@prairielearn/session 1.0.0

package/dist/session.js

@@ -0,0 +1,78 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hashSession = exports.makeSession = exports.loadSession = exports.generateSessionId = void 0;
+const uid_safe_1 = __importDefault(require("uid-safe"));
+const node_crypto_1 = __importDefault(require("node:crypto"));
+async function generateSessionId() {
+    return await (0, uid_safe_1.default)(24);
+}
+exports.generateSessionId = generateSessionId;
+async function loadSession(sessionId, req, store, maxAge) {
+    const sessionStoreData = await store.get(sessionId);
+    const expiresAt = sessionStoreData?.expiresAt ?? null;
+    const session = makeSession(sessionId, req, store, expiresAt, maxAge);
+    // Copy session data into the session object.
+    if (sessionStoreData != null) {
+        const { data } = sessionStoreData;
+        for (const prop in data) {
+            if (!(prop in session)) {
+                session[prop] = data[prop];
+            }
+        }
+    }
+    return session;
+}
+exports.loadSession = loadSession;
+function makeSession(sessionId, req, store, expirationDate, maxAge) {
+    const session = {};
+    let expiresAt = expirationDate;
+    defineStaticProperty(session, 'id', sessionId);
+    defineStaticProperty(session, 'destroy', async () => {
+        delete req.session;
+        await store.destroy(sessionId);
+    });
+    defineStaticProperty(session, 'regenerate', async () => {
+        await store.destroy(sessionId);
+        req.session = makeSession(await generateSessionId(), req, store, null, maxAge);
+    });
+    defineStaticProperty(session, 'getExpirationDate', () => {
+        if (expiresAt == null) {
+            expiresAt = new Date(Date.now() + maxAge);
+        }
+        return expiresAt;
+    });
+    defineStaticProperty(session, 'setExpiration', (expiration) => {
+        if (typeof expiration === 'number') {
+            expiresAt = new Date(Date.now() + expiration);
+        }
+        else {
+            expiresAt = expiration;
+        }
+    });
+    return session;
+}
+exports.makeSession = makeSession;
+function hashSession(session) {
+    const str = JSON.stringify(session, function (key, val) {
+        // ignore cookie property on the root object
+        if (this === session && key === 'cookie') {
+            return;
+        }
+        return val;
+    });
+    // hash
+    return node_crypto_1.default.createHash('sha1').update(str, 'utf8').digest('hex');
+}
+exports.hashSession = hashSession;
+function defineStaticProperty(obj, name, fn) {
+    Object.defineProperty(obj, name, {
+        configurable: false,
+        enumerable: false,
+        writable: false,
+        value: fn,
+    });
+}
+//# sourceMappingURL=session.js.map

