@qzsy/vinext 0.1.7

package/dist/server/proxy-trust.d.ts

@@ -0,0 +1,40 @@
+import { IncomingMessage } from "node:http";
+
+//#region src/server/proxy-trust.d.ts
+/**
+ * Hosts that are allowed as `X-Forwarded-Host` values (stored lowercase).
+ *
+ * This Set is intentionally mutable so tests can add/remove entries
+ * without reloading the module, and so existing call sites that imported
+ * `trustedHosts` from `prod-server.ts` keep the same semantics.
+ */
+declare const trustedHosts: Set<string>;
+/**
+ * Whether to trust `X-Forwarded-Proto` from upstream proxies.
+ *
+ * Enabled when `VINEXT_TRUST_PROXY=1` or when `VINEXT_TRUSTED_HOSTS` is
+ * non-empty (having trusted hosts implies a trusted proxy). Computed at
+ * module load time, matching the existing prod-server behavior.
+ */
+declare const trustProxy: boolean;
+/**
+ * Resolve the request protocol, honoring `X-Forwarded-Proto` only when
+ * the trust-proxy gate is enabled. Defaults to `"http"`.
+ *
+ * Accepts either a Node `IncomingMessage` or a Fetch `Headers` instance
+ * so the same trust logic can be applied in both server flavors.
+ */
+declare function resolveRequestProtocol(source: IncomingMessage | Headers): "http" | "https";
+/**
+ * Resolve the request host. `X-Forwarded-Host` is honored only when its
+ * value matches the `trustedHosts` allow-list. Falls back to the raw
+ * `Host` header and then to `fallback`.
+ *
+ * Ignoring `X-Forwarded-Host` by default prevents host header poisoning
+ * (open redirects, cache poisoning) where an attacker sends
+ * `X-Forwarded-Host: evil.com` to a server that resolves redirect URLs
+ * against `request.url`.
+ */
+declare function resolveRequestHost(source: IncomingMessage | Headers, fallback: string): string;
+//#endregion
+export { resolveRequestHost, resolveRequestProtocol, trustProxy, trustedHosts };

package/dist/server/proxy-trust.js

@@ -0,0 +1,68 @@
+//#region src/server/proxy-trust.ts
+function firstHeaderValue(value) {
+	if (value === void 0 || value === null) return void 0;
+	return Array.isArray(value) ? value[0] : value;
+}
+/**
+* Hosts that are allowed as `X-Forwarded-Host` values (stored lowercase).
+*
+* This Set is intentionally mutable so tests can add/remove entries
+* without reloading the module, and so existing call sites that imported
+* `trustedHosts` from `prod-server.ts` keep the same semantics.
+*/
+const trustedHosts = new Set((process.env.VINEXT_TRUSTED_HOSTS ?? "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean));
+/**
+* Whether to trust `X-Forwarded-Proto` from upstream proxies.
+*
+* Enabled when `VINEXT_TRUST_PROXY=1` or when `VINEXT_TRUSTED_HOSTS` is
+* non-empty (having trusted hosts implies a trusted proxy). Computed at
+* module load time, matching the existing prod-server behavior.
+*/
+const trustProxy = process.env.VINEXT_TRUST_PROXY === "1" || trustedHosts.size > 0;
+/**
+* Resolve the request protocol, honoring `X-Forwarded-Proto` only when
+* the trust-proxy gate is enabled. Defaults to `"http"`.
+*
+* Accepts either a Node `IncomingMessage` or a Fetch `Headers` instance
+* so the same trust logic can be applied in both server flavors.
+*/
+function resolveRequestProtocol(source) {
+	if (!trustProxy) return "http";
+	const candidate = readForwardedProto(source)?.split(",")[0]?.trim();
+	return candidate === "https" || candidate === "http" ? candidate : "http";
+}
+/**
+* Resolve the request host. `X-Forwarded-Host` is honored only when its
+* value matches the `trustedHosts` allow-list. Falls back to the raw
+* `Host` header and then to `fallback`.
+*
+* Ignoring `X-Forwarded-Host` by default prevents host header poisoning
+* (open redirects, cache poisoning) where an attacker sends
+* `X-Forwarded-Host: evil.com` to a server that resolves redirect URLs
+* against `request.url`.
+*/
+function resolveRequestHost(source, fallback) {
+	const rawForwarded = readForwardedHost(source);
+	if (rawForwarded && trustedHosts.size > 0) {
+		const forwardedHost = rawForwarded.split(",")[0]?.trim().toLowerCase();
+		if (forwardedHost && trustedHosts.has(forwardedHost)) return forwardedHost;
+	}
+	return readHost(source) || fallback;
+}
+function readForwardedProto(source) {
+	if (isWebHeaders(source)) return source.get("x-forwarded-proto") ?? void 0;
+	return firstHeaderValue(source.headers["x-forwarded-proto"]);
+}
+function readForwardedHost(source) {
+	if (isWebHeaders(source)) return source.get("x-forwarded-host") ?? void 0;
+	return firstHeaderValue(source.headers["x-forwarded-host"]);
+}
+function readHost(source) {
+	if (isWebHeaders(source)) return source.get("host") ?? void 0;
+	return firstHeaderValue(source.headers["host"]);
+}
+function isWebHeaders(source) {
+	return typeof source.get === "function";
+}
+//#endregion
+export { resolveRequestHost, resolveRequestProtocol, trustProxy, trustedHosts };

package/dist/server/request-log.d.ts

@@ -0,0 +1,39 @@
+//#region src/server/request-log.d.ts
+/**
+ * Request logging for the vinext dev server.
+ *
+ * Matches Next.js's request log format:
+ *   GET /path 200 in 123ms (compile: 45ms, render: 78ms)
+ *
+ * Color coding matches Next.js:
+ *  - 2xx: green
+ *  - 3xx: cyan
+ *  - 4xx: yellow
+ *  - 5xx: red
+ *  - Method: bold
+ */
+type RequestLogOptions = {
+  method: string;
+  url: string;
+  status: number; /** Total elapsed time in milliseconds (start → response finish). */
+  totalMs: number; /** Time spent in Vite module loading / compilation. */
+  compileMs?: number; /** Time spent in React rendering / HTML streaming. */
+  renderMs?: number;
+};
+/**
+ * Print a single request log line to stdout.
+ */
+declare function logRequest({
+  method,
+  url,
+  status,
+  totalMs,
+  compileMs,
+  renderMs
+}: RequestLogOptions): void;
+/**
+ * Returns `performance.now()` - a high-resolution monotonic timestamp.
+ */
+declare function now(): number;
+//#endregion
+export { logRequest, now };

package/dist/server/request-log.js

@@ -0,0 +1,56 @@
+//#region src/server/request-log.ts
+/**
+* Request logging for the vinext dev server.
+*
+* Matches Next.js's request log format:
+*   GET /path 200 in 123ms (compile: 45ms, render: 78ms)
+*
+* Color coding matches Next.js:
+*  - 2xx: green
+*  - 3xx: cyan
+*  - 4xx: yellow
+*  - 5xx: red
+*  - Method: bold
+*/
+const isTTY = () => process.stdout.isTTY;
+const pretty = {
+	bold: (s) => isTTY() ? `\x1b[1m${s}\x1b[0m` : s,
+	green: (s) => isTTY() ? `\x1b[32m${s}\x1b[0m` : s,
+	cyan: (s) => isTTY() ? `\x1b[36m${s}\x1b[0m` : s,
+	yellow: (s) => isTTY() ? `\x1b[33m${s}\x1b[0m` : s,
+	red: (s) => isTTY() ? `\x1b[31m${s}\x1b[0m` : s,
+	dim: (s) => isTTY() ? `\x1b[2m${s}\x1b[0m` : s
+};
+function colorStatus(status, text) {
+	if (status >= 500) return pretty.red(text);
+	if (status >= 400) return pretty.yellow(text);
+	if (status >= 300) return pretty.cyan(text);
+	return pretty.green(text);
+}
+function formatDuration(ms) {
+	if (ms >= 1e3) return `${(ms / 1e3).toFixed(1)}s`;
+	return `${Math.round(ms)}ms`;
+}
+/**
+* Print a single request log line to stdout.
+*/
+function logRequest({ method, url, status, totalMs, compileMs, renderMs }) {
+	let line = [
+		pretty.bold(method),
+		url,
+		colorStatus(status, String(status)),
+		"in",
+		formatDuration(totalMs)
+	].join(" ");
+	const parts = [compileMs !== void 0 && `compile: ${formatDuration(compileMs)}`, renderMs !== void 0 && `render: ${formatDuration(renderMs)}`].filter(Boolean);
+	if (parts.length > 0) line += pretty.dim(` (${parts.join(", ")})`);
+	process.stdout.write(" " + line + "\n");
+}
+/**
+* Returns `performance.now()` - a high-resolution monotonic timestamp.
+*/
+function now() {
+	return performance.now();
+}
+//#endregion
+export { logRequest, now };

package/dist/server/request-pipeline.d.ts

@@ -0,0 +1,187 @@
+import { NextHeader } from "../config/next-config.js";
+import { BasePathMatchState, RequestContext } from "../config/config-matchers.js";
+import { INTERNAL_HEADERS, VINEXT_INTERNAL_HEADERS } from "./headers.js";
+import { isOpenRedirectShaped } from "./open-redirect.js";
+import { hasBasePath, stripBasePath } from "../utils/base-path.js";
+
+//#region src/server/request-pipeline.d.ts
+/**
+ * Shared request pipeline utilities.
+ *
+ * Extracted from generated entries and server hot paths to keep codegen focused
+ * on app shape while normal modules own request behavior. Some dev-server and
+ * worker-template setup code still has inline normalization that should be
+ * migrated in follow-up work.
+ *
+ * These utilities handle the common request lifecycle steps: protocol-
+ * relative URL guards, basePath stripping, trailing slash normalization,
+ * and CSRF origin validation.
+ *
+ * Plain-text error response builders (forbidden / not-found / etc.) live in
+ * `./http-error-responses.ts`.
+ */
+/**
+ * Guard against protocol-relative URL open redirects.
+ *
+ * Paths like `//example.com/` would be redirected to `//example.com` by the
+ * trailing-slash normalizer, which browsers interpret as `http://example.com`.
+ * Backslashes are equivalent to forward slashes in the URL spec
+ * (e.g. `/\evil.com` is treated as `//evil.com` by browsers).
+ *
+ * Next.js returns 404 for these paths. We check the RAW pathname before
+ * normalization so the guard fires before normalizePath collapses `//`.
+ *
+ * Percent-encoded variants are also blocked because:
+ *   - `%5C` decodes to `\` (browsers treat `/\evil.com` as `//evil.com`).
+ *   - `%2F` decodes to `/` (so `/%2F/evil.com` effectively becomes `//evil.com`).
+ * These forms survive segment-wise decoding that re-encodes path delimiters
+ * (e.g. `normalizePathnameForRouteMatchStrict`), so a later trailing-slash
+ * redirect would still echo the encoded form in its `Location` header. See
+ * `isOpenRedirectShaped` for the full list of rejected leading-segment forms.
+ *
+ * @param rawPathname - The raw pathname from the URL, before any normalization
+ * @returns A 404 Response if the path is protocol-relative, or null to continue
+ */
+declare function guardProtocolRelativeUrl(rawPathname: string): Response | null;
+type HeaderRecord = Record<string, string | string[]>;
+type ApplyConfigHeadersOptions = {
+  configHeaders: NextHeader[];
+  pathname: string;
+  requestContext: RequestContext;
+  /**
+   * basePath gating state. When omitted, every rule is treated as a default
+   * (basePath: true) rule for backward compatibility — callers that need to
+   * support `basePath: false` headers must pass this in.
+   */
+  basePathState?: BasePathMatchState; /** Existing framework-generated headers that matching config rules may replace. */
+  overwriteExisting?: ReadonlySet<string>;
+};
+type StaticFileSignalContext = {
+  headers: Headers | null;
+  status: number | null;
+};
+type ResolvePublicFileRouteOptions = {
+  cleanPathname: string;
+  middlewareContext: StaticFileSignalContext;
+  pathname: string;
+  publicFiles: ReadonlySet<string>;
+  request: Request;
+};
+/**
+ * Apply matched next.config.js headers to a Web Headers object.
+ *
+ * Next.js evaluates config header match conditions against the original
+ * request snapshot. Middleware response headers still win for the same
+ * response key, while multi-value headers are additive.
+ */
+declare function applyConfigHeadersToResponse(responseHeaders: Headers, options: ApplyConfigHeadersOptions): void;
+/**
+ * Apply matched next.config.js headers to the early response header record used
+ * by Node and Worker Pages Router pipelines before a concrete response exists.
+ */
+declare function applyConfigHeadersToHeaderRecord(headers: HeaderRecord, options: ApplyConfigHeadersOptions): void;
+declare function createStaticFileSignal(pathname: string, context: StaticFileSignalContext): Response;
+/**
+ * Resolve the public/ filesystem-route slot in the Next.js routing order.
+ *
+ * Public files are checked after middleware and before afterFiles/fallback
+ * rewrites. The generated App Router entry provides the public-file set; this
+ * helper owns the request-method and RSC exclusions plus static-file signaling.
+ */
+declare function resolvePublicFileRoute(options: ResolvePublicFileRouteOptions): Response | null;
+declare function normalizeTrailingSlashPathname(pathname: string, trailingSlash: boolean): string | null;
+/**
+ * Check if the pathname needs a trailing slash redirect, and return the
+ * redirect Response if so.
+ *
+ * Follows Next.js behavior:
+ * - `/api` routes are never redirected
+ * - The root path `/` is never redirected
+ * - If `trailingSlash` is true, redirect `/about` → `/about/`
