@fastify/cookie 9.0.4 → 9.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/.gitattributes ADDED
@@ -0,0 +1,2 @@
1
+ # Set default behavior to automatically convert line endings
2
+ * text=auto eol=lf
package/README.md CHANGED
@@ -77,7 +77,89 @@ app.register(cookie, {
77
77
  - An `Array` can be passed if key rotation is desired. Read more about it in [Rotating signing secret](#rotating-secret).
78
78
  - More sophisticated cookie signing mechanisms can be implemented by supplying an `Object`. Read more about it in [Custom cookie signer](#custom-cookie-signer).
79
79
 
80
- - `parseOptions`: An `Object` to pass as options to [cookie parse](https://github.com/jshttp/cookie#cookieparsestr-options).
80
+ - `parseOptions`: An `Object` to modify the serialization of set cookies.
81
+
82
+ #### parseOptions
83
+
84
+ ##### domain
85
+
86
+ Specifies the value for the [`Domain` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.3). By default, no
87
+ domain is set, and most clients will consider the cookie to apply to only the current domain.
88
+
89
+ ##### encode
90
+
91
+ Specifies a function that will be used to encode a cookie's value. Since value of a cookie
92
+ has a limited character set (and must be a simple string), this function can be used to encode
93
+ a value into a string suited for a cookie's value.
94
+
95
+ The default function is the global `encodeURIComponent`, which will encode a JavaScript string
96
+ into UTF-8 byte sequences and then URL-encode any that fall outside of the cookie range.
97
+
98
+ ##### expires
99
+
100
+ Specifies the `Date` object to be the value for the [`Expires` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.1).
101
+ By default, no expiration is set, and most clients will consider this a "non-persistent cookie" and
102
+ will delete it on a condition like exiting a web browser application.
103
+
104
+ **Note:** the [cookie storage model specification](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) states that if both `expires` and
105
+ `maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,
106
+ so if both are set, they should point to the same date and time.
107
+
108
+ ##### httpOnly
109
+
110
+ Specifies the `boolean` value for the [`HttpOnly` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.6). When truthy,
111
+ the `HttpOnly` attribute is set, otherwise it is not. By default, the `HttpOnly` attribute is not set.
112
+
113
+ **Note:** be careful when setting this to `true`, as compliant clients will not allow client-side
114
+ JavaScript to see the cookie in `document.cookie`.
115
+
116
+ ##### maxAge
117
+
118
+ Specifies the `number` (in seconds) to be the value for the [`Max-Age` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.2).
119
+ The given number will be converted to an integer by rounding down. By default, no maximum age is set.
120
+
121
+ **Note:** the [cookie storage model specification](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) states that if both `expires` and
122
+ `maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,
123
+ so if both are set, they should point to the same date and time.
124
+
125
+ ##### partitioned
126
+
127
+ Specifies the `boolean` value for the [`Partitioned` `Set-Cookie`](https://datatracker.ietf.org/doc/html/draft-cutler-httpbis-partitioned-cookies#section-2.1)
128
+ attribute. When truthy, the `Partitioned` attribute is set, otherwise it is not. By default, the
129
+ `Partitioned` attribute is not set.
130
+
131
+ ⚠️ **Warning:** [This is an attribute that has not yet been fully standardized](https://github.com/fastify/fastify-cookie/pull/261#issuecomment-1803234334), and may change in the future without reflecting the semver versioning. This also means many clients may ignore the attribute until they understand it.
132
+
133
+ More information about can be found in [the proposal](https://github.com/privacycg/CHIPS).
134
+
135
+ ##### path
136
+
137
+ Specifies the value for the [`Path` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.4). By default, the path
138
+ is considered the ["default path"](https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.4).
139
+
140
+ ##### sameSite
141
+
142
+ Specifies the `boolean` or `string` to be the value for the [`SameSite` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7).
143
+
144
+ - `true` will set the `SameSite` attribute to `Strict` for strict same site enforcement.
145
+ - `false` will not set the `SameSite` attribute.
146
+ - `'lax'` will set the `SameSite` attribute to `Lax` for lax same site enforcement.
147
+ - `'none'` will set the `SameSite` attribute to `None` for an explicit cross-site cookie.
148
+ - `'strict'` will set the `SameSite` attribute to `Strict` for strict same site enforcement.
149
+
150
+ More information about the different enforcement levels can be found in
151
+ [the specification](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7).
152
+
153
+ **Note:** This is an attribute that has not yet been fully standardized, and may change in the future.
154
+ This also means many clients may ignore this attribute until they understand it.
155
+
156
+ ##### secure
157
+
158
+ Specifies the `boolean` value for the [`Secure` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.5). When truthy,
159
+ the `Secure` attribute is set, otherwise it is not. By default, the `Secure` attribute is not set.
160
+
161
+ **Note:** be careful when setting this to `true`, as compliant clients will not send the cookie back to
162
+ the server in the future if the browser does not have an HTTPS connection.
81
163
 
