@sveltejs/kit 1.0.0-next.482 → 1.0.0-next.484

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sveltejs/kit",
-  "version": "1.0.0-next.482",
+  "version": "1.0.0-next.484",
   "repository": {
     "type": "git",
     "url": "https://github.com/sveltejs/kit",
@@ -11,6 +11,7 @@
   "type": "module",
   "dependencies": {
     "@sveltejs/vite-plugin-svelte": "^1.0.5",
+    "@types/cookie": "^0.5.1",
     "cookie": "^0.5.0",
     "devalue": "^3.1.2",
     "kleur": "^4.1.4",
@@ -26,7 +27,6 @@
   "devDependencies": {
     "@playwright/test": "^1.25.0",
     "@types/connect": "^3.4.35",
-    "@types/cookie": "^0.5.1",
     "@types/marked": "^4.0.3",
     "@types/mime": "^3.0.0",
     "@types/node": "^16.11.36",
@@ -38,7 +38,7 @@
     "svelte-preprocess": "^4.10.6",
     "typescript": "^4.8.2",
     "uvu": "^0.5.3",
-    "vite": "^3.1.0"
+    "vite": "^3.1.1"
   },
   "peerDependencies": {
     "svelte": "^3.44.0",

package/src/core/sync/write_types/index.js

@@ -68,7 +68,7 @@ export async function write_types(config, manifest_data, file) {
 		return;
 	}
 
-	const id = path.relative(config.kit.files.routes, path.dirname(file));
+	const id = path.posix.relative(config.kit.files.routes, path.dirname(file));
 
 	const route = manifest_data.routes.find((route) => route.id === id);
 	if (!route) return; // this shouldn't ever happen

package/src/runtime/server/cookie.js

@@ -1,49 +1,76 @@
-import * as cookie from 'cookie';
+import { parse, serialize } from 'cookie';
+
+/** @type {import('cookie').CookieSerializeOptions} */
+const DEFAULT_SERIALIZE_OPTIONS = {
+	httpOnly: true,
+	secure: true,
+	sameSite: 'lax'
+};
 
 /**
  * @param {Request} request
  * @param {URL} url
  */
 export function get_cookies(request, url) {
-	const initial_cookies = cookie.parse(request.headers.get('cookie') ?? '');
-
-	/** @type {Array<{ name: string, value: string, options: import('cookie').CookieSerializeOptions }>} */
-	const new_cookies = [];
+	/** @type {Map<string, import('./page/types').Cookie>} */
+	const new_cookies = new Map();
 
 	/** @type {import('types').Cookies} */
 	const cookies = {
-		get(name, opts) {
-			const decode = opts?.decode || decodeURIComponent;
-
-			let i = new_cookies.length;
-			while (i--) {
-				const cookie = new_cookies[i];
+		// The JSDoc param annotations appearing below for get, set and delete
+		// are necessary to expose the `cookie` library types to
+		// typescript users. `@type {import('types').Cookies}` above is not
+		// sufficient to do so.
 
-				if (
-					cookie.name === name &&
-					domain_matches(url.hostname, cookie.options.domain) &&
-					path_matches(url.pathname, cookie.options.path)
-				) {
-					return cookie.value;
-				}
+		/**
+		 * @param {string} name
+		 * @param {import('cookie').CookieParseOptions} opts
+		 */
+		get(name, opts) {
+			const c = new_cookies.get(name);
+			if (
+				c &&
+				domain_matches(url.hostname, c.options.domain) &&
+				path_matches(url.pathname, c.options.path)
+			) {
+				return c.value;
 			}
 
-			return name in initial_cookies ? decode(initial_cookies[name]) : undefined;
+			const decode = opts?.decode || decodeURIComponent;
+			const req_cookies = parse(request.headers.get('cookie') ?? '', { decode });
+			return req_cookies[name]; // the decoded string or undefined
 		},
-		set(name, value, options = {}) {
-			new_cookies.push({
+
+		/**
+		 * @param {string} name
+		 * @param {string} value
+		 * @param {import('cookie').CookieSerializeOptions} opts
+		 */
+		set(name, value, opts = {}) {
+			new_cookies.set(name, {
 				name,
 				value,
 				options: {
-					httpOnly: true,
-					secure: true,
-					...options
+					...DEFAULT_SERIALIZE_OPTIONS,
+					...opts
 				}
 			});
 		},
-		delete(name) {
-			new_cookies.push({ name, value: '', options: { expires: new Date(0) } });
-			delete initial_cookies[name];
+
+		/**
+		 * @param {string} name
+		 * @param {import('cookie').CookieSerializeOptions} opts
+		 */
+		delete(name, opts = {}) {
+			new_cookies.set(name, {
+				name,
+				value: '',
+				options: {
+					...DEFAULT_SERIALIZE_OPTIONS,
+					...opts,
+					maxAge: 0
+				}
+			});
 		}
 	};
 
@@ -75,3 +102,14 @@ export function path_matches(path, constraint) {
 	if (path === normalized) return true;
 	return path.startsWith(normalized + '/');
 }
+
+/**
+ * @param {Headers} headers
+ * @param {import('./page/types').Cookie[]} cookies
+ */
+export function add_cookies_to_headers(headers, cookies) {
+	for (const new_cookie of cookies) {
+		const { name, value, options } = new_cookie;
+		headers.append('set-cookie', serialize(name, value, options));
+	}
+}

package/src/runtime/server/index.js

@@ -1,4 +1,3 @@
-import * as cookie from 'cookie';
 import { render_endpoint } from './endpoint.js';
 import { render_page } from './page/index.js';
 import { render_response } from './page/render.js';
@@ -9,7 +8,7 @@ import { decode_params, disable_search, normalize_path } from '../../utils/url.j
 import { exec } from '../../utils/routing.js';
 import { render_data } from './data/index.js';
 import { DATA_SUFFIX } from '../../constants.js';
-import { get_cookies } from './cookie.js';
+import { add_cookies_to_headers, get_cookies } from './cookie.js';
 import { HttpError } from '../control.js';
 
 /* global __SVELTEKIT_ADAPTER_NAME__ */
@@ -246,12 +245,7 @@ export async function respond(request, options, state) {
 					}
 				}
 
-				for (const new_cookie of new_cookies) {
-					response.headers.append(
-						'set-cookie',
-						cookie.serialize(new_cookie.name, new_cookie.value, new_cookie.options)
-					);
-				}
+				add_cookies_to_headers(response.headers, Array.from(new_cookies.values()));
 
 				return response;
 			}

package/src/runtime/server/page/fetch.js

@@ -19,7 +19,7 @@ export function create_fetch({ event, options, state, route, prerender_default,
 
 	const initial_cookies = cookie.parse(event.request.headers.get('cookie') || '');
 
-	/** @type {import('set-cookie-parser').Cookie[]} */
+	/** @type {import('./types').Cookie[]} */
 	const set_cookies = [];
 
 	/**
@@ -31,8 +31,8 @@ export function create_fetch({ event, options, state, route, prerender_default,
 		const new_cookies = {};
 
 		for (const cookie of set_cookies) {
-			if (!domain_matches(url.hostname, cookie.domain)) continue;
-			if (!path_matches(url.pathname, cookie.path)) continue;
+			if (!domain_matches(url.hostname, cookie.options.domain)) continue;
+			if (!path_matches(url.pathname, cookie.options.path)) continue;
 
 			new_cookies[cookie.name] = cookie.value;
 		}
@@ -179,9 +179,11 @@ export function create_fetch({ event, options, state, route, prerender_default,
 		const set_cookie = response.headers.get('set-cookie');
 		if (set_cookie) {
 			set_cookies.push(
-				...set_cookie_parser
-					.splitCookiesString(set_cookie)
-					.map((str) => set_cookie_parser.parseString(str))
+				...set_cookie_parser.splitCookiesString(set_cookie).map((str) => {
+					const { name, value, ...options } = set_cookie_parser.parseString(str);
+					// options.sameSite is string, something more specific is required - type cast is safe
+					return /** @type{import('./types').Cookie} */ ({ name, value, options });
+				})
 			);
 		}
 

package/src/runtime/server/page/index.js

@@ -217,7 +217,7 @@ export async function render_page(event, route, page, options, state, resolve_op
 							});
 						}
 
