Astro.cookies.set() does not expose underlying cookie serialize options #9062
Description
Astro Info
Astro v3.5.2
Node v18.18.2
System macOS (arm64)
Package Manager npm
Output server
Adapter @astrojs/node
Integrations none
If this issue only occurs in one browser, which browser is a problem?
No response
Describe the Bug
The Astro.cookies.set implementation ultimately delegates final value serialization to the serialize function from the cookie package (see serialize docs).
However, Astro is only exposing its own (effectively anonymous/private, since it's not exported) AstroCookieSetOptions type, which is obfuscating the underlying capabilities that are available.
The AstroCookieSetOptions options passed to Astro.cookies.set are passed down to cookie's serialize, so, if you know this, you can just YOLO it with an any cast, etc.
The reason this is a problem for me is it took me a while to chase down why the cookie value I was setting via Astro.cookies.set was getting mangled (URL encoded), and it's because by default, the cookie serialize function's encode option uses encodeURIComponent.
So, short version is, there is nothing in the Astro docs to let you know and/or control the value serialization which is always passed through encodeURIComponent.
This came up for me because I was base64 encoding a cookie value, and base64 has a few characters that encodeURIComponent will encode; for example, the trailing = padding characters will get URL encoded.
I can YOLO it to customize the encode option, for example:
```ts
const options: any = {
  httpOnly: true,
  encode: (o: string) => o
}
context.cookies.set("REDIRECT_URI", encodedURL, options);
```

But this is obviously unsafe since it's depending on an implementation detail of how Astro utilizes the cookie package under-the-covers.
I think Astro should probably:
- Export the AstroCookieSetOptions type so it can be utilized more easily by end-users
- Change AstroCookieSetOptions to simply extend CookieSerializeOptions from @types/cookie
What's the expected result?
Full control of cookie serialization options is exposed
Link to Minimal Reproducible Example
https://stackblitz.com/edit/github-pqoq26-w1uign?file=src%2Fpages%2Findex.astro
Participation
- I am willing to submit a pull request for this issue.
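
An added example (not part of the issue, and not Astro's or the cookie package's code) showing what encodeURIComponent, the default encode described above, does to standard base64 versus base64url for the same bytes. The function names and sample bytes are constructed; `strictPassthrough` is a hypothetical replacement for an identity `encode` that rejects anything outside the RFC 6265 cookie-octet set.

```javascript
// Added example; function names and sample inputs are constructed, not from Astro or `cookie`.

// RFC 6265 cookie-octet: printable ASCII except space, '"', ',', ';' and '\'.
const COOKIE_OCTET = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// The default the issue describes: every value goes through encodeURIComponent.
function defaultEncode(value) {
  return encodeURIComponent(value);
}

// Hypothetical replacement for an identity `encode`: passes the value through
// unchanged, but refuses anything that could end the value or add attributes.
function strictPassthrough(value) {
  if (!COOKIE_OCTET.test(value)) {
    throw new TypeError("value has characters not allowed in a cookie value");
  }
  return value;
}

const toBase64 = (input) => Buffer.from(input).toString("base64");
const toBase64Url = (input) => Buffer.from(input).toString("base64url");
const fromBase64Url = (text) => Buffer.from(text, "base64url").toString("utf8");

// Show how each encoding of the same bytes looks once it is in the header.
function compare(input) {
  const std = toBase64(input);
  const url = toBase64Url(input);
  return {
    std,
    stdDefault: defaultEncode(std), // '+', '/', '=' become %2B, %2F, %3D
    // A reader that applies decodeURIComponent gets the original back.
    stdRoundTrip: decodeURIComponent(defaultEncode(std)) === std,
    url,
    urlDefault: defaultEncode(url), // unchanged: alphabet is A-Z a-z 0-9 - _
    stdPassthrough: strictPassthrough(std), // base64 alphabet is cookie-safe as-is
  };
}

// Constructed bytes chosen so the base64 form contains '+', '/' and '='.
const sample = compare(Buffer.from([0xfb, 0xff]));
console.log(sample);
// Constructed URL: base64url survives the default encoder and decodes cleanly.
console.log(fromBase64Url(defaultEncode(toBase64Url("https://example.com/cb?x=1"))));
```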