bosia 0.2.3 → 0.3.1

package/src/core/client/router.svelte.ts

@@ -2,56 +2,69 @@
 // Svelte 5 rune-based reactive router.
 // Singleton used by App.svelte and hydrate.ts.
 
-import { findMatch } from "../matcher.ts";
+import { findMatch, canonicalPathname } from "../matcher.ts";
 import { clientRoutes } from "bosia:routes";
 
-export const router = new class Router {
-    currentRoute = $state(typeof window !== "undefined" ? window.location.pathname + window.location.search + window.location.hash : "/");
-    params = $state<Record<string, string>>({});
-    /** True when navigation was triggered by a link click / navigate() call, false on popstate (back/forward). */
-    isPush = $state(true);
-
-    navigate(path: string) {
-        if (this.currentRoute === path) return;
-        // Unknown route — let the server handle it (renders +error.svelte with 404)
-        const pathname = path.split("?")[0].split("#")[0];
-        if (!findMatch(clientRoutes, pathname)) {
-            window.location.href = path;
-            return;
-        }
-        this.isPush = true;
-        this.currentRoute = path;
-        if (typeof history !== "undefined") {
-            history.pushState({}, "", path);
-        }
-    }
-
-    init() {
-        if (typeof window === "undefined") return;
-
-        // Intercept <a> clicks for client-side navigation
-        window.addEventListener("click", (e) => {
-            // Let browser handle non-primary buttons, modifier-clicks, already-handled events
-            if (e.button !== 0) return;
-            if (e.metaKey || e.ctrlKey || e.shiftKey || e.altKey) return;
-            if (e.defaultPrevented) return;
-
-            const anchor = (e.target as HTMLElement).closest("a");
-            if (!anchor) return;
-            if (anchor.origin !== window.location.origin) return;
-            if (anchor.target) return;
-            if (anchor.hasAttribute("download")) return;
-            if (anchor.rel.split(/\s+/).includes("external")) return;
-            if (anchor.protocol !== "https:" && anchor.protocol !== "http:") return;
-
-            e.preventDefault();
-            this.navigate(anchor.pathname + anchor.search + anchor.hash);
-        });
-
-        // Browser back/forward
-        window.addEventListener("popstate", () => {
-            this.isPush = false;
-            this.currentRoute = window.location.pathname + window.location.search + window.location.hash;
-        });
-    }
-}();
+export const router = new (class Router {
+	currentRoute = $state(
+		typeof window !== "undefined"
+			? window.location.pathname + window.location.search + window.location.hash
+			: "/",
+	);
+	params = $state<Record<string, string>>({});
+	/** True when navigation was triggered by a link click / navigate() call, false on popstate (back/forward). */
+	isPush = $state(true);
+
+	navigate(path: string) {
+		if (this.currentRoute === path) return;
+		// Unknown route — let the server handle it (renders +error.svelte with 404)
+		const queryHash = path.slice(path.split("?")[0].split("#")[0].length);
+		const pathname = path.split("?")[0].split("#")[0];
+		const match = findMatch(clientRoutes, pathname);
+		if (!match) {
+			window.location.href = path;
+			return;
+		}
+		// Canonicalize trailing slash before navigating (matches server 308 behavior)
+		const canonical = canonicalPathname(
+			pathname,
+			(match.route as any).trailingSlash ?? "never",
+		);
+		const finalPath = canonical !== null ? canonical + queryHash : path;
+		this.isPush = true;
+		this.currentRoute = finalPath;
+		if (typeof history !== "undefined") {
+			history.pushState({}, "", finalPath);
+		}
+	}
+
+	init() {
+		if (typeof window === "undefined") return;
+
+		// Intercept <a> clicks for client-side navigation
+		window.addEventListener("click", (e) => {
+			// Let browser handle non-primary buttons, modifier-clicks, already-handled events
+			if (e.button !== 0) return;
+			if (e.metaKey || e.ctrlKey || e.shiftKey || e.altKey) return;
+			if (e.defaultPrevented) return;
+
+			const anchor = (e.target as HTMLElement).closest("a");
+			if (!anchor) return;
+			if (anchor.origin !== window.location.origin) return;
+			if (anchor.target) return;
+			if (anchor.hasAttribute("download")) return;
+			if (anchor.rel.split(/\s+/).includes("external")) return;
+			if (anchor.protocol !== "https:" && anchor.protocol !== "http:") return;
+
+			e.preventDefault();
+			this.navigate(anchor.pathname + anchor.search + anchor.hash);
+		});
+
+		// Browser back/forward
+		window.addEventListener("popstate", () => {
+			this.isPush = false;
+			this.currentRoute =
+				window.location.pathname + window.location.search + window.location.hash;
+		});
+	}
+})();

package/src/core/cookies.ts

@@ -14,85 +14,89 @@ const VALID_COOKIE_NAME = /^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$/;
 // ─── Cookie Defaults ─────────────────────────────────────
 /** Secure defaults matching SvelteKit conventions. */
 const COOKIE_DEFAULTS: CookieOptions = {
-    path: "/",
-    httpOnly: true,
-    secure: true,
-    sameSite: "Lax",
+	path: "/",
+	httpOnly: true,
+	secure: true,
+	sameSite: "Lax",
 };
 
 // ─── Cookie Helpers ──────────────────────────────────────
 
 function parseCookies(header: string): Record<string, string> {
-    const result: Record<string, string> = {};
-    for (const pair of header.split(";")) {
-        const idx = pair.indexOf("=");
-        if (idx === -1) continue;
-        const name = pair.slice(0, idx).trim();
-        const value = pair.slice(idx + 1).trim();
-        if (name) {
-            try { result[name] = decodeURIComponent(value); }
-            catch { result[name] = value; }
-        }
-    }
-    return result;
+	const result: Record<string, string> = {};
+	for (const pair of header.split(";")) {
+		const idx = pair.indexOf("=");
+		if (idx === -1) continue;
+		const name = pair.slice(0, idx).trim();
+		const value = pair.slice(idx + 1).trim();
+		if (name) {
+			try {
+				result[name] = decodeURIComponent(value);
+			} catch {
+				result[name] = value;
+			}
+		}
+	}
+	return result;
 }
 
 export class CookieJar implements Cookies {
-    private _incoming: Record<string, string>;
-    private _outgoing: string[] = [];
-    private _defaults: CookieOptions;
-    private _accessed = false;
+	private _incoming: Record<string, string>;
+	private _outgoing: string[] = [];
+	private _defaults: CookieOptions;
+	private _accessed = false;
 
-    constructor(cookieHeader: string, dev = false) {
-        this._incoming = parseCookies(cookieHeader);
-        // In dev mode, omit Secure — browsers reject Secure cookies over http://localhost
-        this._defaults = dev
-            ? { ...COOKIE_DEFAULTS, secure: false }
-            : COOKIE_DEFAULTS;
-    }
+	constructor(cookieHeader: string, dev = false) {
+		this._incoming = parseCookies(cookieHeader);
+		// In dev mode, omit Secure — browsers reject Secure cookies over http://localhost
+		this._defaults = dev ? { ...COOKIE_DEFAULTS, secure: false } : COOKIE_DEFAULTS;
+	}
 
-    get(name: string): string | undefined {
-        this._accessed = true;
-        return this._incoming[name];
-    }
+	get(name: string): string | undefined {
+		this._accessed = true;
+		return this._incoming[name];
+	}
 
-    getAll(): Record<string, string> {
-        this._accessed = true;
-        return { ...this._incoming };
-    }
+	getAll(): Record<string, string> {
+		this._accessed = true;
+		return { ...this._incoming };
+	}
 
-    get accessed(): boolean {
-        return this._accessed;
-    }
+	get accessed(): boolean {
+		return this._accessed;
+	}
 
-    set(name: string, value: string, options?: CookieOptions): void {
-        if (!VALID_COOKIE_NAME.test(name)) throw new Error(`Invalid cookie name: ${name}`);
-        const opts = { ...this._defaults, ...options };
-        let header = `${name}=${encodeURIComponent(value)}`;
-        if (opts.path) {
-            if (UNSAFE_COOKIE_VALUE.test(opts.path)) throw new Error(`Invalid cookie path: ${opts.path}`);
-            header += `; Path=${opts.path}`;
-        }
-        if (opts.domain) {
-            if (UNSAFE_COOKIE_VALUE.test(opts.domain)) throw new Error(`Invalid cookie domain: ${opts.domain}`);
-            header += `; Domain=${opts.domain}`;
-        }
-        if (opts.maxAge != null) header += `; Max-Age=${opts.maxAge}`;
-        if (opts.expires) header += `; Expires=${opts.expires.toUTCString()}`;
-        if (opts.httpOnly) header += "; HttpOnly";
-        if (opts.secure) header += "; Secure";
-        if (opts.sameSite) {
-            if (!VALID_SAMESITE.has(opts.sameSite)) throw new Error(`Invalid cookie sameSite: ${opts.sameSite}`);
-            header += `; SameSite=${opts.sameSite}`;
-        }
-        this._outgoing.push(header);
-    }
+	set(name: string, value: string, options?: CookieOptions): void {
+		if (!VALID_COOKIE_NAME.test(name)) throw new Error(`Invalid cookie name: ${name}`);
+		const opts = { ...this._defaults, ...options };
+		let header = `${name}=${encodeURIComponent(value)}`;
+		if (opts.path) {
+			if (UNSAFE_COOKIE_VALUE.test(opts.path))
+				throw new Error(`Invalid cookie path: ${opts.path}`);
+			header += `; Path=${opts.path}`;
+		}
+		if (opts.domain) {
+			if (UNSAFE_COOKIE_VALUE.test(opts.domain))
+				throw new Error(`Invalid cookie domain: ${opts.domain}`);
+			header += `; Domain=${opts.domain}`;
+		}
+		if (opts.maxAge != null) header += `; Max-Age=${opts.maxAge}`;
+		if (opts.expires) header += `; Expires=${opts.expires.toUTCString()}`;
+		if (opts.httpOnly) header += "; HttpOnly";
+		if (opts.secure) header += "; Secure";
+		if (opts.sameSite) {
+			if (!VALID_SAMESITE.has(opts.sameSite))
+				throw new Error(`Invalid cookie sameSite: ${opts.sameSite}`);
+			header += `; SameSite=${opts.sameSite}`;
+		}
+		this._outgoing.push(header);
+	}
 
-    delete(name: string, options?: Pick<CookieOptions, "path" | "domain">): void {
-        this.set(name, "", { ...options, maxAge: 0 });
-    }
+	delete(name: string, options?: Pick<CookieOptions, "path" | "domain">): void {
+		this.set(name, "", { ...options, maxAge: 0 });
+	}
 
-    get outgoing(): readonly string[] {
-        return this._outgoing;
-    }
+	get outgoing(): readonly string[] {
+		return this._outgoing;
+	}
 }

package/src/core/cors.ts

@@ -1,16 +1,16 @@
 export interface CorsConfig {
-    /** Origins allowed to make cross-origin requests (e.g. ["https://app.example.com"]) */
-    allowedOrigins: string[];
-    /** HTTP methods to allow. Default: GET, HEAD, PUT, PATCH, POST, DELETE */
-    allowedMethods?: string[];
-    /** Request headers to allow. Default: Content-Type, Authorization */
-    allowedHeaders?: string[];
-    /** Response headers to expose to the browser. Default: none */
-    exposedHeaders?: string[];
-    /** Whether to allow cookies/auth credentials. Default: false */
-    credentials?: boolean;
-    /** Preflight cache duration in seconds. Default: 86400 (24h) */
-    maxAge?: number;
+	/** Origins allowed to make cross-origin requests (e.g. ["https://app.example.com"]) */
+	allowedOrigins: string[];
+	/** HTTP methods to allow. Default: GET, HEAD, PUT, PATCH, POST, DELETE */
+	allowedMethods?: string[];
+	/** Request headers to allow. Default: Content-Type, Authorization */
+	allowedHeaders?: string[];
+	/** Response headers to expose to the browser. Default: none */
+	exposedHeaders?: string[];
+	/** Whether to allow cookies/auth credentials. Default: false */
+	credentials?: boolean;
+	/** Preflight cache duration in seconds. Default: 86400 (24h) */
+	maxAge?: number;
 }
 
 const DEFAULT_METHODS = "GET, HEAD, PUT, PATCH, POST, DELETE";
@@ -20,27 +20,30 @@ const DEFAULT_HEADERS = "Content-Type, Authorization";
  * Returns CORS response headers if the request Origin is in the allowed list.
  * Returns null if Origin is absent or not allowed.
  */
-export function getCorsHeaders(request: Request, config: CorsConfig): Record<string, string> | null {
-    const origin = request.headers.get("origin");
-    if (!origin) return null;
+export function getCorsHeaders(
+	request: Request,
+	config: CorsConfig,
+): Record<string, string> | null {
+	const origin = request.headers.get("origin");
+	if (!origin) return null;
 
-    const allowed = config.allowedOrigins.includes(origin);
-    if (!allowed) return null;
+	const allowed = config.allowedOrigins.includes(origin);
+	if (!allowed) return null;
 
-    const headers: Record<string, string> = {
-        "Access-Control-Allow-Origin": origin,
-        "Vary": "Origin",
-    };
+	const headers: Record<string, string> = {
+		"Access-Control-Allow-Origin": origin,
+		Vary: "Origin",
+	};
 
-    if (config.credentials) {
-        headers["Access-Control-Allow-Credentials"] = "true";
-    }
+	if (config.credentials) {
+		headers["Access-Control-Allow-Credentials"] = "true";
+	}
 
-    if (config.exposedHeaders?.length) {
-        headers["Access-Control-Expose-Headers"] = config.exposedHeaders.join(", ");
-    }
+	if (config.exposedHeaders?.length) {
+		headers["Access-Control-Expose-Headers"] = config.exposedHeaders.join(", ");
+	}
 
-    return headers;
+	return headers;
 }
 
 /**
@@ -48,13 +51,19 @@ export function getCorsHeaders(request: Request, config: CorsConfig): Record<str
  * Returns a 204 response with CORS headers, or null if the origin is not allowed.
  */
 export function handlePreflight(request: Request, config: CorsConfig): Response | null {
-    const base = getCorsHeaders(request, config);
-    if (!base) return null;
+	const base = getCorsHeaders(request, config);
+	if (!base) return null;
 
-    const headers = new Headers(base as HeadersInit);
-    headers.set("Access-Control-Allow-Methods", config.allowedMethods?.join(", ") ?? DEFAULT_METHODS);
-    headers.set("Access-Control-Allow-Headers", config.allowedHeaders?.join(", ") ?? DEFAULT_HEADERS);
-    headers.set("Access-Control-Max-Age", String(config.maxAge ?? 86400));
+	const headers = new Headers(base as HeadersInit);
+	headers.set(
+		"Access-Control-Allow-Methods",
+		config.allowedMethods?.join(", ") ?? DEFAULT_METHODS,
+	);
+	headers.set(
+		"Access-Control-Allow-Headers",
+		config.allowedHeaders?.join(", ") ?? DEFAULT_HEADERS,
+	);
+	headers.set("Access-Control-Max-Age", String(config.maxAge ?? 86400));
 
-    return new Response(null, { status: 204, headers });
+	return new Response(null, { status: 204, headers });
 }

package/src/core/csrf.ts

@@ -6,14 +6,14 @@
 // is treated as a cross-origin attack.
 
 export interface CsrfConfig {
-    /** Whether to enforce origin checks. Default: true. */
-    checkOrigin: boolean;
-    /** Additional origins to allow (e.g. CDN or mobile app origin). */
-    allowedOrigins?: string[];
+	/** Whether to enforce origin checks. Default: true. */
+	checkOrigin: boolean;
+	/** Additional origins to allow (e.g. CDN or mobile app origin). */
+	allowedOrigins?: string[];
 }
 
 const DEFAULT_CSRF_CONFIG: CsrfConfig = {
-    checkOrigin: true,
+	checkOrigin: true,
 };
 
 const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
@@ -23,43 +23,43 @@ const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
  * Returns `null` on success, or an error message string to reject with 403.
  */
 export function checkCsrf(
-    request: Request,
-    url: URL,
-    config: CsrfConfig = DEFAULT_CSRF_CONFIG,
+	request: Request,
+	url: URL,
+	config: CsrfConfig = DEFAULT_CSRF_CONFIG,
 ): string | null {
-    if (!config.checkOrigin) return null;
-    if (SAFE_METHODS.has(request.method.toUpperCase())) return null;
+	if (!config.checkOrigin) return null;
+	if (SAFE_METHODS.has(request.method.toUpperCase())) return null;
 
-    // Derive the expected origin.
-    // In dev, the browser hits the proxy on DEV_PORT (e.g. localhost:9000)
-    // while the Elysia server sees url.origin as localhost:9001.
-    // X-Forwarded-Host / Host headers reflect the actual host the client used.
-    const forwardedHost = request.headers.get("x-forwarded-host");
-    const host = forwardedHost ?? request.headers.get("host");
-    const protocol = request.headers.get("x-forwarded-proto") ?? url.protocol.replace(":", "");
-    const expectedOrigin = host ? `${protocol}://${host}` : url.origin;
+	// Derive the expected origin.
+	// In dev, the browser hits the proxy on DEV_PORT (e.g. localhost:9000)
+	// while the Elysia server sees url.origin as localhost:9001.
+	// X-Forwarded-Host / Host headers reflect the actual host the client used.
+	const forwardedHost = request.headers.get("x-forwarded-host");
+	const host = forwardedHost ?? request.headers.get("host");
+	const protocol = request.headers.get("x-forwarded-proto") ?? url.protocol.replace(":", "");
+	const expectedOrigin = host ? `${protocol}://${host}` : url.origin;
 
-    const allowedOrigins = new Set([expectedOrigin, ...(config.allowedOrigins ?? [])]);
+	const allowedOrigins = new Set([expectedOrigin, ...(config.allowedOrigins ?? [])]);
 
-    // Check Origin header first (sent by all modern browsers on cross-origin requests)
-    const originHeader = request.headers.get("origin");
-    if (originHeader) {
-        if (allowedOrigins.has(originHeader)) return null;
-        return `Cross-origin request blocked: Origin "${originHeader}" is not allowed`;
-    }
+	// Check Origin header first (sent by all modern browsers on cross-origin requests)
+	const originHeader = request.headers.get("origin");
+	if (originHeader) {
+		if (allowedOrigins.has(originHeader)) return null;
+		return `Cross-origin request blocked: Origin "${originHeader}" is not allowed`;
+	}
 
-    // Fall back to Referer (older browsers, some same-origin form posts)
-    const refererHeader = request.headers.get("referer");
-    if (refererHeader) {
-        try {
-            const refererOrigin = new URL(refererHeader).origin;
-            if (allowedOrigins.has(refererOrigin)) return null;
-            return `Cross-origin request blocked: Referer "${refererHeader}" is not allowed`;
-        } catch {
-            return `Cross-origin request blocked: Referer header is malformed`;
-        }
-    }
+	// Fall back to Referer (older browsers, some same-origin form posts)
+	const refererHeader = request.headers.get("referer");
+	if (refererHeader) {
+		try {
+			const refererOrigin = new URL(refererHeader).origin;
+			if (allowedOrigins.has(refererOrigin)) return null;
+			return `Cross-origin request blocked: Referer "${refererHeader}" is not allowed`;
+		} catch {
+			return `Cross-origin request blocked: Referer header is malformed`;
+		}
+	}
 
-    // Neither Origin nor Referer present — reject
-    return "Forbidden: missing Origin or Referer header on non-safe request";
+	// Neither Origin nor Referer present — reject
+	return "Forbidden: missing Origin or Referer header on non-safe request";
 }

package/src/core/dedup.ts

@@ -7,26 +7,26 @@ const AUTH_COOKIE_RE = /(?:^|;\s*)authorization=([^;]*)/i;
 
 /** Build dedup key from route URL + request identity. Sort search params for consistency. */
 export function dedupKey(url: URL, request: Request): string {
-    let path = url.pathname;
-    if (path.length > 1 && path.endsWith("/")) path = path.slice(0, -1);
-    const sorted = new URLSearchParams([...url.searchParams.entries()].sort());
-    const search = sorted.toString();
-    const base = search ? `${path}?${search}` : path;
+	let path = url.pathname;
+	if (path.length > 1 && path.endsWith("/")) path = path.slice(0, -1);
+	const sorted = new URLSearchParams([...url.searchParams.entries()].sort());
+	const search = sorted.toString();
+	const base = search ? `${path}?${search}` : path;
 
-    const authHeader = request.headers.get("authorization") ?? "";
-    const cookieHeader = request.headers.get("cookie") ?? "";
-    const match = cookieHeader.match(AUTH_COOKIE_RE);
-    const authCookie = match?.[1] ?? "";
-    const identity = authHeader || authCookie;
-    if (!identity) return base;
-    return `${base}|${Bun.hash(identity).toString(36)}`;
+	const authHeader = request.headers.get("authorization") ?? "";
+	const cookieHeader = request.headers.get("cookie") ?? "";
+	const match = cookieHeader.match(AUTH_COOKIE_RE);
+	const authCookie = match?.[1] ?? "";
+	const identity = authHeader || authCookie;
+	if (!identity) return base;
+	return `${base}|${Bun.hash(identity).toString(36)}`;
 }
 
 /** Run `fn` with dedup. Concurrent calls with same key share the in-flight promise. */
 export function dedup<T>(key: string, fn: () => Promise<T>): Promise<T> {
-    const existing = inflight.get(key);
-    if (existing) return existing;
-    const promise = fn().finally(() => inflight.delete(key));
-    inflight.set(key, promise);
-    return promise;
+	const existing = inflight.get(key);
+	if (existing) return existing;
+	const promise = fn().finally(() => inflight.delete(key));
+	inflight.set(key, promise);
+	return promise;
 }