Add "secure" constructor option for secure connection checking
dougwilson committed Feb 29, 2016
1 parent d0d6aba commit a54c72b
Showing 4 changed files with 48 additions and 1 deletion.
1 change: 1 addition & 0 deletions History.md
@@ -1,6 +1,7 @@
0.6.x
=====

* Add `secure` constructor option for secure connection checking
* Change constructor to signature `new Cookies(req, res, [options])`
- Replace `new Cookies(req, res, key)` with `new Cookies(req, res, {'keys': keys})`
* Change prototype construction for proper "constructor" property
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -32,6 +32,8 @@ This creates a cookie jar corresponding to the current _request_ and _response_,

A [Keygrip](https://www.npmjs.com/package/keygrip) object or an array of keys can optionally be passed as _options.keys_ to enable cryptographic signing based on SHA1 HMAC, using rotated credentials.

A Boolean can optionally be passed as _options.secure_ to explicitally specify if the connection is secure, rather than this module exaiming _request_.

Note that since this only saves parameters without any other processing, it is very lightweight. Cookies are only parsed on demand when they are accessed.

### express.createServer( Cookies.express( keys ) )
4 changes: 3 additions & 1 deletion lib/cookies.js
Expand Up @@ -16,6 +16,7 @@ var fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/;
function Cookies(request, response, options) {
if (!(this instanceof Cookies)) return new Cookies(request, response, options)

this.secure = undefined
this.request = request
this.response = response

Expand All @@ -30,6 +31,7 @@ function Cookies(request, response, options) {
this.keys = options
} else {
this.keys = options.keys
this.secure = options.secure
}
}
}
Expand Down Expand Up @@ -67,7 +69,7 @@ Cookies.prototype.set = function(name, value, opts) {
var res = this.response
, req = this.request
, headers = res.getHeader("Set-Cookie") || []
, secure = req.protocol === 'https' || req.connection.encrypted
, secure = this.secure !== undefined ? !!this.secure : req.protocol === 'https' || req.connection.encrypted
, cookie = new Cookie(name, value, opts)
, signed = opts && opts.signed !== undefined ? opts.signed : !!this.keys

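Review bot: The new `secure` expression in `Cookies.prototype.set` coerces the option with `!!this.secure`, so any defined non-boolean value decides the outcome: a string such as `"false"` coming from configuration is truthy and marks every connection as secure, while `null` is treated as an explicit `false`. Because a truthy value skips the request check that otherwise rejects a secure cookie on an unencrypted connection (the behaviour the cases in test/http.js pin), the constructor should accept only real booleans, for example `if (options.secure !== undefined && typeof options.secure !== 'boolean') throw new TypeError('option secure must be a boolean')` next to `this.secure = options.secure`. A one-line comment on that assignment, such as `// true skips transport detection; intended for servers behind a TLS-terminating proxy`, would make the trust assumption visible to maintainers. Both the constructor and `set` continue outside the hunks shown, so any validation that already exists there is not visible from here.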
42 changes: 42 additions & 0 deletions test/http.js
Expand Up @@ -82,4 +82,46 @@ describe('HTTP', function () {
.set('Cookie', header.join(';'))
.expect(200, done)
})

describe('with "secure" option', function () {
it('should check connection when undefined; unencrypted', function (done) {
request(createServer( "http", { "keys": keys } ))
.get('/')
.expect(500, 'Cannot send secure cookie over unencrypted connection', done)
})

it('should check connection when undefined; encrypted', function (done) {
request(createServer( "https", { "keys": keys } ))
.get('/')
.expect(200, done)
})

it('should not check connection when defined; true', function (done) {
request(createServer( "http", { "keys": keys, "secure": true } ))
.get('/')
.expect(200, done)
})

it('should not check connection when defined; false', function (done) {
request(createServer( "https", { "keys": keys, "secure": false } ))
.get('/')
.expect(500, 'Cannot send secure cookie over unencrypted connection', done)
})
})
})

function createServer(proto, opts) {
return http.createServer(function (req, res) {
var cookies = new Cookies( req, res, opts )
req.protocol = proto

try {
cookies.set( "foo", "bar", { "secure": true } )
} catch (e) {
res.statusCode = 500
res.write(e.message)
}

res.end()
})
}
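Review bot: The "encrypted" cases only simulate TLS by assigning `req.protocol = proto` on a plain `http.createServer`, so the `req.connection.encrypted` half of the fallback in `set` is never exercised by this suite. The suite also pins `secure` only for `true` and `false`; a case such as `request(createServer( "http", { "keys": keys, "secure": "false" } ))` with its expected status would document how non-boolean values are handled and catch a later change to the coercion. In `createServer`, a comment noting that `req.protocol` is set after `new Cookies(...)` on purpose, presumably because the request is only read when `set` is called, would help the next reader.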
