Allow OPTIONS * requests to pass cookie path check for default setting

index.js

@@ -66,6 +66,26 @@ var defer = typeof setImmediate === 'function'
   ? setImmediate
   : function(fn){ process.nextTick(fn.bind.apply(fn, arguments)) }
 
+/**
+ * Verifies if the original request path matches the path specified in the cookie options.
+ * The main purpose is to ensure that the session middleware processes requests that are intended for paths
+ * that match the cookie path.
+ *
+ * A special case is handled for OPTIONS requests with a wildcard '*', which is considered a match only
+ * if the cookie path is the default '/'. This is due to the semantics of HTTP that allows '*' as a wildcard
+ * for all paths in OPTIONS requests.
+ *
+ * @param {string} originalPath - The original request path.
+ * @param {string} cookiePath - The path for which the cookie is set.
+ * @returns {boolean} Returns true if the original path matches the cookie path, false otherwise.
+ */
+function verifyPath(originalPath, cookiePath) {
+  if (originalPath === '*') {
+    return cookiePath === '/';
+  }
+  return originalPath.indexOf(cookiePath || '/') === 0;
+}
+
 /**
  * Setup session store with the given `options`.
  *
@@ -190,10 +210,9 @@ function session(options) {
       next()
       return
     }
-
     // pathname mismatch
     var originalPath = parseUrl.original(req).pathname || '/'
-    if (originalPath.indexOf(cookieOptions.path || '/') !== 0) {
+    if (!verifyPath(originalPath, cookieOptions.path)) {
       debug('pathname mismatch')
       next()
       return