Fix cookie JSON parsing by disabling automatic parsing (ENG-6818)

[devin-ai-integration]

Summary

Fixes ENG-6818: Cookie handling bug where JSON-formatted cookie values were being automatically parsed into dictionaries by the universal-cookies library instead of preserved as strings, causing type validation errors in the Reflex backend.

Changes Made

Core Fix

• Modified reflex/.templates/web/utils/state.js: Added true parameter to both cookies.get() calls (lines 794, 796) to disable automatic JSON parsing in the universal-cookies library

Test Coverage

• Added test_json_cookie_values to tests/integration/test_client_storage.py: Comprehensive test cases covering:
  • Dictionary objects serialized as JSON
  • Arrays serialized as JSON
  • Complex nested objects with mixed types
  • JSON with special characters and escaping
  • Empty JSON objects and arrays

Type of Change

• Bug fix (non-breaking change which fixes an issue)

Critical Review Items ⚠️

Environment Issue: Due to uv version mismatch in development environment (requires >=0.7.0, have 0.6.17), I was unable to run tests or pre-commit hooks locally. Human reviewers must verify:

1. Universal-cookies API behavior: Confirm that cookies.get(name, true) actually disables JSON parsing as expected
2. Test execution: Run the new test_json_cookie_values test to ensure it passes
3. Regression testing: Verify existing cookie functionality still works correctly
4. End-to-end validation: Test that the original issue from ENG-6818 is actually resolved

Example of Fixed Issue

Before (broken):

cookie_raw: str = rx.Cookie('{}', name='api_session', same_site='strict')
# Setting: '{"access_token": "test", "expires_in": 3600}'
# Backend receives: {'access_token': 'test', 'expires_in': 3600} (dict)
# Error: Expected str, got dict

After (fixed):

cookie_raw: str = rx.Cookie('{}', name='api_session', same_site='strict')  
# Setting: '{"access_token": "test", "expires_in": 3600}'
# Backend receives: '{"access_token": "test", "expires_in": 3600}' (string)
# ✅ Type validation passes

---

Link to Devin run: https://app.devin.ai/sessions/de4e8b1de1564c53a30ea5f6b7c22d06
Requested by: masen@reflex.dev

Checklist

• Have you followed the guidelines stated in CONTRIBUTING.md file?
• Have you checked to ensure there aren't any other open Pull Requests for the desired changed?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your core changes, as applicable?
• Have you successfully ran tests with your changes locally? (Unable due to environment issue)
• Have you linted your code locally prior to submission? (Unable due to environment issue)
• Does your submission pass the tests? (Needs verification by reviewer)

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[linear]

ENG-6818 Cookie expected str but received dict

[greptile-apps]

Greptile Summary

This PR fixes a critical cookie handling bug in Reflex's client-side state management where JSON-formatted cookie values were being automatically parsed into JavaScript objects by the universal-cookies library instead of preserved as strings, causing type validation errors in the backend.

The core fix modifies the hydrateClientStorage function in reflex/.templates/web/utils/state.js by adding a true parameter to both cookies.get() calls on lines 794 and 796. This second parameter disables automatic JSON parsing in the universal-cookies library, ensuring that JSON strings stored in cookies remain as strings when sent to the Reflex backend. The change integrates seamlessly with the existing client storage hydration process, which reads cookie values and populates the client-side state during app initialization.

To validate the fix, a comprehensive test suite was added to tests/integration/test_client_storage.py with the test_json_cookie_values function. The test covers various JSON scenarios including dictionaries, arrays, nested objects with mixed types, escaped characters, and empty JSON structures to ensure the fix works across all edge cases.

Confidence score: 3/5

• This fix addresses a specific documented bug but requires verification of the universal-cookies API behavior
• The author was unable to test locally due to environment issues, creating uncertainty about actual test execution
• The reflex/.templates/web/utils/state.js file needs careful review as it's part of the core client-side state management system

_{2 files reviewed, 1 comment}

_{Edit Code Review Bot Settings | Greptile}

[codspeed-hq]

CodSpeed Performance Report

Merging #5616 will not alter performance

_{Comparing devin/ENG-6818-1753205581 (f9c585d) with main (7e0a95f)}

Summary

✅ 8 untouched benchmarks