From 1b7e645c3d26a6dd61876e966485c0aefdad3f6d Mon Sep 17 00:00:00 2001 From: Andrew Bobkov Date: Fri, 25 Apr 2025 17:17:39 +0000 Subject: [PATCH 1/3] fix(arktype-validator): add failing test for cookie header --- packages/arktype-validator/src/index.test.ts | 28 ++++++++++++++++++++ packages/arktype-validator/src/index.ts | 2 +- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/packages/arktype-validator/src/index.test.ts b/packages/arktype-validator/src/index.test.ts index 11dfa12b..acf5312b 100644 --- a/packages/arktype-validator/src/index.test.ts +++ b/packages/arktype-validator/src/index.test.ts @@ -35,6 +35,17 @@ describe('Basic', () => { } ) + app.get( + '/headers', + arktypeValidator( + 'header', + type({ + 'User-Agent': 'string', + }) + ), + (c) => c.json({ success: true, userAgent: c.header('User-Agent') }) + ) + type Actual = ExtractSchema type Expected = { '/author': { @@ -98,6 +109,23 @@ describe('Basic', () => { const data = (await res.json()) as { success: boolean } expect(data['success']).toBe(false) }) + + it("doesn't return cookies after headers validation", async () => { + const req = new Request('http://localhost/headers', { + headers: { + 'User-Agent': 'invalid', + Cookie: 'SECRET=123', + }, + }) + + const res = await app.request(req) + expect(res).not.toBeNull() + expect(res.status).toBe(400) + const data = (await res.json()) as { succcess: false; errors: type.errors } + expect(data.errors).toHaveLength(1) + console.log(data.errors) + expect(data.errors[0].data).not.toHaveProperty('cookie') + }) }) describe('With Hook', () => { diff --git a/packages/arktype-validator/src/index.ts b/packages/arktype-validator/src/index.ts index acc26a72..4dbdde8d 100644 --- a/packages/arktype-validator/src/index.ts +++ b/packages/arktype-validator/src/index.ts 
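Review bot: In the new `/headers` route the handler reads the agent with `c.header('User-Agent')`, but in Hono `c.header` sets a response header; the request value comes from `c.req.header('User-Agent')` or `c.req.valid('header')`, so the success branch would return no `userAgent`. The line could read `(c) => c.json({ success: true, userAgent: c.req.header('User-Agent') })`. The schema key is written `'User-Agent'` while the later assertion looks for a lowercased `cookie`, which suggests header names reach the schema lowercased. If so, this route can never validate successfully, and a short comment saying that is intentional would help. The enclosing `describe('Basic')` block starts and ends outside this hunk.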
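Review bot: The new test `doesn't return cookies after headers validation` only asserts that `errors[0].data` has no `cookie` key, so it would still pass if the cookie value were echoed in another serialized field of the error or under a differently named key. Adding `expect(JSON.stringify(data)).not.toContain('SECRET=123')` pins the property the fix is meant to guarantee. The request sends a valid string `User-Agent`, so the 400 presumably comes from a key-case mismatch rather than an invalid value; a comment saying so would stop the test from breaking silently if header matching becomes case-insensitive. The type cast also misspells the key as `succcess`.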
@@ -23,7 +23,7 @@ export const arktypeValidator = < } = { in: HasUndefined extends true ? { [K in Target]?: I } : { [K in Target]: I } out: { [K in Target]: O } - } + }, >( target: Target, schema: T, From 7831f2bf26f5c92ca69d096b6c16fba9c1054764 Mon Sep 17 00:00:00 2001 From: Andrew Bobkov Date: Fri, 25 Apr 2025 17:27:55 +0000 Subject: [PATCH 2/3] fix(arktype-validator): add restricted fields that are not returned in the "data" field of the error --- packages/arktype-validator/src/index.test.ts | 1 - packages/arktype-validator/src/index.ts | 30 +++++++++++++++++++- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/packages/arktype-validator/src/index.test.ts b/packages/arktype-validator/src/index.test.ts index acf5312b..b77d5a35 100644 --- a/packages/arktype-validator/src/index.test.ts +++ b/packages/arktype-validator/src/index.test.ts @@ -123,7 +123,6 @@ describe('Basic', () => { expect(res.status).toBe(400) const data = (await res.json()) as { succcess: false; errors: type.errors } expect(data.errors).toHaveLength(1) - console.log(data.errors) expect(data.errors[0].data).not.toHaveProperty('cookie') }) }) diff --git a/packages/arktype-validator/src/index.ts b/packages/arktype-validator/src/index.ts index 4dbdde8d..d3254902 100644 --- a/packages/arktype-validator/src/index.ts +++ b/packages/arktype-validator/src/index.ts @@ -10,6 +10,10 @@ export type Hook = ( type HasUndefined = undefined extends T ? true : false +const RESTRICTED_DATA_FIELDS = { + header: ['cookie'], +} + export const arktypeValidator = < T extends Type, Target extends keyof ValidationTargets, 
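Review bot: `RESTRICTED_DATA_FIELDS` lists only `cookie` for the `header` target, so other credential-bearing request headers such as `authorization` or `proxy-authorization` would still be copied into the `data` of the 400 body. A denylist has to be kept complete by hand; dropping `data` for the `header` target, or keeping only the keys the schema declares, would fail closed instead. If the list stays, typing it as `Partial<Record<keyof ValidationTargets, readonly string[]>>` removes the need for the `as keyof typeof RESTRICTED_DATA_FIELDS` cast where it is read. A comment should also say that entries appear to need lowercase names to match.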
@@ -54,7 +58,31 @@ export const arktypeValidator = < return c.json( { success: false, - errors: out, + errors: + target in RESTRICTED_DATA_FIELDS + ? out.map((error) => { + const restrictedFields = + RESTRICTED_DATA_FIELDS[target as keyof typeof RESTRICTED_DATA_FIELDS] || [] + + if ( + error && + typeof error === 'object' && + 'data' in error && + typeof error.data === 'object' && + error.data !== null && + !Array.isArray(error.data) + ) { + const dataCopy = { ...(error.data as Record) } + for (const field of restrictedFields) { + delete dataCopy[field] + } + + error.data = dataCopy + } + + return error + }) + : out, }, 400 ) From 13d07079dff627500af872b22102c194d69ad162 Mon Sep 17 00:00:00 2001 From: Andrei Bobkov Date: Fri, 25 Apr 2025 19:35:34 +0200 Subject: [PATCH 3/3] chore: add changeset --- .changeset/silent-worms-mate.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/silent-worms-mate.md diff --git a/.changeset/silent-worms-mate.md b/.changeset/silent-worms-mate.md new file mode 100644 index 00000000..c9aba3c2 --- /dev/null +++ b/.changeset/silent-worms-mate.md @@ -0,0 +1,5 @@ +--- +'@hono/arktype-validator': patch +--- + +Don't return restricted data fields on error responses
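Review bot: Inside the `out.map` callback, `restrictedFields` is looked up again for every error, and its `|| []` fallback cannot be reached because this branch only runs when `target in RESTRICTED_DATA_FIELDS`; hoist the lookup above the `map`. The callback also assigns `error.data = dataCopy` on the objects returned by the schema call, so the validation result is mutated in place rather than only the response; whether anything else reads those objects afterwards is outside this hunk. The `delete` removes only top-level keys with an exact name match, which deserves a comment because it seems to depend on header names being lowercased before they get here. The body of `arktypeValidator` starts and ends outside the hunk.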