Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cookie not being parsed correctly #2316

Closed
jimmya opened this issue Apr 16, 2020 · 3 comments · Fixed by #2317
Closed

Cookie not being parsed correctly #2316

jimmya opened this issue Apr 16, 2020 · 3 comments · Fixed by #2317
Labels
bug Something isn't working
Projects
Vapor 4

Comments

@jimmya
Copy link

jimmya commented Apr 16, 2020

Hi,

I'm using Vapor together with ory/hydra. Which calls 1 of my endpoints with a oauth2_authentication_csrf cookie. In Vapor 4.0.0-rc.1 this worked perfectly however after updating to Vapor 4.1.0 the cookie is no longer parsed by Vapor.

Steps to reproduce

Perform a request with this cookie header:

oauth2_authentication_csrf=MTU4NzA1MTc0N3xEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJRGs1WkRKbU1HRTVNMlF3TmpRM1lUbGhOelptTnprMU5EYzRZMlk1WkRObXx6lRdSC3-hPvE1pxp4ylFlBruOyJtRo8OnzBrAriBr0w==; vapor-session=ZFPQ46p3frNX52i3dM+JFlWbTxQX5rtGuQ5r7Gb6JUs=; oauth2_consent_csrf=MTU4NjkzNzgwMnxEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJR1ExWVRnM09USmhOamRsWXpSbU4yRmhOR1UwTW1KaU5tRXpPRGczTmpjMHweHbVecAf193ev3_1Tcf60iY9jSsq5-IQxGTyoztRTfg==

Expected behavior

oauth2_authentication_csrf cookie should be present on req.cookies.

Actual behavior

It isn't.

Environment

  • Vapor Framework version: 4.1.0
  • Vapor Toolbox version: -
  • OS version: though running in Docker on k8s
@jimmya
Copy link
Author

jimmya commented Apr 16, 2020
edited

Seems to be returning nil here (HTTPHeaders+Directive.swift line 133)

private func firstParameterToken() -> Substring.Index? {
    for index in self.current.indices {
        let character = self.current[index]
        if character == .equals {
            return index
        } else if !character.isDirectiveKey {
            return nil
        }
    }
    return nil
}

because it encounters a underscore.

@tanner0101 tanner0101 added the bug Something isn't working label Apr 16, 2020
@tanner0101 tanner0101 added this to To Do in Vapor 4 via automation Apr 16, 2020
@jimmya
Copy link
Author

jimmya commented Apr 16, 2020
edited

1 more thing I noticed. In the HTTPCookies initialiser:

init?(directives: [HTTPHeaders.Directive]) {
    self.cookies = [:]
    for directive in directives {
        guard let value = directive.parameter else {
            return nil
        }
        self.cookies[.init(directive.value)] = .init(string: .init(value))
    }
}

on encountering a directive without param all other cookies are omitted. Is this intentional or should it just be a continue iso return nil

In this test setup:

func testCookie_parsing() throws {
    let headers = HTTPHeaders([
        ("cookie", "oauth2_authentication_csrf=MTU4NzA1MTc0N3xEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJRGs1WkRKbU1HRTVNMlF3TmpRM1lUbGhOelptTnprMU5EYzRZMlk1WkRObXx6lRdSC3-hPvE1pxp4ylFlBruOyJtRo8OnzBrAriBr0w==; vapor-session=ZFPQ46p3frNX52i3dM+JFlWbTxQX5rtGuQ5r7Gb6JUs=; oauth2_consent_csrf=MTU4NjkzNzgwMnxEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJR1ExWVRnM09USmhOamRsWXpSbU4yRmhOR1UwTW1KaU5tRXpPRGczTmpjMHweHbVecAf193ev3_1Tcf60iY9jSsq5-IQxGTyoztRTfg==")
    ])
    XCTAssertEqual(headers.cookie?["vapor-session"]?.string, "ZFPQ46p3frNX52i3dM+JFlWbTxQX5rtGuQ5r7Gb6JUs=")
    XCTAssertEqual(headers.cookie?["oauth2_authentication_csrf"]?.string, "MTU4NzA1MTc0N3xEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJRGs1WkRKbU1HRTVNMlF3TmpRM1lUbGhOelptTnprMU5EYzRZMlk1WkRObXx6lRdSC3-hPvE1pxp4ylFlBruOyJtRo8OnzBrAriBr0w==")
    XCTAssertEqual(headers.cookie?["oauth2_consent_csrf"]?.string, "MTU4NjkzNzgwMnxEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJR1ExWVRnM09USmhOamRsWXpSbU4yRmhOR1UwTW1KaU5tRXpPRGczTmpjMHweHbVecAf193ev3_1Tcf60iY9jSsq5-IQxGTyoztRTfg==")
}

all asserts fail. While the vapor-session cookie is actually parsed correctly.

@tanner0101 tanner0101 mentioned this issue Apr 16, 2020
Merged
@tanner0101
Copy link
Member

I've put up a fix here: #2317

Is this intentional or should it just be a continue iso return nil

Yeah this is intentional. If the cookie header is malformed then headers.cookie should be nil. We can't be sure things were parsed correctly otherwise which could cause problems.

Vapor 4 automation moved this from To Do to Done Apr 16, 2020
@tanner0101 tanner0101 mentioned this issue Apr 17, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
Vapor 4
  
Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Support numbers in header directive keys vapor/vapor
2 participants
@tanner0101 @jimmya