@fastify/cookie 9.1.0 → 9.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.gitattributes +2 -0
- package/README.md +103 -2
- package/cookie.js +227 -0
- package/package.json +6 -5
- package/plugin.js +19 -17
- package/signer.js +1 -1
- package/test/cookie-module.test.js +205 -0
- package/test/cookie.test.js +73 -0
- package/types/plugin.d.ts +8 -6
- package/types/plugin.test-d.ts +4 -0
package/.gitattributes
ADDED
package/README.md
CHANGED
|
@@ -4,13 +4,15 @@
|
|
|
4
4
|
[](https://www.npmjs.com/package/@fastify/cookie)
|
|
5
5
|
[](https://standardjs.com/)
|
|
6
6
|
|
|
7
|
-
A plugin for [Fastify](http://fastify.
|
|
7
|
+
A plugin for [Fastify](http://fastify.dev/) that adds support for reading and
|
|
8
8
|
setting cookies.
|
|
9
9
|
|
|
10
10
|
This plugin's cookie parsing works via Fastify's `onRequest` hook. Therefore,
|
|
11
11
|
you should register it prior to any other `onRequest` hooks that will depend
|
|
12
12
|
upon this plugin's actions.
|
|
13
13
|
|
|
14
|
+
It is also possible to [import the low-level cookie parsing and serialization functions](#importing-serialize-and-parse).
|
|
15
|
+
|
|
14
16
|
`@fastify/cookie` [v2.x](https://github.com/fastify/fastify-cookie/tree/v2.x)
|
|
15
17
|
supports both Fastify@1 and Fastify@2.
|
|
16
18
|
`@fastify/cookie` v3 only supports Fastify@2.
|
|
@@ -70,6 +72,23 @@ app.register(cookie, {
|
|
|
70
72
|
} as FastifyCookieOptions)
|
|
71
73
|
```
|
|
72
74
|
|
|
75
|
+
## Importing `serialize` and `parse`
|
|
76
|
+
|
|
77
|
+
```js
|
|
78
|
+
const { serialize, parse } = require('@fastify/cookie')
|
|
79
|
+
const fastify = require('fastify')()
|
|
80
|
+
|
|
81
|
+
fastify.get('/', (req, reply) => {
|
|
82
|
+
const cookie = serialize('lang', 'en', {
|
|
83
|
+
maxAge: 60_000,
|
|
84
|
+
})
|
|
85
|
+
|
|
86
|
+
reply.header('Set-Cookie', cookie)
|
|
87
|
+
|
|
88
|
+
reply.send('Language set!')
|
|
89
|
+
})
|
|
90
|
+
```
|
|
91
|
+
|
|
73
92
|
## Options
|
|
74
93
|
|
|
75
94
|
- `secret` (`String` | `Array` | `Buffer` | `Object`):
|
|
@@ -77,7 +96,89 @@ app.register(cookie, {
|
|
|
77
96
|
- An `Array` can be passed if key rotation is desired. Read more about it in [Rotating signing secret](#rotating-secret).
|
|
78
97
|
- More sophisticated cookie signing mechanisms can be implemented by supplying an `Object`. Read more about it in [Custom cookie signer](#custom-cookie-signer).
|
|
79
98
|
|
|
80
|
-
- `parseOptions`: An `Object` to
|
|
99
|
+
- `parseOptions`: An `Object` to modify the serialization of set cookies.
|
|
100
|
+
|
|
101
|
+
#### parseOptions
|
|
102
|
+
|
|
103
|
+
##### domain
|
|
104
|
+
|
|
105
|
+
Specifies the value for the [`Domain` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.3). By default, no
|
|
106
|
+
domain is set, and most clients will consider the cookie to apply to only the current domain.
|
|
107
|
+
|
|
108
|
+
##### encode
|
|
109
|
+
|
|
110
|
+
Specifies a function that will be used to encode a cookie's value. Since value of a cookie
|
|
111
|
+
has a limited character set (and must be a simple string), this function can be used to encode
|
|
112
|
+
a value into a string suited for a cookie's value.
|
|
113
|
+
|
|
114
|
+
The default function is the global `encodeURIComponent`, which will encode a JavaScript string
|
|
115
|
+
into UTF-8 byte sequences and then URL-encode any that fall outside of the cookie range.
|
|
116
|
+
|
|
117
|
+
##### expires
|
|
118
|
+
|
|
119
|
+
Specifies the `Date` object to be the value for the [`Expires` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.1).
|
|
120
|
+
By default, no expiration is set, and most clients will consider this a "non-persistent cookie" and
|
|
121
|
+
will delete it on a condition like exiting a web browser application.
|
|
122
|
+
|
|
123
|
+
**Note:** the [cookie storage model specification](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) states that if both `expires` and
|
|
124
|
+
`maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,
|
|
125
|
+
so if both are set, they should point to the same date and time.
|
|
126
|
+
|
|
127
|
+
##### httpOnly
|
|
128
|
+
|
|
129
|
+
Specifies the `boolean` value for the [`HttpOnly` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.6). When truthy,
|
|
130
|
+
the `HttpOnly` attribute is set, otherwise it is not. By default, the `HttpOnly` attribute is not set.
|
|
131
|
+
|
|
132
|
+
**Note:** be careful when setting this to `true`, as compliant clients will not allow client-side
|
|
133
|
+
JavaScript to see the cookie in `document.cookie`.
|
|
134
|
+
|
|
135
|
+
##### maxAge
|
|
136
|
+
|
|
137
|
+
Specifies the `number` (in seconds) to be the value for the [`Max-Age` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.2).
|
|
138
|
+
The given number will be converted to an integer by rounding down. By default, no maximum age is set.
|
|
139
|
+
|
|
140
|
+
**Note:** the [cookie storage model specification](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) states that if both `expires` and
|
|
141
|
+
`maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,
|
|
142
|
+
so if both are set, they should point to the same date and time.
|
|
143
|
+
|
|
144
|
+
##### partitioned
|
|
145
|
+
|
|
146
|
+
Specifies the `boolean` value for the [`Partitioned` `Set-Cookie`](https://datatracker.ietf.org/doc/html/draft-cutler-httpbis-partitioned-cookies#section-2.1)
|
|
147
|
+
attribute. When truthy, the `Partitioned` attribute is set, otherwise it is not. By default, the
|
|
148
|
+
`Partitioned` attribute is not set.
|
|
149
|
+
|
|
150
|
+
⚠️ **Warning:** [This is an attribute that has not yet been fully standardized](https://github.com/fastify/fastify-cookie/pull/261#issuecomment-1803234334), and may change in the future without reflecting the semver versioning. This also means many clients may ignore the attribute until they understand it.
|
|
151
|
+
|
|
152
|
+
More information about can be found in [the proposal](https://github.com/privacycg/CHIPS).
|
|
153
|
+
|
|
154
|
+
##### path
|
|
155
|
+
|
|
156
|
+
Specifies the value for the [`Path` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.4). By default, the path
|
|
157
|
+
is considered the ["default path"](https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.4).
|
|
158
|
+
|
|
159
|
+
##### sameSite
|
|
160
|
+
|
|
161
|
+
Specifies the `boolean` or `string` to be the value for the [`SameSite` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7).
|
|
162
|
+
|
|
163
|
+
- `true` will set the `SameSite` attribute to `Strict` for strict same site enforcement.
|
|
164
|
+
- `false` will not set the `SameSite` attribute.
|
|
165
|
+
- `'lax'` will set the `SameSite` attribute to `Lax` for lax same site enforcement.
|
|
166
|
+
- `'none'` will set the `SameSite` attribute to `None` for an explicit cross-site cookie.
|
|
167
|
+
- `'strict'` will set the `SameSite` attribute to `Strict` for strict same site enforcement.
|
|
168
|
+
|
|
169
|
+
More information about the different enforcement levels can be found in
|
|
170
|
+
[the specification](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7).
|
|
171
|
+
|
|
172
|
+
**Note:** This is an attribute that has not yet been fully standardized, and may change in the future.
|
|
173
|
+
This also means many clients may ignore this attribute until they understand it.
|
|
174
|
+
|
|
175
|
+
##### secure
|
|
176
|
+
|
|
177
|
+
Specifies the `boolean` value for the [`Secure` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.5). When truthy,
|
|
178
|
+
the `Secure` attribute is set, otherwise it is not. By default, the `Secure` attribute is not set.
|
|
179
|
+
|
|
180
|
+
**Note:** be careful when setting this to `true`, as compliant clients will not send the cookie back to
|
|
181
|
+
the server in the future if the browser does not have an HTTPS connection.
|
|
81
182
|
|
|
82
183
|
## API
|
|
83
184
|
|
package/cookie.js
ADDED
|
@@ -0,0 +1,227 @@
|
|
|
1
|
+
/*!
|
|
2
|
+
* Adapted from https://github.com/jshttp/cookie
|
|
3
|
+
*
|
|
4
|
+
* (The MIT License)
|
|
5
|
+
*
|
|
6
|
+
* Copyright (c) 2012-2014 Roman Shtylman <shtylman@gmail.com>
|
|
7
|
+
* Copyright (c) 2015 Douglas Christopher Wilson <doug@somethingdoug.com>
|
|
8
|
+
*
|
|
9
|
+
* Permission is hereby granted, free of charge, to any person obtaining
|
|
10
|
+
* a copy of this software and associated documentation files (the
|
|
11
|
+
* 'Software'), to deal in the Software without restriction, including
|
|
12
|
+
* without limitation the rights to use, copy, modify, merge, publish,
|
|
13
|
+
* distribute, sublicense, and/or sell copies of the Software, and to
|
|
14
|
+
* permit persons to whom the Software is furnished to do so, subject to
|
|
15
|
+
* the following conditions:
|
|
16
|
+
*
|
|
17
|
+
* The above copyright notice and this permission notice shall be
|
|
18
|
+
* included in all copies or substantial portions of the Software.
|
|
19
|
+
*
|
|
20
|
+
* THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
|
|
21
|
+
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
22
|
+
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
|
23
|
+
* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
|
|
24
|
+
* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
|
|
25
|
+
* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
|
|
26
|
+
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
27
|
+
*/
|
|
28
|
+
|
|
29
|
+
'use strict'
|
|
30
|
+
|
|
31
|
+
/**
|
|
32
|
+
* RegExp to match field-content in RFC 7230 sec 3.2
|
|
33
|
+
*
|
|
34
|
+
* field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
|
|
35
|
+
* field-vchar = VCHAR / obs-text
|
|
36
|
+
* obs-text = %x80-FF
|
|
37
|
+
*/
|
|
38
|
+
|
|
39
|
+
const fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/ // eslint-disable-line
|
|
40
|
+
|
|
41
|
+
/**
|
|
42
|
+
* Parse a cookie header.
