@timber-js/app 0.2.0-alpha.87 → 0.2.0-alpha.88

package/src/plugins/routing.ts

@@ -172,7 +172,7 @@ export function timberRouting(ctx: PluginContext): Plugin {
         rescan();
       }
 
-      return generateManifestModule(ctx.routeTree!);
+      return generateManifestModule(ctx.routeTree!, ctx.root);
     },
 
     /**
@@ -201,7 +201,7 @@ export function timberRouting(ctx: PluginContext): Plugin {
       devServer.watcher.add(ctx.appDir);
 
       /** Snapshot of the last generated manifest, used to detect structural changes. */
-      let lastManifest = ctx.routeTree ? generateManifestModule(ctx.routeTree) : '';
+      let lastManifest = ctx.routeTree ? generateManifestModule(ctx.routeTree, ctx.root) : '';
 
       /**
        * Handle a route-significant file being added or removed.
@@ -212,7 +212,7 @@ export function timberRouting(ctx: PluginContext): Plugin {
         if (!ROUTE_FILE_PATTERNS.test(filePath)) return;
 
         rescan();
-        lastManifest = ctx.routeTree ? generateManifestModule(ctx.routeTree) : '';
+        lastManifest = ctx.routeTree ? generateManifestModule(ctx.routeTree, ctx.root) : '';
         invalidateManifest(devServer);
       };
 
@@ -229,7 +229,7 @@ export function timberRouting(ctx: PluginContext): Plugin {
         if (!ROUTE_FILE_PATTERNS.test(filePath)) return;
 
         rescan();
-        const newManifest = ctx.routeTree ? generateManifestModule(ctx.routeTree) : '';
+        const newManifest = ctx.routeTree ? generateManifestModule(ctx.routeTree, ctx.root) : '';
         if (newManifest !== lastManifest) {
           lastManifest = newManifest;
           invalidateManifest(devServer);
@@ -275,7 +275,7 @@ function invalidateManifest(server: ViteDevServer): void {
  * The output is a default-exported object containing the serialized route tree.
  * All file references use absolute paths (required for virtual modules).
  */
-function generateManifestModule(tree: RouteTree): string {
+function generateManifestModule(tree: RouteTree, viteRoot: string): string {
   const imports: string[] = [];
   let importIndex = 0;
 
@@ -477,6 +477,7 @@ function generateManifestModule(tree: RouteTree): string {
     ...imports,
     '',
     'const manifest = {',
+    `  viteRoot: ${JSON.stringify(viteRoot)},`,
     proxyLine,
     globalErrorLine,
     rewritesLine,

package/src/server/action-client.ts

@@ -131,6 +131,13 @@ interface ActionClientConfig<TCtx> {
   middleware?: ActionMiddleware<TCtx> | ActionMiddleware<Record<string, unknown>>[];
   /** Max file size in bytes. Files exceeding this are rejected with validation errors. */
   fileSizeLimit?: number;
+  /**
+   * Override the sensitive-field deny-list for this action client.
+   * See `SensitiveFieldsOption` in `./sensitive-fields.ts`. Per-action config
+   * takes precedence over the global `forms.stripSensitiveFields` option in
+   * `timber.config.ts`. See design/08-forms-and-actions.md and TIM-816.
+   */
+  stripSensitiveFields?: SensitiveFieldsOption;
 }
 
 /** Intermediate builder returned by createActionClient(). */
@@ -217,6 +224,12 @@ import { parseFormData } from './form-data.js';
 import { formatSize } from '../utils/format.js';
 import { isDebug, isDevMode } from './debug.js';
 import { RedirectSignal, DenySignal } from './primitives.js';
+import {
+  stripSensitiveFields,
+  resolveSensitivePredicate,
+  getGlobalSensitiveFieldsConfig,
+  type SensitiveFieldsOption,
+} from './sensitive-fields.js';
 
 /**
  * Extract validation errors from a schema error.
@@ -340,6 +353,25 @@ export function createActionClient<TCtx = Record<string, never>>(
           rawInput = args[0];
         }
 
