/*! * express-session * Copyright(c) 2010 Sencha Inc. * Copyright(c) 2011 TJ Holowaychuk * Copyright(c) 2014-2015 Douglas Christopher Wilson * MIT Licensed */ 'use strict'; /** * Module dependencies. * @private */ var Buffer = require('safe-buffer').Buffer var cookie = require('cookie'); var crypto = require('crypto') var debug = require('debug')('express-session'); var deprecate = require('depd')('express-session'); var onHeaders = require('on-headers') var parseUrl = require('parseurl'); var signature = require('cookie-signature') var uid = require('uid-safe').sync var Cookie = require('./session/cookie') var MemoryStore = require('./session/memory') var Session = require('./session/session') var Store = require('./session/store') // environment var env = process.env.NODE_ENV; /** * Expose the middleware. */ exports = module.exports = session; /** * Expose constructors. */ exports.Store = Store; exports.Cookie = Cookie; exports.Session = Session; exports.MemoryStore = MemoryStore; /** * Warning message for `MemoryStore` usage in production. * @private */ var warning = 'Warning: connect.session() MemoryStore is not\n' + 'designed for a production environment, as it will leak\n' + 'memory, and will not scale past a single process.'; /** * Node.js 0.8+ async implementation. * @private */ /* istanbul ignore next */ var defer = typeof setImmediate === 'function' ? setImmediate : function(fn){ process.nextTick(fn.bind.apply(fn, arguments)) } /** * Setup session store with the given `options`. * * @param {Object} [options] * @param {Object} [options.cookie] Options for cookie * @param {Function} [options.genid] * @param {String} [options.name=connect.sid] Session ID cookie name * @param {Boolean} [options.proxy] * @param {Boolean} [options.resave] Resave unmodified sessions back to the store * @param {Boolean} [options.rolling] Enable/disable rolling session expiration * @param {Boolean} [options.saveUninitialized] Save uninitialized sessions to the store * @param {String|Array} [options.secret] Secret for signing session ID * @param {Object} [options.store=MemoryStore] Session store * @param {String} [options.unset] * @return {Function} middleware * @public */ function session(options) { var opts = options || {} // get the cookie options var cookieOptions = opts.cookie || {} // get the session id generate function var generateId = opts.genid || generateSessionId // get the session cookie name var name = opts.name || opts.key || 'connect.sid' // get the session store var store = opts.store || new MemoryStore() // get the trust proxy setting var trustProxy = opts.proxy // get the resave session option var resaveSession = opts.resave; // get the rolling session option var rollingSessions = Boolean(opts.rolling) // get the save uninitialized session option var saveUninitializedSession = opts.saveUninitialized // get the cookie signing secret var secret = opts.secret if (typeof generateId !== 'function') { throw new TypeError('genid option must be a function'); } if (resaveSession === undefined) { deprecate('undefined resave option; provide resave option'); resaveSession = true; } if (saveUninitializedSession === undefined) { deprecate('undefined saveUninitialized option; provide saveUninitialized option'); saveUninitializedSession = true; } if (opts.unset && opts.unset !== 'destroy' && opts.unset !== 'keep') { throw new TypeError('unset option must be "destroy" or "keep"'); } // TODO: switch to "destroy" on next major var unsetDestroy = opts.unset === 'destroy' if (Array.isArray(secret) && secret.length === 0) { throw new TypeError('secret option array must contain one or more strings'); } if (secret && !Array.isArray(secret)) { secret = [secret]; } if (!secret) { deprecate('req.secret; provide secret option'); } // notify user that this store is not // meant for a production environment /* istanbul ignore next: not tested */ if (env === 'production' && store instanceof MemoryStore) { console.warn(warning); } // generates the new session store.generate = function(req){ req.sessionID = generateId(req); req.session = new Session(req); req.session.cookie = new Cookie(cookieOptions); if (cookieOptions.secure === 'auto') { req.session.cookie.secure = issecure(req, trustProxy); } }; var storeImplementsTouch = typeof store.touch === 'function'; // register event listeners for the store to track readiness var storeReady = true store.on('disconnect', function ondisconnect() { storeReady = false }) store.on('connect', function onconnect() { storeReady = true }) return function session(req, res, next) { // self-awareness if (req.session) { next() return } // Handle connection as if there is no session if // the store has temporarily disconnected etc if (!storeReady) { debug('store is disconnected') next() return } // pathname mismatch var originalPath = parseUrl.original(req).pathname || '/' if (originalPath.indexOf(cookieOptions.path || '/') !