iron-session - 8.0.1 Latest Release

Published by vvo 11 months ago

We've updated the types and examples for destroy from session.destroy() => Promise<void> to session.destroy() => void. Destroy is not asynchronous, it only removes the session cookie.

iron-session - 8.0.0

Published by vvo 11 months ago

The v8 of iron-session focuses on reducing its API surface and bringing compatibility with the Next.js App Router.

As long as you make the required code changes, this upgrade will not disconnect your customers once deployed.

Instead of multiple opinionated wrappers (withIronSess..) There's now a single method to get sessions: getIronSession().
Use it like this:

import { getIronSession } from "iron-session";

const session = getIronSession(req, res, { password: "...", cookieName: "..." });

// or, in App Router:
const session = getIronSession(cookies(), { password: "...", cookieName: "..." });

Read more in the README: https://github.com/vvo/iron-session#usage.
Have a look at our new examples:

New features:

App Router compatibility
updateConfig method to change a session configuration for the next save() or destroy()
Single entry point, no more /next, /edge, ..

BREAKING CHANGES:

We've removed support for Node.js < 18
We've removed withIronSessionApiRoute, withIronSessionSsr, ironSession
added support

Gigantic thanks to:

@brc-dd for creating https://github.com/brc-dd/iron-webcrypto, doing most of the work of the b8 branch and being of great help while designing the API!
@renchris for making the adapter to support server components, server actions and route handlers.

DALL·E 2023-11-20 08 43 30 - A black and white banner with a background resembling a millimetric paper sheet, similar to a blueprint The word v8 is prominently written in the c

iron-session - The Big TypeScript Rewrite

Published by vvo almost 3 years ago

This is a BREAKING CHANGE (Major) release.

I did a full rewrite of the library in TypeScript, both as an exercise for me and to provide better types by default for consumers of the library. Since it was a full rewrite I took the opportunity to solve most of the issues from the GitHub repository along with feature requests.

Hope you like it. You'll find a migration guide in these changes.

Changes:

The library was renamed to iron-session (since it works on all Node.js HTTP frameworks)
TypeScript: We have better types and you can now easily type check your session data (see usage in README). Fixes #369. Fixes #368.
You can access and set session data directly on req.session.* instead of having to call .get()/.set()/.unset()
get/set/unset methods were removed
The library exposes different wrappers for Next.js API Routes, Next.js getServerSideProps, and Express.js middleware (see migration guide)
List of passwords (rotation) must now be passed as objects like {1: 'password1', 2: 'password2'}
When upgrading previous sessions will be kept which means that you can safely upgrade and your users will not lose their data or be logged out
We now expose sealData/unsealData methods to create magic links and impersonation flows. iron-store is no more used.
We have updated the examples (Next.js, Next.js with TypeScript and Express.js) to use the new API
The library is now published as an ES module along with CommonJS
We now warn on bad usage (http + secure or save called after the response was sent). Fixes #8
We now automatically set the cookie to secure or not secure based on the protocol.
You can now have "session cookies" by passing {cookiesOptions: {maxAge: undefined}}. Fixes #340
We handle the case where the cookie has been tampered with (we generate a new one). Fixes #380

Migration guide:

1. Uninstall next-iron-session and install iron-session:

npm remove next-iron-session
npm add iron-session

2. Change import paths in your code:

Before:

import { withIronSession } from "next-iron-session";

After:

import { withIronSessionApiRoute, withIronSessionSsr } from "iron-session/next";
import { ironSession } from "iron-session/express";

3. Change your code to use the new API:

Before:

req.session.set("user", { name: "John" });
const user = req.session.get("user");
req.session.unset("user");

After:

req.session.user = { name: "John" };
const user = req.session.user; // or use req.session.user directly
delete req.session.user;

4. (Optional) Remove secure flag from your options

The cookie secure flag is now automatically set based on http/https unless you want to change it.

Before:

withIronSession(handler, {
  password: "complex_password_at_least_32_characters_long",
  cookieName: "myapp_cookiename",
  // if your localhost is served on http:// then disable the secure flag
  cookieOptions: {
    secure: process.env.NODE_ENV === "production",
  },
});

After:

withIronSessionApiRoute(handler, {
  password: "complex_password_at_least_32_characters_long",
  cookieName: "myapp_cookiename",
});

5. (Optional) Change the format of your password

If you were passing down a list of passwords (for password rotations) then you need to update it to:

Before:

withIronSession(handler, {
  password: [
    {
      id: 2,
      password: "complex_password_at_least_32_characters_long",
    },
    {
      id: 1,
      password: "complex_password_at_least_32_characters_long",
    },
  ],
});

After:

withIronSessionApiRoute(handler, {
  password: {
    2: "another_password_at_least_32_characters_long",
    1: "complex_password_at_least_32_characters_long",
  },
});

6. (Optional) Replace iron-store usage with sealData/unsealData

If you were using iron-store to create seals for magic links or impersonation flows then you can replace it with sealData/unsealData.

Because we no more needed get/set/unset methods. We completely ditched the iron-store library that was initially built for next-iron-session needs.

Before:

const store = await ironStore({
  password: "complex_password_at_least_32_characters_long",
  ttl: 14 * 24 * 60 * 60 * 1000
});

store.set("user", { name: "John" });
const seal = await store.seal();

// later on, in a different file:
const store = await ironStore({
  seal: req.query.seal,
  password: "complex_password_at_least_32_characters_long",
  ttl: 14 * 24 * 60 * 60 * 1000
});

const user = store.get("user);

After:

import { sealData } from "iron-session";
const store = {
  user: { name: "John" },
};

const seal = await sealData(store, {
  password: "complex_password_at_least_32_characters_long",
  // ttl is always 14 days by default
});

// later on, in a different file:
import { unsealData } from "iron-session";
const store = await unseatData(req.query.seal, {
  password: "complex_password_at_least_32_characters_long",
});
const user = store.user;

5. (Optional) Check the best way to use TypeScript with the library

Have a look at the README to know how to do that, here: https://github.com/vvo/iron-session#session-wrappers

Enjoy!

iron-session - v4.2.0

Published by vvo over 3 years ago

4.2.0 (2021-06-08)

Features

TypeScript: Add session to handler req + example (#356) (3f506f7)

iron-session - v4.1.14

Published by vvo over 3 years ago

4.1.14 (2021-06-05)

Bug Fixes

typescript: @types is automatically added (#347) (ebf2424)

iron-session - v4.1.13

Published by vvo over 3 years ago

4.1.13 (2021-04-19)

Bug Fixes

types: reference jshttp/cookie types (4762fc6), closes #330

iron-session - v4.1.12

Published by vvo over 3 years ago

4.1.12 (2021-02-22)

Bug Fixes

TypeScript: correct typing on Session (#313) (d8d96bc)

iron-session - v4.1.11

Published by vvo over 3 years ago

4.1.11 (2021-02-10)

Bug Fixes

TypeScript: document maxAge option (c354a66), closes #277

iron-session - v4.1.10

Published by vvo almost 4 years ago

4.1.10 (2020-11-05)

Bug Fixes

10: fix nodejs 10 (a2b3b27)
compat: allow Node.js 10 compatibility (52720ef)
node10: really fix nodejs 10 (b26fd3e)

iron-session - v4.1.9

Published by vvo about 4 years ago

4.1.9 (2020-10-01)

Bug Fixes

destroy: handle previously set cookies (1522c6f), closes #229

iron-session - v4.1.8

Published by vvo about 4 years ago