Check cache busting search params on all RSC requests

Author: gaojude

packages/next/src/server/base-server.ts

@@ -2055,27 +2055,19 @@ export default abstract class Server<
     const isPossibleServerAction = getIsPossibleServerAction(req)
     const hasGetInitialProps = !!components.Component?.getInitialProps
     let isSSG = !!components.getStaticProps
+    // NOTE: Don't delete headers[RSC] yet, it still needs to be used in renderToHTML later
+    const isRSCRequest = getRequestMeta(req, 'isRSCRequest') ?? false
 
     // Not all CDNs respect the Vary header when caching. We must assume that
     // only the URL is used to vary the responses. The Next client computes a
     // hash of the header values and sends it as a search param. Before
     // responding to a request, we must verify that the hash matches the
     // expected value. Neglecting to do this properly can lead to cache
     // poisoning attacks on certain CDNs.
-    // TODO: This is verification only runs during per-segment prefetch
-    // requests, since those are the only ones that both vary on a custom
-    // header and are cacheable. But for safety, we should run this
-    // verification for all requests, once we confirm the behavior is correct.
-    // Will need to update our test suite, since there are a handlful of unit
-    // tests that send fetch requests with custom headers but without a
-    // corresponding cache-busting search param.
-    // TODO: Consider not using custom request headers at all, and instead fully
-    // encode everything into the search param.
     if (
       !this.minimalMode &&
       this.nextConfig.experimental.validateRSCRequestHeaders &&
-      this.isAppSegmentPrefetchEnabled &&
-      getRequestMeta(req, 'segmentPrefetchRSCRequest')
+      isRSCRequest
     ) {
       const headers = req.headers
       const expectedHash = computeCacheBustingSearchParam(
@@ -2084,10 +2076,17 @@ export default abstract class Server<
         headers[NEXT_ROUTER_STATE_TREE_HEADER.toLowerCase()],
         headers[NEXT_URL.toLowerCase()]
       )
-      const actualHash = getRequestMeta(req, 'cacheBustingSearchParam') ?? null
+      const actualHash =
+        getRequestMeta(req, 'cacheBustingSearchParam') ??
+        new URL(
+          req.url || '',
+          `http://${req.headers.host || 'localhost'}`
+        ).searchParams.get(NEXT_RSC_UNION_QUERY)
+
       if (expectedHash !== actualHash) {
         // The hash sent by the client does not match the expected value.
         // Respond with an error.
+        // TODO: Change it to a redirect to the URL with the correct cache-busting search param.
         res.statusCode = 400
         res.setHeader('content-type', 'text/plain')
         res.body('').send()
@@ -2173,10 +2172,6 @@ export default abstract class Server<
     const isPrefetchRSCRequest =
       getRequestMeta(req, 'isPrefetchRSCRequest') ?? false
 
-    // NOTE: Don't delete headers[RSC] yet, it still needs to be used in renderToHTML later
-
-    const isRSCRequest = getRequestMeta(req, 'isRSCRequest') ?? false
-
     // when we are handling a middleware prefetch and it doesn't
     // resolve to a static data route we bail early to avoid
     // unexpected SSR invocations

test/e2e/app-dir/app-prefetch/prefetching.test.ts

@@ -1,6 +1,7 @@
 import { nextTestSetup } from 'e2e-utils'
 import { check, waitFor, retry } from 'next-test-utils'
 import { NEXT_RSC_UNION_QUERY } from 'next/dist/client/components/app-router-headers'
+import { computeCacheBustingSearchParam } from 'next/dist/shared/lib/router/utils/cache-busting-search-param'
 
 const browserConfigWithFixedTime = {
   beforePageLoad: (page) => {
@@ -294,14 +295,26 @@ describe('app dir - prefetching', () => {
         true,
       ])
     )
-    const response = await next.fetch(`/prefetch-auto/justputit?_rsc=dcqtr`, {
-      headers: {
-        RSC: '1',
-        'Next-Router-Prefetch': '1',
-        'Next-Router-State-Tree': stateTree,
-        'Next-Url': '/prefetch-auto/vercel',
-      },
-    })
+
+    const headers = {
+      RSC: '1',
+      'Next-Router-Prefetch': '1',
+      'Next-Router-State-Tree': stateTree,
+      'Next-Url': '/prefetch-auto/vercel',
+    }
+
+    const url = new URL('/prefetch-auto/justputit', 'http://localhost')
+    const cacheBustingParam = computeCacheBustingSearchParam(
+      headers['Next-Router-Prefetch'],
+      undefined,
+      headers['Next-Router-State-Tree'],
+      headers['Next-Url']
+    )
+    if (cacheBustingParam) {
+      url.searchParams.set('_rsc', cacheBustingParam)
+    }
+
+    const response = await next.fetch(url.toString(), { headers })
 
     const prefetchResponse = await response.text()
     expect(prefetchResponse).not.toContain('Page Data!')

