@jasonshimmy/vite-plugin-cer-app 0.7.0 → 0.9.0

package/src/__tests__/cli/preview-hardening.test.ts

@@ -0,0 +1,175 @@
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+import { resolve } from 'pathe'
+
+// Read the preview command source to verify hardening requirements are present.
+const src = readFileSync(
+  resolve(import.meta.dirname, '../../cli/commands/preview.ts'),
+  'utf-8',
+)
+
+// ─── Security headers ─────────────────────────────────────────────────────────
+
+describe('preview server — security headers', () => {
+  it('defines setSecurityHeaders helper', () => {
+    expect(src).toContain('function setSecurityHeaders(')
+  })
+
+  it('sets X-Content-Type-Options: nosniff', () => {
+    expect(src).toContain("'X-Content-Type-Options'")
+    expect(src).toContain('nosniff')
+  })
+
+  it('sets X-Frame-Options: DENY', () => {
+    expect(src).toContain("'X-Frame-Options'")
+    expect(src).toContain('DENY')
+  })
+
+  it('sets Referrer-Policy: strict-origin-when-cross-origin', () => {
+    expect(src).toContain("'Referrer-Policy'")
+    expect(src).toContain('strict-origin-when-cross-origin')
+  })
+
+  it('calls setSecurityHeaders in serveStaticFile', () => {
+    const fnStart = src.indexOf('function serveStaticFile(')
+    const nextFn = src.indexOf('\nfunction ', fnStart + 1)
+    const body = src.slice(fnStart, nextFn > -1 ? nextFn : undefined)
+    expect(body).toContain('setSecurityHeaders(res)')
+  })
+
+  it('calls setSecurityHeaders at the top of the SSR request handler', () => {
+    const handlerStart = src.indexOf('createHttpServer(async (req: IncomingMessage, res: ServerResponse)')
+    const handlerEnd = src.indexOf('server.listen(port', handlerStart)
+    const handler = src.slice(handlerStart, handlerEnd)
+    expect(handler).toContain('setSecurityHeaders(res)')
+    // It should be the first thing done before any routing logic
+    const secHeadersIdx = handler.indexOf('setSecurityHeaders(res)')
+    const urlParseIdx = handler.indexOf('req.url ?? ')
+    expect(secHeadersIdx).toBeLessThan(urlParseIdx)
+  })
+
+  it('calls setSecurityHeaders at the top of the static request handler', () => {
+    const handlerStart = src.indexOf('createHttpServer((req: IncomingMessage, res: ServerResponse)')
+    const handlerEnd = src.indexOf('server.listen(port', handlerStart)
+    const handler = src.slice(handlerStart, handlerEnd)
+    expect(handler).toContain('setSecurityHeaders(res)')
+  })
+})
+
+// ─── Cache-Control ────────────────────────────────────────────────────────────
+
+describe('preview server — Cache-Control', () => {
+  it('defines getCacheControl helper', () => {
+    expect(src).toContain('function getCacheControl(')
+  })
+
+  it('returns immutable cache for /assets/ paths', () => {
+    expect(src).toContain("'/assets/'")
+    expect(src).toContain('public, max-age=31536000, immutable')
+  })
+
+  it('returns no-cache for non-asset paths', () => {
+    // The getCacheControl function must return 'no-cache' as fallback
+    const fnStart = src.indexOf('function getCacheControl(')
+    const fnEnd = src.indexOf('\nfunction ', fnStart + 1)
+    const body = src.slice(fnStart, fnEnd > -1 ? fnEnd : undefined)
+    expect(body).toContain("'no-cache'")
+  })
+
+  it('uses getCacheControl in serveStaticFile instead of hardcoded no-cache', () => {
+    const fnStart = src.indexOf('function serveStaticFile(')
+    const nextFn = src.indexOf('\nfunction ', fnStart + 1)
+    const body = src.slice(fnStart, nextFn > -1 ? nextFn : undefined)
+    expect(body).toContain('getCacheControl(filePath)')
+    // Must NOT have a hardcoded no-cache
+    expect(body).not.toContain("'no-cache'")
+  })
+
+  it('uses getCacheControl for client assets in the static server', () => {
