From 0d830773db8689cd4f358b638c949aa50b38c65b Mon Sep 17 00:00:00 2001
From: Marc Udoff
Date: Mon, 1 May 2023 11:36:09 -0400
Subject: [PATCH] Add cookie.priority
This adds cookie.priority by passing this property through to cookie (which requires us to upgrade cookie to >=0.5.0). The priority option is not fully standardized, but has been proposed and in-use since 2016.
See also: https://github.com/jshttp/cookie/issues/138
Fixes: #884
---
 README.md | 15 +++++++++++++++
 package.json | 2 +-
 session/cookie.js | 2 ++
 test/cookie.js | 12 ++++++++++++
 test/session.js | 3 ++-
 5 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 45e68a98..ccf99862 100644
--- a/README.md
+++ b/README.md
@@ -167,6 +167,20 @@ as once the cookie is set on HTTPS, it will no longer be visible over HTTP. This is useful when the Express `"trust proxy"` setting is properly setup to simplify development vs production configuration.
+##### cookie.priority
+
+Specifies the `string` to be the value for the [`Priority` `Set-Cookie` attribute][rfc-west-cookie-priority-00-4.1].
+
+ - `'low'` will set the `Priority` attribute to `Low`.
+ - `'medium'` will set the `Priority` attribute to `Medium`, the default priority when not set.
+ - `'high'` will set the `Priority` attribute to `High`.
+
+More information about the different priority levels can be found in
+[the specification][rfc-west-cookie-priority-00-4.1].
+
+**note** This is an attribute that has not yet been fully standardized, and may change in the future.
+This also means many clients may ignore this attribute until they understand it.
+
 ##### genid
 Function to call to generate a new session ID. Provide a function that returns
@@ -975,6 +989,7 @@ On Windows, use the corresponding command;
 [MIT](LICENSE)
 [rfc-6265bis-03-4.1.2.7]: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.2.7
+[rfc-west-cookie-priority-00-4.1]: https://tools.ietf.org/html/draft-west-cookie-priority-00#section-4.1
 [ci-image]: https://badgen.net/github/checks/expressjs/session/master?label=ci
 [ci-url]: https://github.com/expressjs/session/actions?query=workflow%3Aci
 [coveralls-image]: https://badgen.net/coveralls/c/github/expressjs/session/master
diff --git a/package.json b/package.json
index ef7ad2dd..84e54e73 100644
--- a/package.json
+++ b/package.json
@@ -10,7 +10,7 @@
 "repository": "expressjs/session",
 "license": "MIT",
 "dependencies": {
- "cookie": "0.4.2",
+ "cookie": "0.5.0",
 "cookie-signature": "1.0.6",
 "debug": "2.6.9",
 "depd": "~2.0.0",
diff --git a/session/cookie.js b/session/cookie.js
index a8b4e570..27816061 100644
--- a/session/cookie.js
+++ b/session/cookie.js
@@ -26,6 +26,7 @@ var Cookie = module.exports = function Cookie(options) {
 this.path = '/';
 this.maxAge = null;
 this.httpOnly = true;
+ this.priority = 'medium';
 if (options) {
 if (typeof options !== 'object') {
@@ -123,6 +124,7 @@ Cookie.prototype = {
 , domain: this.domain
 , path: this.path
 , sameSite: this.sameSite
+ , priority: this.priority
 }
 },
diff --git a/test/cookie.js b/test/cookie.js
index 65ae1fc3..d09a80b5 100644
--- a/test/cookie.js
+++ b/test/cookie.js
@@ -27,6 +27,11 @@ describe('new Cookie()', function () {
 assert.strictEqual(cookie.maxAge, null)
 })
+ it('should default priority to medium', function () {
+ var cookie = new Cookie()
+ assert.strictEqual(cookie.priority, 'medium')
+ })
+
 describe('with options', function () {
 it('should create a new cookie object', function () {
 assert.strictEqual(typeof new Cookie({}), 'object')
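Review bot: In session/cookie.js the constructor now sets `this.priority = 'medium'` unconditionally, and the `data` getter in the next hunk forwards it, so every session cookie would presumably start carrying `Priority=Medium` even for applications that never set the option. The README text added in this patch says Medium is already the priority clients assume when the attribute is absent, so the default changes the emitted header for all users without changing how a client treats the cookie. I would leave `priority` unset by default (drop the added line, and the 'should default priority to medium' test in test/cookie.js) so the attribute is emitted only when requested. The constructor body continues past the end of the hunk.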
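Review bot: `, priority: this.priority` in the `data` getter of session/cookie.js hands the caller's value to the serializer unchecked, whereas the existing tests expect `new Cookie({ maxAge: true })` to throw at construction time. As far as I know `cookie` 0.5.0 throws a `TypeError` for a priority outside low/medium/high, which here would fire while the response headers are being written rather than when the middleware is configured. A guard in the constructor's option handling (outside this hunk), such as `if (options.priority != null && !/^(low|medium|high)$/i.test(options.priority)) throw new TypeError('priority must be low, medium or high')`, would make a misconfiguration fail early. The getter itself begins outside the hunk.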
@@ -105,6 +110,13 @@ describe('new Cookie()', function () {
 assert.throws(function() { new Cookie({ maxAge: true }) }, /maxAge/)
 assert.throws(function() { new Cookie({ maxAge: function () {} }) }, /maxAge/)
 })
+
+ it('should set priority', function () {
+ var maxAge = 60000
+ var cookie = new Cookie({ priority: 'high' })
+
+ assert.strictEqual(cookie.priority, 'high')
+ })
 })
 describe('path', function () {
diff --git a/test/session.js b/test/session.js
index 7416b261..d7c4967e 100644
--- a/test/session.js
+++ b/test/session.js
@@ -1878,7 +1878,7 @@ describe('session()', function(){
 })
 it('should override defaults', function(done){
- var server = createServer({ cookie: { path: '/admin', httpOnly: false, secure: true, maxAge: 5000 } }, function (req, res) {
+ var server = createServer({ cookie: { path: '/admin', httpOnly: false, secure: true, maxAge: 5000, priority: 'high' } }, function (req, res) {
 req.session.cookie.secure = false
 res.end()
 })
@@ -1889,6 +1889,7 @@ describe('session()', function(){
 .expect(shouldSetCookieWithoutAttribute('connect.sid', 'HttpOnly'))
 .expect(shouldSetCookieWithAttributeAndValue('connect.sid', 'Path', '/admin'))
 .expect(shouldSetCookieWithoutAttribute('connect.sid', 'Secure'))
+ .expect(shouldSetCookieWithAttributeAndValue('connect.sid', 'Priority', 'High'))
 .expect(200, done)
 })
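Review bot: `var maxAge = 60000` in the new 'should set priority' test (test/cookie.js) is never read and looks copied from the maxAge tests; it should be removed. The test also exercises only an accepted value, so nothing records what `new Cookie({ priority: 'bogus' })` is supposed to do. A companion case asserting the intended outcome, whether that is a throw or a pass-through, would document the contract next to the maxAge rejection checks just above.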
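Review bot: The added `.expect(shouldSetCookieWithAttributeAndValue('connect.sid', 'Priority', 'High'))` in test/session.js covers only the override path; none of the visible hunks asserts what `Set-Cookie` carries when `cookie.priority` is not configured, which is the case every existing deployment hits. Given the new constructor default, an assertion in the default-cookie tests such as `.expect(shouldSetCookieWithAttributeAndValue('connect.sid', 'Priority', 'Medium'))` would make that header change explicit and guard against a silent regression. The enclosing `describe` starts outside the hunk.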