setCookie express middleware only works inside hooks #438

Closed
HenriBeck opened this Issue Mar 8, 2017 · 3 comments

HenriBeck commented Mar 8, 2017

Apparently, the middleware checks if it's being called by a hook though I think that it should be possible to pass it to app.get() too.

Example: https://gist.github.com/HenriBeck/fa1fa401b8193da765e207fa4e4ca750

https://github.com/feathersjs/feathers-authentication/blob/master/src/express/set-cookie.js#L27

This block is never run because res.hook is undefined and no cookie is set.

Member

marshallswain commented Mar 8, 2017

Can you help clarify what the goal is in this issue? We want cookies to be ignored by the API server. It can set cookies, because that helps with SSR, but we don't want a cookie to get consumed directly by any Feathers service. That opens up the service to CSRF attacks.

Author

HenriBeck commented Mar 8, 2017

This line does nothing. It doesn't set the cookie as you would expect.

That's because in the middleware it checks if it has been called after a service method.

Author

HenriBeck commented Mar 9, 2017

Closing as it's the same as #389

@HenriBeck HenriBeck closed this Mar 9, 2017
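
The two behaviours discussed in this thread, as an added example that is not part of the original issue or the feathers-authentication source: a set-cookie middleware that is a no-op unless `res.hook` is present, and an API-side token lookup that reads only the `Authorization` header and never the cookie. The function names, the `feathers-jwt` cookie name, the `res.data.accessToken` field and the mock request/response objects are assumptions made for illustration.

```javascript
// Added illustration, not the feathers-authentication source; all names hypothetical.

// Middleware that, like the behaviour reported in this issue, writes the
// cookie only when a service hook has populated res.hook.
// The res.data.accessToken field is an assumption.
function setCookieIfHook(options) {
  return function (req, res, next) {
    const token = res.hook && res.data && res.data.accessToken;
    if (token) {
      res.cookie(options.name, token, { secure: options.secure });
    }
    next();
  };
}

// API-side credential lookup: only the Authorization header counts.
// The Cookie header is never read, so a request that carries nothing but
// the browser-attached cookie arrives unauthenticated.
function tokenFromRequest(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const match = /^Bearer\s+(\S+)$/i.exec(header);
  return match ? match[1] : null;
}

// Constructed stand-in for an Express response that records cookies.
function mockRes(extra) {
  const res = Object.assign({ cookies: {} }, extra);
  res.cookie = (name, value, opts) => { res.cookies[name] = { value, opts }; };
  return res;
}

function demo() {
  const name = 'feathers-jwt';            // constructed cookie name
  const jwt = 'constructed.jwt.value';    // constructed token
  const mw = setCookieIfHook({ name, secure: true });

  const plain = mockRes({});              // plain app.get() route: no res.hook
  mw({}, plain, () => {});
  const afterService = mockRes({ hook: { method: 'create' }, data: { accessToken: jwt } });
  mw({}, afterService, () => {});

  return {
    plainCookieSet: name in plain.cookies,
    serviceCookieSet: name in afterService.cookies,
    cookieOnlyToken: tokenFromRequest({ headers: { cookie: `${name}=${jwt}` } }),
    headerToken: tokenFromRequest({ headers: { authorization: `Bearer ${jwt}` } }),
  };
}
console.log(demo());
```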
