@rangojs/router 0.0.0-experimental.259 → 0.0.0-experimental.26

package/src/rsc/helpers.ts

@@ -4,7 +4,12 @@
  * Utility functions for RSC request handling.
  */
 
-import { getRequestContext } from "../server/request-context.js";
+import {
+  _getRequestContext,
+  getLocationState,
+} from "../server/request-context.js";
+import { resolveLocationStateEntries } from "../browser/react/location-state-shared.js";
+import type { MiddlewareEntry, MiddlewareFn } from "../router/middleware.js";
 
 /**
  * Check if a request body has content to decode
@@ -29,12 +34,14 @@ export function createResponseWithMergedHeaders(
   body: BodyInit | null,
   init: ResponseInit,
 ): Response {
-  const ctx = getRequestContext();
+  const ctx = _getRequestContext();
   if (!ctx) {
     return new Response(body, init);
   }
 
-  // Merge headers from stub response into the new response
+  // Merge headers from stub response into the new response.
+  // Delete Set-Cookie from the stub after consuming so that downstream
+  // merge points (e.g. executeMiddleware) do not duplicate them.
   const mergedHeaders = new Headers(init.headers);
   ctx.res.headers.forEach((value, name) => {
     if (name.toLowerCase() === "set-cookie") {
@@ -44,6 +51,7 @@ export function createResponseWithMergedHeaders(
       mergedHeaders.set(name, value);
     }
   });
+  ctx.res.headers.delete("set-cookie");
 
   // Use ctx.res.status if it was set (e.g., 404 for notFound, 500 for error)
   // Otherwise use the status from init
@@ -55,8 +63,12 @@ export function createResponseWithMergedHeaders(
     headers: mergedHeaders,
   });
 
-  // Run onResponse callbacks - each can inspect/modify the response
-  for (const callback of ctx._onResponseCallbacks) {
+  // Run onResponse callbacks - each can inspect/modify the response.
+  // Drain the array so that downstream callers (e.g. finalizeResponse)
+  // do not re-execute the same callbacks on this response.
+  const callbacks = ctx._onResponseCallbacks;
+  ctx._onResponseCallbacks = [];
+  for (const callback of callbacks) {
     response = callback(response) ?? response;
   }
 
@@ -76,3 +88,111 @@ export function createSimpleRedirectResponse(redirectUrl: string): Response {
     headers: { "X-RSC-Redirect": redirectUrl },
   });
 }
+
+/**
+ * Carry over headers from a source redirect Response to a wrapper Response.
+ * Skips Location and X-RSC-Redirect (intentionally replaced by the wrapper)
+ * and appends Set-Cookie to avoid clobbering multiple cookie headers.
+ */
+export function carryOverRedirectHeaders(
+  source: Response,
+  target: Response,
+): void {
+  source.headers.forEach((value, name) => {
+    const lower = name.toLowerCase();
+    if (lower === "location" || lower === "x-rsc-redirect") return;
+    if (lower === "set-cookie") {
+      target.headers.append(name, value);
+    } else if (!target.headers.has(name)) {
+      target.headers.set(name, value);
+    }
+  });
+}
+
+/**
+ * If a response is a 3xx redirect during a partial (client-side) request,
+ * intercept it and return a Flight-compatible redirect instead.
+ * fetch() auto-follows 3xx which would hit a URL that renders full HTML
+ * the client can't parse. Returns null if the response is not a redirect.
+ */
+export function interceptRedirectForPartial(
+  response: Response,
+  createRedirectFlightResponse: (
+    redirectUrl: string,
+    locationState?: Record<string, unknown>,
+  ) => Response,
+): Response | null {
+  const redirectUrl = response.headers.get("Location");
+  if (!(response.status >= 300 && response.status < 400 && redirectUrl)) {
+    return null;
+  }
+  const locationState = getLocationState();
+  let intercepted: Response;
+  if (locationState) {
+    intercepted = createRedirectFlightResponse(
+      redirectUrl,
+      resolveLocationStateEntries(locationState),
+    );
+  } else {
+    intercepted = createSimpleRedirectResponse(redirectUrl);
+  }
+
+  carryOverRedirectHeaders(response, intercepted);
+
+  return intercepted;
+}
+
+/**
+ * Only cache successful responses. Non-200 statuses (errors, redirects) are
+ * not cached -- notFound() produces 500 in response routes, and explicit
+ * non-200 Responses are rare enough that caching them would be surprising.
+ */
+export function isCacheableStatus(status: number): boolean {
+  return status === 200;
+}
+
+/**
+ * Convert route-level middleware entries to the format expected by
+ * executeMiddleware. Route middleware from previewMatch carries just
+ * { handler, params }; this wraps them in the full MiddlewareEntry shape.
+ */
+export function buildRouteMiddlewareEntries<TEnv>(
+  routeMiddleware: Array<{
+    handler: MiddlewareFn;
+    params: Record<string, string>;
+  }>,
+): Array<{ entry: MiddlewareEntry<TEnv>; params: Record<string, string> }> {
+  return routeMiddleware.map((mw) => ({
+    entry: {
+      pattern: null,
+      regex: null,
+      paramNames: [],
+      handler: mw.handler,
+      mountPrefix: null,
+    } as MiddlewareEntry<TEnv>,
+    params: mw.params,
+  }));
+}
+
+/**
+ * Run onResponse callbacks on an existing Response.
+ *
+ * Used for code paths that bypass createResponseWithMergedHeaders(), such as
+ * middleware short-circuits where the Response is already constructed but
+ * ctx.onResponse() callbacks still need to fire.
+ */
+export function finalizeResponse(response: Response): Response {
+  const ctx = _getRequestContext();
+  if (!ctx || ctx._onResponseCallbacks.length === 0) {
+    return response;
+  }
+
+  // Drain the array so callbacks run at most once per request.
+  const callbacks = ctx._onResponseCallbacks;
+  ctx._onResponseCallbacks = [];
+  let result = response;
+  for (const callback of callbacks) {
+    result = callback(result) ?? result;
+  }
+  return result;
+}

