Description
Summary
After upgrading cookie from 0.5.0 to 0.7.0, our authorization flow broke.
The API route that exchanges the OAuth code for tokens (/api/faust/auth/token/) started returning:
GET http://localhost:3000/api/faust/auth/token/ 500 (Internal Server Error)
TypeError: argument name is invalid
This did not happen in 0.5.0.
Root Cause
In 0.7.0, the library switched from using fieldContentRegExp to cookieNameRegExp for validating cookie names:
// <= 0.5.0
var fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/;
// >= 0.7.0
var cookieNameRegExp = /^[!#$%&'*+-.^_`|~0-9A-Za-z]+$/;
Previously, the looser regex allowed a much wider character set.
The allowed values are checked separately, with:
var cookieValueRegExp = /^("?)[\u0021\u0023-\u002B\u002D-\u003A\u003C-\u005B\u005D-\u007E]*\1$/;
So values can include characters such as:
! # $ % & ' ( ) * + , - . /
0-9
:
< = > ? @
A-Z
[ ] ^ _ `
a-z
{ | } ~
Not allowed: space, control characters, double quotes (unless wrapping the whole value), semicolon, and backslash.
Example Failure
aQ1ebohOYSdJKFp4akbeEMO41eGOSnM+v5c0S4i/hs9IFzBOskna+dtypHy5hk5WAXdwNveJgAvOr6XRDnwDaw==
It contains +, /, and =, which are valid for values per cookieValueRegExp, but invalid for names per cookieNameRegExp.
Actual Behavior
TypeError: argument name is invalid
Suggested Fix / Discussion
Consider reverting or adjusting so that values are validated with cookieValueRegExp and names with a less strict check, matching pre-0.7 behavior. (I believe it was fixed in the cookie package 1.0.2 update.)
Steps to reproduce
Install cookie@0.7.0
npm install cookie@0.7.0
Run the following snippet in Node:
import cookie from 'cookie';
// Example token that includes +, /, =
const token = "aQ1ebohOYSdJKFp4akbeEMO41eGOSnM+v5c0S4i/hs9IFzBOskna+dtypHy5hk5WAXdwNveJgAvOr6XRDnwDaw==";
// ❌ Mistakenly using the token as the cookie name
console.log(cookie.serialize(token, "dummy"));
Observe the error:
TypeError: argument name is invalid
Now downgrade to cookie@0.5.0:
npm install cookie@0.5.0
Run the same snippet again — it succeeds and prints a Set-Cookie string.
Additional context
No response
@faustwp/core Version
3.3.0+
@faustwp/cli Version
3.3.1
FaustWP Plugin Version
1.8.0
WordPress Version
6.3.2
Additional environment details
No response
Please confirm that you have searched existing issues in the repo.
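Added example, not part of the original report or the cookie package's code: the three patterns quoted in the report, run against its sample token to show which characters each check rejects, plus a hypothetical `buildTokenCookie` helper that keeps the name fixed and carries the token as the value. The name `faust_token` and the sample `sid; Path=/` are constructed for illustration, and the hyphen in the name pattern is escaped here so that it reads as a literal.

```javascript
// Patterns as quoted in the report above.
const fieldContentRegExp = /^[\u0009\u0020-\u007e\u0080-\u00ff]+$/; // name check, <= 0.5.0
const cookieNameRegExp = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;          // name check, >= 0.7.0
const cookieValueRegExp = /^("?)[\u0021\u0023-\u002B\u002D-\u003A\u003C-\u005B\u005D-\u007E]*\1$/;

// Report which of the three checks accept a given string.
function classify(s) {
  return {
    oldName: fieldContentRegExp.test(s),
    newName: cookieNameRegExp.test(s),
    value: cookieValueRegExp.test(s),
  };
}

// Distinct characters the 0.7.0 name check rejects, in order of first appearance.
function rejectedNameChars(s) {
  return [...new Set([...s].filter((ch) => !cookieNameRegExp.test(ch)))];
}

// Hypothetical helper: the name is a fixed identifier, the token travels as the
// value, percent-encoded so that it always fits the value pattern.
function buildTokenCookie(name, token) {
  if (!cookieNameRegExp.test(name)) {
    throw new TypeError(`cookie name rejected: ${rejectedNameChars(name).join(' ')}`);
  }
  const value = encodeURIComponent(token);
  if (!cookieValueRegExp.test(value)) {
    throw new TypeError('cookie value rejected after encoding');
  }
  return `${name}=${value}`;
}

// Token from the report.
const token =
  'aQ1ebohOYSdJKFp4akbeEMO41eGOSnM+v5c0S4i/hs9IFzBOskna+dtypHy5hk5WAXdwNveJgAvOr6XRDnwDaw==';
// Constructed sample: a name containing the header delimiters ';', ' ' and '='.
const delimiterName = 'sid; Path=/';

console.log(classify(token));
console.log(rejectedNameChars(token));
console.log(classify(delimiterName));
console.log(buildTokenCookie('faust_token', token));
```

Only `/` and `=` fail the 0.7.0 name check for this token; `+` is a legal token character. The pre-0.7 name check also accepted `;`, `=` and spaces, which are the delimiters of the Set-Cookie header itself.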