@kaito-http/core 4.0.0-beta.1 → 4.0.0-beta.11

package/dist/cors/cors.cjs

@@ -24,33 +24,101 @@ __export(cors_exports, {
   experimental_createOriginMatcher: () => experimental_createOriginMatcher
 });
 module.exports = __toCommonJS(cors_exports);
-function experimental_createOriginMatcher(origins) {
+function experimental_createOriginMatcher(originIterator) {
+  const origins = Array.from(originIterator);
   if (origins.length === 0) {
     return () => false;
   }
+  const escapedCharsRegex = /[.+?^${}()|[\]\\]/g;
   const source = origins.map((origin) => {
-    if (origin.startsWith("*.")) {
-      const escapedDomain = origin.slice(2).replace(/[.+?^${}()|[\]\\]/g, "\\$&");
-      return `^(?:https?://)[^.]+\\.${escapedDomain}$`;
+    if (origin.includes("://*.")) {
+      const parts = origin.split("://");
+      if (parts.length !== 2) {
+        throw new Error(`Invalid origin pattern: ${origin}. Must include protocol (e.g., https://*.example.com)`);
+      }
+      const [protocol, rest] = parts;
+      const domain = rest.slice(2).replace(escapedCharsRegex, "\\$&");
+      const pattern = `^${protocol.replace(escapedCharsRegex, "\\$&")}:\\/\\/[^.]+\\.${domain}$`;
+      return pattern;
     } else {
-      const escapedOrigin = origin.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
-      return `^${escapedOrigin}$`;
+      const pattern = `^${origin.replace(escapedCharsRegex, "\\$&")}$`;
+      return pattern;
     }
   }).join("|");
   const regex = new RegExp(source);
   return (origin) => regex.test(origin);
 }
-function experimental_createCORSTransform(origins) {
-  const matcher = experimental_createOriginMatcher(origins);
-  return (request, response) => {
-    const origin = request.headers.get("Origin");
-    if (origin && matcher(origin)) {
-      response.headers.set("Access-Control-Allow-Origin", origin);
-      response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
-      response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
-      response.headers.set("Access-Control-Max-Age", "86400");
-      response.headers.set("Access-Control-Allow-Credentials", "true");
-    }
+function experimental_createCORSTransform(originsIterator) {
+  let allowedOrigins = new Set(originsIterator);
+  let matcher = experimental_createOriginMatcher(allowedOrigins);
+  const updateMatcher = () => {
+    matcher = experimental_createOriginMatcher(allowedOrigins);
+  };
+  return {
+    /**
+     * Handle OPTIONS requests in Kaito's `before()` hook
+     *
+     * @param request - The request object
+     * @returns A 204 response
+     */
+    before: (request) => {
+      if (request.method === "OPTIONS") {
+        return new Response(null, { status: 204 });
+      }
+    },
+    /**
+     * Apply CORS headers to the response if origin matches.
+     *
+     * @param request - The request object
+     * @param response - The response object
+     */
+    transform: (request, response) => {
+      const origin = request.headers.get("Origin");
+      if (origin && matcher(origin)) {
+        response.headers.set("Access-Control-Allow-Origin", origin);
+        response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS");
+        response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
+        response.headers.set("Access-Control-Max-Age", "86400");
+        response.headers.set("Access-Control-Allow-Credentials", "true");
+      }
+    },
+    /**
+     * Replace all allowed origins with a new set.
+     *
+     * @param newOrigins - The new set of allowed origins
+     */
+    setOrigins: (newOrigins) => {
+      allowedOrigins = new Set(newOrigins);
+      updateMatcher();
+    },
+    /**
+     * Add one or more origins to the allowed list.
+     *
+     * @param origins - The origins to add
+     */
+    addOrigins: (...origins) => {
+      for (const origin of origins) {
+        allowedOrigins.add(origin);
+      }
+      updateMatcher();
+    },
+    /**
+     * Remove one or more origins from the allowed list.
