@fastify/cookie 9.0.4 → 9.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.gitattributes +2 -0
- package/README.md +83 -1
- package/cookie.js +231 -0
- package/package.json +6 -5
- package/plugin.js +19 -27
- package/signer.js +2 -2
- package/test/cookie-module.test.js +205 -0
- package/test/cookie.test.js +41 -2
- package/test/signer.test.js +1 -1
- package/types/plugin.d.ts +1 -1
- package/types/plugin.test-d.ts +1 -0
package/.gitattributes
ADDED
package/README.md
CHANGED
|
@@ -77,7 +77,89 @@ app.register(cookie, {
|
|
|
77
77
|
- An `Array` can be passed if key rotation is desired. Read more about it in [Rotating signing secret](#rotating-secret).
|
|
78
78
|
- More sophisticated cookie signing mechanisms can be implemented by supplying an `Object`. Read more about it in [Custom cookie signer](#custom-cookie-signer).
|
|
79
79
|
|
|
80
|
-
- `parseOptions`: An `Object` to
|
|
80
|
+
- `parseOptions`: An `Object` to modify the serialization of set cookies.
|
|
81
|
+
|
|
82
|
+
#### parseOptions
|
|
83
|
+
|
|
84
|
+
##### domain
|
|
85
|
+
|
|
86
|
+
Specifies the value for the [`Domain` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.3). By default, no
|
|
87
|
+
domain is set, and most clients will consider the cookie to apply to only the current domain.
|
|
88
|
+
|
|
89
|
+
##### encode
|
|
90
|
+
|
|
91
|
+
Specifies a function that will be used to encode a cookie's value. Since value of a cookie
|
|
92
|
+
has a limited character set (and must be a simple string), this function can be used to encode
|
|
93
|
+
a value into a string suited for a cookie's value.
|
|
94
|
+
|
|
95
|
+
The default function is the global `encodeURIComponent`, which will encode a JavaScript string
|
|
96
|
+
into UTF-8 byte sequences and then URL-encode any that fall outside of the cookie range.
|
|
97
|
+
|
|
98
|
+
##### expires
|
|
99
|
+
|
|
100
|
+
Specifies the `Date` object to be the value for the [`Expires` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.1).
|
|
101
|
+
By default, no expiration is set, and most clients will consider this a "non-persistent cookie" and
|
|
102
|
+
will delete it on a condition like exiting a web browser application.
|
|
103
|
+
|
|
104
|
+
**Note:** the [cookie storage model specification](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) states that if both `expires` and
|
|
105
|
+
`maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,
|
|
106
|
+
so if both are set, they should point to the same date and time.
|
|
107
|
+
|
|
108
|
+
##### httpOnly
|
|
109
|
+
|
|
110
|
+
Specifies the `boolean` value for the [`HttpOnly` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.6). When truthy,
|
|
111
|
+
the `HttpOnly` attribute is set, otherwise it is not. By default, the `HttpOnly` attribute is not set.
|
|
112
|
+
|
|
113
|
+
**Note:** be careful when setting this to `true`, as compliant clients will not allow client-side
|
|
114
|
+
JavaScript to see the cookie in `document.cookie`.
|
|
115
|
+
|
|
116
|
+
##### maxAge
|
|
117
|
+
|
|
118
|
+
Specifies the `number` (in seconds) to be the value for the [`Max-Age` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.2).
|
|
119
|
+
The given number will be converted to an integer by rounding down. By default, no maximum age is set.
|
|
120
|
+
|
|
121
|
+
**Note:** the [cookie storage model specification](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) states that if both `expires` and
|
|
122
|
+
`maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,
|
|
123
|
+
so if both are set, they should point to the same date and time.
|
|
124
|
+
|
|
125
|
+
##### partitioned
|
|
126
|
+
|
|
127
|
+
Specifies the `boolean` value for the [`Partitioned` `Set-Cookie`](https://datatracker.ietf.org/doc/html/draft-cutler-httpbis-partitioned-cookies#section-2.1)
|
|
128
|
+
attribute. When truthy, the `Partitioned` attribute is set, otherwise it is not. By default, the
|
|
129
|
+
`Partitioned` attribute is not set.
|
|
130
|
+
|
|
131
|
+
⚠️ **Warning:** [This is an attribute that has not yet been fully standardized](https://github.com/fastify/fastify-cookie/pull/261#issuecomment-1803234334), and may change in the future without reflecting the semver versioning. This also means many clients may ignore the attribute until they understand it.
|
|
132
|
+
|
|
133
|
+
More information about can be found in [the proposal](https://github.com/privacycg/CHIPS).
|
|
134
|
+
|
|
135
|
+
##### path
|
|
136
|
+
|
|
137
|
+
Specifies the value for the [`Path` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.4). By default, the path
|
|
138
|
+
is considered the ["default path"](https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.4).
|
|
139
|
+
|
|
140
|
+
##### sameSite
|
|
141
|
+
|
|
142
|
+
Specifies the `boolean` or `string` to be the value for the [`SameSite` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7).
|
|
143
|
+
|
|
144
|
+
- `true` will set the `SameSite` attribute to `Strict` for strict same site enforcement.
