@increase21/simplenodejs 1.0.30 → 1.1.1

package/README.md

@@ -105,51 +105,27 @@ controllers/
     accountProfiles    → /drivers/account-profiles
 ```
 
-### Using __run
-
-`__run` dispatches to the correct handler based on the HTTP method and enforces method-level ID validation.
+Controllers are plain classes — no base class required. Each method represents an endpoint and returns an array of `SimpleJsEndpointDescriptor` objects that declare which HTTP methods are supported and which handler to call.
 
 ```ts
 // controllers/drivers/auths.ts
-import { SimpleNodeJsController, SimpleJsPrivateMethodProps } from "@increase21/simplenodejs";
-
-export default class AuthController extends SimpleNodeJsController {
-  async login() {
-    return this.__run({
-      post: () => { // handle POST /drivers/auths/login
-        return { token: "..." };
-      },
-    });
-  }
-
-  async account(id: string) {
-    return this.__run({
-        get: () => {
-          // handle GET  /drivers/auths/account/:id
-        },
-        put: () => {
-          // handle PUT  /drivers/auths/account/:id
-        },
-        delete: () => {
-          // handle DELETE  /drivers/auths/account/:id
-        },
-        id:{get:"optional", delete:"required",put:"required"}
-      },
-    );
-  }
-}
-```
+import { SimpleJsCtx, SimpleJsEndpointDescriptor } from "@increase21/simplenodejs";
 
-### Without __run
+export default class AuthController {
 
-```ts
-export default class AuthController extends SimpleNodeJsController {
-  async login() {
-    if (this.method !== "post") return this.res.status(405).json({ error: "Method Not Allowed" });
+  async login(_ctx: SimpleJsCtx): Promise<SimpleJsEndpointDescriptor[]> {
+    return [
+      { method: "get",    handler: getLogin, middleware:LoginGetMiddleware },
+      { method: "post",   handler: postLogin, middleware:LoginPostMiddleware },
+    ];
+  }
 
-    const { email, password } = this.body;
-    // ... your logic
-    return this.res.status(200).json({ token: "..." });
+  async account(_ctx: SimpleJsCtx, id: string): Promise<SimpleJsEndpointDescriptor[]> {
+    return [
+      { method: "get",    id: "optional",  handler: getAccount },
+      { method: "put",    id: "required",  handler: updateAccount },
+      { method: "delete", id: "required",  handler: deleteAccount },
+    ];
   }
 }
 ```
@@ -162,13 +138,29 @@ Controller methods use **camelCase** and are exposed as **kebab-case** URLs.
 |---|---|
 | `async index()` | `/drivers/auths` |
 | `async login()` | `/drivers/auths/login` |
-| `async vehicleList(id)` | `/drivers/auths/vehicle-list` or `/drivers/auths/vehicle-list/:id` |
+| `async vehicleList()` | `/drivers/auths/vehicle-list` |
+
+### ID Parameters
+
+Declare `id` in the endpoint method signature to indicate it accepts an ID segment. Use the descriptor's `id` field to enforce whether it is required or optional at the routing level.
+
+```ts
+// GET  /drivers/auths/account        → id is optional
+// GET  /drivers/auths/account/123    → id = "123"
+// PUT  /drivers/auths/account/123    → required, 404 if missing
+async account(_ctx: SimpleJsCtx, id?: string): Promise<SimpleJsEndpointDescriptor[]> {
+  return [
+    { method: "get", id: "optional", handler: getAccount },
+    { method: "put", id: "required", handler: updateAccount },
+  ];
+}
+```
 
 ---
 
-## SimpleJsPrivateMethodProps
+## SimpleJsCtx
 
-Properties available inside `__run` handlers.
+The context object passed to every endpoint method and handler.
 
 | Property | Type | Description |
 |---|---|---|
@@ -176,9 +168,19 @@ Properties available inside `__run` handlers.
 | `res` | `ResponseObject` | Raw response object |
 | `body` | `object` | Parsed request body |
 | `query` | `object` | Parsed query string |
-| `id` | `string \| undefined` | URL path parameter |
 | `customData` | `any` | Data attached by plugins/middlewares via `req._custom_data` |
 
+## SimpleJsEndpointDescriptor
+
+Returned by endpoint methods to declare HTTP method handlers.
