
chore(core): Remove deprecated sessionSecret option

Michael Bromley 4 anni fa
d28c18fa93

+ 3 - 1
docs/content/developer-guide/configuration.md

@@ -142,8 +142,10 @@ Example:
 export const config: VendureConfig = {
   authOptions: {
     tokenMethod: 'cookie',
-    sessionSecret: process.env.COOKIE_SESSION_SECRET,
     requireVerification: true,
+    cookieOptions: {
+      secret: process.env.COOKIE_SESSION_SECRET,
+    },
     superadminCredentials: {
       identifier: process.env.SUPERADMIN_USERNAME,
       password: process.env.SUPERADMIN_PASSWORD,

+ 7 - 5
docs/content/storefront/managing-sessions.md

@@ -16,15 +16,17 @@ Using cookies is the simpler approach for browser-based applications, since the
 
     For example, if using a fetch-based client (such as [Apollo client](https://www.apollographql.com/docs/react/recipes/authentication/#cookie)) you would set `credentials: 'include'` or if using [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials), you would set `withCredentials: true`
 
-2. When using cookie-based sessions, you should set the [`authOptions.sessionSecret` property]({{< relref "auth-options" >}}#sessionsecret) to some secret string which will be used to sign the cookies sent to clients to prevent tampering. This string could be hard-coded in your config file, or (better) reside in an environment variable:
+2. When using cookie-based sessions, you should set the [`authOptions.cookieOptions.secret` property]({{< relref "cookie-options" >}}#secret) to some secret string which will be used to sign the cookies sent to clients to prevent tampering. This string could be hard-coded in your config file, or (better) reside in an environment variable:
 
 ```TypeScript
 const config = {
-    // ...
-    authOptions: {
-        tokenMethod: 'cookie',
-        sessionSecret: process.env.COOKIE_SESSION_SECRET
+  // ...
+  authOptions: {
+    tokenMethod: 'cookie',
+    cookieOptions: {
+      secret: process.env.COOKIE_SESSION_SECRET
     }
+  }
 }
 ```
 

+ 2 - 8
packages/core/src/bootstrap.ts

@@ -56,14 +56,8 @@ export async function bootstrap(userConfig: Partial<VendureConfig>): Promise<INe
     DefaultLogger.restoreOriginalLogLevel();
     app.useLogger(new Logger());
     if (config.authOptions.tokenMethod === 'cookie') {
-        const { sessionSecret, cookieOptions } = config.authOptions;
-        app.use(
-            cookieSession({
-                ...cookieOptions,
-                // TODO: Remove once the deprecated sessionSecret field is removed
-                ...(sessionSecret ? { secret: sessionSecret } : {}),
-            }),
-        );
+        const { cookieOptions } = config.authOptions;
+        app.use(cookieSession(cookieOptions));
     }
     await app.listen(port, hostname || '');
     app.enableShutdownHooks();
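Review bot: The new `app.use(cookieSession(cookieOptions));` now relies entirely on `cookieOptions.secret` being populated, but nothing in the hunk checks it; a config that copies the documented `secret: process.env.COOKIE_SESSION_CONFIG`-style pattern with the environment variable unset passes `undefined` here, and whether mergeConfig restores the default secret or cookie-session rejects the missing key is not visible in this hunk. A guard before the call, e.g. `if (!cookieOptions?.secret) { Logger.warn('authOptions.cookieOptions.secret is not set', 'bootstrap'); }`, would make that failure mode explicit instead of leaving it to the library's behaviour. bootstrap() starts and ends outside the hunk.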

+ 0 - 1
packages/core/src/config/default-config.ts

@@ -66,7 +66,6 @@ export const defaultConfig: RuntimeVendureConfig = {
     authOptions: {
         disableAuth: false,
         tokenMethod: 'cookie',
-        sessionSecret: '',
         cookieOptions: {
             secret: Math.random().toString(36).substr(3),
             httpOnly: true,
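Review bot: With `sessionSecret: ''` removed, the `Math.random().toString(36).substr(3)` default on the following context line becomes the only fallback for signing session cookies, and Math.random() is not a cryptographically secure source and yields a short string, so cookies signed under the untouched default are weaker than a reader of this config would assume. The default is also regenerated on every process start, which invalidates all sessions on restart and across multiple instances; if that is intentional as a nudge to set an explicit secret, the CookieOptions docs should say so. If a random default is kept, `secret: randomBytes(32).toString('hex'),` with `randomBytes` imported from 'crypto' is a drop-in replacement, and it also retires the deprecated `substr`.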

+ 6 - 16
packages/core/src/config/vendure-config.ts

@@ -195,7 +195,12 @@ export interface CookieOptions {
 
     /**
      * @description
-     * A string which will be used as single key if keys is not provided.
+     * The secret used for signing the session cookies for authenticated users. Only applies
+     * tokenMethod is set to 'cookie'.
+     *
+     * In production applications, this should not be stored as a string in
+     * source control for security reasons, but may be loaded from an external
+     * file not under source control, or from an environment variable, for example.
      *
      * @default (random character string)
      */
@@ -293,21 +298,6 @@ export interface AuthOptions {
      * @default 'cookie'
      */
     tokenMethod?: 'cookie' | 'bearer';
-    /**
-     * @description
-     * **Deprecated** use `cookieConfig.secret` instead.
-     *
-     * The secret used for signing the session cookies for authenticated users. Only applies when
-     * tokenMethod is set to 'cookie'.
-     *
-     * In production applications, this should not be stored as a string in
-     * source control for security reasons, but may be loaded from an external
-     * file not under source control, or from an environment variable, for example.
-     *
-     * @default 'session-secret'
-     * @deprecated use `cookieConfig.secret` instead
-     */
-    sessionSecret?: string;
     /**
      * @description
      * Options related to the handling of cookies when using the 'cookie' tokenMethod.
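Review bot: The new CookieOptions.secret description in the first hunk reads `Only applies tokenMethod is set to 'cookie'.` and is missing a word; the AuthOptions text removed in the second hunk had the correct phrasing, so the line should be `* The secret used for signing the session cookies for authenticated users. Only applies when`. Removing `sessionSecret?: string` from AuthOptions outright is a breaking change for any config still setting it: TypeScript callers get an excess-property error, but a plain-JS or spread-built config would silently drop its secret and fall back to the random default, so a changelog entry and, ideally, a one-time warning when the stale key is detected at config-merge time would help users notice.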

+ 0 - 1
packages/dev-server/dev-config.ts

@@ -83,7 +83,6 @@ export const devConfig: VendureConfig = {
     authOptions: {
         disableAuth: false,
         tokenMethod: 'cookie',
-        sessionSecret: 'some-secret',
         requireVerification: true,
         customPermissions: [],
     },

+ 3 - 1
packages/testing/src/config/test-config.ts

@@ -35,9 +35,11 @@ export const testConfig: Required<VendureConfig> = mergeConfig(defaultConfig, {
     },
     defaultChannelToken: E2E_DEFAULT_CHANNEL_TOKEN,
     authOptions: {
-        sessionSecret: 'some-secret',
         tokenMethod: 'bearer',
         requireVerification: true,
+        cookieOptions: {
+            secret: 'some-secret',
+        },
     },
     dbConnectionOptions: {
         type: 'sqljs',