rwsdk 1.0.4 → 1.0.6

package/dist/runtime/lib/router.js

@@ -206,7 +206,6 @@ export function defineRoutes(routes) {
                 throw error;
             }
             // --- Main flow ---
-            let firstRouteDefinitionEncountered = false;
             let actionHandled = false;
             const handleAction = async () => {
                 // Handle RSC actions once per request, based on the incoming URL.
@@ -241,17 +240,6 @@ export function defineRoutes(routes) {
                         currentRouteIndex++;
                         continue;
                     }
-                    // This is a RouteDefinition (route.type === "definition").
-                    // The first time we see one, we handle any RSC actions.
-                    if (!firstRouteDefinitionEncountered) {
-                        firstRouteDefinitionEncountered = true;
-                        try {
-                            await handleAction();
-                        }
-                        catch (error) {
-                            return await executeExceptHandlers(error, currentRouteIndex);
-                        }
-                    }
                     let params = null;
                     if (route.isStatic) {
                         if (route.path === path) {
@@ -310,6 +298,9 @@ export function defineRoutes(routes) {
                                     return handled;
                                 }
                             }
+                            // All global and route-specific middlewares have run, so it's
+                            // safe to handle any pending RSC action before rendering.
+                            await handleAction();
                             // Final component/handler
                             if (isRouteComponent(componentHandler)) {
                                 const requestInfo = getRequestInfo();
@@ -365,14 +356,13 @@ Route handlers must return one of:
                     }
                 }
                 // If we've gotten this far, no route was matched.
-                // We still need to handle a possible action if the app has no route definitions at all.
-                if (!firstRouteDefinitionEncountered) {
-                    try {
-                        await handleAction();
-                    }
-                    catch (error) {
-                        return await executeExceptHandlers(error, compiledRoutes.length - 1);
-                    }
+                // All global middlewares have already executed, so it's safe to handle
+                // any pending RSC action before returning the 404 response.
+                try {
+                    await handleAction();
+                }
+                catch (error) {
+                    return await executeExceptHandlers(error, compiledRoutes.length - 1);
                 }
                 return new Response("Not Found", { status: 404 });
             }

package/dist/runtime/lib/router.test.js

@@ -404,7 +404,7 @@ describe("defineRoutes - Request Handling Behavior", () => {
         });
     });
     describe("RSC Action Handling", () => {
-        it("should handle RSC actions before the first route definition", async () => {
+        it("should handle RSC actions after global middleware but before page rendering", async () => {
             const executionOrder = [];
             const middleware1 = (requestInfo) => {
                 executionOrder.push("middleware1");
@@ -473,6 +473,96 @@ describe("defineRoutes - Request Handling Behavior", () => {
             expect(executionOrder).toEqual(["rscActionHandler", "PageComponent2"]);
             // Should only call action handler once, even though there are multiple routes
         });
+        // Regression test for issue #1110:
+        // When a route definition appears before global middleware in the flattened
+        // route list (e.g. an API route defined before a session-setup middleware),
+        // the RSC action handler was incorrectly fired at the first route definition
+        // encountered – before those later middlewares had run. Interruptors
+        // (registered via serverAction/serverQuery) execute inside rscActionHandler,
+        // so they would see an incomplete request context (e.g. ctx.user not yet set).
+        it("should run all global middleware before rscActionHandler even when a route definition appears first", async () => {
+            const executionOrder = [];
+            // A route definition that appears BEFORE global middleware
+            const apiRoute = route("/api/data/", async () => new Response(JSON.stringify({ data: "ok" })));
+            // Global middleware that sets up context (e.g. session / auth)
+            const globalMiddleware = async (requestInfo) => {
+                executionOrder.push("globalMiddleware");
+                requestInfo.ctx.user = { id: 1 };
+            };
+            const PageComponent = () => {
+                executionOrder.push("PageComponent");
+                return React.createElement("div", {}, "Page");
+            };
+            const router = defineRoutes([
+                apiRoute,
+                globalMiddleware, // global middleware defined AFTER a route definition
+                route("/test/", PageComponent),
+            ]);
+            const deps = createMockDependencies();
+            deps.mockRequestInfo.request = new Request("http://localhost:3000/test/?__rsc_action_id=test");
+            deps.mockRscActionHandler = async (request) => {
+                executionOrder.push("rscActionHandler");
+                return { actionResult: "test-result" };
+            };
+            const request = new Request("http://localhost:3000/test/?__rsc_action_id=test");
+            await router.handle({
+                request,
+                renderPage: deps.mockRenderPage,
+                getRequestInfo: deps.getRequestInfo,
+                onError: deps.onError,
+                runWithRequestInfoOverrides: deps.mockRunWithRequestInfoOverrides,
+                rscActionHandler: deps.mockRscActionHandler,
+            });
+            // globalMiddleware must complete before rscActionHandler runs so that
+            // interruptors inside the action have access to ctx.user.
+            expect(executionOrder).toEqual([
+                "globalMiddleware",
+                "rscActionHandler",
+                "PageComponent",
+            ]);
+        });
+        it("should handle RSC actions after route-specific middleware", async () => {
+            const executionOrder = [];
+            const globalMiddleware = async (requestInfo) => {
+                executionOrder.push("globalMiddleware");
+                requestInfo.ctx.user = { id: 1 };
+            };
+            const requireAdmin = async (requestInfo) => {
+                executionOrder.push("requireAdmin");
+                if (!requestInfo.ctx.user?.isAdmin) {
+                    return new Response("Forbidden", { status: 403 });
+                }
+            };
+            const AdminPage = () => {
+                executionOrder.push("AdminPage");
+                return React.createElement("div", {}, "Admin");
+            };
+            const router = defineRoutes([
+                globalMiddleware,
+                route("/admin/", [requireAdmin, AdminPage]),
+            ]);
+            const deps = createMockDependencies();
+            deps.mockRequestInfo.request = new Request("http://localhost:3000/admin/?__rsc_action_id=test");
+            deps.mockRscActionHandler = async (request) => {
+                executionOrder.push("rscActionHandler");
+                return { actionResult: "test-result" };
+            };
+            const request = new Request("http://localhost:3000/admin/?__rsc_action_id=test");
+            const response = await router.handle({
+                request,
+                renderPage: deps.mockRenderPage,
+                getRequestInfo: deps.getRequestInfo,
+                onError: deps.onError,
+                runWithRequestInfoOverrides: deps.mockRunWithRequestInfoOverrides,
+                rscActionHandler: deps.mockRscActionHandler,
+            });
+            // requireAdmin should short-circuit before the action runs
+            expect(executionOrder).toEqual([
+                "globalMiddleware",
+                "requireAdmin",
+            ]);
+            expect(response.status).toBe(403);
+        });
     });
     describe("Page Route Matching and Rendering", () => {
         it("should match the first route that matches the path", async () => {

