@bajustone/fortress 1.0.0-rc.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +1011 -0
- package/LICENSE +21 -0
- package/README.md +760 -0
- package/SECURITY.md +197 -0
- package/bin/fortress.ts +667 -0
- package/dist/auth-service-BcyQ2PuZ.d.cts +307 -0
- package/dist/auth-service-BkzZkWfH.d.ts +307 -0
- package/dist/config-B2366s_G.d.ts +665 -0
- package/dist/config-GtlVt6ZD.d.cts +665 -0
- package/dist/convert-routes-BLCQT57f.d.ts +72 -0
- package/dist/convert-routes-BdMvP2_X.d.cts +72 -0
- package/dist/crypto.cjs +61 -0
- package/dist/crypto.d.cts +36 -0
- package/dist/crypto.d.ts +36 -0
- package/dist/crypto.js +35 -0
- package/dist/drift-BT1wtMDJ.d.cts +22 -0
- package/dist/drift-k9LiYpRP.d.ts +22 -0
- package/dist/drizzle/pg.cjs +481 -0
- package/dist/drizzle/pg.d.cts +15 -0
- package/dist/drizzle/pg.d.ts +15 -0
- package/dist/drizzle/pg.js +454 -0
- package/dist/drizzle.cjs +1442 -0
- package/dist/drizzle.d.cts +85 -0
- package/dist/drizzle.d.ts +85 -0
- package/dist/drizzle.js +1411 -0
- package/dist/express.cjs +1357 -0
- package/dist/express.d.cts +333 -0
- package/dist/express.d.ts +333 -0
- package/dist/express.js +1314 -0
- package/dist/fetcher.cjs +77 -0
- package/dist/fetcher.d.cts +7 -0
- package/dist/fetcher.d.ts +7 -0
- package/dist/fetcher.js +41 -0
- package/dist/fortress-BmSvFfqK.d.cts +1089 -0
- package/dist/fortress-uA-_cheR.d.ts +1089 -0
- package/dist/hono.cjs +1530 -0
- package/dist/hono.d.cts +514 -0
- package/dist/hono.d.ts +514 -0
- package/dist/hono.js +1483 -0
- package/dist/index-CxEkfCA0.d.cts +77 -0
- package/dist/index-CxEkfCA0.d.ts +77 -0
- package/dist/index-D054pcb-.d.cts +146 -0
- package/dist/index-jAMbbUAY.d.ts +146 -0
- package/dist/index.cjs +9046 -0
- package/dist/index.d.cts +717 -0
- package/dist/index.d.ts +717 -0
- package/dist/index.js +8935 -0
- package/dist/jwt.cjs +255 -0
- package/dist/jwt.d.cts +90 -0
- package/dist/jwt.d.ts +90 -0
- package/dist/jwt.js +227 -0
- package/dist/otel.cjs +108 -0
- package/dist/otel.d.cts +62 -0
- package/dist/otel.d.ts +62 -0
- package/dist/otel.js +73 -0
- package/dist/plugins/account-lockout.cjs +322 -0
- package/dist/plugins/account-lockout.d.cts +42 -0
- package/dist/plugins/account-lockout.d.ts +42 -0
- package/dist/plugins/account-lockout.js +295 -0
- package/dist/plugins/admin.cjs +2378 -0
- package/dist/plugins/admin.d.cts +72 -0
- package/dist/plugins/admin.d.ts +72 -0
- package/dist/plugins/admin.js +2351 -0
- package/dist/plugins/api-key.cjs +792 -0
- package/dist/plugins/api-key.d.cts +121 -0
- package/dist/plugins/api-key.d.ts +121 -0
- package/dist/plugins/api-key.js +765 -0
- package/dist/plugins/audit-log.cjs +493 -0
- package/dist/plugins/audit-log.d.cts +86 -0
- package/dist/plugins/audit-log.d.ts +86 -0
- package/dist/plugins/audit-log.js +468 -0
- package/dist/plugins/data-isolation.cjs +211 -0
- package/dist/plugins/data-isolation.d.cts +49 -0
- package/dist/plugins/data-isolation.d.ts +49 -0
- package/dist/plugins/data-isolation.js +186 -0
- package/dist/plugins/email-verification.cjs +273 -0
- package/dist/plugins/email-verification.d.cts +44 -0
- package/dist/plugins/email-verification.d.ts +44 -0
- package/dist/plugins/email-verification.js +246 -0
- package/dist/plugins/magic-link.cjs +231 -0
- package/dist/plugins/magic-link.d.cts +39 -0
- package/dist/plugins/magic-link.d.ts +39 -0
- package/dist/plugins/magic-link.js +204 -0
- package/dist/plugins/oauth.cjs +1696 -0
- package/dist/plugins/oauth.d.cts +406 -0
- package/dist/plugins/oauth.d.ts +406 -0
- package/dist/plugins/oauth.js +1669 -0
- package/dist/plugins/openapi.cjs +1185 -0
- package/dist/plugins/openapi.d.cts +6 -0
- package/dist/plugins/openapi.d.ts +6 -0
- package/dist/plugins/openapi.js +1158 -0
- package/dist/plugins/rate-limit/express.cjs +55 -0
- package/dist/plugins/rate-limit/express.d.cts +64 -0
- package/dist/plugins/rate-limit/express.d.ts +64 -0
- package/dist/plugins/rate-limit/express.js +30 -0
- package/dist/plugins/rate-limit/hono.cjs +51 -0
- package/dist/plugins/rate-limit/hono.d.cts +59 -0
- package/dist/plugins/rate-limit/hono.d.ts +59 -0
- package/dist/plugins/rate-limit/hono.js +26 -0
- package/dist/plugins/rate-limit/sveltekit.cjs +49 -0
- package/dist/plugins/rate-limit/sveltekit.d.cts +59 -0
- package/dist/plugins/rate-limit/sveltekit.d.ts +59 -0
- package/dist/plugins/rate-limit/sveltekit.js +24 -0
- package/dist/plugins/rate-limit.cjs +354 -0
- package/dist/plugins/rate-limit.d.cts +140 -0
- package/dist/plugins/rate-limit.d.ts +140 -0
- package/dist/plugins/rate-limit.js +325 -0
- package/dist/plugins/social-login.cjs +905 -0
- package/dist/plugins/social-login.d.cts +114 -0
- package/dist/plugins/social-login.d.ts +114 -0
- package/dist/plugins/social-login.js +880 -0
- package/dist/plugins/tenancy.cjs +780 -0
- package/dist/plugins/tenancy.d.cts +108 -0
- package/dist/plugins/tenancy.d.ts +108 -0
- package/dist/plugins/tenancy.js +753 -0
- package/dist/plugins/two-factor.cjs +555 -0
- package/dist/plugins/two-factor.d.cts +67 -0
- package/dist/plugins/two-factor.d.ts +67 -0
- package/dist/plugins/two-factor.js +526 -0
- package/dist/plugins/webauthn.cjs +786 -0
- package/dist/plugins/webauthn.d.cts +72 -0
- package/dist/plugins/webauthn.d.ts +72 -0
- package/dist/plugins/webauthn.js +766 -0
- package/dist/plugins/webhook.cjs +819 -0
- package/dist/plugins/webhook.d.cts +254 -0
- package/dist/plugins/webhook.d.ts +254 -0
- package/dist/plugins/webhook.js +789 -0
- package/dist/protect-D1v_0upK.d.cts +123 -0
- package/dist/protect-DsxV_-dJ.d.ts +123 -0
- package/dist/sveltekit.cjs +1258 -0
- package/dist/sveltekit.d.cts +420 -0
- package/dist/sveltekit.d.ts +420 -0
- package/dist/sveltekit.js +1207 -0
- package/dist/testing.cjs +4294 -0
- package/dist/testing.d.cts +197 -0
- package/dist/testing.d.ts +197 -0
- package/dist/testing.js +4264 -0
- package/dist/types-et0R8tsC.d.cts +217 -0
- package/dist/types-et0R8tsC.d.ts +217 -0
- package/docs/adapter-typed-helpers.md +192 -0
- package/docs/admin-recipes.md +227 -0
- package/docs/architecture.md +434 -0
- package/docs/ci/github-actions.yml +59 -0
- package/docs/ci.md +109 -0
- package/docs/compatibility.md +115 -0
- package/docs/deployment.md +305 -0
- package/docs/hardening.md +118 -0
- package/docs/host-owned-routes.md +154 -0
- package/docs/migrations/0001-schema-version.md +54 -0
- package/docs/migrations/0002-initial-schema.md +84 -0
- package/docs/migrations/upgrade-guide.md +160 -0
- package/docs/observability.md +394 -0
- package/docs/plugins/account-lockout.md +131 -0
- package/docs/plugins/admin.md +402 -0
- package/docs/plugins/api-key.md +327 -0
- package/docs/plugins/audit-log.md +261 -0
- package/docs/plugins/data-isolation.md +186 -0
- package/docs/plugins/email-verification.md +121 -0
- package/docs/plugins/magic-link.md +123 -0
- package/docs/plugins/oauth.md +544 -0
- package/docs/plugins/openapi.md +250 -0
- package/docs/plugins/rate-limit.md +223 -0
- package/docs/plugins/social-login.md +337 -0
- package/docs/plugins/tenancy.md +122 -0
- package/docs/plugins/two-factor.md +191 -0
- package/docs/plugins/webauthn.md +188 -0
- package/docs/plugins/webhook.md +242 -0
- package/docs/policy-as-code.md +156 -0
- package/docs/route-manifest.md +46 -0
- package/docs/security.md +261 -0
- package/docs/threat-model.md +161 -0
- package/examples/README.md +119 -0
- package/examples/express-app/index.ts +747 -0
- package/examples/hono-app/docker-compose.yml +14 -0
- package/examples/hono-app/index.ts +1009 -0
- package/examples/policy/fortress.policy.json +47 -0
- package/examples/sveltekit-app/README.md +125 -0
- package/examples/sveltekit-app/src/app.d.ts +16 -0
- package/examples/sveltekit-app/src/hooks.server.ts +23 -0
- package/examples/sveltekit-app/src/lib/server/fortress.ts +81 -0
- package/examples/sveltekit-app/src/routes/api/echo/[id]/+server.ts +32 -0
- package/examples/sveltekit-app/src/routes/api/fortress/[...path]/+server.ts +15 -0
- package/examples/sveltekit-app/src/routes/dashboard/+page.server.ts +20 -0
- package/examples/sveltekit-app/src/routes/login/+page.server.ts +48 -0
- package/examples/sveltekit-app/src/routes/oauth/consent/+page.server.ts +69 -0
- package/examples/sveltekit-app/src/routes/oauth/consent/+page.svelte +83 -0
- package/migrations/pg/0001_schema_version.down.sql +2 -0
- package/migrations/pg/0001_schema_version.sql +8 -0
- package/migrations/pg/0002_initial_schema.down.sql +36 -0
- package/migrations/pg/0002_initial_schema.sql +376 -0
- package/migrations/pg/0003_auth_continuation.down.sql +6 -0
- package/migrations/pg/0003_auth_continuation.sql +30 -0
- package/migrations/pg/0004_tenant_default_unique.down.sql +1 -0
- package/migrations/pg/0004_tenant_default_unique.sql +14 -0
- package/migrations/pg/0005_hot_indexes_timestamptz.down.sql +71 -0
- package/migrations/pg/0005_hot_indexes_timestamptz.sql +71 -0
- package/migrations/pg/0006_canonical_email.down.sql +3 -0
- package/migrations/pg/0006_canonical_email.sql +8 -0
- package/migrations/pg/0007_audit_chain_anchor.down.sql +1 -0
- package/migrations/pg/0007_audit_chain_anchor.sql +8 -0
- package/migrations/pg/0008_two_factor_hardening.down.sql +8 -0
- package/migrations/pg/0008_two_factor_hardening.sql +8 -0
- package/migrations/pg/0009_encrypt_totp_secrets.down.sql +2 -0
- package/migrations/pg/0009_encrypt_totp_secrets.sql +5 -0
- package/migrations/pg/0010_bigint_append_only_ids.down.sql +2 -0
- package/migrations/pg/0010_bigint_append_only_ids.sql +23 -0
- package/migrations/sqlite/0001_schema_version.down.sql +2 -0
- package/migrations/sqlite/0001_schema_version.sql +8 -0
- package/migrations/sqlite/0002_initial_schema.down.sql +36 -0
- package/migrations/sqlite/0002_initial_schema.sql +376 -0
- package/migrations/sqlite/0003_auth_continuation.down.sql +27 -0
- package/migrations/sqlite/0003_auth_continuation.sql +45 -0
- package/migrations/sqlite/0004_tenant_default_unique.down.sql +1 -0
- package/migrations/sqlite/0004_tenant_default_unique.sql +13 -0
- package/migrations/sqlite/0005_hot_indexes_timestamptz.down.sql +10 -0
- package/migrations/sqlite/0005_hot_indexes_timestamptz.sql +10 -0
- package/migrations/sqlite/0006_canonical_email.down.sql +3 -0
- package/migrations/sqlite/0006_canonical_email.sql +8 -0
- package/migrations/sqlite/0007_audit_chain_anchor.down.sql +1 -0
- package/migrations/sqlite/0007_audit_chain_anchor.sql +8 -0
- package/migrations/sqlite/0008_two_factor_hardening.down.sql +14 -0
- package/migrations/sqlite/0008_two_factor_hardening.sql +7 -0
- package/migrations/sqlite/0009_encrypt_totp_secrets.down.sql +2 -0
- package/migrations/sqlite/0009_encrypt_totp_secrets.sql +5 -0
- package/migrations/sqlite/0010_bigint_append_only_ids.down.sql +1 -0
- package/migrations/sqlite/0010_bigint_append_only_ids.sql +2 -0
- package/package.json +398 -0
- package/src/adapters/database/index.ts +63 -0
- package/src/adapters/database/types.ts +22 -0
- package/src/changelog-script.test.ts +21 -0
- package/src/cli.test.ts +79 -0
- package/src/core/auth/auth-admin.test.ts +247 -0
- package/src/core/auth/auth-endpoints.ts +558 -0
- package/src/core/auth/auth-observer.test.ts +191 -0
- package/src/core/auth/auth-service.ts +1464 -0
- package/src/core/auth/email.test.ts +17 -0
- package/src/core/auth/email.ts +11 -0
- package/src/core/auth/hooks.test.ts +251 -0
- package/src/core/auth/impersonation.test.ts +179 -0
- package/src/core/auth/jwt.test.ts +184 -0
- package/src/core/auth/jwt.ts +239 -0
- package/src/core/auth/login-timing.test.ts +77 -0
- package/src/core/auth/password-policy.test.ts +253 -0
- package/src/core/auth/password-policy.ts +220 -0
- package/src/core/auth/password.test.ts +42 -0
- package/src/core/auth/password.ts +62 -0
- package/src/core/auth/post-auth-gate.test.ts +258 -0
- package/src/core/auth/post-auth-gate.ts +228 -0
- package/src/core/auth/refresh-token.test.ts +86 -0
- package/src/core/auth/refresh-token.ts +105 -0
- package/src/core/auth/timing-safe.ts +23 -0
- package/src/core/config.ts +212 -0
- package/src/core/endpoint.ts +149 -0
- package/src/core/errors.ts +199 -0
- package/src/core/fetcher-interop.test.ts +106 -0
- package/src/core/fortress.test.ts +354 -0
- package/src/core/fortress.ts +550 -0
- package/src/core/http/call.test.ts +148 -0
- package/src/core/http/call.ts +149 -0
- package/src/core/http/cookie-serialize.test.ts +198 -0
- package/src/core/http/cookie-serialize.ts +107 -0
- package/src/core/http/csrf.test.ts +140 -0
- package/src/core/http/csrf.ts +173 -0
- package/src/core/http/dispatch.ts +652 -0
- package/src/core/http/error-response.test.ts +69 -0
- package/src/core/http/error-response.ts +93 -0
- package/src/core/http/fortress-rbac.test.ts +43 -0
- package/src/core/http/fortress-rbac.ts +127 -0
- package/src/core/http/handle-request.test.ts +441 -0
- package/src/core/http/handle-request.ts +354 -0
