Merge pull request #927 from jloveland/local-session-secret

adding ability to configure session.secret in local env config
2026-06-19 16:22:15 +02:00 · 2015-10-07 18:49:06 +03:00
parent 3cfd978e8a 2eb0b0970d
commit 28ae5d6301
4 changed files with 70 additions and 7 deletions
--- a/config/config.js
+++ b/config/config.js
@@ -87,6 +87,28 @@ var validateSecureMode = function (config) {
  }
 };

+/**
+ * Validate Session Secret parameter is not set to default in production
+ */
+var validateSessionSecret = function (config, testing) {
+
+  if (process.env.NODE_ENV !== 'production') {
+    return true;
+  }
+
+  if (config.sessionSecret === 'MEAN') {
+    if (!testing) {
+      console.log(chalk.red('+ WARNING: It is strongly recommended that you change sessionSecret config while running in production!'));
+      console.log(chalk.red('  Please add `sessionSecret: process.env.SESSION_SECRET || \'super amazing secret\'` to '));
+      console.log(chalk.red('  `config/env/production.js` or `config/env/local.js`'));
+      console.log();
+    }
+    return false;
+  } else {
+    return true;
+  }
+};
+
 /**
 * Initialize global configuration files
 */
@@ -169,7 +191,7 @@ var initGlobalConfig = function () {
  // production or development environment. If test environment is used we don't merge it with local.js
  // to avoid running test suites on a prod/dev environment (which delete records and make modifications)
  if (process.env.NODE_ENV !== 'test') {
-    config = _.merge(config, (fs.existsSync(path.join(process.cwd(), 'config/env/local.js')) && require(path.join(process.cwd(), 'config/env/local.js'))) || {});  
+    config = _.merge(config, (fs.existsSync(path.join(process.cwd(), 'config/env/local.js')) && require(path.join(process.cwd(), 'config/env/local.js'))) || {});
  }

  // Initialize global globbed files
@@ -181,9 +203,13 @@ var initGlobalConfig = function () {
  // Validate Secure SSL mode can be used
  validateSecureMode(config);

+  // Validate session secret
+  validateSessionSecret(config);
+
  // Expose configuration utilities
  config.utils = {
-    getGlobbedPaths: getGlobbedPaths
+    getGlobbedPaths: getGlobbedPaths,
+    validateSessionSecret: validateSessionSecret
  };

  return config;
--- a/config/env/default.js
+++ b/config/env/default.js
@@ -14,7 +14,7 @@ module.exports = {
    // session expiration is set by default to 24 hours
    maxAge: 24 * (60 * 60 * 1000),
    // httpOnly flag makes sure the cookie is only accessed
-    // through the HTTP protocol and not JS/browser 
+    // through the HTTP protocol and not JS/browser
    httpOnly: true,
    // secure cookie should be turned to true to provide additional
    // layer of security so that the cookie is set only when working
@@ -22,7 +22,7 @@ module.exports = {
    secure: false
  },
  // sessionSecret should be changed for security measures and concerns
-  sessionSecret: 'MEAN',
+  sessionSecret: process.env.SESSION_SECRET || 'MEAN',
  // sessionKey is set to the generic sessionId key used by PHP applications
  // for obsecurity reasons
  sessionKey: 'sessionId',
--- a/config/env/local.example.js
+++ b/config/env/local.example.js
@@ -14,6 +14,7 @@ module.exports = {
      pass: ''
    }
  },
+  sessionSecret: process.env.SESSION_SECRET || 'youshouldchangethistosomethingsecret',
  facebook: {
    clientID: process.env.FACEBOOK_ID || 'APP_ID',
    clientSecret: process.env.FACEBOOK_SECRET || 'APP_SECRET',
--- a/modules/core/tests/server/core.server.config.tests.js
+++ b/modules/core/tests/server/core.server.config.tests.js
@@ -10,10 +10,10 @@ var should = require('should'),
  config = require(path.resolve('./config/config')),
  seed = require(path.resolve('./config/lib/seed'));

-describe('Configuration tests', function () {
+describe('Configuration Tests:', function () {
  this.timeout(10000);

-  describe('Testing default seedDB:', function () {
+  describe('Testing default seedDB', function () {
    before(function(done) {
      User.remove(function(err) {
        should.not.exist(err);
@@ -118,7 +118,43 @@ describe('Configuration tests', function () {
        });
      });
    });
-
  });

+  describe('Testing Session Secret Configuration', function () {
+    it('should warn if using default session secret when running in production', function (done) {
+      var conf = { sessionSecret: 'MEAN' };
+      // set env to production for this test
+      process.env.NODE_ENV = 'production';
+      config.utils.validateSessionSecret(conf, true).should.equal(false);
+      // set env back to test
+      process.env.NODE_ENV = 'test';
+      done();
+    });
+
+    it('should accept non-default session secret when running in production', function (done) {
+      var conf = { sessionSecret: 'super amazing secret' };
+      // set env to production for this test
+      process.env.NODE_ENV = 'production';
+      config.utils.validateSessionSecret(conf, true).should.equal(true);
+      // set env back to test
+      process.env.NODE_ENV = 'test';
+      done();
+    });
+
+    it('should accept default session secret when running in development', function (done) {
+      var conf = { sessionSecret: 'MEAN' };
+      // set env to development for this test
+      process.env.NODE_ENV = 'development';
+      config.utils.validateSessionSecret(conf, true).should.equal(true);
+      // set env back to test
+      process.env.NODE_ENV = 'test';
+      done();
+    });
+
+    it('should accept default session secret when running in test', function (done) {
+      var conf = { sessionSecret: 'MEAN' };
+      config.utils.validateSessionSecret(conf, true).should.equal(true);
+      done();
+    });
+  });
 });