1/*! 2 * Copyright (c) 2015, Salesforce.com, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright notice, 9 * this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright notice, 12 * this list of conditions and the following disclaimer in the documentation 13 * and/or other materials provided with the distribution. 14 * 15 * 3. Neither the name of Salesforce.com nor the names of its contributors may 16 * be used to endorse or promote products derived from this software without 17 * specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 23 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31'use strict'; 32var net = require('net'); 33var urlParse = require('url').parse; 34var util = require('util'); 35var pubsuffix = require('./pubsuffix-psl'); 36var Store = require('./store').Store; 37var MemoryCookieStore = require('./memstore').MemoryCookieStore; 38var pathMatch = require('./pathMatch').pathMatch; 39var VERSION = require('../package.json').version; 40 41var punycode; 42try { 43 punycode = require('punycode'); 44} catch(e) { 45 console.warn("tough-cookie: can't load punycode; won't use punycode for domain normalization"); 46} 47 48// From RFC6265 S4.1.1 49// note that it excludes \x3B ";" 50var COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/; 51 52var CONTROL_CHARS = /[\x00-\x1F]/; 53 54// From Chromium // '\r', '\n' and '\0' should be treated as a terminator in 55// the "relaxed" mode, see: 56// https://github.com/ChromiumWebApps/chromium/blob/b3d3b4da8bb94c1b2e061600df106d590fda3620/net/cookies/parsed_cookie.cc#L60 57var TERMINATORS = ['\n', '\r', '\0']; 58 59// RFC6265 S4.1.1 defines path value as 'any CHAR except CTLs or ";"' 60// Note ';' is \x3B 61var PATH_VALUE = /[\x20-\x3A\x3C-\x7E]+/; 62 63// date-time parsing constants (RFC6265 S5.1.1) 64 65var DATE_DELIM = /[\x09\x20-\x2F\x3B-\x40\x5B-\x60\x7B-\x7E]/; 66 67var MONTH_TO_NUM = { 68 jan:0, feb:1, mar:2, apr:3, may:4, jun:5, 69 jul:6, aug:7, sep:8, oct:9, nov:10, dec:11 70}; 71var NUM_TO_MONTH = [ 72 'Jan','Feb','Mar','Apr','May','Jun','Jul','Aug','Sep','Oct','Nov','Dec' 73]; 74var NUM_TO_DAY = [ 75 'Sun','Mon','Tue','Wed','Thu','Fri','Sat' 76]; 77 78var MAX_TIME = 2147483647000; // 31-bit max 79var MIN_TIME = 0; // 31-bit min 80 81/* 82 * Parses a Natural number (i.e., non-negative integer) with either the 83 * <min>*<max>DIGIT ( non-digit *OCTET ) 84 * or 85 * <min>*<max>DIGIT 86 * grammar (RFC6265 S5.1.1). 87 * 88 * The "trailingOK" boolean controls if the grammar accepts a 89 * "( non-digit *OCTET )" trailer. 90 */ 91function parseDigits(token, minDigits, maxDigits, trailingOK) { 92 var count = 0; 93 while (count < token.length) { 94 var c = token.charCodeAt(count); 95 // "non-digit = %x00-2F / %x3A-FF" 96 if (c <= 0x2F || c >= 0x3A) { 97 break; 98 } 99 count++; 100 } 101 102 // constrain to a minimum and maximum number of digits. 103 if (count < minDigits || count > maxDigits) { 104 return null; 105 } 106 107 if (!trailingOK && count != token.length) { 108 return null; 109 } 110 111 return parseInt(token.substr(0,count), 10); 112} 113 114function parseTime(token) { 115 var parts = token.split(':'); 116 var result = [0,0,0]; 117 118 /* RF6256 S5.1.1: 119 * time = hms-time ( non-digit *OCTET ) 120 * hms-time = time-field ":" time-field ":" time-field 121 * time-field = 1*2DIGIT 122 */ 123 124 if (parts.length !== 3) { 125 return null; 126 } 127 128 for (var i = 0; i < 3; i++) { 129 // "time-field" must be strictly "1*2DIGIT", HOWEVER, "hms-time" can be 130 // followed by "( non-digit *OCTET )" so therefore the last time-field can 131 // have a trailer 132 var trailingOK = (i == 2); 133 var num = parseDigits(parts[i], 1, 2, trailingOK); 134 if (num === null) { 135 return null; 136 } 137 result[i] = num; 138 } 139 140 return result; 141} 142 143function parseMonth(token) { 144 token = String(token).substr(0,3).toLowerCase(); 145 var num = MONTH_TO_NUM[token]; 146 return num >= 0 ? num : null; 147} 148 149/* 150 * RFC6265 S5.1.1 date parser (see RFC for full grammar) 151 */ 152function parseDate(str) { 153 if (!str) { 154 return; 155 } 156 157 /* RFC6265 S5.1.1: 158 * 2. Process each date-token sequentially in the order the date-tokens 159 * appear in the cookie-date 160 */ 161 var tokens = str.split(DATE_DELIM); 162 if (!tokens) { 163 return; 164 } 165 166 var hour = null; 167 var minute = null; 168 var second = null; 169 var dayOfMonth = null; 170 var month = null; 171 var year = null; 172 173 for (var i=0; i<tokens.length; i++) { 174 var token = tokens[i].trim(); 175 if (!token.length) { 176 continue; 177 } 178 179 var result; 180 181 /* 2.1. If the found-time flag is not set and the token matches the time 182 * production, set the found-time flag and set the hour- value, 183 * minute-value, and second-value to the numbers denoted by the digits in 184 * the date-token, respectively. Skip the remaining sub-steps and continue 185 * to the next date-token. 