@sveltejs/kit 1.0.0-next.51 → 1.0.0-next.511

package/src/runtime/server/cookie.js

@@ -0,0 +1,166 @@
+import { parse, serialize } from 'cookie';
+
+/**
+ * @param {Request} request
+ * @param {URL} url
+ */
+export function get_cookies(request, url) {
+	const header = request.headers.get('cookie') ?? '';
+
+	const initial_cookies = parse(header);
+
+	/** @type {Record<string, import('./page/types').Cookie>} */
+	const new_cookies = {};
+
+	/** @type {import('cookie').CookieSerializeOptions} */
+	const defaults = {
+		httpOnly: true,
+		sameSite: 'lax',
+		secure: url.hostname === 'localhost' && url.protocol === 'http:' ? false : true
+	};
+
+	/** @type {import('types').Cookies} */
+	const cookies = {
+		// The JSDoc param annotations appearing below for get, set and delete
+		// are necessary to expose the `cookie` library types to
+		// typescript users. `@type {import('types').Cookies}` above is not
+		// sufficient to do so.
+
+		/**
+		 * @param {string} name
+		 * @param {import('cookie').CookieParseOptions} opts
+		 */
+		get(name, opts) {
+			const c = new_cookies[name];
+			if (
+				c &&
+				domain_matches(url.hostname, c.options.domain) &&
+				path_matches(url.pathname, c.options.path)
+			) {
+				return c.value;
+			}
+
+			const decode = opts?.decode || decodeURIComponent;
+			const req_cookies = parse(header, { decode });
+			return req_cookies[name]; // the decoded string or undefined
+		},
+
+		/**
+		 * @param {string} name
+		 * @param {string} value
+		 * @param {import('cookie').CookieSerializeOptions} opts
+		 */
+		set(name, value, opts = {}) {
+			new_cookies[name] = {
+				name,
+				value,
+				options: {
+					...defaults,
+					...opts
+				}
+			};
+		},
+
+		/**
+		 * @param {string} name
+		 * @param {import('cookie').CookieSerializeOptions} opts
+		 */
+		delete(name, opts = {}) {
+			new_cookies[name] = {
+				name,
+				value: '',
+				options: {
+					...defaults,
+					...opts,
+					maxAge: 0
+				}
+			};
+		},
+
+		/**
+		 * @param {string} name
+		 * @param {string} value
+		 * @param {import('cookie').CookieSerializeOptions} opts
+		 */
+		serialize(name, value, opts) {
+			return serialize(name, value, {
+				...defaults,
+				...opts
+			});
+		}
+	};
+
+	/**
+	 * @param {URL} destination
+	 * @param {string | null} header
+	 */
+	function get_cookie_header(destination, header) {
+		/** @type {Record<string, string>} */
+		const combined_cookies = {};
+
+		// cookies sent by the user agent have lowest precedence
+		for (const name in initial_cookies) {
+			combined_cookies[name] = initial_cookies[name];
+		}
+
+		// cookies previous set during this event with cookies.set have higher precedence
+		for (const key in new_cookies) {
+			const cookie = new_cookies[key];
+			if (!domain_matches(destination.hostname, cookie.options.domain)) continue;
+			if (!path_matches(destination.pathname, cookie.options.path)) continue;
+
+			combined_cookies[cookie.name] = cookie.value;
+		}
+
+		// explicit header has highest precedence
+		if (header) {
+			const parsed = parse(header);
+			for (const name in parsed) {
+				combined_cookies[name] = parsed[name];
+			}
+		}
+
+		return Object.entries(combined_cookies)
+			.map(([name, value]) => `${name}=${value}`)
+			.join('; ');
+	}
+
+	return { cookies, new_cookies, get_cookie_header };
+}
+
+/**
+ * @param {string} hostname
+ * @param {string} [constraint]
+ */
+export function domain_matches(hostname, constraint) {
+	if (!constraint) return true;
+
+	const normalized = constraint[0] === '.' ? constraint.slice(1) : constraint;
+
+	if (hostname === normalized) return true;
+	return hostname.endsWith('.' + normalized);
+}
+
+/**
+ * @param {string} path
+ * @param {string} [constraint]
+ */
+export function path_matches(path, constraint) {
+	if (!constraint) return true;
+
+	const normalized = constraint.endsWith('/') ? constraint.slice(0, -1) : constraint;
+
+	if (path === normalized) return true;
+	return path.startsWith(normalized + '/');
+}
+
+/**
+ * @param {Headers} headers
+ * @param {import('./page/types').Cookie[]} cookies
+ */
+export function add_cookies_to_headers(headers, cookies) {
+	for (const new_cookie of cookies) {
+		const { name, value, options } = new_cookie;
+		headers.append('set-cookie', serialize(name, value, options));
+	}
+}