+     *
+     * @param origins - The origins to remove
+     */
+    removeOrigins: (...origins) => {
+      for (const origin of origins) {
+        allowedOrigins.delete(origin);
+      }
+      updateMatcher();
+    },
+    /**
+     * Clones the current set of allowed origins and returns it
+     *
+     * @returns A set of allowed origins
+     */
+    getOrigins: () => new Set(allowedOrigins)
   };
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/cors/cors.d.cts

@@ -1,55 +1,151 @@
 /**
  * Creates a function that matches origins against a predefined set of patterns, supporting wildcards.
- * The matcher handles both exact matches and wildcard subdomain patterns (e.g., '*.example.com').
+ * The matcher handles both exact matches and wildcard subdomain patterns.
  *
  * **⚠️ This API is experimental and may change or even be removed in the future. ⚠️**
  *
- * @param origins Array of origin patterns to match against.
- * Patterns can be exact origins (e.g., 'https://example.com') or wildcard patterns (e.g., '*.example.com') that match subdomains.
+ * @param originIterator Array of origin patterns to match against.
+ * Each pattern MUST include the protocol (http:// or https://).
+ * Two types of patterns are supported:
+ * 1. Exact matches (e.g., 'https://example.com') - matches only the exact domain with exact protocol
+ * 2. Wildcard subdomain patterns (e.g., 'https://*.example.com') - matches ONLY subdomains with exact protocol
+ *
+ * Important matching rules:
+ * - Protocol is always matched exactly - if you need both HTTP and HTTPS, include both patterns
+ * - Wildcard patterns (e.g., 'https://*.example.com') will ONLY match subdomains, NOT the root domain
+ * - To match both subdomains AND the root domain, include both patterns:
+ *   ['https://*.example.com', 'https://example.com']
+ *
  * @returns A function that tests if an origin matches any of the patterns
  *
  * @example
  * ```typescript
  * const allowedOrigins = [
- *   'https://example.com',
- *   '*.trusted-domain.com' // Won't match https://evil-domain.com, only subdomains
+ *   // Exact matches - protocol required
+ *   'https://example.com',           // matches only https://example.com
+ *   'http://example.com',            // matches only http://example.com
+ *
+ *   // Wildcard subdomain matches - protocol required
+ *   'https://*.example.com',         // matches https://app.example.com, https://api.example.com
+ *                                    // does NOT match https://example.com
+ *
+ *   // To match both HTTP and HTTPS, include both
+ *   'https://*.staging.com',         // matches https://app.staging.com
+ *   'http://*.staging.com',          // matches http://app.staging.com
+ *
+ *   // To match both subdomains and root domain, include both
+ *   'https://*.production.com',      // matches https://app.production.com
+ *   'https://production.com',        // matches https://production.com
  * ];
  *
  * const matcher = createOriginMatcher(allowedOrigins);
  *
- * // Exact match
- * console.log(matcher('https://example.com')); // true
- * console.log(matcher('http://example.com')); // false
+ * // Exact matches
+ * matcher('https://example.com');     // true
+ * matcher('http://example.com');      // true
  *
- * // Wildcard subdomain matches
- * console.log(matcher('https://app.trusted-domain.com')); // true
- * console.log(matcher('https://staging.trusted-domain.com')); // true
- * console.log(matcher('https://trusted-domain.com')); // false, because it's not a subdomain
- * console.log(matcher('https://evil-domain.com')); // false
+ * // Subdomain matches (protocol specific)
+ * matcher('https://app.example.com'); // true
+ * matcher('http://app.example.com');  // false - wrong protocol
+ *
+ * // Root domain with wildcard pattern
+ * matcher('https://example.com');     // false - wildcards don't match root
+ * matcher('https://production.com');  // true - matched by exact pattern
  * ```
  */
-declare function experimental_createOriginMatcher(origins: string[]): (origin: string) => boolean;
+declare function experimental_createOriginMatcher(originIterator: Iterable<string>): (origin: string) => boolean;
 /**
- * Create a function to apply CORS headers with sane defaults for most apps.
