@swaggerexpert/cookie
v2.0.2
Published
RFC 6265 compliant cookie parser, validator and serializer.
Maintainers
char0nReadme
@swaggerexpert/cookie
@swaggerexpert/cookie is RFC 6265 compliant cookie parser, validator and serializer.
Table of Contents
Getting started
Installation
You can install @swaggerexpert/cookie using npm:
$ npm install @swaggerexpert/cookieUsage
@swaggerexpert/cookie currently supports parsing, validation and serialization.
Parser is based on a superset of ABNF (SABNF)
and uses apg-lite parser generator.
Cookie
The Cookie header is an HTTP header used to send cookies from the client (e.g., a browser) to the server.
The Cookie header is sent in HTTP requests and contains one or more cookies that the server previously set
via the Set-Cookie header. Cookies are formatted as key-value pairs, separated by semicolons (;),
and do not include metadata like Path, Domain, or HttpOnly.
Parsing Cookie
Parsing a cookie is as simple as importing the parseCookie function and calling it.
import { parseCookie } from '@swaggerexpert/cookie';
const parseResult = parseCookie('foo=bar');
parseResult.result.success; // => trueThe lenient mode for cookie parsing is designed to handle and extract valid cookie-pairs from potentially malformed or non-standard cookie strings. It focuses on maintaining compatibility with real-world scenarios where cookie headers may deviate from strict compliance with RFC 6265.
import { parseCookie } from '@swaggerexpert/cookie';
/**
* All of the following parse successfully.
*/
parseCookie('foo1=bar; foo2=baz', { strict: false });
parseCookie('foo1=bar;foo2=baz', { strict: false });
parseCookie('FOO = bar; baz = raz', { strict: false });
parseCookie('foo="bar=123456789&name=Magic+Mouse"', { strict: false });
parseCookie('foo = "bar"', { strict: false });
parseCookie('foo = bar ; fizz = buzz', { strict: false });
parseCookie('foo =', { strict: false });
parseCookie('\tfoo\t=\tbar\t', { strict: false });
parseCookie('foo1=bar;foo2=baz', { strict: false });
parseCookie('foo1=bar; foo2=baz', { strict: false });
parseCookie('foo=bar; fizz; buzz', { strict: false });
parseCookie('fizz; buzz; foo=bar', { strict: false });
parseCookie('name=name=3', { strict: false });
parseCookie('name:name=3', { strict: false });ParseResult returned by the parser has the following shape:
{
result: {
success: true,
state: 101,
stateName: 'MATCH',
length: 7,
matched: 7,
maxMatched: 7,
maxTreeDepth: 9,
nodeHits: 71
},
ast: fnast {
callbacks: [
'cookie-string': [Function: cookieString],
'cookie-pair': [Function: cookiePair],
'cookie-name': [Function: cookieName],
'cookie-value': [Function: cookieValue]
],
init: [Function (anonymous)],
ruleDefined: [Function (anonymous)],
udtDefined: [Function (anonymous)],
down: [Function (anonymous)],
up: [Function (anonymous)],
translate: [Function (anonymous)],
setLength: [Function (anonymous)],
getLength: [Function (anonymous)],
toXml: [Function (anonymous)]
}
}Interpreting AST as list of entries
import { parseCookie } from '@swaggerexpert/cookie';
const parseResult = parse('foo=bar');
const parts = [];
parseResult.ast.translate(parts);After running the above code, parts variable has the following shape:
[
['cookie-string', 'foo=bar'],
['cookie-pair', 'foo=bar'],
['cookie-name', 'foo'],
['cookie-value', 'bar'],
]Interpreting AST as XML
import { parseCookie } from '@swaggerexpert/cookie';
const parseResult = parseCookie('foo=bar');
const xml = parseResult.ast.toXml();After running the above code, xml variable has the following content:
<?xml version="1.0" encoding="utf-8"?>
<root nodes="4" characters="7">
<!-- input string -->
foo=bar
<node name="cookie-string" index="0" length="7">
foo=bar
<node name="cookie-pair" index="0" length="7">
foo=bar
<node name="cookie-name" index="0" length="3">
foo
</node><!-- name="cookie-name" -->
<node name="cookie-value" index="4" length="3">
bar
</node><!-- name="cookie-value" -->
</node><!-- name="cookie-pair" -->
</node><!-- name="cookie-string" -->
</root>NOTE: AST can also be traversed in classical way using depth first traversal. For more information about this option please refer to apg-js and apg-js-examples.
