core: added capability to pass cookies as CLI parameter

[RynatSibahatau]

Summary

This feature adds the capability to pass cookies as a CLI parameter.

The current proposed approach to use "--extra-headers" parameter for setting cookies has a drawback for a wide range of enterprise applications that operates with the cookies (ex. authentication, localization, etc.).
Any Set-Cookie response from backend overwrites the Cookie header from extra-headers.
It introduces extra complexity of using lighthouse on CI in pure CLI mode (i.e without Puppeteer).
The fix intended to remove this complexity.

• lighthouse http://localhost/ --extra-headers "{\"Cookie\":\"test=true\"}"
  Request header: Cookie: test=true
  Response header: Set-Cookie: locale=en;

• All subsequent requests headers:
  Actual request headers : Cookie: locale=en
  Expected request headers: Cookie: test=true; locale=en

After merging this PR the following command introduced expected behaviour for cookies:

lighthouse http://localhost/ --extra-cookies "[{\"name\":\"test\", \"value\": \"true\", \"url\": \"http://localhost\"}]"

Links:
#6207 (comment)

Related Issues/PRs

fixes #6207

[patrickhulce]

Thanks very much for picking this up @RynatSibahatau! I left some comments but before we tackle those...

@brendankenny @hoten any thoughts or major changes you would want to propose for this? Linked issue has a tad more discussion but I know you've been playing around with some auth techniques so wanted to get your say on this before going any further.

[patrickhulce]

seems like you mean to use the cookies one instead?

[RynatSibahatau]

Fixed by f4e0a49

[patrickhulce]

this file is for our smoketests, we'll want to make sure we add a smoketest that exercises this functionality which is probably going to be tricky...

maybe hold off on this step until we get buy-in from rest of LH team for this feature to work this way?

[brendankenny]

any reason to keep the changes to this file?

[patrickhulce]

oh @RynatSibahatau think you could add a smoketest exercising this and our cookies logic?

[brendankenny]

oh @RynatSibahatau think you could add a smoketest exercising this and our cookies logic?

isn't that going to be kind of hard, @patrickhulce? What would we be testing, exactly?

[patrickhulce]

I was thinking a page has a link or something that contains the contents of the cookies and it gets picked up by the anchor elements artifact we can assert

[patrickhulce]

AFAIK when the domain/url/path isn't set it will just use the existing target, because we're running this before we've navigated to the page I'm guessing the common case won't actually send the headers

[brendankenny]

good catch.

Are we going to entirely defer to the cookie definition for when they're included, e.g. for redirects to different origins, third-party iframes, etc? That format will definitely need to be documented, and it seems like it's going to be a huge pain trying to debug when something goes wrong, but I guess maybe folks are already used to that with other tools doing similar things?

What does WebPageTest do for setting cookies?

[RynatSibahatau]

As far as I remember it is executed on "about:blank" page. This is why it is not really set anything, if not specifying either domain or URL. This another +1 for the bigger JSON structure.

[RynatSibahatau]

Are we going to entirely defer to the cookie definition for when they're included, e.g. for redirects to different origins, third-party iframes, etc? That format will definitely need to be documented, and it seems like it's going to be a huge pain trying to debug when something goes wrong, but I guess maybe folks are already used to that with other tools doing similar things?

What does WebPageTest do for setting cookies?

I would assume we should rely on browser behavior for the session. A cookie is just a can-opener to test page usability under the specific conditions:

• authorize access to content
• allow access to CDN images
• local show locale-specific content
• perform sticky session
• canary routing for CI

I don't think LH is intended to use like E2E test which might need any specific cookie handling between the tests.

[patrickhulce]

@RynatSibahatau WDYT about asserting that we have either a url or domain on all the cookies here?

[patrickhulce]

major bummer that we'll have a second one of these before we fix the first, this will also actually run into problems with the config-based CLI flags approach.

maybe we could at least extract this to a function to share between the two?

[brendankenny]

major bummer that we'll have a second one of these before we fix the first, this will also actually run into problems with the config-based CLI flags approach.

