@vandenberghinc/volt 1.2.2 → 1.2.4

package/backend/dist/cjs/backend/src/stream.js

@@ -1237,31 +1237,110 @@ class Stream {
   remove_headers(...names) {
     return this.remove_header(...names);
   }
-  // Set a cookie.
   /**
-   * Set a cookie that will be sent with the response.
+   * Set a cookie to be sent with the response.
+   *
+   * Accepts either:
+   * 1) a pre-built cookie header string (used as-is, no validation), or
+   * 2) a structured object describing the cookie, from which a standards-compliant
+   *    cookie string will be generated.
+   *
+   * If a cookie with the same name already exists in the pending response list,
+   * it will be replaced.
+   *
+   * @warning Cookies are only included in the response when using `send()`,
+   *          `success()` or `error()`.
    *
-   * @warning Will only be added to the response when the user uses `send()`, `success()` or `error()`.
-   * @param cookie The cookie string.
    * @example
    * ```ts
-   * stream.set_cookie("MyCookie=Hello World;");
+   * stream.set_cookie("sid=abc123; Path=/; SameSite=Lax; Secure; HttpOnly");
+   *
+   * stream.set_cookie({
+   *   name: "sid",
+   *   value: session_id,
+   *   http_only: true,
+   *   secure: true,
+   *   same_site: "Lax",
+   *   path: "/",
+   *   max_age: 60 * 60 * 24 * 14,
+   * });
    * ```
-   * @docs
    */
   set_cookie(cookie) {
-    cookie = cookie.trim();
-    const name_end = cookie.indexOf("=");
+    if (typeof cookie === "string") {
+      const cookie_str2 = cookie.trim();
+      const name_end2 = cookie_str2.indexOf("=");
+      if (name_end2 !== -1) {
+        const name2 = cookie_str2.substring(0, name_end2);
+        for (let i = 0; i < this.res_cookies.length; i++) {
+          if (this.res_cookies[i].startsWith(name2)) {
+            this.res_cookies[i] = cookie_str2;
+            return this;
+          }
+        }
+      }
+      this.res_cookies.push(cookie_str2);
+      return this;
+    }
+    const { name, value, path = "/", domain, max_age, expires, secure, http_only, same_site, prefix, extra } = cookie;
+    if (!name || typeof name !== "string") {
+      throw new Error("set_cookie: cookie.name must be a non-empty string");
+    }
+    const full_name = `${prefix ?? ""}${name}`;
+    if (prefix === "__Host-") {
+      if (domain) {
+        throw new Error("__Host- cookies must not include a domain attribute");
+      }
+      if (path !== "/") {
+        throw new Error("__Host- cookies must have path='/'");
+      }
+      if (!secure) {
+        throw new Error("__Host- cookies require secure=true");
+      }
+    }
+    if (prefix === "__Secure-" && !secure) {
+      throw new Error("__Secure- cookies require secure=true");
+    }
+    const encoded_value = value === null || typeof value === "undefined" ? "" : encodeURIComponent(String(value));
+    const parts = [];
+    parts.push(`${full_name}=${encoded_value}`);
+    if (path)
+      parts.push(`Path=${path}`);
+    if (domain)
+      parts.push(`Domain=${domain}`);
+    if (typeof max_age === "number" && Number.isFinite(max_age)) {
+      parts.push(`Max-Age=${Math.trunc(max_age)}`);
+    }
+    if (expires) {
+      const exp = expires instanceof Date ? expires.toUTCString() : String(expires).trim();
+      if (exp)
+        parts.push(`Expires=${exp}`);
+    }
+    if (secure)
+      parts.push("Secure");
+    if (http_only)
+      parts.push("HttpOnly");
+    if (same_site)
+      parts.push(`SameSite=${same_site}`);
+    if (extra && Array.isArray(extra)) {
+      for (const attr of extra) {
+        const trimmed = String(attr).trim();
+        if (trimmed)
+          parts.push(trimmed);
+      }
+    }
+    const cookie_str = parts.join("; ");
+    const name_end = cookie_str.indexOf("=");
     if (name_end !== -1) {
-      const name = cookie.substr(0, name_end);
+      const existing_name = cookie_str.substring(0, name_end);
       for (let i = 0; i < this.res_cookies.length; i++) {
-        if (this.res_cookies[i].startsWith(name)) {
-          this.res_cookies[i] = cookie;
+        if (this.res_cookies[i].startsWith(existing_name)) {
+          this.res_cookies[i] = cookie_str;
           return this;
         }
       }
     }
-    this.res_cookies.push(cookie);
+    this.res_cookies.push(cookie_str);
     return this;
   }
   // Set cookies.

