@nitronjs/framework 0.2.27 → 0.3.1

package/lib/HMR/Server.js

@@ -14,10 +14,10 @@ const __dirname = path.dirname(fileURLToPath(import.meta.url));
  * // In HTTP Server
  * HMR.registerRoutes(fastify);
  * HMR.setup(httpServer);
- * 
+ *
  * // Emit updates
- * HMR.emitViewUpdate("resources/views/Site/Home.tsx");
- * HMR.emitCss("site_style.css");
+ * HMR.emitChange({ changeType: "page", file: "Site/Home.tsx" });
+ * HMR.emitChange({ changeType: "css", file: "global.css" });
  */
 class HMRServer {
     #io = null;
@@ -33,13 +33,14 @@ class HMRServer {
      */
     registerRoutes(fastify) {
         this.#clientScript = this.#findSocketIoClient();
+        const cachedScript = this.#clientScript ? fs.readFileSync(this.#clientScript, "utf-8") : null;
 
         fastify.get("/__nitron_client/socket.io.js", (req, reply) => {
-            if (!this.#clientScript) {
+            if (!cachedScript) {
                 return reply.code(503).send("// HMR disabled: socket.io client not found");
             }
 
-            reply.type("application/javascript").send(fs.readFileSync(this.#clientScript, "utf-8"));
+            reply.type("application/javascript").send(cachedScript);
         });
     }
 
@@ -75,41 +76,19 @@ class HMRServer {
     }
 
     /**
-     * Number of currently connected clients.
-     * @returns {number}
-     */
-    get connectionCount() {
-        return this.#connections;
-    }
-
-    /**
-     * Emits a view update event to trigger hot reload of a React component.
-     * @param {string} filePath - Absolute path to the changed view file.
-     */
-    emitViewUpdate(filePath) {
-        if (!this.#io) return;
-
-        const normalized = filePath.replace(/\\/g, "/");
-        const match = normalized.match(/resources\/views\/(.+)\.tsx$/);
-        const viewPath = match ? match[1].toLowerCase() : path.basename(filePath, ".tsx").toLowerCase();
-
-        this.#io.emit("hmr:update", {
-            type: "view",
-            file: viewPath,
-            url: `/js/${viewPath}.js`,
-            timestamp: Date.now()
-        });
-    }
-
-    /**
-     * Emits a CSS update event to refresh stylesheets without page reload.
-     * @param {string} [filePath] - Path to the changed CSS file. If null, refreshes all CSS.
+     * Emits a unified change event for RSC-based hot updates.
+     * @param {object} data
+     * @param {string} data.changeType - "page" | "layout" | "css"
+     * @param {boolean} [data.cssChanged] - Whether CSS also changed (Tailwind rebuild)
+     * @param {string} [data.file] - Relative path of the changed file (for logging)
      */
-    emitCss(filePath) {
+    emitChange(data) {
         if (!this.#io) return;
 
-        this.#io.emit("hmr:css", {
-            file: filePath ? path.basename(filePath) : null,
+        this.#io.emit("hmr:change", {
+            changeType: data.changeType,
+            cssChanged: data.cssChanged || false,
+            file: data.file || null,
             timestamp: Date.now()
         });
     }

package/lib/Http/Server.js

@@ -17,11 +17,27 @@ import View from "../View/View.js";
 import Auth from "../Auth/Auth.js";
 import SessionManager from "../Session/Manager.js";
 import DB from "../Database/DB.js";
+import Lang from "../Translation/Lang.js";
 import Log from "../Logging/Log.js";
+import { detectMime, sanitizeFilename, isSameMimeFamily } from "../Validation/MagicBytes.js";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const packageJson = JSON.parse(fs.readFileSync(path.join(__dirname, "../../package.json"), "utf8"));
 
+const SECURITY_DEFAULTS = {
+    verifyMagicBytes: true,
+    dangerousExtensions: [
+        ".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".msi", ".dll",
+        ".sh", ".cgi", ".csh", ".ksh",
+        ".php", ".phtml", ".php5", ".php7",
+        ".jsp", ".asp", ".aspx",
+        ".vbs", ".vbe", ".wsf", ".wsh", ".ps1", ".psm1",
+        ".hta", ".cpl", ".inf", ".reg", ".sct"
+    ],
+    compoundExtensions: [".tar.gz", ".tar.bz2", ".tar.xz", ".tar.zst"],
+    allowDoubleExtension: false
+};
+
 /**
  * HTTP server manager built on Fastify.
  * Handles server configuration, plugin registration, and lifecycle management.
@@ -52,7 +68,7 @@ class Server {
         
         const serverDefaults = {
             bodyLimit: 50 * 1024 * 1024,
-            trustProxy: true,
+            trustProxy: false,
             maxParamLength: 150
         };
         
@@ -201,7 +217,9 @@ class Server {
         this.#server.register(fastifyFormbody);
 
         // Register hooks
-        this.#server.addHook("preHandler", async (req) => {
+        const securityConfig = { ...SECURITY_DEFAULTS, ...multipartConfig?.security };
+
+        this.#server.addHook("preHandler", async (req, reply) => {
             if (!req.isMultipart() || !req.body) {
                 return;
             }
@@ -210,18 +228,127 @@ class Server {
             const files = {};
 
             for (const [key, field] of Object.entries(req.body)) {
-                if (field?.toBuffer) {
-                    if (field.filename) {
-                        const lastDot = field.filename.lastIndexOf(".");
-                        field.extension = lastDot > 0 ? field.filename.slice(lastDot + 1).toLowerCase() : "";
-                        files[key] = field;
+                const items = Array.isArray(field) ? field : [field];
+                let hasFile = false;
+                const fileItems = [];
+
+                for (const item of items) {
+                    if (!item?.toBuffer) {
+                        if (!hasFile && item && typeof item === "object" && "value" in item) {
+                            normalized[key] = item.value;
+                        }
+                        else if (!hasFile) {
+                            normalized[key] = item;
+                        }
+
+                        continue;
+                    }
+
+                    // Filename guard — no filename means drop the file (existing behavior)
+                    if (!item.filename) continue;
+
+                    // 1. Filename sanitization
+                    item.filename = sanitizeFilename(item.filename);
+
+                    // 2. Extension extraction
+                    const lastDot = item.filename.lastIndexOf(".");
+
+                    if (lastDot === 0) {
+                        item.extension = item.filename.slice(1).toLowerCase();
+                    }
+                    else if (lastDot > 0) {
+                        item.extension = item.filename.slice(lastDot + 1).toLowerCase();
+                    }
+                    else {
+                        item.extension = "";
+                    }
+
+                    // 3. Dangerous extension check
+                    if (item.extension && securityConfig.dangerousExtensions.includes("." + item.extension)) {
+                        Log.warn("File rejected", {
+                            filename: item.filename,
+                            reason: "Dangerous extension"
+                        });
+
+                        return reply.code(422).send({
+                            statusCode: 422,
+                            error: "Unprocessable Entity",
+                            message: "File upload rejected."
+                        });
+                    }
+
+                    // 4. Double extension check
+                    if (!securityConfig.allowDoubleExtension) {
+                        const parts = item.filename.split(".");
+                        const middleExtensions = parts.slice(1, -1);
+
+                        if (middleExtensions.length > 0) {
+                            const filenameLower = item.filename.toLowerCase();
+                            let exemptExts = [];
+
+                            for (const compound of securityConfig.compoundExtensions) {
+                                if (filenameLower.endsWith(compound)) {
+                                    exemptExts = compound.slice(1).split("."); // ".tar.gz" → ["tar", "gz"]
+                                    break;
+                                }
+                            }
+
+                            const remaining = middleExtensions.map(e => e.toLowerCase()).filter(e => !exemptExts.includes(e));
+
+                            for (const ext of remaining) {
+                                if (securityConfig.dangerousExtensions.includes("." + ext)) {
+                                    Log.warn("File rejected", {
+                                        filename: item.filename,
+                                        reason: "Dangerous double extension"
+                                    });
+
+                                    return reply.code(422).send({
+                                        statusCode: 422,
+                                        error: "Unprocessable Entity",
+                                        message: "File upload rejected."
+                                    });
+                                }
+                            }
+                        }
+                    }
+
+                    // 5. Magic byte detection
+                    if (securityConfig.verifyMagicBytes) {
+                        try {
+                            const buf = await item.toBuffer();
+
+                            item._magicMime = detectMime(buf.subarray(0, 12));
+                            item._fileSize = buf.length;
+                        }
+                        catch (err) {
+                            Log.warn("toBuffer failed", {
+                                filename: item.filename,
+                                error: err.message
+                            });
+                            item._magicMime = null;
+                        }
+
+                        // 6. MIME mismatch logging
+                        if (item._magicMime && item.mimetype && item._magicMime !== item.mimetype.toLowerCase()) {
+                            if (!isSameMimeFamily(item._magicMime, item.mimetype)) {
+                                Log.warn("MIME mismatch detected", {
+                                    filename: item.filename,
+                                    declared: item.mimetype,
+                                    detected: item._magicMime
+                                });
+                            }
+                        }
                     }
+
+                    hasFile = true;
+                    fileItems.push(item);
                 }
-                else if (field && typeof field === "object" && "value" in field) {
-                    normalized[key] = field.value;
+
+                if (fileItems.length === 1) {
+                    files[key] = fileItems[0];
                 }
-                else {
-                    normalized[key] = field;
+                else if (fileItems.length > 1) {
+                    files[key] = fileItems;
                 }
             }
 
@@ -247,6 +374,9 @@ class Server {
 
                 for (let i = 0; i < parts.length - 1; i++) {
                     const part = parts[i];
+
+                    if (part === "__proto__" || part === "constructor" || part === "prototype") break;
+
                     const isNextIndex = /^\d+$/.test(parts[i + 1]);
 
                     if (current[part] === undefined) {
@@ -310,15 +440,21 @@ class Server {
         await DB.setup();
         await SessionManager.setup(this.#server);
         Auth.setup(this.#server);
+        Lang.setup(this.#server);
 
-        // Register HMR routes before Router (dev only)
+        // Register dev-only hooks and routes
         if (Environment.isDev) {
             const { default: HMRServer } = await import("../HMR/Server.js");
             HMRServer.registerRoutes(this.#server);
+
+            const { default: DevContext } = await import("../Dev/DevContext.js");
+            this.#server.addHook("onRequest", async (req) => {
+                DevContext.attach(req);
+            });
         }
 
         await Router.setup(this.#server);
-        View.setup(this.#server);
+        await View.setup(this.#server);
 
         // Listen
         try {
@@ -333,20 +469,29 @@ class Server {
                 HMRServer.setup(this.#server.server);
             }
 
-            this.#printBanner({ success: true, address, host, port });
+            const banner = this.#renderBanner({ success: true, address, host, port });
+
+            if (Environment.isDev && process.send) {
+                process.send({ type: "banner", text: banner });
+            }
+            else if (banner) {
+                console.log(banner);
+            }
+
             Log.info("Server started successfully!", { address, host, port, environment: Environment.isDev ? "development" : "production" });
         }
         catch (err) {
-            this.#printBanner({ success: false, error: err });
+            const banner = this.#renderBanner({ success: false, error: err });
+            if (banner) console.log(banner);
             Log.fatal("Server startup failed", { error: err.message, code: err.code, stack: err.stack });
             process.exit(1);
         }
     }
 
     // Private Methods
-    static #printBanner({ success, address, host, port, error }) {
+    static #renderBanner({ success, address, host, port, error }) {
         if (this.#config.log.channel === "console") {
-            return;
+            return null;
         }
 
         const color = success ? "\x1b[32m" : "\x1b[31m";
@@ -357,7 +502,7 @@ class Server {
         const pad = (content, length) => content + " ".repeat(Math.max(0, length - stripAnsi(content).length));
 
         const version = `v${packageJson.version}`;
-        
+
         const logo = `
 ${color}███╗   ██╗██╗████████╗██████╗  ██████╗ ███╗   ██╗     ██╗███████╗
 ████╗  ██║██║╚══██╔══╝██╔══██╗██╔═══██╗████╗  ██║     ██║██╔════╝
@@ -384,15 +529,18 @@ ${color}███╗   ██╗██╗████████╗████
                 ...(error?.code ? [`${bold}Code:${reset}  ${error.code}`] : [])
             ];
 
-        console.log(logo);
-        console.log(`${color}┌${"─".repeat(boxWidth - 2)}┐${reset}`);
+        const parts = [logo];
+
+        parts.push(`${color}┌${"─".repeat(boxWidth - 2)}┐${reset}`);
 
         for (const line of lines) {
-            console.log(`${color}│${reset} ${pad(line, boxWidth - 4)} ${color}│${reset}`);
+            parts.push(`${color}│${reset} ${pad(line, boxWidth - 4)} ${color}│${reset}`);
         }
 
