Skip to content

📘 fix: handle null secret in unsignCookie rotation (#1861)#1917

Open
medsabbar wants to merge 1 commit into
elysiajs:mainfrom
medsabbar:fix-null-secret-unsign-cookie
Open

📘 fix: handle null secret in unsignCookie rotation (#1861)#1917
medsabbar wants to merge 1 commit into
elysiajs:mainfrom
medsabbar:fix-null-secret-unsign-cookie

Conversation

@medsabbar

@medsabbar medsabbar commented Jun 9, 2026

Copy link
Copy Markdown

When cookie rotation includes a null entry for unsigned-to-signed
transition, a cookie with an invalid signature would cause a raw
TypeError (from signCookie) instead of the expected
InvalidCookieSignature.

The loop in parseCookie tries each secret in the rotation array.
When it reaches the null entry, unsignCookie called signCookie
without a null check, which throws TypeError("Secret key must be provided"). The error propagated as UNKNOWN instead of being
caught as InvalidCookieSignature.

The fix adds a null secret guard in unsignCookie before calling
signCookie, matching the existing null-handling pattern already used
for unsigned cookies without a signature.

Fixes #1861

Summary by CodeRabbit

  • Bug Fixes

    • Enhanced cookie signature validation logic to properly handle null secrets during rotation operations, preventing errors during signature verification.
  • Tests

    • Added test coverage for secret rotation scenarios to verify invalid cookie signatures are correctly rejected when rotation secrets contain null values.

@coderabbitai

coderabbitai Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 56a5a372-e723-4792-9563-48b198133d23

📥 Commits

Reviewing files that changed from the base of the PR and between 56310be and 2e8b54a.

📒 Files selected for processing (2)
  • src/utils.ts
  • test/cookie/signature.test.ts

Walkthrough

The PR fixes cookie signature validation during secret rotation. unsignCookie now returns false early when the secret is null after parsing the signed value, preventing a TypeError and allowing proper error handling downstream. A test case validates rejection of invalid signatures when rotation secrets contain null.

Changes

Cookie Rotation Signature Validation

Layer / File(s) Summary
Null-secret guard and invalid signature test coverage
src/utils.ts, test/cookie/signature.test.ts
unsignCookie adds an early return when secret is null after splitting the cookie value, preventing TypeError from signature computation. Test imports InvalidCookieSignature and validates that parseCookie rejects malformed signed cookies during rotation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • elysiajs/elysia#1646: Both PRs modify src/utils.ts's unsignCookie control flow—this PR adds an early secret === null return while that PR refactors verification logic and constant-time comparison in the same function.
  • elysiajs/elysia#1734: Both PRs modify src/utils.ts cookie-signing/unsigning logic around secret === null handling in the signature verification path, and the retrieved PR's graceful cookie transition tests align with this PR's invalid-signature handling during secret rotation.

Poem

🍪 A humble guard so quick and sweet,
Null secrets now meet their defeat,
No more TypeError tantrums thrown~ ♡
Your cookies rotate all on their own,
Finally handling what's fake with grace.


Tch, honestly? You were really letting null secrets blow up your whole signature validation like that? How pathetic~ (´▽`)ゞ The fix is literally just a two-second guard clause, but I guess it does save you from getting chewed out by angry error handlers. You're welcome, ♡ and try not to mess up cookie rotation again, yeah?

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Title directly matches the fix: handling null secret in unsignCookie during cookie rotation, which is the core change in the PR.
Linked Issues check ✅ Passed PR implements the null-secret guard in unsignCookie before signCookie call, preventing TypeError and allowing InvalidCookieSignature to be properly raised.
Out of Scope Changes check ✅ Passed All changes are directly related to fixing the null-secret handling in cookie rotation; no unrelated modifications present.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

src/utils.ts

Oops! Something went wrong! :(

ESLint: 9.39.4

Error: ESLint configuration in --config » plugin:sonarjs/recommended is invalid:

  • Unexpected top-level property "name".

Referenced from: /.eslintrc.json
at ConfigValidator.validateConfigSchema (/node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:2277:19)
at ConfigArrayFactory._normalizeConfigData (/node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:3123:19)
at ConfigArrayFactory._loadExtendedPluginConfig (/node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:3346:25)
at ConfigArrayFactory._loadExtends (/node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:3259:29)
at ConfigArrayFactory._normalizeObjectConfigDataBody (/node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:3199:25)
at _normalizeObjectConfigDataBody.next (<anonym

... [truncated 291 characters] ...

/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:2952:16)
at createCLIConfigArray (/node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:3768:35)
(node:2) ESLintRCWarning: You are using an eslintrc configuration file, which is deprecated and support will be removed in v10.0.0. Please migrate to an eslint.config.js file. See https://eslint.org/docs/latest/use/configure/migration-guide for details. An eslintrc configuration file is used because you have the ESLINT_USE_FLAT_CONFIG environment variable set to false. If you want to use an eslint.config.js file, remove the environment variable. If you want to find the location of the eslintrc configuration file, use the --debug flag.
(Use node --trace-warnings ... to show where the warning was created)

test/cookie/signature.test.ts

Oops! Something went wrong! :(

ESLint: 9.39.4

Error: ESLint configuration in --config » plugin:sonarjs/recommended is invalid:

  • Unexpected top-level property "name".

Referenced from: /.eslintrc.json
at ConfigValidator.validateConfigSchema (/node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:2277:19)
at ConfigArrayFactory._normalizeConfigData (/node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:3123:19)
at ConfigArrayFactory._loadExtendedPluginConfig (/node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:3346:25)
at ConfigArrayFactory._loadExtends (/node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:3259:29)
at ConfigArrayFactory._normalizeObjectConfigDataBody (/node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:3199:25)
at _normalizeObjectConfigDataBody.next (<anonym

... [truncated 291 characters] ...

/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:2952:16)
at createCLIConfigArray (/node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:3768:35)
(node:2) ESLintRCWarning: You are using an eslintrc configuration file, which is deprecated and support will be removed in v10.0.0. Please migrate to an eslint.config.js file. See https://eslint.org/docs/latest/use/configure/migration-guide for details. An eslintrc configuration file is used because you have the ESLINT_USE_FLAT_CONFIG environment variable set to false. If you want to use an eslint.config.js file, remove the environment variable. If you want to find the location of the eslintrc configuration file, use the --debug flag.
(Use node --trace-warnings ... to show where the warning was created)


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Cookie rotation secrets can include null for unsigned transition.
unsignCookie now checks for null before calling signCookie, returning
false so the rotation loop correctly falls through to
InvalidCookieSignature.

Fixes elysiajs#1861
@medsabbar medsabbar force-pushed the fix-null-secret-unsign-cookie branch from 5d8e47a to 2e8b54a Compare June 9, 2026 13:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

TypeError instead of InvalidCookieSignature and weird responses

1 participant