+
+| Property | Type | Required | Description |
+|---|---|---|---|
+| `method` | `HttpMethod` | ✅ | HTTP verb: `"get"`, `"post"`, `"put"`, `"patch"`, `"delete"` |
+| `handler` | `(ctx, id?) => any` | ✅ | Method reference to call for this HTTP verb |
+| `id` | `"required" \| "optional"` | ❌ | ID routing rule. Omit if the endpoint never uses an ID |
+| `middleware` | `(req, res, next)` | ❌ | A function to execute before the handler is called |
+
 ---
 
 ## RequestObject (req)
@@ -266,7 +268,7 @@ app.registerPlugin(app => SimpleJsSecurityPlugin(app, opt));
 
 ## SetBodyParser(options)
 
-Parses the request body. Must be registered before controllers access `this.body`.
+Parses the request body. Must be registered before controllers access `ctx.body`.
 
 | Param | Type | Description |
 |---|---|---|
@@ -283,7 +285,13 @@ For context where you need direct stream access (e.g. passing the request to a l
 
 ```ts
 // Path-prefix list — skip body parsing for any URL under /upload
-app.use(SetBodyParser({ limit: "10mb", ignoreStream: [{url:"/upload", method:"post"}, {url:"/files/profile-picture", method:"post"}] }));
+app.use(SetBodyParser({ 
+  limit: "10mb", 
+  ignoreStream: [
+    {url:"/files/", method:"post", type:"prefix"}, 
+    {url:"/files/profile-picture", method:"post", type:"exact"}
+  ]
+  }));
 
 // Predicate function — full control over which requests are skipped
 app.use(SetBodyParser({
@@ -294,22 +302,6 @@ app.use(SetBodyParser({
 
 When a request is ignored, `next()` is called immediately with the stream untouched. Your handler is then responsible for consuming it:
 
-```ts
-import formidable from "formidable";
-
-// Inside your controller handler
-const form = formidable({ maxTotalFileSize: 10 * 1024 * 1024 });
-form.parse(req, (err, fields, files) => {
-  if (err) {
-    // err.code 1009 = file too large, 1015 = total too large
-    if (err.code === 1009 || err.code === 1015)
-      return res.status(413).end("Payload Too Large");
-    return res.status(400).end("Upload Error");
-  }
-  res.json({ fields, files });
-});
-```
-
 ---
 
 ## SetCORS(options?)
@@ -448,12 +440,12 @@ app.registerPlugin(app => SimpleJsCookiePlugin(app, {
   secret: process.env.COOKIE_SECRET,
 }));
 
-// Set a signed cookie in a controller
+// Set a signed cookie in a handler
 const signed = SignCookie(sessionId, process.env.COOKIE_SECRET!);
-this.res.setHeader("Set-Cookie", `session=${signed}; HttpOnly; Secure; SameSite=Strict`);
+ctx.res.setHeader("Set-Cookie", `session=${signed}; HttpOnly; Secure; SameSite=Strict`);
 
-// Read cookie in any controller
-const { session } = this._custom_data.cookies;
+// Read cookie in any handler
+const { session } = ctx.customData.cookies;
 ```
 
 ---

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-export { SimpleNodeJsController } from "./utils/simpleController";
 export { CreateSimpleJsHttpServer, CreateSimpleJsHttpsServer } from "./server";
 export { SetCORS, SetHSTS, SetCSP, SetFrameGuard, SetNoSniff, SetReferrerPolicy, SetPermissionsPolicy, SetCOEP, SetCOOP, SetHelmet, SetRateLimiter, SetBodyParser, } from "./utils/simpleMiddleware";
 export * from "./utils/simplePlugins";
-export type { SimpleJsPrivateMethodProps, Middleware as SimpleJsMiddleware, SimpleJsHttpsServer, RequestObject, ResponseObject } from "./typings/general";
+export type { RequestObject, ResponseObject } from "./typings/general";
+export type { SimpleJsCtx, SimpleJsEndpointDescriptor, SimpleJsHttpsServer, Middleware as SimpleJsMiddleware, ErrorMiddleware as SimpleJsErrorMiddleware } from "./typings/simpletypes";

package/dist/index.js

@@ -14,9 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SetBodyParser = exports.SetRateLimiter = exports.SetHelmet = exports.SetCOOP = exports.SetCOEP = exports.SetPermissionsPolicy = exports.SetReferrerPolicy = exports.SetNoSniff = exports.SetFrameGuard = exports.SetCSP = exports.SetHSTS = exports.SetCORS = exports.CreateSimpleJsHttpsServer = exports.CreateSimpleJsHttpServer = exports.SimpleNodeJsController = void 0;
