refactor: migrate cookies to built-in implementation, close #129 (#130)

Author: pengzhanbo

.vscode/settings.json

@@ -2,6 +2,7 @@
   "cSpell.words": [
     "esbuild",
     "importee",
+    "keygrip",
     "metafile",
     "middlewares",
     "mockjs",

package.json

@@ -22,7 +22,6 @@
   "devDependencies": {
     "@pengzhanbo/eslint-config": "catalog:dev",
     "@types/co-body": "catalog:dev",
-    "@types/cookies": "catalog:dev",
     "@types/cors": "catalog:dev",
     "@types/debug": "catalog:dev",
     "@types/formidable": "catalog:dev",

pnpm-lock.yaml

@@ -6,7 +6,6 @@ catalogs:
   dev:
     '@pengzhanbo/eslint-config': ^1.39.0
     '@types/co-body': ^6.1.3
-    '@types/cookies': ^0.9.2
     '@types/cors': ^2.8.19
     '@types/debug': ^4.1.12
     '@types/formidable': ^3.4.6
@@ -19,22 +18,21 @@ catalogs:
     bumpp: ^10.3.1
     conventional-changelog-cli: ^5.0.0
     esbuild: ^0.25.11
-    eslint: ^9.38.0
+    eslint: ^9.39.0
     mockjs: ^1.1.0
     rolldown: ^1.0.0-beta.45
-    tsdown: ^0.15.11
+    tsdown: ^0.15.12
     typescript: ^5.9.3
     vite: 'npm:rolldown-vite@latest'
     vitepress: ^2.0.0-alpha.12
     vitepress-plugin-group-icons: ^1.6.5
     vitepress-plugin-llms: ^1.8.1
-    vitest: ^4.0.4
+    vitest: ^4.0.6
   prod:
     '@pengzhanbo/utils': ^2.1.0
     ansis: ^4.2.0
     chokidar: ^4.0.3
     co-body: ^6.2.0
-    cookies: ^0.9.1
     cors: ^2.8.5
     debug: ^4.4.3
     formidable: 3.5.4

pnpm-workspace.yaml

@@ -67,7 +67,6 @@
     "ansis": "catalog:prod",
     "chokidar": "catalog:prod",
     "co-body": "catalog:prod",
-    "cookies": "catalog:prod",
     "cors": "catalog:prod",
     "debug": "catalog:prod",
     "formidable": "catalog:prod",

vite-plugin-mock-dev-server/package.json

@@ -0,0 +1,93 @@
+import type { SetCookieOption } from './types'
+import {
+  fieldContentRegExp,
+  PRIORITY_REGEXP,
+  RESTRICTED_NAME_CHARS_REGEXP,
+  RESTRICTED_VALUE_CHARS_REGEXP,
+  SAME_SITE_REGEXP,
+} from './constants'
+
+export class Cookie {
+  name!: string
+  value: string | undefined | null
+
+  maxAge: number | undefined
+  expires: Date | undefined
+  path = '/'
+  domain: string | undefined
+  secure = false
+  httpOnly = true
+  sameSite: SetCookieOption['sameSite'] = false
+  overwrite = false
+  priority: SetCookieOption['priority'] | undefined
+  partitioned: boolean | undefined
+
+  constructor(name: string, value?: string | null, options: SetCookieOption = {}) {
+    if (!fieldContentRegExp.test(name) || RESTRICTED_NAME_CHARS_REGEXP.test(name)) {
+      throw new TypeError('argument name is invalid')
+    }
+
+    if (value && (!fieldContentRegExp.test(value) || RESTRICTED_VALUE_CHARS_REGEXP.test(value)))
+      throw new TypeError('argument value is invalid')
+
+    this.name = name
+    this.value = value
+
+    Object.assign(this, options)
+
+    if (!this.value) {
+      this.expires = new Date(0)
+      this.maxAge = undefined
+    }
+
+    if (this.path && !fieldContentRegExp.test(this.path)) {
+      throw new TypeError('[Cookie] option path is invalid')
+    }
+
+    if (this.domain && !fieldContentRegExp.test(this.domain)) {
+      throw new TypeError('[Cookie] option domain is invalid')
+    }
+
+    if (typeof this.maxAge === 'number' ? (Number.isNaN(this.maxAge) || !Number.isFinite(this.maxAge)) : this.maxAge) {
+      throw new TypeError('[Cookie] option maxAge is invalid')
+    }
+
+    if (this.priority && !PRIORITY_REGEXP.test(this.priority)) {
+      throw new TypeError('[Cookie] option priority is invalid')
+    }
+
+    if (this.sameSite && this.sameSite !== true && !SAME_SITE_REGEXP.test(this.sameSite)) {
+      throw new TypeError('[Cookie] option sameSite is invalid')
+    }
+  }
+
+  toString(): string {
+    return `${this.name}=${this.value}`
+  }
+
+  toHeader(): string {
+    let header = this.toString()
+
+    if (this.maxAge)
+      this.expires = new Date(Date.now() + this.maxAge)
+
+    if (this.path)
+      header += `; path=${this.path}`
+    if (this.expires)
+      header += `; expires=${this.expires.toUTCString()}`
+    if (this.domain)
+      header += `; domain=${this.domain}`
+    if (this.priority)
+      header += `; priority=${this.priority.toLowerCase()}`
+    if (this.sameSite)
+      header += `; samesite=${this.sameSite === true ? 'strict' : this.sameSite.toLowerCase()}`
+    if (this.secure)
+      header += '; secure'
+    if (this.httpOnly)
+      header += '; httponly'
+    if (this.partitioned)
+      header += '; partitioned'
+
+    return header
+  }
+}

