@morojs/moro 1.5.6 → 1.5.8

package/src/core/http/http-server.ts

@@ -631,6 +631,26 @@ export class MoroHttpServer {
     };
 
     httpRes.cookie = (name: string, value: string, options: any = {}) => {
+      if (httpRes.headersSent) {
+        const isCritical =
+          options.critical ||
+          name.includes('session') ||
+          name.includes('auth') ||
+          name.includes('csrf');
+        const message = `Cookie '${name}' could not be set - headers already sent`;
+
+        if (isCritical || options.throwOnLateSet) {
+          throw new Error(`${message}. This may cause authentication or security issues.`);
+        } else {
+          this.logger.warn(message, 'CookieWarning', {
+            cookieName: name,
+            critical: isCritical,
+            stackTrace: new Error().stack,
+          });
+        }
+        return httpRes;
+      }
+
       const cookieValue = encodeURIComponent(value);
       let cookieString = `${name}=${cookieValue}`;
 
@@ -694,6 +714,62 @@ export class MoroHttpServer {
       }
     };
 
+    // Header management utilities
+    httpRes.hasHeader = (name: string): boolean => {
+      return httpRes.getHeader(name) !== undefined;
+    };
+
+    // Note: removeHeader is inherited from ServerResponse, we don't override it
+
+    httpRes.setBulkHeaders = (headers: Record<string, string | number>) => {
+      if (httpRes.headersSent) {
+        this.logger.warn('Cannot set headers - headers already sent', 'HeaderWarning', {
+          attemptedHeaders: Object.keys(headers),
+        });
+        return httpRes;
+      }
+
+      Object.entries(headers).forEach(([key, value]) => {
+        httpRes.setHeader(key, value);
+      });
+      return httpRes;
+    };
+
+    httpRes.appendHeader = (name: string, value: string | string[]) => {
+      if (httpRes.headersSent) {
+        this.logger.warn(
+          `Cannot append to header '${name}' - headers already sent`,
+          'HeaderWarning'
+        );
+        return httpRes;
+      }
+
+      const existing = httpRes.getHeader(name);
+      if (existing) {
+        const values = Array.isArray(existing) ? existing : [existing.toString()];
+        const newValues = Array.isArray(value) ? value : [value];
+        httpRes.setHeader(name, [...values, ...newValues]);
+      } else {
+        httpRes.setHeader(name, value);
+      }
+      return httpRes;
+    };
+
+    // Response state utilities
+    httpRes.canSetHeaders = (): boolean => {
+      return !httpRes.headersSent;
+    };
+
+    httpRes.getResponseState = () => {
+      return {
+        headersSent: httpRes.headersSent,
+        statusCode: httpRes.statusCode,
+        headers: httpRes.getHeaders ? httpRes.getHeaders() : {},
+        finished: httpRes.finished || false,
+        writable: httpRes.writable,
+      };
+    };
+
     return httpRes;
   }
 
