vinext 0.0.52 → 0.0.53

package/dist/server/api-handler.js

@@ -5,27 +5,35 @@ import { mergeRouteParamsIntoQuery, parseQueryString } from "../utils/query.js";
 import { importModule, reportRequestError } from "./instrumentation.js";
 import { PagesBodyParseError, getMediaType, isJsonMediaType } from "./pages-media-type.js";
 import { isEdgeApiRuntime } from "./edge-api-runtime.js";
+import { DEFAULT_PAGES_API_BODY_SIZE_LIMIT, resolveBodyParserConfig } from "./pages-body-parser-config.js";
+import { resolveRequestHost, resolveRequestProtocol } from "./proxy-trust.js";
 import { decode } from "node:querystring";
 import { Buffer } from "node:buffer";
 //#region src/server/api-handler.ts
 /**
-* Maximum request body size (1 MB). Matches Next.js default bodyParser sizeLimit.
+* Default request body size (1 MB). Matches Next.js default bodyParser sizeLimit.
 * @see https://nextjs.org/docs/pages/building-your-application/routing/api-routes#custom-config
 * Prevents denial-of-service via unbounded request body buffering.
 */
-const MAX_BODY_SIZE = 1 * 1024 * 1024;
+const MAX_BODY_SIZE = DEFAULT_PAGES_API_BODY_SIZE_LIMIT;
 /**
 * Parse the request body based on content-type.
 * Enforces a size limit to prevent memory exhaustion attacks.
+*
+* The `sizeLimit` argument honours `export const config = { api: { bodyParser:
+* { sizeLimit: '4mb' } } }` on the route module. To opt out of parsing
+* entirely (`bodyParser: false`), callers must skip this function so the
+* underlying readable stream stays intact on `req` (critical for webhook
+* HMAC signature verification).
 */
-async function parseBody(req) {
+async function parseBody(req, sizeLimit = MAX_BODY_SIZE) {
 	return new Promise((resolve, reject) => {
 		const chunks = [];
 		let totalSize = 0;
 		let settled = false;
 		req.on("data", (chunk) => {
 			totalSize += chunk.length;
-			if (totalSize > MAX_BODY_SIZE) {
+			if (totalSize > sizeLimit) {
 				settled = true;
 				req.destroy();
 				reject(new PagesBodyParseError("Request body too large", 413));
@@ -93,10 +101,9 @@ function createEdgeApiRequest(req, url) {
 	const headers = new Headers();
 	for (const [name, value] of Object.entries(req.headers)) if (Array.isArray(value)) for (const item of value) headers.append(name, item);
 	else if (value !== void 0) headers.set(name, value);
-	const rawProto = headers.get("x-forwarded-proto")?.split(",")[0]?.trim();
-	const forwardedProto = rawProto === "https" || rawProto === "http" ? rawProto : "http";
-	const host = headers.get("host") ?? "localhost";
-	const requestUrl = new URL(url, `${forwardedProto}://${host}`);
+	const proto = resolveRequestProtocol(req);
+	const host = resolveRequestHost(req, "localhost");
+	const requestUrl = new URL(url, `${proto}://${host}`);
 	const body = readEdgeRequestBody(req);
 	const init = {
 		headers,
@@ -226,7 +233,9 @@ async function handleApiRoute(runner, req, res, url, apiRoutes) {
 			res.end("API route does not export a default function");
 			return true;
 		}
-		const { apiReq, apiRes } = enhanceApiObjects(req, res, mergeRouteParamsIntoQuery(parseQueryString(url), params), await parseBody(req));
+		const query = mergeRouteParamsIntoQuery(parseQueryString(url), params);
+		const bodyParserConfig = resolveBodyParserConfig(apiModule.config);
+		const { apiReq, apiRes } = enhanceApiObjects(req, res, query, bodyParserConfig.enabled ? await parseBody(req, bodyParserConfig.sizeLimit) : void 0);
 		await handler(apiReq, apiRes);
 		return true;
 	} catch (e) {

package/dist/server/api-handler.js.map

@@ -1 +1 @@
-{"version":3,"file":"api-handler.js","names":["decodeQueryString"],"sources":["../../src/server/api-handler.ts"],"sourcesContent":["/**\n * API route handler for Pages Router (pages/api/*).\n *\n * Next.js API routes export a default handler function:\n *   export default function handler(req, res) { ... }\n *\n * The req/res objects are Node.js IncomingMessage/ServerResponse with\n * Next.js extensions: req.query, req.body, res.json(), res.status(), etc.\n */\nimport \"./server-globals.js\";\nimport type { IncomingMessage, ServerResponse } from \"node:http\";\nimport { decode as decodeQueryString } from \"node:querystring\";\nimport { Buffer } from \"node:buffer\";\nimport { type Route, matchRoute } from \"../routing/pages-router.js\";\nimport { reportRequestError, importModule, type ModuleImporter } from \"./instrumentation.js\";\nimport { mergeRouteParamsIntoQuery, parseQueryString } from \"../utils/query.js\";\nimport { PagesBodyParseError, getMediaType, isJsonMediaType } from \"./pages-media-type.js\";\nimport { isEdgeApiRuntime } from \"./edge-api-runtime.js\";\nimport { NextRequest } from \"vinext/shims/server\";\n\n/**\n * Extend the Node.js request with Next.js-style helpers.\n */\ntype NextApiRequest = {\n  query: Record<string, string | string[]>;\n  body: unknown;\n  cookies: Record<string, string>;\n} & IncomingMessage;\n\n/**\n * Extend the Node.js response with Next.js-style helpers.\n */\ntype NextApiResponse = {\n  status(code: number): NextApiResponse;\n  json(data: unknown): void;\n  send(data: unknown): void;\n  redirect(statusOrUrl: number | string, url?: string): void;\n} & ServerResponse;\n\ntype EdgeApiRouteModule = {\n  /**\n   * `export const config = { runtime: 'edge' }` — historical Pages Router form.\n   */\n  config?: {\n    runtime?: string;\n  };\n  /**\n   * `export const runtime = 'edge'` — bare export form. Next.js resolves the\n   * effective runtime as `config.runtime ?? config.config?.runtime`, so a\n   * top-level `runtime` export takes precedence over the nested config form.\n   */\n  runtime?: string;\n  default: (request: Request) => Response | Promise<Response>;\n};\n\n/**\n * Maximum request body size (1 MB). Matches Next.js default bodyParser sizeLimit.\n * @see https://nextjs.org/docs/pages/building-your-application/routing/api-routes#custom-config\n * Prevents denial-of-service via unbounded request body buffering.\n */\nconst MAX_BODY_SIZE = 1 * 1024 * 1024;\n\n/**\n * Parse the request body based on content-type.\n * Enforces a size limit to prevent memory exhaustion attacks.\n */\nasync function parseBody(req: IncomingMessage): Promise<unknown> {\n  return new Promise((resolve, reject) => {\n    const chunks: Buffer[] = [];\n    let totalSize = 0;\n    let settled = false;\n    req.on(\"data\", (chunk: Buffer) => {\n      totalSize += chunk.length;\n      if (totalSize > MAX_BODY_SIZE) {\n        settled = true;\n        req.destroy();\n        reject(new PagesBodyParseError(\"Request body too large\", 413));\n        return;\n      }\n      chunks.push(chunk);\n    });\n    req.on(\"error\", (err) => {\n      if (!settled) {\n        settled = true;\n        reject(err);\n      }\n    });\n    req.on(\"end\", () => {\n      if (settled) return;\n      settled = true;\n      const raw = Buffer.concat(chunks).toString(\"utf-8\");\n      const mediaType = getMediaType(req.headers[\"content-type\"]);\n      if (!raw) {\n        resolve(\n          isJsonMediaType(mediaType)\n            ? {}\n            : mediaType === \"application/x-www-form-urlencoded\"\n              ? decodeQueryString(raw)\n              : undefined,\n        );\n        return;\n      }\n      if (isJsonMediaType(mediaType)) {\n        try {\n          resolve(JSON.parse(raw));\n        } catch {\n          reject(new PagesBodyParseError(\"Invalid JSON\", 400));\n        }\n      } else if (mediaType === \"application/x-www-form-urlencoded\") {\n        resolve(decodeQueryString(raw));\n      } else {\n        resolve(raw);\n      }\n    });\n  });\n}\n\n/**\n * Parse cookies from the Cookie header.\n */\nfunction parseCookies(req: IncomingMessage): Record<string, string> {\n  const header = req.headers.cookie ?? \"\";\n  const cookies: Record<string, string> = {};\n  for (const part of header.split(\";\")) {\n    const [key, ...rest] = part.split(\"=\");\n    if (key) {\n      cookies[key.trim()] = rest.join(\"=\").trim();\n    }\n  }\n  return cookies;\n}\n\nfunction isEdgeApiRouteModule(module: Record<string, unknown>): module is EdgeApiRouteModule {\n  if (typeof module.default !== \"function\") return false;\n  // Bare `export const runtime = 'edge'` takes precedence over the nested config\n  // form, matching Next.js (`config.runtime ?? config.config?.runtime` in\n  // packages/next/src/build/analysis/get-page-static-info.ts).\n  const bare = module.runtime;\n  if (typeof bare === \"string\") return isEdgeApiRuntime(bare);\n  const config = module.config;\n  if (!config || typeof config !== \"object\") return false;\n  const runtime = \"runtime\" in config ? (config as { runtime?: unknown }).runtime : undefined;\n  return typeof runtime === \"string\" && isEdgeApiRuntime(runtime);\n}\n\nfunction readEdgeRequestBody(req: IncomingMessage): ReadableStream<Uint8Array> | undefined {\n  if (req.method === \"GET\" || req.method === \"HEAD\") return undefined;\n  return new ReadableStream<Uint8Array>({\n    start(controller) {\n      req.on(\"data\", (chunk: Buffer | string) => {\n        controller.enqueue(typeof chunk === \"string\" ? Buffer.from(chunk) : new Uint8Array(chunk));\n      });\n      req.on(\"end\", () => controller.close());\n      req.on(\"error\", (error) => controller.error(error));\n    },\n  });\n}\n\nfunction createEdgeApiRequest(req: IncomingMessage, url: string): Request {\n  const headers = new Headers();\n  for (const [name, value] of Object.entries(req.headers)) {\n    if (Array.isArray(value)) {\n      for (const item of value) headers.append(name, item);\n    } else if (value !== undefined) {\n      headers.set(name, value);\n    }\n  }\n\n  const rawProto = headers.get(\"x-forwarded-proto\")?.split(\",\")[0]?.trim();\n  const forwardedProto = rawProto === \"https\" || rawProto === \"http\" ? rawProto : \"http\";\n  const host = headers.get(\"host\") ?? \"localhost\";\n  const requestUrl = new URL(url, `${forwardedProto}://${host}`);\n  const body = readEdgeRequestBody(req);\n\n  const init: RequestInit & { duplex?: \"half\" } = {\n    headers,\n    method: req.method,\n  };\n\n  if (body) {\n    init.body = body;\n    init.duplex = \"half\";\n  }\n\n  return new Request(requestUrl, init);\n}\n\nfunction waitForWritableDrain(res: ServerResponse): Promise<void> {\n  return new Promise((resolve, reject) => {\n    const cleanup = () => {\n      res.off(\"drain\", onDrain);\n      res.off(\"error\", onError);\n      res.off(\"close\", onClose);\n    };\n    const onDrain = () => {\n      cleanup();\n      resolve();\n    };\n    const onError = (error: Error) => {\n      cleanup();\n      reject(error);\n    };\n    const onClose = () => {\n      cleanup();\n      reject(new Error(\"Response closed before writable drain\"));\n    };\n    res.once(\"drain\", onDrain);\n    res.once(\"error\", onError);\n    res.once(\"close\", onClose);\n  });\n}\n\nasync function writeEdgeApiResponseBody(\n  res: ServerResponse,\n  body: ReadableStream<Uint8Array> | null,\n): Promise<void> {\n  if (!body) {\n    res.end();\n    return;\n  }\n\n  const reader = body.getReader();\n  try {\n    while (true) {\n      const result = await reader.read();\n      if (result.done) break;\n      if (result.value.byteLength === 0) continue;\n      if (!res.write(Buffer.from(result.value))) {\n        await waitForWritableDrain(res);\n      }\n    }\n    res.end();\n  } catch (error) {\n    res.destroy(error instanceof Error ? error : new Error(String(error)));\n    throw error;\n  } finally {\n    reader.releaseLock();\n  }\n}\n\n/**\n * Enhance a Node.js req/res pair with Next.js API route helpers.\n */\nfunction enhanceApiObjects(\n  req: IncomingMessage,\n  res: ServerResponse,\n  query: Record<string, string | string[]>,\n  body: unknown,\n): { apiReq: NextApiRequest; apiRes: NextApiResponse } {\n  const apiReq: NextApiRequest = Object.assign(req, {\n    body,\n    cookies: parseCookies(req),\n    query,\n  });\n\n  const apiRes: NextApiResponse = Object.assign(res, {\n    status(this: NextApiResponse, code: number) {\n      this.statusCode = code;\n      return this;\n    },\n\n    json(this: NextApiResponse, data: unknown) {\n      this.setHeader(\"Content-Type\", \"application/json\");\n      this.end(JSON.stringify(data));\n    },\n\n    send(this: NextApiResponse, data: unknown) {\n      if (Buffer.isBuffer(data)) {\n        if (!this.getHeader(\"Content-Type\")) {\n          this.setHeader(\"Content-Type\", \"application/octet-stream\");\n        }\n        this.setHeader(\"Content-Length\", String(data.length));\n        this.end(data);\n        return;\n      }\n\n      if (typeof data === \"object\" && data !== null) {\n        this.setHeader(\"Content-Type\", \"application/json\");\n        this.end(JSON.stringify(data));\n      } else {\n        if (!this.getHeader(\"Content-Type\")) {\n          this.setHeader(\"Content-Type\", \"text/plain\");\n        }\n        this.end(String(data));\n      }\n    },\n\n    redirect(this: NextApiResponse, statusOrUrl: number | string, url?: string) {\n      if (typeof statusOrUrl === \"string\") {\n        this.writeHead(307, { Location: statusOrUrl });\n      } else {\n        this.writeHead(statusOrUrl, { Location: url ?? \"\" });\n      }\n      this.end();\n    },\n  });\n\n  return { apiReq, apiRes };\n}\n\n/**\n * Handle an API route request.\n * Returns true if the request was handled, false if no API route matched.\n */\nexport async function handleApiRoute(\n  runner: ModuleImporter,\n  req: IncomingMessage,\n  res: ServerResponse,\n  url: string,\n  apiRoutes: Route[],\n): Promise<boolean> {\n  const match = matchRoute(url, apiRoutes);\n  if (!match) return false;\n\n  const { route, params } = match;\n\n  try {\n    // Load the API route module through the ModuleRunner\n    const apiModule = await importModule(runner, route.filePath);\n    if (isEdgeApiRouteModule(apiModule)) {\n      // Next.js wraps the incoming Request in a NextRequest before invoking\n      // edge API handlers, so handlers can use `req.nextUrl.searchParams`,\n      // `req.cookies`, etc. (Cf. NextRequestHint in next/src/server/web/adapter.ts.)\n      const nextRequest = new NextRequest(createEdgeApiRequest(req, url));\n      const response = await apiModule.default(nextRequest);\n      if (!(response instanceof Response)) {\n        throw new Error(\"Edge API route did not return a Response\");\n      }\n\n      res.statusCode = response.status;\n      res.statusMessage = response.statusText;\n      const setCookieHeaders = response.headers.getSetCookie();\n      response.headers.forEach((value, name) => {\n        if (name !== \"set-cookie\") res.setHeader(name, value);\n      });\n      if (setCookieHeaders.length) {\n        res.setHeader(\"set-cookie\", setCookieHeaders);\n      }\n      await writeEdgeApiResponseBody(res, response.body);\n      return true;\n    }\n\n    const handler = apiModule.default;\n    if (typeof handler !