Backport/patch (#844)

* backport: session regenerate * backport: session fixation refs: 43c82c3 * fix: remove passport Co-authored-by: Rafael Gonzaga <rafael.nunu@hotmail.com> * fix: remove passport from clearSessionIgnoreFields Co-authored-by: Rafael Gonzaga <rafael.nunu@hotmail.com> --------- Co-authored-by: Rafael Gonzaga <rafael.nunu@hotmail.com>
fastify · Apr 21, 2023 · 52f9f6e · 52f9f6e
1 parent 0df7c50
commit 52f9f6e
Show file tree

Hide file tree

Showing 12 changed files with 665 additions and 142 deletions.
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -38,5 +38,6 @@ module.exports = {
     '@typescript-eslint/restrict-plus-operands': 'off',
     '@typescript-eslint/restrict-template-expressions': 'off',
     '@typescript-eslint/unbound-method': 'off',
+    '@typescript-eslint/ban-ts-comment': ['error', { 'ts-ignore': 'allow-with-description' }],
   },
 }
diff --git a/README.md b/README.md
@@ -80,6 +80,11 @@ server.register(fastifyPassport.secureSession())
 fastifyPassport.use('test', new SomePassportStrategy()) // you'd probably use some passport strategy from npm here
 ```
 
+## Session cleanup on logIn
+
+For security reasons the session is cleaned after login. You can manage this configuration at your own risk by using
+`clearSessionOnLogin (default: true)` and `clearSessionIgnoreFields (default: ['session'])`
+
 ## Difference between `@fastify/secure-session` and `@fastify/session`
 `@fastify/secure-session` and `@fastify/session` are both session plugins for Fastify which are capable of encrypting/decrypting the session. The main difference is that `@fastify/secure-session` uses the stateless approach and stores the whole session in an encrypted cookie whereas `@fastify/session` uses the stateful approach for sessions and stores them in a session store.