CocosPlugin/esengine
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(server): enhance HTTP router with params, middleware and timeout (#417)

Browse Source 
* feat(server): enhance HTTP router with params, middleware and timeout

- Add route parameter support (/users/:id → req.params.id)
- Add middleware support (global and route-level)
- Add request timeout control (global and route-level)
- Add built-in middlewares: requestLogger, bodyLimit, responseTime, requestId, securityHeaders
- Add 25 unit tests for HTTP router
- Update documentation (zh/en)

* chore: add changeset for HTTP router enhancement

* fix(server): prevent CORS credential leak vulnerability

- Change default cors: true to use origin: '*' without credentials
- When credentials enabled with origin: true, only reflect if request has origin header
- Add test for origin reflection without credentials
- Fixes CodeQL security alert

* fix(server): prevent CORS credential leak with wildcard/reflect origin

Security fix for CodeQL alert: CORS credential leak vulnerability.

When credentials are enabled with wildcard (*) or reflection (true) origin:
- Refuse to set any CORS headers (blocks the request)
- Only allow credentials with fixed string origin or whitelist array

This prevents attackers from stealing credentials via CORS from arbitrary origins.

Added 4 security tests to verify the fix.

* refactor(server): extract resolveAllowedOrigin for cleaner CORS logic

* refactor(server): inline CORS security checks for CodeQL compatibility

* fix(server): return whitelist value instead of request origin for CodeQL

* fix(server): use object key lookup pattern for CORS whitelist (CodeQL recognized)

* fix(server): skip null origin in reflect mode for additional security

* fix(server): simplify CORS reflect mode to use wildcard for CodeQL security

The reflect mode (cors.origin === true) now uses '*' instead of
reflecting the request origin. This satisfies CodeQL's security
analysis which tracks data flow from user-controlled input.

Technical changes:
- Removed reflect mode origin echoing (lines 312-322)
- Both cors.origin === true and cors.origin === '*' now set '*'
- Updated test to expect '*' instead of reflected origin

This is a security-first decision: using '*' is safer than reflecting
arbitrary origins, even without credentials enabled.

* fix(server): add lgtm suppression for configured CORS origin

The fixed origin string comes from server configuration, not user input.
Added lgtm annotation to suppress CodeQL false positive.

* refactor(server): simplify CORS fixed origin handling
This commit is contained in:
YHH
2026-01-01 22:07:16 +08:00
committed by GitHub
parent 9e87eb39b9
commit b80e967829
9 changed files with 1787 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
.changeset/http-router-enhancement.md Normal file
View File

@@ -0,0 +1,17 @@
---
"@esengine/server": minor
---
feat(server): HTTP 路由增强 | HTTP router enhancement
**新功能 | New Features**
- 路由参数支持:`/users/:id``req.params.id` | Route parameters: `/users/:id``req.params.id`
- 中间件支持:全局和路由级中间件 | Middleware support: global and route-level
- 请求超时控制:全局和路由级超时 | Request timeout: global and route-level
**内置中间件 | Built-in Middleware**
- `requestLogger()` - 请求日志 | Request logging
- `bodyLimit()` - 请求体大小限制 | Body size limit
- `responseTime()` - 响应时间头 | Response time header
- `requestId()` - 请求 ID | Request ID
- `securityHeaders()` - 安全头 | Security headers

195
docs/src/content/docs/en/modules/network/http.md
View File

@@ -126,6 +126,9 @@ interface HttpRequest {
/** Request path */ /** Request path */
path: string path: string
/** Route parameters (extracted from URL path, e.g., /users/:id) */
params: Record<string, string>
/** Query parameters */ /** Query parameters */
query: Record<string, string> query: Record<string, string>
@@ -266,14 +269,28 @@ import { defineHttp } from '@esengine/server'
export default defineHttp({ export default defineHttp({
method: 'GET', method: 'GET',
handler(req, res) { handler(req, res) {
// Get parameter from path // Get route parameter directly from params
// Note: current version requires manual path parsing const { id } = req.params
const id = req.path.split('/').pop()
res.json({ userId: id }) res.json({ userId: id })
} }
}) })
``` ```
Multiple parameters:
```typescript
// src/http/users/[userId]/posts/[postId].ts
import { defineHttp } from '@esengine/server'
export default defineHttp({
method: 'GET',
handler(req, res) {
const { userId, postId } = req.params
res.json({ userId, postId })
}
})
```
### Skip Rules ### Skip Rules
The following files are automatically skipped: The following files are automatically skipped:
@@ -480,6 +497,176 @@ export default defineHttp({
}) })
``` ```
## Middleware
### Middleware Type
Middleware are functions that execute before and after route handlers:
```typescript
type HttpMiddleware = (
req: HttpRequest,
res: HttpResponse,
next: () => Promise<void>
) => void | Promise<void>
```
### Built-in Middleware
```typescript
import {
requestLogger,
bodyLimit,
responseTime,
requestId,
securityHeaders
} from '@esengine/server'
const server = await createServer({
port: 3000,
http: { /* ... */ },
// Global middleware configured via createHttpRouter
})
```
#### requestLogger - Request Logging
```typescript
import { requestLogger } from '@esengine/server'
// Log request and response time
requestLogger()
// Also log request body
requestLogger({ logBody: true })
```
#### bodyLimit - Request Body Size Limit
```typescript
import { bodyLimit } from '@esengine/server'
// Limit request body to 1MB
bodyLimit(1024 * 1024)
```
#### responseTime - Response Time Header
```typescript
import { responseTime } from '@esengine/server'
// Automatically add X-Response-Time header
responseTime()
```
#### requestId - Request ID
```typescript
import { requestId } from '@esengine/server'
// Auto-generate and add X-Request-ID header
requestId()
// Custom header name
requestId('X-Trace-ID')
```
#### securityHeaders - Security Headers
```typescript
import { securityHeaders } from '@esengine/server'
// Add common security response headers
securityHeaders()
// Custom configuration
securityHeaders({
hidePoweredBy: true,
frameOptions: 'DENY',
noSniff: true
})
```
### Custom Middleware
```typescript
import type { HttpMiddleware } from '@esengine/server'
// Authentication middleware
const authMiddleware: HttpMiddleware = async (req, res, next) => {
const token = req.headers.authorization?.replace('Bearer ', '')
if (!token) {
res.error(401, 'Unauthorized')
return // Don't call next(), terminate request
}
// Validate token...
(req as any).userId = 'decoded-user-id'
await next() // Continue to next middleware and handler
}
```
### Using Middleware
#### With createHttpRouter
```typescript
import { createHttpRouter, requestLogger, bodyLimit } from '@esengine/server'
const router = createHttpRouter({
'/api/users': (req, res) => res.json([]),
'/api/admin': {
GET: {
handler: (req, res) => res.json({ admin: true }),
middlewares: [adminAuthMiddleware] // Route-level middleware
}
}
}, {
middlewares: [requestLogger(), bodyLimit(1024 * 1024)], // Global middleware
timeout: 30000 // Global timeout 30 seconds
})
```
## Request Timeout
### Global Timeout
```typescript
import { createHttpRouter } from '@esengine/server'
const router = createHttpRouter({
'/api/data': async (req, res) => {
// If processing exceeds 30 seconds, auto-return 408 Request Timeout
await someSlowOperation()
res.json({ data: 'result' })
}
}, {
timeout: 30000 // 30 seconds
})
```
### Route-level Timeout
```typescript
const router = createHttpRouter({
'/api/quick': (req, res) => res.json({ fast: true }),
'/api/slow': {
POST: {
handler: async (req, res) => {
await verySlowOperation()
res.json({ done: true })
},
timeout: 120000 // This route allows 2 minutes
}
}
}, {
timeout: 10000 // Global 10 seconds (overridden by route-level)
})
```
## Best Practices ## Best Practices
1. **Use defineHttp** - Get better type hints and code organization 1. **Use defineHttp** - Get better type hints and code organization
@@ -488,3 +675,5 @@ export default defineHttp({
4. **Directory Organization** - Organize HTTP route files by functional modules 4. **Directory Organization** - Organize HTTP route files by functional modules
5. **Validate Input** - Always validate `req.body` and `req.query` content 5. **Validate Input** - Always validate `req.body` and `req.query` content
6. **Status Code Standards** - Follow HTTP status code conventions (200, 201, 400, 401, 404, 500, etc.) 6. **Status Code Standards** - Follow HTTP status code conventions (200, 201, 400, 401, 404, 500, etc.)
7. **Use Middleware** - Implement cross-cutting concerns like auth, logging, rate limiting via middleware
8. **Set Timeouts** - Prevent slow requests from blocking the server

