feat: Cookies and encryption module (#11)

* feat: Encryption module

* Cookies

* Fix TSC

* chore: Automate Rollup external deps

Author: typeofweb

.eslintrc

@@ -9,7 +9,9 @@
     {
       "files": ["__tests__/**/*.ts"],
       "rules": {
-        "@typescript-eslint/consistent-type-assertions": "off"
+        "@typescript-eslint/consistent-type-assertions": "off",
+        "@typescript-eslint/no-unsafe-member-access": "off",
+        "@typescript-eslint/no-non-null-assertion": "off"
       }
     }
   ]

__tests__/encrypt.test.ts

@@ -0,0 +1,93 @@
+/**
+ * Tests based on https://github.com/hapijs/iron/blob/93fd15c76e656b1973ba134de64f3aeac66a0405/test/index.js
+ * Copyright (c) 2012-2020, Sideway Inc, and project contributors
+ * All rights reserved.
+ * https://github.com/hapijs/iron/blob/93fd15c76e656b1973ba134de64f3aeac66a0405/LICENSE.md
+ *
+ * Rewritten and repurposed by Michał Miszczyszyn 2021
+ */
+import * as EncryptCookies from '../src/utils/encryptCookies';
+
+describe('encrypt', () => {
+  const secret = 'some_not_random_password_that_is';
+  const value = 'test data';
+
+  it('turns object into a sealed then parses the sealed successfully', async () => {
+    const sealed = await EncryptCookies.seal({ value, secret });
+    const unsealed = await EncryptCookies.unseal({ sealed, secret });
+    expect(unsealed).toEqual(value);
+  });
+
+  it('unseal and sealed object with expiration', async () => {
+    const sealed = await EncryptCookies.seal({ value, secret, ttl: 200 });
+    const unsealed = await EncryptCookies.unseal({ sealed, secret });
+    expect(unsealed).toEqual(value);
+  });
+
+  it('fails for too short secret', async () => {
+    await expect(EncryptCookies.seal({ value, secret: 'too short' })).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"Secret must be exactly 32 characters long!"`,
+    );
+  });
+
+  it('unseals a sealed', async () => {
+    const sealed =
+      'Fe26.2**SqhOkY8av81FPay7I60ktrpeOq7SgRNCcNN0rHWAMSg*3xsUfKKg2KiUWhsOmm1Nnw*_MeWO7OhJooR1Jc0cXQ5pp-wrtooQBeZsvNCSF9Yl5mm5xpCr8_SwxPJJkzwxN43**r3lxz-MMOws6YE-lDcXy6rmZc0mHHMVbXsndXmePgnA*JRDpLG7MxvgdoJqTeaTnUEQ-c0E6eyA66hVSr3f4BLmdfzZYU7fWIYGImEpEZgwzp_0jlF44R0Vr8BDQBlJiNw';
+    const unsealed = await EncryptCookies.unseal({ sealed, secret });
+    expect(JSON.parse(unsealed)).toEqual({
+      a: 1,
+      array: [5, 6, {}],
+      nested: {
+        k: true,
+      },
+    });
+  });
+
+  it('returns an error when number of sealed components is wrong', async () => {
+    const sealed =
+      'x*Fe26.2**SqhOkY8av81FPay7I60ktrpeOq7SgRNCcNN0rHWAMSg*3xsUfKKg2KiUWhsOmm1Nnw*_MeWO7OhJooR1Jc0cXQ5pp-wrtooQBeZsvNCSF9Yl5mm5xpCr8_SwxPJJkzwxN43**r3lxz-MMOws6YE-lDcXy6rmZc0mHHMVbXsndXmePgnA*JRDpLG7MxvgdoJqTeaTnUEQ-c0E6eyA66hVSr3f4BLmdfzZYU7fWIYGImEpEZgwzp_0jlF44R0Vr8BDQBlJiNw';
