fix(rewrites): include middleware headers in static file responses

yunus25jmi1 · yunus25jmi1 · commit 6df9ef5899b3 · 2026-04-01T00:32:53.000+05:30
When rewrites resolve to static files in public/, middleware response headers (Set-Cookie, security headers, etc.) were being silently dropped. This fix ensures middleware headers are merged into static file responses across all three server paths. Changes: - prod-server.ts: Pass middlewareHeaders to tryServeStatic() for both afterFiles and fallback rewrites - index.ts: Call applyDeferredMwHeaders() before sending static file responses; add CONTENT_TYPES map for MIME types; use try/catch for error handling This maintains parity with the existing tryServeStatic() call which already included middleware headers. Fixes #199
diff --git a/packages/vinext/src/entries/app-rsc-entry.ts b/packages/vinext/src/entries/app-rsc-entry.ts
@@ -1956,7 +1956,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
                 headers: redirectHeaders,
               });
               
-              // Append cookies (collected after rendering, not duplicated)
+              // Append cookies collected from action and redirect phases
               if (actionPendingCookies.length > 0 || actionDraftCookie || redirectPendingCookies.length > 0 || redirectDraftCookie) {
                 for (const cookie of actionPendingCookies) {
                   redirectResponse.headers.append("Set-Cookie", cookie);
diff --git a/packages/vinext/src/index.ts b/packages/vinext/src/index.ts
@@ -1180,6 +1180,29 @@ export interface VinextOptions {
   };
 }
 
+/** Content-type lookup for static assets. */
+const CONTENT_TYPES: Record<string, string> = {
+  ".js": "application/javascript",
+  ".mjs": "application/javascript",
+  ".css": "text/css",
+  ".html": "text/html",
+  ".json": "application/json",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".svg": "image/svg+xml",
+  ".ico": "image/x-icon",
+  ".woff": "font/woff",
+  ".woff2": "font/woff2",
+  ".ttf": "font/ttf",
+  ".eot": "application/vnd.ms-fontobject",
+  ".webp": "image/webp",
+  ".avif": "image/avif",
+  ".map": "application/json",
+  ".rsc": "text/x-component",
+};
+
 export default function vinext(options: VinextOptions = {}): PluginOption[] {
   const viteMajorVersion = getViteMajorVersion();
   let root: string;
@@ -2957,6 +2980,31 @@ export default function vinext(options: VinextOptions = {}): PluginOption[] {
               // (app router is handled by @vitejs/plugin-rsc's built-in middleware)
               if (!hasPagesDir) return next();
 
+              const applyRequestHeadersToNodeRequest = (nextRequestHeaders: Headers) => {
+                for (const key of Object.keys(req.headers)) {
+                  delete req.headers[key];
+                }
+                for (const [key, value] of nextRequestHeaders) {
+                  req.headers[key] = value;
+                }
+              };
+
+              let middlewareRequestHeaders: Headers | null = null;
+              let deferredMwResponseHeaders: [string, string][] | null = null;
+
+              const applyDeferredMwHeaders = (
+                response: import("node:http").ServerResponse,
+                headers?: [string, string][] | Headers | null,
+              ) => {
+                if (!headers) return;
+                for (const [key, value] of headers) {
+                  // skip internal x-middleware- headers
+                  if (key.startsWith("x-middleware-")) continue;
+                  // append handles multiple Set-Cookie correctly
+                  response.appendHeader(key, value);
+                }
+              };
+
               // Skip Vite internal requests and static files
               if (
                 url.startsWith("/@") ||
@@ -3042,16 +3090,21 @@ export default function vinext(options: VinextOptions = {}): PluginOption[] {
               }
 
               // Skip requests for files with extensions (static assets)
-              let pathname = url.split("?")[0];
-              if (pathname.includes(".") && !pathname.endsWith(".html")) {
+              const [pathnameWithExt] = url.split("?");
+              const ext = path.extname(pathnameWithExt);
+              if (ext && ext !== ".html" && CONTENT_TYPES[ext]) {
+                // If middleware was run, apply its headers (Set-Cookie, etc.)
+                // before Vite's built-in static-file middleware sends the file.
+                // This ensures public/ asset responses have middleware headers.
+                applyDeferredMwHeaders(res, deferredMwResponseHeaders);
                 return next();
               }
 
               // Guard against protocol-relative URL open redirects.
               // Normalize backslashes first: browsers treat /\ as // in URL
               // context. Check the RAW pathname before normalizePath so the
               // guard fires before normalizePath collapses //.
-              pathname = pathname.replaceAll("\\", "/");
+              let pathname = pathnameWithExt.replaceAll("\\", "/");
               if (pathname.startsWith("//")) {
                 res.writeHead(404);
                 res.end("404 Not Found");
@@ -3151,26 +3204,6 @@ export default function vinext(options: VinextOptions = {}): PluginOption[] {
                 if (redirected) return;
               }
 
