Make cookie store web-only

brandonpayton · brandonpayton · commit 5b17006be1ba · 2024-12-26T23:56:22.000-05:00
It is needed on the web where custom Response objects
may not be assigned Set-Cookie headers. Otherwise, cookies
from PHP requests would not be respected.
But a cookie store isn't needed for Playground CLI,
and applying the same cookies to all requests to a CLI-based
server interferes with clients that want to use other
WP auth schemes.
diff --git a/packages/php-wasm/universal/src/lib/php-request-handler.ts b/packages/php-wasm/universal/src/lib/php-request-handler.ts
@@ -15,7 +15,6 @@ import {
 	PHPProcessManager,
 	SpawnedPHP,
 } from './php-process-manager';
-import { HttpCookieStore } from './http-cookie-store';
 import mimeTypes from './mime-types.json';
 
 export type RewriteRule = {
@@ -159,7 +158,6 @@ export class PHPRequestHandler {
 	#HOST: string;
 	#PATHNAME: string;
 	#ABSOLUTE_URL: string;
-	#cookieStore: HttpCookieStore;
 	rewriteRules: RewriteRule[];
 	processManager: PHPProcessManager;
 	getFileNotFoundAction: FileNotFoundGetActionCallback;
@@ -198,7 +196,6 @@ export class PHPRequestHandler {
 				maxPhpInstances: config.maxPhpInstances,
 			});
 		}
-		this.#cookieStore = new HttpCookieStore();
 		this.#DOCROOT = documentRoot;
 
 		const url = new URL(absoluteUrl);
@@ -490,7 +487,6 @@ export class PHPRequestHandler {
 		const headers: Record<string, string> = {
 			host: this.#HOST,
 			...normalizeHeaders(request.headers || {}),
-			cookie: this.#cookieStore.getCookieRequestHeader(),
 		};
 
 		let body = request.body;
@@ -520,9 +516,6 @@ export class PHPRequestHandler {
 				scriptPath,
 				headers,
 			});
-			this.#cookieStore.rememberCookiesFromResponseHeaders(
-				response.headers
-			);
 			return response;
 		} catch (error) {
 			const executionError = error as PHPExecutionFailureError;
diff --git a/packages/php-wasm/web-service-worker/src/utils.ts b/packages/php-wasm/web-service-worker/src/utils.ts
@@ -3,8 +3,12 @@ declare const self: ServiceWorkerGlobalScope;
 
 import { awaitReply, getNextRequestId } from './messaging';
 import { getURLScope, isURLScoped, setURLScope } from '@php-wasm/scopes';
+import { HttpCookieStore } from '@php-wasm/universal';
 
-export async function convertFetchEventToPHPRequest(event: FetchEvent) {
+export async function convertFetchEventToPHPRequest(
+	event: FetchEvent,
+	cookieStore: HttpCookieStore
+) {
 	let url = new URL(event.request.url);
 
 	if (!isURLScoped(url)) {
@@ -22,8 +26,28 @@ export async function convertFetchEventToPHPRequest(event: FetchEvent) {
 			? new Uint8Array(await event.request.clone().arrayBuffer())
 			: undefined;
 	const requestHeaders: Record<string, string> = {};
+
+	let providedCookies = '';
+	// @TODO: Why don't our types properly include Headers#entries()?
 	for (const pair of (event.request.headers as any).entries()) {
-		requestHeaders[pair[0]] = pair[1];
+		const [name, value] = pair as [string, string];
+		if (name.toLowerCase() === 'cookie') {
+			providedCookies = value;
+		} else {
+			requestHeaders[name] = value;
+		}
+	}
+
+	const credentialsAllowed =
+		event.request.credentials === 'include' ||
+		event.request.credentials === 'same-origin';
+	if (credentialsAllowed) {
+		const storedCookies = cookieStore.getCookieRequestHeader();
+		const effectiveCookies = [storedCookies];
+		if (providedCookies) {
+			effectiveCookies.push(providedCookies);
+		}
+		requestHeaders['Cookie'] = effectiveCookies.join('; ');
 	}
 
 	let phpResponse;
@@ -63,6 +87,23 @@ export async function convertFetchEventToPHPRequest(event: FetchEvent) {
 		throw e;
 	}
 
+	/**
+	 * We should not consider Set-Cookie headers unless credentials are allowed.
+	 * From https://fetch.spec.whatwg.org/#concept-request-credentials-mode :
+	 *   > "omit"
+	 *   > Excludes credentials from this request, and causes any credentials
+	 *   > sent back in the response to be ignored.
+	 */
+	if (credentialsAllowed) {
+		// @TODO: Make way to relay non-HttpOnly cookies from PHP to the client.
+		//        Those would be available to client JS in a classic WP setup.
+		cookieStore.rememberCookiesFromResponseHeaders(phpResponse.headers);
+	}
+	// Explicitly remove the Set-Cookie header because:
+	// - The browser is forbidden from relaying it via custom Response objects.
+	// - We can be sure it is not relayed by removing it ourselves.
+	delete phpResponse.headers['set-cookie'];
+
 	/**
 	 * Safari has a bug that prevents Service Workers from redirecting relative URLs.
 	 * When attempting to redirect to a relative URL, the network request will return an error.
diff --git a/packages/playground/remote/service-worker.ts b/packages/playground/remote/service-worker.ts
@@ -102,7 +102,8 @@
 declare const self: ServiceWorkerGlobalScope;
 
 import { getURLScope, isURLScoped, removeURLScope } from '@php-wasm/scopes';
-import { applyRewriteRules } from '@php-wasm/universal';
+// @TODO: Consider moving HttpCookieStore definition to web-specific package.
+import { applyRewriteRules, HttpCookieStore } from '@php-wasm/universal';
 import {
 	awaitReply,
 	convertFetchEventToPHPRequest,
@@ -315,6 +316,11 @@ self.addEventListener('fetch', (event) => {
 	return event.respondWith(cacheFirstFetch(event.request));
 });
 
+// @TODO: Persist these cookie stores for the life of the browser session
+// so Playground can tolerate a service worker being terminated and restarted
+// while the app is in use.
+const scopedCookieStores = new Map<string, HttpCookieStore>();
+
 /**
  * A request to a PHP Worker Thread or to a regular static asset,
  * but initiated by a scoped referer (e.g. fetch() from a block editor iframe).
@@ -326,7 +332,15 @@ async function handleScopedRequest(event: FetchEvent, scope: string) {
 		return emptyHtml();
 	}
 
-	const workerResponse = await convertFetchEventToPHPRequest(event);
+	if (!scopedCookieStores.has(scope)) {
+		scopedCookieStores.set(scope, new HttpCookieStore());
+	}
+	const cookieStore = scopedCookieStores.get(scope) as HttpCookieStore;
+
+	const workerResponse = await convertFetchEventToPHPRequest(
+		event,
+		cookieStore
+	);
 
 	if (
 		workerResponse.status === 404 &&
