chill117 / express-mysql-session

A MySQL session store for the express framework in node
MIT License

Bad Request causes bad JSON response #112

Open G-Adams opened 4 years ago

G-Adams commented 4 years ago

When querying an invalid column name, the JSON response is missing the last curly brace, but only when the store is instantiated for the session. If the session store is not used, this issue does not present. This occurs only with bad requests (400).

with store: { "message": "Bad Request"

without store: { "message": "Bad Request" }

Similar issue here. The workaround posited does fix the problem, but I'm unsure why implementing the store causes the workaround to be necessary.

Express/Session are most recent version as of this post.

Code:

```js
const express = require('express');
const bodyParser = require('body-parser');
const fs = require('fs');
const https = require('https');

const app = express();
const session = require('express-session');
const MySQLStore = require('express-mysql-session')(session);
const { serverError } = require('./utils/response');
const { log } = require('./utils');
const prototypes = require('./utils/prototypes');
const db = require('./utils/db/mysql');

db.connect();
const mysqlConn = db.pool;
const storeOptions = {
    host: process.env.DB_HOST,
    port: process.env.DB_PORT,
    user: process.env.DB_USER,
    password: process.env.DB_PASSWORD,
    database: process.env.DB_DATABASE,
};
const sessionStore = new MySQLStore(storeOptions, mysqlConn);
// load all prototypes on initial startup
for (const func of Object.values(prototypes)) {
    func();
}

// Tell express to use these middleware functions for every request
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({
    extended: false,
}));
let useSecure = true;
if (process.env.SECURE) {
    useSecure = process.env.SECURE === 'true';
}

app.use(session({
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    rolling: true,
    store: sessionStore, // Commenting out this line fixes the bad request issue but does not instantiate store
    cookie: {
        sameSite: 'lax',
        secure: !!process.env.SECURE_CONTEXT,
        // 24 minutes - should use env variable
        maxAge: parseInt(process.env.SESSION_LENGTH, 10) || 1440000,
    },
}));
```

chill117 commented 3 years ago

This looks like an issue with the express-session module.

G-Adams commented 3 years ago

@chill117 here is a repository where you can verify that this issue presents somewhere between express-mysql-session and express-session which has to do with a content length mismatch resulting in the broken response.
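
One way to confirm the content-length mismatch mentioned in the last comment from the client side, as an added example that is not part of the issue thread or of either module's code: it compares the `Content-Length` a response declares with the body bytes actually received. The function names `inspectResponse` and `buildResponse` and the sample responses are constructed for illustration.

```javascript
// Added diagnostic sketch; function names and sample bytes are constructed for illustration.

// Parse a raw HTTP/1.1 response and compare the declared Content-Length
// with the number of body bytes that actually arrived.
function inspectResponse(raw) {
  const buf = Buffer.isBuffer(raw) ? raw : Buffer.from(raw, 'utf8');
  const split = buf.indexOf('\r\n\r\n');
  if (split === -1) throw new Error('no header/body separator found');

  const headerLines = buf.subarray(0, split).toString('latin1').split('\r\n');
  const status = parseInt(headerLines[0].split(' ')[1], 10);
  const headers = {};
  for (const line of headerLines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }

  const body = buf.subarray(split + 4);
  const declared = 'content-length' in headers
    ? parseInt(headers['content-length'], 10)
    : null; // e.g. chunked encoding: nothing to compare against
  let jsonOk = true;
  try { JSON.parse(body.toString('utf8')); } catch (err) { jsonOk = false; }

  return {
    status,
    declared,
    received: body.length,
    missing: declared === null ? null : declared - body.length,
    jsonOk,
  };
}

// Constructed sample: a 400 response whose header announces `declaredLength` bytes.
function buildResponse(body, declaredLength) {
  return 'HTTP/1.1 400 Bad Request\r\n' +
    'Content-Type: application/json; charset=utf-8\r\n' +
    `Content-Length: ${declaredLength}\r\n\r\n` + body;
}

const fullBody = '{"message":"Bad Request"}';
const intact = buildResponse(fullBody, Buffer.byteLength(fullBody));
// Same headers, but the final byte (the closing brace) never arrives.
const truncated = buildResponse(fullBody.slice(0, -1), Buffer.byteLength(fullBody));

console.log('intact   ', inspectResponse(intact));
console.log('truncated', inspectResponse(truncated));
```

A `missing` value of 1 together with `jsonOk: false` matches the symptom reported above, a body that stops just before the closing brace.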