fix: set cookie options when setting cookies in server actions

[devjmetivier]

This fixes setServerActionCookie by passing along the merged cookie options to the downstream cookie handler.

[renchris]

Hi. The cookie options are passed when the get session object is initialized.

In the example code, you can look at examples/next/lib/session.ts to see that we pass sessionOptions: IronSessionOptions as one of the parameters when we create the Iron Session object.

export const sessionOptions: IronSessionOptions = {
  password: 'change-this-this-is-not-a-secure-password',
  cookieName: 'cookieNameInBrowser',
  cookieOptions: {
    secure: process.env.NODE_ENV === 'production',
  },
}

...

const getSession = async (req: Request, res: Response) => {
  const session = getIronSession<IronSessionData>(req, res, sessionOptions)
  return session
}

const getServerActionSession = async () => {
  const session = getServerActionIronSession<IronSessionData>(sessionOptions, cookies())
  return session
}

In the core library code, you can see the options that we gave as the parameter are passed through in the initializing body on line 389

const options = mergeOptions(userSessionOptions)

and in the save function that is merged with the save options on line 398

const mergedOptions = mergeOptions(userSessionOptions, saveOptions)

and in the destroy function that is merged with the destroy options on line 419

const mergedOptions = mergeOptions(userSessionOptions, destroyOptions)

So you must set your cookie options of type IronSessionOptions when you initialize your Iron Session object and you may include options of type OverridableOptions = Pick<IronSessionOptions, 'cookieOptions' | 'ttl'> as the optional parameter of saveOptions when you call .save() or the optional parameter of destroyOptions when you call .destroy().

[devjmetivier]

@renchris

The cookie options are passed when the get session object is initialized.

I understand, and apologies for the confusion if what I've presented is unclear. The implementation is correctly merging options downstream. However, it's not using merged options when calling save():

iron-session/src/core.ts

Line 408 in a9932d7

setServerActionCookie(cookieValue, cookieHandler)

There should be a third option passed to setServerActionCookie() to actually apply the options when calling save() and setting the cookie.

☝️ That is what this PR addresses:

https://github.com/renchris/iron-session/pull/1/files#diff-033ecd338eec0994fe53c0896219baee901e20068b8fbe6259a23d5759584b06R412

https://github.com/renchris/iron-session/pull/1/files#diff-033ecd338eec0994fe53c0896219baee901e20068b8fbe6259a23d5759584b06R173

[devjmetivier]

I could also provide a repro if the problem is still unclear. Let me know 😁

[devjmetivier]

@renchris Anymore context I can provide here to get this merged? This is otherwise going to be listed as a bug.

[dsbrianwebster]

@renchris I can confirm what @devjmetivier is reporting does in fact appear to be an issue.

[renchris]

Hey Devin. Ah, I see and understand. Great catch!

I made the changes for the fix along with updated documentation and type definitions. We no longer need the extractCookieComponents and setServerActionCookie helper functions and now .set() directly in the .save() and .destroy() functions.

Thank you!