@rangojs/router 0.0.0-experimental.98 → 0.0.0-experimental.98914650

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (355) hide show
  1. package/README.md +24 -9
  2. package/dist/bin/rango.js +157 -63
  3. package/dist/testing/vitest.js +82 -0
  4. package/dist/vite/index.js +1584 -639
  5. package/package.json +60 -11
  6. package/skills/api-client/SKILL.md +211 -0
  7. package/skills/breadcrumbs/SKILL.md +60 -0
  8. package/skills/bundle-analysis/SKILL.md +159 -0
  9. package/skills/cache-guide/SKILL.md +222 -30
  10. package/skills/caching/SKILL.md +263 -8
  11. package/skills/composability/SKILL.md +27 -2
  12. package/skills/css/SKILL.md +76 -0
  13. package/skills/document-cache/SKILL.md +78 -55
  14. package/skills/handler-use/SKILL.md +3 -1
  15. package/skills/hooks/SKILL.md +235 -28
  16. package/skills/host-router/SKILL.md +122 -22
  17. package/skills/intercept/SKILL.md +29 -5
  18. package/skills/layout/SKILL.md +13 -9
  19. package/skills/links/SKILL.md +173 -17
  20. package/skills/loader/SKILL.md +170 -23
  21. package/skills/middleware/SKILL.md +16 -10
  22. package/skills/migrate-nextjs/SKILL.md +38 -16
  23. package/skills/mime-routes/SKILL.md +27 -0
  24. package/skills/observability/SKILL.md +137 -0
  25. package/skills/parallel/SKILL.md +11 -7
  26. package/skills/prerender/SKILL.md +14 -33
  27. package/skills/rango/SKILL.md +250 -26
  28. package/skills/react-compiler/SKILL.md +168 -0
  29. package/skills/response-routes/SKILL.md +114 -47
  30. package/skills/route/SKILL.md +22 -5
  31. package/skills/router-setup/SKILL.md +3 -3
  32. package/skills/server-actions/SKILL.md +78 -42
  33. package/skills/tailwind/SKILL.md +27 -3
  34. package/skills/testing/SKILL.md +129 -0
  35. package/skills/testing/bindings.md +89 -0
  36. package/skills/testing/cache-prerender.md +124 -0
  37. package/skills/testing/client-components.md +122 -0
  38. package/skills/testing/e2e-parity.md +125 -0
  39. package/skills/testing/flight.md +92 -0
  40. package/skills/testing/handles.md +129 -0
  41. package/skills/testing/loader.md +128 -0
  42. package/skills/testing/middleware.md +99 -0
  43. package/skills/testing/render-handler.md +121 -0
  44. package/skills/testing/response-routes.md +95 -0
  45. package/skills/testing/reverse-and-types.md +84 -0
  46. package/skills/testing/server-actions.md +107 -0
  47. package/skills/testing/server-tree.md +128 -0
  48. package/skills/testing/setup.md +120 -0
  49. package/skills/typesafety/SKILL.md +310 -26
  50. package/skills/use-cache/SKILL.md +36 -5
  51. package/skills/vercel/SKILL.md +107 -0
  52. package/skills/view-transitions/SKILL.md +294 -0
  53. package/src/__augment-tests__/augment.ts +81 -0
  54. package/src/__augment-tests__/augmented.check.ts +116 -0
  55. package/src/__internal.ts +0 -65
  56. package/src/browser/action-coordinator.ts +53 -36
  57. package/src/browser/action-fence.ts +47 -0
  58. package/src/browser/app-shell.ts +14 -27
  59. package/src/browser/cookie-name.ts +140 -0
  60. package/src/browser/event-controller.ts +37 -143
  61. package/src/browser/history-state.ts +21 -0
  62. package/src/browser/index.ts +3 -3
  63. package/src/browser/invalidate-client-cache.ts +52 -0
  64. package/src/browser/navigation-bridge.ts +30 -59
  65. package/src/browser/navigation-client.ts +96 -84
  66. package/src/browser/navigation-store-handle.ts +38 -0
  67. package/src/browser/navigation-store.ts +32 -82
  68. package/src/browser/navigation-transaction.ts +9 -59
  69. package/src/browser/partial-update.ts +60 -127
  70. package/src/browser/prefetch/cache.ts +82 -72
  71. package/src/browser/prefetch/fetch.ts +108 -33
  72. package/src/browser/prefetch/queue.ts +6 -3
  73. package/src/browser/rango-state.ts +157 -115
  74. package/src/browser/react/Link.tsx +0 -2
  75. package/src/browser/react/NavigationProvider.tsx +41 -48
  76. package/src/browser/react/ScrollRestoration.tsx +10 -6
  77. package/src/browser/react/filter-segment-order.ts +0 -2
  78. package/src/browser/react/index.ts +0 -48
  79. package/src/browser/react/location-state-shared.ts +166 -8
  80. package/src/browser/react/location-state.ts +39 -14
  81. package/src/browser/react/use-action.ts +6 -15
  82. package/src/browser/react/use-handle.ts +17 -14
  83. package/src/browser/react/use-link-status.ts +0 -4
  84. package/src/browser/react/use-navigation.ts +0 -3
  85. package/src/browser/react/use-params.ts +3 -6
  86. package/src/browser/react/use-reverse.ts +106 -0
  87. package/src/browser/react/use-router.ts +20 -5
  88. package/src/browser/react/use-search-params.ts +0 -5
  89. package/src/browser/react/use-segments.ts +0 -13
  90. package/src/browser/response-adapter.ts +52 -1
  91. package/src/browser/rsc-router.tsx +70 -34
  92. package/src/browser/scroll-restoration.ts +22 -14
  93. package/src/browser/segment-structure-assert.ts +2 -2
  94. package/src/browser/server-action-bridge.ts +168 -44
  95. package/src/browser/types.ts +36 -21
  96. package/src/browser/validate-redirect-origin.ts +43 -16
  97. package/src/build/collect-fallback-refs.ts +107 -0
  98. package/src/build/generate-manifest.ts +60 -35
  99. package/src/build/generate-route-types.ts +3 -0
  100. package/src/build/index.ts +8 -2
  101. package/src/build/prefix-tree-utils.ts +123 -0
  102. package/src/build/route-trie.ts +89 -11
  103. package/src/build/route-types/codegen.ts +4 -4
  104. package/src/build/route-types/include-resolution.ts +1 -1
  105. package/src/build/route-types/param-extraction.ts +6 -3
  106. package/src/build/route-types/per-module-writer.ts +7 -4
  107. package/src/build/route-types/router-processing.ts +122 -22
  108. package/src/build/route-types/scan-filter.ts +1 -1
  109. package/src/build/route-types/source-scan.ts +118 -0
  110. package/src/build/runtime-discovery.ts +9 -20
  111. package/src/cache/cache-error.ts +104 -0
  112. package/src/cache/cache-policy.ts +68 -28
  113. package/src/cache/cache-runtime.ts +134 -32
  114. package/src/cache/cache-scope.ts +100 -74
  115. package/src/cache/cache-tag.ts +98 -0
  116. package/src/cache/cf/cf-cache-store.ts +2255 -238
  117. package/src/cache/cf/index.ts +6 -16
