fix[auth]: #2181 Sanitize URL in cookie key to make it RFC 6265 sec 4.1.1 compliant (#2183)

ahuseyn · web-flow · commit b5c208f7eb4e · 2025-09-25T15:09:16.000+02:00
diff --git a/.changeset/huge-walls-raise.md b/.changeset/huge-walls-raise.md
@@ -0,0 +1,5 @@
+---
+'@faustwp/core': patch
+---
+
+#2181 - Sanitize URL in cookie key to make it RFC 6265 sec 4.1.1 compliant.
diff --git a/packages/faustwp-core/src/server/auth/token.ts b/packages/faustwp-core/src/server/auth/token.ts
@@ -25,7 +25,10 @@ export class OAuth {
 
 	constructor(cookies: Cookies) {
 		this.cookies = cookies;
-		this.tokenKey = `${getWpUrl()}-rt`;
+		this.tokenKey = `${getWpUrl().replace(
+			/[^!#$%&'*+\-.^_`|~0-9A-Za-z]/g,
+			'',
+		)}-rt`; // Sanitize URL to make cookie key RFC 6265 sec 4.1.1 compliant.
 	}
 
 	public getRefreshToken(): string | undefined {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@faustwp/core': patch
 +---
++
 +#2181 - Sanitize URL in cookie key to make it RFC 6265 sec 4.1.1 compliant.