hono 3.5.6 → 3.5.8

package/dist/cjs/middleware/secure-headers/index.js

@@ -51,18 +51,35 @@ const DEFAULT_OPTIONS = {
 };
 const secureHeaders = (customOptions) => {
   const options = { ...DEFAULT_OPTIONS, ...customOptions };
-  const headersToSet = Object.entries(HEADERS_MAP).filter(([key]) => options[key]).map(([, value]) => value);
+  const headersToSet = Object.entries(HEADERS_MAP).filter(([key]) => options[key]).map(([key, defaultValue]) => {
+    const overrideValue = options[key];
+    if (typeof overrideValue === "string")
+      return [defaultValue[0], overrideValue];
+    return defaultValue;
+  });
+  if (options.contentSecurityPolicy) {
+    const cspDirectives = Object.entries(options.contentSecurityPolicy).map(([directive, value]) => {
+      directive = directive.replace(
+        /[A-Z]+(?![a-z])|[A-Z]/g,
+        (match, offset) => (offset ? "-" : "") + match.toLowerCase()
+      );
+      return `${directive} ${Array.isArray(value) ? value.join(" ") : value}`;
+    }).join("; ");
+    headersToSet.push(["Content-Security-Policy", cspDirectives]);
+  }
+  if (options.reportingEndpoints) {
+    const reportingEndpoints = options.reportingEndpoints.map((endpoint) => `${endpoint.name}="${endpoint.url}"`).join(", ");
+    headersToSet.push(["Reporting-Endpoints", reportingEndpoints]);
+  }
+  if (options.reportTo) {
+    const reportToOptions = options.reportTo.map((option) => JSON.stringify(option)).join(", ");
+    headersToSet.push(["Report-To", reportToOptions]);
+  }
   return async (ctx, next) => {
     await next();
     headersToSet.forEach(([header, value]) => {
       ctx.res.headers.set(header, value);
     });
-    if (options.contentSecurityPolicy) {
-      const cspDirectives = Object.entries(options.contentSecurityPolicy).map(([directive, sources]) => {
-        return `${directive} ${sources.join(" ")}`;
-      }).join("; ");
-      ctx.res.headers.set("Content-Security-Policy", cspDirectives);
-    }
     ctx.res.headers.delete("X-Powered-By");
   };
 };

package/dist/cjs/request.js

@@ -32,6 +32,11 @@ class HonoRequest {
       const cachedBody = bodyCache[key];
       if (cachedBody)
         return cachedBody;
+      if (bodyCache.arrayBuffer) {
+        return (async () => {
+          return await new Response(bodyCache.arrayBuffer)[key]();
+        })();
+      }
       return bodyCache[key] = raw[key]();
     };
     this.raw = request;
@@ -84,7 +89,11 @@ class HonoRequest {
     }
   }
   async parseBody() {
-    return await (0, import_body.parseBody)(this);
+    if (this.bodyCache.parsedBody)
+      return this.bodyCache.parsedBody;
+    const parsedBody = await (0, import_body.parseBody)(this);
+    this.bodyCache.parsedBody = parsedBody;
+    return parsedBody;
   }
   json() {
     return this.cachedBody("json");

package/dist/cjs/utils/body.js

@@ -21,15 +21,18 @@ __export(body_exports, {
   parseBody: () => parseBody
 });
 module.exports = __toCommonJS(body_exports);
-const parseBody = async (r) => {
+const parseBody = async (request) => {
   let body = {};
-  const contentType = r.headers.get("Content-Type");
+  const contentType = request.headers.get("Content-Type");
   if (contentType && (contentType.startsWith("multipart/form-data") || contentType.startsWith("application/x-www-form-urlencoded"))) {
-    const form = {};
-    (await r.formData()).forEach((value, key) => {
-      form[key] = value;
-    });
-    body = form;
+    const formData = await request.formData();
+    if (formData) {
+      const form = {};
+      formData.forEach((value, key) => {
+        form[key] = value;
+      });
+      body = form;
+    }
   }
   return body;
 };

