Merge branch 'main' into frederikprijck-patch-2

Author: tusharpandey13

V4_MIGRATION_GUIDE.md

@@ -235,9 +235,6 @@ If you'd like to customize the `user` object to include additional custom claims
 ## Additional changes
 
 - By default, v4 is edge-compatible and as such there is no longer a `@auth0/nextjs-auth0/edge` export.
-- Cookie chunking has been removed
-  - If the cookie size exceeds the browser limit of 4096 bytes, a warning will be logged
-  - To store large session data, please use a [custom data store](https://github.com/auth0/nextjs-auth0/tree/main?tab=readme-ov-file#database-sessions) with a SessionStore implementation
 - All cookies set by the SDK default to `SameSite=Lax`
 - `touchSession` method was removed. The middleware enables rolling sessions by default and can be configured via the [session configuration](https://github.com/auth0/nextjs-auth0/tree/main?tab=readme-ov-file#session-configuration).
 - `getAccessToken` can now be called in React Server Components.

src/client/providers/auth0-provider.tsx

@@ -16,7 +16,7 @@ export function Auth0Provider({
     <SWRConfig
       value={{
         fallback: {
-          "/auth/profile": user
+          [process.env.NEXT_PUBLIC_PROFILE_ROUTE || "/auth/profile"]: user
         }
       }}
     >

src/server/chunked-cookies.test.ts

@@ -166,16 +166,75 @@ describe("Chunked Cookie Utils", () => {
       );
     });
 
-    it("should log a warning when cookie size exceeds warning threshold", () => {
-      const name = "warningCookie";
+    it("should clear existing chunked cookies when setting a single cookie", () => {
+      const name = "testCookie";
+      const value = "small value";
       const options = { path: "/" } as CookieOptions;
 
-      // Create a value that exceeds the warning threshold (4096 bytes)
-      const value = "a".repeat(4097);
+      const chunk0 = "chunk0 value";
+      const chunk1 = "chunk1 value";
+      const chunk2 = "chunk2 value";
+
+      cookieStore.set(`${name}__1`, chunk1);
+      cookieStore.set(`${name}__0`, chunk0);
+      cookieStore.set(`${name}__2`, chunk2);
 
       setChunkedCookie(name, value, options, reqCookies, resCookies);
 
-      expect(console.warn).toHaveBeenCalled();
+      expect(resCookies.set).toHaveBeenCalledTimes(1);
+      expect(resCookies.set).toHaveBeenCalledWith(name, value, options);
+      expect(reqCookies.set).toHaveBeenCalledTimes(1);
+      expect(reqCookies.set).toHaveBeenCalledWith(name, value);
+      expect(reqCookies.delete).toHaveBeenCalledTimes(3);
+      expect(reqCookies.delete).toHaveBeenCalledWith(`${name}__0`);
+      expect(reqCookies.delete).toHaveBeenCalledWith(`${name}__1`);
+      expect(reqCookies.delete).toHaveBeenCalledWith(`${name}__2`);
+    });
+
+    it("should clear existing single cookies when setting a chunked cookie", () => {
+      const name = "testCookie";
+      const value = "small value";
+
+      cookieStore.set(`${name}`, value);
+
+      // Create a large string (8000 bytes)
+      const largeValue = "a".repeat(8000);
+      const options = { path: "/" } as CookieOptions;
+
+      setChunkedCookie(name, largeValue, options, reqCookies, resCookies);
+
+      expect(reqCookies.delete).toHaveBeenCalledTimes(1);
+      expect(reqCookies.delete).toHaveBeenCalledWith(`${name}`);
+      expect(resCookies.set).toHaveBeenCalledTimes(3);
+      expect(reqCookies.set).toHaveBeenCalledTimes(3);
+    });
+
+    it("should clean up unused chunks when cookie shrinks", () => {
+      const name = "testCookie";
+      const options = { path: "/" } as CookieOptions;
+
+      const chunk0 = "chunk0 value";
+      const chunk1 = "chunk1 value";
+      const chunk2 = "chunk2 value";
+      const chunk3 = "chunk3 value";
+      const chunk4 = "chunk4 value";
+
+      cookieStore.set(`${name}__1`, chunk1);
+      cookieStore.set(`${name}__0`, chunk0);
+      cookieStore.set(`${name}__2`, chunk2);
+      cookieStore.set(`${name}__3`, chunk3);
+      cookieStore.set(`${name}__4`, chunk4);
+
+      const largeValue = "a".repeat(8000);
+      setChunkedCookie(name, largeValue, options, reqCookies, resCookies);
+
+      // It is called 3 times.
+      // 2 times for the chunks
+      // 1 time for the non chunked cookie
+      expect(reqCookies.delete).toHaveBeenCalledTimes(3); 
+      expect(reqCookies.delete).toHaveBeenCalledWith(`${name}__3`);
+      expect(reqCookies.delete).toHaveBeenCalledWith(`${name}__4`);
+      expect(reqCookies.delete).toHaveBeenCalledWith(name);
     });
 
