From 66edec201f96176d1c193119e89869100d66cddb Mon Sep 17 00:00:00 2001
From: Chamika J <75464293+chamikaJ@users.noreply.github.com>
Date: Wed, 6 Aug 2025 12:28:57 +0530
Subject: [PATCH] feat(auth): enhance session ID generation and improve cookie handling

- Replaced the `uid-safe` library with `crypto.randomBytes` for generating session IDs, improving security and randomness.
- Updated session cookie construction to use template literals for better readability.
- Standardized cookie header parsing to use consistent quotation marks, enhancing code clarity.
---
 .../src/middlewares/session-middleware.ts | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/worklenz-backend/src/middlewares/session-middleware.ts b/worklenz-backend/src/middlewares/session-middleware.ts
index 6f4196e2..a7166a24 100644
--- a/worklenz-backend/src/middlewares/session-middleware.ts
+++ b/worklenz-backend/src/middlewares/session-middleware.ts
@@ -2,6 +2,7 @@ import session from "express-session";
 import db from "../config/db";
 import { isProduction } from "../shared/utils";
 import * as cookieSignature from "cookie-signature";
+import { randomBytes } from "crypto";
 
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const pgSession = require("connect-pg-simple")(session);
@@ -28,7 +29,7 @@ const sessionConfig = {
   },
   // Custom session ID handling for mobile apps
   genid: () => {
-    return require('uid-safe').sync(24);
+    return randomBytes(24).toString("base64url");
   }
 };
 
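Review bot: `randomBytes(24).toString("base64url")` in `genid` only works on Node 15.7+ (16 LTS and later); on an older runtime `Buffer.toString` throws `TypeError: Unknown encoding: base64url`, so every request that needs a new session would fail. If the project's `engines` field (not visible here) still admits an older Node, keep the URL-safe form by hand: `return randomBytes(24).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");`. As far as I recall `uid-safe` also draws its bytes from `crypto.randomBytes`, so the entropy (24 bytes, 192 bits) is unchanged by this commit; the real gain is dropping a dependency and the synchronous `require` on the session-creation path, which the commit message could say more precisely. The `sessionConfig` object this hunk edits starts before the hunk.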
@@ -42,8 +43,8 @@ const sessionMiddleware = session(sessionConfig);
 // Enhanced session middleware that supports both cookies and headers for mobile apps
 export default (req: any, res: any, next: any) => {
   // Check if mobile app is sending session ID via header (fallback for cookie issues)
-  const headerSessionId = req.headers['x-session-id'];
-  const headerSessionName = req.headers['x-session-name'];
+  const headerSessionId = req.headers["x-session-id"];
+  const headerSessionName = req.headers["x-session-name"];
 
   console.log("Session middleware debug:");
   console.log("- Cookie header:", req.headers.cookie);
@@ -58,7 +59,7 @@ export default (req: any, res: any, next: any) => {
 
     try {
       // Create a signed cookie using the session secret
-      const signedSessionId = 's:' + cookieSignature.sign(headerSessionId, secret);
+      const signedSessionId = `s:${ cookieSignature.sign(headerSessionId, secret)}`;
       const encodedSignedId = encodeURIComponent(signedSessionId);
       const sessionCookie = `${headerSessionName}=${encodedSignedId}`;
 
@@ -71,10 +72,10 @@ export default (req: any, res: any, next: any) => {
       if (req.headers.cookie) {
         // Replace existing session cookie while keeping other cookies
         req.headers.cookie = req.headers.cookie
-          .split(';')
+          .split(";")
           .filter((cookie: string) => !cookie.trim().startsWith(headerSessionName))
           .concat(sessionCookie)
-          .join(';');
+          .join(";");
       } else {
         // Set the session cookie from header
         req.headers.cookie = sessionCookie;
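Review bot: `cookieSignature.sign(headerSessionId, secret)` on the rewritten line signs whatever value arrived in the `x-session-id` header, so for the header path the signature no longer proves the ID was issued by this server; it only proves the server re-signed a client-supplied string before express-session's signature check and the store lookup. A format check before this line keeps the server from turning arbitrary strings into trusted cookies: `genid` now yields 32 base64url characters, so `if (typeof headerSessionId !== "string" || !/^[A-Za-z0-9_-]{32}$/.test(headerSessionId))` should skip the header path (adjust the length if `genid` ever changes). The template literal also carries a stray space after `${`; `` `s:${cookieSignature.sign(headerSessionId, secret)}` `` matches the `sessionCookie` line two below. The handler this hunk edits starts outside the hunk, and the `console.log("- Cookie header:", req.headers.cookie)` in the previous hunk's context writes the signed session cookie to the logs, which is unrelated to this change but worth redacting at the same time.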
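Review bot: `startsWith(headerSessionName)` on the `.filter` line matches a name prefix, so when the session cookie is called `sid` a cookie named `sid_theme` is dropped as well; compare the full name, `.filter((cookie: string) => !cookie.trim().startsWith(\`${headerSessionName}=\`))`. `headerSessionName` itself comes from the `x-session-name` request header and is never compared with the configured cookie name (the `name` field of `sessionConfig` is not in view), which also lets the client choose which cookie this block strips and rewrites; checking it against the configured name before the `if (req.headers.cookie)` closes both gaps. The `if`/`else` here is the tail of the handler that begins outside the hunk.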