sidebase / nuxt-auth

Authentication built for Nuxt 3! Easily add authentication via OAuth providers, credentials or Email Magic URLs!
https://auth.sidebase.io
MIT License
1.31k stars 164 forks

Authentication state is lost when JWT is split into multiple chunks #725

Closed hitochan777 closed 7 months ago

hitochan777 commented 7 months ago

Environment


Reproduction

Describe the bug

What is happening

I found that authentication state is lost on browser reload when the JWT is too long to fit in the cookie size limit. next-auth splits a JWT token into multiple cookies when it is too long to fit in a single cookie. When I sign in, the following seems to occur.

  1. Browser sends a request to /api/auth/callback/credentials and the server returns a response with the JWT token set in multiple Set-Cookie headers. [image]

  2. Browser sends a request to / and the server responds with only one Set-Cookie header. But when carefully observed, there are multiple cookies split by , in its value. But browsers assume text following , is an attribute of the first cookie. As you can see in the image below, the browser interpreted that there is only the first chunk. This makes the cookies for the JWT corrupted, which leads to an unauthenticated state, I suppose. [image]

Why are multiple cookies merged into one Set-Cookie?

During SSR the server calls the session API to fetch session info; it then forwards the Set-Cookie headers obtained from the API to the browser. When extracting Set-Cookie headers from the API response, the server uses Headers.get("set-cookie"), and it seems this method joins multiple Set-Cookie headers into one Set-Cookie.

Possible solution

Instead of using Headers.get we can use Headers.getSetCookie. It returns an array of cookie values.

Related: https://github.com/sidebase/nuxt-auth/issues/293

Additional context

No response

Logs

 ERROR  [next-auth][error][JWT_SESSION_ERROR] 
https://next-auth.js.org/errors#jwt_session_error JWE Initialization Vector missing or incorrect type JWE Initialization Vector missing or incorrect type

  at flattenedDecrypt (node_modules/.pnpm/jose@4.15.5/node_modules/jose/dist/node/cjs/jwe/flattened/decrypt.js:24:15)
  at compactDecrypt (node_modules/.pnpm/jose@4.15.5/node_modules/jose/dist/node/cjs/jwe/compact/decrypt.js:18:63)
  at jwtDecrypt (node_modules/.pnpm/jose@4.15.5/node_modules/jose/dist/node/cjs/jwt/decrypt.js:8:61)
  at Object.decode (node_modules/.pnpm/next-auth@4.21.1_next@13.5.6_react-dom@18.2.0_react@18.2.0/node_modules/next-auth/jwt/index.js:64:34)
  at async Object.session (node_modules/.pnpm/next-auth@4.21.1_next@13.5.6_react-dom@18.2.0_react@18.2.0/node_modules/next-auth/core/routes/session.js:43:28)
  at async AuthHandler (node_modules/.pnpm/next-auth@4.21.1_next@13.5.6_react-dom@18.2.0_react@18.2.0/node_modules/next-auth/core/index.js:158:27)
  at Object.handler (node_modules/.pnpm/@sidebase+nuxt-auth@0.7.0_next-auth@4.21.1/node_modules/@sidebase/nuxt-auth/dist/runtime/server/services/authjs/nuxtAuthHandler.mjs:88:24)
  at async node_modules/.pnpm/h3@1.11.1/node_modules/h3/dist/index.mjs:1962:19
  at async Object.callAsync (node_modules/.pnpm/unctx@2.3.1/node_modules/unctx/dist/index.mjs:72:16)
  at async Server.toNodeHandle (node_modules/.pnpm/h3@1.11.1/node_modules/h3/dist/index.mjs:2249:7)
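An added example, not nuxt-auth's own code, that reproduces the issue described above in plain Node.js (18.14+ or 19.7+, where Headers.getSetCookie() exists): forwarding with Headers.get('set-cookie') collapses the chunked session cookie into a single header that a browser reads as one cookie, while getSetCookie() keeps each chunk as its own header. The cookie names and values are constructed for the demonstration.

```javascript
// Constructed sample: a next-auth session token split into two chunks, as the
// session API returns it when the encrypted JWT exceeds the per-cookie size limit.
const SAMPLE_SET_COOKIES = [
  'next-auth.session-token.0=chunk0value; Path=/; HttpOnly; SameSite=Lax',
  'next-auth.session-token.1=chunk1value; Path=/; HttpOnly; SameSite=Lax',
];

// Build the Headers object of the (simulated) session API response.
function buildApiResponseHeaders(cookies = SAMPLE_SET_COOKIES) {
  const headers = new Headers();
  for (const cookie of cookies) headers.append('set-cookie', cookie);
  return headers;
}

// Buggy forwarding: Headers.get() joins every Set-Cookie value with ", ",
// so the SSR response carries one Set-Cookie header containing both chunks.
function forwardWithGet(apiHeaders) {
  return [apiHeaders.get('set-cookie')];
}

// Fixed forwarding: Headers.getSetCookie() returns each value separately,
// so each chunk can be emitted as its own Set-Cookie header.
function forwardWithGetSetCookie(apiHeaders) {
  return apiHeaders.getSetCookie();
}

// Rough model of what a browser stores from each Set-Cookie header: the
// name=value pair before the first ';'. Everything after it (including the
// text of the other chunks in the buggy case) is treated as attributes.
function cookiePairsSeenByBrowser(setCookieHeaders) {
  return setCookieHeaders.map((header) => header.split(';')[0].trim());
}

// Stand-alone demo: the buggy path keeps only chunk 0, the fixed path keeps both.
console.log('get():          ', cookiePairsSeenByBrowser(forwardWithGet(buildApiResponseHeaders())));
console.log('getSetCookie(): ', cookiePairsSeenByBrowser(forwardWithGetSetCookie(buildApiResponseHeaders())));
```

Losing chunk 1 is exactly what produces the JWE_SESSION_ERROR in the logs above: jose tries to decrypt a truncated compact JWE and finds its initialization vector missing.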
joaltoroc commented 7 months ago

Any update/workaround for the issue?

I'm using

"@sidebase/nuxt-auth": "0.7.1",
hitochan777 commented 7 months ago

Until the PR is merged, you can apply a patch to nuxt-auth with tools like patch-package (for npm) or pnpm patch (for pnpm). In my project, I use pnpm patch, which applies exactly the same code as the PR, and it is working fine.

phoenix-ru commented 7 months ago

We'll take a look into this today

phoenix-ru commented 7 months ago

Closed via #726