refactor(http): improve session handling (#1293)

innocenzi · web-flow · commit f4da1bd9b01f · 2025-06-23T09:14:14.000+02:00
diff --git a/packages/core/src/AppConfig.php b/packages/core/src/AppConfig.php
@@ -13,6 +13,8 @@ final class AppConfig
     public string $baseUri;
 
     public function __construct(
+        public ?string $name = null,
+
         ?Environment $environment = null,
 
         ?string $baseUri = null,
@@ -26,7 +28,6 @@ public function __construct(
         public array $insightsProviders = [],
     ) {
         $this->environment = $environment ?? Environment::fromEnv();
-
         $this->baseUri = $baseUri ?? env('BASE_URI') ?? '';
     }
 }
diff --git a/packages/core/src/Config/app.config.php b/packages/core/src/Config/app.config.php
@@ -4,4 +4,9 @@
 
 use Tempest\Core\AppConfig;
 
-return new AppConfig();
+use function Tempest\env;
+
+return new AppConfig(
+    name: env('APPLICATION_NAME'),
+    baseUri: env('BASE_URI'),
+);
diff --git a/packages/http/src/Cookie/CookieManager.php b/packages/http/src/Cookie/CookieManager.php
@@ -29,7 +29,12 @@ public function get(string $key): ?Cookie
 
     public function set(string $key, string $value, DateTimeInterface|int|null $expiresAt = null): Cookie
     {
-        $cookie = $this->get($key) ?? new Cookie(key: $key);
+        $cookie = $this->get($key) ?? new Cookie(
+            key: $key,
+            secure: true,
+            httpOnly: true,
+            sameSite: SameSite::LAX,
+        );
 
         $cookie->value = $value;
         $cookie->expiresAt = $expiresAt ?? $cookie->expiresAt;
diff --git a/packages/http/src/Cookie/SameSite.php b/packages/http/src/Cookie/SameSite.php
@@ -4,9 +4,25 @@
 
 namespace Tempest\Http\Cookie;
 
+/**
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value
+ */
 enum SameSite: string
 {
+    /**
+     * Send the cookie only for requests originating from the same site that set the cookie.
+     */
     case STRICT = 'Strict';
+
+    /**
+     * Send the cookie for requests originating from the same site that set the cookie, and for cross-site requests that meet both of the following criteria:
+     * - The request is a top-level navigation: this essentially means that the request causes the URL shown in the browser's address bar to change.
+     * - The request uses a safe method: in particular, this excludes `POST`, `PUT`, and `DELETE`.
+     */
     case LAX = 'Lax';
+
+    /**
+     * Send the cookie with both cross-site and same-site requests. The `Secure` attribute must also be set when using this value.
+     */
     case NONE = 'None';
 }
diff --git a/packages/http/src/Session/CleanupSessionsCommand.php b/packages/http/src/Session/CleanupSessionsCommand.php
@@ -8,6 +8,7 @@
 use Tempest\Console\ConsoleCommand;
 use Tempest\Console\Schedule;
 use Tempest\Console\Scheduler\Every;
+use Tempest\EventBus\EventBus;
 
 use function Tempest\listen;
 
diff --git a/packages/http/src/Session/Config/FileSessionConfig.php b/packages/http/src/Session/Config/FileSessionConfig.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace Tempest\Http\Session\Config;
+
+use Tempest\Container\Container;
+use Tempest\DateTime\Duration;
+use Tempest\Http\Session\Managers\FileSessionManager;
+use Tempest\Http\Session\Resolvers\CookieSessionIdResolver;
+use Tempest\Http\Session\SessionConfig;
+
+final class FileSessionConfig implements SessionConfig
+{
+    public function __construct(
+        /**
+         * Path to the sessions storage directory, relative to the internal storage.
+         */
+        public string $path,
+
+        public Duration $expiration,
+
+        public string $sessionIdResolver = CookieSessionIdResolver::class,
+    ) {}
+
+    public function createManager(Container $container): FileSessionManager
+    {
+        return $container->get(FileSessionManager::class);
+    }
+}
diff --git a/packages/http/src/Session/Config/session.config.php b/packages/http/src/Session/Config/session.config.php
@@ -0,0 +1,9 @@
+<?php
+
+use Tempest\DateTime\Duration;
+use Tempest\Http\Session\Config\FileSessionConfig;
+
+return new FileSessionConfig(
+    path: 'sessions',
+    expiration: Duration::hours(2),
+);
diff --git a/packages/http/src/Session/Managers/FileSessionManager.php b/packages/http/src/Session/Managers/FileSessionManager.php
@@ -62,7 +62,7 @@ public function isValid(SessionId $id): bool
         }
 
