@decocms/start 6.1.0 → 6.2.1

package/src/admin/invoke.test.ts

@@ -0,0 +1,141 @@
+/**
+ * Regression tests for /deco/invoke Set-Cookie propagation.
+ *
+ * The historical bug: the single- and batch-invoke paths copied
+ * `RequestContext.responseHeaders` to the HTTP response via
+ * `headers.entries()`, which collapses multiple `Set-Cookie` values
+ * into a single comma-joined string. Browsers silently discard those,
+ * so every VTEX cart action lost its session cookies and the user
+ * ended up at /checkout with an empty cart.
+ *
+ * These tests pin the fix: when a handler appends multiple
+ * Set-Cookie values to `RequestContext.responseHeaders`, the response
+ * returned by `handleInvoke` must surface them as N distinct
+ * Set-Cookie headers (readable via `response.headers.getSetCookie()`).
+ */
+
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { RequestContext } from "../sdk/requestContext";
+import {
+  clearInvokeHandlers,
+  handleInvoke,
+  registerInvokeHandlers,
+} from "./invoke";
+
+const COOKIE_A = "checkout.vtex.com__orderFormId=of-123; Path=/; HttpOnly";
+const COOKIE_B = "segment=eyJjYW1wYWlnbnMiOiJ4In0=; Path=/; HttpOnly";
+const COOKIE_C = "sc=1; Path=/; HttpOnly";
+
+function makeInvokeRequest(key: string, body: unknown = {}): Request {
+  return new Request(`http://localhost/deco/invoke/${key}`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(body),
+  });
+}
+
+function makeBatchRequest(body: Record<string, unknown>): Request {
+  return new Request("http://localhost/deco/invoke", {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(body),
+  });
+}
+
+describe("handleInvoke — Set-Cookie propagation (single)", () => {
+  beforeEach(() => clearInvokeHandlers());
+  afterEach(() => clearInvokeHandlers());
+
+  it("forwards multiple Set-Cookie values as distinct headers", async () => {
+    registerInvokeHandlers({
+      "vtex/actions/addItemsToCart": async () => {
+        RequestContext.responseHeaders.append("set-cookie", COOKIE_A);
+        RequestContext.responseHeaders.append("set-cookie", COOKIE_B);
+        RequestContext.responseHeaders.append("set-cookie", COOKIE_C);
+        return { orderFormId: "of-123" };
+      },
+    });
+
+    const request = makeInvokeRequest("vtex/actions/addItemsToCart");
+    const response = await RequestContext.run(request, () => handleInvoke(request));
+
+    const cookies = response.headers.getSetCookie();
+    expect(cookies).toHaveLength(3);
+    expect(cookies).toContain(COOKIE_A);
+    expect(cookies).toContain(COOKIE_B);
+    expect(cookies).toContain(COOKIE_C);
+  });
+
+  it("does not collapse cookies into a single Set-Cookie entry", async () => {
+    registerInvokeHandlers({
+      "vtex/actions/foo": async () => {
+        RequestContext.responseHeaders.append("set-cookie", COOKIE_A);
+        RequestContext.responseHeaders.append("set-cookie", COOKIE_B);
+        return {};
+      },
+    });
+
+    const request = makeInvokeRequest("vtex/actions/foo");
+    const response = await RequestContext.run(request, () => handleInvoke(request));
+
+    // The regressed bug appended a single comma-joined string, so
+    // `getSetCookie()` returned a 1-element array. The fix appends each
+    // value individually — verifying the count alone catches the regression.
+    expect(response.headers.getSetCookie()).toHaveLength(2);
+  });
+
+  it("forwards non-cookie headers unchanged", async () => {
+    registerInvokeHandlers({
+      "vtex/actions/withHeader": async () => {
+        RequestContext.responseHeaders.append("x-vtex-trace-id", "abc-123");
+        return {};
+      },
+    });
+
+    const request = makeInvokeRequest("vtex/actions/withHeader");
+    const response = await RequestContext.run(request, () => handleInvoke(request));
+    expect(response.headers.get("x-vtex-trace-id")).toBe("abc-123");
+  });
+
+  it("does not forward Set-Cookie when handler writes none", async () => {
+    registerInvokeHandlers({
+      "vtex/loaders/productList": async () => ({ items: [] }),
+    });
+
+    const request = makeInvokeRequest("vtex/loaders/productList");
+    const response = await RequestContext.run(request, () => handleInvoke(request));
+    expect(response.headers.getSetCookie()).toEqual([]);
+  });
+});
+
+describe("handleInvoke — Set-Cookie propagation (batch)", () => {
+  beforeEach(() => clearInvokeHandlers());
+  afterEach(() => clearInvokeHandlers());
+
+  it("forwards cookies that batch handlers append to the shared context", async () => {
+    registerInvokeHandlers({
+      "vtex/actions/addItemsToCart": async () => {
+        RequestContext.responseHeaders.append("set-cookie", COOKIE_A);
+        RequestContext.responseHeaders.append("set-cookie", COOKIE_B);
+        return { orderFormId: "of-123" };
+      },
+      "vtex/loaders/productList": async () => {
+        // Loader writes its own cookie (e.g. segment) — must also propagate.
+        RequestContext.responseHeaders.append("set-cookie", COOKIE_C);
+        return { items: [] };
+      },
+    });
+
+    const request = makeBatchRequest({
+      "vtex/actions/addItemsToCart": { orderFormId: "x" },
+      "vtex/loaders/productList": {},
+    });
+    const response = await RequestContext.run(request, () => handleInvoke(request));
+
+    const cookies = response.headers.getSetCookie();
+    expect(cookies).toHaveLength(3);
+    expect(cookies).toContain(COOKIE_A);
+    expect(cookies).toContain(COOKIE_B);
+    expect(cookies).toContain(COOKIE_C);
+  });
+});

