@nuraly/lumenjs 0.1.2 → 0.1.4

package/dist/build/serve-api.js

@@ -2,6 +2,7 @@ import fs from 'fs';
 import path from 'path';
 import { readBody } from '../shared/utils.js';
 import { matchRoute } from '../shared/route-matching.js';
+import { useStorage } from '../storage/index.js';
 export async function handleApiRoute(manifest, serverDir, pathname, queryString, method, req, res) {
     const matched = matchRoute(manifest.apiRoutes, pathname);
     if (!matched) {
@@ -9,7 +10,9 @@ export async function handleApiRoute(manifest, serverDir, pathname, queryString,
         res.end(JSON.stringify({ error: 'API route not found' }));
         return;
     }
-    const modulePath = path.join(serverDir, matched.route.module);
+    // Vite replaces [param] with _param_ in output filenames
+    const resolvedModule = matched.route.module.replace(/\[([^\]]+)\]/g, '_$1_');
+    const modulePath = path.join(serverDir, resolvedModule);
     if (!fs.existsSync(modulePath)) {
         res.writeHead(404, { 'Content-Type': 'application/json; charset=utf-8' });
         res.end(JSON.stringify({ error: 'API route module not found' }));
@@ -43,13 +46,16 @@ export async function handleApiRoute(manifest, serverDir, pathname, queryString,
             params: matched.params,
             body,
             headers: req.headers,
+            storage: useStorage(),
+            nkAuth: req.nkAuth,
         });
         res.writeHead(200, { 'Content-Type': 'application/json; charset=utf-8' });
         res.end(JSON.stringify(result));
     }
     catch (err) {
         const status = err?.status || 500;
-        const message = err?.message || 'Internal server error';
+        // Only expose error messages for client errors (4xx); hide internals for 5xx
+        const message = status < 500 ? (err?.message || 'Request error') : 'Internal server error';
         res.writeHead(status, { 'Content-Type': 'application/json; charset=utf-8' });
         res.end(JSON.stringify({ error: message }));
     }

package/dist/build/serve-loaders.d.ts

@@ -1,4 +1,6 @@
 import http from 'http';
 import type { BuildManifest } from '../shared/types.js';
-export declare function handleLayoutLoaderRequest(manifest: BuildManifest, serverDir: string, queryString: string | undefined, headers: http.IncomingHttpHeaders, res: http.ServerResponse): Promise<void>;
-export declare function handleLoaderRequest(manifest: BuildManifest, serverDir: string, pagesDir: string, pathname: string, queryString: string | undefined, headers: http.IncomingHttpHeaders, res: http.ServerResponse): Promise<void>;
+export declare function handleLayoutLoaderRequest(manifest: BuildManifest, serverDir: string, queryString: string | undefined, headers: http.IncomingHttpHeaders, res: http.ServerResponse, user?: any): Promise<void>;
+export declare function handleLayoutSubscribeRequest(manifest: BuildManifest, serverDir: string, queryString: string | undefined, headers: http.IncomingHttpHeaders, res: http.ServerResponse, user?: any): Promise<void>;
+export declare function handleSubscribeRequest(manifest: BuildManifest, serverDir: string, pagesDir: string, pathname: string, queryString: string | undefined, headers: http.IncomingHttpHeaders, res: http.ServerResponse, user?: any): Promise<void>;
+export declare function handleLoaderRequest(manifest: BuildManifest, serverDir: string, pagesDir: string, pathname: string, queryString: string | undefined, headers: http.IncomingHttpHeaders, res: http.ServerResponse, user?: any): Promise<void>;

package/dist/build/serve-loaders.js

@@ -2,7 +2,15 @@ import fs from 'fs';
 import path from 'path';
 import { isRedirectResponse } from '../shared/utils.js';
 import { matchRoute } from '../shared/route-matching.js';
-export async function handleLayoutLoaderRequest(manifest, serverDir, queryString, headers, res) {
+import { logger } from '../shared/logger.js';
+/** Resolve a module path, falling back to bracket-sanitized filename (Rollup replaces [] with _) */
+function resolveModulePath(serverDir, moduleName) {
+    const p = path.join(serverDir, moduleName);
+    if (fs.existsSync(p))
+        return p;
+    return path.join(serverDir, moduleName.replace(/\[/g, '_').replace(/\]/g, '_'));
+}
+export async function handleLayoutLoaderRequest(manifest, serverDir, queryString, headers, res, user) {
     const query = {};
     if (queryString) {
         for (const pair of queryString.split('&')) {
@@ -18,7 +26,7 @@ export async function handleLayoutLoaderRequest(manifest, serverDir, queryString
         res.end(JSON.stringify({ __nk_no_loader: true }));
         return;
     }
-    const modulePath = path.join(serverDir, layout.module);
+    const modulePath = resolveModulePath(serverDir, layout.module);
     if (!fs.existsSync(modulePath)) {
         res.writeHead(200, { 'Content-Type': 'application/json; charset=utf-8' });
         res.end(JSON.stringify({ __nk_no_loader: true }));
@@ -34,7 +42,7 @@ export async function handleLayoutLoaderRequest(manifest, serverDir, queryString
         // Parse locale from query for layout loader
         const locale = query.__locale;
         delete query.__locale;
-        const result = await mod.loader({ params: {}, query: {}, url: `/__layout/${dir}`, headers, locale });
+        const result = await mod.loader({ params: {}, query: {}, url: `/__layout/${dir}`, headers, locale, user: user ?? null });
         if (isRedirectResponse(result)) {
             res.writeHead(result.status || 302, { Location: result.location });
             res.end();
@@ -49,14 +57,124 @@ export async function handleLayoutLoaderRequest(manifest, serverDir, queryString
             res.end();
             return;
         }
-        console.error(`[LumenJS] Layout loader error for dir=${dir}:`, err);
+        logger.error(`Layout loader error`, { dir, error: err?.message });
         const status = err?.status || 500;
-        const message = err?.message || 'Layout loader failed';
+        const message = status < 500 ? (err?.message || 'Layout loader failed') : 'Internal server error';
         res.writeHead(status, { 'Content-Type': 'application/json; charset=utf-8' });
         res.end(JSON.stringify({ error: message }));
     }
 }
-export async function handleLoaderRequest(manifest, serverDir, pagesDir, pathname, queryString, headers, res) {
+export async function handleLayoutSubscribeRequest(manifest, serverDir, queryString, headers, res, user) {
+    const query = {};
+    if (queryString) {
+        for (const pair of queryString.split('&')) {
+            const [key, val] = pair.split('=');
+            query[decodeURIComponent(key)] = decodeURIComponent(val || '');
+        }
+    }
+    const dir = query.__dir || '';
+    const layout = (manifest.layouts || []).find(l => l.dir === dir);
+    if (!layout || !layout.hasSubscribe || !layout.module) {
+        res.writeHead(204);
+        res.end();
+        return;
+    }
+    const modulePath = resolveModulePath(serverDir, layout.module);
+    if (!fs.existsSync(modulePath)) {
+        res.writeHead(204);
+        res.end();
+        return;
+    }
+    try {
+        const mod = await import(modulePath);
+        if (!mod.subscribe || typeof mod.subscribe !== 'function') {
+            res.writeHead(204);
+            res.end();
+            return;
+        }
+        res.writeHead(200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            'Connection': 'keep-alive',
+        });
+        const locale = query.__locale;
+        const push = (data) => {
+            res.write(`data: ${JSON.stringify(data)}\n\n`);
+        };
+        const cleanup = mod.subscribe({ params: {}, push, headers, locale, user: user ?? null });
+        res.on('close', () => {
+            if (typeof cleanup === 'function')
