Merge pull request from GHSA-pj27-2xvp-4qxg

* fix: Use original expiration date when evaluating restored session. * fix: Also serialize new field.
fastify · May 21, 2024 · 0495ce5 · 0495ce5
1 parent 8b6241c
commit 0495ce5
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 1 deletion.
diff --git a/lib/cookie.js b/lib/cookie.js
@@ -11,6 +11,10 @@ module.exports = class Cookie {
     this.partitioned = cookie.partitioned
     this._expires = null
 
+    if(cookie.expires) {
+      this.originalExpires = new Date(cookie.expires)
+    }
+
     if (originalMaxAge) {
       this.maxAge = originalMaxAge
     } else if (cookie.expires) {
@@ -56,6 +60,7 @@ module.exports = class Cookie {
     return {
       expires: this._expires,
       originalMaxAge: this.originalMaxAge,
+      originalExpires: this.originalExpires,
       sameSite: this.sameSite,
       secure: this.secure,
       path: this.path,

diff --git a/lib/fastifySession.js b/lib/fastifySession.js
@@ -92,7 +92,9 @@ function fastifySession (fastify, options, next) {
         decryptedSessionId
       )
 
-      if (restoredSession.cookie.expires && restoredSession.cookie.expires.getTime() <= Date.now()) {
+      const expiration = restoredSession.cookie.originalExpires || restoredSession.cookie.expires
+
+      if (expiration && expiration.getTime() <= Date.now()) {
         restoredSession.destroy(err => {
           if (err) {
             done(err)

diff --git a/test/expiration.test.js b/test/expiration.test.js
@@ -0,0 +1,63 @@
+"use strict";
+
+const test = require("tap").test;
+const { buildFastify, DEFAULT_SECRET } = require("./util");
+const { setTimeout } = require("node:timers/promises");
+
+test("sessions should be deleted if expired", async (t) => {
+  t.plan(5);
+
+  const sessions = {};
+  const options = {
+    secret: DEFAULT_SECRET,
+    store: {
+      get(id, cb) {
+        t.pass("session was restored");
+        cb(null, sessions[id]);
+      },
+      set(id, session, cb) {
+        sessions[id] = session;
+        cb();
+      },
+      destroy(id, cb) {
+        t.pass("expired session is destroyed");
+        cb();
+      },
+    },
+    cookie: { maxAge: 1000, secure: false },
+  };
+
+  const fastify = await buildFastify((request, reply) => {
+    reply.send(200);
+  }, options);
+  t.teardown(() => {
+    fastify.close();
+  });
+
+  let response;
+  response = await fastify.inject({
+    url: "/",
+  });
+
+  const initialSession = response.headers["set-cookie"]
+    .split(" ")[0]
+    .replace(";", "");
+  t.ok(initialSession.startsWith("sessionId="));
+
+  // Wait for the cookie to expire
+  await setTimeout(2000);
+
+  response = await fastify.inject({
+    url: "/",
+    headers: {
+      Cookie: initialSession,
+    },
+  });
+
+  const endingSession = response.headers["set-cookie"]
+    .split(" ")[0]
+    .replace(";", "");
+  t.ok(endingSession.startsWith("sessionId="));
+
+  t.not(initialSession, endingSession);
+});