186 */ 187 if (second === null) { 188 result = parseTime(token); 189 if (result) { 190 hour = result[0]; 191 minute = result[1]; 192 second = result[2]; 193 continue; 194 } 195 } 196 197 /* 2.2. If the found-day-of-month flag is not set and the date-token matches 198 * the day-of-month production, set the found-day-of- month flag and set 199 * the day-of-month-value to the number denoted by the date-token. Skip 200 * the remaining sub-steps and continue to the next date-token. 201 */ 202 if (dayOfMonth === null) { 203 // "day-of-month = 1*2DIGIT ( non-digit *OCTET )" 204 result = parseDigits(token, 1, 2, true); 205 if (result !== null) { 206 dayOfMonth = result; 207 continue; 208 } 209 } 210 211 /* 2.3. If the found-month flag is not set and the date-token matches the 212 * month production, set the found-month flag and set the month-value to 213 * the month denoted by the date-token. Skip the remaining sub-steps and 214 * continue to the next date-token. 215 */ 216 if (month === null) { 217 result = parseMonth(token); 218 if (result !== null) { 219 month = result; 220 continue; 221 } 222 } 223 224 /* 2.4. If the found-year flag is not set and the date-token matches the 225 * year production, set the found-year flag and set the year-value to the 226 * number denoted by the date-token. Skip the remaining sub-steps and 227 * continue to the next date-token. 228 */ 229 if (year === null) { 230 // "year = 2*4DIGIT ( non-digit *OCTET )" 231 result = parseDigits(token, 2, 4, true); 232 if (result !== null) { 233 year = result; 234 /* From S5.1.1: 235 * 3. If the year-value is greater than or equal to 70 and less 236 * than or equal to 99, increment the year-value by 1900. 237 * 4. If the year-value is greater than or equal to 0 and less 238 * than or equal to 69, increment the year-value by 2000. 239 */ 240 if (year >= 70 && year <= 99) { 241 year += 1900; 242 } else if (year >= 0 && year <= 69) { 243 year += 2000; 244 } 245 } 246 } 247 } 248 249 /* RFC 6265 S5.1.1 250 * "5. Abort these steps and fail to parse the cookie-date if: 251 * * at least one of the found-day-of-month, found-month, found- 252 * year, or found-time flags is not set, 253 * * the day-of-month-value is less than 1 or greater than 31, 254 * * the year-value is less than 1601, 255 * * the hour-value is greater than 23, 256 * * the minute-value is greater than 59, or 257 * * the second-value is greater than 59. 258 * (Note that leap seconds cannot be represented in this syntax.)" 259 * 260 * So, in order as above: 261 */ 262 if ( 263 dayOfMonth === null || month === null || year === null || second === null || 264 dayOfMonth < 1 || dayOfMonth > 31 || 265 year < 1601 || 266 hour > 23 || 267 minute > 59 || 268 second > 59 269 ) { 270 return; 271 } 272 273 return new Date(Date.UTC(year, month, dayOfMonth, hour, minute, second)); 274} 275 276function formatDate(date) { 277 var d = date.getUTCDate(); d = d >= 10 ? d : '0'+d; 278 var h = date.getUTCHours(); h = h >= 10 ? h : '0'+h; 279 var m = date.getUTCMinutes(); m = m >= 10 ? m : '0'+m; 280 var s = date.getUTCSeconds(); s = s >= 10 ? s : '0'+s; 281 return NUM_TO_DAY[date.getUTCDay()] + ', ' + 282 d+' '+ NUM_TO_MONTH[date.getUTCMonth()] +' '+ date.getUTCFullYear() +' '+ 283 h+':'+m+':'+s+' GMT'; 284} 285 286// S5.1.2 Canonicalized Host Names 287function canonicalDomain(str) { 288 if (str == null) { 289 return null; 290 } 291 str = str.trim().replace(/^\./,''); // S4.1.2.3 & S5.2.3: ignore leading . 292 293 // convert to IDN if any non-ASCII characters 294 if (punycode && /[^\u0001-\u007f]/.test(str)) { 295 str = punycode.toASCII(str); 296 } 297 298 return str.toLowerCase(); 299} 300 301// S5.1.3 Domain Matching 302function domainMatch(str, domStr, canonicalize) { 303 if (str == null || domStr == null) { 304 return null; 305 } 306 if (canonicalize !== false) { 307 str = canonicalDomain(str); 308 domStr = canonicalDomain(domStr); 309 } 310 311 /* 312 * "The domain string and the string are identical. (Note that both the 313 * domain string and the string will have been canonicalized to lower case at 314 * this point)" 315 */ 316 if (str == domStr) { 317 return true; 318 } 319 320 /* "All of the following [three] conditions hold:" (order adjusted from the RFC) */ 321 322 /* "* The string is a host name (i.e., not an IP address)." */ 323 if (net.isIP(str)) { 324 return false; 325 } 326 327 /* "* The domain string is a suffix of the string" */ 328 var idx = str.indexOf(domStr); 329 if (idx <= 0) { 330 return false; // it's a non-match (-1) or prefix (0) 331 } 332 333 // e.g "a.b.c".indexOf("b.c") === 2 334 // 5 === 3+2 335 if (str.length !== domStr.length + idx) { // it's not a suffix 336 return false; 337 } 338 339 /* "* The last character of the string that is not included in the domain 340 * string is a %x2E (".") character." */ 341 if (str.substr(idx-1,1) !== '.') { 342 return false; 343 } 344 345 return true; 346} 347 348 349// RFC6265 S5.1.4 Paths and Path-Match 350 351/* 352 * "The user agent MUST use an algorithm equivalent to the following algorithm 353 * to compute the default-path of a cookie:" 354 * 355 * Assumption: the path (and not query part or absolute uri) is passed in. 356 */ 357function defaultPath(path) { 358 // "2. If the uri-path is empty or if the first character of the uri-path is not 359 // a %x2F ("/") character, output %x2F ("/") and skip the remaining steps. 