-var simpleController_1 = require("./utils/simpleController");
-Object.defineProperty(exports, "SimpleNodeJsController", { enumerable: true, get: function () { return simpleController_1.SimpleNodeJsController; } });
+exports.SetBodyParser = exports.SetRateLimiter = exports.SetHelmet = exports.SetCOOP = exports.SetCOEP = exports.SetPermissionsPolicy = exports.SetReferrerPolicy = exports.SetNoSniff = exports.SetFrameGuard = exports.SetCSP = exports.SetHSTS = exports.SetCORS = exports.CreateSimpleJsHttpsServer = exports.CreateSimpleJsHttpServer = void 0;
 var server_1 = require("./server");
 Object.defineProperty(exports, "CreateSimpleJsHttpServer", { enumerable: true, get: function () { return server_1.CreateSimpleJsHttpServer; } });
 Object.defineProperty(exports, "CreateSimpleJsHttpsServer", { enumerable: true, get: function () { return server_1.CreateSimpleJsHttpsServer; } });

package/dist/router.js

@@ -3,11 +3,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.setControllersDir = setControllersDir;
 exports.route = route;
 const helpers_1 = require("./utils/helpers");
-const simpleController_1 = require("./utils/simpleController");
 let controllers = new Map();
 const UNSAFE_METHODS = new Set([
     ...Object.getOwnPropertyNames(Object.prototype),
-    ...Object.getOwnPropertyNames(simpleController_1.SimpleNodeJsController.prototype),
 ]);
 function setControllersDir(dir) {
     controllers = (0, helpers_1.loadControllers)(dir);
@@ -17,55 +15,59 @@ async function route(req, res) {
     let controllerPath = (parts.length > 2 ? "/" + parts.slice(0, 2).join("/") : `/${parts.join("/")}`).toLowerCase().replace(/\-{1}\w{1}/g, match => match.replace("-", "").toUpperCase());
     let methodName = parts.length > 2 ? parts[2] : "index";
     let id = methodName !== "index" ? parts.slice(3) : [];
-    let httpMethod = (req.method || "").toLowerCase();
+    const httpMethod = (req.method || "").toLowerCase();
     const meta = controllers.get(controllerPath);
-    //if the controller is not available or not found
     if (!meta || !meta.name || !meta.Controller)
         return (0, helpers_1.throwHttpError)(404, "The requested resource does not exist");
+    const ctx = {
+        req, res,
+        body: req.body,
+        query: req.query,
+        customData: req._custom_data,
+    };
     const ControllerClass = meta.Controller;
-    const controller = new ControllerClass();
-    //Update the method name to the framework pattern
+    const controller = new ControllerClass(ctx);
+    //if request has ended, do not proceed
+    if (res.writableEnded)
+        return;
+    //sanitize method name, convert kebab-case to camelCase
     methodName = (methodName || "").replace(/\-{1}\w{1}/g, match => match.replace("-", "").toUpperCase());
-    // Block Object.prototype methods (constructor, toString, etc.) and __private convention
+    // Block Object.prototype methods and __private convention
     if (methodName.startsWith("__") || UNSAFE_METHODS.has(methodName)) {
         return (0, helpers_1.throwHttpError)(404, "The requested resource does not exist");
     }
-    //if the endpoint not a function
+    // Fallback to index if method not found (treat path segment as id)
     if (typeof controller[methodName] !== "function") {
         if (typeof controller["index"] === "function" && parts.length === 3) {
+            id = parts.slice(2);
             methodName = "index";
-            id = parts.slice(2) || []; // pass the rest of the path as ID;
         }
         else {
             return (0, helpers_1.throwHttpError)(404, "The requested resource does not exist");
         }
     }
