@zintrust/core 0.1.39 → 0.1.41

package/src/security/CsrfTokenManager.js

@@ -1,18 +1,52 @@
+/* eslint-disable @typescript-eslint/require-await */
 /**
  * CSRF Token Manager
  * Generate, validate, and bind CSRF tokens to sessions
  */
 import { Env } from '../config/env.js';
+import { Logger } from '../config/logger.js';
+import { createRedisConnection } from '../config/workers.js';
+import { ZintrustLang } from '../lang/lang.js';
 import { randomBytes } from '../node-singletons/crypto.js';
+import { RedisKeys } from '../tools/redis/RedisKeyManager.js';
 /**
  * Create a new CSRF token manager instance
  */
-const create = () => {
+const normalizeStoreName = (name) => {
+    const raw = String(name ?? '')
+        .trim()
+        .toLowerCase();
+    if (raw === 'redis')
+        return 'redis';
+    return 'memory';
+};
+const isWorkersRuntime = () => {
+    const globalAny = globalThis;
+    if (globalAny.CF !== undefined)
+        return true;
+    if (typeof globalAny.WebSocketPair === 'function')
+        return true;
+    if (globalAny.caches !== undefined)
+        return true;
+    return false;
+};
+const resolveStoreName = (options) => {
+    if (isWorkersRuntime())
+        return 'memory';
+    return normalizeStoreName(options?.store ?? Env.CSRF_STORE ?? Env.CSRF_DRIVER ?? Env.get('CSRF_STORE', 'memory'));
+};
+const toTokenData = (stored) => {
+    return {
+        token: stored.token,
+        sessionId: stored.sessionId,
+        createdAt: new Date(stored.createdAt),
+        expiresAt: new Date(stored.expiresAt),
+    };
+};
+const createMemoryManager = (tokenLength, tokenTtl) => {
     const tokens = new Map();
-    const tokenLength = Env.TOKEN_LENGTH; // 256 bits
-    const tokenTtl = Env.TOKEN_TTL; // 1 hour in milliseconds
     return {
-        generateToken(sessionId) {
+        async generateToken(sessionId) {
             tokens.delete(sessionId);
             const token = randomBytes(tokenLength).toString('hex');
             const now = new Date();
@@ -21,7 +55,7 @@ const create = () => {
             tokens.set(sessionId, tokenData);
             return token;
         },
-        validateToken(sessionId, token) {
+        async validateToken(sessionId, token) {
             const tokenData = tokens.get(sessionId);
             if (!tokenData)
                 return false;
@@ -33,13 +67,13 @@ const create = () => {
             }
             return isValid;
         },
-        invalidateToken(sessionId) {
+        async invalidateToken(sessionId) {
             tokens.delete(sessionId);
         },
-        getTokenData(sessionId) {
+        async getTokenData(sessionId) {
             return tokens.get(sessionId) ?? null;
         },
-        refreshToken(sessionId) {
+        async refreshToken(sessionId) {
             const tokenData = tokens.get(sessionId);
             if (!tokenData)
                 return null;
@@ -51,7 +85,7 @@ const create = () => {
             tokenData.expiresAt = new Date(Date.now() + tokenTtl);
             return tokenData.token;
         },
-        cleanup() {
+        async cleanup() {
             let removed = 0;
             const now = new Date();
             for (const [sessionId, tokenData] of tokens.entries()) {
@@ -62,14 +96,173 @@ const create = () => {
             }
             return removed;
         },
-        clear() {
+        async clear() {
             tokens.clear();
         },
-        getTokenCount() {
+        async getTokenCount() {
             return tokens.size;
         },
     };
 };
+// Helper functions for Redis CSRF manager
+const createRedisClientFactory = (options) => {
+    let redisClient = options?.redis ?? null;
+    return () => {
+        if (redisClient)
+            return redisClient;
+        const dbFromEnv = Env.CSRF_REDIS_DB;
+        const database = dbFromEnv >= 0 ? dbFromEnv : Env.getInt('REDIS_QUEUE_DB', ZintrustLang.REDIS_DEFAULT_DB);
+        redisClient = createRedisConnection({
+            host: Env.get('REDIS_HOST', 'localhost'),
+            port: Env.getInt('REDIS_PORT', ZintrustLang.REDIS_DEFAULT_PORT),
+            password: Env.get('REDIS_PASSWORD'),
+            db: database,
+        });
+        return redisClient;
+    };
+};
+const createRedisTokenOperations = (keyPrefix, tokenTtl, getRedisClient) => {
+    const buildKey = (sessionId) => `${keyPrefix}${sessionId}`;
+    const fetchTokenData = async (sessionId) => {
+        try {
+            const client = getRedisClient();
+            const payload = await client.get(buildKey(sessionId));
+            if (payload === null || payload === '')
+                return null;
+            const parsed = JSON.parse(payload);
+            return toTokenData(parsed);
+        }
+        catch (error) {
+            Logger.error('CSRF Redis fetch failed', error);