== \"function\") {\n      console.error(`[vinext] API route ${route.filePath} does not export a default function`);\n      res.statusCode = 500;\n      res.end(\"API route does not export a default function\");\n      return true;\n    }\n\n    // Parse query from URL + route params. Path params win over same-key search\n    // params so a query string cannot change the dynamic route value.\n    const query = mergeRouteParamsIntoQuery(parseQueryString(url), params);\n\n    // Parse body\n    const body = await parseBody(req);\n\n    // Enhance req/res with Next.js helpers\n    const { apiReq, apiRes } = enhanceApiObjects(req, res, query, body);\n\n    // Call the handler\n    await handler(apiReq, apiRes);\n    return true;\n  } catch (e) {\n    if (e instanceof PagesBodyParseError) {\n      res.statusCode = e.statusCode;\n      res.statusMessage = e.message;\n      res.end(e.message);\n      return true;\n    }\n\n    // ssrFixStacktrace() is specific to ssrLoadModule and is not applicable\n    // when using ModuleRunner — no stack trace fixup is needed here.\n    console.error(e);\n    void reportRequestError(\n      e instanceof Error ? e : new Error(String(e)),\n      {\n        path: url,\n        method: req.method ?? \"GET\",\n        headers: Object.fromEntries(\n          Object.entries(req.headers).map(([k, v]) => [\n            k,\n            Array.isArray(v) ? v.join(\", \") : String(v ?? \"\"),\n          ]),\n        ),\n      },\n      { routerKind: \"Pages Router\", routePath: match.route.pattern, routeType: \"route\" },\n    );\n    if (!res.headersSent) {\n      res.statusCode = 500;\n      res.end(\"Internal Server Error\");\n    } else if (!res.writableEnded) {\n      res.end();\n    }\n    return true;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;AA4DA,MAAM,gBAAgB,IAAI,OAAO;;;;;AAMjC,eAAe,UAAU,KAAwC;CAC/D,OAAO,IAAI,SAAS,SAAS,WAAW;EACtC,MAAM,SAAmB,EAAE;EAC3B,IAAI,YAAY;EAChB,IAAI,UAAU;EACd,IAAI,GAAG,SAAS,UAAkB;GAChC,aAAa,MAAM;GACnB,IAAI,YAAY,eAAe;IAC7B,UAAU;IACV,IAAI,SAAS;IACb,OAAO,IAAI,oBAAoB,0BAA0B,IAAI,CAAC;IAC9D;;GAEF,OAAO,KAAK,MAAM;IAClB;EACF,IAAI,GAAG,UAAU,QAAQ;GACvB,IAAI,CAAC,SAAS;IACZ,UAAU;IACV,OAAO,IAAI;;IAEb;EACF,IAAI,GAAG,aAAa;GAClB,IAAI,SAAS;GACb,UAAU;GACV,MAAM,MAAM,OAAO,OAAO,OAAO,CAAC,SAAS,QAAQ;GACnD,MAAM,YAAY,aAAa,IAAI,QAAQ,gBAAgB;GAC3D,IAAI,CAAC,KAAK;IACR,QACE,gBAAgB,UAAU,GACtB,EAAE,GACF,cAAc,sCACZA,OAAkB,IAAI,GACtB,KAAA,EACP;IACD;;GAEF,IAAI,gBAAgB,UAAU,EAC5B,IAAI;IACF,QAAQ,KAAK,MAAM,IAAI,CAAC;WAClB;IACN,OAAO,IAAI,oBAAoB,gBAAgB,IAAI,CAAC;;QAEjD,IAAI,cAAc,qCACvB,QAAQA,OAAkB,IAAI,CAAC;QAE/B,QAAQ,IAAI;IAEd;GACF;;;;;AAMJ,SAAS,aAAa,KAA8C;CAClE,MAAM,SAAS,IAAI,QAAQ,UAAU;CACrC,MAAM,UAAkC,EAAE;CAC1C,KAAK,MAAM,QAAQ,OAAO,MAAM,IAAI,EAAE;EACpC,MAAM,CAAC,KAAK,GAAG,QAAQ,KAAK,MAAM,IAAI;EACtC,IAAI,KACF,QAAQ,IAAI,MAAM,IAAI,KAAK,KAAK,IAAI,CAAC,MAAM;;CAG/C,OAAO;;AAGT,SAAS,qBAAqB,QAA+D;CAC3F,IAAI,OAAO,OAAO,YAAY,YAAY,OAAO;CAIjD,MAAM,OAAO,OAAO;CACpB,IAAI,OAAO,SAAS,UAAU,OAAO,iBAAiB,KAAK;CAC3D,MAAM,SAAS,OAAO;CACtB,IAAI,CAAC,UAAU,OAAO,WAAW,UAAU,OAAO;CAClD,MAAM,UAAU,aAAa,SAAU,OAAiC,UAAU,KAAA;CAClF,OAAO,OAAO,YAAY,YAAY,iBAAiB,QAAQ;;AAGjE,SAAS,oBAAoB,KAA8D;CACzF,IAAI,IAAI,WAAW,SAAS,IAAI,WAAW,QAAQ,OAAO,KAAA;CAC1D,OAAO,IAAI,eAA2B,EACpC,MAAM,YAAY;EAChB,IAAI,GAAG,SAAS,UAA2B;GACzC,WAAW,QAAQ,OAAO,UAAU,WAAW,OAAO,KAAK,MAAM,GAAG,IAAI,WAAW,MAAM,CAAC;IAC1F;EACF,IAAI,GAAG,aAAa,WAAW,OAAO,CAAC;EACvC,IAAI,GAAG,UAAU,UAAU,WAAW,MAAM,MAAM,CAAC;IAEtD,CAAC;;AAGJ,SAAS,qBAAqB,KAAsB,KAAsB;CACxE,MAAM,UAAU,IAAI,SAAS;CAC7B,KAAK,MAAM,CAAC,MAAM,UAAU,OAAO,QAAQ,IAAI,QAAQ,EACrD,IAAI,MAAM,QAAQ,MAAM,EACtB,KAAK,MAAM,QAAQ,OAAO,QAAQ,OAAO,MAAM,KAAK;MAC/C,IAAI,UAAU,KAAA,GACnB,QAAQ,IAAI,MAAM,MAAM;CAI5B,MAAM,WAAW,QAAQ,IAAI,oBAAoB,EAAE,MAAM,IAAI,CAAC,IAAI,MAAM;CACxE,MAAM,iBAAiB,aAAa,WAAW,aAAa,SAAS,WAAW;CAChF,MAAM,OAAO,QAAQ,IAAI,OAAO,IAAI;CACpC,MAAM,aAAa,IAAI,IAAI,KAAK,GAAG,eAAe,KAAK,OAAO;CAC9D,MAAM,OAAO,oBAAoB,IAAI;CAErC,MAAM,OAA0C;EAC9C;EACA,QAAQ,IAAI;EACb;CAED,IAAI,MAAM;EACR,KAAK,OAAO;EACZ,KAAK,SAAS;;CAGhB,OAAO,IAAI,QAAQ,YAAY,KAAK;;AAGtC,SAAS,qBAAqB,KAAoC;CAChE,OAAO,IAAI,SAAS,SAAS,WAAW;EACtC,MAAM,gBAAgB;GACpB,IAAI,IAAI,SAAS,QAAQ;GACzB,IAAI,IAAI,SAAS,QAAQ;GACzB,IAAI,IAAI,SAAS,QAAQ;;EAE3B,MAAM,gBAAgB;GACpB,SAAS;GACT,SAAS;;EAEX,MAAM,WAAW,UAAiB;GAChC,SAAS;GACT,OAAO,MAAM;;EAEf,MAAM,gBAAgB;GACpB,SAAS;GACT,uBAAO,IAAI,MAAM,wCAAwC,CAAC;;EAE5D,IAAI,KAAK,SAAS,QAAQ;EAC1B,IAAI,KAAK,SAAS,QAAQ;EAC1B,IAAI,KAAK,SAAS,QAAQ;GAC1B;;AAGJ,eAAe,yBACb,KACA,MACe;CACf,IAAI,CAAC,MAAM;EACT,IAAI,KAAK;EACT;;CAGF,MAAM,SAAS,KAAK,WAAW;CAC/B,IAAI;EACF,OAAO,MAAM;GACX,MAAM,SAAS,MAAM,OAAO,MAAM;GAClC,IAAI,OAAO,MAAM;GACjB,IAAI,OAAO,MAAM,eAAe,GAAG;GACnC,IAAI,CAAC,IAAI,MAAM,OAAO,KAAK,OAAO,MAAM,CAAC,EACvC,MAAM,qBAAqB,IAAI;;EAGnC,IAAI,KAAK;UACF,OAAO;EACd,IAAI,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,MAAM,CAAC,CAAC;EACtE,MAAM;WACE;EACR,OAAO,aAAa;;;;;;AAOxB,SAAS,kBACP,KACA,KACA,OACA,MACqD;CAiDrD,OAAO;EAAE,QAhDsB,OAAO,OAAO,KAAK;GAChD;GACA,SAAS,aAAa,IAAI;GAC1B;GACD,CA4Cc;EAAE,QA1Ce,OAAO,OAAO,KAAK;GACjD,OAA8B,MAAc;IAC1C,KAAK,aAAa;IAClB,OAAO;;GAGT,KAA4B,MAAe;IACzC,KAAK,UAAU,gBAAgB,mBAAmB;IAClD,KAAK,IAAI,KAAK,UAAU,KAAK,CAAC;;GAGhC,KAA4B,MAAe;IACzC,IAAI,OAAO,SAAS,KAAK,EAAE;KACzB,IAAI,CAAC,KAAK,UAAU,eAAe,EACjC,KAAK,UAAU,gBAAgB,2BAA2B;KAE5D,KAAK,UAAU,kBAAkB,OAAO,KAAK,OAAO,CAAC;KACrD,KAAK,IAAI,KAAK;KACd;;IAGF,IAAI,OAAO,SAAS,YAAY,SAAS,MAAM;KAC7C,KAAK,UAAU,gBAAgB,mBAAmB;KAClD,KAAK,IAAI,KAAK,UAAU,KAAK,CAAC;WACzB;KACL,IAAI,CAAC,KAAK,UAAU,eAAe,EACjC,KAAK,UAAU,gBAAgB,aAAa;KAE9C,KAAK,IAAI,OAAO,KAAK,CAAC;;;GAI1B,SAAgC,aAA8B,KAAc;IAC1E,IAAI,OAAO,gBAAgB,UACzB,KAAK,UAAU,KAAK,EAAE,UAAU,aAAa,CAAC;SAE9C,KAAK,UAAU,aAAa,EAAE,UAAU,OAAO,IAAI,CAAC;IAEtD,KAAK,KAAK;;GAEb,CAEsB;EAAE;;;;;;AAO3B,eAAsB,eACpB,QACA,KACA,KACA,KACA,WACkB;CAClB,MAAM,QAAQ,WAAW,KAAK,UAAU;CACxC,IAAI,CAAC,OAAO,OAAO;CAEnB,MAAM,EAAE,OAAO,WAAW;CAE1B,IAAI;EAEF,MAAM,YAAY,MAAM,aAAa,QAAQ,MAAM,SAAS;EAC5D,IAAI,qBAAqB,UAAU,EAAE;GAInC,MAAM,cAAc,IAAI,YAAY,qBAAqB,KAAK,IAAI,CAAC;GACnE,MAAM,WAAW,MAAM,UAAU,QAAQ,YAAY;GACrD,IAAI,EAAE,oBAAoB,WACxB,MAAM,IAAI,MAAM,2CAA2C;GAG7D,IAAI,aAAa,SAAS;GAC1B,IAAI,gBAAgB,SAAS;GAC7B,MAAM,mBAAmB,SAAS,QAAQ,cAAc;GACxD,SAAS,QAAQ,SAAS,OAAO,SAAS;IACxC,IAAI,SAAS,cAAc,IAAI,UAAU,MAAM,MAAM;KACrD;GACF,IAAI,iBAAiB,QACnB,IAAI,UAAU,cAAc,iBAAiB;GAE/C,MAAM,yBAAyB,KAAK,SAAS,KAAK;GAClD,OAAO;;EAGT,MAAM,UAAU,UAAU;EAC1B,IAAI,OAAO,YAAY,YAAY;GACjC,QAAQ,MAAM,sBAAsB,MAAM,SAAS,qCAAqC;GACxF,IAAI,aAAa;GACjB,IAAI,IAAI,+CAA+C;GACvD,OAAO;;EAWT,MAAM,EAAE,QAAQ,WAAW,kBAAkB,KAAK,KANpC,0BAA0B,iBAAiB,IAAI,EAAE,OAMH,EAAE,MAH3C,UAAU,IAAI,CAGkC;EAGnE,MAAM,QAAQ,QAAQ,OAAO;EAC7B,OAAO;UACA,GAAG;EACV,IAAI,aAAa,qBAAqB;GACpC,IAAI,aAAa,EAAE;GACnB,IAAI,gBAAgB,EAAE;GACtB,IAAI,IAAI,EAAE,QAAQ;GAClB,OAAO;;EAKT,QAAQ,MAAM,EAAE;EAChB,mBACE,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO,EAAE,CAAC,EAC7C;GACE,MAAM;GACN,QAAQ,IAAI,UAAU;GACtB,SAAS,OAAO,YACd,OAAO,QAAQ,IAAI,QAAQ,CAAC,KAAK,CAAC,GAAG,OAAO,CAC1C,GACA,MAAM,QAAQ,EAAE,GAAG,EAAE,KAAK,KAAK,GAAG,OAAO,KAAK,GAAG,CAClD,CAAC,CACH;GACF,EACD;GAAE,YAAY;GAAgB,WAAW,MAAM,MAAM;GAAS,WAAW;GAAS,CACnF;EACD,IAAI,CAAC,IAAI,aAAa;GACpB,IAAI,aAAa;GACjB,IAAI,IAAI,wBAAwB;SAC3B,IAAI,CAAC,IAAI,eACd,IAAI,KAAK;EAEX,OAAO"}
+{"version":3,"file":"api-handler.js","names":["decodeQueryString"],"sources":["../../src/server/api-handler.ts"],"sourcesContent":["/**\n * API route handler for Pages Router (pages/api/*).\n *\n * Next.js API routes export a default handler function:\n *   export default function handler(req, res) { ... }\n *\n * The req/res objects are Node.js IncomingMessage/ServerResponse with\n * Next.js extensions: req.query, req.body, res.json(), res.status(), etc.\n */\nimport \"./server-globals.js\";\nimport type { IncomingMessage, ServerResponse } from \"node:http\";\nimport { decode as decodeQueryString } from \"node:querystring\";\nimport { Buffer } from \"node:buffer\";\nimport { type Route, matchRoute } from \"../routing/pages-router.js\";\nimport { reportRequestError, importModule, type ModuleImporter } from \"./instrumentation.js\";\nimport { mergeRouteParamsIntoQuery, parseQueryString } from \"../utils/query.js\";\nimport { PagesBodyParseError, getMediaType, isJsonMediaType } from \"./pages-media-type.js\";\nimport { isEdgeApiRuntime } from \"./edge-api-runtime.js\";\nimport {\n  DEFAULT_PAGES_API_BODY_SIZE_LIMIT,\n  resolveBodyParserConfig,\n} from \"./pages-body-parser-config.js\";\nimport { resolveRequestProtocol, resolveRequestHost } from \"./proxy-trust.js\";\nimport { NextRequest } from \"vinext/shims/server\";\n\n/**\n * Extend the Node.js request with Next.js-style helpers.\n */\ntype NextApiRequest = {\n  query: Record<string, string | string[]>;\n  body: unknown;\n  cookies: Record<string, string>;\n} & IncomingMessage;\n\n/**\n * Extend the Node.js response with Next.js-style helpers.\n */\ntype NextApiResponse = {\n  status(code: number): NextApiResponse;\n  json(data: unknown): void;\n  send(data: unknown): void;\n  redirect(statusOrUrl: number | string, url?: string): void;\n} & ServerResponse;\n\ntype EdgeApiRouteModule = {\n  /**\n   * `export const config = { runtime: 'edge' }` — historical Pages Router form.\n   */\n  config?: {\n    runtime?: string;\n  };\n  /**\n   * `export const runtime = 'edge'` — bare export form. Next.js resolves the\n   * effective runtime as `config.runtime ?? config.config?.runtime`, so a\n   * top-level `runtime` export takes precedence over the nested config form.\n   */\n  runtime?: string;\n  default: (request: Request) => Response | Promise<Response>;\n};\n\n/**\n * Default request body size (1 MB). Matches Next.js default bodyParser sizeLimit.\n * @see https://nextjs.org/docs/pages/building-your-application/routing/api-routes#custom-config\n * Prevents denial-of-service via unbounded request body buffering.\n */\nconst MAX_BODY_SIZE = DEFAULT_PAGES_API_BODY_SIZE_LIMIT;\n\n/**\n * Parse the request body based on content-type.\n * Enforces a size limit to prevent memory exhaustion attacks.\n *\n * The `sizeLimit` argument honours `export const config = { api: { bodyParser:\n * { sizeLimit: '4mb' } } }` on the route module. To opt out of parsing\n * entirely (`bodyParser: false`), callers must skip this function so the\n * underlying readable stream stays intact on `req` (critical for webhook\n * HMAC signature verification).\n */\nasync function parseBody(\n  req: IncomingMessage,\n  sizeLimit: number = MAX_BODY_SIZE,\n): Promise<unknown> {\n  return new Promise((resolve, reject) => {\n    const chunks: Buffer[] = [];\n    let totalSize = 0;\n    let settled = false;\n    req.on(\"data\", (chunk: Buffer) => {\n      totalSize += chunk.length;\n      if (totalSize > sizeLimit) {\n        settled = true;\n        req.destroy();\n        reject(new PagesBodyParseError(\"Request body too large\", 413));\n        return;\n      }\n      chunks.push(chunk);\n    });\n    req.on(\"error\", (err) => {\n      if (!settled) {\n        settled = true;\n        reject(err);\n      }\n    });\n    req.on(\"end\", () => {\n      if (settled) return;\n      settled = true;\n      const raw = Buffer.concat(chunks).toString(\"utf-8\");\n      const mediaType = getMediaType(req.headers[\"content-type\"]);\n      if (!raw) {\n        resolve(\n          isJsonMediaType(mediaType)\n            ? {}\n            : mediaType === \"application/x-www-form-urlencoded\"\n              ? decodeQueryString(raw)\n              : undefined,\n        );\n        return;\n      }\n      if (isJsonMediaType(mediaType)) {\n        try {\n          resolve(JSON.parse(raw));\n        } catch {\n          reject(new PagesBodyParseError(\"Invalid JSON\", 400));\n        }\n      } else if (mediaType === \"application/x-www-form-urlencoded\") {\n        resolve(decodeQueryString(raw));\n      } else {\n        resolve(raw);\n      }\n    });\n  });\n}\n\n/**\n * Parse cookies from the Cookie header.\n */\nfunction parseCookies(req: IncomingMessage): Record<string, string> {\n  const header = req.headers.cookie ?? \"\";\n  const cookies: Record<string, string> = {};\n  for (const part of header.split(\";\")) {\n    const [key, ...rest] = part.split(\"=\");\n    if (key) {\n      cookies[key.trim()] = rest.join(\"=\").trim();\n    }\n  }\n  return cookies;\n}\n\nfunction isEdgeApiRouteModule(module: Record<string, unknown>): module is EdgeApiRouteModule {\n  if (typeof module.default !== \"function\") return false;\n  // Bare `export const runtime = 'edge'` takes precedence over the nested config\n  // form, matching Next.js (`config.runtime ?? config.config?.runtime` in\n  // packages/next/src/build/analysis/get-page-static-info.ts).\n  const bare = module.runtime;\n  if (typeof bare === \"string\") return isEdgeApiRuntime(bare);\n  const config = module.config;\n  if (!config || typeof config !== \"object\") return false;\n  const runtime = \"runtime\" in config ? (config as { runtime?: unknown }).runtime : undefined;\n  return typeof runtime === \"string\" && isEdgeApiRuntime(runtime);\n}\n\nfunction readEdgeRequestBody(req: IncomingMessage): ReadableStream<Uint8Array> | undefined {\n  if (req.method === \"GET\" || req.method === \"HEAD\") return undefined;\n  return new ReadableStream<Uint8Array>({\n    start(controller) {\n      req.on(\"data\", (chunk: Buffer | string) => {\n        controller.enqueue(typeof chunk === \"string\" ? Buffer.from(chunk) : new Uint8Array(chunk));\n      });\n      req.on(\"end\", () => controller.close());\n      req.on(\"error\", (error) => controller.error(error));\n    },\n  });\n}\n\nfunction createEdgeApiRequest(req: IncomingMessage, url: string): Request {\n  const headers = new Headers();\n  for (const [name, value] of Object.entries(req.headers)) {\n    if (Array.isArray(value)) {\n      for (const item of value) headers.append(name, item);\n    } else if (value !== undefined) {\n      headers.set(name, value);\n    }\n  }\n\n  // Honor `X-Forwarded-Proto` / `X-Forwarded-Host` only when running behind\n  // a trusted proxy (gated on `VINEXT_TRUST_PROXY` / `VINEXT_TRUSTED_HOSTS`).\n  // Without this gate a client could send `X-Forwarded-Proto: https` and\n  // trick edge API handlers that check `request.url.startsWith(\"https\")`\n  // (e.g. to gate Secure-cookie issuance) into believing the request was\n  // TLS-terminated. See: Finding F-PROD-7 in SECURITY-AUDIT-2026-05.md.