atinux · Gerbuuun · Mar 11, 2024
diff --git a/src/runtime/composables/session.ts b/src/runtime/composables/session.ts
@@ -1,7 +1,7 @@
 import { useState, computed, useRequestFetch } from '#imports'
-import type { UserSession, UserSessionComposable } from '#auth-utils'
+import type { PublicSessionData, UserSessionComposable } from '#auth-utils'
 
-const useSessionState = () => useState<UserSession>('nuxt-session', () => ({}))
+const useSessionState = () => useState<PublicSessionData>('nuxt-session', () => ({}))
 
 export function useUserSession(): UserSessionComposable  {
   const sessionState = useSessionState()

diff --git a/src/runtime/server/api/session.get.ts b/src/runtime/server/api/session.get.ts
@@ -6,5 +6,5 @@ export default eventHandler(async (event) => {
 
   await sessionHooks.callHookParallel('fetch', session, event)
 
-  return session
+  return session.public
 })
diff --git a/src/runtime/server/utils/session.ts b/src/runtime/server/utils/session.ts
@@ -3,7 +3,8 @@ import { useSession, createError } from 'h3'
 import { defu } from 'defu'
 import { createHooks } from 'hookable'
 import { useRuntimeConfig } from '#imports'
-import type { User, UserSession } from '#auth-utils'
+import type { PrivateSessionData, PublicSessionData } from '#auth-utils'
+import type { ActiveUserSession, UserSession } from '../../types/session'
 
 export interface SessionHooks {
   /**
@@ -23,29 +24,32 @@ export const sessionHooks = createHooks<SessionHooks>()
 export async function getUserSession (event: H3Event) {
   return (await _useSession(event)).data
 }
+
 /**
  * Set a user session
  * @param event
- * @param data User session data, please only store public information since it can be decoded with API calls
+ * @param publicData User session data, please only store public information since it can be decoded with API calls
+ * @param privateData Private session data, only accessible by calling `getUserSession` or `requireUserSession` on the server
  */
-export async function setUserSession (event: H3Event, data: UserSession) {
+export async function setUserSession (event: H3Event, publicData: PublicSessionData, privateData: PrivateSessionData) {
   const session = await _useSession(event)
 
-  await session.update(defu(data, session.data))
+  await session.update(defu(Object.assign(privateData, { public: publicData }), session.data))
 
   return session.data
 }
 
 /**
  * Replace a user session
  * @param event
- * @param data User session data, please only store public information since it can be decoded with API calls
+ * @param publicData User session data, please only store public information since it can be decoded with API calls
+ * @param privateData Private session data, only accessible by calling `getUserSession` or `requireUserSession` on the server
  */
-export async function replaceUserSession (event: H3Event, data: UserSession) {
+export async function replaceUserSession (event: H3Event, publicData: PublicSessionData, privateData: PrivateSessionData) {
   const session = await _useSession(event)
 
   await session.clear()
-  await session.update(data)
+  await session.update(Object.assign(privateData, { public: publicData }))
 
   return session.data
 }
@@ -59,17 +63,17 @@ export async function clearUserSession (event: H3Event) {
   return true
 }
 
-export async function requireUserSession(event: H3Event): Promise<UserSession & { user: User }> {
-  const userSession = await getUserSession(event)
+export async function requireUserSession(event: H3Event): Promise<ActiveUserSession> {
+  const userSession = await getUserSession(event) || { public: {}}
 
-  if (!userSession.user) {
+  if (!userSession.public.user) {
     throw createError({
       statusCode: 401,
       message: 'Unauthorized'
     })
   }
 
-  return userSession as UserSession & { user: User }
+  return userSession as ActiveUserSession
 }
 
 let sessionConfig: SessionConfig

diff --git a/src/runtime/types/index.ts b/src/runtime/types/index.ts
@@ -1,2 +1,2 @@
-export type { User, UserSession, UserSessionComposable } from './session'
+export type { PrivateSessionData, PublicSessionData, User, UserSessionComposable } from './session'
 export type { OAuthConfig } from './oauth-config'
diff --git a/src/runtime/types/session.ts b/src/runtime/types/session.ts
@@ -3,14 +3,27 @@ import type { ComputedRef, Ref } from 'vue'
 export interface User {
 }
 
-export interface UserSession {
+export interface PublicSessionData {
   user?: User
 }
 
+export interface PrivateSessionData {
+}
+
+export interface UserSession extends PrivateSessionData {
+  public: PublicSessionData
+}
+
+export interface ActiveUserSession extends UserSession {
+  public: { 
+    user: User
+  }
+}
+
 export interface UserSessionComposable {
   loggedIn: ComputedRef<boolean>
   user: ComputedRef<User | null>
-  session: Ref<UserSession>,
+  session: Ref<PublicSessionData>,
   fetch: () => Promise<void>,
   clear: () => Promise<void>
 }