@rexeus/typeweaver-server 0.10.2 → 0.10.4

package/dist/lib/PathMatcher.ts

@@ -9,13 +9,17 @@
  * Creates a predicate that tests whether a request path matches a pattern.
  *
  * Supports three pattern types:
- * - **Exact match**: `"/users"` matches only `"/users"`
+ * - **Exact match**: `"/users"` matches `"/users"` and canonically
+ *   equivalent rooted paths such as `"/users/"` and `"/users//"`
  * - **Prefix match**: `"/users/*"` matches `"/users"` and any path beneath it
  *   (e.g. `"/users/123"`, `"/users/123/posts"`)
  * - **Parameterized segments**: `"/users/:id"` matches paths where `:id` stands
  *   for exactly one segment (e.g. `"/users/123"` but not `"/users/123/posts"`)
  *
  * Uses the same `:paramName` syntax as typeweaver route definitions.
+ * Rooted request paths are canonicalized with the same empty-segment
+ * filtering used by the router, so duplicate and trailing slashes match the
+ * route they dispatch to. Unrooted request paths do not match rooted patterns.
  *
  * @example
  * ```typescript
@@ -30,27 +34,67 @@
  * ```
  */
 export function pathMatcher(pattern: string): (path: string) => boolean {
+  const patternSegments = patternToSegments(pattern);
+
   if (pattern.endsWith("/*")) {
-    const prefix = pattern.slice(0, -2);
-    return path => path === prefix || path.startsWith(prefix + "/");
+    const prefixSegments = patternToSegments(pattern.slice(0, -2));
+
+    return path => {
+      const pathSegments = toSegments(path);
+      if (pathSegments === undefined) return false;
+      if (pathSegments.length < prefixSegments.length) return false;
+
+      return prefixSegments.every(
+        (segment, index) => pathSegments[index] === segment
+      );
+    };
   }
 
-  const segments = pattern.split("/");
-  const hasParams = segments.some(s => s.startsWith(":"));
+  const hasParams = patternSegments.some(s => s.startsWith(":"));
 
   if (!hasParams) {
-    return path => path === pattern;
+    return path => {
+      const pathSegments = toSegments(path);
+      if (pathSegments === undefined) return false;
+
+      return segmentsEqual(patternSegments, pathSegments);
+    };
   }
 
-  const segmentCount = segments.length;
-  const matchers = segments.map(s => (s.startsWith(":") ? null : s));
+  const segmentCount = patternSegments.length;
+  const matchers = patternSegments.map(s => (s.startsWith(":") ? null : s));
 
   return path => {
-    const parts = path.split("/");
+    const parts = toSegments(path);
+    if (parts === undefined) return false;
     if (parts.length !== segmentCount) return false;
+
     for (let i = 0; i < segmentCount; i++) {
-      if (matchers[i] !== null && matchers[i] !== parts[i]) return false;
+      if (matchers[i] === null) {
+        continue;
+      }
+
+      if (matchers[i] !== parts[i]) return false;
     }
     return true;
   };
 }
+
+function toSegments(path: string): readonly string[] | undefined {
+  if (!path.startsWith("/")) return undefined;
+
+  return patternToSegments(path);
+}
+
+function patternToSegments(path: string): readonly string[] {
+  return path.split("/").filter(segment => segment.length > 0);
+}
+
+function segmentsEqual(
+  left: readonly string[],
+  right: readonly string[]
+): boolean {
+  if (left.length !== right.length) return false;
+
+  return left.every((segment, index) => right[index] === segment);
+}

package/dist/lib/Router.ts

@@ -135,6 +135,11 @@ export class Router {
    * Register a route in the radix tree.
    */
   public add(definition: RouteDefinition): void {
+    const method = definition.method.toUpperCase();
+    const normalizedDefinition =
+      definition.method === method
+        ? definition
+        : { ...definition, method: method as HttpMethod };
     const segments = Router.toSegments(definition.path);
 
     let current = this.root;
@@ -161,13 +166,13 @@ export class Router {
       }
     }
 
-    if (current.methods.has(definition.method)) {
+    if (current.methods.has(method)) {
       throw new Error(
-        `Route conflict: ${definition.method} ${definition.path} is already registered`
+        `Route conflict: ${method} ${definition.path} is already registered`
       );
     }
 
-    current.methods.set(definition.method, definition);
+    current.methods.set(method, normalizedDefinition);
   }
 
   /**
@@ -280,7 +285,14 @@ export class Router {
   private static decodePathSegment(segment: string): string {
     try {
       const decoded = decodeURIComponent(segment);
-      if (decoded === ".." || decoded === ".") return segment;
+      if (
+        decoded === ".." ||
+        decoded === "." ||
+        decoded.includes("/") ||
+        decoded.includes("\\")
+      ) {
+        return segment;
+      }
       return decoded;
     } catch {
       return segment;

package/dist/lib/TypeweaverApp.ts

@@ -5,6 +5,7 @@
  * @generated by @rexeus/typeweaver
  */
 
+// oxlint-disable import/max-dependencies
 import {
   badRequestDefaultError,
   createDefaultErrorBody,
@@ -12,26 +13,29 @@ import {
   internalServerErrorDefaultError,
   isTypedHttpResponse,
   methodNotAllowedDefaultError,
+  normalizeHttpResponse,
   notFoundDefaultError,
   payloadTooLargeDefaultError,
   RequestValidationError,
+  toHttpResponse,
   validationDefaultError,
 } from "@rexeus/typeweaver-core";
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
 import { BodyParseError, PayloadTooLargeError } from "./Errors.js";
-import { FetchApiAdapter } from "./FetchApiAdapter.js";
 import { executeMiddlewarePipeline } from "./Middleware.js";
 import { Router } from "./Router.js";
 import { StateMap } from "./StateMap.js";
+import { initializeTypeweaverAppRuntime } from "./TypeweaverAppRuntime.js";
+import type { FetchApiAdapter } from "./FetchApiAdapter.js";
 import type { Middleware } from "./Middleware.js";
 import type { RequestHandler } from "./RequestHandler.js";
 import type {
   HttpResponseErrorHandler,
+  RequestValidationErrorHandler,
   ResponseValidationErrorHandler,
   RouteDefinition,
   RouteMatch,
   UnknownErrorHandler,
-  RequestValidationErrorHandler,
 } from "./Router.js";
 import type { ServerContext } from "./ServerContext.js";
 import type {
@@ -82,8 +86,12 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
   private readonly onError: (error: unknown) => void;
 
   public constructor(options?: TypeweaverAppOptions) {
-    this.adapter = new FetchApiAdapter({ maxBodySize: options?.maxBodySize });
-    this.onError = options?.onError ?? console.error;
+    this.onError = options?.onError ?? (error => console.error(error));
+    this.adapter = initializeTypeweaverAppRuntime({
+      app: this,
+      options,
+      reportError: error => this.safeOnError(error),
+    });
   }
 
   private safeOnError(error: unknown): void {
@@ -234,13 +242,21 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
       const routeCtx = this.withPathParams(ctx, match.params);
       try {
         const response = await this.executeHandler(routeCtx, match.route);
-        return await this.validateResponse(match.route, response, routeCtx);
+        return await this.validateResponse(
+          match.route,
+          normalizeHttpResponse(response),
+          routeCtx
+        );
       } catch (error) {
         if (
           isTypedHttpResponse(error) &&
           match.route.routerConfig.validateResponses
         ) {
-          return await this.validateResponse(match.route, error, routeCtx);
+          return await this.validateResponse(
+            match.route,
+            toHttpResponse(error),
+            routeCtx
+          );
         }
         return this.handleError(error, routeCtx, match.route);
       }
@@ -283,7 +299,7 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
    * - `validateResponses: true` (default) → runs validation:
    *   - Valid response → returns the stripped response (extra fields removed).
    *   - Invalid response + handler configured → calls the handler safely.
-   *     If the handler throws, falls back to the original response.
+   *     If the handler throws, fails closed with a sanitized 500 response.
    *   - Invalid response + `handleResponseValidationErrors: false` → returns
    *     the original (invalid) response as-is.
    *
@@ -301,7 +317,9 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
 
     const result = route.responseValidator.safeValidate(response);
 
