From f725443f4c1fa7236aa5e6e9e8c78ecb12563dcd Mon Sep 17 00:00:00 2001
From: Eran Hammer <eran@hammer.io>
Date: Fri, 26 Aug 2016 15:09:24 -0700
Subject: [PATCH] statehood@5.0.0. Closes #3318

---
 API.md              | 12 +++++++-----
 npm-shrinkwrap.json |  2 +-
 package.json        |  2 +-
 test/response.js    |  6 +++---
 test/state.js       | 10 +++++-----
 5 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/API.md b/API.md
index 19f66965f..4cacc6b1d 100755
--- a/API.md
+++ b/API.md
@@ -1380,6 +1380,8 @@ for performing injections, with some additional options and response properties:
         - `close` - if `true`, emits a `'close'` event after payload transmission (if any).
           Defaults to `false`.
         - `end` - if `false`, does not end the stream. Defaults to `true`.
+    - `validate` - if `false`, the `options` inputs are not validated. This is recommended for run-time
+      usage of `inject()` to make it perform faster where input validation can be tested separately.
 - `callback` - the callback function with signature `function(res)` where:
     - `res` - the response object where:
         - `statusCode` - the HTTP status code.
@@ -1859,12 +1861,12 @@ across multiple requests. Registers a cookie definitions where:
 - `options` - are the optional cookie settings:
     - `ttl` - time-to-live in milliseconds. Defaults to `null` (session time-life - cookies are
       deleted when the browser is closed).
-    - `isSecure` - sets the 'Secure' flag. Defaults to `false`.
-    - `isHttpOnly` - sets the 'HttpOnly' flag. Defaults to `false`.
+    - `isSecure` - sets the 'Secure' flag. Defaults to `true`.
+    - `isHttpOnly` - sets the 'HttpOnly' flag. Defaults to `true`.
     - `isSameSite` - sets the 'SameSite' flag where the value must be one of:
-        - `false` - no flag (this is the default value).
-        - `'Strict'` - sets the value to `'Strict'`,
-        - `'Lax'` - sets the value to `'Lax'`,
+        - `false` - no flag.
+        - `'Strict'` - sets the value to `'Strict'` (this is the default value).
+        - `'Lax'` - sets the value to `'Lax'`.
     - `path` - the path scope. Defaults to `null` (no path).
     - `domain` - the domain scope. Defaults to `null` (no domain).
     - `autoValue` - if present and the cookie was not received from the client or explicitly set by
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
index 833e9dbc6..8dc7888fc 100755
--- a/npm-shrinkwrap.json
+++ b/npm-shrinkwrap.json
@@ -61,7 +61,7 @@
             "version": "3.3.1"
         },
         "statehood": {
-            "version": "4.1.0"
+            "version": "5.0.0"
         },
         "subtext": {
             "version": "4.2.1",
diff --git a/package.json b/package.json
index 0b5fd299c..a3f6e53e3 100755
--- a/package.json
+++ b/package.json
@@ -33,7 +33,7 @@
     "mimos": "3.x.x",
     "podium": "^1.2.x",
     "shot": "3.x.x",
-    "statehood": "4.x.x",
+    "statehood": "5.x.x",
     "subtext": "^4.2.x",
     "topo": "2.x.x"
   },
diff --git a/test/response.js b/test/response.js
index 5445b3a69..94953b3d6 100755
--- a/test/response.js
+++ b/test/response.js
@@ -75,7 +75,7 @@ describe('Response', () => {
             expect(res.statusMessage).to.equal('Super');
             expect(res.headers['cache-control']).to.equal('max-age=1, must-revalidate, private');
             expect(res.headers['content-type']).to.equal('text/plain; something=something; charset=ISO-8859-1');
-            expect(res.headers['set-cookie']).to.equal(['abc=123', 'sid=YWJjZGVmZzEyMzQ1Ng==', 'other=something; Secure', 'x=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT', 'test=123', 'empty=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/path', 'always=present']);
+            expect(res.headers['set-cookie']).to.equal(['abc=123', 'sid=YWJjZGVmZzEyMzQ1Ng==; Secure; HttpOnly; SameSite=Strict', 'other=something; Secure; HttpOnly; SameSite=Strict', 'x=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict', 'test=123; Secure; HttpOnly; SameSite=Strict', 'empty=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Path=/path', 'always=present; Secure; HttpOnly; SameSite=Strict']);
             expect(res.headers.vary).to.equal('x-control,accept-encoding');
             expect(res.headers.combo).to.equal('o-k');
             done();
@@ -347,7 +347,7 @@ describe('Response', () => {
             server.inject('/', (res) => {
 
                 expect(res.statusCode).to.equal(200);
-                expect(res.headers['set-cookie']).to.equal(['session=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; Path=/unset']);
+                expect(res.headers['set-cookie']).to.equal(['session=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Path=/unset']);
                 done();
             });
         });
@@ -734,7 +734,7 @@ describe('Response', () => {
 
                 expect(res.result).to.equal('x');
                 expect(res.headers.xcustom).to.equal('other value');
-                expect(res.headers['set-cookie']).to.equal(['a=1', 'b=2']);
+                expect(res.headers['set-cookie']).to.equal(['a=1', 'b=2; Secure; HttpOnly; SameSite=Strict']);
                 done();
             });
         });
diff --git a/test/state.js b/test/state.js
index 4e9ff3cc4..57ed5d083 100755
--- a/test/state.js
+++ b/test/state.js
@@ -170,7 +170,7 @@ describe('state', () => {
         server.inject({ method: 'GET', url: '/', headers: { cookie: 'a=x' } }, (res) => {
 
             expect(res.statusCode).to.equal(200);
-            expect(res.headers['set-cookie'][0]).to.equal('a=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT');
+            expect(res.headers['set-cookie'][0]).to.equal('a=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict');
             done();
         });
     });
@@ -190,7 +190,7 @@ describe('state', () => {
         server.inject('/', (res) => {
 
             expect(res.statusCode).to.equal(200);
-            expect(res.headers['set-cookie']).to.equal(['always=present']);
+            expect(res.headers['set-cookie']).to.equal(['always=present; Secure; HttpOnly; SameSite=Strict']);
             done();
         });
     });
@@ -210,7 +210,7 @@ describe('state', () => {
         server.inject('/', (res) => {
 
             expect(res.statusCode).to.equal(200);
-            expect(res.headers['set-cookie']).to.equal(['onecookie=yes', 'twocookie=no', 'always=present']);
+            expect(res.headers['set-cookie']).to.equal(['onecookie=yes', 'twocookie=no', 'always=present; Secure; HttpOnly; SameSite=Strict']);
             done();
         });
     });
@@ -235,7 +235,7 @@ describe('state', () => {
         server.inject('/sweet', (res) => {
 
             expect(res.statusCode).to.equal(200);
-            expect(res.headers['set-cookie']).to.equal(['always=sweet']);
+            expect(res.headers['set-cookie']).to.equal(['always=sweet; Secure; HttpOnly; SameSite=Strict']);
             done();
         });
     });
@@ -280,7 +280,7 @@ describe('state', () => {
         server.inject('/', (res) => {
 
             expect(res.statusCode).to.equal(200);
-            expect(res.headers['set-cookie']).to.equal(['a=b']);
+            expect(res.headers['set-cookie']).to.equal(['a=b; Secure; HttpOnly; SameSite=Strict']);
             done();
         });
     });