odac 1.2.0 → 1.4.0

package/src/View/Form.js

@@ -3,6 +3,18 @@ const nodeCrypto = require('crypto')
 class Form {
   static FORM_TYPES = ['register', 'login', 'magic-login', 'form']
 
+  static escapeHtml(value) {
+    if (value === null || value === undefined) return ''
+    const map = {
+      '&': '&',
+      '<': '&lt;',
+      '>': '&gt;',
+      '"': '&quot;',
+      "'": '&#39;'
+    }
+    return String(value).replace(/[&<>"']/g, ch => map[ch])
+  }
+
   static parse(content, Odac) {
     for (const type of this.FORM_TYPES) {
       content = this.parseFormType(content, Odac, type)
@@ -14,8 +26,14 @@ class Form {
     const regex = new RegExp(`<odac:${type}[\\s\\S]*?<\\/odac:${type}>`, 'g')
     return content.replace(regex, match => {
       const formConfig = this.extractConfig(match, null, type)
-      const configStr = JSON.stringify(formConfig)
-      const matchStr = JSON.stringify(match)
+      let configStr = JSON.stringify(formConfig)
+      let matchStr = JSON.stringify(match)
+
+      // Unquote dynamic variables to make them live JS expressions in the compiled view
+      // We avoid {{ }} here because View engine would turn them into ${ } which is invalid in naked JS
+      configStr = configStr.replace(/"\{\{([\s\S]*?)\}\}"/g, '(await $1)')
+      matchStr = matchStr.replace(/\{\{([\s\S]*?)\}\}/g, '" + (await Odac.Var(await $1).html()) + "')
+
       return `<script:odac>html += await Odac.View.Form.runtime(Odac, '${type}', ${configStr}, ${matchStr});</script:odac>`
     })
   }
@@ -91,7 +109,7 @@ class Form {
     if (redirectMatch) config.redirect = redirectMatch[1]
     if (autologinMatch) config.autologin = autologinMatch[1] !== 'false'
 
-    const submitMatch = html.match(/<odac:submit([^>/]*)(?:\/?>|>(.*?)<\/odac:submit>)/)
+    const submitMatch = html.match(/<odac:submit([^>]*?)(?:\/?>|>(.*?)<\/odac:submit>)/)
     if (submitMatch) {
       const submitTag = submitMatch[1]
       const textMatch = submitTag.match(/text=["']([^"']+)["']/)
@@ -145,22 +163,25 @@ class Form {
       id: null,
       unique: false,
       skip: false,
+      value: null,
       validations: []
     }
 
-    const typeMatch = fieldTag.match(/type=["']([^"']+)["']/)
-    const placeholderMatch = fieldTag.match(/placeholder=["']([^"']+)["']/)
-    const labelMatch = fieldTag.match(/label=["']([^"']+)["']/)
-    const classMatch = fieldTag.match(/class=["']([^"']+)["']/)
-    const idMatch = fieldTag.match(/id=["']([^"']+)["']/)
+    const typeMatch = fieldTag.match(/type=(["'])(.*?)\1/)
+    const placeholderMatch = fieldTag.match(/placeholder=(["'])(.*?)\1/)
+    const labelMatch = fieldTag.match(/label=(["'])(.*?)\1/)
+    const classMatch = fieldTag.match(/class=(["'])(.*?)\1/)
+    const idMatch = fieldTag.match(/id=(["'])(.*?)\1/)
+    const valueMatch = fieldTag.match(/value=(["'])(.*?)\1/)
     const uniqueMatch = fieldTag.match(/unique=["']([^"']+)["']/) || fieldTag.match(/\sunique[\s/>]/)
     const skipMatch = fieldTag.match(/skip=["']([^"']+)["']/) || fieldTag.match(/\sskip[\s/>]/)
 