|
|
43
|
+
*
|
|
44
|
+
* Parse the given cookie header string into an object
|
|
45
|
+
* The object has the various cookies as keys(names) => values
|
|
46
|
+
*
|
|
47
|
+
* @param {string} str
|
|
48
|
+
* @param {object} [opt]
|
|
49
|
+
* @return {object}
|
|
50
|
+
* @public
|
|
51
|
+
*/
|
|
52
|
+
|
|
53
|
+
function parse (str, opt) {
|
|
54
|
+
if (typeof str !== 'string') {
|
|
55
|
+
throw new TypeError('argument str must be a string')
|
|
56
|
+
}
|
|
57
|
+
|
|
58
|
+
const dec = opt?.decode || decodeURIComponent
|
|
59
|
+
const result = {}
|
|
60
|
+
|
|
61
|
+
const strLen = str.length
|
|
62
|
+
let pos = 0
|
|
63
|
+
let terminatorPos = 0
|
|
64
|
+
while (true) {
|
|
65
|
+
if (terminatorPos === strLen) break
|
|
66
|
+
terminatorPos = str.indexOf(';', pos)
|
|
67
|
+
if (terminatorPos === -1) terminatorPos = strLen // This is the last pair
|
|
68
|
+
|
|
69
|
+
let eqIdx = str.indexOf('=', pos)
|
|
70
|
+
if (eqIdx === -1) break // No key-value pairs left
|
|
71
|
+
if (eqIdx > terminatorPos) {
|
|
72
|
+
// Malformed key-value pair
|
|
73
|
+
pos = terminatorPos + 1
|
|
74
|
+
continue
|
|
75
|
+
}
|
|
76
|
+
|
|
77
|
+
const key = str.substring(pos, eqIdx++).trim()
|
|
78
|
+
if (result[key] === undefined) {
|
|
79
|
+
const val = str.charCodeAt(eqIdx) === 0x22
|
|
80
|
+
? str.substring(eqIdx + 1, terminatorPos - 1).trim()
|
|
81
|
+
: str.substring(eqIdx, terminatorPos).trim()
|
|
82
|
+
|
|
83
|
+
result[key] = !(dec === decodeURIComponent && val.indexOf('%') === -1)
|
|
84
|
+
? tryDecode(val, dec)
|
|
85
|
+
: val
|
|
86
|
+
}
|
|
87
|
+
|
|
88
|
+
pos = terminatorPos + 1
|
|
89
|
+
}
|
|
90
|
+
|
|
91
|
+
return result
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
/**
|
|
95
|
+
* Serialize data into a cookie header.
|
|
96
|
+
*
|
|
97
|
+
* Serialize the a name value pair into a cookie string suitable for
|
|
98
|
+
* http headers. An optional options object specified cookie parameters.
|
|
99
|
+
*
|
|
100
|
+
* serialize('foo', 'bar', { httpOnly: true })
|
|
101
|
+
* => "foo=bar; httpOnly"
|
|
102
|
+
*
|
|
103
|
+
* @param {string} name
|
|
104
|
+
* @param {string} val
|
|
105
|
+
* @param {object} [opt]
|
|
106
|
+
* @return {string}
|
|
107
|
+
* @public
|
|
108
|
+
*/
|
|
109
|
+
|
|
110
|
+
function serialize (name, val, opt) {
|
|
111
|
+
const enc = opt?.encode || encodeURIComponent
|
|
112
|
+
if (typeof enc !== 'function') {
|
|
113
|
+
throw new TypeError('option encode is invalid')
|
|
114
|
+
}
|
|
115
|
+
|
|
116
|
+
if (name && !fieldContentRegExp.test(name)) {
|
|
117
|
+
throw new TypeError('argument name is invalid')
|
|
118
|
+
}
|
|
119
|
+
|
|
120
|
+
const value = enc(val)
|
|
121
|
+
if (value && !fieldContentRegExp.test(value)) {
|
|
122
|
+
throw new TypeError('argument val is invalid')
|
|
123
|
+
}
|
|
124
|
+
|
|
125
|
+
let str = name + '=' + value
|
|
126
|
+
|
|
127
|
+
if (opt == null) return str
|
|
128
|
+
|
|
129
|
+
if (opt.maxAge != null) {
|
|
130
|
+
const maxAge = +opt.maxAge
|
|
131
|
+
|
|
132
|
+
if (!isFinite(maxAge)) {
|
|
133
|
+
throw new TypeError('option maxAge is invalid')
|
|
134
|
+
}
|
|
135
|
+
|
|
136
|
+
str += '; Max-Age=' + Math.trunc(maxAge)
|
|
137
|
+
}
|
|
138
|
+
|
|
139
|
+
if (opt.domain) {
|
|
140
|
+
if (!fieldContentRegExp.test(opt.domain)) {
|
|
141
|
+
throw new TypeError('option domain is invalid')
|
|
142
|
+
}
|
|
143
|
+
|
|
144
|
+
str += '; Domain=' + opt.domain
|
|
145
|
+
}
|
|
146
|
+
|
|
147
|
+
if (opt.path) {
|
|
148
|
+
if (!fieldContentRegExp.test(opt.path)) {
|
|
149
|
+
throw new TypeError('option path is invalid')
|
|
150
|
+
}
|
|
151
|
+
|
|
152
|
+
str += '; Path=' + opt.path
|
|
153
|
+
}
|
|
154
|
+
|
|
155
|
+
if (opt.expires) {
|
|
156
|
+
if (typeof opt.expires.toUTCString !== 'function') {
|
|
157
|
+
throw new TypeError('option expires is invalid')
|
|
158
|
+
}
|
|
159
|
+
|
|
160
|
+
str += '; Expires=' + opt.expires.toUTCString()
|
|
161
|
+
}
|
|
162
|
+
|
|
163
|
+
if (opt.httpOnly) {
|
|
164
|
+
str += '; HttpOnly'
|
|
165
|
+
}
|
|
166
|
+
|
|
167
|
+
if (opt.secure) {
|
|
168
|
+
str += '; Secure'
|
|
169
|
+
}
|
|
170
|
+
|
|
171
|
+
// Draft implementation to support Chrome from 2024-Q1 forward.
