Skip to content

feat: implement skew protection#11987

Merged
Rich-Harris merged 14 commits intomainfrom
skew-protection
Mar 19, 2024
Merged

feat: implement skew protection#11987
Rich-Harris merged 14 commits intomainfrom
skew-protection

Conversation

@Rich-Harris
Copy link
Copy Markdown
Member

@Rich-Harris Rich-Harris commented Mar 15, 2024
edited by teemingc
Loading

closes #10947

This implements Vercel Skew Protection. Tested manually

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Mar 15, 2024
edited
Loading

🦋 Changeset detected

Latest commit: d9bb954

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/adapter-vercel Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

cramforce
cramforce reviewed Mar 15, 2024
View reviewed changes
@teemingc teemingc added the pkg:adapter-vercel Pertaining to the Vercel adapter label Mar 15, 2024
dummdidumm
dummdidumm reviewed Mar 15, 2024
View reviewed changes
@leerob
Copy link
Copy Markdown
Contributor

leerob commented Mar 15, 2024

Woohoo! Thank you for implementing this 🥳

benmccann
benmccann reviewed Mar 15, 2024
View reviewed changes
dummdidumm
dummdidumm reviewed Mar 15, 2024
View reviewed changes
packages/adapter-vercel/index.js Outdated
value: 'document'
},
headers: {
'Set-Cookie': `__vdpl=${process.env.VERCEL_DEPLOYMENT_ID}; Path=/${builder.config.kit.paths.base}; SameSite=Strict; Secure; HttpOnly`
Copy link
Copy Markdown
Member

@dummdidumm dummdidumm Mar 15, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

previously you deleted the cookie for the version.json route - is that not necessary after all? Not necessary because it's not a document request?

Copy link
Copy Markdown
Member Author

@Rich-Harris Rich-Harris Mar 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

correct — we only care about non-document requests for this file. AFAICT there's no way to set multiple cookies (you can't do set-cookie: [...], and if you add a header in multiple continue routes the last one wins), so we had to get rid of it

Copy link
Copy Markdown
Member Author

@Rich-Harris Rich-Harris Mar 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wait, no, hang on... this is a problem — the version.json will be requested with the old deployment ID. gah

Copy link
Copy Markdown
Member Author

@Rich-Harris Rich-Harris Mar 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(this seemed to work in my testing, because the cookie was still in my browser from the earlier iteration 🤦 )

Copy link
Copy Markdown
Member Author

@Rich-Harris Rich-Harris Mar 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've 'fixed' this by setting the second set-cookie header on the response for the entry point, since we know it will happen before the client hydrates. Since adapters don't have access to the build manifest, this involves some hackery, but hopefully we can remove it in future once the Build Output API supports setting multiple set-cookie headers in a single response.

Rich-Harris and others added 2 commits March 15, 2024 17:58
@Rich-Harris
fix
b02dae8
@Rich-Harris @benmccann
Update .changeset/slow-drinks-burn.md
88b8346 
Co-authored-by: Ben McCann <322311+benmccann@users.noreply.github.com>
@Rich-Harris Rich-Harris marked this pull request as draft March 15, 2024 22:21
@Rich-Harris Rich-Harris marked this pull request as ready for review March 19, 2024 13:33
@Rich-Harris Rich-Harris merged commit af5a257 into main Mar 19, 2024
@Rich-Harris Rich-Harris deleted the skew-protection branch March 19, 2024 13:52
@github-actions github-actions bot mentioned this pull request Mar 18, 2024
Merged
@danielroe danielroe mentioned this pull request Mar 25, 2024
Closed
1 task
@benmccann benmccann mentioned this pull request Mar 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benmccann benmccann benmccann left review comments

@dummdidumm dummdidumm dummdidumm left review comments

@trueadm trueadm trueadm approved these changes

+1 more reviewer

@cramforce cramforce cramforce left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

pkg:adapter-vercel Pertaining to the Vercel adapter

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support Vercel's skew protection

7 participants

@Rich-Harris @leerob @cramforce @benmccann @trueadm @dummdidumm @teemingc