@qwik.dev/router 2.0.0-beta.18 → 2.0.0-beta.19

package/lib/index.d.ts

@@ -25,6 +25,7 @@ import type { ResolveSyncValue } from '@qwik.dev/router/middleware/request-handl
 import type { SerializationStrategy } from '@qwik.dev/core/internal';
 import type * as v from 'valibot';
 import type { ValueOrPromise } from '@qwik.dev/core';
+import { ValueOrPromise as ValueOrPromise_2 } from '@qwik.dev/core/internal';
 import { z } from 'zod';
 import type * as z_2 from 'zod';
 
@@ -593,12 +594,6 @@ export declare const QWIK_CITY_SCROLLER = "_qCityScroller";
 /** @public */
 export declare const QWIK_ROUTER_SCROLLER = "_qRouterScroller";
 
-/**
- * @deprecated Use `QwikRouterMockProps` instead. will be removed in V3
- * @public
- */
-export declare type QwikCityMockProps = QwikRouterMockProps;
-
 /**
  * @deprecated Use `useQwikMockRouter()` instead. Will be removed in V3
  * @public
@@ -642,11 +637,62 @@ export declare interface QwikRouterEnvData {
     loadedRoute: LoadedRoute | null;
 }
 
+/** @public */
+export declare interface QwikRouterMockActionProp<T = any> {
+    /** The action function to mock. */
+    action: Action<T>;
+    /** The QRL function that will be called when the action is submitted. */
+    handler: QRL<(data: T) => ValueOrPromise_2<RouteActionResolver>>;
+}
+
+/** @public */
+export declare interface QwikRouterMockLoaderProp<T = any> {
+    /** The loader function to mock. */
+    loader: Loader_2<T>;
+    /** The data to return when the loader is called. */
+    data: T;
+}
+
 /** @public */
 export declare interface QwikRouterMockProps {
+    /**
+     * Allow mocking the url returned by `useLocation` hook.
+     *
+     * Default: `http://localhost/`
+     */
     url?: string;
+    /** Allow mocking the route params returned by `useLocation` hook. */
     params?: Record<string, string>;
+    /** Allow mocking the `goto` function returned by `useNavigate` hook. */
     goto?: RouteNavigate;
+    /**
+     * Allow mocking data for loaders defined with `routeLoader$` function.
+     *
+     * ```
+     * [
+     *   {
+     *     loader: useProductData,
+     *     data: { product: { name: 'Test Product' } },
+     *   },
+     * ];
+     * ```
+     */
+    loaders?: Array<QwikRouterMockLoaderProp<any>>;
+    /**
+     * Allow mocking actions defined with `routeAction$` function.
+     *
+     * ```
+     * [
+     *   {
+     *     action: useAddUser,
+     *     handler: $(async (data) => {
+     *       console.log('useAddUser action called with data:', data);
+     *     }),
+     *   },
+     * ];
+     * ```
+     */
+    actions?: Array<QwikRouterMockActionProp<any>>;
 }
 
 /** @public */
@@ -706,6 +752,11 @@ export declare const routeAction$: ActionConstructor;
 
 /* Excluded from this release type: routeActionQrl */
 
+declare type RouteActionResolver = {
+    status: number;
+    result: unknown;
+};
+
 /** @public */
 export declare type RouteData = [
 routeName: string,

package/lib/index.qwik.mjs

@@ -65,14 +65,10 @@ const Link = component$((props) => {
     scroll,
     ...linkProps
   } = /* @__PURE__ */ (() => props)();
-  const clientNavPath = untrack(() => getClientNavPath({ ...linkProps, reload }, loc));
+  const clientNavPath = untrack(getClientNavPath, { ...linkProps, reload }, loc);
   linkProps.href = clientNavPath || originalHref;
-  const prefetchData = untrack(
-    () => !!clientNavPath && prefetchProp !== false && prefetchProp !== "js" || void 0
-  );
-  const prefetch = untrack(
-    () => prefetchData || !!clientNavPath && prefetchProp !== false && shouldPreload(clientNavPath, loc)
-  );
+  const prefetchData = !!clientNavPath && prefetchProp !== false && prefetchProp !== "js" || void 0;
+  const prefetch = prefetchData || !!clientNavPath && prefetchProp !== false && untrack(shouldPreload, clientNavPath, loc);
   const handlePrefetch = prefetch ? $((_, elm) => {
     if (navigator.connection?.saveData) {
       return;
@@ -550,7 +546,9 @@ const useQwikRouter = (props) => {
     } = typeof opt === "object" ? opt : { forceReload: opt };
     internalState.navCount++;
     if (isBrowser && type === "link" && routeInternal.value.type === "initial") {
-      routeInternal.value.dest = new URL(window.location.href);
+      const url2 = new URL(window.location.href);
+      routeInternal.value.dest = url2;
+      routeLocation.url = url2;
     }
     const lastDest = routeInternal.value.dest;
     const dest = path === void 0 ? lastDest : typeof path === "number" ? path : toUrl(path, routeLocation.url);
@@ -952,7 +950,14 @@ const useQwikMockRouter = (props) => {
     },
     { deep: false }
   );
-  const loaderState = {};
+  const loadersData = props.loaders?.reduce(
+    (acc, { loader, data }) => {
+      acc[loader.__id] = data;
+      return acc;
+    },
+    {}
+  );
+  const loaderState = useStore(loadersData ?? {}, { deep: false });
   const goto = props.goto ?? $(async () => {
     console.warn("QwikRouterMockProvider: goto not provided");
   });
@@ -973,6 +978,24 @@ const useQwikMockRouter = (props) => {
   useContextProvider(RouteNavigateContext, goto);
   useContextProvider(RouteStateContext, loaderState);
   useContextProvider(RouteActionContext, actionState);
+  const actionsMocks = props.actions?.reduce(
+    (acc, { action, handler }) => {
+      acc[action.__id] = handler;
+      return acc;
+    },
+    {}
+  );
+  useTask$(async ({ track }) => {
+    const action = track(actionState);
+    if (!action?.resolve) {
+      return;
+    }
+    const mock = actionsMocks?.[action.id];
+    if (mock) {
+      const actionResult = await mock(action.data);
+      action.resolve(actionResult);
+    }
+  });
 };
 const QwikRouterMockProvider = component$((props) => {
   useQwikMockRouter(props);

package/lib/middleware/bun/index.d.ts

@@ -29,6 +29,17 @@ export declare interface QwikRouterBunOptions extends ServerRenderOptions {
         /** Set the Cache-Control header for all static files */
         cacheControl?: string;
     };
+    /**
+     * Provide a function that computes the origin of the server, used to resolve relative URLs and
+     * validate the request origin against CSRF attacks.
+     *
+     * When not specified, it defaults to the `ORIGIN` environment variable (if set).
+     *
+     * If `ORIGIN` is not set, it's derived from the incoming request, which is not recommended for
+     * production use.
+     */
+    getOrigin?: (request: Request) => string | null;
+    /** Provide a function that returns a `ClientConn` for the given request. */
     getClientConn?: (request: Request) => ClientConn;
 }
 

package/lib/middleware/bun/index.mjs

@@ -3,6 +3,14 @@ import { _TextEncoderStream_polyfill, isStaticPath, getNotFound, mergeHeadersCoo
 import { join, extname } from 'node:path';
 import { M as MIME_TYPES } from '../../chunks/mime-types.mjs';
 