package/dist/cjs/utils/buffer.js

@@ -18,6 +18,7 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var buffer_exports = {};
 __export(buffer_exports, {
+  bufferToFormData: () => bufferToFormData,
   bufferToString: () => bufferToString,
   equal: () => equal,
   timingSafeEqual: () => timingSafeEqual
@@ -59,8 +60,35 @@ const bufferToString = (buffer) => {
   }
   return buffer;
 };
+const _decodeURIComponent = (str) => decodeURIComponent(str.replace(/\+/g, " "));
+const bufferToFormData = (arrayBuffer, contentType) => {
+  const decoder = new TextDecoder("utf-8");
+  const content = decoder.decode(arrayBuffer);
+  const formData = new FormData();
+  const boundaryMatch = contentType.match(/boundary=(.+)/);
+  const boundary = boundaryMatch ? boundaryMatch[1] : "";
+  if (contentType.startsWith("multipart/form-data") && boundary) {
+    const parts = content.split("--" + boundary).slice(1, -1);
+    for (const part of parts) {
+      const [header, body] = part.split("\r\n\r\n");
+      const nameMatch = header.match(/name="([^"]+)"/);
+      if (nameMatch) {
+        const name = nameMatch[1];
+        formData.append(name, body.trim());
+      }
+    }
+  } else if (contentType.startsWith("application/x-www-form-urlencoded")) {
+    const pairs = content.split("&");
+    for (const pair of pairs) {
+      const [key, value] = pair.split("=");
+      formData.append(_decodeURIComponent(key), _decodeURIComponent(value));
+    }
+  }
+  return formData;
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  bufferToFormData,
   bufferToString,
   equal,
   timingSafeEqual

package/dist/cjs/validator/validator.js

@@ -22,13 +22,17 @@ __export(validator_exports, {
 });
 module.exports = __toCommonJS(validator_exports);
 var import_cookie = require("../helper/cookie");
+var import_buffer = require("../utils/buffer");
 const validator = (target, validationFunc) => {
   return async (c, next) => {
     let value = {};
     switch (target) {
       case "json":
         try {
-          value = await c.req.json();
+          const arrayBuffer = c.req.bodyCache.arrayBuffer ?? await c.req.raw.arrayBuffer();
+          value = await new Response(arrayBuffer).json();
+          c.req.bodyCache.json = value;
+          c.req.bodyCache.arrayBuffer = arrayBuffer;
         } catch {
           console.error("Error: Malformed JSON in request body");
           return c.json(
@@ -40,9 +44,21 @@ const validator = (target, validationFunc) => {
           );
         }
         break;
-      case "form":
-        value = await c.req.parseBody();
+      case "form": {
+        const contentType = c.req.header("Content-Type");
+        if (contentType) {
+          const arrayBuffer = c.req.bodyCache.arrayBuffer ?? await c.req.raw.arrayBuffer();
+          const formData = (0, import_buffer.bufferToFormData)(arrayBuffer, contentType);
+          const form = {};
+          formData.forEach((value2, key) => {
+            form[key] = value2;
+          });
+          value = form;
+          c.req.bodyCache.formData = formData;
+          c.req.bodyCache.arrayBuffer = arrayBuffer;
+        }
         break;
+      }
       case "query":
         value = Object.fromEntries(
           Object.entries(c.req.queries()).map(([k, v]) => {