-    if (result.isValid) return result.data;
+    if (result.isValid) {
+      return normalizeHttpResponse(result.data);
+    }
 
     const handler = this.resolveErrorHandler<ResponseValidationErrorHandler>(
       route.routerConfig.handleResponseValidationErrors,
@@ -313,6 +331,11 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
         handler(result.error, response, ctx)
       );
       if (handlerResponse) return handlerResponse;
+      return TypeweaverApp.defaultResponseValidationHandler(
+        result.error,
+        response,
+        ctx
+      );
     }
 
     return response;
@@ -455,7 +478,7 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
 
   private static defaultHttpResponseHandler: HttpResponseErrorHandler = (
     err
-  ): IHttpResponse => err;
+  ): IHttpResponse => toHttpResponse(err);
 
   private readonly defaultUnknownHandler: UnknownErrorHandler = (
     error

package/dist/lib/TypeweaverAppRuntime.ts

@@ -0,0 +1,37 @@
+/**
+ * This file was automatically generated by typeweaver.
+ * DO NOT EDIT. Instead, modify the source definition file and generate again.
+ *
+ * @generated by @rexeus/typeweaver
+ */
+
+import { createFetchBodyLimitPolicy } from "./BodyLimitPolicy.js";
+import { FetchApiAdapter } from "./FetchApiAdapter.js";
+import { setTypeweaverAppRuntimeContext } from "./TypeweaverInternals.js";
+import type { TypeweaverApp } from "./TypeweaverApp.js";
+
+type InitializeTypeweaverAppRuntimeOptions = {
+  readonly maxBodySize?: number;
+};
+
+type InitializeTypeweaverAppRuntimeParameters = {
+  readonly app: TypeweaverApp<any>;
+  readonly options?: InitializeTypeweaverAppRuntimeOptions;
+  readonly reportError: (error: unknown) => void;
+};
+
+export function initializeTypeweaverAppRuntime({
+  app,
+  options,
+  reportError,
+}: InitializeTypeweaverAppRuntimeParameters): FetchApiAdapter {
+  const bodyLimitPolicy = createFetchBodyLimitPolicy(options?.maxBodySize);
+  const adapter = new FetchApiAdapter({ bodyLimitPolicy });
+
+  setTypeweaverAppRuntimeContext(app, {
+    bodyLimitPolicy,
+    reportError,
+  });
+
+  return adapter;
+}

package/dist/lib/TypeweaverInternals.ts

@@ -0,0 +1,45 @@
+/**
+ * This file was automatically generated by typeweaver.
+ * DO NOT EDIT. Instead, modify the source definition file and generate again.
+ *
+ * @generated by @rexeus/typeweaver
+ */
+
+import type { BodyLimitPolicy } from "./BodyLimitPolicy.js";
+import type { TypeweaverApp } from "./TypeweaverApp.js";
+
+/** Runtime context shared privately between TypeweaverApp and adapters. */
+export type TypeweaverRuntimeContext = {
+  readonly bodyLimitPolicy: BodyLimitPolicy;
+  readonly reportError: (error: unknown) => void;
+};
+
+const appRuntimeContextRegistry = new WeakMap<
+  TypeweaverApp<any>,
+  TypeweaverRuntimeContext
+>();
+
+function fallbackReportError(error: unknown): void {
+  console.error(error);
+}
+
+export function setTypeweaverAppRuntimeContext(
+  app: TypeweaverApp<any>,
+  runtimeContext: TypeweaverRuntimeContext
+): void {
+  appRuntimeContextRegistry.set(app, runtimeContext);
+}
+
+export function getTypeweaverAppRuntimeContext(
+  app: TypeweaverApp<any>
+): TypeweaverRuntimeContext | undefined {
+  return appRuntimeContextRegistry.get(app);
+}
+
+export function getTypeweaverAppErrorReporter(
+  app: TypeweaverApp<any>
+): (error: unknown) => void {
+  return (
+    getTypeweaverAppRuntimeContext(app)?.reportError ?? fallbackReportError
+  );
+}

package/dist/lib/index.ts

@@ -33,6 +33,7 @@ export {
 export {
   BodyParseError,
   PayloadTooLargeError,
+  RequestBodyDrainTimeoutError,
   ResponseSerializationError,
 } from "./Errors.js";
 export { FetchApiAdapter } from "./FetchApiAdapter.js";

package/dist/lib/middleware/basicAuth.ts

@@ -4,6 +4,7 @@ import {
 } from "@rexeus/typeweaver-core";
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
 import { defineMiddleware } from "../TypedMiddleware.js";
+import { readSingletonHeader } from "./header.js";
 import type { ServerContext } from "../ServerContext.js";
 
 export type BasicAuthOptions = {
@@ -31,10 +32,18 @@ export function basicAuth(options: BasicAuthOptions) {
     options.onUnauthorized?.(ctx) ?? defaultResponse;
 
   return defineMiddleware<{ username: string }>(async (ctx, next) => {
-    const authorization = ctx.request.header?.["authorization"];
+    const authorization = readSingletonHeader(
+      ctx.request.header,
+      "authorization"
+    );
     if (typeof authorization !== "string") return deny(ctx);
 
-    if (!authorization.startsWith(BASIC_PREFIX)) return deny(ctx);
+    if (
+      authorization.slice(0, BASIC_PREFIX.length).toLowerCase() !==
+      BASIC_PREFIX.toLowerCase()
+    ) {
+      return deny(ctx);
+    }
 
     const encoded = authorization.slice(BASIC_PREFIX.length);
     if (encoded.length === 0) return deny(ctx);

package/dist/lib/middleware/bearerAuth.ts

@@ -4,6 +4,7 @@ import {
 } from "@rexeus/typeweaver-core";
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
 import { defineMiddleware } from "../TypedMiddleware.js";
+import { readSingletonHeader } from "./header.js";
 import type { ServerContext } from "../ServerContext.js";
 
 export type BearerAuthOptions = {
@@ -30,10 +31,18 @@ export function bearerAuth(options: BearerAuthOptions) {
     options.onUnauthorized?.(ctx) ?? defaultResponse;
 
   return defineMiddleware<{ token: string }>(async (ctx, next) => {
-    const authorization = ctx.request.header?.["authorization"];
+    const authorization = readSingletonHeader(
+      ctx.request.header,
+      "authorization"
+    );
     if (typeof authorization !== "string") return deny(ctx);
 
-    if (!authorization.startsWith(BEARER_PREFIX)) return deny(ctx);
+    if (
+      authorization.slice(0, BEARER_PREFIX.length).toLowerCase() !==
+      BEARER_PREFIX.toLowerCase()
+    ) {
+      return deny(ctx);
+    }
 
     const token = authorization.slice(BEARER_PREFIX.length);
     if (token.length === 0) return deny(ctx);

package/dist/lib/middleware/cors.ts

@@ -1,5 +1,10 @@
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
 import { defineMiddleware } from "../TypedMiddleware.js";
+import {
+  hasHeaderName,
+  readHeaderValues,
+  readSingletonHeader,
+} from "./header.js";
 
 export type CorsOptions = {
   readonly origin?:
@@ -22,13 +27,22 @@ const DEFAULT_METHODS = [
   "DELETE",
 ] as const;
 
+const POLICY_CONTROLLED_CORS_HEADERS = new Set([
+  "access-control-allow-origin",
+  "access-control-allow-credentials",
+  "access-control-expose-headers",
+  "access-control-allow-methods",
+  "access-control-allow-headers",
+  "access-control-max-age",
+]);
+
 function resolveOrigin(
   configOrigin: CorsOptions["origin"],
   requestOrigin: string | undefined,
   credentials: boolean
 ): string | undefined {
   if (configOrigin === undefined || configOrigin === "*") {
-    if (credentials && requestOrigin) return requestOrigin;
+    if (credentials) return undefined;
     return "*";
   }
 
