react-on-rails-pro-node-renderer 16.5.0 → 16.6.0-rc.0

package/src/worker.ts

@@ -6,7 +6,7 @@
 import path from 'path';
 import cluster from 'cluster';
 import { randomUUID } from 'crypto';
-import { mkdir, rm } from 'fs/promises';
+import { rm } from 'fs/promises';
 import fastify from 'fastify';
 import fastifyFormbody from '@fastify/formbody';
 import fastifyMultipart from '@fastify/multipart';
@@ -17,21 +17,20 @@ import fileExistsAsync from './shared/fileExistsAsync.js';
 import type { FastifyInstance, FastifyReply, FastifyRequest } from './worker/types.js';
 import checkProtocolVersion from './worker/checkProtocolVersionHandler.js';
 import authenticate from './worker/authHandler.js';
-import { handleRenderRequest, type ProvidedNewBundle } from './worker/handleRenderRequest.js';
+import {
+  handleRenderRequest,
+  handleNewBundlesProvided,
+  type ProvidedNewBundle,
+} from './worker/handleRenderRequest.js';
 import handleGracefulShutdown from './worker/handleGracefulShutdown.js';
 import {
   errorResponseResult,
   formatExceptionMessage,
-  copyUploadedAssets,
   ResponseResult,
-  workerIdLabel,
   saveMultipartFile,
   Asset,
   getAssetPath,
-  getBundleDirectory,
-  getRequestBundleFilePath,
 } from './shared/utils.js';
-import { lock, unlock } from './shared/locks.js';
 import { startSsrRequestOptions, trace } from './shared/tracing.js';
 
 // Uncomment the below for testing timeouts:
@@ -96,6 +95,42 @@ function assertAsset(value: unknown, key: string): asserts value is Asset {
   }
 }
 
+/**
+ * Parses the multipart form body to separate bundle files from shared assets.
+ * Used by both the render and /upload-assets endpoints to avoid duplicating
+ * bundle-vs-asset classification logic.
+ *
+ * @param body  The parsed multipart request body.
+ * @param primaryBundleTimestamp  If provided, a field with key `"bundle"` is
+ *   treated as a bundle for this timestamp (render endpoint convention).
+ */
+function extractBundlesAndAssets(
+  body: Record<string, unknown>,
+  primaryBundleTimestamp?: string | number,
+): { providedNewBundles: ProvidedNewBundle[]; assetsToCopy: Asset[] } {
+  const providedNewBundles: ProvidedNewBundle[] = [];
+  const assetsToCopy: Asset[] = [];
+  Object.entries(body).forEach(([key, value]) => {
+    if (key === 'bundle' && primaryBundleTimestamp != null) {
+      assertAsset(value, key);
+      providedNewBundles.push({ timestamp: primaryBundleTimestamp, bundle: value });
+    } else if (key.startsWith('bundle_')) {
+      const timestamp = key.slice('bundle_'.length);
+      if (!timestamp) {
+        log.warn(
+          'Received form field with key "bundle_" but no hash suffix — possible bug in the Ruby client',
+        );
+      } else {
+        assertAsset(value, key);
+        providedNewBundles.push({ timestamp, bundle: value });
+      }
+    } else if (isAsset(value)) {
+      assetsToCopy.push(value);
+    }
+  });
+  return { providedNewBundles, assetsToCopy };
+}
+
 // Remove after this issue is resolved: https://github.com/fastify/light-my-request/issues/315
 let useHttp2 = true;
 
@@ -127,6 +162,9 @@ export default function run(config: Partial<Config>) {
 
   const { serverBundleCachePath, logHttpLevel, port, host, fastifyServerOptions, workersCount } = getConfig();
 
+  // The renderer uses cleartext HTTP/2 (h2c). Node's `allowHTTP1` option only
+  // applies to TLS servers (http2.createSecureServer), so it cannot enable
+  // HTTP/1.1 Kubernetes httpGet probes on this listener.
   const app = fastify({
     http2: useHttp2 as true,
     bodyLimit: 104857600, // 100 MB
@@ -271,19 +309,7 @@ export default function run(config: Partial<Config>) {
 
     const { renderingRequest } = req.body;
     const { bundleTimestamp } = req.params;
-    const providedNewBundles: ProvidedNewBundle[] = [];
-    const assetsToCopy: Asset[] = [];
-    Object.entries(req.body).forEach(([key, value]) => {
-      if (key === 'bundle') {
-        assertAsset(value, key);
-        providedNewBundles.push({ timestamp: bundleTimestamp, bundle: value });
-      } else if (key.startsWith('bundle_')) {
-        assertAsset(value, key);
-        providedNewBundles.push({ timestamp: key.replace('bundle_', ''), bundle: value });
-      } else if (isAsset(value)) {
-        assetsToCopy.push(value);
-      }
-    });
+    const { providedNewBundles, assetsToCopy } = extractBundlesAndAssets(req.body, bundleTimestamp);
 
     try {
       const dependencyBundleTimestamps = extractBodyArrayField(req.body, 'dependencyBundleTimestamps');
@@ -315,88 +341,47 @@ export default function run(config: Partial<Config>) {
 
   // There can be additional files that might be required at the runtime.
   // Since the remote renderer doesn't contain any assets, they must be uploaded manually.
+  // Bundle files use the form key convention "bundle_<hash>" and are placed in
+  // their own directory; remaining assets are copied to every bundle directory.
   app.post<{
-    Body: WithBodyArrayField<Record<string, Asset>, 'targetBundles'>;
+    Body: Record<string, unknown>;
   }>('/upload-assets', async (req, res) => {
     if (!(await requestPrechecks(req, res))) {
       return;
     }
-    const assets: Asset[] = Object.values(req.body).filter(isAsset);
 
-    // Handle targetBundles as either a string or an array
-    const targetBundles = extractBodyArrayField(req.body, 'targetBundles');
-    if (!targetBundles || targetBundles.length === 0) {
-      const errorMsg = 'No targetBundles provided. As of protocol version 2.0.0, targetBundles is required.';
+    const { providedNewBundles, assetsToCopy } = extractBundlesAndAssets(req.body);
+
+    if (providedNewBundles.length === 0) {
+      const errorMsg =
+        'No bundle_<hash> fields provided. ' +
+        'The /upload-assets endpoint requires at least one bundle file with a "bundle_<hash>" form key.';
       log.error(errorMsg);
       await setResponse(errorResponseResult(errorMsg), res);
       return;
     }
 
-    const assetsDescription = JSON.stringify(assets.map((asset) => asset.filename));
-    const taskDescription = `Uploading files ${assetsDescription} to bundle directories: ${targetBundles.join(', ')}`;
-
+    const bundleNames = providedNewBundles.map((b) => b.bundle.filename);
+    const assetNames = assetsToCopy.map((a) => a.filename);
+    const taskDescription = `Uploading bundles [${bundleNames.join(', ')}] with assets [${assetNames.join(', ')}]`;
     log.info(taskDescription);
-    try {
-      // Use per-bundle locks (same lock key as handleRenderRequest) so that
-      // asset copies and render-request bundle writes to the same directory
-      // are mutually exclusive. See https://github.com/shakacode/react_on_rails/issues/2463
-      //
-      // Use allSettled (not Promise.all) to ensure every in-flight copy
-      // finishes before the handler returns. Otherwise the onResponse hook
-      // can delete req.uploadDir while background copies still read from it.
-      const copyPromises = targetBundles.map(async (bundleTimestamp) => {
-        const bundleDirectory = getBundleDirectory(bundleTimestamp);
-        await mkdir(bundleDirectory, { recursive: true });
-
-        const bundleFilePath = getRequestBundleFilePath(bundleTimestamp);
-        const { lockfileName, wasLockAcquired, errorMessage } = await lock(bundleFilePath);
-
-        if (!wasLockAcquired) {
-          const msg = formatExceptionMessage(
-            taskDescription,
-            errorMessage,
-            `Failed to acquire lock ${lockfileName}. Worker: ${workerIdLabel()}.`,
-          );
-          throw new Error(msg);
-        }
 
-        try {
-          await copyUploadedAssets(assets, bundleDirectory);
-          log.info(`Copied assets to bundle directory: ${bundleDirectory}`);
-        } finally {
-          try {
-            await unlock(lockfileName);
-          } catch (error) {
-            log.warn({
-              msg: `Error unlocking ${lockfileName} from worker ${workerIdLabel()}`,
-              err: error,
-              task: taskDescription,
-            });
-          }
-        }
-      });
-
-      const results = await Promise.allSettled(copyPromises);
-      const firstFailure = results.find((r): r is PromiseRejectedResult => r.status === 'rejected');
-      if (firstFailure) {
-        throw firstFailure.reason;
+    try {
+      // Reuses the same per-bundle lock + move/copy logic as the render
+      // endpoint so that concurrent /upload-assets and render requests
+      // targeting the same bundle directory are mutually exclusive.
+      // See https://github.com/shakacode/react_on_rails/issues/2463
+      const result = await handleNewBundlesProvided(taskDescription, providedNewBundles, assetsToCopy);
+      if (result) {
+        await setResponse(result, res);
+        return;
       }
 
-      await setResponse(
-        {
-          status: 200,
-          headers: {},
-        },
-        res,
-      );
+      await setResponse({ status: 200, headers: {} }, res);
     } catch (err) {
-      const msg = 'ERROR when trying to copy assets';
+      const msg = 'ERROR when trying to upload bundles and assets';
       const message = `${msg}. ${err}. Task: ${taskDescription}`;
-      log.error({
-        msg,
-        err,
-        task: taskDescription,
-      });
+      log.error({ msg, err, task: taskDescription });
       await setResponse(errorResponseResult(message), res);
     }
   });

package/tests/configBuilder.test.ts

@@ -1,11 +1,21 @@
 describe('configBuilder', () => {
-  const originalRendererHost = process.env.RENDERER_HOST;
+  const envVarsToRestore = [
+    'RENDERER_HOST',
+    'NODE_ENV',
+    'RENDERER_PASSWORD',
+    'RAILS_ENV',
+    'REPLAY_SERVER_ASYNC_OPERATION_LOGS',
+    'RENDERER_WORKERS_COUNT',
+  ] as const;
+  const savedEnvValues = Object.fromEntries(envVarsToRestore.map((key) => [key, process.env[key]]));
 
   afterEach(() => {
-    if (originalRendererHost === undefined) {
-      delete process.env.RENDERER_HOST;
-    } else {
-      process.env.RENDERER_HOST = originalRendererHost;
+    for (const key of envVarsToRestore) {
+      if (savedEnvValues[key] === undefined) {
+        delete process.env[key];
+      } else {
+        process.env[key] = savedEnvValues[key];
+      }
     }
     jest.restoreAllMocks();
     jest.resetModules();
@@ -13,17 +23,25 @@ describe('configBuilder', () => {
 
   function loadConfigBuilderWithMockedLogger() {
     const info = jest.fn();
+    const error = jest.fn();
+    const warn = jest.fn();
     jest.doMock('../src/shared/log', () => ({
       __esModule: true,
       default: {
         info,
-        error: jest.fn(),
-        warn: jest.fn(),
+        error,
+        warn,
         fatal: jest.fn(),
       },
     }));
     const { buildConfig, logSanitizedConfig } = jest.requireActual('../src/shared/configBuilder');
-    return { buildConfig, logSanitizedConfig, info };
+    return { buildConfig, logSanitizedConfig, info, error, warn };
+  }
+
+  function mockProcessExit() {
+    return jest.spyOn(process, 'exit').mockImplementation(((code?: number) => {
+      throw new Error(`process.exit: ${code ?? 0}`);
+    }) as never);
   }
 
   function envValuesUsedForRenderedConfig(userConfig: { host?: string }) {
@@ -51,4 +69,301 @@ describe('configBuilder', () => {
 
     expect(envValues.RENDERER_HOST).toBe(false);
   });
+
+  it('does not mark RENDERER_PASSWORD as env-provided when password is explicitly overridden', () => {
+    process.env.RENDERER_PASSWORD = 'env-password';
+    const { buildConfig, logSanitizedConfig, info } = loadConfigBuilderWithMockedLogger();
+
+    buildConfig({ password: '' });
+    logSanitizedConfig();
+
+    const logPayload = info.mock.calls[0][0] as Record<string, unknown>;
+    const envValues = logPayload['ENV values used for settings (use "RENDERER_" prefix)'] as Record<
+      string,
+      unknown
+    >;
+
+    expect(envValues.RENDERER_PASSWORD).toBe(false);
+  });
+
+  it('masks module-load password defaults in sanitized logs', () => {
+    process.env.RENDERER_PASSWORD = 'env-password';
+    const { buildConfig, logSanitizedConfig, info } = loadConfigBuilderWithMockedLogger();
+
+    buildConfig();
+    logSanitizedConfig();
+
+    const logPayload = info.mock.calls[0][0] as Record<string, unknown>;
+    const defaultSettings = logPayload[
+      'Default settings at module load (env-backed values may lag current runtime)'
+    ] as Record<string, unknown>;
+
+    expect(defaultSettings.password).toBe('<MASKED>');
+  });
+
+  it('labels an empty-string password override explicitly in sanitized logs', () => {
+    const { buildConfig, logSanitizedConfig, info } = loadConfigBuilderWithMockedLogger();
+
+    buildConfig({ password: '' });
+    logSanitizedConfig();
+
+    const logPayload = info.mock.calls[0][0] as Record<string, unknown>;
+    const finalSettings = logPayload['Final renderer settings'] as Record<string, unknown>;
+
+    expect(finalSettings.password).toBe('<EMPTY STRING>');
+  });
+
+  describe('password validation in production-like environments', () => {
+    it('throws when no password is set in production', () => {
+      process.env.NODE_ENV = 'production';
+      delete process.env.RENDERER_PASSWORD;
+      const processExit = mockProcessExit();
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).toThrow('process.exit: 1');
+      expect(processExit).toHaveBeenCalledWith(1);
+    });
+
+    it('throws when no password is set in staging', () => {
+      process.env.NODE_ENV = 'staging';
+      delete process.env.RENDERER_PASSWORD;
+      const processExit = mockProcessExit();
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).toThrow('process.exit: 1');
+      expect(processExit).toHaveBeenCalledWith(1);
+    });
+
+    it('does not throw when password is set via env in production', () => {
+      process.env.NODE_ENV = 'production';
+      process.env.RENDERER_PASSWORD = 'secure-password';
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).not.toThrow();
+    });
+
+    it('does not throw when password is set via config in production', () => {
+      process.env.NODE_ENV = 'production';
+      delete process.env.RENDERER_PASSWORD;
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig({ password: 'secure-password' })).not.toThrow();
+    });
+
+    it('does not throw in development without a password', () => {
+      process.env.NODE_ENV = 'development';
+      delete process.env.RENDERER_PASSWORD;
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).not.toThrow();
+    });
+
+    it('does not throw in test without a password', () => {
+      process.env.NODE_ENV = 'test';
+      delete process.env.RENDERER_PASSWORD;
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).not.toThrow();
+    });
+
+    it('throws when RAILS_ENV is production even if NODE_ENV is development', () => {
+      process.env.NODE_ENV = 'development';
+      process.env.RAILS_ENV = 'production';
+      delete process.env.RENDERER_PASSWORD;
+      const processExit = mockProcessExit();
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).toThrow('process.exit: 1');
+      expect(processExit).toHaveBeenCalledWith(1);
+    });
+
+    it('throws when NODE_ENV is production even if RAILS_ENV is development', () => {
+      process.env.NODE_ENV = 'production';
+      process.env.RAILS_ENV = 'development';
+      delete process.env.RENDERER_PASSWORD;
+      const processExit = mockProcessExit();
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).toThrow('process.exit: 1');
+      expect(processExit).toHaveBeenCalledWith(1);
+    });
+
+    it('throws when RAILS_ENV is production and NODE_ENV is unset', () => {
+      delete process.env.NODE_ENV;
+      process.env.RAILS_ENV = 'production';
+      delete process.env.RENDERER_PASSWORD;
+      const processExit = mockProcessExit();
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).toThrow('process.exit: 1');
+      expect(processExit).toHaveBeenCalledWith(1);
+    });
+
+    it('throws when NODE_ENV is staging even if RAILS_ENV is development', () => {
+      process.env.NODE_ENV = 'staging';
+      process.env.RAILS_ENV = 'development';
+      delete process.env.RENDERER_PASSWORD;
+      const processExit = mockProcessExit();
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).toThrow('process.exit: 1');
+      expect(processExit).toHaveBeenCalledWith(1);
+    });
+
+    it('throws when RAILS_ENV is production even if NODE_ENV is test', () => {
+      process.env.NODE_ENV = 'test';
+      process.env.RAILS_ENV = 'production';
+      delete process.env.RENDERER_PASSWORD;
+      const processExit = mockProcessExit();
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).toThrow('process.exit: 1');
+      expect(processExit).toHaveBeenCalledWith(1);
+    });
+
+    it('does not throw when RAILS_ENV is development and NODE_ENV is development', () => {
+      process.env.NODE_ENV = 'development';
+      process.env.RAILS_ENV = 'development';
+      delete process.env.RENDERER_PASSWORD;
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).not.toThrow();
+    });
+
+    it('does not throw when NODE_ENV uses mixed-case development value', () => {
+      process.env.NODE_ENV = 'Development';
+      process.env.RAILS_ENV = 'development';
+      delete process.env.RENDERER_PASSWORD;
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).not.toThrow();
+    });
+
+    it('does not throw when only RAILS_ENV is development and NODE_ENV is unset', () => {
+      delete process.env.NODE_ENV;
+      process.env.RAILS_ENV = 'development';
+      delete process.env.RENDERER_PASSWORD;
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).not.toThrow();
+    });
+
+    it('throws when neither NODE_ENV nor RAILS_ENV is set (fail-closed)', () => {
+      delete process.env.NODE_ENV;
+      delete process.env.RAILS_ENV;
+      delete process.env.RENDERER_PASSWORD;
+      const processExit = mockProcessExit();
+
+      const { buildConfig, error } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig()).toThrow('process.exit: 1');
+      expect(processExit).toHaveBeenCalledWith(1);
+      expect(error).toHaveBeenCalledWith(
+        expect.stringContaining('(neither set) — treated as production-like; RENDERER_PASSWORD required'),
+      );
+    });
+
+    it('does not throw when password is set after module import', () => {
+      process.env.NODE_ENV = 'production';
+      delete process.env.RENDERER_PASSWORD;
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      process.env.RENDERER_PASSWORD = 'late-loaded-password';
+
+      expect(() => buildConfig()).not.toThrow();
+    });
+
+    it('does not treat undefined user password as override when env password exists', () => {
+      process.env.NODE_ENV = 'production';
+      process.env.RENDERER_PASSWORD = 'late-loaded-password';
+
+      const { buildConfig, warn } = loadConfigBuilderWithMockedLogger();
+
+      expect(() => buildConfig({ password: undefined })).not.toThrow();
+      expect(warn).toHaveBeenCalledWith(
+        expect.stringContaining('buildConfig({ password: undefined }) preserves the env/default password'),
+      );
+    });
+
+    it('does not warn about undefined password in development environments', () => {
+      process.env.NODE_ENV = 'development';
+      process.env.RENDERER_PASSWORD = 'dev-password';
+
+      const { buildConfig, warn } = loadConfigBuilderWithMockedLogger();
+
+      buildConfig({ password: undefined });
+      expect(warn).not.toHaveBeenCalled();
+    });
+
+    it('keeps normal spread semantics for non-password undefined overrides', () => {
+      process.env.NODE_ENV = 'production';
+      process.env.RENDERER_PASSWORD = 'late-loaded-password';
+      process.env.RENDERER_WORKERS_COUNT = '7';
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+
+      expect(buildConfig({ workersCount: undefined }).workersCount).toBeUndefined();
+    });
+  });
+
+  describe('replayServerAsyncOperationLogs defaults', () => {
+    it('defaults to true when NODE_ENV is development', () => {
+      process.env.NODE_ENV = 'development';
+      delete process.env.RAILS_ENV;
+      delete process.env.REPLAY_SERVER_ASYNC_OPERATION_LOGS;
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+      const config = buildConfig();
+
+      expect(config.replayServerAsyncOperationLogs).toBe(true);
+    });
+
+    it('defaults to true when NODE_ENV is development even if RAILS_ENV is production', () => {
+      process.env.NODE_ENV = 'development';
+      process.env.RAILS_ENV = 'production';
+      delete process.env.REPLAY_SERVER_ASYNC_OPERATION_LOGS;
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+      const config = buildConfig({ password: 'secure-password' });
+
+      expect(config.replayServerAsyncOperationLogs).toBe(true);
+    });
+
+    it('defaults to false in test when no explicit override is provided', () => {
+      process.env.NODE_ENV = 'test';
+      delete process.env.RAILS_ENV;
+      delete process.env.REPLAY_SERVER_ASYNC_OPERATION_LOGS;
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+      const config = buildConfig();
+
+      expect(config.replayServerAsyncOperationLogs).toBe(false);
+    });
+
+    it('treats mixed-case NODE_ENV development values as development', () => {
+      process.env.NODE_ENV = 'Development';
+      delete process.env.RAILS_ENV;
+      delete process.env.REPLAY_SERVER_ASYNC_OPERATION_LOGS;
+
+      const { buildConfig } = loadConfigBuilderWithMockedLogger();
+      const config = buildConfig();
+
+      expect(config.replayServerAsyncOperationLogs).toBe(true);
+    });
+  });
 });

