hono 4.5.0 → 4.5.2

package/dist/cjs/client/client.js

@@ -157,8 +157,15 @@ const hc = (baseUrl, options) => createProxy(function proxyCallback(opts) {
       "ws"
     );
     const targetUrl = new URL(webSocketUrl);
-    for (const key in opts.args[0]?.query) {
-      targetUrl.searchParams.set(key, opts.args[0].query[key]);
+    const queryParams = opts.args[0]?.query;
+    if (queryParams) {
+      Object.entries(queryParams).forEach(([key, value]) => {
+        if (Array.isArray(value)) {
+          value.forEach((item) => targetUrl.searchParams.append(key, item));
+        } else {
+          targetUrl.searchParams.set(key, value);
+        }
+      });
     }
     return new WebSocket(targetUrl.toString());
   }

package/dist/cjs/middleware/bearer-auth/index.js

@@ -33,28 +33,30 @@ const bearerAuth = (options) => {
   if (!options.realm) {
     options.realm = "";
   }
-  if (!options.prefix) {
+  if (options.prefix === void 0) {
     options.prefix = PREFIX;
   }
   const realm = options.realm?.replace(/"/g, '\\"');
+  const prefixRegexStr = options.prefix === "" ? "" : `${options.prefix} +`;
+  const regexp = new RegExp(`^${prefixRegexStr}(${TOKEN_STRINGS}) *$`);
+  const wwwAuthenticatePrefix = options.prefix === "" ? "" : `${options.prefix} `;
   return async function bearerAuth2(c, next) {
     const headerToken = c.req.header(options.headerName || HEADER);
     if (!headerToken) {
       const res = new Response("Unauthorized", {
         status: 401,
         headers: {
-          "WWW-Authenticate": `${options.prefix} realm="` + realm + '"'
+          "WWW-Authenticate": `${wwwAuthenticatePrefix}realm="` + realm + '"'
         }
       });
       throw new import_http_exception.HTTPException(401, { res });
     } else {
-      const regexp = new RegExp("^" + options.prefix + " +(" + TOKEN_STRINGS + ") *$");
       const match = regexp.exec(headerToken);
       if (!match) {
         const res = new Response("Bad Request", {
           status: 400,
           headers: {
-            "WWW-Authenticate": `${options.prefix} error="invalid_request"`
+            "WWW-Authenticate": `${wwwAuthenticatePrefix}error="invalid_request"`
           }
         });
         throw new import_http_exception.HTTPException(400, { res });
@@ -76,7 +78,7 @@ const bearerAuth = (options) => {
           const res = new Response("Unauthorized", {
             status: 401,
             headers: {
-              "WWW-Authenticate": `${options.prefix} error="invalid_token"`
+              "WWW-Authenticate": `${wwwAuthenticatePrefix}error="invalid_token"`
             }
           });
           throw new import_http_exception.HTTPException(401, { res });

package/dist/cjs/middleware/csrf/index.js

@@ -42,7 +42,7 @@ const csrf = (options) => {
     }
     return handler(origin, c);
   };
-  return async function cors(c, next) {
+  return async function csrf2(c, next) {
     if (!isSafeMethodRe.test(c.req.method) && isRequestedByFormElementRe.test(c.req.header("content-type") || "") && !isAllowedOrigin(c.req.header("origin"), c)) {
       const res = new Response("Forbidden", {
         status: 403

package/dist/cjs/middleware/secure-headers/secure-headers.js

@@ -49,7 +49,8 @@ const DEFAULT_OPTIONS = {
   xDownloadOptions: true,
   xFrameOptions: true,
   xPermittedCrossDomainPolicies: true,
-  xXssProtection: true
+  xXssProtection: true,
+  removePoweredBy: true
 };
 const generateNonce = () => {
   const buffer = new Uint8Array(16);
@@ -85,7 +86,9 @@ const secureHeaders = (customOptions) => {
     const headersToSetForReq = callbacks.length === 0 ? headersToSet : callbacks.reduce((acc, cb) => cb(ctx, acc), headersToSet);
     await next();
     setHeaders(ctx, headersToSetForReq);
-    ctx.res.headers.delete("X-Powered-By");
+    if (options?.removePoweredBy) {
+      ctx.res.headers.delete("X-Powered-By");
+    }
   };
 };
 function getFilteredHeaders(options) {