@@ -48,21 +62,107 @@ function resolveOrigin(
 function getRequestOrigin(
   header: Record<string, string | string[]> | undefined
 ): string | undefined {
-  const origin = header?.["origin"];
-  return typeof origin === "string" ? origin : undefined;
+  return readSingletonHeader(header, "origin");
+}
+
+function isOriginDependentWithoutRequestOrigin(
+  configOrigin: CorsOptions["origin"],
+  credentials: boolean
+): boolean {
+  return (
+    typeof configOrigin === "function" ||
+    Array.isArray(configOrigin) ||
+    ((configOrigin === undefined || configOrigin === "*") && credentials)
+  );
+}
+
+function splitHeaderValues(values: readonly string[]): readonly string[] {
+  return values.flatMap(value =>
+    value
+      .split(",")
+      .map(item => item.trim())
+      .filter(item => item.length > 0)
+  );
+}
+
+function mergeVary(existing: readonly string[], value: string): string {
+  const values = splitHeaderValues(existing);
+  if (values.length === 0) return value;
+
+  const hasValue = values.some(
+    item => item.toLowerCase() === value.toLowerCase()
+  );
+
+  return hasValue ? values.join(", ") : [...values, value].join(", ");
+}
+
+function removePolicyControlledCorsHeaders(
+  responseHeaders: Record<string, string | string[]> | undefined
+): Record<string, string | string[]> {
+  const result: Record<string, string | string[]> = {};
+
+  for (const [key, value] of Object.entries(responseHeaders ?? {})) {
+    if (POLICY_CONTROLLED_CORS_HEADERS.has(key.toLowerCase())) continue;
+
+    result[key] = value;
+  }
+
+  return result;
+}
+
+function mergeResponseHeaders(
+  responseHeaders: Record<string, string | string[]> | undefined,
+  corsHeaders: Record<string, string>
+): Record<string, string | string[]> {
+  const result = removePolicyControlledCorsHeaders(responseHeaders);
+
+  const mergedCorsHeaders = { ...corsHeaders };
+  if (corsHeaders.vary !== undefined) {
+    for (const key of Object.keys(result)) {
+      if (key.toLowerCase() === "vary") delete result[key];
+    }
+
+    mergedCorsHeaders.vary = mergeVary(
+      readHeaderValues(responseHeaders, "vary"),
+      corsHeaders.vary
+    );
+  }
+
+  return { ...result, ...mergedCorsHeaders };
 }
 
 export function cors(options?: CorsOptions) {
   const credentials = options?.credentials ?? false;
+
   const methods = (options?.allowMethods ?? DEFAULT_METHODS).join(", ");
   const exposeHeaders = options?.exposeHeaders?.join(", ");
   const maxAge = options?.maxAge?.toString();
 
   return defineMiddleware(async (ctx, next) => {
     const requestOrigin = getRequestOrigin(ctx.request.header);
-    const origin = resolveOrigin(options?.origin, requestOrigin, credentials);
+    const hasOrigin = hasHeaderName(ctx.request.header, "origin");
+    const resolvedOrigin =
+      hasOrigin && requestOrigin === undefined
+        ? undefined
+        : resolveOrigin(options?.origin, requestOrigin, credentials);
+    const origin =
+      credentials && resolvedOrigin === "*" ? undefined : resolvedOrigin;
+
+    if (origin === undefined) {
+      const response = await next();
+
+      if (
+        !hasOrigin &&
+        !isOriginDependentWithoutRequestOrigin(options?.origin, credentials)
+      ) {
+        return response;
+      }
 