package/dist/runtime/register/methodEnforcer.d.ts

@@ -0,0 +1,8 @@
+type GetServerModuleExport = (actionId: string) => Promise<unknown>;
+type DecodeReply = (data: string | FormData, moduleMap: null) => Promise<unknown>;
+export interface RscActionHandlerDeps {
+    getServerModuleExport: GetServerModuleExport;
+    decodeReply: DecodeReply;
+}
+export declare function rscActionHandler(req: Request, { getServerModuleExport, decodeReply }: RscActionHandlerDeps): Promise<unknown>;
+export {};

package/dist/runtime/register/methodEnforcer.js

@@ -0,0 +1,41 @@
+// context(justinvdm, 2026-04-06): Extracted from rscActionHandler() for testability.
+// The real getServerModuleExport and decodeReply require the react-server environment
+// (virtual module lookup, react-server-dom-webpack), so we accept them as injected
+// dependencies. worker.ts passes the real implementations; tests pass fakes.
+export async function rscActionHandler(req, { getServerModuleExport, decodeReply }) {
+    const url = new URL(req.url);
+    const contentType = req.headers.get("content-type");
+    let args = [];
+    if (req.method === "GET") {
+        const argsParam = url.searchParams.get("args");
+        if (argsParam) {
+            args = JSON.parse(argsParam);
+        }
+    }
+    else {
+        const data = contentType?.startsWith("multipart/form-data")
+            ? await req.formData()
+            : await req.text();
+        args = (await decodeReply(data, null));
+    }
+    const actionId = url.searchParams.get("__rsc_action_id");
+    if (import.meta.env.VITE_IS_DEV_SERVER && actionId === "__rsc_hot_update") {
+        return null;
+    }
+    const action = await getServerModuleExport(actionId);
+    if (typeof action !== "function") {
+        throw new Error(`Action ${actionId} is not a function`);
+    }
+    // context(justinvdm, 2026-04-06): Validate the declared HTTP method before
+    // invocation. serverAction() attaches .method = "POST" at creation time via
+    // createServerFunction(), serverQuery() attaches "GET". Functions without
+    // .method default to POST to match serverAction() semantics.
+    const actionMethod = action.method ?? "POST";
+    if (actionMethod !== req.method) {
+        return new Response(`Method ${req.method} is not allowed for this action. Allowed: ${actionMethod}.`, {
+            status: 405,
+            headers: { Allow: actionMethod },
+        });
+    }
+    return action(...args);
+}

package/dist/runtime/register/methodEnforcer.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/runtime/register/methodEnforcer.test.js

