npm - @decocms/start - Versions diffs - 1.3.6 → 1.3.7 - Mend

@decocms/start 1.3.6 → 1.3.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@decocms/start",
-  "version": "1.3.6",
+  "version": "1.3.7",
   "type": "module",
   "description": "Deco framework for TanStack Start - CMS bridge, admin protocol, hooks, schema generation",
   "main": "./src/index.ts",

package/src/routes/cmsRoute.ts CHANGED Viewed

@@ -27,6 +27,7 @@ import {
   getRequest,
   getRequestHeader,
   getRequestUrl,
+  setResponseHeader,
 } from "@tanstack/react-start/server";
 import { createElement } from "react";
 import { preloadSectionComponents } from "../cms/registry";
@@ -227,6 +228,12 @@ export const loadDeferredSection = createServerFn({ method: "POST" })
       headers: originRequest.headers,
     });
     const enriched = await runSingleSectionLoader(section, request);
+    // Signal to the worker entry that this response is safe to edge-cache.
+    // Without this header, POST _serverFn responses are passed through
+    // without caching (checkout actions, invoke mutations, etc.).
+    setResponseHeader("X-Deco-Cacheable", "true");
     return normalizeUrlsInObject(enriched);
   });

package/src/sdk/cacheHeaders.ts CHANGED Viewed

@@ -267,7 +267,6 @@ const builtinPatterns: CachePattern[] = [
     test: (p) =>
       p.startsWith("/api/") ||
       p.startsWith("/deco/") ||
-      p.startsWith("/_server") ||
       p.startsWith("/_build"),
     profile: "none",
   },

package/src/sdk/workerEntry.ts CHANGED Viewed

@@ -179,7 +179,7 @@ export interface DecoWorkerEntryOptions {
   /**
    * Paths that should always bypass the edge cache, even if the
    * profile detector would otherwise cache them.
-   * Defaults include `/_server`, `/_build`, `/assets`, `/deco/`.
+   * Defaults include `/_build`, `/deco/`, `/live/`, `/.decofile`.
    */
   bypassPaths?: string[];
@@ -295,6 +295,63 @@ export interface DecoWorkerEntryOptions {
    * @default true
    */
   autoInjectGeoCookies?: boolean;
+  /**
+   * Cookie names considered "safe" for caching — these are public/anonymous
+   * cookies that do not carry per-user session or auth data.
+   *
+   * When a response contains ONLY safe cookies, it is still eligible for
+   * Cache API storage. The safe cookies are stripped from the cached copy
+   * but kept on the response served to the current user.
+   *
+   * If the response contains ANY cookie NOT in this list, the response
+   * bypasses caching entirely (existing behavior).
+   *
+   * @default DEFAULT_SAFE_COOKIES (vtex_is_session, vtex_is_anonymous, vtex_segment, _deco_bucket)
+   *
+   * @example
+   * ```ts
+   * createDecoWorkerEntry(serverEntry, {
+   *   safeCookies: [
+   *     ...DEFAULT_SAFE_COOKIES,
+   *     "my_custom_analytics_cookie",
+   *   ],
+   * });
+   * ```
+   */
+  safeCookies?: string[];
+  /**
+   * Additional static paths (beyond fingerprinted assets) that should
+   * receive long-lived immutable cache headers.
+   *
+   * Useful for non-fingerprinted resources like fonts that live at
+   * stable URLs (e.g., `/fonts/Lato-Regular.woff2`).
+   *
+   * @default ["/fonts/"]
+   *
+   * @example
+   * ```ts
+   * createDecoWorkerEntry(serverEntry, {
+   *   staticPaths: ["/fonts/", "/static/", "/images/icons/"],
+   * });
+   * ```
+   */
+  staticPaths?: string[];
+  /**
+   * CDN-Cache-Control header strategy.
+   *
+   * - `"no-store"` (default): CDN never caches; every request invokes the Worker.
+   *   Correct when segment-based cache keys differ from the original URL.
