@valbuild/server 0.60.16 → 0.60.17

package/dist/declarations/src/ValServer.d.ts

@@ -32,9 +32,9 @@ export declare abstract class ValServer implements IValServer {
         patch?: string;
         schema?: string;
         source?: string;
-    }, cookies: ValCookies<VAL_SESSION_COOKIE>): Promise<ValServerJsonResult<ApiTreeResponse>>;
-    postValidate(rawBody: unknown, cookies: ValCookies<VAL_SESSION_COOKIE>): Promise<ValServerJsonResult<ApiPostValidationResponse | ApiPostValidationErrorResponse>>;
-    postCommit(rawBody: unknown, cookies: ValCookies<VAL_SESSION_COOKIE>): Promise<ValServerJsonResult<ApiCommitResponse, ApiPostValidationErrorResponse>>;
+    }, cookies: ValCookies<VAL_SESSION_COOKIE>, requestHeaders: RequestHeaders): Promise<ValServerJsonResult<ApiTreeResponse>>;
+    postValidate(rawBody: unknown, cookies: ValCookies<VAL_SESSION_COOKIE>, requestHeaders: RequestHeaders): Promise<ValServerJsonResult<ApiPostValidationResponse | ApiPostValidationErrorResponse>>;
+    postCommit(rawBody: unknown, cookies: ValCookies<VAL_SESSION_COOKIE>, requestHeaders: RequestHeaders): Promise<ValServerJsonResult<ApiCommitResponse, ApiPostValidationErrorResponse>>;
     private applyAllPatchesThenValidate;
     private revalidateImageAndFileValidation;
     protected sortPatchIds(patchesByModule: Record<ModuleId, {
@@ -69,7 +69,7 @@ export declare abstract class ValServer implements IValServer {
     } | ValServerError>;
     abstract getFiles(filePath: string, query: {
         sha256?: string;
-    }, cookies: ValCookies<VAL_SESSION_COOKIE>): Promise<ValServerResult<never, ReadableStream<Uint8Array>>>;
+    }, cookies: ValCookies<VAL_SESSION_COOKIE>, requestHeaders: RequestHeaders): Promise<ValServerResult<never, ReadableStream<Uint8Array>> | ValServerRedirectResult<VAL_ENABLE_COOKIE_NAME>>;
     abstract session(cookies: ValCookies<VAL_SESSION_COOKIE>): Promise<ValServerJsonResult<ValSession>>;
     abstract authorize(query: {
         redirect_to?: string;
@@ -129,7 +129,7 @@ export interface IValServer {
         patch?: string;
         schema?: string;
         source?: string;
-    }, cookies: ValCookies<VAL_SESSION_COOKIE>): Promise<ValServerJsonResult<ApiTreeResponse>>;
+    }, cookies: ValCookies<VAL_SESSION_COOKIE>, requestHeaders: RequestHeaders): Promise<ValServerJsonResult<ApiTreeResponse>>;
     getPatches(query: {
         id?: string[];
     }, cookies: ValCookies<VAL_SESSION_COOKIE>): Promise<ValServerJsonResult<ApiGetPatchResponse>>;
@@ -137,11 +137,11 @@ export interface IValServer {
     deletePatches(query: {
         id?: string[];
     }, cookies: ValCookies<VAL_SESSION_COOKIE>): Promise<ValServerJsonResult<ApiDeletePatchResponse>>;
-    postValidate(body: unknown, cookies: ValCookies<VAL_SESSION_COOKIE>): Promise<ValServerJsonResult<ApiPostValidationResponse | ApiPostValidationErrorResponse>>;
-    postCommit(body: unknown, cookies: ValCookies<VAL_SESSION_COOKIE>): Promise<ValServerJsonResult<ApiCommitResponse, ApiPostValidationErrorResponse>>;
+    postValidate(body: unknown, cookies: ValCookies<VAL_SESSION_COOKIE>, requestHeaders: RequestHeaders): Promise<ValServerJsonResult<ApiPostValidationResponse | ApiPostValidationErrorResponse>>;
+    postCommit(body: unknown, cookies: ValCookies<VAL_SESSION_COOKIE>, requestHeaders: RequestHeaders): Promise<ValServerJsonResult<ApiCommitResponse, ApiPostValidationErrorResponse>>;
     getFiles(filePath: string, query: {
         sha256?: string;
-    }, cookies: ValCookies<VAL_SESSION_COOKIE>): Promise<ValServerResult<never, ReadableStream<Uint8Array>>>;
+    }, cookies: ValCookies<VAL_SESSION_COOKIE>, requestHeaders: RequestHeaders): Promise<ValServerResult<never, ReadableStream<Uint8Array>> | ValServerRedirectResult<VAL_ENABLE_COOKIE_NAME>>;
 }
 export declare function guessMimeTypeFromPath(filePath: string): string | null;
 export declare function isCachedPatchFileOp(op: Operation): op is {
@@ -152,3 +152,7 @@ export declare function isCachedPatchFileOp(op: Operation): op is {
         sha256: string;
     };
 };
+export type RequestHeaders = {
+    host?: string | null;
+    "x-forwarded-proto"?: string | null;
+};

package/dist/valbuild-server.cjs.dev.js

@@ -1032,7 +1032,7 @@ export const IS_DEV = false;
       }
       if (modulePath.startsWith("react/jsx-runtime")) {
         return {
-          value: "export const jsx = () => { throw Error(`Cannot use 'jsx' in this type of file`) }; export default new Proxy({}, { get() { return () => { throw new Error(`Cannot import 'react' in this file`) } } } ); export const jsxs = () => { throw Error(`Cannot use 'jsxs' in this type of file`) };"
+          value: "export const jsx = () => { throw Error(`Cannot use 'jsx' in this type of file`) }; export const Fragment = () => { throw Error(`Cannot use 'Fragment' in this type of file`) }; export default new Proxy({}, { get() { return () => { throw new Error(`Cannot import 'react' in this file`) } } } ); export const jsxs = () => { throw Error(`Cannot use 'jsxs' in this type of file`) };"
         };
       }
       if (modulePath.startsWith("react")) {
@@ -1419,7 +1419,7 @@ class ValServer {
   }
   async getTree(treePath,
   // TODO: use the params: patch, schema, source now we return everything, every time
-  query, cookies) {
+  query, cookies, requestHeaders) {
     const ensureRes = await this.ensureRemoteFSInitialized("getTree", cookies);
     if (fp.result.isErr(ensureRes)) {
       return ensureRes.error;
@@ -1445,7 +1445,7 @@ class ValServer {
       fileUpdates = res.value.fileUpdates;
     }
     const possiblyPatchedContent = await Promise.all(moduleIds.map(async moduleId => {
-      return this.applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, applyPatches, cookies);
+      return this.applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, applyPatches, cookies, requestHeaders);
     }));
     const modules = Object.fromEntries(possiblyPatchedContent.map(serializedModuleContent => {
       const module = {
@@ -1464,19 +1464,19 @@ class ValServer {
       json: apiTreeResponse
     };
   }
-  async postValidate(rawBody, cookies) {
+  async postValidate(rawBody, cookies, requestHeaders) {
     const ensureRes = await this.ensureRemoteFSInitialized("postValidate", cookies);
     if (fp.result.isErr(ensureRes)) {
       return ensureRes.error;
     }
-    return this.validateThenMaybeCommit(rawBody, false, cookies);
+    return this.validateThenMaybeCommit(rawBody, false, cookies, requestHeaders);
   }
-  async postCommit(rawBody, cookies) {
+  async postCommit(rawBody, cookies, requestHeaders) {
     const ensureRes = await this.ensureRemoteFSInitialized("postCommit", cookies);
     if (fp.result.isErr(ensureRes)) {
       return ensureRes.error;
     }
-    const res = await this.validateThenMaybeCommit(rawBody, true, cookies);
+    const res = await this.validateThenMaybeCommit(rawBody, true, cookies, requestHeaders);
     if (res.status === 200) {
       if (res.json.validationErrors) {
         return {
@@ -1499,7 +1499,7 @@ class ValServer {
 
