Support any type in "secret" that crypto.createHmac supports

expressjs · Jun 9, 2023 · d8a8fe2 · d8a8fe2
1 parent 710ae06
commit d8a8fe2
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 7 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,3 +1,9 @@
+unreleased
+==========
+
+  * Support any type in `secret` that `crypto.createHmac` supports
+  * deps: cookie-signature@1.0.7
+
 1.17.3 / 2022-05-11
 ===================
 

diff --git a/README.md b/README.md
@@ -274,12 +274,13 @@ it to be saved. *This has been fixed in PassportJS 0.3.0*
 
 **Required option**
 
-This is the secret used to sign the session ID cookie. This can be either a string
-for a single secret, or an array of multiple secrets. If an array of secrets is
-provided, only the first element will be used to sign the session ID cookie, while
-all the elements will be considered when verifying the signature in requests. The
-secret itself should be not easily parsed by a human and would best be a random set
-of characters. A best practice may include:
+This is the secret used to sign the session ID cookie. The secret can be any type
+of value that is supported by Node.js `crypto.createHmac` (like a string or a
+`Buffer`). This can be either a single secret, or an array of multiple secrets. If
+an array of secrets is provided, only the first element will be used to sign the
+session ID cookie, while all the elements will be considered when verifying the
+signature in requests. The secret itself should be not easily parsed by a human and
+would best be a random set of characters. A best practice may include:
 
   - The use of environment variables to store the secret, ensuring the secret itself
     does not exist in your repository.

diff --git a/package.json b/package.json
@@ -11,7 +11,7 @@
   "license": "MIT",
   "dependencies": {
     "cookie": "0.4.2",
-    "cookie-signature": "1.0.6",
+    "cookie-signature": "1.0.7",
     "debug": "2.6.9",
     "depd": "~2.0.0",
     "on-headers": "~1.0.2",

diff --git a/test/session.js b/test/session.js
@@ -2,6 +2,7 @@
 var after = require('after')
 var assert = require('assert')
 var cookieParser = require('cookie-parser')
+var crypto = require('crypto')
 var express = require('express')
 var fs = require('fs')
 var http = require('http')
@@ -1197,6 +1198,50 @@ describe('session()', function(){
       assert.throws(createServer.bind(null, { secret: [] }), /secret option array/);
     })
 
+    it('should sign and unsign with a string', function (done) {
+      var server = createServer({ secret: 'awesome cat' }, function (req, res) {
+        if (!req.session.user) {
+          req.session.user = 'bob'
+          res.end('set')
+        } else {
+          res.end('get:' + JSON.stringify(req.session.user))
+        }
+      })
+
+      request(server)
+        .get('/')
+        .expect(shouldSetCookie('connect.sid'))
+        .expect(200, 'set', function (err, res) {
+          if (err) return done(err)
+          request(server)
+            .get('/')
+            .set('Cookie', cookie(res))
+            .expect(200, 'get:"bob"', done)
+        })
+    })
+
+    it('should sign and unsign with a Buffer', function (done) {
+      var server = createServer({ secret: crypto.randomBytes(32) }, function (req, res) {
+        if (!req.session.user) {
+          req.session.user = 'bob'
+          res.end('set')
+        } else {
+          res.end('get:' + JSON.stringify(req.session.user))
+        }
+      })
+
+      request(server)
+        .get('/')
+        .expect(shouldSetCookie('connect.sid'))
+        .expect(200, 'set', function (err, res) {
+          if (err) return done(err)
+          request(server)
+            .get('/')
+            .set('Cookie', cookie(res))
+            .expect(200, 'get:"bob"', done)
+        })
+    })
+
     describe('when an array', function () {
       it('should sign cookies', function (done) {
         var server = createServer({ secret: ['keyboard cat', 'nyan cat'] }, function (req, res) {