exchange request.session to request.encryptedSession

Author: enrico-kaack-comp

.env.template

@@ -16,3 +16,4 @@ API_BACKEND_URL=
 # Replace this value with a strong, randomly generated string (at least 32 characters).
 # Example for generation in Node.js: require('crypto').randomBytes(32).toString('hex')
 COOKIE_SECRET=
+SESSION_SECRET=

package-lock.json

@@ -25,6 +25,7 @@
     "@fastify/env": "^5.0.2",
     "@fastify/http-proxy": "^11.1.2",
     "@fastify/sensible": "^6.0.3",
+    "@fastify/secure-session": "^8.2.0",
     "@fastify/session": "^11.1.0",
     "@fastify/static": "^8.1.1",
     "@fastify/vite": "^8.1.3",
@@ -83,4 +84,4 @@
     "vite": "^6.3.4",
     "vitest": "^3.1.4"
   }
-}
+}

package.json

@@ -11,40 +11,19 @@ const __dirname = dirname(__filename);
 
 export default async function (fastify, opts) {
   await fastify.register(envPlugin);
-  await fastify.register(testRoute)
-
-  //   await fastify.register(AutoLoad, {
-  //     dir: join(__dirname, "plugins"),
-  //     options: { ...opts },
-  //   });
-
-  //   await fastify.register(AutoLoad, {
-  //     dir: join(__dirname, "routes"),
-  //     options: { ...opts },
-  //   });
-}
-
-function testRoute(fastify, opts) {
   fastify.register(encryptedSession, {
     ...opts,
   });
 
-  // this route basically stores the query parameter test in the encrypted session store and reads it on subequent requests
-  fastify.get("/test", async (request, reply) => {
-    // read query param
-    const { query } = request;
-
-    // we use the encrypted session api with get/set like the normal session api
-    const previousValue = request.encryptedSession.get("testFromClient");
-
-    console.log("value stored before request is processed:", request.encryptedSession.stringify());
+  await fastify.register(AutoLoad, {
+    dir: join(__dirname, "plugins"),
+    options: { ...opts },
+  });
 
-    if (query.test) {
-      request.encryptedSession.set("testFromClient", query.test);
-    }
+  await fastify.register(AutoLoad, {
+    dir: join(__dirname, "routes"),
+    options: { ...opts },
+  });
 
-    request.encryptedSession.set("testKey", "testValue");
 
-    return { message: "Test route works!", previousValue: previousValue || "not set", currentValue: request.encryptedSession.get("testFromClient") || "not set" };
-  });
 }

server/app.js

@@ -11,6 +11,7 @@ const schema = {
     'OIDC_SCOPES',
     'POST_LOGIN_REDIRECT',
     'COOKIE_SECRET',
+    'SESSION_SECRET',
     'API_BACKEND_URL',
   ],
   properties: {
@@ -22,6 +23,7 @@ const schema = {
     OIDC_SCOPES: { type: 'string' },
     POST_LOGIN_REDIRECT: { type: 'string' },
     COOKIE_SECRET: { type: 'string' },
+    SESSION_SECRET: { type: 'string' },
     API_BACKEND_URL: { type: 'string' },
 
     // System variables

server/config/env.js

@@ -18,7 +18,7 @@ export const SECURE_COOKIE_KEY_ENCRYPTION_KEY = "encryptionKey";
 export const REQUEST_DECORATOR = "encryptedSession";
 
 async function encryptedSession(fastify) {
-  const { COOKIE_SECRET, NODE_ENV } = fastify.config;
+  const { COOKIE_SECRET, SESSION_SECRET, NODE_ENV } = fastify.config;
 
   await fastify.register(fastifyCookie);
 
