@adonisjs/http-server 8.1.3 → 8.2.0

package/build/{define_config-drp-Wzwx.js → define_config-CCHiNpSl.js}

@@ -1,4 +1,4 @@
-import { D as __exportAll, E as __commonJSMin, O as __require, S as httpResponseSerializer, T as debug_default, _ as BriskRoute, b as httpMiddleware, c as parseRoute, f as safeDecodeURI, g as RouteResource, h as RouteGroup, i as getPreviousUrl, k as __toESM, m as trustProxy, n as createSignedURL, p as toRoutesJSON, r as encodeUrl, s as mime$1, u as serializeCookie, v as Route, x as httpRequest, y as httpExceptionHandler } from "./helpers-CLk8RLHd.js";
+import { A as __toESM, C as httpResponseSerializer, D as __commonJSMin, E as debug_default, O as __exportAll, S as httpRequest, _ as RouteResource, b as httpExceptionHandler, c as mime$1, d as serializeCookie, g as RouteGroup, h as trustProxy, i as getPreviousUrl, k as __require, l as parseRoute, m as toRoutesJSON, n as createSignedURL, p as safeDecodeURI, r as encodeUrl, v as BriskRoute, x as httpMiddleware, y as Route } from "./helpers-DHzJiDUz.js";
 import { n as findRoute, t as createURL } from "./helpers-Dqw8abku.js";
 import { createUrlBuilder } from "./src/client/url_builder.js";
 import { parse, stringify } from "@poppinss/qs";
@@ -206,6 +206,11 @@ const E_HTTP_REQUEST_ABORTED = class AbortException extends E_HTTP_EXCEPTION {
 * ```
 */
 var Redirect = class extends Macroable {
+	/**
+	* HTTP context reference, set by the response when creating
+	* the redirect instance during request handling.
+	*/
+	ctx;
 	/**
 	* Array of allowed hosts for referrer-based redirects.
 	* When empty, only the request's own host is allowed.
@@ -4298,6 +4303,7 @@ var HttpResponse = class extends Macroable {
 	}
 	redirect(path, forwardQueryString = false, statusCode = ResponseStatus.Found) {
 		const handler = new Redirect(this.request, this, this.#router, this.#qs, this.#config.redirect);
+		handler.ctx = this.ctx;
 		if (forwardQueryString) handler.withQs();
 		if (path === "back") return handler.status(statusCode).back();
 		if (path) return handler.status(statusCode).toPath(path);

package/build/factories/main.js

@@ -1,5 +1,5 @@
-import { c as parseRoute } from "../helpers-CLk8RLHd.js";
-import { _ as Qs, c as HttpRequest, i as HttpResponse, n as Server, r as HttpContext, s as Router, t as defineConfig } from "../define_config-drp-Wzwx.js";
+import { l as parseRoute } from "../helpers-DHzJiDUz.js";
+import { _ as Qs, c as HttpRequest, i as HttpResponse, n as Server, r as HttpContext, s as Router, t as defineConfig } from "../define_config-CCHiNpSl.js";
 import { t as createURL } from "../helpers-Dqw8abku.js";
 import { Container } from "@adonisjs/fold";
 import { Socket } from "node:net";

package/build/{helpers-CLk8RLHd.js → helpers-DHzJiDUz.js}

@@ -1310,13 +1310,45 @@ function safeDecodeURI(path, useSemicolonDelimiter) {
 //#endregion
 //#region src/helpers.ts
 /**
+* Validates that a URL is safe to use as a redirect destination.
+*
+* - Relative URLs must start with `/` and not be protocol-relative (`//`)
+* - Absolute URLs must parse successfully and their host must match
+*   `currentHost` or be listed in `allowedHosts`
+*
+* When `currentHost` and `allowedHosts` are omitted, absolute URLs
+* are accepted as long as they parse successfully.
+*
+* @param url - The URL to validate
+* @param currentHost - The current request's Host header value
+* @param allowedHosts - Array of additionally allowed hosts
+*/
+function isValidRedirectUrl(url, currentHost, allowedHosts) {
+	if (typeof url !== "string" || url.trim() === "") return false;
+	if (url.startsWith("//")) return false;
+	if (url.startsWith("/")) try {
+		return new URL(url, "http://localhost").host === "localhost";
+	} catch {
+		return false;
+	}
+	try {
+		const parsed = new URL(url);
+		/**
+		* When no host constraints are provided, accept any
+		* parseable absolute URL
+		*/
+		if (!currentHost && (!allowedHosts || allowedHosts.length === 0)) return true;
+		if (currentHost && parsed.host === currentHost) return true;
+		if (allowedHosts && allowedHosts.length > 0 && allowedHosts.includes(parsed.host)) return true;
+		return false;
+	} catch {
+		return false;
+	}
+}
+/**
 * Returns the previous URL from the request's `Referer` header,
 * validated against the request's `Host` header and an optional
-* list of allowed hosts.
-*
-* The referrer is accepted when its host matches the request's
-* `Host` header or is listed in `allowedHosts`. Otherwise the
-* `fallback` value is returned.
+* list of allowed hosts using `isValidRedirectUrl`.
 *
 * @param headers - The incoming request headers
 * @param allowedHosts - Array of allowed referrer hosts
@@ -1326,12 +1358,7 @@ function getPreviousUrl(headers, allowedHosts, fallback) {
 	let referrer = headers["referer"] || headers["referrer"];
 	if (!referrer) return fallback;
 	if (Array.isArray(referrer)) referrer = referrer[0];
-	try {
-		const parsed = new URL(referrer);
-		const host = headers["host"];
-		if (host && parsed.host === host) return referrer;
-		if (allowedHosts.length > 0 && allowedHosts.includes(parsed.host)) return referrer;
-	} catch {}
+	if (isValidRedirectUrl(referrer, headers["host"], allowedHosts)) return referrer;
 	return fallback;
 }
 /**
@@ -1481,4 +1508,4 @@ function appendQueryString(uri, queryString, qsParser) {
 	return mergedQueryString ? `${pathname}?${mergedQueryString}` : pathname;
 }
 //#endregion
-export { tracing_channels_exports as C, __exportAll as D, __commonJSMin as E, __require as O, httpResponseSerializer as S, debug_default as T, BriskRoute as _, matchRoute as a, httpMiddleware as b, parseRoute as c, parseRange as d, safeDecodeURI as f, RouteResource as g, RouteGroup as h, getPreviousUrl as i, __toESM as k, routeInfo as l, trustProxy as m, createSignedURL as n, middlewareInfo as o, toRoutesJSON as p, encodeUrl as r, mime as s, appendQueryString as t, serializeCookie as u, Route as v, canWriteResponseBody as w, httpRequest as x, httpExceptionHandler as y };
+export { __toESM as A, httpResponseSerializer as C, __commonJSMin as D, debug_default as E, __exportAll as O, httpRequest as S, canWriteResponseBody as T, RouteResource as _, isValidRedirectUrl as a, httpExceptionHandler as b, mime as c, serializeCookie as d, parseRange as f, RouteGroup as g, trustProxy as h, getPreviousUrl as i, __require as k, parseRoute as l, toRoutesJSON as m, createSignedURL as n, matchRoute as o, safeDecodeURI as p, encodeUrl as r, middlewareInfo as s, appendQueryString as t, routeInfo as u, BriskRoute as v, tracing_channels_exports as w, httpMiddleware as x, Route as y };

package/build/index.js

@@ -1,5 +1,5 @@
-import { C as tracing_channels_exports, _ as BriskRoute, d as parseRange, g as RouteResource, h as RouteGroup, v as Route, w as canWriteResponseBody } from "./helpers-CLk8RLHd.js";
-import { _ as Qs, a as CookieSerializer, c as HttpRequest, d as Redirect, f as E_CANNOT_LOOKUP_ROUTE, g as errors_exports, h as E_ROUTE_NOT_FOUND, i as HttpResponse, l as CookieParser, m as E_HTTP_REQUEST_ABORTED, n as Server, o as ResponseStatus, p as E_HTTP_EXCEPTION, r as HttpContext, s as Router, t as defineConfig, u as CookieClient } from "./define_config-drp-Wzwx.js";
+import { T as canWriteResponseBody, _ as RouteResource, f as parseRange, g as RouteGroup, v as BriskRoute, w as tracing_channels_exports, y as Route } from "./helpers-DHzJiDUz.js";
+import { _ as Qs, a as CookieSerializer, c as HttpRequest, d as Redirect, f as E_CANNOT_LOOKUP_ROUTE, g as errors_exports, h as E_ROUTE_NOT_FOUND, i as HttpResponse, l as CookieParser, m as E_HTTP_REQUEST_ABORTED, n as Server, o as ResponseStatus, p as E_HTTP_EXCEPTION, r as HttpContext, s as Router, t as defineConfig, u as CookieClient } from "./define_config-CCHiNpSl.js";
 import Macroable from "@poppinss/macroable";
 import is from "@sindresorhus/is";
 //#region src/exception_handler.ts

package/build/src/helpers.d.ts

@@ -7,14 +7,25 @@ import { type SignedURLOptions } from './types/url_builder.ts';
 import type { RouteMatchers, RouteJSON, MatchItRouteToken } from './types/route.ts';
 import { type MiddlewareFn, type RouteHandlerInfo, type MiddlewareHandlerInfo, type ParsedGlobalMiddleware, type ParsedNamedMiddleware } from './types/middleware.ts';
 export { createURL };
+/**
+ * Validates that a URL is safe to use as a redirect destination.
