fix(jwt): sort chunk cookies by key num index

Open stephenway opened this issue 3 years ago • 1 comments

☕️ Reasoning

What changes are being made? What feature/bug is being fixed here?

I'm adding in a sort function on cookie chunks in the JWT SessionStore value to ensure that when these chunks are received in the wrong order from the browser, they are joined in the correct order and do not cause null sessions or JWE decryption errors in production.

🧢 Checklist

  • [ ] Documentation
  • [x] Tests
  • [x] Ready to be merged

🎫 Affected issues

  • No issue on this repo was found

📌 Resources

stephenway avatar Sep 21 '22 19:09 stephenway

Let's open an issue with a reproduction. We can re-open the PR if the issue is verified. :pray:

balazsorban44 avatar Sep 25 '22 10:09 balazsorban44

> Let's open an issue with a reproduction. We can re-open the PR if the issue is verified. :pray:

I can look into creating a reproduction for you but I'm not sure next-auth controls the order of cookies coming in from the browser cookie header. We were seeing intermittent behavior on session calls which caused next-auth to unset the chunk cookies in return. The best way for us to repro was to reorder the cookies header in a curl copied from a session request in the browser.

I was thinking that my unit test would suffice showing the issue because it fails on your current branch without my code change.

Appreciate the attention and help. Thanks!

stephenway avatar Sep 25 '22 23:09 stephenway
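
An added example, not part of the thread or of next-auth's code, of the failure discussed above: joining chunk cookies in the order the Cookie header lists them versus sorting them by numeric index first. The cookie name `session-token`, the `<name>.<index>` chunk naming, the sample values and the gap check in `joinSorted` are assumptions of this example.

```javascript
// Added example, not next-auth's implementation. Assumes chunk cookies are
// named "<base>.<index>"; all names and values below are constructed.

// Parse a Cookie request header into [name, value] pairs, in header order.
function parseCookieHeader(header) {
  return header.split(";").map((p) => p.trim()).filter(Boolean).map((p) => {
    const eq = p.indexOf("=");
    return eq === -1 ? [p, ""] : [p.slice(0, eq), p.slice(eq + 1)];
  });
}

// Collect the chunks of `base` as { index, value }, still in header order.
function collectChunks(header, base) {
  const prefix = base + ".";
  const chunks = [];
  for (const [name, value] of parseCookieHeader(header)) {
    const suffix = name.startsWith(prefix) ? name.slice(prefix.length) : "";
    if (/^\d+$/.test(suffix)) chunks.push({ index: Number(suffix), value });
  }
  return chunks;
}

// Fragile: trusts whatever order the client sent the cookies in.
function joinInHeaderOrder(header, base) {
  return collectChunks(header, base).map((c) => c.value).join("");
}

// Robust: sort by numeric index (a string sort would put ".10" before ".2"),
// and return null on a missing or duplicate chunk instead of a corrupt token.
function joinSorted(header, base) {
  const chunks = collectChunks(header, base).sort((a, b) => a.index - b.index);
  if (chunks.length === 0) return null;
  for (let i = 0; i < chunks.length; i++) {
    if (chunks[i].index !== i) return null;
  }
  return chunks.map((c) => c.value).join("");
}

// Constructed header with the chunks out of order, as in the curl repro.
const shuffled =
  "other=1; session-token.2=ccc; session-token.0=aaa; session-token.1=bbb";
console.log(joinInHeaderOrder(shuffled, "session-token")); // "cccaaabbb"
console.log(joinSorted(shuffled, "session-token")); // "aaabbbccc"
```
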

^ @balazsorban44

stephenway avatar Sep 26 '22 15:09 stephenway

> Let's open an issue with a reproduction. We can re-open the PR if the issue is verified. 🙏

@balazsorban44

I've been using @sidebase/nuxt-auth for a project which uses next-auth under the hood, and yes, I can reproduce this for you.

There's an issue which describes the behaviour in more detail: https://github.com/sidebase/nuxt-auth/issues/293

janhoogeveen avatar Apr 06 '23 14:04 janhoogeveen

I've also had this issue using @sidebase/nuxt-auth and have traced the root cause to this module.

codetheorist avatar Jul 19 '23 20:07 codetheorist

> Let's open an issue with a reproduction. We can re-open the PR if the issue is verified. 🙏

Could we re-open this now the issue is verified?

codetheorist avatar Jul 19 '23 20:07 codetheorist

I see this has been fixed in another PR and merged in the latest versions. Tested this in the @sidebase/nuxt-auth package and everything works as expected with regards to the chunked JWT session cookie.

codetheorist avatar Jul 20 '23 09:07 codetheorist

@codetheorist In which version of @sidebase/nuxt-auth is this working correctly?

christine927t avatar Jan 05 '24 21:01 christine927t