feat(server): renamed to StrictGetMethodPlugin and enabled it by default in RPCHandler (#348)

GetMethodGuardPlugin -> StrictGetMethodPlugin

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **Documentation**
- Updated sidebar navigation and guides to reflect the shift to a
stricter GET method enforcement in RPC documentation.
- Added clarifications regarding the default behavior of the RPCHandler
and the necessity for explicit permissions for GET requests.

- **Enhancements**
- Improved RPC security defaults by enforcing strict GET request
handling, with a new option to disable this behavior if needed.

- **Tests**
- Added test cases to ensure that the new default configuration is
correctly initialized and applied.
- Modified existing tests to incorporate the new configuration option
for the RPCHandler.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Author: unnoq

apps/content/.vitepress/config.ts

@@ -110,10 +110,10 @@ export default defineConfig({
             { text: 'CORS', link: '/docs/plugins/cors' },
             { text: 'Response Headers', link: '/docs/plugins/response-headers' },
             { text: 'Batch Request/Response', link: '/docs/plugins/batch-request-response' },
-            { text: 'GET method guard', link: '/docs/plugins/get-method-guard' },
             { text: 'Client Retry', link: '/docs/plugins/client-retry' },
             { text: 'Body Limit', link: '/docs/plugins/body-limit' },
             { text: 'Simple CSRF Protection', link: '/docs/plugins/simple-csrf-protection' },
+            { text: 'Strict GET method', link: '/docs/plugins/strict-get-method' },
           ],
         },
         {

apps/content/docs/advanced/rpc-protocol.md

@@ -30,7 +30,7 @@ const router = {
 Any HTTP method can be used. Input can be provided via URL query parameters or the request body.
 
 :::info
-To help prevent [Cross-Site Request Forgery (CSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) attacks, you can use the [GET Method Guard Plugin](/docs/plugins/get-method-guard) to restrict the use of the `GET` method.
+You can use any method, but by default, [RPCHandler](/docs/rpc-handler) enabled [StrictGetMethodPlugin](/docs/rpc-handler#default-plugins) which blocks GET requests except for procedures explicitly allowed.
 :::
 
 ### Input in URL Query

apps/content/docs/client/rpc-link.md

@@ -62,6 +62,10 @@ If a property in `ClientContext` is required, oRPC enforces its inclusion when c
 
 By default, RPCLink sends requests via `POST`. You can override this to use methods like `GET` (for browser or CDN caching) based on your requirements.
 
+::: warning
+By default, [RPCHandler](/docs/rpc-handler) enabled [StrictGetMethodPlugin](/docs/rpc-handler#default-plugins) which blocks GET requests except for procedures explicitly allowed. please refer to [StrictGetMethodPlugin](/docs/plugins/strict-get-method) for more details.
+:::
+
 ```ts twoslash
 import { RPCLink } from '@orpc/client/fetch'
 

apps/content/docs/plugins/get-method-guard.md renamed to apps/content/docs/plugins/strict-get-method.md

@@ -1,12 +1,16 @@
 ---
-title: GET Method Guard Plugin
-description: Enhance security by restricting GET requests to explicitly allowed procedures, mitigating Cross-Site Request Forgery (CSRF) risks.
+title: Strict GET Method Plugin
+description: Enhance security by ensuring only procedures explicitly marked to accept `GET` requests can be called using the HTTP `GET` method for RPC Protocol. This helps prevent certain types of Cross-Site Request Forgery (CSRF) attacks.
 ---
 
-# GET Method Guard Plugin
+# Strict GET Method Plugin
 
 This plugin enhances security by ensuring only procedures explicitly marked to accept `GET` requests can be called using the HTTP `GET` method for [RPC Protocol](/docs/advanced/rpc-protocol). This helps prevent certain types of [Cross-Site Request Forgery (CSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) attacks.
 
+::: info
+[RPCHandler](/docs/rpc-handler) enabled this plugin by default.
+:::
+
 ## When to Use
 
 This plugin is beneficial if your application stores sensitive data (like session or auth tokens) in Cookie storage using `SameSite=Lax` (the default) or `SameSite=None`.
@@ -29,11 +33,11 @@ const ping = os
 import { RPCHandler } from '@orpc/server/fetch'
 import { router } from './shared/planet'
 // ---cut---
-import { GetMethodGuardPlugin } from '@orpc/server/plugins'
+import { StrictGetMethodPlugin } from '@orpc/server/plugins'
 
 const handler = new RPCHandler(router, {
   plugins: [
-    new GetMethodGuardPlugin()
+    new StrictGetMethodPlugin()
   ],
 })
 ```

