feat(auth): add cookie-signature dependency and enhance session cookie handling
- Introduced the `@types/cookie-signature` dependency to facilitate proper signing of session cookies. - Updated session middleware to create a securely signed cookie using the session secret, improving session management for mobile applications. - Enhanced logging for cookie creation and error handling to aid in debugging session issues.
This commit is contained in:
Chamika J
11
worklenz-backend/package-lock.json
generated
11
worklenz-backend/package-lock.json
generated
@@ -73,6 +73,7 @@
|
|||||||
"@types/compression": "^1.7.2",
|
"@types/compression": "^1.7.2",
|
||||||
"@types/connect-flash": "^0.0.37",
|
"@types/connect-flash": "^0.0.37",
|
||||||
"@types/cookie-parser": "^1.4.3",
|
"@types/cookie-parser": "^1.4.3",
|
||||||
|
"@types/cookie-signature": "^1.1.2",
|
||||||
"@types/cron": "^2.0.1",
|
"@types/cron": "^2.0.1",
|
||||||
"@types/crypto-js": "^4.2.2",
|
"@types/crypto-js": "^4.2.2",
|
||||||
"@types/csurf": "^1.11.2",
|
"@types/csurf": "^1.11.2",
|
||||||
@@ -5445,6 +5446,16 @@
|
|||||||
"@types/express": "*"
|
"@types/express": "*"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"node_modules/@types/cookie-signature": {
|
||||||
|
"version": "1.1.2",
|
||||||
|
"resolved": "https://registry.npmjs.org/@types/cookie-signature/-/cookie-signature-1.1.2.tgz",
|
||||||
|
"integrity": "sha512-2OhrZV2LVnUAXklUFwuYUTokalh/dUb8rqt70OW6ByMSxYpauPZ+kfNLknX3aJyjY5iu8i3cUyoLZP9Fn37tTg==",
|
||||||
|
"dev": true,
|
||||||
|
"license": "MIT",
|
||||||
|
"dependencies": {
|
||||||
|
"@types/node": "*"
|
||||||
|
}
|
||||||
|
},
|
||||||
"node_modules/@types/cors": {
|
"node_modules/@types/cors": {
|
||||||
"version": "2.8.19",
|
"version": "2.8.19",
|
||||||
"resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.19.tgz",
|
"resolved": "https://registry.npmjs.org/@types/cors/-/cors-2.8.19.tgz",
|
||||||
|
|||||||
@@ -108,6 +108,7 @@
|
|||||||
"@types/compression": "^1.7.2",
|
"@types/compression": "^1.7.2",
|
||||||
"@types/connect-flash": "^0.0.37",
|
"@types/connect-flash": "^0.0.37",
|
||||||
"@types/cookie-parser": "^1.4.3",
|
"@types/cookie-parser": "^1.4.3",
|
||||||
|
"@types/cookie-signature": "^1.1.2",
|
||||||
"@types/cron": "^2.0.1",
|
"@types/cron": "^2.0.1",
|
||||||
"@types/crypto-js": "^4.2.2",
|
"@types/crypto-js": "^4.2.2",
|
||||||
"@types/csurf": "^1.11.2",
|
"@types/csurf": "^1.11.2",
|
||||||
|
|||||||
@@ -1,6 +1,7 @@
|
|||||||
import session from "express-session";
|
import session from "express-session";
|
||||||
import db from "../config/db";
|
import db from "../config/db";
|
||||||
import { isProduction } from "../shared/utils";
|
import { isProduction } from "../shared/utils";
|
||||||
|
import * as cookieSignature from "cookie-signature";
|
||||||
|
|
||||||
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
// eslint-disable-next-line @typescript-eslint/no-var-requires
|
||||||
const pgSession = require("connect-pg-simple")(session);
|
const pgSession = require("connect-pg-simple")(session);
|
||||||
@@ -52,25 +53,39 @@ export default (req: any, res: any, next: any) => {
|
|||||||
if (headerSessionId && headerSessionName) {
|
if (headerSessionId && headerSessionName) {
|
||||||
console.log("Mobile app using header-based session:", headerSessionId);
|
console.log("Mobile app using header-based session:", headerSessionId);
|
||||||
|
|
||||||
// The session store expects a signed cookie, but we need to construct it properly
|
// The problem is cookie signature - we need to create a properly signed cookie
|
||||||
// For now, let's try the exact format from the successful login session
|
const secret = process.env.SESSION_SECRET || "development-secret-key";
|
||||||
const sessionCookie = `${headerSessionName}=s%3A${headerSessionId}`;
|
|
||||||
|
|
||||||
if (req.headers.cookie) {
|
try {
|
||||||
// Replace existing session cookie while keeping other cookies
|
// Create a signed cookie using the session secret
|
||||||
req.headers.cookie = req.headers.cookie
|
const signedSessionId = 's:' + cookieSignature.sign(headerSessionId, secret);
|
||||||
.split(';')
|
const encodedSignedId = encodeURIComponent(signedSessionId);
|
||||||
.filter((cookie: string) => !cookie.trim().startsWith(headerSessionName))
|
const sessionCookie = `${headerSessionName}=${encodedSignedId}`;
|
||||||
.concat(sessionCookie)
|
|
||||||
.join(';');
|
console.log("Creating signed session cookie:");
|
||||||
} else {
|
console.log("- Raw session ID:", headerSessionId);
|
||||||
// Set the session cookie from header
|
console.log("- Signed session ID:", signedSessionId);
|
||||||
|
console.log("- Encoded signed ID:", encodedSignedId);
|
||||||
|
console.log("- Final cookie:", sessionCookie);
|
||||||
|
|
||||||
|
if (req.headers.cookie) {
|
||||||
|
// Replace existing session cookie while keeping other cookies
|
||||||
|
req.headers.cookie = req.headers.cookie
|
||||||
|
.split(';')
|
||||||
|
.filter((cookie: string) => !cookie.trim().startsWith(headerSessionName))
|
||||||
|
.concat(sessionCookie)
|
||||||
|
.join(';');
|
||||||
|
} else {
|
||||||
|
// Set the session cookie from header
|
||||||
|
req.headers.cookie = sessionCookie;
|
||||||
|
}
|
||||||
|
console.log("Updated cookie header:", req.headers.cookie);
|
||||||
|
} catch (error) {
|
||||||
|
console.log("Error creating signed cookie:", error);
|
||||||
|
// Fallback to the old method
|
||||||
|
const sessionCookie = `${headerSessionName}=s%3A${headerSessionId}`;
|
||||||
req.headers.cookie = sessionCookie;
|
req.headers.cookie = sessionCookie;
|
||||||
}
|
}
|
||||||
console.log("Updated cookie header:", req.headers.cookie);
|
|
||||||
|
|
||||||
// Also debug what the session middleware will see
|
|
||||||
console.log("Expected session lookup for ID:", headerSessionId);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
sessionMiddleware(req, res, (err: any) => {
|
sessionMiddleware(req, res, (err: any) => {
|
||||||
|
|||||||
Reference in New Issue
Block a user