360 if (!path || path.substr(0,1) !== "/") { 361 return "/"; 362 } 363 364 // "3. If the uri-path contains no more than one %x2F ("/") character, output 365 // %x2F ("/") and skip the remaining step." 366 if (path === "/") { 367 return path; 368 } 369 370 var rightSlash = path.lastIndexOf("/"); 371 if (rightSlash === 0) { 372 return "/"; 373 } 374 375 // "4. Output the characters of the uri-path from the first character up to, 376 // but not including, the right-most %x2F ("/")." 377 return path.slice(0, rightSlash); 378} 379 380function trimTerminator(str) { 381 for (var t = 0; t < TERMINATORS.length; t++) { 382 var terminatorIdx = str.indexOf(TERMINATORS[t]); 383 if (terminatorIdx !== -1) { 384 str = str.substr(0,terminatorIdx); 385 } 386 } 387 388 return str; 389} 390 391function parseCookiePair(cookiePair, looseMode) { 392 cookiePair = trimTerminator(cookiePair); 393 394 var firstEq = cookiePair.indexOf('='); 395 if (looseMode) { 396 if (firstEq === 0) { // '=' is immediately at start 397 cookiePair = cookiePair.substr(1); 398 firstEq = cookiePair.indexOf('='); // might still need to split on '=' 399 } 400 } else { // non-loose mode 401 if (firstEq <= 0) { // no '=' or is at start 402 return; // needs to have non-empty "cookie-name" 403 } 404 } 405 406 var cookieName, cookieValue; 407 if (firstEq <= 0) { 408 cookieName = ""; 409 cookieValue = cookiePair.trim(); 410 } else { 411 cookieName = cookiePair.substr(0, firstEq).trim(); 412 cookieValue = cookiePair.substr(firstEq+1).trim(); 413 } 414 415 if (CONTROL_CHARS.test(cookieName) || CONTROL_CHARS.test(cookieValue)) { 416 return; 417 } 418 419 var c = new Cookie(); 420 c.key = cookieName; 421 c.value = cookieValue; 422 return c; 423} 424 425function parse(str, options) { 426 if (!options || typeof options !== 'object') { 427 options = {}; 428 } 429 str = str.trim(); 430 431 // We use a regex to parse the "name-value-pair" part of S5.2 432 var firstSemi = str.indexOf(';'); // S5.2 step 1 433 var cookiePair = (firstSemi === -1) ? str : str.substr(0, firstSemi); 434 var c = parseCookiePair(cookiePair, !!options.loose); 435 if (!c) { 436 return; 437 } 438 439 if (firstSemi === -1) { 440 return c; 441 } 442 443 // S5.2.3 "unparsed-attributes consist of the remainder of the set-cookie-string 444 // (including the %x3B (";") in question)." plus later on in the same section 445 // "discard the first ";" and trim". 446 var unparsed = str.slice(firstSemi + 1).trim(); 447 448 // "If the unparsed-attributes string is empty, skip the rest of these 449 // steps." 450 if (unparsed.length === 0) { 451 return c; 452 } 453 454 /* 455 * S5.2 says that when looping over the items "[p]rocess the attribute-name 456 * and attribute-value according to the requirements in the following 457 * subsections" for every item. Plus, for many of the individual attributes 458 * in S5.3 it says to use the "attribute-value of the last attribute in the 459 * cookie-attribute-list". Therefore, in this implementation, we overwrite 460 * the previous value. 461 */ 462 var cookie_avs = unparsed.split(';'); 463 while (cookie_avs.length) { 464 var av = cookie_avs.shift().trim(); 465 if (av.length === 0) { // happens if ";;" appears 466 continue; 467 } 468 var av_sep = av.indexOf('='); 469 var av_key, av_value; 470 471 if (av_sep === -1) { 472 av_key = av; 473 av_value = null; 474 } else { 475 av_key = av.substr(0,av_sep); 476 av_value = av.substr(av_sep+1); 477 } 478 479 av_key = av_key.trim().toLowerCase(); 480 481 if (av_value) { 482 av_value = av_value.trim(); 483 } 484 485 switch(av_key) { 486 case 'expires': // S5.2.1 487 if (av_value) { 488 var exp = parseDate(av_value); 489 // "If the attribute-value failed to parse as a cookie date, ignore the 490 // cookie-av." 491 if (exp) { 492 // over and underflow not realistically a concern: V8's getTime() seems to 493 // store something larger than a 32-bit time_t (even with 32-bit node) 494 c.expires = exp; 495 } 496 } 497 break; 498 499 case 'max-age': // S5.2.2 500 if (av_value) { 501 // "If the first character of the attribute-value is not a DIGIT or a "-" 502 // character ...[or]... If the remainder of attribute-value contains a 503 // non-DIGIT character, ignore the cookie-av." 504 if (/^-?[0-9]+$/.test(av_value)) { 505 var delta = parseInt(av_value, 10); 506 // "If delta-seconds is less than or equal to zero (0), let expiry-time 507 // be the earliest representable date and time." 508 c.setMaxAge(delta); 509 } 510 } 511 break; 512 513 case 'domain': // S5.2.3 514 // "If the attribute-value is empty, the behavior is undefined. However, 515 // the user agent SHOULD ignore the cookie-av entirely." 516 if (av_value) { 517 // S5.2.3 "Let cookie-domain be the attribute-value without the leading %x2E 518 // (".") character." 