next-session - npm Package Compare versions

Comparing version 0.1.1 to 0.2.0

lib/session/utils.js

18

lib/index.js

@@ -18,2 +18,4 @@ "use strict";

var _utils = require("./session/utils");
function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { var desc = Object.defineProperty && Object.getOwnPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : {}; if (desc.get || desc.set) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } } newObj["default"] = obj; return newObj; } }

@@ -46,2 +48,4 @@

var generateId = options.generateId || generateSessionId;
var touchAfter = options.touchAfter ? (0, _utils.parseToMs)(options.touchAfter) : 0;
var rollingSession = options.rolling || false;

@@ -92,2 +96,3 @@ if (env === 'production' && store instanceof _memory["default"]) {

return getSession().then(function (hashedsess) {
var sessionSaved = false;
var oldEnd = res.end;

@@ -105,4 +110,15 @@

if (hash(req.session) !== hashedsess) {
sessionSaved = true;
return req.session.save();
}
if (req.session.cookie.maxAge && touchAfter >= 0) {
var minuteSinceTouched = req.session.cookie.maxAge - (req.session.cookie.expires - new Date());
if (minuteSinceTouched < touchAfter) {
return Promise.resolve();
}
return req.session.touch();
}
}

@@ -114,3 +130,3 @@

return saveSession().then(function () {
if (req.cookies[name] !== req.sessionId && req.session) {
if ((req.cookies[name] !== req.sessionId || sessionSaved || rollingSession) && req.session) {
res.setHeader('Set-Cookie', req.session.cookie.serialize(name, req.sessionId));

@@ -117,0 +133,0 @@ }
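Review bot: The touch branch `return req.session.touch();` in the `@@ -105,4 +110,15 @@` hunk extends the store entry but leaves `sessionSaved` false, so the Set-Cookie condition in the next hunk, `(req.cookies[name] !== req.sessionId || sessionSaved || rollingSession) && req.session`, only resends the cookie with its reset expiry when `rolling` is on; otherwise the browser copy keeps the old expiry while the store entry outlives it, which does not match the README's "The same is done to Cookie". A separate flag set on that path, e.g. `sessionTouched = true;` before the `return req.session.touch();` and `|| sessionTouched` in the Set-Cookie condition, would keep the two in step. Separately, `minuteSinceTouched` holds milliseconds (both `maxAge` and `touchAfter` presumably come from `parseToMs`), so `msSinceTouched` would be a more honest name. The enclosing middleware function and `saveSession` start and end outside the visible hunks.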

4

lib/session/cookie.js

@@ -10,2 +10,4 @@ "use strict";

var _utils = require("./utils");
function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { var desc = Object.defineProperty && Object.getOwnPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : {}; if (desc.get || desc.set) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } } newObj["default"] = obj; return newObj; } }

@@ -24,3 +26,3 @@

this.path = options.path || '/';
this.maxAge = parseInt(options.maxAge, 10) || null;
this.maxAge = options.maxAge ? (0, _utils.parseToMs)(options.maxAge) : null;
this.httpOnly = options.httpOnly || true;

@@ -27,0 +29,0 @@ this.domain = options.domain || null;
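Review bot: `this.httpOnly = options.httpOnly || true;` on the new side can never evaluate to `false`, because `false || true` is `true`, so the `cookie.httpOnly` option the README documents as a boolean cannot actually be turned off — only its default is reachable. Distinguish "unset" from "false" explicitly, e.g. `this.httpOnly = options.httpOnly !== undefined ? options.httpOnly : true;`; defaulting to `true` is the right choice, the point is only that the override path is dead. The new `this.maxAge = options.maxAge ? (0, _utils.parseToMs)(options.maxAge) : null;` also drops the old `|| null` guard, so if `parseToMs` can return `NaN` for an unrecognised string, `maxAge` would now be `NaN` rather than a session cookie — worth confirming against `utils.js`. The Cookie constructor begins before this hunk.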

@@ -35,4 +35,17 @@ "use strict";

_createClass(Session, [{
key: "touch",
value: function touch() {
this.cookie.resetExpires();
if (typeof this.req.sessionStore.touch === 'function') {
return this.req.sessionStore.touch();
}
console.warn('store does not implement touch()');
return Promise.resolve();
}
}, {
key: "save",
value: function save() {
this.cookie.resetExpires();
return this.req.sessionStore.set(this.id, this);

@@ -39,0 +52,0 @@ }
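Review bot: In the new `touch()` method, `return this.req.sessionStore.touch();` passes no arguments, whereas the sibling `save()` calls `this.req.sessionStore.set(this.id, this)`; a store cannot know which session to extend without at least the id, so this should presumably read `return this.req.sessionStore.touch(this.id, this);` to mirror `set`. The `console.warn('store does not implement touch()')` fallback also fires on every request for such stores, so guarding it to warn once (or documenting that stores are expected to implement `touch`) would keep logs usable. This section's file header is not shown on the page; it appears to be the `Session` class, and `save()` continues past the end of the hunk.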

{
"name": "next-session",
"version": "0.1.1",
"version": "0.2.0",
"description": "Simple promise-based session middleware for Next.js API Routes",

@@ -5,0 +5,0 @@ "main": "lib/index.js",

@@ -60,3 +60,2 @@ # next-session

// wrap handler with session middleware and include options
export default middleware(handler);

@@ -81,10 +80,14 @@ ```

| store | The session store instance to be used. | `MemoryStore` |
| generateId | The function to generate a new session ID. This needs to be a function that returns a string. | `crypto.randomBytes(16).toString('hex')` |
| generateId | The function to generate a new session ID. This needs to return a string. | `crypto.randomBytes(16).toString('hex')` |
| rolling | Force the cookie to be set on every request despite no modification, extending the life time of the cookie in the browser | `false` |
| touchAfter | On every request, the session store extends the life time of the session even when no changes are made (The same is done to Cookie). However, this may increase the load of the database. Setting this value will ask the store to only do so an amount of time since the Cookie is touched, with exception that the session is modified. Setting the value to `-1` will disable `touch()`. | `0` (Touch every time) |
| cookie.secure | Specifies the boolean value for the **Secure** `Set-Cookie` attribute. If set to true, cookie is only sent to the server with an encrypted request over the HTTPS protocol. | `false` |
| cookie.httpOnly | Specifies the boolean value for the **httpOnly** `Set-Cookie` attribute. If set to true, cookies are inaccessible to client-side scripts. This is yo help mitigate [cross-site scripting (XSS) attacks](https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting). | `true` |
| cookie.path | Specifies the value for the **Path** `Set-Cookie` attribute. This indicates a URL path that must exist in the requested URL in order to send the Cookie header | unset |
| cookie.httpOnly | Specifies the boolean value for the **httpOnly** `Set-Cookie` attribute. If set to true, cookies are inaccessible to client-side scripts. This is to help mitigate [cross-site scripting (XSS) attacks](https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting). | `true` |
| cookie.path | Specifies the value for the **Path** `Set-Cookie` attribute. This indicates a URL path that must exist in the requested URL in order to send the Cookie header | `/` |
| cookie.domain | Specifies the value for the **Domain** `Set-Cookie` attribute. Only allowed hosts to receive the cookie. If unspecified, it defaults to the host of the current document location, excluding subdomains. If Domain is specified, then subdomains are always included. | unset |
| cookie.sameSite | Specifies the value for the **SameSite** `Set-Cookie` attribute. This lets servers require that a cookie shouldn't be sent with cross-site (where `Site` is defined by `Domain` attribute) requests, which provides some protection against cross-site request forgery attacks ( CSRF). | unset |
| cookie.maxAge | Specifies the value for the **Max-Age** `Set-Cookie` attribute. The value **must** be in miliseconds. Determine the length of time before the cookies expire. If unspecified, the cookies will expire when the client closes (Session cookies). | unset (Session) |
| cookie.maxAge | Specifies the value for the **Max-Age** `Set-Cookie` attribute. Determine the length of time before the cookies expire. If unspecified, the cookies will expire when the client closes (Session cookies). | unset (Session) |
*For `touchAfter` and `cookie.maxAge`, you may use the following keywords: `years` (365 days), `months` (30 days), `days`, `hours`, `minutes`, `seconds`. If a number with none of the keywords above is provided, it will be assumed to be `miliseconds`. Ex: `9 months 10 days`.
### req.session

@@ -91,0 +94,0 @@
