h3 1.4.0 → 1.6.0

package/README.md

@@ -1,13 +1,13 @@
-[![npm downloads](https://img.shields.io/npm/dm/h3.svg?style=flat-square)](https://npmjs.com/package/h3)
-[![version](https://img.shields.io/npm/v/h3/latest.svg?style=flat-square)](https://npmjs.com/package/h3)
-[![bundlephobia](https://img.shields.io/bundlephobia/min/h3/latest.svg?style=flat-square)](https://bundlephobia.com/result?p=h3)
-[![build status](https://img.shields.io/github/workflow/status/unjs/h3/ci/main?style=flat-square)](https://github.com/unjs/h3/actions)
-[![coverage](https://img.shields.io/codecov/c/gh/unjs/h3/main?style=flat-square)](https://codecov.io/gh/unjs/h3)
-[![jsDocs.io](https://img.shields.io/badge/jsDocs.io-reference-blue?style=flat-square)](https://www.jsdocs.io/package/h3)
+# H3
 
-> H3 is a minimal h(ttp) framework built for high performance and portability
+[![npm version][npm-version-src]][npm-version-href]
+[![npm downloads][npm-downloads-src]][npm-downloads-href]
+[![bundle][bundle-src]][bundle-href]
+[![Codecov][codecov-src]][codecov-href]
+[![License][license-src]][license-href]
+[![JSDocs][jsdocs-src]][jsdocs-href]
 
-<!-- ![h3 - Tiny JavaScript Server](.github/banner.svg) -->
+H3 is a minimal h(ttp) framework built for high performance and portability.
 
 ## Features
 
@@ -110,6 +110,19 @@ app.use(eventHandler(() => '<h1>Hello world!</h1>'))
 app.use('/1', eventHandler(() => '<h1>Hello world!</h1>'))
    .use('/2', eventHandler(() => '<h1>Goodbye!</h1>'))
 
+// We can proxy requests and rewrite cookie's domain and path
+app.use('/api', eventHandler((event) => proxyRequest('https://example.com', {
+  // f.e. keep one domain unchanged, rewrite one domain and remove other domains
+  cookieDomainRewrite: {
+    "example.com": "example.com",
+    "example.com": "somecompany.co.uk",
+    "*": "",
+  },
+  cookiePathRewrite: {
+    "/": "/api"
+  },
+}))
+
 // Legacy middleware with 3rd argument are automatically promisified
 app.use(fromNodeMiddleware((req, res, next) => { req.setHeader('x-foo', 'bar'); next() }))
 
@@ -146,8 +159,8 @@ H3 has a concept of composable utilities that accept `event` (from `eventHandler
 - `isMethod(event, expected, allowHead?)`
 - `assertMethod(event, expected, allowHead?)`
 - `createError({ statusCode, statusMessage, data? })`
-- `sendProxy(event, { target, headers?, fetchOptions?, fetch?, sendStream? })`
-- `proxyRequest(event, { target, headers?, fetchOptions?, fetch?, sendStream? })`
+- `sendProxy(event, { target, ...options })`
+- `proxyRequest(event, { target, ...options })`
 - `fetchWithEvent(event, req, init, { fetch? }?)`
 - `getProxyRequestHeaders(event)`
 - `sendNoContent(event, code = 204)`
@@ -161,6 +174,14 @@ H3 has a concept of composable utilities that accept `event` (from `eventHandler
 - `clearSession(event, config)`
 - `sealSession(event, config)`
 - `unsealSession(event, config, sealed)`
+- `handleCors(options)` (see [h3-cors](https://github.com/NozomuIkuta/h3-cors) for more detail about options)
+- `isPreflightRequest(event)`
+- `isCorsOriginAllowed(event)`
+- `appendCorsHeaders(event, options)` (see [h3-cors](https://github.com/NozomuIkuta/h3-cors) for more detail about options)
+- `appendCorsPreflightHeaders(event, options)` (see [h3-cors](https://github.com/NozomuIkuta/h3-cors) for more detail about options)
+- `getRequestHost(event)`
+- `getRequestProtocol(event)`
+- `getRequestURL(event)`
 
 👉 You can learn more about usage in [JSDocs Documentation](https://www.jsdocs.io/package/h3#package-functions).
 
@@ -172,9 +193,6 @@ Please check their READMEs for more details.
 
 PRs are welcome to add your packages.
 
-- [h3-cors](https://github.com/NozomuIkuta/h3-cors)
-  - `defineCorsEventHandler(options)`
-  - `isPreflight(event)`
 - [h3-typebox](https://github.com/kevinmarrec/h3-typebox)
   - `validateBody(event, schema)`
   - `validateQuery(event, schema)`
@@ -185,3 +203,18 @@ PRs are welcome to add your packages.
 ## License
 
 MIT
+
+<!-- Badges -->
+
+[npm-version-src]: https://img.shields.io/npm/v/h3?style=flat&colorA=18181B&colorB=F0DB4F
+[npm-version-href]: https://npmjs.com/package/h3
+[npm-downloads-src]: https://img.shields.io/npm/dm/h3?style=flat&colorA=18181B&colorB=F0DB4F
+[npm-downloads-href]: https://npmjs.com/package/h3
+[codecov-src]: https://img.shields.io/codecov/c/gh/unjs/h3/main?style=flat&colorA=18181B&colorB=F0DB4F
+[codecov-href]: https://codecov.io/gh/unjs/h3
+[bundle-src]: https://img.shields.io/bundlephobia/minzip/h3?style=flat&colorA=18181B&colorB=F0DB4F
+[bundle-href]: https://bundlephobia.com/result?p=h3
+[license-src]: https://img.shields.io/github/license/unjs/h3.svg?style=flat&colorA=18181B&colorB=F0DB4F
+[license-href]: https://github.com/unjs/h3/blob/main/LICENSE
+[jsdocs-src]: https://img.shields.io/badge/jsDocs.io-reference-18181B?style=flat&colorA=18181B&colorB=F0DB4F
+[jsdocs-href]: https://www.jsdocs.io/package/h3

package/dist/index.cjs

@@ -6,6 +6,7 @@ const destr = require('destr');
 const cookieEs = require('cookie-es');
 const crypto = require('uncrypto');
 const ironWebcrypto = require('iron-webcrypto');
+const defu = require('defu');
 
 function useBase(base, handler) {
   base = ufo.withoutTrailingSlash(base);
@@ -247,6 +248,24 @@ function getRequestHeader(event, name) {
   return value;
 }
 const getHeader = getRequestHeader;
+function getRequestHost(event) {
+  const xForwardedHost = event.node.req.headers["x-forwarded-host"];
+  if (xForwardedHost) {
+    return xForwardedHost;
+  }
+  return event.node.req.headers.host || "localhost";
+}
+function getRequestProtocol(event) {
+  if (event.node.req.headers["x-forwarded-proto"] === "https") {
+    return "https";
+  }
+  return event.node.req.connection.encrypted ? "https" : "http";
+}
+function getRequestURL(event) {
+  const host = getRequestHost(event);
+  const protocol = getRequestProtocol(event);
+  return new URL(event.path || "/", `${protocol}://${host}`);
+}
 
 const RawBodySymbol = Symbol.for("h3RawBody");
 const ParsedBodySymbol = Symbol.for("h3ParsedBody");
@@ -379,6 +398,58 @@ function deleteCookie(event, name, serializeOptions) {
     maxAge: 0
   });
 }
+function splitCookiesString(cookiesString) {
+  if (typeof cookiesString !== "string") {
+    return [];
+  }
+  const cookiesStrings = [];
+  let pos = 0;
+  let start;
+  let ch;
+  let lastComma;
+  let nextStart;
+  let cookiesSeparatorFound;
+  function skipWhitespace() {
+    while (pos < cookiesString.length && /\s/.test(cookiesString.charAt(pos))) {
+      pos += 1;
+    }
+    return pos < cookiesString.length;
+  }
+  function notSpecialChar() {
+    ch = cookiesString.charAt(pos);
+    return ch !== "=" && ch !== ";" && ch !== ",";
+  }
+  while (pos < cookiesString.length) {
+    start = pos;
+    cookiesSeparatorFound = false;
+    while (skipWhitespace()) {
+      ch = cookiesString.charAt(pos);
+      if (ch === ",") {
+        lastComma = pos;
+        pos += 1;
+        skipWhitespace();
+        nextStart = pos;
+        while (pos < cookiesString.length && notSpecialChar()) {
+          pos += 1;
+        }
+        if (pos < cookiesString.length && cookiesString.charAt(pos) === "=") {
+          cookiesSeparatorFound = true;
+          pos = nextStart;
+          cookiesStrings.push(cookiesString.slice(start, lastComma));
+          start = pos;
+        } else {
+          pos = lastComma + 1;
+        }
+      } else {
+        pos += 1;
+      }
+    }
+    if (!cookiesSeparatorFound || pos >= cookiesString.length) {
+      cookiesStrings.push(cookiesString.slice(start, cookiesString.length));
+    }
+  }
+  return cookiesStrings;
+}
 
