Adjust cookie component parsing to better match RFC-6562

Author: karwa

Sources/AsyncHTTPClient/FoundationExtensions.swift

@@ -40,7 +40,8 @@ extension HTTPClient.Cookie {
     ///     - httpOnly: Whether this cookie should be used by HTTP servers only, defaults to false.
     ///     - secure: Whether this cookie should only be sent using secure channels, defaults to false.
     public init(name: String, value: String, path: String = "/", domain: String? = nil, expires: Date? = nil, maxAge: Int? = nil, httpOnly: Bool = false, secure: Bool = false) {
-        // FIXME: This should be failable (for example, if the strings contain non-ASCII characters).
+        // FIXME: This should be failable and validate the inputs
+        // (for example, checking that the strings are ASCII, path begins with "/", domain is not empty, etc).
         self.init(
             name: name,
             value: value,

Sources/AsyncHTTPClient/HTTPClient+HTTPCookie.swift

@@ -47,6 +47,8 @@ extension HTTPClient {
         ///     - defaultDomain: Default domain to use if cookie was sent without one.
         /// - returns: nil if the header is invalid.
         public init?(header: String, defaultDomain: String) {
+            // The parsing of "Set-Cookie" headers is defined by Section 5.2, RFC-6265:
+            // https://datatracker.ietf.org/doc/html/rfc6265#section-5.2
             var components = header.utf8.split(separator: UInt8(ascii: ";"), omittingEmptySubsequences: false)[...]
             guard let keyValuePair = components.popFirst()?.trimmingASCIISpaces() else {
                 return nil
@@ -58,35 +60,58 @@ extension HTTPClient {
                 return nil
             }
 
-            // FIXME: The parsed values should be validated to ensure they only contain ASCII characters allowed by RFC-6265.
-            // https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
             self.name = String(aligningUTF8: trimmedName)
             self.value = String(aligningUTF8: trimmedValue.trimmingPairedASCIIQuote())
-            self.path = "/"
-            self.domain = defaultDomain
             self.expires_timestamp = nil
             self.maxAge = nil
             self.httpOnly = false
             self.secure = false
 
+            var parsedPath: String.UTF8View.SubSequence?
+            var parsedDomain: String.UTF8View.SubSequence?
+
             for component in components {
                 switch component.parseCookieComponent() {
-                case ("path", .some(let value))?:
-                    self.path = String(aligningUTF8: value)
-                case ("domain", .some(let value))?:
-                    self.domain = String(aligningUTF8: value)
-                case ("expires", .some(let value))?:
-                    self.expires_timestamp = parseCookieTime(value)
-                case ("max-age", .some(let value))?:
-                    self.maxAge = Int(Substring(value))
-                case ("secure", nil)?:
+                case ("path", let value)?:
+                    // Unlike other values, unspecified and empty paths reset to the default path.
+                    guard let value = value, value.first == UInt8(ascii: "/") else {
+                        parsedPath = nil
+                        break
+                    }
+                    parsedPath = value
+                case ("domain", let value)?:
+                    guard var value = value, !value.isEmpty else {
+                        break
+                    }
+                    if value.first == UInt8(ascii: ".") {
+                        value.removeFirst()
+                    }
+                    guard !value.isEmpty else {
+                        parsedDomain = nil
+                        break
+                    }
+                    parsedDomain = value
+                case ("expires", let value)?:
+                    guard let value = value, let timestamp = parseCookieTime(value) else {
+                        break
+                    }
+                    self.expires_timestamp = timestamp
+                case ("max-age", let value)?:
+                    guard let value = value, let age = Int(Substring(value)) else {
+                        break
+                    }
+                    self.maxAge = age
+                case ("secure", _)?:
                     self.secure = true
-                case ("httponly", nil)?:
+                case ("httponly", _)?:
                     self.httpOnly = true
                 default:
                     continue
                 }
             }
+
+            self.domain = parsedDomain.map { Substring($0).lowercased() } ?? defaultDomain.lowercased()
+            self.path = parsedPath.map { String(aligningUTF8: $0) } ?? "/"
         }
 
         /// Create HTTP cookie.

