Fix Uppercase handling for SameSite cookie values

packages/docs/src/routes/api/qwik-city-middleware-request-handler/api.json

@@ -68,7 +68,7 @@
         }
       ],
       "kind": "Interface",
-      "content": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie\n\n\n```typescript\nexport interface CookieOptions \n```\n\n\n|  Property | Modifiers | Type | Description |\n|  --- | --- | --- | --- |\n|  [domain?](#) |  | string | _(Optional)_ Defines the host to which the cookie will be sent. If omitted, this attribute defaults to the host of the current document URL, not including subdomains. |\n|  [expires?](#) |  | Date \\| string | _(Optional)_ Indicates the maximum lifetime of the cookie as an HTTP-date timestamp. If both <code>expires</code> and <code>maxAge</code> are set, <code>maxAge</code> has precedence. |\n|  [httpOnly?](#) |  | boolean | _(Optional)_ Forbids JavaScript from accessing the cookie, for example, through the <code>document.cookie</code> property. |\n|  [maxAge?](#) |  | number \\| \\[number, 'seconds' \\| 'minutes' \\| 'hours' \\| 'days' \\| 'weeks'\\] | _(Optional)_ Indicates the number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. If both <code>expires</code> and <code>maxAge</code> are set, <code>maxAge</code> has precedence. You can also use the array syntax to set the max-age using minutes, hours, days or weeks. For example, <code>{ maxAge: [3, &quot;days&quot;] }</code> would set the cookie to expire in 3 days. |\n|  [path?](#) |  | string | _(Optional)_ Indicates the path that must exist in the requested URL for the browser to send the Cookie header. |\n|  [sameSite?](#) |  | 'strict' \\| 'lax' \\| 'none' \\| boolean | _(Optional)_ Controls whether or not a cookie is sent with cross-site requests, providing some protection against cross-site request forgery attacks (CSRF). |\n|  [secure?](#) |  | boolean | _(Optional)_ Indicates that the cookie is sent to the server only when a request is made with the <code>https:</code> scheme (except on localhost) |",
+      "content": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie\n\n\n```typescript\nexport interface CookieOptions \n```\n\n\n|  Property | Modifiers | Type | Description |\n|  --- | --- | --- | --- |\n|  [domain?](#) |  | string | _(Optional)_ Defines the host to which the cookie will be sent. If omitted, this attribute defaults to the host of the current document URL, not including subdomains. |\n|  [expires?](#) |  | Date \\| string | _(Optional)_ Indicates the maximum lifetime of the cookie as an HTTP-date timestamp. If both <code>expires</code> and <code>maxAge</code> are set, <code>maxAge</code> has precedence. |\n|  [httpOnly?](#) |  | boolean | _(Optional)_ Forbids JavaScript from accessing the cookie, for example, through the <code>document.cookie</code> property. |\n|  [maxAge?](#) |  | number \\| \\[number, 'seconds' \\| 'minutes' \\| 'hours' \\| 'days' \\| 'weeks'\\] | _(Optional)_ Indicates the number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. If both <code>expires</code> and <code>maxAge</code> are set, <code>maxAge</code> has precedence. You can also use the array syntax to set the max-age using minutes, hours, days or weeks. For example, <code>{ maxAge: [3, &quot;days&quot;] }</code> would set the cookie to expire in 3 days. |\n|  [path?](#) |  | string | _(Optional)_ Indicates the path that must exist in the requested URL for the browser to send the Cookie header. |\n|  [sameSite?](#) |  | 'strict' \\| 'lax' \\| 'none' \\| 'Strict' \\| 'Lax' \\| 'None' \\| boolean | _(Optional)_ Controls whether or not a cookie is sent with cross-site requests, providing some protection against cross-site request forgery attacks (CSRF). |\n|  [secure?](#) |  | boolean | _(Optional)_ Indicates that the cookie is sent to the server only when a request is made with the <code>https:</code> scheme (except on localhost) |",
       "editUrl": "https://github.com/BuilderIO/qwik/tree/main/packages/qwik-city/middleware/request-handler/types.ts",
       "mdFile": "qwik-city.cookieoptions.md"
     },

