h3 1.3.0 → 1.5.0

package/README.md

@@ -1,7 +1,7 @@
 [![npm downloads](https://img.shields.io/npm/dm/h3.svg?style=flat-square)](https://npmjs.com/package/h3)
 [![version](https://img.shields.io/npm/v/h3/latest.svg?style=flat-square)](https://npmjs.com/package/h3)
 [![bundlephobia](https://img.shields.io/bundlephobia/min/h3/latest.svg?style=flat-square)](https://bundlephobia.com/result?p=h3)
-[![build status](https://img.shields.io/github/workflow/status/unjs/h3/ci/main?style=flat-square)](https://github.com/unjs/h3/actions)
+[![build status](https://img.shields.io/github/actions/workflow/status/unjs/h3/ci.yml?branch=main&style=flat-square)](https://github.com/unjs/h3/actions)
 [![coverage](https://img.shields.io/codecov/c/gh/unjs/h3/main?style=flat-square)](https://codecov.io/gh/unjs/h3)
 [![jsDocs.io](https://img.shields.io/badge/jsDocs.io-reference-blue?style=flat-square)](https://www.jsdocs.io/package/h3)
 
@@ -110,6 +110,19 @@ app.use(eventHandler(() => '<h1>Hello world!</h1>'))
 app.use('/1', eventHandler(() => '<h1>Hello world!</h1>'))
    .use('/2', eventHandler(() => '<h1>Goodbye!</h1>'))
 
+// We can proxy requests and rewrite cookie's domain and path
+app.use('/api', eventHandler((event) => proxyRequest('https://example.com', {
+  // f.e. keep one domain unchanged, rewrite one domain and remove other domains
+  cookieDomainRewrite: {
+    "example.com": "example.com",
+    "example.com": "somecompany.co.uk",
+    "*": "",
+  },
+  cookiePathRewrite: {
+    "/": "/api"
+  },
+}))
+
 // Legacy middleware with 3rd argument are automatically promisified
 app.use(fromNodeMiddleware((req, res, next) => { req.setHeader('x-foo', 'bar'); next() }))
 
@@ -146,8 +159,8 @@ H3 has a concept of composable utilities that accept `event` (from `eventHandler
 - `isMethod(event, expected, allowHead?)`
 - `assertMethod(event, expected, allowHead?)`
 - `createError({ statusCode, statusMessage, data? })`
-- `sendProxy(event, { target, headers?, fetchOptions?, fetch?, sendStream? })`
-- `proxyRequest(event, { target, headers?, fetchOptions?, fetch?, sendStream? })`
+- `sendProxy(event, { target, ...options })`
+- `proxyRequest(event, { target, ...options })`
 - `fetchWithEvent(event, req, init, { fetch? }?)`
 - `getProxyRequestHeaders(event)`
 - `sendNoContent(event, code = 204)`
@@ -155,10 +168,17 @@ H3 has a concept of composable utilities that accept `event` (from `eventHandler
 - `getResponseStatus(event)`
 - `getResponseStatusText(event)`
 - `readMultipartFormData(event)`
-- `useSession(event, { password, name?, cookie?, seal?, crypto? })`
-- `getSession(event, { password, name?, cookie?, seal?, crypto? })`
-- `updateSession(event, { password, name?, cookie?, seal?, crypto? }), update)`
-- `clearSession(event, { password, name?, cookie?, seal?, crypto? }))`
+- `useSession(event, config = { password, maxAge?, name?, cookie?, seal?, crypto? })`
+- `getSession(event, config)`
+- `updateSession(event, config, update)`
+- `clearSession(event, config)`
+- `sealSession(event, config)`
+- `unsealSession(event, config, sealed)`
+- `handleCors(options)` (see [h3-cors](https://github.com/NozomuIkuta/h3-cors) for more detail about options)
+- `isPreflightRequest(event)`
+- `isCorsOriginAllowed(event)`
+- `appendCorsHeaders(event, options)` (see [h3-cors](https://github.com/NozomuIkuta/h3-cors) for more detail about options)
+- `appendCorsPreflightHeaders(event, options)` (see [h3-cors](https://github.com/NozomuIkuta/h3-cors) for more detail about options)
 
 👉 You can learn more about usage in [JSDocs Documentation](https://www.jsdocs.io/package/h3#package-functions).
 
@@ -170,9 +190,6 @@ Please check their READMEs for more details.
 
 PRs are welcome to add your packages.
 