package/src/admin/invoke.ts

@@ -58,6 +58,41 @@ export function clearInvokeHandlers(): void {
 
 const JSON_HEADERS = { "Content-Type": "application/json" } as const;
 
+/**
+ * Copy headers that handlers wrote to `RequestContext.responseHeaders`
+ * onto an outgoing Response.
+ *
+ * Why this exists and is not a `for…of headers.entries()` one-liner:
+ * `Headers.entries()` (and `forEach`) collapses multiple `Set-Cookie`
+ * values into a single comma-joined string (per the Fetch spec).
+ * Browsers silently discard cookies whose value contains an unescaped
+ * comma, so every VTEX cart action that returns multiple cookies
+ * (`checkout.vtex.com__orderFormId`, `segment`, `sc`, `vtex_session`…)
+ * loses them in transit. The next request creates a fresh empty
+ * orderForm and the user lands on /checkout with an empty cart.
+ *
+ * `Headers.getSetCookie()` is the spec-blessed way to read the
+ * un-collapsed list. We append each value individually onto the
+ * response so the browser sees N distinct `Set-Cookie` headers, and
+ * use `forEach` to copy any non-cookie headers as-is.
+ */
+function forwardCtxHeadersTo(response: Response): void {
+  const ctx = RequestContext.current;
+  if (!ctx) return;
+  const cookies =
+    typeof ctx.responseHeaders.getSetCookie === "function"
+      ? ctx.responseHeaders.getSetCookie()
+      : [];
+  for (const cookie of cookies) {
+    response.headers.append("set-cookie", cookie);
+  }
+  ctx.responseHeaders.forEach((value, key) => {
+    if (key.toLowerCase() !== "set-cookie") {
+      response.headers.append(key, value);
+    }
+  });
+}
+
 const isDev =
   typeof globalThis.process !== "undefined" && globalThis.process.env?.NODE_ENV === "development";
 
@@ -171,17 +206,7 @@ export async function handleInvoke(request: Request): Promise<Response> {
       }
       const filtered = selectFields(result, select);
       const response = new Response(JSON.stringify(filtered), { status: 200, headers: JSON_HEADERS });
-
-      // Copy any headers that handlers wrote to RequestContext.responseHeaders
-      // (e.g., Set-Cookie from proxySetCookie). This mirrors deco-cx/deco's
-      // ctx.response.headers → HTTP Response forwarding.
-      const ctx = RequestContext.current;
-      if (ctx) {
-        for (const [key, value] of ctx.responseHeaders.entries()) {
-          response.headers.append(key, value);
-        }
-      }
-
+      forwardCtxHeadersTo(response);
       return response;
     } catch (error) {
       return errorResponse((error as Error).message, 500, error);
@@ -202,8 +227,11 @@ export async function handleInvoke(request: Request): Promise<Response> {
           try {
             let result = await found.handler(payload, request);
             // If a loader returns a Response, extract its JSON body for batching.
-            // Set-Cookie headers from batch items are not forwarded individually
-            // (use single invoke for auth loaders that need cookie passthrough).
+            // Set-Cookie values from a handler-returned Response are *not*
+            // forwarded — those leave the AsyncLocalStorage scope. Handlers
+            // that need cookie passthrough must write to
+            // RequestContext.responseHeaders (which forwardCtxHeadersTo()
+            // below propagates onto the batch response).
             if (result instanceof Response) {
               try { result = await result.json(); } catch { result = null; }
             }
@@ -217,7 +245,12 @@ export async function handleInvoke(request: Request): Promise<Response> {
       }),
     );
 
-    return new Response(JSON.stringify(results), { status: 200, headers: JSON_HEADERS });
+    const response = new Response(JSON.stringify(results), { status: 200, headers: JSON_HEADERS });
+    // All batch handlers share the same RequestContext, so any Set-Cookie
+    // they appended (e.g. from VTEX vtexFetchWithCookies) is in
+    // `responseHeaders` by now. Forward it as N distinct Set-Cookie headers.
+    forwardCtxHeadersTo(response);
+    return response;
   }
 
   return errorResponse("No invoke key specified", 400);