/** * First-party session primitives for the server module. * * Signed cookie sessions backed by a pluggable store. The session id is stored * in an HMAC-signed cookie (see {@link signValue}); the payload lives in the * store, so the cookie never exposes session data and tampered cookies are * rejected. The default {@link memoryStore} is process-local; bring your own * store (Redis, a database, etc.) by implementing {@link SessionStore} — no * client is bundled. * * @module bquery/server */ import type { ServerCookieOptions, ServerMiddleware } from './types'; /** Arbitrary, JSON-serializable session payload. */ export interface SessionData { [key: string]: unknown; } /** * Pluggable session store. Implementations may be synchronous or async; all * methods are awaited. Provide your own to back sessions with Redis, a database, * or any other system without bundling a client. */ export interface SessionStore { /** Load a session payload by id, or `null` when missing/expired. */ get(id: string): Promise | SessionData | null; /** Persist a session payload, optionally with a time-to-live in milliseconds. */ set(id: string, data: SessionData, ttlMs?: number): Promise | void; /** Remove a session by id. */ destroy(id: string): Promise | void; /** Optionally extend a session's lifetime without rewriting its payload. */ touch?(id: string, ttlMs?: number): Promise | void; } /** Options for {@link memoryStore}. */ export interface MemoryStoreOptions { /** Default time-to-live in milliseconds. Omit for non-expiring entries. */ ttlMs?: number; /** * Maximum number of stored sessions. When exceeded, the oldest entries are * evicted (insertion order). Omit for unbounded growth. */ maxEntries?: number; } /** Options for the {@link session} middleware. */ export interface SessionOptions { /** * Secret(s) used to sign the session-id cookie. Pass an array to rotate * secrets: signing always uses the first, verification accepts any. */ secret: string | readonly string[]; /** Session store. Defaults to a process-local {@link memoryStore}. */ store?: SessionStore; /** Cookie name. Default `'bq.sid'`. */ cookieName?: string; /** * Cookie attributes. Defaults to `{ httpOnly: true, sameSite: 'lax', path: '/' }`. * Set `secure: true` in production (HTTPS). `maxAge` is derived from `ttlMs`. */ cookie?: ServerCookieOptions; /** Session lifetime in milliseconds. Default `86_400_000` (1 day). */ ttlMs?: number; /** Re-issue the cookie and extend the lifetime on every response. Default `false`. */ rolling?: boolean; /** Custom session-id generator. Defaults to {@link randomId}. */ genId?: () => string; } /** * In-memory session store. Suitable for development and single-instance * deployments; use a shared store for multi-instance production. */ export declare const memoryStore: (options?: MemoryStoreOptions) => SessionStore; /** * Middleware that loads, exposes, and persists a request-scoped session. * * The session is exposed as {@link ServerContext.session} (`ctx.session`). Reads * and writes happen through plain properties; lifecycle calls use `$`-prefixed * members. The session id cookie is HMAC-signed and the payload is stored * server-side, so the cookie carries no session data and tampering is rejected. * * @example * ```ts * import { createServer, session, memoryStore } from '@bquery/bquery/server'; * * const app = createServer(); * app.use(session({ secret: process.env.SECRET!, store: memoryStore() })); * app.post('/login', (ctx) => { * ctx.session.userId = 'u_123'; * return ctx.json({ ok: true }); * }); * ``` */ export declare const session: (options: SessionOptions) => ServerMiddleware; //# sourceMappingURL=session.d.ts.map