hono-sessions 0.2.4 → 0.3.1

package/README.md

@@ -1,128 +1,104 @@
 # Hono Sessions Middleware
-Use cookie-based sessions with the [Hono](https://hono.dev/) framework. Currently tested to work with Cloudflare Workers and Deno.
+Use cookie-based sessions with the [Hono](https://hono.dev/) framework. Currently tested to work with Deno, Cloudflare Workers, and Bun.
 
 ### 🛠️ Features
-- Runs in Deno and Cloudflare Workers (possibly others, currently untested)
+- Runs in Deno, Cloudflare Workers, and Bun (possibly others, currently untested)
 - Flash messages — data that is deleted once it's read (one-off error messages, etc.)
 - Built-in Memory and Cookie storage drivers (more coming soon)
 - Encrypted cookies thanks to [iron-webcrypto](https://github.com/brc-dd/iron-webcrypto)
 - Session expiration after inactivity
-- Session key rotation, for mitigating session fixation attacks
+- Session key rotation* 
 
-## Usage
+> *CookieStore is not able to rotate session keys by nature of how a pure cookie session works (no server-side state).
 
-### Cloudflare Workers
+## Installation and Usage
 
-Install from NPM
-```
-npm install hono-sessions
-```
+### Deno
 
-Here is a full-fledged example that shows what a login form might look like:
+Simply include the package from `deno.land/x`
 
 ```ts
-import { Hono } from 'hono'
-import { sessionMiddleware, CookieStore, Session } from 'hono-sessions'
+import { sessionMiddleware } from 'https://deno.land/x/hono_sessions/mod.ts'
+```
 
-const store = new CookieStore()
+### Bun, Cloudflare Workers
+
+Install the NPM package
+```
+npm install hono-sessions
+```
 
-const app = new Hono()
+## Examples
 
-const sessionRoutes = new Hono<{
+### Deno
+```ts
+import { Hono } from 'https://deno.land/x/hono@v3.5.8/mod.ts'
+import { 
+  Session,
+  sessionMiddleware, 
+  CookieStore 
+} from 'https://deno.land/x/hono_sessions/mod.ts'
+
+const app = new Hono<{
   Variables: {
     session: Session,
     session_key_rotation: boolean
   }
 }>()
 
-sessionRoutes.use('*', sessionMiddleware({
+const store = new CookieStore()
+
+app.use('*', sessionMiddleware({
   store,
-  expireAfterSeconds: 900, // delete session after 15 minutes of inactivity
-  encryptionKey: 'password_that_is_at_least_32_characters_long' // Required while using CookieStore. Please use a secure, un-guessable password!
+  encryptionKey: 'password_at_least_32_characters_long', // Required for CookieStore, recommended for others
+  expireAfterSeconds: 900, // Expire session after 15 minutes
+  cookieOptions: {
+    sameSite: 'Lax',
+  },
 }))
 
-sessionRoutes.post('/login', async (c) => {
+app.get('/', async (c, next) => {
   const session = c.get('session')
 
-  const { email, password } = await c.req.parseBody()
-
-  if (password === 'correct') {
-    c.set('session_key_rotation', true)
-    session.set('email', email)
-    session.set('failed-login-attempts', null)
-    session.flash('message', 'Login Successful')
+  if (session.get('counter')) {
+    session.set('counter', session.get('counter') as number + 1)
   } else {
-    const failedLoginAttempts = (session.get('failed-login-attempts') || 0) as number
-    session.set('failed-login-attempts', failedLoginAttempts + 1)
-    session.flash('error', 'Incorrect username or password')
+    session.set('counter', 1)
   }
 
-  return c.redirect('/')
+  return c.html(`<h1>You have visited this page ${ session.get('counter') } times</h1>`)
 })
 
-sessionRoutes.post('/logout', (c) => {
-  c.get('session').deleteSession()
-  return c.redirect('/')
-})
+Deno.serve(app.fetch)
+```
 
-sessionRoutes.get('/', (c) => {
-  const session = c.get('session')
+### Bun
 
-  const message = session.get('message') || ''
-  const error = session.get('error') || ''
-  const failedLoginAttempts = session.get('failed-login-attempts')
-  const email = session.get('email')
-
-  return c.html(`<!DOCTYPE html>
-  <html lang="en">
-    <head>
-      <meta charset="UTF-8">
-      <meta http-equiv="X-UA-Compatible" content="IE=edge">
-      <meta name="viewport" content="width=device-width, initial-scale=1.0">
-      <title>Hono Sessions</title>
-    </head>
-    <body>
-      <p>${message}</p>
-      <p>${error}</p>
-      <p>${failedLoginAttempts ? `Failed login attempts: ${failedLoginAttempts}` : ''}</p>
-
-      ${email ? 
-      `<form id="logout" action="/logout" method="post">
-          <button name="logout" type="submit">Log out ${email}</button>
-      </form>`
-      : 
-      `<form id="login" action="/login" method="post">
-          <p>
-              <input id="email" name="email" type="text" placeholder="you@email.com">
-          </p>
-          <p>
-              <input id="password" name="password" type="password" placeholder="password">
-          </p>
-          <button name="login" type="submit">Log in</button>
-      </form>` 
-      }
-    </body>
-  </html>`)
-})
+```ts
+import { Hono } from 'hono'
+import { sessionMiddleware, CookieStore, Session } from 'hono-sessions'
 
-app.route('/', sessionRoutes)
+// Same as Deno, however instead of:
+// Deno.serve(app.fetch)
+// use:
 
-export default app
+export default {
+  port: 3000,
+  fetch: app.fetch
+}
 ```
 
