https://pub.dev/packages/shelf

We really encourage folks to build on top of shelf. It's designed to be more easily composed.

Let me know if you want to chat!

I have been using Alfred to serve up files to a flutter web app without issue on windows (both flutter web and Alfred server). But, if I try to add HTTP calls from the flutter web app the Alfred server gets the call, but in Flutter Web it errors our Error: XMLHttpRequest.

Is this because of a CORS issue? Is there a setting I need, a CORS middleware setting?

Hi! Could you explain me the situation when multi threading and isolates can be helpful?

My app have two handlers: /count /sql-upsert /statistic

I have 4 instance of ParserApp. Every instance after run:

1. Send count request (DB is very big so it may take up to 10 seconds for every request)
2. Start processing files and 2.1 sending to sql-upsert result of parsing as SQL plain text statement, 2.2 update status of processed files

/statistic handler is for big and complex request that run can take up to 30 minutes.

So could the single isolate (that used by default) be bottleneck in my case? And could isolates be helpful?

It just seems to me that all IO falls on the database or am I wrong?

upd: Could be PostgreSQL connection object is bottleneck? If I am using it from handler above? I am using this driver: https://pub.dev/packages/postgres

I have a folder called web which contains HTML, CSS, and Javascript files.

I need to serve the HTML file with CSS and Javascript as well how can I do that in Alfred.

something like res.render('index.html') in Node.Js

The Javascript File and the CSS file or not shown while the HTML is loaded.

In the README there is the following example:

import 'dart:async';
import 'dart:io';

import 'package:alfred/alfred.dart';

FutureOr exampleMiddlware(HttpRequest req, HttpResponse res) {
  // Do work
}

void main() async {
  final app = Alfred();
  app.all("/example/:id/:name", (req, res) {
    req.params["id"] != null; //true
    req.params["name"] != null; //true;
  }, middleware: [exampleMiddlware]);

  await app.listen(); //Listening on port 3000
}

• From reading this example the order of execution is not clear.
• The parameter extraction is irrelevant to the example.
• Maybe adding comments hinting what's executed first
• The parameter name middleware doesn't fit here, because it does not give a cue on execution order. Maybe introduce before: [exampleMiddleware] or after: [exampleMiddleware] for pre/postprocessing?

Hello,

sending any response status code in internal error handler caused an error, when request body is not a valid JSON

Unhandled exception:
Bad state: Header already sent
#0      _HttpResponse.statusCode= (dart:_http/http_impl.dart:1190:35)
#1      errorHandler (test.dart:18:7)
#2      Alfred._incomingRequest (package:alfred/src/alfred.dart:419:35)
<asynchronous suspension>
#3      _QueuedFuture.execute (package:queue/src/dart_queue_base.dart:26:16)
<asynchronous suspension>

Code to reproduce

import 'dart:async';
import 'package:alfred/alfred.dart';

void main() async {
  final app = Alfred(onInternalError: errorHandler);

  app.get('/example', (req, res) {
    final body = req.bodyAsJsonMap;
    res.statusCode = 200;
    return body;
  });

  await app.listen();
}

FutureOr errorHandler(HttpRequest req, HttpResponse res) {
  res.statusCode = 500;
  return {'message': 'error not handled'};
}

CURL

curl --request GET \
  --url http://localhost:3000/example \
  --header 'Content-Type: application/json' \
  --data '{
	"test": true,
}'

If I get it right, the problem is that body parser already send 400 HTTP code https://github.com/rknell/alfred/blob/master/lib/src/body_parser/http_body.dart#L123 Is it intended behaviour?

Hello,

On the backend side, I use a code to access my photos.

app.get("/assets/files/*", (req, res) => Directory('files/'));

If I write another link instead of the photo link, I can access whatever file I want to access, which is pretty bad.

When I go to 127.0.0.1:3000/assets/files/notes.txt we should expect to read notes.txt, it works correctly.

But if i go to 127.0.0.1:3000/assets/files/..%2f/..%2f/..%2f/..%2f/..%2f/..%2f/..%2f/..%2f/..%2f/..%2f/..%2f/..%2f/..%2f/etc/passwd

I can access the passwd file on my computer and I have not found a way to fix it.

I think this only happens with ..%2f. if I replace %2f with / I cannot access the passwd file.

I think there is a vulnerability with %2f.

Route matching is based on regular expressions that are currently built by the RouteMatcher class each time Alfred receives a request. The current implementation also eagerly evaluates all routes even if the first route will do.

I proposed a change to build the RegExp when the route is created and avoid creating the same RegExp over and over again. I also turned the match() method into a generator to avoid systematic evaluation of all routes.

I also considered changing the way routes ending with a * segment works but this would be a breaking change. Currently, if the last segment is a *, the RegExp is terminated with:

        /// Generously match path if last segment is wildcard (*)
        /// Example: 'some/path/*' => should match 'some/path'
        matcher += '/?.*';

How would you consider the following change? The idea is to match some/path, some/path/, some/path/whatever, but not some/pathbreaking.

        /// Generously match path if last segment is wildcard (*)
        /// Example: 'some/path/*' => should match 'some/path' but not 'some/pathology'
        matcher += '(?:/.*|)';

I also considered using named groups in the RegExp and capture parameters at match time to avoid additional parsing done in getParams(), but I'm not sure how it would play with NotMatchingRouteException. This would certainly be a breaking change too, although I believe the current implementation is broken because it expects the input Uri to contain as many segment as the route does. This will not work with wildcards eg.

• route /some/*/thing/:id should match Uri /some/path/to/thing/abc but getParams() will throw (4 segments vs. 5)
• route /some/thing/:id/* should match Uri /some/thing/abc but getParams() will throw (4 segments vs. 3)

Leveraging named groups would correctly capture parameters for such routes and getParams() could be removed altogether. If the route matches, there should be no reason why getParams() throws.

Hey, I figured I'd open a tracking ticket, since I like the way this project is progressing. Most server-side frameworks have ways (built-in or third party) to authenticate users; do you think that's something you'd be interested in building out down the line?

Obviously, there's a cost in terms of complexity and ease of maintenance; on the other hand, authentication is probably the most universal of the currently unmet needs in terms of the Dart server ecosystem.

Kevin Moo reported the discontinuity of the http_server package. https://www.reddit.com/r/dartlang/comments/mkafju/palace_server_side_dart_framework/gtmmbp4?utm_source=share&utm_medium=web2x&context=3

https://pub.dev/packages/http_server

While reviewing the routing algorithms I noticed a flaw which makes onNotFound handler not working as intended.

Alfred looks for any matching route. If he doesn't find any, it's a "not found" for him. This assumption is wrong because any middleware acts like an effective route. This results in using any middleware makes the onNotFound handler not functional.

Here is an example:

import 'package:alfred/alfred.dart';

Future<void> main() async {
  final app = Alfred(
    onNotFound: (req, res) => '404'
  );

  app.all('*', (req, res) { // mandatory middleware
    res.headers.set('X-Powered-By', 'Alfred');
  });

  app.get('/valid', (req, res) => 'Valid route');

  await app.listen();

  // GET 'http://localhost:3000/notvalid' => no 404
}

I tried to figure out the perfect moment for saying "not found". I realized the location where Alfred checks non-done request and prints out a warning is perfect for being "not found":

        /// If you got here and isDone is still false, you forgot to close
        /// the response, or your didn't return anything. Either way its an error,
        /// but instead of letting the whole server hang as most frameworks do,
        /// lets at least close the connection out
        ///
        if (!isDone) {
          if (request.response.contentLength == -1) {
            print(
                "Warning: Returning a response with no content. ${effectiveRoutes.map((e) => e.route).join(", ")}");
          }
          await request.response.close();
        }

Let met try to explain what I mean by "async-safe".

