
Merge pull request #927 from jloveland/local-session-secret
adding ability to configure sessionSecret in local env config
lirantal committed Oct 7, 2015
2 parents 3cfd978 + 2eb0b09 commit 28ae5d6
Showing 4 changed files with 70 additions and 7 deletions.
30 changes: 28 additions & 2 deletions config/config.js
Expand Up @@ -87,6 +87,28 @@ var validateSecureMode = function (config) {
}
};

/**
* Validate Session Secret parameter is not set to default in production
*/
var validateSessionSecret = function (config, testing) {

if (process.env.NODE_ENV !== 'production') {
return true;
}

if (config.sessionSecret === 'MEAN') {
if (!testing) {
console.log(chalk.red('+ WARNING: It is strongly recommended that you change sessionSecret config while running in production!'));
console.log(chalk.red(' Please add `sessionSecret: process.env.SESSION_SECRET || \'super amazing secret\'` to '));
console.log(chalk.red(' `config/env/production.js` or `config/env/local.js`'));
console.log();
}
return false;
} else {
return true;
}
};

/**
* Initialize global configuration files
*/
Expand Down Expand Up @@ -169,7 +191,7 @@ var initGlobalConfig = function () {
// production or development environment. If test environment is used we don't merge it with local.js
// to avoid running test suites on a prod/dev environment (which delete records and make modifications)
if (process.env.NODE_ENV !== 'test') {
config = _.merge(config, (fs.existsSync(path.join(process.cwd(), 'config/env/local.js')) && require(path.join(process.cwd(), 'config/env/local.js'))) || {});
config = _.merge(config, (fs.existsSync(path.join(process.cwd(), 'config/env/local.js')) && require(path.join(process.cwd(), 'config/env/local.js'))) || {});
}

// Initialize global globbed files
Expand All @@ -181,9 +203,13 @@ var initGlobalConfig = function () {
// Validate Secure SSL mode can be used
validateSecureMode(config);

// Validate session secret
validateSessionSecret(config);

// Expose configuration utilities
config.utils = {
getGlobbedPaths: getGlobbedPaths
getGlobbedPaths: getGlobbedPaths,
validateSessionSecret: validateSessionSecret
};

return config;
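Review bot: The result of `validateSessionSecret(config)` on the new call in initGlobalConfig is discarded, so a production process whose sessionSecret is still 'MEAN' prints the red warning and starts anyway, serving session cookies signed with a secret that is public in this repository and therefore forgeable. Unless validateSecureMode (whose body sits above the first hunk) deliberately keeps this file warning-only, I would make the failure fatal at the call site, `if (!validateSessionSecret(config)) { process.exit(1); }`, which is safe because the function already returns true outside production, so development and the test suite are unaffected. The check itself only rejects the exact string 'MEAN', so the fallback the warning text recommends (`'super amazing secret'`) and the `'youshouldchangethistosomethingsecret'` placeholder in local.example.js both pass even though they are just as public, and the warning should point users at the SESSION_SECRET environment variable rather than at pasting a literal into production.js. A small denylist of known placeholders, plus a check for an unset secret, closes that gap as sketched below. initGlobalConfig begins before the second hunk and its closing brace is below the third.
```javascript
// Placeholder secrets shipped in this repository; none of them may sign production cookies.
var DEFAULT_SESSION_SECRETS = ['MEAN', 'super amazing secret', 'youshouldchangethistosomethingsecret'];

var validateSessionSecret = function (config, testing) {
  if (process.env.NODE_ENV !== 'production') {
    return true;
  }

  var secret = config.sessionSecret;
  if (!secret || DEFAULT_SESSION_SECRETS.indexOf(secret) !== -1) {
    if (!testing) {
      console.log(chalk.red('+ WARNING: sessionSecret is unset or still a default value; set the SESSION_SECRET environment variable before running in production!'));
      console.log();
    }
    return false;
  }
  return true;
};
```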
4 changes: 2 additions & 2 deletions config/env/default.js
Expand Up @@ -14,15 +14,15 @@ module.exports = {
// session expiration is set by default to 24 hours
maxAge: 24 * (60 * 60 * 1000),
// httpOnly flag makes sure the cookie is only accessed
// through the HTTP protocol and not JS/browser
// through the HTTP protocol and not JS/browser
httpOnly: true,
// secure cookie should be turned to true to provide additional
// layer of security so that the cookie is set only when working
// in HTTPS mode.
secure: false
},
// sessionSecret should be changed for security measures and concerns
sessionSecret: 'MEAN',
sessionSecret: process.env.SESSION_SECRET || 'MEAN',
// sessionKey is set to the generic sessionId key used by PHP applications
// for obsecurity reasons
sessionKey: 'sessionId',
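Review bot: The `||` on the new sessionSecret line means an empty SESSION_SECRET (a blank value in an env file or orchestrator template is easy to ship) silently falls back to 'MEAN' instead of failing, and the comment above it still only says the value "should be changed" without saying how. I would reword that comment to `// sessionSecret is read from the SESSION_SECRET environment variable; the literal is a development-only fallback that validateSessionSecret in config/config.js flags in production`. Note that the literal here and the string compared in validateSessionSecret must stay identical for that warning to fire, so changing this default in one place without the other would silently disable the check.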
1 change: 1 addition & 0 deletions config/env/local.example.js
Expand Up @@ -14,6 +14,7 @@ module.exports = {
pass: ''
}
},
sessionSecret: process.env.SESSION_SECRET || 'youshouldchangethistosomethingsecret',
facebook: {
clientID: process.env.FACEBOOK_ID || 'APP_ID',
clientSecret: process.env.FACEBOOK_SECRET || 'APP_SECRET',
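Review bot: The new sessionSecret line gives local.js a hard-coded fallback, and because local.js is merged into the configuration in every non-test environment (see the local.js merge in config/config.js in this same commit), a production host without SESSION_SECRET set ends up signing cookies with 'youshouldchangethistosomethingsecret', a value validateSessionSecret does not flag since it compares only against 'MEAN'. I would drop the fallback from the example, `sessionSecret: process.env.SESSION_SECRET,`, so that a missing variable leaves the default in place for the validator to catch (lodash's merge skips undefined source values, as far as I recall; worth confirming), or at minimum add a comment that this placeholder is no safer than the default. The example's module.exports object starts above the hunk and closes below it.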
42 changes: 39 additions & 3 deletions modules/core/tests/server/core.server.config.tests.js
Expand Up @@ -10,10 +10,10 @@ var should = require('should'),
config = require(path.resolve('./config/config')),
seed = require(path.resolve('./config/lib/seed'));

describe('Configuration tests', function () {
describe('Configuration Tests:', function () {
this.timeout(10000);

describe('Testing default seedDB:', function () {
describe('Testing default seedDB', function () {
before(function(done) {
User.remove(function(err) {
should.not.exist(err);
Expand Down Expand Up @@ -118,7 +118,43 @@ describe('Configuration tests', function () {
});
});
});

});

describe('Testing Session Secret Configuration', function () {
it('should warn if using default session secret when running in production', function (done) {
var conf = { sessionSecret: 'MEAN' };
// set env to production for this test
process.env.NODE_ENV = 'production';
config.utils.validateSessionSecret(conf, true).should.equal(false);
// set env back to test
process.env.NODE_ENV = 'test';
done();
});

it('should accept non-default session secret when running in production', function (done) {
var conf = { sessionSecret: 'super amazing secret' };
// set env to production for this test
process.env.NODE_ENV = 'production';
config.utils.validateSessionSecret(conf, true).should.equal(true);
// set env back to test
process.env.NODE_ENV = 'test';
done();
});

it('should accept default session secret when running in development', function (done) {
var conf = { sessionSecret: 'MEAN' };
// set env to development for this test
process.env.NODE_ENV = 'development';
config.utils.validateSessionSecret(conf, true).should.equal(true);
// set env back to test
process.env.NODE_ENV = 'test';
done();
});

it('should accept default session secret when running in test', function (done) {
var conf = { sessionSecret: 'MEAN' };
config.utils.validateSessionSecret(conf, true).should.equal(true);
done();
});
});
});
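Review bot: Each test in the new 'Testing Session Secret Configuration' block assigns `process.env.NODE_ENV` and only restores it after the assertion, so a failing `should.equal` leaves NODE_ENV at 'production' (or 'development') for every test that runs afterwards, turning one failure into a cascade. Moving the restore into a hook, `afterEach(function () { process.env.NODE_ENV = 'test'; });` at the top of the describe, and deleting the four manual resets makes the cleanup unconditional. The second test also pins `'super amazing secret'`, the very placeholder the warning message in config/config.js recommends, as an acceptable production secret; if the validator is later tightened to reject known placeholders this test should use an obviously non-placeholder value such as a random string. The enclosing describe('Configuration Tests:') opens in the first hunk and closes at the end of the second.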