@@ -1075,23 +1151,25 @@ export const middleware = {
         }
 
         if (acceptEncoding.includes('gzip')) {
-          res.setHeader('Content-Encoding', 'gzip');
           zlib.gzip(buffer, { level }, (err: any, compressed: Buffer) => {
             if (err) {
               return isJson ? originalJson.call(res, data) : originalSend.call(res, data);
             }
-            res.setHeader('Content-Length', compressed.length);
-            res.writeHead(res.statusCode || 200, res.getHeaders());
+            if (!res.headersSent) {
+              res.setHeader('Content-Encoding', 'gzip');
+              res.setHeader('Content-Length', compressed.length);
+            }
             res.end(compressed);
           });
         } else if (acceptEncoding.includes('deflate')) {
-          res.setHeader('Content-Encoding', 'deflate');
           zlib.deflate(buffer, { level }, (err: any, compressed: Buffer) => {
             if (err) {
               return isJson ? originalJson.call(res, data) : originalSend.call(res, data);
             }
-            res.setHeader('Content-Length', compressed.length);
-            res.writeHead(res.statusCode || 200, res.getHeaders());
+            if (!res.headersSent) {
+              res.setHeader('Content-Encoding', 'deflate');
+              res.setHeader('Content-Length', compressed.length);
+            }
             res.end(compressed);
           });
         } else {
@@ -1519,13 +1597,15 @@ export const middleware = {
       // Only handle SSE requests
       if (req.headers.accept?.includes('text/event-stream')) {
         // Set SSE headers
-        res.writeHead(200, {
-          'Content-Type': 'text/event-stream',
-          'Cache-Control': 'no-cache',
-          Connection: 'keep-alive',
-          'Access-Control-Allow-Origin': options.cors ? '*' : undefined,
-          'Access-Control-Allow-Headers': options.cors ? 'Cache-Control' : undefined,
-        });
+        if (!res.headersSent) {
+          res.writeHead(200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            Connection: 'keep-alive',
+            'Access-Control-Allow-Origin': options.cors ? '*' : undefined,
+            'Access-Control-Allow-Headers': options.cors ? 'Cache-Control' : undefined,
+          });
+        }
 
         // Add SSE methods to response
         (res as any).sendEvent = (data: any, event?: string, id?: string) => {
@@ -1626,7 +1706,8 @@ export const middleware = {
             const chunkSize = end - start + 1;
 
             if (start >= fileSize || end >= fileSize) {
-              res.status(416).setHeader('Content-Range', `bytes */${fileSize}`);
+              res.status(416);
+              res.setHeader('Content-Range', `bytes */${fileSize}`);
               res.json({ success: false, error: 'Range not satisfiable' });
               return;
             }

package/src/core/middleware/built-in/cache.ts

@@ -188,7 +188,9 @@ export const cache = (options: CacheOptions = {}): MiddlewareInterface => ({
           parts.push(`stale-while-revalidate=${directives.staleWhileRevalidate}`);
         }
 
-        res.setHeader('Cache-Control', parts.join(', '));
+        if (!res.headersSent) {
+          res.setHeader('Cache-Control', parts.join(', '));
+        }
         return res;
       };
 

package/src/core/middleware/built-in/sse.ts

@@ -35,13 +35,15 @@ export const sse = (
       logger.debug('Setting up SSE connection', 'SSESetup');
 
       // Set SSE headers
-      res.writeHead(200, {
-        'Content-Type': 'text/event-stream',
-        'Cache-Control': 'no-cache',
-        Connection: 'keep-alive',
-        'Access-Control-Allow-Origin': options.cors ? '*' : undefined,
-        'Access-Control-Allow-Headers': options.cors ? 'Cache-Control' : undefined,
-      });
+      if (!res.headersSent) {
+        res.writeHead(200, {
+          'Content-Type': 'text/event-stream',
+          'Cache-Control': 'no-cache',
+          Connection: 'keep-alive',
+          'Access-Control-Allow-Origin': options.cors ? '*' : undefined,
+          'Access-Control-Allow-Headers': options.cors ? 'Cache-Control' : undefined,
+        });
+      }
 
       // Add SSE methods to response
       res.sendEvent = (data: any, event?: string, id?: string) => {

package/src/core/runtime/node-adapter.ts

@@ -138,24 +138,30 @@ export class NodeRuntimeAdapter extends BaseRuntimeAdapter {
 
     if (!enhanced.cookie) {
       enhanced.cookie = function (name: string, value: string, options?: any) {
-        const cookieString = `${name}=${value}`;
-        this.setHeader('Set-Cookie', cookieString);
+        if (!this.headersSent) {
+          const cookieString = `${name}=${value}`;
+          this.setHeader('Set-Cookie', cookieString);
+        }
         return this;
       };
     }
 
     if (!enhanced.clearCookie) {
       enhanced.clearCookie = function (name: string, options?: any) {
-        this.setHeader('Set-Cookie', `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT`);
+        if (!this.headersSent) {
+          this.setHeader('Set-Cookie', `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT`);
+        }
         return this;
       };
     }
 
     if (!enhanced.redirect) {
       enhanced.redirect = function (url: string, status?: number) {
-        this.statusCode = status || 302;
-        this.setHeader('Location', url);
-        this.end();
+        if (!this.headersSent) {
+          this.statusCode = status || 302;
+          this.setHeader('Location', url);
+          this.end();
+        }
       };
     }
 

package/src/moro.ts

@@ -99,6 +99,7 @@ export class Moro extends EventEmitter {
       ...options,
       logger: this.config.logging,
       websocket: this.config.websocket.enabled ? options.websocket || {} : false,
+      config: this.config,
     };
 
     this.coreFramework = new MoroCore(frameworkOptions);
@@ -855,20 +856,33 @@ export class Moro extends EventEmitter {
   }
 
   private setupDefaultMiddleware(options: MoroOptions) {
-    // CORS
-    if (options.cors !== false) {
-      const corsOptions = typeof options.cors === 'object' ? options.cors : {};
+    // CORS - check config enabled property OR options.security.cors.enabled === true
+    if (this.config.security.cors.enabled || options.security?.cors?.enabled === true) {
+      const corsOptions =
+        typeof options.cors === 'object'
+          ? options.cors
+          : this.config.security.cors
+            ? this.config.security.cors
+            : {};
       this.use(middleware.cors(corsOptions));
     }
 
-    // Helmet
-    if (options.helmet !== false) {
+    // Helmet - check config enabled property OR options.security.helmet.enabled === true
+    if (this.config.security.helmet.enabled || options.security?.helmet?.enabled === true) {
       this.use(middleware.helmet());
     }
 
-    // Compression
-    if (options.compression !== false) {
-      const compressionOptions = typeof options.compression === 'object' ? options.compression : {};
+    // Compression - check config enabled property OR options.performance.compression.enabled === true
+    if (
+      this.config.performance.compression.enabled ||
+      options.performance?.compression?.enabled === true
+    ) {
+      const compressionOptions =
+        typeof options.compression === 'object'
+          ? options.compression
+          : this.config.performance.compression
+            ? this.config.performance.compression
+            : {};
       this.use(middleware.compression(compressionOptions));
     }
 

package/src/types/config.ts

@@ -5,6 +5,13 @@ export interface ServerConfig {
   host: string;
   maxConnections: number;
   timeout: number;
+  bodySizeLimit: string;
+  requestTracking: {
+    enabled: boolean;
+  };
+  errorBoundary: {
+    enabled: boolean;
+  };
 }
 
 export interface ServiceDiscoveryConfig {

package/src/types/http.ts

@@ -22,9 +22,20 @@ export interface CookieOptions {
   sameSite?: 'strict' | 'lax' | 'none';
   domain?: string;
   path?: string;
+  // Security options
+  critical?: boolean; // Mark as critical for security (throws on late set)
+  throwOnLateSet?: boolean; // Force throw if headers already sent
 }
 
-export interface HttpResponse extends ServerResponse {
+export interface ResponseState {
+  headersSent: boolean;
+  statusCode: number;
+  headers: Record<string, any>;
+  finished: boolean;
+  writable: boolean;
+}
+
+export interface MoroResponseMethods {
   json(data: any): void;
   status(code: number): HttpResponse;
   send(data: string | Buffer): void;
@@ -33,8 +44,19 @@ export interface HttpResponse extends ServerResponse {
   redirect(url: string, status?: number): void;
   sendFile(filePath: string): Promise<void>;
   render?(template: string, data?: any): Promise<void>;
+
+  // Header management utilities
+  hasHeader(name: string): boolean;
+  setBulkHeaders(headers: Record<string, string | number>): HttpResponse;
+  appendHeader(name: string, value: string | string[]): HttpResponse;
+
+  // Response state utilities
+  canSetHeaders(): boolean;
+  getResponseState(): ResponseState;
 }
 
+export type HttpResponse = ServerResponse & MoroResponseMethods;
+
 export type HttpHandler = (req: HttpRequest, res: HttpResponse) => Promise<void> | void;
 export type Middleware = (
   req: HttpRequest,