@bractjs/bractjs 0.1.5 → 0.1.6

package/src/server/csrf.ts

@@ -0,0 +1,16 @@
+/**
+ * Cross-origin POST/PUT/DELETE/PATCH protection.
+ * Allow when: request carries X-BractJS-Action header (client-issued, blocked
+ * cross-origin by CORS for non-simple requests), OR the Origin header matches
+ * the request URL's origin.
+ */
+export function isAllowedMutation(request: Request): boolean {
+  if (request.headers.get("X-BractJS-Action")) return true;
+  const origin = request.headers.get("Origin");
+  if (!origin) return false;
+  try {
+    return new URL(origin).origin === new URL(request.url).origin;
+  } catch {
+    return false;
+  }
+}

package/src/server/env.ts

@@ -10,6 +10,11 @@ export function requireEnv(key: string): string {
   return value;
 }
 
+// Build LS/PS at runtime so the source contains no raw U+2028/U+2029
+// (which would break JS parsing as LineTerminators).
+const LS = String.fromCharCode(0x2028);
+const PS = String.fromCharCode(0x2029);
+
 export function safeStringify(data: unknown): string {
   const seen = new WeakSet();
   const json = JSON.stringify(data, (_key, value) => {
@@ -19,11 +24,12 @@ export function safeStringify(data: unknown): string {
     }
     return value;
   });
-  // Escape HTML-sensitive characters so this JSON is safe to embed inside a
-  // <script> tag.  \u003c / \u003e / \u0026 are valid JSON unicode escapes —
-  // JSON.parse on the client decodes them transparently.
+  // Escape HTML-sensitive chars + JS LineTerminators (U+2028 / U+2029) so this
+  // JSON is safe to embed inside a <script> tag.
   return json
     .replace(/</g, "\\u003c")
     .replace(/>/g, "\\u003e")
-    .replace(/&/g, "\\u0026");
+    .replace(/&/g, "\\u0026")
+    .replaceAll(LS, "\\u2028")
+    .replaceAll(PS, "\\u2029");
 }

package/src/server/middleware.ts

@@ -30,16 +30,20 @@ export class MiddlewarePipeline {
     ctx: MiddlewareContext,
     handler: () => Promise<Response>,
   ): Promise<Response> {
-    let index = 0;
     const fns = this.fns;
-
-    const dispatch = (): Promise<Response> => {
-      if (index >= fns.length) return handler();
-      const fn = fns[index++];
-      return fn(ctx, dispatch);
+    let lastCalled = -1;
+
+    const dispatch = (i: number): Promise<Response> => {
+      if (i <= lastCalled) {
+        return Promise.reject(new Error("middleware: next() called more than once"));
+      }
+      lastCalled = i;
+      if (i >= fns.length) return handler();
+      const fn = fns[i];
+      return fn(ctx, () => dispatch(i + 1));
     };
 
-    return dispatch();
+    return dispatch(0);
   }
 }
 

package/src/server/render.ts

@@ -35,12 +35,14 @@ export async function renderRoute(options: RenderOptions): Promise<Response> {
     status = 200,
   } = options;
 
-  const devOverlay = isDev() ? errorOverlayScript + "\n" : "";
-  const metaHtml = renderMetaTags(mergeMeta(options.meta ?? []));
-  // Include manifest + routeFile so the client can pre-import the route module
-  // before hydrateRoot(), preventing the SSR/client tree mismatch.
+  const devFlag = isDev() ? "window.__BRACT_DEV__=true;" : "";
+  const devOverlay = isDev() ? devFlag + errorOverlayScript + "\n" : "";
+  const mergedMeta = mergeMeta(options.meta ?? []);
+  // metaHtml is injected into <head> via React (the renderToReadableStream tree
+  // is expected to use it). The merged descriptor array is what the client
+  // reads — keep it shaped, not stringified HTML.
   const bootstrapScriptContent =
-    devOverlay + `window.__BRACTJS_DATA__=${safeStringify({ loaderData, actionData, params, pathname, manifest, routeFile: options.routeFile, meta: metaHtml })};`;
+    devOverlay + `window.__BRACTJS_DATA__=${safeStringify({ loaderData, actionData, params, pathname, manifest, routeFile: options.routeFile, meta: mergedMeta })};`;
 
   let renderError: unknown;
 

