@jk2908/solas 0.3.8 → 0.4.0

package/dist/internal/public-files.js

@@ -0,0 +1,63 @@
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import { Solas } from '../solas.js';
+/**
+ * Collect the root request paths for files that originate in Vite's public dir.
+ * Vite copies these files into the built client output unchanged. Solas stores
+ * the request paths here so runtime serving can whitelist them
+ *
+ * @example
+ * ```ts
+ * // public/robots.txt
+ * // becomes '/robots.txt'
+ * ```
+ *
+ * @example
+ * ```ts
+ * // public/images/logo 1.png
+ * // becomes '/images/logo%201.png'
+ * ```
+ */
+export async function collect(root) {
+    if (!root)
+        return [];
+    // normalise the configured public dir before we start walking it
+    const publicRoot = path.resolve(root);
+    try {
+        const stat = await fs.stat(publicRoot);
+        if (!stat.isDirectory())
+            return [];
+    }
+    catch {
+        return [];
+    }
+    const files = [];
+    async function walk(dir, parts = []) {
+        const entries = await fs.readdir(dir, { withFileTypes: true });
+        for (const entry of entries) {
+            // top-level /public/_solas would collide with framework assets served
+            // from /_solas, so keep that namespace reserved
+            if (parts.length === 0 &&
+                entry.isDirectory() &&
+                entry.name === Solas.Config.ASSETS_DIR) {
+                continue;
+            }
+            const nextParts = [...parts, entry.name];
+            const nextPath = path.join(dir, entry.name);
+            if (entry.isDirectory()) {
+                await walk(nextPath, nextParts);
+                continue;
+            }
+            if (!entry.isFile())
+                continue;
+            // store the external request path, not the filesystem path
+            // eg public/favicon.ico -> /favicon.ico
+            // eg public/images/logo 1.png -> /images/logo%201.png
+            // encode each segment so manifest lookups match routed URLs
+            files.push(`/${nextParts.map(part => encodeURIComponent(part)).join('/')}`);
+        }
+    }
+    await walk(publicRoot);
+    // keep manifest output stable regardless of directory iteration order
+    return files.sort();
+}

package/dist/internal/resolver.d.ts

@@ -68,8 +68,6 @@ export declare class Resolver {
      * Reconcile a HttpRouter match against a manifest entry
      */
     reconcile(path: string, match: HttpRouter.Match | null, error?: Error): {
-        params: HttpRouter.Params;
-        error: Error | undefined;
         __id: string;
         __path: string;
         __params: string[];
@@ -89,9 +87,9 @@ export declare class Resolver {
         prerender: "full" | "ppr" | false;
         dynamic: boolean;
         wildcard: boolean;
+        params: HttpRouter.Params;
+        error: Error | undefined;
     } | {
-        params: {};
-        error: HttpException;
         __id: string;
         __path: string;
         __params: string[];
@@ -111,11 +109,32 @@ export declare class Resolver {
         prerender: "full" | "ppr" | false;
         dynamic: boolean;
         wildcard: boolean;
+        params: {};
+        error: HttpException;
     } | null;
     /**
      * Enhance a matched route with its associated components
      */
     enhance(match: Resolver.ReconciledMatch | null): {
+        __id: string;
+        __path: string;
+        __params: string[];
+        __kind: "$P";
+        __depth: number;
+        method: "get";
+        paths: {
+            layouts: (string | null)[];
+            '401s': (string | null)[];
+            '403s': (string | null)[];
+            '404s': (string | null)[];
+            '500s': (string | null)[];
+            loaders: (string | null)[];
+            middlewares: (string | null)[];
+            page?: string | null | undefined;
+        };
+        prerender: "full" | "ppr" | false;
+        dynamic: boolean;
+        wildcard: boolean;
         ui: {
             layouts: (View<{
                 children?: import("react").ReactNode;
@@ -155,25 +174,6 @@ export declare class Resolver {
         metadata?: ((input: Metadata.Input<HttpRouter.Params, Error>) => Metadata.Task[]) | undefined;
         params: HttpRouter.Params | {};
         error: Error | HttpException | undefined;
-        __id: string;
-        __path: string;
-        __params: string[];
-        __kind: "$P";
-        __depth: number;
-        method: "get";
-        paths: {
-            layouts: (string | null)[];
-            '401s': (string | null)[];
-            '403s': (string | null)[];
-            '404s': (string | null)[];
-            '500s': (string | null)[];
-            loaders: (string | null)[];
-            middlewares: (string | null)[];
-            page?: string | null | undefined;
-        };
-        prerender: "full" | "ppr" | false;
-        dynamic: boolean;
-        wildcard: boolean;
     } | null;
     /**
      * Find the closest ancestor entry for a given path and property

