npm - tina4-nodejs - Versions diffs - 3.13.3 → 3.13.4 - Mend

tina4-nodejs 3.13.3 → 3.13.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CLAUDE.md +2 -2
package/package.json +1 -1
package/packages/core/src/index.ts +1 -1
package/packages/core/src/request.ts +35 -1
package/packages/core/src/router.ts +5 -4

package/CLAUDE.md CHANGED Viewed

@@ -1,10 +1,10 @@
-# CLAUDE.md — AI Developer Guide for tina4-nodejs (v3.13.3)
+# CLAUDE.md — AI Developer Guide for tina4-nodejs (v3.13.4)
 > This file helps AI assistants (Claude, Copilot, Cursor, etc.) understand and work on this codebase effectively.
 ## What This Project Is
-Tina4 for Node.js/TypeScript v3.13.3 — The Intelligent Native Application 4ramework. A convention-over-configuration structural paradigm. The developer writes TypeScript; Tina4 is invisible infrastructure.
+Tina4 for Node.js/TypeScript v3.13.4 — The Intelligent Native Application 4ramework. A convention-over-configuration structural paradigm. The developer writes TypeScript; Tina4 is invisible infrastructure.
 The philosophy: zero ceremony, batteries included, file system as source of truth.

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
-  "version": "3.13.3",
+  "version": "3.13.4",
   "type": "module",
   "description": "Tina4 for Node.js/TypeScript \u2014 54 built-in features, zero dependencies",

package/packages/core/src/index.ts CHANGED Viewed

@@ -20,7 +20,7 @@ export type { RouteInfo } from "./router.js";
 export { discoverRoutes } from "./routeDiscovery.js";
 export { MiddlewareChain, MiddlewareRunner, cors, requestLogger, CorsMiddleware, RateLimiterMiddleware, RequestLogger, SecurityHeadersMiddleware, CsrfMiddleware } from "./middleware.js";
 export type { CorsConfig } from "./middleware.js";
-export { createRequest } from "./request.js";
+export { createRequest, makeCaseInsensitiveHeaders } from "./request.js";
 export { createResponse, errorResponse, setDefaultTemplatesDir, getFrond, setFrond, getFrameworkFrond } from "./response.js";
 export { tryServeStatic } from "./static.js";
 export { loadEnv, getEnv, requireEnv, hasEnv, allEnv, resetEnv, isTruthy } from "./dotenv.js";

package/packages/core/src/request.ts CHANGED Viewed

@@ -1,8 +1,42 @@
-import type { IncomingMessage } from "node:http";
+import type { IncomingMessage, IncomingHttpHeaders } from "node:http";
 import type { Tina4Request, UploadedFile } from "./types.js";
+/**
+ * Wrap Node's `IncomingHttpHeaders` in a Proxy so mixed-case lookups
+ * (`req.headers["Content-Type"]`) work alongside the canonical lowercase
+ * form Node already provides. Parity with PY-10-03 (Python ships a
+ * `CaseInsensitiveDict` for the same reason).
+ *
+ * The raw object is returned as-is by `Object.keys` / iteration — only
+ * string property reads/`in` checks are normalised.
+ */
+export function makeCaseInsensitiveHeaders(
+  raw: IncomingHttpHeaders,
+): IncomingHttpHeaders {
+  return new Proxy(raw, {
+    get(target, prop, receiver) {
+      if (typeof prop === "string") {
+        const lower = prop.toLowerCase();
+        if (lower in target) return (target as Record<string, unknown>)[lower];
+        return Reflect.get(target, prop, receiver);
+      }
+      return Reflect.get(target, prop, receiver);
+    },
+    has(target, prop) {
+      if (typeof prop === "string") {
+        return prop.toLowerCase() in target || Reflect.has(target, prop);
+      }
+      return Reflect.has(target, prop);
+    },
+  }) as IncomingHttpHeaders;
+}
 export function createRequest(req: IncomingMessage): Tina4Request {
   const tReq = req as Tina4Request;
+  // Wrap `req.headers` so mixed-case lookups work — Node's underlying object
+  // is already lower-cased, this just lets readers use any casing they like.
+  (tReq as unknown as { headers: IncomingHttpHeaders }).headers =
+    makeCaseInsensitiveHeaders(req.headers);
   // Resolve scheme + host honouring proxy headers — parity with PHP/Python/Ruby.
   const xfProto = req.headers["x-forwarded-proto"];

package/packages/core/src/router.ts CHANGED Viewed

@@ -131,12 +131,13 @@ export class Router {
       routes.splice(existingIndex, 1);
     }
-    // Write methods (POST/PUT/PATCH/DELETE) are secure by default,
-    // unless custom middleware is registered (developer handles auth themselves)
+    // Write methods (POST/PUT/PATCH/DELETE) are secure by default. Middleware is
+    // purely additive — registering custom middleware must NOT silently disable the
+    // built-in Bearer-token gate (parity with PY-10-02). Use `noAuth()` to open a
+    // write route explicitly.
     const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
     const isWrite = WRITE_METHODS.has(method);
-    const hasMiddleware = definition.middlewares && definition.middlewares.length > 0;
-    const secureDefault = isWrite && !hasMiddleware ? (definition.secure ?? true) : definition.secure;
+    const secureDefault = isWrite ? (definition.secure ?? true) : definition.secure;
     const compiled: CompiledRoute = {
       pattern: definition.pattern,