-- [h3-cors](https://github.com/NozomuIkuta/h3-cors)
-  - `defineCorsEventHandler(options)`
-  - `isPreflight(event)`
 - [h3-typebox](https://github.com/kevinmarrec/h3-typebox)
   - `validateBody(event, schema)`
   - `validateQuery(event, schema)`

package/dist/index.cjs

@@ -6,6 +6,7 @@ const destr = require('destr');
 const cookieEs = require('cookie-es');
 const crypto = require('uncrypto');
 const ironWebcrypto = require('iron-webcrypto');
+const defu = require('defu');
 
 function useBase(base, handler) {
   base = ufo.withoutTrailingSlash(base);
@@ -380,6 +381,59 @@ function deleteCookie(event, name, serializeOptions) {
   });
 }
 
+function splitCookiesString(cookiesString) {
+  if (typeof cookiesString !== "string") {
+    return [];
+  }
+  const cookiesStrings = [];
+  let pos = 0;
+  let start;
+  let ch;
+  let lastComma;
+  let nextStart;
+  let cookiesSeparatorFound;
+  function skipWhitespace() {
+    while (pos < cookiesString.length && /\s/.test(cookiesString.charAt(pos))) {
+      pos += 1;
+    }
+    return pos < cookiesString.length;
+  }
+  function notSpecialChar() {
+    ch = cookiesString.charAt(pos);
+    return ch !== "=" && ch !== ";" && ch !== ",";
+  }
+  while (pos < cookiesString.length) {
+    start = pos;
+    cookiesSeparatorFound = false;
+    while (skipWhitespace()) {
+      ch = cookiesString.charAt(pos);
+      if (ch === ",") {
+        lastComma = pos;
+        pos += 1;
+        skipWhitespace();
+        nextStart = pos;
+        while (pos < cookiesString.length && notSpecialChar()) {
+          pos += 1;
+        }
+        if (pos < cookiesString.length && cookiesString.charAt(pos) === "=") {
+          cookiesSeparatorFound = true;
+          pos = nextStart;
+          cookiesStrings.push(cookiesString.slice(start, lastComma));
+          start = pos;
+        } else {
+          pos = lastComma + 1;
+        }
+      } else {
+        pos += 1;
+      }
+    }
+    if (!cookiesSeparatorFound || pos >= cookiesString.length) {
+      cookiesStrings.push(cookiesString.slice(start, cookiesString.length));
+    }
+  }
+  return cookiesStrings;
+}
+
 const PayloadMethods = /* @__PURE__ */ new Set(["PATCH", "POST", "PUT", "DELETE"]);
 const ignoredHeaders = /* @__PURE__ */ new Set([
   "transfer-encoding",
@@ -426,6 +480,27 @@ async function sendProxy(event, target, opts = {}) {
     if (key === "content-length") {
       continue;
     }
+    if (key === "set-cookie") {
+      const cookies = splitCookiesString(value).map((cookie) => {
+        if (opts.cookieDomainRewrite) {
+          cookie = rewriteCookieProperty(
+            cookie,
+            opts.cookieDomainRewrite,
+            "domain"
+          );
+        }
+        if (opts.cookiePathRewrite) {
+          cookie = rewriteCookieProperty(
+            cookie,
+            opts.cookiePathRewrite,
+            "path"
+          );
+        }
+        return cookie;
+      });
+      event.node.res.setHeader("set-cookie", cookies);
+      continue;
+    }
     event.node.res.setHeader(key, value);
   }
   if (response._data !== void 0) {
@@ -472,6 +547,23 @@ function _getFetch(_fetch) {
     "fetch is not available. Try importing `node-fetch-native/polyfill` for Node.js."
   );
 }
+function rewriteCookieProperty(header, map, property) {
+  const _map = typeof map === "string" ? { "*": map } : map;
+  return header.replace(
+    new RegExp(`(;\\s*${property}=)([^;]+)`, "gi"),
+    (match, prefix, previousValue) => {
+      let newValue;
+      if (previousValue in _map) {
+        newValue = _map[previousValue];
+      } else if ("*" in _map) {
+        newValue = _map["*"];
+      } else {
+        return match;
+      }
+      return newValue ? prefix + newValue : "";
+    }
+  );
+}
 
 const defer = typeof setImmediate !== "undefined" ? setImmediate : (fn) => fn();
 function send(event, data, type) {
@@ -640,21 +732,35 @@ async function getSession(event, config) {
   if (event.context.sessions[sessionName]) {
     return event.context.sessions[sessionName];
   }
-  const session = { id: "", data: /* @__PURE__ */ Object.create(null) };
+  const session = {
+    id: "",
+    createdAt: 0,
+    data: /* @__PURE__ */ Object.create(null)
+  };
   event.context.sessions[sessionName] = session;
-  const reqCookie = getCookie(event, sessionName);
-  if (!reqCookie) {
-    session.id = (config.crypto || crypto).randomUUID();
-    await updateSession(event, config);
-  } else {
-    const unsealed = await ironWebcrypto.unseal(
-      config.crypto || crypto,
-      reqCookie,
-      config.password,
-      config.seal || ironWebcrypto.defaults
+  let sealedSession;
+  if (config.sessionHeader !== false) {
+    const headerName = typeof config.sessionHeader === "string" ? config.sessionHeader.toLowerCase() : `x-${sessionName.toLowerCase()}-session`;
+    const headerValue = event.node.req.headers[headerName];
+    if (typeof headerValue === "string") {
+      sealedSession = headerValue;
+    }
+  }
+  if (!sealedSession) {
+    sealedSession = getCookie(event, sessionName);
+  }
+  if (sealedSession) {
+    const unsealed = await unsealSession(event, config, sealedSession).catch(
+      () => {
+      }
     );
     Object.assign(session, unsealed);
   }
+  if (!session.id) {
+    session.id = (config.crypto || crypto).randomUUID();
+    session.createdAt = Date.now();
+    await updateSession(event, config);
+  }
   return session;
 }
 async function updateSession(event, config, update) {
@@ -666,21 +772,168 @@ async function updateSession(event, config, update) {
   if (update) {
     Object.assign(session.data, update);
   }
-  const sealed = await ironWebcrypto.seal(
+  if (config.cookie !== false) {
+    const sealed = await sealSession(event, config);
+    setCookie(event, sessionName, sealed, {
+      ...DEFAULT_COOKIE,
+      expires: config.maxAge ? new Date(session.createdAt + config.maxAge * 1e3) : void 0,
+      ...config.cookie
+    });
+  }
+  return session;
+}
+async function sealSession(event, config) {
+  const sessionName = config.name || DEFAULT_NAME;
+  const session = event.context.sessions?.[sessionName] || await getSession(event, config);
+  const sealed = await ironWebcrypto.seal(config.crypto || crypto, session, config.password, {
+    ...ironWebcrypto.defaults,
+    ttl: config.maxAge ? config.maxAge * 1e3 : 0,
+    ...config.seal
+  });
+  return sealed;
+}
+async function unsealSession(_event, config, sealed) {
+  const unsealed = await ironWebcrypto.unseal(
     config.crypto || crypto,
-    session,
+    sealed,
     config.password,
-    config.seal || ironWebcrypto.defaults
+    {
+      ...ironWebcrypto.defaults,
+      ttl: config.maxAge ? config.maxAge * 1e3 : 0,
+      ...config.seal
+    }
   );
-  setCookie(event, sessionName, sealed, config.cookie || DEFAULT_COOKIE);
-  return session;
+  if (config.maxAge) {
+    const age = Date.now() - (unsealed.createdAt || Number.NEGATIVE_INFINITY);
+    if (age > config.maxAge * 1e3) {
+      throw new Error("Session expired!");
+    }
+  }
+  return unsealed;
 }
 async function clearSession(event, config) {
   const sessionName = config.name || DEFAULT_NAME;
   if (event.context.sessions?.[sessionName]) {
     delete event.context.sessions[sessionName];
   }
-  await setCookie(event, sessionName, "", config.cookie || DEFAULT_COOKIE);
+  await setCookie(event, sessionName, "", {
+    ...DEFAULT_COOKIE,
+    ...config.cookie
+  });
+}
+
+function resolveCorsOptions(options = {}) {
+  const defaultOptions = {
+    origin: "*",
+    methods: "*",
+    allowHeaders: "*",
+    exposeHeaders: "*",
+    credentials: false,
+    maxAge: false,
+    preflight: {
+      statusCode: 204
+    }
+  };
+  return defu.defu(options, defaultOptions);
+}
+function isPreflightRequest(event) {
+  const method = getMethod(event);
+  const origin = getRequestHeader(event, "origin");
+  const accessControlRequestMethod = getRequestHeader(
+    event,
+    "access-control-request-method"
+  );
+  return method === "OPTIONS" && !!origin && !!accessControlRequestMethod;
+}
+function isCorsOriginAllowed(origin, options) {
+  const { origin: originOption } = options;
+  if (!origin || !originOption || originOption === "*" || originOption === "null") {
+    return true;
+  }
+  if (Array.isArray(originOption)) {
+    return originOption.some((_origin) => {
+      if (_origin instanceof RegExp) {
+        return _origin.test(origin);
+      }
+      return origin === _origin;
+    });
+  }
+  return originOption(origin);
+}
+function createOriginHeaders(event, options) {
+  const { origin: originOption } = options;
+  const origin = getRequestHeader(event, "origin");
+  if (!origin || !originOption || originOption === "*") {
+    return { "access-control-allow-origin": "*" };
+  }
+  if (typeof originOption === "string") {
+    return { "access-control-allow-origin": originOption, vary: "origin" };
+  }
+  return isCorsOriginAllowed(origin, options) ? { "access-control-allow-origin": origin, vary: "origin" } : {};
+}
+function createMethodsHeaders(options) {
+  const { methods } = options;
+  if (!methods) {
+    return {};
+  }
+  if (methods === "*") {
+    return { "access-control-allow-methods": "*" };
+  }
+  return methods.length > 0 ? { "access-control-allow-methods": methods.join(",") } : {};
+}
+function createCredentialsHeaders(options) {
+  const { credentials } = options;
+  if (credentials) {
+    return { "access-control-allow-credentials": "true" };
+  }
+  return {};
+}
+function createAllowHeaderHeaders(event, options) {
+  const { allowHeaders } = options;
+  if (!allowHeaders || allowHeaders === "*" || allowHeaders.length === 0) {
+    const header = getRequestHeader(event, "access-control-request-headers");
+    return header ? {
+      "access-control-allow-headers": header,
+      vary: "access-control-request-headers"
+    } : {};
+  }
+  return {
+    "access-control-allow-headers": allowHeaders.join(","),
+    vary: "access-control-request-headers"
+  };
+}
+function createExposeHeaders(options) {
+  const { exposeHeaders } = options;
+  if (!exposeHeaders) {
+    return {};
+  }
+  if (exposeHeaders === "*") {
+    return { "access-control-expose-headers": exposeHeaders };
+  }
+  return { "access-control-expose-headers": exposeHeaders.join(",") };
+}
+function appendCorsPreflightHeaders(event, options) {
+  appendHeaders(event, createOriginHeaders(event, options));
+  appendHeaders(event, createCredentialsHeaders(options));
+  appendHeaders(event, createExposeHeaders(options));
+  appendHeaders(event, createMethodsHeaders(options));
+  appendHeaders(event, createAllowHeaderHeaders(event, options));
+}
+function appendCorsHeaders(event, options) {
+  appendHeaders(event, createOriginHeaders(event, options));
+  appendHeaders(event, createCredentialsHeaders(options));
+  appendHeaders(event, createExposeHeaders(options));
+}
+
+function handleCors(event, options) {
+  const _options = resolveCorsOptions(options);
+  if (isPreflightRequest(event)) {
+    appendCorsPreflightHeaders(event, options);
+    sendNoContent(event, _options.preflight.statusCode);
+    return true;
+  }
+  appendCorsHeaders(event, options);
+  return false;
 }
 
