npm - @decocms/runtime - Versions diffs - 1.2.10 → 1.2.11 - Mend

@decocms/runtime 1.2.10 → 1.2.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +1 -1
package/src/asset-server/index.test.ts +100 -0
package/src/asset-server/index.ts +40 -3
package/src/index.ts +17 -0
package/src/oauth.ts +5 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@decocms/runtime",
-  "version": "1.2.10",
+  "version": "1.2.11",
   "type": "module",
   "scripts": {
     "check": "tsc --noEmit",

package/src/asset-server/index.test.ts CHANGED Viewed

@@ -155,11 +155,16 @@ describe("createAssetHandler", () => {
   const indexContent = "<!DOCTYPE html><html><body>SPA</body></html>";
   const cssContent = "body { color: red; }";
+  const jsContent = "export default function(){}";
+  const faviconContent = "<svg/>";
   beforeAll(() => {
     // Create temp directory with test files
     mkdirSync(resolve(tempDir, "assets"), { recursive: true });
     writeFileSync(resolve(tempDir, "index.html"), indexContent);
     writeFileSync(resolve(tempDir, "assets/style.css"), cssContent);
+    writeFileSync(resolve(tempDir, "assets/chunk-AbC123.js"), jsContent);
+    writeFileSync(resolve(tempDir, "favicon.svg"), faviconContent);
   });
   afterAll(() => {
@@ -324,4 +329,99 @@ describe("createAssetHandler", () => {
       expect(text).toBe(indexContent);
     });
   });
+  describe("Cache-Control headers", () => {
+    const acceptsHtml = { headers: { accept: "text/html" } };
+    test("index.html returns Cache-Control: no-cache", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: tempDir,
+      });
+      const request = new Request("http://localhost:3000/", acceptsHtml);
+      const result = await handler(request);
+      expect(result).not.toBeNull();
+      expect(result!.headers.get("Cache-Control")).toBe("no-cache");
+    });
+    test("SPA fallback returns Cache-Control: no-cache", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: tempDir,
+      });
+      const request = new Request(
+        "http://localhost:3000/some/spa/route",
+        acceptsHtml,
+      );
+      const result = await handler(request);
+      expect(result).not.toBeNull();
+      expect(result!.headers.get("Cache-Control")).toBe("no-cache");
+    });
+    test("hashed JS asset returns Cache-Control: immutable", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: tempDir,
+      });
+      const request = new Request(
+        "http://localhost:3000/assets/chunk-AbC123.js",
+      );
+      const result = await handler(request);
+      expect(result).not.toBeNull();
+      expect(result!.headers.get("Cache-Control")).toBe(
+        "public, max-age=31536000, immutable",
+      );
+    });
+    test("CSS asset returns Cache-Control: immutable", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: tempDir,
+      });
+      const request = new Request("http://localhost:3000/assets/style.css");
+      const result = await handler(request);
+      expect(result).not.toBeNull();
+      expect(result!.headers.get("Cache-Control")).toBe(
+        "public, max-age=31536000, immutable",
+      );
+    });
+    test("missing /assets/* file returns 404 with no-store to prevent CDN caching", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: tempDir,
+      });
+      // Request a hashed chunk that doesn't exist (simulates post-deploy stale reference)
+      const request = new Request(
+        "http://localhost:3000/assets/chunk-OldHash.js",
+      );
+      const result = await handler(request);
+      expect(result).not.toBeNull();
+      expect(result!.status).toBe(404);
+      expect(result!.headers.get("Cache-Control")).toBe("no-store");
+    });
+    test("non-asset files return no Cache-Control header", async () => {
+      const handler = createAssetHandler({
+        env: "production",
+        clientDir: tempDir,
+      });
+      const request = new Request("http://localhost:3000/favicon.svg");
+      const result = await handler(request);
+      expect(result).not.toBeNull();
+      expect(result!.headers.get("Cache-Control")).toBeNull();
+    });
+  });
 });

