
Incorrect Regex of idToken With Subdomains #43

Closed
ckifer opened this issue Nov 7, 2022 · 1 comment
Labels
bug Something isn't working
Milestone

Comments

@ckifer
Contributor

ckifer commented Nov 7, 2022

What happened:

Upon visiting beta.myurl.com cognito-at-edge uses the cookie from myurl.com as opposed to beta.myurl.com. They are both sent, but according to this Regex it should only parse the idToken from that of the initialized "_userPoolAppId". From my tests this doesn't seem to be the case.

This causes an infinite loop and eventual 503 on Viewer Request.

What did you expect to have happen:

The Regex correctly parses cookies even if there are multiple on the same domain of the form userPoolAppId}\..+?\.idToken=(.*?)(?:;|$)

How to reproduce this (as precisely and succinctly as possible):

Deploy cognito-at-edge to a lambda@edge function with cloudfront distro served at url of the form:
beta.myurl.com
Deploy the same setup to myurl.com making sure cookies are set from both.

Anything else you think we should know?

Environment:

  • version of cognito-at-edge being used: latest
  • node version of code base which uses cognito-at-edge: 16
  • other: works on Firefox, does not work on Chrome

Here is a contrived example with the structure that my cookies get set and sent to Lambda@edge with:


As you can see the regex is incorrect. The order of the cookies shouldn't matter.

Regex test https://regex101.com/r/GdVCo6/1

Working Regex (needs to be tested more): https://regex101.com/r/vQSdRa/1
Edit: this working regex breaks the case of a username with a . character
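
An added illustration of the failure mode described above (this is not code from cognito-at-edge or from this thread; the app client ids, username and token values are constructed). The first function mirrors the shape of the quoted pattern, run against the whole Cookie header: because `.+?` matches `;` and spaces as readily as any other character, it can span from one cookie's name into the next and return an idToken issued for a different app client. The second function splits the header into individual cookies first and then checks the exact name shape, so cookie order no longer matters, a username containing `.` still works, and a URI-encoded value (as the RFC 6265 change in #46 produces) is decoded:

```javascript
// Added example, not cognito-at-edge's own code. All ids and values are constructed.
const PREFIX = "CognitoIdentityServiceProvider";
const APP_ROOT = "root1234567890"; // constructed app client id used on myurl.com
const APP_BETA = "beta1234567890"; // constructed app client id used on beta.myurl.com

// Constructed Cookie header as a browser could send it to beta.myurl.com:
// cookies set for myurl.com and for beta.myurl.com arrive in one header,
// and the header carries no Domain information to tell them apart.
const COOKIE_HEADER = [
  `${PREFIX}.${APP_ROOT}.alice.accessToken=root-access`,
  `${PREFIX}.${APP_BETA}.alice.idToken=beta-id`,
  `${PREFIX}.${APP_ROOT}.alice.idToken=root-id`,
].join("; ");

// Pattern of the same shape as the one quoted in the issue, run over the whole header.
// `.+?` is allowed to cross a "; " boundary, so the match can start in one cookie's
// name and end in another cookie's name.
function naiveIdToken(header, appId) {
  const re = new RegExp(`${appId}\\..+?\\.idToken=(.*?)(?:;|$)`);
  const m = header.match(re);
  return m ? m[1] : null;
}

// Split the header into name/value pairs before looking at any name.
function parseCookies(header) {
  const cookies = new Map();
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    // Keep the first occurrence of a name; two cookies with an identical name
    // cannot be distinguished from the Cookie header alone.
    if (!cookies.has(name)) cookies.set(name, value);
  }
  return cookies;
}

// Accept only a name of the exact shape PREFIX.<appId>.<username>.idToken.
// The username is whatever sits between the two anchors, so dots inside it are fine.
function getIdToken(header, appId) {
  const head = `${PREFIX}.${appId}.`;
  for (const [name, value] of parseCookies(header)) {
    if (name.startsWith(head) && name.endsWith(".idToken") && name.length > head.length + ".idToken".length) {
      // Values are URI-encoded on the way out (RFC 6265 safe characters), so decode here.
      return decodeURIComponent(value);
    }
  }
  return null;
}

// Stand-alone run: the naive pattern returns beta's token for the root app client.
console.log("naive  root:", naiveIdToken(COOKIE_HEADER, APP_ROOT));
console.log("parsed root:", getIdToken(COOKIE_HEADER, APP_ROOT));
console.log("parsed beta:", getIdToken(COOKIE_HEADER, APP_BETA));
console.log("dotted user:", getIdToken(`${PREFIX}.${APP_BETA}.alice.smith.idToken=tok%3D1`, APP_BETA));
```

The cross-cookie match is the reason a request to one subdomain can be authenticated with a token minted for another app client, which is exactly the redirect loop the issue reports. Splitting on `;` first makes the parse independent of the order in which the browser lists cookies; it does not help when two cookies carry the identical name, since the Cookie header never includes the Domain attribute.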

@jeandek jeandek added the bug Something isn't working label Nov 8, 2022
@jeandek jeandek added this to the 1.2.3 milestone Nov 8, 2022
borisfba pushed a commit that referenced this issue Dec 5, 2022
…ogic (#46)

* Make produced cookies RFC 6265 compliant by URI encoding illegal characters.
* Revise cookies parsing logic to fix issues with subdomains (#43 )
@borisfba borisfba modified the milestones: 1.2.3, 1.3.1 Dec 5, 2022
@ckifer
Contributor Author

ckifer commented Dec 7, 2022

fixed in latest release #49 - closing

@ckifer ckifer closed this as completed Dec 7, 2022