|
|
172
|
+
// See https://datatracker.ietf.org/doc/html/draft-cutler-httpbis-partitioned-cookies#section-2.1
|
|
173
|
+
if (opt.partitioned) {
|
|
174
|
+
str += '; Partitioned'
|
|
175
|
+
}
|
|
176
|
+
|
|
177
|
+
if (opt.sameSite) {
|
|
178
|
+
const sameSite = typeof opt.sameSite === 'string'
|
|
179
|
+
? opt.sameSite.toLowerCase()
|
|
180
|
+
: opt.sameSite
|
|
181
|
+
|
|
182
|
+
switch (sameSite) {
|
|
183
|
+
case true:
|
|
184
|
+
str += '; SameSite=Strict'
|
|
185
|
+
break
|
|
186
|
+
case 'lax':
|
|
187
|
+
str += '; SameSite=Lax'
|
|
188
|
+
break
|
|
189
|
+
case 'strict':
|
|
190
|
+
str += '; SameSite=Strict'
|
|
191
|
+
break
|
|
192
|
+
case 'none':
|
|
193
|
+
str += '; SameSite=None'
|
|
194
|
+
break
|
|
195
|
+
default:
|
|
196
|
+
throw new TypeError('option sameSite is invalid')
|
|
197
|
+
}
|
|
198
|
+
}
|
|
199
|
+
|
|
200
|
+
return str
|
|
201
|
+
}
|
|
202
|
+
|
|
203
|
+
/**
|
|
204
|
+
* Try decoding a string using a decoding function.
|
|
205
|
+
*
|
|
206
|
+
* @param {string} str
|
|
207
|
+
* @param {function} decode
|
|
208
|
+
* @returns {string}
|
|
209
|
+
* @private
|
|
210
|
+
*/
|
|
211
|
+
function tryDecode (str, decode) {
|
|
212
|
+
try {
|
|
213
|
+
return decode(str)
|
|
214
|
+
} catch {
|
|
215
|
+
return str
|
|
216
|
+
}
|
|
217
|
+
}
|
|
218
|
+
|
|
219
|
+
/**
|
|
220
|
+
* Module exports.
|
|
221
|
+
* @public
|
|
222
|
+
*/
|
|
223
|
+
|
|
224
|
+
module.exports = {
|
|
225
|
+
parse,
|
|
226
|
+
serialize
|
|
227
|
+
}
|
package/package.json
CHANGED
|
@@ -1,8 +1,9 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@fastify/cookie",
|
|
3
|
-
"version": "9.
|
|
3
|
+
"version": "9.3.0",
|
|
4
4
|
"description": "Plugin for fastify to add support for cookies",
|
|
5
5
|
"main": "plugin.js",
|
|
6
|
+
"type": "commonjs",
|
|
6
7
|
"types": "types/plugin.d.ts",
|
|
7
8
|
"scripts": {
|
|
8
9
|
"coverage": "npm run test:unit -- --coverage-report=html",
|
|
@@ -43,15 +44,15 @@
|
|
|
43
44
|
"@types/node": "^20.1.0",
|
|
44
45
|
"benchmark": "^2.1.4",
|
|
45
46
|
"fastify": "^4.0.0",
|
|
46
|
-
"sinon": "^
|
|
47
|
+
"sinon": "^17.0.0",
|
|
47
48
|
"snazzy": "^9.0.0",
|
|
48
49
|
"standard": "^17.0.0",
|
|
49
50
|
"tap": "^16.0.0",
|
|
50
|
-
"tsd": "^0.
|
|
51
|
+
"tsd": "^0.30.0"
|
|
51
52
|
},
|
|
52
53
|
"dependencies": {
|
|
53
|
-
"
|
|
54
|
-
"
|
|
54
|
+
"fastify-plugin": "^4.0.0",
|
|
55
|
+
"cookie-signature": "^1.1.0"
|
|
55
56
|
},
|
|
56
57
|
"tsd": {
|
|
57
58
|
"directory": "test"
|
package/plugin.js
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
'use strict'
|
|
2
2
|
|
|
3
3
|
const fp = require('fastify-plugin')
|
|
4
|
-
const cookie = require('cookie')
|
|
4
|
+
const cookie = require('./cookie')
|
|
5
5
|
|
|
6
6
|
const { Signer, sign, unsign } = require('./signer')
|
|
7
7
|
|
|
@@ -70,32 +70,31 @@ function onReqHandlerWrapper (fastify, hook) {
|
|
|
70
70
|
}
|
|
71
71
|
|
|
72
72
|
function setCookies (reply) {
|
|
73
|
-
|
|
74
|
-
|
|
73
|
+
const setCookieHeaderValue = reply.getHeader('Set-Cookie')
|
|
74
|
+
let cookieValue
|
|
75
75
|
|
|
76
|
-
|
|
77
|
-
if (setCookieIsUndefined) {
|
|
76
|
+
if (setCookieHeaderValue === undefined) {
|
|
78
77
|
if (reply[kReplySetCookies].size === 1) {
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
78
|
+
// Fast path for single cookie
|
|
79
|
+
const c = reply[kReplySetCookies].values().next().value
|
|
80
|
+
reply.header('Set-Cookie', cookie.serialize(c.name, c.value, c.opts))
|
|
83
81
|
reply[kReplySetCookies].clear()
|
|
84
|
-
|
|
85
82
|
return
|
|
86
83
|
}
|
|
87
84
|
|
|
88
|
-
|
|
89
|
-
} else if (typeof
|
|
90
|
-
|
|
85
|
+
cookieValue = []
|
|
86
|
+
} else if (typeof setCookieHeaderValue === 'string') {
|
|
87
|
+
cookieValue = [setCookieHeaderValue]
|
|
88
|
+
} else {
|
|
89
|
+
cookieValue = setCookieHeaderValue
|
|
91
90
|
}
|
|
92
91
|
|
|
93
92
|
for (const c of reply[kReplySetCookies].values()) {
|
|
94
|
-
|
