react-doctor 0.0.6 → 0.0.8

package/dist/react-doctor-plugin.js

@@ -129,6 +129,37 @@ const NEXTJS_NAVIGATION_FUNCTIONS = new Set([
 const GOOGLE_FONTS_PATTERN = /fonts\.googleapis\.com/;
 const POLYFILL_SCRIPT_PATTERN = /polyfill\.io|polyfill\.min\.js|cdn\.polyfill/;
 const APP_DIRECTORY_PATTERN = /\/app\//;
+const ROUTE_HANDLER_FILE_PATTERN = /\/route\.(tsx?|jsx?)$/;
+const MUTATION_METHOD_NAMES = new Set([
+	"create",
+	"insert",
+	"insertInto",
+	"update",
+	"upsert",
+	"delete",
+	"remove",
+	"destroy",
+	"set",
+	"append"
+]);
+const MUTATING_HTTP_METHODS = new Set([
+	"POST",
+	"PUT",
+	"DELETE",
+	"PATCH"
+]);
+const MUTATING_ROUTE_SEGMENTS = new Set([
+	"logout",
+	"log-out",
+	"signout",
+	"sign-out",
+	"unsubscribe",
+	"delete",
+	"remove",
+	"revoke",
+	"cancel",
+	"deactivate"
+]);
 const EFFECT_HOOK_NAMES = new Set(["useEffect", "useLayoutEffect"]);
 const HOOKS_WITH_DEPS = new Set([
 	"useEffect",
@@ -230,6 +261,40 @@ const createLoopAwareVisitors = (innerVisitors) => {
 	};
 	return visitors;
 };
+const isCookiesOrHeadersCall = (node, methodName) => {
+	if (node.type !== "CallExpression" || node.callee?.type !== "MemberExpression") return false;
+	const { object, property } = node.callee;
+	if (property?.type !== "Identifier" || !MUTATION_METHOD_NAMES.has(property.name)) return false;
+	if (object?.type !== "CallExpression" || object.callee?.type !== "Identifier") return false;
+	return object.callee.name === methodName;
+};
+const isMutatingDbCall = (node) => {
+	if (node.type !== "CallExpression" || node.callee?.type !== "MemberExpression") return false;
+	const { property } = node.callee;
+	return property?.type === "Identifier" && MUTATION_METHOD_NAMES.has(property.name);
+};
+const isMutatingFetchCall = (node) => {
+	if (node.type !== "CallExpression") return false;
+	if (node.callee?.type !== "Identifier" || node.callee.name !== "fetch") return false;
+	const optionsArgument = node.arguments?.[1];
+	if (!optionsArgument || optionsArgument.type !== "ObjectExpression") return false;
+	return optionsArgument.properties?.some((property) => property.type === "Property" && property.key?.type === "Identifier" && property.key.name === "method" && property.value?.type === "Literal" && typeof property.value.value === "string" && MUTATING_HTTP_METHODS.has(property.value.value.toUpperCase()));
+};
+const findSideEffect = (node) => {
+	let sideEffectDescription = null;
+	walkAst(node, (child) => {
+		if (sideEffectDescription) return;
+		if (isCookiesOrHeadersCall(child, "cookies")) sideEffectDescription = `cookies().${child.callee.property.name}()`;
+		else if (isCookiesOrHeadersCall(child, "headers")) sideEffectDescription = `headers().${child.callee.property.name}()`;
+		else if (isMutatingFetchCall(child)) sideEffectDescription = `fetch() with method ${child.arguments[1].properties.find((property) => property.key?.type === "Identifier" && property.key.name === "method").value.value}`;
+		else if (isMutatingDbCall(child)) {
+			const methodName = child.callee.property.name;
+			const objectName = child.callee.object?.type === "Identifier" ? child.callee.object.name : null;
+			sideEffectDescription = objectName ? `${objectName}.${methodName}()` : `.${methodName}()`;
+		}
+	});
+	return sideEffectDescription;
+};
 const extractDestructuredPropNames = (params) => {
 	const propNames = /* @__PURE__ */ new Set();
 	for (const param of params) if (param.type === "ObjectPattern") {
@@ -767,6 +832,44 @@ const nextjsNoHeadImport = { create: (context) => ({ ImportDeclaration(node) {
 		message: "next/head is not supported in the App Router — use the Metadata API instead"
 	});
 } }) };
+const extractMutatingRouteSegment = (filename) => {
+	const segments = filename.split("/");
+	for (const segment of segments) {
+		const cleaned = segment.replace(/^\[.*\]$/, "");
+		if (MUTATING_ROUTE_SEGMENTS.has(cleaned)) return cleaned;
+	}
+	return null;
+};
+const getExportedGetHandlerBody = (node) => {
+	if (node.type !== "ExportNamedDeclaration") return null;
+	const declaration = node.declaration;
+	if (!declaration) return null;
+	if (declaration.type === "FunctionDeclaration" && declaration.id?.name === "GET") return declaration.body;
+	if (declaration.type === "VariableDeclaration") {
+		const declarator = declaration.declarations?.[0];
+		if (declarator?.id?.type === "Identifier" && declarator.id.name === "GET" && declarator.init && (declarator.init.type === "ArrowFunctionExpression" || declarator.init.type === "FunctionExpression")) return declarator.init.body;
+	}
+	return null;
+};
+const nextjsNoSideEffectInGetHandler = { create: (context) => ({ ExportNamedDeclaration(node) {
+	const filename = context.getFilename?.() ?? "";
+	if (!ROUTE_HANDLER_FILE_PATTERN.test(filename)) return;
+	const handlerBody = getExportedGetHandlerBody(node);
+	if (!handlerBody) return;
+	const mutatingSegment = extractMutatingRouteSegment(filename);
+	if (mutatingSegment) {
+		context.report({
+			node,
+			message: `GET handler on "/${mutatingSegment}" route — use POST to prevent CSRF and unintended prefetch triggers`
+		});
+		return;
+	}
+	const sideEffect = findSideEffect(handlerBody);
+	if (sideEffect) context.report({
+		node,
+		message: `GET handler has side effects (${sideEffect}) — use POST to prevent CSRF and unintended prefetch triggers`
+	});
+} }) };
 
 //#endregion
 //#region src/plugin/rules/performance.ts
@@ -1231,6 +1334,7 @@ const plugin = {
 		"nextjs-no-css-link": nextjsNoCssLink,
 		"nextjs-no-polyfill-script": nextjsNoPolyfillScript,
 		"nextjs-no-head-import": nextjsNoHeadImport,
+		"nextjs-no-side-effect-in-get-handler": nextjsNoSideEffectInGetHandler,
 		"server-auth-actions": serverAuthActions,
 		"server-after-nonblocking": serverAfterNonblocking,
 		"client-passive-event-listeners": clientPassiveEventListeners,