test/e2e/app-dir/app-validation/validation.test.ts

@@ -1,4 +1,5 @@
 import { nextTestSetup } from 'e2e-utils'
+import { computeCacheBustingSearchParam } from 'next/dist/shared/lib/router/utils/cache-busting-search-param'
 
 describe('app dir - validation', () => {
   const { next, skipped } = nextTestSetup({
@@ -11,20 +12,47 @@ describe('app dir - validation', () => {
   }
 
   it('should error when passing invalid router state tree', async () => {
-    const res = await next.fetch('/', {
-      headers: {
-        RSC: '1',
-        'Next-Router-State-Tree': JSON.stringify(['', '']),
-      },
-    })
+    const stateTree1 = JSON.stringify(['', ''])
+    const stateTree2 = JSON.stringify(['', {}])
+
+    const headers1 = {
+      RSC: '1',
+      'Next-Router-State-Tree': stateTree1,
+    }
+
+    const headers2 = {
+      RSC: '1',
+      'Next-Router-State-Tree': stateTree2,
+    }
+
+    const url1 = new URL('/', 'http://localhost')
+    const url2 = new URL('/', 'http://localhost')
+
+    // Add cache busting search param for both requests
+    const cacheBustingParam1 = computeCacheBustingSearchParam(
+      undefined,
+      undefined,
+      stateTree1,
+      undefined
+    )
+    const cacheBustingParam2 = computeCacheBustingSearchParam(
+      undefined,
+      undefined,
+      stateTree2,
+      undefined
+    )
+
+    if (cacheBustingParam1) {
+      url1.searchParams.set('_rsc', cacheBustingParam1)
+    }
+    if (cacheBustingParam2) {
+      url2.searchParams.set('_rsc', cacheBustingParam2)
+    }
+
+    const res = await next.fetch(url1.toString(), { headers: headers1 })
     expect(res.status).toBe(500)
 
-    const res2 = await next.fetch('/', {
-      headers: {
-        RSC: '1',
-        'Next-Router-State-Tree': JSON.stringify(['', {}]),
-      },
-    })
+    const res2 = await next.fetch(url2.toString(), { headers: headers2 })
     expect(res2.status).toBe(200)
   })
 })

test/e2e/app-dir/ppr-full/ppr-full.test.ts

@@ -3,6 +3,7 @@ import { measurePPRTimings } from 'e2e-utils/ppr'
 import { links } from './components/links'
 import cheerio from 'cheerio'
 import { retry } from 'next-test-utils'
+import { computeCacheBustingSearchParam } from 'next/dist/shared/lib/router/utils/cache-busting-search-param'
 
 type Page = {
   pathname: string
@@ -46,6 +47,26 @@ const pages: Page[] = [
   },
 ]
 
+const addCacheBustingSearchParam = (
+  pathname: string,
+  headers: Record<string, string | string[] | undefined>
+) => {
+  const cacheKey = computeCacheBustingSearchParam(
+    headers['Next-Router-Prefetch'],
+    headers['Next-Router-Segment-Prefetch'],
+    headers['Next-Router-State-Tree'],
+    headers['Next-URL']
+  )
+
+  if (cacheKey === null) {
+    return pathname
+  }
+
+  const url = new URL(pathname, 'http://localhost')
+  url.searchParams.set('_rsc', cacheKey)
+  return url.pathname + url.search
+}
+
 describe('ppr-full', () => {
   const { next, isNextDev, isNextDeploy } = nextTestSetup({
     files: __dirname,
@@ -536,8 +557,17 @@ describe('ppr-full', () => {
       describe.each(pages)('for $pathname', ({ pathname, revalidate }) => {
         it('should have correct headers', async () => {
           await retry(async () => {
-            const res = await next.fetch(pathname, {
-              headers: { RSC: '1', 'Next-Router-Prefetch': '1' },
+            const headers = {
+              RSC: '1',
+              'Next-Router-Prefetch': '1',
+            }
+            const urlWithCacheBusting = addCacheBustingSearchParam(
+              pathname,
+              headers
+            )
+
+            const res = await next.fetch(urlWithCacheBusting, {
+              headers,
             })
 
             expect(res.status).toEqual(200)
@@ -565,12 +595,20 @@ describe('ppr-full', () => {
 
