From ef7aeba5d2e60734f3bd89954f72bc5f275fd923 Mon Sep 17 00:00:00 2001
From: Matt Simerson
Date: Wed, 28 Feb 2024 14:31:44 -0800
Subject: [PATCH] chore(config): guard against prototype pollution
---
 lib/config.js | 1 +
 routes/index.js | 4 +---
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/lib/config.js b/lib/config.js
index d9b2fab..99cfacb 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -48,6 +48,7 @@ class Config {
 function applyDefaults(cfg = {}, defaults = {}) {
   for (const d in defaults) {
+    if (d === "__proto__" || d === "constructor") continue;
     if ([undefined, null].includes(cfg[d])) {
       cfg[d] = defaults[d]
     } else if (typeof cfg[d] === 'object' && typeof defaults[d] === 'object') {
diff --git a/routes/index.js b/routes/index.js
index 3c3d213..66abeed 100644
--- a/routes/index.js
+++ b/routes/index.js
@@ -57,10 +57,8 @@ async function setup() {
     },
   ])
-  const sessionCfg = await Config.get('session')
-
   server.auth.strategy('session', 'cookie', {
-    cookie: sessionCfg.cookie,
+    cookie: httpCfg.cookie,
     validate: async (request, session) => {
       const s = await Session.get({ id: session.nt_user_session_id })
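Review bot: The added guard in applyDefaults uses double quotes and a trailing semicolon while the surrounding lines use single quotes and none, so for consistency it should read `if (d === '__proto__' || d === 'constructor') continue`. Functionally it closes the `__proto__`/`constructor` path, but the protection rests on the key name alone: the recursive `else if` branch at the end of the hunk (its body continues outside the hunk) still descends into whatever `cfg[d]` resolves to, including a value inherited through `cfg`'s prototype chain, and `for...in` likewise walks inherited enumerable keys of `defaults`. Checking `Object.hasOwn(cfg, d)` before recursing, or iterating `Object.keys(defaults)` instead of `for...in`, would make the merge safe independent of the denylist; conventional denylists also include `'prototype'`, which looks harmless for plain objects here but costs nothing to add. A short comment such as `// never merge into keys that reach the prototype chain` would document why the line exists.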