veryfront 0.1.749 → 0.1.751

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/esm/deno.js CHANGED
@@ -1,6 +1,6 @@
1
1
  export default {
2
2
  "name": "veryfront",
3
- "version": "0.1.749",
3
+ "version": "0.1.751",
4
4
  "license": "Apache-2.0",
5
5
  "nodeModulesDir": "auto",
6
6
  "minimumDependencyAge": "P2D",
@@ -110,7 +110,7 @@ export declare const getVeryfrontConfigSchema: () => import("../../internal-agen
110
110
  * Set `true` for defaults, or pass an object to customize.
111
111
  *
112
112
  * When enabled, POST/PUT/PATCH/DELETE requests must include
113
- * an `x-csrf-token` header matching the `vf_csrf` cookie.
113
+ * an `x-csrf-token` header matching the `__Host-vf_csrf` cookie.
114
114
  * The cookie is set automatically on HTML document responses.
115
115
  *
116
116
  * Server Actions (`/_veryfront/rsc/action`) are CSRF-protected;
@@ -508,7 +508,7 @@ export declare const veryfrontConfigSchema: import("../../internal-agents/schema
508
508
  * Set `true` for defaults, or pass an object to customize.
509
509
  *
510
510
  * When enabled, POST/PUT/PATCH/DELETE requests must include
511
- * an `x-csrf-token` header matching the `vf_csrf` cookie.
511
+ * an `x-csrf-token` header matching the `__Host-vf_csrf` cookie.
512
512
  * The cookie is set automatically on HTML document responses.
513
513
  *
514
514
  * Server Actions (`/_veryfront/rsc/action`) are CSRF-protected;
@@ -161,7 +161,7 @@ export const getVeryfrontConfigSchema = defineSchema((v) => v
161
161
  * Set `true` for defaults, or pass an object to customize.
162
162
  *
163
163
  * When enabled, POST/PUT/PATCH/DELETE requests must include
164
- * an `x-csrf-token` header matching the `vf_csrf` cookie.
164
+ * an `x-csrf-token` header matching the `__Host-vf_csrf` cookie.
165
165
  * The cookie is set automatically on HTML document responses.
166
166
  *
167
167
  * Server Actions (`/_veryfront/rsc/action`) are CSRF-protected;
@@ -1 +1 @@
1
- {"version":3,"file":"ssr-cache-manager.d.ts","sourceRoot":"","sources":["../../../../../src/src/modules/react-loader/ssr-module-loader/ssr-cache-manager.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAYlE,OAAO,KAAK,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAW3E;;;;;;;GAOG;AACH,qBAAa,eAAe;IAId,OAAO,CAAC,OAAO;IAH3B,OAAO,CAAC,EAAE,CAAsB;IAChC,OAAO,CAAC,gBAAgB,CAAqB;gBAEzB,OAAO,EAAE,sBAAsB;IAEnD,4DAA4D;IAC5D,aAAa,IAAI,MAAM;IAUvB,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;IAkB/B,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBlD,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK1E,yBAAyB,IAAI,OAAO;IAoB9B,kBAAkB,CACtB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,cAAc,GAAG,aAAa,EACtC,OAAO,EAAE;QAAE,eAAe,EAAE,OAAO,CAAC;QAAC,qBAAqB,EAAE,OAAO,CAAA;KAAE,GACpE,OAAO,CAAC,OAAO,CAAC;IAgCb,wBAAwB,CAC5B,WAAW,EAAE,gBAAgB,EAC7B,eAAe,EAAE,MAAM,EACvB,gBAAgB,EAAE,MAAM,EACxB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC;IAuBnB,4BAA4B,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,gBAAgB,GAAG,IAAI;IAOnF,oCAAoC,CAClC,eAAe,EAAE,MAAM,EACvB,gBAAgB,EAAE,MAAM,EACxB,UAAU,CAAC,EAAE,gBAAgB,GAC5B,IAAI;IAQP,wDAAwD;IACxD,KAAK,IAAI,UAAU,CAAC,OAAO,gBAAgB,CAAC;IAI5C,OAAO,CAAC,4BAA4B;YAItB,qBAAqB;YAsBrB,oBAAoB;YAoDpB,YAAY;CA2B3B"}
1
+ {"version":3,"file":"ssr-cache-manager.d.ts","sourceRoot":"","sources":["../../../../../src/src/modules/react-loader/ssr-module-loader/ssr-cache-manager.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAYlE,OAAO,KAAK,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAW3E;;;;;;;GAOG;AACH,qBAAa,eAAe;IAId,OAAO,CAAC,OAAO;IAH3B,OAAO,CAAC,EAAE,CAAsB;IAChC,OAAO,CAAC,gBAAgB,CAAqB;gBAEzB,OAAO,EAAE,sBAAsB;IAEnD,4DAA4D;IAC5D,aAAa,IAAI,MAAM;IAUvB,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;IAkB/B,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBlD,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK1E,yBAAyB,IAAI,OAAO;IAoB9B,kBAAkB,CACtB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,cAAc,GAAG,aAAa,EACtC,OAAO,EAAE;QAAE,eAAe,EAAE,OAAO,CAAC;QAAC,qBAAqB,EAAE,OAAO,CAAA;KAAE,GACpE,OAAO,CAAC,OAAO,CAAC;IAgCb,wBAAwB,CAC5B,WAAW,EAAE,gBAAgB,EAC7B,eAAe,EAAE,MAAM,EACvB,gBAAgB,EAAE,MAAM,EACxB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC;IAuBnB,4BAA4B,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,gBAAgB,GAAG,IAAI;IAOnF,oCAAoC,CAClC,eAAe,EAAE,MAAM,EACvB,gBAAgB,EAAE,MAAM,EACxB,UAAU,CAAC,EAAE,gBAAgB,GAC5B,IAAI;IAQP,wDAAwD;IACxD,KAAK,IAAI,UAAU,CAAC,OAAO,gBAAgB,CAAC;IAI5C,OAAO,CAAC,4BAA4B;YAItB,qBAAqB;YAsBrB,oBAAoB;YAuDpB,YAAY;CA2B3B"}
