fix: merges headers safely in nextjs route handlers (#7399)

## Description

Merges headers safely within Payload-handled Next.js route handlers.

Author: jmikrut

packages/next/src/routes/graphql/handler.ts

@@ -134,12 +134,8 @@ export const POST =
       resHeaders.append(key, headers[key])
     }
 
-    if (req.responseHeaders) {
-      mergeHeaders(req.responseHeaders, resHeaders)
-    }
-
     return new Response(apiResponse.body, {
-      headers: resHeaders,
+      headers: req.responseHeaders ? mergeHeaders(req.responseHeaders, resHeaders) : resHeaders,
       status: apiResponse.status,
     })
   }

packages/next/src/routes/rest/index.ts

@@ -167,7 +167,13 @@ const handleCustomEndpoints = async ({
 
       if (res instanceof Response) {
         if (req.responseHeaders) {
-          mergeHeaders(req.responseHeaders, res.headers)
+          const mergedResponse = new Response(res.body, {
+            headers: mergeHeaders(req.responseHeaders, res.headers),
+            status: res.status,
+            statusText: res.statusText,
+          })
+
+          return mergedResponse
         }
 
         return res
@@ -379,7 +385,13 @@ export const GET =
 
       if (res instanceof Response) {
         if (req.responseHeaders) {
-          mergeHeaders(req.responseHeaders, res.headers)
+          const mergedResponse = new Response(res.body, {
+            headers: mergeHeaders(req.responseHeaders, res.headers),
+            status: res.status,
+            statusText: res.statusText,
+          })
+
+          return mergedResponse
         }
 
         return res
@@ -555,7 +567,13 @@ export const POST =
 
       if (res instanceof Response) {
         if (req.responseHeaders) {
-          mergeHeaders(req.responseHeaders, res.headers)
+          const mergedResponse = new Response(res.body, {
+            headers: mergeHeaders(req.responseHeaders, res.headers),
+            status: res.status,
+            statusText: res.statusText,
+          })
+
+          return mergedResponse
         }
 
         return res
@@ -643,7 +661,13 @@ export const DELETE =
 
       if (res instanceof Response) {
         if (req.responseHeaders) {
-          mergeHeaders(req.responseHeaders, res.headers)
+          const mergedResponse = new Response(res.body, {
+            headers: mergeHeaders(req.responseHeaders, res.headers),
+            status: res.status,
+            statusText: res.statusText,
+          })
+
+          return mergedResponse
         }
 
         return res
@@ -732,7 +756,13 @@ export const PATCH =
 
       if (res instanceof Response) {
         if (req.responseHeaders) {
-          mergeHeaders(req.responseHeaders, res.headers)
+          const mergedResponse = new Response(res.body, {
+            headers: mergeHeaders(req.responseHeaders, res.headers),
+            status: res.status,
+            statusText: res.statusText,
+          })
+
+          return mergedResponse
         }
 
         return res

packages/next/src/utilities/mergeHeaders.ts

@@ -1,33 +1,11 @@
-const headersToJoin = ['set-cookie', 'warning', 'www-authenticate', 'proxy-authenticate', 'vary']
+export const mergeHeaders = (sourceHeaders: Headers, destinationHeaders: Headers): Headers => {
+  // Create a new Headers object
+  const combinedHeaders = new Headers(destinationHeaders)
 
-export function mergeHeaders(sourceHeaders: Headers, destinationHeaders: Headers): void {
-  // Create a map to store combined headers
-  const combinedHeaders = new Headers()
-
-  // Add existing destination headers to the combined map
-  destinationHeaders.forEach((value, key) => {
-    combinedHeaders.set(key, value)
-  })
-
-  // Add source headers to the combined map, joining specific headers
+  // Append sourceHeaders to combinedHeaders
   sourceHeaders.forEach((value, key) => {
-    const lowerKey = key.toLowerCase()
-    if (headersToJoin.includes(lowerKey)) {
-      if (combinedHeaders.has(key)) {
-        combinedHeaders.set(key, `${combinedHeaders.get(key)}, ${value}`)
-      } else {
-        combinedHeaders.set(key, value)
-      }
-    } else {
-      combinedHeaders.set(key, value)
-    }
+    combinedHeaders.append(key, value)
   })
 
-  // Clear the destination headers and set the combined headers
-  destinationHeaders.forEach((_, key) => {
-    destinationHeaders.delete(key)
-  })
-  combinedHeaders.forEach((value, key) => {
-    destinationHeaders.append(key, value)
-  })
+  return combinedHeaders
 }