-    //if the data require params but there's no matching params
-    if (id && id.length && (!controller[methodName].length || controller[methodName].length < id.length)) {
-        return (0, helpers_1.throwHttpError)(404, "The requested resource does not exist");
+    //checking if the method does not require id but id is provided, if so, return 404
+    if (id.length && (!controller[methodName].length || controller[methodName].length === 1)) {
+        return (0, helpers_1.throwHttpError)(404, "Resource not found");
     }
-    //bind the controller to use the global properties
-    controller.__bindContext({ req, res });
-    let result = await controller[methodName](...id);
-    //if the cycle has ended
+    const descriptors = await controller[methodName](ctx, ...id);
+    // If the controller method has already sent a response, do not proceed
     if (res.writableEnded)
         return;
-    //if the controller returned nothing and response is not ended, end it
-    if (!result && !res.writableEnded)
+    //if the handler returns no descriptors or an invalid format, end the response
+    if (!descriptors || !Array.isArray(descriptors))
         return res.end();
-    //if there's no method defined for the http verb, return 405
-    if (result && typeof result[httpMethod] !== "function")
+    // Find the descriptor matching the HTTP method
+    const descriptor = descriptors.find((d) => d.method === httpMethod);
+    if (!descriptor)
         return (0, helpers_1.throwHttpError)(405, "Method Not Allowed");
-    // ID validation rules
-    if (id.length && (!result.id || !result.id[httpMethod]))
+    // Id validation
+    if (id.length && !descriptor.id)
         return (0, helpers_1.throwHttpError)(404, "Resource not found");
-    if (result.id && result.id[httpMethod] === "required" && !id.length)
+    if (descriptor.id === "required" && !id.length)
         return (0, helpers_1.throwHttpError)(404, "Resource not found");
-    result = await result[httpMethod]({
-        req, res, query: controller.query, body: controller.body,
-        id: id.join("/"), customData: controller._custom_data
-    });
-    //if not responded
+    // bind to controller so `this` works in regular methods too
+    await descriptor.handler.bind(controller)(ctx, ...id);
     if (!res.writableEnded)
         res.end("");
 }

package/dist/server.d.ts

@@ -1,5 +1,5 @@
 import https from "node:https";
-import { SimpleJsHttpsServer, SimpleJsServer } from "./typings/general";
+import { SimpleJsHttpsServer, SimpleJsServer } from "./typings/simpletypes";
 type ServerOptions = {
     controllersDir?: string;
     tlsOpts?: https.ServerOptions;

package/dist/typings/general.d.ts

@@ -1,7 +1,4 @@
-import http, { IncomingMessage, ServerResponse } from "http";
-import https from "node:https";
-export type Next = () => Promise<any> | void;
-export type Plugin = (app: SimpleJsServer, opts?: any) => Promise<any> | void;
+import { IncomingMessage, ServerResponse } from "http";
 export type HttpMethod = "get" | "post" | "put" | "patch" | "delete";
 export type ObjectPayload = {
     [key: string]: any;
@@ -18,23 +15,3 @@ export type ResponseObject = ServerResponse & {
     json: (value: object) => void;
     text: (value?: string) => void;
 };
-export type Middleware = (req: RequestObject, res: ResponseObject, next: () => Promise<any> | void) => Promise<any> | void;
-export type ErrorMiddleware = (err: any, req: RequestObject, res: ResponseObject, next: Next) => Promise<boolean> | void;
-export interface SimpleJsServer extends http.Server {
-    use(mw: Middleware): Promise<any> | void;
-    useError: (mw: ErrorMiddleware) => void;
-    registerPlugin: (plugin: Plugin) => Promise<any> | void;
-}
-export interface SimpleJsHttpsServer extends https.Server {
-    use(mw: Middleware): Promise<any> | void;
