@opensourceframework/next-iron-session 8.0.4

package/LICENSE.md

@@ -0,0 +1,20 @@
+MIT License
+
+Copyright (c) 2021 Vincent Voyer
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,227 @@
+# iron-session ![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/vvo/iron-session/ci.yaml) [![GitHub license](https://img.shields.io/github/license/vvo/iron-session?style=flat)](https://github.com/vvo/iron-session/blob/master/LICENSE) [![npm](https://img.shields.io/npm/v/iron-session)](https://www.npmjs.com/package/iron-session) ![npm](https://img.shields.io/npm/dm/iron-session) ![npm package minimized gzipped size (select exports)](https://img.shields.io/bundlejs/size/iron-session?exports=getIronSession)
+
+**`iron-session` is a secure, stateless, and cookie-based session library for JavaScript.**
+
+The session data is stored in signed and encrypted cookies which are decoded by your server code in a stateless fashion (= no network involved). This is the same technique used by frameworks like
+[Ruby On Rails](https://guides.rubyonrails.org/security.html#session-storage).
+
+<p align="center"><i>Online demo and examples: <a href="https://get-iron-session.vercel.app/">https://get-iron-session.vercel.app</a></i> 👀 <br/>
+ <i>Featured in the <a href="https://nextjs.org/docs/authentication">Next.js documentation</a></i> ⭐️</p>
+
+## Table of Contents
+
+- [Table of Contents](#table-of-contents)
+- [Installation](#installation)
+- [Usage](#usage)
+- [Examples](#examples)
+- [Project status](#project-status)
+- [Session options](#session-options)
+- [API](#api)
+  - [`getIronSession<T>(req, res, sessionOptions): Promise<IronSession<T>>`](#getironsessiontreq-res-sessionoptions-promiseironsessiont)
+  - [`getIronSession<T>(cookieStore, sessionOptions): Promise<IronSession<T>>`](#getironsessiontcookiestore-sessionoptions-promiseironsessiont)
+  - [`session.save(): Promise<void>`](#sessionsave-promisevoid)
+  - [`session.destroy(): void`](#sessiondestroy-void)
+  - [`session.updateConfig(sessionOptions: SessionOptions): void`](#sessionupdateconfigsessionoptions-sessionoptions-void)
+  - [`sealData(data: unknown, { password, ttl }): Promise<string>`](#sealdatadata-unknown--password-ttl--promisestring)
+  - [`unsealData<T>(seal: string, { password, ttl }): Promise<T>`](#unsealdatatseal-string--password-ttl--promiset)
+- [FAQ](#faq)
+  - [Why use pure cookies for sessions?](#why-use-pure-cookies-for-sessions)
+  - [How to invalidate sessions?](#how-to-invalidate-sessions)
+  - [Can I use something else than cookies?](#can-i-use-something-else-than-cookies)
+  - [How is this different from JWT?](#how-is-this-different-from-jwt)
+- [Credits](#credits)
+- [Good Reads](#good-reads)
+
+### Attribution
+
+- **Original Author**: Unknown
+- **Original Repository**: https://github.com/vvo/next-iron-session
+- **Original License**: MIT
+
+
+
+```sh
+pnpm add iron-session
+```
+
+## Usage
+
+*We have extensive examples here too: https://get-iron-session.vercel.app/.*
+
+To get a session, there's a single method to know: `getIronSession`.
+
+```ts
+// Next.js API Routes and Node.js/Express/Connect.
+import { getIronSession } from 'iron-session';
+
+export async function get(req, res) {
+  const session = await getIronSession(req, res, { password: "...", cookieName: "..." });
+  return session;
+}
+
+export async function post(req, res) {
+  const session = await getIronSession(req, res, { password: "...", cookieName: "..." });
+  session.username = "Alison";
+  await session.save();
+}
+```
+
+```ts
+// Next.js Route Handlers (App Router)
+import { cookies } from 'next/headers';
+import { getIronSession } from 'iron-session';
+
+export async function GET() {
+  const session = await getIronSession(cookies(), { password: "...", cookieName: "..." });
+  return session;
+}
+
+export async function POST() {
+  const session = await getIronSession(cookies(), { password: "...", cookieName: "..." });
+  session.username = "Alison";
+  await session.save();
+}
+```
+
+```tsx
+// Next.js Server Components and Server Actions (App Router)
+import { cookies } from 'next/headers';
+import { getIronSession } from 'iron-session';
+
+async function getIronSessionData() {
+  const session = await getIronSession(cookies(), { password: "...", cookieName: "..." });
+  return session
+}
+
+async function Profile() {
+  const session = await getIronSessionData();
+
+  return <div>{session.username}</div>;
+}
+```
+
+## Examples
+
+We have many different patterns and examples on the online demo, have a look: https://get-iron-session.vercel.app/.
+
+## Project status
+
+✅ Production ready and maintained.
+
+## Session options
+
+Two options are required: `password` and `cookieName`. Everything else is automatically computed and usually doesn't need to be changed.****
+
+- `password`, **required**: Private key used to encrypt the cookie. It has to be at least 32 characters long. Use <https://1password.com/password-generator/> to generate strong passwords. `password` can be either a `string` or an `object` with incrementing keys like this: `{2: "...", 1: "..."}` to allow for password rotation.  iron-session will use the highest numbered key for new cookies.
+- `cookieName`, **required**: Name of the cookie to be stored
+- `ttl`, _optional_: In seconds. Default to the equivalent of 14 days. You can set this to `0` and iron-session will compute the maximum allowed value by cookies.
+- `cookieOptions`, _optional_: Any option available from [jshttp/cookie#serialize](https://github.com/jshttp/cookie#cookieserializename-value-options) except for `encode` which is not a Set-Cookie Attribute. See [Mozilla Set-Cookie Attributes](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes) and [Chrome Cookie Fields](https://developer.chrome.com/docs/devtools/application/cookies/#fields). Default to:
+
+  ```js
+  {
+    httpOnly: true,
+    secure: true, // set this to false in local (non-HTTPS) development
+    sameSite: "lax",// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#lax
+    maxAge: (ttl === 0 ? 2147483647 : ttl) - 60, // Expire cookie before the session expires.
+    path: "/",
+  }
+  ```
+
+## API
+
+### `getIronSession<T>(req, res, sessionOptions): Promise<IronSession<T>>`
+
+```ts
+type SessionData = {
+  // Your data
+}
+
+const session = await getIronSession<SessionData>(req, res, sessionOptions);
+```
+
+### `getIronSession<T>(cookieStore, sessionOptions): Promise<IronSession<T>>`
+
+```ts
+type SessionData = {
+  // Your data
+}
+
+const session = await getIronSession<SessionData>(cookies(), sessionOptions);
+```
+
+### `session.save(): Promise<void>`
+
+Saves the session. This is an asynchronous operation. It must be done and awaited before headers are sent to the client.
+
+```ts
+await session.save()
+```
+
+### `session.destroy(): void`
+
+Destroys the session. This is a synchronous operation as it only removes the cookie. It must be done before headers are sent to the client.
+
+```ts
+session.destroy()
+```
+
+### `session.updateConfig(sessionOptions: SessionOptions): void`
+
+Updates the configuration of the session with new session options. You still need to call save() if you want them to be applied.
+
+### `sealData(data: unknown, { password, ttl }): Promise<string>`
+
+This is the underlying method and seal mechanism that powers `iron-session`. You can use it to seal any `data` you want and pass it around. One usecase are magic links: you generate a seal that contains a user id to login and send it to a route on your website (like `/magic-login`). Once received, you can safely decode the seal with `unsealData` and log the user in.
+
+### `unsealData<T>(seal: string, { password, ttl }): Promise<T>`
+
+This is the opposite of `sealData` and allow you to decode a seal to get the original data back.
+
+## FAQ
+
+### Why use pure cookies for sessions?
+
+This makes your sessions stateless: since the data is passed around in cookies, you do not need any server or service to store session data.
+
+More information can also be found on the [Ruby On Rails website](https://guides.rubyonrails.org/security.html#session-storage) which uses the same technique.
+
+### How to invalidate sessions?
+
+Sessions cannot be instantly invalidated (or "disconnect this customer") as there is typically no state stored about sessions on the server by default. However, in most applications, the first step upon receiving an authenticated request is to validate the user and their permissions in the database. So, to easily disconnect customers (or invalidate sessions), you can add an `isBlocked`` state in the database and create a UI to block customers.
+
+Then, every time a request is received that involves reading or altering sensitive data, make sure to check this flag.
+
+### Can I use something else than cookies?
+
+Yes, we expose `sealData` and `unsealData` which are not tied to cookies. This way you can seal and unseal any object in your application and move seals around to login users.
+
+### How is this different from [JWT](https://jwt.io/)?
+
+Not so much:
+
+- JWT is a standard, it stores metadata in the JWT token themselves to ensure communication between different systems is flawless.
+- JWT tokens are not encrypted, the payload is visible by customers if they manage to inspect the seal. You would have to use [JWE](https://tools.ietf.org/html/rfc7516) to achieve the same.
+- @hapi/iron mechanism is not a standard, it's a way to sign and encrypt data into seals
+
+Depending on your own needs and preferences, `iron-session` may or may not fit you.
+
+## Credits
+
+- [Eran Hammer and hapi.js contributors](https://github.com/hapijs/iron/graphs/contributors)
+  for creating the underlying cryptography library
+  [`@hapi/iron`](https://hapi.dev/module/iron/).
+- [Divyansh Singh](https://github.com/brc-dd) for reimplementing `@hapi/iron` as
+  [`iron-webcrypto`](https://github.com/brc-dd/iron-webcrypto) using standard
+  web APIs.
+- [Hoang Vo](https://github.com/hoangvvo) for advice and guidance while building
+  this module. Hoang built
+  [`next-connect`](https://github.com/hoangvvo/next-connect) and
+  [`next-session`](https://github.com/hoangvvo/next-session).
+- All the
+  [contributors](https://github.com/vvo/iron-session/graphs/contributors) for
+  making this project better.
+
+## Good Reads
+
+- <https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html>
+- <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html>

package/dist/index.cjs

@@ -0,0 +1,295 @@
+'use strict';
+
+var cookie = require('cookie');
+var ironWebcrypto = require('iron-webcrypto');
+var crypto = require('uncrypto');
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var crypto__namespace = /*#__PURE__*/_interopNamespace(crypto);
+
+// src/core.ts
+var timestampSkewSec = 60;
+var fourteenDaysInSeconds = 14 * 24 * 3600;
+var currentMajorVersion = 2;
+var versionDelimiter = "~";
+var defaultOptions = {
+  ttl: fourteenDaysInSeconds,
+  cookieOptions: { httpOnly: true, secure: true, sameSite: "lax", path: "/" }
+};
+function normalizeStringPasswordToMap(password) {
+  return typeof password === "string" ? { 1: password } : password;
+}
+function parseSeal(seal) {
+  const [sealWithoutVersion, tokenVersionAsString] = seal.split(versionDelimiter);
+  const tokenVersion = tokenVersionAsString == null ? null : parseInt(tokenVersionAsString, 10);
+  return { sealWithoutVersion, tokenVersion };
+}
+function computeCookieMaxAge(ttl) {
+  if (ttl === 0) {
+    return 2147483647;
+  }
+  return ttl - timestampSkewSec;
+}
+function getCookie(req, cookieName) {
+  return cookie.parse(
+    ("headers" in req && typeof req.headers.get === "function" ? req.headers.get("cookie") : req.headers.cookie) ?? ""
+  )[cookieName] ?? "";
+}
+function getServerActionCookie(cookieName, cookieHandler) {
+  const cookieObject = cookieHandler.get(cookieName);
+  const cookie = cookieObject?.value;
+  if (typeof cookie === "string") {
+    return cookie;
+  }
+  return "";
+}
+function setCookie(res, cookieValue) {
+  if ("headers" in res && typeof res.headers.append === "function") {
+    res.headers.append("set-cookie", cookieValue);
+    return;
+  }
+  let existingSetCookie = res.getHeader("set-cookie") ?? [];
+  if (!Array.isArray(existingSetCookie)) {
+    existingSetCookie = [existingSetCookie.toString()];
+  }
+  res.setHeader("set-cookie", [
+    ...existingSetCookie,
+    cookieValue
+  ]);
+}
+function createSealData(_crypto) {
+  return async function sealData2(data, {
+    password,
+    ttl = fourteenDaysInSeconds
+  }) {
+    const passwordsMap = normalizeStringPasswordToMap(password);
+    const mostRecentPasswordId = Math.max(
+      ...Object.keys(passwordsMap).map(Number)
+    );
+    const passwordForSeal = {
+      id: mostRecentPasswordId.toString(),
+      secret: passwordsMap[mostRecentPasswordId]
+    };
+    const seal = await ironWebcrypto.seal(_crypto, data, passwordForSeal, {
+      ...ironWebcrypto.defaults,
+      ttl: ttl * 1e3
+    });
+    return `${seal}${versionDelimiter}${currentMajorVersion}`;
+  };
+}
+function createUnsealData(_crypto) {
+  return async function unsealData2(seal, {
+    password,
+    ttl = fourteenDaysInSeconds
+  }) {
+    const passwordsMap = normalizeStringPasswordToMap(password);
+    const { sealWithoutVersion, tokenVersion } = parseSeal(seal);
+    try {
+      const data = await ironWebcrypto.unseal(_crypto, sealWithoutVersion, passwordsMap, {
+        ...ironWebcrypto.defaults,
+        ttl: ttl * 1e3
+      }) ?? {};
+      if (tokenVersion === 2) {
+        return data;
+      }
+      return { ...data.persistent };
+    } catch (error) {
+      if (error instanceof Error && /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components)/.test(
+        error.message
+      )) {
+        return {};
+      }
+      throw error;
+    }
+  };
+}
+function getSessionConfig(sessionOptions) {
+  const options = {
+    ...defaultOptions,
+    ...sessionOptions,
+    cookieOptions: {
+      ...defaultOptions.cookieOptions,
+      ...sessionOptions.cookieOptions || {}
+    }
+  };
+  if (sessionOptions.cookieOptions && "maxAge" in sessionOptions.cookieOptions) {
+    if (sessionOptions.cookieOptions.maxAge === void 0) {
+      options.ttl = 0;
+    }
+  } else {
+    options.cookieOptions.maxAge = computeCookieMaxAge(options.ttl);
+  }
+  return options;
+}
+var badUsageMessage = "iron-session: Bad usage: use getIronSession(req, res, options) or getIronSession(cookieStore, options).";
+function createGetIronSession(sealData2, unsealData2) {
+  return getIronSession2;
+  async function getIronSession2(reqOrCookieStore, resOrsessionOptions, sessionOptions) {
+    if (!reqOrCookieStore) {
+      throw new Error(badUsageMessage);
+    }
+    if (!resOrsessionOptions) {
+      throw new Error(badUsageMessage);
+    }
+    if (!sessionOptions) {
+      return getIronSessionFromCookieStore(
+        reqOrCookieStore,
+        resOrsessionOptions,
+        sealData2,
+        unsealData2
+      );
+    }
+    const req = reqOrCookieStore;
+    const res = resOrsessionOptions;
+    if (!sessionOptions) {
+      throw new Error(badUsageMessage);
+    }
+    if (!sessionOptions.cookieName) {
+      throw new Error("iron-session: Bad usage. Missing cookie name.");
+    }
+    if (!sessionOptions.password) {
+      throw new Error("iron-session: Bad usage. Missing password.");
+    }
+    const passwordsMap = normalizeStringPasswordToMap(sessionOptions.password);
+    if (Object.values(passwordsMap).some((password) => password.length < 32)) {
+      throw new Error(
+        "iron-session: Bad usage. Password must be at least 32 characters long."
