undici: HPE_INVALID_CHUNK_SIZE but works without any issue in curl, browser and other runtimes excluding Node.js
Bug Description
Whenever I run .text() or try to read the body, I get and HPE_INVALID_CHUNK_SIZE error on Node.js on every requests made to my University’s VPN domain (u-vpn.unilim.fr)
Reproducible By
const response = await fetch("https://u-vpn.unilim.fr/remote/logincheck", {
"headers": {
"accept": "*/*",
"cache-control": "no-store, no-cache, must-revalidate",
"content-type": "text/plain;charset=UTF-8",
"if-modified-since": "Sat, 1 Jan 2000 00:00:00 GMT",
"pragma": "no-cache",
"Referer": "https://u-vpn.unilim.fr/remote/login?lang=en",
"Referrer-Policy": "strict-origin-when-cross-origin"
},
// Fake credentials, still throws the error though
"body": "ajax=1&username=a&realm=&credential=b",
"method": "POST"
});
// Only happens here.
console.log(await response.text());
Expected Behavior
Every other runtimes and browsers can give me the actual text response : ret=0,redir=/remote/login?&err=sslvpn_login_permission_denied&lang=en
Environment
Ubuntu 22.04 LTS, Node v20.11.0
Additional context
I can still get the data by catching the error and doing error.cause.data but this data is truncated on long responses so not usable for me on further requests.
When I say other runtimes : Bun and Deno gives the response.
Only Node.js throws…
About this issue
- Original URL
- State: open
- Created 5 months ago
- Comments: 18 (16 by maintainers)
Commits related to this issue
- feat: add a handwritten HTTP client for Node.js only see https://github.com/nodejs/undici/issues/2678 — committed to Vexcited/fortigate-web-sslvpn by Vexcited 5 months ago
Sorry, the situation is slightly more complicated than that. Let me clarify in detail what are the changes.
In https://github.com/nodejs/llhttp/commit/6d04465e8c98c57a17428bf7aa54cc9e0add30ff#diff-1b020119e4d8be8161260339cac1a661547fa1c3ef93b6989c52e8f89110a6f4L383 I enabled strict mode (and remove the ability to disabled) of llhttp. This changed some behaviors like accepting
\ninstead of\r\nor not accepting invalid characters fortokenclass. This got released with llhttp 9.Also, some new leniency flags (including the one of this issue) were introduced, but they are and always been disabled by default. So, if we want to stay as close as possible on llhttp 8 we don’t have to do anything.
In https://github.com/nodejs/undici/pull/2705#discussion_r1479612468 we already discussed about a separate PR which will enable ALL leniency flags with a single option (like already happens in Node) and this will fix this issue. Now, I believe updating to llhttp 9 is a semver-major (due to major change in dependency), while the new option will be semver-minor since it’s disabled by default.
I hope this clarifies the issue once for all. Let me know if you need additional clarification.
Seems to be similar as per https://github.com/nodejs/node/issues/47528