Skip to content

Parse auth cookies without requiring spaces#139

Merged
ralyodio merged 1 commit into
profullstack:masterfrom
aiirvizionz:clientkit/robust-cookie-split
Jul 11, 2026
Merged

Parse auth cookies without requiring spaces#139
ralyodio merged 1 commit into
profullstack:masterfrom
aiirvizionz:clientkit/robust-cookie-split

Conversation

@aiirvizionz

Copy link
Copy Markdown
Contributor

Fixes an auth edge case in the crypto public-key routes.

The public-key endpoints parsed Cookie headers with split("; "), which only works when every semicolon is followed by a space. Valid Cookie headers may be serialized as a=1;b=2 by clients/proxies. In that case the Supabase auth cookie and session cookie could be merged into one parsed value, causing authenticated key fetch/sync requests to fail as unauthorized.

This PR changes those parsers to split on ; with optional whitespace and adds a regression test for a Supabase base64-... auth cookie followed immediately by another cookie without a space.

Validation:

  • npx vitest run src/app/api/crypto/public-keys/route.test.js
  • node --check src/app/api/crypto/public-keys/route.js
  • node --check src/app/api/crypto/public-keys/all/route.js
  • node --check src/app/api/crypto/public-keys/route.test.js
  • git diff --check

@ralyodio ralyodio merged commit 0e43751 into profullstack:master Jul 11, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants