kuzzle 2.17.7 → 2.18.1

package/lib/api/openapi/components/document/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.OpenApiDocumentValidateComponent = exports.OpenApiDocumentValidate = exports.OpenApiDocumentDeleteByQueryComponent = exports.OpenApiDocumentDeleteByQuery = exports.OpenApiDocumentDeleteComponent = exports.OpenApiDocumentDelete = exports.OpenApiDocumentScrollComponent = exports.OpenApiDocumentScroll = exports.OpenApiDocumentUpdateComponent = exports.OpenApiDocumentUpdate = exports.OpenApiDocumentExistsComponent = exports.OpenApiDocumentExists = exports.OpenApiDocumentReplaceComponent = exports.OpenApiDocumentReplace = exports.OpenApiDocumentGetComponent = exports.OpenApiDocumentGet = exports.OpenApiDocumentCreateOrReplaceComponent = exports.OpenApiDocumentCreateOrReplace = exports.OpenApiDocumentCreateComponent = exports.OpenApiDocumentCreate = exports.OpenApiDocumentCountComponent = exports.OpenApiDocumentCount = void 0;
+exports.OpenApiDocumentmCreateOrReplaceComponent = exports.OpenApiDocumentmCreateOrReplace = exports.OpenApiDocumentValidateComponent = exports.OpenApiDocumentValidate = exports.OpenApiDocumentDeleteByQueryComponent = exports.OpenApiDocumentDeleteByQuery = exports.OpenApiDocumentDeleteComponent = exports.OpenApiDocumentDelete = exports.OpenApiDocumentScrollComponent = exports.OpenApiDocumentScroll = exports.OpenApiDocumentUpdateComponent = exports.OpenApiDocumentUpdate = exports.OpenApiDocumentExistsComponent = exports.OpenApiDocumentExists = exports.OpenApiDocumentReplaceComponent = exports.OpenApiDocumentReplace = exports.OpenApiDocumentGetComponent = exports.OpenApiDocumentGet = exports.OpenApiDocumentCreateOrReplaceComponent = exports.OpenApiDocumentCreateOrReplace = exports.OpenApiDocumentCreateComponent = exports.OpenApiDocumentCreate = exports.OpenApiDocumentCountComponent = exports.OpenApiDocumentCount = void 0;
 const readYamlFile_1 = require("../../../../util/readYamlFile");
 // reading the description of the Count action in the controller document.
 // The yaml objects are then stored in the variables below
@@ -57,4 +57,9 @@ exports.OpenApiDocumentDeleteByQueryComponent = deleteByQueryObject.components.s
 const validateObject = (0, readYamlFile_1.readYamlFile)(__dirname + '/validate.yaml');
 exports.OpenApiDocumentValidate = validateObject.DocumentValidate;
 exports.OpenApiDocumentValidateComponent = validateObject.components.schemas;
+// reading the description of the mCreateOrReplace action in the controller document.
+// The yaml objects are then stored in the variables below
+const mCreateOrReplaceObject = (0, readYamlFile_1.readYamlFile)(__dirname + '/mCreateOrReplace.yaml');
+exports.OpenApiDocumentmCreateOrReplace = mCreateOrReplaceObject.DocumentmCreateOrReplace;
+exports.OpenApiDocumentmCreateOrReplaceComponent = mCreateOrReplaceObject.components.schemas;
 //# sourceMappingURL=index.js.map

