vitek-plugin 0.1.2-beta.6 → 0.2.0-beta

package/dist/core/server/cors.js

@@ -0,0 +1,55 @@
+/**
+ * CORS header helpers for the request handler
+ */
+const DEFAULT_METHODS = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'];
+const DEFAULT_ALLOWED_HEADERS = ['Content-Type', 'Authorization', 'Accept', 'Origin', 'X-Requested-With'];
+export function normalizeCorsOptions(cors) {
+    if (cors === true) {
+        return {
+            origin: '*',
+            methods: DEFAULT_METHODS,
+            allowedHeaders: DEFAULT_ALLOWED_HEADERS,
+            exposeHeaders: [],
+            credentials: false,
+            maxAge: undefined,
+        };
+    }
+    const opts = cors;
+    return {
+        origin: opts.origin ?? '*',
+        methods: opts.methods ?? DEFAULT_METHODS,
+        allowedHeaders: opts.allowedHeaders ?? DEFAULT_ALLOWED_HEADERS,
+        exposeHeaders: opts.exposeHeaders ?? [],
+        credentials: opts.credentials ?? false,
+        maxAge: opts.maxAge,
+    };
+}
+function resolveOrigin(requestOrigin, option) {
+    if (option === '*')
+        return '*';
+    if (Array.isArray(option)) {
+        if (requestOrigin && option.includes(requestOrigin))
+            return requestOrigin;
+        return option[0] ?? '*';
+    }
+    return option;
+}
+export function getCorsHeaders(req, options) {
+    const requestOrigin = req.headers.origin;
+    const origin = resolveOrigin(requestOrigin, options.origin);
+    const headers = {
+        'Access-Control-Allow-Origin': origin,
+        'Access-Control-Allow-Methods': options.methods.join(', '),
+        'Access-Control-Allow-Headers': options.allowedHeaders.join(', '),
+    };
+    if (options.exposeHeaders.length > 0) {
+        headers['Access-Control-Expose-Headers'] = options.exposeHeaders.join(', ');
+    }
+    if (options.credentials) {
+        headers['Access-Control-Allow-Credentials'] = 'true';
+    }
+    if (options.maxAge != null) {
+        headers['Access-Control-Max-Age'] = String(options.maxAge);
+    }
+    return headers;
+}

package/dist/core/server/cors.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=cors.test.d.ts.map

package/dist/core/server/cors.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.test.d.ts","sourceRoot":"","sources":["../../../src/core/server/cors.test.ts"],"names":[],"mappings":""}

package/dist/core/server/cors.test.js

@@ -0,0 +1,49 @@
+import { describe, it, expect } from 'vitest';
+import { normalizeCorsOptions, getCorsHeaders } from './cors.js';
+describe('normalizeCorsOptions', () => {
+    it('returns permissive defaults when cors is true', () => {
+        const opts = normalizeCorsOptions(true);
+        expect(opts.origin).toBe('*');
+        expect(opts.methods).toContain('GET');
+        expect(opts.methods).toContain('POST');
+        expect(opts.methods).toContain('OPTIONS');
+        expect(opts.allowedHeaders.length).toBeGreaterThan(0);
+        expect(opts.credentials).toBe(false);
+    });
+    it('merges partial CorsOptions with defaults', () => {
+        const opts = normalizeCorsOptions({ origin: 'https://app.example.com' });
+        expect(opts.origin).toBe('https://app.example.com');
+        expect(opts.methods).toContain('GET');
+        expect(opts.credentials).toBe(false);
+    });
+    it('allows custom methods and maxAge', () => {
+        const opts = normalizeCorsOptions({
+            methods: ['GET', 'POST'],
+            maxAge: 3600,
+        });
+        expect(opts.methods).toEqual(['GET', 'POST']);
+        expect(opts.maxAge).toBe(3600);
+    });
+});
+describe('getCorsHeaders', () => {
+    function mockReq(origin) {
+        return { headers: origin ? { origin } : {} };
+    }
+    it('returns Allow-Origin * when option is *', () => {
+        const opts = normalizeCorsOptions(true);
+        const headers = getCorsHeaders(mockReq(), opts);
+        expect(headers['Access-Control-Allow-Origin']).toBe('*');
+        expect(headers['Access-Control-Allow-Methods']).toBeDefined();
+        expect(headers['Access-Control-Allow-Headers']).toBeDefined();
+    });
+    it('returns request origin when it matches allowed origin', () => {
+        const opts = normalizeCorsOptions({ origin: 'https://app.example.com' });
+        const headers = getCorsHeaders(mockReq('https://app.example.com'), opts);
+        expect(headers['Access-Control-Allow-Origin']).toBe('https://app.example.com');
+    });
+    it('includes maxAge when set', () => {
+        const opts = normalizeCorsOptions({ maxAge: 600 });
+        const headers = getCorsHeaders(mockReq(), opts);
+        expect(headers['Access-Control-Max-Age']).toBe('600');
+    });
+});

