import type { RequestHandler } from 'express'; /** * DI token for the user-portal `express-session` middleware. Resolved * once at bootstrap (`main.ts`) and mounted with `app.use(...)` * after `cookie-parser` so cookies are already parsed when the * session middleware reads the session id. * * Carries the `portal_session` / `__Host-portal_session` cookie and * persists payloads under the `session:` Redis prefix. Bound to * every path EXCEPT `/api/admin/*` by the dispatch in `main.ts`. * * Usage: * const session = app.get(SESSION_MIDDLEWARE); * app.use(session); */ export const SESSION_MIDDLEWARE = 'SESSION_MIDDLEWARE'; /** * DI token for the admin-portal `express-session` middleware. Same * underlying `express-session` + `connect-redis` plumbing as * {@link SESSION_MIDDLEWARE}, but configured for the admin surface * per ADR-0020 §"Sessions — distinct from `portal-shell`": * * - Cookie name: `portal_admin_session` / `__Host-portal_admin_session`. * - Redis key prefix: `session:admin:`. * - Same idle / absolute TTL policy (ADR-0010); admin tightening * can come later through env without code changes. * * Bound to `/api/admin/*` only by the dispatch in `main.ts`. Signing * into one surface does NOT sign the user into the other — Entra * SSO at the IdP level still preserves a click-through experience. */ export const ADMIN_SESSION_MIDDLEWARE = 'ADMIN_SESSION_MIDDLEWARE'; /** * DI token for the absolute-timeout middleware (per ADR-0010 §"TTL * policy"). Resolved at bootstrap and mounted in `main.ts` * immediately after {@link SESSION_MIDDLEWARE} so it runs on every * request that carries a session cookie. */ export const SESSION_ABSOLUTE_TIMEOUT_MIDDLEWARE = 'SESSION_ABSOLUTE_TIMEOUT_MIDDLEWARE'; export type { RequestHandler };