   /* */
 
-  async applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, applyPatches, cookies) {
+  async applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, applyPatches, cookies, requestHeaders) {
     const serializedModuleContent = await this.getModule(moduleId);
     const schema = serializedModuleContent.schema;
     const maybeSource = serializedModuleContent.source;
@@ -1543,7 +1543,7 @@ class ValServer {
     }
     const validationErrors = core.deserializeSchema(schema).validate(moduleId, source);
     if (validationErrors) {
-      const revalidated = await this.revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies);
+      const revalidated = await this.revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies, requestHeaders);
       return {
         path: moduleId,
         schema,
@@ -1566,7 +1566,7 @@ class ValServer {
   // The reason is that validate will be called inside QuickJS (in the future, hopefully),
   // which does not have access to the filesystem, at least not at the time of writing this comment.
   // If you are reading this, and we still are not using QuickJS to validate, this assumption might be wrong.
-  async revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies) {
+  async revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies, requestHeaders) {
     const revalidatedValidationErrors = {};
     for (const pathStr in validationErrors) {
       const errorSourcePath = pathStr;
@@ -1588,7 +1588,7 @@ class ValServer {
               if (updatedFileMetadata) {
                 const fileRes = await this.getFiles(fileRef, {
                   sha256: updatedFileMetadata.sha256
-                }, cookies);
+                }, cookies, requestHeaders);
                 if (fileRes.status === 200 && fileRes.body) {
                   const res = new Response(fileRes.body);
                   fileBuffer = Buffer.from(await res.arrayBuffer());
@@ -1724,7 +1724,7 @@ class ValServer {
       });
     }
   }
-  async validateThenMaybeCommit(rawBody, commit, cookies) {
+  async validateThenMaybeCommit(rawBody, commit, cookies, requestHeaders) {
     const filterPatchesByModuleIdRes = z.z.object({
       patches: z.z.record(z.z.array(z.z.string())).optional()
     }).safeParse(rawBody);
@@ -1752,7 +1752,7 @@ class ValServer {
       const moduleId = moduleIdStr;
       const serializedModuleContent = await this.applyAllPatchesThenValidate(moduleId, filterPatchesByModuleIdRes.data.patches ||
       // TODO: refine to ModuleId and PatchId when parsing
-      patchIdsByModuleId, patchesById, fileUpdates, true, cookies);
+      patchIdsByModuleId, patchesById, fileUpdates, true, cookies, requestHeaders);
       if (serializedModuleContent.errors) {
         validationErrorsByModuleId[moduleId] = serializedModuleContent;
       }
@@ -2970,7 +2970,7 @@ class ProxyValServer extends ValServer {
       }
     });
   }
-  async getFiles(filePath, query, cookies) {
+  async getFiles(filePath, query, cookies, reqHeaders) {
     return withAuth(this.options.valSecret, cookies, "getFiles", async data => {
       const url = new URL(`/v1/files/${this.options.remote}${filePath}`, this.options.valContentUrl);
       if (typeof query.sha256 === "string") {
@@ -3002,41 +3002,19 @@ class ProxyValServer extends ValServer {
           };
         }
       } else {
-        const fileExists = this.remoteFS.fileExists(path__namespace["default"].join(this.cwd, filePath));
-        let buffer;
-        if (fileExists) {
-          buffer = await this.readStaticBinaryFile(path__namespace["default"].join(this.cwd, filePath));
-        }
-        if (!buffer) {
+        if (!(reqHeaders.host && reqHeaders["x-forwarded-proto"])) {
           return {
-            status: 404,
+            status: 500,
             json: {
-              message: "File not found"
+              message: "Missing host or x-forwarded-proto header"
             }
           };
         }
-        const mimeType = guessMimeTypeFromPath(filePath) || "application/octet-stream";
-        if (query.sha256) {
-          const sha256 = getSha256(mimeType, buffer);
-          if (sha256 === query.sha256) {
-            return {
-              status: 200,
-              headers: {
-                "Content-Type": mimeType,
-                "Content-Length": buffer.byteLength.toString(),
-                "Cache-Control": "public, max-age=31536000, immutable"
-              },
-              body: bufferToReadableStream(buffer)
-            };
-          }
-        }
+        const host = `${reqHeaders["x-forwarded-proto"]}://${reqHeaders["host"]}`;
+        const fileUrl = filePath.slice("/public".length);
         return {
-          status: 200,
-          headers: {
-            "Content-Type": mimeType,
-            "Content-Length": buffer.byteLength.toString()
-          },
-          body: bufferToReadableStream(buffer)
+          status: 302,
+          redirectTo: new URL(fileUrl, host).toString()
         };
       }
     });
@@ -3359,8 +3337,10 @@ function createValApiRouter(route, valServerPromise, convert) {
   return async req => {
     var _req$method;
     const valServer = await valServerPromise;
-    req.headers.get("content-type");
-    req.headers.get("Cookie");
+    const requestHeaders = {
+      host: req.headers.get("host"),
+      "x-forwarded-proto": req.headers.get("x-forwarded-proto")
+    };
     const url = new URL(req.url);
     if (!url.pathname.startsWith(route)) {
       const error = {
@@ -3423,16 +3403,16 @@ function createValApiRouter(route, valServerPromise, convert) {
       }));
     } else if (method === "POST" && path === "/commit") {
       const body = await req.json();
-      return convert(await valServer.postCommit(body, getCookies(req, [VAL_SESSION_COOKIE])));
+      return convert(await valServer.postCommit(body, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders));
     } else if (method === "POST" && path === "/validate") {
       const body = await req.json();
-      return convert(await valServer.postValidate(body, getCookies(req, [VAL_SESSION_COOKIE])));
+      return convert(await valServer.postValidate(body, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders));
     } else if (method === "GET" && path.startsWith(TREE_PATH_PREFIX)) {
       return withTreePath(path, TREE_PATH_PREFIX)(async treePath => convert(await valServer.getTree(treePath, {
         patch: url.searchParams.get("patch") || undefined,
         schema: url.searchParams.get("schema") || undefined,
         source: url.searchParams.get("source") || undefined
-      }, getCookies(req, [VAL_SESSION_COOKIE]))));
+      }, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders)));
     } else if (method === "GET" && path.startsWith(PATCHES_PATH_PREFIX)) {
       return withTreePath(path, PATCHES_PATH_PREFIX)(async () => convert(await valServer.getPatches({
         id: url.searchParams.getAll("id")
@@ -3448,7 +3428,7 @@ function createValApiRouter(route, valServerPromise, convert) {
       const treePath = path.slice(FILES_PATH_PREFIX.length);
       return convert(await valServer.getFiles(treePath, {
         sha256: url.searchParams.get("sha256") || undefined
-      }, getCookies(req, [VAL_SESSION_COOKIE])));
+      }, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders));
     } else {
       return convert({
         status: 404,

