Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: implement skew protection #11987

Merged
merged 14 commits into from
Mar 19, 2024
Merged

feat: implement skew protection #11987

merged 14 commits into from
Mar 19, 2024

Conversation

Rich-Harris
Copy link
Member

@Rich-Harris Rich-Harris commented Mar 15, 2024
edited by eltigerchino
Loading

closes #10947

This implements Vercel Skew Protection. Tested manually

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Mar 15, 2024
edited
Loading

🦋 Changeset detected

Latest commit: d9bb954

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/adapter-vercel Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@eltigerchino eltigerchino added the pkg:adapter-vercel Pertaining to the Vercel adapter label Mar 15, 2024
@leerob
Copy link
Contributor

leerob commented Mar 15, 2024

Woohoo! Thank you for implementing this 🥳

dummdidumm
dummdidumm reviewed Mar 15, 2024
View reviewed changes
packages/adapter-vercel/index.js Outdated
value: 'document'
},
headers: {
'Set-Cookie': `__vdpl=${process.env.VERCEL_DEPLOYMENT_ID}; Path=/${builder.config.kit.paths.base}; SameSite=Strict; Secure; HttpOnly`
Copy link
Member

@dummdidumm dummdidumm Mar 15, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

previously you deleted the cookie for the version.json route - is that not necessary after all? Not necessary because it's not a document request?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

correct — we only care about non-document requests for this file. AFAICT there's no way to set multiple cookies (you can't do set-cookie: [...], and if you add a header in multiple continue routes the last one wins), so we had to get rid of it

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wait, no, hang on... this is a problem — the version.json will be requested with the old deployment ID. gah

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(this seemed to work in my testing, because the cookie was still in my browser from the earlier iteration 🤦 )

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've 'fixed' this by setting the second set-cookie header on the response for the entry point, since we know it will happen before the client hydrates. Since adapters don't have access to the build manifest, this involves some hackery, but hopefully we can remove it in future once the Build Output API supports setting multiple set-cookie headers in a single response.

@Rich-Harris Rich-Harris marked this pull request as draft March 15, 2024 22:21
@Rich-Harris Rich-Harris marked this pull request as ready for review March 19, 2024 13:33
@Rich-Harris Rich-Harris merged commit af5a257 into main Mar 19, 2024
13 checks passed
@Rich-Harris Rich-Harris deleted the skew-protection branch March 19, 2024 13:52
@github-actions github-actions bot mentioned this pull request Mar 18, 2024
Merged
@danielroe danielroe mentioned this pull request Mar 25, 2024
Open
1 task
@benmccann benmccann mentioned this pull request Mar 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dummdidumm dummdidumm dummdidumm left review comments

@benmccann benmccann benmccann left review comments

@cramforce cramforce cramforce left review comments

@trueadm trueadm trueadm approved these changes

Assignees
No one assigned
Labels
pkg:adapter-vercel Pertaining to the Vercel adapter
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support Vercel's skew protection
7 participants
@Rich-Harris @leerob @cramforce @benmccann @trueadm @dummdidumm @eltigerchino