Upload folder using huggingface_hub

b91e262 verified about 1 month ago

47.3 kB

	import type { IncomingHttpHeaders, OutgoingHttpHeaders } from 'node:http'
	import type { SizeLimit } from '../../types'
	import type { RequestStore } from '../app-render/work-unit-async-storage.external'
	import type { AppRenderContext, GenerateFlight } from './app-render'
	import type { AppPageModule } from '../route-modules/app-page/module'
	import type { BaseNextRequest, BaseNextResponse } from '../base-http'

	import {
	RSC_HEADER,
	RSC_CONTENT_TYPE_HEADER,
	NEXT_ROUTER_STATE_TREE_HEADER,
	ACTION_HEADER,
	NEXT_ACTION_NOT_FOUND_HEADER,
	NEXT_ROUTER_PREFETCH_HEADER,
	NEXT_ROUTER_SEGMENT_PREFETCH_HEADER,
	NEXT_URL,
	NEXT_ACTION_REVALIDATED_HEADER,
	} from '../../client/components/app-router-headers'
	import {
	getAccessFallbackHTTPStatus,
	isHTTPAccessFallbackError,
	} from '../../client/components/http-access-fallback/http-access-fallback'
	import {
	getRedirectTypeFromError,
	getURLFromRedirectError,
	} from '../../client/components/redirect'
	import {
	isRedirectError,
	type RedirectType,
	} from '../../client/components/redirect-error'
	import RenderResult, {
	type AppPageRenderResultMetadata,
	} from '../render-result'
	import type { WorkStore } from '../app-render/work-async-storage.external'
	import { FlightRenderResult } from './flight-render-result'
	import {
	filterReqHeaders,
	actionsForbiddenHeaders,
	} from '../lib/server-ipc/utils'
	import { getModifiedCookieValues } from '../web/spec-extension/adapters/request-cookies'

	import {
	JSON_CONTENT_TYPE_HEADER,
	NEXT_CACHE_REVALIDATED_TAGS_HEADER,
	NEXT_CACHE_REVALIDATE_TAG_TOKEN_HEADER,
	} from '../../lib/constants'
	import { getServerActionRequestMetadata } from '../lib/server-action-request-meta'
	import { isCsrfOriginAllowed } from './csrf-protection'
	import { warn } from '../../build/output/log'
	import { RequestCookies, ResponseCookies } from '../web/spec-extension/cookies'
	import { HeadersAdapter } from '../web/spec-extension/adapters/headers'
	import { fromNodeOutgoingHttpHeaders } from '../web/utils'
	import {
	selectWorkerForForwarding,
	type ServerModuleMap,
	getServerActionsManifest,
	getServerModuleMap,
	} from './manifests-singleton'
	import { isNodeNextRequest, isWebNextRequest } from '../base-http/helpers'
	import { RedirectStatusCode } from '../../client/components/redirect-status-code'
	import { synchronizeMutableCookies } from '../async-storage/request-store'
	import type { TemporaryReferenceSet } from 'react-server-dom-webpack/server'
	import { workUnitAsyncStorage } from '../app-render/work-unit-async-storage.external'
	import { InvariantError } from '../../shared/lib/invariant-error'
	import { executeRevalidates } from '../revalidation-utils'
	import { getRequestMeta } from '../request-meta'
	import { setCacheBustingSearchParam } from '../../client/components/router-reducer/set-cache-busting-search-param'
	import {
	ActionDidNotRevalidate,
	ActionDidRevalidateStaticAndDynamic,
	} from '../../shared/lib/action-revalidation-kind'

	/**
	* Checks if the app has any server actions defined in any runtime.
	*/
	function hasServerActions() {
	const serverActionsManifest = getServerActionsManifest()

	return (
	Object.keys(serverActionsManifest.node).length > 0 \|\|
	Object.keys(serverActionsManifest.edge).length > 0
	)
	}

	function nodeHeadersToRecord(
	headers: IncomingHttpHeaders \| OutgoingHttpHeaders
	) {
	const record: Record<string, string> = {}
	for (const [key, value] of Object.entries(headers)) {
	if (value !== undefined) {
	record[key] = Array.isArray(value) ? value.join(', ') : `${value}`
	}
	}
	return record
	}

	function getForwardedHeaders(
	req: BaseNextRequest,
	res: BaseNextResponse
	): Headers {
	// Get request headers and cookies
	const requestHeaders = req.headers
	const requestCookies = new RequestCookies(HeadersAdapter.from(requestHeaders))

	// Get response headers and cookies
	const responseHeaders = res.getHeaders()
	const responseCookies = new ResponseCookies(
	fromNodeOutgoingHttpHeaders(responseHeaders)
	)

	// Merge request and response headers
	const mergedHeaders = filterReqHeaders(
	{
	...nodeHeadersToRecord(requestHeaders),
	...nodeHeadersToRecord(responseHeaders),
	},
	actionsForbiddenHeaders
	) as Record<string, string>

	// Merge cookies into requestCookies, so responseCookies always take precedence
	// and overwrite/delete those from requestCookies.
	responseCookies.getAll().forEach((cookie) => {
	if (typeof cookie.value === 'undefined') {
	requestCookies.delete(cookie.name)
	} else {
	requestCookies.set(cookie)
	}
	})

	// Update the 'cookie' header with the merged cookies
	mergedHeaders['cookie'] = requestCookies.toString()

	// Remove headers that should not be forwarded
	delete mergedHeaders['transfer-encoding']

	return new Headers(mergedHeaders)
	}

	function addRevalidationHeader(
	res: BaseNextResponse,
	{
	workStore,
	requestStore,
	}: {
	workStore: WorkStore
	requestStore: RequestStore
	}
	) {
	// If a tag was revalidated, the client router needs to invalidate all the
	// client router cache as they may be stale. And if a path was revalidated, the
	// client needs to invalidate all subtrees below that path.

	// TODO: Currently we don't send the specific tags or paths to the client,
	// we just send a flag indicating that all the static data on the client
	// should be invalidated. In the future, this will likely be a Bloom filter
	// or bitmask of some kind.

	// TODO-APP: Currently the prefetch cache doesn't have subtree information,
	// so we need to invalidate the entire cache if a path was revalidated.
	// TODO-APP: Currently paths are treated as tags, so the second element of the tuple
	// is always empty.

	// Only count tags without a profile (updateTag) as requiring client cache invalidation
	// Tags with a profile (revalidateTag) use stale-while-revalidate and shouldn't
	// trigger immediate client-side cache invalidation
	const isTagRevalidated = workStore.pendingRevalidatedTags?.some(
	(item) => item.profile === undefined
	)
	? 1
	: 0
	const isCookieRevalidated = getModifiedCookieValues(
	requestStore.mutableCookies
	).length
	? 1
	: 0

	// First check if a tag, cookie, or path was revalidated.
	if (isTagRevalidated \|\| isCookieRevalidated) {
	res.setHeader(
	NEXT_ACTION_REVALIDATED_HEADER,
	JSON.stringify(ActionDidRevalidateStaticAndDynamic)
	)
	} else if (
	// Check for refresh() actions. This will invalidate only the dynamic data.
	workStore.pathWasRevalidated !== undefined &&
	workStore.pathWasRevalidated !== ActionDidNotRevalidate
	) {
	res.setHeader(
	NEXT_ACTION_REVALIDATED_HEADER,
	JSON.stringify(workStore.pathWasRevalidated)
	)
	}
	}

	/**
	* Forwards a server action request to a separate worker. Used when the requested action is not available in the current worker.
	*/
	async function createForwardedActionResponse(
	req: BaseNextRequest,
	res: BaseNextResponse,
	host: Host,
	workerPathname: string,
	basePath: string
	) {
	if (!host) {
	throw new Error(
	'Invariant: Missing `host` header from a forwarded Server Actions request.'
	)
	}

	const forwardedHeaders = getForwardedHeaders(req, res)

	// indicate that this action request was forwarded from another worker
	// we use this to skip rendering the flight tree so that we don't update the UI
	// with the response from the forwarded worker
	forwardedHeaders.set('x-action-forwarded', '1')

	const proto =
	getRequestMeta(req, 'initProtocol')?.replace(/:+$/, '') \|\| 'https'

	// For standalone or the serverful mode, use the internal origin directly
	// other than the host headers from the request.
	const origin = process.env.__NEXT_PRIVATE_ORIGIN \|\| `${proto}://${host.value}`

	const fetchUrl = new URL(`${origin}${basePath}${workerPathname}`)

	try {
	let body: BodyInit \| ReadableStream<Uint8Array> \| undefined
	if (
	// The type check here ensures that `req` is correctly typed, and the
	// environment variable check provides dead code elimination.
	process.env.NEXT_RUNTIME === 'edge' &&
	isWebNextRequest(req)
	) {
	if (!req.body) {
	throw new Error('Invariant: missing request body.')
	}

	body = req.body
	} else if (
	// The type check here ensures that `req` is correctly typed, and the
	// environment variable check provides dead code elimination.
	process.env.NEXT_RUNTIME !== 'edge' &&
	isNodeNextRequest(req)
	) {
	body = req.stream()
	} else {
	throw new Error('Invariant: Unknown request type.')
	}

	// Forward the request to the new worker
	const response = await fetch(fetchUrl, {
	method: 'POST',
	body,
	duplex: 'half',
	headers: forwardedHeaders,
	redirect: 'manual',
	next: {
	// @ts-ignore
	internal: 1,
	},
	})

	if (
	response.headers.get('content-type')?.startsWith(RSC_CONTENT_TYPE_HEADER)
	) {
	// copy the headers from the redirect response to the response we're sending
	for (const [key, value] of response.headers) {
	if (!actionsForbiddenHeaders.includes(key)) {
	res.setHeader(key, value)
	}
	}

	return new FlightRenderResult(response.body!)
	} else {
	// Since we aren't consuming the response body, we cancel it to avoid memory leaks
	response.body?.cancel()
	}
	} catch (err) {
	// we couldn't stream the forwarded response, so we'll just return an empty response
	console.error(`failed to forward action response`, err)
	}

	return RenderResult.fromStatic('{}', JSON_CONTENT_TYPE_HEADER)
	}

	/**
	* Returns the parsed redirect URL if we deem that it is hosted by us.
	*
	* We handle both relative and absolute redirect URLs.
	*
	* In case the redirect URL is not relative to the application we return `null`.
	*/
	function getAppRelativeRedirectUrl(
	basePath: string,
	host: Host,
	redirectUrl: string,
	currentPathname?: string
	): URL \| null {
	if (redirectUrl.startsWith('/')) {
	// Absolute path - just add basePath
	return new URL(`${basePath}${redirectUrl}`, 'http://n')
	} else if (redirectUrl.startsWith('.')) {
	// Relative path - resolve relative to current pathname
	let base = currentPathname \|\| '/'
	// Ensure the base path ends with a slash so relative resolution works correctly
	// e.g., "./subpage" from "/subdir" should resolve to "/subdir/subpage"
	// not "/subpage"
	if (!base.endsWith('/')) {
	base = base + '/'
	}
	const resolved = new URL(redirectUrl, `http://n${base}`)
	// Include basePath in the final URL
	return new URL(
	`${basePath}${resolved.pathname}${resolved.search}${resolved.hash}`,
	'http://n'
	)
	}

