@rexeus/typeweaver-server 0.10.3 → 0.10.5

package/dist/lib/Router.ts

@@ -14,6 +14,10 @@ import type {
   RequestValidationError,
   ResponseValidationError,
 } from "@rexeus/typeweaver-core";
+import {
+  ConflictingPathParameterNameError,
+  DuplicateRouteRegistrationError,
+} from "./errors/index.js";
 import type { RequestHandler } from "./RequestHandler.js";
 import type { ServerContext } from "./ServerContext.js";
 
@@ -135,6 +139,11 @@ export class Router {
    * Register a route in the radix tree.
    */
   public add(definition: RouteDefinition): void {
+    const method = definition.method.toUpperCase();
+    const normalizedDefinition =
+      definition.method === method
+        ? definition
+        : { ...definition, method: method as HttpMethod };
     const segments = Router.toSegments(definition.path);
 
     let current = this.root;
@@ -143,8 +152,10 @@ export class Router {
       if (segment.startsWith(":")) {
         const paramName = segment.slice(1);
         if (current.paramChild && current.paramChild.name !== paramName) {
-          throw new Error(
-            `Conflicting path parameter names at "${definition.path}": ":${current.paramChild.name}" vs ":${paramName}"`
+          throw new ConflictingPathParameterNameError(
+            definition.path,
+            current.paramChild.name,
+            paramName
           );
         }
         if (!current.paramChild) {
@@ -161,13 +172,11 @@ export class Router {
       }
     }
 
-    if (current.methods.has(definition.method)) {
-      throw new Error(
-        `Route conflict: ${definition.method} ${definition.path} is already registered`
-      );
+    if (current.methods.has(method)) {
+      throw new DuplicateRouteRegistrationError(method, definition.path);
     }
 
-    current.methods.set(definition.method, definition);
+    current.methods.set(method, normalizedDefinition);
   }
 
   /**
@@ -280,7 +289,14 @@ export class Router {
   private static decodePathSegment(segment: string): string {
     try {
       const decoded = decodeURIComponent(segment);
-      if (decoded === ".." || decoded === ".") return segment;
+      if (
+        decoded === ".." ||
+        decoded === "." ||
+        decoded.includes("/") ||
+        decoded.includes("\\")
+      ) {
+        return segment;
+      }
       return decoded;
     } catch {
       return segment;

package/dist/lib/TypeweaverApp.ts

@@ -13,13 +13,19 @@ import {
   internalServerErrorDefaultError,
   isTypedHttpResponse,
   methodNotAllowedDefaultError,
+  normalizeHttpResponse,
   notFoundDefaultError,
   payloadTooLargeDefaultError,
   RequestValidationError,
+  toHttpResponse,
   validationDefaultError,
 } from "@rexeus/typeweaver-core";
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
-import { BodyParseError, PayloadTooLargeError } from "./Errors.js";
+import {
+  BodyParseError,
+  MissingRouterForPrefixedMountError,
+  PayloadTooLargeError,
+} from "./errors/index.js";
 import { executeMiddlewarePipeline } from "./Middleware.js";
 import { Router } from "./Router.js";
 import { StateMap } from "./StateMap.js";
@@ -152,7 +158,7 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
   ): this {
     if (typeof prefixOrRouter === "string") {
       if (!router) {
-        throw new Error("Router is required when mounting with a prefix");
+        throw new MissingRouterForPrefixedMountError(prefixOrRouter);
       }
       return this.mountRouter(router, prefixOrRouter);
     }
@@ -240,14 +246,12 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
       const routeCtx = this.withPathParams(ctx, match.params);
       try {
         const response = await this.executeHandler(routeCtx, match.route);
-        return await this.validateResponse(match.route, response, routeCtx);
+        return await this.validateResponse(
+          match.route,
+          normalizeHttpResponse(response),
+          routeCtx
+        );
       } catch (error) {
-        if (
-          isTypedHttpResponse(error) &&
-          match.route.routerConfig.validateResponses
-        ) {
-          return await this.validateResponse(match.route, error, routeCtx);
-        }
         return this.handleError(error, routeCtx, match.route);
       }
     }
@@ -289,7 +293,7 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
    * - `validateResponses: true` (default) → runs validation:
    *   - Valid response → returns the stripped response (extra fields removed).
    *   - Invalid response + handler configured → calls the handler safely.
-   *     If the handler throws, falls back to the original response.
+   *     If the handler throws, fails closed with a sanitized 500 response.
    *   - Invalid response + `handleResponseValidationErrors: false` → returns
    *     the original (invalid) response as-is.
    *
@@ -307,7 +311,9 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
 
     const result = route.responseValidator.safeValidate(response);
 
