@bractjs/bractjs 0.1.25 → 0.1.27

package/src/__tests__/fixtures/app/routes/redirect-action.tsx

@@ -0,0 +1,13 @@
+// Fixture for the "action returns (not throws) a redirect" regression test.
+// The documented pattern (README §5/§6) is `return redirect("/")`. The handler
+// must surface that as a real 3xx so `<Form>`/the browser follows it — not wrap
+// it into a 200 JSON body.
+import { redirect } from "../../../../server/response.ts";
+
+export async function action() {
+  return redirect("/");
+}
+
+export default function RedirectActionPage() {
+  return <p>redirect action page</p>;
+}

package/src/__tests__/integration.test.ts

@@ -42,6 +42,31 @@ test("POST / runs action and returns 200 HTML", async () => {
   expect(res.headers.get("content-type")).toContain("text/html");
 });
 
+// Regression: an action that *returns* (not throws) a redirect must produce a
+// real 3xx with the Location header — previously it was wrapped into a 200 JSON
+// body, so `<Form>`/the browser never followed it.
+test("POST action that RETURNS redirect() yields a 302 with Location (X-BractJS-Action)", async () => {
+  const res = await fetch(`${BASE}/redirect-action`, {
+    method: "POST",
+    body: new FormData(),
+    headers: { Origin: BASE, "X-BractJS-Action": "1" },
+    redirect: "manual",
+  });
+  expect(res.status).toBe(302);
+  expect(res.headers.get("Location")).toBe("/");
+});
+
+test("full-page POST action that RETURNS redirect() also yields a 302", async () => {
+  const res = await fetch(`${BASE}/redirect-action`, {
+    method: "POST",
+    body: new FormData(),
+    headers: { Origin: BASE },
+    redirect: "manual",
+  });
+  expect(res.status).toBe(302);
+  expect(res.headers.get("Location")).toBe("/");
+});
+
 test("GET /nonexistent returns 404", async () => {
   const res = await fetch(`${BASE}/nonexistent`);
   expect(res.status).toBe(404);
@@ -64,3 +89,40 @@ test("HTML includes <title> from meta()", async () => {
   const html = await res.text();
   expect(html).toContain("BractJS Test Home");
 });
+
+test("SSR HTML renders a real <title> tag in the document (not just the data island)", async () => {
+  const res = await fetch(`${BASE}/`);
+  const html = await res.text();
+  // Strip the <script> data island so we assert on the rendered document head,
+  // not the __BRACTJS_DATA__ JSON (which also contains the title text).
+  const withoutScripts = html.replace(/<script[\s\S]*?<\/script>/g, "");
+  expect(withoutScripts).toMatch(/<title>BractJS Test Home<\/title>/);
+});
+
+test("SSR HTML renders <meta name=description> and og:title from meta()", async () => {
+  const res = await fetch(`${BASE}/`);
+  const html = await res.text();
+  const withoutScripts = html.replace(/<script[\s\S]*?<\/script>/g, "");
+  expect(withoutScripts).toMatch(/<meta[^>]+name="description"[^>]+content="Bract test description"/);
+  expect(withoutScripts).toMatch(/<meta[^>]+property="og:title"[^>]+content="Bract OG Title"/);
+});
+
+// ── /_data auth parity (S2) ─────────────────────────────────────────────────
+// beforeLoad() is the documented contract point for auth. It MUST run for the
+// /_data soft-nav JSON endpoint exactly as it does for a full-page GET, so a
+// gated route cannot leak its loader data as JSON via /_data.
+
+test("full-page GET of a beforeLoad-gated route is blocked (403)", async () => {
+  const res = await fetch(`${BASE}/protected`);
+  expect(res.status).toBe(403);
+  const body = await res.text();
+  expect(body).not.toContain("TOP-SECRET-LOADER-DATA");
+});
+
+test("/_data of a beforeLoad-gated route is blocked and never leaks loader data", async () => {
+  const res = await fetch(`${BASE}/_data?path=/protected`);
+  // Same gate as the full-page GET — beforeLoad short-circuits before loaders.
+  expect(res.status).toBe(403);
+  const body = await res.text();
+  expect(body).not.toContain("TOP-SECRET-LOADER-DATA");
+});

package/src/__tests__/layout-registry.test.ts

@@ -15,11 +15,21 @@ const blogLayoutModule = { default: () => "blog-layout" } as const;
 const blogPostModule = { default: () => "blog-post" } as const;
 const indexModule = { default: () => "index" } as const;
 
+// Module exporting the security-sensitive gate (beforeLoad) + context factory.
+const guardBeforeLoad = () => new Response("Forbidden", { status: 403 });
+const guardContextFactory = { _factory: () => ({ user: null }) };
+const guardedModule = {
+  default: () => "guarded",
+  beforeLoad: guardBeforeLoad,
+  context: guardContextFactory,
+} as const;
+
 const registry: ModuleRegistry = {
   "root.tsx": rootModule,
   "routes/blog/layout.tsx": blogLayoutModule,
   "routes/blog/[slug].tsx": blogPostModule,
   "routes/_index.tsx": indexModule,
+  "routes/guarded.tsx": guardedModule,
 };
 
 beforeAll(async () => {
@@ -92,4 +102,17 @@ describe("resolveRouteChain — registry mode", () => {
     );
     expect(chain.route.default).toBe(blogPostModule.default);
   });
+
+  // SECURITY(high) regression guard: beforeLoad (the auth gate) and the context
+  // factory must survive module projection. Dropping them silently disables
+  // every beforeLoad() — see importRouteModule/pickRouteModule in layout.ts.
+  test("projects beforeLoad and context factory through registry mode", async () => {
+    const chain = await resolveRouteChain(
+      { filePath: "routes/guarded.tsx", urlPattern: "guarded", segments: ["guarded"] },
+      "/nonexistent",
+      registry,
+    );
+    expect(chain.route.beforeLoad).toBe(guardBeforeLoad);
+    expect((chain.route as { context?: unknown }).context).toBe(guardContextFactory);
+  });
 });

package/src/__tests__/loader.test.ts

@@ -77,6 +77,29 @@ describe("runLoaders", () => {
     expect(results.root).toMatchObject({ __error: { message: expect.any(String) } });
     expect(results.route).toEqual({ ok: true });
   });
+
+  test("runs the route loader concurrently with layout loaders (not serialized after)", async () => {
+    // Each loader records when it started relative to the others. If the route
+    // loader were serialized after the layout wave (the old behavior), its
+    // start would be later than the layout loader's *finish*. With true
+    // parallelism, all three observe each other as already-started.
+    let started = 0;
+    let maxConcurrent = 0;
+    const enter = async () => {
+      started++;
+      maxConcurrent = Math.max(maxConcurrent, started);
+      await new Promise((r) => setTimeout(r, 20));
+      started--;
+    };
+    const chain: LayoutChain = {
+      root: { ...emptyModule, loader: async () => { await enter(); return { root: true }; } },
+      layouts: [{ ...emptyModule, loader: async () => { await enter(); return { layout: true }; } }],
+      route: { ...emptyModule, loader: async () => { await enter(); return { route: true }; } },
+    };
+    await runLoaders(chain, stubArgs);
+    // All three loaders must be in flight at the same time.
+    expect(maxConcurrent).toBe(3);
+  });
 });
 
 describe("buildLoaderArgs", () => {

package/src/__tests__/middleware.test.ts

@@ -213,4 +213,26 @@ describe("requestLogger()", () => {
     expect(logs[0]).toContain("/hello");
     expect(logs[0]).toContain("200");
   });
+
+  // SECURITY(medium) regression guard: the query string can carry tokens
+  // (password-reset links, OAuth codes). requestLogger must log only the
+  // pathname, never the search params.
+  test("never logs the query string (token leak guard)", async () => {
+    const logs: string[] = [];
+    const original = console.log;
+    console.log = (...args: unknown[]) => logs.push(args.join(" "));
+    const mw = requestLogger();
+    const ctx = makeCtx({
+      request: new Request("http://localhost/reset?token=SUPER_SECRET_TOKEN&code=abc123"),
+    });
+    const pipeline = new MiddlewarePipeline();
+    pipeline.use(mw);
+    await pipeline.run(ctx, ok200);
+    console.log = original;
+    const line = logs.join("\n");
+    expect(line).toContain("/reset");
+    expect(line).not.toContain("SUPER_SECRET_TOKEN");
+    expect(line).not.toContain("token=");
+    expect(line).not.toContain("abc123");
+  });
 });

package/src/__tests__/programmatic-api.test.ts

@@ -6,8 +6,8 @@
  * bun:test to exit before printing results — a known pre-existing issue.
  * Behavioral coverage (HTTP response, HMR) lives in integration.test.ts.
  */
-import { test, expect } from "bun:test";
-import { loadUserConfig } from "../config/load.ts";
+import { test, expect, describe } from "bun:test";
+import { loadUserConfig, validateUserConfig } from "../config/load.ts";
 import { runBuild } from "../build/bundler.ts";
 import { createDevServer } from "../dev/server.ts";
 import type { BuildConfig } from "../build/bundler.ts";
@@ -26,6 +26,45 @@ test("loadUserConfig returns an object when no bractjs.config.ts exists", async
   expect(cfg).not.toBeNull();
 });
 
+describe("validateUserConfig", () => {
+  test("accepts an empty object", () => {
+    expect(validateUserConfig({})).toEqual({});
+  });
+
+  test("accepts a well-formed config", () => {
+    const cfg = {
+      port: 4000,
+      appDir: "./app",
+      minify: false,
+      sourcemap: "inline" as const,
+      clientEnv: ["PUBLIC_API_URL"],
+    };
+    expect(validateUserConfig(cfg)).toBe(cfg);
+  });
+
+  test("rejects a non-object export", () => {
+    expect(() => validateUserConfig("nope")).toThrow(/must be a config object/);
+    expect(() => validateUserConfig([])).toThrow(/must be a config object/);
+    expect(() => validateUserConfig(null)).toThrow(/must be a config object/);
+  });
+
+  test("rejects a string port", () => {
+    expect(() => validateUserConfig({ port: "3000" })).toThrow(/"port" must be a finite number/);
+  });
+
+  test("rejects a non-array clientEnv", () => {
+    expect(() => validateUserConfig({ clientEnv: "PUBLIC_API_URL" })).toThrow(/"clientEnv" must be an array/);
+  });
+
+  test("rejects an invalid sourcemap value", () => {
+    expect(() => validateUserConfig({ sourcemap: "yes" })).toThrow(/"sourcemap" must be/);
+  });
+
+  test("ignores unknown keys and undefined values", () => {
+    expect(() => validateUserConfig({ port: undefined, somethingCustom: 1 })).not.toThrow();
+  });
+});
+
 // ── runBuild ──────────────────────────────────────────────────────────────
 
 test("runBuild is exported from build/bundler", () => {

package/src/__tests__/response.test.ts

@@ -1,5 +1,5 @@
 import { test, expect, describe } from "bun:test";
-import { redirect, json, error } from "../server/response.ts";
+import { redirect, json, error, sanitizeRedirect } from "../server/response.ts";
 
 describe("redirect", () => {
   test("returns 302 by default with Location header", () => {
@@ -33,6 +33,19 @@ describe("redirect", () => {
       expect(() => redirect("/\\evil.com")).toThrow();
     });
 
+    test("rejects percent-encoded authority escapes (%2f, %5c)", () => {
+      expect(() => redirect("/%2f%2fevil.com")).toThrow();
+      expect(() => redirect("/%2F/evil.com")).toThrow();
+      expect(() => redirect("/%5cevil.com")).toThrow();
+    });
+
+    test("rejects control/whitespace-prefixed escapes browsers normalize", () => {
+      expect(() => redirect("/\t//evil.com")).toThrow();
+      expect(() => redirect("/\n/evil.com")).toThrow();
+      expect(() => redirect("/ /evil.com")).toThrow();
+      expect(() => redirect("\t//evil.com")).toThrow();
+    });
+
     test("rejects javascript: and data: schemes", () => {
       expect(() => redirect("javascript:alert(1)")).toThrow();
       expect(() => redirect("data:text/html,x")).toThrow();
@@ -50,6 +63,46 @@ describe("redirect", () => {
   });
 });
 
+describe("sanitizeRedirect", () => {
+  const reqUrl = "https://app.example/page";
+
+  test("passes non-redirect responses through untouched", () => {
+    const res = json({ ok: true }, { status: 200 });
+    expect(sanitizeRedirect(res, reqUrl)).toBe(res);
+  });
+
+  test("passes same-origin relative Location through", () => {
+    const res = new Response(null, { status: 302, headers: { Location: "/dashboard" } });
+    const out = sanitizeRedirect(res, reqUrl);
+    expect(out.status).toBe(302);
+    expect(out.headers.get("Location")).toBe("/dashboard");
+  });
+
+  test("passes same-origin absolute Location through", () => {
+    const res = new Response(null, { status: 302, headers: { Location: "https://app.example/x" } });
+    expect(sanitizeRedirect(res, reqUrl).headers.get("Location")).toBe("https://app.example/x");
+  });
+
+  test("blocks raw off-origin Location → 500, no Location", () => {
+    const res = new Response(null, { status: 302, headers: { Location: "https://evil.com" } });
+    const out = sanitizeRedirect(res, reqUrl);
+    expect(out.status).toBe(500);
+    expect(out.headers.get("Location")).toBeNull();
+  });
+
+  test("blocks raw protocol-relative Location", () => {
+    const res = new Response(null, { status: 302, headers: { Location: "//evil.com/x" } });
+    expect(sanitizeRedirect(res, reqUrl).status).toBe(500);
+  });
+
+  test("respects allowExternal opt-in branding from redirect()", () => {
+    const res = redirect("https://allowed.example/cb", 302, undefined, { allowExternal: true });
+    const out = sanitizeRedirect(res, reqUrl);
+    expect(out.status).toBe(302);
+    expect(out.headers.get("Location")).toBe("https://allowed.example/cb");
+  });
+});
+
 describe("json", () => {
   test("sets Content-Type to application/json", () => {
     const res = json({ ok: true });

package/src/__tests__/security.test.ts

@@ -11,6 +11,7 @@ import { createCookieSession } from "../server/session.ts";
 import { MiddlewarePipeline, type MiddlewareContext } from "../server/middleware.ts";
 import { serveStatic } from "../server/static.ts";
 import { handleImageRequest } from "../image/handler.ts";
+import { isAllowedMutation } from "../server/csrf.ts";
 
 const ACTION_TMP = resolve(import.meta.dir, ".tmp-security-action");
 let registeredActionId = "";
@@ -167,6 +168,40 @@ describe("CSRF — cross-origin mutation", () => {
   });
 });
 
+describe("CSRF — Sec-Fetch-Site (isAllowedMutation)", () => {
+  function req(headers: Record<string, string>): Request {
+    return new Request("http://localhost/_action?id=abc", { method: "POST", headers });
+  }
+
+  test("Sec-Fetch-Site: cross-site is rejected even with a forged X-BractJS-Action header", () => {
+    expect(isAllowedMutation(req({ "Sec-Fetch-Site": "cross-site", "X-BractJS-Action": "1" }))).toBe(false);
+  });
+
+  test("Sec-Fetch-Site: same-site is rejected even with a forged X-BractJS-Action header", () => {
+    expect(isAllowedMutation(req({ "Sec-Fetch-Site": "same-site", "X-BractJS-Action": "1" }))).toBe(false);
+  });
+
+  test("Sec-Fetch-Site: cross-site is rejected even with a matching Origin", () => {
+    expect(isAllowedMutation(req({ "Sec-Fetch-Site": "cross-site", Origin: "http://localhost" }))).toBe(false);
+  });
+
+  test("Sec-Fetch-Site: same-origin with custom header is allowed", () => {
+    expect(isAllowedMutation(req({ "Sec-Fetch-Site": "same-origin", "X-BractJS-Action": "1" }))).toBe(true);
+  });
+
+  test("Sec-Fetch-Site: none (direct navigation) with same-origin Origin is allowed", () => {
+    expect(isAllowedMutation(req({ "Sec-Fetch-Site": "none", Origin: "http://localhost" }))).toBe(true);
+  });
+
+  test("no headers at all is rejected (non-browser client must opt in)", () => {
+    expect(isAllowedMutation(req({}))).toBe(false);
+  });
+
+  test("same-origin Sec-Fetch-Site with no Origin and no custom header is allowed", () => {
+    expect(isAllowedMutation(req({ "Sec-Fetch-Site": "same-origin" }))).toBe(true);
+  });
+});
+
 // ── Item 5 — safeStringify ───────────────────────────────────────────────
 
