Max cookie size assert #159
Conversation
Awesome, thanks for submitting! I left a few comments on minor things and this would need a test case.
addon/services/cookies.js
Outdated
@@ -76,6 +77,8 @@ export default Service.extend({ | |||
assert('Cookies cannot be set to be HTTP-only as those cookies would not be accessible by the Ember.js application itself when running in the browser!', !options.httpOnly); | |||
assert("Cookies cannot be set as signed as signed cookies would not be modifyable in the browser as it has no knowledge of the express server's signing key!", !options.signed); | |||
assert('Cookies cannot be set with both maxAge and an explicit expiration time!', isEmpty(options.expires) || isEmpty(options.maxAge)); | |||
assert(`Cookies larger than ${MAX_COOKIE_BYTE_LENGTH} bytes are not supported by most browsers!`, this._isCookieSizeAcceptable(value)); |
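Review bot: the new assert at the end of this hunk measures only `value`, but the per-cookie byte budget browsers enforce covers the whole `name=value` pair that ends up being written, so a value that passes `_isCookieSizeAcceptable(value)` can still push the cookie past `MAX_COOKIE_BYTE_LENGTH` once the name and `=` are prepended. Suggest running the check on the serialized cookie string (or at least `name.length + 1 + bytes(value)`, assuming the name is in scope as `name`), and on the value that is actually written rather than the raw argument.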
I'd move this to after value is assigned in line 82 and run the check on the actual value we're also writing then.
addon/services/cookies.js
Outdated
|
||
_getByteCount(value) { | ||
return typeof(value) === 'string' ? encodeURI(value).split(/%(?:u[0-9A-F]{2})?[0-9A-F]{2}|./).length - 1 : 0; | ||
} |
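Review bot: the `%(?:u[0-9A-F]{2})?` alternative in the split regex of `_getByteCount` never matches anything `encodeURI` produces; only the legacy `escape()` emits `%uXXXX` sequences, so the pattern can be reduced to `/%[0-9A-F]{2}|./`. It is also worth a comment that `encodeURI` throws a `URIError` on a lone surrogate, so a malformed value would fail here with an encoding error rather than the size assertion; where `TextEncoder` is available, `new TextEncoder().encode(value).length` gives the UTF-8 byte count directly and without that edge case.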
I guess these 2 methods could also be combined.
addon/services/cookies.js
Outdated
}, | ||
|
||
_getByteCount(value) { | ||
return typeof(value) === 'string' ? encodeURI(value).split(/%(?:u[0-9A-F]{2})?[0-9A-F]{2}|./).length - 1 : 0; |
When the value assigned in line 82 is passed here, the typeof check would no longer be necessary.
Also it would be good to add a comment explaining what the split does.
@marcoow Thanks for the review! I've made the changes and added a unit test. Now, I wasn't sure whether you prefer the MAX_COOKIE_SIZE_LENGTH to be used by the unit test, or whether to decouple the test from the unit entirely. So I've gone for the latter option, the
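As an added example (not ember-cookies' own code), the byte-count check discussed in the review and exercised by the unit test, written stand-alone: it assumes the 4096-byte per-cookie budget and a cookie name of `session`, counts the whole name=value pair, compares the percent-encoding count with TextEncoder, and treats a value that cannot be encoded as oversized.

```javascript
// Added example, not the ember-cookies service code. Assumes the 4096-byte
// per-cookie budget discussed in the PR; the cookie name is an assumption too.
const MAX_COOKIE_BYTE_LENGTH = 4096;

// Count UTF-8 bytes the way the PR's _getByteCount does: percent-encode the
// string, then count each %XX escape (one encoded byte) or each remaining
// single character (always ASCII, so one byte) as one byte. encodeURI never
// emits %uXXXX (only the legacy escape() does), so that branch is not needed.
function countBytesViaEncodeURI(value) {
  return encodeURI(value).split(/%[0-9A-F]{2}|./).length - 1;
}

// Reference count: TextEncoder always produces UTF-8, so its output length is
// the byte count. A lone surrogate becomes U+FFFD (3 bytes) instead of throwing.
function countBytesViaTextEncoder(value) {
  return new TextEncoder().encode(value).length;
}

// The browser budget applies to the whole name=value pair, so include the name
// and the '=' separator. encodeURI throws URIError on a lone surrogate; treat
// such a value as unacceptable rather than letting the error escape the assert.
function isCookieSizeAcceptable(name, value, max = MAX_COOKIE_BYTE_LENGTH) {
  try {
    return countBytesViaEncodeURI(`${name}=${value}`) <= max;
  } catch (e) {
    if (e instanceof URIError) return false;
    throw e;
  }
}

// Constructed sample inputs: 'session=' is 8 bytes, so 4088 ASCII characters
// exactly fill the budget, while 1363 euro signs (3 bytes each) overflow it
// even though they are far fewer characters.
const FULL_ASCII = 'a'.repeat(4088);
const MULTIBYTE = '\u20AC'.repeat(1363);

// Returns the results so the example can be checked rather than only printed.
function demo() {
  return {
    asciiOk: isCookieSizeAcceptable('session', FULL_ASCII),         // true  (4096 bytes)
    asciiOver: isCookieSizeAcceptable('session', FULL_ASCII + 'a'), // false (4097 bytes)
    multibyteOver: isCookieSizeAcceptable('session', MULTIBYTE),    // false (8 + 4089 bytes)
    agree: countBytesViaEncodeURI(MULTIBYTE) === countBytesViaTextEncoder(MULTIBYTE), // true
  };
}
```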
Looks good 👍
addon/services/cookies.js
Outdated
// This snippet counts the bytes in the value | ||
// about to be stored as the cookie: | ||
// See https://stackoverflow.com/a/25994411/6657064 | ||
let _countUtf8Bytes = function (s){ |
It seems the inner function isn't actually needed here?
tests/unit/services/cookies-test.js
Outdated
it('throws when a larger than allowed cookie is set', function() { | ||
expect(() => { | ||
let value = ""; | ||
for(let i = 0; i < 400; i++) { value += Math.random().toString(36).substring(2) } |
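Review bot: the value built in this loop has a non-deterministic length: `Math.random().toString(36).substring(2)` yields strings of varying length (usually 10 or 11 characters, occasionally fewer), so 400 iterations land somewhere around 4000 to 4400 characters and are not guaranteed to exceed the 4096-byte limit on every run, which makes the test flaky. Suggest a fixed value whose size is known by construction, e.g. `let value = 'a'.repeat(4097);`, plus a second case with a multi-byte value (such as repeated `'€'`, 3 bytes each) to show that the check counts bytes rather than characters.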
I guess we could just use a static value here that we know has more than 4096 bytes?
addon/services/cookies.js
Outdated
|
||
assert(`Cookies larger than ${MAX_COOKIE_BYTE_LENGTH} bytes are not supported by most browsers!`, this._isCookieSizeAcceptable(value)); | ||
|
||
|
double newline - this should ideally get caught by ESLint actually…
I restarted the build - seems like the failures were unrelated actually.
@omairvaiyani: tests run now but there are some ESLint issues…
I fixed the linter errors. This should be good to go after #168 is merged and this is rebased.
Replaced byte counter func with more accurate snippet
Added comment on byte counter func
Removed unnecessary type check
e292381 to 4a41f69
Hey @marcoow thanks for sorting this!
In relation to mainmatter/ember-simple-auth#1534 (comment)