Merge branch 'hotfix/security-2' into 'gray'

Hotfix/security 2



See merge request !19

@@ -27,7 +27,7 @@ const favicon = require('serve-favicon');
 const _ = require('lodash');
 const fp = require('lodash/fp');
 
-const session = require('cookie-session');
+const session = require('client-sessions');
 const pkg = require('./package.json');
 const app = express();
 const helpers = global.yoho.helpers;
@@ -68,7 +68,8 @@ app.use(cookieParser());
 app.use(compression());
 
 app.use(session({
-    name: 'yohobuy_session_cookie',
+    requestKey: 'session',
+    cookieName: 'yohobuy_session_cookie',
     secret: '82dd7e724f2c6870472c89dfa43cf48d',
     domain: config.cookieDomain
 }));
@@ -77,6 +78,10 @@ app.use((req, res, next) => {
     req.user = {}; // 全局的用户数据
     req.yoho = {}; // req和res绑定yoho对象，用于传递全局数据, 如req.yoho.channel等
 
+    if (!req.session) {
+        req.session = {};
+    }
+
     next();
 });
 

@@ -25,7 +25,7 @@ const index = (req, res, next) => {
     });
 
     // 清除 session
-    req.session = null;
+    req.session.reset();
 
     service.indexPageDataAsync()
         .then(result => {

@@ -117,7 +117,7 @@ const local = {
             domain: config.cookieDomain
         });
 
-        req.session = null;
+        req.session.reset();
 
         let bindMobile = _.trim(req.query.bindMobile || '');
         let bindArea = '+' + _.trim(req.query.bindArea || '86');
@@ -206,7 +206,7 @@ const local = {
         })(req, res, next);
     },
     logout: (req, res) => {
-        req.session = null;
+        req.session.reset();
 
         res.clearCookie('_UID', {
             domain: config.cookieDomain

@@ -35,13 +35,18 @@ const syncUserSession = (uid, req, res, sessionKey) => {
     }
 
     return Promise.all([userService.profile(uid), cartService.goodsCount(uid)]).spread((userInfo, count) => {
-        let token = sign.makeToken(uid);
+        let salt = uuid.v4().substr(0, 8);
+        let saltedUid = uid + salt;
+
+        let saltedToken = sign.makeToken(saltedUid);
+        let publicToken = saltedToken + salt;
+
         let data = userInfo.data;
         let encryptionUid = aes.encryptionUid(data.uid);
 
         if (data) {
             let uidCookie =
-                `${encodeURIComponent(data.profile_name)}::${encryptionUid}::${data.vip_info.title}::${token}`;
+                `${encodeURIComponent(data.profile_name)}::${encryptionUid}::${data.vip_info.title}::${saltedToken}`;
             let isStudent = data.vip_info.is_student || 0;
 
             res.cookie('_UID', uidCookie, {
@@ -62,11 +67,12 @@ const syncUserSession = (uid, req, res, sessionKey) => {
             });
         }
 
-        req.session.TOKEN_ = token;
+        req.session.TOKEN_ = publicToken;
         req.session.LOGIN_UID_ = uid;
 
-        res.cookie('_TOKEN', token, {
-            domain: config.cookieDomain
+        res.cookie('_TOKEN', publicToken, {
+            domain: config.cookieDomain,
+            httpOnly: true
         });
 
     }).catch(console.log);

@@ -36,6 +36,7 @@
     "body-parser": "^1.15.0",
     "captchapng": "0.0.1",
     "cheerio": "^0.22.0",
+    "client-sessions": "^0.7.0",
     "compression": "^1.6.2",
     "connect-multiparty": "^2.0.0",
     "cookie-parser": "^1.4.3",
@@ -58,7 +59,7 @@
     "request-promise": "^3.0.0",
     "serve-favicon": "^2.3.0",
     "uuid": "^2.0.2",
-    "yoho-node-lib": "0.2.0",
+    "yoho-node-lib": "0.2.2",
     "yoho-zookeeper": "^1.0.4"
   },
   "devDependencies": {

@@ -198,11 +198,11 @@ function pageInit() {
                 getMessage(received);
             },
 
-            connectFailCb: function () {
+            connectFailCb: function() {
                 $('.connect-fail').fadeIn();
             },
 
-            socketClosedCb: function () {
+            socketClosedCb: function() {
                 alert('链接已经断开了，请刷新后重试！');
             }
         }));
@@ -1109,6 +1109,7 @@ function pageInit() {
     // 重新连线
     $document.on('click', '.reconnect', function() {
         $('.connect-fail').hide();
+
         // 共通处理
         beforeSendMsg();
         connectSocket();
@@ -1155,12 +1156,13 @@ function pageInit() {
 }
 
 // 拉取域名信息
-(function () {
+(function() {
     $.ajax({
         type: 'GET',
         url: '/service/domains',
         success: function(domains) {
             configDomains = domains;
+
             // url前缀添加
             for (key in urls) {
                 if (urls.hasOwnProperty(key)) {

@@ -30,24 +30,25 @@ function socketInit(opts) {
     param = JSON.stringify(conversationMessage);
 
     if (window.WebSocket) {
-        setTimeout(function () {
-           times = 1;
-           socket = socketConnect();
-           connectId = setInterval(function () {
-               if(socket.readyState !== WebSocket.OPEN) {
-                   if(times < 3) {
-                       socket.close();
-                       socket = socketConnect();
-                       times++;
-                   } else {
-                       clearInterval(connectId);
+        setTimeout(function() {
+            times = 1;
+            socket = socketConnect();
+            connectId = setInterval(function() {
+                if (socket.readyState !== WebSocket.OPEN) {
+                    if (times < 3) {
+                        socket.close();
+                        socket = socketConnect();
+                        times++;
+                    } else {
+                        clearInterval(connectId);
+
                        // 连接失败回调
-                       options.connectFailCb();
-                   }
-               } else {
-                   clearInterval(connectId);
-               }
-           }, 5000);
+                        options.connectFailCb();
+                    }
+                } else {
+                    clearInterval(connectId);
+                }
+            }, 5000);
 
         }, 1000);
     }