bosia 0.4.4 → 0.5.0

package/src/core/client/loaderCache.ts

@@ -0,0 +1,127 @@
+// ─── Client-Side Loader Cache ─────────────────────────────
+// Stores the result of each server loader run by stable id (the
+// +page.server.ts / +layout.server.ts path emitted by codegen) along
+// with the LoaderDeps record captured server-side. On each client
+// navigation we use the cache + a "dirty" set populated by the
+// `invalidate()` API to decide which loaders need to re-run, sending
+// the decision as an `_invalidated=<bits>` query param so the server
+// can skip the loaders that haven't conceptually changed.
+//
+// Cache lives in browser memory only — wiped on hard refresh.
+
+import type { LoaderDeps } from "../hooks.ts";
+
+export type CacheSnapshot = {
+	pathname: string;
+	params: Record<string, string>;
+	searchParams: Record<string, string | null>;
+	cookies: Record<string, string | undefined>;
+};
+
+export type CacheEntry = {
+	nodeId: string;
+	data: Record<string, any>;
+	deps: LoaderDeps;
+	snapshot: CacheSnapshot;
+};
+
+export type EvalContext = {
+	pathname: string;
+	params: Record<string, string>;
+	url: URL;
+	cookies: Record<string, string | undefined>;
+};
+
+function readDocumentCookies(): Record<string, string> {
+	const out: Record<string, string> = {};
+	if (typeof document === "undefined") return out;
+	for (const pair of document.cookie.split(";")) {
+		const idx = pair.indexOf("=");
+		if (idx === -1) continue;
+		const name = pair.slice(0, idx).trim();
+		const value = pair.slice(idx + 1).trim();
+		if (name) {
+			try {
+				out[name] = decodeURIComponent(value);
+			} catch {
+				out[name] = value;
+			}
+		}
+	}
+	return out;
+}
+
+export function liveContext(
+	pathname: string,
+	params: Record<string, string>,
+	url: URL,
+): EvalContext {
+	return {
+		pathname,
+		params,
+		url,
+		cookies: readDocumentCookies(),
+	};
+}
+
+/** Capture only the values relevant to a loader's tracked deps. */
+export function captureSnapshot(deps: LoaderDeps, ctx: EvalContext): CacheSnapshot {
+	const params: Record<string, string> = {};
+	for (const k of deps.params) params[k] = ctx.params[k] ?? "";
+	const searchParams: Record<string, string | null> = {};
+	for (const k of deps.searchParams) searchParams[k] = ctx.url.searchParams.get(k);
+	const cookies: Record<string, string | undefined> = {};
+	for (const k of deps.cookies) cookies[k] = ctx.cookies[k];
+	return { pathname: ctx.pathname, params, searchParams, cookies };
+}
+
+export type DirtyState = {
+	all: boolean;
+	keys: Set<string>;
+	urls: Set<string>;
+	urlMatchers: Array<(u: URL) => boolean>;
+};
+
+export function shouldRerun(entry: CacheEntry, dirty: DirtyState, next: EvalContext): boolean {
+	if (dirty.all) return true;
+	const { deps, snapshot } = entry;
+	// Dirty keys
+	for (const k of deps.keys) {
+		if (dirty.keys.has(k)) return true;
+	}
+	// Dirty URLs (string match or predicate match)
+	if (deps.urls.length > 0) {
+		for (const u of deps.urls) {
+			if (dirty.urls.has(u)) return true;
+			for (const fn of dirty.urlMatchers) {
+				try {
+					if (fn(new URL(u))) return true;
+				} catch {
+					// ignore malformed URL deps
+				}
+			}
+		}
+	}
+	// Param value changes
+	for (const k of deps.params) {
+		if (snapshot.params[k] !== (next.params[k] ?? "")) return true;
+	}
+	// Search param value changes
+	for (const k of deps.searchParams) {
+		if (snapshot.searchParams[k] !== next.url.searchParams.get(k)) return true;
+	}
+	// Cookie value changes
+	for (const k of deps.cookies) {
+		if (k === "*") {
+			// Broad cookie read — re-run on any cookie change. Detect by
+			// comparing the full incoming jar against the captured slice.
+			// In practice an empty captured slice will never equal the live
+			// jar once any cookie exists, so we re-run whenever cookies do.
+			return true;
+		}
+		if (snapshot.cookies[k] !== next.cookies[k]) return true;
+	}
+	// Pathname change for loaders that read the URL
+	if (deps.uses_url && snapshot.pathname !== next.pathname) return true;
+	return false;
+}

package/src/core/client/navigation.ts

@@ -0,0 +1,59 @@
+// ─── Public Invalidation API ──────────────────────────────
+// Counterpart to SvelteKit's `invalidate()` / `invalidateAll()`. Marks
+// loader cache entries dirty and triggers the App.svelte nav effect to
+// re-run only the loaders whose dependencies were invalidated.
+//
+// Usage:
+//   import { invalidate, invalidateAll } from "bosia/client";
+//   await invalidate("app:user");
+//   await invalidate("/api/posts");
+//   await invalidate((url) => url.pathname.startsWith("/api/"));
+//   await invalidateAll();
+
+import { appState } from "./appState.svelte.ts";
+
+type InvalidateTarget = string | URL | ((url: URL) => boolean);
+
+function bumpTick() {
+	appState.invalidationTick = appState.invalidationTick + 1;
+}
+
+/**
+ * Mark a dependency as invalid; the next navigation (and any in-progress
+ * navigation that hasn't started its fetch yet) will re-run loaders that
+ * declared a matching `depends()` key, fetched a matching URL, or — when
+ * given a predicate — fetched any URL the predicate returns true for.
+ *
+ * Returns a promise that resolves after the nav effect has flushed.
+ */
+export function invalidate(target: InvalidateTarget): Promise<void> {
+	if (typeof target === "function") {
+		appState.dirty.urlMatchers.push(target);
+	} else {
+		const str = typeof target === "string" ? target : target.href;
+		const isUrl = str.startsWith("/") || str.includes("://");
+		if (isUrl) {
+			try {
+				// Normalize to an absolute URL — fetches the loader recorded are
+				// always absolute, so a relative `/api/foo` must be promoted here.
+				const abs = new URL(str, window.location.origin).href;
+				appState.dirty.urls.add(abs);
+			} catch {
+				appState.dirty.urls.add(str);
+			}
+		} else {
+			appState.dirty.keys.add(str);
+		}
+	}
+	bumpTick();
+	return Promise.resolve();
+}
+
+/**
+ * Mark every loader as invalid. Next navigation re-runs all of them.
+ */
+export function invalidateAll(): Promise<void> {
+	appState.dirty.all = true;
+	bumpTick();
+	return Promise.resolve();
+}

package/src/core/client/prefetch.ts

@@ -2,11 +2,52 @@
 // Supports `data-bosia-preload="hover"` and `data-bosia-preload="viewport"`
 // on <a> elements or their ancestors.
 
+import { findMatch } from "../matcher.ts";
+import { clientRoutes } from "bosia:routes";
+import { appState } from "./appState.svelte.ts";
+import { liveContext, shouldRerun } from "./loaderCache.ts";
+
+/**
+ * Build the `_invalidated` mask bits for a target path using the current
+ * client loader cache. Char 0 = page, char i+1 = layout depth i; '1' = run,
+ * '0' = skip. Returns `null` when the route cannot be matched.
+ */
+export function buildMaskBits(path: string): string | null {
+	const url = new URL(path, window.location.origin);
+	const pathname = url.pathname;
+	const match = findMatch(clientRoutes, pathname);
+	if (!match) return null;
+	const ctx = liveContext(pathname, match.params, url);
+	const layoutIds = (match.route as any).layoutIds as (string | null)[];
+	const pageId = (match.route as any).pageId as string | null;
+
+	const layoutRunFlags = layoutIds.map((id) => {
+		if (id === null) return false;
+		const entry = appState.loaderCache.layouts[id];
+		if (!entry) return true;
+		return shouldRerun(entry, appState.dirty, ctx);
+	});
+
+	let pageRun = false;
+	if (pageId !== null) {
+		const entry = appState.loaderCache.page;
+		if (!entry || entry.nodeId !== pageId) pageRun = true;
+		else pageRun = shouldRerun(entry, appState.dirty, ctx);
+	}
+
+	return (pageRun ? "1" : "0") + layoutRunFlags.map((b) => (b ? "1" : "0")).join("");
+}
+
 /** Builds the `/__bosia/data/…` URL for a given client path. */
-export function dataUrl(path: string): string {
+export function dataUrl(path: string, invalidatedBits?: string): string {
 	const url = new URL(path, window.location.origin);
 	let p = url.pathname.replace(/\/$/, "");
-	return `/__bosia/data${p || "/index"}.json${url.search}`;
+	let qs = url.search;
+	if (invalidatedBits) {
+		const sep = qs ? "&" : "?";
+		qs = `${qs}${sep}_invalidated=${invalidatedBits}`;
+	}
+	return `/__bosia/data${p || "/index"}.json${qs}`;
 }
 
