Add cookie type safety into Remix

[mikeybinns]

I actually created a PR for this a while back, it's been approved by @MichaelDeBoey since June 22, but never got merged in, so I'm making this post so hopefully it gets noticed in a Roadmap planning session.
Relates to: #3224

Adding type safety for cookies will allow users to specify what object to expect from a cookie, and allow for more type safe interactions with cookies without needing to do something like the following:

import type { CookieValue } from '~/cookie.server';
...
const cookieValue: CookieValue | null = await cookie.parse(request.headers.get("Cookie"));

[sergiodxa]

The main problem here is that the user may tamper the cookie on the browser which means what you told to the createCookie object your cookie must contain may not be true.

I think type-safety in cookies (and sessions) should be achieved by runtime checks rather than statically since there's no way to really trust what comes from the browser, remember you should never trust user input, and cookies are user input.

In Remix Utils I was able to combine createCookie with Zod to create a Typed Cookie feature and a Typed Session one, they give you full type safety by using Zod to do runtime checks.

[milamer]

Just FYI, cookie sessions with secrets defined shouldn't have this problem as they cannot be changed by the user and therefore are not user provided.

The Typed Session looks really cool!

[mikeybinns]

Yeah, good point, I'll admit I hadn't thought about unencrypted cookies, perhaps I should update the PR to be an overload, so it only types if a secret is set?