From 64781a2df715c5ba9f92000f7cad810342565dfa Mon Sep 17 00:00:00 2001
From: Oliver Facklam <oliver.facklam.lfgeb@gmail.com>
Date: Mon, 17 Dec 2018 01:18:46 +0100
Subject: [PATCH] =?UTF-8?q?Am=C3=A9lioration=20de=20l'auth?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

cf #25
---
 ldap_config.json | 3 +--
 src/app.ts | 12 +++++++++++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/ldap_config.json b/ldap_config.json
index 5171f95..1ca09a7 100644
--- a/ldap_config.json
+++ b/ldap_config.json
@@ -50,6 +50,5 @@
 "directory": "homeDirectory",
 "cleanFullName": "gecos",
 "classes": "objectClass"
- },
- "sessionSecret":"ozyNMHdT,WFTu|t"
+ }
 }
\ No newline at end of file
diff --git a/src/app.ts b/src/app.ts
index c1dcb15..757ba89 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -8,7 +8,7 @@
 * On peut considérer que les app.use (et app.get et app.post) sont pattern-matchés et
 * exécutés séquentiellement. http://expressjs.com/en/guide/using-middleware.html
 *
- * @author manifold, kadabra
+ * @author manifold, kadabra, ofacklam
 */
 import express from 'express';
 import bodyParser from 'body-parser';
@@ -85,11 +85,21 @@ app.use(favicon(path.resolve(__dirname, 'assets', 'favicon.ico')));
 * @todo [critical] configure express-session (session store and other options)
 * @todo choose a session secret and where to store it
 * https://www.npmjs.com/package/express-session
+ * Sur l'utilité des flags dans les cookies : https://www.information-security.fr/securite-sites-web-lutilite-flags-secure-httponly/
 */
 // load data from the session identified by the cookie (if one exists), into req.session
 // on ne manipulera pas req.session directement, on laisser toujours passport le faire pour nous
 app.use(expressSession({
 secret: "asdfjklkjfdsasdfjklkljfdsa",
+ resave: false, // 'resave: true' forces the session to be saved back to the session store (false OK if store implements touch())
+ rolling: false, // 'rolling: true' resets expiration at every response
+ saveUninitialized: true, // 'saveUninitialized: true' forces empty sessions to also be stored in a cookie
+ //store: ,// default is NOT good => @ofacklam est d'avis d'utiliser 'connect-session-knex', comme ca on peut le plug directement dans notre BDD.
+ cookie: {
+ maxAge: 3600000, // Une heure avant expiration du cookie (en millisecondes)
+ //secure: true, // Le cookie ne peut transiter qu'en HTTPS. ATTENTION : If you have your node.js behind a proxy and are using secure: true, you need to set "trust proxy" in express
+ httpOnly: true
+ }
 }));
 app.use(passport.initialize());
 //passport.session(): load the user object onto req.user if a serialised user object was found in the req.session
-- 
GitLab
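Review bot: `saveUninitialized: true` makes express-session persist a session and send a session cookie for every request that never writes to req.session, including every unauthenticated hit; the express-session documentation recommends `false` for new code, it keeps the store (and the connect-session-knex table proposed in the `//store:` comment) from filling with empty anonymous sessions, and it avoids handing out a cookie before the user has logged in. The inline comment is also slightly off, since the option saves the empty session in the store and sets the session-id cookie rather than storing the session in the cookie, so I would change the line to `saveUninitialized: false, // do not create/store a session (or set a cookie) until something is written to req.session`. The cookie block sets `httpOnly` but not `sameSite`; if the installed express-session version accepts `cookie.sameSite`, adding `sameSite: 'lax'` next to `httpOnly: true` keeps cross-site requests from carrying the session cookie. The `secret` on the context line is still the hard-coded literal that the @todo above flags, and the value this same commit removes from ldap_config.json remains in repository history, so whichever value eventually replaces it should be freshly generated and read from the environment rather than reused from either location.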