
Conversation


@tusharpandey13 tusharpandey13 commented Jul 16, 2025

Fixes transaction cookie accumulation that caused 413 errors when users repeatedly navigate to protected routes. Adds configurable cleanup with three new AuthClient options for different application needs.

  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)

🔍 RCA

Each startInteractiveLogin() call created new __txn_* cookies but only deleted the matching callback cookie, leaving abandoned cookies from incomplete flows to accumulate until hitting HTTP header limits.

📋 Changes

Adds configurable transaction cookie management to prevent accumulation while supporting multi-tab scenarios. New AuthClient constructor options:

  • enableParallelTransactions: boolean (default: true) - Controls single vs multi-transaction mode
  • Added maxAge property to TransactionCookieOptions to control the txn cookie maxAge (3600s by default)

Usage example for single-transaction mode:

new AuthClient({
  // ...required options
  transactionCookieOptions: {
    // ...options
    maxAge: 60 // 1 minute
  },
  enableParallelTransactions: false,
});

Changed src/server/auth-client.ts: Added configuration options and cleanup in startInteractiveLogin()
Added tests/v4-infinitely-stacking-cookies.test.ts: Comprehensive test coverage for all options

📎 References

Fixes: #1917
Fixes: #2209

🎯 Testing

Automated:
Added comprehensive test suite in tests/v4-infinitely-stacking-cookies.test.ts covering all configuration options, cleanup scenarios, and edge cases. Fixed CI test failure by providing explicit fetch mock and routes configuration instead of accessing private AuthClient properties.

Manual:

  1. Navigate to protected route multiple times and verify ≤3 transaction cookies remain
  2. Test multi-tab login scenarios work correctly with enableParallelTransactions: true
  3. Test single-transaction mode with enableParallelTransactions: false
  4. Run pnpm test:unit to verify all tests pass
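The accumulation described in the RCA and the two cleanup modes above, modelled as an added example in TypeScript. This is illustration code, not code from the nextjs-auth0 project or from this PR: CookieJar, legacyStartInteractiveLogin, handleCallback, fakeTxnPayload and the MAX_PARALLEL_TXNS cap (taken from the "≤3 transaction cookies remain" manual check) are assumptions, and the oldest-first eviction used in parallel mode is one possible policy, not necessarily the one the PR implements.

```typescript
// Added example (not the project's code): a minimal model of how `__txn_*`
// transaction cookies are created on each interactive login, why abandoned
// ones pile up in the Cookie header, and how single- and parallel-transaction
// cleanup bound their number. All names below are assumptions.

const TXN_PREFIX = "__txn_";
// Assumed cap for parallel mode; the PR's manual test only says "<= 3 remain".
const MAX_PARALLEL_TXNS = 3;

interface TxnCookieOptions {
  maxAge: number; // seconds; the PR defaults this to 3600
}

interface AuthClientOptions {
  enableParallelTransactions: boolean;
  transactionCookieOptions: TxnCookieOptions;
}

interface StoredCookie {
  value: string;
  createdAt: number; // ms since epoch
  expiresAt: number; // ms since epoch
}

// Simulated browser cookie jar with a pluggable clock so expiry can be tested.
class CookieJar {
  private cookies = new Map<string, StoredCookie>();
  constructor(private readonly now: () => number = () => Date.now()) {}

  set(name: string, value: string, maxAgeSec: number): void {
    const t = this.now();
    this.cookies.set(name, { value, createdAt: t, expiresAt: t + maxAgeSec * 1000 });
  }

  delete(name: string): void {
    this.cookies.delete(name);
  }

  // Cookies a browser would still send, oldest first (expired ones are dropped).
  private live(): Array<[string, StoredCookie]> {
    const t = this.now();
    return Array.from(this.cookies.entries())
      .filter(([, c]) => c.expiresAt > t)
      .sort((a, b) => a[1].createdAt - b[1].createdAt);
  }

  txnNames(): string[] {
    return this.live().map(([name]) => name).filter((n) => n.startsWith(TXN_PREFIX));
  }

  // Approximate size of the Cookie request header ("name=value; " per cookie);
  // this is what grows toward the server's header limit and yields the 413.
  cookieHeaderBytes(): number {
    return this.live().reduce((n, [name, c]) => n + name.length + 1 + c.value.length + 2, 0);
  }
}

// Fixed-size stand-in for the encrypted transaction payload (constructed data;
// real payloads carrying code_verifier, nonce and returnTo are a few hundred bytes).
function fakeTxnPayload(state: string): string {
  return state + "." + "x".repeat(400 - state.length - 1);
}

// Pre-fix behaviour: every call adds a cookie and nothing removes abandoned ones.
function legacyStartInteractiveLogin(jar: CookieJar, state: string, maxAge = 3600): void {
  jar.set(TXN_PREFIX + state, fakeTxnPayload(state), maxAge);
}

// Fixed behaviour: clean up before creating the new transaction cookie.
function startInteractiveLogin(jar: CookieJar, opts: AuthClientOptions, state: string): void {
  const existing = jar.txnNames(); // oldest first
  if (!opts.enableParallelTransactions) {
    // Single-transaction mode: only the newest login attempt is ever valid.
    for (const name of existing) jar.delete(name);
  } else {
    // Parallel (multi-tab) mode: evict the oldest so that at most
    // MAX_PARALLEL_TXNS transaction cookies remain after this call.
    const excess = existing.length - (MAX_PARALLEL_TXNS - 1);
    for (const name of existing.slice(0, Math.max(0, excess))) jar.delete(name);
  }
  jar.set(TXN_PREFIX + state, fakeTxnPayload(state), opts.transactionCookieOptions.maxAge);
}

// Callback handling, unchanged by the fix: only the matching cookie is removed.
// Returns whether a live transaction cookie for this state existed.
function handleCallback(jar: CookieJar, state: string): boolean {
  const name = TXN_PREFIX + state;
  const present = jar.txnNames().indexOf(name) !== -1;
  jar.delete(name);
  return present;
}
```

Two things the model makes visible: with the legacy path the header grows linearly with every abandoned login start, so a user who bounces off a protected route repeatedly reaches the proxy or Lambda header limit on their own; and a short maxAge is a second, independent bound, because the browser stops sending an expired cookie even if server-side cleanup never touched it.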

@tusharpandey13 tusharpandey13 requested a review from a team as a code owner July 16, 2025 13:09
@tusharpandey13 tusharpandey13 marked this pull request as draft July 16, 2025 13:09
@tusharpandey13 tusharpandey13 changed the title # Fix: Prevent Infinite Transaction Cookie Accumulation + Configuration Options (Issues #1917, #2209, #2221) [DO NOT MERGE] # Fix: Prevent Infinite Transaction Cookie Accumulation + Configuration Options Jul 16, 2025
tusharpandey13 and others added 6 commits July 23, 2025 22:03
Cherry-picked and combined commits:
- 2c0a2f2: chore: fix linting
- 157189c: fix: fix keylike errors in lint
- d029787: simplify lint changes

This fixes TypeScript linting errors related to jose.KeyLike type usage
by properly defining the supported key types for client assertion signing.
@codecov-commenter

codecov-commenter commented Jul 23, 2025

Codecov Report

Attention: Patch coverage is 87.69231% with 8 lines in your changes missing coverage. Please review.

Project coverage is 84.41%. Comparing base (533c4b7) to head (8049055).
Report is 1 commit behind head on main.

Files with missing lines Patch % Lines
src/server/transaction-store.ts 72.41% 8 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2236   +/-   ##
=======================================
  Coverage   84.40%   84.41%           
=======================================
  Files          26       26           
  Lines        2379     2419   +40     
  Branches      442      453   +11     
=======================================
+ Hits         2008     2042   +34     
- Misses        365      371    +6     
  Partials        6        6           


@tusharpandey13 tusharpandey13 marked this pull request as ready for review July 23, 2025 17:27
@tusharpandey13 tusharpandey13 changed the title [DO NOT MERGE] # Fix: Prevent Infinite Transaction Cookie Accumulation + Configuration Options bugfix: Prevent Infinite Transaction Cookie Accumulation + Configuration Options Jul 23, 2025
Comment on lines +39 to +45
/**
* The expiration time for transaction cookies in seconds.
* If not provided, defaults to 1 hour (3600 seconds).
*
* @default 3600
*/
maxAge?: number;
Contributor Author

make maxAge of txn cookie configurable

@tusharpandey13 tusharpandey13 changed the title bugfix: Prevent Infinite Transaction Cookie Accumulation + Configuration Options [DO NOT MERGE]bugfix: Prevent Infinite Transaction Cookie Accumulation + Configuration Options Jul 25, 2025
@tusharpandey13
Contributor Author

This is irrelevant now, see #1917 (comment)

Successfully merging this pull request may close these issues.

Transaction cookie not clean after usage lead to 413 or lambda size limit v4: Infinitely stacking cookies
3 participants