-    useError: (mw: ErrorMiddleware) => void;
-    registerPlugin: (plugin: Plugin) => Promise<any> | void;
-}
-export interface SimpleJsPrivateMethodProps {
-    body: ObjectPayload;
-    res: ResponseObject;
-    req: RequestObject;
-    query: ObjectPayload;
-    customData: any;
-    id?: string;
-}

package/dist/typings/simpletypes.d.ts

@@ -1,4 +1,8 @@
-import { HttpMethod, RequestObject, SimpleJsPrivateMethodProps } from "./general";
+import { HttpMethod, ObjectPayload, RequestObject, ResponseObject } from "./general";
+import http from "node:http";
+import https from "node:https";
+export type Next = () => Promise<any> | void;
+export type Plugin = (app: SimpleJsServer, opts?: any) => Promise<any> | void;
 export type SimpleJSRateLimitType = {
     windowMs: number;
     max: number;
@@ -23,11 +27,27 @@ export interface SimpleJsControllerMeta {
     name: string;
     Controller: any;
 }
-export interface SubRequestHandler {
-    post?: (params: SimpleJsPrivateMethodProps) => void;
-    put?: (params: SimpleJsPrivateMethodProps) => void;
-    get?: (params: SimpleJsPrivateMethodProps) => void;
-    delete?: (params: SimpleJsPrivateMethodProps) => void;
-    patch?: (params: SimpleJsPrivateMethodProps) => void;
-    id?: Partial<Record<HttpMethod, "required" | "optional">>;
+export type Middleware = (req: RequestObject, res: ResponseObject, next: () => Promise<any> | void) => Promise<any> | void;
+export type ErrorMiddleware = (err: any, req: RequestObject, res: ResponseObject, next: Next) => Promise<boolean> | void;
+export interface SimpleJsServer extends http.Server {
+    use(mw: Middleware): Promise<any> | void;
+    useError: (mw: ErrorMiddleware) => void;
+    registerPlugin: (plugin: Plugin) => Promise<any> | void;
+}
+export interface SimpleJsHttpsServer extends https.Server {
+    use(mw: Middleware): Promise<any> | void;
+    useError: (mw: ErrorMiddleware) => void;
+    registerPlugin: (plugin: Plugin) => Promise<any> | void;
+}
+export interface SimpleJsCtx {
+    body: ObjectPayload;
+    res: ResponseObject;
+    req: RequestObject;
+    query: ObjectPayload;
+    customData: any;
+}
+export interface SimpleJsEndpointDescriptor {
+    method: HttpMethod;
+    id?: "required" | "optional";
+    handler: (ctx: SimpleJsCtx, id?: string) => any;
 }

package/dist/utils/helpers.d.ts

@@ -1,5 +1,5 @@
-import { ErrorMiddleware, Middleware, RequestObject, ResponseObject } from "../typings/general";
-import { SimpleJsControllerMeta } from "../typings/simpletypes";
+import { RequestObject, ResponseObject } from "../typings/general";
+import { ErrorMiddleware, Middleware, SimpleJsControllerMeta } from "../typings/simpletypes";
 export declare function composeMiddleware(middlewares: Middleware[]): (req: RequestObject, res: ResponseObject) => Promise<void>;
 export declare function runErrorMiddlewares(err: unknown, errorMiddlewares: ErrorMiddleware[], req: RequestObject, res: ResponseObject): Promise<void>;
 export declare function throwHttpError(code: number, message: string): never;

package/dist/utils/helpers.js

@@ -53,8 +53,8 @@ function loadControllers(root = "controllers") {
     const realBase = node_fs_1.default.realpathSync(base); // resolve the base itself (may be a symlink)
     const map = new Map();
     function walk(dir) {
-        for (const file of node_fs_1.default.readdirSync(dir)) {
-            const full = node_path_1.default.join(dir, file);
+        for (const entry of node_fs_1.default.readdirSync(dir, { withFileTypes: true })) {
+            const full = node_path_1.default.join(dir, entry.name);
             let realFull;
             try {
                 realFull = node_fs_1.default.realpathSync(full); // resolve actual disk path, following all symlinks
@@ -65,10 +65,11 @@ function loadControllers(root = "controllers") {
             // Block anything whose real path is outside the controllers directory
             if (!realFull.startsWith(realBase + node_path_1.default.sep))
                 continue;
-            if (node_fs_1.default.statSync(full).isDirectory())
+            const isDir = entry.isDirectory() || (entry.isSymbolicLink() && node_fs_1.default.statSync(realFull).isDirectory());
+            if (isDir)
                 walk(full);
-            else if (file.endsWith(".js") || file.endsWith(".ts")) {
-                const Controller = require(full)?.default;
+            else if (entry.name.endsWith(".js") || entry.name.endsWith(".ts")) {
+                const Controller = require(realFull)?.default; // use realFull to prevent TOCTOU
                 if (typeof Controller !== "function")
                     continue;
                 const key = full.slice(base.length).replace(/\\/g, "/").replace(/\.(ts|js)$/, "");

package/dist/utils/simpleMiddleware.js

@@ -52,8 +52,9 @@ function SetHSTS(opts) {
 }
 // ─── Content Security Policy ──────────────────────────────────────────────────
 function SetCSP(policy = "default-src 'none'") {
+    const safePolicy = policy.replace(/[\r\n]/g, "");
     return async (_req, res, next) => {
-        res.setHeader("Content-Security-Policy", policy);
+        res.setHeader("Content-Security-Policy", safePolicy);
         await next();
     };
 }
@@ -73,29 +74,33 @@ function SetNoSniff() {
 }
 // ─── Referrer-Policy ──────────────────────────────────────────────────────────
 function SetReferrerPolicy(policy = "no-referrer") {
+    const safePolicy = policy.replace(/[\r\n]/g, "");
     return async (_req, res, next) => {
-        res.setHeader("Referrer-Policy", policy);
+        res.setHeader("Referrer-Policy", safePolicy);
         await next();
     };
 }
 // ─── Permissions-Policy (browser feature control) ────────────────────────────
 function SetPermissionsPolicy(policy = "camera=(), microphone=(), geolocation=(), payment=(), usb=(), display-capture=()") {
+    const safePolicy = policy.replace(/[\r\n]/g, "");
     return async (_req, res, next) => {
-        res.setHeader("Permissions-Policy", policy);
+        res.setHeader("Permissions-Policy", safePolicy);
         await next();
     };
 }
 // ─── Cross-Origin-Embedder-Policy ────────────────────────────────────────────
 function SetCOEP(value = "require-corp") {
+    const safeValue = value.replace(/[\r\n]/g, "");
     return async (_req, res, next) => {
-        res.setHeader("Cross-Origin-Embedder-Policy", value);
+        res.setHeader("Cross-Origin-Embedder-Policy", safeValue);
         await next();
     };
 }
 // ─── Cross-Origin-Opener-Policy ──────────────────────────────────────────────
 function SetCOOP(value = "same-origin") {
+    const safeValue = value.replace(/[\r\n]/g, "");
     return async (_req, res, next) => {
-        res.setHeader("Cross-Origin-Opener-Policy", value);
+        res.setHeader("Cross-Origin-Opener-Policy", safeValue);
         await next();
     };
 }
@@ -105,11 +110,11 @@ function SetHelmet(opts) {
         if (opts?.noSniff !== false)
             res.setHeader("X-Content-Type-Options", "nosniff");
         if (opts?.frameGuard !== false)
-            res.setHeader("X-Frame-Options", typeof opts?.frameGuard === "string" ? opts.frameGuard : "DENY");
+            res.setHeader("X-Frame-Options", typeof opts?.frameGuard === "string" ? opts.frameGuard.replace(/[\r\n]/g, "") : "DENY");
         if (opts?.referrerPolicy !== false)
-            res.setHeader("Referrer-Policy", typeof opts?.referrerPolicy === "string" ? opts.referrerPolicy : "no-referrer");
+            res.setHeader("Referrer-Policy", typeof opts?.referrerPolicy === "string" ? opts.referrerPolicy.replace(/[\r\n]/g, "") : "no-referrer");
         if (opts?.csp !== false)
