fix: cookie decoding for Node and Cloudflare

Author: vicb

.changeset/hot-chicken-ring.md

@@ -0,0 +1,5 @@
+---
+"@opennextjs/aws": patch
+---
+
+fix cookie decoding for Node and Cloudflare

packages/open-next/package.json

@@ -48,6 +48,7 @@
     "@tsconfig/node18": "^1.0.1",
     "aws4fetch": "^1.0.18",
     "chalk": "^5.3.0",
+    "cookie": "^1.0.2",
     "esbuild": "catalog:",
     "express": "5.0.1",
     "path-to-regexp": "^6.3.0",

packages/open-next/src/http/openNextResponse.ts

@@ -10,7 +10,7 @@ import { Transform } from "node:stream";
 
 import type { StreamCreator } from "types/open-next";
 import { debug } from "../adapters/logger";
-import { parseCookies, parseHeaders } from "./util";
+import { parseHeaders, parseSetCookieHeader } from "./util";
 
 const SET_COOKIE_HEADER = "set-cookie";
 const CANNOT_BE_USED = "This cannot be used in OpenNext";
@@ -152,7 +152,7 @@ export class OpenNextNodeResponse extends Transform implements ServerResponse {
               ...this.initialHeaders,
               ...this.headers,
             };
-      const initialCookies = parseCookies(
+      const initialCookies = parseSetCookieHeader(
         this.initialHeaders[SET_COOKIE_HEADER]?.toString(),
       );
       this._cookies =

packages/open-next/src/http/util.ts

@@ -28,7 +28,13 @@ export const convertHeader = (header: http.OutgoingHttpHeader) => {
   return String(header);
 };
 
-export function parseCookies(
+/**
+ * Parses a (coma-separated) list of Set-Cookie headers
+ *
+ * @param cookies A coma-separated list of Set-Cookie headers or a list of Set-Cookie header
+ * @returns A list of Set-Cookie header
+ */
+export function parseSetCookieHeader(
   cookies: string | string[] | null | undefined,
 ): string[] {
   if (!cookies) {

packages/open-next/src/overrides/converters/aws-apigw-v2.ts

@@ -2,7 +2,7 @@ import type {
   APIGatewayProxyEventV2,
   APIGatewayProxyResultV2,
 } from "aws-lambda";
-import { parseCookies } from "http/util";
+import { parseSetCookieHeader } from "http/util";
 import type { InternalEvent, InternalResult } from "types/open-next";
 import type { Converter } from "types/overrides";
 import { fromReadableStream } from "utils/stream";
@@ -122,7 +122,7 @@ async function convertToApiGatewayProxyResultV2(
   const response: APIGatewayProxyResultV2 = {
     statusCode: result.statusCode,
     headers,
-    cookies: parseCookies(result.headers["set-cookie"]),
+    cookies: parseSetCookieHeader(result.headers["set-cookie"]),
     body,
     isBase64Encoded: result.isBase64Encoded,
   };

packages/open-next/src/overrides/converters/aws-cloudfront.ts

@@ -7,7 +7,7 @@ import type {
   CloudFrontRequestEvent,
   CloudFrontRequestResult,
 } from "aws-lambda";
-import { parseCookies } from "http/util";
+import { parseSetCookieHeader } from "http/util";
 import type {
   InternalEvent,
   InternalResult,
@@ -133,10 +133,12 @@ function convertToCloudfrontHeaders(
     )
     .forEach(([key, value]) => {
       if (key === "set-cookie") {
-        cloudfrontHeaders[key] = parseCookies(`${value}`).map((cookie) => ({
-          key,
-          value: cookie,
-        }));
+        cloudfrontHeaders[key] = parseSetCookieHeader(`${value}`).map(
+          (cookie) => ({
+            key,
+            value: cookie,
+          }),
+        );
         return;
       }
 

packages/open-next/src/overrides/converters/edge.ts

@@ -1,6 +1,7 @@
 import { Buffer } from "node:buffer";
 
-import { parseCookies } from "http/util";
+import cookieParser from "cookie";
+import { parseSetCookieHeader } from "http/util";
 import type {
   InternalEvent,
   InternalResult,
@@ -29,11 +30,11 @@ const converter: Converter<InternalEvent, InternalResult | MiddlewareResult> = {
     const rawPath = url.pathname;
     const method = event.method;
     const shouldHaveBody = method !== "GET" && method !== "HEAD";
-    const cookies: Record<string, string> = Object.fromEntries(
-      parseCookies(event.headers.get("cookie")).map((cookie) =>
-        cookie.split("="),
-      ),
-    );
+
+    const cookieHeader = event.headers.get("cookie");
+    const cookies = cookieHeader
+      ? (cookieParser.parse(cookieHeader) as Record<string, string>)
+      : {};
 
     return {
       type: "core",
@@ -81,7 +82,7 @@ const converter: Converter<InternalEvent, InternalResult | MiddlewareResult> = {
       if (key === "set-cookie" && typeof value === "string") {
         // If the value is a string, we need to parse it into an array
         // This is the case for middleware direct result
-        const cookies = parseCookies(value);
+        const cookies = parseSetCookieHeader(value);
         for (const cookie of cookies) {
           headers.append(key, cookie);
         }

packages/open-next/src/overrides/converters/node.ts

@@ -1,6 +1,6 @@
 import type { IncomingMessage } from "node:http";
 
-import { parseCookies } from "http/util";
+import cookieParser from "cookie";
 import type { InternalResult } from "types/open-next";
 import type { Converter } from "types/overrides";
 import { extractHostFromHeaders, getQueryFromSearchParams } from "./utils.js";
@@ -30,6 +30,12 @@ const converter: Converter = {
       `${req.protocol ? req.protocol : "http"}://${extractHostFromHeaders(headers)}${req.url}`,
     );
     const query = getQueryFromSearchParams(url.searchParams);
+
+    const cookieHeader = req.headers.cookie;
+    const cookies = cookieHeader
+      ? (cookieParser.parse(cookieHeader) as Record<string, string>)
+      : {};
+
     return {
       type: "core",
       method: req.method ?? "GET",
@@ -42,12 +48,7 @@ const converter: Converter = {
         req.socket.remoteAddress ??
         "::1",
       query,
-      cookies: Object.fromEntries(
-        parseCookies(req.headers.cookie)?.map((cookie) => {
-          const [key, value] = cookie.split("=");
-          return [key, value];
-        }) ?? [],
-      ),
+      cookies,
     };
   },
   // Nothing to do here, it's streaming