h3 1.3.0 → 1.4.0

package/README.md

@@ -155,10 +155,12 @@ H3 has a concept of composable utilities that accept `event` (from `eventHandler
 - `getResponseStatus(event)`
 - `getResponseStatusText(event)`
 - `readMultipartFormData(event)`
-- `useSession(event, { password, name?, cookie?, seal?, crypto? })`
-- `getSession(event, { password, name?, cookie?, seal?, crypto? })`
-- `updateSession(event, { password, name?, cookie?, seal?, crypto? }), update)`
-- `clearSession(event, { password, name?, cookie?, seal?, crypto? }))`
+- `useSession(event, config = { password, maxAge?, name?, cookie?, seal?, crypto? })`
+- `getSession(event, config)`
+- `updateSession(event, config, update)`
+- `clearSession(event, config)`
+- `sealSession(event, config)`
+- `unsealSession(event, config, sealed)`
 
 👉 You can learn more about usage in [JSDocs Documentation](https://www.jsdocs.io/package/h3#package-functions).
 

package/dist/index.cjs

@@ -640,21 +640,35 @@ async function getSession(event, config) {
   if (event.context.sessions[sessionName]) {
     return event.context.sessions[sessionName];
   }
-  const session = { id: "", data: /* @__PURE__ */ Object.create(null) };
+  const session = {
+    id: "",
+    createdAt: 0,
+    data: /* @__PURE__ */ Object.create(null)
+  };
   event.context.sessions[sessionName] = session;
-  const reqCookie = getCookie(event, sessionName);
-  if (!reqCookie) {
-    session.id = (config.crypto || crypto).randomUUID();
-    await updateSession(event, config);
-  } else {
-    const unsealed = await ironWebcrypto.unseal(
-      config.crypto || crypto,
-      reqCookie,
-      config.password,
-      config.seal || ironWebcrypto.defaults
+  let sealedSession;
+  if (config.sessionHeader !== false) {
+    const headerName = typeof config.sessionHeader === "string" ? config.sessionHeader.toLowerCase() : `x-${sessionName.toLowerCase()}-session`;
+    const headerValue = event.node.req.headers[headerName];
+    if (typeof headerValue === "string") {
+      sealedSession = headerValue;
+    }
+  }
+  if (!sealedSession) {
+    sealedSession = getCookie(event, sessionName);
+  }
+  if (sealedSession) {
+    const unsealed = await unsealSession(event, config, sealedSession).catch(
+      () => {
+      }
     );
     Object.assign(session, unsealed);
   }
+  if (!session.id) {
+    session.id = (config.crypto || crypto).randomUUID();
+    session.createdAt = Date.now();
+    await updateSession(event, config);
+  }
   return session;
 }
 async function updateSession(event, config, update) {
@@ -666,21 +680,54 @@ async function updateSession(event, config, update) {
   if (update) {
     Object.assign(session.data, update);
   }
-  const sealed = await ironWebcrypto.seal(
+  if (config.cookie !== false) {
+    const sealed = await sealSession(event, config);
+    setCookie(event, sessionName, sealed, {
+      ...DEFAULT_COOKIE,
+      expires: config.maxAge ? new Date(session.createdAt + config.maxAge * 1e3) : void 0,
+      ...config.cookie
+    });
+  }
+  return session;
+}
+async function sealSession(event, config) {
+  const sessionName = config.name || DEFAULT_NAME;
+  const session = event.context.sessions?.[sessionName] || await getSession(event, config);
+  const sealed = await ironWebcrypto.seal(config.crypto || crypto, session, config.password, {
+    ...ironWebcrypto.defaults,
+    ttl: config.maxAge ? config.maxAge * 1e3 : 0,
+    ...config.seal
+  });
+  return sealed;
+}
+async function unsealSession(_event, config, sealed) {
+  const unsealed = await ironWebcrypto.unseal(
     config.crypto || crypto,
-    session,
+    sealed,
     config.password,
-    config.seal || ironWebcrypto.defaults
+    {
+      ...ironWebcrypto.defaults,
+      ttl: config.maxAge ? config.maxAge * 1e3 : 0,
+      ...config.seal
+    }
   );
-  setCookie(event, sessionName, sealed, config.cookie || DEFAULT_COOKIE);
-  return session;
+  if (config.maxAge) {
+    const age = Date.now() - (unsealed.createdAt || Number.NEGATIVE_INFINITY);
+    if (age > config.maxAge * 1e3) {
+      throw new Error("Session expired!");
+    }
+  }
+  return unsealed;
 }
 async function clearSession(event, config) {
   const sessionName = config.name || DEFAULT_NAME;
   if (event.context.sessions?.[sessionName]) {
     delete event.context.sessions[sessionName];
   }
-  await setCookie(event, sessionName, "", config.cookie || DEFAULT_COOKIE);
+  await setCookie(event, sessionName, "", {
+    ...DEFAULT_COOKIE,
+    ...config.cookie
+  });
 }
 
