fix(index): touch() or set() should update cookie expiration (#265)

* fix(index): touch() or set() should update cookie expiration

* test: minor fix

Signed-off-by: Andrei Alecu <[email protected]>

---------

Signed-off-by: Andrei Alecu <[email protected]>
Co-authored-by: Andrei Alecu <[email protected]>

Author: andreialecu

index.js

@@ -317,13 +317,13 @@ class Session {
   }
 
   set (key, value) {
-    this.changed = true
+    this.touch()
     this[kObj][key] = value
   }
 
   delete () {
-    this.changed = true
     this.deleted = true
+    this.touch()
   }
 
   options (opts) {
@@ -341,6 +341,7 @@ class Session {
 
   touch () {
     this.changed = true
+    this[kObj].__ts = Math.round(Date.now() / 1000)
   }
 
   regenerate (ignoredFields) {
@@ -350,7 +351,7 @@ class Session {
       }
       delete this[kObj][key]
     }
-    this.changed = true
+    this.touch()
   }
 }
 

test/anti-reuse.test.js

@@ -115,3 +115,91 @@ test('Anti re-use with set expiry of 15 minutes', async t => {
   t.assert.ok(getResponse)
   t.assert.deepStrictEqual(JSON.parse(getResponse.payload), {})
 })
+
+test('Anti re-use should still allow touch() to work', async t => {
+  const fastify = Fastify({ logger: false })
+  const clock = FakeTimers.install({
+    shouldAdvanceTime: true,
+    now: Date.now()
+  })
+  t.after(() => {
+    fastify.close()
+    clock.reset()
+    clock.uninstall()
+  })
+
+  fastify.register(require('../'), {
+    key,
+    expiry: 15 * 60 // 15 minutes
+  })
+
+  fastify.post('/', (request, reply) => {
+    request.session.set('some', request.body.some)
+    request.session.set('some2', request.body.some2)
+    request.session.touch()
+    reply.send('hello world')
+  })
+
+  fastify.get('/', (request, reply) => {
+    const some = request.session.get('some')
+    const some2 = request.session.get('some2')
+    reply.send({ some, some2 })
+  })
+
+  const payload = {
+    some: 'someData',
+    some2: { a: 1, b: 2, c: 3 }
+  }
+
+  const firstPostResponse = await fastify.inject({
+    method: 'POST',
+    url: '/',
+    payload
+  })
+  const oldCookie = firstPostResponse.headers['set-cookie']
+
+  t.assert.ok(firstPostResponse)
+  t.assert.strictEqual(firstPostResponse.statusCode, 200)
+  t.assert.ok(firstPostResponse.headers['set-cookie'])
+
+  clock.jump('00:14:59') // forward just before expiry
+
+  const secondPostResponse = await fastify.inject({
+    method: 'POST',
+    url: '/',
+    payload
+  })
+  const newCookie = secondPostResponse.headers['set-cookie']
+
+  t.assert.ok(secondPostResponse)
+  t.assert.strictEqual(secondPostResponse.statusCode, 200)
+  t.assert.ok(secondPostResponse.headers['set-cookie'])
+
+  clock.jump('00:00:02') // forward just after expiry
+
+  const withNewCookie = await fastify.inject({
+    method: 'GET',
+    url: '/',
+    headers: {
+      cookie: newCookie
+    }
+  })
+
+  t.assert.ok(withNewCookie)
+
+  // this should return the payload because the cookie was updated 2 seconds before
+  t.assert.deepStrictEqual(JSON.parse(withNewCookie.payload), payload)
+
+  const withOldCookie = await fastify.inject({
+    method: 'GET',
+    url: '/',
+    headers: {
+      cookie: oldCookie
+    }
+  })
+
+  t.assert.ok(withOldCookie)
+
+  // this should be empty because the old session is expired
+  t.assert.deepStrictEqual(JSON.parse(withOldCookie.payload), {})
+})