         it('should not contain dynamic content', async () => {
           const unexpected = `${Date.now()}:${Math.random()}`
-          const res = await next.fetch(pathname, {
-            headers: {
-              RSC: '1',
-              'Next-Router-Prefetch': '1',
-              'X-Test-Input': unexpected,
-            },
+          const headers = {
+            RSC: '1',
+            'Next-Router-Prefetch': '1',
+            'X-Test-Input': unexpected,
+          }
+          const urlWithCacheBusting = addCacheBustingSearchParam(
+            pathname,
+            headers
+          )
+
+          console.log('urlWithCacheBusting', urlWithCacheBusting)
+
+          const res = await next.fetch(urlWithCacheBusting, {
+            headers,
           })
           expect(res.status).toEqual(200)
           expect(res.headers.get('content-type')).toEqual('text/x-component')
@@ -583,8 +621,14 @@ describe('ppr-full', () => {
     describe('Dynamic RSC Response', () => {
       describe.each(pages)('for $pathname', ({ pathname, dynamic }) => {
         it('should have correct headers', async () => {
-          const res = await next.fetch(pathname, {
-            headers: { RSC: '1' },
+          const headers = { RSC: '1' }
+          const urlWithCacheBusting = addCacheBustingSearchParam(
+            pathname,
+            headers
+          )
+
+          const res = await next.fetch(urlWithCacheBusting, {
+            headers,
           })
           expect(res.status).toEqual(200)
           expect(res.headers.get('content-type')).toEqual('text/x-component')
@@ -601,8 +645,17 @@ describe('ppr-full', () => {
         if (dynamic === true || dynamic === 'force-dynamic') {
           it('should contain dynamic content', async () => {
             const expected = `${Date.now()}:${Math.random()}`
-            const res = await next.fetch(pathname, {
-              headers: { RSC: '1', 'X-Test-Input': expected },
+            const headers = {
+              RSC: '1',
+              'X-Test-Input': expected,
+            }
+            const urlWithCacheBusting = addCacheBustingSearchParam(
+              pathname,
+              headers
+            )
+
+            const res = await next.fetch(urlWithCacheBusting, {
+              headers,
             })
             expect(res.status).toEqual(200)
             expect(res.headers.get('content-type')).toEqual('text/x-component')
@@ -612,11 +665,17 @@ describe('ppr-full', () => {
         } else {
           it('should not contain dynamic content', async () => {
             const unexpected = `${Date.now()}:${Math.random()}`
-            const res = await next.fetch(pathname, {
-              headers: {
-                RSC: '1',
-                'X-Test-Input': unexpected,
-              },
+            const headers = {
+              RSC: '1',
+              'X-Test-Input': unexpected,
+            }
+            const urlWithCacheBusting = addCacheBustingSearchParam(
+              pathname,
+              headers
+            )
+
+            const res = await next.fetch(urlWithCacheBusting, {
+              headers,
             })
             expect(res.status).toEqual(200)
             expect(res.headers.get('content-type')).toEqual('text/x-component')

test/e2e/app-dir/rewrite-headers/rewrite-headers.test.ts

@@ -1,4 +1,5 @@
 import { nextTestSetup } from 'e2e-utils'
+import { computeCacheBustingSearchParam } from 'next/dist/shared/lib/router/utils/cache-busting-search-param'
 
 const targets = ['x-nextjs-rewritten-path', 'x-nextjs-rewritten-query'] as const
 
@@ -381,7 +382,29 @@ describe('rewrite-headers', () => {
     ({ pathname, headers = {}, expected }) => {
       let response
       beforeAll(async () => {
-        response = await next.fetch(pathname, { headers })
+        const url = new URL(pathname, 'http://localhost')
+
+        // Add cache busting param for RSC requests
+        if (headers.RSC === '1') {
+          const cacheBustingParam = computeCacheBustingSearchParam(
+            headers['Next-Router-Prefetch'],
+            undefined,
+            headers['Next-Router-State-Tree'],
+            undefined
+          )
+          if (cacheBustingParam) {
+            // Preserve existing search params if any
+            const existingSearch = url.search
+            const rawQuery = existingSearch.startsWith('?')
+              ? existingSearch.slice(1)
+              : existingSearch
+            const pairs = rawQuery.split('&').filter(Boolean)
+            pairs.push(`_rsc=${cacheBustingParam}`)
+            url.search = pairs.length ? `?${pairs.join('&')}` : ''
+          }
+        }
+
+        response = await next.fetch(url.toString(), { headers })
         if (response.status !== 200) {
           throw new Error(
             `Expected status 200, got ${response.status} for ${pathname}`