Emulated Hosting redirects to Cloud Functions erroneously combines Set-Cookie headers #2931
Comments
|
This issue does not have all the information required by the template. Looks like you forgot to fill out some sections. Please update the issue with more information. |
|
Apologies to the electronic overlord. :) I think it's fixed now. |
adam-remotesocial
added a commit
to adam-remotesocial/firebase-tools
that referenced
this issue
Dec 14, 2020
apiv2.js uses node-fetch under the hood, which will concatenate duplicate headers with ', '. This is invalid for Set-Cookie headers. The solution is to grab the raw headers (which will be an array) and call `res.setHeader()` with that value.
bkendall
added a commit
that referenced
this issue
Dec 15, 2020
* Fix #2880 - generating email link from Admin SDK fails with Auth Emulator (#2933) * Fix #2880. * Add changelog entry. * fixes set-cookie issue (updated #2932) (#2939) * Fixes #2931 - Support multiple Set-Cookie headers apiv2.js uses node-fetch under the hood, which will concatenate duplicate headers with ', '. This is invalid for Set-Cookie headers. The solution is to grab the raw headers (which will be an array) and call `res.setHeader()` with that value. * add test * changelog Co-authored-by: Adam Ahmed <[email protected]> * 8.20.0 * [firebase-release] Removed change log and reset repo after 8.20.0 release * auto fix audit issues * force audit update major versions * remove google-gax Co-authored-by: Yuchen Shi <[email protected]> Co-authored-by: Adam Ahmed <[email protected]> Co-authored-by: Google Open Source Bot <[email protected]>
bkendall
added a commit
that referenced
this issue
Dec 15, 2020
* Removing code to handle legacy functions (#2935) * Disable Node.js 8 deploys for Cloud Functions. (#2934) * drop testing and support for node 8 (#2620) * remove/bump node 8s to node 10s * update some dev dependencies * update build target to es2017 * formatting * upgrade mocha * remove async types * update check in binary to node 8 * Update package.json * npm audit: breaking edition (#2941) * Fix #2880 - generating email link from Admin SDK fails with Auth Emulator (#2933) * Fix #2880. * Add changelog entry. * fixes set-cookie issue (updated #2932) (#2939) * Fixes #2931 - Support multiple Set-Cookie headers apiv2.js uses node-fetch under the hood, which will concatenate duplicate headers with ', '. This is invalid for Set-Cookie headers. The solution is to grab the raw headers (which will be an array) and call `res.setHeader()` with that value. * add test * changelog Co-authored-by: Adam Ahmed <[email protected]> * 8.20.0 * [firebase-release] Removed change log and reset repo after 8.20.0 release * auto fix audit issues * force audit update major versions * remove google-gax Co-authored-by: Yuchen Shi <[email protected]> Co-authored-by: Adam Ahmed <[email protected]> Co-authored-by: Google Open Source Bot <[email protected]> Co-authored-by: joehan <[email protected]> Co-authored-by: Michael Bleigh <[email protected]> Co-authored-by: Yuchen Shi <[email protected]> Co-authored-by: Adam Ahmed <[email protected]> Co-authored-by: Google Open Source Bot <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
[REQUIRED] Environment info
firebase-tools: 8.18.1
Platform: OSX
[REQUIRED] Test case
Write a function that sets multiple cookies:
Use Hosting as a proxy to the function.
firebase.json:{ "hosting": { "rewrites": [ { "source": "/wherever", "function": "myFunc" } ] } }[REQUIRED] Steps to reproduce
Hit the proxied function URL:
http://myhostingsubdomain.blah.com/wherever. Check the response headers in Chrome DevTools and check the Application Cookies - only the first will be registered.[REQUIRED] Expected behavior
The response should include multiple Set-Cookie headers - one for each cookie. Browsers (including Chrome) don't handle a single Set-Cookie header with multiple cookies in it and will ignore all but the first cookie (especially with cookie fields like Expires which can include commas in them). This prevents usage like https://dev.to/johncarroll/how-to-share-firebase-authentication-across-subdomains-1ka8 where your function has to be hosted at the same origin as your Hosting sites (so cloudfunctions.net/blah is no good).
I expect to see response headers like:
[REQUIRED] Actual behavior
The response has a single header like:
set-cookie: some=cookie, other=oneCause
node-fetchis being used incorrectly, indirectly fromlib/hosting/proxy.jsvialib/apiv2.js'sClient::request. See node-fetch/node-fetch#582 for a similar case. The headers are being extracted fromproxyRes.response.headersinlib/hosting/proxy.js:But because
node-fetchstringifies the incoming response headers (which for an Array, effectively concatenates them with commas), we lose our array of headers in the proxied response. The recommended approach is to useresponse.headers.raw()to grab those raw Arrayvalues. When I make that change inlib/hosting/proxy.js, it works:I have no yet validated whether the same problem happens in production or not. Really hoping it doesn't 🤞
UPDATE: Production is fine! This is an emulator-only problem.
The text was updated successfully, but these errors were encountered: