Add option to remove the 'secure' attribute from cookies

This allows cookies proxied from HTTPS sites to be used by a
non-HTTPS localhost development environment.

Fixes #1165.

Author: edmorley

README.md

@@ -372,6 +372,7 @@ proxyServer.listen(8015);
        "*": ""
      }
      ```
+*  **cookieRemoveSecure**: true/false, Default: false - removes the `secure` attribute from cookies so they can be used by non-HTTPS origins
 *  **headers**: object with extra headers to be added to target requests.
 *  **proxyTimeout**: timeout (in millis) for outgoing proxy requests
 *  **timeout**: timeout (in millis) for incoming requests

lib/http-proxy/common.js

@@ -236,6 +236,24 @@ common.rewriteCookieProperty = function rewriteCookieProperty(header, config, pr
   });
 };
 
+/**
+ * Removes the specified attribute from a cookie header.
+ *
+ * @param {String|Array} Header
+ * @param {String} Property Name of attribute to remove
+ *
+ * @api private
+ */
+common.removeCookieProperty = function removeCookieProperty(header, property) {
+  if (Array.isArray(header)) {
+    return header.map(function (headerElement) {
+      return removeCookieProperty(headerElement, property);
+    });
+  }
+  // Intentionally not checking for "=" to catch directives with no value (eg "; secure").
+  return header.replace(new RegExp(';\\s*' + property + '[^;]*', 'i'), '');
+};
+
 /**
  * Check the host and see if it potentially has a port in it (keep it simple)
  *

lib/http-proxy/passes/web-outgoing.js

@@ -95,6 +95,9 @@ module.exports = { // <--
           if (rewriteCookiePathConfig && key.toLowerCase() === 'set-cookie') {
             header = common.rewriteCookieProperty(header, rewriteCookiePathConfig, 'path');
           }
+          if (options.cookieRemoveSecure && key.toLowerCase() === 'set-cookie') {
+            header = common.removeCookieProperty(header, 'secure');
+          }
           res.setHeader(String(key).trim(), header);
         };
 

test/lib-http-proxy-passes-web-outgoing-test.js

@@ -235,7 +235,7 @@ describe('lib/http-proxy/passes/web-outgoing.js', function () {
           how: 'are you?',
           'set-cookie': [
             'hello; domain=my.domain; path=/',
-            'there; domain=my.domain; path=/'
+            'there; domain=my.domain; path=/; secure'
           ]
         }
       };
@@ -404,6 +404,26 @@ describe('lib/http-proxy/passes/web-outgoing.js', function () {
       expect(this.res.headers['set-cookie'])
         .to.contain('hello-on-my.special.domain; domain=my.special.domain; path=/');
     });
+
+    it('does not remove `secure` attribute by default', function() {
+      var options = {};
+
+      httpProxy.writeHeaders({}, this.res, this.proxyRes, options);
+
+      expect(this.res.headers['set-cookie'])
+        .to.contain('there; domain=my.domain; path=/; secure');
+    });
+
+    it('removes `secure` attribute when cookieRemoveSecure true', function() {
+      var options = {
+        cookieRemoveSecure: true
+      };
+
+      httpProxy.writeHeaders({}, this.res, this.proxyRes, options);
+
+      expect(this.res.headers['set-cookie'])
+        .to.contain('there; domain=my.domain; path=/');
+    });
   });