@agent-native/core 0.12.2 → 0.12.4

package/dist/server/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAsChE,KAAK,KAAK,GAAG,SAAS,CAAC;AAQvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AA2BlE;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;IACF;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAqBD,eAAO,MAAM,WAAW,QAER,CAAC;AAgBjB;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AA8ND;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AA6CD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAqQD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CA6E5E;AA+hCD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CAmJlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAEzE"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAsChE,KAAK,KAAK,GAAG,SAAS,CAAC;AAQvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AA2BlE;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;IACF;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAqBD,eAAO,MAAM,WAAW,QAER,CAAC;AAgBjB;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AA8ND;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AA6CD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAqQD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CA6E5E;AAgvCD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CAmJlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAEzE"}

package/dist/server/auth.js

@@ -891,73 +891,218 @@ function stripAppBasePath(pathname) {
 // ---------------------------------------------------------------------------
 // Login page HTML (ACCESS_TOKEN mode)
 // ---------------------------------------------------------------------------
-const TOKEN_LOGIN_HTML = `<!DOCTYPE html>
+function getTokenLoginHtml() {
+    const configuredBasePath = getAppBasePath();
+    return `<!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
-<title>Sign in</title>
+<title>Private app</title>
 <style>
   *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+  :root {
+    color-scheme: dark;
+    --bg: #09090b;
+    --panel: #141417;
+    --panel-soft: #1b1b20;
+    --border: rgba(255,255,255,0.1);
+    --border-strong: rgba(255,255,255,0.18);
+    --text: #f4f4f5;
+    --muted: #a1a1aa;
+    --subtle: #71717a;
+    --error: #fca5a5;
+    --error-bg: rgba(127,29,29,0.18);
+    --success: #86efac;
+    --success-bg: rgba(20,83,45,0.2);
+    --info: #c4b5fd;
+    --info-bg: rgba(76,29,149,0.18);
+  }
   body {
     font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
-    background: #0a0a0a;
-    color: #e5e5e5;
+    background:
+      radial-gradient(circle at top left, rgba(63,63,70,0.24), transparent 32rem),
+      linear-gradient(180deg, #111114 0%, var(--bg) 58%);
+    color: var(--text);
     display: flex;
     align-items: center;
     justify-content: center;
     min-height: 100vh;
+    padding: 1rem;
   }
   .card {
     width: 100%;
-    max-width: 360px;
+    max-width: 420px;
     padding: 2rem;
-    background: #141414;
-    border: 1px solid rgba(255,255,255,0.08);
+    background: color-mix(in srgb, var(--panel) 94%, transparent);
+    border: 1px solid var(--border);
     border-radius: 12px;
+    box-shadow: 0 24px 80px rgba(0,0,0,0.35);
+  }
+  .eyebrow {
+    display: inline-flex;
+    align-items: center;
+    min-height: 1.5rem;
+    padding: 0 0.625rem;
+    margin-bottom: 1rem;
+    border: 1px solid var(--border);
+    border-radius: 999px;
+    color: var(--muted);
+    background: rgba(255,255,255,0.04);
+    font-size: 0.75rem;
+    font-weight: 500;
+  }
+  h1 {
+    font-size: 1.375rem;
+    line-height: 1.2;
+    font-weight: 650;
+    margin-bottom: 0.5rem;
+    color: var(--text);
+    letter-spacing: 0;
+  }
+  .intro {
+    margin-bottom: 1.5rem;
+    color: var(--muted);
+    font-size: 0.9375rem;
+    line-height: 1.55;
+  }
+  label {
+    display: flex;
+    align-items: baseline;
+    justify-content: space-between;
+    gap: 0.75rem;
+    font-size: 0.8125rem;
+    color: var(--muted);
+    margin-bottom: 0.375rem;
+  }
+  label span:last-child {
+    color: var(--subtle);
+    font-size: 0.75rem;
   }
-  h1 { font-size: 1.125rem; font-weight: 600; margin-bottom: 1.5rem; color: #fff; }
-  label { display: block; font-size: 0.8125rem; color: #888; margin-bottom: 0.375rem; }
+  .input-wrap { position: relative; }
   input {
     width: 100%;
+    min-height: 2.75rem;
     padding: 0.625rem 0.75rem;
-    background: #1e1e1e;
-    border: 1px solid rgba(255,255,255,0.12);
+    background: #0f0f12;
+    border: 1px solid var(--border);
     border-radius: 8px;
-    color: #e5e5e5;
+    color: var(--text);
     font-size: 0.9375rem;
     outline: none;
   }
-  input:focus { border-color: rgba(255,255,255,0.3); }
+  input:focus {
+    border-color: var(--border-strong);
+    box-shadow: 0 0 0 3px rgba(255,255,255,0.08);
+  }
+  input::placeholder { color: #52525b; }
   button {
     width: 100%;
+    min-height: 2.75rem;
     margin-top: 1rem;
-    padding: 0.625rem;
-    background: #fff;
+    padding: 0.625rem 0.875rem;
+    background: var(--text);
     color: #000;
     border: none;
     border-radius: 8px;
     font-size: 0.9375rem;
-    font-weight: 500;
+    font-weight: 600;
+    cursor: pointer;
+    transition: transform 120ms ease, opacity 120ms ease, background 120ms ease;
+  }
+  button:hover:not(:disabled) { background: #e4e4e7; transform: translateY(-1px); }
+  button:disabled { opacity: 0.55; cursor: wait; }
+  .hint {
+    margin-top: 0.75rem;
+    color: var(--subtle);
+    font-size: 0.8125rem;
+    line-height: 1.45;
+  }
+  .msg {
+    display: none;
+    margin-top: 0.875rem;
+    padding: 0.75rem;
+    border-radius: 8px;
+    font-size: 0.8125rem;
+    line-height: 1.45;
+  }
+  .msg.show { display: block; }
+  .msg.error {
+    color: var(--error);
+    background: var(--error-bg);
+    border: 1px solid rgba(248,113,113,0.22);
+  }
+  .msg.success {
+    color: var(--success);
+    background: var(--success-bg);
+    border: 1px solid rgba(74,222,128,0.18);
+  }
+  .msg.info {
+    color: var(--info);
+    background: var(--info-bg);
+    border: 1px solid rgba(167,139,250,0.2);
+  }
+  details {
+    margin-top: 1rem;
+    padding-top: 1rem;
+    border-top: 1px solid var(--border);
+  }
+  summary {
     cursor: pointer;
+    color: var(--muted);
+    font-size: 0.8125rem;
+    font-weight: 600;
+  }
+  details p {
+    margin-top: 0.75rem;
+    color: var(--subtle);
+    font-size: 0.8125rem;
+    line-height: 1.5;
+  }
+  code {
+    color: #e4e4e7;
+    background: var(--panel-soft);
+    border: 1px solid var(--border);
+    border-radius: 5px;
+    padding: 0.075rem 0.25rem;
+    font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
+    font-size: 0.78rem;
+  }
+  @media (max-width: 480px) {
+    .card { padding: 1.5rem; }
+    h1 { font-size: 1.25rem; }
   }
-  button:hover { opacity: 0.85; }
-  .error { margin-top: 0.75rem; font-size: 0.8125rem; color: #f87171; display: none; }
-  .error.show { display: block; }
 </style>
 </head>
 <body>
 <div class="card">
-  <h1>Sign in</h1>
+  <div class="eyebrow">Private deployment</div>
+  <h1>This app is private</h1>
+  <p class="intro">Enter the shared app access token to continue. This is the value configured for this app, not your Netlify personal access token.</p>
   <form id="form">
-    <label for="token">Access token</label>
-    <input id="token" type="password" autocomplete="current-password" autofocus placeholder="Enter access token" />
-    <button type="submit">Continue</button>
-    <p class="error" id="err">Invalid token. Please try again.</p>
+    <label for="token"><span>App ACCESS_TOKEN</span><span>Required</span></label>
+    <div class="input-wrap">
+      <input id="token" type="password" autocomplete="current-password" autofocus placeholder="Paste the shared app token" />
+    </div>
+    <button id="submit" type="submit">Continue</button>
+    <p class="hint">If someone sent you this app, ask them for the shared app token. If you own the deploy, use the exact value saved as <code>ACCESS_TOKEN</code> or one of <code>ACCESS_TOKENS</code>.</p>
+    <p class="msg error" id="msg" role="alert"></p>
   </form>
+  <details>
+    <summary>Where do I find this?</summary>
+    <p>In Netlify, create or copy the app's shared token from Site configuration, Environment variables. The key should be <code>ACCESS_TOKEN</code> for one token or <code>ACCESS_TOKENS</code> for a comma-separated list. Redeploy after changing it.</p>
+  </details>
 </div>
 <script>
+  var configuredBasePath = ${JSON.stringify(configuredBasePath)};
   function __anBasePath() {
+    if (
+      configuredBasePath &&
+      (window.location.pathname === configuredBasePath ||
+        window.location.pathname.indexOf(configuredBasePath + '/') === 0)
+    ) {
+      return configuredBasePath;
+    }
     var marker = '/_agent-native';
     var idx = window.location.pathname.indexOf(marker);
     return idx > 0 ? window.location.pathname.slice(0, idx) : '';
@@ -965,23 +1110,87 @@ const TOKEN_LOGIN_HTML = `<!DOCTYPE html>
   function __anPath(path) {
     return __anBasePath() + path;
   }
+  function setMessage(kind, text) {
+    var msg = document.getElementById('msg');
+    msg.textContent = text;
+    msg.className = 'msg ' + kind + ' show';
+  }
+  function clearMessage() {
+    var msg = document.getElementById('msg');
+    msg.textContent = '';
+    msg.className = 'msg error';
+  }
+  function setBusy(isBusy) {
+    var button = document.getElementById('submit');
+    var input = document.getElementById('token');
+    button.disabled = isBusy;
+    input.disabled = isBusy;
+    button.textContent = isBusy ? 'Checking...' : 'Continue';
+  }
+  async function readJsonSafely(res) {
+    try {
+      return await res.json();
+    } catch (_err) {
+      return null;
+    }
+  }
+  async function verifySession() {
+    var res = await fetch(__anPath('/_agent-native/auth/session'), {
+      method: 'GET',
+      credentials: 'same-origin',
+      cache: 'no-store',
+      headers: { 'Accept': 'application/json' },
+    });
+    if (!res.ok) return false;
+    var data = await readJsonSafely(res);
+    return !!data && !data.error;
+  }
   document.getElementById('form').addEventListener('submit', async (e) => {
     e.preventDefault();
-    const token = document.getElementById('token').value;
-    const res = await fetch(__anPath('/_agent-native/auth/login'), {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ token }),
-    });
-    if (res.ok) {
-      window.location.reload();
-    } else {
-      document.getElementById('err').classList.add('show');
+    var token = document.getElementById('token').value.trim();
+    if (!token) {
+      setMessage('error', 'Paste the shared app token to continue.');
+      return;
+    }
+    clearMessage();
+    setBusy(true);
+    setMessage('info', 'Checking the app token...');
+    try {
+      var res = await fetch(__anPath('/_agent-native/auth/login'), {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Accept': 'application/json',
+        },
+        credentials: 'same-origin',
+        body: JSON.stringify({ token: token }),
+      });
+      if (!res.ok) {
+        var badTokenMessage = 'That token was not accepted. Use this app\\'s shared ACCESS_TOKEN, not a Netlify personal access token.';
+        if (res.status === 404) {
+          badTokenMessage = 'Could not reach this app\\'s auth endpoint. If this app is mounted under a path, confirm APP_BASE_PATH and VITE_APP_BASE_PATH match the deploy path.';
+        }
+        setMessage('error', badTokenMessage);
+        setBusy(false);
+        return;
+      }
+      var hasSession = await verifySession();
+      if (!hasSession) {
+        setMessage('error', 'The token was accepted, but the browser did not keep the session cookie. Try opening the app in a new tab, or check cookie restrictions for this domain.');
+        setBusy(false);
+        return;
+      }
+      setMessage('success', 'Signed in. Opening the app...');
+      window.location.replace(window.location.href);
+    } catch (_err) {
+      setMessage('error', 'Could not contact the auth endpoint. Check the deploy status, then try again.');
+      setBusy(false);
     }
   });
 </script>
 </body>
 </html>`;
+}
 // ---------------------------------------------------------------------------
 // mountBetterAuthRoutes — Better Auth powered auth with backward-compat routes
 // ---------------------------------------------------------------------------
@@ -1618,7 +1827,7 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
         const session = await getSession(event);
         return session ?? { error: "Not authenticated" };
     }));
-    _authGuardConfig = { loginHtml: TOKEN_LOGIN_HTML, publicPaths };
+    _authGuardConfig = { loginHtml: getTokenLoginHtml(), publicPaths };
     const guardFn = createAuthGuardFn();
     _authGuardFn = guardFn;
     app.use(defineEventHandler(guardFn));
@@ -1833,7 +2042,7 @@ export async function autoMountAuth(app, options = {}) {
                 await clearDesktopSso();
             return { ok: true };
         }));
-        const byoaLoginHtml = options.loginHtml ?? TOKEN_LOGIN_HTML;
+        const byoaLoginHtml = options.loginHtml ?? getTokenLoginHtml();
         _authGuardConfig = { loginHtml: byoaLoginHtml, publicPaths };
         const guardFn = createAuthGuardFn();
         _authGuardFn = guardFn;