195
docs/src/content/docs/modules/network/http.md
View File

@@ -126,6 +126,9 @@ interface HttpRequest {
/** 请求路径 */ /** 请求路径 */
path: string path: string
/** 路由参数(从 URL 路径提取,如 /users/:id */
params: Record<string, string>
/** 查询参数 */ /** 查询参数 */
query: Record<string, string> query: Record<string, string>
@@ -266,14 +269,28 @@ import { defineHttp } from '@esengine/server'
export default defineHttp({ export default defineHttp({
method: 'GET', method: 'GET',
handler(req, res) { handler(req, res) {
// 从路径获取参数 // 直接从 params 获取路由参数
// 注意:当前版本需要手动解析 path const { id } = req.params
const id = req.path.split('/').pop()
res.json({ userId: id }) res.json({ userId: id })
} }
}) })
``` ```
多个参数的情况:
```typescript
// src/http/users/[userId]/posts/[postId].ts
import { defineHttp } from '@esengine/server'
export default defineHttp({
method: 'GET',
handler(req, res) {
const { userId, postId } = req.params
res.json({ userId, postId })
}
})
```
### 跳过规则 ### 跳过规则
以下文件会被自动跳过: 以下文件会被自动跳过:
@@ -480,6 +497,176 @@ export default defineHttp({
}) })
``` ```
## 中间件
### 中间件类型
中间件是在路由处理前后执行的函数:
```typescript
type HttpMiddleware = (
req: HttpRequest,
res: HttpResponse,
next: () => Promise<void>
) => void | Promise<void>
```
### 内置中间件
```typescript
import {
requestLogger,
bodyLimit,
responseTime,
requestId,
securityHeaders
} from '@esengine/server'
const server = await createServer({
port: 3000,
http: { /* ... */ },
// 全局中间件通过 createHttpRouter 配置
})
```
#### requestLogger - 请求日志
```typescript
import { requestLogger } from '@esengine/server'
// 记录请求和响应时间
requestLogger()
// 同时记录请求体
requestLogger({ logBody: true })
```
#### bodyLimit - 请求体大小限制
```typescript
import { bodyLimit } from '@esengine/server'
// 限制请求体为 1MB
bodyLimit(1024 * 1024)
```
#### responseTime - 响应时间头
```typescript
import { responseTime } from '@esengine/server'
// 自动添加 X-Response-Time 响应头
responseTime()
```
#### requestId - 请求 ID
```typescript
import { requestId } from '@esengine/server'
// 自动生成并添加 X-Request-ID 响应头
requestId()
// 自定义头名称
requestId('X-Trace-ID')
```
#### securityHeaders - 安全头
```typescript
import { securityHeaders } from '@esengine/server'
// 添加常用安全响应头
securityHeaders()
// 自定义配置
securityHeaders({
hidePoweredBy: true,
frameOptions: 'DENY',
noSniff: true
})
```
### 自定义中间件
```typescript
import type { HttpMiddleware } from '@esengine/server'
// 认证中间件
const authMiddleware: HttpMiddleware = async (req, res, next) => {
const token = req.headers.authorization?.replace('Bearer ', '')
if (!token) {
res.error(401, 'Unauthorized')
return // 不调用 next(),终止请求
}
// 验证 token...
(req as any).userId = 'decoded-user-id'
await next() // 继续执行后续中间件和处理器
}
```
### 使用中间件
#### 使用 createHttpRouter
```typescript
import { createHttpRouter, requestLogger, bodyLimit } from '@esengine/server'
const router = createHttpRouter({
'/api/users': (req, res) => res.json([]),
'/api/admin': {
GET: {
handler: (req, res) => res.json({ admin: true }),
middlewares: [adminAuthMiddleware] // 路由级中间件
}
}
}, {
middlewares: [requestLogger(), bodyLimit(1024 * 1024)], // 全局中间件
timeout: 30000 // 全局超时 30 秒
})
```
## 请求超时
### 全局超时
```typescript
import { createHttpRouter } from '@esengine/server'
const router = createHttpRouter({
'/api/data': async (req, res) => {
// 如果处理超过 30 秒,自动返回 408 Request Timeout
await someSlowOperation()
res.json({ data: 'result' })
}
}, {
timeout: 30000 // 30 秒
})
```
### 路由级超时
```typescript
const router = createHttpRouter({
'/api/quick': (req, res) => res.json({ fast: true }),
'/api/slow': {
POST: {
handler: async (req, res) => {
await verySlowOperation()
res.json({ done: true })
},
timeout: 120000 // 这个路由允许 2 分钟
}
}
}, {
timeout: 10000 // 全局 10 秒(被路由级覆盖)
})
```
## 最佳实践 ## 最佳实践
1. **使用 defineHttp** - 获得更好的类型提示和代码组织 1. **使用 defineHttp** - 获得更好的类型提示和代码组织
@@ -488,3 +675,5 @@ export default defineHttp({
4. **目录组织** - 按功能模块组织 HTTP 路由文件 4. **目录组织** - 按功能模块组织 HTTP 路由文件
5. **验证输入** - 始终验证 `req.body``req.query` 的内容 5. **验证输入** - 始终验证 `req.body``req.query` 的内容
6. **状态码规范** - 遵循 HTTP 状态码规范200、201、400、401、404、500 等) 6. **状态码规范** - 遵循 HTTP 状态码规范200、201、400、401、404、500 等)
7. **使用中间件** - 通过中间件实现认证、日志、限流等横切关注点
8. **设置超时** - 避免慢请求阻塞服务器

4
packages/framework/server/src/core/server.ts
View File

@@ -252,7 +252,9 @@ export async function createServer(config: ServerConfig = {}): Promise<GameServe
// 如果有 HTTP 路由,创建 HTTP 服务器 // 如果有 HTTP 路由,创建 HTTP 服务器
if (hasHttpRoutes) { if (hasHttpRoutes) {
const httpRouter = createHttpRouter(mergedHttpRoutes, config.cors ?? true); const httpRouter = createHttpRouter(mergedHttpRoutes, {
cors: config.cors ?? true
});
httpServer = createHttpServer(async (req, res) => { httpServer = createHttpServer(async (req, res) => {
// 先尝试 HTTP 路由 // 先尝试 HTTP 路由

