@vtex/api
Version:
VTEX I/O API client
54 lines (52 loc) • 2.19 kB
JavaScript
;
Object.defineProperty(exports, "__esModule", { value: true });
exports.removeSetCookie = void 0;
const ramda_1 = require("ramda");
const BLACKLISTED_COOKIES = new Set(['checkout.vtex.com']);
const warnMessage = (keys) => `Removing set-cookie from response since cache-control has as public scope.
This can be a huge security risk. Please remove either the public scope or set-cookie from your response.
Cookies dropped:
${keys.join('\n\t')}
`;
const findStr = (target, set) => (0, ramda_1.find)((a) => a.toLocaleLowerCase() === target, set);
const findScopeInCacheControl = (cacheControl) => {
const splitted = cacheControl && cacheControl.split(/\s*,\s*/g);
const scopePublic = splitted && findStr('public', splitted);
return scopePublic;
};
const cookieKey = (cookie) => (0, ramda_1.compose)(ramda_1.head, (0, ramda_1.split)('='))(cookie);
const indexCookieByKeys = (setCookie) => (0, ramda_1.map)((cookie) => [cookieKey(cookie), cookie], setCookie);
async function removeSetCookie(ctx, next) {
const { vtex: { logger } } = ctx;
await next();
const setCookie = ctx.response.headers['set-cookie'];
if (!setCookie || (0, ramda_1.isEmpty)(setCookie)) {
return;
}
const cacheControl = ctx.response.headers['cache-control'];
const scope = findScopeInCacheControl(cacheControl);
if (scope === 'public') {
const indexedCookies = indexCookieByKeys(setCookie);
const cookies = (0, ramda_1.reduce)((acc, [key, payload]) => {
if (BLACKLISTED_COOKIES.has(key)) {
acc.droppedKeys.push(key);
}
else {
acc.addedPayload.push(payload);
}
return acc;
}, {
addedPayload: [],
droppedKeys: [],
}, indexedCookies);
if (cookies.droppedKeys.length > 0) {
ctx.set('set-cookie', cookies.addedPayload);
console.warn(warnMessage(cookies.droppedKeys));
logger.warn({
cookieKeys: cookies.droppedKeys,
message: 'Setting cookies in a public route!',
});
}
}
}
exports.removeSetCookie = removeSetCookie;