bosia 0.7.5 → 0.7.6
- package/package.json +1 -1
- package/src/core/dev.ts +10 -2
- package/src/core/server.ts +14 -0
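--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "bosia",
-"version": "0.7.
+"version": "0.7.6",
 "type": "module",
 "description": "A fast, batteries-included fullstack framework — SSR · Svelte 5 Runes · Bun · ElysiaJS. File-based routing inspired by SvelteKit. No Node.js, no Vite, no adapters.",
 "keywords": [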
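--- a/package/src/core/dev.ts
+++ b/package/src/core/dev.ts
@@ -346,9 +346,17 @@ const devServer = Bun.serve({
 target.hostname = "127.0.0.1";
 target.port = String(APP_PORT);
 
+// Preserve an X-Forwarded-* set by an OUTER proxy (e.g. a multi-tenant host
+// fronting `bun run dev` behind TLS). Overwriting it with this dev proxy's
+// own loopback host/scheme would strip the real public origin, so the app's
+// redirects and `event.url` would point at localhost. Fall back to this
+// proxy's request only when the outer hop didn't set them.
 const forwardedHeaders = new Headers(req.headers);
-forwardedHeaders.set("x-forwarded-host", reqUrl.host);
-forwardedHeaders.set(
+forwardedHeaders.set("x-forwarded-host", req.headers.get("x-forwarded-host") ?? reqUrl.host);
+forwardedHeaders.set(
+"x-forwarded-proto",
+req.headers.get("x-forwarded-proto") ?? reqUrl.protocol.replace(":", ""),
+);
 // Force inner app to respond uncompressed. Bun's `fetch()` auto-decodes
 // gzip/br bodies but leaves the original `Content-Encoding` header on
 // the Response, so passing it through made Safari throw -1015 ("cannot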
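Review bot: The two `forwardedHeaders.set(...)` calls now forward a request-supplied `X-Forwarded-Host` / `X-Forwarded-Proto` unconditionally, so when the dev server is reached directly rather than through an outer proxy, the client chooses the values the inner app receives. How much that matters depends on whether the inner app trusts these headers in dev: the server.ts change in this release rewrites `url` from them when `TRUST_PROXY` is set, and in that case redirects and `event.url` would follow a client-chosen origin. Consider making the passthrough an explicit opt-in and keeping the previous overwrite (`reqUrl.host`, `reqUrl.protocol`) as the default. The new comment should also state that the outer proxy is expected to overwrite, not merely forward, these headers. The enclosing `Bun.serve` handler starts and ends outside this hunk.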
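--- a/package/src/core/server.ts
+++ b/package/src/core/server.ts
@@ -781,6 +781,20 @@ if (_xfoDisabled) {
 }
 
 async function handleRequest(request: Request, url: URL): Promise<Response> {
+// Behind a trusted proxy the inbound `Host`/scheme is the proxy's inner hop
+// (e.g. `localhost:PORT` over plain HTTP), so `url` built from `request.url`
+// misreports the public origin. Rebuild it from `X-Forwarded-Host`/`-Proto`
+// so `event.url` — and every absolute redirect, canonical URL, and
+// `url.origin` the app derives — points at the public-facing origin instead
+// of localhost. Gated on TRUST_PROXY since these headers are client-spoofable
+// when no proxy strips them.
+if (TRUST_PROXY) {
+const fwdHost = request.headers.get("x-forwarded-host");
+if (fwdHost) url.host = fwdHost;
+const fwdProto = request.headers.get("x-forwarded-proto")?.split(",")[0]?.trim();
+if (fwdProto) url.protocol = `${fwdProto}:`;
+}
+
 // Reject new non-health requests during shutdown
 if (shuttingDown && url.pathname !== "/_health") {
 return new Response("Service Unavailable", {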
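Review bot: Inside the `if (TRUST_PROXY)` block, `url.host = fwdHost` assigns the raw header, while the proto line takes the first comma-separated entry, and neither value is checked before it becomes the origin the app derives redirects and canonical URLs from. A multi-hop chain can deliver a list in `X-Forwarded-Host`, and the URL `host` setter silently ignores a value it cannot parse, so `url` would stay on the inner hop with no signal. Parsing it like the proto would fix this: `const fwdHost = request.headers.get("x-forwarded-host")?.split(",")[0]?.trim();`. The scheme should only be assigned to `url.protocol` when `fwdProto` is `http` or `https`, and a short comment should record whether the trusted proxy overwrites or appends, since that decides which list entry is authoritative. The body of `handleRequest` continues past the end of this hunk.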