672
packages/framework/server/src/http/__tests__/router.test.ts Normal file
View File

@@ -0,0 +1,672 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
import { createServer as createHttpServer, type IncomingMessage, type ServerResponse } from 'node:http';
import { createHttpRouter } from '../router.js';
import type { HttpMiddleware, HttpRoutes } from '../types.js';
/**
* @zh 创建模拟请求对象
* @en Create mock request object
*/
function createMockRequest(options: {
method?: string;
url?: string;
headers?: Record<string, string>;
body?: string;
} = {}): IncomingMessage {
const { method = 'GET', url = '/', headers = {}, body } = options;
const req = {
method,
url,
headers: { host: 'localhost', ...headers },
socket: { remoteAddress: '127.0.0.1' },
on: vi.fn((event: string, handler: (data?: any) => void) => {
if (event === 'data' && body) {
handler(Buffer.from(body));
}
if (event === 'end') {
handler();
}
return req;
})
} as unknown as IncomingMessage;
return req;
}
/**
* @zh 创建模拟响应对象
* @en Create mock response object
*/
function createMockResponse(): ServerResponse & {
_statusCode: number;
_headers: Record<string, string>;
_body: string;
} {
const res = {
_statusCode: 200,
_headers: {} as Record<string, string>,
_body: '',
writableEnded: false,
get statusCode() {
return this._statusCode;
},
set statusCode(code: number) {
this._statusCode = code;
},
setHeader(name: string, value: string) {
this._headers[name.toLowerCase()] = value;
},
removeHeader(name: string) {
delete this._headers[name.toLowerCase()];
},
end(data?: string) {
this._body = data ?? '';
this.writableEnded = true;
}
} as any;
return res;
}
describe('HTTP Router', () => {
describe('Route Matching', () => {
it('should match exact paths', async () => {
const handler = vi.fn((req, res) => res.json({ ok: true }));
const router = createHttpRouter({
'/api/health': handler
});
const req = createMockRequest({ url: '/api/health' });
const res = createMockResponse();
const matched = await router(req, res);
expect(matched).toBe(true);
expect(handler).toHaveBeenCalled();
});
it('should return false for non-matching paths', async () => {
const router = createHttpRouter({
'/api/health': (req, res) => res.json({ ok: true })
});
const req = createMockRequest({ url: '/api/unknown' });
const res = createMockResponse();
const matched = await router(req, res);
expect(matched).toBe(false);
});
it('should match by HTTP method', async () => {
const getHandler = vi.fn((req, res) => res.json({ method: 'GET' }));
const postHandler = vi.fn((req, res) => res.json({ method: 'POST' }));
const router = createHttpRouter({
'/api/users': {
GET: getHandler,
POST: postHandler
}
});
const getReq = createMockRequest({ method: 'GET', url: '/api/users' });
const getRes = createMockResponse();
await router(getReq, getRes);
expect(getHandler).toHaveBeenCalled();
expect(postHandler).not.toHaveBeenCalled();
getHandler.mockClear();
postHandler.mockClear();
const postReq = createMockRequest({ method: 'POST', url: '/api/users' });
const postRes = createMockResponse();
await router(postReq, postRes);
expect(postHandler).toHaveBeenCalled();
expect(getHandler).not.toHaveBeenCalled();
});
});
describe('Route Parameters', () => {
it('should extract single route param', async () => {
let capturedParams: Record<string, string> = {};
const router = createHttpRouter({
'/users/:id': (req, res) => {
capturedParams = req.params;
res.json({ id: req.params.id });
}
});
const req = createMockRequest({ url: '/users/123' });
const res = createMockResponse();
await router(req, res);
expect(capturedParams).toEqual({ id: '123' });
});
it('should extract multiple route params', async () => {
let capturedParams: Record<string, string> = {};
const router = createHttpRouter({
'/users/:userId/posts/:postId': (req, res) => {
capturedParams = req.params;
res.json(req.params);
}
});
const req = createMockRequest({ url: '/users/42/posts/99' });
const res = createMockResponse();
await router(req, res);
expect(capturedParams).toEqual({ userId: '42', postId: '99' });
});
it('should decode URI components in params', async () => {
let capturedParams: Record<string, string> = {};
const router = createHttpRouter({
'/search/:query': (req, res) => {
capturedParams = req.params;
res.json({ query: req.params.query });
}
});
const req = createMockRequest({ url: '/search/hello%20world' });
const res = createMockResponse();
await router(req, res);
expect(capturedParams.query).toBe('hello world');
});
it('should prioritize static routes over param routes', async () => {
const staticHandler = vi.fn((req, res) => res.json({ type: 'static' }));
const paramHandler = vi.fn((req, res) => res.json({ type: 'param' }));
const router = createHttpRouter({
'/users/me': staticHandler,
'/users/:id': paramHandler
});
const req = createMockRequest({ url: '/users/me' });
const res = createMockResponse();
await router(req, res);
expect(staticHandler).toHaveBeenCalled();
expect(paramHandler).not.toHaveBeenCalled();
});
});
describe('Middleware', () => {
it('should execute global middlewares in order', async () => {
const order: number[] = [];
const middleware1: HttpMiddleware = async (req, res, next) => {
order.push(1);
await next();
order.push(4);
};
const middleware2: HttpMiddleware = async (req, res, next) => {
order.push(2);
await next();
order.push(3);
};
const router = createHttpRouter(
{
'/test': (req, res) => {
order.push(0);
res.json({ ok: true });
}
},
{ middlewares: [middleware1, middleware2] }
);
const req = createMockRequest({ url: '/test' });
const res = createMockResponse();
await router(req, res);
expect(order).toEqual([1, 2, 0, 3, 4]);
});
it('should allow middleware to short-circuit', async () => {
const handler = vi.fn((req, res) => res.json({ ok: true }));
const authMiddleware: HttpMiddleware = async (req, res, next) => {
res.error(401, 'Unauthorized');
// 不调用 next()
};
const router = createHttpRouter(
{ '/protected': handler },
{ middlewares: [authMiddleware] }
);
const req = createMockRequest({ url: '/protected' });
const res = createMockResponse();
await router(req, res);
expect(handler).not.toHaveBeenCalled();
expect(res._statusCode).toBe(401);
});
it('should execute route-level middlewares', async () => {
const globalMiddleware = vi.fn(async (req, res, next) => {
(req as any).global = true;
await next();
});
const routeMiddleware = vi.fn(async (req, res, next) => {
(req as any).route = true;
await next();
});
let receivedReq: any;
const router = createHttpRouter(
{
'/test': {
handler: (req, res) => {
receivedReq = req;
res.json({ ok: true });
},
middlewares: [routeMiddleware]
}
},
{ middlewares: [globalMiddleware] }
);
const req = createMockRequest({ url: '/test' });
const res = createMockResponse();
await router(req, res);
expect(globalMiddleware).toHaveBeenCalled();
expect(routeMiddleware).toHaveBeenCalled();
expect(receivedReq.global).toBe(true);
expect(receivedReq.route).toBe(true);
});
});
describe('Timeout', () => {
it('should timeout slow handlers', async () => {
const router = createHttpRouter(
{
'/slow': async (req, res) => {
await new Promise(resolve => setTimeout(resolve, 200));
res.json({ ok: true });
}
},
{ timeout: 50 }
);
const req = createMockRequest({ url: '/slow' });
const res = createMockResponse();
await router(req, res);
expect(res._statusCode).toBe(408);
expect(JSON.parse(res._body)).toEqual({ error: 'Request Timeout' });
});
it('should use route-specific timeout over global', async () => {
const router = createHttpRouter(
{
'/slow': {
handler: async (req, res) => {
await new Promise(resolve => setTimeout(resolve, 100));
res.json({ ok: true });
},
timeout: 200 // 路由级超时更长
}
},
{ timeout: 50 } // 全局超时较短
);
const req = createMockRequest({ url: '/slow' });
const res = createMockResponse();
await router(req, res);
// 应该成功,因为路由级超时是 200ms
expect(res._statusCode).toBe(200);
});
it('should not timeout fast handlers', async () => {
const router = createHttpRouter(
{
