next.js: Requests to next internals (/_next/...) should never trigger app routes.

Bug report

Describe the bug / reproduction

We’ve had very time-consuming bug to find. We have pages/[...redirect].js fallback page which purpose is redirecting for languages (it was before Next 10).

Let’s assume next.js does a request to a file /_next/.../my-page.json (via Next Link) and the file doesn’t exist. This happens when page was rebuilt and we have new build ID and user still keeps old session in the browser. In that scenario, next.js will trigger /[...redirect].js route, although it’s pretty obvious that none of the /_next/... calls should really do this.

Because of that, instead of 404 for /_next/.../my-page.json which would trigger hard reload (which would in turn reset build ID to the new one), we get something that is completely random because our [...redirect].js got /_next/.../my-page.json path which it didn’t even take into account. This has far reaching consequences of weird and unexpected behaviours.

Expected behavior

If /_next/.../my-page.json doesn’t exist, next.js should simply return 404. Paths from /_next should never trigger app routing.

System information

OS: any
Browser: any
Version of Next.js: 9.5.3
Version of Node.js: (vercel default)
Deployment: Vercel

About this issue

Original URL
State: closed
Created 4 years ago
Reactions: 3
Comments: 18 (6 by maintainers)

Commits related to this issue

Ensure dynamic routes dont match _next/static unexpectedly (#62559) This ensures our dynamic routes that have the same specificity as `_next/static/:path*` don't get matched unexpectedly when the `... — committed to vercel/next.js by ijjk 4 months ago

Most upvoted comments

Naveed

On Fri, May 27, 2022, 8:16 PM Igo Lapa @.***> wrote:

We have some logic inside _app.tsx and with source maps enabled on the browser we are getting some 404s which is causing _app.tsx to be triggered and causing some weird issues in the application. As a workaround, we add some safety checks, for example, “if it’s 404 we don’t want to run this”.

Example of the error:

DevTools failed to load source map: Could not parse content for https://path.com/b0d8c17736ae7937.css.map: Unexpected token < in JSON at position 0

— Reply to this email directly, view it on GitHub https://github.com/vercel/next.js/issues/19270#issuecomment-1139713528, or unsubscribe https://github.com/notifications/unsubscribe-auth/ATXSTG7S5NFUC33DGVYCMVLVMDRNBANCNFSM4T2B27UA . You are receiving this because you are subscribed to this thread.Message ID: @.***>

Naveed-Iftikhar on May 30, 2022

I have a similar problem but different. I filled in the template for clarity:

Bug report

To Reproduce

Create a Next page with a dynamic route pages/books/[id].tsx
Return { notFound: true } from gSSP if the page does not exist (if the app couldn’t find a book with that id)
When an internal route (like /_next/data/[hash]/book/1234.json) is called with a non existing id (so gSSP returns notFound) it returns the fully built 404 page instead of a JSON response.

Describe the bug

Next internal API routes return an HTML response when gSPP returns { notFound: true }. In normal app usage, this is not a real problem but we had a user try to enumerate all endpoints (which is not protected given that all that info is public, so we don’t mind the enumeration) it caused unnecessary load and errors for our APP.

Expected behavior

When a data route returns 404 it doesn’t include HTML

System information

OS: any
Browser: any
Version of Next.js: 10.0.3
Version of Node.js: 12.14.1
Deployment: next start

Is this related enough or should I open a new ticket?

vdhpieter on Dec 17, 2020