-    if (typeMatch) field.type = typeMatch[1]
-    if (placeholderMatch) field.placeholder = placeholderMatch[1]
-    if (labelMatch) field.label = labelMatch[1]
-    if (classMatch) field.class = classMatch[1]
-    if (idMatch) field.id = idMatch[1]
+    if (typeMatch) field.type = typeMatch[2]
+    if (placeholderMatch) field.placeholder = placeholderMatch[2]
+    if (labelMatch) field.label = labelMatch[2]
+    if (classMatch) field.class = classMatch[2]
+    if (idMatch) field.id = idMatch[2]
+    if (valueMatch) field.value = valueMatch[2]
     if (uniqueMatch) field.unique = uniqueMatch[1] !== 'false'
     if (skipMatch) field.skip = skipMatch[1] !== 'false'
 
@@ -181,7 +202,7 @@ class Form {
 
     // Capture generic attributes
     const extraAttrs = {}
-    const knownAttrs = ['name', 'type', 'placeholder', 'label', 'class', 'id', 'unique', 'skip']
+    const knownAttrs = ['name', 'type', 'placeholder', 'label', 'class', 'id', 'unique', 'skip', 'value']
     const attrRegex = /(\w+)(?:=(["'])((?:(?!\2).)*)\2|=([^\s>]+))?/g
     let attrMatch
     // Clean tag to just attributes part for safer regex matching if needed,
@@ -203,11 +224,11 @@ class Form {
   }
 
   static parseSet(html) {
-    const nameMatch = html.match(/name=["']([^"']+)["']/)
+    const nameMatch = html.match(/name=(["'])(.*?)\1/)
     if (!nameMatch) return null
 
     const set = {
-      name: nameMatch[1],
+      name: nameMatch[2],
       value: null,
       compute: null,
       callback: null,
@@ -215,14 +236,14 @@ class Form {
     }
 
     const valueMatch = html.match(/value=(["'])(.*?)\1/)
-    const computeMatch = html.match(/compute=["']([^"']+)["']/)
-    const callbackMatch = html.match(/callback=["']([^"']+)["']/)
-    const ifEmptyMatch = html.match(/if-empty=["']([^"']+)["']/) || html.match(/\sif-empty[\s/>]/)
+    const computeMatch = html.match(/compute=(["'])(.*?)\1/)
+    const callbackMatch = html.match(/callback=(["'])(.*?)\1/)
+    const ifEmptyMatch = html.match(/if-empty=(["'])(.*?)\1/) || html.match(/\sif-empty[\s/>]/)
 
     if (valueMatch) set.value = valueMatch[2]
-    if (computeMatch) set.compute = computeMatch[1]
-    if (callbackMatch) set.callback = callbackMatch[1]
-    if (ifEmptyMatch) set.ifEmpty = ifEmptyMatch[1] !== 'false'
+    if (computeMatch) set.compute = computeMatch[2]
+    if (callbackMatch) set.callback = callbackMatch[2]
+    if (ifEmptyMatch) set.ifEmpty = ifEmptyMatch[2] !== 'false'
 
     return set
   }
@@ -253,6 +274,9 @@ class Form {
     innerContent = innerContent.replace(/<odac:input([^>]*?)(?:\/>|>(?:[\s\S]*?)<\/odac:input>)/g, fieldMatch => {
       const field = this.parseInput(fieldMatch)
       if (!field) return fieldMatch
+      // Sync with resolved config value if available
+      const configField = config.fields.find(f => f.name === field.name)
+      if (configField) field.value = configField.value
       return this.generateFieldHtml(field)
     })
 
@@ -279,31 +303,38 @@ class Form {
 
   static generateFieldHtml(field) {
     let html = ''
+    const escapedName = this.escapeHtml(field.name)
+    const escapedType = this.escapeHtml(field.type)
+    const escapedPlaceholder = this.escapeHtml(field.placeholder)
 
     if (field.label && field.type !== 'checkbox') {
-      const fieldId = field.id || `odac-${field.name}`
-      html += `<label for="${fieldId}">${field.label}</label>\n`
+      const fieldId = this.escapeHtml(field.id || `odac-${field.name}`)
+      html += `<label for="${fieldId}">${this.escapeHtml(field.label)}</label>\n`
     }
 