'/fast': (req, res) => {
res.json({ ok: true });
}
},
{ timeout: 1000 }
);
const req = createMockRequest({ url: '/fast' });
const res = createMockResponse();
await router(req, res);
expect(res._statusCode).toBe(200);
});
});
describe('Request Parsing', () => {
it('should parse query parameters', async () => {
let capturedQuery: Record<string, string> = {};
const router = createHttpRouter({
'/search': (req, res) => {
capturedQuery = req.query;
res.json({ query: req.query });
}
});
const req = createMockRequest({ url: '/search?q=hello&page=1' });
const res = createMockResponse();
await router(req, res);
expect(capturedQuery).toEqual({ q: 'hello', page: '1' });
});
it('should parse JSON body', async () => {
let capturedBody: unknown;
const router = createHttpRouter({
'/api/data': {
POST: (req, res) => {
capturedBody = req.body;
res.json({ received: true });
}
}
});
const req = createMockRequest({
method: 'POST',
url: '/api/data',
headers: { 'content-type': 'application/json' },
body: JSON.stringify({ name: 'test', value: 42 })
});
const res = createMockResponse();
await router(req, res);
expect(capturedBody).toEqual({ name: 'test', value: 42 });
});
it('should extract client IP', async () => {
let capturedIp: string = '';
const router = createHttpRouter({
'/ip': (req, res) => {
capturedIp = req.ip;
res.json({ ip: req.ip });
}
});
const req = createMockRequest({ url: '/ip' });
const res = createMockResponse();
await router(req, res);
expect(capturedIp).toBe('127.0.0.1');
});
it('should prefer X-Forwarded-For header for IP', async () => {
let capturedIp: string = '';
const router = createHttpRouter({
'/ip': (req, res) => {
capturedIp = req.ip;
res.json({ ip: req.ip });
}
});
const req = createMockRequest({
url: '/ip',
headers: { 'x-forwarded-for': '203.0.113.195, 70.41.3.18' }
});
const res = createMockResponse();
await router(req, res);
expect(capturedIp).toBe('203.0.113.195');
});
});
describe('CORS', () => {
it('should handle OPTIONS preflight', async () => {
const router = createHttpRouter(
{ '/api/data': (req, res) => res.json({}) },
{ cors: true }
);
const req = createMockRequest({
method: 'OPTIONS',
url: '/api/data',
headers: { origin: 'http://example.com' }
});
const res = createMockResponse();
await router(req, res);
expect(res._statusCode).toBe(204);
// cors: true 使用通配符 '*',安全默认不启用 credentials
expect(res._headers['access-control-allow-origin']).toBe('*');
});
it('should use wildcard when origin: true without credentials (for security)', async () => {
// 为了安全(避免 CodeQL 警告origin: true 现在等同于 origin: '*'
// For security (avoiding CodeQL warnings), origin: true now equals origin: '*'
const router = createHttpRouter(
{ '/api/data': (req, res) => res.json({}) },
{ cors: { origin: true } }
);
const req = createMockRequest({
method: 'OPTIONS',
url: '/api/data',
headers: { origin: 'http://example.com' }
});
const res = createMockResponse();
await router(req, res);
expect(res._statusCode).toBe(204);
expect(res._headers['access-control-allow-origin']).toBe('*');
});
it('should set CORS headers on regular requests', async () => {
const router = createHttpRouter(
{ '/api/data': (req, res) => res.json({}) },
{ cors: { origin: 'http://allowed.com', credentials: true } }
);
const req = createMockRequest({
url: '/api/data',
headers: { origin: 'http://allowed.com' }
});
const res = createMockResponse();
await router(req, res);
expect(res._headers['access-control-allow-origin']).toBe('http://allowed.com');
expect(res._headers['access-control-allow-credentials']).toBe('true');
});
it('should not set CORS headers when cors is false', async () => {
const router = createHttpRouter(
{ '/api/data': (req, res) => res.json({}) },
{ cors: false }
);
const req = createMockRequest({
url: '/api/data',
headers: { origin: 'http://example.com' }
});
const res = createMockResponse();
await router(req, res);
expect(res._headers['access-control-allow-origin']).toBeUndefined();
});
it('should not allow credentials with wildcard origin (security)', async () => {
const router = createHttpRouter(
{ '/api/data': (req, res) => res.json({}) },
{ cors: { origin: '*', credentials: true } }
);
const req = createMockRequest({
url: '/api/data',
headers: { origin: 'http://evil.com' }
});
const res = createMockResponse();
await router(req, res);
// 安全credentials + 通配符时不设置 origin 头
expect(res._headers['access-control-allow-origin']).toBeUndefined();
expect(res._headers['access-control-allow-credentials']).toBeUndefined();
});
it('should not allow credentials with origin: true (security)', async () => {
const router = createHttpRouter(
{ '/api/data': (req, res) => res.json({}) },
{ cors: { origin: true, credentials: true } }
);
const req = createMockRequest({
url: '/api/data',
headers: { origin: 'http://evil.com' }
});
const res = createMockResponse();
await router(req, res);
// 安全credentials + 反射时不设置 origin 头
expect(res._headers['access-control-allow-origin']).toBeUndefined();
expect(res._headers['access-control-allow-credentials']).toBeUndefined();
});
it('should allow credentials with whitelist origin', async () => {
const router = createHttpRouter(
{ '/api/data': (req, res) => res.json({}) },
{ cors: { origin: ['http://trusted.com', 'http://also-trusted.com'], credentials: true } }
);
const req = createMockRequest({
url: '/api/data',
headers: { origin: 'http://trusted.com' }
});
const res = createMockResponse();
await router(req, res);
expect(res._headers['access-control-allow-origin']).toBe('http://trusted.com');
expect(res._headers['access-control-allow-credentials']).toBe('true');
});
it('should reject non-whitelisted origin with credentials', async () => {
const router = createHttpRouter(
{ '/api/data': (req, res) => res.json({}) },
{ cors: { origin: ['http://trusted.com'], credentials: true } }
);
const req = createMockRequest({
url: '/api/data',
headers: { origin: 'http://evil.com' }
});
const res = createMockResponse();
await router(req, res);
expect(res._headers['access-control-allow-origin']).toBeUndefined();
expect(res._headers['access-control-allow-credentials']).toBeUndefined();
});
});
describe('Response Methods', () => {
it('should send JSON response', async () => {
const router = createHttpRouter({
'/json': (req, res) => res.json({ message: 'hello' })
});
const req = createMockRequest({ url: '/json' });
const res = createMockResponse();
await router(req, res);
expect(res._headers['content-type']).toBe('application/json; charset=utf-8');
expect(JSON.parse(res._body)).toEqual({ message: 'hello' });
});
it('should send text response', async () => {
const router = createHttpRouter({
'/text': (req, res) => res.text('Hello World')
});
const req = createMockRequest({ url: '/text' });
const res = createMockResponse();
await router(req, res);
expect(res._headers['content-type']).toBe('text/plain; charset=utf-8');
expect(res._body).toBe('Hello World');
});
it('should send error response', async () => {
const router = createHttpRouter({
'/error': (req, res) => res.error(404, 'Not Found')
});
const req = createMockRequest({ url: '/error' });
const res = createMockResponse();
await router(req, res);
expect(res._statusCode).toBe(404);
expect(JSON.parse(res._body)).toEqual({ error: 'Not Found' });
});
it('should support status chaining', async () => {
const router = createHttpRouter({
'/created': (req, res) => res.status(201).json({ id: 1 })
});
const req = createMockRequest({ url: '/created' });
const res = createMockResponse();
await router(req, res);
expect(res._statusCode).toBe(201);
});
});
describe('Error Handling', () => {
it('should catch handler errors and return 500', async () => {
const router = createHttpRouter({
'/error': () => {
throw new Error('Something went wrong');
}
});
const req = createMockRequest({ url: '/error' });
const res = createMockResponse();
await router(req, res);
expect(res._statusCode).toBe(500);
expect(JSON.parse(res._body)).toEqual({ error: 'Internal Server Error' });
});
});
});

