From a0e8ff41592d99f98ec9da5c3179cfcf9fdd5607 Mon Sep 17 00:00:00 2001
From: Sylvain Bougerel <sylvain.bougerel@gmail.com>
Date: Wed, 6 May 2026 20:10:07 +0800
Subject: [PATCH] fix(lambda-http): into_api_gateway_v2_request joins cookies
 with "; "
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

into_api_gateway_v2_request reconstructs the Cookie header by joining the cookies array from the API Gateway v2 event payload with ";" (no space). This violates RFC 6265 §4.2.1, which mandates "; " (semicolon followed by a space) as the cookie-pair separator. The result is a non-compliant Cookie header that breaks any downstream cookie parser that follows the spec strictly like BetterAuth.
---
 lambda-http/src/request.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lambda-http/src/request.rs b/lambda-http/src/request.rs
index 450ba94aa..4698f3980 100644
--- a/lambda-http/src/request.rs
+++ b/lambda-http/src/request.rs
@@ -147,7 +147,7 @@ fn into_api_gateway_v2_request(ag: ApiGatewayV2httpRequest) -> http::Request<Bod
 
     let mut headers = ag.headers;
     if let Some(cookies) = ag.cookies {
-        if let Ok(header_value) = HeaderValue::from_str(&cookies.join(";")) {
+        if let Ok(header_value) = HeaderValue::from_str(&cookies.join("; ")) {
             headers.insert(http::header::COOKIE, header_value);
         }
     }
@@ -570,7 +570,7 @@ mod tests {
 
         assert_eq!(req.method(), "POST");
         assert_eq!(req.uri(), "https://id.execute-api.us-east-1.amazonaws.com/my/path?parameter1=value1&parameter1=value2&parameter2=value");
-        assert_eq!(cookie_header, Ok("cookie1=value1;cookie2=value2"));
+        assert_eq!(cookie_header, Ok("cookie1=value1; cookie2=value2"));
 
         // Ensure this is an APIGWv2 request
         let req_context = req.request_context_ref().expect("Request is missing RequestContext");