@rudderjs/session 1.0.2 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +2 -3
  2. package/boost/guidelines.md +97 -0
  3. package/package.json +5 -4
package/README.md CHANGED
@@ -41,11 +41,10 @@ export default {
41
41
 
42
42
  ```ts
43
43
  // bootstrap/providers.ts
44
- import { session } from '@rudderjs/session'
45
- import configs from '../config/index.js'
44
+ import { SessionProvider } from '@rudderjs/session'
46
45
 
47
46
  export default [
48
- session(configs.session),
47
+ SessionProvider,
49
48
  ]
50
49
  ```
51
50
 
package/boost/guidelines.md ADDED
@@ -0,0 +1,97 @@
1
+ # @rudderjs/session
2
+
3
+ ## Overview
4
+
5
+ HTTP session support — signed cookie sessions (default) and Redis-backed sessions. Provides `SessionInstance` on `req.session`, the `Session` facade (AsyncLocalStorage-backed), flash data, and session ID regeneration. Auto-installs on the `web` route group via `appendToGroup('web', sessionMiddleware(cfg))` — apps do NOT need to wire it manually.
6
+
7
+ ## Key Patterns
8
+
9
+ ### Setup
10
+
11
+ ```ts
12
+ // config/session.ts
13
+ export default {
14
+ driver: 'cookie', // or 'redis'
15
+ lifetime: 120, // minutes
16
+ secret: process.env.SESSION_SECRET,
17
+ cookie: {
18
+ name: 'rudderjs_session',
19
+ secure: true,
20
+ httpOnly: true,
21
+ sameSite: 'lax',
22
+ },
23
+ } satisfies SessionConfig
24
+
25
+ // bootstrap/providers.ts
26
+ import { SessionProvider } from '@rudderjs/session'
27
+ export default [SessionProvider]
28
+ ```
29
+
30
+ No per-route wiring needed on web routes — the provider auto-installs on the `web` group during `boot()`.
31
+
32
+ ### Reading and writing
33
+
34
+ ```ts
35
+ // req.session is typed on every web request
36
+ Route.get('/profile', (req, res) => {
37
+ const visits = (req.session.get<number>('visits') ?? 0) + 1
38
+ req.session.put('visits', visits)
39
+ res.json({ visits })
40
+ })
41
+
42
+ // Session facade — works anywhere inside a middleware-wrapped request
43
+ import { Session } from '@rudderjs/session'
44
+
45
+ Session.put('theme', 'dark')
46
+ const theme = Session.get<string>('theme')
47
+ Session.forget('theme')
48
+ ```
49
+
50
+ ### Flash data
51
+
52
+ Available on the **next** request only — typically used for post-redirect messages:
53
+
54
+ ```ts
55
+ Session.flash('success', 'Post created!') // set on this request
56
+ // ...redirect...
57
+ Session.getFlash<string>('success') // readable on the next request; cleared after read
58
+ ```
59
+
60
+ ### Session ID and regeneration
61
+
62
+ Always regenerate after login to prevent session fixation:
63
+
64
+ ```ts
65
+ const id = req.session.id()
66
+ await req.session.regenerate() // new ID, same data
67
+ ```
68
+
69
+ ### API routes are stateless
70
+
71
+ API routes don't get session by default. If a specific api route needs session, mount `SessionMiddleware()` per-route:
72
+
73
+ ```ts
74
+ // routes/api.ts
75
+ Route.post('/api/preferences', handler, [SessionMiddleware()])
76
+ ```
77
+
78
+ ## Common Pitfalls
79
+
80
+ - **`m.use(sessionMiddleware(cfg))` globally.** Don't. Doubles up with the auto-install on the `web` group, reads from two different `SessionInstance`s, and api routes get session they shouldn't have. Symptom: data set in the handler doesn't persist across requests.
81
+ - **`Session.current()` throws outside middleware.** It reads from AsyncLocalStorage; calling it outside a middleware-wrapped request has no ALS context. Use `Session.active()` for a non-throwing check, or guard with try/catch if you might be in a stateless context (`SessionGuard.user()` does this).
82
+ - **Cookie driver size limit.** The cookie driver stores all session data client-side — keep values small (~4 KB cookie limit). For larger payloads use the Redis driver.
83
+ - **Forgetting `session.regenerate()` after login.** Without it you're vulnerable to session fixation. `@rudderjs/auth`'s `Auth.login()` calls `regenerate()` automatically — if you log a user in manually, remember to regenerate.
84
+ - **Redis driver without `ioredis`.** The Redis driver lazy-loads `ioredis`. Install it as a peer: `pnpm add ioredis`.
85
+
86
+ ## Key Imports
87
+
88
+ ```ts
89
+ // Provider + middleware
90
+ import { SessionProvider, sessionMiddleware, SessionMiddleware } from '@rudderjs/session'
91
+
92
+ // Facade
93
+ import { Session } from '@rudderjs/session'
94
+
95
+ // Types
96
+ import type { SessionConfig, SessionInstance } from '@rudderjs/session'
97
+ ```
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@rudderjs/session",
3
- "version": "1.0.2",
3
+ "version": "1.0.3",
4
4
  "rudderjs": {
5
5
  "provider": "SessionProvider",
6
6
  "stage": "infrastructure"
@@ -13,7 +13,8 @@
13
13
  },
14
14
  "type": "module",
15
15
  "files": [
16
- "dist"
16
+ "dist",
17
+ "boost"
17
18
  ],
18
19
  "main": "./dist/index.js",
19
20
  "types": "./dist/index.d.ts",
@@ -24,8 +25,8 @@
24
25
  }
25
26
  },
26
27
  "dependencies": {
27
- "@rudderjs/core": "^1.0.0",
28
- "@rudderjs/contracts": "^1.1.0"
28
+ "@rudderjs/contracts": "^1.2.0",
29
+ "@rudderjs/core": "^1.1.2"
29
30
  },
30
31
  "optionalDependencies": {
31
32
  "ioredis": "^5.3.0"