package/src/runtime/server/data/index.js

@@ -0,0 +1,136 @@
+import { HttpError, Redirect } from '../../control.js';
+import { normalize_error } from '../../../utils/error.js';
+import { once } from '../../../utils/functions.js';
+import { load_server_data } from '../page/load_data.js';
+import { data_response, handle_error_and_jsonify } from '../utils.js';
+import { normalize_path } from '../../../utils/url.js';
+import { DATA_SUFFIX } from '../../../constants.js';
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSRRoute} route
+ * @param {import('types').SSROptions} options
+ * @param {import('types').SSRState} state
+ * @returns {Promise<Response>}
+ */
+export async function render_data(event, route, options, state) {
+	if (!route.page) {
+		// requesting /__data.js should fail for a +server.js
+		return new Response(undefined, {
+			status: 404
+		});
+	}
+
+	try {
+		const node_ids = [...route.page.layouts, route.page.leaf];
+
+		const invalidated =
+			event.url.searchParams
+				.get('__invalid')
+				?.split('')
+				.map((x) => x === 'y') ?? node_ids.map(() => true);
+
+		let aborted = false;
+
+		const url = new URL(event.url);
+		url.pathname = normalize_path(
+			url.pathname.slice(0, -DATA_SUFFIX.length),
+			options.trailing_slash
+		);
+
+		url.searchParams.delete('__invalid');
+		url.searchParams.delete('__id');
+
+		const new_event = { ...event, url };
+
+		const functions = node_ids.map((n, i) => {
+			return once(async () => {
+				try {
+					if (aborted) {
+						return /** @type {import('types').ServerDataSkippedNode} */ ({
+							type: 'skip'
+						});
+					}
+
+					// == because it could be undefined (in dev) or null (in build, because of JSON.stringify)
+					const node = n == undefined ? n : await options.manifest._.nodes[n]();
+					return load_server_data({
+						event: new_event,
+						state,
+						node,
+						parent: async () => {
+							/** @type {Record<string, any>} */
+							const data = {};
+							for (let j = 0; j < i; j += 1) {
+								const parent = /** @type {import('types').ServerDataNode | null} */ (
+									await functions[j]()
+								);
+
+								if (parent) {
+									Object.assign(data, parent.data);
+								}
+							}
+							return data;
+						}
+					});
+				} catch (e) {
+					aborted = true;
+					throw e;
+				}
+			});
+		});
+
+		const promises = functions.map(async (fn, i) => {
+			if (!invalidated[i]) {
+				return /** @type {import('types').ServerDataSkippedNode} */ ({
+					type: 'skip'
+				});
+			}
+
+			return fn();
+		});
+
+		let length = promises.length;
+		const nodes = await Promise.all(
+			promises.map((p, i) =>
+				p.catch((error) => {
+					if (error instanceof Redirect) {
+						throw error;
+					}
+
+					// Math.min because array isn't guaranteed to resolve in order
+					length = Math.min(length, i + 1);
+
+					return /** @type {import('types').ServerErrorNode} */ ({
+						type: 'error',
+						error: handle_error_and_jsonify(event, options, error),
+						status: error instanceof HttpError ? error.status : undefined
+					});
+				})
+			)
+		);
+
+		/** @type {import('types').ServerData} */
+		const server_data = {
+			type: 'data',
+			nodes: nodes.slice(0, length)
+		};
+
+		return data_response(server_data);
+	} catch (e) {
+		const error = normalize_error(e);
+
+		if (error instanceof Redirect) {
+			/** @type {import('types').ServerData} */
+			const server_data = {
+				type: 'redirect',
+				location: error.location
+			};
+
+			return data_response(server_data);
+		} else {
+			// TODO make it clearer that this was an unexpected error
+			return data_response(handle_error_and_jsonify(event, options, error));
+		}
+	}
+}

package/src/runtime/server/endpoint.js

@@ -0,0 +1,92 @@
+import { json } from '../../exports/index.js';
+import { negotiate } from '../../utils/http.js';
+import { Redirect, ValidationError } from '../control.js';
+import { check_method_names, method_not_allowed } from './utils.js';
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSREndpoint} mod
+ * @param {import('types').SSRState} state
+ * @returns {Promise<Response>}
+ */
+export async function render_endpoint(event, mod, state) {
+	const method = /** @type {import('types').HttpMethod} */ (event.request.method);
+
+	// TODO: Remove for 1.0
+	check_method_names(mod);
+
+	let handler = mod[method];
+
+	if (!handler && method === 'HEAD') {
+		handler = mod.GET;
+	}
+
+	if (!handler) {
+		return method_not_allowed(mod, method);
+	}
+
+	const prerender = mod.prerender ?? state.prerender_default;
+
+	if (prerender && (mod.POST || mod.PATCH || mod.PUT || mod.DELETE)) {
+		throw new Error('Cannot prerender endpoints that have mutative methods');
+	}
+
+	if (state.prerendering && !prerender) {
+		if (state.initiator) {
+			// if request came from a prerendered page, bail
+			throw new Error(`${event.routeId} is not prerenderable`);
+		} else {
+			// if request came direct from the crawler, signal that
+			// this route cannot be prerendered, but don't bail
+			return new Response(undefined, { status: 204 });
+		}
+	}
+
+	try {
+		const response = await handler(
+			/** @type {import('types').RequestEvent<Record<string, any>>} */ (event)
+		);
+
+		if (!(response instanceof Response)) {
+			throw new Error(
+				`Invalid response from route ${event.url.pathname}: handler should return a Response object`
+			);
+		}
+
+		if (state.prerendering) {
+			response.headers.set('x-sveltekit-prerender', String(prerender));
+		}
+
+		return response;
+	} catch (error) {
+		if (error instanceof Redirect) {
+			return new Response(undefined, {
+				status: error.status,
+				headers: { location: error.location }
+			});
+		} else if (error instanceof ValidationError) {
+			return json(error.data, { status: error.status });
+		}
+
+		throw error;
+	}
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ */
+export function is_endpoint_request(event) {
+	const { method, headers } = event.request;
+
+	if (method === 'PUT' || method === 'PATCH' || method === 'DELETE') {
+		// These methods exist exclusively for endpoints
+		return true;
+	}
+
+	// use:enhance uses a custom header to disambiguate
+	if (method === 'POST' && headers.get('x-sveltekit-action') === 'true') return false;
+
+	// GET/POST requests may be for endpoints or pages. We prefer endpoints if this isn't a text/html request
+	const accept = event.request.headers.get('accept') ?? '*/*';
+	return negotiate(accept, ['*', 'text/html']) !== 'text/html';
+}

