[PR #1071] [MERGED] refactor(server): dedupe forbidden response construction #1068

New issue

Closed

opened 2026-05-06 13:11:49 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 13:11:49 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/1071
Author: @james-elicx
Created: 5/5/2026
Status: ✅ Merged
Merged: 5/5/2026
Merged by: @james-elicx

Base: main ← Head: refactor/dedupe-forbidden-response

📝 Commits (1)

501cfa7 refactor(server): dedupe forbidden response construction

📊 Changes

2 files changed (+21 additions, -7 deletions)

View changed files

📝 packages/vinext/src/server/dev-origin-check.ts (+8 -4)
📝 packages/vinext/src/server/request-pipeline.ts (+13 -3)

📄 Description

Summary

Follow-up dedupe scan after #1049: the literal new Response("Forbidden", { status: 403, headers: { "Content-Type": "text/plain" } }) was repeated 7 times across two server files.
Adds a forbiddenResponse() helper in request-pipeline.ts and replaces the 3 byte-identical call sites in validateCsrfOrigin.
For the 4 occurrences inside generateDevOriginCheckCode() — which emits inline JS that runs in the RSC Vite environment and cannot import TS modules — introduces a local __forbidden() helper inside the generated code so the duplication is eliminated there too.
Pure refactor, no behavior change. All call sites were verified byte-equivalent before merging.

Touched files

packages/vinext/src/server/request-pipeline.ts — adds exported forbiddenResponse(); replaces 3 inline literals.
packages/vinext/src/server/dev-origin-check.ts — emits a local __forbidden() helper inside the codegen template; replaces 4 inline literals in the generated JS.

Test plan

pnpm vp test run tests/app-router.test.ts tests/pages-router.test.ts — 508 tests pass. (One unrelated afterAll cleanup-hook timeout under heavy concurrent load; reruns of the touched suite, including Pages Router allowedDevOrigins config, all pass.)
pnpm fmt:check — clean.
CI green on the draft PR.

🤖 Generated with Claude Code

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/1071 **Author:** [@james-elicx](https://github.com/james-elicx) **Created:** 5/5/2026 **Status:** ✅ Merged **Merged:** 5/5/2026 **Merged by:** [@james-elicx](https://github.com/james-elicx) **Base:** `main` ← **Head:** `refactor/dedupe-forbidden-response` --- ### 📝 Commits (1) - [`501cfa7`](https://github.com/cloudflare/vinext/commit/501cfa75e70fefbfdb44f8b9f5fd6c769df20d0e) refactor(server): dedupe forbidden response construction ### 📊 Changes **2 files changed** (+21 additions, -7 deletions) <details> <summary>View changed files</summary> 📝 `packages/vinext/src/server/dev-origin-check.ts` (+8 -4) 📝 `packages/vinext/src/server/request-pipeline.ts` (+13 -3) </details> ### 📄 Description ## Summary - Follow-up dedupe scan after #1049: the literal `new Response("Forbidden", { status: 403, headers: { "Content-Type": "text/plain" } })` was repeated 7 times across two server files. - Adds a `forbiddenResponse()` helper in `request-pipeline.ts` and replaces the 3 byte-identical call sites in `validateCsrfOrigin`. - For the 4 occurrences inside `generateDevOriginCheckCode()` — which emits inline JS that runs in the RSC Vite environment and cannot import TS modules — introduces a local `__forbidden()` helper inside the generated code so the duplication is eliminated there too. - Pure refactor, no behavior change. All call sites were verified byte-equivalent before merging. ## Touched files - `packages/vinext/src/server/request-pipeline.ts` — adds exported `forbiddenResponse()`; replaces 3 inline literals. - `packages/vinext/src/server/dev-origin-check.ts` — emits a local `__forbidden()` helper inside the codegen template; replaces 4 inline literals in the generated JS. ## Test plan - [x] `pnpm vp test run tests/app-router.test.ts tests/pages-router.test.ts` — 508 tests pass. (One unrelated `afterAll` cleanup-hook timeout under heavy concurrent load; reruns of the touched suite, including `Pages Router allowedDevOrigins config`, all pass.) - [x] `pnpm fmt:check` — clean. - [ ] CI green on the draft PR. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>