@travetto/web 6.0.0-rc.3 → 6.0.0-rc.5

package/README.md

@@ -57,6 +57,7 @@ export interface WebRequestContext {
 
 /**
  * Web Request object
+ * @web_contextual
  */
 export class WebRequest<B = unknown> extends BaseWebMessage<B, Readonly<WebRequestContext>> {
 
@@ -73,6 +74,7 @@ export interface WebResponseContext {
 
 /**
  * Web Response as a simple object
+ * @web_invalid_parameter
  */
 export class WebResponse<B = unknown> extends BaseWebMessage<B, WebResponseContext> {
 
@@ -377,7 +379,7 @@ Out of the box, the web framework comes with a few interceptors, and more are co
    1. global - Intended to run outside of the request flow - [AsyncContextInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/context.ts#L13)
    1. terminal - Handles once request and response are finished building - [LoggingInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/logging.ts#L28), [RespondInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/respond.ts#L12)
    1. pre-request - Prepares the request for running - [TrustProxyInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/trust-proxy.ts#L23)
-   1. request - Handles inbound request, validation, and body preparation - [DecompressInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/decompress.ts#L53), [AcceptInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/accept.ts#L34), [BodyParseInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/body-parse.ts#L61), [CookiesInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/cookies.ts#L56) 
+   1. request - Handles inbound request, validation, and body preparation - [DecompressInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/decompress.ts#L53), [AcceptInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/accept.ts#L34), [BodyInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/body.ts#L57), [CookieInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/cookie.ts#L60) 
    1. response - Prepares outbound response - [CompressInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/compress.ts#L50), [CorsInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/cors.ts#L51), [EtagInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/etag.ts#L34), [ResponseCacheInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/response-cache.ts#L30) 
    1. application - Lives outside of the general request/response behavior, [Web Auth](https://github.com/travetto/travetto/tree/main/module/auth-web#readme "Web authentication integration support for the Travetto framework") uses this for login and logout flows.
 
@@ -460,8 +462,8 @@ export class DecompressConfig {
 }
 ```
 
-#### CookiesInterceptor
-[CookiesInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/cookies.ts#L56) is responsible for processing inbound cookie headers and populating the appropriate data on the request, as well as sending the appropriate response data
+#### CookieInterceptor
+[CookieInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/cookie.ts#L60) is responsible for processing inbound cookie headers and populating the appropriate data on the request, as well as sending the appropriate response data
 
 **Code: Cookies Config**
 ```typescript
@@ -473,7 +475,7 @@ export class CookieConfig implements CookieSetOptions {
   /**
    * Are they signed
    */
-  signed = true;
+  signed?: boolean;
   /**
    * Supported only via http (not in JS)
    */
@@ -490,20 +492,24 @@ export class CookieConfig implements CookieSetOptions {
   /**
    * Is the cookie only valid for https
    */
-  secure?: boolean = false;
+  secure?: boolean;
   /**
    * The domain of the cookie
    */
   domain?: string;
+  /**
+   * The default path of the cookie
+   */
+  path: string = '/';
 }
 ```
 
-#### BodyParseInterceptor
-[BodyParseInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/body-parse.ts#L61) handles the inbound request, and converting the body payload into an appropriate format.
+#### BodyInterceptor
+[BodyInterceptor](https://github.com/travetto/travetto/tree/main/module/web/src/interceptor/body.ts#L57) handles the inbound request, and converting the body payload into an appropriate format.
 
-**Code: Body Parse Config**
+**Code: Body Config**
 ```typescript
-export class BodyParseConfig {
+export class WebBodyConfig {
   /**
    * Parse request body
    */
@@ -523,10 +529,6 @@ export class BodyParseConfig {
 
   @Ignore()
   _limit: number | undefined;
-
-  postConstruct(): void {
-    this._limit = WebCommonUtil.parseByteSize(this.limit);
-  }
 }
 ```
 

package/__index__.ts

@@ -24,9 +24,9 @@ export * from './src/registry/visitor.ts';
 export * from './src/registry/types.ts';
 
 export * from './src/interceptor/accept.ts';
-export * from './src/interceptor/body-parse.ts';
+export * from './src/interceptor/body.ts';
 export * from './src/interceptor/cors.ts';
-export * from './src/interceptor/cookies.ts';
+export * from './src/interceptor/cookie.ts';
 export * from './src/interceptor/compress.ts';
 export * from './src/interceptor/context.ts';
 export * from './src/interceptor/decompress.ts';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@travetto/web",
-  "version": "6.0.0-rc.3",
+  "version": "6.0.0-rc.5",
   "description": "Declarative api for Web Applications with support for the dependency injection.",
   "keywords": [
     "web",
@@ -37,13 +37,12 @@
     "@types/negotiator": "^0.6.3",
     "find-my-way": "^9.3.0",
     "fresh": "^0.5.2",
-    "iconv-lite": "^0.6.3",
     "keygrip": "^1.1.0",
     "negotiator": "^1.0.0"
   },
   "peerDependencies": {
     "@travetto/cli": "^6.0.0-rc.3",
-    "@travetto/test": "^6.0.0-rc.2",
+    "@travetto/test": "^6.0.0-rc.3",
     "@travetto/transformer": "^6.0.0-rc.3"
   },
   "peerDependenciesMeta": {

package/src/context.ts

@@ -1,6 +1,6 @@
 import { AsyncContextValue, AsyncContext } from '@travetto/context';
 import { Inject, Injectable } from '@travetto/di';
-import { AppError, castTo, Class, toConcrete } from '@travetto/runtime';
+import { AppError, castTo, Class } from '@travetto/runtime';
 
 import { WebRequest } from './types/request.ts';
 
@@ -21,7 +21,7 @@ export class WebAsyncContext {
   }
 
   postConstruct(): void {
-    this.registerSource(toConcrete<WebRequest>(), () => this.#request.get());
+    this.registerSource(WebRequest, () => this.#request.get());
   }
 
   withContext<T>(request: WebRequest, next: () => Promise<T>): Promise<T> {

package/src/interceptor/{body-parse.ts → body.ts}

@@ -24,10 +24,10 @@ export interface BodyContentParser {
 };
 
 /**
- * Web body parse configuration
+ * Web body  configuration
  */
-@Config('web.bodyParse')
-export class BodyParseConfig {
+@Config('web.body')
+export class WebBodyConfig {
   /**
    * Parse request body
    */
@@ -47,25 +47,21 @@ export class BodyParseConfig {
 
   @Ignore()
   _limit: number | undefined;
-
-  postConstruct(): void {
-    this._limit = WebCommonUtil.parseByteSize(this.limit);
-  }
 }
 
 
 /**
- * Parses the body input content
+ * Verifies content length, decodes character encodings, and parses body input string via the content type
  */
 @Injectable()
-export class BodyParseInterceptor implements WebInterceptor<BodyParseConfig> {
+export class BodyInterceptor implements WebInterceptor<WebBodyConfig> {
 
   dependsOn = [AcceptInterceptor, DecompressInterceptor];
   category: WebInterceptorCategory = 'request';
   parsers: Record<string, BodyContentParser> = {};
 
   @Inject()
-  config: BodyParseConfig;
+  config: WebBodyConfig;
 
   async postConstruct(): Promise<void> {
     // Load all the parser types
@@ -75,11 +71,11 @@ export class BodyParseInterceptor implements WebInterceptor<BodyParseConfig> {
     }
   }
 
-  applies({ endpoint, config }: WebInterceptorContext<BodyParseConfig>): boolean {
+  applies({ endpoint, config }: WebInterceptorContext<WebBodyConfig>): boolean {
     return config.applies && endpoint.allowsBody;
   }
 
-  async filter({ request, config, next }: WebChainedContext<BodyParseConfig>): Promise<WebResponse> {
+  async filter({ request, config, next }: WebChainedContext<WebBodyConfig>): Promise<WebResponse> {
     const input = request.body;
 
     if (!WebBodyUtil.isRaw(input)) {
@@ -88,8 +84,8 @@ export class BodyParseInterceptor implements WebInterceptor<BodyParseConfig> {
 
     const lengthRead = +(request.headers.get('Content-Length') || '');
     const length = Number.isNaN(lengthRead) ? undefined : lengthRead;
+    const limit = config._limit ??= WebCommonUtil.parseByteSize(config.limit);
 
-    const limit = config._limit ?? Number.MAX_SAFE_INTEGER;
     if (length && length > limit) {
       throw WebError.for('Request entity too large', 413, { length, limit });
     }

package/src/interceptor/{cookies.ts → cookie.ts}

@@ -25,7 +25,7 @@ export class CookieConfig implements CookieSetOptions {
   /**
    * Are they signed
    */
-  signed = true;
+  signed?: boolean;
   /**
    * Supported only via http (not in JS)
    */
@@ -42,18 +42,22 @@ export class CookieConfig implements CookieSetOptions {
   /**
    * Is the cookie only valid for https
    */
-  secure?: boolean = false;
+  secure?: boolean;
   /**
    * The domain of the cookie
    */
   domain?: string;
+  /**
+   * The default path of the cookie
+   */
+  path: string = '/';
 }
 
 /**
  * Loads cookies from the request, verifies, exposes, and then signs and sets
  */
 @Injectable()
-export class CookiesInterceptor implements WebInterceptor<CookieConfig> {
+export class CookieInterceptor implements WebInterceptor<CookieConfig> {
 
   #cookieJar = new AsyncContextValue<CookieJar>(this);
 
@@ -77,8 +81,9 @@ export class CookiesInterceptor implements WebInterceptor<CookieConfig> {
 
   finalizeConfig({ config }: WebInterceptorContext<CookieConfig>): CookieConfig {
     const url = new URL(this.webConfig.baseUrl ?? 'x://localhost');
-    config.secure ??= url.protocol === 'https';
+    config.secure ??= url.protocol === 'https:';
     config.domain ??= url.hostname;
+    config.signed ??= !!config.keys?.length;
     return config;
   }
 
@@ -87,11 +92,11 @@ export class CookiesInterceptor implements WebInterceptor<CookieConfig> {
   }
 
   async filter({ request, config, next }: WebChainedContext<CookieConfig>): Promise<WebResponse> {
-    const jar = new CookieJar(request.headers.get('Cookie'), config);
+    const jar = new CookieJar(config).importCookieHeader(request.headers.get('Cookie'));
     this.#cookieJar.set(jar);
 
     const response = await next();
-    for (const c of jar.export()) { response.headers.append('Set-Cookie', c); }
+    for (const c of jar.exportSetCookieHeader()) { response.headers.append('Set-Cookie', c); }
     return response;
   }
 }

package/src/types/cookie.ts

@@ -15,4 +15,4 @@ export type Cookie = {
 };
 
 export type CookieGetOptions = { signed?: boolean };
-export type CookieSetOptions = Omit<Cookie, 'name' | 'value'>;
+export type CookieSetOptions = Omit<Cookie, 'name' | 'value' | 'response'>;

package/src/types/request.ts

@@ -18,6 +18,7 @@ export interface WebRequestContext {
 
 /**
  * Web Request object
+ * @web_contextual
  */
 export class WebRequest<B = unknown> extends BaseWebMessage<B, Readonly<WebRequestContext>> {
 

package/src/types/response.ts

@@ -6,6 +6,7 @@ export interface WebResponseContext {
 
 /**
  * Web Response as a simple object
+ * @web_invalid_parameter
  */
 export class WebResponse<B = unknown> extends BaseWebMessage<B, WebResponseContext> {
 

package/src/util/body.ts

@@ -1,5 +1,4 @@
-import iconv from 'iconv-lite';
-
+import { TextDecoder } from 'node:util';
 import { Readable } from 'node:stream';
 import { buffer as toBuffer } from 'node:stream/consumers';
 
@@ -187,27 +186,33 @@ export class WebBodyUtil {
   static async readText(input: Readable | Buffer, limit: number, encoding?: string): Promise<{ text: string, read: number }> {
     encoding ??= (Buffer.isBuffer(input) ? undefined : input.readableEncoding) ?? 'utf-8';
 
-    if (!iconv.encodingExists(encoding)) {
+    let decoder: TextDecoder;
+    try {
+      decoder = new TextDecoder(encoding);
+    } catch {
       throw WebError.for('Specified Encoding Not Supported', 415, { encoding });
     }
 
     if (Buffer.isBuffer(input)) {
-      return { text: iconv.decode(input, encoding), read: input.byteLength };
+      if (input.byteLength > limit) {
+        throw WebError.for('Request Entity Too Large', 413, { received: input.byteLength, limit });
+      }
+      return { text: decoder.decode(input), read: input.byteLength };
     }
 
     let received = Buffer.isBuffer(input) ? input.byteOffset : 0;
-    const decoder = iconv.getDecoder(encoding);
     const all: string[] = [];
 
     try {
-      for await (const chunk of input.iterator({ destroyOnReturn: false })) {
-        received += Buffer.isBuffer(chunk) ? chunk.byteLength : (typeof chunk === 'string' ? chunk.length : chunk.length);
+      for await (const chunk of castTo<AsyncIterable<string | Buffer>>(input.iterator({ destroyOnReturn: false }))) {
+        const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, 'utf8');
+        received += buffer.byteLength;
         if (received > limit) {
           throw WebError.for('Request Entity Too Large', 413, { received, limit });
         }
-        all.push(decoder.write(chunk));
+        all.push(decoder.decode(buffer, { stream: true }));
       }
-      all.push(decoder.end() ?? '');
+      all.push(decoder.decode(Buffer.alloc(0), { stream: false }));
       return { text: all.join(''), read: received };
     } catch (err) {
       if (err instanceof Error && err.name === 'AbortError') {

package/src/util/cookie.ts

@@ -1,14 +1,26 @@
 import keygrip from 'keygrip';
 import { AppError, castKey, castTo } from '@travetto/runtime';
 
-import { Cookie, CookieGetOptions } from '../types/cookie.ts';
+import { Cookie, CookieGetOptions, CookieSetOptions } from '../types/cookie.ts';
 
 const pairText = (c: Cookie): string => `${c.name}=${c.value}`;
 const pair = (k: string, v: unknown): string => `${k}=${v}`;
 
+type CookieJarOptions = { keys?: string[] } & CookieSetOptions;
+
 export class CookieJar {
 
-  static fromHeaderValue(header: string): Cookie {
+  static parseCookieHeader(header: string): Cookie[] {
+    return header.split(/\s{0,4};\s{0,4}/g)
+      .map(x => x.trim())
+      .filter(x => !!x)
+      .map(item => {
+        const kv = item.split(/\s{0,4}=\s{0,4}/);
+        return { name: kv[0], value: kv[1] };
+      });
+  }
+
+  static parseSetCookieHeader(header: string): Cookie {
     const parts = header.split(/\s{0,4};\s{0,4}/g);
     const [name, value] = parts[0].split(/\s{0,4}=\s{0,4}/);
     const c: Cookie = { name, value };
@@ -27,119 +39,125 @@ export class CookieJar {
     return c;
   }
 
-  static toHeaderValue(c: Cookie, response = true): string {
-    const header = [pair(c.name, c.value)];
-    if (response) {
-      if (!c.value) {
-        c.expires = new Date(0);
-        c.maxAge = undefined;
-      }
-      if (c.maxAge) {
-        c.expires = new Date(Date.now() + c.maxAge);
-      }
-
-      if (c.path) { header.push(pair('path', c.path)); }
-      if (c.expires) { header.push(pair('expires', c.expires.toUTCString())); }
-      if (c.domain) { header.push(pair('domain', c.domain)); }
-      if (c.priority) { header.push(pair('priority', c.priority.toLowerCase())); }
-      if (c.sameSite) { header.push(pair('samesite', c.sameSite.toLowerCase())); }
-      if (c.secure) { header.push('secure'); }
-      if (c.httpOnly) { header.push('httponly'); }
-      if (c.partitioned) { header.push('partitioned'); }
-    }
-    return header.join(';');
+  static responseSuffix(c: Cookie): string[] {
+    const parts = [];
+    if (c.path) { parts.push(pair('path', c.path)); }
+    if (c.expires) { parts.push(pair('expires', c.expires.toUTCString())); }
+    if (c.domain) { parts.push(pair('domain', c.domain)); }
+    if (c.priority) { parts.push(pair('priority', c.priority.toLowerCase())); }
+    if (c.sameSite) { parts.push(pair('samesite', c.sameSite.toLowerCase())); }
+    if (c.secure) { parts.push('secure'); }
+    if (c.httpOnly) { parts.push('httponly'); }
+    if (c.partitioned) { parts.push('partitioned'); }
+    return parts;
   }
 
-  #secure?: boolean;
   #grip?: keygrip;
   #cookies: Record<string, Cookie> = {};
-
-  constructor(input?: string | string[] | null | undefined | Cookie[] | CookieJar, options?: { keys?: string[], secure?: boolean }) {
-    this.#grip = options?.keys?.length ? new keygrip(options.keys) : undefined;
-    this.#secure = options?.secure ?? false;
-    if (input instanceof CookieJar) {
-      this.#cookies = { ...input.#cookies };
-    } else if (Array.isArray(input)) {
-      this.#import(input);
-    } else {
-      this.#import(input?.split(/\s{0,4},\s{0,4}/) ?? []);
-    }
+  #setOptions: CookieSetOptions = {};
+  #deleteOptions: CookieSetOptions = { maxAge: 0, expires: undefined };
+
+  constructor({ keys, ...options }: CookieJarOptions = {}) {
+    this.#grip = keys?.length ? new keygrip(keys) : undefined;
+    this.#setOptions = {
+      secure: false,
+      path: '/',
+      signed: !!keys?.length,
+      ...options,
+    };
   }
 
-  #checkSignature(c: Cookie): Cookie | undefined {
-    if (!this.#grip) { return; }
-    const key = pairText(c);
-    const sc = this.#cookies[`${c.name}.sig`];
-    if (!sc.value) { return; }
-
-    const index = this.#grip.index(key, sc.value);
-    c.signed = index >= 0;
-    sc.signed = false;
-    sc.secure = c.secure;
-
-    if (index >= 1) {
-      sc.value = this.#grip.sign(key);
-      sc.response = true;
-      return sc;
+  #exportCookie(cookie: Cookie, response?: boolean): string[] {
+    const suffix = response ? CookieJar.responseSuffix(cookie) : null;
+    const payload = pairText(cookie);
+    const out = suffix ? [[payload, ...suffix].join(';')] : [payload];
+    if (cookie.signed) {
+      const sigPair = pair(`${cookie.name}.sig`, this.#grip!.sign(payload));
+      out.push(suffix ? [sigPair, ...suffix].join(';') : sigPair);
     }
+    return out;
   }
 
-  #signCookie(c: Cookie): Cookie {
-    if (!this.#grip) {
-      throw new AppError('.keys required for signed cookies');
-    } else if (!this.#secure && c.secure) {
-      throw new AppError('Cannot send secure cookie over unencrypted connection');
+  import(cookies: Cookie[]): this {
+    const signatures: Record<string, string> = {};
+    for (const cookie of cookies) {
+      if (this.#setOptions.signed && cookie.name.endsWith('.sig')) {
+        signatures[cookie.name.replace(/[.]sig$/, '')] = cookie.value!;
+      } else {
+        this.#cookies[cookie.name] = { signed: false, ...cookie };
+      }
     }
-    return { ...c, name: `${c.name}.sig`, value: this.#grip.sign(pairText(c)) };
-  }
 
-  #import(inputs: (string | Cookie)[]): void {
-    const toCheck = [];
-    for (const input of inputs) {
-      const c = typeof input === 'string' ? CookieJar.fromHeaderValue(input) : input;
-      this.#cookies[c.name] = c;
-      if (this.#grip && !c.name.endsWith('.sig')) {
-        toCheck.push(c);
+    for (const [name, value] of Object.entries(signatures)) {
+      const cookie = this.#cookies[name];
+      if (!cookie) {
+        continue;
       }
-    }
-    for (const c of toCheck) {
-      const sc = this.#checkSignature(c);
-      if (sc) {
-        this.set(sc);
+      cookie.signed = true;
+
+      const computed = pairText(cookie);
+      const index = this.#grip!.index(computed, value);
+
+      if (index < 0) {
+        delete this.#cookies[name];
+      } else if (index >= 1) {
+        cookie.response = true;
       }
     }
+    return this;
+  }
+
+  has(name: string, opts: CookieGetOptions = {}): boolean {
+    const needSigned = opts.signed ?? this.#setOptions.signed;
+    return name in this.#cookies && this.#cookies[name].signed === needSigned;
   }
 
   get(name: string, opts: CookieGetOptions = {}): string | undefined {
-    const c = this.#cookies[name];
-    return (c?.signed || !(opts.signed ?? !!this.#grip)) ? c?.value : undefined;
+    if (this.has(name, opts)) {
+      return this.#cookies[name]?.value;
+    }
   }
 
-  set(c: Cookie): void {
-    this.#cookies[c.name] = c;
-    c.secure ??= this.#secure;
-    c.signed ??= !!this.#grip;
-    c.response = true;
+  set(cookie: Cookie): void {
+    const alias = this.#cookies[cookie.name] = {
+      ...this.#setOptions,
+      ...cookie,
+      response: true,
+      ...(cookie.value === null || cookie.value === undefined) ? this.#deleteOptions : {},
+    };
 
-    if (c.value === null || c.value === undefined) {
-      c.maxAge = -1;
-      c.expires = undefined;
+    if (!this.#setOptions.secure && alias.secure) {
+      throw new AppError('Cannot send secure cookie over unencrypted connection');
     }
 
-    if (c.signed) {
-      const sc = this.#signCookie(c);
-      this.#cookies[sc.name] = sc;
-      sc.response = true;
+    if (alias.signed && !this.#grip) {
+      throw new AppError('Signing keys required for signed cookies');
     }
-  }
 
-  export(response = true): string[] {
-    return this.getAll()
-      .filter(x => !response || x.response)
-      .map(c => CookieJar.toHeaderValue(c, response));
+    if (alias.maxAge !== undefined && !alias.expires) {
+      alias.expires = new Date(Date.now() + alias.maxAge);
+    }
   }
 
   getAll(): Cookie[] {
     return Object.values(this.#cookies);
   }
+
+  importCookieHeader(header: string | null | undefined): this {
+    return this.import(CookieJar.parseCookieHeader(header ?? ''));
+  }
+
+  importSetCookieHeader(headers: string[] | null | undefined): this {
+    return this.import(headers?.map(CookieJar.parseSetCookieHeader) ?? []);
+  }
+
+  exportCookieHeader(): string {
+    return this.getAll().flatMap(c => this.#exportCookie(c)).join('; ');
+  }
+
+  exportSetCookieHeader(): string[] {
+    return this.getAll()
+      .filter(x => x.response)
+      .flatMap(c => this.#exportCookie(c, true));
+  }
 }

package/support/transformer.web.ts

@@ -44,21 +44,26 @@ export class WebTransformer {
       // If non-regex
       if (arg && ts.isStringLiteral(arg)) {
         const literal = LiteralUtil.toLiteral(arg);
-        if (typeof literal !== 'string') {
-          throw new Error(`Unexpected literal type: ${literal}`);
-        }
-        // If param name matches path param, default to @Path
+        // If param name matches path param, default to @PathParam
         detectedParamType = new RegExp(`:${name}\\b`).test(literal) ? 'PathParam' : 'QueryParam';
       } else {
         // Default to query for empty or regex endpoints
         detectedParamType = 'QueryParam';
       }
-    } else if (epDec.ident.getText() !== 'All') { // Treat all separate
+    } else {
       // Treat as schema, and see if endpoint supports a body for default behavior on untyped
       detectedParamType = epDec.targets?.includes('@travetto/web:HttpRequestBody') ? 'Body' : 'QueryParam';
       config.name = '';
     }
 
+    if (paramType.key === 'managed' && paramType.original) {
+      if (DocUtil.hasDocTag(paramType.original, 'web_contextual')) {
+        throw new Error(`${paramType.name} must be registered using @ContextParam`);
+      } else if (DocUtil.hasDocTag(paramType.original, 'web_invalid_parameter')) {
+        throw new Error(`${paramType.name} is an invalid endpoint parameter`);
+      }
+    }
+
     node = SchemaTransformUtil.computeField(state, node, config);
 
     const modifiers = (node.modifiers ?? []).filter(x => x !== pDec);