|
|
145
|
+
- `false` will not set the `SameSite` attribute.
|
|
146
|
+
- `'lax'` will set the `SameSite` attribute to `Lax` for lax same site enforcement.
|
|
147
|
+
- `'none'` will set the `SameSite` attribute to `None` for an explicit cross-site cookie.
|
|
148
|
+
- `'strict'` will set the `SameSite` attribute to `Strict` for strict same site enforcement.
|
|
149
|
+
|
|
150
|
+
More information about the different enforcement levels can be found in
|
|
151
|
+
[the specification](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7).
|
|
152
|
+
|
|
153
|
+
**Note:** This is an attribute that has not yet been fully standardized, and may change in the future.
|
|
154
|
+
This also means many clients may ignore this attribute until they understand it.
|
|
155
|
+
|
|
156
|
+
##### secure
|
|
157
|
+
|
|
158
|
+
Specifies the `boolean` value for the [`Secure` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.5). When truthy,
|
|
159
|
+
the `Secure` attribute is set, otherwise it is not. By default, the `Secure` attribute is not set.
|
|
160
|
+
|
|
161
|
+
**Note:** be careful when setting this to `true`, as compliant clients will not send the cookie back to
|
|
162
|
+
the server in the future if the browser does not have an HTTPS connection.
|
|
81
163
|
|
|
82
164
|
## API
|
|
83
165
|
|
package/cookie.js
ADDED
|
@@ -0,0 +1,231 @@
|
|
|
1
|
+
/*!
|
|
2
|
+
* Adapted from https://github.com/jshttp/cookie
|
|
3
|
+
*
|
|
4
|
+
* (The MIT License)
|
|
5
|
+
*
|
|
6
|
+
* Copyright (c) 2012-2014 Roman Shtylman <shtylman@gmail.com>
|
|
7
|
+
* Copyright (c) 2015 Douglas Christopher Wilson <doug@somethingdoug.com>
|
|
8
|
+
*
|
|
9
|
+
* Permission is hereby granted, free of charge, to any person obtaining
|
|
10
|
+
* a copy of this software and associated documentation files (the
|
|
11
|
+
* 'Software'), to deal in the Software without restriction, including
|
|
12
|
+
* without limitation the rights to use, copy, modify, merge, publish,
|
|
13
|
+
* distribute, sublicense, and/or sell copies of the Software, and to
|
|
14
|
+
* permit persons to whom the Software is furnished to do so, subject to
|
|
15
|
+
* the following conditions:
|
|
16
|
+
*
|
|
17
|
+
* The above copyright notice and this permission notice shall be
|
|
18
|
+
* included in all copies or substantial portions of the Software.
|
|
19
|
+
*
|
|
20
|
+
* THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
|
|
21
|
+
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
22
|
+
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
|
23
|
+
* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
|
|
24
|
+
* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
|
|
25
|
+
* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
|
26
|
+
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
27
|
+
*/
|
|
28
|
+
|
|
29
|
+
'use strict'
|
|
30
|
+
|
|
31
|
+
/**
|
|
32
|
+
* Module exports.
|
|
33
|
+
* @public
|
|
34
|
+
*/
|
|
35
|
+
|
|
36
|
+
exports.parse = parse
|
|
37
|
+
exports.serialize = serialize
|
|
38
|
+
|
|
39
|
+
/**
|
|
40
|
+
* Module variables.
|
|
41
|
+
* @private
|
|
42
|
+
*/
|
|
43
|
+
|
|
44
|
+
const decode = decodeURIComponent
|
|
45
|
+
const encode = encodeURIComponent
|
|
46
|
+
|
|
47
|
+
/**
|
|
48
|
+
* RegExp to match field-content in RFC 7230 sec 3.2
|
|
49
|
+
*
|
|
50
|
+
* field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
|
|
51
|
+
* field-vchar = VCHAR / obs-text
|
|
52
|
+
* obs-text = %x80-FF
|
|
53
|
+
*/
|
|
54
|
+
|
|
55
|
+
const fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/ // eslint-disable-line
|
|
56
|
+
|
|
57
|
+
/**
|
|
58
|
+
* Parse a cookie header.
|
|
59
|
+
*
|
|
60
|
+
* Parse the given cookie header string into an object
|
|
61
|
+
* The object has the various cookies as keys(names) => values
|
|
62
|
+
*
|
|
63
|
+
* @param {string} str
|
|
64
|
+
* @param {object} [options]
|
|
65
|
+
* @return {object}
|
|
66
|
+
* @public
|
|
67
|
+
*/
|
|
68
|
+
|
|
69
|
+
function parse (str, options) {
|
|
70
|
+
if (typeof str !== 'string') {
|
|
71
|
+
throw new TypeError('argument str must be a string')
|
|
72
|
+
}
|
|
73
|
+
|
|
74
|
+
const result = {}
|
|
75
|
+
const dec = (options && options.decode) || decode
|
|
76
|
+
|
|
77
|
+
let pos = 0
|
|
78
|
+
let terminatorPos = 0
|
|
79
|
+
let eqIdx = 0
|
|
80
|
+
|
|
81
|
+
while (true) {
|
|
82
|
+
if (terminatorPos === str.length) {
|
|
83
|
+
break
|
|
84
|
+
}
|
|
85
|
+
terminatorPos = str.indexOf(';', pos)
|
|
86
|
+
terminatorPos = (terminatorPos === -1) ? str.length : terminatorPos
|
|
87
|
+
eqIdx = str.indexOf('=', pos)
|
|
88
|
+
|
|
89
|
+
// skip things that don't look like key=value
|
|
90
|
+
if (eqIdx === -1 || eqIdx > terminatorPos) {
|
|
91
|
+
pos = terminatorPos + 1
|
|
92
|
+
continue
|
|
93
|
+
}
|
|
94
|
+
|
|
95
|
+
const key = str.substring(pos, eqIdx++).trim()
|
|
96
|
+
|
|
97
|
+
// only assign once
|
|
98
|
+
if (result[key] === undefined) {
|
|
99
|
+
const val = (str.charCodeAt(eqIdx) === 0x22)
|
|
100
|
+
? str.substring(eqIdx + 1, terminatorPos - 1).trim()
|
|
101
|
+
: str.substring(eqIdx, terminatorPos).trim()
|
|
102
|
+
|
|
103
|
+
result[key] = (dec !== decode || val.indexOf('%') !== -1)
|
|
104
|
+
? tryDecode(val, dec)
|
|
105
|
+
: val
|
|
106
|
+
}
|
|
107
|
+
pos = terminatorPos + 1
|
|
108
|
+
}
|
|
109
|
+
return result
|
|
110
|
+
}
|
|
111
|
+
|
|
112
|
+
/**
|
|
113
|
+
* Serialize data into a cookie header.
|
|
114
|
+
*
|
|
115
|
+
* Serialize the a name value pair into a cookie string suitable for
|
|
116
|
+
* http headers. An optional options object specified cookie parameters.
|
|
117
|
+
*
|
|
118
|
+
* serialize('foo', 'bar', { httpOnly: true })
|
|
119
|
+
* => "foo=bar; httpOnly"
|
|
120
|
+
*
|
|
121
|
+
* @param {string} name
|
|
122
|
+
* @param {string} val
|
|
123
|
+
* @param {object} [options]
|
|
124
|
+
* @return {string}
|
|
125
|
+
* @public
|
|
126
|
+
*/
|
|
127
|
+
|
|
128
|
+
function serialize (name, val, options) {
|
|
129
|
+
const opt = options || {}
|
|
130
|
+
const enc = opt.encode || encode
|
|
131
|
+
if (typeof enc !== 'function') {
|
|
132
|
+
throw new TypeError('option encode is invalid')
|
|
133
|
+
}
|
|
134
|
+
|
|
135
|
+
if (!fieldContentRegExp.test(name)) {
|
|
136
|
+
throw new TypeError('argument name is invalid')
|
|
137
|
+
}
|
|
138
|
+
|
|
139
|
+
const value = enc(val)
|
|
140
|
+
if (value && !fieldContentRegExp.test(value)) {
|
|
141
|
+
throw new TypeError('argument val is invalid')
|
|
142
|
+
}
|
|
143
|
+
|
|
144
|
+
let str = name + '=' + value
|
|
145
|
+
if (opt.maxAge != null) {
|
|
146
|
+
const maxAge = opt.maxAge - 0
|
|
147
|
+
if (isNaN(maxAge) || !isFinite(maxAge)) {
|
|
148
|
+
throw new TypeError('option maxAge is invalid')
|
|
149
|
+
}
|
|
150
|
+
|
|
151
|
+
str += '; Max-Age=' + Math.floor(maxAge)
|
|
152
|
+
}
|
|
153
|
+
|
|
154
|
+
if (opt.domain) {
|
|
155
|
+
if (!fieldContentRegExp.test(opt.domain)) {
|
|
156
|
+
throw new TypeError('option domain is invalid')
|
|
157
|
+
}
|
|
158
|
+
|
|
159
|
+
str += '; Domain=' + opt.domain
|
|
160
|
+
}
|
|
161
|
+
|
|
162
|
+
if (opt.path) {
|
|
163
|
+
if (!fieldContentRegExp.test(opt.path)) {
|
|
164
|
+
throw new TypeError('option path is invalid')
|
|
165
|
+
}
|
|
166
|
+
|
|
167
|
+
str += '; Path=' + opt.path
|
|
168
|
+
}
|
|
169
|
+
|
|
170
|
+
if (opt.expires) {
|
|
171
|
+
if (typeof opt.expires.toUTCString !== 'function') {
|
|
172
|
+
throw new TypeError('option expires is invalid')
|
|
173
|
+
}
|
|
174
|
+
|
|
175
|
+
str += '; Expires=' + opt.expires.toUTCString()
|
|
176
|
+
}
|
|
177
|
+
|
|
178
|
+
if (opt.httpOnly) {
|
|
179
|
+
str += '; HttpOnly'
|
|
180
|
+
}
|
|
181
|
+
|
|
182
|
+
if (opt.secure) {
|
|
183
|
+
str += '; Secure'
|
|
184
|
+
}
|
|
185
|
+
|
|
186
|
+
// Draft implementation to support Chrome from 2024-Q1 forward.
