@decocms/start 1.3.2 → 1.3.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decocms/start",
-  "version": "1.3.2",
+  "version": "1.3.4",
   "type": "module",
   "description": "Deco framework for TanStack Start - CMS bridge, admin protocol, hooks, schema generation",
   "main": "./src/index.ts",

package/src/routes/cmsRoute.ts

@@ -27,6 +27,7 @@ import {
   getRequest,
   getRequestHeader,
   getRequestUrl,
+  setResponseHeader,
 } from "@tanstack/react-start/server";
 import { createElement } from "react";
 import { preloadSectionComponents } from "../cms/registry";
@@ -227,6 +228,12 @@ export const loadDeferredSection = createServerFn({ method: "POST" })
       headers: originRequest.headers,
     });
     const enriched = await runSingleSectionLoader(section, request);
+
+    // Signal to the worker entry that this response is safe to edge-cache.
+    // Without this header, POST _serverFn responses are passed through
+    // without caching (checkout actions, invoke mutations, etc.).
+    setResponseHeader("X-Deco-Cacheable", "true");
+
     return normalizeUrlsInObject(enriched);
   });
 

package/src/sdk/workerEntry.ts

@@ -1034,9 +1034,7 @@ export function createDecoWorkerEntry(
 
         // Logged-in users always bypass — personalized content must not leak
         if (sfnSegment?.loggedIn) {
-          const body = await request.text();
-          const originReq = new Request(request, { body, method: "POST" });
-          const origin = await serverEntry.fetch(originReq, env, ctx);
+          const origin = await serverEntry.fetch(request, env, ctx);
           const resp = new Response(origin.body, origin);
           resp.headers.set("Cache-Control", "private, no-cache, no-store, must-revalidate");
           resp.headers.set("X-Cache", "BYPASS");
@@ -1044,7 +1042,10 @@ export function createDecoWorkerEntry(
           return resp;
         }
 
-        // Read body once and create a cloned request for origin fetch
+        // Clone request before consuming body — the clone goes to origin
+        // untouched so TanStack Start internals (cookie passthrough, etc.)
+        // work correctly. We only read the body for the cache key hash.
+        const originClone = request.clone();
         const body = await request.text();
         const bodyHash = await hashText(body);
 
@@ -1106,12 +1107,18 @@ export function createDecoWorkerEntry(
                 try {
                   const bgReq = new Request(request, { body, method: "POST" });
                   const bgOrigin = await serverEntry.fetch(bgReq, env, ctx);
-                  if (bgOrigin.status === 200 && !bgOrigin.headers.has("set-cookie") && serverFnCache) {
+                  if (
+                    bgOrigin.status === 200 &&
+                    bgOrigin.headers.get("X-Deco-Cacheable") === "true" &&
+                    !bgOrigin.headers.has("set-cookie") &&
+                    serverFnCache
+                  ) {
                     const ttl = sfnEdge.fresh + Math.max(sfnEdge.swr, sfnEdge.sie);
                     const toStore = bgOrigin.clone();
                     toStore.headers.set("Cache-Control", `public, max-age=${ttl}`);
                     toStore.headers.set("X-Deco-Stored-At", String(Date.now()));
                     toStore.headers.delete("CDN-Cache-Control");
+                    toStore.headers.delete("X-Deco-Cacheable");
                     await serverFnCache.put(sfnCacheKey, toStore);
                   }
                 } catch { /* background revalidation failed */ }
@@ -1128,32 +1135,41 @@ export function createDecoWorkerEntry(
         }
 
         // Cache MISS — fetch origin with the body we already read
-        const originReq = new Request(request, { body, method: "POST" });
-        const origin = await serverEntry.fetch(originReq, env, ctx);
+        const origin = await serverEntry.fetch(originClone, env, ctx);
 
-        // Never cache responses with Set-Cookie (cart/auth)
-        if (origin.headers.has("set-cookie")) {
+        // Only cache responses explicitly marked as cacheable by the handler
+        // (loadDeferredSection sets X-Deco-Cacheable: true). Checkout actions,
+        // invoke mutations, and other server functions are passed through.
+        const isCacheableResponse =
+          origin.headers.get("X-Deco-Cacheable") === "true" &&
+          !origin.headers.has("set-cookie") &&
+          origin.status === 200;
+
+        if (!isCacheableResponse) {
           const resp = new Response(origin.body, origin);
-          resp.headers.set("Cache-Control", "private, no-cache, no-store, must-revalidate");
-          resp.headers.delete("CDN-Cache-Control");
+          resp.headers.delete("X-Deco-Cacheable");
           resp.headers.set("X-Cache", "BYPASS");
-          resp.headers.set("X-Cache-Reason", "set-cookie");
+          resp.headers.set("X-Cache-Reason", origin.headers.has("set-cookie")
+            ? "set-cookie"
+            : "not-cacheable");
           return resp;
         }
 
         // Store in edge cache
-        if (origin.status === 200 && serverFnCache) {
+        if (serverFnCache) {
           try {
             const ttl = sfnEdge.fresh + Math.max(sfnEdge.swr, sfnEdge.sie);
             const toStore = origin.clone();
             toStore.headers.set("Cache-Control", `public, max-age=${ttl}`);
             toStore.headers.set("X-Deco-Stored-At", String(Date.now()));
             toStore.headers.delete("CDN-Cache-Control");
+            toStore.headers.delete("X-Deco-Cacheable");
             ctx.waitUntil(serverFnCache.put(sfnCacheKey, toStore));
           } catch { /* Cache API unavailable */ }
         }
 
         const resp = new Response(origin.body, origin);
+        resp.headers.delete("X-Deco-Cacheable");
         const hdrs = cacheHeaders(sfnProfile);
         for (const [k, v] of Object.entries(hdrs)) resp.headers.set(k, v);
         resp.headers.set("X-Cache", "MISS");