+   * - `"match-profile"`: Set CDN-Cache-Control to a short TTL matching the
+   *   profile's edge.fresh value. Only safe when you are NOT using segment-based
+   *   cache keys (i.e., no `buildSegment` and `deviceSpecificKeys: false`).
+   * - A function: Return a CDN-Cache-Control value per profile, or `null` for no-store.
+   *
+   * @default "no-store"
+   */
+  cdnCacheControl?: "no-store" | "match-profile" | ((profile: CacheProfileName) => string | null);
 }
 // ---------------------------------------------------------------------------
@@ -379,7 +436,110 @@ export const DEFAULT_SECURITY_HEADERS: Record<string, string> = {
   "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
 };
-const DEFAULT_BYPASS_PATHS = ["/_server", "/_build", "/deco/", "/live/", "/.decofile"];
+const DEFAULT_BYPASS_PATHS = ["/_build", "/deco/", "/live/", "/.decofile"];
+/**
+ * Cookie names that are safe for caching — they carry anonymous/public
+ * segment data, not per-user auth tokens.
+ *
+ * VTEX Intelligent Search sets `vtex_is_session` and `vtex_is_anonymous`
+ * on every response. `vtex_segment` encodes the sales channel.
+ * `_deco_bucket` is the A/B test cohort cookie.
+ */
+export const DEFAULT_SAFE_COOKIES: string[] = [
+  "vtex_is_session",
+  "vtex_is_anonymous",
+  "vtex_segment",
+  "_deco_bucket",
+];
+const DEFAULT_STATIC_PATHS = ["/fonts/"];
+/**
+ * Parse Set-Cookie header values and return cookie names.
+ */
+function parseCookieNames(response: Response): string[] {
+  const names: string[] = [];
+  // getSetCookie() returns individual Set-Cookie values (available in Workers runtime)
+  const setCookies = (response.headers as any).getSetCookie?.() as string[] | undefined;
+  if (setCookies) {
+    for (const sc of setCookies) {
+      const eqIdx = sc.indexOf("=");
+      if (eqIdx > 0) names.push(sc.slice(0, eqIdx).trim());
+    }
+  } else {
+    // Fallback: parse from combined header (less reliable but covers edge cases)
+    const combined = response.headers.get("set-cookie") ?? "";
+    for (const part of combined.split(",")) {
+      const eqIdx = part.indexOf("=");
+      if (eqIdx > 0) {
+        const name = part.slice(0, eqIdx).trim();
+        // Skip attributes like "Expires=..." that appear after semicolons
+        if (!name.includes(";") && name.length > 0) names.push(name);
+      }
+    }
+  }
+  return names;
+}
+/**
+ * Check if ALL cookies in a response are in the safe list.
+ * Returns true if the response has no cookies or only safe cookies.
+ */
+function hasOnlySafeCookies(response: Response, safeCookieSet: Set<string>): boolean {
+  if (!response.headers.has("set-cookie")) return true;
+  const names = parseCookieNames(response);
+  if (names.length === 0) return true;
+  return names.every((name) => safeCookieSet.has(name));
+}
+/**
+ * Clone a response, stripping Set-Cookie headers that match the safe list.
+ * Uses response.clone() to preserve the original body for the served response.
+ * The returned copy is intended for cache storage only.
+ */
+function stripSafeCookiesForCache(response: Response, safeCookieSet: Set<string>): Response {
+  const clone = response.clone();
+  const setCookies = (response.headers as any).getSetCookie?.() as string[] | undefined;
+  if (!setCookies || setCookies.length === 0) return clone;
+  // Remove all Set-Cookie headers, then re-add only unsafe ones
+  clone.headers.delete("set-cookie");
+  for (const sc of setCookies) {
+    const eqIdx = sc.indexOf("=");
+    const name = eqIdx > 0 ? sc.slice(0, eqIdx).trim() : "";
+    if (name && !safeCookieSet.has(name)) {
+      clone.headers.append("set-cookie", sc);
+    }
+  }
+  return clone;
+}
+/**
+ * Deduplicate Set-Cookie headers — keep only the LAST occurrence of
+ * each cookie name. Multiple layers (VTEX middleware, invoke handlers,
+ * etc.) may independently append the same cookie.
+ */
+function deduplicateSetCookies(response: Response): void {
+  const setCookies = (response.headers as any).getSetCookie?.() as string[] | undefined;
+  if (!setCookies || setCookies.length <= 1) return;
+  // Build map: cookie name → last Set-Cookie value
+  const seen = new Map<string, string>();
+  for (const sc of setCookies) {
+    const eqIdx = sc.indexOf("=");
+    const name = eqIdx > 0 ? sc.slice(0, eqIdx).trim() : sc;
+    seen.set(name, sc);
+  }
+  // If no duplicates, nothing to do
+  if (seen.size === setCookies.length) return;
+  response.headers.delete("set-cookie");
+  for (const sc of seen.values()) {
+    response.headers.append("set-cookie", sc);
+  }
+}
 const FINGERPRINTED_ASSET_RE = /(?:\/_build)?\/assets\/.*-[a-zA-Z0-9_-]{8,}\.\w+$/;
@@ -388,6 +548,15 @@ const IMMUTABLE_HEADERS: Record<string, string> = {
   Vary: "Accept-Encoding",
 };
+/** SHA-256 hex hash of a string — used for POST body cache keys. */
+async function hashText(text: string): Promise<string> {
+  const data = new TextEncoder().encode(text);
+  const buf = await crypto.subtle.digest("SHA-256", data);
+  return Array.from(new Uint8Array(buf))
+    .map((b) => b.toString(16).padStart(2, "0"))
+    .join("");
+}
 // ---------------------------------------------------------------------------
 // Factory
 // ---------------------------------------------------------------------------
@@ -421,8 +590,13 @@ export function createDecoWorkerEntry(
     securityHeaders: securityHeadersOpt,
     csp: cspOpt,
     autoInjectGeoCookies: geoOpt = true,
+    safeCookies: safeCookiesOpt = DEFAULT_SAFE_COOKIES,
+    staticPaths: staticPathsOpt = DEFAULT_STATIC_PATHS,
+    cdnCacheControl: cdnCacheControlOpt = "no-store",
   } = options;
+  const safeCookieSet = new Set(safeCookiesOpt);
   // Build the final security headers map (merged defaults + custom + CSP)
   const secHeaders: Record<string, string> | null = (() => {
     if (securityHeadersOpt === false) return null;
@@ -456,7 +630,9 @@ export function createDecoWorkerEntry(
   }
   function isStaticAsset(pathname: string): boolean {
-    return fingerprintedAssetPattern.test(pathname);
+    if (fingerprintedAssetPattern.test(pathname)) return true;
+    // Non-fingerprinted static paths (e.g., /fonts/)
+    return staticPathsOpt.some((sp) => pathname.startsWith(sp));
   }
   function isCacheable(request: Request, url: URL): boolean {
@@ -756,6 +932,10 @@ export function createDecoWorkerEntry(
       return handleRequest(request, env, ctx);
       });
+      // Deduplicate Set-Cookie headers — multiple layers (VTEX middleware,
+      // invoke handlers, etc.) may independently append the same cookie.
+      deduplicateSetCookies(response);
       return applySecurityHeaders(response);
     },
   };
@@ -835,6 +1015,168 @@ export function createDecoWorkerEntry(
         return origin;
       }
+      // -----------------------------------------------------------------
+      // POST _serverFn — edge-cacheable using body-hash as cache key.
+      // These carry public CMS section data (shelves, deferred sections)
+      // that benefits from edge caching despite being POST requests.
+      // -----------------------------------------------------------------
+      if (
+        request.method === "POST" &&
+        (url.pathname.startsWith("/_serverFn/") || url.pathname.startsWith("/_server/"))
+      ) {
+        const serverFnCache =
+          typeof caches !== "undefined"
+            ? ((caches as unknown as { default?: Cache }).default ?? null)
+            : null;
+        // Build segment once — used for logged-in check and cache key
+        const sfnSegment = buildSegment ? buildSegment(request) : undefined;
+        // Logged-in users always bypass — personalized content must not leak
+        if (sfnSegment?.loggedIn) {
+          const origin = await serverEntry.fetch(request, env, ctx);
+          const resp = new Response(origin.body, origin);
+          resp.headers.set("Cache-Control", "private, no-cache, no-store, must-revalidate");
+          resp.headers.set("X-Cache", "BYPASS");
+          resp.headers.set("X-Cache-Reason", "logged-in");
+          return resp;
+        }
+        // Clone request before consuming body — the clone goes to origin
+        // untouched so TanStack Start internals (cookie passthrough, etc.)
+        // work correctly. We only read the body for the cache key hash.
+        const originClone = request.clone();
+        const body = await request.text();
+        const bodyHash = await hashText(body);
+        // Build a synthetic GET cache key from the URL + body hash + segment
+        // Includes device, salesChannel, regionId, flags — so users in
+        // different regions or channels get separate cache entries.
+        const cacheKeyUrl = new URL(request.url);
+        cacheKeyUrl.searchParams.set("__body", bodyHash);
+        if (cacheVersionEnv !== false) {
+          const version = (env[cacheVersionEnv] as string) || "";
+          if (version) cacheKeyUrl.searchParams.set("__v", version);
+        }
+        if (sfnSegment) {
+          cacheKeyUrl.searchParams.set("__seg", hashSegment(sfnSegment));
+        } else if (deviceSpecificKeys) {
+          const device = isMobileUA(request.headers.get("user-agent") ?? "") ? "mobile" : "desktop";
+          cacheKeyUrl.searchParams.set("__cf_device", device);
+        }
+        // Include CF geo data so location-based content doesn't leak across geos
+        const cf = (request as unknown as { cf?: Record<string, string> }).cf;
+        if (cf) {
+          const geoParts: string[] = [];
+          if (cf.country) geoParts.push(cf.country);
+          if (cf.region) geoParts.push(cf.region);
+          if (cf.city) geoParts.push(cf.city);
+          if (geoParts.length) cacheKeyUrl.searchParams.set("__cf_geo", geoParts.join("|"));
+        }
+        const sfnCacheKey = new Request(cacheKeyUrl.toString(), { method: "GET" });
+        // Use "listing" profile for server function responses
+        const sfnProfile: CacheProfileName = "listing";
+        const sfnEdge = edgeCacheConfig(sfnProfile);
+        // Check edge cache
+        let sfnCached: Response | undefined;
+        if (serverFnCache) {
+          try {
+            sfnCached = await serverFnCache.match(sfnCacheKey) ?? undefined;
+          } catch { /* Cache API unavailable */ }
+        }
+        if (sfnCached && sfnEdge.fresh > 0) {
+          const storedAt = Number(sfnCached.headers.get("X-Deco-Stored-At") || "0");
+          const ageSec = storedAt > 0 ? (Date.now() - storedAt) / 1000 : Infinity;
+          if (ageSec < sfnEdge.fresh) {
+            const out = new Response(sfnCached.body, sfnCached);
+            const hdrs = cacheHeaders(sfnProfile);
+            for (const [k, v] of Object.entries(hdrs)) out.headers.set(k, v);
+            out.headers.set("X-Cache", "HIT");
+            out.headers.set("X-Cache-Profile", sfnProfile);
+            return out;
+          }
+          if (ageSec < sfnEdge.fresh + sfnEdge.swr) {
+            // Stale-while-revalidate: serve stale, refresh in background
+            ctx.waitUntil(
+              (async () => {
+                try {
+                  const bgReq = new Request(request, { body, method: "POST" });
+                  const bgOrigin = await serverEntry.fetch(bgReq, env, ctx);
+                  if (
+                    bgOrigin.status === 200 &&
+                    bgOrigin.headers.get("X-Deco-Cacheable") === "true" &&
+                    !bgOrigin.headers.has("set-cookie") &&
+                    serverFnCache
+                  ) {
+                    const ttl = sfnEdge.fresh + Math.max(sfnEdge.swr, sfnEdge.sie);
+                    const toStore = bgOrigin.clone();
+                    toStore.headers.set("Cache-Control", `public, max-age=${ttl}`);
+                    toStore.headers.set("X-Deco-Stored-At", String(Date.now()));
+                    toStore.headers.delete("CDN-Cache-Control");
+                    toStore.headers.delete("X-Deco-Cacheable");
+                    await serverFnCache.put(sfnCacheKey, toStore);
+                  }
+                } catch { /* background revalidation failed */ }
+              })(),
+            );
+            const out = new Response(sfnCached.body, sfnCached);
+            const hdrs = cacheHeaders(sfnProfile);
+            for (const [k, v] of Object.entries(hdrs)) out.headers.set(k, v);
+            out.headers.set("X-Cache", "STALE-HIT");
+            out.headers.set("X-Cache-Profile", sfnProfile);
+            out.headers.set("X-Cache-Age", String(Math.round(ageSec)));
+            return out;
+          }
+        }
+        // Cache MISS — fetch origin with the body we already read
+        const origin = await serverEntry.fetch(originClone, env, ctx);
+        // Only cache responses explicitly marked as cacheable by the handler
+        // (loadDeferredSection sets X-Deco-Cacheable: true). Checkout actions,
+        // invoke mutations, and other server functions are passed through.
