feat(#38): trailingSlash policy — preserve / strip / forbid

productdevbook · claude · productdevbook · commit 426426b11457 · 2026-04-26T09:32:42.000+03:00
ky #802 — declined upstream; users want it as a guardrail when a backend canonicalizes URLs differently. API: createMisina({ trailingSlash: 'strip' }) // default 'preserve' Modes: - preserve: leave the URL alone (default; backward compatible) - strip: remove trailing slashes from the path before dispatch - forbid: throw a clear Error if path ends with / Carefully: - Query string and hash are preserved (we strip the *path* tail). - Bare origin URLs ('https://api.test/') are not stripped — there's no path component to remove. - Per-request override beats instance defaults. Audit pass 47 (test/trailing-slash.test.ts, 9 tests): preserve/strip/forbid behavior, multi-slash strip, query string preserved, bare origin untouched, per-request override, baseURL resolution composition. Closes #38. Suite: 413 / 413 (was 404). Lint+typecheck clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/src/_url.ts b/src/_url.ts
@@ -12,11 +12,14 @@ import type { ArrayFormat, ParamsSerializer } from "./types.ts"
  * are permitted. Embedded runtimes (Capacitor, Tauri) can opt in to their
  * custom schemes by extending the list.
  */
+export type TrailingSlashPolicy = "preserve" | "strip" | "forbid"
+
 export function resolveUrl(
   input: string,
   baseURL: string | undefined,
   allowAbsoluteUrls = true,
   allowedProtocols: readonly string[] = ["http", "https"],
+  trailingSlash: TrailingSlashPolicy = "preserve",
 ): string {
   let resolved: string
   if (isAbsoluteUrl(input)) {
@@ -32,7 +35,30 @@ export function resolveUrl(
     resolved = new URL(input, ensureTrailingSlash(baseURL)).toString()
   }
   assertAllowedProtocol(resolved, allowedProtocols)
-  return resolved
+  return applyTrailingSlash(resolved, trailingSlash)
+}
+
+function applyTrailingSlash(url: string, policy: TrailingSlashPolicy): string {
+  if (policy === "preserve") return url
+  // Find the path component without parsing — keeps relative URLs intact.
+  // Strip any query/hash before checking the trailing char.
+  const queryAt = url.indexOf("?")
+  const hashAt = url.indexOf("#")
+  const pathEnd = Math.min(
+    queryAt === -1 ? url.length : queryAt,
+    hashAt === -1 ? url.length : hashAt,
+  )
+  const path = url.slice(0, pathEnd)
+  const tail = url.slice(pathEnd)
+  // Don't touch a bare scheme://host — there's no path to strip.
+  if (!path.endsWith("/") || /^[a-z][a-z0-9+.-]*:\/\/[^/]*$/i.test(path)) return url
+  if (policy === "forbid") {
+    throw new Error(
+      `misina: trailing slash on ${JSON.stringify(url)} rejected because trailingSlash is "forbid"`,
+    )
+  }
+  // policy === "strip"
+  return path.replace(/\/+$/, "") + tail
 }
 
 function assertAllowedProtocol(url: string, allowed: readonly string[]): void {
diff --git a/src/misina.ts b/src/misina.ts
@@ -315,11 +315,12 @@ function resolveOptions(
   const baseURL = init.baseURL ?? defaults.baseURL
   const allowAbsoluteUrls = init.allowAbsoluteUrls ?? defaults.allowAbsoluteUrls ?? true
   const allowedProtocols = init.allowedProtocols ?? defaults.allowedProtocols ?? ["http", "https"]
+  const trailingSlash = init.trailingSlash ?? defaults.trailingSlash ?? "preserve"
   const headers = mergeHeaders(defaults.headers, init.headers)
   const arrayFormat = init.arrayFormat ?? defaults.arrayFormat ?? "repeat"
   const paramsSerializer = init.paramsSerializer ?? defaults.paramsSerializer
   const url = appendQuery(
-    resolveUrl(input, baseURL, allowAbsoluteUrls, allowedProtocols),
+    resolveUrl(input, baseURL, allowAbsoluteUrls, allowedProtocols, trailingSlash),
     init.query,
     arrayFormat,
     paramsSerializer,
@@ -331,6 +332,7 @@ function resolveOptions(
     url,
     allowAbsoluteUrls,
     allowedProtocols,
+    trailingSlash,
     method,
     headers,
     body,
diff --git a/src/types.ts b/src/types.ts
@@ -138,6 +138,15 @@ export interface MisinaOptions {
    * here to use them; relative URLs and unparseable inputs skip the check.
    */
   allowedProtocols?: readonly string[]
+  /**
+   * Trailing-slash policy for the final URL:
+   * - `"preserve"` (default) — leave the URL alone.