  118. package/src/cache/document-cache.ts +61 -20
  119. package/src/cache/handle-snapshot.ts +63 -0
  120. package/src/cache/index.ts +22 -20
  121. package/src/cache/memory-segment-store.ts +136 -37
  122. package/src/cache/profile-registry.ts +6 -30
  123. package/src/cache/read-through-swr.ts +41 -11
  124. package/src/cache/segment-codec.ts +0 -16
  125. package/src/cache/tag-invalidation.ts +230 -0
  126. package/src/cache/types.ts +33 -100
  127. package/src/cache/vercel/index.ts +11 -0
  128. package/src/cache/vercel/vercel-cache-store.ts +799 -0
  129. package/src/client.rsc.tsx +6 -21
  130. package/src/client.tsx +25 -61
  131. package/src/component-utils.ts +19 -0
  132. package/src/context-var.ts +17 -5
  133. package/src/decode-loader-results.ts +36 -0
  134. package/src/defer.ts +196 -0
  135. package/src/deps/ssr.ts +0 -1
  136. package/src/errors.ts +30 -4
  137. package/src/handle.ts +31 -23
  138. package/src/handles/MetaTags.tsx +0 -14
  139. package/src/handles/breadcrumbs.ts +16 -5
  140. package/src/handles/meta.ts +0 -39
  141. package/src/host/cookie-handler.ts +0 -36
  142. package/src/host/errors.ts +0 -24
  143. package/src/host/index.ts +8 -2
  144. package/src/host/pattern-matcher.ts +7 -50
  145. package/src/host/router.ts +107 -99
  146. package/src/host/testing.ts +40 -27
  147. package/src/host/types.ts +37 -4
  148. package/src/host/utils.ts +1 -1
  149. package/src/href-client.ts +137 -22
  150. package/src/index.rsc.ts +63 -9
  151. package/src/index.ts +64 -9
  152. package/src/internal-debug.ts +2 -4
  153. package/src/loader-store.ts +500 -0
  154. package/src/loader.rsc.ts +20 -13
  155. package/src/loader.ts +12 -11
  156. package/src/missing-id-error.ts +68 -0
  157. package/src/network-error-thrower.tsx +1 -6
  158. package/src/outlet-provider.tsx +1 -5
  159. package/src/prerender/param-hash.ts +10 -11
  160. package/src/prerender/store.ts +32 -37
  161. package/src/prerender.ts +61 -6
  162. package/src/redirect-origin.ts +100 -0
  163. package/src/response-utils.ts +9 -0
  164. package/src/reverse.ts +65 -41
  165. package/src/root-error-boundary.tsx +1 -19
  166. package/src/route-content-wrapper.tsx +7 -72
  167. package/src/route-definition/dsl-helpers.ts +244 -281
  168. package/src/route-definition/helper-factories.ts +29 -139
  169. package/src/route-definition/helpers-types.ts +40 -17
  170. package/src/route-definition/redirect.ts +43 -9
  171. package/src/route-definition/resolve-handler-use.ts +6 -0
  172. package/src/route-definition/use-item-types.ts +32 -0
  173. package/src/route-map-builder.ts +0 -16
  174. package/src/route-types.ts +19 -41
  175. package/src/router/basename.ts +14 -0
  176. package/src/router/content-negotiation.ts +15 -15
  177. package/src/router/error-handling.ts +13 -17
  178. package/src/router/find-match.ts +44 -23
  179. package/src/router/handler-context.ts +4 -42
  180. package/src/router/intercept-resolution.ts +14 -19
  181. package/src/router/lazy-includes.ts +9 -46
  182. package/src/router/loader-resolution.ts +91 -46
  183. package/src/router/logging.ts +0 -6
  184. package/src/router/manifest.ts +18 -29
  185. package/src/router/match-api.ts +0 -20
  186. package/src/router/match-context.ts +0 -22
  187. package/src/router/match-handlers.ts +57 -58
  188. package/src/router/match-middleware/background-revalidation.ts +0 -7
  189. package/src/router/match-middleware/cache-lookup.ts +150 -271
  190. package/src/router/match-middleware/cache-store.ts +3 -33
  191. package/src/router/match-middleware/intercept-resolution.ts +0 -22
  192. package/src/router/match-middleware/segment-resolution.ts +0 -22
  193. package/src/router/match-pipelines.ts +1 -42
  194. package/src/router/match-result.ts +31 -80
  195. package/src/router/metrics.ts +0 -34
  196. package/src/router/middleware-types.ts +0 -116
  197. package/src/router/middleware.ts +118 -133
  198. package/src/router/navigation-snapshot.ts +0 -51
  199. package/src/router/params-util.ts +23 -0
  200. package/src/router/pattern-matching.ts +20 -58
  201. package/src/router/prerender-match.ts +99 -63
  202. package/src/router/preview-match.ts +3 -1
  203. package/src/router/request-classification.ts +28 -62
  204. package/src/router/revalidation.ts +50 -56
  205. package/src/router/route-snapshot.ts +0 -1
  206. package/src/router/router-context.ts +0 -27
  207. package/src/router/router-interfaces.ts +68 -35
  208. package/src/router/router-options.ts +55 -1
  209. package/src/router/router-registry.ts +2 -5
  210. package/src/router/segment-resolution/fresh.ts +44 -63
  211. package/src/router/segment-resolution/helpers.ts +34 -0
  212. package/src/router/segment-resolution/loader-cache.ts +40 -37
  213. package/src/router/segment-resolution/revalidation.ts +203 -285
  214. package/src/router/segment-resolution/static-store.ts +19 -5
  215. package/src/router/segment-resolution/streamed-handler-telemetry.ts +52 -0
  216. package/src/router/segment-resolution/view-transition-default.ts +36 -0
  217. package/src/router/segment-resolution.ts +4 -1
  218. package/src/router/segment-wrappers.ts +0 -3
  219. package/src/router/state-cookie-name.ts +33 -0
  220. package/src/router/substitute-pattern-params.ts +56 -0
  221. package/src/router/telemetry-otel.ts +0 -20
  222. package/src/router/telemetry.ts +96 -19
  223. package/src/router/timeout.ts +0 -20
  224. package/src/router/trie-matching.ts +87 -47
  225. package/src/router/types.ts +9 -63
  226. package/src/router/url-params.ts +0 -5
  227. package/src/router.ts +80 -41
  228. package/src/rsc/handler-context.ts +3 -2
  229. package/src/rsc/handler.ts +83 -78
  230. package/src/rsc/helpers.ts +93 -5
  231. package/src/rsc/index.ts +1 -1
  232. package/src/rsc/json-route-result.ts +38 -0
  233. package/src/rsc/manifest-init.ts +28 -41
  234. package/src/rsc/origin-guard.ts +39 -25
  235. package/src/rsc/progressive-enhancement.ts +12 -1
  236. package/src/rsc/redirect-guard.ts +99 -0
  237. package/src/rsc/response-error.ts +79 -12
  238. package/src/rsc/response-route-handler.ts +76 -62
  239. package/src/rsc/rsc-rendering.ts +41 -60
  240. package/src/rsc/runtime-warnings.ts +23 -10
