Implements secure session management with JWT tokens, Redis storage, refresh flows, and proper cookie configuration. Use when building authentication systems, managing user sessions, or implementing secure logout functionality.
Implements secure session management with JWT tokens, Redis storage, refresh flows, and proper cookie configuration.
/plugin marketplace add secondsky/claude-skills/plugin install session-management@claude-skillsThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Implement secure session management with proper token handling and storage.
const jwt = require('jsonwebtoken');
function generateTokens(user) {
const accessToken = jwt.sign(
{ userId: user.id, role: user.role, type: 'access' },
process.env.JWT_SECRET,
{ expiresIn: '1h' }
);
const refreshToken = jwt.sign(
{ userId: user.id, type: 'refresh' },
process.env.REFRESH_SECRET,
{ expiresIn: '7d' }
);
return { accessToken, refreshToken };
}
const redis = require('redis');
const client = redis.createClient();
class SessionStore {
async create(userId, sessionData) {
const sessionId = crypto.randomUUID();
await client.hSet(`sessions:${userId}`, sessionId, JSON.stringify({
...sessionData,
createdAt: Date.now()
}));
await client.expire(`sessions:${userId}`, 86400 * 7);
return sessionId;
}
async invalidateAll(userId) {
await client.del(`sessions:${userId}`);
}
}
app.use(session({
name: 'session',
secret: process.env.SESSION_SECRET,
cookie: {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
maxAge: 3600000, // 1 hour
domain: '.example.com'
},
resave: false,
saveUninitialized: false
}));
app.post('/auth/refresh', async (req, res) => {
const { refreshToken } = req.cookies;
try {
const payload = jwt.verify(refreshToken, process.env.REFRESH_SECRET);
if (payload.type !== 'refresh') throw new Error('Invalid token type');
const user = await User.findById(payload.userId);
const tokens = generateTokens(user);
res.cookie('accessToken', tokens.accessToken, cookieOptions);
res.json({ success: true });
} catch (err) {
res.status(401).json({ error: 'Invalid refresh token' });
}
});