vite-plugin-mock-dev-server/src/cookies/Cookie.ts

@@ -0,0 +1,140 @@
+import type { IncomingMessage, ServerResponse } from 'node:http'
+import type { CookiesOption, GetCookieOption, SetCookieOption } from './types'
+import http from 'node:http'
+import { isArray, toArray } from '@pengzhanbo/utils'
+import { REGEXP_CACHE, REGEXP_ESCAPE_CHARS_REGEXP } from './constants'
+import { Cookie } from './Cookie'
+import { Keygrip } from './Keygrip'
+
+export class Cookies {
+  request: IncomingMessage
+  response: ServerResponse<IncomingMessage>
+  secure: boolean | undefined
+  keys: Keygrip | undefined
+
+  constructor(
+    req: IncomingMessage,
+    res: ServerResponse<IncomingMessage>,
+    options: CookiesOption = {},
+  ) {
+    this.request = req
+    this.response = res
+    this.secure = options.secure
+
+    if (options.keys instanceof Keygrip) {
+      this.keys = options.keys
+    }
+    else if (isArray(options.keys)) {
+      this.keys = new Keygrip(options.keys)
+    }
+  }
+
+  set(name: string, value?: string | null, options?: SetCookieOption): this {
+    const req = this.request
+    const res = this.response
+    const headers = toArray(res.getHeader('Set-Cookie')) as string[]
+    const cookie = new Cookie(name, value, options)
+    const signed = options?.signed ?? !!this.keys
+    const secure = this.secure === undefined
+      ? (req as IncomingMessage & { protocol: string }).protocol === 'https' || isRequestEncrypted(req)
+      : Boolean(this.secure)
+
+    if (!secure && options?.secure) {
+      throw new Error('Cannot send secure cookie over unencrypted connection')
+    }
+
+    cookie.secure = options?.secure ?? secure
+
+    pushCookie(headers, cookie)
+
+    if (signed && options) {
+      if (!this.keys)
+        throw new Error('.keys required for signed cookies')
+      cookie.value = this.keys.sign(cookie.toString())
+      cookie.name += '.sig'
+      pushCookie(headers, cookie)
+    }
+
+    const setHeader = (res as any).set ? http.OutgoingMessage.prototype.setHeader : res.setHeader
+    setHeader.call(res, 'Set-Cookie', headers)
+
+    return this
+  }
+
+  get(name: string, options?: GetCookieOption): string | void {
+    const signName = `${name}.sig`
+    const signed = options?.signed ?? !!this.keys
+
+    const header = this.request.headers.cookie
+
+    if (!header)
+      return
+
+    const match = header.match(getPattern(name))
+
+    if (!match)
+      return
+
+    let value = match[1]
+
+    if (value[0] === '"')
+      value = value.slice(1, -1)
+
+    if (!options || !signed)
+      return value
+
+    const remote = this.get(signName)
+    if (!remote)
+      return
+
+    const data = `${name}=${value}`
+
+    if (!this.keys)
+      throw new Error('.keys required for signed cookies')
+
+    const index = this.keys.index(data, remote)
+    if (index < 0) {
+      this.set(signName, null, { path: '/', signed: false })
+    }
+    else {
+      index && this.set(signName, this.keys.sign(data), { signed: false })
+      return value
+    }
+  }
+}
+
+/**
+ * Get the pattern to search for a cookie in a string.
+ */
+function getPattern(name: string): RegExp {
+  if (!REGEXP_CACHE[name]) {
+    REGEXP_CACHE[name] = new RegExp(
+      `(?:^|;) *${
+        name.replace(REGEXP_ESCAPE_CHARS_REGEXP, '\\$&')
+      }=([^;]*)`,
+    )
+  }
+
+  return REGEXP_CACHE[name]
+}
+
+/**
+ * Get the encrypted status for a request.
+ */
+function isRequestEncrypted(req: IncomingMessage): boolean {
+  return Boolean(req.socket
+    ? (req.socket as any).encrypted
+    : (req.connection as any).encrypted)
+}
+
+function pushCookie(headers: string[], cookie: Cookie): void {
+  if (cookie.overwrite) {
+    for (let i = headers.length - 1; i >= 0; i--) {
+      if (headers[i].indexOf(`${cookie.name}=`) === 0) {
+        headers.splice(i, 1)
+      }
+    }
+  }
+
+  headers.push(cookie.toHeader())
+}

