gorsee 0.2.0 → 0.2.2

package/src/server/cache.ts

@@ -8,9 +8,12 @@ export interface CacheOptions {
   staleWhileRevalidate?: number // serve stale while revalidating (seconds)
   vary?: string[]              // cache key varies by these headers
   key?: (url: URL) => string   // custom cache key generator
+  store?: CacheStore
 }
 
-interface CacheEntry {
+type Awaitable<T> = T | Promise<T>
+
+export interface CacheEntry {
   body: string
   headers: Record<string, string>
   status: number
@@ -18,7 +21,26 @@ interface CacheEntry {
   revalidating?: boolean
 }
 
-const store = new Map<string, CacheEntry>()
+export interface CacheStore {
+  get(key: string): Awaitable<CacheEntry | undefined>
+  set(key: string, entry: CacheEntry): Awaitable<void>
+  delete(key: string): Awaitable<void>
+  clear(): Awaitable<void>
+  keys(): Awaitable<Iterable<string> | AsyncIterable<string>>
+}
+
+export function createMemoryCacheStore(): CacheStore {
+  const store = new Map<string, CacheEntry>()
+  return {
+    get: (key) => store.get(key),
+    set: (key, entry) => { store.set(key, entry) },
+    delete: (key) => { store.delete(key) },
+    clear: () => { store.clear() },
+    keys: () => store.keys(),
+  }
+}
+
+const defaultCacheStore = createMemoryCacheStore()
 
 function buildKey(url: URL, vary: string[], request: Request, customKey?: (url: URL) => string): string {
   const base = customKey ? customKey(url) : url.pathname + url.search
@@ -28,13 +50,13 @@ function buildKey(url: URL, vary: string[], request: Request, customKey?: (url:
 }
 
 export function routeCache(options: CacheOptions): MiddlewareFn {
-  const { maxAge, staleWhileRevalidate = 0, vary = [], key: customKey } = options
+  const { maxAge, staleWhileRevalidate = 0, vary = [], key: customKey, store = defaultCacheStore } = options
 
   return async (ctx, next) => {
     if (ctx.request.method !== "GET") return next()
 
     const cacheKey = buildKey(ctx.url, vary, ctx.request, customKey)
-    const entry = store.get(cacheKey)
+    const entry = await store.get(cacheKey)
     const now = Date.now()
 
     if (entry) {
@@ -49,7 +71,7 @@ export function routeCache(options: CacheOptions): MiddlewareFn {
       // Stale but within revalidation window — serve stale, revalidate in background
       if (age < maxAge + staleWhileRevalidate && !entry.revalidating) {
         entry.revalidating = true
-        revalidate(cacheKey, ctx, next)
+        revalidate(cacheKey, store, next)
         return new Response(entry.body, {
           status: entry.status,
           headers: { ...entry.headers, "X-Cache": "STALE", "Age": String(Math.floor(age)) },
@@ -63,7 +85,7 @@ export function routeCache(options: CacheOptions): MiddlewareFn {
       const body = await response.text()
       const headers: Record<string, string> = {}
       response.headers.forEach((v, k) => { headers[k] = v })
-      store.set(cacheKey, { body, headers, status: response.status, createdAt: now })
+      await store.set(cacheKey, { body, headers, status: response.status, createdAt: now })
       return new Response(body, {
         status: response.status,
         headers: { ...headers, "X-Cache": "MISS" },
@@ -73,30 +95,31 @@ export function routeCache(options: CacheOptions): MiddlewareFn {
   }
 }
 
-async function revalidate(key: string, ctx: import("./middleware.ts").Context, next: () => Promise<Response>): Promise<void> {
+async function revalidate(key: string, store: CacheStore, next: () => Promise<Response>): Promise<void> {
   try {
     const response = await next()
     if (response.status === 200) {
       const body = await response.text()
       const headers: Record<string, string> = {}
       response.headers.forEach((v, k) => { headers[k] = v })
-      store.set(key, { body, headers, status: response.status, createdAt: Date.now() })
+      await store.set(key, { body, headers, status: response.status, createdAt: Date.now() })
     }
   } catch {
     // revalidation failed, stale entry stays
-    const entry = store.get(key)
+    const entry = await store.get(key)
     if (entry) entry.revalidating = false
   }
 }
 