package/lib/api/openapi/components/document/mCreateOrReplace.yaml

@@ -0,0 +1,93 @@
+DocumentmCreateOrReplace:
+  summary: "Creates or replaces multiple documents."
+  tags:
+    - document
+  parameters:
+    - in: path
+      name: index
+      schema:
+        type: string
+      required: true
+    - in: path
+      name: collection
+      schema:
+        type: string
+      required: true
+    - in: path
+      name: refresh
+      schema:
+        type: string
+      required: false
+    - in: path
+      name: silent
+      schema:
+        type: boolean
+      required: false
+    - in: path
+      name: _source
+      description: "if set to true, the response will include the document's source (default value true)"
+      schema:
+        type: boolean
+      required: false
+    - name: body
+      in: "body"
+      description: "Creates or replaces multiple documents."
+      required: true
+      schema:
+        $ref: "#/components/document/DocumentmCreateOrReplaceRequest"
+  responses:
+    200:
+      description: "Creates or replaces multiple documents."
+      schema:
+        $ref: "#/components/document/DocumentmCreateOrReplaceResponse"
+
+components:
+  schemas:
+    DocumentmCreateOrReplaceRequest:
+      allOf:
+        - type: "object"
+          properties:
+            documents:
+              type: "array"
+              items:
+                type: "object"
+                properties:
+                  _id:
+                    type: "string"
+                  body:
+                    type: "object"
+                    description: "document content"
+    DocumentmCreateOrReplaceResponse:
+      allOf:
+        - $ref: "#/components/ResponsePayload"
+        - type: "object"
+          properties:
+            result:
+              type: "object"
+              properties:
+                successes:
+                  type: "array"
+                  items:
+                    type: "object"
+                    properties:
+                      _id:
+                        type: "string"
+                      _source:
+                        type: "object"
+                        description: "document content"
+                      _version:
+                        type: "integer"
+                      created:
+                        type: "boolean"
+                errors:
+                  type: "array"
+                  items:
+                    type: "object"
+                    properties:
+                      document:
+                        type: "object"
+                        description: "document content"
+                      status:
+                        type: "integer"
+                      reason:
+                        type: "string"

package/lib/api/openapi/components/document/update.yaml

@@ -75,4 +75,4 @@ components:
                   type: "integer"
                 _source:
                   type: string
-                  description: "partial or entire document"
+                  description: "partial or entire document"

package/lib/api/openapi/components/index.d.ts

@@ -1,2 +1,3 @@
 export * from './document';
+export * from './security';
 export declare const OpenApiPayloadsDefinitions: any;

package/lib/api/openapi/components/index.js

@@ -17,6 +17,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.OpenApiPayloadsDefinitions = void 0;
 const readYamlFile_1 = require("../../../util/readYamlFile");
 __exportStar(require("./document"), exports);
+__exportStar(require("./security"), exports);
 // Document definitions (reusable object for KuzzleRequest and KuzzleResponse)
 exports.OpenApiPayloadsDefinitions = (0, readYamlFile_1.readYamlFile)(__dirname + '/payloads.yaml').definitions;
 //# sourceMappingURL=index.js.map

package/lib/api/openapi/components/security/index.d.ts

@@ -0,0 +1,2 @@
+export declare const OpenApiSecurityUpsertUser: any;
+export declare const OpenApiSecurityUpsertUserComponent: any;

package/lib/api/openapi/components/security/index.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OpenApiSecurityUpsertUserComponent = exports.OpenApiSecurityUpsertUser = void 0;
+const readYamlFile_1 = require("../../../../util/readYamlFile");
+// reading the description of the UpsertUser action in the controller security.
+// The yaml objects are then stored in the variables below
+const upsertUserObject = (0, readYamlFile_1.readYamlFile)(__dirname + '/upsertUser.yaml');
+exports.OpenApiSecurityUpsertUser = upsertUserObject.SecurityUpsertUser;
+exports.OpenApiSecurityUpsertUserComponent = upsertUserObject.components.schemas;
+//# sourceMappingURL=index.js.map

package/lib/api/openapi/components/security/upsertUser.yaml

@@ -0,0 +1,59 @@
+SecurityUpsertUser:
+  summary: "Update or create a user."
+  tags:
+    - user
+  parameters:
+    - in: path
+      name: _id
+      schema:
+        type: string
+      required: true
+    - in: path
+      name: refresh
+      schema:
+        type: string
+      description: " if set to wait_for, Kuzzle will not respond until the deletion has been indexed"
+      required: false
+    - in: path
+      name: retryOnConflict
+      schema:
+        type: integer
+      description: "conflicts may occur if the same user gets updated multiple times within a short timespan, in a database cluster. You can set the retryOnConflict optional argument (with a retry count), to tell Kuzzle to retry the failing updates the specified amount of times before rejecting the request with an error."
+      required: false
+    - name: content
+      in: "body"
+      description: "Updates a user content."
+      required: true
+      schema:
+        $ref: "#/components/security/SecurityUpsertUserRequest"
+  responses:
+    200:
+      description: "Updates or creates a user."
+      schema:
+        $ref: "#/components/security/SecurityUpsertUserResponse"
+      
+components:
+  schemas:
+    SecurityUpsertUserRequest:
+      allOf:
+        - type: "object"
+          description: "user changes"
+    SecurityUpsertUserResponse:
+      allOf:
+        - $ref: "#/components/ResponsePayload"
+        - type: "object"
+          properties:
+            result:
+              type: "object"
+              properties:
+                _id:
+                  type: "string"
+                  description: "userId"
+                _version:
+                  type: "integer"
+                _source:
+                  type: "object"
+                  description: " (optional) actualized user content. This property appears only if the \"source\" option is set to true"
+                created:
+                  type: "boolean"
+

