From 4ad874e6b2bcd65ead6b44ae35e3c8abfe66a8cc Mon Sep 17 00:00:00 2001
From: THAC0
Date: Thu, 10 Oct 2024 11:58:15 +0100
Subject: [PATCH] use 'lax' instead of 'Lax' as default for cookie sameSite option (#271)
Change to support @fastify/cookie ^11.0.0
The downstream jshttp/cookie module now enforces the sameSite option to be lowercase, which means this default is causing the plugin to throw when setting the session cookie.
Signed-off-by: Niall Molloy
---
 lib/cookie.js | 2 +-
 package.json | 2 +-
 test/session.test.js | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/cookie.js b/lib/cookie.js
index 6b6ebc7..8a58845 100644
--- a/lib/cookie.js
+++ b/lib/cookie.js
@@ -28,7 +28,7 @@ module.exports = class Cookie {
 if (request.protocol === 'https') {
 this.secure = true
 } else {
- this.sameSite = 'Lax'
+ this.sameSite = 'lax'
 this.secure = false
 }
 }
diff --git a/package.json b/package.json
index a98434d..ddf0e49 100644
--- a/package.json
+++ b/package.json
@@ -27,7 +27,7 @@
 "url": "git+https://github.com/fastify/session.git"
 },
 "devDependencies": {
- "@fastify/cookie": "^10.0.0",
+ "@fastify/cookie": "^11.0.0",
 "@fastify/pre-commit": "^2.1.0",
 "@types/node": "^22.0.0",
 "c8": "^10.1.2",
diff --git a/test/session.test.js b/test/session.test.js
index da2026c..5f061bb 100644
--- a/test/session.test.js
+++ b/test/session.test.js
@@ -834,7 +834,7 @@ test("clears cookie if not backed by a session, and there's nothing to save", as
 })
 t.assert.strictEqual(response.statusCode, 200)
- t.assert.strictEqual(response.headers['set-cookie'], 'sessionId=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax')
+ t.assert.strictEqual(response.headers['set-cookie'], 'sessionId=; Max-Age=0; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax')
 })
 test("clearing cookie sets the domain if it's specified in the cookie options", async t => {
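Review bot: The lowercase value is fixed only for the plugin's own fallback at `this.sameSite = 'lax'` in lib/cookie.js; nothing visible in this hunk normalises a caller-supplied `sameSite`, so an application configured with `'Lax'`, `'Strict'` or `'None'` would presumably hit the same throw the description mentions once it runs against @fastify/cookie ^11.0.0. Consider lowercasing string values where the option is read, for example `if (typeof this.sameSite === 'string') this.sameSite = this.sameSite.toLowerCase()`, or documenting the lowercase requirement for users. Because this branch also sets `this.secure = false` whenever `request.protocol` is not `'https'`, a short comment that the result depends on the server's proxy-trust configuration would help deployers behind a TLS-terminating proxy. The constructor begins and ends outside the hunk, so either point may already be handled there.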
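Review bot: The updated assertions in test/session.test.js (the hunk at -834 and the one at -853) compare the complete `set-cookie` string, which ties the tests to the serializer's attribute set and order; the `Max-Age=0` they now expect appears to come from the dependency bump rather than from plugin code. Matching individual attributes would keep them stable across serializer changes, e.g. `t.assert.match(response.headers['set-cookie'], /^sessionId=;/)` and `t.assert.match(response.headers['set-cookie'], /Expires=Thu, 01 Jan 1970 00:00:00 GMT/)`. Both test bodies start outside their hunks, so the request setup is not visible here.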
@@ -853,7 +853,7 @@ test("clearing cookie sets the domain if it's specified in the cookie options",
 })
 t.assert.strictEqual(response.statusCode, 200)
- t.assert.strictEqual(response.headers['set-cookie'], 'sessionId=; Domain=domain.test; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax')
+ t.assert.strictEqual(response.headers['set-cookie'], 'sessionId=; Max-Age=0; Domain=domain.test; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax')
 })
 test('does not clear cookie if no session cookie in request', async t => {