Features for 2.0 and beyond #66

Open
28 of 46 tasks
kraih opened this issue Jun 10, 2022 · 5 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@kraih
Member

kraih commented Jun 10, 2022

With the 1.0 release quickly approaching done, it is time to make a list of features we would like to see afterwards.

  • Core framework
    • Application mount support (app.plugin(mountPlugin, {app: fooApp, path: '/prefix'}))
    • Nested helpers (ctx.foo.bar(...))
    • Custom URL class with better manipulation methods (like Mojo::URL)
    • Express middleware support (maybe as a plugin with request and response object emulation)
    • Proxy helpers (ctx.proxyGet(), ctx.proxyRequest())
  • Assets
    • URL generation (ctx.urlForAsset('foo.js') returns /static/assets/foo.abcd1234.js)
    • Headers to prevent caching for assets in development mode (foo.development.js)
  • Documentation
    • Port testing guide to JavaScript
    • Port all reference documentation examples to JavaScript
    • Form validation with JSON schema
    • Many more recipes for the cookbook (including all from Mojolicious)
    • Reference documentation for classes (needs to be generated on the website)
  • WebSockets
    • Support for custom headers in handshake (client and server)
    • Support for subprotocol negotiation from action
    • Reconnect feature for the client
  • Client
    • Switch to @mojojs/user-agent (more WHATWG APIs)
    • UNIX domain sockets (http+unix://...)
    • HTTP/2 support (we might just support it via the fetch API)
    • HTTP/3 support (🚫 not yet in Node.js)
  • Server:
    • UNIX domain sockets (http+unix://...)
    • HTTP/2 support (⚠️ tricky because of WebSockets)
    • HTTP/3 support (🚫 not yet in Node.js)
    • Server-Sent Events (provide an actual API)
  • Renderer
    • Port all the tag helpers
      • colorFieldTag
      • dateFieldTag
      • datetimeFieldTag
      • emailFieldTag
      • fileFieldTag
      • hiddenFieldTag
      • labelFor
      • monthFieldTag
      • numberFieldTag
      • passwordFieldTag
      • rangeFieldTag
      • searchFieldTag
      • selectFieldTag (⚠️ quite complex)
      • telFieldTag
      • textFieldTag
      • timeFieldTag
      • urlFieldTag
      • weekFieldTag
  • Example apps
    • Chat (ported from Perl)
  • TypeScript
    • Updated app generator commands with TypeScript support
    • Update plugin generator command with TypeScript support (--ts flag)
  • Command line
    • perl -Mojo -E '...' equivalent (something better than npx mojo eval -v '...'?)
@kraih kraih added enhancement New feature or request help wanted Extra attention is needed labels Jun 10, 2022
@kraih kraih pinned this issue Jun 12, 2022
@tigrankhachikyan

Would be great to have csrf_field tag helper.

@kraih
Member Author

kraih commented Sep 29, 2022

> Would be great to have csrf_field tag helper.

That doesn't really work with JSON schema based validation. And has become kinda obsolete with SameSite cookies.

Edit: And for the record, mojo.js session cookies default to SameSite: lax. So they are reasonably well protected already, as long as you are not misusing GET routes.

@ralyodio

I’d be willing to create a chat example if someone tells me how to broadcast to websocket clients

@kraih
Member Author

kraih commented Oct 23, 2022

> I’d be willing to create a chat example if someone tells me how to broadcast to websocket clients

The blue checkmark means it's already done.

@mojolicious mojolicious deleted a comment from ralyodio Oct 24, 2022
@dmanto
Contributor

dmanto commented Nov 9, 2022

> > Would be great to have csrf_field tag helper.
>
> That doesn't really work with JSON schema based validation. And has become kinda obsolete with SameSite cookies.
>
> Edit: And for the record, mojo.js session cookies default to SameSite: lax. So they are reasonably well protected already, as long as you are not misusing GET routes.

Unfortunately, SameSite cookies don't protect against CSRF attacks on websockets. Please see this article. So as mentioned there we would need at least to check on the Origin header or use some kind of randomly generated CSRF token.
In mojo.pl you could generate a ws(s) URL with a query parameter named csrf_token, generated with the existing helper, and then validate that inside the websocket, assuring that the rest of the mojo cookies are valid.
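
The two handshake checks suggested in the comment above (Origin allowlist plus a csrf_token query parameter), as an added example that is not part of the original thread and is not mojo.js or Mojolicious code. `checkHandshake`, `ALLOWED_ORIGINS`, `SESSION` and the sample values are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not a mojo.js API.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed value

// Compare every byte instead of stopping at the first mismatch.
// (Node's crypto.timingSafeEqual is the library routine for equal-length buffers.)
function safeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % y.length];
  return diff === 0;
}

// req: the HTTP upgrade request ({headers, url}).
// session: data recovered from the already-verified session cookie.
function checkHandshake(req, session) {
  // Origin check: browsers set Origin on WebSocket handshakes and page
  // scripts cannot override it, so it identifies the page that opened the socket.
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {ok: false, reason: 'origin'};

  // Token check: the page embeds the session's CSRF token in the ws(s) URL.
  const url = new URL(req.url, 'ws://placeholder.invalid');
  const supplied = url.searchParams.get('csrf_token');
  if (!session || !session.csrfToken || !supplied) return {ok: false, reason: 'csrf_token'};
  if (!safeEqual(supplied, session.csrfToken)) return {ok: false, reason: 'csrf_token'};
  return {ok: true, reason: null};
}

// Constructed handshakes, not captured traffic.
const SESSION = {csrfToken: 'constructed-token-4f1c9a'};
const SAMPLES = [
  {headers: {origin: 'https://app.example.com'}, url: '/chat?csrf_token=constructed-token-4f1c9a'},
  {headers: {origin: 'https://other.example'}, url: '/chat?csrf_token=constructed-token-4f1c9a'},
  {headers: {origin: 'https://app.example.com'}, url: '/chat'},
  {headers: {origin: 'https://app.example.com'}, url: '/chat?csrf_token=wrong'},
  {headers: {}, url: '/chat?csrf_token=constructed-token-4f1c9a'}
];
for (const req of SAMPLES) {
  const result = checkHandshake(req, SESSION);
  console.log(req.headers.origin || '(no Origin)', req.url, '->', result.ok ? 'accept' : `reject (${result.reason})`);
}
```

Because the token travels in the query string, it will appear wherever request URLs are logged.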

4 participants