create-mantiq 0.5.8 → 0.5.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-mantiq",
-  "version": "0.5.8",
+  "version": "0.5.10",
   "description": "Scaffold a new MantiqJS application",
   "type": "module",
   "license": "MIT",

package/stubs/react/src/lib/api.ts.stub

@@ -3,13 +3,24 @@ function getCookie(name: string): string | null {
   return match ? decodeURIComponent(match[1]!) : null
 }
 
+/** Ensure a session + XSRF-TOKEN cookie exists before mutating requests. */
+let csrfReady: Promise<void> | null = null
+async function ensureCsrf(): Promise<void> {
+  if (getCookie('XSRF-TOKEN')) return
+  if (!csrfReady) {
+    csrfReady = fetch('/csrf-cookie', { credentials: 'same-origin' }).then(() => { csrfReady = null })
+  }
+  await csrfReady
+}
+
 export async function api<T = any>(url: string, opts: RequestInit = {}): Promise<{ ok: boolean; status: number; data: T }> {
   const headers: Record<string, string> = { Accept: 'application/json', ...(opts.headers as Record<string, string>) }
 
-  // Attach XSRF token for CSRF protection on mutating requests
-  const xsrf = getCookie('XSRF-TOKEN')
-  if (xsrf && opts.method && !['GET', 'HEAD', 'OPTIONS'].includes(opts.method)) {
-    headers['X-XSRF-TOKEN'] = xsrf
+  // For mutating requests, ensure CSRF cookie exists then attach it
+  if (opts.method && !['GET', 'HEAD', 'OPTIONS'].includes(opts.method)) {
+    await ensureCsrf()
+    const xsrf = getCookie('XSRF-TOKEN')
+    if (xsrf) headers['X-XSRF-TOKEN'] = xsrf
   }
 
   const res = await fetch(url, { ...opts, credentials: 'same-origin', headers })

package/stubs/react/vite.config.ts.stub

@@ -4,7 +4,52 @@ import tailwindcss from '@tailwindcss/vite'
 import path from 'path'
 
 export default defineConfig({
-  plugins: [react(), tailwindcss()],
+  plugins: [
+    react(),
+    tailwindcss(),
+    // Proxy non-asset requests to the Mantiq backend in dev mode
+    // so session cookies and CSRF tokens work on the same origin
+    {
+      name: 'mantiq-proxy',
+      configureServer(server) {
+        server.middlewares.use((req, res, next) => {
+          // Let Vite handle its own files: HMR, source files, node_modules
+          const viteOwned = req.url?.startsWith('/@') ||
+            req.url?.startsWith('/src/') ||
+            req.url?.startsWith('/node_modules/') ||
+            req.url?.includes('?import') ||
+            req.url?.includes('?t=')
+
+          if (viteOwned) return next()
+
+          // For HTML page navigations (SPA), let Vite serve index.html
+          const accept = req.headers.accept ?? ''
+          if (req.method === 'GET' && accept.includes('text/html')) return next()
+
+          // Everything else (POST, API calls, etc.) → proxy to backend
+          const backend = `http://localhost:${process.env.APP_PORT ?? 3000}`
+          import('node:http').then(({ request }) => {
+            const proxyReq = request(
+              `${backend}${req.url}`,
+              {
+                method: req.method,
+                headers: req.headers,
+              },
+              (proxyRes) => {
+                res.writeHead(proxyRes.statusCode ?? 500, proxyRes.headers)
+                proxyRes.pipe(res)
+              },
+            )
+            proxyReq.on('error', () => {
+              res.writeHead(502)
+              res.end('Backend not running. Start with: bun run index.ts')
+            })
+            req.pipe(proxyReq)
+          })
+        })
+      },
+    },
+  ],
   publicDir: false,
   resolve: {
     alias: {

package/stubs/shared/routes/web.ts.stub

@@ -18,6 +18,13 @@ export default function (router: Router) {
   router.get('/account/security', [PageController, 'security']).middleware('auth')
   router.get('/account/preferences', [PageController, 'preferences']).middleware('auth')
 
+  // CSRF cookie — SPA calls this on mount to establish session + XSRF token
+  router.get('/csrf-cookie', (request: any) => {
+    // Session middleware already started the session and CSRF middleware
+    // will attach the XSRF-TOKEN cookie on the response. Just return 204.
+    return new Response(null, { status: 204 })
+  })
+
   // Auth actions
   router.post('/login', [AuthController, 'login'])
   router.post('/register', [AuthController, 'register'])

package/stubs/svelte/src/lib/api.ts.stub

@@ -3,13 +3,24 @@ function getCookie(name: string): string | null {
   return match ? decodeURIComponent(match[1]!) : null
 }
 
+/** Ensure a session + XSRF-TOKEN cookie exists before mutating requests. */
+let csrfReady: Promise<void> | null = null
+async function ensureCsrf(): Promise<void> {
+  if (getCookie('XSRF-TOKEN')) return
+  if (!csrfReady) {
+    csrfReady = fetch('/csrf-cookie', { credentials: 'same-origin' }).then(() => { csrfReady = null })
+  }
+  await csrfReady
+}
+
 export async function api<T = any>(url: string, opts: RequestInit = {}): Promise<{ ok: boolean; status: number; data: T }> {
   const headers: Record<string, string> = { Accept: 'application/json', ...(opts.headers as Record<string, string>) }
 
-  // Attach XSRF token for CSRF protection on mutating requests
-  const xsrf = getCookie('XSRF-TOKEN')
-  if (xsrf && opts.method && !['GET', 'HEAD', 'OPTIONS'].includes(opts.method)) {
-    headers['X-XSRF-TOKEN'] = xsrf
+  // For mutating requests, ensure CSRF cookie exists then attach it
+  if (opts.method && !['GET', 'HEAD', 'OPTIONS'].includes(opts.method)) {
+    await ensureCsrf()
+    const xsrf = getCookie('XSRF-TOKEN')
+    if (xsrf) headers['X-XSRF-TOKEN'] = xsrf
   }
 
   const res = await fetch(url, { ...opts, credentials: 'same-origin', headers })

package/stubs/svelte/vite.config.ts.stub

@@ -4,7 +4,44 @@ import tailwindcss from '@tailwindcss/vite'
 import path from 'path'
 
 export default defineConfig({
-  plugins: [svelte(), tailwindcss()],
+  plugins: [
+    svelte(),
+    tailwindcss(),
+    {
+      name: 'mantiq-proxy',
+      configureServer(server) {
+        server.middlewares.use((req, res, next) => {
+          const viteOwned = req.url?.startsWith('/@') ||
+            req.url?.startsWith('/src/') ||
+            req.url?.startsWith('/node_modules/') ||
+            req.url?.includes('?import') ||
+            req.url?.includes('?t=')
+
+          if (viteOwned) return next()
+
+          const accept = req.headers.accept ?? ''
+          if (req.method === 'GET' && accept.includes('text/html')) return next()
+
+          const backend = `http://localhost:${process.env.APP_PORT ?? 3000}`
+          import('node:http').then(({ request }) => {
+            const proxyReq = request(
+              `${backend}${req.url}`,
+              { method: req.method, headers: req.headers },
+              (proxyRes) => {
+                res.writeHead(proxyRes.statusCode ?? 500, proxyRes.headers)
+                proxyRes.pipe(res)
+              },
+            )
+            proxyReq.on('error', () => {
+              res.writeHead(502)
+              res.end('Backend not running. Start with: bun run index.ts')
+            })
+            req.pipe(proxyReq)
+          })
+        })
+      },
+    },
+  ],
   publicDir: false,
   resolve: {
     alias: {

package/stubs/vue/src/lib/api.ts.stub

@@ -3,13 +3,24 @@ function getCookie(name: string): string | null {
   return match ? decodeURIComponent(match[1]!) : null
 }
 
+/** Ensure a session + XSRF-TOKEN cookie exists before mutating requests. */
+let csrfReady: Promise<void> | null = null
+async function ensureCsrf(): Promise<void> {
+  if (getCookie('XSRF-TOKEN')) return
+  if (!csrfReady) {
+    csrfReady = fetch('/csrf-cookie', { credentials: 'same-origin' }).then(() => { csrfReady = null })
+  }
+  await csrfReady
+}
+
 export async function api<T = any>(url: string, opts: RequestInit = {}): Promise<{ ok: boolean; status: number; data: T }> {
   const headers: Record<string, string> = { Accept: 'application/json', ...(opts.headers as Record<string, string>) }
 
-  // Attach XSRF token for CSRF protection on mutating requests
-  const xsrf = getCookie('XSRF-TOKEN')
-  if (xsrf && opts.method && !['GET', 'HEAD', 'OPTIONS'].includes(opts.method)) {
-    headers['X-XSRF-TOKEN'] = xsrf
+  // For mutating requests, ensure CSRF cookie exists then attach it
+  if (opts.method && !['GET', 'HEAD', 'OPTIONS'].includes(opts.method)) {
+    await ensureCsrf()
+    const xsrf = getCookie('XSRF-TOKEN')
+    if (xsrf) headers['X-XSRF-TOKEN'] = xsrf
   }
 
   const res = await fetch(url, { ...opts, credentials: 'same-origin', headers })

package/stubs/vue/vite.config.ts.stub

@@ -4,7 +4,44 @@ import tailwindcss from '@tailwindcss/vite'
 import path from 'path'
 
 export default defineConfig({
-  plugins: [vue(), tailwindcss()],
+  plugins: [
+    vue(),
+    tailwindcss(),
+    {
+      name: 'mantiq-proxy',
+      configureServer(server) {
+        server.middlewares.use((req, res, next) => {
+          const viteOwned = req.url?.startsWith('/@') ||
+            req.url?.startsWith('/src/') ||
+            req.url?.startsWith('/node_modules/') ||
+            req.url?.includes('?import') ||
+            req.url?.includes('?t=')
+
+          if (viteOwned) return next()
+
+          const accept = req.headers.accept ?? ''
+          if (req.method === 'GET' && accept.includes('text/html')) return next()
+
+          const backend = `http://localhost:${process.env.APP_PORT ?? 3000}`
+          import('node:http').then(({ request }) => {
+            const proxyReq = request(
+              `${backend}${req.url}`,
+              { method: req.method, headers: req.headers },
+              (proxyRes) => {
+                res.writeHead(proxyRes.statusCode ?? 500, proxyRes.headers)
+                proxyRes.pipe(res)
+              },
+            )
+            proxyReq.on('error', () => {
+              res.writeHead(502)
+              res.end('Backend not running. Start with: bun run index.ts')
+            })
+            req.pipe(proxyReq)
+          })
+        })
+      },
+    },
+  ],
   publicDir: false,
   resolve: {
     alias: {