package/src/asset-server/index.ts CHANGED Viewed

@@ -1,5 +1,29 @@
 import { devServerProxy } from "./dev-server-proxy";
-import { resolve, dirname, join, extname } from "path";
+import { resolve, dirname, join, extname, basename, sep } from "path";
+/**
+ * Returns appropriate Cache-Control headers based on the file being served.
+ *
+ * - index.html / SPA fallback: `no-cache` so browsers always revalidate,
+ *   preventing stale HTML from referencing old hashed asset URLs after deploys.
+ * - Hashed assets (/assets/*): immutable with 1-year max-age since the content
+ *   hash in the filename changes on every build.
+ * - Everything else: no explicit caching directive (browser defaults apply).
+ */
+function getAssetCacheHeaders(
+  filePath: string,
+  indexPath: string,
+): Record<string, string> {
+  if (filePath === indexPath || basename(filePath) === "index.html") {
+    return { "Cache-Control": "no-cache" };
+  }
+  if (filePath.includes(`${sep}assets${sep}`)) {
+    return { "Cache-Control": "public, max-age=31536000, immutable" };
+  }
+  return {};
+}
 export interface AssetServerConfig {
   /**
@@ -29,7 +53,7 @@ export interface AssetServerConfig {
   isServerPath?: (path: string) => boolean;
 }
-const DEFAULT_DEV_SERVER_URL = "http://localhost:4000";
+const DEFAULT_DEV_SERVER_URL = `http://localhost:${process.env.VITE_PORT || "4000"}`;
 const DEFAULT_CLIENT_DIR = "./dist/client";
 /**
@@ -227,13 +251,26 @@ export function createAssetHandler(config: AssetServerConfig = {}) {
       try {
         const file = Bun.file(pathToTry);
         if (await file.exists()) {
-          return new Response(file);
+          return new Response(file, {
+            headers: getAssetCacheHeaders(pathToTry, indexPath),
+          });
         }
       } catch {
         // Continue to next path
       }
     }
+    // For /assets/* paths (hashed files), return an explicit 404 with no-store
+    // to prevent CDNs (e.g., Cloudflare) from caching the 404 response.
+    // Without this, a 404 during a rolling deployment gets cached at the edge
+    // for hours, making chunks unreachable even after all pods are updated.
+    if (path.includes("/assets/")) {
+      return new Response("Not Found", {
+        status: 404,
+        headers: { "Cache-Control": "no-store" },
+      });
+    }
     return null;
   };
 }

package/src/index.ts CHANGED Viewed

@@ -112,6 +112,8 @@ export interface RequestContext<
   callerApp?: string;
   connectionId?: string;
   organizationId?: string;
+  organizationName?: string;
+  organizationSlug?: string;
 }
 const withDefaultBindings = ({
@@ -191,6 +193,8 @@ export const withBindings = <TEnv>({
         meshUrl?: string;
         connectionId?: string;
         organizationId?: string;
+        organizationName?: string;
+        organizationSlug?: string;
       }) ?? {};
     context = {
@@ -201,6 +205,10 @@ export const withBindings = <TEnv>({
       connectionId: (decoded.connectionId as string) ?? metadata.connectionId,
       organizationId:
         (decoded.organizationId as string) ?? metadata.organizationId,
+      organizationName:
+        (decoded.organizationName as string) ?? metadata.organizationName,
+      organizationSlug:
+        (decoded.organizationSlug as string) ?? metadata.organizationSlug,
       ensureAuthenticated: AUTHENTICATED(decoded.user ?? decoded.sub),
     } as RequestContext<any>;
   } else if (typeof tokenOrContext === "object") {
@@ -212,12 +220,21 @@ export const withBindings = <TEnv>({
         state?: Record<string, unknown>;
         meshUrl?: string;
         connectionId?: string;
+        organizationId?: string;
+        organizationName?: string;
+        organizationSlug?: string;
       }) ?? {};
     const appName = decoded.appName as string | undefined;
     context.authorization ??= authorization;
     context.callerApp = appName;
     context.connectionId ??=
       (decoded.connectionId as string) ?? metadata.connectionId;
+    context.organizationId ??=
+      (decoded.organizationId as string) ?? metadata.organizationId;
+    context.organizationName ??=
+      (decoded.organizationName as string) ?? metadata.organizationName;
+    context.organizationSlug ??=
+      (decoded.organizationSlug as string) ?? metadata.organizationSlug;
     context.ensureAuthenticated = AUTHENTICATED(decoded.user ?? decoded.sub);
   } else {
     context = {

package/src/oauth.ts CHANGED Viewed

@@ -20,6 +20,7 @@ function isValidRedirectUri(uri: string): boolean {
     return (
       url.protocol === "https:" ||
       url.hostname === "localhost" ||
+      url.hostname.endsWith(".localhost") ||
       url.hostname === "127.0.0.1" ||
       // Allow custom schemes for native apps (e.g., cursor://, vscode://)
       !url.protocol.startsWith("http")
@@ -71,9 +72,11 @@ interface CodePayload {
 }
 const forceHttps = (url: URL) => {
-  const isLocal = url.hostname === "localhost" || url.hostname === "127.0.0.1";
+  const isLocal =
+    url.hostname === "localhost" ||
+    url.hostname.endsWith(".localhost") ||
+    url.hostname === "127.0.0.1";
   if (!isLocal) {
-    // force http if not local
     url.protocol = "https:";
   }
   return url;