1672 lines
46 KiB
JavaScript
1672 lines
46 KiB
JavaScript
|
/*!
|
||
|
* Copyright (c) 2015, Salesforce.com, Inc.
|
||
|
* All rights reserved.
|
||
|
*
|
||
|
* Redistribution and use in source and binary forms, with or without
|
||
|
* modification, are permitted provided that the following conditions are met:
|
||
|
*
|
||
|
* 1. Redistributions of source code must retain the above copyright notice,
|
||
|
* this list of conditions and the following disclaimer.
|
||
|
*
|
||
|
* 2. Redistributions in binary form must reproduce the above copyright notice,
|
||
|
* this list of conditions and the following disclaimer in the documentation
|
||
|
* and/or other materials provided with the distribution.
|
||
|
*
|
||
|
* 3. Neither the name of Salesforce.com nor the names of its contributors may
|
||
|
* be used to endorse or promote products derived from this software without
|
||
|
* specific prior written permission.
|
||
|
*
|
||
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||
|
* POSSIBILITY OF SUCH DAMAGE.
|
||
|
*/
|
||
|
"use strict";
|
||
|
const punycode = require("punycode");
|
||
|
const urlParse = require("url").parse;
|
||
|
const util = require("util");
|
||
|
const pubsuffix = require("./pubsuffix-psl");
|
||
|
const Store = require("./store").Store;
|
||
|
const MemoryCookieStore = require("./memstore").MemoryCookieStore;
|
||
|
const pathMatch = require("./pathMatch").pathMatch;
|
||
|
const VERSION = require("./version");
|
||
|
const { fromCallback } = require("universalify");
|
||
|
|
||
|
// From RFC6265 S4.1.1
|
||
|
// note that it excludes \x3B ";"
|
||
|
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/;
|
||
|
|
||
|
const CONTROL_CHARS = /[\x00-\x1F]/;
|
||
|
|
||
|
// From Chromium // '\r', '\n' and '\0' should be treated as a terminator in
|
||
|
// the "relaxed" mode, see:
|
||
|
// https://github.com/ChromiumWebApps/chromium/blob/b3d3b4da8bb94c1b2e061600df106d590fda3620/net/cookies/parsed_cookie.cc#L60
|
||
|
const TERMINATORS = ["\n", "\r", "\0"];
|
||
|
|
||
|
// RFC6265 S4.1.1 defines path value as 'any CHAR except CTLs or ";"'
|
||
|
// Note ';' is \x3B
|
||
|
const PATH_VALUE = /[\x20-\x3A\x3C-\x7E]+/;
|
||
|
|
||
|
// date-time parsing constants (RFC6265 S5.1.1)
|
||
|
|
||
|
const DATE_DELIM = /[\x09\x20-\x2F\x3B-\x40\x5B-\x60\x7B-\x7E]/;
|
||
|
|
||
|
const MONTH_TO_NUM = {
|
||
|
jan: 0,
|
||
|
feb: 1,
|
||
|
mar: 2,
|
||
|
apr: 3,
|
||
|
may: 4,
|
||
|
jun: 5,
|
||
|
jul: 6,
|
||
|
aug: 7,
|
||
|
sep: 8,
|
||
|
oct: 9,
|
||
|
nov: 10,
|
||
|
dec: 11
|
||
|
};
|
||
|
|
||
|
const MAX_TIME = 2147483647000; // 31-bit max
|
||
|
const MIN_TIME = 0; // 31-bit min
|
||
|
const SAME_SITE_CONTEXT_VAL_ERR =
|
||
|
'Invalid sameSiteContext option for getCookies(); expected one of "strict", "lax", or "none"';
|
||
|
|
||
|
function checkSameSiteContext(value) {
|
||
|
const context = String(value).toLowerCase();
|
||
|
if (context === "none" || context === "lax" || context === "strict") {
|
||
|
return context;
|
||
|
} else {
|
||
|
return null;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
const PrefixSecurityEnum = Object.freeze({
|
||
|
SILENT: "silent",
|
||
|
STRICT: "strict",
|
||
|
DISABLED: "unsafe-disabled"
|
||
|
});
|
||
|
|
||
|
// Dumped from ip-regex@4.0.0, with the following changes:
|
||
|
// * all capturing groups converted to non-capturing -- "(?:)"
|
||
|
// * support for IPv6 Scoped Literal ("%eth1") removed
|
||
|
// * lowercase hexadecimal only
|
||
|
var IP_REGEX_LOWERCASE =/(?:^(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}$)|(?:^(?:(?:[a-f\d]{1,4}:){7}(?:[a-f\d]{1,4}|:)|(?:[a-f\d]{1,4}:){6}(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|:[a-f\d]{1,4}|:)|(?:[a-f\d]{1,4}:){5}(?::(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|(?::[a-f\d]{1,4}){1,2}|:)|(?:[a-f\d]{1,4}:){4}(?:(?::[a-f\d]{1,4}){0,1}:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|(?::[a-f\d]{1,4}){1,3}|:)|(?:[a-f\d]{1,4}:){3}(?:(?::[a-f\d]{1,4}){0,2}:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|(?::[a-f\d]{1,4}){1,4}|:)|(?:[a-f\d]{1,4}:){2}(?:(?::[a-f\d]{1,4}){0,3}:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|(?::[a-f\d]{1,4}){1,5}|:)|(?:[a-f\d]{1,4}:){1}(?:(?::[a-f\d]{1,4}){0,4}:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|(?::[a-f\d]{1,4}){1,6}|:)|(?::(?:(?::[a-f\d]{1,4}){0,5}:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|(?::[a-f\d]{1,4}){1,7}|:)))$)/;
|
||
|
|
||
|
/*
|
||
|
* Parses a Natural number (i.e., non-negative integer) with either the
|
||
|
* <min>*<max>DIGIT ( non-digit *OCTET )
|
||
|
* or
|
||
|
* <min>*<max>DIGIT
|
||
|
* grammar (RFC6265 S5.1.1).
|
||
|
*
|
||
|
* The "trailingOK" boolean controls if the grammar accepts a
|
||
|
* "( non-digit *OCTET )" trailer.
|
||
|
*/
|
||
|
function parseDigits(token, minDigits, maxDigits, trailingOK) {
|
||
|
let count = 0;
|
||
|
while (count < token.length) {
|
||
|
const c = token.charCodeAt(count);
|
||
|
// "non-digit = %x00-2F / %x3A-FF"
|
||
|
if (c <= 0x2f || c >= 0x3a) {
|
||
|
break;
|
||
|
}
|
||
|
count++;
|
||
|
}
|
||
|
|
||
|
// constrain to a minimum and maximum number of digits.
|
||
|
if (count < minDigits || count > maxDigits) {
|
||
|
return null;
|
||
|
}
|
||
|
|
||
|
if (!trailingOK && count != token.length) {
|
||
|
return null;
|
||
|
}
|
||
|
|
||
|
return parseInt(token.substr(0, count), 10);
|
||
|
}
|
||
|
|
||
|
function parseTime(token) {
|
||
|
const parts = token.split(":");
|
||
|
const result = [0, 0, 0];
|
||
|
|
||
|
/* RF6256 S5.1.1:
|
||
|
* time = hms-time ( non-digit *OCTET )
|
||
|
* hms-time = time-field ":" time-field ":" time-field
|
||
|
* time-field = 1*2DIGIT
|
||
|
*/
|
||
|
|
||
|
if (parts.length !== 3) {
|
||
|
return null;
|
||
|
}
|
||
|
|
||
|
for (let i = 0; i < 3; i++) {
|
||
|
// "time-field" must be strictly "1*2DIGIT", HOWEVER, "hms-time" can be
|
||
|
// followed by "( non-digit *OCTET )" so therefore the last time-field can
|
||
|
// have a trailer
|
||
|
const trailingOK = i == 2;
|
||
|
const num = parseDigits(parts[i], 1, 2, trailingOK);
|
||
|
if (num === null) {
|
||
|
return null;
|
||
|
}
|
||
|
result[i] = num;
|
||
|
}
|
||
|
|
||
|
return result;
|
||
|
}
|
||
|
|
||
|
function parseMonth(token) {
|
||
|
token = String(token)
|
||
|
.substr(0, 3)
|
||
|
.toLowerCase();
|
||
|
const num = MONTH_TO_NUM[token];
|
||
|
return num >= 0 ? num : null;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* RFC6265 S5.1.1 date parser (see RFC for full grammar)
|
||
|
*/
|
||
|
function parseDate(str) {
|
||
|
if (!str) {
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
/* RFC6265 S5.1.1:
|
||
|
* 2. Process each date-token sequentially in the order the date-tokens
|
||
|
* appear in the cookie-date
|
||
|
*/
|
||
|
const tokens = str.split(DATE_DELIM);
|
||
|
if (!tokens) {
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
let hour = null;
|
||
|
let minute = null;
|
||
|
let second = null;
|
||
|
let dayOfMonth = null;
|
||
|
let month = null;
|
||
|
let year = null;
|
||
|
|
||
|
for (let i = 0; i < tokens.length; i++) {
|
||
|
const token = tokens[i].trim();
|
||
|
if (!token.length) {
|
||
|
continue;
|
||
|
}
|
||
|
|
||
|
let result;
|
||
|
|
||
|
/* 2.1. If the found-time flag is not set and the token matches the time
|
||
|
* production, set the found-time flag and set the hour- value,
|
||
|
* minute-value, and second-value to the numbers denoted by the digits in
|
||
|
* the date-token, respectively. Skip the remaining sub-steps and continue
|
||
|
* to the next date-token.
