fix(execute): create RFC 6265 compliant Cookie headers

char0n · char0n · commit 05beeb1bf193 · 2025-01-07T14:41:30.000+01:00
Every Cookie header produced by this library
can now be properly parsed by RFC 6265 parser,
and resulting cookie-value can be further percent
decoded and processed by RFC 6570 implementations
diff --git a/src/execute/oas3/parameter-builders.js b/src/execute/oas3/parameter-builders.js
@@ -1,7 +1,9 @@
 import { resolve as resolvePathTemplate } from 'openapi-path-templating';
+import { serializeCookie } from '@swaggerexpert/cookie';
 
 import stylize, { encodeCharacters } from './style-serializer.js';
 import serialize from './content-serializer.js';
+import cookieValueEncoder from '../../helpers/cookie-value-encoder.js';
 
 export function path({ req, value, parameter, baseURL }) {
   const { name, style, explode, content } = parameter;
@@ -29,7 +31,7 @@ export function path({ req, value, parameter, baseURL }) {
             key: parameter.name,
             value: val,
             style: style || 'simple',
-            explode: explode || false,
+            explode: explode ?? false,
             escape: 'reserved',
           }),
       }
@@ -106,28 +108,41 @@ export function header({ req, parameter, value }) {
 }
 
 export function cookie({ req, parameter, value }) {
+  const { name: cookieName } = parameter;
+
   req.headers = req.headers || {};
-  const type = typeof value;
 
   if (value !== undefined && parameter.content) {
     const effectiveMediaType = Object.keys(parameter.content)[0];
+    const cookieValue = serialize(value, effectiveMediaType);
 
-    req.headers.Cookie = `${parameter.name}=${serialize(value, effectiveMediaType)}`;
+    req.headers.Cookie = serializeCookie(
+      { [cookieName]: cookieValue },
+      {
+        encoders: { value: cookieValueEncoder },
+      }
+    );
     return;
   }
 