+            return null;
+        }
+    };
+    const saveTokenData = async (data) => {
+        try {
+            const client = getRedisClient();
+            const stored = {
+                token: data.token,
+                sessionId: data.sessionId,
+                createdAt: data.createdAt.getTime(),
+                expiresAt: data.expiresAt.getTime(),
+            };
+            await client.set(buildKey(data.sessionId), JSON.stringify(stored), 'PX', tokenTtl);
+        }
+        catch (error) {
+            Logger.error('CSRF Redis save failed', error);
+        }
+    };
+    const deleteToken = async (sessionId) => {
+        try {
+            const client = getRedisClient();
+            await client.del(buildKey(sessionId));
+        }
+        catch (error) {
+            Logger.error('CSRF Redis delete failed', error);
+        }
+    };
+    const scanKeys = async () => {
+        const client = getRedisClient();
+        const keys = [];
+        const stream = client.scanStream({ match: `${keyPrefix}*`, count: 200 });
+        return new Promise((resolve, reject) => {
+            stream.on('data', (resultKeys) => {
+                if (Array.isArray(resultKeys) && resultKeys.length) {
+                    keys.push(...resultKeys);
+                }
+            });
+            stream.on('end', () => resolve(keys));
+            stream.on('error', (err) => reject(err));
+        });
+    };
+    return {
+        fetchTokenData,
+        saveTokenData,
+        deleteToken,
+        scanKeys,
+    };
+};
+const createRedisManager = (tokenLength, tokenTtl, options) => {
+    const keyPrefix = options?.keyPrefix ?? RedisKeys.getCsrfPrefix();
+    const getRedisClient = createRedisClientFactory(options);
+    const { fetchTokenData, saveTokenData, deleteToken, scanKeys } = createRedisTokenOperations(keyPrefix, tokenTtl, getRedisClient);
+    return {
+        async generateToken(sessionId) {
+            const token = randomBytes(tokenLength).toString('hex');
+            const now = new Date();
+            const expiresAt = new Date(now.getTime() + tokenTtl);
+            const tokenData = { token, sessionId, createdAt: now, expiresAt };
+            await saveTokenData(tokenData);
+            return token;
+        },
+        async validateToken(sessionId, token) {
+            const tokenData = await fetchTokenData(sessionId);
+            if (!tokenData)
+                return false;
+            const isValid = tokenData.token === token;
+            const isExpired = new Date() > tokenData.expiresAt;
+            if (isExpired) {
+                await deleteToken(sessionId);
+                return false;
+            }
+            return isValid;
+        },
+        async invalidateToken(sessionId) {
+            await deleteToken(sessionId);
+        },
+        async getTokenData(sessionId) {
+            return fetchTokenData(sessionId);
+        },
+        async refreshToken(sessionId) {
+            const tokenData = await fetchTokenData(sessionId);
+            if (!tokenData)
+                return null;
+            const isExpired = new Date() > tokenData.expiresAt;
+            if (isExpired) {
+                await deleteToken(sessionId);
+                return null;
+            }
+            tokenData.expiresAt = new Date(Date.now() + tokenTtl);
+            await saveTokenData(tokenData);
+            return tokenData.token;
+        },
+        async cleanup() {
+            // Redis handles expiry via TTL, so nothing to do here.
+            return Promise.resolve(0); // NOSONAR
+        },
+        async clear() {
+            try {
+                const keys = await scanKeys();
+                if (keys.length === 0)
+                    return;
+                const client = getRedisClient();
+                await client.del(...keys);
+            }
+            catch (error) {
+                Logger.error('CSRF Redis clear failed', error);
+            }
+        },
+        async getTokenCount() {
+            try {
+                const keys = await scanKeys();
+                return keys.length;
+            }
+            catch (error) {
+                Logger.error('CSRF Redis count failed', error);
+                return 0;
+            }
+        },
+    };
+};
+const create = (options) => {
+    const tokenLength = options?.tokenLength ?? Env.TOKEN_LENGTH; // 256 bits
+    const tokenTtl = options?.tokenTtlMs ?? Env.TOKEN_TTL; // 1 hour in milliseconds
+    const store = resolveStoreName(options);
+    if (store === 'redis') {
+        return createRedisManager(tokenLength, tokenTtl, options);
+    }
+    return createMemoryManager(tokenLength, tokenTtl);
+};
 /**
  * CsrfTokenManager namespace - sealed for immutability
  */

