this.keys but no opts means cookies don't get signed

[jergason]

In Cookie.prototype.set (https://github.com/expressjs/cookies/blob/2dcb71f130a7eaafd16e71b9af70debe11d4c93f/lib/cookies.js#L69), the signed variable is true if opts.signed or this.keys is truthy. However, the check for whether to sign keys or not also checks if opts exists.

This means that if this.keys is truthy, but opts is undefined, the signed variable will be true but the key still won't be signed. My expectation is they key should be signed if signed == true, and it shouldn't depend on the existence of opts.

[dougwilson]

That seems to make sense, though I'm not sure how easy this will be to fix without including it in the major version bump, because I wonder how many people have the keys set but no options given. I'll have to think about it some. Also input from @jonathanong

[jonathanong]

Ha was gonna remove that in the next major

[dougwilson]

Cool, that was my suspicion. It seems weird that the existence of keys caused cookies to automatically sign. So I would almost say that the current behavior is intended: you only get signed cookies if you sent {signed: true} to .set. Does that sound right @jonathanong ?

[jonathanong]

Current behavior is intended :( I wanted the next version to have .sign() and .encrypt() as separate methods

[JYbill]

i have same question

// in my koa project
app.keys = ["secret1...", "secret2..."] // example

// set cookies
ctx.cookies.set("name", "jybill", { httpOnly: true }); // notice: i dont have set signed option!!!

// in fact, i will get
set-cookie: name=jybill, httponly;
set-cookie: name.sig=...

Perhaps it is more reasonable to set "signed"

• from source code
  

  cookies/index.js

  Line 86 in ddc3b71

  , signed = opts && opts.signed !== undefined ? opts.signed : !!this.keys

// maybe
signed = opts && opts.signed