npm - rwsdk - Versions diffs - 1.0.5 → 1.0.6 - Mend

rwsdk 1.0.5 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/runtime/register/methodEnforcer.d.ts +8 -0
package/dist/runtime/register/methodEnforcer.js +41 -0
package/dist/runtime/register/methodEnforcer.test.d.ts +1 -0
package/dist/runtime/register/methodEnforcer.test.js +128 -0
package/dist/runtime/register/worker.js +2 -24
package/package.json +2 -2

package/dist/runtime/register/methodEnforcer.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+type GetServerModuleExport = (actionId: string) => Promise<unknown>;
+type DecodeReply = (data: string | FormData, moduleMap: null) => Promise<unknown>;
+export interface RscActionHandlerDeps {
+    getServerModuleExport: GetServerModuleExport;
+    decodeReply: DecodeReply;
+}
+export declare function rscActionHandler(req: Request, { getServerModuleExport, decodeReply }: RscActionHandlerDeps): Promise<unknown>;
+export {};

package/dist/runtime/register/methodEnforcer.js ADDED Viewed

@@ -0,0 +1,41 @@
+// context(justinvdm, 2026-04-06): Extracted from rscActionHandler() for testability.
+// The real getServerModuleExport and decodeReply require the react-server environment
+// (virtual module lookup, react-server-dom-webpack), so we accept them as injected
+// dependencies. worker.ts passes the real implementations; tests pass fakes.
+export async function rscActionHandler(req, { getServerModuleExport, decodeReply }) {
+    const url = new URL(req.url);
+    const contentType = req.headers.get("content-type");
+    let args = [];
+    if (req.method === "GET") {
+        const argsParam = url.searchParams.get("args");
+        if (argsParam) {
+            args = JSON.parse(argsParam);
+        }
+    }
+    else {
+        const data = contentType?.startsWith("multipart/form-data")
+            ? await req.formData()
+            : await req.text();
+        args = (await decodeReply(data, null));
+    }
+    const actionId = url.searchParams.get("__rsc_action_id");
+    if (import.meta.env.VITE_IS_DEV_SERVER && actionId === "__rsc_hot_update") {
+        return null;
+    }
+    const action = await getServerModuleExport(actionId);
+    if (typeof action !== "function") {
+        throw new Error(`Action ${actionId} is not a function`);
+    }
+    // context(justinvdm, 2026-04-06): Validate the declared HTTP method before
+    // invocation. serverAction() attaches .method = "POST" at creation time via
+    // createServerFunction(), serverQuery() attaches "GET". Functions without
+    // .method default to POST to match serverAction() semantics.
+    const actionMethod = action.method ?? "POST";
+    if (actionMethod !== req.method) {
+        return new Response(`Method ${req.method} is not allowed for this action. Allowed: ${actionMethod}.`, {
+            status: 405,
+            headers: { Allow: actionMethod },
+        });
+    }
+    return action(...args);
+}

package/dist/runtime/register/methodEnforcer.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/runtime/register/methodEnforcer.test.js ADDED Viewed

@@ -0,0 +1,128 @@
+import { describe, expect, it, vi } from "vitest";
+import { rscActionHandler } from "./methodEnforcer";
+function createDeps(action) {
+    return {
+        getServerModuleExport: vi.fn().mockResolvedValue(action),
+        decodeReply: vi.fn().mockResolvedValue([]),
+    };
+}
+function makeRequest(url, method, body) {
+    const init = { method };
+    if (body !== undefined) {
+        init.body = body;
+        init.headers = { "content-type": "application/json" };
+    }
+    return new Request(url, init);
+}
+const ACTION_URL = "https://app.test/page?__rsc_action_id=%2Factions.tsx%23doThing";
+describe("rscActionHandler method enforcement", () => {
+    it("rejects GET for an action with method POST", async () => {
+        const action = Object.assign(vi.fn(), { method: "POST" });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL, "GET");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBeInstanceOf(Response);
+        const res = result;
+        expect(res.status).toBe(405);
+        expect(res.headers.get("Allow")).toBe("POST");
+        expect(action).not.toHaveBeenCalled();
+    });
+    it("rejects POST for an action with method GET", async () => {
+        const action = Object.assign(vi.fn(), { method: "GET" });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL, "POST", "[]");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBeInstanceOf(Response);
+        const res = result;
+        expect(res.status).toBe(405);
+        expect(res.headers.get("Allow")).toBe("GET");
+        expect(action).not.toHaveBeenCalled();
+    });
+    it("allows POST for an action with method POST", async () => {
+        const action = Object.assign(vi.fn().mockReturnValue("ok"), {
+            method: "POST",
+        });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL, "POST", "[]");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBe("ok");
+        expect(action).toHaveBeenCalled();
+    });
+    it("allows GET for an action with method GET", async () => {
+        const action = Object.assign(vi.fn().mockReturnValue("data"), {
+            method: "GET",
+        });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL + "&args=%5B%5D", "GET");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBe("data");
+        expect(action).toHaveBeenCalled();
+    });
+    it("defaults to POST for actions without .method property", async () => {
+        const action = vi.fn().mockReturnValue("ok");
+        const deps = createDeps(action);
+        const postReq = makeRequest(ACTION_URL, "POST", "[]");
+        const postResult = await rscActionHandler(postReq, deps);
+        expect(postResult).toBe("ok");
+        expect(action).toHaveBeenCalled();
+    });
+    it("rejects GET for actions without .method property", async () => {
+        const action = vi.fn();
+        const deps = createDeps(action);
+        const getReq = makeRequest(ACTION_URL, "GET");
+        const getResult = await rscActionHandler(getReq, deps);
+        expect(getResult).toBeInstanceOf(Response);
+        expect(getResult.status).toBe(405);
+        expect(action).not.toHaveBeenCalled();
+    });
+    it("includes allowed methods in 405 response body", async () => {
+        const action = Object.assign(vi.fn(), { method: "POST" });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL, "GET");
+        const result = (await rscActionHandler(req, deps));
+        const body = await result.text();
+        expect(body).toContain("Method GET is not allowed");
+        expect(body).toContain("Allowed: POST");
+    });
+    it("rejects when .method is not a valid string", async () => {
+        const action = Object.assign(vi.fn(), {
+            method: 42,
+        });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL, "GET");
+        const result = await rscActionHandler(req, deps);
+        expect(result).toBeInstanceOf(Response);
+        expect(result.status).toBe(405);
+        expect(action).not.toHaveBeenCalled();
+    });
+    it("throws when action is not a function", async () => {
+        const deps = {
+            getServerModuleExport: vi.fn().mockResolvedValue("not-a-function"),
+            decodeReply: vi.fn(),
+        };
+        const req = makeRequest(ACTION_URL, "GET");
+        await expect(rscActionHandler(req, deps)).rejects.toThrow("is not a function");
+    });
+    it("parses GET args from query string", async () => {
+        const action = Object.assign(vi.fn().mockReturnValue("result"), {
+            method: "GET",
+        });
+        const deps = createDeps(action);
+        const req = makeRequest(ACTION_URL + '&args=%5B%22hello%22%2C%2042%5D', "GET");
+        await rscActionHandler(req, deps);
+        expect(action).toHaveBeenCalledWith("hello", 42);
+    });
+    it("uses decodeReply for POST body", async () => {
+        const action = Object.assign(vi.fn().mockReturnValue("result"), {
+            method: "POST",
+        });
+        const deps = {
+            getServerModuleExport: vi.fn().mockResolvedValue(action),
+            decodeReply: vi.fn().mockResolvedValue(["decoded-arg"]),
+        };
+        const req = makeRequest(ACTION_URL, "POST", "serialized-body");
+        await rscActionHandler(req, deps);
+        expect(deps.decodeReply).toHaveBeenCalledWith("serialized-body", null);
+        expect(action).toHaveBeenCalledWith("decoded-arg");
+    });
+});

package/dist/runtime/register/worker.js CHANGED Viewed

@@ -2,6 +2,7 @@ import { isValidElementType } from "react-is";
 import { registerClientReference as baseRegisterClientReference, registerServerReference as baseRegisterServerReference, decodeReply, } from "react-server-dom-webpack/server.edge";
 import { getServerModuleExport } from "../imports/worker.js";
 import { requestInfo } from "../requestInfo/worker.js";
+import { rscActionHandler as rscActionHandlerImpl } from "./methodEnforcer.js";
 export function registerServerReference(action, id, name) {
     if (typeof action !== "function") {
         return action;
@@ -48,28 +49,5 @@ export async function __smokeTestActionHandler(timestamp) {
     return { status: "ok", timestamp };
 }
 export async function rscActionHandler(req) {
-    const url = new URL(req.url);
-    const contentType = req.headers.get("content-type");
-    let args = [];
-    if (req.method === "GET") {
-        const argsParam = url.searchParams.get("args");
-        if (argsParam) {
-            args = JSON.parse(argsParam);
-        }
-    }
-    else {
-        const data = contentType?.startsWith("multipart/form-data")
-            ? await req.formData()
-            : await req.text();
-        args = (await decodeReply(data, null));
-    }
-    const actionId = url.searchParams.get("__rsc_action_id");
-    if (import.meta.env.VITE_IS_DEV_SERVER && actionId === "__rsc_hot_update") {
-        return null;
-    }
-    const action = await getServerModuleExport(actionId);
-    if (typeof action !== "function") {
-        throw new Error(`Action ${actionId} is not a function`);
-    }
-    return action(...args);
+    return rscActionHandlerImpl(req, { getServerModuleExport, decodeReply });
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "rwsdk",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "description": "Build fast, server-driven webapps on Cloudflare with SSR, RSC, and realtime",
   "type": "module",
   "bin": {
@@ -178,7 +178,7 @@
     "jsonc-parser": "~3.3.1",
     "kysely": "~0.28.15",
     "kysely-do": "~0.0.1-rc.1",
-    "lodash": "~4.17.23",
+    "lodash": "~4.18.1",
     "magic-string": "~0.30.21",
     "picocolors": "~1.1.1",
     "proper-lockfile": "~4.1.2",