@jk2908/solas 0.3.8 → 0.4.1

package/dist/internal/prerender.js

@@ -1,18 +1,16 @@
 import path from 'node:path';
 import { compile } from 'path-to-regexp';
+import { BasePath } from '../utils/base-path.js';
 import { Logger } from '../utils/logger.js';
-import { Time } from '../utils/time.js';
 import { Solas } from '../solas.js';
 import { toPathPattern } from './http-router/utils.js';
 const logger = new Logger();
 export { Prerender };
 var Prerender;
 (function (Prerender) {
-    const DEFAULT_TIMEOUT_MS = 15_000;
     const DEFAULT_CONCURRENCY = 4;
     let Artifact;
     (function (Artifact) {
-        const manifestCache = new Map();
         /**
          * Check whether a file name is safe to join under an artifact directory
          */
@@ -30,14 +28,6 @@ var Prerender;
             return path.join(outDir, Solas.Config.GENERATED_DIR, 'ppr');
         }
         Artifact.getRootPath = getRootPath;
-        /**
-         * Get the file system path for the prerender artifact manifest, which
-         * contains metadata about all prerendered routes and their artifacts
-         */
-        function getManifestPath(outDir) {
-            return path.join(getRootPath(outDir), 'manifest.json');
-        }
-        Artifact.getManifestPath = getManifestPath;
         /**
          * Get the file system path for storing prerender artifacts for a given route
          */
@@ -66,73 +56,6 @@ var Prerender;
          * File name used for saved full-prerender html inside each route artifact directory
          */
         Artifact.FULL_PRERENDER_FILENAME = 'prerendered.html';
-        /**
-         * Load the prerender artifact manifest for faster runtime route mode checks
-         */
-        async function loadManifest(outDir) {
-            // if we already loaded this outDir, return cached result
-            // (either a valid manifest or null when it was missing/invalid)
-            if (manifestCache.has(outDir)) {
-                return manifestCache.get(outDir) ?? null;
-            }
-            const file = Bun.file(getManifestPath(outDir));
-            // no manifest means no prerender metadata to use
-            if (!(await file.exists())) {
-                manifestCache.set(outDir, null);
-                return null;
-            }
-            try {
-                // parse once, then validate the shape before trusting any fields
-                const value = JSON.parse(await file.text());
-                if (!value || typeof value !== 'object') {
-                    manifestCache.set(outDir, null);
-                    return null;
-                }
-                const routes = value.routes;
-                if (!routes || typeof routes !== 'object') {
-                    manifestCache.set(outDir, null);
-                    return null;
-                }
-                // verify each route entry so runtime can rely on mode/files safely
-                for (const entry of Object.values(routes)) {
-                    if (!entry || typeof entry !== 'object') {
-                        manifestCache.set(outDir, null);
-                        return null;
-                    }
-                    const { mode, files } = entry;
-                    // only allow known modes
-                    if (mode !== 'full' && mode !== 'ppr') {
-                        manifestCache.set(outDir, null);
-                        return null;
-                    }
-                    if (files !== undefined) {
-                        if (!Array.isArray(files)) {
-                            manifestCache.set(outDir, null);
-                            return null;
-                        }
-                        // only allow known artifact file labels
-                        for (const f of files) {
-                            if (f !== 'html' &&
-                                f !== 'prelude' &&
-                                f !== 'postponed' &&
-                                f !== 'metadata') {
-                                manifestCache.set(outDir, null);
-                                return null;
-                            }
-                        }
-                    }
-                }
-                const manifest = routes;
-                // cache validated manifest to avoid reparsing on every request
-                manifestCache.set(outDir, manifest);
-                return manifest;
-            }
-            catch {
-                manifestCache.set(outDir, null);
-                return null;
-            }
-        }
-        Artifact.loadManifest = loadManifest;
         /**
          * Load the postponed state for a given route from the file system, if it exists
          */
@@ -319,18 +242,6 @@ var Prerender;
     })(Runtime = Prerender.Runtime || (Prerender.Runtime = {}));
     let Build;
     (function (Build) {
-        /**
-         * Get the prerender timeout value from the environment variable, or return the default
-         * if it's not set or invalid
-         */
-        function getTimeout() {
-            const v = Number(process.env.SOLAS_PRERENDER_TIMEOUT_MS);
-            if (!Number.isFinite(v) || v <= 0) {
-                return DEFAULT_TIMEOUT_MS;
-            }
-            return v;
-        }
-        Build.getTimeout = getTimeout;
         /**
          * Get the prerender concurrency value from the environment variable, or return the default
          * if it's not set or invalid
@@ -359,7 +270,7 @@ var Prerender;
             const params = await buildContext.exportReader.value(filePath, 'params', (v) => typeof v === 'function');
             if (!params)
                 return [];
-            const resolved = await Time.timeout(Promise.try(() => params()), getTimeout(), `static params for ${filePath}`);
+            const resolved = await Promise.try(() => params());
             if (!Array.isArray(resolved))
                 return [];
             return resolved;
@@ -402,14 +313,14 @@ var Prerender;
          * postponed to request-time
          */
         async function get(app, route, opts) {
-            const url = `${opts.origin ?? `http://${Solas.Config.SLUG}.local`}${route}`;
-            const res = await Time.timeout(app.fetch(new Request(url, {
+            const url = `${opts.origin ?? `http://${Solas.Config.SLUG}.local`}${BasePath.apply(route, opts.base)}`;
+            const res = await app.fetch(new Request(url, {
                 headers: {
                     Accept: 'text/html',
                     [`x-${Solas.Config.SLUG}-prerender`]: '1',
                     [`x-${Solas.Config.SLUG}-prerender-artifact`]: '1',
                 },
-            })), opts.timeout, `route ${route}`);
+            }));
             if (!(res instanceof Response)) {
                 const error = new TypeError(`Invalid response for ${route}`);
                 logger.error(`[prerender:get] ${error.message}`, error);
@@ -421,9 +332,8 @@ var Prerender;
         }
         Build.get = get;
         /**
-         * Run the prerendering process for a list of routes, with a specified concurrency limit and timeout for
-         * each route, by calling the 'get' function for each route and yielding the results as they
-         * become available
+         * Run the prerendering process for a list of routes with a specified concurrency limit,
+         * by calling the 'get' function for each route and yielding the results as they become available
          */
         async function* run(app, routes, opts) {
             const limit = Math.max(1, Math.min(opts.concurrency ?? 4, routes.length || 1));
@@ -434,7 +344,7 @@ var Prerender;
                     const i = index++;
                     const value = routes[i];
                     pending.set(i, get(app, value, {
-                        timeout: opts.timeout,
+                        base: opts.base,
                         origin: opts.origin,
                     })
                         .then(result => ({ index: i, result }))