 export const prefetchCache = new Map<string, { data: any; ts: number }>();
@@ -33,7 +74,11 @@ export async function prefetchPath(path: string): Promise<void> {
 
 	pending.add(path);
 	try {
-		const res = await fetch(dataUrl(path));
+		// Send the same mask as a real client nav would so the server can skip
+		// loaders whose tracked inputs haven't changed. Falls back to running
+		// everything when the route can't be matched (e.g. external/unknown URL).
+		const maskBits = buildMaskBits(path) ?? undefined;
+		const res = await fetch(dataUrl(path, maskBits));
 		if (res.ok) {
 			if (prefetchCache.size >= MAX_PREFETCH_ENTRIES) {
 				const oldest = prefetchCache.keys().next().value;

package/src/core/cors.ts

@@ -13,8 +13,24 @@ export interface CorsConfig {
 	maxAge?: number;
 }
 
-const DEFAULT_METHODS = "GET, HEAD, PUT, PATCH, POST, DELETE";
-const DEFAULT_HEADERS = "Content-Type, Authorization";
+const DEFAULT_METHODS = ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"];
+const DEFAULT_HEADERS = ["Content-Type", "Authorization"];
+
+function parseHeaderList(value: string): string[] {
+	return value
+		.split(",")
+		.map((s) => s.trim())
+		.filter(Boolean);
+}
+
+/**
+ * Headers applied to *every* response when CORS is configured, regardless of
+ * whether the request Origin is allowed. Keeps caches/CDNs from serving a
+ * response with `Access-Control-Allow-Origin: X` to a different origin Y.
+ */
+export function applyCorsVary(headers: Headers): void {
+	headers.set("Vary", "Origin");
+}
 
 /**
  * Returns CORS response headers if the request Origin is in the allowed list.
@@ -48,22 +64,52 @@ export function getCorsHeaders(
 
 /**
  * Handles OPTIONS preflight requests.
- * Returns a 204 response with CORS headers, or null if the origin is not allowed.
+ *
+ * - Returns `null` if the request's Origin is missing or not allowed — the
+ *   caller treats this as "not a CORS preflight we serve", avoiding leaking
+ *   policy details to unknown origins.
+ * - Returns a 403 (carrying `Access-Control-Allow-Origin` + `Vary: Origin`)
+ *   when the requested method or any requested header falls outside the
+ *   configured allow-list. A 403 surfaces a clearer "not allowed by CORS
+ *   policy" message in the browser than letting the OPTIONS request fall
+ *   through to the default handler.
+ * - Otherwise returns a 204 with the standard preflight headers.
  */
 export function handlePreflight(request: Request, config: CorsConfig): Response | null {
 	const base = getCorsHeaders(request, config);
 	if (!base) return null;
 
+	const allowedMethods = config.allowedMethods ?? DEFAULT_METHODS;
+	const allowedHeaders = config.allowedHeaders ?? DEFAULT_HEADERS;
+
+	const requestedMethod = request.headers.get("access-control-request-method");
+	if (requestedMethod) {
+		const upper = requestedMethod.toUpperCase();
+		const allowedUpper = allowedMethods.map((m) => m.toUpperCase());
+		if (!allowedUpper.includes(upper)) {
+			return rejectPreflight(base, `Method ${requestedMethod} not allowed by CORS policy`);
+		}
+	}
+
+	const requestedHeadersRaw = request.headers.get("access-control-request-headers");
+	if (requestedHeadersRaw) {
+		const requested = parseHeaderList(requestedHeadersRaw).map((h) => h.toLowerCase());
+		const allowedLower = allowedHeaders.map((h) => h.toLowerCase());
+		const disallowed = requested.find((h) => !allowedLower.includes(h));
+		if (disallowed) {
+			return rejectPreflight(base, `Header ${disallowed} not allowed by CORS policy`);
+		}
+	}
+
 	const headers = new Headers(base as HeadersInit);
-	headers.set(
-		"Access-Control-Allow-Methods",
-		config.allowedMethods?.join(", ") ?? DEFAULT_METHODS,
-	);
-	headers.set(
-		"Access-Control-Allow-Headers",
-		config.allowedHeaders?.join(", ") ?? DEFAULT_HEADERS,
-	);
+	headers.set("Access-Control-Allow-Methods", allowedMethods.join(", "));
+	headers.set("Access-Control-Allow-Headers", allowedHeaders.join(", "));
 	headers.set("Access-Control-Max-Age", String(config.maxAge ?? 86400));
 
