@vandenberghinc/volt 1.2.2 → 1.2.4

package/frontend/dist/backend/src/stream.js

@@ -1477,31 +1477,115 @@ export class Stream {
     remove_headers(...names) {
         return this.remove_header(...names);
     }
-    // Set a cookie.
     /**
-     * Set a cookie that will be sent with the response.
+     * Set a cookie to be sent with the response.
+     *
+     * Accepts either:
+     * 1) a pre-built cookie header string (used as-is, no validation), or
+     * 2) a structured object describing the cookie, from which a standards-compliant
+     *    cookie string will be generated.
+     *
+     * If a cookie with the same name already exists in the pending response list,
+     * it will be replaced.
+     *
+     * @warning Cookies are only included in the response when using `send()`,
+     *          `success()` or `error()`.
      *
-     * @warning Will only be added to the response when the user uses `send()`, `success()` or `error()`.
-     * @param cookie The cookie string.
      * @example
      * ```ts
-     * stream.set_cookie("MyCookie=Hello World;");
+     * stream.set_cookie("sid=abc123; Path=/; SameSite=Lax; Secure; HttpOnly");
+     *
+     * stream.set_cookie({
+     *   name: "sid",
+     *   value: session_id,
+     *   http_only: true,
+     *   secure: true,
+     *   same_site: "Lax",
+     *   path: "/",
+     *   max_age: 60 * 60 * 24 * 14,
+     * });
      * ```
-     * @docs
      */
     set_cookie(cookie) {
-        cookie = cookie.trim();
-        const name_end = cookie.indexOf("=");
+        // If the user provided a raw cookie string, trust it and use it as-is.
+        if (typeof cookie === "string") {
+            const cookie_str = cookie.trim();
+            const name_end = cookie_str.indexOf("=");
+            if (name_end !== -1) {
+                const name = cookie_str.substring(0, name_end);
+                for (let i = 0; i < this.res_cookies.length; i++) {
+                    if (this.res_cookies[i].startsWith(name)) {
+                        this.res_cookies[i] = cookie_str;
+                        return this;
+                    }
+                }
+            }
+            this.res_cookies.push(cookie_str);
+            return this;
+        }
+        // Structured cookie path (commercial-grade, predictable, minimal validation)
+        const { name, value, path = "/", domain, max_age, expires, secure, http_only, same_site, prefix, extra, } = cookie;
+        if (!name || typeof name !== "string") {
+            throw new Error("set_cookie: cookie.name must be a non-empty string");
+        }
+        const full_name = `${prefix ?? ""}${name}`;
+        // Enforce prefix rules (light but correct)
+        if (prefix === "__Host-") {
+            if (domain) {
+                throw new Error("__Host- cookies must not include a domain attribute");
+            }
+            if (path !== "/") {
+                throw new Error("__Host- cookies must have path='/'");
+            }
+            if (!secure) {
+                throw new Error("__Host- cookies require secure=true");
+            }
+        }
+        if (prefix === "__Secure-" && !secure) {
+            throw new Error("__Secure- cookies require secure=true");
+        }
+        const encoded_value = value === null || typeof value === "undefined"
+            ? ""
+            : encodeURIComponent(String(value));
+        const parts = [];
+        parts.push(`${full_name}=${encoded_value}`);
+        if (path)
+            parts.push(`Path=${path}`);
+        if (domain)
+            parts.push(`Domain=${domain}`);
+        if (typeof max_age === "number" && Number.isFinite(max_age)) {
+            parts.push(`Max-Age=${Math.trunc(max_age)}`);
+        }
+        if (expires) {
+            const exp = expires instanceof Date ? expires.toUTCString() : String(expires).trim();
+            if (exp)
+                parts.push(`Expires=${exp}`);
+        }
+        if (secure)
+            parts.push("Secure");
+        if (http_only)
+            parts.push("HttpOnly");
+        if (same_site)
+            parts.push(`SameSite=${same_site}`);
+        if (extra && Array.isArray(extra)) {
+            for (const attr of extra) {
+                const trimmed = String(attr).trim();
+                if (trimmed)
+                    parts.push(trimmed);
+            }
+        }
+        const cookie_str = parts.join("; ");
+        const name_end = cookie_str.indexOf("=");
         if (name_end !== -1) {
-            const name = cookie.substr(0, name_end);
+            const existing_name = cookie_str.substring(0, name_end);
             for (let i = 0; i < this.res_cookies.length; i++) {
-                if (this.res_cookies[i].startsWith(name)) {
-                    this.res_cookies[i] = cookie;
+                if (this.res_cookies[i].startsWith(existing_name)) {
+                    this.res_cookies[i] = cookie_str;
                     return this;
                 }
             }
         }
-        this.res_cookies.push(cookie);
+        this.res_cookies.push(cookie_str);
         return this;
     }
     // Set cookies.

