Skip to content

fix(vtex): remove isLoggedIn check from middleware #1565

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
igoramf wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(vtex): remove isLoggedIn check from middleware #1565

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 1 addition & 8 deletions vtex/middleware.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,6 @@ import {
isCacheableSegment,
setSegmentBag,
} from "./utils/segment.ts";
import { VTEX_ID_CLIENT_COOKIE } from "./utils/vtexId.ts";

export const middleware = (
_props: unknown,
req: Request,
Expand All @@ -29,12 +27,7 @@ export const middleware = (
setSegmentBag(cookies, req, ctx);
}

const isLoggedIn = Boolean(
cookies[VTEX_ID_CLIENT_COOKIE] ||
cookies[`${VTEX_ID_CLIENT_COOKIE}_${ctx.account}`],
);

const cacheable = isCacheableSegment(ctx) && !isLoggedIn;
const cacheable = isCacheableSegment(ctx);
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Check whether any in-app auth cache guard still exists:"
rg -n -C3 --type=ts 'isCacheableSegment\(ctx\)|PAGE_CACHE_ALLOWED_KEY|VtexIdclientAutCookie|VTEX_ID_CLIENT_COOKIE'

echo
echo "Check if Cloudflare/CDN bypass rules are versioned in this repo:"
rg -n -i -C2 'cloudflare|cdn|cache bypass|bypass cache|VtexIdclientAutCookie'

Repository: deco-cx/apps

Length of output: 50369

🏁 Script executed:

# Read the isCacheableSegment function to see if it checks authentication
sed -n '60,90p' vtex/utils/segment.ts

Repository: deco-cx/apps

Length of output: 1027

🏁 Script executed:

# Check for any Cloudflare worker files or wrangler configs
find . -type f \( -name "wrangler.toml" -o -name "*.wrangler.json" -o -name "*cloudflare*" -o -name "*.cf.ts" -o -name "*.cf.js" \) 2>/dev/null | head -20

Repository: deco-cx/apps

Length of output: 38

🏁 Script executed:

# Check for environment or config files that might define Cloudflare bypass rules
find . -type f \( -name ".env*" -o -name "*.env" -o -name "*config*" \) | xargs grep -l "cloudflare\|bypass\|cache" 2>/dev/null | head -10

Repository: deco-cx/apps

Length of output: 38

🏁 Script executed:

# Search for isAnonymous function definition
rg -n "isAnonymous" vtex/utils/segment.ts -A 10 -B 2

Repository: deco-cx/apps

Length of output: 1275

🏁 Script executed:

# Check if there's any recent mention of Cloudflare worker rules or CDN bypass in comments/docs
rg -i "cloudflare.*worker|worker.*cloudflare|cdn.*bypass|cache.*bypass" --type=ts --type=js --type=toml --type=json -C 3

Repository: deco-cx/apps

Length of output: 565

🏁 Script executed:

# Look for VtexIdclientAutCookie checks in the middleware or related auth functions
rg -n "hasAuthCookie|VtexIdclientAutCookie" vtex/ -B 2 -A 2

Repository: deco-cx/apps

Length of output: 26316

🏁 Script executed:

# Check the isAnonymous function more thoroughly, especially what segment fields it checks
sed -n '39,63p' vtex/utils/segment.ts

Repository: deco-cx/apps

Length of output: 517

🏁 Script executed:

# Verify if Cloudflare rules are documented elsewhere or in deployment configs
find . -type f \( -name "*.md" -o -name "*.txt" -o -name "deco.json" \) | xargs grep -l -i "cloudflare\|cache\|bypass" 2>/dev/null | head -10

Repository: deco-cx/apps

Length of output: 73

Add app-side authentication check to prevent caching of personalized responses.

isCacheableSegment(ctx) at line 30 does not check authentication status—it only evaluates segment fields (campaigns, utm_campaign, utm_source, utmi_campaign, channel, priceTables, regionId). This allows authenticated requests to be marked cacheable, creating a cache leak risk if the Cloudflare bypass rule is missing or misconfigured in any environment.

The suggested fix provides essential defense-in-depth:

🔒 Suggested fix 
+  const hasAuthCookie = Boolean(
+    cookies.VtexIdclientAutCookie ||
+      cookies[`${ctx.account}VtexIdclientAutCookie`],
+  );
-  const cacheable = isCacheableSegment(ctx);
+  const cacheable = isCacheableSegment(ctx) && !hasAuthCookie;
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@vtex/middleware.ts` at line 30, The current cache decision uses
isCacheableSegment(ctx) but omits authentication, allowing authenticated
(personalized) responses to be cached; update the middleware where const
cacheable = isCacheableSegment(ctx) to also check app-side auth and force
non-cacheable for authenticated requests (e.g., const cacheable =
isCacheableSegment(ctx) && !isAuthenticated(ctx)); implement or call a small
helper isAuthenticated(ctx) that inspects the app's auth indicator present on
the request context (for example ctx.state.user, ctx.vtex?.authToken, or
whatever your app sets when a user is signed in) and ensure any authenticated
request sets cacheable = false so personalized responses are never marked
cacheable.


// PAGE_DIRTY_KEY: marks page dirty for section-level caching and other consumers
if (!cacheable) {
Expand Down
Loading