How to pass and validate cookies (server<>server) ? (RPC)

I use SvelteKit and Hono as an external API. Most requests coming from the UI are done through XHR, but some requests (like token validation) are done from SvelteKit server-side to the Hono API.

- When the user logs in, a cookie is set on the client (secure, lax).
- When the user closes and re-opens the site, the token is validated with a server hook.

SvelteKit sees the cookies and makes a request to Hono, but Hono doesn't see the cookies (obviously). I don't want to store too much information in localStorage, so a page refresh requires token decryption.

I'm looking for a way to pass down those cookies from the Svelte server to the Hono API, but that endpoint might also be called from a browser or something, so for security reasons I'd prefer not to use JSON to pass the data. Cookies are the way to go here.

Validator:
```ts
validator('cookie', async (value, c) => {
  const body = value;
  console.log('BODY', value);

  const parsed = authnLoginWithTokenCookieSchema.safeParse(body);
  if (!parsed.success) {
    return c.json(
      {
        error: parsed.error
      },
      401
    );
  }
  // TODO * Check IP ban, Validate token, validate data, validate blocklist
  return {
    body: parsed.data
  };
}),
```
Client call:
```ts
const validateToken = await hono.auth.withToken
  .$post({
    cookie: {
      body: {
        /**
         * Type '{}' is not assignable to type 'string'.ts(2322)
         * The expected type comes from property 'body' which is declared here on type '{ body: string; }'
         */
      }
    }
  })
  .then((r) => r.json());
```
3 Replies
JustUseFirefox
I'll just resort to a JSON body and make sure the request is coming from a known internal IP.
Steven-sensei, 4w ago
Cookie is web-native and should be set by the server; I don't get what you want to do. You need to set the fetch of honoClient to include credentials. For example:
```ts
export const $api = hc<AppRoutes>('http://localhost:3000', {
  init: {
    credentials: 'include',
  },
})
```
JustUseFirefox
I understand, but in this case, the Hono client is called on the server (SSR side). I realised this is by design cookie-side. The client has the cookies, and the Svelte server receives them. I then need to pass them from the Svelte server side to the Hono API in a nice way... But I just resorted to a JSON post and pass them there with some checks.
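
Added example, not part of the thread: one way to do what the question asks, forwarding only an allowlisted cookie from the SSR server to the API as a normal `Cookie` header, so the API's cookie validator reads it the same way it would from a browser. The cookie name `body` is taken from the type error in the question; the function names and the sample header are constructed for illustration.

```javascript
// Constructed sample of what the SSR server receives from the browser.
const SAMPLE_INCOMING = 'theme=dark; body=abc.def-123; _ga=GA1.2.3';

// Parse a Cookie request header into a Map (first occurrence of a name wins).
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue; // skip empty or nameless pairs
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name && !jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// Unquoted cookie-octets from RFC 6265: no control characters, space,
// double quote, comma, semicolon or backslash.
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// Build the headers for the server-to-server call. Only allowlisted cookies
// are copied, so unrelated cookies (analytics, preferences) never reach the API,
// and values that could split or extend the header are dropped.
function buildForwardHeaders(incomingCookieHeader, allowlist) {
  const jar = parseCookieHeader(incomingCookieHeader);
  const pairs = [];
  for (const name of allowlist) {
    const value = jar.get(name);
    if (value === undefined) continue;
    if (!COOKIE_VALUE.test(value)) continue;
    pairs.push(`${name}=${value}`);
  }
  return pairs.length ? { cookie: pairs.join('; ') } : {};
}

// API side: read the token from the Cookie header, whoever sent it.
function readTokenCookie(cookieHeader, name) {
  const value = parseCookieHeader(cookieHeader).get(name);
  return value === undefined ? null : value;
}

const forwarded = buildForwardHeaders(SAMPLE_INCOMING, ['body']);
console.log(forwarded); // headers to attach to the SSR -> API request
console.log(readTokenCookie(forwarded.cookie, 'body'));
```

In a SvelteKit server hook the input is `event.request.headers.get('cookie')`, and the returned object can be passed as the `headers` option of `hc`.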