alabjs 0.2.5 → 0.3.0-alpha.1

package/src/server/cache.ts

@@ -28,7 +28,18 @@ interface CacheEntry {
 /** Sentinel value returned when a cache key has no valid entry. */
 const CACHE_MISS: unique symbol = Symbol("alab:cache_miss");
 
-/** Global in-process LRU-style cache. Shared across all server function calls. */
+/**
+ * Global in-process LRU cache. Shared across all server function calls.
+ *
+ * Max size is capped to prevent unbounded memory growth in long-running servers.
+ * When the cap is reached, the oldest entry (by insertion order) is evicted.
+ *
+ * ⚠️  Multi-tenant note: this cache is process-wide and shared across all
+ * requests. In multi-tenant deployments, cache keys MUST include a tenant
+ * identifier (e.g. `tenant:${tenantId}:posts`) to prevent data leakage
+ * between tenants.
+ */
+const _STORE_MAX = 2048;
 const _store = new Map<string, CacheEntry>();
 
 export { CACHE_MISS };
@@ -41,6 +52,9 @@ export function getCached(key: string): unknown | typeof CACHE_MISS {
     _store.delete(key);
     return CACHE_MISS;
   }
+  // Move to end (LRU: mark as recently used)
+  _store.delete(key);
+  _store.set(key, entry);
   return entry.data;
 }
 
@@ -50,6 +64,10 @@ export function setCache(
   data: unknown,
   opts: { ttl: number; tags?: string[] },
 ): void {
+  // Evict oldest entry when at capacity
+  if (_store.size >= _STORE_MAX && !_store.has(key)) {
+    _store.delete(_store.keys().next().value!);
+  }
   _store.set(key, {
     data,
     expires: Date.now() + opts.ttl * 1_000,
@@ -87,12 +105,15 @@ export function invalidateCacheKey(key: string): void {
 interface PageCacheEntry {
   html: string;
   expires: number;
+  /** Original TTL in seconds — used to compute the stale-while-revalidate window. */
+  ttl: number;
   /** Whether a background revalidation is already in flight. */
   revalidating: boolean;
   /** Tags for on-demand invalidation via `revalidateTag`. */
   tags: string[];
 }
 
+const _PAGE_STORE_MAX = 1024;
 const _pageStore = new Map<string, PageCacheEntry>();
 
 /**
@@ -106,8 +127,8 @@ export function getCachedPage(pathname: string): { html: string; stale: boolean
   // Still fresh
   if (now <= entry.expires) return { html: entry.html, stale: false };
   // Stale-while-revalidate: serve stale for up to 2× TTL, trigger background regen
-  const ttl = entry.expires - (entry.expires - now); // rough TTL from stored data
-  if (now <= entry.expires + Math.max(ttl * 2, 60_000)) {
+  const swrWindow = Math.max(entry.ttl * 2 * 1_000, 60_000);
+  if (now <= entry.expires + swrWindow) {
     return { html: entry.html, stale: true };
   }
   _pageStore.delete(pathname);
@@ -116,7 +137,10 @@ export function getCachedPage(pathname: string): { html: string; stale: boolean
 
 /** Store a rendered HTML page with a TTL (seconds). */
 export function setCachedPage(pathname: string, html: string, ttl: number, tags: string[] = []): void {
-  _pageStore.set(pathname, { html, expires: Date.now() + ttl * 1_000, revalidating: false, tags });
+  if (_pageStore.size >= _PAGE_STORE_MAX && !_pageStore.has(pathname)) {
+    _pageStore.delete(_pageStore.keys().next().value!);
+  }
+  _pageStore.set(pathname, { html, expires: Date.now() + ttl * 1_000, ttl, revalidating: false, tags });
 }
 
 /** Mark a page as currently being revalidated to prevent concurrent regen. */

package/src/server/csrf.ts

@@ -31,6 +31,11 @@ export function csrfMiddleware() {
     const method = event.method.toUpperCase();
     if (SAFE_METHODS.has(method)) return;
 
