[v5] plainCookie sets encrypted cookie

[rodymolenaar]

Hi everyone,
For authentication purposes I'm trying to set the bearer token as a plain cookie, so the frontend can read it and send it back as an authorization header.

Here's my login handler:

public async login({ auth, request, response }: HttpContextContract) {
  const email = request.input("email");
  const password = request.input("password");

  const token = await auth.use("api").attempt(email, password);

  response.plainCookie("authorization", `Bearer ${token.token}`, {
    sameSite: "lax",
    httpOnly: false,
    secure: false,
  });

  return token.toJSON();
}

This is the set-cookie header on the response according to DevTools:

set-cookie: authorization=eyJtZXNzYWdlIjoiQmVhcmVyIE16RS50SkhfY3RadTJ4VVNGeFlYNWlsOVVLNTN0Y2ZxeHF5OERnRUpIYW5SR05MUXdKWjJhTDhMU2dUVmdwQTAifQ; Max-Age=7200; Path=/; SameSite=Lax

The cookie seems to be encrypted, even though I used the plainCookie method.

Am I doing something wrong, or is this how plainCookie works?

[thetutlage]

Hey. The cookie is not encrypted, just base64 encoded to avoid encoding issues, since with AdonisJS you can pass any datatype (Arrays, Objects) to cookies. So it is required to base64 encode them.

Just run the following code to get the cookie value.

JSON.parse(window.atob('eyJtZXNzYWdlIjoiQmVhcmVyIE16RS50SkhfY3RadTJ4VVNGeFlYNWlsOVVLNTN0Y2ZxeHF5OERnRUpIYW5SR05MUXdKWjJhTDhMU2dUVmdwQTAifQ'))