fix: strip internal prerender auth header from external rewrites #808
Conversation
The external rewrite proxy forwarded nearly all request headers upstream, only stripping hop-by-hop and x-middleware-* headers. During the prerender pipeline, vinext injects x-vinext-prerender-secret onto internal HTTP requests so hidden prerender endpoints can authenticate. If a prerendered route was externally rewritten, that internal auth header would be forwarded to the external destination. Strip x-vinext-prerender-secret in proxyExternalRequest(), and extend existing unit and integration tests that cover external rewrite header forwarding to verify the header is not leaked upstream.
/bigbonk review this PR
commit:
Clean, well-scoped security fix. The change is correct and the tests are thorough.
What this fixes: During vinext's prerender pipeline, internal HTTP requests carry x-vinext-prerender-secret to authenticate against hidden endpoints like /__vinext/prerender/static-params (verified in prod-server.ts:814 and build/prerender.ts:410,737). Without this fix, if a user configures an external rewrite and a request hits it during prerender, the internal auth secret would leak to the external service.
Correctness: The headers.delete("x-vinext-prerender-secret") call is placed correctly — after hop-by-hop and x-middleware-* header stripping, before the request is dispatched upstream. This is the only code path that proxies requests to external URLs via proxyExternalRequest(), so the fix is sufficient.
Test coverage: Both the unit test (tests/shims.test.ts) and integration test (tests/app-router.test.ts) for external rewrite proxy credential forwarding are extended to include the header in the request and assert it's stripped. The tests slot naturally into the existing "credential forwarding" test structure, verifying that:
- Credential headers (`authorization`, `cookie`, `proxy-authorization`) are still forwarded
- `x-middleware-*` headers are still stripped
- `x-vinext-prerender-secret` is also stripped
- Non-sensitive custom headers are preserved
CI is green across all completed checks.
Reviewed and approved PR #808. The fix correctly strips the internal
Summary
The shared external rewrite proxy now strips `x-vinext-prerender-secret` before forwarding requests upstream.
Details
`proxyExternalRequest()` intentionally forwards most request headers to match external rewrite proxying behavior, while stripping hop-by-hop and `x-middleware-*` headers. During vinext's prerender pipeline, internal HTTP requests carry `x-vinext-prerender-secret` so hidden prerender endpoints can authenticate. That internal auth header should never be forwarded to external rewrite destinations.
This change adds a targeted strip in `proxyExternalRequest()` and extends the existing external rewrite forwarding tests to verify:
- `x-middleware-*` headers are still stripped
- `x-vinext-prerender-secret` is also stripped
Tests
- `tests/shims.test.ts` external rewrite proxy unit test
- `tests/app-router.test.ts` external rewrite integration test
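One way to model the header filtering this PR describes (hop-by-hop and `x-middleware-*` stripped, credentials forwarded, the prerender secret removed), as an added example that is not vinext's own code. The hop-by-hop list, the handling of names nominated by a `Connection` header, and the sample request values are assumptions; it runs on Node 18+ with the global `Headers` class.

```javascript
// Added example, not vinext's code: the header filter an external rewrite
// proxy applies before dispatching upstream. Lists and sample values are assumptions.

// Hop-by-hop headers (RFC 7230 section 6.1), minus proxy-authorization,
// which the PR's tests show vinext deliberately forwards.
const HOP_BY_HOP = new Set([
  "connection", "keep-alive", "proxy-connection", "te", "trailer",
  "transfer-encoding", "upgrade", "proxy-authenticate",
]);

// Internal auth header injected on prerender requests; must never go upstream.
const PRERENDER_SECRET_HEADER = "x-vinext-prerender-secret";

// Header names listed in a Connection header are hop-by-hop for this hop too.
function connectionNominated(headers) {
  const raw = headers.get("connection") ?? "";
  return new Set(raw.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean));
}

// Returns a new Headers object that is safe to forward to an external rewrite target.
function buildUpstreamHeaders(incoming) {
  const nominated = connectionNominated(incoming);
  const out = new Headers();
  for (const [name, value] of incoming) {        // Headers yields lower-cased names
    if (HOP_BY_HOP.has(name) || nominated.has(name)) continue;
    if (name.startsWith("x-middleware-")) continue;
    out.append(name, value);
  }
  // The strip this PR adds: the internal prerender secret is removed explicitly.
  out.delete(PRERENDER_SECRET_HEADER);
  return out;
}

// Constructed request as the proxy would see it during prerender.
const sampleRequest = new Headers({
  host: "app.example",
  authorization: "Bearer user-token",
  cookie: "session=abc",
  "proxy-authorization": "Basic dXNlcjpwYXNz",
  "x-custom-trace": "trace-123",
  "x-middleware-rewrite": "/internal",
  "x-vinext-prerender-secret": "CONSTRUCTED-SECRET",
  connection: "keep-alive, x-hop-only",
  "x-hop-only": "drop-me",
});

const forwarded = buildUpstreamHeaders(sampleRequest);
console.log(Object.fromEntries(forwarded));
```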