|
93
|
+
cookieValue.push(cookie.serialize(c.name, c.value, c.opts))
|
|
95
94
|
}
|
|
96
95
|
|
|
97
|
-
|
|
98
|
-
reply.header('Set-Cookie',
|
|
96
|
+
reply.removeHeader('Set-Cookie')
|
|
97
|
+
reply.header('Set-Cookie', cookieValue)
|
|
99
98
|
reply[kReplySetCookies].clear()
|
|
100
99
|
}
|
|
101
100
|
|
|
@@ -126,7 +125,7 @@ function plugin (fastify, options, next) {
|
|
|
126
125
|
fastify.decorate('serializeCookie', cookie.serialize)
|
|
127
126
|
fastify.decorate('parseCookie', parseCookie)
|
|
128
127
|
|
|
129
|
-
if (
|
|
128
|
+
if (secret !== undefined) {
|
|
130
129
|
fastify.decorate('signCookie', signCookie)
|
|
131
130
|
fastify.decorate('unsignCookie', unsignCookie)
|
|
132
131
|
|
|
@@ -214,6 +213,9 @@ module.exports = fastifyCookie
|
|
|
214
213
|
module.exports.default = fastifyCookie // supersedes fastifyCookie.default = fastifyCookie
|
|
215
214
|
module.exports.fastifyCookie = fastifyCookie // supersedes fastifyCookie.fastifyCookie = fastifyCookie
|
|
216
215
|
|
|
216
|
+
module.exports.serialize = cookie.serialize
|
|
217
|
+
module.exports.parse = cookie.parse
|
|
218
|
+
|
|
217
219
|
module.exports.signerFactory = Signer
|
|
218
220
|
module.exports.Signer = Signer
|
|
219
221
|
module.exports.sign = sign
|
package/signer.js
CHANGED
|
@@ -0,0 +1,205 @@
|
|
|
1
|
+
'use strict'
|
|
2
|
+
|
|
3
|
+
const tap = require('tap')
|
|
4
|
+
const test = tap.test
|
|
5
|
+
|
|
6
|
+
const cookie = require('..')
|
|
7
|
+
|
|
8
|
+
test('parse: argument validation', (t) => {
|
|
9
|
+
t.plan(2)
|
|
10
|
+
t.throws(cookie.parse.bind(), /argument str must be a string/)
|
|
11
|
+
t.throws(cookie.parse.bind(null, 42), /argument str must be a string/)
|
|
12
|
+
t.end()
|
|
13
|
+
})
|
|
14
|
+
|
|
15
|
+
test('parse: basic', (t) => {
|
|
16
|
+
t.plan(2)
|
|
17
|
+
t.same(cookie.parse('foo=bar'), { foo: 'bar' })
|
|
18
|
+
t.same(cookie.parse('foo=123'), { foo: '123' })
|
|
19
|
+
t.end()
|
|
20
|
+
})
|
|
21
|
+
|
|
22
|
+
test('parse: ignore spaces', (t) => {
|
|
23
|
+
t.plan(1)
|
|
24
|
+
t.same(cookie.parse('FOO = bar; baz = raz'), { FOO: 'bar', baz: 'raz' })
|
|
25
|
+
t.end()
|
|
26
|
+
})
|
|
27
|
+
|
|
28
|
+
test('parse: escaping', (t) => {
|
|
29
|
+
t.plan(2)
|
|
30
|
+
t.same(cookie.parse('foo="bar=123456789&name=Magic+Mouse"'), { foo: 'bar=123456789&name=Magic+Mouse' })
|
|
31
|
+
t.same(cookie.parse('email=%20%22%2c%3b%2f'), { email: ' ",;/' })
|
|
32
|
+
t.end()
|
|
33
|
+
})
|
|
34
|
+
|
|
35
|
+
test('parse: ignore escaping error and return original value', (t) => {
|
|
36
|
+
t.plan(1)
|
|
37
|
+
t.same(cookie.parse('foo=%1;bar=bar'), { foo: '%1', bar: 'bar' })
|
|
38
|
+
t.end()
|
|
39
|
+
})
|
|
40
|
+
|
|
41
|
+
test('parse: ignore non values', (t) => {
|
|
42
|
+
t.plan(1)
|
|
43
|
+
t.same(cookie.parse('foo=%1;bar=bar;HttpOnly;Secure'),
|
|
44
|
+
{ foo: '%1', bar: 'bar' })
|
|
45
|
+
t.end()
|
|
46
|
+
})
|
|
47
|
+
|
|
48
|
+
test('parse: unencoded', (t) => {
|
|
49
|
+
t.plan(2)
|
|
50
|
+
t.same(cookie.parse('foo="bar=123456789&name=Magic+Mouse"', {
|
|
51
|
+
decode: function (v) { return v }
|
|
52
|
+
}), { foo: 'bar=123456789&name=Magic+Mouse' })
|
|
53
|
+
|
|
54
|
+
t.same(cookie.parse('email=%20%22%2c%3b%2f', {
|
|
55
|
+
decode: function (v) { return v }
|
|
56
|
+
}), { email: '%20%22%2c%3b%2f' })
|
|
57
|
+
t.end()
|
|
58
|
+
})
|
|
59
|
+
|
|
60
|
+
test('parse: dates', (t) => {
|
|
61
|
+
t.plan(1)
|
|
62
|
+
t.same(cookie.parse('priority=true; expires=Wed, 29 Jan 2014 17:43:25 GMT; Path=/', {
|
|
63
|
+
decode: function (v) { return v }
|
|
64
|
+
}), { priority: 'true', Path: '/', expires: 'Wed, 29 Jan 2014 17:43:25 GMT' })
|
|
65
|
+
t.end()
|
|
66
|
+
})
|
|
67
|
+
|
|
68
|
+
test('parse: missing value', (t) => {
|
|
69
|
+
t.plan(1)
|
|
70
|
+
t.same(cookie.parse('foo; bar=1; fizz= ; buzz=2', {
|
|
71
|
+
decode: function (v) { return v }
|
|
72
|
+
}), { bar: '1', fizz: '', buzz: '2' })
|
|
73
|
+
t.end()
