@bractjs/bractjs 0.1.0 → 0.1.6

package/src/__tests__/manifest.test.ts

@@ -0,0 +1,60 @@
+import { test, expect, describe } from "bun:test";
+import { generateManifest } from "../build/manifest.ts";
+
+describe("generateManifest", () => {
+  test("version is always 1", () => {
+    const m = generateManifest({ clientEntry: "/build/client.js", routeChunks: new Map() });
+    expect(m.version).toBe(1);
+  });
+
+  test("sets clientEntry field", () => {
+    const m = generateManifest({ clientEntry: "/build/client.abc123.js", routeChunks: new Map() });
+    expect(m.clientEntry).toBe("/build/client.abc123.js");
+  });
+
+  test("converts routeChunks map to routes object", () => {
+    const chunks = new Map([
+      ["", "/build/route-index.abc.js"],
+      ["about", "/build/route-about.def.js"],
+    ]);
+    const m = generateManifest({ clientEntry: "/build/client.js", routeChunks: chunks });
+    expect(m.routes[""]).toEqual({ chunk: "/build/route-index.abc.js", pattern: "" });
+    expect(m.routes["about"]).toEqual({ chunk: "/build/route-about.def.js", pattern: "about" });
+  });
+
+  test("empty routeChunks produces empty routes object", () => {
+    const m = generateManifest({ clientEntry: "/client.js", routeChunks: new Map() });
+    expect(Object.keys(m.routes)).toHaveLength(0);
+  });
+
+  test("sets optional rootChunk when provided", () => {
+    const m = generateManifest({
+      clientEntry: "/client.js",
+      rootChunk: "/build/root.chunk.js",
+      routeChunks: new Map(),
+    });
+    expect(m.rootChunk).toBe("/build/root.chunk.js");
+  });
+
+  test("rootChunk is undefined when not provided", () => {
+    const m = generateManifest({ clientEntry: "/client.js", routeChunks: new Map() });
+    expect(m.rootChunk).toBeUndefined();
+  });
+
+  test("each route entry has both chunk and pattern fields", () => {
+    const chunks = new Map([["blog/[id]", "/build/blog-id.chunk.js"]]);
+    const m = generateManifest({ clientEntry: "/client.js", routeChunks: chunks });
+    const entry = m.routes["blog/[id]"];
+    expect(entry.chunk).toBe("/build/blog-id.chunk.js");
+    expect(entry.pattern).toBe("blog/[id]");
+  });
+
+  test("handles many routes", () => {
+    const chunks = new Map(
+      Array.from({ length: 20 }, (_, i) => [`route/${i}`, `/build/chunk-${i}.js`])
+    );
+    const m = generateManifest({ clientEntry: "/client.js", routeChunks: chunks });
+    expect(Object.keys(m.routes)).toHaveLength(20);
+    expect(m.routes["route/10"].chunk).toBe("/build/chunk-10.js");
+  });
+});

package/src/__tests__/middleware.test.ts

@@ -0,0 +1,216 @@
+import { test, expect, describe } from "bun:test";
+import { MiddlewarePipeline } from "../server/middleware.ts";
+import type { MiddlewareContext } from "../server/middleware.ts";
+import { cors } from "../middleware/cors.ts";
+import { authGuard } from "../middleware/authGuard.ts";
+import { requestLogger } from "../middleware/requestLogger.ts";
+
+// ── Helpers ────────────────────────────────────────────────────────────────
+
+function makeCtx(override: Partial<MiddlewareContext> = {}): MiddlewareContext {
+  return {
+    request: new Request("http://localhost/"),
+    params: {},
+    context: {},
+    ...override,
+  };
+}
+
+const ok200 = async () => new Response("ok", { status: 200 });
+
+// ── MiddlewarePipeline ─────────────────────────────────────────────────────
+
+describe("MiddlewarePipeline", () => {
+  test("calls handler when no middleware registered", async () => {
+    const pipeline = new MiddlewarePipeline();
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.status).toBe(200);
+  });
+
+  test("runs middleware in registration order", async () => {
+    const order: number[] = [];
+    const pipeline = new MiddlewarePipeline();
+    pipeline
+      .use(async (ctx, next) => { order.push(1); const r = await next(); order.push(4); return r; })
+      .use(async (ctx, next) => { order.push(2); const r = await next(); order.push(3); return r; });
+
+    await pipeline.run(makeCtx(), ok200);
+    expect(order).toEqual([1, 2, 3, 4]);
+  });
+
+  test("middleware can short-circuit without calling next()", async () => {
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(async () => new Response("blocked", { status: 403 }));
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.status).toBe(403);
+    expect(await res.text()).toBe("blocked");
+  });
+
+  test("middleware can modify the response", async () => {
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(async (ctx, next) => {
+      const res = await next();
+      const patched = new Response(res.body, res);
+      patched.headers.set("X-Test", "injected");
+      return patched;
+    });
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.headers.get("X-Test")).toBe("injected");
+  });
+
+  test("use() is chainable", () => {
+    const pipeline = new MiddlewarePipeline();
+    const ret = pipeline.use(async (_, next) => next());
+    expect(ret).toBe(pipeline);
+  });
+
+  test("multiple pipelines are independent", async () => {
+    const p1 = new MiddlewarePipeline();
+    const p2 = new MiddlewarePipeline();
+    p1.use(async () => new Response("p1", { status: 201 }));
+    const r1 = await p1.run(makeCtx(), ok200);
+    const r2 = await p2.run(makeCtx(), ok200);
+    expect(r1.status).toBe(201);
+    expect(r2.status).toBe(200);
+  });
+});
+
+// ── cors() ─────────────────────────────────────────────────────────────────
+
+describe("cors()", () => {
+  test("adds CORS headers to regular requests for allowed origin", async () => {
+    const mw = cors({ origin: "https://example.com" });
+    const ctx = makeCtx({ request: new Request("http://localhost/", { headers: { Origin: "https://example.com" } }) });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(ctx, ok200);
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBe("https://example.com");
+  });
+
+  test("wildcard origin allows any origin", async () => {
+    const mw = cors({ origin: "*" });
+    const ctx = makeCtx({ request: new Request("http://localhost/", { headers: { Origin: "https://any.com" } }) });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(ctx, ok200);
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBeTruthy();
+  });
+
+  test("responds 204 to OPTIONS preflight", async () => {
+    const mw = cors({ origin: "*" });
+    const ctx = makeCtx({ request: new Request("http://localhost/", { method: "OPTIONS" }) });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(ctx, ok200);
+    expect(res.status).toBe(204);
+  });
+
+  test("does not set CORS header for disallowed origin", async () => {
+    const mw = cors({ origin: "https://allowed.com" });
+    const ctx = makeCtx({ request: new Request("http://localhost/", { headers: { Origin: "https://evil.com" } }) });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(ctx, ok200);
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBeNull();
+  });
+
+  test("accepts array of origins", async () => {
+    const mw = cors({ origin: ["https://a.com", "https://b.com"] });
+    const ctx = makeCtx({ request: new Request("http://localhost/", { headers: { Origin: "https://b.com" } }) });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(ctx, ok200);
+    expect(res.headers.get("Access-Control-Allow-Origin")).toBe("https://b.com");
+  });
+
+  test("sets Access-Control-Allow-Methods header", async () => {
+    const mw = cors({ origin: "*", methods: ["GET", "POST"] });
+    const ctx = makeCtx({ request: new Request("http://localhost/", { method: "OPTIONS" }) });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(ctx, ok200);
+    expect(res.headers.get("Access-Control-Allow-Methods")).toBe("GET, POST");
+  });
+});
+
+// ── authGuard() ───────────────────────────────────────────────────────────
+
+describe("authGuard()", () => {
+  function makeSession(user: unknown) {
+    return {
+      getSession: async () => ({ get: (key: string) => (key === "user" ? user : undefined) }),
+    };
+  }
+
+  test("sets ctx.context.user from session", async () => {
+    const mw = authGuard({ session: makeSession({ id: 1 }) });
+    const ctx = makeCtx();
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    await pipeline.run(ctx, ok200);
+    expect(ctx.context.user).toEqual({ id: 1 });
+  });
+
+  test("sets ctx.context.user to null when no session user", async () => {
+    const mw = authGuard({ session: makeSession(undefined) });
+    const ctx = makeCtx();
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    await pipeline.run(ctx, ok200);
+    expect(ctx.context.user).toBeNull();
+  });
+
+  test("required=true returns 401 when no user", async () => {
+    const mw = authGuard({ session: makeSession(undefined), required: true });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.status).toBe(401);
+    const body = await res.json() as { error: string };
+    expect(body.error).toBe("Unauthorized");
+  });
+
+  test("required=true allows request when user is present", async () => {
+    const mw = authGuard({ session: makeSession({ id: 99 }), required: true });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.status).toBe(200);
+  });
+
+  test("required=false (default) allows unauthenticated request", async () => {
+    const mw = authGuard({ session: makeSession(undefined), required: false });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.status).toBe(200);
+  });
+});
+
+// ── requestLogger() ───────────────────────────────────────────────────────
+
+describe("requestLogger()", () => {
+  test("passes the response through unchanged", async () => {
+    const mw = requestLogger();
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    const res = await pipeline.run(makeCtx(), ok200);
+    expect(res.status).toBe(200);
+    expect(await res.text()).toBe("ok");
+  });
+
+  test("logs path and status to console (smoke test)", async () => {
+    const logs: string[] = [];
+    const original = console.log;
+    console.log = (...args: unknown[]) => logs.push(args.join(" "));
+    const mw = requestLogger();
+    const ctx = makeCtx({ request: new Request("http://localhost/hello") });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    await pipeline.run(ctx, ok200);
+    console.log = original;
+    expect(logs.length).toBeGreaterThan(0);
+    expect(logs[0]).toContain("/hello");
+    expect(logs[0]).toContain("200");
+  });
+});

package/src/__tests__/response.test.ts

@@ -0,0 +1,106 @@
+import { test, expect, describe } from "bun:test";
+import { redirect, json, error } from "../server/response.ts";
+
+describe("redirect", () => {
+  test("returns 302 by default with Location header", () => {
+    const res = redirect("/dashboard");
+    expect(res.status).toBe(302);
+    expect(res.headers.get("Location")).toBe("/dashboard");
+  });
+
+  test("accepts custom status codes (301, 307, 308)", () => {
+    expect(redirect("/old", 301).status).toBe(301);
+    expect(redirect("/tmp", 307).status).toBe(307);
+    expect(redirect("/perm", 308).status).toBe(308);
+  });
+
+  test("body is null", async () => {
+    const res = redirect("/");
+    expect(await res.text()).toBe("");
+  });
+
+  describe("open-redirect guard", () => {
+    test("rejects absolute http(s) URLs", () => {
+      expect(() => redirect("https://evil.com/")).toThrow();
+      expect(() => redirect("http://evil.com")).toThrow();
+    });
+
+    test("rejects protocol-relative URLs (//evil.com)", () => {
+      expect(() => redirect("//evil.com/path")).toThrow();
+    });
+
+    test("rejects backslash protocol-relative variant", () => {
+      expect(() => redirect("/\\evil.com")).toThrow();
+    });
+
+    test("rejects javascript: and data: schemes", () => {
+      expect(() => redirect("javascript:alert(1)")).toThrow();
+      expect(() => redirect("data:text/html,x")).toThrow();
+    });
+
+    test("allows same-path redirects", () => {
+      expect(redirect("/foo").headers.get("Location")).toBe("/foo");
+      expect(redirect("/foo?q=1#x").headers.get("Location")).toBe("/foo?q=1#x");
+    });
+
+    test("opt-in: allowExternal lets through absolute URL", () => {
+      const res = redirect("https://allowed.example/path", 302, undefined, { allowExternal: true });
+      expect(res.headers.get("Location")).toBe("https://allowed.example/path");
+    });
+  });
+});
+
+describe("json", () => {
+  test("sets Content-Type to application/json", () => {
+    const res = json({ ok: true });
+    expect(res.headers.get("Content-Type")).toContain("application/json");
+  });
+
+  test("serializes data to JSON body", async () => {
+    const res = json({ name: "bract", version: 1 });
+    const body = await res.json() as { name: string; version: number };
+    expect(body.name).toBe("bract");
+    expect(body.version).toBe(1);
+  });
+
+  test("defaults to 200 status", () => {
+    expect(json({}).status).toBe(200);
+  });
+
+  test("respects custom status in init", () => {
+    expect(json({}, { status: 201 }).status).toBe(201);
+  });
+
+  test("merges custom headers while preserving Content-Type", () => {
+    const res = json({}, { headers: { "X-Custom": "yes" } });
+    expect(res.headers.get("X-Custom")).toBe("yes");
+    expect(res.headers.get("Content-Type")).toContain("application/json");
+  });
+
+  test("serializes arrays", async () => {
+    const res = json([1, 2, 3]);
+    const body = await res.json() as number[];
+    expect(body).toEqual([1, 2, 3]);
+  });
+
+  test("serializes null", async () => {
+    const res = json(null);
+    expect(await res.text()).toBe("null");
+  });
+});
+
+describe("error", () => {
+  test("returns 500 by default", () => {
+    expect(error("internal").status).toBe(500);
+  });
+
+  test("body is JSON with error field", async () => {
+    const res = error("something failed");
+    const body = await res.json() as { error: string };
+    expect(body.error).toBe("something failed");
+  });
+
+  test("accepts custom status", () => {
+    expect(error("not allowed", 403).status).toBe(403);
+  });
+});