--- /dev/null
+/*!
+ * Copyright (c) 2015, Salesforce.com, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of Salesforce.com nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+'use strict';
+var net = require('net');
+var urlParse = require('url').parse;
+var pubsuffix = require('./pubsuffix');
+var Store = require('./store').Store;
+var MemoryCookieStore = require('./memstore').MemoryCookieStore;
+var pathMatch = require('./pathMatch').pathMatch;
+var VERSION = require('../package.json').version;
+
+var punycode;
+try {
+ punycode = require('punycode');
+} catch(e) {
+ console.warn("cookie: can't load punycode; won't use punycode for domain normalization");
+}
+
+var DATE_DELIM = /[\x09\x20-\x2F\x3B-\x40\x5B-\x60\x7B-\x7E]/;
+
+// From RFC6265 S4.1.1
+// note that it excludes \x3B ";"
+var COOKIE_OCTET = /[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]/;
+var COOKIE_OCTETS = new RegExp('^'+COOKIE_OCTET.source+'+$');
+
+var CONTROL_CHARS = /[\x00-\x1F]/;
+
+// Double quotes are part of the value (see: S4.1.1).
+// '\r', '\n' and '\0' should be treated as a terminator in the "relaxed" mode
+// (see: https://github.com/ChromiumWebApps/chromium/blob/b3d3b4da8bb94c1b2e061600df106d590fda3620/net/cookies/parsed_cookie.cc#L60)
+// '=' and ';' are attribute/values separators
+// (see: https://github.com/ChromiumWebApps/chromium/blob/b3d3b4da8bb94c1b2e061600df106d590fda3620/net/cookies/parsed_cookie.cc#L64)
+var COOKIE_PAIR = /^(([^=;]+))\s*=\s*([^\n\r\0]*)/;
+
+// Used to parse non-RFC-compliant cookies like '=abc' when given the `loose`
+// option in Cookie.parse:
+var LOOSE_COOKIE_PAIR = /^((?:=)?([^=;]*)\s*=\s*)?([^\n\r\0]*)/;
+
+// RFC6265 S4.1.1 defines path value as 'any CHAR except CTLs or ";"'
+// Note ';' is \x3B
+var PATH_VALUE = /[\x20-\x3A\x3C-\x7E]+/;
+
+// Used for checking whether or not there is a trailing semi-colon
+var TRAILING_SEMICOLON = /;+$/;
+
+var DAY_OF_MONTH = /^(\d{1,2})[^\d]*$/;
+var TIME = /^(\d{1,2})[^\d]*:(\d{1,2})[^\d]*:(\d{1,2})[^\d]*$/;
+var MONTH = /^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)/i;
+
+var MONTH_TO_NUM = {
+ jan:0, feb:1, mar:2, apr:3, may:4, jun:5,
+ jul:6, aug:7, sep:8, oct:9, nov:10, dec:11
+};
+var NUM_TO_MONTH = [
+ 'Jan','Feb','Mar','Apr','May','Jun','Jul','Aug','Sep','Oct','Nov','Dec'
+];
+var NUM_TO_DAY = [
+ 'Sun','Mon','Tue','Wed','Thu','Fri','Sat'
+];
+
+var YEAR = /^(\d{2}|\d{4})$/; // 2 to 4 digits
+
+var MAX_TIME = 2147483647000; // 31-bit max
+var MIN_TIME = 0; // 31-bit min
+
+
+// RFC6265 S5.1.1 date parser:
+function parseDate(str) {
+ if (!str) {
+ return;
+ }
+
+ /* RFC6265 S5.1.1:
+ * 2. Process each date-token sequentially in the order the date-tokens
+ * appear in the cookie-date
+ */
+ var tokens = str.split(DATE_DELIM);
+ if (!tokens) {
+ return;
+ }
+
+ var hour = null;
+ var minutes = null;
+ var seconds = null;
+ var day = null;
+ var month = null;
+ var year = null;
+
+ for (var i=0; i<tokens.length; i++) {
+ var token = tokens[i].trim();
+ if (!token.length) {
+ continue;
+ }
+
+ var result;
+
+ /* 2.1. If the found-time flag is not set and the token matches the time
+ * production, set the found-time flag and set the hour- value,
+ * minute-value, and second-value to the numbers denoted by the digits in
+ * the date-token, respectively. Skip the remaining sub-steps and continue
+ * to the next date-token.
+ */
+ if (seconds === null) {
+ result = TIME.exec(token);
+ if (result) {
+ hour = parseInt(result[1], 10);
+ minutes = parseInt(result[2], 10);
+ seconds = parseInt(result[3], 10);
+ /* RFC6265 S5.1.1.5:
+ * [fail if]
+ * * the hour-value is greater than 23,
+ * * the minute-value is greater than 59, or
+ * * the second-value is greater than 59.
+ */
+ if(hour > 23 || minutes > 59 || seconds > 59) {
+ return;
+ }
+
+ continue;
+ }
+ }
+
+ /* 2.2. If the found-day-of-month flag is not set and the date-token matches
+ * the day-of-month production, set the found-day-of- month flag and set
+ * the day-of-month-value to the number denoted by the date-token. Skip
+ * the remaining sub-steps and continue to the next date-token.
