@orpc/server 0.0.0-next.924a598 → 0.0.0-next.92f04f2

package/dist/plugins/index.mjs

@@ -1,8 +1,110 @@
-export { C as CompositePlugin } from '../shared/server.Q6ZmnTgO.mjs';
-import { value } from '@orpc/shared';
+import { value, isAsyncIteratorObject } from '@orpc/shared';
+import { parseBatchRequest, toBatchResponse } from '@orpc/standard-server/batch';
+import { flattenHeader } from '@orpc/standard-server';
+import { ORPCError } from '@orpc/client';
+export { S as StrictGetMethodPlugin } from '../shared/server.BW-nUGgA.mjs';
+import '@orpc/contract';
+
+class BatchHandlerPlugin {
+  maxSize;
+  mapRequestItem;
+  successStatus;
+  headers;
+  order = 5e6;
+  constructor(options = {}) {
+    this.maxSize = options.maxSize ?? 10;
+    this.mapRequestItem = options.mapRequestItem ?? ((request, { request: batchRequest }) => ({
+      ...request,
+      headers: {
+        ...batchRequest.headers,
+        ...request.headers
+      }
+    }));
+    this.successStatus = options.successStatus ?? 207;
+    this.headers = options.headers ?? {};
+  }
+  init(options) {
+    options.rootInterceptors ??= [];
+    options.rootInterceptors.unshift(async (options2) => {
+      if (options2.request.headers["x-orpc-batch"] !== "1") {
+        return options2.next();
+      }
+      let isParsing = false;
+      try {
+        isParsing = true;
+        const parsed = parseBatchRequest({ ...options2.request, body: await options2.request.body() });
+        isParsing = false;
+        const maxSize = await value(this.maxSize, options2);
+        if (parsed.length > maxSize) {
+          return {
+            matched: true,
+            response: {
+              status: 413,
+              headers: {},
+              body: "Batch request size exceeds the maximum allowed size"
+            }
+          };
+        }
+        const responses = parsed.map(
+          (request, index) => {
+            const mapped = this.mapRequestItem(request, options2);
+            return options2.next({ ...options2, request: { ...mapped, body: () => Promise.resolve(mapped.body) } }).then(({ response: response2, matched }) => {
+              if (matched) {
+                if (response2.body instanceof Blob || response2.body instanceof FormData || isAsyncIteratorObject(response2.body)) {
+                  return {
+                    index,
+                    status: 500,
+                    headers: {},
+                    body: "Batch responses do not support file/blob, or event-iterator. Please call this procedure separately outside of the batch request."
+                  };
+                }
+                return { ...response2, index };
+              }
+              return { index, status: 404, headers: {}, body: "No procedure matched" };
+            }).catch(() => {
+              return { index, status: 500, headers: {}, body: "Internal server error" };
+            });
+          }
+        );
+        await Promise.race(responses);
+        const status = await value(this.successStatus, responses, options2);
+        const headers = await value(this.headers, responses, options2);
+        const response = toBatchResponse({
+          status,
+          headers,
+          body: async function* () {
+            const promises = [...responses];
+            while (true) {
+              const handling = promises.filter((p) => p !== void 0);
+              if (handling.length === 0) {
+                return;
+              }
+              const result = await Promise.race(handling);
+              promises[result.index] = void 0;
+              yield result;
+            }
+          }()
+        });
+        return {
+          matched: true,
+          response
+        };
+      } catch (cause) {
+        if (isParsing) {
+          return {
+            matched: true,
+            response: { status: 400, headers: {}, body: "Invalid batch request, this could be caused by a malformed request body or a missing header" }
+          };
+        }
+        throw cause;
+      }
+    });
+  }
+}
 
 class CORSPlugin {
   options;
+  order = 9e6;
   constructor(options = {}) {
     const defaults = {
       origin: (origin) => origin,
@@ -22,13 +124,11 @@ class CORSPlugin {
           resHeaders["access-control-max-age"] = this.options.maxAge.toString();
         }
         if (this.options.allowMethods?.length) {
-          resHeaders["access-control-allow-methods"] = this.options.allowMethods.join(",");
+          resHeaders["access-control-allow-methods"] = flattenHeader(this.options.allowMethods);
         }
         const allowHeaders = this.options.allowHeaders ?? interceptorOptions.request.headers["access-control-request-headers"];
-        if (Array.isArray(allowHeaders) && allowHeaders.length) {
-          resHeaders["access-control-allow-headers"] = allowHeaders.join(",");
-        } else if (typeof allowHeaders === "string") {
-          resHeaders["access-control-allow-headers"] = allowHeaders;
+        if (typeof allowHeaders === "string" || allowHeaders?.length) {
+          resHeaders["access-control-allow-headers"] = flattenHeader(allowHeaders);
         }
         return {
           matched: true,
@@ -46,7 +146,7 @@ class CORSPlugin {
       if (!result.matched) {
         return result;
       }
-      const origin = Array.isArray(interceptorOptions.request.headers.origin) ? interceptorOptions.request.headers.origin.join(",") : interceptorOptions.request.headers.origin || "";
+      const origin = flattenHeader(interceptorOptions.request.headers.origin) ?? "";
       const allowedOrigin = await value(this.options.origin, origin, interceptorOptions);
       const allowedOriginArr = Array.isArray(allowedOrigin) ? allowedOrigin : [allowedOrigin];
       if (allowedOriginArr.includes("*")) {
@@ -68,7 +168,7 @@ class CORSPlugin {
         result.response.headers["access-control-allow-credentials"] = "true";
       }
       if (this.options.exposeHeaders?.length) {
-        result.response.headers["access-control-expose-headers"] = this.options.exposeHeaders.join(",");
+        result.response.headers["access-control-expose-headers"] = flattenHeader(this.options.exposeHeaders);
       }
       return result;
     });
@@ -79,14 +179,19 @@ class ResponseHeadersPlugin {
   init(options) {
     options.rootInterceptors ??= [];
     options.rootInterceptors.push(async (interceptorOptions) => {
-      const headers = new Headers();
-      interceptorOptions.context.resHeaders = headers;
-      const result = await interceptorOptions.next();
+      const resHeaders = interceptorOptions.context.resHeaders ?? new Headers();
+      const result = await interceptorOptions.next({
+        ...interceptorOptions,
+        context: {
+          ...interceptorOptions.context,
+          resHeaders
+        }
+      });
       if (!result.matched) {
         return result;
       }
       const responseHeaders = result.response.headers;
-      for (const [key, value] of headers) {
+      for (const [key, value] of resHeaders) {
         if (Array.isArray(responseHeaders[key])) {
           responseHeaders[key].push(value);
         } else if (responseHeaders[key] !== void 0) {
@@ -100,4 +205,47 @@ class ResponseHeadersPlugin {
   }
 }
 
-export { CORSPlugin, ResponseHeadersPlugin };
+const SIMPLE_CSRF_PROTECTION_CONTEXT_SYMBOL = Symbol("SIMPLE_CSRF_PROTECTION_CONTEXT");
+class SimpleCsrfProtectionHandlerPlugin {
+  headerName;
+  headerValue;
+  exclude;
+  error;
+  constructor(options = {}) {
+    this.headerName = options.headerName ?? "x-csrf-token";
+    this.headerValue = options.headerValue ?? "orpc";
+    this.exclude = options.exclude ?? false;
+    this.error = options.error ?? new ORPCError("CSRF_TOKEN_MISMATCH", {
+      status: 403,
+      message: "Invalid CSRF token"
+    });
+  }
+  order = 8e6;
+  init(options) {
+    options.rootInterceptors ??= [];
+    options.clientInterceptors ??= [];
+    options.rootInterceptors.unshift(async (options2) => {
+      const headerName = await value(this.headerName, options2);
+      const headerValue = await value(this.headerValue, options2);
+      return options2.next({
+        ...options2,
+        context: {
+          ...options2.context,
+          [SIMPLE_CSRF_PROTECTION_CONTEXT_SYMBOL]: options2.request.headers[headerName] === headerValue
+        }
+      });
+    });
+    options.clientInterceptors.unshift(async (options2) => {
+      if (typeof options2.context[SIMPLE_CSRF_PROTECTION_CONTEXT_SYMBOL] !== "boolean") {
+        throw new TypeError("[SimpleCsrfProtectionHandlerPlugin] CSRF protection context has been corrupted or modified by another plugin or interceptor");
+      }
+      const excluded = await value(this.exclude, options2);
+      if (!excluded && !options2.context[SIMPLE_CSRF_PROTECTION_CONTEXT_SYMBOL]) {
+        throw this.error;
+      }
+      return options2.next();
+    });
+  }
+}
+
+export { BatchHandlerPlugin, CORSPlugin, ResponseHeadersPlugin, SimpleCsrfProtectionHandlerPlugin };