519 var domain = av_value.trim().replace(/^\./, ''); 520 if (domain) { 521 // "Convert the cookie-domain to lower case." 522 c.domain = domain.toLowerCase(); 523 } 524 } 525 break; 526 527 case 'path': // S5.2.4 528 /* 529 * "If the attribute-value is empty or if the first character of the 530 * attribute-value is not %x2F ("/"): 531 * Let cookie-path be the default-path. 532 * Otherwise: 533 * Let cookie-path be the attribute-value." 534 * 535 * We'll represent the default-path as null since it depends on the 536 * context of the parsing. 537 */ 538 c.path = av_value && av_value[0] === "/" ? av_value : null; 539 break; 540 541 case 'secure': // S5.2.5 542 /* 543 * "If the attribute-name case-insensitively matches the string "Secure", 544 * the user agent MUST append an attribute to the cookie-attribute-list 545 * with an attribute-name of Secure and an empty attribute-value." 546 */ 547 c.secure = true; 548 break; 549 550 case 'httponly': // S5.2.6 -- effectively the same as 'secure' 551 c.httpOnly = true; 552 break; 553 554 default: 555 c.extensions = c.extensions || []; 556 c.extensions.push(av); 557 break; 558 } 559 } 560 561 return c; 562} 563 564// avoid the V8 deoptimization monster! 565function jsonParse(str) { 566 var obj; 567 try { 568 obj = JSON.parse(str); 569 } catch (e) { 570 return e; 571 } 572 return obj; 573} 574 575function fromJSON(str) { 576 if (!str) { 577 return null; 578 } 579 580 var obj; 581 if (typeof str === 'string') { 582 obj = jsonParse(str); 583 if (obj instanceof Error) { 584 return null; 585 } 586 } else { 587 // assume it's an Object 588 obj = str; 589 } 590 591 var c = new Cookie(); 592 for (var i=0; i<Cookie.serializableProperties.length; i++) { 593 var prop = Cookie.serializableProperties[i]; 594 if (obj[prop] === undefined || 595 obj[prop] === Cookie.prototype[prop]) 596 { 597 continue; // leave as prototype default 598 } 599 600 if (prop === 'expires' || 601 prop === 'creation' || 602 prop === 'lastAccessed') 603 { 604 if (obj[prop] === null) { 605 c[prop] = null; 606 } else { 607 c[prop] = obj[prop] == "Infinity" ? 608 "Infinity" : new Date(obj[prop]); 609 } 610 } else { 611 c[prop] = obj[prop]; 612 } 613 } 614 615 return c; 616} 617 618/* Section 5.4 part 2: 619 * "* Cookies with longer paths are listed before cookies with 620 * shorter paths. 621 * 622 * * Among cookies that have equal-length path fields, cookies with 623 * earlier creation-times are listed before cookies with later 624 * creation-times." 625 */ 626 627function cookieCompare(a,b) { 628 var cmp = 0; 629 630 // descending for length: b CMP a 631 var aPathLen = a.path ? a.path.length : 0; 632 var bPathLen = b.path ? b.path.length : 0; 633 cmp = bPathLen - aPathLen; 634 if (cmp !== 0) { 635 return cmp; 636 } 637 638 // ascending for time: a CMP b 639 var aTime = a.creation ? a.creation.getTime() : MAX_TIME; 640 var bTime = b.creation ? b.creation.getTime() : MAX_TIME; 641 cmp = aTime - bTime; 642 if (cmp !== 0) { 643 return cmp; 644 } 645 646 // break ties for the same millisecond (precision of JavaScript's clock) 647 cmp = a.creationIndex - b.creationIndex; 648 649 return cmp; 650} 651 652// Gives the permutation of all possible pathMatch()es of a given path. The 653// array is in longest-to-shortest order. Handy for indexing. 654function permutePath(path) { 655 if (path === '/') { 656 return ['/']; 657 } 658 if (path.lastIndexOf('/') === path.length-1) { 659 path = path.substr(0,path.length-1); 660 } 661 var permutations = [path]; 662 while (path.length > 1) { 663 var lindex = path.lastIndexOf('/'); 664 if (lindex === 0) { 665 break; 666 } 667 path = path.substr(0,lindex); 668 permutations.push(path); 669 } 670 permutations.push('/'); 671 return permutations; 672} 673 674function getCookieContext(url) { 675 if (url instanceof Object) { 676 return url; 677 } 678 // NOTE: decodeURI will throw on malformed URIs (see GH-32). 679 // Therefore, we will just skip decoding for such URIs. 680 try { 681 url = decodeURI(url); 682 } 683 catch(err) { 684 // Silently swallow error 685 } 686 687 return urlParse(url); 688} 689 690function Cookie(options) { 691 options = options || {}; 692 693 Object.keys(options).forEach(function(prop) { 694 if (Cookie.prototype.hasOwnProperty(prop) && 695 Cookie.prototype[prop] !== options[prop] && 696 prop.substr(0,1) !