@@ -37,7 +37,7 @@ async function encryptedSession(fastify) {
 
 
   fastify.register(fastifySession, {
-    secret: "test-secret-32-char-or-longerasdasdasdasdasdasdasdasdasdasd",
+    secret: SESSION_SECRET,
     cookieName: COOKIE_NAME_SESSION,
     // sessionName: UNDERLYING_SESSION_NAME, //NOT POSSIBLE to change the name it is decorated on the request object
     cookie: {
@@ -89,11 +89,6 @@ async function encryptedSession(fastify) {
   // onSend is called before the response is send. Here we take encrypt the Session object and store it in the fastify-session.
   // Then we also want to make sure the unencrypted object is removed from memory
   fastify.addHook('onSend', (request, reply, _payload, next) => {
-    console.log("onSend hook called", request[REQUEST_DECORATOR].stringify());
-
-    //on send we will encrypt the store and set it in the backend-side session store
-    console.log("Encrypted store that will be set in session:", request[REQUEST_DECORATOR].stringify());
-
     const encyrptionKey = Buffer.from(request[SECURE_SESSION_NAME].get(SECURE_COOKIE_KEY_ENCRYPTION_KEY), "base64");
     if (!encyrptionKey) {
       // if no encryption key is found in the secure session, we cannot encrypt the store. This should not happen since an encrption key is generated when the request arrived
@@ -114,7 +109,6 @@ async function encryptedSession(fastify) {
       iv,
       tag,
     });
-    console.log("Encrypted store set in session:", request.session.encryptedStore);
     request.log.info("store encrypted and set into request.session.encryptedStore");
     next()
   })

server/encrypted-session.js

@@ -77,20 +77,20 @@ async function authUtilsPlugin(fastify) {
     request.log.info("Preparing OIDC login redirect.");
 
     const { redirectTo } = request.query;
-    request.session.set("postLoginRedirectRoute", redirectTo);
+    request.encryptedSession.set("postLoginRedirectRoute", redirectTo);
 
     const { clientId, redirectUri, scopes } = oidcConfig;
 
     const state = crypto.randomBytes(16).toString("hex");
     const codeVerifier = crypto.randomBytes(32).toString("base64url");
     const codeChallenge = crypto.createHash("sha256").update(codeVerifier).digest("base64url");
 
-    request.session.set("oauthState", state);
-    request.session.set("codeVerifier", codeVerifier);
+    request.encryptedSession.set("oauthState", state);
+    request.encryptedSession.set("codeVerifier", codeVerifier);
     request.log.info({
       stateSet: Boolean(state),
       verifierSet: Boolean(codeVerifier),
-    }, "OAuth state and code verifier set in session.");
+    }, "OAuth state and code verifier set in encryptedSession.");
 
     const url = new URL(authorizationEndpoint);
     url.searchParams.set("response_type", "code");
@@ -116,7 +116,7 @@ async function authUtilsPlugin(fastify) {
       request.log.error("Missing authorization code in callback.");
       throw new AuthenticationError("Missing code in callback.");
     }
-    if (state !== request.session.get("oauthState")) {
+    if (state !== request.encryptedSession.get("oauthState")) {
       request.log.error("Invalid state in callback.");
       throw new AuthenticationError("Invalid state in callback.");
     }
@@ -126,7 +126,7 @@ async function authUtilsPlugin(fastify) {
       code,
       redirect_uri: redirectUri,
       client_id: clientId,
-      code_verifier: request.session.get("codeVerifier"),
+      code_verifier: request.encryptedSession.get("codeVerifier"),
     });
 
     const response = await fetch(tokenEndpoint, {
@@ -146,7 +146,7 @@ async function authUtilsPlugin(fastify) {
       refreshToken: tokens.refresh_token,
       expiresAt: null,
       userInfo: extractUserInfoFromIdToken(request, tokens.id_token),
-      postLoginRedirectRoute: request.session.get("postLoginRedirectRoute") || "",
+      postLoginRedirectRoute: request.encryptedSession.get("postLoginRedirectRoute") || "",
     };
 
     if (tokens.expires_in && typeof tokens.expires_in === "number") {

server/plugins/auth-utils.js

@@ -19,14 +19,14 @@ function proxyPlugin(fastify) {
       const keyRefreshToken = useCrate ? "onboarding_refreshToken" : "mcp_refreshToken";
 