Yes, definitely, this shouldn't be done a second time :) The TODO even lists how to fix:

either the CLI flag or the setting should have a different name.

[patrickhulce]

well that's the partial fix for the path problem, unless I'm misunderstanding?

there's not really an obvious fix I see for the "this thing is a complex object that can't be represented by yargs that we want to JSON.parse from the CLI but just use from node", --cookies-json-string I guess but that feels 🤢

[RynatSibahatau]

@brendankenny @patrickhulce I am not pretty sure which fix is required here, as I am Java developer. I assume yargs can't provide you correctly typed JSON value out of the box.

[patrickhulce]

You're right on that point @RynatSibahatau! The best we can do and what the comment suggests is that the property name should just be different for the yargs string version.

@brendankenny thoughts on extraCookiesJsonString for yargs and extraCookies for regular? (or we nix the extra prefix entirely I think was your last suggestion?)

[patrickhulce]

bump on this @brendankenny

[brendankenny]

we could do --cookies for the flag (on the CliFlags interface) and extraCookies for the setting (on SharedFlagsSettings). Or --cookies-string and cookies.

Whatever it is, we should absolutely use this pattern. It's awkward, but most folks won't really care what the flag is (shortish is probably better, though), and the TODOs that have propagated from this point can only be removed in the future by doing this, so might as well do it before landing :)

[patrickhulce]

I vote --cookies-string and --cookies then! 👍

[connorjclark]

1. I'm afraid I don't understand why the cookies are an array. Could you explain that? (I'm not well-versed with cookies).

2. I'm curious if we want to support the "load as file" behavior here. Do we have any other flags that support the value -> fallback to path? Does your use case absolutely require this (could you just read the contents from disk before calling making the command?)

3. Is using a JSON format natural here? In JS, it makes sense, but do other tools that handle cookies commonly use JSON over the key=value <space> pairs?

[RynatSibahatau]

1. I'm afraid I don't understand why the cookies are an array. Could you explain that? (I'm not well-versed with cookies).

[RS] It is an array of objects because a cookie is not just a key/value pairs, but also have a big set of parameters (https://github.com/chromedp/cdproto/blob/master/network/network.go#L734). In the underlying protocol, it is also array https://github.com/chromedp/cdproto/blob/master/network/network.go#L825
The pretty valid case to have same cookie name, but with different values for different paths (a signed cookie as an example here: https://cloudinary.com/blog/protecting_images_and_videos_via_cookie_based_authentication)

2. I'm curious if we want to support the "load as file" behavior here. Do we have any other flags that support the value -> fallback to path? Does your use case absolutely require this (could you just read the contents from disk before calling making the command?)

[RS] LH already has one for headers. Here content might be even bigger. I decided to keep the same behavior. My use case doesn't require this. I am going to pass it via the command line.

3. Is using a JSON format natural here? In JS, it makes sense, but do other tools that handle cookies commonly use JSON over the key=value <space> pairs?

[RS] As I mentioned in the first answer it is not a key/value, so if we want to cover all possible use cases it is better to follow with JSON. Also, it avoids extra massaging for passing it. SetHeaders also uses JSON. And JSON is natural for a node language, LH is written on.

[connorjclark]

Thanks for educating me @RynatSibahatau! LGTM.

[brendankenny]

the general approach seems useful, my big questions:

• do we really want to tie ourselves to the protocol's format? It's not necessarily the best or most explicable. On the other hand, it offers a lot of flexibility.
• can we use a different flag name? I dislike "extra headers" ("extra to what?" is a whole explanation that's not needed for 95% of use cases). --cookies seems fine to me, if others are ok with that

[brendankenny]

major bummer that we'll have a second one of these before we fix the first, this will also actually run into problems with the config-based CLI flags approach.

Yes, definitely, this shouldn't be done a second time :) The TODO even lists how to fix:

either the CLI flag or the setting should have a different name.

[brendankenny]

yeah, I agree with @hoten that the ambiguity in the overloading of the flag is not worth it (can use the new --cli-flags-path if want to read from file!), but I do see we have it for --extra-headers already.