package/src/server/request-handler.ts

@@ -1,4 +1,3 @@
-import { join } from "node:path";
 import { createElement } from "react";
 import type { TrieNode } from "./matcher.ts";
 import { matchRoute } from "./matcher.ts";
@@ -7,9 +6,11 @@ import { runLoaders, runAction, buildLoaderArgs } from "./loader.ts";
 import { renderRoute, type ServerManifest } from "./render.ts";
 import { resolveMeta } from "./meta.ts";
 import { json, error } from "./response.ts";
-import { isRedirect } from "../shared/errors.ts";
+import { isRedirect, isHttpError } from "../shared/errors.ts";
+import { isDev } from "./env.ts";
 import { pipeline, type MiddlewareContext } from "./middleware.ts";
 import { BractJSProvider } from "../shared/context.ts";
+import { isAllowedMutation } from "./csrf.ts";
 
 export interface HandlerConfig {
   appDir: string;
@@ -39,17 +40,10 @@ async function route(
   config: HandlerConfig,
   context: Record<string, unknown>,
 ): Promise<Response> {
-  const { appDir, publicDir, manifest } = config;
+  const { appDir, manifest } = config;
   const url = new URL(request.url);
   const { pathname, searchParams } = url;
 
-  // ── Static public assets ──────────────────────────────────────────────
-  if (pathname.startsWith("/public/")) {
-    const file = Bun.file(join(publicDir, pathname.slice("/public/".length)));
-    if (await file.exists()) return new Response(file);
-    return error("Not Found", 404);
-  }
-
   // ── /_data soft-nav JSON endpoint ─────────────────────────────────────
   if (pathname.startsWith("/_data")) {
     const targetPath = searchParams.get("path") ?? "/";
@@ -77,12 +71,17 @@ async function route(
   // ── Action (mutating methods) ─────────────────────────────────────────
   let actionData: unknown = null;
   if (MUTATING_METHODS.has(request.method)) {
+    if (!isAllowedMutation(request)) return error("Forbidden", 403);
     try {
-      const formData = await request.formData();
+      const ct = request.headers.get("Content-Type") ?? "";
+      const isFormLike = ct.includes("multipart/form-data") || ct.includes("application/x-www-form-urlencoded");
+      const formData = isFormLike ? await request.formData() : new FormData();
       actionData = await runAction(chain.route, { ...args, formData });
     } catch (err) {
       if (isRedirect(err)) return err as Response;
-      throw err;
+      if (isHttpError(err)) return error(err.message, err.status);
+      if (isDev()) return error(err instanceof Error ? err.message : String(err), 500);
+      return error("Internal Server Error", 500);
     }
 
     // Client-side Form submits with this header — return JSON, not HTML.
@@ -97,7 +96,9 @@ async function route(
     loaderResults = await runLoaders(chain, args);
   } catch (err) {
     if (isRedirect(err)) return err as Response;
-    throw err;
+    if (isHttpError(err)) return error(err.message, err.status);
+    if (isDev()) return error(err instanceof Error ? err.message : String(err), 500);
+    return error("Internal Server Error", 500);
   }
 
   const loaderData = {

package/src/server/response.ts

@@ -1,8 +1,32 @@
-export function redirect(url: string, status: number = 302): Response {
-  return new Response(null, {
-    status,
-    headers: { Location: url },
-  });
+export interface RedirectOptions {
+  /** Allow absolute URLs to other origins. Default false. */
+  allowExternal?: boolean;
+}
+
+function isSafeInternalRedirect(url: string): boolean {
+  // Must be path-only: single leading "/" not followed by "/" or "\".
+  // Rejects: "//evil.com", "/\\evil.com", "https://...", "javascript:...", "".
+  if (url.length === 0) return false;
+  if (url[0] !== "/") return false;
+  if (url[1] === "/" || url[1] === "\\") return false;
+  return true;
+}
+
+export function redirect(
+  url: string,
+  status: number = 302,
+  headers?: HeadersInit,
+  options?: RedirectOptions,
+): Response {
+  if (!options?.allowExternal && !isSafeInternalRedirect(url)) {
+    throw new Error(
+      `[bractjs] redirect: unsafe Location "${url}". ` +
+        `Pass { allowExternal: true } to redirect off-origin.`,
+    );
+  }
+  const h = new Headers(headers);
+  h.set("Location", url);
+  return new Response(null, { status, headers: h });
 }
 
 export function json<T>(data: T, init?: ResponseInit): Response {

package/src/server/scanner.ts

@@ -1,3 +1,5 @@
+import { basename } from "node:path";
+
 // ── Types ──────────────────────────────────────────────────────────────────
 
 export type Segment = string | { param: string } | { catchAll: string };
@@ -54,8 +56,10 @@ export async function scanRoutes(appDir: string): Promise<RouteFile[]> {
   const routes: RouteFile[] = [];
 
