From 0c9c1f514fba98b4333d92ce6a331818ec2ebe97 Mon Sep 17 00:00:00 2001
From: Marcel Klehr <mklehr@gmx.net>
Date: Sat, 22 Sep 2012 16:03:40 +0200
Subject: [PATCH] Fix socket.io auth: Use connect to parse signed cookies
 (migrate to express v3)

---
 src/node/hooks/express/socketio.js  | 22 ++++++++++++++++------
 src/node/hooks/express/webaccess.js |  6 +++---
 src/package.json                    |  2 +-
 3 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/src/node/hooks/express/socketio.js b/src/node/hooks/express/socketio.js
index 9e1a010fc..546ba2af6 100644
--- a/src/node/hooks/express/socketio.js
+++ b/src/node/hooks/express/socketio.js
@@ -3,6 +3,7 @@ var socketio = require('socket.io');
 var settings = require('../../utils/Settings');
 var socketIORouter = require("../../handler/SocketIORouter");
 var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks");
+var webaccess = require("ep_etherpad-lite/node/hooks/express/webaccess");
 
 var padMessageHandler = require("../../handler/PadMessageHandler");
 
@@ -17,12 +18,21 @@ exports.expressCreateServer = function (hook_name, args, cb) {
    * info */
   io.set('authorization', function (data, accept) {
     if (!data.headers.cookie) return accept('No session cookie transmitted.', false);
-    data.cookie = connect.utils.parseCookie(data.headers.cookie);
-    data.sessionID = data.cookie.express_sid;
-    args.app.sessionStore.get(data.sessionID, function (err, session) {
-      if (err || !session) return accept('Bad session / session has expired', false);
-      data.session = new connect.middleware.session.Session(data, session);
-      accept(null, true);
+
+    // Use connect's cookie parser, because it knows how to parse signed cookies
+    connect.cookieParser(webaccess.secret)(data, {}, function(err){
+      if(err) {
+        console.error(err);
+        accept("Couldn't parse request cookies. ", false);
+        return;
+      }
+
+      data.sessionID = data.signedCookies.express_sid;
+      args.app.sessionStore.get(data.sessionID, function (err, session) {
+        if (err || !session) return accept('Bad session / session has expired', false);
+        data.session = new connect.middleware.session.Session(data, session);
+        accept(null, true);
+      });
     });
   });
 
diff --git a/src/node/hooks/express/webaccess.js b/src/node/hooks/express/webaccess.js
index 28cb649e4..41bf38805 100644
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@@ -88,7 +88,7 @@ exports.basicAuth = function (req, res, next) {
   });
 }
 
-var secret = null;
+exports.secret = null;
 
 exports.expressConfigure = function (hook_name, args, cb) {
   // If the log level specified in the config file is WARN or ERROR the application server never starts listening to requests as reported in issue #158.
@@ -103,10 +103,10 @@ exports.expressConfigure = function (hook_name, args, cb) {
 
   if (!exports.sessionStore) {
     exports.sessionStore = new express.session.MemoryStore();
-    secret = randomString(32);
+    exports.secret = randomString(32);
   }
   
-  args.app.use(express.cookieParser(secret));
+  args.app.use(express.cookieParser(exports.secret));
 
   args.app.sessionStore = exports.sessionStore;
   args.app.use(express.session({store: args.app.sessionStore,
diff --git a/src/package.json b/src/package.json
index bee732058..67aa1037c 100644
--- a/src/package.json
+++ b/src/package.json
@@ -18,7 +18,7 @@
                       "ueberDB"             : "0.1.7",
                       "async"               : "0.1.x",
                       "express"             : "3.x",
-                      "connect"             : "1.x",
+                      "connect"             : "2.4.x",
                       "clean-css"           : "0.3.2",
                       "uglify-js"           : "1.2.5",
                       "formidable"          : "1.0.9",