This module is concerned with the set up, tear down and protection of sessions. Obligations:
require('../security.json').sessionPolicy
const secrets = require('./secrets')
const session = require('express-session')
const csrf = require('csurf')
let redis = require('redis').createClient()
let RedisStore = require('connect-redis')(session)
Neither cookie-parser or body-parser are part of this module–it is assumed that this parsing action will take place within your app.js file (or equivalent)
Many authentication frameworks also include means to attach session state to an authenticated user. _spartan has been tuned to utilize the express-session module as a means to provide this functionality and uses redis (‘connect-redis’) as the means for storing session data. Though commented out, _spartan also supports MongoDB as a session store–you’ll just need to require(connect-mongo) and configure your session object as follows:
let obj = {
secret: secrets.fetchSecret('SESSION_SECRET'),
// rolling: true,
// resave: true,
saveUninitialized: false,
cookie: {
path: secJson.config.path,
httpOnly: secJson.config.cookies.httpOnly,
secure: true,
maxAge: secJson.config.duration.ttl * 1000
},
// store: new RedisStore(redisOptions),
store: new MongoStore({
mongooseConnection: security.database,
ttl: (secJson.config.duration.ttl)
}),
name: 'spartan'
}
_spartan treats the value of the variable SESSION_SECRET as privileged information and as such is stored & accessed in accordance with other secrets. You may wish to generate a random, hard-to-guess session secret (using a module like UUID/v4), but this functionality is not currently part of the sessions module.
Module Instantiation
| method name | description | params | returns |
|---|---|---|---|
| sessioner | sets up a new session with parameters/configurations provided in security.json | N/A | session(options) or Error |
// in app.js
let sess = security.sessions.sessioner
EXAMPLE
app.use(sess())
Destroy Cookies
| method name | description | params | returns |
|---|---|---|---|
| cookieMonster | destroys a cookie | (response, options* Object, callback function) | Error |
* options = { name : name of cookie, options: { params used to create cookie}, optional }
let cookieMonster = security.sessions.cookieMonster
app.get('/route', cookieMonster(response, {name: badCookie, options: {path: '/', secure: 'false'}}, (err) => {
if (err) {
next(err)
}
}), (request, response, next) => {
... // do some thing
})
Create Cookies
| method name | description | params | returns |
|---|---|---|---|
| cookieMaker | creates a cookie with provided params && settings from security.json | (request, response, options** Object, callback function) | configured cookie or Error |
** options = { name : name of cookie, value : value of cookie options: { additional configs, e.g, path, domain}, optional }
_spartan will overload any settings provided in the options object with those that are provided in security.json (e.g. httpOnly, secure, same-site); It is recommended that you do not set the ‘domain’ property, however, if you choose to do so, _spartan will not add ‘Host’ or ‘Secure’ flags to the cookies
let cookieMaker = security.sessions.cookieMaker
app.get('/route', cookieMaker(request, response, {name: goodCookie, value: 'Cookie nom nom nom', options: {path: '/', secure: 'false'}}, (err) => {
if (err) {
next(err)
}
}), (request, response, next) => {
... // do some thing
})
Session Integrity
| method name | description | params | returns |
|---|---|---|---|
| csrf | creates a csrf token to session integrity | (options*** Object, callback function) | CSRF module function or Error |
*** options = { cookie : true or false, Boolean }
let csrf = security.sessions.csrf
app.use(csrf({cookie: true}))
sessionPolicy.enabled : true in security.json and then run _spartan --force