From 08e6702168e9a4b52351b657d61b5a12d2c3147a Mon Sep 17 00:00:00 2001
From: Josh Cunningham
Date: Mon, 30 Dec 2019 12:40:26 -0800
Subject: [PATCH] Remove sessionEphemeral

Switch to use sessionLength instead. Setting the length to 0 will indicate an ephemeral session, reducing the need for an additional key.
---
 API.md | 3 +--
 lib/config.js | 10 ++++++++--
 lib/session.js | 9 ++-------
 middleware/auth.js | 1 -
 4 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/API.md b/API.md
index 26d1462b..19a78b6f 100644
--- a/API.md
+++ b/API.md
@@ -34,9 +34,8 @@ Additional configuration keys that can be passed to `auth()` on initialization:
 - **`redirectUriPath`** - Relative path to the application callback to process the response from the authorization server. This value is combined with the `baseUrl` and sent to the authorize endpoint as the `redirectUri` parameter. Default is `/callback`.
 - **`required`** - Use a boolean value to require authentication for all routes. Pass a function instead to base this value on the request. Default is `true`.
 - **`routes`** - Boolean value to automatically install the login and logout routes. See [the examples](EXAMPLES.md) for more information on how this key is used. Default is `true`.
-- **`sessionLength`** - Integer value, in seconds, indicating application session length. Default is 7 days.
+- **`sessionLength`** - Integer value, in seconds, indicating application session length. Set to `0` to indicate the cookie should be ephemeral (no expiration). Default is 7 days.
 - **`sessionName`** - String value for the cookie name used for the internal session. This value must only include letters, numbers, and underscores. Default is `identity`.
-- **`sessionEphemeral`** - Use a boolean to indicate the cookie should be ephemeral (no expiration on the cookie). Default is `false`.

 ### Authorization Params Key

diff --git a/lib/config.js b/lib/config.js
index 27c2b958..692ac2d9 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -37,9 +37,15 @@ const paramsSchema = Joi.object().keys({
 logoutPath: Joi.string().optional().default('/logout'),
 legacySameSiteCookie: Joi.boolean().optional().default(true),
 sessionName: Joi.string().token().optional().default('identity'),
- sessionSecret: Joi.alternatives([ Joi.array().items(Joi.string()), Joi.string(), Joi.boolean().valid([false]) ]).required().default(),
+ sessionSecret: Joi.alternatives([
+ // Array of keys to allow for rotation.
+ Joi.array().items(Joi.string()),
+ // Single string key.
+ Joi.string(),
+ // False to stop client session from being created.
+ Joi.boolean().valid([false])
+ ]).required(),
 sessionLength: Joi.number().integer().optional().default(7 * 24 * 60 * 60),
- sessionEphemeral: Joi.boolean().optional().default(false),
 idpLogout: Joi.boolean().optional().default(false)
 .when('auth0Logout', { is: true, then: Joi.boolean().optional().default(true) })
diff --git a/lib/session.js b/lib/session.js
index f531bf73..be25538d 100644
--- a/lib/session.js
+++ b/lib/session.js
@@ -8,7 +8,7 @@ const hkdf = require('futoin-hkdf');
 const deriveKey = (secret) => hkdf(secret, 32, { info: 'JWE CEK', hash: 'SHA-256' });
 const epoch = () => Date.now() / 1000 | 0;

-module.exports = ({ cookieName, propertyName, secret, duration, ephemeral, cookieOptions = {} }) => {
+module.exports = ({ cookieName, propertyName, secret, duration, cookieOptions = {} }) => {
 let current;

 const { domain, httpOnly, path, secure, sameSite } = cookieOptions;
@@ -52,11 +52,6 @@ module.exports = ({ cookieName, propertyName, secret, duration, ephemeral, cooki
 if (req[propertyName] && Object.keys(req[propertyName]).length > 0) {
 const value = encrypt(JSON.stringify(req[propertyName]), { iat, uat, exp });

- // TODO: chunk
- // if (Buffer.byteLength(value) >= 4050) {
- //
- // }
-
 res.cookie(
 cookieName,
 value,
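Review bot: `sessionLength` is validated with `Joi.number().integer()` only, so now that `0` carries the special meaning "ephemeral", a negative value is still accepted and would presumably yield an `exp` already in the past when the session is sealed; add `.min(0)` on that line: `sessionLength: Joi.number().integer().min(0).optional().default(7 * 24 * 60 * 60),`. Nothing in config.js records the sentinel, so a one-line comment above the key would help the next maintainer, e.g. `// 0 = ephemeral session cookie (no Expires attribute); see lib/session.js.` The schema object starts and ends outside this hunk.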
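Review bot: The new signature defaults `cookieOptions` to `{}`, and the destructuring two lines below then leaves `httpOnly`, `secure` and `sameSite` undefined, so unless the caller passes them the encrypted session cookie is set without `HttpOnly`; the `middleware/auth.js` hunk in this same patch still carries the cookieOptions wiring as a TODO, so today nothing passes them. Because this cookie is the session token, `HttpOnly` should be on unless explicitly disabled: `const { domain, httpOnly = true, path, secure, sameSite } = cookieOptions;`. `secure` is better derived from the scheme of `baseUrl` than hard-defaulted, and `sameSite` appears to be handled via `legacySameSiteCookie` elsewhere, so I would leave those caller-supplied but say so in a comment on the destructuring. The exported function's body continues past this hunk.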
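Review bot: Dropping the `// TODO: chunk` block removes the only reminder that `value` — the JWE of the whole session object — can exceed the roughly 4 KB per-cookie limit, after which browsers silently discard the `Set-Cookie` and the user appears logged out with no server-side error; the limit itself is still unhandled. Until chunking exists, surfacing the problem is safer than a silent drop, e.g. before `res.cookie(` add `if (Buffer.byteLength(value) > 4096) { throw new Error('session cookie exceeds 4096 bytes'); }`, or at minimum log a warning if a hard failure is considered too disruptive for app-controlled session data. The enclosing function starts and ends outside this hunk.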
@@ -66,7 +61,7 @@ module.exports = ({ cookieName, propertyName, secret, duration, ephemeral, cooki
 path,
 secure,
 sameSite,
- expires: ephemeral ? 0 : new Date(exp * 1000)
+ expires: !duration ? 0 : new Date(exp * 1000)
 }
 );
 }
diff --git a/middleware/auth.js b/middleware/auth.js
index 61593054..360d5988 100644
--- a/middleware/auth.js
+++ b/middleware/auth.js
@@ -54,7 +54,6 @@ module.exports = function (params) {
 propertyName: config.sessionName,
 secret: config.sessionSecret,
 duration: config.sessionLength,
- ephemeral: config.sessionEphemeral,
 // TODO: cookieOptions: { domain, httpOnly, path, secure, sameSite }
 }));
 }
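Review bot: `expires: !duration ? 0 : new Date(exp * 1000)` only drops the cookie's `Expires` attribute; the `exp` claim sealed into the payload earlier in this function is still derived from `duration` outside this hunk, so with `sessionLength: 0` it presumably equals `uat`, and if the read path rejects a token whose `exp` has passed, an "ephemeral" session would be invalid on the very next request — this deserves a test. Conversely, if the read path does not enforce `exp` for these sessions, there is no server-side lifetime at all, and browsers that restore session cookies across restarts keep the token alive indefinitely; I would keep stamping a bounded `exp` (an absolute cap independent of the cookie attribute) so that `0` means "session cookie" rather than "never expires", and state that in a comment on this line, e.g. `// 0 = session cookie (no Expires); the sealed exp claim still bounds server-side validity.` The enclosing function starts outside this hunk.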