@W-15248536@ - [v3] Google Search Console fix createCodeVerifier #150
Conversation
There was a problem hiding this comment.
yarn run check:size results:
current main branch:
PASS lib/index.cjs.js: 44.84KB < maxSize 45KB (gzip)
PASS lib/index.esm.js: 44.73KB < maxSize 45KB (gzip)
PASS commerce-sdk-isomorphic-with-deps.tgz: 338.08KB < maxSize 350KB (gzip)
google-search-console-fix-v3 branch:
PASS lib/index.cjs.js: 44.96KB < maxSize 46KB (gzip)
PASS lib/index.esm.js: 44.84KB < maxSize 46KB (gzip)
PASS commerce-sdk-isomorphic-with-deps.tgz: 390.52KB < maxSize 400KB (gzip)
We go from 338.08KB to 390.52KB which is a decent jump for commerce-sdk-isomorphic-with-deps.tgz. We should try to make this package should be as lightweight as possible so just wanted to ask a few things:
- Might be a silly question, but is it possible for us to add entropy without the use of a third party package?
- Is there a specific reason why we use
seedrandomversus an alternative package that provides similar functionality? Mostly asking if there's an alternative package we could use that is smaller in size
This PR looks good otherwise, just wanted to check for the reasoning behind the implementation
No silly question at all. I did notice the same. I think it's a good convo to have before making a decision. The reasons to use
We need to find a solution that doesn't rely on Math.random() to add entropy which is the source of the issue. I didn't find an alternative to seedrandom. The Googlebot doesn't use a deterministic value when using seedrandom. That's why we get a new number from one run to the other. |
| }, | ||
| { | ||
| "path": "commerce-sdk-isomorphic-with-deps.tgz", | ||
| "maxSize": "350 kB" | ||
| "maxSize": "400 kB" |
There was a problem hiding this comment.
Is this because that lib has a lot of docs or large source that is being added to the gzip?
There was a problem hiding this comment.
I assume that's the reason as you can see in the previous Joel's comment comparing the before and after file sizes. We added two libraries seedrandom as a dependency and @types/seedrandom as a devDependency.
But as later Joel also mentions the minimized bundle size is the size we care about and that one only increased slightly, 1KB.
Problem
When Google crawler calls createCodeVerifier() to create the code verifier we use for the PKCE authentication flow, the result from nanoid() is the same in two different runs. This causes the same generated code_challenge to be used twice thus Google crawler gets the error stating that the PKCE code_challenge must be unique error.
The root of this issue is the fact that Googlebot’s implementation of random() is deterministic, meaning that it won’t produce unique random values from one string of runs to the next.
The result is that Google crawler indexes the error page instead of the proper page.
Solution
Add entropy to nanoid() using the library
seedrandomto avoid duplicated code_challenge sent to SCAPI by Google crawler browser.Nanoid docs on Custom Random Bytes Generator.
How to Test-Drive This PR