@remix-run/cookie 0.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Michael Jackson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,94 @@
+# @remix-run/cookie
+
+Simplify HTTP cookie management in JavaScript with type-safe, secure cookie handling. `@remix-run/cookie` provides a clean, intuitive API for creating, parsing, and serializing HTTP cookies with built-in support for signing, secret rotation, and comprehensive cookie attribute management.
+
+HTTP cookies are essential for web applications, from session management and user preferences to authentication tokens and tracking. While the standard cookie parsing libraries provide basic functionality, they often leave complex scenarios like secure signing, secret rotation, and type-safe value handling up to you.
+
+## Features
+
+- **Secure Cookie Signing:** Built-in cryptographic signing using HMAC-SHA256 to prevent cookie tampering, with support for secret rotation without breaking existing cookies.
+- **Secret Rotation Support:** Seamlessly rotate signing secrets while maintaining backward compatibility with existing cookies.
+- **Comprehensive Cookie Attributes:** Full support for all standard cookie attributes including `Path`, `Domain`, `Secure`, `HttpOnly`, `SameSite`, `Max-Age`, and `Expires`.
+- **Reusable Cookie Containers:** Create logical cookie containers that can be used to parse and serialize multiple values over time.
+- **Web Standards Compliant:** Built on Web Crypto API and standard cookie parsing, making it runtime-agnostic (Node.js, Bun, Deno, Cloudflare Workers).
+
+## Installation
+
+```sh
+npm install @remix-run/cookie
+```
+
+## Usage
+
+```tsx
+import { Cookie } from '@remix-run/cookie'
+
+let sessionCookie = new Cookie('session')
+
+// Get the value of the "session" cookie from the request's `Cookie` header
+let value = await sessionCookie.parse(request.headers.get('Cookie'))
+
+// Set the value of the cookie in a Response's `Set-Cookie` header
+let response = new Response('Hello, world!', {
+  headers: {
+    'Set-Cookie': await sessionCookie.serialize(value),
+  },
+})
+```
+
+### Signing Cookies
+
+This library supports signing cookies, which is useful for ensuring the integrity of the cookie value and preventing tampering. Signing happens automatically when you provide a `secrets` option to the `Cookie` constructor.
+
+Secret rotation is also supported, so you can easily rotate in new secrets without breaking existing cookies.
+
+```tsx
+import { Cookie } from '@remix-run/cookie'
+
+// Start with a single secret
+let sessionCookie = new Cookie('session', {
+  secrets: ['secret1'],
+})
+
+console.log(sessionCookie.isSigned) // true
+
+let response = new Response('Hello, world!', {
+  headers: {
+    'Set-Cookie': await sessionCookie.serialize(value),
+  },
+})
+```
+
+All cookies sent in this scenario will be signed with the secret `secret1`. Later, when it's time to rotate secrets, add a new secret to the beginning of the array and all existing cookies will still be able to be parsed.
+
+```tsx
+let sessionCookie = new Cookie('session', {
+  secrets: ['secret2', 'secret1'],
+})
+
+// This will still work for cookies signed with the old secret
+let value = await sessionCookie.parse(request.headers.get('Cookie'))
+```
+
+### Custom Encoding
+
+By default, the library will use `encodeURIComponent` and `decodeURIComponent` to encode and decode the cookie value. This is suitable for most use cases, but you can provide your own functions to customize the encoding and decoding of the cookie value.
+
+```tsx
+let sessionCookie = new Cookie('session', {
+  encode: (value) => value,
+  decode: (value) => value,
+})
+```
+
+This can be useful for viewing the value of cookies in a human-readable format in the browser's developer tools. But you should be sure that the cookie value contains only characters that are [valid in a cookie value](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#attributes).
+
+## Related Packages
+
+- [`headers`](https://github.com/remix-run/remix/tree/main/packages/headers) - Type-safe HTTP header manipulation
+- [`fetch-router`](https://github.com/remix-run/remix/tree/main/packages/fetch-router) - Build HTTP routers using the web fetch API
+- [`node-fetch-server`](https://github.com/remix-run/remix/tree/main/packages/node-fetch-server) - Build HTTP servers on Node.js using the web fetch API
+
+## License
+
+See [LICENSE](https://github.com/remix-run/remix/blob/main/LICENSE)

