diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..390faf9 --- /dev/null +++ b/.gitignore @@ -0,0 +1,12 @@ +# Logs +logs +*.log + +# Dependency directory +# https://www.npmjs.org/doc/misc/npm-faq.html#should-i-check-my-node_modules-folder-into-git +node_modules + +# IDEs +.vscode +.idea +*.iml diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..78393eb --- /dev/null +++ b/LICENSE @@ -0,0 +1,8 @@ +The MIT License (MIT) +Copyright (c) 2016 KTH Royal Institute of Technology + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md index abb2298..f7f9e1c 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,45 @@ # kth-node-session + A Node.js module for setting up session middleware for Express.js apps. + +Enforces certain defaults that should improve security related to sessions. + +Available session options: https://www.npmjs.com/package/express-session + +Available Redis options: https://www.npmjs.com/package/connect-redis + +# Usage + +```javascript +const express = require('express') +const session = require('kth-node-session') + +const app = express() + +const options = { + // set to true to enable session storage in RedisStore + // default is to use MemoryStore + useRedis: false, + + // this is used as redis prefix and session cookie name + // must be set here or as individual settings for redis (prefix) and session (name) + key: 'node-app.sid', + + // https://www.npmjs.com/package/connect-redis + redisOptions: { + // ... + }, + + // https://www.npmjs.com/package/express-session + sessionOptions: { + // secret must be set! + secret: 'my-secret-string', + + // this should not be set when enabling Redis + // or if using the default value + store: null + } +} + +app.use(session(options)) +``` diff --git a/index.js b/index.js new file mode 100644 index 0000000..8d03027 --- /dev/null +++ b/index.js @@ -0,0 +1,52 @@ +'use strict' + +const session = require('express-session') +const RedisStore = require('connect-redis')(session) +const _ = require('lodash') + +const oneHour = 3600000 + +const defaults = { + useRedis: false, + key: '', + redisOptions: { + host: 'localhost', + port: 6379, + ttl: oneHour + }, + sessionOptions: { + secret: '', + resave: false, + saveUninitialized: false + } +} + +module.exports = function (options) { + options = _.defaultsDeep(options, defaults) + + if (!options.redisOptions.prefix) { + if (options.key) { + options.redisOptions.prefix = `${options.key}:` + } else { + throw new Error('No Redis prefix provided, "options.key" must be set.') + } + } + + if (!options.sessionOptions.secret) { + throw new Error('Session secret must be set.') + } + + if (!options.sessionOptions.name) { + if (options.key) { + options.sessionOptions.name = options.key + } else { + throw new Error('No session name provided, "options.key" must be set.') + } + } + + if (options.useRedis) { + options.sessionOptions.store = new RedisStore(options.redisOptions) + } + + return session(options.sessionOptions) +} diff --git a/package.json b/package.json new file mode 100644 index 0000000..44432f6 --- /dev/null +++ b/package.json @@ -0,0 +1,29 @@ +{ + "name": "kth-node-session", + "version": "1.0.0", + "description": "A Node.js module for setting up session middleware for Express.js apps.", + "main": "index.js", + "scripts": { + "codecheck": "standard", + "preversion": "npm run codecheck", + "postversion": "git push && git push --tags" + }, + "repository": { + "type": "git", + "url": "https://github.com/KTH/kth-node-session" + }, + "keywords": [], + "license": "MIT", + "devDependencies": { + "express": "^4.13.4", + "standard": "^7.0.1" + }, + "dependencies": { + "connect-redis": "^3.0.2", + "express-session": "^1.13.0", + "lodash": "^4.12.0" + }, + "files": [ + "index.js" + ] +} diff --git a/test/integration/server.js b/test/integration/server.js new file mode 100644 index 0000000..573c3a6 --- /dev/null +++ b/test/integration/server.js @@ -0,0 +1,51 @@ +'use strict' + +const express = require('express') +const url = require('url') +const session = require('../../index') +const app = express() + +app.use(session({ + useRedis: true, + key: 'test.sid', + sessionOptions: { + secret: 'hello', + cookie: { + // should be true in production (requires https) + secure: false + } + } +})) + +app.use((req, res, next) => { + if (req.url === '/') { + next() + return + } + + if (!req.session.views) { + req.session.views = {} + } + + const pathname = url.parse(req.url).pathname + req.session.views[pathname] = (req.session.views[pathname] || 0) + 1 + + next() +}) + +app.get('/foo', (req, res) => { + res.type('text') + res.send(`/foo viewed ${req.session.views['/foo']} times`) +}) + +app.get('/bar', (req, res) => { + res.type('text') + res.send(`/bar viewed ${req.session.views['/bar']} times`) +}) + +app.get('/', (req, res) => { + res.type('text') + res.send('no session modified') +}) + +app.listen(5000)