+    await expect(EncryptCookies.unseal({ sealed, secret })).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"Cannot unseal: Incorrect data format."`,
+    );
+  });
+
+  it('returns an error when mac prefix is wrong', async () => {
+    const sealed =
+      'Fe27.2**SqhOkY8av81FPay7I60ktrpeOq7SgRNCcNN0rHWAMSg*3xsUfKKg2KiUWhsOmm1Nnw*_MeWO7OhJooR1Jc0cXQ5pp-wrtooQBeZsvNCSF9Yl5mm5xpCr8_SwxPJJkzwxN43**r3lxz-MMOws6YE-lDcXy6rmZc0mHHMVbXsndXmePgnA*JRDpLG7MxvgdoJqTeaTnUEQ-c0E6eyA66hVSr3f4BLmdfzZYU7fWIYGImEpEZgwzp_0jlF44R0Vr8BDQBlJiNw';
+    await expect(EncryptCookies.unseal({ sealed, secret })).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"Cannot unseal: Unsupported version."`,
+    );
+  });
+
+  it('returns an error when integrity check fails', async () => {
+    const sealed =
+      'Fe26.2**SqhOkY8av81FPay7I60ktrpeOq7SgRNCcNN0rHWAMSg*3xsUfKKg2KiUWhsOmm1Nnw*_MeWO7OhJooR1Jc0cXQ5pp-wrtooQBeZsvNCSF9Yl5mm5xpCr8_SwxPJJkzwxN43**r3lxz-MMOws6YE-lDcXy6rmZc0mHHMVbXsndXmePgnA*JRDpLG7MxvgdoJqTeaTnUEQ-c0E6eyA66hVSr3f4BLmdfzZYU7fWIYGImEpEZgwzp_0jlF44R0Vr8BDQBlJiNwLOL';
+    await expect(EncryptCookies.unseal({ sealed, secret })).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"Cannot unseal: Incorrect hmac seal value"`,
+    );
+  });
+
+  it('returns an error when iv base64 decoding fails', async () => {
+    const sealed =
+      'Fe26.2**0a27f421711152214f2cdd7fd8c515738204828f2d5c1ac50685231d38614de1*hUkUfX6sYUoKXh1QNx8oywLOL*AxjnFXiFUlQqdpNYK9lzAJzfm0S07vKo599fOi1Og7vuPaiQ6z8o487hDrs7xDu0**4eb9bef394dbaffa866f1e4246cf9d8c72a19d403da89760a3fc65c95d82301a*l65Cto8YluxfUbex2aD27hrA9Hccvhcryac0pkHfPvs';
+    await expect(EncryptCookies.unseal({ sealed, secret })).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"Cannot unseal: Incorrect hmac seal value"`,
+    );
+  });
+
+  it('returns an error when expired', async () => {
+    const sealed =
+      'Fe26.2**552bc79cfa73de9855b539a624c6b404496995f443baf057b95c097f5503f330*sk9We2FqPEyHc5bSzfA1yA*tlyeEmz0jWnaRd4CDmrqeQ*1623946580929*807a2f0ac5aebd5e413e06c52ffbf52158566e73a551d805d3b68164c7869ed8*Y5XBmJC-4QZ4Q1iRUiN2f8SStLL23-57wXNayX-tiF0';
+    await expect(EncryptCookies.unseal({ sealed, secret })).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"Cannot unseal: Expired seal"`,
+    );
+  });
+
+  it('returns an error when expiration NaN', async () => {
+    const sealed =
+      'Fe26.2**71ccf7404636c565d498200c002837f55ff5a0bf5e9ddecbd93953336709e9a4*JnIlC3F0_AhVSJQ2ALF3ow*A3s_DWrqGwWRjgC6mD5-SQ*1623946786465dupa*0e8513880d1c8410fb0e8a8e0c7ad43285ee67568b80ab2e76721e7381e14a14*iEz4o4dDQirX6Y1x2Om6Lpglg3XtDVjzkZvq3iRtFuM';
+    await expect(EncryptCookies.unseal({ sealed, secret })).rejects.toThrowErrorMatchingInlineSnapshot(
+      `"Cannot unseal: Invalid expiration"`,
+    );
+  });
+});