+function getRequestUrl(request, opts) {
+  const url = new URL(request.url);
+  const origin = opts.getOrigin?.(request) ?? Bun.env.ORIGIN;
+  if (!origin) {
+    return url;
+  }
+  return new URL(`${url.pathname}${url.search}${url.hash}`, origin);
+}
 function createQwikRouter(opts) {
   if (opts.qwikCityPlan && !opts.qwikRouterConfig) {
     console.warn("qwikCityPlan is deprecated. Simply remove it.");
@@ -15,7 +23,7 @@ function createQwikRouter(opts) {
   const staticFolder = opts.static?.root ?? join(Bun.fileURLToPath(import.meta.url), "..", "..", "dist");
   async function router(request) {
     try {
-      const url = new URL(request.url);
+      const url = getRequestUrl(request, opts);
       const serverRequestEv = {
         mode: "server",
         locale: void 0,
@@ -71,7 +79,7 @@ function createQwikRouter(opts) {
   }
   const notFound = async (request) => {
     try {
-      const url = new URL(request.url);
+      const url = getRequestUrl(request, opts);
       const notFoundHtml = !request.headers.get("accept")?.includes("text/html") || isStaticPath(request.method || "GET", url) ? "Not Found" : getNotFound(url.pathname);
       return new Response(notFoundHtml, {
         status: 404,
@@ -103,7 +111,7 @@ function createQwikRouter(opts) {
   };
   const staticFile = async (request) => {
     try {
-      const url = new URL(request.url);
+      const url = getRequestUrl(request, opts);
       if (isStaticPath(request.method || "GET", url)) {
         const { filePath, content } = await openStaticFile(url);
         if (!await content.exists()) {

package/lib/middleware/deno/index.d.ts

@@ -36,6 +36,17 @@ export declare interface QwikRouterDenoOptions extends ServerRenderOptions {
         /** Set the Cache-Control header for all static files */
         cacheControl?: string;
     };
+    /**
+     * Provide a function that computes the origin of the server, used to resolve relative URLs and
+     * validate the request origin against CSRF attacks.
+     *
+     * When not specified, it defaults to the `ORIGIN` environment variable (if set).
+     *
+     * If `ORIGIN` is not set, it's derived from the incoming request, which is not recommended for
+     * production use.
+     */
+    getOrigin?: (request: Request, info?: ServeHandlerInfo) => string | null;
+    /** Provide a function that returns a `ClientConn` for the given request. */
     getClientConn?: (request: Request, info: ServeHandlerInfo) => ClientConn;
 }
 

package/lib/middleware/deno/index.mjs

@@ -3,6 +3,14 @@ import { isStaticPath, getNotFound, mergeHeadersCookies, requestHandler } from '
 import { M as MIME_TYPES } from '../../chunks/mime-types.mjs';
 import { join, fromFileUrl, extname } from 'https://deno.land/std/path/mod.ts';
 
+function getRequestUrl(request, opts, info) {
+  const url = new URL(request.url);
+  const origin = opts.getOrigin?.(request, info) ?? Deno.env?.get?.("ORIGIN");
+  if (!origin) {
+    return url;
+  }
+  return new URL(`${url.pathname}${url.search}${url.hash}`, origin);
+}
 function createQwikRouter(opts) {
   if (opts.qwikCityPlan && !opts.qwikRouterConfig) {
     console.warn("qwikCityPlan is deprecated. Simply remove it.");
@@ -14,7 +22,7 @@ function createQwikRouter(opts) {
   const staticFolder = opts.static?.root ?? join(fromFileUrl(import.meta.url), "..", "..", "dist");
   async function router(request, info) {
     try {
-      const url = new URL(request.url);
+      const url = getRequestUrl(request, opts, info);
       const serverRequestEv = {
         mode: "server",
         locale: void 0,
@@ -63,7 +71,7 @@ function createQwikRouter(opts) {
   }
   const notFound = async (request) => {
     try {
-      const url = new URL(request.url);
+      const url = getRequestUrl(request, opts);
       const notFoundHtml = !request.headers.get("accept")?.includes("text/html") || isStaticPath(request.method || "GET", url) ? "Not Found" : getNotFound(url.pathname);
       return new Response(notFoundHtml, {
         status: 404,
@@ -96,7 +104,7 @@ function createQwikRouter(opts) {
   };
   const staticFile = async (request) => {
     try {
-      const url = new URL(request.url);
+      const url = getRequestUrl(request, opts);
       if (isStaticPath(request.method || "GET", url)) {
         const { filePath, content } = await openStaticFile(url);
         const ext = extname(filePath).replace(/^\./, "");

package/lib/middleware/request-handler/index.d.ts

@@ -546,11 +546,11 @@ export declare interface RequestEventCommon<PLATFORM = QwikRouterPlatform> exten
     readonly exit: () => AbortMessage;
 }
 