+    // The static server also serves assets from dist/client — it should use getCacheControl
+    const staticHandlerStart = src.indexOf('createHttpServer((req: IncomingMessage, res: ServerResponse)')
+    expect(src.slice(staticHandlerStart)).toContain('getCacheControl(')
+  })
+})
+
+// ─── Graceful shutdown ────────────────────────────────────────────────────────
+
+describe('preview server — graceful shutdown', () => {
+  it('defines registerGracefulShutdown helper', () => {
+    expect(src).toContain('function registerGracefulShutdown(')
+  })
+
+  it('calls server.close() for graceful drain', () => {
+    const fnStart = src.indexOf('function registerGracefulShutdown(')
+    const fnEnd = src.indexOf('\nexport ', fnStart)
+    const body = src.slice(fnStart, fnEnd > -1 ? fnEnd : undefined)
+    expect(body).toContain('server.close(')
+  })
+
+  it('sets a 10-second force-exit timeout', () => {
+    const fnStart = src.indexOf('function registerGracefulShutdown(')
+    const fnEnd = src.indexOf('\nexport ', fnStart)
+    const body = src.slice(fnStart, fnEnd > -1 ? fnEnd : undefined)
+    expect(body).toContain('10_000')
+    expect(body).toContain('process.exit(1)')
+  })
+
+  it('calls t.unref() so the timeout does not keep the event loop alive', () => {
+    const fnStart = src.indexOf('function registerGracefulShutdown(')
+    const fnEnd = src.indexOf('\nexport ', fnStart)
+    const body = src.slice(fnStart, fnEnd > -1 ? fnEnd : undefined)
+    expect(body).toContain('.unref()')
+  })
+
+  it('listens for both SIGTERM and SIGINT', () => {
+    expect(src).toContain("'SIGTERM'")
+    expect(src).toContain("'SIGINT'")
+  })
+
+  it('logs the signal name on shutdown', () => {
+    const fnStart = src.indexOf('function registerGracefulShutdown(')
+    const fnEnd = src.indexOf('\nexport ', fnStart)
+    const body = src.slice(fnStart, fnEnd > -1 ? fnEnd : undefined)
+    expect(body).toContain('signal')
+    expect(body).toContain('console.log(')
+  })
+
+  it('calls registerGracefulShutdown for the SSR server', () => {
+    // registerGracefulShutdown must be called after each server's listen()
+    const firstListen = src.indexOf('server.listen(port')
+    const firstShutdown = src.indexOf('registerGracefulShutdown(server)')
+    expect(firstShutdown).toBeGreaterThan(firstListen)
+  })
+
+  it('calls registerGracefulShutdown for the static server', () => {
+    // Both SSR and static server paths should register graceful shutdown
+    const allShutdowns = src.split('registerGracefulShutdown(server)').length - 1
+    expect(allShutdowns).toBeGreaterThanOrEqual(2)
+  })
+})
+
+// ─── Request timeouts ─────────────────────────────────────────────────────────
+
+describe('preview server — request timeouts', () => {
+  it('sets server.headersTimeout to protect against slow-send attacks', () => {
+    expect(src).toContain('server.headersTimeout')
+    expect(src).toContain('10_000')
+  })
+
+  it('sets server.requestTimeout to limit total request duration', () => {
+    expect(src).toContain('server.requestTimeout')
+    expect(src).toContain('30_000')
+  })
+
+  it('applies timeouts to the SSR server', () => {
+    const ssrListenIdx = src.indexOf("console.log(`[cer-app] SSR preview running at")
+    const ssrTimeoutIdx = src.lastIndexOf('server.requestTimeout', ssrListenIdx)
+    expect(ssrTimeoutIdx).toBeGreaterThan(-1)
+  })
+
+  it('applies timeouts to the static server', () => {
+    const staticListenIdx = src.indexOf("console.log(`[cer-app] Static preview running at")
+    const staticTimeoutIdx = src.lastIndexOf('server.requestTimeout', staticListenIdx)
+    expect(staticTimeoutIdx).toBeGreaterThan(-1)
+  })
+})

