From 620f56058de0993e776c146db4c19fca97b9cb39 Mon Sep 17 00:00:00 2001 From: Rich Harris Date: Mon, 6 Mar 2023 10:47:14 -0500 Subject: [PATCH] fix: remove buggy cookie path detection (#9298) closes #9130 --------- Co-authored-by: Simon H <5968653+dummdidumm@users.noreply.github.com> --- .changeset/eighty-dots-watch.md | 5 ++ packages/kit/src/runtime/server/cookie.js | 67 +++++++++-------------- 2 files changed, 31 insertions(+), 41 deletions(-) create mode 100644 .changeset/eighty-dots-watch.md diff --git a/.changeset/eighty-dots-watch.md b/.changeset/eighty-dots-watch.md new file mode 100644 index 000000000000..7e4a417c8228 --- /dev/null +++ b/.changeset/eighty-dots-watch.md @@ -0,0 +1,5 @@ +--- +'@sveltejs/kit': patch +--- + +fix: remove buggy cookie path detection diff --git a/packages/kit/src/runtime/server/cookie.js b/packages/kit/src/runtime/server/cookie.js index c1bb5adec5cc..f8d872207005 100644 --- a/packages/kit/src/runtime/server/cookie.js +++ b/packages/kit/src/runtime/server/cookie.js @@ -27,26 +27,6 @@ export function get_cookies(request, url, trailing_slash) { // Emulate browser-behavior: if the cookie is set at '/foo/bar', its path is '/foo' const default_path = normalized_url.split('/').slice(0, -1).join('/') || '/'; - if (__SVELTEKIT_DEV__) { - // TODO this could theoretically be wrong if the cookie was set unencoded? - const initial_decoded_cookies = parse(header, { decode: decodeURIComponent }); - // Remove all cookies that no longer exist according to the request - for (const name of Object.keys(cookie_paths)) { - cookie_paths[name] = new Set( - [...cookie_paths[name]].filter( - (path) => !path_matches(normalized_url, path) || name in initial_decoded_cookies - ) - ); - } - // Add all new cookies we might not have seen before - for (const name in initial_decoded_cookies) { - cookie_paths[name] = cookie_paths[name] ?? new Set(); - if (![...cookie_paths[name]].some((path) => path_matches(normalized_url, path))) { - cookie_paths[name].add(default_path); - } - } - } - /** @type {Record} */ const new_cookies = {}; @@ -82,20 +62,24 @@ export function get_cookies(request, url, trailing_slash) { const req_cookies = parse(header, { decode: decoder }); const cookie = req_cookies[name]; // the decoded string or undefined - if (!__SVELTEKIT_DEV__ || cookie) { - return cookie; + // in development, if the cookie was set during this session with `cookies.set`, + // but at a different path, warn the user. (ignore cookies from request headers, + // since we don't know which path they were set at) + if (__SVELTEKIT_DEV__ && !cookie) { + const paths = Array.from(cookie_paths[name] ?? []).filter((path) => { + // we only care about paths that are _more_ specific than the current path + return path_matches(path, url.pathname) && path !== url.pathname; + }); + + if (paths.length > 0) { + console.warn( + // prettier-ignore + `'${name}' cookie does not exist for ${url.pathname}, but was previously set at ${conjoin([...paths])}. Did you mean to set its 'path' to '/' instead?` + ); + } } - const paths = new Set([...(cookie_paths[name] ?? [])]); - if (c) { - paths.add(c.options.path ?? default_path); - } - if (paths.size > 0) { - console.warn( - // prettier-ignore - `Cookie with name '${name}' was not found at path '${url.pathname}', but a cookie with that name exists at these paths: '${[...paths].join("', '")}'. Did you mean to set its 'path' to '/' instead?` - ); - } + return cookie; }, /** @@ -141,18 +125,11 @@ export function get_cookies(request, url, trailing_slash) { throw new Error(`Cookie "${name}" is too large, and will be discarded by the browser`); } - cookie_paths[name] = cookie_paths[name] ?? new Set(); + cookie_paths[name] ??= new Set(); + if (!value) { - if (!cookie_paths[name].has(path) && cookie_paths[name].size > 0) { - const paths = `'${Array.from(cookie_paths[name]).join("', '")}'`; - console.warn( - `Trying to delete cookie '${name}' at path '${path}', but a cookie with that name only exists at these paths: ${paths}.` - ); - } cookie_paths[name].delete(path); } else { - // We could also emit a warning here if the cookie already exists at a different path, - // but that's more likely a false positive because it's valid to set the same name at different paths cookie_paths[name].add(path); } } @@ -255,3 +232,11 @@ export function add_cookies_to_headers(headers, cookies) { headers.append('set-cookie', serialize(name, value, options)); } } + +/** + * @param {string[]} array + */ +function conjoin(array) { + if (array.length <= 2) return array.join(' and '); + return `${array.slice(0, -1).join(', ')} and ${array.at(-1)}`; +}