Sails: `express-session deprecated req.secret; provide secret option`: after adding `connect-mongo` and configuring its receiver

@navicstein Thanks for posting! We'll take a look as soon as possible.

In the mean time, there are a few ways you can help speed things along:

• look for a workaround. _(Even if it's just temporary, sharing your solution can save someone else a lot of time and effort.)_
• tell us why this issue is important to you and your team. What are you trying to accomplish? _(Submissions with a little bit of human context tend to be easier to understand and faster to resolve.)_
• make sure you've provided clear instructions on how to reproduce the bug from a clean install.
• double-check that you've provided all of the requested version and dependency information. _(Some of this info might seem irrelevant at first, like which database adapter you're using, but we ask that you include it anyway. Oftentimes an issue is caused by a confluence of unexpected factors, and it can save everybody a ton of time to know all the details up front.)_
• read the code of conduct.
• if appropriate, ask your business to sponsor your issue. _(Open source is our passion, and our core maintainers volunteer many of their nights and weekends working on Sails. But you only get so many nights and weekends in life, and stuff gets done a lot faster when you can work on it during normal daylight hours.)_
• let us know if you are using a 3rd party plugin; whether that's a database adapter, a non-standard view engine, or any other dependency maintained by someone other than our core team. _(Besides the name of the 3rd party package, it helps to include the exact version you're using. If you're unsure, check out this list of all the core packages we maintain.)_
  

  ---

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.

Hey, @navicstein! Can you reproduce this error in a fresh Sails app and share the repo?

Thanks!

@madisonhicks i have successfully reproduced #6810 it's at
https://github.com/navicstein/session-dep

please i used pnpm as my package manager, but am pretty sure its not from it.

Hello, i have resolved this issue by installing a lower version of connect-mongo

pnpm install [email protected]  --save-exact 

An after those, depreciation notice was gone, seems like the sails team @madisonhicks @johnabrams7 @tedkulp @sailsbot needs to update sails to support connect-mongo@latest

Any solution for newer version of connect-mongo ?

I have the same issues when using connect-mongo 3.2.0. Following it through on the debugger, it looks like its because connect-mongo deletes the secret option after applying it to the store in index.js line 76. I'm not sure how to get around this but maybe it's an issue there?
Thanks!

I am reproducing this error, but I dont have any particular configuration with mongo-connect, in fact this is my package.json and my express config:

  "devDependencies": {
    "@babel/cli": "^7.2.3",
    "@babel/core": "^7.4.0",
    "@babel/plugin-transform-runtime": "^7.8.3",
    "@babel/register": "^7.4.0",
    "@babel/runtime": "^7.8.4",
    "babel-plugin-import-graphql": "^2.7.0",
    "mocha": "^5.2.0",
    "nodemon": "^1.17.5"
  },
  "dependencies": {
    "@babel/preset-env": "^7.4.2",
    "apollo-server-express": "^2.9.16",
    "bcrypt": "^4.0.0",
    "dotenv": "^8.2.0",
    "express": "^4.17.1",
    "express-graphql": "^0.9.0",
    "express-session": "^1.17.0",
    "graphql": "^14.6.0",
    "graphql-passport": "^0.6.1",
    "lodash": "^4.17.15",
    "merge-graphql-schemas": "^1.7.6",
    "mongoose": "^5.9.1",
    "passport": "^0.4.1",
    "passport-google-token": "^0.1.2",
    "uuid": "^7.0.0"
  }

express:

app.use(session({
  genid: (req) => uuidv4(),
  secret: process.env.SESSION_SECRECT,
  resave: false,
  saveUninitialized: false,
}));

Hey, @navicstein! Can you reproduce this error in a fresh Sails app and share the repo?

Thanks!

I'm reproducing the error code. Please fix this, Team Sails. We are hoping to get it resolved ASAP.
After sails lift
info: Starting app...
express-session deprecated req.secret; provide secret option node_modules\sails\lib\hooks\session\index.js:451:62
.............................................................................
debug: Environment : development
debug: Port : 1337
debug: -------------------------------------------------------

`C:\Users--\Projects\newnode_modules\mongodb\lib\utils.js:725
throw error;
^

MongoServerSelectionError: connection to 3.7.150.83:27017 closed
at Timeout._onTimeout (C:\Users--\Projects\newnode_modules\mongodb\lib\core\sdam\topology.js:430:30)
at listOnTimeout (internal/timers.js:531:17)
at processTimers (internal/timers.js:475:7) {
name: 'MongoServerSelectionError',
reason: TopologyDescription {
type: 'ReplicaSetNoPrimary',
setName: null,
maxSetVersion: null,
maxElectionId: null,
servers: Map {
'cluster-0-shard-00-00-dnb3s.mongodb.net:27017' => [ServerDescription],
'cluster-0-shard-00-01-dnb3s.mongodb.net:27017' => [ServerDescription],
'cluster-0-shard-00-02-dnb3s.mongodb.net:27017' => [ServerDescription]
},
stale: false,
compatible: true,
compatibilityError: null,
logicalSessionTimeoutMinutes: null,
heartbeatFrequencyMS: 10000,
localThresholdMS: 15,
commonWireVersion: null
},
[Symbol(mongoErrorContextSymbol)]: {}
}`

I'm using Sails.js v.1.2.4
db adapter : 'sails-mongo' - Works fine
db session adapter : 'connect-mongo' Problem occurs with latest ver.

Thanks,
Subhradip

I think this should be opened back.

The issue is not solved. It is caused by a change in connect-mongo (specifically this PR, 13 months ago from the moment of writing this: https://github.com/jdesboeufs/connect-mongo/pull/314)

connect-mongo is deleting the session.secret variable from the object, thus, when creating the instance of connect-mongo by passing in the sesion, in /lib/hooks/session/index.js

app.config.session.store = new CustomStore(app.config.session);

the app.config.session.secret no longer exists.

So, when afterSettingUpAdapter is called, creating the actual instance of express-session actually requires that attribute to be set. But our friend connect-mongo decided to delete it.

Options here:
1) wait for connect-mongo to answer my question into their PR (about if there is a real need to delete that secret attribute)
2) create a fix/PR on sails, to just pass in a copy

app.config.session.store = new CustomStore(_.clone(app.config.session));

@mikermcneil @johnabrams7

I had a similar issue and my problem was I was missing the .env file.