Remove sessionEphemeral
Switch to use sessionLength instead. Setting the length
to 0 will indicate an ephemeral session, reducing the
need for an additional key.
joshcanhelp committed Jan 3, 2020
1 parent dc2be1a commit 08e6702
Showing 4 changed files with 11 additions and 12 deletions.
3 changes: 1 addition & 2 deletions API.md
Expand Up @@ -34,9 +34,8 @@ Additional configuration keys that can be passed to `auth()` on initialization:
- **`redirectUriPath`** - Relative path to the application callback to process the response from the authorization server. This value is combined with the `baseUrl` and sent to the authorize endpoint as the `redirectUri` parameter. Default is `/callback`.
- **`required`** - Use a boolean value to require authentication for all routes. Pass a function instead to base this value on the request. Default is `true`.
- **`routes`** - Boolean value to automatically install the login and logout routes. See [the examples](EXAMPLES.md) for more information on how this key is used. Default is `true`.
- **`sessionLength`** - Integer value, in seconds, indicating application session length. Default is 7 days.
- **`sessionLength`** - Integer value, in seconds, indicating application session length. Set to `0` to indicate the cookie should be ephemeral (no expiration). Default is 7 days.
- **`sessionName`** - String value for the cookie name used for the internal session. This value must only include letters, numbers, and underscores. Default is `identity`.
- **`sessionEphemeral`** - Use a boolean to indicate the cookie should be ephemeral (no expiration on the cookie). Default is `false`.

### Authorization Params Key

10 changes: 8 additions & 2 deletions lib/config.js
Expand Up @@ -37,9 +37,15 @@ const paramsSchema = Joi.object().keys({
logoutPath: Joi.string().optional().default('/logout'),
legacySameSiteCookie: Joi.boolean().optional().default(true),
sessionName: Joi.string().token().optional().default('identity'),
sessionSecret: Joi.alternatives([ Joi.array().items(Joi.string()), Joi.string(), Joi.boolean().valid([false]) ]).required().default(),
sessionSecret: Joi.alternatives([
// Array of keys to allow for rotation.
Joi.array().items(Joi.string()),
// Single string key.
Joi.string(),
// False to stop client session from being created.
Joi.boolean().valid([false])
]).required(),
sessionLength: Joi.number().integer().optional().default(7 * 24 * 60 * 60),
sessionEphemeral: Joi.boolean().optional().default(false),

idpLogout: Joi.boolean().optional().default(false)
.when('auth0Logout', { is: true, then: Joi.boolean().optional().default(true) })
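Review bot: With `0` now carrying meaning on the sessionLength line, the schema still accepts negative integers, which would place the cookie's expiry in the past rather than signalling an ephemeral session; tighten it to `sessionLength: Joi.number().integer().min(0).optional().default(7 * 24 * 60 * 60),`. The sentinel is otherwise documented only in API.md, so a comment above that line, `// 0 = ephemeral cookie (no Expires attribute); see lib/session.js`, would keep the schema self-describing now that the sessionEphemeral key is gone. The paramsSchema object continues past the end of this hunk.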
9 changes: 2 additions & 7 deletions lib/session.js
Expand Up @@ -8,7 +8,7 @@ const hkdf = require('futoin-hkdf');
const deriveKey = (secret) => hkdf(secret, 32, { info: 'JWE CEK', hash: 'SHA-256' });
const epoch = () => Date.now() / 1000 | 0;

module.exports = ({ cookieName, propertyName, secret, duration, ephemeral, cookieOptions = {} }) => {
module.exports = ({ cookieName, propertyName, secret, duration, cookieOptions = {} }) => {
let current;

const { domain, httpOnly, path, secure, sameSite } = cookieOptions;
Expand Down Expand Up @@ -52,11 +52,6 @@ module.exports = ({ cookieName, propertyName, secret, duration, ephemeral, cooki
if (req[propertyName] && Object.keys(req[propertyName]).length > 0) {
const value = encrypt(JSON.stringify(req[propertyName]), { iat, uat, exp });

// TODO: chunk
// if (Buffer.byteLength(value) >= 4050) {
//
// }

res.cookie(
cookieName,
value,
Expand All @@ -66,7 +61,7 @@ module.exports = ({ cookieName, propertyName, secret, duration, ephemeral, cooki
path,
secure,
sameSite,
expires: ephemeral ? 0 : new Date(exp * 1000)
expires: !duration ? 0 : new Date(exp * 1000)
}
);
}
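Review bot: The ephemeral test on the expires line treats every falsy duration as ephemeral, so an undefined or NaN duration silently yields a session cookie instead of an error; since the commit defines the sentinel as exactly zero, `expires: duration === 0 ? 0 : new Date(exp * 1000)` states the intent and lets bad input fail visibly. The larger question is exp itself, which is computed outside this hunk: if it is derived from duration, a zero duration gives the encrypted payload an already-elapsed exp, and any expiry check on read would reject the ephemeral session on the very next request, whereas the removed ephemeral flag left duration (and so exp) untouched — worth confirming how exp is derived and what the reader does with it when duration is 0. The exported function begins in the first hunk and its body continues outside the hunks shown.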
1 change: 0 additions & 1 deletion middleware/auth.js
Expand Up @@ -54,7 +54,6 @@ module.exports = function (params) {
propertyName: config.sessionName,
secret: config.sessionSecret,
duration: config.sessionLength,
ephemeral: config.sessionEphemeral,
// TODO: cookieOptions: { domain, httpOnly, path, secure, sameSite }
}));
}
