feat: create session middleware

.env.example

@@ -37,7 +37,7 @@ CACHE_STORE=memory
 ### To avoid collisions, you may prefix every cache key.
 CACHE_KEY_PREFIX=
 
-### Whether (true) or not (false) to compress data before caching 
+### Whether (true) or not (false) to compress data before caching
 CACHE_COMPRESS_DATA=false
 
 ### Either set the Redis URL or set the individual Redis connection options.
@@ -58,9 +58,18 @@ SESSION_COOKIE_PATH="/"
 SESSION_EXPIRY=0
 SESSION_SECRET="secret string"
 
+## whether to serve secure cookies (i.e., only transmit cookie over https)
+## 0, "0", false, "false", and "" all evaluate to boolean false.
+## Every other value evaluates to true
+SESSION_SECURE=false
+
 ## Possible values: strict, lax, none, empty string
 SESSION_SAME_SITE=none
 
+## Session store driver
+## Currently supported drivers include "memory" and "redis".
+SESSION_STORE_DRIVER=memory
+
 ## Remote logging (LogTail)
 LOGTAIL_SOURCE_TOKEN=
 

src/config/session.js

@@ -1,10 +1,13 @@
 const env = require("../dotenv");
+const is = require("../framework/lib/is");
 
 module.exports = {
-  name         : env.SESSION_NAME,
-  cookieDomain : env.SESSION_COOKIE_DOMAIN,
-  cookiePath   : env.SESSION_COOKIE_PATH,
-  expiry       : 1000 * 60 * Number(env.SESSION_EXPIRY),
-  secret       : env.SESSION_SECRET,
-  sameSite     : env.SESSION_SAME_SITE,
+  name          : env.SESSION_NAME,
+  cookieDomain  : env.SESSION_COOKIE_DOMAIN,
+  cookiePath    : env.SESSION_COOKIE_PATH,
+  expiry        : 1000 * 60 * (Number(env.SESSION_EXPIRY) || 15),
+  secret        : env.SESSION_SECRET,
+  secure        : is.falsy(env.SESSION_SECURE?.toLowerCase()) ? false : true,
+  sameSite      : env.SESSION_SAME_SITE,
+  storageDriver : (env.SESSION_STORE_DRIVER || "memory").toLowerCase(),
 };

src/middleware/session.js

@@ -0,0 +1,66 @@
+const session         = require("express-session");
+const { v4: uuidv4 }  = require("uuid");
+
+
+module.exports = function sessionMiddleware(config, store) {
+  const sessConfig = config.get("session");
+  const sessionConfig = {
+    name: sessConfig.name,
+
+    /*
+     * secret is needed to sign the cookie
+     */
+    secret: sessConfig.secret,
+
+    /*
+     * generate a session ID.
+     */
+    genid: () => uuidv4(),
+    resave: false,
+
+    /*
+     * true initializes a session for every user,
+     * false initializes a session for only authenticated users
+     */
+    saveUninitialized: false,
+
+    /*
+     * Force session identifier cookie (max-age) to be (re-)set on every response
+     */
+    rolling: true,
+
+    /*
+     * Specify session cookie configuration
+     */
+    cookie: {
+      domain: sessConfig.cookieDomain,
+
+      /*
+       * prevent client side JS from reading the cookie
+       */
+      httpOnly: true,
+
+      /*
+       * session max age in miliseconds
+       */
+      maxAge: sessConfig.expiry,
+
+      /*
+       * The path for which the session cookie is valid
+       */
+      path: sessConfig.cookiePath,
+
+      /*
+       * possible values: 'none', 'strict', 'lax'
+       */
+      sameSite: sessConfig.sameSite,
+
+      /*
+       * if true, serve secure cookies (i.e., only transmit cookie over https)
+       */
+      secure: sessConfig.secure,
+    }
+  };
+
+  return session({ ...sessionConfig, store });
+};