vite-plugin-mock-dev-server/src/cookies/Cookies.ts

@@ -0,0 +1,35 @@
+import crypto from 'node:crypto'
+import { timeSafeCompare } from './timeSafeCompare'
+
+const SLASH_PATTERN = /[/+=]/g
+const REPLACE_MAP: Record<string, string> = { '/': '_', '+': '-', '=': '' }
+
+export class Keygrip {
+  private algorithm!: string
+  private encoding!: crypto.BinaryToTextEncoding
+  private keys: string[] = []
+
+  constructor(keys: string[], algorithm?: string, encoding?: crypto.BinaryToTextEncoding) {
+    this.keys = keys
+    this.algorithm = algorithm || 'sha256'
+    this.encoding = encoding || 'base64'
+  }
+
+  sign(data: string, key: string = this.keys[0]): string {
+    return crypto.createHmac(this.algorithm, key).update(data).digest(this.encoding).replace(SLASH_PATTERN, m => REPLACE_MAP[m])
+  }
+
+  index(data: string, digest: string): number {
+    for (let i = 0, l = this.keys.length; i < l; i++) {
+      if (timeSafeCompare(digest, this.sign(data, this.keys[i]))) {
+        return i
+      }
+    }
+
+    return -1
+  }
+
+  verify(data: string, digest: string): boolean {
+    return this.index(data, digest) > -1
+  }
+}

vite-plugin-mock-dev-server/src/cookies/Keygrip.ts

@@ -0,0 +1,45 @@
+/**
+ * RegExp to match field-content in RFC 7230 sec 3.2
+ *
+ * field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+ * field-vchar   = VCHAR / obs-text
+ * obs-text      = %x80-FF
+ */
+
+export const fieldContentRegExp: RegExp = /^[\t\u0020-\u007E\u0080-\u00FF]+$/
+
+/**
+ * RegExp to match Priority cookie attribute value.
+ */
+
+export const PRIORITY_REGEXP: RegExp = /^(?:low|medium|high)$/i
+
+/**
+ * Cache for generated name regular expressions.
+ */
+
+export const REGEXP_CACHE: Record<string, RegExp> = Object.create(null)
+
+/**
+ * RegExp to match all characters to escape in a RegExp.
+ */
+
+export const REGEXP_ESCAPE_CHARS_REGEXP: RegExp = /[\^$\\.*+?()[\]{}|]/g
+
+/**
+ * RegExp to match basic restricted name characters for loose validation.
+ */
+
+export const RESTRICTED_NAME_CHARS_REGEXP: RegExp = /[;=]/
+
+/**
+ * RegExp to match basic restricted value characters for loose validation.
+ */
+
+export const RESTRICTED_VALUE_CHARS_REGEXP: RegExp = /;/
+
+/**
+ * RegExp to match Same-Site cookie attribute value.
+ */
+
+export const SAME_SITE_REGEXP: RegExp = /^(?:lax|none|strict)$/i

vite-plugin-mock-dev-server/src/cookies/constants.ts

@@ -0,0 +1,4 @@
+export * from './Cookie'
+export * from './Cookies'
+export * from './Keygrip'
+export type * from './types'