- package/src/core/http/match.test.ts +122 -0
- package/src/core/http/match.ts +126 -0
- package/src/core/http/outbound.test.ts +34 -0
- package/src/core/http/outbound.ts +105 -0
- package/src/core/http/plugin-middleware.ts +67 -0
- package/src/core/http/principal.test.ts +345 -0
- package/src/core/http/principal.ts +86 -0
- package/src/core/http/protect.test.ts +220 -0
- package/src/core/http/protect.ts +394 -0
- package/src/core/http/token-extraction.test.ts +59 -0
- package/src/core/http/token-extraction.ts +53 -0
- package/src/core/iam/explain.test.ts +177 -0
- package/src/core/iam/explain.ts +302 -0
- package/src/core/iam/iam-endpoints.ts +779 -0
- package/src/core/iam/iam-service.test.ts +829 -0
- package/src/core/iam/iam-service.ts +1137 -0
- package/src/core/iam/permission-cache.test.ts +115 -0
- package/src/core/iam/permission-cache.ts +71 -0
- package/src/core/iam/permission-check-observer.test.ts +90 -0
- package/src/core/iam/permission-evaluator.test.ts +291 -0
- package/src/core/iam/permission-evaluator.ts +198 -0
- package/src/core/iam/permission-sync.test.ts +166 -0
- package/src/core/iam/permission-sync.ts +192 -0
- package/src/core/iam/resource-sync.test.ts +70 -0
- package/src/core/iam/resource-sync.ts +182 -0
- package/src/core/iam/service-account-http.test.ts +529 -0
- package/src/core/iam/service-account.test.ts +282 -0
- package/src/core/internal-adapter.test.ts +389 -0
- package/src/core/internal-adapter.ts +435 -0
- package/src/core/json-schema.ts +50 -0
- package/src/core/manifest/__snapshots__/route-manifest.test.ts.snap +192 -0
- package/src/core/manifest/drift.ts +103 -0
- package/src/core/manifest/route-manifest.test.ts +142 -0
- package/src/core/manifest/route-manifest.ts +154 -0
- package/src/core/migrate.test.ts +72 -0
- package/src/core/migrations/engine.test.ts +308 -0
- package/src/core/migrations/engine.ts +548 -0
- package/src/core/migrations/migrations.ts +1771 -0
- package/src/core/migrations/pg-migration.integration-test.ts +353 -0
- package/src/core/migrations/upgrade-fixture.test.ts +378 -0
- package/src/core/observability/db-instrumentation.ts +205 -0
- package/src/core/observability/listener-list.test.ts +124 -0
- package/src/core/observability/listener-list.ts +73 -0
- package/src/core/observability/logger.test.ts +43 -0
- package/src/core/observability/logger.ts +49 -0
- package/src/core/observability/spans.test.ts +193 -0
- package/src/core/observability/types.ts +80 -0
- package/src/core/openapi-drift.test.ts +41 -0
- package/src/core/openapi.ts +47 -0
- package/src/core/plugin-methods-map.ts +75 -0
- package/src/core/plugin-runner.test.ts +233 -0
- package/src/core/plugin-runner.ts +276 -0
- package/src/core/plugin.ts +210 -0
- package/src/core/policy/apply.ts +272 -0
- package/src/core/policy/diff.ts +288 -0
- package/src/core/policy/loader.test.ts +63 -0
- package/src/core/policy/loader.ts +214 -0
- package/src/core/policy/policy.test.ts +232 -0
- package/src/core/policy/types.ts +105 -0
- package/src/core/schema-builder.test.ts +660 -0
- package/src/core/schema-builder.ts +881 -0
- package/src/core/standard-schema.ts +56 -0
- package/src/core/types.ts +258 -0
- package/src/core/validation.test.ts +195 -0
- package/src/core/validation.ts +192 -0
- package/src/drizzle/adapter.test.ts +425 -0
- package/src/drizzle/adapter.ts +474 -0
- package/src/drizzle/index.ts +31 -0
- package/src/drizzle/pg/adapter.integration-test.ts +456 -0
- package/src/drizzle/pg/index.ts +13 -0
- package/src/drizzle/pg/pg.integration-test.ts +1539 -0
- package/src/drizzle/pg/schema.ts +539 -0
- package/src/drizzle/pg-error-map.test.ts +218 -0
- package/src/drizzle/pg-error-map.ts +151 -0
- package/src/drizzle/schema.ts +544 -0
- package/src/drizzle/sqlite-serialization.test.ts +106 -0
- package/src/express/express-api-key-user-routes.test.ts +241 -0
- package/src/express/express.test.ts +442 -0
- package/src/express/handle.ts +191 -0
- package/src/express/index.ts +62 -0
- package/src/express/middleware.ts +551 -0
- package/src/express/protect.ts +154 -0
- package/src/express/validated.test.ts +86 -0
- package/src/express/validated.ts +99 -0
- package/src/fetcher/index.ts +81 -0
- package/src/hono/convert-routes.test.ts +220 -0
- package/src/hono/convert-routes.ts +196 -0
- package/src/hono/converters.test.ts +50 -0
- package/src/hono/converters.ts +43 -0
- package/src/hono/handle.ts +79 -0
- package/src/hono/helpers.ts +2 -0
- package/src/hono/hono-api-key-user-routes.test.ts +225 -0
- package/src/hono/hono-handlers.test.ts +861 -0
- package/src/hono/hono.test.ts +454 -0
- package/src/hono/index.ts +101 -0
- package/src/hono/middleware/auth.ts +236 -0
- package/src/hono/middleware/auth.types.test.ts +94 -0
- package/src/hono/middleware/csrf.test.ts +127 -0
- package/src/hono/middleware/csrf.ts +68 -0
- package/src/hono/middleware/error-handler.ts +12 -0
- package/src/hono/middleware/plugin-middleware.ts +35 -0
- package/src/hono/middleware/rbac.ts +131 -0
- package/src/hono/middleware/security-headers.test.ts +88 -0
- package/src/hono/middleware/security-headers.ts +68 -0
- package/src/hono/openapi.ts +237 -0
- package/src/hono/protect.ts +87 -0
- package/src/hono/validated.test.ts +123 -0
- package/src/hono/validated.ts +62 -0
- package/src/index.ts +309 -0
- package/src/integration.test.ts +718 -0
- package/src/internal/changelog.ts +56 -0
- package/src/otel/index.ts +158 -0
- package/src/otel/otel-types.test.ts +35 -0
- package/src/otel/otel.test.ts +235 -0
- package/src/plugins/account-lockout/account-lockout.test.ts +367 -0
- package/src/plugins/account-lockout/index.ts +267 -0
- package/src/plugins/admin/admin-api-key.test.ts +438 -0
- package/src/plugins/admin/index.ts +1612 -0
- package/src/plugins/api-key/api-key.test.ts +684 -0
- package/src/plugins/api-key/core.ts +336 -0
- package/src/plugins/api-key/index.ts +315 -0
- package/src/plugins/audit-log/audit-log.test.ts +749 -0
- package/src/plugins/audit-log/index.ts +680 -0
- package/src/plugins/data-isolation/data-isolation.test.ts +197 -0
- package/src/plugins/data-isolation/index.ts +157 -0
- package/src/plugins/email-verification/email-verification.test.ts +199 -0
- package/src/plugins/email-verification/index.ts +190 -0
- package/src/plugins/magic-link/index.ts +129 -0
- package/src/plugins/magic-link/magic-link.test.ts +156 -0
- package/src/plugins/oauth/id-token.ts +86 -0
- package/src/plugins/oauth/index.ts +2145 -0
- package/src/plugins/oauth/jwks.test.ts +32 -0
