App session settings #68

Merged
merged 6 commits into from
Feb 25, 2020

joshcanhelp
Contributor

@joshcanhelp joshcanhelp commented Feb 20, 2020

Description

This is a breaking change in configuration for all applications!

This PR merges existing application session configuration into a single object. Specific changes:

  • Add a required appSession configuration key that can be an object (described below) or false to skip the internally-generated cookie-based session.
  • Change the default session name to appSession from identity
  • Changed config key appSessionSecret to appSession.secret. If the appSession object is provided then this needs to have a string value 8 characters or greater, an array of string values 8 characters or greater, or an APP_SESSION_SECRET defined in process.env.
  • Changed config key appSessionName to appSession.name.
  • Changed config key appSessionDuration to appSession.duration.
  • Merged config key appSessionCookie with the new appSession object. Cookie options are:
    • cookieDomain: Works the same as appSessionCookie.domain previously
    • cookieTransient: Same functionality as appSessionCookie.ephemeral in v0.7.0, sets cookie expiration to 0
    • cookieHttpOnly: Works the same as appSessionCookie.httpOnly previously
    • cookiePath: Works the same as appSessionCookie.path previously
    • cookieSameSite: Works the same as appSessionCookie.sameSite previously
    • cookieSecure: Works the same as appSessionCookie.secure previously
  • TS: Removed SessionCookieConfigParams and added AppSessionConfigParams

An application configuration in 0.7.0 like this:

// TS type here would be `SessionCookieConfigParams`
const appSessionCookieConfig = {
  domain: 'localhost',
  ephemeral: false,
  httpOnly: true,
  path: '/',
  sameSite: 'Strict',
  secure: true
};

// TS type here would be `ConfigParams`
const oidcConfig: ConfigParams = {
  appSessionCookie: appSessionCookieConfig,
  appSessionSecret: process.env.APP_SESSION_SECRET,
  appSessionDuration: 234567890,
  appSessionName: 'customSession',
  baseURL: process.env.BASE_URL,
  clientID: process.env.CLIENT_ID,
  issuerBaseURL: process.env.ISSUER_BASE_URL
};

Would now need to look like:

// TS type here would be `AppSessionConfigParams`
const appSessionConfig = {
  secret: process.env.APP_SESSION_SECRET,
  duration: 234567890,
  name: 'customSession',
  cookieDomain: 'localhost',
  cookieTransient: false,
  cookieHttpOnly: true,
  cookiePath: '/',
  cookieSameSite: 'Strict',
  cookieSecure: true
};

// TS type here would still be `ConfigParams`
const oidcConfig: ConfigParams = {
  appSession: appSessionConfig,
  baseURL: process.env.BASE_URL,
  clientID: process.env.CLIENT_ID,
  issuerBaseURL: process.env.ISSUER_BASE_URL
};

Testing

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not master

@joshcanhelp joshcanhelp added this to the v0.8.0 milestone Feb 20, 2020
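
The key changes listed in the description above, written as a config migration helper. This is an added example, not code from this PR or from the library; `migrateAppSessionConfig`, `isValidSecret` and `COOKIE_KEY_MAP` are hypothetical names, and it assumes the 0.7.0 cookie keys are exactly those named in the bullet list.

```javascript
// Added example: hypothetical helper, not the library's own code.
// 0.7.0 appSessionCookie keys -> 0.8.0 appSession keys, per the PR description.
const COOKIE_KEY_MAP = {
  domain: 'cookieDomain',
  ephemeral: 'cookieTransient',
  httpOnly: 'cookieHttpOnly',
  path: 'cookiePath',
  sameSite: 'cookieSameSite',
  secure: 'cookieSecure'
};

// Secret rule from the description: a string of 8 or more characters,
// or a non-empty array of such strings.
function isValidSecret(secret) {
  const ok = (s) => typeof s === 'string' && s.length >= 8;
  return Array.isArray(secret) ? secret.length > 0 && secret.every(ok) : ok(secret);
}

function migrateAppSessionConfig(oldConfig, env = process.env) {
  const {
    appSessionCookie = {},
    appSessionSecret,
    appSessionName,
    appSessionDuration,
    ...rest
  } = oldConfig;

  // Fall back to APP_SESSION_SECRET when the config carries no secret.
  const secret = appSessionSecret !== undefined ? appSessionSecret : env.APP_SESSION_SECRET;
  if (!isValidSecret(secret)) {
    throw new Error('appSession.secret must be a string, or array of strings, of 8+ characters');
  }

  const appSession = { secret };
  if (appSessionName !== undefined) appSession.name = appSessionName;
  if (appSessionDuration !== undefined) appSession.duration = appSessionDuration;

  for (const [key, value] of Object.entries(appSessionCookie)) {
    const newKey = COOKIE_KEY_MAP[key];
    // Fail loudly so a cookie hardening option is never silently dropped.
    if (!newKey) throw new Error(`Unknown appSessionCookie option: ${key}`);
    appSession[newKey] = value;
  }
  return { ...rest, appSession };
}
```

Rejecting unknown cookie keys matters here because a dropped `secure`, `httpOnly` or `sameSite` setting would fall back to the default without any error.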
@@ -1,27 +1,27 @@
const { strict: assert } = require('assert');
Contributor Author

@joshcanhelp joshcanhelp Feb 20, 2020

No intended changes to session or encryption functionality in this file.

@joshcanhelp joshcanhelp marked this pull request as ready for review February 20, 2020 23:11
@joshcanhelp joshcanhelp requested a review from a team February 20, 2020 23:11
@joshcanhelp joshcanhelp merged commit e930103 into auth0:master Feb 25, 2020
@joshcanhelp joshcanhelp deleted the app-session-settings branch February 25, 2020 14:59
3 participants