From 38b86d75a93cf96fecb04339930a3829e09c9e24 Mon Sep 17 00:00:00 2001 From: Brian Dombrowski Date: Thu, 16 Jun 2022 15:42:32 -0500 Subject: [PATCH 1/4] authentication.js: Add cookie set error handling Adds error handling for cookie set so that meaningful errors bubble if the cookie options are invalid --- .../lib/routes/authentication.js | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/packages/node_modules/express-pouchdb/lib/routes/authentication.js b/packages/node_modules/express-pouchdb/lib/routes/authentication.js index b0a1cc11..44260844 100644 --- a/packages/node_modules/express-pouchdb/lib/routes/authentication.js +++ b/packages/node_modules/express-pouchdb/lib/routes/authentication.js @@ -8,6 +8,8 @@ var cookieParser = require('cookie-parser'), var SECTION = 'couch_httpd_auth'; +class CookieError extends Error {} + module.exports = function (app) { var usersDBPromise, refreshUsersDBImpl; @@ -91,9 +93,12 @@ module.exports = function (app) { app.use(function (req, res, next) { // TODO: TIMING ATTACK - Promise.resolve().then(function () { + return Promise.resolve().then(function () { return buildCookieSession(req, res); - }).catch(function () { + }).catch(function (e) { + if (e instanceof CookieError) { + throw e; + } return buildBasicAuthSession(req); }).then(function (result) { req.couchSession = result; @@ -117,13 +122,17 @@ module.exports = function (app) { if (app.couchConfig.get(SECTION, 'allow_persistent_cookies') === true) { cookieOptions['maxAge'] = app.couchConfig.get(SECTION, 'timeout'); } - res.cookie('AuthSession', session.sessionID, cookieOptions); + try { + res.cookie('AuthSession', session.sessionID, cookieOptions); + } catch (e) { + throw Object.assign(new CookieError(), e, { message: `Cookie Set Error: ${e.message}` }); + } delete session.sessionID; session.info.authenticated = 'cookie'; logSuccess('cookie', session); } return session; - }); + }) } function logSuccess(type, session) { 
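Review bot: A `CookieError` rethrown from the new `.catch` has no visible handler in this hunk, so unless the chain continues into a `.catch(next)` past the hunk the rejection is unhandled and the request never reaches `next()` — it hangs instead of producing the meaningful error the commit description promises. The `return` added in front of `Promise.resolve()` does not help: Express ignores a middleware's return value, so it neither propagates the rejection nor calls `next`. End the chain with `.catch(next)` so the error handler receives it, and drop the `return`. The same `return` is removed again in PATCH 2/4 and re-added in PATCH 4/4, so settling it once here avoids the churn. The enclosing `app.use` callback continues past the hunk.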
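Review bot: `Object.assign(new CookieError(), e, {...})` in the new `catch` copies only enumerable own properties, and an Error's `message` and `stack` are normally non-enumerable, so the original stack and most of the original error are discarded and only the overridden message survives. A plain construction keeps the original available for logging: `throw new CookieError('Cookie Set Error: ' + e.message, { cause: e });` (the `cause` option needs Node 16.9+; on older runtimes assign `err.cause = e` after construction). A one-line comment should also say what this guards against: `res.cookie()` throws when the serialized options are invalid (for example a non-finite `maxAge`), so the error means server misconfiguration rather than a bad request and should surface as such. `buildCookieSession` starts before this hunk.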
From 56476cd238f7d50f996abd0f0f2ae93ed7e039ab Mon Sep 17 00:00:00 2001 From: Brian Dombrowski Date: Thu, 16 Jun 2022 15:46:45 -0500 Subject: [PATCH 2/4] Update authentication.js --- .../express-pouchdb/lib/routes/authentication.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/node_modules/express-pouchdb/lib/routes/authentication.js b/packages/node_modules/express-pouchdb/lib/routes/authentication.js index 44260844..322e8d8e 100644 --- a/packages/node_modules/express-pouchdb/lib/routes/authentication.js +++ b/packages/node_modules/express-pouchdb/lib/routes/authentication.js @@ -8,6 +8,7 @@ var cookieParser = require('cookie-parser'), var SECTION = 'couch_httpd_auth'; +// Custom class to easily identify when a cookie error class CookieError extends Error {} module.exports = function (app) { @@ -93,7 +94,7 @@ module.exports = function (app) { app.use(function (req, res, next) { // TODO: TIMING ATTACK - return Promise.resolve().then(function () { + Promise.resolve().then(function () { return buildCookieSession(req, res); }).catch(function (e) { if (e instanceof CookieError) { @@ -132,7 +133,7 @@ module.exports = function (app) { logSuccess('cookie', session); } return session; - }) + }); } function logSuccess(type, session) { From 9b0060f90a806029e1fe642496cf62f19d38fbad Mon Sep 17 00:00:00 2001 From: Brian Dombrowski Date: Thu, 16 Jun 2022 15:57:57 -0500 Subject: [PATCH 3/4] Update authentication.js --- .../node_modules/express-pouchdb/lib/routes/authentication.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/node_modules/express-pouchdb/lib/routes/authentication.js b/packages/node_modules/express-pouchdb/lib/routes/authentication.js index 322e8d8e..28286ad8 100644 --- a/packages/node_modules/express-pouchdb/lib/routes/authentication.js +++ b/packages/node_modules/express-pouchdb/lib/routes/authentication.js 
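Review bot: The comment added above `class CookieError` is a sentence fragment ("to easily identify when a cookie error") and does not say where the error originates or what the catcher does with it. Suggest `// Thrown by buildCookieSession when res.cookie() rejects the cookie options; the session middleware rethrows it instead of falling back to basic auth.` so a reader knows it signals misconfiguration rather than a client failure. PATCH 4/4 later deletes this comment entirely, leaving the class undocumented; the replacement wording should survive there too.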
@@ -9,7 +9,9 @@ var cookieParser = require('cookie-parser'), var SECTION = 'couch_httpd_auth'; // Custom class to easily identify when a cookie error -class CookieError extends Error {} +class CookieError extends Error { + name: "CookieError"; +} module.exports = function (app) { var usersDBPromise, refreshUsersDBImpl; From 66353980826309c1b868c87f77e927ccb499078d Mon Sep 17 00:00:00 2001 From: Brian Dombrowski Date: Thu, 16 Jun 2022 16:41:28 -0500 Subject: [PATCH 4/4] Update authentication.js --- .../express-pouchdb/lib/routes/authentication.js | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/packages/node_modules/express-pouchdb/lib/routes/authentication.js b/packages/node_modules/express-pouchdb/lib/routes/authentication.js index 28286ad8..12f53714 100644 --- a/packages/node_modules/express-pouchdb/lib/routes/authentication.js +++ b/packages/node_modules/express-pouchdb/lib/routes/authentication.js @@ -8,9 +8,10 @@ var cookieParser = require('cookie-parser'), var SECTION = 'couch_httpd_auth'; -// Custom class to easily identify when a cookie error +var maxAgeLimit = new Date('3000-01-01').getTime(); + class CookieError extends Error { - name: "CookieError"; + name = 'CookieError'; } module.exports = function (app) { @@ -96,7 +97,7 @@ module.exports = function (app) { app.use(function (req, res, next) { // TODO: TIMING ATTACK - Promise.resolve().then(function () { + return Promise.resolve().then(function () { return buildCookieSession(req, res); }).catch(function (e) { if (e instanceof CookieError) { @@ -123,7 +124,7 @@ module.exports = function (app) { if (session.info.authenticated) { var cookieOptions = {httpOnly: true}; if (app.couchConfig.get(SECTION, 'allow_persistent_cookies') === true) { - cookieOptions['maxAge'] = app.couchConfig.get(SECTION, 'timeout'); + cookieOptions['maxAge'] = Math.min(app.couchConfig.get(SECTION, 'timeout'), maxAgeLimit); } try { res.cookie('AuthSession', session.sessionID, cookieOptions); 
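Review bot: `name: "CookieError";` inside the class body is a TypeScript-style annotation, not JavaScript — at this commit the module is a syntax error, `require` of the routes file fails, and every authenticated request breaks until PATCH 4/4 rewrites it as `name = 'CookieError';`. Squashing this commit into the next keeps the series bisectable. If the supported Node range predates public class fields, `this.name = 'CookieError';` in a constructor that calls `super(message)` is the portable form.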
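Review bot: `maxAgeLimit` holds an absolute epoch timestamp (`new Date('3000-01-01').getTime()`), but the third hunk of this patch uses it to cap `maxAge`, which is a duration in milliseconds relative to now; the two are different quantities, and the cap only works because "now plus roughly a thousand years" still falls inside the range a `Date` can represent. The intent appears to be keeping `res.cookie()` from throwing on an `expires` it cannot represent (inferred; the comment that documented the earlier code is removed in this hunk). Declare it as a duration and say why, e.g. `// Upper bound on cookie maxAge (ms) so Date.now() + maxAge stays a representable Date` above a constant expressed in milliseconds. The `name = 'CookieError'` class field also needs a runtime with public class fields (Node 12+); if older Node is supported, set `this.name` in a constructor instead.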
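Review bot: `Math.min(timeout, maxAgeLimit)` silently truncates an out-of-range `timeout` instead of reporting it, which works against the stated goal of this series — surfacing invalid cookie options — and it evaluates to `NaN` when the config value is missing or non-numeric, which then makes `res.cookie()` throw anyway. Validating once with `Number.isFinite(timeout)` and throwing a `CookieError` that names the offending option keeps misconfiguration visible rather than hidden. While this line is being touched: Express interprets `maxAge` in milliseconds, whereas CouchDB's `couch_httpd_auth.timeout` is specified in seconds; if this project follows the CouchDB meaning the cookie expires a thousand times too early, so the unit should be stated in a comment or the value scaled. `buildCookieSession` begins before this hunk.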
@@ -135,7 +136,7 @@ module.exports = function (app) { logSuccess('cookie', session); } return session; - }); + }) } function logSuccess(type, session) {
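Review bot: The semicolon after `})` is dropped again on the new line, reverting the fix PATCH 2/4 made to the same line; the surrounding code terminates statements with `;` (`delete session.sessionID;`, `return session;`), so keep `});`. Flip-flopping a one-character style change across four patches is another reason to squash the series before merge.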