package/frontend/dist/backend/src/users.d.ts

@@ -259,24 +259,31 @@ export declare class Users {
     }): Promise<void>;
     /**
      * Create the auth token cookie on the response.
+     * `T` is treated as a real authentication credential.
+     *
      * @param stream The request stream.
      * @param token The token string or Token object.
      */
     _create_token_cookie(stream: Stream, token: string | User.Token): void;
     /**
-     * Create user cookies (id and activation flag).
+     * Create user cookies (ID and activation flag).
+     * These are user-state cookies, NOT auth credentials.
+     *
      * @param stream The request stream.
      * @param uid The user ID, or invalid to clear.
      */
-    _create_user_cookie(stream: Stream, uid: string): Promise<void>;
+    _create_user_cookie(stream: Stream, uid: string | null): Promise<void>;
     /**
-     * Create non-HTTP-only cookies with detailed user info for the frontend.
+     * Create non-HttpOnly cookies with detailed user info for frontend usage.
+     * These are UI convenience cookies only.
+     *
      * @param stream The request stream.
      * @param uid The user ID.
      */
     _create_detailed_user_cookie(stream: Stream, uid: string): Promise<void>;
     /**
-     * Clear all default auth/user cookies.
+     * Clear all default auth and user-related cookies.
+     *
      * @param stream The request stream.
      */
     _reset_cookies(stream: Stream): void;

package/frontend/dist/backend/src/users.js

@@ -431,61 +431,129 @@ export class Users {
     // ---------------------------------------------------------
     /**
      * Create the auth token cookie on the response.
+     * `T` is treated as a real authentication credential.
+     *
      * @param stream The request stream.
      * @param token The token string or Token object.
      */
     _create_token_cookie(stream, token) {
         stream.set_header("Cache-Control", "max-age=0, no-cache, no-store, must-revalidate, proxy-revalidate");
         stream.set_header("Access-Control-Allow-Credentials", "true");
-        if (typeof token === "object") {
-            token = token.token;
-        }
+        const token_value = typeof token === "object" ? token.token : token;
         const max_age = this.token_expiration; // seconds
-        const expires = new Date(Date.now() + max_age * 1000).toUTCString();
-        stream.set_cookie(`T=${encodeURIComponent(token ?? "")}; Max-Age=${max_age}; Path=/; Expires=${expires}; SameSite=Strict; Secure; HttpOnly;`);
+        stream.set_cookie({
+            name: "T",
+            value: token_value,
+            path: "/",
+            max_age,
+            secure: true,
+            http_only: true,
+            same_site: "Lax", // REQUIRED for Stripe success/cancel redirects
+        });
     }
     /**
-     * Create user cookies (id and activation flag).
+     * Create user cookies (ID and activation flag).
+     * These are user-state cookies, NOT auth credentials.
+     *
      * @param stream The request stream.
      * @param uid The user ID, or invalid to clear.
      */
     async _create_user_cookie(stream, uid) {
-        if (typeof uid === "string") {
-            stream.set_cookie(`UserID=${encodeURIComponent(uid ?? "")}; Path=/; SameSite=Strict; Secure;`); // http only since we use this value for account activation without signin.
-            const is_activated = this.enable_account_activation ? await this.is_activated(uid) : true;
-            stream.set_cookie(`UserActivated=${is_activated}; Path=/; SameSite=Strict; Secure;`);
+        if (typeof uid === "string" && uid.length > 0) {
+            stream.set_cookie({
+                name: "UserID",
+                value: uid,
+                path: "/",
+                secure: true,
+                same_site: "Lax",
+            });
+            const is_activated = this.enable_account_activation
+                ? await this.is_activated(uid)
+                : true;
+            stream.set_cookie({
+                name: "UserActivated",
+                value: is_activated ? "1" : "0",
+                path: "/",
+                secure: true,
+                same_site: "Lax",
+            });
         }
         else {
-            stream.set_cookie(`UserID=-1; Path=/; SameSite=Strict; Secure;`); // http only since we use this value for account activation without signin.
-            const is_activated = this.enable_account_activation ? false : true;
-            stream.set_cookie(`UserActivated=${is_activated}; Path=/; SameSite=Strict; Secure;`);
+            stream.set_cookie({
+                name: "UserID",
+                value: "",
+                path: "/",
+                max_age: 0,
+                secure: true,
+                same_site: "Lax",
+            });
+            stream.set_cookie({
+                name: "UserActivated",
+                value: "0",
+                path: "/",
+                max_age: 0,
+                secure: true,
+                same_site: "Lax",
+            });
         }
     }
     /**
-     * Create non-HTTP-only cookies with detailed user info for the frontend.
+     * Create non-HttpOnly cookies with detailed user info for frontend usage.
+     * These are UI convenience cookies only.
+     *
      * @param stream The request stream.
      * @param uid The user ID.
      */
     async _create_detailed_user_cookie(stream, uid) {
         const user = await this.get(uid);
-        stream.set_cookie(`UserName=${encodeURIComponent(user.username ?? "")}; Path=/; SameSite=Strict; Secure;`);
-        stream.set_cookie(`UserFirstName=${encodeURIComponent(user.first_name ?? "")}; Path=/; SameSite=Strict; Secure;`);
-        stream.set_cookie(`UserLastName=${encodeURIComponent(user.last_name ?? "")}; Path=/; SameSite=Strict; Secure;`);
-        stream.set_cookie(`UserEmail=${encodeURIComponent(user.email ?? "")}; Path=/; SameSite=Strict; Secure;`);
+        stream.set_cookie({
+            name: "UserName",
+            value: user.username ?? "",
+            path: "/",
+            secure: true,
+            same_site: "Lax",
+        });
+        stream.set_cookie({
+            name: "UserFirstName",
+            value: user.first_name ?? "",
+            path: "/",
+            secure: true,
+            same_site: "Lax",
+        });
+        stream.set_cookie({
+            name: "UserLastName",
+            value: user.last_name ?? "",
+            path: "/",
+            secure: true,
+            same_site: "Lax",
+        });
+        stream.set_cookie({
+            name: "UserEmail",
+            value: user.email ?? "",
+            path: "/",
+            secure: true,
+            same_site: "Lax",
+        });
     }
     /**
-     * Clear all default auth/user cookies.
+     * Clear all default auth and user-related cookies.
+     *
      * @param stream The request stream.
      */
     _reset_cookies(stream) {
-        const past = "Thu, 01 Jan 1970 00:00:00 GMT";
-        stream.set_cookie(`T=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure; HttpOnly;`);
-        stream.set_cookie(`UserID=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure;`); // http only since we use this value for account activation without signin.
-        stream.set_cookie(`UserActivated=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure;`);
-        stream.set_cookie(`UserName=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure;`);
-        stream.set_cookie(`UserFirstName=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure;`);
-        stream.set_cookie(`UserLastName=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure;`);
-        stream.set_cookie(`UserEmail=; Max-Age=0; Path=/; Expires=${past}; SameSite=Strict; Secure;`);
+        const clear = {
+            path: "/",
+            max_age: 0,
+            secure: true,
+            same_site: "Lax",
+        };
+        stream.set_cookie({ name: "T", value: "", http_only: true, ...clear });
+        stream.set_cookie({ name: "UserID", value: "", ...clear });
+        stream.set_cookie({ name: "UserActivated", value: "", ...clear });
+        stream.set_cookie({ name: "UserName", value: "", ...clear });
+        stream.set_cookie({ name: "UserFirstName", value: "", ...clear });
+        stream.set_cookie({ name: "UserLastName", value: "", ...clear });
+        stream.set_cookie({ name: "UserEmail", value: "", ...clear });
     }
     // ---------------------------------------------------------
     // 2FA mail.

