Merge branch 'update-next' into next

fastify · Jul 3, 2024 · a801c44 · a801c44
2 parents 495625d + dadb7d7
commit a801c44
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 15 deletions.
diff --git a/.gitignore b/.gitignore
@@ -151,6 +151,9 @@ yarn.lock
 .vscode
 .idea
 
+#tap files
+.tap/
+
 # 0x
 .__browserify_string_empty.js
 profile-*
diff --git a/README.md b/README.md
@@ -96,8 +96,16 @@ fastify.get('/', (req, reply) => {
   - An `Array` can be passed if key rotation is desired. Read more about it in [Rotating signing secret](#rotating-secret).
   - More sophisticated cookie signing mechanisms can be implemented by supplying an `Object`. Read more about it in [Custom cookie signer](#custom-cookie-signer).
 
+- `hook`: the [Fastify Hook](https://fastify.dev/docs/latest/Reference/Lifecycle/#lifecycle) to register the parsing of cookie into. Default: `onRequest`.
+
+- `algorithm`: the [algorithm](https://nodejs.org/api/crypto.html#cryptogethashes) to use to sign the cookies. Default: `sha256`.
+
 - `parseOptions`: An `Object` to modify the serialization of set cookies.
 
+### :warning: Security Considerations :warning:
+
+It is recommended to use `sha256` or stronger hashing algorithm as well as a `secret` that is at least 20 bytes long.
+
 #### parseOptions
 
 ##### domain

diff --git a/package.json b/package.json
@@ -44,7 +44,7 @@
     "@types/node": "^20.11.6",
     "benchmark": "^2.1.4",
     "fastify": "^4.25.2",
-    "sinon": "^17.0.1",
+    "sinon": "^18.0.0",
     "snazzy": "^9.0.0",
     "standard": "^17.1.0",
     "tap": "^18.6.1",

diff --git a/plugin.js b/plugin.js
@@ -22,7 +22,7 @@ function fastifyCookieSetCookie (reply, name, value, options) {
   }
 
   if (opts.secure === 'auto') {
-    if (isConnectionSecure(reply.request)) {
+    if (reply.request.protocol === 'https') {
       opts.secure = true
     } else {
       opts.secure = false
@@ -187,13 +187,6 @@ function getHook (hook = 'onRequest') {
   return hooks[hook]
 }
 
-function isConnectionSecure (request) {
-  return (
-    request.raw.socket?.encrypted === true ||
-    request.headers['x-forwarded-proto'] === 'https'
-  )
-}
-
 const fastifyCookie = fp(plugin, {
   fastify: '4.x',
   name: '@fastify/cookie'

diff --git a/test/cookie.test.js b/test/cookie.test.js
@@ -854,7 +854,7 @@ test('create signed cookie manually using signCookie decorator', async (t) => {
 })
 
 test('handle secure:auto of cookieOptions', async (t) => {
-  const fastify = Fastify()
+  const fastify = Fastify({ trustProxy: true })
 
   await fastify.register(plugin)
 

diff --git a/types/plugin.d.ts b/types/plugin.d.ts
@@ -115,25 +115,26 @@ declare namespace fastifyCookie {
     domain?: string;
     /** Specifies a function that will be used to encode a cookie's value. Since value of a cookie has a limited character set (and must be a simple string), this function can be used to encode a value into a string suited for a cookie's value. */
     encode?(val: string): string;
-    /** The expiration `date` used for the `Expires` attribute. If both `expires` and `maxAge` are set, then `expires` is used. */
+    /** The expiration `date` used for the `Expires` attribute. */
     expires?: Date;
-    /** The `boolean` value of the `HttpOnly` attribute. Defaults to true. */
+    /** Add the `HttpOnly` attribute. Defaults to `false`. */
     httpOnly?: boolean;
-    /** A `number` in seconds that specifies the `Expires` attribute by adding the specified seconds to the current date. If both `expires` and `maxAge` are set, then `expires` is used. */
+    /** A `number` in seconds that specifies the `Max-Age` attribute. */
     maxAge?: number;
     /** A `boolean` indicating whether the cookie is tied to the top-level site where it's initially set and cannot be accessed from elsewhere. */
     partitioned?: boolean;
-    /** The `Path` attribute. Defaults to `/` (the root path).  */
+    /** The `Path` attribute. */
     path?: string;
     /** A `boolean` or one of the `SameSite` string attributes. E.g.: `lax`, `none` or `strict`.  */
     sameSite?: 'lax' | 'none' | 'strict' | boolean;
     /** One of the `Priority` string attributes (`low`, `medium` or `high`) specifying a retention priority for HTTP cookies that will be respected by user agents during cookie eviction. */
     priority?: 'low' | 'medium' | 'high';
-    /** The `boolean` value of the `Secure` attribute. Set this option to false when communicating over an unencrypted (HTTP) connection. Value can be set to `auto`; in this case the `Secure` attribute will be set to false for HTTP request, in case of HTTPS it will be set to true.  Defaults to true. */
+    /** Add the `Secure` attribute. Defaults to `false`. */
     secure?: boolean;
   }
 
   export interface CookieSerializeOptions extends Omit<SerializeOptions, 'secure'> {
+    /** Add the `Secure` attribute. Value can be set to `"auto"`; in this case the `Secure` attribute will only be added for HTTPS requests. Defaults to `false`. */
     secure?: boolean | 'auto';
     signed?: boolean;
   }