@kaito-http/core 4.0.0-beta.6 → 4.0.0-beta.8

package/dist/cors/cors.cjs

@@ -28,13 +28,20 @@ function experimental_createOriginMatcher(origins) {
   if (origins.length === 0) {
     return () => false;
   }
+  const escapedCharsRegex = /[.+?^${}()|[\]\\]/g;
   const source = origins.map((origin) => {
-    if (origin.startsWith("*.")) {
-      const escapedDomain = origin.slice(2).replace(/[.+?^${}()|[\]\\]/g, "\\$&");
-      return `^(?:https?://)[^.]+\\.${escapedDomain}$`;
+    if (origin.includes("://*.")) {
+      const parts = origin.split("://");
+      if (parts.length !== 2) {
+        throw new Error(`Invalid origin pattern: ${origin}. Must include protocol (e.g., https://*.example.com)`);
+      }
+      const [protocol, rest] = parts;
+      const domain = rest.slice(2).replace(escapedCharsRegex, "\\$&");
+      const pattern = `^${protocol.replace(escapedCharsRegex, "\\$&")}:\\/\\/[^.]+\\.${domain}$`;
+      return pattern;
     } else {
-      const escapedOrigin = origin.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
-      return `^${escapedOrigin}$`;
+      const pattern = `^${origin.replace(escapedCharsRegex, "\\$&")}$`;
+      return pattern;
     }
   }).join("|");
   const regex = new RegExp(source);
@@ -46,7 +53,7 @@ function experimental_createCORSTransform(origins) {
     const origin = request.headers.get("Origin");
     if (origin && matcher(origin)) {
       response.headers.set("Access-Control-Allow-Origin", origin);
-      response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+      response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS");
       response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
       response.headers.set("Access-Control-Max-Age", "86400");
       response.headers.set("Access-Control-Allow-Credentials", "true");

package/dist/cors/cors.d.cts

@@ -1,31 +1,56 @@
 /**
  * Creates a function that matches origins against a predefined set of patterns, supporting wildcards.
- * The matcher handles both exact matches and wildcard subdomain patterns (e.g., '*.example.com').
+ * The matcher handles both exact matches and wildcard subdomain patterns.
  *
  * **⚠️ This API is experimental and may change or even be removed in the future. ⚠️**
  *
  * @param origins Array of origin patterns to match against.
- * Patterns can be exact origins (e.g., 'https://example.com') or wildcard patterns (e.g., '*.example.com') that match subdomains.
+ * Each pattern MUST include the protocol (http:// or https://).
+ * Two types of patterns are supported:
+ * 1. Exact matches (e.g., 'https://example.com') - matches only the exact domain with exact protocol
+ * 2. Wildcard subdomain patterns (e.g., 'https://*.example.com') - matches ONLY subdomains with exact protocol
+ *
+ * Important matching rules:
+ * - Protocol is always matched exactly - if you need both HTTP and HTTPS, include both patterns
+ * - Wildcard patterns (e.g., 'https://*.example.com') will ONLY match subdomains, NOT the root domain
+ * - To match both subdomains AND the root domain, include both patterns:
+ *   ['https://*.example.com', 'https://example.com']
+ *
  * @returns A function that tests if an origin matches any of the patterns
  *
  * @example
  * ```typescript
  * const allowedOrigins = [
- *   'https://example.com',
- *   '*.trusted-domain.com' // Won't match https://evil-domain.com, only subdomains
+ *   // Exact matches - protocol required
+ *   'https://example.com',           // matches only https://example.com
+ *   'http://example.com',            // matches only http://example.com
+ *
+ *   // Wildcard subdomain matches - protocol required
+ *   'https://*.example.com',         // matches https://app.example.com, https://api.example.com
+ *                                    // does NOT match https://example.com
+ *
+ *   // To match both HTTP and HTTPS, include both
+ *   'https://*.staging.com',         // matches https://app.staging.com
+ *   'http://*.staging.com',          // matches http://app.staging.com
+ *
+ *   // To match both subdomains and root domain, include both
+ *   'https://*.production.com',      // matches https://app.production.com
+ *   'https://production.com',        // matches https://production.com
  * ];
  *
  * const matcher = createOriginMatcher(allowedOrigins);
  *
- * // Exact match
- * console.log(matcher('https://example.com')); // true
- * console.log(matcher('http://example.com')); // false
+ * // Exact matches
+ * matcher('https://example.com');     // true
+ * matcher('http://example.com');      // true
  *
- * // Wildcard subdomain matches
- * console.log(matcher('https://app.trusted-domain.com')); // true
- * console.log(matcher('https://staging.trusted-domain.com')); // true
- * console.log(matcher('https://trusted-domain.com')); // false, because it's not a subdomain
- * console.log(matcher('https://evil-domain.com')); // false
+ * // Subdomain matches (protocol specific)
+ * matcher('https://app.example.com'); // true
+ * matcher('http://app.example.com');  // false - wrong protocol
+ *
+ * // Root domain with wildcard pattern
+ * matcher('https://example.com');     // false - wildcards don't match root
+ * matcher('https://production.com');  // true - matched by exact pattern
  * ```
  */
 declare function experimental_createOriginMatcher(origins: string[]): (origin: string) => boolean;
@@ -38,15 +63,31 @@ declare function experimental_createOriginMatcher(origins: string[]): (origin: s
  * @returns A function that will mutate the Response object by applying the CORS headers
  * @example
  * ```ts
- * const cors = createCORSHandler({
- *   origins: ['https://example.com', "*.allows-subdomains.com", "http://localhost:3000"],
- * });
+ * const cors = experimental_createCORSTransform([
+ *  	// Exact matches
+ *  	'https://example.com',
+ *  	'http://localhost:3000',
+ *
+ *  	// Wildcard subdomain matches
+ *  	'https://*.myapp.com',      // matches https://dashboard.myapp.com
+ *  	'http://*.myapp.com',       // matches http://dashboard.myapp.com
+ *
+ *  	// Match both subdomain and root domain
+ *  	'https://*.staging.com',    // matches https://app.staging.com
+ *  	'https://staging.com'       // matches https://staging.com
+ *  ]);
  *
- * const handler = createKaitoHandler({
- *  // ...
- *  transform: async (request, response) => {
- *    cors(request, response);
- *  }
+ * const router = create({
+ * 		before: async req => {
+ * 			if (req.method === 'OPTIONS') {
+ * 				// Return early to skip the router. This response still gets passed to `.transform()`
+ * 				// So our CORS headers will still be applied
+ * 				return new Response(null, {status: 204});
+ * 			}
+ * 		},
+ * 		transform: async (request, response) => {
+ * 			cors(request, response);
+ * 		}
  * });
  * ```
  */

