@fastify/cookie 9.1.0 → 9.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/.gitattributes ADDED
@@ -0,0 +1,2 @@
1
+ # Set default behavior to automatically convert line endings
2
+ * text=auto eol=lf
package/README.md CHANGED
@@ -4,13 +4,15 @@
4
4
  [![NPM version](https://img.shields.io/npm/v/@fastify/cookie.svg?style=flat)](https://www.npmjs.com/package/@fastify/cookie)
5
5
  [![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg?style=flat)](https://standardjs.com/)
6
6
 
7
- A plugin for [Fastify](http://fastify.io/) that adds support for reading and
7
+ A plugin for [Fastify](http://fastify.dev/) that adds support for reading and
8
8
  setting cookies.
9
9
 
10
10
  This plugin's cookie parsing works via Fastify's `onRequest` hook. Therefore,
11
11
  you should register it prior to any other `onRequest` hooks that will depend
12
12
  upon this plugin's actions.
13
13
 
14
+ It is also possible to [import the low-level cookie parsing and serialization functions](#importing-serialize-and-parse).
15
+
14
16
  `@fastify/cookie` [v2.x](https://github.com/fastify/fastify-cookie/tree/v2.x)
15
17
  supports both Fastify@1 and Fastify@2.
16
18
  `@fastify/cookie` v3 only supports Fastify@2.
@@ -70,6 +72,23 @@ app.register(cookie, {
70
72
  } as FastifyCookieOptions)
71
73
  ```
72
74
 
75
+ ## Importing `serialize` and `parse`
76
+
77
+ ```js
78
+ const { serialize, parse } = require('@fastify/cookie')
79
+ const fastify = require('fastify')()
80
+
81
+ fastify.get('/', (req, reply) => {
82
+ const cookie = serialize('lang', 'en', {
83
+ maxAge: 60_000,
84
+ })
85
+
86
+ reply.header('Set-Cookie', cookie)
87
+
88
+ reply.send('Language set!')
89
+ })
90
+ ```
91
+
73
92
  ## Options
74
93
 
75
94
  - `secret` (`String` | `Array` | `Buffer` | `Object`):
@@ -77,7 +96,89 @@ app.register(cookie, {
77
96
  - An `Array` can be passed if key rotation is desired. Read more about it in [Rotating signing secret](#rotating-secret).
78
97
  - More sophisticated cookie signing mechanisms can be implemented by supplying an `Object`. Read more about it in [Custom cookie signer](#custom-cookie-signer).
79
98
 
80
- - `parseOptions`: An `Object` to pass as options to [cookie parse](https://github.com/jshttp/cookie#cookieparsestr-options).
99
+ - `parseOptions`: An `Object` to modify the serialization of set cookies.
100
+
101
+ #### parseOptions
102
+
103
+ ##### domain
104
+
105
+ Specifies the value for the [`Domain` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.3). By default, no
106
+ domain is set, and most clients will consider the cookie to apply to only the current domain.
107
+
108
+ ##### encode
109
+
110
+ Specifies a function that will be used to encode a cookie's value. Since value of a cookie
111
+ has a limited character set (and must be a simple string), this function can be used to encode
112
+ a value into a string suited for a cookie's value.
113
+
114
+ The default function is the global `encodeURIComponent`, which will encode a JavaScript string
115
+ into UTF-8 byte sequences and then URL-encode any that fall outside of the cookie range.
116
+
117
+ ##### expires
118
+
119
+ Specifies the `Date` object to be the value for the [`Expires` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.1).
120
+ By default, no expiration is set, and most clients will consider this a "non-persistent cookie" and
121
+ will delete it on a condition like exiting a web browser application.
122
+
123
+ **Note:** the [cookie storage model specification](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) states that if both `expires` and
124
+ `maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,
125
+ so if both are set, they should point to the same date and time.
126
+
127
+ ##### httpOnly
128
+
129
+ Specifies the `boolean` value for the [`HttpOnly` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.6). When truthy,
130
+ the `HttpOnly` attribute is set, otherwise it is not. By default, the `HttpOnly` attribute is not set.
131
+
132
+ **Note:** be careful when setting this to `true`, as compliant clients will not allow client-side
133
+ JavaScript to see the cookie in `document.cookie`.
134
+
135
+ ##### maxAge
136
+
137
+ Specifies the `number` (in seconds) to be the value for the [`Max-Age` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.2).
138
+ The given number will be converted to an integer by rounding down. By default, no maximum age is set.