+    // Internal endpoints that use their own auth (Bearer token, no cookie session)
+    // don't need CSRF protection.
+    const path = (event.node.req.url ?? "").split("?")[0] ?? "";
+    if (path === "/_alabjs/revalidate" || path === "/_alabjs/vitals") return;
+
     const cookieToken = getCookie(event, CSRF_COOKIE);
     const headerToken = getHeader(event, CSRF_HEADER);
 

package/src/server/revalidate.ts

@@ -24,6 +24,7 @@
  * ```
  */
 
+import { timingSafeEqual } from "node:crypto";
 import { revalidatePath, revalidatePathPrefix, revalidateTag } from "./cache.js";
 import { purgeCdnByTags } from "./cdn.js";
 
@@ -39,11 +40,22 @@ export interface RevalidateBody {
 /** Returns `true` when the request is authorised to call the revalidate endpoint. */
 export function checkRevalidateAuth(authorizationHeader: string | null | undefined): boolean {
   const secret = process.env["ALAB_REVALIDATE_SECRET"];
-  if (!secret) return true; // no secret configured — open endpoint
+  if (!secret) {
+    console.warn(
+      "[alabjs] WARNING: ALAB_REVALIDATE_SECRET is not set. " +
+      "The /_alabjs/revalidate endpoint accepts unauthenticated requests. " +
+      "Set this variable in production.",
+    );
+    return true;
+  }
   const provided = authorizationHeader?.startsWith("Bearer ")
     ? authorizationHeader.slice(7)
     : null;
-  return provided === secret;
+  return (
+    provided !== null &&
+    provided.length === secret.length &&
+    timingSafeEqual(Buffer.from(provided), Buffer.from(secret))
+  );
 }
 
 /**

package/src/ssr/html.ts

@@ -18,6 +18,13 @@ export interface HtmlShellOptions {
   headExtra?: string | undefined;
   /** Nonce for CSP inline scripts (optional). */
   nonce?: string | undefined;
+  /**
+   * Serialised `<script type="importmap">` JSON.
+   * Injected before any module scripts so the browser can resolve federated
+   * remote specifiers (e.g. `"RemoteApp/Button"`) via native ESM import maps.
+   * Generated by `buildImportMap()` from the project's `alabjs.config.ts`.
+   */
+  importMapJson?: string | undefined;
   /**
    * Build ID for skew protection.
    * Injected as `<meta name="alabjs-build-id">` so the client SPA router can
@@ -39,6 +46,7 @@ export function htmlShellBefore(opts: HtmlShellOptions): string {
     loadingFile,
     headExtra = "",
     buildId,
+    importMapJson,
   } = opts;
 
   const titleTag = metadata.title
@@ -85,6 +93,7 @@ export function htmlShellBefore(opts: HtmlShellOptions): string {
     ${layoutsJson ? `<meta name="alabjs-layouts" content="${escAttr(layoutsJson)}" />` : ""}
     ${loadingFile ? `<meta name="alabjs-loading" content="${escAttr(loadingFile)}" />` : ""}
     ${buildId ? `<meta name="alabjs-build-id" content="${escAttr(buildId)}" />` : ""}
+    ${importMapJson ? `<script type="importmap">${importMapJson}</script>` : ""}
     <link rel="stylesheet" href="/app/globals.css" />
     ${headExtra}
   </head>
@@ -95,7 +104,22 @@ export function htmlShellBefore(opts: HtmlShellOptions): string {
 /** Build the closing HTML fragment — everything after the SSR content. */
 export function htmlShellAfter(opts: { nonce?: string | undefined }): string {
   const nonceAttr = opts.nonce ? ` nonce="${escAttr(opts.nonce)}"` : "";
+  // The Rust compiler (oxc_transformer::enable_all) always emits $RefreshReg$ /
+  // $RefreshSig$ calls into TSX files, even in production builds. These are
+  // React Fast Refresh globals that only exist when the dev preamble is injected.