\n  const proto = resolveRequestProtocol(req);\n  const host = resolveRequestHost(req, \"localhost\");\n  const requestUrl = new URL(url, `${proto}://${host}`);\n  const body = readEdgeRequestBody(req);\n\n  const init: RequestInit & { duplex?: \"half\" } = {\n    headers,\n    method: req.method,\n  };\n\n  if (body) {\n    init.body = body;\n    init.duplex = \"half\";\n  }\n\n  return new Request(requestUrl, init);\n}\n\nfunction waitForWritableDrain(res: ServerResponse): Promise<void> {\n  return new Promise((resolve, reject) => {\n    const cleanup = () => {\n      res.off(\"drain\", onDrain);\n      res.off(\"error\", onError);\n      res.off(\"close\", onClose);\n    };\n    const onDrain = () => {\n      cleanup();\n      resolve();\n    };\n    const onError = (error: Error) => {\n      cleanup();\n      reject(error);\n    };\n    const onClose = () => {\n      cleanup();\n      reject(new Error(\"Response closed before writable drain\"));\n    };\n    res.once(\"drain\", onDrain);\n    res.once(\"error\", onError);\n    res.once(\"close\", onClose);\n  });\n}\n\nasync function writeEdgeApiResponseBody(\n  res: ServerResponse,\n  body: ReadableStream<Uint8Array> | null,\n): Promise<void> {\n  if (!body) {\n    res.end();\n    return;\n  }\n\n  const reader = body.getReader();\n  try {\n    while (true) {\n      const result = await reader.read();\n      if (result.done) break;\n      if (result.value.byteLength === 0) continue;\n      if (!res.write(Buffer.from(result.value))) {\n        await waitForWritableDrain(res);\n      }\n    }\n    res.end();\n  } catch (error) {\n    res.destroy(error instanceof Error ? error : new Error(String(error)));\n    throw error;\n  } finally {\n    reader.releaseLock();\n  }\n}\n\n/**\n * Enhance a Node.js req/res pair with Next.js API route helpers.\n */\nfunction enhanceApiObjects(\n  req: IncomingMessage,\n  res: ServerResponse,\n  query: Record<string, string | string[]>,\n  body: unknown,\n): { apiReq: NextApiRequest; apiRes: NextApiResponse } {\n  const apiReq: NextApiRequest = Object.assign(req, {\n    body,\n    cookies: parseCookies(req),\n    query,\n  });\n\n  const apiRes: NextApiResponse = Object.assign(res, {\n    status(this: NextApiResponse, code: number) {\n      this.statusCode = code;\n      return this;\n    },\n\n    json(this: NextApiResponse, data: unknown) {\n      this.setHeader(\"Content-Type\", \"application/json\");\n      this.end(JSON.stringify(data));\n    },\n\n    send(this: NextApiResponse, data: unknown) {\n      if (Buffer.isBuffer(data)) {\n        if (!this.getHeader(\"Content-Type\")) {\n          this.setHeader(\"Content-Type\", \"application/octet-stream\");\n        }\n        this.setHeader(\"Content-Length\", String(data.length));\n        this.end(data);\n        return;\n      }\n\n      if (typeof data === \"object\" && data !== null) {\n        this.setHeader(\"Content-Type\", \"application/json\");\n        this.end(JSON.stringify(data));\n      } else {\n        if (!this.getHeader(\"Content-Type\")) {\n          this.setHeader(\"Content-Type\", \"text/plain\");\n        }\n        this.end(String(data));\n      }\n    },\n\n    redirect(this: NextApiResponse, statusOrUrl: number | string, url?: string) {\n      if (typeof statusOrUrl === \"string\") {\n        this.writeHead(307, { Location: statusOrUrl });\n      } else {\n        this.writeHead(statusOrUrl, { Location: url ?? \"\" });\n      }\n      this.end();\n    },\n  });\n\n  return { apiReq, apiRes };\n}\n\n/**\n * Handle an API route request.\n * Returns true if the request was handled, false if no API route matched.\n */\nexport async function handleApiRoute(\n  runner: ModuleImporter,\n  req: IncomingMessage,\n  res: ServerResponse,\n  url: string,\n  apiRoutes: Route[],\n): Promise<boolean> {\n  const match = matchRoute(url, apiRoutes);\n  if (!match) return false;\n\n  const { route, params } = match;\n\n  try {\n    // Load the API route module through the ModuleRunner\n    const apiModule = await importModule(runner, route.filePath);\n    if (isEdgeApiRouteModule(apiModule)) {\n      // Next.js wraps the incoming Request in a NextRequest before invoking\n      // edge API handlers, so handlers can use `req.nextUrl.searchParams`,\n      // `req.cookies`, etc. (Cf. NextRequestHint in next/src/server/web/adapter.ts.)\n      const nextRequest = new NextRequest(createEdgeApiRequest(req, url));\n      const response = await apiModule.default(nextRequest);\n      if (!(response instanceof Response)) {\n        throw new Error(\"Edge API route did not return a Response\");\n      }\n\n      res.statusCode = response.status;\n      res.statusMessage = response.statusText;\n      const setCookieHeaders = response.headers.getSetCookie();\n      response.headers.forEach((value, name) => {\n        if (name !== \"set-cookie\") res.setHeader(name, value);\n      });\n      if (setCookieHeaders.length) {\n        res.setHeader(\"set-cookie\", setCookieHeaders);\n      }\n      await writeEdgeApiResponseBody(res, response.body);\n      return true;\n    }\n\n    const handler = apiModule.default;\n    if (typeof handler !== \"function\") {\n      console.error(`[vinext] API route ${route.filePath} does not export a default function`);\n      res.statusCode = 500;\n      res.end(\"API route does not export a default function\");\n      return true;\n    }\n\n    // Parse query from URL + route params. Path params win over same-key search\n    // params so a query string cannot change the dynamic route value.\n    const query = mergeRouteParamsIntoQuery(parseQueryString(url), params);\n\n    // Honour `export const config = { api: { bodyParser: ... } }` on the\n    // route module. When the handler opts out (`bodyParser: false`) we must\n    // not consume the stream — leave `req` intact so user code (e.g. a\n    // Stripe/GitHub webhook) can read the raw bytes for HMAC verification.\n    const bodyParserConfig = resolveBodyParserConfig(\n      (apiModule as { config?: { api?: { bodyParser?: unknown } } }).config as\n        | { api?: { bodyParser?: boolean | { sizeLimit?: string | number } } }\n        | undefined,\n    );\n\n    const body = bodyParserConfig.enabled\n      ? await parseBody(req, bodyParserConfig.sizeLimit)\n      : undefined;\n\n    // Enhance req/res with Next.js helpers\n    const { apiReq, apiRes } = enhanceApiObjects(req, res, query, body);\n\n    // Call the handler\n    await handler(apiReq, apiRes);\n    return true;\n  } catch (e) {\n    if (e instanceof PagesBodyParseError) {\n      res.statusCode = e.statusCode;\n      res.statusMessage = e.message;\n      res.end(e.message);\n      return true;\n    }\n\n    // ssrFixStacktrace() is specific to ssrLoadModule and is not applicable\n    // when using ModuleRunner — no stack trace fixup is needed here.\n    console.error(e);\n    void reportRequestError(\n      e instanceof Error ? e : new Error(String(e)),\n      {\n        path: url,\n        method: req.method ?? \"GET\",\n        headers: Object.fromEntries(\n          Object.entries(req.headers).map(([k, v]) => [\n            k,\n            Array.isArray(v) ? v.join(\", \") : String(v ?? \"\"),\n          ]),\n        ),\n      },\n      { routerKind: \"Pages Router\", routePath: match.route.pattern, routeType: \"route\" },\n    );\n    if (!res.headersSent) {\n      res.statusCode = 500;\n      res.end(\"Internal Server Error\");\n    } else if (!res.writableEnded) {\n      res.end();\n    }\n    return