apps/content/docs/rpc-handler.md

@@ -83,3 +83,9 @@ const handler = new RPCHandler(router, {
   eventIteratorKeepAliveComment: '',
 })
 ```
+
+## Default Plugins
+
+RPCHandler is pre-configured with plugins that help enforce best practices and enhance security out of the box. By default, the following plugin is enabled:
+
+- [StrictGetMethodPlugin](/docs/plugins/strict-get-method) - Disable by setting `strictGetMethodPluginEnabled` to `false`.

packages/client/src/adapters/fetch/rpc-link.test.ts

@@ -13,7 +13,9 @@ describe.each(supportedDataTypes)('rpcLink: $name', ({ value, expected }) => {
     async function assertSuccessCase(value: unknown, expected: unknown): Promise<true> {
       const handler = vi.fn(({ input }) => input)
 
-      const rpcHandler = new RPCHandler(os.handler(handler))
+      const rpcHandler = new RPCHandler(os.handler(handler), {
+        strictGetMethodPluginEnabled: false,
+      })
 
       const rpcLink = new RPCLink({
         url: 'http://api.example.com',
@@ -45,7 +47,9 @@ describe.each(supportedDataTypes)('rpcLink: $name', ({ value, expected }) => {
         })
       })
 
-      const rpcHandler = new RPCHandler(os.handler(handler))
+      const rpcHandler = new RPCHandler(os.handler(handler), {
+        strictGetMethodPluginEnabled: false,
+      })
 
       const rpcLink = new RPCLink({
         url: 'http://api.example.com',

packages/server/src/adapters/fetch/body-limit-plugin.test.ts

@@ -7,6 +7,7 @@ describe('bodyLimitPlugin', () => {
 
   it('should ignore for non-body request', async () => {
     const handler = new RPCHandler(os.handler(() => 'ping'), {
+      strictGetMethodPluginEnabled: false,
       plugins: [
         new BodyLimitPlugin({ maxBodySize: 22 }),
       ],

packages/server/src/adapters/fetch/rpc-handler.test.ts

@@ -3,7 +3,9 @@ import { RPCHandler } from './rpc-handler'
 
 describe('rpcHandler', () => {
   it('works', async () => {
-    const handler = new RPCHandler(os.handler(() => 'pong'))
+    const handler = new RPCHandler(os.handler(() => 'pong'), {
+      strictGetMethodPluginEnabled: false,
+    })
 
     const { response } = await handler.handle(new Request('https://example.com/api/v1/?data=%7B%7D'), {
       prefix: '/api/v1',

packages/server/src/adapters/fetch/rpc-handler.ts

@@ -1,18 +1,11 @@
 import type { Context } from '../../context'
 import type { Router } from '../../router'
-import type { StandardRPCHandlerOptions } from '../standard'
 import type { FetchHandlerOptions } from './handler'
-import { StandardRPCJsonSerializer, StandardRPCSerializer } from '@orpc/client/standard'
-import { StandardHandler, StandardRPCCodec, StandardRPCMatcher } from '../standard'
+import { StandardRPCHandler, type StandardRPCHandlerOptions } from '../standard'
 import { FetchHandler } from './handler'
 
 export class RPCHandler<T extends Context> extends FetchHandler<T> {
   constructor(router: Router<any, T>, options: NoInfer<FetchHandlerOptions<T> & StandardRPCHandlerOptions<T>> = {}) {
-    const jsonSerializer = new StandardRPCJsonSerializer(options)
-    const serializer = new StandardRPCSerializer(jsonSerializer)
-    const matcher = new StandardRPCMatcher()
-    const codec = new StandardRPCCodec(serializer)
-
-    super(new StandardHandler(router, matcher, codec, options), options)
+    super(new StandardRPCHandler(router, options), options)
   }
 }

packages/server/src/adapters/node/rpc-handler.test.ts

@@ -5,7 +5,9 @@ import { RPCHandler } from './rpc-handler'
 
 describe('rpcHandler', () => {
   it('works', async () => {
-    const handler = new RPCHandler(os.handler(() => 'pong'))
+    const handler = new RPCHandler(os.handler(() => 'pong'), {
+      strictGetMethodPluginEnabled: false,
+    })
 
     const res = await request(async (req: IncomingMessage, res: ServerResponse) => {
       await handler.handle(req, res)