package/lib/api/openapi/openApiGenerator.js

@@ -3,7 +3,7 @@
  * Kuzzle, a backend software, self-hostable and ready to use
  * to power modern apps
  *
- * Copyright 2015-2020 Kuzzle
+ * Copyright 2015-2022 Kuzzle
  * mailto: support AT kuzzle.io
  * website: http://kuzzle.io
  *

package/lib/api/rateLimiter.js

@@ -2,7 +2,7 @@
  * Kuzzle, a backend software, self-hostable and ready to use
  * to power modern apps
  *
- * Copyright 2015-2020 Kuzzle
+ * Copyright 2015-2022 Kuzzle
  * mailto: support AT kuzzle.io
  * website: http://kuzzle.io
  *

package/lib/api/request/kuzzleRequest.d.ts

@@ -258,6 +258,9 @@ export declare class KuzzleRequest {
     /**
      * Gets a parameter from a request arguments and checks that it is an array
      *
+     * If the request argument is a JSON String instead of an array, it will be parsed
+     * and returned if it is a valid JSON array, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -266,9 +269,29 @@ export declare class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an array
      */
     getArray(name: string, def?: [] | undefined): any[];
+    /**
+     * @deprecated do not use, Use getArray instead
+     *
+     * Gets a parameter from a request arguments and checks that it is an array
+     *
+     * If the request argument is a String instead of an array, it will be JSON parsed
+     * and returned if it is a valid JSON array, otherwise it will return the string splitted on `,`.
+     *
+     *
+     * @param name parameter name
+     * @param def default value to return if the parameter is not set
+     *
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If the fetched parameter is not an array or a string
+     */
+    getArrayLegacy(name: string, def?: [] | undefined): any[];
     /**
      * Gets a parameter from a request arguments and checks that it is an object
      *
+     * If the request argument is a JSON String instead of an object, it will be parsed
+     * and returned if it is a valid JSON object, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -277,6 +300,27 @@ export declare class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an object
      */
     getObject(name: string, def?: JSONObject | undefined): JSONObject;
+    /**
+     * Gets a parameter from a request arguments and check with moment.js if the date is an ISO8601 format date
+     * or is valid regarding a given custom format (example : YYYY-MM-DD).
+     *
+     * @param name parameter name.
+     * @param format optional parameter to check if the date is valid regarding a format. If not set, the format checked
+     * is ISO8601.
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If parameter value is not a valid date.
+     */
+    getDate(name: string, format?: string): string;
+    /**
+     * Gets a parameter from a request arguments and returns it to timestamp format.
+     *
+     * @param name parameter name.
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If parameter value is not a valid date.
+     */
+    getTimestamp(name: string): number;
     /**
      * Returns the index specified in the request
      */
@@ -353,6 +397,7 @@ export declare class KuzzleRequest {
      * @param obj container object
      * @param name parameter name
      * @param errorName name to use in error messages
+     * @param querystring if true, the object is expected to be found in a querystring
      */
     private _getBoolean;
     /**
@@ -398,6 +443,7 @@ export declare class KuzzleRequest {
      * @param name parameter name
      * @param errorName name to use in error messages
      * @param def default value
+     * @param querystring if true, the object is expected to be found in a querystring
      */
     private _getObject;
 }

package/lib/api/request/kuzzleRequest.js

@@ -3,7 +3,7 @@
  * Kuzzle, a backend software, self-hostable and ready to use
  * to power modern apps
  *
- * Copyright 2015-2020 Kuzzle
+ * Copyright 2015-2022 Kuzzle
  * mailto: support AT kuzzle.io
  * website: http://kuzzle.io
  *
@@ -42,8 +42,14 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Request = exports.KuzzleRequest = void 0;
+const safeObject_1 = require("../../util/safeObject");
+const lodash_1 = require("lodash");
+const moment_1 = __importDefault(require("moment"));
 const uuid = __importStar(require("uuid"));
 const nanoid_1 = require("nanoid");
 const requestInput_1 = require("./requestInput");
@@ -53,8 +59,6 @@ const errors_1 = require("../../kerror/errors");
 const kerror = __importStar(require("../../kerror"));
 const types_1 = require("../../types");
 const assert = __importStar(require("../../util/assertType"));
-const safeObject_1 = require("../../util/safeObject");
-const lodash_1 = require("lodash");
 const assertionError = kerror.wrap('api', 'assert');
 // private properties
 // \u200b is a zero width space, used to masquerade console.log output
@@ -224,7 +228,9 @@ class KuzzleRequest {
         }
         this.status = options.status || 200;
         if (options.headers) {
-            this.response.setHeaders(options.headers);
+            this.response.configure({
+                headers: options.headers
+            });
         }
         if (options.raw !== undefined) {
             this.response.raw = options.raw;
@@ -461,7 +467,7 @@ class KuzzleRequest {
      * @param name parameter name
      */
     getBoolean(name) {
-        return this._getBoolean(this.input.args, name, name);
+        return this._getBoolean(this.input.args, name, name, true);
     }
     /**
      * Gets a parameter from a request arguments and checks that it is a number
@@ -505,6 +511,9 @@ class KuzzleRequest {
     /**
      * Gets a parameter from a request arguments and checks that it is an array
      *
+     * If the request argument is a JSON String instead of an array, it will be parsed
+     * and returned if it is a valid JSON array, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -513,11 +522,56 @@ class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an array
      */
     getArray(name, def = undefined) {
-        return this._getArray(this.input.args, name, name, def);
+        return this._getArray(this.input.args, name, name, def, true);
+    }
+    /**
+     * @deprecated do not use, Use getArray instead
+     *
+     * Gets a parameter from a request arguments and checks that it is an array
+     *
+     * If the request argument is a String instead of an array, it will be JSON parsed
+     * and returned if it is a valid JSON array, otherwise it will return the string splitted on `,`.
+     *
+     *
+     * @param name parameter name
+     * @param def default value to return if the parameter is not set
+     *
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If the fetched parameter is not an array or a string
+     */
+    getArrayLegacy(name, def = undefined) {
+        const value = (0, lodash_1.get)(this.input.args, name, def);
+        if (value === undefined) {
+            throw assertionError.get('missing_argument', name);
+        }
+        if (Array.isArray(value)) {
+            return value;
+        }
+        if (typeof value !== 'string') {
+            throw assertionError.get('invalid_type', name, 'array');
+        }
+        // If we are using the HTTP protocol and we have a string instead of an Array
+        // we try to parse it as JSON
+        if (this.context.connection.protocol === 'http') {
+            try {
+                const parsedValue = JSON.parse(value);
+                if (Array.isArray(parsedValue)) {
+                    return parsedValue;
+                }
+            }
+            catch (e) {
+                // Do nothing, let the code continue
+            }
+        }
+        return value.split(',');
     }
     /**
      * Gets a parameter from a request arguments and checks that it is an object
      *
+     * If the request argument is a JSON String instead of an object, it will be parsed
+     * and returned if it is a valid JSON object, otherwise it will @throws {api.assert.invalid_type}.
+     *
      * @param name parameter name
      * @param def default value to return if the parameter is not set
      *
@@ -526,7 +580,49 @@ class KuzzleRequest {
      * @throws {api.assert.invalid_type} If the fetched parameter is not an object
      */
     getObject(name, def = undefined) {
-        return this._getObject(this.input.args, name, name, def);
+        return this._getObject(this.input.args, name, name, def, true);
+    }
+    /**
+     * Gets a parameter from a request arguments and check with moment.js if the date is an ISO8601 format date
+     * or is valid regarding a given custom format (example : YYYY-MM-DD).
+     *
+     * @param name parameter name.
+     * @param format optional parameter to check if the date is valid regarding a format. If not set, the format checked
+     * is ISO8601.
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If parameter value is not a valid date.
+     */
+    getDate(name, format) {
+        const args = this.input.args;
+        if (args[name] === undefined) {
+            throw assertionError.get('missing_argument', name);
+        }
+        if (format && !(0, moment_1.default)(args[name], format, true).isValid()) {
+            throw assertionError.get('invalid_type', name, 'date');
+        }
