fix: #664 Handle URL-encoded cookie values

[dajinchu]

Summary

Fixes #664

Cookie values are often URL-encoded. In Rails, for example, there is no way to opt out of url-encoding cookies. So this code in the docs does not work.

Checklist

• Does your PR title have the correct title format?
• Does your PR have a breaking change?: no

[seantarzy]

May rails devs not have this issue again

[jeremyallison]

@kwalker3690 any chance someone with write access could approve and merge this fix in the near future? 🙏 😊

[Mercy811]

Hi @dajinchu, Amplitude Experiment Ruby SDK encodes cookie values with URL encoding first and then base64 the same as Amplitude Browser SDK. I confirmed that they should work well with each other.

In your example, it's been url encoded twice rather than not been URL encoded.

Fixed flow, proves what is broken:
Manually set an Amplitude cookie in your browser, with a value that has not been URL encoded, for example AMP_1310df2f88=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJkZDU1YjIxNC0yNmY1LTQ5OTAtYjFiZi0zNTkzYTIxOTJlNDIlMjIlN0Q= <-- ⚠️ notice the = is not encoded into %3D here

btoa(encodeURIComponent('{"deviceId":"dd55b214-26f5-4990-b1bf-3593a2192e42"}'))
// 'JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJkZDU1YjIxNC0yNmY1LTQ5OTAtYjFiZi0zNTkzYTIxOTJlNDIlMjIlN0Q='

encodeURIComponent(btoa(encodeURIComponent('{"deviceId":"dd55b214-26f5-4990-b1bf-3593a2192e42"}')))
// 'JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJkZDU1YjIxNC0yNmY1LTQ5OTAtYjFiZi0zNTkzYTIxOTJlNDIlMjIlN0Q%3D'

[Mercy811]

Hi @dajinchu, @amplitude/[email protected] is released with more logs in the catch block. Please upgrade to the latest version to get the exact error when it breaks.

[jeremyallison]

Amplitude Experiment Ruby SDK encodes cookie values with URL encoding first and then base64 the same as Amplitude Browser SDK

@Mercy811 they do, you're right.
But then when rails responds with a Set-Cookie header it URL encodes that base64 again. To my knowledge there is no workaround in rails to avoid this on server-side.

Here's an example (following the Experiment documentation) :

  def persist_device_id_in_cookie(cookie_name, device_id, country)
    cookies[cookie_name] = {
      value: AmplitudeExperiment::AmplitudeCookie.generate(device_id, new_format: true),
      domain: ".our-domain.#{country.host_tld}",
      httponly: false,
      secure: false
    }
  end

Although the base64 returned by AmplitudeCookie.generate is perfectly okay, the rails framework then outputs the following Set-Cookie header:

AMP_56feca8084=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjI1ZTMzMzc2OC1iZmI2LTQ2MjQtYWIwMS03N2I3ZTE3ODU2NDclMjIlN0Q%3D; domain=.our-domain.fr; path=/; SameSite=Lax; secure

And sure enough, with @amplitude/[email protected] :

[Mercy811]

Hi @jeremyallison, cookies are automatically URL encoded by the cookies helper for example, cookies[:user_name] = "John Doe". But it looks like there are ways to manually set cookies, for example https://api.rubyonrails.org/v4.0.1/classes/ActionDispatch/Response.html#method-i-set_cookie

[jeremyallison]

@Mercy811 we are actually using Rails v7.1 : https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html
Same syntax as in the Amplitude Experiment documentation. The set_cookie method is quite old (v4.0.1), it doesn't exist anymore in modern versions of Rails.

I think the most straightforward way to see this issue is the way @dajinchu explained it; the example in the official Amplitude Ruby gem documentation unfortunately cannot set a cookie that the TS @amplitude/analytics-browser can read.

Thank you very much for your time and for reopening the PR 🙏

[Mercy811]

Hi @jeremyallison, @amplitude/[email protected] should handle double url encoded values properly.

[jeremyallison]

Thank you very much @Mercy811 ! 🙏