session now has cookie options per session name

Author: cblanquera

src/router/Session.ts

@@ -1,18 +1,40 @@
 //data
 import ReadonlyMap from '../data/ReadonlyMap.js';
-//local
-import type { Revision, CallableSession } from '../types.js';
+//client
+import type {
+  CallableSession,
+  CookieOptions,
+  Revision
+} from '../types.js';
 
 /**
  * Readonly session controller
  */
 export class ReadSession extends ReadonlyMap<string, string|string[]> {
+  //Every cookie setting needs a home base of its own so each key can
+  //carry its own marching orders instead of borrowing one global plan.
+  protected readonly _options = new Map<string, CookieOptions>();
+
   /**
    * Returns the session data
    */
   public get data() {
     return Object.fromEntries(this._map);
   }
+
+  /**
+   * Returns the stored cookie settings
+   */
+  public get options() {
+    return Object.fromEntries(this._options);
+  }
+
+  /**
+   * Returns the cookie settings for a single key
+   */
+  public getOptions(name: string) {
+    return this._options.get(name);
+  }
 }
 
 /**
@@ -26,8 +48,11 @@ export class WriteSession extends ReadSession {
    * Clear the session
    */
   public clear(): void {
+    //When the whole line retreats, clear both the session payload and the
+    //cookie orders so nothing stale gets left behind on the field.
     for (const name of this.keys()) {
       this.revisions.set(name, { action: 'remove' });
+      this._options.delete(name);
     }
     this._map.clear();
   }
@@ -36,15 +61,36 @@ export class WriteSession extends ReadSession {
    * Delete a session entry
    */
   public delete(name: string) {
+    //If a cookie key is removed, retire its settings too so the next write
+    //does not accidentally reuse an old path, age, or security policy.
     this.revisions.set(name, { action: 'remove' });
+    this._options.delete(name);
     return this._map.delete(name);
   }
 
   /**
    * Set a session entry
    */
-  public set(name: string, value: string|string[]) {
-    this.revisions.set(name, { action: 'set', value });
+  public set(
+    name: string,
+    value: string|string[],
+    options?: CookieOptions
+  ) {
+    //Each cookie gets its own shield here so one session key can be strict
+    //and another can stay flexible without either stepping on the other.
+    if (options) {
+      this._options.set(name, { ...options });
+    }
+
+    //Record both the value and the keyed cookie settings so the response
+    //layer can serialize exactly what changed when the dust settles.
+    const revisionOptions = this._options.get(name);
+    this.revisions.set(name, {
+      action: 'set',
+      ...(revisionOptions ? { options: revisionOptions } : {}),
+      value
+    });
+
     return this._map.set(name, value);
   }
 }
@@ -57,22 +103,30 @@ export function session(data?: [string, string|string[]][]): CallableSession {
   const callable = Object.assign(
     (name: string) => store.get(name),
     {
+      //Expose the same field controls on the callable wrapper so callers do
+      //not need to care whether they got a class instance or the helper.
       clear: () => store.clear(),
       delete: (name: string) => store.delete(name),
       entries: () => store.entries(),
       forEach: (
         callback: (value: string|string[], key: string, map: Map<string, string|string[]>) => void
       ) => store.forEach(callback),
       get: (name: string) => store.get(name),
+      getOptions: (name: string) => store.getOptions(name),
       has: (name: string) => store.has(name),
       keys: () => store.keys(),
-      set: (name: string, value: string|string[]) => store.set(name, value),
+      set: (
+        name: string,
+        value: string|string[],
+        options?: CookieOptions
+      ) => store.set(name, value, options),
       values: () => store.values()
     } as WriteSession
   );
   //magic size/data property
   Object.defineProperty(callable, 'size', { get: () => store.size });
   Object.defineProperty(callable, 'data', { get: () => store.data });
+  Object.defineProperty(callable, 'options', { get: () => store.options });
   Object.defineProperty(callable, 'revisions', { get: () => store.revisions });
   return callable;
-}
+}

tests/Session.test.ts

@@ -67,6 +67,84 @@ describe('WriteSession', () => {
       value: ['item3', 'item4'] 
     });
   });
+
+  it('should store cookie settings per key', () => {
+    writeSession.set('sessionId', 'abc123', {
+      httpOnly: true,
+      path: '/',
+      sameSite: 'lax'
+    });
+    writeSession.set('theme', 'dark', {
+      maxAge: 31536000,
+      path: '/preferences'
+    });
+
+    expect(writeSession.getOptions('sessionId')).to.deep.equal({
+      httpOnly: true,
+      path: '/',
+      sameSite: 'lax'
+    });
+    expect(writeSession.getOptions('theme')).to.deep.equal({
+      maxAge: 31536000,
+      path: '/preferences'
+    });
+    expect(writeSession.revisions.get('sessionId')).to.deep.equal({
+      action: 'set',
+      options: {
+        httpOnly: true,
+        path: '/',
+        sameSite: 'lax'
+      },
+      value: 'abc123'
+    });
+    expect(writeSession.revisions.get('theme')).to.deep.equal({
+      action: 'set',
+      options: {
+        maxAge: 31536000,
+        path: '/preferences'
+      },
+      value: 'dark'
+    });
+  });
+
+  it('should clear cookie settings when an entry is removed', () => {
+    writeSession.set('sessionId', 'abc123', {
+      httpOnly: true,
+      path: '/'
+    });
+
+    writeSession.delete('sessionId');
+
+    expect(writeSession.getOptions('sessionId')).to.be.undefined;
+    expect(writeSession.revisions.get('sessionId')).to.deep.equal({
+      action: 'remove'
+    });
+  });
+
+  it('should preserve existing cookie settings when only the value changes', () => {
+    writeSession.set('sessionId', 'abc123', {
+      httpOnly: true,
+      path: '/',
+      sameSite: 'strict'
+    });
+
+    writeSession.set('sessionId', 'def456');
+
+    expect(writeSession.getOptions('sessionId')).to.deep.equal({
+      httpOnly: true,
+      path: '/',
+      sameSite: 'strict'
+    });
+    expect(writeSession.revisions.get('sessionId')).to.deep.equal({
+      action: 'set',
+      options: {
+        httpOnly: true,
+        path: '/',
+        sameSite: 'strict'
+      },
+      value: 'def456'
+    });
+  });
 });
 
 describe('session function', () => {
@@ -109,6 +187,27 @@ describe('session function', () => {
     ]);
   });
 
+  it('should expose cookie settings through the callable wrapper', () => {
+    sessionInstance.set('token', 'shield', {
+      httpOnly: true,
+      path: '/',
+      secure: true
+    });
+
+    expect(sessionInstance.getOptions('token')).to.deep.equal({
+      httpOnly: true,
+      path: '/',
+      secure: true
+    });
+    expect(Object.entries(sessionInstance.options)).to.deep.equal([
+      ['token', {
+        httpOnly: true,
+        path: '/',
+        secure: true
+      }]
+    ]);
+  });
+
   it('should support iteration methods', () => {
     const entries = Array.from(sessionInstance.entries());
     expect(entries).to.deep.equal([