 class H3Headers {
@@ -1187,6 +1234,7 @@ exports.proxyRequest = proxyRequest;
 exports.readBody = readBody;
 exports.readMultipartFormData = readMultipartFormData;
 exports.readRawBody = readRawBody;
+exports.sealSession = sealSession;
 exports.send = send;
 exports.sendError = sendError;
 exports.sendNoContent = sendNoContent;
@@ -1201,6 +1249,7 @@ exports.setResponseHeaders = setResponseHeaders;
 exports.setResponseStatus = setResponseStatus;
 exports.toEventHandler = toEventHandler;
 exports.toNodeListener = toNodeListener;
+exports.unsealSession = unsealSession;
 exports.updateSession = updateSession;
 exports.use = use;
 exports.useBase = useBase;

package/dist/index.d.ts

@@ -8,12 +8,20 @@ type SessionDataT = Record<string, any>;
 type SessionData<T extends SessionDataT = SessionDataT> = T;
 interface Session<T extends SessionDataT = SessionDataT> {
     id: string;
+    createdAt: number;
     data: SessionData<T>;
 }
 interface SessionConfig {
+    /** Private key used to encrypt session tokens */
     password: string;
+    /** Session expiration time in seconds */
+    maxAge?: number;
+    /** default is h3 */
     name?: string;
-    cookie?: CookieSerializeOptions;
+    /** Default is secure, httpOnly, / */
+    cookie?: false | CookieSerializeOptions;
+    /** Default is x-h3-session / x-{name}-session */
+    sessionHeader?: false | string;
     seal?: SealOptions;
     crypto?: Crypto;
 }
@@ -26,6 +34,8 @@ declare function useSession<T extends SessionDataT = SessionDataT>(event: H3Even
 declare function getSession<T extends SessionDataT = SessionDataT>(event: H3Event, config: SessionConfig): Promise<Session<T>>;
 type SessionUpdate<T extends SessionDataT = SessionDataT> = Partial<SessionData<T>> | ((oldData: SessionData<T>) => Partial<SessionData<T>> | undefined);
 declare function updateSession<T extends SessionDataT = SessionDataT>(event: H3Event, config: SessionConfig, update?: SessionUpdate<T>): Promise<Session<T>>;
+declare function sealSession<T extends SessionDataT = SessionDataT>(event: H3Event, config: SessionConfig): Promise<string>;
+declare function unsealSession(_event: H3Event, config: SessionConfig, sealed: string): Promise<Partial<Session<SessionDataT>>>;
 declare function clearSession(event: H3Event, config: SessionConfig): Promise<void>;
 
 type HTTPMethod = "GET" | "HEAD" | "PATCH" | "POST" | "PUT" | "DELETE" | "CONNECT" | "OPTIONS" | "TRACE";
@@ -353,4 +363,4 @@ interface CreateRouterOptions {
 }
 declare function createRouter(opts?: CreateRouterOptions): Router;
 
-export { AddRouteShortcuts, App, AppOptions, AppUse, CacheConditions, CreateRouterOptions, DynamicEventHandler, Encoding, EventHandler, EventHandlerResponse, H3Error, H3Event, H3EventContext, H3Headers, H3Response, HTTPMethod, InputLayer, InputStack, Layer, LazyEventHandler, MIMES, Matcher, NodeEventContext, NodeListener, NodeMiddleware, NodePromisifiedHandler, ProxyOptions, RequestHeaders, Router, RouterMethod, RouterUse, Session, SessionConfig, SessionData, Stack, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, isError, isEvent, isEventHandler, isMethod, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, toEventHandler, toNodeListener, updateSession, use, useBase, useSession, writeEarlyHints };
+export { AddRouteShortcuts, App, AppOptions, AppUse, CacheConditions, CreateRouterOptions, DynamicEventHandler, Encoding, EventHandler, EventHandlerResponse, H3Error, H3Event, H3EventContext, H3Headers, H3Response, HTTPMethod, InputLayer, InputStack, Layer, LazyEventHandler, MIMES, Matcher, NodeEventContext, NodeListener, NodeMiddleware, NodePromisifiedHandler, ProxyOptions, RequestHeaders, Router, RouterMethod, RouterUse, Session, SessionConfig, SessionData, Stack, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, isError, isEvent, isEventHandler, isMethod, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };

package/dist/index.mjs

@@ -3,7 +3,7 @@ import { createRouter as createRouter$1 } from 'radix3';
 import destr from 'destr';
 import { parse as parse$1, serialize } from 'cookie-es';
 import crypto from 'uncrypto';
-import { unseal, defaults, seal } from 'iron-webcrypto';
+import { seal, defaults, unseal } from 'iron-webcrypto';
 
 function useBase(base, handler) {
   base = withoutTrailingSlash(base);
@@ -638,21 +638,35 @@ async function getSession(event, config) {
   if (event.context.sessions[sessionName]) {
     return event.context.sessions[sessionName];
   }
-  const session = { id: "", data: /* @__PURE__ */ Object.create(null) };
+  const session = {
+    id: "",
+    createdAt: 0,
+    data: /* @__PURE__ */ Object.create(null)
+  };
   event.context.sessions[sessionName] = session;
-  const reqCookie = getCookie(event, sessionName);
-  if (!reqCookie) {
-    session.id = (config.crypto || crypto).randomUUID();
-    await updateSession(event, config);
-  } else {
-    const unsealed = await unseal(
-      config.crypto || crypto,
-      reqCookie,
-      config.password,
-      config.seal || defaults
+  let sealedSession;
+  if (config.sessionHeader !== false) {
+    const headerName = typeof config.sessionHeader === "string" ? config.sessionHeader.toLowerCase() : `x-${sessionName.toLowerCase()}-session`;
+    const headerValue = event.node.req.headers[headerName];
+    if (typeof headerValue === "string") {
+      sealedSession = headerValue;
+    }
+  }
+  if (!sealedSession) {
+    sealedSession = getCookie(event, sessionName);
+  }
+  if (sealedSession) {
+    const unsealed = await unsealSession(event, config, sealedSession).catch(
+      () => {
+      }
     );
     Object.assign(session, unsealed);
   }
+  if (!session.id) {
+    session.id = (config.crypto || crypto).randomUUID();
+    session.createdAt = Date.now();
+    await updateSession(event, config);
+  }
   return session;
 }
 async function updateSession(event, config, update) {
@@ -664,21 +678,54 @@ async function updateSession(event, config, update) {
   if (update) {
     Object.assign(session.data, update);
   }
-  const sealed = await seal(
+  if (config.cookie !== false) {
+    const sealed = await sealSession(event, config);
+    setCookie(event, sessionName, sealed, {
+      ...DEFAULT_COOKIE,
+      expires: config.maxAge ? new Date(session.createdAt + config.maxAge * 1e3) : void 0,
+      ...config.cookie
+    });
+  }
+  return session;
+}
+async function sealSession(event, config) {
+  const sessionName = config.name || DEFAULT_NAME;
+  const session = event.context.sessions?.[sessionName] || await getSession(event, config);
+  const sealed = await seal(config.crypto || crypto, session, config.password, {
+    ...defaults,
+    ttl: config.maxAge ? config.maxAge * 1e3 : 0,
+    ...config.seal
+  });
+  return sealed;
+}
+async function unsealSession(_event, config, sealed) {
+  const unsealed = await unseal(
     config.crypto || crypto,
-    session,
+    sealed,
     config.password,
-    config.seal || defaults
+    {
+      ...defaults,
+      ttl: config.maxAge ? config.maxAge * 1e3 : 0,
+      ...config.seal
+    }
   );
-  setCookie(event, sessionName, sealed, config.cookie || DEFAULT_COOKIE);
-  return session;
+  if (config.maxAge) {
+    const age = Date.now() - (unsealed.createdAt || Number.NEGATIVE_INFINITY);
+    if (age > config.maxAge * 1e3) {
+      throw new Error("Session expired!");
+    }
+  }
+  return unsealed;
 }
 async function clearSession(event, config) {
   const sessionName = config.name || DEFAULT_NAME;
   if (event.context.sessions?.[sessionName]) {
     delete event.context.sessions[sessionName];
   }
-  await setCookie(event, sessionName, "", config.cookie || DEFAULT_COOKIE);
+  await setCookie(event, sessionName, "", {
+    ...DEFAULT_COOKIE,
+    ...config.cookie
+  });
 }
 
 class H3Headers {
@@ -1130,4 +1177,4 @@ function createRouter(opts = {}) {
   return router;
 }
 
-export { H3Error, H3Event, H3Headers, H3Response, MIMES, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, isError, isEvent, isEventHandler, isMethod, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, toEventHandler, toNodeListener, updateSession, use, useBase, useSession, writeEarlyHints };
+export { H3Error, H3Event, H3Headers, H3Response, MIMES, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, isError, isEvent, isEventHandler, isMethod, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "h3",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Tiny JavaScript Server",
   "repository": "unjs/h3",
   "license": "MIT",