+   * - `"strip"` — remove trailing slashes from the path before dispatch.
+   * - `"forbid"` — throw if the path ends with `/`.
+   *
+   * Useful as a guardrail when a backend 404s on the wrong canonical form.
+   */
+  trailingSlash?: "preserve" | "strip" | "forbid"
   /**
    * HTTP headers. Accepts a Record, a Headers instance, or [k, v] tuple pairs.
    * Values that are `undefined` or `null` are silently dropped — handy for
@@ -269,6 +278,7 @@ export interface MisinaResolvedOptions {
   url: string
   allowAbsoluteUrls: boolean
   allowedProtocols: readonly string[]
+  trailingSlash: "preserve" | "strip" | "forbid"
   method: HttpMethod
   headers: Record<string, string>
   body?: unknown
diff --git a/test/trailing-slash.test.ts b/test/trailing-slash.test.ts
@@ -0,0 +1,102 @@
+import { describe, expect, it } from "vitest"
+import { createMisina } from "../src/index.ts"
+
+function recordingDriver() {
+  const seen: string[] = []
+  return {
+    seen,
+    driver: {
+      name: "rec",
+      request: async (req: Request) => {
+        seen.push(req.url)
+        return new Response("{}", { headers: { "content-type": "application/json" } })
+      },
+    },
+  }
+}
+
+describe("trailingSlash policy", () => {
+  it("'preserve' (default) leaves the URL alone", async () => {
+    const { seen, driver } = recordingDriver()
+    const m = createMisina({ driver, retry: 0 })
+
+    await m.get("https://api.test/users/")
+    await m.get("https://api.test/users")
+
+    expect(seen).toEqual(["https://api.test/users/", "https://api.test/users"])
+  })
+
+  it("'strip' removes a single trailing slash", async () => {
+    const { seen, driver } = recordingDriver()
+    const m = createMisina({ driver, retry: 0, trailingSlash: "strip" })
+
+    await m.get("https://api.test/users/")
+    expect(seen[0]).toBe("https://api.test/users")
+  })
+
+  it("'strip' removes multiple trailing slashes", async () => {
+    const { seen, driver } = recordingDriver()
+    const m = createMisina({ driver, retry: 0, trailingSlash: "strip" })
+
+    await m.get("https://api.test/users///")
+    expect(seen[0]).toBe("https://api.test/users")
+  })
+
+  it("'strip' preserves the slash when path is just /", async () => {
+    const { seen, driver } = recordingDriver()
+    const m = createMisina({ driver, retry: 0, trailingSlash: "strip" })
+
+    // Bare origin URL — there's no path to strip.
+    await m.get("https://api.test/")
+    // Either form is acceptable depending on whether root counts as "no path".
+    // The contract: don't break a bare URL.
+    expect(seen[0] === "https://api.test/" || seen[0] === "https://api.test").toBe(true)
+  })
+
+  it("'strip' keeps trailing slash before query string out of the path", async () => {
+    const { seen, driver } = recordingDriver()
+    const m = createMisina({ driver, retry: 0, trailingSlash: "strip" })
+
+    await m.get("https://api.test/users/?page=2")
+    expect(seen[0]).toBe("https://api.test/users?page=2")
+  })
+
+  it("'forbid' throws on a trailing slash", async () => {
+    const m = createMisina({
+      driver: recordingDriver().driver,
+      retry: 0,
+      trailingSlash: "forbid",
+    })
+
+    await expect(m.get("https://api.test/users/")).rejects.toThrow(/trailingSlash is "forbid"/)
+  })
+
+  it("'forbid' allows URLs without a trailing slash", async () => {
+    const { seen, driver } = recordingDriver()
+    const m = createMisina({ driver, retry: 0, trailingSlash: "forbid" })
+
+    await m.get("https://api.test/users")
+    expect(seen[0]).toBe("https://api.test/users")
+  })
+
+  it("per-request override beats defaults", async () => {
+    const { seen, driver } = recordingDriver()
+    const m = createMisina({ driver, retry: 0, trailingSlash: "strip" })
+
+    await m.get("https://api.test/users/", { trailingSlash: "preserve" })
+    expect(seen[0]).toBe("https://api.test/users/")
+  })
+
+  it("does not interfere with baseURL resolution", async () => {
+    const { seen, driver } = recordingDriver()
+    const m = createMisina({
+      driver,
+      retry: 0,
+      baseURL: "https://api.test/v1/",
+      trailingSlash: "strip",
+    })
+
+    await m.get("users/")
+    expect(seen[0]).toBe("https://api.test/v1/users")
+  })
+})
