@mpen/routekit 0.1.0

package/src/router/middleware/accept-ctx.test.ts

@@ -0,0 +1,33 @@
+#!/usr/bin/env -S bun test
+import { describe, expect, it } from 'bun:test'
+import { HttpMethod } from '@mpen/http'
+import { Router } from '../router'
+import { acceptCtx } from './accept-ctx'
+
+describe(acceptCtx.name, () => {
+    it('adds parsed Accept header values to the context', async () => {
+        const router = new Router()
+
+        router.use(acceptCtx())
+        router.add({
+            method: HttpMethod.GET,
+            path: '/',
+            handler: ({ accept }) => new Response(JSON.stringify(accept)),
+        })
+
+        const request = new Request('https://example.com/', {
+            headers: {
+                accept: 'text/plain;q=0.5, application/json, text/html;q=0.9,application/yaml;q=1',
+            },
+        })
+
+        const response = await router.fetch(request)
+
+        expect(await response.json()).toEqual([
+            { type: 'application/json', q: 1 },
+            { type: 'application/yaml', q: 1 },
+            { type: 'text/html', q: 0.9 },
+            { type: 'text/plain', q: 0.5 },
+        ])
+    })
+})

package/src/router/middleware/accept-ctx.ts

@@ -0,0 +1,12 @@
+import type { AcceptMediaRange, ContextMiddleware } from '../types'
+import { parseAcceptHeader } from '../lib/media-type'
+
+/**
+ * Attach parsed Accept header values to the request context.
+ *
+ * @returns Middleware that adds `accept` to the request context.
+ */
+export const acceptCtx = (): ContextMiddleware<{ accept: AcceptMediaRange[] }> => (ctx) => {
+    const header = ctx.request.headers.get('accept')
+    ctx.accept = parseAcceptHeader(header ?? '*/*')
+}

package/src/router/middleware/body-limit.test.ts

@@ -0,0 +1,112 @@
+#!/usr/bin/env -S bun test
+import { describe, expect, it, mock } from 'bun:test'
+import { HttpMethod, HttpStatus } from '@mpen/http'
+import { Router } from '../router'
+import { bodyLimit } from './body-limit'
+
+const encoder = new TextEncoder()
+
+function makeStream(chunks: string[]): ReadableStream<Uint8Array> {
+    return new ReadableStream<Uint8Array>({
+        start(controller) {
+            for (const chunk of chunks) {
+                controller.enqueue(encoder.encode(chunk))
+            }
+            controller.close()
+        },
+    })
+}
+
+describe(bodyLimit.name, () => {
+    it('rejects immediately when Content-Length exceeds maxSize', async () => {
+        const router = new Router()
+        const handler = mock(() => new Response('ok'))
+
+        router.use(bodyLimit({ maxSize: 9 }))
+        router.add({ method: HttpMethod.POST, path: '/upload', handler })
+
+        const request = new Request('https://example.com/upload', {
+            method: HttpMethod.POST,
+            headers: { 'content-length': '10' },
+            body: makeStream(['ok']),
+        })
+
+        const response = await router.fetch(request)
+
+        expect(response.status).toBe(HttpStatus.PAYLOAD_TOO_LARGE)
+        expect(handler).not.toHaveBeenCalled()
+    })
+
+    it('rejects when the streamed body exceeds maxSize', async () => {
+        const router = new Router()
+
+        router.use(bodyLimit({ maxSize: 4 }))
+        router.add({
+            method: HttpMethod.POST,
+            path: '/upload',
+            handler: async ({ request }) => new Response(await request.body.text()),
+        })
+
+        const request = new Request('https://example.com/upload', {
+            method: HttpMethod.POST,
+            body: makeStream(['1234', '5']),
+        })
+
+        const response = await router.fetch(request)
+
+        expect(response.status).toBe(HttpStatus.PAYLOAD_TOO_LARGE)
+    })
+
+    it('rejects when Content-Length does not match the received bytes', async () => {
+        const router = new Router()
+
+        router.use(bodyLimit({ maxSize: 10 }))
+        router.add({
+            method: HttpMethod.POST,
+            path: '/upload',
+            handler: async ({ request }) => new Response(await request.body.text()),
+        })
+
+        const request = new Request('https://example.com/upload', {
+            method: HttpMethod.POST,
+            headers: { 'content-length': '4' },
+            body: makeStream(['abc']),
+        })
+
+        const response = await router.fetch(request)
+
+        expect(response.status).toBe(HttpStatus.BAD_REQUEST)
+    })
+
+    it('allows requests within the limit and matching Content-Length', async () => {
+        const router = new Router()
+
+        router.use(bodyLimit({ maxSize: 10 }))
+        router.add({
+            method: HttpMethod.POST,
+            path: '/upload',
+            handler: async ({ request }) => new Response(await request.body.text()),
+        })
+
+        const request = new Request('https://example.com/upload', {
+            method: HttpMethod.POST,
+            headers: { 'content-length': '5' },
+            body: makeStream(['hello']),
+        })
+
+        const response = await router.fetch(request)
+
+        expect(response.status).toBe(HttpStatus.OK)
+        expect(await response.text()).toBe('hello')
+    })
+
+    it('declares its rejection responses on affected routes', () => {
+        const router = new Router().use(bodyLimit({ maxSize: 10 }))
+        router.add({ method: HttpMethod.POST, path: '/upload', handler: () => new Response() })
+
+        expect(router.getRoutes()[0]?.schema?.response?.body).toEqual({
+            [HttpStatus.BAD_REQUEST]: { type: 'string' },
+            [HttpStatus.PAYLOAD_TOO_LARGE]: { type: 'string' },
+        })
+    })
+})

