payloadcms / payload

Payload is the open-source, fullstack Next.js framework, giving you instant backend superpowers. Get a full TypeScript backend and admin panel instantly. Use Payload as a headless CMS or for building powerful applications.
https://payloadcms.com
MIT License
23.6k stars, 1.51k forks

Error on malformed authelia Cookie URI #5266

Open. gitmonster opened this issue 6 months ago

gitmonster commented 6 months ago

Link to reproduction

No reproduction, as this is related to server configuration.

Describe the Bug

This bug is somewhat related to #3434, and I experience the same error with payloadcms@2.11.2. When deploying Payload to my own server, I have Authelia configured, which sets a cookie that applies to the domain .mydomain.com (note the "." at the beginning). Payload's JWT middleware doesn't get along with this.

Here is the stack trace:

[09:04:38] ERROR (payload): APIError: Error decoding cookie value for key authelia_session: URI malformed
8.3.2024 10:04:38    at /home/node/app/node_modules/.pnpm/payload@2.11.2_@types+react@18.2.58_typescript@5.2.2_webpack@5.90.3/node_modules/payload/dist/utilities/parseCookies.js:24:23
8.3.2024 10:04:38    at Array.forEach (<anonymous>)
8.3.2024 10:04:38    at parseCookies (/home/node/app/node_modules/.pnpm/payload@2.11.2_@types+react@18.2.58_typescript@5.2.2_webpack@5.90.3/node_modules/payload/dist/utilities/parseCookies.js:16:23)
8.3.2024 10:04:38    at JwtStrategy._jwtFromRequest (/home/node/app/node_modules/.pnpm/payload@2.11.2_@types+react@18.2.58_typescript@5.2.2_webpack@5.90.3/node_modules/payload/dist/auth/getExtractJWT.js:31:51)
8.3.2024 10:04:38    at JwtStrategy.authenticate (/home/node/app/node_modules/.pnpm/passport-jwt@4.0.1/node_modules/passport-jwt/lib/strategy.js:93:22)
8.3.2024 10:04:38    at attempt (/home/node/app/node_modules/.pnpm/passport@0.6.0/node_modules/passport/lib/middleware/authenticate.js:369:16)
8.3.2024 10:04:38    at strategy.fail (/home/node/app/node_modules/.pnpm/passport@0.6.0/node_modules/passport/lib/middleware/authenticate.js:305:9)
8.3.2024 10:04:38    at Strategy.authenticate (/home/node/app/node_modules/.pnpm/passport-headerapikey@1.2.2/node_modules/passport-headerapikey/lib/Strategy.js:48:25)
8.3.2024 10:04:38    at attempt (/home/node/app/node_modules/.pnpm/passport@0.6.0/node_modules/passport/lib/middleware/authenticate.js:369:16)
8.3.2024 10:04:38    at authenticate (/home/node/app/node_modules/.pnpm/passport@0.6.0/node_modules/passport/lib/middleware/authenticate.js:370:7)

To Reproduce

Deploy Payload to a server running Traefik or similar proxies using Authelia to set a global session for the domain.

Payload Version

2.11.2

Adapters and Plugins

No response

gitmonster commented 6 months ago

Is it possible to fix the bug in one of the next patch releases? The consequence of the error is that all Payload instances in our cluster crash immediately when they encounter the cookie.

himselforama commented 5 months ago

We're having the same issue with payload 2.11.1. Since the parsing error does not occur 100% of the time with an Authelia session, I suspect it depends on the content of the cookie, possibly a problem with a special character. Logging out, deleting the Authelia root-domain cookie and logging back in can lead to a cookie that does not cause an issue.

gitmonster commented 5 months ago

@jmikrut I think this is a serious issue. Do you have any plans to fix this?

jmikrut commented 5 months ago

Hey @gitmonster we should be able to resolve this. It looks like we are now throwing an error if the cookie cannot be parsed, but instead, we could just omit it.

Alternatively, maybe we can look into a different way to decodeURI. Can you provide us with an example of a cookie that crashes?

We would accept a PR on this, but in the meantime, I will assign this and we will tackle it on Monday!

jonisapp commented 2 weeks ago

Same here. This is a major resilience issue. It's not very reassuring to see that such an issue has been around for almost a year now, especially as this could happen with other cookies. Can you please tell us when this will be fixed?

jonisapp commented 2 weeks ago

@jmikrut After comparing several tokens, it seems that it's the % symbol that's causing the problem. Why would Payload need to retrieve cookies that aren't its own?

gitmonster commented 2 weeks ago

> Same here. This is a major resilience issue. It's not very reassuring to see that such an issue has been around for almost a year now, especially as this could happen with other cookies. Can you please tell us when this will be fixed?

I support that. Please act at last.