curveball/session

When specifying cookieOptions, the middleware should keep any default setting that wasn't overridden.

Opened this issue · 0 comments

evert commented

If a user provides cookieOptions, we throw out all defaults.

  const cookieOptions = options.cookieOptions || {
    path: '/',
    sameSite: 'lax',
    httpOnly: true,
  };

Instead we should keep all defaults and only use values that a user explicitly provided:

  const cookieOptions = {
    path: '/',
    sameSite: 'lax',
    httpOnly: true,
    ...options.cookieOptions
  };

cc @defrex