@nexus_js/server 0.9.28 → 0.9.29

Files changed (80) hide show
  1. package/dist/actions.d.ts +11 -71
  2. package/dist/actions.d.ts.map +1 -1
  3. package/dist/actions.js +51 -442
  4. package/dist/actions.js.map +1 -1
  5. package/dist/context.d.ts +4 -38
  6. package/dist/context.d.ts.map +1 -1
  7. package/dist/context.js +3 -13
  8. package/dist/context.js.map +1 -1
  9. package/dist/csrf.d.ts +2 -16
  10. package/dist/csrf.d.ts.map +1 -1
  11. package/dist/csrf.js +30 -68
  12. package/dist/csrf.js.map +1 -1
  13. package/dist/dev-assets.d.ts +0 -31
  14. package/dist/dev-assets.d.ts.map +1 -1
  15. package/dist/dev-assets.js +38 -372
  16. package/dist/dev-assets.js.map +1 -1
  17. package/dist/dev-error-html.d.ts.map +1 -1
  18. package/dist/dev-error-html.js +0 -24
  19. package/dist/dev-error-html.js.map +1 -1
  20. package/dist/devradar.d.ts +1 -1
  21. package/dist/devradar.d.ts.map +1 -1
  22. package/dist/devradar.js.map +1 -1
  23. package/dist/index.d.ts +2 -97
  24. package/dist/index.d.ts.map +1 -1
  25. package/dist/index.js +47 -442
  26. package/dist/index.js.map +1 -1
  27. package/dist/load-module.d.ts +0 -6
  28. package/dist/load-module.d.ts.map +1 -1
  29. package/dist/load-module.js +53 -40
  30. package/dist/load-module.js.map +1 -1
  31. package/dist/navigate.d.ts +5 -0
  32. package/dist/navigate.d.ts.map +1 -1
  33. package/dist/navigate.js +1 -0
  34. package/dist/navigate.js.map +1 -1
  35. package/dist/rate-limit.d.ts.map +1 -1
  36. package/dist/rate-limit.js +14 -27
  37. package/dist/rate-limit.js.map +1 -1
  38. package/dist/renderer.d.ts +7 -27
  39. package/dist/renderer.d.ts.map +1 -1
  40. package/dist/renderer.js +25 -152
  41. package/dist/renderer.js.map +1 -1
  42. package/dist/streaming.d.ts +3 -3
  43. package/dist/streaming.d.ts.map +1 -1
  44. package/dist/streaming.js +13 -33
  45. package/dist/streaming.js.map +1 -1
  46. package/package.json +8 -26
  47. package/dist/build-id.d.ts +0 -14
  48. package/dist/build-id.d.ts.map +0 -1
  49. package/dist/build-id.js +0 -40
  50. package/dist/build-id.js.map +0 -1
  51. package/dist/dev-assets.test.d.ts +0 -2
  52. package/dist/dev-assets.test.d.ts.map +0 -1
  53. package/dist/head-renderer.test.d.ts +0 -2
  54. package/dist/head-renderer.test.d.ts.map +0 -1
  55. package/dist/head-renderer.test.js +0 -78
  56. package/dist/head-renderer.test.js.map +0 -1
  57. package/dist/legacy-wrapper.d.ts +0 -88
  58. package/dist/legacy-wrapper.d.ts.map +0 -1
  59. package/dist/legacy-wrapper.js +0 -104
  60. package/dist/legacy-wrapper.js.map +0 -1
  61. package/dist/lib-assets.d.ts +0 -5
  62. package/dist/lib-assets.d.ts.map +0 -1
  63. package/dist/lib-assets.js +0 -95
  64. package/dist/lib-assets.js.map +0 -1
  65. package/dist/metadata.d.ts +0 -95
  66. package/dist/metadata.d.ts.map +0 -1
  67. package/dist/metadata.js +0 -132
  68. package/dist/metadata.js.map +0 -1
  69. package/dist/renderer.test.d.ts +0 -2
  70. package/dist/renderer.test.d.ts.map +0 -1
  71. package/dist/renderer.test.js +0 -251
  72. package/dist/renderer.test.js.map +0 -1
  73. package/dist/tenancy.d.ts +0 -17
  74. package/dist/tenancy.d.ts.map +0 -1
  75. package/dist/tenancy.js +0 -132
  76. package/dist/tenancy.js.map +0 -1
  77. package/dist/tenancy.test.d.ts +0 -2
  78. package/dist/tenancy.test.d.ts.map +0 -1
  79. package/dist/tenancy.test.js +0 -38
  80. package/dist/tenancy.test.js.map +0 -1
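--- a/package/dist/actions.d.ts
+++ b/package/dist/actions.d.ts
@@ -29,25 +29,6 @@
  */
  import type { NexusContext } from './context.js';
  import { type RateLimitConfig } from './rate-limit.js';
- /**
- * Zod-compatible schema interface.
- * Supports `.parse()` (throws on failure) and optionally `.safeParse()` (returns structured errors).
- * Works with Zod, Valibot, ArkType, Superstruct, and any schema library following this contract.
- */
- export interface NexusSchema<T> {
- parse(data: unknown): T;
- /** Optional — when present, used to extract structured field errors (Zod format). */
- safeParse?: (data: unknown) => {
- success: boolean;
- error?: {
- issues?: Array<{
- path: Array<string | number>;
- message: string;
- }>;
- };
- data?: T;
- };
- }
  export type ActionFn<TInput = FormData, TOutput = void> = (input: TInput, ctx: NexusContext & {
  signal: AbortSignal;
  }) => Promise<TOutput>;
@@ -89,29 +70,13 @@ export interface ActionOptions {
  */
  csrf?: boolean;
  /**
- * Zod-compatible schema for input validation.
- * The action rejects invalid input **before** calling the handler —
- * preventing SQL injection, type coercion attacks, and untrusted data reaching business logic.
- *
- * Accepts any object with a `.parse()` method (Zod, Valibot, ArkType, etc.)
- * or `.safeParse()` for structured error extraction.
- *
- * @example
- * ```ts
- * import { z } from 'zod';
- * export const updateUser = createAction({
- * schema: z.object({ name: z.string().min(1).max(100), age: z.number().int().min(0) }),
- * handler: async ({ name, age }, ctx) => { ... },
- * });
- * ```
+ * A Zod-compatible schema for input validation.
+ * If provided, the action will reject requests with invalid input before
+ * calling the handler. Prevents SQL injection and type coercion attacks.
  */
- schema?: NexusSchema<unknown>;
- /**
- * Maximum request body size in bytes. Default: 10 MB.
- * Lower this for actions that only receive small form payloads (e.g. login forms).
- * Set to 0 to disable the limit (not recommended).
- */
- maxBodyBytes?: number;
+ schema?: {
+ parse: (data: unknown) => unknown;
+ };
  }
  export interface ActionResult<T = unknown> {
  data?: T;
@@ -122,18 +87,13 @@ export interface ActionResult<T = unknown> {
  /** Server-side execution time in ms */
  duration?: number;
  }
- /**
- * Verifies an action name signature. Returns true if the signature is valid or
- * if we are in dev mode (NODE_ENV !== 'production' — signature is optional in dev).
- */
- export declare function verifyActionSig(name: string, sig: string | null): boolean;
  /**
  * Defines a Server Action with integrated security, rate limiting, and
  * race-condition management. The returned object is registered automatically
  * and ready to be called by the client.
  *
  * Security layers applied (in order):
- * 1. CSRF: custom header `x-nexus-action: 1` (Tier 1) + optional HMAC token (Tier 2)
+ * 1. CSRF token validation (x-nexus-action-token header)
  * 2. Rate limiting (sliding window, per-IP or per-user)
  * 3. Input schema validation (Zod or any .parse() compatible schema)
  * 4. AbortController (client disconnect + timeout)
@@ -159,13 +119,8 @@ export declare function registerAction(name: string, fn: ActionFn<unknown, unkno
  export declare function getRegisteredActionNames(): ReadonlySet<string>;
  export declare class ActionError extends Error {
  readonly status: number;
- readonly code?: string;
- readonly fieldErrors?: Record<string, string>;
- constructor(message: string, optionsOrStatus?: number | {
- status?: number;
- code?: string;
- fieldErrors?: Record<string, string>;
- }, code?: string, fieldErrors?: Record<string, string>);
+ readonly code?: string | undefined;
+ constructor(message: string, status?: number, code?: string | undefined);
  }
  export declare class ActionAbortedError extends ActionError {
  constructor();
@@ -176,28 +131,13 @@ export declare class ActionAbortedError extends ActionError {
  */
  export declare function handleActionRequest(request: Request): Promise<Response>;
  /**
- * Validates that a request comes from a trusted Nexus client (inner CSRF check
- * used by `createAction` wrappers). Verifies:
- * 1. `x-nexus-action` custom header — cross-origin requests cannot add this
- * without a CORS preflight the server will reject.
- * 2. `Origin` / `Referer` header sanity check — additional signal against
- * misconfigured CORS or non-standard clients.
+ * Validates that a request comes from a trusted Nexus client.
+ * Checks x-nexus-action header and CSRF token.
  */
  export declare function validateRequest(ctx: NexusContext): Promise<void>;
  export { generateActionToken, validateActionToken, extractSessionId, generateSessionId } from './csrf.js';
  export { createRateLimiter, RateLimitError, parseWindow } from './rate-limit.js';
  export type { RateLimitConfig, RateLimitResult, RateLimiter } from './rate-limit.js';
- /**
- * Returns `true` when `url` is a safe **public** `http:` / `https:` target for
- * server-side `fetch` (not loopback, RFC1918, link-local, metadata IPs, etc.).
- * Use before `fetch(userUrl)` to reduce blind SSRF risk.
- */
- export declare function isSafeUrl(url: string): boolean;
- /**
- * Returns `true` when a URL resolves to a private, loopback, or link-local
- * address. Inverse of {@link isSafeUrl} for `http:` / `https:`.
- */
- export declare function isInternalUrl(url: string): boolean;
  /**
  * Client-side AbortController factory.
  * Use this in island code to cancel in-flight action fetches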
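Review bot: The last hunk's new side no longer declares `isSafeUrl` or `isInternalUrl`, and this lands in a patch-level bump (0.9.28 → 0.9.29) with no deprecation marker, so a consumer that gates `fetch(userUrl)` on `isSafeUrl` has no guard available after upgrading and needs its own allow-list before taking this version. The same file section also drops `verifyActionSig`, `ActionOptions.maxBodyBytes`, and the `Origin` / `Referer` wording on `validateRequest`; whether the runtime still caps request body size or checks the origin cannot be told from these declarations and should be confirmed against the +51 −442 change to package/dist/actions.js. The two remaining CSRF descriptions disagree on the header name (`x-nexus-action-token` in the `createAction` doc, `x-nexus-action` plus a token in the `validateRequest` doc), so one of them should be corrected to match what is actually checked. On the new `schema` doc, the sentence `Prevents SQL injection and type coercion attacks` overstates what a bare `parse` contract provides; I would replace it with `Rejects input that fails schema.parse() before the handler runs; it does not replace parameterized queries.`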
@@ -1 +1 @@
1
- {"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../src/actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAOjD,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,iBAAiB,CAAC;AAKzB;;;;GAIG;AACH,MAAM,WAAW,WAAW,CAAC,CAAC;IAC5B,KAAK,CAAC,IAAI,EAAE,OAAO,GAAG,CAAC,CAAC;IACxB,qFAAqF;IACrF,SAAS,CAAC,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK;QAC7B,OAAO,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE;YAAE,MAAM,CAAC,EAAE,KAAK,CAAC;gBAAE,IAAI,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;gBAAC,OAAO,EAAE,MAAM,CAAA;aAAE,CAAC,CAAA;SAAE,CAAC;QAC9E,IAAI,CAAC,EAAE,CAAC,CAAC;KACV,CAAC;CACH;AAED,MAAM,MAAM,QAAQ,CAAC,MAAM,GAAG,QAAQ,EAAE,OAAO,GAAG,IAAI,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,YAAY,GAAG;IAAE,MAAM,EAAE,WAAW,CAAA;CAAE,KACxC,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEpE,MAAM,WAAW,aAAa;IAC5B;;;;;;OAMG;IACH,IAAI,CAAC,EAAE,YAAY,CAAC;IACpB;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B;;;;OAIG;IACH,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;;;;;;;;;;;;;;OAgBG;IACH,MAAM,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;IAC9B;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,YAAY,CAAC,CAAC,GAAG,OAAO;IACvC,IAAI,CAAC,EAAE,CAAC,CAAC;IACT,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AA0CD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAUzE;AAiCD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,YAAY,CAAC,MAAM,GAAG,QAAQ,EAAE,OAAO,GAAG,IAAI,EAC5D,QAAQ,EACJ,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,GACzB,CAAC,aAAa,GAAG;IAAE,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAC,EAC5D,UAAU,GAAE,aAAkB,GAC7B,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CA2D3B;AAED,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,EAAE,EAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,EAC9B,IAAI,GAAE,aAAkB,GACvB,IAAI,CAKN;AAED,8FAA8F;AAC9F,wBAAgB
,wBAAwB,IAAI,WAAW,CAAC,MAAM,CAAC,CAE9D;AAED,qBAAa,WAAY,SAAQ,KAAK;IACpC,SAAgB,MAAM,EAAE,MAAM,CAAC;IAC/B,SAAgB,IAAI,CAAC,EAAE,MAAM,CAAC;IAC9B,SAAgB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAGnD,OAAO,EAAE,MAAM,EACf,eAAe,CAAC,EAAE,MAAM,GAAG;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,EACnG,IAAI,CAAC,EAAE,MAAM,EACb,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CAgBvC;AAED,qBAAa,kBAAmB,SAAQ,WAAW;;CAIlD;AA2CD;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAoc7E;AAED;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAsCtE;AAGD,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC1G,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACjF,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAErF;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAQ9C;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAkClD;AAID;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,YAAuB,GAChC;IACD,GAAG,EAAE,MAAM,WAAW,CAAC;IACvB,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;CAClB,CAyBA"}
1
+ {"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../src/actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAOjD,OAAO,EAIL,KAAK,eAAe,EACrB,MAAM,iBAAiB,CAAC;AAGzB,MAAM,MAAM,QAAQ,CAAC,MAAM,GAAG,QAAQ,EAAE,OAAO,GAAG,IAAI,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,YAAY,GAAG;IAAE,MAAM,EAAE,WAAW,CAAA;CAAE,KACxC,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEpE,MAAM,WAAW,aAAa;IAC5B;;;;;;OAMG;IACH,IAAI,CAAC,EAAE,YAAY,CAAC;IACpB;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B;;;;OAIG;IACH,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;;OAIG;IACH,MAAM,CAAC,EAAE;QACP,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,OAAO,CAAC;KACnC,CAAC;CACH;AAED,MAAM,WAAW,YAAY,CAAC,CAAC,GAAG,OAAO;IACvC,IAAI,CAAC,EAAE,CAAC,CAAC;IACT,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAyDD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,YAAY,CAAC,MAAM,GAAG,QAAQ,EAAE,OAAO,GAAG,IAAI,EAC5D,QAAQ,EACJ,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,GACzB,CAAC,aAAa,GAAG;IAAE,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAC,EAC5D,UAAU,GAAE,aAAkB,GAC7B,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAqC3B;AAED,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,EAAE,EAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,EAC9B,IAAI,GAAE,aAAkB,GACvB,IAAI,CAKN;AAED,8FAA8F;AAC9F,wBAAgB,wBAAwB,IAAI,WAAW,CAAC,MAAM,CAAC,CAE9D;AAED,qBAAa,WAAY,SAAQ,KAAK;aAGlB,MAAM,EAAE,MAAM;aACd,IAAI,CAAC,EAAE,MAAM;gBAF7B,OAAO,EAAE,MAAM,EACC,MAAM,GAAE,MAAY,EACpB,IAAI,CAAC,EAAE,MAAM,YAAA;CAKhC;AAED,qBAAa,kBAAmB,SAAQ,WAAW;;CAIlD;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAuS7E;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAKtE;AAGD,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC1G,OAAO,EAAE,iBAAiB,EA
AE,cAAc,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACjF,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAIrF;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,YAAuB,GAChC;IACD,GAAG,EAAE,MAAM,WAAW,CAAC;IACvB,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;CAClB,CAyBA"}