I am setting up a new application and am using some boilerplate code to manage sessions and encrypt passwords. There is one particular function that I just can't figure out.
I've tried following the code but I am still unable to determine what is going on.
const cookieSession = require('cookie-session');
// `warnings` holds the message strings used below; the require path is assumed,
// since the boilerplate as posted does not show where it comes from.
const warnings = require('./warnings');

const serverSessionSecret = () => {
  if (!process.env.SERVER_SESSION_SECRET ||
      process.env.SERVER_SESSION_SECRET.length < 8 ||
      process.env.SERVER_SESSION_SECRET === warnings.exampleBadSecret) {
    // Warning if user doesn't have a good secret
    console.log(warnings.badSecret);
  }
  return process.env.SERVER_SESSION_SECRET;
};

module.exports = cookieSession({
  secret: serverSessionSecret() || 'secret', // please set this in your .env file
  key: 'user', // this is the name of the req.variable. 'user' is convention, but not required
  resave: 'false',
  saveUninitialized: false,
  cookie: { maxage: 60000, secure: false },
});
The function references a .env file, which I have not created. This explains why I always get a 'Bad Secret' console.log. It appears that the serverSessionSecret function is just testing if process.env.SERVER_SESSION_SECRET meets a minimum security requirement, but what is the purpose of this? What is the difference if I have a .env or not?
process.env is a way to access the environment variables where the script is executing. This allows you to inject different variables into your code, depending on where it's being run. Environment variables can either be exported to where the code is run (export newEnv=NewEnvVar for example), or exist in a .env file.
Look at comments for each line:
const serverSessionSecret = () => {
  if (!process.env.SERVER_SESSION_SECRET ||
      // Send warning if SERVER_SESSION_SECRET does NOT exist. Or...
      process.env.SERVER_SESSION_SECRET.length < 8 ||
      // Send warning if it is less than 8 characters. Or...
      process.env.SERVER_SESSION_SECRET === warnings.exampleBadSecret
      // Send warning if the secret matches a predefined bad example
  ) {
    // Warning if user doesn't have a good secret
    console.log(warnings.badSecret);
  }
  /* If none of the above conditions are met,
   * a console.log warning message does not get sent.
   */
  return process.env.SERVER_SESSION_SECRET;
  // This returns the secret, or undefined if it does not exist.
};
Then in your exports:
module.exports = cookieSession({
  secret: serverSessionSecret() || 'secret', // please set this in your .env file
  // secret will equal your 'process.env.SERVER_SESSION_SECRET' environment
  // variable, but if it is not defined, it will equal 'secret'
  key: 'user', // this is the name of the req.variable. 'user' is convention, but not required
  resave: 'false',
  saveUninitialized: false,
  cookie: { maxage: 60000, secure: false },
});
To summarize, serverSessionSecret() is only returning a string in this case: either secret, or what is set in your environment variables.
It looks like you are using this library: https://www.npmjs.com/package/cookie-session

In which case, when you are configuring the cookie session with a secret, their documentation shows:

secret: A string which will be used as single key if keys is not provided.

keys: The list of keys to use to sign & verify cookie values. Set cookies are always signed with keys[0], while the other keys are valid for verification, allowing for key rotation.

In your case, process.env.SERVER_SESSION_SECRET or secret is being used to sign & verify the cookie.