package/dist/middleware/secure-headers/index.js

@@ -29,18 +29,35 @@ var DEFAULT_OPTIONS = {
 };
 var secureHeaders = (customOptions) => {
   const options = { ...DEFAULT_OPTIONS, ...customOptions };
-  const headersToSet = Object.entries(HEADERS_MAP).filter(([key]) => options[key]).map(([, value]) => value);
+  const headersToSet = Object.entries(HEADERS_MAP).filter(([key]) => options[key]).map(([key, defaultValue]) => {
+    const overrideValue = options[key];
+    if (typeof overrideValue === "string")
+      return [defaultValue[0], overrideValue];
+    return defaultValue;
+  });
+  if (options.contentSecurityPolicy) {
+    const cspDirectives = Object.entries(options.contentSecurityPolicy).map(([directive, value]) => {
+      directive = directive.replace(
+        /[A-Z]+(?![a-z])|[A-Z]/g,
+        (match, offset) => (offset ? "-" : "") + match.toLowerCase()
+      );
+      return `${directive} ${Array.isArray(value) ? value.join(" ") : value}`;
+    }).join("; ");
+    headersToSet.push(["Content-Security-Policy", cspDirectives]);
+  }
+  if (options.reportingEndpoints) {
+    const reportingEndpoints = options.reportingEndpoints.map((endpoint) => `${endpoint.name}="${endpoint.url}"`).join(", ");
+    headersToSet.push(["Reporting-Endpoints", reportingEndpoints]);
+  }
+  if (options.reportTo) {
+    const reportToOptions = options.reportTo.map((option) => JSON.stringify(option)).join(", ");
+    headersToSet.push(["Report-To", reportToOptions]);
+  }
   return async (ctx, next) => {
     await next();
     headersToSet.forEach(([header, value]) => {
       ctx.res.headers.set(header, value);
     });
-    if (options.contentSecurityPolicy) {
-      const cspDirectives = Object.entries(options.contentSecurityPolicy).map(([directive, sources]) => {
-        return `${directive} ${sources.join(" ")}`;
-      }).join("; ");
-      ctx.res.headers.set("Content-Security-Policy", cspDirectives);
-    }
     ctx.res.headers.delete("X-Powered-By");
   };
 };

package/dist/request.js

@@ -10,6 +10,11 @@ var HonoRequest = class {
       const cachedBody = bodyCache[key];
       if (cachedBody)
         return cachedBody;
+      if (bodyCache.arrayBuffer) {
+        return (async () => {
+          return await new Response(bodyCache.arrayBuffer)[key]();
+        })();
+      }
       return bodyCache[key] = raw[key]();
     };
     this.raw = request;
@@ -62,7 +67,11 @@ var HonoRequest = class {
     }
   }
   async parseBody() {
-    return await parseBody(this);
+    if (this.bodyCache.parsedBody)
+      return this.bodyCache.parsedBody;
+    const parsedBody = await parseBody(this);
+    this.bodyCache.parsedBody = parsedBody;
+    return parsedBody;
   }
   json() {
     return this.cachedBody("json");

package/dist/types/hono-base.d.ts

@@ -35,7 +35,7 @@ declare class Hono<E extends Env = Env, S extends Schema = {}, BasePath extends
     private clone;
     private notFoundHandler;
     private errorHandler;
-    route<SubPath extends string, SubEnv extends Env, SubSchema extends Schema, SubBasePath extends string>(path: SubPath, app: Hono<SubEnv, SubSchema, SubBasePath>): Hono<E, MergeSchemaPath<SubSchema, SubPath> & S, BasePath>;
+    route<SubPath extends string, SubEnv extends Env, SubSchema extends Schema, SubBasePath extends string>(path: SubPath, app: Hono<SubEnv, SubSchema, SubBasePath>): Hono<E, MergeSchemaPath<SubSchema, MergePath<BasePath, SubPath>> & S, BasePath>;
     /** @description
      * Use `basePath` instead of `route` when passing **one** argument, such as `app.route('/api')`.
      * The use of `route` with **one** argument has been removed in v4.

package/dist/types/jsx/index.d.ts

@@ -28,4 +28,4 @@ export declare const memo: <T>(component: FC<T>, propsAreEqual?: (prevProps: Rea
 export declare const Fragment: (props: {
     key?: string;
     children?: Child[];
-}) => JSXNode;
+}) => HtmlEscapedString;

