Does Lucia have a built in function for deleting invalidated sessions?

[unovil]

Hi. I'm not fully grasping the concept of sessions, but I do notice that when I invalidate the user's current session through lucia.invalidateSession(sessionId), the session stays in the database, not deleted. I would have to wait until the session expires before I can remove it with lucia.deleteExpiredSessions(). Moreover, if the user then decides to sign in/sign up, a new session would be created. If the user signs in and out hundreds of times (or maybe, just tens of users tens of times), the session records would add up quickly, leading to a mess.

Is there a built in function that Lucia has that would delete the session record from the database after it's invalidated? Or would I have to implement it manually?

Thanks a lot.

EDIT: A few were asking about the adapter I'm using. I'm using the Prisma adapter.
Here's my lib/server/auth.ts:

import { Lucia } from "lucia";
import { dev } from "$app/environment";
import { PrismaAdapter } from "@lucia-auth/adapter-prisma";
import db from "$lib/prisma";

import { Prisma, UserRole, type School, type Admin, type Student } from "@prisma/client";

const adapter = new PrismaAdapter(db.session, db.user)

export const lucia = new Lucia(adapter, {
	sessionCookie: {
		attributes: {
			secure: !dev
		}
	},
	getUserAttributes: (attributes) => {
		return {
			// attributes has the type of DatabaseUserAttributes
			...attributes
		};
	}
});

declare module "lucia" {
	interface Register {
		Lucia: typeof lucia;
		DatabaseUserAttributes: DatabaseUserAttributes;
	}
}

interface DatabaseUserAttributes {
	email: string;
	firstName: string;
	lastName: string;
	role: UserRole;
	school: School | null;
	admin: Admin | null;
	student: Student | null;
	schoolId: number | null;
}

Here is routes/+page.server.ts where invalidateSession() is used:

import type { PageServerLoad } from './$types'
import { redirect, type Actions } from '@sveltejs/kit';
import { lucia } from '$lib/server/auth';

export const load: PageServerLoad = async (event) => {
    console.log(event.locals.user);

    return {
        username: event.locals?.user?.firstName + " " + event.locals?.user?.lastName,
        isLoggedIn: event.locals.user ? true : false
    };
};

export const actions = {
    default: async (event) => {
        const cookieHeader = event.cookies.get("auth_session") ?? "";
        const sessionId = lucia.readSessionCookie(cookieHeader) ?? "";

        await lucia.invalidateSession(sessionId);

        event.cookies.delete("auth_session", {path:"/"});
        event.locals.user = null;
        event.locals.session = null;

        redirect(302, "/");
    }
} satisfies Actions;

And here is my folder structure, if needed.

src
├── components
├── lib
│   ├── components
│   │   ├── adder.test.ts
│   │   └── adder.ts
│   ├── server
│   │   └── auth.ts
│   ├── index.ts
│   └── prisma.ts
├── routes
│   ├── dashboard
│   │   ├── +page.server.ts
│   │   └── +page.svelte
│   ├── login
│   │   ├── +page.server.ts
│   │   └── +page.svelte
│   ├── register
│   │   ├── +page.server.ts
│   │   └── +page.svelte
│   ├── +layout.svelte
│   ├── +page.server.ts
│   └── +page.svelte
├── app.css
├── app.d.ts
├── app.html
├── hooks.server.ts
└── setupTests.ts

[matimusss]

I think that any control implementation over repeated logins/registers in short periods of time (typical DDOS countermeasures) would do the trick, furthermore, maybe you could use that sessions that are not immediately deleted to control it, even thought there are other ways to achieve it.

[noxify]

Sessions should be deleted while running invalidateSession.

Which database adapter are you using?

[unovil]

I'm using the Prisma adapter. I also updated the post to add more info.

[pilcrowonpaper]

Yeah seems like an issue with the adapter you're using. invalidateSession() works by deleting the session from your db

[unovil]

Weird, I'm not getting the response from using the Prisma adapter. (I updated the post to add more context)

[unovil]

I've diagnosed the issue. It seems Lucia is not invalidating any session because sessionId is blank. cookieHeader does contain the cookie header, but lucia.readSessionCookie(cookieHeader) returns a null value. I don't know why.