package/src/runtime/server/fetch.js

@@ -0,0 +1,174 @@
+import * as set_cookie_parser from 'set-cookie-parser';
+import { respond } from './index.js';
+
+/**
+ * @param {{
+ *   event: import('types').RequestEvent;
+ *   options: import('types').SSROptions;
+ *   state: import('types').SSRState;
+ *   get_cookie_header: (url: URL, header: string | null) => string;
+ * }} opts
+ * @returns {typeof fetch}
+ */
+export function create_fetch({ event, options, state, get_cookie_header }) {
+	return async (info, init) => {
+		const request = normalize_fetch_input(info, init, event.url);
+
+		const request_body = init?.body;
+
+		/** @type {import('types').PrerenderDependency} */
+		let dependency;
+
+		return await options.hooks.handleFetch({
+			event,
+			request,
+			fetch: async (info, init) => {
+				const request = normalize_fetch_input(info, init, event.url);
+
+				const url = new URL(request.url);
+
+				if (!request.headers.has('origin')) {
+					request.headers.set('origin', event.url.origin);
+				}
+
+				// Remove Origin, according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin#description
+				if (
+					(request.method === 'GET' || request.method === 'HEAD') &&
+					((request.mode === 'no-cors' && url.origin !== event.url.origin) ||
+						url.origin === event.url.origin)
+				) {
+					request.headers.delete('origin');
+				}
+
+				if (url.origin !== event.url.origin) {
+					// allow cookie passthrough for "same-origin"
+					// if SvelteKit is serving my.domain.com:
+					// -        domain.com WILL NOT receive cookies
+					// -     my.domain.com WILL receive cookies
+					// -    api.domain.dom WILL NOT receive cookies
+					// - sub.my.domain.com WILL receive cookies
+					// ports do not affect the resolution
+					// leading dot prevents mydomain.com matching domain.com
+					if (
+						`.${url.hostname}`.endsWith(`.${event.url.hostname}`) &&
+						request.credentials !== 'omit'
+					) {
+						const cookie = get_cookie_header(url, request.headers.get('cookie'));
+						if (cookie) request.headers.set('cookie', cookie);
+					}
+
+					let response = await fetch(request);
+
+					if (request.mode === 'no-cors') {
+						response = new Response('', {
+							status: response.status,
+							statusText: response.statusText,
+							headers: response.headers
+						});
+					} else {
+						if (url.origin !== event.url.origin) {
+							const acao = response.headers.get('access-control-allow-origin');
+							if (!acao || (acao !== event.url.origin && acao !== '*')) {
+								throw new Error(
+									`CORS error: ${
+										acao ? 'Incorrect' : 'No'
+									} 'Access-Control-Allow-Origin' header is present on the requested resource`
+								);
+							}
+						}
+					}
+
+					return response;
+				}
+
+				/** @type {Response} */
+				let response;
+
+				// handle fetch requests for static assets. e.g. prebaked data, etc.
+				// we need to support everything the browser's fetch supports
+				const prefix = options.paths.assets || options.paths.base;
+				const decoded = decodeURIComponent(url.pathname);
+				const filename = (
+					decoded.startsWith(prefix) ? decoded.slice(prefix.length) : decoded
+				).slice(1);
+				const filename_html = `${filename}/index.html`; // path may also match path/index.html
+
+				const is_asset = options.manifest.assets.has(filename);
+				const is_asset_html = options.manifest.assets.has(filename_html);
+
+				if (is_asset || is_asset_html) {
+					const file = is_asset ? filename : filename_html;
+
+					if (options.read) {
+						const type = is_asset
+							? options.manifest.mimeTypes[filename.slice(filename.lastIndexOf('.'))]
+							: 'text/html';
+
+						return new Response(options.read(file), {
+							headers: type ? { 'content-type': type } : {}
+						});
+					}
+
+					return await fetch(request);
+				}
+
+				if (request.credentials !== 'omit') {
+					const cookie = get_cookie_header(url, request.headers.get('cookie'));
+					if (cookie) {
+						request.headers.set('cookie', cookie);
+					}
+
+					const authorization = event.request.headers.get('authorization');
+					if (authorization && !request.headers.has('authorization')) {
+						request.headers.set('authorization', authorization);
+					}
+				}
+
+				if (request_body && typeof request_body !== 'string' && !ArrayBuffer.isView(request_body)) {
+					// TODO is this still necessary? we just bail out below
+					// per https://developer.mozilla.org/en-US/docs/Web/API/Request/Request, this can be a
+					// Blob, BufferSource, FormData, URLSearchParams, USVString, or ReadableStream object.
+					// non-string bodies are irksome to deal with, but luckily aren't particularly useful
+					// in this context anyway, so we take the easy route and ban them
+					throw new Error('Request body must be a string or TypedArray');
+				}
+
+				response = await respond(request, options, state);
+
+				if (state.prerendering) {
+					dependency = { response, body: null };
+					state.prerendering.dependencies.set(url.pathname, dependency);
+				}
+
+				const set_cookie = response.headers.get('set-cookie');
+				if (set_cookie) {
+					for (const str of set_cookie_parser.splitCookiesString(set_cookie)) {
+						const { name, value, ...options } = set_cookie_parser.parseString(str);
+
+						// options.sameSite is string, something more specific is required - type cast is safe
+						event.cookies.set(
+							name,
+							value,
+							/** @type {import('cookie').CookieSerializeOptions} */ (options)
+						);
+					}
+				}
+
+				return response;
+			}
+		});
+	};
+}
+
+/**
+ * @param {RequestInfo | URL} info
+ * @param {RequestInit | undefined} init
+ * @param {URL} url
+ */
+function normalize_fetch_input(info, init, url) {
+	if (info instanceof Request) {
+		return info;
+	}
+
+	return new Request(typeof info === 'string' ? new URL(info, url) : info, init);
+}