@sveltejs/kit 1.0.0-next.52 → 1.0.0-next.520

package/src/runtime/server/index.js

@@ -0,0 +1,355 @@
+import { is_endpoint_request, render_endpoint } from './endpoint.js';
+import { render_page } from './page/index.js';
+import { render_response } from './page/render.js';
+import { respond_with_error } from './page/respond_with_error.js';
+import { coalesce_to_error } from '../../utils/error.js';
+import { is_form_content_type } from '../../utils/http.js';
+import { GENERIC_ERROR, handle_fatal_error } from './utils.js';
+import { decode_params, disable_search, normalize_path } from '../../utils/url.js';
+import { exec } from '../../utils/routing.js';
+import { render_data } from './data/index.js';
+import { DATA_SUFFIX } from '../../constants.js';
+import { add_cookies_to_headers, get_cookies } from './cookie.js';
+import { HttpError } from '../control.js';
+import { create_fetch } from './fetch.js';
+
+/* global __SVELTEKIT_ADAPTER_NAME__ */
+
+/** @param {{ html: string }} opts */
+const default_transform = ({ html }) => html;
+
+const default_filter = () => false;
+
+/** @type {import('types').Respond} */
+export async function respond(request, options, state) {
+	let url = new URL(request.url);
+
+	if (options.csrf.check_origin) {
+		const forbidden =
+			request.method === 'POST' &&
+			request.headers.get('origin') !== url.origin &&
+			is_form_content_type(request);
+
+		if (forbidden) {
+			return new Response(`Cross-site ${request.method} form submissions are forbidden`, {
+				status: 403
+			});
+		}
+	}
+
+	let decoded;
+	try {
+		decoded = decodeURI(url.pathname);
+	} catch {
+		return new Response('Malformed URI', { status: 400 });
+	}
+
+	/** @type {import('types').SSRRoute | null} */
+	let route = null;
+
+	/** @type {Record<string, string>} */
+	let params = {};
+
+	if (options.paths.base && !state.prerendering?.fallback) {
+		if (!decoded.startsWith(options.paths.base)) {
+			return new Response('Not found', { status: 404 });
+		}
+		decoded = decoded.slice(options.paths.base.length) || '/';
+	}
+
+	const is_data_request = decoded.endsWith(DATA_SUFFIX);
+	if (is_data_request) decoded = decoded.slice(0, -DATA_SUFFIX.length) || '/';
+
+	if (!state.prerendering?.fallback) {
+		const matchers = await options.manifest._.matchers();
+
+		for (const candidate of options.manifest._.routes) {
+			const match = candidate.pattern.exec(decoded);
+			if (!match) continue;
+
+			const matched = exec(match, candidate.names, candidate.types, matchers);
+			if (matched) {
+				route = candidate;
+				params = decode_params(matched);
+				break;
+			}
+		}
+	}
+
+	if (route?.page && !is_data_request) {
+		const normalized = normalize_path(url.pathname, options.trailing_slash);
+
+		if (normalized !== url.pathname && !state.prerendering?.fallback) {
+			return new Response(undefined, {
+				status: 301,
+				headers: {
+					'x-sveltekit-normalize': '1',
+					location:
+						// ensure paths starting with '//' are not treated as protocol-relative
+						(normalized.startsWith('//') ? url.origin + normalized : normalized) +
+						(url.search === '?' ? '' : url.search)
+				}
+			});
+		}
+	}
+
+	/** @type {Record<string, string>} */
+	const headers = {};
+
+	const { cookies, new_cookies, get_cookie_header } = get_cookies(request, url);
+
+	if (state.prerendering) disable_search(url);
+
+	/** @type {import('types').RequestEvent} */
+	const event = {
+		cookies,
+		// @ts-expect-error this is added in the next step, because `create_fetch` needs a reference to `event`
+		fetch: null,
+		getClientAddress:
+			state.getClientAddress ||
+			(() => {
+				throw new Error(
+					`${__SVELTEKIT_ADAPTER_NAME__} does not specify getClientAddress. Please raise an issue`
+				);
+			}),
+		locals: {},
+		params,
+		platform: state.platform,
+		request,
+		routeId: route && route.id,
+		setHeaders: (new_headers) => {
+			for (const key in new_headers) {
+				const lower = key.toLowerCase();
+				const value = new_headers[key];
+
+				if (lower === 'set-cookie') {
+					throw new Error(
+						`Use \`event.cookies.set(name, value, options)\` instead of \`event.setHeaders\` to set cookies`
+					);
+				} else if (lower in headers) {
+					throw new Error(`"${key}" header is already set`);
+				} else {
+					headers[lower] = value;
+
+					if (state.prerendering && lower === 'cache-control') {
+						state.prerendering.cache = /** @type {string} */ (value);
+					}
+				}
+			}
+		},
+		url
+	};
+
+	event.fetch = create_fetch({ event, options, state, get_cookie_header });
+
+	// TODO remove this for 1.0
+	/**
+	 * @param {string} property
+	 * @param {string} replacement
+	 * @param {string} suffix
+	 */
+	const removed = (property, replacement, suffix = '') => ({
+		get: () => {
+			throw new Error(`event.${property} has been replaced by event.${replacement}` + suffix);
+		}
+	});
+
+	const details = '. See https://github.com/sveltejs/kit/pull/3384 for details';
+
+	const body_getter = {
+		get: () => {
+			throw new Error(
+				'To access the request body use the text/json/arrayBuffer/formData methods, e.g. `body = await request.json()`' +
+					details
+			);
+		}
+	};
+
+	Object.defineProperties(event, {
+		clientAddress: removed('clientAddress', 'getClientAddress'),
+		method: removed('method', 'request.method', details),
+		headers: removed('headers', 'request.headers', details),
+		origin: removed('origin', 'url.origin'),
+		path: removed('path', 'url.pathname'),
+		query: removed('query', 'url.searchParams'),
+		body: body_getter,
+		rawBody: body_getter
+	});
+
+	/** @type {import('types').RequiredResolveOptions} */
+	let resolve_opts = {
+		transformPageChunk: default_transform,
+		filterSerializedResponseHeaders: default_filter
+	};
+
+	/**
+	 *
+	 * @param {import('types').RequestEvent} event
+	 * @param {import('types').ResolveOptions} [opts]
+	 */
+	async function resolve(event, opts) {
+		try {
+			if (opts) {
+				// TODO remove for 1.0
+				if ('transformPage' in opts) {
+					throw new Error(
+						'transformPage has been replaced by transformPageChunk — see https://github.com/sveltejs/kit/pull/5657 for more information'
+					);
+				}
+
+				if ('ssr' in opts) {
+					throw new Error(
+						'ssr has been removed, set it in the appropriate +layout.js instead. See the PR for more information: https://github.com/sveltejs/kit/pull/6197'
+					);
+				}
+
+				resolve_opts = {
+					transformPageChunk: opts.transformPageChunk || default_transform,
+					filterSerializedResponseHeaders: opts.filterSerializedResponseHeaders || default_filter
+				};
+			}
+
+			if (state.prerendering?.fallback) {
+				return await render_response({
+					event,
+					options,
+					state,
+					page_config: { ssr: false, csr: true },
+					status: 200,
+					error: null,
+					branch: [],
+					fetched: [],
+					resolve_opts
+				});
+			}
+
+			if (route) {
+				/** @type {Response} */
+				let response;
+
+				if (is_data_request) {
+					response = await render_data(event, route, options, state);
+				} else if (route.endpoint && (!route.page || is_endpoint_request(event))) {
+					response = await render_endpoint(event, await route.endpoint(), state);
+				} else if (route.page) {
+					response = await render_page(event, route, route.page, options, state, resolve_opts);
+				} else {
+					// a route will always have a page or an endpoint, but TypeScript
+					// doesn't know that
+					throw new Error('This should never happen');
+				}
+
+				return response;
+			}
+
+			if (state.initiator === GENERIC_ERROR) {
+				return new Response('Internal Server Error', {
+					status: 500
+				});
+			}
+
+			// if this request came direct from the user, rather than
+			// via a `fetch` in a `load`, render a 404 page
+			if (!state.initiator) {
+				return await respond_with_error({
+					event,
+					options,
+					state,
+					status: 404,
+					error: new Error(`Not found: ${event.url.pathname}`),
+					resolve_opts
+				});
+			}
+
+			if (state.prerendering) {
+				return new Response('not found', { status: 404 });
+			}
+
+			// we can't load the endpoint from our own manifest,
+			// so we need to make an actual HTTP request
+			return await fetch(request);
+		} catch (e) {
+			// HttpError can come from endpoint - TODO should it be handled there instead?