  241. package/src/rsc/server-action.ts +62 -67
  242. package/src/rsc/ssr-setup.ts +16 -0
  243. package/src/rsc/types.ts +10 -5
  244. package/src/runtime-env.ts +18 -0
  245. package/src/search-params.ts +4 -20
  246. package/src/segment-loader-promise.ts +14 -2
  247. package/src/segment-system.tsx +199 -142
  248. package/src/serialize.ts +243 -0
  249. package/src/server/context.ts +150 -51
  250. package/src/server/cookie-store.ts +80 -5
  251. package/src/server/handle-store.ts +7 -24
  252. package/src/server/loader-registry.ts +5 -24
  253. package/src/server/request-context.ts +165 -87
  254. package/src/ssr/index.tsx +14 -14
  255. package/src/static-handler.ts +10 -13
  256. package/src/testing/cache-status.ts +162 -0
  257. package/src/testing/collect-handle.ts +40 -0
  258. package/src/testing/dispatch.ts +618 -0
  259. package/src/testing/dom.entry.ts +22 -0
  260. package/src/testing/e2e/fixture.ts +188 -0
  261. package/src/testing/e2e/index.ts +128 -0
  262. package/src/testing/e2e/matchers.ts +35 -0
  263. package/src/testing/e2e/page-helpers.ts +272 -0
  264. package/src/testing/e2e/parity.ts +387 -0
  265. package/src/testing/e2e/server.ts +195 -0
  266. package/src/testing/flight-matchers.ts +97 -0
  267. package/src/testing/flight-normalize.ts +11 -0
  268. package/src/testing/flight-runtime.d.ts +57 -0
  269. package/src/testing/flight-tree.ts +682 -0
  270. package/src/testing/flight.entry.ts +52 -0
  271. package/src/testing/flight.ts +232 -0
  272. package/src/testing/generated-routes.ts +183 -0
  273. package/src/testing/index.ts +99 -0
  274. package/src/testing/internal/context.ts +348 -0
  275. package/src/testing/internal/flight-client-globals.ts +30 -0
  276. package/src/testing/internal/seed-vars.ts +54 -0
  277. package/src/testing/render-handler.ts +330 -0
  278. package/src/testing/render-route.tsx +566 -0
  279. package/src/testing/run-loader.ts +378 -0
  280. package/src/testing/run-middleware.ts +205 -0
  281. package/src/testing/vitest-stubs/cloudflare-email.ts +9 -0
  282. package/src/testing/vitest-stubs/cloudflare-workers.ts +21 -0
  283. package/src/testing/vitest-stubs/plugin-rsc.ts +16 -0
  284. package/src/testing/vitest-stubs/version.ts +5 -0
  285. package/src/testing/vitest.ts +305 -0
  286. package/src/theme/ThemeProvider.tsx +0 -52
  287. package/src/theme/ThemeScript.tsx +0 -6
  288. package/src/theme/constants.ts +0 -12
  289. package/src/theme/index.ts +0 -7
  290. package/src/theme/theme-context.ts +1 -5
  291. package/src/theme/theme-script.ts +0 -14
  292. package/src/theme/use-theme.ts +0 -3
  293. package/src/types/boundaries.ts +0 -35
  294. package/src/types/cache-types.ts +13 -4
  295. package/src/types/error-types.ts +30 -90
  296. package/src/types/global-namespace.ts +54 -41
  297. package/src/types/handler-context.ts +97 -22
  298. package/src/types/index.ts +1 -10
  299. package/src/types/loader-types.ts +6 -3
  300. package/src/types/request-scope.ts +0 -19
  301. package/src/types/route-config.ts +6 -50
  302. package/src/types/route-entry.ts +0 -6
  303. package/src/types/segments.ts +18 -14
  304. package/src/urls/include-helper.ts +9 -56
  305. package/src/urls/index.ts +1 -11
  306. package/src/urls/path-helper-types.ts +19 -5
  307. package/src/urls/path-helper.ts +17 -106
  308. package/src/urls/pattern-types.ts +36 -19
  309. package/src/urls/response-types.ts +20 -19
  310. package/src/urls/type-extraction.ts +58 -139
  311. package/src/urls/urls-function.ts +1 -18
  312. package/src/use-loader.tsx +292 -107
  313. package/src/vite/debug.ts +1 -0
  314. package/src/vite/discovery/bundle-postprocess.ts +8 -7
  315. package/src/vite/discovery/discover-routers.ts +95 -82
  316. package/src/vite/discovery/discovery-errors.ts +194 -0
  317. package/src/vite/discovery/prerender-collection.ts +26 -34
  318. package/src/vite/discovery/route-types-writer.ts +40 -84
  319. package/src/vite/discovery/state.ts +39 -1
  320. package/src/vite/discovery/virtual-module-codegen.ts +14 -34
  321. package/src/vite/index.ts +4 -0
  322. package/src/vite/plugin-types.ts +185 -10
  323. package/src/vite/plugins/cjs-to-esm.ts +3 -18
  324. package/src/vite/plugins/client-ref-dedup.ts +0 -11
  325. package/src/vite/plugins/client-ref-hashing.ts +12 -11
  326. package/src/vite/plugins/cloudflare-protocol-stub.ts +1 -21
  327. package/src/vite/plugins/expose-action-id.ts +4 -75
  328. package/src/vite/plugins/expose-id-utils.ts +3 -54
  329. package/src/vite/plugins/expose-ids/export-analysis.ts +76 -34
  330. package/src/vite/plugins/expose-ids/handler-transform.ts +6 -74
  331. package/src/vite/plugins/expose-ids/loader-transform.ts +3 -20
  332. package/src/vite/plugins/expose-ids/router-transform.ts +0 -13
  333. package/src/vite/plugins/expose-internal-ids.ts +57 -67
  334. package/src/vite/plugins/performance-tracks.ts +9 -16
  335. package/src/vite/plugins/refresh-cmd.ts +1 -1
  336. package/src/vite/plugins/use-cache-transform.ts +26 -49
  337. package/src/vite/plugins/vercel-output.ts +258 -0
  338. package/src/vite/plugins/version-injector.ts +2 -32
  339. package/src/vite/plugins/version-plugin.ts +32 -23
  340. package/src/vite/plugins/virtual-entries.ts +35 -17
  341. package/src/vite/rango.ts +148 -115
  342. package/src/vite/router-discovery.ts +220 -68
  343. package/src/vite/utils/ast-handler-extract.ts +15 -31
  344. package/src/vite/utils/bundle-analysis.ts +10 -15
  345. package/src/vite/utils/client-chunks.ts +184 -0
  346. package/src/vite/utils/forward-user-plugins.ts +171 -0
  347. package/src/vite/utils/manifest-utils.ts +4 -59
  348. package/src/vite/utils/package-resolution.ts +1 -73
  349. package/src/vite/utils/prerender-utils.ts +0 -35
  350. package/src/vite/utils/shared-utils.ts +95 -43
  351. package/src/browser/action-response-classifier.ts +0 -99
  352. package/src/browser/react/use-client-cache.ts +0 -58
  353. package/src/browser/shallow.ts +0 -40
  354. package/src/handles/index.ts +0 -7
  355. package/src/router/middleware-cookies.ts +0 -55
@@ -9,11 +9,31 @@
9
9
  * navigations, bookmarks, and non-browser clients don't send Origin.
10
10
  */
11
11
 