It would be nice to not include it by default and then consider adding it in the future if there's demand

[RynatSibahatau]

--cli-flags-path approach looks good for me, I would agree we can avoid this dualism here for cookies. Should I remove it for the headers as well as part of the PR?
If there are no other major concerns for merging the PR. I can start implementing this.

[patrickhulce]

I would love to remove it from headers but that'd be a major breaking change. Added it to our new list for next major version :) #9180

[RynatSibahatau]

I have removed the capability to load cookie from file with the same parameter
1677a37

[brendankenny]

good catch.

Are we going to entirely defer to the cookie definition for when they're included, e.g. for redirects to different origins, third-party iframes, etc? That format will definitely need to be documented, and it seems like it's going to be a huge pain trying to debug when something goes wrong, but I guess maybe folks are already used to that with other tools doing similar things?

What does WebPageTest do for setting cookies?

[brendankenny]

What does WebPageTest do for setting cookies?

looks like it's

usage: setCookie	<path>	<value>
example: setCookie	http://www.aol.com	zip=20166
example: setCookie	http://www.aol.com	TestData = Test; expires = Sat,01-Jan-2000 00:00:00 GMT

<path> - Path where the cookie should be used/stored
<value> - Cookie value (if expiration information isn't included it will be stored as a session cookie)

https://sites.google.com/a/webpagetest.org/docs/using-webpagetest/scripting#TOC-setCookie

[patrickhulce]

I agree with @RynatSibahatau that the JSON format for setting cookies offers an insane upgrade to dev experience compared to cookie strings. They are the bane of frontend network experience and there's no reason for us to prolong that pain here. I think the default case needs to be a bit streamlined though, i.e. we default the domain to the domain of the target page instead of being a noop on about:blank.

[brendankenny]

the JSON format for setting cookies offers an insane upgrade to dev experience compared to cookie strings

hmm:

--extra-cookies "[{\\"name\\":\\"session_id\\",\\"value\\":\\"x-men\\" }]"

:P

[patrickhulce]

@brendankenny oh puh-lease it's not like any sufficiently complicated setup requiring cookies would actually involve manually typing the cookies JSON. conversely, for a sufficiently complicated cookies setup automatically crafting the cookies string is a giant headache

[brendankenny]

I agree with @RynatSibahatau that the JSON format for setting cookies offers an insane upgrade to dev experience compared to cookie strings. They are the bane of frontend network experience and there's no reason for us to prolong that pain here.

I can totally buy this and I'll defer to you on the point, I just wanted to bring up the existing alternatives (the devil a developer knows can often beat better ergonomics or whatever) and the fact that probably at no point was Network.setCookie designed to optimize said ergonomics :)

At the very least the url/path/domain interactions are confusing and probably only documented in the chrome internals.

I think the default case needs to be a bit streamlined though, i.e. we default the domain to the domain of the target page instead of being a noop on about:blank.

This comes back to the issue of what to do with redirects, iframes, etc. We'll have to be able to declare which one is the domain.

[patrickhulce]

probably only documented in the chrome internals.

All the properties other than URL AFAICT are just the same properties developers should already be familiar with and would try to set with regular cookie syntax anyhoo (and URL just defaults the other properties like secure and domain don't ask why they didn't default path too 😆 )

https://cs.chromium.org/chromium/src/content/browser/devtools/protocol/network_handler.cc?type=cs&sq=package:chromium&g=0&l=417

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

This comes back to the issue of what to do with redirects, iframes, etc. We'll have to be able to declare which one is the domain.

Very true. All we have to go on at this point in execution though is the provided URL since we'll need to send that request with the cookie. I think we solve this by just documenting. Maybe we need to warn if there were cookies set but there was a redirect?