-    const classAttr = field.class ? ` class="${field.class}"` : ''
-    const idAttr = field.id ? ` id="${field.id}"` : ` id="odac-${field.name}"`
+    const classAttr = field.class ? ` class="${this.escapeHtml(field.class)}"` : ''
+    const idAttr = field.id ? ` id="${this.escapeHtml(field.id)}"` : ` id="${this.escapeHtml(`odac-${field.name}`)}"`
+    const valueAttr = field.value !== null ? ` value="${this.escapeHtml(field.value)}"` : ''
 
     if (field.type === 'checkbox') {
       const attrs = this.buildHtml5Attributes(field)
+      const checkedAttr = field.value === '1' || field.value === true || field.value === 'true' ? ' checked' : ''
       if (field.label) {
         html += `<label>\n`
-        html += `  <input type="checkbox"${idAttr} name="${field.name}" value="1"${classAttr}${attrs}>\n`
-        html += `  ${field.label}\n`
+        html += `  <input type="checkbox"${idAttr} name="${escapedName}" value="1"${classAttr}${checkedAttr}${attrs}>\n`
+        html += `  ${this.escapeHtml(field.label)}\n`
         html += `</label>\n`
       } else {
-        html += `<input type="checkbox"${idAttr} name="${field.name}" value="1"${classAttr}${attrs}>\n`
+        html += `<input type="checkbox"${idAttr} name="${escapedName}" value="1"${classAttr}${checkedAttr}${attrs}>\n`
       }
     } else if (field.type === 'textarea') {
       const attrs = this.buildHtml5Attributes(field)
-      html += `<textarea${idAttr} name="${field.name}" placeholder="${field.placeholder}"${classAttr}${attrs}></textarea>\n`
+      html += `<textarea${idAttr} name="${escapedName}" placeholder="${escapedPlaceholder}"${classAttr}${attrs}>${this.escapeHtml(
+        field.value || ''
+      )}</textarea>\n`
     } else {
       const attrs = this.buildHtml5Attributes(field)
-      html += `<input type="${field.type}"${idAttr} name="${field.name}" placeholder="${field.placeholder}"${classAttr}${attrs}>\n`
+      html += `<input type="${escapedType}"${idAttr} name="${escapedName}"${valueAttr} placeholder="${escapedPlaceholder}"${classAttr}${attrs}>\n`
     }
 
     return html
@@ -319,7 +350,7 @@ class Form {
         if (val === '') {
           attrs += ` ${key}`
         } else {
-          attrs += ` ${key}="${val.replace(/"/g, '&quot;')}"`
+          attrs += ` ${key}="${this.escapeHtml(val)}"`
         }
       }
     }
@@ -406,11 +437,11 @@ class Form {
     if (html5Rules.max) attrs += ` max="${html5Rules.max}"`
     if (html5Rules.pattern) attrs += ` pattern="${html5Rules.pattern}"`
 
-    if (errorMessages.required) attrs += ` data-error-required="${errorMessages.required.replace(/"/g, '&quot;')}"`
-    if (errorMessages.minlength) attrs += ` data-error-minlength="${errorMessages.minlength.replace(/"/g, '&quot;')}"`
-    if (errorMessages.maxlength) attrs += ` data-error-maxlength="${errorMessages.maxlength.replace(/"/g, '&quot;')}"`
-    if (errorMessages.pattern) attrs += ` data-error-pattern="${errorMessages.pattern.replace(/"/g, '&quot;')}"`
-    if (errorMessages.email) attrs += ` data-error-email="${errorMessages.email.replace(/"/g, '&quot;')}"`
+    if (errorMessages.required) attrs += ` data-error-required="${this.escapeHtml(errorMessages.required)}"`
+    if (errorMessages.minlength) attrs += ` data-error-minlength="${this.escapeHtml(errorMessages.minlength)}"`
+    if (errorMessages.maxlength) attrs += ` data-error-maxlength="${this.escapeHtml(errorMessages.maxlength)}"`
+    if (errorMessages.pattern) attrs += ` data-error-pattern="${this.escapeHtml(errorMessages.pattern)}"`
+    if (errorMessages.email) attrs += ` data-error-email="${this.escapeHtml(errorMessages.email)}"`
 
     attrs = this.appendExtraAttributes(attrs, field)
 