139
+
140
+ **Note:** the [cookie storage model specification](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3) states that if both `expires` and
141
+ `maxAge` are set, then `maxAge` takes precedence, but it is possible not all clients by obey this,
142
+ so if both are set, they should point to the same date and time.
143
+
144
+ ##### partitioned
145
+
146
+ Specifies the `boolean` value for the [`Partitioned` `Set-Cookie`](https://datatracker.ietf.org/doc/html/draft-cutler-httpbis-partitioned-cookies#section-2.1)
147
+ attribute. When truthy, the `Partitioned` attribute is set, otherwise it is not. By default, the
148
+ `Partitioned` attribute is not set.
149
+
150
+ ⚠️ **Warning:** [This is an attribute that has not yet been fully standardized](https://github.com/fastify/fastify-cookie/pull/261#issuecomment-1803234334), and may change in the future without reflecting the semver versioning. This also means many clients may ignore the attribute until they understand it.
151
+
152
+ More information about can be found in [the proposal](https://github.com/privacycg/CHIPS).
153
+
154
+ ##### path
155
+
156
+ Specifies the value for the [`Path` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.4). By default, the path
157
+ is considered the ["default path"](https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.4).
158
+
159
+ ##### sameSite
160
+
161
+ Specifies the `boolean` or `string` to be the value for the [`SameSite` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7).
162
+
163
+ - `true` will set the `SameSite` attribute to `Strict` for strict same site enforcement.
164
+ - `false` will not set the `SameSite` attribute.
165
+ - `'lax'` will set the `SameSite` attribute to `Lax` for lax same site enforcement.
166
+ - `'none'` will set the `SameSite` attribute to `None` for an explicit cross-site cookie.
167
+ - `'strict'` will set the `SameSite` attribute to `Strict` for strict same site enforcement.
168
+
169
+ More information about the different enforcement levels can be found in
170
+ [the specification](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-09#section-5.4.7).
171
+
172
+ **Note:** This is an attribute that has not yet been fully standardized, and may change in the future.
173
+ This also means many clients may ignore this attribute until they understand it.
174
+
175
+ ##### secure
176
+
177
+ Specifies the `boolean` value for the [`Secure` `Set-Cookie` attribute](https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.5). When truthy,
178
+ the `Secure` attribute is set, otherwise it is not. By default, the `Secure` attribute is not set.
179
+
180
+ **Note:** be careful when setting this to `true`, as compliant clients will not send the cookie back to
181
+ the server in the future if the browser does not have an HTTPS connection.
81
182
 
82
183
  ## API
83
184
 
package/cookie.js ADDED
@@ -0,0 +1,227 @@
1
+ /*!
2
+ * Adapted from https://github.com/jshttp/cookie
3
+ *
4
+ * (The MIT License)
5
+ *
6
+ * Copyright (c) 2012-2014 Roman Shtylman <shtylman@gmail.com>
7
+ * Copyright (c) 2015 Douglas Christopher Wilson <doug@somethingdoug.com>
8
+ *
9
+ * Permission is hereby granted, free of charge, to any person obtaining
10
+ * a copy of this software and associated documentation files (the
11
+ * 'Software'), to deal in the Software without restriction, including
12
+ * without limitation the rights to use, copy, modify, merge, publish,
13
+ * distribute, sublicense, and/or sell copies of the Software, and to
14
+ * permit persons to whom the Software is furnished to do so, subject to
15
+ * the following conditions:
16
+ *
17
+ * The above copyright notice and this permission notice shall be
18
+ * included in all copies or substantial portions of the Software.
19
+ *
20
+ * THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
21
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
23
+ * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
24
+ * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
25
+ * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
26
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
27
+ */
28
+
29
+ 'use strict'
30
+
31
+ /**
32
+ * RegExp to match field-content in RFC 7230 sec 3.2
33
+ *
34
+ * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
35
+ * field-vchar = VCHAR / obs-text
36
+ * obs-text = %x80-FF
37
+ */
38
+
39
+ const fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/ // eslint-disable-line
40
+
41
+ /**
42
+ * Parse a cookie header.
