Do not use outdated request package in tests.

package.json

@@ -636,6 +636,7 @@
     "@types/testing-library__jest-dom": "^5.9.5",
     "@types/testing-library__react-hooks": "^4.0.0",
     "@types/tinycolor2": "^1.4.1",
+    "@types/tough-cookie": "^4.0.1",
     "@types/type-detect": "^4.0.1",
     "@types/use-resize-observer": "^6.0.0",
     "@types/uuid": "^3.4.4",
@@ -827,6 +828,7 @@
     "terminal-link": "^2.1.1",
     "terser": "^5.7.1",
     "terser-webpack-plugin": "^2.1.2",
+    "tough-cookie": "^4.0.0",
     "ts-loader": "^7.0.5",
     "ts-morph": "^9.1.0",
     "tsd": "^0.13.1",

src/core/server/http/cookie_session_storage.test.ts

@@ -6,7 +6,7 @@
  * Side Public License, v 1.
  */
 
-import request from 'request';
+import { parse as parseCookie } from 'tough-cookie';
 import supertest from 'supertest';
 import { REPO_ROOT } from '@kbn/dev-utils';
 import { ByteSizeValue } from '@kbn/config-schema';
@@ -103,7 +103,7 @@ interface Storage {
 }
 
 function retrieveSessionCookie(cookies: string) {
-  const sessionCookie = request.cookie(cookies);
+  const sessionCookie = parseCookie(cookies);
   if (!sessionCookie) {
     throw new Error('session cookie expected to be defined');
   }

src/core/server/http/integration_tests/lifecycle.test.ts

@@ -7,7 +7,7 @@
  */
 
 import supertest from 'supertest';
-import request from 'request';
+import { parse as parseCookie } from 'tough-cookie';
 import { schema } from '@kbn/config-schema';
 
 import { ensureRawRequest } from '../router';
@@ -827,7 +827,7 @@ describe('Auth', () => {
     const cookies = response.header['set-cookie'];
     expect(cookies).toHaveLength(1);
 
-    const sessionCookie = request.cookie(cookies[0]);
+    const sessionCookie = parseCookie(cookies[0]);
     if (!sessionCookie) {
       throw new Error('session cookie expected to be defined');
     }

x-pack/test/api_integration/apis/security/basic_login.js

@@ -6,7 +6,7 @@
  */
 
 import expect from '@kbn/expect';
-import request from 'request';
+import { parse as parseCookie } from 'tough-cookie';
 
 export default function ({ getService }) {
   const supertest = getService('supertestWithoutAuth');
@@ -86,7 +86,7 @@ export default function ({ getService }) {
       const cookies = loginResponse.headers['set-cookie'];
       expect(cookies).to.have.length(1);
 
-      const sessionCookie = request.cookie(cookies[0]);
+      const sessionCookie = parseCookie(cookies[0]);
       expect(sessionCookie.key).to.be('sid');
       expect(sessionCookie.value).to.not.be.empty();
       expect(sessionCookie.path).to.be('/');
@@ -167,7 +167,7 @@ export default function ({ getService }) {
           })
           .expect(200);
 
-        sessionCookie = request.cookie(loginResponse.headers['set-cookie'][0]);
+        sessionCookie = parseCookie(loginResponse.headers['set-cookie'][0]);
       });
 
       it('should allow access to the API', async () => {
@@ -207,7 +207,7 @@ export default function ({ getService }) {
           .expect(200);
 
         expect(apiResponseOne.headers['set-cookie']).to.not.be(undefined);
-        const sessionCookieOne = request.cookie(apiResponseOne.headers['set-cookie'][0]);
+        const sessionCookieOne = parseCookie(apiResponseOne.headers['set-cookie'][0]);
 
         expect(sessionCookieOne.value).to.not.be.empty();
         expect(sessionCookieOne.value).to.not.equal(sessionCookie.value);
@@ -219,7 +219,7 @@ export default function ({ getService }) {
           .expect(200);
 
         expect(apiResponseTwo.headers['set-cookie']).to.not.be(undefined);
-        const sessionCookieTwo = request.cookie(apiResponseTwo.headers['set-cookie'][0]);
+        const sessionCookieTwo = parseCookie(apiResponseTwo.headers['set-cookie'][0]);
 
         expect(sessionCookieTwo.value).to.not.be.empty();
         expect(sessionCookieTwo.value).to.not.equal(sessionCookieOne.value);
@@ -256,7 +256,7 @@ export default function ({ getService }) {
         const cookies = logoutResponse.headers['set-cookie'];
         expect(cookies).to.have.length(1);
 
-        const logoutCookie = request.cookie(cookies[0]);
+        const logoutCookie = parseCookie(cookies[0]);
         expect(logoutCookie.key).to.be('sid');
         expect(logoutCookie.value).to.be.empty();
         expect(logoutCookie.path).to.be('/');

x-pack/test/api_integration/apis/security/change_password.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { Cookie, cookie } from 'request';
+import { parse as parseCookie, Cookie } from 'tough-cookie';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
 export default function ({ getService }: FtrProviderContext) {
@@ -30,7 +30,7 @@ export default function ({ getService }: FtrProviderContext) {
           params: { username: mockUserName, password: mockUserPassword },
         })
         .expect(200);
-      sessionCookie = cookie(loginResponse.headers['set-cookie'][0])!;
+      sessionCookie = parseCookie(loginResponse.headers['set-cookie'][0])!;
     });
 
     afterEach(async () => await security.user.delete(mockUserName));
@@ -93,7 +93,7 @@ export default function ({ getService }: FtrProviderContext) {
         .send({ password: mockUserPassword, newPassword })
         .expect(204);
 
-      const newSessionCookie = cookie(passwordChangeResponse.headers['set-cookie'][0])!;
+      const newSessionCookie = parseCookie(passwordChangeResponse.headers['set-cookie'][0])!;
 
       // Old cookie is still valid (since it's still the same user and cookie doesn't store password).
       await supertest

x-pack/test/security_api_integration/tests/anonymous/login.ts

@@ -6,7 +6,7 @@
  */
 
 import expect from '@kbn/expect';
-import request, { Cookie } from 'request';
+import { parse as parseCookie, Cookie } from 'tough-cookie';
 import { adminTestUser } from '@kbn/test';
 import { FtrProviderContext } from '../../ftr_provider_context';
 
@@ -71,7 +71,7 @@ export default function ({ getService }: FtrProviderContext) {
       const cookies = response.headers['set-cookie'];
       expect(cookies).to.have.length(1);
 
-      const cookie = request.cookie(cookies[0])!;
+      const cookie = parseCookie(cookies[0])!;
       checkCookieIsSet(cookie);
 
       const { body: user } = await supertest
@@ -93,7 +93,7 @@ export default function ({ getService }: FtrProviderContext) {
         const cookies = response.headers['set-cookie'];
         expect(cookies).to.have.length(1);
 
-        const sessionCookie = request.cookie(cookies[0])!;
+        const sessionCookie = parseCookie(cookies[0])!;
         checkCookieIsSet(sessionCookie);
 
         const { body: user } = await supertest
@@ -133,7 +133,7 @@ export default function ({ getService }: FtrProviderContext) {
         const cookies = response.headers['set-cookie'];
         expect(cookies).to.have.length(1);
 
-        sessionCookie = request.cookie(cookies[0])!;
+        sessionCookie = parseCookie(cookies[0])!;
         checkCookieIsSet(sessionCookie);
       });
 
@@ -181,7 +181,7 @@ export default function ({ getService }: FtrProviderContext) {
         let cookies = response.headers['set-cookie'];
         expect(cookies).to.have.length(1);
 