+ * Create a CORS handler with sane defaults for most apps.
  *
  * **⚠️ This API is experimental and may change or even be removed in the future. ⚠️**
  *
- * @param options Options object
- * @returns A function that will mutate the Response object by applying the CORS headers
+ * @param originsIterator Array of allowed origin patterns. Each pattern must include protocol (http:// or https://).
+ * Supports both exact matches and wildcard subdomain patterns. See {@link experimental_createOriginMatcher}
+ * for detailed pattern matching rules.
+ *
+ * @returns An object containing:
+ * - `before`: A handler for OPTIONS requests that returns a 204 response
+ * - `transform`: A function that applies CORS headers to the response if origin matches
+ * - `setOrigins`: A function to replace all allowed origins with a new set
+ * - `appendOrigin`: A function to add a new origin to the allowed list
+ * - `removeOrigin`: A function to remove an origin from the allowed list
+ * - `getOrigins`: A function that returns the current list of allowed origins
+ *
  * @example
  * ```ts
- * const cors = createCORSHandler({
- *   origins: ['https://example.com', "*.allows-subdomains.com", "http://localhost:3000"],
- * });
+ * const corsHandler = experimental_createCORSTransform([
+ *   // Exact matches
+ *   'https://example.com',
+ *   'http://localhost:3000',
+ *
+ *   // Wildcard subdomain matches
+ *   'https://*.myapp.com',      // matches https://dashboard.myapp.com
+ *   'http://*.myapp.com',       // matches http://dashboard.myapp.com
  *
- * const handler = createKaitoHandler({
- *  // ...
- *  transform: async (request, response) => {
- *    cors(request, response);
- *  }
+ *   // Match both subdomain and root domain
+ *   'https://*.staging.com',    // matches https://app.staging.com
+ *   'https://staging.com'       // matches https://staging.com
+ * ]);
+ *
+ * const router = create({
+ *   // Handle preflight requests
+ *   before: corsHandler.before,
+ *
+ *   // Or expanded
+ *   before: (request) => {
+ *     const res = cors.before(request);
+ *     if (res) return res;
+ *   },
+ *
+ *   // Apply CORS headers to all responses
+ *   transform: corsHandler.transform,
  * });
+ *
+ * // Manage origins dynamically
+ * corsHandler.appendOrigin('https://newdomain.com');
+ * corsHandler.removeOrigin('http://localhost:3000');
+ * corsHandler.setOrigins(['https://completely-new-domain.com']);
  * ```
  */
-declare function experimental_createCORSTransform(origins: string[]): (request: Request, response: Response) => void;
+declare function experimental_createCORSTransform(originsIterator: Iterable<string>): {
+    /**
+     * Handle OPTIONS requests in Kaito's `before()` hook
+     *
+     * @param request - The request object
+     * @returns A 204 response
+     */
+    before: (request: Request) => Response | undefined;
+    /**
+     * Apply CORS headers to the response if origin matches.
+     *
+     * @param request - The request object
+     * @param response - The response object
+     */
+    transform: (request: Request, response: Response) => void;
+    /**
+     * Replace all allowed origins with a new set.
+     *
+     * @param newOrigins - The new set of allowed origins
+     */
+    setOrigins: (newOrigins: Iterable<string>) => void;
+    /**
+     * Add one or more origins to the allowed list.
+     *
+     * @param origins - The origins to add
+     */
+    addOrigins: (...origins: string[]) => void;
+    /**
+     * Remove one or more origins from the allowed list.
+     *
+     * @param origins - The origins to remove
+     */
+    removeOrigins: (...origins: string[]) => void;
+    /**
+     * Clones the current set of allowed origins and returns it
+     *
+     * @returns A set of allowed origins
+     */
+    getOrigins: () => Set<string>;
+};
 
 export { experimental_createCORSTransform, experimental_createOriginMatcher };

package/dist/cors/cors.d.ts

@@ -1,55 +1,151 @@
 /**
  * Creates a function that matches origins against a predefined set of patterns, supporting wildcards.
- * The matcher handles both exact matches and wildcard subdomain patterns (e.g., '*.example.com').
+ * The matcher handles both exact matches and wildcard subdomain patterns.
  *
  * **⚠️ This API is experimental and may change or even be removed in the future. ⚠️**
  *
- * @param origins Array of origin patterns to match against.
- * Patterns can be exact origins (e.g., 'https://example.com') or wildcard patterns (e.g., '*.example.com') that match subdomains.
+ * @param originIterator Array of origin patterns to match against.
+ * Each pattern MUST include the protocol (http:// or https://).
+ * Two types of patterns are supported:
+ * 1. Exact matches (e.g., 'https://example.com') - matches only the exact domain with exact protocol
+ * 2. Wildcard subdomain patterns (e.g., 'https://*.example.com') - matches ONLY subdomains with exact protocol
+ *
+ * Important matching rules:
+ * - Protocol is always matched exactly - if you need both HTTP and HTTPS, include both patterns
+ * - Wildcard patterns (e.g., 'https://*.example.com') will ONLY match subdomains, NOT the root domain
+ * - To match both subdomains AND the root domain, include both patterns:
+ *   ['https://*.example.com', 'https://example.com']
+ *
  * @returns A function that tests if an origin matches any of the patterns
  *
  * @example
  * ```typescript
  * const allowedOrigins = [
- *   'https://example.com',
- *   '*.trusted-domain.com' // Won't match https://evil-domain.com, only subdomains
+ *   // Exact matches - protocol required
+ *   'https://example.com',           // matches only https://example.com
+ *   'http://example.com',            // matches only http://example.com
+ *
+ *   // Wildcard subdomain matches - protocol required
+ *   'https://*.example.com',         // matches https://app.example.com, https://api.example.com
+ *                                    // does NOT match https://example.com
+ *
+ *   // To match both HTTP and HTTPS, include both
+ *   'https://*.staging.com',         // matches https://app.staging.com
+ *   'http://*.staging.com',          // matches http://app.staging.com
+ *
+ *   // To match both subdomains and root domain, include both
+ *   'https://*.production.com',      // matches https://app.production.com
+ *   'https://production.com',        // matches https://production.com
  * ];
  *
  * const matcher = createOriginMatcher(allowedOrigins);
  *
- * // Exact match
- * console.log(matcher('https://example.com')); // true
- * console.log(matcher('http://example.com')); // false
+ * // Exact matches
+ * matcher('https://example.com');     // true
+ * matcher('http://example.com');      // true
  *
- * // Wildcard subdomain matches
- * console.log(matcher('https://app.trusted-domain.com')); // true
- * console.log(matcher('https://staging.trusted-domain.com')); // true
- * console.log(matcher('https://trusted-domain.com')); // false, because it's not a subdomain
- * console.log(matcher('https://evil-domain.com')); // false
+ * // Subdomain matches (protocol specific)
+ * matcher('https://app.example.com'); // true
+ * matcher('http://app.example.com');  // false - wrong protocol
+ *
+ * // Root domain with wildcard pattern
+ * matcher('https://example.com');     // false - wildcards don't match root
+ * matcher('https://production.com');  // true - matched by exact pattern
  * ```
  */
-declare function experimental_createOriginMatcher(origins: string[]): (origin: string) => boolean;
+declare function experimental_createOriginMatcher(originIterator: Iterable<string>): (origin: string) => boolean;
 /**
- * Create a function to apply CORS headers with sane defaults for most apps.
+ * Create a CORS handler with sane defaults for most apps.