   if (value !== undefined && !(Array.isArray(value) && value.length === 0)) {
-    const prefix =
-      type === 'object' && !Array.isArray(value) && parameter.explode ? '' : `${parameter.name}=`;
-
-    req.headers.Cookie =
-      prefix +
-      stylize({
-        key: parameter.name,
-        value,
-        escape: false,
-        style: parameter.style || 'form',
-        explode: typeof parameter.explode === 'undefined' ? false : parameter.explode,
-      });
+    const serializedValue = stylize({
+      key: parameter.name,
+      value,
+      escape: false,
+      style: parameter.style || 'form',
+      explode: parameter.explode ?? false,
+    });
+    const cookieValue =
+      Array.isArray(value) && parameter.explode
+        ? `${cookieName}=${serializedValue}`
+        : serializedValue;
+
+    req.headers.Cookie = serializeCookie(
+      { [cookieName]: cookieValue },
+      {
+        encoders: { value: cookieValueEncoder },
+      }
+    );
   }
 }
diff --git a/src/helpers/cookie-value-encoder.js b/src/helpers/cookie-value-encoder.js
@@ -0,0 +1,11 @@
+import { cookieValueStrictEncoder } from '@swaggerexpert/cookie';
+
+const eqSignPE = '%3D';
+const ampersandPE = '%26';
+
+const cookieValueEncoder = (cookieValue) =>
+  cookieValueStrictEncoder(cookieValue).replace(/[=&]/gu, (match) =>
+    match === '=' ? eqSignPE : ampersandPE
+  );
+
+export default cookieValueEncoder;
diff --git a/test/oas3/execute/authorization.js b/test/oas3/execute/authorization.js
@@ -615,9 +615,6 @@ describe('Authorization - OpenAPI Specification 3.0', () => {
             myApiKey: {
               value: 'MyToken',
             },
-            myApiKey1: {
-              value: 'MyToken1',
-            },
           },
         },
       });
@@ -627,7 +624,7 @@ describe('Authorization - OpenAPI Specification 3.0', () => {
         url: '/',
         credentials: 'same-origin',
         headers: {
-          Cookie: 'id=1&id=2&id=3; MyApiKeyCookie=MyToken',
+          Cookie: 'id=id%3D1%26id%3D2%26id%3D3; MyApiKeyCookie=MyToken',
         },
       });
     });
diff --git a/test/oas3/execute/main.js b/test/oas3/execute/main.js
@@ -659,7 +659,7 @@ describe('buildRequest - OpenAPI Specification 3.0', () => {
         credentials: 'same-origin',
         headers: {
           FooHeader: 'a={"b":{"c":{"d":"e"}}}',
-          Cookie: 'myCookie=foo,{"bar":{"baz":"qux"}}',
+          Cookie: 'myCookie=foo%2C{%22bar%22:{%22baz%22:%22qux%22}}',
         },
       });
     });
@@ -731,7 +731,7 @@ describe('buildRequest - OpenAPI Specification 3.0', () => {
         credentials: 'same-origin',
         headers: {
           FooHeader: 'c=',
-          Cookie: 'myCookie=d,',
+          Cookie: 'myCookie=d%2C',
         },
       });
     });
@@ -856,7 +856,7 @@ describe('buildRequest - OpenAPI Specification 3.0', () => {
         credentials: 'same-origin',
         headers: {
           FooHeader: ',,',
-          Cookie: 'myCookie=,,',
+          Cookie: 'myCookie=%2C%2C',
         },
       });
     });
@@ -1063,7 +1063,7 @@ describe('buildRequest - OpenAPI Specification 3.0', () => {
         credentials: 'same-origin',
         headers: {
           FooHeader: '{"foo":"bar"}',
-          Cookie: 'myCookie={"flavor":"chocolate chip"}',
+          Cookie: 'myCookie={%22flavor%22:%22chocolate%20chip%22}',
         },
       });
     });
@@ -1218,7 +1218,7 @@ describe('buildRequest - OpenAPI Specification 3.0', () => {
         credentials: 'same-origin',
         headers: {
           FooHeader: '[{"foo":"bar"}]',
-          Cookie: 'myCookie=[{"flavor":"chocolate chip"}]',
+          Cookie: 'myCookie=[{%22flavor%22:%22chocolate%20chip%22}]',
         },
       });
     });
diff --git a/test/oas3/execute/style-explode/cookie.js b/test/oas3/execute/style-explode/cookie.js
@@ -137,6 +137,7 @@ describe('OAS 3.0 - buildRequest w/ `style` & `explode` - cookie parameters', ()
                 {
                   name: 'id',
                   in: 'cookie',
+                  explode: false,
                 },
               ],
             },
@@ -158,7 +159,7 @@ describe('OAS 3.0 - buildRequest w/ `style` & `explode` - cookie parameters', ()
         url: '/users',
         credentials: 'same-origin',
         headers: {
-          Cookie: 'id=3,4,5',
+          Cookie: 'id=3%2C4%2C5',
         },
       });
     });
@@ -198,7 +199,7 @@ describe('OAS 3.0 - buildRequest w/ `style` & `explode` - cookie parameters', ()
         url: '/users',
         credentials: 'same-origin',
         headers: {
-          Cookie: 'id=3,4,5',
+          Cookie: 'id=3%2C4%2C5',
         },
       });
     });
@@ -238,7 +239,7 @@ describe('OAS 3.0 - buildRequest w/ `style` & `explode` - cookie parameters', ()
         url: '/users',
         credentials: 'same-origin',
         headers: {
-          Cookie: 'id=3&id=4&id=5',
+          Cookie: 'id=id%3D3%26id%3D4%26id%3D5',
         },
       });
     });
@@ -282,7 +283,7 @@ describe('OAS 3.0 - buildRequest w/ `style` & `explode` - cookie parameters', ()
         url: '/users',
         credentials: 'same-origin',
         headers: {
-          Cookie: 'id=role,admin,firstName,Alex',
+          Cookie: 'id=role%2Cadmin%2CfirstName%2CAlex',
         },
       });
     });
@@ -322,7 +323,7 @@ describe('OAS 3.0 - buildRequest w/ `style` & `explode` - cookie parameters', ()
         url: '/users',
         credentials: 'same-origin',
         headers: {
-          Cookie: 'id=role,admin,firstName,Alex',
+          Cookie: 'id=role%2Cadmin%2CfirstName%2CAlex',
         },
       });
     });
@@ -362,7 +363,7 @@ describe('OAS 3.0 - buildRequest w/ `style` & `explode` - cookie parameters', ()
         url: '/users',
         credentials: 'same-origin',
         headers: {
-          Cookie: 'role=admin&firstName=Alex',
+          Cookie: 'id=role%3Dadmin%26firstName%3DAlex',
         },
       });
     });