       // Check if there is an access token
-      const accessToken = request.session.get(keyAccessToken);
+      const accessToken = request.encryptedSession.get(keyAccessToken);
       if (!accessToken) {
         request.log.error("Missing access token.");
         return reply.unauthorized("Missing access token.");
       }
 
       // Check if the access token is expired or about to expire
-      const expiresAt = request.session.get(keyTokenExpiresAt);
+      const expiresAt = request.encryptedSession.get(keyTokenExpiresAt);
       const now = Date.now();
       const REFRESH_BUFFER_SECONDS = 20; // to allow for network latency
       if (!expiresAt || now < expiresAt - REFRESH_BUFFER_SECONDS) {
@@ -37,10 +37,10 @@ function proxyPlugin(fastify) {
       request.log.info({ expiresAt: new Date(expiresAt).toISOString() }, "Access token is expired or about to expire; attempting refresh.");
 
       // Check if there is a refresh token
-      const refreshToken = request.session.get(keyRefreshToken);
+      const refreshToken = request.encryptedSession.get(keyRefreshToken);
       if (!refreshToken) {
-        request.log.error("Missing refresh token; deleting session.");
-        request.session.destroy();
+        request.log.error("Missing refresh token; deleting encryptedSession.");
+        request.encryptedSession.clear();//TODO: also clear user encrpytion key?
         return reply.unauthorized("Session expired without token refresh capability.");
       }
 
@@ -54,23 +54,23 @@ function proxyPlugin(fastify) {
         }, issuerConfiguration.tokenEndpoint);
         if (!refreshedTokenData || !refreshedTokenData.accessToken) {
           request.log.error("Token refresh failed (no access token); deleting session.");
-          request.session.destroy();
+          request.encryptedSession.clear();//TODO: also clear user encrpytion key?
           return reply.unauthorized("Session expired and token refresh failed.");
         }
 
         request.log.info("Token refresh successful; updating the session.");
 
-        request.session.set(keyAccessToken, refreshedTokenData.accessToken);
+        request.encryptedSession.set(keyAccessToken, refreshedTokenData.accessToken);
         if (refreshedTokenData.refreshToken) {
-          request.session.set(keyRefreshToken, refreshedTokenData.refreshToken);
+          request.encryptedSession.set(keyRefreshToken, refreshedTokenData.refreshToken);
         } else {
-          request.session.delete(keyRefreshToken);
+          request.encryptedSession.delete(keyRefreshToken);
         }
         if (refreshedTokenData.expiresIn) {
           const newExpiresAt = Date.now() + (refreshedTokenData.expiresIn * 1000);
-          request.session.set(keyTokenExpiresAt, newExpiresAt);
+          request.encryptedSession.set(keyTokenExpiresAt, newExpiresAt);
         } else {
-          request.session.delete(keyTokenExpiresAt);
+          request.encryptedSession.delete(keyTokenExpiresAt);
         }
 
         request.log.info("Token refresh successful and session updated; continuing with the HTTP request.");
@@ -86,7 +86,7 @@ function proxyPlugin(fastify) {
     replyOptions: {
       rewriteRequestHeaders: (req, headers) => {
         const useCrate = req.headers["x-use-crate"];
-        const accessToken = useCrate ? req.session.get("onboarding_accessToken") : `${req.session.get("onboarding_accessToken")},${req.session.get("mcp_accessToken")}`;
+        const accessToken = useCrate ? req.encryptedSession.get("onboarding_accessToken") : `${req.encryptedSession.get("onboarding_accessToken")},${req.encryptedSession.get("mcp_accessToken")}`;
 
         return {
           ...headers,