- package/src/plugins/oauth/jwks.ts +182 -0
- package/src/plugins/oauth/oauth.test.ts +2220 -0
- package/src/plugins/oauth/pkce.ts +58 -0
- package/src/plugins/openapi/index.ts +298 -0
- package/src/plugins/openapi/openapi.test.ts +425 -0
- package/src/plugins/openapi/spec-builder.ts +287 -0
- package/src/plugins/rate-limit/express.test.ts +89 -0
- package/src/plugins/rate-limit/express.ts +86 -0
- package/src/plugins/rate-limit/hono.test.ts +60 -0
- package/src/plugins/rate-limit/hono.ts +74 -0
- package/src/plugins/rate-limit/index.ts +383 -0
- package/src/plugins/rate-limit/memory-store.ts +61 -0
- package/src/plugins/rate-limit/rate-limit.test.ts +756 -0
- package/src/plugins/rate-limit/sveltekit.test.ts +58 -0
- package/src/plugins/rate-limit/sveltekit.ts +66 -0
- package/src/plugins/social-login/index.ts +715 -0
- package/src/plugins/social-login/providers/apple.ts +34 -0
- package/src/plugins/social-login/providers/discord.ts +26 -0
- package/src/plugins/social-login/providers/github.ts +54 -0
- package/src/plugins/social-login/providers/google.ts +23 -0
- package/src/plugins/social-login/providers/index.ts +22 -0
- package/src/plugins/social-login/providers/microsoft.ts +35 -0
- package/src/plugins/social-login/providers/oidc.ts +37 -0
- package/src/plugins/social-login/providers/providers.test.ts +211 -0
- package/src/plugins/social-login/social-login.test.ts +675 -0
- package/src/plugins/social-login/types.ts +80 -0
- package/src/plugins/tenancy/index.ts +544 -0
- package/src/plugins/tenancy/tenancy.test.ts +323 -0
- package/src/plugins/two-factor/index.ts +569 -0
- package/src/plugins/two-factor/two-factor.test.ts +235 -0
- package/src/plugins/webauthn/index.ts +554 -0
- package/src/plugins/webauthn/webauthn.test.ts +472 -0
- package/src/plugins/webhook/builtin-events.ts +29 -0
- package/src/plugins/webhook/delivery.test.ts +51 -0
- package/src/plugins/webhook/delivery.ts +154 -0
- package/src/plugins/webhook/hooks.ts +89 -0
- package/src/plugins/webhook/index.ts +445 -0
- package/src/plugins/webhook/queue/database.ts +67 -0
- package/src/plugins/webhook/queue/in-memory.test.ts +48 -0
- package/src/plugins/webhook/queue/in-memory.ts +71 -0
- package/src/plugins/webhook/queue/types.ts +51 -0
- package/src/plugins/webhook/registry.test.ts +48 -0
- package/src/plugins/webhook/registry.ts +64 -0
- package/src/plugins/webhook/signing.ts +45 -0
- package/src/plugins/webhook/ssrf.ts +198 -0
- package/src/plugins/webhook/types.ts +138 -0
- package/src/plugins/webhook/webhook.test.ts +324 -0
- package/src/sveltekit/actions.ts +233 -0
- package/src/sveltekit/catch-all.ts +43 -0
- package/src/sveltekit/cookies.ts +136 -0
- package/src/sveltekit/handle.ts +356 -0
- package/src/sveltekit/helpers.ts +69 -0
- package/src/sveltekit/index.ts +74 -0
- package/src/sveltekit/protect.ts +80 -0
- package/src/sveltekit/sveltekit-types.test.ts +31 -0
- package/src/sveltekit/sveltekit.test.ts +799 -0
- package/src/sveltekit/types.ts +134 -0
- package/src/sveltekit/validated.test.ts +117 -0
- package/src/sveltekit/validated.ts +78 -0
- package/src/testing/adapter-conformance.test.ts +408 -0
- package/src/testing/checks.test.ts +124 -0
- package/src/testing/checks.ts +304 -0
- package/src/testing/index.ts +107 -0
package/dist/hono.d.ts
ADDED
|
@@ -0,0 +1,514 @@
|
|
|
1
|
+
import { F as Fortress } from './fortress-uA-_cheR.js';
|
|
2
|
+
import { Env, Context, MiddlewareHandler, ErrorHandler, Hono } from 'hono';
|
|
3
|
+
import { D as DatabaseAdapter } from './index-CxEkfCA0.js';
|
|
4
|
+
import { S as Subject, T as TokenClaims } from './types-et0R8tsC.js';
|
|
5
|
+
import { M as MiddlewareDefinition, J as JSONSchema, E as EndpointDefinition, S as StandardSchemaV1 } from './config-B2366s_G.js';
|
|
6
|
+
import { T as ToJSONSchemaConverter } from './convert-routes-BLCQT57f.js';
|
|
7
|
+
export { C as ConvertRoutesOptions, E as ExternalRoute, c as convertRoutes } from './convert-routes-BLCQT57f.js';
|
|
8
|
+
import { P as ProtectedRouteContext, a as ProtectOptions } from './protect-DsxV_-dJ.js';
|
|
9
|
+
export { c as ProtectedRouteHandler, b as ProtectedRouteTarget } from './protect-DsxV_-dJ.js';
|
|
10
|
+
import './index-jAMbbUAY.js';
|
|
11
|
+
import './auth-service-BkzZkWfH.js';
|
|
12
|
+
import './plugins/api-key.js';
|
|
13
|
+
import './jwt.js';
|
|
14
|
+
import './plugins/audit-log.js';
|
|
15
|
+
import './plugins/data-isolation.js';
|
|
16
|
+
import './plugins/email-verification.js';
|
|
17
|
+
import './plugins/magic-link.js';
|
|
18
|
+
import './plugins/oauth.js';
|
|
19
|
+
import './plugins/social-login.js';
|
|
20
|
+
import './plugins/tenancy.js';
|
|
21
|
+
import './plugins/two-factor.js';
|
|
22
|
+
import './plugins/webauthn.js';
|
|
23
|
+
import '@simplewebauthn/server';
|
|
24
|
+
|
|
25
|
+
/**
|
|
26
|
+
* Hono `Variables` slot populated by the fortress auth middleware.
|
|
27
|
+
*
|
|
28
|
+
* `fortressSubject` is the authoritative principal — set for every
|
|
29
|
+
* authenticated request regardless of credential type (JWT, api-key, future
|
|
30
|
+
* OAuth client_credentials, mTLS, ...). `fortressUserId` is a convenience
|
|
31
|
+
* alias populated **only** when the subject is a `USER`; non-USER subjects
|
|
32
|
+
* (e.g. `SERVICE_ACCOUNT` via api-key) leave it `undefined`.
|
|
33
|
+
*
|
|
34
|
+
* Use {@link FortressEnv} to compose this with your own Hono env types
|
|
35
|
+
* without casts.
|
|
36
|
+
*/
|
|
37
|
+
interface FortressVariables {
|
|
38
|
+
fortressSubject: Subject;
|
|
39
|
+
fortressUserId?: string;
|
|
40
|
+
fortressClaims?: TokenClaims;
|
|
41
|
+
fortressScopes?: string[] | null;
|
|
42
|
+
fortressDb: DatabaseAdapter;
|
|
43
|
+
fortressGetScopedDb: (model: string) => Promise<DatabaseAdapter>;
|
|
44
|
+
}
|
|
45
|
+
type ExtractVariables<E> = E extends {
|
|
46
|
+
Variables: infer V;
|
|
47
|
+
} ? V : Record<string, never>;
|
|
48
|
+
type ExtractBindings<E> = E extends {
|
|
49
|
+
Bindings: infer B;
|
|
50
|
+
} ? B : Record<string, never>;
|
|
51
|
+
/**
|
|
52
|
+
* Generic Hono env that composes {@link FortressVariables} with the host
|
|
53
|
+
* app's own env types. Use it directly (`Hono<FortressEnv>`) for a
|
|
54
|
+
* Fortress-only app, or parameterize with your existing env
|
|
55
|
+
* (`Hono<FortressEnv<MyEnv>>`) to add Fortress's variables on top of
|
|
56
|
+
* yours — no `Context<AppEnv>` ↔ `Context<FortressEnv>` casts.
|
|
57
|
+
*
|
|
58
|
+
* @example
|
|
59
|
+
* ```ts
|
|
60
|
+
* interface MyEnv {
|
|
61
|
+
* Variables: { requestId: string };
|
|
62
|
+
* Bindings: { DB: D1Database };
|
|
63
|
+
* }
|
|
64
|
+
*
|
|
65
|
+
* const app = new Hono<FortressEnv<MyEnv>>();
|
|
66
|
+
* app.use(createAuthMiddleware(fortress));
|
|
67
|
+
* app.get('/me', (c) => {
|
|
68
|
+
* const requestId = c.get('requestId'); // host-defined, typed
|
|
69
|
+
* const subject = getSubject(c); // fortress-defined, typed
|
|
70
|
+
* return c.json({ requestId, subject });
|
|
71
|
+
* });
|
|
72
|
+
* ```
|
|
73
|
+
*/
|
|
74
|
+
interface FortressEnv<TAppEnv extends Env = Env> {
|
|
75
|
+
Variables: FortressVariables & ExtractVariables<TAppEnv>;
|
|
76
|
+
Bindings: ExtractBindings<TAppEnv>;
|
|
77
|
+
}
|
|
78
|
+
/** Minimum-viable context shape the typed helpers need — works with any `Context<E>` whose `Variables` include {@link FortressVariables}. */
|
|
79
|
+
type FortressContext<E extends Env = FortressEnv> = Context<E>;
|
|
80
|
+
/**
|
|
81
|
+
* Hono middleware that resolves the request principal and populates the
|
|
82
|
+
* Hono context with `fortressSubject`, `fortressUserId` (USER alias),
|
|
83
|
+
* `fortressClaims`, `fortressDb`, and `fortressGetScopedDb`.
|
|
84
|
+
*
|
|
85
|
+
* Principal resolution goes through `fortress.resolvePrincipal`, which
|
|
86
|
+
* tries plugin `resolvePrincipal` hooks (api-key, future OAuth
|
|
87
|
+
* client_credentials, mTLS) first and then falls back to the JWT bearer
|
|
88
|
+
* token (cookie-first, `Authorization: Bearer` second). This means the
|
|
89
|
+
* same Hono app can authenticate browsers (cookies), SPA clients (Bearer),
|
|
90
|
+
* and service accounts (`Authorization: ApiKey ...` or `X-API-Key`)
|
|
91
|
+
* without extra wiring on any route.
|
|
92
|
+
*
|
|
93
|
+
* `fortressDb` has plugin `wrapAdapter` applied (e.g. tenancy schema
|
|
94
|
+
* switching). `fortressGetScopedDb(model)` additionally applies
|
|
95
|
+
* `scopeRules` for the requested model.
|
|
96
|
+
*/
|
|
97
|
+
declare function createAuthMiddleware(fortress: Fortress): MiddlewareHandler<FortressEnv>;
|
|
98
|
+
/**
|
|
99
|
+
* Get the authenticated principal from the Hono context. Works for every
|
|
100
|
+
* subject kind (`USER`, `SERVICE_ACCOUNT`, ...). Generic in the env type
|
|
101
|
+
* so host apps can pass their own `Context<FortressEnv<MyEnv>>` without
|
|
102
|
+
* casts.
|
|
103
|
+
*/
|
|
104
|
+
declare function getSubject<E extends Env = FortressEnv>(c: Context<E>): Subject;
|
|
105
|
+
/**
|
|
106
|
+
* Get the authenticated user ID from Hono context. Throws 401 if the
|
|
107
|
+
* request was authenticated by a non-USER subject (e.g. a service account
|
|
108
|
+
* via api-key) — use {@link getSubject} for handlers that need to accept
|
|
109
|
+
* any principal.
|
|
110
|
+
*/
|
|
111
|
+
declare function getUserId<E extends Env = FortressEnv>(c: Context<E>): string;
|
|
112
|
+
/**
|
|
113
|
+
* Get the authenticated user's JWT claims from Hono context. Claims are
|
|
114
|
+
* only populated when the request was authenticated via a JWT — api-key
|
|
115
|
+
* principals have no JWT claims. Throws 401 if unavailable.
|
|
116
|
+
*
|
|
117
|
+
* Pass a `TCustomClaims` type parameter to narrow `customClaims` to your
|
|
118
|
+
* deployment's plugin-augmented claim shape (e.g. tenancy adds
|
|
119
|
+
* `tenantId` / `tenantCode`).
|
|
120
|
+
*
|
|
121
|
+
* @example
|
|
122
|
+
* ```ts
|
|
123
|
+
* interface MyClaims { tenantId: string; tenantCode: string }
|
|
124
|
+
* const claims = getClaims<MyClaims>(c);
|
|
125
|
+
* claims.customClaims?.tenantCode; // string | undefined
|
|
126
|
+
* ```
|
|
127
|
+
*/
|
|
128
|
+
declare function getClaims<TCustomClaims extends object = Record<string, unknown>, E extends Env = FortressEnv>(c: Context<E>): TokenClaims & {
|
|
129
|
+
customClaims?: TCustomClaims;
|
|
130
|
+
};
|
|
131
|
+
/**
|
|
132
|
+
* Get the request-scoped database adapter with plugin wrapAdapter applied.
|
|
133
|
+
*/
|
|
134
|
+
declare function getDb<E extends Env = FortressEnv>(c: Context<E>): DatabaseAdapter;
|
|
135
|
+
/**
|
|
136
|
+
* Get a model-scoped database adapter with both wrapAdapter and scopeRules applied.
|
|
137
|
+
*/
|
|
138
|
+
declare function getScopedDb<E extends Env = FortressEnv>(c: Context<E>, model: string): Promise<DatabaseAdapter>;
|
|
139
|
+
|
|
140
|
+
/** A `(resource, action)` IAM mapping for an HTTP route. */
|
|
141
|
+
interface RouteMapping {
|
|
142
|
+
resource: string;
|
|
143
|
+
action: string;
|
|
144
|
+
}
|
|
145
|
+
/** Options accepted by {@link createRbacMiddleware} (and the Hono adapter factory). */
|
|
146
|
+
interface RbacOptions {
|
|
147
|
+
/** Declarative route-to-resource mapping: 'METHOD /path' → { resource, action } */
|
|
148
|
+
routeMap?: Record<string, RouteMapping>;
|
|
149
|
+
/** Dynamic mapping function (used if routeMap doesn't match) */
|
|
150
|
+
mapRequest?: (method: string, path: string) => RouteMapping | null;
|
|
151
|
+
/** Paths that skip permission checks entirely (supports * wildcards) */
|
|
152
|
+
skipPaths?: string[];
|
|
153
|
+
/** Behavior for non-skipped routes absent from routeMap/mapRequest. */
|
|
154
|
+
unmappedRoutes?: 'allow' | 'deny';
|
|
155
|
+
/** @deprecated Use `unmappedRoutes: 'deny'`. */
|
|
156
|
+
defaultDeny?: boolean;
|
|
157
|
+
}
|
|
158
|
+
/**
|
|
159
|
+
* Hono middleware that checks IAM permissions for **user-owned routes**
|
|
160
|
+
* via a declarative route map. Fortress-managed routes (`/auth/*`,
|
|
161
|
+
* `/iam/*`, plugin paths) are protected automatically inside
|
|
162
|
+
* `fortress.handleRequest` — this middleware only handles routes the
|
|
163
|
+
* caller registered themselves.
|
|
164
|
+
*
|
|
165
|
+
* Lookup order:
|
|
166
|
+
* 1. {@link RbacOptions.skipPaths} — if matched, allow.
|
|
167
|
+
* 2. {@link RbacOptions.routeMap} — exact `'METHOD /path'` then
|
|
168
|
+
* parameterized match.
|
|
169
|
+
* 3. {@link RbacOptions.mapRequest} — dynamic resolver fallback.
|
|
170
|
+
* 4. No mapping found → allow, unless {@link RbacOptions.defaultDeny} is set,
|
|
171
|
+
* in which case the route is refused with a 403 (fail closed).
|
|
172
|
+
*
|
|
173
|
+
* Throws {@link FortressError} on missing/insufficient permissions.
|
|
174
|
+
*/
|
|
175
|
+
declare function createRbacMiddleware(fortress: Fortress, options?: RbacOptions): MiddlewareHandler<FortressEnv>;
|
|
176
|
+
|
|
177
|
+
/**
|
|
178
|
+
* Hono error handler that maps FortressError to HTTP responses.
|
|
179
|
+
* Delegates to the framework-agnostic `errorToResponse` in core so the
|
|
180
|
+
* mapping (status codes, `Retry-After`, sanitized 500s) stays consistent
|
|
181
|
+
* across Hono / Express / SvelteKit / `fortress.handleRequest`.
|
|
182
|
+
*/
|
|
183
|
+
declare function createErrorHandler(): ErrorHandler;
|
|
184
|
+
|
|
185
|
+
/**
|
|
186
|
+
* Hono middleware that executes plugin-defined middleware for a given position.
|
|
187
|
+
*
|
|
188
|
+
* Normalizes Hono's context to the shared {@link PluginRequestContext}, so
|
|
189
|
+
* plugin middleware receives the same web-standard Request and resolved auth
|
|
190
|
+
* fields under core, Hono, and Express.
|
|
191
|
+
*/
|
|
192
|
+
declare function createPluginMiddleware(fortress: Fortress, position: MiddlewareDefinition['position']): MiddlewareHandler<FortressEnv>;
|
|
193
|
+
|
|
194
|
+
/**
|
|
195
|
+
* Hono OpenAPI adapter for Fortress.
|
|
196
|
+
*
|
|
197
|
+
* Schema-library agnostic — accepts a converter function from the user.
|
|
198
|
+
* Users pass their own JSON Schema → schema-library converter (Zod, Valibot, etc.).
|
|
199
|
+
*
|
|
200
|
+
* Users pass their schema library's JSON Schema converter:
|
|
201
|
+
* - Zod v4: `z.fromJSONSchema`
|
|
202
|
+
* - TypeBox: schemas are JSON Schema natively
|
|
203
|
+
* - ArkType: `@ark/jsonschema`
|
|
204
|
+
*/
|
|
205
|
+
|
|
206
|
+
/**
|
|
207
|
+
* A function that converts a JSON Schema to whatever schema type your
|
|
208
|
+
* framework adapter expects (e.g. Zod schema, Valibot schema). Used by
|
|
209
|
+
* {@link buildRouteDefinition} so fortress's OpenAPI generator stays
|
|
210
|
+
* schema-library agnostic.
|
|
211
|
+
*/
|
|
212
|
+
type SchemaConverter<T = unknown> = (jsonSchema: JSONSchema) => T;
|
|
213
|
+
interface MountOptions<T = unknown> {
|
|
214
|
+
/** Convert JSON Schema → your schema library (e.g., jsonSchemaToZod from '@bajustone/fortress/zod') */
|
|
215
|
+
schemaConverter: SchemaConverter<T>;
|
|
216
|
+
/** Paths to skip (won't be mounted) */
|
|
217
|
+
skipPaths?: string[];
|
|
218
|
+
/** Function to create a route definition from an endpoint (framework-specific) */
|
|
219
|
+
createRoute: (def: Record<string, unknown>) => unknown;
|
|
220
|
+
/** Function to register security schemes on the app */
|
|
221
|
+
registerSecuritySchemes?: (app: unknown) => void;
|
|
222
|
+
}
|
|
223
|
+
interface GenericOpenAPIApp {
|
|
224
|
+
openapi: (route: unknown, handler: (...args: any[]) => any) => void;
|
|
225
|
+
}
|
|
226
|
+
/**
|
|
227
|
+
* Build a framework-agnostic route definition object from an EndpointDefinition.
|
|
228
|
+
* The schemaConverter transforms JSON Schema into whatever the target framework expects.
|
|
229
|
+
*/
|
|
230
|
+
declare function buildRouteDefinition<T>(ep: EndpointDefinition, schemaConverter: SchemaConverter<T>): Record<string, unknown>;
|
|
231
|
+
/**
|
|
232
|
+
* Auto-mount all Fortress endpoints on an OpenAPI-compatible Hono app.
|
|
233
|
+
*
|
|
234
|
+
* Schema-library agnostic: you provide the converter.
|
|
235
|
+
*
|
|
236
|
+
* @example
|
|
237
|
+
* ```ts
|
|
238
|
+
* import { OpenAPIHono, createRoute } from '@hono/zod-openapi';
|
|
239
|
+
* import { mountFortressOpenAPI } from '@bajustone/fortress/hono';
|
|
240
|
+
* import { jsonSchemaToZod } from '@bajustone/fortress/zod';
|
|
241
|
+
*
|
|
242
|
+
* const app = new OpenAPIHono();
|
|
243
|
+
* mountFortressOpenAPI(app, fortress, {
|
|
244
|
+
* schemaConverter: jsonSchemaToZod,
|
|
245
|
+
* createRoute,
|
|
246
|
+
* });
|
|
247
|
+
* ```
|
|
248
|
+
*/
|
|
249
|
+
declare function mountFortressOpenAPI<T>(app: GenericOpenAPIApp & {
|
|
250
|
+
openAPIRegistry?: {
|
|
251
|
+
registerComponent: (type: string, name: string, schema: Record<string, unknown>) => void;
|
|
252
|
+
};
|
|
253
|
+
}, fortress: Fortress, options: MountOptions<T>): void;
|
|
254
|
+
/**
|
|
255
|
+
* Get all Fortress endpoint definitions as framework route definitions.
|
|
256
|
+
* Returns a map of `{ [handlerName]: routeDef }`.
|
|
257
|
+
*/
|
|
258
|
+
declare function getFortressRoutes<T>(fortress: Fortress, schemaConverter: SchemaConverter<T>, createRoute: (def: Record<string, unknown>) => unknown): Record<string, unknown>;
|
|
259
|
+
|
|
260
|
+
/**
|
|
261
|
+
* Default schema converters for the Hono OpenAPI integration — so you can mount
|
|
262
|
+
* fortress endpoints (or import external routes) **without pulling in Zod**.
|
|
263
|
+
*
|
|
264
|
+
* fortress's builder schemas (and `@bajustone/fetcher`'s builder schemas) ARE
|
|
265
|
+
* JSON Schema, so the converters are trivial: identity for the JSON-Schema
|
|
266
|
+
* direction, and `fromJSONSchema` when the target wants a validating Standard
|
|
267
|
+
* Schema V1. Existing Zod callers are unaffected — these are opt-in defaults.
|
|
268
|
+
*
|
|
269
|
+
* @module
|
|
270
|
+
*/
|
|
271
|
+
|
|
272
|
+
/**
|
|
273
|
+
* A {@link SchemaConverter} that passes JSON Schema through unchanged. Use with
|
|
274
|
+
* OpenAPI tooling that consumes JSON Schema directly, or for raw spec
|
|
275
|
+
* generation. Requires no schema library.
|
|
276
|
+
*/
|
|
277
|
+
declare const identitySchemaConverter: SchemaConverter<JSONSchema>;
|
|
278
|
+
/**
|
|
279
|
+
* A {@link SchemaConverter} that compiles JSON Schema into a validating
|
|
280
|
+
* `@bajustone/fetcher` Standard Schema V1. Use with Hono OpenAPI tooling that
|
|
281
|
+
* accepts Standard Schema (e.g. `hono-openapi` / `@hono/standard-validator`) —
|
|
282
|
+
* no Zod required.
|
|
283
|
+
*/
|
|
284
|
+
declare const fetcherSchemaConverter: SchemaConverter<StandardSchemaV1>;
|
|
285
|
+
/**
|
|
286
|
+
* A {@link ToJSONSchemaConverter} for importing external routes authored with
|
|
287
|
+
* fortress's or fetcher's builder (both ARE JSON Schema). Extracts clean JSON
|
|
288
|
+
* Schema (runtime-only `~`-prefixed props are dropped at OpenAPI emission).
|
|
289
|
+
* Pass to {@link convertRoutes} so such routes import without Zod.
