Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Chunk long cookies #1758

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Chunk long cookies #1758

wants to merge 10 commits into from
+203 −18

Conversation

jpolvto
Copy link
Contributor

@jpolvto jpolvto commented Jan 20, 2025

Splits the JWT token over multiple cookies if it's too big. Should resolve #1685. It's a bit hard to check, since my account doesn't have a large JWT token. @dokterbob

@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. auth Pertaining to authentication. backend Pertains to the Python backend. labels Jan 20, 2025
@fcestari
Copy link

@jpolvto, I have tested a few times with a large JWT token and I can confirm it has worked on my side.

@dokterbob dokterbob changed the title Fix from anthonym1991 #1685 Chunk long cookies Jan 20, 2025
dokterbob
dokterbob reviewed Jan 20, 2025
View reviewed changes
Copy link
Collaborator

@dokterbob dokterbob left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the quick contrib!

We'd love to get this in soon, but as this code will affect nearly all users we need to thread carefully.

In addition to the issues pointed out in the code, I'd love to see unit test coverage of cookie getting and setting. This includes a test for the specific bug pointed out! If you need help on approach to testing, DM me on Discord.

I would also suggest implementing this workaround (which is what it is!) such that the behaviour for typical tokens doesn't change. Plus a test that indeed it doesn't.

One way to do this:

  • access_token_0 present -> look for _1 etc.
  • access_token present -> cookie fits, no need to look for _1 etc.

When setting cookies, we need to check for chunked cookies and, if they exist, ensure cookies beyond what we're currently setting get deleted!

As a bonus, this will provide a clear distinction between chunked and non-chunked codepaths, making it easy to remove this once a more elegant/sane response than sending extra 4k+

backend/chainlit/auth/cookie.py Outdated
@@ -76,26 +76,60 @@ async def __call__(self, request: Request) -> Optional[str]:
return token


def reconstruct_token_from_cookies(request_cookies: dict) -> Optional[str]:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest a clearer signature.

Something like get_token_from_cookies(cookies: dict[str, str]) -> Optional[str].

backend/chainlit/auth/cookie.py Outdated

return joined if joined != "" else None


def set_auth_cookie(response: Response, token: str):
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should be careful here to ensure the case where we're overwriting cookies and not deleting old ones.

Imagine:

  1. set_auth_cookie(r, 'incredibly_<...>_long_token') sets access_token_0, access_token_1.
  2. set_auth_cookie(r, 'more_reasonable_token') sets only access_token_0.
  3. get_token_from_cookies(🍪) returns the concatenation of the new access_token_0 and the old access_token_1.

dokterbob
dokterbob requested changes Jan 20, 2025
View reviewed changes
Copy link
Collaborator

@dokterbob dokterbob left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See prior review. ;)

Forgot to set status properly.

@dokterbob dokterbob added the blocked Awaiting update or feedback from user after initial review/comments. label Jan 20, 2025
@dokterbob
Copy link
Collaborator

@jpolvto Happy to see your applying requested changes!

If you need support writing tests, let me know. I've a bit of capacity available as this is blocking lot's of users.

@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Jan 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dokterbob dokterbob dokterbob requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
auth Pertaining to authentication. backend Pertains to the Python backend. blocked Awaiting update or feedback from user after initial review/comments. size:L This PR changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Users with large JWT tokens are unauthorized (401) to access chailit due to having a cookie larger than 4kb
3 participants
@jpolvto @fcestari @dokterbob