 const PayloadMethods = /* @__PURE__ */ new Set(["PATCH", "POST", "PUT", "DELETE"]);
 const ignoredHeaders = /* @__PURE__ */ new Set([
@@ -426,6 +497,27 @@ async function sendProxy(event, target, opts = {}) {
     if (key === "content-length") {
       continue;
     }
+    if (key === "set-cookie") {
+      const cookies = splitCookiesString(value).map((cookie) => {
+        if (opts.cookieDomainRewrite) {
+          cookie = rewriteCookieProperty(
+            cookie,
+            opts.cookieDomainRewrite,
+            "domain"
+          );
+        }
+        if (opts.cookiePathRewrite) {
+          cookie = rewriteCookieProperty(
+            cookie,
+            opts.cookiePathRewrite,
+            "path"
+          );
+        }
+        return cookie;
+      });
+      event.node.res.setHeader("set-cookie", cookies);
+      continue;
+    }
     event.node.res.setHeader(key, value);
   }
   if (response._data !== void 0) {
@@ -453,8 +545,7 @@ function getProxyRequestHeaders(event) {
 function fetchWithEvent(event, req, init, options) {
   return _getFetch(options?.fetch)(req, {
     ...init,
-    // @ts-ignore (context is used for unenv and local fetch)
-    context: init.context || event.context,
+    context: init?.context || event.context,
     headers: {
       ...getProxyRequestHeaders(event),
       ...init?.headers
@@ -472,6 +563,23 @@ function _getFetch(_fetch) {
     "fetch is not available. Try importing `node-fetch-native/polyfill` for Node.js."
   );
 }
+function rewriteCookieProperty(header, map, property) {
+  const _map = typeof map === "string" ? { "*": map } : map;
+  return header.replace(
+    new RegExp(`(;\\s*${property}=)([^;]+)`, "gi"),
+    (match, prefix, previousValue) => {
+      let newValue;
+      if (previousValue in _map) {
+        newValue = _map[previousValue];
+      } else if ("*" in _map) {
+        newValue = _map["*"];
+      } else {
+        return match;
+      }
+      return newValue ? prefix + newValue : "";
+    }
+  );
+}
 
 const defer = typeof setImmediate !== "undefined" ? setImmediate : (fn) => fn();
 function send(event, data, type) {
@@ -730,6 +838,120 @@ async function clearSession(event, config) {
   });
 }
 
+function resolveCorsOptions(options = {}) {
+  const defaultOptions = {
+    origin: "*",
+    methods: "*",
+    allowHeaders: "*",
+    exposeHeaders: "*",
+    credentials: false,
+    maxAge: false,
+    preflight: {
+      statusCode: 204
+    }
+  };
+  return defu.defu(options, defaultOptions);
+}
+function isPreflightRequest(event) {
+  const method = getMethod(event);
+  const origin = getRequestHeader(event, "origin");
+  const accessControlRequestMethod = getRequestHeader(
+    event,
+    "access-control-request-method"
+  );
+  return method === "OPTIONS" && !!origin && !!accessControlRequestMethod;
+}
+function isCorsOriginAllowed(origin, options) {
+  const { origin: originOption } = options;
+  if (!origin || !originOption || originOption === "*" || originOption === "null") {
+    return true;
+  }
+  if (Array.isArray(originOption)) {
+    return originOption.some((_origin) => {
+      if (_origin instanceof RegExp) {
+        return _origin.test(origin);
+      }
+      return origin === _origin;
+    });
+  }
+  return originOption(origin);
+}
+function createOriginHeaders(event, options) {
+  const { origin: originOption } = options;
+  const origin = getRequestHeader(event, "origin");
+  if (!origin || !originOption || originOption === "*") {
+    return { "access-control-allow-origin": "*" };
+  }
+  if (typeof originOption === "string") {
+    return { "access-control-allow-origin": originOption, vary: "origin" };
+  }
+  return isCorsOriginAllowed(origin, options) ? { "access-control-allow-origin": origin, vary: "origin" } : {};
+}
+function createMethodsHeaders(options) {
+  const { methods } = options;
+  if (!methods) {
+    return {};
+  }
+  if (methods === "*") {
+    return { "access-control-allow-methods": "*" };
+  }
+  return methods.length > 0 ? { "access-control-allow-methods": methods.join(",") } : {};
+}
+function createCredentialsHeaders(options) {
+  const { credentials } = options;
+  if (credentials) {
+    return { "access-control-allow-credentials": "true" };
+  }
+  return {};
+}
+function createAllowHeaderHeaders(event, options) {
+  const { allowHeaders } = options;
+  if (!allowHeaders || allowHeaders === "*" || allowHeaders.length === 0) {
+    const header = getRequestHeader(event, "access-control-request-headers");
+    return header ? {
+      "access-control-allow-headers": header,
+      vary: "access-control-request-headers"
+    } : {};
+  }
+  return {
+    "access-control-allow-headers": allowHeaders.join(","),
+    vary: "access-control-request-headers"
+  };
+}
+function createExposeHeaders(options) {
+  const { exposeHeaders } = options;
+  if (!exposeHeaders) {
+    return {};
+  }
+  if (exposeHeaders === "*") {
+    return { "access-control-expose-headers": exposeHeaders };
+  }
+  return { "access-control-expose-headers": exposeHeaders.join(",") };
+}
+function appendCorsPreflightHeaders(event, options) {
+  appendHeaders(event, createOriginHeaders(event, options));
+  appendHeaders(event, createCredentialsHeaders(options));
+  appendHeaders(event, createExposeHeaders(options));
+  appendHeaders(event, createMethodsHeaders(options));
+  appendHeaders(event, createAllowHeaderHeaders(event, options));
+}
+function appendCorsHeaders(event, options) {
+  appendHeaders(event, createOriginHeaders(event, options));
+  appendHeaders(event, createCredentialsHeaders(options));
+  appendHeaders(event, createExposeHeaders(options));
+}
+
+function handleCors(event, options) {
+  const _options = resolveCorsOptions(options);
+  if (isPreflightRequest(event)) {
+    appendCorsPreflightHeaders(event, options);
+    sendNoContent(event, _options.preflight.statusCode);
+    return true;
+  }
+  appendCorsHeaders(event, options);
+  return false;
+}
+
 class H3Headers {
   constructor(init) {
     if (!init) {
@@ -1184,6 +1406,8 @@ exports.H3Event = H3Event;
 exports.H3Headers = H3Headers;
 exports.H3Response = H3Response;
 exports.MIMES = MIMES;
+exports.appendCorsHeaders = appendCorsHeaders;
+exports.appendCorsPreflightHeaders = appendCorsPreflightHeaders;
 exports.appendHeader = appendHeader;
 exports.appendHeaders = appendHeaders;
 exports.appendResponseHeader = appendResponseHeader;
@@ -1214,6 +1438,9 @@ exports.getProxyRequestHeaders = getProxyRequestHeaders;
 exports.getQuery = getQuery;
 exports.getRequestHeader = getRequestHeader;
 exports.getRequestHeaders = getRequestHeaders;
+exports.getRequestHost = getRequestHost;
+exports.getRequestProtocol = getRequestProtocol;
+exports.getRequestURL = getRequestURL;
 exports.getResponseHeader = getResponseHeader;
 exports.getResponseHeaders = getResponseHeaders;
 exports.getResponseStatus = getResponseStatus;
@@ -1222,10 +1449,13 @@ exports.getRouterParam = getRouterParam;
 exports.getRouterParams = getRouterParams;
 exports.getSession = getSession;
 exports.handleCacheHeaders = handleCacheHeaders;
+exports.handleCors = handleCors;
+exports.isCorsOriginAllowed = isCorsOriginAllowed;
 exports.isError = isError;
 exports.isEvent = isEvent;
 exports.isEventHandler = isEventHandler;
 exports.isMethod = isMethod;
+exports.isPreflightRequest = isPreflightRequest;
 exports.isStream = isStream;
 exports.lazyEventHandler = lazyEventHandler;
 exports.parseCookies = parseCookies;
@@ -1247,6 +1477,7 @@ exports.setHeaders = setHeaders;
 exports.setResponseHeader = setResponseHeader;
 exports.setResponseHeaders = setResponseHeaders;
 exports.setResponseStatus = setResponseStatus;
+exports.splitCookiesString = splitCookiesString;
 exports.toEventHandler = toEventHandler;
 exports.toNodeListener = toNodeListener;
 exports.unsealSession = unsealSession;

