Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix cookies' secure detect #614

Merged
merged 1 commit into from
Mar 1, 2016
Merged

fix cookies' secure detect #614

merged 1 commit into from
Mar 1, 2016

Conversation

dead-horse
Copy link
Member

koa don't change the original request object, need to pass koa's request object to cookies.

(but you can't replace res with response, so this is kind of weird. :(

@dead-horse dead-horse added the bug label Dec 2, 2015
@juliangruber
Copy link
Contributor

seems like there should be a less wtf way to do this

@dead-horse
Copy link
Member Author

  1. koa set req.protocol, but we don't want to change the original request object, right?
  2. cookies' constructor support specified secure. like new Cookies(req, res, keys, request.secure)

both sound wtf to me. :(

@dead-horse
Copy link
Member Author

or maybe we just set req.protocol before new Cookies(req, res, keys). /cc @jonathanong @dougwilson any idea?

@dougwilson
Copy link
Contributor

So, I wound recommend keeping the first argument as the raw Node.js object, since that is what is documented to work with the module (and it could start using a new property at any time, breaking Koa integration).

The root issue has been brought up various times and it is quite an annoying issue :) I can see any of the following a better fix than the proposal in this PR:

  1. Add the ability to just skip the secure check in the cookies module (you can do this currently by just setting { secureProxy: true } instead of { secure: true } when calling the cookies module, but it's kinda "eh".
  2. Just change the secure setting in cookies to not check the connection at all, and just have the consumer of the module make the appropriate decision. The secureProxy setting is literally this, so the proposal is to just rename secureProxy to secure, effectively.
  3. Add the ability to specify a function to the cookies call that would pass it a req, res and get a return value of if it's secure or not.

@dead-horse
Copy link
Member Author

@dougwilson 1&2 both need user set some options when using cookies.set ?

3 sound more reasonable, but compare to specify a function, why not just specify secure like new Cookies(req, res, keys, secure), because we already know req and res before create cookies object and can figure out it's secure or not.

@dougwilson
Copy link
Contributor

why not just specify secure like new Cookies(req, res, keys, secure) , because we already know req and res before create cookies object and can figure out it's secure or not.

That is option 2. The consumer of the module is Koa, because "the module" = cookies.

@dougwilson
Copy link
Contributor

As in, Koa could easily do the following:

opts.secureProxy = opts.secure && request.secure
opts.secure = undefined

@dead-horse
Copy link
Member Author

people use this.cookies.set() need to set opts.secureProxy = ops.secure && request.secure. otherwise koa need to override cookies.set to handle this logic?

@tejasmanohar tejasmanohar mentioned this pull request Feb 25, 2016
@dougwilson
Copy link
Contributor

So @jonathanong was pushing me to take a serious look into this situation. Let me know what you think of the following proposal that would get this fixed as well as let the cookies module figure out it's path to 1.0 independently of fixing this issue:

  1. Add a new options parameter to the Cookies constructor.
  2. Accept a new isSecure option, defaulting to undefined. Setting to a Boolean will be the answer for the secure checks in .set
  3. I think this pull request can then boil down to changing the line context.cookies = new Cookies(req, res, this.keys); to context.cookies = new Cookies(req, res, this.keys, { isSecure: request.protocol === 'https' });

If the static isSecure does not work, that can also be a function. Initial thoughts?

@dougwilson
Copy link
Contributor

Also, I know some of this has been discussed above, but really this is a summary of various proposals from above put down as something to get done now :)

@jonathanong
Copy link
Member

yes taht should be fine. i was thinking about how this would interact with proxy-addr, but i guess koa will handle it. let me look into proxy-addr

@dougwilson
Copy link
Contributor

My assumption would be that cookies should maybe be made dumber and not doing the secure check? If we do that, then one could use proxy-addr perhaps like the following:

new Cookies(req, res, keys, {
  isSecure: proxyAddr.isSecure(req, rules)
})

Or something.

@jonathanong
Copy link
Member

yeah i like cookies being dumb. after all, request.secure should be proxyAddr.isSecure(req, rules) anyways

@jonathanong
Copy link
Member

@dead-horse after pillarjs/cookies#68 we should be good to go :)

@dougwilson
Copy link
Contributor

Ok, with the current changes proposed in pillarjs/cookies#68 this pull request would be

context.cookies = new Cookies(req, res, { keys: this.keys, secure: request.secure });

@dead-horse
Copy link
Member Author

upgrade to [email protected]. /cc @dougwilson @jonathanong

@@ -8,6 +8,8 @@ exports = module.exports = function(req, res){
var socket = new Stream.Duplex();
req = req || { headers: {}, socket: socket, __proto__: Stream.Readable.prototype };
res = res || { _headers: {}, socket: socket, __proto__: Stream.Writable.prototype };
req.socket = req.socket || socket;
res.socket = res.socket || socket;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What exactly does this do? res.socket is already defined as socket 2 lines up, right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some test case will init context with specific req without socket like https://github.com/koajs/koa/blob/master/test/request/path.js#L26

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh oops, I missed that. Thanks for the help.

@dougwilson
Copy link
Contributor

Looks good to me.

@jonathanong
Copy link
Member

👍

dead-horse added a commit that referenced this pull request Mar 1, 2016
@dead-horse dead-horse merged commit 999c2cd into master Mar 1, 2016
@dead-horse dead-horse deleted the fix-cookie-secure branch March 1, 2016 06:29
@fengmk2
Copy link
Member

fengmk2 commented Mar 1, 2016

Wow! Wait for a long time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants