
Issue #19296 move config and salt settings to config file.

1 parent 8579ed2 commit 6cbca87cbe2b118f56d3751e9c3b5020796bed84 @bendiy bendiy committed Mar 28, 2013
@@ -13,7 +13,6 @@ _ = require("underscore");
var options = require("./lib/options"),
schema = false,
privs = false,
- sessionObjectLoaded,
schemaOptions = {},
privsOptions = {};
@@ -217,10 +216,11 @@ var app = express(),
XTPGStore = require('./oauth2/db/connect-xt-pg')(express),
io,
//sessionStore = new MemoryStore(),
- sessionStore = new XTPGStore({ hybridCache: true }),
+ sessionStore = new XTPGStore({ hybridCache: X.options.datasource.requireCache }),
Session = require('express/node_modules/connect/lib/middleware/session').Session,
Cookie = require('express/node_modules/connect/lib/middleware/session/cookie'),
- cookie = require('express/node_modules/cookie');
+ cookie = require('express/node_modules/cookie'),
+ privateSalt = X.fs.readFileSync(X.options.datasource.saltFile).toString();
// Conditionally load express.session(). REST API endpoints using OAuth tokens do not get sessions.
var conditionalExpressSession = function (req, res, next) {
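Review bot: The salt is loaded with the identical `X.fs.readFileSync(X.options.datasource.saltFile).toString()` expression here (L26) and again in the two oauth2 modules (L71, L104), so every module re-reads the file and any trailing newline in it silently becomes part of the secret. Loading it once where options are parsed and exposing the trimmed value would keep all consumers in step and make a missing or empty file fail in one place: `privateSalt = X.fs.readFileSync(X.options.datasource.saltFile, 'utf8').trim();`. An empty file currently yields an empty secret; express.session may reject that at setup, but parseSignedCookie further down in this file would not, so an explicit non-empty check at load time is worth adding. The enclosing var declaration list starts before the hunk.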
@@ -233,11 +233,16 @@ var conditionalExpressSession = function (req, res, next) {
// Instead of doing app.use(express.session()) we call the package directly
// which returns a function(req, res, next) we can call to do the same thing.
var init_session = express.session({
- store: sessionStore,
- secret: '.T#T@r5EkPM*N@C%9K-iPW!+T',
- // See cookie stomp above for more details on how this session cookie works.
- cookie: { path: '/', httpOnly: true, secure: true, maxAge: 3600000 }
- });
+ store: sessionStore,
+ secret: privateSalt,
+ // See cookie stomp above for more details on how this session cookie works.
+ cookie: {
+ path: '/',
+ httpOnly: true,
+ secure: true,
+ maxAge: (X.options.datasource.sessionTimeout * 60 * 1000)
+ }
+ });
init_session(req, res, next);
}
@@ -433,7 +438,7 @@ io.of('/clientsock').authorization(function (handshakeData, callback) {
}
// Add sessionID so we can use it to check for valid sessions on each request below.
- handshakeData.sessionID = parseSignedCookie(handshakeData.cookie['connect.sid'], '.T#T@r5EkPM*N@C%9K-iPW!+T');
+ handshakeData.sessionID = parseSignedCookie(handshakeData.cookie['connect.sid'], privateSalt);
sessionStore.get(handshakeData.sessionID, function (err, session) {
if (err) {
@@ -128,7 +128,7 @@ module.exports = function (connect) {
});
};
- X.debug("XTPGStore SessionStore using hybridCache = ", this.hybridCache);
+ X.log("SessionStore using hybridCache = ", this.hybridCache);
// Prime this.sessions and MemoryCache on initialization.
this.loadSessions();
}
@@ -12,7 +12,8 @@ var auth = require('../routes/auth'),
login = require('connect-ensure-login'),
db = require('./db'),
url = require('url'),
- utils = require('./utils');
+ utils = require('./utils'),
+ privateSalt = X.fs.readFileSync(X.options.datasource.saltFile).toString();
// create OAuth 2.0 server
var server = oauth2orize.createServer();
@@ -149,7 +150,7 @@ server.exchange(oauth2orize.exchange.code(function (client, code, redirectURI, d
// The accessToken is only valid for 1 hour and must be sent with each request to
// the REST API. The bcrypt hash calculation on each request would be too expensive.
// Therefore, we do not need to bcrypt the accessToken, just SHA1 it.
- accesshash = X.crypto.createHash('sha1').update(accessToken).digest("hex");
+ accesshash = X.crypto.createHash('sha1').update(privateSalt + accessToken).digest("hex");
saveOptions.success = function (model) {
if (!model) { return done(null, false); }
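Review bot: `privateSalt + accessToken` feeds a plain SHA-1 of a concatenation rather than a keyed hash; the same construction is repeated at L87, L95 and L111. If `X.crypto` is Node's crypto module, an HMAC states the intent directly and avoids length-extension concerns: `accesshash = X.crypto.createHmac('sha1', privateSalt).update(accessToken).digest("hex");` — all four sites must change together because the lookup at L112 compares against the stored value. The same `privateSalt` also serves as the session-cookie signing secret in the main server file (L39, L54); a separate config entry for the token-hash key would keep the two roles independent. The enclosing exchange callback starts outside the hunk.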
@@ -237,7 +238,7 @@ server.exchange(oauth2orize.exchange.refreshToken(function (client, refreshToken
// The accessToken is only valid for 1 hour and must be sent with each request to
// the REST API. The bcrypt hash calculation on each request would be too expensive.
// Therefore, we do not need to bcrypt the accessToken, just SHA1 it.
- accesshash = X.crypto.createHash('sha1').update(accessToken).digest("hex");
+ accesshash = X.crypto.createHash('sha1').update(privateSalt + accessToken).digest("hex");
saveOptions.success = function (model) {
if (!model) { return done(null, false); }
@@ -366,7 +367,7 @@ server.exchange('urn:ietf:params:oauth:grant-type:jwt-bearer', jwtBearer(functio
// The accessToken is only valid for 1 hour and must be sent with each request to
// the REST API. The bcrypt hash calculation on each request would be too expensive.
// Therefore, we do not need to bcrypt the accessToken, just SHA1 it.
- accesshash = X.crypto.createHash('sha1').update(accessToken).digest("hex");
+ accesshash = X.crypto.createHash('sha1').update(privateSalt + accessToken).digest("hex");
saveOptions.success = function (model) {
if (!model) { return done(null, false); }
@@ -11,7 +11,8 @@ var passport = require('passport'),
ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy,
ClientJWTBearerStrategy = require('passport-oauth2-jwt-bearer').Strategy,
BearerStrategy = require('passport-http-bearer').Strategy,
- db = require('./db');
+ db = require('./db'),
+ privateSalt = X.fs.readFileSync(X.options.datasource.saltFile).toString();
/**
@@ -150,7 +151,7 @@ passport.use(new BearerStrategy(
// That could take a lot of CPU if there are 1000's of accessToken. Instead, we will
// not use any salt for this hash. An accessToken is only valid for 1 hour so the
// risk of cracking the SHA1 hash in that time is small.
- var accesshash = X.crypto.createHash('sha1').update(accessToken).digest("hex");
+ var accesshash = X.crypto.createHash('sha1').update(privateSalt + accessToken).digest("hex");
db.accessTokens.findByAccessToken(accesshash, function (err, token) {
if (err) { return done(err); }
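Review bot: The comment directly above the changed line (L107–L109) still says "we will not use any salt for this hash", which the new code contradicts now that `privateSalt` is prefixed to the token. Those three lines should be rewritten to match, e.g. `// Keyed with privateSalt (from datasource.saltFile) instead of bcrypt: bcrypt on every request would be too expensive, and the accessToken is only valid for 1 hour.` The enclosing passport.use callback starts outside the hunk.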
@@ -10,10 +10,10 @@ regexp:true, undef:true, strict:true, trailing:true, white:true */
debugging: true,
allowMultipleInstances: true,
requireDatabase: true,
- requireServer: true,
- requireCache: true,
enhancedAuthKey: "xTuple",
datasource: {
+ sessionTimeout: 60,
+ requireCache: true,
bindAddress: "localhost",
port: 443,
keyFile: "./lib/private/key.pem",
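Review bot: The server code in this commit reads `X.options.datasource.saltFile`, but this hunk adds only `sessionTimeout` and `requireCache` to `datasource`; if `saltFile` is not defined further down (outside the hunk), `readFileSync(undefined)` throws at startup. `sessionTimeout` is consumed as minutes (`* 60 * 1000` in the session setup), which the config does not state; a unit comment avoids a 60-fold mistake: `sessionTimeout: 60, // minutes`. If this is the sample config, a placeholder entry beside `keyFile` (e.g. `saltFile: "<path to salt file>"`, placeholder value) would document the new requirement.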