 describe("safeStringify", () => {

package/src/__tests__/server-module-stub.test.ts

@@ -0,0 +1,145 @@
+import { test, expect, describe, beforeAll, afterAll } from "bun:test";
+import { mkdir, rm, writeFile } from "node:fs/promises";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { serverModuleStubPlugin, serverOnlyPlugin } from "../build/env-plugin.ts";
+
+let dir = "";
+
+beforeAll(async () => {
+  dir = join(tmpdir(), `bract-server-stub-${Date.now()}`);
+  await mkdir(dir, { recursive: true });
+});
+
+afterAll(async () => {
+  await rm(dir, { recursive: true, force: true });
+});
+
+async function bundleClient(entry: string, plugin: typeof serverModuleStubPlugin): Promise<string> {
+  const out = await Bun.build({
+    entrypoints: [entry],
+    target: "browser",
+    minify: false,
+    plugins: [plugin],
+  });
+  if (!out.success) throw new Error(out.logs.join("\n"));
+  return await out.outputs[0].text();
+}
+
+// A realistic server module: imports a Bun builtin and exposes DB-ish helpers.
+const SERVER_SRC = `import { Database } from "bun:sqlite";
+const db = new Database(":memory:");
+db.run("CREATE TABLE todos (id TEXT, secret TEXT)");
+export const SUPER_SECRET = "do-not-ship-me";
+export function listTodos() { return db.query("SELECT * FROM todos").all(); }
+export async function addTodo(title) { db.run("INSERT INTO todos VALUES (?, ?)", [title, SUPER_SECRET]); }
+export default { db };
+`;
+
+describe("serverModuleStubPlugin", () => {
+  test("a route importing a *.server.ts (with bun:sqlite) builds instead of hard-failing", async () => {
+    const server = join(dir, "store.server.ts");
+    await writeFile(server, SERVER_SRC);
+    const route = join(dir, "route-ok.tsx");
+    await writeFile(
+      route,
+      `import { addTodo, listTodos } from "./store.server.ts";
+       export async function loader() { return { todos: listTodos() }; }
+       export async function action(fd) { await addTodo(fd.get("title")); return {}; }
+       export default function Page() { return null; }
+      `,
+    );
+    // Must not throw — the old serverOnlyPlugin would reject this import.
+    const code = await bundleClient(route, serverModuleStubPlugin);
+    expect(code).toContain("__bractServerStub");
+  });
+
+  test("zero server source reaches the client bundle", async () => {
+    const server = join(dir, "store2.server.ts");
+    await writeFile(server, SERVER_SRC);
+    const route = join(dir, "route-leak.tsx");
+    await writeFile(
+      route,
+      `import { addTodo, listTodos, SUPER_SECRET } from "./store2.server.ts";
+       export async function loader() { return { todos: listTodos(), s: SUPER_SECRET }; }
+       export async function action(fd) { await addTodo(fd.get("title")); return {}; }
+       export default function Page() { return null; }
+      `,
+    );
+    const code = await bundleClient(route, serverModuleStubPlugin);
+    // None of the server internals may appear in the client output.
+    expect(code).not.toContain("bun:sqlite");
+    expect(code).not.toContain("do-not-ship-me");
+    expect(code).not.toContain("INSERT INTO");
+    expect(code).not.toContain("CREATE TABLE");
+    expect(code).not.toContain("new Database");
+  });
+
+  test("named + default exports are preserved as resolvable stubs", async () => {
+    const server = join(dir, "store3.server.ts");
+    await writeFile(server, SERVER_SRC);
+    const route = join(dir, "route-default.tsx");
+    await writeFile(
+      route,
+      `import store, { listTodos } from "./store3.server.ts";
+       export const a = typeof listTodos;
+       export const b = typeof store;
+       export default function Page() { return null; }
+      `,
+    );
+    // If default/named stubs weren't emitted, the bundle would fail to resolve.
+    const code = await bundleClient(route, serverModuleStubPlugin);
+    expect(code).toContain("__bractServerStub");
+  });
+
+  test("a stub throws a clear error if actually invoked on the client", async () => {
+    const server = join(dir, "store4.server.ts");
+    await writeFile(server, SERVER_SRC);
+    // Bundle just the server module so we can import and exercise the stub.
+    const out = await Bun.build({
+      entrypoints: [server],
+      target: "browser",
+      minify: false,
+      format: "esm",
+      plugins: [serverModuleStubPlugin],
+    });
+    if (!out.success) throw new Error(out.logs.join("\n"));
+    const js = await out.outputs[0].text();
+    // Import the bundled stub via a data: URL so we exercise the real emitted
+    // code without depending on filesystem module resolution.
+    const dataUrl = "data:text/javascript;base64," + Buffer.from(js).toString("base64");
+    const mod = (await import(dataUrl)) as { addTodo: (...a: unknown[]) => unknown };
+    expect(() => mod.addTodo("x")).toThrow(/server\.ts|not.*available in the browser/);
+  });
+
+  test("legacy serverOnlyPlugin still hard-fails the same import", async () => {
+    const server = join(dir, "store5.server.ts");
+    await writeFile(server, SERVER_SRC);
+    const route = join(dir, "route-legacy.tsx");
+    // The import must be *used* (and have a side effect Bun can't drop), or Bun
+    // tree-shakes the unused import and never loads the server module — meaning
+    // the guard's throwing onLoad never fires.
+    await writeFile(
+      route,
+      `import { listTodos } from "./store5.server.ts";
+       export async function loader() { return { todos: listTodos() }; }
+       export default function Page() { return null; }
+      `,
+    );
+    // The guard's onLoad throws when the (used) server import is loaded. Bun
+    // surfaces that as a rejected build, so assert the build does not succeed.
+    let failed = false;
+    try {
+      const out = await Bun.build({
+        entrypoints: [route],
+        target: "browser",
+        minify: false,
+        plugins: [serverOnlyPlugin],
+      });
+      failed = !out.success;
+    } catch {
+      failed = true; // onLoad throw propagated as a rejection
+    }
+    expect(failed).toBe(true);
+  });
+});