package/dist/valbuild-server.cjs.prod.js

@@ -1032,7 +1032,7 @@ export const IS_DEV = false;
       }
       if (modulePath.startsWith("react/jsx-runtime")) {
         return {
-          value: "export const jsx = () => { throw Error(`Cannot use 'jsx' in this type of file`) }; export default new Proxy({}, { get() { return () => { throw new Error(`Cannot import 'react' in this file`) } } } ); export const jsxs = () => { throw Error(`Cannot use 'jsxs' in this type of file`) };"
+          value: "export const jsx = () => { throw Error(`Cannot use 'jsx' in this type of file`) }; export const Fragment = () => { throw Error(`Cannot use 'Fragment' in this type of file`) }; export default new Proxy({}, { get() { return () => { throw new Error(`Cannot import 'react' in this file`) } } } ); export const jsxs = () => { throw Error(`Cannot use 'jsxs' in this type of file`) };"
         };
       }
       if (modulePath.startsWith("react")) {
@@ -1419,7 +1419,7 @@ class ValServer {
   }
   async getTree(treePath,
   // TODO: use the params: patch, schema, source now we return everything, every time
-  query, cookies) {
+  query, cookies, requestHeaders) {
     const ensureRes = await this.ensureRemoteFSInitialized("getTree", cookies);
     if (fp.result.isErr(ensureRes)) {
       return ensureRes.error;
@@ -1445,7 +1445,7 @@ class ValServer {
       fileUpdates = res.value.fileUpdates;
     }
     const possiblyPatchedContent = await Promise.all(moduleIds.map(async moduleId => {
-      return this.applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, applyPatches, cookies);
+      return this.applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, applyPatches, cookies, requestHeaders);
     }));
     const modules = Object.fromEntries(possiblyPatchedContent.map(serializedModuleContent => {
       const module = {
@@ -1464,19 +1464,19 @@ class ValServer {
       json: apiTreeResponse
     };
   }
-  async postValidate(rawBody, cookies) {
+  async postValidate(rawBody, cookies, requestHeaders) {
     const ensureRes = await this.ensureRemoteFSInitialized("postValidate", cookies);
     if (fp.result.isErr(ensureRes)) {
       return ensureRes.error;
     }
-    return this.validateThenMaybeCommit(rawBody, false, cookies);
+    return this.validateThenMaybeCommit(rawBody, false, cookies, requestHeaders);
   }
-  async postCommit(rawBody, cookies) {
+  async postCommit(rawBody, cookies, requestHeaders) {
     const ensureRes = await this.ensureRemoteFSInitialized("postCommit", cookies);
     if (fp.result.isErr(ensureRes)) {
       return ensureRes.error;
     }
-    const res = await this.validateThenMaybeCommit(rawBody, true, cookies);
+    const res = await this.validateThenMaybeCommit(rawBody, true, cookies, requestHeaders);
     if (res.status === 200) {
       if (res.json.validationErrors) {
         return {
@@ -1499,7 +1499,7 @@ class ValServer {
 