packages/docs/src/routes/api/qwik-city-middleware-request-handler/index.md

@@ -74,7 +74,7 @@ export interface CookieOptions
 | [httpOnly?](#) |           | boolean                                                                    | _(Optional)_ Forbids JavaScript from accessing the cookie, for example, through the <code>document.cookie</code> property.                                                                                                                                                                                                                                                                                                             |
 | [maxAge?](#)   |           | number \| [number, 'seconds' \| 'minutes' \| 'hours' \| 'days' \| 'weeks'] | _(Optional)_ Indicates the number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. If both <code>expires</code> and <code>maxAge</code> are set, <code>maxAge</code> has precedence. You can also use the array syntax to set the max-age using minutes, hours, days or weeks. For example, <code>{ maxAge: [3, &quot;days&quot;] }</code> would set the cookie to expire in 3 days. |
 | [path?](#)     |           | string                                                                     | _(Optional)_ Indicates the path that must exist in the requested URL for the browser to send the Cookie header.                                                                                                                                                                                                                                                                                                                        |
-| [sameSite?](#) |           | 'strict' \| 'lax' \| 'none' \| boolean                                     | _(Optional)_ Controls whether or not a cookie is sent with cross-site requests, providing some protection against cross-site request forgery attacks (CSRF).                                                                                                                                                                                                                                                                           |
+| [sameSite?](#) |           | 'strict' \| 'lax' \| 'none' \| 'Strict' \| 'Lax' \| 'None' \| boolean      | _(Optional)_ Controls whether or not a cookie is sent with cross-site requests, providing some protection against cross-site request forgery attacks (CSRF).                                                                                                                                                                                                                                                                           |
 | [secure?](#)   |           | boolean                                                                    | _(Optional)_ Indicates that the cookie is sent to the server only when a request is made with the <code>https:</code> scheme (except on localhost)                                                                                                                                                                                                                                                                                     |
 
 [Edit this section](https://github.com/BuilderIO/qwik/tree/main/packages/qwik-city/middleware/request-handler/types.ts)

packages/qwik-city/middleware/request-handler/api.md

@@ -54,7 +54,7 @@ export interface CookieOptions {
     httpOnly?: boolean;
     maxAge?: number | [number, 'seconds' | 'minutes' | 'hours' | 'days' | 'weeks'];
     path?: string;
-    sameSite?: 'strict' | 'lax' | 'none' | boolean;
+    sameSite?: 'strict' | 'lax' | 'none' | 'Strict' | 'Lax' | 'None' | boolean;
     secure?: boolean;
 }
 

packages/qwik-city/middleware/request-handler/cookie.ts

@@ -2,8 +2,11 @@ import type { Cookie as CookieInterface, CookieOptions, CookieValue } from './ty
 
 const SAMESITE = {
   lax: 'Lax',
+  Lax: 'Lax',
+  None: 'None',
   none: 'None',
   strict: 'Strict',
+  Strict: 'Strict',
 } as const;
 
 const UNIT = {
@@ -75,7 +78,7 @@ const parseCookieString = (cookieString: string | undefined | null) => {
   return cookie;
 };
 
-function resolveSameSite(sameSite: boolean | 'strict' | 'lax' | 'none' | undefined) {
+function resolveSameSite(sameSite: CookieOptions['sameSite']) {
   if (sameSite === true) {
     return 'Strict';
   }

packages/qwik-city/middleware/request-handler/cookie.unit.ts

@@ -80,6 +80,9 @@ test('creates correct headers', () => {
       options: { expires: new Date(0) },
       expect: 'm=13; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
     },
+    { key: 'n', value: '14', options: { sameSite: 'Strict' }, expect: 'n=14; SameSite=Strict' },
+    { key: 'o', value: '15', options: { sameSite: 'Lax' }, expect: 'o=15; SameSite=Lax' },
+    { key: 'p', value: '16', options: { sameSite: 'None' }, expect: 'p=16; SameSite=None' },
   ];
   const cookie = new Cookie('');
   const expect = data.map(({ expect }) => expect);

packages/qwik-city/middleware/request-handler/types.ts

@@ -538,7 +538,7 @@ export interface CookieOptions {
    * Controls whether or not a cookie is sent with cross-site requests, providing some protection
    * against cross-site request forgery attacks (CSRF).
    */
-  sameSite?: 'strict' | 'lax' | 'none' | boolean;
+  sameSite?: 'strict' | 'lax' | 'none' | 'Strict' | 'Lax' | 'None' | boolean;
   /**
    * Indicates that the cookie is sent to the server only when a request is made with the `https:`
    * scheme (except on localhost)