@ripple-ts/vite-plugin 0.2.211 → 0.2.213

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # @ripple-ts/vite-plugin
 
+## 0.2.213
+
+## 0.2.212
+
 ## 0.2.211
 
 ## 0.2.210

package/package.json

@@ -3,7 +3,7 @@
   "description": "Vite plugin for Ripple",
   "license": "MIT",
   "author": "Dominic Gannaway",
-  "version": "0.2.211",
+  "version": "0.2.213",
   "type": "module",
   "module": "src/index.js",
   "main": "src/index.js",
@@ -26,7 +26,7 @@
   "devDependencies": {
     "type-fest": "^5.1.0",
     "vite": "^7.1.9",
-    "ripple": "0.2.211"
+    "ripple": "0.2.213"
   },
   "publishConfig": {
     "access": "public"

package/src/index.js

@@ -2,7 +2,10 @@
 /** @import {Plugin, ResolvedConfig, ViteDevServer} from 'vite' */
 /** @import {RipplePluginOptions, RippleConfigOptions, Route, Middleware, RenderRoute} from '@ripple-ts/vite-plugin' */
 
+/// <reference types="ripple/compiler/internal/rpc" />
+
 import { compile } from 'ripple/compiler';
+import { AsyncLocalStorage } from 'node:async_hooks';
 import fs from 'node:fs';
 import path from 'node:path';
 import { createRequire } from 'node:module';
@@ -19,6 +22,58 @@ export { RenderRoute, ServerRoute } from './routes.js';
 const VITE_FS_PREFIX = '/@fs/';
 const IS_WINDOWS = process.platform === 'win32';
 
+// AsyncLocalStorage for request-scoped fetch patching
+const rpcContext = new AsyncLocalStorage();
+
+// Patch fetch once at module level to support relative URLs in #server blocks
+const originalFetch = globalThis.fetch;
+
+/**
+ * Quick check whether a string looks like it already has a URL scheme (e.g. "http://", "https://", "data:").
+ * @param {string} url
+ * @returns {boolean}
+ */
+function hasScheme(url) {
+	return /^[a-z][a-z0-9+\-.]*:/i.test(url);
+}
+
+/**
+ * Patch global fetch to resolve relative URLs based on the current request context.
+ * This allows server functions in #server blocks to use relative URLs
+ * (root-relative like "/api/foo" or path-relative like "api/foo", "./api/foo", "../api/foo")
+ * that are resolved against the incoming request's origin.
+ * // TODO: a similar logic needs to be ported to the adapters
+ * @param {string | Request | URL} input
+ * @param {RequestInit} [init]
+ * @returns {Promise<Response>}
+ */
+globalThis.fetch = function (input, init) {
+	const context = rpcContext.getStore();
+
+	if (context?.origin) {
+		// Handle string URLs — resolve any non-absolute URL against the origin
+		if (typeof input === 'string' && !hasScheme(input)) {
+			input = new URL(input, context.origin).href;
+		}
+		// Handle Request objects
+		else if (input instanceof Request) {
+			const url = input.url;
+			if (!hasScheme(url)) {
+				input = new Request(new URL(url, context.origin).href, input);
+			}
+		}
+		// Handle URL objects constructed with relative paths
+		else if (input instanceof URL) {
+			if (!input.protocol || input.protocol === '' || input.origin === 'null') {
+				const relative = input.pathname + (input.search || '') + (input.hash || '');
+				input = new URL(relative, context.origin);
+			}
+		}
+	}
+
+	return originalFetch(input, init);
+};
+
 /**
  * @param {string} filename
  * @param {ResolvedConfig['root']} root
@@ -367,7 +422,13 @@ export function ripple(inlineOptions = {}) {
 
 							// Handle RPC requests for #server blocks
 							if (url.pathname.startsWith('/_$_ripple_rpc_$_/')) {
-								await handleRpcRequest(req, res, url, vite);
+								await handleRpcRequest(
+									req,
+									res,
+									url,
+									vite,
+									rippleConfig.server?.trustProxy ?? false,
+								);
 								return;
 							}
 
@@ -585,6 +646,39 @@ export function defineConfig(/** @type {RipplePluginOptions} */ options) {
 // Helper functions for dev server
 // ============================================================================
 
+/**
+ * Derive the request origin (protocol + host) from a Node.js request.
+ * Only honors `X-Forwarded-Proto` and `X-Forwarded-Host` headers when
+ * `trustProxy` is explicitly enabled; otherwise the protocol comes from the
+ * socket and the host from the `Host` header.
+ *
+ * @param {import('node:http').IncomingMessage} req
+ * @param {boolean} trustProxy
+ * @returns {string}
+ */
+function deriveOrigin(req, trustProxy) {
+	let protocol = /** @type {import('node:tls').TLSSocket} */ (req.socket).encrypted
+		? 'https'
+		: 'http';
+	let host = req.headers.host || 'localhost';
+
+	if (trustProxy) {
+		const forwardedProto = req.headers['x-forwarded-proto'];
+		const proto = Array.isArray(forwardedProto) ? forwardedProto[0] : forwardedProto;
+		if (proto) {
+			protocol = proto.split(',')[0].trim();
+		}
+
+		const forwardedHost = req.headers['x-forwarded-host'];
+		const fwdHost = Array.isArray(forwardedHost) ? forwardedHost[0] : forwardedHost;
+		if (fwdHost) {
+			host = fwdHost.split(',')[0].trim();
+		}
+	}
+
+	return `${protocol}://${host}`;
+}
+
 /**
  * Convert a Node.js IncomingMessage to a Web Request
  * @param {import('node:http').IncomingMessage} nodeRequest
@@ -657,8 +751,10 @@ async function sendWebResponse(nodeResponse, webResponse) {
  * @param {import('node:http').ServerResponse} res
  * @param {URL} url
  * @param {import('vite').ViteDevServer} vite
+ * @param {boolean} trustProxy
  */
-async function handleRpcRequest(req, res, url, vite) {
+async function handleRpcRequest(req, res, url, vite, trustProxy) {
+	// we don't really need trustProxy in vite but leaving it as a model for production adapters
 	try {
 		const hash = url.pathname.slice('/_$_ripple_rpc_$_/'.length);
 
@@ -695,11 +791,17 @@ async function handleRpcRequest(req, res, url, vite) {
 			return;
 		}
 
-		const result = await executeServerFunction(server[funcName], body);
+		const origin = deriveOrigin(req, trustProxy);
 
-		res.statusCode = 200;
-		res.setHeader('Content-Type', 'application/json');
-		res.end(result);
+		// Execute server function within async context
+		// This allows the patched fetch to access the origin without global state
+		await rpcContext.run({ origin }, async () => {
+			const result = await executeServerFunction(server[funcName], body);
+
+			res.statusCode = 200;
+			res.setHeader('Content-Type', 'application/json');
+			res.end(result);
+		});
 	} catch (error) {
 		console.error('[@ripple-ts/vite-plugin] RPC error:', error);
 		res.statusCode = 500;

package/src/server/render-route.js

@@ -1,5 +1,6 @@
+/// <reference types="ripple/compiler/internal/rpc" />
 import { readFile } from 'node:fs/promises';
-import { join, sep } from 'node:path';
+import { join } from 'node:path';
 
 /**
  * @typedef {import('@ripple-ts/vite-plugin').Context} Context
@@ -24,6 +25,12 @@ import { join, sep } from 'node:path';
  */
 export async function handleRenderRoute(route, context, vite) {
 	try {
+		// Initialize so the server can register
+		// RPC functions from #server blocks during SSR module loading
+		if (!globalThis.rpc_modules) {
+			globalThis.rpc_modules = new Map();
+		}
+
 		// Load ripple server utilities
 		const { render, get_css_for_hashes } = await vite.ssrLoadModule('ripple/server');
 

package/types/index.d.ts

@@ -103,6 +103,19 @@ declare module '@ripple-ts/vite-plugin' {
 		platform?: {
 			env: Record<string, string>;
 		};
+		server?: {
+			/**
+			 * Whether to trust `X-Forwarded-Proto` and `X-Forwarded-Host` headers
+			 * when deriving the request origin (protocol + host).
+			 *
+			 * Enable this only when the application is behind a trusted reverse proxy
+			 * (e.g., nginx, Cloudflare, AWS ALB). When `false` (the default), the
+			 * protocol is inferred from the socket and the host from the `Host` header.
+			 *
+			 * @default false
+			 */
+			trustProxy?: boolean;
+		};
 	}
 
 	export type AdapterServeFunction = (