From b9c4576128f7d66a653909a4743518ec750132f8 Mon Sep 17 00:00:00 2001
From: dead-horse
Date: Sun, 28 Apr 2019 17:49:57 +0800
Subject: [PATCH] feat: warn if httpOnly set to false

---
 app.js                                             |  3 +++
 test/app/middleware/session.test.js                |  9 +++++++
 .../app/controller/home.js                         | 25 +++++++++++++++++++
 .../httponly-false-session/app/router.js           |  9 +++++++
 .../config/config.default.js                       |  6 +++++
 .../httponly-false-session/package.json            |  3 +++
 6 files changed, 55 insertions(+)
 create mode 100644 test/fixtures/httponly-false-session/app/controller/home.js
 create mode 100644 test/fixtures/httponly-false-session/app/router.js
 create mode 100644 test/fixtures/httponly-false-session/config/config.default.js
 create mode 100644 test/fixtures/httponly-false-session/package.json

diff --git a/app.js b/app.js
index efffc5a..91da4b6 100644
--- a/app.js
+++ b/app.js
@@ -1,6 +1,9 @@
 'use strict';
 
 module.exports = function(app) {
+  if (!app.config.session.httpOnly) {
+    app.logger.warn('[egg-session]: please set `config.session.httpOnly` to true. It is very dangerous if session can read by client JavaScript.');
+  }
   app.config.coreMiddleware.push('session');
 
   // listen on session's events
diff --git a/test/app/middleware/session.test.js b/test/app/middleware/session.test.js
index 1ee8203..21a2c1a 100644
--- a/test/app/middleware/session.test.js
+++ b/test/app/middleware/session.test.js
@@ -55,6 +55,15 @@ describe('test/app/middlewares/session.test.js', () => {
     });
   });
 
+  describe('httpOnly', () => {
+    it('should warn when httponly false', function* () {
+      app = mm.app({ baseDir: 'httponly-false-session' });
+      yield app.ready();
+      app.expectLog('[egg-session]: please set `config.session.httpOnly` to true. It is very dangerous if session can read by client JavaScript.');
+      yield app.close();
+    });
+  });
+
   [
     'cookie-session',
     'memory-session',
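Review bot: The warning text on the added `app.logger.warn` line is ungrammatical ("if session can read by client JavaScript") and the `if` carries no comment explaining why a plain config flag deserves a startup warning; suggest rewording the tail of the message to "if the session cookie can be read by client-side JavaScript" and adding `// httpOnly=false exposes the session cookie to document.cookie (and thus to any injected script); warn at startup` above the check. The same literal is asserted verbatim by `app.expectLog` in the test/app/middleware/session.test.js hunk of this commit, so both copies must change together. Note that `!app.config.session.httpOnly` also fires when the key is absent rather than explicitly `false`; that is presumably harmless if the plugin's own default config sets it to `true`, but worth confirming.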
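Review bot: The new test reassigns the shared `app` and only closes it on the success path (`yield app.close()` comes after `app.expectLog`), so a failing assertion leaves the fixture app running for the rest of the file unless an `afterEach` outside this hunk closes it; the enclosing `describe` starts outside the hunk, so I cannot see whether one exists. If the logger in use writes to file asynchronously, calling `app.expectLog` immediately after `app.ready()` may also race the flush — worth confirming against the egg-mock version pinned by the project. The expected string is a second copy of the literal in app.js; a short comment such as `// must match the warning emitted in app.js` would make the coupling visible to the next person editing either side.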
diff --git a/test/fixtures/httponly-false-session/app/controller/home.js b/test/fixtures/httponly-false-session/app/controller/home.js
new file mode 100644
index 0000000..b122fac
--- /dev/null
+++ b/test/fixtures/httponly-false-session/app/controller/home.js
@@ -0,0 +1,25 @@
+'use strict';
+
+exports.get = function* (ctx) {
+  ctx.body = ctx.session;
+};
+
+exports.set = function* (ctx) {
+  ctx.session = ctx.query;
+  ctx.body = ctx.session;
+};
+
+exports.setKey = function* (ctx) {
+  ctx.session.key = ctx.query.key;
+  ctx.body = ctx.session;
+};
+
+exports.remove = function* (ctx) {
+  ctx.session = null;
+  ctx.body = ctx.session;
+};
+
+exports.maxAge = function* (ctx) {
+  ctx.session.maxAge = Number(this.query.maxAge);
+  ctx.body = ctx.session;
+};
diff --git a/test/fixtures/httponly-false-session/app/router.js b/test/fixtures/httponly-false-session/app/router.js
new file mode 100644
index 0000000..d5938ed
--- /dev/null
+++ b/test/fixtures/httponly-false-session/app/router.js
@@ -0,0 +1,9 @@
+'use strict';
+
+module.exports = function(app) {
+  app.get('/get', 'home.get');
+  app.get('/set', 'home.set');
+  app.get('/setKey', 'home.setKey');
+  app.get('/remove', 'home.remove');
+  app.get('/maxAge', 'home.maxAge');
+};
diff --git a/test/fixtures/httponly-false-session/config/config.default.js b/test/fixtures/httponly-false-session/config/config.default.js
new file mode 100644
index 0000000..d237c77
--- /dev/null
+++ b/test/fixtures/httponly-false-session/config/config.default.js
@@ -0,0 +1,6 @@
+'use strict';
+
+exports.keys = 'keys';
+exports.session = {
+  httpOnly: false,
+};
diff --git a/test/fixtures/httponly-false-session/package.json b/test/fixtures/httponly-false-session/package.json
new file mode 100644
index 0000000..9f1ec46
--- /dev/null
+++ b/test/fixtures/httponly-false-session/package.json
@@ -0,0 +1,3 @@
+{
+  "name": "httponly-false-session"
+}
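Review bot: In the new fixture controller, `exports.maxAge` reads `this.query.maxAge` while every other handler in the same file reads `ctx.query`; the generator receives `ctx` as its argument, so the consistent form is `ctx.session.maxAge = Number(ctx.query.maxAge);`. Whether `this` is also bound to the context here depends on the framework's legacy generator-controller handling, which this fixture should not rely on. This applies only to the home.js section; the router, config and package.json sections are plain fixture scaffolding and raise nothing.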