== '_') 697 { 698 this[prop] = options[prop]; 699 } 700 }, this); 701 702 this.creation = this.creation || new Date(); 703 704 // used to break creation ties in cookieCompare(): 705 Object.defineProperty(this, 'creationIndex', { 706 configurable: false, 707 enumerable: false, // important for assert.deepEqual checks 708 writable: true, 709 value: ++Cookie.cookiesCreated 710 }); 711} 712 713Cookie.cookiesCreated = 0; // incremented each time a cookie is created 714 715Cookie.parse = parse; 716Cookie.fromJSON = fromJSON; 717 718Cookie.prototype.key = ""; 719Cookie.prototype.value = ""; 720 721// the order in which the RFC has them: 722Cookie.prototype.expires = "Infinity"; // coerces to literal Infinity 723Cookie.prototype.maxAge = null; // takes precedence over expires for TTL 724Cookie.prototype.domain = null; 725Cookie.prototype.path = null; 726Cookie.prototype.secure = false; 727Cookie.prototype.httpOnly = false; 728Cookie.prototype.extensions = null; 729 730// set by the CookieJar: 731Cookie.prototype.hostOnly = null; // boolean when set 732Cookie.prototype.pathIsDefault = null; // boolean when set 733Cookie.prototype.creation = null; // Date when set; defaulted by Cookie.parse 734Cookie.prototype.lastAccessed = null; // Date when set 735Object.defineProperty(Cookie.prototype, 'creationIndex', { 736 configurable: true, 737 enumerable: false, 738 writable: true, 739 value: 0 740}); 741 742Cookie.serializableProperties = Object.keys(Cookie.prototype) 743 .filter(function(prop) { 744 return !( 745 Cookie.prototype[prop] instanceof Function || 746 prop === 'creationIndex' || 747 prop.substr(0,1) === '_' 748 ); 749 }); 750 751Cookie.prototype.inspect = function inspect() { 752 var now = Date.now(); 753 return 'Cookie="'+this.toString() + 754 '; hostOnly='+(this.hostOnly != null ? this.hostOnly : '?') + 755 '; aAge='+(this.lastAccessed ? (now-this.lastAccessed.getTime())+'ms' : '?') + 756 '; cAge='+(this.creation ? (now-this.creation.getTime())+'ms' : '?') + 757 '"'; 758}; 759 760// Use the new custom inspection symbol to add the custom inspect function if 761// available. 762if (util.inspect.custom) { 763 Cookie.prototype[util.inspect.custom] = Cookie.prototype.inspect; 764} 765 766Cookie.prototype.toJSON = function() { 767 var obj = {}; 768 769 var props = Cookie.serializableProperties; 770 for (var i=0; i<props.length; i++) { 771 var prop = props[i]; 772 if (this[prop] === Cookie.prototype[prop]) { 773 continue; // leave as prototype default 774 } 775 776 if (prop === 'expires' || 777 prop === 'creation' || 778 prop === 'lastAccessed') 779 { 780 if (this[prop] === null) { 781 obj[prop] = null; 782 } else { 783 obj[prop] = this[prop] == "Infinity" ? // intentionally not === 784 "Infinity" : this[prop].toISOString(); 785 } 786 } else if (prop === 'maxAge') { 787 if (this[prop] !== null) { 788 // again, intentionally not === 789 obj[prop] = (this[prop] == Infinity || this[prop] == -Infinity) ? 790 this[prop].toString() : this[prop]; 791 } 792 } else { 793 if (this[prop] !== Cookie.prototype[prop]) { 794 obj[prop] = this[prop]; 795 } 796 } 797 } 798 799 return obj; 800}; 801 802Cookie.prototype.clone = function() { 803 return fromJSON(this.toJSON()); 804}; 805 806Cookie.prototype.validate = function validate() { 807 if (!COOKIE_OCTETS.test(this.value)) { 808 return false; 809 } 810 if (this.expires != Infinity && !(this.expires instanceof Date) && !parseDate(this.expires)) { 811 return false; 812 } 813 if (this.maxAge != null && this.maxAge <= 0) { 814 return false; // "Max-Age=" non-zero-digit *DIGIT 815 } 816 if (this.path != null && !PATH_VALUE.test(this.path)) { 817 return false; 818 } 819 820 var cdomain = this.cdomain(); 821 if (cdomain) { 822 if (cdomain.match(/\.$/)) { 823 return false; // S4.1.2.3 suggests that this is bad. domainMatch() tests confirm this 824 } 825 var suffix = pubsuffix.getPublicSuffix(cdomain); 826 if (suffix == null) { // it's a public suffix 827 return false; 828 } 829 } 830 return true; 831}; 832 833Cookie.prototype.setExpires = function setExpires(exp) { 834 if (exp instanceof Date) { 835 this.expires = exp; 836 } else { 837 this.expires = parseDate(exp) || "Infinity"; 838 } 839}; 840 841Cookie.prototype.setMaxAge = function setMaxAge(age) { 842 if (age === Infinity || age === -Infinity) { 843 this.maxAge = age.toString(); // so JSON.stringify() works 844 } else { 845 this.maxAge = age; 846 } 847}; 848 849// gives Cookie header format 850Cookie.prototype.cookieString = function cookieString() { 851 var val = this.value; 852 if (val == null) { 853 val = ''; 854 } 855 if (this.key === '') { 856 return val; 857 } 858 return this.key+'='+val; 859}; 860 861// gives Set-Cookie header format 862Cookie.prototype.toString = function toString() { 863 var str = this.cookieString(); 864 865 if (this.expires != Infinity) { 866 if (this.expires instanceof Date) { 867 str += '; Expires='+formatDate(this.expires); 868 } else { 869 str += '; Expires='+this.expires; 870 } 871 } 872 873 if (this.maxAge != null && this.maxAge != Infinity) { 874 str += '; Max-Age='+this.maxAge; 875 } 876 877 if (this.domain && !this.hostOnly) { 878 str += '; Domain='+this.domain; 879 } 880 if (this.path) { 881 str += '; Path='+this.path; 882 } 883 884 if (this.secure) { 885 str += '; Secure'; 886 } 887 if (this.httpOnly) { 888 str += '; HttpOnly'; 889 } 890 if (this.extensions) { 891 this.extensions.forEach(function(ext) { 892 str += '; '+ext; 893 }); 894 } 895 896 return str; 897}; 898 899// TTL() partially replaces the "expiry-time" parts of S5.3 step 3 (setCookie() 900// elsewhere) 901// S5.3 says to give the "latest representable date" for which we use Infinity 902// For "expired" we use 0 903Cookie.prototype.TTL = function TTL(now) { 904 /* RFC6265 S4.1.2.2 If a cookie has both the Max-Age and the Expires 905 * attribute, the Max-Age attribute has precedence and controls the 906 * expiration date of the cookie. 