package/src/__tests__/cli/preview-isr.test.ts

@@ -1,6 +1,7 @@
 import { describe, it, expect, vi } from 'vitest'
 import type { IncomingMessage, ServerResponse } from 'node:http'
 import {
+  isPathBounded,
   matchRoutePattern,
   findRevalidate,
   findRenderMode,
@@ -9,6 +10,35 @@ import {
   type IsrCacheEntry,
 } from '../../cli/commands/preview-isr.js'
 
+// ─── isPathBounded ────────────────────────────────────────────────────────────
+
+describe('isPathBounded', () => {
+  it('allows normal file paths inside the root', () => {
+    expect(isPathBounded('/dist', '/index.html')).toBe(true)
+  })
+
+  it('allows nested paths inside the root', () => {
+    expect(isPathBounded('/dist', '/assets/app.js')).toBe(true)
+  })
+
+  it('allows the root path itself', () => {
+    expect(isPathBounded('/dist', '/')).toBe(true)
+  })
+
+  it('blocks simple path traversal (../ escape)', () => {
+    expect(isPathBounded('/dist', '/../../../../etc/passwd')).toBe(false)
+  })
+
+  it('blocks a path that escapes by one level', () => {
+    expect(isPathBounded('/dist', '/../secret')).toBe(false)
+  })
+
+  it('does not confuse a sibling directory for the root', () => {
+    // /dist-other starts with /dist but is NOT inside /dist
+    expect(isPathBounded('/dist', '/../dist-other/file')).toBe(false)
+  })
+})
+
 // ─── matchRoutePattern ────────────────────────────────────────────────────────
 
 describe('matchRoutePattern', () => {

package/src/__tests__/plugin/cer-app-plugin.test.ts

@@ -245,6 +245,36 @@ describe('cerApp plugin — load hook', () => {
     expect(result).toContain('appConfig')
     expect(result).toContain('ssg')
   })
+
+  it('excludes _runtimePrivateDefaults from the client bundle', async () => {
+    const plugin = getCerPlugin({ runtimeConfig: { private: { dbUrl: '', secretKey: '' } } })
+    plugin.config({ root: '/project' }, { command: 'serve', mode: 'development' })
+    plugin.configResolved(FAKE_RESOLVED)
+    // Client load (ssr: false / omitted)
+    const clientResult = await plugin.load('\0virtual:cer-app-config') as string
+    expect(clientResult).not.toContain('_runtimePrivateDefaults')
+    expect(clientResult).not.toContain('dbUrl')
+  })
+
+  it('includes _runtimePrivateDefaults in the SSR bundle', async () => {
+    const plugin = getCerPlugin({ runtimeConfig: { private: { dbUrl: '', secretKey: '' } } })
+    plugin.config({ root: '/project' }, { command: 'serve', mode: 'development' })
+    plugin.configResolved(FAKE_RESOLVED)
+    // SSR load (ssr: true)
+    const ssrResult = await plugin.load('\0virtual:cer-app-config', { ssr: true }) as string
+    expect(ssrResult).toContain('_runtimePrivateDefaults')
+    expect(ssrResult).toContain('dbUrl')
+  })
+
+  it('caches SSR and client virtual:cer-app-config separately', async () => {
+    const plugin = getCerPlugin({ runtimeConfig: { private: { token: '' } } })
+    plugin.config({ root: '/project' }, { command: 'serve', mode: 'development' })
+    plugin.configResolved(FAKE_RESOLVED)
+    const client = await plugin.load('\0virtual:cer-app-config') as string
+    const ssr = await plugin.load('\0virtual:cer-app-config', { ssr: true }) as string
+    expect(client).not.toContain('_runtimePrivateDefaults')
+    expect(ssr).toContain('_runtimePrivateDefaults')
+  })
 })
 
 describe('cerApp plugin — transform hook', () => {
@@ -363,6 +393,26 @@ describe('cerApp plugin — buildStart hook', () => {
     await plugin.buildStart()
     expect(writeTsconfigPaths).toHaveBeenCalledTimes(1)
   })
+
+  it('warms virtual:cer-app-config cache under :client key so load() hits it', async () => {
+    // After buildStart(), a subsequent client load (ssr: false) should be served
+    // from cache (generateAppConfigModule is not a public mock, so we verify by
+    // ensuring the load hook returns a non-null result without triggering the
+    // real generator — which is mocked at module level to a fixed string '// mock'
+    // for other modules; appConfig is not mocked, so it generates real code).
+    const plugin = getCerPlugin({ runtimeConfig: { private: { token: '' } } })
+    plugin.config({ root: '/project' }, { command: 'build', mode: 'production' })
+    plugin.configResolved(FAKE_RESOLVED)
+    await plugin.buildStart()
+
+    // Client load should return a result that does NOT include _runtimePrivateDefaults
+    const result = await plugin.load('\0virtual:cer-app-config') as string
+    expect(result).not.toContain('_runtimePrivateDefaults')
+
+    // SSR load (different cache key) should include _runtimePrivateDefaults
+    const ssrResult = await plugin.load('\0virtual:cer-app-config', { ssr: true }) as string
+    expect(ssrResult).toContain('_runtimePrivateDefaults')
+  })
 })
 
 describe('cerApp plugin — configureServer hook', () => {

package/src/__tests__/plugin/entry-server-template.test.ts

@@ -195,4 +195,25 @@ describe('entry-server-template (ENTRY_SERVER_TEMPLATE content)', () => {
     expect(src).toContain('export const isrHandler')
     expect(src).toContain('createIsrHandler(routes, handler)')
   })
+
+  // ─── useCookie req/res store ──────────────────────────────────────────────────
+
+  it('creates _cerReqStore AsyncLocalStorage for request-scoped cookie access', () => {
+    expect(src).toContain('_cerReqStore')
+    expect(src).toContain('__CER_REQ_STORE__')
+  })
+
+  it('exposes _cerReqStore on globalThis as __CER_REQ_STORE__', () => {
+    expect(src).toContain('__CER_REQ_STORE__ = _cerReqStore')
+  })
+
+  it('wraps handler body in _cerReqStore.run({ req, res }, ...) so useCookie can access req/res', () => {
+    expect(src).toContain('_cerReqStore.run({ req, res }')
+    // req/res store wraps the data store — it must appear before _cerDataStore.run
+    const reqStoreIdx = src.indexOf('_cerReqStore.run(')
+    const dataStoreIdx = src.indexOf('_cerDataStore.run(')
+    expect(reqStoreIdx).toBeGreaterThan(-1)
+    expect(dataStoreIdx).toBeGreaterThan(-1)
+    expect(reqStoreIdx).toBeLessThan(dataStoreIdx)
+  })
 })

package/src/__tests__/plugin/resolve-config.test.ts

@@ -155,4 +155,22 @@ describe('resolveConfig', () => {
     const cfg = resolveConfig({ runtimeConfig: { public: { foo: 42 } } }, ROOT)
     expect(cfg.runtimeConfig.public.foo).toBe(42)
   })
+
+  it('defaults runtimeConfig.private to an empty object', () => {
+    const cfg = resolveConfig({}, ROOT)
+    expect(cfg.runtimeConfig.private).toEqual({})
+  })
+
+  it('passes runtimeConfig.private values through', () => {
+    const cfg = resolveConfig({ runtimeConfig: { private: { dbUrl: '', secretKey: '' } } }, ROOT)
+    expect(cfg.runtimeConfig.private).toEqual({ dbUrl: '', secretKey: '' })
+  })
+
+  it('preserves both public and private when both are supplied', () => {
+    const cfg = resolveConfig({
+      runtimeConfig: { public: { apiBase: '/api' }, private: { token: '' } },
+    }, ROOT)
+    expect(cfg.runtimeConfig.public).toEqual({ apiBase: '/api' })
+    expect(cfg.runtimeConfig.private).toEqual({ token: '' })
+  })
 })

