feat!: enforce headers parameter on setAll cookie method #205

Open
mandarini wants to merge 1 commit into main from feat/enforce-setall-headers-param

@mandarini mandarini commented Apr 24, 2026

Summary

Adds a runtime check that throws at client creation time if the user-provided setAll callback declares fewer than two parameters. This enforces that users accept the headers second argument introduced in v0.10.0, which carries cache-control headers (Cache-Control, Expires, Pragma) that must be forwarded to the HTTP response after token refreshes.

Without this enforcement, TypeScript silently allows setAll(cookies) { ... } to satisfy the (cookies, headers) => void type, so users who copy an outdated snippet or skip the changelog never apply the cache headers. CDNs can then cache authenticated responses and serve one user's session token to another.

What changed

  • src/cookies.ts -- Added Function.length arity check at the single point where user-provided setAll enters the system. If setAll.length < 2, an error with a clear message and docs link is thrown immediately. Library-controlled setAll implementations (deprecated get/set/remove wrapper, warning stubs, document.cookie adapter) are not checked.
  • src/cookies.spec.ts -- Updated 14 test mocks to declare both parameters. Added 5 new tests covering: zero-param throws (server), one-param throws (server), zero-param throws (browser), two-param passes, deprecated get/set/remove path is unaffected.
  • src/createServerClient.spec.ts -- Updated 10 test mocks to declare both parameters.

Breaking change

setAll must now declare two parameters (cookies, headers). Existing implementations that only declare one parameter will throw on upgrade. Since the package is on 0.x, this ships as a minor bump (0.11.0) per semver conventions.

Context

@mandarini mandarini force-pushed the feat/enforce-setall-headers-param branch from 4cdbd38 to b861c72 April 24, 2026 07:43
@mandarini mandarini marked this pull request as ready for review April 24, 2026 07:44
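
The arity check described in the summary above, sketched as an added example that is not the code in src/cookies.ts; `checkSetAllArity`, `classify`, `forwardingSetAll` and the sample callbacks are hypothetical names. It also shows what `Function.length` does and does not count, which decides which callbacks such a check accepts.

```javascript
// Added example; checkSetAllArity, classify, forwardingSetAll and the samples are
// hypothetical names, not identifiers from src/cookies.ts.

// Reject callbacks that declare fewer than two parameters (the check the PR describes).
function checkSetAllArity(setAll) {
  if (typeof setAll !== "function") throw new TypeError("setAll must be a function");
  if (setAll.length < 2) {
    throw new Error(`setAll must declare (cookies, headers); got ${setAll.length} parameter(s)`);
  }
}

// Constructed sample callbacks.
const samples = {
  // Outdated snippet: never receives the cache headers. length === 1
  oneParam: function (cookies) {},
  // Declares both parameters. length === 2
  twoParams: function (cookies, headers) {},
  // Function.length stops at the first default value. length === 1
  defaultSecond: function (cookies, headers = {}) {},
  // Rest parameters are not counted. length === 0
  restArgs: function (...args) {},
  // Declares headers but never applies them. length === 2
  ignoresHeaders: function (cookies, _headers) { return cookies.length; },
};

// Run the check over each callback and record the outcome.
function classify(callbacks) {
  const result = {};
  for (const [name, fn] of Object.entries(callbacks)) {
    try { checkSetAllArity(fn); result[name] = "accepted"; }
    catch (err) { result[name] = "rejected"; }
  }
  return result;
}

// A callback that passes the check and forwards every header it is given.
// `response` is a Map standing in for a framework response object (assumption).
function forwardingSetAll(response) {
  return function setAll(cookies, headers) {
    for (const [name, value] of Object.entries(headers)) response.set(name, value);
  };
}

console.log(classify(samples));
```

A callback with a defaulted or rest second parameter is rejected even though it would receive the headers, and a two-parameter callback that ignores them is accepted, so a check of this kind catches outdated snippets rather than proving the headers reach the response.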