fix(net.http): guard QUIC/ngtcp2 dependency, fix compilation and correctness issues

- Guard net.http.v3/net.quic imports behind -d use_ngtcp2 compile flag
  so HTTP/1.1/2 users do not require ngtcp2 native libraries (P1)
- Forward TLS verify/cert/cert_key/validate settings to HTTP/2 client
  path, fixing silent certificate validation bypass (P2-security)
- Fix QUIC receive callback to capture stream data instead of
  discarding data/datalen parameters (P1)
- Fix double-slash path parsing regression using parse_request_uri
  instead of urllib.parse for request-targets (P2)
- Fix redirect 303 to switch method to GET and drop body (P2)
- Fix HTTP/2 integration_full_test.v: headers -> header field name (P2)
- Harden C/V struct interop: use i32 for QuicStreamEvents fields,
  add struct size assertion test
- Sanitize DebugHandler to not echo sensitive request data

Author: jupilhwang

vlib/net/http/request.v

@@ -100,11 +100,12 @@ pub fn (req &Request) do() !Response {
 	mut rurl := url
 	mut resp := Response{}
 	mut nredirects := 0
+	mut method := req.method
 	for {
 		if nredirects == max_redirects {
 			return error('http.request.do: maximum number of redirects reached (${max_redirects})')
 		}
-		qresp := req.method_and_url_to_response(req.method, rurl)!
+		qresp := req.method_and_url_to_response(method, rurl)!
 		resp = qresp
 		if !req.allow_redirect {
 			break
@@ -113,6 +114,18 @@ pub fn (req &Request) do() !Response {
 			.permanent_redirect] {
 			break
 		}
+		// Per HTTP spec, 303 See Other requires switching to GET and dropping the body.
+		// 301/302 historically also switch to GET in practice (browser behavior).
+		if resp.status() in [.moved_permanently, .found, .see_other] {
+			method = .get
+			// Drop the request body for GET redirects by temporarily clearing req.data.
+			// build_request_headers reads req.data for Content-Length and body content.
+			unsafe {
+				mut mreq := req
+				mreq.data = ''
+			}
+		}
+		// 307/308 preserve the original method and body (no change needed)
 		// follow any redirects
 		mut redirect_url := resp.header.get(.location) or { '' }
 		if redirect_url.len > 0 && redirect_url[0] == `/` {
@@ -615,7 +628,7 @@ fn parse_request_line(line string) !(Method, urllib.URL, Version) {
 	method := method_from_str_known(method_str) or {
 		return error('unsupported method')
 	}
-	target := urllib.parse(target_str)!
+	target := urllib.parse_request_uri(target_str)!
 	// println('before version_str="${version_str}"')
 	version := version_from_str(version_str)
 	// println('VERSION="${version}"')

vlib/net/http/request_headers_internal_test.v

@@ -24,3 +24,21 @@ fn test_build_request_headers_respects_case_insensitive_existing_headers() {
 	assert lower.contains('user-agent: already-present')
 	assert lower.contains('content-length: 999')
 }
+
+fn test_build_request_headers_method_override_for_redirect() {
+	// Verifies that build_request_headers uses the method parameter (not req.method).
+	// This is critical for 303 redirect handling where do() passes .get
+	// even though req.method is .post.
+	req := Request{
+		method:     .post
+		url:        'http://example.com'
+		data:       'post_body'
+		user_agent: 'v.http'
+	}
+	// When method parameter is GET (simulating 303 redirect), headers should show GET
+	headers_get := req.build_request_headers(.get, 'example.com', 80, '/redirected')
+	assert headers_get.starts_with('GET /redirected HTTP/1.1\r\n')
+	// When method parameter is POST (original or 307/308), headers should show POST
+	headers_post := req.build_request_headers(.post, 'example.com', 80, '/original')
+	assert headers_post.starts_with('POST /original HTTP/1.1\r\n')
+}

