fix(crypto): address insecurities with AEAD AAD data

package.json

@@ -23,6 +23,7 @@
     "url": "https://github.com/jdesboeufs/connect-mongo/issues"
   },
   "dependencies": {
+    "kruptein": "^2.1.0",
     "mongodb": "^3.1.0"
   },
   "devDependencies": {

src/index.js

@@ -71,9 +71,7 @@ module.exports = function(connect) {
       /* Use crypto? */
       if (options.secret) {
         try {
-          this.Crypto = require('./crypto.js')
-          this.Crypto.init(options)
-          delete options.secret
+          this.Crypto = require('kruptein')(options)
         } catch (error) {
           throw error
         }
@@ -238,7 +236,15 @@ module.exports = function(connect) {
                 const tmpSession = this.transformFunctions.unserialize(
                   session.session
                 )
-                session.session = this.Crypto.get(tmpSession)
+                this.Crypto.get(
+                  this.options.secret,
+                  tmpSession,
+                  (err, session) => {
+                    if (err) throw err
+
+                    session.session = session
+                  }
+                )
               }
               const s = this.transformFunctions.unserialize(session.session)
               if (this.options.touchAfter > 0 && session.lastModified) {
@@ -261,11 +267,11 @@ module.exports = function(connect) {
       let s
 
       if (this.Crypto) {
-        try {
-          session = this.Crypto.set(session)
-        } catch (error) {
-          return withCallback(Promise.reject(error), callback)
-        }
+        this.Crypto.set(this.options.secret, session, (err, data) => {
+          if (err) return withCallback(Promise.reject(err), callback)
+
+          session = data
+        })
       }
 
       try {