feat: enforce secret requirement for session creation (#1025)

bjohansebas · UlisesGascon · web-flow · commit f5b5ebbb7a8c · 2025-04-26T22:02:48.000-05:00
* feat: enforce secret requirement for session creation

* feat: remove compatibility with cookie parser

* test: move test to describe

* fix: improve secret option validation in session function

* Update test/session.js

---------

Co-authored-by: Ulises Gascón &lt;ulisesgascongonzalez@gmail.com&gt;
diff --git a/index.js b/index.js
@@ -101,7 +101,7 @@ function session(options) {
   var saveUninitializedSession = opts.saveUninitialized
 
   // get the cookie signing secret
-  var secret = opts.secret
+  var secrets = opts.secret
 
   if (typeof generateId !== 'function') {
     throw new TypeError('genid option must be a function');
@@ -124,16 +124,16 @@ function session(options) {
   // TODO: switch to "destroy" on next major
   var unsetDestroy = opts.unset === 'destroy'
 
-  if (Array.isArray(secret) && secret.length === 0) {
+  if (Array.isArray(secrets) && secrets.length === 0) {
     throw new TypeError('secret option array must contain one or more strings');
   }
 
-  if (secret && !Array.isArray(secret)) {
-    secret = [secret];
+  if (secrets && !Array.isArray(secrets)) {
+    secrets = [secrets];
   }
 
-  if (!secret) {
-    deprecate('req.secret; provide secret option');
+  if (!secrets) {
+    throw new Error('secret option required for sessions');
   }
 
   // notify user that this store is not
@@ -188,16 +188,6 @@ function session(options) {
       return
     }
 
-    // ensure a secret is available or bail
-    if (!secret && !req.secret) {
-      next(new Error('secret option required for sessions'));
-      return;
-    }
-
-    // backwards compatibility for signed cookies
-    // req.secret is passed from the cookie parser middleware
-    var secrets = secret || [req.secret];
-
     var originalHash;
     var originalId;
     var savedHash;
diff --git a/test/session.js b/test/session.js
@@ -35,22 +35,6 @@ describe('session()', function(){
     .expect(200, done)
   })
 
-  it('should error without secret', function(done){
-    request(createServer({ secret: undefined }))
-    .get('/')
-    .expect(500, /secret.*required/, done)
-  })
-
-  it('should get secret from req.secret', function(done){
-    function setup (req) {
-      req.secret = 'keyboard cat'
-    }
-
-    request(createServer(setup, { secret: undefined }))
-    .get('/')
-    .expect(200, '', done)
-  })
-
   it('should create a new session', function (done) {
     var store = new session.MemoryStore()
     var server = createServer({ store: store }, function (req, res) {
@@ -1194,6 +1178,12 @@ describe('session()', function(){
   });
 
   describe('secret option', function () {
+    it('should reject without secret',function () {
+      for (const secret of [undefined, null, '', false]) {
+        assert.throws(session.bind(null, { secret }), /secret option required for sessions/)
+      }
+    })
+
     it('should reject empty arrays', function () {
       assert.throws(createServer.bind(null, { secret: [] }), /secret option array/);
     })