true;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAiEA,MAAM,gBAAgB;;;;;;;;;;;AAYtB,eAAe,UACb,KACA,YAAoB,eACF;CAClB,OAAO,IAAI,SAAS,SAAS,WAAW;EACtC,MAAM,SAAmB,EAAE;EAC3B,IAAI,YAAY;EAChB,IAAI,UAAU;EACd,IAAI,GAAG,SAAS,UAAkB;GAChC,aAAa,MAAM;GACnB,IAAI,YAAY,WAAW;IACzB,UAAU;IACV,IAAI,SAAS;IACb,OAAO,IAAI,oBAAoB,0BAA0B,IAAI,CAAC;IAC9D;;GAEF,OAAO,KAAK,MAAM;IAClB;EACF,IAAI,GAAG,UAAU,QAAQ;GACvB,IAAI,CAAC,SAAS;IACZ,UAAU;IACV,OAAO,IAAI;;IAEb;EACF,IAAI,GAAG,aAAa;GAClB,IAAI,SAAS;GACb,UAAU;GACV,MAAM,MAAM,OAAO,OAAO,OAAO,CAAC,SAAS,QAAQ;GACnD,MAAM,YAAY,aAAa,IAAI,QAAQ,gBAAgB;GAC3D,IAAI,CAAC,KAAK;IACR,QACE,gBAAgB,UAAU,GACtB,EAAE,GACF,cAAc,sCACZA,OAAkB,IAAI,GACtB,KAAA,EACP;IACD;;GAEF,IAAI,gBAAgB,UAAU,EAC5B,IAAI;IACF,QAAQ,KAAK,MAAM,IAAI,CAAC;WAClB;IACN,OAAO,IAAI,oBAAoB,gBAAgB,IAAI,CAAC;;QAEjD,IAAI,cAAc,qCACvB,QAAQA,OAAkB,IAAI,CAAC;QAE/B,QAAQ,IAAI;IAEd;GACF;;;;;AAMJ,SAAS,aAAa,KAA8C;CAClE,MAAM,SAAS,IAAI,QAAQ,UAAU;CACrC,MAAM,UAAkC,EAAE;CAC1C,KAAK,MAAM,QAAQ,OAAO,MAAM,IAAI,EAAE;EACpC,MAAM,CAAC,KAAK,GAAG,QAAQ,KAAK,MAAM,IAAI;EACtC,IAAI,KACF,QAAQ,IAAI,MAAM,IAAI,KAAK,KAAK,IAAI,CAAC,MAAM;;CAG/C,OAAO;;AAGT,SAAS,qBAAqB,QAA+D;CAC3F,IAAI,OAAO,OAAO,YAAY,YAAY,OAAO;CAIjD,MAAM,OAAO,OAAO;CACpB,IAAI,OAAO,SAAS,UAAU,OAAO,iBAAiB,KAAK;CAC3D,MAAM,SAAS,OAAO;CACtB,IAAI,CAAC,UAAU,OAAO,WAAW,UAAU,OAAO;CAClD,MAAM,UAAU,aAAa,SAAU,OAAiC,UAAU,KAAA;CAClF,OAAO,OAAO,YAAY,YAAY,iBAAiB,QAAQ;;AAGjE,SAAS,oBAAoB,KAA8D;CACzF,IAAI,IAAI,WAAW,SAAS,IAAI,WAAW,QAAQ,OAAO,KAAA;CAC1D,OAAO,IAAI,eAA2B,EACpC,MAAM,YAAY;EAChB,IAAI,GAAG,SAAS,UAA2B;GACzC,WAAW,QAAQ,OAAO,UAAU,WAAW,OAAO,KAAK,MAAM,GAAG,IAAI,WAAW,MAAM,CAAC;IAC1F;EACF,IAAI,GAAG,aAAa,WAAW,OAAO,CAAC;EACvC,IAAI,GAAG,UAAU,UAAU,WAAW,MAAM,MAAM,CAAC;IAEtD,CAAC;;AAGJ,SAAS,qBAAqB,KAAsB,KAAsB;CACxE,MAAM,UAAU,IAAI,SAAS;CAC7B,KAAK,MAAM,CAAC,MAAM,UAAU,OAAO,QAAQ,IAAI,QAAQ,EACrD,IAAI,MAAM,QAAQ,MAAM,EACtB,KAAK,MAAM,QAAQ,OAAO,QAAQ,OAAO,MAAM,KAAK;MAC/C,IAAI,UAAU,KAAA,GACnB,QAAQ,IAAI,MAAM,MAAM;CAU5B,MAAM,QAAQ,uBAAuB,IAAI;CACzC,MAAM,OAAO,mBAAmB,KAAK,YAAY;CACjD,MAAM,aAAa,IAAI,IAAI,KAAK,GAAG,MAAM,KAAK,OAAO;CACrD,MAAM,OAAO,oBAAoB,IAAI;CAErC,MAAM,OAA0C;EAC9C;EACA,QAAQ,IAAI;EACb;CAED,IAAI,MAAM;EACR,KAAK,OAAO;EACZ,KAAK,SAAS;;CAGhB,OAAO,IAAI,QAAQ,YAAY,KAAK;;AAGtC,SAAS,qBAAqB,KAAoC;CAChE,OAAO,IAAI,SAAS,SAAS,WAAW;EACtC,MAAM,gBAAgB;GACpB,IAAI,IAAI,SAAS,QAAQ;GACzB,IAAI,IAAI,SAAS,QAAQ;GACzB,IAAI,IAAI,SAAS,QAAQ;;EAE3B,MAAM,gBAAgB;GACpB,SAAS;GACT,SAAS;;EAEX,MAAM,WAAW,UAAiB;GAChC,SAAS;GACT,OAAO,MAAM;;EAEf,MAAM,gBAAgB;GACpB,SAAS;GACT,uBAAO,IAAI,MAAM,wCAAwC,CAAC;;EAE5D,IAAI,KAAK,SAAS,QAAQ;EAC1B,IAAI,KAAK,SAAS,QAAQ;EAC1B,IAAI,KAAK,SAAS,QAAQ;GAC1B;;AAGJ,eAAe,yBACb,KACA,MACe;CACf,IAAI,CAAC,MAAM;EACT,IAAI,KAAK;EACT;;CAGF,MAAM,SAAS,KAAK,WAAW;CAC/B,IAAI;EACF,OAAO,MAAM;GACX,MAAM,SAAS,MAAM,OAAO,MAAM;GAClC,IAAI,OAAO,MAAM;GACjB,IAAI,OAAO,MAAM,eAAe,GAAG;GACnC,IAAI,CAAC,IAAI,MAAM,OAAO,KAAK,OAAO,MAAM,CAAC,EACvC,MAAM,qBAAqB,IAAI;;EAGnC,IAAI,KAAK;UACF,OAAO;EACd,IAAI,QAAQ,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,MAAM,CAAC,CAAC;EACtE,MAAM;WACE;EACR,OAAO,aAAa;;;;;;AAOxB,SAAS,kBACP,KACA,KACA,OACA,MACqD;CAiDrD,OAAO;EAAE,QAhDsB,OAAO,OAAO,KAAK;GAChD;GACA,SAAS,aAAa,IAAI;GAC1B;GACD,CA4Cc;EAAE,QA1Ce,OAAO,OAAO,KAAK;GACjD,OAA8B,MAAc;IAC1C,KAAK,aAAa;IAClB,OAAO;;GAGT,KAA4B,MAAe;IACzC,KAAK,UAAU,gBAAgB,mBAAmB;IAClD,KAAK,IAAI,KAAK,UAAU,KAAK,CAAC;;GAGhC,KAA4B,MAAe;IACzC,IAAI,OAAO,SAAS,KAAK,EAAE;KACzB,IAAI,CAAC,KAAK,UAAU,eAAe,EACjC,KAAK,UAAU,gBAAgB,2BAA2B;KAE5D,KAAK,UAAU,kBAAkB,OAAO,KAAK,OAAO,CAAC;KACrD,KAAK,IAAI,KAAK;KACd;;IAGF,IAAI,OAAO,SAAS,YAAY,SAAS,MAAM;KAC7C,KAAK,UAAU,gBAAgB,mBAAmB;KAClD,KAAK,IAAI,KAAK,UAAU,KAAK,CAAC;WACzB;KACL,IAAI,CAAC,KAAK,UAAU,eAAe,EACjC,KAAK,UAAU,gBAAgB,aAAa;KAE9C,KAAK,IAAI,OAAO,KAAK,CAAC;;;GAI1B,SAAgC,aAA8B,KAAc;IAC1E,IAAI,OAAO,gBAAgB,UACzB,KAAK,UAAU,KAAK,EAAE,UAAU,aAAa,CAAC;SAE9C,KAAK,UAAU,aAAa,EAAE,UAAU,OAAO,IAAI,CAAC;IAEtD,KAAK,KAAK;;GAEb,CAEsB;EAAE;;;;;;AAO3B,eAAsB,eACpB,QACA,KACA,KACA,KACA,WACkB;CAClB,MAAM,QAAQ,WAAW,KAAK,UAAU;CACxC,IAAI,CAAC,OAAO,OAAO;CAEnB,MAAM,EAAE,OAAO,WAAW;CAE1B,IAAI;EAEF,MAAM,YAAY,MAAM,aAAa,QAAQ,MAAM,SAAS;EAC5D,IAAI,qBAAqB,UAAU,EAAE;GAInC,MAAM,cAAc,IAAI,YAAY,qBAAqB,KAAK,IAAI,CAAC;GACnE,MAAM,WAAW,MAAM,UAAU,QAAQ,YAAY;GACrD,IAAI,EAAE,oBAAoB,WACxB,MAAM,IAAI,MAAM,2CAA2C;GAG7D,IAAI,aAAa,SAAS;GAC1B,IAAI,gBAAgB,SAAS;GAC7B,MAAM,mBAAmB,SAAS,QAAQ,cAAc;GACxD,SAAS,QAAQ,SAAS,OAAO,SAAS;IACxC,IAAI,SAAS,cAAc,IAAI,UAAU,MAAM,MAAM;KACrD;GACF,IAAI,iBAAiB,QACnB,IAAI,UAAU,cAAc,iBAAiB;GAE/C,MAAM,yBAAyB,KAAK,SAAS,KAAK;GAClD,OAAO;;EAGT,MAAM,UAAU,UAAU;EAC1B,IAAI,OAAO,YAAY,YAAY;GACjC,QAAQ,MAAM,sBAAsB,MAAM,SAAS,qCAAqC;GACxF,IAAI,aAAa;GACjB,IAAI,IAAI,+CAA+C;GACvD,OAAO;;EAKT,MAAM,QAAQ,0BAA0B,iBAAiB,IAAI,EAAE,OAAO;EAMtE,MAAM,mBAAmB,wBACtB,UAA8D,OAGhE;EAOD,MAAM,EAAE,QAAQ,WAAW,kBAAkB,KAAK,KAAK,OAL1C,iBAAiB,UAC1B,MAAM,UAAU,KAAK,iBAAiB,UAAU,GAChD,KAAA,EAG+D;EAGnE,MAAM,QAAQ,QAAQ,OAAO;EAC7B,OAAO;UACA,GAAG;EACV,IAAI,aAAa,qBAAqB;GACpC,IAAI,aAAa,EAAE;GACnB,IAAI,gBAAgB,EAAE;GACtB,IAAI,IAAI,EAAE,QAAQ;GAClB,OAAO;;EAKT,QAAQ,MAAM,EAAE;EAChB,mBACE,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO,EAAE,CAAC,EAC7C;GACE,MAAM;GACN,QAAQ,IAAI,UAAU;GACtB,SAAS,OAAO,YACd,OAAO,QAAQ,IAAI,QAAQ,CAAC,KAAK,CAAC,GAAG,OAAO,CAC1C,GACA,MAAM,QAAQ,EAAE,GAAG,EAAE,KAAK,KAAK,GAAG,OAAO,KAAK,GAAG,CAClD,CAAC,CACH;GACF,EACD;GAAE,YAAY;GAAgB,WAAW,MAAM,MAAM;GAAS,WAAW;GAAS,CACnF;EACD,IAAI,CAAC,IAAI,aAAa;GACpB,IAAI,aAAa;GACjB,IAAI,IAAI,wBAAwB;SAC3B,IAAI,CAAC,IAAI,eACd,IAAI,KAAK;EAEX,OAAO"}

package/dist/server/app-browser-action-result.d.ts

@@ -22,6 +22,21 @@ type ServerActionInitiationSnapshot<TRouterState> = {
 declare function isServerActionResult<TRoot>(value: unknown): value is AppBrowserServerActionResult<TRoot>;
 declare function shouldClearClientNavigationCachesForServerActionResult<TRoot>(result: AppBrowserServerActionResult<TRoot> | TRoot, revalidation?: ServerActionRevalidationKind): boolean;
 declare function parseServerActionRevalidationHeader(headers: Pick<Headers, "get">): ServerActionRevalidationKind;
+type ServerActionRedirectLocation = {
+  href: string;
+  internal: boolean;
+};
+/**
+ * Resolve a server-action redirect target against the URL that initiated the
+ * action. Dot-relative redirects intentionally resolve as if the current route
+ * pathname were a directory, matching Next.js' `assignLocation()` behavior:
+ * `./subpage` from `/subdir` lands on `/subdir/subpage`, not `/subpage`.
+ */
+declare function resolveServerActionRedirectLocation(options: {
+  currentHref: string;
+  location: string;
+  origin: string;
+}): ServerActionRedirectLocation;
 declare function shouldScheduleRefreshForDiscardedServerAction(revalidation: ServerActionRevalidationKind): boolean;
 declare function createServerActionInitiationSnapshot<TRouterState>(options: {
   href: string;
@@ -40,5 +55,5 @@ type DiscardedServerActionRefreshSchedulerOptions = {
 };
 declare function createDiscardedServerActionRefreshScheduler(options: DiscardedServerActionRefreshSchedulerOptions): DiscardedServerActionRefreshScheduler;
 //#endregion
-export { AppBrowserServerActionResult, ServerActionRevalidationKind, createDiscardedServerActionRefreshScheduler, createServerActionInitiationSnapshot, isServerActionResult, parseServerActionRevalidationHeader, shouldClearClientNavigationCachesForServerActionResult, shouldScheduleRefreshForDiscardedServerAction };
+export { AppBrowserServerActionResult, ServerActionRevalidationKind, createDiscardedServerActionRefreshScheduler, createServerActionInitiationSnapshot, isServerActionResult, parseServerActionRevalidationHeader, resolveServerActionRedirectLocation, shouldClearClientNavigationCachesForServerActionResult, shouldScheduleRefreshForDiscardedServerAction };
 //# sourceMappingURL=app-browser-action-result.d.ts.map

package/dist/server/app-browser-action-result.js

@@ -31,6 +31,20 @@ function parseServerActionRevalidationHeader(headers) {
 		default: return "none";
 	}
 }
+/**
+* Resolve a server-action redirect target against the URL that initiated the
+* action. Dot-relative redirects intentionally resolve as if the current route
+* pathname were a directory, matching Next.js' `assignLocation()` behavior:
+* `./subpage` from `/subdir` lands on `/subdir/subpage`, not `/subpage`.