12
+ import type { RequestPlan } from "../router/request-classification.js";
13
+
12
14
  /**
13
15
  * Request phase that triggered the origin check.
14
16
  */
15
17
  export type OriginCheckPhase = "action" | "loader" | "pe-form";
16
18
 
19
+ // Exhaustive over RequestPlan modes so a new mode must be classified here (the
20
+ // security gate) instead of silently falling through to no origin check.
21
+ export const ORIGIN_CHECK_PHASE_BY_MODE: Record<
22
+ RequestPlan["mode"],
23
+ OriginCheckPhase | null
24
+ > = {
25
+ action: "action",
26
+ loader: "loader",
27
+ "pe-render": "pe-form",
28
+ "full-render": null,
29
+ "partial-render": null,
30
+ response: null,
31
+ redirect: null,
32
+ "version-mismatch": null,
33
+ // Terminal: handled before the origin guard (emits X-RSC-Reload, no execution).
34
+ "app-switch": null,
35
+ };
36
+
17
37
  /**
18
38
  * Context passed to the originCheck callback.
19
39
  */
@@ -49,11 +69,8 @@ export type OriginCheckConfig<TEnv = any> =
49
69
  * Returns true to allow, false to reject.
50
70
  */
51
71
  export function defaultOriginCheck(request: Request, url: URL): boolean {
52
- // 1. Read Origin header (present on all cross-origin requests and
53
- // same-origin POST/PUT/PATCH/DELETE in modern browsers)
54
72
  let requestOrigin = request.headers.get("origin");
55
73
 
56
- // 2. Fallback to Referer if Origin is absent (some proxies strip it)
57
74
  if (!requestOrigin) {
58
75
  const referer = request.headers.get("referer");
59
76
  if (referer) {
@@ -65,23 +82,20 @@ export function defaultOriginCheck(request: Request, url: URL): boolean {
65
82
  }
66
83
  }
67
84
 
68
- // 3. No Origin or Referer — allow (can't be browser-initiated CSRF)
69
85
  if (!requestOrigin) return true;
70
86
 
71
- // "null" origin comes from privacy-sensitive contexts (data: URLs,
72
- // sandboxed iframes, cross-origin redirects). Reject it.
73
87
  if (requestOrigin === "null") return false;
74
88
 