@@ -0,0 +1,128 @@
+import { describe, expect, it, vi } from "vitest";
+import { rscActionHandler } from "./methodEnforcer";
+function createDeps(action) {
+    return {
+        getServerModuleExport: vi.fn().mockResolvedValue(action),
+        decodeReply: vi.fn().mockResolvedValue([]),
+    };
+}
+function makeRequest(url, method, body) {
+    const init = { method };
+    if (body !== undefined) {
+        init.body = body;
+        init.headers = { "content-type": "application/json" };
+    }
+    return new Request(url, init);
+}
+const ACTION_URL = "https://app.test/page?__rsc_action_id=%2Factions.tsx%23doThing";
+describe("rscActionHandler method enforcement", () => {
+    it("rejects GET for an action with method POST", async () => {
+        const action = Object.assign(vi.fn(), { method: "POST" });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL, "GET");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBeInstanceOf(Response);
+        const res = result;
+        expect(res.status).toBe(405);
+        expect(res.headers.get("Allow")).toBe("POST");
+        expect(action).not.toHaveBeenCalled();
+    });
+    it("rejects POST for an action with method GET", async () => {
+        const action = Object.assign(vi.fn(), { method: "GET" });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL, "POST", "[]");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBeInstanceOf(Response);
+        const res = result;
+        expect(res.status).toBe(405);
+        expect(res.headers.get("Allow")).toBe("GET");
+        expect(action).not.toHaveBeenCalled();
+    });
+    it("allows POST for an action with method POST", async () => {
+        const action = Object.assign(vi.fn().mockReturnValue("ok"), {
+            method: "POST",
+        });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL, "POST", "[]");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBe("ok");
+        expect(action).toHaveBeenCalled();
+    });
+    it("allows GET for an action with method GET", async () => {
+        const action = Object.assign(vi.fn().mockReturnValue("data"), {
+            method: "GET",
+        });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL + "&args=%5B%5D", "GET");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBe("data");
+        expect(action).toHaveBeenCalled();
+    });
+    it("defaults to POST for actions without .method property", async () => {
+        const action = vi.fn().mockReturnValue("ok");
+        const deps = createDeps(action);
+        const postReq = makeRequest(ACTION_URL, "POST", "[]");
+        const postResult = await rscActionHandler(postReq, deps);
+        expect(postResult).toBe("ok");
+        expect(action).toHaveBeenCalled();
+    });
+    it("rejects GET for actions without .method property", async () => {
+        const action = vi.fn();
+        const deps = createDeps(action);
+        const getReq = makeRequest(ACTION_URL, "GET");
+        const getResult = await rscActionHandler(getReq, deps);
+        expect(getResult).toBeInstanceOf(Response);
+        expect(getResult.status).toBe(405);
+        expect(action).not.toHaveBeenCalled();
+    });
+    it("includes allowed methods in 405 response body", async () => {
+        const action = Object.assign(vi.fn(), { method: "POST" });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL, "GET");
+        const result = (await rscActionHandler(req, deps));
+        const body = await result.text();
+        expect(body).toContain("Method GET is not allowed");
+        expect(body).toContain("Allowed: POST");
+    });
+    it("rejects when .method is not a valid string", async () => {
+        const action = Object.assign(vi.fn(), {
+            method: 42,
+        });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL, "GET");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBeInstanceOf(Response);
+        expect(result.status).toBe(405);
+        expect(action).not.toHaveBeenCalled();
+    });
+    it("throws when action is not a function", async () => {
+        const deps = {
+            getServerModuleExport: vi.fn().mockResolvedValue("not-a-function"),
+            decodeReply: vi.fn(),
+        };
+        const req = makeRequest(ACTION_URL, "GET");
+        await expect(rscActionHandler(req, deps)).rejects.toThrow("is not a function");
+    });
+    it("parses GET args from query string", async () => {
+        const action = Object.assign(vi.fn().mockReturnValue("result"), {
+            method: "GET",
+        });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL + '&args=%5B%22hello%22%2C%2042%5D', "GET");
+        await rscActionHandler(req, deps);
+        expect(action).toHaveBeenCalledWith("hello", 42);
+    });
+    it("uses decodeReply for POST body", async () => {
+        const action = Object.assign(vi.fn().mockReturnValue("result"), {
+            method: "POST",
+        });
+        const deps = {
+            getServerModuleExport: vi.fn().mockResolvedValue(action),
+            decodeReply: vi.fn().mockResolvedValue(["decoded-arg"]),
+        };
+        const req = makeRequest(ACTION_URL, "POST", "serialized-body");
+        await rscActionHandler(req, deps);
+        expect(deps.decodeReply).toHaveBeenCalledWith("serialized-body", null);
+        expect(action).toHaveBeenCalledWith("decoded-arg");
+    });
+});