+ * - If `trailingSlash` is true, redirect file-looking `/file.ext/` → `/file.ext`
+ * - If `trailingSlash` is true, do not redirect `/.well-known/*`
+ * - If `trailingSlash` is false (default), redirect `/about/` → `/about`
+ *
+ * @param pathname - The basePath-stripped pathname
+ * @param basePath - The basePath to prepend to the redirect Location
+ * @param trailingSlash - Whether trailing slashes should be enforced
+ * @param search - The query string (including `?`) to preserve in the redirect
+ * @returns A 308 redirect Response, or null if no redirect is needed
+ */
+declare function normalizeTrailingSlash(pathname: string, basePath: string, trailingSlash: boolean, search: string): Response | null;
+/**
+ * Validate CSRF origin for server action requests.
+ *
+ * Matches Next.js behavior: compares the Origin header against the Host
+ * header. If they don't match, the request is rejected with 403 unless
+ * the origin is in the allowedOrigins list.
+ *
+ * @param request - The incoming Request
+ * @param allowedOrigins - Origins from experimental.serverActions.allowedOrigins
+ * @returns A 403 Response if origin validation fails, or null to continue
+ */
+declare function validateCsrfOrigin(request: Request, allowedOrigins?: string[]): Response | null;
+/**
+ * Reject malformed Flight container reference graphs in server action payloads.
+ *
+ * `@vitejs/plugin-rsc` vendors its own React Flight decoder. Malicious action
+ * payloads can abuse container references (`$Q`, `$W`, `$i`) to trigger very
+ * expensive deserialization before the action is even looked up.
+ *
+ * Legitimate React-encoded container payloads use separate numeric backing
+ * fields (e.g. field `1` plus root field `0` containing `"$Q1"`). We reject
+ * numeric backing-field graphs that contain missing backing fields or cycles.
+ * Regular user form fields are ignored entirely.
+ */
+declare function validateServerActionPayload(body: string | FormData): Promise<Response | null>;
+declare function isOriginAllowed(origin: string, allowed: string[]): boolean;
+/**
+ * Strip internal `x-middleware-*` headers from a Headers object.
+ *
+ * Middleware uses `x-middleware-*` headers as internal signals (e.g.
+ * `x-middleware-next`, `x-middleware-rewrite`, `x-middleware-request-*`).
+ * These must be removed before sending the response to the client.
+ *
+ * @param headers - The Headers object to modify in place
+ */
+declare function processMiddlewareHeaders(headers: Headers): void;
+/**
+ * Strip internal headers from an inbound request so they cannot be forged by
+ * an external attacker to influence routing or impersonate internal state.
+ *
+ * Must be called at every request entry point BEFORE middleware, routing,
+ * or any handler logic accesses the request headers.
+ *
+ * Returns a new Headers object with internal headers removed. The input
+ * is never mutated — Request.headers is immutable in Workers/miniflare
+ * environments (see applyMiddlewareRequestHeaders in config-matchers.ts
+ * for the same cloning pattern).
+ *
+ * @param headers - The source Headers (never modified)
+ * @returns A new Headers with internal framework headers removed
+ */
+declare function filterInternalHeaders(headers: Headers): Headers;
+/**
+ * Clone a Request while overriding headers, preserving metadata when possible.
+ *
+ * Some runtimes (Workers) allow `new Request(request, { headers })` which
+ * retains redirect/signal/cf data. Others (Node/undici across realms) can throw
+ * when cloning a foreign Request instance. In that case, fall back to building
+ * a RequestInit with best-effort metadata.
+ */
+declare function cloneRequestWithHeaders(request: Request, headers: Headers): Request;
+/**
+ * Clone a Request while overriding the URL, preserving headers and metadata
+ * when possible.
+ *
+ * Mirrors `cloneRequestWithHeaders`, but rewrites the URL instead of the
+ * headers. Workers support `new Request(url, request)` to copy method/headers/
+ * body onto a new URL; Node/undici can throw on a foreign Request instance, so
+ * we fall back to a manual RequestInit. `new Request()` does not copy the
+ * Workers-specific `cf` property and omits `duplex` for streaming bodies, so
+ * both are handled explicitly — the same reasons `cloneRequestWithHeaders`
+ * exists.
+ */
+declare function cloneRequestWithUrl(request: Request, url: string): Request;
+//#endregion
+export { HeaderRecord, INTERNAL_HEADERS, VINEXT_INTERNAL_HEADERS, applyConfigHeadersToHeaderRecord, applyConfigHeadersToResponse, cloneRequestWithHeaders, cloneRequestWithUrl, createStaticFileSignal, filterInternalHeaders, guardProtocolRelativeUrl, hasBasePath, isOpenRedirectShaped, isOriginAllowed, normalizeTrailingSlash, normalizeTrailingSlashPathname, processMiddlewareHeaders, resolvePublicFileRoute, stripBasePath, validateCsrfOrigin, validateServerActionPayload };