43
+ *
44
+ * Parse the given cookie header string into an object
45
+ * The object has the various cookies as keys(names) => values
46
+ *
47
+ * @param {string} str
48
+ * @param {object} [opt]
49
+ * @return {object}
50
+ * @public
51
+ */
52
+
53
+ function parse (str, opt) {
54
+ if (typeof str !== 'string') {
55
+ throw new TypeError('argument str must be a string')
56
+ }
57
+
58
+ const dec = opt?.decode || decodeURIComponent
59
+ const result = {}
60
+
61
+ const strLen = str.length
62
+ let pos = 0
63
+ let terminatorPos = 0
64
+ while (true) {
65
+ if (terminatorPos === strLen) break
66
+ terminatorPos = str.indexOf(';', pos)
67
+ if (terminatorPos === -1) terminatorPos = strLen // This is the last pair
68
+
69
+ let eqIdx = str.indexOf('=', pos)
70
+ if (eqIdx === -1) break // No key-value pairs left
71
+ if (eqIdx > terminatorPos) {
72
+ // Malformed key-value pair
73
+ pos = terminatorPos + 1
74
+ continue
75
+ }
76
+
77
+ const key = str.substring(pos, eqIdx++).trim()
78
+ if (result[key] === undefined) {
79
+ const val = str.charCodeAt(eqIdx) === 0x22
80
+ ? str.substring(eqIdx + 1, terminatorPos - 1).trim()
81
+ : str.substring(eqIdx, terminatorPos).trim()
82
+
83
+ result[key] = !(dec === decodeURIComponent && val.indexOf('%') === -1)
84
+ ? tryDecode(val, dec)
85
+ : val
86
+ }
87
+
88
+ pos = terminatorPos + 1
89
+ }
90
+
91
+ return result
92
+ }
93
+
94
+ /**
95
+ * Serialize data into a cookie header.
96
+ *
97
+ * Serialize the a name value pair into a cookie string suitable for
98
+ * http headers. An optional options object specified cookie parameters.
99
+ *
100
+ * serialize('foo', 'bar', { httpOnly: true })
101
+ * => "foo=bar; httpOnly"
102
+ *
103
+ * @param {string} name
104
+ * @param {string} val
105
+ * @param {object} [opt]
106
+ * @return {string}
107
+ * @public
108
+ */
109
+
110
+ function serialize (name, val, opt) {
111
+ const enc = opt?.encode || encodeURIComponent
112
+ if (typeof enc !== 'function') {
113
+ throw new TypeError('option encode is invalid')
114
+ }
115
+
116
+ if (name && !fieldContentRegExp.test(name)) {
117
+ throw new TypeError('argument name is invalid')
118
+ }
119
+
120
+ const value = enc(val)
121
+ if (value && !fieldContentRegExp.test(value)) {
122
+ throw new TypeError('argument val is invalid')
123
+ }
124
+
125
+ let str = name + '=' + value
126
+
127
+ if (opt == null) return str
128
+
129
+ if (opt.maxAge != null) {
130
+ const maxAge = +opt.maxAge
131
+
132
+ if (!isFinite(maxAge)) {
133
+ throw new TypeError('option maxAge is invalid')
134
+ }
135
+
136
+ str += '; Max-Age=' + Math.trunc(maxAge)
137
+ }
138
+
139
+ if (opt.domain) {
140
+ if (!fieldContentRegExp.test(opt.domain)) {
141
+ throw new TypeError('option domain is invalid')
142
+ }
143
+
144
+ str += '; Domain=' + opt.domain
145
+ }
146
+
147
+ if (opt.path) {
148
+ if (!fieldContentRegExp.test(opt.path)) {
149
+ throw new TypeError('option path is invalid')
150
+ }
151
+
152
+ str += '; Path=' + opt.path
153
+ }
154
+
155
+ if (opt.expires) {
156
+ if (typeof opt.expires.toUTCString !== 'function') {
157
+ throw new TypeError('option expires is invalid')
158
+ }
159
+
160
+ str += '; Expires=' + opt.expires.toUTCString()
161
+ }
162
+
163
+ if (opt.httpOnly) {
164
+ str += '; HttpOnly'
165
+ }
166
+
167
+ if (opt.secure) {
168
+ str += '; Secure'
169
+ }
170
+
171
+ // Draft implementation to support Chrome from 2024-Q1 forward.
172
+ // See https://datatracker.ietf.org/doc/html/draft-cutler-httpbis-partitioned-cookies#section-2.1
173
+ if (opt.partitioned) {
174
+ str += '; Partitioned'
175
+ }
176
+
177
+ if (opt.sameSite) {
178
+ const sameSite = typeof opt.sameSite === 'string'
179
+ ? opt.sameSite.toLowerCase()
180
+ : opt.sameSite
181
+
182
+ switch (sameSite) {
183
+ case true:
184
+ str += '; SameSite=Strict'
185
+ break
186
+ case 'lax':
187
+ str += '; SameSite=Lax'
188
+ break
189
+ case 'strict':
190
+ str += '; SameSite=Strict'
191
+ break
192
+ case 'none':
193
+ str += '; SameSite=None'
194
+ break
195
+ default:
196
+ throw new TypeError('option sameSite is invalid')
197
+ }
198
+ }
199
+
200
+ return str
201
+ }
202
+
203
+ /**
204
+ * Try decoding a string using a decoding function.
