From 4d498725c7e45dce2ab540ae55f674f2c9099c1d Mon Sep 17 00:00:00 2001
From: Richard Hansen <rhansen@rhansen.org>
Date: Sun, 19 Dec 2021 03:31:34 -0500
Subject: [PATCH] SessionStore: Improve cookie expiration check

  * Don't mutate `sess.cookie.expires`.
  * Allow `sess.cookie` to be nullish.
  * Always compare `Date` objects.
---
 src/node/db/SessionStore.js             | 8 ++------
 src/tests/backend/specs/SessionStore.js | 6 +++---
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/src/node/db/SessionStore.js b/src/node/db/SessionStore.js
index f4b26d4be..82fcdb771 100644
--- a/src/node/db/SessionStore.js
+++ b/src/node/db/SessionStore.js
@@ -11,12 +11,8 @@ class SessionStore extends Store {
   async _get(sid) {
     logger.debug(`GET ${sid}`);
     const s = await DB.get(`sessionstorage:${sid}`);
-    if (!s) return;
-    if (typeof s.cookie.expires === 'string') s.cookie.expires = new Date(s.cookie.expires);
-    if (s.cookie.expires && new Date() >= s.cookie.expires) {
-      await this._destroy(sid);
-      return;
-    }
+    const {cookie: {expires} = {}} = s || {};
+    if (expires && new Date() >= new Date(expires)) return await this._destroy(sid);
     return s;
   }
 
diff --git a/src/tests/backend/specs/SessionStore.js b/src/tests/backend/specs/SessionStore.js
index 2830b9c47..8723ffe07 100644
--- a/src/tests/backend/specs/SessionStore.js
+++ b/src/tests/backend/specs/SessionStore.js
@@ -36,7 +36,7 @@ describe(__filename, function () {
     });
 
     it('set of non-expiring session', async function () {
-      const sess = {foo: 'bar', baz: {asdf: 'jkl;'}, cookie: {}};
+      const sess = {foo: 'bar', baz: {asdf: 'jkl;'}};
       await set(sess);
       assert.equal(JSON.stringify(await db.get(`sessionstorage:${sid}`)), JSON.stringify(sess));
     });
@@ -54,13 +54,13 @@ describe(__filename, function () {
     });
 
     it('set+get round trip', async function () {
-      const sess = {foo: 'bar', baz: {asdf: 'jkl;'}, cookie: {}};
+      const sess = {foo: 'bar', baz: {asdf: 'jkl;'}};
       await set(sess);
       assert.equal(JSON.stringify(await get()), JSON.stringify(sess));
     });
 
     it('get of record from previous run (no expiration)', async function () {
-      const sess = {foo: 'bar', baz: {asdf: 'jkl;'}, cookie: {}};
+      const sess = {foo: 'bar', baz: {asdf: 'jkl;'}};
       await db.set(`sessionstorage:${sid}`, sess);
       assert.equal(JSON.stringify(await get()), JSON.stringify(sess));
     });