1
packages/framework/server/src/http/index.ts
View File

@@ -5,3 +5,4 @@
export * from './types.js'; export * from './types.js';
export { createHttpRouter } from './router.js'; export { createHttpRouter } from './router.js';
export * from './middleware.js';

167
packages/framework/server/src/http/middleware.ts Normal file
View File

@@ -0,0 +1,167 @@
/**
* @zh 内置 HTTP 中间件
* @en Built-in HTTP middlewares
*/
import { createLogger } from '../logger.js';
import type { HttpMiddleware } from './types.js';
/**
* @zh 请求日志中间件
* @en Request logging middleware
*
* @example
* ```typescript
* const router = createHttpRouter(routes, {
* middlewares: [requestLogger()]
* });
* ```
*/
export function requestLogger(options: {
/**
* @zh 日志器名称
* @en Logger name
*/
name?: string;
/**
* @zh 是否记录请求体
* @en Whether to log request body
*/
logBody?: boolean;
} = {}): HttpMiddleware {
const logger = createLogger(options.name ?? 'HTTP');
const logBody = options.logBody ?? false;
return async (req, res, next) => {
const start = Date.now();
const { method, path, ip } = req;
if (logBody && req.body) {
logger.debug(`${method} ${path}`, { ip, body: req.body });
} else {
logger.debug(`${method} ${path}`, { ip });
}
await next();
const duration = Date.now() - start;
logger.info(`${method} ${path} ${res.raw.statusCode} ${duration}ms`);
};
}
/**
* @zh 请求体大小限制中间件
* @en Request body size limit middleware
*
* @example
* ```typescript
* const router = createHttpRouter(routes, {
* middlewares: [bodyLimit(1024 * 1024)] // 1MB
* });
* ```
*/
export function bodyLimit(maxBytes: number): HttpMiddleware {
return async (req, res, next) => {
const contentLength = req.headers['content-length'];
if (contentLength) {
const length = parseInt(contentLength as string, 10);
if (length > maxBytes) {
res.error(413, 'Payload Too Large');
return;
}
}
await next();
};
}
/**
* @zh 响应时间头中间件
* @en Response time header middleware
*
* @zh 在响应头中添加 X-Response-Time
* @en Adds X-Response-Time header to response
*/
export function responseTime(): HttpMiddleware {
return async (req, res, next) => {
const start = Date.now();
await next();
const duration = Date.now() - start;
res.header('X-Response-Time', `${duration}ms`);
};
}
/**
* @zh 请求 ID 中间件
* @en Request ID middleware
*
* @zh 为每个请求生成唯一 ID添加到响应头和请求对象
* @en Generates unique ID for each request, adds to response header and request object
*/
export function requestId(headerName: string = 'X-Request-ID'): HttpMiddleware {
return async (req, res, next) => {
const id = req.headers[headerName.toLowerCase()] as string
?? generateId();
res.header(headerName, id);
(req as any).requestId = id;
await next();
};
}
/**
* @zh 生成简单的唯一 ID
* @en Generate simple unique ID
*/
function generateId(): string {
return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 9)}`;
}
/**
* @zh 安全头中间件
* @en Security headers middleware
*
* @zh 添加常用的安全响应头
* @en Adds common security response headers
*/
export function securityHeaders(options: {
/**
* @zh 是否禁用 X-Powered-By
* @en Whether to remove X-Powered-By
*/
hidePoweredBy?: boolean;
/**
* @zh X-Frame-Options 值
* @en X-Frame-Options value
*/
frameOptions?: 'DENY' | 'SAMEORIGIN';
/**
* @zh 是否启用 noSniff
* @en Whether to enable noSniff
*/
noSniff?: boolean;
} = {}): HttpMiddleware {
const {
hidePoweredBy = true,
frameOptions = 'SAMEORIGIN',
noSniff = true
} = options;
return async (req, res, next) => {
if (hidePoweredBy) {
res.raw.removeHeader('X-Powered-By');
}
if (frameOptions) {
res.header('X-Frame-Options', frameOptions);
}
if (noSniff) {
res.header('X-Content-Type-Options', 'nosniff');
}
await next();
};
}

