owltide/stores/session.ts

/*
	SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
	SPDX-License-Identifier: AGPL-3.0-or-later
*/
import { appendResponseHeader } from "h3";
import type { H3Event } from "h3";
import type { ApiAccount, ApiSession } from "~/shared/types/api";

const fetchSessionWithCookie = async (event?: H3Event) => {
	// Client side
	if (!event) {
		return $fetch("/api/auth/session");
	}

	// Server side
	const cookie = useRequestHeader("cookie");
	const res = await $fetch.raw("/api/auth/session", {
		headers: cookie ? { cookie } : undefined
	});
	for (const cookie of res.headers.getSetCookie()) {
		appendResponseHeader(event, "set-cookie", cookie);
	}
	return res._data;
}

export const useSessionStore = defineStore("session", () => {
	const state = {
		account: ref<ApiAccount>(),
		id: ref<number>(),
		push: ref<boolean>(false),
	};

	const actions = {
		async fetch(event?: H3Event) {
			const session = await fetchSessionWithCookie(event)
			actions.update(session);
		},
		update(session?: ApiSession) {
			state.account.value = session?.account;
			state.id.value = session?.id;
			state.push.value = session?.push ?? false;
		},
		async logIn(name: string) {
			const res = await $fetch.raw("/api/auth/login", {
				method: "POST",
				body: { name },
			});
			await actions.fetch();
			return `/api/auth/login replied: ${res.status} ${res.statusText}`;
		},
		async logOut() {
			try {
				await $fetch.raw("/api/auth/session", {
					method: "DELETE",
				});
				await actions.fetch();

			} catch (err: any) {
				alert(`Log out failed: ${err.statusCode} ${err.statusMessage}`);
			}
		},
	};

	appEventSource?.addEventListener("update", (event) => {
		if (event.data.type !== "connected") {
			return;
		}
		actions.update(event.data.session);
	});

	return {
		...state,
		...actions,
	};
});
License under AGPL version 3 or later I firmly believe in free software. The application I'm making here have capabilities that I've not seen in any system. It presents itself as an opportunity to collaborate on a tool that serves the people rather than corporations. Whose incentives are to help people rather, not make the most money. And whose terms ensure that these freedoms and incentives cannot be taken back or subverted. I license this software under the AGPL. 2025-06-30 18:58:24 +02:00			`/*`
			`SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>`
			`SPDX-License-Identifier: AGPL-3.0-or-later`
			`*/`
Use a pinia store to manage session state Replace the convoluted useAccountSession composable with a pinia store that in addition allows for the consolidation of all session related functions to grouped into one module. 2025-05-24 17:53:33 +02:00			`import { appendResponseHeader } from "h3";`
			`import type { H3Event } from "h3";`
Close event streams for expired sessions When a session expires close any event streams that have been opened with that session. This prevents an attacker with a leaked session cookie from opening a stream and receiving updates indefinitely without being detected. By sending the session the event stream is opened with when the stream is established this closure on session expiry also serves as a way for a user agent to be notified whenever its own access level changes. 2025-07-08 15:43:14 +02:00			`import type { ApiAccount, ApiSession } from "~/shared/types/api";`
Use a pinia store to manage session state Replace the convoluted useAccountSession composable with a pinia store that in addition allows for the consolidation of all session related functions to grouped into one module. 2025-05-24 17:53:33 +02:00
			`const fetchSessionWithCookie = async (event?: H3Event) => {`
			`// Client side`
			`if (!event) {`
			`return $fetch("/api/auth/session");`
			`}`

			`// Server side`
			`const cookie = useRequestHeader("cookie");`
			`const res = await $fetch.raw("/api/auth/session", {`
			`headers: cookie ? { cookie } : undefined`
			`});`
			`for (const cookie of res.headers.getSetCookie()) {`
			`appendResponseHeader(event, "set-cookie", cookie);`
			`}`
			`return res._data;`
			`}`

			`export const useSessionStore = defineStore("session", () => {`
			`const state = {`
Refactor API types and sync logic Rename and refactor the types passed over the API to be based on an entity that's either living or a tombstone. A living entity has a deleted property that's either undefined or false, while a tombstone has a deleted property set to true. All entities have a numeric id and an updatedAt timestamp. To sync entities, an array of replacements are passed around. Living entities are replaced with tombstones when they're deleted. And tombstones are replaced with living entities when restored. 2025-06-11 21:05:17 +02:00			`account: ref<ApiAccount>(),`
Use a pinia store to manage session state Replace the convoluted useAccountSession composable with a pinia store that in addition allows for the consolidation of all session related functions to grouped into one module. 2025-05-24 17:53:33 +02:00			`id: ref<number>(),`
			`push: ref<boolean>(false),`
			`};`

			`const actions = {`
			`async fetch(event?: H3Event) {`
			`const session = await fetchSessionWithCookie(event)`
Close event streams for expired sessions When a session expires close any event streams that have been opened with that session. This prevents an attacker with a leaked session cookie from opening a stream and receiving updates indefinitely without being detected. By sending the session the event stream is opened with when the stream is established this closure on session expiry also serves as a way for a user agent to be notified whenever its own access level changes. 2025-07-08 15:43:14 +02:00			`actions.update(session);`
			`},`
			`update(session?: ApiSession) {`
Use a pinia store to manage session state Replace the convoluted useAccountSession composable with a pinia store that in addition allows for the consolidation of all session related functions to grouped into one module. 2025-05-24 17:53:33 +02:00			`state.account.value = session?.account;`
			`state.id.value = session?.id;`
			`state.push.value = session?.push ?? false;`
			`},`
			`async logIn(name: string) {`
			`const res = await $fetch.raw("/api/auth/login", {`
			`method: "POST",`
			`body: { name },`
			`});`
			`await actions.fetch();`
			return `/api/auth/login replied: ${res.status} ${res.statusText}`;
			`},`
			`async logOut() {`
			`try {`
			`await $fetch.raw("/api/auth/session", {`
			`method: "DELETE",`
			`});`
			`await actions.fetch();`

			`} catch (err: any) {`
			alert(`Log out failed: ${err.statusCode} ${err.statusMessage}`);
			`}`
			`},`
			`};`

Close event streams for expired sessions When a session expires close any event streams that have been opened with that session. This prevents an attacker with a leaked session cookie from opening a stream and receiving updates indefinitely without being detected. By sending the session the event stream is opened with when the stream is established this closure on session expiry also serves as a way for a user agent to be notified whenever its own access level changes. 2025-07-08 15:43:14 +02:00			`appEventSource?.addEventListener("update", (event) => {`
			`if (event.data.type !== "connected") {`
			`return;`
			`}`
			`actions.update(event.data.session);`
			`});`

Use a pinia store to manage session state Replace the convoluted useAccountSession composable with a pinia store that in addition allows for the consolidation of all session related functions to grouped into one module. 2025-05-24 17:53:33 +02:00			`return {`
			`...state,`
			`...actions,`
			`};`
			`});`