Describe the problem
Long cookie values are not being chunked to a size below 4096 bytes starting at version 2.5.0. I have put together a POC with an existing Auth0 tenant and application, and I am noticing this behavior after upgrading the lib to v2.5.0 from 2.4.0. It seems that the chunking algorithm is not correctly ensuring that cookie values are less than 4096 bytes. I haven't had time to look into the source code too much; my initial guess is that maybe the algorithm isn't taking into account other cookie attributes such as HttpOnly or SameSite when calculating chunk size? The PR where this was introduced (#237) seems to be targeting this scenario, but I am not seeing correct behavior.
What was the expected behavior?
I expected the same behavior as < v2.5.0, where the cookie would be chunked into name.0, name.1, ... and each cookie value would be guaranteed to be less than the size limit. I am seeing that the name.0 cookie value is 4104 bytes long. This difference of 8 bytes is causing Chrome to reject the Set-Cookie header. This difference of 8 correlates with the Path=/; attribute... that might be the issue?
Reproduction
I can't provide a sample app at this time, but I imagine any of your example snippets would work. The key is to make sure the token is large enough to require chunking. I think the easiest way to do this is to inject the token with bloated custom claims with an Auth0 rule.
Here is the configuration I am using for the library:
Here are the response headers showing the error. I have redacted random bits from the token in an abundance of caution :)
Environment
Version 2.5.0
Node.js and Express; no other frameworks should be interfering, as far as I can tell.