feat(core): implement experimental stateful session strategy"#228
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub. |
📝 WalkthroughWalkthroughAdds a database-backed stateful session strategy with hashed tokens, cookie and adapter lifecycle operations, strategy-specific JWT handling, new public types and diagnostics, and comprehensive endpoint tests. ChangesStateful session strategy
Estimated code review effort: 4 (Complex) | ~45 minutes Sequence Diagram(s)sequenceDiagram
participant Client
participant StatefulStrategy
participant CookieStore
participant SessionAdapter
Client->>StatefulStrategy: session request
StatefulStrategy->>CookieStore: read session token
StatefulStrategy->>SessionAdapter: load or persist session
SessionAdapter-->>StatefulStrategy: session and user data
StatefulStrategy-->>Client: session response and cookie headers
Possibly related PRs
Suggested labels: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 9
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@packages/core/src/router/context.ts`:
- Line 64: Make jwtManager conditional in the router context construction so
database sessions do not call createJoseManager at all; only initialize it for
stateless sessions. Update the context contract and any consumers to represent
the manager as absent when using database sessions, while preserving JWT
operations for stateless sessions.
In `@packages/core/src/session/stateful.ts`:
- Line 114: Update the user object construction in the session state flow and
the corresponding sessionByToken.user construction so session.user and
session.user.attributes are spread first, then the authenticated user ID is
assigned last as the authoritative sub value.
- Around line 509-526: Update the session destruction flow around the catch
block and cookieConfig.clear() so cookie clearing always occurs even when
database revocation fails. Preserve the existing error logging and ensure
revocation remains best-effort while destruction returns cleared headers; do not
rethrow before the cleanup completes.
- Around line 461-488: Update destroySession to enforce the existing CSRF
validation before calling config.adapter.revokeSession, honoring the
_skipCSRFCheck flag consistently with refreshSession. Preserve session-token
extraction and lookup, but prevent revocation when the CSRF check fails unless
explicitly skipped.
- Around line 321-338: Update the session validation in the refresh flow around
sessionByToken before the expiration check to reject sessions whose status is
inactive or revoked, returning the same cleared-cookie unauthenticated result
used for missing users. Ensure only active sessions proceed to expiration
renewal and authenticated return handling.
In `@packages/core/src/shared/assert.ts`:
- Around line 127-128: Update getJWTMode to return undefined for
stateful/database configurations instead of "sealed", while preserving the
existing sealed default for stateless configurations without an explicit JWT
mode. Adjust the JWTMode return type and any dependent mode guards or type
predicates so database configs are not classified as sealed and no longer imply
config.jwt exists.
In `@packages/core/test/session/stateful.test.ts`:
- Around line 513-541: The destroySession test should verify cookie expiration
in addition to session revocation. In the test using authInstance and the POST
sign-out response, inspect the Set-Cookie header and assert that
__Secure-aura-auth.session_token is expired, while preserving the existing
status, response, and mock assertions.
- Around line 155-173: Update the mock in the “should return null session on
adapter error” test to reject with the database error instead of resolving an
Error object. Keep the existing GET request, response assertions, and mock
invocation verification unchanged so the test exercises the adapter-error path.
- Around line 483-510: Strengthen the revokeSession test in the “should revoke
session by ID using createAuth” case by asserting the exact arguments passed to
revokeSessionMock, including the expected session identifier and revocation
reason. Keep the existing response assertions and ensure the test fails when a
different session or reason is used.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3ea4443d-8ef4-483d-bd05-9356a9c3efc7
📒 Files selected for processing (11)
packages/core/src/@types/entities.tspackages/core/src/@types/index.tspackages/core/src/@types/session.tspackages/core/src/jose.tspackages/core/src/router/context.tspackages/core/src/session/stateful.tspackages/core/src/session/strategy.tspackages/core/src/shared/assert.tspackages/core/src/shared/errors.tspackages/core/src/shared/logger.tspackages/core/test/session/stateful.test.ts
Description
This pull request introduces the experimental Stateful session strategy for
@aura-stack/auth, adding support for database-backed session management alongside the existing stateless strategy.With this change, Aura Auth now supports two session strategies:
The new Stateful strategy provides the foundation for applications that require centralized session storage, server-side session revocation, multi-device session management, and other database-driven authentication features.
Usage
Note
This PR introduces the initial implementation of the Stateful session strategy. While the core functionality is available, additional features and improvements will be introduced in subsequent pull requests.
Note
Database adapters are still under development and will be introduced in future PRs. This PR focuses on integrating the Stateful strategy into the authentication core and establishing the foundation for adapter implementations.