HttpOnly is ignored by the parse function #164

mwanago opened this issue May 14, 2024 · 3 comments

mwanago commented May 14, 2024

When we call the parse function with a cookie that contains the HttpOnly clause, it gets ignored.

const cookie = require("cookie");

const parsedCookie = cookie.parse(
  "Authentication=token; HttpOnly;",
);

console.log(parsedCookie.Authentication); // Works as expected
console.log(parsedCookie.HttpOnly); // Prints undefined

What do you think, should it be true instead of undefined?

@UlisesGascon UlisesGascon self-assigned this May 15, 2024
@wesleytodd
Member

I agree, and looks like maybe @UlisesGascon plans on addressing this? If not, I am sure a PR for this would be welcome!

Member

UlisesGascon commented May 15, 2024

I think there must be a bug, also there are no test cases for this (AFAIK). So the fix for this might be considered as a major, as is changing the current behavior of the library?

Based on the readme see:

httpOnly

Specifies the boolean value for the [HttpOnly Set-Cookie attribute][rfc-6265-5.2.6]. When truthy,
the HttpOnly attribute is set, otherwise it is not. By default, the HttpOnly attribute is not set.

I assume that we expected true in this case as the value is truthy.

So all these cases should return true

"Authentication=token; HttpOnly;"
"Authentication=token; HttpOnly=;"
"Authentication=token; HttpOnly=1;"
"Authentication=token; HttpOnly=true;"

And these false

"Authentication=token; HttpOnly=0;"
"Authentication=token; HttpOnly=false;"

But in any scenario we should return undefined unless the word HttpOnly is not included.

"Authentication=token;",

Am I correct @wesleytodd?

Additional information can be found at RFC6265

@wesleytodd
Member

Yeah, I took a quick look (not a deep dive) and I think it is a bug and so doesn't really need to be a major. As for the expectations, I think that you are reading that right and so your examples are correct expectations. I am not sure they are good expectations, and that maybe things should become more strict in the future, but that is not really required to address now imo.
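
The expectations listed in this thread, written out as an added example that is not part of the original issue or of the cookie package's code; `readHttpOnly`, its `mode` argument and `compare` are hypothetical names. It goes one step beyond the thread: the `"rfc"` mode applies the user-agent rule from RFC 6265 section 5.2.6, where the attribute value is ignored and any `HttpOnly` attribute counts as set.

```javascript
// Added example: hypothetical helper, not the cookie package's API.
// Reads the HttpOnly attribute from a Set-Cookie style string.
//   mode "thread": the truthy/falsy expectations listed in the issue
//   mode "rfc":    RFC 6265 5.2.6, the attribute value is ignored
function readHttpOnly(setCookie, mode = "thread") {
  // The first ";"-separated piece is the cookie's own name=value pair,
  // so a cookie that is itself named "HttpOnly" is not mistaken for the flag.
  const attributes = setCookie.split(";").slice(1);
  for (const raw of attributes) {
    const part = raw.trim();
    if (part === "") continue; // a trailing ";" leaves an empty piece
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (name !== "httponly") continue; // attribute names are case-insensitive
    if (mode === "rfc") return true;
    const value = eq === -1 ? "" : part.slice(eq + 1).trim().toLowerCase();
    return !(value === "0" || value === "false");
  }
  return undefined; // attribute not present at all
}

// Sample inputs taken from the thread, plus two constructed edge cases.
const SAMPLES = [
  "Authentication=token; HttpOnly;",
  "Authentication=token; HttpOnly=;",
  "Authentication=token; HttpOnly=1;",
  "Authentication=token; HttpOnly=true;",
  "Authentication=token; HttpOnly=0;",
  "Authentication=token; HttpOnly=false;",
  "Authentication=token;",
  "Authentication=token; Path=/; httponly", // constructed: lower-case name
  "HttpOnly=1; Path=/",                     // constructed: cookie named HttpOnly
];

// Returns one row per sample so the two readings can be compared side by side.
function compare(samples = SAMPLES) {
  return samples.map((input) => ({
    input,
    thread: readHttpOnly(input, "thread"),
    rfc: readHttpOnly(input, "rfc"),
  }));
}

console.table(compare());
```

The rows where the two columns differ (`HttpOnly=0` and `HttpOnly=false`) are the ones to cover with tests if parsed output is ever used to decide whether a cookie is exposed to scripts.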
