passport - npm Package Compare versions

Comparing version 0.5.3 to 0.6.0

CHANGELOG.md

@@ -9,2 +9,9 @@ # Changelog
 
+## [0.6.0] - 2022-05-20
+### Security
+
+- Improved robustness against session fixation attacks in cases where there is
+physical access to the same system or the application is susceptible to
+cross-site scripting (XSS).
+
 ## [0.5.3] - 2022-05-16
@@ -54,5 +61,6 @@ ### Fixed
 
-[Unreleased]: https://github.com/jaredhanson/passport/compare/v0.5.3...HEAD
+[Unreleased]: https://github.com/jaredhanson/passport/compare/v0.6.0...HEAD
+[0.6.0]: https://github.com/jaredhanson/passport/compare/v0.5.3...v0.6.0
 [0.5.3]: https://github.com/jaredhanson/passport/compare/v0.5.2...v0.5.3
 [0.5.2]: https://github.com/jaredhanson/passport/compare/v0.5.1...v0.5.2
 [0.5.1]: https://github.com/jaredhanson/passport/compare/v0.5.0...v0.5.1

lib/http/request.js

@@ -39,3 +39,3 @@ var req = exports = module.exports = {};
     var self = this;
-    this._sessionManager.logIn(this, user, function(err) {
+    this._sessionManager.logIn(this, user, options, function(err) {
       if (err) { self[property] = null; return done(err); }
@@ -55,3 +55,9 @@ done();
 req.logout =
-req.logOut = function() {
+req.logOut = function(options, done) {
+  if (typeof options == 'function') {
+    done = options;
+    options = {};
+  }
+  options = options || {};
+  
   var property = this._userProperty || 'user';
@@ -61,3 +67,7 @@
   if (this._sessionManager) {
-    this._sessionManager.logOut(this);
+    if (typeof done != 'function') { throw new Error('req#logout requires a callback function'); }
+    
+    this._sessionManager.logOut(this, options, done);
+  } else {
+    done && done();
   }
@@ -64,0 +74,0 @@ };

lib/sessionmanager.js

@@ -0,1 +1,3 @@
+var merge = require('utils-merge');
+
 function SessionManager(options, serializeUser) {
@@ -12,26 +14,81 @@ if (typeof options == 'function') {
 
-SessionManager.prototype.logIn = function(req, user, cb) {
+SessionManager.prototype.logIn = function(req, user, options, cb) {
+  if (typeof options == 'function') {
+    cb = options;
+    options = {};
+  }
+  options = options || {};
+  
+  if (!req.session) { return cb(new Error('Login sessions require session support. Did you forget to use `express-session` middleware?')); }
+  
   var self = this;
-  this._serializeUser(user, req, function(err, obj) {
+  var prevSession = req.session;
+  
+  // regenerate the session, which is good practice to help
+  // guard against forms of session fixation
+  req.session.regenerate(function(err) {
     if (err) {
       return cb(err);
     }
-    // TODO: Error if session isn't available here.
-    if (!req.session) {
-      req.session = {};
-    }
-    if (!req.session[self._key]) {
-      req.session[self._key] = {};
-    }
-    req.session[self._key].user = obj;
-    cb();
+    
+    self._serializeUser(user, req, function(err, obj) {
+      if (err) {
+        return cb(err);
+      }
+      if (options.keepSessionInfo) {
+        merge(req.session, prevSession);
+      }
+      if (!req.session[self._key]) {
+        req.session[self._key] = {};
+      }
+      // store user information in session, typically a user id
+      req.session[self._key].user = obj;
+      // save the session before redirection to ensure page
+      // load does not happen before session is saved
+      req.session.save(function(err) {
+        if (err) {
+          return cb(err);
+        }
+        cb();
+      });
+    });
   });
 }
 
-SessionManager.prototype.logOut = function(req, cb) {
-  if (req.session && req.session[this._key]) {
+SessionManager.prototype.logOut = function(req, options, cb) {
+  if (typeof options == 'function') {
+    cb = options;
+    options = {};
+  }
+  options = options || {};
+  
+  if (!req.session) { return cb(new Error('Login sessions require session support. Did you forget to use `express-session` middleware?')); }
+  
+  var self = this;
+  
+  // clear the user from the session object and save.
+  // this will ensure that re-using the old session id
+  // does not have a logged in user
+  if (req.session[this._key]) {
     delete req.session[this._key].user;
   }
+  var prevSession = req.session;
   
-  cb && cb();
+  req.session.save(function(err) {
+    if (err) {
+      return cb(err)
+    }
+  
+    // regenerate the session, which is good practice to help
+    // guard against forms of session fixation
+    req.session.regenerate(function(err) {
+      if (err) {
+        return cb(err);
+      }
+      if (options.keepSessionInfo) {
+        merge(req.session, prevSession);
+      }
+      cb();
+    });
+  });
 }
@@ -38,0 +95,0 @@

package.json

 {
   "name": "passport",
-  "version": "0.5.3",
+  "version": "0.6.0",
   "description": "Simple, unobtrusive authentication for Node.js.",
@@ -39,3 +39,4 @@ "keywords": [
     "passport-strategy": "1.x.x",
-    "pause": "0.0.1"
+    "pause": "0.0.1",
+    "utils-merge": "^1.0.1"
   },
@@ -42,0 +43,0 @@ "devDependencies": {

No alert changes

Improved metrics

Total package byte prevSize

81608

increased by2.83%

Lines of code

1150

increased by5.12%

Worsened metrics

Dependency count

3

increased by50%

Dependency changes

• + Addedutils-merge@^1.0.1

• + Addedutils-merge@1.0.1(transitive)