         return $this->clock->now()->before(
-            other: $session->createdAt->plusSeconds($this->sessionConfig->expirationInSeconds),
+            other: $session->createdAt->plus($this->sessionConfig->expiration),
         );
     }
 
diff --git a/packages/http/src/Session/Resolvers/CookieSessionIdResolver.php b/packages/http/src/Session/Resolvers/CookieSessionIdResolver.php
@@ -6,32 +6,46 @@
 
 use Symfony\Component\Uid\Uuid;
 use Tempest\Clock\Clock;
+use Tempest\Core\AppConfig;
+use Tempest\Http\Cookie\Cookie;
 use Tempest\Http\Cookie\CookieManager;
-use Tempest\Http\Session\Session;
+use Tempest\Http\Cookie\SameSite;
 use Tempest\Http\Session\SessionConfig;
 use Tempest\Http\Session\SessionId;
 use Tempest\Http\Session\SessionIdResolver;
 
+use function Tempest\Support\str;
+
 final readonly class CookieSessionIdResolver implements SessionIdResolver
 {
     public function __construct(
+        private AppConfig $appConfig,
         private CookieManager $cookies,
         private SessionConfig $sessionConfig,
         private Clock $clock,
     ) {}
 
     public function resolve(): SessionId
     {
-        $id = $this->cookies->get(Session::ID)->value ?? null;
+        $sessionKey = str($this->appConfig->name ?? 'tempest')
+            ->snake()
+            ->append('_session_id')
+            ->toString();
+
+        $id = $this->cookies->get($sessionKey)->value ?? null;
 
         if (! $id) {
             $id = (string) Uuid::v4();
 
-            $this->cookies->set(
-                key: Session::ID,
+            $this->cookies->add(new Cookie(
+                key: $sessionKey,
                 value: $id,
-                expiresAt: $this->clock->now()->plusSeconds($this->sessionConfig->expirationInSeconds),
-            );
+                path: '/',
+                secure: true,
+                httpOnly: true,
+                expiresAt: $this->clock->now()->plus($this->sessionConfig->expiration),
+                sameSite: SameSite::LAX,
+            ));
         }
 
         return new SessionId($id);
diff --git a/packages/http/src/Session/Resolvers/HeaderSessionIdResolver.php b/packages/http/src/Session/Resolvers/HeaderSessionIdResolver.php
@@ -5,21 +5,27 @@
 namespace Tempest\Http\Session\Resolvers;
 
 use Symfony\Component\Uid\Uuid;
+use Tempest\Core\AppConfig;
 use Tempest\Http\Request;
-use Tempest\Http\Session\Session;
 use Tempest\Http\Session\SessionId;
 use Tempest\Http\Session\SessionIdResolver;
 
 final readonly class HeaderSessionIdResolver implements SessionIdResolver
 {
     public function __construct(
+        private AppConfig $appConfig,
         private Request $request,
     ) {}
 
     public function resolve(): SessionId
     {
-        $id = $this->request->headers[Session::ID] ?? null;
+        $sessionKey = str($this->appConfig->name ?? 'tempest')
+            ->snake()
+            ->append('_session_id')
+            ->toString();
 
-        return new SessionId($id ?? ((string) Uuid::v4()));
+        return new SessionId(
+            id: $this->request->headers[$sessionKey] ?? Uuid::v4()->toString(),
+        );
     }
 }
diff --git a/packages/http/src/Session/Session.php b/packages/http/src/Session/Session.php
@@ -10,8 +10,6 @@
 
 final class Session
 {
-    public const string ID = 'tempest_session_id';
-
     public const string VALIDATION_ERRORS = 'validation_errors';
 
     public const string ORIGINAL_VALUES = 'original_values';
diff --git a/packages/http/src/Session/SessionConfig.php b/packages/http/src/Session/SessionConfig.php
@@ -1,35 +1,28 @@
 <?php
 