+ */
+ if (day === null) {
+ result = DAY_OF_MONTH.exec(token);
+ if (result) {
+ day = parseInt(result, 10);
+ /* RFC6265 S5.1.1.5:
+ * [fail if] the day-of-month-value is less than 1 or greater than 31
+ */
+ if(day < 1 || day > 31) {
+ return;
+ }
+ continue;
+ }
+ }
+
+ /* 2.3. If the found-month flag is not set and the date-token matches the
+ * month production, set the found-month flag and set the month-value to
+ * the month denoted by the date-token. Skip the remaining sub-steps and
+ * continue to the next date-token.
+ */
+ if (month === null) {
+ result = MONTH.exec(token);
+ if (result) {
+ month = MONTH_TO_NUM[result[1].toLowerCase()];
+ continue;
+ }
+ }
+
+ /* 2.4. If the found-year flag is not set and the date-token matches the year
+ * production, set the found-year flag and set the year-value to the number
+ * denoted by the date-token. Skip the remaining sub-steps and continue to
+ * the next date-token.
+ */
+ if (year === null) {
+ result = YEAR.exec(token);
+ if (result) {
+ year = parseInt(result[0], 10);
+ /* From S5.1.1:
+ * 3. If the year-value is greater than or equal to 70 and less
+ * than or equal to 99, increment the year-value by 1900.
+ * 4. If the year-value is greater than or equal to 0 and less
+ * than or equal to 69, increment the year-value by 2000.
+ */
+ if (70 <= year && year <= 99) {
+ year += 1900;
+ } else if (0 <= year && year <= 69) {
+ year += 2000;
+ }
+
+ if (year < 1601) {
+ return; // 5. ... the year-value is less than 1601
+ }
+ }
+ }
+ }
+
+ if (seconds === null || day === null || month === null || year === null) {
+ return; // 5. ... at least one of the found-day-of-month, found-month, found-
+ // year, or found-time flags is not set,
+ }
+
+ return new Date(Date.UTC(year, month, day, hour, minutes, seconds));
+}
+
+function formatDate(date) {
+ var d = date.getUTCDate(); d = d >= 10 ? d : '0'+d;
+ var h = date.getUTCHours(); h = h >= 10 ? h : '0'+h;
+ var m = date.getUTCMinutes(); m = m >= 10 ? m : '0'+m;
+ var s = date.getUTCSeconds(); s = s >= 10 ? s : '0'+s;
+ return NUM_TO_DAY[date.getUTCDay()] + ', ' +
+ d+' '+ NUM_TO_MONTH[date.getUTCMonth()] +' '+ date.getUTCFullYear() +' '+
+ h+':'+m+':'+s+' GMT';
+}
+
+// S5.1.2 Canonicalized Host Names
+function canonicalDomain(str) {
+ if (str == null) {
+ return null;
+ }
+ str = str.trim().replace(/^\./,''); // S4.1.2.3 & S5.2.3: ignore leading .
+
+ // convert to IDN if any non-ASCII characters
+ if (punycode && /[^\u0001-\u007f]/.test(str)) {
+ str = punycode.toASCII(str);
+ }
+
+ return str.toLowerCase();
+}
+
+// S5.1.3 Domain Matching
+function domainMatch(str, domStr, canonicalize) {
+ if (str == null || domStr == null) {
+ return null;
+ }
+ if (canonicalize !== false) {
+ str = canonicalDomain(str);
+ domStr = canonicalDomain(domStr);
+ }
+
+ /*
+ * "The domain string and the string are identical. (Note that both the
+ * domain string and the string will have been canonicalized to lower case at
+ * this point)"
+ */
+ if (str == domStr) {
+ return true;
+ }
+
+ /* "All of the following [three] conditions hold:" (order adjusted from the RFC) */
+
+ /* "* The string is a host name (i.e., not an IP address)." */
+ if (net.isIP(str)) {
+ return false;
+ }
+
+ /* "* The domain string is a suffix of the string" */
+ var idx = str.indexOf(domStr);
+ if (idx <= 0) {
+ return false; // it's a non-match (-1) or prefix (0)
+ }
+
+ // e.g "a.b.c".indexOf("b.c") === 2
+ // 5 === 3+2
+ if (str.length !== domStr.length + idx) { // it's not a suffix
+ return false;
+ }
+
+ /* "* The last character of the string that is not included in the domain
+ * string is a %x2E (".") character." */
+ if (str.substr(idx-1,1) !== '.') {
+ return false;
+ }
+
+ return true;
+}
+
+
+// RFC6265 S5.1.4 Paths and Path-Match
+
+/*
+ * "The user agent MUST use an algorithm equivalent to the following algorithm
+ * to compute the default-path of a cookie:"
+ *
+ * Assumption: the path (and not query part or absolute uri) is passed in.
+ */
+function defaultPath(path) {
+ // "2. If the uri-path is empty or if the first character of the uri-path is not
+ // a %x2F ("/") character, output %x2F ("/") and skip the remaining steps.
+ if (!path || path.substr(0,1) !== "/") {
+ return "/";
+ }
+
+ // "3. If the uri-path contains no more than one %x2F ("/") character, output
+ // %x2F ("/") and skip the remaining step."
+ if (path === "/") {
+ return path;
+ }
+
+ var rightSlash = path.lastIndexOf("/");
+ if (rightSlash === 0) {
+ return "/";
+ }
+
+ // "4. Output the characters of the uri-path from the first character up to,
+ // but not including, the right-most %x2F ("/")."
