fix: replace event.node.req/res with H3 platform-agnostic APIs

event.node is undefined in Web-standard runtimes (Netlify Functions v2,
Cloudflare Workers). Use H3's getRequestHeader, setResponseHeader,
getMethod, and Web Response instead of accessing Node.js request/response
objects directly. This makes all framework plugins work across all
deployment targets.

Author: steve8708

packages/core/src/resources/handlers.ts

@@ -3,6 +3,7 @@ import {
   readBody,
   getQuery,
   getRouterParam,
+  setResponseHeader,
   setResponseStatus,
   getMethod,
   readMultipartFormData,
@@ -231,10 +232,9 @@ export async function handleGetResource(event: any) {
       ? Buffer.from(resource.content, "utf-8")
       : Buffer.from(resource.content, "base64");
 
-    event.node.res.setHeader("Content-Type", resource.mimeType);
-    event.node.res.setHeader("Content-Length", buf.length);
-    event.node.res.end(buf);
-    return;
+    setResponseHeader(event, "Content-Type", resource.mimeType);
+    setResponseHeader(event, "Content-Length", buf.length);
+    return new Response(buf);
   }
 
   // For binary resources (images, audio, video), omit the content field from

packages/core/src/server/auth.ts

@@ -328,7 +328,7 @@ export async function getSession(event: H3Event): Promise<AuthSession | null> {
         maxAge: sessionMaxAge,
       });
       // Prevent token from leaking via Referer headers
-      event.node.res.setHeader("Referrer-Policy", "no-referrer");
+      setResponseHeader(event, "Referrer-Policy", "no-referrer");
       return { email, token: qToken };
     }
   }

packages/core/src/server/create-server.ts

@@ -2,7 +2,10 @@ import {
   createApp,
   createRouter,
   defineEventHandler,
+  getMethod,
+  getRequestHeader,
   readBody,
+  setResponseHeader,
   setResponseStatus,
   type H3Event,
 } from "h3";
@@ -140,8 +143,7 @@ export function createServer(
 
     app.use(
       defineEventHandler((event) => {
-        const headers = event.node.res;
-        const requestOrigin = event.node.req.headers.origin;
+        const requestOrigin = getRequestHeader(event, "origin");
 
         // If allowlist is configured, validate origin; otherwise allow all (dev)
         const origin =
@@ -150,23 +152,23 @@ export function createServer(
               ? requestOrigin
               : allowedOrigins[0]
             : requestOrigin || "*";
-        headers.setHeader("Access-Control-Allow-Origin", origin);
+        setResponseHeader(event, "Access-Control-Allow-Origin", origin);
         if (origin !== "*") {
-          headers.setHeader("Vary", "Origin");
+          setResponseHeader(event, "Vary", "Origin");
         }
-        headers.setHeader(
+        setResponseHeader(
+          event,
           "Access-Control-Allow-Methods",
           "GET,POST,PUT,PATCH,DELETE,OPTIONS",
         );
-        headers.setHeader(
+        setResponseHeader(
+          event,
           "Access-Control-Allow-Headers",
           "Content-Type,Authorization,X-Requested-With",
         );
 
-        if (event.node.req.method === "OPTIONS") {
-          headers.writeHead(204);
-          headers.end();
-          return null;
+        if (getMethod(event) === "OPTIONS") {
+          return new Response(null, { status: 204 });
         }
       }),
     );