-        console.log(`${color}│${reset} ${" ".repeat(boxWidth - 4)} ${color}│${reset}`);
-        console.log(`${color}└${"─".repeat(boxWidth - 2)}┘${reset}`);
+        parts.push(`${color}│${reset} ${" ".repeat(boxWidth - 4)} ${color}│${reset}`);
+        parts.push(`${color}└${"─".repeat(boxWidth - 2)}┘${reset}`);
+
+        return parts.join("\n");
     }
 }
 

package/lib/Logging/Log.js

@@ -70,13 +70,15 @@ class Log {
                 return;
             }
 
+            const sanitizedMessage = sanitizeLogValue(message);
+            const sanitizedContext = sanitizeLogContext(context);
             const timestamp = new Date();
 
             if (config.channel === "console") {
-                this.#logToConsole(level, message, context, timestamp);
+                this.#logToConsole(level, sanitizedMessage, sanitizedContext, timestamp);
             }
             else if (config.channel === "file") {
-                this.#logToFile(level, message, context, timestamp, config);
+                this.#logToFile(level, sanitizedMessage, sanitizedContext, timestamp, config);
             }
         }
         catch (e) {
@@ -194,4 +196,34 @@ class Log {
     }
 }
 
+// ─────────────────────────────────────────────────────────────────────────────
+// Private Helper Functions
+// ─────────────────────────────────────────────────────────────────────────────
+
+function sanitizeLogValue(value) {
+    if (typeof value !== "string") return value;
+
+    return value.replace(/[\r\n]/g, " ");
+}
+
+function sanitizeLogContext(context) {
+    if (!context || typeof context !== "object") return context;
+
+    const result = {};
+
+    for (const [key, value] of Object.entries(context)) {
+        if (typeof value === "string") {
+            result[key] = sanitizeLogValue(value);
+        }
+        else if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+            result[key] = sanitizeLogContext(value);
+        }
+        else {
+            result[key] = value;
+        }
+    }
+
+    return result;
+}
+
 export default Log;

package/lib/Mail/Mail.js

@@ -1,15 +1,17 @@
 import nodemailer from "nodemailer";
-import View from "../View/View.js";
+import fs from "node:fs";
+import path from "node:path";
+import Paths from "../Core/Paths.js";
 
 /**
  * Email sending utility with fluent API.
- * Supports text, HTML views, attachments, and calendar invites.
- * 
+ * Supports text, HTML, attachments, and calendar invites.
+ *
  * @example
  * await Mail.from("noreply@example.com")
  *     .to("user@example.com")
  *     .subject("Welcome!")
- *     .view(res, "emails/welcome", { name: "John" })
+ *     .html("<h1>Hello!</h1>")
  *     .send();
  */
 class Mail {
@@ -112,14 +114,34 @@ class Mail {
     }
 
     /**
-     * Sets HTML content from a view template.
-     * @param {import("fastify").FastifyReply} res - Fastify response object
-     * @param {string} viewName - View template name
-     * @param {Object|null} data - Data to pass to the view
+     * Sets raw HTML content.
+     * @param {string} htmlString - HTML string
      * @returns {Mail} This instance for chaining
      */
-    view(res, viewName, data = null) {
-        this.#htmlContent = View.renderFile(viewName, data);
+    html(htmlString) {
+        this.#htmlContent = htmlString;
+
+        return this;
+    }
+
+    /**
+     * Sets HTML content from a template file with placeholder replacement.
+     * Template files are loaded from resources/views/ directory.
+     * Placeholders use {{ key }} syntax.
+     *
+     * @param {string} templateName - Template path relative to views dir (e.g. "emails/welcome")
+     * @param {Object} data - Data to replace placeholders with
+     * @returns {Mail} This instance for chaining
+     */
+    view(templateName, data = {}) {
+        const filePath = path.join(Paths.views, `${templateName}.html`);
+        let content = fs.readFileSync(filePath, "utf-8");
+
+        for (const [key, value] of Object.entries(data)) {
+            content = content.replaceAll(`{{ ${key} }}`, escapeHtml(String(value ?? "")));
+        }
+
+        this.#htmlContent = content;
 
         return this;
     }
@@ -184,4 +206,13 @@ class Mail {
     }
 }
 
+function escapeHtml(str) {
+    return str
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
+
 export default Mail;

package/lib/Route/Router.js

@@ -154,7 +154,10 @@ class Router {
                 const isExcluded = csrf.except.some(pattern => {
                     if (route.url === pattern) return true;
                     if (pattern.includes("*")) {
-                        return new RegExp("^" + pattern.replace(/\*/g, ".*") + "$").test(route.url);
+                        const escaped = pattern
+                            .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
+                            .replace(/\*/g, ".*");
+                        return new RegExp("^" + escaped + "$").test(route.url);
                     }
                     return false;
                 });
@@ -165,6 +168,8 @@ class Router {
             }
 
