search

elysiajs / elysia

Ergonomic Framework for Humans
https://elysiajs.com
MIT License
10.26k stars 219 forks source link

[Bug] cookie.name.remove() not removing cookie as expected #565

Open lnfel opened 6 months ago

lnfel commented 6 months ago

What version of Elysia.JS is running?

1.0.7

What platform is your computer?

Darwin 19.6.0 x86_64 i386

What steps can reproduce the bug?

  1. Set cookie 
    cookie.auth.set({
path: '/',
value: Math.random().toString(),
maxAge: 7 * 86400,
secure: true,
httpOnly: true
})
  2. Attempt to remove cookie 
    cookie.auth.remove() // not working
  3. See browser Devtools > Application > Cookies has a cookie named auth

What is the expected behavior?

Expected to have the cookie removed in the client. We can do this by setting maxAge of cookie to 0.

cookie.auth.update({
    path: '/',
    value: '',
    maxAge: 0,
    secure: true,
    httpOnly: true
})

What do you see instead?

No response

Additional information

No response

lnfel commented 6 months ago

What is more bewildering is that I see nothing out of place in elysia code... https://github.com/elysiajs/elysia/blob/e8ddb2f76c273275940c0f80881931f61ab918db/src/cookies.ts#L239-L249

On second look, we should provide an option to path. Usually auth stores cookies at / path. but cookie.name.remove() does not specify the path so the cookie stays on the client.

SaltyAom commented 6 months ago

Hi, would like to help but I'm unable to reproduce on my end using the following code.

import { Elysia } from 'elysia'

const app = new Elysia()
    .get('/', ({ cookie }) => {
        cookie.auth.set({
            path: '/',
            value: Math.random().toString(),
            maxAge: 7 * 86400,
            secure: true,
            httpOnly: true
        })
    })
    .get('/remove', ({ cookie }) => {
        cookie.auth.remove()
    })
    .get('/value', ({ cookie }) => {
        return cookie.auth.value
    })
        .listen(3000)
lnfel commented 6 months ago

@SaltyAom first here are the elysia related packages on the project:

"@bogeychan/elysia-polyfills": "^0.6.4",
"@elysiajs/cors": "^1.0.0",
"@elysiajs/swagger": "^1.0.0",
"elysia": "^1.0.7",

Using Node version 18.14.2

And here is the exact code used to test the bug, it is consistently happening, this might be a Node thing but idk.

import { Elysia, t } from 'elysia'

const routes = new Elysia({ prefix: '/experiment', name: 'routes:experiment' })
  .derive(({ cookie, set }) => {
    return {
      userHasRole: async () => {
        console.log('cookie.auth: ', cookie.auth)
        console.log('cookie.auth.value: ', cookie.auth.value)
        if (cookie.auth.value) {
          return 'User is not important.'
        }
        set.status = 'Unauthorized'
        return "You seem out of place."
      },
      login: () => {
        cookie.auth.set({
          path: '/',
          value: Math.random().toString(),
          maxAge: 7 * 86400,
          secure: true,
          httpOnly: true
        })
      },
      signOut: () => {
        cookie.auth.remove() // not working
        // cookie.auth.update({
        //  path: '/',
        //  value: '',
        //  maxAge: 0,
        //  secure: true,
        //  httpOnly: true
        // })
        console.log('cookie.auth: ', cookie.auth)
        return 'User logged out.'
      }
    }
  })
  .get('/user-role', async ({ userHasRole }) => {
    return {
      message: await userHasRole()
    }
  })
  .get('/login-user', ({ login }) => {
    return {
      message: login()
    }
  })
  .get('/signout-user', ({ signOut }) => {
    return {
      message: signOut()
    }
  })
carere commented 4 months ago

Hello, I'm on Deno, and I cannot remove cookie. I tried delete cookie["some_cookie_name"] and cookie["some_cookie_name].remove(). And it does not work.