astro-sessionkit 0.1.20 → 0.1.21

package/src/core/validation.ts

@@ -21,13 +21,18 @@ export function isValidSessionStructure(input: unknown): input is Session {
         return false;
     }
 
+    // Security: Check for unexpected null bytes or control characters in userId
+    if (/[\x00-\x1F\x7F]/.test(session.userId)) {
+        return false;
+    }
+
     // DoS protection: Limit userId length
     if (session.userId.length > 255) {
         return false;
     }
 
     // Optional fields validation (if present)
-    if (session.email !== undefined) {
+    if (session.email !== undefined && session.email !== null) {
         if (typeof session.email !== 'string') {
             return false;
         }
@@ -35,6 +40,10 @@ export function isValidSessionStructure(input: unknown): input is Session {
         if (session.email.length > 320) {
             return false;
         }
+        // Basic email format sanity check (not full validation, just security)
+        if (session.email.length > 0 && !session.email.includes('@')) {
+            return false;
+        }
     }
 
     if (session.role !== undefined && session.role !== null) {
@@ -45,6 +54,10 @@ export function isValidSessionStructure(input: unknown): input is Session {
         if (session.role.length > 100) {
             return false;
         }
+        // Security: No control characters in role
+        if (/[\x00-\x1F\x7F]/.test(session.role)) {
+            return false;
+        }
     }
 
     if (session.roles !== undefined && session.roles !== null) {

package/src/server.ts

@@ -4,8 +4,7 @@
 
 import {getContextStore} from "./core/context";
 import {isValidSessionStructure} from "./core/validation";
-import type {Session} from "./core/types";
-import type {APIContext} from "astro";
+import type {Session, SessionKitContext} from "./core/types";
 
 /**
  * Get the current session (returns null if not authenticated)
@@ -129,10 +128,10 @@ export function hasRolePermission(role: string, permission: string): boolean {
  * Use this after successful authentication to register the user's session.
  * This does NOT handle session storage (cookies, Redis, etc.) - you must do that separately.
  *
- * @param context - Astro API context
  * @param session - Session data to set
+ * @param context - Astro API context (optional if called within request context)
  *
- * @throws {Error} If session structure is invalid
+ * @throws {Error} If session structure is invalid or context missing
  *
  * @example
  * ```ts
@@ -143,7 +142,7 @@ export function hasRolePermission(role: string, permission: string): boolean {
  *
  *   if (user) {
  *     // Register session with SessionKit
- *     setSession(context, {
+ *     setSession({
  *       userId: user.id,
  *       email: user.email,
  *       role: user.role,
@@ -158,7 +157,17 @@ export function hasRolePermission(role: string, permission: string): boolean {
  * };
  * ```
  */
-export function setSession(context: APIContext, session: Session): void {
+export function setSession(session: Session, context?: SessionKitContext): void {
+    const store = getContextStore();
+    const ctx = context || store?.astroContext;
+
+    if (!ctx) {
+        throw new Error(
+            '[SessionKit] Cannot set session: Astro context is missing. ' +
+            'Provide it as a second argument or ensure sessionMiddleware is running.'
+        );
+    }
+
     // Validate session structure
     if (!isValidSessionStructure(session)) {
         throw new Error(
@@ -166,8 +175,13 @@ export function setSession(context: APIContext, session: Session): void {
         );
     }
 
-    // Set in context.locals for SessionKit middleware to read
-    context.session?.set('__session__', session);
+    // Update ALS store if available for same-request consistency
+    if (store) {
+        store.session = session;
+    }
+
+    // Set in context.session for Astro to persist
+    ctx.session?.set('__session__', session);
 }
 