package/src/rsc/index.ts

@@ -29,28 +29,8 @@ export type {
   NonceProvider,
 } from "./types.js";
 
-// Re-export HandleStore types for consumers who need custom handling
-export {
-  createHandleStore,
-  type HandleStore,
-  type HandleData,
-} from "../server/handle-store.js";
-
 // Re-export request context utilities for server-side access to env/request/params
 export {
   getRequestContext,
   requireRequestContext,
-  setRequestContextParams,
 } from "../server/request-context.js";
-
-// Re-export cache store types and implementations
-export type {
-  SegmentCacheStore,
-  CachedEntryData,
-  CachedEntryResult,
-  SegmentCacheProvider,
-  SegmentHandleData,
-} from "../cache/types.js";
-
-export { MemorySegmentCacheStore } from "../cache/memory-segment-store.js";
-export { CFCacheStore, type CFCacheStoreOptions } from "../cache/cf/index.js";

package/src/rsc/loader-fetch.ts

@@ -14,9 +14,20 @@
 import { getLoaderLazy } from "../server/loader-registry.js";
 import { executeLoaderMiddleware } from "../router/middleware.js";
 import { requireRequestContext } from "../server/request-context.js";
-import { createReverseFunction } from "../router/handler-context.js";
-import { getGlobalRouteMap } from "../route-map-builder.js";
-import { createResponseWithMergedHeaders } from "./helpers.js";
+import {
+  createReverseFunction,
+  stripInternalParams,
+} from "../router/handler-context.js";
+import {
+  getGlobalRouteMap,
+  getSearchSchema,
+  isRouteRootScoped,
+} from "../route-map-builder.js";
+import { parseSearchParams } from "../search-params.js";
+import {
+  createResponseWithMergedHeaders,
+  finalizeResponse,
+} from "./helpers.js";
 import type { HandlerContext } from "./handler-context.js";
 
 export async function handleLoaderFetch<TEnv>(
@@ -44,6 +55,15 @@ export async function handleLoaderFetch<TEnv>(
     );
   }
 
+  // Non-fetchable loaders are registered for SSR ctx.use() only.
+  // They must not be callable through the standalone _rsc_loader endpoint.
+  if (!registeredLoader.fetchable) {
+    return createResponseWithMergedHeaders(
+      `Loader "${loaderId}" is not fetchable`,
+      { status: 403 },
+    );
+  }
+
   // Parse params, body, and formData based on request method and content type
   let loaderParams: Record<string, string> = {};
   let loaderBody: unknown = undefined;
@@ -90,51 +110,73 @@ export async function handleLoaderFetch<TEnv>(
     }
   }
 
-  // Execute the loader with middleware
+  // Execute the loader with middleware.
+  // finalizeResponse drains onResponse callbacks that middleware short-circuits
+  // may leave behind (executeLoaderMiddleware does not finalize them itself).
   try {
     const { fn, middleware } = registeredLoader;
 
