From 565947cf477ec7a512036781c629348374ead743 Mon Sep 17 00:00:00 2001
From: Sebastian Rager
Date: Thu, 1 Dec 2022 15:28:18 +0100
Subject: [PATCH 1/5] Make mandatory session properties immutable
---
 .../server/middleware/session/index.ts | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/runtime/server/middleware/session/index.ts b/src/runtime/server/middleware/session/index.ts
index 8659ea9..5894d86 100644
--- a/src/runtime/server/middleware/session/index.ts
+++ b/src/runtime/server/middleware/session/index.ts
@@ -113,6 +113,24 @@ const getSession = async (event: H3Event): Promise => {
 return session
 }
+const getImmutableSession = (session: Session) => {
+ const immutableSession = { ...session }
+
+ Object.defineProperty(immutableSession, 'id', {
+ writable: false
+ })
+
+ Object.defineProperty(immutableSession, 'createdAt', {
+ writable: false
+ })
+
+ Object.defineProperty(immutableSession, 'ip', {
+ writable: false
+ })
+
+ return immutableSession as Session
+}
+
 function isSession (shape: unknown): shape is Session {
 return typeof shape === 'object' && !!shape && 'id' in shape && 'createdAt' in shape
 }
@@ -124,7 +142,7 @@ const ensureSession = async (event: H3Event) => {
 }
 event.context.sessionId = session.id
- event.context.session = session
+ event.context.session = getImmutableSession(session)
 return session
 }
From 91e9fe8eaf7be16762179291db1dfc496c427b3c Mon Sep 17 00:00:00 2001
From: Sebastian Rager
Date: Thu, 1 Dec 2022 15:42:36 +0100
Subject: [PATCH 2/5] Avoid code duplication
---
 src/runtime/server/middleware/session/index.ts | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/src/runtime/server/middleware/session/index.ts b/src/runtime/server/middleware/session/index.ts
index 5894d86..15aac99 100644
--- a/src/runtime/server/middleware/session/index.ts
+++ b/src/runtime/server/middleware/session/index.ts
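Review bot: In `getImmutableSession` (the `@@ -113,6 +113,24 @@` hunk), `writable: false` on `createdAt` fixes only the property binding: `{ ...session }` copies the `Date` by reference, so `event.context.session.createdAt.setTime(0)` would still alter the timestamp, on the original session object as well. If expiry or rotation is computed from `createdAt` (not visible in this hunk), the value stays changeable by any handler. Assuming it is a `Date` at runtime as the type says, expose it through an accessor that hands out a copy, e.g. `Object.defineProperty(immutableSession, 'createdAt', { get: () => new Date(session.createdAt), enumerable: true })`. A comment above the function should also state that the protection is shallow and covers only `id`, `createdAt` and `ip`.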
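Review bot: `ensureSession` (the `@@ -124,7 +142,7 @@` hunk) now puts the guarded copy on `event.context.session` but still ends with `return session`, the original object whose `id`, `createdAt` and `ip` remain writable. Any caller that works with the return value bypasses the new protection, and because the copy is a separate object, top-level writes to one are not seen on the other. Create the copy once and use it for both: `const guarded = getImmutableSession(session)`, `event.context.session = guarded`, `return guarded`. The start of `ensureSession` is outside the hunk, and whether the session is later persisted from the context object or from the original cannot be seen here, so that path should be checked as well.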
@@ -115,17 +115,12 @@ const getSession = async (event: H3Event): Promise => {
 const getImmutableSession = (session: Session) => {
 const immutableSession = { ...session }
+ const properties = ['id', 'createdAt', 'ip']
- Object.defineProperty(immutableSession, 'id', {
- writable: false
- })
-
- Object.defineProperty(immutableSession, 'createdAt', {
- writable: false
- })
-
- Object.defineProperty(immutableSession, 'ip', {
- writable: false
+ properties.forEach((property) => {
+ Object.defineProperty(immutableSession, property, {
+ writable: false
+ })
 })
 return immutableSession as Session
From 5d000e434b7cdc8b9d9ed2a4d461ee1ca7dc2566 Mon Sep 17 00:00:00 2001
From: Sebastian Rager
Date: Mon, 5 Dec 2022 12:50:09 +0100
Subject: [PATCH 3/5] Also prevent changing from writable back to true
---
 src/runtime/server/middleware/session/index.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/runtime/server/middleware/session/index.ts b/src/runtime/server/middleware/session/index.ts
index ac0034f..fb52243 100644
--- a/src/runtime/server/middleware/session/index.ts
+++ b/src/runtime/server/middleware/session/index.ts
@@ -127,7 +127,8 @@ const getImmutableSession = (session: Session) => {
 properties.forEach((property) => {
 Object.defineProperty(immutableSession, property, {
- writable: false
+ writable: false,
+ configurable: false
 })
 })
From 660b6eddc87f6d85ed97655e5e22d9988539055b Mon Sep 17 00:00:00 2001
From: Sebastian Rager
Date: Mon, 5 Dec 2022 12:50:46 +0100
Subject: [PATCH 4/5] Add readonly to session interface properties
---
 src/types.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/types.ts b/src/types.ts
index af9b8ce..a800927 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -183,9 +183,9 @@ export interface ModulePublicRuntimeConfig {
 }
 export declare interface Session {
- id: string;
- createdAt: Date;
- ip?: string;
+ readonly id: string;
+ readonly createdAt: Date;
+ readonly ip?: string;
 [key: string]: any;
 }
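Review bot: For a session that has no `ip` (the interface marks it optional), the `Object.defineProperty` call inside the `forEach` of the `@@ -127,7 +127,8 @@` hunk creates the key instead of locking an existing one. The copy gains a non-enumerable `ip` whose value is `undefined` and can never be assigned afterwards, and `'ip' in session` becomes true. Skip keys the copy does not own by putting `if (!Object.prototype.hasOwnProperty.call(immutableSession, property)) return` at the top of the callback. A short comment there should also say that later assignments to these keys throw a `TypeError` in strict-mode code. `getImmutableSession` begins above the hunk.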
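Review bot: The `readonly` modifiers added to `Session` in the `src/types.ts` hunk are checked at compile time only, and the `[key: string]: any` index signature beside them still accepts a write through a computed `string` key. The property descriptors set in the session middleware therefore remain the actual guard, and the interface should say so. A TSDoc comment on `Session` would cover it, for example `/** id, createdAt and ip are fixed when the session is created; the session middleware also makes them non-writable at runtime. */`.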
From 564cbf508623452c10f5e1aa13e4abae6bbe0732 Mon Sep 17 00:00:00 2001
From: Sebastian Rager
Date: Mon, 5 Dec 2022 13:15:42 +0100
Subject: [PATCH 5/5] Add session type to the h3 event context interface
---
 src/types.ts | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/types.ts b/src/types.ts
index a800927..6b68f25 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -189,3 +189,9 @@ export declare interface Session {
 [key: string]: any;
 }
+
+declare module 'h3' {
+ interface H3EventContext {
+ session: Session
+ }
+}
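Review bot: `session: Session` declares the property as always present on `H3EventContext`, but the value is only assigned once `ensureSession` in the session middleware has run (the `event.context.session = …` line in the first patch). Code that executes before that middleware, or on a route it does not cover, would read `undefined` without any compiler warning; the ordering is not visible on this page, so this is worth confirming. Declaring `session?: Session` would force callers to check before trusting session data. `ensureSession` also writes `event.context.sessionId`, which this augmentation does not declare; `sessionId?: string` would type it alongside.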