package/dist/cors/cors.d.ts

@@ -1,31 +1,56 @@
 /**
  * Creates a function that matches origins against a predefined set of patterns, supporting wildcards.
- * The matcher handles both exact matches and wildcard subdomain patterns (e.g., '*.example.com').
+ * The matcher handles both exact matches and wildcard subdomain patterns.
  *
  * **⚠️ This API is experimental and may change or even be removed in the future. ⚠️**
  *
  * @param origins Array of origin patterns to match against.
- * Patterns can be exact origins (e.g., 'https://example.com') or wildcard patterns (e.g., '*.example.com') that match subdomains.
+ * Each pattern MUST include the protocol (http:// or https://).
+ * Two types of patterns are supported:
+ * 1. Exact matches (e.g., 'https://example.com') - matches only the exact domain with exact protocol
+ * 2. Wildcard subdomain patterns (e.g., 'https://*.example.com') - matches ONLY subdomains with exact protocol
+ *
+ * Important matching rules:
+ * - Protocol is always matched exactly - if you need both HTTP and HTTPS, include both patterns
+ * - Wildcard patterns (e.g., 'https://*.example.com') will ONLY match subdomains, NOT the root domain
+ * - To match both subdomains AND the root domain, include both patterns:
+ *   ['https://*.example.com', 'https://example.com']
+ *
  * @returns A function that tests if an origin matches any of the patterns
  *
  * @example
  * ```typescript
  * const allowedOrigins = [
- *   'https://example.com',
- *   '*.trusted-domain.com' // Won't match https://evil-domain.com, only subdomains
+ *   // Exact matches - protocol required
+ *   'https://example.com',           // matches only https://example.com
+ *   'http://example.com',            // matches only http://example.com
+ *
+ *   // Wildcard subdomain matches - protocol required
+ *   'https://*.example.com',         // matches https://app.example.com, https://api.example.com
+ *                                    // does NOT match https://example.com
+ *
+ *   // To match both HTTP and HTTPS, include both
+ *   'https://*.staging.com',         // matches https://app.staging.com
+ *   'http://*.staging.com',          // matches http://app.staging.com
+ *
+ *   // To match both subdomains and root domain, include both
+ *   'https://*.production.com',      // matches https://app.production.com
+ *   'https://production.com',        // matches https://production.com
  * ];
  *
  * const matcher = createOriginMatcher(allowedOrigins);
  *
- * // Exact match
- * console.log(matcher('https://example.com')); // true
- * console.log(matcher('http://example.com')); // false
+ * // Exact matches
+ * matcher('https://example.com');     // true
+ * matcher('http://example.com');      // true
  *
- * // Wildcard subdomain matches
- * console.log(matcher('https://app.trusted-domain.com')); // true
- * console.log(matcher('https://staging.trusted-domain.com')); // true
- * console.log(matcher('https://trusted-domain.com')); // false, because it's not a subdomain
- * console.log(matcher('https://evil-domain.com')); // false
+ * // Subdomain matches (protocol specific)
+ * matcher('https://app.example.com'); // true
+ * matcher('http://app.example.com');  // false - wrong protocol
+ *
+ * // Root domain with wildcard pattern
+ * matcher('https://example.com');     // false - wildcards don't match root
+ * matcher('https://production.com');  // true - matched by exact pattern
  * ```
  */
 declare function experimental_createOriginMatcher(origins: string[]): (origin: string) => boolean;
@@ -38,15 +63,31 @@ declare function experimental_createOriginMatcher(origins: string[]): (origin: s
  * @returns A function that will mutate the Response object by applying the CORS headers
  * @example
  * ```ts
- * const cors = createCORSHandler({
- *   origins: ['https://example.com', "*.allows-subdomains.com", "http://localhost:3000"],
- * });
+ * const cors = experimental_createCORSTransform([
+ *  	// Exact matches
+ *  	'https://example.com',
+ *  	'http://localhost:3000',
+ *
+ *  	// Wildcard subdomain matches
+ *  	'https://*.myapp.com',      // matches https://dashboard.myapp.com
+ *  	'http://*.myapp.com',       // matches http://dashboard.myapp.com
+ *
+ *  	// Match both subdomain and root domain
+ *  	'https://*.staging.com',    // matches https://app.staging.com
+ *  	'https://staging.com'       // matches https://staging.com
+ *  ]);
  *
- * const handler = createKaitoHandler({
- *  // ...
- *  transform: async (request, response) => {
- *    cors(request, response);
- *  }
+ * const router = create({
+ * 		before: async req => {
+ * 			if (req.method === 'OPTIONS') {
+ * 				// Return early to skip the router. This response still gets passed to `.transform()`
+ * 				// So our CORS headers will still be applied
+ * 				return new Response(null, {status: 204});
+ * 			}
+ * 		},
+ * 		transform: async (request, response) => {
+ * 			cors(request, response);
+ * 		}
  * });
  * ```
  */

package/dist/cors/cors.js

@@ -3,13 +3,20 @@ function experimental_createOriginMatcher(origins) {
   if (origins.length === 0) {
     return () => false;
   }
+  const escapedCharsRegex = /[.+?^${}()|[\]\\]/g;
   const source = origins.map((origin) => {
-    if (origin.startsWith("*.")) {
-      const escapedDomain = origin.slice(2).replace(/[.+?^${}()|[\]\\]/g, "\\$&");
-      return `^(?:https?://)[^.]+\\.${escapedDomain}$`;
+    if (origin.includes("://*.")) {
+      const parts = origin.split("://");
+      if (parts.length !== 2) {
+        throw new Error(`Invalid origin pattern: ${origin}. Must include protocol (e.g., https://*.example.com)`);
+      }
+      const [protocol, rest] = parts;
+      const domain = rest.slice(2).replace(escapedCharsRegex, "\\$&");
+      const pattern = `^${protocol.replace(escapedCharsRegex, "\\$&")}:\\/\\/[^.]+\\.${domain}$`;
+      return pattern;
     } else {
-      const escapedOrigin = origin.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
-      return `^${escapedOrigin}$`;
+      const pattern = `^${origin.replace(escapedCharsRegex, "\\$&")}$`;
+      return pattern;
     }
   }).join("|");
   const regex = new RegExp(source);
@@ -21,7 +28,7 @@ function experimental_createCORSTransform(origins) {
     const origin = request.headers.get("Origin");
     if (origin && matcher(origin)) {
       response.headers.set("Access-Control-Allow-Origin", origin);
-      response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+      response.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS");
       response.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
       response.headers.set("Access-Control-Max-Age", "86400");
       response.headers.set("Access-Control-Allow-Credentials", "true");