package/backend/dist/cjs/backend/src/users.d.ts

@@ -259,24 +259,31 @@ export declare class Users {
     }): Promise<void>;
     /**
      * Create the auth token cookie on the response.
+     * `T` is treated as a real authentication credential.
+     *
      * @param stream The request stream.
      * @param token The token string or Token object.
      */
     _create_token_cookie(stream: Stream, token: string | User.Token): void;
     /**
-     * Create user cookies (id and activation flag).
+     * Create user cookies (ID and activation flag).
+     * These are user-state cookies, NOT auth credentials.
+     *
      * @param stream The request stream.
      * @param uid The user ID, or invalid to clear.
      */
-    _create_user_cookie(stream: Stream, uid: string): Promise<void>;
+    _create_user_cookie(stream: Stream, uid: string | null): Promise<void>;
     /**
-     * Create non-HTTP-only cookies with detailed user info for the frontend.
+     * Create non-HttpOnly cookies with detailed user info for frontend usage.
+     * These are UI convenience cookies only.
+     *
      * @param stream The request stream.
      * @param uid The user ID.
      */
     _create_detailed_user_cookie(stream: Stream, uid: string): Promise<void>;
     /**
-     * Clear all default auth/user cookies.
+     * Clear all default auth and user-related cookies.
+     *
      * @param stream The request stream.
      */
     _reset_cookies(stream: Stream): void;

package/backend/dist/cjs/backend/src/users.js

@@ -428,60 +428,127 @@ class Users {
   // ---------------------------------------------------------
   /**
    * Create the auth token cookie on the response.
+   * `T` is treated as a real authentication credential.
+   *
    * @param stream The request stream.
    * @param token The token string or Token object.
    */
   _create_token_cookie(stream, token) {
     stream.set_header("Cache-Control", "max-age=0, no-cache, no-store, must-revalidate, proxy-revalidate");
     stream.set_header("Access-Control-Allow-Credentials", "true");
-    if (typeof token === "object") {
-      token = token.token;
-    }
+    const token_value = typeof token === "object" ? token.token : token;
     const max_age = this.token_expiration;
-    const expires = new Date(Date.now() + max_age * 1e3).toUTCString();
-    stream.set_cookie(`T=${encodeURIComponent(token ?? "")}; Max-Age=${max_age}; Path=/; Expires=${expires}; SameSite=Strict; Secure; HttpOnly;`);
+    stream.set_cookie({
+      name: "T",
+      value: token_value,
+      path: "/",
+      max_age,
+      secure: true,
+      http_only: true,
+      same_site: "Lax"
+      // REQUIRED for Stripe success/cancel redirects
+    });
   }
   /**
-   * Create user cookies (id and activation flag).
+   * Create user cookies (ID and activation flag).
+   * These are user-state cookies, NOT auth credentials.
+   *
    * @param stream The request stream.
    * @param uid The user ID, or invalid to clear.
    */
   async _create_user_cookie(stream, uid) {
-    if (typeof uid === "string") {
-      stream.set_cookie(`UserID=${encodeURIComponent(uid ?? "")}; Path=/; SameSite=Strict; Secure;`);
+    if (typeof uid === "string" && uid.length > 0) {
+      stream.set_cookie({
+        name: "UserID",
+        value: uid,
+        path: "/",
+        secure: true,
+        same_site: "Lax"
+      });
       const is_activated = this.enable_account_activation ? await this.is_activated(uid) : true;
-      stream.set_cookie(`UserActivated=${is_activated}; Path=/; SameSite=Strict; Secure;`);
+      stream.set_cookie({
+        name: "UserActivated",
+        value: is_activated ? "1" : "0",
+        path: "/",
+        secure: true,
+        same_site: "Lax"
+      });
     } else {
-      stream.set_cookie(`UserID=-1; Path=/; SameSite=Strict; Secure;`);
-      const is_activated = this.enable_account_activation ? false : true;
-      stream.set_cookie(`UserActivated=${is_activated}; Path=/; SameSite=Strict; Secure;`);
+      stream.set_cookie({
+        name: "UserID",
+        value: "",
+        path: "/",
+        max_age: 0,
+        secure: true,
+        same_site: "Lax"
+      });
+      stream.set_cookie({
+        name: "UserActivated",
+        value: "0",
+        path: "/",
+        max_age: 0,
+        secure: true,
+        same_site: "Lax"
+      });
     }
   }
   /**
-   * Create non-HTTP-only cookies with detailed user info for the frontend.
+   * Create non-HttpOnly cookies with detailed user info for frontend usage.
+   * These are UI convenience cookies only.
+   *
    * @param stream The request stream.
    * @param uid The user ID.
    */
   async _create_detailed_user_cookie(stream, uid) {
     const user = await this.get(uid);
-    stream.set_cookie(`UserName=${encodeURIComponent(user.username ?? "")}; Path=/; SameSite=Strict; Secure;`);
-    stream.set_cookie(`UserFirstName=${encodeURIComponent(user.first_name ?? "")}; Path=/; SameSite=Strict; Secure;`);
-    stream.set_cookie(`UserLastName=${encodeURIComponent(user.last_name ?? "")}; Path=/; SameSite=Strict; Secure;`);
-    stream.set_cookie(`UserEmail=${encodeURIComponent(user.email ?? "")}; Path=/; SameSite=Strict; Secure;`);
+    stream.set_cookie({
+      name: "UserName",
+      value: user.username ?? "",
+      path: "/",
+      secure: true,
+      same_site: "Lax"
+    });
+    stream.set_cookie({
+      name: "UserFirstName",
+      value: user.first_name ?? "",
+      path: "/",
+      secure: true,
+      same_site: "Lax"
+    });
+    stream.set_cookie({
+      name: "UserLastName",
+      value: user.last_name ?? "",
+      path: "/",
+      secure: true,
+      same_site: "Lax"
+    });
+    stream.set_cookie({
+      name: "UserEmail",
+      value: user.email ?? "",
+      path: "/",
+      secure: true,
+      same_site: "Lax"
+    });
   }
   /**
-   * Clear all default auth/user cookies.
+   * Clear all default auth and user-related cookies.
+   *
    * @param stream The request stream.
    */
   _reset_cookies(stream) {
-    const past = "Thu, 01 Jan 1970 00:00:00 GMT";
-    stream.set_cookie(`T=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure; HttpOnly;`);
-    stream.set_cookie(`UserID=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure;`);
-    stream.set_cookie(`UserActivated=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure;`);
-    stream.set_cookie(`UserName=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure;`);
-    stream.set_cookie(`UserFirstName=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure;`);
-    stream.set_cookie(`UserLastName=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure;`);
-    stream.set_cookie(`UserEmail=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure;`);
+    const clear = {
+      path: "/",
+      max_age: 0,
+      secure: true,
+      same_site: "Lax"
+    };
+    stream.set_cookie({ name: "T", value: "", http_only: true, ...clear });
+    stream.set_cookie({ name: "UserID", value: "", ...clear });
+    stream.set_cookie({ name: "UserActivated", value: "", ...clear });
+    stream.set_cookie({ name: "UserName", value: "", ...clear });
+    stream.set_cookie({ name: "UserFirstName", value: "", ...clear });
+    stream.set_cookie({ name: "UserLastName", value: "", ...clear });
+    stream.set_cookie({ name: "UserEmail", value: "", ...clear });
   }
   // ---------------------------------------------------------
   // 2FA mail.

