Open MajorBreakfast opened 8 months ago
I wanted to create an issue for this for quite some time now, but kept forgetting to do it. This is something I would enjoy having too. I have been looking at a possible implementation of this.
It's very easy to expose the current server side cookies object in the universal load function and add a client side implementation using document.cookie. But this would lead to different behavior between both environments, because the server has access to HttpOnly cookies, which the client does not.
To keep the same behavior in both environments, you propose to only have access to cookies with HttpOnly disabled, but sadly this is not possible, because this data is not available server side; the only data sent with the request is name=value.
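Added example (not part of the comment above and not SvelteKit code): a small simulation of the point that the Cookie request header carries only name=value pairs, so a server cannot tell which cookies were set with HttpOnly. The Set-Cookie values and all function names are constructed for illustration.

```javascript
// Constructed sample: Set-Cookie headers a server might have sent earlier.
const setCookieHeaders = [
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/; SameSite=Lax',
];

// Parse one Set-Cookie header into { name, value, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
  };
}

// The browser's cookie jar remembers the attributes ...
const buildJar = (headers) => headers.map(parseSetCookie);
const serialize = (cookies) => cookies.map((c) => `${c.name}=${c.value}`).join('; ');

// ... but the Cookie request header drops them: every cookie, name=value only.
const cookieRequestHeader = (jar) => serialize(jar);

// What script reads through document.cookie: HttpOnly entries are withheld.
const documentCookieView = (jar) => serialize(jar.filter((c) => !c.httpOnly));

// Parse a "a=1; b=2" string, as a server does with the Cookie header.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(';')) {
    const p = part.trim();
    const eq = p.indexOf('=');
    if (eq < 1) continue; // skip empty or nameless fragments
    out[p.slice(0, eq)] = p.slice(eq + 1);
  }
  return out;
}

const jar = buildJar(setCookieHeaders);
const serverView = parseCookieHeader(cookieRequestHeader(jar));
const clientView = parseCookieHeader(documentCookieView(jar));
console.log('request header:', cookieRequestHeader(jar));
console.log('server sees:', Object.keys(serverView)); // no HttpOnly flag survives
console.log('client sees:', Object.keys(clientView));
```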
I'm opposed to this — it sets a precedent that cookies without httpOnly are encouraged, which they are very much not. What is a valid use case?
What about naming them unsafeCookies or similar? Or enforcing the user to always set { httpOnly: false } to make it very clear.
You can't set and get cookies in universal load functions currently (you can on the client, but not on the server). I do understand that you don't want to encourage people to use non httpOnly cookies but there are use cases like a theme cookie. In fact the supabase library uses non httpOnly cookies for their authentication and I remember when I was working on their sveltekit adapter we had a hard time making everything work due to not being able to modify cookies in universal load functions.
@Rich-Harris Authentication is also our exact use case. We are working primarily on SPAs with initial SSR. Right now we need to implement a server side and a client side version of handling authorized requests. Being able to use cookies in the universal load functions would really simplify use cases like this, because you can create a 'universal' flow for this.
Describe the problem
Currently cookies are only available in +page.server.ts and +layout.server.ts but not in the universal load variants.
Describe the proposed solution
Make cookies available in universal load(). Only cookies with httpOnly disabled may be accessed, so that the universal load() function behaves the same in whichever environment it is executed.
Alternatives considered
No response
Importance
would make my life easier
Additional Information
No response