@decocms/start 5.4.0 → 5.4.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decocms/start",
-  "version": "5.4.0",
+  "version": "5.4.2",
   "type": "module",
   "description": "Deco framework for TanStack Start - CMS bridge, admin protocol, hooks, schema generation",
   "main": "./src/index.ts",

package/src/sdk/abTesting.test.ts

@@ -0,0 +1,231 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { proxyToFallback, type SiteConfig, type WorkerHandler, withABTesting } from "./abTesting";
+
+// ---------------------------------------------------------------------------
+// Test helpers
+// ---------------------------------------------------------------------------
+
+const REAL_HOST = "www.bagaggio.com.br";
+const FALLBACK_HOST = "lojabagaggio.deco.site";
+
+function makeUrl(path = "/x"): URL {
+  return new URL(`https://${REAL_HOST}${path}`);
+}
+
+function makeFakeKv(value: SiteConfig | null) {
+  return {
+    get: vi.fn(async () => value),
+  };
+}
+
+function makeCtx() {
+  return {
+    waitUntil: vi.fn(),
+    passThroughOnException: vi.fn(),
+  };
+}
+
+// ---------------------------------------------------------------------------
+// proxyToFallback
+// ---------------------------------------------------------------------------
+
+describe("proxyToFallback", () => {
+  let fetchSpy: ReturnType<typeof vi.fn>;
+
+  beforeEach(() => {
+    fetchSpy = vi.fn();
+    vi.stubGlobal("fetch", fetchSpy);
+  });
+
+  afterEach(() => {
+    vi.unstubAllGlobals();
+  });
+
+  it("always sets redirect:'manual' to avoid replaying streamed bodies on 3xx", async () => {
+    fetchSpy.mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const request = new Request(`https://${REAL_HOST}/foo`, {
+      method: "POST",
+      body: "payload",
+    });
+    await proxyToFallback(request, makeUrl("/foo"), FALLBACK_HOST);
+
+    expect(fetchSpy).toHaveBeenCalledTimes(1);
+    const [, init] = fetchSpy.mock.calls[0];
+    expect(init.redirect).toBe("manual");
+  });
+
+  it("strips hop-by-hop headers + host before forwarding", async () => {
+    fetchSpy.mockResolvedValue(new Response(null, { status: 204 }));
+
+    const request = new Request(`https://${REAL_HOST}/foo`, {
+      method: "GET",
+      headers: {
+        host: REAL_HOST,
+        connection: "keep-alive",
+        "keep-alive": "timeout=5",
+        "transfer-encoding": "chunked",
+        upgrade: "websocket",
+        "proxy-authorization": "Bearer x",
+        "x-real-ip": "1.2.3.4",
+        cookie: "session=abc",
+      },
+    });
+    await proxyToFallback(request, makeUrl("/foo"), FALLBACK_HOST);
+
+    const [, init] = fetchSpy.mock.calls[0];
+    const fwd = init.headers as Headers;
+    expect(fwd.get("host")).toBeNull();
+    expect(fwd.get("connection")).toBeNull();
+    expect(fwd.get("keep-alive")).toBeNull();
+    expect(fwd.get("transfer-encoding")).toBeNull();
+    expect(fwd.get("upgrade")).toBeNull();
+    expect(fwd.get("proxy-authorization")).toBeNull();
+    // Non-hop-by-hop headers are preserved.
+    expect(fwd.get("x-real-ip")).toBe("1.2.3.4");
+    expect(fwd.get("cookie")).toBe("session=abc");
+    expect(fwd.get("x-forwarded-host")).toBe(REAL_HOST);
+  });
+
+  it("forwards a 302 from the upstream without following it, rewriting Location", async () => {
+    fetchSpy.mockResolvedValue(
+      new Response(null, {
+        status: 302,
+        headers: { location: `https://${FALLBACK_HOST}/landing` },
+      }),
+    );
+
+    const request = new Request(`https://${REAL_HOST}/go`, {
+      method: "POST",
+      body: "irrelevant",
+    });
+    const res = await proxyToFallback(request, makeUrl("/go"), FALLBACK_HOST);
+
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe(`https://${REAL_HOST}/landing`);
+  });
+
+  it("does NOT consume the response body on 3xx (passes it through as stream)", async () => {
+    // The text-rewrite block must skip non-2xx so streamed/binary 3xx bodies
+    // aren't needlessly drained — that was a latent bug paired with the
+    // redirect:"manual" fix.
+    const upstream = new Response("redirect-body", {
+      status: 301,
+      headers: {
+        "content-type": "text/html",
+        location: `https://${FALLBACK_HOST}/elsewhere`,
+      },
+    });
+    const textSpy = vi.spyOn(upstream, "text");
