@fastify/cookie 9.3.1 → 10.0.0-pre.fv5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -17,7 +17,7 @@ on:
17
17
 
18
18
  jobs:
19
19
  test:
20
- uses: fastify/workflows/.github/workflows/plugins-ci.yml@v3
20
+ uses: fastify/workflows/.github/workflows/plugins-ci.yml@v4.2.1
21
21
  with:
22
22
  license-check: true
23
23
  lint: true
package/README.md CHANGED
@@ -96,8 +96,16 @@ fastify.get('/', (req, reply) => {
96
96
  - An `Array` can be passed if key rotation is desired. Read more about it in [Rotating signing secret](#rotating-secret).
97
97
  - More sophisticated cookie signing mechanisms can be implemented by supplying an `Object`. Read more about it in [Custom cookie signer](#custom-cookie-signer).
98
98
 
99
+ - `hook`: the [Fastify Hook](https://fastify.dev/docs/latest/Reference/Lifecycle/#lifecycle) to register the parsing of cookie into. Default: `onRequest`.
100
+
101
+ - `algorithm`: the [algorithm](https://nodejs.org/api/crypto.html#cryptogethashes) to use to sign the cookies. Default: `sha256`.
102
+
99
103
  - `parseOptions`: An `Object` to modify the serialization of set cookies.
100
104
 
105
+ ### :warning: Security Considerations :warning:
106
+
107
+ It is recommended to use `sha256` or stronger hashing algorithm as well as a `secret` that is at least 20 bytes long.
108
+
101
109
  #### parseOptions
102
110
 
103
111
  ##### domain
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@fastify/cookie",
3
- "version": "9.3.1",
3
+ "version": "10.0.0-pre.fv5.1",
4
4
  "description": "Plugin for fastify to add support for cookies",
5
5
  "main": "plugin.js",
6
6
  "type": "commonjs",
@@ -40,19 +40,19 @@
40
40
  },
41
41
  "homepage": "https://github.com/fastify/fastify-cookie#readme",
42
42
  "devDependencies": {
43
- "@fastify/pre-commit": "^2.0.2",
44
- "@types/node": "^20.1.0",
43
+ "@fastify/pre-commit": "^2.1.0",
44
+ "@types/node": "^20.11.6",
45
45
  "benchmark": "^2.1.4",
46
- "fastify": "^4.0.0",
47
- "sinon": "^17.0.0",
46
+ "fastify": "^5.0.0-alpha.3",
47
+ "sinon": "^18.0.0",
48
48
  "snazzy": "^9.0.0",
49
- "standard": "^17.0.0",
50
- "tap": "^16.0.0",
51
- "tsd": "^0.30.0"
49
+ "standard": "^17.1.0",
50
+ "tap": "^18.6.1",
51
+ "tsd": "^0.30.4"
52
52
  },
53
53
  "dependencies": {
54
- "fastify-plugin": "^4.0.0",
55
- "cookie-signature": "^1.1.0"
54
+ "fastify-plugin": "^5.0.0-pre.fv5.1",
55
+ "cookie-signature": "^1.2.1"
56
56
  },
57
57
  "tsd": {
58
58
  "directory": "test"
package/plugin.js CHANGED
@@ -11,7 +11,7 @@ const kReplySetCookiesHookRan = Symbol('fastify.reply.setCookiesHookRan')
11
11
  function fastifyCookieSetCookie (reply, name, value, options) {
12
12
  parseCookies(reply.server, reply.request, reply)
13
13
 
14
- const opts = Object.assign({}, options)
14
+ const opts = Object.assign({ sameSite: 'lax' }, options)
15
15
 
16
16
  if (opts.expires && Number.isInteger(opts.expires)) {
17
17
  opts.expires = new Date(opts.expires)
@@ -22,10 +22,9 @@ function fastifyCookieSetCookie (reply, name, value, options) {
22
22
  }
23
23
 