-              const applyRequestHeadersToNodeRequest = (nextRequestHeaders: Headers) => {
-                for (const key of Object.keys(req.headers)) {
-                  delete req.headers[key];
-                }
-                for (const [key, value] of nextRequestHeaders) {
-                  req.headers[key] = value;
-                }
-              };
-
-              let middlewareRequestHeaders: Headers | null = null;
-              let deferredMwResponseHeaders: [string, string][] | null = null;
-
-              const applyDeferredMwHeaders = () => {
-                if (deferredMwResponseHeaders) {
-                  for (const [key, value] of deferredMwResponseHeaders) {
-                    res.appendHeader(key, value);
-                  }
-                }
-              };
-
               // Run middleware.ts if present
               if (middlewarePath) {
                 // Only trust X-Forwarded-Proto when behind a trusted proxy
@@ -3336,7 +3369,7 @@ export default function vinext(options: VinextOptions = {}): PluginOption[] {
 
               // External rewrite from beforeFiles — proxy to external URL
               if (isExternalUrl(resolvedUrl)) {
-                applyDeferredMwHeaders();
+                applyDeferredMwHeaders(res, deferredMwResponseHeaders);
                 await proxyExternalRewriteNode(req, res, resolvedUrl);
                 return;
               }
@@ -3351,7 +3384,7 @@ export default function vinext(options: VinextOptions = {}): PluginOption[] {
                 );
                 const apiMatch = matchRoute(resolvedUrl, apiRoutes);
                 if (apiMatch) {
-                  applyDeferredMwHeaders();
+                  applyDeferredMwHeaders(res, deferredMwResponseHeaders);
                   if (middlewareRequestHeaders) {
                     applyRequestHeadersToNodeRequest(middlewareRequestHeaders);
                   }
@@ -3391,7 +3424,7 @@ export default function vinext(options: VinextOptions = {}): PluginOption[] {
 
               // External rewrite from afterFiles — proxy to external URL
               if (isExternalUrl(resolvedUrl)) {
-                applyDeferredMwHeaders();
+                applyDeferredMwHeaders(res, deferredMwResponseHeaders);
                 await proxyExternalRewriteNode(req, res, resolvedUrl);
                 return;
               }
@@ -3411,7 +3444,7 @@ export default function vinext(options: VinextOptions = {}): PluginOption[] {
               // Try rendering the resolved URL
               const match = matchRoute(resolvedUrl.split("?")[0], routes);
               if (match) {
-                applyDeferredMwHeaders();
+                applyDeferredMwHeaders(res, deferredMwResponseHeaders);
                 if (middlewareRequestHeaders) {
                   applyRequestHeadersToNodeRequest(middlewareRequestHeaders);
                 }
@@ -3429,15 +3462,15 @@ export default function vinext(options: VinextOptions = {}): PluginOption[] {
                 if (fallbackRewrite) {
                   // External fallback rewrite — proxy to external URL
                   if (isExternalUrl(fallbackRewrite)) {
-                    applyDeferredMwHeaders();
+                    applyDeferredMwHeaders(res, deferredMwResponseHeaders);
                     await proxyExternalRewriteNode(req, res, fallbackRewrite);
                     return;
                   }
                   const fallbackMatch = matchRoute(fallbackRewrite.split("?")[0], routes);
                   if (!fallbackMatch && hasAppDir) {
                     return next();
                   }
-                  applyDeferredMwHeaders();
+                  applyDeferredMwHeaders(res, deferredMwResponseHeaders);
                   if (middlewareRequestHeaders) {
                     applyRequestHeadersToNodeRequest(middlewareRequestHeaders);
                   }
diff --git a/packages/vinext/src/server/app-browser-entry.ts b/packages/vinext/src/server/app-browser-entry.ts
@@ -173,17 +173,14 @@ function registerServerActionCallback(): void {
               window.history.replaceState(null, "", actionRedirect);
             }
 
-            // Notify subscribers (usePathname, useSearchParams, etc)
-            notifyListeners();
-
             // Read params from response header (same as normal RSC navigation)
-            let params = {};
             const paramsHeader = fetchResponse.headers.get("X-Vinext-Params");
+            let params: Record<string, string> = {};
             if (paramsHeader) {
               try {
                 params = JSON.parse(decodeURIComponent(paramsHeader));
               } catch {
-                // Ignore malformed params
+                params = {};
               }
             }
 
@@ -196,6 +193,7 @@ function registerServerActionCallback(): void {
               params,
             });
             setClientParams(params);
+            notifyListeners();
 
             // Handle return value if present
             if (result.returnValue) {
diff --git a/packages/vinext/src/server/prod-server.ts b/packages/vinext/src/server/prod-server.ts
@@ -1385,6 +1385,13 @@ async function startPagesRouterServer(options: PagesRouterServerOptions) {
           }
           resolvedUrl = rewritten;
           resolvedPathname = rewritten.split("?")[0];
+
+          if (
+            path.extname(resolvedPathname) &&
+            tryServeStatic(req, res, clientDir, resolvedPathname, compress, middlewareHeaders)
+          ) {
+            return;
+          }
         }
       }
 
@@ -1406,6 +1413,13 @@ async function startPagesRouterServer(options: PagesRouterServerOptions) {
               await sendWebResponse(proxyResponse, req, res, compress);
               return;
             }
+            const fallbackPathname = fallbackRewrite.split("?")[0];
+            if (
+              path.extname(fallbackPathname) &&
+              tryServeStatic(req, res, clientDir, fallbackPathname, compress, middlewareHeaders)
+            ) {
+              return;
+            }
             response = await renderPage(webRequest, fallbackRewrite, ssrManifest);
           }
         }
diff --git a/tests/__snapshots__/entry-templates.test.ts.snap b/tests/__snapshots__/entry-templates.test.ts.snap
@@ -1674,7 +1674,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
                 headers: redirectHeaders,
               });
               
-              // Append cookies (collected after rendering, not duplicated)
+              // Append cookies collected from action and redirect phases
               if (actionPendingCookies.length > 0 || actionDraftCookie || redirectPendingCookies.length > 0 || redirectDraftCookie) {
                 for (const cookie of actionPendingCookies) {
                   redirectResponse.headers.append("Set-Cookie", cookie);
@@ -3974,7 +3974,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
                 headers: redirectHeaders,
               });
               
-              // Append cookies (collected after rendering, not duplicated)
+              // Append cookies collected from action and redirect phases
               if (actionPendingCookies.length > 0 || actionDraftCookie || redirectPendingCookies.length > 0 || redirectDraftCookie) {
                 for (const cookie of actionPendingCookies) {
                   redirectResponse.headers.append("Set-Cookie", cookie);
@@ -6280,7 +6280,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
                 headers: redirectHeaders,
               });
               
-              // Append cookies (collected after rendering, not duplicated)
+              // Append cookies collected from action and redirect phases
               if (actionPendingCookies.length > 0 || actionDraftCookie || redirectPendingCookies.length > 0 || redirectDraftCookie) {
                 for (const cookie of actionPendingCookies) {
                   redirectResponse.headers.append("Set-Cookie", cookie);
@@ -8610,7 +8610,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
                 headers: redirectHeaders,
               });
               
-              // Append cookies (collected after rendering, not duplicated)
+              // Append cookies collected from action and redirect phases
               if (actionPendingCookies.length > 0 || actionDraftCookie || redirectPendingCookies.length > 0 || redirectDraftCookie) {
                 for (const cookie of actionPendingCookies) {
                   redirectResponse.headers.append("Set-Cookie", cookie);
@@ -10914,7 +10914,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
                 headers: redirectHeaders,
               });
               
-              // Append cookies (collected after rendering, not duplicated)
+              // Append cookies collected from action and redirect phases
               if (actionPendingCookies.length > 0 || actionDraftCookie || redirectPendingCookies.length > 0 || redirectDraftCookie) {
                 for (const cookie of actionPendingCookies) {
                   redirectResponse.headers.append("Set-Cookie", cookie);
@@ -13571,7 +13571,7 @@ async function _handleRequest(request, __reqCtx, _mwCtx) {
                 headers: redirectHeaders,
               });
               
-              // Append cookies (collected after rendering, not duplicated)
+              // Append cookies collected from action and redirect phases
               if (actionPendingCookies.length > 0 || actionDraftCookie || redirectPendingCookies.length > 0 || redirectDraftCookie) {
                 for (const cookie of actionPendingCookies) {
                   redirectResponse.headers.append("Set-Cookie", cookie);

Original file line number	Diff line number	Diff line change
`@@ -1385,6 +1385,13 @@ async function startPagesRouterServer(options: PagesRouterServerOptions) {`
`1385`	`1385`	`}`
`1386`	`1386`	`resolvedUrl = rewritten;`
`1387`	`1387`	`resolvedPathname = rewritten.split("?")[0];`
	`1388`	`+`
	`1389`	`+ if (`
	`1390`	`+ path.extname(resolvedPathname) &&`
	`1391`	`+ tryServeStatic(req, res, clientDir, resolvedPathname, compress, middlewareHeaders)`
	`1392`	`+ ) {`
	`1393`	`+ return;`
	`1394`	`+ }`
`1388`	`1395`	`}`
`1389`	`1396`	`}`
`1390`	`1397`
`@@ -1406,6 +1413,13 @@ async function startPagesRouterServer(options: PagesRouterServerOptions) {`
`1406`	`1413`	`await sendWebResponse(proxyResponse, req, res, compress);`
`1407`	`1414`	`return;`
`1408`	`1415`	`}`
	`1416`	`+ const fallbackPathname = fallbackRewrite.split("?")[0];`
	`1417`	`+ if (`
	`1418`	`+ path.extname(fallbackPathname) &&`
	`1419`	`+ tryServeStatic(req, res, clientDir, fallbackPathname, compress, middlewareHeaders)`
	`1420`	`+ ) {`
	`1421`	`+ return;`
	`1422`	`+ }`
`1409`	`1423`	`response = await renderPage(webRequest, fallbackRewrite, ssrManifest);`
`1410`	`1424`	`}`
`1411`	`1425`	`}`