From 10a4e92d211fde44ee0985b5fc03ceac92726667 Mon Sep 17 00:00:00 2001
From: picklesrus
Date: Mon, 20 Jul 2020 15:18:09 -0400
Subject: [PATCH] Make the cookie library set the SamSite cookie value to strict by default. If callers want to set it to something else, they can pass it through the opts object like they can 'exprires'. Also added a test file for jar.js so I could test the set method. The other methods remain untested.
---
src/lib/jar.js | 3 ++-
test/unit/lib/jar.test.js | 53 +++++++++++++++++++++++++++++++++++++++
2 files changed, 55 insertions(+), 1 deletion(-)
create mode 100644 test/unit/lib/jar.test.js
diff --git a/src/lib/jar.js b/src/lib/jar.js
index afcc1b277..b487775d3 100644
--- a/src/lib/jar.js
+++ b/src/lib/jar.js
@@ -78,7 +78,8 @@ const Jar = {
 set: (name, value, opts) => {
 opts = opts || {};
 defaults(opts, {
- expires: new Date(new Date().setYear(new Date().getFullYear() + 1))
+ expires: new Date(new Date().setYear(new Date().getFullYear() + 1)),
+ SameSite: 'Strict'
 });
 opts.path = '/';
 const obj = cookie.serialize(name, value, opts);
diff --git a/test/unit/lib/jar.test.js b/test/unit/lib/jar.test.js
new file mode 100644
index 000000000..83bbb7ace
--- /dev/null
+++ b/test/unit/lib/jar.test.js
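Review bot: The added default `SameSite: 'Strict'` is unlikely to reach the emitted Set-Cookie header, because the `cookie` package's `serialize()` reads this option as `sameSite` (lower-case s) and ignores option keys it does not recognise, so the attribute would be silently dropped and cookies would keep the browser's default SameSite handling. The mocked `cookie.serialize` in the new test file cannot detect this, since it only inspects the options object that was passed in. Change the default to `sameSite: 'Strict'` (the library lower-cases the string value, so the casing of `'Strict'` itself is fine) and update the test expectations to match; callers overriding the default should use the same `sameSite` key. `Jar.set` continues past the end of the hunk.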
@@ -0,0 +1,53 @@
+const jar = require('../../../src/lib/jar');
+const cookie = require('cookie');
+
+jest.mock('cookie', () => ({serialize: jest.fn()}));
+describe('unit test lib/jar.js', () => {
+
+ test('simple set test with no opts', () => {
+ jar.set('name', 'value');
+ expect(cookie.serialize).toHaveBeenCalled();
+ expect(cookie.serialize).toHaveBeenCalledWith('name', 'value',
+ expect.objectContaining({
+ path: '/',
+ SameSite: 'Strict',
+ expires: expect.anything() // not specifically matching the date because it is hard to mock
+ }));
+ });
+ test('test with opts', () => {
+ jar.set('a', 'b', {option: 'one'});
+ expect(cookie.serialize).toHaveBeenCalled();
+ expect(cookie.serialize).toHaveBeenCalledWith('a', 'b',
+ expect.objectContaining({
+ option: 'one',
+ path: '/',
+ SameSite: 'Strict',
+ expires: expect.anything() // not specifically matching the date because it is hard to mock
+ }));
+ });
+ test('expires opts overrides default', () => {
+ jar.set('a', 'b', {
+ option: 'one',
+ expires: 'someday'
+ });
+ expect(cookie.serialize).toHaveBeenCalled();
+ expect(cookie.serialize).toHaveBeenCalledWith('a', 'b',
+ expect.objectContaining({
+ option: 'one',
+ path: '/',
+ expires: 'someday'
+ }));
+ });
+ test('SameSite opts overrides default', () => {
+ jar.set('a', 'b', {
+ option: 'one',
+ SameSite: 'override'
+ });
+ expect(cookie.serialize).toHaveBeenCalled();
+ expect(cookie.serialize).toHaveBeenCalledWith('a', 'b',
+ expect.objectContaining({
+ option: 'one',
+ SameSite: 'override'
+ }));
+ });
+});
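Review bot: The shared `jest.fn()` mock is never cleared between tests, so `toHaveBeenCalled()` in the later tests is satisfied by calls left over from earlier ones and `toHaveBeenCalledWith` matches any recorded call; add `beforeEach(() => { cookie.serialize.mockClear(); });` at the top of the describe block so each test asserts only its own call. Because `serialize` is fully mocked, none of the four tests checks that the option actually appears in the serialized cookie string; one test that uses `jest.requireActual('cookie').serialize` and asserts the output contains `SameSite=Strict` would exercise the real attribute emission and pin the option key the library expects. The `'override'` value in the last test is not a value the SameSite attribute accepts; a valid value such as `'Lax'` keeps that test meaningful if serialization is ever exercised for real.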