This repository has been archived by the owner on Feb 3, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 38
/
cookie-sessions.js
149 lines (124 loc) · 4.93 KB
/
cookie-sessions.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
var crypto = require('crypto');
// Extend a given object with all the properties in passed-in object(s).
// From underscore.js (http://documentcloud.github.com/underscore/)
function extend(obj) {
Array.prototype.slice.call(arguments).forEach(function(source) {
for (var prop in source) obj[prop] = source[prop];
});
return obj;
};
exports.deserialize = function(secret, timeout, str){
// Parses a secure cookie string, returning the object stored within it.
// Throws an exception if the secure cookie string does not validate.
if(!exports.valid(secret, timeout, str)){
throw new Error('invalid cookie');
}
var data = exports.decrypt(secret, exports.split(str).data_blob);
return JSON.parse(data);
};
exports.serialize = function(secret, data){
// Turns a JSON-compatibile object literal into a secure cookie string
var data_str = JSON.stringify(data);
var data_enc = exports.encrypt(secret, data_str);
var timestamp = (new Date()).getTime();
var hmac_sig = exports.hmac_signature(secret, timestamp, data_enc);
var result = hmac_sig + timestamp + data_enc;
if(!exports.checkLength(result)){
throw new Error('data too long to store in a cookie');
}
return result;
};
exports.split = function(str){
// Splits a cookie string into hmac signature, timestamp and data blob.
return {
hmac_signature: str.slice(0,40),
timestamp: parseInt(str.slice(40, 53), 10),
data_blob: str.slice(53)
};
};
exports.hmac_signature = function(secret, timestamp, data){
// Generates a HMAC for the timestamped data, returning the
// hex digest for the signature.
var hmac = crypto.createHmac('sha1', secret);
hmac.update(timestamp + data);
return hmac.digest('hex');
};
exports.valid = function(secret, timeout, str){
// Tests the validity of a cookie string. Returns true if the HMAC
// signature of the secret, timestamp and data blob matches the HMAC in the
// cookie string, and the cookie's age is less than the timeout value.
var parts = exports.split(str);
var hmac_sig = exports.hmac_signature(
secret, parts.timestamp, parts.data_blob
);
return (
parts.hmac_signature === hmac_sig &&
parts.timestamp + timeout > new Date().getTime()
);
};
exports.decrypt = function(secret, str){
// Decrypt the aes192 encoded str using secret.
var decipher = crypto.createDecipher("aes192", secret);
return decipher.update(str, 'hex', 'utf8') + decipher.final('utf8');
};
exports.encrypt = function(secret, str){
// Encrypt the str with aes192 using secret.
var cipher = crypto.createCipher("aes192", secret);
return cipher.update(str, 'utf8', 'hex') + cipher.final('hex');
};
exports.checkLength = function(str){
// Test if a string is within the maximum length allowed for a cookie.
return str.length <= 4096;
};
exports.readCookies = function(req){
// Extracts the cookies from a request object.
var cookie = req.headers.cookie;
if(!cookie){
return {};
}
var parts = cookie.split('; ').map(function(x){
return x.split('=');
});
return parts.reduce(function(a, x){
a[unescape(x[0])] = unescape(x[1]);
return a;
}, {});
};
exports.readSession = function(key, secret, timeout, req){
// Reads the session data stored in the cookie named 'key' if it validates,
// otherwise returns an empty object.
var cookies = exports.readCookies(req);
if(cookies[key]){
return exports.deserialize(secret, timeout, cookies[key]);
}
return {};
};
exports.filter = function(settings){
var default_settings = {
// don't set a default cookie secret, must be explicitly defined
session_key: '_node',
timeout: 1000 * 60 * 60 * 24 // 24 hours
};
var s = extend(default_settings, settings);
if(!s.secret) throw new Error('No secret set in cookie-session settings');
return function(req, res, next){
// Read session data from a request and store it in req.session
req.session = exports.readSession(
s.session_key, s.secret, s.timeout, req);
// proxy writeHead to add cookie to response
var _writeHead = res.writeHead;
res.writeHead = function(){
var args = Array.prototype.slice.call(arguments);
var headers = (args.length > 1) ? args[args.length-1] : {};
// Add a Set-Cookie header to all responses with the session data
// and the current timestamp. The cookie needs to be set on every
// response so that the timestamp is up to date, and the session
// does not expire unless the user is inactive.
headers['Set-Cookie'] = escape(s.session_key) + '=' +
escape(exports.serialize(s.secret, req.session));
// call the original writeHead on the request
return _writeHead.apply(res, args);
}
next();
};
};