te.js 2.1.2 → 2.1.3

package/auto-docs/analysis/handler-analyzer.js

@@ -15,9 +15,49 @@ const ALL_METHODS = [
 ];
 
 /**
- * Detects which HTTP methods the handler checks (e.g. ammo.GET, ammo.POST).
- * Matches property access patterns like `.GET`, `ammo.GET`, avoiding false positives
- * in strings or unrelated identifiers.
+ * Extracts allowed methods from .only('GET'), .only("POST", "PUT"), etc. in source.
+ * Returns a non-empty array only when at least one valid quoted method is found;
+ * otherwise [] so caller can fall back to other detection.
+ *
+ * @param {string} src - Handler source (e.g. handler.toString())
+ * @returns {string[]} Normalized method names (uppercase, HEAD added when GET present), or []
+ */
+function detectOnlyMethods(src) {
+  const startMarker = '.only(';
+  const start = src.indexOf(startMarker);
+  if (start === -1) return [];
+
+  let depth = 1;
+  let pos = start + startMarker.length;
+  while (pos < src.length && depth > 0) {
+    const ch = src[pos];
+    if (ch === '(') depth += 1;
+    else if (ch === ')') depth -= 1;
+    pos += 1;
+  }
+  const argsStr = src.slice(start + startMarker.length, pos - 1);
+
+  // Match quoted method names: 'GET', "POST", etc. Only accept known methods.
+  const quotedMethodRe = /['"](GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS)['"]/gi;
+  const seen = new Set();
+  let match;
+  while ((match = quotedMethodRe.exec(argsStr)) !== null) {
+    seen.add(match[1].toUpperCase());
+  }
+  if (seen.size === 0) return [];
+
+  const list = [...seen];
+  if (list.includes('GET') && !list.includes('HEAD')) {
+    list.push('HEAD');
+  }
+  return list;
+}
+
+/**
+ * Detects which HTTP methods the handler checks (e.g. ammo.GET, ammo.POST)
+ * or restricts via ammo.only('GET'), ammo.only('GET','POST').
+ * Prefers .only(...) when present with valid string args; otherwise matches
+ * property access like `.GET`, `ammo.GET`.
  *
  * When no method checks are found, the endpoint is treated as method-agnostic
  * and accepts ALL methods (te.js default behavior).
@@ -29,8 +69,10 @@ function detectMethods(handler) {
   if (typeof handler !== 'function') return [...ALL_METHODS];
 
   const src = handler.toString();
-  const detected = [];
+  const onlyMethods = detectOnlyMethods(src);
+  if (onlyMethods.length > 0) return onlyMethods;
 
+  const detected = [];
   for (const m of ALL_METHODS) {
     // Match property access patterns like .GET, ammo.GET, avoiding
     // false positives in strings or unrelated identifiers

package/docs/configuration.md

@@ -59,6 +59,16 @@ app.takeoff();
 | `log.http_requests` | `LOG_HTTP_REQUESTS` | boolean | `false` | Log incoming HTTP requests (method, path, status, time) |
 | `log.exceptions` | `LOG_EXCEPTIONS` | boolean | `false` | Log unhandled exceptions and errors |
 
+### Developer warnings
+
+When an endpoint is called and it has no allowed methods defined (see [Routing — Endpoint Metadata](./routing.md#endpoint-metadata)), the framework logs a warning once per path so you can restrict methods for security (405 and `Allow` header). To disable this warning:
+
+| Config Key | Env Variable | Type | Default | Description |
+|------------|-------------|------|---------|-------------|
+| `warn_missing_allowed_methods` | `WARN_MISSING_ALLOWED_METHODS` | boolean/string | *(warn)* | Set to `false` to disable the runtime warning for endpoints without allowed methods. |
+
+Example: in `tejas.config.json` use `"warn_missing_allowed_methods": false`, or in `.env` use `WARN_MISSING_ALLOWED_METHODS=false`.
+
 ### Request Body
 
 | Config Key | Env Variable | Type | Default | Description |
@@ -178,6 +188,9 @@ LLM_MODEL=gpt-4o-mini
 # ERRORS_LLM_API_KEY=...
 # ERRORS_LLM_MODEL=...
 # ERRORS_LLM_MESSAGE_TYPE=endUser   # or "developer" for technical messages
+
+# Optional: disable runtime warning for endpoints without allowed methods
+# WARN_MISSING_ALLOWED_METHODS=false
 ```
 
 ## Constructor Options

package/docs/routing.md

@@ -214,6 +214,8 @@ target.register('/users', {
 
 When metadata is omitted, the auto-docs LLM infers everything from the handler source code.
 
+If an endpoint has no `methods` in its metadata (and does not use `ammo.only()` to restrict methods), the framework logs a warning the first time that path is called. You can disable this warning via config: set `WARN_MISSING_ALLOWED_METHODS=false` (env) or `warn_missing_allowed_methods: false` in config. See [Configuration — Developer warnings](./configuration.md#developer-warnings).
+
 ## Method-Agnostic Handlers
 
 If a handler does not check any method flags (`ammo.GET`, `ammo.POST`, etc.), it is treated as accepting **all HTTP methods**. This is useful for simple endpoints:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "te.js",
-  "version": "2.1.2",
+  "version": "2.1.3",
   "description": "AI Native Node.js Framework",
   "type": "module",
   "main": "te.js",

package/server/handler.js

@@ -7,6 +7,9 @@ import TejError from './error.js';
 import targetRegistry from './targets/registry.js';
 
 const errorLogger = new TejLogger('Tejas.Exception');
+const logger = new TejLogger('Tejas');
+/** Paths we have already warned about (missing allowed methods). */
+const warnedPaths = new Set();
 
 const DEFAULT_ALLOWED_METHODS = [
   'GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'HEAD', 'OPTIONS',
@@ -134,6 +137,12 @@ const handler = async (req, res) => {
           await errorHandler(ammo, new TejError(405, 'Method Not Allowed'));
           return;
         }
+      } else if (env('WARN_MISSING_ALLOWED_METHODS') !== 'false') {
+        const path = match.target.getPath();
+        if (!warnedPaths.has(path)) {
+          warnedPaths.add(path);
+          logger.warn(`Endpoint missing allowed methods: ${path}`);
+        }
       }
 
       // Add route parameters to ammo.payload