|
||
|
*/
|
||
|
if (second === null) {
|
||
|
result = parseTime(token);
|
||
|
if (result) {
|
||
|
hour = result[0];
|
||
|
minute = result[1];
|
||
|
second = result[2];
|
||
|
continue;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/* 2.2. If the found-day-of-month flag is not set and the date-token matches
|
||
|
* the day-of-month production, set the found-day-of- month flag and set
|
||
|
* the day-of-month-value to the number denoted by the date-token. Skip
|
||
|
* the remaining sub-steps and continue to the next date-token.
|
||
|
*/
|
||
|
if (dayOfMonth === null) {
|
||
|
// "day-of-month = 1*2DIGIT ( non-digit *OCTET )"
|
||
|
result = parseDigits(token, 1, 2, true);
|
||
|
if (result !== null) {
|
||
|
dayOfMonth = result;
|
||
|
continue;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/* 2.3. If the found-month flag is not set and the date-token matches the
|
||
|
* month production, set the found-month flag and set the month-value to
|
||
|
* the month denoted by the date-token. Skip the remaining sub-steps and
|
||
|
* continue to the next date-token.
|
||
|
*/
|
||
|
if (month === null) {
|
||
|
result = parseMonth(token);
|
||
|
if (result !== null) {
|
||
|
month = result;
|
||
|
continue;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/* 2.4. If the found-year flag is not set and the date-token matches the
|
||
|
* year production, set the found-year flag and set the year-value to the
|
||
|
* number denoted by the date-token. Skip the remaining sub-steps and
|
||
|
* continue to the next date-token.
|
||
|
*/
|
||
|
if (year === null) {
|
||
|
// "year = 2*4DIGIT ( non-digit *OCTET )"
|
||
|
result = parseDigits(token, 2, 4, true);
|
||
|
if (result !== null) {
|
||
|
year = result;
|
||
|
/* From S5.1.1:
|
||
|
* 3. If the year-value is greater than or equal to 70 and less
|
||
|
* than or equal to 99, increment the year-value by 1900.
|
||
|
* 4. If the year-value is greater than or equal to 0 and less
|
||
|
* than or equal to 69, increment the year-value by 2000.
|
||
|
*/
|
||
|
if (year >= 70 && year <= 99) {
|
||
|
year += 1900;
|
||
|
} else if (year >= 0 && year <= 69) {
|
||
|
year += 2000;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/* RFC 6265 S5.1.1
|
||
|
* "5. Abort these steps and fail to parse the cookie-date if:
|
||
|
* * at least one of the found-day-of-month, found-month, found-
|
||
|
* year, or found-time flags is not set,
|
||
|
* * the day-of-month-value is less than 1 or greater than 31,
|
||
|
* * the year-value is less than 1601,
|
||
|
* * the hour-value is greater than 23,
|
||
|
* * the minute-value is greater than 59, or
|
||
|
* * the second-value is greater than 59.
|
||
|
* (Note that leap seconds cannot be represented in this syntax.)"
|
||
|
*
|
||
|
* So, in order as above:
|
||
|
*/
|
||
|
if (
|
||
|
dayOfMonth === null ||
|
||
|
month === null ||
|
||
|
year === null ||
|
||
|
second === null ||
|
||
|
dayOfMonth < 1 ||
|
||
|
dayOfMonth > 31 ||
|
||
|
year < 1601 ||
|
||
|
hour > 23 ||
|
||
|
minute > 59 ||
|
||
|
second > 59
|
||
|
) {
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
return new Date(Date.UTC(year, month, dayOfMonth, hour, minute, second));
|
||
|
}
|
||
|
|
||
|
function formatDate(date) {
|
||
|
return date.toUTCString();
|
||
|
}
|
||
|
|
||
|
// S5.1.2 Canonicalized Host Names
|
||
|
function canonicalDomain(str) {
|
||
|
if (str == null) {
|
||
|
return null;
|
||
|
}
|
||
|
str = str.trim().replace(/^\./, ""); // S4.1.2.3 & S5.2.3: ignore leading .
|
||
|
|
||
|
// convert to IDN if any non-ASCII characters
|
||
|
if (punycode && /[^\u0001-\u007f]/.test(str)) {
|
||
|
str = punycode.toASCII(str);
|
||
|
}
|
||
|
|
||
|
return str.toLowerCase();
|
||
|
}
|
||
|
|
||
|
// S5.1.3 Domain Matching
|
||
|
function domainMatch(str, domStr, canonicalize) {
|
||
|
if (str == null || domStr == null) {
|
||
|
return null;
|
||
|
}
|
||
|
if (canonicalize !== false) {
|
||
|
str = canonicalDomain(str);
|
||
|
domStr = canonicalDomain(domStr);
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* S5.1.3:
|
||
|
* "A string domain-matches a given domain string if at least one of the
|
||
|
* following conditions hold:"
|
||
|
*
|
||
|
* " o The domain string and the string are identical. (Note that both the
|
||
|
* domain string and the string will have been canonicalized to lower case at
|
||
|
* this point)"
|
||
|
*/
|
||
|
if (str == domStr) {
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
/* " o All of the following [three] conditions hold:" */
|
||
|
|
||
|
/* "* The domain string is a suffix of the string" */
|
||
|
const idx = str.indexOf(domStr);
|
||
|
if (idx <= 0) {
|
||
|
return false; // it's a non-match (-1) or prefix (0)
|
||
|
}
|
||
|
|
||
|
// next, check it's a proper suffix
|
||
|
// e.g., "a.b.c".indexOf("b.c") === 2
|
||
|
// 5 === 3+2
|
||
|
if (str.length !== domStr.length + idx) {
|
||
|
return false; // it's not a suffix
|
||
|
}
|
||
|
|
||
|
/* " * The last character of the string that is not included in the
|
||
|
* domain string is a %x2E (".") character." */
|
||
|
if (str.substr(idx-1,1) !== '.') {
|
||
|
return false; // doesn't align on "."
|
||
|
}
|
||
|
|
||
|
/* " * The string is a host name (i.e., not an IP address)." */
|
||
|
if (IP_REGEX_LOWERCASE.test(str)) {
|
||
|
return false; // it's an IP address
|
||
|
}
|
||
|
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
// RFC6265 S5.1.4 Paths and Path-Match
|
||
|
|
||
|
/*
|
||
|
* "The user agent MUST use an algorithm equivalent to the following algorithm
|
||
|
* to compute the default-path of a cookie:"
|
||
|
*
|
||
|
* Assumption: the path (and not query part or absolute uri) is passed in.
|
||
|
*/
|
||
|
function defaultPath(path) {
|
||
|
// "2. If the uri-path is empty or if the first character of the uri-path is not
|
||
|
// a %x2F ("/") character, output %x2F ("/") and skip the remaining steps.
|
||
|
if (!path || path.substr(0, 1) !== "/") {
|
||
|
return "/";
|
||
|
}
|
||
|
|
||
|
// "3. If the uri-path contains no more than one %x2F ("/") character, output
|
||
|
// %x2F ("/") and skip the remaining step."