__tests__/router.test.ts

@@ -1,4 +1,7 @@
+import Crypto from 'crypto';
+
 import { createApp } from '../src';
+import { unseal } from '../src/utils/encryptCookies';
 
 declare module '../src' {
   interface TypeOfWebEvents {
@@ -7,6 +10,72 @@ declare module '../src' {
 }
 
 describe('router', () => {
+  it('should set cookies', async () => {
+    const app = createApp({ cookies: { secret: 'a'.repeat(32) } }).route({
+      path: '/users',
+      method: 'get',
+      validation: {},
+      handler: async (_request, t) => {
+        await t.setCookie('test', 'testowa', { encrypted: false });
+        return null;
+      },
+    });
+
+    const result = await app.inject({
+      method: 'get',
+      path: '/users',
+    });
+
+    expect(result.headers['set-cookie']).toEqual([`test=testowa; Path=/; HttpOnly; Secure; SameSite=Lax`]);
+  });
+
+  it('should set encrypted cookies', async () => {
+    const secret = Crypto.randomBytes(22).toString('base64');
+    const app = createApp({ cookies: { secret } }).route({
+      path: '/users',
+      method: 'get',
+      validation: {},
+      handler: async (_request, t) => {
+        await t.setCookie('test', 'testowa', { encrypted: true });
+        return null;
+      },
+    });
+
+    const result = await app.inject({
+      method: 'get',
+      path: '/users',
+    });
+
+    expect(result.headers['set-cookie']).toHaveLength(1);
+    const [key, val] = (result.headers['set-cookie'] as readonly [string])[0].split(';')[0]!.split('=');
+    expect(key).toEqual('test');
+    expect(await unseal({ sealed: val!, secret })).toEqual('testowa');
+  });
+
+  it('should read all cookies', async () => {
+    const app = createApp({ cookies: { secret: 'a'.repeat(32) } }).route({
+      path: '/users',
+      method: 'get',
+      validation: {},
+      handler: (request) => {
+        expect(request.cookies['test']).toEqual('testowa');
+        expect(request.cookies['secret']).toEqual('testowa');
+        return null;
+      },
+    });
+
+    await app.inject({
+      method: 'get',
+      path: '/users',
+      cookies: [
+        'test=testowa',
+        'secret=Fe26.2**n0Jf_bWyQEP8IGbXE2USt82PE9W_dGIvOSlLTeKvwnA*a_fJJWNvbhjvvy0yBg2APw*PzP5xlZ63c6EImBsgDaZ7A**LF1tHWLrtR1pckVC9moT-V2b8LVmE_NYWfsgYqYhZwk*i40hiIKMSNNpwQUmd2HalR9KEvODTfDRPLah2H_q2JqdPg3ecHW6PvnJTC2YAHGUiwvIERWqE5LvaSjCyULvbQ',
+      ],
+    });
+
+    expect.assertions(2);
+  });
+
   it('should not accept multiple params in path segment', () => {
     const app = createApp({});
 

__tests__/types.spec.ts

@@ -23,16 +23,15 @@ const assertTsd = (diagnostics: readonly Diagnostic[]) => {
 
 describe('@typeofweb/schema', () => {
   const typesTests = Globby.sync(['./__tests__/*.test-d.ts']);
-  it.each(typesTests.map((path) => ({ path, name: path.replace('./__tests__/', '').replace('.test-d.ts', '') })))(
-    'tsd $name',
-    async (dir) => {
-      assertTsd(
-        await tsd({
-          cwd: join(Path.dirname(Url.fileURLToPath(import.meta.url)), '..'),
-          typingsFile: './dist/index.d.ts',
-          testFiles: [dir.path],
-        }),
-      );
-    },
-  );
+  it.concurrent.each(
+    typesTests.map((path) => ({ path, name: path.replace('./__tests__/', '').replace('.test-d.ts', '') })),
+  )('tsd $name', async (dir) => {
+    assertTsd(
+      await tsd({
+        cwd: join(Path.dirname(Url.fileURLToPath(import.meta.url)), '..'),
+        typingsFile: './dist/index.d.ts',
+        testFiles: [dir.path],
+      }),
+    );
+  });
 });

