feat: Add rolling optional setting (#36)

Author: interpretor

README.md

@@ -224,7 +224,9 @@ Here's what the full _default_ module configuration looks like:
     // The request-domain is strictly used for the cookie, no sub-domains allowed
     domain: null,
     // Sessions aren't pinned to the user's IP address
-    ipPinning: false
+    ipPinning: false,
+    // Expiration of the sessions are not reset to the original expiryInSeconds on every request
+    rolling: false
   },
   api: {
     // The API is enabled

src/module.ts

@@ -25,7 +25,8 @@ const defaults: FilledModuleOptions = {
       options: {}
     },
     domain: null,
-    ipPinning: false as boolean|SessionIpPinningOptions
+    ipPinning: false as boolean|SessionIpPinningOptions,
+    rolling: false
   },
   api: {
     isEnabled: true,

src/runtime/server/middleware/session/index.ts

@@ -8,18 +8,25 @@ import { SessionExpired } from './exceptions'
 import { useRuntimeConfig } from '#imports'
 
 const SESSION_COOKIE_NAME = 'sessionId'
-const safeSetCookie = (event: H3Event, name: string, value: string) => setCookie(event, name, value, {
-  // Max age of cookie in seconds
-  maxAge: useRuntimeConfig().session.session.expiryInSeconds,
-  // Wether to send cookie via HTTPs to mitigate man-in-the-middle attacks
-  secure: useRuntimeConfig().session.session.cookieSecure,
-  // Wether to send cookie via HTTP requests and not allowing access of cookie from JS to mitigate XSS attacks
-  httpOnly: useRuntimeConfig().session.session.cookieHttpOnly,
-  // Do not send cookies on many cross-site requests to mitigates CSRF and cross-site attacks, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#lax
-  sameSite: useRuntimeConfig().session.session.cookieSameSite as SameSiteOptions,
-  // Set cookie for subdomain
-  domain: useRuntimeConfig().session.session.domain
-})
+const safeSetCookie = (event: H3Event, name: string, value: string, createdAt: Date) => {
+  const sessionOptions = useRuntimeConfig().session.session as SessionOptions
+  const expirationDate = sessionOptions.expiryInSeconds
+    ? new Date(createdAt.getTime() + sessionOptions.expiryInSeconds * 1000)
+    : undefined
+
+  setCookie(event, name, value, {
+    // Set cookie expiration date to now + expiryInSeconds
+    expires: expirationDate,
+    // Wether to send cookie via HTTPs to mitigate man-in-the-middle attacks
+    secure: sessionOptions.cookieSecure,
+    // Wether to send cookie via HTTP requests and not allowing access of cookie from JS to mitigate XSS attacks
+    httpOnly: sessionOptions.cookieHttpOnly,
+    // Do not send cookies on many cross-site requests to mitigates CSRF and cross-site attacks, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#lax
+    sameSite: sessionOptions.cookieSameSite as SameSiteOptions,
+    // Set cookie for subdomain
+    domain: sessionOptions.domain || undefined
+  })
+}
 
 const checkSessionExpirationTime = (session: Session, sessionExpiryInSeconds: number) => {
   const now = dayjs()
@@ -60,16 +67,17 @@ export const deleteSession = async (event: H3Event) => {
 
 const newSession = async (event: H3Event) => {
   const runtimeConfig = useRuntimeConfig()
-  const sessionOptions = runtimeConfig.session.session
+  const sessionOptions = runtimeConfig.session.session as SessionOptions
+  const now = new Date()
 
   // (Re-)Set cookie
   const sessionId = nanoid(sessionOptions.idLength)
-  safeSetCookie(event, SESSION_COOKIE_NAME, sessionId)
+  safeSetCookie(event, SESSION_COOKIE_NAME, sessionId, now)
 
   // Store session data in storage
   const session: Session = {
     id: sessionId,
-    createdAt: new Date(),
+    createdAt: now,
     ip: sessionOptions.ipPinning ? await getHashedIpAddress(event) : undefined
   }
   await setStorageSession(sessionId, session)
@@ -113,14 +121,24 @@ const getSession = async (event: H3Event): Promise<null | Session> => {
   return session
 }
 
+const updateSessionExpirationDate = (session: Session, event: H3Event) => {
+  const now = new Date()
+  safeSetCookie(event, SESSION_COOKIE_NAME, session.id, now)
+  return { ...session, createdAt: now }
+}
+
 function isSession (shape: unknown): shape is Session {
   return typeof shape === 'object' && !!shape && 'id' in shape && 'createdAt' in shape
 }
 
 const ensureSession = async (event: H3Event) => {
+  const sessionOptions = useRuntimeConfig().session.session as SessionOptions
+
   let session = await getSession(event)
   if (!session) {
     session = await newSession(event)
+  } else if (sessionOptions.rolling) {
+    session = updateSessionExpirationDate(session, event)
   }
 
   event.context.sessionId = session.id

src/types.ts

@@ -98,6 +98,13 @@ export interface SessionOptions {
    * @type {SessionIpPinningOptions|boolean}
    */
   ipPinning: SessionIpPinningOptions|boolean,
+  /**
+   * Force the session identifier cookie to be set on every response. The expiration is reset to the original expiryInSeconds, resetting the expiration countdown.
+   * @default false
+   * @example true
+   * @type boolean
+   */
+  rolling: boolean
 }
 
 export interface ApiOptions {