|
||
|
if (path === "/") {
|
||
|
return path;
|
||
|
}
|
||
|
|
||
|
const rightSlash = path.lastIndexOf("/");
|
||
|
if (rightSlash === 0) {
|
||
|
return "/";
|
||
|
}
|
||
|
|
||
|
// "4. Output the characters of the uri-path from the first character up to,
|
||
|
// but not including, the right-most %x2F ("/")."
|
||
|
return path.slice(0, rightSlash);
|
||
|
}
|
||
|
|
||
|
function trimTerminator(str) {
|
||
|
for (let t = 0; t < TERMINATORS.length; t++) {
|
||
|
const terminatorIdx = str.indexOf(TERMINATORS[t]);
|
||
|
if (terminatorIdx !== -1) {
|
||
|
str = str.substr(0, terminatorIdx);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return str;
|
||
|
}
|
||
|
|
||
|
function parseCookiePair(cookiePair, looseMode) {
|
||
|
cookiePair = trimTerminator(cookiePair);
|
||
|
|
||
|
let firstEq = cookiePair.indexOf("=");
|
||
|
if (looseMode) {
|
||
|
if (firstEq === 0) {
|
||
|
// '=' is immediately at start
|
||
|
cookiePair = cookiePair.substr(1);
|
||
|
firstEq = cookiePair.indexOf("="); // might still need to split on '='
|
||
|
}
|
||
|
} else {
|
||
|
// non-loose mode
|
||
|
if (firstEq <= 0) {
|
||
|
// no '=' or is at start
|
||
|
return; // needs to have non-empty "cookie-name"
|
||
|
}
|
||
|
}
|
||
|
|
||
|
let cookieName, cookieValue;
|
||
|
if (firstEq <= 0) {
|
||
|
cookieName = "";
|
||
|
cookieValue = cookiePair.trim();
|
||
|
} else {
|
||
|
cookieName = cookiePair.substr(0, firstEq).trim();
|
||
|
cookieValue = cookiePair.substr(firstEq + 1).trim();
|
||
|
}
|
||
|
|
||
|
if (CONTROL_CHARS.test(cookieName) || CONTROL_CHARS.test(cookieValue)) {
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
const c = new Cookie();
|
||
|
c.key = cookieName;
|
||
|
c.value = cookieValue;
|
||
|
return c;
|
||
|
}
|
||
|
|
||
|
function parse(str, options) {
|
||
|
if (!options || typeof options !== "object") {
|
||
|
options = {};
|
||
|
}
|
||
|
str = str.trim();
|
||
|
|
||
|
// We use a regex to parse the "name-value-pair" part of S5.2
|
||
|
const firstSemi = str.indexOf(";"); // S5.2 step 1
|
||
|
const cookiePair = firstSemi === -1 ? str : str.substr(0, firstSemi);
|
||
|
const c = parseCookiePair(cookiePair, !!options.loose);
|
||
|
if (!c) {
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
if (firstSemi === -1) {
|
||
|
return c;
|
||
|
}
|
||
|
|
||
|
// S5.2.3 "unparsed-attributes consist of the remainder of the set-cookie-string
|
||
|
// (including the %x3B (";") in question)." plus later on in the same section
|
||
|
// "discard the first ";" and trim".
|
||
|
const unparsed = str.slice(firstSemi + 1).trim();
|
||
|
|
||
|
// "If the unparsed-attributes string is empty, skip the rest of these
|
||
|
// steps."
|
||
|
if (unparsed.length === 0) {
|
||
|
return c;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* S5.2 says that when looping over the items "[p]rocess the attribute-name
|
||
|
* and attribute-value according to the requirements in the following
|
||
|
* subsections" for every item. Plus, for many of the individual attributes
|
||
|
* in S5.3 it says to use the "attribute-value of the last attribute in the
|
||
|
* cookie-attribute-list". Therefore, in this implementation, we overwrite
|
||
|
* the previous value.
|
||
|
*/
|
||
|
const cookie_avs = unparsed.split(";");
|
||
|
while (cookie_avs.length) {
|
||
|
const av = cookie_avs.shift().trim();
|
||
|
if (av.length === 0) {
|
||
|
// happens if ";;" appears
|
||
|
continue;
|
||
|
}
|
||
|
const av_sep = av.indexOf("=");
|
||
|
let av_key, av_value;
|
||
|
|
||
|
if (av_sep === -1) {
|
||
|
av_key = av;
|
||
|
av_value = null;
|
||
|
} else {
|
||
|
av_key = av.substr(0, av_sep);
|
||
|
av_value = av.substr(av_sep + 1);
|
||
|
}
|
||
|
|
||
|
av_key = av_key.trim().toLowerCase();
|
||
|
|
||
|
if (av_value) {
|
||
|
av_value = av_value.trim();
|
||
|
}
|
||
|
|
||
|
switch (av_key) {
|
||
|
case "expires": // S5.2.1
|
||
|
if (av_value) {
|
||
|
const exp = parseDate(av_value);
|
||
|
// "If the attribute-value failed to parse as a cookie date, ignore the
|
||
|
// cookie-av."
|
||
|
if (exp) {
|
||
|
// over and underflow not realistically a concern: V8's getTime() seems to
|
||
|
// store something larger than a 32-bit time_t (even with 32-bit node)
|
||
|
c.expires = exp;
|
||
|
}
|
||
|
}
|
||
|
break;
|
||
|
|
||
|
case "max-age": // S5.2.2
|
||
|
if (av_value) {
|
||
|
// "If the first character of the attribute-value is not a DIGIT or a "-"
|
||
|
// character ...[or]... If the remainder of attribute-value contains a
|
||
|
// non-DIGIT character, ignore the cookie-av."
|
||
|
if (/^-?[0-9]+$/.test(av_value)) {
|
||
|
const delta = parseInt(av_value, 10);
|
||
|
// "If delta-seconds is less than or equal to zero (0), let expiry-time
|
||
|
// be the earliest representable date and time."
|
||
|
c.setMaxAge(delta);
|
||
|
}
|
||
|
}
|
||
|
break;
|
||
|
|
||
|
case "domain": // S5.2.3
|
||
|
// "If the attribute-value is empty, the behavior is undefined. However,
|
||
|
// the user agent SHOULD ignore the cookie-av entirely."
|
||
|
if (av_value) {
|
||
|
// S5.2.3 "Let cookie-domain be the attribute-value without the leading %x2E
|
||
|
// (".") character."
|
||
|
const domain = av_value.trim().replace(/^\./, "");
|
||
|
if (domain) {
|
||
|
// "Convert the cookie-domain to lower case."
|
||
|
c.domain = domain.toLowerCase();
|
||
|
}
|
||
|
}
|
||
|
break;
|
||
|
|
||
|
case "path": // S5.2.4
|
||
|
/*
|
||
|
* "If the attribute-value is empty or if the first character of the
|
||
|
* attribute-value is not %x2F ("/"):
|
||
|
* Let cookie-path be the default-path.
|
||
|
* Otherwise:
|
||
|
* Let cookie-path be the attribute-value."
|
||
|
*
|
||
|
* We'll represent the default-path as null since it depends on the
|
||
|
* context of the parsing.
|
||
|
*/
|
||
|
c.path = av_value && av_value[0] === "/" ? av_value : null;
|
||
|
break;
|
||
|
|
||
|
case "secure": // S5.2.5
|
||
|
/*
|
||
|
* "If the attribute-name case-insensitively matches the string "Secure",
|
||
|
* the user agent MUST append an attribute to the cookie-attribute-list
|
||
|
* with an attribute-name of Secure and an empty attribute-value."
|
||
|
*/
|
||
|
c.secure = true;
|
||
|
break;
|
||
|
|
||
|
case "httponly": // S5.2.6 -- effectively the same as 'secure'
|
||
|
c.httpOnly = true;
|
||
|
break;
|
||
|
|
||
|
case "samesite": // RFC6265bis-02 S5.3.7
|
||
|
const enforcement = av_value ? av_value.toLowerCase() : "";
|
||
|
switch (enforcement) {
|
||
|
case "strict":
|
||
|
c.sameSite = "strict";
|
||
|
break;
|
||
|
case "lax":
|
||
|
c.sameSite = "lax";
|
||
|
break;
|
||
|
default:
|
||
|
// RFC6265bis-02 S5.3.7 step 1:
|
||
|
// "If cookie-av's attribute-value is not a case-insensitive match
|
||
|
// for "Strict" or "Lax", ignore the "cookie-av"."
