better route definitions using regex named capture groups for path params (temporarily broken)

Author: Arlen22

packages/server/src/StateObject.ts

@@ -64,12 +64,7 @@ export class ServerRequestClass<
   ) {
     super(streamer);
 
-    this.pathParams = Object.fromEntries<string | undefined>(routePath.map(r =>
-      r.route.pathParams
-        ?.map((e, i) => [e, r.params[i]] as const)
-        .filter(<T>(e: T): e is T & {} => !!e)
-      ?? []
-    ).flat()) as any;
+    this.pathParams = routePath.reduce((n, e) => Object.assign(n, e.groups), {});
 
     const pathParamsZodCheck = zod.record(zod.string(), zod.string().transform(zodURIComponent).optional()).safeParse(this.pathParams);
     if (!pathParamsZodCheck.success) console.log("BUG: Path params zod error", pathParamsZodCheck.error, this.pathParams);

packages/server/src/router.ts

@@ -18,7 +18,10 @@ export interface AllowedRequestedWithHeaderKeys {
 }
 
 export class Router {
-  allowedRequestedWithHeaders: (keyof AllowedRequestedWithHeaderKeys)[] = ["fetch", "XMLHttpRequest"];
+  static allowedRequestedWithHeaders: AllowedRequestedWithHeaderKeys = {
+    fetch: true,
+    XMLHttpRequest: true,
+  }
   constructor(
     public rootRoute: ServerRoute
   ) {
@@ -101,7 +104,7 @@ export class Router {
       // If the method is not GET, HEAD, or OPTIONS, 
       if (!["GET", "HEAD", "OPTIONS"].includes(streamer.method))
         // If the x-requested-with header is not set to "fetch", 
-        if (!reqwith || !this.allowedRequestedWithHeaders.includes(reqwith))
+        if (!reqwith || !Router.allowedRequestedWithHeaders[reqwith])
           // we reject the request with a 403 Forbidden.
           throw new SendError("INVALID_X_REQUESTED_WITH", 400, null);
 
@@ -219,10 +222,11 @@ export class Router {
         // Remove the matched portion from the testPath.
         const remainingPath = testPath.slice(matchedPortion.length) || "/";
 
-        const result = {
+        const result: RouteMatch = {
           route: potentialRoute,
           params: match.slice(1),
           remainingPath,
+          groups: match.groups ?? {},
         };
         const { childRoutes = [] } = potentialRoute as any; // see this.defineRoute
         debug(potentialRoute.path.source, testPath, match[0], match[0].length, remainingPath, childRoutes.length);
@@ -280,6 +284,7 @@ export interface RouteMatch {
   route: ServerRoute;
   params: (string | undefined)[];
   remainingPath: string;
+  groups: { [key: string]: string; };
 }
 
 
@@ -326,10 +331,13 @@ export interface RouteDef {
 
   /** 
    * Regex to test the pathname on. It must start with `^`. If this is a child route, 
-   * it will be tested against the remaining portion of the parent route.  
+   * it will be tested against the remaining portion of the parent route. 
+   * - Use named capture groups `(?<name>regex)` to set path params. 
+   * - Child route param names take precedent.
+   * - Use lookahead `(?=\/)` at the end of the regex to make sure the matched portion ends with
+   *   a slash while still preserving the slash for the start of the child route. 
    */
   path: RegExp;
-  pathParams?: string[];
   /** 
    * The uppercase method names to match this route.
    * 
@@ -339,20 +347,24 @@ export interface RouteDef {
    */
   method: string[];
   /** 
-   * The highest bodyformat in the chain always takes precedent. Type-wise, only one is allowed, 
-   * but at runtime the first one found is the one used. 
+   * The highest bodyformat in the chain always takes precedent. 
+   * At runtime the first one found is the one used. 
    * 
-   * Note that bodyFormat is completely ignored for GET and HEAD requests.
+   * Note that bodyFormat is always "ignore" for GET and HEAD requests.
    */
   bodyFormat?: BodyFormat;
-  /** If this route is the last one matched, it will NOT be called, and a 404 will be returned. */
+  /** 
+   * If this route is matched, but no children are matched, 
+   * it will NOT be called, and a 404 will be returned. 
+   */
   denyFinal?: boolean;
 
   securityChecks?: {
     /**
-     * If true, the request must have the "x-requested-with" header set to keyof AllowedRequestedWithHeaderKeys.
+     * If true, the request must have the "x-requested-with" header 
+     * set to keyof AllowedRequestedWithHeaderKeys.
      * This is a common way to check if the request is an AJAX request.
-     * If the header is not set, the request will be rejected with a 403 Forbidden.
+     * If this is true and the header is not set, the request will be rejected with a 403 Forbidden.
      * 
      * @see {@link AllowedRequestedWithHeaderKeys}
      */

packages/server/src/zodRegister.ts

@@ -10,66 +10,86 @@ const debugCORS = Debug("mws:cors");
 
