fastify / session

Session plugin for fastify

Updating to @fastify/session version 10.9.0 has resulted in the inability to create a session object #262

Open deepakdingka opened 1 month ago

deepakdingka commented 1 month ago

Prerequisites

Fastify version

4.15.0

Plugin version

No response

Node.js version

18.x

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

Docker image node:lts-alpine 3.18

Description

We have recently upgraded to version 10.9.0 of @fastify/session following the latest security release. Subsequent to this update, we have encountered an issue where Fastify is unable to create a session object. As a consequence, the session field within the Fastify request object is undefined, which may impact session management and related functionalities.

The following code snippet demonstrates how we configure the session inside the Redis store and manage authentication with Auth0:

package.json

```json
"@fastify/cookie": "^9.2.0",
"@fastify/session": "^10.9.0",
"connect-redis": "^6.1.3",
"grant": "^5.4.21",
"fastify": "^4.15.0"
```

```js
import fastifyCookie from '@fastify/cookie';
import fastifySession from '@fastify/session';
import connectRedis from 'connect-redis';
import grant from 'grant';

const RedisStore = new connectRedis(fastifySession);
const sessionStore = new RedisStore({ client: fastify.redisSession });

await fastify
    .register(fastifyCookie)
    .register(fastifySession, {
        secret: sessionSecret,
        cookie: {
            secure: process.env.NODE_ENV !== 'localhost',
            maxAge: 24 * 60 * 60 * 1000, // 24 hours, in milliseconds
        },
        store: sessionStore,
    })
    .register(
        grant.fastify()({
            defaults: {
                origin: process.env.HOSTNAME,
                transport: 'session',
                state: true,
                nonce: true,
                prefix: '/login',
            },
            auth0: {
                client_id: clientId,
                client_secret: clientSecret,
                scope: ['openid', 'profile', 'email', 'offline_access'],
                redirect_uri: `${process.env.HOSTNAME}/authorized`,
                subdomain: auth0_domain.slice(0, -10),
            },
        }),
    );
```

Link to code that reproduces the bug

No response

Expected Behavior

No response

mcollina commented 1 month ago

Thanks for reporting!

Can you provide steps to reproduce? We often need a reproducible example, e.g. some code that allows someone else to recreate your problem by just copying and pasting it. If it involves more than a couple of different files, create a new repository on GitHub and add a link to that.

deepakdingka commented 1 month ago

Please find the attached code below

```js
import fastify from 'fastify';
import fastifyCookie from '@fastify/cookie';
import fastifySession from '@fastify/session';
import connectRedis from 'connect-redis';
import grant from 'grant';

const RedisStore = new connectRedis(fastifySession);
const sessionStore = new RedisStore({ client: fastify.redisSession });

await fastify
    .register(fastifyCookie)
    .register(fastifySession, {
        secret: sessionSecret,
        cookie: {
            secure: process.env.NODE_ENV !== 'localhost',
            maxAge: 24 * 60 * 60 * 1000, // 24 hours, in milliseconds
        },
        store: sessionStore,
    })
    .register(
        grant.fastify()({
            defaults: {
                origin: process.env.HOSTNAME,
                transport: 'session',
                state: true,
                nonce: true,
                prefix: '/login',
            },
            auth0: {
                client_id: clientId,
                client_secret: clientSecret,
                scope: ['openid', 'profile', 'email', 'offline_access'],
                redirect_uri: `${process.env.HOSTNAME}/authorized`,
                subdomain: auth0_domain.slice(0, -10),
            },
        }),
    );

await fastify.get('/authorized', async (request, reply) => {
    console.log(request.session); // here it fails with session undefined
});
```

package.json

```json
"@fastify/cookie": "^9.2.0",
"@fastify/session": "^10.9.0",
"connect-redis": "^6.1.3",
"grant": "^5.4.21",
"fastify": "^4.15.0"
```

mcollina commented 1 month ago

That's not a reproducible example.

deepakdingka commented 1 month ago

We are using auth0 tenant endpoints for SSO login, is there any way to replicate that?

mcollina commented 1 month ago

You can also send a PR with a fix and a test. To implement the test you'll have to do that reproduction anyway.