@aravindc26/velu 0.13.6 → 0.13.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aravindc26/velu",
-  "version": "0.13.6",
+  "version": "0.13.7",
   "description": "A modern documentation site generator powered by Markdown and JSON configuration",
   "type": "module",
   "license": "MIT",

package/src/engine/lib/preview-auth.ts

@@ -1,16 +1,72 @@
 /**
  * Shared API authentication via PREVIEW_API_SECRET.
  */
+import { createHmac, timingSafeEqual } from 'crypto';
 import { NextRequest } from 'next/server';
 
 const PREVIEW_API_SECRET = process.env.PREVIEW_API_SECRET || '';
 
+export function getPreviewSecret(): string {
+  return PREVIEW_API_SECRET;
+}
+
 export function verifyApiSecret(request: NextRequest): boolean {
   if (!PREVIEW_API_SECRET) return true; // No secret configured — allow all
   const header = request.headers.get('x-preview-secret') || '';
   return header === PREVIEW_API_SECRET;
 }
 
+/**
+ * Verify an HMAC-signed preview token.
+ *
+ * Token format: `{base64url_hmac}.{sessionId}:{unix_expiry}`
+ *
+ * Returns `{ valid: true, expiry }` when the token is authentic, matches the
+ * expected session ID, and has not expired. Returns `{ valid: false, expiry: 0 }`
+ * otherwise.
+ */
+export function verifyPreviewToken(
+  token: string,
+  expectedSessionId: string,
+): { valid: boolean; expiry: number } {
+  const fail = { valid: false, expiry: 0 };
+  if (!PREVIEW_API_SECRET) return { valid: true, expiry: 0 }; // No secret — allow all
+
+  const dotIdx = token.indexOf('.');
+  if (dotIdx === -1) return fail;
+
+  const sigB64 = token.slice(0, dotIdx);
+  const payload = token.slice(dotIdx + 1);
+
+  // Payload must be "{sessionId}:{expiry}"
+  const colonIdx = payload.indexOf(':');
+  if (colonIdx === -1) return fail;
+
+  const sessionId = payload.slice(0, colonIdx);
+  const expiryStr = payload.slice(colonIdx + 1);
+
+  if (sessionId !== expectedSessionId) return fail;
+
+  const expiry = parseInt(expiryStr, 10);
+  if (isNaN(expiry) || expiry < Math.floor(Date.now() / 1000)) return fail;
+
+  // Recompute HMAC and compare in constant time
+  const expectedSig = createHmac('sha256', PREVIEW_API_SECRET)
+    .update(payload)
+    .digest('base64url')
+    // Strip padding to match Python's rstrip(b"=")
+    .replace(/=+$/, '');
+
+  // Ensure both are the same length before timingSafeEqual
+  const sigBuf = Buffer.from(sigB64, 'utf8');
+  const expectedBuf = Buffer.from(expectedSig, 'utf8');
+  if (sigBuf.length !== expectedBuf.length) return fail;
+
+  if (!timingSafeEqual(sigBuf, expectedBuf)) return fail;
+
+  return { valid: true, expiry };
+}
+
 export function unauthorizedResponse() {
   return Response.json({ error: 'Unauthorized' }, { status: 401 });
 }

package/src/engine/middleware.ts

@@ -0,0 +1,91 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { getPreviewSecret, verifyPreviewToken } from './lib/preview-auth';
+
+/**
+ * Next.js middleware that enforces HMAC-signed token authentication for
+ * preview page routes.
+ *
+ * Flow:
+ *  1. Requests with `x-preview-secret` header pass through (server-to-server API calls).
+ *  2. Extract sessionId from the URL path (`/{sessionId}/...`).
+ *  3. If `?token=` query param is present: validate HMAC, set an HttpOnly cookie,
+ *     redirect to the same URL without the token (keeps browser history clean).
+ *  4. If a valid `__velu_preview_{sessionId}` cookie exists: allow.
+ *  5. Otherwise: 403.
+ */
+export function middleware(request: NextRequest) {
+  const secret = getPreviewSecret();
+
+  // No secret configured — allow everything (dev / local)
+  if (!secret) return NextResponse.next();
+
+  // Server-to-server API calls use the x-preview-secret header — skip page auth
+  if (request.headers.get('x-preview-secret')) {
+    return NextResponse.next();
+  }
+
+  const { pathname } = request.nextUrl;
+
+  // Extract sessionId: first path segment after leading slash
+  const segments = pathname.split('/').filter(Boolean);
+  if (segments.length === 0) return NextResponse.next();
+
+  // Skip Next.js internal and static paths
+  const first = segments[0];
+  if (first === '_next' || first === 'api') return NextResponse.next();
+
+  // sessionId should be numeric
+  const sessionId = first;
+  if (!/^\d+$/.test(sessionId)) return NextResponse.next();
+
+  // --- Token in query string: validate, set cookie, redirect to clean URL ---
+  const tokenParam = request.nextUrl.searchParams.get('token');
+  if (tokenParam) {
+    const { valid, expiry } = verifyPreviewToken(tokenParam, sessionId);
+    if (!valid) {
+      return new NextResponse('Forbidden', { status: 403 });
+    }
+
+    // Redirect to the same URL without the token
+    const cleanUrl = request.nextUrl.clone();
+    cleanUrl.searchParams.delete('token');
+    const response = NextResponse.redirect(cleanUrl);
+
+    // Compute remaining TTL for cookie maxAge
+    const now = Math.floor(Date.now() / 1000);
+    const maxAge = expiry > 0 ? expiry - now : 86400;
+
+    response.cookies.set(`__velu_preview_${sessionId}`, tokenParam, {
+      httpOnly: true,
+      secure: true,
+      sameSite: 'none', // Required for cross-origin iframe
+      path: `/${sessionId}`,
+      maxAge,
+    });
+
+    return response;
+  }
+
+  // --- Cookie: validate existing token stored in cookie ---
+  const cookie = request.cookies.get(`__velu_preview_${sessionId}`);
+  if (cookie) {
+    const { valid } = verifyPreviewToken(cookie.value, sessionId);
+    if (valid) return NextResponse.next();
+  }
+
+  return new NextResponse('Forbidden', { status: 403 });
+}
+
+// Use Node.js runtime so we can access the crypto module for HMAC verification
+export const runtime = 'nodejs';
+
+export const config = {
+  matcher: [
+    /*
+     * Match all request paths except:
+     * - _next (Next.js internals)
+     * - favicon.ico, robots.txt, sitemap.xml (static meta)
+     */
+    '/((?!_next|favicon\\.ico|robots\\.txt|sitemap\\.xml).*)',
+  ],
+};