   /* */
 
-  async applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, applyPatches, cookies) {
+  async applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, applyPatches, cookies, requestHeaders) {
     const serializedModuleContent = await this.getModule(moduleId);
     const schema = serializedModuleContent.schema;
     const maybeSource = serializedModuleContent.source;
@@ -1543,7 +1543,7 @@ class ValServer {
     }
     const validationErrors = core.deserializeSchema(schema).validate(moduleId, source);
     if (validationErrors) {
-      const revalidated = await this.revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies);
+      const revalidated = await this.revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies, requestHeaders);
       return {
         path: moduleId,
         schema,
@@ -1566,7 +1566,7 @@ class ValServer {
   // The reason is that validate will be called inside QuickJS (in the future, hopefully),
   // which does not have access to the filesystem, at least not at the time of writing this comment.
   // If you are reading this, and we still are not using QuickJS to validate, this assumption might be wrong.
-  async revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies) {
+  async revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies, requestHeaders) {
     const revalidatedValidationErrors = {};
     for (const pathStr in validationErrors) {
       const errorSourcePath = pathStr;
@@ -1588,7 +1588,7 @@ class ValServer {
               if (updatedFileMetadata) {
                 const fileRes = await this.getFiles(fileRef, {
                   sha256: updatedFileMetadata.sha256
-                }, cookies);
+                }, cookies, requestHeaders);
                 if (fileRes.status === 200 && fileRes.body) {
                   const res = new Response(fileRes.body);
                   fileBuffer = Buffer.from(await res.arrayBuffer());
@@ -1724,7 +1724,7 @@ class ValServer {
       });
     }
   }
-  async validateThenMaybeCommit(rawBody, commit, cookies) {
+  async validateThenMaybeCommit(rawBody, commit, cookies, requestHeaders) {
     const filterPatchesByModuleIdRes = z.z.object({
       patches: z.z.record(z.z.array(z.z.string())).optional()
     }).safeParse(rawBody);
@@ -1752,7 +1752,7 @@ class ValServer {
       const moduleId = moduleIdStr;
       const serializedModuleContent = await this.applyAllPatchesThenValidate(moduleId, filterPatchesByModuleIdRes.data.patches ||
       // TODO: refine to ModuleId and PatchId when parsing
-      patchIdsByModuleId, patchesById, fileUpdates, true, cookies);
+      patchIdsByModuleId, patchesById, fileUpdates, true, cookies, requestHeaders);
       if (serializedModuleContent.errors) {
         validationErrorsByModuleId[moduleId] = serializedModuleContent;
       }
@@ -2970,7 +2970,7 @@ class ProxyValServer extends ValServer {
       }
     });
   }
-  async getFiles(filePath, query, cookies) {
+  async getFiles(filePath, query, cookies, reqHeaders) {
     return withAuth(this.options.valSecret, cookies, "getFiles", async data => {
       const url = new URL(`/v1/files/${this.options.remote}${filePath}`, this.options.valContentUrl);
       if (typeof query.sha256 === "string") {
@@ -3002,41 +3002,19 @@ class ProxyValServer extends ValServer {
           };
         }
       } else {
-        const fileExists = this.remoteFS.fileExists(path__namespace["default"].join(this.cwd, filePath));
-        let buffer;
-        if (fileExists) {
-          buffer = await this.readStaticBinaryFile(path__namespace["default"].join(this.cwd, filePath));
-        }
-        if (!buffer) {
+        if (!(reqHeaders.host && reqHeaders["x-forwarded-proto"])) {
           return {
-            status: 404,
+            status: 500,
             json: {
-              message: "File not found"
+              message: "Missing host or x-forwarded-proto header"
             }
           };
         }
-        const mimeType = guessMimeTypeFromPath(filePath) || "application/octet-stream";
-        if (query.sha256) {
-          const sha256 = getSha256(mimeType, buffer);
-          if (sha256 === query.sha256) {
-            return {
-              status: 200,
-              headers: {
-                "Content-Type": mimeType,
-                "Content-Length": buffer.byteLength.toString(),
-                "Cache-Control": "public, max-age=31536000, immutable"
-              },
-              body: bufferToReadableStream(buffer)
-            };
-          }
-        }
+        const host = `${reqHeaders["x-forwarded-proto"]}://${reqHeaders["host"]}`;
+        const fileUrl = filePath.slice("/public".length);
         return {
-          status: 200,
-          headers: {
-            "Content-Type": mimeType,
-            "Content-Length": buffer.byteLength.toString()
-          },
-          body: bufferToReadableStream(buffer)
+          status: 302,
+          redirectTo: new URL(fileUrl, host).toString()
         };
       }
     });
@@ -3359,8 +3337,10 @@ function createValApiRouter(route, valServerPromise, convert) {
   return async req => {
     var _req$method;
     const valServer = await valServerPromise;
-    req.headers.get("content-type");
-    req.headers.get("Cookie");
+    const requestHeaders = {
+      host: req.headers.get("host"),
+      "x-forwarded-proto": req.headers.get("x-forwarded-proto")
+    };
     const url = new URL(req.url);
     if (!url.pathname.startsWith(route)) {
       const error = {
@@ -3423,16 +3403,16 @@ function createValApiRouter(route, valServerPromise, convert) {
       }));
     } else if (method === "POST" && path === "/commit") {
       const body = await req.json();
-      return convert(await valServer.postCommit(body, getCookies(req, [VAL_SESSION_COOKIE])));
+      return convert(await valServer.postCommit(body, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders));
     } else if (method === "POST" && path === "/validate") {
       const body = await req.json();
-      return convert(await valServer.postValidate(body, getCookies(req, [VAL_SESSION_COOKIE])));
+      return convert(await valServer.postValidate(body, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders));
     } else if (method === "GET" && path.startsWith(TREE_PATH_PREFIX)) {
       return withTreePath(path, TREE_PATH_PREFIX)(async treePath => convert(await valServer.getTree(treePath, {
         patch: url.searchParams.get("patch") || undefined,
         schema: url.searchParams.get("schema") || undefined,
         source: url.searchParams.get("source") || undefined
-      }, getCookies(req, [VAL_SESSION_COOKIE]))));
+      }, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders)));
     } else if (method === "GET" && path.startsWith(PATCHES_PATH_PREFIX)) {
       return withTreePath(path, PATCHES_PATH_PREFIX)(async () => convert(await valServer.getPatches({
         id: url.searchParams.getAll("id")
@@ -3448,7 +3428,7 @@ function createValApiRouter(route, valServerPromise, convert) {
       const treePath = path.slice(FILES_PATH_PREFIX.length);
       return convert(await valServer.getFiles(treePath, {
         sha256: url.searchParams.get("sha256") || undefined
-      }, getCookies(req, [VAL_SESSION_COOKIE])));
+      }, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders));
     } else {
       return convert({
         status: 404,

package/dist/valbuild-server.esm.js

@@ -1001,7 +1001,7 @@ export const IS_DEV = false;
       }
       if (modulePath.startsWith("react/jsx-runtime")) {
         return {
-          value: "export const jsx = () => { throw Error(`Cannot use 'jsx' in this type of file`) }; export default new Proxy({}, { get() { return () => { throw new Error(`Cannot import 'react' in this file`) } } } ); export const jsxs = () => { throw Error(`Cannot use 'jsxs' in this type of file`) };"
+          value: "export const jsx = () => { throw Error(`Cannot use 'jsx' in this type of file`) }; export const Fragment = () => { throw Error(`Cannot use 'Fragment' in this type of file`) }; export default new Proxy({}, { get() { return () => { throw new Error(`Cannot import 'react' in this file`) } } } ); export const jsxs = () => { throw Error(`Cannot use 'jsxs' in this type of file`) };"
         };
       }
       if (modulePath.startsWith("react")) {
@@ -1388,7 +1388,7 @@ class ValServer {
   }
   async getTree(treePath,
   // TODO: use the params: patch, schema, source now we return everything, every time
-  query, cookies) {
+  query, cookies, requestHeaders) {
     const ensureRes = await this.ensureRemoteFSInitialized("getTree", cookies);
     if (result.isErr(ensureRes)) {
       return ensureRes.error;
@@ -1414,7 +1414,7 @@ class ValServer {
       fileUpdates = res.value.fileUpdates;
     }
     const possiblyPatchedContent = await Promise.all(moduleIds.map(async moduleId => {
-      return this.applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, applyPatches, cookies);
+      return this.applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, applyPatches, cookies, requestHeaders);
     }));
     const modules = Object.fromEntries(possiblyPatchedContent.map(serializedModuleContent => {
       const module = {
@@ -1433,19 +1433,19 @@ class ValServer {
       json: apiTreeResponse
     };
   }
-  async postValidate(rawBody, cookies) {
+  async postValidate(rawBody, cookies, requestHeaders) {
     const ensureRes = await this.ensureRemoteFSInitialized("postValidate", cookies);
     if (result.isErr(ensureRes)) {
       return ensureRes.error;
     }
-    return this.validateThenMaybeCommit(rawBody, false, cookies);
+    return this.validateThenMaybeCommit(rawBody, false, cookies, requestHeaders);
   }
-  async postCommit(rawBody, cookies) {
+  async postCommit(rawBody, cookies, requestHeaders) {
     const ensureRes = await this.ensureRemoteFSInitialized("postCommit", cookies);
     if (result.isErr(ensureRes)) {
       return ensureRes.error;
     }
-    const res = await this.validateThenMaybeCommit(rawBody, true, cookies);
+    const res = await this.validateThenMaybeCommit(rawBody, true, cookies, requestHeaders);
     if (res.status === 200) {
       if (res.json.validationErrors) {
         return {
@@ -1468,7 +1468,7 @@ class ValServer {
 
   /* */
 
-  async applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, applyPatches, cookies) {
+  async applyAllPatchesThenValidate(moduleId, patchIdsByModuleId, patchesById, fileUpdates, applyPatches, cookies, requestHeaders) {
     const serializedModuleContent = await this.getModule(moduleId);
     const schema = serializedModuleContent.schema;
     const maybeSource = serializedModuleContent.source;
@@ -1512,7 +1512,7 @@ class ValServer {
     }
     const validationErrors = deserializeSchema(schema).validate(moduleId, source);
     if (validationErrors) {
-      const revalidated = await this.revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies);
+      const revalidated = await this.revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies, requestHeaders);
       return {
         path: moduleId,
         schema,
@@ -1535,7 +1535,7 @@ class ValServer {
   // The reason is that validate will be called inside QuickJS (in the future, hopefully),
   // which does not have access to the filesystem, at least not at the time of writing this comment.
   // If you are reading this, and we still are not using QuickJS to validate, this assumption might be wrong.
-  async revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies) {
+  async revalidateImageAndFileValidation(validationErrors, fileUpdates, cookies, requestHeaders) {
     const revalidatedValidationErrors = {};
     for (const pathStr in validationErrors) {
       const errorSourcePath = pathStr;
@@ -1557,7 +1557,7 @@ class ValServer {
               if (updatedFileMetadata) {
                 const fileRes = await this.getFiles(fileRef, {
                   sha256: updatedFileMetadata.sha256
-                }, cookies);
+                }, cookies, requestHeaders);
                 if (fileRes.status === 200 && fileRes.body) {
                   const res = new Response(fileRes.body);
                   fileBuffer = Buffer.from(await res.arrayBuffer());
@@ -1693,7 +1693,7 @@ class ValServer {
       });
     }
   }
-  async validateThenMaybeCommit(rawBody, commit, cookies) {
+  async validateThenMaybeCommit(rawBody, commit, cookies, requestHeaders) {
     const filterPatchesByModuleIdRes = z$1.object({
       patches: z$1.record(z$1.array(z$1.string())).optional()
     }).safeParse(rawBody);
@@ -1721,7 +1721,7 @@ class ValServer {
       const moduleId = moduleIdStr;
       const serializedModuleContent = await this.applyAllPatchesThenValidate(moduleId, filterPatchesByModuleIdRes.data.patches ||
       // TODO: refine to ModuleId and PatchId when parsing
-      patchIdsByModuleId, patchesById, fileUpdates, true, cookies);
+      patchIdsByModuleId, patchesById, fileUpdates, true, cookies, requestHeaders);
       if (serializedModuleContent.errors) {
         validationErrorsByModuleId[moduleId] = serializedModuleContent;
       }
@@ -2939,7 +2939,7 @@ class ProxyValServer extends ValServer {
       }
     });
   }
-  async getFiles(filePath, query, cookies) {
+  async getFiles(filePath, query, cookies, reqHeaders) {
     return withAuth(this.options.valSecret, cookies, "getFiles", async data => {
       const url = new URL(`/v1/files/${this.options.remote}${filePath}`, this.options.valContentUrl);
       if (typeof query.sha256 === "string") {
@@ -2971,41 +2971,19 @@ class ProxyValServer extends ValServer {
           };
         }
       } else {
-        const fileExists = this.remoteFS.fileExists(path__default.join(this.cwd, filePath));
-        let buffer;
-        if (fileExists) {
-          buffer = await this.readStaticBinaryFile(path__default.join(this.cwd, filePath));
-        }
-        if (!buffer) {
+        if (!(reqHeaders.host && reqHeaders["x-forwarded-proto"])) {
           return {
-            status: 404,
+            status: 500,
             json: {
-              message: "File not found"
+              message: "Missing host or x-forwarded-proto header"
             }
           };
         }
-        const mimeType = guessMimeTypeFromPath(filePath) || "application/octet-stream";
-        if (query.sha256) {
-          const sha256 = getSha256(mimeType, buffer);
-          if (sha256 === query.sha256) {
-            return {
-              status: 200,
-              headers: {
-                "Content-Type": mimeType,
-                "Content-Length": buffer.byteLength.toString(),
-                "Cache-Control": "public, max-age=31536000, immutable"
-              },
-              body: bufferToReadableStream(buffer)
-            };
-          }
-        }
+        const host = `${reqHeaders["x-forwarded-proto"]}://${reqHeaders["host"]}`;
+        const fileUrl = filePath.slice("/public".length);
         return {
-          status: 200,
-          headers: {
-            "Content-Type": mimeType,
-            "Content-Length": buffer.byteLength.toString()
-          },
-          body: bufferToReadableStream(buffer)
+          status: 302,
+          redirectTo: new URL(fileUrl, host).toString()
         };
       }
     });
@@ -3328,8 +3306,10 @@ function createValApiRouter(route, valServerPromise, convert) {
   return async req => {
     var _req$method;
     const valServer = await valServerPromise;
-    req.headers.get("content-type");
-    req.headers.get("Cookie");
+    const requestHeaders = {
+      host: req.headers.get("host"),
+      "x-forwarded-proto": req.headers.get("x-forwarded-proto")
+    };
     const url = new URL(req.url);
     if (!url.pathname.startsWith(route)) {
       const error = {
@@ -3392,16 +3372,16 @@ function createValApiRouter(route, valServerPromise, convert) {
       }));
     } else if (method === "POST" && path === "/commit") {
       const body = await req.json();
-      return convert(await valServer.postCommit(body, getCookies(req, [VAL_SESSION_COOKIE])));
+      return convert(await valServer.postCommit(body, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders));
     } else if (method === "POST" && path === "/validate") {
       const body = await req.json();
-      return convert(await valServer.postValidate(body, getCookies(req, [VAL_SESSION_COOKIE])));
+      return convert(await valServer.postValidate(body, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders));
     } else if (method === "GET" && path.startsWith(TREE_PATH_PREFIX)) {
       return withTreePath(path, TREE_PATH_PREFIX)(async treePath => convert(await valServer.getTree(treePath, {
         patch: url.searchParams.get("patch") || undefined,
         schema: url.searchParams.get("schema") || undefined,
         source: url.searchParams.get("source") || undefined
-      }, getCookies(req, [VAL_SESSION_COOKIE]))));
+      }, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders)));
     } else if (method === "GET" && path.startsWith(PATCHES_PATH_PREFIX)) {
       return withTreePath(path, PATCHES_PATH_PREFIX)(async () => convert(await valServer.getPatches({
         id: url.searchParams.getAll("id")
@@ -3417,7 +3397,7 @@ function createValApiRouter(route, valServerPromise, convert) {
       const treePath = path.slice(FILES_PATH_PREFIX.length);
       return convert(await valServer.getFiles(treePath, {
         sha256: url.searchParams.get("sha256") || undefined
-      }, getCookies(req, [VAL_SESSION_COOKIE])));
+      }, getCookies(req, [VAL_SESSION_COOKIE]), requestHeaders));
     } else {
       return convert({
         status: 404,

package/package.json

@@ -12,7 +12,7 @@
     "./package.json": "./package.json"
   },
   "types": "dist/valbuild-server.cjs.d.ts",
-  "version": "0.60.16",
+  "version": "0.60.17",
   "scripts": {
     "typecheck": "tsc --noEmit",
     "test": "jest",
@@ -24,9 +24,9 @@
     "concurrently": "^7.6.0"
   },
   "dependencies": {
-    "@valbuild/core": "~0.60.16",
-    "@valbuild/shared": "~0.60.16",
-    "@valbuild/ui": "~0.60.16",
+    "@valbuild/core": "~0.60.17",
+    "@valbuild/shared": "~0.60.17",
+    "@valbuild/ui": "~0.60.17",
     "express": "^4.18.2",
     "image-size": "^1.0.2",
     "minimatch": "^3.0.4",