[Bug]: Default path behaviour is incorrect in SvelteKit adapter about lucia HOT 6 CLOSED

Thanks for the bug report. Seems like I mistakenly assumed an empty string would mean SvelteKit would not set a Path attribute.

from lucia.

As for my objections on the changes to the cookie API, it only had partially do with Lucia (specifically the part about maintaining consistency between frameworks). The first part about spec etc is mostly just my personal opinion on API design.

from lucia.

Unless the expectation is that people will call a middleware's setCookie with something other than the result of calling createSessionCookie?

Yes, since that's just easier to work with

We (unlike some others) set secure and httpOnly to true by default (similar to createSessionCookie, except that it can be overridden if necessary)

This isn't a big issue since the types are still the same, and Lucia always set the HttpOnly and Secure flag (for prod)

from lucia.

Not sure I follow — you're saying that people will call setCookie directly but also that Lucia will override httpOnly and secure? I couldn't see in the code where that happens.

I'm still not sure how to reconcile your "I'd expect it to work exactly like how HTTP cookies would" statement with the decision to forcibly override httpOnly and secure, but that's just me :)

from lucia.

I don't think I follow either 😅. setCookie() just sets a cookie represented by a generic interface Cookie. It doesn't override attributes or anything. The Cookie can be anything, not just session cookies, so it should be able to set cookies without the Path attribute.

from lucia.

In that case the behaviour will differ between frameworks, because SvelteKit defaults secure and httpOnly to true while other frameworks don't

from lucia.