Thomas Schmitt
6248e1440f
Use Buffer.from, Buffer.alloc instead of deprecated constructor
...
Simply remove all the usages of the deprecated buffer constructor.
Using Buffer.from and Buffer.alloc instead.
2018-10-17 04:01:53 -07:00
Sean McArthur
53c7a05ff1
fix tests to close servers
2017-04-06 12:01:25 -07:00
busticated
e0c7db1688
update cookies module to v0.7.0 to gain support for sameSite attribute
2017-04-05 16:43:44 -07:00
busticated
0a577de729
update express module to v4.15.2
2017-04-05 16:15:01 -07:00
Sean McArthur
2dd39014a6
fix tests
2014-09-15 10:42:55 -07:00
John Firebaugh
cabfdcfb71
Return undefined from util.decode on more invalid inputs
...
Specifically, on inputs with components that are invalid
base64. Previously, such input would produce an exception,
which is inconsistent with the behavior for other forms
of invalid input (wrong number of components, wrong IV
length, invalid JSON).
2014-03-18 09:52:59 -07:00
Jeremy Stashewsky
927e6b93fc
Implement key length constraints
2014-01-03 18:26:13 -08:00
Jeremy Stashewsky
f7922f9df0
signatureAlgorithm & encryptionAlgorithm
2013-12-17 21:22:47 -08:00
Sean McArthur
d6399f82c5
removed need for Proxy, using getter/setters
...
- killed a native dependency!
- fix when someone does req.session = myObj.
2013-12-13 16:56:20 -08:00
Sean McArthur
3f156dd5df
fix dirty checking of nested objects
...
store json when loading, and then compare json at end to determine
if a child object has changed.
2013-11-29 09:54:04 -08:00
Sean McArthur
b8c53bfa64
adds activeDuration, default 5 minutes
...
if a user has an active session, such that they make a request, and the
expiration of their session is within the activeDuration value, their
session will be extended by the same value.
fixes #2
2013-10-23 18:26:11 -07:00
Francois Marier
7070a11d68
Ephemeral state can now be changed in setDuration
...
Changing the ephemeral state will cause a new cookie to be set in
the browser.
2013-09-04 16:48:01 +12:00
Francois Marier
8588ecf0fa
Add new cookie.ephemeral option defaulting to false
...
This option ensures that the cookie is expired by the browser when
it closes. It used to be the default but this was changed in
a2b144ccf7.
2013-09-04 16:48:01 +12:00
Francois Marier
8c47564dd7
Update the cookie expiry whenever duration or createdAt change
...
The cookie is reset every time something in the session payload
changes. Whenever it's reset, the original value of expires is
used.
This is good unless the duration or the creation time change. In
that case, we need to also update the cookie expiry to match the
expiry of the signed payload.
2013-09-04 16:41:40 +12:00
Francois Marier
571b75f9f0
test: remove lies in comments
...
Perhaps the internal duration was 400 ms in a former life, but
now it's set to 500.
2013-08-30 18:41:50 +02:00
Francois Marier
a2b144ccf7
Always set the HTTP expiry on the cookie to match internal duration
...
The external expiry on the cookie (which is really just a suggestion
for the browser) should be the same as the expiry inside the
encrypted/signed payload. That way the browser will avoid sending
an invalid cookie to the server.
https://github.com/mozilla/browserid/issues/2754
2013-08-30 18:41:49 +02:00
Francois Marier
fe65d9a5f3
test: add another session duration test
...
We test that the session is cleared after it expires, but we don't
check that it's still there just before it expires, at least not in
the same way.
2013-08-30 18:41:49 +02:00
David Benjamin
de04ba900a
Add a (failing) test for tampered HMACs
...
The test input is conveniently chosen so that the HMAC (mis-)interpreted as UTF-8
gives REPLACEMENT CHARACTER (U+FFFD) at the end.
