add parametrizable get/setcookie

Open caub opened this issue 8 years ago • 4 comments

usage:

session({
	...
	getcookie({headers}, name, secrets) {
		if (headers.cookie) {
			var cookies = cookie.parse(headers.cookie);
			return signature.unsign(cookies[name] || '', secrets[0]);
		}
		else if (headers.authorization) {
			return signature.unsign(headers.authorization || '', secrets[0]);
		}
		return null;
	},
	setcookie(res, name, val, secret, options) {
		var signed = signature.sign(val, secret);
		var data = cookie.serialize(name, signed, options);

		var prev = res.getHeader('set-cookie') || [];
		var header = Array.isArray(prev) ? prev.concat(data) : [prev, data];

		res.setHeader('set-cookie', header);
		res.setHeader('authorization', data);
	}
})

caub avatar Jan 28 '17 20:01 caub

You mean #158 surely; yes, I've seen it. The goal is to have a fallback for non-cookie platforms.

That PR is fully compatible, I'll add a test using authorization, but I understand your point that those 2 parameters open dangerous doors.

The other solution to do it is to have another middleware just before or after session that will use the sessionStore, and then hack express-session; I don't feel that's better:

	app.use(function(req, res, next){
		// Only use the Authorization fallback when no Cookie header was sent
		if (req.headers.cookie || !req.headers.authorization) return next();
		var key = signature.unsign(req.headers.authorization, sessionSecret);
		// unsign() returns false when the signature does not verify
		if (key === false) return next();
		sessionStore.get(key, function(err, sess) {
			if (sess) {
				req.sessionID = key;
				req.sessionStore = sessionStore;
				sessionStore.createSession(req, sess);
			}
			next();
		});
	});

PS: note it's {headers} (destructuring)

caub avatar Jan 28 '17 21:01 caub
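
Added example, not part of the thread or of express-session: one way to resolve a signed session ID from the Cookie header with an Authorization fallback, as discussed in the comment above, returning null whenever verification fails so an unverified value never reaches the session store. The `sign`/`unsign` helpers are local HMAC-SHA256 stand-ins for the `signature` module used in the thread; `parseCookies`, `sessionIdFromHeaders` and the sample values are hypothetical, and trying every secret (rather than only `secrets[0]`) is a choice of this example.

```javascript
// Added example: sign/unsign are local stand-ins for the thread's `signature` module.
const crypto = require('crypto');

function sign(val, secret) {
  const mac = crypto.createHmac('sha256', secret).update(val).digest('base64');
  return val + '.' + mac.replace(/=+$/, '');
}

// Returns the original value, or false when the MAC does not verify.
function unsign(signed, secret) {
  const idx = signed.lastIndexOf('.');
  if (idx <= 0) return false;                       // no value or no MAC part
  const expected = Buffer.from(sign(signed.slice(0, idx), secret));
  const given = Buffer.from(signed);
  const ok = expected.length === given.length && crypto.timingSafeEqual(expected, given);
  return ok ? signed.slice(0, idx) : false;
}

// Minimal Cookie header parser (no quoted-value handling).
function parseCookies(header) {
  const out = Object.create(null);                  // no inherited keys such as __proto__
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq <= 0) continue;
    try { out[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim()); }
    catch (e) { /* malformed percent-encoding: ignore this cookie */ }
  }
  return out;
}

// Cookie header first, Authorization only when no Cookie header was sent.
// Returns the verified session ID or null, never false or '', so the
// caller cannot hand a failed verification result to sessionStore.get().
function sessionIdFromHeaders(headers, name, secrets) {
  let raw;
  if (headers.cookie) raw = parseCookies(headers.cookie)[name];
  else if (headers.authorization) raw = headers.authorization;
  if (typeof raw !== 'string' || raw === '') return null;
  for (const secret of secrets) {                   // every secret, so rotation keeps working
    const id = unsign(raw, secret);
    if (id !== false) return id;
  }
  return null;
}

// Constructed sample values, not taken from the thread.
const SECRETS = ['new-secret', 'old-secret'];
const token = sign('sess-abc123', 'old-secret');
```
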

Oh, sorry, I'm not familiar with a lot of ES6 syntax :) That makes sense, then. There are at least 5 different threads on this, and I was mainly referring to the current PR discussion on the most recent PR to try this, not #158.

dougwilson avatar Jan 28 '17 21:01 dougwilson

#79 and #159 are where most of the discussion is at.

dougwilson avatar Jan 28 '17 21:01 dougwilson

I feel like it won't be merged, but I had read the other issues discussed, and I don't find decent solutions.

The idea is to support a wide range of platforms: browser, Chrome apps (even if they are deprecated)/extensions, PhoneGap, Electron in a uniform way.

I don't like this PR either. I need to see if document.cookie can be shimmed on platforms not having cookies, and how they will react to set-cookie; if it works, that would be a clean solution, but that's another topic.

caub avatar Jan 29 '17 20:01 caub