Title: feat(server): session/auth/CSRF/guard primitives + graduate toward Stable (#131, #132) by JosunLP · Pull Request #153 · bQuery/bQuery · GitHub
Open Graph Title: feat(server): session/auth/CSRF/guard primitives + graduate toward Stable (#131, #132) by JosunLP · Pull Request #153 · bQuery/bQuery
X Title: feat(server): session/auth/CSRF/guard primitives + graduate toward Stable (#131, #132) by JosunLP · Pull Request #153 · bQuery/bQuery
Description: Collected work for the two open server tickets, landed in one branch and targeting dev. Closes #131. Closes #132. #132 — session, auth, and middleware primitives session() + memoryStore() — HMAC-signed session-id cookie (Web Crypto, cross-runtime), payload in a pluggable SessionStore (in-memory default; bring-your-own Redis/DB without bundling a client). ctx.session is a Proxy: payload via plain props, lifecycle via $id / $isNew / $data / $regenerate / $destroy / $clear. Includes secret rotation, rolling sessions, prototype-pollution filtering, and session-fixation defense. csrf() + csrfToken() — OWASP double-submit cookie (signed when a secret is supplied); token via x-csrf-token header or _csrf body field. Composes with the security module (integrity vs. output). guard() — predicate route guard mirroring the router's guard ergonomics. basicAuth() / bearerAuth() — Authorization parsing with a verify() hook; resolved user on ctx.state. Signing utilities — signValue / unsignValue / timingSafeEqual / randomToken / randomId / base64Url*, all on globalThis.crypto.subtle (no node:crypto). Shared cookie helpers extracted to src/server/cookies.ts (+ appendSetCookie); no behavioral change to existing ctx.setCookie. #131 — promote server toward Stable Guide Stability section: exit-criteria checklist, frozen ctx/app surface, per-runtime support matrix; intro + README notes; version history. app.listen() now supports Deno via Deno.serve (Node/Bun/Deno covered). ctx.session is additive/optional — no breaking changes to the 1.14 surface. New exports wired through server/index.ts and the /full bundle. Zero-dependency & secure-by-default No runtime dependencies added; each primitive is independently importable/tree-shakeable. Sessions default to httpOnly + SameSite=Lax; signing is HMAC-SHA-256; comparisons are constant-time. Verification Full suite 2785 pass / 0 fail (42 new in tests/server-stable.test.ts: sessions, CSRF, guards, auth, crypto — incl. secret rotation, rolling, $destroy-revive, immutable-response cookies). Cross-runtime smoke extended for server (sign/verify, session, CSRF) — passes on Node + Bun locally; Deno in CI. tsc, eslint, bun run build, check:full-bundle (in sync), check:doc-exports (server 23/23) all green. Review Ran an adversarial multi-agent review of the diff; applied the confirmed hardening: don't cache a rejected HMAC key-import, guard timingSafeEqual against empty input, revive a session written-to after $destroy(), simplify the Deno listen() address resolution, and strengthened tests/docs. 🤖 Generated with Claude Code
Open Graph Description: Collected work for the two open server tickets, landed in one branch and targeting dev. Closes #131. Closes #132. #132 — session, auth, and middleware primitives session() + memoryStore() — HMAC-s...
X Description: Collected work for the two open server tickets, landed in one branch and targeting dev. Closes #131. Closes #132. #132 — session, auth, and middleware primitives session() + memoryStore() — HMAC-s...
Opengraph URL: https://github.com/bQuery/bQuery/pull/153
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:c6e6ba08-7b3b-795c-c6a3-2070ba8798fe |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | D606:1BF5E4:49DE5D:67E2F0:6A4E7083 |
| html-safe-nonce | 6a7a6e87b080cc9b3f976d2199a41edd07a5a7c41a40e0617e1287eef7e21ff9 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJENjA2OjFCRjVFNDo0OURFNUQ6NjdFMkYwOjZBNEU3MDgzIiwidmlzaXRvcl9pZCI6IjY4MDQ2NzU3NDg2NTUxNjU1NzEiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 38eaff7dc35f2d45e15faa31067f5993e724e83baafec986b6d4376d80ded1df |
| hovercard-subject-tag | pull_request:3950571817 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/bQuery/bQuery/pull/153/files |
| twitter:image | https://avatars.githubusercontent.com/u/20913954?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/20913954?s=400&v=4 |
| og:image:alt | Collected work for the two open server tickets, landed in one branch and targeting dev. Closes #131. Closes #132. #132 — session, auth, and middleware primitives session() + memoryStore() — HMAC-s... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 41b6ab3ba6d20a71766ac245b5a4a94c6fc672a9cd4da7d44c1b33ab8bf6a21c |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/bQuery/bQuery git https://github.com/bQuery/bQuery.git |
| octolytics-dimension-user_id | 256381806 |
| octolytics-dimension-user_login | bQuery |
| octolytics-dimension-repository_id | 1139284244 |
| octolytics-dimension-repository_nwo | bQuery/bQuery |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 1139284244 |
| octolytics-dimension-repository_network_root_nwo | bQuery/bQuery |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | e6a744804e8e70f97b4d5a18a94dcc63db22f97a |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width