package/dist/runtime/register/worker.js

@@ -2,6 +2,7 @@ import { isValidElementType } from "react-is";
 import { registerClientReference as baseRegisterClientReference, registerServerReference as baseRegisterServerReference, decodeReply, } from "react-server-dom-webpack/server.edge";
 import { getServerModuleExport } from "../imports/worker.js";
 import { requestInfo } from "../requestInfo/worker.js";
+import { rscActionHandler as rscActionHandlerImpl } from "./methodEnforcer.js";
 export function registerServerReference(action, id, name) {
     if (typeof action !== "function") {
         return action;
@@ -48,28 +49,5 @@ export async function __smokeTestActionHandler(timestamp) {
     return { status: "ok", timestamp };
 }
 export async function rscActionHandler(req) {
-    const url = new URL(req.url);
-    const contentType = req.headers.get("content-type");
-    let args = [];
-    if (req.method === "GET") {
-        const argsParam = url.searchParams.get("args");
-        if (argsParam) {
-            args = JSON.parse(argsParam);
-        }
-    }
-    else {
-        const data = contentType?.startsWith("multipart/form-data")
-            ? await req.formData()
-            : await req.text();
-        args = (await decodeReply(data, null));
-    }
-    const actionId = url.searchParams.get("__rsc_action_id");
-    if (import.meta.env.VITE_IS_DEV_SERVER && actionId === "__rsc_hot_update") {
-        return null;
-    }
-    const action = await getServerModuleExport(actionId);
-    if (typeof action !== "function") {
-        throw new Error(`Action ${actionId} is not a function`);
-    }
-    return action(...args);
+    return rscActionHandlerImpl(req, { getServerModuleExport, decodeReply });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rwsdk",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "Build fast, server-driven webapps on Cloudflare with SSR, RSC, and realtime",
   "type": "module",
   "bin": {
@@ -154,7 +154,7 @@
   "license": "MIT",
   "dependencies": {
     "@ast-grep/napi": "~0.41.0",
-    "@cloudflare/workers-types": "~4.20260307.1",
+    "@cloudflare/workers-types": "~4.20260331.1",
     "@mdx-js/mdx": "~3.1.1",
     "@puppeteer/browsers": "~2.13.0",
     "@types/decompress": "~4.2.7",
@@ -172,13 +172,13 @@
     "execa": "~9.6.1",
     "find-up": "~8.0.0",
     "fs-extra": "~11.3.4",
-    "get-port": "^7.1.0",
+    "get-port": "^7.2.0",
     "glob": "~13.0.6",
     "ignore": "~7.0.5",
     "jsonc-parser": "~3.3.1",
-    "kysely": "~0.28.12",
+    "kysely": "~0.28.15",
     "kysely-do": "~0.0.1-rc.1",
-    "lodash": "~4.17.23",
+    "lodash": "~4.18.1",
     "magic-string": "~0.30.21",
     "picocolors": "~1.1.1",
     "proper-lockfile": "~4.1.2",
@@ -199,13 +199,14 @@
     "react-dom": ">=19.2.0-0 <19.3.0 || >=19.3.0-0 <20.0.0",
     "react-server-dom-webpack": ">=19.2.0-0 <19.3.0 || >=19.3.0-0 <20.0.0",
     "vite": "^6.2.6 || 7.x",
-    "wrangler": "^4.71.0"
+    "wrangler": "^4.77.0"
   },
   "packageManager": "pnpm@10.31.0",
   "devDependencies": {
-    "@cloudflare/vite-plugin": "1.26.1",
+    "@cloudflare/vite-plugin": "1.30.1",
+    "wrangler": "^4.77.0",
     "capnweb": "~0.5.0",
-    "@types/debug": "~4.1.12",
+    "@types/debug": "~4.1.13",
     "@types/js-beautify": "~1.14.3",
     "@types/lodash": "~4.17.24",
     "@types/node": "~25.3.5",
@@ -213,8 +214,8 @@
     "js-beautify": "~1.15.4",
     "semver": "~7.7.4",
     "tsx": "~4.21.0",
-    "typescript": "~5.9.3",
+    "typescript": "~6.0.2",
     "vite": "~7.3.1",
-    "vitest": "~4.0.18"
+    "vitest": "~4.1.2"
   }
 }