
fix(vtex): parse Max-Age and Expires in Set-Cookie parser #8

Open
vibe-dex wants to merge 1 commit into main from fix/cookie-parser-max-age-expires

@vibe-dex vibe-dex commented Mar 24, 2026

Summary

  • parseSingleSetCookie in vtex/utils/cookies.ts was silently dropping Max-Age and Expires attributes when parsing Set-Cookie headers. This caused proxySetCookie (which parses then rebuilds cookies via setCookie()) to produce headers without expiration info, breaking logout flows where VTEX sends Max-Age=0 to expire auth cookies.
  • Also fixes the attribute value splitting: attr.split("=") breaks on Expires date values that contain commas and other characters. Now uses attr.indexOf("=") for first-occurrence split.

Note: The casaevideo-storefront currently works around this with proxySetCookieRaw (raw string replacement), but this fix is needed for correctness in apps-start itself and for other consumers of proxySetCookie.

Test plan

  • Verify parseSingleSetCookie correctly parses Max-Age=0 from a logout Set-Cookie
  • Verify parseSingleSetCookie correctly parses Expires=Thu, 01 Jan 1970 00:00:00 GMT
  • Verify setCookie round-trips Max-Age and Expires correctly after parsing
  • Verify existing cookie parsing (Domain, Path, Secure, HttpOnly, SameSite) still works

Made with Cursor


Summary by cubic

Fixes the VTEX Set-Cookie parser to keep Max-Age and Expires so cookies retain expiration info and logout flows work correctly. Also makes attribute parsing robust by splitting on the first "=" only.

  • Bug Fixes
    • Parse Max-Age and Expires in parseSingleSetCookie, enabling proper round-tripping through proxySetCookie and setCookie.
    • Replace attr.split("=") with first-occurrence split to handle Expires date values with commas and spaces.

Written for commit d706b79. Summary will update on new commits.

parseSingleSetCookie was silently dropping Max-Age and Expires
attributes. This caused proxySetCookie to rebuild Set-Cookie headers
without expiration info, breaking logout (VTEX sends Max-Age=0 to
expire auth cookies) and any deletion flow.

Also fixes attr.split("=") which breaks on Expires date values
containing "=" — now uses indexOf for first-occurrence split.

Made-with: Cursor

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="vtex/utils/cookies.ts">

<violation number="1" location="vtex/utils/cookies.ts:34">
P1: `Max-Age` parsing treats an empty/missing value as `0` (`Number("")`), which can incorrectly expire cookies. Validate that the value is present and numeric before assigning `cookie.maxAge`.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

else if (lower === "samesite") cookie.sameSite = v as Cookie["sameSite"];
else if (lower === "max-age") {
const n = Number(v);
if (!Number.isNaN(n)) cookie.maxAge = n;

@cubic-dev-ai cubic-dev-ai bot Mar 24, 2026


P1: Max-Age parsing treats an empty/missing value as 0 (Number("")), which can incorrectly expire cookies. Validate that the value is present and numeric before assigning cookie.maxAge.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At vtex/utils/cookies.ts, line 34:

<comment>`Max-Age` parsing treats an empty/missing value as `0` (`Number("")`), which can incorrectly expire cookies. Validate that the value is present and numeric before assigning `cookie.maxAge`.</comment>

<file context>
@@ -20,13 +20,22 @@ function parseSingleSetCookie(raw: string): Cookie | null {
 		else if (lower === "samesite") cookie.sameSite = v as Cookie["sameSite"];
+		else if (lower === "max-age") {
+			const n = Number(v);
+			if (!Number.isNaN(n)) cookie.maxAge = n;
+		} else if (lower === "expires") {
+			const d = new Date(v);
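Review bot: In the max-age branch, `Number(v)` guarded only by `Number.isNaN` accepts more than the Set-Cookie grammar allows: "1e3", "0x10", "1.5" and "Infinity" all convert to a number, and an empty or whitespace-only string converts to 0, which expires the cookie. RFC 6265 section 5.2.2 says a Max-Age value that is not an optional "-" followed by digits must be ignored, so test the string before converting, for example `if (/^-?\d+$/.test(v)) cookie.maxAge = Number(v);`. In the expires branch, `new Date(v)` needs a validity check such as `!Number.isNaN(d.getTime())` before assignment; the lines after it are not visible in this context, so confirm that check is there.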
</file context>
Suggested change
if (!Number.isNaN(n)) cookie.maxAge = n;
if (v !== "" && Number.isInteger(n)) cookie.maxAge = n;
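
The parsing behaviour discussed in the PR description and the review comment above, as an added example that is not the code in vtex/utils/cookies.ts: a first-occurrence split on "=" plus a strict Max-Age check following RFC 6265 section 5.2.2. `ParsedCookie`, `splitFirst` and `parseSetCookieLine` are hypothetical names, and the sample headers are constructed.

```typescript
// Added example: not the code in vtex/utils/cookies.ts. ParsedCookie,
// splitFirst and parseSetCookieLine are hypothetical names.
interface ParsedCookie {
  name: string;
  value: string;
  maxAge?: number;
  expires?: Date;
  path?: string;
  secure?: boolean;
  httpOnly?: boolean;
}

// Split on the first "=" only; a missing "=" yields an undefined value.
function splitFirst(s: string): [string, string | undefined] {
  const i = s.indexOf("=");
  if (i === -1) return [s.trim(), undefined];
  return [s.slice(0, i).trim(), s.slice(i + 1).trim()];
}

function parseSetCookieLine(raw: string): ParsedCookie | null {
  const parts = raw.split(";");
  const [name, value] = splitFirst(parts[0] ?? "");
  if (name === "" || value === undefined) return null;
  const cookie: ParsedCookie = { name, value };
  for (const attr of parts.slice(1)) {
    const [key, v] = splitFirst(attr);
    const lower = key.toLowerCase();
    if (lower === "max-age") {
      // RFC 6265 5.2.2: an optional "-" then digits is valid; ignore anything else.
      // Number("") and Number(" ") are both 0, so Number() alone is not a check.
      if (v !== undefined && /^-?\d+$/.test(v)) cookie.maxAge = Number(v);
    } else if (lower === "expires") {
      const d = v ? new Date(v) : null;
      if (d !== null && !isNaN(d.getTime())) cookie.expires = d;
    } else if (lower === "path" && v) cookie.path = v;
    else if (lower === "secure") cookie.secure = true;
    else if (lower === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Constructed sample headers (not captured from VTEX traffic).
const logoutCookie = parseSetCookieLine("auth_token=; Max-Age=0; Path=/; Secure; HttpOnly");
const emptyMaxAgeCookie = parseSetCookieLine("sid=abc; Max-Age=; Path=/");
const expiredCookie = parseSetCookieLine("sid=a=b==; Expires=Thu, 01 Jan 1970 00:00:00 GMT");
```

The logout header keeps `maxAge === 0`, while the empty `Max-Age=` leaves `maxAge` unset, so a rebuilt header would not expire the cookie by accident.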