package.json

@@ -35,14 +35,17 @@
   ],
   "dependencies": {
     "@typeofweb/schema": "0.8.0-5",
+    "@types/cookie-parser": "1.4.2",
     "@types/cors": "2.8.10",
     "@types/express": "4.17.12",
     "@types/supertest": "2.0.11",
+    "cookie-parser": "1.4.5",
     "cors": "2.8.5",
     "express": "4.17.1",
     "stoppable": "1.1.0",
     "supertest": "6.1.3"
   },
+  "peerDependencies": {},
   "devDependencies": {
     "@rollup/plugin-commonjs": "19.0.0",
     "@rollup/plugin-json": "4.1.0",
@@ -54,6 +57,7 @@
     "@types/node": "12",
     "@types/stoppable": "1.1.1",
     "all-contributors-cli": "6.20.0",
+    "builtin-modules": "3.2.0",
     "eslint": "7.28.0",
     "fast-check": "2.16.0",
     "globby": "11.0.3",

rollup.config.js

@@ -1,4 +1,5 @@
 // @ts-check
+import BuiltinModules from 'builtin-modules';
 import commonjs from '@rollup/plugin-commonjs';
 import typescript from '@rollup/plugin-typescript';
 import prettier from 'rollup-plugin-prettier';
@@ -12,6 +13,8 @@ import pkg from './package.json';
 const shouldCompress = process.env.COMPRESS_BUNDLES ? true : false;
 const shouldPrettify = !shouldCompress && (process.env.PRETTIFY ? true : false);
 
+const dependencies = [...Object.keys(pkg.dependencies || {}), ...Object.keys(pkg.peerDependencies || {})];
+
 const rollupConfig = [
   {
     input: 'src/index.ts',
@@ -90,7 +93,7 @@ LICENSE file in the root directory of this source tree.
 `.trim(),
       }),
     ],
-    external: ['url', 'body-parser', 'express', 'stoppable', '@typeofweb/schema', 'events', 'supertest', 'cors', 'os'],
+    external: [...dependencies, ...BuiltinModules],
   },
 ];
 // eslint-disable-next-line import/no-default-export

src/modules/app.ts

@@ -1,9 +1,11 @@
 import { URL } from 'url';
 
+import CookieParser from 'cookie-parser';
 import Cors from 'cors';
 import Supertest from 'supertest';
 
 import { deepMerge } from '../utils/merge';
+import { promiseOriginFnToNodeCallback } from '../utils/node';
 import { generateServerId } from '../utils/uniqueId';
 
 import { createEventBus } from './events';
@@ -22,6 +24,13 @@ const defaultAppOptions: AppOptions = {
     origin: true,
     credentials: true,
   },
+  cookies: {
+    encrypted: true,
+    secure: true,
+    httpOnly: true,
+    sameSite: 'lax',
+    secret: '',
+  },
 };
 
 export function createApp(opts: DeepPartial<AppOptions>): TypeOfWebApp {
@@ -73,17 +82,23 @@ export function createApp(opts: DeepPartial<AppOptions>): TypeOfWebApp {
     }
 
     if (options.cors) {
+      const origin =
+        typeof options.cors.origin === 'function'
+          ? promiseOriginFnToNodeCallback(options.cors.origin)
+          : options.cors.origin;
       app._rawExpressApp.use(
         Cors({
-          origin: options.cors.origin,
+          origin,
           credentials: options.cors.credentials,
         }),
       );
     }
 
+    app._rawExpressApp.use(CookieParser(''));
+
     await initServerPlugins();
 
-    app._rawExpressRouter = initRouter({ server, routes, plugins });
+    app._rawExpressRouter = initRouter({ server, appOptions: options, routes, plugins });
     app._rawExpressApp.use(app._rawExpressRouter);
 
     mutableIsInitialized = true;
@@ -125,6 +140,11 @@ export function createApp(opts: DeepPartial<AppOptions>): TypeOfWebApp {
         );
       }
 
+      if (injection.cookies) {
+        // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- string[]
+        mutableTest = mutableTest.set('Cookie', injection.cookies as string[]);
+      }
+
       const result = await mutableTest;
       return result;
     },