+ *
+ * - Relative URLs must start with `/` and not be protocol-relative (`//`)
+ * - Absolute URLs must parse successfully and their host must match
+ *   `currentHost` or be listed in `allowedHosts`
+ *
+ * When `currentHost` and `allowedHosts` are omitted, absolute URLs
+ * are accepted as long as they parse successfully.
+ *
+ * @param url - The URL to validate
+ * @param currentHost - The current request's Host header value
+ * @param allowedHosts - Array of additionally allowed hosts
+ */
+export declare function isValidRedirectUrl(url: string, currentHost?: string, allowedHosts?: string[]): boolean;
 /**
  * Returns the previous URL from the request's `Referer` header,
  * validated against the request's `Host` header and an optional
- * list of allowed hosts.
- *
- * The referrer is accepted when its host matches the request's
- * `Host` header or is listed in `allowedHosts`. Otherwise the
- * `fallback` value is returned.
+ * list of allowed hosts using `isValidRedirectUrl`.
  *
  * @param headers - The incoming request headers
  * @param allowedHosts - Array of allowed referrer hosts

package/build/src/helpers.js

@@ -1,3 +1,3 @@
-import { a as matchRoute, c as parseRoute, i as getPreviousUrl, l as routeInfo, n as createSignedURL, o as middlewareInfo, r as encodeUrl, s as mime, t as appendQueryString, u as serializeCookie } from "../helpers-CLk8RLHd.js";
+import { a as isValidRedirectUrl, c as mime, d as serializeCookie, i as getPreviousUrl, l as parseRoute, n as createSignedURL, o as matchRoute, r as encodeUrl, s as middlewareInfo, t as appendQueryString, u as routeInfo } from "../helpers-DHzJiDUz.js";
 import { t as createURL } from "../helpers-Dqw8abku.js";
-export { appendQueryString, createSignedURL, createURL, encodeUrl, getPreviousUrl, matchRoute, middlewareInfo, mime, parseRoute, routeInfo, serializeCookie };
+export { appendQueryString, createSignedURL, createURL, encodeUrl, getPreviousUrl, isValidRedirectUrl, matchRoute, middlewareInfo, mime, parseRoute, routeInfo, serializeCookie };

package/build/src/redirect.d.ts

@@ -5,6 +5,7 @@ import type { HttpResponse } from './response.ts';
 import type { ResponseConfig } from './types/response.ts';
 import type { RoutesList, LookupList, URLOptions, GetRoutesForMethod, RouteBuilderArguments } from './types/url_builder.ts';
 import Macroable from '@poppinss/macroable';
+import type { HttpContext } from './http_context/main.ts';
 /**
  * Provides a fluent API for constructing HTTP redirect responses.
  *
@@ -29,6 +30,11 @@ import Macroable from '@poppinss/macroable';
  */
 export declare class Redirect extends Macroable {
     #private;
+    /**
+     * HTTP context reference, set by the response when creating
+     * the redirect instance during request handling.
+     */
+    ctx?: HttpContext;
     /**
      * Array of allowed hosts for referrer-based redirects.
      * When empty, only the request's own host is allowed.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adonisjs/http-server",
-  "version": "8.1.3",
+  "version": "8.2.0",
   "description": "AdonisJS HTTP server with support packed with Routing and Cookies",
   "main": "build/index.js",
   "type": "module",