From ed3976afaad4f0a571c56486459270adfa70e3b4 Mon Sep 17 00:00:00 2001
From: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
Date: Fri, 1 Aug 2025 22:27:55 +0200
Subject: [PATCH] chore: use express session upstream

---
 pnpm-lock.yaml              | 22 ++++++++++++++++++++++
 src/node/db/SessionStore.ts |  5 +++--
 src/node/hooks/express.ts   |  9 ++++-----
 src/package.json            |  4 +++-
 4 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a5634eebd..5cf1ac270 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -288,9 +288,15 @@ importers:
       '@types/async':
         specifier: ^3.2.24
         version: 3.2.24
+      '@types/cookie-parser':
+        specifier: ^1.4.9
+        version: 1.4.9(@types/express@4.17.21)
       '@types/express':
         specifier: ^4.17.21
         version: 4.17.21
+      '@types/express-session':
+        specifier: ^1.18.2
+        version: 1.18.2
       '@types/formidable':
         specifier: ^3.4.5
         version: 3.4.5
@@ -1751,6 +1757,11 @@ packages:
   '@types/content-disposition@0.5.9':
     resolution: {integrity: sha512-8uYXI3Gw35MhiVYhG3s295oihrxRyytcRHjSjqnqZVDDy/xcGBRny7+Xj1Wgfhv5QzRtN2hB2dVRBUX9XW3UcQ==}
 
+  '@types/cookie-parser@1.4.9':
+    resolution: {integrity: sha512-tGZiZ2Gtc4m3wIdLkZ8mkj1T6CEHb35+VApbL2T14Dew8HA7c+04dmKqsKRNC+8RJPm16JEK0tFSwdZqubfc4g==}
+    peerDependencies:
+      '@types/express': '*'
+
   '@types/cookiejar@2.1.5':
     resolution: {integrity: sha512-he+DHOWReW0nghN24E1WUqM0efK4kI9oTqDm6XmK8ZPe2djZ90BSNdGnIyCLzCPw7/pogPlGbzI2wHGGmi4O/Q==}
 
@@ -1775,6 +1786,9 @@ packages:
   '@types/express-serve-static-core@4.19.6':
     resolution: {integrity: sha512-N4LZ2xG7DatVqhCZzOGb1Yi5lMbXSZcmdLDe9EzSndPV2HpWYWzRbaerl2n27irrm94EPpprqa8KpskPT085+A==}
 
+  '@types/express-session@1.18.2':
+    resolution: {integrity: sha512-k+I0BxwVXsnEU2hV77cCobC08kIsn4y44C3gC0b46uxZVMaXA04lSPgRLR/bSL2w0t0ShJiG8o4jPzRG/nscFg==}
+
   '@types/express@4.17.21':
     resolution: {integrity: sha512-ejlPM315qwLpaQlQDTjPdsUFSc6ZsP4AN6AlWnogPjQ7CVi7PYF3YVz+CY3jE2pwYf7E/7HlDAN0rV2GxTG0HQ==}
 
@@ -6414,6 +6428,10 @@ snapshots:
 
   '@types/content-disposition@0.5.9': {}
 
+  '@types/cookie-parser@1.4.9(@types/express@4.17.21)':
+    dependencies:
+      '@types/express': 4.17.21
+
   '@types/cookiejar@2.1.5': {}
 
   '@types/cookies@0.9.1':
@@ -6444,6 +6462,10 @@ snapshots:
       '@types/range-parser': 1.2.7
       '@types/send': 0.17.4
 
+  '@types/express-session@1.18.2':
+    dependencies:
+      '@types/express': 4.17.21
+
   '@types/express@4.17.21':
     dependencies:
       '@types/body-parser': 1.19.5
diff --git a/src/node/db/SessionStore.ts b/src/node/db/SessionStore.ts
index ab652860f..15eb5a971 100644
--- a/src/node/db/SessionStore.ts
+++ b/src/node/db/SessionStore.ts
@@ -1,4 +1,5 @@
-'use strict';
+// @ts-nocheck
+
 
 const DB = require('./DB');
 import expressSession from 'express-session'
@@ -20,7 +21,7 @@ class SessionStore extends expressSession.Store {
    *     Etherpad is restarted. Use `null` to prevent `touch()` from ever updating the record.
    *     Ignored if the cookie does not expire.
    */
-  constructor(refresh = null) {
+  constructor(refresh: number | null = null) {
     super();
     this._refresh = refresh;
     // Maps session ID to an object with the following properties:
diff --git a/src/node/hooks/express.ts b/src/node/hooks/express.ts
index 0b0d10c97..633a85ae8 100644
--- a/src/node/hooks/express.ts
+++ b/src/node/hooks/express.ts
@@ -4,11 +4,10 @@ import {Socket} from "node:net";
 import type {MapArrayType} from "../types/MapType";
 
 import _ from 'underscore';
-// @ts-ignore
 import cookieParser from 'cookie-parser';
 import events from 'events';
 import express from 'express';
-import expressSession from 'express-session';
+import expressSession, {Store} from 'express-session';
 import fs from 'fs';
 const hooks = require('../../static/js/pluginfw/hooks');
 import log4js from 'log4js';
@@ -23,7 +22,7 @@ import SecretRotator from '../security/SecretRotator';
 let secretRotator: SecretRotator|null = null;
 const logger = log4js.getLogger('http');
 let serverName:string;
-let sessionStore: { shutdown: () => void; } | null;
+let sessionStore: Store | null;
 const sockets:Set<Socket> = new Set();
 const socketsEvents = new events.EventEmitter();
 const startTime = stats.settableGauge('httpStartTime');
@@ -58,6 +57,7 @@ const closeServer = async () => {
     startTime.setValue(0);
     logger.info('HTTP server closed');
   }
+  // @ts-ignore
   if (sessionStore) sessionStore.shutdown();
   sessionStore = null;
   if (secretRotator) secretRotator.stop();
@@ -197,10 +197,9 @@ exports.restartServer = async () => {
 
   sessionStore = new SessionStore(settings.cookie.sessionRefreshInterval);
   exports.sessionMiddleware = expressSession({
-    propagateTouch: true,
     rolling: true,
     secret,
-    store: sessionStore,
+    store: sessionStore ?? undefined,
     resave: false,
     saveUninitialized: false,
     // Set the cookie name to a javascript identifier compatible string. Makes code handling it
diff --git a/src/package.json b/src/package.json
index e77570f2e..2e359ff02 100644
--- a/src/package.json
+++ b/src/package.json
@@ -30,7 +30,6 @@
     }
   ],
   "dependencies": {
-    "express-session": "^1.18.2",
     "async": "^3.2.6",
     "axios": "^1.10.0",
     "cookie-parser": "^1.4.7",
@@ -40,6 +39,7 @@
     "esbuild": "^0.25.8",
     "express": "4.21.2",
     "express-rate-limit": "^8.0.0",
+    "express-session": "^1.18.2",
     "fast-deep-equal": "^3.1.3",
     "find-root": "1.1.0",
     "formidable": "^3.5.4",
@@ -85,7 +85,9 @@
   "devDependencies": {
     "@playwright/test": "^1.54.1",
     "@types/async": "^3.2.24",
+    "@types/cookie-parser": "^1.4.9",
     "@types/express": "^4.17.21",
+    "@types/express-session": "^1.18.2",
     "@types/formidable": "^3.4.5",
     "@types/http-errors": "^2.0.5",
     "@types/jquery": "^3.5.32",