|
|
187
|
+
// See https://datatracker.ietf.org/doc/html/draft-cutler-httpbis-partitioned-cookies#section-2.1
|
|
188
|
+
if (opt.partitioned) {
|
|
189
|
+
str += '; Partitioned'
|
|
190
|
+
}
|
|
191
|
+
|
|
192
|
+
if (opt.sameSite) {
|
|
193
|
+
const sameSite = typeof opt.sameSite === 'string'
|
|
194
|
+
? opt.sameSite.toLowerCase()
|
|
195
|
+
: opt.sameSite
|
|
196
|
+
switch (sameSite) {
|
|
197
|
+
case true:
|
|
198
|
+
str += '; SameSite=Strict'
|
|
199
|
+
break
|
|
200
|
+
case 'lax':
|
|
201
|
+
str += '; SameSite=Lax'
|
|
202
|
+
break
|
|
203
|
+
case 'strict':
|
|
204
|
+
str += '; SameSite=Strict'
|
|
205
|
+
break
|
|
206
|
+
case 'none':
|
|
207
|
+
str += '; SameSite=None'
|
|
208
|
+
break
|
|
209
|
+
default:
|
|
210
|
+
throw new TypeError('option sameSite is invalid')
|
|
211
|
+
}
|
|
212
|
+
}
|
|
213
|
+
|
|
214
|
+
return str
|
|
215
|
+
}
|
|
216
|
+
|
|
217
|
+
/**
|
|
218
|
+
* Try decoding a string using a decoding function.
|
|
219
|
+
*
|
|
220
|
+
* @param {string} str
|
|
221
|
+
* @param {function} decode
|
|
222
|
+
* @private
|
|
223
|
+
*/
|
|
224
|
+
|
|
225
|
+
function tryDecode (str, decode) {
|
|
226
|
+
try {
|
|
227
|
+
return decode(str)
|
|
228
|
+
} catch (e) {
|
|
229
|
+
return str
|
|
230
|
+
}
|
|
231
|
+
}
|
package/package.json
CHANGED
|
@@ -1,8 +1,9 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@fastify/cookie",
|
|
3
|
-
"version": "9.0
|
|
3
|
+
"version": "9.2.0",
|
|
4
4
|
"description": "Plugin for fastify to add support for cookies",
|
|
5
5
|
"main": "plugin.js",
|
|
6
|
+
"type": "commonjs",
|
|
6
7
|
"types": "types/plugin.d.ts",
|
|
7
8
|
"scripts": {
|
|
8
9
|
"coverage": "npm run test:unit -- --coverage-report=html",
|
|
@@ -43,15 +44,15 @@
|
|
|
43
44
|
"@types/node": "^20.1.0",
|
|
44
45
|
"benchmark": "^2.1.4",
|
|
45
46
|
"fastify": "^4.0.0",
|
|
46
|
-
"sinon": "^
|
|
47
|
+
"sinon": "^17.0.0",
|
|
47
48
|
"snazzy": "^9.0.0",
|
|
48
49
|
"standard": "^17.0.0",
|
|
49
50
|
"tap": "^16.0.0",
|
|
50
|
-
"tsd": "^0.
|
|
51
|
+
"tsd": "^0.29.0"
|
|
51
52
|
},
|
|
52
53
|
"dependencies": {
|
|
53
|
-
"
|
|
54
|
-
"
|
|
54
|
+
"fastify-plugin": "^4.0.0",
|
|
55
|
+
"cookie-signature": "^1.1.0"
|
|
55
56
|
},
|
|
56
57
|
"tsd": {
|
|
57
58
|
"directory": "test"
|
package/plugin.js
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
'use strict'
|
|
2
2
|
|
|
3
3
|
const fp = require('fastify-plugin')
|
|
4
|
-
const cookie = require('cookie')
|
|
4
|
+
const cookie = require('./cookie')
|
|
5
5
|
|
|
6
6
|
const { Signer, sign, unsign } = require('./signer')
|
|
7
7
|
|
|
@@ -9,7 +9,7 @@ const kReplySetCookies = Symbol('fastify.reply.setCookies')
|
|
|
9
9
|
const kReplySetCookiesHookRan = Symbol('fastify.reply.setCookiesHookRan')
|
|
10
10
|
|
|
11
11
|
function fastifyCookieSetCookie (reply, name, value, options) {
|
|
12
|
-
parseCookies(reply.