-    if (origin === undefined) return next();
+      return {
+        ...response,
+        header: mergeResponseHeaders(response.header, { vary: "Origin" }),
+      } satisfies IHttpResponse;
+    }
 
     const corsHeaders: Record<string, string> = {
       "access-control-allow-origin": origin,
@@ -82,18 +182,26 @@ export function cors(options?: CorsOptions) {
 
     const isPreflight =
       ctx.request.method === "OPTIONS" &&
-      ctx.request.header?.["access-control-request-method"] !== undefined;
+      requestOrigin !== undefined &&
+      readSingletonHeader(
+        ctx.request.header,
+        "access-control-request-method"
+      ) !== undefined;
 
     if (isPreflight) {
       corsHeaders["access-control-allow-methods"] = methods;
 
       const configuredHeaders = options?.allowHeaders;
-      if (configuredHeaders && configuredHeaders.length > 0) {
-        corsHeaders["access-control-allow-headers"] =
-          configuredHeaders.join(", ");
+      if (configuredHeaders !== undefined) {
+        if (configuredHeaders.length > 0) {
+          corsHeaders["access-control-allow-headers"] =
+            configuredHeaders.join(", ");
+        }
       } else {
-        const requestedHeaders =
-          ctx.request.header?.["access-control-request-headers"];
+        const requestedHeaders = readSingletonHeader(
+          ctx.request.header,
+          "access-control-request-headers"
+        );
         if (typeof requestedHeaders === "string") {
           corsHeaders["access-control-allow-headers"] = requestedHeaders;
         }
@@ -113,7 +221,7 @@ export function cors(options?: CorsOptions) {
 
     return {
       ...response,
-      header: { ...corsHeaders, ...response.header },
+      header: mergeResponseHeaders(response.header, corsHeaders),
     } satisfies IHttpResponse;
   });
 }

package/dist/lib/middleware/header.ts

@@ -0,0 +1,59 @@
+export type HeaderMap = Record<string, string | string[]> | undefined;
+
+export function readSingletonHeader(
+  header: HeaderMap,
+  name: string
+): string | undefined {
+  const normalizedName = name.toLowerCase();
+  let foundValue: string | undefined;
+
+  for (const [key, value] of Object.entries(header ?? {})) {
+    if (key.toLowerCase() !== normalizedName) continue;
+    if (foundValue !== undefined || typeof value !== "string") {
+      return undefined;
+    }
+
+    foundValue = value;
+  }
+
+  return foundValue;
+}
+
+export function hasHeaderName(header: HeaderMap, name: string): boolean {
+  const normalizedName = name.toLowerCase();
+
+  return Object.keys(header ?? {}).some(
+    key => key.toLowerCase() === normalizedName
+  );
+}
+
+export function readHeaderValues(
+  header: HeaderMap,
+  name: string
+): readonly string[] {
+  const normalizedName = name.toLowerCase();
+  const values: string[] = [];
+
+  for (const [key, value] of Object.entries(header ?? {})) {
+    if (key.toLowerCase() !== normalizedName) continue;
+
+    values.push(...(Array.isArray(value) ? value : [value]));
+  }
+
+  return values;
+}
+
+export function omitHeaders(
+  header: HeaderMap,
+  names: readonly string[]
+): Record<string, string | string[]> {
+  const normalizedNames = new Set(names.map(name => name.toLowerCase()));
+  const headers: Record<string, string | string[]> = {};
+
+  for (const [key, value] of Object.entries(header ?? {})) {
+    if (normalizedNames.has(key.toLowerCase())) continue;
+    headers[key] = value;
+  }
+
+  return headers;
+}

package/dist/lib/middleware/logger.ts

@@ -10,6 +10,7 @@ export type LogData = {
 export type LoggerOptions = {
   readonly logFn?: (message: string) => void;
   readonly format?: (data: LogData) => string;
+  readonly nowMs?: () => number;
 };
 
 const defaultFormat = (data: LogData): string =>
@@ -18,11 +19,12 @@ const defaultFormat = (data: LogData): string =>
 export function logger(options?: LoggerOptions) {
   const logFn = options?.logFn ?? console.log;
   const format = options?.format ?? defaultFormat;
+  const nowMs = options?.nowMs ?? (() => performance.now());
 
   return defineMiddleware(async (ctx, next) => {
-    const start = performance.now();
+    const start = nowMs();
     const response = await next();
-    const durationMs = Math.round(performance.now() - start);
+    const durationMs = Math.round(nowMs() - start);
 
     logFn(
       format({