+        if (!(0, moment_1.default)(args[name], moment_1.default.ISO_8601).isValid()) {
+            throw assertionError.get('invalid_type', name, 'date');
+        }
+        return this.getString(name);
+    }
+    /**
+     * Gets a parameter from a request arguments and returns it to timestamp format.
+     *
+     * @param name parameter name.
+     * @throws {api.assert.missing_argument} If parameter not found and no default
+     *                                       value provided
+     * @throws {api.assert.invalid_type} If parameter value is not a valid date.
+     */
+    getTimestamp(name) {
+        const args = this.input.args;
+        if (args[name] === undefined) {
+            throw assertionError.get('missing_argument', name);
+        }
+        if ((0, moment_1.default)(args[name], true).isValid() === false) {
+            throw assertionError.get('invalid_type', name, 'date');
+        }
+        return this.getInteger(name);
     }
     /**
      * Returns the index specified in the request
@@ -631,13 +727,7 @@ class KuzzleRequest {
             || this.context.connection.misc.verb !== 'GET') {
             return this.getBody({});
         }
-        const searchBody = this.getString('searchBody', '{}');
-        try {
-            return JSON.parse(searchBody);
-        }
-        catch (err) {
-            throw assertionError.get('invalid_argument', err.message);
-        }
+        return this.getObject('searchBody', {});
     }
     /**
      * Returns the search params.
@@ -690,16 +780,17 @@ class KuzzleRequest {
      * @param obj container object
      * @param name parameter name
      * @param errorName name to use in error messages
+     * @param querystring if true, the object is expected to be found in a querystring
      */
-    _getBoolean(obj, name, errorName) {
+    _getBoolean(obj, name, errorName, querystring = false) {
         let value = (0, lodash_1.get)(obj, name);
         // In HTTP, booleans are flags: if it's in the querystring, it's set,
         // whatever its value.
         // If a user needs to unset the option, they need to remove it from the
         // querystring.
-        if (this.context.connection.protocol === 'http') {
+        if (this.context.connection.protocol === 'http' && querystring) {
             value = value !== undefined;
-            obj[name] = value;
+            (0, lodash_1.set)(obj, name, value);
         }
         else if (value === undefined || value === null) {
             value = false;
@@ -776,12 +867,30 @@ class KuzzleRequest {
      * @param errorName name to use in error messages
      * @param def default value
      */
-    _getArray(obj, name, errorName, def = undefined) {
+    _getArray(obj, name, errorName, def = undefined, querystring = false) {
         const value = (0, lodash_1.get)(obj, name, def);
         if (value === undefined) {
             throw assertionError.get('missing_argument', errorName);
         }
         if (!Array.isArray(value)) {
+            // If we are using the HTTP protocol and we have a string instead of an Array
+            // we try to parse it as JSON
+            if (this.context.connection.protocol === 'http'
+                && querystring
+                && typeof value === 'string') {
+                try {
+                    const parsedValue = JSON.parse(value);
+                    if (Array.isArray(parsedValue)) {
+                        // Replace the value with the parsed value
+                        // This way subsequent calls to this function will return the parsed value directly
+                        (0, lodash_1.set)(obj, name, parsedValue);
+                        return parsedValue;
+                    }
+                }
+                catch (e) {
+                    // Do nothing, let the error be thrown below
+                }
+            }
             throw assertionError.get('invalid_type', errorName, 'array');
         }
         return value;
@@ -793,13 +902,32 @@ class KuzzleRequest {
      * @param name parameter name
      * @param errorName name to use in error messages
      * @param def default value
+     * @param querystring if true, the object is expected to be found in a querystring
      */
-    _getObject(obj, name, errorName, def = undefined) {
+    _getObject(obj, name, errorName, def = undefined, querystring = false) {
         const value = (0, lodash_1.get)(obj, name, def);
         if (value === undefined) {
             throw assertionError.get('missing_argument', errorName);
         }
         if (!(0, safeObject_1.isPlainObject)(value)) {
+            // If we are using the HTTP protocol and we have a string instead of an Array
+            // we try to parse it as JSON
+            if (this.context.connection.protocol === 'http'
+                && querystring
+                && typeof value === 'string') {
+                try {
+                    const parsedValue = JSON.parse(value);
+                    if ((0, safeObject_1.isPlainObject)(parsedValue)) {
+                        // Replace the value with the parsed value
+                        // This way subsequent calls to this function will return the parsed value directly
+                        (0, lodash_1.set)(obj, name, parsedValue);
+                        return parsedValue;
+                    }
+                }
+                catch (e) {
+                    // Do nothing, let the error be thrown below
+                }
+            }
             throw assertionError.get('invalid_type', errorName, 'object');
         }
         return value;