package/frontend/dist/frontend/src/modules/user.js

@@ -17,7 +17,7 @@ export var User;
      */
     function uid() {
         const uid = Cookies.get("UserID");
-        return typeof uid !== "string" || uid == "-1" ? undefined : uid;
+        return typeof uid !== "string" || uid == "-1" || uid === "" ? undefined : uid;
     }
     User.uid = uid;
     /**
@@ -87,7 +87,8 @@ export var User;
      * @docs
      */
     function is_activated() {
-        return Cookies.get("UserActivated") === "true";
+        const activated = Cookies.get("UserActivated");
+        return activated === "true" || activated === "1";
     }
     User.is_activated = is_activated;
     /**

package/frontend/dist/frontend/src/ui/table.d.ts

@@ -71,7 +71,7 @@ export declare class TableElement extends VElementTagMap.div {
     table_body: TableBodyElement;
     constructor({ rows, columns, show_columns, }: {
         rows?: AppendType[][];
-        columns: AppendType[] | boolean;
+        columns?: AppendType[];
         show_columns?: boolean;
     });
     iterate(callback: any): this;
@@ -89,7 +89,7 @@ export declare class TableElement extends VElementTagMap.div {
 }
 export declare const Table: <Extensions extends object = {}>(args_0: {
     rows?: AppendType[][];
-    columns: AppendType[] | boolean;
+    columns?: AppendType[];
     show_columns?: boolean;
 }) => TableElement & Extensions;
 export declare const NullTable: <Extensions extends object = {}>() => TableElement & Extensions;

package/frontend/dist/frontend/src/ui/table.js

@@ -285,19 +285,16 @@ let TableElement = (() => {
         table_head = NullTableHead();
         table_body = NullTableBody();
         // Constructor.
-        constructor({ rows = [
-            ["a", "b"],
-            ["c", "d"],
-        ], columns = ["Column 1", "Column 2"], show_columns = true, }) {
+        constructor({ rows = [], columns = [], show_columns = true, }) {
             // Initialize base class.
             super({
                 derived: TableElement,
             });
             // Attributes.
             this.table_rows = [];
-            this.show_columns = show_columns === true && columns !== false;
+            this.show_columns = show_columns === true && columns.length > 0;
             // Append content.
-            this.create({ rows, columns: columns === false ? [] : columns });
+            this.create({ rows, columns });
             this.overflow("hidden"); // without overflow hidden when border radius is set on the element the background of rows can overflow.
         }
         // Iterate the table data items.

package/package.json

@@ -1,7 +1,7 @@
 {
     "author": "Daan van den Bergh",
     "name": "@vandenberghinc/volt",
-    "version": "1.2.2",
+    "version": "1.2.4",
     "description": "",
     "type": "module",
     "types": "./backend/dist/esm/index.d.ts",
@@ -35,7 +35,7 @@
     },
     "dependencies": {
         "@vandenberghinc/vhighlight": "^1.3.17",
-        "@vandenberghinc/vlib": "^1.6.42",
+        "@vandenberghinc/vlib": "^1.6.46",
         "blob-stream": "^0.1.3",
         "clean-css": "^5.3.3",
         "esbuild": "^0.25.12",