Serializing Cookie
Serializing a cookie is as simple as importing the serializeCookie function and calling it.
Serializing object:
import { serializeCookie } from '@swaggerexpert/cookie';
serializeCookie({ foo: 'bar' }); // => 'foo=bar'
serializeCookie({ foo: 'bar', baz: 'raz' }); // => 'foo=bar; baz=raz'Serializing entries:
By using entries (list of key-value pairs), this function supports creating cookies with duplicate names—a common scenario when sending multiple values for the same cookie name.
import { serializeCookie } from '@swaggerexpert/cookie';
serializeCookie([['foo', 'bar']]); // => 'foo=bar'
serializeCookie([[ 'foo', 'bar'], ['baz', 'raz' ]]); // => 'foo=bar; baz=raz'
serializeCookie([[ 'foo', 'bar'], ['baz', 'raz' ], ['foo', 'boo']]); // => 'foo=bar; baz=raz; foo=boo'Options
The serializeCookie function provides a powerful and flexible API for serializing cookies,
enabling the implementation of various scenarios. By default, it uses a set of sensible options
to ensure compliance with cookie standards. However, its behavior can be customized by overriding these defaults.
Default Options
Encoders transform cookie names and values during serialization to ensure they meet encoding requirements. Validators ensure that cookie names and values conform to the required standards. If validation fails, an error is thrown. Validators are executed after encoders, ensuring that values are first transformed before being validated.
The default options for serializeCookie ensure strict compliance with cookie standards by applying
no encoding for cookie names, RFC compliant encoding for values, and robust validation for
both names and values according to RFC 6265.
{
encoders: {
name: identity,
value: cookieValueStrictBase64urlEncoder
},
validators: {
name: cookieNameStrictValidator,
value: cookieValueStrictValidator,
}
}Customizing serialization
You can customize serializeCookie behavior by providing your own encoders or validators:
import { serializeCookie } from '@swaggerexpert/cookie';
serializeCookie({ foo: 'bar' }, {
encoders: {
name: (name) => name.toUpperCase(), // custom name encoder
value: (value) => encodeURIComponent(value), // custom value encoder
},
validators: {
name: (name) => {
if (!/^[a-zA-Z]+$/.test(name)) {
throw new TypeError('Custom validation failed for cookie name');
}
},
value: (value) => {
if (value.includes(';')) {
throw new TypeError('Custom validation failed for cookie value');
}
},
},
});Completely bypassing encoding and validation is possible as well:
import { serializeCookie, identity, noop } from '@swaggerexpert/cookie';
serializeCookie({ foo: ';' }, {
encoders: { name: identity, value: identity },
validators: { name: noop, value: noop },
}); // => "foo=;"Encoders
The @swaggerexpert/cookie library provides a suite of encoders designed to handle cookie names and values during serialization.
Each encoder adheres to specific rules for encoding characters, ensuring compatibility with cookie-related standards.
Below is a detailed overview of the available encoders.
Generic Encoders
Generic encoders can be used both for cookie names and values.
base64
Encodes a string using the Base64 algorithm. Base64 encoding is explicitly mentioned in RFC 6265, section 4.1.1 as an example of appropriate encoding for cookie values.
import { base64Encoder } from '@swaggerexpert/cookie';
base64Encoder('foo<'); // => 'Zm9vPA=='base64url
Encodes a string using the base64url algorithm. This encoding consists of Base64 Encoding with URL and Filename Safe Alphabet.
import { base64urlEncoder } from '@swaggerexpert/cookie';
base64urlEncoder('foo<'); // => 'Zm9vPA'Cookie Name Encoders
cookieNameStrictPercentEncoder
Percent-encodes characters that fall outside the allowable set defined by the cookie-name rule in RFC 6265.
- Use Case: Ensures that the cookie name strictly adheres to the
cookie-namenon-terminal rule.
import { cookieNameStrictPercentEncoder } from '@swaggerexpert/cookie';
cookieNameStrictPercentEncoder('foo<'); // => 'foo%3C'cookieNameLenientPercentEncoder
Percent-encodes characters that fall outside the allowable set defined by the lenient-cookie-name rule.
This allows for a more lenient interpretation of cookie names.