package/dist/types/middleware/secure-headers/index.d.ts

@@ -2,29 +2,56 @@ import type { MiddlewareHandler } from '../../types';
 interface ContentSecurityPolicyOptions {
     defaultSrc?: string[];
     baseUri?: string[];
+    childSrc?: string[];
+    connectSrc?: string[];
     fontSrc?: string[];
+    formAction?: string[];
     frameAncestors?: string[];
+    frameSrc?: string[];
     imgSrc?: string[];
+    manifestSrc?: string[];
+    mediaSrc?: string[];
     objectSrc?: string[];
+    reportTo?: string;
+    sandbox?: string[];
     scriptSrc?: string[];
     scriptSrcAttr?: string[];
+    scriptSrcElem?: string[];
     styleSrc?: string[];
+    styleSrcAttr?: string[];
+    styleSrcElem?: string[];
     upgradeInsecureRequests?: string[];
+    workerSrc?: string[];
 }
+interface ReportToOptions {
+    group: string;
+    max_age: number;
+    endpoints: ReportToEndpoint[];
+}
+interface ReportToEndpoint {
+    url: string;
+}
+interface ReportingEndpointOptions {
+    name: string;
+    url: string;
+}
+declare type overridableHeader = boolean | string;
 interface SecureHeadersOptions {
     contentSecurityPolicy?: ContentSecurityPolicyOptions;
-    crossOriginEmbedderPolicy?: boolean;
-    crossOriginResourcePolicy?: boolean;
-    crossOriginOpenerPolicy?: boolean;
-    originAgentCluster: boolean;
-    referrerPolicy?: boolean;
-    strictTransportSecurity?: boolean;
-    xContentTypeOptions?: boolean;
-    xDnsPrefetchControl?: boolean;
-    xDownloadOptions?: boolean;
-    xFrameOptions?: boolean;
-    xPermittedCrossDomainPolicies?: boolean;
-    xXssProtection?: boolean;
+    crossOriginEmbedderPolicy?: overridableHeader;
+    crossOriginResourcePolicy?: overridableHeader;
+    crossOriginOpenerPolicy?: overridableHeader;
+    originAgentCluster: overridableHeader;
+    referrerPolicy?: overridableHeader;
+    reportingEndpoints?: ReportingEndpointOptions[];
+    reportTo?: ReportToOptions[];
+    strictTransportSecurity?: overridableHeader;
+    xContentTypeOptions?: overridableHeader;
+    xDnsPrefetchControl?: overridableHeader;
+    xDownloadOptions?: overridableHeader;
+    xFrameOptions?: overridableHeader;
+    xPermittedCrossDomainPolicies?: overridableHeader;
+    xXssProtection?: overridableHeader;
 }
 export declare const secureHeaders: (customOptions?: Partial<SecureHeadersOptions>) => MiddlewareHandler;
 export {};

package/dist/types/request.d.ts

@@ -2,12 +2,22 @@ import type { Input, InputToDataByTarget, ParamKeys, ParamKeyToRecord, RemoveQue
 import type { BodyData } from './utils/body';
 import type { Cookie } from './utils/cookie';
 import type { UnionToIntersection } from './utils/types';
+declare type Body = {
+    json: any;
+    text: string;
+    arrayBuffer: ArrayBuffer;
+    blob: Blob;
+    formData: FormData;
+};
+declare type BodyCache = Partial<Body & {
+    parsedBody: BodyData;
+}>;
 export declare class HonoRequest<P extends string = '/', I extends Input['out'] = {}> {
     raw: Request;
     private paramData;
     private vData;
     path: string;
-    private bodyCache;
+    bodyCache: BodyCache;
     constructor(request: Request, path?: string, paramData?: Record<string, string> | undefined);
     param<P2 extends string = P>(key: RemoveQuestion<ParamKeys<P2>>): UndefinedIfHavingQuestion<ParamKeys<P2>>;
     param<P2 extends string = P>(): UnionToIntersection<ParamKeyToRecord<ParamKeys<P2>>>;
@@ -56,3 +66,4 @@ export declare class HonoRequest<P extends string = '/', I extends Input['out']
     get referrer(): string;
     get signal(): AbortSignal;
 }
+export {};

package/dist/types/utils/body.d.ts

@@ -1,3 +1,3 @@
 import type { HonoRequest } from '../request';
 export declare type BodyData = Record<string, string | File>;
-export declare const parseBody: <T extends BodyData = BodyData>(r: HonoRequest | Request) => Promise<T>;
+export declare const parseBody: <T extends BodyData = BodyData>(request: HonoRequest | Request) => Promise<T>;

package/dist/types/utils/buffer.d.ts

@@ -1,3 +1,4 @@
 export declare const equal: (a: ArrayBuffer, b: ArrayBuffer) => boolean;
 export declare const timingSafeEqual: (a: string | object | boolean, b: string | object | boolean, hashFunction?: Function) => Promise<boolean>;
 export declare const bufferToString: (buffer: ArrayBuffer) => string;
+export declare const bufferToFormData: (arrayBuffer: ArrayBuffer, contentType: string) => FormData;

