A secure session management plugin for Elysia.js using iron-session. This plugin provides encrypted, stateless sessions with type-safety.
- 🔒 Secure, encrypted session storage using iron-session
- 🔑 HTTP-only cookie-based sessions
- ⚡ Fully type-safe with TypeScript
- 🎯 Simple, intuitive API
- ⏰ Configurable TTL (Time To Live)
bun add elysia-ironsessionUsage is the same as Elysia's reactive Cookie - you extract the session property and access its items directly.
There's no get/set, you can extract the property name and retrieve or update its value directly.
Basic example:
import { Elysia } from 'elysia'
import { IronSession } from 'elysia-ironsession'
// Define your session structure
interface UserSession {
userId?: number
isLoggedIn?: boolean
}
const app = new Elysia()
.use(
IronSession<UserSession>({
password: process.env.SESSION_SECRET!, // At least 32 characters
cookieName: 'my_session', // Optional, defaults to 'session'
secure: process.env.NODE_ENV === 'production'
})
)
.get('/profile', async ({ session }) => {
if (!session?.isLoggedIn) {
throw new Error('Unauthorized')
}
return { userId: session.userId }
})
.get('/login', async ({ session }) => {
session.userId = 123
session.isLoggedIn = true
return { success: true }
})
.get('/logout', async ({ session }) => {
delete session.userId
delete session.isLoggedIn
return { success: true }
})
.listen(3000)The plugin accepts the following options:
interface SessionOptions {
password: string; // Required: Secret key for encryption (min 32 chars)
ttl?: number; // Optional: Session duration in seconds (default: 14 days)
cookieName?: string; // Optional: Name of the session cookie (default: 'session')
secure?: boolean; // Optional: Set the secure attribute of the cookie (default true)
}Contributions are welcome! Please feel free to submit a Pull Request.
MIT License - see LICENSE file for details.