+                cleanup();
+        });
+    }
+    catch (err) {
+        logger.error(`Layout subscribe error`, { dir, error: err?.message });
+        if (!res.headersSent) {
+            res.writeHead(500);
+            res.end();
+        }
+    }
+}
+export async function handleSubscribeRequest(manifest, serverDir, pagesDir, pathname, queryString, headers, res, user) {
+    const pagePath = pathname.replace('/__nk_subscribe', '') || '/';
+    const query = {};
+    if (queryString) {
+        for (const pair of queryString.split('&')) {
+            const [key, val] = pair.split('=');
+            query[decodeURIComponent(key)] = decodeURIComponent(val || '');
+        }
+    }
+    let params = {};
+    if (query.__params) {
+        try {
+            params = JSON.parse(query.__params);
+        }
+        catch { /* ignore */ }
+        delete query.__params;
+    }
+    const matched = matchRoute(manifest.routes.filter(r => r.hasSubscribe), pagePath);
+    if (!matched || !matched.route.module) {
+        res.writeHead(204);
+        res.end();
+        return;
+    }
+    const modulePath = resolveModulePath(serverDir, matched.route.module);
+    if (!fs.existsSync(modulePath)) {
+        res.writeHead(204);
+        res.end();
+        return;
+    }
+    try {
+        const mod = await import(modulePath);
+        if (!mod.subscribe || typeof mod.subscribe !== 'function') {
+            res.writeHead(204);
+            res.end();
+            return;
+        }
+        res.writeHead(200, {
+            'Content-Type': 'text/event-stream',
+            'Cache-Control': 'no-cache',
+            'Connection': 'keep-alive',
+        });
+        const locale = query.__locale;
+        const push = (data) => {
+            res.write(`data: ${JSON.stringify(data)}\n\n`);
+        };
+        const cleanup = mod.subscribe({ params: matched.params, push, headers, locale, user: user ?? null });
+        res.on('close', () => {
+            if (typeof cleanup === 'function')
+                cleanup();
+        });
+    }
+    catch (err) {
+        logger.error(`Subscribe error`, { pagePath, error: err?.message });
+        if (!res.headersSent) {
+            res.writeHead(500);
+            res.end();
+        }
+    }
+}
+export async function handleLoaderRequest(manifest, serverDir, pagesDir, pathname, queryString, headers, res, user) {
     const pagePath = pathname.replace('/__nk_loader', '') || '/';
     // Parse query params
     const query = {};
@@ -81,7 +199,7 @@ export async function handleLoaderRequest(manifest, serverDir, pagesDir, pathnam
         res.end(JSON.stringify({ __nk_no_loader: true }));
         return;
     }
-    const modulePath = path.join(serverDir, matched.route.module);
+    const modulePath = resolveModulePath(serverDir, matched.route.module);
     if (!fs.existsSync(modulePath)) {
         res.writeHead(200, { 'Content-Type': 'application/json; charset=utf-8' });
         res.end(JSON.stringify({ __nk_no_loader: true }));
@@ -96,7 +214,7 @@ export async function handleLoaderRequest(manifest, serverDir, pagesDir, pathnam
         }
         const locale = query.__locale;
         delete query.__locale;
-        const result = await mod.loader({ params: matched.params, query, url: pagePath, headers, locale });
+        const result = await mod.loader({ params: matched.params, query, url: pagePath, headers, locale, user: user ?? null });
         if (isRedirectResponse(result)) {
             res.writeHead(result.status || 302, { Location: result.location });
             res.end();
@@ -111,9 +229,9 @@ export async function handleLoaderRequest(manifest, serverDir, pagesDir, pathnam
             res.end();
             return;
         }
-        console.error(`[LumenJS] Loader error for ${pagePath}:`, err);
+        logger.error(`Loader error`, { pagePath, error: err?.message });
         const status = err?.status || 500;
-        const message = err?.message || 'Loader failed';
+        const message = status < 500 ? (err?.message || 'Loader failed') : 'Internal server error';
         res.writeHead(status, { 'Content-Type': 'application/json; charset=utf-8' });
         res.end(JSON.stringify({ error: message }));
     }

package/dist/build/serve-ssr.js

@@ -1,22 +1,27 @@
 import fs from 'fs';
 import path from 'path';
-import { stripOuterLitMarkers, dirToLayoutTagName, isRedirectResponse } from '../shared/utils.js';
+import { stripOuterLitMarkers, dirToLayoutTagName, isRedirectResponse, patchLoaderDataSpread } from '../shared/utils.js';
 import { matchRoute } from '../shared/route-matching.js';
 import { sendCompressed } from './serve-static.js';
+import { logger } from '../shared/logger.js';
 export async function handlePageRoute(manifest, serverDir, pagesDir, pathname, queryString, indexHtmlShell, title, ssrRuntime, req, res) {
     // Find matching route (any route, not just those with loaders)
     const allMatched = matchRoute(manifest.routes, pathname);
     // Try SSR for routes with loaders
     const matched = matchRoute(manifest.routes.filter(r => r.hasLoader), pathname);
     if (matched && matched.route.module) {
-        const modulePath = path.join(serverDir, matched.route.module);
+        // Rollup sanitizes brackets in filenames: [...path] → _...path_
+        let modulePath = path.join(serverDir, matched.route.module);
+        if (!fs.existsSync(modulePath)) {
+            modulePath = path.join(serverDir, matched.route.module.replace(/\[/g, '_').replace(/\]/g, '_'));
+        }
         if (fs.existsSync(modulePath)) {
             try {
                 const mod = await import(modulePath);
                 // Run loader
                 let loaderData = undefined;
                 if (mod.loader && typeof mod.loader === 'function') {
-                    loaderData = await mod.loader({ params: matched.params, query: {}, url: pathname, headers: req.headers });
+                    loaderData = await mod.loader({ params: matched.params, query: {}, url: pathname, headers: req.headers, user: req.nkAuth?.user ?? null });
                     if (isRedirectResponse(loaderData)) {
                         res.writeHead(loaderData.status || 302, { Location: loaderData.location });
                         res.end();
@@ -39,7 +44,7 @@ export async function handlePageRoute(manifest, serverDir, pagesDir, pathname, q
                         if (fs.existsSync(layoutModulePath)) {
                             const layoutMod = await import(layoutModulePath);
                             if (layoutMod.loader && typeof layoutMod.loader === 'function') {
-                                layoutLoaderData = await layoutMod.loader({ params: {}, query: {}, url: pathname, headers: req.headers });
+                                layoutLoaderData = await layoutMod.loader({ params: {}, query: {}, url: pathname, headers: req.headers, user: req.nkAuth?.user ?? null });
                                 if (isRedirectResponse(layoutLoaderData)) {
                                     res.writeHead(layoutLoaderData.status || 302, { Location: layoutLoaderData.location });
                                     res.end();
@@ -52,6 +57,12 @@ export async function handlePageRoute(manifest, serverDir, pagesDir, pathname, q
                     layoutsData.push({ loaderPath: dir, data: layoutLoaderData });
                     layoutModules.push({ tagName: layoutTagName, loaderData: layoutLoaderData });
                 }
+                // Patch element classes to spread loaderData into individual properties
+                for (const lm of layoutModules) {
+                    patchLoaderDataSpread(lm.tagName);
+                }
+                if (tagName)
+                    patchLoaderDataSpread(tagName);
                 if (tagName && ssrRuntime) {
                     // SSR render with the bundled @lit-labs/ssr runtime
                     try {
@@ -90,14 +101,18 @@ export async function handlePageRoute(manifest, serverDir, pagesDir, pathname, q
                         const loaderDataScript = ssrDataObj !== undefined
                             ? `<script type="application/json" id="__nk_ssr_data__">${JSON.stringify(ssrDataObj).replace(/</g, '\\u003c')}</script>`
                             : '';