[RynatSibahatau]

Suggested change

	}
	if (!Array.isArray(cliFlags.extraCookies)) {
	throw new Error('Not a valid JSON array');
	}
	cliFlags.extraCookies.forEach(key => {
	const cookie = cliFlags.extraCookies[key];
	if (! cookie.url || ! cookie.domain) {
	// Default it to the domain value
	cookie.url = url;
	}
	});
	}

[RynatSibahatau]

I can suggest this extra check and defaulting for the URL to avoid no-op

[patrickhulce]

this is a good idea @RynatSibahatau! I think we would want this in lighthouse-core/ though so node users get this defaulting benefit too

[RynatSibahatau]

@patrickhulce Could you take a look 074eee1?

[patrickhulce]

that's exactly what I was hoping for! thanks!

[RynatSibahatau]

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this state. It's up to you to confirm consent of all the commit author(s), set the cla label to yes (if enabled on your project), and then merge this pull request when appropriate.

ℹ️ Googlers: Go here for more info.

Am I right that you will be able to fix this on your side manually on merge?
I belive emails from the commit below for recommended chages, breaks CLA consent validation:

commit 72c9272
Author: RynatSibahatau [email protected]
Date: Mon Jun 10 17:11:20 2019 -0400

Apply suggestions from code review

Co-Authored-By: Patrick Hulce <[email protected]>

[brendankenny]

any reason to keep the changes to this file?

[brendankenny]

we could do --cookies for the flag (on the CliFlags interface) and extraCookies for the setting (on SharedFlagsSettings). Or --cookies-string and cookies.

Whatever it is, we should absolutely use this pattern. It's awkward, but most folks won't really care what the flag is (shortish is probably better, though), and the TODOs that have propagated from this point can only be removed in the future by doing this, so might as well do it before landing :)

[mariuspahontu]

Hey guys,

Do you have any updates on this PR (when it will be merged into master)?

I want to let you know that, regarding the functionality, I'm using a fork of @RynatSibahatau's branch for my project and the cookies are correctly set when using the "--extra-cookies" CLI parameter.

Thanks,
Marius

[patrickhulce]

The evidence in #6207 (comment) suggests that the --extra-headers={cookie: 'foo'} approach has the extra cookies just totally ignored if there's other cookies set rather than overriding the existing cookies which we believed to be the case at the beginning of this.

Perhaps this suggests not doing any new flag but instead parsing the cookie header and setting those cookies sort of like @brendankenny was suggesting?

[kkdev163]

Thanks for your works.

This pipeline has already continued for 2 months, I don't know how long we still need to wait, so I manually copied the code of @RynatSibahatau into my forked repo, and then I push a commit called 'manually merge pr #9170'. If this action is illegal, please tell me, I will delete my forked repo soon.

In my test, I found two bugs, I will comment below:

[kkdev163]

Need handle JSON file, because the readme.md has this usecase.

let extraCookiesStr = /** @type {string} */ (cliFlags.extraCookies);
 // If not a JSON object, assume it's a path to a JSON file.
if (extraCookiesStr.substr(0, 1) !== '{') {
    extraCookiesStr = fs.readFileSync(extraCookiesStr, 'utf-8');
 }

[kkdev163]

according to this comment, should conditions be ?

!cookie.url && !cookie.domain

[connorjclark]

Perhaps this suggests not doing any new flag but instead parsing the cookie header and setting those cookies sort of like @brendankenny was suggesting?

Can we make a decision on this? This PR, or special casing --extra-headers for cookies?

[chasekaylee]

Hey there,

Was just wondering if there was an update on when this would be merged into master?

Cheers,

Chase

[paulirish]

@chasekaylee check out these:

https://github.com/GoogleChrome/lighthouse/blob/master/docs/authenticated-pages.md
https://github.com/GoogleChrome/lighthouse/tree/master/docs/recipes/auth

my expectation is those resources are more useful than the feature in this PR.
but if i'm wrong please let me know.

[chasekaylee]

ahh very cool. thanks! @paulirish

[koomar]

Are we moving ahead with this feature? Thanks. Also, @paulirish these links don't work for me.

[connorjclark]

I updated the links @koomar.