package/dist/internal/server/actions.d.ts

@@ -1,5 +1,6 @@
 import { ReactFormState } from 'react-dom/client';
 import { SolasRequest } from '../../types.js';
+import { CsrfConfig } from './csrf.js';
 /**
  * Check if a request is an action request and reuse parsed FormData
  * when multipart action detection already had to inspect the body
@@ -16,7 +17,7 @@ export declare function maybeAction(req: Request): Promise<{
  * @returns an object containing either the return value of the action or the form state, depending on the type
  * of action request
  */
-export declare function processActionRequest(req: SolasRequest): Promise<{
+export declare function processActionRequest(req: SolasRequest, csrf?: CsrfConfig): Promise<{
     returnValue: {
         ok: boolean;
         data: unknown;
@@ -24,7 +25,3 @@ export declare function processActionRequest(req: SolasRequest): Promise<{
     formState: ReactFormState | undefined;
     temporaryReferences: unknown;
 }>;
-/**
- * Check whether an action request came from the same origin as the target app
- */
-export declare function isTrustedActionRequest(req: Request): boolean;

package/dist/internal/server/actions.js

@@ -1,6 +1,6 @@
 import { createTemporaryReferenceSet, decodeAction, decodeFormState, decodeReply, loadServerAction, } from '@vitejs/plugin-rsc/rsc';
 import { Solas } from '../../solas.js';
-import { HttpException } from '../navigation/http-exception.js';
+import { enforce } from './csrf.js';
 /**
  * Check if a request is an action request and reuse parsed FormData
  * when multipart action detection already had to inspect the body
@@ -34,14 +34,12 @@ export async function maybeAction(req) {
  * @returns an object containing either the return value of the action or the form state, depending on the type
  * of action request
  */
-export async function processActionRequest(req) {
+export async function processActionRequest(req, csrf = {}) {
     let returnValue;
     let formState;
     let temporaryReferences;
-    // reject cross-site action posts before any body decoding or action loading
-    if (!isTrustedActionRequest(req)) {
-        throw new HttpException(403, 'Cross-site action requests are forbidden');
-    }
+    // enforce CSRF for all action requests
+    enforce(req, csrf);
     const id = req.headers.get('x-rsc-action-id');
     if (id) {
         // x-rsc-action-id header exists when action is
@@ -76,32 +74,3 @@ export async function processActionRequest(req) {
     }
     return { returnValue, formState, temporaryReferences };
 }
-/**
- * Reduce Origin and Referer headers to a comparable origin string
- */
-function toOrigin(value) {
-    if (!value)
-        return null;
-    try {
-        return new URL(value).origin;
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Check whether an action request came from the same origin as the target app
- */
-export function isTrustedActionRequest(req) {
-    const requestOrigin = toOrigin(req.url);
-    if (!requestOrigin)
-        return false;
-    const origin = toOrigin(req.headers.get('origin'));
-    if (origin)
-        return origin === requestOrigin;
-    // some user agents omit Origin on same-origin form posts, so fall back to Referer
-    const referer = toOrigin(req.headers.get('referer'));
-    if (referer)
-        return referer === requestOrigin;
-    return false;
-}

package/dist/internal/server/csrf.d.ts

@@ -0,0 +1,14 @@
+import type { PluginConfig } from '../../types.js';
+export type CsrfConfig = Pick<PluginConfig, 'trustedOrigins' | 'url'>;
+/**
+ * Enforce the CSRF policy for one request
+ */
+export declare function enforce(req: Request, config?: CsrfConfig): void;
+/**
+ * Get the first value from a forwarded-style header chain
+ */
+export declare function takeFirst(value: string | null | undefined): string | null;
+/**
+ * Build an origin from host-style headers when there is no full origin value
+ */
+export declare function toHostOrigin(host: string | null | undefined, protocol: string | null | undefined): string | null;

