Skip to content

Fix cookie JSON parsing by disabling automatic parsing (ENG-6818)#5616

Merged
masenf merged 11 commits into
mainfrom
devin/ENG-6818-1753205581
Jul 22, 2025
Merged

Fix cookie JSON parsing by disabling automatic parsing (ENG-6818)#5616
masenf merged 11 commits into
mainfrom
devin/ENG-6818-1753205581

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Jul 22, 2025
edited by masenf
Loading

Copy link
Copy Markdown
Contributor

Summary

Fixes ENG-6818: Cookie handling bug where JSON-formatted cookie values were being automatically parsed into dictionaries by the universal-cookies library instead of preserved as strings, causing type validation errors in the Reflex backend.

Changes Made

Core Fix

  • Modified reflex/.templates/web/utils/state.js: Added true parameter to both cookies.get() calls (lines 794, 796) to disable automatic JSON parsing in the universal-cookies library

Test Coverage

  • Added test_json_cookie_values to tests/integration/test_client_storage.py: Comprehensive test cases covering:
    • Dictionary objects serialized as JSON
    • Arrays serialized as JSON
    • Complex nested objects with mixed types
    • JSON with special characters and escaping
    • Empty JSON objects and arrays

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

Critical Review Items ⚠️

Environment Issue: Due to uv version mismatch in development environment (requires >=0.7.0, have 0.6.17), I was unable to run tests or pre-commit hooks locally. Human reviewers must verify:

  1. Universal-cookies API behavior: Confirm that cookies.get(name, true) actually disables JSON parsing as expected
  2. Test execution: Run the new test_json_cookie_values test to ensure it passes
  3. Regression testing: Verify existing cookie functionality still works correctly
  4. End-to-end validation: Test that the original issue from ENG-6818 is actually resolved

Example of Fixed Issue

Before (broken):

cookie_raw: str = rx.Cookie('{}', name='api_session', same_site='strict')
# Setting: '{"access_token": "test", "expires_in": 3600}'
# Backend receives: {'access_token': 'test', 'expires_in': 3600} (dict)
# Error: Expected str, got dict

After (fixed):

cookie_raw: str = rx.Cookie('{}', name='api_session', same_site='strict')  
# Setting: '{"access_token": "test", "expires_in": 3600}'
# Backend receives: '{"access_token": "test", "expires_in": 3600}' (string)
# ✅ Type validation passes

Link to Devin run: https://app.devin.ai/sessions/de4e8b1de1564c53a30ea5f6b7c22d06
Requested by: masen@reflex.dev

Checklist

  • Have you followed the guidelines stated in CONTRIBUTING.md file?
  • Have you checked to ensure there aren't any other open Pull Requests for the desired changed?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you successfully ran tests with your changes locally? (Unable due to environment issue)
  • Have you linted your code locally prior to submission? (Unable due to environment issue)
  • Does your submission pass the tests? (Needs verification by reviewer)

@devin-ai-integration @masenf
Fix cookie JSON parsing by disabling automatic parsing
ca89b93 
- Add true parameter to cookies.get() calls in state.js to prevent
  universal-cookies from automatically parsing JSON strings
- Add comprehensive integration tests for JSON cookie values including:
  - Dictionary objects serialized as JSON
  - Arrays serialized as JSON
  - Complex nested objects
  - JSON with special characters and escaping
  - Empty JSON objects and arrays

Fixes ENG-6818: Cookie handling bug where JSON-formatted values
were being parsed into dictionaries instead of preserved as strings

Co-Authored-By: masen@reflex.dev <masen@reflex.dev>
@devin-ai-integration

devin-ai-integration Bot commented Jul 22, 2025

Copy link
Copy Markdown
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@linear

linear Bot commented Jul 22, 2025

Copy link
Copy Markdown

ENG-6818 Cookie expected str but received dict

greptile-apps[bot]
greptile-apps Bot reviewed Jul 22, 2025
View reviewed changes

@greptile-apps greptile-apps Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Greptile Summary

This PR fixes a critical cookie handling bug in Reflex's client-side state management where JSON-formatted cookie values were being automatically parsed into JavaScript objects by the universal-cookies library instead of preserved as strings, causing type validation errors in the backend.

The core fix modifies the hydrateClientStorage function in reflex/.templates/web/utils/state.js by adding a true parameter to both cookies.get() calls on lines 794 and 796. This second parameter disables automatic JSON parsing in the universal-cookies library, ensuring that JSON strings stored in cookies remain as strings when sent to the Reflex backend. The change integrates seamlessly with the existing client storage hydration process, which reads cookie values and populates the client-side state during app initialization.

