diff --git a/.gitignore b/.gitignore
index 3986356..15b3d32 100644
--- a/.gitignore
+++ b/.gitignore
@@ -73,4 +73,7 @@ cdk.out
 cdk.out
 cdk/local-image
-credentials
\ No newline at end of file
+credentials
+
+#Ignore session added from file-session-store
+sessions
\ No newline at end of file
diff --git a/app.js b/app.js
index ea047fd..cb1ce91 100755
--- a/app.js
+++ b/app.js
@@ -7,8 +7,7 @@ const cookieParser = require('cookie-parser')
 const compression = require('compression')
 const helmet = require('helmet')
 const path = require('path')
-const cookieSession = require('cookie-session')
-const cookieSessionConfig = require('./config/cookieSession.config')
+const sessionConfig = require('./config/session.config')
 const { hasData } = require('./utils')
 const { addNunjucksFilters } = require('./filters')
 const csp = require('./config/csp.config')
@@ -43,9 +42,8 @@ app.use(function(req, res, next) {
 next()
 })
-// in production: use redis for sessions
-// but this works for now
-app.use(cookieSession(cookieSessionConfig))
+// add the session selected in session.config.js
+app.use(sessionConfig)
 // public assets go here (css, js, etc)
 app.use(express.static(path.join(__dirname, 'public')))
diff --git a/config/cookieSession.config.js b/config/cookieSession.config.js
deleted file mode 100755
index 9528211..0000000
--- a/config/cookieSession.config.js
+++ /dev/null
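Review bot: `app.use(sessionConfig)` is registered ahead of `app.use(express.static(...))` at the end of the second app.js hunk, so every static asset request now passes through the session middleware; with the file-backed store chosen in config/session.config.js that is likely a disk read per CSS/JS request whenever a session cookie is present. Unless static assets depend on session state, register `app.use(express.static(path.join(__dirname, 'public')))` before `app.use(sessionConfig)`. The new comment `// add the session selected in session.config.js` also overstates things, since no selection happens at runtime — `// session middleware, store chosen in config/session.config.js` would be accurate. The rest of the middleware chain continues outside the hunk.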
@@ -1,23 +0,0 @@
-/*
- configuration for our cookie sessions
- - set a name for the session so that the cookie persists between server reloads
- - if a COOKIE_SECRET environment variable, use that as a secret name
- - else use a timestamp that rotates every 60 minutes
- - also set cookie expiry time to 60 minutes
- more docs here: https://expressjs.com/en/resources/middleware/cookie-session.html
-*/
-const oneHour = 1000 * 60 * 60
-const sessionName = `ctb-${process.env.COOKIE_SECRET ||
- Math.floor(new Date().getTime() / oneHour)}`
-
-const cookieSessionConfig = {
- name: sessionName,
- secret: sessionName,
- cookie: {
- httpOnly: true,
- maxAge: oneHour,
- sameSite: true,
- },
-}
-
-module.exports = cookieSessionConfig
diff --git a/config/session.config.js b/config/session.config.js
new file mode 100755
index 0000000..0586c39
--- /dev/null
+++ b/config/session.config.js
@@ -0,0 +1,34 @@
+/*
+ configuration for our sessions
+ - set a name for the session so that the session persists between server reloads
+ - if a SESSION_SECRET environment variable, use that as a secret name
+ - else use a timestamp that rotates every 60 minutes
+ - also set session expiry time to 60 minutes
+ more docs here: https://expressjs.com/en/resources/middleware/cookie-session.html
+*/
+const session = require('express-session')
+const MemoryStore = require('memorystore')(session)
+const FileStore = require('session-file-store')(session)
+
+const oneHour = 1000 * 60 * 60
+const sessionName = `ctb-${process.env.SESSION_SECRET ||
+ Math.floor(new Date().getTime() / oneHour)}`
+
+
+// In production use redis but this works for now
+const store = {
+ memory: () => new MemoryStore({ checkPeriod: oneHour }),
+ fileStore: () => new FileStore({}),
+}
+
+const sessionConfig= {
+ cookie: { httpOnly: true, maxAge: oneHour, sameSite: 'strict' },
+ store: store.fileStore(),
+ secret: sessionName,
+ resave: false,
+ saveUninitialized: false,
+ unset: 'destroy',
+}
+
+
+module.exports = session(sessionConfig)
diff --git a/package.json b/package.json
index 824412f..149d14b 100755
--- a/package.json
+++ b/package.json
@@ -29,6 +29,8 @@
 },
 "dependencies": {
 "@cdssnc/webpack-starter": "^2.0.2",
+ "@csstools/postcss-sass": "^4.0.0",
+ "@fullhuman/postcss-purgecss": "^1.3.0",
 "compression": "^1.7.4",
 "cookie-parser": "~1.4.4",
 "cookie-session": "^1.3.3",
@@ -43,12 +45,12 @@
 "express-validator": "^6.2.0",
 "helmet": "^3.21.2",
 "i18n": "^0.8.4",
+ "memorystore": "^1.6.1",
 "mini-css-extract-plugin": "^0.8.0",
 "nunjucks": "^3.2.0",
 "request": "^2.88.0",
- "tailwindcss": "^1.1.3",
- "@csstools/postcss-sass": "^4.0.0",
- "@fullhuman/postcss-purgecss": "^1.3.0"
+ "session-file-store": "^1.3.1",
+ "tailwindcss": "^1.1.3"
 },
 "devDependencies": {
 "@aws-cdk/aws-docdb": "1.17.1",
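Review bot: The fallback on the `sessionName` lines is a guessable secret — `ctb-` followed by the current hour as an integer — and express-session signs the session-id cookie with `secret`, so with SESSION_SECRET unset the signature gives no real protection; it is also computed once at process start, so the "rotates every 60 minutes" line in the header comment does not describe what the code does. Generate an unguessable value when the variable is absent, `const sessionSecret = process.env.SESSION_SECRET || require('crypto').randomBytes(32).toString('hex')`, pass that as `secret`, and state in the comment that an unset SESSION_SECRET invalidates all sessions on restart; for production, where the store is shared, it is safer to throw when SESSION_SECRET is missing. The `memory` factory in `store` is never selected, `sessionConfig=` is missing a space, and the header comment still links to the cookie-session docs although the module now configures express-session. `cookie.secure` is not set either; if the app is served over HTTPS behind a proxy, `secure: true` together with `app.set('trust proxy', 1)` in app.js keeps the cookie off plain HTTP.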
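Review bot: Neither package.json hunk adds `express-session`, which the new config/session.config.js requires on its first statement; unless it already appears in the unshown lines between `"cookie-session"` and `"express-validator"`, the app will fail at startup with a module-not-found error, so add `"express-session": "<version placeholder>",` before `"express-validator"` in the second hunk. Conversely `"cookie-session": "^1.3.3"` (a context line in the first hunk) is no longer required anywhere after the app.js change and can be removed from dependencies. `memorystore` is added but only reachable through the unused `memory` factory, so it is worth either wiring it up or leaving it out.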
@@ -81,7 +83,7 @@
 "nodemonConfig": {
 "ext": "js,json,njk,scss",
 "ignore": [
- "public/dist/**/*.*"
+ "public/dist/**/*.*", "sessions/*"
 ]
 }
 }