@sveltejs/kit 1.0.0-next.98 → 1.0.0

package/src/runtime/hash.js

@@ -0,0 +1,20 @@
+/**
+ * Hash using djb2
+ * @param {import('types').StrictBody} value
+ */
+export function hash(value) {
+	let hash = 5381;
+
+	if (typeof value === 'string') {
+		let i = value.length;
+		while (i) hash = (hash * 33) ^ value.charCodeAt(--i);
+	} else if (ArrayBuffer.isView(value)) {
+		const buffer = new Uint8Array(value.buffer, value.byteOffset, value.byteLength);
+		let i = buffer.length;
+		while (i) hash = (hash * 33) ^ buffer[--i];
+	} else {
+		throw new TypeError('value must be a string or TypedArray');
+	}
+
+	return (hash >>> 0).toString(36);
+}

package/src/runtime/paths.js

@@ -0,0 +1,11 @@
+/** @type {string} */
+export let base = '';
+
+/** @type {string} */
+export let assets = '';
+
+/** @param {{ base: string, assets: string }} paths */
+export function set_paths(paths) {
+	base = paths.base;
+	assets = paths.assets || base;
+}

package/src/runtime/server/cookie.js

@@ -0,0 +1,228 @@
+import { parse, serialize } from 'cookie';
+import { normalize_path } from '../../utils/url.js';
+
+/**
+ * Tracks all cookies set during dev mode so we can emit warnings
+ * when we detect that there's likely cookie misusage due to wrong paths
+ *
+ * @type {Record<string, Set<string>>} */
+const cookie_paths = {};
+
+/**
+ * @param {Request} request
+ * @param {URL} url
+ * @param {boolean} dev
+ * @param {import('types').TrailingSlash} trailing_slash
+ */
+export function get_cookies(request, url, dev, trailing_slash) {
+	const header = request.headers.get('cookie') ?? '';
+	const initial_cookies = parse(header, { decode: (value) => value });
+
+	const normalized_url = normalize_path(url.pathname, trailing_slash);
+	// Emulate browser-behavior: if the cookie is set at '/foo/bar', its path is '/foo'
+	const default_path = normalized_url.split('/').slice(0, -1).join('/') || '/';
+
+	if (dev) {
+		// TODO this could theoretically be wrong if the cookie was set unencoded?
+		const initial_decoded_cookies = parse(header, { decode: decodeURIComponent });
+		// Remove all cookies that no longer exist according to the request
+		for (const name of Object.keys(cookie_paths)) {
+			cookie_paths[name] = new Set(
+				[...cookie_paths[name]].filter(
+					(path) => !path_matches(normalized_url, path) || name in initial_decoded_cookies
+				)
+			);
+		}
+		// Add all new cookies we might not have seen before
+		for (const name in initial_decoded_cookies) {
+			cookie_paths[name] = cookie_paths[name] ?? new Set();
+			if (![...cookie_paths[name]].some((path) => path_matches(normalized_url, path))) {
+				cookie_paths[name].add(default_path);
+			}
+		}
+	}
+
+	/** @type {Record<string, import('./page/types').Cookie>} */
+	const new_cookies = {};
+
+	/** @type {import('cookie').CookieSerializeOptions} */
+	const defaults = {
+		httpOnly: true,
+		sameSite: 'lax',
+		secure: url.hostname === 'localhost' && url.protocol === 'http:' ? false : true
+	};
+
+	/** @type {import('types').Cookies} */
+	const cookies = {
+		// The JSDoc param annotations appearing below for get, set and delete
+		// are necessary to expose the `cookie` library types to
+		// typescript users. `@type {import('types').Cookies}` above is not
+		// sufficient to do so.
+
+		/**
+		 * @param {string} name
+		 * @param {import('cookie').CookieParseOptions} opts
+		 */
+		get(name, opts) {
+			const c = new_cookies[name];
+			if (
+				c &&
+				domain_matches(url.hostname, c.options.domain) &&
+				path_matches(url.pathname, c.options.path)
+			) {
+				return c.value;
+			}
+
+			const decoder = opts?.decode || decodeURIComponent;
+			const req_cookies = parse(header, { decode: decoder });
+			const cookie = req_cookies[name]; // the decoded string or undefined
+
+			if (!dev || cookie) {
+				return cookie;
+			}
+
+			const paths = new Set([...(cookie_paths[name] ?? [])]);
+			if (c) {
+				paths.add(c.options.path ?? default_path);
