Add cookie assertions framework #868

dmurvihill · 2025-08-26T00:28:00Z

Add a convenient workflow for running assertions on cookie headers returned by the server. This code is largely copied from Gregory Langlais' package expect-cookies (MIT License).

Implements #855.

Example usage:

const request = require('supertest');
const cookies = request.cookies;

request(app)
  .get('/users')
  .expect('Content-Type', /json/)
  .expect('Content-Length', '15')
  .expect(200)
  // assert 'alpha' cookie is set with domain, path, and httpOnly options
  .expect(cookies.set({ name: 'alpha', options: ['domain', 'path', 'httponly'] }))
  // assert 'bravo' cookie is NOT set
  .expect(cookies.not('set', { name: 'bravo' }))
  .end(function(err, res) {
    if (err) {
      throw err;
    }
  });

Supports:

.set - Assert that cookie and options are set.
.reset - Assert that cookie is set and was already set (in request headers).
.new - Assert that cookie is set and was NOT already set (NOT in request headers).
.renew - Assert that cookie is set with a strictly greater expires or max-age than the given value.
.contain - Assert that cookie is set with value and contains options.
.not - Call any cookies assertion method with "assert true" modifier set to false.

Checklist

I have ensured my pull request is not behind the main or master branch of the original repository.
I have rebased all commits where necessary so that reviewing this pull request can be done without having to merge it first.
I have written a commit message that passes commitlint linting.
I have ensured that my code changes pass linting tests.
I have ensured that my code changes pass unit tests.
I have described my pull request and the reasons for code changes along with context if necessary.

titanism · 2025-08-26T00:41:07Z

Can you fix the merge conflict?

Add a convenient workflow for running assertions on cookie headers returned by the server. This code is largely copied from Gregory Langais' package `expect-cookie` (MIT License). Example usage: ```js const request = require('supertest'); const cookies = request.cookies; request(app) .get('/users') .expect('Content-Type', /json/) .expect('Content-Length', '15') .expect(200) // assert 'alpha' cookie is set with domain, path, and httpOnly options .expect(cookies.set({ name: 'alpha', options: ['domain', 'path', 'httponly'] })) // assert 'bravo' cookie is NOT set .expect(cookies.not('set', { name: 'bravo' })) .end(function(err, res) { if (err) { throw err; } }); ``` Supports: - `.set` - Assert that cookie and options are set. - `.reset` - Assert that cookie is set and was already set (in request headers). - `.new` - Assert that cookie is set and was NOT already set (NOT in request headers). - `.renew` - Assert that cookie is set with a strictly greater `expires` or `max-age` than the given value. - `.contain` - Assert that cookie is set with value and contains options. - `.not` - Call any cookies assertion method with "assert true" modifier set to `false`. feat(cookies): add cookie assertions Add a convenient workflow for running assertions on cookie headers returned by the server. This code is largely copied from Gregory Langais' package `expect-cookies` (MIT License). Example usage: ```js const request = require('supertest'); const cookies = request.cookies; request(app) .get('/users') .expect('Content-Type', /json/) .expect('Content-Length', '15') .expect(200) // assert 'alpha' cookie is set with domain, path, and httpOnly options .expect(cookies.set({ name: 'alpha', options: ['domain', 'path', 'httponly'] })) // assert 'bravo' cookie is NOT set .expect(cookies.not('set', { name: 'bravo' })) .end(function(err, res) { if (err) { throw err; } }); ``` Supports: - `.set` - Assert that cookie and options are set. - `.reset` - Assert that cookie is set and was already set (in request headers). - `.new` - Assert that cookie is set and was NOT already set (NOT in request headers). - `.renew` - Assert that cookie is set with a strictly greater `expires` or `max-age` than the given value. - `.contain` - Assert that cookie is set with value and contains options. - `.not` - Call any cookies assertion method with "assert true" modifier set to `false`.

socket-security · 2025-08-26T04:10:13Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cookie-signature@1.2.2
	sinon@20.0.0

View full report

dmurvihill · 2025-08-26T04:10:16Z

Fixed. Sorry, not sure how that happened.

dmurvihill · 2025-09-10T21:56:07Z

Everything look ok now?

A1exKH

LGTM.

dmurvihill force-pushed the cookie-assertions branch from 366c7ef to 4f89680 Compare August 26, 2025 04:09

A1exKH approved these changes Sep 25, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add cookie assertions framework #868

Add cookie assertions framework #868

Uh oh!

dmurvihill commented Aug 26, 2025 •

edited

Loading

Uh oh!

titanism commented Aug 26, 2025

Uh oh!

socket-security bot commented Aug 26, 2025

Uh oh!

dmurvihill commented Aug 26, 2025

Uh oh!

dmurvihill commented Sep 10, 2025

Uh oh!

A1exKH left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Add cookie assertions framework #868

Are you sure you want to change the base?

Add cookie assertions framework #868

Uh oh!

Conversation

dmurvihill commented Aug 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Checklist

Uh oh!

titanism commented Aug 26, 2025

Uh oh!

socket-security bot commented Aug 26, 2025

Uh oh!

dmurvihill commented Aug 26, 2025

Uh oh!

dmurvihill commented Sep 10, 2025

Uh oh!

A1exKH left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

dmurvihill commented Aug 26, 2025 •

edited

Loading