feat: support for cta in cookies (#24)

birme · web-flow · commit 6bd25d4efd5f · 2025-03-25T12:07:21.000+01:00
* feat: support for cta in cookies

* fix: token needs to be url encoded when in query param
diff --git a/src/validators/http.test.ts b/src/validators/http.test.ts
@@ -626,6 +626,49 @@ describe('HTTP Request CAT Validator with auto renew', () => {
     expect(result.cfResponse.headers['cta-common-access-token']).toBeDefined();
   });
 
+  test('cloudfront request with token as cookie', async () => {
+    const httpValidator = new HttpValidator({
+      keys: [
+        {
+          kid: 'Symmetric256',
+          key: Buffer.from(
+            '403697de87af64611c1d32a05dab0fe1fcb715a86ab435f1ec99192d79569388',
+            'hex'
+          )
+        }
+      ],
+      issuer: 'eyevinn'
+    });
+    const result = await httpValidator.validateCloudFrontRequest({
+      clientIp: 'dummy',
+      method: 'GET',
+      uri: '/content/path/file.m3u8',
+      querystring: '',
+      headers: {
+        cookie: [
+          {
+            value: `CTA-Common-Access-Token=${base64encoded!}; Path=/; Secure; HttpOnly`
+          }
+        ],
+        host: [
+          {
+            key: 'Host',
+            value: 'example.com'
+          }
+        ]
+      }
+    });
+    expect(result.status).toBe(200);
+    expect(
+      result.cfResponse.headers['cta-common-access-token']
+    ).not.toBeDefined();
+    expect(
+      result.cfResponse.headers['set-cookie'][0].value.includes(
+        'cta-common-access-token'
+      )
+    ).toBeTruthy();
+  });
+
   test('cloudfront request with autorenew where token has not expired', async () => {
     base64encoded = await generator.generate(
       {
diff --git a/src/validators/http.ts b/src/validators/http.ts
@@ -314,6 +314,21 @@ export class HttpValidator {
         ? request.headers[headerName]![0]
         : (request.headers[headerName] as string);
       catrType = 'header';
+    } else if (request.headers['cookie']) {
+      const cookies = !Array.isArray(request.headers['cookie'])
+        ? [request.headers['cookie'] as string]
+        : (request.headers['cookie'] as string[]);
+      for (const cookie of cookies) {
+        const parts = cookie.split(';')[0].match(/(.*?)=(.*)$/);
+        if (parts) {
+          const [name, value] = parts.slice(1);
+          if (name.toLowerCase() === 'cta-common-access-token') {
+            token = value;
+            catrType = 'cookie';
+            break;
+          }
+        }
+      }
     } else if (url && url.searchParams.has(this.tokenUriParam)) {
       token = url.searchParams.get(this.tokenUriParam) || undefined;
       catrType = 'query';
@@ -374,7 +389,8 @@ export class HttpValidator {
                 { addCwtTag: true }
               );
               const newToken = newCat.raw?.toString('base64');
-              const newUrl = new URL(value[header][0] + newToken);
+              const encodedToken = encodeURIComponent(newToken!);
+              const newUrl = new URL(value[header][0] + encodedToken);
               response.setHeader(header, newUrl.toString());
             }
           }
