npmpackage.info

koa-session-minimal

Minimal implementation of session middleware for Koa 2

4.0.3

MIT

JavaScript

Installations

npm install koa-session-minimal

Pull Requests

Open

0

Total

13

Closed

9

Merged

4

Issues

Open

0

Total

12

Closed

12

Releases

v4.0.3

Published on 31 Jul 2022

v4.0.2

Published on 01 Mar 2022

v4.0.1

Published on 22 Dec 2020

v4.0.0

Published on 13 Apr 2020

Release v3.0.4

v3.0.4

Published on 27 Apr 2017

Release v3.0.3

v3.0.3

Published on 29 Dec 2016

View all 16 releases

Developer

longztian

Developer Guide

BETA

Module System

CommonJS

Min. Node Version

>= 14

Typescript Support

No

Node Version

18.0.0

NPM Version

8.6.0 Statistics

75 Stars

96 Commits

13 Forks

3 Watching

1 Branches

2 Contributors

Updated on 05 Mar 2023

Languages

JavaScript (100%)

Total Downloads

Cumulative downloads

Total Downloads

262,691

Last day

31%

Compared to previous day

Last week

-12.8%

252

Compared to previous week

Last month

-9.9%

1,302

Compared to previous month

Last year

-29.7%

17,636

Compared to previous year

Daily Downloads

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

co fast-deep-equal uid-safe

Dev Dependencies

chai eslint eslint-config-airbnb-base eslint-plugin-import koa koa-redis mocha nyc supertest

Versions

koa-session-minimal

Native Koa 2 session middleware, inspired by and compatible with koa-generic-session. This can be used as a drop-in replacement for koa-generic-session in Koa 2.

This rewrite implements koa-generic-session's essential interfaces, with around 100 lines of code in ES6. It supports existing session stores for koa-generic-session.

Version 4+ requires node 8+. Please use v3.0.4 for node versions older than 8.

Minimum features and storage usage

This middleware guarantees the following:

Minimum data generation and storage. No session data modification / pollution.
- Neither a cookie nor a session store record is created unless session data gets populated by other middlewares.
- Cookie options are not saved in the ctx.session object or session store (try to address this concern).
Minimum updates on cookie and session store. Cookie and session store only get updated when session data has been changed.
- When ctx.session gets updated (is a non-empty object), cookie and store data will be updated with new values and new expiration time (maxAge).
- When ctx.session gets cleared ( = {} or null ), cookie and store data will be deleted.
- If a session has not been updated within maxAge, its data will be expired.
Minimum public interfaces and configuration options.
- Cookie options: maxAge, path, domain, secure, httpOnly
- Session interfaces: session, sessionHandler { regenerateId() }
- Store interfaces: get(), set(), destroy()

Installation

1$ npm install koa-session-minimal

Usage

1const Koa = require('koa')
2const session = require('koa-session-minimal')
3const redisStore = require('koa-redis')
4
5const app = new Koa()
6
7app.use(session({
8  store: redisStore()
9}))
10
11// count middleware, increment when url = /add
12app.use(async (ctx, next) => {
13  ctx.session.count = ctx.session.count || 0
14  if (ctx.path === '/add') ctx.session.count++
15
16  await next()
17
18  ctx.body = ctx.session.count
19})
20
21app.listen(3000)

Interfaces

session data via ctx.session (the same way as koa-generic-session)
session methods via ctx.sessionHandler
- regenerateId(): regenerate session id

Options

key: session cookie name and store key prefix
store: session store
cookie: cookie options, can be an object (static cookie options) or a function that returns an object (dynamic cookie options). Only maxAge, path, domain, secure, httpOnly are supported as option keys (see option details in cookies module).

Session expiration

Default session has settings cookie.maxAge = 0 for cookie and ttl = ONE_DAY for session store, means that a session will be expired in one of the following circumstances:

A user close the browser window (transient cookie ends)
Session data hasn't been updated within ONE_DAY (storage expires)

With settings that cookie.maxAge > 0, the ttl for store data will be always the same as maxAge.

Dynamic session expiration (cookie options)

When setting cookie option to a plain object, all sessions will use the same cookie options. If a function is assigned to cookie, cookie options will be dynamically calculated at each (non-empty) session's saving stage. For example, you can use an arrow function to set different maxAge for user and guest sessions, as below:

1session({
2  cookie: ctx => ({
3    maxAge: ctx.session.user ? ONE_MONTH : 0
4  })
5})

Session security

Middlewares are recommended to call sessionHandler.regenerateId() during authentication state change (login). This middleware provides the essential interface, It will be other middleware's decision on when and how often they want to roll the session id.

NOTE: Below is mostly copied from koa-generic-session's README, because the two middlewares share the same store interfaces. Any store that implements koa-generic-session's store interfaces should also work with koa-session-minimal. koa-redis is tested as an example in test/store_redis.test.js

Session store

You can use any other store to replace the default MemoryStore, it just needs to follow this api:

get(sid): get session object by sid
set(sid, sess, ttl): set session object for sid, with a ttl (in ms)
destroy(sid): destroy session for sid

the api needs to return a Promise, Thunk, generator, or an async function.

Stores presented

koa-redis to store your session data with redis.
koa-mysql-session to store your session data with MySQL.
koa-generic-session-mongo to store your session data with MongoDB.
koa-pg-session to store your session data with PostgreSQL.
koa-generic-session-rethinkdb to store your session data with ReThinkDB.
koa-sqlite3-session to store your session data with SQLite3.
koa-generic-session-sequelize to store your session data with the Sequelize ORM.

License

MIT

No vulnerabilities found.

10

Binary-Artifacts

Determines if the project has generated executable (binary) artifacts in the source repository.

10

License

Determines if the project has defined a license.

4

Vulnerabilities

Determines if the project has open, known unfixed vulnerabilities.

0

Code-Review

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0

Maintained

Determines if the project is "actively maintained".

0

SAST

Determines if the project uses static code analysis.

0

CII-Best-Practices

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0

Security-Policy

Determines if the project has published a security policy.

0

Fuzzing

Determines if the project uses fuzzing.

0

Branch-Protection

Determines if the default and release branches are protected with GitHub's branch protection settings.

Score

2.3

/10

Last Scanned on 2024-11-18

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

Learn More

Other packages similar to koa-session-minimal

@types/koa-session-minimal

3.0.11

TypeScript definitions for koa-session-minimal

koa-session

6.4.0

Koa cookie session middleware with external store support

koa-passport

6.0.0

Passport middleware for Koa

koa-generic-session

2.3.1

koa generic session store by memory, redis or others