-                        const hydrateScript = `<script type="module">import '@lit-labs/ssr-client/lit-element-hydrate-support.js';</script>`;
+                        // Auth: inline user data for client hydration
+                        const authUser = req.nkAuth?.user ?? null;
+                        const authScript = authUser
+                            ? `<script type="application/json" id="__nk_auth__">${JSON.stringify(authUser).replace(/</g, '\\u003c')}</script>`
+                            : '';
                         let html_out = indexHtmlShell;
-                        html_out = html_out.replace(/<nk-app><\/nk-app>/, `${loaderDataScript}<nk-app data-nk-ssr><div id="nk-router-outlet">${ssrHtml}</div></nk-app>${hydrateScript}`);
+                        html_out = html_out.replace(/<nk-app><\/nk-app>/, `${authScript}${loaderDataScript}<nk-app data-nk-ssr><div id="nk-router-outlet">${ssrHtml}</div></nk-app>`);
                         sendCompressed(req, res, 200, 'text/html; charset=utf-8', html_out);
                         return;
                     }
                     catch (ssrErr) {
-                        console.error('[LumenJS] SSR render failed, falling back to CSR:', ssrErr);
+                        logger.warn('SSR render failed, falling back to CSR', { error: ssrErr?.message });
                     }
                 }
                 // Fallback: inject loader data without SSR HTML
@@ -106,16 +121,28 @@ export async function handlePageRoute(manifest, serverDir, pagesDir, pathname, q
                         ? { page: loaderData, layouts: layoutsData }
                         : loaderData;
                     const loaderDataScript = `<script type="application/json" id="__nk_ssr_data__">${JSON.stringify(ssrDataObj).replace(/</g, '\\u003c')}</script>`;
-                    let html_out = indexHtmlShell.replace('<nk-app>', `${loaderDataScript}<nk-app>`);
+                    const authUserFb = req.nkAuth?.user ?? null;
+                    const authScriptFb = authUserFb
+                        ? `<script type="application/json" id="__nk_auth__">${JSON.stringify(authUserFb).replace(/</g, '\\u003c')}</script>`
+                        : '';
+                    let html_out = indexHtmlShell.replace('<nk-app>', `${authScriptFb}${loaderDataScript}<nk-app>`);
                     sendCompressed(req, res, 200, 'text/html; charset=utf-8', html_out);
                     return;
                 }
             }
             catch (err) {
-                console.error('[LumenJS] Page handler error:', err);
+                logger.error('Page handler error', { error: err?.message });
             }
         }
     }
-    // SPA fallback — serve the built index.html
-    sendCompressed(req, res, 200, 'text/html; charset=utf-8', indexHtmlShell);
+    // SPA fallback — serve the built index.html with auth data injected
+    const fallbackUser = req.nkAuth?.user ?? null;
+    if (fallbackUser) {
+        const authTag = `<script type="application/json" id="__nk_auth__">${JSON.stringify(fallbackUser).replace(/</g, '\\u003c')}</script>`;
+        const html = indexHtmlShell.replace('<nk-app>', `${authTag}<nk-app>`);
+        sendCompressed(req, res, 200, 'text/html; charset=utf-8', html);
+    }
+    else {
+        sendCompressed(req, res, 200, 'text/html; charset=utf-8', indexHtmlShell);
+    }
 }

package/dist/build/serve-static.js

@@ -52,9 +52,9 @@ export function sendCompressed(req, res, statusCode, contentType, body) {
 }
 export function serveStaticFile(clientDir, pathname, req, res) {
     // Prevent directory traversal
-    const safePath = path.normalize(pathname).replace(/^(\.\.[/\\])+/, '');
-    const filePath = path.join(clientDir, safePath);
-    if (!filePath.startsWith(clientDir)) {
+    const resolvedClientDir = path.resolve(clientDir);
+    const filePath = path.resolve(resolvedClientDir, pathname.replace(/^\/+/, ''));
+    if (!filePath.startsWith(resolvedClientDir + path.sep) && filePath !== resolvedClientDir) {
         return false;
     }
     if (!fs.existsSync(filePath) || fs.statSync(filePath).isDirectory()) {