hof 22.11.9 → 22.12.0

package/CHANGELOG.md

@@ -1,3 +1,23 @@
+## 2025-11-20, Version 22.12.0 (Stable), @dk4g @jamiecarterHO
+
+### Infrastructure  
+- Updated CI/CD pipeline to test against Node.js 20.x, 22.x, and 24.x
+- Updated Redis testing versions to 7 and 8
+- Added `NODE_VERSION` environment variable for consistent Node.js version across jobs
+- Updated release process to use Node.js 24 for tagging and publishing operations
+
+### Security
+  - Replaced deprecated `crypto.createCipher`/`crypto.createDecipher` with `crypto.createCipheriv`/`crypto.createDecipheriv`
+  - Added proper initialisation vector (IV) handling for enhanced security
+  - Enforced 32-byte session secret requirement for AES-256 encryption compatibility
+  - Removed insecure default session secret ('changethis') - now requires explicit configuration
+
+### Migration Notes
+- **Session Reset Required**: Due to enhanced encryption security, existing user sessions will be invalidated and users will need to re-authenticate after this update
+- **Session Secret**: You must now set a unique `SESSION_SECRET` environment variable of exactly 32 bytes for encryption compatibility. 
+For testing purposes, you can use the following command to generate a random value. For production environments, consult a security expert or refer to official cryptographic guidelines to generate a secure secret
+`node -e "console.log(require('crypto').randomBytes(16).toString('hex'))"`
+
 ## 2025-11-15, Version 22.11.0 (Stable), @Rhodine-orleans-lindsay
 
 ### Changed

package/config/hof-defaults.js

@@ -51,7 +51,7 @@ const defaults = {
   },
   session: {
     ttl: process.env.SESSION_TTL || 1800,
-    secret: process.env.SESSION_SECRET || 'changethis',
+    secret: process.env.SESSION_SECRET,
     name: process.env.SESSION_NAME || 'hod.sid',
     sanitiseInputs: false
   },

package/lib/encryption.js

@@ -1,23 +1,49 @@
-/* eslint-disable */ 
 'use strict';
 
-const crypto = require('crypto');
+const crypto = require('node:crypto');
 const algorithm = 'aes-256-cbc';
+const ivLength = 16;
 
-module.exports = password => ({
-
-  encrypt: text => {
-    const cipher = crypto.createCipher(algorithm, password);
-    let crypted = cipher.update(text, 'utf8', 'hex');
-    crypted += cipher.final('hex');
-    return crypted;
-  },
-
-  decrypt: text => {
-    const decipher = crypto.createDecipher(algorithm, password);
-    let dec = decipher.update(text, 'hex', 'utf8');
-    dec += decipher.final('utf8');
-    return dec;
+/**
+ * Creates an encryption utility with AES-256-CBC algorithm.
+ * Provides encrypt and decrypt methods that use a random IV for each encryption operation.
+ *
+ * @module encryption
+ * @param {string|Buffer} secret - Must be exactly 32 bytes
+ * @returns {Object} Encryption utility object
+ * @throws {Error} If secret is not exactly 32 bytes
+ */
+module.exports = secret => {
+  const encryptionKey = Buffer.from(secret, 'utf8');
+  if (encryptionKey.byteLength !== 32) {
+    throw new Error(`Encryption secret must be exactly 32 bytes. Provided: ${encryptionKey.byteLength} bytes.`);
   }
 
-});
+  return {
+    encrypt: text => {
+      try {
+        const iv = crypto.randomBytes(ivLength);
+        const cipher = crypto.createCipheriv(algorithm, encryptionKey, iv);
+        let encrypted = cipher.update(text, 'utf8');
+        encrypted = Buffer.concat([encrypted, cipher.final()]);
+        return iv.toString('hex') + ':' + encrypted.toString('hex');
+      } catch (error) {
+        throw new Error(`Encryption failed: ${error.message}`);
+      }
+    },
+
+    decrypt: text => {
+      try {
+        const textParts = text.split(':');
+        const iv = Buffer.from(textParts.shift(), 'hex');
+        const encryptedText = Buffer.from(textParts.join(':'), 'hex');
+        const decipher = crypto.createDecipheriv(algorithm, encryptionKey, iv);
+        let decrypted = decipher.update(encryptedText);
+        decrypted = Buffer.concat([decrypted, decipher.final()]);
+        return decrypted.toString('utf8');
+      } catch (error) {
+        throw new Error(`Decryption failed: ${error.message}`);
+      }
+    }
+  };
+};

package/lib/sessions.js

@@ -10,8 +10,11 @@ const secureHttps = config => config.protocol === 'https' || config.env === 'pro
 module.exports = (app, config) => {
   const logger = config.logger || console;
 
-  if (config.env === 'production' && config.session.secret === 'changethis') {
-    throw new Error('Session secret must be set to a unique random string for production environments');
+  const secretBuffer = Buffer.from(config.session.secret, 'utf8');
+  if (secretBuffer.byteLength !== 32) {
+    throw new Error(
+      `Session secret must be exactly 32 bytes. Current: ${secretBuffer.byteLength} bytes.`
+    );
   }
 
   app.use(cookieParser(config.session.secret, {

package/lib/settings.js

@@ -42,7 +42,7 @@ module.exports = async (app, config) => {
     viewsArray.slice().reverse().forEach(view => {
       const customViewPath = path.resolve(config.root, view);
       try {
-        fs.accessSync(customViewPath, fs.F_OK);
+        fs.accessSync(customViewPath, fs.constants.F_OK);
       } catch (err) {
         throw new Error(`Cannot find views at ${customViewPath}`);
       }

package/package.json

@@ -1,13 +1,12 @@
 {
   "name": "hof",
   "description": "A bootstrap for HOF projects",
-  "version": "22.11.9",
+  "version": "22.12.0",
   "license": "MIT",
   "main": "index.js",
   "author": "HomeOffice",
   "engines": {
-    "node": ">=10.22.1",
-    "npm": ">=6.14.0"
+    "node": ">=14.0.0"
   },
   "bin": {
     "hof-build": "./bin/hof-build",