[v8] Replace iron-session with iron-webcrypto v2 #1416

Merged
nicknisi merged 7 commits into version-8 from nicknisi/iron-webcrypto
Dec 15, 2025
@nicknisi
Member

Summary

  • Replaces iron-session dependency with direct iron-webcrypto v2.0.0
  • Creates lightweight seal.ts wrapper providing iron-session compatible API
  • Reduces dependency footprint while maintaining backwards compatibility

Changes

  • Add src/common/crypto/seal.ts with sealData and unsealData functions
  • Update package.json to use iron-webcrypto ^2.0.0
  • Update jest.config.cjs to transform ESM-only uint8array-extras dependency
  • Update imports in session and user-management modules

@nicknisi nicknisi requested a review from a team as a code owner December 12, 2025 23:23
@nicknisi nicknisi requested review from awolfden and removed request for a team December 12, 2025 23:23
@greptile-apps
Contributor

greptile-apps bot commented Dec 12, 2025

Greptile Overview

Greptile Summary

Replaces iron-session with direct iron-webcrypto v2.0.0 dependency to reduce package footprint while maintaining backward compatibility.

Key changes:

  • Created src/common/crypto/seal.ts wrapper providing iron-session-compatible API (sealData/unsealData)
  • Added version delimiter (~) to support token migration from v1 to v2 format
  • Updated jest config to transform ESM-only uint8array-extras dependency
  • All imports switched from iron-session to local crypto wrapper

The implementation handles backward compatibility by parsing version suffixes and extracting persistent property for v1 tokens.

Confidence Score: 5/5

  • This PR is safe to merge with no critical issues found
  • Clean dependency migration with proper backward compatibility handling, comprehensive version management, and appropriate error handling. No security concerns detected.
  • No files require special attention

Important Files Changed

File Analysis

| Filename | Score | Overview |
|---|---|---|
| src/common/crypto/seal.ts | 5/5 | New wrapper around iron-webcrypto v2 providing backward-compatible API with version handling for token migration |
| package.json | 5/5 | Replaced iron-session ^8.0.4 with direct dependency on iron-webcrypto ^2.0.0 |
| jest.config.cjs | 5/5 | Updated transformIgnorePatterns to handle iron-webcrypto and uint8array-extras ESM modules |

Sequence Diagram

sequenceDiagram
    participant Client
    participant UserManagement
    participant CookieSession
    participant SealWrapper as seal.ts
    participant IronWebcrypto as iron-webcrypto v2

    Note over Client,IronWebcrypto: Session Creation Flow
    Client->>UserManagement: authenticateWithCode()
    UserManagement->>SealWrapper: sealData(sessionData, {password, ttl})
    SealWrapper->>IronWebcrypto: ironSeal(data, passwordObj, options)
    IronWebcrypto-->>SealWrapper: encrypted seal
    SealWrapper-->>UserManagement: seal + "~2" (version appended)
    UserManagement-->>Client: return sealedSession

    Note over Client,IronWebcrypto: Session Authentication Flow
    Client->>CookieSession: authenticate()
    CookieSession->>SealWrapper: unsealData(encryptedData, {password, ttl})
    SealWrapper->>SealWrapper: parseSeal(encryptedData)
    Note over SealWrapper: Extracts version and seal<br/>Handles v1/v2 compatibility
    SealWrapper->>IronWebcrypto: ironUnseal(sealWithoutVersion, passwordMap)
    IronWebcrypto-->>SealWrapper: decrypted data
    alt tokenVersion === 2
        SealWrapper-->>CookieSession: return data as-is
    else tokenVersion !== null (v1)
        SealWrapper-->>CookieSession: return record.persistent ?? data
    else no version
        SealWrapper-->>CookieSession: return data as-is
    end
    CookieSession->>CookieSession: validate JWT
    CookieSession-->>Client: authentication result

Contributor

@greptile-apps greptile-apps bot left a comment

7 files reviewed, no comments
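
The version-suffix handling summarized in the overview and sequence diagram above, as an added TypeScript example that is not the project's `seal.ts`. `parseSeal` is the name used on the page; `normalizeUnsealed`, the stricter validation (only suffixes `1` and `2` accepted) and the sample strings are assumptions made for illustration.

```typescript
// Added example; not the project's seal.ts. parseSeal is named on the page,
// normalizeUnsealed and the sample strings below are hypothetical.
const VERSION_DELIMITER = "~";
const CURRENT_VERSION = 2;

interface ParsedSeal {
  sealWithoutVersion: string;
  tokenVersion: number | null; // null means the token carried no suffix
}

// The suffix is appended after sealing, so the seal's integrity check does
// not cover it. Parse it strictly and accept only the known versions (1, 2).
function parseSeal(seal: string): ParsedSeal {
  const idx = seal.lastIndexOf(VERSION_DELIMITER);
  if (idx === -1) {
    return { sealWithoutVersion: seal, tokenVersion: null };
  }
  const body = seal.slice(0, idx);
  const suffix = seal.slice(idx + 1);
  // Reject an empty sealed part or more than one delimiter.
  if (body.length === 0 || seal.indexOf(VERSION_DELIMITER) !== idx) {
    throw new Error("malformed seal: unexpected version delimiter");
  }
  if (suffix !== "1" && suffix !== "2") {
    throw new Error("malformed seal: unsupported version suffix");
  }
  return { sealWithoutVersion: body, tokenVersion: Number(suffix) };
}

// Mirrors the three branches in the diagram: v2 and unversioned tokens pass
// through; v1 tokens yield `persistent` when present, else the data itself.
function normalizeUnsealed(data: unknown, tokenVersion: number | null): unknown {
  if (tokenVersion === null || tokenVersion === CURRENT_VERSION) {
    return data;
  }
  if (typeof data === "object" && data !== null) {
    const record = data as { persistent?: unknown };
    return record.persistent ?? data;
  }
  return data;
}

// Constructed inputs: the sealed part is a placeholder, not a real Iron seal.
const parsed = parseSeal("constructed-sealed-bytes~2");
console.log(parsed.sealWithoutVersion, parsed.tokenVersion);
console.log(normalizeUnsealed({ persistent: { user: "u_1" } }, 1));
```
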

Edit Code Review Agent Settings | Greptile

@nicknisi nicknisi changed the title Replace iron-session with iron-webcrypto v2 [v8] Replace iron-session with iron-webcrypto v2 Dec 13, 2025
data =
(await ironUnseal(sealWithoutVersion, passwordMap, {
...defaults,
ttl: ttl * 1000,
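Review bot: `ttl: ttl * 1000` on the last line rescales the caller's value before it reaches `ironUnseal`, but nothing in these lines states which unit the wrapper accepts or guards against `ttl` being undefined, in which case the product is `NaN`. Because it comes after `...defaults`, it also always overrides any `ttl` the defaults carry. Suggest validating or defaulting `ttl` before the multiplication and documenting the unit on the option.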
Contributor

we don't really use ttl do we? i'd be ok with just implementing the interface we need if you want to drop that.

Member Author

Good catch. I'll simplify the interface to just password.

@nicknisi nicknisi force-pushed the nicknisi/iron-webcrypto branch from 311bd00 to 713ee55 Compare December 15, 2025 15:24
@nicknisi nicknisi merged commit f065532 into version-8 Dec 15, 2025
8 checks passed
@nicknisi nicknisi deleted the nicknisi/iron-webcrypto branch December 15, 2025 15:25
nicknisi added a commit that referenced this pull request Dec 16, 2025
## Summary
- Replaces `iron-session` dependency with direct `iron-webcrypto` v2.0.0
- Creates lightweight `seal.ts` wrapper providing iron-session
compatible API
- Reduces dependency footprint while maintaining backwards compatibility

## Changes
- Add `src/common/crypto/seal.ts` with `sealData` and `unsealData`
functions
- Update `package.json` to use `iron-webcrypto` ^2.0.0
- Update `jest.config.cjs` to transform ESM-only `uint8array-extras`
dependency
- Update imports in session and user-management modules
nicknisi added a commit that referenced this pull request Dec 22, 2025
nicknisi added a commit that referenced this pull request Jan 8, 2026
nicknisi added a commit that referenced this pull request Jan 9, 2026
nicknisi added a commit that referenced this pull request Jan 12, 2026