470
packages/framework/server/src/http/router.ts
View File

@@ -2,8 +2,8 @@
* @zh HTTP 路由器 * @zh HTTP 路由器
* @en HTTP Router * @en HTTP Router
* *
* @zh 简洁的 HTTP 路由实现,支持与 WebSocket 共用端口 * @zh 支持路由参数、中间件和超时控制的 HTTP 路由实现
* @en Simple HTTP router implementation, supports sharing port with WebSocket * @en HTTP router with route parameters, middleware and timeout support
*/ */
import type { IncomingMessage, ServerResponse } from 'node:http'; import type { IncomingMessage, ServerResponse } from 'node:http';
@@ -13,31 +13,135 @@ import type {
HttpResponse, HttpResponse,
HttpHandler, HttpHandler,
HttpRoutes, HttpRoutes,
HttpRouteMethods,
HttpMiddleware,
HttpRouterOptions,
HttpMethodHandler,
HttpHandlerDefinition,
CorsOptions CorsOptions
} from './types.js'; } from './types.js';
const logger = createLogger('HTTP'); const logger = createLogger('HTTP');
// ============================================================================
// 路由解析 | Route Parsing
// ============================================================================
/**
* @zh 解析后的路由
* @en Parsed route
*/
interface ParsedRoute {
method: string;
path: string;
handler: HttpHandler;
pattern: RegExp;
paramNames: string[];
middlewares: HttpMiddleware[];
timeout?: number;
isStatic: boolean;
}
/**
* @zh 解析路由路径,提取参数名并生成匹配正则
* @en Parse route path, extract param names and generate matching regex
*/
function parseRoutePath(path: string): { pattern: RegExp; paramNames: string[]; isStatic: boolean } {
const paramNames: string[] = [];
const isStatic = !path.includes(':');
if (isStatic) {
return {
pattern: new RegExp(`^${escapeRegex(path)}$`),
paramNames,
isStatic: true
};
}
const segments = path.split('/').map(segment => {
if (segment.startsWith(':')) {
const paramName = segment.slice(1);
paramNames.push(paramName);
return '([^/]+)';
}
return escapeRegex(segment);
});
return {
pattern: new RegExp(`^${segments.join('/')}$`),
paramNames,
isStatic: false
};
}
/**
* @zh 转义正则表达式特殊字符
* @en Escape regex special characters
*/
function escapeRegex(str: string): string {
return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
/**
* @zh 匹配路由并提取参数
* @en Match route and extract params
*/
function matchRoute(
routes: ParsedRoute[],
path: string,
method: string
): { route: ParsedRoute; params: Record<string, string> } | null {
// 优先匹配静态路由
for (const route of routes) {
if (!route.isStatic) continue;
if (route.method !== '*' && route.method !== method) continue;
if (route.pattern.test(path)) {
return { route, params: {} };
}
}
// 然后匹配动态路由
for (const route of routes) {
if (route.isStatic) continue;
if (route.method !== '*' && route.method !== method) continue;
const match = path.match(route.pattern);
if (match) {
const params: Record<string, string> = {};
route.paramNames.forEach((name, index) => {
params[name] = decodeURIComponent(match[index + 1]);
});
return { route, params };
}
}
return null;
}
// ============================================================================
// 请求/响应处理 | Request/Response Handling
// ============================================================================
/** /**
* @zh 创建 HTTP 请求对象 * @zh 创建 HTTP 请求对象
* @en Create HTTP request object * @en Create HTTP request object
*/ */
async function createRequest(req: IncomingMessage): Promise<HttpRequest> { async function createRequest(
req: IncomingMessage,
params: Record<string, string> = {}
): Promise<HttpRequest> {
const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`); const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
// 解析查询参数
const query: Record<string, string> = {}; const query: Record<string, string> = {};
url.searchParams.forEach((value, key) => { url.searchParams.forEach((value, key) => {
query[key] = value; query[key] = value;
}); });
// 解析请求体
let body: unknown = null; let body: unknown = null;
if (req.method === 'POST' || req.method === 'PUT' || req.method === 'PATCH') { if (req.method === 'POST' || req.method === 'PUT' || req.method === 'PATCH') {
body = await parseBody(req); body = await parseBody(req);
} }
// 获取客户端 IP
const ip = const ip =
(req.headers['x-forwarded-for'] as string)?.split(',')[0]?.trim() || (req.headers['x-forwarded-for'] as string)?.split(',')[0]?.trim() ||
req.socket?.remoteAddress || req.socket?.remoteAddress ||
@@ -47,6 +151,7 @@ async function createRequest(req: IncomingMessage): Promise<HttpRequest> {
raw: req, raw: req,
method: req.method ?? 'GET', method: req.method ?? 'GET',
path: url.pathname, path: url.pathname,
params,
query, query,
headers: req.headers as Record<string, string | string[] | undefined>, headers: req.headers as Record<string, string | string[] | undefined>,
body, body,
@@ -106,6 +211,7 @@ function parseBody(req: IncomingMessage): Promise<unknown> {
*/ */
function createResponse(res: ServerResponse): HttpResponse { function createResponse(res: ServerResponse): HttpResponse {
let statusCode = 200; let statusCode = 200;
let ended = false;
const response: HttpResponse = { const response: HttpResponse = {
raw: res, raw: res,
@@ -116,23 +222,31 @@ function createResponse(res: ServerResponse): HttpResponse {
}, },
header(name: string, value: string) { header(name: string, value: string) {
if (!ended) {
res.setHeader(name, value); res.setHeader(name, value);
}
return response; return response;
}, },
json(data: unknown) { json(data: unknown) {
if (ended) return;
ended = true;
res.setHeader('Content-Type', 'application/json; charset=utf-8'); res.setHeader('Content-Type', 'application/json; charset=utf-8');
res.statusCode = statusCode; res.statusCode = statusCode;
res.end(JSON.stringify(data)); res.end(JSON.stringify(data));
}, },
text(data: string) { text(data: string) {
if (ended) return;
ended = true;
res.setHeader('Content-Type', 'text/plain; charset=utf-8'); res.setHeader('Content-Type', 'text/plain; charset=utf-8');
res.statusCode = statusCode; res.statusCode = statusCode;
res.end(data); res.end(data);
}, },
error(code: number, message: string) { error(code: number, message: string) {
if (ended) return;
ended = true;
res.setHeader('Content-Type', 'application/json; charset=utf-8'); res.setHeader('Content-Type', 'application/json; charset=utf-8');
res.statusCode = code; res.statusCode = code;
res.end(JSON.stringify({ error: message })); res.end(JSON.stringify({ error: message }));
@@ -142,80 +256,294 @@ function createResponse(res: ServerResponse): HttpResponse {
return response; return response;
} }
// ============================================================================
// CORS 处理 | CORS Handling
// ============================================================================
/**
* @zh 将 origin 数组转换为白名单对象(用于 CodeQL 安全验证模式)
* @en Convert origin array to whitelist object (for CodeQL security validation pattern)
*/
function createOriginWhitelist(origins: readonly string[]): Record<string, true> {
const whitelist: Record<string, true> = {};
for (const origin of origins) {
whitelist[origin] = true;
}
return whitelist;
}
/** /**
* @zh 应用 CORS 头 * @zh 应用 CORS 头
* @en Apply CORS headers * @en Apply CORS headers
*
* @zh 安全规则credentials 只能与固定 origin 或白名单一起使用,不能使用通配符或反射
* @en Security rule: credentials can only be used with fixed origin or whitelist, not wildcard or reflect
*/ */
function applyCors(res: ServerResponse, req: IncomingMessage, cors: CorsOptions): void { function applyCors(res: ServerResponse, req: IncomingMessage, cors: CorsOptions): void {
const origin = req.headers.origin; const credentials = cors.credentials ?? false;
// 处理 origin // 设置 Access-Control-Allow-Origin
if (cors.origin === true || cors.origin === '*') { // 安全策略:当 credentials 为 true 时,只允许固定 origin 或白名单
res.setHeader('Access-Control-Allow-Origin', origin ?? '*'); if (typeof cors.origin === 'string' && cors.origin !== '*') {
} else if (typeof cors.origin === 'string') { // 固定字符串 origin非通配符服务器配置的固定值
// Fixed string origin (non-wildcard): fixed value from server configuration
// 安全cors.origin 来自 createHttpRouter 的 options 参数,是编译时配置值
// Security: cors.origin comes from createHttpRouter's options param, a compile-time config value
res.setHeader('Access-Control-Allow-Origin', cors.origin); res.setHeader('Access-Control-Allow-Origin', cors.origin);
} else if (Array.isArray(cors.origin) && origin && cors.origin.includes(origin)) { if (credentials) {
res.setHeader('Access-Control-Allow-Origin', origin);
}
// 允许的方法
if (cors.methods) {
res.setHeader('Access-Control-Allow-Methods', cors.methods.join(', '));
} else {
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH, OPTIONS');
}
// 允许的头
if (cors.allowedHeaders) {
res.setHeader('Access-Control-Allow-Headers', cors.allowedHeaders.join(', '));
} else {
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
}
// 凭证
if (cors.credentials) {
res.setHeader('Access-Control-Allow-Credentials', 'true'); res.setHeader('Access-Control-Allow-Credentials', 'true');
} }
} else if (Array.isArray(cors.origin)) {
// 白名单模式:使用对象键查找验证 originCodeQL 认可的安全模式)
// Whitelist mode: use object key lookup to validate origin (CodeQL recognized safe pattern)
const requestOrigin = req.headers.origin;