package/lib/api/request/requestContext.js

@@ -3,7 +3,7 @@
  * Kuzzle, a backend software, self-hostable and ready to use
  * to power modern apps
  *
- * Copyright 2015-2020 Kuzzle
+ * Copyright 2015-2022 Kuzzle
  * mailto: support AT kuzzle.io
  * website: http://kuzzle.io
  *

package/lib/api/request/requestInput.js

@@ -3,7 +3,7 @@
  * Kuzzle, a backend software, self-hostable and ready to use
  * to power modern apps
  *
- * Copyright 2015-2020 Kuzzle
+ * Copyright 2015-2022 Kuzzle
  * mailto: support AT kuzzle.io
  * website: http://kuzzle.io
  *

package/lib/api/request/requestResponse.js

@@ -3,7 +3,7 @@
  * Kuzzle, a backend software, self-hostable and ready to use
  * to power modern apps
  *
- * Copyright 2015-2020 Kuzzle
+ * Copyright 2015-2022 Kuzzle
  * mailto: support AT kuzzle.io
  * website: http://kuzzle.io
  *
@@ -49,6 +49,11 @@ const assert = __importStar(require("../../util/assertType"));
 // \u200b is a zero width space, used to masquerade console.log output
 const _request = 'request\u200b';
 const _headers = 'headers\u200b';
+const _userHeaders = 'userHeaders\u200b'; // List of headers to be sent in the response
+// List of headers that should not be present in the body of the response
+const restrictedHeaders = [
+    'set-cookie',
+];
 class Headers {
     constructor() {
         this.namesMap = new Map();
@@ -150,6 +155,7 @@ class RequestResponse {
         this.raw = false;
         this[_request] = request;
         this[_headers] = new Headers();
+        this[_userHeaders] = new Set();
         Object.seal(this);
     }
     /**
@@ -254,6 +260,9 @@ class RequestResponse {
     configure(options = {}) {
         if (options.headers) {
             this.setHeaders(options.headers);
+            for (const key of Object.keys(options.headers)) {
+                this[_userHeaders].add(key.toLowerCase());
+            }
         }
         if (options.status) {
             this.status = options.status;
@@ -316,6 +325,21 @@ class RequestResponse {
                 status: this.status,
             };
         }
+        const filteredHeaders = {};
+        for (const name of this[_userHeaders]) {
+            filteredHeaders[name] = this.getHeader(name);
+        }
+        /**
+         * Remove headers that are not allowed to be sent to the client in the response's body
+         * For example "set-cookie" headers should only be visible by the browser,
+         * otherwise they may leak information about the server's cookies, since the browser will
+         * not be able to restrict them to the domain of the request.
+        */
+        for (const header of restrictedHeaders) {
+            if (filteredHeaders[header] !== undefined) {
+                filteredHeaders[header] = undefined;
+            }
+        }
         return {
             content: {
                 action: this.action,
@@ -323,6 +347,7 @@ class RequestResponse {
                 controller: this.controller,
                 deprecations: this.deprecations,
                 error: this.error,
+                headers: filteredHeaders,
                 index: this.index,
                 node: this.node,
                 requestId: this.requestId,