fix: miss-match session key/secret error (#53)

postlight · Apr 22, 2016 · 47ef4b8 · 47ef4b8
1 parent e70a032
commit 47ef4b8
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 5 deletions.
diff --git a/src/packages/server/index.js b/src/packages/server/index.js
@@ -38,6 +38,7 @@ class Server extends Base {
         req.params = await formatParams(req);
         req.session = Session.create({
           cookie: headers.cookie,
+          logger,
           sessionKey,
           sessionSecret
         });

diff --git a/src/packages/session/index.js b/src/packages/session/index.js
@@ -1,7 +1,10 @@
 import Base from '../base';
 
+import { line } from '../logger';
+
 import encrypt from './utils/encrypt';
 import decrypt from './utils/decrypt';
+import tryCatch from '../../utils/try-catch';
 
 class Session extends Base {
   data = {};
@@ -11,9 +14,10 @@ class Session extends Base {
   didChange = false;
 
   constructor(props = {}) {
-    let { cookie, sessionKey, sessionSecret } = props;
+    let { cookie, logger, sessionKey, sessionSecret } = props;
 
     super({
+      logger,
       sessionKey,
       sessionSecret
     });
@@ -30,13 +34,29 @@ class Session extends Base {
     const { sessionSecret } = this;
 
     if (value) {
-      this.setProps({
-        data: JSON.parse(decrypt(value, sessionSecret)),
-        cookie: value
+      tryCatch(() => {
+        this.setProps({
+          data: JSON.parse(decrypt(value, sessionSecret)),
+          cookie: value
+        });
+      }, () => {
+        const { environment } = this;
+
+        if (environment === 'development') {
+          this.logger.error(line`
+            Error: Unable to decrypt "${this.sessionKey}". Make sure your
+            configuration for "${environment}" has the correct sessionSecret.
+          `);
+        }
+
+        this.setProps({
+          cookie: encrypt('{}', sessionSecret),
+          didChange: true
+        });
       });
     } else {
       this.setProps({
-        cookie: encrypt(JSON.stringify(this.data), sessionSecret),
+        cookie: encrypt('{}', sessionSecret),
         didChange: true
       });
     }

diff --git a/test/unit/packages/session.js b/test/unit/packages/session.js
@@ -0,0 +1,23 @@
+import { expect } from 'chai';
+import { randomBytes } from 'crypto';
+import fetch from 'isomorphic-fetch';
+
+import encrypt from '../../../src/packages/session/utils/encrypt';
+import config from '../../test-app/config/environments/test.json';
+
+const host = 'http://localhost:4000';
+
+describe('Unit: class Session ', () => {
+  describe('Regression: #updateCookie() (https://github.com/postlight/lux/issues/50)', () => {
+    it('defaults to empty session upon a decryption error', async () => {
+      const session = encrypt('{}', randomBytes(32).toString('hex'));
+      const { status, headers } = await fetch(`${host}/posts`, {
+        headers: new Headers({
+          'Cookie': `${config.sessionKey}=${session};`
+        })
+      });
+
+      expect(status).to.equal(200);
+    });
+  });
+});