solid-start icon indicating copy to clipboard operation
solid-start copied to clipboard

Published 20 hours ago verified publisher icon solidjs

Setting multiple Set-Cookie headers is not handled properly

Open ghalle opened this issue 2 years ago • 2 comments

This issue originates from the Fetch API standard as explained here: https://stackoverflow.com/a/63254504

Other frameworks have dealt with the same issue in the past: https://github.com/sveltejs/kit/issues/3460

ghalle avatar Sep 30 '22 17:09 ghalle

I may be running into this too? I was trying to integrate the Shopify Oauth API which wants to set two cookies, shopify_app_state and shopify_app_state.sig when starting the Oauth flow. They seem to be getting merged together, at least in development mode. Not sure if the bug is in Shopify or in some Response polyfiill, etc.

HEADERS HeadersList {
  [Symbol(headers map)]: Map(2) {
    'set-cookie' => 'shopify_app_state=1234567890;sameSite=lax; secure=true;expires=Fri, 14 Oct 2022 09:25:52 GMT, shopify_app_state.sig=abcd1234defg5678=;sameSite=lax; secure=true;expires=Fri, 14 Oct 2022 09:25:52 GMT',
    'location' => 'https://my-store.myshopify.com/admin/oauth/authorize...'
  },
  [Symbol(headers map sorted)]: null
}

Versions:

patdx avatar Oct 14 '22 09:10 patdx

I casually tested a few more cases with the latest versions:

  1. deploy to cloudflare workers: works
  2. dev mode, Node v16, solid-start-node: does not work
  3. dev mode, Node v18, solid-start-node: does not work
  4. dev mode, Node v16, solid-start-cloudflare-workers: works
  5. dev mode, Node v18, solid-start-cloudflare-workers: works

I tried to inspect the headers object in the Node debugger and it did not really look special, so I think the magic that makes dev mode work with solid-start-cloudflare-workers is in miniflare. As far as I understand, native Node 18, solid-start and miniflare all use undici as a base. So the magic is not in the Headers object exactly. In the case of miniflare, it looks like they have added a trick, using require('set-cookie-parser').splitCookiesString(), to reparse the comma-separated set-cookie header into multiple headers at the final step when converting it to an actual HTTP response:

  • https://github.com/cloudflare/miniflare/blob/31792ba7d98f0aba839d28e13228671c46535b97/packages/core/src/standards/http.ts#L112
  • https://github.com/cloudflare/miniflare/blob/9265fa4d53262ce66278b91f2001b090e10696e8/packages/http-server/src/index.ts#L164

Looks like SvelteKit does the same thing in their Node runtime:

  • https://github.com/sveltejs/kit/blob/e934bc82af6fb2c761af05dbf9ea963e1f1676f3/packages/kit/src/exports/node/index.js#L110

patdx avatar Oct 19 '22 04:10 patdx

Ok this is released in 0.2.14. While I didn't test every adapter I can see that it works in Node. It follows it would be similar in non-edge Vercel and Netlify as well as AWS Lambda.

ryansolid avatar Jan 18 '23 01:01 ryansolid