-            res.setHeader("Content-Security-Policy", typeof opts?.csp === "string" ? opts.csp : "default-src 'none'");
+            res.setHeader("Content-Security-Policy", typeof opts?.csp === "string" ? opts.csp.replace(/[\r\n]/g, "") : "default-src 'none'");
         if (opts?.hsts !== false) {
             const hsts = (opts?.hsts && typeof opts.hsts === "object") ? opts.hsts : {};
             let hstsValue = `max-age=${hsts.maxAge ?? 31536000}`;
@@ -120,11 +125,11 @@ function SetHelmet(opts) {
             res.setHeader("Strict-Transport-Security", hstsValue);
         }
         if (opts?.permissionsPolicy !== false)
-            res.setHeader("Permissions-Policy", typeof opts?.permissionsPolicy === "string" ? opts.permissionsPolicy : "camera=(), microphone=(), geolocation=(), payment=(), usb=(), display-capture=()");
+            res.setHeader("Permissions-Policy", typeof opts?.permissionsPolicy === "string" ? opts.permissionsPolicy.replace(/[\r\n]/g, "") : "camera=(), microphone=(), geolocation=(), payment=(), usb=(), display-capture=()");
         if (opts?.coep !== false)
-            res.setHeader("Cross-Origin-Embedder-Policy", typeof opts?.coep === "string" ? opts.coep : "require-corp");
+            res.setHeader("Cross-Origin-Embedder-Policy", typeof opts?.coep === "string" ? opts.coep.replace(/[\r\n]/g, "") : "require-corp");
         if (opts?.coop !== false)
-            res.setHeader("Cross-Origin-Opener-Policy", typeof opts?.coop === "string" ? opts.coop : "same-origin");
+            res.setHeader("Cross-Origin-Opener-Policy", typeof opts?.coop === "string" ? opts.coop.replace(/[\r\n]/g, "") : "same-origin");
         await next();
     };
 }
@@ -141,10 +146,11 @@ function SetRateLimiter(opts) {
     }, opts.windowMs);
     timer.unref();
     return async (req, res, next) => {
+        const xff = String(req.headers["x-forwarded-for"] || "");
         const ip = opts.trustProxy
             ? (Array.isArray(req.headers["x-forwarded-for"])
                 ? req.headers["x-forwarded-for"][0]
-                : String(req.headers["x-forwarded-for"] || "").split(",")[0].trim()) || req.socket.remoteAddress || "unknown"
+                : (xff.indexOf(",") >= 0 ? xff.slice(0, xff.indexOf(",")) : xff).trim()) || req.socket.remoteAddress || "unknown"
             : req.socket.remoteAddress || "unknown";
         const key = String(opts.keyGenerator?.(req) || ip || "unknown");
         const now = Date.now();
@@ -199,7 +205,7 @@ function SetBodyParser(opts) {
         if (shouldIgnoreStream)
             return resolve(next());
         let size = 0;
-        let body = "";
+        const chunks = [];
         req.on("data", chunk => {
             size += chunk.length;
             if (maxSize && size > maxSize) {
@@ -210,12 +216,13 @@ function SetBodyParser(opts) {
                 req.socket.destroy();
                 return;
             }
-            body += chunk;
+            chunks.push(chunk);
         });
         req.on("end", () => {
             if (res.writableEnded)
                 return resolve();
             try {
+                const body = Buffer.concat(chunks).toString();
                 if (body && contentType.includes("application/json")) {
                     req.body = JSON.parse(body);
                 }

package/dist/utils/simplePlugins.d.ts

@@ -1,5 +1,4 @@
-import { SimpleJsServer } from "../typings/general";
-import { SimpleJSRateLimitType } from "../typings/simpletypes";
+import { SimpleJSRateLimitType, SimpleJsServer } from "../typings/simpletypes";
 import { SetCORS, SetHelmet } from "./simpleMiddleware";
 export declare function SimpleJsSecurityPlugin(app: SimpleJsServer, opts: {
     cors?: Parameters<typeof SetCORS>[0];

package/dist/utils/simplePlugins.js

@@ -40,10 +40,11 @@ function SimpleJsIPWhitelistPlugin(app, opts) {