-### Deno
-
-There is a Deno package available on `deno.land/x`.
+### Cloudflare Workers
 
 ```ts
-import { Hono } from 'https://deno.land/x/hono/mod.ts'
-import { sessionMiddleware, CookieStore, Session } from 'https://deno.land/x/hono_sessions/mod.ts'
+import { Hono } from 'hono'
+import { sessionMiddleware, CookieStore, Session } from 'hono-sessions'
 
-// Same as CF Workers, however instead of:
-// export default app
+// Same as Deno, however instead of:
+// Deno.serve(app.fetch)
 // use:
 
-Deno.serve(app.fetch)
+export default app
 ```
 
 ## Contributing
@@ -132,5 +108,13 @@ This package is built Deno-first, so you'll need to have Deno installed in your
 Once Deno is installed, there is a test server you can run a basic web server to check your changes:
 
 ```
-deno run --allow-net --watch test/server_deno.ts
+deno run --allow-net --watch test/deno/server_deno.ts
+```
+
+There's also a [Playwright](https://playwright.dev/) test suite. By default, it is set up to run a Deno server with the MemoryStore driver. In Github actions, it runs through a series of runtimes and storage drivers when a pull request is made.
+
+```
+cd playwright
+npm install
+npx playwright test
 ```

package/esm/src/Middleware.js

@@ -31,8 +31,13 @@ export function sessionMiddleware(options) {
                 session_data = await store.getSession(c);
             }
             else {
-                sid = (encryptionKey ? await decrypt(encryptionKey, sessionCookie) : sessionCookie);
-                session_data = await store.getSessionById(sid);
+                try {
+                    sid = (encryptionKey ? await decrypt(encryptionKey, sessionCookie) : sessionCookie);
+                    session_data = await store.getSessionById(sid);
+                }
+                catch {
+                    createNewSession = true;
+                }
             }
             if (session_data) {
                 session.setCache(session_data);

package/esm/src/store/CookieStore.d.ts

@@ -10,7 +10,7 @@ declare class CookieStore {
     cookieOptions: CookieOptions | undefined;
     sessionCookieName: string;
     constructor(options?: CookieStoreOptions);
-    getSession(c: Context): Promise<any>;
+    getSession(c: Context): Promise<SessionData | null>;
     createSession(c: Context, initial_data: SessionData): Promise<void>;
     deleteSession(c: Context): Promise<void>;
     persistSessionData(c: Context, session_data: SessionData): Promise<void>;

