bosbun 0.0.3 → 0.0.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bosbun",
-  "version": "0.0.3",
+  "version": "0.0.4",
   "type": "module",
   "description": "A minimalist fullstack framework — SSR + Svelte 5 Runes + Bun + ElysiaJS",
   "keywords": [

package/src/core/cookies.ts

@@ -1,5 +1,10 @@
 import type { Cookies, CookieOptions } from "./hooks.ts";
 
+// ─── Cookie Validation ───────────────────────────────────
+/** Rejects characters that could inject into Set-Cookie headers. */
+const UNSAFE_COOKIE_VALUE = /[;\r\n]/;
+const VALID_SAMESITE = new Set(["Strict", "Lax", "None"]);
+
 // ─── Cookie Helpers ──────────────────────────────────────
 
 function parseCookies(header: string): Record<string, string> {
@@ -9,7 +14,10 @@ function parseCookies(header: string): Record<string, string> {
         if (idx === -1) continue;
         const name = pair.slice(0, idx).trim();
         const value = pair.slice(idx + 1).trim();
-        if (name) result[name] = decodeURIComponent(value);
+        if (name) {
+            try { result[name] = decodeURIComponent(value); }
+            catch { result[name] = value; }
+        }
     }
     return result;
 }
@@ -32,13 +40,21 @@ export class CookieJar implements Cookies {
 
     set(name: string, value: string, options?: CookieOptions): void {
         let header = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
-        header += `; Path=${options?.path ?? "/"}`;
-        if (options?.domain) header += `; Domain=${options.domain}`;
+        const path = options?.path ?? "/";
+        if (UNSAFE_COOKIE_VALUE.test(path)) throw new Error(`Invalid cookie path: ${path}`);
+        header += `; Path=${path}`;
+        if (options?.domain) {
+            if (UNSAFE_COOKIE_VALUE.test(options.domain)) throw new Error(`Invalid cookie domain: ${options.domain}`);
+            header += `; Domain=${options.domain}`;
+        }
         if (options?.maxAge != null) header += `; Max-Age=${options.maxAge}`;
         if (options?.expires) header += `; Expires=${options.expires.toUTCString()}`;
         if (options?.httpOnly) header += "; HttpOnly";
         if (options?.secure) header += "; Secure";
-        if (options?.sameSite) header += `; SameSite=${options.sameSite}`;
+        if (options?.sameSite) {
+            if (!VALID_SAMESITE.has(options.sameSite)) throw new Error(`Invalid cookie sameSite: ${options.sameSite}`);
+            header += `; SameSite=${options.sameSite}`;
+        }
         this._outgoing.push(header);
     }
 

package/src/core/env.ts

@@ -14,6 +14,9 @@ const FRAMEWORK_VARS = new Set([
     "CORS_EXPOSED_HEADERS",
     "CORS_CREDENTIALS",
     "CORS_MAX_AGE",
+    "LOAD_TIMEOUT",
+    "METADATA_TIMEOUT",
+    "PRERENDER_TIMEOUT",
 ]);
 
 // ─── .env File Parser ────────────────────────────────────
@@ -81,6 +84,11 @@ export function loadEnv(mode: string, dir?: string): Record<string, string> {
         console.log(`✓ Loaded ${loaded.join(", ")}`);
     }
 
+    // Track declared keys so html.ts only exposes .env-declared PUBLIC_* vars
+    for (const key of Object.keys(merged)) {
+        _declaredKeys.add(key);
+    }
+
     // Apply to process.env — system env wins (don't overwrite existing)
     for (const [key, value] of Object.entries(merged)) {
         if (!(key in process.env)) {
@@ -99,6 +107,16 @@ export function loadEnv(mode: string, dir?: string): Record<string, string> {
     return result;
 }
 
+// ─── Declared Key Tracking ───────────────────────────
+// Track which keys were declared in .env files so html.ts only exposes those to the client.
+
+const _declaredKeys = new Set<string>();
+
+/** Returns the set of env var keys that were declared in .env files. */
+export function getDeclaredEnvKeys(): ReadonlySet<string> {
+    return _declaredKeys;
+}
+
 // ─── Classifier ──────────────────────────────────────────
 
 export interface ClassifiedEnv {

package/src/core/html.ts

@@ -1,4 +1,5 @@
 import { existsSync, readFileSync } from "fs";
+import { getDeclaredEnvKeys } from "./env.ts";
 
 // ─── Dist Manifest ───────────────────────────────────────
 // Maps hashed filenames → script/link tags.
@@ -24,25 +25,30 @@ export function safeJsonStringify(data: unknown): string {
         "\u2028": "\\u2028",
         "\u2029": "\\u2029",
     };
-    return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, c => map[c]);
+    let json: string;
+    try {
+        json = JSON.stringify(data);
+    } catch {
+        console.error("safeJsonStringify: failed to serialize data (circular reference?)");
+        json = "null";
+    }
+    return json.replace(/[<>&\u2028\u2029]/g, c => map[c]);
 }
 
 // ─── Public Env Injection ─────────────────────────────────
 
 /**
- * Collect PUBLIC_* (non-static) vars from process.env that were declared in .bunia/env.server.ts.
- * We read the generated server env module to know which keys to expose.
- * Falls back to an empty object if the module hasn't been generated yet (e.g., dev before first build).
+ * Collect PUBLIC_* (non-static) vars that were declared in .env files.
+ * Only exposes keys tracked by loadEnv() — never leaks system env vars
+ * that happen to start with PUBLIC_.
  */
 function getPublicDynamicEnv(): Record<string, string> {
-    // Read keys from .bunia/env.server.ts declarations of PUBLIC_* (non-static) vars
-    // by inspecting process.env keys that start with PUBLIC_ but not PUBLIC_STATIC_.
-    // We only expose keys that came from .env files — tracked in process.env via loadEnv.
-    // At runtime the server module exports are inlined; we collect from process.env here.
+    const declared = getDeclaredEnvKeys();
     const result: Record<string, string> = {};
-    for (const [key, value] of Object.entries(process.env)) {
-        if (key.startsWith("PUBLIC_") && !key.startsWith("PUBLIC_STATIC_") && value !== undefined) {
-            result[key] = value;
+    for (const key of declared) {
+        if (key.startsWith("PUBLIC_") && !key.startsWith("PUBLIC_STATIC_")) {
+            const value = process.env[key];
+            if (value !== undefined) result[key] = value;
         }
     }
     return result;

package/src/core/prerender.ts

@@ -5,6 +5,8 @@ import type { RouteManifest } from "./types.ts";
 const CORE_DIR = import.meta.dir;
 const BUNIA_NODE_MODULES = join(CORE_DIR, "..", "..", "node_modules");
 
+const PRERENDER_TIMEOUT = Number(process.env.PRERENDER_TIMEOUT) || 5_000; // 5s default
+
 // ─── Prerendering ─────────────────────────────────────────
 
 async function detectPrerenderRoutes(manifest: RouteManifest): Promise<string[]> {
@@ -61,7 +63,7 @@ export async function prerenderStaticRoutes(manifest: RouteManifest): Promise<vo
 
     for (const routePath of paths) {
         try {
-            const res = await fetch(`${base}${routePath}`);
+            const res = await fetch(`${base}${routePath}`, { signal: AbortSignal.timeout(PRERENDER_TIMEOUT) });
             const html = await res.text();
             const outPath = routePath === "/"
                 ? "./dist/prerendered/index.html"
@@ -70,7 +72,11 @@ export async function prerenderStaticRoutes(manifest: RouteManifest): Promise<vo
             writeFileSync(outPath, html);
             console.log(`   ✅ ${routePath} → ${outPath}`);
         } catch (err) {
-            console.error(`   ❌ Failed to prerender ${routePath}:`, err);
+            if (err instanceof DOMException && err.name === "TimeoutError") {
+                console.error(`   ❌ Prerender timed out for ${routePath} after ${PRERENDER_TIMEOUT / 1000}s — increase PRERENDER_TIMEOUT to raise the limit`);
+            } else {
+                console.error(`   ❌ Failed to prerender ${routePath}:`, err);
+            }
         }
     }
 

package/src/core/renderer.ts

@@ -8,6 +8,34 @@ import App from "./client/App.svelte";
 import { buildHtml, buildHtmlShell, buildHtmlShellOpen, buildMetadataChunk, buildHtmlTail, compress, safeJsonStringify, isDev } from "./html.ts";
 import type { Metadata } from "./hooks.ts";
 
+// ─── Timeout Helpers ─────────────────────────────────────
+
+class LoadTimeoutError extends Error {
+    constructor(label: string, ms: number) {
+        super(`${label} timed out after ${ms}ms`);
+        this.name = "LoadTimeoutError";
+    }
+}
+
+function parseTimeout(raw: string | undefined, fallback: number): number {
+    if (!raw || raw === "Infinity") return 0;
+    const n = parseInt(raw, 10);
+    return Number.isFinite(n) && n > 0 ? n : fallback;
+}
+
+const LOAD_TIMEOUT = parseTimeout(process.env.LOAD_TIMEOUT, 5000);
+const METADATA_TIMEOUT = parseTimeout(process.env.METADATA_TIMEOUT, 3000);
+
+function withTimeout<T>(promise: Promise<T>, ms: number, label: string): Promise<T> {
+    if (ms <= 0) return promise;
+    return Promise.race([
+        promise,
+        new Promise<never>((_, reject) =>
+            setTimeout(() => reject(new LoadTimeoutError(label, ms)), ms)
+        ),
+    ]);
+}
+
 // ─── Session-Aware Fetch ─────────────────────────────────
 // Passed to load() functions so they can call internal APIs
 // with the current user's cookies automatically forwarded.
@@ -57,7 +85,7 @@ export async function loadRouteData(
                     for (let d = 0; d < ls.depth; d++) Object.assign(merged, layoutData[d] ?? {});
                     return merged;
                 };
-                layoutData[ls.depth] = (await mod.load({ params, url, locals, cookies, parent, fetch, metadata: null })) ?? {};
+                layoutData[ls.depth] = (await withTimeout(mod.load({ params, url, locals, cookies, parent, fetch, metadata: null }), LOAD_TIMEOUT, `layout load (depth=${ls.depth}, ${url.pathname})`)) ?? {};
             }
         } catch (err) {
             if (err instanceof HttpError || err instanceof Redirect) throw err;
@@ -79,7 +107,7 @@ export async function loadRouteData(
                     for (const d of layoutData) if (d) Object.assign(merged, d);
                     return merged;
                 };
-                pageData = (await mod.load({ params, url, locals, cookies, parent, fetch, metadata: metadataData })) ?? {};
+                pageData = (await withTimeout(mod.load({ params, url, locals, cookies, parent, fetch, metadata: metadataData }), LOAD_TIMEOUT, `page load (${url.pathname})`)) ?? {};
             }
         } catch (err) {
             if (err instanceof HttpError || err instanceof Redirect) throw err;
@@ -136,7 +164,7 @@ async function loadMetadata(
         const mod = await route.pageServer();
         if (typeof mod.metadata === "function") {
             const fetch = makeFetch(req, url);
-            return (await mod.metadata({ params, url, locals, cookies, fetch })) ?? null;
+            return (await withTimeout(mod.metadata({ params, url, locals, cookies, fetch }), METADATA_TIMEOUT, `metadata (${url.pathname})`)) ?? null;
         }
     } catch (err) {
         if (isDev) console.error("Metadata load error:", err);
@@ -147,32 +175,49 @@ async function loadMetadata(
 
 // ─── Streaming SSR Renderer ──────────────────────────────
 
-export function renderSSRStream(
+export async function renderSSRStream(
     url: URL,
     locals: Record<string, any>,
     req: Request,
     cookies: Cookies,
-): Response | null {
+): Promise<Response | null> {
     const match = findMatch(serverRoutes, url.pathname);
     if (!match) return null;
 
     const { route, params } = match;
-    const enc = new TextEncoder();
+
+    // ── Pre-stream phase: resolve metadata before committing to a 200 ──
+    // Errors here return a proper error response with correct status code.
+    let metadata: Metadata | null = null;
+    try {
+        metadata = await loadMetadata(route, params, url, locals, cookies, req);
+    } catch (err) {
+        if (err instanceof Redirect) {
+            return Response.redirect(err.location, err.status);
+        }
+        if (err instanceof HttpError) {
+            return renderErrorPage(err.status, err.message, url, req);
+        }
+        if (isDev) console.error("Metadata load error:", err);
+        else console.error("Metadata load error:", (err as Error).message ?? err);
+        // Continue with null metadata — don't break the page for a metadata failure
+    }
 
     // Kick off imports immediately (parallel with data loading)
     const pageModPromise = route.pageModule();
     const layoutModsPromise = Promise.all(route.layoutModules.map((l: () => Promise<any>) => l()));
 
+    const enc = new TextEncoder();
+
     const stream = new ReadableStream<Uint8Array>({
         async start(controller) {
             // Chunk 1: head opening (CSS, modulepreload — cached)
             controller.enqueue(enc.encode(buildHtmlShellOpen()));
 
