Merge branch 'main' into switch-off-weak-maps

Author: mcandeia

Diff for: blocks/matcher.ts

@@ -127,6 +127,7 @@ const matcherBlock: Block<
     const shouldStickyOnSession = sticky === "session";
     return (ctx: MatchContext) => {
       let uniqueId = "";
+      let isSegment = true;
 
       // from last to first and stop in the first resolvable
       // the rational behind is: whenever you enter in a resolvable it means that it can be referenced by other resolvables and this value should not change.
@@ -139,6 +140,7 @@ const matcherBlock: Block<
         }
         // stop on first resolvable
         if (type === "resolvable") {
+          isSegment = uniqueId === value;
           break;
         }
       }
@@ -169,7 +171,11 @@ const matcherBlock: Block<
         }
       }
 
-      httpCtx.context.state.flags.push({ name: uniqueId, value: result });
+      httpCtx.context.state.flags.push({
+        name: uniqueId,
+        value: result,
+        isSegment,
+      });
 
       return result;
     };

Diff for: meta.json

@@ -1,3 +1,3 @@
 {
-  "version": "1.57.11"
+  "version": "1.57.12"
 }

Diff for: runtime/fresh/middlewares/3_main.ts

@@ -3,14 +3,16 @@ import { tryOrDefault } from "deco/utils/object.ts";
 import { DECO_MATCHER_HEADER_QS } from "../../../blocks/matcher.ts";
 import { RequestState } from "../../../blocks/utils.tsx";
 import { Context } from "../../../deco.ts";
-import { getCookies, setCookie, SpanStatusCode } from "../../../deps.ts";
+import { getCookies, SpanStatusCode } from "../../../deps.ts";
 import { Resolvable } from "../../../engine/core/resolver.ts";
 import { Apps } from "../../../mod.ts";
 import { startObserve } from "../../../observability/http.ts";
 import { DecoSiteState, DecoState } from "../../../types.ts";
 import { isAdminOrLocalhost } from "../../../utils/admin.ts";
+import { decodeCookie, setCookie } from "../../../utils/cookies.ts";
 import { allowCorsFor, defaultHeaders } from "../../../utils/http.ts";
 import { formatLog } from "../../../utils/log.ts";
+import { tryOrDefault } from "../../../utils/object.ts";
 
 export const DECO_SEGMENT = "deco_segment";
 
@@ -182,35 +184,38 @@ export const handler = [
 
     if (state?.flags.length > 0) {
       const currentCookies = getCookies(req.headers);
-      const segment = currentCookies[DECO_SEGMENT]
-        ? tryOrDefault(
-          () =>
-            JSON.parse(decodeURIComponent(atob(currentCookies[DECO_SEGMENT]))),
-          {},
-        )
-        : {};
+      const cookieSegment = tryOrDefault(
+        () => decodeCookie(currentCookies[DECO_SEGMENT]),
+        "",
+      );
+      const segment = tryOrDefault(() => JSON.parse(cookieSegment), {});
+
       const active = new Set(segment.active || []);
       const inactiveDrawn = new Set(segment.inactiveDrawn || []);
       for (const flag of state.flags) {
-        if (flag.value) {
-          active.add(flag.name);
-          inactiveDrawn.delete(flag.name);
-        } else {
-          active.delete(flag.name);
-          inactiveDrawn.add(flag.name);
+        if (flag.isSegment) {
+          if (flag.value) {
+            active.add(flag.name);
+            inactiveDrawn.delete(flag.name);
+          } else {
+            active.delete(flag.name);
+            inactiveDrawn.add(flag.name);
+          }
         }
       }
       const newSegment = {
         active: [...active].sort(),
         inactiveDrawn: [...inactiveDrawn].sort(),
       };
-      const value = btoa(encodeURIComponent(JSON.stringify(newSegment)));
-      if (segment !== value) {
+      const value = JSON.stringify(newSegment);
+      const hasFlags = active.size > 0 || inactiveDrawn.size > 0;
+
+      if (hasFlags && cookieSegment !== value) {
         setCookie(newHeaders, {
           name: DECO_SEGMENT,
           value,
           path: "/",
-        });
+        }, { encode: true });
       }
     }
 

Diff for: types.ts

@@ -76,6 +76,7 @@ export type DecoSiteState<T = unknown> = {
 export interface Flag {
   name: string;
   value: boolean;
+  isSegment?: boolean;
 }
 
 export interface StatefulContext<T> {

Diff for: utils/cookies.ts

@@ -0,0 +1,53 @@
+import { Cookie, setCookie as stdSetCookie } from "std/http/cookie.ts";
+
+export const MAX_COOKIE_SIZE = 4096; // 4KB
+
+export const getCookieSize = (cookie: string) => {
+  // Each character in a JavaScript string is UTF-16, taking up 2 bytes
+  return cookie.length * 2;
+};
+
+interface SetCookieOptions {
+  // Encoding a cookie is important to ensure special characters
+  // do not interfere with cookie parsing and to prevent the injection
+  // of malicious content, enhancing data security and integrity.
+  encode?: boolean;
+  // This option is used to bypass the 4KB cookie size limit.
+  dangerouslySetBigCookies?: boolean;
+}
+
+export function setCookie(
+  headers: Headers,
+  cookie: Cookie,
+  cookieOptions?: SetCookieOptions,
+): void {
+  const { encode = false, dangerouslySetBigCookies = false } = cookieOptions ??
+    {};
+
+  const newCookie = {
+    ...cookie,
+  };
+
+  if (encode) {
+    newCookie.value = btoa(encodeURIComponent(cookie.value));
+  }
+
+  // could have an error range, because deno's cookie uses their own toString function
+  const stringLength = newCookie.name.length + newCookie.value.length;
+
+  if (!dangerouslySetBigCookies) {
+    const sizeInBytes = stringLength * 2;
+    if (sizeInBytes > MAX_COOKIE_SIZE) {
+      console.warn(
+        `Cookie '${cookie.name}' exceeds the size limit of 4KB and will not be set.`,
+      );
+      return;
+    }
+  }
+
+  stdSetCookie(headers, newCookie);
+}
+
+export function decodeCookie(cookie: string): string {
+  return decodeURIComponent(atob(cookie));
+}