|
|
74
|
+
})
|
|
75
|
+
|
|
76
|
+
test('parse: assign only once', (t) => {
|
|
77
|
+
t.plan(3)
|
|
78
|
+
t.same(cookie.parse('foo=%1;bar=bar;foo=boo'), { foo: '%1', bar: 'bar' })
|
|
79
|
+
t.same(cookie.parse('foo=false;bar=bar;foo=true'), { foo: 'false', bar: 'bar' })
|
|
80
|
+
t.same(cookie.parse('foo=;bar=bar;foo=boo'), { foo: '', bar: 'bar' })
|
|
81
|
+
t.end()
|
|
82
|
+
})
|
|
83
|
+
|
|
84
|
+
test('serializer: basic', (t) => {
|
|
85
|
+
t.plan(6)
|
|
86
|
+
t.same(cookie.serialize('foo', 'bar'), 'foo=bar')
|
|
87
|
+
t.same(cookie.serialize('foo', 'bar baz'), 'foo=bar%20baz')
|
|
88
|
+
t.same(cookie.serialize('foo', ''), 'foo=')
|
|
89
|
+
t.throws(cookie.serialize.bind(cookie, 'foo\n', 'bar'), /argument name is invalid/)
|
|
90
|
+
t.throws(cookie.serialize.bind(cookie, 'foo\u280a', 'bar'), /argument name is invalid/)
|
|
91
|
+
t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', { encode: 42 }), /option encode is invalid/)
|
|
92
|
+
t.end()
|
|
93
|
+
})
|
|
94
|
+
|
|
95
|
+
test('serializer: path', (t) => {
|
|
96
|
+
t.plan(2)
|
|
97
|
+
t.same(cookie.serialize('foo', 'bar', { path: '/' }), 'foo=bar; Path=/')
|
|
98
|
+
t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
|
|
99
|
+
path: '/\n'
|
|
100
|
+
}), /option path is invalid/)
|
|
101
|
+
t.end()
|
|
102
|
+
})
|
|
103
|
+
|
|
104
|
+
test('serializer: secure', (t) => {
|
|
105
|
+
t.plan(2)
|
|
106
|
+
t.same(cookie.serialize('foo', 'bar', { secure: true }), 'foo=bar; Secure')
|
|
107
|
+
t.same(cookie.serialize('foo', 'bar', { secure: false }), 'foo=bar')
|
|
108
|
+
t.end()
|
|
109
|
+
})
|
|
110
|
+
|
|
111
|
+
test('serializer: domain', (t) => {
|
|
112
|
+
t.plan(2)
|
|
113
|
+
t.same(cookie.serialize('foo', 'bar', { domain: 'example.com' }), 'foo=bar; Domain=example.com')
|
|
114
|
+
t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
|
|
115
|
+
domain: 'example.com\n'
|
|
116
|
+
}), /option domain is invalid/)
|
|
117
|
+
t.end()
|
|
118
|
+
})
|
|
119
|
+
|
|
120
|
+
test('serializer: httpOnly', (t) => {
|
|
121
|
+
t.plan(1)
|
|
122
|
+
t.same(cookie.serialize('foo', 'bar', { httpOnly: true }), 'foo=bar; HttpOnly')
|
|
123
|
+
t.end()
|
|
124
|
+
})
|
|
125
|
+
|
|
126
|
+
test('serializer: maxAge', (t) => {
|
|
127
|
+
t.plan(9)
|
|
128
|
+
t.throws(function () {
|
|
129
|
+
cookie.serialize('foo', 'bar', {
|
|
130
|
+
maxAge: 'buzz'
|
|
131
|
+
})
|
|
132
|
+
}, /option maxAge is invalid/)
|
|
133
|
+
|
|
134
|
+
t.throws(function () {
|
|
135
|
+
cookie.serialize('foo', 'bar', {
|
|
136
|
+
maxAge: Infinity
|
|
137
|
+
})
|
|
138
|
+
}, /option maxAge is invalid/)
|
|
139
|
+
|
|
140
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: 1000 }), 'foo=bar; Max-Age=1000')
|
|
141
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: '1000' }), 'foo=bar; Max-Age=1000')
|
|
142
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: 0 }), 'foo=bar; Max-Age=0')
|
|
143
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: '0' }), 'foo=bar; Max-Age=0')
|
|
144
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: null }), 'foo=bar')
|
|
145
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: undefined }), 'foo=bar')
|
|
146
|
+
t.same(cookie.serialize('foo', 'bar', { maxAge: 3.14 }), 'foo=bar; Max-Age=3')
|
|
147
|
+
t.end()
|
|
148
|
+
})
|
|
149
|
+
|
|
150
|
+
test('serializer: expires', (t) => {
|
|
151
|
+
t.plan(2)
|
|
152
|
+
t.same(cookie.serialize('foo', 'bar', {
|
|
153
|
+
expires: new Date(Date.UTC(2000, 11, 24, 10, 30, 59, 900))
|
|
154
|
+
}), 'foo=bar; Expires=Sun, 24 Dec 2000 10:30:59 GMT')
|
|
155
|
+
|
|
156
|
+
t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
|
|
157
|
+
expires: Date.now()
|
|
158
|
+
}), /option expires is invalid/)
|
|
159
|
+
t.end()
|
|
160
|
+
})
|
|
161
|
+
|
|
162
|
+
test('sameSite', (t) => {
|
|
163
|
+
t.plan(9)
|
|
164
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: true }), 'foo=bar; SameSite=Strict')