 
 
-export const registerZodRoutes = (parent: ServerRoute, router: any, keys: string[]) => {
-  // const router = new TiddlerRouter();
-  keys.forEach((key) => {
-    const route = router[key as keyof typeof router] as ZodRoute<any, any, any, any, any, any>;
-    const {
-      method, path, bodyFormat, registerError,
-      zodPathParams,
-      zodQueryParams = (z => ({}) as any),
-      zodRequestBody = ["string", "json", "www-form-urlencoded"].includes(bodyFormat)
-        ? z => z.undefined() : (z => z.any() as any),
-      inner,
-      securityChecks,
-    } = route;
-
-    if (method.includes("OPTIONS"))
-      throw new Error(key + " includes OPTIONS. Use corsRequest instead.");
-
-    const pathParams = path.split("/").filter(e => e.startsWith(":")).map(e => e.substring(1));
-    ///^\/recipes\/([^\/]+)\/tiddlers\/(.+)$/,
-    if (!path.startsWith("/")) throw new Error(`Path ${path} must start with a forward slash`);
-    if (key.startsWith(":")) throw new Error(`Key ${key} must not start with a colon`)
-    const pathregex = "^" + path.split("/").map(e =>
-      e === "$key" ? key : e.startsWith(":") ? "([^/]+)" : e
-    ).join("\\/") + "$";
-
-    parent.defineRoute({
-      method,
-      path: new RegExp(pathregex),
-      pathParams,
-      bodyFormat,
-      denyFinal: false,
-      securityChecks,
-    }, async state => {
-
-      checkPath(state, zodPathParams, registerError);
-
-      checkQuery(state, zodQueryParams, registerError);
-
-      checkData(state, zodRequestBody, registerError);
-
-      const timekey = `handler ${state.bodyFormat} ${state.method} ${state.urlInfo.pathname}`;
-      if (Debug.enabled("server:handler:timing")) console.time(timekey);
-      const [good, error, res] = await inner(state)
-        .then(e => [true, undefined, e] as const, e => [false, e, undefined] as const);
-      if (Debug.enabled("server:handler:timing")) console.timeEnd(timekey);
-
-      if (!good) {
-        if (error === STREAM_ENDED) {
-          return error;
-        } else if (typeof error === "string") {
-          return state.sendString(400, { "x-reason": "zod-handler" }, error, "utf8");
-        } else if (error instanceof Error && error.name === "UserError") {
-          return state.sendString(400, { "x-reason": "user-error" }, error.message, "utf8");
-        } else {
-          throw error;
-        }
+export const registerZodRoutes = (parent: ServerRoute, router: any, keys: string[], keyReplacer: string = "$key") => {
+  return keys.map((key) => {
+    defineZodRoute(parent, key, keyReplacer, router[key]);
+  });
+}
+
+function buildPathRegex(path: string, key: string, keyReplacer: string) {
+  if (!path.startsWith("/")) throw new Error(`Path ${path} must start with a forward slash`);
+  if (key.startsWith(":")) throw new Error(`Key ${key} must not start with a colon`)
+  if (path !== path.trim()) throw new Error(`Path ${path} must not have leading and trailing white space or line terminator characters`);
+  const parts = path.split("/");
+  const final = path.endsWith("/");
+  return "^" + parts.map((e, i) => {
+
+    const last = i === parts.length - 1;
+    if (e.length === 0) {
+      if (!last && i !== 0) throw new Error(`Path ${path} has an empty part at index ${i}`);
+      return "";
+    }
+    const name = e.startsWith(":") && e.slice(1);
+    if (e === keyReplacer) return key;
+    if (!name) return e;
+    return (last && final) ? `(?<${name}>.+)` : `(?<${name}>[^/]+)`;
+  }).join("\\/") + (final ? "$" : "(?=\/)");
+}
+
+export function defineZodRoute(
+  parent: ServerRoute,
+  key: string,
+  keyReplacer: string,
+  route: ZodRoute<any, any, any, any, any, any>
+) {
+  const {
+    method, path, bodyFormat, registerError,
+    zodPathParams,
+    zodQueryParams = (z => ({}) as any),
+    zodRequestBody = ["string", "json", "www-form-urlencoded"].includes(bodyFormat)
+      ? z => z.undefined() : (z => z.any() as any),
+    inner,
+    securityChecks,
+  } = route;
+
+  if (method.includes("OPTIONS"))
+    throw new Error(key + " includes OPTIONS. Use corsRequest instead.");
+
+  const pathregex = typeof path === "string" ? buildPathRegex(path, key, keyReplacer) : path;
+
+  return parent.defineRoute({
+    method,
+    path: new RegExp(pathregex),
+    bodyFormat,
+    denyFinal: false,
+    securityChecks,
+  }, async state => {
+
+    checkPath(state, zodPathParams, registerError);
+
+    checkQuery(state, zodQueryParams, registerError);
+
+    checkData(state, zodRequestBody, registerError);
+
+    const timekey = `handler ${state.bodyFormat} ${state.method} ${state.urlInfo.pathname}`;
+    if (Debug.enabled("server:handler:timing")) console.time(timekey);
+    const [good, error, res] = await inner(state)
+      .then(e => [true, undefined, e] as const, e => [false, e, undefined] as const);
+    if (Debug.enabled("server:handler:timing")) console.timeEnd(timekey);
+
+    if (!good) {
+      if (error === STREAM_ENDED) {
+        return error;
+      } else if (typeof error === "string") {
+        return state.sendString(400, { "x-reason": "zod-handler" }, error, "utf8");
+      } else if (error instanceof Error && error.name === "UserError") {
+        return state.sendString(400, { "x-reason": "user-error" }, error.message, "utf8");
+      } else {
+        throw error;
       }
+    }
 