package/dist/cjs/validator/validator.js

@@ -24,15 +24,17 @@ module.exports = __toCommonJS(validator_exports);
 var import_cookie = require("../helper/cookie");
 var import_http_exception = require("../http-exception");
 var import_buffer = require("../utils/buffer");
+const jsonRegex = /^application\/([a-z-\.]+\+)?json$/;
+const multipartRegex = /^multipart\/form-data(; boundary=[A-Za-z0-9'()+_,\-./:=?]+)?$/;
+const urlencodedRegex = /^application\/x-www-form-urlencoded$/;
 const validator = (target, validationFunc) => {
   return async (c, next) => {
     let value = {};
     const contentType = c.req.header("Content-Type");
     switch (target) {
       case "json":
-        if (!contentType || !/^application\/([a-z-\.]+\+)?json/.test(contentType)) {
-          const message = `Invalid HTTP header: Content-Type=${contentType}`;
-          throw new import_http_exception.HTTPException(400, { message });
+        if (!contentType || !jsonRegex.test(contentType)) {
+          break;
         }
         try {
           value = await c.req.json();
@@ -42,7 +44,7 @@ const validator = (target, validationFunc) => {
         }
         break;
       case "form": {
-        if (!contentType) {
+        if (!contentType || !(multipartRegex.test(contentType) || urlencodedRegex.test(contentType))) {
           break;
         }
         let formData;

package/dist/client/client.js

@@ -141,8 +141,15 @@ var hc = (baseUrl, options) => createProxy(function proxyCallback(opts) {
       "ws"
     );
     const targetUrl = new URL(webSocketUrl);
-    for (const key in opts.args[0]?.query) {
-      targetUrl.searchParams.set(key, opts.args[0].query[key]);
+    const queryParams = opts.args[0]?.query;
+    if (queryParams) {
+      Object.entries(queryParams).forEach(([key, value]) => {
+        if (Array.isArray(value)) {
+          value.forEach((item) => targetUrl.searchParams.append(key, item));
+        } else {
+          targetUrl.searchParams.set(key, value);
+        }
+      });
     }
     return new WebSocket(targetUrl.toString());
   }

package/dist/middleware/bearer-auth/index.js

@@ -11,28 +11,30 @@ var bearerAuth = (options) => {
   if (!options.realm) {
     options.realm = "";
   }
-  if (!options.prefix) {
+  if (options.prefix === void 0) {
     options.prefix = PREFIX;
   }
   const realm = options.realm?.replace(/"/g, '\\"');
+  const prefixRegexStr = options.prefix === "" ? "" : `${options.prefix} +`;
+  const regexp = new RegExp(`^${prefixRegexStr}(${TOKEN_STRINGS}) *$`);
+  const wwwAuthenticatePrefix = options.prefix === "" ? "" : `${options.prefix} `;
   return async function bearerAuth2(c, next) {
     const headerToken = c.req.header(options.headerName || HEADER);
     if (!headerToken) {
       const res = new Response("Unauthorized", {
         status: 401,
         headers: {
-          "WWW-Authenticate": `${options.prefix} realm="` + realm + '"'
+          "WWW-Authenticate": `${wwwAuthenticatePrefix}realm="` + realm + '"'
         }
       });
       throw new HTTPException(401, { res });
     } else {
-      const regexp = new RegExp("^" + options.prefix + " +(" + TOKEN_STRINGS + ") *$");
       const match = regexp.exec(headerToken);
       if (!match) {
         const res = new Response("Bad Request", {
           status: 400,
           headers: {
-            "WWW-Authenticate": `${options.prefix} error="invalid_request"`
+            "WWW-Authenticate": `${wwwAuthenticatePrefix}error="invalid_request"`
           }
         });
         throw new HTTPException(400, { res });
@@ -54,7 +56,7 @@ var bearerAuth = (options) => {
           const res = new Response("Unauthorized", {
             status: 401,
             headers: {
-              "WWW-Authenticate": `${options.prefix} error="invalid_token"`
+              "WWW-Authenticate": `${wwwAuthenticatePrefix}error="invalid_token"`
             }
           });
           throw new HTTPException(401, { res });