package/dist/core/server/proxy.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Proxy (X-Forwarded-*) helpers for the request handler
+ */
+import type { IncomingMessage } from 'http';
+export interface EffectiveRequest {
+    /** Effective URL (derived from X-Forwarded-* when trustProxy is true). */
+    url: string;
+    /** Client IP (X-Forwarded-For or socket.remoteAddress). */
+    clientIp?: string;
+}
+/**
+ * Derives effective URL and client IP from request when behind a reverse proxy.
+ * When trustProxy is false, returns the request url as-is and no clientIp.
+ */
+export declare function getEffectiveRequest(req: IncomingMessage, trustProxy: boolean): EffectiveRequest;
+//# sourceMappingURL=proxy.d.ts.map

package/dist/core/server/proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy.d.ts","sourceRoot":"","sources":["../../../src/core/server/proxy.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,MAAM,CAAC;AAE5C,MAAM,WAAW,gBAAgB;IAC/B,0EAA0E;IAC1E,GAAG,EAAE,MAAM,CAAC;IACZ,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,eAAe,EACpB,UAAU,EAAE,OAAO,GAClB,gBAAgB,CAYlB"}

package/dist/core/server/proxy.js

@@ -0,0 +1,20 @@
+/**
+ * Proxy (X-Forwarded-*) helpers for the request handler
+ */
+/**
+ * Derives effective URL and client IP from request when behind a reverse proxy.
+ * When trustProxy is false, returns the request url as-is and no clientIp.
+ */
+export function getEffectiveRequest(req, trustProxy) {
+    if (!trustProxy) {
+        return { url: req.url ?? '' };
+    }
+    const proto = req.headers['x-forwarded-proto']?.split(',')[0]?.trim() || 'http';
+    const host = req.headers['x-forwarded-host']?.split(',')[0]?.trim() || req.headers.host || 'localhost';
+    const path = req.url?.split('?')[0] ?? '/';
+    const query = req.url?.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
+    const effectiveUrl = `${proto}://${host}${path}${query}`;
+    const forwardedFor = req.headers['x-forwarded-for']?.split(',')[0]?.trim();
+    const clientIp = forwardedFor || (req.socket?.remoteAddress);
+    return { url: effectiveUrl, clientIp };
+}

package/dist/core/server/proxy.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=proxy.test.d.ts.map

package/dist/core/server/proxy.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy.test.d.ts","sourceRoot":"","sources":["../../../src/core/server/proxy.test.ts"],"names":[],"mappings":""}