 	return new Response(null, { status: 204, headers });
 }
+
+function rejectPreflight(base: Record<string, string>, reason: string): Response {
+	const headers = new Headers(base as HeadersInit);
+	return new Response(reason, { status: 403, headers });
+}

package/src/core/csp.ts

@@ -0,0 +1,47 @@
+// ─── CSP Nonce ───────────────────────────────────────────
+// Per-request cryptographic nonce. Embedded as `nonce="..."` on every
+// framework-emitted <script> tag so that user code (or operators) can
+// configure a `Content-Security-Policy` header with `script-src 'nonce-…'`
+// and lock down inline-script execution without breaking framework
+// hydration.
+//
+// 16 random bytes → base64 (22 chars after stripping `=` padding) gives
+// the 128 bits of entropy recommended by the CSP spec.
+
+const NONCE_BYTES = 16;
+
+export function generateNonce(): string {
+	const bytes = new Uint8Array(NONCE_BYTES);
+	crypto.getRandomValues(bytes);
+	let binary = "";
+	for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+	return btoa(binary).replace(/=+$/, "");
+}
+
+/** Returns ` nonce="…"` (with leading space) when `nonce` is non-empty, otherwise `""`. */
+export function nonceAttr(nonce: string | undefined): string {
+	return nonce ? ` nonce="${nonce}"` : "";
+}
+
+// ─── Optional CSP Header ─────────────────────────────────
+// Opt-in via `CSP_DIRECTIVES` env. The literal `{nonce}` placeholder in
+// the configured value is replaced with the per-request nonce on each
+// response. Empty/unset env → no `Content-Security-Policy` header.
+//
+// Example:
+//   CSP_DIRECTIVES="default-src 'self'; script-src 'self' 'nonce-{nonce}'"
+
+export const CSP_DIRECTIVES_TEMPLATE: string | null = process.env.CSP_DIRECTIVES?.trim() || null;
+
+/**
+ * `true` when an operator has opted into CSP via `CSP_DIRECTIVES`. The
+ * framework gates *all* nonce-related wire output on this flag — without a
+ * matching `Content-Security-Policy` header the nonce attribute is just dead
+ * bytes, so we omit it.
+ */
+export const CSP_ENABLED: boolean = CSP_DIRECTIVES_TEMPLATE !== null;
+
+export function buildCspHeader(nonce: string): string | null {
+	if (!CSP_DIRECTIVES_TEMPLATE) return null;
+	return CSP_DIRECTIVES_TEMPLATE.replace(/\{nonce\}/g, nonce);
+}

package/src/core/csrf.ts

@@ -31,12 +31,15 @@ export function checkCsrf(
 	if (SAFE_METHODS.has(request.method.toUpperCase())) return null;
 
 	// Derive the expected origin.
-	// In dev, the browser hits the proxy on DEV_PORT (e.g. localhost:9000)
-	// while the Elysia server sees url.origin as localhost:9001.
-	// X-Forwarded-Host / Host headers reflect the actual host the client used.
-	const forwardedHost = request.headers.get("x-forwarded-host");
+	// `X-Forwarded-*` headers are only trusted when `TRUST_PROXY=true`, since a
+	// directly-exposed server would otherwise let a client spoof its own origin
+	// via attacker-controlled forwarded headers. Behind a real reverse proxy
+	// (nginx, Caddy, Cloudflare) the operator opts in by setting the env.
+	const trustProxy = process.env.TRUST_PROXY === "true";
+	const forwardedHost = trustProxy ? request.headers.get("x-forwarded-host") : null;
 	const host = forwardedHost ?? request.headers.get("host");
-	const protocol = request.headers.get("x-forwarded-proto") ?? url.protocol.replace(":", "");
+	const forwardedProto = trustProxy ? request.headers.get("x-forwarded-proto") : null;
+	const protocol = forwardedProto ?? url.protocol.replace(":", "");
 	const expectedOrigin = host ? `${protocol}://${host}` : url.origin;
 
 	const allowedOrigins = new Set([expectedOrigin, ...(config.allowedOrigins ?? [])]);

package/src/core/dev.ts

@@ -94,6 +94,10 @@ async function startAppServer() {
 			PORT: String(APP_PORT),
 			// Allow externalized deps (elysia, etc.) to resolve from bosia's node_modules
 			NODE_PATH: BOSIA_NODE_PATH,
+			// Dev proxy injects X-Forwarded-Host/Proto reflecting the public DEV_PORT, so CSRF
+			// origin checks must honour them. Safe in dev because the proxy controls these
+			// headers — no untrusted client can spoof them.
+			TRUST_PROXY: "true",
 		},
 	});
 
