@sveltejs/kit 1.0.0-next.99 → 1.0.1

package/src/runtime/server/index.js

@@ -0,0 +1,405 @@
+import { DEV } from 'esm-env';
+import { is_endpoint_request, render_endpoint } from './endpoint.js';
+import { render_page } from './page/index.js';
+import { render_response } from './page/render.js';
+import { respond_with_error } from './page/respond_with_error.js';
+import { is_form_content_type } from '../../utils/http.js';
+import { GENERIC_ERROR, get_option, handle_fatal_error, redirect_response } from './utils.js';
+import {
+	decode_pathname,
+	decode_params,
+	disable_search,
+	has_data_suffix,
+	normalize_path,
+	strip_data_suffix
+} from '../../utils/url.js';
+import { exec } from '../../utils/routing.js';
+import { INVALIDATED_PARAM, redirect_json_response, render_data } from './data/index.js';
+import { add_cookies_to_headers, get_cookies } from './cookie.js';
+import { create_fetch } from './fetch.js';
+import { Redirect } from '../control.js';
+import {
+	validate_common_exports,
+	validate_page_server_exports,
+	validate_server_exports
+} from '../../utils/exports.js';
+import { error, json } from '../../exports/index.js';
+
+/* global __SVELTEKIT_ADAPTER_NAME__ */
+
+/** @type {import('types').RequiredResolveOptions['transformPageChunk']} */
+const default_transform = ({ html }) => html;
+
+/** @type {import('types').RequiredResolveOptions['filterSerializedResponseHeaders']} */
+const default_filter = () => false;
+
+/** @type {import('types').RequiredResolveOptions['preload']} */
+const default_preload = ({ type }) => type === 'js' || type === 'css';
+
+/** @type {import('types').Respond} */
+export async function respond(request, options, state) {
+	/** URL but stripped from the potential `/__data.json` suffix and its search param  */
+	let url = new URL(request.url);
+
+	if (options.csrf.check_origin) {
+		const forbidden =
+			request.method === 'POST' &&
+			request.headers.get('origin') !== url.origin &&
+			is_form_content_type(request);
+
+		if (forbidden) {
+			const csrf_error = error(403, `Cross-site ${request.method} form submissions are forbidden`);
+			if (request.headers.get('accept') === 'application/json') {
+				return json(csrf_error.body, { status: csrf_error.status });
+			}
+			return new Response(csrf_error.body.message, { status: csrf_error.status });
+		}
+	}
+
+	let decoded;
+	try {
+		decoded = decode_pathname(url.pathname);
+	} catch {
+		return new Response('Malformed URI', { status: 400 });
+	}
+
+	/** @type {import('types').SSRRoute | null} */
+	let route = null;
+
+	/** @type {Record<string, string>} */
+	let params = {};
+
+	if (options.paths.base && !state.prerendering?.fallback) {
+		if (!decoded.startsWith(options.paths.base)) {
+			return new Response('Not found', { status: 404 });
+		}
+		decoded = decoded.slice(options.paths.base.length) || '/';
+	}
+
+	const is_data_request = has_data_suffix(decoded);
+	/** @type {boolean[] | undefined} */
+	let invalidated_data_nodes;
+	if (is_data_request) {
+		decoded = strip_data_suffix(decoded) || '/';
+		url.pathname = strip_data_suffix(url.pathname) || '/';
+		invalidated_data_nodes = url.searchParams.get(INVALIDATED_PARAM)?.split('_').map(Boolean);
+		url.searchParams.delete(INVALIDATED_PARAM);
+	}
+
+	if (!state.prerendering?.fallback) {
+		// TODO this could theoretically break — should probably be inside a try-catch
+		const matchers = await options.manifest._.matchers();
+
+		for (const candidate of options.manifest._.routes) {
+			const match = candidate.pattern.exec(decoded);
+			if (!match) continue;
+
+			const matched = exec(match, candidate.params, matchers);
+			if (matched) {
+				route = candidate;
+				params = decode_params(matched);
+				break;
+			}
+		}
+	}
+
+	/** @type {import('types').TrailingSlash | void} */
+	let trailing_slash = undefined;
+
+	/** @type {Record<string, string>} */
+	const headers = {};
+
+	/** @type {import('types').RequestEvent} */
+	const event = {
+		// @ts-expect-error `cookies` and `fetch` need to be created after the `event` itself
+		cookies: null,
+		// @ts-expect-error
+		fetch: null,