== 0) return next(); // ensure a secret is available or bail if (!secret && !req.secret) { next(new Error('secret option required for sessions')); return; } // backwards compatibility for signed cookies // req.secret is passed from the cookie parser middleware var secrets = secret || [req.secret]; var originalHash; var originalId; var savedHash; var touched = false // expose store req.sessionStore = store; // get the session ID from the cookie var cookieId = req.sessionID = getcookie(req, name, secrets); // set-cookie onHeaders(res, function(){ if (!req.session) { debug('no session'); return; } if (!shouldSetCookie(req)) { return; } // only send secure cookies via https if (req.session.cookie.secure && !issecure(req, trustProxy)) { debug('not secured'); return; } if (!touched) { // touch session req.session.touch() touched = true } // set cookie setcookie(res, name, req.sessionID, secrets[0], req.session.cookie.data); }); // proxy end() to commit the session var _end = res.end; var _write = res.write; var ended = false; res.end = function end(chunk, encoding) { if (ended) { return false; } ended = true; var ret; var sync = true; function writeend() { if (sync) { ret = _end.call(res, chunk, encoding); sync = false; return; } _end.call(res); } function writetop() { if (!sync) { return ret; } if (!res._header) { res._implicitHeader() } if (chunk == null) { ret = true; return ret; } var contentLength = Number(res.getHeader('Content-Length')); if (!isNaN(contentLength) && contentLength > 0) { // measure chunk chunk = !Buffer.isBuffer(chunk) ? Buffer.from(chunk, encoding) : chunk; encoding = undefined; if (chunk.length !== 0) { debug('split response'); ret = _write.call(res, chunk.slice(0, chunk.length - 1)); chunk = chunk.slice(chunk.length - 1, chunk.length); return ret; } } ret = _write.call(res, chunk, encoding); sync = false; return ret; } if (shouldDestroy(req)) { // destroy session debug('destroying'); store.destroy(req.sessionID, function ondestroy(err) { if (err) { defer(next, err); } debug('destroyed'); writeend(); }); return writetop(); } // no session to save if (!req.session) { debug('no session'); return _end.call(res, chunk, encoding); } if (!touched) { // touch session req.session.touch() touched = true } if (shouldSave(req)) { req.session.save(function onsave(err) { if (err) { defer(next, err); } writeend(); }); return writetop(); } else if (storeImplementsTouch && shouldTouch(req)) { // store implements touch method debug('touching'); store.touch(req.sessionID, req.session, function ontouch(err) { if (err) { defer(next, err); } debug('touched'); writeend(); }); return writetop(); } return _end.call(res, chunk, encoding); }; // generate the session function generate() { store.generate(req); originalId = req.sessionID; originalHash = hash(req.session); wrapmethods(req.session); } // inflate the session function inflate (req, sess) { store.createSession(req, sess) originalId = req.sessionID originalHash = hash(sess) if (!resaveSession) { savedHash = originalHash } wrapmethods(req.session) } function rewrapmethods (sess, callback) { return function () { if (req.session !== sess) { wrapmethods(req.session) } callback.apply(this, arguments) } } // wrap session methods function wrapmethods(sess) { var _reload = sess.reload var _save = sess.save; function reload(callback) { debug('reloading %s', this.id) _reload.call(this, rewrapmethods(this, callback)) } function save() { debug('saving %s', this.id); savedHash = hash(this); _save.apply(this, arguments); } Object.defineProperty(sess, 'reload', { configurable: true, enumerable: false, value: reload, writable: true }) Object.defineProperty(sess, 'save', { configurable: true, enumerable: false, value: save, writable: true }); } // check if session has been modified function isModified(sess) { return originalId !== sess.id || originalHash !== hash(sess); } // check if session has been saved function isSaved(sess) { return originalId === sess.id && savedHash === hash(sess); } // determine if session should be destroyed function shouldDestroy(req) { return req.sessionID && unsetDestroy && req.session == null; } // determine if session should be saved to store function shouldSave(req) { // cannot set cookie without a session ID if (typeof req.sessionID !