bosia 0.2.0 → 0.2.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bosia",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "type": "module",
   "description": "A fast, batteries-included fullstack framework — SSR · Svelte 5 Runes · Bun · ElysiaJS. File-based routing inspired by SvelteKit. No Node.js, no Vite, no adapters.",
   "keywords": [

package/src/core/client/hydrate.ts

@@ -2,9 +2,12 @@ import { hydrate } from "svelte";
 import App from "./App.svelte";
 import { router } from "./router.svelte.ts";
 import { initPrefetch } from "./prefetch.ts";
-import { findMatch } from "../matcher.ts";
+import { findMatch, compileRoutes } from "../matcher.ts";
 import { clientRoutes } from "bosia:routes";
 
+// Pre-compile route patterns into RegExp at startup (shared by App.svelte and router via module reference)
+compileRoutes(clientRoutes);
+
 // ─── Hydration ────────────────────────────────────────────
 
 async function main() {

package/src/core/client/prefetch.ts

@@ -9,29 +9,37 @@ export function dataUrl(path: string): string {
     return `/__bosia/data${p || "/index"}.json${url.search}`;
 }
 
-export const prefetchCache = new Map<string, any>();
+export const prefetchCache = new Map<string, { data: any; ts: number }>();
+const MAX_PREFETCH_ENTRIES = 50;
 
 // In-flight fetch deduplication
 const pending = new Set<string>();
 
 /** Returns cached prefetch data for a path and removes it from cache. */
 export function consumePrefetch(path: string): any | null {
-    const data = prefetchCache.get(path);
-    if (data === undefined) return null;
+    const entry = prefetchCache.get(path);
+    if (entry === undefined) return null;
     prefetchCache.delete(path);
-    return data;
+    if (Date.now() - entry.ts > 30_000) return null;
+    return entry.data;
 }
 
 /** Prefetches data for a path and stores in cache. No-op if already cached/in-flight. */
 export async function prefetchPath(path: string): Promise<void> {
-    if (prefetchCache.has(path)) return;
+    const existing = prefetchCache.get(path);
+    if (existing && Date.now() - existing.ts <= 30_000) return;
+    if (existing) prefetchCache.delete(path);
     if (pending.has(path)) return;
 
     pending.add(path);
     try {
         const res = await fetch(dataUrl(path));
         if (res.ok) {
-            prefetchCache.set(path, await res.json());
+            if (prefetchCache.size >= MAX_PREFETCH_ENTRIES) {
+                const oldest = prefetchCache.keys().next().value;
+                if (oldest !== undefined) prefetchCache.delete(oldest);
+            }
+            prefetchCache.set(path, { data: await res.json(), ts: Date.now() });
         }
     } catch {
         // Silently ignore — prefetch is best-effort

package/src/core/client/router.svelte.ts

@@ -31,11 +31,17 @@ export const router = new class Router {
 
         // Intercept <a> clicks for client-side navigation
         window.addEventListener("click", (e) => {
+            // Let browser handle non-primary buttons, modifier-clicks, already-handled events
+            if (e.button !== 0) return;
+            if (e.metaKey || e.ctrlKey || e.shiftKey || e.altKey) return;
+            if (e.defaultPrevented) return;
+
             const anchor = (e.target as HTMLElement).closest("a");
             if (!anchor) return;
             if (anchor.origin !== window.location.origin) return;
             if (anchor.target) return;
             if (anchor.hasAttribute("download")) return;
+            if (anchor.rel.split(/\s+/).includes("external")) return;
             if (anchor.protocol !== "https:" && anchor.protocol !== "http:") return;
 
             e.preventDefault();

package/src/core/env.ts

@@ -8,6 +8,7 @@ const FRAMEWORK_VARS = new Set([
     "NODE_ENV",
     "BODY_SIZE_LIMIT",
     "CSRF_ALLOWED_ORIGINS",
+    "INTERNAL_HOSTS",
     "CORS_ALLOWED_ORIGINS",
     "CORS_ALLOWED_METHODS",
     "CORS_ALLOWED_HEADERS",

package/src/core/matcher.ts

@@ -9,6 +9,78 @@ import type { RouteMatch } from "./types.ts";
 //   2. Dynamic match      — "/blog/[slug]" matches "/blog/hello"
 //   3. Catch-all match    — "/[...rest]" matches anything
 
+// ─── Compiled Route Types ────────────────────────────────
+
+interface CompiledRoute {
+    regex: RegExp;
+    paramNames: string[];
+    isExact: boolean;
+}
+
+// ─── Pattern Compiler ────────────────────────────────────
+
+/** Escape regex special chars in a literal string segment. */
+function escapeRegex(s: string): string {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+/**
+ * Pre-compile a route pattern into a RegExp for fast matching.
+ */
+function compilePattern(pattern: string): CompiledRoute {
+    // No dynamic segments — exact match via ===
+    if (!pattern.includes("[")) {
+        return { regex: null!, paramNames: [], isExact: true };
+    }
+
+    const paramNames: string[] = [];
+
+    // Catch-all: /prefix/[...name]
+    const catchallMatch = pattern.match(/^(.*?)\/\[\.\.\.(\w+)\]$/);
+    if (catchallMatch) {
+        const prefix = catchallMatch[1] || "";
+        paramNames.push(catchallMatch[2]!);
+        const escaped = prefix ? escapeRegex(prefix) : "";
+        // Root catch-all /[...rest] must have at least one char after /
+        const regex = prefix
+            ? new RegExp(`^${escaped}\\/(.+)$`)
+            : new RegExp(`^\\/(.+)$`);
+        return { regex, paramNames, isExact: false };
+    }
+
+    // Dynamic segments: /blog/[slug]/comments → ^\/blog\/([^/]+)\/comments$
+    const segments = pattern.split("/").filter(Boolean);
+    let regexStr = "^";
+    for (const seg of segments) {
+        regexStr += "\\/";
+        if (seg.startsWith("[") && seg.endsWith("]")) {
+            paramNames.push(seg.slice(1, -1));
+            regexStr += "([^/]+)";
+        } else {
+            regexStr += escapeRegex(seg);
+        }
+    }
+    regexStr += "$";
+
+    return { regex: new RegExp(regexStr), paramNames, isExact: false };
+}
+
+/**
+ * Pre-compile all route patterns in-place.
+ * Mutates each route by adding a `_compiled` property.
+ * Call once at startup — all modules sharing the same route array see the result.
+ */
+export function compileRoutes<T extends { pattern: string }>(
+    routes: T[],
+): (T & { _compiled: CompiledRoute })[] {
+    for (const route of routes) {
+        (route as any)._compiled = compilePattern(route.pattern);
+    }
+    return routes as (T & { _compiled: CompiledRoute })[];
+}
+
+// ─── Legacy Pattern Matcher (fallback for uncompiled routes) ─
+
 /**
  * Match a URL pathname against a single route pattern.
  * Returns extracted params if matched, null otherwise.
@@ -60,6 +132,31 @@ function matchPattern(
     return params;
 }
 
+// ─── Route Matching ──────────────────────────────────────
+
+/**
+ * Match a compiled route against a pathname using regex.
+ * Returns extracted params if matched, null otherwise.
+ */
+function matchCompiled(
+    compiled: CompiledRoute,
+    pattern: string,
+    pathname: string,
+): Record<string, string> | null {
+    if (compiled.isExact) {
+        return pattern === pathname ? {} : null;
+    }
+
+    const m = compiled.regex.exec(pathname);
+    if (!m) return null;
+
+    const params: Record<string, string> = {};
+    for (let i = 0; i < compiled.paramNames.length; i++) {
+        params[compiled.paramNames[i]!] = m[i + 1]!;
+    }
+    return params;
+}
+
 /**
  * Find the first matching route from a list.
  * Routes must be pre-sorted by priority (exact → dynamic → catch-all).
@@ -75,7 +172,10 @@ export function findMatch<T extends { pattern: string }>(
     }
 
     for (const route of routes) {
-        const params = matchPattern(route.pattern, pathname);
+        const compiled = (route as any)._compiled as CompiledRoute | undefined;
+        const params = compiled
+            ? matchCompiled(compiled, route.pattern, pathname)
+            : matchPattern(route.pattern, pathname);
         if (params !== null) return { route, params };
     }
 

package/src/core/renderer.ts

@@ -37,22 +37,59 @@ function withTimeout<T>(promise: Promise<T>, ms: number, label: string): Promise
     ]);
 }
 
+// ─── Internal-Host Allowlist ─────────────────────────────
+// Origins that share the user's session cookie. Cookie is auto-forwarded
+// to same-origin requests AND to any origin in this set. Anything else
+// (third-party APIs) gets no Cookie header by default.
+
+const INTERNAL_HOSTS: Set<string> = (() => {
+    const raw = process.env.INTERNAL_HOSTS?.split(",").map(s => s.trim()).filter(Boolean) ?? [];
+    const valid = new Set<string>();
+    for (const entry of raw) {
+        try {
+            valid.add(new URL(entry).origin);
+        } catch {
+            console.warn(`⚠️  INTERNAL_HOSTS: ignoring invalid origin "${entry}"`);
+        }
+    }
+    return valid;
+})();
+
+if (INTERNAL_HOSTS.size > 0) {
+    console.log(`🍪 Internal hosts (cookies forwarded): ${[...INTERNAL_HOSTS].join(", ")}`);
+}
+
 // ─── Session-Aware Fetch ─────────────────────────────────
-// Passed to load() functions so they can call internal APIs
-// with the current user's cookies automatically forwarded.
+// Passed to load() functions so they can call internal APIs with the
+// current user's cookies automatically forwarded. Cookie is attached
+// only on same-origin requests or to origins in INTERNAL_HOSTS — never
+// to arbitrary third-party hosts (which would leak the session token).
 
 function makeFetch(req: Request, url: URL) {
     const cookie = req.headers.get("cookie") ?? "";
-    const origin = url.origin;
+    const sameOrigin = url.origin;
 
     return (input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
-        const resolved =
-            typeof input === "string" && input.startsWith("/")
-                ? `${origin}${input}`
-                : input;
+        let targetOrigin: string | null = null;
+        let resolved: RequestInfo | URL = input;
+
+        try {
+            if (typeof input === "string") {
+                const parsed = new URL(input, sameOrigin);
+                targetOrigin = parsed.origin;
+                resolved = parsed.href;
+            } else if (input instanceof URL) {
+                targetOrigin = input.origin;
+            } else {
+                targetOrigin = new URL(input.url).origin;
+            }
+        } catch {
+            targetOrigin = null;
+        }
 
         const headers = new Headers(init?.headers);
-        if (cookie && !headers.has("cookie")) headers.set("cookie", cookie);
+        const trusted = targetOrigin !== null && (targetOrigin === sameOrigin || INTERNAL_HOSTS.has(targetOrigin));
+        if (cookie && trusted && !headers.has("cookie")) headers.set("cookie", cookie);
 
         return globalThis.fetch(resolved, { ...init, headers });
     };

package/src/core/server.ts

@@ -3,8 +3,12 @@ import { Elysia } from "elysia";
 import { existsSync } from "fs";
 import { join, resolve as resolvePath } from "path";
 
-import { findMatch } from "./matcher.ts";
+import { findMatch, compileRoutes } from "./matcher.ts";
 import { apiRoutes, serverRoutes } from "bosia:routes";
+
+// Pre-compile route patterns into RegExp at startup (shared by renderer.ts via module reference)
+compileRoutes(apiRoutes);
+compileRoutes(serverRoutes);
 import type { Handle, RequestEvent } from "./hooks.ts";
 import { HttpError, Redirect, ActionFailure } from "./errors.ts";
 import { CookieJar } from "./cookies.ts";