75
- // 4. Determine expected host from Host header or URL.
76
- // X-Forwarded-Host/Proto are NOT used they are client-controllable
77
- // unless a trusted proxy strips them. On standard deployments (Cloudflare
78
- // Workers, Node behind nginx/caddy) the Host header is already correct.
79
- // For non-standard setups, use the custom function escape hatch.
80
- const expectedHost = request.headers.get("host") || url.host;
81
- const expectedProtocol = url.protocol;
89
+ // An Origin/Referer is present, so this is a browser request worth checking.
90
+ // Establish the expected origin from the Host header only -- browsers always
91
+ // send Host alongside Origin (runtimes synthesize it from the HTTP/2
92
+ // :authority), so a missing Host here is anomalous. Fail closed rather than
93
+ // fall back to url.host (derived from the request line) when the trusted Host
94
+ // cannot be established.
95
+ const expectedHost = request.headers.get("host");
96
+ if (!expectedHost) return false;
82
97
 
83
- // 5. Build expected origin and compare (case-insensitive)
84
- const expectedOrigin = `${expectedProtocol}//${expectedHost}`;
98
+ const expectedOrigin = `${url.protocol}//${expectedHost}`;
85
99
 
86
100
  return requestOrigin.toLowerCase() === expectedOrigin.toLowerCase();
87
101
  }
@@ -116,14 +130,15 @@ export async function checkRequestOrigin<TEnv = any>(
116
130
  // Disabled by explicit opt-out
117
131
  if (config === false) return null;
118
132
 
119
- // Default: built-in validation (config === true or undefined)
120
- if (config === true || config === undefined) {
121
- const allowed = defaultOriginCheck(request, url);
122
- if (allowed) return null;
123
- return createForbiddenResponse(request);
124
- }
133
+ // Default (true/undefined) becomes a callback returning boolean, so the
134
+ // Response|true|reject resolution below is written once.
135
+ const check: (
136
+ ctx: OriginCheckContext<TEnv>,
137
+ ) => boolean | Response | Promise<boolean | Response> =
138
+ config === true || config === undefined
139
+ ? () => defaultOriginCheck(request, url)
140
+ : config;
125
141
 
126
- // Custom function — build context and call
127
142
  const ctx: OriginCheckContext<TEnv> = {
128
143
  request,
129
144
  url,
@@ -133,9 +148,8 @@ export async function checkRequestOrigin<TEnv = any>(
133
148
  defaultCheck: () => defaultOriginCheck(request, url),
134
149
  };
135
150
 
136
- const result = await config(ctx);
151
+ const result = await check(ctx);
137
152
 
138
153
  if (result instanceof Response) return result;
139
- if (result === true) return null;
140
- return createForbiddenResponse(request);
154
+ return result === true ? null : createForbiddenResponse(request);
141
155
  }
@@ -155,6 +155,14 @@ export async function handleProgressiveEnhancement<TEnv>(
155
155
  } else if (isDirectAction && directActionId) {
156
156
  const temporaryReferences = ctx.createTemporaryReferenceSet();
157
157
 
158
+ // INTENTIONAL JS/PE divergence (do NOT "fix" to match the JS reject path).
159
+ // On the JS path React Flight-encodes the action args, so decodeReply
160
+ // succeeds or a failure means a malformed body (rejected). On the no-JS PE
161
+ // path the browser submits a raw <form action={fn}> POST with NO encoded
162
+ // args, so decodeReply throws by design and the raw FormData IS the action
163
+ // argument (the React form-action convention: fn(formData)). Removing this
164
+ // fallback breaks every unbound no-JS form action (verified: it fails the
165
+ // progressive-enhancement dev+prod e2e suite). See #572 (decided: keep).
158
166
  let args: unknown[] = [];
159
167
  try {
160
168
  args = await ctx.decodeReply(formData, { temporaryReferences });
@@ -254,11 +262,11 @@ export async function handleProgressiveEnhancement<TEnv>(
254
262
  rootLayout: ctx.router.rootLayout,
255
263
  handles: handleStore.stream(),
256
264
  version: ctx.version,
265
+ stateCookieName: ctx.router.resolvedStateCookieName,
257
266
  themeConfig: ctx.router.themeConfig,
258
267
  warmupEnabled: ctx.router.warmupEnabled,
259
268
  initialTheme: requireRequestContext().theme,
260
269
  },
261
- formState: actionResult,
262
270
  };
263
271
 
