fix(cloudflare): split Set-Cookie header into multiple headers

[oleghalin]

🔗 Linked issue

#988

❓ Type of change

• 📖 Documentation (updates to the documentation or readme)
• 🐞 Bug fix (a non-breaking change that fixes an issue)
• 👌 Enhancement (improving an existing functionality like performance)
• ✨ New feature (a non-breaking change that adds functionality)
• ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

Splits Set-Cookie for each upstream header provided.

Resolves #988

📝 Checklist

• I have linked an issue or discussion.
• I have updated the documentation accordingly.

[oleghalin]

I suppose that these changes should be applied also to other presets where .join(',') used. @pi0

[codecov]

Codecov Report

Merging #989 (0583c8c) into main (1d0c120) will decrease coverage by 8.98%.
The diff coverage is n/a.

❗ Current head 0583c8c differs from pull request most recent head 1b5a4f6. Consider uploading reports for the commit 1b5a4f6 to get more accurate results

@@            Coverage Diff             @@
##             main     #989      +/-   ##
==========================================
- Coverage   76.64%   67.66%   -8.98%     
==========================================
  Files          71       60      -11     
  Lines        7241     6161    -1080     
  Branches      723      692      -31     
==========================================
- Hits         5550     4169    -1381     
- Misses       1690     1982     +292     
- Partials        1       10       +9     

see 51 files with indirect coverage changes

[oleghalin]

I checked codebase a little bit deeper and i think that it should be changed on unenv level and response.headers (which is HeadersObject https://github.com/unjs/unenv/blob/920c3869ac5f7e5d1fb0475bb1cccad18f0764e2/src/runtime/_internal/types.ts#L2) should implement native Headers instead of { [key: string]: string | string[] | undefined }; and with this we dont need to make such transformations on preset level.

[pi0]

We have recently introduced same util in h3. It might be one less dependency and bundle size if we expose it from h3 package.

[oleghalin]

Thanks, what is proper way to sync versions of h3 and current nitro? Should we wait for h3 version tag or?

[pi0]

Sure, releasing next version until this weekend. (at the same time thinking about your other comments, we need to really fix header normalization across entries)

[oleghalin]

As i see normalize function looks same for all other entries, but i think something is different on provider level, i suppose that some of them do cookie splitting themselves. We can drop normalize function to utils and use it every entry until make changes with type change for HadersObject.

[pi0]

Indeed there are slight behavior diferences. Also we never properly tested header behavior on nitro-deploys 😓

[oleghalin]

Hello, @pi0. Do you have any plans for releasing new versions soon? Gonna continue work on module and project, but this issue blocks me testing any env except local one :)

[pi0]

Hi, dear @oleghalin. Sure. I am (at the moment!) trying workers via pages on nitro-deploys. That would make testing this PR possible.

[oleghalin]

Thanks, just in case wanna remind that it also waits for unjs/h3 release for splitCookieString helper :)

[oleghalin]

Hello, @pi0. I also pushed to this PR change for not caching 404 responses if its asset directory, can you check it too please

which resolves #1001

[oleghalin]

Hello, @pi0 any updates on it? Issue with Set-Cookie header and 404 caching its making Nuxt absolutely unusuable with Cloudlare Workers

[Stupremee]

Hey @oleghalin,
I just saw this PR because I have the same problems with Nuxt on CF Workers, which is soo annoying.

I noticed that the new h3 version used in nitro now exports the splitCookeString function, so maybe you can remove the set-cookie-parser dependency and this PR can move forward.

[oleghalin]

Hello, @pi0. I just just updated my PR and dropped third-party dep

[oleghalin]

Hey, @pi0. I suppose that it makes many problems for all users who use CF workers to deploy, can you take a look on it? It solves 2 big problems with caching and cookies

[j4tmr]

+1 I had the same bug that bothered me for days，it's not just about nitro.routeRules, proxyRequest has the same bug

[Hebilicious]

@oleghalin This is on my radar, apologies for the delay. Can you provide me with a reproduction ? I would like to see if this behaviour affects the other cloudflare presets too.

[Hebilicious]

This doesn't include any tests or reproduction, so this is hard to test.

[oleghalin]

Not sure why you need reproduction, Set-Cookie header should be merged into one because browsers read each Set-Cookie header and set 1 cookie per each Set-Cookie header, as soon as there is only 1 header delimited by coma it will write only first cookie. As I know Vercel and node server parse it on their end and thats why it works, but it doesn't work for CF.

[Hebilicious]

Thanks for the additional information and the PR.
A reproduction is useful to test the proposed changes. Without one, it takes more maintainer time to review and get things merged.

[oleghalin]

Cannot make repro right now, but referencing RFC for you to understand it better.

https://datatracker.ietf.org/doc/html/rfc6265#section-3

[Hebilicious]

This is absolutely a necessary change!

• The check for publicAsset needs to happen in another PR perf(cloudflare): check for asset url #1236 (feedback welcome)

• This affects multiple preset and needs to be applied everywhere

[Hebilicious]

I agree this needs to happen, but it should be handled in a different PR (https://github.com/unjs/nitro/pull/1236/files)