From 97956856ca537773550b8f58c13ab7137c1b280c Mon Sep 17 00:00:00 2001
From: Brian Gough
Date: Wed, 12 Jun 2024 09:12:50 +0100
Subject: [PATCH] Merge pull request #18741 from overleaf/bg-cookie-session-test-rotation-support
test session key rotation in cookie-session module
GitOrigin-RevId: 57486b3df527a9998da3b93981c9d45f510802b8
---
 package-lock.json | 14 +++++++-----
 services/web/package.json | 3 ++-
 .../web/test/acceptance/src/helpers/User.js | 22 ++++++++++++-------
 3 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 98e6d9996e..1e24ccc96d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -17844,9 +17844,9 @@
 "integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw="
 },
 "node_modules/cookie-signature": {
- "version": "1.1.0",
- "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.1.0.tgz",
- "integrity": "sha512-Alvs19Vgq07eunykd3Xy2jF0/qSNv2u7KDbAek9H5liV1UMijbqFs5cycZvv5dVsvseT/U4H8/7/w8Koh35C4A==",
+ "version": "1.2.1",
+ "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.1.tgz",
+ "integrity": "sha512-78KWk9T26NhzXtuL26cIJ8/qNHANyJ/ZYrmEXFzUmhZdjpBv+DlWlOANRTGBt48YcyslsLrj0bMLFTmXvLRCOw==",
 "dev": true,
 "engines": {
 "node": ">=6.6.0"
@@ -44508,6 +44508,7 @@
 "chartjs-plugin-datalabels": "^2.2.0",
 "cheerio": "^1.0.0-rc.3",
 "classnames": "^2.2.6",
+ "cookie-signature": "^1.2.1",
 "copy-webpack-plugin": "^11.0.0",
 "crypto-js": "^4.2.0",
 "css-loader": "^6.8.1",
@@ -52905,6 +52906,7 @@
 "contentful": "^10.8.5",
 "cookie": "^0.2.3",
 "cookie-parser": "1.4.6",
+ "cookie-signature": "^1.2.1",
 "copy-webpack-plugin": "^11.0.0",
 "core-js": "^3.30.2",
 "crc-32": "^1.2.2",
@@ -61323,9 +61325,9 @@
 }
 },
 "cookie-signature": {
- "version": "1.1.0",
- "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.1.0.tgz",
- "integrity": "sha512-Alvs19Vgq07eunykd3Xy2jF0/qSNv2u7KDbAek9H5liV1UMijbqFs5cycZvv5dVsvseT/U4H8/7/w8Koh35C4A==",
+ "version": "1.2.1",
+ "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.1.tgz",
+ "integrity": "sha512-78KWk9T26NhzXtuL26cIJ8/qNHANyJ/ZYrmEXFzUmhZdjpBv+DlWlOANRTGBt48YcyslsLrj0bMLFTmXvLRCOw==",
 "dev": true
 },
 "cookiejar": {
diff --git a/services/web/package.json b/services/web/package.json
index 370813151d..a87930662b 100644
--- a/services/web/package.json
+++ b/services/web/package.json
@@ -276,6 +276,7 @@
 "chartjs-plugin-datalabels": "^2.2.0",
 "cheerio": "^1.0.0-rc.3",
 "classnames": "^2.2.6",
+ "cookie-signature": "^1.2.1",
 "copy-webpack-plugin": "^11.0.0",
 "crypto-js": "^4.2.0",
 "css-loader": "^6.8.1",
@@ -341,9 +342,9 @@
 "requirejs": "^2.3.6",
 "resolve-url-loader": "^5.0.0",
 "samlp": "^7.0.2",
+ "sandboxed-module": "overleaf/node-sandboxed-module#cafa2d60f17ce75cc023e6f296eb8de79d92d35d",
 "sass": "^1.77.1",
 "sass-loader": "^14.2.1",
- "sandboxed-module": "overleaf/node-sandboxed-module#cafa2d60f17ce75cc023e6f296eb8de79d92d35d",
 "scroll-into-view-if-needed": "^2.2.25",
 "sinon": "^7.5.0",
 "sinon-chai": "^3.7.0",
diff --git a/services/web/test/acceptance/src/helpers/User.js b/services/web/test/acceptance/src/helpers/User.js
index f90c40df88..42ceeaf188 100644
--- a/services/web/test/acceptance/src/helpers/User.js
+++ b/services/web/test/acceptance/src/helpers/User.js
@@ -10,6 +10,8 @@ const fs = require('fs')
 const Path = require('path')
 const { Cookie } = require('tough-cookie')
 const COOKIE_DOMAIN = settings.cookieDomain
+// The cookie domain has a leading '.' but the cookie jar stores it without.
+const DEFAULT_COOKIE_URL = `https://${COOKIE_DOMAIN.replace(/^\./, '')}/`
 let count = settings.test.counterInit
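Review bot: `DEFAULT_COOKIE_URL` in the `@@ -10,6 +10,8 @@` hunk of User.js is built when the module is loaded, so `COOKIE_DOMAIN.replace(...)` now runs at require time instead of inside `sessionCookie()` as the removed code did. If `settings.cookieDomain` is unset in some test configuration (not visible here), every suite that requires this helper would fail with a TypeError rather than only the tests that read the cookie. A guard before the constant would make that failure explicit: `if (!COOKIE_DOMAIN) throw new Error('settings.cookieDomain must be set for acceptance tests')`.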
@@ -196,19 +198,23 @@ class User {
 /* Return the session cookie, url decoded. Use the option {raw:true} to get the original undecoded value */
 sessionCookie(options) {
- const cookie = Cookie.parse(
- this.jar.getCookieString(
- // The cookie domain has a leading '.' but
- // the cookie jar stores it without.
- 'https://' + COOKIE_DOMAIN.replace(/^\./, '') + '/'
- )
- )
+ const cookie = Cookie.parse(this.jar.getCookieString(DEFAULT_COOKIE_URL))
 if (cookie?.value && !options?.raw) {
 cookie.value = decodeURIComponent(cookie.value)
 }
 return cookie
 }
+ /* Set the session cookie from a string and store it in the cookie jar, so that it will be used
+ for subsequent requests. */
+
+ setSessionCookie(cookie) {
+ const sessionCookie = request.cookie(
+ `${settings.cookieName}=${cookie}; Domain=${COOKIE_DOMAIN}; Max-age=3600; Path=/; SameSite=Lax`
+ )
+ this.jar.setCookie(sessionCookie, DEFAULT_COOKIE_URL)
+ }
+
 getEmailConfirmationCode(callback) {
 this.getSession((err, session) => {
 if (err != null) {
@@ -1247,7 +1253,7 @@ class User {
 }
 User.promises = promisifyClass(User, {
- without: ['setExtraAttributes', 'sessionCookie'],
+ without: ['setExtraAttributes', 'sessionCookie', 'setSessionCookie'],
 })
 User.promises.prototype.doRequest = async function (method, params) {
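Review bot: `setSessionCookie` in the `@@ -196,19 +198,23 @@` hunk interpolates `cookie` into the Set-Cookie string unchanged, while `sessionCookie()` just above URL-decodes the value unless `{ raw: true }` is passed. A value read with the getter and handed back to the setter is therefore not guaranteed to round-trip, and a value containing `;` would be parsed as extra attributes. The comment should state the expected form, e.g. `/* ... The value is written unchanged: pass the raw (URL-encoded) form, such as sessionCookie({ raw: true }).value. */`. It would also help to check the parse result before storing it, `if (!sessionCookie) throw new Error('invalid session cookie string')`, so that a key-rotation test cannot continue with a cookie that was never stored; whether `request.cookie` can return an empty result here is not visible in the hunk.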