24
24
  if (opts.secure === 'auto') {
25
- if (isConnectionSecure(reply.request)) {
25
+ if (reply.request.protocol === 'https') {
26
26
  opts.secure = true
27
27
  } else {
28
- opts.sameSite = 'lax'
29
28
  opts.secure = false
30
29
  }
31
30
  }
@@ -45,6 +44,7 @@ function fastifyCookieClearCookie (reply, name, options) {
45
44
  signed: undefined,
46
45
  maxAge: undefined
47
46
  })
47
+
48
48
  return fastifyCookieSetCookie(reply, name, '', opts)
49
49
  }
50
50
 
@@ -187,13 +187,6 @@ function getHook (hook = 'onRequest') {
187
187
  return hooks[hook]
188
188
  }
189
189
 
190
- function isConnectionSecure (request) {
191
- return (
192
- request.raw.socket?.encrypted === true ||
193
- request.headers['x-forwarded-proto'] === 'https'
194
- )
195
- }
196
-
197
190
  const fastifyCookie = fp(plugin, {
198
191
  fastify: '4.x',
199
192
  name: '@fastify/cookie'
@@ -127,8 +127,8 @@ test('should set multiple cookies', (t) => {
127
127
  t.equal(cookies[2].name, 'wee')
128
128
  t.equal(cookies[2].value, 'woo')
129
129
 
130
- t.equal(res.headers['set-cookie'][1], 'bar=test; Partitioned')
131
- t.equal(res.headers['set-cookie'][2], 'wee=woo; Secure; Partitioned')
130
+ t.equal(res.headers['set-cookie'][1], 'bar=test; Partitioned; SameSite=Lax')
131
+ t.equal(res.headers['set-cookie'][2], 'wee=woo; Secure; Partitioned; SameSite=Lax')
132
132
  })
133
133
  })
134
134
 
@@ -854,7 +854,7 @@ test('create signed cookie manually using signCookie decorator', async (t) => {
854
854
  })
855
855
 
856
856
  test('handle secure:auto of cookieOptions', async (t) => {
857
- const fastify = Fastify()
857
+ const fastify = Fastify({ trustProxy: true })
858
858
 
859
859
  await fastify.register(plugin)
860
860
 
@@ -957,7 +957,7 @@ test('result in an error if hook-option is set to an invalid value', (t) => {
957
957
  const fastify = Fastify()
958
958
 
959
959
  t.rejects(
960
- () => fastify.register(plugin, { hook: true }),
960
+ async () => fastify.register(plugin, { hook: true }),
961
961
  new Error("@fastify/cookie: Invalid value provided for the hook-option. You can set the hook-option only to false, 'onRequest' , 'preParsing' , 'preValidation' or 'preHandler'")
962
962
  )
963
963
  })
package/types/plugin.d.ts CHANGED
@@ -115,25 +115,26 @@ declare namespace fastifyCookie {
115
115
  domain?: string;
116
116
  /** Specifies a function that will be used to encode a cookie's value. Since value of a cookie has a limited character set (and must be a simple string), this function can be used to encode a value into a string suited for a cookie's value. */
117
117
  encode?(val: string): string;
118
- /** The expiration `date` used for the `Expires` attribute. If both `expires` and `maxAge` are set, then `expires` is used. */
118
+ /** The expiration `date` used for the `Expires` attribute. */
119
119
  expires?: Date;
120
- /** The `boolean` value of the `HttpOnly` attribute. Defaults to true. */
120
+ /** Add the `HttpOnly` attribute. Defaults to `false`. */
121
121
  httpOnly?: boolean;
122
- /** A `number` in seconds that specifies the `Expires` attribute by adding the specified seconds to the current date. If both `expires` and `maxAge` are set, then `expires` is used. */
122
+ /** A `number` in seconds that specifies the `Max-Age` attribute. */
123
123
  maxAge?: number;
124
124
  /** A `boolean` indicating whether the cookie is tied to the top-level site where it's initially set and cannot be accessed from elsewhere. */
125
125
  partitioned?: boolean;
126
- /** The `Path` attribute. Defaults to `/` (the root path). */
126
+ /** The `Path` attribute. */
127
127
  path?: string;
128
128
  /** A `boolean` or one of the `SameSite` string attributes. E.g.: `lax`, `none` or `strict`. */
129
129
  sameSite?: 'lax' | 'none' | 'strict' | boolean;
130
130
  /** One of the `Priority` string attributes (`low`, `medium` or `high`) specifying a retention priority for HTTP cookies that will be respected by user agents during cookie eviction. */
131
131
  priority?: 'low' | 'medium' | 'high';
132
- /** The `boolean` value of the `Secure` attribute. Set this option to false when communicating over an unencrypted (HTTP) connection. Value can be set to `auto`; in this case the `Secure` attribute will be set to false for HTTP request, in case of HTTPS it will be set to true. Defaults to true. */
132
+ /** Add the `Secure` attribute. Defaults to `false`. */
133
133
  secure?: boolean;
134
134
  }
135
135
 