205
+ *
206
+ * @param {string} str
207
+ * @param {function} decode
208
+ * @returns {string}
209
+ * @private
210
+ */
211
+ function tryDecode (str, decode) {
212
+ try {
213
+ return decode(str)
214
+ } catch {
215
+ return str
216
+ }
217
+ }
218
+
219
+ /**
220
+ * Module exports.
221
+ * @public
222
+ */
223
+
224
+ module.exports = {
225
+ parse,
226
+ serialize
227
+ }
package/package.json CHANGED
@@ -1,8 +1,9 @@
1
1
  {
2
2
  "name": "@fastify/cookie",
3
- "version": "9.1.0",
3
+ "version": "9.3.0",
4
4
  "description": "Plugin for fastify to add support for cookies",
5
5
  "main": "plugin.js",
6
+ "type": "commonjs",
6
7
  "types": "types/plugin.d.ts",
7
8
  "scripts": {
8
9
  "coverage": "npm run test:unit -- --coverage-report=html",
@@ -43,15 +44,15 @@
43
44
  "@types/node": "^20.1.0",
44
45
  "benchmark": "^2.1.4",
45
46
  "fastify": "^4.0.0",
46
- "sinon": "^16.0.0",
47
+ "sinon": "^17.0.0",
47
48
  "snazzy": "^9.0.0",
48
49
  "standard": "^17.0.0",
49
50
  "tap": "^16.0.0",
50
- "tsd": "^0.29.0"
51
+ "tsd": "^0.30.0"
51
52
  },
52
53
  "dependencies": {
53
- "cookie": "^0.5.0",
54
- "fastify-plugin": "^4.0.0"
54
+ "fastify-plugin": "^4.0.0",
55
+ "cookie-signature": "^1.1.0"
55
56
  },
56
57
  "tsd": {
57
58
  "directory": "test"
package/plugin.js CHANGED
@@ -1,7 +1,7 @@
1
1
  'use strict'
2
2
 
3
3
  const fp = require('fastify-plugin')
4
- const cookie = require('cookie')
4
+ const cookie = require('./cookie')
5
5
 
6
6
  const { Signer, sign, unsign } = require('./signer')
7
7
 
@@ -70,32 +70,31 @@ function onReqHandlerWrapper (fastify, hook) {
70
70
  }
71
71
 
72
72
  function setCookies (reply) {
73
- let setCookie = reply.getHeader('Set-Cookie')
74
- const setCookieIsUndefined = setCookie === undefined
73
+ const setCookieHeaderValue = reply.getHeader('Set-Cookie')
74
+ let cookieValue
75
75
 
76
- /* istanbul ignore else */
77
- if (setCookieIsUndefined) {
76
+ if (setCookieHeaderValue === undefined) {
78
77
  if (reply[kReplySetCookies].size === 1) {
79
- for (const c of reply[kReplySetCookies].values()) {
80
- reply.header('Set-Cookie', cookie.serialize(c.name, c.value, c.opts))
81
- }
82
-
78
+ // Fast path for single cookie
79
+ const c = reply[kReplySetCookies].values().next().value
80
+ reply.header('Set-Cookie', cookie.serialize(c.name, c.value, c.opts))
83
81
  reply[kReplySetCookies].clear()
84
-
85
82
  return
86
83
  }
87
84
 
88
- setCookie = []
89
- } else if (typeof setCookie === 'string') {
90
- setCookie = [setCookie]
85
+ cookieValue = []
86
+ } else if (typeof setCookieHeaderValue === 'string') {
87
+ cookieValue = [setCookieHeaderValue]
88
+ } else {
89
+ cookieValue = setCookieHeaderValue
91
90
  }
92
91
 
93
92
  for (const c of reply[kReplySetCookies].values()) {
94
- setCookie.push(cookie.serialize(c.name, c.value, c.opts))
93
+ cookieValue.push(cookie.serialize(c.name, c.value, c.opts))
95
94
  }
96
95
 
97
- if (!setCookieIsUndefined) reply.removeHeader('Set-Cookie')
98
- reply.header('Set-Cookie', setCookie)
96
+ reply.removeHeader('Set-Cookie')
97
+ reply.header('Set-Cookie', cookieValue)
99
98
  reply[kReplySetCookies].clear()
100
99
  }
101
100
 
@@ -126,7 +125,7 @@ function plugin (fastify, options, next) {
126
125
  fastify.decorate('serializeCookie', cookie.serialize)
127
126
  fastify.decorate('parseCookie', parseCookie)
128