     describe("getChunkedCookie", () => {

src/server/client.ts

@@ -260,7 +260,8 @@ export class Auth0Client {
 
       allowInsecureRequests: options.allowInsecureRequests,
       httpTimeout: options.httpTimeout,
-      enableTelemetry: options.enableTelemetry
+      enableTelemetry: options.enableTelemetry,
+      enableAccessTokenEndpoint: options.enableAccessTokenEndpoint,
     });
   }
 

src/server/cookies.ts

@@ -127,7 +127,6 @@ export { RequestCookies };
 const MAX_CHUNK_SIZE = 3500; // Slightly under 4KB
 const CHUNK_PREFIX = "__";
 const CHUNK_INDEX_REGEX = new RegExp(`${CHUNK_PREFIX}(\\d+)$`);
-const COOKIE_SIZE_WARNING_THRESHOLD = 4096;
 
 /**
  * Retrieves the index of a cookie based on its name.
@@ -171,8 +170,6 @@ const getAllChunkedCookies = (
  * @param options - Options for setting the cookie.
  * @param reqCookies - The request cookies object, used to enable read-after-write in the same request for middleware.
  * @param resCookies - The response cookies object, used to set the cookies in the response.
- *
- * @throws {Error} If the cookie size exceeds the warning threshold.
  */
 export function setChunkedCookie(
   name: string,
@@ -183,19 +180,18 @@ export function setChunkedCookie(
 ): void {
   const valueBytes = new TextEncoder().encode(value).length;
 
-  if (valueBytes > COOKIE_SIZE_WARNING_THRESHOLD) {
-    console.warn(
-      `The cookie size exceeds ${COOKIE_SIZE_WARNING_THRESHOLD} bytes, which may cause issues in some browsers. ` +
-        "Consider removing any unnecessary custom claims from the access token or the user profile. " +
-        "Alternatively, you can use a stateful session implementation to store the session data in a data store."
-    );
-  }
-
   // If value fits in a single cookie, set it directly
   if (valueBytes <= MAX_CHUNK_SIZE) {
     resCookies.set(name, value, options);
     // to enable read-after-write in the same request for middleware
     reqCookies.set(name, value);
+
+    // When we are writing a non-chunked cookie, we should remove the chunked cookies
+    getAllChunkedCookies(reqCookies, name).forEach(cookieChunk => {
+      resCookies.delete(cookieChunk.name);
+      reqCookies.delete(cookieChunk.name);
+    });
+
     return;
   }
 
@@ -213,6 +209,23 @@ export function setChunkedCookie(
     position += MAX_CHUNK_SIZE;
     chunkIndex++;
   }
+
+  // clear unused chunks
+  const chunks = getAllChunkedCookies(reqCookies, name);
+  const chunksToRemove = chunks.length - chunkIndex;
+
+  if (chunksToRemove > 0) {
+    for (let i = 0; i < chunksToRemove; i++) {
+      const chunkIndexToRemove = chunkIndex + i;
+      const chunkName = `${name}${CHUNK_PREFIX}${chunkIndexToRemove}`;
+      resCookies.delete(chunkName);
+      reqCookies.delete(chunkName);
+    }
+  }
+
+   // When we have written chunked cookies, we should remove the non-chunked cookie
+   resCookies.delete(name);
+   reqCookies.delete(name);
 }
 
 /**