+    fetchSpy.mockResolvedValue(upstream);
+
+    const request = new Request(`https://${REAL_HOST}/r`, { method: "GET" });
+    const res = await proxyToFallback(request, makeUrl("/r"), FALLBACK_HOST);
+
+    expect(textSpy).not.toHaveBeenCalled();
+    expect(res.status).toBe(301);
+    expect(res.headers.get("location")).toBe(`https://${REAL_HOST}/elsewhere`);
+  });
+
+  it("rewrites the hostname in 2xx text bodies (Fresh partial URLs)", async () => {
+    fetchSpy.mockResolvedValue(
+      new Response(`<a href="https://${FALLBACK_HOST}/produto">veja</a>`, {
+        status: 200,
+        headers: { "content-type": "text/html" },
+      }),
+    );
+
+    const request = new Request(`https://${REAL_HOST}/p`, { method: "GET" });
+    const res = await proxyToFallback(request, makeUrl("/p"), FALLBACK_HOST);
+    const body = await res.text();
+
+    expect(body).toBe(`<a href="https://${REAL_HOST}/produto">veja</a>`);
+  });
+
+  it("does NOT call .text() on 2xx binary responses (image/png passes as stream)", async () => {
+    const binary = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a]);
+    const upstream = new Response(binary, {
+      status: 200,
+      headers: { "content-type": "image/png" },
+    });
+    const textSpy = vi.spyOn(upstream, "text");
+    fetchSpy.mockResolvedValue(upstream);
+
+    const request = new Request(`https://${REAL_HOST}/img.png`, {
+      method: "GET",
+    });
+    const res = await proxyToFallback(request, makeUrl("/img.png"), FALLBACK_HOST);
+
+    expect(textSpy).not.toHaveBeenCalled();
+    expect(res.headers.get("content-type")).toBe("image/png");
+    const bytes = new Uint8Array(await res.arrayBuffer());
+    expect(Array.from(bytes)).toEqual(Array.from(binary));
+  });
+
+  it("rewrites Set-Cookie Domain from fallback origin to real hostname", async () => {
+    const headers = new Headers({ "content-type": "application/json" });
+    headers.append("set-cookie", `vtex_segment=abc; Domain=.${FALLBACK_HOST}; Path=/`);
+    fetchSpy.mockResolvedValue(new Response("{}", { status: 200, headers }));
+
+    const request = new Request(`https://${REAL_HOST}/api`, { method: "GET" });
+    const res = await proxyToFallback(request, makeUrl("/api"), FALLBACK_HOST);
+
+    const cookies = res.headers.getSetCookie?.() ?? [];
+    expect(cookies).toHaveLength(1);
+    expect(cookies[0]).toContain(`Domain=.${REAL_HOST}`);
+    expect(cookies[0]).not.toContain(FALLBACK_HOST);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// withABTesting — clone defense
+// ---------------------------------------------------------------------------
+
+describe("withABTesting — outer-catch defense", () => {
+  let fetchSpy: ReturnType<typeof vi.fn>;
+
+  beforeEach(() => {
+    fetchSpy = vi.fn();
+    vi.stubGlobal("fetch", fetchSpy);
+  });
+
+  afterEach(() => {
+    vi.unstubAllGlobals();
+  });
+
+  it("recovers via inner handler with body intact when fallback proxy throws", async () => {
+    // Simulate the legacy bug: the first fetch (fallback proxy) blows up
+    // *after* the body would have been consumed. The outer catch must be
+    // able to read request.body when calling handler.fetch, so withABTesting
+    // tees the request with request.clone() before handing it to the proxy.
+    fetchSpy.mockRejectedValue(new Error("upstream exploded"));
+
+    const handler: WorkerHandler = {
+      fetch: vi.fn(async (req) => {
+        const body = await req.text();
+        return new Response(`handler saw: ${body}`, { status: 200 });
+      }),
+    };
+
+    const kv = makeFakeKv({
+      workerName: "test",
+      fallbackOrigin: FALLBACK_HOST,
+      abTest: { ratio: 0 }, // ratio 0 → always fallback bucket
+    });
+
+    const wrapped = withABTesting(handler, { kvBinding: "KV" });
+    const request = new Request(`https://${REAL_HOST}/recover`, {
+      method: "POST",
+      body: "payload",
+    });
+    const res = await wrapped.fetch(
+      request,
+      { KV: kv } as unknown as Record<string, unknown>,
+      makeCtx(),
+    );
+
+    expect(res.status).toBe(200);
+    expect(await res.text()).toBe("handler saw: payload");
+    expect(handler.fetch).toHaveBeenCalledTimes(1);
+  });
+});

package/src/sdk/abTesting.ts

@@ -105,6 +105,25 @@ function fnv1a(str: string): number {
 	return Math.abs(hash);
 }
 