package/dist/core/server/proxy.test.js

@@ -0,0 +1,53 @@
+import { describe, it, expect } from 'vitest';
+import { getEffectiveRequest } from './proxy.js';
+function mockReq(overrides = {}) {
+    return {
+        url: overrides.url ?? '/api/health',
+        headers: overrides.headers ?? {},
+        socket: overrides.socket,
+    };
+}
+describe('getEffectiveRequest', () => {
+    it('returns req.url as-is when trustProxy is false', () => {
+        const req = mockReq({ url: '/api/health?foo=bar' });
+        const result = getEffectiveRequest(req, false);
+        expect(result.url).toBe('/api/health?foo=bar');
+        expect(result.clientIp).toBeUndefined();
+    });
+    it('returns req.url when trustProxy is true but no X-Forwarded-* headers', () => {
+        const req = mockReq({ url: '/api/health', headers: { host: 'localhost' } });
+        const result = getEffectiveRequest(req, true);
+        expect(result.url).toMatch(/^http:\/\/localhost\/api\/health/);
+        expect(result.clientIp).toBeUndefined();
+    });
+    it('builds effective URL from X-Forwarded-* when trustProxy is true', () => {
+        const req = mockReq({
+            url: '/api/users/1',
+            headers: {
+                'x-forwarded-proto': 'https',
+                'x-forwarded-host': 'api.example.com',
+                'x-forwarded-for': '1.2.3.4',
+            },
+        });
+        const result = getEffectiveRequest(req, true);
+        expect(result.url).toBe('https://api.example.com/api/users/1');
+        expect(result.clientIp).toBe('1.2.3.4');
+    });
+    it('uses first value when X-Forwarded-For has multiple entries', () => {
+        const req = mockReq({
+            url: '/api/health',
+            headers: { 'x-forwarded-for': '  client, proxy1, proxy2  ' },
+        });
+        const result = getEffectiveRequest(req, true);
+        expect(result.clientIp).toBe('client');
+    });
+    it('falls back to socket.remoteAddress for clientIp when no X-Forwarded-For', () => {
+        const req = mockReq({
+            url: '/api/health',
+            headers: { 'x-forwarded-proto': 'https', 'x-forwarded-host': 'api.example.com' },
+            socket: { remoteAddress: '192.168.1.1' },
+        });
+        const result = getEffectiveRequest(req, true);
+        expect(result.clientIp).toBe('192.168.1.1');
+    });
+});

package/dist/core/server/request-handler.d.ts

@@ -7,9 +7,22 @@ import type { Connect } from 'vite';
 import type { Route } from '../routing/route-types.js';
 import type { LoadedMiddleware } from '../middleware/get-applicable-middlewares.js';
 import type { SocketEmitter } from '../shared/vitek-app.js';
+/** Callback for beforeApiRequest hook. Call next() to continue, or send response and return without next() to short-circuit. */
+export type BeforeApiRequestHook = (ctx: {
+    req: IncomingMessage;
+    res: ServerResponse;
+    path: string;
+    method: string;
+}, next: () => void) => void | Promise<void>;
 export interface RequestHandlerOptions {
     routes: Route[];
     middlewares: LoadedMiddleware[];
+    /** Hooks called before each API request. Call next() to continue. */
+    beforeApiRequest?: BeforeApiRequestHook[];
+    /** Enable CORS. true or CorsOptions. When set, OPTIONS preflight and CORS headers on responses are handled. */
+    cors?: boolean | import('./cors.js').CorsOptions;
+    /** When true, trust X-Forwarded-* headers and set context.clientIp / effective url. */
+    trustProxy?: boolean;
     logger?: {
         routeMatched?(pattern: string, method: string): void;
         requestStart?(method: string, path: string): void;
@@ -21,9 +34,10 @@ export interface RequestHandlerOptions {
     shared?: {
         sockets: SocketEmitter;
     };
+    /** Max request body size in bytes. When exceeded, responds with 413 Payload Too Large. Omit for no limit. */
+    maxBodySize?: number;
+    /** Called when a non-HttpError is thrown. May send a custom response; if res is not ended, default 500 JSON is sent. */
+    onError?: (err: Error, req: IncomingMessage, res: ServerResponse) => void | Promise<void>;
 }
-/**
- * Creates a Connect-style middleware that handles /api/* requests using the given routes and middlewares.
- */
 export declare function createRequestHandler(options: RequestHandlerOptions): (req: IncomingMessage, res: ServerResponse, next: Connect.NextFunction) => Promise<void>;
 //# sourceMappingURL=request-handler.d.ts.map

package/dist/core/server/request-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"request-handler.d.ts","sourceRoot":"","sources":["../../../src/core/server/request-handler.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,MAAM,CAAC;AAC5D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAOpC,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAC;AACvD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,6CAA6C,CAAC;AACpF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAE5D,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,KAAK,EAAE,CAAC;IAChB,WAAW,EAAE,gBAAgB,EAAE,CAAC;IAChC,MAAM,CAAC,EAAE;QACP,YAAY,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;QACrD,YAAY,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;QAClD,OAAO,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACpF,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;QAC7D,KAAK,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;KAC/D,CAAC;IACF,6FAA6F;IAC7F,MAAM,CAAC,EAAE;QAAE,OAAO,EAAE,aAAa,CAAA;KAAE,CAAC;CACrC;AAID;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,qBAAqB,GAAG,CAAC,GAAG,EAAE,eAAe,EAAE,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,OAAO,CAAC,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAsJ7J"}
+{"version":3,"file":"request-handler.d.ts","sourceRoot":"","sources":["../../../src/core/server/request-handler.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,MAAM,CAAC;AAC5D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAOpC,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,2BAA2B,CAAC;AACvD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,6CAA6C,CAAC;AACpF,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAQ5D,gIAAgI;AAChI,MAAM,MAAM,oBAAoB,GAAG,CACjC,GAAG,EAAE;IAAE,GAAG,EAAE,eAAe,CAAC;IAAC,GAAG,EAAE,cAAc,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,EAChF,IAAI,EAAE,MAAM,IAAI,KACb,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE1B,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,KAAK,EAAE,CAAC;IAChB,WAAW,EAAE,gBAAgB,EAAE,CAAC;IAChC,qEAAqE;IACrE,gBAAgB,CAAC,EAAE,oBAAoB,EAAE,CAAC;IAC1C,+GAA+G;IAC/G,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,WAAW,EAAE,WAAW,CAAC;IACjD,uFAAuF;IACvF,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE;QACP,YAAY,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;QACrD,YAAY,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;QAClD,OAAO,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACpF,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;QAC7D,KAAK,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;KAC/D,CAAC;IACF,6FAA6F;IAC7F,MAAM,CAAC,EAAE;QAAE,OAAO,EAAE,aAAa,CAAA;KAAE,CAAC;IACpC,6GAA6G;IAC7G,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,wHAAwH;IACxH,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,eAAe,EAAE,GAAG,EAAE,cAAc,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3F;AA8BD,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,qBAAqB,GAAG,CAAC,GAAG,EAAE,eAAe,EAAE,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,OAAO,CAAC,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAoO7J"}