|
|
165
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: 'Strict' }), 'foo=bar; SameSite=Strict')
|
|
166
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: 'strict' }), 'foo=bar; SameSite=Strict')
|
|
167
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: 'Lax' }), 'foo=bar; SameSite=Lax')
|
|
168
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: 'lax' }), 'foo=bar; SameSite=Lax')
|
|
169
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: 'None' }), 'foo=bar; SameSite=None')
|
|
170
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: 'none' }), 'foo=bar; SameSite=None')
|
|
171
|
+
t.same(cookie.serialize('foo', 'bar', { sameSite: false }), 'foo=bar')
|
|
172
|
+
|
|
173
|
+
t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
|
|
174
|
+
sameSite: 'foo'
|
|
175
|
+
}), /option sameSite is invalid/)
|
|
176
|
+
t.end()
|
|
177
|
+
})
|
|
178
|
+
|
|
179
|
+
test('escaping', (t) => {
|
|
180
|
+
t.plan(1)
|
|
181
|
+
t.same(cookie.serialize('cat', '+ '), 'cat=%2B%20')
|
|
182
|
+
t.end()
|
|
183
|
+
})
|
|
184
|
+
|
|
185
|
+
test('parse->serialize', (t) => {
|
|
186
|
+
t.plan(2)
|
|
187
|
+
t.same(cookie.parse(cookie.serialize('cat', 'foo=123&name=baz five')),
|
|
188
|
+
{ cat: 'foo=123&name=baz five' })
|
|
189
|
+
|
|
190
|
+
t.same(cookie.parse(cookie.serialize('cat', ' ";/')),
|
|
191
|
+
{ cat: ' ";/' })
|
|
192
|
+
t.end()
|
|
193
|
+
})
|
|
194
|
+
|
|
195
|
+
test('unencoded', (t) => {
|
|
196
|
+
t.plan(2)
|
|
197
|
+
t.same(cookie.serialize('cat', '+ ', {
|
|
198
|
+
encode: function (value) { return value }
|
|
199
|
+
}), 'cat=+ ')
|
|
200
|
+
|
|
201
|
+
t.throws(cookie.serialize.bind(cookie, 'cat', '+ \n', {
|
|
202
|
+
encode: function (value) { return value }
|
|
203
|
+
}), /argument val is invalid/)
|
|
204
|
+
t.end()
|
|
205
|
+
})
|
package/test/cookie.test.js
CHANGED
|
@@ -92,6 +92,79 @@ test('should set multiple cookies', (t) => {
|
|
|
92
92
|
})
|
|
93
93
|
})
|
|
94
94
|
|
|
95
|
+
test('should set multiple cookies', (t) => {
|
|
96
|
+
t.plan(12)
|
|
97
|
+
const fastify = Fastify()
|
|
98
|
+
fastify.register(plugin)
|
|
99
|
+
|
|
100
|
+
fastify.get('/', (req, reply) => {
|
|
101
|
+
reply
|
|
102
|
+
.setCookie('foo', 'foo')
|
|
103
|
+
.cookie('bar', 'test', {
|
|
104
|
+
partitioned: true
|
|
105
|
+
})
|
|
106
|
+
.setCookie('wee', 'woo', {
|
|
107
|
+
partitioned: true,
|
|
108
|
+
secure: true
|
|
109
|
+
})
|
|
110
|
+
.send({ hello: 'world' })
|
|
111
|
+
})
|
|
112
|
+
|
|
113
|
+
fastify.inject({
|
|
114
|
+
method: 'GET',
|
|
115
|
+
url: '/'
|
|
116
|
+
}, (err, res) => {
|
|
117
|
+
t.error(err)
|
|
118
|
+
t.equal(res.statusCode, 200)
|
|
119
|
+
t.same(JSON.parse(res.body), { hello: 'world' })
|
|
120
|
+
|
|
121
|
+
const cookies = res.cookies
|
|
122
|
+
t.equal(cookies.length, 3)
|
|
123
|
+
t.equal(cookies[0].name, 'foo')
|
|
124
|
+
t.equal(cookies[0].value, 'foo')
|
|
125
|
+
t.equal(cookies[1].name, 'bar')
|
|
126
|
+
t.equal(cookies[1].value, 'test')
|
|
127
|
+
t.equal(cookies[2].name, 'wee')
|
|
128
|
+
t.equal(cookies[2].value, 'woo')
|
|
129
|
+
|
|
130
|
+
t.equal(res.headers['set-cookie'][1], 'bar=test; Partitioned')
|
|
131
|
+
t.equal(res.headers['set-cookie'][2], 'wee=woo; Secure; Partitioned')
|
|
132
|
+
})
|
|
133
|
+
})
|
|
134
|
+
|
|
135
|
+
test('should set multiple cookies (an array already exists)', (t) => {
|
|
136
|
+
t.plan(10)
|
|
137
|
+
const fastify = Fastify()
|
|
138
|
+
fastify.register(plugin)
|
|
139
|
+
|
|
140
|
+
fastify.get('/test1', (req, reply) => {
|
|
141
|
+
reply
|
|
142
|
+
.header('Set-Cookie', ['bar=bar'])
|
|
143
|
+
.setCookie('foo', 'foo', { path: '/' })
|
|
144
|
+
.setCookie('foo', 'foo', { path: '/path' })
|
|
145
|
+
.send({ hello: 'world' })
|
|
146
|
+
})
|
|
147
|
+
|
|
148
|
+
fastify.inject({
|
|
149
|
+
method: 'GET',
|
|
150
|
+
url: '/test1'
|
|
151
|
+
}, (err, res) => {
|
|
152
|
+
t.error(err)
|
|
153
|
+
t.equal(res.statusCode, 200)