- Use Case: Useful in scenarios where broader compatibility is required, or when leniency in cookie names is acceptable.
import { cookieNameLenientPercentEncoder } from '@swaggerexpert/cookie';
cookieNameLenientPercentEncoder('foo<'); // => 'foo<'Cookie Value Encoders
cookieValueStrictBase64Encoder
Applies Base64 encoding to a cookie value if any of its characters fall outside the allowable set defined by the cookie-value rule in RFC 6265.
- Use Case: To achieve the best compatibility, Base64 encoding is mentioned by RFC 6265 as an example of appropriate encoding to use. Ensures strict compliance with the
cookie-valuenon-terminal rule.
import { cookieValueStrictBase64Encoder } from '@swaggerexpert/cookie';
cookieValueStrictBase64Encoder(';'); // => Ow==
cookieValueStrictBase64Encoder('";"'); // => "Ow=="cookieValueStrictBase64urlEncoder
Applies base64url encoding to a cookie value if any of its characters fall outside the allowable set defined by the cookie-value rule in RFC 6265.
- Use Case: More appropriate for modern tooling, it ensures strict compliance with the
cookie-valuenon-terminal rule by producing encoded value with URL and Filename Safe Alphabet.
import { cookieValueStrictBase64Encoder } from '@swaggerexpert/cookie';
cookieValueStrictBase64Encoder(';'); // => Ow
cookieValueStrictBase64Encoder('";"'); // => "Ow"cookieValueStrictPercentEncoder
Percent-encodes characters that fall outside the allowable set defined by the cookie-value rule in RFC 6265.
- Use Case: Ensures strict compliance with the
cookie-valuenon-terminal rule, encoding characters such as;and,.
import { cookieValueStrictPercentEncoder } from '@swaggerexpert/cookie';
cookieValueStrictPercentEncoder(';'); // => '%3B'cookieValueLenientBase64Encoder
Applies Base64 encoding to a cookie value if any of its characters fall outside the allowable set defined by the lenient-cookie-value.
- Use Case: To achieve the best compatibility, Base64 encoding is mentioned by RFC 6265 as an example of appropriate encoding to use. Useful when broader compatibility is needed, and when leniency in cookie values is acceptable.
import { cookieValueLenientBase64Encoder } from '@swaggerexpert/cookie';
cookieValueLenientBase64Encoder(';'); // => Ow==
cookieValueLenientBase64Encoder('";"'); // => "Ow=="cookieValueLenientBase64urlEncoder
Applies base64url encoding to a cookie value if any of its characters fall outside the allowable set defined by the lenient-cookie-value.
- Use Case: More appropriate for modern tooling. Useful when producing encoded value with URL and Filename Safe Alphabet, and leniency in cookie values is acceptable.
import { cookieValueLenientBase64urlEncoder } from '@swaggerexpert/cookie';
cookieValueLenientBase64urlEncoder(';'); // => Ow
cookieValueLenientBase64urlEncoder('";"'); // => "Ow"cookieValueLenientPercentEncoder
Percent-encodes characters that fall outside the allowable set defined by the lenient-cookie-value rule.
This allows for a more permissive interpretation of cookie values.
- Use Case: Useful when broader compatibility is needed, and when leniency in cookie values is acceptable.
import { cookieValueLenientPercentEncoder } from '@swaggerexpert/cookie';
cookieValueLenientPercentEncoder('"'); // => '"'Validators
The @swaggerexpert/cookie library provides a suite of validators designed to ensure that cookie names and values
comply with the necessary standards during serialization. These validators are strict about adherence to the rules
while offering flexibility with both strict and lenient validation modes. Validators focus on validating input and
throwing descriptive errors for invalid values.