package/dist/middleware/csrf/index.js

@@ -20,7 +20,7 @@ var csrf = (options) => {
     }
     return handler(origin, c);
   };
-  return async function cors(c, next) {
+  return async function csrf2(c, next) {
     if (!isSafeMethodRe.test(c.req.method) && isRequestedByFormElementRe.test(c.req.header("content-type") || "") && !isAllowedOrigin(c.req.header("origin"), c)) {
       const res = new Response("Forbidden", {
         status: 403

package/dist/middleware/secure-headers/secure-headers.js

@@ -26,7 +26,8 @@ var DEFAULT_OPTIONS = {
   xDownloadOptions: true,
   xFrameOptions: true,
   xPermittedCrossDomainPolicies: true,
-  xXssProtection: true
+  xXssProtection: true,
+  removePoweredBy: true
 };
 var generateNonce = () => {
   const buffer = new Uint8Array(16);
@@ -62,7 +63,9 @@ var secureHeaders = (customOptions) => {
     const headersToSetForReq = callbacks.length === 0 ? headersToSet : callbacks.reduce((acc, cb) => cb(ctx, acc), headersToSet);
     await next();
     setHeaders(ctx, headersToSetForReq);
-    ctx.res.headers.delete("X-Powered-By");
+    if (options?.removePoweredBy) {
+      ctx.res.headers.delete("X-Powered-By");
+    }
   };
 };
 function getFilteredHeaders(options) {

package/dist/types/context.d.ts

@@ -122,7 +122,7 @@ interface JSONRespond {
  *
  * @returns {Response & TypedResponse<SimplifyDeepArray<T> extends JSONValue ? (JSONValue extends SimplifyDeepArray<T> ? never : JSONParsed<T>) : never, U, 'json'>} - The response after rendering the JSON object, typed with the provided object and status code types.
  */
-type JSONRespondReturn<T extends JSONValue | SimplifyDeepArray<unknown> | InvalidJSONValue, U extends StatusCode> = Response & TypedResponse<SimplifyDeepArray<T> extends JSONValue ? JSONValue extends SimplifyDeepArray<T> ? never : JSONParsed<T> : JSONParsed<T>, U, 'json'>;
+type JSONRespondReturn<T extends JSONValue | SimplifyDeepArray<unknown> | InvalidJSONValue, U extends StatusCode> = Response & TypedResponse<SimplifyDeepArray<T> extends JSONValue ? JSONValue extends SimplifyDeepArray<T> ? never : JSONParsed<T> : never, U, 'json'>;
 /**
  * Interface representing a function that responds with HTML content.
  *

package/dist/types/helper/factory/index.d.ts

@@ -62,10 +62,6 @@ export declare class Factory<E extends Env = any, P extends string = any> {
     constructor(init?: {
         initApp?: InitApp<E>;
     });
-    /**
-     * @experimental
-     * `createApp` is an experimental feature.
-     */
     createApp: () => Hono<E>;
     createMiddleware: <I extends Input = {}>(middleware: MiddlewareHandler<E, P, I>) => MiddlewareHandler<E, P, I>;
     createHandlers: CreateHandlersInterface<E, P>;