82
164
  ## API
83
165
 
package/cookie.js ADDED
@@ -0,0 +1,231 @@
1
+ /*!
2
+ * Adapted from https://github.com/jshttp/cookie
3
+ *
4
+ * (The MIT License)
5
+ *
6
+ * Copyright (c) 2012-2014 Roman Shtylman <shtylman@gmail.com>
7
+ * Copyright (c) 2015 Douglas Christopher Wilson <doug@somethingdoug.com>
8
+ *
9
+ * Permission is hereby granted, free of charge, to any person obtaining
10
+ * a copy of this software and associated documentation files (the
11
+ * 'Software'), to deal in the Software without restriction, including
12
+ * without limitation the rights to use, copy, modify, merge, publish,
13
+ * distribute, sublicense, and/or sell copies of the Software, and to
14
+ * permit persons to whom the Software is furnished to do so, subject to
15
+ * the following conditions:
16
+ *
17
+ * The above copyright notice and this permission notice shall be
18
+ * included in all copies or substantial portions of the Software.
19
+ *
20
+ * THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
21
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
23
+ * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
24
+ * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
25
+ * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
26
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
27
+ */
28
+
29
+ 'use strict'
30
+
31
+ /**
32
+ * Module exports.
33
+ * @public
34
+ */
35
+
36
+ exports.parse = parse
37
+ exports.serialize = serialize
38
+
39
+ /**
40
+ * Module variables.
41
+ * @private
42
+ */
43
+
44
+ const decode = decodeURIComponent
45
+ const encode = encodeURIComponent
46
+
47
+ /**
48
+ * RegExp to match field-content in RFC 7230 sec 3.2
49
+ *
50
+ * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
51
+ * field-vchar = VCHAR / obs-text
52
+ * obs-text = %x80-FF
53
+ */
54
+
55
+ const fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/ // eslint-disable-line
56
+
57
+ /**
58
+ * Parse a cookie header.
59
+ *
60
+ * Parse the given cookie header string into an object
61
+ * The object has the various cookies as keys(names) => values
62
+ *
63
+ * @param {string} str
64
+ * @param {object} [options]
65
+ * @return {object}
66
+ * @public
67
+ */
68
+
69
+ function parse (str, options) {
70
+ if (typeof str !== 'string') {
71
+ throw new TypeError('argument str must be a string')
72
+ }
73
+
74
+ const result = {}
75
+ const dec = (options && options.decode) || decode
76
+
77
+ let pos = 0
78
+ let terminatorPos = 0
79
+ let eqIdx = 0
80
+
81
+ while (true) {
82
+ if (terminatorPos === str.length) {
83
+ break
84
+ }
85
+ terminatorPos = str.indexOf(';', pos)
86
+ terminatorPos = (terminatorPos === -1) ? str.length : terminatorPos
87
+ eqIdx = str.indexOf('=', pos)
88
+
89
+ // skip things that don't look like key=value
90
+ if (eqIdx === -1 || eqIdx > terminatorPos) {
91
+ pos = terminatorPos + 1
92
+ continue
93
+ }
94
+
95
+ const key = str.substring(pos, eqIdx++).trim()
96
+
97
+ // only assign once
98
+ if (result[key] === undefined) {
99
+ const val = (str.charCodeAt(eqIdx) === 0x22)
100
+ ? str.substring(eqIdx + 1, terminatorPos - 1).trim()
101
+ : str.substring(eqIdx, terminatorPos).trim()
102
+
103
+ result[key] = (dec !== decode || val.indexOf('%') !== -1)
104
+ ? tryDecode(val, dec)
105
+ : val
106
+ }
107
+ pos = terminatorPos + 1
108
+ }
109
+ return result
110
+ }
111
+
112
+ /**
113
+ * Serialize data into a cookie header.
114
+ *
115
+ * Serialize the a name value pair into a cookie string suitable for
116
+ * http headers. An optional options object specified cookie parameters.
117
+ *
118
+ * serialize('foo', 'bar', { httpOnly: true })
119
+ * => "foo=bar; httpOnly"
120
+ *
