mastercontroller 1.3.33 → 1.3.35
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/security/SessionSecurity.js +25 -14
package/package.json
CHANGED
|
@@ -82,11 +82,13 @@ class SessionSecurity {
|
|
|
82
82
|
}
|
|
83
83
|
|
|
84
84
|
// Save session on response
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
85
|
+
if (typeof res?.end === 'function') {
|
|
86
|
+
const originalEnd = res.end;
|
|
87
|
+
res.end = (...args) => {
|
|
88
|
+
this._saveSession(req);
|
|
89
|
+
originalEnd.apply(res, args);
|
|
90
|
+
};
|
|
91
|
+
}
|
|
90
92
|
|
|
91
93
|
next();
|
|
92
94
|
};
|
|
@@ -221,10 +223,11 @@ class SessionSecurity {
|
|
|
221
223
|
* Generate fingerprint for session hijacking detection
|
|
222
224
|
*/
|
|
223
225
|
_generateFingerprint(req) {
|
|
226
|
+
const headers = req?.headers || {};
|
|
224
227
|
const components = [
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
req
|
|
228
|
+
headers['user-agent'] || '',
|
|
229
|
+
headers['accept-language'] || '',
|
|
230
|
+
req?.connection?.remoteAddress || '',
|
|
228
231
|
// Don't include Accept-Encoding (changes too often)
|
|
229
232
|
];
|
|
230
233
|
|
|
@@ -238,7 +241,7 @@ class SessionSecurity {
|
|
|
238
241
|
* Parse session cookie from request
|
|
239
242
|
*/
|
|
240
243
|
_parseCookie(req) {
|
|
241
|
-
const cookies = req
|
|
244
|
+
const cookies = req?.headers?.cookie;
|
|
242
245
|
if (!cookies) return null;
|
|
243
246
|
|
|
244
247
|
const match = cookies.match(new RegExp(`${this.cookieName}=([^;]+)`));
|
|
@@ -271,7 +274,9 @@ class SessionSecurity {
|
|
|
271
274
|
options.push(`SameSite=${this.sameSite}`);
|
|
272
275
|
}
|
|
273
276
|
|
|
274
|
-
res
|
|
277
|
+
if (typeof res?.setHeader === 'function') {
|
|
278
|
+
res.setHeader('Set-Cookie', options.join('; '));
|
|
279
|
+
}
|
|
275
280
|
}
|
|
276
281
|
|
|
277
282
|
/**
|
|
@@ -292,7 +297,9 @@ class SessionSecurity {
|
|
|
292
297
|
options.push(`Domain=${this.domain}`);
|
|
293
298
|
}
|
|
294
299
|
|
|
295
|
-
res
|
|
300
|
+
if (typeof res?.setHeader === 'function') {
|
|
301
|
+
res.setHeader('Set-Cookie', options.join('; '));
|
|
302
|
+
}
|
|
296
303
|
|
|
297
304
|
req.session = null;
|
|
298
305
|
req.sessionId = null;
|
|
@@ -512,7 +519,7 @@ class MasterSessionSecurity {
|
|
|
512
519
|
* @returns {String|null} - Cookie value or null
|
|
513
520
|
*/
|
|
514
521
|
getCookie(request, name) {
|
|
515
|
-
const cookies = request
|
|
522
|
+
const cookies = request?.headers?.cookie;
|
|
516
523
|
if (!cookies) return null;
|
|
517
524
|
|
|
518
525
|
const match = cookies.match(new RegExp(`${name}=([^;]+)`));
|
|
@@ -561,7 +568,9 @@ class MasterSessionSecurity {
|
|
|
561
568
|
cookieOptions.push('SameSite=Lax');
|
|
562
569
|
}
|
|
563
570
|
|
|
564
|
-
response
|
|
571
|
+
if (typeof response?.setHeader === 'function') {
|
|
572
|
+
response.setHeader('Set-Cookie', cookieOptions.join('; '));
|
|
573
|
+
}
|
|
565
574
|
}
|
|
566
575
|
|
|
567
576
|
/**
|
|
@@ -581,7 +590,9 @@ class MasterSessionSecurity {
|
|
|
581
590
|
cookieOptions.push(`Domain=${options.domain}`);
|
|
582
591
|
}
|
|
583
592
|
|
|
584
|
-
response
|
|
593
|
+
if (typeof response?.setHeader === 'function') {
|
|
594
|
+
response.setHeader('Set-Cookie', cookieOptions.join('; '));
|
|
595
|
+
}
|
|
585
596
|
}
|
|
586
597
|
}
|
|
587
598
|
|