Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change session and token handling #42

Merged
merged 19 commits into from
Jan 3, 2020
Merged

Change session and token handling #42

merged 19 commits into from
Jan 3, 2020

Conversation

joshcanhelp
Copy link
Contributor

@joshcanhelp joshcanhelp commented Dec 10, 2019

Description

This is a major breaking change to functionality. Please read the below along with the EXAMPLES.md document for how to handle your application's use case.

This PR remove the requirement for a session middleware and, instead, stores the user identity in an encrypted and signed cookie. This PR will also remove automatic storage of the TokenSet received from the authorization server.

See API.md in this PR for added configuration options and EXAMPLES.md in this PR for how to handle token storage and user sessions with server-side sessions.

Breaking Changes:

  • A session middleware is no longer required and will not be used automatically
  • The returned TokenSet is not longer stored automatically
  • Remove req.openid.tokens setter and getter
  • Change getUser function to pull from configured req property rather than req.session

References

Testing

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not master

get isAuthenticated() {
return !!this.user;
}

makeTokenSet(tokenSet) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This lets developers create a TokenSet without importing the library directly.

lib/config.js Outdated
@@ -36,6 +36,10 @@ const paramsSchema = Joi.object().keys({
loginPath: Joi.string().optional().default('/login'),
logoutPath: Joi.string().optional().default('/logout'),
legacySameSiteCookie: Joi.boolean().optional().default(true),
sessionName: Joi.string().token().optional().default('identity'),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the actual cookie name for the internal session.

lib/loadEnvs.js Outdated
@@ -3,21 +3,14 @@ const fieldsEnvMap = {
'baseURL': 'BASE_URL',
'clientID': 'CLIENT_ID',
'clientSecret': 'CLIENT_SECRET',
'sessionSecret': 'SESSION_SECRET',
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SESSION_SECRET is the env name for the secret that encrypts the cookie. If this env exists then the config value does not need to be passed to the SDK config.

};

module.exports = function(params) {
Object.keys(fieldsEnvMap).forEach(k => {
if (params[k]) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was treating false as not set

};

module.exports = function(params) {
Object.keys(fieldsEnvMap).forEach(k => {
if (params[k]) {
return;
if (typeof params[k] === 'undefined') {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the config key is not present then use the env var for specific keys.

});

if (!params.baseURL &&
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A lot of dancing around to allow a very specific case. Also: sets the URL without TLS.

req.session.openidTokens = tokenSet;
req.openIdTokens = tokenSet;

if (config.sessionSecret) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If there is a session secret, then we store the claims in a cookie.

if (config.sessionSecret) {
let identityClaims = tokenSet.claims();
// Remove validation claims to reduce stored size.
['aud', 'iss', 'exp', 'nonce', 'azp', 'auth_time'].forEach(claim => delete identityClaims[claim]);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would c_hash/at_hash also be included?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gkwang - When are those properties present?

panva and others added 3 commits December 30, 2019 07:05
Switch to use sessionLength instead. Setting the length
to 0 will indicate an ephemeral session, reducing the
need for an additional key.
lib/session.js Outdated
@@ -0,0 +1,100 @@
const { strict: assert } = require('assert');
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Encryption and signing was added and reviewed here:

https://github.com/joshcanhelp/express-openid-connect/pull/1

Appending `app` to the session-realted config keys
to make it more clear what they are used for.
Added a config key for the application session cookie to
allow cookie options to be passed to the session cookie.
@joshcanhelp
Copy link
Contributor Author

joshcanhelp commented Dec 31, 2019

Coverage report from nyc (updated)

-----------------------------------|----------|----------|----------|----------|-------------------|
File                               |  % Stmts | % Branch |  % Funcs |  % Lines | Uncovered Line #s |
-----------------------------------|----------|----------|----------|----------|-------------------|
All files                          |    92.49 |    83.75 |    86.05 |    93.06 |                   |
 express-openid-connect            |      100 |      100 |      100 |      100 |                   |
  index.js                         |      100 |      100 |      100 |      100 |                   |
 express-openid-connect/lib        |    95.48 |       88 |    92.86 |    95.43 |                   |
  ResponseMode.js                  |      100 |      100 |      100 |      100 |                   |
  appSession.js                    |    95.74 |    78.79 |      100 |    95.56 |             46,47 |
  client.js                        |    96.88 |    84.62 |      100 |    96.88 |                63 |
  config.js                        |     97.3 |    92.31 |      100 |     97.3 |                84 |
  context.js                       |     90.2 |     87.5 |    77.78 |     90.2 |   16,20,68,83,107 |
  loadEnvs.js                      |      100 |      100 |      100 |      100 |                   |
  transientHandler.js              |      100 |      100 |      100 |      100 |                   |
 express-openid-connect/lib/hooks  |      100 |      100 |      100 |      100 |                   |
  getUser.js                       |      100 |      100 |      100 |      100 |                   |
  handleCallback.js                |      100 |      100 |      100 |      100 |                   |
 express-openid-connect/middleware |    84.34 |    63.33 |    69.23 |    86.25 |                   |
  auth.js                          |    88.41 |    57.89 |    77.78 |    90.91 |... 87,138,139,140 |
  requiresAuth.js                  |    88.89 |    88.89 |      100 |    88.89 |                20 |
  unauthorizedHandler.js           |       20 |        0 |        0 |       20 |        9,10,11,13 |
-----------------------------------|----------|----------|----------|----------|-------------------|

@@ -0,0 +1,88 @@
const { strict: assert } = require('assert');
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Encryption added and reviewed by security here:

https://github.com/joshcanhelp/express-openid-connect/pull/1

@joshcanhelp joshcanhelp requested a review from gkwang December 31, 2019 21:41
@joshcanhelp joshcanhelp added this to the v0.6.0 milestone Dec 31, 2019
@joshcanhelp joshcanhelp marked this pull request as ready for review December 31, 2019 21:41
@joshcanhelp joshcanhelp requested a review from damieng January 3, 2020 06:03
damieng
damieng previously approved these changes Jan 3, 2020
Copy link
Contributor

@damieng damieng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few questions still, none blockers.

EXAMPLES.md Show resolved Hide resolved
});
```

## 5. Calling userinfo
## 7. Calling userinfo
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe a better title to match the access token one?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I struggled with a title here because you only need to call userinfo in specific cases and I'm not sure if I could shorten that down to something universally-clear in the title. I added a bit more color in the description, though.

next();
} catch(e) {
next(e);
}
},
getUser: function(tokenSet) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we not need this now? The descriptive text indicates we do but it looks like line 221 is mapping claims directly now. One of these seems out of step with the other.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. That example was not working properly with this new system.

@joshcanhelp
Copy link
Contributor Author

@damieng - Last change blew away your approval. Ready again!

@joshcanhelp joshcanhelp merged commit 69572c6 into auth0:master Jan 3, 2020
@joshcanhelp joshcanhelp deleted the add-internal-session-for-claims branch January 3, 2020 22:20
@joshcanhelp joshcanhelp changed the title Add internal session for claims Change session and token handling Jan 9, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants