[GH-ISSUE #85] RSC navigation fetch missing credentials: 'include' - cookies not sent during client-side navigation #25

New issue

Closed

opened 2026-05-06 12:36:36 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 12:36:36 +02:00

Owner

Originally created by @CodyBontecou on GitHub (Feb 26, 2026).
Original GitHub issue: https://github.com/cloudflare/vinext/issues/85

Bug Description

RSC navigation and prefetch requests do not include credentials: "include", which means cookies are not sent during client-side navigation. This breaks authentication for any app using cookie-based auth (e.g., Better Auth, NextAuth, etc.).

Steps to Reproduce

Set up an app with cookie-based authentication
Have a protected route (e.g., /admin) that checks auth via cookies() or headers()
From a public page, click a <Link> to the protected route
Expected: User navigates to the protected route (cookies sent, auth succeeds)
Actual: Auth fails because cookies are not sent with the RSC fetch

If the user does a full page refresh on the protected route, it works correctly because the browser sends cookies with the full page request.

Root Cause

In dist/server/app-dev-server.js, the RSC navigation fetch does not include credentials:

navResponse = await fetch(rscUrl, {
  headers: { Accept: "text/x-component" },
});

Similarly, in dist/shims/link.js and dist/shims/navigation.js, prefetch requests also lack credentials:

fetch(rscUrl, {
  headers: { Accept: "text/x-component" },
  priority: "low",
})

Suggested Fix

Add credentials: "include" to all RSC fetch calls:

navResponse = await fetch(rscUrl, {
  headers: { Accept: "text/x-component" },
  credentials: "include",
});

Workaround

Use regular <a> tags instead of <Link> for navigation to auth-protected routes. This forces a full page navigation that properly includes cookies.

Environment

vinext: 0.0.9
Cloudflare Workers
Better Auth (cookie-based sessions)

Originally created by @CodyBontecou on GitHub (Feb 26, 2026). Original GitHub issue: https://github.com/cloudflare/vinext/issues/85 ## Bug Description RSC navigation and prefetch requests do not include `credentials: "include"`, which means cookies are not sent during client-side navigation. This breaks authentication for any app using cookie-based auth (e.g., Better Auth, NextAuth, etc.). ## Steps to Reproduce 1. Set up an app with cookie-based authentication 2. Have a protected route (e.g., `/admin`) that checks auth via `cookies()` or `headers()` 3. From a public page, click a `<Link>` to the protected route 4. **Expected:** User navigates to the protected route (cookies sent, auth succeeds) 5. **Actual:** Auth fails because cookies are not sent with the RSC fetch If the user does a full page refresh on the protected route, it works correctly because the browser sends cookies with the full page request. ## Root Cause In `dist/server/app-dev-server.js`, the RSC navigation fetch does not include credentials: ```js navResponse = await fetch(rscUrl, { headers: { Accept: "text/x-component" }, }); ``` Similarly, in `dist/shims/link.js` and `dist/shims/navigation.js`, prefetch requests also lack credentials: ```js fetch(rscUrl, { headers: { Accept: "text/x-component" }, priority: "low", }) ``` ## Suggested Fix Add `credentials: "include"` to all RSC fetch calls: ```js navResponse = await fetch(rscUrl, { headers: { Accept: "text/x-component" }, credentials: "include", }); ``` ## Workaround Use regular `<a>` tags instead of `<Link>` for navigation to auth-protected routes. This forces a full page navigation that properly includes cookies. ## Environment - vinext: 0.0.9 - Cloudflare Workers - Better Auth (cookie-based sessions)