fastify / session

Session plugin for fastify
Other

Session not working, when fastify-cookie plugin options use signed = true #69

Closed m0dch3n closed 2 years ago

m0dch3n commented 2 years ago

Prerequisites

Fastify version

3.0.0

Plugin version

6.4.0

Node.js version

v16.13.2

Operating system

macOS

Operating system version (i.e. 20.04, 11.3, 10)

12.3

Description

Using signed = true in the fastify-cookie options causes the sessionId to be signed twice, because we already pass the encryptedSessionId...

https://github.com/fastify/session/blob/73a4675b795e8ad3d020d5cd43de78374c09f8aa/lib/fastifySession.js#L126-L130

Once with the secret of @fastify/session and once with the secret of fastify-cookie

However on the decrypting side, we try to only decrypt the session encryption, but not the cookie encryption... https://github.com/fastify/session/blob/73a4675b795e8ad3d020d5cd43de78374c09f8aa/lib/fastifySession.js#L46

This causes a new session to be generated each time, because decryption fails with false.

Steps to Reproduce

Enable cookie signing on fastify-cookie plugin...

Expected Behavior

No response

mcollina commented 2 years ago

Can you provide steps to reproduce? We often need a reproducible example, e.g. some code that allows someone else to recreate your problem by just copying and pasting it. If it involves more than a couple of different files, create a new repository on GitHub and add a link to that.

m0dch3n commented 2 years ago

https://github.com/m0dch3n/session/commit/33438bebe16dc1de8d9f6d4f9d0d5e04ddb2a135

Here is already a possible solution; I'll set up a repo where you can test the situation.

m0dch3n commented 2 years ago

@mcollina

here is an example

https://github.com/CeasyApp/fastify-typescript-template

Just refresh / and you'll see each time a new sessionId...

https://github.com/CeasyApp/fastify-typescript-template/blob/503a32674c83a9200a67bb4db583f1f884a862de/config/default.ts#L14

If you turn signed to false, everything works fine and a new session is not generated each time, because the session plugin can unsign the cookie itself correctly.

Having it true causes, as mentioned, the double signing, which on session decryption causes a new session...

m0dch3n commented 2 years ago

I created a PR here too... @mcollina Maybe you can add the test for this? I unfortunately need to move forward with my project now...

wilkmaia commented 2 years ago

I've submitted a new PR implementing a new test alongside @m0dch3n's fix. I believe that should cover it.

gabor-s commented 4 months ago

Unfortunately this issue exists in version 10.8.0. It returned in version 10.0.0.