HttpHeaders class discards multiple 'Set-Cookie' headers #57798
Description
Which @angular/* package(s) are the source of the bug?
core
Is this a regression?
No
Description
When a valid HTTP response with multiple "Set-Cookie" headers is resolved by HTTPClient, only one of the headers will be defined in response.headers
Here's a simple reproduction:
const init: HeadersInit = [
['Set-Cookie', 'cookie1=foo'],
['Set-Cookie', 'cookie2=bar'],
];
const headers = new Headers(init);
const httpHeaders = new HttpHeaders(headers);
httpHeaders.getAll('set-cookie') // returns [ 'cookie2=bar' ]
The problem occurs line line 257 of packages/common/http/src/headers.ts. There is no check for an existing header with the same key before the line
this.headers.set(key, headerValues);
My interpretation is that this is a valid way to use the Set-Cookie header, due to the method getSetCookie() existing on the Headers API (https://developer.mozilla.org/en-US/docs/Web/API/Headers/getSetCookie)
The use case for this is an interceptor on the server side that acts as a proxy for cookies between the user and an API
export const headersInterceptor: HttpInterceptorFn = (
req: HttpRequest<unknown>,
next: HttpHandlerFn
): Observable<HttpEvent<unknown>> => {
const request = inject(REQUEST, { optional: true });
const response = inject(RESPONSE, { optional: true });
const environment = inject(ENVIRONMENT);
//? SSR Should forward cookies from the original request.
if (request?.headers.cookie && req.url.startsWith(environment.apiUrl)) {
req = req.clone({
setHeaders: {
cookie: request.headers.cookie,
},
});
}
return next(req).pipe(
tap((res) => {
//? SSR Should forward Set-Cookie headers to the client
if (
response &&
res.type == HttpEventType.Response &&
res.headers.get("set-cookie") &&
req.url.startsWith(environment.apiUrl)
) {
response.setHeader(
"set-cookie",
res.headers.getAll("set-cookie") || []
);
}
})
);
};
Please provide a link to a minimal reproduction of the bug
No response
Please provide the exception or error you saw
No response
Please provide the environment you discovered this bug in (run ng version)
Angular CLI: 18.1.3
Node: 20.9.0
Package Manager: npm 10.1.0
OS: darwin arm64
Angular: 18.1.3
... animations, cdk, cli, common, compiler, compiler-cli, core
... forms, platform-browser, platform-browser-dynamic
... platform-server, router, ssr
Package Version
---------------------------------------------------------
@angular-devkit/architect 0.1801.3
@angular-devkit/build-angular 18.1.3
@angular-devkit/core 18.1.3
@angular-devkit/schematics 18.1.3
@schematics/angular 18.1.3
rxjs 6.6.7
typescript 5.4.5
zone.js 0.14.10
Anything else?
No response