+ return path.slice(0, rightSlash);
+}
+
+
+function parse(str, options) {
+ if (!options || typeof options !== 'object') {
+ options = {};
+ }
+ str = str.trim();
+
+ // S4.1.1 Trailing semi-colons are not part of the specification.
+ var semiColonCheck = TRAILING_SEMICOLON.exec(str);
+ if (semiColonCheck) {
+ str = str.slice(0, semiColonCheck.index);
+ }
+
+ // We use a regex to parse the "name-value-pair" part of S5.2
+ var firstSemi = str.indexOf(';'); // S5.2 step 1
+ var pairRe = options.loose ? LOOSE_COOKIE_PAIR : COOKIE_PAIR;
+ var result = pairRe.exec(firstSemi === -1 ? str : str.substr(0,firstSemi));
+
+ // Rx satisfies the "the name string is empty" and "lacks a %x3D ("=")"
+ // constraints as well as trimming any whitespace.
+ if (!result) {
+ return;
+ }
+
+ var c = new Cookie();
+ if (result[1]) {
+ c.key = result[2].trim();
+ } else {
+ c.key = '';
+ }
+ c.value = result[3].trim();
+ if (CONTROL_CHARS.test(c.key) || CONTROL_CHARS.test(c.value)) {
+ return;
+ }
+
+ if (firstSemi === -1) {
+ return c;
+ }
+
+ // S5.2.3 "unparsed-attributes consist of the remainder of the set-cookie-string
+ // (including the %x3B (";") in question)." plus later on in the same section
+ // "discard the first ";" and trim".
+ var unparsed = str.slice(firstSemi).replace(/^\s*;\s*/,'').trim();
+
+ // "If the unparsed-attributes string is empty, skip the rest of these
+ // steps."
+ if (unparsed.length === 0) {
+ return c;
+ }
+
+ /*
+ * S5.2 says that when looping over the items "[p]rocess the attribute-name
+ * and attribute-value according to the requirements in the following
+ * subsections" for every item. Plus, for many of the individual attributes
+ * in S5.3 it says to use the "attribute-value of the last attribute in the
+ * cookie-attribute-list". Therefore, in this implementation, we overwrite
+ * the previous value.
+ */
+ var cookie_avs = unparsed.split(/\s*;\s*/);
+ while (cookie_avs.length) {
+ var av = cookie_avs.shift();
+ var av_sep = av.indexOf('=');
+ var av_key, av_value;
+
+ if (av_sep === -1) {
+ av_key = av;
+ av_value = null;
+ } else {
+ av_key = av.substr(0,av_sep);
+ av_value = av.substr(av_sep+1);
+ }
+
+ av_key = av_key.trim().toLowerCase();
+
+ if (av_value) {
+ av_value = av_value.trim();
+ }
+
+ switch(av_key) {
+ case 'expires': // S5.2.1
+ if (av_value) {
+ var exp = parseDate(av_value);
+ // "If the attribute-value failed to parse as a cookie date, ignore the
+ // cookie-av."
+ if (exp) {
+ // over and underflow not realistically a concern: V8's getTime() seems to
+ // store something larger than a 32-bit time_t (even with 32-bit node)
+ c.expires = exp;
+ }
+ }
+ break;
+
+ case 'max-age': // S5.2.2
+ if (av_value) {
+ // "If the first character of the attribute-value is not a DIGIT or a "-"
+ // character ...[or]... If the remainder of attribute-value contains a
+ // non-DIGIT character, ignore the cookie-av."
+ if (/^-?[0-9]+$/.test(av_value)) {
+ var delta = parseInt(av_value, 10);
+ // "If delta-seconds is less than or equal to zero (0), let expiry-time
+ // be the earliest representable date and time."
+ c.setMaxAge(delta);
+ }
+ }
+ break;
+
+ case 'domain': // S5.2.3
+ // "If the attribute-value is empty, the behavior is undefined. However,
+ // the user agent SHOULD ignore the cookie-av entirely."
+ if (av_value) {
+ // S5.2.3 "Let cookie-domain be the attribute-value without the leading %x2E
+ // (".") character."
+ var domain = av_value.trim().replace(/^\./, '');
+ if (domain) {
+ // "Convert the cookie-domain to lower case."
+ c.domain = domain.toLowerCase();
+ }
+ }
+ break;
+
+ case 'path': // S5.2.4
+ /*
+ * "If the attribute-value is empty or if the first character of the
+ * attribute-value is not %x2F ("/"):
+ * Let cookie-path be the default-path.
+ * Otherwise:
+ * Let cookie-path be the attribute-value."
+ *
+ * We'll represent the default-path as null since it depends on the
+ * context of the parsing.
+ */
+ c.path = av_value && av_value[0] === "/" ? av_value : null;
+ break;
+
+ case 'secure': // S5.2.5
+ /*
+ * "If the attribute-name case-insensitively matches the string "Secure",
+ * the user agent MUST append an attribute to the cookie-attribute-list
+ * with an attribute-name of Secure and an empty attribute-value."
+ */
+ c.secure = true;
+ break;
+
+ case 'httponly': // S5.2.6 -- effectively the same as 'secure'
+ c.httpOnly = true;
+ break;
+
+ default:
+ c.extensions = c.extensions || [];
+ c.extensions.push(av);
+ break;
+ }
+ }
+
+ return c;
+}
+
+// avoid the V8 deoptimization monster!