package/src/security/Hash.d.ts

@@ -2,7 +2,7 @@
  * Hash
  * bcrypt-based password hashing utility.
  *
- * Runtime-aware: uses dynamic import for bcrypt.
+ * Uses bcryptjs to avoid native module issues in edge runtimes.
  */
 export declare const Hash: Readonly<{
     isValidHash(hash: string): boolean;

package/src/security/Hash.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"Hash.d.ts","sourceRoot":"","sources":["../../../src/security/Hash.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA+CH,eAAO,MAAM,IAAI;sBACG,MAAM,GAAG,OAAO;oBAIZ,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;8BAUd,MAAM,UAAU,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;sBAgBhD,MAAM,UAAU,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;EAWjE,CAAC;AAEH,eAAe,IAAI,CAAC"}
+{"version":3,"file":"Hash.d.ts","sourceRoot":"","sources":["../../../src/security/Hash.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA+BH,eAAO,MAAM,IAAI;sBACG,MAAM,GAAG,OAAO;oBAIZ,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;8BAcd,MAAM,UAAU,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;sBAmBhD,MAAM,UAAU,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;EAWjE,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/src/security/Hash.js

@@ -2,66 +2,61 @@
  * Hash
  * bcrypt-based password hashing utility.
  *
- * Runtime-aware: uses dynamic import for bcrypt.
+ * Uses bcryptjs to avoid native module issues in edge runtimes.
  */
 import { Logger } from '../config/logger.js';
 import { ErrorFactory } from '../exceptions/ZintrustError.js';
-function isBcryptModule(value) {
-    if (typeof value !== 'object' || value === null)
-        return false;
-    const record = value;
-    return typeof record['hash'] === 'function' && typeof record['compare'] === 'function';
-}
-let bcrypt;
-let loadingPromise;
-async function loadBcrypt() {
-    const imported = await import('bcrypt');
-    const module = imported;
-    const candidate = module.default ?? module;
-    if (!isBcryptModule(candidate)) {
-        throw ErrorFactory.createConfigError('Invalid bcrypt module shape');
+const BCRYPT_HASH_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;
+let bcryptModule = null;
+const loadBcrypt = async () => {
+    if (bcryptModule !== null)
+        return bcryptModule;
+    try {
+        const mod = (await import('bcryptjs'));
+        const resolved = (mod.default ?? mod);
+        if (typeof resolved?.hash !== 'function' || typeof resolved?.compare !== 'function') {
+            throw ErrorFactory.createConfigError('Invalid bcryptjs module shape');
+        }
+        bcryptModule = resolved;
+        return resolved;
     }
-    bcrypt = candidate;
-}
-async function ensureBcrypt() {
-    if (bcrypt !== undefined)
-        return bcrypt;
-    loadingPromise ??= loadBcrypt().catch((error) => {
-        Logger.error('bcrypt unavailable', error);
-        throw ErrorFactory.createConfigError('bcrypt unavailable', error);
-    });
-    await loadingPromise;
-    if (bcrypt === undefined) {
-        throw ErrorFactory.createConfigError('bcrypt unavailable');
+    catch (error) {
+        throw ErrorFactory.createConfigError('bcryptjs module unavailable', error);