+			const error = e instanceof HttpError ? e : coalesce_to_error(e);
+			return handle_fatal_error(event, options, error);
+		} finally {
+			event.cookies.set = () => {
+				throw new Error('Cannot use `cookies.set(...)` after the response has been generated');
+			};
+
+			event.setHeaders = () => {
+				throw new Error('Cannot use `setHeaders(...)` after the response has been generated');
+			};
+		}
+	}
+
+	try {
+		const response = await options.hooks.handle({
+			event,
+			resolve: (event, opts) =>
+				resolve(event, opts).then((response) => {
+					// add headers/cookies here, rather than inside `resolve`, so that we
+					// can do it once for all responses instead of once per `return`
+					if (!is_data_request) {
+						// we only want to set cookies on __data.json requests, we don't
+						// want to cache stuff erroneously etc
+						for (const key in headers) {
+							const value = headers[key];
+							response.headers.set(key, /** @type {string} */ (value));
+						}
+					}
+					add_cookies_to_headers(response.headers, Object.values(new_cookies));
+
+					if (state.prerendering && event.routeId !== null) {
+						response.headers.set('x-sveltekit-routeid', encodeURI(event.routeId));
+					}
+
+					return response;
+				}),
+			// TODO remove for 1.0
+			// @ts-expect-error
+			get request() {
+				throw new Error('request in handle has been replaced with event' + details);
+			}
+		});
+
+		// respond with 304 if etag matches
+		if (response.status === 200 && response.headers.has('etag')) {
+			let if_none_match_value = request.headers.get('if-none-match');
+
+			// ignore W/ prefix https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match#directives
+			if (if_none_match_value?.startsWith('W/"')) {
+				if_none_match_value = if_none_match_value.substring(2);
+			}
+
+			const etag = /** @type {string} */ (response.headers.get('etag'));
+
+			if (if_none_match_value === etag) {
+				const headers = new Headers({ etag });
+
+				// https://datatracker.ietf.org/doc/html/rfc7232#section-4.1 + set-cookie
+				for (const key of [
+					'cache-control',
+					'content-location',
+					'date',
+					'expires',
+					'vary',
+					'set-cookie'
+				]) {
+					const value = response.headers.get(key);
+					if (value) headers.set(key, value);
+				}
+
+				return new Response(undefined, {
+					status: 304,
+					headers
+				});
+			}
+		}
+
+		return response;
+	} catch (/** @type {unknown} */ e) {
+		const error = coalesce_to_error(e);
+		return handle_fatal_error(event, options, error);
+	}
+}

package/src/runtime/server/page/actions.js

@@ -0,0 +1,256 @@
+import { error, json } from '../../../exports/index.js';
+import { normalize_error } from '../../../utils/error.js';
+import { is_form_content_type, negotiate } from '../../../utils/http.js';
+import { HttpError, Redirect, ValidationError } from '../../control.js';
+import { handle_error_and_jsonify } from '../utils.js';
+
+/** @param {import('types').RequestEvent} event */
+export function is_action_json_request(event) {
+	const accept = negotiate(event.request.headers.get('accept') ?? '*/*', [
+		'application/json',
+		'text/html'
+	]);
+
+	return accept === 'application/json' && event.request.method === 'POST';
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSROptions} options
+ * @param {import('types').SSRNode['server']} server
+ */
+export async function handle_action_json_request(event, options, server) {
+	const actions = server.actions;
+
+	if (!actions) {
+		maybe_throw_migration_error(server);
+		// TODO should this be a different error altogether?
+		return new Response('POST method not allowed. No actions exist for this page', {
+			status: 405,
+			headers: {
+				// https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/405
+				// "The server must generate an Allow header field in a 405 status code response"
+				allow: 'GET'
+			}
+		});
+	}
+
+	check_named_default_separate(actions);
+
+	try {
+		const data = await call_action(event, actions);
+
+		if (data instanceof ValidationError) {
+			check_serializability(data.data, /** @type {string} */ (event.routeId), 'data');
+			return action_json({ type: 'invalid', status: data.status, data: data.data });
+		} else {
+			check_serializability(data, /** @type {string} */ (event.routeId), 'data');
+			return action_json({
+				type: 'success',
+				status: data ? 200 : 204,
+				data: /** @type {Record<string, any> | undefined} */ (data)
+			});
+		}
+	} catch (e) {
+		const error = normalize_error(e);
+
+		if (error instanceof Redirect) {
+			return action_json({
+				type: 'redirect',
+				status: error.status,
+				location: error.location
+			});
+		}
+
+		return action_json(
+			{
+				type: 'error',
+				error: handle_error_and_jsonify(event, options, check_incorrect_invalid_use(error))
+			},
+			{
+				status: error instanceof HttpError ? error.status : 500
+			}
+		);
+	}
+}
+
+/**
+ * @param {HttpError | Error} error
+ */
+function check_incorrect_invalid_use(error) {
+	return error instanceof ValidationError
+		? new Error(`Cannot "throw invalid()". Use "return invalid()"`)
+		: error;
+}
+
+/**
+ * @param {import('types').ActionResult} data
+ * @param {ResponseInit} [init]
+ */
+function action_json(data, init) {
+	return json(data, init);
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSRNode} leaf_node
+ */
+export function is_action_request(event, leaf_node) {
+	return leaf_node.server && event.request.method !== 'GET' && event.request.method !== 'HEAD';
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSRNode['server']} server
+ * @returns {Promise<import('types').ActionResult>}
+ */
+export async function handle_action_request(event, server) {
+	const actions = server.actions;
+
+	if (!actions) {
+		maybe_throw_migration_error(server);
+		// TODO should this be a different error altogether?
+		event.setHeaders({
+			// https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/405
+			// "The server must generate an Allow header field in a 405 status code response"
+			allow: 'GET'
+		});
+		return {
+			type: 'error',
+			error: error(405, 'POST method not allowed. No actions exist for this page')
+		};
+	}
+
+	check_named_default_separate(actions);
+
+	try {
+		const data = await call_action(event, actions);
+
+		if (data instanceof ValidationError) {
+			return { type: 'invalid', status: data.status, data: data.data };
+		} else {
+			return {
+				type: 'success',
+				status: 200,
+				data: /** @type {Record<string, any> | undefined} */ (data)
+			};
+		}
+	} catch (e) {
+		const error = normalize_error(e);
+
+		if (error instanceof Redirect) {
+			return {
+				type: 'redirect',
+				status: error.status,
+				location: error.location
+			};
+		}
+
+		return {
+			type: 'error',
+			error: check_incorrect_invalid_use(error)
+		};
+	}
+}
+
+/**
+ * @param {import('types').Actions} actions
+ */
+function check_named_default_separate(actions) {
+	if (actions.default && Object.keys(actions).length > 1) {
+		throw new Error(
+			`When using named actions, the default action cannot be used. See the docs for more info: https://kit.svelte.dev/docs/form-actions#named-actions`
+		);
+	}
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {NonNullable<import('types').SSRNode['server']['actions']>} actions
+ * @throws {Redirect | ValidationError | HttpError | Error}
+ */
+export async function call_action(event, actions) {
+	const url = new URL(event.request.url);
+
+	let name = 'default';
+	for (const param of url.searchParams) {
+		if (param[0].startsWith('/')) {
+			name = param[0].slice(1);
+			if (name === 'default') {
+				throw new Error('Cannot use reserved action name "default"');
+			}
+			break;
+		}
+	}
+
+	const action = actions[name];
+	if (!action) {
+		throw new Error(`No action with name '${name}' found`);
+	}
+
+	if (!is_form_content_type(event.request)) {
+		throw new Error(
+			`Actions expect form-encoded data (received ${event.request.headers.get('content-type')}`
+		);
+	}
+
+	return action(event);
+}
+
+/**
+ * @param {import('types').SSRNode['server']} server
+ */
+function maybe_throw_migration_error(server) {
+	for (const method of ['POST', 'PUT', 'PATCH', 'DELETE']) {
+		if (/** @type {any} */ (server)[method]) {
+			throw new Error(
+				`${method} method no longer allowed in +page.server, use actions instead. See the PR for more info: https://github.com/sveltejs/kit/pull/6469`
+			);
+		}
+	}
+}
+
+/**
+ * Check that the data can safely be serialized to JSON
+ * @param {any} value
+ * @param {string} id
+ * @param {string} path
+ */
+function check_serializability(value, id, path) {
+	const type = typeof value;
+
+	if (type === 'string' || type === 'boolean' || type === 'number' || type === 'undefined') {
+		// primitives are fine
+		return;
+	}
+
+	if (type === 'object') {
+		// nulls are fine...
+		if (!value) return;
+
+		// ...so are plain arrays...
+		if (Array.isArray(value)) {
+			value.forEach((child, i) => {
+				check_serializability(child, id, `${path}[${i}]`);
+			});
+			return;
+		}
+
+		// ...and objects
+		// This simple check might potentially run into some weird edge cases
+		// Refer to https://github.com/lodash/lodash/blob/2da024c3b4f9947a48517639de7560457cd4ec6c/isPlainObject.js?rgh-link-date=2022-07-20T12%3A48%3A07Z#L30
+		// if that ever happens
+		if (Object.getPrototypeOf(value) === Object.prototype) {
+			for (const key in value) {
+				check_serializability(value[key], id, `${path}.${key}`);
+			}
+			return;
+		}
+	}
+
+	throw new Error(
+		`${path} returned from action in ${id} cannot be serialized as JSON without losing its original type` +
+			// probably the most common case, so let's give a hint
+			(value instanceof Date ? ' (Date objects are serialized as strings)' : '')
+	);
+}