+      );
+    }
+    let sessionConfig = getSessionConfig(sessionOptions);
+    const sealFromCookies = getCookie(req, sessionConfig.cookieName);
+    const session = sealFromCookies ? await unsealData2(sealFromCookies, {
+      password: passwordsMap,
+      ttl: sessionConfig.ttl
+    }) : {};
+    Object.defineProperties(session, {
+      updateConfig: {
+        value: function updateConfig(newSessionOptions) {
+          sessionConfig = getSessionConfig(newSessionOptions);
+        }
+      },
+      save: {
+        value: async function save() {
+          if ("headersSent" in res && res.headersSent) {
+            throw new Error(
+              "iron-session: Cannot set session cookie: session.save() was called after headers were sent. Make sure to call it before any res.send() or res.end()"
+            );
+          }
+          const seal = await sealData2(session, {
+            password: passwordsMap,
+            ttl: sessionConfig.ttl
+          });
+          const cookieValue = cookie.serialize(
+            sessionConfig.cookieName,
+            seal,
+            sessionConfig.cookieOptions
+          );
+          if (cookieValue.length > 4096) {
+            throw new Error(
+              `iron-session: Cookie length is too big (${cookieValue.length} bytes), browsers will refuse it. Try to remove some data.`
+            );
+          }
+          setCookie(res, cookieValue);
+        }
+      },
+      destroy: {
+        value: function destroy() {
+          Object.keys(session).forEach((key) => {
+            delete session[key];
+          });
+          const cookieValue = cookie.serialize(sessionConfig.cookieName, "", {
+            ...sessionConfig.cookieOptions,
+            maxAge: 0
+          });
+          setCookie(res, cookieValue);
+        }
+      }
+    });
+    return session;
+  }
+}
+async function getIronSessionFromCookieStore(cookieStore, sessionOptions, sealData2, unsealData2) {
+  if (!sessionOptions.cookieName) {
+    throw new Error("iron-session: Bad usage. Missing cookie name.");
+  }
+  if (!sessionOptions.password) {
+    throw new Error("iron-session: Bad usage. Missing password.");
+  }
+  const passwordsMap = normalizeStringPasswordToMap(sessionOptions.password);
+  if (Object.values(passwordsMap).some((password) => password.length < 32)) {
+    throw new Error(
+      "iron-session: Bad usage. Password must be at least 32 characters long."
+    );
+  }
+  let sessionConfig = getSessionConfig(sessionOptions);
+  const sealFromCookies = getServerActionCookie(
+    sessionConfig.cookieName,
+    cookieStore
+  );
+  const session = sealFromCookies ? await unsealData2(sealFromCookies, {
+    password: passwordsMap,
+    ttl: sessionConfig.ttl
+  }) : {};
+  Object.defineProperties(session, {
+    updateConfig: {
+      value: function updateConfig(newSessionOptions) {
+        sessionConfig = getSessionConfig(newSessionOptions);
+      }
+    },
+    save: {
+      value: async function save() {
+        const seal = await sealData2(session, {
+          password: passwordsMap,
+          ttl: sessionConfig.ttl
+        });
+        const cookieLength = sessionConfig.cookieName.length + seal.length + JSON.stringify(sessionConfig.cookieOptions).length;
+        if (cookieLength > 4096) {
+          throw new Error(
+            `iron-session: Cookie length is too big (${cookieLength} bytes), browsers will refuse it. Try to remove some data.`
+          );
+        }
+        cookieStore.set(
+          sessionConfig.cookieName,
+          seal,
+          sessionConfig.cookieOptions
+        );
+      }
+    },
+    destroy: {
+      value: function destroy() {
+        Object.keys(session).forEach((key) => {
+          delete session[key];
+        });
+        const cookieOptions = { ...sessionConfig.cookieOptions, maxAge: 0 };
+        cookieStore.set(sessionConfig.cookieName, "", cookieOptions);
+      }
+    }
+  });
+  return session;
+}
+var sealData = createSealData(crypto__namespace);
+var unsealData = createUnsealData(crypto__namespace);
+var getIronSession = createGetIronSession(sealData, unsealData);
+
+exports.getIronSession = getIronSession;
+exports.sealData = sealData;
+exports.unsealData = unsealData;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/core.ts","../src/index.ts"],"names":["parse","sealData","ironSeal","ironDefaults","unsealData","ironUnseal","getIronSession","serialize","crypto"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAuHA,IAAM,gBAAmB,GAAA,EAAA;AACzB,IAAM,qBAAA,GAAwB,KAAK,EAAK,GAAA,IAAA;AAIxC,IAAM,mBAAsB,GAAA,CAAA;AAC5B,IAAM,gBAAmB,GAAA,GAAA;AAEzB,IAAM,cACJ,GAAA;AAAA,EACE,GAAK,EAAA,qBAAA;AAAA,EACL,aAAA,EAAe,EAAE,QAAU,EAAA,IAAA,EAAM,QAAQ,IAAM,EAAA,QAAA,EAAU,KAAO,EAAA,IAAA,EAAM,GAAI;AAC5E,CAAA;AAEF,SAAS,6BAA6B,QAAkC,EAAA;AACtE,EAAA,OAAO,OAAO,QAAa,KAAA,QAAA,GAAW,EAAE,CAAA,EAAG,UAAa,GAAA,QAAA;AAC1D;AAEA,SAAS,UAAU,IAGjB,EAAA;AACA,EAAA,MAAM,CAAC,kBAAoB,EAAA,oBAAoB,CAC7C,GAAA,IAAA,CAAK,MAAM,gBAAgB,CAAA;AAC7B,EAAA,MAAM,eACJ,oBAAwB,IAAA,IAAA,GAAO,IAAO,GAAA,QAAA,CAAS,sBAAsB,EAAE,CAAA;AAGzE,EAAO,OAAA,EAAE,oBAAyC,YAAa,EAAA;AACjE;AAEA,SAAS,oBAAoB,GAAqB,EAAA;AAChD,EAAA,IAAI,QAAQ,CAAG,EAAA;AAKb,IAAO,OAAA,UAAA;AAAA;AAKT,EAAA,OAAO,GAAM,GAAA,gBAAA;AACf;AAEA,SAAS,SAAA,CAAU,KAAkB,UAA4B,EAAA;AAC/D,EACE,OAAAA,YAAA;AAAA,IAAA,CACG,SAAa,IAAA,GAAA,IAAO,OAAO,GAAA,CAAI,QAAQ,GAAQ,KAAA,UAAA,GAC5C,GAAI,CAAA,OAAA,CAAQ,GAAI,CAAA,QAAQ,CACvB,GAAA,GAAA,CAAwB,QAAQ,MAAW,KAAA;AAAA,GAClD,CAAE,UAAU,CAAK,IAAA,EAAA;AAErB;AAEA,SAAS,qBAAA,CACP,YACA,aACQ,EAAA;AACR,EAAM,MAAA,YAAA,GAAe,aAAc,CAAA,GAAA,CAAI,UAAU,CAAA;AACjD,EAAA,MAAM,SAAS,YAAc,EAAA,KAAA;AAC7B,EAAI,IAAA,OAAO,WAAW,QAAU,EAAA;AAC9B,IAAO,OAAA,MAAA;AAAA;AAET,EAAO,OAAA,EAAA;AACT;AAEA,SAAS,SAAA,CAAU,KAAmB,WAA2B,EAAA;AAC/D,EAAA,IAAI,aAAa,GAAO,IAAA,OAAO,GAAI,CAAA,OAAA,CAAQ,WAAW,UAAY,EAAA;AAChE,IAAI,GAAA,CAAA,OAAA,CAAQ,MAAO,CAAA,YAAA,EAAc,WAAW,CAAA;AAC5C,IAAA;AAAA;AAEF,EAAA,IAAI,iBAAqB,GAAA,GAAA,CAAuB,SAAU,CAAA,YAAY,KAAK,EAAC;AAC5E,EAAA,IAAI,CAAC,KAAA,CAAM,OAAQ,CAAA,iBAAiB,CAAG,EAAA;AACrC,IAAoB,iBAAA,GAAA,CAAC,iBAAkB,CAAA,QAAA,EAAU,CAAA;AAAA;AAEnD,EAAC,GAAA,CAAuB,UAAU,YAAc,EAAA;AAAA,IAC9C,GAAG,iBAAA;AAAA,IACH;AAAA,GACD,CAAA;AACH;AAEO,SAAS,eAAe,OAAiB,EAAA;AAC9C,EAAO,OAAA,eAAeC,UACpB,IACA,EAAA;AAAA,IACE,QAAA;AAAA,IACA,GAAM,GAAA;AAAA,GAES,EAAA;AACjB,IAAM,MAAA,YAAA,GAAe,6BAA6B,QAAQ,CAAA;AAE1D,IAAA,MAAM,uBAAuB,IAAK,CAAA,GAAA;AAAA,MAChC,GAAG,MAAO,CAAA,IAAA,CAAK,YAAY,CAAA,CAAE,IAAI,MAAM;AAAA,KACzC;AACA,IAAA,MAAM,eAAkB,GAAA;AAAA,MACtB,EAAA,EAAI,qBAAqB,QAAS,EAAA;AAAA,MAClC,MAAA,EAAQ,aAAa,oBAAoB;AAAA,KAC3C;AAEA,IAAA,MAAM,IAAO,GAAA,MAAMC,kBAAS,CAAA,OAAA,EAAS,MAAM,eAAiB,EAAA;AAAA,MAC1D,GAAGC,sBAAA;AAAA,MACH,KAAK,GAAM,GAAA;AAAA,KACZ,CAAA;AAED,IAAA,OAAO,CAAG,EAAA,IAAI,CAAG,EAAA,gBAAgB,GAAG,mBAAmB,CAAA,CAAA;AAAA,GACzD;AACF;AAEO,SAAS,iBAAiB,OAAiB,EAAA;AAChD,EAAO,OAAA,eAAeC,YACpB,IACA,EAAA;AAAA,IACE,QAAA;AAAA,IACA,GAAM,GAAA;AAAA,GAEI,EAAA;AACZ,IAAM,MAAA,YAAA,GAAe,6BAA6B,QAAQ,CAAA;AAC1D,IAAA,MAAM,EAAE,kBAAA,EAAoB,YAAa,EAAA,GAAI,UAAU,IAAI,CAAA;AAE3D,IAAI,IAAA;AACF,MAAA,MAAM,IACH,GAAA,MAAMC,oBAAW,CAAA,OAAA,EAAS,oBAAoB,YAAc,EAAA;AAAA,QAC3D,GAAGF,sBAAA;AAAA,QACH,KAAK,GAAM,GAAA;AAAA,OACZ,KAAM,EAAC;AAEV,MAAA,IAAI,iBAAiB,CAAG,EAAA;AACtB,QAAO,OAAA,IAAA;AAAA;AAIT,MAAO,OAAA,EAAE,GAAG,IAAA,CAAK,UAAW,EAAA;AAAA,aACrB,KAAO,EAAA;AACd,MACE,IAAA,KAAA,YAAiB,SACjB,2FAA4F,CAAA,IAAA;AAAA,QAC1F,KAAM,CAAA;AAAA,OAER,EAAA;AAKA,QAAA,OAAO,EAAC;AAAA;AAGV,MAAM,MAAA,KAAA;AAAA;AACR,GACF;AACF;AAEA,SAAS,iBACP,cAC0B,EAAA;AAC1B,EAAA,MAAM,OAAU,GAAA;AAAA,IACd,GAAG,cAAA;AAAA,IACH,GAAG,cAAA;AAAA,IACH,aAAe,EAAA;AAAA,MACb,GAAG,cAAe,CAAA,aAAA;AAAA,MAClB,GAAI,cAAe,CAAA,aAAA,IAAiB;AAAC;AACvC,GACF;AAEA,EAAA,IACE,cAAe,CAAA,aAAA,IACf,QAAY,IAAA,cAAA,CAAe,aAC3B,EAAA;AACA,IAAI,IAAA,cAAA,CAAe,aAAc,CAAA,MAAA,KAAW,MAAW,EAAA;AAErD,MAAA,OAAA,CAAQ,GAAM,GAAA,CAAA;AAAA;AAChB,GACK,MAAA;AACL,IAAA,OAAA,CAAQ,aAAc,CAAA,MAAA,GAAS,mBAAoB,CAAA,OAAA,CAAQ,GAAG,CAAA;AAAA;AAGhE,EAAO,OAAA,OAAA;AACT;AAEA,IAAM,eACJ,GAAA,yGAAA;AAEK,SAAS,oBAAA,CACdF,WACAG,WACA,EAAA;AACA,EAAOE,OAAAA,eAAAA;AAWP,EAAeA,eAAAA,eAAAA,CACb,gBACA,EAAA,mBAAA,EACA,cACyB,EAAA;AACzB,IAAA,IAAI,CAAC,gBAAkB,EAAA;AACrB,MAAM,MAAA,IAAI,MAAM,eAAe,CAAA;AAAA;AAGjC,IAAA,IAAI,CAAC,mBAAqB,EAAA;AACxB,MAAM,MAAA,IAAI,MAAM,eAAe,CAAA;AAAA;AAGjC,IAAA,IAAI,CAAC,cAAgB,EAAA;AACnB,MAAO,OAAA,6BAAA;AAAA,QACL,gBAAA;AAAA,QACA,mBAAA;AAAA,QACAL,SAAAA;AAAA,QACAG;AAAA,OACF;AAAA;AAGF,IAAA,MAAM,GAAM,GAAA,gBAAA;AACZ,IAAA,MAAM,GAAM,GAAA,mBAAA;AAEZ,IAAA,IAAI,CAAC,cAAgB,EAAA;AACnB,MAAM,MAAA,IAAI,MAAM,eAAe,CAAA;AAAA;AAGjC,IAAI,IAAA,CAAC,eAAe,UAAY,EAAA;AAC9B,MAAM,MAAA,IAAI,MAAM,+CAA+C,CAAA;AAAA;AAGjE,IAAI,IAAA,CAAC,eAAe,QAAU,EAAA;AAC5B,MAAM,MAAA,IAAI,MAAM,4CAA4C,CAAA;AAAA;AAG9D,IAAM,MAAA,YAAA,GAAe,4BAA6B,CAAA,cAAA,CAAe,QAAQ,CAAA;AAEzE,IAAI,IAAA,MAAA,CAAO,MAAO,CAAA,YAAY,CAAE,CAAA,IAAA,CAAK,CAAC,QAAa,KAAA,QAAA,CAAS,MAAS,GAAA,EAAE,CAAG,EAAA;AACxE,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA;AAGF,IAAI,IAAA,aAAA,GAAgB,iBAAiB,cAAc,CAAA;AAEnD,IAAA,MAAM,eAAkB,GAAA,SAAA,CAAU,GAAK,EAAA,aAAA,CAAc,UAAU,CAAA;AAC/D,IAAA,MAAM,OAAU,GAAA,eAAA,GACZ,MAAMA,WAAAA,CAAc,eAAiB,EAAA;AAAA,MACnC,QAAU,EAAA,YAAA;AAAA,MACV,KAAK,aAAc,CAAA;AAAA,KACpB,IACA,EAAC;AAEN,IAAA,MAAA,CAAO,iBAAiB,OAAS,EAAA;AAAA,MAC/B,YAAc,EAAA;AAAA,QACZ,KAAA,EAAO,SAAS,YAAA,CAAa,iBAAmC,EAAA;AAC9D,UAAA,aAAA,GAAgB,iBAAiB,iBAAiB,CAAA;AAAA;AACpD,OACF;AAAA,MACA,IAAM,EAAA;AAAA,QACJ,KAAA,EAAO,eAAe,IAAO,GAAA;AAC3B,UAAI,IAAA,aAAA,IAAiB,GAAO,IAAA,GAAA,CAAI,WAAa,EAAA;AAC3C,YAAA,MAAM,IAAI,KAAA;AAAA,cACR;AAAA,aACF;AAAA;AAGF,UAAM,MAAA,IAAA,GAAO,MAAMH,SAAAA,CAAS,OAAS,EAAA;AAAA,YACnC,QAAU,EAAA,YAAA;AAAA,YACV,KAAK,aAAc,CAAA;AAAA,WACpB,CAAA;AACD,UAAA,MAAM,WAAc,GAAAM,gBAAA;AAAA,YAClB,aAAc,CAAA,UAAA;AAAA,YACd,IAAA;AAAA,YACA,aAAc,CAAA;AAAA,WAChB;AAEA,UAAI,IAAA,WAAA,CAAY,SAAS,IAAM,EAAA;AAC7B,YAAA,MAAM,IAAI,KAAA;AAAA,cACR,CAAA,wCAAA,EAA2C,YAAY,MAAM,CAAA,0DAAA;AAAA,aAC/D;AAAA;AAGF,UAAA,SAAA,CAAU,KAAK,WAAW,CAAA;AAAA;AAC5B,OACF;AAAA,MAEA,OAAS,EAAA;AAAA,QACP,KAAA,EAAO,SAAS,OAAU,GAAA;AACxB,UAAA,MAAA,CAAO,IAAK,CAAA,OAAO,CAAE,CAAA,OAAA,CAAQ,CAAC,GAAQ,KAAA;AACpC,YAAA,OAAQ,QAAoC,GAAG,CAAA;AAAA,WAChD,CAAA;AACD,UAAA,MAAM,WAAc,GAAAA,gBAAA,CAAU,aAAc,CAAA,UAAA,EAAY,EAAI,EAAA;AAAA,YAC1D,GAAG,aAAc,CAAA,aAAA;AAAA,YACjB,MAAQ,EAAA;AAAA,WACT,CAAA;AAED,UAAA,SAAA,CAAU,KAAK,WAAW,CAAA;AAAA;AAC5B;AACF,KACD,CAAA;AAED,IAAO,OAAA,OAAA;AAAA;AAEX;AAEA,eAAe,6BACb,CAAA,WAAA,EACA,cACAN,EAAAA,SAAAA,EACAG,WACyB,EAAA;AACzB,EAAI,IAAA,CAAC,eAAe,UAAY,EAAA;AAC9B,IAAM,MAAA,IAAI,MAAM,+CAA+C,CAAA;AAAA;AAGjE,EAAI,IAAA,CAAC,eAAe,QAAU,EAAA;AAC5B,IAAM,MAAA,IAAI,MAAM,4CAA4C,CAAA;AAAA;AAG9D,EAAM,MAAA,YAAA,GAAe,4BAA6B,CAAA,cAAA,CAAe,QAAQ,CAAA;AAEzE,EAAI,IAAA,MAAA,CAAO,MAAO,CAAA,YAAY,CAAE,CAAA,IAAA,CAAK,CAAC,QAAa,KAAA,QAAA,CAAS,MAAS,GAAA,EAAE,CAAG,EAAA;AACxE,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA;AAGF,EAAI,IAAA,aAAA,GAAgB,iBAAiB,cAAc,CAAA;AACnD,EAAA,MAAM,eAAkB,GAAA,qBAAA;AAAA,IACtB,aAAc,CAAA,UAAA;AAAA,IACd;AAAA,GACF;AACA,EAAA,MAAM,OAAU,GAAA,eAAA,GACZ,MAAMA,WAAAA,CAAc,eAAiB,EAAA;AAAA,IACnC,QAAU,EAAA,YAAA;AAAA,IACV,KAAK,aAAc,CAAA;AAAA,GACpB,IACA,EAAC;AAEN,EAAA,MAAA,CAAO,iBAAiB,OAAS,EAAA;AAAA,IAC/B,YAAc,EAAA;AAAA,MACZ,KAAA,EAAO,SAAS,YAAA,CAAa,iBAAmC,EAAA;AAC9D,QAAA,aAAA,GAAgB,iBAAiB,iBAAiB,CAAA;AAAA;AACpD,KACF;AAAA,IACA,IAAM,EAAA;AAAA,MACJ,KAAA,EAAO,eAAe,IAAO,GAAA;AAC3B,QAAM,MAAA,IAAA,GAAO,MAAMH,SAAAA,CAAS,OAAS,EAAA;AAAA,UACnC,QAAU,EAAA,YAAA;AAAA,UACV,KAAK,aAAc,CAAA;AAAA,SACpB,CAAA;AAED,QAAM,MAAA,YAAA,GACJ,aAAc,CAAA,UAAA,CAAW,MACzB,GAAA,IAAA,CAAK,SACL,IAAK,CAAA,SAAA,CAAU,aAAc,CAAA,aAAa,CAAE,CAAA,MAAA;AAE9C,QAAA,IAAI,eAAe,IAAM,EAAA;AACvB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,2CAA2C,YAAY,CAAA,0DAAA;AAAA,WACzD;AAAA;AAGF,QAAY,WAAA,CAAA,GAAA;AAAA,UACV,aAAc,CAAA,UAAA;AAAA,UACd,IAAA;AAAA,UACA,aAAc,CAAA;AAAA,SAChB;AAAA;AACF,KACF;AAAA,IAEA,OAAS,EAAA;AAAA,MACP,KAAA,EAAO,SAAS,OAAU,GAAA;AACxB,QAAA,MAAA,CAAO,IAAK,CAAA,OAAO,CAAE,CAAA,OAAA,CAAQ,CAAC,GAAQ,KAAA;AACpC,UAAA,OAAQ,QAAoC,GAAG,CAAA;AAAA,SAChD,CAAA;AAED,QAAA,MAAM,gBAAgB,EAAE,GAAG,aAAc,CAAA,aAAA,EAAe,QAAQ,CAAE,EAAA;AAClE,QAAA,WAAA,CAAY,GAAI,CAAA,aAAA,CAAc,UAAY,EAAA,EAAA,EAAI,aAAa,CAAA;AAAA;AAC7D;AACF,GACD,CAAA;AAED,EAAO,OAAA,OAAA;AACT;AC9ea,IAAA,QAAA,GAAW,eAAeO,iBAAM;AAChC,IAAA,UAAA,GAAa,iBAAiBA,iBAAM;AACpC,IAAA,cAAA,GAAiB,oBAAqB,CAAA,QAAA,EAAU,UAAU","file":"index.cjs","sourcesContent":["import type { IncomingMessage, ServerResponse } from \"http\";\nimport { parse, serialize, type CookieSerializeOptions } from \"cookie\";\nimport {\n  defaults as ironDefaults,\n  seal as ironSeal,\n  unseal as ironUnseal,\n} from \"iron-webcrypto\";\n\ntype PasswordsMap = Record<string, string>;\ntype Password = PasswordsMap | string;\ntype RequestType = IncomingMessage | Request;\ntype ResponseType = Response | ServerResponse;\n\n/**\n * {@link https://wicg.github.io/cookie-store/#dictdef-cookielistitem CookieListItem}\n * as specified by W3C.\n */\ninterface CookieListItem\n  extends Pick<\n    CookieSerializeOptions,\n    \"domain\" | \"path\" | \"sameSite\" | \"secure\"\n  > {\n  /** A string with the name of a cookie. */\n  name: string;\n  /** A string containing the value of the cookie. */\n  value: string;\n  /** A number of milliseconds or Date interface containing the expires of the cookie. */\n  expires?: CookieSerializeOptions[\"expires\"] | number;\n}\n\n/**\n * Superset of {@link CookieListItem} extending it with\n * the `httpOnly`, `maxAge` and `priority` properties.\n */\ntype ResponseCookie = CookieListItem &\n  Pick<CookieSerializeOptions, \"httpOnly\" | \"maxAge\" | \"priority\">;\n\n/**\n * The high-level type definition of the .get() and .set() methods\n * of { cookies() } from \"next/headers\"\n */\nexport interface CookieStore {\n  get: (name: string) => { name: string; value: string } | undefined;\n  set: {\n    (name: string, value: string, cookie?: Partial<ResponseCookie>): void;\n    (options: ResponseCookie): void;\n  };\n}\n\n/**\n * Set-Cookie Attributes do not include `encode`. We omit this from our `cookieOptions` type.\n *\n * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie\n * @see https://developer.chrome.com/docs/devtools/application/cookies/\n */\ntype CookieOptions = Omit<CookieSerializeOptions, \"encode\">;\n\nexport interface SessionOptions {\n  /**\n   * The cookie name that will be used inside the browser. Make sure it's unique\n   * given your application.\n   *\n   * @example 'vercel-session'\n   */\n  cookieName: string;\n\n  /**\n   * The password(s) that will be used to encrypt the cookie. Can either be a string\n   * or an object.\n   *\n   * When you provide multiple passwords then all of them will be used to decrypt\n   * the cookie. But only the most recent (`= highest key`, `2` in the example)\n   * password will be used to encrypt the cookie. This allows password rotation.\n   *\n   * @example { 1: 'password-1', 2: 'password-2' }\n   */\n  password: Password;\n\n  /**\n   * The time (in seconds) that the session will be valid for. Also sets the\n   * `max-age` attribute of the cookie automatically (`= ttl - 60s`, so that the\n   * cookie always expire before the session).\n   *\n   * `ttl = 0` means no expiration.\n   *\n   * @default 1209600\n   */\n  ttl?: number;\n\n  /**\n   * The options that will be passed to the cookie library.\n   *\n   * If you want to use \"session cookies\" (cookies that are deleted when the browser\n   * is closed) then you need to pass `cookieOptions: { maxAge: undefined }`\n   *\n   * @see https://github.com/jshttp/cookie#options-1\n   */\n  cookieOptions?: CookieOptions;\n}\n\nexport type IronSession<T> = T & {\n  /**\n   * Encrypts the session data and sets the cookie.\n   */\n  readonly save: () => Promise<void>;\n\n  /**\n   * Destroys the session data and removes the cookie.\n   */\n  readonly destroy: () => void;\n\n  /**\n   * Update the session configuration. You still need to call save() to send the new cookie.\n   */\n  readonly updateConfig: (newSessionOptions: SessionOptions) => void;\n};\n\n// default time allowed to check for iron seal validity when ttl passed\n// see https://hapi.dev/module/iron/api/?v=7.0.1#options\nconst timestampSkewSec = 60;\nconst fourteenDaysInSeconds = 14 * 24 * 3600;\n\n// We store a token major version to handle data format changes so that the cookies\n// can be kept alive between upgrades, no need to disconnect everyone.\nconst currentMajorVersion = 2;\nconst versionDelimiter = \"~\";\n\nconst defaultOptions: Required<Pick<SessionOptions, \"ttl\" | \"cookieOptions\">> =\n  {\n    ttl: fourteenDaysInSeconds,\n    cookieOptions: { httpOnly: true, secure: true, sameSite: \"lax\", path: \"/\" },\n  };\n\nfunction normalizeStringPasswordToMap(password: Password): PasswordsMap {\n  return typeof password === \"string\" ? { 1: password } : password;\n}\n\nfunction parseSeal(seal: string): {\n  sealWithoutVersion: string;\n  tokenVersion: number | null;\n} {\n  const [sealWithoutVersion, tokenVersionAsString] =\n    seal.split(versionDelimiter);\n  const tokenVersion =\n    tokenVersionAsString == null ? null : parseInt(tokenVersionAsString, 10);\n\n  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n  return { sealWithoutVersion: sealWithoutVersion!, tokenVersion };\n}\n\nfunction computeCookieMaxAge(ttl: number): number {\n  if (ttl === 0) {\n    // ttl = 0 means no expiration\n    // but in reality cookies have to expire (can't have no max-age)\n    // 2147483647 is the max value for max-age in cookies\n    // see https://stackoverflow.com/a/11685301/147079\n    return 2147483647;\n  }\n\n  // The next line makes sure browser will expire cookies before seals are considered expired by the server.\n  // It also allows for clock difference of 60 seconds between server and clients.