lexik/LexikJWTAuthenticationBundle

Split cookies are all set in the same string

fhuszti opened this issue · 0 comments

EDIT: after some more testing, it appears it's a problem with Vercel's edge runtime. Not sure anyone can do anything about this here, but I can't delete this issue.

I have my Symfony API set up for split cookies from LexikJWT, and I call this backend from a Node.js/edge environment that serves as a middleman between the API and the frontend.
When calling the login route from Postman, it parses the response fine: Postman shows me there are three Set-Cookie headers in the response, as there should be (split cookies + refresh).
But when I call it from my JavaScript, I get all three cookies in a single Set-Cookie header; I had to write a specific function with a regex to parse it and separate it into three cookies so I can set them on the client.
Does anyone know why I don't get the three separate Set-Cookie headers on my frontend?

LexikJWT config:

lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    token_ttl: 1800

    token_extractors:
        split_cookie:
            enabled: true
            # the token is reassembled from these two cookies on each request
            cookies:
                - jwt_hp
                - jwt_s

    set_cookies:
        # header.payload part: readable by page scripts (httpOnly: false), expires with the token
        jwt_hp:
            lifetime: null
            samesite: strict
            path: /
            domain: null
            httpOnly: false
            partitioned: false
            split:
                - header
                - payload
        # signature part: session cookie (lifetime: 0), never exposed to page scripts
        jwt_s:
            lifetime: 0
            samesite: strict
            path: /
            domain: null
            httpOnly: true
            partitioned: false
            split:
                - signature

Refresh config:

gesdinet_jwt_refresh_token:
    refresh_token_class: App\Infrastructure\Security\Entity\RefreshToken
    ttl_update: true
    return_expiration: true

    cookie:
        enabled: true
        same_site: strict
        path: /
        domain: null
        http_only: true
        secure: true
        remove_token_from_body: true

JavaScript side, this is how it looks, just to be complete:

// credentials: the login payload (username/password) built earlier in the handler
const response: Response = await fetch(process.env.BACKEND_URL + BACKEND_LOGIN, {
    method: 'POST',
    body: JSON.stringify(credentials),
    headers: { "Content-Type": "application/json" }
});

if (response.ok) {
    // expected: one array entry per Set-Cookie header sent by the API
    console.log(response.headers.getSetCookie());
}

This console.log gives me:

['jwt_hp=eyJ0eXAi[...]NvbSJ9; expires=Mon, 08 Jan 2024 08:10:25 GMT; Max-Age=1800; path=/; secure; samesite=strict, jwt_s=FROmh3[...]moK9tsg; path=/; secure; httponly; samesite=strict, refresh_token=75dca[...]5ba97c; expires=Wed, 07 Feb 2024 07:40:25 GMT; Max-Age=2592000; path=/; secure; httponly; samesite=strict']

when I expected the cookies to arrive as three separate strings in the array.
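As an added example (this is not code from the original post, from LexikJWTAuthenticationBundle or from Vercel), here is a JavaScript splitter for a Set-Cookie value that a runtime has folded into one comma-joined string like the one above, together with a small parser and a sanity check that the split-cookie attributes survived the hop through the middleman. A naive `split(",")` is wrong because the `expires=Mon, 08 Jan 2024 ...` date itself contains a comma, so the splitter only treats a comma as a cookie boundary when the text after it looks like a new `name=value` pair. The sample header string is constructed to mirror the shape of the output above with shortened placeholder values; the function names and the `jwt_hp`/`jwt_s` defaults (taken from the config above) are this example's own assumptions.

```javascript
// Constructed sample, shaped like the folded Set-Cookie value in the post above
// (values shortened; these are not real tokens).
const SAMPLE_JOINED =
  "jwt_hp=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0; expires=Mon, 08 Jan 2024 08:10:25 GMT; Max-Age=1800; path=/; secure; samesite=strict, " +
  "jwt_s=c2lnbmF0dXJl; path=/; secure; httponly; samesite=strict, " +
  "refresh_token=75dca5ba97c; expires=Wed, 07 Feb 2024 07:40:25 GMT; Max-Age=2592000; path=/; secure; httponly; samesite=strict";

// Split a comma-joined Set-Cookie string into individual cookie strings.
// A comma is a boundary only if, after optional whitespace, the next "=" comes
// before any ";" or ",". Inside an Expires date ("Mon, 08 Jan 2024 08:10:25 GMT; Max-Age=...")
// the ";" comes first, so that comma is kept as part of the attribute value.
function splitSetCookieString(joined) {
  const cookies = [];
  let start = 0;
  let pos = 0;

  while (pos < joined.length) {
    if (joined[pos] !== ",") {
      pos += 1;
      continue;
    }
    let look = pos + 1;
    while (look < joined.length && /\s/.test(joined[look])) look += 1;
    const rest = joined.slice(look);
    const eq = rest.indexOf("=");
    const semi = rest.indexOf(";");
    const comma = rest.indexOf(",");
    const isBoundary =
      eq !== -1 && (semi === -1 || eq < semi) && (comma === -1 || eq < comma);
    if (isBoundary) {
      cookies.push(joined.slice(start, pos).trim());
      start = look;
      pos = look;
    } else {
      pos += 1;
    }
  }
  const last = joined.slice(start).trim();
  if (last) cookies.push(last);
  return cookies;
}

// Parse one Set-Cookie string into { name, value, attributes }.
// Attribute names are lowercased; flag attributes (Secure, HttpOnly) become `true`.
function parseSetCookie(cookieString) {
  const [pair, ...attrParts] = cookieString.split(";");
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attributes = {};
  for (const part of attrParts) {
    const p = part.trim();
    if (!p) continue;
    const i = p.indexOf("=");
    if (i === -1) attributes[p.toLowerCase()] = true;
    else attributes[p.slice(0, i).trim().toLowerCase()] = p.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Sanity check before the middleman re-emits the cookies to the browser:
// the signature cookie must stay HttpOnly, the header.payload cookie must be
// readable by page scripts (httpOnly: false in the config), and every cookie
// must carry Secure. Returns a list of problems; empty means OK.
// Cookie names default to the ones in the config above (assumption).
function checkSplitJwtCookies(parsedCookies, hpName = "jwt_hp", sName = "jwt_s") {
  const byName = Object.fromEntries(parsedCookies.map((c) => [c.name, c]));
  const problems = [];
  const hp = byName[hpName];
  const s = byName[sName];
  if (!hp) problems.push(`missing ${hpName}`);
  if (!s) problems.push(`missing ${sName}`);
  if (hp && hp.attributes.httponly) problems.push(`${hpName} is HttpOnly; frontend cannot read header/payload`);
  if (s && !s.attributes.httponly) problems.push(`${sName} is not HttpOnly; signature exposed to page scripts`);
  for (const c of parsedCookies) {
    if (!c.attributes.secure) problems.push(`${c.name} lacks Secure`);
  }
  return problems;
}

// Usage: recover the three cookies, then verify their attributes before forwarding.
const cookies = splitSetCookieString(SAMPLE_JOINED).map(parseSetCookie);
console.log(cookies.map((c) => c.name)); // [ 'jwt_hp', 'jwt_s', 'refresh_token' ]
console.log(checkSplitJwtCookies(cookies)); // []
```

On a runtime whose `response.headers.getSetCookie()` already returns one entry per header, the splitter is a no-op fallback (feed each entry through it and it comes back unchanged); the check still earns its keep, since a middleman that re-sets cookies on the client is exactly where an `HttpOnly` flag on `jwt_s` can silently get dropped.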