package/src/__tests__/stream-handler.test.ts

@@ -0,0 +1,36 @@
+import { test, expect, describe } from "bun:test";
+import { handleStreamRequest } from "../server/stream-handler.ts";
+
+const VALID_ID = "0123456789abcdef"; // 16 lowercase hex chars (passes the id regex)
+
+function streamReq(headers: Record<string, string>, id = VALID_ID): Request {
+  return new Request(`http://localhost/_stream?id=${id}`, { method: "GET", headers });
+}
+
+describe("handleStreamRequest — CSRF gate", () => {
+  test("non-/_stream path returns null (falls through)", async () => {
+    const res = await handleStreamRequest(new Request("http://localhost/other"));
+    expect(res).toBeNull();
+  });
+
+  test("missing X-BractJS-Action → 403 even with a same-origin Origin", async () => {
+    const res = await handleStreamRequest(streamReq({ Origin: "http://localhost" }));
+    expect(res?.status).toBe(403);
+  });
+
+  test("missing X-BractJS-Action → 403 with no headers", async () => {
+    const res = await handleStreamRequest(streamReq({}));
+    expect(res?.status).toBe(403);
+  });
+
+  test("with X-BractJS-Action but unknown id → 404 (passes the gate)", async () => {
+    const res = await handleStreamRequest(streamReq({ "X-BractJS-Action": "1" }));
+    // Gate passed; unknown action id resolves to 404 (not 403).
+    expect(res?.status).toBe(404);
+  });
+
+  test("with X-BractJS-Action but malformed id → 400 (passes the gate)", async () => {
+    const res = await handleStreamRequest(streamReq({ "X-BractJS-Action": "1" }, "NOT-HEX"));
+    expect(res?.status).toBe(400);
+  });
+});