Merge pull request #303 from auth0/cookie-cleanup

adamjmcgrath · web-flow · commit c485044a5c9b · 2021-02-23T11:26:07.000Z
We should cleanup unused cookies when switching between chunked and unchunked
diff --git a/src/auth0-session/cookie-store.ts b/src/auth0-session/cookie-store.ts
@@ -160,10 +160,11 @@ export default class CookieStore {
       cookie: { transient, ...cookieConfig },
       name: sessionName
     } = this.config.session;
+    const cookies = getCookies(req);
 
     if (!session) {
       debug('clearing all matching session cookies');
-      for (const cookieName of Object.keys(getCookies(req))) {
+      for (const cookieName of Object.keys(cookies)) {
         if (cookieName.match(`^${sessionName}(?:\\.\\d)?$`)) {
           clearCookie(res, cookieName, {
             domain: cookieConfig.domain,
@@ -196,8 +197,22 @@ export default class CookieStore {
         const chunkCookieName = `${sessionName}.${i}`;
         setCookie(res, chunkCookieName, chunkValue, cookieOptions);
       }
+      if (sessionName in cookies) {
+        clearCookie(res, sessionName, {
+          domain: cookieConfig.domain,
+          path: cookieConfig.path
+        });
+      }
     } else {
       setCookie(res, sessionName, value, cookieOptions);
+      for (const cookieName of Object.keys(cookies)) {
+        if (cookieName.match(`^${sessionName}\\.\\d$`)) {
+          clearCookie(res, cookieName, {
+            domain: cookieConfig.domain,
+            path: cookieConfig.path
+          });
+        }
+      }
     }
   }
 }
diff --git a/tests/auth0-session/cookie-store.test.ts b/tests/auth0-session/cookie-store.test.ts
@@ -148,6 +148,37 @@ describe('CookieStore', () => {
     await expect(get(baseURL, '/session', { cookieJar })).rejects.toThrowError('Unauthorized');
   });
 
+  it('should clean up single cookie when switching to chunked', async () => {
+    const baseURL = await setup(defaultConfig);
+    const appSession = encrypted({
+      big_claim: randomBytes(2000).toString('base64')
+    });
+    expect(appSession.length).toBeGreaterThan(4000);
+    const cookieJar = toCookieJar({ appSession }, baseURL);
+    const session = await get(baseURL, '/session', { cookieJar });
+    expect(session.claims).toHaveProperty('big_claim');
+    const cookies = fromCookieJar(cookieJar, baseURL);
+    expect(cookies).toHaveProperty(['appSession.0']);
+    expect(cookies).not.toHaveProperty('appSession');
+  });
+
+  it('should clean up chunked cookies when switching to a single cookie', async () => {
+    const baseURL = await setup(defaultConfig);
+    const appSession = encrypted({ sub: 'foo' });
+    const cookieJar = toCookieJar(
+      {
+        'appSession.0': appSession.slice(0, 100),
+        'appSession.1': appSession.slice(100)
+      },
+      baseURL
+    );
+    const session = await get(baseURL, '/session', { cookieJar });
+    expect(session.claims).toHaveProperty('sub');
+    const cookies = fromCookieJar(cookieJar, baseURL);
+    expect(cookies).toHaveProperty('appSession');
+    expect(cookies).not.toHaveProperty(['appSession.0']);
+  });
+
   it('should set the default cookie options on http', async () => {
     const baseURL = await setup(defaultConfig);
     const appSession = encrypted();