package/dist/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":";;;;;;AACA,wDAA2B;AAC3B,8DAAiC;AAa1B,KAAK,UAAU,iBAAiB;IACrC,OAAO,MAAM,IAAA,kBAAG,EAAC,EAAE,CAAC,CAAC;AACvB,CAAC;AAFD,8CAEC;AAEM,KAAK,UAAU,WAAW,CAC/B,SAAiB,EACjB,GAAY,EACZ,KAAmB,EACnB,MAAc;IAEd,MAAM,gBAAgB,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,gBAAgB,EAAE,SAAS,IAAI,IAAI,CAAC;IAEtD,MAAM,OAAO,GAAG,WAAW,CAAC,SAAS,EAAE,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAEtE,6CAA6C;IAC7C,IAAI,gBAAgB,IAAI,IAAI,EAAE;QAC5B,MAAM,EAAE,IAAI,EAAE,GAAG,gBAAgB,CAAC;QAClC,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE;YACvB,IAAI,CAAC,CAAC,IAAI,IAAI,OAAO,CAAC,EAAE;gBACtB,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;aAC5B;SACF;KACF;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAtBD,kCAsBC;AAED,SAAgB,WAAW,CACzB,SAAiB,EACjB,GAAY,EACZ,KAAmB,EACnB,cAA2B,EAC3B,MAAc;IAEd,MAAM,OAAO,GAAG,EAAE,CAAC;IAEnB,IAAI,SAAS,GAAG,cAAc,CAAC;IAE/B,oBAAoB,CAAgB,OAAO,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC;IAE9D,oBAAoB,CAAqB,OAAO,EAAE,SAAS,EAAE,KAAK,IAAI,EAAE;QACtE,OAAQ,GAAW,CAAC,OAAO,CAAC;QAC5B,MAAM,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,oBAAoB,CAAwB,OAAO,EAAE,YAAY,EAAE,KAAK,IAAI,EAAE;QAC5E,MAAM,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC/B,GAAG,CAAC,OAAO,GAAG,WAAW,CAAC,MAAM,iBAAiB,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;IAEH,oBAAoB,CAA+B,OAAO,EAAE,mBAAmB,EAAE,GAAG,EAAE;QACpF,IAAI,SAAS,IAAI,IAAI,EAAE;YACrB,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,CAAC;SAC3C;QACD,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,oBAAoB,CAA2B,OAAO,EAAE,eAAe,EAAE,CAAC,UAAU,EAAE,EAAE;QACtF,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE;YAClC,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,CAAC;SAC/C;aAAM;YACL,SAAS,GAAG,UAAU,CAAC;SACxB;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,OAAkB,CAAC;AAC5B,CAAC;AAvCD,kCAuCC;AAED,SAAgB,WAAW,CAAC,OAAgB;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,UAAU,GAAG,EAAE,GAAG;QACpD,4CAA4C;QAC5C,IAAI,IAAI,KAAK,OAAO,IAAI,GAAG,KAAK,QAAQ,EAAE;YACxC,OAAO;SACR;QAED,OAAO,GAAG,CAAC;IACb,CAAC,CAAC,CAAC;IAEH,OAAO;IACP,OAAO,qBAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACrE,CAAC;AAZD,kCAYC;AAED,SAAS,oBAAoB,CAAI,GAAW,EAAE,IAAY,EAAE,EAAK;IAC/D,MAAM,CAAC,cAAc,CAAC,GAAG,EAAE,IAAI,EAAE;QAC/B,YAAY,EAAE,KAAK;QACnB,UAAU,EAAE,KAAK;QACjB,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,EAAE;KACV,CAAC,CAAC;AACL,CAAC"}

package/dist/session.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/session.test.js

@@ -0,0 +1,92 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const chai_1 = require("chai");
+const memory_store_1 = require("./memory-store");
+const session_1 = require("./session");
+const SESSION_MAX_AGE = 10000;
+const SESSION_EXPIRATION_DATE = new Date(Date.now() + SESSION_MAX_AGE);
+describe('session', () => {
+    describe('loadSession', () => {
+        it('loads session that does not exist', async () => {
+            const store = new memory_store_1.MemoryStore();
+            const req = {};
+            const session = await (0, session_1.loadSession)('123', req, store, SESSION_MAX_AGE);
+            chai_1.assert.equal(session.id, '123');
+        });
+        it('loads session from store', async () => {
+            const store = new memory_store_1.MemoryStore();
+            await store.set('123', { foo: 'bar' }, SESSION_EXPIRATION_DATE);
+            const req = {};
+            const session = await (0, session_1.loadSession)('123', req, store, SESSION_MAX_AGE);
+            chai_1.assert.equal(session.id, '123');
+            chai_1.assert.equal(session.foo, 'bar');
+        });
+        it('does not try to overwrite existing session properties', async () => {
+            const store = new memory_store_1.MemoryStore();
+            await store.set('123', { foo: 'bar', id: '456' }, SESSION_EXPIRATION_DATE);
+            const req = {};
+            const session = await (0, session_1.loadSession)('123', req, store, SESSION_MAX_AGE);
+            chai_1.assert.equal(session.id, '123');
+            chai_1.assert.equal(session.foo, 'bar');
+        });
+    });
+    describe('makeSession', () => {
+        it('has immutable properties', () => {
+            const store = new memory_store_1.MemoryStore();
+            const req = {};
+            const session = (0, session_1.makeSession)('123', req, store, SESSION_EXPIRATION_DATE, SESSION_MAX_AGE);
+            chai_1.assert.equal(session.id, '123');
+            const originalId = session.id;
+            const originalDestroy = session.destroy;
+            const originalRegenerate = session.regenerate;
+            chai_1.assert.throw(() => {
+                session.id = '456';
+            });
+            chai_1.assert.throw(() => {
+                session.destroy = async () => { };
+            });
+            chai_1.assert.throw(() => {
+                session.regenerate = async () => { };
+            });
+            chai_1.assert.equal(session.id, originalId);
+            chai_1.assert.equal(session.destroy, originalDestroy);
+            chai_1.assert.equal(session.regenerate, originalRegenerate);
+        });
+        it('has immutable destroy property', async () => {
+            const store = new memory_store_1.MemoryStore();
+            const req = {};
+            const session = (0, session_1.makeSession)('123', req, store, SESSION_EXPIRATION_DATE, SESSION_MAX_AGE);
+            chai_1.assert.throw(() => {
+                session.destroy = async () => { };
+            });
+        });
+        it('can destroy itself', async () => {
+            const store = new memory_store_1.MemoryStore();
+            const req = {};
+            const session = (0, session_1.makeSession)('123', req, store, SESSION_EXPIRATION_DATE, SESSION_MAX_AGE);
+            req.session = session;
+            await session.destroy();
+            chai_1.assert.isUndefined(req.session);
+            chai_1.assert.isNull(await store.get('123'));
+        });
+        it('can regenerate itself', async () => {
+            const store = new memory_store_1.MemoryStore();
+            const req = {};
+            const session = (0, session_1.makeSession)('123', req, store, SESSION_EXPIRATION_DATE, SESSION_MAX_AGE);
+            req.session = session;
+            await session.regenerate();
+            chai_1.assert.notEqual(req.session, session);
+            chai_1.assert.notEqual(req.session.id, '123');
+            chai_1.assert.isNull(await store.get('123'));
+        });
+    });
+    describe('hashSession', () => {
+        it('ignores the cookie property', () => {
+            const hash1 = (0, session_1.hashSession)({ id: '123' });
+            const hash2 = (0, session_1.hashSession)({ id: '123', cookie: { foo: 'bar' } });
+            chai_1.assert.equal(hash1, hash2);
+        });
+    });
+    it('has cookie property', () => { });
+});
+//# sourceMappingURL=session.test.js.map