+function jsonParse(str) {
+ var obj;
+ try {
+ obj = JSON.parse(str);
+ } catch (e) {
+ return e;
+ }
+ return obj;
+}
+
+function fromJSON(str) {
+ if (!str) {
+ return null;
+ }
+
+ var obj;
+ if (typeof str === 'string') {
+ obj = jsonParse(str);
+ if (obj instanceof Error) {
+ return null;
+ }
+ } else {
+ // assume it's an Object
+ obj = str;
+ }
+
+ var c = new Cookie();
+ for (var i=0; i<Cookie.serializableProperties.length; i++) {
+ var prop = Cookie.serializableProperties[i];
+ if (obj[prop] === undefined ||
+ obj[prop] === Cookie.prototype[prop])
+ {
+ continue; // leave as prototype default
+ }
+
+ if (prop === 'expires' ||
+ prop === 'creation' ||
+ prop === 'lastAccessed')
+ {
+ if (obj[prop] === null) {
+ c[prop] = null;
+ } else {
+ c[prop] = obj[prop] == "Infinity" ?
+ "Infinity" : new Date(obj[prop]);
+ }
+ } else {
+ c[prop] = obj[prop];
+ }
+ }
+
+ return c;
+}
+
+/* Section 5.4 part 2:
+ * "* Cookies with longer paths are listed before cookies with
+ * shorter paths.
+ *
+ * * Among cookies that have equal-length path fields, cookies with
+ * earlier creation-times are listed before cookies with later
+ * creation-times."
+ */
+
+function cookieCompare(a,b) {
+ var cmp = 0;
+
+ // descending for length: b CMP a
+ var aPathLen = a.path ? a.path.length : 0;
+ var bPathLen = b.path ? b.path.length : 0;
+ cmp = bPathLen - aPathLen;
+ if (cmp !== 0) {
+ return cmp;
+ }
+
+ // ascending for time: a CMP b
+ var aTime = a.creation ? a.creation.getTime() : MAX_TIME;
+ var bTime = b.creation ? b.creation.getTime() : MAX_TIME;
+ cmp = aTime - bTime;
+ if (cmp !== 0) {
+ return cmp;
+ }
+
+ // break ties for the same millisecond (precision of JavaScript's clock)
+ cmp = a.creationIndex - b.creationIndex;
+
+ return cmp;
+}
+
+// Gives the permutation of all possible pathMatch()es of a given path. The
+// array is in longest-to-shortest order. Handy for indexing.
+function permutePath(path) {
+ if (path === '/') {
+ return ['/'];
+ }
+ if (path.lastIndexOf('/') === path.length-1) {
+ path = path.substr(0,path.length-1);
+ }
+ var permutations = [path];
+ while (path.length > 1) {
+ var lindex = path.lastIndexOf('/');
+ if (lindex === 0) {
+ break;
+ }
+ path = path.substr(0,lindex);
+ permutations.push(path);
+ }
+ permutations.push('/');
+ return permutations;
+}
+
+function getCookieContext(url) {
+ if (url instanceof Object) {
+ return url;
+ }
+ // NOTE: decodeURI will throw on malformed URIs (see GH-32).
+ // Therefore, we will just skip decoding for such URIs.
+ try {
+ url = decodeURI(url);
+ }
+ catch(err) {
+ // Silently swallow error
+ }
+
+ return urlParse(url);
+}
+
+function Cookie(options) {
+ options = options || {};
+
+ Object.keys(options).forEach(function(prop) {
+ if (Cookie.prototype.hasOwnProperty(prop) &&
+ Cookie.prototype[prop] !== options[prop] &&
+ prop.substr(0,1) !== '_')
+ {
+ this[prop] = options[prop];
+ }
+ }, this);
+
+ this.creation = this.creation || new Date();
+
+ // used to break creation ties in cookieCompare():
+ Object.defineProperty(this, 'creationIndex', {
+ configurable: false,
+ enumerable: false, // important for assert.deepEqual checks
+ writable: true,
+ value: ++Cookie.cookiesCreated
+ });
+}
+
+Cookie.cookiesCreated = 0; // incremented each time a cookie is created
+
+Cookie.parse = parse;
+Cookie.fromJSON = fromJSON;
+
+Cookie.prototype.key = "";
+Cookie.prototype.value = "";
+
+// the order in which the RFC has them:
+Cookie.prototype.expires = "Infinity"; // coerces to literal Infinity
+Cookie.prototype.maxAge = null; // takes precedence over expires for TTL
+Cookie.prototype.domain = null;
+Cookie.prototype.path = null;
+Cookie.prototype.secure = false;
+Cookie.prototype.httpOnly = false;
+Cookie.prototype.extensions = null;
+
+// set by the CookieJar:
+Cookie.prototype.hostOnly = null; // boolean when set
+Cookie.prototype.pathIsDefault = null; // boolean when set
+Cookie.prototype.creation = null; // Date when set; defaulted by Cookie.parse
+Cookie.prototype.lastAccessed = null; // Date when set
+Object.defineProperty(Cookie.prototype, 'creationIndex', {
+ configurable: true,
+ enumerable: false,
+ writable: true,
+ value: 0
+});
+
+Cookie.serializableProperties = Object.keys(Cookie.prototype)
+ .filter(function(prop) {
+ return !(
+ Cookie.prototype[prop] instanceof Function ||
+ prop === 'creationIndex' ||
+ prop.substr(0,1) === '_'
+ );
+ });
+
+Cookie.prototype.inspect = function inspect() {
+ var now = Date.now();
+ return 'Cookie="'+this.toString() +
+ '; hostOnly='+(this.hostOnly != null ? this.hostOnly : '?') +
+ '; aAge='+(this.lastAccessed ? (now-this.lastAccessed.getTime())+'ms' : '?') +
+ '; cAge='+(this.creation ? (now-this.creation.getTime())+'ms' : '?') +
+ '"';
+};
+
+Cookie.prototype.toJSON = function() {
+ var obj = {};
+
+ var props = Cookie.serializableProperties;
+ for (var i=0; i<props.length; i++) {
+ var prop = props[i];
+ if (this[prop] === Cookie.prototype[prop]) {
+ continue; // leave as prototype default
+ }
+
+ if (prop === 'expires' ||
+ prop === 'creation' ||
+ prop === 'lastAccessed')
+ {
+ if (this[prop] === null) {
+ obj[prop] = null;
+ } else {
+ obj[prop] = this[prop] == "Infinity" ? // intentionally not ===
+ "Infinity" : this[prop].toISOString();
+ }
+ } else if (prop === 'maxAge') {
+ if (this[prop] !== null) {
+ // again, intentionally not ===
+ obj[prop] = (this[prop] == Infinity || this[prop] == -Infinity) ?
