Merge pull request #265 from adamocarolli/feature/261

Feature/261

README.md

@@ -409,9 +409,8 @@ app.set('https', false) // listen for https instead of http
 app.set('https options', {}) // any options to pass to the https server app.set('https', true). Supports options from https://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener
 app.set('session key', 'ravel.sid'); // the cookie name to use for sessions
 app.set('session max age', null); // session maxAge (default never expires)
-app.set('session rolling', false); // Force a session identifier cookie to be set on every response.
-                                   // The expiration is reset to the original maxAge, resetting the expiration
-                                   // countdown.
+app.set('session secure', true); // toggles Secure attribute for session cookies. true by default, and always true when app.get('https') is true.
+app.set('session rolling', false); // force a session identifier cookie to be set on every response. The expiration is reset to the original maxAge, resetting the expiration countdown.
 app.set('app route', '/'); // if you have a UI, this is the path users will be sent to when they are logged in
 app.set('login route', '/login'); // if users aren't logged in and you redirect them, this is where they'll be sent
 app.set('public directory', undefined); // if you want to statically serve a directory

jest/core/params.test.js

@@ -117,6 +117,7 @@ describe('Ravel', () => {
         'keygrip keys': ['123abc'],
         'session key': 'ravel.sid',
         'session max age': null,
+        'session secure': true,
         'session rolling': false,
         'log level': 'NONE' // not a default, but we've set this in beforeEach
       };

jest/integration/ravel-authentication.test.js

@@ -11,6 +11,7 @@ describe('Authentication Integration Test', () => {
     app = new Ravel();
     app.set('log level', app.$log.NONE);
     app.set('keygrip keys', ['mysecret']);
+    app.set('session secure', false);
   });
 
   describe('Simulated Local Auth Provider', () => {

jest/integration/ravel.test.js

@@ -21,6 +21,44 @@ describe('Ravel end-to-end test', () => {
       });
     });
 
+    describe('session option parameters', () => {
+      let app;
+
+      beforeEach(async () => {
+        const Ravel = require('../../lib/ravel');
+        const mapping = Ravel.Routes.mapping;
+        @Ravel.Routes('/')
+        class TestRoutes {
+          @mapping(Ravel.Routes.GET, '/session-options')
+          sessionOptionsHandler (ctx) {
+            return Promise.resolve().then(() => {
+              ctx.body = ctx.sessionOptions;
+              ctx.status = 200;
+            });
+          }
+        }
+        app = new Ravel();
+        app.load(TestRoutes);
+      });
+
+      it('should set session to insecure when session security set to false', async () => {
+        app.set('session secure', false);
+        await app.init();
+        const res = await request(app.callback).get('/session-options');
+        expect(res.status).toBe(200);
+        expect(res.body).toEqual(expect.objectContaining({secure: false}));
+      });
+
+      it('should not set session to insecure when using https', async () => {
+        app.set('session secure', false);
+        app.set('https', true);
+        await app.init();
+        const res = await request(app.callback).get('/session-options');
+        expect(res.status).toBe(200);
+        expect(res.body).toEqual(expect.not.objectContaining({secure: false}));
+      });
+    });
+
     describe('basic application server consisting of a module and a resource', () => {
       beforeEach(async () => {
         const Ravel = require('../../lib/ravel');

lib/ravel.js

@@ -97,6 +97,7 @@ class Ravel extends AsyncEventEmitter {
     // session parameters
     this.registerParameter('session key', true, 'ravel.sid');
     this.registerParameter('session max age', true, null);
+    this.registerParameter('session secure', true, true);
     this.registerParameter('session rolling', true, false);
     // Passport parameters
     this.registerParameter('app route', false, '/');
@@ -258,17 +259,27 @@ class Ravel extends AsyncEventEmitter {
     this[sKeygripKeys] = [...this.get('keygrip keys')];
     this[sKeygrip] = require('keygrip')(this[sKeygripKeys], 'sha256', 'base64');
     app.keys = this[sKeygrip];
-    app.use(session({
+
+    // configure session options
+    if (!this.get('https') && !this.get('session secure')) {
+      this.$log.warn("app.set('session secure', false) results in insecure sessions" +
+                     ' over HTTP and introduces critical security vulnerabilities.' +
+                     ' This is intended for development purposes only, or for use' +
+                     ' behind a TLS termination proxy.');
+    }
+    const sessionOptions = {
       store: new (require('./util/redis_session_store'))(this),
       key: this.get('session key'),
       maxAge: Number(this.get('session max age')),
       overwrite: true, /* (boolean) can overwrite or not (default true) */
       httpOnly: true, /* (boolean) httpOnly or not (default true) */
       signed: true, /* (boolean) signed or not (default true) */
+      secure: this.get('https') || this.get('session secure'), /* (boolean) secure or not (default true) */
       rolling: this.get('session rolling') /* (boolean) Force a session identifier cookie to be set on every response.
                          The expiration is reset to the original maxAge, resetting the expiration
                          countdown. default is false */
-    }, app));
+    };
+    app.use(session(sessionOptions, app));
 
     // favicon
     if (this.get('favicon path')) {