	const parsedRedirectUrl = new URL(redirectUrl)

	if (host?.value !== parsedRedirectUrl.host) {
	return null
	}

	// At this point the hosts are the same, just confirm we
	// are routing to a path underneath the `basePath`
	return parsedRedirectUrl.pathname.startsWith(basePath)
	? parsedRedirectUrl
	: null
	}

	async function createRedirectRenderResult(
	req: BaseNextRequest,
	res: BaseNextResponse,
	originalHost: Host,
	redirectUrl: string,
	redirectType: RedirectType,
	basePath: string,
	workStore: WorkStore,
	currentPathname?: string
	) {
	res.setHeader('x-action-redirect', `${redirectUrl};${redirectType}`)

	// If we're redirecting to another route of this Next.js application, we'll
	// try to stream the response from the other worker path. When that works,
	// we can save an extra roundtrip and avoid a full page reload.
	// When the redirect URL starts with a `/` or is to the same host, under the
	// `basePath` we treat it as an app-relative redirect;
	const appRelativeRedirectUrl = getAppRelativeRedirectUrl(
	basePath,
	originalHost,
	redirectUrl,
	currentPathname
	)

	if (appRelativeRedirectUrl) {
	if (!originalHost) {
	throw new Error(
	'Invariant: Missing `host` header from a forwarded Server Actions request.'
	)
	}

	const forwardedHeaders = getForwardedHeaders(req, res)
	forwardedHeaders.set(RSC_HEADER, '1')

	const proto =
	getRequestMeta(req, 'initProtocol')?.replace(/:+$/, '') \|\| 'https'

	// For standalone or the serverful mode, use the internal origin directly
	// other than the host headers from the request.
	const origin =
	process.env.__NEXT_PRIVATE_ORIGIN \|\| `${proto}://${originalHost.value}`

	const fetchUrl = new URL(
	`${origin}${appRelativeRedirectUrl.pathname}${appRelativeRedirectUrl.search}`
	)

	if (workStore.pendingRevalidatedTags) {
	forwardedHeaders.set(
	NEXT_CACHE_REVALIDATED_TAGS_HEADER,
	workStore.pendingRevalidatedTags.map((item) => item.tag).join(',')
	)
	forwardedHeaders.set(
	NEXT_CACHE_REVALIDATE_TAG_TOKEN_HEADER,
	workStore.incrementalCache?.prerenderManifest?.preview?.previewModeId \|\|
	''
	)
	}

	// Ensures that when the path was revalidated we don't return a partial response on redirects
	forwardedHeaders.delete(NEXT_ROUTER_STATE_TREE_HEADER)
	// When an action follows a redirect, it's no longer handling an action: it's just a normal RSC request
	// to the requested URL. We should remove the `next-action` header so that it's not treated as an action
	forwardedHeaders.delete(ACTION_HEADER)

	try {
	setCacheBustingSearchParam(fetchUrl, {
	[NEXT_ROUTER_PREFETCH_HEADER]: forwardedHeaders.get(
	NEXT_ROUTER_PREFETCH_HEADER
	)
	? ('1' as const)
	: undefined,
	[NEXT_ROUTER_SEGMENT_PREFETCH_HEADER]:
	forwardedHeaders.get(NEXT_ROUTER_SEGMENT_PREFETCH_HEADER) ??
	undefined,
	[NEXT_ROUTER_STATE_TREE_HEADER]:
	forwardedHeaders.get(NEXT_ROUTER_STATE_TREE_HEADER) ?? undefined,
	[NEXT_URL]: forwardedHeaders.get(NEXT_URL) ?? undefined,
	})

	const response = await fetch(fetchUrl, {
	method: 'GET',
	headers: forwardedHeaders,
	next: {
	// @ts-ignore
	internal: 1,
	},
	})

	if (
	response.headers
	.get('content-type')
	?.startsWith(RSC_CONTENT_TYPE_HEADER)
	) {
	// copy the headers from the redirect response to the response we're sending
	for (const [key, value] of response.headers) {
	if (!actionsForbiddenHeaders.includes(key)) {
	res.setHeader(key, value)
	}
	}

	return new FlightRenderResult(response.body!)
	} else {
	// Since we aren't consuming the response body, we cancel it to avoid memory leaks
	response.body?.cancel()
	}
	} catch (err) {
	// we couldn't stream the redirect response, so we'll just do a normal redirect
	console.error(`failed to get redirect response`, err)
	}
	}

	return RenderResult.EMPTY
	}

	// Used to compare Host header and Origin header.
	const enum HostType {
	XForwardedHost = 'x-forwarded-host',
	Host = 'host',
	}
	type Host =
	\| {
	type: HostType.XForwardedHost
	value: string
	}
	\| {
	type: HostType.Host
	value: string
	}
	\| undefined