+ this[prop].toString() : this[prop];
+ }
+ } else {
+ if (this[prop] !== Cookie.prototype[prop]) {
+ obj[prop] = this[prop];
+ }
+ }
+ }
+
+ return obj;
+};
+
+Cookie.prototype.clone = function() {
+ return fromJSON(this.toJSON());
+};
+
+Cookie.prototype.validate = function validate() {
+ if (!COOKIE_OCTETS.test(this.value)) {
+ return false;
+ }
+ if (this.expires != Infinity && !(this.expires instanceof Date) && !parseDate(this.expires)) {
+ return false;
+ }
+ if (this.maxAge != null && this.maxAge <= 0) {
+ return false; // "Max-Age=" non-zero-digit *DIGIT
+ }
+ if (this.path != null && !PATH_VALUE.test(this.path)) {
+ return false;
+ }
+
+ var cdomain = this.cdomain();
+ if (cdomain) {
+ if (cdomain.match(/\.$/)) {
+ return false; // S4.1.2.3 suggests that this is bad. domainMatch() tests confirm this
+ }
+ var suffix = pubsuffix.getPublicSuffix(cdomain);
+ if (suffix == null) { // it's a public suffix
+ return false;
+ }
+ }
+ return true;
+};
+
+Cookie.prototype.setExpires = function setExpires(exp) {
+ if (exp instanceof Date) {
+ this.expires = exp;
+ } else {
+ this.expires = parseDate(exp) || "Infinity";
+ }
+};
+
+Cookie.prototype.setMaxAge = function setMaxAge(age) {
+ if (age === Infinity || age === -Infinity) {
+ this.maxAge = age.toString(); // so JSON.stringify() works
+ } else {
+ this.maxAge = age;
+ }
+};
+
+// gives Cookie header format
+Cookie.prototype.cookieString = function cookieString() {
+ var val = this.value;
+ if (val == null) {
+ val = '';
+ }
+ if (this.key === '') {
+ return val;
+ }
+ return this.key+'='+val;
+};
+
+// gives Set-Cookie header format
+Cookie.prototype.toString = function toString() {
+ var str = this.cookieString();
+
+ if (this.expires != Infinity) {
+ if (this.expires instanceof Date) {
+ str += '; Expires='+formatDate(this.expires);
+ } else {
+ str += '; Expires='+this.expires;
+ }
+ }
+
+ if (this.maxAge != null && this.maxAge != Infinity) {
+ str += '; Max-Age='+this.maxAge;
+ }
+
+ if (this.domain && !this.hostOnly) {
+ str += '; Domain='+this.domain;
+ }
+ if (this.path) {
+ str += '; Path='+this.path;
+ }
+
+ if (this.secure) {
+ str += '; Secure';
+ }
+ if (this.httpOnly) {
+ str += '; HttpOnly';
+ }
+ if (this.extensions) {
+ this.extensions.forEach(function(ext) {
+ str += '; '+ext;
+ });
+ }
+
+ return str;
+};
+
+// TTL() partially replaces the "expiry-time" parts of S5.3 step 3 (setCookie()
+// elsewhere)
+// S5.3 says to give the "latest representable date" for which we use Infinity
+// For "expired" we use 0
+Cookie.prototype.TTL = function TTL(now) {
+ /* RFC6265 S4.1.2.2 If a cookie has both the Max-Age and the Expires
+ * attribute, the Max-Age attribute has precedence and controls the
+ * expiration date of the cookie.
