bo/worklenz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): enhance session ID generation and improve cookie handling

Browse Source 
- Replaced the `uid-safe` library with `crypto.randomBytes` for generating session IDs, improving security and randomness.
- Updated session cookie construction to use template literals for better readability.
- Standardized cookie header parsing to use consistent quotation marks, enhancing code clarity.
This commit is contained in:
Chamika J
2025-08-06 12:28:57 +05:30
parent 7ce4ba12ab
commit 66edec201f
1 changed files with 7 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
worklenz-backend/src/middlewares/session-middleware.ts
View File

@@ -2,6 +2,7 @@ import session from "express-session";
import db from "../config/db"; import db from "../config/db";
import { isProduction } from "../shared/utils"; import { isProduction } from "../shared/utils";
import * as cookieSignature from "cookie-signature"; import * as cookieSignature from "cookie-signature";
import { randomBytes } from "crypto";
// eslint-disable-next-line @typescript-eslint/no-var-requires // eslint-disable-next-line @typescript-eslint/no-var-requires
const pgSession = require("connect-pg-simple")(session); const pgSession = require("connect-pg-simple")(session);
@@ -28,7 +29,7 @@ const sessionConfig = {
}, },
// Custom session ID handling for mobile apps // Custom session ID handling for mobile apps
genid: () => { genid: () => {
return require('uid-safe').sync(24); return randomBytes(24).toString("base64url");
} }
}; };
@@ -42,8 +43,8 @@ const sessionMiddleware = session(sessionConfig);
// Enhanced session middleware that supports both cookies and headers for mobile apps // Enhanced session middleware that supports both cookies and headers for mobile apps
export default (req: any, res: any, next: any) => { export default (req: any, res: any, next: any) => {
// Check if mobile app is sending session ID via header (fallback for cookie issues) // Check if mobile app is sending session ID via header (fallback for cookie issues)
const headerSessionId = req.headers['x-session-id']; const headerSessionId = req.headers["x-session-id"];
const headerSessionName = req.headers['x-session-name']; const headerSessionName = req.headers["x-session-name"];
console.log("Session middleware debug:"); console.log("Session middleware debug:");
console.log("- Cookie header:", req.headers.cookie); console.log("- Cookie header:", req.headers.cookie);
@@ -58,7 +59,7 @@ export default (req: any, res: any, next: any) => {
try { try {
// Create a signed cookie using the session secret // Create a signed cookie using the session secret
const signedSessionId = 's:' + cookieSignature.sign(headerSessionId, secret); const signedSessionId = `s:${ cookieSignature.sign(headerSessionId, secret)}`;
const encodedSignedId = encodeURIComponent(signedSessionId); const encodedSignedId = encodeURIComponent(signedSessionId);
const sessionCookie = `${headerSessionName}=${encodedSignedId}`; const sessionCookie = `${headerSessionName}=${encodedSignedId}`;
@@ -71,10 +72,10 @@ export default (req: any, res: any, next: any) => {
if (req.headers.cookie) { if (req.headers.cookie) {
// Replace existing session cookie while keeping other cookies // Replace existing session cookie while keeping other cookies
req.headers.cookie = req.headers.cookie req.headers.cookie = req.headers.cookie
.split(';') .split(";")
.filter((cookie: string) => !cookie.trim().startsWith(headerSessionName)) .filter((cookie: string) => !cookie.trim().startsWith(headerSessionName))
.concat(sessionCookie) .concat(sessionCookie)
.join(';'); .join(";");
} else { } else {
// Set the session cookie from header // Set the session cookie from header
req.headers.cookie = sessionCookie; req.headers.cookie = sessionCookie;