package/src/router/middleware/body-limit.ts

@@ -0,0 +1,121 @@
+import { HttpStatus } from '@mpen/http'
+import { RequestBodyLengthMismatchError, RequestBodyTooLargeError } from '../request'
+import { text } from '../response/formats/content'
+import { defineMiddleware, type DeclaredMiddleware } from './define'
+import type { AnyContext } from '../types'
+
+export interface MaxContentSizeOptions {
+    maxSize: number
+}
+
+const utf8encoder = new TextEncoder()
+
+function parseContentLength(value: string | null): number | null {
+    if (!value) return null
+    const trimmed = value.trim()
+    if (!trimmed) return null
+    const parsed = Number(trimmed)
+    if (!Number.isFinite(parsed) || !Number.isInteger(parsed) || parsed < 0) return null
+    return parsed
+}
+
+function chunkByteLength(chunk: Uint8Array | string): number {
+    if (typeof chunk === 'string') return utf8encoder.encode(chunk).length
+    return chunk.byteLength
+}
+
+/**
+ * Enforce a maximum request body size while preserving access to the incoming stream.
+ *
+ * @example
+ * ```ts
+ * router.use(bodyLimit({maxSize: 1024 * 1024}))
+ * ```
+ *
+ * @param options - Configuration for maximum request body size enforcement.
+ * @returns Middleware that rejects oversized bodies and mismatched Content-Length values.
+ */
+export function bodyLimit<Ctx extends object = AnyContext>(
+    options: MaxContentSizeOptions,
+): DeclaredMiddleware<{}, Ctx> {
+    const textResponse = {
+        schema: { type: 'string' },
+        parse(value: unknown): string {
+            if (typeof value !== 'string') {
+                throw new TypeError('Body limit responses must contain a string body.')
+            }
+            return value
+        },
+    }
+
+    return defineMiddleware({
+        responses: {
+            [HttpStatus.BAD_REQUEST]: textResponse,
+            [HttpStatus.PAYLOAD_TOO_LARGE]: textResponse,
+        },
+        async run(ctx, { next, forward, respond }) {
+            const maxSize = options.maxSize
+            const contentLength = parseContentLength(ctx.request.headers.get('content-length'))
+
+            if (contentLength != null && contentLength > maxSize) {
+                void ctx.request.body.stream()?.cancel()
+                return respond(text('Payload Too Large', { status: HttpStatus.PAYLOAD_TOO_LARGE }))
+            }
+
+            const bodyStream = ctx.request.body.stream()
+            if (!bodyStream) {
+                if (contentLength != null && contentLength !== 0) {
+                    return respond(text('Bad Request', { status: HttpStatus.BAD_REQUEST }))
+                }
+                return forward(await next())
+            }
+
+            const reader = bodyStream.getReader()
+            let bytesRead = 0
+
+            const monitoredBody = new ReadableStream<Uint8Array>({
+                async pull(controller) {
+                    const result = await reader.read()
+                    if (result.done) {
+                        if (contentLength != null && bytesRead !== contentLength) {
+                            controller.error(
+                                new RequestBodyLengthMismatchError(contentLength, bytesRead),
+                            )
+                            return
+                        }
+                        controller.close()
+                        return
+                    }
+
+                    const value = result.value
+                    bytesRead += chunkByteLength(value)
+                    if (bytesRead > maxSize) {
+                        await reader.cancel()
+                        controller.error(new RequestBodyTooLargeError(maxSize, bytesRead))
+                        return
+                    }
+                    controller.enqueue(value)
+                },
+                cancel(reason) {
+                    return reader.cancel(reason)
+                },
+            })
+
+            ctx.request = ctx.request.withBody(ctx.request.body.withStream(monitoredBody))
+
+            try {
+                return forward(await next())
+            } catch (err) {
+                if (err instanceof RequestBodyTooLargeError) {
+                    return respond(
+                        text('Payload Too Large', { status: HttpStatus.PAYLOAD_TOO_LARGE }),
+                    )
+                }
+                if (err instanceof RequestBodyLengthMismatchError) {
+                    return respond(text('Bad Request', { status: HttpStatus.BAD_REQUEST }))
+                }
+                throw err
+            }
+        },
+    })
+}