package/dist/utils/body.js

@@ -1,13 +1,16 @@
 // src/utils/body.ts
-var parseBody = async (r) => {
+var parseBody = async (request) => {
   let body = {};
-  const contentType = r.headers.get("Content-Type");
+  const contentType = request.headers.get("Content-Type");
   if (contentType && (contentType.startsWith("multipart/form-data") || contentType.startsWith("application/x-www-form-urlencoded"))) {
-    const form = {};
-    (await r.formData()).forEach((value, key) => {
-      form[key] = value;
-    });
-    body = form;
+    const formData = await request.formData();
+    if (formData) {
+      const form = {};
+      formData.forEach((value, key) => {
+        form[key] = value;
+      });
+      body = form;
+    }
   }
   return body;
 };

package/dist/utils/buffer.js

@@ -35,7 +35,34 @@ var bufferToString = (buffer) => {
   }
   return buffer;
 };
+var _decodeURIComponent = (str) => decodeURIComponent(str.replace(/\+/g, " "));
+var bufferToFormData = (arrayBuffer, contentType) => {
+  const decoder = new TextDecoder("utf-8");
+  const content = decoder.decode(arrayBuffer);
+  const formData = new FormData();
+  const boundaryMatch = contentType.match(/boundary=(.+)/);
+  const boundary = boundaryMatch ? boundaryMatch[1] : "";
+  if (contentType.startsWith("multipart/form-data") && boundary) {
+    const parts = content.split("--" + boundary).slice(1, -1);
+    for (const part of parts) {
+      const [header, body] = part.split("\r\n\r\n");
+      const nameMatch = header.match(/name="([^"]+)"/);
+      if (nameMatch) {
+        const name = nameMatch[1];
+        formData.append(name, body.trim());
+      }
+    }
+  } else if (contentType.startsWith("application/x-www-form-urlencoded")) {
+    const pairs = content.split("&");
+    for (const pair of pairs) {
+      const [key, value] = pair.split("=");
+      formData.append(_decodeURIComponent(key), _decodeURIComponent(value));
+    }
+  }
+  return formData;
+};
 export {
+  bufferToFormData,
   bufferToString,
   equal,
   timingSafeEqual

package/dist/validator/validator.js

@@ -1,12 +1,16 @@
 // src/validator/validator.ts
 import { getCookie } from "../helper/cookie/index.js";
+import { bufferToFormData } from "../utils/buffer.js";
 var validator = (target, validationFunc) => {
   return async (c, next) => {
     let value = {};
     switch (target) {
       case "json":
         try {
-          value = await c.req.json();
+          const arrayBuffer = c.req.bodyCache.arrayBuffer ?? await c.req.raw.arrayBuffer();
+          value = await new Response(arrayBuffer).json();
+          c.req.bodyCache.json = value;
+          c.req.bodyCache.arrayBuffer = arrayBuffer;
         } catch {
           console.error("Error: Malformed JSON in request body");
           return c.json(
@@ -18,9 +22,21 @@ var validator = (target, validationFunc) => {
           );
         }
         break;
-      case "form":
-        value = await c.req.parseBody();
+      case "form": {
+        const contentType = c.req.header("Content-Type");
+        if (contentType) {
+          const arrayBuffer = c.req.bodyCache.arrayBuffer ?? await c.req.raw.arrayBuffer();
+          const formData = bufferToFormData(arrayBuffer, contentType);
+          const form = {};
+          formData.forEach((value2, key) => {
+            form[key] = value2;
+          });
+          value = form;
+          c.req.bodyCache.formData = formData;
+          c.req.bodyCache.arrayBuffer = arrayBuffer;
+        }
         break;
+      }
       case "query":
         value = Object.fromEntries(
           Object.entries(c.req.queries()).map(([k, v]) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hono",
-  "version": "3.5.6",
+  "version": "3.5.8",
   "description": "Ultrafast web framework for the Edges",
   "main": "dist/cjs/index.js",
   "type": "module",