907 * (Concurs with S5.3 step 3) 908 */ 909 if (this.maxAge != null) { 910 return this.maxAge<=0 ? 0 : this.maxAge*1000; 911 } 912 913 var expires = this.expires; 914 if (expires != Infinity) { 915 if (!(expires instanceof Date)) { 916 expires = parseDate(expires) || Infinity; 917 } 918 919 if (expires == Infinity) { 920 return Infinity; 921 } 922 923 return expires.getTime() - (now || Date.now()); 924 } 925 926 return Infinity; 927}; 928 929// expiryTime() replaces the "expiry-time" parts of S5.3 step 3 (setCookie() 930// elsewhere) 931Cookie.prototype.expiryTime = function expiryTime(now) { 932 if (this.maxAge != null) { 933 var relativeTo = now || this.creation || new Date(); 934 var age = (this.maxAge <= 0) ? -Infinity : this.maxAge*1000; 935 return relativeTo.getTime() + age; 936 } 937 938 if (this.expires == Infinity) { 939 return Infinity; 940 } 941 return this.expires.getTime(); 942}; 943 944// expiryDate() replaces the "expiry-time" parts of S5.3 step 3 (setCookie() 945// elsewhere), except it returns a Date 946Cookie.prototype.expiryDate = function expiryDate(now) { 947 var millisec = this.expiryTime(now); 948 if (millisec == Infinity) { 949 return new Date(MAX_TIME); 950 } else if (millisec == -Infinity) { 951 return new Date(MIN_TIME); 952 } else { 953 return new Date(millisec); 954 } 955}; 956 957// This replaces the "persistent-flag" parts of S5.3 step 3 958Cookie.prototype.isPersistent = function isPersistent() { 959 return (this.maxAge != null || this.expires != Infinity); 960}; 961 962// Mostly S5.1.2 and S5.2.3: 963Cookie.prototype.cdomain = 964Cookie.prototype.canonicalizedDomain = function canonicalizedDomain() { 965 if (this.domain == null) { 966 return null; 967 } 968 return canonicalDomain(this.domain); 969}; 970 971function CookieJar(store, options) { 972 if (typeof options === "boolean") { 973 options = {rejectPublicSuffixes: options}; 974 } else if (options == null) { 975 options = {}; 976 } 977 if (options.rejectPublicSuffixes != null) { 978 this.rejectPublicSuffixes = options.rejectPublicSuffixes; 979 } 980 if (options.looseMode != null) { 981 this.enableLooseMode = options.looseMode; 982 } 983 984 if (!store) { 985 store = new MemoryCookieStore(); 986 } 987 this.store = store; 988} 989CookieJar.prototype.store = null; 990CookieJar.prototype.rejectPublicSuffixes = true; 991CookieJar.prototype.enableLooseMode = false; 992var CAN_BE_SYNC = []; 993 994CAN_BE_SYNC.push('setCookie'); 995CookieJar.prototype.setCookie = function(cookie, url, options, cb) { 996 var err; 997 var context = getCookieContext(url); 998 if (options instanceof Function) { 999 cb = options; 1000 options = {}; 1001 } 1002 1003 var host = canonicalDomain(context.hostname); 1004 var loose = this.enableLooseMode; 1005 if (options.loose != null) { 1006 loose = options.loose; 1007 } 1008 1009 // S5.3 step 1 1010 if (!(cookie instanceof Cookie)) { 1011 cookie = Cookie.parse(cookie, { loose: loose }); 1012 } 1013 if (!cookie) { 1014 err = new Error("Cookie failed to parse"); 1015 return cb(options.ignoreError ? null : err); 1016 } 1017 1018 // S5.3 step 2 1019 var now = options.now || new Date(); // will assign later to save effort in the face of errors 1020 1021 // S5.3 step 3: NOOP; persistent-flag and expiry-time is handled by getCookie() 1022 1023 // S5.3 step 4: NOOP; domain is null by default 1024 1025 // S5.3 step 5: public suffixes 1026 if (this.rejectPublicSuffixes && cookie.domain) { 1027 var suffix = pubsuffix.getPublicSuffix(cookie.cdomain()); 1028 if (suffix == null) { // e.g. "com" 1029 err = new Error("Cookie has domain set to a public suffix"); 1030 return cb(options.ignoreError ? null : err); 1031 } 1032 } 1033 1034 // S5.3 step 6: 1035 if (cookie.domain) { 1036 if (!domainMatch(host, cookie.cdomain(), false)) { 1037 err = new Error("Cookie not in this host's domain. Cookie:"+cookie.cdomain()+" Request:"+host); 1038 return cb(options.ignoreError ? null : err); 1039 } 1040 1041 if (cookie.hostOnly == null) { // don't reset if already set 1042 cookie.hostOnly = false; 1043 } 1044 1045 } else { 1046 cookie.hostOnly = true; 1047 cookie.domain = host; 1048 } 1049 1050 //S5.2.4 If the attribute-value is empty or if the first character of the 1051 //attribute-value is not %x2F ("/"): 1052 //Let cookie-path be the default-path. 1053 if (!cookie.path || cookie.path[0] !