     }
-    return bcrypt;
-}
-const BCRYPT_HASH_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;
+};
 export const Hash = Object.freeze({
     isValidHash(hash) {
         return BCRYPT_HASH_RE.test(hash);
     },
     async hash(plaintext) {
-        const bcryptModule = await ensureBcrypt();
         try {
-            return await bcryptModule.hash(plaintext, 12);
+            const bcrypt = await loadBcrypt();
+            return await bcrypt.hash(plaintext, 12);
         }
         catch (error) {
             Logger.error('Password hashing failed', error);
+            const err = error;
+            if (err?.name === 'ConfigError' || err?.code === 'CONFIG_ERROR') {
+                throw ErrorFactory.createConfigError('Password hashing failed', error);
+            }
             throw ErrorFactory.createSecurityError('Password hashing failed', error);
         }
     },
     async hashWithRounds(plaintext, rounds) {
-        const bcryptModule = await ensureBcrypt();
         const normalizedRounds = Number.isFinite(rounds) ? Math.trunc(rounds) : 0;
         if (normalizedRounds <= 0) {
             throw ErrorFactory.createConfigError('Invalid bcrypt rounds', { rounds });
         }
         try {
-            return await bcryptModule.hash(plaintext, normalizedRounds);
+            const bcrypt = await loadBcrypt();
+            return await bcrypt.hash(plaintext, normalizedRounds);
         }
         catch (error) {
             Logger.error('Password hashing failed', error);
+            const err = error;
+            if (err?.name === 'ConfigError' || err?.code === 'CONFIG_ERROR') {
+                throw ErrorFactory.createConfigError('Password hashing failed', error);
+            }
             throw ErrorFactory.createSecurityError('Password hashing failed', error);
         }
     },
@@ -69,8 +64,8 @@ export const Hash = Object.freeze({
         if (!Hash.isValidHash(hashed))
             return false;
         try {
-            const bcryptModule = await ensureBcrypt();
-            return await bcryptModule.compare(plaintext, hashed);
+            const bcrypt = await loadBcrypt();
+            return await bcrypt.compare(plaintext, hashed);
         }
         catch (error) {
             Logger.error('Password verify failed', error);

package/src/seeders/SeederLoader.js

@@ -1,6 +1,6 @@
 import { ErrorFactory } from '../exceptions/ZintrustError.js';
 import * as path from '../node-singletons/path.js';
-import { pathToFileURL } from 'node:url';
+import { pathToFileURL } from '../node-singletons/url.js';
 function isFunction(value) {
     return typeof value === 'function';
 }

package/src/session/SessionManager.d.ts

@@ -26,11 +26,14 @@ export interface ISessionManager {
     get(sessionId: string): ISession;
     destroy(sessionId: string): void;
     cleanup(): number;
+    dispose(): void;
 }
 export interface SessionManagerOptions {
     cookieName?: string;
     headerName?: string;
     ttlMs?: number;
+    maxSessions?: number;
+    cleanupIntervalMs?: number;
 }
 export declare const SessionManager: Readonly<{
     create(options?: SessionManagerOptions): ISessionManager;

