h3 2.0.1-rc.2 → 2.0.1-rc.21

package/dist/docs/1.utils/2.response.md

@@ -0,0 +1,144 @@
+# Response
+
+> H3 response utilities.
+
+## Event Stream
+
+### `createEventStream(event, opts?)`
+
+Initialize an EventStream instance for creating [server sent events](https://developer.mozilla.org/en-US/docs/Web/API/Server-sent_events/Using_server-sent_events)
+
+**Example:**
+
+```ts
+import { createEventStream, sendEventStream } from "h3";
+
+app.get("/sse", (event) => {
+  const eventStream = createEventStream(event);
+
+  // Send a message every second
+  const interval = setInterval(async () => {
+    await eventStream.push("Hello world");
+  }, 1000);
+
+  // cleanup the interval and close the stream when the connection is terminated
+  eventStream.onClosed(async () => {
+    console.log("closing SSE...");
+    clearInterval(interval);
+    await eventStream.close();
+  });
+
+  return eventStream.send();
+});
+```
+
+## Sanitize
+
+### `sanitizeStatusCode(statusCode?, defaultStatusCode)`
+
+Make sure the status code is a valid HTTP status code.
+
+### `sanitizeStatusMessage(statusMessage)`
+
+Make sure the status message is safe to use in a response.
+
+Allowed characters: horizontal tabs, spaces or visible ascii characters: [https://www.rfc-editor.org/rfc/rfc7230#section-3.1.2](https://www.rfc-editor.org/rfc/rfc7230#section-3.1.2)
+
+## Serve Static
+
+### `serveStatic(event, options)`
+
+Dynamically serve static assets based on the request path.
+
+## More Response Utils
+
+### `html(first)`
+
+### `iterable(iterable)`
+
+Iterate a source of chunks and send back each chunk in order. Supports mixing async work together with emitting chunks.
+
+Each chunk must be a string or a buffer.
+
+For generator (yielding) functions, the returned value is treated the same as yielded values.
+
+**Example:**
+
+```ts
+return iterable(async function* work() {
+  // Open document body
+  yield "<!DOCTYPE html>\n<html><body><h1>Executing...</h1><ol>\n";
+  // Do work ...
+  for (let i = 0; i < 1000; i++) {
+    await delay(1000);
+    // Report progress
+    yield `<li>Completed job #`;
+    yield i;
+    yield `</li>\n`;
+  }
+  // Close out the report
+  return `</ol></body></html>`;
+});
+async function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+```
+
+### `noContent(status)`
+
+Respond with an empty payload.
+
+**Example:**
+
+```ts
+app.get("/", () => noContent());
+```
+
+### `redirect(location, status, statusText?)`
+
+Send a redirect response to the client.
+
+It adds the `location` header to the response and sets the status code to 302 by default.
+
+In the body, it sends a simple HTML page with a meta refresh tag to redirect the client in case the headers are ignored.
+
+**Example:**
+
+```ts
+app.get("/", () => {
+  return redirect("https://example.com");
+});
+```
+
+**Example:**
+
+```ts
+app.get("/", () => {
+  return redirect("https://example.com", 301); // Permanent redirect
+});
+```
+
+### `redirectBack(event)`
+
+Redirect the client back to the previous page using the `referer` header.
+
+If the `referer` header is missing or is a different origin, it falls back to the provided URL (default `"/"`).
+
+By default, only the **pathname** of the referer is used (query string and hash are stripped) to prevent spoofed referers from carrying unintended parameters. Set `allowQuery: true` to preserve the query string.
+
+**Security:** The `fallback` value MUST be a trusted, hardcoded path — never use user input. Passing user-controlled values (e.g., query params) as `fallback` creates an open redirect vulnerability.
+
+**Example:**
+
+```ts
+app.post("/submit", (event) => {
+  // process form...
+  return redirectBack(event, { fallback: "/form" });
+});
+```
+
+### `writeEarlyHints(event, hints)`
+
+Write `HTTP/1.1 103 Early Hints` to the client.
+
+In runtimes that don't support early hints natively, this function falls back to setting response headers which can be used by CDN.

package/dist/docs/1.utils/3.cookie.md

@@ -0,0 +1,33 @@
+# Cookie
+
+> H3 cookie utilities.
+
+### `deleteChunkedCookie(event, name, serializeOptions?)`
+
+Remove a set of chunked cookies by name.
+
+### `deleteCookie(event, name, serializeOptions?)`
+
+Remove a cookie by name.
+
+### `getChunkedCookie(event, name)`
+
+Get a chunked cookie value by name. Will join chunks together.
+
+### `getCookie(event, name)`
+
+Get a cookie value by name.
+
+### `getValidatedCookies(event, validate, options?: { onError?: OnValidateError })`
+
+### `parseCookies(event)`
+
+Parse the request to get HTTP Cookie header string and returning an object of all cookie name-value pairs.
+
+### `setChunkedCookie(event, name, value, options?)`
+
+Set a cookie value by name. Chunked cookies will be created as needed.
+
+### `setCookie(event, name, value, options?)`
+
+Set a cookie value by name.

package/dist/docs/1.utils/4.security.md

@@ -0,0 +1,109 @@
+# Security
+
+> H3 security utilities.
+
+## Authentication
+
+### `basicAuth(opts)`
+
+Create a basic authentication middleware.
+
+**Example:**
+
+```ts
+import { H3, serve, basicAuth } from "h3";
+const auth = basicAuth({ password: "test" });
+app.get("/", (event) => `Hello ${event.context.basicAuth?.username}!`, [auth]);
+serve(app, { port: 3000 });
+```
+
+### `requireBasicAuth(event, opts)`
+
+Apply basic authentication for current request.
+
+**Example:**
+
+```ts
+import { defineHandler, requireBasicAuth } from "h3";
+export default defineHandler(async (event) => {
+  await requireBasicAuth(event, { password: "test" });
+  return `Hello, ${event.context.basicAuth.username}!`;
+});
+```
+
+## Session
+
+### `clearSession(event, config)`
+
+Clear the session data for the current request.
+
+### `getSession(event, config)`
+
+Get the session for the current request.
+
+### `sealSession(event, config)`
+
+Encrypt and sign the session data for the current request.
+
+### `unsealSession(_event, config, sealed)`
+
+Decrypt and verify the session data for the current request.
+
+### `updateSession(event, config, update?)`
+
+Update the session data for the current request.
+
+### `useSession(event, config)`
+
+Create a session manager for the current request.
+
+## Fingerprint
+
+### `getRequestFingerprint(event, opts)`
+
+Get a unique fingerprint for the incoming request.
+
+## CORS
+
+### `appendCorsHeaders(event, options)`
+
+Append CORS headers to the response.
+
+### `appendCorsPreflightHeaders(event, options)`
+
+Append CORS preflight headers to the response.
+
+### `handleCors(event, options)`
+
+Handle CORS for the incoming request.
+
+If the incoming request is a CORS preflight request, it will append the CORS preflight headers and send a 204 response.
+
+If return value is not `false`, the request is handled and no further action is needed.
+
+**Example:**
+
+```ts
+const app = new H3();
+app.all("/", async (event) => {
+  const corsRes = handleCors(event, {
+    origin: "*",
+    preflight: {
+      statusCode: 204,
+    },
+    methods: "*",
+  });
+  if (corsRes !== false) {
+    return corsRes;
+  }
+  // Your code here
+});
+```
+
+### `isCorsOriginAllowed(origin, options)`
+
+Check if the origin is allowed.
+
+### `isPreflightRequest(event)`
+
+Check if the incoming request is a CORS preflight request.

package/dist/docs/1.utils/5.proxy.md

@@ -0,0 +1,31 @@
+# Proxy
+
+> H3 proxy utilities.
+
+### `fetchWithEvent(event, url, init?)`
+
+Make a fetch request with the event's context and headers.
+
+If the `url` starts with `/`, the request is dispatched internally via `event.app.fetch()` (sub-request) and never leaves the process.
+
+**Security:** Never pass unsanitized user input as the `url`. Callers are responsible for validating and restricting the URL.
+
+### `getProxyRequestHeaders(event)`
+
+Get the request headers object without headers known to cause issues when proxying.
+
+### `proxy(event, target, opts)`
+
+Make a proxy request to a target URL and send the response back to the client.
+
+If the `target` starts with `/`, the request is dispatched internally via `event.app.fetch()` (sub-request) and never leaves the process. This bypasses any external security layer (reverse proxy auth, IP allowlisting, mTLS).
+
+**Security:** Never pass unsanitized user input as the `target`. Callers are responsible for validating and restricting the target URL (e.g. allowlisting hosts, blocking internal paths, enforcing protocol).
+
+### `proxyRequest(event, target, opts)`
+
+Proxy the incoming request to a target URL.
+
+If the `target` starts with `/`, the request is handled internally by the app router via `event.app.fetch()` instead of making an external HTTP request.
+
+**Security:** Never pass unsanitized user input as the `target`. Callers are responsible for validating and restricting the target URL (e.g. allowlisting hosts, blocking internal paths, enforcing protocol). Consider using `bodyLimit()` middleware to prevent large request bodies from consuming excessive resources when proxying untrusted input.

