Bug: Event Handler Response Headers incorrectly handling Set-Cookie values

[nateiler]

Expected Behavior

The current implementation allows a semicolon to delimit multiple header values. However this conflicts with the the syntax used with the set-cookie header with attributes.

Current Behavior

When a cookie is set with attribute syntax it's treated as a separate cookie. This creates incorrect and unwanted cookies.

Code snippet

response.headers.append(
	"Set-Cookie",
	"foo=bar; Max-Age=3600" // This turns into two cookies
);

response.headers.append(
	"Set-Cookie",
	"bar=baz"
);

When the response is returned from the handler, the header parsing produces three 'set-cookie' headers instead of two.

Steps to Reproduce

Create a route similar to this:

router.get("/foo", async () => {
	const response = Response.json({ foo: "bar" });

	response.headers.append(
		"Set-Cookie",
		"foo=bar; Max-Age=3600",
	);

	response.headers.append("Set-Cookie", "bar=baz");

	return response;
});

Possible Solution

It seems getSetCookie() might be a more reliable way to get this multi-value header. In which case we probably want to ignore the set-cookie when looping through the headers

Powertools for AWS Lambda (TypeScript) version

latest

AWS Lambda function runtime

24.x

Packaging format used

npm

Execution logs

[svozza]

Hi @nateiler, thank you for such a thorough bug report! Would you be interested in working on the PR to provide a fix for this?

[nateiler]

Hey @svozza, sure I can help with that.

[svozza]

Brilliant. Much appreciated! I have assigned the issue to you.