+*/
+function resolveServerActionRedirectLocation(options) {
+	const currentUrl = new URL(options.currentHref, options.origin);
+	const redirectUrl = options.location.startsWith(".") ? new URL(options.location, `${currentUrl.origin}${currentUrl.pathname.endsWith("/") ? currentUrl.pathname : `${currentUrl.pathname}/`}`) : new URL(options.location, currentUrl.href);
+	return {
+		href: redirectUrl.href,
+		internal: redirectUrl.origin === currentUrl.origin
+	};
+}
 function shouldScheduleRefreshForDiscardedServerAction(revalidation) {
 	return revalidation !== "none";
 }
@@ -74,6 +88,6 @@ function createDiscardedServerActionRefreshScheduler(options) {
 	};
 }
 //#endregion
-export { createDiscardedServerActionRefreshScheduler, createServerActionInitiationSnapshot, isServerActionResult, parseServerActionRevalidationHeader, shouldClearClientNavigationCachesForServerActionResult, shouldScheduleRefreshForDiscardedServerAction };
+export { createDiscardedServerActionRefreshScheduler, createServerActionInitiationSnapshot, isServerActionResult, parseServerActionRevalidationHeader, resolveServerActionRedirectLocation, shouldClearClientNavigationCachesForServerActionResult, shouldScheduleRefreshForDiscardedServerAction };
 
 //# sourceMappingURL=app-browser-action-result.js.map

package/dist/server/app-browser-action-result.js.map

@@ -1 +1 @@
-{"version":3,"file":"app-browser-action-result.js","names":[],"sources":["../../src/server/app-browser-action-result.ts"],"sourcesContent":["import { ACTION_REVALIDATED_HEADER } from \"./headers.js\";\n\nexport type AppBrowserServerActionResult<TRoot> = {\n  root?: TRoot;\n  returnValue?: {\n    ok: boolean;\n    data: unknown;\n  };\n};\n\nexport type ServerActionRevalidationKind = \"dynamicOnly\" | \"none\" | \"staticAndDynamic\";\n\nconst ACTION_DID_REVALIDATE_STATIC_AND_DYNAMIC = 1;\nconst ACTION_DID_REVALIDATE_DYNAMIC_ONLY = 2;\n\ntype ServerActionInitiationSnapshot<TRouterState> = {\n  href: string;\n  navigationId: number;\n  path: string;\n  routerState: TRouterState;\n};\n\n/**\n * Structural discriminator: matches on `\"returnValue\"` or `\"root\"` keys.\n * This is safe because {@link AppWireElements} keys are prefixed (`route:`,\n * `slot:`, `__route`, etc.) and will never collide with these property names.\n * If the wire format ever adds a `\"root\"` key, this guard must be updated.\n */\nexport function isServerActionResult<TRoot>(\n  value: unknown,\n): value is AppBrowserServerActionResult<TRoot> {\n  return !!value && typeof value === \"object\" && (\"returnValue\" in value || \"root\" in value);\n}\n\nexport function shouldClearClientNavigationCachesForServerActionResult<TRoot>(\n  result: AppBrowserServerActionResult<TRoot> | TRoot,\n  revalidation: ServerActionRevalidationKind = \"none\",\n): boolean {\n  if (revalidation !== \"none\") {\n    return true;\n  }\n\n  if (!isServerActionResult<TRoot>(result)) {\n    return true;\n  }\n\n  return result.root !== undefined;\n}\n\nexport function parseServerActionRevalidationHeader(\n  headers: Pick<Headers, \"get\">,\n): ServerActionRevalidationKind {\n  const value = headers.get(ACTION_REVALIDATED_HEADER);\n  if (!value) return \"none\";\n\n  let parsed: unknown;\n  try {\n    parsed = JSON.parse(value);\n  } catch {\n    return \"none\";\n  }\n\n  switch (parsed) {\n    case ACTION_DID_REVALIDATE_STATIC_AND_DYNAMIC:\n      return \"staticAndDynamic\";\n    case ACTION_DID_REVALIDATE_DYNAMIC_ONLY:\n      return \"dynamicOnly\";\n    default:\n      return \"none\";\n  }\n}\n\nexport function shouldScheduleRefreshForDiscardedServerAction(\n  revalidation: ServerActionRevalidationKind,\n): boolean {\n  return revalidation !== \"none\";\n}\n\nexport function createServerActionInitiationSnapshot<TRouterState>(options: {\n  href: string;\n  navigationId: number;\n  origin?: string;\n  routerState: TRouterState;\n}): ServerActionInitiationSnapshot<TRouterState> {\n  const url =\n    options.origin === undefined ? new URL(options.href) : new URL(options.href, options.origin);\n  return {\n    href: url.href,\n    navigationId: options.navigationId,\n    path: url.pathname + url.search,\n    routerState: options.routerState,\n  };\n}\n\ntype DiscardedServerActionRefreshScheduler = {\n  markNavigationSettled(): void;\n  markNavigationStart(): void;\n  schedule(): void;\n};\n\ntype DiscardedServerActionRefreshSchedulerOptions = {\n  queueTask?: (callback: () => void) => void;\n  runRefresh: () => void;\n};\n\nexport function createDiscardedServerActionRefreshScheduler(\n  options: DiscardedServerActionRefreshSchedulerOptions,\n): DiscardedServerActionRefreshScheduler {\n  const queueTask = options.queueTask ?? queueMicrotask;\n  let activeNavigationCount = 0;\n  let flushQueued = false;\n  let refreshPending = false;\n\n  function flush(): void {\n    flushQueued = false;\n    if (!refreshPending || activeNavigationCount > 0) return;\n\n    refreshPending = false;\n    options.runRefresh();\n  }\n\n  function queueFlush(): void {\n    if (flushQueued) return;\n    flushQueued = true;\n    queueTask(flush);\n  }\n\n  return {\n    markNavigationSettled() {\n      if (activeNavigationCount > 0) {\n        activeNavigationCount -= 1;\n      }\n      queueFlush();\n    },\n    markNavigationStart() {\n      activeNavigationCount += 1;\n    },\n    schedule() {\n      refreshPending = true;\n      queueFlush();\n    },\n  };\n}\n"],"mappings":";;AAYA,MAAM,2CAA2C;AACjD,MAAM,qCAAqC;;;;;;;AAe3C,SAAgB,qBACd,OAC8C;CAC9C,OAAO,CAAC,CAAC,SAAS,OAAO,UAAU,aAAa,iBAAiB,SAAS,UAAU;;AAGtF,SAAgB,uDACd,QACA,eAA6C,QACpC;CACT,IAAI,iBAAiB,QACnB,OAAO;CAGT,IAAI,CAAC,qBAA4B,OAAO,EACtC,OAAO;CAGT,OAAO,OAAO,SAAS,KAAA;;AAGzB,SAAgB,oCACd,SAC8B;CAC9B,MAAM,QAAQ,QAAQ,IAAI,0BAA0B;CACpD,IAAI,CAAC,OAAO,OAAO;CAEnB,IAAI;CACJ,IAAI;EACF,SAAS,KAAK,MAAM,MAAM;SACpB;EACN,OAAO;;CAGT,QAAQ,QAAR;EACE,KAAK,0CACH,OAAO;EACT,KAAK,oCACH,OAAO;EACT,SACE,OAAO;;;AAIb,SAAgB,8CACd,cACS;CACT,OAAO,iBAAiB;;AAG1B,SAAgB,qCAAmD,SAKlB;CAC/C,MAAM,MACJ,QAAQ,WAAW,KAAA,IAAY,IAAI,IAAI,QAAQ,KAAK,GAAG,IAAI,IAAI,QAAQ,MAAM,QAAQ,OAAO;CAC9F,OAAO;EACL,MAAM,IAAI;EACV,cAAc,QAAQ;EACtB,MAAM,IAAI,WAAW,IAAI;EACzB,aAAa,QAAQ;EACtB;;AAcH,SAAgB,4CACd,SACuC;CACvC,MAAM,YAAY,QAAQ,aAAa;CACvC,IAAI,wBAAwB;CAC5B,IAAI,cAAc;CAClB,IAAI,iBAAiB;CAErB,SAAS,QAAc;EACrB,cAAc;EACd,IAAI,CAAC,kBAAkB,wBAAwB,GAAG;EAElD,iBAAiB;EACjB,QAAQ,YAAY;;CAGtB,SAAS,aAAmB;EAC1B,IAAI,aAAa;EACjB,cAAc;EACd,UAAU,MAAM;;CAGlB,OAAO;EACL,wBAAwB;GACtB,IAAI,wBAAwB,GAC1B,yBAAyB;GAE3B,YAAY;;EAEd,sBAAsB;GACpB,yBAAyB;;EAE3B,WAAW;GACT,iBAAiB;GACjB,YAAY;;EAEf"}
+{"version":3,"file":"app-browser-action-result.js","names":[],"sources":["../../src/server/app-browser-action-result.ts"],"sourcesContent":["import { ACTION_REVALIDATED_HEADER } from \"./headers.js\";\n\nexport type AppBrowserServerActionResult<TRoot> = {\n  root?: TRoot;\n  returnValue?: {\n    ok: boolean;\n    data: unknown;\n  };\n};\n\nexport type ServerActionRevalidationKind = \"dynamicOnly\" | \"none\" | \"staticAndDynamic\";\n\nconst ACTION_DID_REVALIDATE_STATIC_AND_DYNAMIC = 1;\nconst ACTION_DID_REVALIDATE_DYNAMIC_ONLY = 2;\n\ntype ServerActionInitiationSnapshot<TRouterState> = {\n  href: string;\n  navigationId: number;\n  path: string;\n  routerState: TRouterState;\n};\n\n/**\n * Structural discriminator: matches on `\"returnValue\"` or `\"root\"` keys.\n * This is safe because {@link AppWireElements} keys are prefixed (`route:`,\n * `slot:`, `__route`, etc.) and will never collide with these property names.\n * If the wire format ever adds a `\"root\"` key, this guard must be updated.\n */\nexport function isServerActionResult<TRoot>(\n  value: unknown,\n): value is AppBrowserServerActionResult<TRoot> {\n  return !!value && typeof value === \"object\" && (\"returnValue\" in value || \"root\" in value);\n}\n\nexport function shouldClearClientNavigationCachesForServerActionResult<TRoot>(\n  result: AppBrowserServerActionResult<TRoot> | TRoot,\n  revalidation: ServerActionRevalidationKind = \"none\",\n): boolean {\n  if (revalidation !== \"none\") {\n    return true;\n  }\n\n  if (!isServerActionResult<TRoot>(result)) {\n    return true;\n  }\n\n  return result.root !== undefined;\n}\n\nexport function parseServerActionRevalidationHeader(\n  headers: Pick<Headers, \"get\">,\n): ServerActionRevalidationKind {\n  const value = headers.get(ACTION_REVALIDATED_HEADER);\n  if (!value) return \"none\";\n\n  let parsed: unknown;\n  try {\n    parsed = JSON.parse(value);\n  } catch {\n    return \"none\";\n  }\n\n  switch (parsed) {\n    case ACTION_DID_REVALIDATE_STATIC_AND_DYNAMIC:\n      return \"staticAndDynamic\";\n    case ACTION_DID_REVALIDATE_DYNAMIC_ONLY:\n      return \"dynamicOnly\";\n    default:\n      return \"none\";\n  }\n}\n\ntype ServerActionRedirectLocation = {\n  href: string;\n  internal: boolean;\n};\n\n/**\n * Resolve a server-action redirect target against the URL that initiated the\n * action. Dot-relative redirects intentionally resolve as if the current route\n * pathname were a directory, matching Next.js' `assignLocation()` behavior:\n * `./subpage` from `/subdir` lands on `/subdir/subpage`, not `/subpage`.\n */\nexport function resolveServerActionRedirectLocation(options: {\n  currentHref: string;\n  location: string;\n  origin: string;\n}): ServerActionRedirectLocation {\n  const currentUrl = new URL(options.currentHref, options.origin);\n  const redirectUrl = options.location.startsWith(\".