+ * (Concurs with S5.3 step 3)
+ */
+ if (this.maxAge != null) {
+ return this.maxAge<=0 ? 0 : this.maxAge*1000;
+ }
+
+ var expires = this.expires;
+ if (expires != Infinity) {
+ if (!(expires instanceof Date)) {
+ expires = parseDate(expires) || Infinity;
+ }
+
+ if (expires == Infinity) {
+ return Infinity;
+ }
+
+ return expires.getTime() - (now || Date.now());
+ }
+
+ return Infinity;
+};
+
+// expiryTime() replaces the "expiry-time" parts of S5.3 step 3 (setCookie()
+// elsewhere)
+Cookie.prototype.expiryTime = function expiryTime(now) {
+ if (this.maxAge != null) {
+ var relativeTo = now || this.creation || new Date();
+ var age = (this.maxAge <= 0) ? -Infinity : this.maxAge*1000;
+ return relativeTo.getTime() + age;
+ }
+
+ if (this.expires == Infinity) {
+ return Infinity;
+ }
+ return this.expires.getTime();
+};
+
+// expiryDate() replaces the "expiry-time" parts of S5.3 step 3 (setCookie()
+// elsewhere), except it returns a Date
+Cookie.prototype.expiryDate = function expiryDate(now) {
+ var millisec = this.expiryTime(now);
+ if (millisec == Infinity) {
+ return new Date(MAX_TIME);
+ } else if (millisec == -Infinity) {
+ return new Date(MIN_TIME);
+ } else {
+ return new Date(millisec);
+ }
+};
+
+// This replaces the "persistent-flag" parts of S5.3 step 3
+Cookie.prototype.isPersistent = function isPersistent() {
+ return (this.maxAge != null || this.expires != Infinity);
+};
+
+// Mostly S5.1.2 and S5.2.3:
+Cookie.prototype.cdomain =
+Cookie.prototype.canonicalizedDomain = function canonicalizedDomain() {
+ if (this.domain == null) {
+ return null;
+ }
+ return canonicalDomain(this.domain);
+};
+
+function CookieJar(store, options) {
+ if (typeof options === "boolean") {
+ options = {rejectPublicSuffixes: options};
+ } else if (options == null) {
+ options = {};
+ }
+ if (options.rejectPublicSuffixes != null) {
+ this.rejectPublicSuffixes = options.rejectPublicSuffixes;
+ }
+ if (options.looseMode != null) {
+ this.enableLooseMode = options.looseMode;
+ }
+
+ if (!store) {
+ store = new MemoryCookieStore();
+ }
+ this.store = store;
+}
+CookieJar.prototype.store = null;
+CookieJar.prototype.rejectPublicSuffixes = true;
+CookieJar.prototype.enableLooseMode = false;
+var CAN_BE_SYNC = [];
+
+CAN_BE_SYNC.push('setCookie');
+CookieJar.prototype.setCookie = function(cookie, url, options, cb) {
+ var err;
+ var context = getCookieContext(url);
+ if (options instanceof Function) {
+ cb = options;
+ options = {};
+ }
+
+ var host = canonicalDomain(context.hostname);
+ var loose = this.enableLooseMode;
+ if (options.loose != null) {
+ loose = options.loose;
+ }
+
+ // S5.3 step 1
+ if (!(cookie instanceof Cookie)) {
+ cookie = Cookie.parse(cookie, { loose: loose });
+ }
+ if (!cookie) {
+ err = new Error("Cookie failed to parse");
+ return cb(options.ignoreError ? null : err);
+ }
+
+ // S5.3 step 2
+ var now = options.now || new Date(); // will assign later to save effort in the face of errors
+
+ // S5.3 step 3: NOOP; persistent-flag and expiry-time is handled by getCookie()
+
+ // S5.3 step 4: NOOP; domain is null by default
+
+ // S5.3 step 5: public suffixes
+ if (this.rejectPublicSuffixes && cookie.domain) {
+ var suffix = pubsuffix.getPublicSuffix(cookie.cdomain());
+ if (suffix == null) { // e.g. "com"
+ err = new Error("Cookie has domain set to a public suffix");
+ return cb(options.ignoreError ? null : err);
+ }
+ }
+
+ // S5.3 step 6:
+ if (cookie.domain) {
+ if (!domainMatch(host, cookie.cdomain(), false)) {
+ err = new Error("Cookie not in this host's domain. Cookie:"+cookie.cdomain()+" Request:"+host);
+ return cb(options.ignoreError ? null : err);
+ }
+
+ if (cookie.hostOnly == null) { // don't reset if already set
+ cookie.hostOnly = false;
+ }
+
+ } else {
+ cookie.hostOnly = true;
+ cookie.domain = host;
+ }
+
+ //S5.2.4 If the attribute-value is empty or if the first character of the
+ //attribute-value is not %x2F ("/"):
+ //Let cookie-path be the default-path.
