From 7127e473b81c72944139bd2e5f621ec39a8f6ac7 Mon Sep 17 00:00:00 2001
From: Kevin Thomas
Date: Tue, 5 Apr 2022 21:27:45 -0700
Subject: [PATCH] Use random session secret instead of config one

---
 config/default.json | 1 -
 server/app.js | 4 +++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/config/default.json b/config/default.json
index 2651bcc..4516aee 100644
--- a/config/default.json
+++ b/config/default.json
@@ -4,7 +4,6 @@
 "sessionFileStorePath": "sessions",
 "sampleUploadPath": "samples",
 "maxSampleSize": 10737418240, // In bytes, 10GB by default
- "sessionSecret": "CHANGE_THIS",
 "logFile": "log/noisedash.log",
 "tls": false, // Keep this as false if using an external web server like nginx
 "tlsKey": "certs/key.pem",
diff --git a/server/app.js b/server/app.js
index 24e2751..81ec794 100644
--- a/server/app.js
+++ b/server/app.js
@@ -6,6 +6,7 @@ const path = require('path')
 const cookieParser = require('cookie-parser')
 const config = require('config')
 const history = require('connect-history-api-fallback')
+const crypto = require('crypto')
 const authRouter = require('./routes/auth')
 const usersRouter = require('./routes/users')
 const profilesRouter = require('./routes/profiles')
@@ -30,9 +31,10 @@ app.use('/samples', express.static(path.join(__dirname, '../', config.get('Serve
 app.use(history())
 app.use('/samples', express.static(path.join(__dirname, '../', config.get('Server.sampleUploadPath'))))
+const sessionSecret = crypto.randomBytes(64).toString('hex')
 app.use(session({
 store: new FileStore(fileStoreOptions),
- secret: config.get('Server.sessionSecret'),
+ secret: sessionSecret,
 resave: true,
 saveUninitialized: true
 }))
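Review bot: The secret on the new `const sessionSecret = crypto.randomBytes(64).toString('hex')` line in the server/app.js session hunk is regenerated on every process start, so each restart or deploy invalidates all existing signed session cookies, and if the app is ever run as more than one process (cluster, a process manager) each worker signs with a different secret even though they share the FileStore, so a session created on one worker fails to verify on another. Whether the app is run multi-process is not visible in this patch, so the second part is a risk to confirm rather than a known breakage. A secret supplied out-of-band keeps the benefit of dropping the `CHANGE_THIS` default while preserving sessions, e.g. `const sessionSecret = process.env.SESSION_SECRET || crypto.randomBytes(64).toString('hex')`, with a startup warning logged when the random fallback is used so it is not mistaken for a configured deployment. Either way the line deserves a comment such as `// Per-process secret: sessions do not survive restarts and are not shared between workers`.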