|
|
154
|
+
t.same(JSON.parse(res.body), { hello: 'world' })
|
|
155
|
+
|
|
156
|
+
const cookies = res.cookies
|
|
157
|
+
t.equal(cookies.length, 3)
|
|
158
|
+
t.equal(cookies[0].name, 'bar')
|
|
159
|
+
t.equal(cookies[0].value, 'bar')
|
|
160
|
+
t.equal(cookies[0].path, undefined)
|
|
161
|
+
|
|
162
|
+
t.equal(cookies[1].name, 'foo')
|
|
163
|
+
t.equal(cookies[1].value, 'foo')
|
|
164
|
+
t.equal(cookies[2].path, '/path')
|
|
165
|
+
})
|
|
166
|
+
})
|
|
167
|
+
|
|
95
168
|
test('cookies get set correctly with millisecond dates', (t) => {
|
|
96
169
|
t.plan(8)
|
|
97
170
|
const fastify = Fastify()
|
package/types/plugin.d.ts
CHANGED
|
@@ -65,11 +65,7 @@ declare module "fastify" {
|
|
|
65
65
|
* @param value Cookie value
|
|
66
66
|
* @param options Serialize options
|
|
67
67
|
*/
|
|
68
|
-
setCookie
|
|
69
|
-
name: string,
|
|
70
|
-
value: string,
|
|
71
|
-
options?: fastifyCookie.CookieSerializeOptions
|
|
72
|
-
): this;
|
|
68
|
+
setCookie: setCookieWrapper;
|
|
73
69
|
|
|
74
70
|
/**
|
|
75
71
|
* @alias setCookie
|
|
@@ -125,9 +121,9 @@ declare namespace fastifyCookie {
|
|
|
125
121
|
httpOnly?: boolean;
|
|
126
122
|
/** A `number` in seconds that specifies the `Expires` attribute by adding the specified seconds to the current date. If both `expires` and `maxAge` are set, then `expires` is used. */
|
|
127
123
|
maxAge?: number;
|
|
124
|
+
partitioned?: boolean;
|
|
128
125
|
/** The `Path` attribute. Defaults to `/` (the root path). */
|
|
129
126
|
path?: string;
|
|
130
|
-
priority?: "low" | "medium" | "high";
|
|
131
127
|
/** A `boolean` or one of the `SameSite` string attributes. E.g.: `lax`, `none` or `strict`. */
|
|
132
128
|
sameSite?: 'lax' | 'none' | 'strict' | boolean;
|
|
133
129
|
/** The `boolean` value of the `Secure` attribute. Set this option to false when communicating over an unencrypted (HTTP) connection. Value can be set to `auto`; in this case the `Secure` attribute will be set to false for HTTP request, in case of HTTPS it will be set to true. Defaults to true. */
|
|
@@ -139,6 +135,10 @@ declare namespace fastifyCookie {
|
|
|
139
135
|
signed?: boolean;
|
|
140
136
|
}
|
|
141
137
|
|
|
138
|
+
export interface ParseOptions {
|
|
139
|
+
decode?: (encodedURIComponent: string) => string;
|
|
140
|
+
}
|
|
141
|
+
|
|
142
142
|
type HookType = 'onRequest' | 'preParsing' | 'preValidation' | 'preHandler' | 'preSerialization';
|
|
143
143
|
|
|
144
144
|
export interface FastifyCookieOptions {
|
|
@@ -162,6 +162,8 @@ declare namespace fastifyCookie {
|
|
|
162
162
|
export const unsign: Unsign;
|
|
163
163
|
|
|
164
164
|
export interface FastifyCookie extends FastifyCookiePlugin {
|
|
165
|
+
parse: (cookieHeader: string, opts?: ParseOptions) => { [key: string]: string };
|
|
166
|
+
serialize: (name: string, value: string, opts?: SerializeOptions) => string;
|
|
165
167
|
signerFactory: SignerFactory;
|
|
166
168
|
Signer: Signer;
|
|
167
169
|
sign: Sign;
|
package/types/plugin.test-d.ts
CHANGED
|
@@ -172,6 +172,7 @@ const parseOptions: fastifyCookieStar.CookieSerializeOptions = {
|
|
|
172
172
|
sameSite: 'lax',
|
|
173
173
|
secure: true,
|
|
174
174
|
signed: true,
|
|
175
|
+
partitioned: false,
|
|
175
176
|
};
|
|
176
177
|
expectType<fastifyCookieStar.CookieSerializeOptions>(parseOptions);
|
|
177
178
|
|
|
@@ -231,3 +232,6 @@ appWithHook.register(cookie, { hook: 'preSerialization' });
|
|
|
231
232
|
appWithHook.register(cookie, { hook: 'preValidation' });
|
|
232
233
|
expectError(appWithHook.register(cookie, { hook: true }));
|
|
233
234
|
expectError(appWithHook.register(cookie, { hook: 'false' }));
|
|
235
|
+
|
|
236
|
+
expectType<(cookieHeader: string, opts?: fastifyCookieStar.ParseOptions) => { [key: string]: string }>(fastifyCookieDefault.parse);
|
|
237
|
+
expectType<(name: string, value: string, opts?: fastifyCookieStar.SerializeOptions) => string>(fastifyCookieDefault.serialize);
|