+// ---------------------------------------------------------------------------
+// Header constants
+// ---------------------------------------------------------------------------
+
+/**
+ * Hop-by-hop headers per RFC 7230 §6.1 — must not be forwarded through
+ * proxies. Plus `host`, which we always rewrite to the target origin.
+ */
+const HOP_BY_HOP_HEADERS = new Set([
+	"connection",
+	"keep-alive",
+	"transfer-encoding",
+	"te",
+	"trailer",
+	"upgrade",
+	"proxy-authorization",
+	"proxy-authenticate",
+]);
+
 // ---------------------------------------------------------------------------
 // Cookie helpers
 // ---------------------------------------------------------------------------
@@ -216,6 +235,14 @@ export function tagBucket(
  * 2. Set-Cookie Domain → real hostname
  * 3. Body text: fallback hostname → real hostname (for Fresh partial URLs)
  * 4. Location header → real hostname
+ *
+ * **`redirect: "manual"` is critical.** The request body is forwarded as a
+ * stream (`duplex: "half"`) and is consumed by this first fetch. If the
+ * upstream returns a 301/302 and we let CF auto-follow, the runtime would
+ * try to replay the request and throw `Cannot reconstruct a Request with
+ * a used body.` Instead we forward the 3xx response to the client so the
+ * client (browser/curl) follows it on its own. The Location header is
+ * rewritten below so the next hop targets the real hostname.
  */
 export async function proxyToFallback(
 	request: Request,
@@ -225,13 +252,22 @@ export async function proxyToFallback(
 	const target = new URL(url.toString());
 	target.hostname = fallbackOrigin;
 
-	const headers = new Headers(request.headers);
-	headers.delete("host");
+	// Strip hop-by-hop headers + Host before forwarding. Without this the
+	// upstream may close the connection (Connection: close) or get confused
+	// by Transfer-Encoding/Upgrade meant for the original CF↔client hop.
+	const headers = new Headers();
+	for (const [key, value] of request.headers.entries()) {
+		const lk = key.toLowerCase();
+		if (lk === "host") continue;
+		if (HOP_BY_HOP_HEADERS.has(lk)) continue;
+		headers.set(key, value);
+	}
 	headers.set("x-forwarded-host", url.hostname);
 
 	const init: RequestInit = {
 		method: request.method,
 		headers,
+		redirect: "manual",
 	};
 	if (request.method !== "GET" && request.method !== "HEAD") {
 		init.body = request.body;
@@ -244,8 +280,17 @@ export async function proxyToFallback(
 	const isText =
 		ct.includes("text/") || ct.includes("json") || ct.includes("javascript");
 
+	// Only rewrite text bodies on 2xx successful responses. Reading
+	// `response.text()` on a 3xx (forwarded redirect) or binary response
+	// would consume the stream needlessly and could throw on non-text
+	// content. The Location header is rewritten separately further down.
 	let body: BodyInit | null = response.body;
-	if (isText && response.body) {
+	if (
+		isText &&
+		response.body &&
+		response.status >= 200 &&
+		response.status < 300
+	) {
 		const text = await response.text();
 		body = text.replaceAll(fallbackOrigin, url.hostname);
 	}
@@ -338,10 +383,16 @@ export function withABTesting(
 			const ratio = siteConfig.abTest?.ratio ?? 0;
 			const bucket = getStableBucket(request, ratio, url, cookieName);
 
+			// Tee the request so the outer `catch` below can still pass the
+			// original (with body intact) to `handler.fetch` if proxyToFallback
+			// somehow throws after consuming the body. `Request.clone()` is
+			// safe in CF Workers — it tees the underlying stream.
+			const fallbackRequest = request.clone();
+
 			try {
 				if (bucket === "fallback") {
 					const response = await proxyToFallback(
-						request,
+						fallbackRequest,
 						url,
 						siteConfig.fallbackOrigin,
 					);
@@ -372,8 +423,10 @@ export function withABTesting(
 						"[A/B] Worker error, circuit breaker → fallback:",
 						err,
 					);
+					// Use the teed clone — handler.fetch above may have already
+					// consumed the original request body before throwing.
 					const response = await proxyToFallback(
-						request,
+						fallbackRequest,
 						url,
 						siteConfig.fallbackOrigin,
 					);

