Adds ability to set the cookie session secret (#774)

* Adds ability to set the cookie session secret

* nits

Author: flovilmart

Parse-Dashboard/Authentication.js

@@ -17,7 +17,8 @@ function Authentication(validUsers, useEncryptedPasswords, mountPath) {
   this.mountPath = mountPath;
 }
 
-function initialize(app) {
+function initialize(app, options) {
+  options = options || {};
   var self = this;
   passport.use('local', new LocalStrategy(
     function(username, password, cb) {
@@ -43,11 +44,12 @@ function initialize(app) {
     cb(null, user);
   });
 
+  var cookieSessionSecret = options.cookieSessionSecret || require('crypto').randomBytes(64).toString('hex');
   app.use(require('connect-flash')());
   app.use(require('body-parser').urlencoded({ extended: true }));
   app.use(require('cookie-session')({
     key    : 'parse_dash',
-    secret : 'magic',
+    secret : cookieSessionSecret,
     cookie : {
       maxAge: (2 * 7 * 24 * 60 * 60 * 1000) // 2 weeks
     }

Parse-Dashboard/app.js

@@ -46,7 +46,8 @@ function checkIfIconsExistForApps(apps, iconsFolder) {
   }
 }
 
-module.exports = function(config, allowInsecureHTTP) {
+module.exports = function(config, options) {
+  options = options || {};
   var app = express();
   // Serve public files.
   app.use(express.static(path.join(__dirname,'public')));
@@ -62,7 +63,7 @@ module.exports = function(config, allowInsecureHTTP) {
     const users = config.users;
     const useEncryptedPasswords = config.useEncryptedPasswords ? true : false;
     const authInstance = new Authentication(users, useEncryptedPasswords, mountPath);
-    authInstance.initialize(app);
+    authInstance.initialize(app, { cookieSessionSecret: options.cookieSessionSecret });
 
     // CSRF error handler
     app.use(function (err, req, res, next) {
@@ -86,7 +87,7 @@ module.exports = function(config, allowInsecureHTTP) {
         req.connection.remoteAddress === '127.0.0.1' ||
         req.connection.remoteAddress === '::ffff:127.0.0.1' ||
         req.connection.remoteAddress === '::1';
-      if (!requestIsLocal && !req.secure && !allowInsecureHTTP) {
+      if (!requestIsLocal && !req.secure && !options.allowInsecureHTTP) {
         //Disallow HTTP requests except on localhost, to prevent the master key from being transmitted in cleartext
         return res.send({ success: false, error: 'Parse Dashboard can only be remotely accessed via HTTPS' });
       }

Parse-Dashboard/index.js

@@ -25,13 +25,15 @@ program.option('--allowInsecureHTTP [allowInsecureHTTP]', 'set this flag when yo
 program.option('--sslKey [sslKey]', 'the path to the SSL private key.');
 program.option('--sslCert [sslCert]', 'the path to the SSL certificate.');
 program.option('--trustProxy [trustProxy]', 'set this flag when you are behind a front-facing proxy, such as when hosting on Heroku.  Uses X-Forwarded-* headers to determine the client\'s connection and IP address.');
+program.option('--cookieSessionSecret [cookieSessionSecret]', 'set the cookie session secret, defaults to a random string. You should set that value if you want sessions to work across multiple server, or across restarts');
 
 program.parse(process.argv);
 
 const host = program.host || process.env.HOST || '0.0.0.0';
 const port = program.port || process.env.PORT || 4040;
 const mountPath = program.mountPath || process.env.MOUNT_PATH || '/';
 const allowInsecureHTTP = program.allowInsecureHTTP || process.env.PARSE_DASHBOARD_ALLOW_INSECURE_HTTP;
+const cookieSessionSecret = program.cookieSessionSecret || process.env.PARSE_DASHBOARD_COOKIE_SESSION_SECRET;
 const trustProxy = program.trustProxy || process.env.PARSE_DASHBOARD_TRUST_PROXY;
 
 if (trustProxy && allowInsecureHTTP) {
@@ -115,7 +117,8 @@ p.then(config => {
   if (allowInsecureHTTP || trustProxy) app.enable('trust proxy');
 
   config.data.trustProxy = trustProxy;
-  app.use(mountPath, parseDashboard(config.data, allowInsecureHTTP));
+  let dashboardOptions = { allowInsecureHTTP: allowInsecureHTTP, cookieSessionSecret: cookieSessionSecret };
+  app.use(mountPath, parseDashboard(config.data, dashboardOptions));
   if(!configSSLKey || !configSSLCert){
     // Start the server.
     const server = app.listen(port, host, function () {