@orpc/server 0.0.0-next.ac2a918 → 0.0.0-next.ac2c329
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +15 -2
- package/dist/adapters/fetch/index.d.mts +58 -0
- package/dist/adapters/fetch/index.d.ts +58 -0
- package/dist/adapters/fetch/index.mjs +105 -0
- package/dist/adapters/node/index.d.mts +57 -0
- package/dist/adapters/node/index.d.ts +57 -0
- package/dist/adapters/node/index.mjs +90 -0
- package/dist/adapters/standard/index.d.mts +26 -0
- package/dist/adapters/standard/index.d.ts +26 -0
- package/dist/adapters/standard/index.mjs +8 -0
- package/dist/index.d.mts +291 -0
- package/dist/index.d.ts +291 -0
- package/dist/{index.js → index.mjs} +107 -157
- package/dist/plugins/index.d.mts +124 -0
- package/dist/plugins/index.d.ts +124 -0
- package/dist/plugins/index.mjs +252 -0
- package/dist/shared/server.B5yVxwZh.d.mts +17 -0
- package/dist/shared/server.BVwwTHyO.mjs +9 -0
- package/dist/shared/server.BW-nUGgA.mjs +36 -0
- package/dist/shared/server.By38lRwX.d.ts +17 -0
- package/dist/{chunk-MHVECKBC.js → shared/server.C37gDhSZ.mjs} +167 -224
- package/dist/shared/server.ClO23hLW.d.mts +73 -0
- package/dist/shared/server.Cqam9L0P.d.mts +10 -0
- package/dist/shared/server.CuXY46Yy.d.ts +10 -0
- package/dist/shared/server.DFuJLDuo.mjs +190 -0
- package/dist/shared/server.DQJX4Gnf.d.mts +143 -0
- package/dist/shared/server.DQJX4Gnf.d.ts +143 -0
- package/dist/shared/server.DsVSuKTu.d.ts +73 -0
- package/package.json +24 -43
- package/dist/chunk-MBMXGUNI.js +0 -32
- package/dist/chunk-NTHCS5CK.js +0 -182
- package/dist/chunk-TXHKQO7N.js +0 -120
- package/dist/fetch.js +0 -10
- package/dist/hono.js +0 -34
- package/dist/next.js +0 -31
- package/dist/node.js +0 -31
- package/dist/plugins.js +0 -11
- package/dist/src/adapters/fetch/index.d.ts +0 -3
- package/dist/src/adapters/fetch/rpc-handler.d.ts +0 -11
- package/dist/src/adapters/fetch/types.d.ts +0 -14
- package/dist/src/adapters/hono/index.d.ts +0 -3
- package/dist/src/adapters/hono/middleware.d.ts +0 -12
- package/dist/src/adapters/next/index.d.ts +0 -3
- package/dist/src/adapters/next/serve.d.ts +0 -19
- package/dist/src/adapters/node/index.d.ts +0 -3
- package/dist/src/adapters/node/rpc-handler.d.ts +0 -11
- package/dist/src/adapters/node/types.d.ts +0 -22
- package/dist/src/adapters/standard/handler.d.ts +0 -53
- package/dist/src/adapters/standard/index.d.ts +0 -6
- package/dist/src/adapters/standard/rpc-codec.d.ts +0 -16
- package/dist/src/adapters/standard/rpc-handler.d.ts +0 -8
- package/dist/src/adapters/standard/rpc-matcher.d.ts +0 -10
- package/dist/src/adapters/standard/types.d.ts +0 -21
- package/dist/src/builder-variants.d.ts +0 -75
- package/dist/src/builder.d.ts +0 -58
- package/dist/src/config.d.ts +0 -6
- package/dist/src/context.d.ts +0 -8
- package/dist/src/error.d.ts +0 -12
- package/dist/src/hidden.d.ts +0 -8
- package/dist/src/implementer-procedure.d.ts +0 -33
- package/dist/src/implementer-variants.d.ts +0 -18
- package/dist/src/implementer.d.ts +0 -29
- package/dist/src/index.d.ts +0 -25
- package/dist/src/lazy-utils.d.ts +0 -6
- package/dist/src/lazy.d.ts +0 -22
- package/dist/src/middleware-decorated.d.ts +0 -11
- package/dist/src/middleware-utils.d.ts +0 -5
- package/dist/src/middleware.d.ts +0 -38
- package/dist/src/plugins/base.d.ts +0 -11
- package/dist/src/plugins/cors.d.ts +0 -19
- package/dist/src/plugins/index.d.ts +0 -4
- package/dist/src/plugins/response-headers.d.ts +0 -10
- package/dist/src/procedure-client.d.ts +0 -33
- package/dist/src/procedure-decorated.d.ts +0 -24
- package/dist/src/procedure-utils.d.ts +0 -19
- package/dist/src/procedure.d.ts +0 -31
- package/dist/src/router-accessible-lazy.d.ts +0 -8
- package/dist/src/router-client.d.ts +0 -12
- package/dist/src/router.d.ts +0 -30
- package/dist/src/utils.d.ts +0 -24
- package/dist/standard.js +0 -13
|
@@ -0,0 +1,124 @@
|
|
|
1
|
+
import { Value } from '@orpc/shared';
|
|
2
|
+
import { StandardRequest, StandardHeaders } from '@orpc/standard-server';
|
|
3
|
+
import { BatchResponseBodyItem } from '@orpc/standard-server/batch';
|
|
4
|
+
import { S as StandardHandlerInterceptorOptions, a as StandardHandlerPlugin, b as StandardHandlerOptions } from '../shared/server.DsVSuKTu.js';
|
|
5
|
+
import { C as Context, F as ProcedureClientInterceptorOptions } from '../shared/server.DQJX4Gnf.js';
|
|
6
|
+
import { Meta, ORPCError as ORPCError$1 } from '@orpc/contract';
|
|
7
|
+
import { ORPCError } from '@orpc/client';
|
|
8
|
+
|
|
9
|
+
interface BatchHandlerOptions<T extends Context> {
|
|
10
|
+
/**
|
|
11
|
+
* The max size of the batch allowed.
|
|
12
|
+
*
|
|
13
|
+
* @default 10
|
|
14
|
+
*/
|
|
15
|
+
maxSize?: Value<number, [StandardHandlerInterceptorOptions<T>]>;
|
|
16
|
+
/**
|
|
17
|
+
* Map the request before processing it.
|
|
18
|
+
*
|
|
19
|
+
* @default merged back batch request headers into the request
|
|
20
|
+
*/
|
|
21
|
+
mapRequestItem?(request: StandardRequest, batchOptions: StandardHandlerInterceptorOptions<T>): StandardRequest;
|
|
22
|
+
/**
|
|
23
|
+
* Success batch response status code.
|
|
24
|
+
*
|
|
25
|
+
* @default 207
|
|
26
|
+
*/
|
|
27
|
+
successStatus?: Value<number, [responses: Promise<BatchResponseBodyItem>[], batchOptions: StandardHandlerInterceptorOptions<T>]>;
|
|
28
|
+
/**
|
|
29
|
+
* success batch response headers.
|
|
30
|
+
*
|
|
31
|
+
* @default {}
|
|
32
|
+
*/
|
|
33
|
+
headers?: Value<StandardHeaders, [responses: Promise<BatchResponseBodyItem>[], batchOptions: StandardHandlerInterceptorOptions<T>]>;
|
|
34
|
+
}
|
|
35
|
+
declare class BatchHandlerPlugin<T extends Context> implements StandardHandlerPlugin<T> {
|
|
36
|
+
private readonly maxSize;
|
|
37
|
+
private readonly mapRequestItem;
|
|
38
|
+
private readonly successStatus;
|
|
39
|
+
private readonly headers;
|
|
40
|
+
order: number;
|
|
41
|
+
constructor(options?: BatchHandlerOptions<T>);
|
|
42
|
+
init(options: StandardHandlerOptions<T>): void;
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
interface CORSOptions<T extends Context> {
|
|
46
|
+
origin?: Value<string | readonly string[] | null | undefined, [origin: string, options: StandardHandlerInterceptorOptions<T>]>;
|
|
47
|
+
timingOrigin?: Value<string | readonly string[] | null | undefined, [origin: string, options: StandardHandlerInterceptorOptions<T>]>;
|
|
48
|
+
allowMethods?: readonly string[];
|
|
49
|
+
allowHeaders?: readonly string[];
|
|
50
|
+
maxAge?: number;
|
|
51
|
+
credentials?: boolean;
|
|
52
|
+
exposeHeaders?: readonly string[];
|
|
53
|
+
}
|
|
54
|
+
declare class CORSPlugin<T extends Context> implements StandardHandlerPlugin<T> {
|
|
55
|
+
private readonly options;
|
|
56
|
+
order: number;
|
|
57
|
+
constructor(options?: CORSOptions<T>);
|
|
58
|
+
init(options: StandardHandlerOptions<T>): void;
|
|
59
|
+
}
|
|
60
|
+
|
|
61
|
+
interface ResponseHeadersPluginContext {
|
|
62
|
+
resHeaders?: Headers;
|
|
63
|
+
}
|
|
64
|
+
declare class ResponseHeadersPlugin<T extends ResponseHeadersPluginContext> implements StandardHandlerPlugin<T> {
|
|
65
|
+
init(options: StandardHandlerOptions<T>): void;
|
|
66
|
+
}
|
|
67
|
+
|
|
68
|
+
interface SimpleCsrfProtectionHandlerPluginOptions<T extends Context> {
|
|
69
|
+
/**
|
|
70
|
+
* The name of the header to check.
|
|
71
|
+
*
|
|
72
|
+
* @default 'x-csrf-token'
|
|
73
|
+
*/
|
|
74
|
+
headerName?: Value<string, [options: StandardHandlerInterceptorOptions<T>]>;
|
|
75
|
+
/**
|
|
76
|
+
* The value of the header to check.
|
|
77
|
+
*
|
|
78
|
+
* @default 'orpc'
|
|
79
|
+
*
|
|
80
|
+
*/
|
|
81
|
+
headerValue?: Value<string, [options: StandardHandlerInterceptorOptions<T>]>;
|
|
82
|
+
/**
|
|
83
|
+
* Exclude a procedure from the plugin.
|
|
84
|
+
*
|
|
85
|
+
* @default false
|
|
86
|
+
*
|
|
87
|
+
*/
|
|
88
|
+
exclude?: Value<boolean, [options: ProcedureClientInterceptorOptions<T, Record<never, never>, Meta>]>;
|
|
89
|
+
/**
|
|
90
|
+
* The error thrown when the CSRF token is invalid.
|
|
91
|
+
*
|
|
92
|
+
* @default new ORPCError('CSRF_TOKEN_MISMATCH', {
|
|
93
|
+
* status: 403,
|
|
94
|
+
* message: 'Invalid CSRF token',
|
|
95
|
+
* })
|
|
96
|
+
*/
|
|
97
|
+
error?: InstanceType<typeof ORPCError>;
|
|
98
|
+
}
|
|
99
|
+
declare class SimpleCsrfProtectionHandlerPlugin<T extends Context> implements StandardHandlerPlugin<T> {
|
|
100
|
+
private readonly headerName;
|
|
101
|
+
private readonly headerValue;
|
|
102
|
+
private readonly exclude;
|
|
103
|
+
private readonly error;
|
|
104
|
+
constructor(options?: SimpleCsrfProtectionHandlerPluginOptions<T>);
|
|
105
|
+
order: number;
|
|
106
|
+
init(options: StandardHandlerOptions<T>): void;
|
|
107
|
+
}
|
|
108
|
+
|
|
109
|
+
interface StrictGetMethodPluginOptions {
|
|
110
|
+
/**
|
|
111
|
+
* The error thrown when a GET request is made to a procedure that doesn't allow GET.
|
|
112
|
+
*
|
|
113
|
+
* @default new ORPCError('METHOD_NOT_SUPPORTED')
|
|
114
|
+
*/
|
|
115
|
+
error?: InstanceType<typeof ORPCError$1>;
|
|
116
|
+
}
|
|
117
|
+
declare class StrictGetMethodPlugin<T extends Context> implements StandardHandlerPlugin<T> {
|
|
118
|
+
private readonly error;
|
|
119
|
+
order: number;
|
|
120
|
+
constructor(options?: StrictGetMethodPluginOptions);
|
|
121
|
+
init(options: StandardHandlerOptions<T>): void;
|
|
122
|
+
}
|
|
123
|
+
|
|
124
|
+
export { type BatchHandlerOptions, BatchHandlerPlugin, type CORSOptions, CORSPlugin, ResponseHeadersPlugin, type ResponseHeadersPluginContext, SimpleCsrfProtectionHandlerPlugin, type SimpleCsrfProtectionHandlerPluginOptions, StrictGetMethodPlugin, type StrictGetMethodPluginOptions };
|
|
@@ -0,0 +1,252 @@
|
|
|
1
|
+
import { value, isAsyncIteratorObject } from '@orpc/shared';
|
|
2
|
+
import { parseBatchRequest, toBatchResponse } from '@orpc/standard-server/batch';
|
|
3
|
+
import { ORPCError } from '@orpc/client';
|
|
4
|
+
export { S as StrictGetMethodPlugin } from '../shared/server.BW-nUGgA.mjs';
|
|
5
|
+
import '@orpc/contract';
|
|
6
|
+
|
|
7
|
+
class BatchHandlerPlugin {
|
|
8
|
+
maxSize;
|
|
9
|
+
mapRequestItem;
|
|
10
|
+
successStatus;
|
|
11
|
+
headers;
|
|
12
|
+
order = 5e6;
|
|
13
|
+
constructor(options = {}) {
|
|
14
|
+
this.maxSize = options.maxSize ?? 10;
|
|
15
|
+
this.mapRequestItem = options.mapRequestItem ?? ((request, { request: batchRequest }) => ({
|
|
16
|
+
...request,
|
|
17
|
+
headers: {
|
|
18
|
+
...batchRequest.headers,
|
|
19
|
+
...request.headers
|
|
20
|
+
}
|
|
21
|
+
}));
|
|
22
|
+
this.successStatus = options.successStatus ?? 207;
|
|
23
|
+
this.headers = options.headers ?? {};
|
|
24
|
+
}
|
|
25
|
+
init(options) {
|
|
26
|
+
options.rootInterceptors ??= [];
|
|
27
|
+
options.rootInterceptors.unshift(async (options2) => {
|
|
28
|
+
if (options2.request.headers["x-orpc-batch"] !== "1") {
|
|
29
|
+
return options2.next();
|
|
30
|
+
}
|
|
31
|
+
let isParsing = false;
|
|
32
|
+
try {
|
|
33
|
+
isParsing = true;
|
|
34
|
+
const parsed = parseBatchRequest({ ...options2.request, body: await options2.request.body() });
|
|
35
|
+
isParsing = false;
|
|
36
|
+
const maxSize = await value(this.maxSize, options2);
|
|
37
|
+
if (parsed.length > maxSize) {
|
|
38
|
+
return {
|
|
39
|
+
matched: true,
|
|
40
|
+
response: {
|
|
41
|
+
status: 413,
|
|
42
|
+
headers: {},
|
|
43
|
+
body: "Batch request size exceeds the maximum allowed size"
|
|
44
|
+
}
|
|
45
|
+
};
|
|
46
|
+
}
|
|
47
|
+
const responses = parsed.map(
|
|
48
|
+
(request, index) => {
|
|
49
|
+
const mapped = this.mapRequestItem(request, options2);
|
|
50
|
+
return options2.next({ ...options2, request: { ...mapped, body: () => Promise.resolve(mapped.body) } }).then(({ response: response2, matched }) => {
|
|
51
|
+
if (matched) {
|
|
52
|
+
if (response2.body instanceof Blob || response2.body instanceof FormData || isAsyncIteratorObject(response2.body)) {
|
|
53
|
+
return {
|
|
54
|
+
index,
|
|
55
|
+
status: 500,
|
|
56
|
+
headers: {},
|
|
57
|
+
body: "Batch responses do not support file/blob, or event-iterator. Please call this procedure separately outside of the batch request."
|
|
58
|
+
};
|
|
59
|
+
}
|
|
60
|
+
return { ...response2, index };
|
|
61
|
+
}
|
|
62
|
+
return { index, status: 404, headers: {}, body: "No procedure matched" };
|
|
63
|
+
}).catch(() => {
|
|
64
|
+
return { index, status: 500, headers: {}, body: "Internal server error" };
|
|
65
|
+
});
|
|
66
|
+
}
|
|
67
|
+
);
|
|
68
|
+
await Promise.race(responses);
|
|
69
|
+
const status = await value(this.successStatus, responses, options2);
|
|
70
|
+
const headers = await value(this.headers, responses, options2);
|
|
71
|
+
const response = toBatchResponse({
|
|
72
|
+
status,
|
|
73
|
+
headers,
|
|
74
|
+
body: async function* () {
|
|
75
|
+
const promises = [...responses];
|
|
76
|
+
while (true) {
|
|
77
|
+
const handling = promises.filter((p) => p !== void 0);
|
|
78
|
+
if (handling.length === 0) {
|
|
79
|
+
return;
|
|
80
|
+
}
|
|
81
|
+
const result = await Promise.race(handling);
|
|
82
|
+
promises[result.index] = void 0;
|
|
83
|
+
yield result;
|
|
84
|
+
}
|
|
85
|
+
}()
|
|
86
|
+
});
|
|
87
|
+
return {
|
|
88
|
+
matched: true,
|
|
89
|
+
response
|
|
90
|
+
};
|
|
91
|
+
} catch (cause) {
|
|
92
|
+
if (isParsing) {
|
|
93
|
+
return {
|
|
94
|
+
matched: true,
|
|
95
|
+
response: { status: 400, headers: {}, body: "Invalid batch request, this could be caused by a malformed request body or a missing header" }
|
|
96
|
+
};
|
|
97
|
+
}
|
|
98
|
+
throw cause;
|
|
99
|
+
}
|
|
100
|
+
});
|
|
101
|
+
}
|
|
102
|
+
}
|
|
103
|
+
|
|
104
|
+
class CORSPlugin {
|
|
105
|
+
options;
|
|
106
|
+
order = 9e6;
|
|
107
|
+
constructor(options = {}) {
|
|
108
|
+
const defaults = {
|
|
109
|
+
origin: (origin) => origin,
|
|
110
|
+
allowMethods: ["GET", "HEAD", "PUT", "POST", "DELETE", "PATCH"]
|
|
111
|
+
};
|
|
112
|
+
this.options = {
|
|
113
|
+
...defaults,
|
|
114
|
+
...options
|
|
115
|
+
};
|
|
116
|
+
}
|
|
117
|
+
init(options) {
|
|
118
|
+
options.rootInterceptors ??= [];
|
|
119
|
+
options.rootInterceptors.unshift(async (interceptorOptions) => {
|
|
120
|
+
if (interceptorOptions.request.method === "OPTIONS") {
|
|
121
|
+
const resHeaders = {};
|
|
122
|
+
if (this.options.maxAge !== void 0) {
|
|
123
|
+
resHeaders["access-control-max-age"] = this.options.maxAge.toString();
|
|
124
|
+
}
|
|
125
|
+
if (this.options.allowMethods?.length) {
|
|
126
|
+
resHeaders["access-control-allow-methods"] = this.options.allowMethods.join(",");
|
|
127
|
+
}
|
|
128
|
+
const allowHeaders = this.options.allowHeaders ?? interceptorOptions.request.headers["access-control-request-headers"];
|
|
129
|
+
if (Array.isArray(allowHeaders) && allowHeaders.length) {
|
|
130
|
+
resHeaders["access-control-allow-headers"] = allowHeaders.join(",");
|
|
131
|
+
} else if (typeof allowHeaders === "string") {
|
|
132
|
+
resHeaders["access-control-allow-headers"] = allowHeaders;
|
|
133
|
+
}
|
|
134
|
+
return {
|
|
135
|