+  // In production there is no preamble, so the calls throw ReferenceError which
+  // silently aborts module loading and prevents React from mounting.
+  //
+  // A classic (non-module) <script> executes synchronously during HTML parsing,
+  // before any <script type="module"> is evaluated (modules are always deferred).
+  // Defining no-op shims here guarantees they exist before any page chunk runs.
+  const refreshShim = `<script${nonceAttr}>` +
+    `if(typeof $RefreshReg$==="undefined"){` +
+    `window.$RefreshReg$=function(){};` +
+    `window.$RefreshSig$=function(){return function(x){return x};}` +
+    `}</script>`;
   return `</div>
+    ${refreshShim}
     <script type="module" src="/@alabjs/client"${nonceAttr}></script>
   </body>
 </html>`;
@@ -136,14 +160,18 @@ export function injectIntoFullDocument(
   const metaTags = buildAlabMetaTags(opts);
   const nonceAttr = opts.nonce ? ` nonce="${escAttr(opts.nonce)}"` : "";
   const clientScript = `<script type="module" src="/@alabjs/client"${nonceAttr}></script>`;
+  const importMapTag = opts.importMapJson
+    ? `<script type="importmap">${opts.importMapJson}</script>\n  `
+    : "";
 
   let result = ssrHtml;
 
-  // Inject meta tags before </head> (case-insensitive).
+  // Inject import map + meta tags before </head> (case-insensitive).
+  // Import map must precede any <script type="module"> elements.
   if (/<\/head>/i.test(result)) {
-    result = result.replace(/<\/head>/i, `  ${metaTags}\n  </head>`);
+    result = result.replace(/<\/head>/i, `  ${importMapTag}${metaTags}\n  </head>`);
   } else {
-    result = metaTags + "\n" + result;
+    result = `${importMapTag}${metaTags}\n` + result;
   }
 
   // Inject client bootstrap script before </body>.

package/src/ssr/ppr.ts

@@ -158,7 +158,8 @@ export function findBuildLayoutFiles(routeFile: string, distDir: string): string
   const layouts: string[] = [];
   for (let i = 1; i <= parts.length; i++) {
     const dir = parts.slice(0, i).join("/");
-    const candidate = `${dir}/layout.tsx`;
+    // esbuild compiles layout.tsx → layout.js in the dist/server tree.
+    const candidate = `${dir}/layout.js`;
     if (existsSync(join(distDir, "server", candidate))) {
       layouts.push(candidate);
     }

package/src/ssr/render.ts

@@ -31,6 +31,11 @@ export interface RenderOptions {
   nonce?: string;
   /** Build ID for skew protection (see html.ts). */
   buildId?: string;
+  /**
+   * Serialised import map JSON (`{ imports: { ... } }`).
+   * Injected as `<script type="importmap">` when federation remotes are configured.
+   */
+  importMapJson?: string;
 }
 
 /**
@@ -53,6 +58,7 @@ export function renderToResponse(res: ServerResponse, opts: RenderOptions): void
     headExtra,
     nonce,
     buildId,
+    importMapJson,
   } = opts;
 
   const shellOpts: HtmlShellOptions = {
@@ -66,6 +72,7 @@ export function renderToResponse(res: ServerResponse, opts: RenderOptions): void
     headExtra,
     nonce,
     buildId,
+    importMapJson,
   };
 
   const before = htmlShellBefore(shellOpts);

package/tsconfig.sw.json

@@ -0,0 +1,18 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "lib": ["ES2022", "DOM", "DOM.Iterable"],
+    "strict": true,
+    "isolatedModules": true,
+    "verbatimModuleSyntax": true,
+    "declaration": false,
+    "declarationMap": false,
+    "sourceMap": false,
+    "rootDir": "src",
+    "outDir": "dist",
+    "skipLibCheck": true
+  },
+  "include": ["src/client/offline-sw.ts"]
+}