Fix for setting custom cookies in withMiddlewareAuthRequired (#1263)

auth0 · Jun 26, 2023 · a2d6454 · a2d6454
2 parents 309581c + 5c7d8cf
commit a2d6454
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 6 deletions.
diff --git a/src/helpers/with-middleware-auth-required.ts b/src/helpers/with-middleware-auth-required.ts
@@ -1,5 +1,6 @@
 import { NextMiddleware, NextRequest, NextResponse } from 'next/server';
 import { SessionCache } from '../session';
+import { splitCookiesString } from '../utils/middleware-cookies';
 
 /**
  * Protect your pages with Next.js Middleware. For example:
@@ -77,10 +78,11 @@ export default function withMiddlewareAuthRequiredFactory(
 
       if (res) {
         const headers = new Headers(res.headers);
-        const cookies = headers.get('set-cookie')?.split(', ') || [];
-        const authCookies = authRes.headers.get('set-cookie')?.split(', ') || [];
-        if (cookies.length || authCookies.length) {
-          headers.set('set-cookie', [...authCookies, ...cookies].join(', '));
+        const authCookies = splitCookiesString(authRes.headers.get('set-cookie')!);
+        if (authCookies.length) {
+          for (const cookie of authCookies) {
+            headers.append('set-cookie', cookie);
+          }
         }
         return NextResponse.next({ ...res, status: res.status, headers });
       } else {

diff --git a/src/utils/middleware-cookies.ts b/src/utils/middleware-cookies.ts
@@ -33,7 +33,7 @@ export default class MiddlewareCookies extends Cookies {
  * Handle cookies with commas, eg `foo=; Expires=Thu, 01 Jan 1970 00:00:00 GMT`
  * @source https://github.com/vercel/edge-runtime/blob/90160abc42e6139c41494c5d2e98f09e9a5fa514/packages/cookies/src/response-cookies.ts#L128
  */
-function splitCookiesString(cookiesString: string) {
+export function splitCookiesString(cookiesString: string) {
   if (!cookiesString) return [];
   const cookiesStrings = [];
   let pos = 0;

diff --git a/tests/helpers/with-middleware-auth-required.test.ts b/tests/helpers/with-middleware-auth-required.test.ts
@@ -183,7 +183,16 @@ describe('with-middleware-auth-required', () => {
     };
     const res = await setup({ user: { name: 'dave' }, middleware });
     expect(res.status).toEqual(200);
-    expect(res.headers.get('set-cookie')).toMatch(/^appSession=.+, foo=bar;/);
+    expect(res.headers.get('set-cookie')).toMatch(/appSession=/);
+    expect(res.headers.get('set-cookie')).toMatch(/foo=bar;/);
+  });
+
+  test('should set status from custom middleware', async () => {
+    const middleware = () => {
+      return new NextResponse(null, { status: 400 });
+    };
+    const res = await setup({ user: { name: 'dave' }, middleware });
+    expect(res.status).toEqual(400);
   });
 
   test('should set just a custom cookie when session is not rolling', async () => {