diff --git a/src/utils.ts b/src/utils.ts index 70003ad26..665768d98 100644 --- a/src/utils.ts +++ b/src/utils.ts @@ -711,6 +711,9 @@ export const unsignCookie = async (input: string, secret: string | null) => { } const tentativeValue = input.slice(0, dot) + + if (secret === null) return false + const expectedInput = await signCookie(tentativeValue, secret) return constantTimeEqual(expectedInput, input) ? tentativeValue : false diff --git a/test/cookie/signature.test.ts b/test/cookie/signature.test.ts index 0eb5a8800..2a15025f0 100644 --- a/test/cookie/signature.test.ts +++ b/test/cookie/signature.test.ts @@ -1,6 +1,7 @@ import { describe, expect, it } from 'bun:test' import { parseCookie, Cookie } from '../../src/cookies' import { signCookie } from '../../src/utils' +import { InvalidCookieSignature } from '../../src/error' describe('Parse Cookie', () => { it('handle empty cookie', async () => { @@ -134,4 +135,19 @@ describe('Parse Cookie', () => { expect(result.fischl.value).toEqual('fischl') }) + + it('rejects invalid signature with null secret in rotation', async () => { + const set = { + headers: {}, + cookie: {} + } + + const cookieString = `wizard=1.invalid_sign` + await expect( + parseCookie(set, cookieString, { + secrets: ['valid-secret', null], + sign: ['wizard'] + }) + ).rejects.toThrow(InvalidCookieSignature) + }) })