fix: session cookie parsing optimizations (#1009)

## Summary of change

This PR refactors the function used for parsing incoming request cookies and optimizes it to avoid parsing cookies (since we don't care about the value).

> PS: The changes to the oauth2 and webauthn files were done during the build process (I think some formatting changes)

## Related issues

- #1007 

## Test Plan

- All tests in backend-sdk-testing should pass

## Documentation changes

(If relevant, please create a PR in our [docs repo](https://github.com/supertokens/docs), or create a checklist here highlighting the necessary changes)

## Checklist for important updates

-   [x] Changelog has been updated
-   [ ] `coreDriverInterfaceSupported.json` file has been updated (if needed)
    -   Along with the associated array in `lib/ts/version.ts`
-   [ ] `frontendDriverInterfaceSupported.json` file has been updated (if needed)
-   [ ] Changes to the version if needed
    -   In `package.json`
    -   In `package-lock.json`
    -   In `lib/ts/version.ts`
-   [x] Had run `npm run build-pretty`
-   [x] Had installed and ran the pre-commit hook
-   [ ] If new thirdparty provider is added,
    -   [ ] update switch statement in `recipe/thirdparty/providers/configUtils.ts` file, `createProvider` function.
    -   [ ] add an icon on the user management dashboard.
-   [x] Issue this PR against the latest non released version branch.
    -   To know which one it is, run find the latest released tag (`git tag`) in the format `vX.Y.Z`, and then find the latest branch (`git branch --all`) whose `X.Y` is greater than the latest released tag.
    -   If no such branch exists, then create one from the latest released branch.
-   [ ] If have added a new web framework, update the `add-ts-no-check.js` file to include that
-   [ ] If added a new recipe / api interface, then make sure that the implementation of it uses NON arrow functions only (like `someFunc: function () {..}`).
-   [ ] If added a new recipe, then make sure to expose it inside the recipe folder present in the root of this repo. We also need to expose its types.
-   [ ] If added a new entry point, then make sure that it is importable by adding it to the `exports` in `package.json`

## Remaining TODOs for this PR

Author: porcellus

CHANGELOG.md

@@ -19,6 +19,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [23.0.0] - 2025-06-10
 
+-   Refactors internal logic of parsing cookies to check accessToken and optimizes it to avoid parsing unrelated cookies.
 -   The `getConsentRequest`, `acceptConsentRequest`, `rejectConsentRequest`, `acceptLoginRequest`, `rejectLoginRequest` and `introspectToken` can now possibly return an `ErrorOAuth2`.
 -   The `/oauth/introspect` can now possibly return an `ErrorAuth2`.
 -   The `User` class now has a `fromApi` function to normalize the user object returned from the API.

lib/build/recipe/oauth2provider/constants.js

@@ -273,38 +273,31 @@ export function hasMultipleCookiesForTokenType(
         return false;
     }
 
-    const cookies = parseCookieStringFromRequestHeaderAllowingDuplicates(cookieString);
+    const cookieNames = getCookieNamesFromRequestHeaderAllowingDuplicates(cookieString);
     const cookieName = config.getCookieNameForTokenType(req, tokenType, userContext);
-    return cookies[cookieName] !== undefined && cookies[cookieName].length > 1;
+    return cookieNames.filter((name) => name === cookieName).length > 1;
 }
 
 // This function is required because cookies library (and most of the popular libraries in npm)
 // does not support parsing multiple cookies with the same name.
-function parseCookieStringFromRequestHeaderAllowingDuplicates(cookieString: string): Record<string, string[]> {
-    const cookies: Record<string, string[]> = {};
+function getCookieNamesFromRequestHeaderAllowingDuplicates(cookieString: string): string[] {
+    const cookieNames: string[] = [];
 
     const cookiePairs = cookieString.split(";");
 
     for (const cookiePair of cookiePairs) {
-        const [name, value] = cookiePair
-            .trim()
-            .split("=")
-            .map((part) => {
-                try {
-                    return decodeURIComponent(part);
-                } catch (e) {
-                    // this is there in case the cookie value is not encoded. This can happe
-                    // if the user has set their own cookie in a different format.
-                    return part;
-                }
-            });
+        const [name, _] = cookiePair.trim().split("=");
 
-        if (cookies.hasOwnProperty(name)) {
-            cookies[name].push(value);
-        } else {
-            cookies[name] = [value];
+        // Try to decode the name or fallback to the original name
+        let decodedName = name;
+        try {
+            decodedName = decodeURIComponent(name);
+        } catch (e) {
+            logDebugMessage(`getCookieNamesFromRequestHeaderAllowingDuplicates: Error decoding cookie name: ${name}`);
         }
+
+        cookieNames.push(decodedName);
     }
 
-    return cookies;
+    return cookieNames;
 }