\")\n    ? new URL(\n        options.location,\n        `${currentUrl.origin}${currentUrl.pathname.endsWith(\"/\") ? currentUrl.pathname : `${currentUrl.pathname}/`}`,\n      )\n    : new URL(options.location, currentUrl.href);\n\n  return {\n    href: redirectUrl.href,\n    internal: redirectUrl.origin === currentUrl.origin,\n  };\n}\n\nexport function shouldScheduleRefreshForDiscardedServerAction(\n  revalidation: ServerActionRevalidationKind,\n): boolean {\n  return revalidation !== \"none\";\n}\n\nexport function createServerActionInitiationSnapshot<TRouterState>(options: {\n  href: string;\n  navigationId: number;\n  origin?: string;\n  routerState: TRouterState;\n}): ServerActionInitiationSnapshot<TRouterState> {\n  const url =\n    options.origin === undefined ? new URL(options.href) : new URL(options.href, options.origin);\n  return {\n    href: url.href,\n    navigationId: options.navigationId,\n    path: url.pathname + url.search,\n    routerState: options.routerState,\n  };\n}\n\ntype DiscardedServerActionRefreshScheduler = {\n  markNavigationSettled(): void;\n  markNavigationStart(): void;\n  schedule(): void;\n};\n\ntype DiscardedServerActionRefreshSchedulerOptions = {\n  queueTask?: (callback: () => void) => void;\n  runRefresh: () => void;\n};\n\nexport function createDiscardedServerActionRefreshScheduler(\n  options: DiscardedServerActionRefreshSchedulerOptions,\n): DiscardedServerActionRefreshScheduler {\n  const queueTask = options.queueTask ?? queueMicrotask;\n  let activeNavigationCount = 0;\n  let flushQueued = false;\n  let refreshPending = false;\n\n  function flush(): void {\n    flushQueued = false;\n    if (!refreshPending || activeNavigationCount > 0) return;\n\n    refreshPending = false;\n    options.runRefresh();\n  }\n\n  function queueFlush(): void {\n    if (flushQueued) return;\n    flushQueued = true;\n    queueTask(flush);\n  }\n\n  return {\n    markNavigationSettled() {\n      if (activeNavigationCount > 0) {\n        activeNavigationCount -= 1;\n      }\n      queueFlush();\n    },\n    markNavigationStart() {\n      activeNavigationCount += 1;\n    },\n    schedule() {\n      refreshPending = true;\n      queueFlush();\n    },\n  };\n}\n"],"mappings":";;AAYA,MAAM,2CAA2C;AACjD,MAAM,qCAAqC;;;;;;;AAe3C,SAAgB,qBACd,OAC8C;CAC9C,OAAO,CAAC,CAAC,SAAS,OAAO,UAAU,aAAa,iBAAiB,SAAS,UAAU;;AAGtF,SAAgB,uDACd,QACA,eAA6C,QACpC;CACT,IAAI,iBAAiB,QACnB,OAAO;CAGT,IAAI,CAAC,qBAA4B,OAAO,EACtC,OAAO;CAGT,OAAO,OAAO,SAAS,KAAA;;AAGzB,SAAgB,oCACd,SAC8B;CAC9B,MAAM,QAAQ,QAAQ,IAAI,0BAA0B;CACpD,IAAI,CAAC,OAAO,OAAO;CAEnB,IAAI;CACJ,IAAI;EACF,SAAS,KAAK,MAAM,MAAM;SACpB;EACN,OAAO;;CAGT,QAAQ,QAAR;EACE,KAAK,0CACH,OAAO;EACT,KAAK,oCACH,OAAO;EACT,SACE,OAAO;;;;;;;;;AAeb,SAAgB,oCAAoC,SAInB;CAC/B,MAAM,aAAa,IAAI,IAAI,QAAQ,aAAa,QAAQ,OAAO;CAC/D,MAAM,cAAc,QAAQ,SAAS,WAAW,IAAI,GAChD,IAAI,IACF,QAAQ,UACR,GAAG,WAAW,SAAS,WAAW,SAAS,SAAS,IAAI,GAAG,WAAW,WAAW,GAAG,WAAW,SAAS,KACzG,GACD,IAAI,IAAI,QAAQ,UAAU,WAAW,KAAK;CAE9C,OAAO;EACL,MAAM,YAAY;EAClB,UAAU,YAAY,WAAW,WAAW;EAC7C;;AAGH,SAAgB,8CACd,cACS;CACT,OAAO,iBAAiB;;AAG1B,SAAgB,qCAAmD,SAKlB;CAC/C,MAAM,MACJ,QAAQ,WAAW,KAAA,IAAY,IAAI,IAAI,QAAQ,KAAK,GAAG,IAAI,IAAI,QAAQ,MAAM,QAAQ,OAAO;CAC9F,OAAO;EACL,MAAM,IAAI;EACV,cAAc,QAAQ;EACtB,MAAM,IAAI,WAAW,IAAI;EACzB,aAAa,QAAQ;EACtB;;AAcH,SAAgB,4CACd,SACuC;CACvC,MAAM,YAAY,QAAQ,aAAa;CACvC,IAAI,wBAAwB;CAC5B,IAAI,cAAc;CAClB,IAAI,iBAAiB;CAErB,SAAS,QAAc;EACrB,cAAc;EACd,IAAI,CAAC,kBAAkB,wBAAwB,GAAG;EAElD,iBAAiB;EACjB,QAAQ,YAAY;;CAGtB,SAAS,aAAmB;EAC1B,IAAI,aAAa;EACjB,cAAc;EACd,UAAU,MAAM;;CAGlB,OAAO;EACL,wBAAwB;GACtB,IAAI,wBAAwB,GAC1B,yBAAyB;GAE3B,YAAY;;EAEd,sBAAsB;GACpB,yBAAyB;;EAE3B,WAAW;GACT,iBAAiB;GACjB,YAAY;;EAEf"}

package/dist/server/app-browser-entry.js

@@ -1,22 +1,22 @@
 import { stripBasePath } from "../utils/base-path.js";
 import { ACTION_REDIRECT_HEADER, VINEXT_MOUNTED_SLOTS_HEADER, VINEXT_PARAMS_HEADER, VINEXT_RSC_REDIRECT_HEADER } from "./headers.js";
 import { DANGEROUS_URL_BLOCK_MESSAGE, isDangerousScheme } from "../shims/url-safety.js";
+import { AppElementsWire } from "./app-elements-wire.js";
 import { APP_RSC_RENDER_MODE_REFRESH_PRESERVE_UI } from "./app-rsc-render-mode.js";
 import { installWindowNext } from "../client/window-next.js";
 import { scrollToHashTargetOnNextFrame } from "../shims/hash-scroll.js";
 import { getNavigationRuntime, registerNavigationRuntimeBootstrap, registerNavigationRuntimeFunctions } from "../client/navigation-runtime.js";
 import { notifyAppRouterTransitionStart } from "../client/instrumentation-client-state.js";
-import { AppElementsWire } from "./app-elements-wire.js";
 import { getMountedSlotIdsHeader, resolveVisitedResponseInterceptionContext } from "./app-elements.js";
 import { resolveManifestNavigationInterceptionContext } from "./app-browser-interception-context.js";
 import { createHistoryStateWithNavigationMetadata, createHistoryStateWithPreviousNextUrl, readHistoryStatePreviousNextUrl, readHistoryStateTraversalIndex, resolveHistoryTraversalIntent } from "./app-history-state.js";
 import { VINEXT_RSC_COMPATIBILITY_ID_HEADER, createRscRequestHeaders, createRscRequestUrl, getVinextRscCompatibilityId, resolveHardNavigationTargetFromRscResponse, resolveRscCompatibilityNavigationDecision } from "./app-rsc-cache-busting.js";
 import { AppRouterContext } from "../shims/internal/app-router-context.js";
-import { __basePath, appRouterInstance, commitClientNavigationState, consumePrefetchResponse, createCachedRscResponseSnapshot, createClientNavigationRenderSnapshot, getClientNavigationRenderContext, getPrefetchCache, invalidatePrefetchCache, pushHistoryStateWithoutNotify, replaceClientParamsWithoutNotify, replaceHistoryStateWithoutNotify, restoreRscResponse, setClientParams, setMountedSlotsHeader, setNavigationContext, setPendingPathname } from "../shims/navigation.js";
+import { __basePath, appRouterInstance, commitClientNavigationState, consumePrefetchResponse, createCachedRscResponseSnapshot, createClientNavigationRenderSnapshot, getClientNavigationRenderContext, getPrefetchCache, invalidatePrefetchCache, navigateClientSide, pushHistoryStateWithoutNotify, replaceClientParamsWithoutNotify, replaceHistoryStateWithoutNotify, restoreRscResponse, setClientParams, setMountedSlotsHeader, setNavigationContext, setPendingPathname } from "../shims/navigation.js";
 import { DevRecoveryBoundary, RedirectBoundary } from "../shims/error-boundary.js";
 import { ElementsContext, Slot } from "../shims/slot.js";
 import "../client/instrumentation-client.js";
-import { createDiscardedServerActionRefreshScheduler, createServerActionInitiationSnapshot, isServerActionResult, parseServerActionRevalidationHeader, shouldClearClientNavigationCachesForServerActionResult } from "./app-browser-action-result.js";
+import { createDiscardedServerActionRefreshScheduler, createServerActionInitiationSnapshot, isServerActionResult, parseServerActionRevalidationHeader, resolveServerActionRedirectLocation, shouldClearClientNavigationCachesForServerActionResult } from "./app-browser-action-result.js";
 import { chunksToReadableStream, createProgressiveRscStream, getVinextBrowserGlobal } from "./app-browser-stream.js";
 import { FRESH_APP_NAVIGATION_PAYLOAD_ORIGIN, VISITED_CACHE_APP_NAVIGATION_PAYLOAD_ORIGIN, isCacheRestorableAppPayloadMetadata, resolveInterceptionContextFromPreviousNextUrl, resolveServerActionRequestState } from "./app-browser-state.js";
 import { clearHardNavigationLoopGuard, createAppBrowserNavigationController } from "./app-browser-navigation-controller.js";
@@ -582,15 +582,24 @@ function registerServerActionCallback() {
 				console.error(DANGEROUS_URL_BLOCK_MESSAGE);
 				return;
 			}
+			const historyUpdateMode = (fetchResponse.headers.get("x-action-redirect-type") ?? "push") === "push" ? "push" : "replace";
+			const hardNavigationMode = historyUpdateMode === "push" ? "assign" : "replace";
+			let redirectLocation;
 			try {
-				if (new URL(actionRedirect, window.location.origin).origin !== window.location.origin) {
-					browserNavigationController.performHardNavigation(actionRedirect);
-					return;
-				}
-			} catch {}
+				redirectLocation = resolveServerActionRedirectLocation({
+					currentHref: actionInitiation.href,
+					location: actionRedirect,
+					origin: window.location.origin
+				});
+			} catch {
+				clearClientNavigationCaches();
+				browserNavigationController.performHardNavigation(actionRedirect, hardNavigationMode);
+				return;
+			}
 			clearClientNavigationCaches();
-			if ((fetchResponse.headers.get("x-action-redirect-type") ?? "replace") === "push") browserNavigationController.performHardNavigation(actionRedirect, "assign");
-			else browserNavigationController.performHardNavigation(actionRedirect, "replace");
+			startTransition(() => {
+				navigateClientSide(redirectLocation.href, historyUpdateMode, true, true);
+			});
 			return;
 		}
 		if (resolveRscCompatibilityNavigationDecision({
@@ -826,8 +835,9 @@ function bootstrapHydration(rscStream) {
 						cacheBufferPromise.catch(() => {});
 						return;
 					}
-					const cacheBuffer = await cacheBufferPromise;
-					storeVisitedResponseSnapshot(rscUrl, resolveVisitedResponseInterceptionContext(requestInterceptionContext, metadata.interceptionContext), createCachedRscResponseSnapshot(navResponse, cacheBuffer, navResponseUrl), navParams);
+					cacheBufferPromise.then((cacheBuffer) => {
+						storeVisitedResponseSnapshot(rscUrl, resolveVisitedResponseInterceptionContext(requestInterceptionContext, metadata.interceptionContext), createCachedRscResponseSnapshot(navResponse, cacheBuffer, navResponseUrl), navParams);
+					}).catch(() => {});
 					return;
 				}
 			} catch (error) {