Version 8.2.1 cookie validation regression

[Dartv]

Runtime

node.js

Runtime version

22.17.0

Module version

8.2.1

Last module version without issue

8.2.0

Used with

serverless-offline

Any other relevant information

Suddenly, I started getting errors "Invalid cookie value". Upon further investigation it turned out to be the newest version 8.2.1 of this package.

What are you trying to achieve or the steps to reproduce?

I'm generating the cookie from a jwt with a "cookie" npm package.
The resulting cookie looks like the following:
authToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiJmQWRGdjVDZGVleTlZS0tNMiIsImlhdCI6MTc2MjQzMjc2NCwiZXhwIjoxNzYyNDMyOTQ0fQ.BNcdM1iEqB9HfTbSZqDqmErlcV-1nN4kds8xDMdHuGA; Max-Age=180; Path=/; SameSite=Lax

cookie.serialize(name, value, {
    path: '/',
    sameSite: 'lax',
    secure: isSecure,
    ...(domain && { domain }),
    ...options,
  }

What was the result you got?

[Webpack] Watch service...Debug: internal, implementation, error
    Error: Invalid cookie value: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiJmQWRGdjVDZGVleTlZS0tNMiIsImlhdCI6MTc2MjQzMjc2NCwiZXhwIjoxNzYyNDMyOTQ0fQ.BNcdM1iEqB9HfTbSZqDqmErlcV-1nN4kds8xDMdHuGA; Max-Age=180; Path=/; SameSite=Lax
    at exports.Definitions.format (/Users/admin/projects/monohive/common/temp/node_modules/.pnpm/@hapi+statehood@8.2.1/node_modules/@hapi/statehood/lib/index.js:272:28)
    at async exports.state (/Users/admin/projects/monohive/common/temp/node_modules/.pnpm/@hapi+hapi@21.4.4/node_modules/@hapi/hapi/lib/headers.js:94:22)
    at async internals.marshal (/Users/admin/projects/monohive/common/temp/node_modules/.pnpm/@hapi+hapi@21.4.4/node_modules/@hapi/hapi/lib/transmit.js:41:9)
    at async exports.send (/Users/admin/projects/monohive/common/temp/node_modules/.pnpm/@hapi+hapi@21.4.4/node_modules/@hapi/hapi/lib/transmit.js:27:9)
    at async Request._reply (/Users/admin/projects/monohive/common/temp/node_modules/.pnpm/@hapi+hapi@21.4.4/node_modules/@hapi/hapi/lib/request.js:456:9

What result did you expect?

No "Invalid cookie value" error

[Marsup]

Hi,

I'm unable to reproduce your issue, can you share hapi's config as well?

[Dartv]

Not using hapi directly, but using serverless-offline which uses hapi.
https://github.com/dherault/serverless-offline

[Marsup]

Unless we can reproduce this, it's going to be hard to help you.

[Dartv]

I believe the issue is within the internals.validateRx.valueRx.loose The previous version had a different regex for it and matches the cookie while the new one doesn't, see the screenshot. And because the value doesn't match anything, an error is now thrown here https://github.com/hapijs/statehood/blob/909306e6d1e43e69546816d21871d76c074825ba/lib/index.js#L272

[Marsup]

The entire string is not supposed to be provided to this regex but each cookie individually. Again, a way to reproduce would go a long way.

[uva-sl]

Hello, i have the same problem with serverless-offline.

Serverless-offline send the full string

In the start of the method format one cookie:

{
  name: 'connect.sid',
  value: 's%3A2KV_uHdcpvZJuzvbscjWpcd2A4auW-Uf.gY6PixF0WaIkT0Nab2PfEmRLQOWvyqMlAwAWCjxaJ6o; Path=/; Expires=Mon, 17 Nov 2025 15:15:23 GMT; HttpOnly',
  options: { encoding: 'none', strictHeader: false }
}

Before validation (definition.strictHeader, 'value', cookie.value, internals.validateRx

strictHeader false value s%3A2KV_uHdcpvZJuzvbscjWpcd2A4auW-Uf.gY6PixF0WaIkT0Nab2PfEmRLQOWvyqMlAwAWCjxaJ6o; Path=/; Expires=Mon, 17 Nov 2025 15:15:23 GMT; HttpOnly {
  nameRx: {
    strict: /^[^\x00-\x20()<>@,;:\\"\/\[\]?={}\x7F]+$/,
    loose: /^[^=\s]*$/
  },
  valueRx: { strict: /^[^\x00-\x20",;\\\x7F]*$/, loose: /^("[^"]*"|[^;]*)$/ },
  domainRx: /^\.?[a-z\d]+(?:-[a-z\d]+)*(?:\.[a-z\d]+(?:-[a-z\d]+)*)*$/,
  domainLabelLenRx: /^\.?[a-z\d\-]{1,63}(?:\.[a-z\d\-]{1,63})*$/,
  pathRx: /^\/[^\x00-\x1F;]*$/
}

Serverless-offline send this value because in the the response lambda send to api-gateway is like this :

{
  statusCode: 302,
  body: '',
  multiValueHeaders: {
    'x-powered-by': [ 'Express' ],
    location: [
      'https://....'
    ],
    'content-length': [ '0' ],
    'set-cookie': [
      'connect.sid=s%3A2KV_uHdcpvZJuzvbscjWpcd2A4auW-Uf.gY6PixF0WaIkT0Nab2PfEmRLQOWvyqMlAwAWCjxaJ6o; Path=/; Expires=Mon, 17 Nov 2025 15:15:23 GMT; HttpOnly'
    ]
  },
  isBase64Encoded: false
}

[Marsup]

Then isn't it an issue with serverless-offline rather than with statehood? I feel like we're doing the right thing but they aren't.

[kanongil]

Yeah, passing the set-cookie header to h.state() seems very fishy. It's only supposed to be used in browsers (user agents).