package/dist/types/middleware/bearer-auth/index.d.ts

@@ -26,7 +26,7 @@ type BearerAuthOptions = {
  * @param {string | string[]} [options.token] - The string or array of strings to validate the incoming bearer token against.
  * @param {Function} [options.verifyToken] - The function to verify the token.
  * @param {string} [options.realm=""] - The domain name of the realm, as part of the returned WWW-Authenticate challenge header.
- * @param {string} [options.prefix="Bearer"] - The prefix (or known as `schema`) for the Authorization header value.
+ * @param {string} [options.prefix="Bearer"] - The prefix (or known as `schema`) for the Authorization header value. If set to the empty string, no prefix is expected.
  * @param {string} [options.headerName=Authorization] - The header name.
  * @param {Function} [options.hashFunction] - A function to handle hashing for safe comparison of authentication tokens.
  * @returns {MiddlewareHandler} The middleware handler function.

package/dist/types/middleware/jwt/jwt.d.ts

@@ -6,6 +6,7 @@ import type { MiddlewareHandler } from '../../types';
 import type { CookiePrefixOptions } from '../../utils/cookie';
 import '../../context';
 import type { SignatureAlgorithm } from '../../utils/jwt/jwa';
+import type { SignatureKey } from '../../utils/jwt/jws';
 export type JwtVariables = {
     jwtPayload: any;
 };
@@ -15,7 +16,7 @@ export type JwtVariables = {
  * @see {@link https://hono.dev/docs/middleware/builtin/jwt}
  *
  * @param {object} options - The options for the JWT middleware.
- * @param {string} [options.secret] - A value of your secret key.
+ * @param {SignatureKey} [options.secret] - A value of your secret key.
  * @param {string} [options.cookie] - If this value is set, then the value is retrieved from the cookie header using that value as a key, which is then validated as a token.
  * @param {SignatureAlgorithm} [options.alg=HS256] - An algorithm type that is used for verifying. Available types are `HS256` | `HS384` | `HS512` | `RS256` | `RS384` | `RS512` | `PS256` | `PS384` | `PS512` | `ES256` | `ES384` | `ES512` | `EdDSA`.
  * @returns {MiddlewareHandler} The middleware handler function.
@@ -37,7 +38,7 @@ export type JwtVariables = {
  * ```
  */
 export declare const jwt: (options: {
-    secret: string;
+    secret: SignatureKey;
     cookie?: string | {
         key: string;
         secret?: string | BufferSource;
@@ -45,9 +46,9 @@ export declare const jwt: (options: {
     };
     alg?: SignatureAlgorithm;
 }) => MiddlewareHandler;
-export declare const verify: (token: string, publicKey: import("../../utils/jwt/jws").SignatureKey, alg?: "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | "ES256" | "ES384" | "ES512" | "EdDSA") => Promise<import("../../utils/jwt/types").JWTPayload>;
+export declare const verify: (token: string, publicKey: SignatureKey, alg?: "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | "ES256" | "ES384" | "ES512" | "EdDSA") => Promise<import("../../utils/jwt/types").JWTPayload>;
 export declare const decode: (token: string) => {
     header: import("../../utils/jwt/jwt").TokenHeader;
     payload: import("../../utils/jwt/types").JWTPayload;
 };
-export declare const sign: (payload: import("../../utils/jwt/types").JWTPayload, privateKey: import("../../utils/jwt/jws").SignatureKey, alg?: "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | "ES256" | "ES384" | "ES512" | "EdDSA") => Promise<string>;
+export declare const sign: (payload: import("../../utils/jwt/types").JWTPayload, privateKey: SignatureKey, alg?: "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "PS256" | "PS384" | "PS512" | "ES256" | "ES384" | "ES512" | "EdDSA") => Promise<string>;

