Skip to content

fix: prevent 413 errors because of large org auth cookies#1086

Open
Datron wants to merge 1 commit into
mainfrom
fix-header-too-large
Open

fix: prevent 413 errors because of large org auth cookies#1086
Datron wants to merge 1 commit into
mainfrom
fix-header-too-large

Conversation

@Datron

@Datron Datron commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Problem

For every organisation visited, we add an auth cookie for the realm. Eventually you get a 413 error due to a large cookie header value.

Solution

Remove the oldest org cookie visited

Summary by CodeRabbit

  • New Features

    • Improved organisation sign-in handling by supporting multiple saved organisation cookies with automatic eviction of the oldest entries when the limit is reached.
    • Added better tracking of organisation selection across sessions for smoother switching.
  • Bug Fixes

    • Updated organisation login redirects to keep behavior consistent while managing cookies more reliably.
    • Prevents cookie buildup by removing excess organisation cookies automatically.

@Datron Datron requested a review from a team as a code owner July 8, 2026 07:25
@semanticdiff-com

semanticdiff-com Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review changes with  SemanticDiff

Changed Files
File Status
  crates/service_utils/src/middlewares/auth_n/authentication.rs  23% smaller
  crates/service_utils/src/middlewares/auth_n/oidc/saas_authenticator.rs  0% smaller

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 17b20629-6d06-4ce1-9885-5631682a0046

📥 Commits

Reviewing files that changed from the base of the PR and between 6cdf263 and fd20acd.

📒 Files selected for processing (2)
  • crates/service_utils/src/middlewares/auth_n/authentication.rs
  • crates/service_utils/src/middlewares/auth_n/oidc/saas_authenticator.rs

Walkthrough

This PR introduces a shared add_org_cookie_with_eviction helper in authentication.rs that manages multiple per-org cookies with an eviction policy capped at MAX_ORG_COOKIES, tracked via an orgs_order cookie. Both switch_organisation and the SaaS OIDC get_org_user flow are updated to use this helper instead of constructing cookies inline.

Changes

Org Cookie Eviction

Layer / File(s) Summary
Org cookie eviction helper
crates/service_utils/src/middlewares/auth_n/authentication.rs
Adds MAX_ORG_COOKIES and cookie-name constants, parses org cookie IDs from the Cookie header, tracks an orgs_order cookie, and evicts oldest org cookies via add_org_cookie_with_eviction.
switch_organisation integration
crates/service_utils/src/middlewares/auth_n/authentication.rs
Updates the req parameter lifetime to &'a HttpRequest and replaces manual cookie construction with add_org_cookie_with_eviction, preserving the redirect via LOCATION header.
SaaS OIDC authenticator integration
crates/service_utils/src/middlewares/auth_n/oidc/saas_authenticator.rs
Removes direct Cookie/Duration imports and inline cookie construction in get_org_user, routing cookie creation through add_org_cookie_with_eviction while preserving the Found redirect.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant Authenticator
  participant SaasAuthenticator
  participant CookieHelper as add_org_cookie_with_eviction

  Client->>Authenticator: switch_organisation(req, path)
  Authenticator->>CookieHelper: add_org_cookie_with_eviction(req, login_type, token, path, builder)
  CookieHelper->>CookieHelper: parse orgs_order cookie, evict oldest if over MAX_ORG_COOKIES
  CookieHelper-->>Authenticator: updated HttpResponseBuilder
  Authenticator-->>Client: HttpResponse with Location header

  Client->>SaasAuthenticator: get_org_user(request)
  SaasAuthenticator->>CookieHelper: add_org_cookie_with_eviction(request, login_type, token, path, builder)
  CookieHelper-->>SaasAuthenticator: updated HttpResponseBuilder
  SaasAuthenticator-->>Client: HttpResponse::Found with Location header
Loading

Poem

A rabbit hops from org to org so free,
No cookie jar too cluttered now, you see!
Oldest crumbs get swept away,
The freshest token gets to stay,
One helper function, tidy as can be. 🐇🍪

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the PR’s main fix: evicting old org auth cookies to prevent oversized cookie headers and 413 errors.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix-header-too-large

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sauraww

sauraww commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

@Datron Can we decline this PR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants