Automatically generate a session secret if default is used

SISheogorath · SISheogorath · commit 3599fb79b437 · 2018-03-26T00:36:28.000+02:00
The session secret is used to sign and authenticate the session cookie
and this way very important for the authentication process.

By default the session secret is set to `secret` and never changes. This
commit will add a generator for a dynamic session secret if it stays
unchanged.

It prevents session hijacking this way and will warn the user about
the missing secret.

This also implies that on a restart without configured session secret
will log out all users. While it may seems annoying, it's for the users
best.

Signed-off-by: Sheogorath &lt;sheogorath@shivering-isles.com&gt;
diff --git a/lib/config/default.js b/lib/config/default.js
@@ -46,6 +46,7 @@ module.exports = {
   // session
   sessionName: 'connect.sid',
   sessionSecret: 'secret',
+  sessionSecretLen: 128,
   sessionLife: 14 * 24 * 60 * 60 * 1000, // 14 days
   staticCacheTime: 1 * 24 * 60 * 60 * 1000, // 1 day
   // socket.io
diff --git a/lib/config/index.js b/lib/config/index.js
@@ -1,6 +1,7 @@
 
 'use strict'
 
+const crypto = require('crypto')
 const fs = require('fs')
 const path = require('path')
 const {merge} = require('lodash')
@@ -117,6 +118,14 @@ for (let i = keys.length; i--;) {
   }
 }
 
+// Generate session secret if it stays on default values
+if (config.sessionSecret === 'secret') {
+  logger.warn('Session secret not set. Using random generated one. Please set `sessionSecret` in your config.js file. All users will be logged out.')
+  config.sessionSecret = crypto.randomBytes(Math.ceil(config.sessionSecretLen / 2)) // generate crypto graphic random number
+        .toString('hex')                                                            // convert to hexadecimal format
+        .slice(0, config.sessionSecretLen)                                           // return required number of characters
+}
+
 // Validate upload upload providers
 if (['filesystem', 's3', 'minio', 'imgur'].indexOf(config.imageUploadType) === -1) {
   logger.error('"imageuploadtype" is not correctly set. Please use "filesystem", "s3", "minio" or "imgur". Defaulting to "imgur"')
