In a previous post I wrote about securing my NodeJS service by enforcing authentication using a session token. Now there was another problem: the node service was vulnerable to identity spoofing, because the client tells the service who it is and the service always trusts that claim. This is bad.
Fortunately, the Rails app uses Redis as its session store and already stores the user id in there. So the only thing left to do was for Node to read the session data out of Redis.
After a few hours of experimentation and looking around, I learned a few things:
- Rails serializes the session data before storing it
- Rails uses the Marshal module to serialize session data
- The result of serialization is not plain text, which explains the gibberish characters I saw when I printed it out in redis-cli / nodejs
- Marshal is version sensitive
- There is a nodejs library node-marshal to parse the Ruby Marshal output
- There is a monkey patch to change the default from marshal to JSON
- There is another nodejs library called marsha, but for whatever reason it didn't work for me
So with node-marshal I was able to deserialize the Rails session data and read it in nodejs, closing the door on spoofing attacks.