chore(backend): Generate suffixed/un-suffixed cookies in handshake

dimkl · dimkl · commit 9d6e1bfe0e49 · 2024-05-23T20:35:25.000+03:00
diff --git a/integration/tests/handshake.test.ts b/integration/tests/handshake.test.ts
@@ -164,7 +164,7 @@ test.describe('Client handshake @generic', () => {
     expect(res.headers.get('location')).toBe(
       `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(
         `${app.serverUrl}/`,
-      )}${devBrowserQuery}`,
+      )}&suffixed_cookies=true${devBrowserQuery}`,
     );
   });
 
@@ -185,7 +185,9 @@ test.describe('Client handshake @generic', () => {
     });
     expect(res.status).toBe(307);
     expect(res.headers.get('location')).toBe(
-      `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(`${app.serverUrl}/`)}`,
+      `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(
+        `${app.serverUrl}/`,
+      )}&suffixed_cookies=true`,
     );
   });
 
@@ -207,7 +209,9 @@ test.describe('Client handshake @generic', () => {
     });
     expect(res.status).toBe(307);
     expect(res.headers.get('location')).toBe(
-      `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(`${app.serverUrl}/`)}`,
+      `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(
+        `${app.serverUrl}/`,
+      )}&suffixed_cookies=true`,
     );
   });
 
@@ -230,7 +234,7 @@ test.describe('Client handshake @generic', () => {
     expect(res.headers.get('location')).toBe(
       `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(
         `${app.serverUrl}/`,
-      )}${devBrowserQuery}`,
+      )}&suffixed_cookies=true${devBrowserQuery}`,
     );
   });
 
@@ -254,7 +258,7 @@ test.describe('Client handshake @generic', () => {
     expect(res.headers.get('location')).toBe(
       `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(
         `${app.serverUrl}/`,
-      )}${devBrowserQuery}`,
+      )}&suffixed_cookies=true${devBrowserQuery}`,
     );
   });
 
@@ -278,7 +282,7 @@ test.describe('Client handshake @generic', () => {
     expect(res.headers.get('location')).toBe(
       `https://example.com/clerk/v1/client/handshake?redirect_url=${encodeURIComponent(
         `${app.serverUrl}/`,
-      )}${devBrowserQuery}`,
+      )}&suffixed_cookies=true${devBrowserQuery}`,
     );
   });
 
@@ -300,7 +304,9 @@ test.describe('Client handshake @generic', () => {
     });
     expect(res.status).toBe(307);
     expect(res.headers.get('location')).toBe(
-      `https://example.com/clerk/v1/client/handshake?redirect_url=${encodeURIComponent(`${app.serverUrl}/`)}`,
+      `https://example.com/clerk/v1/client/handshake?redirect_url=${encodeURIComponent(
+        `${app.serverUrl}/`,
+      )}&suffixed_cookies=true`,
     );
   });
 
@@ -324,7 +330,7 @@ test.describe('Client handshake @generic', () => {
     expect(res.headers.get('location')).toBe(
       `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(
         `${app.serverUrl}/`,
-      )}${devBrowserQuery}`,
+      )}&suffixed_cookies=true${devBrowserQuery}`,
     );
   });
 
@@ -346,7 +352,9 @@ test.describe('Client handshake @generic', () => {
     });
     expect(res.status).toBe(307);
     expect(res.headers.get('location')).toBe(
-      `https://clerk.example.com/v1/client/handshake?redirect_url=${encodeURIComponent(`${app.serverUrl}/`)}`,
+      `https://clerk.example.com/v1/client/handshake?redirect_url=${encodeURIComponent(
+        `${app.serverUrl}/`,
+      )}&suffixed_cookies=true`,
     );
   });
 
@@ -367,7 +375,7 @@ test.describe('Client handshake @generic', () => {
     expect(res.headers.get('location')).toBe(
       `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(
         `${app.serverUrl}/`,
-      )}${devBrowserQuery}`,
+      )}&suffixed_cookies=true${devBrowserQuery}`,
     );
   });
 
@@ -386,7 +394,9 @@ test.describe('Client handshake @generic', () => {
     });
     expect(res.status).toBe(307);
     expect(res.headers.get('location')).toBe(
-      `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(`${app.serverUrl}/`)}`,
+      `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(
+        `${app.serverUrl}/`,
+      )}&suffixed_cookies=true`,
     );
   });
 