vlib/net/http/request_test.v

@@ -406,3 +406,51 @@ fn test_parse_request_with_limit_rejects_truncated_body() {
 	}
 	assert false, 'expected error for truncated body via parse_request_with_limit'
 }
+
+fn test_parse_request_line_double_slash_path() {
+	// Regression: GET //another.html HTTP/1.1 should preserve //another.html as path,
+	// not interpret 'another.html' as a host (authority) due to the // prefix.
+	method, target, version := http.parse_request_line('GET //another.html HTTP/1.1') or {
+		panic('did not parse: ${err}')
+	}
+	assert method == .get
+	assert version == .v1_1
+	// The path must be //another.html, not empty or misinterpreted
+	assert target.path == '//another.html'
+	assert target.host == ''
+}
+
+fn test_parse_request_double_slash_full_request() {
+	// Full request parsing with double-slash path
+	mut r := reader('GET //another.html HTTP/1.1\r\nHost: example.com\r\n\r\n')
+	req := http.parse_request(mut r) or { panic('did not parse: ${err}') }
+	assert req.method == .get
+	assert req.url == '//another.html'
+}
+
+fn test_parse_request_line_double_slash_with_query() {
+	// Double-slash path with query string
+	method, target, version := http.parse_request_line('GET //page?key=val HTTP/1.1') or {
+		panic('did not parse: ${err}')
+	}
+	assert method == .get
+	assert version == .v1_1
+	assert target.path == '//page'
+	assert target.host == ''
+}
+
+fn test_redirect_303_method_and_body_handling() {
+	// Verify that the Request struct supports the method/data fields needed
+	// for redirect handling. The do() function now uses mutable local variables
+	// for method (and unsafe mutation for data) to correctly handle 303 See Other
+	// redirects by switching to GET and dropping the body.
+	// Full integration testing of 303 redirects requires a live HTTP server.
+	req := http.Request{
+		method: .post
+		data: 'original_body'
+		allow_redirect: true
+	}
+	assert req.method == .post
+	assert req.data == 'original_body'
+	assert req.allow_redirect == true
+}

vlib/net/http/request_version.v

@@ -3,33 +3,12 @@ module http
 // HTTP version negotiation and multi-version request dispatch.
 // Alt-Svc cache integration: do_http2 checks for Alt-Svc headers in responses
 // and negotiate_version consults the cache before defaulting to HTTP/2.
+//
+// v3 (QUIC) support lives in request_version_d_use_ngtcp2.v and is only
+// compiled when `-d use_ngtcp2` is passed. The fallback stubs are in
+// request_version_notd_use_ngtcp2.v.
 import net.urllib
 import net.http.v2
-import net.http.v3
-
-// negotiate_version selects the HTTP version for a request.
-// Checks Alt-Svc cache for h3 entries before defaulting to v2 for HTTPS.
-fn (req &Request) negotiate_version(url urllib.URL) Version {
-	if req.version != .unknown {
-		return req.version
-	}
-
-	if url.scheme != 'https' {
-		return .v1_1
-	}
-
-	if req.alt_svc_cache != unsafe { nil } {
-		origin := normalized_origin(url)
-		mut cache := unsafe { req.alt_svc_cache }
-		if _ := cache.get_h3_endpoint(origin) {
-			return .v3_0
-		}
-	}
-
-	return .v2_0
-}
-
-// Method is now unified via common.Method — direct cast replaces manual mapping.
 
 // build_client_header prepares the request header for v2/v3 clients,
 // adding user-agent and content-length if not already set.
@@ -61,42 +40,11 @@ fn normalized_origin(url urllib.URL) string {
 	return '${url.scheme}://${url.hostname()}:${port}'
 }
 
-fn (req &Request) do_http2(url urllib.URL) !Response {
-	host_name := url.hostname()
-	mut nport := url.port().int()
-	if nport == 0 {
-		nport = 443
-	}
-
-	address := '${host_name}:${nport}'
-
-	mut client := v2.new_client(address) or { return error('HTTP/2 connection failed: ${err}') }
-
-	defer {
-		client.close()
-	}
-
-	v2_req := v2.Request{
-		method: v2.Method(req.method)
-		url:    build_request_path(url)
-		host:   host_name
-		data:   req.data
-		header: req.build_client_header()
-	}
-
-	v2_resp := client.request(v2_req) or { return error('HTTP/2 request failed: ${err}') }
-
-	actual_resp := if v2.is_misdirected(v2_resp) {
-		client.close()
-		v2.handle_misdirected(address, v2_req) or {
-			return error('HTTP/2 misdirected retry failed: ${err}')
-		}
-	} else {
-		v2_resp
-	}
-
+// maybe_store_alt_svc checks the response for an Alt-Svc header and, if
+// present, parses and stores the entries in the Alt-Svc cache.
+fn (req &Request) maybe_store_alt_svc(url urllib.URL, resp_header Header) {
 	if req.alt_svc_cache != unsafe { nil } {
-		if alt_svc_val := actual_resp.header.get_custom('alt-svc') {
+		if alt_svc_val := resp_header.get_custom('alt-svc') {
 			entries := parse_alt_svc(alt_svc_val)
 			if entries.len > 0 {
 				origin := normalized_origin(url)
@@ -105,15 +53,9 @@ fn (req &Request) do_http2(url urllib.URL) !Response {
 			}
 		}
 	}
-
-	return Response{
-		body:        actual_resp.body
-		status_code: actual_resp.status_code
-		header:      actual_resp.header
-	}
 }
 
-fn (req &Request) do_http3(url urllib.URL) !Response {
+fn (req &Request) do_http2(url urllib.URL) !Response {
 	host_name := url.hostname()
 	mut nport := url.port().int()
 	if nport == 0 {
@@ -122,41 +64,38 @@ fn (req &Request) do_http3(url urllib.URL) !Response {
 
 	address := '${host_name}:${nport}'
 
