Replace secure-session with session

Author: andreaskienle

package-lock.json

@@ -21,6 +21,14 @@
   },
   "dependencies": {
     "@apollo/client": "^3.13.6",
+    "@fastify/autoload": "^6.3.0",
+    "@fastify/cookie": "^11.0.2",
+    "@fastify/env": "^5.0.2",
+    "@fastify/http-proxy": "^11.1.2",
+    "@fastify/sensible": "^6.0.3",
+    "@fastify/session": "^11.1.0",
+    "@fastify/static": "^8.1.1",
+    "@fastify/vite": "^8.1.3",
     "@hookform/resolvers": "^5.0.0",
     "@ui5/webcomponents": "^2.7.2",
     "@ui5/webcomponents-fiori": "^2.7.2",
@@ -30,14 +38,6 @@
     "dotenv": "^16.5.0",
     "fastify": "^5.3.3",
     "fastify-plugin": "^5.0.1",
-    "@fastify/autoload": "^6.3.0",
-    "@fastify/cookie": "^11.0.2",
-    "@fastify/env": "^5.0.2",
-    "@fastify/http-proxy": "^11.1.2",
-    "@fastify/secure-session": "^8.2.0",
-    "@fastify/sensible": "^6.0.3",
-    "@fastify/static": "^8.1.1",
-    "@fastify/vite": "^8.1.3",
     "graphql": "^16.10.0",
     "graphql-config": "^5.1.3",
     "i18next": "^25.0.0",

package.json

@@ -1,6 +1,5 @@
 import fp from "fastify-plugin";
 import httpProxy from "@fastify/http-proxy";
-import { COOKIE_NAME_ONBOARDING } from "./secure-session.js";
 import { AuthenticationError } from "./auth-utils.js";
 
 function proxyPlugin(fastify) {
@@ -35,8 +34,7 @@ function proxyPlugin(fastify) {
       const refreshToken = request.session.get("refreshToken");
       if (!refreshToken) {
         request.log.error("Missing refresh token; deleting session.");
-        request.session.delete();
-        reply.clearCookie(COOKIE_NAME_ONBOARDING, { path: "/" });
+        request.session.destroy();
         return reply.unauthorized("Session expired without token refresh capability.");
       }
 
@@ -50,8 +48,7 @@ function proxyPlugin(fastify) {
         }, issuerConfiguration.tokenEndpoint);
         if (!refreshedTokenData || !refreshedTokenData.accessToken) {
           request.log.error("Token refresh failed (no access token); deleting session.");
-          request.session.delete();
-          reply.clearCookie(COOKIE_NAME_ONBOARDING, { path: "/" });
+          request.session.destroy();
           return reply.unauthorized("Session expired and token refresh failed.");
         }
 

server/plugins/http-proxy.js

@@ -1,18 +1,15 @@
-import secureSession from "@fastify/secure-session";
+import fastifySession from "@fastify/session";
 import fp from "fastify-plugin";
 import fastifyCookie from "@fastify/cookie";
 
 
-export const COOKIE_NAME_ONBOARDING = "onboarding";
-
 async function secureSessionPlugin(fastify) {
   const { COOKIE_SECRET, NODE_ENV } = fastify.config;
 
   await fastify.register(fastifyCookie);
 
-  fastify.register(secureSession, {
-    secret: Buffer.from(COOKIE_SECRET, "hex"),
-    cookieName: COOKIE_NAME_ONBOARDING,
+  fastify.register(fastifySession, {
+    secret: COOKIE_SECRET,
     cookie: {
       path: "/",
       httpOnly: true,

server/plugins/secure-session.js server/plugins/session.jsserver/plugins/secure-session.js renamed to server/plugins/session.js

@@ -1,5 +1,4 @@
 import fp from "fastify-plugin";
-import { COOKIE_NAME_ONBOARDING } from "../plugins/secure-session.js";
 import { AuthenticationError } from "../plugins/auth-utils.js";
 
 
@@ -62,10 +61,9 @@ async function authPlugin(fastify) {
   });
 
 
-  fastify.post("/auth/logout", async (_req, reply) => {
+  fastify.post("/auth/logout", async (req, reply) => {
     // TODO: Idp sign out flow
-    //_req.session.delete();                  // remove payload
-    reply.clearCookie(COOKIE_NAME_ONBOARDING, { path: "/" });
+    req.session.destroy();
     reply.send({ message: "Logged out" });
   });
 }