Automatically generate a session secret if default is used

The session secret is used to sign and authenticate the session cookie
and this way very important for the authentication process.

By default the session secret is set to `secret` and never changes. This
commit will add a generator for a dynamic session secret if it stays
unchanged.

It prevents session hijacking this way and will warn the user about
the missing secret.

This also implies that on a restart without configured session secret
will log out all users. While it may seems annoying, it's for the users
best.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2018-03-26 00:30:17 +02:00
parent 57c47a65dd
commit 3599fb79b4
No known key found for this signature in database
GPG key ID: 1F05CC3635CDDFFD
2 changed files with 10 additions and 0 deletions

View file

@ -46,6 +46,7 @@ module.exports = {
// session // session
sessionName: 'connect.sid', sessionName: 'connect.sid',
sessionSecret: 'secret', sessionSecret: 'secret',
sessionSecretLen: 128,
sessionLife: 14 * 24 * 60 * 60 * 1000, // 14 days sessionLife: 14 * 24 * 60 * 60 * 1000, // 14 days
staticCacheTime: 1 * 24 * 60 * 60 * 1000, // 1 day staticCacheTime: 1 * 24 * 60 * 60 * 1000, // 1 day
// socket.io // socket.io

View file

@ -1,6 +1,7 @@
'use strict' 'use strict'
const crypto = require('crypto')
const fs = require('fs') const fs = require('fs')
const path = require('path') const path = require('path')
const {merge} = require('lodash') const {merge} = require('lodash')
@ -117,6 +118,14 @@ for (let i = keys.length; i--;) {
} }
} }
// Generate session secret if it stays on default values
if (config.sessionSecret === 'secret') {
logger.warn('Session secret not set. Using random generated one. Please set `sessionSecret` in your config.js file. All users will be logged out.')
config.sessionSecret = crypto.randomBytes(Math.ceil(config.sessionSecretLen / 2)) // generate crypto graphic random number
.toString('hex') // convert to hexadecimal format
.slice(0, config.sessionSecretLen) // return required number of characters
}
// Validate upload upload providers // Validate upload upload providers
if (['filesystem', 's3', 'minio', 'imgur'].indexOf(config.imageUploadType) === -1) { if (['filesystem', 's3', 'minio', 'imgur'].indexOf(config.imageUploadType) === -1) {
logger.error('"imageuploadtype" is not correctly set. Please use "filesystem", "s3", "minio" or "imgur". Defaulting to "imgur"') logger.error('"imageuploadtype" is not correctly set. Please use "filesystem", "s3", "minio" or "imgur". Defaulting to "imgur"')