 class H3Headers {
@@ -1137,6 +1390,8 @@ exports.H3Event = H3Event;
 exports.H3Headers = H3Headers;
 exports.H3Response = H3Response;
 exports.MIMES = MIMES;
+exports.appendCorsHeaders = appendCorsHeaders;
+exports.appendCorsPreflightHeaders = appendCorsPreflightHeaders;
 exports.appendHeader = appendHeader;
 exports.appendHeaders = appendHeaders;
 exports.appendResponseHeader = appendResponseHeader;
@@ -1175,10 +1430,13 @@ exports.getRouterParam = getRouterParam;
 exports.getRouterParams = getRouterParams;
 exports.getSession = getSession;
 exports.handleCacheHeaders = handleCacheHeaders;
+exports.handleCors = handleCors;
+exports.isCorsOriginAllowed = isCorsOriginAllowed;
 exports.isError = isError;
 exports.isEvent = isEvent;
 exports.isEventHandler = isEventHandler;
 exports.isMethod = isMethod;
+exports.isPreflightRequest = isPreflightRequest;
 exports.isStream = isStream;
 exports.lazyEventHandler = lazyEventHandler;
 exports.parseCookies = parseCookies;
@@ -1187,6 +1445,7 @@ exports.proxyRequest = proxyRequest;
 exports.readBody = readBody;
 exports.readMultipartFormData = readMultipartFormData;
 exports.readRawBody = readRawBody;
+exports.sealSession = sealSession;
 exports.send = send;
 exports.sendError = sendError;
 exports.sendNoContent = sendNoContent;
@@ -1201,6 +1460,7 @@ exports.setResponseHeaders = setResponseHeaders;
 exports.setResponseStatus = setResponseStatus;
 exports.toEventHandler = toEventHandler;
 exports.toNodeListener = toNodeListener;
+exports.unsealSession = unsealSession;
 exports.updateSession = updateSession;
 exports.use = use;
 exports.useBase = useBase;

package/dist/index.d.ts

@@ -8,12 +8,20 @@ type SessionDataT = Record<string, any>;
 type SessionData<T extends SessionDataT = SessionDataT> = T;
 interface Session<T extends SessionDataT = SessionDataT> {
     id: string;
+    createdAt: number;
     data: SessionData<T>;
 }
 interface SessionConfig {
+    /** Private key used to encrypt session tokens */
     password: string;
+    /** Session expiration time in seconds */
+    maxAge?: number;
+    /** default is h3 */
     name?: string;
-    cookie?: CookieSerializeOptions;
+    /** Default is secure, httpOnly, / */
+    cookie?: false | CookieSerializeOptions;
+    /** Default is x-h3-session / x-{name}-session */
+    sessionHeader?: false | string;
     seal?: SealOptions;
     crypto?: Crypto;
 }
@@ -26,6 +34,8 @@ declare function useSession<T extends SessionDataT = SessionDataT>(event: H3Even
 declare function getSession<T extends SessionDataT = SessionDataT>(event: H3Event, config: SessionConfig): Promise<Session<T>>;
 type SessionUpdate<T extends SessionDataT = SessionDataT> = Partial<SessionData<T>> | ((oldData: SessionData<T>) => Partial<SessionData<T>> | undefined);
 declare function updateSession<T extends SessionDataT = SessionDataT>(event: H3Event, config: SessionConfig, update?: SessionUpdate<T>): Promise<Session<T>>;
+declare function sealSession<T extends SessionDataT = SessionDataT>(event: H3Event, config: SessionConfig): Promise<string>;
+declare function unsealSession(_event: H3Event, config: SessionConfig, sealed: string): Promise<Partial<Session<SessionDataT>>>;
 declare function clearSession(event: H3Event, config: SessionConfig): Promise<void>;
 