121
+ * @param {string} name
122
+ * @param {string} val
123
+ * @param {object} [options]
124
+ * @return {string}
125
+ * @public
126
+ */
127
+
128
+ function serialize (name, val, options) {
129
+ const opt = options || {}
130
+ const enc = opt.encode || encode
131
+ if (typeof enc !== 'function') {
132
+ throw new TypeError('option encode is invalid')
133
+ }
134
+
135
+ if (!fieldContentRegExp.test(name)) {
136
+ throw new TypeError('argument name is invalid')
137
+ }
138
+
139
+ const value = enc(val)
140
+ if (value && !fieldContentRegExp.test(value)) {
141
+ throw new TypeError('argument val is invalid')
142
+ }
143
+
144
+ let str = name + '=' + value
145
+ if (opt.maxAge != null) {
146
+ const maxAge = opt.maxAge - 0
147
+ if (isNaN(maxAge) || !isFinite(maxAge)) {
148
+ throw new TypeError('option maxAge is invalid')
149
+ }
150
+
151
+ str += '; Max-Age=' + Math.floor(maxAge)
152
+ }
153
+
154
+ if (opt.domain) {
155
+ if (!fieldContentRegExp.test(opt.domain)) {
156
+ throw new TypeError('option domain is invalid')
157
+ }
158
+
159
+ str += '; Domain=' + opt.domain
160
+ }
161
+
162
+ if (opt.path) {
163
+ if (!fieldContentRegExp.test(opt.path)) {
164
+ throw new TypeError('option path is invalid')
165
+ }
166
+
167
+ str += '; Path=' + opt.path
168
+ }
169
+
170
+ if (opt.expires) {
171
+ if (typeof opt.expires.toUTCString !== 'function') {
172
+ throw new TypeError('option expires is invalid')
173
+ }
174
+
175
+ str += '; Expires=' + opt.expires.toUTCString()
176
+ }
177
+
178
+ if (opt.httpOnly) {
179
+ str += '; HttpOnly'
180
+ }
181
+
182
+ if (opt.secure) {
183
+ str += '; Secure'
184
+ }
185
+
186
+ // Draft implementation to support Chrome from 2024-Q1 forward.
187
+ // See https://datatracker.ietf.org/doc/html/draft-cutler-httpbis-partitioned-cookies#section-2.1
188
+ if (opt.partitioned) {
189
+ str += '; Partitioned'
190
+ }
191
+
192
+ if (opt.sameSite) {
193
+ const sameSite = typeof opt.sameSite === 'string'
194
+ ? opt.sameSite.toLowerCase()
195
+ : opt.sameSite
196
+ switch (sameSite) {
197
+ case true:
198
+ str += '; SameSite=Strict'
199
+ break
200
+ case 'lax':
201
+ str += '; SameSite=Lax'
202
+ break
203
+ case 'strict':
204
+ str += '; SameSite=Strict'
205
+ break
206
+ case 'none':
207
+ str += '; SameSite=None'
208
+ break
209
+ default:
210
+ throw new TypeError('option sameSite is invalid')
211
+ }
212
+ }
213
+
214
+ return str
215
+ }
216
+
217
+ /**
218
+ * Try decoding a string using a decoding function.
219
+ *
220
+ * @param {string} str
221
+ * @param {function} decode
222
+ * @private
223
+ */
224
+
225
+ function tryDecode (str, decode) {
226
+ try {
227
+ return decode(str)
228
+ } catch (e) {
229
+ return str
230
+ }
231
+ }
package/package.json CHANGED
@@ -1,8 +1,9 @@
1
1
  {
2
2
  "name": "@fastify/cookie",
3
- "version": "9.0.4",
3
+ "version": "9.2.0",
4
4
  "description": "Plugin for fastify to add support for cookies",
5
5
  "main": "plugin.js",
6
+ "type": "commonjs",
6
7
  "types": "types/plugin.d.ts",
7
8
  "scripts": {
8
9
  "coverage": "npm run test:unit -- --coverage-report=html",
@@ -43,15 +44,15 @@
43
44
  "@types/node": "^20.1.0",
44
45
  "benchmark": "^2.1.4",
45
46
  "fastify": "^4.0.0",
46
- "sinon": "^15.0.0",
47
+ "sinon": "^17.0.0",
47
48
  "snazzy": "^9.0.0",
48
49
  "standard": "^17.0.0",
49
50
  "tap": "^16.0.0",
50
- "tsd": "^0.28.0"
51
+ "tsd": "^0.29.0"
51
52
  },
52
53
  "dependencies": {
53
- "cookie": "^0.5.0",
54
- "fastify-plugin": "^4.0.0"
54
+ "fastify-plugin": "^4.0.0",
55
+ "cookie-signature": "^1.1.0"
55
56
  },
56
57
  "tsd": {
57
58
  "directory": "test"
package/plugin.js CHANGED
@@ -1,7 +1,7 @@
1
1
  'use strict'
2
2
 
