feat(server): renamed to StrictGetMethodPlugin and enabled it by default in RPCHandler

[dinwwwh]

GetMethodGuardPlugin -> StrictGetMethodPlugin

Summary by CodeRabbit

• Documentation

  • Updated sidebar navigation and guides to reflect the shift to a stricter GET method enforcement in RPC documentation.
  • Added clarifications regarding the default behavior of the RPCHandler and the necessity for explicit permissions for GET requests.

• Enhancements

  • Improved RPC security defaults by enforcing strict GET request handling, with a new option to disable this behavior if needed.

• Tests

  • Added test cases to ensure that the new default configuration is correctly initialized and applied.
  • Modified existing tests to incorporate the new configuration option for the RPCHandler.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
orpc	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Apr 9, 2025 7:43am

[coderabbitai]

Walkthrough

This change rebrands the "GET method guard" as the "Strict GET method" across documentation, tests, and code. Updates focus on replacing sidebar entries in the VitePress config, adjusting documentation to clarify default behavior in the RPC protocol, and modifying adapter initialization logic to call a new default options initializer. Additionally, tests are updated and expanded to verify the initialization of the strict GET method plugin, and exports in the plugins module have been replaced accordingly.

Changes

File(s)	Change Summary
apps/content/.vitepress/config.ts, apps/content/docs/advanced/rpc-protocol.md, apps/content/docs/client/rpc-link.md, apps/content/docs/plugins/strict-get-method.md, apps/content/docs/rpc-handler.md	Updated sidebar and docs to remove "GET method guard" references and introduce "Strict GET method" along with new documentation noting default plugin activation.
packages/server/src/adapters/fetch/rpc-handler.ts, packages/server/src/adapters/node/rpc-handler.ts, packages/server/src/adapters/standard/rpc-handler.ts	Modified RPCHandler constructors to include a call to initDefaultStandardRPCHandlerOptions, with the StandardRPCHandlerOptions interface updated to support strictGetMethodPluginEnabled.
packages/server/src/adapters/fetch/rpc-handler.test.ts, packages/server/src/adapters/node/rpc-handler.test.ts, packages/server/src/adapters/standard/rpc-handler.test.ts	Added new test cases/spies to verify that initDefaultStandardRPCHandlerOptions is called and the Strict GET method plugin is conditionally added based on configuration.
packages/server/src/plugins/index.ts, packages/server/src/plugins/strict-get-method.test.ts, packages/server/src/plugins/strict-get-method.ts	Replaced exports and references of the old "GET method guard" with the new "Strict GET method" implementations and updated test and source files accordingly.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant RPCHandler
    participant InitOptions
    participant StrictPlugin

    Client->>RPCHandler: new RPCHandler(options)
    RPCHandler->>InitOptions: initDefaultStandardRPCHandlerOptions(options)
    alt strictGetMethodPluginEnabled true (default)
        InitOptions->>StrictPlugin: create instance of StrictGetMethodPlugin
        StrictPlugin-->>RPCHandler: Plugin added to options
    else strictGetMethodPluginEnabled false
        InitOptions-->>RPCHandler: Skip adding plugin
    end
    RPCHandler->>RPCHandler: Continue initialization

Loading

Possibly related PRs

• unnoq/orpc#347: The changes in the main PR, which involve replacing the "GET method guard" with the "Strict GET method" in the sidebar configuration, are related to the retrieved PR that introduces the "GET Method Guard Plugin," as both modifications pertain to the same plugin functionality and its documentation.

Poem

In a burrow of code, I hop with delight,
Leaving old guards behind in the night.
Strict GET methods now lead the way,
In docs and tests, they brighten the day.
With each small change, our code reviews sing—
A rabbit’s cheer for the new plugin spring!
🐰✨

✨ Finishing Touches

• 📝 Generate Docstrings

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai plan to trigger planning for file edits and PR creation.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[pkg-pr-new]

More templates

• @orpc/contract-first-playground
• @orpc/nextjs-playground
• @orpc/nuxt-playground
• @orpc/solid-start-playground
• @orpc/svelte-kit-playground

@orpc/arktype

npm i https://pkg.pr.new/@orpc/arktype@348

@orpc/client

npm i https://pkg.pr.new/@orpc/client@348

@orpc/contract

npm i https://pkg.pr.new/@orpc/contract@348

@orpc/openapi

npm i https://pkg.pr.new/@orpc/openapi@348

@orpc/openapi-client

npm i https://pkg.pr.new/@orpc/openapi-client@348

@orpc/react-query

npm i https://pkg.pr.new/@orpc/react-query@348

@orpc/react

npm i https://pkg.pr.new/@orpc/react@348

@orpc/server

npm i https://pkg.pr.new/@orpc/server@348

@orpc/shared

npm i https://pkg.pr.new/@orpc/shared@348

@orpc/solid-query

npm i https://pkg.pr.new/@orpc/solid-query@348

@orpc/standard-server

npm i https://pkg.pr.new/@orpc/standard-server@348

@orpc/standard-server-fetch

npm i https://pkg.pr.new/@orpc/standard-server-fetch@348

@orpc/standard-server-node

npm i https://pkg.pr.new/@orpc/standard-server-node@348

@orpc/svelte-query

npm i https://pkg.pr.new/@orpc/svelte-query@348

@orpc/valibot

npm i https://pkg.pr.new/@orpc/valibot@348

@orpc/vue-colada

npm i https://pkg.pr.new/@orpc/vue-colada@348

@orpc/vue-query

npm i https://pkg.pr.new/@orpc/vue-query@348

@orpc/zod

npm i https://pkg.pr.new/@orpc/zod@348

commit: 7223b9a

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

📢 Thoughts on this report? Let us know!

