refactor(auth): extract extractFaSessionId to \$lib/shared/cookies
Move the Set-Cookie parser out of login/+page.server.ts into a shared module with its own Vitest coverage (single-header, multi-header getSetCookie path, missing-header, attribute-stripping, prefix-match-rejection). An Undici or Node upgrade that changes header shape now trips its own test instead of silently breaking login. Addresses PR #612 / Felix F2. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Marcel
20
frontend/src/lib/shared/cookies.ts
Normal file
20
frontend/src/lib/shared/cookies.ts
Normal file
@@ -0,0 +1,20 @@
|
||||
/**
|
||||
* Extracts the fa_session cookie value from a list of Set-Cookie response headers.
|
||||
*
|
||||
* The backend may append attributes like `Path`, `HttpOnly`, `SameSite=Strict`,
|
||||
* `Max-Age`, `Secure`; we only forward the opaque session id — the SvelteKit
|
||||
* cookies API rewrites the attributes itself when re-emitting to the browser.
|
||||
*
|
||||
* Pass the result of `response.headers.getSetCookie()` (modern Node/Undici) or
|
||||
* a single-element array containing `response.headers.get('set-cookie')` for
|
||||
* older runtimes that lack `getSetCookie`.
|
||||
*
|
||||
* Returns `null` if no fa_session cookie is present.
|
||||
*/
|
||||
export function extractFaSessionId(setCookieHeaders: string[]): string | null {
|
||||
for (const header of setCookieHeaders) {
|
||||
const match = header.match(/^fa_session=([^;]+)/);
|
||||
if (match) return match[1];
|
||||
}
|
||||
return null;
|
||||
}
|
||||
Reference in New Issue
Block a user