3
3
  const fp = require('fastify-plugin')
4
- const cookie = require('cookie')
4
+ const cookie = require('./cookie')
5
5
 
6
6
  const { Signer, sign, unsign } = require('./signer')
7
7
 
@@ -9,7 +9,7 @@ const kReplySetCookies = Symbol('fastify.reply.setCookies')
9
9
  const kReplySetCookiesHookRan = Symbol('fastify.reply.setCookiesHookRan')
10
10
 
11
11
  function fastifyCookieSetCookie (reply, name, value, options) {
12
- parseCookies(reply.context.server, reply.request, reply)
12
+ parseCookies(reply.server, reply.request, reply)
13
13
 
14
14
  const opts = Object.assign({}, options)
15
15
 
@@ -51,11 +51,9 @@ function fastifyCookieClearCookie (reply, name, options) {
51
51
  function parseCookies (fastify, request, reply) {
52
52
  if (reply[kReplySetCookies]) return
53
53
 
54
- request.cookies = {} // New container per request. Issue #53
55
54
  const cookieHeader = request.raw.headers.cookie
56
- if (cookieHeader) {
57
- request.cookies = fastify.parseCookie(cookieHeader)
58
- }
55
+
56
+ request.cookies = cookieHeader ? fastify.parseCookie(cookieHeader) : {} // New container per request. Issue #53
59
57
  reply[kReplySetCookies] = new Map()
60
58
  }
61
59
 
@@ -116,18 +114,6 @@ function fastifyCookieOnSendHandler (fastifyReq, fastifyRes, payload, done) {
116
114
  done()
117
115
  }
118
116
 
119
- function getHook (hook = 'onRequest') {
120
- const hooks = {
121
- onRequest: 'onRequest',
122
- preParsing: 'preParsing',
123
- preValidation: 'preValidation',
124
- preHandler: 'preHandler',
125
- [false]: false
126
- }
127
-
128
- return hooks[hook]
129
- }
130
-
131
117
  function plugin (fastify, options, next) {
132
118
  const secret = options.secret
133
119
  const hook = getHook(options.hook)
@@ -140,7 +126,7 @@ function plugin (fastify, options, next) {
140
126
  fastify.decorate('serializeCookie', cookie.serialize)
141
127
  fastify.decorate('parseCookie', parseCookie)
142
128
 
