npm - @mandujs/core - Versions diffs - 0.18.22 → 0.19.0 - Mend

@mandujs/core 0.18.22 → 0.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mandujs/core",
-  "version": "0.18.22",
+  "version": "0.19.0",
   "description": "Mandu Framework Core - Spec, Generator, Guard, Runtime",
   "type": "module",
   "main": "./src/index.ts",

package/src/filling/context.ts CHANGED Viewed

@@ -222,6 +222,71 @@ export class CookieManager {
   hasPendingCookies(): boolean {
     return this.responseCookies.size > 0;
   }
+  /**
+   * 서명된 쿠키 읽기 (HMAC-SHA256 검증)
+   * @returns 값(검증 성공), null(쿠키 없음), false(서명 불일치)
+   * @example
+   * const userId = await ctx.cookies.getSigned('session', SECRET);
+   * if (userId === false) return ctx.unauthorized('Invalid session');
+   * if (userId === null) return ctx.unauthorized('No session');
+   */
+  async getSigned(name: string, secret: string): Promise<string | null | false> {
+    const raw = this.get(name);
+    if (!raw) return null;
+    const dotIndex = raw.lastIndexOf(".");
+    if (dotIndex === -1) return false;
+    const value = raw.slice(0, dotIndex);
+    const signature = raw.slice(dotIndex + 1);
+    if (!value || !signature) return false;
+    const expected = await hmacSign(value, secret);
+    return signature === expected ? decodeURIComponent(value) : false;
+  }
+  /**
+   * 서명된 쿠키 설정 (HMAC-SHA256)
+   * @example
+   * await ctx.cookies.setSigned('session', userId, SECRET, { httpOnly: true });
+   */
+  async setSigned(name: string, value: string, secret: string, options?: CookieOptions): Promise<void> {
+    const encoded = encodeURIComponent(value);
+    const signature = await hmacSign(encoded, secret);
+    this.set(name, `${encoded}.${signature}`, options);
+  }
+  /**
+   * JSON 쿠키를 스키마로 파싱 + 검증 (Zod 호환 duck typing)
+   * @returns 파싱된 값 또는 null(쿠키 없음/파싱 실패/검증 실패)
+   * @example
+   * const prefs = ctx.cookies.getParsed('prefs', z.object({ theme: z.string() }));
+   */
+  getParsed<T>(name: string, schema: { parse: (v: unknown) => T }): T | null {
+    const raw = this.get(name);
+    if (raw == null) return null;
+    try {
+      const decoded = decodeURIComponent(raw);
+      const parsed = JSON.parse(decoded);
+      return schema.parse(parsed);
+    } catch {
+      return null;
+    }
+  }
+}
+/**
+ * HMAC-SHA256 서명 생성 (WebCrypto API)
+ */
+async function hmacSign(data: string, secret: string): Promise<string> {
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+  const sig = await crypto.subtle.sign("HMAC", key, encoder.encode(data));
+  return btoa(String.fromCharCode(...new Uint8Array(sig))).replace(/=+$/, "");
 }
 // ========== ManduContext ==========

package/src/runtime/server.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import type { Server } from "bun";
 import type { RoutesManifest, RouteSpec, HydrationConfig } from "../spec/schema";
 import type { BundleManifest } from "../bundler/types";
 import type { ManduFilling } from "../filling/filling";
-import { ManduContext } from "../filling/context";
+import { ManduContext, type CookieManager } from "../filling/context";
 import { Router } from "./router";
 import { renderSSR, renderStreamingResponse } from "./ssr";
 import { type ErrorFallbackProps } from "./boundary";
@@ -872,6 +872,7 @@ async function handleApiRoute(
 interface PageLoadResult {
   loaderData: unknown;
+  cookies?: CookieManager;
 }
 /**
@@ -888,6 +889,7 @@ async function loadPageData(
   // 1. PageHandler 방식 (신규 - filling 포함)
   const pageHandler = registry.pageHandlers.get(route.id);
   if (pageHandler) {
+    let cookies: CookieManager | undefined;
     try {
       const registration = await pageHandler();
       const component = registration.component as RouteComponent;
@@ -897,6 +899,9 @@ async function loadPageData(
       if (registration.filling?.hasLoader()) {
         const ctx = new ManduContext(req, params);
         loaderData = await registration.filling.executeLoader(ctx);
+        if (ctx.cookies.hasPendingCookies()) {
+          cookies = ctx.cookies;
+        }
       }
     } catch (error) {
       const pageError = createPageLoadErrorResponse(
@@ -908,7 +913,7 @@ async function loadPageData(
       return err(pageError);
     }
-    return ok({ loaderData });
+    return ok({ loaderData, cookies });
   }
   // 2. PageLoader 방식 (레거시 호환)
@@ -924,11 +929,17 @@ async function loadPageData(
       registry.registerRouteComponent(route.id, component as RouteComponent);
       // filling이 있으면 loader 실행
+      let cookies: CookieManager | undefined;
       const filling = typeof exported === "object" && exported !== null ? (exportedObj as Record<string, unknown>)?.filling as ManduFilling | null : null;
       if (filling?.hasLoader?.()) {
         const ctx = new ManduContext(req, params);
         loaderData = await filling.executeLoader(ctx);
+        if (ctx.cookies.hasPendingCookies()) {
+          cookies = ctx.cookies;
+        }
       }
+      return ok({ loaderData, cookies });
     } catch (error) {
       const pageError = createPageLoadErrorResponse(
         route.id,
@@ -953,7 +964,8 @@ async function renderPageSSR(
   params: Record<string, string>,
   loaderData: unknown,
   url: string,
-  registry: ServerRegistry
+  registry: ServerRegistry,
+  cookies?: CookieManager
 ): Promise<Result<Response>> {
   const settings = registry.settings;
   const defaultAppCreator = createDefaultAppFactory(registry);
@@ -982,7 +994,7 @@ async function renderPageSSR(
       : settings.streaming;
     if (useStreaming) {
-      return ok(await renderStreamingResponse(app, {
+      const streamingResponse = await renderStreamingResponse(app, {
         title: `${route.id} - Mandu`,
         isDev: settings.isDev,
         hmrPort: settings.hmrPort,
@@ -1007,11 +1019,12 @@ async function renderPageSSR(
             });
           }
         },
-      }));
+      });
+      return ok(cookies ? cookies.applyToResponse(streamingResponse) : streamingResponse);
     }
     // 기존 renderToString 방식
-    return ok(renderSSR(app, {
+    const ssrResponse = renderSSR(app, {
       title: `${route.id} - Mandu`,
       isDev: settings.isDev,
       hmrPort: settings.hmrPort,
@@ -1022,7 +1035,8 @@ async function renderPageSSR(
       enableClientRouter: true,
       routePattern: route.pattern,
       cssPath: settings.cssPath,
-    }));
+    });
+    return ok(cookies ? cookies.applyToResponse(ssrResponse) : ssrResponse);
   } catch (error) {
     const ssrError = createSSRErrorResponse(
       route.id,
@@ -1052,21 +1066,22 @@ async function handlePageRoute(
     return loadResult;
   }
-  const { loaderData } = loadResult.value;
+  const { loaderData, cookies } = loadResult.value;
   // 2. Client-side Routing: 데이터만 반환 (JSON)
   if (url.searchParams.has("_data")) {
-    return ok(Response.json({
+    const jsonResponse = Response.json({
       routeId: route.id,
       pattern: route.pattern,
       params,
       loaderData: loaderData ?? null,
       timestamp: Date.now(),
-    }));
+    });
+    return ok(cookies ? cookies.applyToResponse(jsonResponse) : jsonResponse);
   }
   // 3. SSR 렌더링
-  return renderPageSSR(route, params, loaderData, req.url, registry);
+  return renderPageSSR(route, params, loaderData, req.url, registry, cookies);
 }
 // ---------- Main Request Dispatcher ----------