+			}
+			if (paths.size > 0) {
+				console.warn(
+					// prettier-ignore
+					`Cookie with name '${name}' was not found at path '${url.pathname}', but a cookie with that name exists at these paths: '${[...paths].join("', '")}'. Did you mean to set its 'path' to '/' instead?`
+				);
+			}
+		},
+
+		/**
+		 * @param {string} name
+		 * @param {string} value
+		 * @param {import('cookie').CookieSerializeOptions} opts
+		 */
+		set(name, value, opts = {}) {
+			let path = opts.path ?? default_path;
+
+			new_cookies[name] = {
+				name,
+				value,
+				options: {
+					...defaults,
+					...opts,
+					path
+				}
+			};
+
+			if (dev) {
+				cookie_paths[name] = cookie_paths[name] ?? new Set();
+				if (!value) {
+					if (!cookie_paths[name].has(path) && cookie_paths[name].size > 0) {
+						const paths = `'${Array.from(cookie_paths[name]).join("', '")}'`;
+						console.warn(
+							`Trying to delete cookie '${name}' at path '${path}', but a cookie with that name only exists at these paths: ${paths}.`
+						);
+					}
+					cookie_paths[name].delete(path);
+				} else {
+					// We could also emit a warning here if the cookie already exists at a different path,
+					// but that's more likely a false positive because it's valid to set the same name at different paths
+					cookie_paths[name].add(path);
+				}
+			}
+		},
+
+		/**
+		 * @param {string} name
+		 * @param {import('cookie').CookieSerializeOptions} opts
+		 */
+		delete(name, opts = {}) {
+			cookies.set(name, '', {
+				...opts,
+				maxAge: 0
+			});
+		},
+
+		/**
+		 * @param {string} name
+		 * @param {string} value
+		 * @param {import('cookie').CookieSerializeOptions} opts
+		 */
+		serialize(name, value, opts) {
+			return serialize(name, value, {
+				...defaults,
+				...opts
+			});
+		}
+	};
+
+	/**
+	 * @param {URL} destination
+	 * @param {string | null} header
+	 */
+	function get_cookie_header(destination, header) {
+		/** @type {Record<string, string>} */
+		const combined_cookies = {
+			// cookies sent by the user agent have lowest precedence
+			...initial_cookies
+		};
+
+		// cookies previous set during this event with cookies.set have higher precedence
+		for (const key in new_cookies) {
+			const cookie = new_cookies[key];
+			if (!domain_matches(destination.hostname, cookie.options.domain)) continue;
+			if (!path_matches(destination.pathname, cookie.options.path)) continue;
+
+			const encoder = cookie.options.encode || encodeURIComponent;
+			combined_cookies[cookie.name] = encoder(cookie.value);
+		}
+
+		// explicit header has highest precedence
+		if (header) {
+			const parsed = parse(header, { decode: (value) => value });
+			for (const name in parsed) {
+				combined_cookies[name] = parsed[name];
+			}
+		}
+
+		return Object.entries(combined_cookies)
+			.map(([name, value]) => `${name}=${value}`)
+			.join('; ');
+	}
+
+	return { cookies, new_cookies, get_cookie_header };
+}
+
+/**
+ * @param {string} hostname
+ * @param {string} [constraint]
+ */
+export function domain_matches(hostname, constraint) {
+	if (!constraint) return true;
+
+	const normalized = constraint[0] === '.' ? constraint.slice(1) : constraint;
+
+	if (hostname === normalized) return true;
+	return hostname.endsWith('.' + normalized);
+}
+
+/**
+ * @param {string} path
+ * @param {string} [constraint]
+ */
+export function path_matches(path, constraint) {
+	if (!constraint) return true;
+
+	const normalized = constraint.endsWith('/') ? constraint.slice(0, -1) : constraint;
+
+	if (path === normalized) return true;
+	return path.startsWith(normalized + '/');
+}
+
+/**
+ * @param {Headers} headers
+ * @param {import('./page/types').Cookie[]} cookies
+ */
+export function add_cookies_to_headers(headers, cookies) {
+	for (const new_cookie of cookies) {
+		const { name, value, options } = new_cookie;
+		headers.append('set-cookie', serialize(name, value, options));
+	}
+}

