@pracht/adapter-node 0.0.1 → 0.1.0

package/dist/index.d.mts

@@ -20,6 +20,23 @@ interface NodeAdapterOptions<TContext = unknown> {
   cssManifest?: Record<string, string[]>;
   jsManifest?: Record<string, string[]>;
   createContext?: (args: NodeAdapterContextArgs) => TContext | Promise<TContext>;
+  /**
+   * Whether to trust proxy headers (`Forwarded`, `X-Forwarded-Proto`,
+   * `X-Forwarded-Host`) when constructing the request URL.
+   *
+   * When **false** (the default), the request URL is derived from the socket:
+   * protocol is inferred from TLS state, and host from the `Host` header.
+   * Forwarded headers are ignored, preventing host-header poisoning.
+   *
+   * When **true**, forwarded headers are honored with the following precedence:
+   *   1. RFC 7239 `Forwarded` header (`proto=` and `host=` directives)
+   *   2. `X-Forwarded-Proto` / `X-Forwarded-Host`
+   *   3. Socket-derived values (fallback)
+   *
+   * Enable this only when the Node server sits behind a trusted reverse proxy
+   * (e.g. nginx, Cloudflare, a load balancer) that sets these headers.
+   */
+  trustProxy?: boolean;
 }
 interface NodeServerEntryModuleOptions {
   port?: number;

package/dist/index.mjs

@@ -1,15 +1,46 @@
 import { existsSync, mkdirSync, statSync, writeFileSync } from "node:fs";
 import { readFile } from "node:fs/promises";
-import { dirname, join } from "node:path";
+import { dirname, extname, join } from "node:path";
 import { applyDefaultSecurityHeaders, handlePrachtRequest } from "@pracht/core";
 //#region src/index.ts
+const ROUTE_STATE_REQUEST_HEADER = "x-pracht-route-state-request";
+const MIME_TYPES = {
+	".html": "text/html; charset=utf-8",
+	".js": "application/javascript",
+	".css": "text/css",
+	".json": "application/json",
+	".png": "image/png",
+	".jpg": "image/jpeg",
+	".jpeg": "image/jpeg",
+	".gif": "image/gif",
+	".webp": "image/webp",
+	".svg": "image/svg+xml",
+	".ico": "image/x-icon",
+	".woff": "font/woff",
+	".woff2": "font/woff2",
+	".ttf": "font/ttf",
+	".otf": "font/otf",
+	".txt": "text/plain",
+	".xml": "application/xml",
+	".webmanifest": "application/manifest+json"
+};
+/**
+* Hashed assets (e.g. `assets/chunk-AbCd1234.js`) are safe to cache
+* indefinitely.  Everything else gets a conservative policy.
+*/
+const HASHED_ASSET_RE = /\/assets\//;
+function getCacheControl(urlPath) {
+	if (HASHED_ASSET_RE.test(urlPath)) return "public, max-age=31536000, immutable";
+	return "public, max-age=0, must-revalidate";
+}
 function createNodeRequestHandler(options) {
 	const isgManifest = options.isgManifest ?? {};
 	const staticDir = options.staticDir;
+	const trustProxy = options.trustProxy ?? false;
 	return async (req, res) => {
 		let request;
 		try {
-			request = await createWebRequest(req);
+			request = await createWebRequest(req, trustProxy);
 		} catch (err) {
 			if (err instanceof Error && err.message === "Request body too large") {
 				res.statusCode = 413;
@@ -19,7 +50,23 @@ function createNodeRequestHandler(options) {
 			throw err;
 		}
 		const url = new URL(request.url);
-		if (staticDir && request.method === "GET" && url.pathname in isgManifest) {
+		const isRouteStateRequest = request.headers.get(ROUTE_STATE_REQUEST_HEADER) === "1";
+		if (staticDir && request.method === "GET") {
+			const staticResult = resolveStaticFile(staticDir, url.pathname, isgManifest);
+			if (staticResult) {
+				const body = await readFile(staticResult.filePath);
+				res.statusCode = 200;
+				applyDefaultSecurityHeaders(new Headers({
+					"content-type": staticResult.contentType,
+					"cache-control": staticResult.cacheControl
+				})).forEach((value, key) => {
+					res.setHeader(key, value);
+				});
+				res.end(body);
+				return;
+			}
+		}
+		if (staticDir && request.method === "GET" && !isRouteStateRequest && url.pathname in isgManifest) {
 			const entry = isgManifest[url.pathname];
 			const htmlPath = url.pathname === "/" ? join(staticDir, "index.html") : join(staticDir, url.pathname, "index.html");
 			if (existsSync(htmlPath)) {
@@ -30,7 +77,9 @@ function createNodeRequestHandler(options) {
 				res.statusCode = 200;
 				applyDefaultSecurityHeaders(new Headers({
 					"content-type": "text/html; charset=utf-8",
-					"x-pracht-isg": isStale ? "stale" : "fresh"
+					"cache-control": "public, max-age=0, must-revalidate",
+					"x-pracht-isg": isStale ? "stale" : "fresh",
+					vary: ROUTE_STATE_REQUEST_HEADER
 				})).forEach((value, key) => {
 					res.setHeader(key, value);
 				});
@@ -56,7 +105,7 @@ function createNodeRequestHandler(options) {
 			cssManifest: options.cssManifest,
 			jsManifest: options.jsManifest
 		});
-		if (staticDir && request.method === "GET" && url.pathname in isgManifest && response.status === 200) {
+		if (staticDir && request.method === "GET" && !isRouteStateRequest && url.pathname in isgManifest && response.status === 200 && response.headers.get("content-type")?.includes("text/html")) {
 			const html = await response.clone().text();
 			const htmlPath = url.pathname === "/" ? join(staticDir, "index.html") : join(staticDir, url.pathname, "index.html");
 			mkdirSync(dirname(htmlPath), { recursive: true });
@@ -119,9 +168,8 @@ function createNodeServerEntryModule(options = {}) {
 		""
 	].join("\n");
 }
-async function createWebRequest(req) {
-	const protocol = getFirstHeaderValue(req.headers["x-forwarded-proto"]) ?? "http";
-	const host = getFirstHeaderValue(req.headers.host) ?? "localhost";
+async function createWebRequest(req, trustProxy) {
+	const { protocol, host } = resolveOrigin(req, trustProxy);
 	const url = new URL(req.url ?? "/", `${protocol}://${host}`);
 	const method = req.method ?? "GET";
 	const init = {
@@ -138,6 +186,56 @@ async function createWebRequest(req) {
 	}
 	return new Request(url, init);
 }
+/**
+* Derive the request protocol and host from the incoming message.
+*
+* When `trustProxy` is false (default), the protocol is inferred from the
+* socket's TLS state and the host from the HTTP `Host` header.  Forwarded
+* headers are ignored entirely.
+*
+* When `trustProxy` is true, the following precedence applies:
+*   1. RFC 7239 `Forwarded` header (`proto=` / `host=` directives)
+*   2. `X-Forwarded-Proto` / `X-Forwarded-Host`
+*   3. Socket-derived values (fallback)
+*/
+function resolveOrigin(req, trustProxy) {
+	const socketProtocol = "encrypted" in req.socket && req.socket.encrypted ? "https" : "http";
+	const socketHost = getFirstHeaderValue(req.headers.host) ?? "localhost";
+	if (!trustProxy) return {
+		protocol: socketProtocol,
+		host: socketHost
+	};
+	const forwarded = getFirstHeaderValue(req.headers.forwarded);
+	if (forwarded) {
+		const parsed = parseForwardedHeader(forwarded);
+		return {
+			protocol: parsed.proto ?? getFirstHeaderValue(req.headers["x-forwarded-proto"]) ?? socketProtocol,
+			host: parsed.host ?? getFirstHeaderValue(req.headers["x-forwarded-host"]) ?? socketHost
+		};
+	}
+	return {
+		protocol: getFirstHeaderValue(req.headers["x-forwarded-proto"]) ?? socketProtocol,
+		host: getFirstHeaderValue(req.headers["x-forwarded-host"]) ?? socketHost
+	};
+}
+/**
+* Parse the first element of an RFC 7239 `Forwarded` header, extracting
+* `proto` and `host` directives.  Returns `undefined` for directives that
+* are not present.
