[PR #908] [MERGED] Preserve middleware headers on app boundary responses #937

New issue

Closed

opened 2026-05-06 13:10:57 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 13:10:57 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/908
Author: @NathanDrake2406
Created: 4/26/2026
Status: ✅ Merged
Merged: 4/26/2026
Merged by: @james-elicx

Base: main ← Head: nathan/middleware-boundary-headers

📝 Commits (2)

5760834 Preserve middleware headers on app boundary responses
e587ef4 test: stabilize app router redirect e2e

📊 Changes

11 files changed (+399 additions, -89 deletions)

View changed files

📝 packages/vinext/src/entries/app-rsc-entry.ts (+28 -8)
📝 packages/vinext/src/server/app-page-boundary-render.ts (+4 -0)
📝 packages/vinext/src/server/app-page-boundary.ts (+10 -1)
📝 packages/vinext/src/server/app-page-execution.ts (+34 -8)
📝 packages/vinext/src/server/app-page-stream.ts (+7 -3)
📝 tests/__snapshots__/entry-templates.test.ts.snap (+168 -48)
📝 tests/app-page-boundary-render.test.ts (+85 -0)
📝 tests/app-page-execution.test.ts (+35 -1)
📝 tests/app-router.test.ts (+18 -0)
📝 tests/e2e/app-router/rsc-fetch-errors.spec.ts (+5 -19)
📝 tests/e2e/helpers.ts (+5 -1)

📄 Description

What changed

Thread middleware response headers into App Router boundary render helpers for HTTP access fallback and error-boundary responses.
Merge middleware headers onto special-error redirect/plain fallback responses while preserving the semantic status code owned by redirect(), notFound(), forbidden(), and unauthorized().
Add regression coverage for HTML/RSC boundary responses, redirect/plain fallback special-error responses, and generated App Router entry plumbing.

Why

Middleware can set response headers such as auth rotation cookies, Vary, CSP/HSTS, and other security headers. The success App Page path already merged those headers, but boundary and special-error paths rebuilt fresh Response objects and dropped them. That made middleware behavior depend on whether the page rendered successfully or ended in notFound(), an error boundary, or redirect().

Next.js keeps middleware response headers in routing-level response headers before final rendering, so these branches should retain the same response envelope.

Validation

vp run vinext#build
vp check
vp test run tests/app-page-response.test.ts tests/app-page-boundary-render.test.ts tests/app-page-execution.test.ts tests/app-page-render.test.ts tests/app-router.test.ts -t "generated code threads middleware headers into page boundary and special-error responses|generated code delegates page boundary rendering to typed helpers|middleware response headers|preserves middleware headers|builds redirect and fallback responses|falls back to a plain status response|app page"

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/908 **Author:** [@NathanDrake2406](https://github.com/NathanDrake2406) **Created:** 4/26/2026 **Status:** ✅ Merged **Merged:** 4/26/2026 **Merged by:** [@james-elicx](https://github.com/james-elicx) **Base:** `main` ← **Head:** `nathan/middleware-boundary-headers` --- ### 📝 Commits (2) - [`5760834`](https://github.com/cloudflare/vinext/commit/5760834419b275eeb10a356e02154050659aaafb) Preserve middleware headers on app boundary responses - [`e587ef4`](https://github.com/cloudflare/vinext/commit/e587ef4a20dccd155270653ce5b250dc930efe21) test: stabilize app router redirect e2e ### 📊 Changes **11 files changed** (+399 additions, -89 deletions) <details> <summary>View changed files</summary> 📝 `packages/vinext/src/entries/app-rsc-entry.ts` (+28 -8) 📝 `packages/vinext/src/server/app-page-boundary-render.ts` (+4 -0) 📝 `packages/vinext/src/server/app-page-boundary.ts` (+10 -1) 📝 `packages/vinext/src/server/app-page-execution.ts` (+34 -8) 📝 `packages/vinext/src/server/app-page-stream.ts` (+7 -3) 📝 `tests/__snapshots__/entry-templates.test.ts.snap` (+168 -48) 📝 `tests/app-page-boundary-render.test.ts` (+85 -0) 📝 `tests/app-page-execution.test.ts` (+35 -1) 📝 `tests/app-router.test.ts` (+18 -0) 📝 `tests/e2e/app-router/rsc-fetch-errors.spec.ts` (+5 -19) 📝 `tests/e2e/helpers.ts` (+5 -1) </details> ### 📄 Description ## What changed - Thread middleware response headers into App Router boundary render helpers for HTTP access fallback and error-boundary responses. - Merge middleware headers onto special-error redirect/plain fallback responses while preserving the semantic status code owned by `redirect()`, `notFound()`, `forbidden()`, and `unauthorized()`. - Add regression coverage for HTML/RSC boundary responses, redirect/plain fallback special-error responses, and generated App Router entry plumbing. ## Why Middleware can set response headers such as auth rotation cookies, `Vary`, CSP/HSTS, and other security headers. The success App Page path already merged those headers, but boundary and special-error paths rebuilt fresh `Response` objects and dropped them. That made middleware behavior depend on whether the page rendered successfully or ended in `notFound()`, an error boundary, or `redirect()`. Next.js keeps middleware response headers in routing-level response headers before final rendering, so these branches should retain the same response envelope. ## Validation - `vp run vinext#build` - `vp check` - `vp test run tests/app-page-response.test.ts tests/app-page-boundary-render.test.ts tests/app-page-execution.test.ts tests/app-page-render.test.ts tests/app-router.test.ts -t "generated code threads middleware headers into page boundary and special-error responses|generated code delegates page boundary rendering to typed helpers|middleware response headers|preserves middleware headers|builds redirect and fallback responses|falls back to a plain status response|app page"` --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>