package/src/__tests__/plugin/transforms/auto-import.test.ts

@@ -55,6 +55,22 @@ describe('autoImportTransform — target directory gating', () => {
     )
     expect(result).not.toBeNull()
   })
+
+  it('transforms files in middleware/ (so defineMiddleware is auto-imported)', () => {
+    const result = autoImportTransform(
+      "export default defineMiddleware(() => true)",
+      '/project/app/middleware/auth.ts',
+      opts,
+    )
+    expect(result).not.toBeNull()
+    expect(result).toContain('defineMiddleware')
+  })
+
+  it('still returns null for composables/ (not in scope)', () => {
+    expect(
+      autoImportTransform("export default defineMiddleware(() => true)", '/project/app/composables/useTheme.ts', opts),
+    ).toBeNull()
+  })
 })
 
 // ─── No injection needed ─────────────────────────────────────────────────────
@@ -249,6 +265,29 @@ describe('autoImportTransform — framework composable injection', () => {
     const count = result.split(`from ${FRAMEWORK_PKG}`).length - 1
     expect(count).toBe(1)
   })
+
+  it('injects useSeoMeta import when useSeoMeta is used', () => {
+    const code = "component('page-home', () => { useSeoMeta({ title: 'Home', description: 'Welcome' }); return html`<h1>Home</h1>` })"
+    const result = autoImportTransform(code, '/project/app/pages/index.ts', opts)!
+    expect(result).toContain(`from ${FRAMEWORK_PKG}`)
+    expect(result).toContain('useSeoMeta')
+  })
+
+  it('injects useCookie import when useCookie is used', () => {
+    const code = "component('page-profile', () => { const session = useCookie('session'); return html`<div></div>` })"
+    const result = autoImportTransform(code, '/project/app/pages/profile.ts', opts)!
+    expect(result).toContain(`from ${FRAMEWORK_PKG}`)
+    expect(result).toContain('useCookie')
+  })
+
+  it('injects useSeoMeta and useCookie alongside other framework composables in a single import', () => {
+    const code = "component('page-shop', () => { useSeoMeta({ title: 'Shop' }); const cart = useCookie('cart'); return html`<div></div>` })"
+    const result = autoImportTransform(code, '/project/app/pages/shop.ts', opts)!
+    expect(result).toContain('useSeoMeta')
+    expect(result).toContain('useCookie')
+    const count = result.split(`from ${FRAMEWORK_PKG}`).length - 1
+    expect(count).toBe(1)
+  })
 })
 
 // ─── Composable import injection ─────────────────────────────────────────────

package/src/__tests__/plugin/virtual/middleware.test.ts

@@ -65,4 +65,19 @@ describe('generateMiddlewareCode', () => {
     expect(code).toContain('export const middleware')
     expect(code).toContain('export default middleware')
   })
+
+  it('prefixes identifier with underscore when filename starts with a digit', async () => {
+    vi.mocked(scanDirectory).mockResolvedValue([`${MIDDLEWARE}/2fa.ts`])
+    const code = await generateMiddlewareCode(MIDDLEWARE)
+    // Leading digit is not valid in a JS identifier — must be prefixed
+    expect(code).toContain('_m__2fa')
+    expect(code).toContain('"2fa"')
+  })
+
+  it('strips .js extension as well as .ts', async () => {
+    vi.mocked(scanDirectory).mockResolvedValue([`${MIDDLEWARE}/auth.js`])
+    const code = await generateMiddlewareCode(MIDDLEWARE)
+    expect(code).toContain('_m_auth')
+    expect(code).toContain('"auth": _m_auth')
+  })
 })

package/src/__tests__/plugin/virtual/routes.test.ts

@@ -129,6 +129,38 @@ describe('generateRoutesCode', () => {
     const code = await generateRoutesCode(PAGES)
     expect(code).not.toContain('beforeEnter')
   })
+
+  it('uses return-value API (await handler) not callback-style (new Promise)', async () => {
+    vi.mocked(scanDirectory).mockResolvedValue([`${PAGES}/dashboard.ts`])
+    vi.mocked(readFile).mockResolvedValue(
+      `component('page-dashboard', () => html\`<div/>\`)\nexport const meta = { middleware: ['auth'] }` as never,
+    )
+    const code = await generateRoutesCode(PAGES)
+    expect(code).toContain('await handler(to, from)')
+    expect(code).not.toContain('new Promise')
+  })
+
+  it('wraps handler call in try-catch (blocks navigation on error)', async () => {
+    vi.mocked(scanDirectory).mockResolvedValue([`${PAGES}/dashboard.ts`])
+    vi.mocked(readFile).mockResolvedValue(
+      `component('page-dashboard', () => html\`<div/>\`)\nexport const meta = { middleware: ['auth'] }` as never,
+    )
+    const code = await generateRoutesCode(PAGES)
+    expect(code).toContain('try {')
+    expect(code).toContain('} catch (err) {')
+    expect(code).toContain('return false')
+  })
+
+  it('logs the middleware name in the error message', async () => {
+    vi.mocked(scanDirectory).mockResolvedValue([`${PAGES}/dashboard.ts`])
+    vi.mocked(readFile).mockResolvedValue(
+      `component('page-dashboard', () => html\`<div/>\`)\nexport const meta = { middleware: ['auth'] }` as never,
+    )
+    const code = await generateRoutesCode(PAGES)
+    expect(code).toContain('console.error')
+    expect(code).toContain('Middleware')
+    expect(code).toContain('err)')
+  })
 })
 
 // ─── meta.layout ─────────────────────────────────────────────────────────────

package/src/__tests__/runtime/define-middleware.test.ts

@@ -0,0 +1,43 @@
+import { describe, it, expect } from 'vitest'
+import { defineMiddleware } from '../../runtime/composables/define-middleware.js'
+import type { MiddlewareFn } from '../../types/middleware.js'
+
+describe('defineMiddleware', () => {
+  it('returns the function passed to it unchanged', () => {
+    const fn: MiddlewareFn = async () => true
+    expect(defineMiddleware(fn)).toBe(fn)
+  })
+
+  it('the returned function returns true to allow navigation', async () => {
+    const mw = defineMiddleware(async () => true)
+    const result = await mw({} as never, null)
+    expect(result).toBe(true)
+  })
+
+  it('the returned function returns false to block navigation', async () => {
+    const mw = defineMiddleware(async () => false)
+    const result = await mw({} as never, null)
+    expect(result).toBe(false)
+  })
+
+  it('the returned function returns a string to redirect', async () => {
+    const mw = defineMiddleware(async () => '/login')
+    const result = await mw({} as never, null)
+    expect(result).toBe('/login')
+  })
+
+  it('the returned function receives to and from route states', async () => {
+    let capturedTo: unknown
+    let capturedFrom: unknown
+    const mw = defineMiddleware((to, from) => {
+      capturedTo = to
+      capturedFrom = from
+      return true
+    })
+    const to = { path: '/dashboard', params: {}, query: {} }
+    const from = { path: '/login', params: {}, query: {} }
+    await mw(to as never, from as never)
+    expect(capturedTo).toBe(to)
+    expect(capturedFrom).toBe(from)
+  })
+})