@webjsdev/server 0.7.3 → 0.8.1

package/src/component-scanner.js

@@ -2,7 +2,7 @@
  * Server-side scanner that walks the app tree and records the
  * browser-visible URL for every webjs component module.
  *
- * Called once at server boot. Results are used to prime the core
+ * Called once on the first request (lazily, via `ensureReady`), then memoized. Results are used to prime the core
  * registry (`primeModuleUrl`) BEFORE any SSR render: so when a page
  * renders a component tag, `lookupModuleUrl(tag)` already has the URL
  * ready for `<link rel="modulepreload">` hints.
@@ -18,11 +18,24 @@
  * we only need `{ tag, className, moduleUrl }` tuples.
  */
 
-import { readFile } from 'node:fs/promises';
+import { readFile, stat } from 'node:fs/promises';
 import { sep } from 'node:path';
 import { walk } from './fs-walk.js';
 import { primeModuleUrl } from '@webjsdev/core';
 
+/**
+ * mtime-keyed cache of extracted components per file, so a rebuild re-reads
+ * only files that changed (an unchanged file reuses its cached component list
+ * after a single `stat`). Makes the component scan incremental for large apps.
+ * Keyed by mtime AND size (a same-tick length-changing edit is caught even on
+ * coarse-mtime filesystems).
+ * @type {Map<string, { mtimeMs: number, size: number, comps: Array<{ tag: string, className: string }> }>}
+ */
+const SCAN_CACHE = new Map();
+
+/** Introspection for tests/ops: is `file` currently in the scan cache? */
+export function _scanCacheHas(file) { return SCAN_CACHE.has(file); }
+
 /**
  * Recognise either registration pattern:
  *
@@ -70,21 +83,39 @@ export function extractComponents(src) {
 export async function scanComponents(appDir) {
   /** @type {Array<{ tag: string, className: string, moduleUrl: string, file: string }>} */
   const components = [];
+  /** @type {Set<string>} live component files this scan, for cache eviction */
+  const seen = new Set();
   const filter = (p) =>
     /\.m?[jt]sx?$/.test(p) &&
     !/\.(test|spec)\.m?[jt]sx?$/.test(p) &&
     !/\.server\.m?[jt]s$/.test(p);
 
   for await (const file of walk(appDir, filter)) {
-    let src;
-    try { src = await readFile(file, 'utf8'); } catch { continue; }
-    const comps = extractComponents(src);
+    let mtimeMs, size;
+    try { const st = await stat(file); mtimeMs = st.mtimeMs; size = st.size; } catch { continue; }
+    seen.add(file); // mark live (hit and miss) for cache eviction
+    let comps;
+    const cached = SCAN_CACHE.get(file);
+    if (cached && cached.mtimeMs === mtimeMs && cached.size === size) {
+      comps = cached.comps;
+    } else {
+      let src;
+      try { src = await readFile(file, 'utf8'); } catch { continue; }
+      comps = extractComponents(src);
+      SCAN_CACHE.set(file, { mtimeMs, size, comps });
+    }
     if (!comps.length) continue;
     const moduleUrl = toUrlPath(file, appDir);
     for (const c of comps) {
       components.push({ ...c, moduleUrl, file });
     }
   }
+  // Evict scan-cache entries for files no longer walked (renamed/deleted),
+  // scoped to this app so a multi-app process keeps other apps' entries.
+  const prefix = appDir.endsWith(sep) ? appDir : appDir + sep;
+  for (const key of SCAN_CACHE.keys()) {
+    if ((key === appDir || key.startsWith(prefix)) && !seen.has(key)) SCAN_CACHE.delete(key);
+  }
   return components;
 }
 
@@ -94,11 +125,17 @@ export async function scanComponents(appDir) {
  * again (e.g. on dev-server rebuild after a file add), new discoveries
  * are added and existing tags are updated.
  *
+ * Pass `components` if you already have the scanned list (e.g. the
+ * dev server scans once and reuses for both the registry and the
+ * source-serving authorisation gate). Omitting it triggers a fresh
+ * scan, matching the original single-arg signature.
+ *
  * @param {string} appDir
+ * @param {Awaited<ReturnType<typeof scanComponents>>} [components]
  * @returns {Promise<{ count: number }>}
  */
-export async function primeComponentRegistry(appDir) {
-  const components = await scanComponents(appDir);
+export async function primeComponentRegistry(appDir, components) {
+  components = components ?? await scanComponents(appDir);
   for (const { tag, moduleUrl } of components) {
     primeModuleUrl(tag, moduleUrl);
   }

package/src/context.js

@@ -1,5 +1,6 @@
 import { AsyncLocalStorage } from 'node:async_hooks';
 import { parseCookies } from './csrf.js';
+import { setCspNonceProvider, cspNonce } from '@webjsdev/core';
 
 /**
  * Per-request context backed by AsyncLocalStorage. Lets server-side code
@@ -31,6 +32,41 @@ export function getRequest() {
   return als.getStore()?.req ?? null;
 }
 
+/**
+ * Server-only implementation of the CSP nonce reader: pulls the
+ * current request from AsyncLocalStorage, parses the
+ * `script-src 'nonce-...'` value from its CSP header, returns ''
+ * when none in scope.
+ *
+ * The public `cspNonce()` function lives in `@webjsdev/core` so user
+ * layouts / pages can import it without dragging server-only deps
+ * (node:async_hooks etc.) into browser-loaded modules. The actual
+ * implementation is wired here, server-side only, via
+ * `setCspNonceProvider`. On the browser there is no provider, so
+ * `cspNonce()` returns '' (empty `nonce=""` attribute, browser
+ * ignores it).
+ */
+// The regex captures the first `nonce-...` token anywhere in the CSP
+// header. Webjs uses a single per-request nonce shared across all
+// directives that emit it (the standard CSP3 single-nonce model),
+// so reading the first match is correct. If a future caller emits
+// styled inline content under a separate style nonce, this reader
+// would need to become directive-scoped. Kept identical to the
+// matching helper in ssr.js so both paths interpret the header the
+// same way.
+setCspNonceProvider(() => {
+  const req = als.getStore()?.req;
+  if (!req) return '';
+  const csp = req.headers.get('content-security-policy') || '';
+  const match = /\bnonce-([A-Za-z0-9+/=]+)/.exec(csp);
+  return match ? match[1] : '';
+});
+
+// Re-export for backwards-compat: callers that imported cspNonce from
+// @webjsdev/server still work. New code should import from
+// @webjsdev/core for browser-isomorphism.
+export { cspNonce };
+
 /**
  * Read-only headers for the in-flight request. Throws outside a request
  * (e.g. at module top-level).

package/src/crypto-utils.js

@@ -0,0 +1,65 @@
+/**
+ * Web-Crypto-based hash helpers. Shared by the SSR / vendor / actions
+ * paths that previously used `node:crypto.createHash`. The Web Crypto
+ * API replaces the synchronous Node-only API with a Promise-returning
+ * one; the trade-off is portability across Node, Deno, Bun, and edge
+ * runtimes.
+ *
+ * @module crypto-utils
+ */
+
+const enc = new TextEncoder();
+
+/**
+ * @param {ArrayBuffer | Uint8Array} buf
+ * @returns {string}
+ */
+function bufToHex(buf) {
+  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
+  let hex = '';
+  for (const b of bytes) hex += b.toString(16).padStart(2, '0');
+  return hex;
+}
+
+/**
+ * @param {ArrayBuffer | Uint8Array} buf
+ * @returns {string}
+ */
+function bufToBase64(buf) {
+  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
+  let s = '';
+  for (const b of bytes) s += String.fromCharCode(b);
+  return btoa(s);
+}
+
+/**
+ * @param {string | ArrayBufferView | ArrayBuffer} data
+ * @returns {Uint8Array}
+ */
+function toBytes(data) {
+  if (typeof data === 'string') return enc.encode(data);
+  if (data instanceof ArrayBuffer) return new Uint8Array(data);
+  return new Uint8Array(data.buffer, data.byteOffset, data.byteLength);
+}
+
+/**
+ * Compute a hex-encoded digest of `data` under `algo`.
+ *
+ * @param {'SHA-1' | 'SHA-256' | 'SHA-384' | 'SHA-512'} algo
+ * @param {string | ArrayBufferView | ArrayBuffer} data
+ * @returns {Promise<string>}  full hex string (no truncation)
+ */
+export async function digestHex(algo, data) {
+  return bufToHex(await crypto.subtle.digest(algo, toBytes(data)));
+}
+
+/**
+ * Compute a base64-encoded digest of `data` under `algo`.
+ *
+ * @param {'SHA-1' | 'SHA-256' | 'SHA-384' | 'SHA-512'} algo
+ * @param {string | ArrayBufferView | ArrayBuffer} data
+ * @returns {Promise<string>}
+ */
+export async function digestBase64(algo, data) {
+  return bufToBase64(await crypto.subtle.digest(algo, toBytes(data)));
+}