Do not leak encryptedSessionId to session

lib/fastifySession.js

@@ -112,6 +112,7 @@ function onRequest (options) {
 }
 
 function onSend (options) {
+  const secret = options.secret[0]
   return function saveSession (request, reply, payload, done) {
     const session = request.session
     if (!session || !session.sessionId || !shouldSaveSession(request, options.cookie, options.saveUninitialized)) {
@@ -123,9 +124,10 @@ function onSend (options) {
         done(err)
         return
       }
+      const encryptedSessionId = cookieSignature.sign(session.sessionId, secret)
       reply.setCookie(
         options.cookieName,
-        session.encryptedSessionId,
+        encryptedSessionId,
         session.cookie.options(isConnectionSecure(request))
       )
       done()
@@ -218,7 +220,7 @@ function shouldSaveSession (request, cookieOpts, saveUninitialized) {
 }
 
 function isSessionModified (session) {
-  return (Object.keys(session).length !== 4)
+  return (Object.keys(session).length !== 3)
 }
 
 function option (options, key, def) {

lib/session.js

@@ -1,11 +1,9 @@
 'use strict'
 
 const Cookie = require('./cookie')
-const cookieSignature = require('cookie-signature')
 
 const maxAge = Symbol('maxAge')
 const secretKey = Symbol('secretKey')
-const sign = Symbol('sign')
 const addDataToSession = Symbol('addDataToSession')
 const generateId = Symbol('generateId')
 
@@ -32,7 +30,6 @@ module.exports = class Session {
 
   regenerate (request) {
     this.sessionId = this[generateId](request)
-    this.encryptedSessionId = this[sign]()
   }
 
   [addDataToSession] (prevSession) {
@@ -51,10 +48,6 @@ module.exports = class Session {
     this[key] = value
   }
 
-  [sign] () {
-    return cookieSignature.sign(this.sessionId, this[secretKey])
-  }
-
   static restore (request, idGenerator, cookieOpts, secret, prevSession) {
     const restoredSession = new Session(request, idGenerator, cookieOpts, secret, prevSession)
     const restoredCookie = new Cookie(cookieOpts)

test/base.test.js

@@ -119,7 +119,7 @@ test('should set session cookie using the default cookie name', async (t) => {
   })
 
   t.is(statusCode, 200)
-  t.regex(cookie, /sessionId=undefined; Path=\/; HttpOnly; Secure/)
+  t.regex(cookie, /sessionId=.*\..*; Path=\/; HttpOnly; Secure/)
 })
 
 test('should create new session on expired session', async (t) => {

test/session.test.js

@@ -33,10 +33,10 @@ test('should destroy the session', async (t) => {
   t.is(response.statusCode, 200)
 })
 
-test('should add session.encryptedSessionId object to request', async (t) => {
+test('should not add session.encryptedSessionId object to request', async (t) => {
   t.plan(2)
   const port = await testServer((request, reply) => {
-    t.truthy(request.session.encryptedSessionId)
+    t.falsy(request.session.encryptedSessionId)
     reply.send(200)
   }, DEFAULT_OPTIONS)
 

types/types.d.ts

@@ -21,8 +21,6 @@ declare module 'fastify' {
 interface SessionData extends ExpressSessionData {
   sessionId: string;
 
-  encryptedSessionId: string;
-
   /** Updates the `expires` property of the session. */
   touch(): void;
 
@@ -76,6 +74,7 @@ declare namespace FastifySessionPlugin {
 
     /** The name of the session cookie. Defaults to `sessionId`. */
     cookieName?: string;
+
     /**
      * The options object used to generate the `Set-Cookie` header of the session cookie.
      *