|
||
|
// This effectively sets it to 'none' from the prototype.
|
||
|
break;
|
||
|
}
|
||
|
break;
|
||
|
|
||
|
default:
|
||
|
c.extensions = c.extensions || [];
|
||
|
c.extensions.push(av);
|
||
|
break;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return c;
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* If the cookie-name begins with a case-sensitive match for the
|
||
|
* string "__Secure-", abort these steps and ignore the cookie
|
||
|
* entirely unless the cookie's secure-only-flag is true.
|
||
|
* @param cookie
|
||
|
* @returns boolean
|
||
|
*/
|
||
|
function isSecurePrefixConditionMet(cookie) {
|
||
|
return !cookie.key.startsWith("__Secure-") || cookie.secure;
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* If the cookie-name begins with a case-sensitive match for the
|
||
|
* string "__Host-", abort these steps and ignore the cookie
|
||
|
* entirely unless the cookie meets all the following criteria:
|
||
|
* 1. The cookie's secure-only-flag is true.
|
||
|
* 2. The cookie's host-only-flag is true.
|
||
|
* 3. The cookie-attribute-list contains an attribute with an
|
||
|
* attribute-name of "Path", and the cookie's path is "/".
|
||
|
* @param cookie
|
||
|
* @returns boolean
|
||
|
*/
|
||
|
function isHostPrefixConditionMet(cookie) {
|
||
|
return (
|
||
|
!cookie.key.startsWith("__Host-") ||
|
||
|
(cookie.secure &&
|
||
|
cookie.hostOnly &&
|
||
|
cookie.path != null &&
|
||
|
cookie.path === "/")
|
||
|
);
|
||
|
}
|
||
|
|
||
|
// avoid the V8 deoptimization monster!
|
||
|
function jsonParse(str) {
|
||
|
let obj;
|
||
|
try {
|
||
|
obj = JSON.parse(str);
|
||
|
} catch (e) {
|
||
|
return e;
|
||
|
}
|
||
|
return obj;
|
||
|
}
|
||
|
|
||
|
function fromJSON(str) {
|
||
|
if (!str) {
|
||
|
return null;
|
||
|
}
|
||
|
|
||
|
let obj;
|
||
|
if (typeof str === "string") {
|
||
|
obj = jsonParse(str);
|
||
|
if (obj instanceof Error) {
|
||
|
return null;
|
||
|
}
|
||
|
} else {
|
||
|
// assume it's an Object
|
||
|
obj = str;
|
||
|
}
|
||
|
|
||
|
const c = new Cookie();
|
||
|
for (let i = 0; i < Cookie.serializableProperties.length; i++) {
|
||
|
const prop = Cookie.serializableProperties[i];
|
||
|
if (obj[prop] === undefined || obj[prop] === cookieDefaults[prop]) {
|
||
|
continue; // leave as prototype default
|
||
|
}
|
||
|
|
||
|
if (prop === "expires" || prop === "creation" || prop === "lastAccessed") {
|
||
|
if (obj[prop] === null) {
|
||
|
c[prop] = null;
|
||
|
} else {
|
||
|
c[prop] = obj[prop] == "Infinity" ? "Infinity" : new Date(obj[prop]);
|
||
|
}
|
||
|
} else {
|
||
|
c[prop] = obj[prop];
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return c;
|
||
|
}
|
||
|
|
||
|
/* Section 5.4 part 2:
|
||
|
* "* Cookies with longer paths are listed before cookies with
|
||
|
* shorter paths.
|
||
|
*
|
||
|
* * Among cookies that have equal-length path fields, cookies with
|
||
|
* earlier creation-times are listed before cookies with later
|
||
|
* creation-times."
|
||
|
*/
|
||
|
|
||
|
function cookieCompare(a, b) {
|
||
|
let cmp = 0;
|
||
|
|
||
|
// descending for length: b CMP a
|
||
|
const aPathLen = a.path ? a.path.length : 0;
|
||
|
const bPathLen = b.path ? b.path.length : 0;
|
||
|
cmp = bPathLen - aPathLen;
|
||
|
if (cmp !== 0) {
|
||
|
return cmp;
|
||
|
}
|
||
|
|
||
|
// ascending for time: a CMP b
|
||
|
const aTime = a.creation ? a.creation.getTime() : MAX_TIME;
|
||
|
const bTime = b.creation ? b.creation.getTime() : MAX_TIME;
|
||
|
cmp = aTime - bTime;
|
||
|
if (cmp !== 0) {
|
||
|
return cmp;
|
||
|
}
|
||
|
|
||
|
// break ties for the same millisecond (precision of JavaScript's clock)
|
||
|
cmp = a.creationIndex - b.creationIndex;
|
||
|
|
||
|
return cmp;
|
||
|
}
|
||
|
|
||
|
// Gives the permutation of all possible pathMatch()es of a given path. The
|
||
|
// array is in longest-to-shortest order. Handy for indexing.
|
||
|
function permutePath(path) {
|
||
|
if (path === "/") {
|
||
|
return ["/"];
|
||
|
}
|
||
|
const permutations = [path];
|
||
|
while (path.length > 1) {
|
||
|
const lindex = path.lastIndexOf("/");
|
||
|
if (lindex === 0) {
|
||
|
break;
|
||
|
}
|
||
|
path = path.substr(0, lindex);
|
||
|
permutations.push(path);
|
||
|
}
|
||
|
permutations.push("/");
|
||
|
return permutations;
|
||
|
}
|
||
|
|
||
|
function getCookieContext(url) {
|
||
|
if (url instanceof Object) {
|
||
|
return url;
|
||
|
}
|
||
|
// NOTE: decodeURI will throw on malformed URIs (see GH-32).
|
||
|
// Therefore, we will just skip decoding for such URIs.