+        // Resolve the sensitive-field stripping predicate once per invocation.
+        // Precedence: per-action (config.stripSensitiveFields) > global
+        // (forms.stripSensitiveFields from timber.config.ts) > built-in deny-list.
+        // See TIM-816.
+        const sensitivePredicate = resolveSensitivePredicate(
+          config.stripSensitiveFields,
+          getGlobalSensitiveFieldsConfig()
+        );
+
+        // Capture a "safe-to-echo" snapshot of the raw input once. Files are
+        // stripped (can't serialize, shouldn't echo back) and sensitive fields
+        // (passwords, tokens, CVV, etc.) are removed before they would land
+        // in the RSC payload → client form `defaultValue` → DOM.
+        const buildSubmittedValues = (): Record<string, unknown> | undefined => {
+          const withoutFiles = stripFiles(rawInput);
+          if (withoutFiles === undefined) return undefined;
+          return stripSensitiveFields(withoutFiles, sensitivePredicate);
+        };
+
         // Validate file sizes before schema validation.
         if (config.fileSizeLimit !== undefined && rawInput && typeof rawInput === 'object') {
           const fileSizeErrors = validateFileSizes(
@@ -347,14 +379,12 @@ export function createActionClient<TCtx = Record<string, never>>(
             config.fileSizeLimit
           );
           if (fileSizeErrors) {
-            const submittedValues = stripFiles(rawInput);
-            return { validationErrors: fileSizeErrors, submittedValues };
+            return { validationErrors: fileSizeErrors, submittedValues: buildSubmittedValues() };
           }
         }
 
         // Capture submitted values for repopulation on validation failure.
-        // Exclude File objects (can't serialize, shouldn't echo back).
-        const submittedValues = schema ? stripFiles(rawInput) : undefined;
+        const submittedValues = schema ? buildSubmittedValues() : undefined;
 
         // Validate with schema if provided
         let input: TInput;

package/src/server/action-handler.ts

@@ -30,6 +30,12 @@ import {
 import { handleActionError } from './action-client.js';
 import { enforceBodyLimits, enforceFieldLimit, type BodyLimitsConfig } from './body-limits.js';
 import { parseFormData } from './form-data.js';
+import {
+  stripSensitiveFields,
+  resolveSensitivePredicate,
+  getGlobalSensitiveFieldsConfig,
+  type SensitiveFieldsOption,
+} from './sensitive-fields.js';
 import type { FormFlashData } from './form-flash.js';
 import { checkVersionSkew, applyReloadHeaders } from './version-skew.js';
 import { logActionError } from './logger.js';
@@ -44,6 +50,12 @@ export interface ActionDispatchConfig {
   revalidateRenderer?: RevalidateRenderer;
   /** Body size limits (from timber.config.ts). */
   bodyLimits?: BodyLimitsConfig;
+  /**
+   * Override the sensitive-field deny-list for the no-JS form POST path.
+   * Defaults to the global `forms.stripSensitiveFields` from `timber.config.ts`.
+   * See `SensitiveFieldsOption` in `./sensitive-fields.ts` and TIM-816.
+   */
+  sensitiveFields?: SensitiveFieldsOption;
 }
 
 // ─── Constants ────────────────────────────────────────────────────────────
@@ -295,8 +307,14 @@ async function handleFormAction(
   }
 
   // Capture submitted values for re-render on validation failure.
-  // Parse before decodeAction consumes the FormData.
-  const submittedValues = parseFormData(formData);
+  // Parse before decodeAction consumes the FormData, then strip sensitive
+  // fields (passwords, tokens, CVV, etc.) so they are never rendered back
+  // into the HTML as `defaultValue` attributes. See TIM-816.
+  const sensitivePredicate = resolveSensitivePredicate(
+    config.sensitiveFields,
+    getGlobalSensitiveFieldsConfig()
+  );
+  const submittedValues = stripSensitiveFields(parseFormData(formData), sensitivePredicate);
 
