Loopback-next: Signed Cookies out of the box

Created on 19 Oct 2020 · 5 Comments · Source: strongloop/loopback-next

Suggestion

It's a bit related to https://github.com/strongloop/loopback-next/issues/3589.
I would like an easy way to use signed cookies out of the box.

Use Cases

I am trying to implement a cookie-based auth system, the most secure possible, with httpOnly=true + SameSite = 'strict' + secure cookie (https) + signed cookie + domain set. The problem is, when trying to use signed cookies, I have an Express error:

Error: cookieParser("secret") required for signed cookies
    at ServerResponse.res.cookie (C:\Users\Maison\Desktop\sloth\sloth-server\node_modules\express\lib\response.js:837:11)
    at AccountController.login (C:\Users\Maison\Desktop\sloth\sloth-server\src\controllers\account.controller.ts:140:18)
    at C:\Users\Maison\Desktop\sloth\sloth-server\node_modules\@loopback\rest\src\providers\invoke-method.provider.ts:53:24
    at C:\Users\Maison\Desktop\sloth\sloth-server\node_modules\@loopback\express\src\middleware-interceptor.ts:131:19
    at C:\Users\Maison\Desktop\sloth\sloth-server\node_modules\@loopback\express\src\middleware-interceptor.ts:131:19
    at C:\Users\Maison\Desktop\sloth\sloth-server\node_modules\@loopback\rest\src\providers\send.provider.ts:46:24
    at MiddlewareSequence.handle (C:\Users\Maison\Desktop\sloth\sloth-server\node_modules\@loopback\rest\src\sequence.ts:291:5)
    at HttpHandler._handleRequest (C:\Users\Maison\Desktop\sloth\sloth-server\node_modules\@loopback\rest\src\http-handler.ts:121:5)

cookieParser() returns e.RequestHandler<ParamsDictionary, any, any, QueryString.ParsedQs>
I tried to use cookie-parser with app.middleware but I am unable to set it properly. I tried this, based on the example in the documentation:

import {Middleware} from '@loopback/express';
import cookieParser from 'cookie-parser';

const cookies: Middleware = async (middlewareCtx, next) => {
  // Express handler that parses (and verifies) signed cookies with SECRET
  const requestHandler = cookieParser(SECRET);
  const {request, response} = middlewareCtx;
  // Hand the Express handler LoopBack's `next` (this is where the Next vs
  // NextFunction type mismatch shows up)
  requestHandler(request, response, next);
  console.log('Request: %s %s', request.method, request.originalUrl);
  try {
    // Proceed with next middleware
    await next();
    // Process response
    console.log(
      'Response received for %s %s',
      request.method,
      request.originalUrl,
    );
  } catch (err) {
    // Catch errors from downstream middleware
    console.error(
      'Error received for %s %s',
      request.method,
      request.originalUrl,
    );
    throw err;
  }
};

But it doesn't work. Also there is a type problem: the next function has type Next and the requestHandler from cookieParser wants type NextFunction.

Examples

From what I see, this option should only give something like securedCookie(SECRETKEY) or even a loopback option: cookieSecure = true/false, with a secret key that could be generated at server launch. This way only the server at runtime will be able to decode the signed cookie, without any possibility to get the key, as there is a new key generated at server start-up.

It means that if the server is restarted, secured cookies will be unable to be read, meaning there should be some system to reset cookies in case of a server restart => for example having another public uuid associated with the cookie but totally disconnected from the SECRET, which will indicate to the server if the cookie is secured from another restart, so the server can reset cookies and ask for a new connection.

Acceptance criteria

TBD - will be filled by the team.

feature

All 5 comments

You can directly register an Express middleware using app.expressMiddleware() - we wrap it into a Middleware behind the scenes.

Thank you, it seems like what I need, but does this add some performance issues?

Wouldn't it be better, performance-wise, to have signed cookies be part of loopback instead of a middleware using express?

I am just asking since signed cookie requests are going to be used at almost every request.

Adding an Express middleware to handle cookies won't add too much overhead. Please note that the Express middleware will be adapted to be a LoopBack middleware to be part of the sequence middleware chain.

Ok, I will try that, thanks a lot for your prompt response. If I don't add any update about performance here, it means that requests are handled fast enough for my use.
