From 3599fb79b437fb758e799452a9ad335420787349 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Mon, 26 Mar 2018 00:30:17 +0200 Subject: Automatically generate a session secret if default is used The session secret is used to sign and authenticate the session cookie and this way very important for the authentication process. By default the session secret is set to `secret` and never changes. This commit will add a generator for a dynamic session secret if it stays unchanged. It prevents session hijacking this way and will warn the user about the missing secret. This also implies that on a restart without configured session secret will log out all users. While it may seems annoying, it's for the users best. Signed-off-by: Sheogorath --- lib/config/default.js | 1 + lib/config/index.js | 9 +++++++++ 2 files changed, 10 insertions(+) (limited to 'lib/config') diff --git a/lib/config/default.js b/lib/config/default.js index 19ddccf6..b6f1af17 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -46,6 +46,7 @@ module.exports = { // session sessionName: 'connect.sid', sessionSecret: 'secret', + sessionSecretLen: 128, sessionLife: 14 * 24 * 60 * 60 * 1000, // 14 days staticCacheTime: 1 * 24 * 60 * 60 * 1000, // 1 day // socket.io diff --git a/lib/config/index.js b/lib/config/index.js index fae51e52..54e9aae6 100644 --- a/lib/config/index.js +++ b/lib/config/index.js @@ -1,6 +1,7 @@ 'use strict' +const crypto = require('crypto') const fs = require('fs') const path = require('path') const {merge} = require('lodash') @@ -117,6 +118,14 @@ for (let i = keys.length; i--;) { } } +// Generate session secret if it stays on default values +if (config.sessionSecret === 'secret') { + logger.warn('Session secret not set. Using random generated one. Please set `sessionSecret` in your config.js file. All users will be logged out.') + config.sessionSecret = crypto.randomBytes(Math.ceil(config.sessionSecretLen / 2)) // generate crypto graphic random number + .toString('hex') // convert to hexadecimal format + .slice(0, config.sessionSecretLen) // return required number of characters +} + // Validate upload upload providers if (['filesystem', 's3', 'minio', 'imgur'].indexOf(config.imageUploadType) === -1) { logger.error('"imageuploadtype" is not correctly set. Please use "filesystem", "s3", "minio" or "imgur". Defaulting to "imgur"') -- cgit v1.2.3