package/src/runtime/server/data/index.js

@@ -0,0 +1,158 @@
+import { HttpError, Redirect } from '../../control.js';
+import { normalize_error } from '../../../utils/error.js';
+import { once } from '../../../utils/functions.js';
+import { load_server_data } from '../page/load_data.js';
+import { clarify_devalue_error, handle_error_and_jsonify, serialize_data_node } from '../utils.js';
+import { normalize_path } from '../../../utils/url.js';
+
+export const INVALIDATED_PARAM = 'x-sveltekit-invalidated';
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSRRoute} route
+ * @param {import('types').SSROptions} options
+ * @param {import('types').SSRState} state
+ * @param {boolean[] | undefined} invalidated_data_nodes
+ * @param {import('types').TrailingSlash} trailing_slash
+ * @returns {Promise<Response>}
+ */
+export async function render_data(
+	event,
+	route,
+	options,
+	state,
+	invalidated_data_nodes,
+	trailing_slash
+) {
+	if (!route.page) {
+		// requesting /__data.json should fail for a +server.js
+		return new Response(undefined, {
+			status: 404
+		});
+	}
+
+	try {
+		const node_ids = [...route.page.layouts, route.page.leaf];
+		const invalidated = invalidated_data_nodes ?? node_ids.map(() => true);
+
+		let aborted = false;
+
+		const url = new URL(event.url);
+		url.pathname = normalize_path(url.pathname, trailing_slash);
+
+		const new_event = { ...event, url };
+
+		const functions = node_ids.map((n, i) => {
+			return once(async () => {
+				try {
+					if (aborted) {
+						return /** @type {import('types').ServerDataSkippedNode} */ ({
+							type: 'skip'
+						});
+					}
+
+					// == because it could be undefined (in dev) or null (in build, because of JSON.stringify)
+					const node = n == undefined ? n : await options.manifest._.nodes[n]();
+					return load_server_data({
+						event: new_event,
+						options,
+						state,
+						node,
+						parent: async () => {
+							/** @type {Record<string, any>} */
+							const data = {};
+							for (let j = 0; j < i; j += 1) {
+								const parent = /** @type {import('types').ServerDataNode | null} */ (
+									await functions[j]()
+								);
+
+								if (parent) {
+									Object.assign(data, parent.data);
+								}
+							}
+							return data;
+						}
+					});
+				} catch (e) {
+					aborted = true;
+					throw e;
+				}
+			});
+		});
+
+		const promises = functions.map(async (fn, i) => {
+			if (!invalidated[i]) {
+				return /** @type {import('types').ServerDataSkippedNode} */ ({
+					type: 'skip'
+				});
+			}
+
+			return fn();
+		});
+
+		let length = promises.length;
+		const nodes = await Promise.all(
+			promises.map((p, i) =>
+				p.catch(async (error) => {
+					if (error instanceof Redirect) {
+						throw error;
+					}
+
+					// Math.min because array isn't guaranteed to resolve in order
+					length = Math.min(length, i + 1);
+
+					return /** @type {import('types').ServerErrorNode} */ ({
+						type: 'error',
+						error: await handle_error_and_jsonify(event, options, error),
+						status: error instanceof HttpError ? error.status : undefined
+					});
+				})
+			)
+		);
+
+		try {
+			const stubs = nodes.slice(0, length).map(serialize_data_node);
+
+			const json = `{"type":"data","nodes":[${stubs.join(',')}]}`;
+			return json_response(json);
+		} catch (e) {
+			const error = /** @type {any} */ (e);
+			return json_response(JSON.stringify(clarify_devalue_error(event, error)), 500);
+		}
+	} catch (e) {
+		const error = normalize_error(e);
+
+		if (error instanceof Redirect) {
+			return redirect_json_response(error);
+		} else {
+			// TODO make it clearer that this was an unexpected error
+			return json_response(JSON.stringify(await handle_error_and_jsonify(event, options, error)));
+		}
+	}
+}
+
+/**
+ * @param {string} json
+ * @param {number} [status]
+ */
+function json_response(json, status = 200) {
+	return new Response(json, {
+		status,
+		headers: {
+			'content-type': 'application/json',
+			'cache-control': 'private, no-store'
+		}
+	});
+}
+
+/**
+ * @param {Redirect} redirect
+ */
+export function redirect_json_response(redirect) {
+	return json_response(
+		JSON.stringify({
+			type: 'redirect',
+			location: redirect.location
+		})
+	);
+}

package/src/runtime/server/endpoint.js

@@ -0,0 +1,86 @@
+import { negotiate } from '../../utils/http.js';
+import { Redirect } from '../control.js';
+import { method_not_allowed } from './utils.js';
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSREndpoint} mod
+ * @param {import('types').SSRState} state
+ * @returns {Promise<Response>}
+ */
+export async function render_endpoint(event, mod, state) {
+	const method = /** @type {import('types').HttpMethod} */ (event.request.method);
+
+	let handler = mod[method];
+
+	if (!handler && method === 'HEAD') {
+		handler = mod.GET;
+	}
+
+	if (!handler) {
+		return method_not_allowed(mod, method);
+	}
+
+	const prerender = mod.prerender ?? state.prerender_default;
+
+	if (prerender && (mod.POST || mod.PATCH || mod.PUT || mod.DELETE)) {
+		throw new Error('Cannot prerender endpoints that have mutative methods');
+	}
+
+	if (state.prerendering && !prerender) {
+		if (state.initiator) {
+			// if request came from a prerendered page, bail
+			throw new Error(`${event.route.id} is not prerenderable`);
+		} else {
+			// if request came direct from the crawler, signal that
+			// this route cannot be prerendered, but don't bail
+			return new Response(undefined, { status: 204 });
+		}
+	}
+
+	try {
+		const response = await handler(
+			/** @type {import('types').RequestEvent<Record<string, any>>} */ (event)
+		);
+
+		if (!(response instanceof Response)) {
+			throw new Error(
+				`Invalid response from route ${event.url.pathname}: handler should return a Response object`
+			);
+		}
+
+		if (state.prerendering) {
+			response.headers.set('x-sveltekit-prerender', String(prerender));
+		}
+
+		return response;
+	} catch (error) {
+		if (error instanceof Redirect) {
+			return new Response(undefined, {
+				status: error.status,
+				headers: { location: error.location }
+			});
+		}
+
+		throw error;
+	}
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ */
+export function is_endpoint_request(event) {
+	const { method, headers } = event.request;
+
+	if (method === 'PUT' || method === 'PATCH' || method === 'DELETE') {
+		// These methods exist exclusively for endpoints
+		return true;
+	}
+
+	// use:enhance uses a custom header to disambiguate
+	if (method === 'POST' && headers.get('x-sveltekit-action') === 'true') return false;
+
+	// GET/POST requests may be for endpoints or pages. We prefer endpoints if this isn't a text/html request
+	const accept = event.request.headers.get('accept') ?? '*/*';
+	return negotiate(accept, ['*', 'text/html']) !== 'text/html';
+}

