@sveltejs/kit 1.0.0-next.49 → 1.0.0-next.490

package/src/runtime/server/page/actions.js

@@ -0,0 +1,243 @@
+import { error, json } from '../../../exports/index.js';
+import { normalize_error } from '../../../utils/error.js';
+import { negotiate } from '../../../utils/http.js';
+import { HttpError, Redirect, ValidationError } from '../../control.js';
+import { handle_error_and_jsonify } from '../utils.js';
+
+/** @param {import('types').RequestEvent} event */
+export function is_action_json_request(event) {
+	const accept = negotiate(event.request.headers.get('accept') ?? '*/*', [
+		'application/json',
+		'text/html'
+	]);
+
+	return accept === 'application/json' && event.request.method === 'POST';
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSROptions} options
+ * @param {import('types').SSRNode['server']} server
+ */
+export async function handle_action_json_request(event, options, server) {
+	const actions = server.actions;
+
+	if (!actions) {
+		maybe_throw_migration_error(server);
+		// TODO should this be a different error altogether?
+		return new Response('POST method not allowed. No actions exist for this page', {
+			status: 405,
+			headers: {
+				// https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/405
+				// "The server must generate an Allow header field in a 405 status code response"
+				allow: 'GET'
+			}
+		});
+	}
+
+	check_named_default_separate(actions);
+
+	try {
+		const data = await call_action(event, actions);
+
+		if (data instanceof ValidationError) {
+			check_serializability(data.data, /** @type {string} */ (event.routeId), 'data');
+			return action_json({ type: 'invalid', status: data.status, data: data.data });
+		} else {
+			check_serializability(data, /** @type {string} */ (event.routeId), 'data');
+			return action_json({
+				type: 'success',
+				status: data ? 200 : 204,
+				data: /** @type {Record<string, any> | undefined} */ (data)
+			});
+		}
+	} catch (e) {
+		const error = normalize_error(e);
+
+		if (error instanceof Redirect) {
+			return action_json({
+				type: 'redirect',
+				status: error.status,
+				location: error.location
+			});
+		}
+
+		if (!(error instanceof HttpError)) {
+			options.handle_error(error, event);
+		}
+
+		return action_json(
+			{
+				type: 'error',
+				error: handle_error_and_jsonify(event, options, error)
+			},
+			{
+				status: error instanceof HttpError ? error.status : 500
+			}
+		);
+	}
+}
+
+/**
+ * @param {import('types').ActionResult} data
+ * @param {ResponseInit} [init]
+ */
+function action_json(data, init) {
+	return json(data, init);
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSRNode} leaf_node
+ */
+export function is_action_request(event, leaf_node) {
+	return leaf_node.server && event.request.method !== 'GET' && event.request.method !== 'HEAD';
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSRNode['server']} server
+ * @returns {Promise<import('types').ActionResult>}
+ */
+export async function handle_action_request(event, server) {
+	const actions = server.actions;
+
+	if (!actions) {
+		maybe_throw_migration_error(server);
+		// TODO should this be a different error altogether?
+		event.setHeaders({
+			// https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/405
+			// "The server must generate an Allow header field in a 405 status code response"
+			allow: 'GET'
+		});
+		return {
+			type: 'error',
+			error: error(405, 'POST method not allowed. No actions exist for this page')
+		};
+	}
+
+	check_named_default_separate(actions);
+
+	try {
+		const data = await call_action(event, actions);
+
+		if (data instanceof ValidationError) {
+			return { type: 'invalid', status: data.status, data: data.data };
+		} else {
+			return {
+				type: 'success',
+				status: 200,
+				data: /** @type {Record<string, any> | undefined} */ (data)
+			};
+		}
+	} catch (e) {
+		const error = normalize_error(e);
+
+		if (error instanceof Redirect) {
+			return {
+				type: 'redirect',
+				status: error.status,
+				location: error.location
+			};
+		}
+
+		return { type: 'error', error };
+	}
+}
+
+/**
+ * @param {import('types').Actions} actions
+ */
+function check_named_default_separate(actions) {
+	if (actions.default && Object.keys(actions).length > 1) {
+		throw new Error(
+			`When using named actions, the default action cannot be used. See the docs for more info: https://kit.svelte.dev/docs/form-actions#named-actions`
+		);
+	}
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {NonNullable<import('types').SSRNode['server']['actions']>} actions
+ * @throws {Redirect | ValidationError | HttpError | Error}
+ */
+export async function call_action(event, actions) {
+	const url = new URL(event.request.url);
+
+	let name = 'default';
+	for (const param of url.searchParams) {
+		if (param[0].startsWith('/')) {
+			name = param[0].slice(1);
+			if (name === 'default') {
+				throw new Error('Cannot use reserved action name "default"');
+			}
+			break;
+		}
+	}
+
+	const action = actions[name];
+	if (!action) {
+		throw new Error(`No action with name '${name}' found`);
+	}
+
+	const type = event.request.headers.get('content-type')?.split('; ')[0];
+	if (type !== 'application/x-www-form-urlencoded' && type !== 'multipart/form-data') {
+		throw new Error(`Actions expect form-encoded data (received ${type})`);
+	}
+
+	return action(event);
+}
+
+/**
+ * @param {import('types').SSRNode['server']} server
+ */
+function maybe_throw_migration_error(server) {
+	for (const method of ['POST', 'PUT', 'PATCH', 'DELETE']) {
+		if (/** @type {any} */ (server)[method]) {
+			throw new Error(
+				`${method} method no longer allowed in +page.server, use actions instead. See the PR for more info: https://github.com/sveltejs/kit/pull/6469`
+			);
+		}
+	}
+}
+
+/**
+ * Check that the data can safely be serialized to JSON
+ * @param {any} value
+ * @param {string} id
+ * @param {string} path
+ */
+function check_serializability(value, id, path) {
+	const type = typeof value;
+
+	if (type === 'string' || type === 'boolean' || type === 'number' || type === 'undefined') {
+		// primitives are fine
+		return;
+	}
+
+	if (type === 'object') {
+		// nulls are fine...
+		if (!value) return;
+
+		// ...so are plain arrays...
+		if (Array.isArray(value)) {
+			value.forEach((child, i) => {
+				check_serializability(child, id, `${path}[${i}]`);
+			});
+			return;
+		}
+
+		// ...and objects
+		// This simple check might potentially run into some weird edge cases
+		// Refer to https://github.com/lodash/lodash/blob/2da024c3b4f9947a48517639de7560457cd4ec6c/isPlainObject.js?rgh-link-date=2022-07-20T12%3A48%3A07Z#L30
+		// if that ever happens
+		if (Object.getPrototypeOf(value) === Object.prototype) {
+			for (const key in value) {
+				check_serializability(value[key], id, `${path}.${key}`);
+			}
+			return;
+		}
+	}
+
+	throw new Error(`${path} returned from action in ${id} cannot be serialized as JSON`);
+}

package/src/runtime/server/page/crypto.js

@@ -0,0 +1,239 @@
+const encoder = new TextEncoder();
+
+/**
+ * SHA-256 hashing function adapted from https://bitwiseshiftleft.github.io/sjcl
+ * modified and redistributed under BSD license
+ * @param {string} data
+ */
+export function sha256(data) {
+	if (!key[0]) precompute();
+
+	const out = init.slice(0);
+	const array = encode(data);
+
+	for (let i = 0; i < array.length; i += 16) {
+		const w = array.subarray(i, i + 16);
+
+		let tmp;
+		let a;
+		let b;
+
+		let out0 = out[0];
+		let out1 = out[1];
+		let out2 = out[2];
+		let out3 = out[3];
+		let out4 = out[4];
+		let out5 = out[5];
+		let out6 = out[6];
+		let out7 = out[7];
+
+		/* Rationale for placement of |0 :
+		 * If a value can overflow is original 32 bits by a factor of more than a few
+		 * million (2^23 ish), there is a possibility that it might overflow the
+		 * 53-bit mantissa and lose precision.
+		 *
+		 * To avoid this, we clamp back to 32 bits by |'ing with 0 on any value that
+		 * propagates around the loop, and on the hash state out[]. I don't believe
+		 * that the clamps on out4 and on out0 are strictly necessary, but it's close
+		 * (for out4 anyway), and better safe than sorry.
+		 *
+		 * The clamps on out[] are necessary for the output to be correct even in the
+		 * common case and for short inputs.