package/dist/session.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.test.js","sourceRoot":"","sources":["../src/session.test.ts"],"names":[],"mappings":";;AAAA,+BAA8B;AAE9B,iDAA6C;AAC7C,uCAAkE;AAElE,MAAM,eAAe,GAAG,KAAK,CAAC;AAC9B,MAAM,uBAAuB,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,eAAe,CAAC,CAAC;AAEvE,QAAQ,CAAC,SAAS,EAAE,GAAG,EAAE;IACvB,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;YACjD,MAAM,KAAK,GAAG,IAAI,0BAAW,EAAE,CAAC;YAEhC,MAAM,GAAG,GAAG,EAAS,CAAC;YACtB,MAAM,OAAO,GAAG,MAAM,IAAA,qBAAW,EAAC,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;YAEtE,aAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAClC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;YACxC,MAAM,KAAK,GAAG,IAAI,0BAAW,EAAE,CAAC;YAChC,MAAM,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,uBAAuB,CAAC,CAAC;YAEhE,MAAM,GAAG,GAAG,EAAS,CAAC;YACtB,MAAM,OAAO,GAAG,MAAM,IAAA,qBAAW,EAAC,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;YAEtE,aAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAChC,aAAM,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;YACrE,MAAM,KAAK,GAAG,IAAI,0BAAW,EAAE,CAAC;YAChC,MAAM,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,uBAAuB,CAAC,CAAC;YAE3E,MAAM,GAAG,GAAG,EAAS,CAAC;YACtB,MAAM,OAAO,GAAG,MAAM,IAAA,qBAAW,EAAC,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;YAEtE,aAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAChC,aAAM,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;YAClC,MAAM,KAAK,GAAG,IAAI,0BAAW,EAAE,CAAC;YAEhC,MAAM,GAAG,GAAG,EAAS,CAAC;YACtB,MAAM,OAAO,GAAG,IAAA,qBAAW,EAAC,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,uBAAuB,EAAE,eAAe,CAAC,CAAC;YAEzF,aAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YAEhC,MAAM,UAAU,GAAG,OAAO,CAAC,EAAE,CAAC;YAC9B,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC;YACxC,MAAM,kBAAkB,GAAG,OAAO,CAAC,UAAU,CAAC;YAE9C,aAAM,CAAC,KAAK,CAAC,GAAG,EAAE;gBAChB,OAAO,CAAC,EAAE,GAAG,KAAK,CAAC;YACrB,CAAC,CAAC,CAAC;YAEH,aAAM,CAAC,KAAK,CAAC,GAAG,EAAE;gBAChB,OAAO,CAAC,OAAO,GAAG,KAAK,IAAI,EAAE,GAAE,CAAC,CAAC;YACnC,CAAC,CAAC,CAAC;YAEH,aAAM,CAAC,KAAK,CAAC,GAAG,EAAE;gBAChB,OAAO,CAAC,UAAU,GAAG,KAAK,IAAI,EAAE,GAAE,CAAC,CAAC;YACtC,CAAC,CAAC,CAAC;YAEH,aAAM,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;YACrC,aAAM,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;YAC/C,aAAM,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,MAAM,KAAK,GAAG,IAAI,0BAAW,EAAE,CAAC;YAEhC,MAAM,GAAG,GAAG,EAAS,CAAC;YACtB,MAAM,OAAO,GAAG,IAAA,qBAAW,EAAC,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,uBAAuB,EAAE,eAAe,CAAC,CAAC;YAEzF,aAAM,CAAC,KAAK,CAAC,GAAG,EAAE;gBAChB,OAAO,CAAC,OAAO,GAAG,KAAK,IAAI,EAAE,GAAE,CAAC,CAAC;YACnC,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oBAAoB,EAAE,KAAK,IAAI,EAAE;YAClC,MAAM,KAAK,GAAG,IAAI,0BAAW,EAAE,CAAC;YAEhC,MAAM,GAAG,GAAG,EAAS,CAAC;YACtB,MAAM,OAAO,GAAG,IAAA,qBAAW,EAAC,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,uBAAuB,EAAE,eAAe,CAAC,CAAC;YACzF,GAAG,CAAC,OAAO,GAAG,OAAO,CAAC;YAEtB,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC;YAExB,aAAM,CAAC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAChC,aAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uBAAuB,EAAE,KAAK,IAAI,EAAE;YACrC,MAAM,KAAK,GAAG,IAAI,0BAAW,EAAE,CAAC;YAEhC,MAAM,GAAG,GAAG,EAAS,CAAC;YACtB,MAAM,OAAO,GAAG,IAAA,qBAAW,EAAC,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,uBAAuB,EAAE,eAAe,CAAC,CAAC;YACzF,GAAG,CAAC,OAAO,GAAG,OAAO,CAAC;YAEtB,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC;YAE3B,aAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACtC,aAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;YACvC,aAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;YACrC,MAAM,KAAK,GAAG,IAAA,qBAAW,EAAC,EAAE,EAAE,EAAE,KAAK,EAAS,CAAC,CAAC;YAChD,MAAM,KAAK,GAAG,IAAA,qBAAW,EAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,EAAS,CAAC,CAAC;YAExE,aAAM,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;AACtC,CAAC,CAAC,CAAC"}

package/dist/store.d.ts

@@ -0,0 +1,9 @@
+export interface SessionStoreData {
+    data: any;
+    expiresAt: Date;
+}
+export interface SessionStore {
+    set(id: string, session: any, expiresAt: Date): Promise<void>;
+    get(id: string): Promise<SessionStoreData | null>;
+    destroy(id: string): Promise<void>;
+}

package/dist/store.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=store.js.map

package/dist/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../src/store.ts"],"names":[],"mappings":""}

package/dist/test-utils.d.ts

@@ -0,0 +1,10 @@
+/// <reference types="node" />
+import express from 'express';
+import { Server } from 'node:http';
+interface WithServerContext {
+    server: Server;
+    port: number;
+    url: string;
+}
+export declare function withServer(app: express.Express, fn: (ctx: WithServerContext) => Promise<void>): Promise<void>;
+export {};

package/dist/test-utils.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withServer = void 0;
+async function withServer(app, fn) {
+    const server = app.listen();
+    await new Promise((resolve, reject) => {
+        server.on('listening', () => resolve());
+        server.on('error', (err) => reject(err));
+    });
+    try {
+        await fn({
+            server,
+            port: getServerPort(server),
+            url: `http://localhost:${getServerPort(server)}`,
+        });
+    }
+    finally {
+        server.close();
+    }
+}
+exports.withServer = withServer;
+function getServerPort(server) {
+    const address = server.address();
+    // istanbul ignore next
+    if (!address)
+        throw new Error('Server is not listening');
+    // istanbul ignore next
+    if (typeof address === 'string')
+        throw new Error('Server is listening on a pipe');
+    return address.port;
+}
+//# sourceMappingURL=test-utils.js.map

package/dist/test-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"test-utils.js","sourceRoot":"","sources":["../src/test-utils.ts"],"names":[],"mappings":";;;AASO,KAAK,UAAU,UAAU,CAC9B,GAAoB,EACpB,EAA6C;IAE7C,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;IAE5B,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,EAAE,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QACxC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,IAAI;QACF,MAAM,EAAE,CAAC;YACP,MAAM;YACN,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC;YAC3B,GAAG,EAAE,oBAAoB,aAAa,CAAC,MAAM,CAAC,EAAE;SACjD,CAAC,CAAC;KACJ;YAAS;QACR,MAAM,CAAC,KAAK,EAAE,CAAC;KAChB;AACH,CAAC;AApBD,gCAoBC;AAED,SAAS,aAAa,CAAC,MAAc;IACnC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;IAEjC,uBAAuB;IACvB,IAAI,CAAC,OAAO;QAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAEzD,uBAAuB;IACvB,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAElF,OAAO,OAAO,CAAC,IAAI,CAAC;AACtB,CAAC"}

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@prairielearn/session",
+  "version": "1.0.0",
+  "main": "dist/index.js",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/PrairieLearn/PrairieLearn.git",
+    "directory": "packages/session"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch --preserveWatchOutput",
+    "test": "nyc --reporter=html --reporter=text mocha --no-config --require ts-node/register --watch-files src/ src/**/*.test.ts"
+  },
+  "dependencies": {
+    "cookie": "^0.5.0",
+    "cookie-signature": "^1.2.1",
+    "express-async-handler": "^1.2.0",
+    "nyc": "^15.1.0",
+    "on-headers": "^1.0.2",
+    "uid-safe": "^2.1.5"
+  },
+  "devDependencies": {
+    "@prairielearn/tsconfig": "^0.0.0",
+    "@types/chai": "^4.3.5",
+    "@types/cookie": "^0.5.1",
+    "@types/cookie-signature": "^1.1.0",
+    "@types/express": "^4.17.17",
+    "@types/node": "^18.17.12",
+    "@types/node-fetch": "^2.6.4",
+    "@types/on-headers": "^1.0.0",
+    "@types/set-cookie-parser": "^2.4.3",
+    "@types/uid-safe": "^2.1.2",
+    "chai": "^4.3.8",
+    "express": "^4.18.2",
+    "fetch-cookie": "^2.1.0",
+    "mocha": "^10.2.0",
+    "node-fetch": "^2.7.0",
+    "set-cookie-parser": "^2.6.0",
+    "source-map-support": "^0.5.21",
+    "ts-node": "^10.9.1",
+    "typescript": "^5.2.2"
+  }
+}

package/src/before-end.test.ts

@@ -0,0 +1,34 @@
+import express, { type Request, type Response, type NextFunction } from 'express';
+import fetch from 'node-fetch';
+import { assert } from 'chai';
+
+import { beforeEnd } from './before-end';
+import { withServer } from './test-utils';
+
+describe('beforeEnd', () => {
+  it('handles errors correctly', async () => {
+    const app = express();
+    app.use((_req, res, next) => {
+      beforeEnd(res, next, async () => {
+        throw new Error('oops');
+      });
+
+      next();
+    });
+
+    app.get('/', (_req, res) => res.sendStatus(200));
+
+    let error: Error | null = null;
+    app.use((err: any, _req: Request, _res: Response, next: NextFunction) => {
+      error = err;
+      next();
+    });
+
+    await withServer(app, async ({ url }) => {
+      const res = await fetch(url);
+
+      assert.equal(res.status, 200);
+      assert.equal(error?.message, 'oops');
+    });
+  });
+});

