Merge pull request #54 from eliassorensen/6265bis

Change name-value-pair parsing to follow 6265bis Specifically, if there's no "=", (e.g. `Set-Cookie: foo`) then the name is now "", and the value is the entire string (e.g. "foo") This matches browser behavior and the newer draft RFC (Previous behavior was to use the entire string as the name, and treat the value as empty.)
nfriedly · Jul 25, 2022 · f87130b · f87130b
2 parents 6687aa0 + 5cae030
commit f87130b
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -186,6 +186,7 @@ Returns an array of strings that may be passed to `parse()`.
 ## References
 
 * [RFC 6265: HTTP State Management Mechanism](https://tools.ietf.org/html/rfc6265)
+* [draft-ietf-httpbis-rfc6265bis-10](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html)
 
 ## License
 

diff --git a/lib/set-cookie.js b/lib/set-cookie.js
@@ -12,9 +12,11 @@ function isNonEmptyString(str) {
 
 function parseString(setCookieValue, options) {
   var parts = setCookieValue.split(";").filter(isNonEmptyString);
-  var nameValue = parts.shift().split("=");
-  var name = nameValue.shift();
-  var value = nameValue.join("="); // everything after the first =, joined by a "=" if there was more than one part
+
+  var nameValuePairStr = parts.shift();
+  var parsed = parseNameValuePair(nameValuePairStr);
+  var name = parsed.name;
+  var value = parsed.value;
 
   options = options
     ? Object.assign({}, defaultParseOptions, options)
@@ -32,7 +34,7 @@ function parseString(setCookieValue, options) {
   }
 
   var cookie = {
-    name: name, // grab everything before the first =
+    name: name,
     value: value,
   };
 
@@ -58,6 +60,22 @@ function parseString(setCookieValue, options) {
   return cookie;
 }
 
+function parseNameValuePair(nameValuePairStr) {
+  // Parses name-value-pair according to rfc6265bis draft
+
+  var name = "";
+  var value = "";
+  var nameValueArr = nameValuePairStr.split("=");
+  if (nameValueArr.length > 1) {
+    name = nameValueArr.shift();
+    value = nameValueArr.join("="); // everything after the first =, joined by a "=" if there was more than one part
+  } else {
+    value = nameValuePairStr;
+  }
+
+  return { name: name, value: value };
+}
+
 function parse(input, options) {
   options = options
     ? Object.assign({}, defaultParseOptions, options)

diff --git a/test/set-cookie-parser.js b/test/set-cookie-parser.js
@@ -221,4 +221,15 @@ describe("set-cookie-parser", function () {
     expected = {};
     assert.deepEqual(actual, expected);
   });
+
+  it("should have empty name string, and value is the name-value-pair if the name-value-pair string lacks a = character", function () {
+    var actual = setCookie.parse("foo;");
+    var expected = [{ name: "", value: "foo" }];
+
+    assert.deepEqual(actual, expected);
+
+    actual = setCookie.parse("foo;SameSite=None;Secure");
+    expected = [{ name: "", value: "foo", sameSite: "None", secure: true }];
+    assert.deepEqual(actual, expected);
+  });
 });