 /**
@@ -176,14 +190,14 @@ export function setSession(context: APIContext, session: Session): void {
  * Use this during logout. This does NOT delete session storage (cookies, Redis, etc.) -
  * you must do that separately.
  *
- * @param context - Astro API context
+ * @param context - Astro API context (optional if called within request context)
  *
  * @example
  * ```ts
  * // In logout endpoint
  * export const POST: APIRoute = async (context) => {
  *   // Clear from SessionKit
- *   clearSession(context);
+ *   clearSession();
  *
  *   // YOU must also delete the session storage
  *   context.cookies.delete('session_id');
@@ -193,8 +207,61 @@ export function setSession(context: APIContext, session: Session): void {
  * };
  * ```
  */
-export function clearSession(context: APIContext): void {
-    context.session?.delete('__session__');
+export function clearSession(context?: SessionKitContext): void {
+    const store = getContextStore();
+    const ctx = context || store?.astroContext;
+
+    if (!ctx) {
+        throw new Error(
+            '[SessionKit] Cannot clear session: Astro context is missing. ' +
+            'Provide it as an argument or ensure sessionMiddleware is running.'
+        );
+    }
+
+    // Update ALS store if available for same-request consistency
+    if (store) {
+        store.session = null;
+    }
+
+    ctx.session?.delete('__session__');
+}
+
+/**
+ * Regenerate the session ID to prevent session fixation attacks
+ *
+ * Use this after a successful login or privilege change.
+ * This is only supported if the underlying Astro session driver supports it.
+ *
+ * @param context - Astro API context (optional if called within request context)
+ *
+ * @example
+ * ```ts
+ * // In login endpoint
+ * export const POST: APIRoute = async (context) => {
+ *   const user = await authenticate(request);
+ *   if (user) {
+ *     // 1. Regenerate session ID
+ *     regenerateSession();
+ *
+ *     // 2. Set new session data
+ *     setSession({ userId: user.id, role: user.role });
+ *   }
+ * }
+ * ```
+ */
+export function regenerateSession(context?: SessionKitContext): void {
+    const ctx = context || getContextStore()?.astroContext;
+
+    if (!ctx) {
+        throw new Error(
+            '[SessionKit] Cannot regenerate session: Astro context is missing. ' +
+            'Provide it as an argument or ensure sessionMiddleware is running.'
+        );
+    }
+
+    if (ctx.session?.regenerate) {
+        ctx.session.regenerate();
+    }
 }
 
 /**
@@ -203,8 +270,8 @@ export function clearSession(context: APIContext): void {
  * Useful for updating session data without replacing the entire session.
  * The updated session is validated before being set.
  *
- * @param context - Astro API context
  * @param updates - Partial session data to merge
+ * @param context - Astro API context (optional if called within request context)
  *
  * @throws {Error} If no session exists or updated session is invalid
  *
@@ -212,7 +279,7 @@ export function clearSession(context: APIContext): void {
  * ```ts
  * // Update user's role after promotion
  * export const POST: APIRoute = async (context) => {
- *   updateSession(context, {
+ *   updateSession({
  *     role: 'admin',
  *     permissions: ['admin:read', 'admin:write']
  *   });
@@ -224,22 +291,39 @@ export function clearSession(context: APIContext): void {
  * };
  * ```
  */
-export function updateSession(context: APIContext, updates: Partial<Session>): void {
-    const currentSession = context.session?.get<Session>('__session__');
+export function updateSession(updates: Partial<Session>, context?: SessionKitContext): void {
+    const store = getContextStore();
+    const ctx = context || store?.astroContext;
 
-    if (!currentSession) {
-        throw new Error('[SessionKit] Cannot update session: no session exists');
+    if (!ctx) {
+        throw new Error(
+            '[SessionKit] Cannot update session: Astro context is missing. ' +
+            'Provide it as a second argument or ensure sessionMiddleware is running.'
+        );
     }
 
-    // Merge updates with current session
-    const updatedSession = {...currentSession, ...updates};
+    // Get current session from ALS (preferred) or Astro session
+    const currentSession = store?.session || ctx.session?.get<Session>('__session__');
 
-    // Validate merged session
-    if (!isValidSessionStructure(updatedSession)) {
-        throw new Error(
-            '[SessionKit] Invalid session structure after update. Ensure all fields are valid.'
-        );
+    // Note: ctx.session.get might return a Promise in some Astro versions/drivers.
+    // However, since sessionMiddleware already awaits it, store.session should be populated.
+    // If store.session is missing but we are in a middleware-managed request, it means no session exists.
+    
+    if (!currentSession || (currentSession instanceof Promise)) {
+        // If it's a promise, we might have a sync/async mismatch, but usually getSession() handles this.
+        // For robustness, we check if we actually have a session object.
+        const session = currentSession instanceof Promise ? null : currentSession;
+        if (!session) {
+            throw new Error('[SessionKit] Cannot update session: no session exists');
+        }
     }
 
-    context.session?.set('__session__', updatedSession);
+    // We can safely cast here if it's not a promise
+    const session = currentSession as Session;
+
+    // Merge updates with current session
+    const updatedSession = {...session, ...updates};
+
+    // Use setSession to handle validation and both store updates
+    setSession(updatedSession, ctx);
 }