-            try {
-                // Chunk 2: metadata() resolves → send title/meta, close head, open body + spinner
-                const metadata = await loadMetadata(route, params, url, locals, cookies, req);
-                controller.enqueue(enc.encode(buildMetadataChunk(metadata)));
+            // Chunk 2: metadata tags, close </head>, open <body> + spinner
+            controller.enqueue(enc.encode(buildMetadataChunk(metadata)));
 
+            try {
                 // Pass metadata.data to load() so it can reuse fetched data
                 const metadataData = metadata?.data ?? null;
 
@@ -203,6 +248,7 @@ export function renderSSRStream(
                 controller.enqueue(enc.encode(buildHtmlTail(body, head, data.pageData, data.layoutData, data.csr)));
                 controller.close();
             } catch (err) {
+                // Head is closed and body is open at this point — HTML structure is valid
                 if (err instanceof Redirect) {
                     controller.enqueue(enc.encode(
                         `<script>location.replace(${safeJsonStringify(err.location)})</script></body></html>`
@@ -212,7 +258,7 @@ export function renderSSRStream(
                 }
                 if (err instanceof HttpError) {
                     controller.enqueue(enc.encode(
-                        `<script>location.replace("/__bunia/error?status=${err.status}&message=${encodeURIComponent(err.message)}")</script></body></html>`
+                        `<script>location.replace("/__bunia/error?status=${err.status}&message="+encodeURIComponent(${safeJsonStringify(err.message)}))</script></body></html>`
                     ));
                     controller.close();
                     return;

package/src/core/server.ts

@@ -1,7 +1,7 @@
 import { Elysia } from "elysia";
 import { staticPlugin } from "@elysiajs/static";
 import { existsSync } from "fs";
-import { join } from "path";
+import { join, resolve as resolvePath } from "path";
 
 import { findMatch } from "./matcher.ts";
 import { apiRoutes, serverRoutes } from "bunia:routes";
@@ -94,6 +94,13 @@ function isValidRoutePath(path: string, origin: string): boolean {
     }
 }
 
+/** Resolve a file path and verify it stays within the allowed base directory. Returns null if traversal detected. */
+function safePath(base: string, untrusted: string): string | null {
+    const root = resolvePath(base);
+    const full = resolvePath(join(base, untrusted));
+    return full.startsWith(root + "/") || full === root ? full : null;
+}
+
 /** Extract action name from URL searchParams — `?/login` → "login", no slash key → "default". */
 function parseActionName(url: URL): string {
     for (const key of url.searchParams.keys()) {
@@ -143,35 +150,48 @@ async function resolve(event: RequestEvent): Promise<Response> {
     if (isStaticPath(path)) {
         // dist/client: serve with cache headers based on whether filename is hashed
         if (path.startsWith("/dist/client/")) {
-            const file = Bun.file(`.${path.split("?")[0]}`);
-            if (await file.exists()) {
-                const filename = path.split("/").pop() ?? "";
-                const isHashed = /\-[a-z0-9]{8,}\.[a-z]+$/.test(filename);
-                const cacheControl = !isDev && isHashed
-                    ? "public, max-age=31536000, immutable"
-                    : "no-cache";
-                return new Response(file, { headers: { "Cache-Control": cacheControl } });
+            const resolved = safePath("./dist/client", path.split("?")[0].slice("/dist/client".length));
+            if (resolved) {
+                const file = Bun.file(resolved);
+                if (await file.exists()) {
+                    const filename = path.split("/").pop() ?? "";
+                    const isHashed = /\-[a-z0-9]{8,}\.[a-z]+$/.test(filename);
+                    const cacheControl = !isDev && isHashed
+                        ? "public, max-age=31536000, immutable"
+                        : "no-cache";
+                    return new Response(file, { headers: { "Cache-Control": cacheControl } });
+                }
             }
             return new Response("Not Found", { status: 404 });
         }
-        const pub = Bun.file(`./public${path}`);
-        if (await pub.exists()) return new Response(pub);
-        const dist = Bun.file(`.${path}`);
-        if (await dist.exists()) return new Response(dist);
+        const pubPath = safePath("./public", path);
+        if (pubPath) {
+            const pub = Bun.file(pubPath);
+            if (await pub.exists()) return new Response(pub);
+        }
+        const distPath = safePath("./dist", path);
+        if (distPath) {
+            const dist = Bun.file(distPath);
+            if (await dist.exists()) return new Response(dist);
+        }
         return new Response("Not Found", { status: 404 });
     }
 