+        const isCacheableResponse =
+          origin.headers.get("X-Deco-Cacheable") === "true" &&
+          !origin.headers.has("set-cookie") &&
+          origin.status === 200;
+        if (!isCacheableResponse) {
+          const resp = new Response(origin.body, origin);
+          resp.headers.delete("X-Deco-Cacheable");
+          resp.headers.set("X-Cache", "BYPASS");
+          resp.headers.set("X-Cache-Reason", origin.headers.has("set-cookie")
+            ? "set-cookie"
+            : "not-cacheable");
+          return resp;
+        }
+        // Store in edge cache
+        if (serverFnCache) {
+          try {
+            const ttl = sfnEdge.fresh + Math.max(sfnEdge.swr, sfnEdge.sie);
+            const toStore = origin.clone();
+            toStore.headers.set("Cache-Control", `public, max-age=${ttl}`);
+            toStore.headers.set("X-Deco-Stored-At", String(Date.now()));
+            toStore.headers.delete("CDN-Cache-Control");
+            toStore.headers.delete("X-Deco-Cacheable");
+            ctx.waitUntil(serverFnCache.put(sfnCacheKey, toStore));
+          } catch { /* Cache API unavailable */ }
+        }
+        const resp = new Response(origin.body, origin);
+        resp.headers.delete("X-Deco-Cacheable");
+        const hdrs = cacheHeaders(sfnProfile);
+        for (const [k, v] of Object.entries(hdrs)) resp.headers.set(k, v);
+        resp.headers.set("X-Cache", "MISS");
+        resp.headers.set("X-Cache-Profile", sfnProfile);
+        return resp;
+      }
       // Non-cacheable requests — pass through but protect against accidental caching
       if (!isCacheable(request, url)) {
         const origin = await serverEntry.fetch(request, env, ctx);
@@ -850,10 +1192,28 @@ export function createDecoWorkerEntry(
         }
         const resp = new Response(origin.body, origin);
+        // Responses with private Set-Cookie headers carry per-user tokens —
+        // never expose them with public cache headers.
+        // Safe/public cookies (e.g., vtex_is_session) are allowed through.
+        if (origin.headers.has("set-cookie") && !hasOnlySafeCookies(origin, safeCookieSet)) {
+          resp.headers.set("Cache-Control", "private, no-cache, no-store, must-revalidate");
+          resp.headers.delete("CDN-Cache-Control");
+          resp.headers.set("X-Cache", "BYPASS");
+          resp.headers.set("X-Cache-Reason", "private-set-cookie");
+          return resp;
+        }
+        // Set cache headers from the detected profile so the response
+        // is explicit about cacheability (avoids ambiguous empty header).