   // decodeAction resolves the action function from the form data's hidden fields.
   // It returns a bound function with the form data already applied.
@@ -338,5 +356,17 @@ async function handleFormAction(
   // This handles both success ({ data }) and validation failure
   // ({ validationErrors, submittedValues }) — the form is the single source of truth.
   const actionResult = result.actionResult as FormFlashData;
+
+  // Defense-in-depth: strip sensitive fields from `actionResult.submittedValues`
+  // even if the action already built it. `createActionClient` strips internally,
+  // but raw `'use server'` functions that manually return `{ submittedValues }`
+  // are not covered by the inner strip. See TIM-816.
+  if (actionResult && actionResult.submittedValues) {
+    actionResult.submittedValues = stripSensitiveFields(
+      actionResult.submittedValues,
+      sensitivePredicate
+    );
+  }
+
   return { rerender: actionResult };
 }

package/src/server/route-matcher.ts

@@ -68,6 +68,13 @@ export interface ManifestSegmentNode {
 /** The manifest shape from virtual:timber-route-manifest. */
 export interface ManifestRoot {
   root: ManifestSegmentNode;
+  /**
+   * Absolute path to the Vite project root, captured at build/load time.
+   * Used by dev-only features (e.g., dev error page frame classification)
+   * that need a correct project root even when CWD differs (e.g., monorepo
+   * custom root). See TIM-807 / TIM-808.
+   */
+  viteRoot: string;
   proxy?: ManifestFile;
   /**
    * Global error page: app/global-error.{tsx,ts,jsx,js}

package/src/server/rsc-entry/index.ts

@@ -192,6 +192,18 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
     setDebugFromConfig(true);
   }
 
+  // Wire the global sensitive-field stripping config so `createActionClient`
+  // instances in user code pick up `forms.stripSensitiveFields` from
+  // `timber.config.ts` without needing to plumb config through each action.
+  // See TIM-816 and design/08-forms-and-actions.md §"Validation errors".
+  const formsConfig = (runtimeConfig as Record<string, unknown>).forms as
+    | { stripSensitiveFields?: import('../sensitive-fields.js').SensitiveFieldsOption }
+    | undefined;
+  if (formsConfig) {
+    const { setGlobalSensitiveFieldsConfig } = await import('../sensitive-fields.js');
+    setGlobalSensitiveFieldsConfig(formsConfig.stripSensitiveFields);
+  }
+
   // Two separate flags for two different security levels:
   //
   // isDev (isDevMode) — gates client-visible behavior: dev error pages with
@@ -324,9 +336,12 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
         manifest.globalError,
         // Project root for dev error page frame classification.
         // Not in runtimeConfig (TIM-787: leaked to client bundles).
-        // manifest.root is the resolved Vite root — correct even when
-        // CWD differs from project root (e.g., monorepo custom root) (TIM-807).
-        isDev ? manifest.root : undefined
+        // manifest.viteRoot is the resolved Vite root string — correct even
+        // when CWD differs from project root (e.g., monorepo custom root)
+        // (TIM-807). Passing manifest.root (segment tree object) here would
+        // stringify to "[object Object]" and misclassify app frames as
+        // internal, dropping source locations from the dev error page (TIM-808).
+        isDev ? manifest.viteRoot : undefined
       ),
     renderDenyFallback: async (deny, req, responseHeaders) => {
       // Render the deny page (403.tsx, 404.tsx, etc.) for DenySignals
@@ -389,6 +404,7 @@ async function createRequestHandler(manifest: typeof routeManifest, runtimeConfi
         bodyLimits: {
           limits: (runtimeConfig as Record<string, unknown>).limits as BodyLimitsConfig['limits'],
         },
+        sensitiveFields: formsConfig?.stripSensitiveFields,
         revalidateRenderer: async (path: string) => {
           // Build the React element tree for the route at `path`.
           // Returns the element tree (not serialized) so the action handler can

package/src/server/sensitive-fields.ts

@@ -0,0 +1,230 @@
+/**
+ * Sensitive field stripping — removes password/token/CVV-style fields
+ * from form values before they are echoed back to the client as
+ * `submittedValues` for form repopulation.
+ *
+ * Applied to both action paths:
+ *  - With-JS action path: `createActionClient()` in `action-client.ts`
+ *  - No-JS form POST path: `handleFormAction()` in `action-handler.ts`
+ *
+ * Why: on a validation failure, timber echoes submitted form values back so
+ * the user doesn't have to re-type everything. Without filtering, plaintext
+ * passwords / credit-card numbers / TOTP codes would travel through the RSC
+ * stream (with-JS) or land in the HTML as `defaultValue` attributes (no-JS)
+ * — ending up in browser history, proxy logs, disk caches, and the
+ * back-forward cache.
+ *
+ * Safe by default: the built-in deny-list is applied unconditionally unless
+ * the user explicitly opts out via `forms.stripSensitiveFields: false` in
+ * `timber.config.ts` or per-action via `createActionClient({ stripSensitiveFields: false })`.
+ *
+ * See design/08-forms-and-actions.md §"Validation errors"
+ * See design/13-security.md §"Sensitive field stripping"
+ * See TIM-816
+ */
+
+import { isDebug } from './debug.js';
+
+// ─── Public types ────────────────────────────────────────────────────────
+
+/**
+ * How to strip sensitive fields from `submittedValues`.
+ *
+ * - `true` / `undefined` — use the built-in deny-list (default, safe).
+ * - `false` — do not strip anything (dev convenience; never do this in prod).
+ * - `string[]` — additional field names to strip, merged with the built-in list.
+ * - `(name) => boolean` — custom predicate, fully replaces the built-in list.
+ *   Return `true` to strip, `false` to keep. The `name` argument is the raw
+ *   (un-normalized) field name as it appeared in the submitted form.
+ */
+export type SensitiveFieldsOption = boolean | readonly string[] | ((name: string) => boolean);
+
+// ─── Built-in deny-list ──────────────────────────────────────────────────
+
+/**
+ * Substring patterns matched against the normalized field name.
+ * Normalization = lowercase + strip `_` and `-`.
+ *
+ * Any field whose normalized name *contains* one of these strings is
+ * considered sensitive. Entries like `currentPassword`, `passwordConfirmation`,
+ * and `user.password` all match via the `password` substring.
+ */
+const BUILTIN_SUBSTRING_PATTERNS: readonly string[] = [
+  'password',
+  'passwd',
+  'pwd',
+  'secret',
+  'apikey',
+  'accesstoken',
+  'refreshtoken',
+  'cvv',
+  'cvc',
+  'cardnumber',
+  'cardcvc',
+  'ssn',
+  'socialsecuritynumber',
+  'otp',
+  'totp',
+  'mfacode',
+  'twofactorcode',
+  'privatekey',
+];
+
+/**
+ * Exact matches against the normalized field name. These are field names that
+ * are too short or too common to substring-match safely. e.g. `token` alone
+ * would match `csrfToken`, which is not sensitive — so `token` is exact-only,
+ * while legitimate token fields are covered by `accesstoken` / `refreshtoken`.
+ */
+const BUILTIN_EXACT_PATTERNS: readonly string[] = ['token'];
+
+/**
+ * Normalize a field name for deny-list comparison.
+ * Lowercases the string and strips `_` and `-` so camelCase, snake_case, and
+ * kebab-case variants all compare equal (`api_key` / `apiKey` / `api-key` →
+ * `apikey`).
+ */
+function normalize(name: string): string {
+  let out = '';
+  for (let i = 0; i < name.length; i++) {
+    const ch = name.charCodeAt(i);
+    if (ch === 0x5f /* _ */ || ch === 0x2d /* - */) continue;
+    // A-Z → a-z
+    if (ch >= 0x41 && ch <= 0x5a) {
+      out += String.fromCharCode(ch + 32);
+    } else {
+      out += name[i];
+    }
+  }
+  return out;
+}
+
+/**
+ * Check whether a name matches the built-in deny-list (with optional extras).
+ * Extras are merged into the substring pattern list after normalization.
+ */
+function isBuiltinSensitive(name: string, extras?: readonly string[]): boolean {
+  const normalized = normalize(name);
+  if (BUILTIN_EXACT_PATTERNS.includes(normalized)) return true;
+  for (const pattern of BUILTIN_SUBSTRING_PATTERNS) {
+    if (normalized.includes(pattern)) return true;
+  }
+  if (extras && extras.length > 0) {
+    for (const extra of extras) {
