astro-sessionkit 0.1.19 → 0.1.21

package/src/core/sessionMiddleware.ts

@@ -5,7 +5,7 @@
 import type {MiddlewareHandler} from "astro";
 import {runWithContext as defaultRunWithContext} from "./context";
 import {isValidSessionStructure} from "./validation";
-import type {Session} from "./types";
+import type {Session, SessionContext, SessionKitContext} from "./types";
 import {getConfig} from "./config";
 import * as logger from "./logger";
 
@@ -14,6 +14,11 @@ import * as logger from "./logger";
  */
 const SESSION_KEY = "__session__";
 
+/**
+ * Redundant logging prevention key
+ */
+const LOGGED_KEY = Symbol.for('astro-sessionkit.middleware.logged');
+
 /**
  * Main session middleware
  *
@@ -21,8 +26,11 @@ const SESSION_KEY = "__session__";
  * throughout the request via AsyncLocalStorage
  */
 export const sessionMiddleware: MiddlewareHandler = async (context, next) => {
+    const config = getConfig();
+    const {runWithContext, getContextStore, setContextStore, context: externalContext, debug} = config;
+
     // Get session from context.session store
-    const rawSession = context.session?.get<Session>(SESSION_KEY) ?? null;
+    const rawSession = await context.session?.get<Session>(SESSION_KEY) ?? null;
 
     // Validate session structure if present
     let session: Session | null = null;
@@ -42,24 +50,51 @@ export const sessionMiddleware: MiddlewareHandler = async (context, next) => {
     }
 
     // Run the rest of the request chain with session context
-    const config = getConfig();
+    const globalStorage = globalThis as any;
+    if (!globalStorage[LOGGED_KEY]) {
+        let contextStrategy = 'default';
+
+        if (runWithContext) {
+            contextStrategy = 'custom (runWithContext)';
+        } else if (getContextStore) {
+            contextStrategy = 'custom (getter/setter)';
+        } else if (externalContext) {
+            contextStrategy = 'custom (external AsyncLocalStorage)';
+        }
+
+        logger.debug(`[SessionKit] Middleware initialized (context: ${contextStrategy})`);
+        globalStorage[LOGGED_KEY] = true;
+    }
+
+    const runLogic = () => next();
+    const sessionContext: SessionContext = { session, astroContext: context as SessionKitContext };
 
     // If getContextStore is provided, but runWithContext is NOT,
     // we assume the user is managing the context at a superior level
     // and we should NOT wrap the call in our default runner.
-    if (config.getContextStore && !config.runWithContext) {
+    if (getContextStore && !runWithContext) {
         // Initialize context store if setter is provided
-        const store = config.getContextStore();
+        const store = getContextStore();
+        if (debug) {
+            logger.debug('[SessionMiddleware] Custom getContextStore returned:', !!store);
+        }
         if (store) {
             store.session = session;
-        } else if (config.setContextStore) {
-            config.setContextStore({session});
+        } else if (setContextStore) {
+            if (debug) {
+                logger.debug('[SessionMiddleware] Calling custom setContextStore');
+            }
+            setContextStore(sessionContext);
         } else {
             logger.error('getContextStore returned undefined, cannot set session');
         }
-        return next();
+        return runLogic();
+    }
+
+    if (debug) {
+        logger.debug('[SessionMiddleware] Using' + (runWithContext ? ' custom ' : ' default ') + 'runner');
     }
 
-    const runner = config.runWithContext ?? defaultRunWithContext;
-    return runner({session}, () => next());
+    const runner = runWithContext ?? defaultRunWithContext;
+    return runner(sessionContext, runLogic);
 };

package/src/core/types.ts

@@ -2,6 +2,18 @@
 // Core Session Types
 // ============================================================================
 
+import type {AstroCookies, AstroSession} from "astro";
+
+/**
+ * Minimal context required by SessionKit
+ */
+export interface SessionKitContext {
+  cookies: AstroCookies;
+  session?: AstroSession;
+  redirect: (path: string, status?: number) => Response;
+  [key: string]: any;
+}
+
 /**
  * The session object stored in context.locals.session
  * This is what your Astro app provides - we just read it.
@@ -31,6 +43,10 @@ export interface Session {
  */
 export interface SessionContext {
   session: Session | null;
+  /**
+   * Original Astro context (cookies, session, redirect, etc.)
+   */
+  astroContext?: SessionKitContext;
 }
 