  *
  * **⚠️ This API is experimental and may change or even be removed in the future. ⚠️**
  *
- * @param options Options object
- * @returns A function that will mutate the Response object by applying the CORS headers
+ * @param originsIterator Array of allowed origin patterns. Each pattern must include protocol (http:// or https://).
+ * Supports both exact matches and wildcard subdomain patterns. See {@link experimental_createOriginMatcher}
+ * for detailed pattern matching rules.
+ *
+ * @returns An object containing:
+ * - `before`: A handler for OPTIONS requests that returns a 204 response
+ * - `transform`: A function that applies CORS headers to the response if origin matches
+ * - `setOrigins`: A function to replace all allowed origins with a new set
+ * - `appendOrigin`: A function to add a new origin to the allowed list
+ * - `removeOrigin`: A function to remove an origin from the allowed list
+ * - `getOrigins`: A function that returns the current list of allowed origins
+ *
  * @example
  * ```ts
- * const cors = createCORSHandler({
- *   origins: ['https://example.com', "*.allows-subdomains.com", "http://localhost:3000"],
- * });
+ * const corsHandler = experimental_createCORSTransform([
+ *   // Exact matches
+ *   'https://example.com',
+ *   'http://localhost:3000',
+ *
+ *   // Wildcard subdomain matches
+ *   'https://*.myapp.com',      // matches https://dashboard.myapp.com
+ *   'http://*.myapp.com',       // matches http://dashboard.myapp.com
  *
- * const handler = createKaitoHandler({
- *  // ...
- *  transform: async (request, response) => {
- *    cors(request, response);
- *  }
+ *   // Match both subdomain and root domain
+ *   'https://*.staging.com',    // matches https://app.staging.com
+ *   'https://staging.com'       // matches https://staging.com
+ * ]);
+ *
+ * const router = create({
+ *   // Handle preflight requests
+ *   before: corsHandler.before,
+ *
+ *   // Or expanded
+ *   before: (request) => {
+ *     const res = cors.before(request);
+ *     if (res) return res;
+ *   },
+ *
+ *   // Apply CORS headers to all responses
+ *   transform: corsHandler.transform,
  * });
+ *
+ * // Manage origins dynamically
+ * corsHandler.appendOrigin('https://newdomain.com');
+ * corsHandler.removeOrigin('http://localhost:3000');
+ * corsHandler.setOrigins(['https://completely-new-domain.com']);
  * ```
  */
-declare function experimental_createCORSTransform(origins: string[]): (request: Request, response: Response) => void;
+declare function experimental_createCORSTransform(originsIterator: Iterable<string>): {
+    /**
+     * Handle OPTIONS requests in Kaito's `before()` hook
+     *
+     * @param request - The request object
+     * @returns A 204 response
+     */
+    before: (request: Request) => Response | undefined;
+    /**
+     * Apply CORS headers to the response if origin matches.
+     *
+     * @param request - The request object
+     * @param response - The response object
+     */
+    transform: (request: Request, response: Response) => void;
+    /**
+     * Replace all allowed origins with a new set.
+     *
+     * @param newOrigins - The new set of allowed origins
+     */
+    setOrigins: (newOrigins: Iterable<string>) => void;
+    /**
+     * Add one or more origins to the allowed list.
+     *
+     * @param origins - The origins to add
+     */
+    addOrigins: (...origins: string[]) => void;
+    /**
+     * Remove one or more origins from the allowed list.
