From 38daa2f29a7f894bdd406ce08adae1dbbe66a624 Mon Sep 17 00:00:00 2001
From: John McLear
Date: Mon, 15 Mar 2021 17:52:40 +0000
Subject: [PATCH] prefix with ep_
---
 doc/cookies.md | 2 +-
 src/bin/createUserSession.js | 2 +-
 src/node/handler/PadMessageHandler.js | 2 +-
 src/node/hooks/express.js | 2 +-
 src/node/hooks/express/importexport.js | 2 +-
 src/node/hooks/express/socketio.js | 4 ++--
 src/node/padaccess.js | 2 +-
 src/tests/backend/specs/api/sessionsAndGroups.js | 12 ++++++------
 src/tests/backend/specs/socketio.js | 2 +-
 9 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/doc/cookies.md b/doc/cookies.md
index 541849596..6a587ab6a 100644
--- a/doc/cookies.md
+++ b/doc/cookies.md
@@ -4,7 +4,7 @@ Cookies used by Etherpad. | Name | Sample value | Domain | Path | Expires/max-age | Http-only| Secure | Usage description | |-----------------|------------------------------------|-------------|------|-----------------|----------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|express_sid | s%3A7yCNjRmTW8ylGQ53I2IhOwYF9... | example.org | / | Session | true | true | Session ID of the [Express web framework](https://expressjs.com). When Etherpad is behind a reverse proxy, and an administrator wants to use session stickiness, he may use this cookie. If you are behind a reverse proxy, please remember to set `trustProxy: true` in `settings.json`. Set in [webaccess.js#L131](https://github.com/ether/etherpad-lite/blob/01497aa399690e44393e91c19917d11d025df71b/src/node/hooks/express/webaccess.js#L131). | +|ep_express_sid | s%3A7yCNjRmTW8ylGQ53I2IhOwYF9... | example.org | / | Session | true | true | Session ID of the [Express web framework](https://expressjs.com). When Etherpad is behind a reverse proxy, and an administrator wants to use session stickiness, he may use this cookie. If you are behind a reverse proxy, please remember to set `trustProxy: true` in `settings.json`. 
Set in [webaccess.js#L131](https://github.com/ether/etherpad-lite/blob/01497aa399690e44393e91c19917d11d025df71b/src/node/hooks/express/webaccess.js#L131). | |language | en | example.org | / | Session | false | true | The language of the UI (e.g.: `en-GB`, `it`). Set in [pad_editor.js#L111](https://github.com/ether/etherpad-lite/blob/01497aa399690e44393e91c19917d11d025df71b/src/static/js/pad_editor.js#L111). | |prefs / prefsHttp| %7B%22epThemesExtTheme%22... | example.org | /p | year 3000 | false | true | Client-side preferences (e.g.: font family, chat always visible, show authorship colors, ...). Set in [pad_cookie.js#L49](https://github.com/ether/etherpad-lite/blob/01497aa399690e44393e91c19917d11d025df71b/src/static/js/pad_cookie.js#L49). `prefs` is used if Etherpad is accessed over HTTPS, `prefsHttp` if accessed over HTTP. For more info see https://github.com/ether/etherpad-lite/issues/3179. | |token | t.tFzkihhhBf4xKEpCK3PU | example.org | / | 60 days | false | true | A random token representing the author, of the form `t.randomstring_of_lenght_20`. The random string is generated by the client, at ([pad.js#L55-L66](https://github.com/ether/etherpad-lite/blob/01497aa399690e44393e91c19917d11d025df71b/src/static/js/pad.js#L55-L66)). This cookie is always set by the client (at [pad.js#L153-L158](https://github.com/ether/etherpad-lite/blob/01497aa399690e44393e91c19917d11d025df71b/src/static/js/pad.js#L153-L158)) without any solicitation from the server. It is used for all the pads accessed via the web UI (not used for the HTTP API). On the server side, its value is accessed at [SecurityManager.js#L33](https://github.com/ether/etherpad-lite/blob/01497aa399690e44393e91c19917d11d025df71b/src/node/db/SecurityManager.js#L33).| diff --git a/src/bin/createUserSession.js b/src/bin/createUserSession.js index 33dcac18e..b7f7b4310 100644 --- a/src/bin/createUserSession.js +++ b/src/bin/createUserSession.js 
@@ -47,5 +47,5 @@ const supertest = require('supertest');
 res = await api.post(uri('createSession', {apikey, groupID, authorID, validUntil}));
 if (res.body.code === 1) throw new Error(`Error creating session: ${res.body}`);
 console.log('Session made: ====> create a cookie named sessionID and set the value to',
- res.body.data.sessionID);
+ res.body.data.ep_sessionID);
 })();
diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index 174a6bc5f..43e6754f4 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -857,7 +857,7 @@ const createSessionInfoAuth = (sessionInfo, message) => {
 // the sessionId of this connection is still valid
 // since it could have been deleted by the API.
 sessionInfo.auth = {
- sessionID: message.sessionID,
+ ep_sessionID: message.sessionID,
 padID: message.padId,
 token: message.token,
 };
diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js
index 351ab5bf2..4288922ec 100644
--- a/src/node/hooks/express.js
+++ b/src/node/hooks/express.js
@@ -176,7 +176,7 @@ exports.restartServer = async () => {
 saveUninitialized: true,
 // Set the cookie name to a javascript identifier compatible string. Makes code handling it
 // cleaner :)
- name: 'express_sid',
+ name: 'ep_express_sid',
 proxy: true,
 cookie: {
 sameSite: settings.cookie.sameSite,
diff --git a/src/node/hooks/express/importexport.js b/src/node/hooks/express/importexport.js
index d6f287c6b..0f8a11003 100644
--- a/src/node/hooks/express/importexport.js
+++ b/src/node/hooks/express/importexport.js
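Review bot: The log message in the createUserSession.js hunk still tells the operator to create a cookie named `sessionID`, while the importexport.js and padaccess.js hunks of this commit make the server read `req.cookies.ep_sessionID`, so a cookie created as instructed would no longer reach the access check. The message should read `'Session made: ====> create a cookie named ep_sessionID and set the value to',`. Separately, the value is now taken from `res.body.data.ep_sessionID`, but no API handler or session-manager file appears in the diffstat, so the createSession response presumably still carries `sessionID` and this would print `undefined`. The same response-field rename is in the three sessionsAndGroups.js hunks; confirm which side of the HTTP API contract is meant to change before renaming its consumers.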
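Review bot: Only the key written into `sessionInfo.auth` is renamed in the PadMessageHandler.js hunk; the value is still read from `message.sessionID`, and the diffstat shows this is the only line changed in that file. Any code that later reads `sessionInfo.auth.sessionID` to re-check access (the context comment says the session may have been deleted through the API) would then get `undefined`, and whether that check fails closed depends on code outside this hunk. Either keep the internal key as `sessionID: message.sessionID,`, since it is not a cookie name, or rename every reader in the same commit. createSessionInfoAuth starts and ends outside the hunk.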
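Review bot: The rename to `name: 'ep_express_sid'` in the express.js hunk carries no migration note: browsers holding an `express_sid` cookie will present a name the server no longer reads, so existing sessions are dropped on upgrade, and reverse-proxy stickiness rules keyed on the old name (a use doc/cookies.md describes) stop matching. I would record that next to the option, e.g. `// Renamed from 'express_sid'; update proxy stickiness rules keyed on the cookie name.`, and call it out in the release notes. Note also that `ep_` only namespaces the cookie; it is not one of the browser-enforced `__Host-`/`__Secure-` prefixes, so it adds no protection against another application on the same domain overwriting it. The session options object starts and ends outside the hunk.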
@@ -71,7 +71,7 @@ exports.expressCreateServer = (hookName, args, cb) => {
 (async () => {
 const {session: {user} = {}} = req;
 const {accessStatus} = await securityManager.checkAccess(
- req.params.pad, req.cookies.sessionID, req.cookies.token, user);
+ req.params.pad, req.cookies.ep_sessionID, req.cookies.token, user);
 if (accessStatus !== 'grant' || !webaccess.userCanModify(req.params.pad, req)) {
 return res.status(403).send('Forbidden');
 }
diff --git a/src/node/hooks/express/socketio.js b/src/node/hooks/express/socketio.js
index 47a657747..f645be5f2 100644
--- a/src/node/hooks/express/socketio.js
+++ b/src/node/hooks/express/socketio.js
@@ -62,7 +62,7 @@ exports.expressCreateServer = (hookName, args, cb) => {
 * falls back to long polling or below.
 *
 * In Etherpad's case, if an operator needs to load balance, he can use the
- * "express_sid" cookie, and thus "io" is of no use.
+ * "ep_express_sid" cookie, and thus "io" is of no use.
 *
 * Moreover, socket.io API does not offer a way of setting the "secure" flag
 * on it, and thus is a liability.
@@ -98,7 +98,7 @@ exports.expressCreateServer = (hookName, args, cb) => {
 }
 if (!req.headers.cookie) {
 // socketio.js-client on node.js doesn't support cookies (see https://git.io/JU8u9), so the
- // token and express_sid cookies have to be passed via a query parameter for unit tests.
+ // token and ep_express_sid cookies have to be passed via a query parameter for unit tests.
 req.headers.cookie = socket.handshake.query.cookie;
 }
 // See: https://socket.io/docs/faq/#Usage-with-express-session
diff --git a/src/node/padaccess.js b/src/node/padaccess.js
index 5ca5641b5..73db3430d 100644
--- a/src/node/padaccess.js
+++ b/src/node/padaccess.js
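Review bot: The access check in the importexport.js hunk now reads only `req.cookies.ep_sessionID`, but nothing under src/static appears in the diffstat and doc/cookies.md gains no entry for the new name, so clients and embedding applications that set a `sessionID` cookie will have it ignored. `checkAccess` would then be called with an undefined session; that is presumably a denial for group pads, but it depends on SecurityManager, which is not shown. If the rename is intended, document it as a breaking change for integrators; if a transition period is wanted, `req.cookies.ep_sessionID || req.cookies.sessionID` keeps existing cookies working. The same applies to the `checkAccess` call in the src/node/padaccess.js hunk.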
@@ -6,7 +6,7 @@ module.exports = async (req, res) => { try { const {session: {user} = {}} = req; const accessObj = await securityManager.checkAccess( - req.params.pad, req.cookies.sessionID, req.cookies.token, user); + req.params.pad, req.cookies.ep_sessionID, req.cookies.token, user); if (accessObj.accessStatus === 'grant') { // there is access, continue diff --git a/src/tests/backend/specs/api/sessionsAndGroups.js b/src/tests/backend/specs/api/sessionsAndGroups.js index 238353d0d..102581e6b 100644 --- a/src/tests/backend/specs/api/sessionsAndGroups.js +++ b/src/tests/backend/specs/api/sessionsAndGroups.js @@ -137,8 +137,8 @@ describe(__filename, function () { .expect('Content-Type', /json/) .expect((res) => { assert.equal(res.body.code, 0); - assert(res.body.data.sessionID); - sessionID = res.body.data.sessionID; + assert(res.body.data.ep_sessionID); + sessionID = res.body.data.ep_sessionID; }); }); @@ -150,8 +150,8 @@ describe(__filename, function () { .expect('Content-Type', /json/) .expect((res) => { assert.equal(res.body.code, 0); - assert(res.body.data.sessionID); - sessionID = res.body.data.sessionID; + assert(res.body.data.ep_sessionID); + sessionID = res.body.data.ep_sessionID; }); }); @@ -255,8 +255,8 @@ describe(__filename, function () { .expect('Content-Type', /json/) .expect((res) => { assert.equal(res.body.code, 0); - assert(res.body.data.sessionID); - sessionID = res.body.data.sessionID; + assert(res.body.data.ep_sessionID); + sessionID = res.body.data.ep_sessionID; }); }); diff --git a/src/tests/backend/specs/socketio.js b/src/tests/backend/specs/socketio.js index fdb578b55..380e8016d 100644 --- a/src/tests/backend/specs/socketio.js +++ b/src/tests/backend/specs/socketio.js 
@@ -56,7 +56,7 @@ const connect = async (res) => {
 forceNew: true, // Different tests will have different query parameters.
 path: '/socket.io',
 // socketio.js-client on node.js doesn't support cookies (see https://git.io/JU8u9), so the
- // express_sid cookie must be passed as a query parameter.
+ // ep_express_sid cookie must be passed as a query parameter.
 query: {cookie: reqCookieHdr},
 });
 try {