default signed or not when keys present

[dead-horse]

https://github.com/pillarjs/cookies/blob/master/lib/cookies.js#L74
https://github.com/pillarjs/cookies/blob/master/lib/cookies.js#L92

const cookies = new Cookies(req, res, ['key', 'keys']);

cookies.set('key', 'value'); // won't be signed
cookies.set('key', 'value', { maxAge: 100 }); // will be signed

not sure if we should make them all be signed or not be signed, and both will break people's code.

[dougwilson]

Hi @dead-horse yes, both of those should behave the same (signed in this case), so them behaving different depending on the presence of the options is a bug.

[dougwilson]

The docs would suggest the correct functionality is that the sig cookie should only be there for an explicit signed: true.

[fengmk2]

Fix this bug in the next major version, yep.

[dougwilson]

I was just re-looking at this issue, and looked at the original implementation in b1322b6 and the discussion in #10 and it looks like the intended behavior is: honor the provided signed option, and default to signed if the library has keys, otherwise unsigned. The commit shows where the mistake came from in the original implementation, where the opts should have been removed in that second if.

[dougwilson]

For now, I removed the fix on master to release one more 0.x version, and will defer this to the 1.x release due to breaking issues.