cookie-parser - npm Package Compare versions

Comparing version 1.3.5 to 1.4.0

HISTORY.md

@@ -0,1 +1,9 @@
+1.4.0 / 2015-09-18
+==================
+
+  * Accept array of secrets in addition to a single secret
+  * Fix `JSONCookie` to return `undefined` for non-string arguments
+  * Fix `signedCookie` to return `undefined` for non-string arguments
+  * deps: cookie@0.2.2
+
 1.3.5 / 2015-05-19
@@ -2,0 +10,0 @@ ==================

index.js

 /*!
  * cookie-parser
+ * Copyright(c) 2014 TJ Holowaychuk
+ * Copyright(c) 2015 Douglas Christopher Wilson
  * MIT Licensed
@@ -8,23 +10,41 @@ */
  * Module dependencies.
+ * @private
  */
 
 var cookie = require('cookie');
-var parse = require('./lib/parse');
+var signature = require('cookie-signature');
 
 /**
+ * Module exports.
+ * @public
+ */
+
+module.exports = cookieParser;
+module.exports.JSONCookie = JSONCookie;
+module.exports.JSONCookies = JSONCookies;
+module.exports.signedCookie = signedCookie;
+module.exports.signedCookies = signedCookies;
+
+/**
  * Parse Cookie header and populate `req.cookies`
  * with an object keyed by the cookie names.
  *
- * @param {String} [secret]
+ * @param {string|array} [secret] A string (or array of strings) representing cookie signing secret(s).
  * @param {Object} [options]
  * @return {Function}
- * @api public
+ * @public
  */
 
-exports = module.exports = function cookieParser(secret, options){
+function cookieParser(secret, options) {
   return function cookieParser(req, res, next) {
-    if (req.cookies) return next();
+    if (req.cookies) {
+      return next();
+    }
+
     var cookies = req.headers.cookie;
+    var secrets = !secret || Array.isArray(secret)
+      ? (secret || [])
+      : [secret];
 
-    req.secret = secret;
+    req.secret = secrets[0];
     req.cookies = Object.create(null);
@@ -41,21 +61,121 @@ req.signedCookies = Object.create(null);
     // parse signed cookies
-    if (secret) {
-      req.signedCookies = parse.signedCookies(req.cookies, secret);
-      req.signedCookies = parse.JSONCookies(req.signedCookies);
+    if (secrets.length !== 0) {
+      req.signedCookies = signedCookies(req.cookies, secrets);
+      req.signedCookies = JSONCookies(req.signedCookies);
     }
 
     // parse JSON cookies
-    req.cookies = parse.JSONCookies(req.cookies);
+    req.cookies = JSONCookies(req.cookies);
 
     next();
   };
-};
+}
 
 /**
- * Export parsing functions.
+ * Parse JSON cookie string.
+ *
+ * @param {String} str
+ * @return {Object} Parsed object or undefined if not json cookie
+ * @public
  */
 
-exports.JSONCookie = parse.JSONCookie;
-exports.JSONCookies = parse.JSONCookies;
-exports.signedCookie = parse.signedCookie;
-exports.signedCookies = parse.signedCookies;
+function JSONCookie(str) {
+  if (typeof str !== 'string' || str.substr(0, 2) !== 'j:') {
+    return undefined;
+  }
+
+  try {
+    return JSON.parse(str.slice(2));
+  } catch (err) {
+    return undefined;
+  }
+}
+
+/**
+ * Parse JSON cookies.
+ *
+ * @param {Object} obj
+ * @return {Object}
+ * @public
+ */
+
+function JSONCookies(obj) {
+  var cookies = Object.keys(obj);
+  var key;
+  var val;
+
+  for (var i = 0; i < cookies.length; i++) {
+    key = cookies[i];
+    val = JSONCookie(obj[key]);
+
+    if (val) {
+      obj[key] = val;
+    }
+  }
+
+  return obj;
+}
+
+/**
+ * Parse a signed cookie string, return the decoded value.
+ *
+ * @param {String} str signed cookie string
+ * @param {string|array} secret
+ * @return {String} decoded value
+ * @public
+ */
+
+function signedCookie(str, secret) {
+  if (typeof str !== 'string') {
+    return undefined;
+  }
+
+  if (str.substr(0, 2) !== 's:') {
+    return str;
+  }
+
+  var secrets = !secret || Array.isArray(secret)
+    ? (secret || [])
+    : [secret];
+
+  for (var i = 0; i < secrets.length; i++) {
+    var val = signature.unsign(str.slice(2), secrets[i]);
+
+    if (val !== false) {
+      return val;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Parse signed cookies, returning an object containing the decoded key/value
+ * pairs, while removing the signed key from obj.
+ *
+ * @param {Object} obj
+ * @param {string|array} secret
+ * @return {Object}
+ * @public
+ */
+
+function signedCookies(obj, secret) {
+  var cookies = Object.keys(obj);
+  var dec;
+  var key;
+  var ret = Object.create(null);
+  var val;
+
+  for (var i = 0; i < cookies.length; i++) {
+    key = cookies[i];
+    val = obj[key];
+    dec = signedCookie(val, secret);
+
+    if (val !== dec) {
+      ret[key] = dec;
+      delete obj[key];
+    }
+  }
+
+  return ret;
+}

