fix(http): discard unencrypted cookies (#1551)

brendt · web-flow · commit a061e46ff559 · 2025-09-15T11:49:30.000+02:00
diff --git a/packages/http/src/Mappers/PsrRequestToGenericRequestMapper.php b/packages/http/src/Mappers/PsrRequestToGenericRequestMapper.php
@@ -8,12 +8,14 @@
 use Psr\Http\Message\UploadedFileInterface;
 use Tempest\Cryptography\Encryption\Encrypter;
 use Tempest\Http\Cookie\Cookie;
+use Tempest\Http\Cookie\CookieManager;
 use Tempest\Http\GenericRequest;
 use Tempest\Http\Method;
 use Tempest\Http\RequestHeaders;
 use Tempest\Http\Upload;
 use Tempest\Mapper\Mapper;
 use Tempest\Support\Arr;
+use Throwable;
 
 use function Tempest\map;
 use function Tempest\Support\arr;
@@ -22,6 +24,7 @@
 {
     public function __construct(
         private Encrypter $encrypter,
+        private CookieManager $cookies,
     ) {}
 
     public function canMap(mixed $from, mixed $to): bool
@@ -60,13 +63,21 @@ public function map(mixed $from, mixed $to): GenericRequest
             'path' => $from->getUri()->getPath(),
             'query' => $query,
             'files' => $uploads,
-            'cookies' => Arr\map_iterable(
+            'cookies' => Arr\filter(Arr\map_iterable(
                 array: $_COOKIE,
-                map: fn (string $value, string $key) => new Cookie(
-                    key: $key,
-                    value: $this->encrypter->decrypt($value),
-                ),
-            ),
+                map: function (string $value, string $key) {
+                    try {
+                        return new Cookie(
+                            key: $key,
+                            value: $this->encrypter->decrypt($value),
+                        );
+                    } catch (Throwable) {
+                        $this->cookies->remove($key);
+
+                        return null;
+                    }
+                },
+            )),
         ])
             ->to(GenericRequest::class);
     }
diff --git a/tests/Integration/Route/Fixtures/upload-moved.txt b/tests/Integration/Route/Fixtures/upload-moved.txt
@@ -0,0 +1 @@
+hello
diff --git a/tests/Integration/Route/PsrRequestToGenericRequestMapperTest.php b/tests/Integration/Route/PsrRequestToGenericRequestMapperTest.php
@@ -2,34 +2,40 @@
 
 declare(strict_types=1);
 
-namespace Tests\Tempest\Integration\Mapper;
+namespace Integration\Route;
 
 use Laminas\Diactoros\ServerRequest;
 use Laminas\Diactoros\Stream;
 use Laminas\Diactoros\UploadedFile;
 use Laminas\Diactoros\Uri;
 use Tempest\Cryptography\Encryption\Encrypter;
+use Tempest\Http\Cookie\CookieManager;
 use Tempest\Http\GenericRequest;
 use Tempest\Http\Mappers\PsrRequestToGenericRequestMapper;
-use Tempest\Http\Method;
 use Tempest\Http\Request;
 use Tempest\Http\Upload;
 use Tests\Tempest\Integration\FrameworkIntegrationTestCase;
 
 /**
  * @internal
  */
-final class PsrRequestToRequestMapperTest extends FrameworkIntegrationTestCase
+final class PsrRequestToGenericRequestMapperTest extends FrameworkIntegrationTestCase
 {
     private Encrypter $encrypter {
         get => $this->container->get(Encrypter::class);
     }
 
+    private CookieManager $cookies {
+        get => $this->container->get(CookieManager::class);
+    }
+
+    private PsrRequestToGenericRequestMapper $mapper {
+        get => new PsrRequestToGenericRequestMapper($this->encrypter, $this->cookies);
+    }
+
     public function test_generic_request_is_used_when_interface_is_passed(): void
     {
-        $mapper = new PsrRequestToGenericRequestMapper($this->encrypter);
-
-        $request = $mapper->map(
+        $request = $this->mapper->map(
             from: $this->http->makePsrRequest('/'),
             to: Request::class,
         );
@@ -45,7 +51,7 @@ public function test_raw(): void
 
         $_COOKIE['test'] = $this->encrypter->encrypt('cookie-value')->serialize();
 
-        $request = new PsrRequestToGenericRequestMapper($this->encrypter)->map(new ServerRequest(
+        $request = $this->mapper->map(new ServerRequest(
             uri: new Uri('/json-endpoint'),
             method: 'POST',
             body: $stream,
@@ -65,10 +71,8 @@ public function test_files(): void
 
         copy(__DIR__ . '/Fixtures/upload.txt', $currentPath);
 
-        $mapper = new PsrRequestToGenericRequestMapper($this->encrypter);
-
         /** @var GenericRequest $request */
-        $request = $mapper->map(
+        $request = $this->mapper->map(
             from: $this->http->makePsrRequest('/', files: [new UploadedFile(
                 streamOrFile: $currentPath,
                 size: 1,
@@ -99,7 +103,7 @@ public function test_files(): void
 
     public function test_body_field_in_body(): void
     {
-        $request = new PsrRequestToGenericRequestMapper($this->encrypter)->map(
+        $request = $this->mapper->map(
             from: $this->http->makePsrRequest(
                 uri: '/',
                 body: [
@@ -111,4 +115,26 @@ public function test_body_field_in_body(): void
 
         $this->assertSame(['body' => 'text'], $request->body);
     }
+
+    public function test_unencrypted_cookies_are_discarded(): void
+    {
+        $request = $this->mapper->map(
+            from: $this->http->makePsrRequest(
+                uri: '/',
+                body: [
+                    'body' => 'text',
+                ],
+                cookies: [
+                    'foo' => 'bar',
+                ],
+            ),
+            to: GenericRequest::class,
+        );
+
+        $this->assertSame([], $request->cookies);
+
+        $cookies = $this->cookies->all();
+        $this->assertSame($cookies['foo']->expiresAt, -1);
+        $this->assertSame($cookies['foo']->value, '');
+    }
 }
diff --git a/tests/Integration/Route/RequestTest.php b/tests/Integration/Route/RequestTest.php
@@ -68,6 +68,8 @@ public function test_request_get(): void
 
     public function test_from_factory(): void
     {
+        $_COOKIE = [];
+
         $_SERVER['REQUEST_METHOD'] = Method::POST->value;
         $_SERVER['REQUEST_URI'] = '/test';
         $_SERVER['HTTP_X-TEST'] = 'test';
@@ -84,7 +86,6 @@ public function test_from_factory(): void
         $this->assertEquals('/test', $request->getUri()->getPath());
         $this->assertEquals(['test' => 'test'], $request->getParsedBody());
         $this->assertEquals(['x-test' => ['test']], $request->getHeaders());
-
         $this->assertCount(1, $request->getCookieParams());
         $this->assertArrayHasKey('test', $request->getCookieParams());
         $this->assertSame('test', $this->container->get(Encrypter::class)->decrypt($request->getCookieParams()['test']));
