From 4c2c5518f0bf95c1c5abe4c1661354c8e5494ae6 Mon Sep 17 00:00:00 2001
From: harshagarwalnyu <harshagarwal48756@gmail.com>
Date: Thu, 14 May 2026 11:14:39 -0400
Subject: [PATCH 1/3] fix(dev): route specific Nitro paths even when URL has
 asset extension
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Asset-extensioned URLs (e.g. /api/photos/12345.jpg) were being routed
to Vite's static middleware instead of the matching Nitro handler because
the ASSET_EXT_RE guard in nitroDevMiddlewarePre applied unconditionally
to any matched route, including specific prefixed catch-alls like
/api/photos/**.

The guard was introduced (#4234) to prevent a root-level renderer or
user catch-all (/**) from swallowing Vite's own <script>/<link> serves
on plain-HTTP non-loopback origins where Sec-Fetch-Dest is absent.

Narrow the guard: only apply the asset-extension filter when the matched
Nitro route pattern is the root wildcard /**. Specific routes
(e.g. /api/**, /api/photos/**) are never registered on paths Vite owns,
so they should always win — preserving the original behaviour from
nitro@3.0.1-alpha.2.

Fixes #4252
---
 src/build/vite/dev.ts | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/build/vite/dev.ts b/src/build/vite/dev.ts
index ab4f24671b..7a23fc7278 100644
--- a/src/build/vite/dev.ts
+++ b/src/build/vite/dev.ts
@@ -245,10 +245,9 @@ export async function configureViteDevServer(ctx: NitroPluginContext, server: Vi
     const fetchDest = req.headers["sec-fetch-dest"];
     const accept = req.headers["accept"];
     const ext = req.url!.split(/[?#]/, 1)[0].match(/\.([a-z0-9]+)$/i)?.[1];
-    const isNitroRoute = !!nitro.routing.routes.match(
-      req.method || "",
-      new URL(withBase(req.url!, nitro.options.baseURL), "http://localhost").pathname
-    );
+    const reqPathname = new URL(withBase(req.url!, nitro.options.baseURL), "http://localhost").pathname;
+    const nitroRouteMatch = nitro.routing.routes.match(req.method || "", reqPathname);
+    const isNitroRoute = !!nitroRouteMatch;
     // Sec-Fetch-* is only sent on "potentially trustworthy" origins, so on plain-HTTP non-loopback (e.g. http://10.0.0.x) it's absent and a splat Nitro route may swallow browser asset loads (#4234). When the header is missing, treat known asset extensions without `text/html` in Accept as asset loads and let Vite handle them.
     const isAssetByDest =
       typeof fetchDest === "string" && !/^(document|iframe|frame|empty)$/.test(fetchDest);
@@ -256,8 +255,15 @@ export async function configureViteDevServer(ctx: NitroPluginContext, server: Vi
     const acceptsHTML = typeof accept === "string" && /\btext\/html\b/.test(accept);
     const treatAsAsset = isAssetByDest || (!fetchDest && isAssetByExt && !acceptsHTML);
     res.setHeader("vary", "sec-fetch-dest, accept");
-    // An explicit Nitro route reaches Nitro even when the request is tagged as an asset (e.g. `<img src="/api/image">` with `sec-fetch-dest: image`, #4241), UNLESS the URL also has an asset-like extension — in that case Vite stays the definitive handler so a splat doesn't swallow `<script src=".../entry-client.ts">` (#4234).
-    const nitroWins = isNitroRoute && !(isAssetByExt && treatAsAsset);
+    // An explicit Nitro route reaches Nitro even when the request is tagged as an asset (#4241).
+    // The asset-extension guard only applies to root-level wildcards (/**) to prevent a renderer
+    // or user catch-all from swallowing Vite's own <script>/<link> serves (#4234). Specific
+    // prefixed routes (e.g. /api/photos/**) are never wildcards on Vite-managed paths (#4252).
+    const matchedRoutePattern = Array.isArray(nitroRouteMatch)
+      ? nitroRouteMatch[0]?.route
+      : nitroRouteMatch?.route;
+    const isRootWildcard = !matchedRoutePattern || matchedRoutePattern === "/**";
+    const nitroWins = isNitroRoute && (!isRootWildcard || !(isAssetByExt && treatAsAsset));
     // Fallback for unknown URLs: extensionless, non-asset requests default to Nitro (page navigation, SSR catch-all).
     const documentFallback = !ext && !treatAsAsset;
     const routeToNitro =

From 49ffcedb6a7e38be437a4512e6eb109318125c81 Mon Sep 17 00:00:00 2001
From: harshagarwalnyu <harshagarwal48756@gmail.com>
Date: Fri, 15 May 2026 09:18:10 -0400
Subject: [PATCH 2/3] fix(dev): improve isRootWildcard detection and update
 tests

---
 src/build/vite/dev.ts                         |  5 ++++-
 .../routes/[...path].ts                       |  1 +
 test/vite/baseurl-dotted-param.test.ts        | 19 ++++++++++++++++---
 3 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 test/vite/baseurl-dotted-param-fixture/routes/[...path].ts

diff --git a/src/build/vite/dev.ts b/src/build/vite/dev.ts
index 7a23fc7278..7806c3a63f 100644
--- a/src/build/vite/dev.ts
+++ b/src/build/vite/dev.ts
@@ -262,7 +262,10 @@ export async function configureViteDevServer(ctx: NitroPluginContext, server: Vi
     const matchedRoutePattern = Array.isArray(nitroRouteMatch)
       ? nitroRouteMatch[0]?.route
       : nitroRouteMatch?.route;
-    const isRootWildcard = !matchedRoutePattern || matchedRoutePattern === "/**";
+    const isRootWildcard =
+      !matchedRoutePattern ||
+      matchedRoutePattern === "/**" ||
+      matchedRoutePattern.startsWith("/**:");
     const nitroWins = isNitroRoute && (!isRootWildcard || !(isAssetByExt && treatAsAsset));
     // Fallback for unknown URLs: extensionless, non-asset requests default to Nitro (page navigation, SSR catch-all).
     const documentFallback = !ext && !treatAsAsset;
diff --git a/test/vite/baseurl-dotted-param-fixture/routes/[...path].ts b/test/vite/baseurl-dotted-param-fixture/routes/[...path].ts
new file mode 100644
index 0000000000..9872b1008c
--- /dev/null
+++ b/test/vite/baseurl-dotted-param-fixture/routes/[...path].ts
@@ -0,0 +1 @@
+export default (event: any) => "root-wildcard:" + event.context.params!.path;
diff --git a/test/vite/baseurl-dotted-param.test.ts b/test/vite/baseurl-dotted-param.test.ts
index f1061071b3..bb15e7d0ad 100644
--- a/test/vite/baseurl-dotted-param.test.ts
+++ b/test/vite/baseurl-dotted-param.test.ts
@@ -58,13 +58,26 @@ describe("vite:baseURL dotted params", { sequential: true }, () => {
     expect(await response.text()).toBe("image");
   });
 
-  // Browsers omit Sec-Fetch-* on plain-HTTP non-loopback origins (e.g. http://10.0.0.x:3000). Without that signal, a splat Nitro route would swallow `<script src=".../entry-client.ts">` requests. Accept + asset extension is used as a fallback to keep asset loads routed to Vite.
-  test("does not misroute asset loads to splat Nitro routes when sec-fetch-dest is absent", async () => {
+  // Browsers omit Sec-Fetch-* on plain-HTTP non-loopback origins (e.g. http://10.0.0.x:3000).
+  // Specific prefixed routes (e.g. /api/proxy/**) are never considered wildcards that
+  // swallow Vite assets, so they should now reach Nitro even with an asset extension.
+  test("prefixed splat routes win over Vite assets when sec-fetch-dest is absent", async () => {
     const response = await fetch(`${serverURL}/subdir/api/proxy/entry-client.ts`, {
       headers: { accept: "*/*" },
       redirect: "manual",
     });
-    expect(await response.text()).not.toBe("entry-client.ts");
+    expect(await response.text()).toBe("entry-client.ts");
+  });
+
+  // #4234 protection: A root-level `/**` catch-all MUST NOT swallow Vite assets.
+  test("root-level wildcards do not swallow Vite assets when sec-fetch-dest is absent", async () => {
+    // We expect Vite to handle this, which in this fixture's setup might return the index.html or 404 depending on Vite config.
+    // The key is that it's NOT "root-wildcard:entry-client.ts"
+    const response = await fetch(`${serverURL}/subdir/entry-client.ts`, {
+      headers: { accept: "*/*" },
+      redirect: "manual",
+    });
+    expect(await response.text()).not.toBe("root-wildcard:entry-client.ts");
   });
 
   // The extension extraction must look at the path only — a `.png` in the query string (e.g. `?file=bar.png`) must not flag the request as an asset and divert it to Vite.

From adf019822b6657fb205bcfddbd63aca1f919843a Mon Sep 17 00:00:00 2001
From: harshagarwalnyu <harshagarwal48756@gmail.com>
Date: Fri, 15 May 2026 09:31:31 -0400
Subject: [PATCH 3/3] test(dev): update baseurl-dotted-param test for
 specific-route asset-ext behavior

---
 test/vite/baseurl-dotted-param.test.ts | 50 ++++++++++++++++++--------
 1 file changed, 36 insertions(+), 14 deletions(-)

diff --git a/test/vite/baseurl-dotted-param.test.ts b/test/vite/baseurl-dotted-param.test.ts
index bb15e7d0ad..00b81a3491 100644
--- a/test/vite/baseurl-dotted-param.test.ts
+++ b/test/vite/baseurl-dotted-param.test.ts
@@ -57,27 +57,49 @@ describe("vite:baseURL dotted params", { sequential: true }, () => {
     expect(response.status).toBe(200);
     expect(await response.text()).toBe("image");
   });
-
-  // Browsers omit Sec-Fetch-* on plain-HTTP non-loopback origins (e.g. http://10.0.0.x:3000).
-  // Specific prefixed routes (e.g. /api/proxy/**) are never considered wildcards that
-  // swallow Vite assets, so they should now reach Nitro even with an asset extension.
-  test("prefixed splat routes win over Vite assets when sec-fetch-dest is absent", async () => {
+// Browsers omit Sec-Fetch-* on plain-HTTP non-loopback origins (e.g. http://10.0.0.x:3000).
+// Specific prefixed routes (e.g. /api/proxy/**) are never considered wildcards that
+// swallow Vite assets, so they should now reach Nitro even with an asset extension
+// and even if sec-fetch-dest is present.
+test("prefixed splat routes win over Vite assets even with asset extensions and sec-fetch-dest", async () => {
+  for (const fetchDest of ["script", "style", undefined]) {
+    const headers: Record<string, string> = { accept: "*/*" };
+    if (fetchDest) {
+      headers["sec-fetch-dest"] = fetchDest;
+    }
     const response = await fetch(`${serverURL}/subdir/api/proxy/entry-client.ts`, {
-      headers: { accept: "*/*" },
+      headers,
       redirect: "manual",
     });
-    expect(await response.text()).toBe("entry-client.ts");
-  });
+    expect(response.status, `fetchDest: ${fetchDest}`).toBe(200);
+    expect(await response.text(), `fetchDest: ${fetchDest}`).toBe("entry-client.ts");
+  }
+});
 
-  // #4234 protection: A root-level `/**` catch-all MUST NOT swallow Vite assets.
-  test("root-level wildcards do not swallow Vite assets when sec-fetch-dest is absent", async () => {
-    // We expect Vite to handle this, which in this fixture's setup might return the index.html or 404 depending on Vite config.
-    // The key is that it's NOT "root-wildcard:entry-client.ts"
+// #4234 protection: A root-level `/**` catch-all MUST NOT swallow Vite assets.
+test("root-level wildcards do not swallow Vite assets (protects #4234)", async () => {
+  for (const fetchDest of ["script", "style", undefined]) {
+    const headers: Record<string, string> = { accept: "*/*" };
+    if (fetchDest) {
+      headers["sec-fetch-dest"] = fetchDest;
+    }
     const response = await fetch(`${serverURL}/subdir/entry-client.ts`, {
-      headers: { accept: "*/*" },
+      headers,
       redirect: "manual",
     });
-    expect(await response.text()).not.toBe("root-wildcard:entry-client.ts");
+    // We expect Vite to handle this, which in this fixture's setup returns 404 (not a real file).
+    expect(response.status, `fetchDest: ${fetchDest}`).toBe(404);
+  }
+});
+
+
+  test("root-level wildcards *do* swallow Vite assets when NOT an asset extension", async () => {
+    // This route matches the root /** catch-all in the fixture.
+    const response = await fetch(`${serverURL}/subdir/some-page`, {
+      redirect: "manual",
+    });
+    expect(response.status).toBe(200);
+    expect(await response.text()).toBe("root-wildcard:some-page");
   });
 
   // The extension extraction must look at the path only — a `.png` in the query string (e.g. `?file=bar.png`) must not flag the request as an asset and divert it to Vite.