crypto-parser-express
Express >=v4.10.0
Response Cookie override to add crypto cookie support
and cookie-parser middleware module replacement.
crypto-parser-express use node-laravel-encryptor
to cipher/decipher cookies
with signature verification support.
This module borrows parts of cookieParse and parse methods from cookie-parser module kudos to that dev.
Features
- cipher/decipher cookies with
- res.cookies
- res.cookies_async
- Laravel Cookie Compatible
>=5.4
if serialize_modephp
(default modenode-laravel-encryptor
) - only parse allowed cookies.
- only decipher encrypted cookie payload instead of every cookie params [path, domain, expires, secure, etc].
- option to allow all cookies, only allowed cookies will be deciphered.
Install
$> npm i crypto-parser-express
Prerequisites
- NodeJs
>=v8.10.0 (npm v5.6.0)
- expressJS
>=v4.10.0
Usage
const express = ;const CryptoCookieParser = ;const cryptoCookieParser = options; //instead of const app = express();const app = cryptoCookieParser; //use custom cookieParser middlewareapp
Options
const options = encryptor: key: 'app_key' serialize_mode: 'php|json' cookie: allow_all: false allowed: 'session' 'superCookie' options: domain: 'localhost' expires: 0 maxAge: 60*60*1000 path: '/' sameSite: true secure: false httpOnly: false
Options
Encryptor options
Cookie options
- allow_all:
<boolean>
[default]false
- allowed:
<array>
list allowed cookie name - options:
npm cookie package
options
Tests
> npm run test Class CryptoCookie ✓ should return express instance with res.cookie method overridden ✓ should return express instance with res.cookie_async new method Test Errors... ✓ should throw Error 'overrideCookie express argument not an express instance' when trying to override Cookie method on non express instance ✓ should Throw Error MAC signature failed Express cookie override ✓ should client send cipher cookie and cookieParser should decipher it ✓ should server res.cookie not populate response Headers Set-Cookie when cookie name is not allowed ✓ should server res.cookie populate response Headers Set-Cookie when cookie name is not allowed and allow_all = true ✓ should client send not allowed cookie and cookieParser should discard ✓ should client send not allowed cookie when allow_all option true and should not decipher but should be parsed in req.cookies Express response res.cookie method and res.cookie_async method ✓ should client get cipher cookie using res.cookie_async ✓ should client get cipher cookie using res.cookie method overridden 11 passing
Dependencies
Contributing
Pull requests are welcome.