package/dist/index.cjs

@@ -178,7 +178,10 @@ var Router = class _Router {
   merge = (pathPrefix, other) => {
     const newRoutes = [...other.state.routes].map((route) => ({
       ...route,
-      path: `${pathPrefix}${route.path}`
+      // handle pathPrefix = / & route.path = / case causing //
+      // we intentionally are replacing on the joining path and not the pathPrefix, in case of
+      // /named -> merged to -> / causing /named/ not /named
+      path: `${pathPrefix}${route.path === "/" ? "" : route.path}`
     }));
     return new _Router({
       ...this.state,
@@ -366,7 +369,7 @@ var Router = class _Router {
       const item = {
         description: route.openapi?.description ?? "Successful response",
         responses: {
-          default: {
+          200: {
             description: route.openapi?.description ?? "Successful response",
             content
           }

package/dist/index.d.cts

@@ -148,7 +148,7 @@ type Route<ContextTo, Result, Path extends string, AdditionalParams extends Reco
 };
 type AnyRoute = Route<any, any, any, any, any, any, any>;
 
-type PrefixRoutesPathInner<R extends AnyRoute, Prefix extends `/${string}`> = R extends Route<infer ContextTo, infer Result, infer Path, infer AdditionalParams, infer Method, infer Query, infer BodyOutput> ? Route<ContextTo, Result, `${Prefix}${Path}`, AdditionalParams, Method, Query, BodyOutput> : never;
+type PrefixRoutesPathInner<R extends AnyRoute, Prefix extends `/${string}`> = R extends Route<infer ContextTo, infer Result, infer Path, infer AdditionalParams, infer Method, infer Query, infer BodyOutput> ? Route<ContextTo, Result, `${Prefix}${Path extends '/' ? '' : Path}`, AdditionalParams, Method, Query, BodyOutput> : never;
 type PrefixRoutesPath<Prefix extends `/${string}`, R extends AnyRoute> = R extends R ? PrefixRoutesPathInner<R, Prefix> : never;
 type RouterState<ContextFrom, ContextTo, RequiredParams extends Record<string, unknown>, Routes extends AnyRoute> = {
     routes: Set<Routes>;

package/dist/index.d.ts

@@ -148,7 +148,7 @@ type Route<ContextTo, Result, Path extends string, AdditionalParams extends Reco
 };
 type AnyRoute = Route<any, any, any, any, any, any, any>;
 
-type PrefixRoutesPathInner<R extends AnyRoute, Prefix extends `/${string}`> = R extends Route<infer ContextTo, infer Result, infer Path, infer AdditionalParams, infer Method, infer Query, infer BodyOutput> ? Route<ContextTo, Result, `${Prefix}${Path}`, AdditionalParams, Method, Query, BodyOutput> : never;
+type PrefixRoutesPathInner<R extends AnyRoute, Prefix extends `/${string}`> = R extends Route<infer ContextTo, infer Result, infer Path, infer AdditionalParams, infer Method, infer Query, infer BodyOutput> ? Route<ContextTo, Result, `${Prefix}${Path extends '/' ? '' : Path}`, AdditionalParams, Method, Query, BodyOutput> : never;
 type PrefixRoutesPath<Prefix extends `/${string}`, R extends AnyRoute> = R extends R ? PrefixRoutesPathInner<R, Prefix> : never;
 type RouterState<ContextFrom, ContextTo, RequiredParams extends Record<string, unknown>, Routes extends AnyRoute> = {
     routes: Set<Routes>;

package/dist/index.js

@@ -148,7 +148,10 @@ var Router = class _Router {
   merge = (pathPrefix, other) => {
     const newRoutes = [...other.state.routes].map((route) => ({
       ...route,
-      path: `${pathPrefix}${route.path}`
+      // handle pathPrefix = / & route.path = / case causing //
+      // we intentionally are replacing on the joining path and not the pathPrefix, in case of
+      // /named -> merged to -> / causing /named/ not /named
+      path: `${pathPrefix}${route.path === "/" ? "" : route.path}`
     }));
     return new _Router({
       ...this.state,
@@ -336,7 +339,7 @@ var Router = class _Router {
       const item = {
         description: route.openapi?.description ?? "Successful response",
         responses: {
-          default: {
+          200: {
             description: route.openapi?.description ?? "Successful response",
             content
           }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kaito-http/core",
-  "version": "4.0.0-beta.6",
+  "version": "4.0.0-beta.8",
   "author": "Alistair Smith <hi@alistair.sh>",
   "repository": "https://github.com/kaito-http/kaito",
   "devDependencies": {