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export { type CookieOptions, Cookie } from './lib/cookie.ts';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,aAAa,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAA"}

package/dist/index.js

@@ -0,0 +1 @@
+export { Cookie } from "./lib/cookie.js";

package/dist/lib/cookie.d.ts

@@ -0,0 +1,57 @@
+import { type CookieProperties } from '@remix-run/headers';
+export interface CookieOptions {
+    /**
+     * A function that decodes the cookie value.
+     *
+     * Defaults to `decodeURIComponent`, which decodes any URL-encoded sequences into their original
+     * characters.
+     *
+     * See [RFC 6265](https://tools.ietf.org/html/rfc6265#section-4.1.1) for more details.
+     */
+    decode?: (value: string) => string;
+    /**
+     * A function that encodes the cookie value.
+     *
+     * Defaults to `encodeURIComponent`, which percent-encodes all characters that are not allowed
+     * in a cookie value.
+     *
+     * See [RFC 6265](https://tools.ietf.org/html/rfc6265#section-4.1.1) for more details.
+     */
+    encode?: (value: string) => string;
+    /**
+     * An array of secrets that may be used to sign/unsign the value of a cookie.
+     *
+     * The array makes it easy to rotate secrets. New secrets should be added to
+     * the beginning of the array. `cookie.serialize()` will always use the first
+     * value in the array, but `cookie.parse()` may use any of them so that
+     * cookies that were signed with older secrets still work.
+     */
+    secrets?: string[];
+}
+/**
+ * A container for metadata about a HTTP cookie; its name and secrets that may be used
+ * to sign/unsign the value of the cookie to ensure it's not tampered with.
+ */
+export declare class Cookie {
+    #private;
+    readonly name: string;
+    constructor(name: string, options?: CookieOptions);
+    /**
+     * True if this cookie uses one or more secrets for verification.
+     */
+    get isSigned(): boolean;
+    /**
+     * Extracts the value of this cookie from a `Cookie` header value.
+     * @param headerValue The value of the `Cookie` header to parse
+     * @returns The value of this cookie, or `null` if it's not present
+     */
+    parse(headerValue: string | null): Promise<string | null>;
+    /**
+     * Returns the value to use in a `Set-Cookie` header for this cookie.
+     * @param value The value to serialize
+     * @param props (optional) Additional properties to use when serializing the cookie
+     * @returns The value to use in a `Set-Cookie` header for this cookie
+     */
+    serialize(value: string, props?: CookieProperties): Promise<string>;
+}
+//# sourceMappingURL=cookie.d.ts.map

package/dist/lib/cookie.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookie.d.ts","sourceRoot":"","sources":["../../src/lib/cookie.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,gBAAgB,EACtB,MAAM,oBAAoB,CAAA;AAI3B,MAAM,WAAW,aAAa;IAC5B;;;;;;;OAOG;IACH,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,CAAA;IAClC;;;;;;;OAOG;IACH,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,CAAA;IAClC;;;;;;;OAOG;IACH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;CACnB;AAED;;;GAGG;AACH,qBAAa,MAAM;;IACjB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;gBAKT,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,aAAa;IAOjD;;OAEG;IACH,IAAI,QAAQ,IAAI,OAAO,CAEtB;IAED;;;;OAIG;IACG,KAAK,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAa/D;;;;;OAKG;IACG,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC;CAY1E"}

