Re: [PR] Handle multiple Set-Cookie headers in replicator session plugin [couchdb]

Wed, 22 May 2024 07:47:08 -0700 


nickva commented on code in PR #5066:
URL: https://github.com/apache/couchdb/pull/5066#discussion_r1610135699


##########
src/couch_replicator/src/couch_replicator_auth_session.erl:
##########
@@ -386,23 +386,50 @@ http_response({error, Error}, #state{session_url = Url, 
user = User}) ->
     {error, {session_request_failed, Url, User, Error}}.
 
 -spec parse_cookie(list()) -> {ok, age(), string()} | {error, term()}.
-parse_cookie(Headers0) ->
-    Headers = mochiweb_headers:make(Headers0),
-    case mochiweb_headers:get_value("Set-Cookie", Headers) of
-        undefined ->
+parse_cookie(Headers) ->
+    case get_cookies(Headers) of
+        [] ->
             {error, cookie_not_found};
-        CookieHeader ->
-            CookieKVs = mochiweb_cookies:parse_cookie(CookieHeader),
-            CaseInsKVs = mochiweb_headers:make(CookieKVs),
-            case mochiweb_headers:get_value("AuthSession", CaseInsKVs) of
-                undefined ->
-                    {error, cookie_format_invalid};
-                Cookie ->
-                    MaxAge = parse_max_age(CaseInsKVs),
-                    {ok, MaxAge, Cookie}
+        [_ | _] = Cookies ->
+            case get_auth_session_cookies_and_age(Cookies) of
+                [] -> {error, cookie_format_invalid};
+                [{Cookie, MaxAge} | _] -> {ok, MaxAge, Cookie}
             end
     end.
 
+% Return list of cookies from headers, each as a KV list.
+% For example:
+%  [
+%    [{"AuthSession", "foo"}, {"max-age", "1"}],
+%    [{"ApiKey", "Secret"}, {"HttpOnly", []}]
+%  ]
+%
+-spec get_cookies(list()) -> [list()].
+get_cookies(Headers) ->
+    Headers1 = mochiweb_headers:make(Headers),
+    Headers2 = mochiweb_headers:to_list(Headers1),

Review Comment:
   `Headers` is not coming from mochiweb but ibrowse in whatever case they came 
in. So we do the standard mochiweb "raw" processing, normalization, etc. but 
the context is all about being on the client side, even though we're using our 
sever-side mochiweb library.
   
   We could probably do that ourselves but since the headers does some extra 
stuff like combine headers, trim whitespace it might be safer just to process 
all headers the same way.
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to