Skip to content

fix(vnda): filter proxy cookies to prevent RequestHeaderSectionTooLarge#1633

Merged
guitavano merged 1 commit into
mainfrom
fix/vnda-proxy-header-size
Jul 1, 2026
Merged

fix(vnda): filter proxy cookies to prevent RequestHeaderSectionTooLarge#1633
guitavano merged 1 commit into
mainfrom
fix/vnda-proxy-header-size

Conversation

@guitavano

@guitavano guitavano commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds allowedCookies option to the generic proxy handler (website/handlers/proxy.ts) that filters cookies to an allowlist before forwarding
  • Configures VNDA proxy to only forward VNDA-relevant cookies: vnda_cart_id, cart_id, ahoy_visit, ahoy_visitor
  • Strips analytics/tracking cookies (_ga, _fbp, _gcl_au, _hj*, _pin_unauth, etc.) and Cloudflare cookies (__cf_bm, _cfuvid, cf_clearance) that were inflating request headers beyond the 8KB limit, causing RequestHeaderSectionTooLarge errors on checkout

Test plan

  • Test VNDA checkout flow end-to-end (add to cart → checkout → payment)
  • Verify cart persists across page navigations
  • Confirm no RequestHeaderSectionTooLarge errors on /checkout/* routes
  • Test login/account pages (/entrar, /conta) still work

🤖 Generated with Claude Code


Summary by cubic

Filters cookies in the proxy to prevent RequestHeaderSectionTooLarge errors on VNDA checkout. Adds an allowedCookies option and enables it for VNDA to forward only required cookies.

  • Bug Fixes
    • Added allowedCookies prop in website/handlers/proxy.ts to whitelist cookie names.
    • VNDA proxy now forwards only vnda_cart_id, cart_id, ahoy_visit, ahoy_visitor.
    • Strips analytics and Cloudflare cookies to keep request headers under 8KB on /checkout/*.

Written for commit 517d85b. Summary will update on new commits.

Review in cubic

Summary by CodeRabbit

  • Bug Fixes
    • Improved cookie forwarding through proxy requests by only passing along approved cookies.
    • Removed stray cookies from proxied requests when they are not needed, helping reduce unexpected session or auth behavior.

Add allowedCookies option to proxy handler and configure VNDA proxy to
only forward VNDA-relevant cookies (vnda_cart_id, cart_id, ahoy_visit,
ahoy_visitor), stripping analytics/tracking cookies that inflate headers
beyond the 8KB limit.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Tagging Options

Should a new tag be published when this PR is merged?

  • 👍 for Patch 0.158.14 update
  • 🎉 for Minor 0.159.0 update
  • 🚀 for Major 1.0.0 update

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a filterCookies helper and an allowedCookies option to the shared Proxy handler, which restricts forwarded cookies to a specified allow-list. VNDA proxy loaders are updated to define and pass a fixed VNDA_ALLOWED_COOKIES list to both internal-domain and API-domain route configurations.

Changes

Proxy Cookie Filtering

Layer / File(s) Summary
filterCookies helper and Proxy handler wiring
website/handlers/proxy.ts
Adds exported filterCookies(headers, allowed) that filters the cookie header to allowed names, extends Props with optional allowedCookies?: string[], destructures it in Proxy, and applies filterCookies conditionally to outbound headers.
VNDA proxy loader configuration
vnda/loaders/proxy.ts
Defines VNDA_ALLOWED_COOKIES constant and passes allowedCookies: VNDA_ALLOWED_COOKIES to internal-domain (PAGE_PATHS/pagesToProxy) and API-domain (API_PATHS) route handler configurations.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant ProxyHandler
  participant filterCookies
  participant Target

  Client->>ProxyHandler: Request with cookie header
  ProxyHandler->>ProxyHandler: Remove CF headers
  alt allowedCookies provided and non-empty
    ProxyHandler->>filterCookies: filterCookies(headers, allowedCookies)
    filterCookies->>filterCookies: Filter pairs by allowed names
    filterCookies-->>ProxyHandler: Updated or deleted cookie header
  end
  ProxyHandler->>Target: Forward proxied request
Loading

Related PRs: None identified.

Suggested labels: enhancement, proxy, security

Suggested reviewers: None identified.

🐰 A cookie jar with just a few,
Filtered names, allowed and true,
VNDA loaders set the list,
Handlers strip what won't persist,
Crumbs forwarded, safe and few.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description covers the change and test plan, but it omits the required issue link, Loom video, and demonstration link sections. Add the missing Issue Link, Loom Video, and Demonstration Link sections, and align the headings with the repository template.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly names the VNDA cookie-filtering fix and its goal of preventing oversized request headers.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/vnda-proxy-header-size

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@guitavano guitavano merged commit 5ce50fc into main Jul 1, 2026
6 of 7 checks passed
@guitavano guitavano deleted the fix/vnda-proxy-header-size branch July 1, 2026 17:35

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
website/handlers/proxy.ts (1)

152-173: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low value

Cookie filter can be bypassed by customHeaders.

filterCookies runs before the customHeaders loop (Lines 162-173), which unconditionally appends/sets the cookie header from customHeaders entries without re-applying the allowlist. Today VNDA's config doesn't pass a cookie custom header, so there's no live bypass, but the invariant "only allowlisted cookies reach upstream" isn't actually enforced end-to-end — a future config that injects a cookie via customHeaders would silently reintroduce unfiltered cookies. Consider re-applying (or moving) the allowedCookies filter after the customHeaders merge so the guarantee holds regardless of config.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@website/handlers/proxy.ts` around lines 152 - 173, The cookie allowlist in
proxy handling can be bypassed by the customHeaders merge in proxy.ts. Update
the request-building flow in the proxy handler so any cookie introduced through
customHeaders is also passed through the same allowedCookies enforcement, either
by filtering again after the customHeaders loop or by moving the filter to run
after all cookie sources are merged; keep the logic centered around
filterCookies, customHeaders, and the headers cookie handling in the proxy
function.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@website/handlers/proxy.ts`:
- Around line 152-173: The cookie allowlist in proxy handling can be bypassed by
the customHeaders merge in proxy.ts. Update the request-building flow in the
proxy handler so any cookie introduced through customHeaders is also passed
through the same allowedCookies enforcement, either by filtering again after the
customHeaders loop or by moving the filter to run after all cookie sources are
merged; keep the logic centered around filterCookies, customHeaders, and the
headers cookie handling in the proxy function.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d8fd3446-d3a5-4502-b6fe-9e29ddb9853e

📥 Commits

Reviewing files that changed from the base of the PR and between e878c5c and 517d85b.

📒 Files selected for processing (2)
  • vnda/loaders/proxy.ts
  • website/handlers/proxy.ts

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant