vinext 0.0.52 → 0.0.53

package/dist/server/prod-server.d.ts

@@ -1,4 +1,5 @@
 import { StaticFileCache } from "./static-file-cache.js";
+import { resolveRequestHost, trustProxy, trustedHosts } from "./proxy-trust.js";
 import * as _$node_http0 from "node:http";
 import { IncomingMessage, ServerResponse } from "node:http";
 
@@ -50,27 +51,6 @@ declare function sendCompressed(req: IncomingMessage, res: ServerResponse, body:
  * unlike the old sync existsSync/statSync approach).
  */
 declare function tryServeStatic(req: IncomingMessage, res: ServerResponse, clientDir: string, pathname: string, compress: boolean, cache?: StaticFileCache, extraHeaders?: Record<string, string | string[]>, statusCode?: number): Promise<boolean>;
-/**
- * Resolve the host for a request, ignoring X-Forwarded-Host to prevent
- * host header poisoning attacks (open redirects, cache poisoning).
- *
- * X-Forwarded-Host is only trusted when the VINEXT_TRUSTED_HOSTS env var
- * lists the forwarded host value. Without this, an attacker can send
- * X-Forwarded-Host: evil.com and poison any redirect that resolves
- * against request.url.
- *
- * On Cloudflare Workers, X-Forwarded-Host is always set by Cloudflare
- * itself, so this is only a concern for the Node.js prod-server.
- */
-declare function resolveHost(req: IncomingMessage, fallback: string): string;
-/** Hosts that are allowed as X-Forwarded-Host values (stored lowercase). */
-declare const trustedHosts: Set<string>;
-/**
- * Whether to trust X-Forwarded-Proto from upstream proxies.
- * Enabled when VINEXT_TRUST_PROXY=1 or when VINEXT_TRUSTED_HOSTS is set
- * (having trusted hosts implies a trusted proxy).
- */
-declare const trustProxy: boolean;
 /**
  * Convert a Node.js IncomingMessage to a Web Request object.
  *
@@ -80,7 +60,7 @@ declare const trustProxy: boolean;
  * Router prod server normalizes before static-asset lookup, and can pass
  * the result here so the downstream RSC handler doesn't re-normalize).
  */
-declare function nodeToWebRequest(req: IncomingMessage, urlOverride?: string): Request;
+declare function nodeToWebRequest(req: IncomingMessage, urlOverride?: string, prerenderSecret?: string): Request;
 /**
  * Stream a Web Response back to a Node.js ServerResponse.
  * Supports streaming compression for SSR responses.
@@ -122,5 +102,5 @@ declare function resolveAppRouterPrerenderSeeder(entryModule: unknown): AppRoute
  */
 declare function resolveAppRouterAssetPath(pathname: string, assetPathPrefix: string, assetPrefix: string): string | null;
 //#endregion
-export { COMPRESSIBLE_TYPES, COMPRESS_THRESHOLD, ProdServerOptions, mergeResponseHeaders, mergeWebResponse, negotiateEncoding, nodeToWebRequest, resolveAppRouterAssetPath, resolveAppRouterPrerenderSeeder, resolveHost, sendCompressed, sendWebResponse, startProdServer, trustProxy, trustedHosts, tryServeStatic };
+export { COMPRESSIBLE_TYPES, COMPRESS_THRESHOLD, ProdServerOptions, mergeResponseHeaders, mergeWebResponse, negotiateEncoding, nodeToWebRequest, resolveAppRouterAssetPath, resolveAppRouterPrerenderSeeder, resolveRequestHost as resolveHost, sendCompressed, sendWebResponse, startProdServer, trustProxy, trustedHosts, tryServeStatic };
 //# sourceMappingURL=prod-server.d.ts.map

package/dist/server/prod-server.js

@@ -1,18 +1,20 @@
 import { normalizePathnameForRouteMatchStrict } from "../routing/utils.js";
 import { hasBasePath, stripBasePath } from "../utils/base-path.js";
-import { VINEXT_PRERENDER_SECRET_HEADER, VINEXT_STATIC_FILE_HEADER } from "./headers.js";
+import { VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, VINEXT_PRERENDER_SECRET_HEADER, VINEXT_STATIC_FILE_HEADER } from "./headers.js";
 import { normalizePath } from "./normalize-path.js";
 import { applyMiddlewareRequestHeaders, isExternalUrl, matchRedirect, matchRewrite, proxyExternalRequest, requestContextFromRequest, sanitizeDestination } from "../config/config-matchers.js";
 import { notFoundResponse } from "./http-error-responses.js";
 import { applyConfigHeadersToHeaderRecord, filterInternalHeaders, isOpenRedirectShaped, normalizeTrailingSlash } from "./request-pipeline.js";
 import { mergeRewriteQuery } from "../utils/query.js";
 import { normalizeDefaultLocalePathname, stripI18nLocaleForApiRoute } from "./pages-i18n.js";
+import { resolveRequestHost, resolveRequestProtocol, trustProxy, trustedHosts } from "./proxy-trust.js";
+import { DEFAULT_DEVICE_SIZES, DEFAULT_IMAGE_SIZES, isImageOptimizationPath, isSafeImageContentType, parseImageParams } from "./image-optimization.js";
 import { installSocketErrorBackstop } from "./socket-error-backstop.js";
 import { ASSET_PREFIX_URL_DIR, assetPrefixPathname, isAbsoluteAssetPrefix } from "../utils/asset-prefix.js";
 import { CONTENT_TYPES, StaticFileCache, etagFromFilenameHash } from "./static-file-cache.js";
 import { buildNextDataNotFoundResponse, isNextDataPathname, parseNextDataPathname } from "./pages-data-route.js";
 import { manifestFileWithBase } from "../utils/manifest-paths.js";
-import { DEFAULT_DEVICE_SIZES, DEFAULT_IMAGE_SIZES, isSafeImageContentType, parseImageParams } from "./image-optimization.js";
+import { readTrustedPrerenderRouteParamsFromHeaders, serializePrerenderRouteParamsHeader } from "./prerender-route-params.js";
 import { computeLazyChunks } from "../utils/lazy-chunks.js";
 import { readPrerenderSecret } from "../build/server-manifest.js";
 import { seedMemoryCacheFromPrerender } from "./seed-cache.js";
@@ -132,8 +134,20 @@ function mergeResponseHeaders(middlewareHeaders, response) {
 }
 function toWebHeaders(headersRecord) {
 	const headers = new Headers();
-	for (const [key, value] of Object.entries(headersRecord)) if (Array.isArray(value)) for (const item of value) headers.append(key, item);
-	else headers.set(key, value);
+	for (const [key, value] of Object.entries(headersRecord)) appendWebHeader(headers, key, value);
+	return headers;
+}
+function appendWebHeader(headers, key, value) {
+	if (value === void 0) return;
+	if (Array.isArray(value)) {
+		for (const item of value) headers.append(key, item);
+		return;
+	}
+	headers.set(key, value);
+}
+function nodeHeadersToWebHeaders(headersRecord) {
+	const headers = new Headers();
+	for (const [key, value] of Object.entries(headersRecord)) appendWebHeader(headers, key, value);
 	return headers;
 }
 const NO_BODY_RESPONSE_STATUSES = new Set([
@@ -428,35 +442,6 @@ async function statIfFile(filePath) {
 	}
 }
 /**
-* Resolve the host for a request, ignoring X-Forwarded-Host to prevent
-* host header poisoning attacks (open redirects, cache poisoning).
-*
-* X-Forwarded-Host is only trusted when the VINEXT_TRUSTED_HOSTS env var
-* lists the forwarded host value. Without this, an attacker can send
-* X-Forwarded-Host: evil.com and poison any redirect that resolves
-* against request.url.
-*
-* On Cloudflare Workers, X-Forwarded-Host is always set by Cloudflare
-* itself, so this is only a concern for the Node.js prod-server.
-*/
-function resolveHost(req, fallback) {
-	const rawForwarded = req.headers["x-forwarded-host"];
-	const hostHeader = req.headers.host;
-	if (rawForwarded) {
-		const forwardedHost = rawForwarded.split(",")[0].trim().toLowerCase();
-		if (forwardedHost && trustedHosts.has(forwardedHost)) return forwardedHost;
-	}
-	return hostHeader || fallback;
-}
-/** Hosts that are allowed as X-Forwarded-Host values (stored lowercase). */
-const trustedHosts = new Set((process.env.VINEXT_TRUSTED_HOSTS ?? "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean));
-/**
-* Whether to trust X-Forwarded-Proto from upstream proxies.