 // ============================================================================
@@ -139,9 +155,15 @@ export interface SessionKitConfig {
    */
   exclude?: string[];
 
-  /**
-   * Enable debug logging
-   * @default false
-   */
-  debug?: boolean;
+    /**
+     * Optional external AsyncLocalStorage instance to use for session context.
+     * If provided, SessionKit will use this instead of its internal instance.
+     */
+    context?: any;
+
+    /**
+     * Enable debug logging
+     * @default false
+     */
+    debug?: boolean;
 }

package/src/core/validation.ts

@@ -21,13 +21,18 @@ export function isValidSessionStructure(input: unknown): input is Session {
         return false;
     }
 
+    // Security: Check for unexpected null bytes or control characters in userId
+    if (/[\x00-\x1F\x7F]/.test(session.userId)) {
+        return false;
+    }
+
     // DoS protection: Limit userId length
     if (session.userId.length > 255) {
         return false;
     }
 
     // Optional fields validation (if present)
-    if (session.email !== undefined) {
+    if (session.email !== undefined && session.email !== null) {
         if (typeof session.email !== 'string') {
             return false;
         }
@@ -35,6 +40,10 @@ export function isValidSessionStructure(input: unknown): input is Session {
         if (session.email.length > 320) {
             return false;
         }
+        // Basic email format sanity check (not full validation, just security)
+        if (session.email.length > 0 && !session.email.includes('@')) {
+            return false;
+        }
     }
 
     if (session.role !== undefined && session.role !== null) {
@@ -45,6 +54,10 @@ export function isValidSessionStructure(input: unknown): input is Session {
         if (session.role.length > 100) {
             return false;
         }
+        // Security: No control characters in role
+        if (/[\x00-\x1F\x7F]/.test(session.role)) {
+            return false;
+        }
     }
 
     if (session.roles !== undefined && session.roles !== null) {

package/src/index.ts

@@ -2,58 +2,9 @@
 // Astro SessionKit - Main Integration Entry Point
 // ============================================================================
 
-import type {AstroIntegration } from "astro";
-import {getConfig, setConfig} from "./core/config";
-import type { SessionKitConfig } from "./core/types";
+import sessionkit from "./integration";
 
-/**
- * SessionKit - Simple session access and route protection for Astro
- *
- * @example
- * ```ts
- * // astro.config.mjs
- * import sessionkit from 'astro-sessionkit';
- *
- * export default defineConfig({
- *   integrations: [
- *     sessionkit({
- *       loginPath: '/login',
- *       protect: [
- *         { pattern: '/admin/**', role: 'admin' },
- *         { pattern: '/dashboard', roles: ['user', 'admin'] },
- *         { pattern: '/settings', permissions: ['settings:write'] }
- *       ]
- *     })
- *   ]
- * });
- * ```
- */
-export default function sessionkit(config: SessionKitConfig = {}): AstroIntegration {
-    // Store configuration
-    setConfig(config);
-    const resolvedConfig = getConfig();
-
-    return {
-        name: "astro-sessionkit",
-        hooks: {
-            "astro:config:setup": ({ addMiddleware }) => {
-                // 1. Always add session context middleware first
-                addMiddleware({
-                    entrypoint: "astro-sessionkit/middleware",
-                    order: "pre",
-                });
-
-                // 2. Add route guard if there are protection rules or global protection is enabled
-                if ((resolvedConfig.protect && resolvedConfig.protect.length > 0) || resolvedConfig.globalProtect) {
-                    addMiddleware({
-                        entrypoint: "astro-sessionkit/guard",
-                        order: "pre",
-                    });
-                }
-            },
-        },
-    };
-}
+export default sessionkit;
 
 // ============================================================================
 // Re-export types for convenience
@@ -76,4 +27,4 @@ export type {
 // Version export
 // ============================================================================
 
-export const version = "0.1.0";
+export const version = "0.1.20";

package/src/integration.ts

@@ -44,16 +44,31 @@ export default function sessionKit(config: SessionKitConfig = {}): AstroIntegrat
         });
 