             // Resolve middleware names to handlers
+            route.middlewareNames = route.middlewares.map(m => m.split(":")[0]);
+
             route.resolvedMiddlewares = route.middlewares.map(middleware => {
                 const [name, param] = middleware.split(":");
 
@@ -183,8 +188,39 @@ class Router {
             server.route({
                 method: route.method,
                 url: route.url,
-                preHandler: route.resolvedMiddlewares,
-                handler: route.resolvedHandler
+                preHandler: Environment.isDev
+                    ? route.resolvedMiddlewares.map((mw, i) => {
+                        const mwName = route.middlewareNames[i];
+                        return async (request, response) => {
+                            const start = performance.now();
+                            await mw(request, response);
+                            if (request.__devCtx) {
+                                request.__devCtx.middlewareTiming.push({
+                                    name: mwName,
+                                    duration: performance.now() - start
+                                });
+                            }
+                        };
+                    })
+                    : route.resolvedMiddlewares,
+                handler: Environment.isDev
+                    ? async (request, response) => {
+                        if (request.__devCtx) {
+                            request.__devCtx.route = {
+                                name: route.name,
+                                pattern: route.url,
+                                method: route.method,
+                                middlewareNames: route.middlewareNames
+                            };
+                            request.__devCtx.controllerStart = performance.now();
+                        }
+                        const result = await route.resolvedHandler(request, response);
+                        if (request.__devCtx) {
+                            request.__devCtx.controllerDuration = performance.now() - request.__devCtx.controllerStart;
+                        }
+                        return result;
+                    }
+                    : route.resolvedHandler
             });
         }
     }
@@ -253,7 +289,7 @@ class Router {
         let url = route.url;
 
         for (const key in params) {
-            url = url.replace(`:${key}`, params[key]);
+            url = url.replace(`:${key}`, encodeURIComponent(params[key]));
         }
 
         if (query && Object.keys(query).length > 0) {
@@ -284,8 +320,9 @@ class Router {
             if (route.method !== method) continue;
 
             const pattern = route.url
-                .replace(/:[^/]+/g, "([^/]+)")
-                .replace(/\//g, "\\/");
+                .split(/:[^/]+/)
+                .map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\//g, "\\/"))
+                .join("([^/]+)");
             const regex = new RegExp(`^${pattern}$`);
             const match = pathname.match(regex);
 
@@ -326,19 +363,6 @@ class Router {
         return this.#kernel;
     }
 
-    // Legacy compatibility (used by View/Manager.js)
-    static getSessionConfig() {
-        return Config.all("session");
-    }
-
-    static async getKernel() {
-        return this.#getKernel();
-    }
-
-    // Alias for backwards compatibility
-    static route(name, params, query) {
-        return this.url(name, params, query);
-    }
 }
 
 // ─────────────────────────────────────────────────────────────────────────────

package/lib/Runtime/Entry.js

@@ -7,6 +7,10 @@ Environment.setDev(process.env.__NITRON_DEV__ === "true");
 export async function start() {
   await Server.start();
 
+  if (process.send) {
+    process.send({ type: "ready" });
+  }
+
   if (Environment.isDev && process.send) {
     const { default: HMRServer } = await import("../HMR/Server.js");
 
@@ -14,11 +18,8 @@ export async function start() {
       if (!msg?.type || !HMRServer.isReady) return;
 
       switch (msg.type) {
-        case "view":
-          HMRServer.emitViewUpdate(msg.filePath);
-          break;
-        case "css":
-          HMRServer.emitCss(msg.filePath);
+        case "change":
+          HMRServer.emitChange(msg);
           break;
         case "reload":
           HMRServer.emitReload(msg.reason);
@@ -33,5 +34,8 @@ export async function start() {
 
 const isMain = process.argv[1]?.endsWith("Entry.js");
 if (isMain) {
-  start();
+  start().catch(e => {
+    console.error(e);
+    process.exit(1);
+  });
 }