Random generate secrets and store in settings-local

README.md

@@ -140,22 +140,6 @@ Settings can be managed from the admin panel ([http://127.0.0.1:1111/admin](http
 
 All settings are stored in json files in the `/config` directory. The main application-level settings are stored in `/config/settings.json` while payment gateway settings are stored in files in the `/config` directory named after the payment gateway. For example, configuration for the Stripe payment gateway is stored in `/config/stripe.json`.
 
-> When using in production be sure to update the session secret in `app.js` to a safe random string. Eg:
-
-```
-app.use(session({
-    resave: true,
-    saveUninitialized: true,
-    secret: 'UPDATE_TO_RANDOM_STRING',
-    cookie: {
-        path: '/',
-        httpOnly: true,
-        maxAge: 900000
-    },
-    store: store
-}));
-```
-
 ##### Local configuration
 
 If you'd rather store settings in a file which isn't checked into version control, you can create a new settings file at `/config/settings-local.json` and store your complete settings there. When viewing or editing settings in the admin panel, expressCart will detect the existence of this file and update it accordingly.

app.js

@@ -11,6 +11,7 @@ const numeral = require('numeral');
 const helmet = require('helmet');
 const colors = require('colors');
 const cron = require('node-cron');
+const crypto = require('crypto');
 const common = require('./lib/common');
 const { runIndexing } = require('./lib/indexing');
 const { addSchemas } = require('./lib/schema');
@@ -233,17 +234,29 @@ const store = new MongoStore({
     collection: 'sessions'
 });
 
+// Setup secrets
+if(!config.secretCookie || config.secretCookie === ''){
+    const randomString = crypto.randomBytes(20).toString('hex');
+    config.secretCookie = randomString;
+    common.updateConfigLocal({ secretCookie: randomString });
+}
+if(!config.secretSession || config.secretSession === ''){
+    const randomString = crypto.randomBytes(20).toString('hex');
+    config.secretSession = randomString;
+    common.updateConfigLocal({ secretSession: randomString });
+}
+
 app.enable('trust proxy');
 app.use(helmet());
 app.set('port', process.env.PORT || 1111);
 app.use(logger('dev'));
 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: false }));
-app.use(cookieParser('5TOCyfH3HuszKGzFZntk'));
+app.use(cookieParser(config.secretCookie));
 app.use(session({
     resave: true,
     saveUninitialized: true,
-    secret: 'UPDATE_TO_RANDOM_STRING',
+    secret: config.secretSession,
     cookie: {
         path: '/',
         httpOnly: true,

config/baseSchema.json

@@ -104,6 +104,12 @@
         },
         "orderHook": {
             "format": "uri-template"
+        },
+        "secretCookie": {
+            "type": "string"
+        },
+        "secretSession": {
+            "type": "string"
         }
     },
     "required": [

lib/common.js

@@ -322,6 +322,20 @@ const updateConfig = (fields) => {
     }
 };
 
+const updateConfigLocal = (field) => {
+    const localSettingsFile = path.join(__dirname, '../config', 'settings-local.json');
+    try{
+        let localSettings = {};
+        if(fs.existsSync(localSettingsFile)){
+            localSettings = JSON.parse(fs.readFileSync(localSettingsFile));
+        }
+        Object.assign(localSettings, field);
+        fs.writeFileSync(localSettingsFile, JSON.stringify(localSettings, null, 4));
+    }catch(exception){
+        console.log('Failed to save local settings file', exception);
+    }
+};
+
 const getMenu = (db) => {
     return db.menu.findOne({});
 };
@@ -543,6 +557,7 @@ module.exports = {
     getConfig,
     getPaymentConfig,
     updateConfig,
+    updateConfigLocal,
     getMenu,
     newMenu,
     deleteMenu,