CodeGenieApp / serverless-express

Run Express and other Node.js frameworks on AWS Serverless technologies such as Lambda, API Gateway, Lambda@Edge, and more.
https://codegenie.codes
Apache License 2.0

Can't set multiple cookies in one request #609

Open ml27299 opened 1 year ago

ml27299 commented 1 year ago

When you set multiple cookies, it only sets the first one. I have an application that has a CSRF middleware; it is one of the first middlewares to be initialized. My app has a route where we set a token and then redirect to another page in the app. What's happening is that the CSRF middleware runs before the route function handler. The middleware sets a cookie, then the route function runs and sets another cookie, then a redirect happens.

res.cookie("token", token, defaultCookieOpts);

SERVERLESS_EXPRESS:FORWARD_REQUEST_TO_NODE_SERVER:RESPONSE

_header: 'HTTP/1.1 302 Found\r\n' +
      'X-DNS-Prefetch-Control: off\r\n' +
      'X-Frame-Options: SAMEORIGIN\r\n' +
      'Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n' +
      'X-Download-Options: noopen\r\n' +
      'X-Content-Type-Options: nosniff\r\n' +
      'X-XSS-Protection: 1; mode=block\r\n' +
      'Referrer-Policy: same-origin\r\n' +
      'Surrogate-Control: no-store\r\n' +
      'Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate\r\n' +
      'Pragma: no-cache\r\n' +
      'Expires: 0\r\n' +
      'Set-Cookie: _csrf=3A2IecjCunSB9Sq2rI-i-Ani; Path=/; SameSite=Strict\r\n' +
      'Set-Cookie: token= on3N6MSlyG; Path=/; Expires=Fri, 31 Dec 9999 00:00:00 GMT\r\n' +
      'Location: tx/austin/math-tutors/pro-1-fFWS9tC-z?leadKey=6lfLJiBTmXR&service=UCT7ybWAds\r\n' +
      'Vary: Accept\r\n' +
      'Content-Type: text/html; charset=utf-8\r\n' +
      'Content-Length: 204\r\n' +
      'Date: Tue, 20 Dec 2022 07:48:30 GMT\r\n' +
      'Connection: keep-alive\r\n' +
      '\r\n',
    _keepAliveTimeout: 0,
    _onPendingData: [Function: noopPendingOutput],
    _sent100: false,
    _expect_continue: false,
    req: IncomingMessage {
      _readableState: [ReadableState],
      _events: [Object: null prototype] {},
      _eventsCount: 0,
      _maxListeners: undefined,
      socket: [Object],
      httpVersionMajor: '1',
      httpVersionMinor: '1',
      httpVersion: '1.1',
      complete: true,
      headers: [Object],
      rawHeaders: [],
      trailers: {},
      rawTrailers: [],
      aborted: false,
DEBUG   {
  message: 'SERVERLESS_EXPRESS:FORWARD_RESPONSE:EVENT_SOURCE_RESPONSE_PARAMS',
  statusCode: 302,
  body: '[BASE64_ENCODED]',
  headers: [Object: null prototype] {
    'x-dns-prefetch-control': 'off',
    'x-frame-options': 'SAMEORIGIN',
    'strict-transport-security': 'max-age=15552000; includeSubDomains',
    'x-download-options': 'noopen',
    'x-content-type-options': 'nosniff',
    'x-xss-protection': '1; mode=block',
    'referrer-policy': 'same-origin',
    'surrogate-control': 'no-store',
    'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
    pragma: 'no-cache',
    expires: '0',
    'set-cookie': [
      '_csrf=3A2IecjCunSB9Sq2rI-i-Ani; Path=/; SameSite=Strict',
      'token=on3N6MSlyG; Path=/; Expires=Fri, 31 Dec 9999 00:00:00 GMT'
    ],
    location: '/pros/leads',
    vary: 'Accept',
    'content-type': 'text/html; charset=utf-8',
    'content-length': '66'
  },
  isBase64Encoded: true
}
DEBUG   {
  message: 'SERVERLESS_EXPRESS:FORWARD_RESPONSE:EVENT_SOURCE_RESPONSE',
  successResponse: '{\n' +
    '  statusCode: 302,\n' +
    "  body: 'PHA+Rm91bmQuIFJlZGlyZWN0aW5nIHRvIDxhIGhyZWY9InR4L2F1c3Rpbi9tYXRoLXR1dG9ycy9wcm8tMS1mRldTOXRDLXo/bGVhZEtleT02bGZMSmlCVG1YUiZhbXA7c2VydmljZT1VQ1Q3eWJXQWRzIj50eC9hdXN0aW4vbWF0aC10dXRvcnMvcHJvLTEtZkZXUzl0Qy16P2xlYWRLZXk9NmxmTEppQlRtWFImYW1wO3NlcnZpY2U9VUNUN3liV0FkczwvYT48L3A+',\n" +
    '  headers: {\n' +
    "    'x-dns-prefetch-control': 'off',\n" +
    "    'x-frame-options': 'SAMEORIGIN',\n" +
    "    'strict-transport-security': 'max-age=15552000; includeSubDomains',\n" +
    "    'x-download-options': 'noopen',\n" +
    "    'x-content-type-options': 'nosniff',\n" +
    "    'x-xss-protection': '1; mode=block',\n" +
    "    'referrer-policy': 'same-origin',\n" +
    "    'surrogate-control': 'no-store',\n" +
    "    'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate',\n" +
    "    pragma: 'no-cache',\n" +
    "    expires: '0',\n" +
    "    'set-cookie': '_csrf=3A2IecjCunSB9Sq2rI-i-Ani; Path=/; SameSite=Strict',\n" +
    "    location: 'tx/austin/math-tutors/pro-1-fFWS9tC-z?leadKey=6lfLJiBTmXR&service=UCT7ybWAds',\n" +
    "    vary: 'Accept',\n" +
    "    'content-type': 'text/html; charset=utf-8',\n" +
    "    'content-length': '204'\n" +
    '  },\n' +
    '  multiValueHeaders: undefined,\n' +
    '  isBase64Encoded: true\n' +
    '}',
  body: '[BASE64_ENCODED]'
}
H4ad commented 1 year ago

I think the problem is in these lines:

https://github.com/vendia/serverless-express/blob/75cfbffeb3fd030695b9587a75300c7b8012ac6a/src/event-sources/aws/alb.js#L47-L53

But this problem is not that simple to solve, as laverdet describes in this issue: https://github.com/vendia/serverless-express/issues/554

For sure, the strategy for handling cookies needs to be evaluated again to be more resilient; I think the Stack Overflow solution could be one possible solution for this problem.

What you can do now is maybe try activating the multiValueHeaders option inside AWS ALB. This will lead to the problem of reversed cookie order, but at least the cookies will be set.
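The header-shape mismatch behind this issue, as an added illustration (not serverless-express code or anything from the commenters): the single-value `headers` object of an ALB/API Gateway response can hold one string per header name, so an array of Set-Cookie values cannot be carried without loss, while `multiValueHeaders` keeps all of them. The cookie values below are constructed, and "keep the first element" is an assumption chosen to reproduce the behaviour seen in the debug output above; `missingCookies` is a hypothetical check a test suite could run to catch a dropped CSRF or session cookie.

```javascript
// Constructed Node response headers mirroring the debug output in the issue.
const nodeHeaders = {
  'content-type': 'text/html; charset=utf-8',
  'set-cookie': [
    '_csrf=EXAMPLE_CSRF_VALUE; Path=/; SameSite=Strict',
    'token=EXAMPLE_TOKEN_VALUE; Path=/; Expires=Fri, 31 Dec 9999 00:00:00 GMT'
  ]
};

// Single-value `headers`: one string per name, so an array value is lossy.
// Keeping element 0 is an assumption that matches the reported outcome
// (only the _csrf cookie reached the client).
function toSingleValueHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = Array.isArray(value) ? value[0] : value;
  }
  return out;
}

// `multiValueHeaders`: every value is an array, so all cookies survive.
function toMultiValueHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = Array.isArray(value) ? [...value] : [value];
  }
  return out;
}

// Build the event-source response in either shape (hypothetical helper).
function buildResponse(headers, useMultiValue) {
  return useMultiValue
    ? { statusCode: 302, multiValueHeaders: toMultiValueHeaders(headers) }
    : { statusCode: 302, headers: toSingleValueHeaders(headers) };
}

// Defensive check for an integration test: every cookie the app set must be
// present in the response handed back to ALB/API Gateway. Returns the names
// of cookies that were silently dropped.
function missingCookies(expectedNames, response) {
  const raw = response.multiValueHeaders
    ? response.multiValueHeaders['set-cookie'] || []
    : [response.headers['set-cookie']].filter(Boolean);
  const present = new Set(raw.map((c) => c.split('=')[0].trim()));
  return expectedNames.filter((name) => !present.has(name));
}
```

Running `missingCookies(['_csrf', 'token'], buildResponse(nodeHeaders, false))` reports `token` as dropped, while the `multiValueHeaders` form reports nothing missing.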