expressjs / cookie-parser

Parse HTTP request cookies

Inaccurate docs about JSONCookie, JSONCookies, signedCookie and signedCookies

CaioStoduto-zz opened this issue · comments

Nowadays you need to decode the cookie value using decodeURIComponent() before using any of the following functions:

  1. cookieParser.JSONCookie
  2. cookieParser.JSONCookies (decodeURIComponent for each cookie)
  3. cookieParser.signedCookie
  4. cookieParser.signedCookies (decodeURIComponent for each cookie)

This is because the functions don't decode the input themselves; now they just check whether it starts with 'j:' or 's:'. (Before, they required a URI-encoded value and would check whether it started with 'j%3A', for JSONCookie, or 's%3A', for signedCookie, and then both of these functions would decode the input before continuing.) But the documentation doesn't specify anywhere that the input needs to be decoded. I really preferred it before, when the function itself decoded the input; it would cause less confusion because it would work with both decoded and encoded values.

These prints are from the expressjs/cookie-parser source code.
These prints are from the expressjs/cookie-parser README.

Conclusion:
The documentation is outdated.

The reason this module does not talk about decoding your values is because this module is not the one encoding them, either. If you are encoding them in some special way (url encoding, base64, etc.) then you would of course need to do the reverse of your given encoding scheme in order to provide back the plain value to this module. The module expects the plain value, which is what a default expectation would be.

If you think there are specific changes that can/should be made, please open a pull request with the specific changes so we can evaluate them and work from there.

> The reason this module does not talk about decoding your values is because this module is not the one encoding them, either. If you are encoding them in some special way (url encoding, base64, etc.) then you would of course need to do the reverse of your given encoding scheme in order to provide back the plain value to this module. The module expects the plain value, which is what a default expectation would be.

Thank you so much, really, this clarifies many things that I had many doubts about :D ❤️
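The point settled in this thread, as an added example that is not part of the original issue or of cookie-parser's source: a value that still carries the 's%3A' encoding does not match the 's:' check, so a caller has to decode first and must not treat a returned string as proof of a valid signature. `sign`, `signedCookie`, `JSONCookie` and `readSignedCookie` below are local stand-ins written for this illustration, and the secret, cookie value and signature layout are constructed assumptions.

```javascript
// Added illustration; local stand-ins, not cookie-parser's own code.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value

// Assumed layout: '<value>.<base64 HMAC-SHA256 without padding>'.
function sign(value, secret) {
  const mac = crypto.createHmac('sha256', secret).update(value).digest('base64');
  return value + '.' + mac.replace(/=+$/, '');
}

// Stand-in for signedCookie: input without the 's:' prefix passes through
// unchanged, a bad signature yields false, a good one yields the inner value.
function signedCookie(str, secret) {
  if (typeof str !== 'string') return undefined;
  if (str.slice(0, 2) !== 's:') return str;
  const body = str.slice(2);
  const value = body.slice(0, body.lastIndexOf('.'));
  const expected = Buffer.from(sign(value, secret));
  const actual = Buffer.from(body);
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual) ? value : false;
}

// Stand-in for JSONCookie: only plain 'j:'-prefixed input is parsed.
function JSONCookie(str) {
  if (typeof str !== 'string' || str.slice(0, 2) !== 'j:') return undefined;
  try { return JSON.parse(str.slice(2)); } catch (e) { return undefined; }
}

// Caller-side wrapper (hypothetical): undo the URL encoding, then accept the
// value only if it had the 's:' prefix AND the signature verified.
function readSignedCookie(raw, secret) {
  let plain;
  try { plain = decodeURIComponent(raw); } catch (e) { return null; }
  if (plain.slice(0, 2) !== 's:') return null; // unsigned: reject, don't pass through
  const value = signedCookie(plain, secret);
  return value === false ? null : value;
}

// Constructed sample: the plain signed value and its URL-encoded form.
const plainSigned = 's:' + sign('j:{"uid":42}', SECRET);
const rawHeaderValue = encodeURIComponent(plainSigned); // starts with 's%3A'
const tamperedRaw = encodeURIComponent(plainSigned.replace('42', '43'));
```

Passing `rawHeaderValue` straight to `signedCookie` returns the same encoded string, neither `false` nor the verified value, which is why the wrapper rejects anything that lacks the 's:' prefix after decoding.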