fix(createBrowserLikeFetch): configure tough-cookie for localhost (#57)

americanexpress · Jan 16, 2024 · 2b484e5 · 2b484e5
1 parent 30e5b74
commit 2b484e5
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 4 deletions.
diff --git a/__tests__/createBrowserLikeFetch.spec.js b/__tests__/createBrowserLikeFetch.spec.js
@@ -601,6 +601,30 @@ describe('createCookiePassingFetch', () => {
     });
   });
 
+  it('correctly calls setCookie when hostname is localhost', async () => {
+    const mockFetch = jest.fn(() => Promise.resolve({
+      headers: new Headers({
+        'set-cookie': [
+          'sessionid=123456; Secure; HttpOnly; domain=localhost; Max-Age=3600',
+        ],
+      }),
+    }));
+    const hostname = 'localhost';
+    const setCookie = jest.fn();
+    const fetchWithRequestHeaders = createBrowserLikeFetch({
+      hostname,
+      setCookie,
+    })(mockFetch);
+
+    await fetchWithRequestHeaders('https://localhost', {
+      credentials: 'include',
+    });
+
+    expect(setCookie.mock.calls[0][0]).toEqual('sessionid');
+    expect(setCookie.mock.calls[0][1]).toEqual('123456');
+    expect(setCookie.mock.calls[0][2].domain).toEqual('localhost');
+  });
+
   it('uses res.cookie to set cookie', async () => {
     const mockFetch = jest.fn(() => Promise.resolve({
       headers: new Headers({

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -83,7 +83,7 @@
   },
   "dependencies": {
     "abort-controller": "^3.0.0",
-    "tough-cookie": "4.1.3"
+    "tough-cookie": "^4.1.3"
   },
   "release": {
     "branches": [

diff --git a/src/createBrowserLikeFetch.js b/src/createBrowserLikeFetch.js
@@ -63,7 +63,7 @@ function createBrowserLikeFetch({
   // jar acts as browser's cookie jar for the life of the SSR
   const jar = new CookieJar();
 
-  const dottedHostnamePublicSuffix = hostname && `.${getPublicSuffix(hostname)}`;
+  const dottedHostnamePublicSuffix = hostname && `.${getPublicSuffix(hostname, { allowSpecialUseDomain: true })}`;
   // build a list of cookies on creation to ease deduplication on each request
   const headerCookies = parseCookieHeader(headers.cookie);
 
@@ -119,7 +119,9 @@ function createBrowserLikeFetch({
             // subdomains."
             // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes
             // host includes the hostname and port but getPublicSuffix expects only the hostname
-            cookieOptions.domain = getPublicSuffix(new URL(url).hostname);
+            cookieOptions.domain = getPublicSuffix(new URL(url).hostname, {
+              allowSpecialUseDomain: true,
+            });
           }
 
           // then check if this cookie relates to this hostname