package/dist/shared/{server.DisswUB5.mjs → server.4FnxLwwr.mjs}

@@ -1,51 +1,69 @@
+import { toHttpPath, StandardRPCJsonSerializer, StandardRPCSerializer } from '@orpc/client/standard';
 import { ORPCError, toORPCError } from '@orpc/client';
-import { intercept, trim, parseEmptyableJSON } from '@orpc/shared';
-import { C as CompositePlugin } from './server.Q6ZmnTgO.mjs';
-import { c as createProcedureClient, t as traverseContractProcedures, a as toHttpPath, i as isProcedure, u as unlazy, g as getRouter, b as createContractedProcedure } from './server.B_5ZADvP.mjs';
+import { toArray, intercept, parseEmptyableJSON } from '@orpc/shared';
+import { flattenHeader } from '@orpc/standard-server';
+import { c as createProcedureClient, t as traverseContractProcedures, i as isProcedure, u as unlazy, g as getRouter, a as createContractedProcedure } from './server.DG7Tamti.mjs';
+
+class CompositeStandardHandlerPlugin {
+  plugins;
+  constructor(plugins = []) {
+    this.plugins = [...plugins].sort((a, b) => (a.order ?? 0) - (b.order ?? 0));
+  }
+  init(options, router) {
+    for (const plugin of this.plugins) {
+      plugin.init?.(options, router);
+    }
+  }
+}
 
 class StandardHandler {
   constructor(router, matcher, codec, options) {
     this.matcher = matcher;
     this.codec = codec;
-    this.options = options;
-    this.plugin = new CompositePlugin(options.plugins);
-    this.plugin.init(this.options);
+    const plugins = new CompositeStandardHandlerPlugin(options.plugins);
+    plugins.init(options, router);
+    this.interceptors = toArray(options.interceptors);
+    this.clientInterceptors = toArray(options.clientInterceptors);
+    this.rootInterceptors = toArray(options.rootInterceptors);
     this.matcher.init(router);
   }
-  plugin;
-  handle(request, ...[options]) {
+  interceptors;
+  clientInterceptors;
+  rootInterceptors;
+  async handle(request, options) {
+    const prefix = options.prefix?.replace(/\/$/, "") || void 0;
+    if (prefix && !request.url.pathname.startsWith(`${prefix}/`) && request.url.pathname !== prefix) {
+      return { matched: false, response: void 0 };
+    }
     return intercept(
-      this.options.rootInterceptors ?? [],
-      {
-        request,
-        ...options,
-        context: options?.context ?? {}
-        // context is optional only when all fields are optional so we can safely force it to have a context
-      },
+      this.rootInterceptors,
+      { ...options, request, prefix },
       async (interceptorOptions) => {
         let isDecoding = false;
         try {
           return await intercept(
-            this.options.interceptors ?? [],
+            this.interceptors,
             interceptorOptions,
-            async (interceptorOptions2) => {
-              const method = interceptorOptions2.request.method;
-              const url = interceptorOptions2.request.url;
-              const pathname = `/${trim(url.pathname.replace(interceptorOptions2.prefix ?? "", ""), "/")}`;
-              const match = await this.matcher.match(method, pathname);
+            async ({ request: request2, context, prefix: prefix2 }) => {
+              const method = request2.method;
+              const url = request2.url;
+              const pathname = prefix2 ? url.pathname.replace(prefix2, "") : url.pathname;
+              const match = await this.matcher.match(method, `/${pathname.replace(/^\/|\/$/g, "")}`);
               if (!match) {
                 return { matched: false, response: void 0 };
               }
               const client = createProcedureClient(match.procedure, {
-                context: interceptorOptions2.context,
+                context,
                 path: match.path,
-                interceptors: this.options.clientInterceptors
+                interceptors: this.clientInterceptors
               });
               isDecoding = true;
-              const input = await this.codec.decode(request, match.params, match.procedure);
+              const input = await this.codec.decode(request2, match.params, match.procedure);
               isDecoding = false;
-              const lastEventId = Array.isArray(request.headers["last-event-id"]) ? request.headers["last-event-id"].at(-1) : request.headers["last-event-id"];
-              const output = await client(input, { signal: request.signal, lastEventId });
+              const output = await client(input, {
+                signal: request2.signal,
+                lastEventId: flattenHeader(request2.headers["last-event-id"])
+              });
               const response = this.codec.encode(output, match.procedure);
               return {
                 matched: true,
@@ -54,7 +72,7 @@ class StandardHandler {
             }
           );
         } catch (e) {
-          const error = isDecoding ? new ORPCError("BAD_REQUEST", {
+          const error = isDecoding && !(e instanceof ORPCError) ? new ORPCError("BAD_REQUEST", {
             message: `Malformed request. Ensure the request body is properly formatted and the 'Content-Type' header is set correctly.`,
             cause: e
           }) : toORPCError(e);
@@ -155,4 +173,14 @@ class StandardRPCMatcher {
   }
 }
 
-export { StandardHandler as S, StandardRPCCodec as a, StandardRPCMatcher as b };
+class StandardRPCHandler extends StandardHandler {
+  constructor(router, options = {}) {
+    const jsonSerializer = new StandardRPCJsonSerializer(options);
+    const serializer = new StandardRPCSerializer(jsonSerializer);
+    const matcher = new StandardRPCMatcher();
+    const codec = new StandardRPCCodec(serializer);
+    super(router, matcher, codec, options);
+  }
+}
+
+export { CompositeStandardHandlerPlugin as C, StandardHandler as S, StandardRPCCodec as a, StandardRPCHandler as b, StandardRPCMatcher as c };

package/dist/shared/server.BRoxSiSC.d.mts

@@ -0,0 +1,12 @@
+import { StandardRPCJsonSerializerOptions } from '@orpc/client/standard';
+import { C as Context, R as Router } from './server.DPWk5pjW.mjs';
+import { b as StandardHandlerOptions, i as StandardHandler } from './server.eWLxY3lq.mjs';
+
+interface StandardRPCHandlerOptions<T extends Context> extends StandardHandlerOptions<T>, StandardRPCJsonSerializerOptions {
+}
+declare class StandardRPCHandler<T extends Context> extends StandardHandler<T> {
+    constructor(router: Router<any, T>, options?: StandardRPCHandlerOptions<T>);
+}
+
+export { StandardRPCHandler as a };
+export type { StandardRPCHandlerOptions as S };

package/dist/shared/server.BVwwTHyO.mjs

@@ -0,0 +1,9 @@
+function resolveFriendlyStandardHandleOptions(options) {
+  return {
+    ...options,
+    context: options?.context ?? {}
+    // Context only optional if all fields are optional
+  };
+}
+
+export { resolveFriendlyStandardHandleOptions as r };

