http/cookies: New module for parsing, serializing, and storing cookies

[RyanSquared]

No description provided.

[daurnimator]

I don't think time should default to anything.

[daurnimator]

The lpeg pattern needs to be anchored

[daurnimator]

Please don't wrap lines

[daurnimator]

don't wrap lines

[daurnimator]

I'd prefer this was a function.

And what stops path or key from containing a |?

[RyanSquared]

Changed to a function and changed the separator to \1. However, I don't see much of a use for it and might remove it if I don't see anything that uses it.

[daurnimator]

Good idea :) you shouldn't need this at all.

[daurnimator]

One intention of http_patts.Set_Cookie was that the output would be usable as a cookie directly.

To set defaults, use a metatable with __index.

[RyanSquared]

19:40 <~daurnimator> ryan: right. but you can modify the table returned by the pattern
19:42 <~daurnimator> though I guess you might not want to do that
19:42 <~daurnimator> as the pattern can return arbitrary keys
19:42 <~daurnimator> so maybe it's fine as it is...
19:44 <~ryan> another issue is, converting it just ended up as the same line count because most of the items have defaults
19:44 <~ryan> plus the fact that there's so many different naming conventions
19:45 <~ryan> httponly, ["max-age"], same_site
19:46 <~daurnimator> ryan: I was more thinking about saving the extra allocation
19:46 <~ryan> yeah.
19:46 <~daurnimator> but yeah; in this case not worth it
19:46 <~ryan> i think the way i did it is better though
19:47 <~ryan> most of the keys are new keys, so doing it by appending on the old table means reallocating a lot
19:47 <~ryan> the new table means that all but one field are preallocated
19:48 <~ryan> which i actually just fixed to make it so all fields are prealloced

[daurnimator]

Put __index on new line.

Don't forget a __name

[daurnimator]

set this default in cookiejar_methods.

Also use psl.latest() if available rather than builtin

[daurnimator]

Should take time as argument

[RyanSquared]

Technically, the cookie is "created" when it's parsed - which is also where other values relating to the time are set. I put in a time value here; however, according to the RFC it should be automatically generated instead of able to be variable (see the line below).

[daurnimator]

Structure this code a little differently:

local by_domain = cookies[domain]
if not by_domain then
    by_domain = {}
    cookies[domain] = by_domain
end
local by_path = by_domain[path]
if not by_path then
    by_path = {}
    by_domain[path] = by_path
end
by_path[key] = cookie

[daurnimator]

This is hugely expensive splitting it apart, you only need a :get(domain, path, key)

[daurnimator]

Instead of passing in request here, consider passing in host and path?

[daurnimator]

Avoid local vars starting with _ unless it is literally _

[daurnimator]

No need for do: you don't introduce any temporary vars to the scope

[daurnimator]

Instead of passing "; " to table.concat we could prefix all the keys, e.g. cookie[#cookie + 1] = "; HttpOnly"

[daurnimator]

Should this check be == nil? false might be permited?

[RyanSquared]

There is no case in which it can be false. Your patterns only give true:
https://github.com/daurnimator/lpeg_patterns/blob/master/lpeg_patterns/http.lua#L372

[daurnimator]

Okay. I was imagining what I user might try and call this with.
Reading https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1 it doesn't look like a value of true (which is what the pattern produces when no attribute-value is present) should be coerced to Strict.

[RyanSquared]

Right, so I've done a bit more looking into it - I forget exactly where I found the "boolean" version but I remember finding it at least twice. However, none of those were the RFCs and I don't really see a version of the RFC that allows for a boolean-form. Should I just drop the boolean format?

[daurnimator]

Should I just drop the boolean format?

Yep.

Add a comment pointing to https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1 too so next person to come along knows where to look

[RyanSquared]

Comment added and "unbooleanified".

[daurnimator]

What is the 1 for?

[daurnimator]

Watch out for tonumber parsing formats other than decimal.

[RyanSquared]

RFC 6265 section 5.2.2 says it should only be in base10 DIGIT with an optional negative, so I'm adding some code to properly handle it that way.

[daurnimator]

Remove this line now that you have the type check below

[daurnimator]

No :lower() here?

[RyanSquared]

Thanks, totally missed that.

[daurnimator]

Why ,1?

[RyanSquared]

You made a comment on a similar match about anchoring, so I added it here as well.

[daurnimator]

Adding a one here is not anchoring. anchoring is adding a *lpeg.P(-1) to the pattern before use so that you can't have trailing junk.

[daurnimator]

The pattern already returns a table; why are you copying it?

[RyanSquared]

I'm not copying the table. The iterate_cookies function returns a pairs() iterator after asserting that the cookie does parse correctly (which I added an error message to, after reading this, in case parsing fails)

[daurnimator]

Yes. However you're effectively copying the cookie in here with the cookies[k] = v

[daurnimator]

I don't think the constructor needs to take a psl_object

[daurnimator]

Please restructure

[daurnimator]

Cache these indexing operations in a local

[daurnimator]

don't wrap

[daurnimator]

Don't initialise before it's used

[daurnimator]

be careful with tonumber.

[daurnimator]

Should probably validate it as a number first?

[daurnimator]

Why stored_ with an underscore?

[RyanSquared]

I think I might've messed up refactoring something on that.

[daurnimator]

return nil vs nothing

[daurnimator]

No need to localise cookies

[daurnimator]

Could inline :remove_cookies into here.

[RyanSquared]

I'd rather not, given you should still be able to remove cookies from other methods - such as if they're not persistent and a session is closed.

[daurnimator]

Plans to implement this TODO?

[RyanSquared]

Yes, after I've got all the other bugs done and I think of a decent way to do it. I plan on getting rid of every 'TODO' before it's merged.

[RyanSquared]

Sorry, didn't see "plans", saw "plan". I'm thinking just use an RFC pattern to match the values and then use os.time() on the values, but I need to look on what common implementations support for patterns.

[RyanSquared]

(as a note, while it's on my mind, there's several various patterns that could match the "time", which makes it difficult to match - it should be mentioned somewhere)

[RyanSquared]

@daurnimator if you plan to build off of this one, this should be the only thing missing outside of optimizing the sequence for a bheap. more documentation would be nice but i can add that later

[daurnimator]

Do this check when adding; don't go through making holes that you later need to fixup...

[daurnimator]

You'll also need to install libpsl in the travis file.

[daurnimator]

:( looks like trusty and precise (ubuntu versions supported by travis) don't have libpsl.
https://packages.ubuntu.com/search?suite=default&section=all&arch=any&keywords=libpsl&searchon=names

[RyanSquared]

Yeah, found that out after spending what feels like forever pulling down the Docker image. Would any other GitHub-supported CI have something we can use for it? Alternatively, can we get Travis CI working on a later Ubuntu version?

[RyanSquared]

TODO: return index with self:get() to optimize self:remove_cookie()?

[RyanSquared]

not reasonable because :get() doesn't iterate

[RyanSquared]

TODO: In-depth review and add more comments

[RyanSquared]

TODO: Add explanation; the "older" a nonpermanent cookie is, the more likely it should be nuked, hence why it's put in position 1

[RyanSquared]

TODO: Implement faster search; since cookies are sorted using time, it's possible to optimize by "leaping" through until the time is - either less than or greater than, can't recall ATM - and then go back one "leap" and going from there.

[RyanSquared]

TODO: Use a value n to avoid getting length every time, then increment every time