[PR #277] [MERGED] fix: stop stripping credential headers from rewrite proxy requests #436

Closed
opened 2026-05-06 12:39:48 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/277
Author: @17hz
Created: 3/6/2026
Status: Merged
Merged: 3/7/2026
Merged by: @southpolesteve

Base: main ← Head: fix/preserve-credentials-proxy


📝 Commits (2)

  • f01de62 fix: stop stripping credential headers from rewrite proxy requests
  • ae52c07 test: update proxy tests to assert credential headers are forwarded

📊 Changes

4 files changed (+13 additions, -24 deletions)

View changed files

📝 packages/vinext/src/config/config-matchers.ts (+0 -6)
📝 packages/vinext/src/server/app-dev-server.ts (+0 -6)
📝 tests/app-router.test.ts (+6 -6)
📝 tests/shims.test.ts (+7 -6)

📄 Description

Fixes #264

Problem

proxyExternalRequest and __proxyExternalRequest unconditionally strip cookie, authorization, x-api-key, and proxy-authorization headers from all proxied rewrite requests. This breaks authentication for the most common use case — proxying to the user's own backend.

Context

Next.js does not strip these headers for rewrites. It forwards all request headers as-is to the rewrite destination. vinext's blanket stripping is a deviation from Next.js behavior that breaks real-world usage.

Fix

Remove the credential-stripping logic from both:

  • config-matchers.ts: proxyExternalRequest (used by prod server)
  • app-dev-server.ts: __proxyExternalRequest (inlined in dev server virtual module)

Internal x-middleware-* headers are still stripped as before.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
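
An added example, not code from vinext, Next.js or this PR: one way a deployment that rewrites to both its own backend and third-party hosts could scope credential forwarding by destination origin, while always dropping internal `x-middleware-*` headers as the description says is still done. `buildProxyHeaders`, `ProxyHeaderPolicy`, `trustedOrigins` and `sampleHeaders` are hypothetical names, and the hosts and header values are constructed.

```typescript
// Added example with hypothetical names; not vinext's proxyExternalRequest.
const CREDENTIAL_HEADERS = ["cookie", "authorization", "x-api-key", "proxy-authorization"];
const INTERNAL_PREFIX = "x-middleware-";

interface ProxyHeaderPolicy {
  // Exact origins (scheme://host[:port]) the operator controls. Assumption of this example.
  trustedOrigins: ReadonlySet<string>;
}

function buildProxyHeaders(
  incoming: Headers,
  destination: string,
  policy: ProxyHeaderPolicy,
): Headers {
  // Compare the parsed origin, never a string prefix: a prefix check would
  // accept "https://api.example.com.cdn.test" as if it were the backend.
  const origin = new URL(destination).origin; // throws on a malformed destination
  const forwardCredentials = policy.trustedOrigins.has(origin);

  const out = new Headers();
  incoming.forEach((value, name) => {
    const lower = name.toLowerCase();
    // Internal routing headers never leave the server, whatever the destination.
    if (lower.startsWith(INTERNAL_PREFIX)) return;
    // Credentials go only to origins the operator listed as its own.
    if (!forwardCredentials && CREDENTIAL_HEADERS.includes(lower)) return;
    out.set(name, value);
  });
  return out;
}

// Constructed request headers for the checks below.
function sampleHeaders(): Headers {
  return new Headers({
    accept: "application/json",
    cookie: "session=constructed",
    authorization: "Bearer constructed-token",
    "x-api-key": "constructed-key",
    "x-middleware-rewrite": "/internal",
  });
}
```

The origin comparison also treats a scheme downgrade (`http://` to the same host) as untrusted, so credentials are not sent over plaintext by a mistyped rewrite destination.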