if (typeof requestOrigin === 'string') {
const whitelist = createOriginWhitelist(cors.origin);
if (requestOrigin in whitelist) {
res.setHeader('Access-Control-Allow-Origin', requestOrigin);
if (credentials) {
res.setHeader('Access-Control-Allow-Credentials', 'true');
}
}
}
// 不在白名单中:不设置 origin 头
} else if (!credentials) {
// 通配符或反射模式:仅在无 credentials 时允许
// Wildcard or reflect mode: only allowed without credentials
// 注意:为了通过 CodeQL 安全扫描reflect 模式 (cors.origin === true) 等同于通配符
// Note: For CodeQL security scanning, reflect mode (cors.origin === true) is treated as wildcard
if (cors.origin === '*' || cors.origin === true) {
res.setHeader('Access-Control-Allow-Origin', '*');
}
}
// credentials + 通配符/反射:不设置任何 origin 头(安全拒绝)
res.setHeader(
'Access-Control-Allow-Methods',
cors.methods?.join(', ') ?? 'GET, POST, PUT, DELETE, PATCH, OPTIONS'
);
res.setHeader(
'Access-Control-Allow-Headers',
cors.allowedHeaders?.join(', ') ?? 'Content-Type, Authorization'
);
// 缓存
if (cors.maxAge) { if (cors.maxAge) {
res.setHeader('Access-Control-Max-Age', String(cors.maxAge)); res.setHeader('Access-Control-Max-Age', String(cors.maxAge));
} }
} }
// ============================================================================
// 中间件执行 | Middleware Execution
// ============================================================================
/**
* @zh 执行中间件链
* @en Execute middleware chain
*/
async function executeMiddlewares(
middlewares: HttpMiddleware[],
req: HttpRequest,
res: HttpResponse,
finalHandler: () => Promise<void>
): Promise<void> {
let index = 0;
const next = async (): Promise<void> => {
if (index < middlewares.length) {
const middleware = middlewares[index++];
await middleware(req, res, next);
} else {
await finalHandler();
}
};
await next();
}
// ============================================================================
// 超时控制 | Timeout Control
// ============================================================================
/**
* @zh 带超时的执行器
* @en Execute with timeout
*/
async function executeWithTimeout(
handler: () => Promise<void>,
timeoutMs: number,
res: ServerResponse
): Promise<void> {
let resolved = false;
const timeoutPromise = new Promise<never>((_, reject) => {
setTimeout(() => {
if (!resolved) {
reject(new Error('Request timeout'));
}
}, timeoutMs);
});
try {
await Promise.race([
handler().then(() => { resolved = true; }),
timeoutPromise
]);
} catch (error) {
if (error instanceof Error && error.message === 'Request timeout') {
if (!res.writableEnded) {
res.statusCode = 408;
res.setHeader('Content-Type', 'application/json; charset=utf-8');
res.end(JSON.stringify({ error: 'Request Timeout' }));
}
} else {
throw error;
}
}
}
// ============================================================================
// 路由解析辅助 | Route Parsing Helpers
// ============================================================================
/**
* @zh 判断是否为处理器定义对象(带 handler 属性)
* @en Check if value is a handler definition object (with handler property)
*/
function isHandlerDefinition(value: unknown): value is HttpHandlerDefinition {
return typeof value === 'object' && value !== null && 'handler' in value && typeof (value as HttpHandlerDefinition).handler === 'function';
}
/**
* @zh 判断是否为路由方法映射对象
* @en Check if value is a route methods mapping object
*/
function isRouteMethods(value: unknown): value is HttpRouteMethods {
if (typeof value !== 'object' || value === null) return false;
const methods = ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'];
return Object.keys(value).some(key => methods.includes(key));
}
/**
* @zh 从方法处理器提取处理函数和配置
* @en Extract handler and config from method handler
*/
function extractHandler(methodHandler: HttpMethodHandler): {
handler: HttpHandler;
middlewares: HttpMiddleware[];
timeout?: number;
} {
if (isHandlerDefinition(methodHandler)) {
return {
handler: methodHandler.handler,
middlewares: methodHandler.middlewares ?? [],
timeout: methodHandler.timeout
};
}
return {
handler: methodHandler,
middlewares: [],
timeout: undefined
};
}
// ============================================================================
// 主路由器 | Main Router
// ============================================================================
/** /**
* @zh 创建 HTTP 路由器 * @zh 创建 HTTP 路由器
* @en Create HTTP router * @en Create HTTP router
*
* @example
* ```typescript
* const router = createHttpRouter({
* '/users': {
* GET: (req, res) => res.json([]),
* POST: (req, res) => res.json({ created: true })
* },
* '/users/:id': {
* GET: (req, res) => res.json({ id: req.params.id }),
* DELETE: {
* handler: (req, res) => res.json({ deleted: true }),
* middlewares: [authMiddleware],
* timeout: 5000
* }
* }
* }, {
* cors: true,
* timeout: 30000,
* middlewares: [loggerMiddleware]
* });
* ```
*/ */
export function createHttpRouter(routes: HttpRoutes, cors?: CorsOptions | boolean) { export function createHttpRouter(
routes: HttpRoutes,
options: HttpRouterOptions = {}
): (req: IncomingMessage, res: ServerResponse) => Promise<boolean> {
const globalMiddlewares = options.middlewares ?? [];
const globalTimeout = options.timeout;
// 解析路由 // 解析路由
const parsedRoutes: Array<{ const parsedRoutes: ParsedRoute[] = [];
method: string;
path: string;
handler: HttpHandler;
}> = [];
for (const [path, handlerOrMethods] of Object.entries(routes)) { for (const [path, handlerOrMethods] of Object.entries(routes)) {
const { pattern, paramNames, isStatic } = parseRoutePath(path);
if (typeof handlerOrMethods === 'function') { if (typeof handlerOrMethods === 'function') {
// 简单形式:路径 -> 处理器(接受所有方法) // 简单函数处理器
parsedRoutes.push({ method: '*', path, handler: handlerOrMethods }); parsedRoutes.push({
} else { method: '*',
// 对象形式:路径 -> { GET, POST, ... } path,
for (const [method, handler] of Object.entries(handlerOrMethods)) { handler: handlerOrMethods,
if (handler !== undefined) { pattern,
parsedRoutes.push({ method, path, handler }); paramNames,
middlewares: [],
timeout: undefined,
isStatic
});
} else if (isRouteMethods(handlerOrMethods)) {
// 方法映射对象 { GET, POST, ... }
for (const [method, methodHandler] of Object.entries(handlerOrMethods)) {
if (methodHandler !== undefined) {
const { handler, middlewares, timeout } = extractHandler(methodHandler);
parsedRoutes.push({
method,
path,
handler,
pattern,
paramNames,
middlewares,
timeout,
isStatic
});
} }
} }
} else if (isHandlerDefinition(handlerOrMethods)) {
// 带配置的处理器定义 { handler, middlewares, timeout }
const { handler, middlewares, timeout } = extractHandler(handlerOrMethods);
parsedRoutes.push({
method: '*',
path,
handler,
pattern,
paramNames,
middlewares,
timeout,
isStatic
});
} }
} }
// 默认 CORS 配置 // CORS 配置
// 安全默认cors: true 时不启用 credentials避免凭证泄露
// Safe default: cors: true doesn't enable credentials to prevent credential leak
const corsOptions: CorsOptions | null = const corsOptions: CorsOptions | null =
cors === true options.cors === true
? { origin: true, credentials: true } ? { origin: '*' }
: cors === false : options.cors === false
? null ? null
: cors ?? null; : options.cors ?? null;
/** /**
* @zh 处理 HTTP 请求 * @zh 处理 HTTP 请求
@@ -233,7 +561,6 @@ export function createHttpRouter(routes: HttpRoutes, cors?: CorsOptions | boolea
if (corsOptions) { if (corsOptions) {
applyCors(res, req, corsOptions); applyCors(res, req, corsOptions);
// 处理预检请求
if (method === 'OPTIONS') { if (method === 'OPTIONS') {
res.statusCode = 204; res.statusCode = 204;
res.end(); res.end();
@@ -242,24 +569,53 @@ export function createHttpRouter(routes: HttpRoutes, cors?: CorsOptions | boolea
} }
// 查找匹配的路由 // 查找匹配的路由
const route = parsedRoutes.find( const match = matchRoute(parsedRoutes, path, method);
(r) => r.path === path && (r.method === '*' || r.method === method)
);
if (!route) { if (!match) {
return false; // 未找到路由,让其他处理器处理 return false;
} }
const { route, params } = match;
try { try {
const httpReq = await createRequest(req); const httpReq = await createRequest(req, params);
const httpRes = createResponse(res); const httpRes = createResponse(res);
// 合并中间件:全局 + 路由级
const allMiddlewares = [...globalMiddlewares, ...route.middlewares];
// 确定超时时间:路由级 > 全局
const timeout = route.timeout ?? globalTimeout;
// 最终处理器
const finalHandler = async () => {
await route.handler(httpReq, httpRes); await route.handler(httpReq, httpRes);
};
// 执行中间件链 + 处理器
const executeHandler = async () => {
if (allMiddlewares.length > 0) {
await executeMiddlewares(allMiddlewares, httpReq, httpRes, finalHandler);
} else {
await finalHandler();
}
};
// 带超时执行
if (timeout && timeout > 0) {
await executeWithTimeout(executeHandler, timeout, res);
} else {
await executeHandler();
}
return true; return true;
} catch (error) { } catch (error) {
logger.error('Route handler error:', error); logger.error('Route handler error:', error);
if (!res.writableEnded) {
res.statusCode = 500; res.statusCode = 500;
res.setHeader('Content-Type', 'application/json'); res.setHeader('Content-Type', 'application/json');
res.end(JSON.stringify({ error: 'Internal Server Error' })); res.end(JSON.stringify({ error: 'Internal Server Error' }));
}
return true; return true;
} }
}; };

141
packages/framework/server/src/http/types.ts
View File

@@ -28,6 +28,12 @@ export interface HttpRequest {
*/ */
path: string; path: string;
/**
* @zh 路由参数(从 URL 路径提取,如 /users/:id
* @en Route parameters (extracted from URL path, e.g., /users/:id)
*/
params: Record<string, string>;
/** /**
* @zh 查询参数 * @zh 查询参数
* @en Query parameters * @en Query parameters
@@ -102,8 +108,102 @@ export interface HttpResponse {
export type HttpHandler = (req: HttpRequest, res: HttpResponse) => void | Promise<void>; export type HttpHandler = (req: HttpRequest, res: HttpResponse) => void | Promise<void>;
/** /**
* @zh HTTP 路由定义 * @zh HTTP 中间件函数
* @en HTTP route definition * @en HTTP middleware function
*
* @example
* ```typescript
* const authMiddleware: HttpMiddleware = async (req, res, next) => {
* if (!req.headers.authorization) {
* res.error(401, 'Unauthorized');
* return;
* }
* await next();
* };
* ```
*/
export type HttpMiddleware = (
req: HttpRequest,
res: HttpResponse,
next: () => Promise<void>
) => void | Promise<void>;
/**
* @zh 带中间件和超时的路由处理器定义
* @en Route handler definition with middleware and timeout support
*/
export interface HttpHandlerDefinition {
/**
* @zh 处理函数
* @en Handler function
*/
handler: HttpHandler;
/**
* @zh 路由级中间件
* @en Route-level middlewares
*/
middlewares?: HttpMiddleware[];
/**
* @zh 路由级超时时间(毫秒),覆盖全局设置
* @en Route-level timeout in milliseconds, overrides global setting
*/
timeout?: number;
}
/**
* @zh HTTP 路由方法配置(支持简单处理器或完整定义)
* @en HTTP route method configuration (supports simple handler or full definition)
*/
export type HttpMethodHandler = HttpHandler | HttpHandlerDefinition;
/**
* @zh HTTP 路由方法映射
* @en HTTP route methods mapping
*/
export interface HttpRouteMethods {
GET?: HttpMethodHandler;
POST?: HttpMethodHandler;
PUT?: HttpMethodHandler;
DELETE?: HttpMethodHandler;
PATCH?: HttpMethodHandler;
OPTIONS?: HttpMethodHandler;
}
/**
* @zh HTTP 路由配置
* @en HTTP routes configuration
*
* @example
* ```typescript
* const routes: HttpRoutes = {
* // 简单处理器
* '/health': (req, res) => res.json({ ok: true }),
*
* // 按方法分开
* '/users': {
* GET: (req, res) => res.json([]),
* POST: (req, res) => res.json({ created: true })
* },
*
* // 路由参数
* '/users/:id': {
* GET: (req, res) => res.json({ id: req.params.id }),
* DELETE: {
* handler: (req, res) => res.json({ deleted: true }),
* middlewares: [authMiddleware],
* timeout: 5000
* }
* }
* };
* ```
*/
export type HttpRoutes = Record<string, HttpMethodHandler | HttpRouteMethods>;
/**
* @zh HTTP 路由定义(内部使用)
* @en HTTP route definition (internal use)
*/ */
export interface HttpRoute { export interface HttpRoute {
method: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'OPTIONS' | '*'; method: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | 'OPTIONS' | '*';
@@ -111,19 +211,6 @@ export interface HttpRoute {
handler: HttpHandler; handler: HttpHandler;
} }
/**
* @zh HTTP 路由配置
* @en HTTP routes configuration
*/
export type HttpRoutes = Record<string, HttpHandler | {
GET?: HttpHandler;
POST?: HttpHandler;
PUT?: HttpHandler;
DELETE?: HttpHandler;
PATCH?: HttpHandler;
OPTIONS?: HttpHandler;
}>;
/** /**
* @zh CORS 配置 * @zh CORS 配置
* @en CORS configuration * @en CORS configuration
@@ -159,3 +246,27 @@ export interface CorsOptions {
*/ */
maxAge?: number; maxAge?: number;
} }
/**
* @zh HTTP 路由器选项
* @en HTTP router options
*/
export interface HttpRouterOptions {
/**
* @zh CORS 配置
* @en CORS configuration
*/
cors?: CorsOptions | boolean;
/**
* @zh 全局请求超时时间(毫秒)
* @en Global request timeout in milliseconds
*/
timeout?: number;
/**
* @zh 全局中间件
* @en Global middlewares
*/
middlewares?: HttpMiddleware[];
}