Support ambiguous key presence

[isaacs]

It'd be nice if cookies didn't try to sign things when no keygrip is supplied, or if {signed:true} were the default when keys are present.

That way, you could have code that just passes in {signed:true} all the time, or never, and if keys are there or are not there, it will work as good as it can.

[jed]

perhaps a better idea would be to remove keygrip altogether, and instead have keygrip require cookies and provide a identical API but signed-only cookie implementation. thoughts?

[isaacs]

Well, keygrip itself seems like a rather nice set of generic functionality. And having cookies just take a interface-following thing as an argument seems well factored.

The thing is, I'm doing something like this in my app:

if (config.keys) {
  config.keys = new Keygrip(config.keys)
}

// .. then later ..

req.cookies = res.cookies = new Cookies(req, res, config.keys)

And, really, I want keys to be signed by default if there's keys, and not signed by default if there aren't. So I end up doing dumb stuff like this:

res.cookie.set(key, val, { signed: config.keys })

I'll send a pull req. I was just being lazy, it's a trivial change.