-    if (result.isValid) return result.data;
+    if (result.isValid) {
+      return normalizeHttpResponse(result.data);
+    }
 
     const handler = this.resolveErrorHandler<ResponseValidationErrorHandler>(
       route.routerConfig.handleResponseValidationErrors,
@@ -319,6 +325,11 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
         handler(result.error, response, ctx)
       );
       if (handlerResponse) return handlerResponse;
+      return TypeweaverApp.defaultResponseValidationHandler(
+        result.error,
+        response,
+        ctx
+      );
     }
 
     return response;
@@ -378,7 +389,13 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
         const response = await this.safelyExecuteErrorHandler(() =>
           handler(error, ctx)
         );
-        if (response) return response;
+        if (response) {
+          return await this.validateResponse(
+            route,
+            normalizeHttpResponse(response),
+            ctx
+          );
+        }
       }
     }
 
@@ -461,7 +478,7 @@ export class TypeweaverApp<TState extends Record<string, unknown> = {}> {
 
   private static defaultHttpResponseHandler: HttpResponseErrorHandler = (
     err
-  ): IHttpResponse => err;
+  ): IHttpResponse => toHttpResponse(err);
 
   private readonly defaultUnknownHandler: UnknownErrorHandler = (
     error

package/dist/lib/errors/ConflictingPathParameterNameError.ts

@@ -0,0 +1,20 @@
+/**
+ * This file was automatically generated by typeweaver.
+ * DO NOT EDIT. Instead, modify the source definition file and generate again.
+ *
+ * @generated by @rexeus/typeweaver
+ */
+
+export class ConflictingPathParameterNameError extends Error {
+  public override readonly name = "ConflictingPathParameterNameError";
+
+  public constructor(
+    public readonly path: string,
+    public readonly existingParameterName: string,
+    public readonly conflictingParameterName: string
+  ) {
+    super(
+      `Conflicting path parameter names in '${path}': existing parameter ':${existingParameterName}' conflicts with ':${conflictingParameterName}' at the same route position.`
+    );
+  }
+}

package/dist/lib/errors/DuplicateRouteRegistrationError.ts

@@ -0,0 +1,19 @@
+/**
+ * This file was automatically generated by typeweaver.
+ * DO NOT EDIT. Instead, modify the source definition file and generate again.
+ *
+ * @generated by @rexeus/typeweaver
+ */
+
+export class DuplicateRouteRegistrationError extends Error {
+  public override readonly name = "DuplicateRouteRegistrationError";
+
+  public constructor(
+    public readonly method: string,
+    public readonly path: string
+  ) {
+    super(
+      `Duplicate route registration refused: ${method} ${path} is already registered.`
+    );
+  }
+}

package/dist/lib/errors/MiddlewareNextAlreadyCalledError.ts

@@ -0,0 +1,16 @@
+/**
+ * This file was automatically generated by typeweaver.
+ * DO NOT EDIT. Instead, modify the source definition file and generate again.
+ *
+ * @generated by @rexeus/typeweaver
+ */
+
+export class MiddlewareNextAlreadyCalledError extends Error {
+  public override readonly name = "MiddlewareNextAlreadyCalledError";
+
+  public constructor(public readonly middlewareIndex: number) {
+    super(
+      `Middleware at index ${middlewareIndex} called next() more than once.`
+    );
+  }
+}

package/dist/lib/errors/MissingRouterForPrefixedMountError.ts

@@ -0,0 +1,16 @@
+/**
+ * This file was automatically generated by typeweaver.
+ * DO NOT EDIT. Instead, modify the source definition file and generate again.
+ *
+ * @generated by @rexeus/typeweaver
+ */
+
+export class MissingRouterForPrefixedMountError extends Error {
+  public override readonly name = "MissingRouterForPrefixedMountError";
+
+  public constructor(public readonly prefix: string) {
+    super(
+      `Router is required when mounting with prefix '${prefix}'. Pass both a prefix and a Typeweaver router instance.`
+    );
+  }
+}

package/dist/lib/errors/RequestBodyClosedBeforeEndError.ts

@@ -0,0 +1,19 @@
+/**
+ * This file was automatically generated by typeweaver.
+ * DO NOT EDIT. Instead, modify the source definition file and generate again.
+ *
+ * @generated by @rexeus/typeweaver
+ */
+
+export class RequestBodyClosedBeforeEndError extends Error {
+  public override readonly name = "RequestBodyClosedBeforeEndError";
+
+  public constructor(
+    public readonly bytesRead: number,
+    public readonly maxBodySize: number
+  ) {
+    super(
+      `Request closed before the body finished reading after ${bytesRead} bytes; maximum allowed body size is ${maxBodySize} bytes.`
+    );
+  }
+}