+		getClientAddress:
+			state.getClientAddress ||
+			(() => {
+				throw new Error(
+					`${__SVELTEKIT_ADAPTER_NAME__} does not specify getClientAddress. Please raise an issue`
+				);
+			}),
+		locals: {},
+		params,
+		platform: state.platform,
+		request,
+		route: { id: route?.id ?? null },
+		setHeaders: (new_headers) => {
+			for (const key in new_headers) {
+				const lower = key.toLowerCase();
+				const value = new_headers[key];
+
+				if (lower === 'set-cookie') {
+					throw new Error(
+						`Use \`event.cookies.set(name, value, options)\` instead of \`event.setHeaders\` to set cookies`
+					);
+				} else if (lower in headers) {
+					throw new Error(`"${key}" header is already set`);
+				} else {
+					headers[lower] = value;
+
+					if (state.prerendering && lower === 'cache-control') {
+						state.prerendering.cache = /** @type {string} */ (value);
+					}
+				}
+			}
+		},
+		url,
+		isDataRequest: is_data_request
+	};
+
+	/** @type {import('types').RequiredResolveOptions} */
+	let resolve_opts = {
+		transformPageChunk: default_transform,
+		filterSerializedResponseHeaders: default_filter,
+		preload: default_preload
+	};
+
+	try {
+		// determine whether we need to redirect to add/remove a trailing slash
+		if (route && !is_data_request) {
+			if (route.page) {
+				const nodes = await Promise.all([
+					// we use == here rather than === because [undefined] serializes as "[null]"
+					...route.page.layouts.map((n) => (n == undefined ? n : options.manifest._.nodes[n]())),
+					options.manifest._.nodes[route.page.leaf]()
+				]);
+
+				if (DEV) {
+					const layouts = nodes.slice(0, -1);
+					const page = nodes.at(-1);
+
+					for (const layout of layouts) {
+						if (layout) {
+							validate_common_exports(layout.server, /** @type {string} */ (layout.server_id));
+							validate_common_exports(
+								layout.universal,
+								/** @type {string} */ (layout.universal_id)
+							);
+						}
+					}
+
+					if (page) {
+						validate_page_server_exports(page.server, /** @type {string} */ (page.server_id));
+						validate_common_exports(page.universal, /** @type {string} */ (page.universal_id));
+					}
+				}
+
+				trailing_slash = get_option(nodes, 'trailingSlash');
+			} else if (route.endpoint) {
+				const node = await route.endpoint();
+				trailing_slash = node.trailingSlash;
+
+				if (DEV) {
+					validate_server_exports(node, /** @type {string} */ (route.endpoint_id));
+				}
+			}
+
+			const normalized = normalize_path(url.pathname, trailing_slash ?? 'never');
+
+			if (normalized !== url.pathname && !state.prerendering?.fallback) {
+				return new Response(undefined, {
+					status: 301,
+					headers: {
+						'x-sveltekit-normalize': '1',
+						location:
+							// ensure paths starting with '//' are not treated as protocol-relative
+							(normalized.startsWith('//') ? url.origin + normalized : normalized) +
+							(url.search === '?' ? '' : url.search)
+					}
+				});
+			}
+		}
+
+		const { cookies, new_cookies, get_cookie_header } = get_cookies(
+			request,
+			url,
+			options.dev,
+			trailing_slash ?? 'never'
+		);
+
+		event.cookies = cookies;
+		event.fetch = create_fetch({ event, options, state, get_cookie_header });
+
+		if (state.prerendering && !state.prerendering.fallback) disable_search(url);
+
+		const response = await options.hooks.handle({
+			event,
+			resolve: (event, opts) =>
+				resolve(event, opts).then((response) => {
+					// add headers/cookies here, rather than inside `resolve`, so that we
+					// can do it once for all responses instead of once per `return`
+					for (const key in headers) {
+						const value = headers[key];
+						response.headers.set(key, /** @type {string} */ (value));
+					}
+
+					add_cookies_to_headers(response.headers, Object.values(new_cookies));
+
+					if (state.prerendering && event.route.id !== null) {
+						response.headers.set('x-sveltekit-routeid', encodeURI(event.route.id));
+					}
+
+					return response;
+				})
+		});
+
+		// respond with 304 if etag matches
+		if (response.status === 200 && response.headers.has('etag')) {