package/dist/lib/cookie.js

@@ -0,0 +1,147 @@
+import { Cookie as CookieHeader, SetCookie as SetCookieHeader, } from '@remix-run/headers';
+import { sign, unsign } from "./crypto.js";
+/**
+ * A container for metadata about a HTTP cookie; its name and secrets that may be used
+ * to sign/unsign the value of the cookie to ensure it's not tampered with.
+ */
+export class Cookie {
+    name;
+    #decode;
+    #encode;
+    #secrets;
+    constructor(name, options) {
+        this.name = name;
+        this.#decode = options?.decode;
+        this.#encode = options?.encode;
+        this.#secrets = options?.secrets ?? [];
+    }
+    /**
+     * True if this cookie uses one or more secrets for verification.
+     */
+    get isSigned() {
+        return this.#secrets.length > 0;
+    }
+    /**
+     * Extracts the value of this cookie from a `Cookie` header value.
+     * @param headerValue The value of the `Cookie` header to parse
+     * @returns The value of this cookie, or `null` if it's not present
+     */
+    async parse(headerValue) {
+        if (!headerValue)
+            return null;
+        let header = new CookieHeader(headerValue);
+        if (!header.has(this.name))
+            return null;
+        let value = header.get(this.name);
+        if (value === '')
+            return '';
+        let decoded = await decodeCookieValue(value, this.#secrets, this.#decode);
+        return decoded;
+    }
+    /**
+     * Returns the value to use in a `Set-Cookie` header for this cookie.
+     * @param value The value to serialize
+     * @param props (optional) Additional properties to use when serializing the cookie
+     * @returns The value to use in a `Set-Cookie` header for this cookie
+     */
+    async serialize(value, props) {
+        let header = new SetCookieHeader({
+            name: this.name,
+            value: value === '' ? '' : await encodeCookieValue(value, this.#secrets, this.#encode),
+            // sane defaults
+            path: '/',
+            sameSite: 'Lax',
+            ...props,
+        });
+        return header.toString();
+    }
+}
+async function encodeCookieValue(value, secrets, encode = encodeURIComponent) {
+    let encoded = encodeValue(value, encode);
+    if (secrets.length > 0) {
+        encoded = await sign(encoded, secrets[0]);
+    }
+    return encoded;
+}
+function encodeValue(value, encode) {
+    return btoa(myUnescape(encode(value)));
+}
+async function decodeCookieValue(value, secrets, decode = decodeURIComponent) {
+    if (secrets.length > 0) {
+        for (let secret of secrets) {
+            let unsignedValue = await unsign(value, secret);
+            if (unsignedValue !== false) {
+                return decodeValue(unsignedValue, decode);
+            }
+        }
+        return null;
+    }
+    return decodeValue(value, decode);
+}
+function decodeValue(value, decode) {
+    try {
+        return decode(myEscape(atob(value)));
+    }
+    catch {
+        return null;
+    }
+}
+// See: https://github.com/zloirock/core-js/blob/master/packages/core-js/modules/es.escape.js
+function myEscape(value) {
+    let str = value.toString();
+    let result = '';
+    let index = 0;
+    let chr, code;
+    while (index < str.length) {
+        chr = str.charAt(index++);
+        if (/[\w*+\-./@]/.exec(chr)) {
+            result += chr;
+        }
+        else {
+            code = chr.charCodeAt(0);
+            if (code < 256) {
+                result += '%' + hex(code, 2);
+            }
+            else {
+                result += '%u' + hex(code, 4).toUpperCase();
+            }
+        }
+    }
+    return result;
+}
+function hex(code, length) {
+    let result = code.toString(16);
+    while (result.length < length)
+        result = '0' + result;
+    return result;
+}
+// See: https://github.com/zloirock/core-js/blob/master/packages/core-js/modules/es.unescape.js
+function myUnescape(value) {
+    let str = value.toString();
+    let result = '';
+    let index = 0;
+    let chr, part;
+    while (index < str.length) {
+        chr = str.charAt(index++);
+        if (chr === '%') {
+            if (str.charAt(index) === 'u') {
+                part = str.slice(index + 1, index + 5);
+                if (/^[\da-f]{4}$/i.exec(part)) {
+                    result += String.fromCharCode(parseInt(part, 16));
+                    index += 5;
+                    continue;
+                }
+            }
+            else {
+                part = str.slice(index, index + 2);
+                if (/^[\da-f]{2}$/i.exec(part)) {
+                    result += String.fromCharCode(parseInt(part, 16));
+                    index += 2;
+                    continue;
+                }
+            }
+        }
+        result += chr;
+    }
+    return result;
+}

package/dist/lib/crypto.d.ts

@@ -0,0 +1,3 @@
+export declare function sign(value: string, secret: string): Promise<string>;
+export declare function unsign(cookie: string, secret: string): Promise<string | false>;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/lib/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/lib/crypto.ts"],"names":[],"mappings":"AAEA,wBAAsB,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAOzE;AAED,wBAAsB,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,KAAK,CAAC,CAmBpF"}

package/dist/lib/crypto.js

@@ -0,0 +1,36 @@
+const encoder = new TextEncoder();
+export async function sign(value, secret) {
+    let data = encoder.encode(value);
+    let key = await createKey(secret, ['sign']);
+    let signature = await crypto.subtle.sign('HMAC', key, data);
+    let hash = btoa(String.fromCharCode(...new Uint8Array(signature))).replace(/=+$/, '');
+    return value + '.' + hash;
+}
+export async function unsign(cookie, secret) {
+    let index = cookie.lastIndexOf('.');
+    let value = cookie.slice(0, index);
+    let hash = cookie.slice(index + 1);
+    let data = encoder.encode(value);
+    let key = await createKey(secret, ['verify']);
+    try {
+        let signature = byteStringToUint8Array(atob(hash));
+        let valid = await crypto.subtle.verify('HMAC', key, signature, data);
+        return valid ? value : false;
+    }
+    catch (error) {
+        // atob will throw a DOMException with name === 'InvalidCharacterError'
+        // if the signature contains a non-base64 character, which should just
+        // be treated as an invalid signature.
+        return false;
+    }
+}
+async function createKey(secret, usages) {
+    return crypto.subtle.importKey('raw', encoder.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, usages);
+}
+function byteStringToUint8Array(byteString) {
+    let array = new Uint8Array(byteString.length);
+    for (let i = 0; i < byteString.length; i++) {
+        array[i] = byteString.charCodeAt(i);
+    }
+    return array;
+}

