[PR #931] [MERGED] fix: normalize NextRequest.url through nextUrl #959

New issue

Closed

opened 2026-05-06 13:11:15 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 13:11:15 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/931
Author: @NathanDrake2406
Created: 4/28/2026
Status: ✅ Merged
Merged: 4/28/2026
Merged by: @james-elicx

Base: main ← Head: nathan/nextrequest-url-normalize

📝 Commits (1)

289f2df fix: normalize NextRequest url through nextUrl

📊 Changes

3 files changed (+71 additions, -0 deletions)

View changed files

📝 packages/vinext/src/shims/server.ts (+8 -0)
📝 tests/app-route-handler-runtime.test.ts (+13 -0)
📝 tests/shims.test.ts (+50 -0)

📄 Description

Summary

Store NextRequest.url separately from the underlying Web Request URL and expose the normalized nextUrl.toString() value by default.
Preserve the __NEXT_NO_MIDDLEWARE_URL_NORMALIZE opt-out so callers can still observe the raw request URL when that compatibility flag is set.
Add regression coverage for string input, Request input, and the app route handler wrapper path where vinext receives a basePath-stripped internal URL.

Why

Next.js does not expose the superclass Request.url directly from NextRequest. It constructs a NextURL, stores url as nextUrl.toString() unless __NEXT_NO_MIDDLEWARE_URL_NORMALIZE is set, and returns that stored value from the url getter:

NextRequest stores normalized url
NextRequest.url getter returns the stored value
NextURL.href formats the pathname with basePath/locale data
NextURL.toString() returns href
The middleware adapter also branches on __NEXT_NO_MIDDLEWARE_URL_NORMALIZE when choosing the request input URL: adapter.ts

Vinext already normalizes nextUrl.href with configured basePath/i18n, but request.url was inherited from super(...). In runtime paths that strip basePath for internal routing before wrapping in NextRequest, userland code using new URL(request.url) could see /callback while request.nextUrl.href correctly represented /base/callback. That breaks code that signs, verifies, or compares the externally visible callback/webhook URL.

Validation

vp test run tests/shims.test.ts tests/app-route-handler-runtime.test.ts
vp check packages/vinext/src/shims/server.ts tests/shims.test.ts tests/app-route-handler-runtime.test.ts

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/931 **Author:** [@NathanDrake2406](https://github.com/NathanDrake2406) **Created:** 4/28/2026 **Status:** ✅ Merged **Merged:** 4/28/2026 **Merged by:** [@james-elicx](https://github.com/james-elicx) **Base:** `main` ← **Head:** `nathan/nextrequest-url-normalize` --- ### 📝 Commits (1) - [`289f2df`](https://github.com/cloudflare/vinext/commit/289f2df25709552498da80e913696d1dbaca49ed) fix: normalize NextRequest url through nextUrl ### 📊 Changes **3 files changed** (+71 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `packages/vinext/src/shims/server.ts` (+8 -0) 📝 `tests/app-route-handler-runtime.test.ts` (+13 -0) 📝 `tests/shims.test.ts` (+50 -0) </details> ### 📄 Description ## Summary - Store `NextRequest.url` separately from the underlying Web `Request` URL and expose the normalized `nextUrl.toString()` value by default. - Preserve the `__NEXT_NO_MIDDLEWARE_URL_NORMALIZE` opt-out so callers can still observe the raw request URL when that compatibility flag is set. - Add regression coverage for string input, `Request` input, and the app route handler wrapper path where vinext receives a basePath-stripped internal URL. ## Why Next.js does not expose the superclass `Request.url` directly from `NextRequest`. It constructs a `NextURL`, stores `url` as `nextUrl.toString()` unless `__NEXT_NO_MIDDLEWARE_URL_NORMALIZE` is set, and returns that stored value from the `url` getter: - [`NextRequest` stores normalized `url`](https://github.com/vercel/next.js/blob/ae61573e062e900050b8e6b24626e450accc4570/packages/next/src/server/web/spec-extension/request.ts#L41-L50) - [`NextRequest.url` getter returns the stored value](https://github.com/vercel/next.js/blob/ae61573e062e900050b8e6b24626e450accc4570/packages/next/src/server/web/spec-extension/request.ts#L102-L104) - [`NextURL.href` formats the pathname with basePath/locale data](https://github.com/vercel/next.js/blob/ae61573e062e900050b8e6b24626e450accc4570/packages/next/src/server/web/next-url.ts#L193-L197) - [`NextURL.toString()` returns `href`](https://github.com/vercel/next.js/blob/ae61573e062e900050b8e6b24626e450accc4570/packages/next/src/server/web/next-url.ts#L256-L258) - The middleware adapter also branches on `__NEXT_NO_MIDDLEWARE_URL_NORMALIZE` when choosing the request input URL: [`adapter.ts`](https://github.com/vercel/next.js/blob/ae61573e062e900050b8e6b24626e450accc4570/packages/next/src/server/web/adapter.ts#L172-L184) Vinext already normalizes `nextUrl.href` with configured basePath/i18n, but `request.url` was inherited from `super(...)`. In runtime paths that strip basePath for internal routing before wrapping in `NextRequest`, userland code using `new URL(request.url)` could see `/callback` while `request.nextUrl.href` correctly represented `/base/callback`. That breaks code that signs, verifies, or compares the externally visible callback/webhook URL. ## Validation - `vp test run tests/shims.test.ts tests/app-route-handler-runtime.test.ts` - `vp check packages/vinext/src/shims/server.ts tests/shims.test.ts tests/app-route-handler-runtime.test.ts` --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>