Fix more security warnings

Author: skadefro

OpenFlow/src/Config.ts

@@ -52,7 +52,7 @@ export class Config {
         Config.protocol = Config.getEnv("protocol", "http"); // used by personal nodered and baseurl()
         Config.port = parseInt(Config.getEnv("port", "3000"));
         Config.domain = Config.getEnv("domain", "localhost"); // sent to website and used in baseurl()
-
+        Config.cookie_secret = Config.getEnv("cookie_secret", "NLgUIsozJaxO38ze0WuHthfj2eb1eIEu");
 
         Config.amqp_reply_expiration = parseInt(Config.getEnv("amqp_reply_expiration", "10000")); // 10 seconds
         Config.amqp_force_queue_prefix = Config.parseBoolean(Config.getEnv("amqp_force_queue_prefix", "true"));
@@ -125,7 +125,7 @@ export class Config {
     public static protocol: string = Config.getEnv("protocol", "http"); // used by personal nodered and baseurl()
     public static port: number = parseInt(Config.getEnv("port", "3000"));
     public static domain: string = Config.getEnv("domain", "localhost"); // sent to website and used in baseurl()
-
+    public static cookie_secret: string = Config.getEnv("cookie_secret", "NLgUIsozJaxO38ze0WuHthfj2eb1eIEu"); // Used to protect cookies
 
     public static amqp_reply_expiration: number = parseInt(Config.getEnv("amqp_reply_expiration", (60 * 1000).toString())); // 1 min
     public static amqp_force_queue_prefix: boolean = Config.parseBoolean(Config.getEnv("amqp_force_queue_prefix", "true"));

OpenFlow/src/LoginProvider.ts

@@ -152,8 +152,7 @@ export class LoginProvider {
     static async configure(logger: winston.Logger, app: express.Express, baseurl: string): Promise<void> {
         LoginProvider._logger = logger;
         app.use(cookieSession({
-            name: "session",
-            keys: ["key1", "key2"]
+            name: "session", secret: Config.cookie_secret
         }));
 
         app.use(passport.initialize());

OpenFlow/src/WebServer.ts

@@ -38,8 +38,7 @@ export class WebServer {
         this.app.use(bodyParser.json());
         this.app.use(cookieParser());
         this.app.use(cookieSession({
-            name: "session",
-            keys: ["key1", "key2"]
+            name: "session", secret: Config.cookie_secret
         }));
         this.app.use(flash());
 

OpenFlowNodeRED/src/Config.ts

@@ -37,6 +37,7 @@ export class Config {
         Config.nodered_domain_schema = Config.getEnv("nodered_domain_schema", "");
         Config.noderedusers = Config.getEnv("noderedusers", "");
         Config.noderedadmins = Config.getEnv("noderedadmins", "");
+        Config.cookie_secret = Config.getEnv("cookie_secret", "NLgUIsozJaxO38ze0WuHthfj2eb1eIEu");
 
         Config.flow_refresh_interval = parseInt(Config.getEnv("flow_refresh_interval", "60000"));
         Config.flow_refresh_initial_interval = parseInt(Config.getEnv("flow_refresh_initial_interval", "60000"));
@@ -87,6 +88,7 @@ export class Config {
     public static nodered_domain_schema: string = Config.getEnv("nodered_domain_schema", "");
     public static noderedusers: string = Config.getEnv("noderedusers", "");
     public static noderedadmins: string = Config.getEnv("noderedadmins", "");
+    public static cookie_secret: string = Config.getEnv("cookie_secret", "NLgUIsozJaxO38ze0WuHthfj2eb1eIEu"); // Used to protect cookies
 
     public static flow_refresh_interval: number = parseInt(Config.getEnv("flow_refresh_interval", "60000"));
     public static flow_refresh_initial_interval: number = parseInt(Config.getEnv("flow_refresh_initial_interval", "60000"));

OpenFlowNodeRED/src/WebServer.ts

@@ -169,8 +169,7 @@ export class WebServer {
 
 
                 this.app.use(cookieSession({
-                    name: 'session',
-                    keys: ['key1', 'key2']
+                    name: 'session', secret: Config.cookie_secret
                 }))
 
                 // initialise the runtime with a server and settings