fix: make decrypt errors in get() single-callback and add test (plan#runtime)

Author: mingchuno

CHANGELOG.md

@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Packaging:** npm package now ships dual ESM/CJS bundles via `tsdown`, with an explicit exports map and cleaned type declarations (`.d.ts`/`.d.cts`).
 - **Types:** `MongoStore` and option hooks are strongly typed to avoid `any` leaks.
 - **Fixed:** `store.clear()` now uses `deleteMany({})` instead of `collection.drop()`, preserving TTL indexes and treating `NamespaceNotFound` as success so clears are idempotent.
+- **Fixed:** Decryption failures in `get()` now short-circuit after the first callback, preventing double-callback regressions when the crypto secret is wrong.
 
 ## [5.1.0] - 2023-10-14
 

docs/PLANS.md

@@ -21,6 +21,7 @@
   - store.clear() issues collection.drop(), which wipes the TTL index required for autoRemove: 'native' and throws NamespaceNotFound for empty stores (src/lib/MongoStore.ts:530-535). Switch to deleteMany({}) (keeping indexes) and swallow the namespace error so clear() is idempotent.
     - [done 2025-11-18] Swapped drop() for deleteMany(), swallowing NamespaceNotFound and adding coverage to ensure TTL index survives clear() (agent: Codex)
   - Decryption failures call the callback twice because the rejection handler just invokes callback(err) and then execution continues to the success path (src/lib/MongoStore.ts:314-326). Re-throw inside the catch or guard against multiple invocations to avoid “callback was already called” regressions.
+    - [done 2025-11-18] Guard decrypt errors so get() calls its callback once; add regression test for wrong secret (agent: Codex)
   - Session TTL math ignores cookie.maxAge; it only respects cookie.expires or a global default in both set() and touch(), so rolling sessions expire too early (src/lib/MongoStore.ts:355-368, 435-439). Mirror express-session's logic: prefer maxAge, fall back to expires, then to ttl.
   - close() always shuts down the underlying MongoClient, even if the user supplied their own client/promise, which can tear down the rest of the app's DB connections (src/lib/MongoStore.ts:188-210, 541-543). Track whether the store created the client and only close in that case; otherwise just clear timers.
   - Interval-based cleanup leaks and relies on deprecated write concern: the timer created in setAutoRemove() is never cleared on shutdown and writes with w:0/j:false, which newer clusters reject (src/lib/MongoStore.ts:217-247). Store the handle, clearInterval it in close(), and use the configured write concern or

src/lib/MongoStore.spec.ts

@@ -192,6 +192,29 @@ test.serial('clear preserves TTL index and is idempotent', async (t) => {
   await t.notThrowsAsync(() => storePromise.clear())
 })
 
+test.serial('decrypt failure only calls callback once', async (t) => {
+  ;({ store, storePromise } = createStoreHelper({
+    crypto: {
+      secret: 'right-secret',
+    },
+  }))
+  const sid = 'decrypt-failure'
+  await storePromise.set(sid, makeData())
+  // Tamper with the secret so decryption fails
+  ;(store as any).options.crypto.secret = 'wrong-secret'
+
+  await new Promise<void>((resolve) => {
+    let calls = 0
+    store.get(sid, (err, session) => {
+      calls += 1
+      t.truthy(err)
+      t.is(session, undefined)
+      t.is(calls, 1)
+      resolve()
+    })
+  })
+})
+
 test.serial('test destory event', async (t) => {
   ;({ store, storePromise } = createStoreHelper())
   const orgSession = makeData()

src/lib/MongoStore.ts

@@ -300,9 +300,7 @@ export default class MongoStore<
       const plaintext = (await this.cryptoGet(
         this.options.crypto.secret as string,
         sessionDoc.session
-      ).catch((err) => {
-        throw new Error(err)
-      })) as string
+      )) as string
       sessionDoc.session = JSON.parse(plaintext) as StoredSessionValue
     }
   }
@@ -324,7 +322,12 @@ export default class MongoStore<
           ],
         })
         if (this.crypto && sessionDoc) {
-          await this.decryptSession(sessionDoc).catch((err) => callback(err))
+          try {
+            await this.decryptSession(sessionDoc)
+          } catch (error) {
+            callback(error)
+            return
+          }
         }
         let result: T | undefined
         if (sessionDoc) {