\n  return ttl - timestampSkewSec;\n}\n\nfunction getCookie(req: RequestType, cookieName: string): string {\n  return (\n    parse(\n      (\"headers\" in req && typeof req.headers.get === \"function\"\n        ? req.headers.get(\"cookie\")\n        : (req as IncomingMessage).headers.cookie) ?? \"\",\n    )[cookieName] ?? \"\"\n  );\n}\n\nfunction getServerActionCookie(\n  cookieName: string,\n  cookieHandler: CookieStore,\n): string {\n  const cookieObject = cookieHandler.get(cookieName);\n  const cookie = cookieObject?.value;\n  if (typeof cookie === \"string\") {\n    return cookie;\n  }\n  return \"\";\n}\n\nfunction setCookie(res: ResponseType, cookieValue: string): void {\n  if (\"headers\" in res && typeof res.headers.append === \"function\") {\n    res.headers.append(\"set-cookie\", cookieValue);\n    return;\n  }\n  let existingSetCookie = (res as ServerResponse).getHeader(\"set-cookie\") ?? [];\n  if (!Array.isArray(existingSetCookie)) {\n    existingSetCookie = [existingSetCookie.toString()];\n  }\n  (res as ServerResponse).setHeader(\"set-cookie\", [\n    ...existingSetCookie,\n    cookieValue,\n  ]);\n}\n\nexport function createSealData(_crypto: Crypto) {\n  return async function sealData(\n    data: unknown,\n    {\n      password,\n      ttl = fourteenDaysInSeconds,\n    }: { password: Password; ttl?: number },\n  ): Promise<string> {\n    const passwordsMap = normalizeStringPasswordToMap(password);\n\n    const mostRecentPasswordId = Math.max(\n      ...Object.keys(passwordsMap).map(Number),\n    );\n    const passwordForSeal = {\n      id: mostRecentPasswordId.toString(),\n      secret: passwordsMap[mostRecentPasswordId]!,\n    };\n\n    const seal = await ironSeal(_crypto, data, passwordForSeal, {\n      ...ironDefaults,\n      ttl: ttl * 1000,\n    });\n\n    return `${seal}${versionDelimiter}${currentMajorVersion}`;\n  };\n}\n\nexport function createUnsealData(_crypto: Crypto) {\n  return async function unsealData<T>(\n    seal: string,\n    {\n      password,\n      ttl = fourteenDaysInSeconds,\n    }: { password: Password; ttl?: number },\n  ): Promise<T> {\n    const passwordsMap = normalizeStringPasswordToMap(password);\n    const { sealWithoutVersion, tokenVersion } = parseSeal(seal);\n\n    try {\n      const data =\n        (await ironUnseal(_crypto, sealWithoutVersion, passwordsMap, {\n          ...ironDefaults,\n          ttl: ttl * 1000,\n        })) ?? {};\n\n      if (tokenVersion === 2) {\n        return data as T;\n      }\n\n      // @ts-expect-error `persistent` does not exist on newer tokens\n      return { ...data.persistent } as T;\n    } catch (error) {\n      if (\n        error instanceof Error &&\n        /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components)/.test(\n          error.message,\n        )\n      ) {\n        // if seal expired or\n        // if seal is not valid (encrypted using a different password, when passwords are badly rotated) or\n        // if we can't find back the password in the seal\n        // then we just start a new session over\n        return {} as T;\n      }\n\n      throw error;\n    }\n  };\n}\n\nfunction getSessionConfig(\n  sessionOptions: SessionOptions,\n): Required<SessionOptions> {\n  const options = {\n    ...defaultOptions,\n    ...sessionOptions,\n    cookieOptions: {\n      ...defaultOptions.cookieOptions,\n      ...(sessionOptions.cookieOptions || {}),\n    },\n  };\n\n  if (\n    sessionOptions.cookieOptions &&\n    \"maxAge\" in sessionOptions.cookieOptions\n  ) {\n    if (sessionOptions.cookieOptions.maxAge === undefined) {\n      // session cookies, do not set maxAge, consider token as infinite\n      options.ttl = 0;\n    }\n  } else {\n    options.cookieOptions.maxAge = computeCookieMaxAge(options.ttl);\n  }\n\n  return options;\n}\n\nconst badUsageMessage =\n  \"iron-session: Bad usage: use getIronSession(req, res, options) or getIronSession(cookieStore, options).\";\n\nexport function createGetIronSession(\n  sealData: ReturnType<typeof createSealData>,\n  unsealData: ReturnType<typeof createUnsealData>,\n) {\n  return getIronSession;\n\n  async function getIronSession<T extends object>(\n    cookies: CookieStore,\n    sessionOptions: SessionOptions,\n  ): Promise<IronSession<T>>;\n  async function getIronSession<T extends object>(\n    req: RequestType,\n    res: ResponseType,\n    sessionOptions: SessionOptions,\n  ): Promise<IronSession<T>>;\n  async function getIronSession<T extends object>(\n    reqOrCookieStore: RequestType | CookieStore,\n    resOrsessionOptions: ResponseType | SessionOptions,\n    sessionOptions?: SessionOptions,\n  ): Promise<IronSession<T>> {\n    if (!reqOrCookieStore) {\n      throw new Error(badUsageMessage);\n    }\n\n    if (!resOrsessionOptions) {\n      throw new Error(badUsageMessage);\n    }\n\n    if (!sessionOptions) {\n      return getIronSessionFromCookieStore<T>(\n        reqOrCookieStore as CookieStore,\n        resOrsessionOptions as SessionOptions,\n        sealData,\n        unsealData,\n      );\n    }\n\n    const req = reqOrCookieStore as RequestType;\n    const res = resOrsessionOptions as ResponseType;\n\n    if (!sessionOptions) {\n      throw new Error(badUsageMessage);\n    }\n\n    if (!sessionOptions.cookieName) {\n      throw new Error(\"iron-session: Bad usage. Missing cookie name.\");\n    }\n\n    if (!sessionOptions.password) {\n      throw new Error(\"iron-session: Bad usage. Missing password.\");\n    }\n\n    const passwordsMap = normalizeStringPasswordToMap(sessionOptions.password);\n\n    if (Object.values(passwordsMap).some((password) => password.length < 32)) {\n      throw new Error(\n        \"iron-session: Bad usage. Password must be at least 32 characters long.\",\n      );\n    }\n\n    let sessionConfig = getSessionConfig(sessionOptions);\n\n    const sealFromCookies = getCookie(req, sessionConfig.cookieName);\n    const session = sealFromCookies\n      ? await unsealData<T>(sealFromCookies, {\n          password: passwordsMap,\n          ttl: sessionConfig.ttl,\n        })\n      : ({} as T);\n\n    Object.defineProperties(session, {\n      updateConfig: {\n        value: function updateConfig(newSessionOptions: SessionOptions) {\n          sessionConfig = getSessionConfig(newSessionOptions);\n        },\n      },\n      save: {\n        value: async function save() {\n          if (\"headersSent\" in res && res.headersSent) {\n            throw new Error(\n              \"iron-session: Cannot set session cookie: session.save() was called after headers were sent. Make sure to call it before any res.send() or res.end()\",\n            );\n          }\n\n          const seal = await sealData(session, {\n            password: passwordsMap,\n            ttl: sessionConfig.ttl,\n          });\n          const cookieValue = serialize(\n            sessionConfig.cookieName,\n            seal,\n            sessionConfig.cookieOptions,\n          );\n\n          if (cookieValue.length > 4096) {\n            throw new Error(\n              `iron-session: Cookie length is too big (${cookieValue.length} bytes), browsers will refuse it. Try to remove some data.`,\n            );\n          }\n\n          setCookie(res, cookieValue);\n        },\n      },\n\n      destroy: {\n        value: function destroy() {\n          Object.keys(session).forEach((key) => {\n            delete (session as Record<string, unknown>)[key];\n          });\n          const cookieValue = serialize(sessionConfig.cookieName, \"\", {\n            ...sessionConfig.cookieOptions,\n            maxAge: 0,\n          });\n\n          setCookie(res, cookieValue);\n        },\n      },\n    });\n\n    return session as IronSession<T>;\n  }\n}\n\nasync function getIronSessionFromCookieStore<T extends object>(\n  cookieStore: CookieStore,\n  sessionOptions: SessionOptions,\n  sealData: ReturnType<typeof createSealData>,\n  unsealData: ReturnType<typeof createUnsealData>,\n): Promise<IronSession<T>> {\n  if (!sessionOptions.cookieName) {\n    throw new Error(\"iron-session: Bad usage. Missing cookie name.\");\n  }\n\n  if (!sessionOptions.password) {\n    throw new Error(\"iron-session: Bad usage. Missing password.\");\n  }\n\n  const passwordsMap = normalizeStringPasswordToMap(sessionOptions.password);\n\n  if (Object.values(passwordsMap).some((password) => password.length < 32)) {\n    throw new Error(\n      \"iron-session: Bad usage. Password must be at least 32 characters long.\",\n    );\n  }\n\n  let sessionConfig = getSessionConfig(sessionOptions);\n  const sealFromCookies = getServerActionCookie(\n    sessionConfig.cookieName,\n    cookieStore,\n  );\n  const session = sealFromCookies\n    ? await unsealData<T>(sealFromCookies, {\n        password: passwordsMap,\n        ttl: sessionConfig.ttl,\n      })\n    : ({} as T);\n\n  Object.defineProperties(session, {\n    updateConfig: {\n      value: function updateConfig(newSessionOptions: SessionOptions) {\n        sessionConfig = getSessionConfig(newSessionOptions);\n      },\n    },\n    save: {\n      value: async function save() {\n        const seal = await sealData(session, {\n          password: passwordsMap,\n          ttl: sessionConfig.ttl,\n        });\n\n        const cookieLength =\n          sessionConfig.cookieName.length +\n          seal.length +\n          JSON.stringify(sessionConfig.cookieOptions).length;\n\n        if (cookieLength > 4096) {\n          throw new Error(\n            `iron-session: Cookie length is too big (${cookieLength} bytes), browsers will refuse it. Try to remove some data.`,\n          );\n        }\n\n        cookieStore.set(\n          sessionConfig.cookieName,\n          seal,\n          sessionConfig.cookieOptions,\n        );\n      },\n    },\n\n    destroy: {\n      value: function destroy() {\n        Object.keys(session).forEach((key) => {\n          delete (session as Record<string, unknown>)[key];\n        });\n\n        const cookieOptions = { ...sessionConfig.cookieOptions, maxAge: 0 };\n        cookieStore.set(sessionConfig.cookieName, \"\", cookieOptions);\n      },\n    },\n  });\n\n  return session as IronSession<T>;\n}\n","import {\n  createGetIronSession,\n  createSealData,\n  createUnsealData,\n} from \"./core.js\";\n\nimport * as crypto from \"uncrypto\";\n\nexport type { IronSession, SessionOptions } from \"./core.js\";\nexport const sealData = createSealData(crypto);\nexport const unsealData = createUnsealData(crypto);\nexport const getIronSession = createGetIronSession(sealData, unsealData);\n"]}

package/dist/index.d.cts

@@ -0,0 +1,115 @@
+import * as http from 'http';
+import { CookieSerializeOptions } from 'cookie';
+
+type PasswordsMap = Record<string, string>;
+type Password = PasswordsMap | string;
+/**
+ * {@link https://wicg.github.io/cookie-store/#dictdef-cookielistitem CookieListItem}
+ * as specified by W3C.
