improved cookie security

test/spec/AuthHandler.ts

@@ -15,6 +15,7 @@ import {
   get, modify_signature, Response
 } from '../Helper';
 import { create_auth_handler } from '../../lib/index';
+import { build_cookie, extract_cookie } from '../../lib/cookie';
 
 const expires_seconds = 600;
 const refresh_expires_seconds = 3600;
@@ -37,8 +38,8 @@ function check_headers (resp: Response): CheckHeaderResult {
   return { data, at, rt };
 }
 
-function check_token (token: string, type: string): void {
-  const v = auth.verify (token);
+function check_token (token: string|null, type: string): void {
+  const v = auth.verify (token || '');
   expect (v.valid)
     .toEqual (true);
   expect (v.authorized)
@@ -158,9 +159,9 @@ describe ('auth handler', () => {
     expect (res1.data.token_type)
       .toEqual ('bearer');
     expect (resp1.headers['set-cookie'])
-      .toContain (`cookie_jar=${res1.at}`);
+      .toContain (build_cookie ('cookie_jar', res1.at as string));
     expect (resp1.headers['set-cookie'])
-      .toContain (`mint_cookies=${res1.rt}`);
+      .toContain (build_cookie ('mint_cookies', res1.rt as string));
 
     check_token (res1.at as string, 'access_token');
     expect (res1.data.expires_in)
@@ -179,9 +180,9 @@ describe ('auth handler', () => {
     expect (res2.data.token_type)
       .toEqual ('bearer');
     expect (resp2.headers['set-cookie'])
-      .toContain (`cookie_jar=${res2.at}`);
+      .toContain (build_cookie ('cookie_jar', res2.at as string));
     expect (resp2.headers['set-cookie'])
-      .toContain (`mint_cookies=${res2.rt}`);
+      .toContain (build_cookie ('mint_cookies', res2.rt as string));
 
     check_token (res2.at as string, 'access_token');
     expect (res2.data.expires_in)
@@ -211,9 +212,9 @@ describe ('auth handler', () => {
     expect (res1.data.token_type)
       .toEqual ('bearer');
     expect (resp1.headers['set-cookie'])
-      .toContain (`cookie_jar=${res1.at}`);
+      .toContain (build_cookie ('cookie_jar', res1.at as string));
     expect (resp1.headers['set-cookie'])
-      .toContain (`mint_cookies=${res1.rt}`);
+      .toContain (build_cookie ('mint_cookies', res1.rt as string));
 
     check_token (res1.at as string, 'access_token');
     expect (res1.data.expires_in)
@@ -236,9 +237,9 @@ describe ('auth handler', () => {
     expect (res1.data.token_type)
       .toEqual ('bearer');
     expect (resp1.headers['set-cookie'])
-      .toContain (`cookie_jar=${res1.at}`);
+      .toContain (build_cookie ('cookie_jar', res1.at as string));
     expect (resp1.headers['set-cookie'])
-      .toContain (`mint_cookies=${res1.rt}`);
+      .toContain (build_cookie ('mint_cookies', res1.rt as string));
 
     check_token (res1.at as string, 'access_token');
     expect (res1.data.expires_in)
@@ -309,9 +310,9 @@ describe ('auth handler', () => {
     expect (res2.data.token_type)
       .toEqual ('bearer');
     expect (resp2.headers['set-cookie'])
-      .toContain (`cookie_jar=${res2.at}`);
+      .toContain (build_cookie ('cookie_jar', res2.at as string));
     expect (resp2.headers['set-cookie'])
-      .toContain (`mint_cookies=${res2.rt}`);
+      .toContain (build_cookie ('mint_cookies', res2.rt as string));
 
     check_token (res2.at as string, 'access_token');
     expect (res2.data.expires_in)
@@ -330,11 +331,10 @@ describe ('auth handler', () => {
       .toEqual (302);
     expect (resp1.headers.location)
       .toEqual ('/redirected');
-    let signature = '';
-    for (const c of resp1.headers['set-cookie'] as string[]) {
-      if (c.includes ('cookie_jar='))
-        signature = c.replace ('cookie_jar=', '');
-    }
+    const signature = extract_cookie (
+      'cookie_jar',
+      (resp1.headers['set-cookie'] || []).join ('\n')
+    );
     check_token (signature, 'access_token');
   });
 
@@ -357,11 +357,10 @@ describe ('auth handler', () => {
       .toEqual ('text/plain');
     expect (resp1.body)
       .toEqual ('custom response, true');
-    let signature = '';
-    for (const c of resp1.headers['set-cookie'] as string[]) {
-      if (c.includes ('cookie_jar='))
-        signature = c.replace ('cookie_jar=', '');
-    }
+    const signature = extract_cookie (
+      'cookie_jar',
+      (resp1.headers['set-cookie'] || []).join ('\n')
+    );
     expect (signature).not.toEqual ('');
     check_token (signature, 'access_token');
   });

test/spec/cookie.ts

@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Sapphirecode - All Rights Reserved
+ * This file is part of Auth-Server-Helper which is released under MIT.
+ * See file 'LICENSE' for full license details.
+ * Created by Timo Hocker <timo@scode.ovh>, January 2022
+ */
+
+import { build_cookie, extract_cookie } from '../../lib/cookie';
+
+describe ('cookie', () => {
+  it ('should create a cookie', () => {
+    const pairs = [
+      {
+        name:   'foo',
+        value:  'bar',
+        result: 'foo=bar; Secure; HttpOnly; SameSite=Strict'
+      },
+      {
+        name:   'foäöüo',
+        value:  'baäöür',
+        result: 'foäöüo=baäöür; Secure; HttpOnly; SameSite=Strict'
+      }
+    ];
+
+    for (const pair of pairs) {
+      expect (build_cookie (pair.name, pair.value))
+        .toEqual (pair.result);
+    }
+  });
+
+  it ('should parse a cookie', () => {
+    const pairs = [
+      {
+        header: 'foo=bar; Secure; HttpOnly; SameSite=Strict',
+        name:   'foo',
+        value:  'bar'
+      },
+      {
+        header: '134=567;foäöüo=baäöür;tesT=123',
+        name:   'foäöüo',
+        value:  'baäöür'
+      }
+    ];
+
+    for (const pair of pairs) {
+      expect (extract_cookie (pair.name, pair.header))
+        .toEqual (pair.value);
+    }
+  });
+});