package/dist/shared/server.BW-nUGgA.mjs

@@ -0,0 +1,36 @@
+import { ORPCError, fallbackContractConfig } from '@orpc/contract';
+
+const STRICT_GET_METHOD_PLUGIN_IS_GET_METHOD_CONTEXT_SYMBOL = Symbol("STRICT_GET_METHOD_PLUGIN_IS_GET_METHOD_CONTEXT");
+class StrictGetMethodPlugin {
+  error;
+  order = 7e6;
+  constructor(options = {}) {
+    this.error = options.error ?? new ORPCError("METHOD_NOT_SUPPORTED");
+  }
+  init(options) {
+    options.rootInterceptors ??= [];
+    options.clientInterceptors ??= [];
+    options.rootInterceptors.unshift((options2) => {
+      const isGetMethod = options2.request.method === "GET";
+      return options2.next({
+        ...options2,
+        context: {
+          ...options2.context,
+          [STRICT_GET_METHOD_PLUGIN_IS_GET_METHOD_CONTEXT_SYMBOL]: isGetMethod
+        }
+      });
+    });
+    options.clientInterceptors.unshift((options2) => {
+      if (typeof options2.context[STRICT_GET_METHOD_PLUGIN_IS_GET_METHOD_CONTEXT_SYMBOL] !== "boolean") {
+        throw new TypeError("[StrictGetMethodPlugin] strict GET method context has been corrupted or modified by another plugin or interceptor");
+      }
+      const procedureMethod = fallbackContractConfig("defaultMethod", options2.procedure["~orpc"].route.method);
+      if (options2.context[STRICT_GET_METHOD_PLUGIN_IS_GET_METHOD_CONTEXT_SYMBOL] && procedureMethod !== "GET") {
+        throw this.error;
+      }
+      return options2.next();
+    });
+  }
+}
+
+export { StrictGetMethodPlugin as S };

package/dist/shared/server.BjiJH9Vo.d.ts

@@ -0,0 +1,10 @@
+import { C as Context } from './server.DPWk5pjW.js';
+import { g as StandardHandleOptions } from './server.YZzrREz9.js';
+
+type FriendlyStandardHandleOptions<T extends Context> = Omit<StandardHandleOptions<T>, 'context'> & (Record<never, never> extends T ? {
+    context?: T;
+} : {
+    context: T;
+});
+
+export type { FriendlyStandardHandleOptions as F };

package/dist/shared/server.Cy1vfSiG.d.ts

@@ -0,0 +1,12 @@
+import { StandardRPCJsonSerializerOptions } from '@orpc/client/standard';
+import { C as Context, R as Router } from './server.DPWk5pjW.js';
+import { b as StandardHandlerOptions, i as StandardHandler } from './server.YZzrREz9.js';
+
+interface StandardRPCHandlerOptions<T extends Context> extends StandardHandlerOptions<T>, StandardRPCJsonSerializerOptions {
+}
+declare class StandardRPCHandler<T extends Context> extends StandardHandler<T> {
+    constructor(router: Router<any, T>, options?: StandardRPCHandlerOptions<T>);
+}
+
+export { StandardRPCHandler as a };
+export type { StandardRPCHandlerOptions as S };

package/dist/shared/{server.B_5ZADvP.mjs → server.DG7Tamti.mjs}

@@ -1,6 +1,6 @@
 import { isContractProcedure, ValidationError, mergePrefix, mergeErrorMap, enhanceRoute } from '@orpc/contract';
 import { fallbackORPCErrorStatus, ORPCError } from '@orpc/client';
-import { value, intercept, toError } from '@orpc/shared';
+import { value, intercept } from '@orpc/shared';
 
 const LAZY_SYMBOL = Symbol("ORPC_LAZY_SYMBOL");
 function lazy(loader, meta = {}) {
@@ -46,6 +46,9 @@ function addMiddleware(middlewares, addition) {
 }
 
 class Procedure {
+  /**
+   * This property holds the defined options.
+   */
   "~orpc";
   constructor(def) {
     this["~orpc"] = def;
@@ -58,6 +61,10 @@ function isProcedure(item) {
   return isContractProcedure(item) && "middlewares" in item["~orpc"] && "inputValidationIndex" in item["~orpc"] && "outputValidationIndex" in item["~orpc"] && "handler" in item["~orpc"];
 }
 