package/dist/docs/1.utils/6.mcp.md

@@ -0,0 +1,71 @@
+# MCP
+
+> H3 MCP related utils.
+
+### `defineJsonRpcHandler()`
+
+Creates an H3 event handler that implements the JSON-RPC 2.0 specification.
+
+**Example:**
+
+```ts
+app.post(
+  "/rpc",
+  defineJsonRpcHandler({
+    methods: {
+      echo: ({ params }, event) => {
+        return `Received \`${params}\` on path \`${event.url.pathname}\``;
+      },
+      sum: ({ params }, event) => {
+        return params.a + params.b;
+      },
+    },
+  }),
+);
+```
+
+### `defineJsonRpcWebSocketHandler()`
+
+Creates an H3 event handler that implements JSON-RPC 2.0 over WebSocket.
+
+This is an opt-in feature that allows JSON-RPC communication over WebSocket connections for bi-directional messaging. Each incoming WebSocket text message is processed as a JSON-RPC request, and responses are sent back to the peer.
+
+**Example:**
+
+```ts
+app.get(
+  "/rpc/ws",
+  defineJsonRpcWebSocketHandler({
+    methods: {
+      echo: ({ params }) => {
+        return `Received: ${Array.isArray(params) ? params[0] : params?.message}`;
+      },
+      sum: ({ params }) => {
+        return params.a + params.b;
+      },
+    },
+  }),
+);
+```
+
+**Example:**
+
+```ts
+// With additional WebSocket hooks
+app.get(
+  "/rpc/ws",
+  defineJsonRpcWebSocketHandler({
+    methods: {
+      greet: ({ params }) => `Hello, ${params.name}!`,
+    },
+    hooks: {
+      open(peer) {
+        console.log(`Peer connected: ${peer.id}`);
+      },
+      close(peer, details) {
+        console.log(`Peer disconnected: ${peer.id}`, details);
+      },
+    },
+  }),
+);
+```

package/dist/docs/1.utils/7.more.md

@@ -0,0 +1,78 @@
+# More utils
+
+> More H3 utilities.
+
+## Base
+
+### `withBase(base, input)`
+
+Returns a new event handler that removes the base url of the event before calling the original handler.
+
+**Example:**
+
+```ts
+const api = new H3()
+ .get("/", () => "Hello API!");
+const app = new H3();
+ .use("/api/**", withBase("/api", api.handler));
+```
+
+## Event
+
+### `getEventContext(event)`
+
+Gets the context of the event, if it does not exists, initializes a new context on `req.context`.
+
+### `isEvent(input)`
+
+Checks if the input is an H3Event object.
+
+### `isHTTPEvent(input)`
+
+Checks if the input is an object with `{ req: Request }` signature.
+
+### `mockEvent(_request, options?)`
+
+## Middleware
+
+### `bodyLimit(limit)`
+
+Define a middleware that checks whether request body size is within specified limit.
+
+If body size exceeds the limit, throws a `413` Request Entity Too Large response error. If you need custom handling for this case, use `assertBodySize` instead.
+
+### `onError(hook)`
+
+Define a middleware that runs when an error occurs.
+
+You can return a new Response from the handler to gracefully handle the error.
+
+### `onRequest(hook)`
+
+Define a middleware that runs on each request.
+
+### `onResponse(hook)`
+
+Define a middleware that runs after Response is generated.
+
+You can return a new Response from the handler to replace the original response.
+
+## WebSocket
+
+### `defineWebSocket(hooks)`
+
+Define WebSocket hooks.
+
+### `defineWebSocketHandler()`
+
+Define WebSocket event handler.
+
+## Adapters
+
+### `defineNodeHandler(handler)`
+
+### `defineNodeMiddleware(handler)`
+
+### `fromNodeHandler(handler)`
+
+### `fromWebHandler(handler)`

package/dist/docs/1.utils/8.community.md

@@ -0,0 +1,42 @@
+# Community
+
+> H3 utils from community.
+
+You can use external H3 event utilities made by the community.
+
+This section is placeholder for any new H3 version 2 compatible community library.
+
+
+
+> [!TIP]
+> 💛 PR is more than welcome to list yours.
+
+## `apitally`
+
+[Apitally](https://apitally.io/h3) is a simple API monitoring, analytics, and request logging tool with a plugin for H3. See setup guide [here](https://docs.apitally.io/frameworks/h3).
+
+<read-more></read-more>
+
+## `H3ravel Framework`
+
+[H3ravel Framework](https://h3ravel.toneflix.net) is a modern TypeScript runtime-agnostic web framework built on top of H3, designed to bring the elegance and developer experience of Laravel PHP to the JavaScript ecosystem. See the getting started guide [here](https://h3ravel.toneflix.net/guide/get-started).
+
+<read-more></read-more>
+
+## `Intlify`
+
+[Intlify](https://intlify.dev/) is a project that aims to improve Developer Experience in software internationalization. That project provides server-side frameworks, middleware, and utilities. About those, see the [here](https://github.com/intlify/srvmid)
+
+<read-more></read-more>
+
+## `Clear Router`
+
+Laravel-style routing system for H3 and Express.js. Clean route definitions, middleware support, and controller bindings with full TypeScript support.
+
+<read-more></read-more>
+
+## `unjwt`
+
+`unjwt` is a collection of low-level JWT utilities (JWS, JWE, JWK) built on the Web Crypto API, with zero runtime dependencies. It includes a dedicated H3 v2 adapter for header and cookie-based session management with support for encrypted (JWE) and signed (JWS) tokens.
+
+<read-more></read-more>

package/dist/docs/2.examples/0.index/index.md

@@ -0,0 +1,16 @@
+# Examples
+
+> Common examples for h3.
+
+<read-more>
+
+Check [`examples/` dir](https://github.com/h3js/h3/tree/main/examples) for more examples.
+</read-more>
+
+**Examples:**
+
+- [Cookies](/examples/handle-cookie)
+- [Session](/examples/handle-session)
+- [Static Assets](/examples/serve-static-assets)
+- [Streaming Response](/examples/stream-response)
+- [Validation](/examples/validate-data)

package/dist/docs/2.examples/1.handle-cookie.md

@@ -0,0 +1,67 @@
+# Cookies
+
+> Use cookies to store data on the client.
+
+Handling cookies with H3 is straightforward. There is three utilities to handle cookies:
+
+- `setCookie` to attach a cookie to the response.
+- `getCookie` to get a cookie from the request.
+- `deleteCookie` to clear a cookie from the response.
+
+## Set a Cookie
+To set a cookie, you need to use `setCookie` in an event handler:
+
+```ts
+import { setCookie } from "h3";
+
+app.use(async (event) => {
+  setCookie(event, "name", "value", { maxAge: 60 * 60 * 24 * 7 });
+  return "";
+});
+```
+
+In the options, you can configure the [cookie flags](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie):
+
+- `maxAge` to set the expiration date of the cookie in seconds.
+- `expires` to set the expiration date of the cookie in a `Date` object.
+- `path` to set the path of the cookie.
+- `domain` to set the domain of the cookie.
+- `secure` to set the `Secure` flag of the cookie.
+- `httpOnly` to set the `HttpOnly` flag of the cookie.
+- `sameSite` to set the `SameSite` flag of the cookie.
+<read-more></read-more>
+
+## Get a Cookie
+
+To get a cookie, you need to use `getCookie` in an event handler.
+
+```ts
+import { getCookie } from "h3";
+
+app.use(async (event) => {
+  const name = getCookie(event, "name");
+
+  // do something...
+
+  return "";
+});
+```
+
+This will return the value of the cookie if it exists, or `undefined` otherwise.
+
+## Delete a Cookie
+
+To delete a cookie, you need to use `deleteCookie` in an event handler:
+
+```ts
+import { deleteCookie } from "h3";
+
+app.use(async (event) => {
+  deleteCookie(event, "name");
+  return "";
+});
+```
+
+The utility `deleteCookie` is a wrapper around `setCookie` with the value set to `""` and the `maxAge` set to `0`.
+
+This will erase the cookie from the client.