|
|
290
|
+
*/
|
|
291
|
+
declare const toJSONSchemaConverter: ToJSONSchemaConverter;
|
|
292
|
+
|
|
293
|
+
/**
|
|
294
|
+
* Primary entry point for the Hono adapter: register a single fortress
|
|
295
|
+
* middleware that detects Fortress-managed paths and delegates to
|
|
296
|
+
* `fortress.handleRequest`. Custom user routes registered *before*
|
|
297
|
+
* `mountFortress` keep working — Hono's first-match routing means user
|
|
298
|
+
* handlers win over the catch-all.
|
|
299
|
+
*
|
|
300
|
+
* @example
|
|
301
|
+
* ```ts
|
|
302
|
+
* import { Hono } from 'hono';
|
|
303
|
+
* import { mountFortress } from '@bajustone/fortress/hono';
|
|
304
|
+
*
|
|
305
|
+
* const app = new Hono();
|
|
306
|
+
* mountFortress(app, fortress);
|
|
307
|
+
* // POST /auth/login, POST /auth/refresh, GET /auth/me, /iam/*, /oauth/* …
|
|
308
|
+
* // are all handled automatically. Cookies for login/refresh are set on
|
|
309
|
+
* // the response without any extra wiring.
|
|
310
|
+
* ```
|
|
311
|
+
*/
|
|
312
|
+
|
|
313
|
+
/** Options for {@link mountFortress}. */
|
|
314
|
+
interface MountFortressOptions {
|
|
315
|
+
/**
|
|
316
|
+
* Optional path prefix to mount Fortress under (e.g. `/api`). When set,
|
|
317
|
+
* a request to `/api/auth/login` is internally rewritten to `/auth/login`
|
|
318
|
+
* before being passed to `fortress.handleRequest`.
|
|
319
|
+
*/
|
|
320
|
+
prefix?: string;
|
|
321
|
+
}
|
|
322
|
+
/**
|
|
323
|
+
* Mount a single Hono middleware that delegates Fortress-managed paths to
|
|
324
|
+
* `fortress.handleRequest` and otherwise calls `next()` so user-route
|
|
325
|
+
* handlers run normally.
|
|
326
|
+
*
|
|
327
|
+
* Cookies emitted by login/refresh/impersonate are honored automatically:
|
|
328
|
+
* the `Response` returned by `fortress.handleRequest` already carries the
|
|
329
|
+
* `Set-Cookie` headers built by core, and Hono returns it verbatim.
|
|
330
|
+
*/
|
|
331
|
+
declare function mountFortress<E extends Env = Env>(app: Hono<E>, fortress: Fortress, options?: MountFortressOptions): void;
|
|
332
|
+
|
|
333
|
+
/** Options accepted by {@link createCsrfMiddleware}. */
|
|
334
|
+
interface CsrfConfig {
|
|
335
|
+
/** Header name to check. Default: 'X-Fortress-CSRF'. */
|
|
336
|
+
headerName?: string;
|
|
337
|
+
/** Paths to skip CSRF checking. */
|
|
338
|
+
skipPaths?: string[];
|
|
339
|
+
/** HTTP methods that don't need CSRF checking. Default: ['GET', 'HEAD', 'OPTIONS']. */
|
|
340
|
+
safeMethods?: string[];
|
|
341
|
+
}
|
|
342
|
+
/**
|
|
343
|
+
* CSRF middleware using the custom-header strategy.
|
|
344
|
+
*
|
|
345
|
+
* Browsers enforce CORS preflight on custom headers, so cross-origin requests
|
|
346
|
+
* cannot set them without explicit server permission. This middleware requires
|
|
347
|
+
* a specific header to be present on non-safe HTTP methods.
|
|
348
|
+
*
|
|
349
|
+
* Additionally checks `Sec-Fetch-Site` to reject cross-site requests.
|
|
350
|
+
*/
|
|
351
|
+
declare function createCsrfMiddleware(config?: CsrfConfig): MiddlewareHandler;
|
|
352
|
+
|
|
353
|
+
/** Options accepted by {@link createSecurityHeadersMiddleware}. */
|
|
354
|
+
interface SecurityHeadersConfig {
|
|
355
|
+
/** Strict-Transport-Security max-age in seconds. Default: 63072000 (2 years). Set to 0 to disable. */
|
|
356
|
+
hstsMaxAge?: number;
|
|
357
|
+
/** Include subdomains in HSTS. Default: true. */
|
|
358
|
+
hstsIncludeSubdomains?: boolean;
|
|
359
|
+
/** HSTS preload flag. Default: false. */
|
|
360
|
+
hstsPreload?: boolean;
|
|
361
|
+
/** X-Frame-Options value. Default: 'DENY'. Set to false to disable. */
|
|
362
|
+
frameOptions?: 'DENY' | 'SAMEORIGIN' | false;
|
|
363
|
+
/** X-Content-Type-Options nosniff. Default: true. */
|
|
364
|
+
noSniff?: boolean;
|
|
365
|
+
/** Content-Security-Policy value. Default: "default-src 'self'". Set to false to disable. */
|
|
366
|
+
contentSecurityPolicy?: string | false;
|
|
367
|
+
/** Referrer-Policy value. Default: 'strict-origin-when-cross-origin'. Set to false to disable. */
|
|
368
|
+
referrerPolicy?: string | false;
|
|
369
|
+
/** X-Permitted-Cross-Domain-Policies value. Default: 'none'. Set to false to disable. */
|
|
370
|
+
permittedCrossDomainPolicies?: string | false;
|
|
371
|
+
}
|
|
372
|
+
/**
|
|
373
|
+
* Hono middleware that sets security-related HTTP headers.
|
|
374
|
+
* All headers are enabled by default with secure values.
|
|
375
|
+
*/
|
|
376
|
+
declare function createSecurityHeadersMiddleware(config?: SecurityHeadersConfig): MiddlewareHandler;
|
|
377
|
+
|
|
378
|
+
/**
|
|
379
|
+
* Hono-flavoured host callback. `E` flows in from the endpoint passed to
|
|
380
|
+
* `protectedRoute()`, so `ctx.body` / `ctx.query` / `ctx.params` / `ctx.input`
|
|
381
|
+
* are typed from the endpoint's phantom generics.
|
|
382
|
+
*
|
|
383
|
+
* `HEnv` is Hono's environment generic (renamed from `E` so it no longer
|
|
384
|
+
* collides with the endpoint generic). String targets degrade to the
|
|
385
|
+
* loose default just like the core helper.
|
|
386
|
+
*/
|
|
387
|
+
type HonoProtectedRouteHandler<E extends EndpointDefinition<any, any, any, any> = EndpointDefinition, HEnv extends Env = Env, TResult = unknown> = (c: Context<HEnv>, ctx: ProtectedRouteContext<E>) => TResult | Response | Promise<TResult | Response>;
|
|
388
|
+
/**
|
|
389
|
+
* Wrap a host-owned Hono route in Fortress's route protection pipeline.
|
|
390
|
+
*
|
|
391
|
+
* Two overloads, mirroring `protect()`:
|
|
392
|
+
*
|
|
393
|
+
* - **Typed target** — passing an `EndpointDefinition` flows its phantom
|
|
394
|
+
* generics through `ctx.body` / `ctx.query` / `ctx.params` / `ctx.input`.
|
|
395
|
+
* - **String target** — passing a unique `handler` name keeps the loose
|
|
396
|
+
* `Record<string, unknown>` / `unknown` typing.
|
|
397
|
+
*/
|
|
398
|
+
declare function protectedRoute<E extends EndpointDefinition<any, any, any, any>, HEnv extends Env = Env, TResult = unknown>(fortress: Fortress, target: E, handler: HonoProtectedRouteHandler<E, HEnv, TResult>, options?: ProtectOptions): MiddlewareHandler<HEnv>;
|
|
399
|
+
declare function protectedRoute<HEnv extends Env = Env, TResult = unknown>(fortress: Fortress, target: string, handler: HonoProtectedRouteHandler<EndpointDefinition, HEnv, TResult>, options?: ProtectOptions): MiddlewareHandler<HEnv>;
|
|
400
|
+
|
|
401
|
+
/**
|
|
402
|
+
* Typed extraction-and-validation helpers for Hono handlers.