-	mut client := v3.new_client(address) or { return error('HTTP/3 connection failed: ${err}') }
+	mut client := v2.new_client_with_config(address, v2.ClientConfig{
+		verify:                 req.verify
+		cert:                   req.cert
+		cert_key:               req.cert_key
+		validate:               req.validate
+		in_memory_verification: req.in_memory_verification
+	}) or { return error('HTTP/2 connection failed: ${err}') }
 
 	defer {
 		client.close()
 	}
 
-	v3_req := v3.Request{
-		method: v3.Method(req.method)
+	v2_req := v2.Request{
+		method: v2.Method(req.method)
 		url:    build_request_path(url)
 		host:   host_name
 		data:   req.data
 		header: req.build_client_header()
 	}
 
-	v3_resp := client.request(v3_req) or { return error('HTTP/3 request failed: ${err}') }
+	v2_resp := client.request(v2_req) or { return error('HTTP/2 request failed: ${err}') }
 
-	actual_resp := if v3.is_misdirected(v3_resp) {
+	actual_resp := if v2.is_misdirected(v2_resp) {
 		client.close()
-		v3.handle_misdirected(address, v3_req) or {
-			return error('HTTP/3 misdirected retry failed: ${err}')
+		v2.handle_misdirected(address, v2_req) or {
+			return error('HTTP/2 misdirected retry failed: ${err}')
 		}
 	} else {
-		v3_resp
+		v2_resp
 	}
 
-	if req.alt_svc_cache != unsafe { nil } {
-		if alt_svc_val := actual_resp.header.get_custom('alt-svc') {
-			entries := parse_alt_svc(alt_svc_val)
-			if entries.len > 0 {
-				origin := normalized_origin(url)
-				mut cache := unsafe { req.alt_svc_cache }
-				cache.store(origin, entries)
-			}
-		}
-	}
+	req.maybe_store_alt_svc(url, actual_resp.header)
 
 	return Response{
 		body:        actual_resp.body

vlib/net/http/request_version_d_use_ngtcp2.v

@@ -0,0 +1,70 @@
+module http
+
+// HTTP/3 (QUIC) request support — compiled only with `-d use_ngtcp2`.
+import net.urllib
+import net.http.v3
+
+// negotiate_version selects the HTTP version for a request.
+// Checks Alt-Svc cache for h3 entries before defaulting to v2 for HTTPS.
+fn (req &Request) negotiate_version(url urllib.URL) Version {
+	if req.version != .unknown {
+		return req.version
+	}
+
+	if url.scheme != 'https' {
+		return .v1_1
+	}
+
+	if req.alt_svc_cache != unsafe { nil } {
+		origin := normalized_origin(url)
+		mut cache := unsafe { req.alt_svc_cache }
+		if _ := cache.get_h3_endpoint(origin) {
+			return .v3_0
+		}
+	}
+
+	return .v2_0
+}
+
+fn (req &Request) do_http3(url urllib.URL) !Response {
+	host_name := url.hostname()
+	mut nport := url.port().int()
+	if nport == 0 {
+		nport = 443
+	}
+
+	address := '${host_name}:${nport}'
+
+	mut client := v3.new_client(address) or { return error('HTTP/3 connection failed: ${err}') }
+
+	defer {
+		client.close()
+	}
+
+	v3_req := v3.Request{
+		method: v3.Method(req.method)
+		url:    build_request_path(url)
+		host:   host_name
+		data:   req.data
+		header: req.build_client_header()
+	}
+
+	v3_resp := client.request(v3_req) or { return error('HTTP/3 request failed: ${err}') }
+
+	actual_resp := if v3.is_misdirected(v3_resp) {
+		client.close()
+		v3.handle_misdirected(address, v3_req) or {
+			return error('HTTP/3 misdirected retry failed: ${err}')
+		}
+	} else {
+		v3_resp
+	}
+
+	req.maybe_store_alt_svc(url, actual_resp.header)
+
+	return Response{
+		body:        actual_resp.body
+		status_code: actual_resp.status_code
+		header:      actual_resp.header
+	}
+}

vlib/net/http/request_version_notd_use_ngtcp2.v

@@ -0,0 +1,22 @@
+module http
+
+// Fallback stubs when QUIC/ngtcp2 is not available.
+import net.urllib
+
+// negotiate_version selects the HTTP version for a request.
+// Without ngtcp2, HTTP/3 is never negotiated.
+fn (req &Request) negotiate_version(url urllib.URL) Version {
+	if req.version != .unknown {
+		return req.version
+	}
+
+	if url.scheme != 'https' {
+		return .v1_1
+	}
+
+	return .v2_0
+}
+
+fn (req &Request) do_http3(url urllib.URL) !Response {
+	return error('HTTP/3 requires -d use_ngtcp2')
+}