+			let if_none_match_value = request.headers.get('if-none-match');
+
+			// ignore W/ prefix https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match#directives
+			if (if_none_match_value?.startsWith('W/"')) {
+				if_none_match_value = if_none_match_value.substring(2);
+			}
+
+			const etag = /** @type {string} */ (response.headers.get('etag'));
+
+			if (if_none_match_value === etag) {
+				const headers = new Headers({ etag });
+
+				// https://datatracker.ietf.org/doc/html/rfc7232#section-4.1 + set-cookie
+				for (const key of [
+					'cache-control',
+					'content-location',
+					'date',
+					'expires',
+					'vary',
+					'set-cookie'
+				]) {
+					const value = response.headers.get(key);
+					if (value) headers.set(key, value);
+				}
+
+				return new Response(undefined, {
+					status: 304,
+					headers
+				});
+			}
+		}
+
+		// Edge case: If user does `return Response(30x)` in handle hook while processing a data request,
+		// we need to transform the redirect response to a corresponding JSON response.
+		if (is_data_request && response.status >= 300 && response.status <= 308) {
+			const location = response.headers.get('location');
+			if (location) {
+				return redirect_json_response(new Redirect(/** @type {any} */ (response.status), location));
+			}
+		}
+
+		return response;
+	} catch (error) {
+		if (error instanceof Redirect) {
+			if (is_data_request) {
+				return redirect_json_response(error);
+			} else {
+				return redirect_response(error.status, error.location);
+			}
+		}
+		return await handle_fatal_error(event, options, error);
+	}
+
+	/**
+	 *
+	 * @param {import('types').RequestEvent} event
+	 * @param {import('types').ResolveOptions} [opts]
+	 */
+	async function resolve(event, opts) {
+		try {
+			if (opts) {
+				if ('ssr' in opts) {
+					throw new Error(
+						'ssr has been removed, set it in the appropriate +layout.js instead. See the PR for more information: https://github.com/sveltejs/kit/pull/6197'
+					);
+				}
+
+				resolve_opts = {
+					transformPageChunk: opts.transformPageChunk || default_transform,
+					filterSerializedResponseHeaders: opts.filterSerializedResponseHeaders || default_filter,
+					preload: opts.preload || default_preload
+				};
+			}
+
+			if (state.prerendering?.fallback) {
+				return await render_response({
+					event,
+					options,
+					state,
+					page_config: { ssr: false, csr: true },
+					status: 200,
+					error: null,
+					branch: [],
+					fetched: [],
+					resolve_opts
+				});
+			}
+
+			if (route) {
+				/** @type {Response} */
+				let response;
+
+				if (is_data_request) {
+					response = await render_data(
+						event,
+						route,
+						options,
+						state,
+						invalidated_data_nodes,
+						trailing_slash ?? 'never'
+					);
+				} else if (route.endpoint && (!route.page || is_endpoint_request(event))) {
+					response = await render_endpoint(event, await route.endpoint(), state);
+				} else if (route.page) {
+					response = await render_page(event, route, route.page, options, state, resolve_opts);
+				} else {
+					// a route will always have a page or an endpoint, but TypeScript
+					// doesn't know that
+					throw new Error('This should never happen');
+				}
+
+				return response;
+			}
+
+			if (state.initiator === GENERIC_ERROR) {
+				return new Response('Internal Server Error', {
+					status: 500
+				});
+			}
+
+			// if this request came direct from the user, rather than
+			// via a `fetch` in a `load`, render a 404 page
+			if (!state.initiator) {
+				return await respond_with_error({
+					event,
+					options,
+					state,
+					status: 404,
+					error: new Error(`Not found: ${event.url.pathname}`),
+					resolve_opts
+				});
+			}
+
+			if (state.prerendering) {
+				return new Response('not found', { status: 404 });
+			}
+
+			// we can't load the endpoint from our own manifest,
+			// so we need to make an actual HTTP request
+			return await fetch(request);
+		} catch (error) {
+			// HttpError from endpoint can end up here - TODO should it be handled there instead?