package/backend/dist/esm/backend/src/database/collection.d.ts

@@ -159,6 +159,23 @@ export declare class Collection<Data extends mongodb.Document = mongodb.Document
       * - Plain object without '$' keys → NOT valid for updateOne/findOneAndUpdate.
       */
     private _is_operator_update_or_pipeline;
+    private _index_key_signature;
+    private _keys_equal;
+    private _normalize_index_opts;
+    /**
+     * Drop all indexes that are NOT part of this._init_indexes, excluding _id_ (and TTL index if enabled).
+     *
+     * @note We match by key pattern rather than name because names can differ.
+     */
+    private _drop_non_init_indexes;
+    /**
+     * Creates indexes on collections.
+     *
+     * @note When transaction mode is enabled, the session option will not be used.
+     *
+     * @param opts The index create options.
+     */
+    private _create_index;
     /**
      * Initialize the collection, creating indexes and setting up TTL if needed.
      * @returns The initialized collection instance.
@@ -215,16 +232,6 @@ export declare class Collection<Data extends mongodb.Document = mongodb.Document
      * @docs
      */
     has_index(index: string): Promise<boolean>;
-    /**
-     * Creates indexes on collections.
-     *
-     * @note When transaction mode is enabled, the session option will not be used.
-     *
-     * @param opts The index create options.
-     *
-     * @docs
-     */
-    create_index(opts: string | Collection.IndexOpts): Promise<string>;
     /**
      * Standalone helper: merge `source` into `target` for missing keys only.
      * Clones assigned nested objects/arrays/dates once (when `clone` is true).