+ */
+interface CookieListItem extends Pick<CookieSerializeOptions, "domain" | "path" | "sameSite" | "secure"> {
+    /** A string with the name of a cookie. */
+    name: string;
+    /** A string containing the value of the cookie. */
+    value: string;
+    /** A number of milliseconds or Date interface containing the expires of the cookie. */
+    expires?: CookieSerializeOptions["expires"] | number;
+}
+/**
+ * Superset of {@link CookieListItem} extending it with
+ * the `httpOnly`, `maxAge` and `priority` properties.
+ */
+type ResponseCookie = CookieListItem & Pick<CookieSerializeOptions, "httpOnly" | "maxAge" | "priority">;
+/**
+ * The high-level type definition of the .get() and .set() methods
+ * of { cookies() } from "next/headers"
+ */
+interface CookieStore {
+    get: (name: string) => {
+        name: string;
+        value: string;
+    } | undefined;
+    set: {
+        (name: string, value: string, cookie?: Partial<ResponseCookie>): void;
+        (options: ResponseCookie): void;
+    };
+}
+/**
+ * Set-Cookie Attributes do not include `encode`. We omit this from our `cookieOptions` type.
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
+ * @see https://developer.chrome.com/docs/devtools/application/cookies/
+ */
+type CookieOptions = Omit<CookieSerializeOptions, "encode">;
+interface SessionOptions {
+    /**
+     * The cookie name that will be used inside the browser. Make sure it's unique
+     * given your application.
+     *
+     * @example 'vercel-session'
+     */
+    cookieName: string;
+    /**
+     * The password(s) that will be used to encrypt the cookie. Can either be a string
+     * or an object.
+     *
+     * When you provide multiple passwords then all of them will be used to decrypt
+     * the cookie. But only the most recent (`= highest key`, `2` in the example)
+     * password will be used to encrypt the cookie. This allows password rotation.
+     *
+     * @example { 1: 'password-1', 2: 'password-2' }
+     */
+    password: Password;
+    /**
+     * The time (in seconds) that the session will be valid for. Also sets the
+     * `max-age` attribute of the cookie automatically (`= ttl - 60s`, so that the
+     * cookie always expire before the session).
+     *
+     * `ttl = 0` means no expiration.
+     *
+     * @default 1209600
+     */
+    ttl?: number;
+    /**
+     * The options that will be passed to the cookie library.
+     *
+     * If you want to use "session cookies" (cookies that are deleted when the browser
+     * is closed) then you need to pass `cookieOptions: { maxAge: undefined }`
+     *
+     * @see https://github.com/jshttp/cookie#options-1
+     */
+    cookieOptions?: CookieOptions;
+}
+type IronSession<T> = T & {
+    /**
+     * Encrypts the session data and sets the cookie.
+     */
+    readonly save: () => Promise<void>;
+    /**
+     * Destroys the session data and removes the cookie.
+     */
+    readonly destroy: () => void;
+    /**
+     * Update the session configuration. You still need to call save() to send the new cookie.
+     */
+    readonly updateConfig: (newSessionOptions: SessionOptions) => void;
+};
+
+declare const sealData: (data: unknown, { password, ttl, }: {
+    password: string | {
+        [x: string]: string;
+    };
+    ttl?: number;
+}) => Promise<string>;
+declare const unsealData: <T>(seal: string, { password, ttl, }: {
+    password: string | {
+        [x: string]: string;
+    };
+    ttl?: number;
+}) => Promise<T>;
+declare const getIronSession: {
+    <T extends object>(cookies: CookieStore, sessionOptions: SessionOptions): Promise<IronSession<T>>;
+    <T extends object>(req: http.IncomingMessage | Request, res: Response | http.ServerResponse<http.IncomingMessage>, sessionOptions: SessionOptions): Promise<IronSession<T>>;
+};
+
+export { type IronSession, type SessionOptions, getIronSession, sealData, unsealData };

package/dist/index.d.ts

@@ -0,0 +1,115 @@
+import * as http from 'http';
+import { CookieSerializeOptions } from 'cookie';
+
+type PasswordsMap = Record<string, string>;
+type Password = PasswordsMap | string;
+/**
+ * {@link https://wicg.github.io/cookie-store/#dictdef-cookielistitem CookieListItem}
+ * as specified by W3C.
+ */
+interface CookieListItem extends Pick<CookieSerializeOptions, "domain" | "path" | "sameSite" | "secure"> {
+    /** A string with the name of a cookie. */
+    name: string;
+    /** A string containing the value of the cookie. */
+    value: string;
+    /** A number of milliseconds or Date interface containing the expires of the cookie. */
+    expires?: CookieSerializeOptions["expires"] | number;
+}
+/**
+ * Superset of {@link CookieListItem} extending it with
+ * the `httpOnly`, `maxAge` and `priority` properties.
+ */
+type ResponseCookie = CookieListItem & Pick<CookieSerializeOptions, "httpOnly" | "maxAge" | "priority">;
+/**
+ * The high-level type definition of the .get() and .set() methods
+ * of { cookies() } from "next/headers"
+ */
+interface CookieStore {
+    get: (name: string) => {
+        name: string;
+        value: string;
+    } | undefined;
+    set: {
+        (name: string, value: string, cookie?: Partial<ResponseCookie>): void;
+        (options: ResponseCookie): void;
+    };
+}
+/**
+ * Set-Cookie Attributes do not include `encode`. We omit this from our `cookieOptions` type.
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
+ * @see https://developer.chrome.com/docs/devtools/application/cookies/
+ */
+type CookieOptions = Omit<CookieSerializeOptions, "encode">;
+interface SessionOptions {
+    /**
+     * The cookie name that will be used inside the browser. Make sure it's unique
+     * given your application.
+     *
+     * @example 'vercel-session'
+     */
+    cookieName: string;
+    /**
+     * The password(s) that will be used to encrypt the cookie. Can either be a string
+     * or an object.
+     *
+     * When you provide multiple passwords then all of them will be used to decrypt
+     * the cookie. But only the most recent (`= highest key`, `2` in the example)
+     * password will be used to encrypt the cookie. This allows password rotation.
+     *
+     * @example { 1: 'password-1', 2: 'password-2' }
+     */
+    password: Password;
+    /**
+     * The time (in seconds) that the session will be valid for. Also sets the
+     * `max-age` attribute of the cookie automatically (`= ttl - 60s`, so that the
+     * cookie always expire before the session).
+     *
+     * `ttl = 0` means no expiration.
+     *
+     * @default 1209600
+     */
+    ttl?: number;
+    /**
+     * The options that will be passed to the cookie library.
+     *
+     * If you want to use "session cookies" (cookies that are deleted when the browser
+     * is closed) then you need to pass `cookieOptions: { maxAge: undefined }`
+     *
+     * @see https://github.com/jshttp/cookie#options-1
+     */
+    cookieOptions?: CookieOptions;
+}
+type IronSession<T> = T & {
+    /**
+     * Encrypts the session data and sets the cookie.
+     */
+    readonly save: () => Promise<void>;
+    /**
+     * Destroys the session data and removes the cookie.
+     */
+    readonly destroy: () => void;
+    /**
+     * Update the session configuration. You still need to call save() to send the new cookie.
+     */
+    readonly updateConfig: (newSessionOptions: SessionOptions) => void;
+};
+
+declare const sealData: (data: unknown, { password, ttl, }: {
+    password: string | {
+        [x: string]: string;
+    };
+    ttl?: number;
+}) => Promise<string>;
+declare const unsealData: <T>(seal: string, { password, ttl, }: {
+    password: string | {
+        [x: string]: string;
+    };
+    ttl?: number;
+}) => Promise<T>;
+declare const getIronSession: {
+    <T extends object>(cookies: CookieStore, sessionOptions: SessionOptions): Promise<IronSession<T>>;
+    <T extends object>(req: http.IncomingMessage | Request, res: Response | http.ServerResponse<http.IncomingMessage>, sessionOptions: SessionOptions): Promise<IronSession<T>>;
+};
+
+export { type IronSession, type SessionOptions, getIronSession, sealData, unsealData };

package/dist/index.js

@@ -0,0 +1,271 @@
+import { serialize, parse } from 'cookie';
+import { seal, defaults, unseal } from 'iron-webcrypto';
+import * as crypto from 'uncrypto';
+
+// src/core.ts
+var timestampSkewSec = 60;
+var fourteenDaysInSeconds = 14 * 24 * 3600;
+var currentMajorVersion = 2;
+var versionDelimiter = "~";
+var defaultOptions = {
+  ttl: fourteenDaysInSeconds,
+  cookieOptions: { httpOnly: true, secure: true, sameSite: "lax", path: "/" }
+};
+function normalizeStringPasswordToMap(password) {
+  return typeof password === "string" ? { 1: password } : password;
+}
+function parseSeal(seal) {
+  const [sealWithoutVersion, tokenVersionAsString] = seal.split(versionDelimiter);
+  const tokenVersion = tokenVersionAsString == null ? null : parseInt(tokenVersionAsString, 10);
+  return { sealWithoutVersion, tokenVersion };
+}
+function computeCookieMaxAge(ttl) {
+  if (ttl === 0) {
+    return 2147483647;
+  }
+  return ttl - timestampSkewSec;
+}
+function getCookie(req, cookieName) {
+  return parse(
+    ("headers" in req && typeof req.headers.get === "function" ? req.headers.get("cookie") : req.headers.cookie) ?? ""
+  )[cookieName] ?? "";
+}
+function getServerActionCookie(cookieName, cookieHandler) {
+  const cookieObject = cookieHandler.get(cookieName);
+  const cookie = cookieObject?.value;
+  if (typeof cookie === "string") {
+    return cookie;
+  }
+  return "";
+}
+function setCookie(res, cookieValue) {
+  if ("headers" in res && typeof res.headers.append === "function") {
+    res.headers.append("set-cookie", cookieValue);
+    return;
+  }
+  let existingSetCookie = res.getHeader("set-cookie") ?? [];
+  if (!Array.isArray(existingSetCookie)) {
+    existingSetCookie = [existingSetCookie.toString()];
+  }
+  res.setHeader("set-cookie", [
+    ...existingSetCookie,
+    cookieValue
+  ]);
+}
+function createSealData(_crypto) {
+  return async function sealData2(data, {
+    password,
+    ttl = fourteenDaysInSeconds
+  }) {
+    const passwordsMap = normalizeStringPasswordToMap(password);
+    const mostRecentPasswordId = Math.max(
+      ...Object.keys(passwordsMap).map(Number)
+    );
+    const passwordForSeal = {
+      id: mostRecentPasswordId.toString(),
+      secret: passwordsMap[mostRecentPasswordId]
+    };
+    const seal$1 = await seal(_crypto, data, passwordForSeal, {
+      ...defaults,
+      ttl: ttl * 1e3
+    });
+    return `${seal$1}${versionDelimiter}${currentMajorVersion}`;
+  };
+}
+function createUnsealData(_crypto) {
+  return async function unsealData2(seal, {
+    password,
+    ttl = fourteenDaysInSeconds
+  }) {
+    const passwordsMap = normalizeStringPasswordToMap(password);
+    const { sealWithoutVersion, tokenVersion } = parseSeal(seal);
+    try {
+      const data = await unseal(_crypto, sealWithoutVersion, passwordsMap, {
+        ...defaults,
+        ttl: ttl * 1e3
+      }) ?? {};
+      if (tokenVersion === 2) {
+        return data;
+      }
+      return { ...data.persistent };
+    } catch (error) {
+      if (error instanceof Error && /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components)/.test(
+        error.message
+      )) {
+        return {};
+      }
+      throw error;
+    }
+  };
+}
+function getSessionConfig(sessionOptions) {
+  const options = {
+    ...defaultOptions,
+    ...sessionOptions,
+    cookieOptions: {
+      ...defaultOptions.cookieOptions,
+      ...sessionOptions.cookieOptions || {}
+    }
+  };
+  if (sessionOptions.cookieOptions && "maxAge" in sessionOptions.cookieOptions) {
+    if (sessionOptions.cookieOptions.maxAge === void 0) {
+      options.ttl = 0;
+    }
+  } else {
+    options.cookieOptions.maxAge = computeCookieMaxAge(options.ttl);
+  }
+  return options;
+}
+var badUsageMessage = "iron-session: Bad usage: use getIronSession(req, res, options) or getIronSession(cookieStore, options).";
+function createGetIronSession(sealData2, unsealData2) {
+  return getIronSession2;
+  async function getIronSession2(reqOrCookieStore, resOrsessionOptions, sessionOptions) {
+    if (!reqOrCookieStore) {
+      throw new Error(badUsageMessage);
+    }
+    if (!resOrsessionOptions) {
+      throw new Error(badUsageMessage);
+    }
+    if (!sessionOptions) {
+      return getIronSessionFromCookieStore(
+        reqOrCookieStore,
+        resOrsessionOptions,
+        sealData2,
+        unsealData2
+      );
+    }
+    const req = reqOrCookieStore;
+    const res = resOrsessionOptions;
+    if (!sessionOptions) {
+      throw new Error(badUsageMessage);
+    }
+    if (!sessionOptions.cookieName) {
+      throw new Error("iron-session: Bad usage. Missing cookie name.");
+    }
+    if (!sessionOptions.password) {
+      throw new Error("iron-session: Bad usage. Missing password.");
+    }
+    const passwordsMap = normalizeStringPasswordToMap(sessionOptions.password);
+    if (Object.values(passwordsMap).some((password) => password.length < 32)) {
+      throw new Error(
+        "iron-session: Bad usage. Password must be at least 32 characters long."
