HTTP/2 compat API drops duplicate headers when raw headers are provided

[pimterry]

Version

v21.4.0, v20.8.0

Platform

Linux 6.2.0-39-generic 40-Ubuntu SMP PREEMPT_DYNAMIC Tue Nov 14 14:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

http2

What steps will reproduce the bug?

const http2 = require('http2');

const server = http2.createServer((req, res) => {
    console.log('Got request');

    // This would work as expected:
    // res.writeHead(200, {
    //     'set-cookie': ['a', 'b']
    // });

    // This does not:
    res.writeHead(200, [
        'set-cookie', 'a',
        'set-cookie', 'b'
    ]);
    res.end('Done');
});

server.listen(9000, () => {
    const client = http2.connect(`http://localhost:${server.address().port}`);
    const req = client.request({ ':path': '/' });
    req.on('response', (res) => {
        console.log('Got response', res);
    });
});

How often does it reproduce? Is there a required condition?

Every time

What is the expected behavior? Why is that the expected behavior?

The response should show two set-cookie values

What do you see instead?

The response shows only the 2nd value, losing the first:

$ node test.js
Got request
Got response [Object: null prototype] {
  ':status': 200,
  'set-cookie': [ 'b' ],
  date: 'Mon, 08 Jan 2024 15:31:54 GMT',
  [Symbol(nodejs.http2.sensitiveHeaders)]: []
}

Additional information

This is part of the HTTP/1 compat API for HTTP/2. This works correctly with HTTP/1, but here although the compat layer attempts to handle raw headers, it doesn't quite do so correctly for trickier cases like this. It seems that the logic used in the compat API in #42901 (a fix for a different compat API issue) didn't take duplicate headers into account, and so the last matching header overrides all others.

I'll open up a fix for this shortly, watch this space.