[unovil]

export const actions = {
    default: async (event) => {
        const cookieHeader = event.cookies.get("auth_session") ?? "";
        const sessionId = lucia.readSessionCookie(cookieHeader) ?? "";
        console.log(`Lucia read this: ${lucia.readSessionCookie(cookieHeader)}`)
        console.log(`Cookie id is: ${cookieHeader}`);
        console.log(`Session id is: ${sessionId}`);

This gives the result:

Lucia read this: null
Cookie id is: 0ekdzte5gpop8bl8c2juyasff0rnhkl47w4vs7r8
Session id is:

btw, this is the logic that adds the session record to the database in the first place:

import db from '$lib/prisma'
import type { Actions } from "@sveltejs/kit";
import type { PageServerLoad } from './$types';
import { fail, redirect } from '@sveltejs/kit';
import { lucia } from "$lib/server/auth";
import { Argon2id } from "oslo/password";

export const load: PageServerLoad = async (event) => {
	if (event.locals.user) {
		redirect(302, "/dashboard");
	}
};

export const actions = {
    default: async ({ request, cookies }) => {
        const formData = await request.formData();
        const email = formData.get("email");
        const password = formData.get("password");
        
        // data validation

        const user = await db.user.findUnique({
            where: {
                email: email.trim().toLowerCase() as string
            }
        });

        if (!user) return fail(400, {
            invalidUser: true,
            error: "User not found. Type your email correctly, or register first."
        });

        console.log("User found:", user);

        // more validation...

        const session = await lucia.createSession(user.id, {}); // succeeds
        const sessionCookie = lucia.createSessionCookie(session.id); // succeeds
	cookies.set(sessionCookie.name, sessionCookie.value, {
		path: ".",
		...sessionCookie.attributes
	}); // succeeds

        redirect(302, "/dashboard");
    }
} satisfies Actions;

[pilcrowonpaper]

I mean like the Cookie HTTP header. event.request.headers.get("Cookie")

[unovil]

Lucia read this: null
Cookie id is: 0ekdzte5gpop8bl8c2juyasff0rnhkl47w4vs7r8
Cookie HTTP header is: auth_session=0ekdzte5gpop8bl8c2juyasff0rnhkl47w4vs7r8
Session id is:

used what you said, event.request.headers.get("Cookie")

[pilcrowonpaper]

Like, can you copy-paste the return value of event.request.headers.get("Cookie")?

[unovil]

yeah, that was it.
event.request.headers.get("Cookie") returns auth_session=0ekdzte5gpop8bl8c2juyasff0rnhkl47w4vs7r8

[noxify]

Tested it quickly with our internal app ( next14+lucia3+prisma ).

Our Logout action is the following:

"use server"

import { cookies } from "next/headers"
import { redirect } from "next/navigation"

import { auth, lucia } from "@acme/auth"

export async function logoutAction(): Promise<ActionResult> {
  const { session } = await auth()
  if (!session) {
    return {
      error: "Unauthorized",
    }
  }

  await lucia.invalidateSession(session.id)

  const sessionCookie = lucia.createBlankSessionCookie()
  cookies().set(
    sessionCookie.name,
    sessionCookie.value,
    sessionCookie.attributes,
  )
  return redirect("/auth")
}

The auth method is identical to: https://github.com/noxify/t3-turbo-lucia/blob/main/packages/auth/src/index.ts#L36-L68

But based on your code, it seems you're doing the same

[unovil]

const cookieHeader = event.cookies.get("auth_session") ?? "";
const sessionId = lucia.readSessionCookie(cookieHeader) ?? "";

await lucia.invalidateSession(sessionId);

I figured out the answer. It turns out that the cookie I was getting from auth_session was already the id that invalidateSession() needed. readSessionCookie() is not needed anymore, I can pass the cookie value directly into invalidateSession().

Fixed code:

const cookieHeader = event.cookies.get("auth_session") ?? "";

await lucia.invalidateSession(cookieHeader); // succeeds