|
|
12
|
+
parseCookies(reply.server, reply.request, reply)
|
|
13
13
|
|
|
14
14
|
const opts = Object.assign({}, options)
|
|
15
15
|
|
|
@@ -51,11 +51,9 @@ function fastifyCookieClearCookie (reply, name, options) {
|
|
|
51
51
|
function parseCookies (fastify, request, reply) {
|
|
52
52
|
if (reply[kReplySetCookies]) return
|
|
53
53
|
|
|
54
|
-
request.cookies = {} // New container per request. Issue #53
|
|
55
54
|
const cookieHeader = request.raw.headers.cookie
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
}
|
|
55
|
+
|
|
56
|
+
request.cookies = cookieHeader ? fastify.parseCookie(cookieHeader) : {} // New container per request. Issue #53
|
|
59
57
|
reply[kReplySetCookies] = new Map()
|
|
60
58
|
}
|
|
61
59
|
|
|
@@ -116,18 +114,6 @@ function fastifyCookieOnSendHandler (fastifyReq, fastifyRes, payload, done) {
|
|
|
116
114
|
done()
|
|
117
115
|
}
|
|
118
116
|
|
|
119
|
-
function getHook (hook = 'onRequest') {
|
|
120
|
-
const hooks = {
|
|
121
|
-
onRequest: 'onRequest',
|
|
122
|
-
preParsing: 'preParsing',
|
|
123
|
-
preValidation: 'preValidation',
|
|
124
|
-
preHandler: 'preHandler',
|
|
125
|
-
[false]: false
|
|
126
|
-
}
|
|
127
|
-
|
|
128
|
-
return hooks[hook]
|
|
129
|
-
}
|
|
130
|
-
|
|
131
117
|
function plugin (fastify, options, next) {
|
|
132
118
|
const secret = options.secret
|
|
133
119
|
const hook = getHook(options.hook)
|
|
@@ -140,7 +126,7 @@ function plugin (fastify, options, next) {
|
|
|
140
126
|
fastify.decorate('serializeCookie', cookie.serialize)
|
|
141
127
|
fastify.decorate('parseCookie', parseCookie)
|
|
142
128
|
|
|
143
|
-
if (
|
|
129
|
+
if (secret !== undefined) {
|
|
144
130
|
fastify.decorate('signCookie', signCookie)
|
|
145
131
|
fastify.decorate('unsignCookie', unsignCookie)
|
|
146
132
|
|
|
@@ -190,6 +176,18 @@ function plugin (fastify, options, next) {
|
|
|
190
176
|
}
|
|
191
177
|
}
|
|
192
178
|
|
|
179
|
+
function getHook (hook = 'onRequest') {
|
|
180
|
+
const hooks = {
|
|
181
|
+
onRequest: 'onRequest',
|
|
182
|
+
preParsing: 'preParsing',
|
|
183
|
+
preValidation: 'preValidation',
|
|
184
|
+
preHandler: 'preHandler',
|
|
185
|
+
[false]: false
|
|
186
|
+
}
|
|
187
|
+
|
|
188
|
+
return hooks[hook]
|
|
189
|
+
}
|
|
190
|
+
|
|
193
191
|
function isConnectionSecure (request) {
|
|
194
192
|
return (
|
|
195
193
|
request.raw.socket?.encrypted === true ||
|
|
@@ -212,15 +210,9 @@ const fastifyCookie = fp(plugin, {
|
|
|
212
210
|
* - `import { fastifyCookie } from 'fastify-cookie'`
|
|
213
211
|
* - `import fastifyCookie from 'fastify-cookie'`
|
|
214
212
|
*/
|
|
215
|
-
fastifyCookie.signerFactory = Signer
|
|
216
|
-
fastifyCookie.fastifyCookie = fastifyCookie
|
|
217
|
-
fastifyCookie.default = fastifyCookie
|
|
218
213
|
module.exports = fastifyCookie
|
|
219
|
-
|
|
220
|
-
fastifyCookie.fastifyCookie
|
|
221
|
-
fastifyCookie.fastifyCookie.Signer = Signer
|
|
222
|
-
fastifyCookie.fastifyCookie.sign = sign
|
|
223
|
-
fastifyCookie.fastifyCookie.unsign = unsign
|
|
214
|
+
module.exports.default = fastifyCookie // supersedes fastifyCookie.default = fastifyCookie
|
|
215
|
+
module.exports.fastifyCookie = fastifyCookie // supersedes fastifyCookie.fastifyCookie = fastifyCookie
|
|
224
216
|
|
|
225
217
|
module.exports.signerFactory = Signer
|
|
226
218
|
module.exports.Signer = Signer
|
package/signer.js
CHANGED
|
@@ -6,9 +6,9 @@
|
|
|
6
6
|
// The MIT License
|
|
7
7
|
// Copyright (c) 2012–2022 LearnBoost <tj@learnboost.com> and other contributors;
|
|
8
8
|
|
|
9
|
-
const crypto = require('crypto')
|
|
9
|
+
const crypto = require('node:crypto')
|
|
10
10
|
|
|
11
|
-
const base64PaddingRE = /=/
|
|
11
|
+
const base64PaddingRE = /=/gu
|
|
12
12
|
|
|
13
13
|
function Signer (secrets, algorithm = 'sha256') {
|
|
14
14
|
if (!(this instanceof Signer)) {