== 'string') { debug('session ignored because of bogus req.sessionID %o', req.sessionID); return false; } return !saveUninitializedSession && cookieId !== req.sessionID ? isModified(req.session) : !isSaved(req.session) } // determine if session should be touched function shouldTouch(req) { // cannot set cookie without a session ID if (typeof req.sessionID !== 'string') { debug('session ignored because of bogus req.sessionID %o', req.sessionID); return false; } return cookieId === req.sessionID && !shouldSave(req); } // determine if cookie should be set on response function shouldSetCookie(req) { // cannot set cookie without a session ID if (typeof req.sessionID !== 'string') { return false; } return cookieId !== req.sessionID ? saveUninitializedSession || isModified(req.session) : rollingSessions || req.session.cookie.expires != null && isModified(req.session); } // generate a session if the browser doesn't send a sessionID if (!req.sessionID) { debug('no SID sent, generating session'); generate(); next(); return; } // generate the session object debug('fetching %s', req.sessionID); store.get(req.sessionID, function(err, sess){ // error handling if (err && err.code !== 'ENOENT') { debug('error %j', err); next(err) return } try { if (err || !sess) { debug('no session found') generate() } else { debug('session found') inflate(req, sess) } } catch (e) { next(e) return } next() }); }; }; /** * Generate a session ID for a new session. * * @return {String} * @private */ function generateSessionId(sess) { return uid(24); } /** * Get the session ID cookie from request. * * @return {string} * @private */ function getcookie(req, name, secrets) { var header = req.headers.cookie; var raw; var val; // read from cookie header if (header) { var cookies = cookie.parse(header); raw = cookies[name]; if (raw) { if (raw.substr(0, 2) === 's:') { val = unsigncookie(raw.slice(2), secrets); if (val === false) { debug('cookie signature invalid'); val = undefined; } } else { debug('cookie unsigned') } } } // back-compat read from cookieParser() signedCookies data if (!val && req.signedCookies) { val = req.signedCookies[name]; if (val) { deprecate('cookie should be available in req.headers.cookie'); } } // back-compat read from cookieParser() cookies data if (!val && req.cookies) { raw = req.cookies[name]; if (raw) { if (raw.substr(0, 2) === 's:') { val = unsigncookie(raw.slice(2), secrets); if (val) { deprecate('cookie should be available in req.headers.cookie'); } if (val === false) { debug('cookie signature invalid'); val = undefined; } } else { debug('cookie unsigned') } } } return val; } /** * Hash the given `sess` object omitting changes to `.cookie`. * * @param {Object} sess * @return {String} * @private */ function hash(sess) { // serialize var str = JSON.stringify(sess, function (key, val) { // ignore sess.cookie property if (this === sess && key === 'cookie') { return } return val }) // hash return crypto .createHash('sha1') .update(str, 'utf8') .digest('hex') } /** * Determine if request is secure. * * @param {Object} req * @param {Boolean} [trustProxy] * @return {Boolean} * @private */ function issecure(req, trustProxy) { // socket is https server if (req.connection && req.connection.encrypted) { return true; } // do not trust proxy if (trustProxy === false) { return false; } // no explicit trust; try req.secure from express if (trustProxy !== true) { return req.secure === true } // read the proto from x-forwarded-proto header var header = req.headers['x-forwarded-proto'] || ''; var index = header.indexOf(','); var proto = index !== -1 ? header.substr(0, index).toLowerCase().trim() : header.toLowerCase().trim() return proto === 'https'; } /** * Set cookie on response. * * @private */ function setcookie(res, name, val, secret, options) { var signed = 's:' + signature.sign(val, secret); var data = cookie.serialize(name, signed, options); debug('set-cookie %s', data); var prev = res.getHeader('Set-Cookie') || [] var header = Array.isArray(prev) ? prev.concat(data) : [prev, data]; res.setHeader('Set-Cookie', header) } /** * Verify and decode the given `val` with `secrets`. * * @param {String} val * @param {Array} secrets * @returns {String|Boolean} * @private */ function unsigncookie(val, secrets) { for (var i = 0; i < secrets.length; i++) { var result = signature.unsign(val, secrets[i]); if (result !== false) { return result; } } return false; }