Add option to remove the 'secure' attribute from cookies

This allows cookies proxied from HTTPS sites to be used by a
non-HTTPS localhost development environment.

Fixes #1165.

Author: edmorley

README.md

@@ -350,6 +350,7 @@ proxyServer.listen(8015);
        "*": ""
      }
      ```
+*  **cookieRemoveSecure**: true/false, Default: false - removes the `secure` attribute from cookies so they can be used by non-HTTPS origins
 *  **headers**: object with extra headers to be added to target requests.
 *  **proxyTimeout**: timeout (in millis) when proxy receives no response from target
 

lib/http-proxy/common.js

@@ -5,7 +5,8 @@ var common   = exports,
 
 var upgradeHeader = /(^|,)\s*upgrade\s*($|,)/i,
     isSSL = /^https|wss/,
-    cookieDomainRegex = /(;\s*domain=)([^;]+)/i;
+    cookieDomainRegex = /(;\s*domain=)([^;]+)/i,
+    cookieSecureRegex = /;\s*secure[^;]*/i;
 
 /**
  * Simple Regex for testing if protocol is https
@@ -237,6 +238,20 @@ common.rewriteCookieDomain = function rewriteCookieDomain(header, config) {
   });
 };
 
+/**
+ * Removes the secure attribute of a cookie header
+ *
+ * @param {String|Array} Header
+ *
+ * @api private
+ */
+common.removeCookieSecure = function removeCookieSecure(header) {
+  if (Array.isArray(header)) {
+    return header.map(removeCookieSecure);
+  }
+  return header.replace(cookieSecureRegex, "");
+};
+
 /**
  * Check the host and see if it potentially has a port in it (keep it simple)
  *

lib/http-proxy/passes/web-outgoing.js

@@ -84,12 +84,18 @@ module.exports = { // <--
    */
   writeHeaders: function writeHeaders(req, res, proxyRes, options) {
     var rewriteCookieDomainConfig = options.cookieDomainRewrite,
+        cookieRemoveSecure = options.cookieRemoveSecure,
         preserveHeaderKeyCase = options.preserveHeaderKeyCase,
         rawHeaderKeyMap,
         setHeader = function(key, header) {
           if (header == undefined) return;
-          if (rewriteCookieDomainConfig && key.toLowerCase() === 'set-cookie') {
-            header = common.rewriteCookieDomain(header, rewriteCookieDomainConfig);
+          if (key.toLowerCase() === 'set-cookie') {
+            if (rewriteCookieDomainConfig) {
+              header = common.rewriteCookieDomain(header, rewriteCookieDomainConfig);
+            }
+            if (cookieRemoveSecure) {
+              header = common.removeCookieSecure(header);
+            }
           }
           res.setHeader(String(key).trim(), header);
         };

test/lib-http-proxy-passes-web-outgoing-test.js

@@ -235,7 +235,7 @@ describe('lib/http-proxy/passes/web-outgoing.js', function () {
           how: 'are you?',
           'set-cookie': [
             'hello; domain=my.domain; path=/',
-            'there; domain=my.domain; path=/'
+            'there; domain=my.domain; path=/; secure'
           ]
         }
       };
@@ -373,6 +373,26 @@ describe('lib/http-proxy/passes/web-outgoing.js', function () {
       expect(this.res.headers['set-cookie'])
         .to.contain('hello-on-my.special.domain; domain=my.special.domain; path=/');
     });
+
+    it('does not remove secure', function() {
+      var options = {};
+
+      httpProxy.writeHeaders({}, this.res, this.proxyRes, options);
+
+      expect(this.res.headers['set-cookie'])
+        .to.contain('there; domain=my.domain; path=/; secure');
+    });
+
+    it('removes secure', function() {
+      var options = {
+        cookieRemoveSecure: true
+      };
+
+      httpProxy.writeHeaders({}, this.res, this.proxyRes, options);
+
+      expect(this.res.headers['set-cookie'])
+        .to.contain('there; domain=my.domain; path=/');
+    });
   });