264
272
  const rscStream = ctx.renderToReadableStream<RscPayload>(payload, {
@@ -276,6 +284,8 @@ export async function handleProgressiveEnhancement<TEnv>(
276
284
  url,
277
285
  undefined,
278
286
  );
287
+ // reactFormState carries the useActionState payload via the SSR-option path
288
+ // (renderToReadableStream({ formState })); it does NOT travel on RscPayload.
279
289
  const htmlStream = await ssrModule.renderHTML(rscStream, {
280
290
  formState: reactFormState,
281
291
  nonce,
@@ -362,6 +372,7 @@ async function renderPeErrorBoundary<TEnv>(
362
372
  rootLayout: ctx.router.rootLayout,
363
373
  handles: handleStore.stream(),
364
374
  version: ctx.version,
375
+ stateCookieName: ctx.router.resolvedStateCookieName,
365
376
  themeConfig: ctx.router.themeConfig,
366
377
  warmupEnabled: ctx.router.warmupEnabled,
367
378
  initialTheme: requireRequestContext().theme,
@@ -0,0 +1,99 @@
1
+ /**
2
+ * Server-side open-redirect guard.
3
+ *
4
+ * Applied to the FINAL handler response (the single top-level return in
5
+ * `handler.ts`) so every browser-followed redirect honors the same same-origin
6
+ * rule the client enforces (`browser/validate-redirect-origin.ts`), via the one
7
+ * shared resolver in `redirect-origin.ts`. This is the server half of the
8
+ * client's existing guard: the client can only validate redirects its own JS
9
+ * navigates to (the SPA/fetch channel), so document-native redirects -- a no-JS
10
+ * PE form POST, a full-page GET `match.redirect`, a middleware `redirect()`
11
+ * short-circuit, a response-route 3xx -- reach the browser with no client in the
12
+ * loop. They all funnel through one handler return, so guarding there covers
13
+ * every one and any future redirect exit.
14
+ *
15
+ * Soft (SPA/Flight) redirects are 200/204 responses (`X-RSC-Redirect` header or
16
+ * `metadata.redirect` payload) and are NOT redirect Responses, so they never
17
+ * reach this guard -- they stay validated client-side.
18
+ *
19
+ * Behavior on a `Location` header:
20
+ * - same-origin / relative -> passes through unchanged
21
+ * - `redirect(url, { external: true })` (out-of-band brand present) and an
22
+ * http(s) target -> allowed (explicit, auditable, unforgeable opt-in)
23
+ * - branded but a non-http(s) target (e.g. `javascript:`) -> neutralized: the
24
+ * opt-in waives the same-origin rule, NOT scheme safety
25
+ * - cross-origin without the brand -> Location rewritten to the basename root
26
+ * (a safe same-origin landing, the document analog of the client's "stay put");
27
+ * dev logs the blocked target and points to `{ external: true }`.
28
+ *
29
+ * The opt-in is an out-of-band brand on the Response object (isExternalRedirect),
30
+ * never a wire header: a header is forgeable by an attacker-controlled upstream
31
+ * response a proxy-style response route copies through, which would defeat the
32
+ * guard without app code ever opting in. The reserved header name is stripped
33
+ * defensively so a forged value can never reach the browser.
34
+ */
35
+
36
+ import { isRedirectResponse } from "../response-utils.js";
37
+ import {
38
+ resolveSameOriginRedirect,
39
+ resolveExternalRedirect,
40
+ isExternalRedirect,
41
+ EXTERNAL_REDIRECT_MARKER,
42
+ } from "../redirect-origin.js";
43
+ import { carryOverRedirectHeaders } from "./helpers.js";
44
+
45
+ export function guardOutgoingRedirect(
46
+ response: Response,
47
+ requestOrigin: string,
48
+ basename: string | undefined,
49
+ ): Response {
50
+ // Only 3xx + Location responses (document-native redirects) are guarded.
51
+ if (!isRedirectResponse(response)) {
52
+ return response;
53
+ }
54
+
55
+ // The reserved marker is never a trust signal. Strip any value -- forged by a
56
+ // proxied upstream or otherwise -- so it can never reach the browser. Trust
57
+ // comes solely from the out-of-band brand below.
58
+ try {
59
+ response.headers.delete(EXTERNAL_REDIRECT_MARKER);
60
+ } catch {
61
+ // Some platform responses carry immutable headers; the header is inert on
62
+ // the browser, so a failed strip is harmless.
63
+ }
64
+
65
+ // isRedirectResponse guarantees a truthy Location.
66
+ const location = response.headers.get("Location")!;
67
+
68
+ // Explicit opt-in via redirect(url, { external: true }): allow an off-host
69
+ // target, but only an http(s) one. external waives the same-origin rule, not
70
+ // scheme safety -- a branded javascript:/data: target falls through to be
71
+ // neutralized so it can never become a scriptable navigation downstream.
72
+ if (isExternalRedirect(response)) {
73
+ if (resolveExternalRedirect(location, requestOrigin) !== null) {
74
+ return response;
75
+ }
76
+ } else if (resolveSameOriginRedirect(location, requestOrigin) !== null) {
77
+ return response;
78
+ }
79
+
80
+ // Cross-origin (or unsafe-scheme external): neutralize to a safe same-origin
81
+ // landing.
82
+ const safeTarget = basename && basename !== "/" ? basename : "/";
83
+ if (process.env.NODE_ENV !== "production") {
84
+ console.error(
85
+ `[rango] Blocked cross-origin redirect to "${location}"; sent to ` +
86
+ `"${safeTarget}" instead. To redirect off-host on purpose, use ` +
87
+ `redirect(url, { external: true }).`,
88
+ );
89
+ }
90
+
91
+ const blocked = new Response(null, {
92
+ status: response.status,
93
+ headers: { Location: safeTarget },
94
+ });
95
+ // Preserve cookies and any other headers (Set-Cookie, Server-Timing, ...);
96
+ // carryOverRedirectHeaders intentionally skips Location.
97
+ carryOverRedirectHeaders(response, blocked);
98
+ return blocked;
99
+ }
@@ -1,37 +1,104 @@
1
1
  /**
2
- * Response Error Payload Builder
2
+ * Problem Details (RFC 9457) Builder
3
3
  *
4
- * Builds a ResponseError object from a caught error, controlling
5
- * what information is exposed based on error type and environment.
4
+ * Builds a problem+json error body from a caught error, controlling what
5
+ * information is exposed based on error type and environment.
6
6
  */
7
7
 
8
8
  import { RouterError } from "../errors.js";
9
- import type { ResponseError } from "../urls.js";
9
+ import type { ProblemDetails } from "../urls.js";
10
10
 