package/esm/src/store/CookieStore.js

@@ -25,12 +25,23 @@ class CookieStore {
         this.sessionCookieName = options?.sessionCookieName || 'session';
     }
     async getSession(c) {
-        let session_data;
+        let session_data_raw;
         const sessionCookie = getCookie(c, this.sessionCookieName);
         if (this.encryptionKey && sessionCookie) {
-            session_data = (await decrypt(this.encryptionKey, sessionCookie));
-            if (session_data) {
-                return JSON.parse(session_data);
+            // Decrypt cookie string. If decryption fails, return null
+            try {
+                session_data_raw = (await decrypt(this.encryptionKey, sessionCookie));
+            }
+            catch {
+                return null;
+            }
+            // Parse session object from cookie string and return result. If fails, return null
+            try {
+                const session_data = JSON.parse(session_data_raw);
+                return session_data;
+            }
+            catch {
+                return null;
             }
         }
         else {

package/esm/src/store/bun/BunSqliteStore.d.ts

@@ -0,0 +1,11 @@
+import Store from '../Store.js';
+import { SessionData } from '../../Session.js';
+export declare class BunSqliteStore implements Store {
+    db: any;
+    tableName: string;
+    constructor(db: any, tableName?: string);
+    getSessionById(sessionId: string): any;
+    createSession(sessionId: string, initialData: SessionData): void;
+    deleteSession(sessionId: string): void;
+    persistSessionData(sessionId: string, sessionData: SessionData): void;
+}

package/esm/src/store/bun/BunSqliteStore.js

@@ -0,0 +1,42 @@
+export class BunSqliteStore {
+    constructor(db, tableName = 'sessions') {
+        Object.defineProperty(this, "db", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "tableName", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        this.db = db;
+        this.tableName = tableName;
+        const query = db.query(`CREATE TABLE IF NOT EXISTS ${tableName} (id TEXT PRIMARY KEY, data TEXT)`);
+        query.run();
+    }
+    getSessionById(sessionId) {
+        const query = this.db.query(`SELECT data FROM ${this.tableName} WHERE id = $id`);
+        const result = query.get({ $id: sessionId });
+        if (result) {
+            return JSON.parse(result.data);
+        }
+        else {
+            return null;
+        }
+    }
+    createSession(sessionId, initialData) {
+        const query = this.db.query(`INSERT INTO ${this.tableName} (id, data) VALUES ($id, $data)`);
+        query.run({ $id: sessionId, $data: JSON.stringify(initialData) });
+    }
+    deleteSession(sessionId) {
+        const query = this.db.query(`DELETE FROM ${this.tableName} WHERE id = $id`);
+        query.run({ $id: sessionId });
+    }
+    persistSessionData(sessionId, sessionData) {
+        const query = this.db.query(`UPDATE ${this.tableName} SET data = $data WHERE id = $id`);
+        query.run({ $id: sessionId, $data: JSON.stringify(sessionData) });
+    }
+}

package/esm/src/store/cloudflare/CloudflareD1Store.d.ts

@@ -0,0 +1,11 @@
+import Store from '../Store.js';
+import { SessionData } from '../../Session.js';
+export declare class CloudflareD1Store implements Store {
+    db: any;
+    tableName: string;
+    constructor(tableName?: string);
+    getSessionById(sessionId?: string | undefined): Promise<any>;
+    createSession(sessionId: string, initialData: SessionData): Promise<void>;
+    deleteSession(sessionId: string): Promise<void>;
+    persistSessionData(sessionId: string, sessionData: SessionData): Promise<void>;
+}

