Summary
request.session.reload(callback) appears to rebuild the Session object with the first two constructor arguments in the wrong order.
This affects the callback-style API only. The Promise-style API appears to use the correct argument order.
Affected API
request.session.reload(callback)
The following API is not affected:
await request.session.reload()
What happens
After calling request.session.reload(callback), the internal session store reference can be replaced with the Fastify request object.
Later, when the response lifecycle tries to save the session, the request can fail with HTTP 500:
this[sessionStoreKey].set is not a function
Root cause
The Session constructor expects:
new Session(sessionStore, request, ...)
But the callback branch of reload() passes the first two arguments in the opposite order:
new Session(request, sessionStore, ...)
The Promise branch already passes them in the correct order.
Why this matters
reload() is a public API used to refresh the current request session from the backing session store. The callback version should behave the same as the Promise version.
The impact is limited, but real: users calling reload(callback) can get a 500 response when the session is saved later in the same response lifecycle.
fix
Make the callback branch match the Promise branch:
this[requestKey].session = new Session(
- this[requestKey],
this[sessionStoreKey],
+ this[requestKey],
this[generateId],
this[cookieOptsKey],
this[cookieSignerKey],
session,
this[sessionIdKey]
)
Regression test
A regression test should cover callback-style reload() followed by response-time session saving, for example by using cookie: { secure: false } so the test actually exercises the save path.
I have a fix prepared on my fork here:
https://github.com/0XFF-96/session/tree/codex/fix-reload-callback-session-store
Summary
request.session.reload(callback)appears to rebuild theSessionobject with the first two constructor arguments in the wrong order.This affects the callback-style API only. The Promise-style API appears to use the correct argument order.
Affected API
The following API is not affected:
What happens
After calling
request.session.reload(callback), the internal session store reference can be replaced with the Fastify request object.Later, when the response lifecycle tries to save the session, the request can fail with HTTP 500:
Root cause
The
Sessionconstructor expects:But the callback branch of
reload()passes the first two arguments in the opposite order:The Promise branch already passes them in the correct order.
Why this matters
reload()is a public API used to refresh the current request session from the backing session store. The callback version should behave the same as the Promise version.The impact is limited, but real: users calling
reload(callback)can get a 500 response when the session is saved later in the same response lifecycle.fix
Make the callback branch match the Promise branch:
Regression test
A regression test should cover callback-style
reload()followed by response-time session saving, for example by usingcookie: { secure: false }so the test actually exercises the save path.I have a fix prepared on my fork here:
https://github.com/0XFF-96/session/tree/codex/fix-reload-callback-session-store