@rangojs/router 0.0.0-experimental.32 → 0.0.0-experimental.3232cd17

package/src/router/middleware.ts

@@ -1,15 +1,8 @@
 /// <reference types="vite/types/importMeta.d.ts" />
-/**
- * Middleware Execution
- *
- * True middleware that wraps the entire RSC handler.
- * - `await next()` returns actual Response
- * - Can modify response headers
- * - Can catch errors from RSC rendering
- * - Forgiving API: if middleware doesn't return, original response is used
- */
 
 import { contextGet, contextSet } from "../context-var.js";
+import { safeDecodeURIComponent } from "./url-params.js";
+import { fireAndForgetWaitUntil } from "../types/request-scope.js";
 import type {
   CollectedMiddleware,
   MiddlewareCollectableEntry,
@@ -19,26 +12,28 @@ import type {
   ResponseHolder,
 } from "./middleware-types.js";
 import { _getRequestContext } from "../server/request-context.js";
+import {
+  EXTERNAL_REDIRECT_MARKER,
+  isExternalRedirect,
+  markExternalRedirect,
+} from "../redirect-origin.js";
 import { isAutoGeneratedRouteName } from "../route-name.js";
 import { appendMetric, createMetricsStore } from "./metrics.js";
+import { stripInternalParams } from "./handler-context.js";
+import { isWebSocketUpgradeResponse } from "../response-utils.js";
 
-// Re-export types and cookie utilities for backward compatibility
+// Re-export types consumed through this module's path.
 export type {
   CookieOptions,
-  CollectedMiddleware,
-  MiddlewareCollectableEntry,
   MiddlewareContext,
   MiddlewareEntry,
   MiddlewareFn,
-  ResponseHolder,
 } from "./middleware-types.js";
-export { parseCookies, serializeCookie } from "./middleware-cookies.js";
 
 const MIDDLEWARE_METRIC_DEPTH = 1;
-/** Ignore post-next() durations below this threshold (measurement noise). */
 const POST_METRIC_MIN_DURATION_MS = 0.01;
 
-function getMiddlewareMetricBase<TEnv>(
+function getMiddlewareMetricLabel<TEnv>(
   entry: MiddlewareEntry<TEnv>,
   ordinal: number,
 ): string {
@@ -46,23 +41,12 @@ function getMiddlewareMetricBase<TEnv>(
   const scope = entry.pattern ?? "*";
 
   if (handlerName) {
-    return `${handlerName}@${scope}`;
+    return `middleware:${handlerName}@${scope}`;
   }
 
-  return `${scope}#${ordinal + 1}`;
+  return `middleware:${scope}#${ordinal + 1}`;
 }
 
-function getMiddlewareMetricLabel<TEnv>(
-  entry: MiddlewareEntry<TEnv>,
-  ordinal: number,
-): string {
-  return `middleware:${getMiddlewareMetricBase(entry, ordinal)}`;
-}
-
-/**
- * Parse a route pattern into regex and param names
- * Supports: *, /path, /path/*, /path/:param, /path/:param/*
- */
 export function parsePattern(pattern: string): {
   regex: RegExp;
   paramNames: string[];
@@ -111,7 +95,12 @@ function escapeRegex(str: string): string {
 }
 
 /**
- * Extract params from a pathname using a pattern's regex and param names
+ * Extract params from a pathname using a pattern's regex and param names.
+ *
+ * Values are URL-decoded so apps see the raw string (e.g. "ivo@example.com")
+ * instead of the percent-encoded form ("ivo%40example.com"). This matches the
+ * contract assumed by ctx.reverse (which re-encodes) and aligns with
+ * Express/React Router/Fastify/Koa.
  */
 export function extractParams(
   pathname: string,
@@ -123,7 +112,7 @@ export function extractParams(
 
   const params: Record<string, string> = {};
   for (let i = 0; i < paramNames.length; i++) {
-    params[paramNames[i]] = match[i + 1] || "";
+    params[paramNames[i]] = safeDecodeURIComponent(match[i + 1] || "");
   }
   return params;
 }
@@ -147,7 +136,7 @@ export function createMiddlewareContext<TEnv>(
     search?: Record<string, unknown>,
   ) => string,
 ): MiddlewareContext<TEnv> {
-  const url = new URL(request.url);
+  const url = stripInternalParams(new URL(request.url));
 
   // Track the initial response to detect pre/post-next() phase.
   // Before next(): responseHolder.response === initialResponse (the stub).
@@ -178,14 +167,22 @@ export function createMiddlewareContext<TEnv>(
     return responseHolder.response;
   };
 
+  // Capture reqCtx once: the request-scoped platform fields
+  // (originalUrl, executionContext, waitUntil) are immutable per request,
+  // so snapshotting beats re-reading ALS on every access. The lazy getters
+  // below (routeName, theme, setTheme) stay lazy because those can change
+  // during `await next()`.
+  const reqCtx = _getRequestContext();
   return {
     request,
     url,
-    originalUrl: new URL(request.url),
+    originalUrl: reqCtx?.originalUrl ?? new URL(request.url),
     pathname: url.pathname,
     searchParams: url.searchParams,
     env: env as MiddlewareContext<TEnv>["env"],
     params,
+    executionContext: reqCtx?.executionContext,
+    waitUntil: reqCtx ? reqCtx.waitUntil.bind(reqCtx) : fireAndForgetWaitUntil,
     // Getter: re-derives from request context on each access so that global
     // middleware sees the matched route name after await next().
     get routeName(): MiddlewareContext<TEnv>["routeName"] {
@@ -203,12 +200,9 @@ export function createMiddlewareContext<TEnv>(
     get: ((keyOrVar: any) =>
       contextGet(variables, keyOrVar)) as MiddlewareContext<TEnv>["get"],
 
-    set: ((keyOrVar: any, value: unknown) => {
-      contextSet(variables, keyOrVar, value);
+    set: ((keyOrVar: any, value: unknown, options?: any) => {
+      contextSet(variables, keyOrVar, value, options);
     }) as MiddlewareContext<TEnv>["set"],
-
-    var: variables as MiddlewareContext<TEnv>["var"],
-
     header(name: string, value: string): void {
       // Before next(): delegate to shared RequestContext stub
       if (isPreNext()) {
@@ -247,9 +241,13 @@ export function createMiddlewareContext<TEnv>(
 
     reverse:
       reverse ??
-      ((name: string) => {
+      ((
+        name: string,
+        _params?: Record<string, string>,
+        _search?: Record<string, unknown>,
+      ) => {
         throw new Error(
-          `ctx.reverse() is not available - route map was not provided to middleware context`,
+          `ctx.reverse(${JSON.stringify(name)}) is not available: no route map is bound to this middleware context.`,
         );
       }),
 
@@ -293,6 +291,88 @@ export function matchMiddleware<TEnv>(
   return matches;
 }
 
