npm - @decocms/apps - Versions diffs - 1.12.0 → 1.12.1 - Mend

@decocms/apps 1.12.0 → 1.12.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +1 -1
package/vtex/client.ts +22 -4
package/vtex/utils/authHelpers.ts +7 -14
package/vtex/utils/cookieSanitizer.ts +173 -0
package/vtex/utils/cookies.ts +11 -18

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@decocms/apps",
-  "version": "1.12.0",
+  "version": "1.12.1",
   "type": "module",
   "description": "Deco commerce apps for TanStack Start - Shopify, VTEX, commerce types, analytics utils",
   "exports": {

package/vtex/client.ts CHANGED Viewed

@@ -4,6 +4,7 @@
  */
 import { RequestContext } from "@decocms/start/sdk/requestContext";
+import { sanitizeOutboundCookieHeader, warnDroppedCookies } from "./utils/cookieSanitizer";
 import { type FetchCacheOptions, fetchWithCache } from "./utils/fetchCache";
 import { ANONYMOUS_COOKIE, SESSION_COOKIE } from "./utils/intelligentSearch";
 import { parseSegment, SEGMENT_COOKIE_NAME } from "./utils/segment";
@@ -276,14 +277,31 @@ export async function vtexCachedFetch<T>(
  * This mirrors deco-cx/deco's `proxySetCookie(response.headers, ctx.response.headers)`.
  */
 export async function vtexFetchWithCookies<T>(path: string, init?: RequestInit): Promise<T> {
-	// Auto-inject request cookies from RequestContext
+	// Auto-inject request cookies from RequestContext.
+	//
+	// We sanitize the forwarded Cookie header before sending it to VTEX:
+	// the janus gateway returns 503 (empty body) on any cookie value that
+	// isn't strict ASCII per RFC 6265. Third-party analytics tags that write
+	// raw UTF-8 into document.cookie (e.g. category names with accents) will
+	// otherwise poison every checkout call for the affected user. The drop
+	// report is emitted via warnDroppedCookies() so we have observability the
+	// next time a tag misbehaves.
 	const existingHeaders = init?.headers as Record<string, string> | undefined;
 	if (!existingHeaders?.cookie) {
 		const ctx = RequestContext.current;
-		const cookies = ctx?.request.headers.get("cookie");
-		if (cookies) {
-			init = { ...init, headers: { ...existingHeaders, cookie: cookies } };
+		const raw = ctx?.request.headers.get("cookie");
+		if (raw) {
+			const { cookies, dropped } = sanitizeOutboundCookieHeader(raw);
+			if (dropped.length) warnDroppedCookies(dropped, vtexHost());
+			if (cookies) {
+				init = { ...init, headers: { ...existingHeaders, cookie: cookies } };
+			}
 		}
+	} else {
+		// Caller passed an explicit cookie — sanitize it too.
+		const { cookies, dropped } = sanitizeOutboundCookieHeader(existingHeaders.cookie);
+		if (dropped.length) warnDroppedCookies(dropped, vtexHost());
+		init = { ...init, headers: { ...existingHeaders, cookie: cookies } };
 	}
 	const response = await vtexFetchResponse(path, init);

package/vtex/utils/authHelpers.ts CHANGED Viewed

@@ -7,27 +7,20 @@
  * TanStack Start's Vite plugin only transforms source files.
  */
 import { getVtexConfig } from "../client";
+import { extractVtexCookies } from "./cookieSanitizer";
 const DOMAIN_RE = /;\s*domain=[^;]*/gi;
-const VTEX_COOKIE_PREFIXES = [
-	"vtex_session=",
-	"vtex_segment=",
-	"VtexIdclientAutCookie",
-	"checkout.vtex.com",
-	"CheckoutOrderFormOwnership",
-];
 /**
  * Extract VTEX-relevant cookies from a raw Cookie header string.
- * Filters out analytics/CF cookies that can cause VTEX 503 errors.
+ *
+ * Strict allowlist: drops any cookie not on `VTEX_COOKIE_PREFIXES`, plus
+ * any cookie whose value contains non-ASCII bytes (which would otherwise
+ * make VTEX's janus gateway return 503 Service Unavailable). Both filters
+ * live in `./cookieSanitizer` — this is a thin compatibility wrapper.
  */
 export function extractVtexCookiesFromHeader(raw: string): string {
-	return raw
-		.split(";")
-		.map((c) => c.trim())
-		.filter((c) => VTEX_COOKIE_PREFIXES.some((prefix) => c.startsWith(prefix)))
-		.join("; ");
+	return extractVtexCookies(raw);
 }
 /**

