From 5aae8bcc01bd664035c409a98c1465d16e5125ba Mon Sep 17 00:00:00 2001 From: m0dch3n Date: Wed, 23 Mar 2022 07:53:40 +0100 Subject: [PATCH] Do not leak encryptedSessionId to session --- lib/fastifySession.js | 6 ++++-- lib/session.js | 7 ------- test/base.test.js | 2 +- test/session.test.js | 4 ++-- types/types.d.ts | 3 +-- 5 files changed, 8 insertions(+), 14 deletions(-) diff --git a/lib/fastifySession.js b/lib/fastifySession.js index 420d2b1..60851b2 100644 --- a/lib/fastifySession.js +++ b/lib/fastifySession.js @@ -112,6 +112,7 @@ function onRequest (options) { } function onSend (options) { + const secret = options.secret[0] return function saveSession (request, reply, payload, done) { const session = request.session if (!session || !session.sessionId || !shouldSaveSession(request, options.cookie, options.saveUninitialized)) { @@ -123,9 +124,10 @@ function onSend (options) { done(err) return } + const encryptedSessionId = cookieSignature.sign(session.sessionId, secret) reply.setCookie( options.cookieName, - session.encryptedSessionId, + encryptedSessionId, session.cookie.options(isConnectionSecure(request)) ) done() @@ -218,7 +220,7 @@ function shouldSaveSession (request, cookieOpts, saveUninitialized) { } function isSessionModified (session) { - return (Object.keys(session).length !== 4) + return (Object.keys(session).length !== 3) } function option (options, key, def) { diff --git a/lib/session.js b/lib/session.js index aad7f81..facc633 100644 --- a/lib/session.js +++ b/lib/session.js @@ -1,11 +1,9 @@ 'use strict' const Cookie = require('./cookie') -const cookieSignature = require('cookie-signature') const maxAge = Symbol('maxAge') const secretKey = Symbol('secretKey') -const sign = Symbol('sign') const addDataToSession = Symbol('addDataToSession') const generateId = Symbol('generateId') 
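Review bot: `const secret = options.secret[0]` in onSend picks the signing key by bare index with nothing saying why position 0, and the second onSend hunk now recomputes `cookieSignature.sign(session.sessionId, secret)` on every response rather than once at regenerate; a short comment on the new line would keep the rotation convention from being lost, e.g. `// sign with the first (newest) secret; later entries are presumably only used to verify older cookies — confirm against onRequest`. The same hunk also relies on `cookieSignature` being in scope in lib/fastifySession.js while the `cookie-signature` require is removed from lib/session.js, which is only safe if this file already requires that module outside the hunk. saveSession's body continues outside both hunks.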
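Review bot: isSessionModified still detects changes by comparing the own-key count of the session against a bare literal, now `3`, and nothing in the hunk records which keys make up that baseline, so the next field added to Session will silently break modification detection (exactly the edit this commit had to make). Replace the literal with a named module constant and compare against it, e.g. `const PRISTINE_SESSION_KEY_COUNT = 3 // sessionId, cookie and one further base field — confirm against Session's constructor` and `return (Object.keys(session).length !== PRISTINE_SESSION_KEY_COUNT)`. The Session constructor that defines those keys is outside this diff.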
@@ -32,7 +30,6 @@ module.exports = class Session { regenerate (request) { this.sessionId = this[generateId](request) - this.encryptedSessionId = this[sign]() } [addDataToSession] (prevSession) { @@ -51,10 +48,6 @@ module.exports = class Session { this[key] = value } - [sign] () { - return cookieSignature.sign(this.sessionId, this[secretKey]) - } - static restore (request, idGenerator, cookieOpts, secret, prevSession) { const restoredSession = new Session(request, idGenerator, cookieOpts, secret, prevSession) const restoredCookie = new Cookie(cookieOpts) diff --git a/test/base.test.js b/test/base.test.js index 2dfad4d..f9bd69b 100644 --- a/test/base.test.js +++ b/test/base.test.js @@ -119,7 +119,7 @@ test('should set session cookie using the default cookie name', async (t) => { }) t.is(statusCode, 200) - t.regex(cookie, /sessionId=undefined; Path=\/; HttpOnly; Secure/) + t.regex(cookie, /sessionId=.*\..*; Path=\/; HttpOnly; Secure/) }) test('should create new session on expired session', async (t) => { diff --git a/test/session.test.js b/test/session.test.js index 266f080..a6a1361 100644 --- a/test/session.test.js +++ b/test/session.test.js @@ -33,10 +33,10 @@ test('should destroy the session', async (t) => { t.is(response.statusCode, 200) }) -test('should add session.encryptedSessionId object to request', async (t) => { +test('should not add session.encryptedSessionId object to request', async (t) => { t.plan(2) const port = await testServer((request, reply) => { - t.truthy(request.session.encryptedSessionId) + t.falsy(request.session.encryptedSessionId) reply.send(200) }, DEFAULT_OPTIONS) diff --git a/types/types.d.ts b/types/types.d.ts index 2a1b7c6..83fc519 100644 --- a/types/types.d.ts +++ b/types/types.d.ts @@ -21,8 +21,6 @@ declare module 'fastify' { interface SessionData extends ExpressSessionData { sessionId: string; - encryptedSessionId: string; - /** Updates the `expires` property of the session. */ touch(): void; 
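Review bot: Removing `[sign]` leaves `this[secretKey]` with no visible reader in lib/session.js, yet the `secretKey` symbol is kept in the first hunk of this file and the constructor, which is outside the hunk, presumably still stores the secret on every session instance. If no other method reads `this[secretKey]`, dropping the symbol and the constructor assignment would finish the clean-up this commit starts, so that session objects no longer hold a reference to the signing secret at all. This cannot be confirmed from the hunk, so it is worth a quick grep before merging.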
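Review bot: The replacement assertion `t.regex(cookie, /sessionId=.*\..*; Path=\/; HttpOnly; Secure/)` accepts almost any value containing a dot, including an empty id or an empty signature, so it cannot distinguish a well-formed `id.signature` cookie from a malformed one. A tighter pattern such as `t.regex(cookie, /sessionId=[^;.]+\.[^;]+; Path=\/; HttpOnly; Secure/)` pins both halves as non-empty and the id as dot-free, assuming neither the generated id nor the signature can itself contain a dot, which the diff does not show.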
@@ -76,6 +74,7 @@ declare namespace FastifySessionPlugin { /** The name of the session cookie. Defaults to `sessionId`. */ cookieName?: string; + /** * The options object used to generate the `Set-Cookie` header of the session cookie. *