11
11
  /**
12
- * Build a ResponseError payload from a caught error.
13
- * RouterError messages are always exposed (developer-crafted).
12
+ * HTTP reason phrases for the problem `title` member. Inlined because the
13
+ * router targets edge/worker runtimes without node's `http.STATUS_CODES`;
14
+ * covers the full standard 4xx/5xx range, with a generic fallback for any
15
+ * non-standard status a handler might set.
16
+ */
17
+ const STATUS_PHRASES: Record<number, string> = {
18
+ 400: "Bad Request",
19
+ 401: "Unauthorized",
20
+ 402: "Payment Required",
21
+ 403: "Forbidden",
22
+ 404: "Not Found",
23
+ 405: "Method Not Allowed",
24
+ 406: "Not Acceptable",
25
+ 407: "Proxy Authentication Required",
26
+ 408: "Request Timeout",
27
+ 409: "Conflict",
28
+ 410: "Gone",
29
+ 411: "Length Required",
30
+ 412: "Precondition Failed",
31
+ 413: "Payload Too Large",
32
+ 414: "URI Too Long",
33
+ 415: "Unsupported Media Type",
34
+ 416: "Range Not Satisfiable",
35
+ 417: "Expectation Failed",
36
+ 418: "I'm a Teapot",
37
+ 421: "Misdirected Request",
38
+ 422: "Unprocessable Entity",
39
+ 423: "Locked",
40
+ 424: "Failed Dependency",
41
+ 425: "Too Early",
42
+ 426: "Upgrade Required",
43
+ 428: "Precondition Required",
44
+ 429: "Too Many Requests",
45
+ 431: "Request Header Fields Too Large",
46
+ 451: "Unavailable For Legal Reasons",
47
+ 500: "Internal Server Error",
48
+ 501: "Not Implemented",
49
+ 502: "Bad Gateway",
50
+ 503: "Service Unavailable",
51
+ 504: "Gateway Timeout",
52
+ 505: "HTTP Version Not Supported",
53
+ 506: "Variant Also Negotiates",
54
+ 507: "Insufficient Storage",
55
+ 508: "Loop Detected",
56
+ 510: "Not Extended",
57
+ 511: "Network Authentication Required",
58
+ };
59
+
60
+ function statusPhrase(status: number): string {
61
+ return STATUS_PHRASES[status] ?? "Error";
62
+ }
63
+
64
+ /**
65
+ * Build an RFC 9457 problem+json body from a caught error.
66
+ * RouterError messages/codes are always exposed (developer-crafted).
14
67
  * Standard Error messages are hidden in production.
68
+ *
69
+ * The `type` member is omitted in this phase: per RFC 9457 an absent `type` is
70
+ * treated as `"about:blank"` (no semantics beyond the HTTP status), so emitting
71
+ * it adds nothing. Per-route problem-type URIs arrive with the declared-errors
72
+ * map later. `code` is always present so consumers can branch on it
73
+ * (`"INTERNAL"` for non-RouterError failures).
15
74
  */
16
- export function createResponseErrorPayload(
75
+ export function createProblemDetails(
17
76
  error: unknown,
77
+ status: number,
18
78
  isDev: boolean,
19
- ): ResponseError {
79
+ ): ProblemDetails {
20
80
  if (error instanceof RouterError) {
21
81
  return {
22
- message: error.message,
82
+ title: statusPhrase(status),
83
+ status,
84
+ detail: error.message,
23
85
  code: error.code,
24
- ...(error.type ? { type: error.type } : {}),
25
86
  ...(isDev && error.stack ? { stack: error.stack } : {}),
26
87
  };
27
88
  }
28
89
  if (error instanceof Error) {
29
90
  return {
30
- message: isDev ? error.message : "Internal Server Error",
91
+ title: statusPhrase(status),
92
+ status,
93
+ detail: isDev ? error.message : "Internal Server Error",
94
+ code: "INTERNAL",
31
95
  ...(isDev && error.stack ? { stack: error.stack } : {}),
32
96
  };
33
97
  }
34
98
  return {
35
- message: isDev ? String(error) : "Internal Server Error",
99
+ title: statusPhrase(status),
100
+ status,
101
+ detail: isDev ? String(error) : "Internal Server Error",
102
+ code: "INTERNAL",
36
103
  };
37
104
  }
@@ -11,7 +11,8 @@ import { requireRequestContext } from "../server/request-context.js";
11
11
  import { contextGet } from "../context-var.js";
12
12
  import { NOCACHE_SYMBOL } from "../cache/taint.js";
13
13
  import { traverseBack } from "../router/pattern-matching.js";
14
- import { createCacheScope } from "../cache/cache-scope.js";
14
+ import { RESPONSE_TYPE_MIME } from "../router/content-negotiation.js";
15
+ import { createCacheScope, resolveCacheTags } from "../cache/cache-scope.js";
15
16
  import { executeMiddleware } from "../router/middleware.js";
16
17
  import {
17
18
  createReverseFunction,
@@ -20,7 +21,7 @@ import {
20
21
  import type { MiddlewareFn } from "../router/middleware.js";
21
22
  import type { EntryData } from "../server/context.js";
22
23
  import type { HandlerContext } from "./handler-context.js";
23
- import { createResponseErrorPayload } from "./response-error.js";
24
+ import { createProblemDetails } from "./response-error.js";
24
25
  import {
25
26
  createResponseWithMergedHeaders,
26
27
  finalizeResponse,
@@ -29,6 +30,12 @@ import {
29
30
  mergeStubHeadersAndFinalize,
30
31
  } from "./helpers.js";
31
32
  import { isWebSocketUpgradeResponse } from "../response-utils.js";
33
+ import { stringifyJsonRouteResult } from "./json-route-result.js";
34
+ import {
35
+ EXTERNAL_REDIRECT_MARKER,
36
+ isExternalRedirect,
37
+ markExternalRedirect,
38
+ } from "../redirect-origin.js";
32
39
 
33
40
  export interface ResponseRouteMatch {
34
41
  responseType: string;
@@ -109,49 +116,31 @@ export async function handleResponseRoute<TEnv>(
109
116
  }
110
117
  const headers = new Headers();
111
118
  result.headers.forEach((value, key) => {
119
+ // Never copy the reserved external-redirect marker off a handler result.
120
+ // It is not a trust signal -- the opt-in is the out-of-band brand below
121
+ // -- and a proxy-style route returning an attacker-controlled upstream
122
+ // response must not let a forged value ride through to the browser.
123
+ if (key.toLowerCase() === EXTERNAL_REDIRECT_MARKER) return;
112
124
  if (key.toLowerCase() === "set-cookie") {
113
125
  headers.append(key, value);
114
126
  } else {
115
127
  headers.set(key, value);
116
128
  }
117
129
  });
118
- return createResponseWithMergedHeaders(result.body, {
130
+ const rewrapped = createResponseWithMergedHeaders(result.body, {
119
131
  status: result.status,
120
132
  headers,
121
133
  });
122
- };
123
-
124
- // JSON response routes: wrap in { data } / { error } envelope
125
- if (preview.responseType === "json") {
126
- try {
127
- const result = await (preview.handler as Function)(responseHandlerCtx);
128
- if (result instanceof Response) {
129
- return rewrapResponse(result);
130
- }
131
- return createResponseWithMergedHeaders(
132
- JSON.stringify({ data: result }),
133
- {
134
- status: 200,
135
- headers: { "content-type": "application/json;charset=utf-8" },
136
- },
137
- );
138
- } catch (error) {
139
- handlerCtx.callOnError(error, "handler", errorCtx);
140
- const isDev = process.env.NODE_ENV !== "production";
141
- const status = error instanceof RouterError ? error.status : 500;
142
- return createResponseWithMergedHeaders(
143
- JSON.stringify({
144
- error: createResponseErrorPayload(error, isDev),
145
- }),
146
- {
147
- status,
148
- headers: { "content-type": "application/json;charset=utf-8" },
149
- },
150
- );
134
+ // Transfer the out-of-band external brand only when the handler result is
135
+ // genuinely branded (a real redirect(url, { external: true })). A proxied
136
+ // upstream Response is never branded, so an attacker cannot opt a response
137
+ // route's redirect out of the same-origin guard by injecting the header.
138
+ if (isExternalRedirect(result)) {
139
+ markExternalRedirect(rewrapped);
151
140
  }
152
- }
141
+ return rewrapped;
142
+ };
153
143
 