To validate the fix, a comprehensive test suite was added to tests/integration/test_client_storage.py with the test_json_cookie_values function. The test covers various JSON scenarios including dictionaries, arrays, nested objects with mixed types, escaped characters, and empty JSON structures to ensure the fix works across all edge cases.

Confidence score: 3/5

  • This fix addresses a specific documented bug but requires verification of the universal-cookies API behavior
  • The author was unable to test locally due to environment issues, creating uncertainty about actual test execution
  • The reflex/.templates/web/utils/state.js file needs careful review as it's part of the core client-side state management system

2 files reviewed, 1 comment

Edit Code Review Bot Settings | Greptile

Comment thread reflex/.templates/web/utils/state.js Outdated
@codspeed-hq

codspeed-hq Bot commented Jul 22, 2025
edited
Loading

Copy link
Copy Markdown

CodSpeed Performance Report

Merging #5616 will not alter performance

Comparing devin/ENG-6818-1753205581 (f9c585d) with main (7e0a95f)

Summary

✅ 8 untouched benchmarks

devin-ai-integration Bot and others added 5 commits July 22, 2025 17:43
@devin-ai-integration @masenf
Fix pre-commit formatting issues in JSON cookie tests
061fdef 
- Wrap long JSON string with escapes to meet line length requirements
- Use consistent double quotes for empty JSON strings
- Apply formatting changes as required by pre-commit hooks

Co-Authored-By: masen@reflex.dev <masen@reflex.dev>
@masenf @greptile-apps
Update reflex/.templates/web/utils/state.js
22d9bb3 
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@devin-ai-integration @masenf
Remove unused token variable from JSON cookie test
577de2d 
- Fix pre-commit ruff check failure F841 (unused variable)
- The test doesn't require authentication to verify JSON string preservation

Co-Authored-By: masen@reflex.dev <masen@reflex.dev>
@devin-ai-integration @masenf
Fix timing issue in JSON cookie test by adding poll_for_token call
629c203 
- Add back poll_for_token() call before accessing DOM elements
- Follows the same pattern as the existing working test
- Ensures app is fully loaded before test execution

Co-Authored-By: masen@reflex.dev <masen@reflex.dev>
@masenf
Update test_client_storage.py
deee031
masenf
masenf requested changes Jul 22, 2025
View reviewed changes
Comment thread tests/integration/test_client_storage.py Outdated
devin-ai-integration Bot and others added 2 commits July 22, 2025 18:27
@devin-ai-integration @masenf
Add browser refresh to JSON cookie test to trigger hydration bug
17e008e 
- Refresh browser after setting each JSON cookie value
- Re-acquire DOM elements after refresh to test cookie hydration
- Ensures test properly exercises the universal-cookies JSON parsing bug
- Addresses feedback from masenf to test the actual bug scenario

Co-Authored-By: masen@reflex.dev <masen@reflex.dev>
@devin-ai-integration @masenf
Fix pre-commit formatting issues in JSON cookie test
1e69d36 
- Remove trailing whitespace from empty lines
- Address ruff formatting requirements for browser refresh test enhancement

Co-Authored-By: masen@reflex.dev <masen@reflex.dev>
masenf
masenf requested changes Jul 22, 2025
View reviewed changes
Comment thread tests/integration/test_client_storage.py Outdated
devin-ai-integration Bot and others added 3 commits July 22, 2025 18:36
@devin-ai-integration @masenf
Refactor JSON cookie test to eliminate code duplication
4f1e98a 
- Create helper function test_json_cookie_with_refresh() as requested by masenf
- Encapsulates full test cycle: poll token, get element, set value, assert, refresh, poll token, assert
- Reduces test from ~60 lines of duplicated logic to ~20 lines using helper function
- Maintains identical functionality and test coverage
- Addresses GitHub comment feedback for cleaner code organization

Co-Authored-By: masen@reflex.dev <masen@reflex.dev>
@masenf
Fix it properly Anna Maria, with breadcrumbs
fcaf617
@masenf
Yeeeah, I want it that way 🕺
f9c585d
@masenf masenf merged commit 0c40fdd into main Jul 22, 2025
40 of 41 checks passed
@masenf masenf deleted the devin/ENG-6818-1753205581 branch July 22, 2025 19:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@masenf masenf masenf approved these changes

@adhami3310 adhami3310 adhami3310 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@masenf @adhami3310