package/src/before-end.ts

@@ -0,0 +1,96 @@
+import type { NextFunction } from 'express';
+
+/**
+ * The following function is based on code from `express-session`:
+ *
+ * https://github.com/expressjs/session/blob/1010fadc2f071ddf2add94235d72224cf65159c6/index.js#L246-L360
+ *
+ * This code is used to work around the fact that Express doesn't have a good
+ * hook to allow us to perform some asynchronous operation before the response
+ * is written to the client.
+ *
+ * Note that this is truly only necessary for Express. Other Node frameworks
+ * like Fastify and Adonis have hooks that allow us to do this without any
+ * hacks. It's also probably only useful in the context of Express, as it
+ * seems to rely on the fact that Express and its ecosystem generally don't
+ * call `end()` without an additional chunk of data. If it instead called
+ * `write()` with the final data and then `end()` with no data, this code
+ * wouldn't function as intended. It's possible that `stream.pipe(res)` does
+ * in fact behave this way, so it's probably not completely safe to use this
+ * code when streaming responses back to the client.
+ *
+ * One could probably make this safer by *also* hooking into `response.write()`
+ * and buffering the data. My understanding of Node streams isn't good enough
+ * to implement that, though.
+ */
+export function beforeEnd(res: any, next: NextFunction, fn: () => Promise<void>) {
+  const _end = res.end as any;
+  const _write = res.write as any;
+  let ended = false;
+
+  res.end = function end(chunk: any, encoding: any) {
+    if (ended) {
+      return false;
+    }
+
+    ended = true;
+
+    let ret: any;
+    let sync = true;
+
+    function writeend() {
+      if (sync) {
+        ret = _end.call(res, chunk, encoding);
+        sync = false;
+        return;
+      }
+
+      _end.call(res);
+    }
+
+    function writetop() {
+      if (!sync) {
+        return ret;
+      }
+
+      if (!res._header) {
+        res._implicitHeader();
+      }
+
+      if (chunk == null) {
+        ret = true;
+        return ret;
+      }
+
+      const contentLength = Number(res.getHeader('Content-Length'));
+
+      if (!isNaN(contentLength) && contentLength > 0) {
+        chunk = !Buffer.isBuffer(chunk) ? Buffer.from(chunk, encoding) : chunk;
+        encoding = undefined;
+
+        if (chunk.length !== 0) {
+          ret = _write.call(res, chunk.slice(0, chunk.length - 1));
+          chunk = chunk.slice(chunk.length - 1, chunk.length);
+          return ret;
+        }
+      }
+
+      ret = _write.call(res, chunk, encoding);
+      sync = false;
+
+      return ret;
+    }
+
+    fn().then(
+      () => {
+        writeend();
+      },
+      (err) => {
+        setImmediate(next, err);
+        writeend();
+      },
+    );
+
+    return writetop();
+  };
+}

package/src/cookie.ts

@@ -0,0 +1,38 @@
+import cookie from 'cookie';
+import signature from 'cookie-signature';
+import type { Request } from 'express';
+
+export type CookieSecure = boolean | 'auto' | ((req: Request) => boolean);
+
+export function shouldSecureCookie(req: Request, secure: CookieSecure): boolean {
+  if (typeof secure === 'function') {
+    return secure(req);
+  }
+
+  if (secure === 'auto') {
+    return req.protocol === 'https';
+  }
+
+  return secure;
+}
+
+export function getSessionIdFromCookie(
+  req: Request,
+  cookieName: string,
+  secrets: string[],
+): string | null {
+  const cookies = cookie.parse(req.headers.cookie ?? '');
+  const sessionCookie = cookies[cookieName];
+
+  if (!sessionCookie) return null;
+
+  // Try each secret until we find one that works.
+  for (const secret of secrets) {
+    const value = signature.unsign(sessionCookie, secret);
+    if (value !== false) {
+      return value;
+    }
+  }
+
+  return null;
+}