Baroshem / nuxt-security

🛡 Automatically configure your app to follow OWASP security patterns and principles by using HTTP Headers and Middleware
https://nuxt-security.vercel.app/
MIT License
734 stars, 56 forks

Fails with the latest Nuxt #474

Closed hermes85pl closed 1 day ago

hermes85pl commented 6 days ago

Version

nuxt-security: 2.0.0-rc.6
nuxt: 3.12.1

Reproduction Link

https://stackblitz.com/edit/nuxt-starter-dijohg?file=nuxt.config.ts

Steps to reproduce

What is Expected?

🚀

What is actually happening?

```text
ERROR [nitro] [unhandledRejection] Cannot destructure property 'headers' of 'securityOptions' as it is undefined.
  at <anonymous> (node_modules/.pnpm/nuxt-security@2.0.0-rc.6_rollup@4.18.0/node_modules/nuxt-security/dist/runtime/nitro/plugins/00-routeRules.mjs:17:11)
  at createNitroApp (node_modules/.pnpm/nitropack@2.9.6_@opentelemetry+api@1.9.0_encoding@0.1.13/node_modules/nitropack/dist/runtime/app.mjs:143:7)
  at <anonymous> (node_modules/.pnpm/nitropack@2.9.6_@opentelemetry+api@1.9.0_encoding@0.1.13/node_modules/nitropack/dist/runtime/app.mjs:151:25)
  at ModuleJob.run (node:internal/modules/esm/module_job:222:25)
  at async ModuleLoader.import (node:internal/modules/esm/loader:323:24)
  at async loadESM (node:internal/process/esm_loader:28:7)
  at async handleMainPromise (node:internal/modules/run_main:113:12)
```

Baroshem commented 6 days ago

Hey,

It seems that the latest version of Nuxt has a breaking change for module authors. I will check it out and let you know.

Baroshem commented 6 days ago

@danielroe were there any changes in terms of how the routeRules are registered in the latest version of Nuxt? It seems to be breaking there

https://github.com/Baroshem/nuxt-security/blob/main/src/runtime/nitro/plugins/00-routeRules.ts#L15-L17

Baroshem commented 5 days ago

Daniel will create a patch for Nuxt to resolve this :)

GalacticHypernova commented 5 days ago

Oddly enough I can't seem to produce it in the playground with nuxt 3.12.1. @hermes85pl are you able to provide a stackblitz reproduction? If I can replicate the behavior I could maybe open a patch even sooner (that and I'm curious to actually see it in action)

danielroe commented 5 days ago

I'll absolutely look into this. As @GalacticHypernova says, however, I do need a reproduction 🙏

hermes85pl commented 5 days ago

It looks like this happens when you throw Turnstile in the mix.

https://stackblitz.com/edit/nuxt-starter-dijohg?file=nuxt.config.ts

GalacticHypernova commented 4 days ago

@Baroshem

TL;DR

This doesn't seem to be a Nuxt issue, at least not fully. It appears to also be an issue within nuxt security that came to be with the new nuxt update.

In-depth:

After looking around, the issue appears to be that "security" is not present in the nitro routeRules configuration:

image

The thing that causes the issue is this part: image

Where line 969, as seen by the event runtime config object, is accessing the non-existent security key, which therefore, as per the error logs, "cannot destructure headers of undefined".

I have a good feeling (unconfirmed yet but very logical) that removing L969 and changing L971 to the following will solve the issue:

```js
const { headers: headers2 } = rule
```

Has the security key been omitted on Nuxt's end or this module's end?

Seeing as the security config is handled with defuReplaceArray, perhaps the module code can include the security key in https://github.com/Baroshem/nuxt-security/blob/fd47d83f4a719f4dc024fb02d154596fe997722b/src/module.ts#L81 in case defuReplaceArray omits it?

Not only that, I tested how it looks, and it appears as though it may be polluting route rules with extra data, which may have some performance implications: image image

The only thing I couldn't figure out yet is what actually changes, besides this change https://github.com/nuxt/nuxt/pull/27117/files#diff-85b4fe47ac4284e88552626029d5147793563b4dcdab205cd8dc6afb190222aaL113-L126 which appears to be accidental as it could be the culprit for the missing data. @danielroe was that removal intentional? I would open a PR but I would like to have your permission first and certainty that it is responsible.
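
The failure mode discussed above, reduced to a runnable illustration. This is an added example, not nuxt-security's or Nuxt's own code: it uses a constructed `routeRules` map (the route names and header values are made up) and a hypothetical `collectHeaders` helper to show why destructuring `headers` from a rule's missing `security` key throws during app creation, and the guarded form that tolerates a route without a `security` entry, which is what this thread's proposed fix amounts to.

```javascript
// Added example, not nuxt-security's own code.
// Constructed sample of a nitro routeRules map: one route carries a
// `security` key, the other (e.g. a route added by another module) does not.
const sampleRouteRules = {
  '/': { security: { headers: { 'X-Frame-Options': 'DENY' } } },
  '/api/turnstile': { cors: true }, // no `security` key, like the failing case
};

// Mirrors the failing pattern: destructure `headers` straight from
// `rule.security`. When that key is absent this throws a TypeError
// ("Cannot destructure property 'headers' ... as it is undefined").
function headersUnguarded(rule) {
  const securityOptions = rule.security;
  const { headers } = securityOptions;
  return headers;
}

// Guarded form: fall back to an empty object when `security` is missing,
// and to an empty header set when `security.headers` is missing.
function headersGuarded(rule) {
  const { headers = {} } = rule.security ?? {};
  return headers;
}

// Hypothetical helper: apply an extractor to every route rule and record,
// rather than propagate, any error, so one bad route cannot abort startup.
function collectHeaders(routeRules, extract) {
  const headersByRoute = {};
  const errors = [];
  for (const [route, rule] of Object.entries(routeRules)) {
    try {
      headersByRoute[route] = extract(rule);
    } catch (e) {
      errors.push({ route, name: e.name, message: e.message });
    }
  }
  return { headersByRoute, errors };
}

// Usage: the unguarded extractor fails on the route without `security`;
// the guarded one yields {} for it and the configured headers for '/'.
const unguarded = collectHeaders(sampleRouteRules, headersUnguarded);
const guarded = collectHeaders(sampleRouteRules, headersGuarded);
console.log(unguarded.errors);
console.log(guarded.headersByRoute);
```

The guard is deliberately placed at the point of destructuring rather than by patching the merged config, so the plugin keeps working whether or not the upstream merge step populates `security` on every rule.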

danielroe commented 4 days ago

This should be resolved in https://github.com/nuxt/nuxt/pull/27596

Baroshem commented 4 days ago

image

hermes85pl commented 1 day ago

I confirm that I can no longer reproduce the issue after updating to Nuxt v3.12.2 that contains the aforementioned fix.