+      );
+    }
+    let sessionConfig = getSessionConfig(sessionOptions);
+    const sealFromCookies = getCookie(req, sessionConfig.cookieName);
+    const session = sealFromCookies ? await unsealData2(sealFromCookies, {
+      password: passwordsMap,
+      ttl: sessionConfig.ttl
+    }) : {};
+    Object.defineProperties(session, {
+      updateConfig: {
+        value: function updateConfig(newSessionOptions) {
+          sessionConfig = getSessionConfig(newSessionOptions);
+        }
+      },
+      save: {
+        value: async function save() {
+          if ("headersSent" in res && res.headersSent) {
+            throw new Error(
+              "iron-session: Cannot set session cookie: session.save() was called after headers were sent. Make sure to call it before any res.send() or res.end()"
+            );
+          }
+          const seal = await sealData2(session, {
+            password: passwordsMap,
+            ttl: sessionConfig.ttl
+          });
+          const cookieValue = serialize(
+            sessionConfig.cookieName,
+            seal,
+            sessionConfig.cookieOptions
+          );
+          if (cookieValue.length > 4096) {
+            throw new Error(
+              `iron-session: Cookie length is too big (${cookieValue.length} bytes), browsers will refuse it. Try to remove some data.`
+            );
+          }
+          setCookie(res, cookieValue);
+        }
+      },
+      destroy: {
+        value: function destroy() {
+          Object.keys(session).forEach((key) => {
+            delete session[key];
+          });
+          const cookieValue = serialize(sessionConfig.cookieName, "", {
+            ...sessionConfig.cookieOptions,
+            maxAge: 0
+          });
+          setCookie(res, cookieValue);
+        }
+      }
+    });
+    return session;
+  }
+}
+async function getIronSessionFromCookieStore(cookieStore, sessionOptions, sealData2, unsealData2) {
+  if (!sessionOptions.cookieName) {
+    throw new Error("iron-session: Bad usage. Missing cookie name.");
+  }
+  if (!sessionOptions.password) {
+    throw new Error("iron-session: Bad usage. Missing password.");
+  }
+  const passwordsMap = normalizeStringPasswordToMap(sessionOptions.password);
+  if (Object.values(passwordsMap).some((password) => password.length < 32)) {
+    throw new Error(
+      "iron-session: Bad usage. Password must be at least 32 characters long."
+    );
+  }
+  let sessionConfig = getSessionConfig(sessionOptions);
+  const sealFromCookies = getServerActionCookie(
+    sessionConfig.cookieName,
+    cookieStore
+  );
+  const session = sealFromCookies ? await unsealData2(sealFromCookies, {
+    password: passwordsMap,
+    ttl: sessionConfig.ttl
+  }) : {};
+  Object.defineProperties(session, {
+    updateConfig: {
+      value: function updateConfig(newSessionOptions) {
+        sessionConfig = getSessionConfig(newSessionOptions);
+      }
+    },
+    save: {
+      value: async function save() {
+        const seal = await sealData2(session, {
+          password: passwordsMap,
+          ttl: sessionConfig.ttl
+        });
+        const cookieLength = sessionConfig.cookieName.length + seal.length + JSON.stringify(sessionConfig.cookieOptions).length;
+        if (cookieLength > 4096) {
+          throw new Error(
+            `iron-session: Cookie length is too big (${cookieLength} bytes), browsers will refuse it. Try to remove some data.`
+          );
+        }
+        cookieStore.set(
+          sessionConfig.cookieName,
+          seal,
+          sessionConfig.cookieOptions
+        );
+      }
+    },
+    destroy: {
+      value: function destroy() {
+        Object.keys(session).forEach((key) => {
+          delete session[key];
+        });
+        const cookieOptions = { ...sessionConfig.cookieOptions, maxAge: 0 };
+        cookieStore.set(sessionConfig.cookieName, "", cookieOptions);
+      }
+    }
+  });
+  return session;
+}
+var sealData = createSealData(crypto);
+var unsealData = createUnsealData(crypto);
+var getIronSession = createGetIronSession(sealData, unsealData);
+
+export { getIronSession, sealData, unsealData };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/core.ts","../src/index.ts"],"names":["sealData","seal","ironSeal","ironDefaults","unsealData","ironUnseal","getIronSession"],"mappings":";;;;;AAuHA,IAAM,gBAAmB,GAAA,EAAA;AACzB,IAAM,qBAAA,GAAwB,KAAK,EAAK,GAAA,IAAA;AAIxC,IAAM,mBAAsB,GAAA,CAAA;AAC5B,IAAM,gBAAmB,GAAA,GAAA;AAEzB,IAAM,cACJ,GAAA;AAAA,EACE,GAAK,EAAA,qBAAA;AAAA,EACL,aAAA,EAAe,EAAE,QAAU,EAAA,IAAA,EAAM,QAAQ,IAAM,EAAA,QAAA,EAAU,KAAO,EAAA,IAAA,EAAM,GAAI;AAC5E,CAAA;AAEF,SAAS,6BAA6B,QAAkC,EAAA;AACtE,EAAA,OAAO,OAAO,QAAa,KAAA,QAAA,GAAW,EAAE,CAAA,EAAG,UAAa,GAAA,QAAA;AAC1D;AAEA,SAAS,UAAU,IAGjB,EAAA;AACA,EAAA,MAAM,CAAC,kBAAoB,EAAA,oBAAoB,CAC7C,GAAA,IAAA,CAAK,MAAM,gBAAgB,CAAA;AAC7B,EAAA,MAAM,eACJ,oBAAwB,IAAA,IAAA,GAAO,IAAO,GAAA,QAAA,CAAS,sBAAsB,EAAE,CAAA;AAGzE,EAAO,OAAA,EAAE,oBAAyC,YAAa,EAAA;AACjE;AAEA,SAAS,oBAAoB,GAAqB,EAAA;AAChD,EAAA,IAAI,QAAQ,CAAG,EAAA;AAKb,IAAO,OAAA,UAAA;AAAA;AAKT,EAAA,OAAO,GAAM,GAAA,gBAAA;AACf;AAEA,SAAS,SAAA,CAAU,KAAkB,UAA4B,EAAA;AAC/D,EACE,OAAA,KAAA;AAAA,IAAA,CACG,SAAa,IAAA,GAAA,IAAO,OAAO,GAAA,CAAI,QAAQ,GAAQ,KAAA,UAAA,GAC5C,GAAI,CAAA,OAAA,CAAQ,GAAI,CAAA,QAAQ,CACvB,GAAA,GAAA,CAAwB,QAAQ,MAAW,KAAA;AAAA,GAClD,CAAE,UAAU,CAAK,IAAA,EAAA;AAErB;AAEA,SAAS,qBAAA,CACP,YACA,aACQ,EAAA;AACR,EAAM,MAAA,YAAA,GAAe,aAAc,CAAA,GAAA,CAAI,UAAU,CAAA;AACjD,EAAA,MAAM,SAAS,YAAc,EAAA,KAAA;AAC7B,EAAI,IAAA,OAAO,WAAW,QAAU,EAAA;AAC9B,IAAO,OAAA,MAAA;AAAA;AAET,EAAO,OAAA,EAAA;AACT;AAEA,SAAS,SAAA,CAAU,KAAmB,WAA2B,EAAA;AAC/D,EAAA,IAAI,aAAa,GAAO,IAAA,OAAO,GAAI,CAAA,OAAA,CAAQ,WAAW,UAAY,EAAA;AAChE,IAAI,GAAA,CAAA,OAAA,CAAQ,MAAO,CAAA,YAAA,EAAc,WAAW,CAAA;AAC5C,IAAA;AAAA;AAEF,EAAA,IAAI,iBAAqB,GAAA,GAAA,CAAuB,SAAU,CAAA,YAAY,KAAK,EAAC;AAC5E,EAAA,IAAI,CAAC,KAAA,CAAM,OAAQ,CAAA,iBAAiB,CAAG,EAAA;AACrC,IAAoB,iBAAA,GAAA,CAAC,iBAAkB,CAAA,QAAA,EAAU,CAAA;AAAA;AAEnD,EAAC,GAAA,CAAuB,UAAU,YAAc,EAAA;AAAA,IAC9C,GAAG,iBAAA;AAAA,IACH;AAAA,GACD,CAAA;AACH;AAEO,SAAS,eAAe,OAAiB,EAAA;AAC9C,EAAO,OAAA,eAAeA,UACpB,IACA,EAAA;AAAA,IACE,QAAA;AAAA,IACA,GAAM,GAAA;AAAA,GAES,EAAA;AACjB,IAAM,MAAA,YAAA,GAAe,6BAA6B,QAAQ,CAAA;AAE1D,IAAA,MAAM,uBAAuB,IAAK,CAAA,GAAA;AAAA,MAChC,GAAG,MAAO,CAAA,IAAA,CAAK,YAAY,CAAA,CAAE,IAAI,MAAM;AAAA,KACzC;AACA,IAAA,MAAM,eAAkB,GAAA;AAAA,MACtB,EAAA,EAAI,qBAAqB,QAAS,EAAA;AAAA,MAClC,MAAA,EAAQ,aAAa,oBAAoB;AAAA,KAC3C;AAEA,IAAA,MAAMC,MAAO,GAAA,MAAMC,IAAS,CAAA,OAAA,EAAS,MAAM,eAAiB,EAAA;AAAA,MAC1D,GAAGC,QAAA;AAAA,MACH,KAAK,GAAM,GAAA;AAAA,KACZ,CAAA;AAED,IAAA,OAAO,CAAG,EAAAF,MAAI,CAAG,EAAA,gBAAgB,GAAG,mBAAmB,CAAA,CAAA;AAAA,GACzD;AACF;AAEO,SAAS,iBAAiB,OAAiB,EAAA;AAChD,EAAO,OAAA,eAAeG,YACpB,IACA,EAAA;AAAA,IACE,QAAA;AAAA,IACA,GAAM,GAAA;AAAA,GAEI,EAAA;AACZ,IAAM,MAAA,YAAA,GAAe,6BAA6B,QAAQ,CAAA;AAC1D,IAAA,MAAM,EAAE,kBAAA,EAAoB,YAAa,EAAA,GAAI,UAAU,IAAI,CAAA;AAE3D,IAAI,IAAA;AACF,MAAA,MAAM,IACH,GAAA,MAAMC,MAAW,CAAA,OAAA,EAAS,oBAAoB,YAAc,EAAA;AAAA,QAC3D,GAAGF,QAAA;AAAA,QACH,KAAK,GAAM,GAAA;AAAA,OACZ,KAAM,EAAC;AAEV,MAAA,IAAI,iBAAiB,CAAG,EAAA;AACtB,QAAO,OAAA,IAAA;AAAA;AAIT,MAAO,OAAA,EAAE,GAAG,IAAA,CAAK,UAAW,EAAA;AAAA,aACrB,KAAO,EAAA;AACd,MACE,IAAA,KAAA,YAAiB,SACjB,2FAA4F,CAAA,IAAA;AAAA,QAC1F,KAAM,CAAA;AAAA,OAER,EAAA;AAKA,QAAA,OAAO,EAAC;AAAA;AAGV,MAAM,MAAA,KAAA;AAAA;AACR,GACF;AACF;AAEA,SAAS,iBACP,cAC0B,EAAA;AAC1B,EAAA,MAAM,OAAU,GAAA;AAAA,IACd,GAAG,cAAA;AAAA,IACH,GAAG,cAAA;AAAA,IACH,aAAe,EAAA;AAAA,MACb,GAAG,cAAe,CAAA,aAAA;AAAA,MAClB,GAAI,cAAe,CAAA,aAAA,IAAiB;AAAC;AACvC,GACF;AAEA,EAAA,IACE,cAAe,CAAA,aAAA,IACf,QAAY,IAAA,cAAA,CAAe,aAC3B,EAAA;AACA,IAAI,IAAA,cAAA,CAAe,aAAc,CAAA,MAAA,KAAW,MAAW,EAAA;AAErD,MAAA,OAAA,CAAQ,GAAM,GAAA,CAAA;AAAA;AAChB,GACK,MAAA;AACL,IAAA,OAAA,CAAQ,aAAc,CAAA,MAAA,GAAS,mBAAoB,CAAA,OAAA,CAAQ,GAAG,CAAA;AAAA;AAGhE,EAAO,OAAA,OAAA;AACT;AAEA,IAAM,eACJ,GAAA,yGAAA;AAEK,SAAS,oBAAA,CACdH,WACAI,WACA,EAAA;AACA,EAAOE,OAAAA,eAAAA;AAWP,EAAeA,eAAAA,eAAAA,CACb,gBACA,EAAA,mBAAA,EACA,cACyB,EAAA;AACzB,IAAA,IAAI,CAAC,gBAAkB,EAAA;AACrB,MAAM,MAAA,IAAI,MAAM,eAAe,CAAA;AAAA;AAGjC,IAAA,IAAI,CAAC,mBAAqB,EAAA;AACxB,MAAM,MAAA,IAAI,MAAM,eAAe,CAAA;AAAA;AAGjC,IAAA,IAAI,CAAC,cAAgB,EAAA;AACnB,MAAO,OAAA,6BAAA;AAAA,QACL,gBAAA;AAAA,QACA,mBAAA;AAAA,QACAN,SAAAA;AAAA,QACAI;AAAA,OACF;AAAA;AAGF,IAAA,MAAM,GAAM,GAAA,gBAAA;AACZ,IAAA,MAAM,GAAM,GAAA,mBAAA;AAEZ,IAAA,IAAI,CAAC,cAAgB,EAAA;AACnB,MAAM,MAAA,IAAI,MAAM,eAAe,CAAA;AAAA;AAGjC,IAAI,IAAA,CAAC,eAAe,UAAY,EAAA;AAC9B,MAAM,MAAA,IAAI,MAAM,+CAA+C,CAAA;AAAA;AAGjE,IAAI,IAAA,CAAC,eAAe,QAAU,EAAA;AAC5B,MAAM,MAAA,IAAI,MAAM,4CAA4C,CAAA;AAAA;AAG9D,IAAM,MAAA,YAAA,GAAe,4BAA6B,CAAA,cAAA,CAAe,QAAQ,CAAA;AAEzE,IAAI,IAAA,MAAA,CAAO,MAAO,CAAA,YAAY,CAAE,CAAA,IAAA,CAAK,CAAC,QAAa,KAAA,QAAA,CAAS,MAAS,GAAA,EAAE,CAAG,EAAA;AACxE,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA;AAGF,IAAI,IAAA,aAAA,GAAgB,iBAAiB,cAAc,CAAA;AAEnD,IAAA,MAAM,eAAkB,GAAA,SAAA,CAAU,GAAK,EAAA,aAAA,CAAc,UAAU,CAAA;AAC/D,IAAA,MAAM,OAAU,GAAA,eAAA,GACZ,MAAMA,WAAAA,CAAc,eAAiB,EAAA;AAAA,MACnC,QAAU,EAAA,YAAA;AAAA,MACV,KAAK,aAAc,CAAA;AAAA,KACpB,IACA,EAAC;AAEN,IAAA,MAAA,CAAO,iBAAiB,OAAS,EAAA;AAAA,MAC/B,YAAc,EAAA;AAAA,QACZ,KAAA,EAAO,SAAS,YAAA,CAAa,iBAAmC,EAAA;AAC9D,UAAA,aAAA,GAAgB,iBAAiB,iBAAiB,CAAA;AAAA;AACpD,OACF;AAAA,MACA,IAAM,EAAA;AAAA,QACJ,KAAA,EAAO,eAAe,IAAO,GAAA;AAC3B,UAAI,IAAA,aAAA,IAAiB,GAAO,IAAA,GAAA,CAAI,WAAa,EAAA;AAC3C,YAAA,MAAM,IAAI,KAAA;AAAA,cACR;AAAA,aACF;AAAA;AAGF,UAAM,MAAA,IAAA,GAAO,MAAMJ,SAAAA,CAAS,OAAS,EAAA;AAAA,YACnC,QAAU,EAAA,YAAA;AAAA,YACV,KAAK,aAAc,CAAA;AAAA,WACpB,CAAA;AACD,UAAA,MAAM,WAAc,GAAA,SAAA;AAAA,YAClB,aAAc,CAAA,UAAA;AAAA,YACd,IAAA;AAAA,YACA,aAAc,CAAA;AAAA,WAChB;AAEA,UAAI,IAAA,WAAA,CAAY,SAAS,IAAM,EAAA;AAC7B,YAAA,MAAM,IAAI,KAAA;AAAA,cACR,CAAA,wCAAA,EAA2C,YAAY,MAAM,CAAA,0DAAA;AAAA,aAC/D;AAAA;AAGF,UAAA,SAAA,CAAU,KAAK,WAAW,CAAA;AAAA;AAC5B,OACF;AAAA,MAEA,OAAS,EAAA;AAAA,QACP,KAAA,EAAO,SAAS,OAAU,GAAA;AACxB,UAAA,MAAA,CAAO,IAAK,CAAA,OAAO,CAAE,CAAA,OAAA,CAAQ,CAAC,GAAQ,KAAA;AACpC,YAAA,OAAQ,QAAoC,GAAG,CAAA;AAAA,WAChD,CAAA;AACD,UAAA,MAAM,WAAc,GAAA,SAAA,CAAU,aAAc,CAAA,UAAA,EAAY,EAAI,EAAA;AAAA,YAC1D,GAAG,aAAc,CAAA,aAAA;AAAA,YACjB,MAAQ,EAAA;AAAA,WACT,CAAA;AAED,UAAA,SAAA,CAAU,KAAK,WAAW,CAAA;AAAA;AAC5B;AACF,KACD,CAAA;AAED,IAAO,OAAA,OAAA;AAAA;AAEX;AAEA,eAAe,6BACb,CAAA,WAAA,EACA,cACAA,EAAAA,SAAAA,EACAI,WACyB,EAAA;AACzB,EAAI,IAAA,CAAC,eAAe,UAAY,EAAA;AAC9B,IAAM,MAAA,IAAI,MAAM,+CAA+C,CAAA;AAAA;AAGjE,EAAI,IAAA,CAAC,eAAe,QAAU,EAAA;AAC5B,IAAM,MAAA,IAAI,MAAM,4CAA4C,CAAA;AAAA;AAG9D,EAAM,MAAA,YAAA,GAAe,4BAA6B,CAAA,cAAA,CAAe,QAAQ,CAAA;AAEzE,EAAI,IAAA,MAAA,CAAO,MAAO,CAAA,YAAY,CAAE,CAAA,IAAA,CAAK,CAAC,QAAa,KAAA,QAAA,CAAS,MAAS,GAAA,EAAE,CAAG,EAAA;AACxE,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA;AAGF,EAAI,IAAA,aAAA,GAAgB,iBAAiB,cAAc,CAAA;AACnD,EAAA,MAAM,eAAkB,GAAA,qBAAA;AAAA,IACtB,aAAc,CAAA,UAAA;AAAA,IACd;AAAA,GACF;AACA,EAAA,MAAM,OAAU,GAAA,eAAA,GACZ,MAAMA,WAAAA,CAAc,eAAiB,EAAA;AAAA,IACnC,QAAU,EAAA,YAAA;AAAA,IACV,KAAK,aAAc,CAAA;AAAA,GACpB,IACA,EAAC;AAEN,EAAA,MAAA,CAAO,iBAAiB,OAAS,EAAA;AAAA,IAC/B,YAAc,EAAA;AAAA,MACZ,KAAA,EAAO,SAAS,YAAA,CAAa,iBAAmC,EAAA;AAC9D,QAAA,aAAA,GAAgB,iBAAiB,iBAAiB,CAAA;AAAA;AACpD,KACF;AAAA,IACA,IAAM,EAAA;AAAA,MACJ,KAAA,EAAO,eAAe,IAAO,GAAA;AAC3B,QAAM,MAAA,IAAA,GAAO,MAAMJ,SAAAA,CAAS,OAAS,EAAA;AAAA,UACnC,QAAU,EAAA,YAAA;AAAA,UACV,KAAK,aAAc,CAAA;AAAA,SACpB,CAAA;AAED,QAAM,MAAA,YAAA,GACJ,aAAc,CAAA,UAAA,CAAW,MACzB,GAAA,IAAA,CAAK,SACL,IAAK,CAAA,SAAA,CAAU,aAAc,CAAA,aAAa,CAAE,CAAA,MAAA;AAE9C,QAAA,IAAI,eAAe,IAAM,EAAA;AACvB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,2CAA2C,YAAY,CAAA,0DAAA;AAAA,WACzD;AAAA;AAGF,QAAY,WAAA,CAAA,GAAA;AAAA,UACV,aAAc,CAAA,UAAA;AAAA,UACd,IAAA;AAAA,UACA,aAAc,CAAA;AAAA,SAChB;AAAA;AACF,KACF;AAAA,IAEA,OAAS,EAAA;AAAA,MACP,KAAA,EAAO,SAAS,OAAU,GAAA;AACxB,QAAA,MAAA,CAAO,IAAK,CAAA,OAAO,CAAE,CAAA,OAAA,CAAQ,CAAC,GAAQ,KAAA;AACpC,UAAA,OAAQ,QAAoC,GAAG,CAAA;AAAA,SAChD,CAAA;AAED,QAAA,MAAM,gBAAgB,EAAE,GAAG,aAAc,CAAA,aAAA,EAAe,QAAQ,CAAE,EAAA;AAClE,QAAA,WAAA,CAAY,GAAI,CAAA,aAAA,CAAc,UAAY,EAAA,EAAA,EAAI,aAAa,CAAA;AAAA;AAC7D;AACF,GACD,CAAA;AAED,EAAO,OAAA,OAAA;AACT;AC9ea,IAAA,QAAA,GAAW,eAAe,MAAM;AAChC,IAAA,UAAA,GAAa,iBAAiB,MAAM;AACpC,IAAA,cAAA,GAAiB,oBAAqB,CAAA,QAAA,EAAU,UAAU","file":"index.js","sourcesContent":["import type { IncomingMessage, ServerResponse } from \"http\";\nimport { parse, serialize, type CookieSerializeOptions } from \"cookie\";\nimport {\n  defaults as ironDefaults,\n  seal as ironSeal,\n  unseal as ironUnseal,\n} from \"iron-webcrypto\";\n\ntype PasswordsMap = Record<string, string>;\ntype Password = PasswordsMap | string;\ntype RequestType = IncomingMessage | Request;\ntype ResponseType = Response | ServerResponse;\n\n/**\n * {@link https://wicg.github.io/cookie-store/#dictdef-cookielistitem CookieListItem}\n * as specified by W3C.\n */\ninterface CookieListItem\n  extends Pick<\n    CookieSerializeOptions,\n    \"domain\" | \"path\" | \"sameSite\" | \"secure\"\n  > {\n  /** A string with the name of a cookie. */\n  name: string;\n  /** A string containing the value of the cookie. */\n  value: string;\n  /** A number of milliseconds or Date interface containing the expires of the cookie. */\n  expires?: CookieSerializeOptions[\"expires\"] | number;\n}\n\n/**\n * Superset of {@link CookieListItem} extending it with\n * the `httpOnly`, `maxAge` and `priority` properties.\n */\ntype ResponseCookie = CookieListItem &\n  Pick<CookieSerializeOptions, \"httpOnly\" | \"maxAge\" | \"priority\">;\n\n/**\n * The high-level type definition of the .get() and .set() methods\n * of { cookies() } from \"next/headers\"\n */\nexport interface CookieStore {\n  get: (name: string) => { name: string; value: string } | undefined;\n  set: {\n    (name: string, value: string, cookie?: Partial<ResponseCookie>): void;\n    (options: ResponseCookie): void;\n  };\n}\n\n/**\n * Set-Cookie Attributes do not include `encode`. We omit this from our `cookieOptions` type.\n *\n * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie\n * @see https://developer.chrome.com/docs/devtools/application/cookies/\n */\ntype CookieOptions = Omit<CookieSerializeOptions, \"encode\">;\n\nexport interface SessionOptions {\n  /**\n   * The cookie name that will be used inside the browser. Make sure it's unique\n   * given your application.\n   *\n   * @example 'vercel-session'\n   */\n  cookieName: string;\n\n  /**\n   * The password(s) that will be used to encrypt the cookie. Can either be a string\n   * or an object.\n   *\n   * When you provide multiple passwords then all of them will be used to decrypt\n   * the cookie. But only the most recent (`= highest key`, `2` in the example)\n   * password will be used to encrypt the cookie. This allows password rotation.\n   *\n   * @example { 1: 'password-1', 2: 'password-2' }\n   */\n  password: Password;\n\n  /**\n   * The time (in seconds) that the session will be valid for. Also sets the\n   * `max-age` attribute of the cookie automatically (`= ttl - 60s`, so that the\n   * cookie always expire before the session).\n   *\n   * `ttl = 0` means no expiration.\n   *\n   * @default 1209600\n   */\n  ttl?: number;\n\n  /**\n   * The options that will be passed to the cookie library.\n   *\n   * If you want to use \"session cookies\" (cookies that are deleted when the browser\n   * is closed) then you need to pass `cookieOptions: { maxAge: undefined }`\n   *\n   * @see https://github.com/jshttp/cookie#options-1\n   */\n  cookieOptions?: CookieOptions;\n}\n\nexport type IronSession<T> = T & {\n  /**\n   * Encrypts the session data and sets the cookie.\n   */\n  readonly save: () => Promise<void>;\n\n  /**\n   * Destroys the session data and removes the cookie.\n   */\n  readonly destroy: () => void;\n\n  /**\n   * Update the session configuration. You still need to call save() to send the new cookie.\n   */\n  readonly updateConfig: (newSessionOptions: SessionOptions) => void;\n};\n\n// default time allowed to check for iron seal validity when ttl passed\n// see https://hapi.dev/module/iron/api/?v=7.0.1#options\nconst timestampSkewSec = 60;\nconst fourteenDaysInSeconds = 14 * 24 * 3600;\n\n// We store a token major version to handle data format changes so that the cookies\n// can be kept alive between upgrades, no need to disconnect everyone.\nconst currentMajorVersion = 2;\nconst versionDelimiter = \"~\";\n\nconst defaultOptions: Required<Pick<SessionOptions, \"ttl\" | \"cookieOptions\">> =\n  {\n    ttl: fourteenDaysInSeconds,\n    cookieOptions: { httpOnly: true, secure: true, sameSite: \"lax\", path: \"/\" },\n  };\n\nfunction normalizeStringPasswordToMap(password: Password): PasswordsMap {\n  return typeof password === \"string\" ? { 1: password } : password;\n}\n\nfunction parseSeal(seal: string): {\n  sealWithoutVersion: string;\n  tokenVersion: number | null;\n} {\n  const [sealWithoutVersion, tokenVersionAsString] =\n    seal.split(versionDelimiter);\n  const tokenVersion =\n    tokenVersionAsString == null ? null : parseInt(tokenVersionAsString, 10);\n\n  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n  return { sealWithoutVersion: sealWithoutVersion!, tokenVersion };\n}\n\nfunction computeCookieMaxAge(ttl: number): number {\n  if (ttl === 0) {\n    // ttl = 0 means no expiration\n    // but in reality cookies have to expire (can't have no max-age)\n    // 2147483647 is the max value for max-age in cookies\n    // see https://stackoverflow.com/a/11685301/147079\n    return 2147483647;\n  }\n\n  // The next line makes sure browser will expire cookies before seals are considered expired by the server.\n  // It also allows for clock difference of 60 seconds between server and clients.\n  return ttl - timestampSkewSec;\n}\n\nfunction getCookie(req: RequestType, cookieName: string): string {\n  return (\n    parse(\n      (\"headers\" in req && typeof req.headers.get === \"function\"\n        ? req.headers.get(\"cookie\")\n        : (req as IncomingMessage).headers.cookie) ?? \"\",\n    )[cookieName] ?? \"\"\n  );\n}\n\nfunction getServerActionCookie(\n  cookieName: string,\n  cookieHandler: CookieStore,\n): string {\n  const cookieObject = cookieHandler.get(cookieName);\n  const cookie = cookieObject?.value;\n  if (typeof cookie === \"string\") {\n    return cookie;\n  }\n  return \"\";\n}\n\nfunction setCookie(res: ResponseType, cookieValue: string): void {\n  if (\"headers\" in res && typeof res.headers.append === \"function\") {\n    res.headers.append(\"set-cookie\", cookieValue);\n    return;\n  }\n  let existingSetCookie = (res as ServerResponse).getHeader(\"set-cookie\") ?? [];\n  if (!Array.isArray(existingSetCookie)) {\n    existingSetCookie = [existingSetCookie.toString()];\n  }\n  (res as ServerResponse).setHeader(\"set-cookie\", [\n    ...existingSetCookie,\n    cookieValue,\n  ]);\n}\n\nexport function createSealData(_crypto: Crypto) {\n  return async function sealData(\n    data: unknown,\n    {\n      password,\n      ttl = fourteenDaysInSeconds,\n    }: { password: Password; ttl?: number },\n  ): Promise<string> {\n    const passwordsMap = normalizeStringPasswordToMap(password);\n\n    const mostRecentPasswordId = Math.max(\n      ...Object.keys(passwordsMap).map(Number),\n    );\n    const passwordForSeal = {\n      id: mostRecentPasswordId.toString(),\n      secret: passwordsMap[mostRecentPasswordId]!,\n    };\n\n    const seal = await ironSeal(_crypto, data, passwordForSeal, {\n      ...ironDefaults,\n      ttl: ttl * 1000,\n    });\n\n    return `${seal}${versionDelimiter}${currentMajorVersion}`;\n  };\n}\n\nexport function createUnsealData(_crypto: Crypto) {\n  return async function unsealData<T>(\n    seal: string,\n    {\n      password,\n      ttl = fourteenDaysInSeconds,\n    }: { password: Password; ttl?: number },\n  ): Promise<T> {\n    const passwordsMap = normalizeStringPasswordToMap(password);\n    const { sealWithoutVersion, tokenVersion } = parseSeal(seal);\n\n    try {\n      const data =\n        (await ironUnseal(_crypto, sealWithoutVersion, passwordsMap, {\n          ...ironDefaults,\n          ttl: ttl * 1000,\n        })) ?? {};\n\n      if (tokenVersion === 2) {\n        return data as T;\n      }\n\n      // @ts-expect-error `persistent` does not exist on newer tokens\n      return { ...data.persistent } as T;\n    } catch (error) {\n      if (\n        error instanceof Error &&\n        /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components)/.test(\n          error.message,\n        )\n      ) {\n        // if seal expired or\n        // if seal is not valid (encrypted using a different password, when passwords are badly rotated) or\n        // if we can't find back the password in the seal\n        // then we just start a new session over\n        return {} as T;\n      }\n\n      throw error;\n    }\n  };\n}\n\nfunction getSessionConfig(\n  sessionOptions: SessionOptions,\n): Required<SessionOptions> {\n  const options = {\n    ...defaultOptions,\n    ...sessionOptions,\n    cookieOptions: {\n      ...defaultOptions.cookieOptions,\n      ...