Shadow Endpoints: slight problems with set-cookie and other headers #3758

@georgecrawford

Describe the bug

Firstly, thank you for shadow endpoints! They are a lovely simplification, and make perfect sense when implementing straightforward pages.

I've noticed two things which aren't quite right with the processing of the shadow endpoint's Response:

Reproduction

1. set-cookie is assumed to be an array
See 647131e#diff-7266c49c71803f38dda70345d857f13a7a2494cc649b70af6b689627199f5b79R404-R406

Reproduction: string is exploded

endpoint.js

```js
export async function post() {
    return {
        headers: {
            'set-cookie': 'a=b',
        },
    };
}
```

test

```
bash-5.1$ curl -X POST -I http://localhost:5001/endpoint

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
content-type: text/html
etag: "l9x8dd"
permissions-policy: interest-cohort=()
set-cookie: a
set-cookie: =
set-cookie: b
Date: Mon, 07 Feb 2022 10:16:38 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
```

Reproduction: array is handled correctly

endpoint.js

```js
export async function post() {
    return {
        headers: {
            'set-cookie': ['a=b'],
        },
    };
}
```

test

```
bash-5.1$ curl -X POST -I http://localhost:5001/endpoint

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
content-type: text/html
etag: "l9x8dd"
permissions-policy: interest-cohort=()
set-cookie: a=b
Date: Mon, 07 Feb 2022 10:16:38 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
```

Expected: string is treated as a singular header

endpoint.js

```js
export async function post() {
    return {
        headers: {
            'set-cookie': 'a=b',
        },
    };
}
```

test

```
bash-5.1$ curl -X POST -I http://localhost:5001/endpoint

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
content-type: text/html
etag: "l9x8dd"
permissions-policy: interest-cohort=()
set-cookie: a=b
Date: Mon, 07 Feb 2022 10:16:38 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
```

2. set-cookie and other headers aren't preserved for 3xx redirects
See 647131e#diff-7266c49c71803f38dda70345d857f13a7a2494cc649b70af6b689627199f5b79R408-R416

Note that only headers.location is copied across in the case of a 3xx redirect.

Reproduction: `set-cookie` is ignored for 307 redirect

endpoint.js

```js
export async function post() {
    return {
        status: 307,
        headers: {
            location: '/',
            'set-cookie': ['a=b'],
        },
    };
}
```

test

```
bash-5.1$ curl -X POST -I http://localhost:5001/endpoint

HTTP/1.1 307 Temporary Redirect
Access-Control-Allow-Origin: *
location: /
Date: Mon, 07 Feb 2022 10:25:09 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
```

Expected: `set-cookie` is preserved for 307 redirect

endpoint.js

```js
export async function post() {
    return {
        status: 307,
        headers: {
            location: '/',
            'set-cookie': ['a=b'],
        },
    };
}
```

test

```
bash-5.1$ curl -X POST -I http://localhost:5001/endpoint

HTTP/1.1 307 Temporary Redirect
Access-Control-Allow-Origin: *
location: /
set-cookie: a=b
Date: Mon, 07 Feb 2022 10:25:09 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
```

Logs

No response

System Info

```
  System:
    OS: Linux 5.10 Alpine Linux
    CPU: (6) arm64 unknown
    Memory: 10.94 GB / 15.60 GB
    Container: Yes
    Shell: 1.34.1 - /bin/ash
  Binaries:
    Node: 16.13.1 - /usr/local/bin/node
    Yarn: 1.22.15 - /usr/local/bin/yarn
    npm: 8.1.2 - /usr/local/bin/npm
  npmPackages:
    @sveltejs/adapter-node: ^1.0.0-next.67 => 1.0.0-next.67
    @sveltejs/kit: ^1.0.0-next.260 => 1.0.0-next.260
    svelte: ^3.46.2 => 3.46.2
```

Severity

serious, but I can work around it

Additional Information

No response
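
The two behaviours in this report, modelled as an added JavaScript example (not SvelteKit's code and not written by the issue author): `applyHeadersReported` reproduces the output seen in the reproductions, and `applyHeaders` produces the output the report expects by normalising `set-cookie` to a list and keeping every header on 3xx responses. Both function names and the `[name, value]` pair list standing in for the wire headers are assumptions made for illustration.

```javascript
// Added illustration: models the behaviour in the report; not SvelteKit source.
// Function names and the [name, value] pair list are assumptions.

// Behaviour as reported: set-cookie is iterated as if it were always an array,
// and a 3xx response keeps only `location`.
function applyHeadersReported({ status = 200, headers = {} }) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'set-cookie') {
      // for...of over the string 'a=b' yields 'a', '=', 'b'
      for (const v of value) out.push(['set-cookie', v]);
    } else {
      out.push([name.toLowerCase(), String(value)]);
    }
  }
  if (status >= 300 && status < 400) {
    return { status, headers: out.filter(([name]) => name === 'location') };
  }
  return { status, headers: out };
}

// Behaviour the report expects: a string set-cookie is one header, an array is
// one header per element, and redirects keep all headers (session cookies included).
function applyHeaders({ status = 200, headers = {} }) {
  const out = [];
  for (const [rawName, value] of Object.entries(headers)) {
    if (value === undefined || value === null) continue;
    const name = rawName.toLowerCase();
    const values = name === 'set-cookie' && Array.isArray(value) ? value : [value];
    for (const v of values) out.push([name, String(v)]);
  }
  return { status, headers: out };
}

// Constructed inputs, taken from the reproductions in the report.
const stringCookie = { headers: { 'set-cookie': 'a=b' } };
const redirect = { status: 307, headers: { location: '/', 'set-cookie': ['a=b'] } };

console.log(applyHeadersReported(stringCookie).headers);
console.log(applyHeaders(stringCookie).headers);
console.log(applyHeadersReported(redirect).headers);
console.log(applyHeaders(redirect).headers);
```

A regression test for either behaviour can assert on the exact list of `set-cookie` values, since a cookie dropped on a login redirect or split into single characters still returns a 2xx or 3xx status.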