+      const normExtra = normalize(extra);
+      if (normExtra.length === 0) continue;
+      if (normalized.includes(normExtra)) return true;
+    }
+  }
+  return false;
+}
+
+// ─── Predicate resolution ────────────────────────────────────────────────
+
+/**
+ * A resolved predicate: `null` means "don't strip anything" (the option was
+ * explicitly `false`). Otherwise a function from raw field name → boolean.
+ */
+export type ResolvedSensitivePredicate = ((name: string) => boolean) | null;
+
+/**
+ * Resolve a `SensitiveFieldsOption` into a concrete predicate.
+ * Precedence: per-action > global > built-in default.
+ *
+ * - Per-action `undefined` → fall back to global.
+ * - Global `undefined` → use built-in list.
+ * - Either level set to `false` → disable stripping entirely (returns `null`).
+ * - `true` → built-in list.
+ * - `string[]` → built-in ∪ extras.
+ * - function → custom, replaces the built-in list entirely.
+ */
+export function resolveSensitivePredicate(
+  perAction: SensitiveFieldsOption | undefined,
+  global: SensitiveFieldsOption | undefined
+): ResolvedSensitivePredicate {
+  const chosen = perAction !== undefined ? perAction : global;
+
+  if (chosen === false) return null;
+  if (chosen === undefined || chosen === true) {
+    return (name) => isBuiltinSensitive(name);
+  }
+  if (typeof chosen === 'function') {
+    return chosen;
+  }
+  // Array of extra names merged with the built-in list.
+  const extras = chosen;
+  return (name) => isBuiltinSensitive(name, extras);
+}
+
+// ─── Module-level global config ──────────────────────────────────────────
+
+let globalConfig: SensitiveFieldsOption | undefined;
+
+/**
+ * Set the global `forms.stripSensitiveFields` config from `timber.config.ts`.
+ * Called once at startup from `rsc-entry`.
+ */
+export function setGlobalSensitiveFieldsConfig(option: SensitiveFieldsOption | undefined): void {
+  globalConfig = option;
+}
+
+/** Read the global `forms.stripSensitiveFields` config. */
+export function getGlobalSensitiveFieldsConfig(): SensitiveFieldsOption | undefined {
+  return globalConfig;
+}
+
+// ─── Stripping ───────────────────────────────────────────────────────────
+
+// One warning per field name per process — prevents log spam when a form is
+// submitted many times in dev mode.
+const warnedFields = new Set<string>();
+
+function warnStripped(name: string): void {
+  if (!isDebug()) return;
+  if (warnedFields.has(name)) return;
+  warnedFields.add(name);
+  console.warn(
+    `[timber] stripped sensitive field "${name}" from submittedValues. ` +
+      `Override via forms.stripSensitiveFields in timber.config.ts.`
+  );
+}
+
+/**
+ * Walk an object (recursively) and return a copy with every key matching
+ * `predicate` removed. Nested objects like `{ user: { password: '...' } }`
+ * are handled — `user.password` is stripped while other `user.*` fields remain.
+ *
+ * - Arrays are walked element-wise (object entries inside arrays are cleaned).
+ * - Non-plain values (strings, numbers, Files, Dates, etc.) are returned as-is.
+ * - When a stripped key is encountered, it is omitted from the result entirely
+ *   — we do NOT set it to an empty string, because that would overwrite a
+ *   valid `defaultValue` the form author might have set.
+ */
+export function stripSensitiveFields<T>(value: T, predicate: ResolvedSensitivePredicate): T {
+  // Null predicate = stripping disabled entirely.
+  if (predicate === null) return value;
+  if (value === null || value === undefined) return value;
+  if (typeof value !== 'object') return value;
+  if (value instanceof File || value instanceof Date) return value;
+
+  if (Array.isArray(value)) {
+    return value.map((item) => stripSensitiveFields(item, predicate)) as unknown as T;
+  }
+
+  const result: Record<string, unknown> = {};
+  for (const [key, nested] of Object.entries(value as Record<string, unknown>)) {
+    if (predicate(key)) {
+      warnStripped(key);
+      continue;
+    }
+    result[key] = stripSensitiveFields(nested, predicate);
+  }
+  return result as unknown as T;
+}
+
+// ─── Test helpers ────────────────────────────────────────────────────────
+
+/** Reset the "warned once" cache. Exposed for tests. */
+export function __resetSensitiveFieldsWarnings(): void {
+  warnedFields.clear();
+}