@@ -434,7 +465,7 @@ class Form {
 
     if (redirectMatch) config.redirect = redirectMatch[1]
 
-    const submitMatch = html.match(/<odac:submit([^>/]*)(?:\/?>|>(.*?)<\/odac:submit>)/)
+    const submitMatch = html.match(/<odac:submit([^>]*?)(?:\/?>|>(.*?)<\/odac:submit>)/)
     if (submitMatch) {
       const submitTag = submitMatch[1]
       const textMatch = submitTag.match(/text=["']([^"']+)["']/)
@@ -489,6 +520,9 @@ class Form {
     innerContent = innerContent.replace(/<odac:input([^>]*?)(?:\/>|>(?:[\s\S]*?)<\/odac:input>)/g, fieldMatch => {
       const field = this.parseInput(fieldMatch)
       if (!field) return fieldMatch
+      // Sync with resolved config value if available
+      const configField = config.fields.find(f => f.name === field.name)
+      if (configField) field.value = configField.value
       return this.generateFieldHtml(field)
     })
 
@@ -551,8 +585,10 @@ class Form {
     if (tableMatch) config.table = tableMatch
     if (redirectMatch) config.redirect = redirectMatch
     if (successMatch) config.successMessage = successMatch
+    const clearMatch = extractAttr('clear')
+    if (clearMatch !== null) config.clear = clearMatch === 'true' || clearMatch === ''
 
-    const submitMatch = html.match(/<odac:submit([^>/]*)(?:\/?>|>(.*?)<\/odac:submit>)/)
+    const submitMatch = html.match(/<odac:submit([^>]*?)(?:\/?>|>(.*?)<\/odac:submit>)/)
     if (submitMatch) {
       const submitTag = submitMatch[1]
       const textMatch = submitTag.match(/text=["']([^"']+)["']/)
@@ -618,29 +654,30 @@ class Form {
     innerContent = innerContent.replace(/<odac:input([^>]*?)(?:\/>|>(?:[\s\S]*?)<\/odac:input>)/g, fieldMatch => {
       const field = this.parseInput(fieldMatch)
       if (!field) return fieldMatch
+      // Sync with resolved config value if available
+      const configField = config.fields.find(f => f.name === field.name)
+      if (configField) field.value = configField.value
       return this.generateFieldHtml(field)
     })
 
-    const escapeHtml = str =>
-      String(str).replace(/[&<>"']/g, m => ({'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'})[m])
-
     const submitMatch = innerContent.match(/<odac:submit[\s\S]*?(?:<\/odac:submit>|\/?>)/)
     if (submitMatch) {
-      let submitAttrs = `type="submit" data-submit-text="${escapeHtml(submitText)}" data-loading-text="${escapeHtml(submitLoading)}"`
-      if (config.submitClass) submitAttrs += ` class="${escapeHtml(config.submitClass)}"`
-      if (config.submitStyle) submitAttrs += ` style="${escapeHtml(config.submitStyle)}"`
-      if (config.submitId) submitAttrs += ` id="${escapeHtml(config.submitId)}"`
-      const submitButton = `<button ${submitAttrs}>${escapeHtml(submitText)}</button>`
+      let submitAttrs = `type="submit" data-submit-text="${this.escapeHtml(submitText)}" data-loading-text="${this.escapeHtml(submitLoading)}"`
+      if (config.submitClass) submitAttrs += ` class="${this.escapeHtml(config.submitClass)}"`
+      if (config.submitStyle) submitAttrs += ` style="${this.escapeHtml(config.submitStyle)}"`
+      if (config.submitId) submitAttrs += ` id="${this.escapeHtml(config.submitId)}"`
+      const submitButton = `<button ${submitAttrs}>${this.escapeHtml(submitText)}</button>`
       innerContent = innerContent.replace(submitMatch[0], submitButton)
     }
 
     innerContent = innerContent.replace(/<odac:set[^>]*\/?>/g, '')
 
-    let formAttrs = `class="odac-custom-form${config.class ? ' ' + escapeHtml(config.class) : ''}" data-odac-form="${escapeHtml(formToken)}" method="${escapeHtml(method)}" action="${escapeHtml(formAction)}" novalidate`
-    if (config.id) formAttrs += ` id="${escapeHtml(config.id)}"`
+    let formAttrs = `class="odac-custom-form${config.class ? ' ' + this.escapeHtml(config.class) : ''}" data-odac-form="${this.escapeHtml(formToken)}" method="${this.escapeHtml(method)}" action="${this.escapeHtml(formAction)}" novalidate`
+    if (config.id) formAttrs += ` id="${this.escapeHtml(config.id)}"`
+    if (config.clear !== undefined) formAttrs += ` clear="${config.clear}"`
 
     let html = `<form ${formAttrs}>\n`
-    html += `  <input type="hidden" name="_odac_form_token" value="${escapeHtml(formToken)}">\n`
+    html += `  <input type="hidden" name="_odac_form_token" value="${this.escapeHtml(formToken)}">\n`
     html += innerContent
     html += `\n  <span class="odac-form-success" style="display:none;"></span>\n`
     html += `</form>`
@@ -693,7 +730,7 @@ class Form {
       })
     }
 
-    const submitMatch = html.match(/<odac:submit([^>/]*)(?:\/?>|>(.*?)<\/odac:submit>)/)
+    const submitMatch = html.match(/<odac:submit([^>]*?)(?:\/?>|>(.*?)<\/odac:submit>)/)
     if (submitMatch) {
       const submitTag = submitMatch[1]
       const textMatch = submitTag.match(/text=["']([^"']+)["']/)
@@ -751,6 +788,9 @@ class Form {
       innerContent = innerContent.replace(/<odac:input([^>]*?)(?:\/>|>(?:[\s\S]*?)<\/odac:input>)/g, fieldMatch => {
         const field = this.parseInput(fieldMatch)
         if (!field) return fieldMatch
+        // Sync with resolved config value if available
+        const configField = config.fields.find(f => f.name === field.name)
+        if (configField) field.value = configField.value
         return this.generateFieldHtml(field)
       })
     }

package/src/View.js

@@ -58,6 +58,7 @@ class View {
       function: '{ let _arr = $constructor; for(let $key in _arr){ let $value = _arr[$key];',
       end: '}}',
       arguments: {
+        in: null,
         var: null,
         get: null,
         key: 'key',
@@ -83,6 +84,7 @@ class View {
     },
     list: {
       arguments: {
+        in: null,
         var: null,
         get: null,
         key: 'key',
@@ -149,7 +151,7 @@ class View {
         if (this.#part[element]) {
           let viewPath = this.#part[element]
           if (viewPath.includes('.')) viewPath = viewPath.replace(/\./g, '/')
-          if (fs.existsSync(`./view/${element}/${viewPath}.html`)) {
+          if (await this.#exists(`./view/${element}/${viewPath}.html`)) {
             const html = await this.#render(`./view/${element}/${viewPath}.html`)
             output[element] = html
 