package/dist/types/middleware/secure-headers/secure-headers.d.ts

@@ -62,6 +62,7 @@ interface SecureHeadersOptions {
     xFrameOptions?: overridableHeader;
     xPermittedCrossDomainPolicies?: overridableHeader;
     xXssProtection?: overridableHeader;
+    removePoweredBy?: boolean;
 }
 export declare const NONCE: ContentSecurityPolicyOptionHandler;
 /**
@@ -85,6 +86,7 @@ export declare const NONCE: ContentSecurityPolicyOptionHandler;
  * @param {overridableHeader} [customOptions.xFrameOptions=true] - Settings for the X-Frame-Options header.
  * @param {overridableHeader} [customOptions.xPermittedCrossDomainPolicies=true] - Settings for the X-Permitted-Cross-Domain-Policies header.
  * @param {overridableHeader} [customOptions.xXssProtection=true] - Settings for the X-XSS-Protection header.
+ * @param {boolean} [customOptions.removePoweredBy=true] - Settings for remove X-Powered-By header.
  * @returns {MiddlewareHandler} The middleware handler function.
  *
  * @example

package/dist/types/utils/types.d.ts

@@ -11,7 +11,7 @@ export type IfAnyThenEmptyObject<T> = 0 extends 1 & T ? {} : T;
 export type JSONPrimitive = string | boolean | number | null;
 export type JSONArray = (JSONPrimitive | JSONObject | JSONArray)[];
 export type JSONObject = {
-    [key: string]: JSONPrimitive | JSONArray | JSONObject | object;
+    [key: string]: JSONPrimitive | JSONArray | JSONObject | object | InvalidJSONValue;
 };
 export type InvalidJSONValue = undefined | symbol | ((...args: unknown[]) => unknown);
 type InvalidToNull<T> = T extends InvalidJSONValue ? null : T;
@@ -27,7 +27,7 @@ export type JSONParsed<T> = T extends {
     toJSON(): infer J;
 } ? (() => J) extends () => JSONPrimitive ? J : (() => J) extends () => {
     toJSON(): unknown;
-} ? {} : JSONParsed<J> : T extends JSONPrimitive ? T : T extends InvalidJSONValue ? never : T extends [] ? [] : T extends readonly [infer R, ...infer U] ? [JSONParsed<InvalidToNull<R>>, ...JSONParsed<U>] : T extends Array<infer U> ? Array<JSONParsed<InvalidToNull<U>>> : T extends Set<unknown> | Map<unknown, unknown> ? {} : T extends object ? {
+} ? {} : JSONParsed<J> : T extends JSONPrimitive ? T : T extends InvalidJSONValue ? never : T extends [] ? [] : T extends readonly [infer R, ...infer U] ? [JSONParsed<InvalidToNull<R>>, ...JSONParsed<U>] : T extends Array<infer U> ? Array<JSONParsed<InvalidToNull<U>>> : T extends ReadonlyArray<infer U> ? ReadonlyArray<JSONParsed<InvalidToNull<U>>> : T extends Set<unknown> | Map<unknown, unknown> ? {} : T extends object ? {
     [K in keyof OmitSymbolKeys<T> as IsInvalid<T[K]> extends true ? never : K]: boolean extends IsInvalid<T[K]> ? JSONParsed<T[K]> | undefined : JSONParsed<T[K]>;
 } : never;
 /**

package/dist/validator/validator.js

@@ -2,15 +2,17 @@
 import { getCookie } from "../helper/cookie/index.js";
 import { HTTPException } from "../http-exception.js";
 import { bufferToFormData } from "../utils/buffer.js";
+var jsonRegex = /^application\/([a-z-\.]+\+)?json$/;
+var multipartRegex = /^multipart\/form-data(; boundary=[A-Za-z0-9'()+_,\-./:=?]+)?$/;
+var urlencodedRegex = /^application\/x-www-form-urlencoded$/;
 var validator = (target, validationFunc) => {
   return async (c, next) => {
     let value = {};
     const contentType = c.req.header("Content-Type");
     switch (target) {
       case "json":
-        if (!contentType || !/^application\/([a-z-\.]+\+)?json/.test(contentType)) {
-          const message = `Invalid HTTP header: Content-Type=${contentType}`;