package/dist/internal/public-files.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Collect the root request paths for files that originate in Vite's public dir.
+ * Vite copies these files into the built client output unchanged. Solas stores
+ * the request paths here so runtime serving can whitelist them
+ *
+ * @example
+ * ```ts
+ * // public/robots.txt
+ * // becomes '/robots.txt'
+ * ```
+ *
+ * @example
+ * ```ts
+ * // public/images/logo 1.png
+ * // becomes '/images/logo%201.png'
+ * ```
+ */
+export declare function collect(root: string | false | null | undefined): Promise<string[]>;

package/dist/internal/public-files.js

@@ -0,0 +1,63 @@
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import { Solas } from '../solas.js';
+/**
+ * Collect the root request paths for files that originate in Vite's public dir.
+ * Vite copies these files into the built client output unchanged. Solas stores
+ * the request paths here so runtime serving can whitelist them
+ *
+ * @example
+ * ```ts
+ * // public/robots.txt
+ * // becomes '/robots.txt'
+ * ```
+ *
+ * @example
+ * ```ts
+ * // public/images/logo 1.png
+ * // becomes '/images/logo%201.png'
+ * ```
+ */
+export async function collect(root) {
+    if (!root)
+        return [];
+    // normalise the configured public dir before we start walking it
+    const publicRoot = path.resolve(root);
+    try {
+        const stat = await fs.stat(publicRoot);
+        if (!stat.isDirectory())
+            return [];
+    }
+    catch {
+        return [];
+    }
+    const files = [];
+    async function walk(dir, parts = []) {
+        const entries = await fs.readdir(dir, { withFileTypes: true });
+        for (const entry of entries) {
+            // top-level /public/_solas would collide with framework assets served
+            // from /_solas, so keep that namespace reserved
+            if (parts.length === 0 &&
+                entry.isDirectory() &&
+                entry.name === Solas.Config.ASSETS_DIR) {
+                continue;
+            }
+            const nextParts = [...parts, entry.name];
+            const nextPath = path.join(dir, entry.name);
+            if (entry.isDirectory()) {
+                await walk(nextPath, nextParts);
+                continue;
+            }
+            if (!entry.isFile())
+                continue;
+            // store the external request path, not the filesystem path
+            // eg public/favicon.ico -> /favicon.ico
+            // eg public/images/logo 1.png -> /images/logo%201.png
+            // encode each segment so manifest lookups match routed URLs
+            files.push(`/${nextParts.map(part => encodeURIComponent(part)).join('/')}`);
+        }
+    }
+    await walk(publicRoot);
+    // keep manifest output stable regardless of directory iteration order
+    return files.sort();
+}

package/dist/internal/resolver.d.ts

@@ -68,8 +68,6 @@ export declare class Resolver {
      * Reconcile a HttpRouter match against a manifest entry
      */
     reconcile(path: string, match: HttpRouter.Match | null, error?: Error): {
-        params: HttpRouter.Params;
-        error: Error | undefined;
         __id: string;
         __path: string;
         __params: string[];
@@ -89,9 +87,9 @@ export declare class Resolver {
         prerender: "full" | "ppr" | false;
         dynamic: boolean;
         wildcard: boolean;
+        params: HttpRouter.Params;
+        error: Error | undefined;
     } | {
-        params: {};
-        error: HttpException;
         __id: string;
         __path: string;
         __params: string[];
@@ -111,11 +109,32 @@ export declare class Resolver {
         prerender: "full" | "ppr" | false;
         dynamic: boolean;
         wildcard: boolean;
+        params: {};
+        error: HttpException;
     } | null;
     /**
      * Enhance a matched route with its associated components
      */
     enhance(match: Resolver.ReconciledMatch | null): {
+        __id: string;
+        __path: string;
+        __params: string[];
+        __kind: "$P";
+        __depth: number;
+        method: "get";
+        paths: {
+            layouts: (string | null)[];
+            '401s': (string | null)[];
+            '403s': (string | null)[];
+            '404s': (string | null)[];
+            '500s': (string | null)[];
+            loaders: (string | null)[];
+            middlewares: (string | null)[];
+            page?: string | null | undefined;
+        };
+        prerender: "full" | "ppr" | false;
+        dynamic: boolean;
+        wildcard: boolean;
         ui: {
             layouts: (View<{
                 children?: import("react").ReactNode;
@@ -155,25 +174,6 @@ export declare class Resolver {
         metadata?: ((input: Metadata.Input<HttpRouter.Params, Error>) => Metadata.Task[]) | undefined;
         params: HttpRouter.Params | {};
         error: Error | HttpException | undefined;
-        __id: string;
-        __path: string;
-        __params: string[];
-        __kind: "$P";
-        __depth: number;
-        method: "get";
-        paths: {
-            layouts: (string | null)[];
-            '401s': (string | null)[];
-            '403s': (string | null)[];
-            '404s': (string | null)[];
-            '500s': (string | null)[];
-            loaders: (string | null)[];
-            middlewares: (string | null)[];
-            page?: string | null | undefined;
-        };
-        prerender: "full" | "ppr" | false;
-        dynamic: boolean;
-        wildcard: boolean;
     } | null;
     /**
      * Find the closest ancestor entry for a given path and property

package/dist/internal/server/actions.d.ts

@@ -1,5 +1,6 @@
 import { ReactFormState } from 'react-dom/client';
 import { SolasRequest } from '../../types.js';
+import { CsrfConfig } from './csrf.js';
 /**
  * Check if a request is an action request and reuse parsed FormData
  * when multipart action detection already had to inspect the body
@@ -16,7 +17,7 @@ export declare function maybeAction(req: Request): Promise<{
  * @returns an object containing either the return value of the action or the form state, depending on the type
  * of action request
  */
-export declare function processActionRequest(req: SolasRequest): Promise<{
+export declare function processActionRequest(req: SolasRequest, csrf?: CsrfConfig): Promise<{
     returnValue: {
         ok: boolean;
         data: unknown;
@@ -24,7 +25,3 @@ export declare function processActionRequest(req: SolasRequest): Promise<{
     formState: ReactFormState | undefined;
     temporaryReferences: unknown;
 }>;
-/**
- * Check whether an action request came from the same origin as the target app
- */
-export declare function isTrustedActionRequest(req: Request): boolean;

package/dist/internal/server/actions.js

@@ -1,6 +1,6 @@
 import { createTemporaryReferenceSet, decodeAction, decodeFormState, decodeReply, loadServerAction, } from '@vitejs/plugin-rsc/rsc';
 import { Solas } from '../../solas.js';
-import { HttpException } from '../navigation/http-exception.js';
+import { enforce } from './csrf.js';
 /**
  * Check if a request is an action request and reuse parsed FormData
  * when multipart action detection already had to inspect the body
@@ -34,14 +34,12 @@ export async function maybeAction(req) {
  * @returns an object containing either the return value of the action or the form state, depending on the type
  * of action request
  */
-export async function processActionRequest(req) {
+export async function processActionRequest(req, csrf = {}) {
     let returnValue;
     let formState;
     let temporaryReferences;
-    // reject cross-site action posts before any body decoding or action loading
-    if (!isTrustedActionRequest(req)) {
-        throw new HttpException(403, 'Cross-site action requests are forbidden');
-    }
+    // enforce CSRF for all action requests
+    enforce(req, csrf);
     const id = req.headers.get('x-rsc-action-id');
     if (id) {
         // x-rsc-action-id header exists when action is
@@ -76,32 +74,3 @@ export async function processActionRequest(req) {
     }
     return { returnValue, formState, temporaryReferences };
 }
-/**
- * Reduce Origin and Referer headers to a comparable origin string
- */
-function toOrigin(value) {
-    if (!value)
-        return null;
-    try {
-        return new URL(value).origin;
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Check whether an action request came from the same origin as the target app
- */
-export function isTrustedActionRequest(req) {
-    const requestOrigin = toOrigin(req.url);
-    if (!requestOrigin)
-        return false;
-    const origin = toOrigin(req.headers.get('origin'));
-    if (origin)
-        return origin === requestOrigin;
-    // some user agents omit Origin on same-origin form posts, so fall back to Referer
-    const referer = toOrigin(req.headers.get('referer'));
-    if (referer)
-        return referer === requestOrigin;
-    return false;
-}

package/dist/internal/server/csrf.d.ts

@@ -0,0 +1,14 @@
+import type { PluginConfig } from '../../types.js';
+export type CsrfConfig = Pick<PluginConfig, 'trustedOrigins' | 'url'>;
+/**
+ * Enforce the CSRF policy for one request
+ */
+export declare function enforce(req: Request, config?: CsrfConfig): void;
+/**
+ * Get the first value from a forwarded-style header chain
+ */
+export declare function takeFirst(value: string | null | undefined): string | null;
+/**
+ * Build an origin from host-style headers when there is no full origin value
+ */
+export declare function toHostOrigin(host: string | null | undefined, protocol: string | null | undefined): string | null;

package/dist/internal/server/csrf.js

@@ -0,0 +1,98 @@
+import { HttpException } from '../navigation/http-exception.js';
+const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+const TRUSTED_FETCH_SITES = new Set(['same-origin', 'none']);
+/**
+ * Reduce an origin-like value to just its origin for comparison
+ */
+function toOrigin(value) {
+    if (!value)
+        return null;
+    try {
+        // csrf only cares which origin sent the request, not its path or query
+        return new URL(value).origin;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Enforce the CSRF policy for one request
+ */
+export function enforce(req, config = {}) {
+    // only unsafe methods can mutate state, so safe methods bypass the guard
+    if (!UNSAFE_METHODS.has(req.method.toUpperCase()))
+        return;
+    // first trust the browser's own source headers when they are present
+    const sourceOrigin = toOrigin(req.headers.get('origin')) ?? toOrigin(req.headers.get('referer'));
+    if (sourceOrigin) {
+        const origins = new Set();
+        const forwardedProtocol = takeFirst(req.headers.get('x-forwarded-proto'));
+        let protocol;
+        if (forwardedProtocol === 'http' || forwardedProtocol === 'https') {
+            protocol = forwardedProtocol;
+        }
+        else {
+            try {
+                // otherwise fall back to the protocol on the request url we received
+                protocol = new URL(req.url).protocol.replace(/:$/, '');
+            }
+            catch {
+                protocol = null;
+            }
+        }
+        // allow the current request origin and any configured public origin
+        const requestOrigin = toOrigin(req.url);
+        if (requestOrigin)
+            origins.add(requestOrigin);
+        const configuredOrigin = toOrigin(config.url ?? null);
+        if (configuredOrigin)
+            origins.add(configuredOrigin);
+        // also allow host-based origins so proxied deployments still match the public site
+        const forwardedHostOrigin = toHostOrigin(takeFirst(req.headers.get('x-forwarded-host')), protocol);
+        if (forwardedHostOrigin)
+            origins.add(forwardedHostOrigin);
+        const hostOrigin = toHostOrigin(takeFirst(req.headers.get('host')), protocol);
+        if (hostOrigin)
+            origins.add(hostOrigin);
+        // add any cross-origin browser sites the config explicitly trusts
+        for (const value of config.trustedOrigins ?? []) {
+            const origin = toOrigin(value);
+            if (origin)
+                origins.add(origin);
+        }
+        if (origins.has(sourceOrigin))
+            return;
+    }
+    // if origin and referer are missing, fall back to fetch metadata
+    const fetchSite = req.headers.get('sec-fetch-site')?.toLowerCase();
+    if (fetchSite && TRUSTED_FETCH_SITES.has(fetchSite))
+        return;
+    // if the browser sent no source hints at all, treat it like a non-browser client
+    if (!sourceOrigin && !fetchSite)
+        return;
+    throw new HttpException(403, 'Cross-site unsafe requests are forbidden');
+}
+/**
+ * Get the first value from a forwarded-style header chain
+ */
+export function takeFirst(value) {
+    if (!value)
+        return null;
+    // use the client-facing value, not a later proxy hop
+    const first = value.split(',')[0]?.trim();
+    return first || null;
+}
+/**
+ * Build an origin from host-style headers when there is no full origin value
+ */
+export function toHostOrigin(host, protocol) {
+    if (!host || !protocol)
+        return null;
+    try {
+        // this lets host and forwarded-host compare against trusted origins too
+        return new URL(`${protocol}://${host}`).origin;
+    }
+    catch {
+        return null;
+    }
+}

package/dist/router.d.ts

@@ -1,3 +1,4 @@
 export { Link } from './internal/browser-router/link.js';
+export { withBase } from './internal/browser-router/shared.js';
 export { useRouter } from './internal/browser-router/use-router.js';
 export { useSearchParams } from './internal/browser-router/use-search-params.js';

package/dist/router.js

@@ -1,3 +1,4 @@
 export { Link } from './internal/browser-router/link.js';
+export { withBase } from './internal/browser-router/shared.js';
 export { useRouter } from './internal/browser-router/use-router.js';
 export { useSearchParams } from './internal/browser-router/use-search-params.js';

package/dist/solas.d.ts

@@ -1,3 +1,4 @@
+import type { Prerender } from './internal/prerender.js';
 import type { PluginConfig } from './types.js';
 export declare namespace Solas {
     interface Routes {
@@ -12,12 +13,14 @@ export declare namespace Solas {
         const ENTRY_RSC = "entry.rsc.tsx";
         const ENTRY_SSR = "entry.ssr.tsx";
         const ENTRY_BROWSER = "entry.browser.tsx";
-        const ASSETS_DIR = "assets";
+        const ASSETS_DIR: string;
+        const PUBLIC_DIR = "public";
         const $: unique symbol;
         const REQUEST_META_KEY: string;
         const LOG_LEVELS: readonly ["debug", "info", "warn", "error", "fatal"];
         const PRERENDER_MODES: readonly ["full", "ppr", false];
         const TRAILING_SLASH_MODES: readonly ["always", "never", "ignore"];
+        const RUNTIME_MANIFEST = "runtime-manifest.json";
         /**
          * Validate the plugin configuration object, throwing an error if invalid
          * @param input - the unvalidated configuration object
@@ -26,6 +29,14 @@ export declare namespace Solas {
         function validate(input: unknown): PluginConfig;
     }
     function getVersion(): string;
+    namespace Runtime {
+        type Manifest = {
+            artifacts: Prerender.Artifact.Manifest;
+            publicFiles: ReadonlySet<string>;
+        };
+        function getManifestPath(outDir: string): string;
+        function loadManifest(outDir: string): Promise<Manifest | null>;
+    }
     namespace Events {
         const names: {
             readonly NAVIGATION: `${string}navigation`;