-						return redirect_response(err.status, err.location);
+						return redirect_response(err.status, err.location, cookies);
 					}
 
 					const status = err instanceof HttpError ? err.status : 500;

package/src/runtime/server/page/render.js

@@ -1,10 +1,10 @@
 import { devalue } from 'devalue';
 import { readable, writable } from 'svelte/store';
-import * as cookie from 'cookie';
 import { hash } from '../../hash.js';
 import { serialize_data } from './serialize_data.js';
 import { s } from '../../../utils/misc.js';
 import { Csp } from './csp.js';
+import { add_cookies_to_headers } from '../cookie.js';
 
 // TODO rename this function/module
 
@@ -18,7 +18,7 @@ const updated = {
  * @param {{
  *   branch: Array<import('./types').Loaded>;
  *   fetched: Array<import('./types').Fetched>;
- *   cookies: import('set-cookie-parser').Cookie[];
+ *   cookies: import('./types').Cookie[];
  *   options: import('types').SSROptions;
  *   state: import('types').SSRState;
  *   page_config: { ssr: boolean; csr: boolean };
@@ -328,11 +328,7 @@ export async function render_response({
 			headers.set('content-security-policy-report-only', report_only_header);
 		}
 
-		for (const new_cookie of cookies) {
-			const { name, value, ...options } = new_cookie;
-			// @ts-expect-error
-			headers.append('set-cookie', cookie.serialize(name, value, options));
-		}
+		add_cookies_to_headers(headers, cookies);
 
 		if (link_header_preloads.size) {
 			headers.set('link', Array.from(link_header_preloads).join(', '));

package/src/runtime/server/page/types.d.ts

@@ -1,5 +1,5 @@
+import { CookieSerializeOptions } from 'cookie';
 import { SSRNode, CspDirectives } from 'types';
-import { HttpError } from '../../control.js';
 
 export interface Fetched {
 	url: string;
@@ -33,3 +33,9 @@ export interface CspOpts {
 	dev: boolean;
 	prerender: boolean;
 }
+
+export interface Cookie {
+	name: string;
+	value: string;
+	options: CookieSerializeOptions;
+}

package/src/runtime/server/utils.js

@@ -2,6 +2,7 @@ import { devalue } from 'devalue';
 import { DATA_SUFFIX } from '../../constants.js';
 import { negotiate } from '../../utils/http.js';
 import { HttpError } from '../control.js';
+import { add_cookies_to_headers } from './cookie.js';
 
 /** @param {any} body */
 export function is_pojo(body) {
@@ -169,10 +170,13 @@ export function handle_error_and_jsonify(event, options, error) {
 /**
  * @param {number} status
  * @param {string} location
+ * @param {import('./page/types.js').Cookie[]} [cookies]
  */
-export function redirect_response(status, location) {
-	return new Response(undefined, {
+export function redirect_response(status, location, cookies = []) {
+	const response = new Response(undefined, {
 		status,
 		headers: { location }
 	});
+	add_cookies_to_headers(response.headers, cookies);
+	return response;
 }

package/types/index.d.ts

@@ -128,21 +128,21 @@ export interface Cookies {
 	/**
 	 * Gets a cookie that was previously set with `cookies.set`, or from the request headers.
 	 */
-	get(name: string, opts?: import('cookie').CookieParseOptions): string | undefined;
+	get(name: string, opts?: import('cookie').CookieParseOptions): string | void;
 
 	/**
-	 * Sets a cookie. This will add a `set-cookie` header to the response, but also make
-	 * the cookie available via `cookies.get` during the current request.
+	 * Sets a cookie. This will add a `set-cookie` header to the response, but also make the cookie available via `cookies.get` during the current request.
 	 *
-	 * The `httpOnly` and `secure` options are `true` by default, and must be explicitly
-	 * disabled if you want cookies to be readable by client-side JavaScript and/or transmitted over HTTP
+	 * The `httpOnly` and `secure` options are `true` by default, and must be explicitly disabled if you want cookies to be readable by client-side JavaScript and/or transmitted over HTTP. The `sameSite` option defaults to `lax`.
+	 *
+	 * By default, the `path` of a cookie is the 'directory' of the current pathname. In most cases you should explicitly set `path: '/'` to make the cookie available throughout your app.
 	 */
 	set(name: string, value: string, opts?: import('cookie').CookieSerializeOptions): void;
 
 	/**
 	 * Deletes a cookie by setting its value to an empty string and setting the expiry date in the past.
 	 */
-	delete(name: string): void;
+	delete(name: string, opts?: import('cookie').CookieSerializeOptions): void;
 }
 
 export interface KitConfig {