143
- if (typeof secret !== 'undefined') {
129
+ if (secret !== undefined) {
144
130
  fastify.decorate('signCookie', signCookie)
145
131
  fastify.decorate('unsignCookie', unsignCookie)
146
132
 
@@ -190,6 +176,18 @@ function plugin (fastify, options, next) {
190
176
  }
191
177
  }
192
178
 
179
+ function getHook (hook = 'onRequest') {
180
+ const hooks = {
181
+ onRequest: 'onRequest',
182
+ preParsing: 'preParsing',
183
+ preValidation: 'preValidation',
184
+ preHandler: 'preHandler',
185
+ [false]: false
186
+ }
187
+
188
+ return hooks[hook]
189
+ }
190
+
193
191
  function isConnectionSecure (request) {
194
192
  return (
195
193
  request.raw.socket?.encrypted === true ||
@@ -212,15 +210,9 @@ const fastifyCookie = fp(plugin, {
212
210
  * - `import { fastifyCookie } from 'fastify-cookie'`
213
211
  * - `import fastifyCookie from 'fastify-cookie'`
214
212
  */
215
- fastifyCookie.signerFactory = Signer
216
- fastifyCookie.fastifyCookie = fastifyCookie
217
- fastifyCookie.default = fastifyCookie
218
213
  module.exports = fastifyCookie
219
-
220
- fastifyCookie.fastifyCookie.signerFactory = Signer
221
- fastifyCookie.fastifyCookie.Signer = Signer
222
- fastifyCookie.fastifyCookie.sign = sign
223
- fastifyCookie.fastifyCookie.unsign = unsign
214
+ module.exports.default = fastifyCookie // supersedes fastifyCookie.default = fastifyCookie
215
+ module.exports.fastifyCookie = fastifyCookie // supersedes fastifyCookie.fastifyCookie = fastifyCookie
224
216
 
225
217
  module.exports.signerFactory = Signer
226
218
  module.exports.Signer = Signer
package/signer.js CHANGED
@@ -6,9 +6,9 @@
6
6
  // The MIT License
7
7
  // Copyright (c) 2012–2022 LearnBoost <tj@learnboost.com> and other contributors;
8
8
 
9
- const crypto = require('crypto')
9
+ const crypto = require('node:crypto')
10
10
 
