Add saveUninitialized option

Author: interpretor

src/module.ts

@@ -23,7 +23,8 @@ const defaults: FilledModuleOptions = {
       options: {}
     },
     domain: null,
-    ipPinning: false as boolean|SessionIpPinningOptions
+    ipPinning: false as boolean|SessionIpPinningOptions,
+    saveUninitialized: true
   },
   api: {
     isEnabled: true,

src/runtime/server/middleware/session/index.ts

@@ -5,6 +5,7 @@ import { SameSiteOptions, Session, SessionOptions } from '../../../../types'
 import { dropStorageSession, getStorageSession, setStorageSession } from './storage'
 import { processSessionIp, getHashedIpAddress } from './ipPinning'
 import { SessionExpired } from './exceptions'
+import { resEndProxy } from './resEndProxy'
 import { useRuntimeConfig } from '#imports'
 
 const SESSION_COOKIE_NAME = 'sessionId'
@@ -58,7 +59,7 @@ export const deleteSession = async (event: H3Event) => {
   deleteCookie(event, SESSION_COOKIE_NAME)
 }
 
-const newSession = async (event: H3Event) => {
+const newSession = async (event: H3Event, copyContextSession?: boolean) => {
   const runtimeConfig = useRuntimeConfig()
   const sessionOptions = runtimeConfig.session.session
 
@@ -72,6 +73,10 @@ const newSession = async (event: H3Event) => {
     createdAt: new Date(),
     ip: sessionOptions.ipPinning ? await getHashedIpAddress(event) : undefined
   }
+  // Copy the session object from the event context to the new session
+  if (copyContextSession) {
+    Object.assign(session, event.context.session)
+  }
   await setStorageSession(sessionId, session)
 
   return session
@@ -118,9 +123,23 @@ function isSession (shape: unknown): shape is Session {
 }
 
 const ensureSession = async (event: H3Event) => {
+  const sessionConfig = useRuntimeConfig().session.session
+
   let session = await getSession(event)
   if (!session) {
-    session = await newSession(event)
+    if (sessionConfig.saveUninitialized) {
+      session = await newSession(event)
+    } else {
+      // 1. Create an empty session object
+      event.context.session = {}
+      // 2. Create a new session if the object has been modified by any event handler
+      resEndProxy(event.res, async () => {
+        if (Object.keys(event.context.session).length) {
+          await newSession(event, true)
+        }
+      })
+      return null
+    }
   }
 
   event.context.sessionId = session.id

src/runtime/server/middleware/session/resEndProxy.ts

@@ -0,0 +1,14 @@
+import type { ServerResponse } from 'node:http'
+
+type MiddleWare = () => Promise<void>
+
+// Proxy res.end() to get a callback at the end of all event handlers
+export const resEndProxy = (res: ServerResponse, middleWare: MiddleWare) => {
+  const _end = res.end
+
+  // @ts-ignore Replacing res.end() will lead to type checking error
+  res.end = async (chunk: any, encoding: BufferEncoding) => {
+    await middleWare()
+    return _end.call(res, chunk, encoding) as ServerResponse
+  }
+}

src/types.ts

@@ -82,6 +82,14 @@ export interface SessionOptions {
    * @type {SessionIpPinningOptions|boolean}
    */
   ipPinning: SessionIpPinningOptions|boolean,
+  /**
+   * Forces a session that is "uninitialized" to be saved to the store. A session is uninitialized when it is new but not modified.
+   * Choosing false is useful for implementing login sessions, reducing server storage usage, or complying with laws that require permission before setting a cookie.
+   * @default true
+   * @example false
+   * @type boolean
+   */
+  saveUninitialized: boolean
 }
 
 export interface ApiOptions {