[PR #403] [MERGED] fix: RequestCookie behavior and getAll(name) #546

New issue

Closed

opened 2026-05-06 13:08:41 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 13:08:41 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/403
Author: @JaredStowell
Created: 3/10/2026
Status: ✅ Merged
Merged: 3/10/2026
Merged by: @james-elicx

Base: main ← Head: jstowell/fix-request-cookies-parity

📝 Commits (3)

686c254 Verify cookie header parsing
d9d125a Fix empty cookie handling
f21030c Fix empty cookie parsing fallback

📊 Changes

4 files changed (+281 additions, -27 deletions)

View changed files

📝 packages/vinext/src/shims/headers.ts (+11 -15)
➕ packages/vinext/src/shims/internal/parse-cookie-header.ts (+32 -0)
📝 packages/vinext/src/shims/server.ts (+7 -12)
📝 tests/shims.test.ts (+231 -0)

📄 Description

Align vinext request-cookie behavior with the current Next.js runtime in both request-cookie implementations:

packages/vinext/src/shims/headers.ts
packages/vinext/src/shims/server.ts

What changed

Fix `RequestCookies.getAll(name)`

getAll(name) was ignoring its argument and returning the full cookie list.

Before, with:

cookie: a=1; a=2; b=3

vinext returned:

get('a') => { name: 'a', value: '2' }
getAll('a') => [{ name: 'a', value: '2' }, { name: 'b', value: '3' }]

Now it returns:

get('a') => { name: 'a', value: '2' }
getAll('a') => [{ name: 'a', value: '2' }]

This now works for both overloads:

getAll("a")
getAll({ name: "a" })

Missing names now correctly return [].

While expanding coverage, I found both request-cookie parsers also diverged from current Next.js runtime behavior.

Both shims now match next@16.1.6 for:

duplicate names collapsing to the last value
percent-decoding cookie values
ignoring malformed percent-encoded values
treating bare cookie tokens as "true"

Examples:

token=abc%3D123 => abc=123
bad=%E0%A4%A => skipped
flag => { name: "flag", value: "true" }

applyMiddlewareRequestHeaders() now rebuilds the cookie map using the same parser, so middleware-rewritten cookie headers behave the same as initially parsed request headers.

Tests

Added targeted regressions in tests/shims.test.ts covering:

getAll("name")
getAll({ name })
missing-name lookups
duplicate-name behavior
percent-decoding
malformed encoded values
bare token cookies
middleware cookie rewrites with duplicate names

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/403 **Author:** [@JaredStowell](https://github.com/JaredStowell) **Created:** 3/10/2026 **Status:** ✅ Merged **Merged:** 3/10/2026 **Merged by:** [@james-elicx](https://github.com/james-elicx) **Base:** `main` ← **Head:** `jstowell/fix-request-cookies-parity` --- ### 📝 Commits (3) - [`686c254`](https://github.com/cloudflare/vinext/commit/686c25493c0a347013b04db3300d4605fb7d5096) Verify cookie header parsing - [`d9d125a`](https://github.com/cloudflare/vinext/commit/d9d125a040ba1255b251c7235d2427287a61f275) Fix empty cookie handling - [`f21030c`](https://github.com/cloudflare/vinext/commit/f21030ca39a02ccccaacaf4101ec890aeccc23e6) Fix empty cookie parsing fallback ### 📊 Changes **4 files changed** (+281 additions, -27 deletions) <details> <summary>View changed files</summary> 📝 `packages/vinext/src/shims/headers.ts` (+11 -15) ➕ `packages/vinext/src/shims/internal/parse-cookie-header.ts` (+32 -0) 📝 `packages/vinext/src/shims/server.ts` (+7 -12) 📝 `tests/shims.test.ts` (+231 -0) </details> ### 📄 Description Align vinext request-cookie behavior with the current Next.js runtime in both request-cookie implementations: - `packages/vinext/src/shims/headers.ts` - `packages/vinext/src/shims/server.ts` ## What changed ### Fix `RequestCookies.getAll(name)` `getAll(name)` was ignoring its argument and returning the full cookie list. Before, with: ```http cookie: a=1; a=2; b=3 ``` vinext returned: - `get('a') => { name: 'a', value: '2' }` - `getAll('a') => [{ name: 'a', value: '2' }, { name: 'b', value: '3' }]` Now it returns: - `get('a') => { name: 'a', value: '2' }` - `getAll('a') => [{ name: 'a', value: '2' }]` This now works for both overloads: - `getAll("a")` - `getAll({ name: "a" })` Missing names now correctly return `[]`. ### Align request cookie parsing with current Next.js runtime While expanding coverage, I found both request-cookie parsers also diverged from current Next.js runtime behavior. Both shims now match `next@16.1.6` for: - duplicate names collapsing to the last value - percent-decoding cookie values - ignoring malformed percent-encoded values - treating bare cookie tokens as `"true"` Examples: - `token=abc%3D123` => `abc=123` - `bad=%E0%A4%A` => skipped - `flag` => `{ name: "flag", value: "true" }` ### Keep middleware cookie rewrites consistent `applyMiddlewareRequestHeaders()` now rebuilds the cookie map using the same parser, so middleware-rewritten `cookie` headers behave the same as initially parsed request headers. ## Tests Added targeted regressions in `tests/shims.test.ts` covering: - `getAll("name")` - `getAll({ name })` - missing-name lookups - duplicate-name behavior - percent-decoding - malformed encoded values - bare token cookies - middleware cookie rewrites with duplicate names --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>