Can we set cookies from server actions?

[jkhaui]

Congrats on the release of server actions! I'm trying them out because they could genuinely solve key challenges right now trying to implement auth with Waku.

My question is simply whether we can set cookies within a server action function.

But for further context, feel free to keep reading. I've tried to provide some value by summarising my current understanding of modern best practices for PKCE (server-side) auth flows in React frameworks.

• auth libs typically rely on the concept of auth "sessions" that are stored as JWTs within cookies
• said cookies are essential for setting and transmitting auth state between the browser, server, and RSCs
• in Waku, we can only set cookies within middleware (by manipulating res.headers['set-cookie'] = ...)
• cookies can't be set from RSCs (even in next.js, you can't manipulate cookies in RSCs either)
• but... in next.js, you can set cookies from server actions
• The above is the key point because many auth libraries (e.g supabase) tell you to set cookies from a server action when signing in a user in next

Because I can't replicate this pattern in Waku, I'm forced into a hacky workaround involving multiple redirects (with auth data transferred using query params) and then using custom middleware to perform auth logic. This has its own set of problems and isn't a robust solution.

But if we can set cookies in server actions, all our auth woes could be solved forever 😁

Sounds like we're close so I'm super excited - nice work again

[dai-shi]

In Waku, cookies can be set even with server components through the middleware as long as the HTTP headers are not sent yet.
Same applies to server actions. But, server actions are safe, because we don't send HTTP headers until the server action ends.
We need to consider carefully how we provide the cookie middleware, but in the meantime, you can experiment with your custom middleware.
That said, with #852, we can set cookie too. Give it a try.
(I'm struggling with restriction and flexibility balance.)

[jkhaui]

Awesome, appreciate the fast reply as always.

Was just playing around with the 0.21.1 release and #852 explains why I was pleasantly surprised seeing the hono_context now exposed! Love the rapid development this framework is making.

I'll experiment and see what is achievable with this new context & server actions