koajs / session

Simple session middleware for koa
MIT License

error when set session #55

Closed jinhuang3115 closed 8 years ago

jinhuang3115 commented 8 years ago

Error: .keys required for signed cookies

var session = require('koa-session');

// app.keys is never set anywhere in this setup, so signed cookies cannot be created
router.get('/getScore', koaBody, session(app), function *() {
  var n = this.session.views || 0;
  this.session.views = ++n;
  this.body = n + ' views';
});

app.use(convert(session(app)));

Help me please! Thanks

busyhe commented 6 years ago

@jinhuang3115 Did you solve it? I ran into the same problem.

SavePointSam commented 6 years ago

This error comes from another package, cookies. The error occurs when a cookie is trying to be set, but the keys property on the cookies instance is missing.

Error: .keys required for signed cookies
      at Cookies.set (/source/project/node_modules/cookies/index.js:108:27)
      at ContextSession.save (/source/project/node_modules/koa-session/lib/context.js:321:22)
      at ContextSession.commit (/source/project/node_modules/koa-session/lib/context.js:231:16)
      at session (/source/project/node_modules/koa-session/index.js:45:18)
      at <anonymous>
      at process._tickCallback (internal/process/next_tick.js:188:7)

Koa, by default, adds cookies to the context. However, it treats the settings for the cookies blindly and the documentation about the keys property is kind of hidden, though there is explicit code written in Koa for keys.

koa-session uses the cookies instance on the context naively, which is part of why it appears this problem has to do with this library; when in fact it's due to the poorly documented combination of the three. koa-session enables the cookies option signed by default. ~Though it appears to be missing documentation about how app.keys needs to be set during the set up process.~ Correction: the example in the README does show this needs to be set, but doesn't point out how important it is.

Koa mentions that app.keys are sent to KeyGrip. KeyGrip explains how the basic functionality of the library is to take in a set of secrets, in descending order of 'freshness' and use those to create and verify signatures. These signatures are used to create and validate cookies.

It is a good practice to cycle out these secrets at a regular interval in order to prevent tampering of cookies and keep them secure.

So, ultimately that means a user of this library needs to define app.keys before adding session.

import Koa from 'koa';
import session from 'koa-session';

const app = new Koa();

// required for cookie signature generation
app.keys = ['newest secret key', 'older secret key'];

app.use(session(app));

Or, more dangerously, disable cookie signatures:

import Koa from 'koa';
import session from 'koa-session';

const app = new Koa();

app.use(session({ signed: false }, app));

It is also important to know that any key that has been compromised should be removed from the list so that any cookie generated with that signature no longer works. Having multiple in the list simply allows for deprecation of old cookie signatures over time, in favor of new ones.