
Session Authentication

Session authentication keeps session state on the server; the browser holds only a cookie that identifies the session.

import { sessionMiddleware, inMemorySessionStore } from '@veloxts/auth';
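// Check the secret at startup. A non-null assertion (`!`) would only silence
// the type checker, so an unset SESSION_SECRET would reach the middleware as
// `undefined` at runtime instead of failing loudly.
const sessionSecret = process.env.SESSION_SECRET;
if (!sessionSecret) {
  throw new Error('SESSION_SECRET environment variable must be set');
}

const session = sessionMiddleware({
  // Keep this value long, random and out of source control.
  secret: sessionSecret,
  // In-memory store is for local development only; use Redis in production.
  store: inMemorySessionStore(),
  cookie: {
    name: 'session',
    secure: true, // cookie is sent over HTTPS only
    httpOnly: true, // cookie is not readable from page JavaScript
    // 'lax' withholds the cookie on cross-site POSTs but still sends it on
    // top-level GET navigations, so keep state-changing routes off GET.
    sameSite: 'lax',
    maxAge: 86400, // 24 hours
  },
});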
import { loginSession } from '@veloxts/auth';
// Login: verify the submitted credentials, then attach the user to the session.
// NOTE(review): confirm that loginSession() issues a fresh session ID; keeping
// the pre-login ID would leave this flow open to session fixation.
// NOTE(review): no throttling is visible here; a login endpoint normally needs
// rate limiting or lockout in front of it.
login: procedure()
  .use(session.optionalAuth()) // user may or may not be logged in
  .input(LoginSchema)
  .mutation(async ({ input, ctx }) => {
    const user = await verifyCredentials(input);
    const { id, email } = user;

    // Create session: only the identifying fields are stored.
    await loginSession(ctx.session, { id, email });

    // NOTE(review): the whole `user` value is returned to the client; make
    // sure verifyCredentials() does not hand back a password hash or other
    // secret fields.
    return { user };
  }),
import { logoutSession } from '@veloxts/auth';
// Logout: end the current session.
// NOTE(review): presumably logoutSession() removes the server-side record as
// well as the cookie; confirm, because a cookie-only logout leaves a copied
// session ID usable until it expires.
logout: procedure()
  .use(session.requireAuth())
  .mutation(async ({ ctx }) => {
    const { session: activeSession } = ctx;
    await logoutSession(activeSession);
    return { success: true };
  }),
// Protected query: runs behind session.requireAuth().
// NOTE(review): ctx.user is returned unfiltered; check which fields the
// middleware places on it before exposing it to the client.
getProfile: procedure()
  .use(session.requireAuth())
  .query(({ ctx }) => {
    return ctx.user;
  }),
// Optional auth (user may or may not be logged in)
homePage: procedure()
  .use(session.optionalAuth())
  .query(({ ctx }) => {
    // A missing user is normalised to an explicit null for the client.
    const user = ctx.user ?? null;
    return { user };
  }),
// Set flash message
// If the message ever includes user-supplied text, escape it where it is
// rendered; the session does not make it safe to insert into HTML.
ctx.session.flash('success', 'Profile updated!');
// Read flash message (one-time)
// NOTE(review): "one-time" presumably means the value is cleared after this
// read — confirm against the session API.
const message = ctx.session.getFlash('success');
import { createRedisSessionStore } from '@veloxts/auth';
// Redis-backed store for production use.
// NOTE(review): if REDIS_URL is unset, `url` is undefined here; confirm what
// the store does in that case rather than relying on a default.
// The Redis instance holds live session data, so it should require
// authentication and, when reached over a network, TLS (a rediss:// URL).
const redisStore = createRedisSessionStore({
  url: process.env.REDIS_URL,
});

// NOTE(review): only the store option is shown; the secret and cookie options
// from the basic setup presumably still apply — confirm against
// sessionMiddleware's required options.
const session = sessionMiddleware({ store: redisStore });
  • JWT - Alternative approach
  • Guards - Authorization