Cookie Name Validators
cookieNameStrictValidator
Validates cookie names based on the cookie-name rule defined in RFC 6265.
import { cookieNameStrictValidator } from '@swaggerexpert/cookie';
cookieNameStrictValidator('ValidName'); // passes
cookieNameStrictValidator('InvalidName<'); // throws: Invalid cookie namecookieNameLenientValidator
Validates cookie names based on the lenient-cookie-name rules Allows a broader range of characters than the strict validator.
import { cookieNameLenientValidator } from '@swaggerexpert/cookie';
cookieNameLenientValidator('ValidLenientName'); // passes
cookieNameLenientValidator('\tInvalidLenientName'); // throws: Invalid cookie nameCookie Value Validators
cookieValueStrictValidator
Validates cookie values according to the cookie-value rules in RFC 6265.
import { cookieValueStrictValidator } from '@swaggerexpert/cookie';
cookieValueStrictValidator('"validValue"'); // passes
cookieValueStrictValidator('invalid\\value'); // throws: Invalid cookie valuecookieValueLenientValidator
Validates cookie values according to lenient-cookie-value rules. Accepts a broader range of characters,
including some that are disallowed in strict mode.
import { cookieValueLenientValidator } from '@swaggerexpert/cookie';
cookieValueLenientValidator('"lenient;value"'); // passes
cookieValueLenientValidator('invalid value'); // throws: Invalid cookie valueGrammar
New grammar instance can be created in following way:
import { Grammar } from '@swaggerexpert/cookie';
const grammar = new Grammar();To obtain original ABNF (SABNF) grammar as a string:
import { Grammar } from '@swaggerexpert/cookie';
const grammar = new Grammar();
grammar.toString();
// or
String(grammar);More about RFC 6265
The cookie is defined by the following ABNF syntax
; Lenient version of https://datatracker.ietf.org/doc/html/rfc6265#section-4.2.1
lenient-cookie-string = lenient-cookie-entry *( ";" OWS lenient-cookie-entry )
lenient-cookie-entry = lenient-cookie-pair / lenient-cookie-pair-invalid
lenient-cookie-pair = OWS lenient-cookie-name OWS "=" OWS lenient-cookie-value OWS
lenient-cookie-pair-invalid = OWS 1*tchar OWS ; Allow for standalone entries like "fizz" to be ignored
lenient-cookie-name = 1*( %x21-3A / %x3C / %x3E-7E ) ; Allow all printable US-ASCII except "="
lenient-cookie-value = lenient-quoted-value [ *lenient-cookie-octet ] / *lenient-cookie-octet
lenient-quoted-value = DQUOTE *( lenient-quoted-char ) DQUOTE
lenient-quoted-char = %x20-21 / %x23-7E ; Allow all printable US-ASCII except DQUOTE
lenient-cookie-octet = %x21-2B / %x2D-3A / %x3C-7E
; Allow all printable characters except CTLs, semicolon and SP
; https://datatracker.ietf.org/doc/html/rfc6265#section-4.2.1
cookie-string = cookie-pair *( ";" SP cookie-pair )
; https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
; https://www.rfc-editor.org/errata/eid5518
cookie-pair = cookie-name "=" cookie-value
cookie-name = token
cookie-value = ( DQUOTE *cookie-octet DQUOTE ) / *cookie-octet
; https://www.rfc-editor.org/errata/eid8242
cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
; US-ASCII characters excluding CTLs,
; whitespace, DQUOTE, comma, semicolon,
; and backslash
; https://datatracker.ietf.org/doc/html/rfc6265#section-2.2
OWS = *( [ CRLF ] WSP ) ; "optional" whitespace
; https://datatracker.ietf.org/doc/html/rfc9110#section-5.6.2
token = 1*(tchar)
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
/ "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
/ DIGIT / ALPHA
; any VCHAR, except delimiters
; https://datatracker.ietf.org/doc/html/rfc2616#section-2.2
CHAR = %x01-7F ; any US-ASCII character (octets 0 - 127)
CTL = %x00-1F / %x7F ; any US-ASCII control character
separators = "(" / ")" / "<" / ">" / "@" / "," / ";" / ":" / "\" / %x22 / "/" / "[" / "]" / "?" / "=" / "{" / "}" / SP / HT
SP = %x20 ; US-ASCII SP, space (32)
HT = %x09 ; US-ASCII HT, horizontal-tab (9)
; https://datatracker.ietf.org/doc/html/rfc5234#appendix-B.1
ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
DIGIT = %x30-39 ; 0-9
DQUOTE = %x22 ; " (Double Quote)
WSP = SP / HTAB ; white space
HTAB = %x09 ; horizontal tab
CRLF = CR LF ; Internet standard newline
CR = %x0D ; carriage return
LF = %x0A ; linefeedLicense
@swaggerexpert/cookie is licensed under Apache 2.0 license.
@swaggerexpert/cookie comes with an explicit NOTICE file
containing additional legal notices and information.