11
- const base64PaddingRE = /=/g
11
+ const base64PaddingRE = /=/gu
12
12
 
13
13
  function Signer (secrets, algorithm = 'sha256') {
14
14
  if (!(this instanceof Signer)) {
@@ -0,0 +1,205 @@
1
+ 'use strict'
2
+
3
+ const tap = require('tap')
4
+ const test = tap.test
5
+
6
+ const cookie = require('../cookie')
7
+
8
+ test('parse: argument validation', (t) => {
9
+ t.plan(2)
10
+ t.throws(cookie.parse.bind(), /argument str must be a string/)
11
+ t.throws(cookie.parse.bind(null, 42), /argument str must be a string/)
12
+ t.end()
13
+ })
14
+
15
+ test('parse: basic', (t) => {
16
+ t.plan(2)
17
+ t.same(cookie.parse('foo=bar'), { foo: 'bar' })
18
+ t.same(cookie.parse('foo=123'), { foo: '123' })
19
+ t.end()
20
+ })
21
+
22
+ test('parse: ignore spaces', (t) => {
23
+ t.plan(1)
24
+ t.same(cookie.parse('FOO = bar; baz = raz'), { FOO: 'bar', baz: 'raz' })
25
+ t.end()
26
+ })
27
+
28
+ test('parse: escaping', (t) => {
29
+ t.plan(2)
30
+ t.same(cookie.parse('foo="bar=123456789&name=Magic+Mouse"'), { foo: 'bar=123456789&name=Magic+Mouse' })
31
+ t.same(cookie.parse('email=%20%22%2c%3b%2f'), { email: ' ",;/' })
32
+ t.end()
33
+ })
34
+
35
+ test('parse: ignore escaping error and return original value', (t) => {
36
+ t.plan(1)
37
+ t.same(cookie.parse('foo=%1;bar=bar'), { foo: '%1', bar: 'bar' })
38
+ t.end()
39
+ })
40
+
41
+ test('parse: ignore non values', (t) => {
42
+ t.plan(1)
43
+ t.same(cookie.parse('foo=%1;bar=bar;HttpOnly;Secure'),
44
+ { foo: '%1', bar: 'bar' })
45
+ t.end()
46
+ })
47
+
48
+ test('parse: unencoded', (t) => {
49
+ t.plan(2)
50
+ t.same(cookie.parse('foo="bar=123456789&name=Magic+Mouse"', {
51
+ decode: function (v) { return v }
52
+ }), { foo: 'bar=123456789&name=Magic+Mouse' })
53
+
54
+ t.same(cookie.parse('email=%20%22%2c%3b%2f', {
55
+ decode: function (v) { return v }
56
+ }), { email: '%20%22%2c%3b%2f' })
57
+ t.end()
58
+ })
59
+
60
+ test('parse: dates', (t) => {
61
+ t.plan(1)
62
+ t.same(cookie.parse('priority=true; expires=Wed, 29 Jan 2014 17:43:25 GMT; Path=/', {
63
+ decode: function (v) { return v }
64
+ }), { priority: 'true', Path: '/', expires: 'Wed, 29 Jan 2014 17:43:25 GMT' })
65
+ t.end()
66
+ })
67
+
68
+ test('parse: missing value', (t) => {
69
+ t.plan(1)
70
+ t.same(cookie.parse('foo; bar=1; fizz= ; buzz=2', {
71
+ decode: function (v) { return v }
72
+ }), { bar: '1', fizz: '', buzz: '2' })
73
+ t.end()
74
+ })
75
+
76
+ test('parse: assign only once', (t) => {
77
+ t.plan(3)
78
+ t.same(cookie.parse('foo=%1;bar=bar;foo=boo'), { foo: '%1', bar: 'bar' })
79
+ t.same(cookie.parse('foo=false;bar=bar;foo=true'), { foo: 'false', bar: 'bar' })
80
+ t.same(cookie.parse('foo=;bar=bar;foo=boo'), { foo: '', bar: 'bar' })
81
+ t.end()
82
+ })
83
+
84
+ test('serializer: basic', (t) => {
85
+ t.plan(6)
86
+ t.same(cookie.serialize('foo', 'bar'), 'foo=bar')
87
+ t.same(cookie.serialize('foo', 'bar baz'), 'foo=bar%20baz')
88
+ t.same(cookie.serialize('foo', ''), 'foo=')
89
+ t.throws(cookie.serialize.bind(cookie, 'foo\n', 'bar'), /argument name is invalid/)
90
+ t.throws(cookie.serialize.bind(cookie, 'foo\u280a', 'bar'), /argument name is invalid/)
91
+ t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', { encode: 42 }), /option encode is invalid/)
92
+ t.end()
93
+ })
94
+
95
+ test('serializer: path', (t) => {
96
+ t.plan(2)
97
+ t.same(cookie.serialize('foo', 'bar', { path: '/' }), 'foo=bar; Path=/')
98
+ t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
99
+ path: '/\n'
100
+ }), /option path is invalid/)
101
+ t.end()
102
+ })
103
+
104
+ test('serializer: secure', (t) => {
105
+ t.plan(2)
106
+ t.same(cookie.serialize('foo', 'bar', { secure: true }), 'foo=bar; Secure')
