From 2c4d5fa38d1af02d6362d8a9414d2770b151de3c Mon Sep 17 00:00:00 2001
From: Rocco Musolino
Date: Thu, 11 Jan 2018 23:51:05 +0100
Subject: [PATCH] add express-session memorystore without leaks (#1435)

* add express-session memorystore without leaks
* Bump memorystore to v1.6.0
---
 package.json | 1 +
 red/api/auth/index.js | 19 ++++++++++++-------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/package.json b/package.json
index e7e7f95b8..281c73b84 100644
--- a/package.json
+++ b/package.json
@@ -47,6 +47,7 @@
 "json-stringify-safe":"5.0.1",
 "jsonata":"1.3.0",
 "media-typer": "0.3.0",
+ "memorystore": "1.6.0",
 "mqtt": "2.9.0",
 "multer": "1.3.0",
 "mustache": "2.3.0",
diff --git a/red/api/auth/index.js b/red/api/auth/index.js
index 05dd40706..787dbf604 100644
--- a/red/api/auth/index.js
+++ b/red/api/auth/index.js
@@ -150,14 +150,19 @@ module.exports = {
 login: login,
 revoke: revoke,
 genericStrategy: function(adminApp,strategy) {
- var session = require('express-session');
- var crypto = require("crypto");
+ var crypto = require("crypto")
+ var session = require('express-session')
+ var MemoryStore = require('memorystore')(session)
+
 adminApp.use(session({
- // As the session is only used across the life-span of an auth
- // hand-shake, we can use a instance specific random string
- secret: crypto.randomBytes(20).toString('hex'),
- resave: false,
- saveUninitialized:false
+ // As the session is only used across the life-span of an auth
+ // hand-shake, we can use a instance specific random string
+ secret: crypto.randomBytes(20).toString('hex'),
+ resave: false,
+ saveUninitialized: false,
+ store: new MemoryStore({
+ checkPeriod: 86400000 // prune expired entries every 24h
+ })
 }));
 //TODO: all passport references ought to be in ./auth
 adminApp.use(passport.initialize());
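Review bot: The new `store` options bound how often expired entries are swept but not how long a handshake session lives or how many may accumulate: no cookie `maxAge`, store `ttl` or `max` is set, so — going by memorystore's documented defaults, which I have not re-verified against 1.6.0 — every session an unauthenticated client creates at the login-start URL (assuming the passport strategy writes to the session during the handshake, as OAuth state handling usually does) stays resident for a day, and with `checkPeriod: 86400000` up to a day longer, which leaves a cheap memory-exhaustion vector despite the commit title. Since the comment on these same lines says the session only has to span one auth handshake, size it to that — e.g. add `cookie: { maxAge: 10 * 60 * 1000 }` to the session options and use `store: new MemoryStore({ checkPeriod: 10 * 60 * 1000, max: 1000 })`, choosing `max` to fit the expected number of concurrent logins. Separately, the three new `var … = require(…)` lines drop the trailing semicolons the surrounding code uses (`adminApp.use(...);` on the hunk's last line), so add them for consistency rather than relying on ASI. The enclosing genericStrategy function continues past the end of the hunk.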