+// Set-Cookie is appended; for other headers stubOverridesNonCookie=true
+// overwrites (chain ran to completion), false fills only missing slots (an
+// explicit short-circuit Response's own headers win).
+function mergeStubHeaders(
+  target: Headers,
+  stub: Headers,
+  stubOverridesNonCookie: boolean,
+): void {
+  stub.forEach((value, name) => {
+    // The reserved external-redirect marker is internal and never a trust
+    // signal; never copy a stub value (e.g. a stray ctx.header() call) onto a
+    // browser-facing response. The opt-in is the out-of-band brand.
+    if (name.toLowerCase() === EXTERNAL_REDIRECT_MARKER) return;
+    if (name.toLowerCase() === "set-cookie") {
+      target.append(name, value);
+    } else if (stubOverridesNonCookie || !target.has(name)) {
+      target.set(name, value);
+    }
+  });
+}
+
+// Set-Cookie is deduped so a nested inner executeMiddleware that already merged
+// the same reqCtx cookies does not duplicate them; other headers fill if missing.
+function mergeReqCtxStub(
+  target: Headers,
+  reqCtx: ReturnType<typeof _getRequestContext>,
+): void {
+  if (!reqCtx) return;
+  const stubCookies = reqCtx.res.headers.getSetCookie();
+  if (stubCookies.length > 0) {
+    const existing = new Set(target.getSetCookie());
+    for (const cookie of stubCookies) {
+      if (!existing.has(cookie)) {
+        target.append("set-cookie", cookie);
+      }
+    }
+  }
+  reqCtx.res.headers.forEach((value, name) => {
+    // Never propagate the reserved external-redirect marker (see mergeStubHeaders).
+    if (name.toLowerCase() === EXTERNAL_REDIRECT_MARKER) return;
+    if (name !== "set-cookie" && !target.has(name)) {
+      target.set(name, value);
+    }
+  });
+}
+
+// Clone `base` with stub headers merged into a fresh Headers (the clone keeps
+// the body mutable for post-next() modifications). Set-Cookie is always
+// appended; other headers obey stubOverridesNonCookie (see mergeStubHeaders).
+// mergeReqCtx folds in RequestContext stub cookies/headers; the intercept
+// short-circuit path passes false (its reqCtx headers are not merged here),
+// which is the one deliberate divergence between the call sites.
+function mergeResponse(
+  base: Response,
+  stub: Headers,
+  opts: { stubOverridesNonCookie: boolean; mergeReqCtx: boolean },
+): Response {
+  const mergedHeaders = new Headers(base.headers);
+  // The reserved external-redirect marker is never a trust signal and must never
+  // reach the browser. The guard strips it on 3xx redirects; strip it here too so
+  // a forged value cannot ride a non-3xx middleware response (which the 3xx-only
+  // guard would not touch) to the client. The opt-in is the out-of-band brand.
+  mergedHeaders.delete(EXTERNAL_REDIRECT_MARKER);
+  mergeStubHeaders(mergedHeaders, stub, opts.stubOverridesNonCookie);
+  if (opts.mergeReqCtx) {
+    mergeReqCtxStub(mergedHeaders, _getRequestContext());
+  }
+  const merged = new Response(base.body, {
+    status: base.status,
+    statusText: base.statusText,
+    headers: mergedHeaders,
+  });
+  // Transfer the out-of-band external-redirect brand across this rebuild: a
+  // middleware short-circuit `return redirect(url, { external: true })` reaches
+  // the open-redirect guard only after this merge, and the brand lives on the
+  // Response object, not in its headers.
+  if (isExternalRedirect(base)) {
+    markExternalRedirect(merged);
+  }
+  return merged;
+}
+
 /**
  * Execute middleware chain
  *
@@ -301,7 +381,7 @@ export function matchMiddleware<TEnv>(
  * - `ctx.headers` available before and after `await next()`
  * - `ctx.header()` shorthand for setting a single header
  * - Forgiving: if middleware doesn't return, uses the downstream response
- * - Short-circuit: return Response to stop chain
+ * - Short-circuit: return OR throw a Response to stop chain
  * - Error catching: try/catch around `next()` works
  */
 export async function executeMiddleware<TEnv>(
@@ -331,42 +411,16 @@ export async function executeMiddleware<TEnv>(
       // End of chain - call actual RSC handler
       const response = await finalHandler();
 
-      // Merge headers set on stub into the real response.
-      // Use append for Set-Cookie to preserve multiple cookies.
-      const mergedHeaders = new Headers(response.headers);
-      stubResponse.headers.forEach((value, name) => {
-        if (name.toLowerCase() === "set-cookie") {
-          mergedHeaders.append(name, value);
-        } else {
-          mergedHeaders.set(name, value);
-        }
-      });
-      // Also merge shared RequestContext stub (cookies written via cookies().set()).
-      // Dedup Set-Cookie: an inner executeMiddleware (route-level middleware)
-      // may have already merged the same reqCtx cookies into the response.
-      const reqCtx = _getRequestContext();
-      if (reqCtx) {
-        const stubCookies = reqCtx.res.headers.getSetCookie();
-        if (stubCookies.length > 0) {
-          const existing = new Set(mergedHeaders.getSetCookie());
-          for (const cookie of stubCookies) {
-            if (!existing.has(cookie)) {
-              mergedHeaders.append("set-cookie", cookie);
-            }
-          }
-        }
-        reqCtx.res.headers.forEach((value, name) => {
-          if (name !== "set-cookie" && !mergedHeaders.has(name)) {
-            mergedHeaders.set(name, value);
-          }
-        });
+      if (isWebSocketUpgradeResponse(response)) {
+        responseHolder.response = response;
+        return response;
       }
 