2013-06-20 01:19:26 -04:00
Lloyd Hilaiel
d552cc2f14
allow the client to specify a different request key name rather than forcing them to use the cookie name - issue #43
2013-05-31 10:53:44 -06:00
Sean McArthur
297e86c010
encode cookieName into cookie content
...
fixes #35
2013-04-19 15:22:04 -07:00
Austin King
42c5f43e76
Removing requestKey from options. Reusing cookieName. Added README update
2013-04-16 15:53:20 -07:00
Austin King
4c4d18397e
Provide support for client-sessions to be used multiple times.
...
Adds requestKey option. Defaults to "session".
Users of module can install middleware multiple times to
have different secure cookies with different policies.
2013-04-15 16:03:37 -07:00
Trygve Lie
eca903cebb
Added public encode and decode methods
2013-03-19 18:10:31 +01:00
Roman Khmelichek
0bd5549f47
Fixed issue with session loading variables from an existing cookie after a reset()
2013-02-18 17:03:02 -05:00
Sean McArthur
962c4eab6f
undefined session values should return undefined
...
it was returning null
2012-08-16 14:07:30 -07:00
Sean McArthur
c4f4fda169
adds test for a non-existing cookie read
...
this tests the functionality added in #15
2012-08-16 13:40:52 -07:00
Lloyd Hilaiel
d5f06c508a
improve error message when secure cookies are run on an insecure socket - also suppress this error from getting printed to stderr when tests are being run - closes #11
2012-04-18 12:55:29 -06:00
Lloyd Hilaiel
81362ec270
add a test which verifies that when session duration is modified, creation time is also updated
2012-04-18 12:37:15 -06:00
Lloyd Hilaiel
67c2ceeaea
add many new tests for session.setDuration()
2012-03-14 12:51:26 -06:00
Lloyd Hilaiel
ee2e6e4b30
implement setDuration
2012-03-13 13:08:07 -06:00
Lloyd Hilaiel
f0a6fd6efc
add a test of .setDuration() - clean up whitespace in tests
2012-03-13 12:40:14 -06:00
Ben Adida
69a09abe2b
updated cookies version to respect req.connection.proxySecure, added tests for this, updated structure to be more node'ish.
2012-01-04 19:18:12 -08:00
Ben Adida
40b0cb2306
restructured tests to reduce crazy concurrency, also no sharing of express apps between tobis, tobis tend to be jealous, and added check that only single cookie is set, fixed bug where reset() was setting cookie
2011-12-30 12:25:01 -08:00
Ben Adida
fcb4c9f643
added tests for duration, failing on vows right now
2011-12-30 10:52:57 -08:00
Ben Adida
7512033304
Added test for duration, failing appropriately
2011-12-30 10:22:30 -08:00
Ben Adida
758114240c
simplified API to just use .reset(), added tests and implemented. No duration support yet.
2011-12-30 09:49:27 -08:00
Ben Adida
eaaac62165
added httponly true by default, updated readme
2011-12-30 08:40:36 -08:00
Ben Adida
e907048f11
Added test for key enumeration, currently failing
2011-12-29 17:01:43 -08:00
Ben Adida
4bf66f40bb
fixed maxage support, added tests
2011-12-29 16:19:44 -08:00
Ben Adida
fa843f5007
ensure that deleting a key does the right thing
2011-12-29 16:09:37 -08:00
Ben Adida
92e5121e08
session is now properly saved across requests and issues a set-cookie only when necessary
2011-12-29 12:33:07 -08:00
Ben Adida
bc2d47077f
added tests and started code for session state, you know, the whole point of sessions
2011-12-29 09:33:16 -08:00
Ben Adida
20101dc557
make sure to bind target methods to the target itself in the proxy, add test for session.clear()
2011-12-28 22:04:53 -08:00
Ben Adida
caca8a9454
started putting together basic components, specifically proxies to get the session object to behave properly
2011-12-28 21:58:19 -08:00