Avoid calling 'unsign' in case if the token from cookie is 'undefined…

[vla-dev]

Avoid calling 'unsign' in case if the token from cookie is 'undefined'. If the first argument is different from 'string', the unsign function will always throw "Signed cookie string must be provided."

src/cookies/getCookie.ts

function getCookie(req: NextApiRequest, name: string): string {
  if (req.headers.cookie != null) {
    const parsedCookie = parse(req.headers.cookie);
    return parsedCookie[name];
  }

  return "";
}

This function checks if headers.cookie !== null and is trying to get the token from parsed cookie, but the cookie could be present but different from XSRF token.

Let's say I'm also using google analytics (gtag) that is making its own cookies such us: _ga=GA1.1.1798070841.1638877244;

parsedCookie will be:

parsedCookie = {
  "_ga"="GA1.1.1798070841.1638877244"
}

and the return statement parsedCookie[name] where name is tokenKey (by default XSRF-TOKEN) will be undefined

then...

src/middleware/csrf.ts

const tokenFromCookie = getCookie(req, tokenKey);
const tokenFromCookieUnsigned = unsign(tokenFromCookie, secret); 

since tokenFromCookie is undefined, and the first argument must be typeof string, this function will always throw "Signed cookie string must be provided." and the request will fail with status 500

[j0lvera]

@vla-dev thank you!