127
 
129
- if (typeof secret !== 'undefined') {
128
+ if (secret !== undefined) {
130
129
  fastify.decorate('signCookie', signCookie)
131
130
  fastify.decorate('unsignCookie', unsignCookie)
132
131
 
@@ -214,6 +213,9 @@ module.exports = fastifyCookie
214
213
  module.exports.default = fastifyCookie // supersedes fastifyCookie.default = fastifyCookie
215
214
  module.exports.fastifyCookie = fastifyCookie // supersedes fastifyCookie.fastifyCookie = fastifyCookie
216
215
 
216
+ module.exports.serialize = cookie.serialize
217
+ module.exports.parse = cookie.parse
218
+
217
219
  module.exports.signerFactory = Signer
218
220
  module.exports.Signer = Signer
219
221
  module.exports.sign = sign
package/signer.js CHANGED
@@ -8,7 +8,7 @@
8
8
 
9
9
  const crypto = require('node:crypto')
10
10
 
11
- const base64PaddingRE = /=/g
11
+ const base64PaddingRE = /=/gu
12
12
 
13
13
  function Signer (secrets, algorithm = 'sha256') {
14
14
  if (!(this instanceof Signer)) {
@@ -0,0 +1,205 @@
1
+ 'use strict'
2
+
3
+ const tap = require('tap')
4
+ const test = tap.test
5
+
6
+ const cookie = require('..')
7
+
8
+ test('parse: argument validation', (t) => {
9
+ t.plan(2)
10
+ t.throws(cookie.parse.bind(), /argument str must be a string/)
11
+ t.throws(cookie.parse.bind(null, 42), /argument str must be a string/)
12
+ t.end()
13
+ })
14
+
15
+ test('parse: basic', (t) => {
16
+ t.plan(2)
17
+ t.same(cookie.parse('foo=bar'), { foo: 'bar' })
18
+ t.same(cookie.parse('foo=123'), { foo: '123' })
19
+ t.end()
20
+ })
21
+
22
+ test('parse: ignore spaces', (t) => {
23
+ t.plan(1)
24
+ t.same(cookie.parse('FOO = bar; baz = raz'), { FOO: 'bar', baz: 'raz' })
25
+ t.end()
26
+ })
27
+
28
+ test('parse: escaping', (t) => {
29
+ t.plan(2)
30
+ t.same(cookie.parse('foo="bar=123456789&name=Magic+Mouse"'), { foo: 'bar=123456789&name=Magic+Mouse' })
31
+ t.same(cookie.parse('email=%20%22%2c%3b%2f'), { email: ' ",;/' })
32
+ t.end()
33
+ })
34
+
35
+ test('parse: ignore escaping error and return original value', (t) => {
36
+ t.plan(1)
37
+ t.same(cookie.parse('foo=%1;bar=bar'), { foo: '%1', bar: 'bar' })
38
+ t.end()
39
+ })
40
+
41
+ test('parse: ignore non values', (t) => {
42
+ t.plan(1)
43
+ t.same(cookie.parse('foo=%1;bar=bar;HttpOnly;Secure'),
44
+ { foo: '%1', bar: 'bar' })
45
+ t.end()
46
+ })
47
+
48
+ test('parse: unencoded', (t) => {
49
+ t.plan(2)
50
+ t.same(cookie.parse('foo="bar=123456789&name=Magic+Mouse"', {
51
+ decode: function (v) { return v }
52
+ }), { foo: 'bar=123456789&name=Magic+Mouse' })
53
+
54
+ t.same(cookie.parse('email=%20%22%2c%3b%2f', {
55
+ decode: function (v) { return v }
56
+ }), { email: '%20%22%2c%3b%2f' })
57
+ t.end()
58
+ })
59
+
60
+ test('parse: dates', (t) => {
61
+ t.plan(1)
62
+ t.same(cookie.parse('priority=true; expires=Wed, 29 Jan 2014 17:43:25 GMT; Path=/', {
63
+ decode: function (v) { return v }
64
+ }), { priority: 'true', Path: '/', expires: 'Wed, 29 Jan 2014 17:43:25 GMT' })
65
+ t.end()
66
+ })
67
+
68
+ test('parse: missing value', (t) => {
69
+ t.plan(1)
70
+ t.same(cookie.parse('foo; bar=1; fizz= ; buzz=2', {
71
+ decode: function (v) { return v }
72
+ }), { bar: '1', fizz: '', buzz: '2' })
73
+ t.end()
74
+ })
75
+
76
+ test('parse: assign only once', (t) => {
77
+ t.plan(3)
78
+ t.same(cookie.parse('foo=%1;bar=bar;foo=boo'), { foo: '%1', bar: 'bar' })