-declare interface RequestEventInternal extends RequestEvent, RequestEventLoader {
-    [RequestEvLoaders]: Record<string, ValueOrPromise<unknown> | undefined>;
-    [RequestEvLoaderSerializationStrategyMap]: Map<string, SerializationStrategy>;
-    [RequestEvMode]: ServerRequestMode;
-    [RequestEvRoute]: LoadedRoute | null;
+declare interface RequestEventInternal extends Readonly<RequestEvent>, Readonly<RequestEventLoader> {
+    readonly [RequestEvLoaders]: Record<string, ValueOrPromise<unknown> | undefined>;
+    readonly [RequestEvLoaderSerializationStrategyMap]: Map<string, SerializationStrategy>;
+    readonly [RequestEvMode]: ServerRequestMode;
+    readonly [RequestEvRoute]: LoadedRoute | null;
     /**
      * Check if this request is already written to.
      *

package/lib/middleware/request-handler/index.mjs

@@ -557,8 +557,12 @@ function createRequestEvent(serverRequestEv, loadedRoute, requestHandlers, baseP
       check();
       status = statusCode;
       if (url2) {
-        if (/([^:])\/{2,}/.test(url2)) {
-          const fixedURL = url2.replace(/([^:])\/{2,}/g, "$1/");
+        if (
+          // //test.com
+          /^\/\//.test(url2) || // /test//path
+          /([^:])\/\/+/.test(url2)
+        ) {
+          const fixedURL = url2.replace(/^\/\/+/, "/").replace(/([^:])\/\/+/g, "$1/");
           console.warn(`Redirect URL ${url2} is invalid, fixing to ${fixedURL}`);
           url2 = fixedURL;
         }
@@ -634,7 +638,7 @@ function createRequestEvent(serverRequestEv, loadedRoute, requestHandlers, baseP
       return writableStream;
     }
   };
-  return Object.freeze(requestEv);
+  return requestEv;
 }
 function getRequestLoaders(requestEv) {
   return requestEv[RequestEvLoaders];
@@ -650,7 +654,7 @@ function getRequestMode(requestEv) {
 }
 const ABORT_INDEX = Number.MAX_SAFE_INTEGER;
 const parseRequest = async ({ request, method, query }, sharedMap) => {
-  const type = request.headers.get("content-type")?.split(/[;,]/, 1)[0].trim() ?? "";
+  const type = getContentType(request.headers);
   if (type === "application/x-www-form-urlencoded" || type === "multipart/form-data") {
     const formData = await request.formData();
     sharedMap.set(RequestEvSharedActionFormData, formData);
@@ -672,21 +676,40 @@ const parseRequest = async ({ request, method, query }, sharedMap) => {
   }
   return void 0;
 };
+const isDangerousKey = (k) => k === "__proto__" || k === "constructor" || k === "prototype";
 const formToObj = (formData) => {
-  const values = [...formData.entries()].reduce((values2, [name, value]) => {
-    name.split(".").reduce((object, key, index, keys) => {
+  const values = /* @__PURE__ */ Object.create(null);
+  for (const [name, value] of formData) {
+    const keys = name.split(".");
+    let hasDangerousKey = false;
+    for (let i = 0; i < keys.length; i++) {
+      if (isDangerousKey(keys[i])) {
+        hasDangerousKey = true;
+        break;
+      }
+    }
+    if (hasDangerousKey) {
+      continue;
+    }
+    let object = values;
+    for (let i = 0; i < keys.length; i++) {
+      const key = keys[i];
       if (key.endsWith("[]")) {
         const arrayKey = key.slice(0, -2);
+        if (isDangerousKey(arrayKey)) {
+          break;
+        }
         object[arrayKey] = object[arrayKey] || [];
-        return object[arrayKey] = [...object[arrayKey], value];
+        object[arrayKey].push(value);
+        break;
       }
-      if (index < keys.length - 1) {
-        return object[key] = object[key] || (Number.isNaN(+keys[index + 1]) ? {} : []);
+      if (i < keys.length - 1) {
+        object = object[key] = object[key] || (Number.isNaN(+keys[i + 1]) ? /* @__PURE__ */ Object.create(null) : []);
+      } else {
+        object[key] = value;
       }
-      return object[key] = value;
-    }, values2);
-    return values2;
-  }, {});
+    }
+  }
   return values;
 };
 