	/**
	* Ensures the value of the header can't create long logs.
	*/
	function limitUntrustedHeaderValueForLogs(value: string) {
	return value.length > 100 ? value.slice(0, 100) + '...' : value
	}

	export function parseHostHeader(
	headers: IncomingHttpHeaders,
	originDomain?: string
	) {
	const forwardedHostHeader = headers['x-forwarded-host']
	const forwardedHostHeaderValue =
	forwardedHostHeader && Array.isArray(forwardedHostHeader)
	? forwardedHostHeader[0]
	: forwardedHostHeader?.split(',')?.[0]?.trim()
	const hostHeader = headers['host']

	if (originDomain) {
	return forwardedHostHeaderValue === originDomain
	? {
	type: HostType.XForwardedHost,
	value: forwardedHostHeaderValue,
	}
	: hostHeader === originDomain
	? {
	type: HostType.Host,
	value: hostHeader,
	}
	: undefined
	}

	return forwardedHostHeaderValue
	? {
	type: HostType.XForwardedHost,
	value: forwardedHostHeaderValue,
	}
	: hostHeader
	? {
	type: HostType.Host,
	value: hostHeader,
	}
	: undefined
	}

	type ServerActionsConfig = {
	bodySizeLimit?: SizeLimit
	allowedOrigins?: string[]
	}

	type HandleActionResult =
	\| {
	/** An MPA action threw notFound(), and we need to render the appropriate HTML */
	type: 'not-found'
	}
	\| {
	type: 'done'
	result: RenderResult \| undefined
	formState?: any
	}
	/** The request turned out not to be a server action. */
	\| null

	export async function handleAction({
	req,
	res,
	ComponentMod,
	generateFlight,
	workStore,
	requestStore,
	serverActions,
	ctx,
	metadata,
	}: {
	req: BaseNextRequest
	res: BaseNextResponse
	ComponentMod: AppPageModule
	generateFlight: GenerateFlight
	workStore: WorkStore
	requestStore: RequestStore
	serverActions?: ServerActionsConfig
	ctx: AppRenderContext
	metadata: AppPageRenderResultMetadata
	}): Promise<HandleActionResult> {
	const contentType = req.headers['content-type']
	const { page } = ctx.renderOpts
	const serverModuleMap = getServerModuleMap()

	const {
	actionId,
	isMultipartAction,
	isFetchAction,
	isURLEncodedAction,
	isPossibleServerAction,
	} = getServerActionRequestMetadata(req)

	const handleUnrecognizedFetchAction = (err: unknown): HandleActionResult => {
	// If the deployment doesn't have skew protection, this is expected to occasionally happen,
	// so we use a warning instead of an error.
	console.warn(err)

	// Return an empty response with a header that the client router will interpret.
	// We don't need to waste time encoding a flight response, and using a blank body + header
	// means that unrecognized actions can also be handled at the infra level
	// (i.e. without needing to invoke a lambda)
	res.setHeader(NEXT_ACTION_NOT_FOUND_HEADER, '1')
	res.setHeader('content-type', 'text/plain')
	res.statusCode = 404
	return {
	type: 'done',
	result: RenderResult.fromStatic('Server action not found.', 'text/plain'),
	}
	}

	// If it can't be a Server Action, skip handling.
	// Note that this can be a false positive -- any multipart/urlencoded POST can get us here,
	// But won't know if it's an MPA action or not until we call `decodeAction` below.
	if (!isPossibleServerAction) {
	return null
	}

	// We don't currently support URL encoded actions, so we bail out early.
	// Depending on if it's a fetch action or an MPA, we return a different response.
	if (isURLEncodedAction) {
	if (isFetchAction) {
	return {
	type: 'not-found',
	}
	} else {
	// This is an MPA action, so we return null
	return null
	}
	}

	// If the app has no server actions at all, we can 404 early.
	if (!hasServerActions()) {
	return handleUnrecognizedFetchAction(getActionNotFoundError(actionId))
	}

	if (workStore.isStaticGeneration) {
	throw new Error(
	"Invariant: server actions can't be handled during static rendering"
	)
	}

	let temporaryReferences: TemporaryReferenceSet \| undefined

	// When running actions the default is no-store, you can still `cache: 'force-cache'`
	workStore.fetchCache = 'default-no-store'

	const originHeader = req.headers['origin']
	const originDomain =
	typeof originHeader === 'string' && originHeader !== 'null'
	? new URL(originHeader).host
	: undefined
	const host = parseHostHeader(req.headers)

	let warning: string \| undefined = undefined

	function warnBadServerActionRequest() {
	if (warning) {
	warn(warning)
	}
	}
	// This is to prevent CSRF attacks. If `x-forwarded-host` is set, we need to
	// ensure that the request is coming from the same host.
	if (!originDomain) {
	// This might be an old browser that doesn't send `host` header. We ignore
	// this case.
	warning = 'Missing `origin` header from a forwarded Server Actions request.'
	} else if (!host \|\| originDomain !== host.value) {
	// If the customer sets a list of allowed origins, we'll allow the request.
	// These are considered safe but might be different from forwarded host set
	// by the infra (i.e. reverse proxies).
	if (isCsrfOriginAllowed(originDomain, serverActions?.allowedOrigins)) {
	// Ignore it
	} else {
	if (host) {
	// This seems to be an CSRF attack. We should not proceed the action.
	console.error(
	`\`${
	host.type
	}\` header with value \`${limitUntrustedHeaderValueForLogs(
	host.value
	)}\` does not match \`origin\` header with value \`${limitUntrustedHeaderValueForLogs(
	originDomain
	)}\` from a forwarded Server Actions request. Aborting the action.`
	)
	} else {
	// This is an attack. We should not proceed the action.
	console.error(
	`\`x-forwarded-host\` or \`host\` headers are not provided. One of these is needed to compare the \`origin\` header from a forwarded Server Actions request. Aborting the action.`
	)
	}

	const error = new Error('Invalid Server Actions request.')

	if (isFetchAction) {
	res.statusCode = 500
	metadata.statusCode = 500

	const promise = Promise.reject(error)
	try {
	// we need to await the promise to trigger the rejection early
	// so that it's already handled by the time we call
	// the RSC runtime. Otherwise, it will throw an unhandled
	// promise rejection error in the renderer.
	await promise
	} catch {
	// swallow error, it's gonna be handled on the client
	}

	return {
	type: 'done',
	result: await generateFlight(req, ctx, requestStore, {
	actionResult: promise,
	// We didn't execute an action, so no revalidations could have
	// occurred. We can skip rendering the page.
	skipPageRendering: true,
	temporaryReferences,
	}),
	}
	}

	throw error
	}
	}

	// ensure we avoid caching server actions unexpectedly
	res.setHeader(
	'Cache-Control',
	'no-cache, no-store, max-age=0, must-revalidate'
	)

	const { actionAsyncStorage } = ComponentMod

	const actionWasForwarded = Boolean(req.headers['x-action-forwarded'])

	if (actionId) {
	const forwardedWorker = selectWorkerForForwarding(actionId, page)

	// If forwardedWorker is truthy, it means there isn't a worker for the action
	// in the current handler, so we forward the request to a worker that has the action.
	if (forwardedWorker) {
	return {
	type: 'done',
	result: await createForwardedActionResponse(
	req,
	res,
	host,
	forwardedWorker,
	ctx.renderOpts.basePath
	),
	}
	}
	}

	try {
	return await actionAsyncStorage.run(
	{ isAction: true },
	async (): Promise<HandleActionResult> => {
	// We only use these for fetch actions -- MPA actions handle them inside `decodeAction`.
	let actionModId: string \| number \| undefined
	let boundActionArguments: unknown[] = []

	if (
	// The type check here ensures that `req` is correctly typed, and the
	// environment variable check provides dead code elimination.
	process.env.NEXT_RUNTIME === 'edge' &&
	isWebNextRequest(req)
	) {
	if (!req.body) {
	throw new Error('invariant: Missing request body.')
	}

	// TODO: add body limit

	// Use react-server-dom-webpack/server
	const {
	createTemporaryReferenceSet,
	decodeReply,
	decodeAction,
	decodeFormState,
	} = ComponentMod

	temporaryReferences = createTemporaryReferenceSet()

	if (isMultipartAction) {
	// TODO-APP: Add streaming support
	const formData = await req.request.formData()
	if (isFetchAction) {
	// A fetch action with a multipart body.

	try {
	actionModId = getActionModIdOrError(actionId, serverModuleMap)
	} catch (err) {
	return handleUnrecognizedFetchAction(err)
	}

	boundActionArguments = await decodeReply(
	formData,
	serverModuleMap,
	{ temporaryReferences }
	)
	} else {
	// Multipart POST, but not a fetch action.
	// Potentially an MPA action, we have to try decoding it to check.
	if (areAllActionIdsValid(formData, serverModuleMap) === false) {
	// TODO: This can be from skew or manipulated input. We should handle this case
	// more gracefully but this preserves the prior behavior where decodeAction would throw instead.
	throw new Error(
	`Failed to find Server Action. This request might be from an older or newer deployment.\nRead more: https://nextjs.org/docs/messages/failed-to-find-server-action`
	)
	}

	const action = await decodeAction(formData, serverModuleMap)
	if (typeof action === 'function') {
	// an MPA action.

	// Only warn if it's a server action, otherwise skip for other post requests
	warnBadServerActionRequest()

	const { actionResult } = await executeActionAndPrepareForRender(
	action as () => Promise<unknown>,
	[],
	workStore,
	requestStore,
	actionWasForwarded
	)

	const formState = await decodeFormState(
	actionResult,
	formData,
	serverModuleMap
	)

	// Skip the fetch path.
	// We need to render a full HTML version of the page for the response, we'll handle that in app-render.
	return {
	type: 'done',
	result: undefined,
	formState,
	}
	} else {
	// We couldn't decode an action, so this POST request turned out not to be a server action request.
	return null
	}
	}
	} else {
	// POST with non-multipart body.

	// If it's not multipart AND not a fetch action,
	// then it can't be an action request.
	if (!isFetchAction) {
	return null
	}

	try {
	actionModId = getActionModIdOrError(actionId, serverModuleMap)
	} catch (err) {
	return handleUnrecognizedFetchAction(err)
	}

	// A fetch action with a non-multipart body.
	// In practice, this happens if `encodeReply` returned a string instead of FormData,
	// which can happen for very simple JSON-like values that don't need multiple flight rows.

	const chunks: Buffer[] = []
	const reader = req.body.getReader()
	while (true) {
	const { done, value } = await reader.read()
	if (done) {
	break
	}

	chunks.push(value)
	}

	const actionData = Buffer.concat(chunks).toString('utf-8')

	boundActionArguments = await decodeReply(
	actionData,
	serverModuleMap,
	{ temporaryReferences }
	)
	}
	} else if (
	// The type check here ensures that `req` is correctly typed, and the
	// environment variable check provides dead code elimination.
	process.env.NEXT_RUNTIME !== 'edge' &&
	isNodeNextRequest(req)
	) {
	// Use react-server-dom-webpack/server.node which supports streaming
	const {
	createTemporaryReferenceSet,
	decodeReply,
	decodeReplyFromBusboy,
	decodeAction,
	decodeFormState,
	} = require(
	`./react-server.node`
	) as typeof import('./react-server.node')

	temporaryReferences = createTemporaryReferenceSet()

	const { PassThrough, Readable, Transform } =
	require('node:stream') as typeof import('node:stream')
	const { pipeline } =
	require('node:stream/promises') as typeof import('node:stream/promises')

	const defaultBodySizeLimit = '1 MB'
	const bodySizeLimit =
	serverActions?.bodySizeLimit ?? defaultBodySizeLimit
	const bodySizeLimitBytes =
	bodySizeLimit !== defaultBodySizeLimit
	? (
	require('next/dist/compiled/bytes') as typeof import('next/dist/compiled/bytes')
	).parse(bodySizeLimit)
	: 1024 * 1024 // 1 MB

	let size = 0
	const sizeLimitTransform = new Transform({
	transform(chunk, encoding, callback) {
	size += Buffer.byteLength(chunk, encoding)
	if (size > bodySizeLimitBytes) {
	const { ApiError } =
	require('../api-utils') as typeof import('../api-utils')

	callback(
	new ApiError(
	413,
	`Body exceeded ${bodySizeLimit} limit.\n` +
	`To configure the body size limit for Server Actions, see: https://nextjs.org/docs/app/api-reference/next-config-js/serverActions#bodysizelimit`
	)
	)
	return
	}

	callback(null, chunk)
	},
	})

	if (isMultipartAction) {
	if (isFetchAction) {
	// A fetch action with a multipart body.

	try {
	actionModId = getActionModIdOrError(actionId, serverModuleMap)
	} catch (err) {
	return handleUnrecognizedFetchAction(err)
	}

	const busboy = (
	require('next/dist/compiled/busboy') as typeof import('next/dist/compiled/busboy')
	)({
	defParamCharset: 'utf8',
	headers: req.headers,
	limits: { fieldSize: bodySizeLimitBytes },
	})

	const abortController = new AbortController()
	try {
	;[, boundActionArguments] = await Promise.all([
	pipeline(req.body, sizeLimitTransform, busboy, {
	signal: abortController.signal,
	}),
	decodeReplyFromBusboy(busboy, serverModuleMap, {
	temporaryReferences,
	}),
	])
	} catch (err) {
	abortController.abort()
	throw err
	}
	} else {
	// Multipart POST, but not a fetch action.
	// Potentially an MPA action, we have to try decoding it to check.

	const sizeLimitedBody = new PassThrough()

	// React doesn't yet publish a busboy version of decodeAction
	// so we polyfill the parsing of FormData.
	const fakeRequest = new Request('http://localhost', {
	method: 'POST',
	// @ts-expect-error
	headers: { 'Content-Type': contentType },
	body: Readable.toWeb(
	sizeLimitedBody
	) as ReadableStream<Uint8Array>,
	duplex: 'half',
	})

	let formData: FormData
	const abortController = new AbortController()
	try {
	;[, formData] = await Promise.all([
	pipeline(req.body, sizeLimitTransform, sizeLimitedBody, {
	signal: abortController.signal,
	}),
	fakeRequest.formData(),
	])
	} catch (err) {
	abortController.abort()
	throw err
	}

	if (areAllActionIdsValid(formData, serverModuleMap) === false) {
	// TODO: This can be from skew or manipulated input. We should handle this case
	// more gracefully but this preserves the prior behavior where decodeAction would throw instead.
	throw new Error(
	`Failed to find Server Action. This request might be from an older or newer deployment.\nRead more: https://nextjs.org/docs/messages/failed-to-find-server-action`
	)
	}

	// TODO: Refactor so it is harder to accidentally decode an action before you have validated that the
	// action referred to is available.
	const action = await decodeAction(formData, serverModuleMap)
	if (typeof action === 'function') {
	// an MPA action.

	// Only warn if it's a server action, otherwise skip for other post requests
	warnBadServerActionRequest()

	const { actionResult } = await executeActionAndPrepareForRender(
	action as () => Promise<unknown>,
	[],
	workStore,
	requestStore,
	actionWasForwarded
	)

	const formState = await decodeFormState(
	actionResult,
	formData,
	serverModuleMap
	)

	// Skip the fetch path.
	// We need to render a full HTML version of the page for the response, we'll handle that in app-render.
	return {
	type: 'done',
	result: undefined,
	formState,
	}
	} else {
	// We couldn't decode an action, so this POST request turned out not to be a server action request.
	return null
	}
	}
	} else {
	// POST with non-multipart body.

	// If it's not multipart AND not a fetch action,
	// then it can't be an action request.
	if (!isFetchAction) {
	return null
	}

	try {
	actionModId = getActionModIdOrError(actionId, serverModuleMap)
	} catch (err) {
	return handleUnrecognizedFetchAction(err)
	}

	// A fetch action with a non-multipart body.
	// In practice, this happens if `encodeReply` returned a string instead of FormData,
	// which can happen for very simple JSON-like values that don't need multiple flight rows.

	const sizeLimitedBody = new PassThrough()

	const chunks: Buffer[] = []
	await Promise.all([
	pipeline(req.body, sizeLimitTransform, sizeLimitedBody),
	(async () => {
	for await (const chunk of sizeLimitedBody) {
	chunks.push(Buffer.from(chunk))
	}
	})(),
	])

	const actionData = Buffer.concat(chunks).toString('utf-8')

	boundActionArguments = await decodeReply(
	actionData,
	serverModuleMap,
	{ temporaryReferences }
	)
	}
	} else {
	throw new Error('Invariant: Unknown request type.')
	}

	// actions.js
	// app/page.js
	// action worker1
	// appRender1

	// app/foo/page.js
	// action worker2
	// appRender

	// / -> fire action -> POST / -> appRender1 -> modId for the action file
	// /foo -> fire action -> POST /foo -> appRender2 -> modId for the action file

	const actionMod = (await ComponentMod.__next_app__.require(
	actionModId
	)) as Record<string, (...args: unknown[]) => Promise<unknown>>
	const actionHandler =
	actionMod[
	// `actionId` must exist if we got here, as otherwise we would have thrown an error above
	actionId!
	]

	const { actionResult, skipPageRendering } =
	await executeActionAndPrepareForRender(
	actionHandler,
	boundActionArguments,
	workStore,
	requestStore,
	actionWasForwarded
	).finally(() => {
	addRevalidationHeader(res, { workStore, requestStore })
	})

	// For form actions, we need to continue rendering the page.
	if (isFetchAction) {
	// If we skip page rendering, we need to ensure pending revalidates
	// are awaited before closing the response. Otherwise, this will be
	// done after rendering the page.
	const maybeRevalidatesPromise = skipPageRendering
	? executeRevalidates(workStore)
	: false

	return {
	type: 'done',
	result: await generateFlight(req, ctx, requestStore, {
	actionResult: Promise.resolve(actionResult),
	skipPageRendering,
	temporaryReferences,
	waitUntil:
	maybeRevalidatesPromise === false
	? undefined
	: maybeRevalidatesPromise,
	}),
	}
	} else {
	// TODO: this shouldn't be reachable, because all non-fetch codepaths return early.
	// this will be handled in a follow-up refactor PR.
	return null
	}
	}
	)
	} catch (err) {
	if (isRedirectError(err)) {
	const redirectUrl = getURLFromRedirectError(err)
	const redirectType = getRedirectTypeFromError(err)

	// if it's a fetch action, we'll set the status code for logging/debugging purposes
	// but we won't set a Location header, as the redirect will be handled by the client router
	res.statusCode = RedirectStatusCode.SeeOther
	metadata.statusCode = RedirectStatusCode.SeeOther

	if (isFetchAction) {
	return {
	type: 'done',
	result: await createRedirectRenderResult(
	req,
	res,
	host,
	redirectUrl,
	redirectType,
	ctx.renderOpts.basePath,
	workStore,
	requestStore.url.pathname
	),
	}
	}

	// For an MPA action, the redirect doesn't need a body, just a Location header.
	res.setHeader('Location', redirectUrl)
	return {
	type: 'done',
	result: RenderResult.EMPTY,
	}
	} else if (isHTTPAccessFallbackError(err)) {
	res.statusCode = getAccessFallbackHTTPStatus(err)
	metadata.statusCode = res.statusCode

	if (isFetchAction) {
	const promise = Promise.reject(err)
	try {
	// we need to await the promise to trigger the rejection early
	// so that it's already handled by the time we call
	// the RSC runtime. Otherwise, it will throw an unhandled
	// promise rejection error in the renderer.
	await promise
	} catch {
	// swallow error, it's gonna be handled on the client
	}
	return {
	type: 'done',
	result: await generateFlight(req, ctx, requestStore, {
	skipPageRendering: false,
	actionResult: promise,
	temporaryReferences,
	}),
	}
	}

	// For an MPA action, we need to render a HTML response. We'll handle that in app-render.
	return {
	type: 'not-found',
	}
	}

	// An error that didn't come from `redirect()` or `notFound()`, likely thrown from user code
	// (but it could also be a bug in our code!)

	if (isFetchAction) {
	// TODO: consider checking if the error is an `ApiError` and change status code
	// so that we can respond with a 413 to requests that break the body size limit
	// (but if we do that, we also need to make sure that whatever handles the non-fetch error path below does the same)
	res.statusCode = 500
	metadata.statusCode = 500
	const promise = Promise.reject(err)
	try {
	// we need to await the promise to trigger the rejection early
	// so that it's already handled by the time we call
	// the RSC runtime. Otherwise, it will throw an unhandled
	// promise rejection error in the renderer.
	await promise
	} catch {
	// swallow error, it's gonna be handled on the client
	}

	return {
	type: 'done',
	result: await generateFlight(req, ctx, requestStore, {
	actionResult: promise,
	// If the page was not revalidated, or if the action was forwarded
	// from another worker, we can skip rendering the page.
	skipPageRendering:
	workStore.pathWasRevalidated === undefined \|\|
	workStore.pathWasRevalidated === ActionDidNotRevalidate \|\|
	actionWasForwarded,
	temporaryReferences,
	}),
	}
	}

	// For an MPA action, we need to render a HTML response. We'll rethrow the error and let it be handled above.
	throw err
	}
	}

	async function executeActionAndPrepareForRender<
	TFn extends (...args: any[]) => Promise<any>,
	>(
	action: TFn,
	args: Parameters<TFn>,
	workStore: WorkStore,
	requestStore: RequestStore,
	actionWasForwarded: boolean
	): Promise<{
	actionResult: Awaited<ReturnType<TFn>>
	skipPageRendering: boolean
	}> {
	requestStore.phase = 'action'
	let skipPageRendering = actionWasForwarded

	try {
	const actionResult = await workUnitAsyncStorage.run(requestStore, () =>
	action.apply(null, args)
	)

