From 3854d738746905157e150f13ca2055fbc044c977 Mon Sep 17 00:00:00 2001
From: Vexx
Date: Sat, 23 May 2026 20:21:48 +0530
Subject: [PATCH] Fix session cookie flags and strip internal errors from API responses

Session cookie had no security attributes: no httpOnly meant JS could read the session ID via document.cookie; no secure meant it travelled over plain HTTP; no sameSite meant cross-site requests carried it, enabling CSRF. Added httpOnly, secure (production-gated), sameSite strict, and a 24-hour maxAge to the express-session cookie config. Both 500 handlers in routes/auth.js returned err.message verbatim, leaking MongoDB internals (collection name, index names, key values) to callers on any trigger-able error. Removed the error field from both responses so only the generic message is returned. Fixes #447
---
 backend/routes/auth.js | 4 ++--
 backend/server.js | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/backend/routes/auth.js b/backend/routes/auth.js
index 7c2cda78..55e5d0e9 100644
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
@@ -26,7 +26,7 @@ router.post("/signup", validateRequest(signupSchema), async (req, res) => {
 return res.status(400).json({ message: 'User already exists' });
 }
- res.status(500).json({ message: 'Error creating user', error: err.message });
+ res.status(500).json({ message: 'Error creating user' });
 }
 });
@@ -41,7 +41,7 @@ router.get("/logout", (req, res) => {
 req.logout((err) => {
 if (err)
- return res.status(500).json({ message: 'Logout failed', error: err.message });
+ return res.status(500).json({ message: 'Logout failed' });
 else
 res.status(200).json({ message: 'Logged out successfully' });
 });
diff --git a/backend/server.js b/backend/server.js
index 3f19f00b..4cb7885e 100644
--- a/backend/server.js
+++ b/backend/server.js
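Review bot: Dropping `err.message` from the signup 500 response (and from the logout one in the next hunk) removes the only place the failure was surfaced, and neither hunk shows a server-side log, so operators lose the detail needed to debug these paths while callers correctly see only 'Error creating user'. Unless the catch block already logs above the hunk (its opening is outside the diff), add `console.error('signup failed', err);` (or the project's logger) before the `res.status(500)` line, and the equivalent `console.error('logout failed', err);` inside the `req.logout` callback. The generic response body is the right call; the diagnostic should move to logs rather than disappear.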
@@ -20,6 +20,12 @@ app.use(session({
 secret: process.env.SESSION_SECRET,
 resave: false,
 saveUninitialized: false,
+ cookie: {
+ httpOnly: true,
+ secure: process.env.NODE_ENV === 'production',
+ sameSite: 'strict',
+ maxAge: 24 * 60 * 60 * 1000,
+ },
 }));
 app.use(passport.initialize());
 app.use(passport.session());
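Review bot: `secure: process.env.NODE_ENV === 'production'` will silently stop the cookie from being set when the production app sits behind a TLS-terminating proxy, because express-session then sees the inbound request as plain HTTP; unless it is configured elsewhere in server.js, pair this with `app.set('trust proxy', 1);` before the `app.use(session(...))` call (or `proxy: true` in the session options). `sameSite: 'strict'` also means a top-level redirect back from an external identity provider will not carry the session cookie on that first request, so if any passport strategy here is redirect-based, confirm the callback route still sees its session (`'lax'` is the usual compromise). Consider naming the `24 * 60 * 60 * 1000` literal, e.g. `const SESSION_TTL_MS = 24 * 60 * 60 * 1000;`, and decide explicitly whether the expiry should be absolute (as now) or refreshed on activity via `rolling: true`.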