What's Changed

Do not create a session if no cookie was provided by @czechboy0 in #3372

Summary

When using SessionsMiddleware and a custom AsyncSessionAuthenticator together, we were seeing that even in cases when no cookie is provided in the request, and no error was thrown by e.g. a guard middleware or the handler, we were still seeing a set-cookie header in the response, which isn’t desired.

This lead to many sessions created in the sessions driver for calls that didn’t require authentication, nor did it provide any.

This seemed to be a side effect of the way AsyncSessionAuthenticator checked if the session already contained an authenticated value - by using the getter request.session, a session was created lazily.

The fix is to prepend a check to request.hasSession and only using request.session... if one indeed exists.

Test Plan

A regression test was added which exercises this scenario - and it fails without the fix.

This patch was released by @0xTim

Full Changelog: https://github.com/vapor/vapor/compare/4.121.0...4.121.1