package/vtex/utils/cookieSanitizer.ts ADDED Viewed

@@ -0,0 +1,173 @@
+/**
+ * Outbound cookie sanitization for VTEX API calls.
+ *
+ * VTEX's janus gateway strictly enforces RFC 6265: any cookie value containing
+ * non-ASCII bytes causes the gateway to return `503 Service Unavailable` with
+ * an empty body, before the request reaches the backing service. This is
+ * deterministic — a single poisoned cookie (e.g. an analytics tag writing a
+ * category name with accents into `document.cookie` without encoding) can
+ * break every checkout call for a user.
+ *
+ * This module provides two filters:
+ *
+ * - `sanitizeOutboundCookieHeader()` — drops cookies whose value contains
+ *   non-ASCII bytes or that look malformed. Default for cookie forwarding
+ *   in `vtexFetchWithCookies`. Safe to apply to any cookie payload.
+ *
+ * - `extractVtexCookies()` — allowlist mode. Drops anything that isn't on
+ *   `VTEX_COOKIE_PREFIXES`. Use when calling endpoints that have no business
+ *   seeing the user's full cookie soup (e.g. logout, masterdata, profile).
+ *
+ * The allowlist is the canonical list of cookie name prefixes that VTEX APIs
+ * actually consume. It lives here so it's the single source of truth for the
+ * package — both `getVtexCookies()` (cookies.ts) and
+ * `extractVtexCookiesFromHeader()` (authHelpers.ts) delegate to this module.
+ */
+/**
+ * Cookie name prefixes that are VTEX-relevant and safe to forward to
+ * `*.vtexcommercestable.com.br` / `*.myvtex.com` / `secure.<storefront>` APIs.
+ */
+export const VTEX_COOKIE_PREFIXES: readonly string[] = [
+	"VtexIdclientAutCookie",
+	"checkout.vtex.com",
+	"CheckoutOrderFormOwnership",
+	"vtex_session",
+	"vtex_segment",
+	"vtex_is_",
+	"janus_sid",
+];
+export type DropReason = "non_ascii" | "not_in_allowlist" | "malformed";
+export interface DroppedCookie {
+	name: string;
+	reason: DropReason;
+}
+export interface CookieSanitizeResult {
+	/** Cookie header string ready to forward (may be empty). */
+	cookies: string;
+	/** Cookies that were filtered out, with the reason per cookie. */
+	dropped: DroppedCookie[];
+}
+export interface CookieSanitizeOptions {
+	/**
+	 * When true, additionally enforces an allowlist: only cookies whose name
+	 * starts with one of `VTEX_COOKIE_PREFIXES` are kept.
+	 * @default false
+	 */
+	allowlist?: boolean;
+}
+/**
+ * Cookie pairs are `name=value`, where `name` (token) must be visible ASCII
+ * with no separators, and `value` must be ASCII (`0x20–0x7E`) per RFC 6265.
+ * We intentionally allow `=` inside the value (some VTEX cookies are
+ * URL-encoded JWTs).
+ */
+const TOKEN_RE = /^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$/;
+const ASCII_VALUE_RE = /^[\x20-\x7E]*$/;
+/**
+ * Filter a `Cookie:` request header so it's safe to forward to a VTEX origin.
+ *
+ * Drops:
+ *   - pairs without `=` (malformed)
+ *   - pairs whose name isn't a valid HTTP token (malformed)
+ *   - pairs whose value contains non-ASCII bytes (`non_ascii`)
+ *   - when `opts.allowlist` is true: pairs not on `VTEX_COOKIE_PREFIXES`
+ *     (`not_in_allowlist`)
+ *
+ * Returns the cleaned header plus a per-cookie drop report so callers can
+ * log/observe which cookies were removed.
+ *
+ * @example
+ * ```ts
+ * const { cookies, dropped } = sanitizeOutboundCookieHeader(
+ *   request.headers.get("cookie") ?? "",
+ * );
+ * if (dropped.length) console.warn("[vtex] dropped cookies", dropped);
+ * fetch(vtexUrl, { headers: { cookie: cookies } });
+ * ```
+ */
+export function sanitizeOutboundCookieHeader(
+	raw: string,
+	opts: CookieSanitizeOptions = {},
+): CookieSanitizeResult {
+	if (!raw) return { cookies: "", dropped: [] };
+	const kept: string[] = [];
+	const dropped: DroppedCookie[] = [];
+	const allowlist = opts.allowlist === true;
+	for (const segment of raw.split(";")) {
+		const pair = segment.trim();
+		if (!pair) continue;
+		const eq = pair.indexOf("=");
+		if (eq <= 0) {
+			dropped.push({ name: pair.slice(0, 32), reason: "malformed" });
+			continue;
+		}
+		const name = pair.slice(0, eq);
+		const value = pair.slice(eq + 1);
+		if (!TOKEN_RE.test(name)) {
+			dropped.push({ name, reason: "malformed" });
+			continue;
+		}
+		if (!ASCII_VALUE_RE.test(value)) {
+			dropped.push({ name, reason: "non_ascii" });
+			continue;
+		}
+		if (allowlist && !VTEX_COOKIE_PREFIXES.some((p) => name.startsWith(p))) {
+			dropped.push({ name, reason: "not_in_allowlist" });
+			continue;
+		}
+		kept.push(`${name}=${value}`);
+	}
+	return { cookies: kept.join("; "), dropped };
+}
+/**
+ * Allowlist convenience wrapper — keep only VTEX-prefixed, ASCII-clean cookies.
+ *
+ * Equivalent to `sanitizeOutboundCookieHeader(raw, { allowlist: true }).cookies`.
+ */
+export function extractVtexCookies(raw: string): string {
+	return sanitizeOutboundCookieHeader(raw, { allowlist: true }).cookies;
+}
+/**
+ * Track which cookie names we've already warned about to avoid spamming
+ * the worker logs. Process-scoped — Cloudflare Workers reset this on each
+ * isolate restart, which is exactly the cadence we want.
+ */
+const _warned = new Set<string>();
+/**
+ * Emit a structured `console.warn` for each dropped cookie, deduped by
+ * `name+reason` for the lifetime of the worker isolate. Call sites pass an
+ * arbitrary `host` label so we can correlate in logs.
+ */
+export function warnDroppedCookies(dropped: DroppedCookie[], host: string): void {
+	if (dropped.length === 0) return;
+	for (const d of dropped) {
+		const key = `${host}::${d.name}::${d.reason}`;
+		if (_warned.has(key)) continue;
+		_warned.add(key);
+		console.warn(`[vtex.cookie.dropped] host=${host} name=${d.name} reason=${d.reason}`);
+	}
+}
+/** Reset the dedup set — exposed for tests. */
+export function _resetCookieWarnDedupForTests(): void {
+	_warned.clear();
+}

