Merge pull request #94 from mendhak/cookieparser

mendhak · web-flow · commit 68c03ea21acb · 2026-03-20T08:00:32.000Z
Add cookie parser to echo the value of cookies in the response. Also works for signed cookies.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -19,6 +19,10 @@ jobs:
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      security-events: write
+
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
@@ -76,14 +80,14 @@ jobs:
 
       - name: Scan the image
         id: scan
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@v7
         with:
           image: "mendhak/http-https-echo:testing"
           output-format: sarif
           # severity-cutoff: critical
           fail-build: false
 
       - name: upload Anchore scan SARIF report
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## Version `40` - 2026-03-20
+* Echo back cookies and signed cookies
+
 ## Version `39` - 2026-01-09
 * Renamed privkey.pem to testpk.pem so Trivy doesn't flag a false positive by [willyguggenheim](https://github.com/mendhak/docker-http-https-echo/pull/89) 
 * Updated dependencies in package.json
diff --git a/README.md b/README.md
@@ -301,6 +301,47 @@ You can use the `MAX_HEADER_SIZE` environment variable to set a maximum header s
 docker run -d --rm -e MAX_HEADER_SIZE=1000  -p 8080:8080 -p 8443:8443 -t mendhak/http-https-echo:39
 ```
 
+## Cookies and Signed Cookies
+
+Make a request with a `Cookie` header and the response will include the cookies:
+
+```bash
+docker run -d --rm --name http-echo-tests -p 8080:8080 -p 8443:8443 -t mendhak/http-https-echo:39
+```
+
+Then make a request with a cookie header:
+
+```bash
+curl -s http://localhost:8080/ -H "Cookie: foo=bar; baz=qux" 
+```
+
+To enable signed cookie support, set the `COOKIE_SECRET` environment variable. Signed cookies appear in the `signedCookies` section of the response:
+
+```bash
+docker run -d --rm -e COOKIE_SECRET=mysecretkey123 --name http-echo-tests -p 8080:8080 -p 8443:8443 -t mendhak/http-https-echo:39
+```
+
+Now you need to generate a signed cookie, and send it in the header. Here's a convenience node snippet:
+
+```bash
+
+SIGNED_COOKIE=$(node -e "var crypto = require('crypto');
+
+function sign(val, secret){
+  return val + '.' + crypto
+    .createHmac('sha256', secret)
+    .update(val)
+    .digest('base64')
+    .replace(/=+$/, '');
+};
+
+console.log(sign('my-value','mysecretkey123'));")
+
+curl -s http://localhost:8080/ -H "Cookie: mysigned=s:$SIGNED_COOKIE" | jq '.signedCookies'
+```
+
+Notice the `s:` prefix in the cookie value, that is important. 
+
 
 ## Prometheus Metrics
 
diff --git a/index.js b/index.js
@@ -4,6 +4,7 @@ const http = require('http')
 const https = require('https')
 const morgan = require('morgan');
 const express = require('express')
+const cookieParser = require('cookie-parser');
 const concat = require('concat-stream');
 const { promisify } = require('util');
 const promBundle = require("express-prom-bundle");
@@ -39,6 +40,8 @@ if(PROMETHEUS_ENABLED === 'true') {
   app.use(metricsMiddleware);
 }
 
+app.use(cookieParser(process.env.COOKIE_SECRET || 'examplekey'));
+
 if(process.env.DISABLE_REQUEST_LOGS !== 'true'){
   app.use(morgan('combined'));
 }
@@ -76,6 +79,7 @@ app.all('*', (req, res) => {
     ips: req.ips,
     protocol: req.protocol,
     query: req.query,
+    signedCookies: req.signedCookies,
     subdomains: req.subdomains,
     xhr: req.xhr,
     os: {
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -18,6 +18,7 @@
   },
   "dependencies": {
     "concat-stream": "^2.0.0",
+    "cookie-parser": "^1.4.6",
     "express": "^4.22.0",
     "express-prom-bundle": "^8.0.0",
     "jsonwebtoken": "^9.0.0",
diff --git a/tests.sh b/tests.sh
@@ -653,6 +653,60 @@ message " Stop containers "
 docker stop http-echo-tests
 sleep 5
 
+message " Start container with signed cookies support "
+# Set cookie secret for signing/verifying cookies
+docker run -d --rm -e COOKIE_SECRET=mysecretkey123 \
+    --name http-echo-tests -p 8080:8080 -p 8443:8443 -t mendhak/http-https-echo:testing
+sleep 5
+
+SIGNED_COOKIE=$(node -e "var crypto = require('crypto');
+
+function sign(val, secret){
+  return val + '.' + crypto
+    .createHmac('sha256', secret)
+    .update(val)
+    .digest('base64')
+    .replace(/=+$/, '');
+};
+
+console.log(sign('my-value','mysecretkey123'));")
+
+
+RESPONSE=$(curl -s http://localhost:8080/ -H "Cookie: mysigned=s:${SIGNED_COOKIE}")
+if [ $(echo $RESPONSE | jq -r '.signedCookies.mysigned') == 'my-value' ]
+then
+    passed "Signed cookie test passed."
+else
+    failed "Signed cookie test failed."
+    echo $RESPONSE | jq
+    exit 1
+fi
+
+message " Stop containers "
+docker stop http-echo-tests
+sleep 5
+
+
+message " Check that regular cookies are returned in response "
+docker run -d --rm --name http-echo-tests -p 8080:8080 -p 8443:8443 -t mendhak/http-https-echo:testing
+sleep 5
+
+
+RESPONSE=$(curl -s http://localhost:8080/ -H "Cookie: foo=bar; baz=qux")
+if [ $(echo $RESPONSE | jq -r '.cookies.foo') == 'bar' ] && \
+   [ $(echo $RESPONSE | jq -r '.cookies.baz') == 'qux' ]
+then
+    passed "Cookies returned in response test passed."
+else
+    failed "Cookies returned in response test failed."
+    echo $RESPONSE | jq
+    exit 1
+fi
+
+message " Stop containers "
+docker stop http-echo-tests
+sleep 5
+
 popd
 rm -rf testarea
 message "DONE"
