From c654bff3ea75c79e641d8f4d800d4e54f4593546 Mon Sep 17 00:00:00 2001
From: Zack Tanner <1939140+ztanner@users.noreply.github.com>
Date: Sat, 1 Feb 2025 10:19:33 -0800
Subject: [PATCH] filter x-middleware-set-cookie in route handlers
---
 packages/next/src/server/send-response.ts | 5 +++++
 .../e2e/app-dir/app-middleware/app-middleware.test.ts | 6 ++++++
 .../app-dir/app-middleware/app/cookies/api/route.js | 11 +++++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 test/e2e/app-dir/app-middleware/app/cookies/api/route.js
diff --git a/packages/next/src/server/send-response.ts b/packages/next/src/server/send-response.ts
index c62c228d306ad0..bd5bfe9c389418 100644
--- a/packages/next/src/server/send-response.ts
+++ b/packages/next/src/server/send-response.ts
@@ -36,6 +36,11 @@ export async function sendResponse(
 // Copy over the response headers.
 response.headers?.forEach((value, name) => {
+ // `x-middleware-set-cookie` is an internal header not needed for the response
+ if (name.toLowerCase() === 'x-middleware-set-cookie') {
+ return
+ }
+
 // The append handling is special cased for `set-cookie`.
 if (name.toLowerCase() === 'set-cookie') {
 // TODO: (wyattjoh) replace with native response iteration when we can upgrade undici
diff --git a/test/e2e/app-dir/app-middleware/app-middleware.test.ts b/test/e2e/app-dir/app-middleware/app-middleware.test.ts
index 3407201a81f312..a33a344769b9be 100644
--- a/test/e2e/app-dir/app-middleware/app-middleware.test.ts
+++ b/test/e2e/app-dir/app-middleware/app-middleware.test.ts
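Review bot: The comment on the new `x-middleware-set-cookie` guard in `sendResponse` (packages/next/src/server/send-response.ts) says only that the header is "not needed", which undersells why it is filtered: judging by its name and the accompanying test, it carries a copy of cookie values for internal use, so it should never reach a client or an intermediary cache. I would state that directly, e.g. `// Internal header mirroring middleware cookies; never forward it to the client.`, and lower-case the name once with `const lowerName = name.toLowerCase()` so this check and the `set-cookie` check below share it. The match is a single string literal in this one callback; since only this path is visible here, it is worth confirming that any other code that copies response headers to the client applies the same filter. The body of `sendResponse` starts and ends outside the hunk.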
@@ -198,6 +198,12 @@ describe('app-dir with middleware', () => {
 const response = await next.fetch('/rsc-cookies/cookie-options')
 expect(response.status).toBe(200)
 expect(response.headers.get('x-middleware-set-cookie')).toBeNull()
+
+ const response2 = await next.fetch('/cookies/api')
+ expect(response2.status).toBe(200)
+ expect(response2.headers.get('x-middleware-set-cookie')).toBeNull()
+ expect(response2.headers.get('set-cookie')).toBeDefined()
+ expect(response2.headers.get('set-cookie')).toContain('example')
 })
 it('should ignore x-middleware-set-cookie as a request header', async () => {
diff --git a/test/e2e/app-dir/app-middleware/app/cookies/api/route.js b/test/e2e/app-dir/app-middleware/app/cookies/api/route.js
new file mode 100644
index 00000000000000..598c70f384dac0
--- /dev/null
+++ b/test/e2e/app-dir/app-middleware/app/cookies/api/route.js
@@ -0,0 +1,11 @@
+import { NextResponse } from 'next/server'
+
+export function GET() {
+ const response = new NextResponse()
+ response.cookies.set({
+ name: 'example',
+ value: 'example',
+ })
+
+ return response
+}
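Review bot: `expect(response2.headers.get('set-cookie')).toBeDefined()` in app-middleware.test.ts can never fail, because `Headers.get` returns `null` for a missing header and `toBeDefined()` only rejects `undefined`. Replace it with `expect(response2.headers.get('set-cookie')).not.toBeNull()`, or drop the line and let the `toContain('example')` assertion that follows carry the check. As written, the line reads as proof that the route handler's own cookie survives the new filter, but only the `toContain` line actually verifies that. The enclosing `it(...)` starts outside the hunk.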