Regenerate session after XING login to fix "session fixation" vulnera…

…bility

app/controllers/oauth.js

@@ -35,52 +35,58 @@ module.exports = function (app, io) {
 
     xingApi.getAccessToken(requestToken.token, requestToken.secret, req.query.oauth_verifier,
       function (error, oauthToken, oauthTokenSecret) {
-        res.cookie('requestToken', null); // delete cookie
-
-        var client = xingApi.client(oauthToken, oauthTokenSecret);
-
-        client.get('/v1/users/me', function (error, response) {
-          var user = JSON.parse(response).users[0];
-
-          Wall.findOne({ _id: req.query.wall_id }).exec()
-            .then(function (wall) {
-
-              var profile = new Profile({
-                userId: user.id,
-                displayName: user.display_name,
-                photoUrls: {
-                  size_128x128: user.photo_urls.size_128x128,
-                  size_256x256: user.photo_urls.size_256x256
-                }
-              }).toObject();
-
-              delete profile._id; // make sure that we don't overwrite the internal _id on an update
-
-              Profile.findOneAndUpdate({ userId: user.id }, profile, { upsert: true }).exec()
-                .then(function (profile) {
-                  wall.profiles.pull(profile._id);
-                  wall.profiles.push(profile._id);
-
-                  wall.save(function (err) {
-                    if (err) {
-                      console.error(err);
-                      res.render('error');
-                    } else {
-                      req.session.user = {
-                        id: profile._id,
-                        oauthToken: oauthToken,
-                        oauthTokenSecret: oauthTokenSecret
-                      };
-
-                      io.emit('profiles:updated');
-                      res.render('oauth/callback', { url: "/walls/" + req.query.wall_id });
-                    }
+        if (error) {
+          console.log(error);
+          res.render('error');
+          return;
+        }
+        req.session.regenerate(function (err) {
+          res.cookie('requestToken', null); // delete cookie
+
+          var client = xingApi.client(oauthToken, oauthTokenSecret);
+
+          client.get('/v1/users/me', function (error, response) {
+            var user = JSON.parse(response).users[0];
+
+            Wall.findOne({ _id: req.query.wall_id }).exec()
+              .then(function (wall) {
+
+                var profile = new Profile({
+                  userId: user.id,
+                  displayName: user.display_name,
+                  photoUrls: {
+                    size_128x128: user.photo_urls.size_128x128,
+                    size_256x256: user.photo_urls.size_256x256
+                  }
+                }).toObject();
+
+                delete profile._id; // make sure that we don't overwrite the internal _id on an update
+
+                Profile.findOneAndUpdate({ userId: user.id }, profile, { upsert: true }).exec()
+                  .then(function (profile) {
+                    wall.profiles.pull(profile._id);
+                    wall.profiles.push(profile._id);
+
+                    wall.save(function (err) {
+                      if (err) {
+                        console.error(err);
+                        res.render('error');
+                      } else {
+                        req.session.user = {
+                          id: profile._id,
+                          oauthToken: oauthToken,
+                          oauthTokenSecret: oauthTokenSecret
+                        };
+
+                        io.emit('profiles:updated');
+                        res.render('oauth/callback', { url: "/walls/" + req.query.wall_id });
+                      }
+                    });
                   });
-                });
-
-            }, function (err) {
-              console.log(err);
-            });
+              }, function (err) {
+                console.log(err);
+              });
+          });
         });
       });
   });