Signed cookies are not supported

[jurca]

Hello again,

setting the cookie.signed flag true in the options results in fastify-cookie signing the cookies being set by this middleware, however, fastify-csrf does not properly handle reading signed cookies, since they need to be "unsigned" to get to the raw value.

I recommmend adding an if (cookie.signed) { ... } check to the getSecret() function to make this work.

I am willing to submit a PR, if you'd prefer me to do so.

Thank you in advance.

[Tarang11]

Can you please give an example.

[jurca]

Quite busy now, I'll try to get to it on Sunday evening. Thank you for your patience.

[jurca]

Here's an example code that results in HTTP 500 'invalid csrf token' error when the form is submitted:

const fastify = require('fastify')()
const fastifyCookie = require('fastify-cookie')
const fastifyFormBody = require('fastify-formbody')
const fastifyCSRF = require('fastify-csrf')

fastify.register(fastifyCookie, {
  secret: 'my-secret',
})
fastify.register(fastifyFormBody)
fastify.register(fastifyCSRF, {
  cookie: {
    signed: true,
  },
})

fastify.get('/', (request, reply) => {
  reply.type('text/html; charset=utf-8')
  reply.send(`
    <!DOCTYPE html>
    <html>
      <head><meta charset="UTF-8"><title>Signed cookie test</title></head>
      <body>
        <form action="/" method="post">
          <input type="hidden" name="_csrf" value="${request.csrfToken()}">
          <button>Test signed CSRF cookie</button>
        </form>
      </body>
    </html>
  `)
})

fastify.post('/', (request, reply) => {
  reply.type('text/plain; charset=UTF-8').send('CSRF OK')
})

fastify.listen(3000)

Removing the signed: true, line, making the CSRF cookie not signed, resolves the issue.

Now, I know it's not really needed security-wise to have the cookie signed, however, it would be nice to either support it, or drop the flag with a warning to the console.

[Tarang11]

Confirmed. Pls submit PR

[jurca]

Sorry for the delay, the PR is ready.