Question about Session Cookies (Cloudflare Worker)

[kennyth01]

Hi all,
First of all, thanks for an awesome framework!

I am using hono-sessions from https://github.com/jcs224/hono_sessions

For this code snippet:

import { Hono } from 'hono'
import { sessionMiddleware, CookieStore, Session } from 'hono-sessions'


export type Env = {
    DATABASE_URL: string
    SESSION_ENCRYPTION_KEY: string
}

const app = new Hono<{ Bindings: Env, Variables: {
    session: Session,
    session_key_rotation: boolean
} }>()
const store = new CookieStore()

app.use('*', sessionMiddleware({
    store,
    encryptionKey: 'SESSION_ENCRYPTION_KEY',
    expireAfterSeconds: 900,
    cookieOptions: {
      sameSite: 'Lax',
      path: '/',
      httpOnly: true,
    },
  }))

How can I pass the SESSION_ENCRYPTION_KEY? It is coming from an env.

[yoshiro456]

something like this

app.use('*', async (c, next) => sessionMiddleware({
  store,
  encryptionKey: c.env.SESSION_ENCRYPTION_KEY,
  expireAfterSeconds: 900,
  cookieOptions: {
    sameSite: 'Lax',
    path: '/',
    httpOnly: true,
  },
}))

[NicoPlyley]

Here is an example from the docs

https://hono.dev/getting-started/cloudflare-workers#using-variables-in-middleware

[InsaneNaman]

For CF, i guess it expects you to save env variables in wrangler.toml. Not sure, haven't tried but just exploring here.

[NicoPlyley]

You do not want to place sensitive data in the wrangler.toml. As that is committed to GitHub. If you have sensitive environment variables you want to put them in .dev.vars in development. Then in the workers dashboard they can be added for production. They can be accessed the same as any other variable in Hono

[InsaneNaman]

Ahh! I missed that. Thanks for pointing out my mistake. I appreciate it :)

[InsaneNaman]

@NicoPlyley Also, could you help me understanding specific use of wrangler.toml https://hono.dev/getting-started/cloudflare-pages#create-wrangler-toml. If i put my local secrets in .dev.vars then what sort of info I can keep in wrangler.toml? TIA

[InsaneNaman]

I guess, I gotta read this? https://developers.cloudflare.com/workers/runtime-apis/bindings/service-bindings/

[NicoPlyley]

@InsaneNaman If you look at this example project I created you will see. There is an option for env vars, but this would be for something that does not need to be a secret. Personally I've never used it.

However, the rest is bindings for CloudFlare services. You can see I am using D1 in that example. When I call the binding, c.env.DB it will pass the proper secret for that database. Since it's all on CloudFlare if you think them, the binding will share the secrets for the services

[kennyth01]

I manage to solve this by using the following:

app
	.use('*')
	.use(cookieSessionMiddleware)

Then in my cookieSessionMiddleware:

export const cookieSessionMiddleware = async (c: Context, next: undefined) => {
	const store = new CookieStore()

	const m = sessionMiddleware({
		store,
		encryptionKey: c.env.SESSION_ENCRYPTION_KEY,
		expireAfterSeconds: 604800,
		cookieOptions: {
			sameSite: 'Lax',
			path: '/',
			httpOnly: true,
		},
	})

	return m(c, next)
}

[NicoPlyley]

If you wrap it like this, you won't have to worry about types

import { createMiddleware } from 'hono/factory'

export const cookieSessionMiddleware = createMiddleware(async (c, next) => {
	const store = new CookieStore()

	const m = sessionMiddleware({
		store,
		encryptionKey: c.env.SESSION_ENCRYPTION_KEY,
		expireAfterSeconds: 604800,
		cookieOptions: {
			sameSite: 'Lax',
			path: '/',
			httpOnly: true,
		},
	})

	return m(c, next)
})

You can also add <{ Bindings: Env}> if need to createMiddleware