107
+ t.same(cookie.serialize('foo', 'bar', { secure: false }), 'foo=bar')
108
+ t.end()
109
+ })
110
+
111
+ test('serializer: domain', (t) => {
112
+ t.plan(2)
113
+ t.same(cookie.serialize('foo', 'bar', { domain: 'example.com' }), 'foo=bar; Domain=example.com')
114
+ t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
115
+ domain: 'example.com\n'
116
+ }), /option domain is invalid/)
117
+ t.end()
118
+ })
119
+
120
+ test('serializer: httpOnly', (t) => {
121
+ t.plan(1)
122
+ t.same(cookie.serialize('foo', 'bar', { httpOnly: true }), 'foo=bar; HttpOnly')
123
+ t.end()
124
+ })
125
+
126
+ test('serializer: maxAge', (t) => {
127
+ t.plan(9)
128
+ t.throws(function () {
129
+ cookie.serialize('foo', 'bar', {
130
+ maxAge: 'buzz'
131
+ })
132
+ }, /option maxAge is invalid/)
133
+
134
+ t.throws(function () {
135
+ cookie.serialize('foo', 'bar', {
136
+ maxAge: Infinity
137
+ })
138
+ }, /option maxAge is invalid/)
139
+
140
+ t.same(cookie.serialize('foo', 'bar', { maxAge: 1000 }), 'foo=bar; Max-Age=1000')
141
+ t.same(cookie.serialize('foo', 'bar', { maxAge: '1000' }), 'foo=bar; Max-Age=1000')
142
+ t.same(cookie.serialize('foo', 'bar', { maxAge: 0 }), 'foo=bar; Max-Age=0')
143
+ t.same(cookie.serialize('foo', 'bar', { maxAge: '0' }), 'foo=bar; Max-Age=0')
144
+ t.same(cookie.serialize('foo', 'bar', { maxAge: null }), 'foo=bar')
145
+ t.same(cookie.serialize('foo', 'bar', { maxAge: undefined }), 'foo=bar')
146
+ t.same(cookie.serialize('foo', 'bar', { maxAge: 3.14 }), 'foo=bar; Max-Age=3')
147
+ t.end()
148
+ })
149
+
150
+ test('serializer: expires', (t) => {
151
+ t.plan(2)
152
+ t.same(cookie.serialize('foo', 'bar', {
153
+ expires: new Date(Date.UTC(2000, 11, 24, 10, 30, 59, 900))
154
+ }), 'foo=bar; Expires=Sun, 24 Dec 2000 10:30:59 GMT')
155
+
156
+ t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
157
+ expires: Date.now()
158
+ }), /option expires is invalid/)
159
+ t.end()
160
+ })
161
+
162
+ test('sameSite', (t) => {
163
+ t.plan(9)
164
+ t.same(cookie.serialize('foo', 'bar', { sameSite: true }), 'foo=bar; SameSite=Strict')
165
+ t.same(cookie.serialize('foo', 'bar', { sameSite: 'Strict' }), 'foo=bar; SameSite=Strict')
166
+ t.same(cookie.serialize('foo', 'bar', { sameSite: 'strict' }), 'foo=bar; SameSite=Strict')
167
+ t.same(cookie.serialize('foo', 'bar', { sameSite: 'Lax' }), 'foo=bar; SameSite=Lax')
168
+ t.same(cookie.serialize('foo', 'bar', { sameSite: 'lax' }), 'foo=bar; SameSite=Lax')
169
+ t.same(cookie.serialize('foo', 'bar', { sameSite: 'None' }), 'foo=bar; SameSite=None')
170
+ t.same(cookie.serialize('foo', 'bar', { sameSite: 'none' }), 'foo=bar; SameSite=None')
171
+ t.same(cookie.serialize('foo', 'bar', { sameSite: false }), 'foo=bar')
172
+
173
+ t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
174
+ sameSite: 'foo'
175
+ }), /option sameSite is invalid/)
176
+ t.end()
177
+ })
178
+
179
+ test('escaping', (t) => {
180
+ t.plan(1)
181
+ t.same(cookie.serialize('cat', '+ '), 'cat=%2B%20')
182
+ t.end()
183
+ })
184
+
185
+ test('parse->serialize', (t) => {
186
+ t.plan(2)
187
+ t.same(cookie.parse(cookie.serialize('cat', 'foo=123&name=baz five')),
188
+ { cat: 'foo=123&name=baz five' })
189
+
190
+ t.same(cookie.parse(cookie.serialize('cat', ' ";/')),
191
+ { cat: ' ";/' })
192
+ t.end()
193
+ })
194
+
195
+ test('unencoded', (t) => {
196
+ t.plan(2)
197
+ t.same(cookie.serialize('cat', '+ ', {
198
+ encode: function (value) { return value }
199
+ }), 'cat=+ ')
200
+
201
+ t.throws(cookie.serialize.bind(cookie, 'cat', '+ \n', {
202
+ encode: function (value) { return value }
203
+ }), /argument val is invalid/)
204
+ t.end()
205
+ })
@@ -1,7 +1,6 @@
1
1
  'use strict'
2
2
 
