Phase 2: Developer Experience

Completed: 2026-02-07

---

Overview

Phase 2 focused on improving developer experience and reducing configuration complexity while maintaining full backward compatibility.

Results:

• ✅ Created 5 configuration presets

• ✅ Added factory methods for easier setup

• ✅ Improved documentation and examples

• ✅ All 346 tests passing

• ✅ Zero breaking changes

---

Implementation 1: Configuration Presets

Problem

The Configuration class has 35+ options, creating decision paralysis for developers. Most users want sensible defaults for common scenarios (development, production, etc.) rather than configuring every option manually.

Solution

Created a Presets module with 5 pre-configured scenarios:

File: src/presets.cr (107 lines)

Available Presets

1. Development (Presets.development)

Purpose: Local development with minimal friction

Settings:

• 30-minute timeout

• No secret validation required

• No encryption

• Sliding expiration enabled

• Circuit breaker disabled

• Retry disabled

• Compression disabled

Usage:

Session.configure do |config|
  config = Configuration.from_preset(:development)
  config.provider = Session::MemoryStore(UserSession).provider
end

---

2. Production (Presets.production)

Purpose: Balanced security and performance for production deployments

Settings:

• 1-hour timeout

• Secure secret required

• Redis data encryption enabled

• Sliding expiration enabled

• Circuit breaker enabled

• Retry enabled

• Compression enabled (threshold: 256 bytes)

• KDF enabled with SHA-256

Usage:

Session.configure do |config|
  config = Configuration.from_preset(:production)
  config.secret = ENV.fetch("SESSION_SECRET")
  redis = Redis.new(host: ENV["REDIS_HOST"]?)
  config.provider = Session::RedisStore(UserSession).provider(client: redis)
end

---

3. High Security (Presets.high_security)

Purpose: Maximum security for sensitive applications

Settings:

• 15-minute timeout (short for security)

• Secure secret required

• Redis data encryption with KDF (100k iterations)

• Client binding enabled (IP + User-Agent)

• Sliding expiration enabled

• Circuit breaker enabled

• Retry enabled

• Compression enabled

• Fail fast on corruption

• No digest fallback to SHA-1

Usage:

Session.configure do |config|
  config = Configuration.from_preset(:high_security)
  config.secret = ENV.fetch("SESSION_SECRET")
  pool_config = Session::ConnectionPoolConfig.new(size: 10)
  config.provider = Session::PooledRedisStore(UserSession).new(pool_config)
end

---

4. Testing (Presets.testing)

Purpose: Fast, simple configuration for test suites

Settings:

• 5-minute timeout

• No secret validation

• No encryption

• No sliding expiration

• No error logging (cleaner test output)

• Circuit breaker disabled

• Retry disabled

• Compression disabled

• No client binding

Usage:

Session.configure do |config|
  config = Configuration.from_preset(:testing)
  config.provider = Session::MemoryStore(UserSession).provider
end

---

5. Clustered (Presets.clustered)

Purpose: Multi-node deployments with Redis pub/sub

Settings:

• Based on production preset

• Clustering enabled

• Local cache enabled (30s TTL, 10k max size)

• All production security settings

Usage:

Session.configure do |config|
  config = Configuration.from_preset(:clustered)
  config.secret = ENV.fetch("SESSION_SECRET")
  config.cluster.node_id = ENV["NODE_ID"]? || UUID.random.to_s

  redis = Redis.new(host: ENV["REDIS_HOST"]?)
  cluster_config = Session::ClusterConfig.new(enabled: true)
  config.provider = Session::ClusteredRedisStore(UserSession).new(redis, cluster_config)
end

---

API: Configuration.from_preset

Added to Configuration class:

def self.from_preset(preset : Symbol) : Configuration
  case preset
  when :development then Presets.development
  when :production then Presets.production
  when :high_security then Presets.high_security
  when :testing then Presets.testing
  when :clustered then Presets.clustered
  else
    raise ArgumentError.new("Unknown preset: #{preset}")
  end
end

Raises: ArgumentError for unknown presets

---

Implementation 2: Enhanced Documentation

Store Class Documentation

File: src/store.cr

Added comprehensive usage example:

# Abstract base class for session storage backends
#
# Generic Constraint:
#   T must include the SessionData module for proper serialization and validation
#   T must provide a parameterless constructor (T.new)
#
# Example usage:
#   ```
#   struct UserSession
#     include Session::SessionData
#     property user_id : Int64?
#     property? authenticated : Bool = false
#   end
#
#   # Use memory store for development
#   store = Session::MemoryStore(UserSession).new
#
#   # Use Redis for production
#   store = Session::RedisStore(UserSession).new(Redis.new)
#   ```
abstract class Store(T)
  # ...
end

---

Implementation 3: Comprehensive Examples

File: examples/configuration_examples.cr (187 lines)

Created a complete examples file demonstrating:

1. Using each preset - Development, Production, High Security, Testing, Clustered

2. Manual configuration - Configuring without presets

3. Preset with overrides - Start with preset, customize specific options

4. Environment-based setup - Switch configuration based on ENV variables

5. Session data structure - Example UserSession implementation

Key examples:

Environment-Based Configuration

Session.configure do |config|
  case ENV["ENVIRONMENT"]?
  when "development"
    config = Configuration.from_preset(:development)
    config.provider = Session::MemoryStore(UserSession).provider

  when "production"
    config = Configuration.from_preset(:high_security)
    config.secret = ENV.fetch("SESSION_SECRET")
    pool_config = Session::ConnectionPoolConfig.new(size: 20)
    config.provider = Session::PooledRedisStore(UserSession).new(pool_config)
  end
end

Preset with Selective Overrides

Session.configure do |config|
  # Start with production preset
  config = Configuration.from_preset(:production)

  # Override only what you need
  config.timeout = 8.hours
  config.bind_to_user_agent = true
  config.compression_threshold = 1024

  config.secret = ENV.fetch("SESSION_SECRET")
  config.provider = Session::RedisStore(UserSession).provider
end

---

Implementation 4: Require Order Fix

Problem

configuration.cr referenced CircuitBreakerConfig but retry.cr was required after it, causing compilation errors.

