Strip visitor.* param when normalizing URL (#3512)

Author: spastorelli

.changeset/hungry-ladybugs-allow.md

@@ -0,0 +1,5 @@
+---
+"gitbook": patch
+---
+
+Strip visitor params from URL

packages/gitbook/src/lib/visitors.test.ts

@@ -7,6 +7,7 @@ import {
     getVisitorAuthCookieValue,
     getVisitorToken,
     getVisitorUnsignedClaims,
+    normalizeVisitorURL,
 } from './visitors';
 
 describe('getVisitorAuthToken', () => {
@@ -295,3 +296,34 @@ describe('getVisitorUnsignedClaims', () => {
         });
     });
 });
+
+describe('normalizeVisitorURL', () => {
+    it('should strip the jwt_token param when present in the URL', () => {
+        const url = new URL('https://docs.example.com/?jwt_token=fake-token');
+        expect(normalizeVisitorURL(url).toString()).toBe('https://docs.example.com/');
+    });
+
+    it('should strip the visitor.* params when present in the URL', () => {
+        const url = new URL(
+            'https://docs.example.com/?visitor.isBetaUser=true&visitor.language=fr'
+        );
+        expect(normalizeVisitorURL(url).toString()).toBe('https://docs.example.com/');
+    });
+
+    it('should strip both jwt_token and visitor.* params when present in the URL', () => {
+        const url = new URL(
+            'https://docs.example.com/?jwt_token=fake-token&visitor.isBetaUser=true&visitor.language=fr'
+        );
+        expect(normalizeVisitorURL(url).toString()).toBe('https://docs.example.com/');
+    });
+
+    it('should leave other params like q or ask untouched', () => {
+        const url1 = new URL('https://docs.example.com/?q=search');
+        expect(normalizeVisitorURL(url1).toString()).toBe('https://docs.example.com/?q=search');
+
+        const url2 = new URL('https://docs.example.com/?ask=this+is+a+question');
+        expect(normalizeVisitorURL(url2).toString()).toBe(
+            'https://docs.example.com/?ask=this+is+a+question'
+        );
+    });
+});

packages/gitbook/src/lib/visitors.ts

@@ -3,6 +3,7 @@ import type { NextRequest } from 'next/server';
 import hash from 'object-hash';
 
 const VISITOR_AUTH_PARAM = 'jwt_token';
+const VISITOR_PARAM_PREFIX = 'visitor.';
 export const VISITOR_TOKEN_COOKIE = 'gitbook-visitor-token';
 const VISITOR_UNSIGNED_CLAIMS_PREFIX = 'gitbook-visitor-public';
 
@@ -163,8 +164,8 @@ export function getVisitorUnsignedClaims(args: {
     }
 
     for (const [key, value] of url.searchParams.entries()) {
-        if (key.startsWith('visitor.')) {
-            const claimPath = key.substring('visitor.'.length);
+        if (key.startsWith(VISITOR_PARAM_PREFIX)) {
+            const claimPath = key.substring(VISITOR_PARAM_PREFIX.length);
             const claimValue = parseVisitorQueryParamValue(value);
 
             setVisitorClaimByPath(claims, claimPath, claimValue);
@@ -326,16 +327,21 @@ export function getVisitorAuthCookieValue(basePath: string, token: string): stri
 }
 
 /**
- * Normalize the URL by removing the visitor authentication token from the query parameters (if present).
+ * Normalize the URL by removing the visitor JWT token and visitor.* param from the query parameters (if present).
  */
-export function normalizeVisitorAuthURL(url: URL): URL {
+export function normalizeVisitorURL(url: URL): URL {
+    const withoutVisitorParamsURL = new URL(url);
     if (url.searchParams.has(VISITOR_AUTH_PARAM)) {
-        const withoutVAParam = new URL(url);
-        withoutVAParam.searchParams.delete(VISITOR_AUTH_PARAM);
-        return withoutVAParam;
+        withoutVisitorParamsURL.searchParams.delete(VISITOR_AUTH_PARAM);
     }
 
-    return url;
+    for (const [urlParam] of url.searchParams.entries()) {
+        if (urlParam.startsWith(VISITOR_PARAM_PREFIX)) {
+            withoutVisitorParamsURL.searchParams.delete(urlParam);
+        }
+    }
+
+    return withoutVisitorParamsURL;
 }
 
 /**

packages/gitbook/src/middleware.ts

@@ -21,7 +21,7 @@ import {
     getPathScopedCookieName,
     getResponseCookiesForVisitorAuth,
     getVisitorData,
-    normalizeVisitorAuthURL,
+    normalizeVisitorURL,
 } from '@/lib/visitors';
 import { serveResizedImage } from '@/routes/image';
 import { cookies } from 'next/headers';
@@ -221,13 +221,16 @@ async function serveSiteRoutes(requestURL: URL, request: NextRequest) {
             incomingURL.search = requestURL.search;
         }
         //
-        // Make sure the URL is clean of any va token after a successful lookup
-        // The token is stored in a cookie that is set on the redirect response
+        // Make sure the URL is clean of any va token after a successful lookup,
+        // and of any visitor.* params that may have been passed to the URL.
         //
-        const incomingURLWithoutToken = normalizeVisitorAuthURL(incomingURL);
-        if (incomingURLWithoutToken.toString() !== incomingURL.toString()) {
+        // The token and the visitor.* params value are stored in cookies that are set
+        // on the redirect response.
+        //
+        const normalizedVisitorURL = normalizeVisitorURL(incomingURL);
+        if (normalizedVisitorURL.toString() !== incomingURL.toString()) {
             return writeResponseCookies(
-                NextResponse.redirect(incomingURLWithoutToken.toString()),
+                NextResponse.redirect(normalizedVisitorURL.toString()),
                 cookies
             );
         }