@@ -204,16 +208,24 @@ const devServer = Bun.serve({
 			);
 		}
 
-		// Proxy everything else to the app server
+		// Proxy everything else to the app server. Inject X-Forwarded-Host/Proto so
+		// the app's CSRF origin check (gated behind TRUST_PROXY=true, also set in the
+		// app env above) reconstructs the public-facing origin from the dev proxy
+		// rather than the inner-app's host (localhost:APP_PORT).
 		try {
+			const reqUrl = new URL(req.url);
 			const target = new URL(req.url);
 			target.hostname = "localhost";
 			target.port = String(APP_PORT);
 
+			const forwardedHeaders = new Headers(req.headers);
+			forwardedHeaders.set("x-forwarded-host", reqUrl.host);
+			forwardedHeaders.set("x-forwarded-proto", reqUrl.protocol.replace(":", ""));
+
 			return await fetch(
 				new Request(target.toString(), {
 					method: req.method,
-					headers: req.headers,
+					headers: forwardedHeaders,
 					body: req.body,
 					redirect: "manual",
 				}),

package/src/core/errors.ts

@@ -29,11 +29,10 @@ export class Redirect {
 const DANGEROUS_SCHEMES = /^(javascript|data|vbscript):/i;
 
 function validateRedirectLocation(location: string, options?: RedirectOptions): void {
-	if (options?.allowExternal) return;
-
 	const trimmed = location.trim();
 
-	// Reject dangerous schemes
+	// Dangerous schemes are rejected even when `allowExternal: true` —
+	// `javascript:` / `data:` / `vbscript:` are never legitimate redirect targets.
 	if (DANGEROUS_SCHEMES.test(trimmed)) {
 		throw new Error(
 			`redirect(): dangerous scheme in URL "${location}". ` +
@@ -41,6 +40,8 @@ function validateRedirectLocation(location: string, options?: RedirectOptions):
 		);
 	}
 
+	if (options?.allowExternal) return;
+
 	// Reject protocol-relative URLs (//evil.com)
 	if (trimmed.startsWith("//")) {
 		throw new Error(

package/src/core/hooks.ts

@@ -34,7 +34,16 @@ export interface Cookies {
 export type RequestEvent = {
 	request: Request;
 	url: URL;
-	locals: Record<string, any>;
+	/**
+	 * Per-request scratch object for user hooks/load functions.
+	 *
+	 * `locals.nonce` is populated by the framework with a fresh per-request
+	 * cryptographic nonce (base64, 128 bits of entropy) and is safe to embed
+	 * as `nonce="${event.locals.nonce}"` on user-authored inline scripts when
+	 * the operator enables a `Content-Security-Policy` via the
+	 * `CSP_DIRECTIVES` env var.
+	 */
+	locals: Record<string, any> & { nonce?: string };
 	params: Record<string, string>;
 	cookies: Cookies;
 };
@@ -47,6 +56,33 @@ export type LoadEvent = {
 	fetch: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
 	parent: () => Promise<Record<string, any>>;
 	metadata: Record<string, any> | null;
+	/**
+	 * Declare custom dependency keys for this loader. The client cache
+	 * will re-run the loader when `invalidate(key)` is called with any
+	 * of these keys. Keys are arbitrary strings, but conventionally
+	 * namespaced (e.g. `"app:user"`).
+	 */
+	depends: (...keys: string[]) => void;
+};
+
+/**
+ * Tracked dependencies captured for a single loader during one run.
+ * Shipped to the client so subsequent client-side navigations can
+ * decide whether to re-run the loader.
+ */
+export type LoaderDeps = {
+	/** `depends(...keys)` declarations. */
+	keys: string[];
+	/** Absolute URLs passed to the loader's `fetch()`. */
+	urls: string[];
+	/** Route params the loader read (`params.X`). */
+	params: string[];
+	/** Search params the loader read (`url.searchParams.get(X)` / `.has(X)`). */
+	searchParams: string[];
+	/** Cookies the loader read (`cookies.get(X)`). */
+	cookies: string[];
+	/** True if the loader read `url.pathname`/`url.origin`/`url.hash`/`url.href`. */
+	uses_url: boolean;
 };
 
 export type ResolveFunction = (event: RequestEvent) => MaybePromise<Response>;