package/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "@remix-run/cookie",
+  "version": "0.0.0",
+  "description": "A toolkit for working with cookies in JavaScript",
+  "author": "Michael Jackson <mjijackson@gmail.com>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/remix-run/remix.git",
+    "directory": "packages/cookie"
+  },
+  "homepage": "https://github.com/remix-run/remix/tree/main/packages/cookie#readme",
+  "files": [
+    "LICENSE",
+    "README.md",
+    "dist",
+    "src",
+    "!src/**/*.test.ts"
+  ],
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "devDependencies": {
+    "@types/node": "^24.6.0"
+  },
+  "peerDependencies": {
+    "@remix-run/headers": "0.14.0"
+  },
+  "keywords": [
+    "http",
+    "cookie",
+    "cookies",
+    "http-cookies",
+    "set-cookie"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "clean": "git clean -fdX",
+    "test": "node --disable-warning=ExperimentalWarning --test './src/**/*.test.ts'",
+    "typecheck": "tsc --noEmit"
+  }
+}

package/src/index.ts

@@ -0,0 +1 @@
+export { type CookieOptions, Cookie } from './lib/cookie.ts'

package/src/lib/cookie.ts

@@ -0,0 +1,202 @@
+import {
+  Cookie as CookieHeader,
+  SetCookie as SetCookieHeader,
+  type CookieProperties,
+} from '@remix-run/headers'
+
+import { sign, unsign } from './crypto.ts'
+
+export interface CookieOptions {
+  /**
+   * A function that decodes the cookie value.
+   *
+   * Defaults to `decodeURIComponent`, which decodes any URL-encoded sequences into their original
+   * characters.
+   *
+   * See [RFC 6265](https://tools.ietf.org/html/rfc6265#section-4.1.1) for more details.
+   */
+  decode?: (value: string) => string
+  /**
+   * A function that encodes the cookie value.
+   *
+   * Defaults to `encodeURIComponent`, which percent-encodes all characters that are not allowed
+   * in a cookie value.
+   *
+   * See [RFC 6265](https://tools.ietf.org/html/rfc6265#section-4.1.1) for more details.
+   */
+  encode?: (value: string) => string
+  /**
+   * An array of secrets that may be used to sign/unsign the value of a cookie.
+   *
+   * The array makes it easy to rotate secrets. New secrets should be added to
+   * the beginning of the array. `cookie.serialize()` will always use the first
+   * value in the array, but `cookie.parse()` may use any of them so that
+   * cookies that were signed with older secrets still work.
+   */
+  secrets?: string[]
+}
+
+/**
+ * A container for metadata about a HTTP cookie; its name and secrets that may be used
+ * to sign/unsign the value of the cookie to ensure it's not tampered with.
+ */
+export class Cookie {
+  readonly name: string
+  readonly #decode?: (value: string) => string
+  readonly #encode?: (value: string) => string
+  readonly #secrets: string[]
+
+  constructor(name: string, options?: CookieOptions) {
+    this.name = name
+    this.#decode = options?.decode
+    this.#encode = options?.encode
+    this.#secrets = options?.secrets ?? []
+  }
+
+  /**
+   * True if this cookie uses one or more secrets for verification.
+   */
+  get isSigned(): boolean {
+    return this.#secrets.length > 0
+  }
+
+  /**
+   * Extracts the value of this cookie from a `Cookie` header value.
+   * @param headerValue The value of the `Cookie` header to parse
+   * @returns The value of this cookie, or `null` if it's not present
+   */
+  async parse(headerValue: string | null): Promise<string | null> {
+    if (!headerValue) return null
+
+    let header = new CookieHeader(headerValue)
+    if (!header.has(this.name)) return null
+
+    let value = header.get(this.name)!
+    if (value === '') return ''
+
+    let decoded = await decodeCookieValue(value, this.#secrets, this.#decode)
+    return decoded
+  }
+
+  /**
+   * Returns the value to use in a `Set-Cookie` header for this cookie.
+   * @param value The value to serialize
+   * @param props (optional) Additional properties to use when serializing the cookie
+   * @returns The value to use in a `Set-Cookie` header for this cookie
+   */
+  async serialize(value: string, props?: CookieProperties): Promise<string> {
+    let header = new SetCookieHeader({
+      name: this.name,
+      value: value === '' ? '' : await encodeCookieValue(value, this.#secrets, this.#encode),
+      // sane defaults
+      path: '/',
+      sameSite: 'Lax',
+      ...props,
+    })
+
+    return header.toString()
+  }
+}
+
+async function encodeCookieValue(
+  value: string,
+  secrets: string[],
+  encode: (value: string) => string = encodeURIComponent,
+): Promise<string> {
+  let encoded = encodeValue(value, encode)
+
+  if (secrets.length > 0) {
+    encoded = await sign(encoded, secrets[0])
+  }
+
+  return encoded
+}
+
+function encodeValue(value: string, encode: (value: string) => string): string {
+  return btoa(myUnescape(encode(value)))
+}
+
+async function decodeCookieValue(
+  value: string,
+  secrets: string[],
+  decode: (value: string) => string = decodeURIComponent,
+): Promise<string | null> {
+  if (secrets.length > 0) {
+    for (let secret of secrets) {
+      let unsignedValue = await unsign(value, secret)
+      if (unsignedValue !== false) {
+        return decodeValue(unsignedValue, decode)
+      }
+    }
+
+    return null
+  }
+
+  return decodeValue(value, decode)
+}
+
+function decodeValue(value: string, decode: (value: string) => string): string | null {
+  try {
+    return decode(myEscape(atob(value)))
+  } catch {
+    return null
+  }
+}
+
+// See: https://github.com/zloirock/core-js/blob/master/packages/core-js/modules/es.escape.js
+function myEscape(value: string): string {
+  let str = value.toString()
+  let result = ''
+  let index = 0
+  let chr, code
+  while (index < str.length) {
+    chr = str.charAt(index++)
+    if (/[\w*+\-./@]/.exec(chr)) {
+      result += chr
+    } else {
+      code = chr.charCodeAt(0)
+      if (code < 256) {
+        result += '%' + hex(code, 2)
+      } else {
+        result += '%u' + hex(code, 4).toUpperCase()
+      }
+    }
+  }
+  return result
+}
+
+function hex(code: number, length: number): string {
+  let result = code.toString(16)
+  while (result.length < length) result = '0' + result
+  return result
+}
+
+// See: https://github.com/zloirock/core-js/blob/master/packages/core-js/modules/es.unescape.js
+function myUnescape(value: string): string {
+  let str = value.toString()
+  let result = ''
+  let index = 0
+  let chr, part
+  while (index < str.length) {
+    chr = str.charAt(index++)
+    if (chr === '%') {
+      if (str.charAt(index) === 'u') {
+        part = str.slice(index + 1, index + 5)
+        if (/^[\da-f]{4}$/i.exec(part)) {
+          result += String.fromCharCode(parseInt(part, 16))
+          index += 5
+          continue
+        }
+      } else {
+        part = str.slice(index, index + 2)
+        if (/^[\da-f]{2}$/i.exec(part)) {
+          result += String.fromCharCode(parseInt(part, 16))
+          index += 2
+          continue
+        }
+      }
+    }
+    result += chr
+  }
+  return result
+}

