fix: make session clearing resilient #1010
Conversation
There was a problem hiding this comment.
Just out of curiosity: I imagine this will have a cost on memory 🤔
// Initialize a new empty session object
event.context.sessions![sessionName] = {
id: generateId(config),
createdAt: Date.now(),
data: new EmptyObject(),
} satisfies Session;PS: I messed up the comment 🙄
This is a very small object that is already instantiated on the As I looked at the code, though, I did realize that it deletes a property (something that normally should be avoided) and then redeclares the same property for the new session object. As such, the 370ce91 commit essentially combines the calls to make it a clobber operation. Ultimately, I expect it will have 0% impact on the final runtime performance, but it looks a little bit cleaner this way 😝. |
|
@pi0, this PR is ready for review and possibly merge. |
|
Thanks for the well-written explanations. For session rotation, I believe we might need a new util or at least flag on clear, normal The refactors of this PR look nice addition, btw. Can you please convert this PR to a refactor only and then a subsequent to draft idea for explicit rotation? |
|
@pi0, updates to remove documentation about session rotation have been applied. I agree with your point about |
| } | ||
|
|
||
| // Clobber the original session with a new session | ||
| event.context.sessions![sessionName] = { |
There was a problem hiding this comment.
This should be reverted to allow this PR move forward as a refactor step.
There was a problem hiding this comment.
I'm a bit confused @pi0. This line is the main point of this PR. If you want to isolate changes I'd be more apt to revert the refactor changes on this PR and apply them on a separate PR intended for refactor changes. Thoughts?
There was a problem hiding this comment.
We can do this as part of #1022 for session rotate. clear purpose is to destroy session fully not to create a new one.
Alternatively we can set a _destroyed flag to previous object to indicate it is invalid.
There was a problem hiding this comment.
@pi0, I'm in complete agreement on that point, but the implementation at the code level is not 1:1 with the user experience. When the user calls clear() they want the session cleared, and then if they call update() they would expect that this creates a new session (or at least that's what I would assume). Because the update() call is eagerly restoring the session from the request, calling update() returns a mutation of the same session that was previously cleared.
TLDR; If a new session is not set on the context.sessions[sessionName] when clear() is called, then the session isn't actually cleared, it's just temporarily reset (and will be restored on next access call).
pi0
force-pushed
the
main
branch
2 times, most recently
from
348028f to
a449d79
Compare
This PR addresses an issue in the session manager utility which results in an already cleared session returning when
useSession,session.update,getSession,updateSession, orsealSessionare used after callingsession.clearorclearSession.This ensures that after clearing the session, a new blank session is initialized on the event context so that subsequent session mutation calls cause updates on the newly initialized session, rather than restoring the original session from the event context.
There are still edge-cases where the session can be restored, but they require subverting the use of the provided methods and session manager. This fix largely relies on the understanding that the
event.context.sessionsobject is the source of truth for expected session state, but in the absence of a valid session in the context, the original session will still be reconstructed.The documentation for the session management has also been updated to add a section on session rotation, which should lend in resolving issues with the downstream
nuxt-auth-utilsissues.Closes #1004