+*/
+function parseForwardedHeader(value) {
+	const first = value.split(",")[0];
+	const result = {};
+	for (const part of first.split(";")) {
+		const [key, val] = part.trim().split("=");
+		if (!key || !val) continue;
+		const k = key.toLowerCase();
+		const v = val.replace(/^"|"$/g, "");
+		if (k === "proto") result.proto = v;
+		else if (k === "host") result.host = v;
+	}
+	return result;
+}
 function createHeaders(headers) {
 	const result = new Headers();
 	for (const [key, value] of Object.entries(headers)) {
@@ -184,6 +282,35 @@ function getFirstHeaderValue(value) {
 }
 const BODYLESS_METHODS = new Set(["GET", "HEAD"]);
 /**
+* Resolve a URL pathname to a static file inside `staticDir`.
+*
+* Tries the exact path first (e.g. `/assets/chunk-Ab12.js`), then falls back
+* to `{pathname}/index.html` for clean-URL pages (e.g. `/about` →
+* `about/index.html`).  Returns `null` when no matching file is found.
+*/
+function resolveStaticFile(staticDir, pathname, isgManifest = {}) {
+	const exactPath = join(staticDir, pathname);
+	if (!exactPath.startsWith(staticDir + "/") && exactPath !== staticDir) return null;
+	try {
+		if (statSync(exactPath).isFile()) return {
+			filePath: exactPath,
+			contentType: MIME_TYPES[extname(exactPath)] || "application/octet-stream",
+			cacheControl: getCacheControl(pathname)
+		};
+	} catch {}
+	if (pathname in isgManifest) return null;
+	const indexPath = pathname === "/" ? join(staticDir, "index.html") : join(staticDir, pathname, "index.html");
+	if (!indexPath.startsWith(staticDir + "/")) return null;
+	try {
+		if (statSync(indexPath).isFile()) return {
+			filePath: indexPath,
+			contentType: "text/html; charset=utf-8",
+			cacheControl: "public, max-age=0, must-revalidate"
+		};
+	} catch {}
+	return null;
+}
+/**
 * Create a pracht adapter for Node.js.
 *
 * ```ts

package/package.json

@@ -1,30 +1,30 @@
 {
   "name": "@pracht/adapter-node",
-  "version": "0.0.1",
+  "version": "0.1.0",
+  "homepage": "https://github.com/JoviDeCroock/pracht/tree/main/packages/adapter-node",
+  "bugs": {
+    "url": "https://github.com/JoviDeCroock/pracht/issues"
+  },
   "repository": {
     "type": "git",
     "url": "https://github.com/JoviDeCroock/pracht",
     "directory": "packages/adapter-node"
   },
-  "homepage": "https://github.com/JoviDeCroock/pracht/tree/main/packages/adapter-node",
-  "bugs": {
-    "url": "https://github.com/JoviDeCroock/pracht/issues"
-  },
   "files": [
     "dist"
   ],
   "type": "module",
-  "publishConfig": {
-    "provenance": true
-  },
   "exports": {
     ".": {
       "types": "./dist/index.d.mts",
       "default": "./dist/index.mjs"
     }
   },
+  "publishConfig": {
+    "provenance": true
+  },
   "dependencies": {
-    "@pracht/core": "0.0.1"
+    "@pracht/core": "0.1.0"
   },
   "scripts": {
     "build": "tsdown"