Commit 816c1e0a authored by Ben Adida's avatar Ben Adida Committed by Lloyd Hilaiel

changed session over to benadida's node-cookie-session with encryption and...

changed session over to benadida's node-cookie-session with encryption and signing of the cookie, closes #416, closes #832
parent 3086ec6d
......@@ -11,7 +11,7 @@
const
sessions = require('connect-cookie-session'),
sessions = require('node-client-sessions'),
express = require('express');
secrets = require('./secrets'),
config = require('./configuration'),
......@@ -29,9 +29,7 @@ const COOKIE_SECRET = secrets.hydrateSecret('browserid_cookie', config.get('var_
const COOKIE_KEY = 'browserid_state';
function clearAuthenticatedUser(session) {
Object.keys(session).forEach(function(k) {
if (k !== 'csrf') delete session[k];
});
session.reset(['csrf']);
}
function isAuthed(req) {
......@@ -100,7 +98,8 @@ exports.setup = function(options, app) {
var cookieSessionMiddleware = sessions({
secret: COOKIE_SECRET,
key: COOKIE_KEY,
cookieName: COOKIE_KEY,
duration: 7 * 24 * 60 * 60 * 1000, // 1 week
cookie: {
path: '/wsapi',
httpOnly: true,
......
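Review bot: `duration: 7 * 24 * 60 * 60 * 1000, // 1 week` records the number but not what it now means: with the session carried entirely in an encrypted and signed client cookie, nothing on the server can revoke it, so this value is the absolute window in which a captured cookie stays replayable (whether the library also applies an idle timeout is not visible here). Suggest `// 1 week: absolute lifetime of the client-held session; there is no server-side revocation, so keep this as short as the UX allows`. The `cookie: {` object continues past the end of the hunk, so whether `secure` is set alongside `httpOnly` cannot be confirmed from this view. In the `clearAuthenticatedUser` hunk, `session.reset(['csrf'])` replaces the explicit loop that deleted every key except `csrf`; a one-line comment such as `// keep only the CSRF token across logout, as the previous explicit loop did` would keep that intent readable now that the loop is gone.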
......@@ -7,7 +7,7 @@
, "bcrypt": "0.4.1"
, "compute-cluster": "0.0.5"
, "connect": "1.7.2"
, "connect-cookie-session" : "0.0.2"
, "node-client-sessions": "0.0.1"
, "connect-logger-statsd": "0.0.1"
, "ejs": "0.4.3"
, "express": "2.5.0"
......
......@@ -60,42 +60,44 @@ function stripExpires(cookieString) {
return cookieString.replace(/expires=[^;]*;/, '');
}
// changed tests that assumed that cookies were coming back in every request
// because they're not anymore! (2011-12-29)
// certify a key
suite.addBatch({
"get context": {
topic: wsapi.get('/wsapi/session_context'),
"parses" : function(r, err) {
// make sure there's a cookie
"has a cookie because of CSRF setting" : function(r, err) {
// make sure there's NO cookie
var cookie = r.headers["set-cookie"];
assert.isNotNull(cookie);
assert.isNotNull(cookie[0]);
first_cookie = cookie[0];
},
"with nothing": {
topic: wsapi.get('/wsapi/session_context'),
"still the same": function(r, err) {
"and then session context again": {
topic: wsapi.get('/wsapi/logout'),
"should not set-cookie": function(r, err) {
var cookie = r.headers["set-cookie"];
// make sure the cookies are the same, but strip out the expires
// portion, as the time may have changed! issue #531
assert.equal(stripExpires(first_cookie), stripExpires(cookie[0]));
}
},
"let's screw it up": {
topic: function() {
wsapi.clearCookies();
// mess up the cookie
var the_match = first_cookie.match(/browserid_state=([^;]*);/);
assert.isNotNull(the_match);
var new_cookie_val = the_match[1].substring(0, the_match[1].length - 1);
wsapi.injectCookies({browserid_state: new_cookie_val});
return "next";
assert.isUndefined(cookie);
},
"and then": {
topic: wsapi.get('/wsapi/session_context'),
"and result": function(r, err) {
var cookie = r.headers["set-cookie"];
assert.notEqual(first_cookie, cookie[0]);
"then let's screw it up": {
topic: function() {
wsapi.clearCookies();
// mess up the cookie
var the_match = first_cookie.match(/browserid_state=([^;]*);/);
assert.isNotNull(the_match);
var new_cookie_val = the_match[1].substring(0, the_match[1].length - 1);
wsapi.injectCookies({browserid_state: new_cookie_val});
return "next";
},
"and then get context": {
topic: wsapi.get('/wsapi/session_context'),
"and result should have a new cookie for session reset": function(r, err) {
var cookie = r.headers["set-cookie"];
assert.isNotNull(cookie);
assert.isNotNull(cookie[0]);
assert.notEqual(first_cookie, cookie[0]);
}
}
}
}
......
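Review bot: The comment `// make sure there's NO cookie` under the new `"has a cookie because of CSRF setting"` test contradicts both its title and the `assert.isNotNull(cookie)` lines right below it, assuming the print order (old line, then new line) reflects the sides correctly; it should read `// make sure there IS a cookie: the CSRF token forces one before any login`. In the tamper test, `assert.notEqual(first_cookie, cookie[0])` can pass on the expires portion alone (the drift that issue #531, cited above, already notes), so it does not by itself show that the truncated cookie was rejected and the session reset; `assert.notEqual(stripExpires(first_cookie), stripExpires(cookie[0]));` narrows that, and an assertion on the response body that no authenticated user is present would pin it down, though the body shape is not visible here. `first_cookie = cookie[0]` assigns without a declaration; if it is not declared above the hunk it becomes an implicit global shared across batches. The suite batch closes at the end of the hunk, but `stripExpires` and any `first_cookie` declaration sit above it.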