@nicknisi nicknisi commented Oct 20, 2025

Sometimes, cookie-size can be exceeded by larger JWTs, which fails with odd errors as a result of the cookie not being set.

Example of cookie chunking in Chrome Devtools

This PR introduces a new cookie-chunking feature that will automatically break up too-large JWTs across several cookies, reassembling them seamlessly when requested.

If no chunking is required, the cookie will remain as WORKOS_COOKIE_NAME (defaulted to wos-session). If chunking is needed, it will be ${WORKOS_COOKIE_NAME || 'wos-session'}.${chunkIndex}.
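
The split and reassembly described above, as an added TypeScript example that is not the PR's or the library's code: `chunkIndex`, `toCookies`, `fromCookies`, `staleNames` and the 3200-character budget are hypothetical. It goes one step past the description by also listing the leftover chunk cookies that have to be expired when a session shrinks.

```typescript
// Added example: hypothetical helpers, not the library's chunkValue/readValue.
// Assumed value budget per cookie; browsers cap name + value + attributes near 4096 bytes.
const MAX_CHUNK = 3200;

// -1 for the base name, n for `${cookieName}.n`, null for anything else
// (so `${cookieName}.theme.1` is not treated as a chunk).
function chunkIndex(name: string, cookieName: string): number | null {
  if (name === cookieName) return -1;
  const rest = name.startsWith(`${cookieName}.`) ? name.slice(cookieName.length + 1) : '';
  return /^\d+$/.test(rest) ? Number(rest) : null;
}

// Split a value (assumed ASCII, as an encoded session is) into the cookies to set.
function toCookies(cookieName: string, value: string, max: number = MAX_CHUNK): Map<string, string> {
  const out = new Map<string, string>();
  if (value.length <= max) return out.set(cookieName, value);
  for (let i = 0, n = 0; i < value.length; i += max, n++) {
    out.set(`${cookieName}.${n}`, value.slice(i, i + max));
  }
  return out;
}

// Join contiguous chunks 0..n; fall back to the base cookie when there are none.
// Assumption of this example: chunks win over the base cookie if both are present.
function fromCookies(cookieName: string, cookies: Map<string, string>): string | undefined {
  let joined = '';
  for (let n = 0; ; n++) {
    const part = cookies.get(`${cookieName}.${n}`);
    if (part === undefined) break;
    joined += part;
  }
  return joined === '' ? cookies.get(cookieName) : joined;
}

// Session cookies on the request that the fresh write does not cover. They must be
// expired, otherwise a later read would pick up old chunks instead of the new value.
function staleNames(cookieName: string, existing: Map<string, string>, fresh: Map<string, string>): string[] {
  return Array.from(existing.keys()).filter((n) => chunkIndex(n, cookieName) !== null && !fresh.has(n));
}

// Constructed demo: a session shrinks from three chunks to a single base cookie.
const large = toCookies('wos-session', 'abcdefghij', 4);
const shrunk = toCookies('wos-session', 'abc', 4);
console.log(staleNames('wos-session', large, shrunk));
```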

@nicknisi nicknisi force-pushed the nicknisi/cookie-chunking branch from 7e6774c to 481ece3 Compare October 20, 2025 11:20
@nicknisi nicknisi changed the title Add Cookie Chunking to handle large JWTs feat: Add Cookie Chunking to handle large JWTs Oct 20, 2025
@nicknisi nicknisi marked this pull request as ready for review October 20, 2025 11:23
@nicknisi nicknisi requested a review from a team as a code owner October 20, 2025 11:23

@nholden nholden left a comment

Looking good! Left a couple of non-blocking thoughts.

cc @stacurry since I know you're working on documenting WorkOS cookies.

Comment on lines +71 to +78
// Delete all session cookies (base + chunks)
const allCookies = nextCookies.getAll();
for (const cookie of allCookies) {
// Delete base cookie or any chunked cookie (cookieName.0, cookieName.1, etc.)
if (cookie.name === cookieName || (cookie.name.startsWith(`${cookieName}.`) && /\.\d+$/.test(cookie.name))) {
nextCookies.delete({ name: cookie.name, domain, path, sameSite, secure });
}
}
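
Review bot: the chunk test on the `if` line accepts any name that starts with `${cookieName}.` and ends in `.<digits>`, so an unrelated cookie such as `wos-session.theme.1` would also be deleted. Match the whole suffix instead (everything after `${cookieName}.` must be digits only), and keep that check in one place so the read path and the delete path cannot drift apart.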
Seeing some regex duplication here. Should cookie-chunker be responsible for finding the cookie names from a list of all cookies?

Comment on lines +179 to +182
request.cookies.getAll().forEach((cookie) => {
existingCookies[cookie.name] = cookie.value;
});
const encryptedSession = readValue(cookieName, existingCookies);
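
Review bot: `existingCookies[cookie.name] = cookie.value` uses request-supplied names as keys; if `existingCookies` is a plain object (its declaration is outside these lines), a name like `__proto__` goes through the prototype setter instead of being stored as data. Building it with `Object.create(null)` or a `Map`, or copying only `cookieName` and its numbered chunks, keeps the lookup in `readValue` limited to real cookies.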
Should readValue and chunkValue accept an array of objects (the response value of Next.js's getAll as well as what awaiting the response of the getAll method on the CookieStore API will return)?