== '/') { 1054 cookie.path = defaultPath(context.pathname); 1055 cookie.pathIsDefault = true; 1056 } 1057 1058 // S5.3 step 8: NOOP; secure attribute 1059 // S5.3 step 9: NOOP; httpOnly attribute 1060 1061 // S5.3 step 10 1062 if (options.http === false && cookie.httpOnly) { 1063 err = new Error("Cookie is HttpOnly and this isn't an HTTP API"); 1064 return cb(options.ignoreError ? null : err); 1065 } 1066 1067 var store = this.store; 1068 1069 if (!store.updateCookie) { 1070 store.updateCookie = function(oldCookie, newCookie, cb) { 1071 this.putCookie(newCookie, cb); 1072 }; 1073 } 1074 1075 function withCookie(err, oldCookie) { 1076 if (err) { 1077 return cb(err); 1078 } 1079 1080 var next = function(err) { 1081 if (err) { 1082 return cb(err); 1083 } else { 1084 cb(null, cookie); 1085 } 1086 }; 1087 1088 if (oldCookie) { 1089 // S5.3 step 11 - "If the cookie store contains a cookie with the same name, 1090 // domain, and path as the newly created cookie:" 1091 if (options.http === false && oldCookie.httpOnly) { // step 11.2 1092 err = new Error("old Cookie is HttpOnly and this isn't an HTTP API"); 1093 return cb(options.ignoreError ? null : err); 1094 } 1095 cookie.creation = oldCookie.creation; // step 11.3 1096 cookie.creationIndex = oldCookie.creationIndex; // preserve tie-breaker 1097 cookie.lastAccessed = now; 1098 // Step 11.4 (delete cookie) is implied by just setting the new one: 1099 store.updateCookie(oldCookie, cookie, next); // step 12 1100 1101 } else { 1102 cookie.creation = cookie.lastAccessed = now; 1103 store.putCookie(cookie, next); // step 12 1104 } 1105 } 1106 1107 store.findCookie(cookie.domain, cookie.path, cookie.key, withCookie); 1108}; 1109 1110// RFC6365 S5.4 1111CAN_BE_SYNC.push('getCookies'); 1112CookieJar.prototype.getCookies = function(url, options, cb) { 1113 var context = getCookieContext(url); 1114 if (options instanceof Function) { 1115 cb = options; 1116 options = {}; 1117 } 1118 1119 var host = canonicalDomain(context.hostname); 1120 var path = context.pathname || '/'; 1121 1122 var secure = options.secure; 1123 if (secure == null && context.protocol && 1124 (context.protocol == 'https:' || context.protocol == 'wss:')) 1125 { 1126 secure = true; 1127 } 1128 1129 var http = options.http; 1130 if (http == null) { 1131 http = true; 1132 } 1133 1134 var now = options.now || Date.now(); 1135 var expireCheck = options.expire !== false; 1136 var allPaths = !!options.allPaths; 1137 var store = this.store; 1138 1139 function matchingCookie(c) { 1140 // "Either: 1141 // The cookie's host-only-flag is true and the canonicalized 1142 // request-host is identical to the cookie's domain. 1143 // Or: 1144 // The cookie's host-only-flag is false and the canonicalized 1145 // request-host domain-matches the cookie's domain." 1146 if (c.hostOnly) { 1147 if (c.domain != host) { 1148 return false; 1149 } 1150 } else { 1151 if (!domainMatch(host, c.domain, false)) { 1152 return false; 1153 } 1154 } 1155 1156 // "The request-uri's path path-matches the cookie's path." 1157 if (!allPaths && !pathMatch(path, c.path)) { 1158 return false; 1159 } 1160 1161 // "If the cookie's secure-only-flag is true, then the request-uri's 1162 // scheme must denote a "secure" protocol" 1163 if (c.secure && !secure) { 1164 return false; 1165 } 1166 1167 // "If the cookie's http-only-flag is true, then exclude the cookie if the 1168 // cookie-string is being generated for a "non-HTTP" API" 1169 if (c.httpOnly && !http) { 1170 return false; 1171 } 1172 1173 // deferred from S5.3 1174 // non-RFC: allow retention of expired cookies by choice 1175 if (expireCheck && c.expiryTime() <= now) { 1176 store.removeCookie(c.domain, c.path, c.key, function(){}); // result ignored 1177 return false; 1178 } 1179 1180 return true; 1181 } 1182 1183 store.findCookies(host, allPaths ? null : path, function(err,cookies) { 1184 if (err) { 1185 return cb(err); 1186 } 1187 1188 cookies = cookies.filter(matchingCookie); 1189 1190 // sorting of S5.4 part 2 1191 if (options.sort !== false) { 1192 cookies = cookies.sort(cookieCompare); 1193 } 1194 1195 // S5.4 part 3 1196 var now = new Date(); 1197 cookies.forEach(function(c) { 1198 c.lastAccessed = now; 1199 }); 1200 // TODO persist lastAccessed 1201 1202 cb(null,cookies); 1203 }); 1204}; 1205 1206CAN_BE_SYNC.push('getCookieString'); 1207CookieJar.prototype.getCookieString = function(/*..., cb*/) { 1208 var args = Array.prototype.slice.call(arguments,0); 1209 var cb = args.pop(); 1210 var next = function(err,cookies) { 1211 if (err) { 1212 cb(err); 1213 } else { 1214 cb(null, cookies 1215 .sort(cookieCompare) 1216 .map(function(c){ 1217 return c.cookieString(); 1218 }) 1219 .join('; ')); 1220 } 1221 }; 1222 args.push(next); 1223 this.getCookies.apply(this,args); 1224}; 1225 1226CAN_BE_SYNC.push('getSetCookieStrings'); 1227CookieJar.prototype.getSetCookieStrings = function(/*..., cb*/) { 1228 var args = Array.prototype.slice.call(arguments,0); 1229 var cb = args.pop(); 1230 var next = function(err,cookies) { 1231 if (err) { 1232 cb(err); 1233 } else { 1234 cb(null, cookies.map(function(c){ 1235 return c.toString(); 1236 })); 1237 } 1238 }; 1239 args.push(next); 1240 this.getCookies.apply(this,args); 1241}; 1242 1243CAN_BE_SYNC.push('serialize'); 1244CookieJar.prototype.serialize = function(cb) { 1245 var type = this.store.constructor.name; 1246 if (type === 'Object') { 1247 type = null; 1248 } 1249 1250 // update README.md "Serialization Format" if you change this, please! 