fix(server): pass valid sign in to context server side

Author: jrea

apps/nextjs-kitchensink/app/invites/InvitesIndex.tsx

@@ -9,6 +9,7 @@ export default async function InvitesIndex() {
   const me = await nile.users.getSelf();
 
   return (
+  cssonsole.log(me, 'wtf?');
     <EnsureSignedIn me={me}>
       <TenantsAndTables me={me as unknown as User} />
     </EnsureSignedIn>

apps/nextjs-kitchensink/app/verify-email/page.tsx

@@ -57,6 +57,7 @@ export default async function VerifyEmailPage() {
   );
 }
 
+// not common, but update the users without tenant context, because that's what I want to do.
 async function unVerifyEmail() {
   'use server';
   const me = await nile.users.getSelf();
@@ -66,10 +67,12 @@ async function unVerifyEmail() {
       error: 'Not logged in',
     };
   }
-  await nile.db.query(
-    'update users.users set email_verified = NULL where id = $1',
-    [me.id]
-  );
+  await nile.withContext({ ddl: true }, async (ddl) => {
+    await ddl.db.query(
+      'update users.users set email_verified = NULL where id = $1',
+      [me.id]
+    );
+  });
   revalidatePath('/verify-email');
   return { ok: true };
 }

packages/server/src/Server.ts

@@ -59,8 +59,10 @@ export class Server {
 
     watchHeaders((headers) => {
       if (headers) {
+        // internally we can call this for sign in, among other things. Be sure the next request still works.
         this.#config.context.headers = new Headers(headers);
-        // this.setContext(headers);
+        // this is always true when called internally
+        this.#config.context.preserveHeaders = true;
         this.#reset();
       }
     });

packages/server/src/api/utils/request-context.ts

@@ -57,8 +57,17 @@ export const ctx: CTX = {
     if (partial.headers === null) {
       store.headers = new Headers();
     } else if (partial.headers && store.headers instanceof Headers) {
-      for (const [k, v] of new Headers(partial.headers).entries()) {
-        store.headers.set(k, v);
+      for (const [key, value] of new Headers(partial.headers).entries()) {
+        if (key.toLowerCase() === 'cookie') {
+          const existingCookies = parseCookieHeader(
+            store.headers.get('cookie') || ''
+          );
+          const newCookies = parseCookieHeader(value);
+          const mergedCookies = { ...existingCookies, ...newCookies };
+          store.headers.set('cookie', serializeCookies(mergedCookies));
+        } else {
+          store.headers.set(key, value);
+        }
       }
     }
 
@@ -148,3 +157,21 @@ function serializeContext(context: Context): string {
     preserveHeaders: context.preserveHeaders,
   });
 }
+
+function parseCookieHeader(header: string): Record<string, string> {
+  return header
+    .split(';')
+    .map((c) => c.trim())
+    .filter(Boolean)
+    .reduce((acc, curr) => {
+      const [key, ...val] = curr.split('=');
+      if (key) acc[key] = val.join('=');
+      return acc;
+    }, {} as Record<string, string>);
+}
+
+function serializeCookies(cookies: Record<string, string>): string {
+  return Object.entries(cookies)
+    .map(([k, v]) => `${k}=${v}`)
+    .join('; ');
+}

packages/server/src/auth/index.ts

@@ -565,7 +565,7 @@ export default class Auth {
           .join('; ');
         const uHeaders = new Headers({ cookie });
         updateHeaders(uHeaders);
-        ctx.set({ headers: uHeaders });
+        ctx.set({ headers: uHeaders, preserveHeaders: true });
       } else {
         error('Unable to set context after sign in', {
           headers: signInRes.headers,

packages/server/src/tenants/index.ts

@@ -16,6 +16,7 @@ import obtainCsrf from '../auth/obtainCsrf';
 import { NileRequest } from '../types';
 import { User } from '../users/types';
 import { Config } from '../utils/Config';
+import { fQUrl } from '../utils/qualifyDomain';
 
 import { Invite, Tenant } from './types';
 
@@ -360,11 +361,12 @@ export default class Tenants {
             identifier = req.email;
           }
 
+          const { callbackUrl: cbUrl } = defaultCallbackUrl(this.#config);
           if ('callbackUrl' in req) {
-            callbackUrl = fQUrl(req.callbackUrl ?? '', this.#config);
+            callbackUrl = fQUrl(cbUrl, req.callbackUrl ?? '/');
           }
           if ('redirectUrl' in req) {
-            redirectUrl = fQUrl(req.redirectUrl ?? '', this.#config);
+            redirectUrl = fQUrl(cbUrl, req.redirectUrl ?? '/');
           }
         }
 
@@ -492,19 +494,3 @@ export function defaultCallbackUrl(config: Config) {
   }
   return { callbackUrl: cb, redirectUrl: redirect };
 }
-
-function fQUrl(path: string, config: Config) {
-  if (path.startsWith('/')) {
-    const { callbackUrl } = defaultCallbackUrl(config);
-    if (callbackUrl) {
-      const { origin } = new URL(callbackUrl);
-      return `${origin}${path}`;
-    }
-  }
-  try {
-    new URL(path);
-  } catch {
-    throw new Error('An invalid URL has been passed.');
-  }
-  return path;
-}

packages/server/src/users/index.ts

@@ -6,6 +6,7 @@ import getCsrf from '../auth/obtainCsrf';
 import { Loggable } from '../utils/Logger';
 import { parseCallback } from '../auth';
 import { ctx, withNileContext } from '../api/utils/request-context';
+import { fQUrl } from '../utils/qualifyDomain';
 
 import { User } from './types';
 
@@ -132,10 +133,10 @@ export default class Users {
     return withNileContext(this.#config, async () => {
       const bypassEmail =
         typeof options === 'object' && options?.bypassEmail === true;
-      const callbackUrl =
-        typeof options === 'object'
-          ? options.callbackUrl
-          : defaultCallbackUrl().callbackUrl;
+      const callbackUrl = fQUrl(
+        defaultCallbackUrl().callbackUrl,
+        typeof options === 'object' ? String(options.callbackUrl) : '/'
+      );
 
       let res;
 

packages/server/src/utils/qualifyDomain.ts

@@ -0,0 +1,14 @@
+export function fQUrl(callbackUrl: null | string, path: string) {
+  if (path.startsWith('/')) {
+    if (callbackUrl) {
+      const { origin } = new URL(callbackUrl);
+      return `${origin}${path}`;
+    }
+  }
+  try {
+    new URL(path);
+  } catch {
+    throw new Error('An invalid URL has been passed.');
+  }
+  return path;
+}