package/src/session/SessionManager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SessionManager.d.ts","sourceRoot":"","sources":["../../../src/session/SessionManager.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAElD,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,CAAC,GAAG,SAAS,CAAC;IAC7C,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI,CAAC;IACvC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAC1B,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,GAAG,IAAI,WAAW,CAAC;IACnB,KAAK,IAAI,IAAI,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAAC;IAC5E,gBAAgB,CAAC,GAAG,EAAE;QACpB,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC;QACrC,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACnC,GAAG,MAAM,GAAG,SAAS,CAAC;IACvB,eAAe,CACb,GAAG,EAAE;QACH,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC;QACrC,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClC,EACD,GAAG,EAAE;QACH,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC;QACrC,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,KAAK,OAAO,CAAC;KAChE,GACA,OAAO,CAAC,MAAM,CAAC,CAAC;IACnB,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,QAAQ,CAAC;IACjC,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,OAAO,IAAI,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,qBAAqB;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAyHD,eAAO,MAAM,cAAc;qBACT,qBAAqB,GAAQ,eAAe;EA2E5D,CAAC;AAEH,eAAe,cAAc,CAAC"}
+{"version":3,"file":"SessionManager.d.ts","sourceRoot":"","sources":["../../../src/session/SessionManager.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAElD,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,CAAC,GAAG,SAAS,CAAC;IAC7C,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI,CAAC;IACvC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAC1B,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,GAAG,IAAI,WAAW,CAAC;IACnB,KAAK,IAAI,IAAI,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAAC;IAC5E,gBAAgB,CAAC,GAAG,EAAE;QACpB,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC;QACrC,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACnC,GAAG,MAAM,GAAG,SAAS,CAAC;IACvB,eAAe,CACb,GAAG,EAAE;QACH,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC;QACrC,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClC,EACD,GAAG,EAAE;QACH,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC;QACrC,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,KAAK,OAAO,CAAC;KAChE,GACA,OAAO,CAAC,MAAM,CAAC,CAAC;IACnB,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,QAAQ,CAAC;IACjC,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,OAAO,IAAI,MAAM,CAAC;IAClB,OAAO,IAAI,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAwKD,eAAO,MAAM,cAAc;qBACT,qBAAqB,GAAQ,eAAe;EAkF5D,CAAC;AAEH,eAAe,cAAc,CAAC"}

package/src/session/SessionManager.js

@@ -3,7 +3,39 @@ const DEFAULT_OPTIONS = {
     cookieName: 'ZIN_SESSION_ID',
     headerName: 'x-session-id',
     ttlMs: 7 * 24 * 60 * 60 * 1000,
+    maxSessions: 10000,
+    cleanupIntervalMs: 60000,
 };
+function isUnrefableTimer(value) {
+    return (typeof value === 'object' &&
+        value !== null &&
+        'unref' in value &&
+        typeof value.unref === 'function');
+}
+function cleanupExpiredSessions(sessions) {
+    const now = Date.now();
+    let removed = 0;
+    for (const [id, stored] of sessions.entries()) {
+        if (stored.expiresAt <= now) {
+            sessions.delete(id);
+            removed++;
+        }
+    }
+    return removed;
+}
+function enforceSessionCapacity(sessions, maxSessions, preserveId) {
+    if (sessions.size < maxSessions)
+        return;
+    cleanupExpiredSessions(sessions);
+    if (sessions.size < maxSessions)
+        return;
+    for (const id of sessions.keys()) {
+        if (id === preserveId)
+            continue;
+        sessions.delete(id);
+        break;
+    }
+}
 function parseCookies(cookieHeader) {
     const list = {};
     if (cookieHeader.length === 0)
@@ -39,7 +71,7 @@ function buildSessionCookie(cookieName, sessionId) {
     // HttpOnly prevents JS access; SameSite=Lax is a reasonable default for app sessions.
     return `${cookieName}=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; SameSite=Lax`;
 }
-function createSessionApi(sessions, sessionId, ttlMs) {
+function createSessionApi(sessions, sessionId, ttlMs, maxSessions) {
     const withoutKey = (data, key) => {
         if (!Object.prototype.hasOwnProperty.call(data, key))
             return data;
@@ -53,6 +85,7 @@ function createSessionApi(sessions, sessionId, ttlMs) {
         if (existing !== undefined && existing.expiresAt > now) {
             return existing;
         }
+        enforceSessionCapacity(sessions, maxSessions, sessionId);
         const created = { data: {}, expiresAt: now + ttlMs };
         sessions.set(sessionId, created);
         return created;
@@ -89,6 +122,14 @@ export const SessionManager = Object.freeze({
     create(options = {}) {
         const config = { ...DEFAULT_OPTIONS, ...options };
         const sessions = new Map();
+        const cleanupInterval = config.cleanupIntervalMs > 0
+            ? globalThis.setInterval(() => {
+                cleanupExpiredSessions(sessions);
+            }, config.cleanupIntervalMs)
+            : undefined;
+        if (cleanupInterval && isUnrefableTimer(cleanupInterval)) {
+            cleanupInterval.unref();
+        }
         return {
             getIdFromCookieHeader(cookieHeader) {
                 if (cookieHeader === undefined || cookieHeader.length === 0)
@@ -127,21 +168,19 @@ export const SessionManager = Object.freeze({
                 return sessionId;
             },
             get(sessionId) {
-                return createSessionApi(sessions, sessionId, config.ttlMs);
+                return createSessionApi(sessions, sessionId, config.ttlMs, config.maxSessions);
             },
             destroy(sessionId) {
                 sessions.delete(sessionId);
             },
             cleanup() {
-                const now = Date.now();
-                let removed = 0;
-                for (const [id, stored] of sessions.entries()) {
-                    if (stored.expiresAt <= now) {
-                        sessions.delete(id);
-                        removed++;
-                    }
+                return cleanupExpiredSessions(sessions);
+            },
+            dispose() {
+                if (cleanupInterval !== undefined) {
+                    clearInterval(cleanupInterval);
                 }
-                return removed;
+                sessions.clear();
             },
         };
     },