1251 var serialized = { 1252 // The version of tough-cookie that serialized this jar. Generally a good 1253 // practice since future versions can make data import decisions based on 1254 // known past behavior. When/if this matters, use `semver`. 1255 version: 'tough-cookie@'+VERSION, 1256 1257 // add the store type, to make humans happy: 1258 storeType: type, 1259 1260 // CookieJar configuration: 1261 rejectPublicSuffixes: !!this.rejectPublicSuffixes, 1262 1263 // this gets filled from getAllCookies: 1264 cookies: [] 1265 }; 1266 1267 if (!(this.store.getAllCookies && 1268 typeof this.store.getAllCookies === 'function')) 1269 { 1270 return cb(new Error('store does not support getAllCookies and cannot be serialized')); 1271 } 1272 1273 this.store.getAllCookies(function(err,cookies) { 1274 if (err) { 1275 return cb(err); 1276 } 1277 1278 serialized.cookies = cookies.map(function(cookie) { 1279 // convert to serialized 'raw' cookies 1280 cookie = (cookie instanceof Cookie) ? cookie.toJSON() : cookie; 1281 1282 // Remove the index so new ones get assigned during deserialization 1283 delete cookie.creationIndex; 1284 1285 return cookie; 1286 }); 1287 1288 return cb(null, serialized); 1289 }); 1290}; 1291 1292// well-known name that JSON.stringify calls 1293CookieJar.prototype.toJSON = function() { 1294 return this.serializeSync(); 1295}; 1296 1297// use the class method CookieJar.deserialize instead of calling this directly 1298CAN_BE_SYNC.push('_importCookies'); 1299CookieJar.prototype._importCookies = function(serialized, cb) { 1300 var jar = this; 1301 var cookies = serialized.cookies; 1302 if (!cookies || !Array.isArray(cookies)) { 1303 return cb(new Error('serialized jar has no cookies array')); 1304 } 1305 cookies = cookies.slice(); // do not modify the original 1306 1307 function putNext(err) { 1308 if (err) { 1309 return cb(err); 1310 } 1311 1312 if (!cookies.length) { 1313 return cb(err, jar); 1314 } 1315 1316 var cookie; 1317 try { 1318 cookie = fromJSON(cookies.shift()); 1319 } catch (e) { 1320 return cb(e); 1321 } 1322 1323 if (cookie === null) { 1324 return putNext(null); // skip this cookie 1325 } 1326 1327 jar.store.putCookie(cookie, putNext); 1328 } 1329 1330 putNext(); 1331}; 1332 1333CookieJar.deserialize = function(strOrObj, store, cb) { 1334 if (arguments.length !== 3) { 1335 // store is optional 1336 cb = store; 1337 store = null; 1338 } 1339 1340 var serialized; 1341 if (typeof strOrObj === 'string') { 1342 serialized = jsonParse(strOrObj); 1343 if (serialized instanceof Error) { 1344 return cb(serialized); 1345 } 1346 } else { 1347 serialized = strOrObj; 1348 } 1349 1350 var jar = new CookieJar(store, serialized.rejectPublicSuffixes); 1351 jar._importCookies(serialized, function(err) { 1352 if (err) { 1353 return cb(err); 1354 } 1355 cb(null, jar); 1356 }); 1357}; 1358 1359CookieJar.deserializeSync = function(strOrObj, store) { 1360 var serialized = typeof strOrObj === 'string' ? 1361 JSON.parse(strOrObj) : strOrObj; 1362 var jar = new CookieJar(store, serialized.rejectPublicSuffixes); 1363 1364 // catch this mistake early: 1365 if (!jar.store.synchronous) { 1366 throw new Error('CookieJar store is not synchronous; use async API instead.'); 1367 } 1368 1369 jar._importCookiesSync(serialized); 1370 return jar; 1371}; 1372CookieJar.fromJSON = CookieJar.deserializeSync; 1373 1374CAN_BE_SYNC.push('clone'); 1375CookieJar.prototype.clone = function(newStore, cb) { 1376 if (arguments.length === 1) { 1377 cb = newStore; 1378 newStore = null; 1379 } 1380 1381 this.serialize(function(err,serialized) { 1382 if (err) { 1383 return cb(err); 1384 } 1385 CookieJar.deserialize(newStore, serialized, cb); 1386 }); 1387}; 1388 1389// Use a closure to provide a true imperative API for synchronous stores. 1390function syncWrap(method) { 1391 return function() { 1392 if (!this.store.synchronous) { 1393 throw new Error('CookieJar store is not synchronous; use async API instead.'); 1394 } 1395 1396 var args = Array.prototype.slice.call(arguments); 1397 var syncErr, syncResult; 1398 args.push(function syncCb(err, result) { 1399 syncErr = err; 1400 syncResult = result; 1401 }); 1402 this[method].apply(this, args); 1403 1404 if (syncErr) { 1405 throw syncErr; 1406 } 1407 return syncResult; 1408 }; 1409} 1410 1411// wrap all declared CAN_BE_SYNC methods in the sync wrapper 1412CAN_BE_SYNC.forEach(function(method) { 1413 CookieJar.prototype[method+'Sync'] = syncWrap(method); 1414}); 1415 1416exports.CookieJar = CookieJar; 1417exports.Cookie = Cookie; 1418exports.Store = Store; 1419exports.MemoryCookieStore = MemoryCookieStore; 1420exports.parseDate = parseDate; 1421exports.formatDate = formatDate; 1422exports.parse = parse; 1423exports.fromJSON = fromJSON; 1424exports.domainMatch = domainMatch; 1425exports.defaultPath = defaultPath; 1426exports.pathMatch = pathMatch; 1427exports.getPublicSuffix = pubsuffix.getPublicSuffix; 1428exports.cookieCompare = cookieCompare; 1429exports.permuteDomain = require('./permuteDomain').permuteDomain; 1430exports.permutePath = permutePath; 1431exports.canonicalDomain = canonicalDomain; 1432