79
+ t.same(cookie.parse('foo=false;bar=bar;foo=true'), { foo: 'false', bar: 'bar' })
80
+ t.same(cookie.parse('foo=;bar=bar;foo=boo'), { foo: '', bar: 'bar' })
81
+ t.end()
82
+ })
83
+
84
+ test('serializer: basic', (t) => {
85
+ t.plan(6)
86
+ t.same(cookie.serialize('foo', 'bar'), 'foo=bar')
87
+ t.same(cookie.serialize('foo', 'bar baz'), 'foo=bar%20baz')
88
+ t.same(cookie.serialize('foo', ''), 'foo=')
89
+ t.throws(cookie.serialize.bind(cookie, 'foo\n', 'bar'), /argument name is invalid/)
90
+ t.throws(cookie.serialize.bind(cookie, 'foo\u280a', 'bar'), /argument name is invalid/)
91
+ t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', { encode: 42 }), /option encode is invalid/)
92
+ t.end()
93
+ })
94
+
95
+ test('serializer: path', (t) => {
96
+ t.plan(2)
97
+ t.same(cookie.serialize('foo', 'bar', { path: '/' }), 'foo=bar; Path=/')
98
+ t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
99
+ path: '/\n'
100
+ }), /option path is invalid/)
101
+ t.end()
102
+ })
103
+
104
+ test('serializer: secure', (t) => {
105
+ t.plan(2)
106
+ t.same(cookie.serialize('foo', 'bar', { secure: true }), 'foo=bar; Secure')
107
+ t.same(cookie.serialize('foo', 'bar', { secure: false }), 'foo=bar')
108
+ t.end()
109
+ })
110
+
111
+ test('serializer: domain', (t) => {
112
+ t.plan(2)
113
+ t.same(cookie.serialize('foo', 'bar', { domain: 'example.com' }), 'foo=bar; Domain=example.com')
114
+ t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
115
+ domain: 'example.com\n'
116
+ }), /option domain is invalid/)
117
+ t.end()
118
+ })
119
+
120
+ test('serializer: httpOnly', (t) => {
121
+ t.plan(1)
122
+ t.same(cookie.serialize('foo', 'bar', { httpOnly: true }), 'foo=bar; HttpOnly')
123
+ t.end()
124
+ })
125
+
126
+ test('serializer: maxAge', (t) => {
127
+ t.plan(9)
128
+ t.throws(function () {
129
+ cookie.serialize('foo', 'bar', {
130
+ maxAge: 'buzz'
131
+ })
132
+ }, /option maxAge is invalid/)
133
+
134
+ t.throws(function () {
135
+ cookie.serialize('foo', 'bar', {
136
+ maxAge: Infinity
137
+ })
138
+ }, /option maxAge is invalid/)
139
+
140
+ t.same(cookie.serialize('foo', 'bar', { maxAge: 1000 }), 'foo=bar; Max-Age=1000')
141
+ t.same(cookie.serialize('foo', 'bar', { maxAge: '1000' }), 'foo=bar; Max-Age=1000')
142
+ t.same(cookie.serialize('foo', 'bar', { maxAge: 0 }), 'foo=bar; Max-Age=0')
143
+ t.same(cookie.serialize('foo', 'bar', { maxAge: '0' }), 'foo=bar; Max-Age=0')
144
+ t.same(cookie.serialize('foo', 'bar', { maxAge: null }), 'foo=bar')
145
+ t.same(cookie.serialize('foo', 'bar', { maxAge: undefined }), 'foo=bar')
146
+ t.same(cookie.serialize('foo', 'bar', { maxAge: 3.14 }), 'foo=bar; Max-Age=3')
147
+ t.end()
148
+ })
149
+
150
+ test('serializer: expires', (t) => {
151
+ t.plan(2)
152
+ t.same(cookie.serialize('foo', 'bar', {
153
+ expires: new Date(Date.UTC(2000, 11, 24, 10, 30, 59, 900))
154
+ }), 'foo=bar; Expires=Sun, 24 Dec 2000 10:30:59 GMT')
155
+
156
+ t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
157
+ expires: Date.now()
158
+ }), /option expires is invalid/)
159
+ t.end()
160
+ })
161
+
162
+ test('sameSite', (t) => {
163
+ t.plan(9)
164
+ t.same(cookie.serialize('foo', 'bar', { sameSite: true }), 'foo=bar; SameSite=Strict')
165
+ t.same(cookie.serialize('foo', 'bar', { sameSite: 'Strict' }), 'foo=bar; SameSite=Strict')
166
+ t.same(cookie.serialize('foo', 'bar', { sameSite: 'strict' }), 'foo=bar; SameSite=Strict')
167
+ t.same(cookie.serialize('foo', 'bar', { sameSite: 'Lax' }), 'foo=bar; SameSite=Lax')
168
+ t.same(cookie.serialize('foo', 'bar', { sameSite: 'lax' }), 'foo=bar; SameSite=Lax')
169
+ t.same(cookie.serialize('foo', 'bar', { sameSite: 'None' }), 'foo=bar; SameSite=None')
170
+ t.same(cookie.serialize('foo', 'bar', { sameSite: 'none' }), 'foo=bar; SameSite=None')
171
+ t.same(cookie.serialize('foo', 'bar', { sameSite: false }), 'foo=bar')
172
+
173
+ t.throws(cookie.serialize.bind(cookie, 'foo', 'bar', {
174
+ sameSite: 'foo'
175
+ }), /option sameSite is invalid/)
176
+ t.end()
177
+ })
178
+
179
+ test('escaping', (t) => {
180
+ t.plan(1)
181
+ t.same(cookie.serialize('cat', '+ '), 'cat=%2B%20')
182
+ t.end()
183
+ })
184
+
185
+ test('parse->serialize', (t) => {
186
+ t.plan(2)
187
+ t.same(cookie.parse(cookie.serialize('cat', 'foo=123&name=baz five')),
188
+ { cat: 'foo=123&name=baz five' })
189
+
190
+ t.same(cookie.parse(cookie.serialize('cat', ' ";/')),
191
+ { cat: ' ";/' })
192
+ t.end()
193
+ })
194
+
195
+ test('unencoded', (t) => {
196
+ t.plan(2)
197
+ t.same(cookie.serialize('cat', '+ ', {
198
+ encode: function (value) { return value }
199
+ }), 'cat=+ ')
200
+
201
+ t.throws(cookie.serialize.bind(cookie, 'cat', '+ \n', {
202
+ encode: function (value) { return value }
203
+ }), /argument val is invalid/)
204
+ t.end()
205
+ })
@@ -92,6 +92,79 @@ test('should set multiple cookies', (t) => {
92
92
  })
93
93
  })
94
94
 
95
+ test('should set multiple cookies', (t) => {
96
+ t.plan(12)
97
+ const fastify = Fastify()
98
+ fastify.register(plugin)
99
+
100
+ fastify.get('/', (req, reply) => {
101
+ reply
102
+ .setCookie('foo', 'foo')
103
+ .cookie('bar', 'test', {
104
+ partitioned: true
105
+ })
106
+ .setCookie('wee', 'woo', {
107
+ partitioned: true,
108
+ secure: true
109
+ })
110
+ .send({ hello: 'world' })
111
+ })
112
+
113
+ fastify.inject({
114
+ method: 'GET',
115
+ url: '/'
116
+ }, (err, res) => {
117
+ t.error(err)
118
+ t.equal(res.statusCode, 200)
119
+ t.same(JSON.parse(res.body), { hello: 'world' })
120
+
121
+ const cookies = res.cookies
122
+ t.equal(cookies.length, 3)
123
+ t.equal(cookies[0].name, 'foo')
124
+ t.equal(cookies[0].value, 'foo')
125
+ t.equal(cookies[1].name, 'bar')
126
+ t.equal(cookies[1].value, 'test')
127
+ t.equal(cookies[2].name, 'wee')
128
+ t.equal(cookies[2].value, 'woo')
129
+
130
+ t.equal(res.headers['set-cookie'][1], 'bar=test; Partitioned')
131
+ t.equal(res.headers['set-cookie'][2], 'wee=woo; Secure; Partitioned')
132
+ })
133
+ })
134
+
135
+ test('should set multiple cookies (an array already exists)', (t) => {
136
+ t.plan(10)
137
+ const fastify = Fastify()
138
+ fastify.register(plugin)
139
+
140
+ fastify.get('/test1', (req, reply) => {
141
+ reply
142
+ .header('Set-Cookie', ['bar=bar'])
143
+ .setCookie('foo', 'foo', { path: '/' })
144
+ .setCookie('foo', 'foo', { path: '/path' })
145
+ .send({ hello: 'world' })
146
+ })
147
+
148
+ fastify.inject({
149
+ method: 'GET',
150
+ url: '/test1'
151
+ }, (err, res) => {
152
+ t.error(err)
153
+ t.equal(res.statusCode, 200)
154
+ t.same(JSON.parse(res.body), { hello: 'world' })
155
+
156
+ const cookies = res.cookies
157
+ t.equal(cookies.length, 3)
158
+ t.equal(cookies[0].name, 'bar')