         // 2. Add route guard if there are protection rules or global protection is enabled
-        if ((resolvedConfig.protect && resolvedConfig.protect.length > 0) || resolvedConfig.globalProtect) {
+        const hasRules = (resolvedConfig.protect && resolvedConfig.protect.length > 0);
+        const isGlobal = !!resolvedConfig.globalProtect;
+
+        if (hasRules || isGlobal) {
           addMiddleware({
             entrypoint: "astro-sessionkit/guard",
             order: "pre",
           });
+        } else if (resolvedConfig.debug) {
+          console.log("[SessionKit] Route guard NOT registered: no rules and globalProtect is false.");
         }
       },
     },
   };
 }
 
-// Re-export types for convenience
-export type { Session, ProtectionRule, SessionKitConfig } from "./core/types";
+export type {
+  Session,
+  ProtectionRule,
+  RoleProtectionRule,
+  RolesProtectionRule,
+  PermissionProtectionRule,
+  PermissionsProtectionRule,
+  CustomProtectionRule,
+  SessionKitConfig,
+  AccessHooks,
+  SessionContext
+} from "./core/types";

package/src/server.ts

@@ -4,8 +4,7 @@
 
 import {getContextStore} from "./core/context";
 import {isValidSessionStructure} from "./core/validation";
-import type {Session} from "./core/types";
-import type {APIContext} from "astro";
+import type {Session, SessionKitContext} from "./core/types";
 
 /**
  * Get the current session (returns null if not authenticated)
@@ -129,10 +128,10 @@ export function hasRolePermission(role: string, permission: string): boolean {
  * Use this after successful authentication to register the user's session.
  * This does NOT handle session storage (cookies, Redis, etc.) - you must do that separately.
  *
- * @param context - Astro API context
  * @param session - Session data to set
+ * @param context - Astro API context (optional if called within request context)
  *
- * @throws {Error} If session structure is invalid
+ * @throws {Error} If session structure is invalid or context missing
  *
  * @example
  * ```ts
@@ -143,7 +142,7 @@ export function hasRolePermission(role: string, permission: string): boolean {
  *
  *   if (user) {
  *     // Register session with SessionKit
- *     setSession(context, {
+ *     setSession({
  *       userId: user.id,
  *       email: user.email,
  *       role: user.role,
@@ -158,7 +157,17 @@ export function hasRolePermission(role: string, permission: string): boolean {
  * };
  * ```
  */
-export function setSession(context: APIContext, session: Session): void {
+export function setSession(session: Session, context?: SessionKitContext): void {
+    const store = getContextStore();
+    const ctx = context || store?.astroContext;
+
+    if (!ctx) {
+        throw new Error(
+            '[SessionKit] Cannot set session: Astro context is missing. ' +
+            'Provide it as a second argument or ensure sessionMiddleware is running.'
+        );
+    }
+
     // Validate session structure
     if (!isValidSessionStructure(session)) {
         throw new Error(
@@ -166,8 +175,13 @@ export function setSession(context: APIContext, session: Session): void {
         );
     }
 
-    // Set in context.locals for SessionKit middleware to read
-    context.session?.set('__session__', session);
+    // Update ALS store if available for same-request consistency
+    if (store) {
+        store.session = session;
+    }
+
+    // Set in context.session for Astro to persist
+    ctx.session?.set('__session__', session);
 }
 
 /**
@@ -176,14 +190,14 @@ export function setSession(context: APIContext, session: Session): void {
  * Use this during logout. This does NOT delete session storage (cookies, Redis, etc.) -
  * you must do that separately.
  *
- * @param context - Astro API context
+ * @param context - Astro API context (optional if called within request context)
  *
  * @example
  * ```ts
  * // In logout endpoint
  * export const POST: APIRoute = async (context) => {
  *   // Clear from SessionKit
- *   clearSession(context);
+ *   clearSession();
  *
  *   // YOU must also delete the session storage
  *   context.cookies.delete('session_id');
@@ -193,8 +207,61 @@ export function setSession(context: APIContext, session: Session): void {
  * };
  * ```
  */
-export function clearSession(context: APIContext): void {
-    context.session?.delete('__session__');
+export function clearSession(context?: SessionKitContext): void {
+    const store = getContextStore();
+    const ctx = context || store?.astroContext;
+
+    if (!ctx) {
+        throw new Error(
+            '[SessionKit] Cannot clear session: Astro context is missing. ' +
+            'Provide it as an argument or ensure sessionMiddleware is running.'
+        );
+    }
+
+    // Update ALS store if available for same-request consistency
+    if (store) {
+        store.session = null;
+    }
+
+    ctx.session?.delete('__session__');
+}
+
+/**
+ * Regenerate the session ID to prevent session fixation attacks
+ *
+ * Use this after a successful login or privilege change.
+ * This is only supported if the underlying Astro session driver supports it.
+ *
+ * @param context - Astro API context (optional if called within request context)
+ *
+ * @example
+ * ```ts
+ * // In login endpoint
+ * export const POST: APIRoute = async (context) => {
+ *   const user = await authenticate(request);
+ *   if (user) {
+ *     // 1. Regenerate session ID
+ *     regenerateSession();
+ *
+ *     // 2. Set new session data
+ *     setSession({ userId: user.id, role: user.role });
+ *   }
+ * }
+ * ```
+ */
+export function regenerateSession(context?: SessionKitContext): void {
+    const ctx = context || getContextStore()?.astroContext;
+
+    if (!ctx) {
+        throw new Error(
+            '[SessionKit] Cannot regenerate session: Astro context is missing. ' +
+            'Provide it as an argument or ensure sessionMiddleware is running.'
+        );
+    }
+
+    if (ctx.session?.regenerate) {
+        ctx.session.regenerate();
+    }
 }
 
 /**
@@ -203,8 +270,8 @@ export function clearSession(context: APIContext): void {
  * Useful for updating session data without replacing the entire session.
  * The updated session is validated before being set.
  *
- * @param context - Astro API context
  * @param updates - Partial session data to merge
+ * @param context - Astro API context (optional if called within request context)
  *
  * @throws {Error} If no session exists or updated session is invalid
  *
@@ -212,7 +279,7 @@ export function clearSession(context: APIContext): void {
  * ```ts
  * // Update user's role after promotion
  * export const POST: APIRoute = async (context) => {
- *   updateSession(context, {
+ *   updateSession({
  *     role: 'admin',
  *     permissions: ['admin:read', 'admin:write']
  *   });
@@ -224,22 +291,39 @@ export function clearSession(context: APIContext): void {
  * };
  * ```
  */
-export function updateSession(context: APIContext, updates: Partial<Session>): void {
-    const currentSession = context.session?.get<Session>('__session__');
+export function updateSession(updates: Partial<Session>, context?: SessionKitContext): void {
+    const store = getContextStore();
+    const ctx = context || store?.astroContext;
 
-    if (!currentSession) {
-        throw new Error('[SessionKit] Cannot update session: no session exists');
+    if (!ctx) {
+        throw new Error(
+            '[SessionKit] Cannot update session: Astro context is missing. ' +
+            'Provide it as a second argument or ensure sessionMiddleware is running.'
+        );
     }
 
-    // Merge updates with current session
-    const updatedSession = {...currentSession, ...updates};
+    // Get current session from ALS (preferred) or Astro session
+    const currentSession = store?.session || ctx.session?.get<Session>('__session__');
 
-    // Validate merged session
-    if (!isValidSessionStructure(updatedSession)) {
-        throw new Error(
-            '[SessionKit] Invalid session structure after update. Ensure all fields are valid.'
-        );
+    // Note: ctx.session.get might return a Promise in some Astro versions/drivers.
+    // However, since sessionMiddleware already awaits it, store.session should be populated.
+    // If store.session is missing but we are in a middleware-managed request, it means no session exists.
+    
+    if (!currentSession || (currentSession instanceof Promise)) {
+        // If it's a promise, we might have a sync/async mismatch, but usually getSession() handles this.
+        // For robustness, we check if we actually have a session object.
+        const session = currentSession instanceof Promise ? null : currentSession;
+        if (!session) {
+            throw new Error('[SessionKit] Cannot update session: no session exists');
+        }
     }
 
-    context.session?.set('__session__', updatedSession);
+    // We can safely cast here if it's not a promise
+    const session = currentSession as Session;
+
+    // Merge updates with current session
+    const updatedSession = {...session, ...updates};
+
+    // Use setSession to handle validation and both store updates
+    setSession(updatedSession, ctx);
 }