@@ -178,12 +178,13 @@ export class SSRCacheManager {
178
178
  }
179
179
  async hasMissingLocalPaths(code, filePath) {
180
180
  const allPaths = await extractAllFilePathsRecursive(code);
181
- let hasMissingPath = false;
182
- for (const path of allPaths) {
181
+ let firstMissingPathIndex = -1;
182
+ for (let index = 0; index < allPaths.length; index++) {
183
+ const path = allPaths[index];
183
184
  try {
184
185
  const stat = await this.fs.stat(path);
185
186
  if (!stat.isFile) {
186
- hasMissingPath = true;
187
+ firstMissingPathIndex = index;
187
188
  break;
188
189
  }
189
190
  }
@@ -193,12 +194,13 @@ export class SSRCacheManager {
193
194
  missingPath: path.slice(-60),
194
195
  error,
195
196
  });
196
- hasMissingPath = true;
197
+ firstMissingPathIndex = index;
197
198
  break;
198
199
  }
199
200
  }
200
- if (hasMissingPath &&
201
- this.options.projectId &&
201
+ if (firstMissingPathIndex === -1)
202
+ return false;
203
+ if (this.options.projectId &&
202
204
  this.options.contentSourceId) {
203
205
  const recovered = await ensureMdxModuleDependencies(code, {
204
206
  projectId: this.options.projectId,
@@ -212,7 +214,8 @@ export class SSRCacheManager {
212
214
  });
213
215
  }
214
216
  }
215
- for (const path of allPaths) {
217
+ for (let index = firstMissingPathIndex; index < allPaths.length; index++) {
218
+ const path = allPaths[index];
216
219
  try {
217
220
  const stat = await this.fs.stat(path);
218
221
  if (!stat.isFile)
@@ -1 +1 @@
1
- {"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../../src/src/security/csrf/helpers.ts"],"names":[],"mappings":"AAiBA,MAAM,WAAW,UAAU;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yGAAyG;IACzG,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,mFAAmF;IACnF,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wEAAwE;AACxE,wBAAgB,iBAAiB,CAAC,OAAO,CAAC,EAAE,gBAAgB,GAAG;IAC7D,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB,CAeA;AAmBD,yDAAyD;AACzD,wBAAgB,YAAY,CAC1B,GAAG,EAAE,OAAO,EACZ,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GACrD,OAAO,CAiBT;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,OAAO,EACZ,eAAe,EAAE,OAAO,EACxB,UAAU,CAAC,EAAE,OAAO,GAAG,UAAU,GAChC,IAAI,CAyCN"}
1
+ {"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../../src/src/security/csrf/helpers.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,UAAU;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yGAAyG;IACzG,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,mFAAmF;IACnF,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wEAAwE;AACxE,wBAAgB,iBAAiB,CAAC,OAAO,CAAC,EAAE,gBAAgB,GAAG;IAC7D,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB,CAeA;AAmBD,yDAAyD;AACzD,wBAAgB,YAAY,CAC1B,GAAG,EAAE,OAAO,EACZ,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GACrD,OAAO,CAiBT;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,OAAO,EACZ,eAAe,EAAE,OAAO,EACxB,UAAU,CAAC,EAAE,OAAO,GAAG,UAAU,GAChC,IAAI,CA0CN"}
@@ -11,12 +11,13 @@ import { base64urlEncodeBytes } from "../../utils/base64url.js";
11
11
  import { parseCookiesFromHeaders } from "../../utils/cookie-utils.js";
12
12
  /** Default CSRF token TTL: 24 hours (longer than session action TTL to avoid stale-form 403s). */
13
13
  const CSRF_DEFAULT_TTL_SEC = 86_400;
14
+ const DEFAULT_CSRF_COOKIE_NAME = "__Host-vf_csrf";
14
15
  /** Generate a CSRF token and return value + Set-Cookie header string */
15
16
  export function generateCsrfToken(options) {
