feat: support session cookie sameSite options (#193)

fengmk2 · web-flow · commit cb09a09cfa47 · 2020-02-01T19:50:29.000+08:00
diff --git a/Readme.md b/Readme.md
@@ -59,6 +59,7 @@ const CONFIG = {
   signed: true, /** (boolean) signed or not (default true) */
   rolling: false, /** (boolean) Force a session identifier cookie to be set on every response. The expiration is reset to the original maxAge, resetting the expiration countdown. (default is false) */
   renew: false, /** (boolean) renew session when session is nearly expired, so we can always keep user logged in. (default is false)*/
+  sameSite: '', /** (string) session cookie sameSite options (default '', don't set it) */
 };
 
 app.use(session(CONFIG, app));
diff --git a/index.js b/index.js
@@ -68,6 +68,7 @@ function formatOpts(opts) {
   // defaults
   if (opts.overwrite == null) opts.overwrite = true;
   if (opts.httpOnly == null) opts.httpOnly = true;
+  if (opts.sameSite == null) opts.sameSite = '';
   if (opts.signed == null) opts.signed = true;
   if (opts.autoCommit == null) opts.autoCommit = true;
 
diff --git a/test/cookie.test.js b/test/cookie.test.js
@@ -94,6 +94,8 @@ describe('Koa Session Cookie', () => {
       .expect(204, (err, res) => {
         if (err) return done(err);
         const cookie = res.headers['set-cookie'];
+        // samesite is not set
+        assert(!cookie.join(';').includes('samesite'));
         request(server)
         .get('/')
         .set('Cookie', cookie.join(';'))
@@ -244,6 +246,11 @@ describe('Koa Session Cookie', () => {
         .get('/')
         .set('Cookie', cookie)
         .expect('Set-Cookie', /koa:sess/)
+        .expect(res => {
+          const cookie = res.headers['set-cookie'];
+          // samesite is not set
+          assert(!cookie.join(';').includes('samesite'));
+        })
         .expect(200, done);
       });
     });
@@ -694,6 +701,44 @@ describe('Koa Session Cookie', () => {
     });
   });
 
+  describe('options.sameSite', () => {
+    it('should return opt.sameSite=none', done => {
+      const app = App({ sameSite: 'none' });
+
+      app.use(async function(ctx) {
+        ctx.session = { foo: 'bar' };
+        ctx.body = ctx.session.foo;
+      });
+
+      request(app.listen())
+      .get('/')
+      .expect(res => {
+        const cookie = res.headers['set-cookie'].join('|');
+        assert(cookie.includes('path=/; samesite=none; httponly'));
+      })
+      .expect('bar')
+      .expect(200, done);
+    });
+
+    it('should return opt.sameSite=lax', done => {
+      const app = App({ sameSite: 'lax' });
+
+      app.use(async function(ctx) {
+        ctx.session = { foo: 'bar' };
+        ctx.body = ctx.session.foo;
+      });
+
+      request(app.listen())
+      .get('/')
+      .expect(res => {
+        const cookie = res.headers['set-cookie'].join('|');
+        assert(cookie.includes('path=/; samesite=lax; httponly'));
+      })
+      .expect('bar')
+      .expect(200, done);
+    });
+  });
+
   describe('when valid and beforeSave set', () => {
     it('should ignore session when uid changed', done => {
       const app = new Koa();
