Headers.append: xxx is an invalid header value

[brunoscopelliti]

Checklist

• The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

I've reproduced the problem also with nextjs-auth0 sample app.

Add a new endpoint, that uses auth0.updateSession to update session.

export const PATCH = async function route(request) {
  try {
    const session = await auth0.getSession();

    const response = NextResponse.json({
      data: session.user,
      status: 'OK'
    });

    await auth0.updateSession(request, response, { ...session, user: { ...session.user, updated: true } });

    return response;
  } catch (error) {
    return NextResponse.json({ error: error.message }, { status: error.status || 500 });
  }
};

When I call this endpoint I get this error:

'Headers.append: "append(name, value) {
        webidl.brandCheck(this, _Headers);
        webidl.argumentLengthCheck(arguments, 2, "Headers.append");
        const prefix = "Headers.append";
        name = webidl.converters.ByteString(name, prefix, "name");
        value = webidl.converters.ByteString(value, prefix, "value");
        return appendHeader(this, name, value);
      }" is an invalid header value.'

The error is triggered in this function:

createRequestCookies(req) {
    const headers = new Headers();
    for (const key in req.headers) {
        if (Array.isArray(req.headers[key])) {
            for (const value of req.headers[key]) {
                headers.append(key, value);
            }
        }
        else {
            headers.append(key, req.headers[key] ?? "");
        }
    }
    return new _cookies_js__WEBPACK_IMPORTED_MODULE_4__.RequestCookies(headers);
}

I suspect the error stems from the fact we are using for…in loop, that loops over the properties of the headers object (append, delete, get, …), instead of for…of, that loops over the list of actual headers (['accept', '*/*'], ['accept-encoding', 'gzip, deflate, br, zstd'], …).

Could someone please confirm this?

Reproduction

See description.

Additional context

No response

nextjs-auth0 version

4.8.0

Next.js version

15.2.4

Node.js version

22.12

[tusharpandey13]

Hi 👋
Thanks for reporting this, can confirm this was reproduced.
We'll open a PR that fixes this and will push it in the next minor/patch release.