16
- const cookieName = options?.cookieName ?? "vf_csrf";
17
+ const cookieName = options?.cookieName ?? DEFAULT_CSRF_COOKIE_NAME;
17
18
  const maxAge = options?.ttlSec ?? CSRF_DEFAULT_TTL_SEC;
18
19
  const httpOnly = options?.httpOnly ?? true;
19
- const secure = options?.secure ?? true;
20
+ const secure = cookieName.startsWith("__Host-") ? true : options?.secure ?? true;
20
21
  const bytes = new Uint8Array(32);
21
22
  dntShim.crypto.getRandomValues(bytes);
22
23
  const token = base64urlEncodeBytes(bytes);
@@ -44,7 +45,7 @@ function timingSafeEqual(a, b) {
44
45
  }
45
46
  /** Validate CSRF token by comparing header and cookie */
46
47
  export function validateCsrf(req, options) {
47
- const cookieName = options?.cookieName ?? "vf_csrf";
48
+ const cookieName = options?.cookieName ?? DEFAULT_CSRF_COOKIE_NAME;
48
49
  const headerName = options?.headerName ?? "x-csrf-token";
49
50
  let cookieToken;
50
51
  try {
@@ -83,7 +84,7 @@ export function applyCsrfCookie(req, responseHeaders, csrfConfig) {
83
84
  return;
84
85
  }
85
86
  const config = typeof csrfConfig === "boolean" ? {} : csrfConfig;
86
- const cookieName = config.cookieName ?? "vf_csrf";
87
+ const cookieName = config.cookieName ?? DEFAULT_CSRF_COOKIE_NAME;
87
88
  // Skip if cookie already present in request
88
89
  let cookies;
89
90
  try {
@@ -96,7 +97,8 @@ export function applyCsrfCookie(req, responseHeaders, csrfConfig) {
96
97
  if (cookies[cookieName])
97
98
  return;
98
99
  // Detect HTTPS from request URL or forwarded proto
99
- const isSecure = req.url.startsWith("https://") ||
100
+ const isSecure = cookieName.startsWith("__Host-") ||
101
+ req.url.startsWith("https://") ||
100
102
  req.headers.get("x-forwarded-proto") === "https";
101
103
  const { setCookie } = generateCsrfToken({
102
104
  cookieName,
@@ -10,7 +10,7 @@
10
10
  * are **not** exempt and require a valid CSRF token. Client-side code that calls
11
11
  * Server Actions must:
12
12
  *
13
- * 1. Read the `vf_csrf` cookie (set automatically on HTML responses)
13
+ * 1. Read the `__Host-vf_csrf` cookie (set automatically on HTML responses)
14
14
  * 2. Include it as the `x-csrf-token` request header on every POST
15
15
  *
16
16
  * Example (client-side fetch wrapper):
@@ -21,7 +21,7 @@
21
21
  *
22
22
  * const res = await fetch("/_veryfront/rsc/action", {
23
23
  * method: "POST",
24
- * headers: { "x-csrf-token": getCookie("vf_csrf") ?? "" },
24
+ * headers: { "x-csrf-token": getCookie("__Host-vf_csrf") ?? "" },
25
25
  * body: actionPayload,
26
26
  * });
27
27
  * ```
@@ -10,7 +10,7 @@
10
10
  * are **not** exempt and require a valid CSRF token. Client-side code that calls
11
11
  * Server Actions must:
12
12
  *
13
- * 1. Read the `vf_csrf` cookie (set automatically on HTML responses)
13
+ * 1. Read the `__Host-vf_csrf` cookie (set automatically on HTML responses)
14
14
  * 2. Include it as the `x-csrf-token` request header on every POST
15
15
  *
16
16
  * Example (client-side fetch wrapper):
@@ -21,7 +21,7 @@
21
21
  *
22
22
  * const res = await fetch("/_veryfront/rsc/action", {
23
23
  * method: "POST",
24
- * headers: { "x-csrf-token": getCookie("vf_csrf") ?? "" },
24
+ * headers: { "x-csrf-token": getCookie("__Host-vf_csrf") ?? "" },
25
25
  * body: actionPayload,
26
26
  * });
27
27
  * ```
@@ -1,3 +1,3 @@
1
1
  /** Shared version value. */
2
- export declare const VERSION = "0.1.749";
2
+ export declare const VERSION = "0.1.751";
3
3
  //# sourceMappingURL=version-constant.d.ts.map
@@ -1,4 +1,4 @@
1
1
  // Keep in sync with deno.json version.
2
2
  // scripts/release.ts updates this constant during releases.
3
3
  /** Shared version value. */
4
- export const VERSION = "0.1.749";
4
+ export const VERSION = "0.1.751";
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "veryfront",
3
- "version": "0.1.749",
3
+ "version": "0.1.751",
4
4
  "description": "The simplest way to build AI-powered apps",
5
5
  "keywords": [
6
6
  "react",