package/dist/index.d.ts

@@ -27,7 +27,7 @@ interface SessionConfig {
 }
 declare function useSession<T extends SessionDataT = SessionDataT>(event: H3Event, config: SessionConfig): Promise<{
     readonly id: string | undefined;
-    readonly data: SessionDataT;
+    readonly data: T;
     update: (update: SessionUpdate<T>) => Promise<any>;
     clear: () => Promise<any>;
 }>;
@@ -36,7 +36,7 @@ type SessionUpdate<T extends SessionDataT = SessionDataT> = Partial<SessionData<
 declare function updateSession<T extends SessionDataT = SessionDataT>(event: H3Event, config: SessionConfig, update?: SessionUpdate<T>): Promise<Session<T>>;
 declare function sealSession<T extends SessionDataT = SessionDataT>(event: H3Event, config: SessionConfig): Promise<string>;
 declare function unsealSession(_event: H3Event, config: SessionConfig, sealed: string): Promise<Partial<Session<SessionDataT>>>;
-declare function clearSession(event: H3Event, config: SessionConfig): Promise<void>;
+declare function clearSession(event: H3Event, config: Partial<SessionConfig>): Promise<void>;
 
 type HTTPMethod = "GET" | "HEAD" | "PATCH" | "POST" | "PUT" | "DELETE" | "CONNECT" | "OPTIONS" | "TRACE";
 type Encoding = false | "ascii" | "utf8" | "utf-8" | "utf16le" | "ucs2" | "ucs-2" | "base64" | "latin1" | "binary" | "hex";
@@ -231,7 +231,7 @@ declare function readRawBody<E extends Encoding = "utf8">(event: H3Event, encodi
  * @return {*} The `Object`, `Array`, `String`, `Number`, `Boolean`, or `null` value corresponding to the request JSON body
  *
  * ```ts
- * const body = await useBody(req)
+ * const body = await readBody(req)
  * ```
  */
 declare function readBody<T = any>(event: H3Event): Promise<T>;
@@ -270,7 +270,7 @@ declare function parseCookies(event: H3Event): Record<string, string>;
  * @param name Name of the cookie to get
  * @returns {*} Value of the cookie (String or undefined)
  * ```ts
- * const authorization = useCookie(request, 'Authorization')
+ * const authorization = getCookie(request, 'Authorization')
  * ```
  */
 declare function getCookie(event: H3Event, name: string): string | undefined;
@@ -295,17 +295,31 @@ declare function setCookie(event: H3Event, name: string, value: string, serializ
  * ```
  */
 declare function deleteCookie(event: H3Event, name: string, serializeOptions?: CookieSerializeOptions): void;
+/**
+ * Set-Cookie header field-values are sometimes comma joined in one string. This splits them without choking on commas
+ * that are within a single set-cookie field-value, such as in the Expires portion.
+ * This is uncommon, but explicitly allowed - see https://tools.ietf.org/html/rfc2616#section-4.2
+ * Node.js does this for every header *except* set-cookie - see https://github.com/nodejs/node/blob/d5e363b77ebaf1caf67cd7528224b651c86815c1/lib/_http_incoming.js#L128
+ * Based on: https://github.com/google/j2objc/commit/16820fdbc8f76ca0c33472810ce0cb03d20efe25
+ * Credits to: https://github.com/tomball for original and https://github.com/chrusart for JavaScript implementation
+ * @source https://github.com/nfriedly/set-cookie-parser/blob/3eab8b7d5d12c8ed87832532861c1a35520cf5b3/lib/set-cookie.js#L144
+ */
+declare function splitCookiesString(cookiesString: string): string[];
 
 interface ProxyOptions {
     headers?: RequestHeaders | HeadersInit;
     fetchOptions?: RequestInit;
     fetch?: typeof fetch;
     sendStream?: boolean;
+    cookieDomainRewrite?: string | Record<string, string>;
+    cookiePathRewrite?: string | Record<string, string>;
 }
 declare function proxyRequest(event: H3Event, target: string, opts?: ProxyOptions): Promise<any>;
 declare function sendProxy(event: H3Event, target: string, opts?: ProxyOptions): Promise<any>;
 declare function getProxyRequestHeaders(event: H3Event): any;
-declare function fetchWithEvent(event: H3Event, req: RequestInfo | URL, init?: RequestInit, options?: {
+declare function fetchWithEvent(event: H3Event, req: RequestInfo | URL, init?: RequestInit & {
+    context?: H3EventContext;
+}, options?: {
     fetch: typeof fetch;
 }): Promise<Response>;
 
@@ -319,6 +333,9 @@ declare function getRequestHeaders(event: H3Event): RequestHeaders;
 declare const getHeaders: typeof getRequestHeaders;
 declare function getRequestHeader(event: H3Event, name: string): RequestHeaders[string];
 declare const getHeader: typeof getRequestHeader;
+declare function getRequestHost(event: H3Event): string;
+declare function getRequestProtocol(event: H3Event): "https" | "http";
+declare function getRequestURL(event: H3Event): URL;
 
 declare function send(event: H3Event, data?: any, type?: string): Promise<void>;
 /**
@@ -348,6 +365,25 @@ declare function isStream(data: any): any;
 declare function sendStream(event: H3Event, data: any): Promise<void>;
 declare function writeEarlyHints(event: H3Event, hints: string | string[] | Record<string, string | string[]>, cb?: () => void): void;
 
+interface H3CorsOptions {
+    origin?: "*" | "null" | (string | RegExp)[] | ((origin: string) => boolean);
+    methods?: "*" | HTTPMethod[];
+    allowHeaders?: "*" | string[];
+    exposeHeaders?: "*" | string[];
+    credentials?: boolean;
+    maxAge?: string | false;
+    preflight?: {
+        statusCode?: number;
+    };
+}
+
+declare function handleCors(event: H3Event, options: H3CorsOptions): boolean;
+
+declare function isPreflightRequest(event: H3Event): boolean;
+declare function isCorsOriginAllowed(origin: ReturnType<typeof getRequestHeaders>["origin"], options: H3CorsOptions): boolean;
+declare function appendCorsPreflightHeaders(event: H3Event, options: H3CorsOptions): void;
+declare function appendCorsHeaders(event: H3Event, options: H3CorsOptions): void;
+
 type RouterMethod = Lowercase<HTTPMethod>;
 type RouterUse = (path: string, handler: EventHandler, method?: RouterMethod | RouterMethod[]) => Router;
 type AddRouteShortcuts = Record<RouterMethod, RouterUse>;
@@ -363,4 +399,4 @@ interface CreateRouterOptions {
 }
 declare function createRouter(opts?: CreateRouterOptions): Router;
 
-export { AddRouteShortcuts, App, AppOptions, AppUse, CacheConditions, CreateRouterOptions, DynamicEventHandler, Encoding, EventHandler, EventHandlerResponse, H3Error, H3Event, H3EventContext, H3Headers, H3Response, HTTPMethod, InputLayer, InputStack, Layer, LazyEventHandler, MIMES, Matcher, NodeEventContext, NodeListener, NodeMiddleware, NodePromisifiedHandler, ProxyOptions, RequestHeaders, Router, RouterMethod, RouterUse, Session, SessionConfig, SessionData, Stack, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, isError, isEvent, isEventHandler, isMethod, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };
+export { AddRouteShortcuts, App, AppOptions, AppUse, CacheConditions, CreateRouterOptions, DynamicEventHandler, Encoding, EventHandler, EventHandlerResponse, H3CorsOptions, H3Error, H3Event, H3EventContext, H3Headers, H3Response, HTTPMethod, InputLayer, InputStack, Layer, LazyEventHandler, MIMES, Matcher, MultiPartData, NodeEventContext, NodeListener, NodeMiddleware, NodePromisifiedHandler, ProxyOptions, RequestHeaders, Router, RouterMethod, RouterUse, Session, SessionConfig, SessionData, Stack, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getRequestHost, getRequestProtocol, getRequestURL, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, handleCors, isCorsOriginAllowed, isError, isEvent, isEventHandler, isMethod, isPreflightRequest, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, splitCookiesString, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };

package/dist/index.mjs

@@ -4,6 +4,7 @@ import destr from 'destr';
 import { parse as parse$1, serialize } from 'cookie-es';
 import crypto from 'uncrypto';
 import { seal, defaults, unseal } from 'iron-webcrypto';
+import { defu } from 'defu';
 
 function useBase(base, handler) {
   base = withoutTrailingSlash(base);
@@ -245,6 +246,24 @@ function getRequestHeader(event, name) {
   return value;
 }
 const getHeader = getRequestHeader;
+function getRequestHost(event) {
+  const xForwardedHost = event.node.req.headers["x-forwarded-host"];
+  if (xForwardedHost) {
+    return xForwardedHost;
+  }
+  return event.node.req.headers.host || "localhost";
+}
+function getRequestProtocol(event) {
+  if (event.node.req.headers["x-forwarded-proto"] === "https") {
+    return "https";
+  }
+  return event.node.req.connection.encrypted ? "https" : "http";
+}
+function getRequestURL(event) {
+  const host = getRequestHost(event);
+  const protocol = getRequestProtocol(event);
+  return new URL(event.path || "/", `${protocol}://${host}`);
+}
 
 const RawBodySymbol = Symbol.for("h3RawBody");
 const ParsedBodySymbol = Symbol.for("h3ParsedBody");
@@ -377,6 +396,58 @@ function deleteCookie(event, name, serializeOptions) {
     maxAge: 0
   });
 }
+function splitCookiesString(cookiesString) {
+  if (typeof cookiesString !== "string") {
+    return [];
+  }
+  const cookiesStrings = [];
+  let pos = 0;
+  let start;
+  let ch;
+  let lastComma;
+  let nextStart;
+  let cookiesSeparatorFound;
+  function skipWhitespace() {
+    while (pos < cookiesString.length && /\s/.test(cookiesString.charAt(pos))) {
+      pos += 1;
+    }
+    return pos < cookiesString.length;
+  }
+  function notSpecialChar() {
+    ch = cookiesString.charAt(pos);
+    return ch !== "=" && ch !== ";" && ch !== ",";
+  }
+  while (pos < cookiesString.length) {
+    start = pos;
+    cookiesSeparatorFound = false;
+    while (skipWhitespace()) {
+      ch = cookiesString.charAt(pos);
+      if (ch === ",") {
+        lastComma = pos;
+        pos += 1;
+        skipWhitespace();
+        nextStart = pos;
+        while (pos < cookiesString.length && notSpecialChar()) {
+          pos += 1;
+        }
+        if (pos < cookiesString.length && cookiesString.charAt(pos) === "=") {
+          cookiesSeparatorFound = true;
+          pos = nextStart;
+          cookiesStrings.push(cookiesString.slice(start, lastComma));
+          start = pos;
+        } else {
