nickva commented on code in PR #5066:
URL: https://github.com/apache/couchdb/pull/5066#discussion_r1610113422
##########
src/couch_replicator/src/couch_replicator_auth_session.erl:
##########
@@ -386,23 +386,50 @@ http_response({error, Error}, #state{session_url = Url,
user = User}) ->
{error, {session_request_failed, Url, User, Error}}.
-spec parse_cookie(list()) -> {ok, age(), string()} | {error, term()}.
-parse_cookie(Headers0) ->
- Headers = mochiweb_headers:make(Headers0),
- case mochiweb_headers:get_value("Set-Cookie", Headers) of
- undefined ->
+parse_cookie(Headers) ->
+ case get_cookies(Headers) of
+ [] ->
{error, cookie_not_found};
- CookieHeader ->
- CookieKVs = mochiweb_cookies:parse_cookie(CookieHeader),
- CaseInsKVs = mochiweb_headers:make(CookieKVs),
- case mochiweb_headers:get_value("AuthSession", CaseInsKVs) of
- undefined ->
- {error, cookie_format_invalid};
- Cookie ->
- MaxAge = parse_max_age(CaseInsKVs),
- {ok, MaxAge, Cookie}
+ [_ | _] = Cookies ->
+ case get_auth_session_cookies_and_age(Cookies) of
+ [] -> {error, cookie_format_invalid};
+ [{Cookie, MaxAge} | _] -> {ok, MaxAge, Cookie}
end
end.
+% Return list of cookies from headers, each as a KV list.
+% For example:
+% [
+% [{"AuthSession", "foo"}, {"max-age", "1"}],
+% [{"ApiKey", "Secret"}, {"HttpOnly", []}]
+% ]
+%
+-spec get_cookies(list()) -> [list()].
+get_cookies(Headers) ->
+ Headers1 = mochiweb_headers:make(Headers),
+ Headers2 = mochiweb_headers:to_list(Headers1),
+ Fun = fun({K, V}) ->
+ case string:equal(K, "Set-Cookie", true) of
+ true -> {true, mochiweb_cookies:parse_cookie(V)};
+ false -> false
+ end
+ end,
+ lists:filtermap(Fun, Headers2).
+
+% From a list of cookies, pick out only AuthSession cookies.
+% Return a list of {Cookie, MaxAge} tuples
+%
+-spec get_auth_session_cookies_and_age([list()]) -> [{string(), age()}].
+get_auth_session_cookies_and_age(Cookies) ->
+ Fun = fun(CookieKVs) ->
+ CaseInsKVs = mochiweb_headers:make(CookieKVs),
+ case mochiweb_headers:get_value("AuthSession", CaseInsKVs) of
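Review bot: The `[{Cookie, MaxAge} | _]` clause in `parse_cookie/1` silently takes the first AuthSession entry when a response carries more than one `Set-Cookie` header with that name, and nothing in the code or comments says this choice is intended. Whether "first" means first on the wire depends on the order `mochiweb_headers:to_list/1` returns after the `make/1` round trip in `get_cookies/1`, which is worth confirming, since a proxy or load balancer that appends its own cookie could otherwise change which session value the replicator uses. I would document the rule above that clause, for example `% If several Set-Cookie headers carry AuthSession, the first one returned by get_cookies/1 wins.`, and cover the multi-header case with a test. The body of the fun in `get_auth_session_cookies_and_age/1` continues past the quoted hunk, so it is not visible here whether an AuthSession entry with an empty value (as sent when a cookie is cleared) is filtered out before it reaches that clause.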
Review Comment:
We use mochiweb_headers because cookie attributes are case insensitive.
Later on we look up Max-Age which is an attribute and its name could
technically be `max-age` if for some reason it was produced by couch-clone or
the cookie was re-written by a load balancer.
https://www.rfc-editor.org/rfc/rfc6265#section-5.2.2
> [5.2.2](https://www.rfc-editor.org/rfc/rfc6265#section-5.2.2). The
Max-Age Attribute
> If the attribute-name case-insensitively matches the string "Max-
Age", the user agent MUST process the cookie-av as follows. ...