diff --git a/config/config.js b/config/config.js index c129edfa3c..6e9ea81662 100644 --- a/config/config.js +++ b/config/config.js @@ -87,6 +87,28 @@ var validateSecureMode = function (config) { } }; +/** + * Validate Session Secret parameter is not set to default in production + */ +var validateSessionSecret = function (config, testing) { + + if (process.env.NODE_ENV !== 'production') { + return true; + } + + if (config.sessionSecret === 'MEAN') { + if (!testing) { + console.log(chalk.red('+ WARNING: It is strongly recommended that you change sessionSecret config while running in production!')); + console.log(chalk.red(' Please add `sessionSecret: process.env.SESSION_SECRET || \'super amazing secret\'` to ')); + console.log(chalk.red(' `config/env/production.js` or `config/env/local.js`')); + console.log(); + } + return false; + } else { + return true; + } +}; + /** * Initialize global configuration files */ @@ -169,7 +191,7 @@ var initGlobalConfig = function () { // production or development environment. If test environment is used we don't merge it with local.js // to avoid running test suites on a prod/dev environment (which delete records and make modifications) if (process.env.NODE_ENV !== 'test') { - config = _.merge(config, (fs.existsSync(path.join(process.cwd(), 'config/env/local.js')) && require(path.join(process.cwd(), 'config/env/local.js'))) || {}); + config = _.merge(config, (fs.existsSync(path.join(process.cwd(), 'config/env/local.js')) && require(path.join(process.cwd(), 'config/env/local.js'))) || {}); } // Initialize global globbed files @@ -181,9 +203,13 @@ var initGlobalConfig = function () { // Validate Secure SSL mode can be used validateSecureMode(config); + // Validate session secret + validateSessionSecret(config); + // Expose configuration utilities config.utils = { - getGlobbedPaths: getGlobbedPaths + getGlobbedPaths: getGlobbedPaths, + validateSessionSecret: validateSessionSecret }; return config; 
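Review bot: validateSessionSecret rejects only the exact literal `'MEAN'`, so the placeholder this same commit adds to config/env/local.example.js (`'youshouldchangethistosomethingsecret'`) passes the production check once the example is copied to local.js, and so do an empty string or an undefined sessionSecret. The warning text also tells operators to write `sessionSecret: process.env.SESSION_SECRET || 'super amazing secret'` into production.js, which reinstates a hard-coded fallback; for production the advice should be `sessionSecret: process.env.SESSION_SECRET` with no literal, so a missing variable fails loudly instead of silently signing session cookies with a published value. A minimal hardening is to compare against the known placeholders rather than one string, e.g. `var placeholders = ['MEAN', 'youshouldchangethistosomethingsecret'];` and `if (!config.sessionSecret || placeholders.indexOf(config.sessionSecret) !== -1) {` in place of the single equality. `chalk` is used here without a visible require; presumably it is already loaded at the top of config.js, which is outside this hunk — confirm.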
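Review bot: The return value of `validateSessionSecret(config);` in the last hunk is discarded, so a production start with the default secret prints a warning and then continues with a publicly known cookie-signing key. Since the validator already returns false for that case, the caller should act on it — `if (!validateSessionSecret(config) && process.env.NODE_ENV === 'production') { process.exit(1); }` — or, if a hard failure is not wanted, at least keep the result on the config so the server bootstrap can decide. initGlobalConfig starts before this hunk and the rest of its body is not visible here. Exposing the validator through config.utils only so the tests can reach it is fine, but deserves a one-line comment such as `// exposed for the configuration tests`.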
diff --git a/config/env/default.js b/config/env/default.js
index 267f519c6c..a3dfbdf11b 100644
--- a/config/env/default.js
+++ b/config/env/default.js
@@ -14,7 +14,7 @@ module.exports = {
 // session expiration is set by default to 24 hours
 maxAge: 24 * (60 * 60 * 1000),
 // httpOnly flag makes sure the cookie is only accessed
- // through the HTTP protocol and not JS/browser
+ // through the HTTP protocol and not JS/browser
 httpOnly: true,
 // secure cookie should be turned to true to provide additional
 // layer of security so that the cookie is set only when working
@@ -22,7 +22,7 @@ module.exports = {
 secure: false
 },
 // sessionSecret should be changed for security measures and concerns
- sessionSecret: 'MEAN',
+ sessionSecret: process.env.SESSION_SECRET || 'MEAN',
 // sessionKey is set to the generic sessionId key used by PHP applications
 // for obsecurity reasons
 sessionKey: 'sessionId',
diff --git a/config/env/local.example.js b/config/env/local.example.js
index 45aa8a611c..006b06f4ca 100644
--- a/config/env/local.example.js
+++ b/config/env/local.example.js
@@ -14,6 +14,7 @@ module.exports = {
 pass: ''
 }
 },
+ sessionSecret: process.env.SESSION_SECRET || 'youshouldchangethistosomethingsecret',
 facebook: {
 clientID: process.env.FACEBOOK_ID || 'APP_ID',
 clientSecret: process.env.FACEBOOK_SECRET || 'APP_SECRET',
diff --git a/modules/core/tests/server/core.server.config.tests.js b/modules/core/tests/server/core.server.config.tests.js
index 64ad6ccb46..dfccdc68a3 100644
--- a/modules/core/tests/server/core.server.config.tests.js
+++ b/modules/core/tests/server/core.server.config.tests.js
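Review bot: The comment above the changed `sessionSecret` line still says only that the value "should be changed for security measures and concerns" and never says what it protects; now that the line reads from the environment, that comment is the place to say so. Suggest `// sessionSecret signs the session cookie: anyone who knows it can forge sessions, so production must set SESSION_SECRET; 'MEAN' is a development-only fallback`. Note that with `||` an empty SESSION_SECRET also falls back to `'MEAN'`, which validateSessionSecret in config/config.js (same commit) then flags; that is the intended behaviour, but worth a word in the comment so nobody "fixes" it later. The `secure: false` context line just above belongs to the same cookie block and is untouched here.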
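Review bot: The placeholder `'youshouldchangethistosomethingsecret'` added to local.example.js is not a value validateSessionSecret (config/config.js, same commit) rejects — it compares only against `'MEAN'` — so a local.js copied verbatim from this example passes the production check while using a secret that is committed to the public repository. Either add this string to the validator's rejected values, or drop the literal fallback in the example, `sessionSecret: process.env.SESSION_SECRET,`, so that when the variable is unset the flagged default.js value applies instead (lodash merge appears to skip undefined source values, so the default should survive — confirm against the lodash version in use).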
@@ -10,10 +10,10 @@ var should = require('should'),
 config = require(path.resolve('./config/config')),
 seed = require(path.resolve('./config/lib/seed'));
-describe('Configuration tests', function () {
+describe('Configuration Tests:', function () {
 this.timeout(10000);
- describe('Testing default seedDB:', function () {
+ describe('Testing default seedDB', function () {
 before(function(done) {
 User.remove(function(err) {
 should.not.exist(err);
@@ -118,7 +118,43 @@ describe('Configuration tests', function () {
 });
 });
 });
- });
+ describe('Testing Session Secret Configuration', function () {
+ it('should warn if using default session secret when running in production', function (done) {
+ var conf = { sessionSecret: 'MEAN' };
+ // set env to production for this test
+ process.env.NODE_ENV = 'production';
+ config.utils.validateSessionSecret(conf, true).should.equal(false);
+ // set env back to test
+ process.env.NODE_ENV = 'test';
+ done();
+ });
+
+ it('should accept non-default session secret when running in production', function (done) {
+ var conf = { sessionSecret: 'super amazing secret' };
+ // set env to production for this test
+ process.env.NODE_ENV = 'production';
+ config.utils.validateSessionSecret(conf, true).should.equal(true);
+ // set env back to test
+ process.env.NODE_ENV = 'test';
+ done();
+ });
+
+ it('should accept default session secret when running in development', function (done) {
+ var conf = { sessionSecret: 'MEAN' };
+ // set env to development for this test
+ process.env.NODE_ENV = 'development';
+ config.utils.validateSessionSecret(conf, true).should.equal(true);
+ // set env back to test
+ process.env.NODE_ENV = 'test';
+ done();
+ });
+
+ it('should accept default session secret when running in test', function (done) {
+ var conf = { sessionSecret: 'MEAN' };
+ config.utils.validateSessionSecret(conf, true).should.equal(true);
+ done();
+ });
+ });
 });
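Review bot: Each new test in the second hunk sets `process.env.NODE_ENV = 'production'` and restores it a few lines later, but `should.equal` throws on failure, so a failing assertion skips the restore and leaves NODE_ENV at 'production' for every test mocha runs afterwards, which would make unrelated failures hard to diagnose. Move the restore into a hook on the 'Testing Session Secret Configuration' describe, `afterEach(function () { process.env.NODE_ENV = 'test'; });`, and delete the inline resets. The `done` callbacks are unnecessary since nothing in these tests is asynchronous; plain synchronous `function ()` bodies read more directly. A case for an empty or undefined `sessionSecret` in production would also be worth adding, since the validator as written accepts both.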