package/esm/src/store/cloudflare/CloudflareD1Store.js

@@ -0,0 +1,37 @@
+export class CloudflareD1Store {
+    constructor(tableName = 'sessions') {
+        Object.defineProperty(this, "db", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "tableName", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        this.tableName = tableName;
+    }
+    async getSessionById(sessionId) {
+        const session = await this.db.prepare(`SELECT data FROM ${this.tableName} WHERE id = ?`)
+            .bind(sessionId)
+            .first('data');
+        if (session) {
+            return JSON.parse(session);
+        }
+        else {
+            return null;
+        }
+    }
+    async createSession(sessionId, initialData) {
+        await this.db.prepare(`INSERT INTO ${this.tableName} (id, data) VALUES (?, ?)`).bind(sessionId, JSON.stringify(initialData)).run();
+    }
+    async deleteSession(sessionId) {
+        await this.db.prepare(`DELETE FROM ${this.tableName} WHERE id = ?`).bind(sessionId).run();
+    }
+    async persistSessionData(sessionId, sessionData) {
+        await this.db.prepare(`UPDATE ${this.tableName} SET data = ? WHERE id = ?`).bind(JSON.stringify(sessionData), sessionId).run();
+    }
+}

package/package.json

@@ -2,7 +2,7 @@
   "module": "./esm/mod.js",
   "main": "./script/mod.js",
   "name": "hono-sessions",
-  "version": "0.2.4",
+  "version": "0.3.1",
   "description": "Cookie-based sessions for Hono web framework",
   "license": "MIT",
   "repository": {
@@ -16,6 +16,14 @@
     ".": {
       "import": "./esm/mod.js",
       "require": "./script/mod.js"
+    },
+    "./bun-sqlite-store": {
+      "import": "./esm/src/store/bun/BunSqliteStore.js",
+      "require": "./script/src/store/bun/BunSqliteStore.js"
+    },
+    "./cloudflare-d1-store": {
+      "import": "./esm/src/store/cloudflare/CloudflareD1Store.js",
+      "require": "./script/src/store/cloudflare/CloudflareD1Store.js"
     }
   },
   "dependencies": {

package/script/src/Middleware.js

@@ -37,8 +37,13 @@ function sessionMiddleware(options) {
                 session_data = await store.getSession(c);
             }
             else {
-                sid = (encryptionKey ? await (0, mod_js_1.decrypt)(encryptionKey, sessionCookie) : sessionCookie);
-                session_data = await store.getSessionById(sid);
+                try {
+                    sid = (encryptionKey ? await (0, mod_js_1.decrypt)(encryptionKey, sessionCookie) : sessionCookie);
+                    session_data = await store.getSessionById(sid);
+                }
+                catch {
+                    createNewSession = true;
+                }
             }
             if (session_data) {
                 session.setCache(session_data);

package/script/src/store/CookieStore.d.ts

@@ -10,7 +10,7 @@ declare class CookieStore {
     cookieOptions: CookieOptions | undefined;
     sessionCookieName: string;
     constructor(options?: CookieStoreOptions);
-    getSession(c: Context): Promise<any>;
+    getSession(c: Context): Promise<SessionData | null>;
     createSession(c: Context, initial_data: SessionData): Promise<void>;
     deleteSession(c: Context): Promise<void>;
     persistSessionData(c: Context, session_data: SessionData): Promise<void>;

package/script/src/store/CookieStore.js

@@ -27,12 +27,23 @@ class CookieStore {
         this.sessionCookieName = options?.sessionCookieName || 'session';
     }
     async getSession(c) {
-        let session_data;
+        let session_data_raw;
         const sessionCookie = (0, deps_js_1.getCookie)(c, this.sessionCookieName);
         if (this.encryptionKey && sessionCookie) {
-            session_data = (await (0, mod_js_1.decrypt)(this.encryptionKey, sessionCookie));
-            if (session_data) {
-                return JSON.parse(session_data);
+            // Decrypt cookie string. If decryption fails, return null
+            try {
+                session_data_raw = (await (0, mod_js_1.decrypt)(this.encryptionKey, sessionCookie));
+            }
+            catch {
+                return null;
+            }
+            // Parse session object from cookie string and return result. If fails, return null
+            try {
+                const session_data = JSON.parse(session_data_raw);
+                return session_data;
+            }
+            catch {
+                return null;
             }
         }
         else {