package/src/runtime/server/fetch.js

@@ -0,0 +1,175 @@
+import * as set_cookie_parser from 'set-cookie-parser';
+import { respond } from './index.js';
+
+/**
+ * @param {{
+ *   event: import('types').RequestEvent;
+ *   options: import('types').SSROptions;
+ *   state: import('types').SSRState;
+ *   get_cookie_header: (url: URL, header: string | null) => string;
+ * }} opts
+ * @returns {typeof fetch}
+ */
+export function create_fetch({ event, options, state, get_cookie_header }) {
+	return async (info, init) => {
+		const original_request = normalize_fetch_input(info, init, event.url);
+
+		const request_body = init?.body;
+
+		// some runtimes (e.g. Cloudflare) error if you access `request.mode`,
+		// annoyingly, so we need to read the value from the `init` object instead
+		let mode = (info instanceof Request ? info.mode : init?.mode) ?? 'cors';
+		let credentials =
+			(info instanceof Request ? info.credentials : init?.credentials) ?? 'same-origin';
+
+		return await options.hooks.handleFetch({
+			event,
+			request: original_request,
+			fetch: async (info, init) => {
+				const request = normalize_fetch_input(info, init, event.url);
+
+				const url = new URL(request.url);
+
+				if (!request.headers.has('origin')) {
+					request.headers.set('origin', event.url.origin);
+				}
+
+				if (info !== original_request) {
+					mode = (info instanceof Request ? info.mode : init?.mode) ?? 'cors';
+					credentials =
+						(info instanceof Request ? info.credentials : init?.credentials) ?? 'same-origin';
+				}
+
+				// Remove Origin, according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin#description
+				if (
+					(request.method === 'GET' || request.method === 'HEAD') &&
+					((mode === 'no-cors' && url.origin !== event.url.origin) ||
+						url.origin === event.url.origin)
+				) {
+					request.headers.delete('origin');
+				}
+
+				if (url.origin !== event.url.origin) {
+					// allow cookie passthrough for "same-origin"
+					// if SvelteKit is serving my.domain.com:
+					// -        domain.com WILL NOT receive cookies
+					// -     my.domain.com WILL receive cookies
+					// -    api.domain.dom WILL NOT receive cookies
+					// - sub.my.domain.com WILL receive cookies
+					// ports do not affect the resolution
+					// leading dot prevents mydomain.com matching domain.com
+					if (`.${url.hostname}`.endsWith(`.${event.url.hostname}`) && credentials !== 'omit') {
+						const cookie = get_cookie_header(url, request.headers.get('cookie'));
+						if (cookie) request.headers.set('cookie', cookie);
+					}
+
+					let response = await fetch(request);
+
+					if (mode === 'no-cors') {
+						response = new Response('', {
+							status: response.status,
+							statusText: response.statusText,
+							headers: response.headers
+						});
+					}
+
+					return response;
+				}
+
+				/** @type {Response} */
+				let response;
+
+				// handle fetch requests for static assets. e.g. prebaked data, etc.
+				// we need to support everything the browser's fetch supports
+				const prefix = options.paths.assets || options.paths.base;
+				const decoded = decodeURIComponent(url.pathname);
+				const filename = (
+					decoded.startsWith(prefix) ? decoded.slice(prefix.length) : decoded
+				).slice(1);
+				const filename_html = `${filename}/index.html`; // path may also match path/index.html
+
+				const is_asset = options.manifest.assets.has(filename);
+				const is_asset_html = options.manifest.assets.has(filename_html);
+
+				if (is_asset || is_asset_html) {
+					const file = is_asset ? filename : filename_html;
+
+					if (options.read) {
+						const type = is_asset
+							? options.manifest.mimeTypes[filename.slice(filename.lastIndexOf('.'))]
+							: 'text/html';
+
+						return new Response(options.read(file), {
+							headers: type ? { 'content-type': type } : {}
+						});
+					}
+
+					return await fetch(request);
+				}
+
+				if (credentials !== 'omit') {
+					const cookie = get_cookie_header(url, request.headers.get('cookie'));
+					if (cookie) {
+						request.headers.set('cookie', cookie);
+					}
+
+					const authorization = event.request.headers.get('authorization');
+					if (authorization && !request.headers.has('authorization')) {
+						request.headers.set('authorization', authorization);
+					}
+				}
+
+				if (request_body && typeof request_body !== 'string' && !ArrayBuffer.isView(request_body)) {
+					// TODO is this still necessary? we just bail out below
+					// per https://developer.mozilla.org/en-US/docs/Web/API/Request/Request, this can be a
+					// Blob, BufferSource, FormData, URLSearchParams, USVString, or ReadableStream object.
+					// non-string bodies are irksome to deal with, but luckily aren't particularly useful
+					// in this context anyway, so we take the easy route and ban them
+					throw new Error('Request body must be a string or TypedArray');
+				}
+
+				if (!request.headers.has('accept')) {
+					request.headers.set('accept', '*/*');
+				}
+
+				if (!request.headers.has('accept-language')) {
+					request.headers.set(
+						'accept-language',
+						/** @type {string} */ (event.request.headers.get('accept-language'))
+					);
+				}
+
+				response = await respond(request, options, state);
+
+				const set_cookie = response.headers.get('set-cookie');
+				if (set_cookie) {
+					for (const str of set_cookie_parser.splitCookiesString(set_cookie)) {
+						const { name, value, ...options } = set_cookie_parser.parseString(str);
+
+						// options.sameSite is string, something more specific is required - type cast is safe
+						event.cookies.set(
+							name,
+							value,
+							/** @type {import('cookie').CookieSerializeOptions} */ (options)
+						);
+					}
+				}
+
+				return response;
+			}
+		});
+	};
+}
+
+/**
+ * @param {RequestInfo | URL} info
+ * @param {RequestInit | undefined} init
+ * @param {URL} url
+ */
+function normalize_fetch_input(info, init, url) {
+	if (info instanceof Request) {
+		return info;
+	}
+
+	return new Request(typeof info === 'string' ? new URL(info, url) : info, init);
+}