truecar / gluestick-shared Goto Github PK

Sometime's it's easy to not return from gsBeforeRute, causing problems. It'd be nice if we can detect this and issue a warning if so.

When a web browser receives set-cookie headers in a response from a server it will store those in a "cookie-jar" and send those cookies, as long as they haven't expired in future requests to that domain. Our httpClient in getHttpClient.js makes a good pass at emulating the basics of a cookie jar but it is lacking some functionality. The reason why this is important is for situations where you make multiple API requests on the server before returning a response to the client. If the second request relies on cookies set by the first request, our httpClient will need to send those cookies in it's request. And so on with a third, fourth, etc… requests.

Things that can be improved:

1. Set-Cookie headers should set cookies per the host settings that a browser would respect. The cookies should only be sent on future requests from a matching domain. Cookies can be set for specific subdomains or they can use a wildcard subdomain. We should follow the same rules.
2. We should respect expiration of cookies.
3. Currently the set-cookie header from a request appears to wipe out any of the previous cookies and go with the newly set cookies. This is undesired behavior, it should "merge" them giving a precedence to the new cookies received by the latest Set-Cookie header.

While doing all of that we also forward "all" of the cookies back to the browser. There is a very realistic warning in getHttpClient that talks about mixing multiple api endpoints with server side requests. Currently, I'm not aware of a great solution for that problem other than suggesting all server side API requests should be to the same location. If you must hit a secondary API server that you do not control, it is best to do that after componentDidMount and let the browser handle that. This last part is only partially related to the cookie jar.

As this is a "shared" library, it likely requires more attention. I suggest we think of adding few test cases here and there, with the recent PR supporting more middlewares being a good candidate.