 /** Invalidate cached entry by path */
-export function invalidateCache(path: string): void {
-  for (const key of store.keys()) {
-    if (key.startsWith(path)) store.delete(key)
+export async function invalidateCache(path: string): Promise<void> {
+  const keys = await defaultCacheStore.keys()
+  for await (const key of keys) {
+    if (key.startsWith(path)) await defaultCacheStore.delete(key)
   }
 }
 
 /** Clear all cached entries */
-export function clearCache(): void {
-  store.clear()
+export async function clearCache(): Promise<void> {
+  await defaultCacheStore.clear()
 }

package/src/server/html-shell.ts

@@ -0,0 +1,69 @@
+export interface HTMLWrapOptions {
+  title?: string
+  clientScript?: string
+  loaderData?: unknown
+  params?: Record<string, string>
+  cssFiles?: string[]
+  headElements?: string[]
+  bodyPrefix?: string[]
+  bodySuffix?: string[]
+}
+
+export function generateNonce(): string {
+  const bytes = new Uint8Array(16)
+  crypto.getRandomValues(bytes)
+  return btoa(String.fromCharCode(...bytes))
+}
+
+export function wrapHTML(
+  body: string,
+  nonce: string | undefined,
+  options: HTMLWrapOptions = {},
+): string {
+  const {
+    title = "Gorsee App",
+    clientScript,
+    loaderData,
+    params,
+    cssFiles = [],
+    headElements = [],
+    bodyPrefix = [],
+    bodySuffix = [],
+  } = options
+
+  let dataScript = ""
+  if (loaderData !== undefined) {
+    const json = JSON.stringify(loaderData).replace(/</g, "\\u003c")
+    dataScript = `\n  <script id="__GORSEE_DATA__" type="application/json"${renderNonceAttr(nonce)}>${json}</script>`
+  }
+
+  let paramsScript = ""
+  if (params && Object.keys(params).length > 0) {
+    paramsScript = `\n  <script${renderNonceAttr(nonce)}>window.__GORSEE_PARAMS__=${JSON.stringify(params)}</script>`
+  }
+
+  const clientTag = clientScript
+    ? `\n  <script type="module" src="${clientScript}"${renderNonceAttr(nonce)}></script>`
+    : ""
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>${title}</title>
+  <link rel="stylesheet" href="/styles.css" />
+${cssFiles.map((file) => `  <link rel="stylesheet" href="${file}" />`).join("\n")}
+${headElements.join("\n")}
+</head>
+<body>
+${bodyPrefix.join("\n")}
+  <div id="app">${body}</div>${dataScript}${paramsScript}${clientTag}
+${bodySuffix.join("\n")}
+</body>
+</html>`
+}
+
+function renderNonceAttr(nonce?: string): string {
+  return nonce ? ` nonce="${nonce}"` : ""
+}

package/src/server/index.ts

@@ -1,4 +1,13 @@
-export { server, handleRPCRequest, __registerRPC, getRPCHandler } from "./rpc.ts"
+export {
+  server,
+  handleRPCRequest,
+  __registerRPC,
+  getRPCHandler,
+  createMemoryRPCRegistry,
+  handleRPCRequestWithRegistry,
+  type RPCHandler,
+  type RPCRegistry,
+} from "./rpc.ts"
 export {
   middleware,
   createContext,
@@ -14,6 +23,35 @@ export { getMimeType } from "./mime.ts"
 export { fileETag, generateETag, isNotModified } from "./etag.ts"
 export { redirect, RedirectError, type CookieOptions } from "./middleware.ts"
 export { createSSEStream, createEventSource, type SSEOptions, type SSEStream, type EventSourceSignal } from "./sse.ts"
-export { routeCache, invalidateCache, clearCache, type CacheOptions } from "./cache.ts"
+export {
+  routeCache,
+  invalidateCache,
+  clearCache,
+  createMemoryCacheStore,
+  type CacheOptions,
+  type CacheEntry,
+  type CacheStore,
+} from "./cache.ts"
 export { createGuard, requireAuth, requireRole, allGuards, anyGuard } from "./guard.ts"
 export { pipe, when, forMethods, forPaths } from "./pipe.ts"
+export { createNamespacedCacheStore } from "./cache-utils.ts"
+export { createRedisCacheStore } from "./redis-cache-store.ts"
+export { createScopedRPCRegistry } from "./rpc-utils.ts"
+export { createSQLiteCacheStore } from "./sqlite-cache-store.ts"
+export {
+  type RedisLikeClient,
+  type NodeRedisClientLike,
+  type IORedisClientLike,
+  createNodeRedisLikeClient,
+  createIORedisLikeClient,
+  deleteExpiredRedisKeys,
+} from "./redis-client.ts"
+export {
+  loadBuildManifest,
+  getRouteBuildEntry,
+  getClientBundleForRoute,
+  isPrerenderedRoute,
+  getPrerenderedHtmlPath,
+  type BuildManifest,
+  type BuildManifestRoute,
+} from "./manifest.ts"

