fix: normalize single string set-cookie headers

panva · Nov 5, 2024 · 6effeed · 6effeed
1 parent 478f9b5
commit 6effeed
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 2 deletions.
diff --git a/lib/shared/session.js b/lib/shared/session.js
@@ -48,8 +48,13 @@ export default async function sessionHandler(ctx, next) {
       await ctx.oidc.session.save(ttl);
     }
 
-    if (ctx.response.get('set-cookie')) {
-      ctx.response.get('set-cookie').forEach((cookie, index, ary) => {
+    let setCookie;
+    // eslint-disable-next-line no-cond-assign
+    if ((setCookie = ctx.response.get('set-cookie'))) {
+      if (typeof setCookie === 'string') {
+        setCookie = [setCookie];
+      }
+      setCookie.forEach((cookie, index, ary) => {
         /* eslint-disable no-param-reassign */
         if (
           !cookie.includes('expires=Thu, 01 Jan 1970')

diff --git a/test/core/basic/isscookie.test.js b/test/core/basic/isscookie.test.js
@@ -0,0 +1,23 @@
+import bootstrap from '../../test_helper.js';
+
+describe('pre-middleware setting "set-cookie" header', () => {
+  before(bootstrap(import.meta.url));
+
+  before(function () {
+    this.provider.use((ctx, next) => {
+      ctx.response.set('set-cookie', 'foo=bar;');
+      return next();
+    });
+  });
+
+  it('does not disturb the session middleware', function () {
+    const auth = new this.AuthorizationRequest({
+      response_type: 'invalid',
+      state: null,
+    });
+
+    return this.wrap({ route: '/auth', verb: 'get', auth })
+      .expect(303)
+      .expect(auth.validatePresence(['error', 'error_description']));
+  });
+});