next.js icon indicating copy to clipboard operation
next.js copied to clipboard

Published 20 hours ago verified publisher icon vercel

Ordering of request query being changed in production

Open CoolTechYT opened this issue 3 years ago • 1 comments

Verify canary release

  • [X] I verified that the issue exists in Next.js canary release

Provide environment information

Operating System: Platform: darwin Arch: x64 Version: Darwin Kernel Version 20.6.0: Wed Nov 10 22:23:07 PST 2021; root:xnu-7195.141.14~1/RELEASE_X86_64 Binaries: Node: 14.8.0 npm: 6.14.7 Yarn: N/A pnpm: N/A Relevant packages: next: 12.1.4 react: 18.0.0 react-dom: 18.0.0

What browser are you using? (if relevant)

No response

How are you deploying your application? (if relevant)

vercel

Describe the Bug

Next.js hosted on Vercel is manipulating request URL.

Actual request: GET /api/test?hmac=123&host=123&sell=123&t=123

Value accessible from req.url: /api/test?host=123hmac=123&t=123sell=123

It only changes the value on production, hosted on Vercel. On local development, req.url is the exact same value as the actual request.

Expected Behavior

query string isn't manipulated

To Reproduce

  1. Create next.js app
  2. Create API route
  3. Make GET request to route with some query parameters
  4. Deploy to Vercel
  5. Check req.url from API route and compare with the actual query string in GET request

CoolTechYT avatar Apr 08 '22 04:04 CoolTechYT

@CoolTechYT Did you solve this, I'm seeing the exact same issue...?

sigginjals avatar Aug 03 '22 17:08 sigginjals

@sigginjals I just sorted it something like this

        .sort()
        // @ts-ignore: TS2339: Property 'join' does not exist on type 'object'.
        .reduce((obj, key) => { obj[key] = req.query[key]; return obj; }, {});

Not sure if it's a perfect solution but it gets the job done

CoolTechYT avatar Oct 06 '22 04:10 CoolTechYT

I encountered a similar situation while working with Next.js 13 Route Handlers. It makes verify the request signature impossible.

michael-land avatar May 27 '23 23:05 michael-land

I am seeing the same issue (vercel+remix, in prod/staging only) and it's breaking signed urls where order of params in the query string is critical

stevejpurves avatar Nov 16 '23 21:11 stevejpurves

Having the same issue with Astro + Vercel, also trying to verify a signed url. Worked locally and then broke when deployed.

axeen avatar Nov 22 '23 10:11 axeen

Currently experiencing the same issue. We have no control over the request as its from the outside and we need to rely on the order not changing.

@sigginjals I just sorted it something like this

        .sort()
        // @ts-ignore: TS2339: Property 'join' does not exist on type 'object'.
        .reduce((obj, key) => { obj[key] = req.query[key]; return obj; }, {});

Not sure if it's a perfect solution but it gets the job done

Sadly this doesn't work at all for many cases as the order the parameters should be in might also not follow any pattern thats easily sortable.

BigBrainAFK avatar Dec 13 '23 14:12 BigBrainAFK

Currently experiencing the same issue. We have no control over the request as its from the outside and we need to rely on the order not changing.

@sigginjals I just sorted it something like this

        .sort()
        // @ts-ignore: TS2339: Property 'join' does not exist on type 'object'.
        .reduce((obj, key) => { obj[key] = req.query[key]; return obj; }, {});

Not sure if it's a perfect solution but it gets the job done

Sadly this doesn't work at all for many cases as the order the parameters should be in might also not follow any pattern thats easily sortable.

Yeah I figured so.

It works in my case but you'll have to find a solution that works for yours unfortunately.

CoolTechYT avatar Dec 14 '23 18:12 CoolTechYT

Same issue. Cannot verify signature in production

SkepticMystic avatar Jan 17 '24 06:01 SkepticMystic