Merge pull request #142 from arnivuo/master

jaw187 · web-flow · commit 4368d97bc1fc · 2017-02-17T08:56:56.000-05:00
Add isSameSite to schema
diff --git a/README.md b/README.md
@@ -29,6 +29,7 @@ The `'cookie`' scheme takes the following options:
   expired in the response and cleared. Defaults to `false`.
 - `keepAlive` - if `true`, automatically sets the session cookie after validation to extend the
   current session for a new `ttl` duration. Defaults to `false`.
+- `isSameSite` - if `false` omitted. Other options `Strict` or `Lax`. Defaults to `Strict`.
 - `isSecure` - if `false`, the cookie is allowed to be transmitted over insecure connections which
   exposes it to attacks. Defaults to `true`.
 - `isHttpOnly` - if `false`, the cookie will not include the 'HttpOnly' flag. Defaults to `true`.
diff --git a/lib/index.js b/lib/index.js
@@ -30,6 +30,7 @@ internals.schema = Joi.object({
     path: Joi.string().default('/'),
     clearInvalid: Joi.boolean().default(false),
     keepAlive: Joi.boolean().default(false),
+    isSameSite: Joi.valid('Strict', 'Lax').allow(false).default('Strict'),
     isSecure: Joi.boolean().default(true),
     isHttpOnly: Joi.boolean().default(true),
     redirectTo: Joi.string().allow(false),
@@ -51,6 +52,7 @@ internals.implementation = function (server, options) {
         password: settings.password,
         isSecure: settings.isSecure,                  // Defaults to true
         path: settings.path,
+        isSameSite: settings.isSameSite,
         isHttpOnly: settings.isHttpOnly,              // Defaults to true
         clearInvalid: settings.clearInvalid,
         ignoreErrors: true
diff --git a/package.json b/package.json
@@ -24,7 +24,7 @@
   },
   "devDependencies": {
     "code": "2.x.x",
-    "hapi": "13.x.x",
+    "hapi": "15.x.x",
     "lab": "10.x.x"
   },
   "scripts": {
diff --git a/test/index.js b/test/index.js
@@ -318,7 +318,7 @@ describe('scheme', () => {
 
                     expect(res2.statusCode).to.equal(200);
                     expect(res2.result).to.equal('logged-out');
-                    expect(res2.headers['set-cookie'][0]).to.equal('special=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; Domain=example.com; Path=/');
+                    expect(res2.headers['set-cookie'][0]).to.equal('special=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Domain=example.com; Path=/');
                     done();
                 });
                 /* eslint-enable hapi/no-shadow-relaxed */
@@ -380,7 +380,7 @@ describe('scheme', () => {
                 /* eslint-disable hapi/no-shadow-relaxed */
                 server.inject({ method: 'GET', url: '/resource', headers: { cookie: 'special=' + cookie[1] } }, (res2) => {
 
-                    expect(res2.headers['set-cookie'][0]).to.equal('special=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; Domain=example.com; Path=/');
+                    expect(res2.headers['set-cookie'][0]).to.equal('special=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Domain=example.com; Path=/');
                     expect(res2.statusCode).to.equal(401);
                     done();
                 });
@@ -1600,7 +1600,7 @@ describe('scheme', () => {
             server.inject({ url: '/', headers: { cookie: 'sid=123456' } }, (res) => {
 
                 expect(res.statusCode).to.equal(401);
-                expect(res.headers['set-cookie'][0]).to.equal('sid=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; Path=/');
+                expect(res.headers['set-cookie'][0]).to.equal('sid=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Path=/');
                 done();
             });
         });
