@fastify/cookie - npm Package Compare versions

Comparing version 8.2.0 to 8.3.0

package.json

 {
   "name": "@fastify/cookie",
-  "version": "8.2.0",
+  "version": "8.3.0",
   "description": "Plugin for fastify to add support for cookies",
@@ -5,0 +5,0 @@ "main": "plugin.js",

plugin.js

@@ -91,5 +91,5 @@ 'use strict'
   }
-  const enableRotation = Array.isArray(secret)
+  const isSigner = !secret || (typeof secret.sign === 'function' && typeof secret.unsign === 'function')
   const algorithm = options.algorithm || 'sha256'
-  const signer = typeof secret === 'string' || enableRotation ? new Signer(secret, algorithm) : secret
+  const signer = isSigner ? secret : new Signer(secret, algorithm)
 
@@ -96,0 +96,0 @@ fastify.decorate('parseCookie', parseCookie)

README.md

@@ -75,4 +75,4 @@ # @fastify/cookie
 
-- `secret` (`String` | `Array` | `Object`):
-  - A `String` can be passed to use as secret to sign the cookie using [`cookie-signature`](http://npm.im/cookie-signature).
+- `secret` (`String` | `Array` | `Buffer` | `Object`):
+  - A `String` or `Buffer` can be passed to use as secret to sign the cookie using [`cookie-signature`](http://npm.im/cookie-signature).
   - An `Array` can be passed if key rotation is desired. Read more about it in [Rotating signing secret](#rotating-secret).
@@ -79,0 +79,0 @@ - More sophisticated cookie signing mechanisms can be implemented by supplying an `Object`. Read more about it in [Custom cookie signer](#custom-cookie-signer).

signer.js

@@ -28,4 +28,4 @@ 'use strict'
   for (const secret of secrets) {
-    if (typeof secret !== 'string') {
-      throw new TypeError('Secret key must be a string.')
+    if (typeof secret !== 'string' && Buffer.isBuffer(secret) === false) {
+      throw new TypeError('Secret key must be a string or Buffer.')
     }
@@ -32,0 +32,0 @@ }

test/signer.test.js

@@ -31,3 +31,3 @@ 'use strict'
   t.test('sign', (t) => {
-    t.plan(3)
+    t.plan(5)
 
@@ -39,2 +39,4 @@ const input = 'some-value'
     t.equal(result, sign(input, [secret]))
+    t.equal(result, sign(input, Buffer.from(secret)))
+    t.equal(result, sign(input, [Buffer.from(secret)]))
 
@@ -66,3 +68,3 @@ t.throws(() => sign(undefined), 'Cookie value must be provided as a string.')
     t.same(result, unsign(input, [secret]))
-    t.throws(() => unsign(undefined), 'Secret key must be a string.')
+    t.throws(() => unsign(undefined), 'Secret key must be a string or Buffer.')
     t.throws(() => unsign(undefined, secret), 'Signed cookie string must be provided.')
@@ -123,8 +125,10 @@ })
 
-  t.test('Signer needs a string as secret', (t) => {
-    t.plan(4)
-    t.throws(() => Signer(1), 'Secret key must be a string.')
-    t.throws(() => Signer(undefined), 'Secret key must be a string.')
+  t.test('Signer needs a string or Buffer as secret', (t) => {
+    t.plan(6)
+    t.throws(() => Signer(1), 'Secret key must be a string or Buffer.')
+    t.throws(() => Signer(undefined), 'Secret key must be a string or Buffer.')
     t.doesNotThrow(() => Signer('secret'))
     t.doesNotThrow(() => Signer(['secret']))
+    t.doesNotThrow(() => Signer(Buffer.from('deadbeef76543210', 'hex')))
+    t.doesNotThrow(() => Signer([Buffer.from('deadbeef76543210', 'hex')]))
   })
@@ -131,0 +135,0 @@

types/plugin.d.ts

@@ -103,3 +103,3 @@ /// <reference types='node' />
   export class Signer implements SignerBase {
-    constructor (secrets: string | Array<string>, algorithm?: string)
+    constructor (secrets: string | Array<string> | Buffer | Array<Buffer>, algorithm?: string)
     sign: (value: string) => string;
@@ -132,3 +132,3 @@ unsign: (input: string) => UnsignResult;
   export interface FastifyCookieOptions {
-    secret?: string | string[] | Signer;
+    secret?: string | string[] | Buffer | Buffer[] | Signer;
     hook?: HookType | false;
@@ -138,5 +138,5 @@ parseOptions?: fastifyCookie.CookieSerializeOptions;
 
-  export type Sign = (value: string, secret: string, algorithm?: string) => string;
-  export type Unsign = (input: string, secret: string, algorithm?: string) => UnsignResult;
-  export type SignerFactory = (secrets: string | Array<string>, algorithm?: string) => SignerBase;
+  export type Sign = (value: string, secret: string | Buffer, algorithm?: string) => string;
+  export type Unsign = (input: string, secret: string | Buffer, algorithm?: string) => UnsignResult;
+  export type SignerFactory = (secrets: string | string[] | Buffer | Buffer[], algorithm?: string) => SignerBase;
 
@@ -163,3 +163,3 @@ export interface UnsignResult {
   export interface FastifyCookieOptions {
-    secret?: string | string[] | SignerBase;
+    secret?: string | string[] | Buffer | Buffer[] | SignerBase;
     algorithm?: string;
@@ -166,0 +166,0 @@ parseOptions?: CookieSerializeOptions;

types/plugin.test-d.ts

@@ -214,2 +214,4 @@ import cookie from '..';
 new fastifyCookieStar.Signer(['secretStringInArray'])
+new fastifyCookieStar.Signer(Buffer.from('secretString'))
+new fastifyCookieStar.Signer([Buffer.from('secretStringInArray')])
 const signer = new fastifyCookieStar.Signer(['secretStringInArray'], 'sha256')
@@ -216,0 +218,0 @@ signer.sign('Lorem Ipsum')

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

62668

increased by0.99%

Lines of code

1561

increased by0.39%

Worsened metrics

Number of medium supply chain risk alerts

1

increased byInfinity%

No dependency changes