
fix: handle KV 414 error when IMS auth fragment leaks into org path #270

Merged
kptdobe merged 1 commit into main from fix/kv-414-ims-fragment-in-org-path
Apr 30, 2026

Conversation

@kptdobe kptdobe (Contributor) commented Apr 30, 2026

Problem

IMS OAuth redirect fragments leak into the admin API URL path on the client side. After a login redirect, the URL fragment (#access_token=... or #ld_hash=...) is incorrectly included when constructing the config endpoint URL, resulting in requests like:

GET https://admin.da.live/config/ccess_token=<jwt>&state=%7B%22jslibver%22%3A%22v2-v0.48.0%22...%7D&token_type=bearer&expires_in=86399998/

getAclCtx() passes the extracted org segment directly to env.DA_CONFIG.get() as a KV key. When that segment contains the full IMS token payload (~1986 bytes), Cloudflare KV rejects it:

Error computing context
Error: KV GET failed: 414 UTF-8 encoded length of 1986 exceeds key length limit of 512.

This unhandled exception propagated through getDaCtx() and was caught by the generic error handler in index.js, returning a 500 to the client.

Observed in production logs over the last 12h: multiple 500 responses tied to RayID: 9f43e69cbfa5561f and similar.

Fix

Wrap the DA_CONFIG.get(org) call in getAclCtx() with a try/catch. On any KV error, return an empty actionSet so the existing !authorized check in index.js returns a clean 403 instead of a 500.

The root cause (client-side IMS fragment leaking into the URL) is a separate issue in da-website/da-collab; this fix makes the worker resilient to it.

Test plan

  • New unit test: returns empty action set when DA_CONFIG KV GET throws 414 key-too-long error — confirms the fix handles the exact production error without throwing
  • Full test suite passes (369 tests)
  • ESLint clean

🤖 Generated with Claude Code

IMS OAuth redirect fragments (#access_token=..., #ld_hash=...) were leaking
into the admin API URL path on the client side, producing an org segment up
to 1986 bytes — far exceeding Cloudflare KV's 512-byte key limit. The KV
GET in getAclCtx() threw a 414 error that propagated to a 500 response.

Guard the DA_CONFIG.get() call with try/catch and return an empty action set
on any KV error, so the request receives a clean 403 instead of a 500.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
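The guard described in the PR, as an added example that is not da-admin's own code: a stand-in getAclCtx() in its unguarded and guarded forms, run against a constructed KV namespace (FakeKv) that enforces Cloudflare KV's 512-byte key limit. The /config/<org> route shape, the 'json' get type and the config's `actions` field are assumptions.

```javascript
// FakeKv: constructed stand-in for the DA_CONFIG KV binding that enforces
// Cloudflare KV's 512-byte key limit and throws the 414 text quoted in the PR.
const KV_KEY_LIMIT = 512;
class FakeKv {
  constructor(entries = {}) { this.entries = entries; }
  async get(key, type) {
    const len = new TextEncoder().encode(key).length;
    if (len > KV_KEY_LIMIT) {
      throw new Error(`KV GET failed: 414 UTF-8 encoded length of ${len} exceeds key length limit of ${KV_KEY_LIMIT}.`);
    }
    const value = this.entries[key];
    return value === undefined ? null : (type === 'json' ? JSON.parse(value) : value);
  }
}

// Org is the second path segment of /config/<org>/... (assumed route shape).
function orgFromPath(url) {
  return decodeURIComponent(new URL(url).pathname.split('/')[2] ?? '');
}

// Before the fix: a KV error escapes and the generic handler answers 500.
async function getAclCtxUnguarded(env, org) {
  const config = await env.DA_CONFIG.get(org, 'json');
  return { actionSet: config?.actions ?? [] }; // 'actions' is an assumed config field
}

// After the fix: any KV error yields an empty action set, so the caller's
// existing !authorized check answers 403 instead of 500.
async function getAclCtxGuarded(env, org) {
  let config = null;
  try {
    config = await env.DA_CONFIG.get(org, 'json');
  } catch (e) {
    console.error('Error computing context', e.message); // keep the log line for alerting
    return { actionSet: [] };
  }
  return { actionSet: config?.actions ?? [] };
}

// Mirrors the caller: no permitted actions means not authorized.
function statusFor(aclCtx) { return aclCtx.actionSet.length ? 200 : 403; }

// Constructed URL modelled on the leaked one in the PR, token payload replaced
// by filler so the org segment is far over 512 bytes.
const leakedUrl = `https://admin.da.live/config/ccess_token=${'x'.repeat(1900)}&token_type=bearer&expires_in=86399998/`;
const env = { DA_CONFIG: new FakeKv({ 'example-org': JSON.stringify({ actions: ['read'] }) }) };
getAclCtxGuarded(env, orgFromPath(leakedUrl)).then((ctx) => console.log('status', statusFor(ctx)));
```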
@kptdobe kptdobe requested a review from bosschaert April 30, 2026 06:23
@codecov codecov Bot commented Apr 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@kptdobe kptdobe merged commit db2b4c8 into main Apr 30, 2026
6 checks passed
@kptdobe kptdobe deleted the fix/kv-414-ims-fragment-in-org-path branch April 30, 2026 11:54
adobe-bot pushed a commit that referenced this pull request Apr 30, 2026
## [1.7.1](v1.7.0...v1.7.1) (2026-04-30)

### Bug Fixes

* handle KV 414 error when IMS auth fragment leaks into org path ([#270](#270)) ([db2b4c8](db2b4c8))
* treat putVersion 412 as version-already-exists, not failure ([#271](#271)) ([e92b916](e92b916))
@adobe-bot adobe-bot (Collaborator) commented:

🎉 This PR is included in version 1.7.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