package/src/lib/crypto.ts

@@ -0,0 +1,51 @@
+const encoder = new TextEncoder()
+
+export async function sign(value: string, secret: string): Promise<string> {
+  let data = encoder.encode(value)
+  let key = await createKey(secret, ['sign'])
+  let signature = await crypto.subtle.sign('HMAC', key, data)
+  let hash = btoa(String.fromCharCode(...new Uint8Array(signature))).replace(/=+$/, '')
+
+  return value + '.' + hash
+}
+
+export async function unsign(cookie: string, secret: string): Promise<string | false> {
+  let index = cookie.lastIndexOf('.')
+  let value = cookie.slice(0, index)
+  let hash = cookie.slice(index + 1)
+
+  let data = encoder.encode(value)
+
+  let key = await createKey(secret, ['verify'])
+  try {
+    let signature = byteStringToUint8Array(atob(hash))
+    let valid = await crypto.subtle.verify('HMAC', key, signature, data)
+
+    return valid ? value : false
+  } catch (error: unknown) {
+    // atob will throw a DOMException with name === 'InvalidCharacterError'
+    // if the signature contains a non-base64 character, which should just
+    // be treated as an invalid signature.
+    return false
+  }
+}
+
+async function createKey(secret: string, usages: CryptoKey['usages']): Promise<CryptoKey> {
+  return crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    usages,
+  )
+}
+
+function byteStringToUint8Array(byteString: string): Uint8Array {
+  let array = new Uint8Array(byteString.length)
+
+  for (let i = 0; i < byteString.length; i++) {
+    array[i] = byteString.charCodeAt(i)
+  }
+
+  return array
+}