[dvarrazzo]

@paulirish I think the --extra-cookies options is fundamental to allow lighthouse to be scripted via command line using whatever other tool. The approaches suggested in the links are way more cumbersome.

My 2p is that this MR should be merged.

[pkpattabhiraman]

Hey Team,

Wondering when we can get this merged. Please advise!

[patrickhulce]

This PR hasn't been updated in almost a full year after there was disagreement on the team about the path forward. Since then, Lighthouse CI and the puppeteer script option offer far greater flexibility and control over these types of situations for the programmatic CI use case and are more consistent with our overall guidance on how to handle authenticated pages than patchwork CLI options with questionable ergonomics.

I'm inclined to close this PR rather than resurrect it at this point.

[pkpattabhiraman]

This PR hasn't been updated in almost a full year after there was disagreement on the team about the path forward. Since then, Lighthouse CI and the puppeteer script option offer far greater flexibility and control over these types of situations for the programmatic CI use case and are more consistent with our overall guidance on how to handle authenticated pages than patchwork CLI options with questionable ergonomics.

I'm inclined to close this PR rather than resurrect it at this point.

Thanks for the rapid response, @patrickhulce. Some of us other options like Chrome-Launcher and not puppeteer. Ability to inject extra-cookies would really make Lighthouse a complete solution instead of being tied to be used "only" with puppeteer for such use
cases.

[patrickhulce]

Some of us other options like Chrome-Launcher and not puppeteer

That's fine, you don't have to use puppeteer. If you're already using chrome-launcher you could use something like cri instead to talk to Chrome if you don't like puppeteer's API.

The point is that our general solution to this class of problems has been moving in the direction of "setup Chrome however you'd like by talking to it" rather than patching various holes with more and more CLI flags. Now that we have a first-class answer to the CI use case, this feature is unlikely to receive the priority support being requested here.

[RynatSibahatau]

I don’t mind closing the PR as I don’t own the Lighthouse product and don’t know details of its roadmap and desired capabilities. I agree that Puppeteer is a more flexible solution. But be alerted that there was some back and forth on Puppeteer repo regarding how correctly set a cookie: puppeteer/puppeteer#1342

I think it is worth providing correct puppeteer script in Lighthouse documentation in regards to how to properly set a cookie.
Last time I worked with Puppeteer I also faced an issue with that that I had to navigate to the site before setting a cookie for the site. It means I have to put traffic on the live site from the lighthouse’s puppeteer before I can set a cookie to redirect it to a canary one. If it still the true, Puppeteer usage scenario still have some drawbacks.

For my use case (it was solved even before I have opened this PR), I was trying to use TEST cookie to reroute canary traffic to the canary version of the service during deployment. I achieved that by switching from cookie-based routing on k8s virtual service to header-based routing. Chrome plugins (like ModHeader) also allows me to specify this header for manual testing of canary version. So, I don’t see any benefit for my specific case to use cookie vs header.

Thank you for mentioning this issue on the documentation page!

If code owners decide it is good to have CLI parameter, you are welcome to start from the current state of PR. I also can finish it in case there is a consensus within code owners.

[patrickhulce]

Thanks for the additional context @RynatSibahatau and for all your great work on the PR thusfar! ❤️

I think it is worth providing correct puppeteer script in Lighthouse documentation in regards to how to properly set a cookie.

This is a great idea 👍 Regardless of the outcome here we should do this.

Last time I worked with Puppeteer I also faced an issue with that that I had to navigate to the site before setting a cookie for the site. It means I have to put traffic on the live site from the lighthouse’s puppeteer before I can set a cookie to redirect it to a canary one. If it still the true, Puppeteer usage scenario still have some drawbacks.

If that's true, that would unfortunately plague this approach as well. The PR as-is would set the cookie before navigation.

[patrickhulce]

I think it is worth providing correct puppeteer script in Lighthouse documentation in regards to how to properly set a cookie.

I'm going to follow up with this solution and we'll close this PR for now. Thank you very much for your work here @RynatSibahatau we do appreciate it and #11313 should make this sort of thing even easier in the future as well.