package/src/sockets/CloudflareSocket.d.ts

@@ -0,0 +1,24 @@
+import { EventEmitter } from '../node-singletons/index.js';
+export type CloudflareSocketOptions = {
+    tls?: boolean;
+    timeoutMs?: number;
+};
+export type CloudflareSocketInstance = EventEmitter & {
+    write: (data: Buffer | Uint8Array) => boolean;
+    end: () => void;
+    destroy: () => void;
+    connect: (..._args: unknown[]) => CloudflareSocketInstance;
+    startTls: () => Promise<void>;
+    pause: () => void;
+    resume: () => void;
+    setTimeout: (timeoutMs: number, callback?: () => void) => void;
+    setNoDelay: (_noDelay?: boolean) => void;
+    setKeepAlive: (_enable?: boolean, _initialDelay?: number) => void;
+    ref: () => void;
+    unref: () => void;
+};
+export type CloudflareSocketFactory = {
+    create: (hostname: string, port: number, options?: CloudflareSocketOptions) => CloudflareSocketInstance;
+};
+export declare const CloudflareSocket: CloudflareSocketFactory;
+//# sourceMappingURL=CloudflareSocket.d.ts.map

package/src/sockets/CloudflareSocket.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CloudflareSocket.d.ts","sourceRoot":"","sources":["../../../src/sockets/CloudflareSocket.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAehD,MAAM,MAAM,uBAAuB,GAAG;IACpC,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,wBAAwB,GAAG,YAAY,GAAG;IACpD,KAAK,EAAE,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,KAAK,OAAO,CAAC;IAC9C,GAAG,EAAE,MAAM,IAAI,CAAC;IAChB,OAAO,EAAE,MAAM,IAAI,CAAC;IACpB,OAAO,EAAE,CAAC,GAAG,KAAK,EAAE,OAAO,EAAE,KAAK,wBAAwB,CAAC;IAC3D,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9B,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,MAAM,EAAE,MAAM,IAAI,CAAC;IACnB,UAAU,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,IAAI,KAAK,IAAI,CAAC;IAC/D,UAAU,EAAE,CAAC,QAAQ,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IACzC,YAAY,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,aAAa,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;IAClE,GAAG,EAAE,MAAM,IAAI,CAAC;IAChB,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,MAAM,EAAE,CACN,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,uBAAuB,KAC9B,wBAAwB,CAAC;CAC/B,CAAC;AAoSF,eAAO,MAAM,gBAAgB,EAAE,uBAE7B,CAAC"}