+			return await handle_fatal_error(event, options, error);
+		} finally {
+			event.cookies.set = () => {
+				throw new Error('Cannot use `cookies.set(...)` after the response has been generated');
+			};
+
+			event.setHeaders = () => {
+				throw new Error('Cannot use `setHeaders(...)` after the response has been generated');
+			};
+		}
+	}
+}

package/src/runtime/server/page/actions.js

@@ -0,0 +1,267 @@
+import * as devalue from 'devalue';
+import { error, json } from '../../../exports/index.js';
+import { normalize_error } from '../../../utils/error.js';
+import { is_form_content_type, negotiate } from '../../../utils/http.js';
+import { HttpError, Redirect, ActionFailure } from '../../control.js';
+import { handle_error_and_jsonify } from '../utils.js';
+
+/** @param {import('types').RequestEvent} event */
+export function is_action_json_request(event) {
+	const accept = negotiate(event.request.headers.get('accept') ?? '*/*', [
+		'application/json',
+		'text/html'
+	]);
+
+	return accept === 'application/json' && event.request.method === 'POST';
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSROptions} options
+ * @param {import('types').SSRNode['server'] | undefined} server
+ */
+export async function handle_action_json_request(event, options, server) {
+	const actions = server?.actions;
+
+	if (!actions) {
+		if (server) {
+			maybe_throw_migration_error(server);
+		}
+		// TODO should this be a different error altogether?
+		const no_actions_error = error(405, 'POST method not allowed. No actions exist for this page');
+		return action_json(
+			{
+				type: 'error',
+				error: await handle_error_and_jsonify(event, options, no_actions_error)
+			},
+			{
+				status: no_actions_error.status,
+				headers: {
+					// https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/405
+					// "The server must generate an Allow header field in a 405 status code response"
+					allow: 'GET'
+				}
+			}
+		);
+	}
+
+	check_named_default_separate(actions);
+
+	try {
+		const data = await call_action(event, actions);
+
+		if (data instanceof ActionFailure) {
+			return action_json({
+				type: 'failure',
+				status: data.status,
+				// @ts-expect-error we assign a string to what is supposed to be an object. That's ok
+				// because we don't use the object outside, and this way we have better code navigation
+				// through knowing where the related interface is used.
+				data: stringify_action_response(data.data, /** @type {string} */ (event.route.id))
+			});
+		} else {
+			return action_json({
+				type: 'success',
+				status: data ? 200 : 204,
+				// @ts-expect-error see comment above
+				data: stringify_action_response(data, /** @type {string} */ (event.route.id))
+			});
+		}
+	} catch (e) {
+		const error = normalize_error(e);
+
+		if (error instanceof Redirect) {
+			return action_json({
+				type: 'redirect',
+				status: error.status,
+				location: error.location
+			});
+		}
+
+		return action_json(
+			{
+				type: 'error',
+				error: await handle_error_and_jsonify(event, options, check_incorrect_fail_use(error))
+			},
+			{
+				status: error instanceof HttpError ? error.status : 500
+			}
+		);
+	}
+}
+
+/**
+ * @param {HttpError | Error} error
+ */
+function check_incorrect_fail_use(error) {
+	return error instanceof ActionFailure
+		? new Error(`Cannot "throw fail()". Use "return fail()"`)
+		: error;
+}
+
+/**
+ * @param {import('types').ActionResult} data
+ * @param {ResponseInit} [init]
+ */
+function action_json(data, init) {
+	return json(data, init);
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSRNode} leaf_node
+ */
+export function is_action_request(event, leaf_node) {
+	return leaf_node.server && event.request.method !== 'GET' && event.request.method !== 'HEAD';
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {import('types').SSRNode['server']} server
+ * @returns {Promise<import('types').ActionResult>}
+ */
+export async function handle_action_request(event, server) {
+	const actions = server.actions;
+
+	if (!actions) {
+		maybe_throw_migration_error(server);
+		// TODO should this be a different error altogether?