@@ -485,7 +495,9 @@ test.describe('Client handshake @generic', () => {
     });
     expect(res.status).toBe(307);
     expect(res.headers.get('location')).toBe(
-      `https://clerk.example.com/v1/client/handshake?redirect_url=${encodeURIComponent(app.serverUrl + '/')}`,
+      `https://clerk.example.com/v1/client/handshake?redirect_url=${encodeURIComponent(
+        app.serverUrl + '/',
+      )}&suffixed_cookies=true`,
     );
   });
 
@@ -520,7 +532,9 @@ test.describe('Client handshake @generic', () => {
     });
     expect(res.status).toBe(307);
     expect(res.headers.get('location')).toBe(
-      `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(`${app.serverUrl}/`)}`,
+      `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(
+        `${app.serverUrl}/`,
+      )}&suffixed_cookies=true`,
     );
   });
 
@@ -543,7 +557,7 @@ test.describe('Client handshake @generic', () => {
     expect(res.headers.get('location')).toBe(
       `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(
         `${app.serverUrl}/`,
-      )}hello%3Ffoo%3Dbar${devBrowserQuery}`,
+      )}hello%3Ffoo%3Dbar&suffixed_cookies=true${devBrowserQuery}`,
     );
   });
 
@@ -566,7 +580,7 @@ test.describe('Client handshake @generic', () => {
     expect(res.headers.get('location')).toBe(
       `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(
         `${app.serverUrl}/`,
-      )}hello%3Ffoo%3Dbar`,
+      )}hello%3Ffoo%3Dbar&suffixed_cookies=true`,
     );
   });
 
@@ -589,7 +603,7 @@ test.describe('Client handshake @generic', () => {
     });
     expect(res.status).toBe(307);
     expect(res.headers.get('location')).toBe(
-      `https://${config.pkHost}/v1/client/handshake?redirect_url=https%3A%2F%2Fexample.com%2Fhello%3Ffoo%3Dbar${devBrowserQuery}`,
+      `https://${config.pkHost}/v1/client/handshake?redirect_url=https%3A%2F%2Fexample.com%2Fhello%3Ffoo%3Dbar&suffixed_cookies=true${devBrowserQuery}`,
     );
   });
 
@@ -612,7 +626,7 @@ test.describe('Client handshake @generic', () => {
     });
     expect(res.status).toBe(307);
     expect(res.headers.get('location')).toBe(
-      `https://${config.pkHost}/v1/client/handshake?redirect_url=https%3A%2F%2Fexample.com%2Fhello%3Ffoo%3Dbar`,
+      `https://${config.pkHost}/v1/client/handshake?redirect_url=https%3A%2F%2Fexample.com%2Fhello%3Ffoo%3Dbar&suffixed_cookies=true`,
     );
   });
 
@@ -635,7 +649,7 @@ test.describe('Client handshake @generic', () => {
     });
     expect(res.status).toBe(307);
     expect(res.headers.get('location')).toBe(
-      `https://${config.pkHost}/v1/client/handshake?redirect_url=https%3A%2F%2Fexample.com%3A3213%2Fhello%3Ffoo%3Dbar${devBrowserQuery}`,
+      `https://${config.pkHost}/v1/client/handshake?redirect_url=https%3A%2F%2Fexample.com%3A3213%2Fhello%3Ffoo%3Dbar&suffixed_cookies=true${devBrowserQuery}`,
     );
   });
 
@@ -658,7 +672,7 @@ test.describe('Client handshake @generic', () => {
     });
     expect(res.status).toBe(307);
     expect(res.headers.get('location')).toBe(
-      `https://${config.pkHost}/v1/client/handshake?redirect_url=https%3A%2F%2Fexample.com%3A3213%2Fhello%3Ffoo%3Dbar`,
+      `https://${config.pkHost}/v1/client/handshake?redirect_url=https%3A%2F%2Fexample.com%3A3213%2Fhello%3Ffoo%3Dbar&suffixed_cookies=true`,
     );
   });
 