-      // Clone response with merged headers (mutable for post-next() modifications)
-      responseHolder.response = new Response(response.body, {
-        status: response.status,
-        statusText: response.statusText,
-        headers: mergedHeaders,
+      // Chain ran to completion: stub headers overwrite (stubOverridesNonCookie)
+      // and reqCtx stub headers are merged in.
+      responseHolder.response = mergeResponse(response, stubResponse.headers, {
+        stubOverridesNonCookie: true,
+        mergeReqCtx: true,
       });
 
       return responseHolder.response;
@@ -428,8 +482,16 @@ export async function executeMiddleware<TEnv>(
     try {
       result = await entry.handler(ctx, wrappedNext);
     } catch (error) {
-      finishMiddleware();
-      throw error;
+      // Thrown Response is short-circuit control flow, not an error.
+      // Fall through to the `if (result instanceof Response)` branch below
+      // so stub headers and request-context cookies merge as they do for
+      // an explicit `return new Response(...)`. Real errors propagate.
+      if (error instanceof Response) {
+        result = error;
+      } else {
+        finishMiddleware();
+        throw error;
+      }
     }
     finishMiddleware();
 
@@ -450,41 +512,18 @@ export async function executeMiddleware<TEnv>(
 
     // Explicit return takes precedence (middleware short-circuit).
     // Merge stub headers (from ctx.header before this point) and
-    // RequestContext stub headers (from ctx.setCookie) into the
+    // RequestContext stub headers (from cookies().set()) into the
     // returned Response so they are not lost.
     if (result instanceof Response) {
-      const mergedHeaders = new Headers(result.headers);
-      stubResponse.headers.forEach((value, name) => {
-        if (name.toLowerCase() === "set-cookie") {
-          mergedHeaders.append(name, value);
-        } else if (!mergedHeaders.has(name)) {
-          mergedHeaders.set(name, value);
-        }
-      });
-      // Also merge shared RequestContext stub (cookies written via setCookie).
-      // Dedup Set-Cookie: an inner executeMiddleware (route-level middleware)
-      // may have already merged the same reqCtx cookies into the response.
-      const reqCtx = _getRequestContext();
-      if (reqCtx) {
-        const stubCookies = reqCtx.res.headers.getSetCookie();
-        if (stubCookies.length > 0) {
-          const existing = new Set(mergedHeaders.getSetCookie());
-          for (const cookie of stubCookies) {
-            if (!existing.has(cookie)) {
-              mergedHeaders.append("set-cookie", cookie);
-            }
-          }
-        }
-        reqCtx.res.headers.forEach((value, name) => {
-          if (name !== "set-cookie" && !mergedHeaders.has(name)) {
-            mergedHeaders.set(name, value);
-          }
-        });
+      if (isWebSocketUpgradeResponse(result)) {
+        responseHolder.response = result;
+        return result;
       }
-      const merged = new Response(result.body, {
-        status: result.status,
-        statusText: result.statusText,
-        headers: mergedHeaders,
+      // Explicit short-circuit: the returned Response's own headers win
+      // (stubOverridesNonCookie=false); reqCtx stub headers still merge in.
+      const merged = mergeResponse(result, stubResponse.headers, {
+        stubOverridesNonCookie: false,
+        mergeReqCtx: true,
       });
       responseHolder.response = merged;
       return merged;
@@ -529,23 +568,12 @@ export async function executeMiddleware<TEnv>(
   // last merge point (e.g. cookies().set() called after await next()).
   // The reqCtx stub may have already been partially merged during finalHandler
   // or early-return paths; only append *new* Set-Cookie entries to avoid dupes.
+  //
+  // Skip for upgrade responses: upgrade headers are semantically immutable and
+  // set-cookie on an upgrade is not meaningful.
   const reqCtx = _getRequestContext();
-  if (reqCtx) {
-    const stubCookies = reqCtx.res.headers.getSetCookie();
-    if (stubCookies.length > 0) {
-      const existingCookies = new Set(finalResponse.headers.getSetCookie());
-      for (const cookie of stubCookies) {
-        if (!existingCookies.has(cookie)) {
-          finalResponse.headers.append("set-cookie", cookie);
-        }
-      }
-    }
-    // Fill in non-cookie headers that aren't already on the response
-    reqCtx.res.headers.forEach((value, name) => {
-      if (name !== "set-cookie" && !finalResponse.headers.has(name)) {
-        finalResponse.headers.set(name, value);
-      }
-    });
+  if (reqCtx && !isWebSocketUpgradeResponse(finalResponse)) {
+    mergeReqCtxStub(finalResponse.headers, reqCtx);
   }
 