Tests/AsyncHTTPClientTests/HTTPClientCookieTests+XCTest.swift

@@ -30,6 +30,12 @@ extension HTTPClientCookieTests {
             ("testCookieDefaults", testCookieDefaults),
             ("testCookieInit", testCookieInit),
             ("testMalformedCookies", testMalformedCookies),
+            ("testExpires", testExpires),
+            ("testMaxAge", testMaxAge),
+            ("testDomain", testDomain),
+            ("testPath", testPath),
+            ("testSecure", testSecure),
+            ("testHttpOnly", testHttpOnly),
             ("testCookieExpiresDateParsing", testCookieExpiresDateParsing),
             ("testQuotedCookies", testQuotedCookies),
             ("testCookieExpiresDateParsingWithNonEnglishLocale", testCookieExpiresDateParsingWithNonEnglishLocale),

Tests/AsyncHTTPClientTests/HTTPClientCookieTests.swift

@@ -19,8 +19,8 @@ import XCTest
 
 class HTTPClientCookieTests: XCTestCase {
     func testCookie() {
-        let v = "key=value; PaTh=/path; DoMaIn=example.com; eXpIRes=Wed, 21 Oct 2015 07:28:00 GMT; max-AGE=42; seCURE; HTTPOnly"
-        guard let c = HTTPClient.Cookie(header: v, defaultDomain: "example.com") else {
+        let v = "key=value; PaTh=/path; DoMaIn=EXampLE.CoM; eXpIRes=Wed, 21 Oct 2015 07:28:00 GMT; max-AGE=42; seCURE; HTTPOnly"
+        guard let c = HTTPClient.Cookie(header: v, defaultDomain: "exAMPle.cOm") else {
             XCTFail("Failed to parse cookie")
             return
         }
@@ -52,7 +52,7 @@ class HTTPClientCookieTests: XCTestCase {
 
     func testCookieDefaults() {
         let v = "key=value"
-        guard let c = HTTPClient.Cookie(header: v, defaultDomain: "example.com") else {
+        guard let c = HTTPClient.Cookie(header: v, defaultDomain: "exAMPle.com") else {
             XCTFail("Failed to parse cookie")
             return
         }
@@ -94,6 +94,248 @@ class HTTPClientCookieTests: XCTestCase {
         XCTAssertNil(HTTPClient.Cookie(header: "=value;", defaultDomain: "exampe.org"))
     }
 
