@decocms/start 0.22.2 → 0.23.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decocms/start",
-  "version": "0.22.2",
+  "version": "0.23.0",
   "type": "module",
   "description": "Deco framework for TanStack Start - CMS bridge, admin protocol, hooks, schema generation",
   "main": "./src/index.ts",
@@ -16,6 +16,7 @@
     "./sdk/clx": "./src/sdk/clx.ts",
     "./sdk/useId": "./src/sdk/useId.ts",
     "./sdk/cookie": "./src/sdk/cookie.ts",
+    "./sdk/cookiePassthrough": "./src/sdk/cookiePassthrough.ts",
     "./sdk/analytics": "./src/sdk/analytics.ts",
     "./sdk/cachedLoader": "./src/sdk/cachedLoader.ts",
     "./sdk/serverTimings": "./src/sdk/serverTimings.ts",

package/src/sdk/cookiePassthrough.ts

@@ -0,0 +1,58 @@
+/**
+ * Request / Response cookie passthrough helpers for TanStack Start.
+ *
+ * Provides two framework-bound functions that commerce apps
+ * (VTEX, Shopify, etc.) can plug into their cookie provider hooks
+ * to transparently forward browser cookies to API calls and
+ * Set-Cookie headers back to the browser.
+ *
+ * @example
+ * ```ts
+ * // setup.ts
+ * import { getRequestCookieHeader, forwardResponseCookies } from "@decocms/start/sdk/cookiePassthrough";
+ * import { setRequestCookieProvider, setResponseCookieForwarder } from "@decocms/apps/vtex";
+ *
+ * setRequestCookieProvider(getRequestCookieHeader);
+ * setResponseCookieForwarder(forwardResponseCookies);
+ * ```
+ */
+
+import {
+	getRequestHeader,
+	getResponseHeaders,
+	setResponseHeader,
+} from "@tanstack/react-start/server";
+
+/**
+ * Returns the Cookie header from the current TanStack Start request context.
+ * Safe to call outside a request scope (returns undefined).
+ */
+export function getRequestCookieHeader(): string | undefined {
+	try {
+		return getRequestHeader("cookie") ?? undefined;
+	} catch {
+		return undefined;
+	}
+}
+
+/**
+ * Appends Set-Cookie headers to the current TanStack Start response.
+ * Preserves any Set-Cookie headers already set by other middleware or
+ * earlier calls, so multiple API calls in one request don't clobber
+ * each other's cookies.
+ *
+ * Safe to call outside a request scope (no-op).
+ */
+export function forwardResponseCookies(cookies: string[]): void {
+	if (!cookies.length) return;
+	try {
+		const headers = getResponseHeaders();
+		const existing: string[] =
+			typeof headers.getSetCookie === "function"
+				? headers.getSetCookie()
+				: [];
+		setResponseHeader("set-cookie", [...existing, ...cookies]);
+	} catch {
+		// Outside request context (build time, etc.) — ignore.
+	}
+}

package/src/sdk/index.ts

@@ -60,6 +60,7 @@ export {
 export { useId } from "./useId";
 export { usePartialSection, useScript, useScriptAsDataURI, useSection } from "./useScript";
 export { createDecoWorkerEntry, type DecoWorkerEntryOptions } from "./workerEntry";
+export { forwardResponseCookies, getRequestCookieHeader } from "./cookiePassthrough";
 export {
   isWrappedError,
   unwrapError,

package/src/sdk/workerEntry.ts

@@ -726,6 +726,20 @@ export function createDecoWorkerEntry(
         return origin;
       }
 
+      // Responses with Set-Cookie must never be cached — they carry
+      // per-user session/auth tokens that would leak to other users.
+      const hasSetCookie = origin.headers.has("set-cookie");
+      if (hasSetCookie) {
+        const resp = new Response(origin.body, origin);
+        resp.headers.set("Cache-Control", "private, no-cache, no-store, must-revalidate");
+        // CDN-Cache-Control takes precedence over Cache-Control on Cloudflare.
+        // If the origin set it, Cloudflare would ignore our private directive.
+        resp.headers.delete("CDN-Cache-Control");
+        resp.headers.set("X-Cache", "BYPASS");
+        resp.headers.set("X-Cache-Reason", "set-cookie");
+        return resp;
+      }
+
       // Determine the right cache profile for this URL
       const profile = getProfile(url);
       const profileConfig = getCacheProfileConfig(profile);