+		 */
+
+		for (let i = 0; i < 64; i++) {
+			// load up the input word for this round
+
+			if (i < 16) {
+				tmp = w[i];
+			} else {
+				a = w[(i + 1) & 15];
+
+				b = w[(i + 14) & 15];
+
+				tmp = w[i & 15] =
+					(((a >>> 7) ^ (a >>> 18) ^ (a >>> 3) ^ (a << 25) ^ (a << 14)) +
+						((b >>> 17) ^ (b >>> 19) ^ (b >>> 10) ^ (b << 15) ^ (b << 13)) +
+						w[i & 15] +
+						w[(i + 9) & 15]) |
+					0;
+			}
+
+			tmp =
+				tmp +
+				out7 +
+				((out4 >>> 6) ^ (out4 >>> 11) ^ (out4 >>> 25) ^ (out4 << 26) ^ (out4 << 21) ^ (out4 << 7)) +
+				(out6 ^ (out4 & (out5 ^ out6))) +
+				key[i]; // | 0;
+
+			// shift register
+			out7 = out6;
+			out6 = out5;
+			out5 = out4;
+
+			out4 = (out3 + tmp) | 0;
+
+			out3 = out2;
+			out2 = out1;
+			out1 = out0;
+
+			out0 =
+				(tmp +
+					((out1 & out2) ^ (out3 & (out1 ^ out2))) +
+					((out1 >>> 2) ^
+						(out1 >>> 13) ^
+						(out1 >>> 22) ^
+						(out1 << 30) ^
+						(out1 << 19) ^
+						(out1 << 10))) |
+				0;
+		}
+
+		out[0] = (out[0] + out0) | 0;
+		out[1] = (out[1] + out1) | 0;
+		out[2] = (out[2] + out2) | 0;
+		out[3] = (out[3] + out3) | 0;
+		out[4] = (out[4] + out4) | 0;
+		out[5] = (out[5] + out5) | 0;
+		out[6] = (out[6] + out6) | 0;
+		out[7] = (out[7] + out7) | 0;
+	}
+
+	const bytes = new Uint8Array(out.buffer);
+	reverse_endianness(bytes);
+
+	return base64(bytes);
+}
+
+/** The SHA-256 initialization vector */
+const init = new Uint32Array(8);
+
+/** The SHA-256 hash key */
+const key = new Uint32Array(64);
+
+/** Function to precompute init and key. */
+function precompute() {
+	/** @param {number} x */
+	function frac(x) {
+		return (x - Math.floor(x)) * 0x100000000;
+	}
+
+	let prime = 2;
+
+	for (let i = 0; i < 64; prime++) {
+		let is_prime = true;
+
+		for (let factor = 2; factor * factor <= prime; factor++) {
+			if (prime % factor === 0) {
+				is_prime = false;
+
+				break;
+			}
+		}
+
+		if (is_prime) {
+			if (i < 8) {
+				init[i] = frac(prime ** (1 / 2));
+			}
+
+			key[i] = frac(prime ** (1 / 3));
+
+			i++;
+		}
+	}
+}
+
+/** @param {Uint8Array} bytes */
+function reverse_endianness(bytes) {
+	for (let i = 0; i < bytes.length; i += 4) {
+		const a = bytes[i + 0];
+		const b = bytes[i + 1];
+		const c = bytes[i + 2];
+		const d = bytes[i + 3];
+
+		bytes[i + 0] = d;
+		bytes[i + 1] = c;
+		bytes[i + 2] = b;
+		bytes[i + 3] = a;
+	}
+}
+
+/** @param {string} str */
+function encode(str) {
+	const encoded = encoder.encode(str);
+	const length = encoded.length * 8;
+
+	// result should be a multiple of 512 bits in length,
+	// with room for a 1 (after the data) and two 32-bit
+	// words containing the original input bit length
+	const size = 512 * Math.ceil((length + 65) / 512);
+	const bytes = new Uint8Array(size / 8);
+	bytes.set(encoded);
+
+	// append a 1
+	bytes[encoded.length] = 0b10000000;
+
+	reverse_endianness(bytes);
+
+	// add the input bit length
+	const words = new Uint32Array(bytes.buffer);
+	words[words.length - 2] = Math.floor(length / 0x100000000); // this will always be zero for us
+	words[words.length - 1] = length;
+
+	return words;
+}
+
+/*
+	Based on https://gist.github.com/enepomnyaschih/72c423f727d395eeaa09697058238727
+
+	MIT License
+	Copyright (c) 2020 Egor Nepomnyaschih
+	Permission is hereby granted, free of charge, to any person obtaining a copy
+	of this software and associated documentation files (the "Software"), to deal
+	in the Software without restriction, including without limitation the rights
+	to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+	copies of the Software, and to permit persons to whom the Software is
+	furnished to do so, subject to the following conditions:
+	The above copyright notice and this permission notice shall be included in all
+	copies or substantial portions of the Software.
+	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+	AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+	LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+	OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+	SOFTWARE.
+*/
+const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'.split('');
+
+/** @param {Uint8Array} bytes */
+export function base64(bytes) {
+	const l = bytes.length;
+
+	let result = '';
+	let i;
+
+	for (i = 2; i < l; i += 3) {
+		result += chars[bytes[i - 2] >> 2];
+		result += chars[((bytes[i - 2] & 0x03) << 4) | (bytes[i - 1] >> 4)];
+		result += chars[((bytes[i - 1] & 0x0f) << 2) | (bytes[i] >> 6)];
+		result += chars[bytes[i] & 0x3f];
+	}
+
+	if (i === l + 1) {
+		// 1 octet yet to write
+		result += chars[bytes[i - 2] >> 2];
+		result += chars[(bytes[i - 2] & 0x03) << 4];
+		result += '==';
+	}
+
+	if (i === l) {
+		// 2 octets yet to write
+		result += chars[bytes[i - 2] >> 2];
+		result += chars[((bytes[i - 2] & 0x03) << 4) | (bytes[i - 1] >> 4)];
+		result += chars[(bytes[i - 1] & 0x0f) << 2];
+		result += '=';
+	}
+
+	return result;
+}