MemoryStore: connect.session() MemoryStore is not designed for a production environment workaround

Hey, y’all!

I’ve inherited an app that uses Keycloak, and I’m a bit skeptical about the current implementation. As it stands, I’m seeing the following warning in the logs on production:

Warning: connect.session() MemoryStore is not designed for a production environment, as it will leak memory, and will not scale past a single process.

This led me to two MemoryStore instances – one is used when creating a new Keycloak instance, and the other for the Express-Session session.

Versions/Context:
"keycloak-connect": "^9.0.0" >> LIB.KEYCLOAK
"express": "^4.16.4" >> LIB.EXPRESS
"express-session": "^1.17.0" >> LIB.SESSION

// adapters/keycloak.js
const memoryStore = new LIB.SESSION.MemoryStore();
LIB.keycloak = new LIB.KEYCLOAK({ store: memoryStore }, keycloakConfig);

// middleware/index.js
const memoryStore = new LIB.SESSION.MemoryStore();
const session = {
        secret: keycloakEnvSettings.backendClientSecret,
        resave: false,
        saveUninitialized: true,
        store: memoryStore,
};

if (['staging', 'production'].includes(process.env.NODE_ENV)) {
        app.set('trust proxy', 1);
        session.cookie = { secure: true };
}

app.use(LIB.SESSION(session));
app.use(LIB.keycloak.middleware());

I assume the memory leak warning is with regard to the Express-Session session’s usage of the MemoryStore, but I am curious if there is anything for me to worry about with regard to Keycloak’s usage of it.

Also, is it appropriate to have two separate instances or does it make more sense to have one MemoryStore instance that is used for both?

Thanks in advance!
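
Added example (not part of the original post, and not keycloak-connect or express-session code): a dependency-free model of the two-store wiring shown above versus one shared store. It assumes the adapter uses the store passed to its constructor to look sessions up by ID when the identity server initiates a logout; `TinyStore`, `TOKEN_KEY` and the helper functions are hypothetical stand-ins.

```javascript
// Added illustration; TinyStore, TOKEN_KEY and the helper names are hypothetical.
const TOKEN_KEY = 'token'; // hypothetical session key that holds the login grant

// Constructed stand-in with the callback-style get/set/destroy of a session store.
class TinyStore {
  constructor() { this.sessions = new Map(); }
  get(sid, cb) {
    const raw = this.sessions.get(sid);
    cb(null, raw ? JSON.parse(raw) : null);
  }
  set(sid, sess, cb) {
    this.sessions.set(sid, JSON.stringify(sess));
    if (cb) cb(null);
  }
  destroy(sid, cb) {
    this.sessions.delete(sid);
    if (cb) cb(null);
  }
}

// What the session middleware does after login: persist the session in ITS store.
function persistLogin(sessionStore, sid, token) {
  sessionStore.set(sid, { [TOKEN_KEY]: token });
}

// Server-initiated logout: the adapter only has a session ID, so it can only
// revoke the token if that ID exists in the store IT was constructed with.
function clearBySessionId(adapterStore, sid) {
  let cleared = false;
  adapterStore.get(sid, (err, sess) => {
    if (err || !sess) return; // unknown session ID: nothing gets revoked
    delete sess[TOKEN_KEY];
    adapterStore.set(sid, sess);
    cleared = true;
  });
  return cleared;
}

// True while the session the browser cookie points at still holds a token.
function hasToken(sessionStore, sid) {
  let found = false;
  sessionStore.get(sid, (err, sess) => { found = !err && !!sess && TOKEN_KEY in sess; });
  return found;
}

// Login, then logout by ID; returns [logoutFoundSession, tokenStillPresent].
function scenario(sessionStore, adapterStore) {
  const sid = 'sid-constructed-1'; // constructed sample session ID
  persistLogin(sessionStore, sid, 'constructed-token');
  return [clearBySessionId(adapterStore, sid), hasToken(sessionStore, sid)];
}
```

Calling `scenario(new TinyStore(), new TinyStore())` models the two instances in the post, and passing the same `TinyStore` for both arguments models a single shared store.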