136
136
  export interface CookieSerializeOptions extends Omit<SerializeOptions, 'secure'> {
137
+ /** Add the `Secure` attribute. Value can be set to `"auto"`; in this case the `Secure` attribute will only be added for HTTPS requests. Defaults to `false`. */
137
138
  secure?: boolean | 'auto';
138
139
  signed?: boolean;
139
140
  }
@@ -154,10 +155,14 @@ declare namespace fastifyCookie {
154
155
  export type Unsign = (input: string, secret: string | Buffer, algorithm?: string) => UnsignResult;
155
156
  export type SignerFactory = (secrets: string | string[] | Buffer | Buffer[], algorithm?: string) => SignerBase;
156
157
 
157
- export interface UnsignResult {
158
- valid: boolean;
158
+ export type UnsignResult = {
159
+ valid: true;
159
160
  renew: boolean;
160
- value: string | null;
161
+ value: string;
162
+ } | {
163
+ valid: false;
164
+ renew: false;
165
+ value: null;
161
166
  }
162
167
 
163
168
  export const signerFactory: SignerFactory;
@@ -150,11 +150,15 @@ appWithRotationSecret.register(cookie, {
150
150
  appWithRotationSecret.after(() => {
151
151
  server.get('/', (request, reply) => {
152
152
  reply.unsignCookie(request.cookies.test!);
153
- const { valid, renew, value } = reply.unsignCookie('test');
153
+ const unsigned = reply.unsignCookie('test');
154
154
 
155
- expectType<boolean>(valid);
156
- expectType<boolean>(renew);
157
- expectType<string | null>(value);
155
+ expectType<boolean>(unsigned.valid);
156
+ if (unsigned.valid) {
157
+ expectType<string>(unsigned.value);
158
+ } else {
159
+ expectType<null>(unsigned.value);
160
+ }
161
+ expectType<boolean>(unsigned.renew);
158
162
 
159
163
  reply.send({ hello: 'world' });
160
164
  });
@@ -182,11 +186,15 @@ appWithParseOptions.register(cookie, {
182
186
  });
183
187
  appWithParseOptions.after(() => {
184
188
  server.get('/', (request, reply) => {
185
- const { valid, renew, value } = reply.unsignCookie(request.cookies.test!);
189
+ const unsigned = reply.unsignCookie(request.cookies.test!);
186
190
 
187
- expectType<boolean>(valid);
188
- expectType<boolean>(renew);
189
- expectType<string | null>(value);
191
+ expectType<boolean>(unsigned.valid);
192
+ if (unsigned.valid) {
193
+ expectType<string>(unsigned.value);
194
+ } else {
195
+ expectType<null>(unsigned.value);
196
+ }
197
+ expectType<boolean>(unsigned.renew);
190
198
  });
191
199
  });
192
200
 
@@ -204,11 +212,15 @@ appWithCustomSigner.register(cookie, {
204
212
  appWithCustomSigner.after(() => {
205
213
  server.get('/', (request, reply) => {
206
214
  reply.unsignCookie(request.cookies.test!)
207
- const { valid, renew, value } = reply.unsignCookie('test')
215
+ const unsigned = reply.unsignCookie('test')
208
216
 
209
- expectType<boolean>(valid)
210
- expectType<boolean>(renew)
211
- expectType<string | null>(value)
217
+ expectType<boolean>(unsigned.valid);
218
+ if (unsigned.valid) {
219
+ expectType<string>(unsigned.value);
220
+ } else {
221
+ expectType<null>(unsigned.value);
222
+ }
223
+ expectType<boolean>(unsigned.renew);
212
224
 
213
225
  reply.send({ hello: 'world' })
214
226
  })