allow to configure toInternalRequest to not decode the value of cookies

[krzysztof-kabat-mns]

Description 📓

/packages/core/src/lib/web.ts is converting request to internal request using toInternalRequest and as a part of this conversion its also parsing cookies using cookies npm module. The issue we discovered is that when parsing those cookies it also uses decodeURIComponent. This however can cause an issue in situations where the value of the cookie is not encoded with encodeURIComponent but for example some similar encoder that happens to use % encoding. The result is that the cookie value will be corrupted.

The preferred way would be either to not decode that value and leave it as is for user to consume.

If its not possible for backward compatibility reasons, please allow a configuration parameter that can specify a decoding function, where user can specify no-op function.

One potential way would be to pass the config:

export interface AuthConfig {
  /**
   * Function passed to parseCookies used to decode the value of the cookie
   *
   * @default undefined
   */
 decodeCookieValue?: (cookieValue: any) => any

export async function Auth(
  request: Request,
  config: AuthConfig
): Promise<Response> {
  setLogger(config.logger, config.debug)

  const internalRequest = await toInternalRequest(request, config)
  if (internalRequest instanceof Error) {
    logger.error(internalRequest)
    return new Response(
      `Error: This action with HTTP ${request.method} is not supported.`,
      { status: 400 }
    )
  }

export async function toInternalRequest(
  req: Request,
  config: AuthConfig
): Promise<RequestInternal | AuthError> {
  try {

  // (...)

    return {
      url,
      action,
      providerId,
      method: req.method,
      headers: Object.fromEntries(req.headers),
      body: req.body ? await getBody(req) : undefined,
      cookies: parseCookie(req.headers.get("cookie") ?? "", { decode: config.decodeCookieValue}) ?? {},
      error: url.searchParams.get("error") ?? undefined,
      query: Object.fromEntries(url.searchParams),
    }
  } catch (e) {
    return e as Error
  }
}

How to reproduce ☕️

1. Have a cookie with non standard encoding like +donotdecodetoken%2B
2. use req.cookies to read the value.

Expected outcome:

• value is equal exactly to +donotdecodetoken%2B

Actual outcome:

• value is equal to +donotdecodetoken+ which is exactly decodeURIComponent('+donotdecodetoken%2B')

Contributing 🙌🏽

Yes, I am willing to help implement this feature in a PR