[fix] forward cookies from fetch on redirect response (#6833)

* [fix] forward cookies from fetch on redirect response

Fixes #6792

* harmonize cookie type

* fix syntax

Co-authored-by: Rich Harris <[email protected]>

Author: dummdidumm

.changeset/afraid-kings-mix.md

@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+[fix] forward cookies from fetch on redirect response

packages/kit/src/runtime/server/cookie.js

@@ -1,4 +1,4 @@
-import { parse } from 'cookie';
+import { parse, serialize } from 'cookie';
 
 /** @type {import('cookie').CookieSerializeOptions} */
 const DEFAULT_SERIALIZE_OPTIONS = {
@@ -12,7 +12,7 @@ const DEFAULT_SERIALIZE_OPTIONS = {
  * @param {URL} url
  */
 export function get_cookies(request, url) {
-	/** @type {Map<string, {name: string; value: string; options: import('cookie').CookieSerializeOptions;}>} */
+	/** @type {Map<string, import('./page/types').Cookie>} */
 	const new_cookies = new Map();
 
 	/** @type {import('types').Cookies} */
@@ -102,3 +102,14 @@ export function path_matches(path, constraint) {
 	if (path === normalized) return true;
 	return path.startsWith(normalized + '/');
 }
+
+/**
+ * @param {Headers} headers
+ * @param {import('./page/types').Cookie[]} cookies
+ */
+export function add_cookies_to_headers(headers, cookies) {
+	for (const new_cookie of cookies) {
+		const { name, value, options } = new_cookie;
+		headers.append('set-cookie', serialize(name, value, options));
+	}
+}

packages/kit/src/runtime/server/index.js

@@ -1,4 +1,3 @@
-import * as cookie from 'cookie';
 import { render_endpoint } from './endpoint.js';
 import { render_page } from './page/index.js';
 import { render_response } from './page/render.js';
@@ -9,7 +8,7 @@ import { decode_params, disable_search, normalize_path } from '../../utils/url.j
 import { exec } from '../../utils/routing.js';
 import { render_data } from './data/index.js';
 import { DATA_SUFFIX } from '../../constants.js';
-import { get_cookies } from './cookie.js';
+import { add_cookies_to_headers, get_cookies } from './cookie.js';
 import { HttpError } from '../control.js';
 
 /* global __SVELTEKIT_ADAPTER_NAME__ */
@@ -246,12 +245,7 @@ export async function respond(request, options, state) {
 					}
 				}
 
-				for (const new_cookie of Array.from(new_cookies.values())) {
-					response.headers.append(
-						'set-cookie',
-						cookie.serialize(new_cookie.name, new_cookie.value, new_cookie.options)
-					);
-				}
+				add_cookies_to_headers(response.headers, Array.from(new_cookies.values()));
 
 				return response;
 			}

packages/kit/src/runtime/server/page/fetch.js

@@ -19,7 +19,7 @@ export function create_fetch({ event, options, state, route, prerender_default,
 
 	const initial_cookies = cookie.parse(event.request.headers.get('cookie') || '');
 
-	/** @type {import('set-cookie-parser').Cookie[]} */
+	/** @type {import('./types').Cookie[]} */
 	const set_cookies = [];
 
 	/**
@@ -31,8 +31,8 @@ export function create_fetch({ event, options, state, route, prerender_default,
 		const new_cookies = {};
 
 		for (const cookie of set_cookies) {
-			if (!domain_matches(url.hostname, cookie.domain)) continue;
-			if (!path_matches(url.pathname, cookie.path)) continue;
+			if (!domain_matches(url.hostname, cookie.options.domain)) continue;
+			if (!path_matches(url.pathname, cookie.options.path)) continue;
 
 			new_cookies[cookie.name] = cookie.value;
 		}
@@ -179,9 +179,11 @@ export function create_fetch({ event, options, state, route, prerender_default,
 		const set_cookie = response.headers.get('set-cookie');
 		if (set_cookie) {
 			set_cookies.push(
-				...set_cookie_parser
-					.splitCookiesString(set_cookie)
-					.map((str) => set_cookie_parser.parseString(str))
+				...set_cookie_parser.splitCookiesString(set_cookie).map((str) => {
+					const { name, value, ...options } = set_cookie_parser.parseString(str);
+					// options.sameSite is string, something more specific is required - type cast is safe
+					return /** @type{import('./types').Cookie} */ ({ name, value, options });
+				})
 			);
 		}
 

packages/kit/src/runtime/server/page/index.js

@@ -217,7 +217,7 @@ export async function render_page(event, route, page, options, state, resolve_op
 							});
 						}
 