|
||
|
try {
|
||
|
url = decodeURI(url);
|
||
|
} catch (err) {
|
||
|
// Silently swallow error
|
||
|
}
|
||
|
|
||
|
return urlParse(url);
|
||
|
}
|
||
|
|
||
|
const cookieDefaults = {
|
||
|
// the order in which the RFC has them:
|
||
|
key: "",
|
||
|
value: "",
|
||
|
expires: "Infinity",
|
||
|
maxAge: null,
|
||
|
domain: null,
|
||
|
path: null,
|
||
|
secure: false,
|
||
|
httpOnly: false,
|
||
|
extensions: null,
|
||
|
// set by the CookieJar:
|
||
|
hostOnly: null,
|
||
|
pathIsDefault: null,
|
||
|
creation: null,
|
||
|
lastAccessed: null,
|
||
|
sameSite: "none"
|
||
|
};
|
||
|
|
||
|
class Cookie {
|
||
|
constructor(options = {}) {
|
||
|
if (util.inspect.custom) {
|
||
|
this[util.inspect.custom] = this.inspect;
|
||
|
}
|
||
|
|
||
|
Object.assign(this, cookieDefaults, options);
|
||
|
this.creation = this.creation || new Date();
|
||
|
|
||
|
// used to break creation ties in cookieCompare():
|
||
|
Object.defineProperty(this, "creationIndex", {
|
||
|
configurable: false,
|
||
|
enumerable: false, // important for assert.deepEqual checks
|
||
|
writable: true,
|
||
|
value: ++Cookie.cookiesCreated
|
||
|
});
|
||
|
}
|
||
|
|
||
|
inspect() {
|
||
|
const now = Date.now();
|
||
|
const hostOnly = this.hostOnly != null ? this.hostOnly : "?";
|
||
|
const createAge = this.creation
|
||
|
? `${now - this.creation.getTime()}ms`
|
||
|
: "?";
|
||
|
const accessAge = this.lastAccessed
|
||
|
? `${now - this.lastAccessed.getTime()}ms`
|
||
|
: "?";
|
||
|
return `Cookie="${this.toString()}; hostOnly=${hostOnly}; aAge=${accessAge}; cAge=${createAge}"`;
|
||
|
}
|
||
|
|
||
|
toJSON() {
|
||
|
const obj = {};
|
||
|
|
||
|
for (const prop of Cookie.serializableProperties) {
|
||
|
if (this[prop] === cookieDefaults[prop]) {
|
||
|
continue; // leave as prototype default
|
||
|
}
|
||
|
|
||
|
if (
|
||
|
prop === "expires" ||
|
||
|
prop === "creation" ||
|
||
|
prop === "lastAccessed"
|
||
|
) {
|
||
|
if (this[prop] === null) {
|
||
|
obj[prop] = null;
|
||
|
} else {
|
||
|
obj[prop] =
|
||
|
this[prop] == "Infinity" // intentionally not ===
|
||
|
? "Infinity"
|
||
|
: this[prop].toISOString();
|
||
|
}
|
||
|
} else if (prop === "maxAge") {
|
||
|
if (this[prop] !== null) {
|
||
|
// again, intentionally not ===
|
||
|
obj[prop] =
|
||
|
this[prop] == Infinity || this[prop] == -Infinity
|
||
|
? this[prop].toString()
|
||
|
: this[prop];
|
||
|
}
|
||
|
} else {
|
||
|
if (this[prop] !== cookieDefaults[prop]) {
|
||
|
obj[prop] = this[prop];
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return obj;
|
||
|
}
|
||
|
|
||
|
clone() {
|
||
|
return fromJSON(this.toJSON());
|
||
|
}
|
||
|
|
||
|
validate() {
|
||
|
if (!COOKIE_OCTETS.test(this.value)) {
|
||
|
return false;
|
||
|
}
|
||
|
if (
|
||
|
this.expires != Infinity &&
|
||
|
!(this.expires instanceof Date) &&
|
||
|
!parseDate(this.expires)
|
||
|
) {
|
||
|
return false;
|
||
|
}
|
||
|
if (this.maxAge != null && this.maxAge <= 0) {
|
||
|
return false; // "Max-Age=" non-zero-digit *DIGIT
|
||
|
}
|
||
|
if (this.path != null && !PATH_VALUE.test(this.path)) {
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
const cdomain = this.cdomain();
|
||
|
if (cdomain) {
|
||
|
if (cdomain.match(/\.$/)) {
|
||
|
return false; // S4.1.2.3 suggests that this is bad. domainMatch() tests confirm this
|
||
|
}
|
||
|
const suffix = pubsuffix.getPublicSuffix(cdomain);
|
||
|
if (suffix == null) {
|
||
|
// it's a public suffix
|
||
|
return false;
|
||
|
}
|
||
|
}
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
setExpires(exp) {
|
||
|
if (exp instanceof Date) {
|
||
|
this.expires = exp;
|
||
|
} else {
|
||
|
this.expires = parseDate(exp) || "Infinity";
|
||
|
}
|
||
|
}
|
||
|
|
||
|
setMaxAge(age) {
|
||
|
if (age === Infinity || age === -Infinity) {
|
||
|
this.maxAge = age.toString(); // so JSON.stringify() works
|
||
|
} else {
|
||
|
this.maxAge = age;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
cookieString() {
|
||
|
let val = this.value;
|
||
|
if (val == null) {
|
||
|
val = "";
|
||
|
}
|
||
|
if (this.key === "") {
|
||
|
return val;
|
||
|
}
|
||
|
return `${this.key}=${val}`;
|
||
|
}
|
||
|
|
||
|
// gives Set-Cookie header format
|
||
|
toString() {
|
||
|
let str = this.cookieString();
|
||
|
|
||
|
if (this.expires != Infinity) {
|
||
|
if (this.expires instanceof Date) {
|
||
|
str += `; Expires=${formatDate(this.expires)}`;
|
||
|
} else {
|
||
|
str += `; Expires=${this.expires}`;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
if (this.maxAge != null && this.maxAge != Infinity) {
|
||
|
str += `; Max-Age=${this.maxAge}`;
|
||
|
}
|
||
|
|
||
|
if (this.domain && !this.hostOnly) {
|
||
|
str += `; Domain=${this.domain}`;
|
||
|
}
|
||
|
if (this.path) {
|
||
|
str += `; Path=${this.path}`;
|
||
|
}
|
||
|
|
||
|
if (this.secure) {
|
||
|
str += "; Secure";
|
||
|
}
|
||
|
if (this.httpOnly) {
|
||
|
str += "; HttpOnly";
|
||
|
}
|
||
|
if (this.sameSite && this.sameSite !== "none") {
|
||
|
const ssCanon = Cookie.sameSiteCanonical[this.sameSite.toLowerCase()];
|
||
|
str += `; SameSite=${ssCanon ? ssCanon : this.sameSite}`;
|
||
|
}
|
||
|
if (this.extensions) {
|
||
|
this.extensions.forEach(ext => {
|
||
|
str += `; ${ext}`;
|
||
|
});
|
||
|
}
|
||
|
|
||
|
return str;
|
||
|
}
|
||
|
|
||
|
// TTL() partially replaces the "expiry-time" parts of S5.3 step 3 (setCookie()
|
||
|
// elsewhere)
|
||
|
// S5.3 says to give the "latest representable date" for which we use Infinity
|
||
|
// For "expired" we use 0
|
||
|
TTL(now) {
|
||
|
/* RFC6265 S4.1.2.2 If a cookie has both the Max-Age and the Expires
|
||
|
* attribute, the Max-Age attribute has precedence and controls the
|
||
|
* expiration date of the cookie.
|
||
|
* (Concurs with S5.3 step 3)
|
||
|
*/
|
||
|
if (this.maxAge != null) {
|
||
|
return this.maxAge <= 0 ? 0 : this.maxAge * 1000;
|
||
|
}
|
||
|
|
||
|
let expires = this.expires;
|
||
|
if (expires != Infinity) {
|
||
|
if (!(expires instanceof Date)) {
|
||
|
expires = parseDate(expires) || Infinity;
|
||
|
}
|
||
|
|
||
|
if (expires == Infinity) {
|
||
|
return Infinity;
|
||
|
}
|
||
|
|
||
|
return expires.getTime() - (now || Date.now());
|
||
|
}
|
||
|
|
||
|
return Infinity;
|
||
|
}
|
||
|
|
||
|
// expiryTime() replaces the "expiry-time" parts of S5.3 step 3 (setCookie()
|
||
|
// elsewhere)
|
||
|
expiryTime(now) {
|
||
|
if (this.maxAge != null) {
|
||
|
const relativeTo = now || this.creation || new Date();
|
||
|
const age = this.maxAge <= 0 ? -Infinity : this.maxAge * 1000;
|
||
|
return relativeTo.getTime() + age;
|
||
|
}
|
||
|
|
||
|
if (this.expires == Infinity) {
|
||
|
return Infinity;
|
||
|
}
|
||
|
return this.expires.getTime();
|
||
|
}
|
||
|
|
||
|
// expiryDate() replaces the "expiry-time" parts of S5.3 step 3 (setCookie()
|
||
|
// elsewhere), except it returns a Date
|
||
|
expiryDate(now) {
|
||
|
const millisec = this.expiryTime(now);
|
||
|
if (millisec == Infinity) {
|
||
|
return new Date(MAX_TIME);
|
||
|
} else if (millisec == -Infinity) {
|
||
|
return new Date(MIN_TIME);
|
||
|
} else {
|
||
|
return new Date(millisec);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// This replaces the "persistent-flag" parts of S5.3 step 3
|
||
|
isPersistent() {
|
||
|
return this.maxAge != null || this.expires != Infinity;
|
||
|
}
|
||
|
|
||
|
// Mostly S5.1.2 and S5.2.3:
|
||
|
canonicalizedDomain() {
|
||
|
if (this.domain == null) {
|
||
|
return null;
|
||
|
}
|
||
|
return canonicalDomain(this.domain);
|
||
|
}
|
||
|
|
||
|
cdomain() {
|
||
|
return this.canonicalizedDomain();
|
||
|
}
|
||
|
}
|
||
|
|
||
|
Cookie.cookiesCreated = 0;
|
||
|
Cookie.parse = parse;
|
||
|
Cookie.fromJSON = fromJSON;
|
||
|
Cookie.serializableProperties = Object.keys(cookieDefaults);
|
||
|
Cookie.sameSiteLevel = {
|
||
|
strict: 3,
|
||
|
lax: 2,
|
||
|
none: 1
|
||
|
};
|
||
|
|
||
|
Cookie.sameSiteCanonical = {
|
||
|
strict: "Strict",
|
||
|
lax: "Lax"
|
||
|
};
|
||
|
|
||
|
function getNormalizedPrefixSecurity(prefixSecurity) {
|
||
|
if (prefixSecurity != null) {
|
||
|
const normalizedPrefixSecurity = prefixSecurity.toLowerCase();
|
||
|
/* The three supported options */
|
||
|
switch (normalizedPrefixSecurity) {
|
||
|
case PrefixSecurityEnum.STRICT:
|
||
|
case PrefixSecurityEnum.SILENT:
|
||
|
case PrefixSecurityEnum.DISABLED:
|
||
|
return normalizedPrefixSecurity;
|
||
|
}
|
||
|
}
|
||
|
/* Default is SILENT */
|
||
|
return PrefixSecurityEnum.SILENT;
|
||
|
}
|
||
|
|
||
|
class CookieJar {
|
||
|
constructor(store, options = { rejectPublicSuffixes: true }) {
|
||
|
if (typeof options === "boolean") {
|
||
|
options = { rejectPublicSuffixes: options };
|
||
|
}
|
||
|
this.rejectPublicSuffixes = options.rejectPublicSuffixes;
|
||
|
this.enableLooseMode = !!options.looseMode;
|
||
|
this.allowSpecialUseDomain = !!options.allowSpecialUseDomain;
|
||
|
this.store = store || new MemoryCookieStore();
|
||
|
this.prefixSecurity = getNormalizedPrefixSecurity(options.prefixSecurity);
|
||
|
this._cloneSync = syncWrap("clone");
|
||
|
this._importCookiesSync = syncWrap("_importCookies");
|
||
|
this.getCookiesSync = syncWrap("getCookies");
|
||
|
this.getCookieStringSync = syncWrap("getCookieString");
|
||
|
this.getSetCookieStringsSync = syncWrap("getSetCookieStrings");
|
||
|
this.removeAllCookiesSync = syncWrap("removeAllCookies");
|
||
|
this.setCookieSync = syncWrap("setCookie");
|
||
|
this.serializeSync = syncWrap("serialize");
|
||
|
}
|
||
|
|
||
|
setCookie(cookie, url, options, cb) {
|
||
|
let err;
|
||
|
const context = getCookieContext(url);
|
||
|
if (typeof options === "function") {
|
||
|
cb = options;
|
||
|
options = {};
|
||
|
}
|
||
|
|
||
|
const host = canonicalDomain(context.hostname);
|
||
|
const loose = options.loose || this.enableLooseMode;
|
||
|
|
||
|
let sameSiteContext = null;
|
||
|
if (options.sameSiteContext) {
|
||
|
sameSiteContext = checkSameSiteContext(options.sameSiteContext);
|
||
|
if (!sameSiteContext) {
|
||
|
return cb(new Error(SAME_SITE_CONTEXT_VAL_ERR));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// S5.3 step 1
|
||
|
if (typeof cookie === "string" || cookie instanceof String) {
|
||
|
cookie = Cookie.parse(cookie, { loose: loose });
|
||
|
if (!cookie) {
|
||
|
err = new Error("Cookie failed to parse");
|
||
|
return cb(options.ignoreError ? null : err);
|
||
|
}
|
||
|
} else if (!(cookie instanceof Cookie)) {
|
||
|
// If you're seeing this error, and are passing in a Cookie object,
|
||
|
// it *might* be a Cookie object from another loaded version of tough-cookie.
|
||
|
err = new Error(
|
||
|
"First argument to setCookie must be a Cookie object or string"
|
||
|
);
|
||
|
return cb(options.ignoreError ? null : err);
|
||
|
}
|
||
|
|
||
|
// S5.3 step 2
|
||
|
const now = options.now || new Date(); // will assign later to save effort in the face of errors
|
||
|
|
||
|
// S5.3 step 3: NOOP; persistent-flag and expiry-time is handled by getCookie()
|
||
|
|
||
|
// S5.3 step 4: NOOP; domain is null by default
|
||
|
|
||
|
// S5.3 step 5: public suffixes
|
||
|
if (this.rejectPublicSuffixes && cookie.domain) {
|
||
|
const suffix = pubsuffix.getPublicSuffix(cookie.cdomain());
|
||
|
if (suffix == null) {
|
||
|
// e.g. "com"
|
||
|
err = new Error("Cookie has domain set to a public suffix");
|
||
|
return cb(options.ignoreError ? null : err);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// S5.3 step 6:
|
||
|
if (cookie.domain) {
|
||
|
if (!domainMatch(host, cookie.cdomain(), false)) {
|
||
|
err = new Error(
|
||
|
`Cookie not in this host's domain. Cookie:${cookie.cdomain()} Request:${host}`
|
||
|
);
|
||
|
return cb(options.ignoreError ? null : err);
|
||
|
}
|
||
|
|
||
|
if (cookie.hostOnly == null) {
|
||
|
// don't reset if already set
|
||
|
cookie.hostOnly = false;
|
||
|
}
|
||
|
} else {
|
||
|
cookie.hostOnly = true;
|
||
|
cookie.domain = host;
|
||
|
}
|
||
|
|
||
|
//S5.2.4 If the attribute-value is empty or if the first character of the
|
||
|
//attribute-value is not %x2F ("/"):
|
||
|
//Let cookie-path be the default-path.
|
||
|
if (!cookie.path || cookie.path[0] !== "/") {
|
||
|
cookie.path = defaultPath(context.pathname);
|
||
|
cookie.pathIsDefault = true;
|
||
|
}
|
||
|
|
||
|
// S5.3 step 8: NOOP; secure attribute
|
||
|
// S5.3 step 9: NOOP; httpOnly attribute
|
||
|
|
||
|
// S5.3 step 10
|
||
|
if (options.http === false && cookie.httpOnly) {
|
||
|
err = new Error("Cookie is HttpOnly and this isn't an HTTP API");
|
||
|
return cb(options.ignoreError ? null : err);
|
||
|
}
|
||
|
|
||
|
// 6252bis-02 S5.4 Step 13 & 14:
|
||
|
if (cookie.sameSite !== "none" && sameSiteContext) {
|
||
|
// "If the cookie's "same-site-flag" is not "None", and the cookie
|
||
|
// is being set from a context whose "site for cookies" is not an
|
||
|
// exact match for request-uri's host's registered domain, then
|
||
|
// abort these steps and ignore the newly created cookie entirely."
|
||
|
if (sameSiteContext === "none") {
|
||
|
err = new Error(
|
||
|
"Cookie is SameSite but this is a cross-origin request"
|
||
|
);
|
||
|
return cb(options.ignoreError ? null : err);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/* 6265bis-02 S5.4 Steps 15 & 16 */
|
||
|
const ignoreErrorForPrefixSecurity =
|
||
|
this.prefixSecurity === PrefixSecurityEnum.SILENT;
|
||
|
const prefixSecurityDisabled =
|
||
|
this.prefixSecurity === PrefixSecurityEnum.DISABLED;
|
||
|
/* If prefix checking is not disabled ...*/
|
||
|
if (!prefixSecurityDisabled) {
|
||
|
let errorFound = false;
|
||
|
let errorMsg;
|
||
|
/* Check secure prefix condition */
|
||
|
if (!isSecurePrefixConditionMet(cookie)) {
|
||
|
errorFound = true;
|
||
|
errorMsg = "Cookie has __Secure prefix but Secure attribute is not set";
|
||
|
} else if (!isHostPrefixConditionMet(cookie)) {
|
||
|
/* Check host prefix condition */
|
||
|
errorFound = true;
|
||
|
errorMsg =
|
||
|
"Cookie has __Host prefix but either Secure or HostOnly attribute is not set or Path is not '/'";
|
||
|
}
|
||
|
if (errorFound) {
|
||
|
return cb(
|
||
|
options.ignoreError || ignoreErrorForPrefixSecurity
|
||
|
? null
|
||
|
: new Error(errorMsg)
|
||
|
);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
const store = this.store;
|
||
|
|
||
|
if (!store.updateCookie) {
|
||
|
store.updateCookie = function(oldCookie, newCookie, cb) {
|
||
|
this.putCookie(newCookie, cb);
|
||
|
};
|
||
|
}
|
||
|
|
||
|
function withCookie(err, oldCookie) {
|
||
|
if (err) {
|
||
|
return cb(err);
|
||
|
}
|
||
|
|
||
|
const next = function(err) {
|
||
|
if (err) {
|
||
|
return cb(err);
|
||
|
} else {
|
||
|
cb(null, cookie);
|
||
|
}
|
||
|
};
|
||
|
|
||
|
if (oldCookie) {
|
||
|
// S5.3 step 11 - "If the cookie store contains a cookie with the same name,
|
||
|
// domain, and path as the newly created cookie:"
|
||
|
if (options.http === false && oldCookie.httpOnly) {
|
||
|
// step 11.2
|
||
|
err = new Error("old Cookie is HttpOnly and this isn't an HTTP API");
|
||
|
return cb(options.ignoreError ? null : err);
|
||
|
}
|
||
|
cookie.creation = oldCookie.creation; // step 11.3
|
||
|
cookie.creationIndex = oldCookie.creationIndex; // preserve tie-breaker
|
||
|
cookie.lastAccessed = now;
|
||
|
// Step 11.4 (delete cookie) is implied by just setting the new one:
|
||
|
store.updateCookie(oldCookie, cookie, next); // step 12
|
||
|
} else {
|
||
|
cookie.creation = cookie.lastAccessed = now;
|
||
|
store.putCookie(cookie, next); // step 12
|
||
|
}
|
||
|
}
|
||
|
|
||
|
store.findCookie(cookie.domain, cookie.path, cookie.key, withCookie);
|
||
|
}
|
||
|
|
||
|
// RFC6365 S5.4
|
||
|
getCookies(url, options, cb) {
|
||
|
const context = getCookieContext(url);
|
||
|
if (typeof options === "function") {
|
||
|
cb = options;
|
||
|
options = {};
|
||
|
}
|
||
|
|
||
|
const host = canonicalDomain(context.hostname);
|
||
|
const path = context.pathname || "/";
|
||
|
|
||
|
let secure = options.secure;
|
||
|
if (
|
||
|
secure == null &&
|
||
|
context.protocol &&
|
||
|
(context.protocol == "https:" || context.protocol == "wss:")
|
||
|
) {
|
||
|
secure = true;
|
||
|
}
|
||
|
|
||
|
let sameSiteLevel = 0;
|
||
|
if (options.sameSiteContext) {
|
||
|
const sameSiteContext = checkSameSiteContext(options.sameSiteContext);
|
||
|
sameSiteLevel = Cookie.sameSiteLevel[sameSiteContext];
|
||
|
if (!sameSiteLevel) {
|
||
|
return cb(new Error(SAME_SITE_CONTEXT_VAL_ERR));
|
||
|
}
|
||
|
}
|
||
|
|
||
|
let http = options.http;
|
||
|
if (http == null) {
|
||
|
http = true;
|
||
|
}
|
||
|
|
||
|
const now = options.now || Date.now();
|
||
|
const expireCheck = options.expire !== false;
|
||
|
const allPaths = !!options.allPaths;
|
||
|
const store = this.store;
|
||
|
|
||
|
function matchingCookie(c) {
|
||
|
// "Either:
|
||
|
// The cookie's host-only-flag is true and the canonicalized
|
||
|
// request-host is identical to the cookie's domain.
|
||
|
// Or:
|
||
|
// The cookie's host-only-flag is false and the canonicalized
|
||
|
// request-host domain-matches the cookie's domain."
|
||
|
if (c.hostOnly) {
|
||
|
if (c.domain != host) {
|
||
|
return false;
|
||
|
}
|
||
|
} else {
|
||
|
if (!domainMatch(host, c.domain, false)) {
|
||
|
return false;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// "The request-uri's path path-matches the cookie's path."
|
||
|
if (!allPaths && !pathMatch(path, c.path)) {
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
// "If the cookie's secure-only-flag is true, then the request-uri's
|
||
|
// scheme must denote a "secure" protocol"
|
||
|
if (c.secure && !secure) {
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
// "If the cookie's http-only-flag is true, then exclude the cookie if the
|
||
|
// cookie-string is being generated for a "non-HTTP" API"
|
||
|
if (c.httpOnly && !http) {
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
// RFC6265bis-02 S5.3.7
|
||
|
if (sameSiteLevel) {
|
||
|
const cookieLevel = Cookie.sameSiteLevel[c.sameSite || "none"];
|
||
|
if (cookieLevel > sameSiteLevel) {
|
||
|
// only allow cookies at or below the request level
|
||
|
return false;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// deferred from S5.3
|
||
|
// non-RFC: allow retention of expired cookies by choice
|
||
|
if (expireCheck && c.expiryTime() <= now) {
|
||
|
store.removeCookie(c.domain, c.path, c.key, () => {}); // result ignored
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
store.findCookies(
|
||
|
host,
|
||
|
allPaths ? null : path,
|
||
|
this.allowSpecialUseDomain,
|
||
|
(err, cookies) => {
|
||
|
if (err) {
|
||
|
return cb(err);
|
||
|
}
|
||
|
|
||
|
cookies = cookies.filter(matchingCookie);
|
||
|
|
||
|
// sorting of S5.4 part 2
|
||
|
if (options.sort !== false) {
|
||
|
cookies = cookies.sort(cookieCompare);
|
||
|
}
|
||
|
|
||
|
// S5.4 part 3
|
||
|
const now = new Date();
|
||
|
for (const cookie of cookies) {
|
||
|
cookie.lastAccessed = now;
|
||
|
}
|
||
|
// TODO persist lastAccessed
|
||
|
|
||
|
cb(null, cookies);
|
||
|
}
|
||
|
);
|
||
|
}
|
||
|
|
||
|
getCookieString(...args) {
|
||
|
const cb = args.pop();
|
||
|
const next = function(err, cookies) {
|
||
|
if (err) {
|
||
|
cb(err);
|
||
|
} else {
|
||
|
cb(
|
||
|
null,
|
||
|
cookies
|
||
|
.sort(cookieCompare)
|
||
|
.map(c => c.cookieString())
|
||
|
.join("; ")
|
||
|
);
|
||
|
}
|
||
|
};
|
||
|
args.push(next);
|
||
|
this.getCookies.apply(this, args);
|
||
|
}
|
||
|
|
||
|
getSetCookieStrings(...args) {
|
||
|
const cb = args.pop();
|
||
|
const next = function(err, cookies) {
|
||
|
if (err) {
|
||
|
cb(err);
|
||
|
} else {
|
||
|
cb(
|
||
|
null,
|
||
|
cookies.map(c => {
|
||
|
return c.toString();
|
||
|
})
|
||
|
);
|
||
|
}
|
||
|
};
|
||
|
args.push(next);
|
||
|
this.getCookies.apply(this, args);
|
||
|
}
|
||
|
|
||
|
serialize(cb) {
|
||
|
let type = this.store.constructor.name;
|
||
|
if (type === "Object") {
|
||
|
type = null;
|
||
|
}
|
||
|
|
||
|
// update README.md "Serialization Format" if you change this, please!
|
||
|
const serialized = {
|
||
|
// The version of tough-cookie that serialized this jar. Generally a good
|
||
|
// practice since future versions can make data import decisions based on
|
||
|
// known past behavior. When/if this matters, use `semver`.
