rspec/rules/S5876/javascript/how-to-fix-it/passportjs.adoc

== How to fix it in Passport

=== Code examples

Upon user authentication, it is crucial to regenerate the session identifier to prevent fixation attacks. Passport provides a mechanism to achieve this by using the `req.session.regenerate()` method. By calling this method after successful authentication, you can ensure that each user is assigned a new and unique session ID.

==== Noncompliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
app.post('/login', 
  passport.authenticate('local', { failureRedirect: '/login' }),
  function(req, res) {
    // Noncompliant - no session.regenerate after login
    res.redirect('/');
  });
----

==== Compliant solution

[source,javascript,diff-id=1,diff-type=compliant]
----
app.post('/login', 
  passport.authenticate('local', { failureRedirect: '/login' }),
  function(req, res) {
    let prevSession = req.session;
    req.session.regenerate((err) => {
      Object.assign(req.session, prevSession);
      res.redirect('/');
    });
  });
----

=== How does this work?

include::../../common/fix/new-session.adoc[]
Modify rule S5876: Update to LayC format (APPSEC-969) (#2967) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> 2023-08-30 09:09:58 +02:00			`== How to fix it in Passport`

			`=== Code examples`

			Upon user authentication, it is crucial to regenerate the session identifier to prevent fixation attacks. Passport provides a mechanism to achieve this by using the `req.session.regenerate()` method. By calling this method after successful authentication, you can ensure that each user is assigned a new and unique session ID.

			`==== Noncompliant code example`

			`[source,javascript,diff-id=1,diff-type=noncompliant]`
			`----`
			`app.post('/login',`
			`passport.authenticate('local', { failureRedirect: '/login' }),`
			`function(req, res) {`
			`// Noncompliant - no session.regenerate after login`
			`res.redirect('/');`
			`});`
			`----`

			`==== Compliant solution`

			`[source,javascript,diff-id=1,diff-type=compliant]`
			`----`
			`app.post('/login',`
			`passport.authenticate('local', { failureRedirect: '/login' }),`
			`function(req, res) {`
			`let prevSession = req.session;`
			`req.session.regenerate((err) => {`
			`Object.assign(req.session, prevSession);`
			`res.redirect('/');`
			`});`
			`});`
			`----`

			`=== How does this work?`

			`include::../../common/fix/new-session.adoc[]`