@@ -787,7 +801,7 @@ test.describe('Client handshake @generic', () => {
     expect(res.headers.get('location')).toBe(
       `https://${config.pkHost}/v1/client/handshake?redirect_url=${encodeURIComponent(
         `${app.serverUrl}/`,
-      )}&__clerk_db_jwt=asdf`,
+      )}&suffixed_cookies=true&__clerk_db_jwt=asdf`,
     );
   });
 
diff --git a/packages/backend/src/tokens/cookie.ts b/packages/backend/src/tokens/cookie.ts
@@ -0,0 +1,23 @@
+const getCookieName = (cookieDirective: string): string => {
+  return cookieDirective.split(';')[0]?.split('=')[0];
+};
+
+const getSuffixedName = (name: string, suffix: string): string => {
+  if (name.endsWith(suffix)) {
+    return name;
+  }
+  return `${name}_${suffix}`;
+};
+
+export const suffixCookie = (suffix: string, cookieDirective: string): string => {
+  const name = getCookieName(cookieDirective);
+  const suffixedName = getSuffixedName(name, suffix);
+
+  return cookieDirective.replace(name + '=', suffixedName + '=');
+};
+
+export const unSuffixCookie = (suffix: string, cookieDirective: string): string => {
+  const name = getCookieName(cookieDirective).replace('_' + suffix, '');
+  const suffixedName = getSuffixedName(suffix, cookieDirective);
+  return cookieDirective.replace(suffixedName + '=', name + '=');
+};
diff --git a/packages/backend/src/tokens/request.ts b/packages/backend/src/tokens/request.ts
@@ -3,12 +3,13 @@ import type { TokenCarrier } from '../errors';
 import { TokenVerificationError, TokenVerificationErrorReason } from '../errors';
 import { decodeJwt } from '../jwt/verifyJwt';
 import { assertValidSecretKey } from '../util/optionsAssertions';
-import { isDevelopmentFromSecretKey } from '../util/shared';
+import { getCookieSuffix, isDevelopmentFromSecretKey } from '../util/shared';
 import type { AuthenticateContext } from './authenticateContext';
 import { createAuthenticateContext } from './authenticateContext';
 import type { RequestState } from './authStatus';
 import { AuthErrorReason, handshake, signedIn, signedOut } from './authStatus';
 import { createClerkRequest } from './clerkRequest';
+import { suffixCookie, unSuffixCookie } from './cookie';
 import { verifyHandshakeToken } from './handshake';
 import type { AuthenticateRequestOptions } from './types';
 import { verifyToken } from './verify';
@@ -105,12 +106,16 @@ export async function authenticateRequest(
 
     const handshakePayload = await verifyHandshakeToken(authenticateContext.handshakeToken!, authenticateContext);
     const cookiesToSet = handshakePayload.handshake;
+    const cookieSuffix = getCookieSuffix(authenticateContext.publishableKey);
 
     let sessionToken = '';
     cookiesToSet.forEach((x: string) => {
-      headers.append('Set-Cookie', x);
-      if (x.startsWith(`${constants.Cookies.Session}=`)) {
-        sessionToken = x.split(';')[0].substring(10);
+      const suffixedCookie = suffixCookie(cookieSuffix, x);
+      headers.append('Set-Cookie', suffixedCookie);
+      const unSuffixedCookie = unSuffixCookie(cookieSuffix, x);
+      headers.append('Set-Cookie', unSuffixedCookie);
+      if (unSuffixedCookie.startsWith(`${constants.Cookies.Session}=`)) {
+        sessionToken = unSuffixedCookie.split(';')[0].substring(10);
       }
     });
 
diff --git a/packages/backend/src/util/shared.ts b/packages/backend/src/util/shared.ts
@@ -1,6 +1,11 @@
 export { addClerkPrefix, getScriptUrl, getClerkJsMajorVersionOrTag } from '@clerk/shared/url';
 export { callWithRetry } from '@clerk/shared/callWithRetry';
-export { isDevelopmentFromSecretKey, isProductionFromSecretKey, parsePublishableKey } from '@clerk/shared/keys';
+export {
+  isDevelopmentFromSecretKey,
+  isProductionFromSecretKey,
+  parsePublishableKey,
+  getCookieSuffix,
+} from '@clerk/shared/keys';
 export { deprecated, deprecatedProperty } from '@clerk/shared/deprecated';
 
 import { buildErrorThrower } from '@clerk/shared/error';