+
matched: true,
|
|
136
|
+
response: {
|
|
137
|
+
status: 204,
|
|
138
|
+
headers: resHeaders,
|
|
139
|
+
body: void 0
|
|
140
|
+
}
|
|
141
|
+
};
|
|
142
|
+
}
|
|
143
|
+
return interceptorOptions.next();
|
|
144
|
+
});
|
|
145
|
+
options.rootInterceptors.unshift(async (interceptorOptions) => {
|
|
146
|
+
const result = await interceptorOptions.next();
|
|
147
|
+
if (!result.matched) {
|
|
148
|
+
return result;
|
|
149
|
+
}
|
|
150
|
+
const origin = Array.isArray(interceptorOptions.request.headers.origin) ? interceptorOptions.request.headers.origin.join(",") : interceptorOptions.request.headers.origin || "";
|
|
151
|
+
const allowedOrigin = await value(this.options.origin, origin, interceptorOptions);
|
|
152
|
+
const allowedOriginArr = Array.isArray(allowedOrigin) ? allowedOrigin : [allowedOrigin];
|
|
153
|
+
if (allowedOriginArr.includes("*")) {
|
|
154
|
+
result.response.headers["access-control-allow-origin"] = "*";
|
|
155
|
+
} else {
|
|
156
|
+
if (allowedOriginArr.includes(origin)) {
|
|
157
|
+
result.response.headers["access-control-allow-origin"] = origin;
|
|
158
|
+
}
|
|
159
|
+
result.response.headers.vary = interceptorOptions.request.headers.vary ?? "origin";
|
|
160
|
+
}
|
|
161
|
+
const allowedTimingOrigin = await value(this.options.timingOrigin, origin, interceptorOptions);
|
|
162
|
+
const allowedTimingOriginArr = Array.isArray(allowedTimingOrigin) ? allowedTimingOrigin : [allowedTimingOrigin];
|
|
163
|
+
if (allowedTimingOriginArr.includes("*")) {
|
|
164
|
+
result.response.headers["timing-allow-origin"] = "*";
|
|
165
|
+
} else if (allowedTimingOriginArr.includes(origin)) {
|
|
166
|
+
result.response.headers["timing-allow-origin"] = origin;
|
|
167
|
+
}
|
|
168
|
+
if (this.options.credentials) {
|
|
169
|
+
result.response.headers["access-control-allow-credentials"] = "true";
|
|
170
|
+
}
|
|
171
|
+
if (this.options.exposeHeaders?.length) {
|
|
172
|
+
result.response.headers["access-control-expose-headers"] = this.options.exposeHeaders.join(",");
|
|
173
|
+
}
|
|
174
|
+
return result;
|
|
175
|
+
});
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
|
|
179
|
+
class ResponseHeadersPlugin {
|
|
180
|
+
init(options) {
|
|
181
|
+
options.rootInterceptors ??= [];
|
|
182
|
+
options.rootInterceptors.push(async (interceptorOptions) => {
|
|
183
|
+
const resHeaders = interceptorOptions.context.resHeaders ?? new Headers();
|
|
184
|
+
const result = await interceptorOptions.next({
|
|
185
|
+
...interceptorOptions,
|
|
186
|
+
context: {
|
|
187
|
+
...interceptorOptions.context,
|
|
188
|
+
resHeaders
|
|
189
|
+
}
|
|
190
|
+
});
|
|
191
|
+
if (!result.matched) {
|
|
192
|
+
return result;
|
|
193
|
+
}
|
|
194
|
+
const responseHeaders = result.response.headers;
|
|
195
|
+
for (const [key, value] of resHeaders) {
|
|
196
|
+
if (Array.isArray(responseHeaders[key])) {
|
|
197
|
+
responseHeaders[key].push(value);
|
|
198
|
+
} else if (responseHeaders[key] !== void 0) {
|
|
199
|
+
responseHeaders[key] = [responseHeaders[key], value];
|
|
200
|
+
} else {
|
|
201
|
+
responseHeaders[key] = value;
|
|
202
|
+
}
|
|
203
|
+
}
|
|
204
|
+
return result;
|
|
205
|
+
});
|
|
206
|
+
}
|
|
207
|
+
}
|
|
208
|
+
|
|
209
|
+
const SIMPLE_CSRF_PROTECTION_CONTEXT_SYMBOL = Symbol("SIMPLE_CSRF_PROTECTION_CONTEXT");
|
|
210
|
+
class SimpleCsrfProtectionHandlerPlugin {
|
|
211
|
+
headerName;
|
|
212
|
+
headerValue;
|
|
213
|
+
exclude;
|
|
214
|
+
error;
|
|
215
|
+
constructor(options = {}) {
|
|
216
|
+
this.headerName = options.headerName ?? "x-csrf-token";
|
|
217
|
+
this.headerValue = options.headerValue ?? "orpc";
|
|
218
|
+
this.exclude = options.exclude ?? false;
|
|
219
|
+
this.error = options.error ?? new ORPCError("CSRF_TOKEN_MISMATCH", {
|
|
220
|
+
status: 403,
|
|
221
|
+
message: "Invalid CSRF token"
|
|
222
|
+
});
|
|
223
|
+
}
|
|
224
|
+
order = 8e6;
|
|
225
|
+
init(options) {
|
|
226
|
+
options.rootInterceptors ??= [];
|
|
227
|
+
options.clientInterceptors ??= [];
|
|
228
|
+
options.rootInterceptors.unshift(async (options2) => {
|
|
229
|
+
const headerName = await value(this.headerName, options2);
|
|
230
|
+
const headerValue = await value(this.headerValue, options2);
|
|
231
|
+
return options2.next({
|
|
232
|
+
...options2,
|
|
233
|
+
context: {
|
|
234
|
+
...options2.context,
|
|
235
|
+
[SIMPLE_CSRF_PROTECTION_CONTEXT_SYMBOL]: options2.request.headers[headerName] === headerValue
|
|
236
|
+
}
|
|
237
|
+
});
|
|
238
|
+
});
|
|
239
|
+
options.clientInterceptors.unshift(async (options2) => {
|
|
240
|
+
if (typeof options2.context[SIMPLE_CSRF_PROTECTION_CONTEXT_SYMBOL] !== "boolean") {
|
|
241
|
+
throw new TypeError("[SimpleCsrfProtectionHandlerPlugin] CSRF protection context has been corrupted or modified by another plugin or interceptor");
|
|
242
|
+
}
|
|
243
|
+
const excluded = await value(this.exclude, options2);
|
|
244
|
+
if (!excluded && !options2.context[SIMPLE_CSRF_PROTECTION_CONTEXT_SYMBOL]) {
|
|
245
|
+
throw this.error;
|
|
246
|
+
}
|
|
247
|
+
return options2.next();
|
|
248
|
+
});
|
|
249
|
+
}
|
|
250
|
+
}
|
|
251
|
+
|
|
252
|
+
export { BatchHandlerPlugin, CORSPlugin, ResponseHeadersPlugin, SimpleCsrfProtectionHandlerPlugin };
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import { C as Context, R as Router } from './server.DQJX4Gnf.mjs';
|
|
2
|
+
import { StandardRPCJsonSerializerOptions } from '@orpc/client/standard';
|
|
3
|
+
import { b as StandardHandlerOptions, i as StandardHandler } from './server.ClO23hLW.mjs';
|
|
4
|
+
|
|
5
|
+
interface StandardRPCHandlerOptions<T extends Context> extends StandardHandlerOptions<T>, StandardRPCJsonSerializerOptions {
|
|
6
|
+
/**
|
|
7
|
+
* Enables or disables the StrictGetMethodPlugin.
|
|
8
|
+
*
|
|
9
|
+
* @default true
|
|
10
|
+
*/
|
|
11
|
+
strictGetMethodPluginEnabled?: boolean;
|
|
12
|
+
}
|
|
13
|
+
declare class StandardRPCHandler<T extends Context> extends StandardHandler<T> {
|
|
14
|
+
constructor(router: Router<any, T>, options: StandardRPCHandlerOptions<T>);
|
|
15
|
+
}
|
|
16
|
+
|
|
17
|
+
export { type StandardRPCHandlerOptions as S, StandardRPCHandler as a };
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
import { ORPCError, fallbackContractConfig } from '@orpc/contract';
|
|
2
|
+
|
|
3
|
+
const STRICT_GET_METHOD_PLUGIN_IS_GET_METHOD_CONTEXT_SYMBOL = Symbol("STRICT_GET_METHOD_PLUGIN_IS_GET_METHOD_CONTEXT");
|
|
4
|
+
class StrictGetMethodPlugin {
|
|
5
|
+
error;
|
|
6
|
+
order = 7e6;
|
|
7
|
+
constructor(options = {}) {
|
|
8
|
+
this.error = options.error ?? new ORPCError("METHOD_NOT_SUPPORTED");
|
|
9
|
+
}
|
|
10
|
+
init(options) {
|
|
11
|
+
options.rootInterceptors ??= [];
|
|
12
|
+
options.clientInterceptors ??= [];
|
|
13
|
+
options.rootInterceptors.unshift((options2) => {
|
|
14
|
+
const isGetMethod = options2.request.method === "GET";
|
|
15
|
+
return options2.next({
|
|
16
|
+
...options2,
|
|
17
|
+
context: {
|
|
18
|
+
...options2.context,
|
|
19
|
+
[STRICT_GET_METHOD_PLUGIN_IS_GET_METHOD_CONTEXT_SYMBOL]: isGetMethod
|
|
20
|
+
}
|
|
21
|
+
});
|
|
22
|
+
});
|
|
23
|
+
options.clientInterceptors.unshift((options2) => {
|
|
24
|
+
if (typeof options2.context[STRICT_GET_METHOD_PLUGIN_IS_GET_METHOD_CONTEXT_SYMBOL] !== "boolean") {
|
|
25
|
+
throw new TypeError("[StrictGetMethodPlugin] strict GET method context has been corrupted or modified by another plugin or interceptor");
|
|
26
|
+
}
|
|
27
|
+
const procedureMethod = fallbackContractConfig("defaultMethod", options2.procedure["~orpc"].route.method);
|
|
28
|
+
if (options2.context[STRICT_GET_METHOD_PLUGIN_IS_GET_METHOD_CONTEXT_SYMBOL] && procedureMethod !== "GET") {
|
|
29
|
+
throw this.error;
|
|
30
|
+
}
|
|
31
|
+
return options2.next();
|
|
32
|
+
});
|
|
33
|
+
}
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
export { StrictGetMethodPlugin as S };
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import { C as Context, R as Router } from './server.DQJX4Gnf.js';
|
|
2
|
+
import { StandardRPCJsonSerializerOptions } from '@orpc/client/standard';
|
|
3
|
+
import { b as StandardHandlerOptions, i as StandardHandler } from './server.DsVSuKTu.js';
|
|
4
|
+
|
|
5
|
+
interface StandardRPCHandlerOptions<T extends Context> extends StandardHandlerOptions<T>, StandardRPCJsonSerializerOptions {
|
|
6
|
+
/**
|
|
7
|
+
* Enables or disables the StrictGetMethodPlugin.
|
|
8
|
+
*
|
|
9
|
+
* @default true
|
|
10
|
+
*/
|
|
11
|
+
strictGetMethodPluginEnabled?: boolean;
|
|
12
|
+
}
|
|
13
|
+
declare class StandardRPCHandler<T extends Context> extends StandardHandler<T> {
|
|
14
|
+
constructor(router: Router<any, T>, options: StandardRPCHandlerOptions<T>);
|
|
15
|
+
}
|
|
16
|
+
|
|
17
|
+
export { type StandardRPCHandlerOptions as S, StandardRPCHandler as a };
|