+          pos = lastComma + 1;
+        }
+      } else {
+        pos += 1;
+      }
+    }
+    if (!cookiesSeparatorFound || pos >= cookiesString.length) {
+      cookiesStrings.push(cookiesString.slice(start, cookiesString.length));
+    }
+  }
+  return cookiesStrings;
+}
 
 const PayloadMethods = /* @__PURE__ */ new Set(["PATCH", "POST", "PUT", "DELETE"]);
 const ignoredHeaders = /* @__PURE__ */ new Set([
@@ -424,6 +495,27 @@ async function sendProxy(event, target, opts = {}) {
     if (key === "content-length") {
       continue;
     }
+    if (key === "set-cookie") {
+      const cookies = splitCookiesString(value).map((cookie) => {
+        if (opts.cookieDomainRewrite) {
+          cookie = rewriteCookieProperty(
+            cookie,
+            opts.cookieDomainRewrite,
+            "domain"
+          );
+        }
+        if (opts.cookiePathRewrite) {
+          cookie = rewriteCookieProperty(
+            cookie,
+            opts.cookiePathRewrite,
+            "path"
+          );
+        }
+        return cookie;
+      });
+      event.node.res.setHeader("set-cookie", cookies);
+      continue;
+    }
     event.node.res.setHeader(key, value);
   }
   if (response._data !== void 0) {
@@ -451,8 +543,7 @@ function getProxyRequestHeaders(event) {
 function fetchWithEvent(event, req, init, options) {
   return _getFetch(options?.fetch)(req, {
     ...init,
-    // @ts-ignore (context is used for unenv and local fetch)
-    context: init.context || event.context,
+    context: init?.context || event.context,
     headers: {
       ...getProxyRequestHeaders(event),
       ...init?.headers
@@ -470,6 +561,23 @@ function _getFetch(_fetch) {
     "fetch is not available. Try importing `node-fetch-native/polyfill` for Node.js."
   );
 }
+function rewriteCookieProperty(header, map, property) {
+  const _map = typeof map === "string" ? { "*": map } : map;
+  return header.replace(
+    new RegExp(`(;\\s*${property}=)([^;]+)`, "gi"),
+    (match, prefix, previousValue) => {
+      let newValue;
+      if (previousValue in _map) {
+        newValue = _map[previousValue];
+      } else if ("*" in _map) {
+        newValue = _map["*"];
+      } else {
+        return match;
+      }
+      return newValue ? prefix + newValue : "";
+    }
+  );
+}
 
 const defer = typeof setImmediate !== "undefined" ? setImmediate : (fn) => fn();
 function send(event, data, type) {
@@ -728,6 +836,120 @@ async function clearSession(event, config) {
   });
 }
 
+function resolveCorsOptions(options = {}) {
+  const defaultOptions = {
+    origin: "*",
+    methods: "*",
+    allowHeaders: "*",
+    exposeHeaders: "*",
+    credentials: false,
+    maxAge: false,
+    preflight: {
+      statusCode: 204
+    }
+  };
+  return defu(options, defaultOptions);
+}
+function isPreflightRequest(event) {
+  const method = getMethod(event);
+  const origin = getRequestHeader(event, "origin");
+  const accessControlRequestMethod = getRequestHeader(
+    event,
+    "access-control-request-method"
+  );
+  return method === "OPTIONS" && !!origin && !!accessControlRequestMethod;
+}
+function isCorsOriginAllowed(origin, options) {
+  const { origin: originOption } = options;
+  if (!origin || !originOption || originOption === "*" || originOption === "null") {
+    return true;
+  }
+  if (Array.isArray(originOption)) {
+    return originOption.some((_origin) => {
+      if (_origin instanceof RegExp) {
+        return _origin.test(origin);
+      }
+      return origin === _origin;
+    });
+  }
+  return originOption(origin);
+}
+function createOriginHeaders(event, options) {
+  const { origin: originOption } = options;
+  const origin = getRequestHeader(event, "origin");
+  if (!origin || !originOption || originOption === "*") {
+    return { "access-control-allow-origin": "*" };
+  }
+  if (typeof originOption === "string") {
+    return { "access-control-allow-origin": originOption, vary: "origin" };
+  }
+  return isCorsOriginAllowed(origin, options) ? { "access-control-allow-origin": origin, vary: "origin" } : {};
+}
+function createMethodsHeaders(options) {
+  const { methods } = options;
+  if (!methods) {
+    return {};
+  }
+  if (methods === "*") {
+    return { "access-control-allow-methods": "*" };
+  }
+  return methods.length > 0 ? { "access-control-allow-methods": methods.join(",") } : {};
+}
+function createCredentialsHeaders(options) {
+  const { credentials } = options;
+  if (credentials) {
+    return { "access-control-allow-credentials": "true" };
+  }
+  return {};
+}
+function createAllowHeaderHeaders(event, options) {
+  const { allowHeaders } = options;
+  if (!allowHeaders || allowHeaders === "*" || allowHeaders.length === 0) {
+    const header = getRequestHeader(event, "access-control-request-headers");
+    return header ? {
+      "access-control-allow-headers": header,
+      vary: "access-control-request-headers"
+    } : {};
+  }
+  return {
+    "access-control-allow-headers": allowHeaders.join(","),
