cookie.parse ignores HttpOnly; Secure; #200
Comments
#164 seems to discuss this. Does not seem that there is a consensus about what to expect?
There is a consensus, this package doesn’t parse the This could be added as a feature, but it’s unsupported today.
@blakeembrey, thx.. duh!, you are very correct.
We use it often in workers and sveltekit projects to pass a login method to my own upstream IDP and need to pass cookies (full or partly) on to the consumer, which has another hostname.
@gerhardcit Would it be helpful if this library did support parsing the
@blakeembrey, considering the number of times that I intercept cookies from my own upstream servers in apps like sveltekit routes (typically on cloudflare-like serverless), I think it would be very useful.
Most of that is manual work since cookies are not passed through when URLs change, but often it needs to easily pass on (both are my apps after all, api.theapi.com serves various other myapps2... which are again sveltekit type apps where the api needs to go upstream). Sveltekit documents this here: https://svelte.dev/docs/kit/@sveltejs-kit#Cookies Hope this makes sense and hopefully I'm not trying to reinvent some wheel which I have not seen or fully understood yet. PS. In some cases I convert upstream cookies to some kind of encrypted response, since hybrid apps (i.e. Ionic wrapped with Capacitor) and cookies are not great to work with (even though there is a plugin for it), in which case I convert the incoming set-cookie from the upstream api to an encrypted jwt header and send that to the app client for later use. So it would be very handy in my view.
Just as another datapoint, I'd find this useful too @blakeembrey, definitely helpful to have support for both. I'm currently using
It seems that the parser wants key=value pairs and ignores the HttpOnly; Secure; settings?
Result: (missing the HttpOnly and Secure settings?)
Expected result:
If the cookie value is explicit:
HttpOnly=true; Secure=true
const cookieStr = "MY_COOKIE=somevalue; Path=/; Expires=Tue, 29 Oct 2024 06:06:46 GMT; HttpOnly=true; Secure=true;";
then it parses correctly.
I tried 0.7.2 and 1.0.1. Am I missing something?
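
Added example (not part of the original thread and not the cookie package's own code): the string in the issue has the shape of a `Set-Cookie` header, where `HttpOnly` and `Secure` are valueless flags that a name=value parser cannot represent. The hypothetical helpers `parseSetCookieLine` and `assertHardened` below keep those flags when an upstream cookie is read for relaying, so a missing flag is caught instead of silently dropped; the sample string is constructed.

```javascript
// Minimal Set-Cookie parser (hypothetical helper, not part of the cookie package).
// Attribute names are case-insensitive (RFC 6265); HttpOnly and Secure carry no value.
function parseSetCookieLine(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) throw new TypeError("empty Set-Cookie value");

  // The first segment is always name=value; the value may itself contain "=".
  const first = parts[0];
  const eq = first.indexOf("=");
  if (eq < 1) throw new TypeError("missing cookie name");
  const cookie = {
    name: first.slice(0, eq).trim(),
    value: first.slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
  };

  for (const part of parts.slice(1)) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : part.slice(i + 1).trim();
    switch (key) {
      case "httponly": cookie.httpOnly = true; break; // presence alone sets the flag
      case "secure": cookie.secure = true; break;     // "Secure=true" also lands here
      case "path": cookie.path = val; break;
      case "domain": cookie.domain = val.replace(/^\./, "").toLowerCase(); break;
      case "samesite": cookie.sameSite = val.toLowerCase(); break;
      case "max-age": if (/^-?\d+$/.test(val)) cookie.maxAge = Number(val); break;
      case "expires": {
        const d = new Date(val);
        if (!Number.isNaN(d.getTime())) cookie.expires = d;
        break;
      }
      default: break; // unknown attributes are ignored
    }
  }
  return cookie;
}

// Guard for relaying an upstream cookie: refuse to pass on one that lost its flags.
function assertHardened(cookie) {
  const missing = ["httpOnly", "secure"].filter((k) => !cookie[k]);
  if (missing.length) throw new Error(`cookie ${cookie.name} lacks: ${missing.join(", ")}`);
  return cookie;
}

// Constructed sample: same shape as the string in the issue, with bare flags.
const sample = "MY_COOKIE=somevalue; Path=/; Expires=Tue, 29 Oct 2024 06:06:46 GMT; HttpOnly; Secure";
```

Both the bare form (`HttpOnly; Secure`) and the explicit form from the issue (`HttpOnly=true; Secure=true`) set the flags, because only the attribute name is inspected.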