@decocms/start 1.2.9 → 1.2.10

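--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@decocms/start",
-"version": "1.2.9",
+"version": "1.2.10",
 "type": "module",
 "description": "Deco framework for TanStack Start - CMS bridge, admin protocol, hooks, schema generation",
 "main": "./src/index.ts",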
@@ -267,7 +267,6 @@ const builtinPatterns: CachePattern[] = [
267
267
  test: (p) =>
268
268
  p.startsWith("/api/") ||
269
269
  p.startsWith("/deco/") ||
270
- p.startsWith("/_server") ||
271
270
  p.startsWith("/_build"),
272
271
  profile: "none",
273
272
  },
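Review bot: Dropping `p.startsWith("/_server")` from the `profile: "none"` pattern here, together with removing `"/_server"` from `DEFAULT_BYPASS_PATHS` in the later hunk, means responses under `/_server` (presumably TanStack Start's server-function endpoint) now reach the profile detector and can be stored in the edge cache. The only new safeguard in this release is the Set-Cookie check in `createDecoWorkerEntry`, which catches responses that set a cookie but not GET server functions whose output depends on the incoming `Cookie` or `Authorization` header, so a per-user payload could still be written under a shared key. If caching `/_server` is intended, the detector should treat requests carrying `Cookie`/`Authorization` as uncacheable (or include them in the cache key) before this pattern is relaxed; alternatively keep `/_server` in both lists until that exists. The `builtinPatterns` array starts and ends outside the hunk.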
@@ -179,7 +179,7 @@ export interface DecoWorkerEntryOptions {
179
179
  /**
180
180
  * Paths that should always bypass the edge cache, even if the
181
181
  * profile detector would otherwise cache them.
182
- * Defaults include `/_server`, `/_build`, `/assets`, `/deco/`.
182
+ * Defaults include `/_build`, `/deco/`, `/live/`, `/.decofile`.
183
183
  */
184
184
  bypassPaths?: string[];
185
185
 
@@ -379,7 +379,7 @@ export const DEFAULT_SECURITY_HEADERS: Record<string, string> = {
379
379
  "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
380
380
  };
381
381
 
382
- const DEFAULT_BYPASS_PATHS = ["/_server", "/_build", "/deco/", "/live/", "/.decofile"];
382
+ const DEFAULT_BYPASS_PATHS = ["/_build", "/deco/", "/live/", "/.decofile"];
383
383
 
384
384
  const FINGERPRINTED_ASSET_RE = /(?:\/_build)?\/assets\/.*-[a-zA-Z0-9_-]{8,}\.\w+$/;
385
385
 
@@ -850,6 +850,17 @@ export function createDecoWorkerEntry(
850
850
  }
851
851
 
852
852
  const resp = new Response(origin.body, origin);
853
+
854
+ // Responses with Set-Cookie carry per-user tokens — never expose
855
+ // them with public cache headers regardless of profile.
856
+ if (origin.headers.has("set-cookie")) {
857
+ resp.headers.set("Cache-Control", "private, no-cache, no-store, must-revalidate");
858
+ resp.headers.delete("CDN-Cache-Control");
859
+ resp.headers.set("X-Cache", "BYPASS");
860
+ resp.headers.set("X-Cache-Reason", "set-cookie");
861
+ return resp;
862
+ }
863
+
853
864
  const reason = request.method !== "GET"
854
865
  ? `method:${request.method}`
855
866
  : "bypass-path";