package/vtex/utils/cookies.ts CHANGED Viewed

@@ -121,29 +121,22 @@ export const proxySetCookie = (from: Headers, to: Headers, toDomain?: URL | stri
 export const CHECKOUT_DATA_ACCESS_COOKIE = "CheckoutDataAccess";
 export const VTEX_CHKO_AUTH = "Vtex_CHKO_Auth";
-/**
- * Cookie name prefixes that are VTEX-relevant.
- * Used by getVtexCookies() to filter request cookies before forwarding
- * to VTEX APIs — avoids undici non-ASCII warnings from other cookies.
- */
-export const VTEX_COOKIE_PREFIXES = [
-	"VtexIdclientAutCookie",
-	"checkout.vtex",
-	"CheckoutOrderFormOwnership",
-	"vtex_is_",
-];
+// Re-export the canonical allowlist from cookieSanitizer so consumers that
+// previously imported it from this module keep working. The single source
+// of truth lives in cookieSanitizer.ts.
+export { VTEX_COOKIE_PREFIXES } from "./cookieSanitizer";
+import { extractVtexCookies } from "./cookieSanitizer";
 /**
  * Filter a request's cookies to only VTEX-relevant ones.
- * Prevents undici non-ASCII header warnings when forwarding cookies to VTEX APIs.
+ *
+ * Strict allowlist: drops any cookie not on `VTEX_COOKIE_PREFIXES` plus any
+ * cookie whose value contains non-ASCII bytes (which would make VTEX's
+ * janus gateway return 503).
  */
 export function getVtexCookies(request: Request): string {
-	const raw = request.headers.get("cookie") ?? "";
-	return raw
-		.split(";")
-		.map((c) => c.trim())
-		.filter((c) => VTEX_COOKIE_PREFIXES.some((p) => c.startsWith(p)))
-		.join("; ");
+	return extractVtexCookies(request.headers.get("cookie") ?? "");
 }
 /**