hof 23.0.1 → 23.0.2

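--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 2026-03-17, Version 23.0.2 (Stable), @vivekkumar-ho
+
+### Fixed
+- Improved session secret validation so missing or blank values now fail fast with a clearer startup error.
+- Reused the validated session secret consistently across cookie parsing, session encryption, and Redis session storage.
+
 ## 2025-03-04, Version 23.0.1 (Stable), @PaolaDMadd-Pro @Rhodine-orleans-lindsay
 ### ⚠️ Versioning Notice
 v23.0.1 is published as a patch due to a prior publishing issue.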
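--- a/package/lib/sessions.js
+++ b/package/lib/sessions.js
@@ -7,17 +7,28 @@ const cookieParser = require('cookie-parser');
 
 const secureHttps = config => config.protocol === 'https' || config.env === 'production';
 
-module.exports = (app, config) => {
-const logger = config.logger || console;
+const validateSessionSecret = secret => {
+if (!secret || !String(secret).trim()) {
+throw new Error(
+'Session secret is required. Set the SESSION_SECRET environment variable to a 32-byte value.'
+);
+}
 
-const secretBuffer = Buffer.from(config.session.secret, 'utf8');
+const secretBuffer = Buffer.from(secret, 'utf8');
 if (secretBuffer.byteLength !== 32) {
 throw new Error(
 `Session secret must be exactly 32 bytes. Current: ${secretBuffer.byteLength} bytes.`
 );
 }
 
-app.use(cookieParser(config.session.secret, {
+return secret;
+};
+
+module.exports = (app, config) => {
+const logger = config.logger || console;
+const sessionSecret = validateSessionSecret(config.session.secret);
+
+app.use(cookieParser(sessionSecret, {
 path: '/',
 httpOnly: true,
 secure: secureHttps(config)
@@ -32,7 +43,7 @@ module.exports = (app, config) => {
 }));
 }
 
-const encryption = require('./encryption')(config.session.secret);
+const encryption = require('./encryption')(sessionSecret);
 const RedisStore = connectRedis(session);
 const client = redis.createClient(config.redis);
 
@@ -57,7 +68,7 @@ module.exports = (app, config) => {
 const store = new RedisStore({
 client: client,
 ttl: config.session.ttl,
-secret: config.session.secret,
+secret: sessionSecret,
 serializer: {
 parse: data => JSON.parse(encryption.decrypt(data)),
 stringify: data => encryption.encrypt(JSON.stringify(data))
@@ -74,7 +85,7 @@ module.exports = (app, config) => {
 sameSite: config.cookie?.sameSite === 'lax' ? config.cookie?.sameSite : 'strict',
 httpOnly: true
 },
-secret: config.session.secret,
+secret: sessionSecret,
 saveUninitialized: true,
 resave: true
 }, config.session);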
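Review bot: `validateSessionSecret` only guards against falsy or blank values, so a non-string secret (a number coming out of a YAML or env loader, say) passes the first check and then makes `Buffer.from(secret, 'utf8')` throw a generic TypeError rather than the clearer startup error this change is aiming for; tightening the guard to `if (typeof secret !== 'string' || !secret.trim()) {` closes that gap and makes the later byte-length check well-defined. Separately, the validated `sessionSecret` is now handed verbatim to `cookieParser` for signing, to `./encryption` as the key, and to `RedisStore`, so a single secret serves both signing and encryption; if `./encryption` uses those bytes directly as a cipher key (not visible here), deriving distinct subkeys with `crypto.hkdfSync` inside this helper would remove the key reuse without changing any caller. The first error message names `SESSION_SECRET`, but the value actually read is `config.session.secret`; worth confirming that mapping exists so the hint is accurate. The `module.exports` body continues outside the hunk.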
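--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "hof",
 "description": "A bootstrap for HOF projects",
-"version": "23.0.1",
+"version": "23.0.2",
 "license": "MIT",
 "main": "index.js",
 "author": "HomeOffice",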