@webjsdev/server 0.7.3 → 0.8.0

package/src/component-scanner.js

@@ -94,11 +94,17 @@ export async function scanComponents(appDir) {
  * again (e.g. on dev-server rebuild after a file add), new discoveries
  * are added and existing tags are updated.
  *
+ * Pass `components` if you already have the scanned list (e.g. the
+ * dev server scans once and reuses for both the registry and the
+ * source-serving authorisation gate). Omitting it triggers a fresh
+ * scan, matching the original single-arg signature.
+ *
  * @param {string} appDir
+ * @param {Awaited<ReturnType<typeof scanComponents>>} [components]
  * @returns {Promise<{ count: number }>}
  */
-export async function primeComponentRegistry(appDir) {
-  const components = await scanComponents(appDir);
+export async function primeComponentRegistry(appDir, components) {
+  components = components ?? await scanComponents(appDir);
   for (const { tag, moduleUrl } of components) {
     primeModuleUrl(tag, moduleUrl);
   }

package/src/context.js

@@ -1,5 +1,6 @@
 import { AsyncLocalStorage } from 'node:async_hooks';
 import { parseCookies } from './csrf.js';
+import { setCspNonceProvider, cspNonce } from '@webjsdev/core';
 
 /**
  * Per-request context backed by AsyncLocalStorage. Lets server-side code
@@ -31,6 +32,41 @@ export function getRequest() {
   return als.getStore()?.req ?? null;
 }
 
+/**
+ * Server-only implementation of the CSP nonce reader: pulls the
+ * current request from AsyncLocalStorage, parses the
+ * `script-src 'nonce-...'` value from its CSP header, returns ''
+ * when none in scope.
+ *
+ * The public `cspNonce()` function lives in `@webjsdev/core` so user
+ * layouts / pages can import it without dragging server-only deps
+ * (node:async_hooks etc.) into browser-loaded modules. The actual
+ * implementation is wired here, server-side only, via
+ * `setCspNonceProvider`. On the browser there is no provider, so
+ * `cspNonce()` returns '' (empty `nonce=""` attribute, browser
+ * ignores it).
+ */
+// The regex captures the first `nonce-...` token anywhere in the CSP
+// header. Webjs uses a single per-request nonce shared across all
+// directives that emit it (the standard CSP3 single-nonce model),
+// so reading the first match is correct. If a future caller emits
+// styled inline content under a separate style nonce, this reader
+// would need to become directive-scoped. Kept identical to the
+// matching helper in ssr.js so both paths interpret the header the
+// same way.
+setCspNonceProvider(() => {
+  const req = als.getStore()?.req;
+  if (!req) return '';
+  const csp = req.headers.get('content-security-policy') || '';
+  const match = /\bnonce-([A-Za-z0-9+/=]+)/.exec(csp);
+  return match ? match[1] : '';
+});
+
+// Re-export for backwards-compat: callers that imported cspNonce from
+// @webjsdev/server still work. New code should import from
+// @webjsdev/core for browser-isomorphism.
+export { cspNonce };
+
 /**
  * Read-only headers for the in-flight request. Throws outside a request
  * (e.g. at module top-level).

package/src/crypto-utils.js

@@ -0,0 +1,65 @@
+/**
+ * Web-Crypto-based hash helpers. Shared by the SSR / vendor / actions
+ * paths that previously used `node:crypto.createHash`. The Web Crypto
+ * API replaces the synchronous Node-only API with a Promise-returning
+ * one; the trade-off is portability across Node, Deno, Bun, and edge
+ * runtimes.
+ *
+ * @module crypto-utils
+ */
+
+const enc = new TextEncoder();
+
+/**
+ * @param {ArrayBuffer | Uint8Array} buf
+ * @returns {string}
+ */
+function bufToHex(buf) {
+  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
+  let hex = '';
+  for (const b of bytes) hex += b.toString(16).padStart(2, '0');
+  return hex;
+}
+
+/**
+ * @param {ArrayBuffer | Uint8Array} buf
+ * @returns {string}
+ */
+function bufToBase64(buf) {
+  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
+  let s = '';
+  for (const b of bytes) s += String.fromCharCode(b);
+  return btoa(s);
+}
+
+/**
+ * @param {string | ArrayBufferView | ArrayBuffer} data
+ * @returns {Uint8Array}
+ */
+function toBytes(data) {
+  if (typeof data === 'string') return enc.encode(data);
+  if (data instanceof ArrayBuffer) return new Uint8Array(data);
+  return new Uint8Array(data.buffer, data.byteOffset, data.byteLength);
+}
+
+/**
+ * Compute a hex-encoded digest of `data` under `algo`.
+ *
+ * @param {'SHA-1' | 'SHA-256' | 'SHA-384' | 'SHA-512'} algo
+ * @param {string | ArrayBufferView | ArrayBuffer} data
+ * @returns {Promise<string>}  full hex string (no truncation)
+ */
+export async function digestHex(algo, data) {
+  return bufToHex(await crypto.subtle.digest(algo, toBytes(data)));
+}
+
+/**
+ * Compute a base64-encoded digest of `data` under `algo`.
+ *
+ * @param {'SHA-1' | 'SHA-256' | 'SHA-384' | 'SHA-512'} algo
+ * @param {string | ArrayBufferView | ArrayBuffer} data
+ * @returns {Promise<string>}
+ */
+export async function digestBase64(algo, data) {
+  return bufToBase64(await crypto.subtle.digest(algo, toBytes(data)));
+}