|
|
403
|
+
*
|
|
404
|
+
* These helpers extract request data (body, params, query) **and validate
|
|
405
|
+
* it at runtime** against the supplied Standard Schema. On success they
|
|
406
|
+
* return the parsed value with full TypeScript inference; on failure they
|
|
407
|
+
* throw `FortressError('VALIDATION_ERROR', 422)` — the same shape every
|
|
408
|
+
* fortress-managed endpoint produces — so the existing Hono error handler
|
|
409
|
+
* formats it identically.
|
|
410
|
+
*
|
|
411
|
+
* Works with any Standard Schema V1 library: Zod, Valibot, ArkType, or
|
|
412
|
+
* fortress's built-in schema builders.
|
|
413
|
+
*
|
|
414
|
+
* @example
|
|
415
|
+
* ```ts
|
|
416
|
+
* import { vBody, vParam, vQuery } from '@bajustone/fortress/hono';
|
|
417
|
+
*
|
|
418
|
+
* app.post('/users/:id', async (c) => {
|
|
419
|
+
* const body = await vBody(c, CreateUserBody);
|
|
420
|
+
* const { id } = await vParam(c, IdParam);
|
|
421
|
+
* const { page } = await vQuery(c, PaginationQuery);
|
|
422
|
+
* // ...
|
|
423
|
+
* });
|
|
424
|
+
* ```
|
|
425
|
+
*
|
|
426
|
+
* Validation runs per call, so the first failing helper throws and any
|
|
427
|
+
* downstream helpers in the same handler do not run. If you need to
|
|
428
|
+
* aggregate body+query+params issues into a single response, use the
|
|
429
|
+
* framework-agnostic `validateRequest` from `@bajustone/fortress` instead.
|
|
430
|
+
*/
|
|
431
|
+
|
|
432
|
+
/** Infer the output type of a Standard Schema V1 schema. */
|
|
433
|
+
type InferOutput<T extends StandardSchemaV1> = StandardSchemaV1.InferOutput<T>;
|
|
434
|
+
/**
|
|
435
|
+
* Extract and validate the request body. Returns the parsed value typed as
|
|
436
|
+
* `InferOutput<T>`, or throws `FortressError('VALIDATION_ERROR', 422)`.
|
|
437
|
+
*/
|
|
438
|
+
declare function vBody<T extends StandardSchemaV1>(c: Context, schema: T): Promise<InferOutput<T>>;
|
|
439
|
+
/**
|
|
440
|
+
* Extract and validate route parameters. Returns the parsed value typed as
|
|
441
|
+
* `InferOutput<T>`, or throws `FortressError('VALIDATION_ERROR', 422)`.
|
|
442
|
+
*/
|
|
443
|
+
declare function vParam<T extends StandardSchemaV1>(c: Context, schema: T): Promise<InferOutput<T>>;
|
|
444
|
+
/**
|
|
445
|
+
* Extract and validate query parameters. Returns the parsed value typed as
|
|
446
|
+
* `InferOutput<T>`, or throws `FortressError('VALIDATION_ERROR', 422)`.
|
|
447
|
+
*/
|
|
448
|
+
declare function vQuery<T extends StandardSchemaV1>(c: Context, schema: T): Promise<InferOutput<T>>;
|
|
449
|
+
|
|
450
|
+
/**
|
|
451
|
+
* Hono adapter for fortress.
|
|
452
|
+
*
|
|
453
|
+
* Provides {@link mountFortress}, the modern entry point that delegates to
|
|
454
|
+
* `fortress.handleRequest`, plus the lower-level middleware factories
|
|
455
|
+
* (`createHonoMiddleware`, `createAuthMiddleware`, `createRbacMiddleware`,
|
|
456
|
+
* `createCsrfMiddleware`, `createSecurityHeadersMiddleware`, etc.) for
|
|
457
|
+
* user-owned routes. Also exports `vBody` / `vParam` / `vQuery` typed
|
|
458
|
+
* extraction helpers for custom routes.
|
|
459
|
+
*
|
|
460
|
+
* @example
|
|
461
|
+
* ```ts
|
|
462
|
+
* import { Hono } from 'hono';
|
|
463
|
+
* import { mountFortress, createHonoMiddleware } from '@bajustone/fortress/hono';
|
|
464
|
+
*
|
|
465
|
+
* const app = new Hono();
|
|
466
|
+
*
|
|
467
|
+
* // One-line mount: handles all Fortress routes (auth, IAM, plugins, OAuth, OpenAPI).
|
|
468
|
+
* mountFortress(app, fortress);
|
|
469
|
+
*
|
|
470
|
+
* // Optional: protect your own routes with the IAM middleware.
|
|
471
|
+
* const { authMiddleware, rbacMiddleware, errorHandler } = createHonoMiddleware(fortress, {
|
|
472
|
+
* routeMap: { 'GET /api/users': { resource: 'user', action: 'list' } },
|
|
473
|
+
* });
|
|
474
|
+
* app.use('/api/*', authMiddleware, rbacMiddleware);
|
|
475
|
+
* app.onError(errorHandler);
|
|
476
|
+
* ```
|
|
477
|
+
*
|
|
478
|
+
* @module
|
|
479
|
+
*/
|
|
480
|
+
|
|
481
|
+
/**
|
|
482
|
+
* Options for {@link createHonoMiddleware}. Currently extends {@link RbacOptions}
|
|
483
|
+
* so callers can override which IAM resource/action a route maps to.
|
|
484
|
+
*/
|
|
485
|
+
interface HonoAdapterOptions extends RbacOptions {
|
|
486
|
+
}
|
|
487
|
+
/**
|
|
488
|
+
* Create Hono middleware from a Fortress instance.
|
|
489
|
+
*
|
|
490
|
+
* Usage:
|
|
491
|
+
* const { authMiddleware, pluginMiddleware, rbacMiddleware, errorHandler } = createHonoMiddleware(fortress, {
|
|
492
|
+
* routeMap: { 'POST /api/users': { resource: 'user', action: 'create' } },
|
|
493
|
+
* skipPaths: ['/health', '/auth/*'],
|
|
494
|
+
* });
|
|
495
|
+
*
|
|
496
|
+
* app.onError(errorHandler);
|
|
497
|
+
* app.use('/api/*', pluginMiddleware.beforeAuth);
|
|
498
|
+
* app.use('/api/*', authMiddleware);
|
|
499
|
+
* app.use('/api/*', pluginMiddleware.afterAuth);
|
|
500
|
+
* app.use('/api/*', rbacMiddleware);
|
|
501
|
+
* app.use('/api/*', pluginMiddleware.afterRbac);
|
|
502
|
+
*/
|
|
503
|
+
declare function createHonoMiddleware(fortress: Fortress, options?: HonoAdapterOptions): {
|
|
504
|
+
authMiddleware: ReturnType<typeof createAuthMiddleware>;
|
|
505
|
+
rbacMiddleware: ReturnType<typeof createRbacMiddleware>;
|
|
506
|
+
errorHandler: ReturnType<typeof createErrorHandler>;
|
|
507
|
+
pluginMiddleware: {
|
|
508
|
+
beforeAuth: ReturnType<typeof createPluginMiddleware>;
|
|
509
|
+
afterAuth: ReturnType<typeof createPluginMiddleware>;
|
|
510
|
+
afterRbac: ReturnType<typeof createPluginMiddleware>;
|
|
511
|
+
};
|
|
512
|
+
};
|
|
513
|
+
|
|
514
|
+
export { type CsrfConfig, type FortressContext, type FortressEnv, type FortressVariables, type HonoAdapterOptions, type HonoProtectedRouteHandler, type InferOutput, type MountFortressOptions, ProtectOptions, ProtectedRouteContext, type RbacOptions, type RouteMapping, type SchemaConverter, type SecurityHeadersConfig, ToJSONSchemaConverter, buildRouteDefinition, createCsrfMiddleware, createHonoMiddleware, createPluginMiddleware, createSecurityHeadersMiddleware, fetcherSchemaConverter, getClaims, getDb, getFortressRoutes, getScopedDb, getSubject, getUserId, identitySchemaConverter, mountFortress, mountFortressOpenAPI, protectedRoute, toJSONSchemaConverter, vBody, vParam, vQuery };
|