Comments (8)
For people looking to encrypt their cookies right now, I guess the solution is to manually encrypt your own cookie data in "hooks.ts" using AES or something (e.g. crypto-js).
(This library seems to use zencrypt over crypto-js, which seems like a much worse option at first glance; I'm not sure why it was chosen.)
Here's an example of what I've done:
hooks.ts
import { SESSION_KEY } from "$env/static/private";
import type { Handle } from "@sveltejs/kit";
import * as cookie from "cookie";
import aes from "crypto-js/aes";
import Utf8 from "crypto-js/enc-utf8";

const COOKIE_NAME = "discordAccessToken";

export const handle: Handle = async ({ event, resolve }) => {
  // Before running the route logic: read and decrypt the cookie, if present.
  {
    const cookieHeader = event.request.headers.get("cookie") ?? "";
    const cookies = cookie.parse(cookieHeader);
    const discordAccessTokenEncrypted = cookies[COOKIE_NAME];
    if (
      // The type definition for "cookie.parse" is bugged, as non-existent cookies will be
      // undefined.
      // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
      discordAccessTokenEncrypted === undefined ||
      discordAccessTokenEncrypted === ""
    ) {
      event.locals.discordAccessToken = null;
    } else {
      const discordAccessToken = aes.decrypt(
        discordAccessTokenEncrypted,
        SESSION_KEY,
      );
      // WordArray.toString() defaults to hex; decode as UTF-8 to get the original token back.
      event.locals.discordAccessToken = discordAccessToken.toString(Utf8);
    }
  }

  // Run the route logic.
  const response = await resolve(event);

  // After running the route logic: encrypt and set the cookie if the route asked for it.
  if (
    event.locals.shouldSetCookie &&
    event.locals.discordAccessToken !== null
  ) {
    const discordAccessTokenEncrypted = aes
      .encrypt(event.locals.discordAccessToken, SESSION_KEY)
      .toString();
    // "append" rather than "set", so Set-Cookie headers added by the route are not clobbered.
    response.headers.append(
      "set-cookie",
      cookie.serialize(COOKIE_NAME, discordAccessTokenEncrypted, {
        path: "/",
        httpOnly: true,
        secure: true,
        sameSite: true, // the "cookie" package maps true to SameSite=Strict
      }),
    );
  }

  return response;
};
from svelte-kit-cookie-session.
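The hook above encrypts the cookie with crypto-js AES under a passphrase, which by default means CBC mode with no authentication tag: a cookie value that has been modified in transit or by the user still "decrypts", to garbage or, in CBC, to partly attacker-controlled bytes, and the hook has no way to tell. The block below is an added example, not code from this thread or from svelte-kit-cookie-session, showing the same cookie-sealing idea with authenticated encryption (AES-256-GCM from Node's built-in crypto module) so that forged, tampered, or mis-keyed values are rejected rather than decrypted. SESSION_KEY, COOKIE_NAME, deriveKey, seal, unseal and tamperIsDetected are names assumed for illustration; in a real hook SESSION_KEY would come from $env/static/private as in the snippet above.

```typescript
// Added example (not from the thread or the library): sealing a cookie value with
// AES-256-GCM so that tampering is detected. All names and the secret are assumptions.
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";

// Constructed demo secret; in SvelteKit this would be imported from $env/static/private.
const SESSION_KEY = "replace-me-with-a-long-random-secret";
const COOKIE_NAME = "discordAccessToken";

// Derive a fixed-length AES key from the passphrase-style secret with HKDF.
// The purpose label lets the same SESSION_KEY be reused for other jobs
// (e.g. a separate signing key) without reusing raw key bytes across primitives.
function deriveKey(secret: string, purpose: string): Buffer {
  return Buffer.from(hkdfSync("sha256", secret, "", purpose, 32));
}

const KEY = deriveKey(SESSION_KEY, "cookie-encryption-v1");

// seal(): base64url( iv || ciphertext || tag ). The cookie name is bound in as
// additional authenticated data, so a sealed value copied into a different
// cookie (or produced for a different cookie) fails to open.
export function seal(plaintext: string, cookieName = COOKIE_NAME, key = KEY): string {
  const iv = randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(cookieName, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte GCM authentication tag
  return Buffer.concat([iv, ct, tag]).toString("base64url");
}

// unseal(): returns the plaintext, or null if the value is malformed, was
// tampered with, or was sealed under a different key or cookie name.
export function unseal(sealed: string, cookieName = COOKIE_NAME, key = KEY): string | null {
  const buf = Buffer.from(sealed, "base64url");
  if (buf.length < 12 + 16) return null; // too short to hold iv + tag
  const iv = buf.subarray(0, 12);
  const tag = buf.subarray(buf.length - 16);
  const ct = buf.subarray(12, buf.length - 16);
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, iv);
    decipher.setAAD(Buffer.from(cookieName, "utf8"));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // GCM tag mismatch throws in final(); treat it as "no session"
  }
}

// Shows what authenticated encryption adds over bare AES: flipping one bit of
// the ciphertext makes unseal() fail instead of silently yielding altered data.
export function tamperIsDetected(): boolean {
  const sealed = seal("token-abc123");
  const raw = Buffer.from(sealed, "base64url");
  raw[12] ^= 0x01; // first ciphertext byte sits right after the 12-byte IV
  return unseal(raw.toString("base64url")) === null;
}
```

In the hook this replaces `aes.encrypt(...).toString()` with `seal(token)` and the decrypt branch with `unseal(value)`, where a null result is handled exactly like a missing cookie. The GCM tag does the job that crypto-js leaves out, so no separate HMAC is needed.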
I am interested too in getting this addressed. Please let us know your plans at least, so that we can either try to look for alternatives or wait for the fix. On the client side, user-profile and user-session related state is implemented and stored in an encrypted cookie using this library ... which I then read on the server to implement a few critical functionalities.
First of all, zencrypt uses the WebCrypto API under the hood, which SvelteKit already polyfills and which is available in the different environments Kit supports. It should also be faster than crypto-js, which might be more battle tested, for sure.
I marked your comment as off-topic because it's not what this issue was talking about.
I'm actually not sure what to do with the session store for now.
You can still access your sessions in the +page.server.js etc. files and return them for the client in the root +layout.server.js like so:
export const load = (event) => {
  return {
    session: event.locals.session.data // This could also use your previous getSession function
  };
};
Access them via:
<script>
  import { page } from "$app/stores";
  $: console.log($page.data.session);
</script>
I've updated the project to use the new Kit Routing and also gone ahead and updated the README accordingly.
I might consider adding a session store back, but I think that's kinda tricky.
@pixelmund ... A Date object is failing serialization if returned in the load response. check_serializability has kept Date out of consideration and so is throwing. The expires populated on event.locals.session.data is adding to this ... Any thoughts please?
@ranjanified expires is now excluded from the event.locals.session.data getter. It's still being tracked internally but doesn't get exposed to the user anymore; you can try it with version 3.1.2.
Thanks a lot 🙏 @pixelmund ... Indeed, with 3.1.2 it's working fine now!!!
Related Issues (20)
- Consider `SameSite=Lax` as a new default HOT 2
- Build Fails in Vercel HOT 2
- Could this work with @sveltejs/adapter-cloudflare? HOT 5
- Security of Hashing Algorithm HOT 3
- Is this safe against cookie theft and replay attacks after expiry? HOT 3
- Document cookie options HOT 2
- Session Cookie not being set in safari HOT 2
- Hook for setting initial session state HOT 2
- SvelteKit Session Cookie and Houdini HOT 1
- Version 3.3.0 compilation process is broken HOT 4
- Can't build when using env var as secret HOT 3
- Feat: Chunked cookies HOT 4
- Question: Svelte only compatible ? HOT 2
- Iniitalizing guide update HOT 1
- init() doesn't set initial cookie until set() or update() is called HOT 2
- Need to expire cookies in minutes instead of days. HOT 4
- Svelte 4? HOT 1
- Secure to pass sensitive session data to page?
- Add support for CHIPS via Partitioned cookie attribute