|
|
@@ -0,0 +1,205 @@
|
|
|
1
|
+
'use strict'
|
|
2
|
+
|
|
3
|
+
const tap = require('tap')
|
|
4
|
+
const test = tap.test
|
|
5
|
+
|
|
6
|
+
const cookie = require('../cookie')
|
|
7
|
+
|
|
8
|
+
test('parse: argument validation', (t) => {
|
|
9
|
+
t.plan(2)
|
|
10
|
+
t.throws(cookie.parse.bind(), /argument str must be a string/)
|
|
11
|
+
t.throws(cookie.parse.bind(null, 42), /argument str must be a string/)
|
|
12
|
+
t.end()
|
|
13
|
+
})
|
|
14
|
+
|
|
15
|
+
test('parse: basic', (t) => {
|
|
16
|
+
t.plan(2)
|
|
17
|
+
t.same(cookie.parse('foo=bar'), { foo: 'bar' })
|
|
18
|
+
t.same(cookie.parse('foo=123'), { foo: '123' })
|
|
19
|
+
t.end()
|
|
20
|
+
})
|
|
21
|
+
|
|
22
|
+
test('parse: ignore spaces', (t) => {
|
|
23
|
+
t.plan(1)
|
|
24
|
+
t.same(cookie.parse('FOO = bar; baz = raz'), { FOO: 'bar', baz: 'raz' })
|
|
25
|
+
t.end()
|
|
26
|
+
})
|
|
27
|
+
|
|
28
|
+
test('parse: escaping', (t) => {
|
|
29
|
+
t.plan(2)
|
|
30
|
+
t.same(cookie.parse('foo="bar=123456789&name=Magic+Mouse"'), { foo: 'bar=123456789&name=Magic+Mouse' })
|
|
31
|
+
t.same(cookie.parse('email=%20%22%2c%3b%2f'), { email: ' ",;/' })
|
|
32
|
+
t.end()
|
|
33
|
+
})
|
|
34
|
+
|
|
35
|
+
test('parse: ignore escaping error and return original value', (t) => {
|
|
36
|
+
t.plan(1)
|
|
37
|
+
t.same(cookie.parse('foo=%1;bar=bar'), { foo: '%1', bar: 'bar' })
|
|
38
|
+
t.end()
|
|
39
|
+
})
|
|
40
|
+
|
|
41
|
+
test('parse: ignore non values', (t) => {
|
|
42
|
+
t.plan(1)
|
|
43
|
+
t.same(cookie.parse('foo=%1;bar=bar;HttpOnly;Secure'),
|
|
44
|
+
{ foo: '%1', bar: 'bar' })
|
|
45
|
+
t.end()
|
|
46
|
+
})
|
|
47
|
+
|
|
48
|
+
test('parse: unencoded', (t) => {
|
|
49
|
+
t.plan(2)
|
|
50
|
+
t.same(cookie.parse('foo="bar=123456789&name=Magic+Mouse"', {
|
|
51
|
+
decode: function (v) { return v }
|
|
52
|
+
}), { foo: 'bar=123456789&name=Magic+Mouse' })
|
|
53
|
+
|
|
54
|
+
t.same(cookie.parse('email=%20%22%2c%3b%2f', {
|
|
55
|
+
decode: function (v) { return v }
|
|
56
|
+
}), { email: '%20%22%2c%3b%2f' })
|
|
57
|
+
t.end()
|
|
58
|
+
})
|
|
59
|
+
|
|
60
|
+
test('parse: dates', (t) => {
|
|
61
|
+
t.plan(1)
|
|
62
|
+
t.same(cookie.parse('priority=true; expires=Wed, 29 Jan 2014 17:43:25 GMT; Path=/', {
|
|
63
|
+
decode: function (v) { return v }
|
|
64
|
+
}), { priority: 'true', Path: '/', expires: 'Wed, 29 Jan 2014 17:43:25 GMT' })
|
|
65
|
+
t.end()
|
|
66
|
+
})
|
|
67
|
+
|
|
68
|
+
test('parse: missing value', (t) => {
|
|
69
|
+
t.plan(1)
|
|
70
|
+
t.same(cookie.parse('foo; bar=1; fizz= ; buzz=2', {
|
|
71
|
+
decode: function (v) { return v }
|
|
72
|
+
}), { bar: '1', fizz: '', buzz: '2' })
|
|
73
|
+
t.end()
|
|
74
|
+
})
|
|
75
|
+
|
|
76
|
+
test('parse: assign only once', (t) => {
|
|
77
|
+
t.plan(3)
|
|
78
|
+
t.same(cookie.parse('foo=%1;bar=bar;foo=boo'), { foo: '%1', bar: 'bar' })
|
|
79
|
+
t.same(cookie.parse('foo=false;bar=bar;foo=true'), { foo: 'false', bar: 'bar' })
|
|
80
|
+
t.same(cookie.parse('foo=;bar=bar;foo=boo'), { foo: '', bar: 'bar' })
|
|
81
|
+
t.end()
|
|
82
|
+
})
|
|
83
|
+
|
|
84
|
+
test('serializer: basic', (t) => {
|
|
85
|
+
t.plan(6)
|
|
86
|
+
t.same(cookie.serialize('foo', 'bar'), 'foo=bar')
|
|
87
|
+
t.same(cookie.serialize('foo', 'bar baz'), 'foo=bar%20baz')
|
|
88
|
+
t.same(cookie.serialize('foo', ''), 'foo=')
|
|
89
|
+
t.throws(cookie.serialize.bind(cookie, 'foo\n', 'bar'), /argument name is invalid/)
|
|
90
|
+
t.throws(cookie.serialize.bind(cookie, 'foo\u280a', 'bar'), /argument name is invalid/)
|
|
91
|
+
t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', { encode: 42 }), /option encode is invalid/)
|
|
92
|
+
t.end()
|
|
93
|
+
})
|
|
94
|
+
|
|
95
|
+
test('serializer: path', (t) => {
|
|
96
|
+
t.plan(2)
|
|
97
|
+
t.same(cookie.serialize('foo', 'bar', { path: '/' }), 'foo=bar; Path=/')