package/tests/uploadRaceCondition.test.ts

@@ -23,7 +23,7 @@ import formAutoContent from 'form-auto-content';
 // eslint-disable-next-line import/no-relative-packages
 import packageJson from '../package.json';
 import worker, { disableHttp2 } from '../src/worker';
-import { resetForTest, serverBundleCachePath, getFixtureBundle } from './helper';
+import { resetForTest, serverBundleCachePath, getFixtureBundle, getFixtureSecondaryBundle } from './helper';
 
 const testName = 'uploadRaceCondition';
 const serverBundleCachePathForTest = () => serverBundleCachePath(testName);
@@ -176,14 +176,14 @@ describe('concurrent upload isolation (issue #2449)', () => {
         gemVersion,
         protocolVersion,
         railsEnv,
-        targetBundles: [bundleHashA],
+        [`bundle_${bundleHashA}`]: fs.createReadStream(getFixtureBundle()),
         asset1: fs.createReadStream(path.join(tmpDirA, 'loadable-stats.json')),
       });
       const formB = formAutoContent({
         gemVersion,
         protocolVersion,
         railsEnv,
-        targetBundles: [bundleHashB],
+        [`bundle_${bundleHashB}`]: fs.createReadStream(getFixtureBundle()),
         asset1: fs.createReadStream(path.join(tmpDirB, 'loadable-stats.json')),
       });
 
@@ -282,7 +282,7 @@ describe('concurrent upload isolation (issue #2449)', () => {
         gemVersion,
         protocolVersion,
         railsEnv,
-        targetBundles: [bundleHashA],
+        [`bundle_${bundleHashA}`]: fs.createReadStream(getFixtureBundle()),
         asset1: fs.createReadStream(path.join(tmpDirA, 'loadable-stats.json')),
         asset2: fs.createReadStream(path.join(tmpDirA, 'manifest.json')),
       });
@@ -290,7 +290,7 @@ describe('concurrent upload isolation (issue #2449)', () => {
         gemVersion,
         protocolVersion,
         railsEnv,
-        targetBundles: [bundleHashB],
+        [`bundle_${bundleHashB}`]: fs.createReadStream(getFixtureBundle()),
         asset1: fs.createReadStream(path.join(tmpDirB, 'loadable-stats.json')),
         asset2: fs.createReadStream(path.join(tmpDirB, 'manifest.json')),
       });
@@ -349,14 +349,14 @@ describe('concurrent upload isolation (issue #2449)', () => {
         gemVersion,
         protocolVersion,
         railsEnv,
-        targetBundles: [sharedBundleHash],
+        [`bundle_${sharedBundleHash}`]: fs.createReadStream(getFixtureBundle()),
         asset1: fs.createReadStream(path.join(tmpDirA, 'loadable-stats.json')),
       });
       const formB = formAutoContent({
         gemVersion,
         protocolVersion,
         railsEnv,
-        targetBundles: [sharedBundleHash],
+        [`bundle_${sharedBundleHash}`]: fs.createReadStream(getFixtureBundle()),
         asset1: fs.createReadStream(path.join(tmpDirB, 'loadable-stats.json')),
       });
 
@@ -528,12 +528,12 @@ describe('concurrent upload isolation (issue #2449)', () => {
         asset1: fs.createReadStream(path.join(tmpDirA, 'loadable-stats.json')),
       });
 
-      // Upload-assets request: sends the same-named asset to the same bundle
+      // Upload-assets request: sends bundle + the same-named asset to the same bundle
       const uploadForm = formAutoContent({
         gemVersion,
         protocolVersion,
         railsEnv,
-        targetBundles: [bundleTimestamp],
+        [`bundle_${bundleTimestamp}`]: fs.createReadStream(getFixtureBundle()),
         asset1: fs.createReadStream(path.join(tmpDirB, 'loadable-stats.json')),
       });