package/dist/internal/server/csrf.js

@@ -0,0 +1,98 @@
+import { HttpException } from '../navigation/http-exception.js';
+const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+const TRUSTED_FETCH_SITES = new Set(['same-origin', 'none']);
+/**
+ * Reduce an origin-like value to just its origin for comparison
+ */
+function toOrigin(value) {
+    if (!value)
+        return null;
+    try {
+        // csrf only cares which origin sent the request, not its path or query
+        return new URL(value).origin;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Enforce the CSRF policy for one request
+ */
+export function enforce(req, config = {}) {
+    // only unsafe methods can mutate state, so safe methods bypass the guard
+    if (!UNSAFE_METHODS.has(req.method.toUpperCase()))
+        return;
+    // first trust the browser's own source headers when they are present
+    const sourceOrigin = toOrigin(req.headers.get('origin')) ?? toOrigin(req.headers.get('referer'));
+    if (sourceOrigin) {
+        const origins = new Set();
+        const forwardedProtocol = takeFirst(req.headers.get('x-forwarded-proto'));
+        let protocol;
+        if (forwardedProtocol === 'http' || forwardedProtocol === 'https') {
+            protocol = forwardedProtocol;
+        }
+        else {
+            try {
+                // otherwise fall back to the protocol on the request url we received
+                protocol = new URL(req.url).protocol.replace(/:$/, '');
+            }
+            catch {
+                protocol = null;
+            }
+        }
+        // allow the current request origin and any configured public origin
+        const requestOrigin = toOrigin(req.url);
+        if (requestOrigin)
+            origins.add(requestOrigin);
+        const configuredOrigin = toOrigin(config.url ?? null);
+        if (configuredOrigin)
+            origins.add(configuredOrigin);
+        // also allow host-based origins so proxied deployments still match the public site
+        const forwardedHostOrigin = toHostOrigin(takeFirst(req.headers.get('x-forwarded-host')), protocol);
+        if (forwardedHostOrigin)
+            origins.add(forwardedHostOrigin);
+        const hostOrigin = toHostOrigin(takeFirst(req.headers.get('host')), protocol);
+        if (hostOrigin)
+            origins.add(hostOrigin);
+        // add any cross-origin browser sites the config explicitly trusts
+        for (const value of config.trustedOrigins ?? []) {
+            const origin = toOrigin(value);
+            if (origin)
+                origins.add(origin);
+        }
+        if (origins.has(sourceOrigin))
+            return;
+    }
+    // if origin and referer are missing, fall back to fetch metadata
+    const fetchSite = req.headers.get('sec-fetch-site')?.toLowerCase();
+    if (fetchSite && TRUSTED_FETCH_SITES.has(fetchSite))
+        return;
+    // if the browser sent no source hints at all, treat it like a non-browser client
+    if (!sourceOrigin && !fetchSite)
+        return;
+    throw new HttpException(403, 'Cross-site unsafe requests are forbidden');
+}
+/**
+ * Get the first value from a forwarded-style header chain
+ */
+export function takeFirst(value) {
+    if (!value)
+        return null;
+    // use the client-facing value, not a later proxy hop
+    const first = value.split(',')[0]?.trim();
+    return first || null;
+}
+/**
+ * Build an origin from host-style headers when there is no full origin value
+ */
+export function toHostOrigin(host, protocol) {
+    if (!host || !protocol)
+        return null;
+    try {
+        // this lets host and forwarded-host compare against trusted origins too
+        return new URL(`${protocol}://${host}`).origin;
+    }
+    catch {
+        return null;
+    }
+}

package/dist/router.d.ts

@@ -1,3 +1,4 @@
 export { Link } from './internal/browser-router/link.js';
+export { withBase } from './internal/browser-router/shared.js';
 export { useRouter } from './internal/browser-router/use-router.js';
 export { useSearchParams } from './internal/browser-router/use-search-params.js';

package/dist/router.js

@@ -1,3 +1,4 @@
 export { Link } from './internal/browser-router/link.js';
+export { withBase } from './internal/browser-router/shared.js';
 export { useRouter } from './internal/browser-router/use-router.js';
 export { useSearchParams } from './internal/browser-router/use-search-params.js';

package/dist/solas.d.ts

@@ -1,3 +1,4 @@
+import type { Prerender } from './internal/prerender.js';
 import type { PluginConfig } from './types.js';
 export declare namespace Solas {
     interface Routes {
@@ -12,12 +13,14 @@ export declare namespace Solas {
         const ENTRY_RSC = "entry.rsc.tsx";
         const ENTRY_SSR = "entry.ssr.tsx";
         const ENTRY_BROWSER = "entry.browser.tsx";
-        const ASSETS_DIR = "assets";
+        const ASSETS_DIR: string;
+        const PUBLIC_DIR = "public";
         const $: unique symbol;
         const REQUEST_META_KEY: string;
         const LOG_LEVELS: readonly ["debug", "info", "warn", "error", "fatal"];
         const PRERENDER_MODES: readonly ["full", "ppr", false];
         const TRAILING_SLASH_MODES: readonly ["always", "never", "ignore"];
+        const RUNTIME_MANIFEST = "runtime-manifest.json";
         /**
          * Validate the plugin configuration object, throwing an error if invalid
          * @param input - the unvalidated configuration object
@@ -26,6 +29,14 @@ export declare namespace Solas {
         function validate(input: unknown): PluginConfig;
     }
     function getVersion(): string;
+    namespace Runtime {
+        type Manifest = {
+            artifacts: Prerender.Artifact.Manifest;
+            publicFiles: ReadonlySet<string>;
+        };
+        function getManifestPath(outDir: string): string;
+        function loadManifest(outDir: string): Promise<Manifest | null>;
+    }
     namespace Events {
         const names: {
             readonly NAVIGATION: `${string}navigation`;

package/dist/solas.js

@@ -12,12 +12,14 @@ var Solas;
         Config.ENTRY_RSC = 'entry.rsc.tsx';
         Config.ENTRY_SSR = 'entry.ssr.tsx';
         Config.ENTRY_BROWSER = 'entry.browser.tsx';
-        Config.ASSETS_DIR = 'assets';
+        Config.ASSETS_DIR = `_${Config.SLUG}`;
+        Config.PUBLIC_DIR = 'public';
         Config.$ = Symbol(Config.SLUG);
         Config.REQUEST_META_KEY = `__${Config.SLUG.toUpperCase()}__`;
         Config.LOG_LEVELS = ['debug', 'info', 'warn', 'error', 'fatal'];
         Config.PRERENDER_MODES = ['full', 'ppr', false];
         Config.TRAILING_SLASH_MODES = ['always', 'never', 'ignore'];
+        Config.RUNTIME_MANIFEST = 'runtime-manifest.json';
         const CONFIG_KEYS = new Set([
             'port',
             'logger',
@@ -25,6 +27,7 @@ var Solas;
             'precompress',
             'prerender',
             'sitemap',
+            'trustedOrigins',
             'trailingSlash',
             'url',
         ]);
@@ -67,6 +70,33 @@ var Solas;
                     errors.push('config.precompress must be a boolean');
                 }
             }
+            if ('trustedOrigins' in input && input.trustedOrigins !== undefined) {
+                if (!Array.isArray(input.trustedOrigins)) {
+                    errors.push('config.trustedOrigins must be an array of origins');
+                }
+                else {
+                    for (const [index, value] of input.trustedOrigins.entries()) {
+                        if (typeof value !== 'string') {
+                            errors.push(`config.trustedOrigins[${index}] must be a string`);
+                            continue;
+                        }
+                        try {
+                            const url = new URL(value);
+                            const canonical = value.replace(/\/$/, '');
+                            if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+                                errors.push(`config.trustedOrigins[${index}] must use http:// or https://`);
+                                continue;
+                            }
+                            if (canonical !== url.origin) {
+                                errors.push(`config.trustedOrigins[${index}] must be an origin without a path, query, or hash`);
+                            }
+                        }
+                        catch {
+                            errors.push(`config.trustedOrigins[${index}] must be a valid URL origin`);
+                        }
+                    }
+                }
+            }
             if ('sitemap' in input && input.sitemap !== undefined && input.sitemap !== false) {
                 if (typeof input.sitemap !== 'boolean' && typeof input.sitemap !== 'object') {
                     errors.push('config.sitemap must be a boolean or an object with a routes function');
@@ -129,6 +159,91 @@ var Solas;
         return value;
     }
     Solas.getVersion = getVersion;
+    let Runtime;
+    (function (Runtime) {
+        const manifestCache = new Map();
+        function getManifestPath(outDir) {
+            return [outDir, Config.GENERATED_DIR, Config.RUNTIME_MANIFEST]
+                .map((part, index) => {
+                const normalised = part.replace(/\\/g, '/').replace(/\/+/g, '/');
+                if (index === 0)
+                    return normalised.replace(/\/+$/, '');
+                return normalised.replace(/^\/+/, '').replace(/\/+$/, '');
+            })
+                .join('/');
+        }
+        Runtime.getManifestPath = getManifestPath;
+        async function loadManifest(outDir) {
+            if (manifestCache.has(outDir)) {
+                return manifestCache.get(outDir) ?? null;
+            }
+            const file = Bun.file(getManifestPath(outDir));
+            if (!(await file.exists())) {
+                manifestCache.set(outDir, null);
+                return null;
+            }
+            try {
+                const value = JSON.parse(await file.text());
+                if (!isRecord(value)) {
+                    manifestCache.set(outDir, null);
+                    return null;
+                }
+                const artifacts = value.artifacts ?? value.routes;
+                const publicFiles = value.publicFiles;
+                if (!isRecord(artifacts)) {
+                    manifestCache.set(outDir, null);
+                    return null;
+                }
+                if (publicFiles !== undefined && !Array.isArray(publicFiles)) {
+                    manifestCache.set(outDir, null);
+                    return null;
+                }
+                for (const entry of Object.values(artifacts)) {
+                    if (!isRecord(entry)) {
+                        manifestCache.set(outDir, null);
+                        return null;
+                    }
+                    const { mode, files } = entry;
+                    if (mode !== 'full' && mode !== 'ppr') {
+                        manifestCache.set(outDir, null);
+                        return null;
+                    }
+                    if (files !== undefined) {
+                        if (!Array.isArray(files)) {
+                            manifestCache.set(outDir, null);
+                            return null;
+                        }
+                        for (const file of files) {
+                            if (file !== 'html' &&
+                                file !== 'prelude' &&
+                                file !== 'postponed' &&
+                                file !== 'metadata') {
+                                manifestCache.set(outDir, null);
+                                return null;
+                            }
+                        }
+                    }
+                }
+                for (const entry of publicFiles ?? []) {
+                    if (typeof entry !== 'string' || !entry.startsWith('/')) {
+                        manifestCache.set(outDir, null);
+                        return null;
+                    }
+                }
+                const manifest = {
+                    artifacts: artifacts,
+                    publicFiles: new Set(publicFiles ?? []),
+                };
+                manifestCache.set(outDir, manifest);
+                return manifest;
+            }
+            catch {
+                manifestCache.set(outDir, null);
+                return null;
+            }
+        }
+        Runtime.loadManifest = loadManifest;
+    })(Runtime = Solas.Runtime || (Solas.Runtime = {}));
     let Events;
     (function (Events) {
         Events.names = {