@@ -1035,6 +1058,13 @@ function fixTrailingSlash(ev) {
   const { basePathname, originalUrl, sharedMap } = ev;
   const { pathname, search } = originalUrl;
   const isQData = sharedMap.has(IsQData);
+  if (
+    // all valid pathnames must start with a single slash
+    !pathname.startsWith("/") || // protocol-relative URLs are not allowed like: //test.com, ///bad.com
+    pathname.startsWith("//")
+  ) {
+    return;
+  }
   if (!isQData && pathname !== basePathname && !pathname.endsWith(".html")) {
     if (!globalThis.__NO_TRAILING_SLASH__) {
       if (!pathname.endsWith("/")) {
@@ -1089,13 +1119,14 @@ function csrfCheckMiddleware(requestEv) {
   checkCSRF(requestEv);
 }
 function checkCSRF(requestEv, laxProto) {
-  const isForm = isContentType(
+  const contentType = requestEv.request.headers.get("content-type");
+  const isSimpleRequest = !contentType || isContentType(
     requestEv.request.headers,
     "application/x-www-form-urlencoded",
     "multipart/form-data",
     "text/plain"
   );
-  if (isForm) {
+  if (isSimpleRequest) {
     const inputOrigin = requestEv.request.headers.get("origin");
     const origin = requestEv.url.origin;
     let forbidden = inputOrigin !== origin;
@@ -1253,9 +1284,17 @@ async function measure(requestEv, name, fn) {
     measurements.push([name, duration]);
   }
 }
+function getContentType(headers) {
+  return (headers.get("content-type")?.split(/[;,]/, 1)[0].trim() ?? "").toLowerCase();
+}
 function isContentType(headers, ...types) {
-  const type = headers.get("content-type")?.split(/;/, 1)[0].trim() ?? "";
-  return types.includes(type);
+  const type = getContentType(headers);
+  for (let i = 0; i < types.length; i++) {
+    if (types[i].toLowerCase() === type) {
+      return true;
+    }
+  }
+  return false;
 }
 
 let _asyncRequestStore;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@qwik.dev/router",
   "description": "The router for Qwik.",
-  "version": "2.0.0-beta.18",
+  "version": "2.0.0-beta.19",
   "bugs": "https://github.com/QwikDev/qwik/issues",
   "dependencies": {
     "@azure/functions": "3.5.1",
@@ -40,7 +40,7 @@
     "tsm": "2.3.0",
     "typescript": "5.9.3",
     "uvu": "0.5.6",
-    "@qwik.dev/core": "2.0.0-beta.18"
+    "@qwik.dev/core": "2.0.0-beta.19"
   },
   "engines": {
     "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
@@ -169,7 +169,7 @@
   "main": "./lib/index.qwik.mjs",
   "peerDependencies": {
     "vite": ">=5 <8",
-    "@qwik.dev/core": "^2.0.0-beta.18"
+    "@qwik.dev/core": "^2.0.0-beta.19"
   },
   "publishConfig": {
     "access": "public"