From 350f6e992ee1735aecb938b793dab1f969ea1f00 Mon Sep 17 00:00:00 2001
From: Mike
Date: Wed, 11 Sep 2019 09:59:52 +1000
Subject: [PATCH 1/6] Add cookieMaxAge and secureCookies options
---
 packages/keystone/lib/Keystone/index.js | 13 +++++++++++--
 packages/session/lib/session.js | 10 +++++++++-
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/packages/keystone/lib/Keystone/index.js b/packages/keystone/lib/Keystone/index.js
index f5edadc6b58..1f0b6974198 100644
--- a/packages/keystone/lib/Keystone/index.js
+++ b/packages/keystone/lib/Keystone/index.js
@@ -44,6 +44,8 @@ module.exports = class Keystone {
 onConnect,
 cookieSecret = 'qwerty',
 sessionStore,
+ secureCookies = process.env.NODE_ENV === 'production', // Default to true in production
+ cookieMaxAge = process.env.NODE_ENV === 'production' ? 1000 * 60 * 60 * 24 : null,
 }) {
 this.name = name;
 this.adapterConnectOptions = adapterConnectOptions;
@@ -57,8 +59,9 @@ module.exports = class Keystone {
 this._extendedMutations = [];
 this._graphQLQuery = {};
 this._cookieSecret = cookieSecret;
+ this._secureCookies = secureCookies;
+ this._cookieMaxAge = cookieMaxAge;
 this._sessionStore = sessionStore;
- this.registeredTypes = new Set();
 this.eventHandlers = { onConnect };
 if (adapters) {
@@ -544,7 +547,13 @@ module.exports = class Keystone {
 // Used by other middlewares such as authentication strategies. Important
 // to be first so the methods added to `req` are available further down
 // the request pipeline.
- commonSessionMiddleware(this, this._cookieSecret, this._sessionStore),
+ commonSessionMiddleware({
+ keystone: this,
+ cookieSecret: this._cookieSecret,
+ sessionStore: this.sessionStore,
+ secureCookies: this._secureCookies,
+ cookieMaxAge: this._cookieMaxAge,
+ }),
 ...(await Promise.all(
 [
 // Inject any field middlewares (eg; WYSIWIG's static assets)
diff --git a/packages/session/lib/session.js b/packages/session/lib/session.js
index 9c06776bd6b..cfd811d0821 100644
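Review bot: `sessionStore: this.sessionStore` in the new `commonSessionMiddleware({...})` call reads a property the class never assigns; the option is stored as `this._sessionStore` (hunk @@ -57 above, and again in the PATCH 5/6 hunk), so the configured store is silently dropped and express-session falls back to its default MemoryStore, which is per-process and which express-session itself warns is not meant for production. The line should read `sessionStore: this._sessionStore,`, in line with the `_cookieSecret`, `_secureCookies` and `_cookieMaxAge` properties beside it. The middleware array this call sits in starts and ends outside the hunk.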
--- a/packages/session/lib/session.js
+++ b/packages/session/lib/session.js
@@ -2,7 +2,13 @@ const cookieSignature = require('cookie-signature');
 const expressSession = require('express-session');
 const cookie = require('cookie');
-const commonSessionMiddleware = (keystone, cookieSecret, sessionStore) => {
+const commonSessionMiddleware = ({
+ keystone,
+ cookieSecret,
+ sessionStore,
+ secureCookies,
+ cookieMaxAge,
+}) => {
 const COOKIE_NAME = 'keystone.sid';
 // We have at least one auth strategy
@@ -50,7 +56,9 @@ const commonSessionMiddleware = (keystone, cookieSecret, sessionStore) => {
 resave: false,
 saveUninitialized: false,
 name: COOKIE_NAME,
+ cookie: { secure: secureCookies },
 store: sessionStore,
+ maxAge: cookieMaxAge,
 });
 return [injectAuthCookieMiddleware, sessionMiddleware, populateAuthedItemMiddleware(keystone)];
From 18b8ebecc4a00a7a7588c4a93615705258f8df7d Mon Sep 17 00:00:00 2001
From: Mike
Date: Wed, 11 Sep 2019 10:09:21 +1000
Subject: [PATCH 2/6] add changeset
---
 .changeset/smooth-pumpkins-deliver/changes.json | 7 +++++++
 .changeset/smooth-pumpkins-deliver/changes.md | 11 +++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 .changeset/smooth-pumpkins-deliver/changes.json
 create mode 100644 .changeset/smooth-pumpkins-deliver/changes.md
diff --git a/.changeset/smooth-pumpkins-deliver/changes.json b/.changeset/smooth-pumpkins-deliver/changes.json
new file mode 100644
index 00000000000..00f2789df42
--- /dev/null
+++ b/.changeset/smooth-pumpkins-deliver/changes.json
@@ -0,0 +1,7 @@
+{
+ "releases": [
+ { "name": "@keystone-alpha/keystone", "type": "minor" },
+ { "name": "@keystone-alpha/session", "type": "minor" }
+ ],
+ "dependents": []
+}
diff --git a/.changeset/smooth-pumpkins-deliver/changes.md b/.changeset/smooth-pumpkins-deliver/changes.md
new file mode 100644
index 00000000000..19b841b1d4e
--- /dev/null
+++ b/.changeset/smooth-pumpkins-deliver/changes.md
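Review bot: The new destructured signature of `commonSessionMiddleware` has no JSDoc and gives `secureCookies` and `cookieMaxAge` no defaults, so a caller that omits them hands `undefined` straight through to the express-session cookie settings; since this is the breaking API change the changeset later marks as major, the contract deserves to be written down at the definition. I would add a JSDoc block above the `const` naming each option: `keystone` and `sessionStore` required, `cookieSecret` the signing secret, `secureCookies` mapped to the cookie `secure` flag so the session cookie is only sent over HTTPS, and `cookieMaxAge` the cookie lifetime in milliseconds. The function body continues outside the hunk.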
@@ -0,0 +1,11 @@
+Adds a `cookieMaxAge` and `secureCookies` option to the keystone constructor.
+
+These will default to 1 day and `true` in production. Or `null` and `false` in other environments.
+
+### Usage
+```javascript
+const keystone = new Keystone({
+ cookieMaxAge: 1000 * 60 * 60 * 24 * 7, // 1 week
+ secureCookies: true,
+});
+```
\ No newline at end of file
From c207fbbdbeb6eaad4221a2d8598ef76cae428241 Mon Sep 17 00:00:00 2001
From: Mike
Date: Wed, 11 Sep 2019 10:15:24 +1000
Subject: [PATCH 3/6] Change the default cookie max age
---
 .changeset/smooth-pumpkins-deliver/changes.md | 2 +-
 packages/keystone/lib/Keystone/index.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.changeset/smooth-pumpkins-deliver/changes.md b/.changeset/smooth-pumpkins-deliver/changes.md
index 19b841b1d4e..37e6b318d76 100644
--- a/.changeset/smooth-pumpkins-deliver/changes.md
+++ b/.changeset/smooth-pumpkins-deliver/changes.md
@@ -1,6 +1,6 @@
 Adds a `cookieMaxAge` and `secureCookies` option to the keystone constructor.
-These will default to 1 day and `true` in production. Or `null` and `false` in other environments.
+These will default to 30 days for `cookieMaxAge` and `true` in production `false` in other environments for `secureCookies`.
 ### Usage
 ```javascript
diff --git a/packages/keystone/lib/Keystone/index.js b/packages/keystone/lib/Keystone/index.js
index 1f0b6974198..19cae865795 100644
--- a/packages/keystone/lib/Keystone/index.js
+++ b/packages/keystone/lib/Keystone/index.js
@@ -45,7 +45,7 @@ module.exports = class Keystone {
 cookieSecret = 'qwerty',
 sessionStore,
 secureCookies = process.env.NODE_ENV === 'production', // Default to true in production
- cookieMaxAge = process.env.NODE_ENV === 'production' ? 1000 * 60 * 60 * 24 : null,
+ cookieMaxAge = 1000 * 60 * 60 * 24 * 30, // 30 days
 }) {
 this.name = name;
 this.adapterConnectOptions = adapterConnectOptions;
From c427297a381b04d5a3a9989791688a52edecbfd2 Mon Sep 17 00:00:00 2001
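Review bot: The `// 30 days` comment on the new `cookieMaxAge` default should say what the number is and where it applies, because the line just above still keys `secureCookies` on `NODE_ENV` while this default no longer does: `cookieMaxAge = 1000 * 60 * 60 * 24 * 30, // 30 days in ms; session cookie lifetime, same in every environment`. Thirty days is a long-lived credential for an admin session, so the changeset is also worth a sentence saying that deployments can pass a shorter value, or `null` for a browser-session cookie. Whether the browser cookie is extended on activity depends on express-session's `rolling` setting, which none of the visible hunks set. The constructor continues outside the hunk.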
From: Mike
Date: Wed, 11 Sep 2019 10:20:06 +1000
Subject: [PATCH 4/6] update changeset
---
 .changeset/smooth-pumpkins-deliver/changes.json | 2 +-
 .changeset/smooth-pumpkins-deliver/changes.md | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.changeset/smooth-pumpkins-deliver/changes.json b/.changeset/smooth-pumpkins-deliver/changes.json
index 00f2789df42..4e6257633fd 100644
--- a/.changeset/smooth-pumpkins-deliver/changes.json
+++ b/.changeset/smooth-pumpkins-deliver/changes.json
@@ -1,7 +1,7 @@
 {
 "releases": [
 { "name": "@keystone-alpha/keystone", "type": "minor" },
- { "name": "@keystone-alpha/session", "type": "minor" }
+ { "name": "@keystone-alpha/session", "type": "major" }
 ],
 "dependents": []
 }
diff --git a/.changeset/smooth-pumpkins-deliver/changes.md b/.changeset/smooth-pumpkins-deliver/changes.md
index 37e6b318d76..8c815504991 100644
--- a/.changeset/smooth-pumpkins-deliver/changes.md
+++ b/.changeset/smooth-pumpkins-deliver/changes.md
@@ -8,4 +8,6 @@ const keystone = new Keystone({
 cookieMaxAge: 1000 * 60 * 60 * 24 * 7, // 1 week
 secureCookies: true,
 });
-```
\ No newline at end of file
+```
+
+Note: `commonSessionMiddleware` now accepts a config object rather than multiple arguments.
\ No newline at end of file
From 093bd7943b8238aea1b5dce6b1443445b8656847 Mon Sep 17 00:00:00 2001
From: Mike
Date: Wed, 11 Sep 2019 11:06:15 +1000
Subject: [PATCH 5/6] Fix registered types
---
 packages/keystone/lib/Keystone/index.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/packages/keystone/lib/Keystone/index.js b/packages/keystone/lib/Keystone/index.js
index 19cae865795..2e8ab6b2be7 100644
--- a/packages/keystone/lib/Keystone/index.js
+++ b/packages/keystone/lib/Keystone/index.js
@@ -63,6 +63,8 @@ module.exports = class Keystone {
 this._cookieMaxAge = cookieMaxAge;
 this._sessionStore = sessionStore;
 this.eventHandlers = { onConnect };
+ this._sessionStore = sessionStore;
+ this.registeredTypes = new Set();
 if (adapters) {
 this.adapters = adapters;
From 69a31965b5c44ce7850f9217d6c8f381fbc11e4b Mon Sep 17 00:00:00 2001
From: Mike
Date: Wed, 11 Sep 2019 11:39:48 +1000
Subject: [PATCH 6/6] fix bug setting max age
---
 packages/session/lib/session.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/packages/session/lib/session.js b/packages/session/lib/session.js
index cfd811d0821..93ffa273f68 100644
--- a/packages/session/lib/session.js
+++ b/packages/session/lib/session.js
@@ -56,9 +56,8 @@ const commonSessionMiddleware = ({
 resave: false,
 saveUninitialized: false,
 name: COOKIE_NAME,
- cookie: { secure: secureCookies },
+ cookie: { secure: secureCookies, maxAge: cookieMaxAge },
 store: sessionStore,
- maxAge: cookieMaxAge,
 });
 return [injectAuthCookieMiddleware, sessionMiddleware, populateAuthedItemMiddleware(keystone)];
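Review bot: The added `this._sessionStore = sessionStore;` duplicates the identical assignment two context lines above it, so only `this.registeredTypes = new Set();` does anything here; drop the first added line. It also leaves untouched the middleware call site from PATCH 1/6 (hunk @@ -544) that passes `sessionStore: this.sessionStore`, which still reads a property this constructor never assigns. The constructor continues outside the hunk.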
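Review bot: With `secure: secureCookies` defaulting to true in production, express-session will not set the cookie when the app sits behind a TLS-terminating proxy unless the Express app trusts the proxy (`app.set('trust proxy', 1)`) or the session's `proxy: true` option is given; neither appears in the visible hunks, so in that common deployment the login cookie would silently never reach the browser. I would record this next to the cookie block, `// secure cookies need 'trust proxy' (or proxy: true) behind a TLS-terminating proxy`, and consider making the remaining attributes explicit, e.g. `cookie: { secure: secureCookies, maxAge: cookieMaxAge, httpOnly: true, sameSite: 'lax' },`, where `httpOnly: true` is already express-session's default but `sameSite` is not and would need checking against any cross-site login flows the project supports. The `expressSession({...})` call starts outside the hunk.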