package/dist/lib/errors/RequestBodyReadAbortedError.ts

@@ -0,0 +1,19 @@
+/**
+ * This file was automatically generated by typeweaver.
+ * DO NOT EDIT. Instead, modify the source definition file and generate again.
+ *
+ * @generated by @rexeus/typeweaver
+ */
+
+export class RequestBodyReadAbortedError extends Error {
+  public override readonly name = "RequestBodyReadAbortedError";
+
+  public constructor(
+    public readonly bytesRead: number,
+    public readonly maxBodySize: number
+  ) {
+    super(
+      `Request was aborted while reading the body after ${bytesRead} bytes; maximum allowed body size is ${maxBodySize} bytes.`
+    );
+  }
+}

package/dist/lib/errors/index.ts

@@ -0,0 +1,19 @@
+/**
+ * This file was automatically generated by typeweaver.
+ * DO NOT EDIT. Instead, modify the source definition file and generate again.
+ *
+ * @generated by @rexeus/typeweaver
+ */
+
+export {
+  BodyParseError,
+  PayloadTooLargeError,
+  RequestBodyDrainTimeoutError,
+  ResponseSerializationError,
+} from "../Errors.js";
+export { ConflictingPathParameterNameError } from "./ConflictingPathParameterNameError.js";
+export { DuplicateRouteRegistrationError } from "./DuplicateRouteRegistrationError.js";
+export { MiddlewareNextAlreadyCalledError } from "./MiddlewareNextAlreadyCalledError.js";
+export { MissingRouterForPrefixedMountError } from "./MissingRouterForPrefixedMountError.js";
+export { RequestBodyClosedBeforeEndError } from "./RequestBodyClosedBeforeEndError.js";
+export { RequestBodyReadAbortedError } from "./RequestBodyReadAbortedError.js";

package/dist/lib/middleware/basicAuth.ts

@@ -4,6 +4,7 @@ import {
 } from "@rexeus/typeweaver-core";
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
 import { defineMiddleware } from "../TypedMiddleware.js";
+import { readSingletonHeader } from "./header.js";
 import type { ServerContext } from "../ServerContext.js";
 
 export type BasicAuthOptions = {
@@ -31,10 +32,18 @@ export function basicAuth(options: BasicAuthOptions) {
     options.onUnauthorized?.(ctx) ?? defaultResponse;
 
   return defineMiddleware<{ username: string }>(async (ctx, next) => {
-    const authorization = ctx.request.header?.["authorization"];
+    const authorization = readSingletonHeader(
+      ctx.request.header,
+      "authorization"
+    );
     if (typeof authorization !== "string") return deny(ctx);
 
-    if (!authorization.startsWith(BASIC_PREFIX)) return deny(ctx);
+    if (
+      authorization.slice(0, BASIC_PREFIX.length).toLowerCase() !==
+      BASIC_PREFIX.toLowerCase()
+    ) {
+      return deny(ctx);
+    }
 
     const encoded = authorization.slice(BASIC_PREFIX.length);
     if (encoded.length === 0) return deny(ctx);

package/dist/lib/middleware/bearerAuth.ts

@@ -4,6 +4,7 @@ import {
 } from "@rexeus/typeweaver-core";
 import type { IHttpResponse } from "@rexeus/typeweaver-core";
 import { defineMiddleware } from "../TypedMiddleware.js";
+import { readSingletonHeader } from "./header.js";
 import type { ServerContext } from "../ServerContext.js";
 
 export type BearerAuthOptions = {
@@ -30,10 +31,18 @@ export function bearerAuth(options: BearerAuthOptions) {
     options.onUnauthorized?.(ctx) ?? defaultResponse;
 
   return defineMiddleware<{ token: string }>(async (ctx, next) => {
-    const authorization = ctx.request.header?.["authorization"];
+    const authorization = readSingletonHeader(
+      ctx.request.header,
+      "authorization"
+    );
     if (typeof authorization !== "string") return deny(ctx);
 
-    if (!authorization.startsWith(BEARER_PREFIX)) return deny(ctx);
+    if (
+      authorization.slice(0, BEARER_PREFIX.length).toLowerCase() !==
+      BEARER_PREFIX.toLowerCase()
+    ) {
+      return deny(ctx);
+    }
 
     const token = authorization.slice(BEARER_PREFIX.length);
     if (token.length === 0) return deny(ctx);