@@ -169,7 +171,7 @@ class View {
           if (this.#part[key] && !this.#odac.Request.ajaxLoad.includes(key)) {
             let viewPath = this.#part[key]
             if (viewPath.includes('.')) viewPath = viewPath.replace(/\./g, '/')
-            if (fs.existsSync(`./view/${key}/${viewPath}.html`)) {
+            if (await this.#exists(`./view/${key}/${viewPath}.html`)) {
               try {
                 const partHtml = await this.#render(`./view/${key}/${viewPath}.html`)
                 const titleMatch = partHtml.match(TITLE_REGEX)
@@ -217,7 +219,7 @@ class View {
         if (['all', 'skeleton'].includes(key)) continue
         if (!this.#part[key]) continue
         if (this.#part[key].includes('.')) this.#part[key] = this.#part[key].replace(/\./g, '/')
-        if (fs.existsSync(`./view/${key}/${this.#part[key]}.html`)) {
+        if (await this.#exists(`./view/${key}/${this.#part[key]}.html`)) {
           result = result.replace(`{{ ${key.toUpperCase()} }}`, await this.#render(`./view/${key}/${this.#part[key]}.html`))
         }
       }
@@ -229,7 +231,7 @@ class View {
             let file = this.#part.all.split('.')
             file.splice(-1, 0, part.toLowerCase())
             file = file.join('/')
-            if (fs.existsSync(`./view/${file}.html`)) {
+            if (await this.#exists(`./view/${file}.html`)) {
               result = result.replace(`{{ ${part.toUpperCase()} }}`, await this.#render(`./view/${file}.html`))
             }
           }
@@ -381,7 +383,7 @@ class View {
       }
     }
 
-    let mtime = 0
+    let mtime
     let content = null
 
     try {
@@ -453,12 +455,15 @@ class View {
           let fun = func.function
 
           if (key === 'for' || key === 'list') {
-            if (!vars.var && !vars.get) {
-              console.error(`"var" or "get" is required for "${match}"\n  in "${file}"`)
+            if (!vars.var && !vars.get && !vars.in) {
+              console.error(`"var", "get" or "in" is required for "${match}"\n  in "${file}"`)
               continue
             }
             let constructor
-            if (vars.var) {
+            if (vars.in) {
+              constructor = `await ${vars.in}`
+              delete vars.in
+            } else if (vars.var) {
               constructor = `await ${vars.var}`
               delete vars.var
             } else if (vars.get) {
@@ -485,8 +490,8 @@ class View {
         }
       }
       let cache = `${nodeCrypto.createHash('md5').update(file).digest('hex')}`
-      if (!fs.existsSync(CACHE_DIR)) fs.mkdirSync(CACHE_DIR, {recursive: true})
-      fs.writeFileSync(
+      await fsPromises.mkdir(CACHE_DIR, {recursive: true})
+      await fsPromises.writeFile(
         `${CACHE_DIR}/${cache}`,
         `module.exports = async (Odac, get, __) => {\nlet html = '';\n${result}\nreturn html.trim()\n}`
       )

package/src/WebSocket.js

@@ -1,7 +1,10 @@
 const nodeCrypto = require('crypto')
 
 const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'
-const MAX_PAYLOAD_LENGTH = 10 * 1024 * 1024
+const DEFAULT_MAX_PAYLOAD = 10 * 1024 * 1024
+const DEFAULT_RATE_LIMIT_MAX = 50
+const DEFAULT_RATE_LIMIT_WINDOW = 1000
+
 const OPCODE = {
   CONTINUATION: 0x0,
   TEXT: 0x1,
@@ -18,13 +21,29 @@ class WebSocketClient {
   #server
   #id
   #rooms = new Set()
+  #maxPayload
+  #rateLimitMax
+  #rateLimitWindow
+  #messageCount = 0
+  #rateLimitTimer
   data = {}
 