159
+ t.equal(cookies[0].value, 'bar')
160
+ t.equal(cookies[0].path, undefined)
161
+
162
+ t.equal(cookies[1].name, 'foo')
163
+ t.equal(cookies[1].value, 'foo')
164
+ t.equal(cookies[2].path, '/path')
165
+ })
166
+ })
167
+
95
168
  test('cookies get set correctly with millisecond dates', (t) => {
96
169
  t.plan(8)
97
170
  const fastify = Fastify()
package/types/plugin.d.ts CHANGED
@@ -65,11 +65,7 @@ declare module "fastify" {
65
65
  * @param value Cookie value
66
66
  * @param options Serialize options
67
67
  */
68
- setCookie(
69
- name: string,
70
- value: string,
71
- options?: fastifyCookie.CookieSerializeOptions
72
- ): this;
68
+ setCookie: setCookieWrapper;
73
69
 
74
70
  /**
75
71
  * @alias setCookie
@@ -125,9 +121,9 @@ declare namespace fastifyCookie {
125
121
  httpOnly?: boolean;
126
122
  /** A `number` in seconds that specifies the `Expires` attribute by adding the specified seconds to the current date. If both `expires` and `maxAge` are set, then `expires` is used. */
127
123
  maxAge?: number;
124
+ partitioned?: boolean;
128
125
  /** The `Path` attribute. Defaults to `/` (the root path). */
129
126
  path?: string;
130
- priority?: "low" | "medium" | "high";
131
127
  /** A `boolean` or one of the `SameSite` string attributes. E.g.: `lax`, `none` or `strict`. */
132
128
  sameSite?: 'lax' | 'none' | 'strict' | boolean;
133
129
  /** The `boolean` value of the `Secure` attribute. Set this option to false when communicating over an unencrypted (HTTP) connection. Value can be set to `auto`; in this case the `Secure` attribute will be set to false for HTTP request, in case of HTTPS it will be set to true. Defaults to true. */
@@ -139,6 +135,10 @@ declare namespace fastifyCookie {
139
135
  signed?: boolean;
140
136
  }
141
137
 
138
+ export interface ParseOptions {
139
+ decode?: (encodedURIComponent: string) => string;
140
+ }
141
+
142
142
  type HookType = 'onRequest' | 'preParsing' | 'preValidation' | 'preHandler' | 'preSerialization';
143
143
 
144
144
  export interface FastifyCookieOptions {
@@ -162,6 +162,8 @@ declare namespace fastifyCookie {
162
162
  export const unsign: Unsign;
163
163
 
164
164
  export interface FastifyCookie extends FastifyCookiePlugin {
165
+ parse: (cookieHeader: string, opts?: ParseOptions) => { [key: string]: string };
166
+ serialize: (name: string, value: string, opts?: SerializeOptions) => string;
165
167
  signerFactory: SignerFactory;
166
168
  Signer: Signer;
167
169
  sign: Sign;
@@ -172,6 +172,7 @@ const parseOptions: fastifyCookieStar.CookieSerializeOptions = {
172
172
  sameSite: 'lax',
173
173
  secure: true,
174
174
  signed: true,
175
+ partitioned: false,
175
176
  };
176
177
  expectType<fastifyCookieStar.CookieSerializeOptions>(parseOptions);
177
178
 
@@ -231,3 +232,6 @@ appWithHook.register(cookie, { hook: 'preSerialization' });
231
232
  appWithHook.register(cookie, { hook: 'preValidation' });
232
233
  expectError(appWithHook.register(cookie, { hook: true }));
233
234
  expectError(appWithHook.register(cookie, { hook: 'false' }));
235
+
236
+ expectType<(cookieHeader: string, opts?: fastifyCookieStar.ParseOptions) => { [key: string]: string }>(fastifyCookieDefault.parse);
237
+ expectType<(name: string, value: string, opts?: fastifyCookieStar.SerializeOptions) => string>(fastifyCookieDefault.serialize);