awinogrodzki / next-firebase-auth-edge

Next.js Firebase Authentication for Edge and Node.js runtimes. Compatible with latest Next.js features.
https://next-firebase-auth-edge-docs.vercel.app/
MIT License
523 stars 44 forks

Set-Cookie header is ignored in response from url: http://localhost:3000/api/login #260

Closed jeronasiedu closed 2 weeks ago

jeronasiedu commented 1 month ago

I get an error when I try to login Set-Cookie header is ignored in response from url: http://localhost:3000/api/login. The combined size of the name and value must be less than or equal to 4096 characters.

Can we choose what gets stored as a cookie?

awinogrodzki commented 1 month ago

Hey @jeronasiedu!

Good question – have you tried enabling multiple cookies? It's designed to solve your issue.

It's not compatible with Firebase Hosting though.

I am working on minimizing the size of the cookie – probably I'll make the customToken optional to avoid this issue for most use-cases.

Jacquesjh commented 1 month ago

I am having this same issue with Firebase Hosting. Any workaround for now?

awinogrodzki commented 1 month ago

Unfortunately, this limitation exists for Firebase Hosting at the moment, but I am actively working on making customToken optional in the single-cookie token. The canary version for the optional customToken should be available in a few days.

You can also quickly resolve the issue by downgrading the library to 1.5.x, but you'll lose access to some additional features.

I'll keep you updated!

jeronasiedu commented 1 month ago

Thank you @awinogrodzki this fixed the issue. I'm not using Firebase Hosting

Jacquesjh commented 1 month ago

Thank you for the quick response! I downgraded to 1.5.3 and it worked! I will keep an eye out for the canary version.

Jacquesjh commented 1 month ago

Just to add, after downgrading, I am getting the following error:

TypeError: The input to be decoded is not correctly encoded. at Module.E (/workspace/.next/server/src/middleware.js:13:15437) at s (/workspace/.next/server/src/middleware.js:2:66056) at p (/workspace/.next/server/src/middleware.js:2:107341) at g (/workspace/.next/server/src/middleware.js:2:105327) at Object.eR [as handler] (/workspace/.next/server/src/middleware.js:2:17773) at /workspace/.next/server/src/middleware.js:2:16035 at AsyncLocalStorage.run (node:async_hooks:346:14) at Object.wrap (/workspace/.next/server/src/middleware.js:2:13484) at /workspace/.next/server/src/middleware.js:2:15957 at /workspace/.next/server/src/middleware.js:2:10554

How can I handle this error? Ideally I would be able to clear the cookies when this happens, right? Is there any configuration I can set on the middleware to do this?

awinogrodzki commented 1 month ago

@Jacquesjh are you getting this error in handleError callback?

If yes, you could ignore this error and redirect user to login page. When they login again, the error should disappear

awinogrodzki commented 1 month ago

@Jacquesjh I have released next-firebase-auth-edge@1.8.0-canary.9 with optional custom token support and custom token disabled by default. It should solve the issue for you.

0x80 commented 2 weeks ago

I also just ran into this and canary fixed it for me 👍

I was testing my app with one google user, and everything was fine, until I tried to sign in with a different google account.

The difference appears to be that the second account has a name + picture in the data which also shows up in the decodedToken. The picture link is very long (as it contains a token itself) and I assume this is what caused the cookie to exceed the size limit.

My app doesn't need the picture. Is there maybe a way to omit certain properties from being stored as part of the cookie, or select the ones you need?

awinogrodzki commented 2 weeks ago

Hey @0x80,

The picture URL you refer to is generated on Google's side – i.e. I am not sure if the library could overwrite it.

You could try using updateUser advanced method to remove the user picture, if you really don't need it. I don't think it should pose much of a problem though, since it's most definitely being validated by Google.

The real problem here was the customToken, which in some cases can be as much as 1.5x the size of the ID token.

Since v1.8.0 custom token is disabled by default. You can use enableCustomToken option to enable custom token.

When using a custom token, it's recommended to set enableMultipleCookies to true. It will split the session into multiple cookies, so you don't have to worry much about cookie size.
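
An added illustration of the sizing problem discussed in this thread (example code, not from next-firebase-auth-edge): a single cookie carrying idToken + refreshToken + customToken is checked against the 4096-character name+value limit from the error message, with the custom token disabled by default and an option to split the session across several cookies. The cookie name, the JSON-then-base64url serialization and the token lengths are constructed assumptions, not the library's real format.

```javascript
// Browser limit quoted in the issue: cookie name + value must be <= 4096 characters.
const MAX_COOKIE_CHARS = 4096;

// Returns true when a cookie with this name and value fits within the limit.
function fitsInCookie(name, value) {
  return name.length + value.length <= MAX_COOKIE_CHARS;
}

// Builds the Set-Cookie value(s) for a session object { idToken, refreshToken, customToken? }.
// Options mirror the thread's advice: customToken off by default, optional split into
// one cookie per part. Serialization format is an assumption for this example only.
function buildSessionCookies(
  session,
  { name = "AuthToken", enableCustomToken = false, enableMultipleCookies = false } = {}
) {
  const parts = { idToken: session.idToken, refreshToken: session.refreshToken };
  if (enableCustomToken && session.customToken) {
    parts.customToken = session.customToken; // can be ~1.5x the ID token size
  }
  const attrs = "; Path=/; HttpOnly; Secure; SameSite=Lax";

  if (enableMultipleCookies) {
    // One cookie per token: each part is checked against the limit on its own.
    return Object.entries(parts).map(([key, value]) => {
      const cookieName = `${name}.${key}`;
      if (!fitsInCookie(cookieName, value)) {
        throw new Error(`cookie ${cookieName} would be ${cookieName.length + value.length} chars`);
      }
      return `${cookieName}=${value}${attrs}`;
    });
  }

  // Single cookie: everything is packed into one value, so sizes add up (plus base64 overhead).
  const value = Buffer.from(JSON.stringify(parts)).toString("base64url");
  if (!fitsInCookie(name, value)) {
    throw new Error(
      `cookie ${name} would be ${name.length + value.length} chars, over ${MAX_COOKIE_CHARS}; ` +
        "disable the custom token or enable multiple cookies"
    );
  }
  return [`${name}=${value}${attrs}`];
}

// Constructed sample session (token lengths chosen to mimic the thread's 1.5x ratio).
const sampleSession = {
  idToken: "a".repeat(1500),
  refreshToken: "b".repeat(300),
  customToken: "c".repeat(2250),
};

module.exports = { MAX_COOKIE_CHARS, fitsInCookie, buildSessionCookies, sampleSession };
```

With the constructed sample, the default settings produce one cookie that fits, enabling the custom token in a single cookie throws, and enabling both the custom token and multiple cookies yields three cookies that each fit.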

awinogrodzki commented 2 weeks ago

I will close the issue as completed now. It's solved as of v1.8.0