-declare(strict_types=1);
-
 namespace Tempest\Http\Session;
 
-use Tempest\Http\Session\Managers\FileSessionManager;
-use Tempest\Http\Session\Resolvers\CookieSessionIdResolver;
+use Tempest\Container\Container;
+use Tempest\DateTime\Duration;
+use Tempest\Http\Session\SessionIdResolver;
 
-final class SessionConfig
+interface SessionConfig
 {
-    public function __construct(
-        /**
-         * Path to the sessions storage directory, relative to the internal storage.
-         */
-        public string $path = 'sessions',
-
-        /**
-         * Time required for a session to expire. Defaults to one month.
-         */
-        public int $expirationInSeconds = 60 * 60 * 24 * 30,
+    /**
+     * Time required for a session to expire. Defaults to 2 hours.
+     */
+    public Duration $expiration {
+        get;
+    }
 
-        /**
-         * @template SessionManager of \Tempest\Http\Session\SessionManager
-         * @var class-string<SessionManager>
-         */
-        public string $managerClass = FileSessionManager::class,
+    /**
+     * Class responsible for resolving the session identifier.
+     *
+     * @var class-string<SessionIdResolver>
+     */
+    public string $sessionIdResolver {
+        get;
+    }
 
-        /**
-         * @template SessionIdResolver of \Tempest\Http\Session\SessionIdResolver
-         * @var class-string<SessionIdResolver>
-         */
-        public string $idResolverClass = CookieSessionIdResolver::class,
-    ) {}
+    public function createManager(Container $container): SessionManager;
 }
diff --git a/packages/http/src/Session/SessionIdResolverInitializer.php b/packages/http/src/Session/SessionIdResolverInitializer.php
@@ -6,13 +6,14 @@
 
 use Tempest\Container\Container;
 use Tempest\Container\Initializer;
+use Tempest\Http\Session\SessionConfig;
 
 final readonly class SessionIdResolverInitializer implements Initializer
 {
     public function initialize(Container $container): SessionIdResolver
     {
         $config = $container->get(SessionConfig::class);
 
-        return $container->get($config->idResolverClass);
+        return $container->get($config->sessionIdResolver);
     }
 }
diff --git a/packages/http/src/Session/SessionInitializer.php b/packages/http/src/Session/SessionInitializer.php
@@ -14,7 +14,6 @@
     public function initialize(Container $container): Session
     {
         $sessionManager = $container->get(SessionManager::class);
-
         $sessionIdResolver = $container->get(SessionIdResolver::class);
 
         return $sessionManager->create($sessionIdResolver->resolve());
diff --git a/packages/http/src/Session/SessionManagerInitializer.php b/packages/http/src/Session/SessionManagerInitializer.php
@@ -13,8 +13,8 @@
     #[Singleton]
     public function initialize(Container $container): SessionManager
     {
-        $config = $container->get(SessionConfig::class);
-
-        return $container->get($config->managerClass);
+        return $container
+            ->get(SessionConfig::class)
+            ->createManager($container);
     }
 }
diff --git a/tests/Integration/Auth/AuthorizerTest.php b/tests/Integration/Auth/AuthorizerTest.php
@@ -12,6 +12,8 @@
 use Tempest\Clock\Clock;
 use Tempest\Core\FrameworkKernel;
 use Tempest\Database\Migrations\CreateMigrationsTable;
+use Tempest\DateTime\Duration;
+use Tempest\Http\Session\Config\FileSessionConfig;
 use Tempest\Http\Session\Managers\FileSessionManager;
 use Tempest\Http\Session\SessionConfig;
 use Tempest\Http\Session\SessionManager;
@@ -46,7 +48,7 @@ protected function setUp(): void
 
         $this->container->get(FrameworkKernel::class)->internalStorage = realpath($this->path);
 