package/src/server/manifest.ts

@@ -0,0 +1,36 @@
+import { join } from "node:path"
+import { readFile } from "node:fs/promises"
+
+export interface BuildManifestRoute {
+  js?: string
+  hasLoader: boolean
+  prerendered?: boolean
+}
+
+export interface BuildManifest {
+  routes: Record<string, BuildManifestRoute>
+  chunks: string[]
+  prerendered: string[]
+  buildTime: string
+}
+
+export async function loadBuildManifest(distDir: string): Promise<BuildManifest> {
+  const raw = await readFile(join(distDir, "manifest.json"), "utf-8")
+  return JSON.parse(raw) as BuildManifest
+}
+
+export function getRouteBuildEntry(manifest: BuildManifest, pathname: string): BuildManifestRoute | undefined {
+  return manifest.routes[pathname]
+}
+
+export function getClientBundleForRoute(manifest: BuildManifest, pathname: string): string | undefined {
+  return getRouteBuildEntry(manifest, pathname)?.js
+}
+
+export function isPrerenderedRoute(manifest: BuildManifest, pathname: string): boolean {
+  return getRouteBuildEntry(manifest, pathname)?.prerendered === true
+}
+
+export function getPrerenderedHtmlPath(pathname: string): string {
+  return pathname === "/" ? "index.html" : join(pathname.slice(1), "index.html")
+}

package/src/server/middleware.ts

@@ -40,8 +40,12 @@ export function middleware(fn: MiddlewareFn): MiddlewareFn {
   return fn
 }
 
+function sanitizeCookiePart(str: string): string {
+  return str.replace(/[\r\n;,]/g, "")
+}
+
 function serializeCookie(name: string, value: string, options: CookieOptions = {}): string {
-  let cookie = `${name}=${value}`
+  let cookie = `${sanitizeCookiePart(name)}=${sanitizeCookiePart(value)}`
   if (options.maxAge !== undefined) cookie += `; Max-Age=${options.maxAge}`
   if (options.expires) cookie += `; Expires=${options.expires.toUTCString()}`
   cookie += `; Path=${options.path ?? "/"}`
@@ -77,9 +81,21 @@ export function createContext(request: Request, params: Record<string, string> =
     responseHeaders,
 
     redirect(target: string, status = 302) {
+      // Prevent open redirect: only allow relative paths or same-origin URLs
+      let safeTarget = target
+      if (target.startsWith("//") || /^[a-zA-Z][a-zA-Z\d+\-.]*:/.test(target)) {
+        try {
+          const targetUrl = new URL(target)
+          if (targetUrl.origin !== url.origin) {
+            safeTarget = "/"
+          }
+        } catch {
+          safeTarget = "/"
+        }
+      }
       const res = new Response(null, {
         status,
-        headers: { Location: target },
+        headers: { Location: safeTarget },
       })
       // Apply pending cookies to redirect response
       for (const cookie of pendingCookies) {

package/src/server/not-found.ts

@@ -0,0 +1,35 @@
+import { join } from "node:path"
+import { wrapHTML, type HTMLWrapOptions } from "./html-shell.ts"
+
+interface NotFoundOptions extends Pick<HTMLWrapOptions, "bodyPrefix" | "bodySuffix" | "headElements"> {
+  title?: string
+}
+
+export async function renderNotFoundPage(
+  routesDir: string,
+  nonce: string,
+  options: NotFoundOptions = {},
+): Promise<string> {
+  const { title = "404 - Not Found", bodyPrefix, bodySuffix, headElements } = options
+
+  try {
+    const notFoundPath = join(routesDir, "404.tsx")
+    const file = Bun.file(notFoundPath)
+    if (await file.exists()) {
+      const mod = await import(notFoundPath)
+      if (typeof mod.default === "function") {
+        const { ssrJsx, renderToString } = await import("../runtime/server.ts")
+        const vnode = ssrJsx(mod.default as any, {})
+        const body = renderToString(vnode)
+        return wrapHTML(body, nonce, { title, bodyPrefix, bodySuffix, headElements })
+      }
+    }
+  } catch {}
+
+  return wrapHTML("<h1>404</h1><p>Page not found</p>", nonce, {
+    title,
+    bodyPrefix,
+    bodySuffix,
+    headElements,
+  })
+}

package/src/server/page-render.ts

@@ -0,0 +1,123 @@
+import { resetServerHead, getServerHead } from "../runtime/head.ts"
+import { renderToString, ssrJsx } from "../runtime/server.ts"
+import type { Context } from "./middleware.ts"
+import type { MatchResult } from "../router/matcher.ts"
+
+type PageModule = Record<string, unknown>
+
+export interface ResolvedPageRoute {
+  component: Function
+  pageComponent: Function
+  loaderData: unknown
+  cssFiles: string[]
+  renderMode: string
+}
+
+export interface RenderedPage {
+  html: string
+  headElements: string[]
+  title?: string
+}
+
+export interface PartialResponsePayload {
+  html: string
+  data?: unknown
+  params?: Record<string, string>
+  title?: string
+  css?: string[]
+  script?: string
+}
+
+export async function resolvePageRoute(
+  mod: PageModule,
+  match: MatchResult,
+  ctx: Context,
+): Promise<ResolvedPageRoute | null> {
+  const component = mod.default as Function | undefined
+  if (typeof component !== "function") return null
+
+  const layoutPaths = match.route.layoutPaths ?? []
+  const layoutImportPromises = layoutPaths.map((layoutPath) => import(layoutPath))
+  const pageLoaderPromise = typeof mod.loader === "function" ? mod.loader(ctx) : undefined
+
+  const [layoutMods, loaderData] = await Promise.all([
+    Promise.all(layoutImportPromises),
+    pageLoaderPromise,
+  ])
+
+  const layoutLoaderPromises = layoutMods.map((layoutMod) =>
+    typeof layoutMod.loader === "function" ? layoutMod.loader(ctx) : undefined,
+  )
+  const layoutLoaderResults = await Promise.all(layoutLoaderPromises)
+
+  const cssFiles: string[] = []
+  if (typeof mod.css === "string") cssFiles.push(mod.css)
+  if (Array.isArray(mod.css)) cssFiles.push(...(mod.css as string[]))
+
+  let pageComponent: Function = component
+  for (let i = layoutMods.length - 1; i >= 0; i--) {
+    const Layout = layoutMods[i]!.default
+    if (typeof Layout === "function") {
+      const inner = pageComponent
+      const layoutData = layoutLoaderResults[i]
+      pageComponent = (props: Record<string, unknown>) =>
+        Layout({ ...props, data: layoutData, children: inner(props) })
+    }
+  }
+
+  return {
+    component,
+    pageComponent,
+    loaderData,
+    cssFiles,
+    renderMode: (mod.render as string) ?? "async",
+  }
+}
+
+export function createClientScriptPath(entryFile?: string): string | undefined {
+  return entryFile ? `/_gorsee/${entryFile}` : undefined
+}
+
+export function renderPageDocument(
+  pageComponent: Function,
+  ctx: Context,
+  params: Record<string, string>,
+  loaderData: unknown,
+): RenderedPage {
+  resetServerHead()
+  const pageProps = { params, ctx, data: loaderData }
+  const vnode = ssrJsx(pageComponent as any, pageProps)
+  const html = renderToString(vnode)
+  const headElements = getServerHead()
+
+  return {
+    html,
+    headElements,
+    title: extractTitle(headElements),
+  }
+}
+
+export function buildPartialResponsePayload(
+  rendered: RenderedPage,
+  loaderData: unknown,
+  params: Record<string, string>,
+  cssFiles: string[],
+  clientScript?: string,
+): PartialResponsePayload {
+  return {
+    html: rendered.html,
+    data: loaderData,
+    params: Object.keys(params).length > 0 ? params : undefined,
+    title: rendered.title,
+    css: cssFiles.length > 0 ? cssFiles : undefined,
+    script: clientScript,
+  }
+}
+
+export function extractTitle(headElements: string[]): string | undefined {
+  for (const element of headElements) {
+    const titleMatch = element.match(/<title>(.+?)<\/title>/)
+    if (titleMatch) return titleMatch[1]
+  }
+  return undefined
+}

package/src/server/redis-cache-store.ts

@@ -0,0 +1,87 @@
+import type { CacheEntry, CacheStore } from "./cache.ts"
+import {
+  buildRedisKey,
+  deleteExpiredRedisKeys,
+  stripRedisPrefix,
+  type RedisLikeClient,
+} from "./redis-client.ts"
+
+interface RedisCacheStoreOptions {
+  prefix?: string
+  maxEntryAgeMs?: number
+}
+
+interface StoredCacheEntry {
+  entry: CacheEntry
+}
+
+function isExpired(entry: CacheEntry, maxEntryAgeMs: number): boolean {
+  return Date.now() - entry.createdAt > maxEntryAgeMs
+}
+
+export function createRedisCacheStore(
+  client: RedisLikeClient,
+  options: RedisCacheStoreOptions = {},
+): CacheStore & { deleteExpired(): Promise<number> } {
+  const prefix = options.prefix ?? "gorsee:cache"
+  const maxEntryAgeMs = options.maxEntryAgeMs ?? 24 * 60 * 60 * 1000
+
+  return {
+    async get(key) {
+      const raw = await client.get(buildRedisKey(prefix, key))
+      if (!raw) return undefined
+      const payload = JSON.parse(raw) as StoredCacheEntry
+      if (isExpired(payload.entry, maxEntryAgeMs)) {
+        await client.del(buildRedisKey(prefix, key))
+        return undefined
+      }
+      return payload.entry
+    },
+    async set(key, entry) {
+      const redisKey = buildRedisKey(prefix, key)
+      await client.set(redisKey, JSON.stringify({ entry } satisfies StoredCacheEntry))
+      if (client.expire) {
+        await client.expire(redisKey, Math.max(1, Math.ceil(maxEntryAgeMs / 1000)))
+      }
+    },
+    async delete(key) {
+      await client.del(buildRedisKey(prefix, key))
+    },
+    async clear() {
+      const keys = await client.keys(`${prefix}:*`)
+      if (keys.length === 0) return
+      for (const key of keys) await client.del(key)
+    },
+    async keys() {
+      const keys = await client.keys(`${prefix}:*`)
+      const visibleKeys: string[] = []
+      for (const key of keys) {
+        const raw = await client.get(key)
+        if (!raw) continue
+        const payload = JSON.parse(raw) as StoredCacheEntry
+        if (isExpired(payload.entry, maxEntryAgeMs)) {
+          await client.del(key)
+          continue
+        }
+        visibleKeys.push(stripRedisPrefix(prefix, key))
+      }
+      return visibleKeys
+    },
+    async deleteExpired() {
+      return deleteExpiredRedisKeys(
+        client,
+        `${prefix}:*`,
+        Date.now(),
+        (raw) => {
+          try {
+            const payload = JSON.parse(raw) as StoredCacheEntry
+            return payload.entry.createdAt
+          } catch {
+            return undefined
+          }
+        },
+        maxEntryAgeMs,
+      )
+    },
+  }
+}