package/src/router/middleware/cors.test.ts

@@ -0,0 +1,269 @@
+#!/usr/bin/env -S bun test
+import { describe, expect, it, mock } from 'bun:test'
+import { HttpMethod, HttpStatus } from '@mpen/http'
+import { Router } from '../router'
+import { cors } from './cors'
+
+describe(cors.name, () => {
+    it('adds wildcard allow-origin by default', async () => {
+        const router = new Router()
+        router.use(cors({ origin: '*' }))
+        router.add({
+            method: HttpMethod.GET,
+            path: '/data',
+            handler: () => new Response('ok'),
+        })
+
+        const response = await router.fetch(
+            new Request('https://api.example.com/data', {
+                headers: { origin: 'https://app.example.com' },
+            }),
+        )
+
+        expect(response.headers.get('access-control-allow-origin')).toBe('*')
+    })
+
+    it('adds CORS headers to logical response bodies', async () => {
+        const router = new Router()
+        router.use(cors({ origin: '*' }))
+        router.add({
+            method: HttpMethod.GET,
+            path: '/data',
+            handler: () => ({ ok: true }),
+        })
+
+        const response = await router.fetch(
+            new Request('https://api.example.com/data', {
+                headers: { origin: 'https://app.example.com' },
+            }),
+        )
+
+        expect(response.headers.get('access-control-allow-origin')).toBe('*')
+        expect(await response.json()).toEqual({ ok: true })
+    })
+
+    it('supports an origin resolver function', async () => {
+        const router = new Router()
+        router.use(
+            cors({
+                origin: (origin) => (origin?.endsWith('.example.com') ? origin : null),
+            }),
+        )
+        router.add({
+            method: HttpMethod.GET,
+            path: '/data',
+            handler: () => new Response('ok'),
+        })
+
+        const allowed = await router.fetch(
+            new Request('https://api.example.com/data', {
+                headers: { origin: 'https://app.example.com' },
+            }),
+        )
+
+        const denied = await router.fetch(
+            new Request('https://api.example.com/data', {
+                headers: { origin: 'https://evil.example' },
+            }),
+        )
+
+        expect(allowed.headers.get('access-control-allow-origin')).toBe('https://app.example.com')
+        expect(denied.headers.has('access-control-allow-origin')).toBe(false)
+    })
+
+    it('echoes the origin when credentials are enabled', async () => {
+        const router = new Router()
+        router.use(cors({ origin: '*', credentials: true }))
+        router.add({
+            method: HttpMethod.GET,
+            path: '/data',
+            handler: () => new Response('ok'),
+        })
+
+        const response = await router.fetch(
+            new Request('https://api.example.com/data', {
+                headers: { origin: 'https://app.example.com' },
+            }),
+        )
+
+        expect(response.headers.get('access-control-allow-origin')).toBe('https://app.example.com')
+        expect(response.headers.get('access-control-allow-credentials')).toBe('true')
+        expect(response.headers.get('vary')).toContain('Origin')
+    })
+
+    it('exposes response headers when configured', async () => {
+        const router = new Router()
+        router.use(cors({ origin: '*', exposeHeaders: ['x-trace', 'x-request-id'] }))
+        router.add({
+            method: HttpMethod.GET,
+            path: '/data',
+            handler: () => new Response('ok'),
+        })
+
+        const response = await router.fetch(
+            new Request('https://api.example.com/data', {
+                headers: { origin: 'https://app.example.com' },
+            }),
+        )
+
+        expect(response.headers.get('access-control-expose-headers')).toBe('x-trace, x-request-id')
+    })
+
+    it('accepts a static allowMethods list', async () => {
+        const router = new Router()
+        router.use(cors({ origin: '*', allowMethods: ['GET', 'POST'] }))
+        router.add({
+            method: HttpMethod.OPTIONS,
+            path: '/widgets',
+            handler: () => new Response('ok'),
+        })
+
+        const response = await router.fetch(
+            new Request('https://api.example.com/widgets', {
+                method: HttpMethod.OPTIONS,
+                headers: {
+                    origin: 'https://app.example.com',
+                    'access-control-request-method': 'POST',
+                },
+            }),
+        )
+
+        expect(response.headers.get('access-control-allow-methods')).toBe('GET, POST')
+    })
+
+    it('accepts a dynamic allowMethods resolver', async () => {
+        const router = new Router()
+        router.use(
+            cors({
+                origin: '*',
+                allowMethods: (origin) =>
+                    origin === 'https://app.example.com' ? ['GET'] : ['POST'],
+            }),
+        )
+        router.add({
+            method: HttpMethod.OPTIONS,
+            path: '/widgets',
+            handler: () => new Response('ok'),
+        })
+
+        const response = await router.fetch(
+            new Request('https://api.example.com/widgets', {
+                method: HttpMethod.OPTIONS,
+                headers: {
+                    origin: 'https://app.example.com',
+                    'access-control-request-method': 'POST',
+                },
+            }),
+        )
+
+        expect(response.headers.get('access-control-allow-methods')).toBe('GET')
+    })
+
+    it('allows localhost origins when dev is enabled', async () => {
+        const router = new Router()
+        router.use(cors({ origin: 'https://app.example.com', dev: true }))
+        router.add({
+            method: HttpMethod.GET,
+            path: '/data',
+            handler: () => new Response('ok'),
+        })
+
+        const response = await router.fetch(
+            new Request('https://api.example.com/data', {
+                headers: { origin: 'http://localhost:3000' },
+            }),
+        )
+
+        expect(response.headers.get('access-control-allow-origin')).toBe('http://localhost:3000')
+    })
+
+    it('allows localhost origins when allowLocalhost is enabled', async () => {
+        const router = new Router()
+        router.use(cors({ origin: 'https://app.example.com', allowLocalhost: true }))
+        router.add({
+            method: HttpMethod.GET,
+            path: '/data',
+            handler: () => new Response('ok'),
+        })
+
+        const response = await router.fetch(
+            new Request('https://api.example.com/data', {
+                headers: { origin: 'http://127.0.0.1:3000' },
+            }),
+        )
+
+        expect(response.headers.get('access-control-allow-origin')).toBe('http://127.0.0.1:3000')
+    })
+
+    it('handles CORS preflight requests', async () => {
+        const router = new Router()
+        const handler = mock(() => new Response('ok'))
+        router.use(cors({ origin: '*', maxAge: 600 }))
+        router.add({
+            method: HttpMethod.OPTIONS,
+            path: '/widgets',
+            handler,
+        })
+
+        const response = await router.fetch(
+            new Request('https://api.example.com/widgets', {
+                method: HttpMethod.OPTIONS,
+                headers: {
+                    origin: 'https://app.example.com',
+                    'access-control-request-method': 'POST',
+                    'access-control-request-headers': 'x-test, content-type',
+                },
+            }),
+        )
+
+        expect(response.status).toBe(HttpStatus.NO_CONTENT)
+        expect(handler).not.toHaveBeenCalled()
+        expect(response.headers.get('access-control-allow-origin')).toBe('*')
+        expect(response.headers.get('access-control-allow-methods')).toBe(
+            'GET, HEAD, PUT, POST, DELETE, PATCH',
+        )
+        expect(response.headers.get('access-control-allow-headers')).toBe('x-test, content-type')
+        expect(response.headers.get('access-control-max-age')).toBe('600')
+    })
+
+    it('uses custom allowHeaders and preflightStatus', async () => {
+        const router = new Router()
+        router.use(
+            cors({
+                origin: '*',
+                allowHeaders: ['x-custom', 'content-type'],
+                preflightStatus: HttpStatus.OK,
+            }),
+        )
+        router.add({
+            method: HttpMethod.OPTIONS,
+            path: '/widgets',
+            handler: () => new Response('ok'),
+        })
+
+        const response = await router.fetch(
+            new Request('https://api.example.com/widgets', {
+                method: HttpMethod.OPTIONS,
+                headers: {
+                    origin: 'https://app.example.com',
+                    'access-control-request-method': 'POST',
+                },
+            }),
+        )
+
+        expect(response.status).toBe(HttpStatus.OK)
+        expect(response.headers.get('access-control-allow-headers')).toBe('x-custom, content-type')
+    })
+
+    it('declares only applicable preflight route responses', () => {
+        const router = new Router().use(cors({ origin: '*' }))
+        router.add({ method: HttpMethod.GET, path: '/widgets', handler: () => new Response() })
+        router.add({ method: HttpMethod.OPTIONS, path: '/widgets', handler: () => new Response() })
+
+        const [getRoute, optionsRoute] = router.getRoutes()
+        expect(getRoute?.schema).toBeUndefined()
+        expect(optionsRoute?.schema?.response?.body).toEqual({
+            [HttpStatus.NO_CONTENT]: { type: 'null' },
+        })
+    })
+})