Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Splitting of Concatenated Set-Cookie Headers in edge-runtime Package #892

Open
jcbsfilho opened this issue May 15, 2024 · 0 comments
Open

Fix Splitting of Concatenated Set-Cookie Headers in edge-runtime Package #892

jcbsfilho opened this issue May 15, 2024 · 0 comments

Comments

@jcbsfilho
Copy link

Bug Report

Current behavior

When using the edge-runtime package with the code below, the second cookie auth_2=456 is ignored due to the set-cookie being concatenated.

❗️ Set-Cookie header field-values are sometimes comma joined in one string. This is uncommon, but explicitly allowed - see https://tools.ietf.org/html/rfc2616#section-4.2

import { runServer, EdgeRuntime } from 'edge-runtime'
const runtime = new EdgeRuntime({
  initialCode: `
        async function handleRequest(request) {
            const headers = new Headers([['Set-Cookie', 'auth_1=123; SameSite=Lax; HttpOnly, auth_2=456; SameSite=Lax; HttpOnly']]);
            return new Response('Hello world, string cookie!!!', {
              headers,
              status: 200,
            });
        }
        addEventListener('fetch', (event) => {
            event.respondWith(handleRequest(event.request));
        });
    `,
})
const server = await runServer({ runtime, port: 3333, host: '0.0.0.0' })

console.log(`Listening at ${server.url}`)

Expected behavior/code

Let the concatenated cookies be split like this with the splitCookiesString.

Possible solution

The possible solution is that you can use the splitCookiesString (needs to be exported for use) found in the @edge-runtime/cookies package and inserted into the toNodeHeaders of the edge-runtime package like below:

Original Code: https://github.com/vercel/edge-runtime/blob/main/packages/runtime/src/server/create-handler.ts#L117

Suggestion:

// The `toNodeHeaders` function converts headers from the browser format to the Node.js format. 
// Here, we modify it to split concatenated Set-Cookie values using `splitCookiesString` from the `@edge-runtime/cookies` package.

function toNodeHeaders(headers?: Headers): NodeHeaders {
  const result: NodeHeaders = {}
  if (headers) {
    for (const [key, value] of headers.entries()) {
      result[key] =
        key?.toLowerCase() === 'set-cookie' ? splitCookiesString(value) : value
    }
  }
  return result
}

Additional context/screenshots

I can work on that if it makes sense for the package. 😉
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jcbsfilho