-        const sessionCookie = request.cookie(cookies[0])!;
+        const sessionCookie = parseCookie(cookies[0])!;
         checkCookieIsSet(sessionCookie);
 
         // And then log user out.
@@ -192,7 +192,7 @@ export default function ({ getService }: FtrProviderContext) {
 
         cookies = logoutResponse.headers['set-cookie'];
         expect(cookies).to.have.length(1);
-        checkCookieIsCleared(request.cookie(cookies[0])!);
+        checkCookieIsCleared(parseCookie(cookies[0])!);
 
         expect(logoutResponse.headers.location).to.be('/security/logged_out?msg=LOGGED_OUT');
 
@@ -206,7 +206,7 @@ export default function ({ getService }: FtrProviderContext) {
         // If Kibana detects cookie with invalid token it tries to clear it.
         cookies = apiResponse.headers['set-cookie'];
         expect(cookies).to.have.length(1);
-        checkCookieIsCleared(request.cookie(cookies[0])!);
+        checkCookieIsCleared(parseCookie(cookies[0])!);
       });
 
       it('should redirect to home page if session cookie is not provided', async () => {

x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts

@@ -6,7 +6,7 @@
  */
 
 import expect from '@kbn/expect';
-import request, { Cookie } from 'request';
+import { parse as parseCookie, Cookie } from 'tough-cookie';
 import { delay } from 'bluebird';
 import { adminTestUser } from '@kbn/test';
 import { FtrProviderContext } from '../../ftr_provider_context';
@@ -73,7 +73,7 @@ export default function ({ getService }: FtrProviderContext) {
       const cookies = response.headers['set-cookie'];
       expect(cookies).to.have.length(1);
 
-      const cookie = request.cookie(cookies[0])!;
+      const cookie = parseCookie(cookies[0])!;
       checkCookieIsSet(cookie);
 
       const { body: user } = await supertest
@@ -129,7 +129,7 @@ export default function ({ getService }: FtrProviderContext) {
         const cookies = response.headers['set-cookie'];
         expect(cookies).to.have.length(1);
 
-        const sessionCookie = request.cookie(cookies[0])!;
+        const sessionCookie = parseCookie(cookies[0])!;
         checkCookieIsSet(sessionCookie);
 
         const isAnonymousAccessEnabled = (config.get(
@@ -193,7 +193,7 @@ export default function ({ getService }: FtrProviderContext) {
         const cookies = response.headers['set-cookie'];
         expect(cookies).to.have.length(1);
 
-        sessionCookie = request.cookie(cookies[0])!;
+        sessionCookie = parseCookie(cookies[0])!;
         checkCookieIsSet(sessionCookie);
       });
 
@@ -205,7 +205,7 @@ export default function ({ getService }: FtrProviderContext) {
           .expect(200);
 
         expect(apiResponseOne.headers['set-cookie']).to.not.be(undefined);
-        const sessionCookieOne = request.cookie(apiResponseOne.headers['set-cookie'][0])!;
+        const sessionCookieOne = parseCookie(apiResponseOne.headers['set-cookie'][0])!;
 
         checkCookieIsSet(sessionCookieOne);
         expect(sessionCookieOne.value).to.not.equal(sessionCookie.value);
@@ -217,7 +217,7 @@ export default function ({ getService }: FtrProviderContext) {
           .expect(200);
 
         expect(apiResponseTwo.headers['set-cookie']).to.not.be(undefined);
-        const sessionCookieTwo = request.cookie(apiResponseTwo.headers['set-cookie'][0])!;
+        const sessionCookieTwo = parseCookie(apiResponseTwo.headers['set-cookie'][0])!;
 
         checkCookieIsSet(sessionCookieTwo);
         expect(sessionCookieTwo.value).to.not.equal(sessionCookieOne.value);
@@ -257,7 +257,7 @@ export default function ({ getService }: FtrProviderContext) {
         let cookies = response.headers['set-cookie'];
         expect(cookies).to.have.length(1);
 
-        const sessionCookie = request.cookie(cookies[0])!;
+        const sessionCookie = parseCookie(cookies[0])!;
         checkCookieIsSet(sessionCookie);
 
         // And then log user out.
@@ -268,7 +268,7 @@ export default function ({ getService }: FtrProviderContext) {
 
         cookies = logoutResponse.headers['set-cookie'];
         expect(cookies).to.have.length(1);
-        checkCookieIsCleared(request.cookie(cookies[0])!);
+        checkCookieIsCleared(parseCookie(cookies[0])!);
 
         expect(logoutResponse.headers.location).to.be('/security/logged_out?msg=LOGGED_OUT');
 
@@ -283,7 +283,7 @@ export default function ({ getService }: FtrProviderContext) {
         // If Kibana detects cookie with invalid token it tries to clear it.
         cookies = apiResponse.headers['set-cookie'];
         expect(cookies).to.have.length(1);
-        checkCookieIsCleared(request.cookie(cookies[0])!);
+        checkCookieIsCleared(parseCookie(cookies[0])!);
 
         // Request with a session cookie that is linked to an invalidated/non-existent session is treated the same as
         // request without any session cookie at all.
@@ -310,7 +310,7 @@ export default function ({ getService }: FtrProviderContext) {
         const cookies = response.headers['set-cookie'];
         expect(cookies).to.have.length(1);
 
-        sessionCookie = request.cookie(cookies[0])!;
+        sessionCookie = parseCookie(cookies[0])!;
         checkCookieIsSet(sessionCookie);
       });
 
@@ -332,7 +332,7 @@ export default function ({ getService }: FtrProviderContext) {
         const cookies = apiResponse.headers['set-cookie'];
         expect(cookies).to.have.length(1);
 
-        const refreshedCookie = request.cookie(cookies[0])!;
+        const refreshedCookie = parseCookie(cookies[0])!;
         checkCookieIsSet(refreshedCookie);
 
         // The first new cookie with fresh pair of access and refresh tokens should work.
@@ -362,7 +362,7 @@ export default function ({ getService }: FtrProviderContext) {
         const cookies = nonAjaxResponse.headers['set-cookie'];
         expect(cookies).to.have.length(1);
 
-        const refreshedCookie = request.cookie(cookies[0])!;
+        const refreshedCookie = parseCookie(cookies[0])!;
         checkCookieIsSet(refreshedCookie);
 
         // The first new cookie with fresh pair of access and refresh tokens should work.
@@ -388,7 +388,7 @@ export default function ({ getService }: FtrProviderContext) {
         const cookies = response.headers['set-cookie'];
         expect(cookies).to.have.length(1);
 
-        sessionCookie = request.cookie(cookies[0])!;
+        sessionCookie = parseCookie(cookies[0])!;
         checkCookieIsSet(sessionCookie);
 
         // Let's delete tokens from `.security-tokens` index directly to simulate the case when
@@ -411,7 +411,7 @@ export default function ({ getService }: FtrProviderContext) {
 
         const cookies = apiResponse.headers['set-cookie'];
         expect(cookies).to.have.length(1);
-        checkCookieIsCleared(request.cookie(cookies[0])!);
+        checkCookieIsCleared(parseCookie(cookies[0])!);
 
         expect(apiResponse.headers['www-authenticate']).to.be('Negotiate');
       });
@@ -424,7 +424,7 @@ export default function ({ getService }: FtrProviderContext) {
 
         const cookies = nonAjaxResponse.headers['set-cookie'];
         expect(cookies).to.have.length(1);
-        checkCookieIsCleared(request.cookie(cookies[0])!);
+        checkCookieIsCleared(parseCookie(cookies[0])!);
 
         expect(nonAjaxResponse.headers['www-authenticate']).to.be('Negotiate');
       });