hyperzlib
/
nodebb
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: #8142, broken site if no server-side session (#8148)

Browse Source 
* fix: #8142, broken site if no server-side session

During the `addHeader` middleware, a check is now done to see if
`req.session.meta` is present. This value is only present if the user
has a valid server-side session.  If it is missing, then it is probably
safe to assume that the server-side session was deleted (either
intentionally or accidentally). In that scenario, the client-side cookie
should be cleared.

Also, there was an issue where the sessionRefresh flag was never cleared
after a successful login, so that was fixed too.

* feat: exported method to get cookie config

* fix: don't clear cookie if cookie is being set

* fix: socket.io tests

Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com>
v1.18.x
Julian Lam 5 years ago committed by GitHub
parent 0885ec6858
commit d6e3f3f058
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 34 additions and 20 deletions
Show Stats Download Patch File Download Diff File

1
public/src/client/login.js
Unescape Escape View File

@ -41,6 +41,7 @@ define('forum/login', [], function () {
app.updateHeader(data, function () {
ajaxify.go(data.next);
app.flags._sessionRefresh = false;
$(window).trigger('action:app.loggedIn', data);
});
},

21
src/meta/configs.js
Unescape Escape View File

@ -147,6 +147,27 @@ Configs.remove = async function (field) {
await db.deleteObjectField('config', field);
};
Configs.cookie = {
get: () => {
const cookie = {};
if (nconf.get('cookieDomain') || Meta.config.cookieDomain) {
cookie.domain = nconf.get('cookieDomain') || Meta.config.cookieDomain;
}
if (nconf.get('secure')) {
cookie.secure = true;
}
var relativePath = nconf.get('relative_path');
if (relativePath !== '') {
cookie.path = relativePath;
}
return cookie;
},
};
async function processConfig(data) {
ensurePositiveInteger(data, 'maximumUsernameLength');
ensurePositiveInteger(data, 'minimumUsernameLength');

6
src/middleware/headers.js
Unescape Escape View File

@ -3,6 +3,7 @@
var os = require('os');
var winston = require('winston');
var _ = require('lodash');
const nconf = require('nconf');
var meta = require('../meta');
var languages = require('../languages');
@ -54,6 +55,11 @@ module.exports = function (middleware) {
headers['X-Upstream-Hostname'] = os.hostname();
}
// Validate session
if (!req.session.meta && !res.get('Set-Cookie')) {
res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());
}
for (var key in headers) {
if (headers.hasOwnProperty(key) && headers[key]) {
res.setHeader(key, headers[key]);

21
src/webserver.js
Unescape Escape View File

@ -206,24 +206,9 @@ function configureBodyParser(app) {
}
function setupCookie() {
var ttl = meta.getSessionTTLSeconds() * 1000;
var cookie = {
maxAge: ttl,
};
if (nconf.get('cookieDomain') || meta.config.cookieDomain) {
cookie.domain = nconf.get('cookieDomain') || meta.config.cookieDomain;
}
if (nconf.get('secure')) {
cookie.secure = true;
}
var relativePath = nconf.get('relative_path');
if (relativePath !== '') {
cookie.path = relativePath;
}
const cookie = meta.configs.cookie.get();
const ttl = meta.getSessionTTLSeconds() * 1000;
cookie.maxAge = ttl;
return cookie;
}

5
test/helpers/index.js
Unescape Escape View File

@ -66,8 +66,9 @@ helpers.logoutUser = function (jar, callback) {
helpers.connectSocketIO = function (res, callback) {
var io = require('socket.io-client');
var cookie = res.headers['set-cookie'][0].split(';')[0];
let cookies = res.headers['set-cookie'];
cookies = cookies.filter(c => /express.sid=[^;]+;/.test(c));
const cookie = cookies[0];
var socket = io(nconf.get('base_url'), {
path: nconf.get('relative_path') + '/socket.io',
extraHeaders: {

Write Preview
Loading…
Cancel
Save