package/dist/types.d.ts

@@ -2,35 +2,38 @@ type BunRequest = Request & {
     params?: Record<string, string | string[]>;
 };
 import { ExportReader } from './utils/export-reader.js';
+import type { BrowserRouter } from './internal/browser-router/shared.js';
 import type { Build } from './internal/build.js';
 import type { HttpRouter } from './internal/http-router/router.js';
 import type { Metadata } from './internal/metadata.js';
 import type { HttpException } from './internal/navigation/http-exception.js';
-import { BrowserRouter } from './internal/browser-router/router.js';
 import { Solas } from './solas.js';
 export type LogLevel = (typeof Solas.Config.LOG_LEVELS)[number];
+type Origin = `http://${string}` | `https://${string}`;
 type PluginConfigBase = {
     port?: number;
     precompress?: boolean;
     prerender?: Route.Prerender;
     metadata?: Metadata.Item;
     trailingSlash?: (typeof Solas.Config.TRAILING_SLASH_MODES)[number];
+    trustedOrigins?: readonly Origin[];
     readonly logger?: {
         level?: LogLevel;
     };
 };
 export type PluginConfig = PluginConfigBase & ({
-    url: `http://${string}` | `https://${string}`;
+    url: Origin;
     sitemap: true | {
         routes: (existing: string[]) => string[] | Promise<string[]>;
     };
 } | {
-    url?: `http://${string}` | `https://${string}`;
+    url?: Origin;
     sitemap?: false;
 });
 export type RuntimeConfig = PluginConfig & {
     precompress: NonNullable<PluginConfig['precompress']>;
     trailingSlash: NonNullable<PluginConfig['trailingSlash']>;
+    trustedOrigins: NonNullable<PluginConfig['trustedOrigins']>;
 };
 export type BuildContext = {
     prerenderRoutes: Set<string>;
@@ -99,6 +102,8 @@ export type HttpMethod = 'GET' | 'HEAD' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' |
 export type Primitive = string | number | boolean | bigint | symbol | null | undefined;
 export type LooseNumber<T extends number> = T | (number & {});
 export type BuildManifest = {
+    base: string;
+    publicFiles: string[];
     prerenderRoutes: string[];
     sitemapRoutes: string[];
     precompress: boolean;

package/dist/utils/base-path.d.ts

@@ -0,0 +1,14 @@
+export declare namespace BasePath {
+    /**
+     * Normalise a base path so every check uses the same shape
+     */
+    function normalise(value: string | null | undefined): string;
+    /**
+     * Strip the base path from a request path
+     */
+    function strip(pathname: string, base: string | null | undefined): string | null;
+    /**
+     * Add the base path to a path when needed
+     */
+    function apply(pathname: string, base: string | null | undefined): string;
+}