   for await (const filePath of glob.scan(appDir)) {
-    // Skip layout files — handled separately
-    if (filePath.endsWith("/layout.tsx") || filePath.endsWith("/layout.ts")) {
+    // Skip layout files — handled separately. Use basename so this also
+    // skips top-level "routes/layout.tsx" on any OS.
+    const base = basename(filePath);
+    if (base === "layout.tsx" || base === "layout.ts") {
       continue;
     }
 

package/src/server/session.ts

@@ -52,15 +52,20 @@ async function sign(data: string, secret: string): Promise<string> {
 }
 
 async function verify(data: string, sig: string, secrets: string[]): Promise<boolean> {
+  // Iterate ALL secrets without short-circuit, and do full-length constant-time
+  // compare against every candidate to avoid leaking which secret matched (or
+  // whether a length mismatch occurred) via timing.
+  let ok = false;
   for (const secret of secrets) {
     const expected = await sign(data, secret);
-    if (expected.length === sig.length) {
-      let diff = 0;
-      for (let i = 0; i < expected.length; i++) diff |= expected.charCodeAt(i) ^ sig.charCodeAt(i);
-      if (diff === 0) return true;
+    const len = Math.max(expected.length, sig.length);
+    let diff = expected.length ^ sig.length;
+    for (let i = 0; i < len; i++) {
+      diff |= (expected.charCodeAt(i) || 0) ^ (sig.charCodeAt(i) || 0);
     }
+    if (diff === 0) ok = true;
   }
-  return false;
+  return ok;
 }
 
 function makeSession(data: SessionData): InternalSession {
@@ -77,6 +82,12 @@ function makeSession(data: SessionData): InternalSession {
 
 export function createCookieSession(options: CookieSessionOptions): SessionStorage {
   const { name, secrets, maxAge, secure = true, sameSite = "Lax" } = options;
+  if (!Array.isArray(secrets) || secrets.length === 0) {
+    throw new Error("createCookieSession: secrets must be a non-empty array");
+  }
+  if (!secrets.every((s) => typeof s === "string" && s.length >= 16)) {
+    throw new Error("createCookieSession: each secret must be a string of length >= 16");
+  }
 
   return {
     async getSession(cookie?: string | null): Promise<Session> {

package/src/server/static.ts

@@ -1,26 +1,42 @@
-import { join, resolve } from "node:path";
+import { join, resolve, sep } from "node:path";
+import { realpath } from "node:fs/promises";
 
 const IMMUTABLE = "public, max-age=31536000, immutable";
 const NO_CACHE = "no-cache";
 
+// Resolve to a canonical path that follows symlinks. Returns null if the
+// target doesn't exist OR escapes the given root after symlink expansion.
+async function safeRealpath(root: string, requested: string): Promise<string | null> {
+  const candidate = resolve(join(root, requested));
+  // Cheap structural reject before touching the FS.
+  if (!candidate.startsWith(root + sep) && candidate !== root) return null;
+  let real: string;
+  try {
+    real = await realpath(candidate);
+  } catch {
+    return null;
+  }
+  if (!real.startsWith(root + sep) && real !== root) return null;
+  return real;
+}
+
 /**
  * Serve hashed client assets or public/ files.
  * Returns null if the path doesn't match or the file isn't found.
- * Guards against path traversal by resolving and prefix-checking.
+ * Guards against path traversal AND symlink escape.
  */
 export async function serveStatic(
   pathname: string,
   buildDir: string,
   publicDir: string,
 ): Promise<Response | null> {
-  // Security: reject traversal sequences before any path resolution
   if (pathname.includes("..")) return null;
 
   if (pathname.startsWith("/build/client/")) {
     const rel = pathname.slice("/build/client/".length);
     const root = resolve(join(buildDir, "client"));
-    const full = resolve(join(root, rel));
-    if (!full.startsWith(root + "/") && full !== root) return null;
+    const full = await safeRealpath(root, rel);
+    if (!full) return null;
     const file = Bun.file(full);
     if (!(await file.exists())) return null;
     return new Response(file, { headers: { "Cache-Control": IMMUTABLE } });
@@ -29,8 +45,8 @@ export async function serveStatic(
   if (pathname.startsWith("/public/")) {
     const rel = pathname.slice("/public/".length);
     const root = resolve(publicDir);
-    const full = resolve(join(root, rel));
-    if (!full.startsWith(root + "/") && full !== root) return null;
+    const full = await safeRealpath(root, rel);
+    if (!full) return null;
     const file = Bun.file(full);
     if (!(await file.exists())) return null;
     return new Response(file, { headers: { "Cache-Control": NO_CACHE } });