+        const hdrsNc = cacheHeaders(profile);
+        for (const [k, v] of Object.entries(hdrsNc)) resp.headers.set(k, v);
         const reason = request.method !== "GET"
           ? `method:${request.method}`
           : "bypass-path";
         resp.headers.set("X-Cache", "BYPASS");
+        resp.headers.set("X-Cache-Profile", profile);
         resp.headers.set("X-Cache-Reason", reason);
         return resp;
       }
@@ -885,7 +1245,22 @@ export function createDecoWorkerEntry(
         const out = new Response(resp.body, resp);
         const hdrs = cacheHeaders(profile);
         for (const [k, v] of Object.entries(hdrs)) out.headers.set(k, v);
-        out.headers.set("CDN-Cache-Control", "no-store");
+        // CDN-Cache-Control: controls Cloudflare's automatic CDN layer
+        // (separate from Cache API which the worker manages directly).
+        if (cdnCacheControlOpt === "no-store") {
+          out.headers.set("CDN-Cache-Control", "no-store");
+        } else if (cdnCacheControlOpt === "match-profile") {
+          if (edgeConfig.isPublic && edgeConfig.fresh > 0) {
+            out.headers.set("CDN-Cache-Control", `public, max-age=${edgeConfig.fresh}`);
+          } else {
+            out.headers.set("CDN-Cache-Control", "no-store");
+          }
+        } else if (typeof cdnCacheControlOpt === "function") {
+          const val = cdnCacheControlOpt(profile);
+          out.headers.set("CDN-Cache-Control", val ?? "no-store");
+        }
         out.headers.set("X-Cache", xCache);
         out.headers.set("X-Cache-Profile", profile);
         if (segment) out.headers.set("X-Cache-Segment", hashSegment(segment));
@@ -917,8 +1292,15 @@ export function createDecoWorkerEntry(
       function revalidateInBackground() {
         ctx.waitUntil(
           Promise.resolve(serverEntry.fetch(request, env, ctx)).then((origin) => {
-            if (origin.status === 200 && !origin.headers.has("set-cookie")) {
-              storeInCache(origin);
+            if (origin.status === 200) {
+              // Only cache if response has no cookies or only safe cookies.
+              // Strip safe cookies from the cached copy.
+              if (hasOnlySafeCookies(origin, safeCookieSet)) {
+                const cleanOrigin = origin.headers.has("set-cookie")
+                  ? stripSafeCookiesForCache(origin, safeCookieSet)
+                  : origin;
+                storeInCache(cleanOrigin);
+              }
             }
           }).catch(() => {
             // Background revalidation failed — stale entry stays until SIE expires
@@ -998,14 +1380,16 @@ export function createDecoWorkerEntry(
         return resp;
       }
-      // Responses with Set-Cookie must never be cached — they carry
-      // per-user session/auth tokens that would leak to other users.
-      if (origin.headers.has("set-cookie")) {
+      // Responses with private Set-Cookie headers must never be cached —
+      // they carry per-user session/auth tokens that would leak to other users.
+      // Safe/public cookies (IS session, segment, etc.) are stripped from the
+      // cached copy but kept on the response served to the current user.
+      if (origin.headers.has("set-cookie") && !hasOnlySafeCookies(origin, safeCookieSet)) {
         const resp = new Response(origin.body, origin);
         resp.headers.set("Cache-Control", "private, no-cache, no-store, must-revalidate");
         resp.headers.delete("CDN-Cache-Control");
         resp.headers.set("X-Cache", "BYPASS");
-        resp.headers.set("X-Cache-Reason", "set-cookie");
+        resp.headers.set("X-Cache-Reason", "private-set-cookie");
         appendResourceHints(resp);
         return resp;
       }
@@ -1025,7 +1409,12 @@ export function createDecoWorkerEntry(
       // dressResponse() calls new Response(resp.body, resp) which locks
       // the ReadableStream. Calling clone() on a locked body corrupts
       // the stream in Workers runtime, causing Error 1101.
-      storeInCache(origin);
+      // Strip safe cookies from the cached copy so they don't leak
+      // to other users, but the current user still gets them.
+      const cacheOrigin = origin.headers.has("set-cookie")
+        ? stripSafeCookiesForCache(origin, safeCookieSet)
+        : origin;
+      storeInCache(cacheOrigin);
       return dressResponse(origin, "MISS");
   }
 }