fix(start-server-core): copy immutable Response.redirect() headers when merging pending set-cookie values#7765
Conversation
…en merging pending set-cookie values
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughFixes a bug where merging pending set-cookie headers into an immutable Response (e.g., from Response.redirect()) threw a TypeError, causing a 500 error. mergeEventResponseHeaders now returns a merged Response, copying it when headers can't be mutated; attachResponseHeaders returns this result. Tests and a changeset are added. ChangesImmutable header merge fix
Estimated code review effort: 2 (Simple) | ~12 minutes Sequence Diagram(s)sequenceDiagram
participant Handler
participant attachResponseHeaders
participant mergeEventResponseHeaders
participant Response
Handler->>attachResponseHeaders: return Response.redirect(url)
attachResponseHeaders->>mergeEventResponseHeaders: merge(response, event)
mergeEventResponseHeaders->>Response: delete set-cookie header
Response--x mergeEventResponseHeaders: throws TypeError (immutable)
mergeEventResponseHeaders->>Response: copy into new mutable Response
mergeEventResponseHeaders->>Response: append merged set-cookie values
mergeEventResponseHeaders-->>attachResponseHeaders: merged Response
attachResponseHeaders-->>Handler: merged Response (302 with cookies)
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
returning
Response.redirect()from a handler after callingsetCookie()crashes the whole request —mergeEventResponseHeaderscalls.delete('set-cookie')on the redirect's headers, which are immutable per spec, so the merge throwsTypeError: Headers are immutableand the user gets a 500 instead of their redirect + cookie.fixed by copying the response (same status/statusText/body, fresh mutable headers) when the in-place delete throws, and merging into the copy. mutable responses keep the exact in-place behavior they had before.
added two tests: the redirect case fails without the fix and passes with it, and a mutable non-ok response still merges the same way. the three test files already failing in this package (
createCsrfMiddleware,createStartHandler,frame-protocol) fail identically on a clean checkout of main, so they're unrelated.fixes #7755
Summary by CodeRabbit
Bug Fixes
Tests