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

packages/server/src/adapters/fetch/body-limit-plugin.test.ts (3)

23-27: Consider consistent configuration approach across all handler initializations

While this test case uses a POST request that wouldn't be affected by the StrictGetMethodPlugin, for consistency in testing, consider adding the same configuration object to all RPCHandler initializations in this file.

 const handler = new RPCHandler(os.handler(() => 'ping'), {
+  strictGetMethodPluginEnabled: false,
   plugins: [
     new BodyLimitPlugin({ maxBodySize: 22 }),
   ],
 })

---

42-46: Consider consistent configuration approach across all handler initializations

For consistency with other test cases, consider adding the strictGetMethodPluginEnabled: false configuration here as well.

 const handler = new RPCHandler(os.handler(() => 'ping'), {
+  strictGetMethodPluginEnabled: false,
   plugins: [
     new BodyLimitPlugin({ maxBodySize: 21 }),
   ],
 })

---

60-64: Consider consistent configuration approach across all handler initializations

For consistency with other test cases, consider adding the strictGetMethodPluginEnabled: false configuration here as well.

 const handler = new RPCHandler(os.handler(() => 'ping'), {
+  strictGetMethodPluginEnabled: false,
   plugins: [
     new BodyLimitPlugin({ maxBodySize: 21 }),
   ],
 })

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ed2d4a3 and 7223b9a.

📒 Files selected for processing (9)

• packages/client/src/adapters/fetch/rpc-link.test.ts (2 hunks)
• packages/server/src/adapters/fetch/body-limit-plugin.test.ts (1 hunks)
• packages/server/src/adapters/fetch/rpc-handler.test.ts (1 hunks)
• packages/server/src/adapters/fetch/rpc-handler.ts (1 hunks)
• packages/server/src/adapters/node/rpc-handler.test.ts (1 hunks)
• packages/server/src/adapters/node/rpc-handler.ts (1 hunks)
• packages/server/src/adapters/standard/rpc-handler.test.ts (1 hunks)
• packages/server/src/adapters/standard/rpc-handler.ts (1 hunks)
• packages/server/src/plugins/simple-csrf-protection.test.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• packages/server/src/adapters/fetch/rpc-handler.ts
• packages/server/src/adapters/fetch/rpc-handler.test.ts
• packages/server/src/adapters/node/rpc-handler.ts
• packages/server/src/adapters/standard/rpc-handler.test.ts

🧰 Additional context used

🧬 Code Graph Analysis (1)

packages/server/src/adapters/standard/rpc-handler.ts (3)

packages/server/src/context.ts (1)

• Context (1-1)

packages/server/src/adapters/standard/handler.ts (1)

• StandardHandlerOptions (25-47)

packages/server/src/plugins/strict-get-method.ts (1)

• StrictGetMethodPlugin (17-56)

🔇 Additional comments (9)

packages/server/src/adapters/node/rpc-handler.test.ts (1)

8-10: Configuration update aligns with new default plugin behavior

The addition of strictGetMethodPluginEnabled: false to the RPCHandler constructor indicates that the renamed StrictGetMethodPlugin is now enabled by default, which matches the PR objective of enabling it by default in the RPCHandler. This configuration is necessary as the test uses a GET request that would otherwise be blocked by the enabled plugin.

packages/server/src/adapters/fetch/body-limit-plugin.test.ts (1)

9-10: Configuration only disabled for the GET request test case

The strictGetMethodPluginEnabled: false configuration is correctly added to this test case which uses a GET request that would be blocked by the default-enabled plugin.

packages/server/src/plugins/simple-csrf-protection.test.ts (2)

12-20: Configuration update aligns with new default plugin behavior

The addition of strictGetMethodPluginEnabled: false is appropriate as the tests in this file use GET requests that would otherwise be blocked by the default-enabled StrictGetMethodPlugin. This allows the tests to focus specifically on CSRF protection functionality.

---

62-69: Configuration consistently applied to all handler initializations

Good job maintaining consistency by adding the strictGetMethodPluginEnabled: false configuration to this handler initialization as well, which follows the same pattern as the main handler in this file.

packages/client/src/adapters/fetch/rpc-link.test.ts (2)

16-18: Configuration update aligns with new default plugin behavior

The addition of strictGetMethodPluginEnabled: false is necessary as the test suite runs tests with both GET and POST methods, and the GET tests would be blocked by the default-enabled StrictGetMethodPlugin. This change ensures the tests can continue to function as expected while the plugin is enabled by default in production code.

---

50-52: Configuration consistently applied to all handler initializations

Good job maintaining consistency by adding the strictGetMethodPluginEnabled: false configuration to this handler initialization as well, which follows the same pattern as in the assertSuccessCase function.

packages/server/src/adapters/standard/rpc-handler.ts (3)

9-16: Interface looks good with clear documentation

The addition of the strictGetMethodPluginEnabled option is well-documented with a clear JSDoc comment that includes the default value. The interface properly extends both StandardHandlerOptions and StandardRPCJsonSerializerOptions.

---

18-35: Implementation correctly enables StrictGetMethodPlugin by default

The StandardRPCHandler class implementation properly initializes the options and conditionally adds the StrictGetMethodPlugin when enabled (which is the default behavior). The initialization sequence is correct, with all dependencies properly set up before calling the parent constructor.

---

22-26: Security enhancement with StrictGetMethodPlugin enabled by default

Enabling the StrictGetMethodPlugin by default is a good security practice as it restricts which procedures can be called via GET requests. This helps prevent potential security issues like CSRF attacks or unintended side effects from GET requests.