-      return state.sendJSON(200, res);
-    });
+    return state.sendJSON(200, res);
   });
 }
 

packages/server/src/zodRoute.ts

@@ -74,7 +74,40 @@ export interface ZodRoute<
 
   securityChecks?: RouteDef["securityChecks"];
   method: M[];
-  path: string;
+  /** 
+   * The filter to match requests to. It can either be a string or a regex.
+   * 
+   * The following string is converted to the following regex. Notice the last param entirely 
+   * matches the rest of the path, and it may be zero length (the url may be `/literal/test/hello/world/`)
+   *   - `/literal/:param1/hello/world/:param2`
+   *   - `/^\/literal\/(?<param1>[^\/]+)\/literal\/literal\/(?<param2>.*)$/`
+   * 
+   * The following string is converted to the following regex to allow child routes to 
+   * be nested under it. The regex uses the lookahead group syntax to ensure that 
+   * the child route begins with a forward slash and isn't a partial match.
+   * 
+   *   - `/literal/:param1/hello/world/:param2/`
+   *   - `/^\/literal\/(?<param1>[^\/]+)\/literal\/literal\/(?<param2>[^\/]+)(?=\/)/`
+   * 
+   * Regex must start with `^`. The matched portion is removed from child route matches. 
+   * 
+   * 
+   * If the last portion of the string is a param, and is not followed by a slash, 
+   * it will match the rest of the request path. If it ends with a slash, the matching
+   * portion of the request path will be consumed and child routes will match the remaining 
+   * portion. 
+   * 
+   * So `/literal//hello/world/` would be invalid, but `/literal/test/hello/world/` would match. 
+   * 
+   * The regex is not checked in any way, so children will be matched against the 
+   * remaining portion of the path. Lookaheads may be used to match portions of the url 
+   * without capturing the path, such as a trailing slash (`/^\/test(?=\/)`)
+   * 
+   * Name collisions are possible between parent and child routes. The child route takes precedent,
+   * and the parent route handler will see the child path param value. 
+   * 
+   */
+  path: string | RegExp;
   bodyFormat: B;
   registerError: Error;
   inner: (state: { [K in M]: ZodState<K, B, P, Q, T> }[M]) => Promise<R>;