|
|
98
|
+
t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
|
|
99
|
+
path: '/\n'
|
|
100
|
+
}), /option path is invalid/)
|
|
101
|
+
t.end()
|
|
102
|
+
})
|
|
103
|
+
|
|
104
|
+
test('serializer: secure', (t) => {
|
|
105
|
+
t.plan(2)
|
|
106
|
+
t.same(cookie.serialize('foo', 'bar', { secure: true }), 'foo=bar; Secure')
|
|
107
|
+
t.same(cookie.serialize('foo', 'bar', { secure: false }), 'foo=bar')
|
|
108
|
+
t.end()
|
|
109
|
+
})
|
|
110
|
+
|
|
111
|
+
test('serializer: domain', (t) => {
|
|
112
|
+
t.plan(2)
|
|
113
|
+
t.same(cookie.serialize('foo', 'bar', { domain: 'example.com' }), 'foo=bar; Domain=example.com')
|
|
114
|
+
t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
|
|
115
|
+
domain: 'example.com\n'
|
|
116
|
+
}), /option domain is invalid/)
|
|
117
|
+
t.end()
|
|
118
|
+
})
|
|
119
|
+
|
|
120
|
+
test('serializer: httpOnly', (t) => {
|
|
121
|
+
t.plan(1)
|
|
122
|
+
t.same(cookie.serialize('foo', 'bar', { httpOnly: true }), 'foo=bar; HttpOnly')
|
|
123
|
+
t.end()
|
|
124
|
+
})
|
|
125
|
+
|
|
126
|
+
test('serializer: maxAge', (t) => {
|
|
127
|
+
t.plan(9)
|
|
128
|
+
t.throws(function () {
|
|
129
|
+
cookie.serialize('foo', 'bar', {
|
|
130
|
+
maxAge: 'buzz'
|
|
131
|
+
})
|
|
132
|
+
}, /option maxAge is invalid/)
|
|
133
|
+
|
|
134
|
+
t.throws(function () {
|
|
135
|
+
cookie.serialize('foo', 'bar', {
|
|
136
|
+
maxAge: Infinity
|
|
137
|
+
})
|
|
138
|
+
}, /option maxAge is invalid/)
|
|
139
|
+
|
|
140
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: 1000 }), 'foo=bar; Max-Age=1000')
|
|
141
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: '1000' }), 'foo=bar; Max-Age=1000')
|
|
142
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: 0 }), 'foo=bar; Max-Age=0')
|
|
143
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: '0' }), 'foo=bar; Max-Age=0')
|
|
144
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: null }), 'foo=bar')
|
|
145
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: undefined }), 'foo=bar')
|
|
146
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: 3.14 }), 'foo=bar; Max-Age=3')
|
|
147
|
+
t.end()
|
|
148
|
+
})
|
|
149
|
+
|
|
150
|
+
test('serializer: expires', (t) => {
|
|
151
|
+
t.plan(2)
|
|
152
|
+
t.same(cookie.serialize('foo', 'bar', {
|
|
153
|
+
expires: new Date(Date.UTC(2000, 11, 24, 10, 30, 59, 900))
|
|
154
|
+
}), 'foo=bar; Expires=Sun, 24 Dec 2000 10:30:59 GMT')
|
|
155
|
+
|
|
156
|
+
t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
|
|
157
|
+
expires: Date.now()
|
|
158
|
+
}), /option expires is invalid/)
|
|
159
|
+
t.end()
|
|
160
|
+
})
|
|
161
|
+
|
|
162
|
+
test('sameSite', (t) => {
|
|
163
|
+
t.plan(9)
|
|
164
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: true }), 'foo=bar; SameSite=Strict')
|
|
165
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: 'Strict' }), 'foo=bar; SameSite=Strict')
|
|
166
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: 'strict' }), 'foo=bar; SameSite=Strict')
|
|
167
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: 'Lax' }), 'foo=bar; SameSite=Lax')
|
|
168
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: 'lax' }), 'foo=bar; SameSite=Lax')
|
|
169
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: 'None' }), 'foo=bar; SameSite=None')
|
|
170
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: 'none' }), 'foo=bar; SameSite=None')
|
|
171
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: false }), 'foo=bar')
|
|
172
|
+
|
|
173
|
+
t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
|
|
174
|
+
sameSite: 'foo'
|
|
175
|
+
}), /option sameSite is invalid/)
|
|
176
|
+
t.end()
|
|
177
|
+
})
|
|
178
|
+
|
|
179
|
+
test('escaping', (t) => {
|
|
180
|
+
t.plan(1)
|
|
181
|
+
t.same(cookie.serialize('cat', '+ '), 'cat=%2B%20')
|
|
182
|
+
t.end()