+     *
+     * @param origins - The origins to remove
+     */
+    removeOrigins: (...origins: string[]) => void;
+    /**
+     * Clones the current set of allowed origins and returns it
+     *
+     * @returns A set of allowed origins
+     */
+    getOrigins: () => Set<string>;
+};
 
 export { experimental_createCORSTransform, experimental_createOriginMatcher };

package/dist/cors/cors.js

@@ -1,31 +1,99 @@
 // src/cors/cors.ts
-function experimental_createOriginMatcher(origins) {
+function experimental_createOriginMatcher(originIterator) {
+  const origins = Array.from(originIterator);
   if (origins.length === 0) {
     return () => false;
   }
+  const escapedCharsRegex = /[.+?^${}()|[\]\\]/g;
   const source = origins.map((origin) => {
-    if (origin.startsWith("*.")) {
-      const escapedDomain = origin.slice(2).replace(/[.+?^${}()|[\]\\]/g, "\\$&");
-      return `^(?:https?://)[^.]+\\.${escapedDomain}$`;
+    if (origin.includes("://*.")) {
+      const parts = origin.split("://");
+      if (parts.length !== 2) {
+        throw new Error(`Invalid origin pattern: ${origin}. Must include protocol (e.g., https://*.example.com)`);
+      }
+      const [protocol, rest] = parts;
+      const domain = rest.slice(2).replace(escapedCharsRegex, "\\$&");
+      const pattern = `^${protocol.replace(escapedCharsRegex, "\\$&")}:\\/\\/[^.]+\\.${domain}$`;
+      return pattern;
     } else {
-      const escapedOrigin = origin.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
-      return `^${escapedOrigin}$`;
+      const pattern = `^${origin.replace(escapedCharsRegex, "\\$&")}$`;
+      return pattern;
     }
   }).join("|");
   const regex = new RegExp(source);
   return (origin) => regex.test(origin);
 }
-function experimental_createCORSTransform(origins) {
-  const matcher = experimental_createOriginMatcher(origins);
-  return (request, response) => {
-    const origin = request.headers.get("Origin");
-    if (origin && matcher(origin)) {
-      response.headers.set("Access-Control-Allow-Origin", origin);
-      response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
-      response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
-      response.headers.set("Access-Control-Max-Age", "86400");
-      response.headers.set("Access-Control-Allow-Credentials", "true");
-    }
+function experimental_createCORSTransform(originsIterator) {
+  let allowedOrigins = new Set(originsIterator);
+  let matcher = experimental_createOriginMatcher(allowedOrigins);
+  const updateMatcher = () => {
+    matcher = experimental_createOriginMatcher(allowedOrigins);
+  };
+  return {
+    /**
+     * Handle OPTIONS requests in Kaito's `before()` hook
+     *
+     * @param request - The request object
+     * @returns A 204 response
+     */
+    before: (request) => {
+      if (request.method === "OPTIONS") {
+        return new Response(null, { status: 204 });
+      }
+    },
+    /**
+     * Apply CORS headers to the response if origin matches.
+     *
+     * @param request - The request object
+     * @param response - The response object
+     */
+    transform: (request, response) => {
+      const origin = request.headers.get("Origin");
+      if (origin && matcher(origin)) {
+        response.headers.set("Access-Control-Allow-Origin", origin);
+        response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS");
+        response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
+        response.headers.set("Access-Control-Max-Age", "86400");
+        response.headers.set("Access-Control-Allow-Credentials", "true");
+      }
+    },
+    /**
+     * Replace all allowed origins with a new set.
+     *
+     * @param newOrigins - The new set of allowed origins
+     */
+    setOrigins: (newOrigins) => {
+      allowedOrigins = new Set(newOrigins);
+      updateMatcher();
+    },
+    /**
+     * Add one or more origins to the allowed list.
+     *
+     * @param origins - The origins to add
+     */
+    addOrigins: (...origins) => {
+      for (const origin of origins) {
+        allowedOrigins.add(origin);
+      }
+      updateMatcher();
+    },
+    /**
+     * Remove one or more origins from the allowed list.
+     *
+     * @param origins - The origins to remove
+     */
+    removeOrigins: (...origins) => {
+      for (const origin of origins) {
+        allowedOrigins.delete(origin);
+      }
+      updateMatcher();
+    },
+    /**
+     * Clones the current set of allowed origins and returns it
+     *
+     * @returns A set of allowed origins
+     */
+    getOrigins: () => new Set(allowedOrigins)
   };
 }
 export {