Update middleware request header (#77201)

This just adds an additional header to our internal filtering list for
middleware.

Author: ijjk

packages/next/src/server/lib/router-server.ts

@@ -166,10 +166,13 @@ export async function initialize(opts: {
   renderServer.instance =
     require('./render-server') as typeof import('./render-server')
 
-  const allowedOrigins = [
-    'localhost',
-    ...(config.experimental.allowedDevOrigins || []),
-  ]
+  const randomBytes = new Uint8Array(8)
+  crypto.getRandomValues(randomBytes)
+  const middlewareSubrequestId = Buffer.from(randomBytes).toString('hex')
+  ;(globalThis as any)[Symbol.for('@next/middleware-subrequest-id')] =
+    middlewareSubrequestId
+
+  const allowedOrigins = ['localhost', ...(config.allowedDevOrigins || [])]
   if (opts.hostname) {
     allowedOrigins.push(opts.hostname)
   }

packages/next/src/server/lib/server-ipc/utils.ts

@@ -57,5 +57,16 @@ export const filterInternalHeaders = (
     if (INTERNAL_HEADERS.includes(header)) {
       delete headers[header]
     }
+
+    // If this request didn't origin from this session we filter
+    // out the "x-middleware-subrequest" header so we don't skip
+    // middleware incorrectly
+    if (
+      header === 'x-middleware-subrequest' &&
+      headers['x-middleware-subrequest-id'] !==
+        (globalThis as any)[Symbol.for('@next/middleware-subrequest-id')]
+    ) {
+      delete headers['x-middleware-subrequest']
+    }
   }
 }

packages/next/src/server/web/sandbox/context.ts

@@ -373,6 +373,10 @@ Learn More: https://nextjs.org/docs/messages/edge-dynamic-code-evaluation`),
             store.headers.get('x-middleware-subrequest') ?? ''
           )
         }
+        init.headers.set(
+          'x-middleware-subrequest-id',
+          (globalThis as any)[Symbol.for('@next/middleware-subrequest-id')]
+        )
 
         const prevs =
           init.headers.get(`x-middleware-subrequest`)?.split(':') || []

test/e2e/middleware-general/test/index.test.ts

@@ -144,6 +144,19 @@ describe('Middleware Runtime', () => {
       }
     }
 
+    it('should filter request header properly', async () => {
+      const res = await next.fetch('/redirect-to-somewhere', {
+        headers: {
+          'x-middleware-subrequest':
+            'middleware:middleware:middleware:middleware:middleware',
+        },
+        redirect: 'manual',
+      })
+
+      expect(res.status).toBe(307)
+      expect(res.headers.get('location')).toContain('/somewhere')
+    })
+
     it('should handle 404 on fallback: false route correctly', async () => {
       const res = await next.fetch('/ssg-fallback-false/first')
       expect(res.status).toBe(200)