package.json

 {
   "name": "cookie-parser",
   "description": "cookie parsing with signatures",
-  "version": "1.3.5",
+  "version": "1.4.0",
   "author": "TJ Holowaychuk <tj@vision-media.ca> (http://tjholowaychuk.com)",
+  "contributors": [
+    "Douglas Christopher Wilson <doug@somethingdoug.com>"
+  ],
   "license": "MIT",
@@ -13,12 +16,11 @@ "repository": "expressjs/cookie-parser",
   "dependencies": {
-    "cookie": "0.1.3",
+    "cookie": "0.2.2",
     "cookie-signature": "1.0.6"
   },
   "devDependencies": {
-    "istanbul": "0.3.9",
+    "istanbul": "0.3.20",
     "mocha": "2.2.5",
-    "supertest": "1.0.1"
+    "supertest": "1.1.0"
   },
   "files": [
-    "lib/",
     "LICENSE",
@@ -25,0 +27,0 @@ "HISTORY.md",

README.md

@@ -5,2 +5,3 @@ # cookie-parser
 [![NPM Downloads][downloads-image]][downloads-url]
+[![Node.js Version][node-version-image]][node-version-url]
 [![Build Status][travis-image]][travis-url]
@@ -31,3 +32,3 @@ [![Test Coverage][coveralls-image]][coveralls-url]
 
-- `secret` a string used for signing cookies. This is optional and if not specified, will not parse signed cookies.
+- `secret` a string or array used for signing cookies. This is optional and if not specified, will not parse signed cookies. If a string is provided, this is used as the secret. If an array is provided, an attempt will be made to unsign the cookie with each secret in order.
 - `options` an object that is passed to `cookie.parse` as the second option. See [cookie](https://www.npmjs.org/package/cookie) for more information.
@@ -48,2 +49,4 @@ - `decode` a function to decode the value of the cookie
 
+The `secret` argument can be an array or string. If a string is provided, this is used as the secret. If an array is provided, an attempt will be made to unsign the cookie with each secret in order.
+
 ### cookieParser.signedCookies(cookies, secret)
@@ -53,2 +56,4 @@
 
+The `secret` argument can be an array or string. If a string is provided, this is used as the secret. If an array is provided, an attempt will be made to unsign the cookie with each secret in order.
+
 ## Example
@@ -77,2 +82,4 @@
 [npm-url]: https://npmjs.org/package/cookie-parser
+[node-version-image]: https://img.shields.io/node/v/cookie-parser.svg
+[node-version-url]: http://nodejs.org/download/
 [travis-image]: https://img.shields.io/travis/expressjs/cookie-parser/master.svg
@@ -79,0 +86,0 @@ [travis-url]: https://travis-ci.org/expressjs/cookie-parser

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

10389

increased by19.36%

Lines of code

146

increased by19.67%

Number of lines in readme file

86

increased by8.86%

Worsened metrics

Number of package files

5

decreased by-16.67%

Number of medium supply chain risk alerts

1

increased byInfinity%

Dependency changes

• + Addedcookie@0.2.2(transitive)

• - Removedcookie@0.1.3(transitive)

• Updatedcookie@0.2.2