package/src/server/redis-client.ts

@@ -0,0 +1,71 @@
+type Awaitable<T> = T | Promise<T>
+
+export interface RedisLikeClient {
+  get(key: string): Awaitable<string | null>
+  set(key: string, value: string): Awaitable<unknown>
+  del(key: string): Awaitable<number>
+  keys(pattern: string): Awaitable<string[]>
+  expire?(key: string, seconds: number): Awaitable<number>
+  ttl?(key: string): Awaitable<number>
+}
+
+export function buildRedisKey(prefix: string, key: string): string {
+  return `${prefix}:${key}`
+}
+
+export function stripRedisPrefix(prefix: string, key: string): string {
+  const expected = `${prefix}:`
+  return key.startsWith(expected) ? key.slice(expected.length) : key
+}
+
+export interface NodeRedisClientLike {
+  get(key: string): Awaitable<string | null>
+  set(key: string, value: string): Awaitable<unknown>
+  del(key: string): Awaitable<number>
+  keys(pattern: string): Awaitable<string[]>
+  expire?(key: string, seconds: number): Awaitable<number>
+  ttl?(key: string): Awaitable<number>
+}
+
+export interface IORedisClientLike {
+  get(key: string): Awaitable<string | null>
+  set(key: string, value: string): Awaitable<unknown>
+  del(key: string): Awaitable<number>
+  keys(pattern: string): Awaitable<string[]>
+  expire?(key: string, seconds: number): Awaitable<number>
+  ttl?(key: string): Awaitable<number>
+}
+
+export function createNodeRedisLikeClient(client: NodeRedisClientLike): RedisLikeClient {
+  return {
+    get: (key) => client.get(key),
+    set: (key, value) => client.set(key, value),
+    del: (key) => client.del(key),
+    keys: (pattern) => client.keys(pattern),
+    expire: client.expire ? (key, seconds) => client.expire!(key, seconds) : undefined,
+    ttl: client.ttl ? (key) => client.ttl!(key) : undefined,
+  }
+}
+
+export function createIORedisLikeClient(client: IORedisClientLike): RedisLikeClient {
+  return createNodeRedisLikeClient(client)
+}
+
+export async function deleteExpiredRedisKeys(
+  client: RedisLikeClient,
+  pattern: string,
+  now: number,
+  parseCreatedAt: (value: string) => number | undefined,
+  maxEntryAgeMs: number,
+): Promise<number> {
+  let deleted = 0
+  for (const key of await client.keys(pattern)) {
+    const raw = await client.get(key)
+    if (raw === null) continue
+    const createdAt = parseCreatedAt(raw)
+    if (createdAt === undefined) continue
+    if (createdAt > now - maxEntryAgeMs) continue
+    deleted += await client.del(key)
+  }
+  return deleted
+}

package/src/server/request-preflight.ts

@@ -0,0 +1,45 @@
+import { handleRPCRequest, handleRPCRequestWithRegistry, type RPCRegistry } from "./rpc.ts"
+
+interface RateLimitResult {
+  allowed: boolean
+  resetAt: number
+}
+
+interface RateLimiterLike {
+  check(key: string): RateLimitResult
+}
+
+export function createRateLimitResponse(
+  rateLimiter: RateLimiterLike,
+  key: string,
+): Response | null {
+  const result = rateLimiter.check(key)
+  if (result.allowed) return null
+
+  return new Response("Too Many Requests", {
+    status: 429,
+    headers: {
+      "Retry-After": String(Math.ceil((result.resetAt - Date.now()) / 1000)),
+    },
+  })
+}
+
+export function applyResponseHeaders(
+  response: Response,
+  headers: Record<string, string>,
+): Response {
+  for (const key in headers) response.headers.set(key, headers[key]!)
+  return response
+}
+
+export async function handleRPCWithHeaders(
+  request: Request,
+  headers: Record<string, string>,
+  registry?: Pick<RPCRegistry, "getHandler">,
+): Promise<Response | null> {
+  const response = registry
+    ? await handleRPCRequestWithRegistry(request, registry)
+    : await handleRPCRequest(request)
+  if (!response) return null
+  return applyResponseHeaders(response, headers)
+}