package/script/src/store/bun/BunSqliteStore.d.ts

@@ -0,0 +1,11 @@
+import Store from '../Store.js';
+import { SessionData } from '../../Session.js';
+export declare class BunSqliteStore implements Store {
+    db: any;
+    tableName: string;
+    constructor(db: any, tableName?: string);
+    getSessionById(sessionId: string): any;
+    createSession(sessionId: string, initialData: SessionData): void;
+    deleteSession(sessionId: string): void;
+    persistSessionData(sessionId: string, sessionData: SessionData): void;
+}

package/script/src/store/bun/BunSqliteStore.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BunSqliteStore = void 0;
+class BunSqliteStore {
+    constructor(db, tableName = 'sessions') {
+        Object.defineProperty(this, "db", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "tableName", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        this.db = db;
+        this.tableName = tableName;
+        const query = db.query(`CREATE TABLE IF NOT EXISTS ${tableName} (id TEXT PRIMARY KEY, data TEXT)`);
+        query.run();
+    }
+    getSessionById(sessionId) {
+        const query = this.db.query(`SELECT data FROM ${this.tableName} WHERE id = $id`);
+        const result = query.get({ $id: sessionId });
+        if (result) {
+            return JSON.parse(result.data);
+        }
+        else {
+            return null;
+        }
+    }
+    createSession(sessionId, initialData) {
+        const query = this.db.query(`INSERT INTO ${this.tableName} (id, data) VALUES ($id, $data)`);
+        query.run({ $id: sessionId, $data: JSON.stringify(initialData) });
+    }
+    deleteSession(sessionId) {
+        const query = this.db.query(`DELETE FROM ${this.tableName} WHERE id = $id`);
+        query.run({ $id: sessionId });
+    }
+    persistSessionData(sessionId, sessionData) {
+        const query = this.db.query(`UPDATE ${this.tableName} SET data = $data WHERE id = $id`);
+        query.run({ $id: sessionId, $data: JSON.stringify(sessionData) });
+    }
+}
+exports.BunSqliteStore = BunSqliteStore;

package/script/src/store/cloudflare/CloudflareD1Store.d.ts

@@ -0,0 +1,11 @@
+import Store from '../Store.js';
+import { SessionData } from '../../Session.js';
+export declare class CloudflareD1Store implements Store {
+    db: any;
+    tableName: string;
+    constructor(tableName?: string);
+    getSessionById(sessionId?: string | undefined): Promise<any>;
+    createSession(sessionId: string, initialData: SessionData): Promise<void>;
+    deleteSession(sessionId: string): Promise<void>;
+    persistSessionData(sessionId: string, sessionData: SessionData): Promise<void>;
+}

package/script/src/store/cloudflare/CloudflareD1Store.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CloudflareD1Store = void 0;
+class CloudflareD1Store {
+    constructor(tableName = 'sessions') {
+        Object.defineProperty(this, "db", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "tableName", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        this.tableName = tableName;
+    }
+    async getSessionById(sessionId) {
+        const session = await this.db.prepare(`SELECT data FROM ${this.tableName} WHERE id = ?`)
+            .bind(sessionId)
+            .first('data');
+        if (session) {
+            return JSON.parse(session);
+        }
+        else {
+            return null;
+        }
+    }
+    async createSession(sessionId, initialData) {
+        await this.db.prepare(`INSERT INTO ${this.tableName} (id, data) VALUES (?, ?)`).bind(sessionId, JSON.stringify(initialData)).run();
+    }
+    async deleteSession(sessionId) {
+        await this.db.prepare(`DELETE FROM ${this.tableName} WHERE id = ?`).bind(sessionId).run();
+    }
+    async persistSessionData(sessionId, sessionData) {
+        await this.db.prepare(`UPDATE ${this.tableName} SET data = ? WHERE id = ?`).bind(JSON.stringify(sessionData), sessionId).run();
+    }
+}
+exports.CloudflareD1Store = CloudflareD1Store;