|
|
183
|
+
})
|
|
184
|
+
|
|
185
|
+
test('parse->serialize', (t) => {
|
|
186
|
+
t.plan(2)
|
|
187
|
+
t.same(cookie.parse(cookie.serialize('cat', 'foo=123&name=baz five')),
|
|
188
|
+
{ cat: 'foo=123&name=baz five' })
|
|
189
|
+
|
|
190
|
+
t.same(cookie.parse(cookie.serialize('cat', ' ";/')),
|
|
191
|
+
{ cat: ' ";/' })
|
|
192
|
+
t.end()
|
|
193
|
+
})
|
|
194
|
+
|
|
195
|
+
test('unencoded', (t) => {
|
|
196
|
+
t.plan(2)
|
|
197
|
+
t.same(cookie.serialize('cat', '+ ', {
|
|
198
|
+
encode: function (value) { return value }
|
|
199
|
+
}), 'cat=+ ')
|
|
200
|
+
|
|
201
|
+
t.throws(cookie.serialize.bind(cookie, 'cat', '+ \n', {
|
|
202
|
+
encode: function (value) { return value }
|
|
203
|
+
}), /argument val is invalid/)
|
|
204
|
+
t.end()
|
|
205
|
+
})
|
package/test/cookie.test.js
CHANGED
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
'use strict'
|
|
2
2
|
|
|
3
|
-
const
|
|
4
|
-
const test = tap.test
|
|
3
|
+
const { test } = require('tap')
|
|
5
4
|
const Fastify = require('fastify')
|
|
6
5
|
const sinon = require('sinon')
|
|
7
6
|
const { sign, unsign } = require('../signer')
|
|
@@ -93,6 +92,46 @@ test('should set multiple cookies', (t) => {
|
|
|
93
92
|
})
|
|
94
93
|
})
|
|
95
94
|
|
|
95
|
+
test('should set multiple cookies', (t) => {
|
|
96
|
+
t.plan(12)
|
|
97
|
+
const fastify = Fastify()
|
|
98
|
+
fastify.register(plugin)
|
|
99
|
+
|
|
100
|
+
fastify.get('/', (req, reply) => {
|
|
101
|
+
reply
|
|
102
|
+
.setCookie('foo', 'foo')
|
|
103
|
+
.cookie('bar', 'test', {
|
|
104
|
+
partitioned: true
|
|
105
|
+
})
|
|
106
|
+
.setCookie('wee', 'woo', {
|
|
107
|
+
partitioned: true,
|
|
108
|
+
secure: true
|
|
109
|
+
})
|
|
110
|
+
.send({ hello: 'world' })
|
|
111
|
+
})
|
|
112
|
+
|
|
113
|
+
fastify.inject({
|
|
114
|
+
method: 'GET',
|
|
115
|
+
url: '/'
|
|
116
|
+
}, (err, res) => {
|
|
117
|
+
t.error(err)
|
|
118
|
+
t.equal(res.statusCode, 200)
|
|
119
|
+
t.same(JSON.parse(res.body), { hello: 'world' })
|
|
120
|
+
|
|
121
|
+
const cookies = res.cookies
|
|
122
|
+
t.equal(cookies.length, 3)
|
|
123
|
+
t.equal(cookies[0].name, 'foo')
|
|
124
|
+
t.equal(cookies[0].value, 'foo')
|
|
125
|
+
t.equal(cookies[1].name, 'bar')
|
|
126
|
+
t.equal(cookies[1].value, 'test')
|
|
127
|
+
t.equal(cookies[2].name, 'wee')
|
|
128
|
+
t.equal(cookies[2].value, 'woo')
|
|
129
|
+
|
|
130
|
+
t.equal(res.headers['set-cookie'][1], 'bar=test; Partitioned')
|
|
131
|
+
t.equal(res.headers['set-cookie'][2], 'wee=woo; Secure; Partitioned')
|
|
132
|
+
})
|
|
133
|
+
})
|
|
134
|
+
|
|
96
135
|
test('cookies get set correctly with millisecond dates', (t) => {
|
|
97
136
|
t.plan(8)
|
|
98
137
|
const fastify = Fastify()
|
package/test/signer.test.js
CHANGED
package/types/plugin.d.ts
CHANGED
|
@@ -125,9 +125,9 @@ declare namespace fastifyCookie {
|
|
|
125
125
|
httpOnly?: boolean;
|
|
126
126
|
/** A `number` in seconds that specifies the `Expires` attribute by adding the specified seconds to the current date. If both `expires` and `maxAge` are set, then `expires` is used. */
|
|
127
127
|
maxAge?: number;
|
|
128
|
+
partitioned?: boolean;
|
|
128
129
|
/** The `Path` attribute. Defaults to `/` (the root path). */
|
|
129
130
|
path?: string;
|
|
130
|
-
priority?: "low" | "medium" | "high";
|
|
131
131
|
/** A `boolean` or one of the `SameSite` string attributes. E.g.: `lax`, `none` or `strict`. */
|
|
132
132
|
sameSite?: 'lax' | 'none' | 'strict' | boolean;
|
|
133
133
|
/** The `boolean` value of the `Secure` attribute. Set this option to false when communicating over an unencrypted (HTTP) connection. Value can be set to `auto`; in this case the `Secure` attribute will be set to false for HTTP request, in case of HTTPS it will be set to true. Defaults to true. */
|
package/types/plugin.test-d.ts
CHANGED