feat: @fastify/cookie responsible for the signing and unsigning#125
feat: @fastify/cookie responsible for the signing and unsigning#125Uzlopak wants to merge 19 commits into
Conversation
Uzlopak
changed the title
…-session (#113) * Add cookiePrefix as an option to allow for compatibility with express-session * Add docs * Fix lint * improve solution * Apply suggestions from code review Co-authored-by: uzlopak <aras.abbasi@googlemail.com>
climba03003
left a comment
climba03003
left a comment
There was a problem hiding this comment.
By comparing express-session, the secret option should stay in here.
| "license": "MIT", | ||
| "dependencies": { | ||
| "cookie-signature": "^1.1.0", | ||
| "@fastify/cookie": "^7.4.0", |
There was a problem hiding this comment.
I would move it back to devDependency.
The user should explicitly install and register @fastify/cookie in their application.
There was a problem hiding this comment.
can fastify-plugin ensure the version of @fastify/cookie is at least 7.4? or is that out of scope for that module, and it might fail at runtime when accessing non-existent methods?
There was a problem hiding this comment.
You can require for a decorator to exist: https://github.com/fastify/fastify-plugin#dependencies
|
I think my approach is much cleaner, as we just need to setup fastify-cookie correct and then can use the actual methods instead of taking also care of the secrect management. |
It require the user to be clear that they shouldn't forget the It is totally different than the way before and may expose user in vulnerability. |
mcollina
left a comment
mcollina
left a comment
There was a problem hiding this comment.
Here is a few questions:
-
What happens if there is no secret set to both
@fastify/cookieand@fastify/session? Let's make sure an error is thrown at some point. -
Make sure to throw if
secretis passed to@fastify/session.
|
@mcollina So when no secret is set, we can feature detect if the decorators exist. If they dont we can throw a secret not set error. Obviously I can only write corresponding unit tests if the PR is merged and a new release of @fastify/cookie was published. |
|
@Uzlopak please wait for @climba03003 and @SimenB |
|
will do |
|
I still have to add that the plugin throws an error if a secret was provided. |
|
It does not convince me to provide
Point |
Co-authored-by: Simen Bekkhus <sbekkhus91@gmail.com>
|
My last few patches have been all about making @fastify/session compatible with express-session. This PR creates a new incompatibility: what if someone provides a different secret to both But honestly, I can't think of a real use case to have differing secrets here. And I think good code / practices is more important than express compatibility. I suspect we should tell users in this scenario that they should migrate to one secret. They can do so by setting Express's cookieParser to: |
|
Dont worry. Working on a different branch. |
|
Closing in favor of #129 |
5 participants
This PR couples @fastify/cookie stronger to @fastify/session. So instead of duplicating signing and unsigning logic in @fastify/session, we expect that setting the signing related stuff in @fastify/cookie and we just consume the logic in @fastify/session.
@rclmenezes
I think before we merge other patches, we should first merge this.
To review this PR i think, it is easier by going through the commits. I could not break it down into much smaller PRs as it is basically one big change.
Checklist
npm run testandnpm run benchmarkand the Code of conduct