+ if (!cookie.path || cookie.path[0] !== '/') {
+ cookie.path = defaultPath(context.pathname);
+ cookie.pathIsDefault = true;
+ }
+
+ // S5.3 step 8: NOOP; secure attribute
+ // S5.3 step 9: NOOP; httpOnly attribute
+
+ // S5.3 step 10
+ if (options.http === false && cookie.httpOnly) {
+ err = new Error("Cookie is HttpOnly and this isn't an HTTP API");
+ return cb(options.ignoreError ? null : err);
+ }
+
+ var store = this.store;
+
+ if (!store.updateCookie) {
+ store.updateCookie = function(oldCookie, newCookie, cb) {
+ this.putCookie(newCookie, cb);
+ };
+ }
+
+ function withCookie(err, oldCookie) {
+ if (err) {
+ return cb(err);
+ }
+
+ var next = function(err) {
+ if (err) {
+ return cb(err);
+ } else {
+ cb(null, cookie);
+ }
+ };
+
+ if (oldCookie) {
+ // S5.3 step 11 - "If the cookie store contains a cookie with the same name,
+ // domain, and path as the newly created cookie:"
+ if (options.http === false && oldCookie.httpOnly) { // step 11.2
+ err = new Error("old Cookie is HttpOnly and this isn't an HTTP API");
+ return cb(options.ignoreError ? null : err);
+ }
+ cookie.creation = oldCookie.creation; // step 11.3
+ cookie.creationIndex = oldCookie.creationIndex; // preserve tie-breaker
+ cookie.lastAccessed = now;
+ // Step 11.4 (delete cookie) is implied by just setting the new one:
+ store.updateCookie(oldCookie, cookie, next); // step 12
+
+ } else {
+ cookie.creation = cookie.lastAccessed = now;
+ store.putCookie(cookie, next); // step 12
+ }
+ }
+
+ store.findCookie(cookie.domain, cookie.path, cookie.key, withCookie);
+};
+
+// RFC6365 S5.4
+CAN_BE_SYNC.push('getCookies');
+CookieJar.prototype.getCookies = function(url, options, cb) {
+ var context = getCookieContext(url);
+ if (options instanceof Function) {
+ cb = options;
+ options = {};
+ }
+
+ var host = canonicalDomain(context.hostname);
+ var path = context.pathname || '/';
+
+ var secure = options.secure;
+ if (secure == null && context.protocol &&
+ (context.protocol == 'https:' || context.protocol == 'wss:'))
+ {
+ secure = true;
+ }
+
+ var http = options.http;
+ if (http == null) {
+ http = true;
+ }
+
+ var now = options.now || Date.now();
+ var expireCheck = options.expire !== false;
+ var allPaths = !!options.allPaths;
+ var store = this.store;
+
+ function matchingCookie(c) {
+ // "Either:
+ // The cookie's host-only-flag is true and the canonicalized
+ // request-host is identical to the cookie's domain.
+ // Or:
+ // The cookie's host-only-flag is false and the canonicalized
+ // request-host domain-matches the cookie's domain."
+ if (c.hostOnly) {
+ if (c.domain != host) {
+ return false;
+ }
+ } else {
+ if (!domainMatch(host, c.domain, false)) {
+ return false;
+ }
+ }
+
+ // "The request-uri's path path-matches the cookie's path."
+ if (!allPaths && !pathMatch(path, c.path)) {
+ return false;
+ }
+
+ // "If the cookie's secure-only-flag is true, then the request-uri's
+ // scheme must denote a "secure" protocol"
+ if (c.secure && !secure) {
+ return false;
+ }
+
+ // "If the cookie's http-only-flag is true, then exclude the cookie if the
+ // cookie-string is being generated for a "non-HTTP" API"
+ if (c.httpOnly && !http) {
+ return false;
+ }
+
+ // deferred from S5.3
+ // non-RFC: allow retention of expired cookies by choice
+ if (expireCheck && c.expiryTime() <= now) {
+ store.removeCookie(c.domain, c.path, c.key, function(){}); // result ignored
+ return false;
+ }
+
+ return true;
+ }
+
+ store.findCookies(host, allPaths ? null : path, function(err,cookies) {
+ if (err) {
+ return cb(err);
+ }
+
+ cookies = cookies.filter(matchingCookie);
+
+ // sorting of S5.4 part 2
+ if (options.sort !== false) {
+ cookies = cookies.sort(cookieCompare);
+ }
+
+ // S5.4 part 3
+ var now = new Date();
+ cookies.forEach(function(c) {
+ c.lastAccessed = now;
+ });
+ // TODO persist lastAccessed
+
+ cb(null,cookies);
+ });
+};
+
+CAN_BE_SYNC.push('getCookieString');
+CookieJar.prototype.getCookieString = function(/*..., cb*/) {
+ var args = Array.prototype.slice.call(arguments,0);
+ var cb = args.pop();
+ var next = function(err,cookies) {
+ if (err) {
+ cb(err);
+ } else {
+ cb(null, cookies
+ .sort(cookieCompare)
+ .map(function(c){
+ return c.cookieString();
+ })
+ .join('; '));
+ }
+ };
+ args.push(next);
+ this.getCookies.apply(this,args);
+};
+
+CAN_BE_SYNC.push('getSetCookieStrings');
+CookieJar.prototype.getSetCookieStrings = function(/*..., cb*/) {
+ var args = Array.prototype.slice.call(arguments,0);
+ var cb = args.pop();
+ var next = function(err,cookies) {
+ if (err) {
+ cb(err);
+ } else {
+ cb(null, cookies.map(function(c){
+ return c.toString();
+ }));
+ }
+ };
+ args.push(next);
+ this.getCookies.apply(this,args);
+};
+
+CAN_BE_SYNC.push('serialize');
+CookieJar.prototype.serialize = function(cb) {
+ var type = this.store.constructor.name;
+ if (type === 'Object') {
+ type = null;
+ }
+
+ // update README.md "Serialization Format" if you change this, please!
