inject credentials in server-side fetch

packages/kit/package.json

@@ -18,6 +18,7 @@
 		"@types/rimraf": "^3.0.0",
 		"@types/sade": "^1.7.2",
 		"amphtml-validator": "^1.0.33",
+		"cookie": "^0.4.1",
 		"eslint": "^7.14.0",
 		"esm": "^3.2.25",
 		"estree-walker": "^2.0.1",

packages/kit/src/renderer/endpoint.js

@@ -1,3 +1,5 @@
+import { normalize_headers } from './utils';
+
 export default function render_route(request, context, options) {
 	const route = options.manifest.endpoints.find((route) => route.pattern.test(request.path));
 	if (!route) return null;
@@ -36,7 +38,7 @@ export default function render_route(request, context, options) {
 
 				let { status = 200, body, headers = {} } = response;
 
-				headers = lowercase_keys(headers);
+				headers = normalize_headers(headers);
 
 				if (
 					(typeof body === 'object' && !('content-type' in headers)) ||
@@ -63,11 +65,3 @@ export default function render_route(request, context, options) {
 		}
 	});
 }
-
-function lowercase_keys(obj) {
-	const clone = {};
-	for (const key in obj) {
-		clone[key.toLowerCase()] = obj[key];
-	}
-	return clone;
-}

packages/kit/src/renderer/index.js

@@ -1,6 +1,7 @@
 import { createHash } from 'crypto';
 import render_page from './page';
 import render_endpoint from './endpoint';
+import { normalize_headers } from './utils';
 
 function md5(body) {
 	return createHash('md5').update(body).digest('hex');
@@ -18,12 +19,13 @@ export async function render(request, options) {
 		};
 	}
 
-	const { context, headers = {} } =
-		(await (options.setup.prepare && options.setup.prepare(request.headers))) || {};
+	const prepared = (await (options.setup.prepare && options.setup.prepare(request.headers))) || {};
+	const context = prepared.context;
+	const headers = normalize_headers(prepared.headers);
 
 	try {
 		const response = await (render_endpoint(request, context, options) ||
-			render_page(request, context, options));
+			render_page(request, context, options, headers));
 
 		if (response) {
 			// inject ETags for 200 responses

packages/kit/src/renderer/page.js

@@ -1,10 +1,19 @@
 import devalue from 'devalue';
 import fetch, { Response } from 'node-fetch';
 import { writable } from 'svelte/store';
+import * as cookie from 'cookie';
 import { parse, resolve, URLSearchParams } from 'url';
 import { render } from './index';
 
-async function get_response({ request, options, $session, route, status = 200, error }) {
+async function get_response({
+	request,
+	options,
+	response_headers,
+	$session,
+	route,
+	status = 200,
+	error
+}) {
 	const host = options.host || request.headers[options.host_header];
 
 	const dependencies = {};
@@ -64,11 +73,41 @@ async function get_response({ request, options, $session, route, status = 200, e
 			}
 
 			if (!response) {
+				const headers = opts.headers ? { ...opts.headers } : {};
+
+				if (opts.credentials !== 'omit') {
+					const cookies = Object.assign(
+						{},
+						cookie.parse(request.headers.cookie || ''),
+						cookie.parse(headers.cookie || '')
+					);
+
+					// In some cases, a cookie might be set in `src/setup.js`, in which
+					// case we need to honour it if a credentialled fetch is made immediately
+					const set_cookie = response_headers['set-cookie'];
+					if (set_cookie) {
+						set_cookie.split(', ').forEach((s) => {
+							const m = /([^=]+)=([^;]+)/.exec(s);
+							if (m) cookies[m[1]] = m[2];
+						});
+					}
+
+					const str = Object.keys(cookies)
+						.map((key) => `${key}=${cookies[key]}`)
+						.join('; ');
+
+					headers.cookie = str;
+
+					if (!headers.authorization && request.headers.authorization) {
+						headers.authorization = request.headers.authorization;
+					}
+				}
+
 				const rendered = await render(
 					{
 						host: request.host,
 						method: opts.method || 'GET',
-						headers: opts.headers || {}, // TODO inject credentials...
+						headers,
 						path: resolved,
 						body: opts.body,
 						query: new URLSearchParams(parsed.query || '')
@@ -262,7 +301,7 @@ async function get_response({ request, options, $session, route, status = 200, e
 	};
 }
 
-export default async function render_page(request, context, options) {
+export default async function render_page(request, context, options, response_headers) {
 	const route = options.manifest.pages.find((route) => route.pattern.test(request.path));
 
 	const $session = await (options.setup.getSession && options.setup.getSession(context));
@@ -277,6 +316,7 @@ export default async function render_page(request, context, options) {
 		return await get_response({
 			request,
 			options,
+			response_headers,
 			$session,
 			route,
 			status: 200,
@@ -291,6 +331,7 @@ export default async function render_page(request, context, options) {
 			return await get_response({
 				request,
 				options,
+				response_headers,
 				$session,
 				route,
 				status,

packages/kit/src/renderer/utils.js

@@ -0,0 +1,7 @@
+export function normalize_headers(headers) {
+	const normalized = {};
+	for (const key in headers) {
+		normalized[key.toLowerCase()] = headers[key];
+	}
+	return normalized;
+}