(sessionOptions.cookieOptions || {}),\n    },\n  };\n\n  if (\n    sessionOptions.cookieOptions &&\n    \"maxAge\" in sessionOptions.cookieOptions\n  ) {\n    if (sessionOptions.cookieOptions.maxAge === undefined) {\n      // session cookies, do not set maxAge, consider token as infinite\n      options.ttl = 0;\n    }\n  } else {\n    options.cookieOptions.maxAge = computeCookieMaxAge(options.ttl);\n  }\n\n  return options;\n}\n\nconst badUsageMessage =\n  \"iron-session: Bad usage: use getIronSession(req, res, options) or getIronSession(cookieStore, options).\";\n\nexport function createGetIronSession(\n  sealData: ReturnType<typeof createSealData>,\n  unsealData: ReturnType<typeof createUnsealData>,\n) {\n  return getIronSession;\n\n  async function getIronSession<T extends object>(\n    cookies: CookieStore,\n    sessionOptions: SessionOptions,\n  ): Promise<IronSession<T>>;\n  async function getIronSession<T extends object>(\n    req: RequestType,\n    res: ResponseType,\n    sessionOptions: SessionOptions,\n  ): Promise<IronSession<T>>;\n  async function getIronSession<T extends object>(\n    reqOrCookieStore: RequestType | CookieStore,\n    resOrsessionOptions: ResponseType | SessionOptions,\n    sessionOptions?: SessionOptions,\n  ): Promise<IronSession<T>> {\n    if (!reqOrCookieStore) {\n      throw new Error(badUsageMessage);\n    }\n\n    if (!resOrsessionOptions) {\n      throw new Error(badUsageMessage);\n    }\n\n    if (!sessionOptions) {\n      return getIronSessionFromCookieStore<T>(\n        reqOrCookieStore as CookieStore,\n        resOrsessionOptions as SessionOptions,\n        sealData,\n        unsealData,\n      );\n    }\n\n    const req = reqOrCookieStore as RequestType;\n    const res = resOrsessionOptions as ResponseType;\n\n    if (!sessionOptions) {\n      throw new Error(badUsageMessage);\n    }\n\n    if (!sessionOptions.cookieName) {\n      throw new Error(\"iron-session: Bad usage. Missing cookie name.\");\n    }\n\n    if (!sessionOptions.password) {\n      throw new Error(\"iron-session: Bad usage. Missing password.\");\n    }\n\n    const passwordsMap = normalizeStringPasswordToMap(sessionOptions.password);\n\n    if (Object.values(passwordsMap).some((password) => password.length < 32)) {\n      throw new Error(\n        \"iron-session: Bad usage. Password must be at least 32 characters long.\",\n      );\n    }\n\n    let sessionConfig = getSessionConfig(sessionOptions);\n\n    const sealFromCookies = getCookie(req, sessionConfig.cookieName);\n    const session = sealFromCookies\n      ? await unsealData<T>(sealFromCookies, {\n          password: passwordsMap,\n          ttl: sessionConfig.ttl,\n        })\n      : ({} as T);\n\n    Object.defineProperties(session, {\n      updateConfig: {\n        value: function updateConfig(newSessionOptions: SessionOptions) {\n          sessionConfig = getSessionConfig(newSessionOptions);\n        },\n      },\n      save: {\n        value: async function save() {\n          if (\"headersSent\" in res && res.headersSent) {\n            throw new Error(\n              \"iron-session: Cannot set session cookie: session.save() was called after headers were sent. Make sure to call it before any res.send() or res.end()\",\n            );\n          }\n\n          const seal = await sealData(session, {\n            password: passwordsMap,\n            ttl: sessionConfig.ttl,\n          });\n          const cookieValue = serialize(\n            sessionConfig.cookieName,\n            seal,\n            sessionConfig.cookieOptions,\n          );\n\n          if (cookieValue.length > 4096) {\n            throw new Error(\n              `iron-session: Cookie length is too big (${cookieValue.length} bytes), browsers will refuse it. Try to remove some data.`,\n            );\n          }\n\n          setCookie(res, cookieValue);\n        },\n      },\n\n      destroy: {\n        value: function destroy() {\n          Object.keys(session).forEach((key) => {\n            delete (session as Record<string, unknown>)[key];\n          });\n          const cookieValue = serialize(sessionConfig.cookieName, \"\", {\n            ...sessionConfig.cookieOptions,\n            maxAge: 0,\n          });\n\n          setCookie(res, cookieValue);\n        },\n      },\n    });\n\n    return session as IronSession<T>;\n  }\n}\n\nasync function getIronSessionFromCookieStore<T extends object>(\n  cookieStore: CookieStore,\n  sessionOptions: SessionOptions,\n  sealData: ReturnType<typeof createSealData>,\n  unsealData: ReturnType<typeof createUnsealData>,\n): Promise<IronSession<T>> {\n  if (!sessionOptions.cookieName) {\n    throw new Error(\"iron-session: Bad usage. Missing cookie name.\");\n  }\n\n  if (!sessionOptions.password) {\n    throw new Error(\"iron-session: Bad usage. Missing password.\");\n  }\n\n  const passwordsMap = normalizeStringPasswordToMap(sessionOptions.password);\n\n  if (Object.values(passwordsMap).some((password) => password.length < 32)) {\n    throw new Error(\n      \"iron-session: Bad usage. Password must be at least 32 characters long.\",\n    );\n  }\n\n  let sessionConfig = getSessionConfig(sessionOptions);\n  const sealFromCookies = getServerActionCookie(\n    sessionConfig.cookieName,\n    cookieStore,\n  );\n  const session = sealFromCookies\n    ? await unsealData<T>(sealFromCookies, {\n        password: passwordsMap,\n        ttl: sessionConfig.ttl,\n      })\n    : ({} as T);\n\n  Object.defineProperties(session, {\n    updateConfig: {\n      value: function updateConfig(newSessionOptions: SessionOptions) {\n        sessionConfig = getSessionConfig(newSessionOptions);\n      },\n    },\n    save: {\n      value: async function save() {\n        const seal = await sealData(session, {\n          password: passwordsMap,\n          ttl: sessionConfig.ttl,\n        });\n\n        const cookieLength =\n          sessionConfig.cookieName.length +\n          seal.length +\n          JSON.stringify(sessionConfig.cookieOptions).length;\n\n        if (cookieLength > 4096) {\n          throw new Error(\n            `iron-session: Cookie length is too big (${cookieLength} bytes), browsers will refuse it. Try to remove some data.`,\n          );\n        }\n\n        cookieStore.set(\n          sessionConfig.cookieName,\n          seal,\n          sessionConfig.cookieOptions,\n        );\n      },\n    },\n\n    destroy: {\n      value: function destroy() {\n        Object.keys(session).forEach((key) => {\n          delete (session as Record<string, unknown>)[key];\n        });\n\n        const cookieOptions = { ...sessionConfig.cookieOptions, maxAge: 0 };\n        cookieStore.set(sessionConfig.cookieName, \"\", cookieOptions);\n      },\n    },\n  });\n\n  return session as IronSession<T>;\n}\n","import {\n  createGetIronSession,\n  createSealData,\n  createUnsealData,\n} from \"./core.js\";\n\nimport * as crypto from \"uncrypto\";\n\nexport type { IronSession, SessionOptions } from \"./core.js\";\nexport const sealData = createSealData(crypto);\nexport const unsealData = createUnsealData(crypto);\nexport const getIronSession = createGetIronSession(sealData, unsealData);\n"]}

package/package.json

@@ -0,0 +1,89 @@
+{
+  "name": "@opensourceframework/next-iron-session",
+  "version": "8.0.4",
+  "description": "Secure, stateless, and cookie-based session library for JavaScript",
+  "keywords": [
+    "session",
+    "secure",
+    "stateless",
+    "cookie",
+    "encryption",
+    "security",
+    "next.js",
+    "node.js"
+  ],
+  "bugs": "https://github.com/vvo/iron-session/issues",
+  "repository": "github:vvo/iron-session",
+  "funding": [
+    "https://github.com/sponsors/vvo",
+    "https://github.com/sponsors/brc-dd"
+  ],
+  "license": "MIT",
+  "author": "OpenSource Framework Contributors (fork), Original: Unknown",
+  "sideEffects": false,
+  "type": "module",
+  "exports": {
+    "import": "./dist/index.js",
+    "require": "./dist/index.cjs"
+  },
+  "main": "./dist/index.cjs",
+  "files": [
+    "dist/*"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "pnpm build && concurrently \"pnpm build --watch\" \"pnpm --filter=next-example dev\" ",
+    "lint": "tsc --noEmit && tsc --noEmit -p examples/next/tsconfig.json && pnpm eslint . && publint",
+    "prepare": "pnpm build",
+    "start": "turbo start --filter=next-example",
+    "test": "vitest run && pnpm build",
+    "test:watch": "vitest"
+  },
+  "prettier": {
+    "plugins": [
+      "prettier-plugin-packagejson"
+    ],
+    "trailingComma": "all"
+  },
+  "dependencies": {
+    "cookie": "^0.7.2",
+    "iron-webcrypto": "^1.2.1",
+    "uncrypto": "^0.1.3"
+  },
+  "devDependencies": {
+    "@types/cookie": "0.6.0",
+    "@types/node": "20.17.24",
+    "@typescript-eslint/eslint-plugin": "7.18.0",
+    "@typescript-eslint/parser": "7.18.0",
+    "c8": "10.1.3",
+    "concurrently": "8.2.2",
+    "eslint": "8.57.1",
+    "eslint-config-prettier": "9.1.0",
+    "eslint-import-resolver-node": "0.3.9",
+    "eslint-import-resolver-typescript": "3.9.1",
+    "eslint-plugin-import": "2.31.0",
+    "eslint-plugin-prettier": "5.2.5",
+    "prettier": "3.5.3",
+    "prettier-plugin-packagejson": "2.5.10",
+    "publint": "0.3.9",
+    "tsup": "8.4.0",
+    "tsx": "4.19.3",
+    "turbo": "^2.0.5",
+    "typescript": "5.8.2",
+    "vitest": "^4.0.18"
+  },
+  "packageManager": "pnpm@9.6.0",
+  "publishConfig": {
+    "access": "public"
+  },
+  "contributors": [
+    {
+      "name": "Unknown",
+      "url": "https://github.com/next-iron-session"
+    }
+  ],
+  "homepage": "https://github.com/riceharvest/opensourceframework/tree/main/packages/next-iron-session#readme",
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}