📘 fix: handle null secret in unsignCookie rotation (#1861)#1917
📘 fix: handle null secret in unsignCookie rotation (#1861)#1917medsabbar wants to merge 1 commit into
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
WalkthroughThe PR fixes cookie signature validation during secret rotation. ChangesCookie Rotation Signature Validation
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Possibly related PRs
Poem
Tch, honestly? You were really letting 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
src/utils.tsOops! Something went wrong! :( ESLint: 9.39.4 Error: ESLint configuration in --config » plugin:sonarjs/recommended is invalid:
Referenced from: /.eslintrc.json ... [truncated 291 characters] ... /node_modules/@eslint/eslintrc/dist/eslintrc.cjs:2952:16) test/cookie/signature.test.tsOops! Something went wrong! :( ESLint: 9.39.4 Error: ESLint configuration in --config » plugin:sonarjs/recommended is invalid:
Referenced from: /.eslintrc.json ... [truncated 291 characters] ... /node_modules/@eslint/eslintrc/dist/eslintrc.cjs:2952:16) Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Cookie rotation secrets can include null for unsigned transition. unsignCookie now checks for null before calling signCookie, returning false so the rotation loop correctly falls through to InvalidCookieSignature. Fixes elysiajs#1861
5d8e47a to
2e8b54a
Compare
When cookie rotation includes a
nullentry for unsigned-to-signedtransition, a cookie with an invalid signature would cause a raw
TypeError(fromsignCookie) instead of the expectedInvalidCookieSignature.The loop in
parseCookietries each secret in the rotation array.When it reaches the
nullentry,unsignCookiecalledsignCookiewithout a null check, which throws
TypeError("Secret key must be provided"). The error propagated asUNKNOWNinstead of beingcaught as
InvalidCookieSignature.The fix adds a
nullsecret guard inunsignCookiebefore callingsignCookie, matching the existing null-handling pattern already usedfor unsigned cookies without a signature.
Fixes #1861
Summary by CodeRabbit
Bug Fixes
Tests