
validate cookies

Open huseeiin opened this issue 6 months ago • 6 comments

Describe the feature

just like validating query and body, some endpoints require you to have a certain cookie. like if you request the current signed in user info, you need an access_token cookie. could be named readValidatedCookies or getValidatedCookies with zod, valibot, etc.

Additional information

  • [ ] Would you be willing to help implement this feature?

huseeiin avatar Jun 24 '25 12:06 huseeiin

Validation of (JSON) body and (key-value object) query params is based on structured data.

How do you see validating (unstructured string) cookies?

pi0 avatar Jun 24 '25 17:06 pi0

> Validation of (JSON) body and (key-value object) query params is based on structured data.
>
> How do you see validating (unstructured string) cookies?

obviously convert the cookies to an object first (parse from cookie-es)

huseeiin avatar Jun 24 '25 18:06 huseeiin

Yes we can do that (although parsing all cookies also costs) but the value part is usually encoded.

Do you have a practical use case for yourself?

pi0 avatar Jun 25 '25 06:06 pi0

> Yes we can do that (although parsing all cookies also costs) but the value part is usually encoded.
>
> Do you have a practical use case for yourself?

you already parse all cookies from scratch with h3's parseCookies without caching them. i already had a use case in the original post. this feature is not weird or new, hono and elysia support validating cookies: https://hono.dev/docs/guides/validation https://elysiajs.com/essential/validation#cookie

huseeiin avatar Jun 25 '25 08:06 huseeiin

Thanks for the references, but my question is not answered regarding the practical use case of request cookie validation. If we introduce a utility (also for defineValidatedHandler), we need to show a practical example (I'm not against your idea).

For the case of authentication (via cookie), we do have a built-in session utility, and for any other custom auth solution, the utility or middleware that handles auth should already validate cookie values itself, so it is probably not the best example.

pi0 avatar Jun 25 '25 08:06 pi0

> Thanks for the references, but my question is not answered regarding the practical use case of request cookie validation. If we introduce a utility (also for defineValidatedHandler), we need to show a practical example (I'm not against your idea).
>
> For the case of authentication (via cookie), we do have a built-in session utility, and for any other custom auth solution, the utility or middleware that handles auth should already validate cookie values itself, so it is probably not the best example.

like storing the user's preferred language 🤔

huseeiin avatar Jun 25 '25 09:06 huseeiin
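
The approach discussed in this thread (parse the `Cookie` header into an object, then check it against a schema), applied to the preferred-language case, as an added example that is not part of the issue and not h3's API. `parseCookieHeader`, this `getValidatedCookies`, the `cookieSchema` shape and the language allowlist are assumptions made for illustration; a real handler would more likely pair h3's `parseCookies` with a zod or valibot schema.

```javascript
// Added example, not h3 code: both helper names are hypothetical.
function parseCookieHeader(header) {
  const out = Object.create(null); // no prototype, so "__proto__" is only a key
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue; // no "=" or empty name
    const name = part.slice(0, eq).trim();
    if (!name || name in out) continue; // policy chosen here: first occurrence wins
    let value = part.slice(eq + 1).trim();
    if (value.length > 1 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    try {
      out[name] = decodeURIComponent(value);
    } catch {
      out[name] = value; // malformed percent-encoding: keep raw, the schema rejects it
    }
  }
  return out;
}

const SUPPORTED_LANGS = new Set(["en", "de", "fr"]); // constructed allowlist

// Assumed schema shape: cookie name -> function that returns the clean value or throws.
const cookieSchema = {
  lang(value) {
    if (value === undefined) return "en"; // cookie absent: fall back to a default
    const tag = value.toLowerCase();
    if (!SUPPORTED_LANGS.has(tag)) throw new Error("unsupported language");
    return tag;
  },
};

function getValidatedCookies(header, schema) {
  const raw = parseCookieHeader(header);
  const data = {};
  const issues = [];
  // Only cookies named in the schema are returned; everything else is dropped.
  for (const [name, check] of Object.entries(schema)) {
    try {
      data[name] = check(raw[name]);
    } catch (err) {
      issues.push({ cookie: name, message: err.message });
    }
  }
  return issues.length ? { ok: false, issues } : { ok: true, data };
}
```

Because the cookie value is client-controlled, the handler only ever sees a value from the allowlist or a structured list of issues it can turn into a 400 response.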