@decocms/start 1.3.5 → 1.3.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decocms/start",
-  "version": "1.3.5",
+  "version": "1.3.7",
   "type": "module",
   "description": "Deco framework for TanStack Start - CMS bridge, admin protocol, hooks, schema generation",
   "main": "./src/index.ts",

package/src/routes/cmsRoute.ts

@@ -27,6 +27,7 @@ import {
   getRequest,
   getRequestHeader,
   getRequestUrl,
+  setResponseHeader,
 } from "@tanstack/react-start/server";
 import { createElement } from "react";
 import { preloadSectionComponents } from "../cms/registry";
@@ -228,6 +229,11 @@ export const loadDeferredSection = createServerFn({ method: "POST" })
     });
     const enriched = await runSingleSectionLoader(section, request);
 
+    // Signal to the worker entry that this response is safe to edge-cache.
+    // Without this header, POST _serverFn responses are passed through
+    // without caching (checkout actions, invoke mutations, etc.).
+    setResponseHeader("X-Deco-Cacheable", "true");
+
     return normalizeUrlsInObject(enriched);
   });
 

package/src/sdk/cacheHeaders.ts

@@ -267,7 +267,6 @@ const builtinPatterns: CachePattern[] = [
     test: (p) =>
       p.startsWith("/api/") ||
       p.startsWith("/deco/") ||
-      p.startsWith("/_server") ||
       p.startsWith("/_build"),
     profile: "none",
   },

package/src/sdk/workerEntry.ts

@@ -436,7 +436,7 @@ export const DEFAULT_SECURITY_HEADERS: Record<string, string> = {
   "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
 };
 
-const DEFAULT_BYPASS_PATHS = ["/_build", "/deco/", "/live/", "/.decofile", "/_server"];
+const DEFAULT_BYPASS_PATHS = ["/_build", "/deco/", "/live/", "/.decofile"];
 
 /**
  * Cookie names that are safe for caching — they carry anonymous/public
@@ -548,6 +548,14 @@ const IMMUTABLE_HEADERS: Record<string, string> = {
   Vary: "Accept-Encoding",
 };
 
+/** SHA-256 hex hash of a string — used for POST body cache keys. */
+async function hashText(text: string): Promise<string> {
+  const data = new TextEncoder().encode(text);
+  const buf = await crypto.subtle.digest("SHA-256", data);
+  return Array.from(new Uint8Array(buf))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+}
 
 // ---------------------------------------------------------------------------
 // Factory
@@ -1007,6 +1015,168 @@ export function createDecoWorkerEntry(
         return origin;
       }
 
+      // -----------------------------------------------------------------
+      // POST _serverFn — edge-cacheable using body-hash as cache key.
+      // These carry public CMS section data (shelves, deferred sections)
+      // that benefits from edge caching despite being POST requests.
+      // -----------------------------------------------------------------
+      if (
+        request.method === "POST" &&
+        (url.pathname.startsWith("/_serverFn/") || url.pathname.startsWith("/_server/"))
+      ) {
+        const serverFnCache =
+          typeof caches !== "undefined"
+            ? ((caches as unknown as { default?: Cache }).default ?? null)
+            : null;
+
+        // Build segment once — used for logged-in check and cache key
+        const sfnSegment = buildSegment ? buildSegment(request) : undefined;
+
+        // Logged-in users always bypass — personalized content must not leak
+        if (sfnSegment?.loggedIn) {
+          const origin = await serverEntry.fetch(request, env, ctx);
+          const resp = new Response(origin.body, origin);
+          resp.headers.set("Cache-Control", "private, no-cache, no-store, must-revalidate");
+          resp.headers.set("X-Cache", "BYPASS");
+          resp.headers.set("X-Cache-Reason", "logged-in");
+          return resp;
+        }
+
+        // Clone request before consuming body — the clone goes to origin
+        // untouched so TanStack Start internals (cookie passthrough, etc.)
+        // work correctly. We only read the body for the cache key hash.
+        const originClone = request.clone();
+        const body = await request.text();
+        const bodyHash = await hashText(body);
+
+        // Build a synthetic GET cache key from the URL + body hash + segment
+        // Includes device, salesChannel, regionId, flags — so users in
+        // different regions or channels get separate cache entries.
+        const cacheKeyUrl = new URL(request.url);
+        cacheKeyUrl.searchParams.set("__body", bodyHash);
+        if (cacheVersionEnv !== false) {
+          const version = (env[cacheVersionEnv] as string) || "";
+          if (version) cacheKeyUrl.searchParams.set("__v", version);
+        }
+        if (sfnSegment) {
+          cacheKeyUrl.searchParams.set("__seg", hashSegment(sfnSegment));
+        } else if (deviceSpecificKeys) {
+          const device = isMobileUA(request.headers.get("user-agent") ?? "") ? "mobile" : "desktop";
+          cacheKeyUrl.searchParams.set("__cf_device", device);
+        }
+        // Include CF geo data so location-based content doesn't leak across geos
+        const cf = (request as unknown as { cf?: Record<string, string> }).cf;
+        if (cf) {
+          const geoParts: string[] = [];
+          if (cf.country) geoParts.push(cf.country);
+          if (cf.region) geoParts.push(cf.region);
+          if (cf.city) geoParts.push(cf.city);
+          if (geoParts.length) cacheKeyUrl.searchParams.set("__cf_geo", geoParts.join("|"));
+        }
+        const sfnCacheKey = new Request(cacheKeyUrl.toString(), { method: "GET" });
+
+        // Use "listing" profile for server function responses
+        const sfnProfile: CacheProfileName = "listing";
+        const sfnEdge = edgeCacheConfig(sfnProfile);
+
+        // Check edge cache
+        let sfnCached: Response | undefined;
+        if (serverFnCache) {
+          try {
+            sfnCached = await serverFnCache.match(sfnCacheKey) ?? undefined;
+          } catch { /* Cache API unavailable */ }
+        }
+
+        if (sfnCached && sfnEdge.fresh > 0) {
+          const storedAt = Number(sfnCached.headers.get("X-Deco-Stored-At") || "0");
+          const ageSec = storedAt > 0 ? (Date.now() - storedAt) / 1000 : Infinity;
+
+          if (ageSec < sfnEdge.fresh) {
+            const out = new Response(sfnCached.body, sfnCached);
+            const hdrs = cacheHeaders(sfnProfile);
+            for (const [k, v] of Object.entries(hdrs)) out.headers.set(k, v);
+            out.headers.set("X-Cache", "HIT");
+            out.headers.set("X-Cache-Profile", sfnProfile);
+            return out;
+          }
+
+          if (ageSec < sfnEdge.fresh + sfnEdge.swr) {
+            // Stale-while-revalidate: serve stale, refresh in background
+            ctx.waitUntil(
+              (async () => {
+                try {
+                  const bgReq = new Request(request, { body, method: "POST" });
+                  const bgOrigin = await serverEntry.fetch(bgReq, env, ctx);
+                  if (
+                    bgOrigin.status === 200 &&
+                    bgOrigin.headers.get("X-Deco-Cacheable") === "true" &&
+                    !bgOrigin.headers.has("set-cookie") &&
+                    serverFnCache
+                  ) {
+                    const ttl = sfnEdge.fresh + Math.max(sfnEdge.swr, sfnEdge.sie);
+                    const toStore = bgOrigin.clone();
+                    toStore.headers.set("Cache-Control", `public, max-age=${ttl}`);
+                    toStore.headers.set("X-Deco-Stored-At", String(Date.now()));
+                    toStore.headers.delete("CDN-Cache-Control");
+                    toStore.headers.delete("X-Deco-Cacheable");
+                    await serverFnCache.put(sfnCacheKey, toStore);
+                  }
+                } catch { /* background revalidation failed */ }
+              })(),
+            );
+            const out = new Response(sfnCached.body, sfnCached);
+            const hdrs = cacheHeaders(sfnProfile);
+            for (const [k, v] of Object.entries(hdrs)) out.headers.set(k, v);
+            out.headers.set("X-Cache", "STALE-HIT");
+            out.headers.set("X-Cache-Profile", sfnProfile);
+            out.headers.set("X-Cache-Age", String(Math.round(ageSec)));
+            return out;
+          }
+        }
+
+        // Cache MISS — fetch origin with the body we already read
+        const origin = await serverEntry.fetch(originClone, env, ctx);
+
+        // Only cache responses explicitly marked as cacheable by the handler
+        // (loadDeferredSection sets X-Deco-Cacheable: true). Checkout actions,
+        // invoke mutations, and other server functions are passed through.
+        const isCacheableResponse =
+          origin.headers.get("X-Deco-Cacheable") === "true" &&
+          !origin.headers.has("set-cookie") &&
+          origin.status === 200;
+
+        if (!isCacheableResponse) {
+          const resp = new Response(origin.body, origin);
+          resp.headers.delete("X-Deco-Cacheable");
+          resp.headers.set("X-Cache", "BYPASS");
+          resp.headers.set("X-Cache-Reason", origin.headers.has("set-cookie")
+            ? "set-cookie"
+            : "not-cacheable");
+          return resp;
+        }
+
+        // Store in edge cache
+        if (serverFnCache) {
+          try {
+            const ttl = sfnEdge.fresh + Math.max(sfnEdge.swr, sfnEdge.sie);
+            const toStore = origin.clone();
+            toStore.headers.set("Cache-Control", `public, max-age=${ttl}`);
+            toStore.headers.set("X-Deco-Stored-At", String(Date.now()));
+            toStore.headers.delete("CDN-Cache-Control");
+            toStore.headers.delete("X-Deco-Cacheable");
+            ctx.waitUntil(serverFnCache.put(sfnCacheKey, toStore));
+          } catch { /* Cache API unavailable */ }
+        }
+
+        const resp = new Response(origin.body, origin);
+        resp.headers.delete("X-Deco-Cacheable");
+        const hdrs = cacheHeaders(sfnProfile);
+        for (const [k, v] of Object.entries(hdrs)) resp.headers.set(k, v);
+        resp.headers.set("X-Cache", "MISS");
+        resp.headers.set("X-Cache-Profile", sfnProfile);
+        return resp;
+      }
+
       // Non-cacheable requests — pass through but protect against accidental caching
       if (!isCacheable(request, url)) {
         const origin = await serverEntry.fetch(request, env, ctx);