Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-31 11:05:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: #8142, broken site if no server-side session (#8148)

Browse Source 
* fix: #8142, broken site if no server-side session

During the `addHeader` middleware, a check is now done to see if
`req.session.meta` is present. This value is only present if the user
has a valid server-side session.  If it is missing, then it is probably
safe to assume that the server-side session was deleted (either
intentionally or accidentally). In that scenario, the client-side cookie
should be cleared.

Also, there was an issue where the sessionRefresh flag was never cleared
after a successful login, so that was fixed too.

* feat: exported method to get cookie config

* fix: don't clear cookie if cookie is being set

* fix: socket.io tests

Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com>
This commit is contained in:
Julian Lam
2020-02-06 15:52:37 -05:00
committed by GitHub
parent 0885ec6858
commit d6e3f3f058
5 changed files with 34 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
public/src/client/login.js
View File

@@ -41,6 +41,7 @@ define('forum/login', [], function () {
app.updateHeader(data, function () { app.updateHeader(data, function () {
ajaxify.go(data.next); ajaxify.go(data.next);
app.flags._sessionRefresh = false;
$(window).trigger('action:app.loggedIn', data); $(window).trigger('action:app.loggedIn', data);
}); });
}, },

21
src/meta/configs.js
View File

@@ -147,6 +147,27 @@ Configs.remove = async function (field) {
await db.deleteObjectField('config', field); await db.deleteObjectField('config', field);
}; };
Configs.cookie = {
get: () => {
const cookie = {};
if (nconf.get('cookieDomain') || Meta.config.cookieDomain) {
cookie.domain = nconf.get('cookieDomain') || Meta.config.cookieDomain;
}
if (nconf.get('secure')) {
cookie.secure = true;
}
var relativePath = nconf.get('relative_path');
if (relativePath !== '') {
cookie.path = relativePath;
}
return cookie;
},
};
async function processConfig(data) { async function processConfig(data) {
ensurePositiveInteger(data, 'maximumUsernameLength'); ensurePositiveInteger(data, 'maximumUsernameLength');
ensurePositiveInteger(data, 'minimumUsernameLength'); ensurePositiveInteger(data, 'minimumUsernameLength');

6
src/middleware/headers.js
View File

@@ -3,6 +3,7 @@
var os = require('os'); var os = require('os');
var winston = require('winston'); var winston = require('winston');
var _ = require('lodash'); var _ = require('lodash');
const nconf = require('nconf');
var meta = require('../meta'); var meta = require('../meta');
var languages = require('../languages'); var languages = require('../languages');
@@ -54,6 +55,11 @@ module.exports = function (middleware) {
headers['X-Upstream-Hostname'] = os.hostname(); headers['X-Upstream-Hostname'] = os.hostname();
} }
// Validate session
if (!req.session.meta && !res.get('Set-Cookie')) {
res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());
}
for (var key in headers) { for (var key in headers) {
if (headers.hasOwnProperty(key) && headers[key]) { if (headers.hasOwnProperty(key) && headers[key]) {
res.setHeader(key, headers[key]); res.setHeader(key, headers[key]);

21
src/webserver.js
View File

@@ -206,24 +206,9 @@ function configureBodyParser(app) {
} }
function setupCookie() { function setupCookie() {
var ttl = meta.getSessionTTLSeconds() * 1000; const cookie = meta.configs.cookie.get();
const ttl = meta.getSessionTTLSeconds() * 1000;
var cookie = { cookie.maxAge = ttl;
maxAge: ttl,
};
if (nconf.get('cookieDomain') || meta.config.cookieDomain) {
cookie.domain = nconf.get('cookieDomain') || meta.config.cookieDomain;
}
if (nconf.get('secure')) {
cookie.secure = true;
}
var relativePath = nconf.get('relative_path');
if (relativePath !== '') {
cookie.path = relativePath;
}
return cookie; return cookie;
} }

5
test/helpers/index.js
View File

@@ -66,8 +66,9 @@ helpers.logoutUser = function (jar, callback) {
helpers.connectSocketIO = function (res, callback) { helpers.connectSocketIO = function (res, callback) {
var io = require('socket.io-client'); var io = require('socket.io-client');
let cookies = res.headers['set-cookie'];
var cookie = res.headers['set-cookie'][0].split(';')[0]; cookies = cookies.filter(c => /express.sid=[^;]+;/.test(c));
const cookie = cookies[0];
var socket = io(nconf.get('base_url'), { var socket = io(nconf.get('base_url'), {
path: nconf.get('relative_path') + '/socket.io', path: nconf.get('relative_path') + '/socket.io',
extraHeaders: { extraHeaders: {