     const mode = opts.mode || "allow";
     const ipSet = new Set(opts.ips);
     app.use(async (req, _res, next) => {
+        const xff = String(req.headers["x-forwarded-for"] || "");
         const raw = opts.trustProxy
             ? (Array.isArray(req.headers["x-forwarded-for"])
                 ? req.headers["x-forwarded-for"][0]
-                : String(req.headers["x-forwarded-for"] || "").split(",")[0].trim()) || req.socket.remoteAddress || ""
+                : (xff.indexOf(",") >= 0 ? xff.slice(0, xff.indexOf(",")) : xff).trim()) || req.socket.remoteAddress || ""
             : req.socket.remoteAddress || "";
         const ip = normalizeIP(raw);
         const inList = ipSet.has(ip);
@@ -56,7 +57,7 @@ function SimpleJsIPWhitelistPlugin(app, opts) {
 }
 // ─── Cookie Plugin ────────────────────────────────────────────────────────────
 function parseCookieHeader(header) {
-    const result = {};
+    const result = Object.create(null);
     for (const part of header.split(";")) {
         const idx = part.indexOf("=");
         if (idx < 0)
@@ -91,7 +92,7 @@ function SimpleJsCookiePlugin(app, opts) {
     app.use(async (req, _res, next) => {
         const raw = parseCookieHeader(req.headers.cookie || "");
         if (opts?.secret) {
-            const verified = {};
+            const verified = Object.create(null);
             for (const [k, v] of Object.entries(raw)) {
                 if (v.startsWith("s:")) {
                     const inner = v.slice(2);
@@ -192,10 +193,11 @@ function SimpleJsMaintenanceModePlugin(app, opts) {
     app.use(async (req, res, next) => {
         if (!opts.enabled)
             return next();
+        const xff2 = String(req.headers["x-forwarded-for"] || "");
         const raw = opts.trustProxy
             ? (Array.isArray(req.headers["x-forwarded-for"])
                 ? req.headers["x-forwarded-for"][0]
-                : String(req.headers["x-forwarded-for"] || "").split(",")[0].trim()) || req.socket.remoteAddress || ""
+                : (xff2.indexOf(",") >= 0 ? xff2.slice(0, xff2.indexOf(",")) : xff2).trim()) || req.socket.remoteAddress || ""
             : req.socket.remoteAddress || "";
         const ip = normalizeIP(raw);
         if (opts.allowIPs?.includes(ip))

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@increase21/simplenodejs",
-  "version": "1.0.30",
+  "version": "1.1.1",
   "description": "Lightweight Node.js HTTP framework with middlewares and plugins",
   "dev": "dist/index.js",
   "bugs": "https://github.com/increase21/simplenodejs/issues",

package/dist/utils/simpleController.d.ts

@@ -1,14 +0,0 @@
-import { HttpMethod, ObjectPayload, RequestObject, ResponseObject } from "../typings/general";
-import { SubRequestHandler } from "../typings/simpletypes";
-export declare class SimpleNodeJsController {
-    protected req: RequestObject;
-    protected res: ResponseObject;
-    protected body: ObjectPayload;
-    protected query: ObjectPayload;
-    protected method: HttpMethod;
-    protected _custom_data: any;
-    /** @internal */
-    private __bindContext;
-    protected __checkContext(): void;
-    protected __run(handlers: SubRequestHandler): SubRequestHandler;
-}

package/dist/utils/simpleController.js

@@ -1,20 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.SimpleNodeJsController = void 0;
-class SimpleNodeJsController {
-    /** @internal */
-    __bindContext(ctx) {
-        this.req = ctx.req;
-        this.res = ctx.res;
-        this.body = ctx.req.body;
-        this.query = ctx.req.query;
-        this.method = (ctx.req.method || "").toLocaleLowerCase();
-        this._custom_data = ctx.req._custom_data;
-        this.__checkContext();
-    }
-    __checkContext() { }
-    __run(handlers) {
-        return handlers;
-    }
-}
-exports.SimpleNodeJsController = SimpleNodeJsController;