-    return await executeLoaderMiddleware(
-      middleware,
-      request,
-      env,
-      loaderParams,
-      variables,
-      async () => {
-        const reqCtx = requireRequestContext();
-        // Merge route params (from previewMatch) with explicit loader params.
-        // Explicit params take precedence over route-matched params.
-        const mergedParams = {
-          ...(routeParams ?? {}),
-          ...loaderParams,
-        };
-        const loaderCtx: any = {
-          ...reqCtx,
-          params: mergedParams,
-          body: loaderBody,
-          method: request.method,
-          reverse: createReverseFunction(
-            getGlobalRouteMap(),
-            reqCtx._routeName,
-            mergedParams,
-          ),
-          ...(loaderFormData ? { formData: loaderFormData } : {}),
-        };
+    return finalizeResponse(
+      await executeLoaderMiddleware(
+        middleware,
+        request,
+        env,
+        loaderParams,
+        variables,
+        async () => {
+          const reqCtx = requireRequestContext();
+          // Merge route params (from previewMatch) with explicit loader params.
+          // Explicit params take precedence over route-matched params.
+          const resolvedRouteParams = routeParams ?? {};
+          const mergedParams = {
+            ...resolvedRouteParams,
+            ...loaderParams,
+          };
+          // Strip _rsc_* transport params so loaders see the same
+          // url/searchParams as during SSR/navigation.
+          const cleanUrl = stripInternalParams(url);
+          const cleanSearchParams = cleanUrl.searchParams;
+          const searchSchema = reqCtx._routeName
+            ? getSearchSchema(reqCtx._routeName)
+            : undefined;
+          const loaderCtx: any = {
+            ...reqCtx,
+            url: cleanUrl,
+            pathname: cleanUrl.pathname,
+            searchParams: cleanSearchParams,
+            search: searchSchema
+              ? parseSearchParams(cleanSearchParams, searchSchema)
+              : {},
+            params: mergedParams,
+            routeParams: resolvedRouteParams,
+            body: loaderBody,
+            method: request.method,
+            reverse: createReverseFunction(
+              getGlobalRouteMap(),
+              reqCtx._routeName,
+              mergedParams,
+              reqCtx._routeName
+                ? isRouteRootScoped(reqCtx._routeName)
+                : undefined,
+            ),
+            ...(loaderFormData ? { formData: loaderFormData } : {}),
+          };
 
-        const result = await fn(loaderCtx);
+          const result = await fn(loaderCtx);
 
-        interface LoaderPayload {
-          loaderResult: unknown;
-        }
-        const loaderPayload: LoaderPayload = { loaderResult: result };
-        const rscStream =
-          ctx.renderToReadableStream<LoaderPayload>(loaderPayload);
+          interface LoaderPayload {
+            loaderResult: unknown;
+          }
+          const loaderPayload: LoaderPayload = { loaderResult: result };
+          const rscStream =
+            ctx.renderToReadableStream<LoaderPayload>(loaderPayload);
 
-        return createResponseWithMergedHeaders(rscStream, {
-          headers: { "content-type": "text/x-component;charset=utf-8" },
-        });
-      },
-      createReverseFunction(ctx.getRequiredRouteMap()),
+          return createResponseWithMergedHeaders(rscStream, {
+            headers: { "content-type": "text/x-component;charset=utf-8" },
+          });
+        },
+        createReverseFunction(ctx.getRequiredRouteMap()),
+      ),
     );
   } catch (error) {
     const err = error instanceof Error ? error : new Error(String(error));

package/src/rsc/manifest-init.ts

@@ -29,8 +29,9 @@ import {
 export async function buildRouterTrieFromUrlpatterns(
   router: any,
 ): Promise<void> {
-  const { generateManifest } = await import("../build/generate-manifest.js");
-  const generated = generateManifest(router.urlpatterns);
+  const { generateManifestFull } =
+    await import("../build/generate-manifest.js");
+  const generated = generateManifestFull(router.urlpatterns);
   if (
     generated._routeAncestry &&
     Object.keys(generated._routeAncestry).length > 0

