From 88307b352fa8fe65f80eb6cad9694cb87c7aaf2f Mon Sep 17 00:00:00 2001
From: D-393Patel
Date: Thu, 13 Nov 2025 10:09:06 +0530
Subject: [PATCH] fix: ensure req.cookies defaults to {} when no Cookie header is sent
Previously, in Express 5 environments, req.cookies could remain null when no Cookie header was provided or when an empty Cookie header was sent. This caused unexpected null checks in downstream middleware relying on req.cookies to always be an object. This commit initializes req.cookies to an empty object before early returns, ensuring consistent behavior with Express 4 and maintaining backward compatibility.
Closes: #128
---
index.js | 12 ++++---
test/express5-null-cookies.test.js | 54 ++++++++++++++++++++++++++++++
test/req-cookies-null.test.js | 28 ++++++++++++++++
3 files changed, 90 insertions(+), 4 deletions(-)
create mode 100644 test/express5-null-cookies.test.js
create mode 100644 test/req-cookies-null.test.js
diff --git a/index.js b/index.js
index dd6d479..12ac087 100644
--- a/index.js
+++ b/index.js
@@ -49,15 +49,19 @@ function cookieParser (secret, options) {
 var cookies = req.headers.cookie
 req.secret = secrets[0]
- req.cookies = Object.create(null)
- req.signedCookies = Object.create(null)
+ req.cookies = {}
+ req.signedCookies = {}
 // no cookies
- if (!cookies) {
+ if (!cookies || cookies.trim().length === 0) {
 return next()
 }
- req.cookies = cookie.parse(cookies, options)
+ try {
+ req.cookies = cookie.parse(cookies, options) || {}
+ } catch (err) {
+ req.cookies = {}
+ }
 // parse signed cookies
 if (secrets.length !== 0) {
diff --git a/test/express5-null-cookies.test.js b/test/express5-null-cookies.test.js
new file mode 100644
index 0000000..bf4530e
--- /dev/null
+++ b/test/express5-null-cookies.test.js
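Review bot: Replacing `Object.create(null)` with `{}` for `req.cookies` and `req.signedCookies` gives both containers `Object.prototype` as their prototype, so a lookup keyed by a client-influenced name (`req.cookies[name]`, `name in req.cookies`) now resolves inherited members such as `constructor` or `toString` even when no cookie was sent. A null-prototype object is already truthy and serialises as `{}`, so I would keep `req.cookies = Object.create(null)` and `req.signedCookies = Object.create(null)` unless the failure in #128 is shown to come from the missing prototype. The new `catch (err)` also discards every error from `cookie.parse`, including one caused by a bad `options` value, and then falls through to the signed-cookie code, which continues outside this hunk. If ignoring the error is intended, a comment such as `// malformed Cookie header: treat as no cookies` would make that explicit.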
@@ -0,0 +1,54 @@
+const assert = require('assert')
+const http = require('http')
+const express = require('express')
+const cookieParser = require('../index') // local cookie-parser
+
+describe('Issue #128 (Express 5 integration)', function () {
+ let server
+
+ before(function (done) {
+ const app = express()
+ app.use(cookieParser())
+
+ // Add a simple route
+ app.get('/', (req, res) => {
+ res.json({
+ cookies: req.cookies,
+ hasCookiesKey: Object.prototype.hasOwnProperty.call(req, 'cookies'),
+ type: typeof req.cookies
+ })
+ })
+
+ server = http.createServer(app).listen(4000, done)
+ })
+
+ after(function (done) {
+ server.close(done)
+ })
+
+ it('should return {} when no Cookie header is present', function (done) {
+ http.get('http://localhost:4000/', (res) => {
+ let data = ''
+ res.on('data', (chunk) => (data += chunk))
+ res.on('end', () => {
+ const parsed = JSON.parse(data)
+ assert.ok(parsed.hasCookiesKey, 'req should have a cookies key')
+ assert.deepStrictEqual(parsed.cookies, {}, 'req.cookies should be {}')
+ done()
+ })
+ })
+ })
+
+ it('should return {} when Cookie header is empty', function (done) {
+ const opts = { hostname: 'localhost', port: 4000, path: '/', headers: { Cookie: '' } }
+ http.get(opts, (res) => {
+ let data = ''
+ res.on('data', (chunk) => (data += chunk))
+ res.on('end', () => {
+ const parsed = JSON.parse(data)
+ assert.deepStrictEqual(parsed.cookies, {}, 'req.cookies should be {}')
+ done()
+ })
+ })
+ })
+})
diff --git a/test/req-cookies-null.test.js b/test/req-cookies-null.test.js
new file mode 100644
index 0000000..6a664a4
--- /dev/null
+++ b/test/req-cookies-null.test.js
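Review bot: The assertions compare the JSON-decoded response body, and a null-prototype object serialises to `{}` just as a plain object does, so these tests (and both cases in test/req-cookies-null.test.js) would presumably also pass against the previous `Object.create(null)` defaults and do not pin the behaviour the commit describes. Checking the live value inside the route handler, for example `assert.notStrictEqual(req.cookies, null)`, would test what the commit message claims; the `type` field sent by the route is never asserted. Separately, `listen(4000, done)` binds a fixed port without a host argument; `listen(0, '127.0.0.1', done)` with the URL built from `server.address().port` avoids port collisions and keeps the test server on loopback. The `http.get` calls also have no `'error'` handler, so a failed connection would surface only as a timeout.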
@@ -0,0 +1,28 @@
+const express = require('express');
+const request = require('supertest');
+const cookieParser = require('..');
+
+describe('Issue #128 - req.cookies showing null', function () {
+ it('should default req.cookies to {} when no Cookie header is sent', function (done) {
+ const app = express();
+ app.use(cookieParser());
+
+ app.get('/', (req, res) => res.json(req.cookies));
+
+ request(app)
+ .get('/')
+ .expect(200, {}, done);
+ });
+
+ it('should default req.cookies to {} when Cookie header is empty', function (done) {
+ const app = express();
+ app.use(cookieParser());
+
+ app.get('/', (req, res) => res.json(req.cookies));
+
+ request(app)
+ .get('/')
+ .set('Cookie', '')
+ .expect(200, {}, done);
+ });
+});
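Review bot: This file requires `express`, but the diffstat lists no package.json change, so the suite relies on `express` already being a declared devDependency at the major version the commit message targets. If it is not, the tests run against whatever copy happens to be installed, or fail to load, and the Express 5 behaviour is not what gets exercised. The two cases also repeat test/express5-null-cookies.test.js one for one, so one of the files could be dropped. This file ends statements with semicolons while index.js and the other new test do not; matching the existing style would presumably keep the lint run clean.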