client-sessions - npm Package Compare versions

Comparing version 0.6.0 to 0.7.0

lib/client-sessions.js

@@ -266,12 +266,31 @@ /* This Source Code Form is subject to the terms of the Mozilla Public
 
-  var iv = base64urldecode(components[0]);
-  var ciphertext = base64urldecode(components[1]);
+  var iv;
+  var ciphertext;
+  var hmac;
+
+  try {
+    iv = base64urldecode(components[0]);
+    ciphertext = base64urldecode(components[1]);
+    hmac = base64urldecode(components[4]);
+  } catch (ignored) {
+    cleanup();
+    return;
+  }
+
   var createdAt = parseInt(components[2], 10);
   var duration = parseInt(components[3], 10);
-  var hmac = base64urldecode(components[4]);
 
   function cleanup() {
-    zeroBuffer(iv);
-    zeroBuffer(ciphertext);
-    zeroBuffer(hmac);
+    if (iv) {
+      zeroBuffer(iv);
+    }
+
+    if (ciphertext) {
+      zeroBuffer(ciphertext);
+    }
+
+    if (hmac) {
+      zeroBuffer(hmac);
+    }
+
     if (expectedHmac) { // declared below
@@ -406,2 +425,7 @@ zeroBuffer(expectedHmac);
 
+  // alias for `reset` function for compatibility
+  destroy: function(){
+    this.reset();
+  },
+
   setDuration: function(newDuration, ephemeral) {
@@ -508,2 +532,6 @@ if (ephemeral && this.opts.cookie.maxAge) {
     });
+    Object.defineProperty(value, 'destroy', {
+      enumerable: false,
+      value: this.destroy.bind(this)
+    });
     Object.defineProperty(value, 'setDuration', {
@@ -510,0 +538,0 @@ enumerable: false,

package.json

 {
   "name"         : "client-sessions",
-  "version"      : "0.6.0",
+  "version"      : "0.7.0",
   "description"  : "secure sessions stored in cookies",
@@ -11,3 +11,3 @@ "main"         : "lib/client-sessions",
   "dependencies" : {
-    "cookies" : "0.3.8"
+    "cookies" : "0.5.0"
   },
@@ -14,0 +14,0 @@ "devDependencies": {

README.md

@@ -46,3 +46,3 @@ [![build status](https://secure.travis-ci.org/mozilla/node-client-sessions.png)](http://travis-ci.org/mozilla/node-client-sessions)
     httpOnly: true, // when true, cookie is not accessible from javascript
-    secure: false   // when true, cookie will only be sent over SSL
+    secure: false // when true, cookie will only be sent over SSL. use key 'secureProxy' instead if you handle SSL not in your node process
   }
@@ -49,0 +49,0 @@ }));

test/all-test.js

@@ -866,2 +866,9 @@ // a NODE_ENV of test will supress console output to stderr which
       assert.isUndefined(decodedFake);
+    },
+    "decode - invalid input" : function(err, req){
+        var notEnoughComponents = 'LVB3G2lnPF75RzsT9mz7jQ.RT1Lcq0dOJ_DMRHyWJ4NZPjBXr2WzkFcUC4NO78gbCQ.1371704898483.5000';
+        assert.isUndefined(cookieSessions.util.decode({cookieName: 'session', secret: 'yo'}, notEnoughComponents));
+
+        var invalidBase64 = 'LVB3G2lnPF75RzsT9mz7jQ.RT1Lcq0dOJ_DMRHyWJ4NZPjBXr2WzkFcUC4NO78gb.1371704898483.5000.ILEusgnajT1sqCWLuzaUt-HFn2KPjYNd38DhI7aRCb9';
+        assert.isUndefined(cookieSessions.util.decode({cookieName: 'session', secret: 'yo'}, invalidBase64));
     }
@@ -868,0 +875,0 @@ }

No alert changes

Improved metrics

Total package byte prevSize

81603

increased by4.24%

Lines of code

1627

increased by1.75%

Dependency changes

• + Addedcookies@0.5.0(transitive)

• + Addedkeygrip@1.0.3(transitive)

• - Removedcookies@0.3.8(transitive)

• Updatedcookies@0.5.0