allow 'non-strict' cookie matching. any token of the format (#25)

for example, any cookie of the format recaptcha-*-t will match in non-struct mode. This allows cross-waf keys to be used, eg. for testing.

Author: bsurmanski

src/createAssessment.ts

@@ -22,6 +22,7 @@ import * as action from "./action";
 import { Assessment, AssessmentSchema, Event, EventSchema, RpcErrorSchema } from "./assessment";
 import * as error from "./error";
 import { RecaptchaContext } from "./index";
+import picomatch from "picomatch";
 
 /**
  * Adds reCAPTCHA specific values to an Event strucutre.
@@ -40,13 +41,30 @@ export function createPartialEventWithSiteInfo(
     context.log("debug", "siteKind: action");
   } else {
     const cookieMap = new Map<string, string>();
+    var sessionToken: string | undefined;
+    var challengeToken: string | undefined;
     for (const cookie of req.headers.get("cookie")?.split(";") ?? []) {
       const [key, value] = cookie.split("=");
       cookieMap.set(key.trim(), value.trim());
+
+      // Non-strict cookie parsing will match any 'recaptcha-*-t' token.
+      // This is useful for using an existing key in a different WAF than registered
+      // specifically for testing.
+      if (!context.config.strict_cookie) {
+        if (picomatch.isMatch(key.trim(), "recaptcha-*-t")) {
+          sessionToken = value.trim();
+        } else if (picomatch.isMatch(key.trim(), "recaptcha-*-e")) {
+          challengeToken = value.trim();
+        }
+      }
     }
 
-    const sessionToken = cookieMap.get(context.sessionPageCookie);
-    const challengeToken = cookieMap.get(context.challengePageCookie);
+    if (!sessionToken) {
+      sessionToken = cookieMap.get(context.sessionPageCookie);
+    }
+    if (!challengeToken) {
+      challengeToken = cookieMap.get(context.challengePageCookie);
+    }
     if (context.config.debug) {
       for (const [key, value] of cookieMap.entries()) {
         if (
@@ -65,12 +83,12 @@ export function createPartialEventWithSiteInfo(
     }
 
     if (context.config.sessionSiteKey && sessionToken) {
-      event.token = cookieMap.get(context.sessionPageCookie);
+      event.token = sessionToken;
       event.siteKey = context.config.sessionSiteKey;
       event.wafTokenAssessment = true;
       context.log("debug", "siteKind: session");
     } else if (context.config.challengePageSiteKey && challengeToken) {
-      event.token = cookieMap.get(context.challengePageCookie);
+      event.token = challengeToken;
       event.siteKey = context.config.challengePageSiteKey;
       event.wafTokenAssessment = true;
       context.log("debug", "siteKind: challenge");

src/index.test.ts

@@ -929,7 +929,7 @@ test("processRequest-raise", async () => {
   expect(fetch).toHaveBeenCalledTimes(3);
 });
 
-test("insertFeaturesIntoEvent-actionToken", () => {
+test("createPartialEventWithSiteInfo-actionToken", () => {
   const context = new TestContext(testConfig);
   const req = new Request("https://www.example.com/teste2e", {
     headers: { "X-Recaptcha-Token": "action-token" },
@@ -949,7 +949,7 @@ test("insertFeaturesIntoEvent-actionToken", () => {
   });
 });
 
-test("insertFeaturesIntoEvent-sessionToken", () => {
+test("createPartialEventWithSiteInfo-sessionToken", () => {
   const context = new TestContext(testConfig);
   const req = new Request("https://www.example.com/test", {
     headers: { cookie: "recaptcha-test-t=session-token" },
@@ -969,7 +969,48 @@ test("insertFeaturesIntoEvent-sessionToken", () => {
   });
 });
 
-test("insertFeaturesIntoEvent-challengeToken", () => {
+test("createPartialEventWithSiteInfo-strictSessionToken", () => {
+  const context = new TestContext(testConfig);
+  context.config.strict_cookie = true;
+  const req = new Request("https://www.example.com/test", {
+    headers: { cookie: "recaptcha-example-t=session-token" },
+  });
+  const site_info = createPartialEventWithSiteInfo(context, req);
+  const site_features = EventSchema.parse(context.buildEvent(req));
+  const event = {
+    ...site_info,
+    ...site_features,
+  };
+  expect(event).toEqual({
+    siteKey: "express-site-key",
+    express: true,
+    userAgent: "test-user-agent",
+    userIpAddress: "1.2.3.4",
+  });
+});
+
+test("createPartialEventWithSiteInfo-nonStrictSessionToken", () => {
+  const context = new TestContext(testConfig);
+  context.config.strict_cookie = false;
+  const req = new Request("https://www.example.com/test", {
+    headers: { cookie: "recaptcha-example-t=session-token" },
+  });
+  const site_info = createPartialEventWithSiteInfo(context, req);
+  const site_features = EventSchema.parse(context.buildEvent(req));
+  const event = {
+    ...site_info,
+    ...site_features,
+  };
+  expect(event).toEqual({
+    token: "session-token",
+    siteKey: "session-site-key",
+    userAgent: "test-user-agent",
+    wafTokenAssessment: true,
+    userIpAddress: "1.2.3.4",
+  });
+});
+
+test("createPartialEventWithSiteInfo-challengeToken", () => {
   const context = new TestContext(testConfig);
   const req = new Request("https://www.example.com/test", {
     headers: { cookie: "recaptcha-test-e=challenge-token" },
@@ -989,7 +1030,28 @@ test("insertFeaturesIntoEvent-challengeToken", () => {
   });
 });
 
-test("insertFeaturesIntoEvent-express", () => {
+test("createPartialEventWithSiteInfo-nonStrictChallengeToken", () => {
+  const context = new TestContext(testConfig);
+  context.config.strict_cookie = false;
+  const req = new Request("https://www.example.com/test", {
+    headers: { cookie: "recaptcha-example-e=challenge-token" },
+  });
+  const site_info = createPartialEventWithSiteInfo(context, req);
+  const site_features = EventSchema.parse(context.buildEvent(req));
+  const event = {
+    ...site_info,
+    ...site_features,
+  };
+  expect(event).toEqual({
+    token: "challenge-token",
+    siteKey: "challenge-page-site-key",
+    userAgent: "test-user-agent",
+    wafTokenAssessment: true,
+    userIpAddress: "1.2.3.4",
+  });
+});
+
+test("createPartialEventWithSiteInfo-express", () => {
   const context = new TestContext(testConfig);
   const req = new Request("https://www.example.com/test", {});
   const site_info = createPartialEventWithSiteInfo(context, req);

src/index.ts

@@ -76,6 +76,7 @@ export interface RecaptchaConfig {
   sessionJsInjectPath?: string;
   recaptchaEndpoint: string;
   debug?: boolean;
+  strict_cookie?: boolean;
 }
 
 export type LogLevel = "debug" | "info" | "warning" | "error";