3
- const tap = require('tap')
4
- const test = tap.test
3
+ const { test } = require('tap')
5
4
  const Fastify = require('fastify')
6
5
  const sinon = require('sinon')
7
6
  const { sign, unsign } = require('../signer')
@@ -93,6 +92,46 @@ test('should set multiple cookies', (t) => {
93
92
  })
94
93
  })
95
94
 
95
+ test('should set multiple cookies', (t) => {
96
+ t.plan(12)
97
+ const fastify = Fastify()
98
+ fastify.register(plugin)
99
+
100
+ fastify.get('/', (req, reply) => {
101
+ reply
102
+ .setCookie('foo', 'foo')
103
+ .cookie('bar', 'test', {
104
+ partitioned: true
105
+ })
106
+ .setCookie('wee', 'woo', {
107
+ partitioned: true,
108
+ secure: true
109
+ })
110
+ .send({ hello: 'world' })
111
+ })
112
+
113
+ fastify.inject({
114
+ method: 'GET',
115
+ url: '/'
116
+ }, (err, res) => {
117
+ t.error(err)
118
+ t.equal(res.statusCode, 200)
119
+ t.same(JSON.parse(res.body), { hello: 'world' })
120
+
121
+ const cookies = res.cookies
122
+ t.equal(cookies.length, 3)
123
+ t.equal(cookies[0].name, 'foo')
124
+ t.equal(cookies[0].value, 'foo')
125
+ t.equal(cookies[1].name, 'bar')
126
+ t.equal(cookies[1].value, 'test')
127
+ t.equal(cookies[2].name, 'wee')
128
+ t.equal(cookies[2].value, 'woo')
129
+
130
+ t.equal(res.headers['set-cookie'][1], 'bar=test; Partitioned')
131
+ t.equal(res.headers['set-cookie'][2], 'wee=woo; Secure; Partitioned')
132
+ })
133
+ })
134
+
96
135
  test('cookies get set correctly with millisecond dates', (t) => {
97
136
  t.plan(8)
98
137
  const fastify = Fastify()
@@ -2,7 +2,7 @@
2
2
 
3
3
  const { test } = require('tap')
4
4
  const sinon = require('sinon')
5
- const crypto = require('crypto')
5
+ const crypto = require('node:crypto')
6
6
  const { Signer, sign, unsign } = require('../signer')
7
7
 
8
8
  test('default', t => {
package/types/plugin.d.ts CHANGED
@@ -125,9 +125,9 @@ declare namespace fastifyCookie {
125
125
  httpOnly?: boolean;
126
126
  /** A `number` in seconds that specifies the `Expires` attribute by adding the specified seconds to the current date. If both `expires` and `maxAge` are set, then `expires` is used. */
127
127
  maxAge?: number;
128
+ partitioned?: boolean;
128
129
  /** The `Path` attribute. Defaults to `/` (the root path). */
129
130
  path?: string;
130
- priority?: "low" | "medium" | "high";
131
131
  /** A `boolean` or one of the `SameSite` string attributes. E.g.: `lax`, `none` or `strict`. */
132
132
  sameSite?: 'lax' | 'none' | 'strict' | boolean;
133
133
  /** The `boolean` value of the `Secure` attribute. Set this option to false when communicating over an unencrypted (HTTP) connection. Value can be set to `auto`; in this case the `Secure` attribute will be set to false for HTTP request, in case of HTTPS it will be set to true. Defaults to true. */
@@ -172,6 +172,7 @@ const parseOptions: fastifyCookieStar.CookieSerializeOptions = {
172
172
  sameSite: 'lax',
173
173
  secure: true,
174
174
  signed: true,
175
+ partitioned: false,
175
176
  };
176
177
  expectType<fastifyCookieStar.CookieSerializeOptions>(parseOptions);
177
178