diff --git a/README.md b/README.md
index 30648b3..89f044f 100644
--- a/README.md
+++ b/README.md
@@ -140,22 +140,6 @@ Settings can be managed from the admin panel ([http://127.0.0.1:1111/admin](http
 All settings are stored in json files in the `/config` directory. The main application-level settings are stored in `/config/settings.json` while payment gateway settings are stored in files in the `/config` directory named after the payment gateway. For example, configuration for the Stripe payment gateway is stored in `/config/stripe.json`.
 
-> When using in production be sure to update the session secret in `app.js` to a safe random string. Eg:
-
-```
-app.use(session({
- resave: true,
- saveUninitialized: true,
- secret: 'UPDATE_TO_RANDOM_STRING',
- cookie: {
- path: '/',
- httpOnly: true,
- maxAge: 900000
- },
- store: store
-}));
-```
-
 ##### Local configuration
 
 If you'd rather store settings in a file which isn't checked into version control, you can create a new settings file at `/config/settings-local.json` and store your complete settings there. When viewing or editing settings in the admin panel, expressCart will detect the existence of this file and update it accordingly.
 
diff --git a/app.js b/app.js
index 3bf9d79..c7f5114 100644
--- a/app.js
+++ b/app.js
@@ -11,6 +11,7 @@ const numeral = require('numeral');
 const helmet = require('helmet');
 const colors = require('colors');
 const cron = require('node-cron');
+const crypto = require('crypto');
 const common = require('./lib/common');
 const { runIndexing } = require('./lib/indexing');
 const { addSchemas } = require('./lib/schema');
@@ -233,17 +234,29 @@ const store = new MongoStore({
 collection: 'sessions'
 });
 
+// Setup secrets
+if(!config.secretCookie || config.secretCookie === ''){
+ const randomString = crypto.randomBytes(20).toString('hex');
+ config.secretCookie = randomString;
+ common.updateConfigLocal({ secretCookie: randomString });
+}
+if(!config.secretSession || config.secretSession === ''){
+ const randomString = crypto.randomBytes(20).toString('hex');
+ config.secretSession = randomString;
+ common.updateConfigLocal({ secretSession: randomString });
+}
+
 app.enable('trust proxy');
 app.use(helmet());
 app.set('port', process.env.PORT || 1111);
 app.use(logger('dev'));
 app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: false }));
-app.use(cookieParser('5TOCyfH3HuszKGzFZntk'));
+app.use(cookieParser(config.secretCookie));
 app.use(session({
 resave: true,
 saveUninitialized: true,
- secret: 'UPDATE_TO_RANDOM_STRING',
+ secret: config.secretSession,
 cookie: {
 path: '/',
 httpOnly: true,
diff --git a/config/baseSchema.json b/config/baseSchema.json
index e712345..84ebaa6 100644
--- a/config/baseSchema.json
+++ b/config/baseSchema.json
@@ -104,6 +104,12 @@
 },
 "orderHook": {
 "format": "uri-template"
+ },
+ "secretCookie": {
+ "type": "string"
+ },
+ "secretSession": {
+ "type": "string"
 }
 },
 "required": [
diff --git a/lib/common.js b/lib/common.js
index 0b3d3de..ad0615e 100755
--- a/lib/common.js
+++ b/lib/common.js
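Review bot: A freshly generated secret is only persisted on a best-effort basis: `common.updateConfigLocal` logs and swallows write failures, so if `settings-local.json` cannot be written this block will silently generate a different `secretCookie`/`secretSession` on every restart and every signed cookie and session will be invalidated with no indication at this call site. Have the helper return or throw on failure and at least emit a loud warning here (or refuse to start in production when persistence fails). The two guards are the same code twice and the `=== ''` clause is redundant because the empty string is already falsy; a small loop such as `for (const key of ['secretCookie', 'secretSession']) { if (!config[key]) { /* generate, assign, persist */ } }` would state the intent once. It is also worth confirming that `config` is loaded in a way that reads `settings-local.json` back on the next start, otherwise the generated value is written but never reused; how `config` is built is not visible in this hunk.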
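Review bot: `secretCookie` and `secretSession` are declared as bare `"type": "string"`, so if this schema is what validates settings edited through the admin panel, an empty or one-character secret would pass validation and be stored. A `"minLength"` constraint would reject weak values at the schema level, e.g. `"secretCookie": { "type": "string", "minLength": 32 }` (the 32 is a placeholder; the startup generator produces 40 hex characters). If an empty value is meant to mean "auto-generate", the property can simply be absent rather than empty, provided it is not listed in the `required` array that this hunk cuts off; whether the admin panel validates against this schema is not visible here.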
@@ -322,6 +322,20 @@ const updateConfig = (fields) => {
 }
 };
 
+const updateConfigLocal = (field) => {
+ const localSettingsFile = path.join(__dirname, '../config', 'settings-local.json');
+ try{
+ let localSettings = {};
+ if(fs.existsSync(localSettingsFile)){
+ localSettings = JSON.parse(fs.readFileSync(localSettingsFile));
+ }
+ Object.assign(localSettings, field);
+ fs.writeFileSync(localSettingsFile, JSON.stringify(localSettings, null, 4));
+ }catch(exception){
+ console.log('Failed to save local settings file', exception);
+ }
+};
+
 const getMenu = (db) => {
 return db.menu.findOne({});
 };
@@ -543,6 +557,7 @@ module.exports = {
 getConfig,
 getPaymentConfig,
 updateConfig,
+ updateConfigLocal,
 getMenu,
 newMenu,
 deleteMenu,
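Review bot: `updateConfigLocal` is called from `app.js` with the freshly generated cookie and session secrets, yet it writes `settings-local.json` with the default file mode, so under a typical umask the file holding those secrets is world-readable; pass an explicit mode, `fs.writeFileSync(localSettingsFile, JSON.stringify(localSettings, null, 4), { mode: 0o600 });` (the mode only applies when the file is created, an existing file keeps its permissions). The `catch` also turns every failure into a `console.log` and returns normally, so the caller cannot tell that the secret was not persisted and will regenerate it on the next start; either rethrow (`throw exception;`) or return `false` so `app.js` can react, and use `console.error` for the message. Minor: `fs.readFileSync(localSettingsFile, 'utf8')` makes the parse input explicit instead of relying on `JSON.parse` stringifying a Buffer, and the parameter named `field` is really an object of fields (`fields` would match `updateConfig` above).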