fix: use getSetCookie() to preserve multiple Set-Cookie headers in middleware #1191
Open
jdnurmi wants to merge 2 commits into
…ddleware

Headers.forEach folds same-name headers per WHATWG. Both harvest sites accumulate set-cookie through forEach, which yields one pre-joined string on runtimes where folding occurs — breaking any terminal-return response that sets multiple cookies (e.g. chunked auth sessions).

Replace with getSetCookie() at:
- core/routing/middleware.ts (terminal-return and rewrite paths)
- adapters/edge-adapter.ts

Adds regression tests using a simulated folding Headers object, confirmed to fail on unpatched code and pass with the fix.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Author
(updated for style)
Problem

Terminal-return middleware responses with multiple Set-Cookie headers get folded into a single comma-joined value. The browser receives one corrupt cookie; multi-cookie sessions are dropped.

Triggered by any auth library that chunks a large session across multiple cookies (e.g. @auth0/nextjs-auth0 v4 sets appSession.0/1/2 on the /auth/callback redirect). The session never persists; the callback returns a 500 with no app logs.

Root cause

Headers.forEach folds same-name headers per the WHATWG spec. Both harvest sites accumulate set-cookie through forEach:

When folding occurs, value is already "appSession.0=…, appSession.1=…, appSession.2=…" — one string. Result: one corrupt Set-Cookie entry instead of three.

Affected:
- core/routing/middleware.ts (~L127) — terminal-return and rewrite paths
- adapters/edge-adapter.ts (~L48)

getSetCookie() is not called anywhere in the codebase prior to this PR.

Fix

Skip set-cookie in forEach, call getSetCookie() after. getSetCookie() stores cookies discretely and always returns a proper string[].

Tests

New tests use a simulated folding Headers object (forEach yields pre-joined string, getSetCookie returns them split) to be runtime-independent. Confirmed to fail on unpatched code:

Related
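
The folding behaviour and the fix described in this PR, as an added example that is not the PR's own code or tests: FoldingHeaders, the two harvest functions, naiveSplit and the cookie values are constructed for illustration. It goes slightly beyond the PR text by also showing why re-splitting the folded string on commas cannot recover the original cookies.

```javascript
// Added example, not the PR's code. FoldingHeaders is a constructed stand-in
// for a runtime whose Headers.forEach yields same-name headers pre-joined.
class FoldingHeaders {
  constructor(pairs) {
    this.pairs = pairs.map(([k, v]) => [k.toLowerCase(), v]);
  }
  forEach(cb) {
    const folded = new Map();
    for (const [k, v] of this.pairs) {
      folded.set(k, folded.has(k) ? `${folded.get(k)}, ${v}` : v);
    }
    for (const [k, v] of folded) cb(v, k, this);
  }
  getSetCookie() {
    return this.pairs.filter(([k]) => k === "set-cookie").map(([, v]) => v);
  }
}

// Pre-fix shape: set-cookie is accumulated inside forEach.
function harvestWithForEach(headers) {
  const cookies = [];
  headers.forEach((value, key) => {
    if (key === "set-cookie") cookies.push(value);
  });
  return cookies;
}

// Fixed shape: skip set-cookie in forEach, call getSetCookie() after.
function harvestWithGetSetCookie(headers) {
  const other = {};
  headers.forEach((value, key) => {
    if (key !== "set-cookie") other[key] = value;
  });
  return { other, cookies: headers.getSetCookie() };
}

// Re-splitting the folded string on ", " is no repair: Expires dates contain a comma.
const naiveSplit = (folded) => folded.split(", ");

// Constructed sample: a redirect chunking a session across three cookies.
const sample = new FoldingHeaders([
  ["Location", "/"],
  ["Set-Cookie", "appSession.0=aaa; Path=/; HttpOnly"],
  ["Set-Cookie", "appSession.1=bbb; Expires=Wed, 21 Oct 2026 07:28:00 GMT"],
  ["Set-Cookie", "appSession.2=ccc; Path=/; HttpOnly"],
]);
console.log(harvestWithForEach(sample));
console.log(naiveSplit(harvestWithForEach(sample)[0]).length);
console.log(harvestWithGetSetCookie(sample).cookies);
```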