package/dist/core/server/request-handler.js

@@ -8,12 +8,32 @@ import { getApplicableMiddlewares } from '../middleware/get-applicable-middlewar
 import { compose } from '../middleware/compose.js';
 import { API_BASE_PATH } from '../../shared/constants.js';
 import { HttpError } from '../../shared/errors.js';
+import { normalizeCorsOptions, getCorsHeaders, } from './cors.js';
+import { getEffectiveRequest } from './proxy.js';
 const noop = () => { };
-/**
- * Creates a Connect-style middleware that handles /api/* requests using the given routes and middlewares.
- */
+function sanitizeHeaderValue(value) {
+    const s = Array.isArray(value)
+        ? value.map((v) => String(v).replace(/\r|\n/g, '')).join(', ')
+        : String(value).replace(/\r|\n/g, '');
+    return s;
+}
+function safeSetHeader(res, key, value) {
+    res.setHeader(key, sanitizeHeaderValue(value));
+}
+/** True if value is a Node.js Readable stream (has .pipe). Used for streaming response body. */
+function isReadableStream(value) {
+    return (value != null &&
+        typeof value === 'object' &&
+        typeof value.pipe === 'function');
+}
+function applyCorsHeaders(res, corsHeaders) {
+    for (const [key, value] of Object.entries(corsHeaders)) {
+        safeSetHeader(res, key, value);
+    }
+}
 export function createRequestHandler(options) {
-    const { routes, middlewares, logger, shared } = options;
+    const { routes, middlewares, beforeApiRequest = [], cors, trustProxy = false, logger, shared, maxBodySize, onError } = options;
+    const corsOpts = cors != null ? normalizeCorsOptions(cors) : null;
     const logRouteMatched = logger?.routeMatched ?? noop;
     const logRequestStart = logger?.requestStart ?? noop;
     const logRequest = logger?.request ?? noop;
@@ -29,105 +49,185 @@ export function createRequestHandler(options) {
         const startTime = Date.now();
         const requestMethod = req.method?.toLowerCase() || 'get';
         const requestPath = pathname;
+        const effective = getEffectiveRequest(req, trustProxy);
+        const requestUrl = effective.url || req.url;
+        if (corsOpts) {
+            const corsHeaders = getCorsHeaders(req, corsOpts);
+            applyCorsHeaders(res, corsHeaders);
+            if (req.method === 'OPTIONS') {
+                res.statusCode = 204;
+                res.end();
+                return;
+            }
+        }
         try {
-            const url = new URL(req.url, `http://${req.headers.host || 'localhost'}`);
+            const url = new URL(requestUrl, 'http://localhost');
             const routePath = url.pathname.replace(API_BASE_PATH, '') || '/';
             const method = requestMethod;
-            const match = matchRoute(routes, routePath, method);
-            if (!match) {
-                const duration = Date.now() - startTime;
-                res.statusCode = 404;
-                res.setHeader('Content-Type', 'application/json');
-                res.end(JSON.stringify({ error: 'Route not found' }));
-                logRequest(requestMethod, requestPath, 404, duration);
-                return;
-            }
-            logRouteMatched(match.route.pattern, method);
-            logRequestStart(requestMethod, requestPath);
-            const query = {};
-            url.searchParams.forEach((value, key) => {
-                if (query[key]) {
-                    const existing = query[key];
-                    query[key] = Array.isArray(existing) ? [...existing, value] : [existing, value];
+            const doHandleRequest = async () => {
+                const match = matchRoute(routes, routePath, method);
+                if (!match) {
+                    const duration = Date.now() - startTime;
+                    res.statusCode = 404;
+                    safeSetHeader(res, 'Content-Type', 'application/json');
+                    if (corsOpts)
+                        applyCorsHeaders(res, getCorsHeaders(req, corsOpts));
+                    res.end(JSON.stringify({ error: 'Route not found' }));
+                    logRequest(requestMethod, requestPath, 404, duration);
+                    return;
                 }
-                else {
-                    query[key] = value;
+                logRouteMatched(match.route.pattern, method);
+                logRequestStart(requestMethod, requestPath);
+                const query = {};
+                url.searchParams.forEach((value, key) => {
+                    if (query[key]) {
+                        const existing = query[key];
+                        query[key] = Array.isArray(existing) ? [...existing, value] : [existing, value];
+                    }
+                    else {
+                        query[key] = value;
+                    }
+                });
+                const PAYLOAD_TOO_LARGE_SENTINEL = Symbol('PAYLOAD_TOO_LARGE');
+                let body;
+                if (['post', 'put', 'patch'].includes(method)) {
+                    body = await new Promise((resolve, reject) => {
+                        const chunks = [];
+                        let totalSize = 0;
+                        const onData = (chunk) => {
+                            if (maxBodySize != null) {
+                                totalSize += chunk.length;
+                                if (totalSize > maxBodySize) {
+                                    req.removeListener('data', onData);
+                                    req.removeListener('end', onEnd);
+                                    req.destroy();
+                                    reject(new Error('PAYLOAD_TOO_LARGE'));
+                                    return;
+                                }
+                            }
+                            chunks.push(chunk);
+                        };
+                        const onEnd = () => {
+                            const rawBody = Buffer.concat(chunks).toString();
+                            if (!rawBody) {
+                                resolve(undefined);
+                                return;
+                            }
+                            try {
+                                resolve(JSON.parse(rawBody));
+                            }
+                            catch {
+                                resolve(rawBody);
+                            }
+                        };
+                        req.on('data', onData);
+                        req.on('end', onEnd);
+                    }).catch((err) => {
+                        if (err?.message === 'PAYLOAD_TOO_LARGE') {
+                            const duration = Date.now() - startTime;
+                            res.statusCode = 413;
+                            safeSetHeader(res, 'Content-Type', 'application/json');
+                            if (corsOpts)
+                                applyCorsHeaders(res, getCorsHeaders(req, corsOpts));
+                            res.end(JSON.stringify({ error: 'Payload Too Large' }));
+                            logRequest(requestMethod, requestPath, 413, duration);
+                            return PAYLOAD_TOO_LARGE_SENTINEL;
+                        }
+                        throw err;
+                    });
+                    if (body === PAYLOAD_TOO_LARGE_SENTINEL)
+                        return;
                 }
-            });
-            let body;
-            if (['post', 'put', 'patch'].includes(method)) {
-                body = await new Promise((resolve) => {
-                    const chunks = [];
-                    req.on('data', (chunk) => chunks.push(chunk));
-                    req.on('end', () => {
-                        const rawBody = Buffer.concat(chunks).toString();
-                        if (!rawBody) {
-                            resolve(undefined);
-                            return;
+                const context = createContext({
+                    url: requestUrl,
+                    method,
+                    headers: (req.headers || {}),
+                    body,
+                }, match.params, query);
+                if (effective.clientIp)
+                    context.clientIp = effective.clientIp;
+                if (shared?.sockets) {
+                    context.sockets = shared.sockets;
+                }
+                const applicableMiddlewares = getApplicableMiddlewares(middlewares, match.route.pattern);
+                const composed = compose(applicableMiddlewares);
+                const handler = async () => {
+                    const result = await match.route.handler(context);
+                    if (isVitekResponse(result)) {
+                        const response = result;
+                        const statusCode = response.status || 200;
+                        if (corsOpts)
+                            applyCorsHeaders(res, getCorsHeaders(req, corsOpts));
+                        if (response.headers) {
+                            for (const [key, value] of Object.entries(response.headers)) {
+                                safeSetHeader(res, key, value);
+                            }
                         }
-                        try {
-                            resolve(JSON.parse(rawBody));
+                        if (!response.headers || !response.headers['Content-Type']) {
+                            if (response.body !== undefined && !isReadableStream(response.body)) {
+                                safeSetHeader(res, 'Content-Type', 'application/json');
+                            }
                         }
-                        catch {
-                            resolve(rawBody);
+                        res.statusCode = statusCode;
+                        if (response.body === undefined) {
+                            res.end();
+                            logRequest(requestMethod, requestPath, statusCode, Date.now() - startTime);
                         }
-                    });
-                });
-            }
-            const context = createContext({
-                url: req.url,
-                method,
-                headers: (req.headers || {}),
-                body,
-            }, match.params, query);
-            if (shared?.sockets) {
-                context.sockets = shared.sockets;
-            }
-            const applicableMiddlewares = getApplicableMiddlewares(middlewares, match.route.pattern);
-            const composed = compose(applicableMiddlewares);
-            const handler = async () => {
-                const result = await match.route.handler(context);
-                if (isVitekResponse(result)) {
-                    const response = result;
-                    const statusCode = response.status || 200;
-                    if (response.headers) {
-                        for (const [key, value] of Object.entries(response.headers)) {
-                            res.setHeader(key, value);
+                        else if (isReadableStream(response.body)) {
+                            const stream = response.body;
+                            res.once('finish', () => logRequest(requestMethod, requestPath, statusCode, Date.now() - startTime));
+                            stream.pipe(res);
                         }
-                    }
-                    if (!response.headers || !response.headers['Content-Type']) {
-                        if (response.body !== undefined) {
-                            res.setHeader('Content-Type', 'application/json');
+                        else if (typeof response.body === 'string') {
+                            res.end(response.body);
+                            logRequest(requestMethod, requestPath, statusCode, Date.now() - startTime);
+                        }
+                        else {
+                            res.end(JSON.stringify(response.body));
+                            logRequest(requestMethod, requestPath, statusCode, Date.now() - startTime);
                         }
-                    }
-                    res.statusCode = statusCode;
-                    if (response.body === undefined) {
-                        res.end();
-                    }
-                    else if (typeof response.body === 'string') {
-                        res.end(response.body);
                     }
                     else {
-                        res.end(JSON.stringify(response.body));
+                        if (corsOpts)
+                            applyCorsHeaders(res, getCorsHeaders(req, corsOpts));
+                        safeSetHeader(res, 'Content-Type', 'application/json');
+                        res.statusCode = 200;
+                        res.end(JSON.stringify(result));
+                        logRequest(requestMethod, requestPath, 200, Date.now() - startTime);
                     }
-                    logRequest(requestMethod, requestPath, statusCode, Date.now() - startTime);
-                }
-                else {
-                    res.setHeader('Content-Type', 'application/json');
-                    res.statusCode = 200;
-                    res.end(JSON.stringify(result));
-                    logRequest(requestMethod, requestPath, 200, Date.now() - startTime);
-                }
+                };
+                await composed(context, handler);
             };
-            await composed(context, handler);
+            if (beforeApiRequest.length > 0) {
+                for (const hook of beforeApiRequest) {
+                    await new Promise((resolve, reject) => {
+                        let done = false;
+                        const next = () => { if (!done) {
+                            done = true;
+                            resolve();
+                        } };
+                        Promise.resolve(hook({ req, res, path: routePath, method }, next))
+                            .then(() => { if (!done && res.writableEnded) {
+                            done = true;
+                            resolve();
+                        } })
+                            .catch(reject);
+                    });
+                    if (res.writableEnded)
+                        return;
+                }
+            }
+            await doHandleRequest();
         }
         catch (error) {
             const duration = Date.now() - startTime;
+            if (corsOpts)
+                applyCorsHeaders(res, getCorsHeaders(req, corsOpts));
             if (error instanceof HttpError) {
                 const httpError = error;
                 logWarn(`HTTP Error ${httpError.statusCode}: ${httpError.message}`);
                 res.statusCode = httpError.statusCode;
-                res.setHeader('Content-Type', 'application/json');
+                safeSetHeader(res, 'Content-Type', 'application/json');
                 res.end(JSON.stringify({
                     error: httpError.name,
                     message: httpError.message,
@@ -136,10 +236,18 @@ export function createRequestHandler(options) {
                 logRequest(requestMethod, requestPath, httpError.statusCode, duration);
             }
             else {
-                const errorMessage = error instanceof Error ? error.message : String(error);
+                const err = error instanceof Error ? error : new Error(String(error));
+                if (onError) {
+                    await Promise.resolve(onError(err, req, res));
+                    if (res.writableEnded) {
+                        logRequest(requestMethod, requestPath, res.statusCode, duration);
+                        return;
+                    }
+                }
+                const errorMessage = err.message;
                 logError(`Error handling request: ${errorMessage}`);
                 res.statusCode = 500;
-                res.setHeader('Content-Type', 'application/json');
+                safeSetHeader(res, 'Content-Type', 'application/json');
                 res.end(JSON.stringify({
                     error: 'Internal server error',
                     message: errorMessage,