+ var serialized = {
+ // The version of tough-cookie that serialized this jar. Generally a good
+ // practice since future versions can make data import decisions based on
+ // known past behavior. When/if this matters, use `semver`.
+ version: 'tough-cookie@'+VERSION,
+
+ // add the store type, to make humans happy:
+ storeType: type,
+
+ // CookieJar configuration:
+ rejectPublicSuffixes: !!this.rejectPublicSuffixes,
+
+ // this gets filled from getAllCookies:
+ cookies: []
+ };
+
+ if (!(this.store.getAllCookies &&
+ typeof this.store.getAllCookies === 'function'))
+ {
+ return cb(new Error('store does not support getAllCookies and cannot be serialized'));
+ }
+
+ this.store.getAllCookies(function(err,cookies) {
+ if (err) {
+ return cb(err);
+ }
+
+ serialized.cookies = cookies.map(function(cookie) {
+ // convert to serialized 'raw' cookies
+ cookie = (cookie instanceof Cookie) ? cookie.toJSON() : cookie;
+
+ // Remove the index so new ones get assigned during deserialization
+ delete cookie.creationIndex;
+
+ return cookie;
+ });
+
+ return cb(null, serialized);
+ });
+};
+
+// well-known name that JSON.stringify calls
+CookieJar.prototype.toJSON = function() {
+ return this.serializeSync();
+};
+
+// use the class method CookieJar.deserialize instead of calling this directly
+CAN_BE_SYNC.push('_importCookies');
+CookieJar.prototype._importCookies = function(serialized, cb) {
+ var jar = this;
+ var cookies = serialized.cookies;
+ if (!cookies || !Array.isArray(cookies)) {
+ return cb(new Error('serialized jar has no cookies array'));
+ }
+
+ function putNext(err) {
+ if (err) {
+ return cb(err);
+ }
+
+ if (!cookies.length) {
+ return cb(err, jar);
+ }
+
+ var cookie;
+ try {
+ cookie = fromJSON(cookies.shift());
+ } catch (e) {
+ return cb(e);
+ }
+
+ if (cookie === null) {
+ return putNext(null); // skip this cookie
+ }
+
+ jar.store.putCookie(cookie, putNext);
+ }
+
+ putNext();
+};
+
+CookieJar.deserialize = function(strOrObj, store, cb) {
+ if (arguments.length !== 3) {
+ // store is optional
+ cb = store;
+ store = null;
+ }
+
+ var serialized;
+ if (typeof strOrObj === 'string') {
+ serialized = jsonParse(strOrObj);
+ if (serialized instanceof Error) {
+ return cb(serialized);
+ }
+ } else {
+ serialized = strOrObj;
+ }
+
+ var jar = new CookieJar(store, serialized.rejectPublicSuffixes);
+ jar._importCookies(serialized, function(err) {
+ if (err) {
+ return cb(err);
+ }
+ cb(null, jar);
+ });
+};
+
+CookieJar.deserializeSync = function(strOrObj, store) {
+ var serialized = typeof strOrObj === 'string' ?
+ JSON.parse(strOrObj) : strOrObj;
+ var jar = new CookieJar(store, serialized.rejectPublicSuffixes);
+
+ // catch this mistake early:
+ if (!jar.store.synchronous) {
+ throw new Error('CookieJar store is not synchronous; use async API instead.');
+ }
+
+ jar._importCookiesSync(serialized);
+ return jar;
+};
+CookieJar.fromJSON = CookieJar.deserializeSync;
+
+CAN_BE_SYNC.push('clone');
+CookieJar.prototype.clone = function(newStore, cb) {
+ if (arguments.length === 1) {
+ cb = newStore;
+ newStore = null;
+ }
+
+ this.serialize(function(err,serialized) {
+ if (err) {
+ return cb(err);
+ }
+ CookieJar.deserialize(newStore, serialized, cb);
+ });
+};
+
+// Use a closure to provide a true imperative API for synchronous stores.
+function syncWrap(method) {
+ return function() {
+ if (!this.store.synchronous) {
+ throw new Error('CookieJar store is not synchronous; use async API instead.');
+ }
+
+ var args = Array.prototype.slice.call(arguments);
+ var syncErr, syncResult;
+ args.push(function syncCb(err, result) {
+ syncErr = err;
+ syncResult = result;
+ });
+ this[method].apply(this, args);
+
+ if (syncErr) {
+ throw syncErr;
+ }
+ return syncResult;
+ };
+}
+
+// wrap all declared CAN_BE_SYNC methods in the sync wrapper
+CAN_BE_SYNC.forEach(function(method) {
+ CookieJar.prototype[method+'Sync'] = syncWrap(method);
+});
+
+module.exports = {
+ CookieJar: CookieJar,
+ Cookie: Cookie,
+ Store: Store,
+ MemoryCookieStore: MemoryCookieStore,
+ parseDate: parseDate,
+ formatDate: formatDate,
+ parse: parse,
+ fromJSON: fromJSON,
+ domainMatch: domainMatch,
+ defaultPath: defaultPath,
+ pathMatch: pathMatch,
+ getPublicSuffix: pubsuffix.getPublicSuffix,
+ cookieCompare: cookieCompare,
+ permuteDomain: require('./permuteDomain').permuteDomain,
+ permutePath: permutePath,
+ canonicalDomain: canonicalDomain
+};
projects / yaffs-website / blobdiff