-						return redirect_response(err.status, err.location);
+						return redirect_response(err.status, err.location, cookies);
 					}
 
 					const status = err instanceof HttpError ? err.status : 500;

packages/kit/src/runtime/server/page/render.js

@@ -1,10 +1,10 @@
 import { devalue } from 'devalue';
 import { readable, writable } from 'svelte/store';
-import * as cookie from 'cookie';
 import { hash } from '../../hash.js';
 import { serialize_data } from './serialize_data.js';
 import { s } from '../../../utils/misc.js';
 import { Csp } from './csp.js';
+import { add_cookies_to_headers } from '../cookie.js';
 
 // TODO rename this function/module
 
@@ -18,7 +18,7 @@ const updated = {
  * @param {{
  *   branch: Array<import('./types').Loaded>;
  *   fetched: Array<import('./types').Fetched>;
- *   cookies: import('set-cookie-parser').Cookie[];
+ *   cookies: import('./types').Cookie[];
  *   options: import('types').SSROptions;
  *   state: import('types').SSRState;
  *   page_config: { ssr: boolean; csr: boolean };
@@ -328,11 +328,7 @@ export async function render_response({
 			headers.set('content-security-policy-report-only', report_only_header);
 		}
 
-		for (const new_cookie of cookies) {
-			const { name, value, ...options } = new_cookie;
-			// @ts-expect-error
-			headers.append('set-cookie', cookie.serialize(name, value, options));
-		}
+		add_cookies_to_headers(headers, cookies);
 
 		if (link_header_preloads.size) {
 			headers.set('link', Array.from(link_header_preloads).join(', '));

packages/kit/src/runtime/server/page/types.d.ts

@@ -1,5 +1,5 @@
+import { CookieSerializeOptions } from 'cookie';
 import { SSRNode, CspDirectives } from 'types';
-import { HttpError } from '../../control.js';
 
 export interface Fetched {
 	url: string;
@@ -33,3 +33,9 @@ export interface CspOpts {
 	dev: boolean;
 	prerender: boolean;
 }
+
+export interface Cookie {
+	name: string;
+	value: string;
+	options: CookieSerializeOptions;
+}

packages/kit/src/runtime/server/utils.js

@@ -2,6 +2,7 @@ import { devalue } from 'devalue';
 import { DATA_SUFFIX } from '../../constants.js';
 import { negotiate } from '../../utils/http.js';
 import { HttpError } from '../control.js';
+import { add_cookies_to_headers } from './cookie.js';
 
 /** @param {any} body */
 export function is_pojo(body) {
@@ -169,10 +170,13 @@ export function handle_error_and_jsonify(event, options, error) {
 /**
  * @param {number} status
  * @param {string} location
+ * @param {import('./page/types.js').Cookie[]} [cookies]
  */
-export function redirect_response(status, location) {
-	return new Response(undefined, {
+export function redirect_response(status, location, cookies = []) {
+	const response = new Response(undefined, {
 		status,
 		headers: { location }
 	});
+	add_cookies_to_headers(response.headers, cookies);
+	return response;
 }

packages/kit/test/apps/basics/src/routes/shadowed/+page.svelte

@@ -1,6 +1,7 @@
 <a href="/shadowed/simple">simple</a>
 <a href="/shadowed/redirect-get">redirect-get</a>
 <a href="/shadowed/redirect-get-with-cookie">redirect-get-with-cookie</a>
+<a href="/shadowed/redirect-get-with-cookie-from-fetch">redirect-get-with-cookie-from-fetch</a>
 <a href="/shadowed/error-get">error-get</a>
 <a href="/shadowed/no-get">no-get</a>
 <a href="/shadowed/dynamic/foo">dynamic/foo</a>

packages/kit/test/apps/basics/src/routes/shadowed/redirect-get-with-cookie-from-fetch/+page.js

@@ -0,0 +1,7 @@
+import { redirect } from '@sveltejs/kit';
+
+/** @type {import('./$types').PageLoad} */
+export async function load({ fetch }) {
+	await fetch('/shadowed/redirect-get-with-cookie-from-fetch/endpoint');
+	throw redirect(302, '/shadowed/redirected');
+}