+    vary: "access-control-request-headers"
+  };
+}
+function createExposeHeaders(options) {
+  const { exposeHeaders } = options;
+  if (!exposeHeaders) {
+    return {};
+  }
+  if (exposeHeaders === "*") {
+    return { "access-control-expose-headers": exposeHeaders };
+  }
+  return { "access-control-expose-headers": exposeHeaders.join(",") };
+}
+function appendCorsPreflightHeaders(event, options) {
+  appendHeaders(event, createOriginHeaders(event, options));
+  appendHeaders(event, createCredentialsHeaders(options));
+  appendHeaders(event, createExposeHeaders(options));
+  appendHeaders(event, createMethodsHeaders(options));
+  appendHeaders(event, createAllowHeaderHeaders(event, options));
+}
+function appendCorsHeaders(event, options) {
+  appendHeaders(event, createOriginHeaders(event, options));
+  appendHeaders(event, createCredentialsHeaders(options));
+  appendHeaders(event, createExposeHeaders(options));
+}
+
+function handleCors(event, options) {
+  const _options = resolveCorsOptions(options);
+  if (isPreflightRequest(event)) {
+    appendCorsPreflightHeaders(event, options);
+    sendNoContent(event, _options.preflight.statusCode);
+    return true;
+  }
+  appendCorsHeaders(event, options);
+  return false;
+}
+
 class H3Headers {
   constructor(init) {
     if (!init) {
@@ -1177,4 +1399,4 @@ function createRouter(opts = {}) {
   return router;
 }
 
-export { H3Error, H3Event, H3Headers, H3Response, MIMES, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, isError, isEvent, isEventHandler, isMethod, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };
+export { H3Error, H3Event, H3Headers, H3Response, MIMES, appendCorsHeaders, appendCorsPreflightHeaders, appendHeader, appendHeaders, appendResponseHeader, appendResponseHeaders, assertMethod, callNodeListener, clearSession, createApp, createAppEventHandler, createError, createEvent, createRouter, defaultContentType, defineEventHandler, defineLazyEventHandler, defineNodeListener, defineNodeMiddleware, deleteCookie, dynamicEventHandler, eventHandler, fetchWithEvent, fromNodeMiddleware, getCookie, getHeader, getHeaders, getMethod, getProxyRequestHeaders, getQuery, getRequestHeader, getRequestHeaders, getRequestHost, getRequestProtocol, getRequestURL, getResponseHeader, getResponseHeaders, getResponseStatus, getResponseStatusText, getRouterParam, getRouterParams, getSession, handleCacheHeaders, handleCors, isCorsOriginAllowed, isError, isEvent, isEventHandler, isMethod, isPreflightRequest, isStream, lazyEventHandler, parseCookies, promisifyNodeListener, proxyRequest, readBody, readMultipartFormData, readRawBody, sealSession, send, sendError, sendNoContent, sendProxy, sendRedirect, sendStream, setCookie, setHeader, setHeaders, setResponseHeader, setResponseHeaders, setResponseStatus, splitCookiesString, toEventHandler, toNodeListener, unsealSession, updateSession, use, useBase, useSession, writeEarlyHints };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "h3",
-  "version": "1.4.0",
+  "version": "1.6.0",
   "description": "Tiny JavaScript Server",
   "repository": "unjs/h3",
   "license": "MIT",
@@ -21,39 +21,41 @@
   ],
   "dependencies": {
     "cookie-es": "^0.5.0",
+    "defu": "^6.1.2",
     "destr": "^1.2.2",
-    "iron-webcrypto": "^0.4.0",
+    "iron-webcrypto": "^0.5.0",
     "radix3": "^1.0.0",
-    "ufo": "^1.0.1",
+    "ufo": "^1.1.1",
     "uncrypto": "^0.1.2"
   },
   "devDependencies": {
-    "0x": "^5.4.1",
+    "0x": "^5.5.0",
     "@types/express": "^4.17.17",
-    "@types/node": "^18.13.0",
+    "@types/node": "^18.15.0",
     "@types/supertest": "^2.0.12",
-    "@vitest/coverage-c8": "^0.28.4",
+    "@vitest/coverage-c8": "^0.29.2",
     "autocannon": "^7.10.0",
-    "changelogen": "^0.4.1",
+    "changelogen": "^0.5.1",
     "connect": "^3.7.0",
-    "eslint": "^8.33.0",
+    "eslint": "^8.35.0",
     "eslint-config-unjs": "^0.1.0",
     "express": "^4.18.2",
     "get-port": "^6.1.2",
-    "jiti": "^1.16.2",
-    "listhen": "^1.0.2",
-    "node-fetch-native": "^1.0.1",
+    "jiti": "^1.17.2",
+    "listhen": "^1.0.3",
+    "node-fetch-native": "^1.0.2",
     "prettier": "^2.8.4",
     "supertest": "^6.3.3",
     "typescript": "^4.9.5",
-    "unbuild": "^1.1.1",
-    "vitest": "^0.28.4"
+    "unbuild": "^1.1.2",
+    "vitest": "^0.29.2"
   },
-  "packageManager": "pnpm@7.26.3",
+  "packageManager": "pnpm@7.29.0",
   "scripts": {
     "build": "unbuild",
     "dev": "vitest",
-    "lint": "eslint --ext ts,mjs,cjs . && prettier -c src test playground",
+    "lint": "eslint --cache --ext .ts,.js,.mjs,.cjs . && prettier -c src test playground",
+    "lint:fix": "eslint --cache --ext .ts,.js,.mjs,.cjs . --fix && prettier -c src test playground -w",
     "play": "jiti ./playground/index.ts",
     "profile": "0x -o -D .profile -P 'autocannon -c 100 -p 10 -d 40 http://localhost:$PORT' ./playground/server.cjs",
     "release": "pnpm test && pnpm build && changelogen --release && pnpm publish && git push --follow-tags",