 type HTTPMethod = "GET" | "HEAD" | "PATCH" | "POST" | "PUT" | "DELETE" | "CONNECT" | "OPTIONS" | "TRACE";
@@ -291,6 +301,8 @@ interface ProxyOptions {
     fetchOptions?: RequestInit;
     fetch?: typeof fetch;
     sendStream?: boolean;
+    cookieDomainRewrite?: string | Record<string, string>;
+    cookiePathRewrite?: string | Record<string, string>;
 }
 declare function proxyRequest(event: H3Event, target: string, opts?: ProxyOptions): Promise<any>;
 declare function sendProxy(event: H3Event, target: string, opts?: ProxyOptions): Promise<any>;
@@ -338,6 +350,25 @@ declare function isStream(data: any): any;
 declare function sendStream(event: H3Event, data: any): Promise<void>;
 declare function writeEarlyHints(event: H3Event, hints: string | string[] | Record<string, string | string[]>, cb?: () => void): void;
 
+interface H3CorsOptions {
+    origin?: "*" | "null" | (string | RegExp)[] | ((origin: string) => boolean);
+    methods?: "*" | HTTPMethod[];
+    allowHeaders?: "*" | string[];
+    exposeHeaders?: "*" | string[];
+    credentials?: boolean;
+    maxAge?: string | false;
+    preflight?: {
+        statusCode?: number;
+    };
+}
+
+declare function handleCors(event: H3Event, options: H3CorsOptions): boolean;
+
+declare function isPreflightRequest(event: H3Event): boolean;
+declare function isCorsOriginAllowed(origin: ReturnType<typeof getRequestHeaders>["origin"], options: H3CorsOptions): boolean;
+declare function appendCorsPreflightHeaders(event: H3Event, options: H3CorsOptions): void;
+declare function appendCorsHeaders(event: H3Event, options: H3CorsOptions): void;
+
 type RouterMethod = Lowercase<HTTPMethod>;
 type RouterUse = (path: string, handler: EventHandler, method?: RouterMethod | RouterMethod[]) => Router;
 type AddRouteShortcuts = Record<RouterMethod, RouterUse>;
@@ -353,4 +384,4 @@ interface CreateRouterOptions {
 }
 declare function createRouter(opts?: CreateRouterOptions): Router;
 
-export { AddRouteShortcuts, App, AppOptions, AppUse, CacheConditions, CreateRouterOptions, DynamicEventHandler, Encoding, EventHandler, EventHandlerResponse, H3Error, H3Event, H3EventContext, H3Headers, H3Response, HTTPMethod, InputLayer, InputStack, Layer, LazyEventHandler, MIMES, Matcher, NodeEventContext, NodeListener, NodeMiddleware, NodePromisifiedHandler, ProxyOptions, RequestHeaders, Router, RouterMethod, RouterUse, Session, SessionConfig, SessionData, Stack, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, isError, isEvent, isEventHandler, isMethod, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, toEventHandler, toNodeListener, updateSession, use, useBase, useSession, writeEarlyHints };
+export { AddRouteShortcuts, App, AppOptions, AppUse, CacheConditions, CreateRouterOptions, DynamicEventHandler, Encoding, EventHandler, EventHandlerResponse, H3CorsOptions, H3Error, H3Event, H3EventContext, H3Headers, H3Response, HTTPMethod, InputLayer, InputStack, Layer, LazyEventHandler, MIMES, Matcher, MultiPartData, NodeEventContext, NodeListener, NodeMiddleware, NodePromisifiedHandler, ProxyOptions, RequestHeaders, Router, RouterMethod, RouterUse, Session, SessionConfig, SessionData, Stack, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, handleCors, isCorsOriginAllowed, isError, isEvent, isEventHandler, isMethod, isPreflightRequest, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };

package/dist/index.mjs

@@ -3,7 +3,8 @@ import { createRouter as createRouter$1 } from 'radix3';
 import destr from 'destr';
 import { parse as parse$1, serialize } from 'cookie-es';
 import crypto from 'uncrypto';
-import { unseal, defaults, seal } from 'iron-webcrypto';
+import { seal, defaults, unseal } from 'iron-webcrypto';
+import { defu } from 'defu';
 
 function useBase(base, handler) {
   base = withoutTrailingSlash(base);
@@ -378,6 +379,59 @@ function deleteCookie(event, name, serializeOptions) {
   });
 }
 