-          throw new HTTPException(400, { message });
+        if (!contentType || !jsonRegex.test(contentType)) {
+          break;
         }
         try {
           value = await c.req.json();
@@ -20,7 +22,7 @@ var validator = (target, validationFunc) => {
         }
         break;
       case "form": {
-        if (!contentType) {
+        if (!contentType || !(multipartRegex.test(contentType) || urlencodedRegex.test(contentType))) {
           break;
         }
         let formData;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hono",
-  "version": "4.5.0",
+  "version": "4.5.2",
   "description": "Web framework built on Web Standards",
   "main": "dist/cjs/index.js",
   "type": "module",
@@ -25,12 +25,13 @@
     "format": "prettier --check --cache \"src/**/*.{js,ts,tsx}\" \"runtime_tests/**/*.{js,ts,tsx}\"",
     "format:fix": "prettier --write --cache --cache-strategy metadata \"src/**/*.{js,ts,tsx}\" \"runtime_tests/**/*.{js,ts,tsx}\"",
     "copy:package.cjs.json": "cp ./package.cjs.json ./dist/cjs/package.json && cp ./package.cjs.json ./dist/types/package.json ",
-    "build": "rimraf dist && bun ./build.ts && bun run copy:package.cjs.json",
+    "build": "bun run --shell bun remove-dist && bun ./build.ts && bun run copy:package.cjs.json",
     "postbuild": "publint",
-    "watch": "rimraf dist && bun ./build.ts --watch && bun run copy:package.cjs.json",
+    "watch": "bun run --shell bun remove-dist && bun ./build.ts --watch && bun run copy:package.cjs.json",
     "coverage": "vitest --run --coverage",
     "prerelease": "bun test:deno && bun run build",
-    "release": "np"
+    "release": "np",
+    "remove-dist": "rm -rf dist"
   },
   "exports": {
     ".": {
@@ -627,7 +628,6 @@
     "np": "7.7.0",
     "prettier": "^2.6.2",
     "publint": "^0.1.8",
-    "rimraf": "^3.0.2",
     "supertest": "^6.3.3",
     "typescript": "^5.3.3",
     "vite-plugin-fastly-js-compute": "^0.4.2",

package/dist/cjs/test-utils/setup-vitest.js

@@ -1,49 +0,0 @@
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var nodeCrypto = __toESM(require("node:crypto"), 1);
-var import_vitest = require("vitest");
-if (!globalThis.crypto) {
-  import_vitest.vi.stubGlobal("crypto", nodeCrypto);
-  import_vitest.vi.stubGlobal("CryptoKey", nodeCrypto.webcrypto.CryptoKey);
-}
-class MockCache {
-  name;
-  store;
-  constructor(name, store) {
-    this.name = name;
-    this.store = store;
-  }
-  async match(key) {
-    return this.store.get(key) || null;
-  }
-  async keys() {
-    return this.store.keys();
-  }
-  async put(key, response) {
-    this.store.set(key, response);
-  }
-}
-const globalStore = /* @__PURE__ */ new Map();
-const caches = {
-  open: (name) => {
-    return new MockCache(name, globalStore);
-  }
-};
-import_vitest.vi.stubGlobal("caches", caches);

package/dist/test-utils/setup-vitest.js

@@ -1,31 +0,0 @@
-// src/test-utils/setup-vitest.ts
-import * as nodeCrypto from "node:crypto";
-import { vi } from "vitest";
-if (!globalThis.crypto) {
-  vi.stubGlobal("crypto", nodeCrypto);
-  vi.stubGlobal("CryptoKey", nodeCrypto.webcrypto.CryptoKey);
-}
-var MockCache = class {
-  name;
-  store;
-  constructor(name, store) {
-    this.name = name;
-    this.store = store;
-  }
-  async match(key) {
-    return this.store.get(key) || null;
-  }
-  async keys() {
-    return this.store.keys();
-  }
-  async put(key, response) {
-    this.store.set(key, response);
-  }
-};
-var globalStore = /* @__PURE__ */ new Map();
-var caches = {
-  open: (name) => {
-    return new MockCache(name, globalStore);
-  }
-};
-vi.stubGlobal("caches", caches);