@vs-org/session

v0.0.4

This is a simple Express session management middleware that uses Mongo DB for storing sessions. The package supports validating, destroying and creating sessions.

Downloads

6

Readme

vs-session

This is a simple Express session management middleware. Mongo DB is used as the session store.

Usage

  1. Create sessions
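// ES module
import express, { Request, Response } from "express";
import VsSession from "@vs-org/session";

// CommonJS (use this instead of the VsSession import above)
// const VsSession = require("@vs-org/session").default;

const app = express();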

const vsSession = VsSession({
    url: "mongodb://localhost:27017/vs-rate-limiter",
    collectionName: "login-session",
    secret: "This is session secret",
    cookie: {
      domain: "",
      maxAge: 86400,
      httpOnly: false,
      name: "vs-session",
      path: "/",
      secure: false
    }
  });

  app.get("/path1", vsSession, async (req: Request, resp: Response) => {
    return resp.send("Login success response");
  });
  2. Only update sessions

    a) If the use case is only to check a session and update it, the onlyCheckSessionRoutes option can be used.
    b) If onlyCheckSessionRoutes does not contain the current route, a new session will be created for the request, because VsSession is used as middleware.
    c) We can then check whether a session is present on the Express request; if it is, update sessionContext and call updateSession on the session to save it back to the session store.

// ES module
import express, { Request, Response } from "express";
import VsSession from "@vs-org/session";

// CommonJS (use this instead of the VsSession import above)
// const VsSession = require("@vs-org/session").default;

const app = express();

const vsSession = VsSession({
    url: "mongodb://localhost:27017/vs-rate-limiter",
    collectionName: "login-session",
    secret: "This is session secret",
    cookie: {
      domain: "",
      maxAge: 86400,
      httpOnly: false,
      name: "vs-session",
      path: "/",
      secure: false
    },
    onlyCheckSessionRoutesRoutes: ["/update-session", "/logout"]
  });

  app.get(
    "/update-session",
    vsSession,
    async (req: Request, resp: Response) => {
      if (req.session) {
        req.session.sessionContext.user = {
          username: "user1-username",
          name: "John Doe"
        };
        await req.session.updateSession();
      }
      return resp.send("Update session success response");
    }
  );
  3. Update session if present, or else create and update session

    a) If the use case is to get the current session or create a new one, the onlyCheckSessionRoutes option can be skipped, or the route can be removed from the onlyCheckSessionRoutes array; VsSession will check whether the session cookie is present.
    b) If it is present, the Express request will be enriched with the current session and session context.
    c) We can then update the session and call updateSession on the session to save it back to the session store.

// ES module
import express, { Request, Response } from "express";
import VsSession from "@vs-org/session";

// CommonJS (use this instead of the VsSession import above)
// const VsSession = require("@vs-org/session").default;

const app = express();

const vsSession = VsSession({
    url: "mongodb://localhost:27017/vs-rate-limiter",
    collectionName: "login-session",
    secret: "This is session secret",
    cookie: {
      domain: "",
      maxAge: 86400,
      httpOnly: false,
      name: "vs-session",
      path: "/",
      secure: false
    },
    onlyCheckSessionRoutesRoutes: ["/logout"]
  });

  app.get(
    "/update-session",
    vsSession,
    async (req: Request, resp: Response) => {
      if (req.session) {
        req.session.sessionContext.user = {
          username: "user1-username",
          name: "John Doe"
        };
        await req.session.updateSession();
      }
      return resp.send("Update session success response");
    }
  );
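  4. Delete session
// ES module
import express, { Request, Response } from "express";
import VsSession from "@vs-org/session";

// CommonJS (use this instead of the VsSession import above)
// const VsSession = require("@vs-org/session").default;

const app = express();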

const vsSession = VsSession({
    url: "mongodb://localhost:27017/vs-rate-limiter",
    collectionName: "login-session",
    secret: "This is session secret",
    cookie: {
      domain: "",
      maxAge: 86400,
      httpOnly: false,
      name: "vs-session",
      path: "/",
      secure: false
    },
    onlyCheckSessionRoutesRoutes: ["/logout"]
  });

  app.get("/logout", vsSession, async (req: Request, resp: Response) => {
    if (req.session) {
      await req.session.destroySession();
    }
    return resp.send("Logout session success response");
  });

Examples

  1. Standard OIDC flow /authorize request

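    a) If the user is already logged in, /authorize should redirect the user to the callback with the response type from the /authorize call.
    b) If the user is not logged in (session is not present), the user should be redirected to the login page.

// ES module
import express, { Request, Response } from "express";
import VsSession from "@vs-org/session";

// CommonJS (use this instead of the VsSession import above)
// const VsSession = require("@vs-org/session").default;

const app = express();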

const vsSession = VsSession({
    url: "mongodb://localhost:27017/vs-rate-limiter",
    collectionName: "login-session",
    secret: "This is session secret",
    cookie: {
      domain: "",
      maxAge: 86400,
      httpOnly: false,
      name: "vs-session",
      path: "/",
      secure: false
    },
    onlyCheckSessionRoutesRoutes: ["/authorize"]
  });

/**
 * VsSession is used as middleware and the current route is listed in `onlyCheckSessionRoutesRoutes`,
 * so the package only checks for an existing session and does not create one.
 */
 app.get("/authorize", vsSession, async (req: Request, resp: Response) => {
    if (req.session) {
      return resp.send("Callback redirect");
    }
    return resp.send("Login page redirect");
  });

/**
 * VsSession is used as middleware and the current route is not present in `onlyCheckSessionRoutesRoutes`,
 * so the package will create a session.
 */
app.get("/login", vsSession, async (req: Request, resp: Response) => {
    return resp.send("Login page response");
});


/**
 * Create a new session and update the user information.
 * Note: the `/login` page session should be destroyed
 * and a new session created for the logged-in user to avoid session fixation attacks.
 */
app.get(
    "/post-login",
    vsSession,
    async (req: Request, resp: Response) => {
      if (req.session) {
        req.session.sessionContext.user = {
          username: "user1-username",
          name: "John Doe"
        };
        await req.session.updateSession();
      }
      return resp.send("Callback redirect");
    }
);
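
The session fixation note in the `/post-login` comment above, shown as an added example that is not part of @vs-org/session: an in-memory `Map` stands in for the Mongo store, and `createSession`, `loginKeepId`, `loginRegenerate` and `userFor` are hypothetical helpers. It compares keeping the pre-login session id with destroying it and issuing a fresh one at login.

```javascript
const { randomBytes } = require("node:crypto");

// In-memory stand-in for the session store (assumption, not the package's code).
const store = new Map();

function createSession(context = {}) {
  const id = randomBytes(32).toString("hex"); // unpredictable id
  store.set(id, { ...context });
  return id;
}

// Login that keeps the pre-login id: the same id simply becomes authenticated.
function loginKeepId(sessionId, user) {
  store.get(sessionId).user = user;
  return sessionId;
}

// Login that destroys the pre-login session and issues a new id,
// carrying over only the non-authentication context.
function loginRegenerate(sessionId, user) {
  const previous = store.get(sessionId) || {};
  store.delete(sessionId);
  return createSession({ ...previous, user });
}

// Which user, if any, a given session id resolves to.
function userFor(sessionId) {
  const session = store.get(sessionId);
  return session && session.user ? session.user.username : null;
}

function demo() {
  const user = { username: "user1-username", name: "John Doe" };
  const preLoginA = createSession(); // id that existed (and may be known) before login
  loginKeepId(preLoginA, user);
  const preLoginB = createSession();
  const postLoginB = loginRegenerate(preLoginB, user);
  return {
    keptIdResolvesTo: userFor(preLoginA),    // old id is now an authenticated session
    oldIdAfterRegen: userFor(preLoginB),     // old id no longer exists
    newIdAfterRegen: userFor(postLoginB),
    rotated: preLoginB !== postLoginB
  };
}

console.log(demo());
```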

Options

| option | required | default | Description |
| --- | --- | --- | --- |
| url | true | NA | Mongo DB connection URL. This package does not accept an existing Mongo instance; it will establish a separate connection. |
| username | false | NA | Mongo DB username. |
| password | false | NA | Mongo DB password. |
| loggerLevel | false | NA | Logger level for mongodb packages. Only the debug value is accepted. |
| collectionName | false | session_{DB_NAME} | Collection name for the session store. |
| secret | true | NA | Session secret, used to sign cookies and verify their signature. Make sure it is strong and stays the same: if it is changed, all past sessions will be invalid by default. |
| sessionIdGenerator | false | @vs-org/random.random({ length: 72, charset: DEFAULTS.randomCharSet }) | This option can be used to generate custom session ids. Make sure this function always returns unique strings of length 24, or else there will be unexpected errors or behaviours. The default key is generated with the @vs-org/random package using the custom char set ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789. |
| expiresInSeconds | false | 30 days = 30 * 24 * 60 * 60 | This is used for both the Mongo store and the cookie expiry (Max-Age). If both cookie.maxAge and expiresInSeconds are provided, expiresInSeconds takes precedence for session expiry, as ideally the session should be destroyed on both the client side and the server side. |
| onlyCheckSessionRoutes | false | NA | Use this option if the middleware only needs to check the session. Add the routes that only need to check the session to the onlyCheckSessionRoutes array; then, if session cookies are missing, the package will not create a new session. |
| onlyCheckSessionRoutesWithHTTPMethod | false | NA | Use this option if the middleware only needs to check the session. Routes that only need to check the session go in the onlyCheckSessionRoutes array, but if the same route is used with different HTTP methods and the session should be checked only for a specific method, use this option. Eg: { "POST": ["/login"], "GET": ["/logout"] } |
| mongoDbOperationHandlerPackage | true | mongoose | This package depends on the mongodb or mongoose package to connect to Mongo DB and handle its operations. If the application is already using one of these packages, then instead of installing a peer dependency this option can be used to tell the VsSession package to use either mongodb or mongoose. There is no difference in functionality. |
| cookie | true | Default cookie values, see the cookie options below | Cookie options for session cookies. |
| cookie.name | true | vs-sess | Session cookie name. |
| cookie.domain | true | "" | Session cookie domain. |
| cookie.header | false | "cookie" | Custom cookie header. If the application is behind proxy servers that process and forward cookies in a different header (eg: x-forwarded-cookies), this option can be used so that VsSession can extract the proper cookies from the request. |
| cookie.maxAge | true | 30 days = 30 * 24 * 60 * 60 | Session cookie expiry. If the expiresInSeconds option is present, expiresInSeconds takes precedence; if it is not present, this option is used for session expiry. |
| cookie.httpOnly | true | false | The session cookie's httpOnly attribute determines whether JS has access to the session cookie. The recommended setting is always true. |
| cookie.secure | true | false | With the secure attribute set, the session cookie is sent only over HTTPS and not HTTP. |
| cookie.sameSite | false | None | Cookies used for storing sensitive information such as authentication / an authenticated session should have a short lifetime, with SameSite set to "Strict" or "Lax". |
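
The cookie recommendations in the table, applied to the configuration used in the README examples. This is an added example, not part of @vs-org/session: `auditSessionOptions` is a hypothetical helper, the option names come from the table above, and the 32-character secret minimum is this example's own threshold.

```javascript
// Added example, not @vs-org/session code. Option names come from the Options table;
// the 32-character secret minimum is an assumption made for this example.
const THIRTY_DAYS = 30 * 24 * 60 * 60; // documented default lifetime in seconds

function auditSessionOptions(opts) {
  const cookie = opts.cookie || {};
  const findings = [];
  // Documented defaults are false, so an omitted value counts as weak too.
  if (cookie.httpOnly !== true) findings.push("httpOnly"); // page scripts can read the cookie
  if (cookie.secure !== true) findings.push("secure");     // cookie also travels over plain HTTP
  // Documented default for sameSite is None.
  const sameSite = String(cookie.sameSite ?? "None").toLowerCase();
  if (sameSite !== "strict" && sameSite !== "lax") findings.push("sameSite");
  if (typeof opts.secret !== "string" || opts.secret.length < 32) findings.push("secret");
  // expiresInSeconds takes precedence over cookie.maxAge (see the table).
  const lifetimeSeconds = opts.expiresInSeconds ?? cookie.maxAge ?? THIRTY_DAYS;
  return { findings, lifetimeSeconds };
}

// Configuration as written in the README examples.
const readmeOptions = {
  url: "mongodb://localhost:27017/vs-rate-limiter",
  collectionName: "login-session",
  secret: "This is session secret",
  cookie: { domain: "", maxAge: 86400, httpOnly: false, name: "vs-session", path: "/", secure: false }
};

// Hardened variant (constructed). In a deployment the secret is read from a secret
// store or environment variable; the literal below is a labelled placeholder.
const hardenedOptions = {
  ...readmeOptions,
  secret: "PLACEHOLDER-load-a-long-random-secret-from-your-secret-store",
  expiresInSeconds: 3600,
  cookie: { ...readmeOptions.cookie, httpOnly: true, secure: true, sameSite: "Lax" }
};

console.log(auditSessionOptions(readmeOptions));
console.log(auditSessionOptions(hardenedOptions));
```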

Session object in Express request

| session attribute | type | Description |
| --- | --- | --- |
| request.sessionId | string | Session id. |
| request.session.sessionContext | object | Session context object to keep application-required data in the session in key-value format. |
| request.session.updateSession | Function | Function to update session parameters. Follow the above examples to use it with the Express request. This function can also accept sessionId and sessionContext as parameters to update; if the session id is not from the current session, the package will throw an error. |
| request.session.destroySession | Function | Function to delete the current session. Follow the above examples to use it with the Express request. This function can also accept sessionId as a parameter to delete a session; if the session id is not from the current session, the package will throw an error. |
| request.session.getSession | Function | Function to get the session. This function can also accept sessionId as a parameter to get a session; if the session id is not from the current session, the package will throw an error. |

Session helper function signatures

| Name | Function signature |
| --- | --- |
| updateSession | (sessionId?: string, sessionContext?: SessionContext) => Promise<void> |
| destroySession | (sessionId?: string) => Promise<boolean \| never> |
| getSession | (sessionId?: string) => Promise<SessionContext> |

License

MIT (see LICENSE)

Note

This package is not tested with concurrent requests and heavy load (not production ready). It is an experimental package and is not actively maintained; only use it for development and POCs.