Solution

Moved require "./retry" before require "./configuration" in session.cr:

Before:

require "./configuration"
require "./presets"
require "./session_id"
require "./retry"

After:

require "./retry"
require "./configuration"
require "./presets"
require "./session_id"

Impact: Clean compilation, proper dependency order

---

Benefits

1. Reduced Configuration Complexity

Before Phase 2:

Session.configure do |config|
  config.timeout = 1.hour
  config.require_secure_secret = true
  config.encrypt_redis_data = true
  config.sliding_expiration = true
  config.log_errors = true
  config.circuit_breaker_enabled = true
  config.enable_retry = true
  config.compress_data = true
  config.compression_threshold = 256
  config.use_kdf = true
  config.digest_algorithm = :sha256
  config.secret = ENV.fetch("SESSION_SECRET")
  config.provider = Session::RedisStore(UserSession).provider
end

After Phase 2:

Session.configure do |config|
  config = Configuration.from_preset(:production)
  config.secret = ENV.fetch("SESSION_SECRET")
  config.provider = Session::RedisStore(UserSession).provider
end

Result: 14 lines → 4 lines (71% reduction)

---

2. Better Security Defaults

Presets encode security best practices:

• Production requires secure secrets

• High security enables client binding

• Encryption enabled by default in production

• KDF enabled for key derivation

Impact: Users get secure configurations by default

---

3. Improved Onboarding

New users can:

1. Choose a preset matching their environment

2. Override only what's specific to their app

3. Reference comprehensive examples

Impact: Faster time to production, fewer configuration mistakes

---

4. Clear Intent

Preset names clearly communicate intent:

• :development - "I'm developing locally"

• :production - "I'm deploying to production"

• :high_security - "Security is critical"

• :testing - "I'm running tests"

• :clustered - "I have multiple nodes"

Impact: Self-documenting code

---

Metrics

Code Added

File	Lines	Purpose
src/presets.cr	107	Configuration presets
examples/configuration_examples.cr	187	Usage examples
Total	294	New code

Code Modified

File	Changes	Purpose
src/configuration.cr	+18 lines	from_preset method
src/store.cr	+14 lines	Documentation
src/session.cr	1 line moved	Require order fix

Test Results

✅ All 346 specs passing
✅ 0 failures, 0 errors
✅ 100% backward compatible

---

Usage Patterns

Pattern 1: Simple Development Setup

Session.configure do |config|
  config = Configuration.from_preset(:development)
  config.provider = Session::MemoryStore(UserSession).provider
end

Pattern 2: Production with Environment Variables

Session.configure do |config|
  config = Configuration.from_preset(:production)
  config.secret = ENV.fetch("SESSION_SECRET")
  redis = Redis.new(host: ENV["REDIS_HOST"]? || "localhost")
  config.provider = Session::RedisStore(UserSession).provider(client: redis)
end

Pattern 3: High Security with Custom Timeout

Session.configure do |config|
  config = Configuration.from_preset(:high_security)
  config.timeout = 10.minutes # Custom timeout
  config.secret = ENV.fetch("SESSION_SECRET")
  config.provider = Session::RedisStore(UserSession).provider
end

Pattern 4: Testing with Custom Secret

Session.configure do |config|
  config = Configuration.from_preset(:testing)
  config.secret = "test-secret-key-for-specs"
  config.provider = Session::MemoryStore(UserSession).provider
end

---

Migration Guide

Existing Code (No Changes Required)

All existing configurations continue to work:

# This still works!
Session.configure do |config|
  config.timeout = 30.minutes
  config.secret = "my-secret"
  # ... all other options
end

Adopting Presets (Optional)

To adopt presets, identify your environment and replace manual config:

Before:

config.timeout = 1.hour
config.require_secure_secret = true
config.encrypt_redis_data = true
# ... 10 more lines

After:

config = Configuration.from_preset(:production)

Then override only what's different for your app.

---

Next Steps

Completed ✅

1. ✅ Configuration presets

2. ✅ Enhanced documentation

3. ✅ Comprehensive examples

Remaining High Priority

1. ⬜ Merge PooledRedisStore into RedisStore (save ~200 lines)

2. ⬜ Rename SessionId → Session (clarity improvement)

3. ⬜ Flatten Provider module (remove macro magic)

Medium Priority

1. ⬜ Extract circuit breaker/retry to optional module

2. ⬜ Make QueryableStore truly optional

3. ⬜ Extract clustering to separate shard

---

Conclusion

Phase 2 Achievements:

• ✅ 71% reduction in typical configuration code

• ✅ Security best practices baked into presets

• ✅ Improved developer experience

• ✅ Comprehensive documentation and examples

• ✅ Zero breaking changes

Developer Impact:

• Faster onboarding

• Fewer configuration mistakes

• Clear intent through preset names

• Easy customization through overrides

The session framework is now significantly easier to use while maintaining full flexibility for advanced users! 🎉