+    func testExpires() {
+        // Empty values, and unrecognized timestamps, are ignored.
+        // https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.1
+        var c = HTTPClient.Cookie(header: "key=value; expires=", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertNil(c?.expires)
+
+        c = HTTPClient.Cookie(header: "key=value; expires", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertNil(c?.expires)
+
+        c = HTTPClient.Cookie(header: "key=value; expires=foo", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertNil(c?.expires)
+
+        c = HTTPClient.Cookie(header: "key=value; expires=04/01/2022", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertNil(c?.expires)
+
+        // Later values override earlier values, except if they are ignored.
+        c = HTTPClient.Cookie(header: "key=value; expires=Sunday, 06-Nov-94 08:49:37 GMT; expires=04/01/2022", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(Date(timeIntervalSince1970: 784_111_777), c?.expires)
+
+        c = HTTPClient.Cookie(header: "key=value; expires=Sunday, 06-Nov-94 08:49:37 GMT; expires=", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(Date(timeIntervalSince1970: 784_111_777), c?.expires)
+
+        c = HTTPClient.Cookie(header: "key=value; expires=Sunday, 06-Nov-94 08:49:37 GMT; expires", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(Date(timeIntervalSince1970: 784_111_777), c?.expires)
+
+        // For more comprehensive tests of the various timestamp formats, see: `testCookieExpiresDateParsing`.
+    }
+
+    func testMaxAge() {
+        // Empty values, and values containing non-digits, are ignored.
+        // https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.2
+        var c = HTTPClient.Cookie(header: "key=value; max-age=", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertNil(c?.maxAge)
+
+        c = HTTPClient.Cookie(header: "key=value; max-age", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertNil(c?.maxAge)
+
+        c = HTTPClient.Cookie(header: "key=value; max-age=foo", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertNil(c?.maxAge)
+
+        c = HTTPClient.Cookie(header: "key=value; max-age=123foo", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertNil(c?.maxAge)
+
+        // Later values override earlier values, except if they are ignored.
+        c = HTTPClient.Cookie(header: "key=value; max-age=123; max-age=456baz", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(123, c?.maxAge)
+
+        c = HTTPClient.Cookie(header: "key=value; max-age=-123; max-age=", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(-123, c?.maxAge)
+
+        c = HTTPClient.Cookie(header: "key=value; max-age=123; max-age", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(123, c?.maxAge)
+    }
+
+    func testDomain() {
+        // Empty domains should be ignored.
+        // https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.3
+        var c = HTTPClient.Cookie(header: "key=value; domain=", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("example.com", c?.domain)
+
+        c = HTTPClient.Cookie(header: "key=value; domain", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("example.com", c?.domain)
+
+        // A single leading dot is stripped.
+        c = HTTPClient.Cookie(header: "key=value; domain=.foo", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("foo", c?.domain)
+
+        c = HTTPClient.Cookie(header: "key=value; domain=..foo", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(".foo", c?.domain)
+
+        // RFC-6562 checks for empty values before stipping the dot (resulting in an empty domain),
+        // but later, empty domains are placed by the canonicalized request host.
+        // We use the default domain as the request host.
+        c = HTTPClient.Cookie(header: "key=value; domain=.", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("example.com", c?.domain)
+
+        // Later values override earlier values, except if they are ignored.
+        c = HTTPClient.Cookie(header: "key=value; domain=foo; domain=bar", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("bar", c?.domain)
+
+        c = HTTPClient.Cookie(header: "key=value; domain=foo; domain=", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("foo", c?.domain)
+
+        c = HTTPClient.Cookie(header: "key=value; domain=foo; domain", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("foo", c?.domain)
+
+        c = HTTPClient.Cookie(header: "key=value; domain=foo; domain=.", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("example.com", c?.domain)
+
+        // The domain (including the defaultDomain parameter) should be normalized to lowercase.
+        c = HTTPClient.Cookie(header: "key=value; domain=FOO; domain", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("foo", c?.domain)
+
+        c = HTTPClient.Cookie(header: "key=value; domain=; domain", defaultDomain: "EXAMPLE.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("example.com", c?.domain)
+    }
+
+    func testPath() {
+        // An empty path, or path which does not begin with a "/", is considered the default path.
+        // https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.4
+        var c = HTTPClient.Cookie(header: "key=value; path=", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("/", c?.path)
+
+        c = HTTPClient.Cookie(header: "key=value; path", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("/", c?.path)
+
+        c = HTTPClient.Cookie(header: "key=value; path=foo", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("/", c?.path)
+
+        // Later path values override earlier values, even if the later value is considered the default path.
+        c = HTTPClient.Cookie(header: "key=value; path=/abc; path=/foo", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("/foo", c?.path)
+
+        c = HTTPClient.Cookie(header: "key=value; path=/abc; path=foo", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("/", c?.path)
+
+        c = HTTPClient.Cookie(header: "key=value; path=/abc; path", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual("/", c?.path)
+    }
+
+    func testSecure() {
+        // If the cookie contains a key called "secure" (case-insensitive), the secure flag is set.
+        // Regardless of its value.
+        // https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.5
+        var c = HTTPClient.Cookie(header: "key=value; secure=", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(true, c?.secure)
+
+        c = HTTPClient.Cookie(header: "key=value; secure", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(true, c?.secure)
+
+        c = HTTPClient.Cookie(header: "key=value; secure=0", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(true, c?.secure)
+
+        c = HTTPClient.Cookie(header: "key=value; secure=false", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(true, c?.secure)
+
+        c = HTTPClient.Cookie(header: "key=value; secure=no", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(true, c?.secure)
+    }
+
+    func testHttpOnly() {
+        // If the cookie contains a key called "httponly" (case-insensitive), the http-only flag is set.
+        // Regardless of its value.
+        // https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.6
+        var c = HTTPClient.Cookie(header: "key=value; httponly=", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(true, c?.httpOnly)
+
+        c = HTTPClient.Cookie(header: "key=value; httponly", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(true, c?.httpOnly)
+
+        c = HTTPClient.Cookie(header: "key=value; httponly=0", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(true, c?.httpOnly)
+
+        c = HTTPClient.Cookie(header: "key=value; httponly=false", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(true, c?.httpOnly)
+
+        c = HTTPClient.Cookie(header: "key=value; httponly=no", defaultDomain: "example.com")
+        XCTAssertEqual("key", c?.name)
+        XCTAssertEqual("value", c?.value)
+        XCTAssertEqual(true, c?.httpOnly)
+    }
+
     func testCookieExpiresDateParsing() {
         let domain = "example.org"