|
||
|
version: `tough-cookie@${VERSION}`,
|
||
|
|
||
|
// add the store type, to make humans happy:
|
||
|
storeType: type,
|
||
|
|
||
|
// CookieJar configuration:
|
||
|
rejectPublicSuffixes: !!this.rejectPublicSuffixes,
|
||
|
|
||
|
// this gets filled from getAllCookies:
|
||
|
cookies: []
|
||
|
};
|
||
|
|
||
|
if (
|
||
|
!(
|
||
|
this.store.getAllCookies &&
|
||
|
typeof this.store.getAllCookies === "function"
|
||
|
)
|
||
|
) {
|
||
|
return cb(
|
||
|
new Error(
|
||
|
"store does not support getAllCookies and cannot be serialized"
|
||
|
)
|
||
|
);
|
||
|
}
|
||
|
|
||
|
this.store.getAllCookies((err, cookies) => {
|
||
|
if (err) {
|
||
|
return cb(err);
|
||
|
}
|
||
|
|
||
|
serialized.cookies = cookies.map(cookie => {
|
||
|
// convert to serialized 'raw' cookies
|
||
|
cookie = cookie instanceof Cookie ? cookie.toJSON() : cookie;
|
||
|
|
||
|
// Remove the index so new ones get assigned during deserialization
|
||
|
delete cookie.creationIndex;
|
||
|
|
||
|
return cookie;
|
||
|
});
|
||
|
|
||
|
return cb(null, serialized);
|
||
|
});
|
||
|
}
|
||
|
|
||
|
toJSON() {
|
||
|
return this.serializeSync();
|
||
|
}
|
||
|
|
||
|
// use the class method CookieJar.deserialize instead of calling this directly
|
||
|
_importCookies(serialized, cb) {
|
||
|
let cookies = serialized.cookies;
|
||
|
if (!cookies || !Array.isArray(cookies)) {
|
||
|
return cb(new Error("serialized jar has no cookies array"));
|
||
|
}
|
||
|
cookies = cookies.slice(); // do not modify the original
|
||
|
|
||
|
const putNext = err => {
|
||
|
if (err) {
|
||
|
return cb(err);
|
||
|
}
|
||
|
|
||
|
if (!cookies.length) {
|
||
|
return cb(err, this);
|
||
|
}
|
||
|
|
||
|
let cookie;
|
||
|
try {
|
||
|
cookie = fromJSON(cookies.shift());
|
||
|
} catch (e) {
|
||
|
return cb(e);
|
||
|
}
|
||
|
|
||
|
if (cookie === null) {
|
||
|
return putNext(null); // skip this cookie
|
||
|
}
|
||
|
|
||
|
this.store.putCookie(cookie, putNext);
|
||
|
};
|
||
|
|
||
|
putNext();
|
||
|
}
|
||
|
|
||
|
clone(newStore, cb) {
|
||
|
if (arguments.length === 1) {
|
||
|
cb = newStore;
|
||
|
newStore = null;
|
||
|
}
|
||
|
|
||
|
this.serialize((err, serialized) => {
|
||
|
if (err) {
|
||
|
return cb(err);
|
||
|
}
|
||
|
CookieJar.deserialize(serialized, newStore, cb);
|
||
|
});
|
||
|
}
|
||
|
|
||
|
cloneSync(newStore) {
|
||
|
if (arguments.length === 0) {
|
||
|
return this._cloneSync();
|
||
|
}
|
||
|
if (!newStore.synchronous) {
|
||
|
throw new Error(
|
||
|
"CookieJar clone destination store is not synchronous; use async API instead."
|
||
|
);
|
||
|
}
|
||
|
return this._cloneSync(newStore);
|
||
|
}
|
||
|
|
||
|
removeAllCookies(cb) {
|
||
|
const store = this.store;
|
||
|
|
||
|
// Check that the store implements its own removeAllCookies(). The default
|
||
|
// implementation in Store will immediately call the callback with a "not
|
||
|
// implemented" Error.
|
||
|
if (
|
||
|
typeof store.removeAllCookies === "function" &&
|
||
|
store.removeAllCookies !== Store.prototype.removeAllCookies
|
||
|
) {
|
||
|
return store.removeAllCookies(cb);
|
||
|
}
|
||
|
|
||
|
store.getAllCookies((err, cookies) => {
|
||
|
if (err) {
|
||
|
return cb(err);
|
||
|
}
|
||
|
|
||
|
if (cookies.length === 0) {
|
||
|
return cb(null);
|
||
|
}
|
||
|
|
||
|
let completedCount = 0;
|
||
|
const removeErrors = [];
|
||
|
|
||
|
function removeCookieCb(removeErr) {
|
||
|
if (removeErr) {
|
||
|
removeErrors.push(removeErr);
|
||
|
}
|
||
|
|
||
|
completedCount++;
|
||
|
|
||
|
if (completedCount === cookies.length) {
|
||
|
return cb(removeErrors.length ? removeErrors[0] : null);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
cookies.forEach(cookie => {
|
||
|
store.removeCookie(
|
||
|
cookie.domain,
|
||
|
cookie.path,
|
||
|
cookie.key,
|
||
|
removeCookieCb
|
||
|
);
|
||
|
});
|
||
|
});
|
||
|
}
|
||
|
|
||
|
static deserialize(strOrObj, store, cb) {
|
||
|
if (arguments.length !== 3) {
|
||
|
// store is optional
|
||
|
cb = store;
|
||
|
store = null;
|
||
|
}
|
||
|
|
||
|
let serialized;
|
||
|
if (typeof strOrObj === "string") {
|
||
|
serialized = jsonParse(strOrObj);
|
||
|
if (serialized instanceof Error) {
|
||
|
return cb(serialized);
|
||
|
}
|
||
|
} else {
|
||
|
serialized = strOrObj;
|
||
|
}
|
||
|
|
||
|
const jar = new CookieJar(store, serialized.rejectPublicSuffixes);
|
||
|
jar._importCookies(serialized, err => {
|
||
|
if (err) {
|
||
|
return cb(err);
|
||
|
}
|
||
|
cb(null, jar);
|
||
|
});
|
||
|
}
|
||
|
|
||
|
static deserializeSync(strOrObj, store) {
|
||
|
const serialized =
|
||
|
typeof strOrObj === "string" ? JSON.parse(strOrObj) : strOrObj;
|
||
|
const jar = new CookieJar(store, serialized.rejectPublicSuffixes);
|
||
|
|
||
|
// catch this mistake early:
|
||
|
if (!jar.store.synchronous) {
|
||
|
throw new Error(
|
||
|
"CookieJar store is not synchronous; use async API instead."
|
||
|
);
|
||
|
}
|
||
|
|
||
|
jar._importCookiesSync(serialized);
|
||
|
return jar;
|
||
|
}
|
||
|
}
|
||
|
CookieJar.fromJSON = CookieJar.deserializeSync;
|
||
|
|
||
|
[
|
||
|
"_importCookies",
|
||
|
"clone",
|
||
|
"getCookies",
|
||
|
"getCookieString",
|
||
|
"getSetCookieStrings",
|
||
|
"removeAllCookies",
|
||
|
"serialize",
|
||
|
"setCookie"
|
||
|
].forEach(name => {
|
||
|
CookieJar.prototype[name] = fromCallback(CookieJar.prototype[name]);
|
||
|
});
|
||
|
CookieJar.deserialize = fromCallback(CookieJar.deserialize);
|
||
|
|
||
|
// Use a closure to provide a true imperative API for synchronous stores.
|
||
|
function syncWrap(method) {
|
||
|
return function(...args) {
|
||
|
if (!this.store.synchronous) {
|
||
|
throw new Error(
|
||
|
"CookieJar store is not synchronous; use async API instead."
|
||
|
);
|
||
|
}
|
||
|
|
||
|
let syncErr, syncResult;
|
||
|
this[method](...args, (err, result) => {
|
||
|
syncErr = err;
|
||
|
syncResult = result;
|
||
|
});
|
||
|
|
||
|
if (syncErr) {
|
||
|
throw syncErr;
|
||
|
}
|
||
|
return syncResult;
|
||
|
};
|
||
|
}
|
||
|
|
||
|
exports.version = VERSION;
|
||
|
exports.CookieJar = CookieJar;
|
||
|
exports.Cookie = Cookie;
|
||
|
exports.Store = Store;
|
||
|
exports.MemoryCookieStore = MemoryCookieStore;
|
||
|
exports.parseDate = parseDate;
|
||
|
exports.formatDate = formatDate;
|
||
|
exports.parse = parse;
|
||
|
exports.fromJSON = fromJSON;
|
||
|
exports.domainMatch = domainMatch;
|
||
|
exports.defaultPath = defaultPath;
|
||
|
exports.pathMatch = pathMatch;
|
||
|
exports.getPublicSuffix = pubsuffix.getPublicSuffix;
|
||
|
exports.cookieCompare = cookieCompare;
|
||
|
exports.permuteDomain = require("./permuteDomain").permuteDomain;
|
||
|
exports.permutePath = permutePath;
|
||
|
exports.canonicalDomain = canonicalDomain;
|
||
|
exports.PrefixSecurityEnum = PrefixSecurityEnum;
|