Categories
Express JavaScript Nodejs

Parse Cookies in Requests in Express Apps with Cookie-Parser

Spread the love

By default, Express 4.x or later doesn’t come with any middleware to parse cookies.

To do this, we can add the cookie-parser middleware.

In this article, we’ll look at how to use it to parse cookies sent with requests.

Adding the Package

We can install the package by running:

npm install cookie-parser

Then we can write:

const express = require('express')  
const cookieParser = require('cookie-parser')  
  
const app = express()  
app.use(cookieParser())

to add the middleware to our app.

Methods

cookieParser(secret, options)

The cookie-parser middleware’s cookieParser function takes a secret string or array of strings as the first argument and an options object as the second argument.

The secret is optional. If it’s not specified it won’t parse signed cookies. If a string is provided, it’ll be used as the secret. If an array of strings is provided, then each secret will be tried for decoding the signed cookie

options is an object that is passed into the cookie.parse as the second option.

cookieParser.JSONCookie(str)

The JSONCookie parses a JSON cookie. This returns the pared JSON value if it’s a JSON cookie. It’ll return the passed value otherwise.

cookieParser.JSONCookies(cookies)

The method will iterate over the keys and call JSONCookie on each value and replace the original value with the parsed value. This returns the same object that’s passed in.

cookieParser.signedCookie(str, secret)

signedCookie parses a cookie as a signed cookie. It’ll return the parsed unsigned value if it was a signed cookie and the signature is valid. If the value wasn’t signed, then the original value is returned. If the value is signed but the cookie can’t be validated with the secret, then false is returned.

cookieParser.signedCookies(cookies, secret)

This method will iterate over the keys and check if any value is a signed cookie. If it’s signed and the signature is valid, then the key will be deleted from the object and added to the new object that’s returned.

The secret can be an array or string. If it’s a string, then it’ll check against the string secret. Otherwise, each cookie will be checked with each string in the array.

The JSONCookie, JSONCookies, signedCookie and signedCookies methods will be automatically invoked depending on the type of cookie sent from the client. Parsing Unsigned Cookies

A simple example is parsing unsigned cookies as follows:

const express = require('express');  
const bodyParser = require('body-parser');  
const cookieParser = require('cookie-parser');  
const app = express();
app.use(bodyParser.json());  
app.use(cookieParser());
app.get('/', (req, res) => {  
  res.send(req.cookies);  
});
app.listen(3000);

Then when we send a GET request with the Cookie header’s value set to foo=bar , then we get:

{  
    "foo": "bar"  
}

as the response since req.cookies has the parsed cookie.

Parsing Signed Cookies

We can send a signed cookie and parse it as follows:

const express = require('express');  
const bodyParser = require('body-parser');  
const cookieParser = require('cookie-parser');  
const app = express();  
const secret = 'secret';
app.use(bodyParser.json());  
app.use(cookieParser(secret));
app.get('/cookie', (req, res) => {  
  res  
    .cookie('foo', 'bar', { signed: true })  
    .send();  
});
app.get('/', (req, res) => {    
  res.send(req.signedCookies);  
});
app.listen(3000);

The code has the /cookie endpoint to send the signed cookie to the client.

{ signed: true }

will make Express sign the cookie.

Then from the client, when we make a request to / , we get the signed cookie via req.signedCookies and so we get:

{  
    "foo": "bar"  
}

as the response from / .

Conclusion

We can use the cookie-parser middleware to parse the cookies.

It can parse both signed and unsigned cookies. To parse a signed cookie, we just have to sign our cookie with a secret and then cookie-parser can decode the cookie if we pass in the secret to the cookieParser middleware function.

The JSONCookie, JSONCookies, signedCookie and signedCookies methods will be automatically invoked depending on the type of cookie sent from the client.

Leave a Reply

Your email address will not be published.

If you like the content of this blog, subscribe to my email list to get exclusive articles not available to anyone else.