Cookie chunking support #1975

Merged
merged 5 commits into from
Mar 28, 2025

@tusharpandey13 tusharpandey13 commented Mar 18, 2025

Changes

This PR changes the cookie store/retrieve strategy to use cookie chunking on the session cookie.
Also fixed some warnings in some test files.

Write behaviour

  • When the session size is larger than 3500 bytes, it will be saved as multiple chunks, delimited by __index.
  • Else, a single __session cookie is stored.

Read behaviour

Read behaviour is backwards compatible with v4.X.X and v3.X.X versions

Testing

PASSING

Test Files  10 passed (10)
      Tests  157 passed (157)
   Start at  17:11:08
   Duration  600ms (transform 249ms, setup 0ms, collect 852ms, tests 203ms, environment 1ms, prepare 462ms)

@tusharpandey13 tusharpandey13 requested a review from a team as a code owner March 18, 2025 11:43

codecov-commenter commented Mar 18, 2025

Codecov Report

Attention: Patch coverage is 98.05825% with 2 lines in your changes missing coverage. Please review.

Project coverage is 77.57%. Comparing base (3a1e7b3) to head (c04b016).

Files with missing lines Patch % Lines
src/server/cookies.ts 97.67% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1975      +/-   ##
==========================================
+ Coverage   76.19%   77.57%   +1.38%     
==========================================
  Files          21       21              
  Lines        1525     1610      +85     
  Branches      242      259      +17     
==========================================
+ Hits         1162     1249      +87     
+ Misses        356      354       -2     
  Partials        7        7              

@tusharpandey13 tusharpandey13 changed the title from "chunked cookies implementation with tests, fixed some warnings in other tests related to await expect" to "Cookie chunking support" Mar 18, 2025

@jesseflikweerteo

Don't get me wrong, I do not want to be pushy, but we're waiting on this to release our SDK v4 implementation. When'll this be merged?

@tusharpandey13 tusharpandey13 merged commit a536d8e into main Mar 28, 2025
13 of 19 checks passed
@tusharpandey13 tusharpandey13 deleted the feature/cookieChunking branch March 28, 2025 15:56
@tusharpandey13 tusharpandey13 mentioned this pull request Mar 28, 2025

ik-southpole commented Apr 4, 2025

Hello, looks like this change broke our integration. We are getting 431 Request Header Fields Too Large when we rewrite the request to the internal API. Rolling back to v4.2.1 resolved the problem. I understand that our cookies can be large but I'm wondering why it works prior to v4.3.0.

v4.2.1 cookies

image

v4.3.0 cookies

image

import { AccessTokenError, AuthorizationCodeGrantError } from "@auth0/nextjs-auth0/errors";
import { NextRequest, NextResponse, type MiddlewareConfig } from "next/server";

export async function middleware(req: NextRequest): Promise<NextResponse> {
  const res = await auth0.middleware(req);
  if (req.nextUrl.pathname.startsWith("/auth")) {
    return res;
  }
  try {
    const { token } = await auth0.getAccessToken(req, res);
    if (req.nextUrl.pathname.startsWith("/v1")) {
      const url = new URL(...);
      url.pathname += req.nextUrl.pathname;
      url.search = req.nextUrl.search;
      const headers = new Headers(res.headers); // <- this causes problem
      headers.set("Authorization", `Bearer ${token}`);
      return NextResponse.rewrite(url, { headers }); // <- because the remote server allows up to 5mb 
    }
    return res;
  } catch (error) {
    // ...
  }
}

@ik-southpole

For some reason, we get two cookies set that explode the size of the overall cookies. Why is that?

@frederikprijck
Member

What is the total size of your cookies and how many cookies do you have?

You are seeing two cookies because we:

  • Added the id token in the cookie
  • Added cookie chunking to split cookies when they exceed the single-cookie size-limit.


ik-southpole commented Apr 4, 2025

There are only two cookies and they are both from nextjs-auth0. Using v4.2.1, we had 1 cookie with a size of 3572. Using v4.3.0, we got two cookies with a total size of 3512 + 1713 = 5225. So it exceeds the regular threshold for cookie size. How can we opt out from ID token being added to cookies?

@ik-southpole

Ok, I'm going to move to #1978
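
An added illustration of the write and read behaviour in the PR description and of the cookie-size arithmetic raised in the comments above; it is not the SDK's code. The `__session__<index>` chunk name, the rejection of incomplete chunk sets and the helper names are assumptions, and values are treated as ASCII so that string length equals byte count.

```typescript
// Added example: not the code in src/server/cookies.ts.
const COOKIE_NAME = "__session"; // single-cookie name from the PR description
const MAX_CHUNK_SIZE = 3500;     // size threshold from the PR description
const CHUNK_NAME = /^__session__(\d+)$/; // assumed chunk name: __session__<index>

type CookieJar = Map<string, string>;

// Write: one cookie when the value fits, otherwise indexed chunks.
// The value is assumed to be ASCII (an encrypted, base64url-style string),
// so string length equals byte length.
function writeSession(value: string): CookieJar {
  const jar: CookieJar = new Map();
  if (value.length <= MAX_CHUNK_SIZE) {
    jar.set(COOKIE_NAME, value);
    return jar;
  }
  for (let off = 0, i = 0; off < value.length; off += MAX_CHUNK_SIZE, i++) {
    jar.set(`${COOKIE_NAME}__${i}`, value.slice(off, off + MAX_CHUNK_SIZE));
  }
  return jar;
}

// Read: accept the un-chunked cookie, else rebuild from chunks in numeric
// order. A set with a missing index is rejected so that a truncated value
// is never handed on to decryption.
function readSession(jar: CookieJar): string | undefined {
  const single = jar.get(COOKIE_NAME);
  if (single !== undefined) return single;
  const chunks: Array<[number, string]> = [];
  jar.forEach((val, name) => {
    const m = CHUNK_NAME.exec(name);
    if (m) chunks.push([Number(m[1]), val]);
  });
  chunks.sort((a, b) => a[0] - b[0]);
  if (chunks.length === 0 || !chunks.every((c, i) => c[0] === i)) return undefined;
  return chunks.map((c) => c[1]).join("");
}

// Length of the Cookie request header a browser would send for this jar;
// this is the number to compare with an upstream header-size limit.
function cookieHeaderSize(jar: CookieJar): number {
  const pairs: string[] = [];
  jar.forEach((val, name) => pairs.push(`${name}=${val}`));
  return pairs.join("; ").length;
}
```

Chunking keeps each cookie under the per-cookie limit, but the total sent on every request still grows with the session, which is what a proxy or upstream header limit measures.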