+function mergeCurrentContext(context, other) {
+  return { ...context, ...other };
+}
+
 function createORPCErrorConstructorMap(errors) {
   const proxy = new Proxy(errors, {
     get(target, code) {
@@ -123,7 +130,7 @@ function createProcedureClient(lazyableProcedure, ...[options]) {
       );
     } catch (e) {
       if (!(e instanceof ORPCError)) {
-        throw toError(e);
+        throw e;
       }
       const validated = await validateORPCError(procedure["~orpc"].errorMap, e);
       throw validated;
@@ -165,28 +172,29 @@ async function executeProcedureInternal(procedure, options) {
   const middlewares = procedure["~orpc"].middlewares;
   const inputValidationIndex = Math.min(Math.max(0, procedure["~orpc"].inputValidationIndex), middlewares.length);
   const outputValidationIndex = Math.min(Math.max(0, procedure["~orpc"].outputValidationIndex), middlewares.length);
-  let currentIndex = 0;
-  let currentContext = options.context;
-  let currentInput = options.input;
-  const next = async (...[nextOptions]) => {
-    const index = currentIndex;
-    currentIndex += 1;
-    currentContext = { ...currentContext, ...nextOptions?.context };
+  const next = async (index, context, input) => {
+    let currentInput = input;
     if (index === inputValidationIndex) {
       currentInput = await validateInput(procedure, currentInput);
     }
     const mid = middlewares[index];
-    const result = mid ? await mid({ ...options, context: currentContext, next }, currentInput, middlewareOutputFn) : { output: await procedure["~orpc"].handler({ ...options, context: currentContext, input: currentInput }), context: currentContext };
+    const output = mid ? (await mid({
+      ...options,
+      context,
+      next: async (...[nextOptions]) => {
+        const nextContext = nextOptions?.context ?? {};
+        return {
+          output: await next(index + 1, mergeCurrentContext(context, nextContext), currentInput),
+          context: nextContext
+        };
+      }
+    }, currentInput, middlewareOutputFn)).output : await procedure["~orpc"].handler({ ...options, context, input: currentInput });
     if (index === outputValidationIndex) {
-      const validatedOutput = await validateOutput(procedure, result.output);
-      return {
-        ...result,
-        output: validatedOutput
-      };
+      return await validateOutput(procedure, output);
     }
-    return result;
+    return output;
   };
-  return (await next({})).output;
+  return next(0, options.context, options.input);
 }
 
 const HIDDEN_ROUTER_CONTRACT_SYMBOL = Symbol("ORPC_HIDDEN_ROUTER_CONTRACT");
@@ -356,8 +364,4 @@ function call(procedure, input, ...rest) {
   return createProcedureClient(procedure, ...rest)(input);
 }
 
-function toHttpPath(path) {
-  return `/${path.map(encodeURIComponent).join("/")}`;
-}
-
-export { LAZY_SYMBOL as L, Procedure as P, toHttpPath as a, createContractedProcedure as b, createProcedureClient as c, addMiddleware as d, enhanceRouter as e, isLazy as f, getRouter as g, createAssertedLazyProcedure as h, isProcedure as i, createORPCErrorConstructorMap as j, getLazyMeta as k, lazy as l, middlewareOutputFn as m, isStartWithMiddlewares as n, mergeMiddlewares as o, call as p, getHiddenRouterContract as q, createAccessibleLazyRouter as r, setHiddenRouterContract as s, traverseContractProcedures as t, unlazy as u, validateORPCError as v, resolveContractProcedures as w, unlazyRouter as x };
+export { LAZY_SYMBOL as L, Procedure as P, createContractedProcedure as a, addMiddleware as b, createProcedureClient as c, isLazy as d, enhanceRouter as e, createAssertedLazyProcedure as f, getRouter as g, createORPCErrorConstructorMap as h, isProcedure as i, getLazyMeta as j, middlewareOutputFn as k, lazy as l, mergeCurrentContext as m, isStartWithMiddlewares as n, mergeMiddlewares as o, call as p, getHiddenRouterContract as q, createAccessibleLazyRouter as r, setHiddenRouterContract as s, traverseContractProcedures as t, unlazy as u, validateORPCError as v, resolveContractProcedures as w, unlazyRouter as x };