     // Prerendered pages — serve static HTML built at build time
-    const prerenderFile = Bun.file(
-        path === "/" ? "./dist/prerendered/index.html" : `./dist/prerendered${path}/index.html`
+    const prerenderPath = safePath(
+        "./dist/prerendered",
+        path === "/" ? "index.html" : `${path}/index.html`,
     );
-    if (await prerenderFile.exists()) {
-        return new Response(prerenderFile, {
-            headers: {
-                "Content-Type": "text/html; charset=utf-8",
-                "Cache-Control": "public, max-age=3600",
-            },
-        });
+    if (prerenderPath) {
+        const prerenderFile = Bun.file(prerenderPath);
+        if (await prerenderFile.exists()) {
+            return new Response(prerenderFile, {
+                headers: {
+                    "Content-Type": "text/html; charset=utf-8",
+                    "Cache-Control": "public, max-age=3600",
+                },
+            });
+        }
     }
 
     // API routes (+server.ts)
@@ -262,7 +282,7 @@ async function resolve(event: RequestEvent): Promise<Response> {
     }
 
     // SSR pages (+page.svelte) — streaming by default
-    const streamResponse = renderSSRStream(url, locals, request, cookies);
+    const streamResponse = await renderSSRStream(url, locals, request, cookies);
     if (!streamResponse) return renderErrorPage(404, "Not Found", url, request);
     return streamResponse;
 }

package/templates/default/.env.example

@@ -14,16 +14,57 @@
 # Import in your code:
 #   import { PUBLIC_STATIC_APP_NAME, DB_PASSWORD } from 'bunia:env';
 #
-# Framework vars (PORT, NODE_ENV, BODY_SIZE_LIMIT, CSRF_ALLOWED_ORIGINS) are
-# NOT exposed via bunia:env — access them via process.env directly.
+# Framework vars (PORT, NODE_ENV, BODY_SIZE_LIMIT, CSRF_ALLOWED_ORIGINS,
+# CORS_*, LOAD_TIMEOUT, METADATA_TIMEOUT, PRERENDER_TIMEOUT) are NOT exposed via bunia:env —
+# access them via process.env directly.
 # ────────────────────────────────────────────────────────────────────────────────
 
 # Public build-time constant (safe to expose to client)
 PUBLIC_STATIC_APP_NAME=My Bunia App
 
-# Framework vars — access via process.env directly (not via bunia:env)
+# ─── Framework vars — access via process.env (not via bunia:env) ─────────────
+
+# Server port. Defaults to 9000 in production, 9001 in dev (proxied via :9000).
 # PORT=9000
 
+# Maximum request body size. Supports K/M/G suffixes or "Infinity". Defaults to 512K.
+# BODY_SIZE_LIMIT=512K
+
+# Timeout for load() functions (layout + page) in milliseconds. Defaults to 5000 (5s).
+# Set to 0 or Infinity to disable.
+# LOAD_TIMEOUT=5000
+
+# Timeout for metadata() functions in milliseconds. Defaults to 3000 (3s).
+# Set to 0 or Infinity to disable.
+# METADATA_TIMEOUT=3000
+
+# Timeout for prerender fetches during build in milliseconds. Defaults to 5000 (5s).
+# Set to 0 or Infinity to disable.
+# PRERENDER_TIMEOUT=5000
+
+# Comma-separated list of allowed origins for CSRF validation.
+# Leave unset to allow same-origin requests only.
+# CSRF_ALLOWED_ORIGINS=
+
+# Comma-separated list of origins allowed to make cross-origin requests.
+# Leave unset to disable CORS.
+# CORS_ALLOWED_ORIGINS=
+
+# Comma-separated HTTP methods to allow in CORS requests. Default: GET, HEAD, PUT, PATCH, POST, DELETE
+# CORS_ALLOWED_METHODS=GET, POST
+
+# Comma-separated request headers to allow in CORS requests. Default: Content-Type, Authorization
+# CORS_ALLOWED_HEADERS=Content-Type, Authorization
+
+# Comma-separated response headers to expose to the browser. Default: none
+# CORS_EXPOSED_HEADERS=
+
+# Allow cookies and auth credentials in cross-origin requests. Default: false
+# CORS_CREDENTIALS=true
+
+# Preflight response cache duration in seconds. Default: 86400 (24 hours)
+# CORS_MAX_AGE=86400
+
 # Public runtime var (safe to expose to client, can change without rebuild)
 # PUBLIC_API_URL=https://api.example.com