+		event.setHeaders({
+			// https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/405
+			// "The server must generate an Allow header field in a 405 status code response"
+			allow: 'GET'
+		});
+		return {
+			type: 'error',
+			error: error(405, 'POST method not allowed. No actions exist for this page')
+		};
+	}
+
+	check_named_default_separate(actions);
+
+	try {
+		const data = await call_action(event, actions);
+
+		if (data instanceof ActionFailure) {
+			return { type: 'failure', status: data.status, data: data.data };
+		} else {
+			return {
+				type: 'success',
+				status: 200,
+				data: /** @type {Record<string, any> | undefined} */ (data)
+			};
+		}
+	} catch (e) {
+		const error = normalize_error(e);
+
+		if (error instanceof Redirect) {
+			return {
+				type: 'redirect',
+				status: error.status,
+				location: error.location
+			};
+		}
+
+		return {
+			type: 'error',
+			error: check_incorrect_fail_use(error)
+		};
+	}
+}
+
+/**
+ * @param {import('types').Actions} actions
+ */
+function check_named_default_separate(actions) {
+	if (actions.default && Object.keys(actions).length > 1) {
+		throw new Error(
+			`When using named actions, the default action cannot be used. See the docs for more info: https://kit.svelte.dev/docs/form-actions#named-actions`
+		);
+	}
+}
+
+/**
+ * @param {import('types').RequestEvent} event
+ * @param {NonNullable<import('types').SSRNode['server']['actions']>} actions
+ * @throws {Redirect | ActionFailure | HttpError | Error}
+ */
+export async function call_action(event, actions) {
+	const url = new URL(event.request.url);
+
+	let name = 'default';
+	for (const param of url.searchParams) {
+		if (param[0].startsWith('/')) {
+			name = param[0].slice(1);
+			if (name === 'default') {
+				throw new Error('Cannot use reserved action name "default"');
+			}
+			break;
+		}
+	}
+
+	const action = actions[name];
+	if (!action) {
+		throw new Error(`No action with name '${name}' found`);
+	}
+
+	if (!is_form_content_type(event.request)) {
+		throw new Error(
+			`Actions expect form-encoded data (received ${event.request.headers.get('content-type')}`
+		);
+	}
+
+	return action(event);
+}
+
+/**
+ * @param {import('types').SSRNode['server']} server
+ */
+function maybe_throw_migration_error(server) {
+	for (const method of ['POST', 'PUT', 'PATCH', 'DELETE']) {
+		if (/** @type {any} */ (server)[method]) {
+			throw new Error(
+				`${method} method no longer allowed in +page.server, use actions instead. See the PR for more info: https://github.com/sveltejs/kit/pull/6469`
+			);
+		}
+	}
+}
+
+/**
+ * Try to `devalue.uneval` the data object, and if it fails, return a proper Error with context
+ * @param {any} data
+ * @param {string} route_id
+ */
+export function uneval_action_response(data, route_id) {
+	return try_deserialize(data, devalue.uneval, route_id);
+}
+
+/**
+ * Try to `devalue.stringify` the data object, and if it fails, return a proper Error with context
+ * @param {any} data
+ * @param {string} route_id
+ */
+function stringify_action_response(data, route_id) {
+	return try_deserialize(data, devalue.stringify, route_id);
+}
+
+/**
+ * @param {any} data
+ * @param {(data: any) => string} fn
+ * @param {string} route_id
+ */
+function try_deserialize(data, fn, route_id) {
+	try {
+		return fn(data);
+	} catch (e) {
+		// If we're here, the data could not be serialized with devalue
+		const error = /** @type {any} */ (e);
+
+		if ('path' in error) {
+			let message = `Data returned from action inside ${route_id} is not serializable: ${error.message}`;
+			if (error.path !== '') message += ` (data.${error.path})`;
+			throw new Error(message);
+		}
+
+		throw error;
+	}
+}