My expectation for serving a page is that the response is

1. returned/written only when all async computation that has finished for a given request finished running
2. can capture any all all async computation exceptions before a response would be returned to the browser

Let me demonstrate it:

import 'dart:async';
import 'dart:io';
import 'dart:math';

import 'package:alfred/alfred.dart';

final rnd = Random.secure();

void main() async {
  final app = Alfred(
    onInternalError: (req, resp) {
      stderr.writeln('Internal error occured for ${req.store.get('rid')}');
    },
    logLevel: LogType.debug,
  );
  app.all('*', (req, res) {
    final id = (rnd.nextInt(8999999) + 1000000).toRadixString(36);
    print('Request ID: $id');
    req.store.set('rid', id);
  });

  app.get('/err', (req, res) async {
    Future.delayed(Duration(seconds: 5), () async {
      throw 'ASYNC ERR';
    });
    return 'Returned before all request related computation finished: ${req.store.get('rid')}';
  });

  app.printRoutes();
  await app.listen();

  print('Server is listening on http://localhost:3000');
}

In this very specific instance, I'd expect the following to happen:

1. onInternalError catches ASYNC ERR - it does not
2. before /err's return value would be written (sent back to browser), delayed future's result is awaited
3. server does not crash - it does

While this can be worked around and lint rules set up (unawaited_futures eg.), it is very likely that eventually some random future will crash the server which will be very hard to track down without the capability of catching it.

A solution I saw being used is that all code that works on requests or responses are ran within it's own error zone (runZonedGuarded). With a custom Zone implementaiton, you could even give super useful warning messages that request returned before all futures would have completed (similar to how test package tracks them).

This would give me a sense of security.

Thanks for this amazing idea! Inspired by this Issue : https://github.com/rknell/alfred/issues/88

With this Mixin we can create class-based middlewares

class _ExampleMiddleware with CallableRequestMixin{
  @override
  FutureOr call(HttpRequest req, HttpResponse res) {
    if (req.headers.value('Authorization') != 'apikey') {
      throw AlfredException(401, {'message': 'authentication failed'});
    }
  }
}

void main() async {
  final app = Alfred();
  app.all('/example/:id/:name', (req, res) {}, middleware: [_ExampleMiddleware()]);

  await app.listen(); //Listening on port 3000
}

and End-Point callback too !

class _RequestController with CallableRequestMixin {
  @override
  FutureOr call(HttpRequest req, HttpResponse res) => "I'm a Class :)";
}

void main() async {
  final app = Alfred();

  app.get('/text', _RequestController());

  await app.listen(6565); //Listening on port 6565
}

Hello,

I am trying to send multiple keys/value with the same key name using the post method using form-data.

However, I can only get the last one of the values with the same key name.

My goal is to upload images to the server using the same key like file[] name but I can only get the last one.

How can I handle form-data keys using the same key name?

Form-Data looks like this.

name = "John" Age = 24 file[] = Image1.jpg file[] = Image2.jpg file[] = Image3.jpg file[] = Image4.jpg

Whenever I check the incoming data, only image4 is read. What I want to do is to loop and process how many file[] there are.

When sending the Form-Data, I can make the key names as file[1] file[2], but I wonder why I can't do this by sending the same name, is this feature not supported or did I fail.

PS: Thank you very much for the beautiful package, it is a great job.

This is not an issue with the package, but an example of a way you could implement Middlewares very cleanly:

The idea, I got from https://github.com/vandadnp/flutter-tips-and-tricks#callable-classes-in-dart.

// login_middleware.dart
import 'package:alfred/alfred.dart';

class LoginMiddleware {
  const LoginMiddleware();

  Future<dynamic> call(HttpRequest req, HttpResponse res) async {
    final body = await req.bodyAsJsonMap;
    final email = body['email'] as String?;
    final password = body['password'] as String?;

    // you can add more requirements if you like
    if (email == null || password == null) {
      res.statusCode = 400;
      return {'error': 'email and password are required'};
    }

    // save the variables in store to grab them later inside the callback function
    req.store.set('email', email);
    req.store.set('password', password);

    return null;
  }
}

and here's the implementation of this:

import 'package:alfred/alfred.dart';
import './auth_validator.dart';

final app = Alfred().post(
  '/login',
  (req, res) {
    // your callback function
  },
  middleware: [
    const LoginValidator(),
  ],
);

I hope this is useful to someone :))

Hello. First of all, thank you for this useful package.

I want to get large files, for example 2 GB. Is the file received in memory? Is it possible for me to give the file path to be saved in pieces?