-* Enabled when VINEXT_TRUST_PROXY=1 or when VINEXT_TRUSTED_HOSTS is set
-* (having trusted hosts implies a trusted proxy).
-*/
-const trustProxy = process.env.VINEXT_TRUST_PROXY === "1" || trustedHosts.size > 0;
-/**
 * Convert a Node.js IncomingMessage to a Web Request object.
 *
 * When `urlOverride` is provided, it is used as the path + query string
@@ -465,17 +450,14 @@ const trustProxy = process.env.VINEXT_TRUST_PROXY === "1" || trustedHosts.size >
 * Router prod server normalizes before static-asset lookup, and can pass
 * the result here so the downstream RSC handler doesn't re-normalize).
 */
-function nodeToWebRequest(req, urlOverride) {
-	const rawProto = trustProxy ? req.headers["x-forwarded-proto"]?.split(",")[0]?.trim() : void 0;
-	const origin = `${rawProto === "https" || rawProto === "http" ? rawProto : "http"}://${resolveHost(req, "localhost")}`;
+function nodeToWebRequest(req, urlOverride, prerenderSecret) {
+	const origin = `${resolveRequestProtocol(req)}://${resolveRequestHost(req, "localhost")}`;
 	const url = new URL(urlOverride ?? req.url ?? "/", origin);
-	const rawHeaders = new Headers();
-	for (const [key, value] of Object.entries(req.headers)) {
-		if (value === void 0) continue;
-		if (Array.isArray(value)) for (const v of value) rawHeaders.append(key, v);
-		else rawHeaders.set(key, value);
-	}
+	const rawHeaders = nodeHeadersToWebHeaders(req.headers);
+	const prerenderRouteParamsPayload = readTrustedPrerenderRouteParamsFromHeaders(rawHeaders, prerenderSecret);
 	const headers = filterInternalHeaders(rawHeaders);
+	const prerenderRouteParamsHeader = serializePrerenderRouteParamsHeader(prerenderRouteParamsPayload);
+	if (prerenderRouteParamsHeader !== null) headers.set(VINEXT_PRERENDER_ROUTE_PARAMS_HEADER, prerenderRouteParamsHeader);
 	const method = req.method ?? "GET";
 	const hasBody = method !== "GET" && method !== "HEAD";
 	const init = {
@@ -707,7 +689,7 @@ async function startAppRouterServer(options) {
 				return;
 			}
 		}
-		if (pathname === "/_vinext/image") {
+		if (isImageOptimizationPath(pathname)) {
 			const params = parseImageParams(new URL(rawUrl, "http://localhost"), [...DEFAULT_DEVICE_SIZES, ...DEFAULT_IMAGE_SIZES]);
 			if (!params) {
 				res.writeHead(400);
@@ -731,7 +713,7 @@ async function startAppRouterServer(options) {
 		}
 		try {
 			const qs = rawUrl.includes("?") ? rawUrl.slice(rawUrl.indexOf("?")) : "";
-			const response = await rscHandler(nodeToWebRequest(req, pathname + qs));
+			const response = await rscHandler(nodeToWebRequest(req, pathname + qs, prerenderSecret));
 			const staticFileSignal = response.headers.get(VINEXT_STATIC_FILE_HEADER);
 			if (staticFileSignal) {
 				let staticFilePath = "/";
@@ -892,7 +874,7 @@ async function startPagesRouterServer(options) {
 			res.end("Not Found");
 			return;
 		}
-		if (pathname === "/_vinext/image" || staticLookupPath === "/_vinext/image") {
+		if (isImageOptimizationPath(pathname) || isImageOptimizationPath(staticLookupPath)) {
 			const params = parseImageParams(new URL(rawUrl, "http://localhost"), allowedImageWidths);
 			if (!params) {
 				res.writeHead(400);
@@ -949,13 +931,9 @@ async function startPagesRouterServer(options) {
 				url = dataMatch.pagePathname + qs;
 				pathname = dataMatch.pagePathname;
 			}
-			const rawProtocol = trustProxy ? req.headers["x-forwarded-proto"]?.split(",")[0]?.trim() : void 0;
-			const protocol = rawProtocol === "https" || rawProtocol === "http" ? rawProtocol : "http";
-			const hostHeader = resolveHost(req, `${host}:${port}`);
-			const rawReqHeaders = Object.entries(req.headers).reduce((h, [k, v]) => {
-				if (v) h.set(k, Array.isArray(v) ? v.join(", ") : v);
-				return h;
-			}, new Headers());
+			const protocol = resolveRequestProtocol(req);
+			const hostHeader = resolveRequestHost(req, `${host}:${port}`);
+			const rawReqHeaders = nodeHeadersToWebHeaders(req.headers);
 			const isDataRequest = rawReqHeaders.get("x-nextjs-data") === "1";
 			const reqHeaders = filterInternalHeaders(rawReqHeaders);
 			const method = req.method ?? "GET";
@@ -1087,18 +1065,23 @@ async function startPagesRouterServer(options) {
 			let response;
 			if (typeof renderPage === "function") {
 				const middlewareResponseHeaders = toWebHeaders(middlewareHeaders);
-				const renderOptions = isDataReq ? { isDataReq: true } : void 0;
-				response = await renderPage(webRequest, resolvedUrl, ssrManifest, void 0, middlewareResponseHeaders, renderOptions);
-				if (response && response.status === 404 && configRewrites.fallback?.length) {
+				const renderPageMatch = matchPageRoute ? matchPageRoute(resolvedPathname, webRequest) : null;
+				const shouldDeferErrorPageOnMiss = !isDataReq && !!matchPageRoute && !renderPageMatch;
+				const dataRenderOptions = isDataReq ? { isDataReq: true } : void 0;
+				response = await renderPage(webRequest, resolvedUrl, ssrManifest, void 0, middlewareResponseHeaders, shouldDeferErrorPageOnMiss ? { renderErrorPageOnMiss: false } : dataRenderOptions);
+				let matchedFallbackRewrite = false;
+				if (response && response.status === 404 && shouldDeferErrorPageOnMiss && configRewrites.fallback?.length) {
 					const fallbackRewrite = matchRewrite(matchResolvedPathname(resolvedPathname), configRewrites.fallback, postMwReqCtx, basePathState);
 					if (fallbackRewrite) {
 						if (isExternalUrl(fallbackRewrite)) {
 							await sendWebResponse(await proxyExternalRequest(webRequest, fallbackRewrite), req, res, compress);
 							return;
 						}
-						response = await renderPage(webRequest, mergeRewriteQuery(resolvedUrl, fallbackRewrite), ssrManifest, void 0, middlewareResponseHeaders, renderOptions);
+						matchedFallbackRewrite = true;
+						response = await renderPage(webRequest, mergeRewriteQuery(resolvedUrl, fallbackRewrite), ssrManifest, void 0, middlewareResponseHeaders, dataRenderOptions);
 					}
 				}
+				if (response && response.status === 404 && shouldDeferErrorPageOnMiss && !matchedFallbackRewrite) response = await renderPage(webRequest, resolvedUrl, ssrManifest, void 0, middlewareResponseHeaders);
 			}
 			if (!response) {
 				res.writeHead(404);
@@ -1141,6 +1124,6 @@ async function startPagesRouterServer(options) {
 	};
 }
 //#endregion
-export { COMPRESSIBLE_TYPES, COMPRESS_THRESHOLD, mergeResponseHeaders, mergeWebResponse, negotiateEncoding, nodeToWebRequest, resolveAppRouterAssetPath, resolveAppRouterPrerenderSeeder, resolveHost, sendCompressed, sendWebResponse, startProdServer, trustProxy, trustedHosts, tryServeStatic };
+export { COMPRESSIBLE_TYPES, COMPRESS_THRESHOLD, mergeResponseHeaders, mergeWebResponse, negotiateEncoding, nodeToWebRequest, resolveAppRouterAssetPath, resolveAppRouterPrerenderSeeder, resolveRequestHost as resolveHost, sendCompressed, sendWebResponse, startProdServer, trustProxy, trustedHosts, tryServeStatic };
 
 //# sourceMappingURL=prod-server.js.map