   return finalResponse;
@@ -556,7 +584,7 @@ export async function executeMiddleware<TEnv>(
  *
  * Intercepts use a shared stubResponse from the request context. This function:
  * - Runs middleware in sequence with a simple next() chain
- * - Returns Response if any middleware short-circuits (returns Response or redirects BEFORE next())
+ * - Returns Response if any middleware short-circuits (returns OR throws a Response, or redirects, BEFORE next())
  * - Returns null if all middleware calls next() - headers set after next() remain on stubResponse
  *
  * @param middlewares - Array of middleware functions
@@ -615,7 +643,18 @@ export async function executeInterceptMiddleware<TEnv>(
       return next();
     };
 
-    const result = await middleware(ctx, guardedNext);
+    let result: Response | void;
+    try {
+      result = await middleware(ctx, guardedNext);
+    } catch (error) {
+      // Thrown Response is short-circuit control flow, parity with the
+      // explicit-return path below. Real errors propagate.
+      if (error instanceof Response) {
+        result = error;
+      } else {
+        throw error;
+      }
+    }
 
     if (result instanceof Response) {
       earlyResponse = result;
@@ -639,21 +678,13 @@ export async function executeInterceptMiddleware<TEnv>(
     });
 
     if (hasStubHeaders) {
-      // Clone and merge headers from stub into early response.
-      // Only fill in missing headers — the returned Response's explicit
-      // headers take precedence, matching executeMiddleware behavior.
-      const mergedHeaders = new Headers(response.headers);
-      stubResponse.headers.forEach((value, name) => {
-        if (name.toLowerCase() === "set-cookie") {
-          mergedHeaders.append(name, value);
-        } else if (!mergedHeaders.has(name)) {
-          mergedHeaders.set(name, value);
-        }
-      });
-      return new Response(response.body, {
-        status: response.status,
-        statusText: response.statusText,
-        headers: mergedHeaders,
+      // Only fill in missing headers — the returned Response's explicit headers
+      // take precedence (stubOverridesNonCookie=false), matching executeMiddleware.
+      // mergeReqCtx=false: the intercept path deliberately does NOT merge reqCtx
+      // stub headers here (pinned by intercept-middleware-headers.test.ts).
+      return mergeResponse(response, stubResponse.headers, {
+        stubOverridesNonCookie: false,
+        mergeReqCtx: false,
       });
     }
     return response;
@@ -694,7 +725,6 @@ export async function executeLoaderMiddleware<TEnv>(
       regex: null,
       paramNames: [],
       handler,
-      mountPrefix: null,
     } as MiddlewareEntry<TEnv>,
     params,
   }));

