setNotFoundHandler does not include session variable in request object

[clubside]

💬 Question here

Normally all request objects include the session variables if a user is logged in. However setNotFoundHandler does not making my display, which normally shows the user's avatar if logged in or a login button if not, always show the login button. How do I get the session variables when using setNotFoundHandler or is there an alternative approach to catch all invalid routes that will return session variables?

app.setNotFoundHandler(async (request, reply) => {
	const pageInfo = {
		title: 'Page Not Found',
		role: 'guest'
	}
	console.log({ pageInfoUser: request.user })
	if (request.user) {
		pageInfo.role = request.user.role
		pageInfo.user = request.user.email
	}
	pageInfo.errorImage = '/img/errors/404-error.svg'
	pageInfo.errorMessage = 'This is not the page you\'re looking for.'
	reply.code(404)
	reply.header('Content-Type', 'text/html; charset=utf-8')
	reply.type('text/html')
	reply.send(await generatePage(pageInfo, 'error.html'))
})

In this case console.log({ pageInfoUser: request.user }) returns undefined even when logged in whereas every other route displays the user session variable when logged in.

Your Environment

• node version: 22.3.0
• fastify version: 4.28.1
• @fastify/secure-session version: 7.5.1
• os: Windows

[mcollina]

Thanks for reporting!

Can you provide steps to reproduce? We often need a reproducible example, e.g. some code that allows someone else to recreate your problem by just copying and pasting it. If it involves more than a couple of different file, create a new repository on GitHub and add a link to that.

[clubside]

@mcollina I'm using Fastify Secure Session with Google OAuth, can you tell me how to include it in a demo without Google OAuth handling the logins? If there's no quick demo of that I will look at Secure Session docs and try to come up with a limited use of it to replicate the conditions.

[mcollina]

If it's not related to google, use another provider. The likely outcome is that there is an issue in how you encapsulated your plugins.

[clubside]

No, I was able to reproduce it with just a regular old login:

https://github.com/clubside/fastify-setnotfoundhandler

[climba03003]

You are using @fastify/static which registered a for handle all URL by default.

Your repro shows that the @fastify/static is out of the scope of your @fastify/secure-session. So, it does not handle any session for you.

The fix would be as simple as place it inside your other plugin.
or
Use wildcard: false which gives the handle to your 404 handler directly.

[clubside]

I appreciate the extra information @climba03003 I was told to place static outside to prevent the session being read for every static file which I don't want. I tried setting wildcard to false and the app will not run Error: Method 'GET' already declared for route '/' with constraints '{}'. Is there a glob pattern that would work just for routes (as in things with no file extension)?

[climba03003]

You should provide more context on how you structure your application.
In the repro you provided, setting wildcard: false should be fine.