adding ability to configure session.secret in local env config

Author: jloveland

config/config.js

@@ -87,6 +87,28 @@ var validateSecureMode = function (config) {
   }
 };
 
+/**
+ * Validate Session Secret parameter is not set to default in production
+ */
+var validateSessionSecret = function (config, testing) {
+
+  if (process.env.NODE_ENV !== 'production') {
+    return true;
+  }
+
+  if (config.sessionSecret === 'MEAN') {
+    if (!testing) {
+      console.log(chalk.red('+ WARNING: It is strongly recommended that you change sessionSecret config while running in production!'));
+      console.log(chalk.red('  Please add `sessionSecret: process.env.SESSION_SECRET || \'super amazing secret\'` to '));
+      console.log(chalk.red('  `config/env/production.js` or `config/env/local.js`'));
+      console.log();
+    }
+    return false;
+  } else {
+    return true;
+  }
+};
+
 /**
  * Initialize global configuration files
  */
@@ -169,7 +191,7 @@ var initGlobalConfig = function () {
   // production or development environment. If test environment is used we don't merge it with local.js
   // to avoid running test suites on a prod/dev environment (which delete records and make modifications)
   if (process.env.NODE_ENV !== 'test') {
-    config = _.merge(config, (fs.existsSync(path.join(process.cwd(), 'config/env/local.js')) && require(path.join(process.cwd(), 'config/env/local.js'))) || {});  
+    config = _.merge(config, (fs.existsSync(path.join(process.cwd(), 'config/env/local.js')) && require(path.join(process.cwd(), 'config/env/local.js'))) || {});
   }
 
   // Initialize global globbed files
@@ -181,9 +203,13 @@ var initGlobalConfig = function () {
   // Validate Secure SSL mode can be used
   validateSecureMode(config);
 
+  // Validate session secret
+  validateSessionSecret(config);
+
   // Expose configuration utilities
   config.utils = {
-    getGlobbedPaths: getGlobbedPaths
+    getGlobbedPaths: getGlobbedPaths,
+    validateSessionSecret: validateSessionSecret
   };
 
   return config;

config/env/default.js

@@ -14,15 +14,15 @@ module.exports = {
     // session expiration is set by default to 24 hours
     maxAge: 24 * (60 * 60 * 1000),
     // httpOnly flag makes sure the cookie is only accessed
-    // through the HTTP protocol and not JS/browser 
+    // through the HTTP protocol and not JS/browser
     httpOnly: true,
     // secure cookie should be turned to true to provide additional
     // layer of security so that the cookie is set only when working
     // in HTTPS mode.
     secure: false
   },
   // sessionSecret should be changed for security measures and concerns
-  sessionSecret: 'MEAN',
+  sessionSecret: process.env.SESSION_SECRET || 'MEAN',
   // sessionKey is set to the generic sessionId key used by PHP applications
   // for obsecurity reasons
   sessionKey: 'sessionId',

config/env/local.example.js

@@ -14,6 +14,7 @@ module.exports = {
       pass: ''
     }
   },
+  sessionSecret: process.env.SESSION_SECRET || 'youshouldchangethistosomethingsecret',
   facebook: {
     clientID: process.env.FACEBOOK_ID || 'APP_ID',
     clientSecret: process.env.FACEBOOK_SECRET || 'APP_SECRET',

modules/core/tests/server/core.server.config.tests.js

@@ -10,10 +10,10 @@ var should = require('should'),
   config = require(path.resolve('./config/config')),
   seed = require(path.resolve('./config/lib/seed'));
 
-describe('Configuration tests', function () {
+describe('Configuration Tests:', function () {
   this.timeout(10000);
 
-  describe('Testing default seedDB:', function () {
+  describe('Testing default seedDB', function () {
     before(function(done) {
       User.remove(function(err) {
         should.not.exist(err);
@@ -118,7 +118,43 @@ describe('Configuration tests', function () {
         });
       });
     });
-
   });
 
+  describe('Testing Session Secret Configuration', function () {
+    it('should warn if using default session secret when running in production', function (done) {
+      var conf = { sessionSecret: 'MEAN' };
+      // set env to production for this test
+      process.env.NODE_ENV = 'production';
+      config.utils.validateSessionSecret(conf, true).should.equal(false);
+      // set env back to test
+      process.env.NODE_ENV = 'test';
+      done();
+    });
+
+    it('should accept non-default session secret when running in production', function (done) {
+      var conf = { sessionSecret: 'super amazing secret' };
+      // set env to production for this test
+      process.env.NODE_ENV = 'production';
+      config.utils.validateSessionSecret(conf, true).should.equal(true);
+      // set env back to test
+      process.env.NODE_ENV = 'test';
+      done();
+    });
+
+    it('should accept default session secret when running in development', function (done) {
+      var conf = { sessionSecret: 'MEAN' };
+      // set env to development for this test
+      process.env.NODE_ENV = 'development';
+      config.utils.validateSessionSecret(conf, true).should.equal(true);
+      // set env back to test
+      process.env.NODE_ENV = 'test';
+      done();
+    });
+
+    it('should accept default session secret when running in test', function (done) {
+      var conf = { sessionSecret: 'MEAN' };
+      config.utils.validateSessionSecret(conf, true).should.equal(true);
+      done();
+    });
+  });
 });