fix: replace original request body after middleware execution (#77662) #7

Open

MitchLewis930 wants to merge 1 commit into pr_037_before from pr_037_after

Conversation


@MitchLewis930 MitchLewis930 commented Jan 30, 2026

User description

PR_037


PR Type

Bug fix


Description

  • Clone request body before middleware execution to prevent consumption

  • Finalize body stream after middleware completes for subsequent reads

  • Enable nodejs runtime middleware testing with new test configurations

  • Add test variants for server actions with node middleware runtime


Diagram Walkthrough

```mermaid
flowchart LR
  A["Request with body"] -- "Clone body stream" --> B["Middleware execution"]
  B -- "Finalize stream" --> C["Server actions can read body"]
  D["Test setup"] -- "Override middleware.js" --> E["Node middleware tests"]
```

File Walkthrough

Relevant files

| Category | File | Change | Diff |
|---|---|---|---|
| Bug fix (1 file) | next-server.ts | Clone and finalize request body in middleware | +20/-5 |
| Tests (8 files) | middleware-node.js | New nodejs runtime middleware test fixture | +18/-0 |
| | middleware.js | Remove runtime config from default middleware | +0/-9 |
| | app-action-form-state.test.ts | Add node middleware test variant support | +7/-1 |
| | app-action-form-state-node-middleware.test.ts | New test file for form state with node middleware | +3/-0 |
| | app-action.test.ts | Add node middleware test variant support | +6/-1 |
| | app-action-node-middleware.test.ts | New test file for actions with node middleware | +3/-0 |
| | app-action-size-limit-invalid.test.ts | Add node middleware test variant and config | +13/-4 |
| | app-action-size-limit-invalid-node-middleware.test.ts | New test file for size limit with node middleware | +3/-0 |
| Configuration changes (1 file) | next.config.js | Enable nodeMiddleware experimental feature | +1/-0 |

…#77662)

In vercel#77553 we fixed reading the request body in middleware using the `nodejs` runtime. However, this caused issues with subsequent reads like in server actions. In sandbox, [we run](https://github.com/vercel/next.js/blob/1e62ce2c61048ddc0297f1a4f268894541975521/packages/next/src/server/web/sandbox/sandbox.ts#L146-L148) `.finalize()` after middleware is executed so we should do the same here.

Fixes vercel#77646

---------

Co-authored-by: JJ Kasper <jj@jjsweb.site>
@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Potential DoS via cloning

Description: The new request-body cloning (requestData.body.cloneBodyStream()) can increase per-request
memory/stream buffering overhead (effectively duplicating body handling) and may enable a
denial-of-service vector for large or highly concurrent requests if size
limits/backpressure are not consistently enforced for this code path.
next-server.ts [1690-1708]

Referred Code

```ts
const hasRequestBody =
  !['HEAD', 'GET'].includes(params.request.method) &&
  Boolean(requestData.body)

try {
  result = await adapterFn({
    handler: middlewareModule.middleware || middlewareModule,
    request: {
      ...requestData,
      body: hasRequestBody
        ? requestData.body.cloneBodyStream()
        : undefined,
    },
    page: 'middleware',
  })
} finally {
  if (hasRequestBody) {
    requestData.body.finalize()
  }
```

Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Finally may mask errors: The new finally block calls requestData.body.finalize() without guarding against
exceptions, which could override the original middleware failure and reduce debuggability.

Referred Code

```ts
} finally {
  if (hasRequestBody) {
    requestData.body.finalize()
  }
```


Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

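The clone-then-finalize pattern from the commit message above, together with the guarded `finalize()` the "Finally may mask errors" check asks for and a size limit on the buffered copy, as an added example written in plain Web Streams; it is not code from Next.js or this PR, and `makeCloneableBody`, `runMiddleware`, `readAll`, `demo` and the sample body are assumed names and data.

```javascript
// Added example, not code from the Next.js PR: a Web Streams analogue of "clone
// the body before middleware, finalize after". All helper names are assumed.
const enc = new TextEncoder(), dec = new TextDecoder();
const bodyFrom = (text) => new ReadableStream({ start(c) { c.enqueue(enc.encode(text)); c.close(); } }); // constructed sample body

// Drain a stream to a string; refuse bodies above maxBytes, since the teed
// copy held for a second consumer is buffered and grows with the request.
async function readAll(stream, maxBytes = 1024) {
  let text = '', size = 0;
  for await (const chunk of stream) {
    if ((size += chunk.length) > maxBytes) throw new Error('body too large');
    text += dec.decode(chunk, { stream: true });
  }
  return text + dec.decode();
}

function makeCloneableBody(stream) {
  let current = stream; // what the final handler (e.g. a server action) reads
  let held = null;      // untouched branch kept aside while middleware runs
  return {
    cloneBodyStream() {  // middleware receives one branch of a tee
      const [forMiddleware, forLater] = current.tee();
      held = forLater;
      return forMiddleware;
    },
    finalize() { if (held) { current = held; held = null; } }, // restore for later reads
    stream() { return current; },
  };
}

// Same try/finally shape as the PR, but finalize() is guarded so a failure
// there cannot replace the original middleware error.
async function runMiddleware(req, middleware) {
  const hasRequestBody = !['HEAD', 'GET'].includes(req.method) && Boolean(req.body);
  let failed = false;
  try {
    await middleware({ body: hasRequestBody ? req.body.cloneBodyStream() : undefined });
  } catch (err) { failed = true; throw err; }
  finally {
    if (hasRequestBody) try { req.body.finalize(); } catch (err) { if (!failed) throw err; }
  }
}

async function demo() { // middleware reads the body, then a server action reads it again
  const req = { method: 'POST', body: makeCloneableBody(bodyFrom('action=save&id=7')) };
  let seenByMiddleware = '';
  await runMiddleware(req, async (r) => { seenByMiddleware = await readAll(r.body); });
  const seenByAction = await readAll(req.body.stream()); // fails without finalize()
  return { seenByMiddleware, seenByAction };
}
```

`tee()` queues chunks for whichever branch reads more slowly, which is why `readAll` enforces a byte limit on every consumer of the body.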
@qodo-code-review

PR Code Suggestions ✨

No code suggestions found for the PR.