	// If the page was not revalidated, or if the action was forwarded from
	// another worker, we can skip rendering the page.
	skipPageRendering \|\|=
	workStore.pathWasRevalidated === undefined \|\|
	workStore.pathWasRevalidated === ActionDidNotRevalidate

	return { actionResult, skipPageRendering }
	} finally {
	if (!skipPageRendering) {
	requestStore.phase = 'render'

	// When we switch to the render phase, cookies() will return
	// `workUnitStore.cookies` instead of
	// `workUnitStore.userspaceMutableCookies`. We want the render to see any
	// cookie writes that we performed during the action, so we need to update
	// the immutable cookies to reflect the changes.
	synchronizeMutableCookies(requestStore)

	// The server action might have toggled draft mode, so we need to reflect
	// that in the work store to be up-to-date for subsequent rendering.
	workStore.isDraftMode = requestStore.draftMode.isEnabled

	// If the action called revalidateTag/revalidatePath, then that might
	// affect data used by the subsequent render, so we need to make sure all
	// revalidations are applied before that.
	await executeRevalidates(workStore)
	}
	}
	}

	/**
	* Attempts to find the module ID for the action from the module map. When this fails, it could be a deployment skew where
	* the action came from a different deployment. It could also simply be an invalid POST request that is not a server action.
	* In either case, we'll throw an error to be handled by the caller.
	*/
	function getActionModIdOrError(
	actionId: string \| null,
	serverModuleMap: ServerModuleMap
	): string \| number {
	// if we're missing the action ID header, we can't do any further processing
	if (!actionId) {
	throw new InvariantError("Missing 'next-action' header.")
	}

	const actionModId = serverModuleMap[actionId]?.id

	if (!actionModId) {
	throw getActionNotFoundError(actionId)
	}

	return actionModId
	}

	function getActionNotFoundError(actionId: string \| null): Error {
	return new Error(
	`Failed to find Server Action${actionId ? ` "${actionId}"` : ''}. This request might be from an older or newer deployment.\nRead more: https://nextjs.org/docs/messages/failed-to-find-server-action`
	)
	}

	const $ACTION_ = '$ACTION_'
	const $ACTION_REF_ = '$ACTION_REF_'
	const $ACTION_ID_ = '$ACTION_ID_'
	const ACTION_ID_EXPECTED_LENGTH = 42

	/**
	* This function mirrors logic inside React's decodeAction and should be kept in sync with that.
	* It pre-parses the FormData to ensure that any action IDs referred to are actual action IDs for
	* this Next.js application.
	*/
	function areAllActionIdsValid(
	mpaFormData: FormData,
	serverModuleMap: ServerModuleMap
	): boolean {
	let hasAtLeastOneAction = false
	// Before we attempt to decode the payload for a possible MPA action, assert that all
	// action IDs are valid IDs. If not we should disregard the payload
	for (let key of mpaFormData.keys()) {
	if (!key.startsWith($ACTION_)) {
	// not a relevant field
	continue
	}

	if (key.startsWith($ACTION_ID_)) {
	// No Bound args case
	if (isInvalidActionIdFieldName(key, serverModuleMap)) {
	return false
	}

	hasAtLeastOneAction = true
	} else if (key.startsWith($ACTION_REF_)) {
	// Bound args case
	const actionDescriptorField =
	$ACTION_ + key.slice($ACTION_REF_.length) + ':0'
	const actionFields = mpaFormData.getAll(actionDescriptorField)
	if (actionFields.length !== 1) {
	return false
	}
	const actionField = actionFields[0]
	if (typeof actionField !== 'string') {
	return false
	}

	if (isInvalidStringActionDescriptor(actionField, serverModuleMap)) {
	return false
	}
	hasAtLeastOneAction = true
	}
	}
	return hasAtLeastOneAction
	}

	const ACTION_DESCRIPTOR_ID_PREFIX = '{"id":"'
	function isInvalidStringActionDescriptor(
	actionDescriptor: string,
	serverModuleMap: ServerModuleMap
	): unknown {
	if (actionDescriptor.startsWith(ACTION_DESCRIPTOR_ID_PREFIX) === false) {
	return true
	}

	const from = ACTION_DESCRIPTOR_ID_PREFIX.length
	const to = from + ACTION_ID_EXPECTED_LENGTH

	// We expect actionDescriptor to be '{"id":"<actionId>",...}'
	const actionId = actionDescriptor.slice(from, to)
	if (
	actionId.length !== ACTION_ID_EXPECTED_LENGTH \|\|
	actionDescriptor[to] !== '"'
	) {
	return true
	}

	const entry = serverModuleMap[actionId]

	if (entry == null) {
	return true
	}

	return false
	}

	function isInvalidActionIdFieldName(
	actionIdFieldName: string,
	serverModuleMap: ServerModuleMap
	): boolean {
	// The field name must always start with $ACTION_ID_ but since it is
	// the id is extracted from the key of the field we have already validated
	// this before entering this function
	if (
	actionIdFieldName.length !==
	$ACTION_ID_.length + ACTION_ID_EXPECTED_LENGTH
	) {
	// this field name has too few or too many characters
	return true
	}

	const actionId = actionIdFieldName.slice($ACTION_ID_.length)
	const entry = serverModuleMap[actionId]

	if (entry == null) {
	return true
	}

	return false
	}