copyProxyResHeadersToUserRes overwrites Set-Cookie headers that have already been set by previous middleware

villadora / express-http-proxy

Proxy middleware for express/connect

Other

1.22k stars 236 forks source link

copyProxyResHeadersToUserRes overwrites Set-Cookie headers that have already been set by previous middleware #547

Open fabb opened 3 weeks ago

fabb commented 3 weeks ago

We have some middlewares before the proxy middleware to handle setting cookies (like authentication and others). We set cookies like this in previous middlewares: res.cookie('name', 'value').

Responses that are proxies do not contain these Set-Cookie headers though. Other headers seem to pass fine.

We do not use userResHeaderDecorator.

express-http-proxy should not remove any Set-Cookie headers that have already been set on the response object.

fabb commented 3 weeks ago

The problem is this line: https://github.com/villadora/express-http-proxy/blob/master/app/steps/copyProxyResHeadersToUserRes.js#L13

It looks like if the proxied backend returns Set-Cookie header, it overwrites these headers if they were already set on the user response object.

The problem is that there is no workaround using userResHeaderDecorator because copyProxyResHeadersToUserRes runs before it and already deleted the headers.

monkpow commented 3 weeks ago

@fabb Thanks for the detailed report and fix. I'll review this week.