diff --git a/config.js b/config.js
index 764615e..c439d22 100644
--- a/config.js
+++ b/config.js
@@ -53,22 +53,6 @@ exports.creds = {
 // Required to set to true if the `verify` function has 'req' as the first parameter
 passReqToCallback: false,
- // Recommended to set to true. By default we save state in express session, if this option is set to true, then
- // we encrypt state and save it in cookie instead. This option together with { session: false } allows your app
- // to be completely express session free.
- useCookieInsteadOfSession: true,
-
- // Required if `useCookieInsteadOfSession` is set to true. You can provide multiple set of key/iv pairs for key
- // rollover purpose. We always use the first set of key/iv pair to encrypt cookie, but we will try every set of
- // key/iv pair to decrypt cookie. Key can be any string of length 32, and iv can be any string of length 12.
- // Example: openssl rand -base64 12 && openssl rand -base64 32
- cookieEncryptionKeys: [
- {
- 'key': process.env.NODE_ENV == "development" ? "TfGVn2Sn3WjFk3GNzvIvOw8aXh16NqFC" : process.env.COOKIE_KEY, // len 32
- 'iv': process.env.NODE_ENV == "development" ? "C1fRcgVZs1K7" : process.env.COOKIE_IV // len 12
- },
- ],
-
 // The additional scopes we want besides 'openid'.
 // 'profile' scope is required, the rest scopes are optional.
 // (1) if you want to receive refresh_token, use 'offline_access' scope
@@ -79,7 +63,7 @@ exports.creds = {
 loggingLevel: 'error',
 // Optional. The lifetime of nonce in session or cookie, the default value is 3600 (seconds).
- nonceLifetime: null,
+ nonceLifetime: 3600,
 // Optional. The max amount of nonce saved in session or cookie, the default value is 10.
 nonceMaxAmount: 5,
diff --git a/index.js b/index.js
index 808cab0..604193c 100644
--- a/index.js
+++ b/index.js
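Review bot: With `useCookieInsteadOfSession` and `cookieEncryptionKeys` removed, the OIDC state and nonce fall back to the express session, as the removed comment itself described, but nothing in the remaining config records that; a one-line comment in their place would help, e.g. `// State and nonce are kept in the express session (see the session() setup in index.js); no cookie encryption keys are needed.` The literal key and IV that the removed block used under `NODE_ENV == "development"` are now part of the repository history and should be treated as public, so they must not be reused as `COOKIE_KEY`/`COOKIE_IV` values in any environment. The `nonceLifetime: 3600` change in the second hunk only restates the documented default, which is fine.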
@@ -61,8 +61,6 @@ function getRandomURL() {
 const secret = process.env.COOKIE_KEY || "secret";
 app.use(session({
 secret: secret,
- resave: false,
- saveUninitialized: true,
 }));
 //-----------------------------------------------------------------------------
@@ -264,7 +262,6 @@ app.get('/login',
 resourceURL: config.resourceURL, // optional. Provide a value if you want to specify the resource.
 customState: 'my_state', // optional. Provide a value if you want to provide custom state value.
 failureRedirect: '/error',
- useCookieInsteadOfSession: true,
 domain_hint: config.branding.domainHint
 }
 )(req, res, next);
@@ -314,9 +311,10 @@ app.post('/auth/openid/return',
 // 'logout' route, logout from passport, and destroy the session with AAD.
 app.get('/logout', function(req, res){
- res.clearCookie('connect.sid');
- res.clearCookie('session');
- res.clearCookie('session.sig');
+ res.clearCookie('connect.sid', {path:'/'});
+ res.clearCookie('session', {path:'/'});
+ res.clearCookie('session.sig', {path:'/'});
+ req.session=null;
 res.redirect('/');
 });
@@ -343,7 +341,12 @@ app.use(async (req, res, next) => {
 // begin business logic
 app.get('/', async function (req, res) {
+ if (req.isAuthenticated()) { return res.redirect('/create') }
+ res.clearCookie('connect.sid', {path:'/'});
+ res.clearCookie('session', {path:'/'});
+ res.clearCookie('session.sig', {path:'/'});
+
 res.render('home.html', {partials, productName: config.branding.title, logoPath: config.branding.logoPath, copyrightOwner: config.branding.copyrightOwner, statusURL: config.branding.statusURL, orgHome: config.branding.orgHome,loginProvider: config.branding.loginProvider});
 return
 })
diff --git a/view/components/fullNavbar.html b/view/components/fullNavbar.html
index 9ec2722..00ef89c 100644
--- a/view/components/fullNavbar.html
+++ b/view/components/fullNavbar.html
@@ -17,12 +17,12 @@
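Review bot: `secret: process.env.COOKIE_KEY || "secret"` now signs the express session that, after the config change in this commit, also carries the OIDC state and nonce, so an unset `COOKIE_KEY` silently falls back to a guessable secret; fail fast instead with `if (!process.env.COOKIE_KEY) throw new Error('COOKIE_KEY must be set');` and `secret: process.env.COOKIE_KEY,`. Dropping `resave` and `saveUninitialized` also leaves express-session on its deprecated defaults (`resave` becomes `true`) and prints deprecation warnings at startup; keeping `resave: false, saveUninitialized: true,` explicit preserves the previous behaviour. The `app.use(session(...))` call is at module top level, so the `getRandomURL` name in the hunk header is only the nearest preceding function.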
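Review bot: `req.session=null` does not destroy the server-side session under express-session's default `unset: 'keep'` (the session setup hunk above does not set `unset`), and no `req.logout()` call is visible in this route either, so the store keeps the authenticated session until it expires while only the browser's cookie is cleared. Destroy the session explicitly and clear the cookies once that has completed; `req.logout()` should be added alongside, in its callback form if the installed passport version requires one. `'session'` and `'session.sig'` are cookie-session's default cookie names rather than express-session's, so those two `clearCookie` calls are presumably leftovers from an earlier setup and worth confirming before keeping.
```javascript
app.get('/logout', function(req, res){
    req.session.destroy(function (err) {
        if (err) { console.error('session destroy failed', err); }
        res.clearCookie('connect.sid', {path:'/'});
        res.clearCookie('session', {path:'/'});
        res.clearCookie('session.sig', {path:'/'});
        res.redirect('/');
    });
});
```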
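Review bot: Clearing `connect.sid` on every unauthenticated request to `/` discards the visitor's session cookie, and now that `useCookieInsteadOfSession` is removed the OIDC state and nonce are expected to live in that session, so a user who opens `/` while a login redirect is in flight (a second tab, a back navigation) presumably loses the state needed by `/auth/openid/return`. It also signs nobody out: the server-side session is untouched, so the cookie wipe adds no protection and belongs in `/logout`. Removing the three `res.clearCookie(...)` lines and keeping only the `req.isAuthenticated()` redirect restores the previous behaviour for anonymous visitors. Minor style: the new redirect line omits its semicolons, `if (req.isAuthenticated()) { return res.redirect('/create'); }`.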