Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: enforce secret requirement for session creation #1025

Open
wants to merge 8 commits into
base: v2
Choose a base branch
from
Open

feat: enforce secret requirement for session creation #1025

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
4537773
feat: enforce secret requirement for session creation
bjohansebas Feb 13, 2025
e0bbb61
feat: remove compatibility with cookie parser
bjohansebas Feb 13, 2025
8ab760f
Merge branch 'v2' into secret_session
UlisesGascon Feb 13, 2025
a3b31f6
test: move test to describe
bjohansebas Mar 16, 2025
38e4086
fix: improve secret option validation in session function
bjohansebas Mar 16, 2025
dbf498f
Merge branch 'v2' into secret_session
UlisesGascon Mar 16, 2025
6da2fef
Merge branch 'v2' into secret_session
UlisesGascon Mar 18, 2025
7f17ead
Update test/session.js
bjohansebas Mar 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -143,8 +143,8 @@ function session(options) {
secret = [secret];
}

if (!secret) {
deprecate('req.secret; provide secret option');
if (secret === undefined) {
throw new Error('secret is required for sessions');
}

// notify user that this store is not
Expand Down Expand Up @@ -207,7 +207,7 @@ function session(options) {

// backwards compatibility for signed cookies
// req.secret is passed from the cookie parser middleware
var secrets = secret || [req.secret];
var secrets = secret;
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need to review this part because if I remove it, the tests still pass. It's likely that several tests need to be created if this is necessary.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is from the early days of Connect (senchalabs/connect#580). Initially, they used cookie-parser to secure cookies. Now, the package itself has the option to handle it on its own, so it is safe to remove it since this package is being decoupled from cookie-parser.


var originalHash;
var originalId;
Expand Down
16 changes: 2 additions & 14 deletions test/session.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,20 +35,8 @@ describe('session()', function(){
.expect(200, done)
})

it('should error without secret', function(done){
request(createServer({ secret: undefined }))
.get('/')
.expect(500, /secret.*required/, done)
})

it('should get secret from req.secret', function(done){
function setup (req) {
req.secret = 'keyboard cat'
}

request(createServer(setup, { secret: undefined }))
.get('/')
.expect(200, '', done)
it('should reject without secret', function(){
assert.throws(session.bind(null, { secret: undefined }), /secret.*required/)
})

it('should create a new session', function (done) {
Expand Down