package/src/rsc/origin-guard.ts

@@ -0,0 +1,141 @@
+/**
+ * Origin Guard
+ *
+ * Cross-origin request protection for server actions, loader fetches, and
+ * progressive enhancement form submissions. Validates that the Origin header
+ * (or Referer fallback) matches the request Host before executing.
+ *
+ * Requests without an Origin or Referer header are allowed — same-origin
+ * navigations, bookmarks, and non-browser clients don't send Origin.
+ */
+
+/**
+ * Request phase that triggered the origin check.
+ */
+export type OriginCheckPhase = "action" | "loader" | "pe-form";
+
+/**
+ * Context passed to the originCheck callback.
+ */
+export interface OriginCheckContext<TEnv = any> {
+  request: Request;
+  url: URL;
+  env: TEnv;
+  routerId: string;
+  phase: OriginCheckPhase;
+  /** Run the built-in conservative check (Origin/Referer vs Host + url.protocol). */
+  defaultCheck: () => boolean;
+}
+
+/**
+ * Configuration for the origin check.
+ *
+ * - `true` (default) — built-in conservative check
+ * - `false` — disabled
+ * - function — custom control; return true to allow, false to reject with
+ *   default 403, or a Response for custom rejection
+ */
+export type OriginCheckConfig<TEnv = any> =
+  | boolean
+  | ((
+      ctx: OriginCheckContext<TEnv>,
+    ) => boolean | Response | Promise<boolean | Response>);
+
+/**
+ * Built-in conservative origin check.
+ * Compares Origin (or Referer fallback) against Host + url.protocol.
+ * Does NOT trust X-Forwarded-Host/Proto headers.
+ *
+ * Returns true to allow, false to reject.
+ */
+export function defaultOriginCheck(request: Request, url: URL): boolean {
+  // 1. Read Origin header (present on all cross-origin requests and
+  //    same-origin POST/PUT/PATCH/DELETE in modern browsers)
+  let requestOrigin = request.headers.get("origin");
+
+  // 2. Fallback to Referer if Origin is absent (some proxies strip it)
+  if (!requestOrigin) {
+    const referer = request.headers.get("referer");
+    if (referer) {
+      try {
+        requestOrigin = new URL(referer).origin;
+      } catch {
+        // Malformed referer — treat as absent
+      }
+    }
+  }
+
+  // 3. No Origin or Referer — allow (can't be browser-initiated CSRF)
+  if (!requestOrigin) return true;
+
+  // "null" origin comes from privacy-sensitive contexts (data: URLs,
+  // sandboxed iframes, cross-origin redirects). Reject it.
+  if (requestOrigin === "null") return false;
+
+  // 4. Determine expected host from Host header or URL.
+  // X-Forwarded-Host/Proto are NOT used — they are client-controllable
+  // unless a trusted proxy strips them. On standard deployments (Cloudflare
+  // Workers, Node behind nginx/caddy) the Host header is already correct.
+  // For non-standard setups, use the custom function escape hatch.
+  const expectedHost = request.headers.get("host") || url.host;
+  const expectedProtocol = url.protocol;
+
+  // 5. Build expected origin and compare (case-insensitive)
+  const expectedOrigin = `${expectedProtocol}//${expectedHost}`;
+
+  return requestOrigin.toLowerCase() === expectedOrigin.toLowerCase();
+}
+
+function createForbiddenResponse(request: Request): Response {
+  const isDev = process.env.NODE_ENV !== "production";
+  const body = isDev
+    ? "Forbidden: Origin mismatch. The request origin does not match the server host. " +
+      `Set originCheck: false in createRouter() to disable this check. ` +
+      `(Origin: ${request.headers.get("origin") ?? "none"}, ` +
+      `Host: ${request.headers.get("host") ?? "none"})`
+    : "Forbidden";
+
+  return new Response(body, {
+    status: 403,
+    headers: { "X-Rango-Origin-Check": "failed" },
+  });
+}
+
+/**
+ * Configuration-aware origin check dispatcher.
+ * Builds the OriginCheckContext and delegates to the configured check.
+ */
+export async function checkRequestOrigin<TEnv = any>(
+  request: Request,
+  url: URL,
+  config: OriginCheckConfig<TEnv> | undefined,
+  env: TEnv,
+  routerId: string,
+  phase: OriginCheckPhase,
+): Promise<Response | null> {
+  // Disabled by explicit opt-out
+  if (config === false) return null;
+
+  // Default: built-in validation (config === true or undefined)
+  if (config === true || config === undefined) {
+    const allowed = defaultOriginCheck(request, url);
+    if (allowed) return null;
+    return createForbiddenResponse(request);
+  }
+
+  // Custom function — build context and call
+  const ctx: OriginCheckContext<TEnv> = {
+    request,
+    url,
+    env,
+    routerId,
+    phase,
+    defaultCheck: () => defaultOriginCheck(request, url),
+  };
+
+  const result = await config(ctx);
+
+  if (result instanceof Response) return result;
+  if (result === true) return null;
+  return createForbiddenResponse(request);
+}