@nexus_js/server 0.9.29 → 0.9.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (80) hide show
  1. package/dist/actions.d.ts +71 -11
  2. package/dist/actions.d.ts.map +1 -1
  3. package/dist/actions.js +442 -51
  4. package/dist/actions.js.map +1 -1
  5. package/dist/build-id.d.ts +14 -0
  6. package/dist/build-id.d.ts.map +1 -0
  7. package/dist/build-id.js +40 -0
  8. package/dist/build-id.js.map +1 -0
  9. package/dist/context.d.ts +38 -4
  10. package/dist/context.d.ts.map +1 -1
  11. package/dist/context.js +13 -3
  12. package/dist/context.js.map +1 -1
  13. package/dist/csrf.d.ts +16 -2
  14. package/dist/csrf.d.ts.map +1 -1
  15. package/dist/csrf.js +68 -30
  16. package/dist/csrf.js.map +1 -1
  17. package/dist/dev-assets.d.ts +31 -0
  18. package/dist/dev-assets.d.ts.map +1 -1
  19. package/dist/dev-assets.js +372 -38
  20. package/dist/dev-assets.js.map +1 -1
  21. package/dist/dev-assets.test.d.ts +2 -0
  22. package/dist/dev-assets.test.d.ts.map +1 -0
  23. package/dist/dev-error-html.d.ts.map +1 -1
  24. package/dist/dev-error-html.js +24 -0
  25. package/dist/dev-error-html.js.map +1 -1
  26. package/dist/devradar.d.ts +1 -1
  27. package/dist/devradar.d.ts.map +1 -1
  28. package/dist/devradar.js.map +1 -1
  29. package/dist/head-renderer.test.d.ts +2 -0
  30. package/dist/head-renderer.test.d.ts.map +1 -0
  31. package/dist/head-renderer.test.js +78 -0
  32. package/dist/head-renderer.test.js.map +1 -0
  33. package/dist/index.d.ts +97 -2
  34. package/dist/index.d.ts.map +1 -1
  35. package/dist/index.js +442 -47
  36. package/dist/index.js.map +1 -1
  37. package/dist/legacy-wrapper.d.ts +88 -0
  38. package/dist/legacy-wrapper.d.ts.map +1 -0
  39. package/dist/legacy-wrapper.js +104 -0
  40. package/dist/legacy-wrapper.js.map +1 -0
  41. package/dist/lib-assets.d.ts +5 -0
  42. package/dist/lib-assets.d.ts.map +1 -0
  43. package/dist/lib-assets.js +95 -0
  44. package/dist/lib-assets.js.map +1 -0
  45. package/dist/load-module.d.ts +6 -0
  46. package/dist/load-module.d.ts.map +1 -1
  47. package/dist/load-module.js +40 -53
  48. package/dist/load-module.js.map +1 -1
  49. package/dist/metadata.d.ts +95 -0
  50. package/dist/metadata.d.ts.map +1 -0
  51. package/dist/metadata.js +132 -0
  52. package/dist/metadata.js.map +1 -0
  53. package/dist/navigate.d.ts +0 -5
  54. package/dist/navigate.d.ts.map +1 -1
  55. package/dist/navigate.js +0 -1
  56. package/dist/navigate.js.map +1 -1
  57. package/dist/rate-limit.d.ts.map +1 -1
  58. package/dist/rate-limit.js +27 -14
  59. package/dist/rate-limit.js.map +1 -1
  60. package/dist/renderer.d.ts +27 -7
  61. package/dist/renderer.d.ts.map +1 -1
  62. package/dist/renderer.js +152 -25
  63. package/dist/renderer.js.map +1 -1
  64. package/dist/renderer.test.d.ts +2 -0
  65. package/dist/renderer.test.d.ts.map +1 -0
  66. package/dist/renderer.test.js +251 -0
  67. package/dist/renderer.test.js.map +1 -0
  68. package/dist/streaming.d.ts +3 -3
  69. package/dist/streaming.d.ts.map +1 -1
  70. package/dist/streaming.js +33 -13
  71. package/dist/streaming.js.map +1 -1
  72. package/dist/tenancy.d.ts +17 -0
  73. package/dist/tenancy.d.ts.map +1 -0
  74. package/dist/tenancy.js +132 -0
  75. package/dist/tenancy.js.map +1 -0
  76. package/dist/tenancy.test.d.ts +2 -0
  77. package/dist/tenancy.test.d.ts.map +1 -0
  78. package/dist/tenancy.test.js +38 -0
  79. package/dist/tenancy.test.js.map +1 -0
  80. package/package.json +26 -8
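--- a/package/dist/actions.d.ts
+++ b/package/dist/actions.d.ts
@@ -29,6 +29,25 @@
  */
  import type { NexusContext } from './context.js';
  import { type RateLimitConfig } from './rate-limit.js';
+ /**
+ * Zod-compatible schema interface.
+ * Supports `.parse()` (throws on failure) and optionally `.safeParse()` (returns structured errors).
+ * Works with Zod, Valibot, ArkType, Superstruct, and any schema library following this contract.
+ */
+ export interface NexusSchema<T> {
+ parse(data: unknown): T;
+ /** Optional — when present, used to extract structured field errors (Zod format). */
+ safeParse?: (data: unknown) => {
+ success: boolean;
+ error?: {
+ issues?: Array<{
+ path: Array<string | number>;
+ message: string;
+ }>;
+ };
+ data?: T;
+ };
+ }
  export type ActionFn<TInput = FormData, TOutput = void> = (input: TInput, ctx: NexusContext & {
  signal: AbortSignal;
  }) => Promise<TOutput>;
@@ -70,13 +89,29 @@ export interface ActionOptions {
  */
  csrf?: boolean;
  /**
- * A Zod-compatible schema for input validation.
- * If provided, the action will reject requests with invalid input before
- * calling the handler. Prevents SQL injection and type coercion attacks.
+ * Zod-compatible schema for input validation.
+ * The action rejects invalid input **before** calling the handler
+ * preventing SQL injection, type coercion attacks, and untrusted data reaching business logic.
+ *
+ * Accepts any object with a `.parse()` method (Zod, Valibot, ArkType, etc.)
+ * or `.safeParse()` for structured error extraction.
+ *
+ * @example
+ * ```ts
+ * import { z } from 'zod';
+ * export const updateUser = createAction({
+ * schema: z.object({ name: z.string().min(1).max(100), age: z.number().int().min(0) }),
+ * handler: async ({ name, age }, ctx) => { ... },
+ * });
+ * ```
  */
- schema?: {
- parse: (data: unknown) => unknown;
- };
+ schema?: NexusSchema<unknown>;
+ /**
+ * Maximum request body size in bytes. Default: 10 MB.
+ * Lower this for actions that only receive small form payloads (e.g. login forms).
+ * Set to 0 to disable the limit (not recommended).
+ */
+ maxBodyBytes?: number;
  }
  export interface ActionResult<T = unknown> {
  data?: T;
@@ -87,13 +122,18 @@ export interface ActionResult<T = unknown> {
  /** Server-side execution time in ms */
  duration?: number;
  }
+ /**
+ * Verifies an action name signature. Returns true if the signature is valid or
+ * if we are in dev mode (NODE_ENV !== 'production' — signature is optional in dev).
+ */
+ export declare function verifyActionSig(name: string, sig: string | null): boolean;
  /**
  * Defines a Server Action with integrated security, rate limiting, and
  * race-condition management. The returned object is registered automatically
  * and ready to be called by the client.
  *
  * Security layers applied (in order):
- * 1. CSRF token validation (x-nexus-action-token header)
+ * 1. CSRF: custom header `x-nexus-action: 1` (Tier 1) + optional HMAC token (Tier 2)
  * 2. Rate limiting (sliding window, per-IP or per-user)
  * 3. Input schema validation (Zod or any .parse() compatible schema)
  * 4. AbortController (client disconnect + timeout)
@@ -119,8 +159,13 @@ export declare function registerAction(name: string, fn: ActionFn<unknown, unkno
  export declare function getRegisteredActionNames(): ReadonlySet<string>;
  export declare class ActionError extends Error {
  readonly status: number;
- readonly code?: string | undefined;
- constructor(message: string, status?: number, code?: string | undefined);
+ readonly code?: string;
+ readonly fieldErrors?: Record<string, string>;
+ constructor(message: string, optionsOrStatus?: number | {
+ status?: number;
+ code?: string;
+ fieldErrors?: Record<string, string>;
+ }, code?: string, fieldErrors?: Record<string, string>);
  }
  export declare class ActionAbortedError extends ActionError {
  constructor();
@@ -131,13 +176,28 @@ export declare class ActionAbortedError extends ActionError {
  */
  export declare function handleActionRequest(request: Request): Promise<Response>;
  /**
- * Validates that a request comes from a trusted Nexus client.
- * Checks x-nexus-action header and CSRF token.
+ * Validates that a request comes from a trusted Nexus client (inner CSRF check
+ * used by `createAction` wrappers). Verifies:
+ * 1. `x-nexus-action` custom header — cross-origin requests cannot add this
+ * without a CORS preflight the server will reject.
+ * 2. `Origin` / `Referer` header sanity check — additional signal against
+ * misconfigured CORS or non-standard clients.
  */
  export declare function validateRequest(ctx: NexusContext): Promise<void>;
  export { generateActionToken, validateActionToken, extractSessionId, generateSessionId } from './csrf.js';
  export { createRateLimiter, RateLimitError, parseWindow } from './rate-limit.js';
  export type { RateLimitConfig, RateLimitResult, RateLimiter } from './rate-limit.js';
+ /**
+ * Returns `true` when `url` is a safe **public** `http:` / `https:` target for
+ * server-side `fetch` (not loopback, RFC1918, link-local, metadata IPs, etc.).
+ * Use before `fetch(userUrl)` to reduce blind SSRF risk.
+ */
+ export declare function isSafeUrl(url: string): boolean;
+ /**
+ * Returns `true` when a URL resolves to a private, loopback, or link-local
+ * address. Inverse of {@link isSafeUrl} for `http:` / `https:`.
+ */
+ export declare function isInternalUrl(url: string): boolean;
  /**
  * Client-side AbortController factory.
  * Use this in island code to cancel in-flight action fetches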
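Review bot: The new `verifyActionSig` declaration (hunk `@@ -87,13 +122,18 @@`) documents that it returns `true` whenever `NODE_ENV !== 'production'`, so the signature check is fail-open on any deployment that never sets `NODE_ENV`; the doc comment should state that consequence so callers do not read a `true` as proof of a valid signature, e.g. add `* Fail-open in non-production: a missing or non-'production' NODE_ENV disables verification entirely, so deployed environments must set NODE_ENV=production.` In the same file, `isSafeUrl` and `isInternalUrl` (hunk `@@ -131,13 +176,28 @@`) are declared synchronous, which suggests they classify the URL's literal host rather than a resolved address; if so, the comment on `isSafeUrl` should say that a hostname which resolves to an internal address is not caught, since the current text ("not loopback, RFC1918, link-local, metadata IPs") reads as a complete guarantee. The `maxBodyBytes` doc (hunk `@@ -70,13 +89,29 @@`) says `0` disables the limit; it would help to add that only `undefined` selects the 10 MB default, so the distinction between `0` and "unset" is explicit for implementers and callers.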
@@ -1 +1 @@
1
- {"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../src/actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAOjD,OAAO,EAIL,KAAK,eAAe,EACrB,MAAM,iBAAiB,CAAC;AAGzB,MAAM,MAAM,QAAQ,CAAC,MAAM,GAAG,QAAQ,EAAE,OAAO,GAAG,IAAI,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,YAAY,GAAG;IAAE,MAAM,EAAE,WAAW,CAAA;CAAE,KACxC,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEpE,MAAM,WAAW,aAAa;IAC5B;;;;;;OAMG;IACH,IAAI,CAAC,EAAE,YAAY,CAAC;IACpB;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B;;;;OAIG;IACH,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;;OAIG;IACH,MAAM,CAAC,EAAE;QACP,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,OAAO,CAAC;KACnC,CAAC;CACH;AAED,MAAM,WAAW,YAAY,CAAC,CAAC,GAAG,OAAO;IACvC,IAAI,CAAC,EAAE,CAAC,CAAC;IACT,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAyDD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,YAAY,CAAC,MAAM,GAAG,QAAQ,EAAE,OAAO,GAAG,IAAI,EAC5D,QAAQ,EACJ,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,GACzB,CAAC,aAAa,GAAG;IAAE,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAC,EAC5D,UAAU,GAAE,aAAkB,GAC7B,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAqC3B;AAED,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,EAAE,EAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,EAC9B,IAAI,GAAE,aAAkB,GACvB,IAAI,CAKN;AAED,8FAA8F;AAC9F,wBAAgB,wBAAwB,IAAI,WAAW,CAAC,MAAM,CAAC,CAE9D;AAED,qBAAa,WAAY,SAAQ,KAAK;aAGlB,MAAM,EAAE,MAAM;aACd,IAAI,CAAC,EAAE,MAAM;gBAF7B,OAAO,EAAE,MAAM,EACC,MAAM,GAAE,MAAY,EACpB,IAAI,CAAC,EAAE,MAAM,YAAA;CAKhC;AAED,qBAAa,kBAAmB,SAAQ,WAAW;;CAIlD;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAuS7E;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAKtE;AAGD,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC1G,OAAO,EAAE,iBAAiB,EA
AE,cAAc,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACjF,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAIrF;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,YAAuB,GAChC;IACD,GAAG,EAAE,MAAM,WAAW,CAAC;IACvB,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;CAClB,CAyBA"}
1
+ {"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../src/actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAOjD,OAAO,EAKL,KAAK,eAAe,EACrB,MAAM,iBAAiB,CAAC;AAKzB;;;;GAIG;AACH,MAAM,WAAW,WAAW,CAAC,CAAC;IAC5B,KAAK,CAAC,IAAI,EAAE,OAAO,GAAG,CAAC,CAAC;IACxB,qFAAqF;IACrF,SAAS,CAAC,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK;QAC7B,OAAO,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE;YAAE,MAAM,CAAC,EAAE,KAAK,CAAC;gBAAE,IAAI,EAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC;gBAAC,OAAO,EAAE,MAAM,CAAA;aAAE,CAAC,CAAA;SAAE,CAAC;QAC9E,IAAI,CAAC,EAAE,CAAC,CAAC;KACV,CAAC;CACH;AAED,MAAM,MAAM,QAAQ,CAAC,MAAM,GAAG,QAAQ,EAAE,OAAO,GAAG,IAAI,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,YAAY,GAAG;IAAE,MAAM,EAAE,WAAW,CAAA;CAAE,KACxC,OAAO,CAAC,OAAO,CAAC,CAAC;AAEtB,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEpE,MAAM,WAAW,aAAa;IAC5B;;;;;;OAMG;IACH,IAAI,CAAC,EAAE,YAAY,CAAC;IACpB;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,SAAS,CAAC,EAAE,eAAe,CAAC;IAC5B;;;;OAIG;IACH,IAAI,CAAC,EAAE,OAAO,CAAC;IACf;;;;;;;;;;;;;;;;OAgBG;IACH,MAAM,CAAC,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;IAC9B;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,YAAY,CAAC,CAAC,GAAG,OAAO;IACvC,IAAI,CAAC,EAAE,CAAC,CAAC;IACT,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AA0CD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAUzE;AAiCD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,YAAY,CAAC,MAAM,GAAG,QAAQ,EAAE,OAAO,GAAG,IAAI,EAC5D,QAAQ,EACJ,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,GACzB,CAAC,aAAa,GAAG;IAAE,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAC,EAC5D,UAAU,GAAE,aAAkB,GAC7B,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CA2D3B;AAED,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,EAAE,EAAE,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,EAC9B,IAAI,GAAE,aAAkB,GACvB,IAAI,CAKN;AAED,8FAA8F;AAC9F,wBAAgB
,wBAAwB,IAAI,WAAW,CAAC,MAAM,CAAC,CAE9D;AAED,qBAAa,WAAY,SAAQ,KAAK;IACpC,SAAgB,MAAM,EAAE,MAAM,CAAC;IAC/B,SAAgB,IAAI,CAAC,EAAE,MAAM,CAAC;IAC9B,SAAgB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAGnD,OAAO,EAAE,MAAM,EACf,eAAe,CAAC,EAAE,MAAM,GAAG;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,EACnG,IAAI,CAAC,EAAE,MAAM,EACb,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CAgBvC;AAED,qBAAa,kBAAmB,SAAQ,WAAW;;CAIlD;AA2CD;;;GAGG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,CAoc7E;AAED;;;;;;;GAOG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAsCtE;AAGD,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC1G,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AACjF,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAErF;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAQ9C;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAkClD;AAID;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,MAAM,EACZ,QAAQ,GAAE,YAAuB,GAChC;IACD,GAAG,EAAE,MAAM,WAAW,CAAC;IACvB,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;CAClB,CAyBA"}