+function splitCookiesString(cookiesString) {
+  if (typeof cookiesString !== "string") {
+    return [];
+  }
+  const cookiesStrings = [];
+  let pos = 0;
+  let start;
+  let ch;
+  let lastComma;
+  let nextStart;
+  let cookiesSeparatorFound;
+  function skipWhitespace() {
+    while (pos < cookiesString.length && /\s/.test(cookiesString.charAt(pos))) {
+      pos += 1;
+    }
+    return pos < cookiesString.length;
+  }
+  function notSpecialChar() {
+    ch = cookiesString.charAt(pos);
+    return ch !== "=" && ch !== ";" && ch !== ",";
+  }
+  while (pos < cookiesString.length) {
+    start = pos;
+    cookiesSeparatorFound = false;
+    while (skipWhitespace()) {
+      ch = cookiesString.charAt(pos);
+      if (ch === ",") {
+        lastComma = pos;
+        pos += 1;
+        skipWhitespace();
+        nextStart = pos;
+        while (pos < cookiesString.length && notSpecialChar()) {
+          pos += 1;
+        }
+        if (pos < cookiesString.length && cookiesString.charAt(pos) === "=") {
+          cookiesSeparatorFound = true;
+          pos = nextStart;
+          cookiesStrings.push(cookiesString.slice(start, lastComma));
+          start = pos;
+        } else {
+          pos = lastComma + 1;
+        }
+      } else {
+        pos += 1;
+      }
+    }
+    if (!cookiesSeparatorFound || pos >= cookiesString.length) {
+      cookiesStrings.push(cookiesString.slice(start, cookiesString.length));
+    }
+  }
+  return cookiesStrings;
+}
+
 const PayloadMethods = /* @__PURE__ */ new Set(["PATCH", "POST", "PUT", "DELETE"]);
 const ignoredHeaders = /* @__PURE__ */ new Set([
   "transfer-encoding",
@@ -424,6 +478,27 @@ async function sendProxy(event, target, opts = {}) {
     if (key === "content-length") {
       continue;
     }
+    if (key === "set-cookie") {
+      const cookies = splitCookiesString(value).map((cookie) => {
+        if (opts.cookieDomainRewrite) {
+          cookie = rewriteCookieProperty(
+            cookie,
+            opts.cookieDomainRewrite,
+            "domain"
+          );
+        }
+        if (opts.cookiePathRewrite) {
+          cookie = rewriteCookieProperty(
+            cookie,
+            opts.cookiePathRewrite,
+            "path"
+          );
+        }
+        return cookie;
+      });
+      event.node.res.setHeader("set-cookie", cookies);
+      continue;
+    }
     event.node.res.setHeader(key, value);
   }
   if (response._data !== void 0) {
@@ -470,6 +545,23 @@ function _getFetch(_fetch) {
     "fetch is not available. Try importing `node-fetch-native/polyfill` for Node.js."
   );
 }
+function rewriteCookieProperty(header, map, property) {
+  const _map = typeof map === "string" ? { "*": map } : map;
+  return header.replace(
+    new RegExp(`(;\\s*${property}=)([^;]+)`, "gi"),
+    (match, prefix, previousValue) => {
+      let newValue;
+      if (previousValue in _map) {
+        newValue = _map[previousValue];
+      } else if ("*" in _map) {
+        newValue = _map["*"];
+      } else {
+        return match;
+      }
+      return newValue ? prefix + newValue : "";
+    }
+  );
+}
 
 const defer = typeof setImmediate !== "undefined" ? setImmediate : (fn) => fn();
 function send(event, data, type) {
@@ -638,21 +730,35 @@ async function getSession(event, config) {
   if (event.context.sessions[sessionName]) {
     return event.context.sessions[sessionName];
   }
-  const session = { id: "", data: /* @__PURE__ */ Object.create(null) };
+  const session = {
+    id: "",
+    createdAt: 0,
+    data: /* @__PURE__ */ Object.create(null)
+  };
   event.context.sessions[sessionName] = session;
-  const reqCookie = getCookie(event, sessionName);
-  if (!reqCookie) {
-    session.id = (config.crypto || crypto).randomUUID();
-    await updateSession(event, config);
-  } else {
-    const unsealed = await unseal(
-      config.crypto || crypto,
-      reqCookie,
-      config.password,
-      config.seal || defaults
+  let sealedSession;
+  if (config.sessionHeader !== false) {
+    const headerName = typeof config.sessionHeader === "string" ? config.sessionHeader.toLowerCase() : `x-${sessionName.toLowerCase()}-session`;
+    const headerValue = event.node.req.headers[headerName];
+    if (typeof headerValue === "string") {
+      sealedSession = headerValue;
+    }
+  }
+  if (!sealedSession) {
+    sealedSession = getCookie(event, sessionName);
+  }
+  if (sealedSession) {
+    const unsealed = await unsealSession(event, config, sealedSession).catch(
+      () => {
+      }
     );
     Object.assign(session, unsealed);
   }
+  if (!session.id) {
+    session.id = (config.crypto || crypto).randomUUID();
+    session.createdAt = Date.now();
+    await updateSession(event, config);
+  }
   return session;
 }
 async function updateSession(event, config, update) {
@@ -664,21 +770,168 @@ async function updateSession(event, config, update) {
   if (update) {
     Object.assign(session.data, update);
   }
-  const sealed = await seal(
+  if (config.cookie !== false) {
+    const sealed = await sealSession(event, config);
+    setCookie(event, sessionName, sealed, {
+      ...DEFAULT_COOKIE,
+      expires: config.maxAge ? new Date(session.createdAt + config.maxAge * 1e3) : void 0,
+      ...config.cookie
+    });
+  }
+  return session;
+}
+async function sealSession(event, config) {
+  const sessionName = config.name || DEFAULT_NAME;
+  const session = event.context.sessions?.[sessionName] || await getSession(event, config);
+  const sealed = await seal(config.crypto || crypto, session, config.password, {
+    ...defaults,
+    ttl: config.maxAge ? config.maxAge * 1e3 : 0,
+    ...config.seal
+  });
+  return sealed;
+}
+async function unsealSession(_event, config, sealed) {
+  const unsealed = await unseal(
     config.crypto || crypto,
-    session,
+    sealed,
     config.password,
-    config.seal || defaults
+    {
+      ...defaults,
+      ttl: config.maxAge ? config.maxAge * 1e3 : 0,
+      ...config.seal
+    }
   );
-  setCookie(event, sessionName, sealed, config.cookie || DEFAULT_COOKIE);
-  return session;
+  if (config.maxAge) {
+    const age = Date.now() - (unsealed.createdAt || Number.NEGATIVE_INFINITY);
+    if (age > config.maxAge * 1e3) {
+      throw new Error("Session expired!");
+    }
+  }
+  return unsealed;
 }
 async function clearSession(event, config) {
   const sessionName = config.name || DEFAULT_NAME;
   if (event.context.sessions?.[sessionName]) {
     delete event.context.sessions[sessionName];
   }
-  await setCookie(event, sessionName, "", config.cookie || DEFAULT_COOKIE);
+  await setCookie(event, sessionName, "", {
+    ...DEFAULT_COOKIE,
+    ...config.cookie
+  });
+}
+
+function resolveCorsOptions(options = {}) {
+  const defaultOptions = {
+    origin: "*",
+    methods: "*",
+    allowHeaders: "*",
+    exposeHeaders: "*",
+    credentials: false,
+    maxAge: false,
+    preflight: {
+      statusCode: 204
+    }
+  };
+  return defu(options, defaultOptions);
+}
+function isPreflightRequest(event) {
+  const method = getMethod(event);
+  const origin = getRequestHeader(event, "origin");
+  const accessControlRequestMethod = getRequestHeader(
+    event,
+    "access-control-request-method"
+  );
+  return method === "OPTIONS" && !!origin && !!accessControlRequestMethod;
+}
+function isCorsOriginAllowed(origin, options) {
+  const { origin: originOption } = options;
+  if (!origin || !originOption || originOption === "*" || originOption === "null") {
+    return true;
+  }
+  if (Array.isArray(originOption)) {
+    return originOption.some((_origin) => {
+      if (_origin instanceof RegExp) {
+        return _origin.test(origin);
+      }
+      return origin === _origin;
+    });
+  }
+  return originOption(origin);
+}
+function createOriginHeaders(event, options) {
+  const { origin: originOption } = options;
+  const origin = getRequestHeader(event, "origin");
+  if (!origin || !originOption || originOption === "*") {
+    return { "access-control-allow-origin": "*" };
+  }
+  if (typeof originOption === "string") {
+    return { "access-control-allow-origin": originOption, vary: "origin" };
+  }
+  return isCorsOriginAllowed(origin, options) ? { "access-control-allow-origin": origin, vary: "origin" } : {};
+}
+function createMethodsHeaders(options) {
+  const { methods } = options;
+  if (!methods) {
+    return {};
+  }
+  if (methods === "*") {
+    return { "access-control-allow-methods": "*" };
+  }
+  return methods.length > 0 ? { "access-control-allow-methods": methods.join(",") } : {};
+}
+function createCredentialsHeaders(options) {
+  const { credentials } = options;
+  if (credentials) {
+    return { "access-control-allow-credentials": "true" };
+  }
+  return {};
+}
+function createAllowHeaderHeaders(event, options) {
+  const { allowHeaders } = options;
+  if (!allowHeaders || allowHeaders === "*" || allowHeaders.length === 0) {
+    const header = getRequestHeader(event, "access-control-request-headers");
+    return header ? {
+      "access-control-allow-headers": header,
+      vary: "access-control-request-headers"
+    } : {};
+  }
+  return {
+    "access-control-allow-headers": allowHeaders.join(","),
+    vary: "access-control-request-headers"
+  };
+}
+function createExposeHeaders(options) {
+  const { exposeHeaders } = options;
+  if (!exposeHeaders) {
+    return {};
+  }
+  if (exposeHeaders === "*") {
+    return { "access-control-expose-headers": exposeHeaders };
+  }
+  return { "access-control-expose-headers": exposeHeaders.join(",") };
+}
+function appendCorsPreflightHeaders(event, options) {
+  appendHeaders(event, createOriginHeaders(event, options));
+  appendHeaders(event, createCredentialsHeaders(options));
+  appendHeaders(event, createExposeHeaders(options));
+  appendHeaders(event, createMethodsHeaders(options));
+  appendHeaders(event, createAllowHeaderHeaders(event, options));
+}
+function appendCorsHeaders(event, options) {
+  appendHeaders(event, createOriginHeaders(event, options));
+  appendHeaders(event, createCredentialsHeaders(options));
+  appendHeaders(event, createExposeHeaders(options));
+}
+
+function handleCors(event, options) {
+  const _options = resolveCorsOptions(options);
+  if (isPreflightRequest(event)) {
+    appendCorsPreflightHeaders(event, options);
+    sendNoContent(event, _options.preflight.statusCode);
+    return true;
+  }
+  appendCorsHeaders(event, options);
+  return false;
 }
 
 class H3Headers {
@@ -1130,4 +1383,4 @@ function createRouter(opts = {}) {
   return router;
 }
 
-export { H3Error, H3Event, H3Headers, H3Response, MIMES, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, isError, isEvent, isEventHandler, isMethod, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, toEventHandler, toNodeListener, updateSession, use, useBase, useSession, writeEarlyHints };
+export { H3Error, H3Event, H3Headers, H3Response, MIMES, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, handleCors, isCorsOriginAllowed, isError, isEvent, isEventHandler, isMethod, isPreflightRequest, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "h3",
-  "version": "1.3.0",
+  "version": "1.5.0",
   "description": "Tiny JavaScript Server",
   "repository": "unjs/h3",
   "license": "MIT",
@@ -21,10 +21,11 @@
   ],
   "dependencies": {
     "cookie-es": "^0.5.0",
+    "defu": "^6.1.2",
     "destr": "^1.2.2",
-    "iron-webcrypto": "^0.4.0",
+    "iron-webcrypto": "^0.5.0",
     "radix3": "^1.0.0",
-    "ufo": "^1.0.1",
+    "ufo": "^1.1.0",
     "uncrypto": "^0.1.2"
   },
   "devDependencies": {
@@ -32,28 +33,29 @@
     "@types/express": "^4.17.17",
     "@types/node": "^18.13.0",
     "@types/supertest": "^2.0.12",
-    "@vitest/coverage-c8": "^0.28.4",
+    "@vitest/coverage-c8": "^0.28.5",
     "autocannon": "^7.10.0",
     "changelogen": "^0.4.1",
     "connect": "^3.7.0",
-    "eslint": "^8.33.0",
+    "eslint": "^8.34.0",
     "eslint-config-unjs": "^0.1.0",
     "express": "^4.18.2",
     "get-port": "^6.1.2",
-    "jiti": "^1.16.2",
+    "jiti": "^1.17.0",
     "listhen": "^1.0.2",
-    "node-fetch-native": "^1.0.1",
+    "node-fetch-native": "^1.0.2",
     "prettier": "^2.8.4",
     "supertest": "^6.3.3",
     "typescript": "^4.9.5",
     "unbuild": "^1.1.1",
-    "vitest": "^0.28.4"
+    "vitest": "^0.28.5"
   },
-  "packageManager": "pnpm@7.26.3",
+  "packageManager": "pnpm@7.27.0",
   "scripts": {
     "build": "unbuild",
     "dev": "vitest",
-    "lint": "eslint --ext ts,mjs,cjs . && prettier -c src test playground",
+    "lint": "eslint --cache --ext .ts,.js,.mjs,.cjs . && prettier -c src test playground",
+    "lint:fix": "eslint --cache --ext .ts,.js,.mjs,.cjs . --fix && prettier -c src test playground -w",
     "play": "jiti ./playground/index.ts",
     "profile": "0x -o -D .profile -P 'autocannon -c 100 -p 10 -d 40 http://localhost:$PORT' ./playground/server.cjs",
     "release": "pnpm test && pnpm build && changelogen --release && pnpm publish && git push --follow-tags",