package/src/router/navigation-snapshot.ts

@@ -0,0 +1,131 @@
+import type { RouteMatchResult } from "./pattern-matching.js";
+
+export interface NavigationSnapshot {
+  prevUrl: URL;
+  prevParams: Record<string, string>;
+  prevMatch: RouteMatchResult | null;
+
+  interceptContextUrl: URL;
+  interceptContextMatch: RouteMatchResult | null;
+
+  clientSegmentIds: string[];
+  clientSegmentSet: Set<string>;
+  filteredSegmentIds: string[];
+
+  stale: boolean;
+
+  isSameRouteNavigation: boolean;
+
+  effectiveFromUrl: URL;
+  effectiveFromMatch: RouteMatchResult | null;
+
+  hasInterceptSource: boolean;
+
+  isHmr: boolean;
+}
+
+export interface ResolveNavigationDeps {
+  findMatch: (pathname: string) => RouteMatchResult | null;
+}
+
+export function resolveNavigation(
+  request: Request,
+  url: URL,
+  currentRouteKey: string,
+  deps: ResolveNavigationDeps,
+): NavigationSnapshot | null {
+  const clientSegmentIds =
+    url.searchParams.get("_rsc_segments")?.split(",").filter(Boolean) || [];
+  const stale = url.searchParams.get("_rsc_stale") === "true";
+  const previousUrl =
+    request.headers.get("X-RSC-Router-Client-Path") ||
+    request.headers.get("Referer");
+  const interceptSourceUrl = request.headers.get(
+    "X-RSC-Router-Intercept-Source",
+  );
+  const isHmr = !!request.headers.get("X-RSC-HMR");
+
+  if (!previousUrl) {
+    return null;
+  }
+
+  let prevUrl: URL;
+  try {
+    prevUrl = new URL(previousUrl, url.origin);
+  } catch {
+    return null;
+  }
+
+  let interceptContextUrl: URL;
+  try {
+    interceptContextUrl = interceptSourceUrl
+      ? new URL(interceptSourceUrl, url.origin)
+      : prevUrl;
+  } catch {
+    interceptContextUrl = prevUrl;
+  }
+
+  const prevMatch = deps.findMatch(prevUrl.pathname);
+  const prevParams = prevMatch?.params || {};
+  const interceptContextMatch = interceptSourceUrl
+    ? deps.findMatch(interceptContextUrl.pathname)
+    : prevMatch;
+
+  const isSameRouteNavigation = !!(
+    interceptContextMatch && interceptContextMatch.routeKey === currentRouteKey
+  );
+
+  const hasInterceptSource = !!interceptSourceUrl;
+  const effectiveFromUrl = hasInterceptSource ? interceptContextUrl : prevUrl;
+  const effectiveFromMatch = hasInterceptSource
+    ? interceptContextMatch
+    : prevMatch;
+
+  const filteredSegmentIds = clientSegmentIds.filter((id) => {
+    if (id.includes(".@")) return false;
+    if (/D\d+\./.test(id)) return false;
+    return true;
+  });
+
+  const clientSegmentSet = new Set(clientSegmentIds);
+
+  return {
+    prevUrl,
+    prevParams,
+    prevMatch,
+    interceptContextUrl,
+    interceptContextMatch,
+    clientSegmentIds,
+    clientSegmentSet,
+    filteredSegmentIds,
+    stale,
+    isSameRouteNavigation,
+    effectiveFromUrl,
+    effectiveFromMatch,
+    hasInterceptSource,
+    isHmr,
+  };
+}
+
+export function createNavigationSnapshot(
+  overrides?: Partial<NavigationSnapshot>,
+): NavigationSnapshot {
+  const defaultUrl = new URL("http://localhost/");
+  return {
+    prevUrl: defaultUrl,
+    prevParams: {},
+    prevMatch: null,
+    interceptContextUrl: defaultUrl,
+    interceptContextMatch: null,
+    clientSegmentIds: [],
+    clientSegmentSet: new Set(),
+    filteredSegmentIds: [],
+    stale: false,
+    isSameRouteNavigation: false,
+    effectiveFromUrl: defaultUrl,
+    effectiveFromMatch: null,
+    hasInterceptSource: false,
+    isHmr: false,
+    ...overrides,
+  };
+}

package/src/router/params-util.ts

@@ -0,0 +1,23 @@
+/**
+ * Shared route-param comparison helpers.
+ */
+
+/**
+ * Shallow equality for two route-param records. Same-reference is a fast path;
+ * otherwise compares key count then each value.
+ */
+export function paramsEqual(
+  a: Record<string, string>,
+  b: Record<string, string>,
+): boolean {
+  if (a === b) return true;
+
+  const keysA = Object.keys(a);
+  if (keysA.length !== Object.keys(b).length) return false;
+
+  for (const key of keysA) {
+    if (a[key] !== b[key]) return false;
+  }
+
+  return true;
+}