154
- // Non-JSON response routes: catch errors and return plain Response
155
144
  try {
156
145
  const result = await (preview.handler as Function)(responseHandlerCtx);
157
146
 
@@ -159,38 +148,56 @@ export async function handleResponseRoute<TEnv>(
159
148
  return rewrapResponse(result);
160
149
  }
161
150
 
162
- // Auto-wrap based on response type tag
163
- switch (preview.responseType) {
164
- case "text":
165
- return createResponseWithMergedHeaders(String(result), {
166
- status: 200,
167
- headers: { "content-type": "text/plain;charset=utf-8" },
168
- });
169
- case "html":
170
- return createResponseWithMergedHeaders(String(result), {
171
- status: 200,
172
- headers: { "content-type": "text/html;charset=utf-8" },
173
- });
174
- case "xml":
175
- return createResponseWithMergedHeaders(String(result), {
176
- status: 200,
177
- headers: { "content-type": "application/xml;charset=utf-8" },
178
- });
179
- case "md":
180
- return createResponseWithMergedHeaders(String(result), {
181
- status: 200,
182
- headers: { "content-type": "text/markdown;charset=utf-8" },
183
- });
184
- default:
185
- // image, stream, any -- must return Response
186
- throw new Error(
187
- `Response route handler for "${preview.responseType}" must return a Response object, got ${typeof result}`,
188
- );
151
+ // Handled before the MIME lookup (json is also a RESPONSE_TYPE_MIME key).
152
+ if (preview.responseType === "json") {
153
+ // Runtime guard: the json() return type rejects nested Promises at
154
+ // compile time, but an `as`-cast or untyped (JS) handler can still slip
155
+ // one through. stringifyJsonRouteResult throws a clear error instead of
156
+ // shipping empty data (shared with dispatch() so the two cannot drift).
157
+ const body = stringifyJsonRouteResult(result);
158
+ return createResponseWithMergedHeaders(body, {
159
+ status: 200,
160
+ headers: { "content-type": "application/json;charset=utf-8" },
161
+ });
162
+ }
163
+
164
+ // Object.hasOwn (not truthiness) so prototype names like "toString" are not
165
+ // matched; image/stream/any are absent and fall through to the throw.
166
+ if (Object.hasOwn(RESPONSE_TYPE_MIME, preview.responseType)) {
167
+ return createResponseWithMergedHeaders(String(result), {
168
+ status: 200,
169
+ headers: {
170
+ "content-type": `${RESPONSE_TYPE_MIME[preview.responseType]};charset=utf-8`,
171
+ },
172
+ });
189
173
  }
174
+
175
+ throw new Error(
176
+ `Response route handler for "${preview.responseType}" must return a Response object, got ${typeof result}`,
177
+ );
190
178
  } catch (error) {
191
179
  handlerCtx.callOnError(error, "handler", errorCtx);
192
180
  const isDev = process.env.NODE_ENV !== "production";
193
- const status = error instanceof RouterError ? error.status : 500;
181
+ const derivedStatus = error instanceof RouterError ? error.status : 500;
182
+ // Resolve the effective status the same way createResponseWithMergedHeaders
183
+ // will (ctx.res.status override) so the problem body's status/title match
184
+ // the actual HTTP status — e.g. when a handler called ctx.setStatus()
185
+ // before throwing.
186
+ const status =
187
+ reqCtx.res.status !== 200 ? reqCtx.res.status : derivedStatus;
188
+
189
+ if (preview.responseType === "json") {
190
+ return createResponseWithMergedHeaders(
191
+ JSON.stringify(createProblemDetails(error, status, isDev)),
192
+ {
193
+ status,
194
+ headers: {
195
+ "content-type": "application/problem+json;charset=utf-8",
196
+ },
197
+ },
198
+ );
199
+ }
200
+
194
201
  const message =
195
202
  error instanceof RouterError
196
203
  ? error.message
@@ -275,6 +282,11 @@ export async function handleResponseRoute<TEnv>(
275
282
  }
276
283
  }
277
284
 
285
+ // Resolve cache tags for this document entry (static or dynamic),
286
+ // while request context is available. Passed to putResponse so the
287
+ // entry is tag-invalidatable.
288
+ const responseTags = resolveCacheTags(cacheScope.config, reqCtx);
289
+
278
290
  // Save pre-handler callbacks (registered by app-level middleware
279
291
  // before we reach the cache block) and clear the live array.
280
292
  // createResponseWithMergedHeaders (inside the handler) eagerly
@@ -316,6 +328,7 @@ export async function handleResponseRoute<TEnv>(
316
328
  fresh.clone(),
317
329
  cacheScope!.ttl,
318
330
  cacheScope!.swr,
331
+ responseTags,
319
332
  );
320
333
  }
321
334
  } catch (error) {
@@ -344,6 +357,7 @@ export async function handleResponseRoute<TEnv>(
344
357
  response.clone(),
345
358
  cacheScope!.ttl,
346
359
  cacheScope!.swr,
360
+ responseTags,
347
361
  );
348
362
  } catch (error) {
349
363
  console.error(`[ResponseCache] Cache write failed:`, error);