package/src/sdk/workerEntry.test.ts

@@ -0,0 +1,106 @@
+import { describe, expect, it } from "vitest";
+import { injectGeoCookies } from "./workerEntry";
+
+function parseCookies(header: string): Record<string, string> {
+  return Object.fromEntries(
+    header.split("; ").map((c) => {
+      const [k, ...v] = c.split("=");
+      return [k, v.join("=")];
+    }),
+  );
+}
+
+function makeRequest(
+  cf: Record<string, string> | undefined,
+  headers: Record<string, string> = {},
+): Request {
+  const req = new Request("https://example.com/", { headers });
+  if (cf) {
+    Object.defineProperty(req, "cf", { value: cf, configurable: true });
+  }
+  return req;
+}
+
+describe("injectGeoCookies", () => {
+  it("strips cf-region from the outgoing Request headers while preserving the value in __cf_geo_region cookie", () => {
+    const req = makeRequest(
+      { region: "São Paulo", country: "BR" },
+      { "cf-region": "São Paulo", "cf-ipcountry": "BR" },
+    );
+
+    const out = injectGeoCookies(req);
+
+    expect(out.headers.get("cf-region")).toBeNull();
+    // ASCII CF headers (cf-ipcountry) are still forwarded
+    expect(out.headers.get("cf-ipcountry")).toBe("BR");
+    // Geo data is preserved as cookies for matchers
+    const cookies = parseCookies(out.headers.get("cookie") ?? "");
+    expect(cookies.__cf_geo_region).toBe(encodeURIComponent("São Paulo"));
+    expect(cookies.__cf_geo_country).toBe("BR");
+  });
+
+  it("strips cf-ipcity from the outgoing Request headers while preserving the value in __cf_geo_city cookie", () => {
+    const req = makeRequest(
+      { city: "Brasília", country: "BR" },
+      { "cf-ipcity": "Brasília" },
+    );
+
+    const out = injectGeoCookies(req);
+
+    expect(out.headers.get("cf-ipcity")).toBeNull();
+    const cookies = parseCookies(out.headers.get("cookie") ?? "");
+    expect(cookies.__cf_geo_city).toBe(encodeURIComponent("Brasília"));
+  });
+
+  it("returns the original request unchanged when there is no cf object", () => {
+    const req = makeRequest(undefined, { "cf-region": "São Paulo" });
+
+    const out = injectGeoCookies(req);
+
+    // Without cf, we don't build cookies, and we return the original request
+    // untouched (so the cf-region header is still present — but that's the
+    // caller's pre-existing state, not something we re-introduced).
+    expect(out).toBe(req);
+  });
+
+  it("returns the original request unchanged when cf has no relevant geo fields", () => {
+    const req = makeRequest({ asn: "12345" }, { "cf-region": "São Paulo" });
+
+    const out = injectGeoCookies(req);
+
+    expect(out).toBe(req);
+  });
+
+  it("preserves a pre-existing cookie header", () => {
+    const req = makeRequest(
+      { region: "São Paulo" },
+      { cookie: "vtex_segment=abc; another=xyz" },
+    );
+
+    const out = injectGeoCookies(req);
+
+    const raw = out.headers.get("cookie") ?? "";
+    expect(raw).toContain("vtex_segment=abc");
+    expect(raw).toContain("another=xyz");
+    expect(raw).toContain("__cf_geo_region=");
+  });
+
+  it("forwards non-geo headers untouched", () => {
+    const req = makeRequest(
+      { region: "Paraná" },
+      {
+        "user-agent": "test-agent",
+        accept: "*/*",
+        "x-custom": "value",
+        "cf-ray": "9ff5b26cf9bc067a",
+      },
+    );
+
+    const out = injectGeoCookies(req);
+
+    expect(out.headers.get("user-agent")).toBe("test-agent");
+    expect(out.headers.get("accept")).toBe("*/*");
+    expect(out.headers.get("x-custom")).toBe("value");
+    expect(out.headers.get("cf-ray")).toBe("9ff5b26cf9bc067a");
+  });
+});

package/src/sdk/workerEntry.ts

@@ -443,7 +443,27 @@ export function injectGeoCookies(request: Request): Request {
 
   const existing = request.headers.get("cookie") ?? "";
   const combined = existing ? `${existing}; ${parts.join("; ")}` : parts.join("; ");
-  const headers = new Headers(request.headers);
+
+  // Strip CF geo headers that carry non-ASCII values (cf-region: "São Paulo",
+  // cf-ipcity: "Brasília", etc.) before building the new Request. The geo
+  // data is preserved in the __cf_geo_* cookies we just built, so callers
+  // downstream lose no information.
+  //
+  // Without this strip, the Workers runtime emits a warning on every
+  // request because the new Request inherits these UTF-8 headers from the
+  // inbound request:
+  //
+  //   "A header value for "cf-region" contains non-ASCII characters: "..."
+  //
+  // and the warning is logged once per non-ASCII header — for a Brazilian
+  // storefront with cities/states full of accents that means ~2 warns per
+  // request × every request that hits the worker.
+  const headers = new Headers();
+  for (const [key, value] of request.headers.entries()) {
+    const lk = key.toLowerCase();
+    if (lk === "cf-region" || lk === "cf-ipcity") continue;
+    headers.set(key, value);
+  }
   headers.set("cookie", combined);
 
   return new Request(request, { headers });