feat: no more session cookie for guests (#7982)

* feat: no more session cookie for guests

* fix(tests): added additional tests and fixed the broken test

src/controllers/accounts/profile.js

@@ -66,7 +66,7 @@ profileController.get = async function (req, res, next) {
 };
 
 async function incrementProfileViews(req, userData) {
-	if (req.uid >= 0) {
+	if (req.uid >= 1) {
 		req.session.uids_viewed = req.session.uids_viewed || {};
 
 		if (req.uid !== userData.uid && (!req.session.uids_viewed[userData.uid] || req.session.uids_viewed[userData.uid] < Date.now() - 3600000)) {

src/controllers/authentication.js

@@ -399,7 +399,7 @@ authenticationController.localLogin = async function (req, username, password, n
 	}
 };
 
-const regenerateAsync = util.promisify((req, callback) => req.session.regenerate(callback));
+const destroyAsync = util.promisify((req, callback) => req.session.destroy(callback));
 
 authenticationController.logout = async function (req, res, next) {
 	if (!req.loggedIn || !req.sessionID) {
@@ -412,7 +412,10 @@ authenticationController.logout = async function (req, res, next) {
 		await user.auth.revokeSession(sessionID, uid);
 		req.logout();
 
-		await regenerateAsync(req);
+		await destroyAsync(req);
+		res.clearCookie('express.sid', {
+			path: nconf.get('relative_path'),
+		});
 		req.uid = 0;
 		req.headers['x-csrf-token'] = req.csrfToken();
 

src/controllers/topics.js

@@ -127,7 +127,7 @@ function calculateStartStop(page, postIndex, settings) {
 }
 
 function incrementViewCount(req, tid) {
-	if (req.uid >= 0) {
+	if (req.uid >= 1) {
 		req.session.tids_viewed = req.session.tids_viewed || {};
 		if (!req.session.tids_viewed[tid] || req.session.tids_viewed[tid] < Date.now() - 3600000) {
 			topics.increaseViewCount(tid);

src/middleware/index.js

@@ -31,7 +31,9 @@ middleware.regexes = {
 	timestampedUpload: /^\d+-.+$/,
 };
 
-middleware.applyCSRF = csrf();
+middleware.applyCSRF = csrf({
+	cookie: true,
+});
 
 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');
 

test/controllers.js

@@ -1398,20 +1398,51 @@ describe('Controllers', function () {
 			});
 		});
 
-		it('should increase profile view', function (done) {
+		it('should not increase profile view if you visit your own profile', (done) => {
+			request(nconf.get('url') + '/api/user/foo', { jar: jar }, function (err, res) {
+				assert.ifError(err);
+				assert.equal(res.statusCode, 200);
+				setTimeout(function () {
+					user.getUserField(fooUid, 'profileviews', function (err, viewcount) {
+						assert.ifError(err);
+						assert(viewcount === 0);
+						done();
+					});
+				}, 500);
+			});
+		});
+
+		it('should not increase profile view if a guest visits a profile', (done) => {
 			request(nconf.get('url') + '/api/user/foo', { }, function (err, res) {
 				assert.ifError(err);
 				assert.equal(res.statusCode, 200);
 				setTimeout(function () {
 					user.getUserField(fooUid, 'profileviews', function (err, viewcount) {
 						assert.ifError(err);
-						assert(viewcount > 0);
+						assert(viewcount === 0);
 						done();
 					});
 				}, 500);
 			});
 		});
 
+		it('should increase profile view', function (done) {
+			helpers.loginUser('regularJoe', 'barbar', function (err, jar) {
+				assert.ifError(err);
+				request(nconf.get('url') + '/api/user/foo', { jar: jar }, function (err, res) {
+					assert.ifError(err);
+					assert.equal(res.statusCode, 200);
+					setTimeout(function () {
+						user.getUserField(fooUid, 'profileviews', function (err, viewcount) {
+							assert.ifError(err);
+							assert(viewcount > 0);
+							done();
+						});
+					}, 500);
+				});
+			});
+		});
+
 		it('should parse about me', function (done) {
 			user.setUserFields(fooUid, { picture: '/path/to/picture', aboutme: 'hi i am a bot' }, function (err) {
 				assert.ifError(err);