From 816c1e0a5a0ae44eb3cb853b0f3d426def915cd5 Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Tue, 3 Jan 2012 15:15:45 -0700
Subject: [PATCH] changed session over to benadida's node-cookie-session with
 encryption and signing of the cookie, closes #416, closes #832

---
 lib/wsapi.js                          |  9 ++---
 package.json                          |  2 +-
 tests/cookie-session-security-test.js | 54 ++++++++++++++-------------
 3 files changed, 33 insertions(+), 32 deletions(-)

diff --git a/lib/wsapi.js b/lib/wsapi.js
index 533d87718..9fbfab26a 100644
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -11,7 +11,7 @@
 
 
 const
-sessions = require('connect-cookie-session'),
+sessions = require('node-client-sessions'),
 express = require('express');
 secrets = require('./secrets'),
 config = require('./configuration'),
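Review bot: The `const` chain that the new `sessions = require('node-client-sessions')` line belongs to is terminated two lines later by `express = require('express');`, so `secrets`, `config` and whatever follows are plain assignments rather than declarations; if the module runs in sloppy mode that makes them implicit globals, and in strict mode it would throw. This is pre-existing, but since the chain is being edited it is a one-character fix: `express = require('express'),`. The declaration list continues past the end of the hunk.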
@@ -29,9 +29,7 @@ const COOKIE_SECRET = secrets.hydrateSecret('browserid_cookie', config.get('var_
 const COOKIE_KEY = 'browserid_state';
 
 function clearAuthenticatedUser(session) {
-  Object.keys(session).forEach(function(k) {
-    if (k !== 'csrf') delete session[k];
-  });
+  session.reset(['csrf']);
 }
 
 function isAuthed(req) {
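Review bot: `session.reset(['csrf'])` reads at first glance as "reset the csrf key", while the loop it replaces shows the intent is the opposite — drop every key except csrf so the token survives logout. A comment above the call would keep the next maintainer from inverting it: `// reset() clears the session but keeps the listed keys; csrf must survive logout`. That the argument names keys to preserve is inferred from the removed loop rather than visible here — worth confirming against the library's API before relying on it.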
@@ -100,7 +98,8 @@ exports.setup = function(options, app) {
 
   var cookieSessionMiddleware = sessions({
     secret: COOKIE_SECRET,
-    key: COOKIE_KEY,
+    cookieName: COOKIE_KEY,
+    duration: 7 * 24 * 60 * 60 * 1000, // 1 week
     cookie: {
       path: '/wsapi',
       httpOnly: true,
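Review bot: The new `duration` is an inline arithmetic literal whose only documentation is "1 week", and it does not say whether the library treats it as an absolute session lifetime or an inactivity timeout — the distinction decides how long a leaked cookie stays valid. Hoisting it next to COOKIE_KEY as `const SESSION_DURATION_MS = 7 * 24 * 60 * 60 * 1000; // 1 week, absolute (confirm against node-client-sessions)` and passing `duration: SESSION_DURATION_MS` would name the value and record that assumption. The `cookie` options object continues past the hunk, so the remaining flags cannot be checked here.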
diff --git a/package.json b/package.json
index ef87aafb0..92e2076a3 100644
--- a/package.json
+++ b/package.json
@@ -7,7 +7,7 @@
     , "bcrypt": "0.4.1"
     , "compute-cluster": "0.0.5"
     , "connect": "1.7.2"
-    , "connect-cookie-session" : "0.0.2"
+    , "node-client-sessions": "0.0.1"
     , "connect-logger-statsd": "0.0.1"
     , "ejs": "0.4.3"
     , "express": "2.5.0"
diff --git a/tests/cookie-session-security-test.js b/tests/cookie-session-security-test.js
index 1393ecbf4..1cdee1822 100755
--- a/tests/cookie-session-security-test.js
+++ b/tests/cookie-session-security-test.js
@@ -60,42 +60,44 @@ function stripExpires(cookieString) {
   return cookieString.replace(/expires=[^;]*;/, '');
 }
 
+// changed tests that assumed that cookies were coming back in every request
+// because they're not anymore! (2011-12-29)
+
 // certify a key
 suite.addBatch({
   "get context": {
     topic: wsapi.get('/wsapi/session_context'),
-    "parses" : function(r, err) {
-      // make sure there's a cookie
+    "has a cookie because of CSRF setting" : function(r, err) {
+      // make sure there's NO cookie
       var cookie = r.headers["set-cookie"];
-      assert.isNotNull(cookie);
       assert.isNotNull(cookie[0]);
       first_cookie = cookie[0];
     },
-    "with nothing": {
-      topic: wsapi.get('/wsapi/session_context'),
-      "still the same": function(r, err) {
+    "and then session context again": {
+      topic: wsapi.get('/wsapi/logout'),
+      "should not set-cookie": function(r, err) {
         var cookie = r.headers["set-cookie"];
-        // make sure the cookies are the same, but strip out the expires
-        // portion, as the time may have changed! issue #531
-        assert.equal(stripExpires(first_cookie), stripExpires(cookie[0]));
-      }
-    },
-    "let's screw it up": {
-      topic: function() {
-        wsapi.clearCookies();
-
-        // mess up the cookie
-        var the_match = first_cookie.match(/browserid_state=([^;]*);/);
-        assert.isNotNull(the_match);
-        var new_cookie_val = the_match[1].substring(0, the_match[1].length - 1);
-        wsapi.injectCookies({browserid_state: new_cookie_val});
-        return "next";
+        assert.isUndefined(cookie);
       },
-      "and then": {
-        topic: wsapi.get('/wsapi/session_context'),
-        "and result": function(r, err) {
-          var cookie = r.headers["set-cookie"];
-          assert.notEqual(first_cookie, cookie[0]);
+      "then let's screw it up": {
+        topic: function() {
+          wsapi.clearCookies();
+          
+          // mess up the cookie
+          var the_match = first_cookie.match(/browserid_state=([^;]*);/);
+          assert.isNotNull(the_match);
+          var new_cookie_val = the_match[1].substring(0, the_match[1].length - 1);
+          wsapi.injectCookies({browserid_state: new_cookie_val});
+          return "next";
+        },
+        "and then get context": {
+          topic: wsapi.get('/wsapi/session_context'),
+          "and result should have a new cookie for session reset": function(r, err) {
+            var cookie = r.headers["set-cookie"];
+            assert.isNotNull(cookie);
+            assert.isNotNull(cookie[0]);
+            assert.notEqual(first_cookie, cookie[0]);
+          }
         }
       }
     }
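Review bot: In "has a cookie because of CSRF setting" the `assert.isNotNull(cookie);` guard was dropped while `assert.isNotNull(cookie[0]);` stays, so a missing Set-Cookie header now fails with a TypeError on the index rather than an assertion message, and the comment right above it says the opposite of what the test checks. Restore the guard and fix the comment: `// make sure there IS a cookie (the CSRF token is kept in the session)` followed by `assert.isNotNull(cookie);`. The nested test named "and then session context again" actually requests `/wsapi/logout`, so `"and then logout": {` would describe it accurately; L116 also carries trailing whitespace. The `suite.addBatch({` opened in this hunk is closed after the hunk ends.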
-- 
GitLab