-        $this->container->config(new SessionConfig(path: 'sessions'));
+        $this->container->config(new FileSessionConfig(path: 'sessions', expiration: Duration::hours(2)));
         $this->container->singleton(
             SessionManager::class,
             fn () => new FileSessionManager(
diff --git a/tests/Integration/Auth/SessionAuthenticatorTest.php b/tests/Integration/Auth/SessionAuthenticatorTest.php
@@ -14,6 +14,8 @@
 use Tempest\Clock\Clock;
 use Tempest\Core\FrameworkKernel;
 use Tempest\Database\Migrations\CreateMigrationsTable;
+use Tempest\DateTime\Duration;
+use Tempest\Http\Session\Config\FileSessionConfig;
 use Tempest\Http\Session\Managers\FileSessionManager;
 use Tempest\Http\Session\Session;
 use Tempest\Http\Session\SessionConfig;
@@ -38,7 +40,7 @@ protected function setUp(): void
 
         $this->container->get(FrameworkKernel::class)->internalStorage = realpath($this->path);
 
-        $this->container->config(new SessionConfig(path: 'sessions'));
+        $this->container->config(new FileSessionConfig(path: 'sessions', expiration: Duration::hours(2)));
         $this->container->singleton(
             SessionManager::class,
             fn () => new FileSessionManager(
diff --git a/tests/Integration/Http/CleanupSessionsCommandTest.php b/tests/Integration/Http/CleanupSessionsCommandTest.php
@@ -4,6 +4,8 @@
 
 namespace Tests\Tempest\Integration\Http;
 
+use Tempest\DateTime\Duration;
+use Tempest\Http\Session\Config\FileSessionConfig;
 use Tempest\Http\Session\SessionConfig;
 use Tempest\Http\Session\SessionId;
 use Tempest\Http\Session\SessionManager;
@@ -23,9 +25,9 @@ public function test_destroy_sessions(): void
 
         $clock = $this->clock('2024-01-01 00:00:00');
 
-        $this->container->config(new SessionConfig(
+        $this->container->config(new FileSessionConfig(
             path: 'tests/sessions',
-            expirationInSeconds: 10,
+            expiration: Duration::seconds(10),
         ));
 
         $sessionManager = $this->container->get(SessionManager::class);
diff --git a/tests/Integration/Http/CookieManagerTest.php b/tests/Integration/Http/CookieManagerTest.php
@@ -32,7 +32,7 @@ public function test_creating_a_cookie(): void
         $this->http
             ->get('/')
             ->assertOk()
-            ->assertHeaderContains('set-cookie', 'new=value');
+            ->assertHeaderContains('set-cookie', 'new=value; Secure; HttpOnly; SameSite=Lax');
     }
 
     public function test_removing_a_cookie(): void
diff --git a/tests/Integration/Http/CookieSessionIdResolverTest.php b/tests/Integration/Http/CookieSessionIdResolverTest.php
diff --git a/tests/Integration/Http/FileSessionTest.php b/tests/Integration/Http/FileSessionTest.php
diff --git a/tests/Integration/Http/SessionFromCookieTest.php b/tests/Integration/Http/SessionFromCookieTest.php
diff --git a/tests/Integration/Http/SessionFromHeaderTest.php b/tests/Integration/Http/SessionFromHeaderTest.php

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,8 @@ final class AppConfig`
`13`	`13`	`public string $baseUri;`
`14`	`14`
`15`	`15`	`public function __construct(`
	`16`	`+ public ?string $name = null,`
	`17`	`+`
`16`	`18`	`?Environment $environment = null,`
`17`	`19`
`18`	`20`	`?string $baseUri = null,`
`@@ -26,7 +28,6 @@ public function __construct(`
`26`	`28`	`public array $insightsProviders = [],`
`27`	`29`	`) {`
`28`	`30`	`$this->environment = $environment ?? Environment::fromEnv();`
`29`		`-`
`30`	`31`	`$this->baseUri = $baseUri ?? env('BASE_URI') ?? '';`
`31`	`32`	`}`
`32`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ public function isValid(SessionId $id): bool`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`return $this->clock->now()->before(`
`65`		`- other: $session->createdAt->plusSeconds($this->sessionConfig->expirationInSeconds),`
	`65`	`+ other: $session->createdAt->plus($this->sessionConfig->expiration),`
`66`	`66`	`);`
`67`	`67`	`}`
`68`	`68`