fix: handle Infinity/NaN maxAge in res.cookie() without crashing

[Mohammad-Faiz-Cloud-Engineer]

Noticed that passing { maxAge: Infinity } to res.cookie() throws an unhandled TypeError: option maxAge is invalid from the cookie package. The old !isNaN() check passes for Infinity (since it's not NaN), so the code tries to compute Math.floor(Infinity / 1000) and passes Infinity straight to cookie.serialize(), which rightfully rejects it.

Same issue with NaN and -Infinity.

The fix adds an early guard: if maxAge is a number and non-finite (Infinity, -Infinity, NaN), just delete it from opts so the cookie falls back to a session cookie (no Max-Age). Non-numeric garbage like 'foobar' still throws as before that path is unchanged.

Checked all edge cases manually and ran the suite a few times 1249 passing, 0 failing.

[Ap-0007]

Thanks for the contribution! Handling non-finite values like Infinity, -Infinity, and NaN in res.cookie is a great safety enhancement.

However, checking typeof opts.maxAge === 'number' introduces a regression for string representations of non-finite numbers (like 'Infinity').

The Bug

Since maxAge = opts.maxAge - 0 is coerced to a number before the check:

1. If a user passes res.cookie('name', 'val', { maxAge: 'Infinity' }), typeof opts.maxAge is 'string'.
2. This bypasses the new guard block (typeof opts.maxAge === 'number' && !isFinite(maxAge)).
3. The code then falls into the else if (!isNaN(maxAge)) block because !isNaN(Infinity) is true.
4. It sets opts.expires = new Date(Date.now() + Infinity) (which is Invalid Date) and opts.maxAge = Infinity.
5. This is then passed to the cookie package, causing it to throw a TypeError: option maxAge is invalid or produce an invalid date—exactly what the PR seeks to prevent.

Suggested Fix

We can check maxAge (which has already been coerced to a number) instead of typeof opts.maxAge:

    if (maxAge === Infinity || maxAge === -Infinity || (typeof opts.maxAge === 'number' && isNaN(maxAge))) {
      // strip non-finite numeric maxAge (Infinity, -Infinity, NaN)
      delete opts.maxAge
    } else if (!isNaN(maxAge)) {
      opts.expires = new Date(Date.now() + maxAge)
      opts.maxAge = Math.floor(maxAge / 1000)
    }

This correctly handles both numeric and string representations of Infinity/-Infinity, correctly ignores the number NaN, and still allows invalid string garbage like 'foobar' to flow through to the cookie package and throw as expected.

[Mohammad-Faiz-Cloud-Engineer]

Done Brother, Now Check

[notadev99]

Nice catch on the root cause — !isNaN() passing for Infinity is a real gap, and the fix is appropriately minimal. Two things before this is ready:

Tests. This changes observable behavior (Infinity/-Infinity/NaN now produce a session cookie instead of throwing), but nothing covers it. Could you add cases to the res.cookie tests asserting that maxAge: Infinity, -Infinity, and NaN set a session cookie (no Max-Age) without throwing — and one pinning that maxAge: 'foobar' still throws, so the intentional "leave non-numeric strings alone" behavior is locked in?

String 'Infinity' vs 'foobar'. Since maxAge is already coerced (opts.maxAge - 0), the string 'Infinity' coerces to Infinity and gets silently dropped to a session cookie, while 'foobar' coerces to NaN, fails the typeof guard, and throws. Two non-numeric strings, two outcomes. If that's intended, a one-line comment would save the next maintainer some confusion; if not, worth deciding whether 'Infinity' should throw too.

Logic looks correct otherwise.