chore(backend): Generate suffixed/un-suffixed cookies in handshake

Author: dimkl

packages/backend/src/tokens/cookie.ts

@@ -0,0 +1,23 @@
+const getCookieName = (cookieDirective: string): string => {
+  return cookieDirective.split(';')[0]?.split('=')[0];
+};
+
+const getSuffixedName = (name: string, suffix: string): string => {
+  if (name.endsWith(suffix)) {
+    return name;
+  }
+  return `${name}_${suffix}`;
+};
+
+export const suffixCookie = (suffix: string, cookieDirective: string): string => {
+  const name = getCookieName(cookieDirective);
+  const suffixedName = getSuffixedName(name, suffix);
+
+  return cookieDirective.replace(name + '=', suffixedName + '=');
+};
+
+export const unSuffixCookie = (suffix: string, cookieDirective: string): string => {
+  const name = getCookieName(cookieDirective).replace('_' + suffix, '');
+  const suffixedName = getSuffixedName(suffix, cookieDirective);
+  return cookieDirective.replace(suffixedName + '=', name + '=');
+};

packages/backend/src/tokens/request.ts

@@ -3,12 +3,13 @@ import type { TokenCarrier } from '../errors';
 import { TokenVerificationError, TokenVerificationErrorReason } from '../errors';
 import { decodeJwt } from '../jwt/verifyJwt';
 import { assertValidSecretKey } from '../util/optionsAssertions';
-import { isDevelopmentFromSecretKey } from '../util/shared';
+import { getCookieSuffix, isDevelopmentFromSecretKey } from '../util/shared';
 import type { AuthenticateContext } from './authenticateContext';
 import { createAuthenticateContext } from './authenticateContext';
 import type { RequestState } from './authStatus';
 import { AuthErrorReason, handshake, signedIn, signedOut } from './authStatus';
 import { createClerkRequest } from './clerkRequest';
+import { suffixCookie, unSuffixCookie } from './cookie';
 import { verifyHandshakeToken } from './handshake';
 import type { AuthenticateRequestOptions } from './types';
 import { verifyToken } from './verify';
@@ -105,12 +106,16 @@ export async function authenticateRequest(
 
     const handshakePayload = await verifyHandshakeToken(authenticateContext.handshakeToken!, authenticateContext);
     const cookiesToSet = handshakePayload.handshake;
+    const cookieSuffix = getCookieSuffix(authenticateContext.publishableKey);
 
     let sessionToken = '';
     cookiesToSet.forEach((x: string) => {
-      headers.append('Set-Cookie', x);
-      if (x.startsWith(`${constants.Cookies.Session}=`)) {
-        sessionToken = x.split(';')[0].substring(10);
+      const suffixedCookie = suffixCookie(cookieSuffix, x);
+      headers.append('Set-Cookie', suffixedCookie);
+      const unSuffixedCookie = unSuffixCookie(cookieSuffix, x);
+      headers.append('Set-Cookie', unSuffixedCookie);
+      if (unSuffixedCookie.startsWith(`${constants.Cookies.Session}=`)) {
+        sessionToken = unSuffixedCookie.split(';')[0].substring(10);
       }
     });
 

packages/backend/src/util/shared.ts

@@ -1,6 +1,11 @@
 export { addClerkPrefix, getScriptUrl, getClerkJsMajorVersionOrTag } from '@clerk/shared/url';
 export { callWithRetry } from '@clerk/shared/callWithRetry';
-export { isDevelopmentFromSecretKey, isProductionFromSecretKey, parsePublishableKey } from '@clerk/shared/keys';
+export {
+  isDevelopmentFromSecretKey,
+  isProductionFromSecretKey,
+  parsePublishableKey,
+  getCookieSuffix,
+} from '@clerk/shared/keys';
 export { deprecated, deprecatedProperty } from '@clerk/shared/deprecated';
 
 import { buildErrorThrower } from '@clerk/shared/error';