-  constructor(socket, server, id) {
+  constructor(socket, server, id, options = {}) {
     this.#socket = socket
     this.#socket.pause()
     this.#server = server
     this.#id = id
+    this.#maxPayload = options.maxPayload || DEFAULT_MAX_PAYLOAD
+
+    this.#rateLimitMax = options.rateLimit?.max ?? DEFAULT_RATE_LIMIT_MAX
+    this.#rateLimitWindow = options.rateLimit?.window ?? DEFAULT_RATE_LIMIT_WINDOW
+
+    if (this.#rateLimitMax > 0) {
+      this.#rateLimitTimer = setInterval(() => {
+        this.#messageCount = 0
+      }, this.#rateLimitWindow)
+    }
+
     this.#setupListeners()
   }
 
@@ -93,7 +112,7 @@ class WebSocketClient {
       offset = 10
     }
 
-    if (payloadLength > MAX_PAYLOAD_LENGTH) {
+    if (payloadLength > this.#maxPayload) {
       this.close(1009, 'Payload too large')
       return null
     }
@@ -125,6 +144,14 @@ class WebSocketClient {
   }
 
   #handleFrame(frame) {
+    if (this.#rateLimitMax > 0) {
+      this.#messageCount++
+      if (this.#messageCount > this.#rateLimitMax) {
+        this.close(1008, 'Rate limit exceeded')
+        return
+      }
+    }
+
     switch (frame.opcode) {
       case OPCODE.TEXT:
         this.#handleMessage(frame.payload.toString('utf8'))
@@ -158,6 +185,8 @@ class WebSocketClient {
     if (this.#closed) return
     this.#closed = true
 
+    if (this.#rateLimitTimer) clearInterval(this.#rateLimitTimer)
+
     this.#socket.removeAllListeners()
 
     for (const room of this.#rooms) {
@@ -169,8 +198,7 @@ class WebSocketClient {
   }
 
   #sendFrame(opcode, data) {
-    if (this.#closed) return
-
+    if (this.#closed && opcode !== OPCODE.CLOSE) return
     const payload = Buffer.isBuffer(data) ? data : Buffer.from(data)
     const length = payload.length
 
@@ -240,6 +268,8 @@ class WebSocketClient {
     if (this.#closed) return
     this.#closed = true
 
+    if (this.#rateLimitTimer) clearInterval(this.#rateLimitTimer)
+
     const reasonBuffer = Buffer.from(reason)
     const payload = Buffer.alloc(2 + reasonBuffer.length)
     payload.writeUInt16BE(code, 0)
@@ -287,14 +317,14 @@ class WebSocketServer {
   #rooms = new Map()
   #routes = new Map()
 
-  route(path, handler) {
-    this.#routes.set(path, handler)
+  route(path, handler, options = {}) {
+    this.#routes.set(path, {handler, options})
   }
 
   getRoute(path) {
     if (this.#routes.has(path)) return this.#routes.get(path)
 
-    for (const [pattern, handler] of this.#routes) {
+    for (const [pattern, config] of this.#routes) {
       if (!pattern.includes('{')) continue
       const regex = new RegExp('^' + pattern.replace(/\{[^}]+\}/g, '([^/]+)') + '$')
       const match = path.match(regex)
@@ -304,7 +334,11 @@ class WebSocketServer {
         paramNames.forEach((name, i) => {
           params[name.slice(1, -1)] = match[i + 1]
         })
-        return {handler, params}
+        return {
+          handler: config.handler,
+          options: config.options,
+          params
+        }
       }
     }
     return null
@@ -320,8 +354,7 @@ class WebSocketServer {
       return
     }
 
-    const handler = typeof routeInfo === 'function' ? routeInfo : routeInfo.handler
-    const params = routeInfo.params || {}
+    const {handler, params = {}, options = {}} = routeInfo
 
     const key = req.headers['sec-websocket-key']
     if (!key) {
@@ -353,7 +386,7 @@ class WebSocketServer {
     if (head && head.length > 0) socket.unshift(head)
 
     const clientId = nodeCrypto.randomUUID()
-    const client = new WebSocketClient(socket, this, clientId)
+    const client = new WebSocketClient(socket, this, clientId, options)
     this.#clients.set(clientId, client)
 
     if (params) {