@digilogiclabs/platform-core 1.6.0 → 1.8.0

package/dist/auth.js

@@ -50,20 +50,27 @@ __export(auth_exports, {
   checkEnvVars: () => checkEnvVars,
   checkRateLimit: () => checkRateLimit,
   classifyError: () => classifyError,
+  clearStoredBetaCode: () => clearStoredBetaCode,
   constantTimeEqual: () => constantTimeEqual,
   containsHtml: () => containsHtml,
   containsUrls: () => containsUrls,
   createAuditActor: () => createAuditActor,
   createAuditLogger: () => createAuditLogger,
+  createBetaClient: () => createBetaClient,
   createFeatureFlags: () => createFeatureFlags,
   createMemoryRateLimitStore: () => createMemoryRateLimitStore,
+  createRedisRateLimitStore: () => createRedisRateLimitStore,
   createSafeTextSchema: () => createSafeTextSchema,
   detectStage: () => detectStage,
+  enforceRateLimit: () => enforceRateLimit,
+  errorResponse: () => errorResponse,
   escapeHtml: () => escapeHtml,
   extractAuditIp: () => extractAuditIp,
   extractAuditRequestId: () => extractAuditRequestId,
   extractAuditUserAgent: () => extractAuditUserAgent,
+  extractBearerToken: () => extractBearerToken,
   extractClientIp: () => extractClientIp,
+  fetchBetaSettings: () => fetchBetaSettings,
   getBoolEnv: () => getBoolEnv,
   getCorrelationId: () => getCorrelationId,
   getEndSessionEndpoint: () => getEndSessionEndpoint,
@@ -72,6 +79,7 @@ __export(auth_exports, {
   getOptionalEnv: () => getOptionalEnv,
   getRateLimitStatus: () => getRateLimitStatus,
   getRequiredEnv: () => getRequiredEnv,
+  getStoredBetaCode: () => getStoredBetaCode,
   getTokenEndpoint: () => getTokenEndpoint,
   hasAllRoles: () => hasAllRoles,
   hasAnyRole: () => hasAnyRole,
@@ -79,14 +87,18 @@ __export(auth_exports, {
   isAllowlisted: () => isAllowlisted,
   isApiError: () => isApiError,
   isTokenExpired: () => isTokenExpired,
+  isValidBearerToken: () => isValidBearerToken,
   parseKeycloakRoles: () => parseKeycloakRoles,
   refreshKeycloakToken: () => refreshKeycloakToken,
   resetRateLimitForKey: () => resetRateLimitForKey,
   resolveIdentifier: () => resolveIdentifier,
   resolveRateLimitIdentifier: () => resolveRateLimitIdentifier,
   sanitizeApiError: () => sanitizeApiError,
+  storeBetaCode: () => storeBetaCode,
   stripHtml: () => stripHtml,
-  validateEnvVars: () => validateEnvVars
+  validateBetaCode: () => validateBetaCode,
+  validateEnvVars: () => validateEnvVars,
+  zodErrorResponse: () => zodErrorResponse
 });
 module.exports = __toCommonJS(auth_exports);
 
@@ -260,7 +272,11 @@ function buildKeycloakCallbacks(config) {
      * Compatible with Auth.js v5 JWT callback signature.
      */
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    async jwt({ token, user, account }) {
+    async jwt({
+      token,
+      user,
+      account
+    }) {
       if (user) {
         token.id = token.sub ?? user.id;
       }
@@ -821,6 +837,44 @@ function resolveIdentifier(session, clientIp) {
   return { identifier: `ip:${clientIp ?? "unknown"}`, isAuthenticated: false };
 }
 
+// src/auth/rate-limit-store-redis.ts
+function createRedisRateLimitStore(redis, options = {}) {
+  const prefix = options.keyPrefix ?? "";
+  return {
+    async increment(key, windowMs, now) {
+      const fullKey = `${prefix}${key}`;
+      const windowStart = now - windowMs;
+      const windowSeconds = Math.ceil(windowMs / 1e3) + 60;
+      await redis.zremrangebyscore(fullKey, 0, windowStart);
+      const current = await redis.zcard(fullKey);
+      const member = `${now}:${Math.random().toString(36).slice(2, 10)}`;
+      await redis.zadd(fullKey, now, member);
+      await redis.expire(fullKey, windowSeconds);
+      return { count: current + 1 };
+    },
+    async isBlocked(key) {
+      const fullKey = `${prefix}${key}`;
+      const value = await redis.get(fullKey);
+      if (!value) {
+        return { blocked: false, ttlMs: 0 };
+      }
+      const ttlSeconds = await redis.ttl(fullKey);
+      if (ttlSeconds <= 0) {
+        return { blocked: false, ttlMs: 0 };
+      }
+      return { blocked: true, ttlMs: ttlSeconds * 1e3 };
+    },
+    async setBlock(key, durationSeconds) {
+      const fullKey = `${prefix}${key}`;
+      await redis.setex(fullKey, durationSeconds, "1");
+    },
+    async reset(key) {
+      const fullKey = `${prefix}${key}`;
+      await redis.del(fullKey);
+    }
+  };
+}
+
 // src/auth/audit.ts
 var StandardAuditActions = {
   // Authentication
@@ -1105,6 +1159,170 @@ function buildPagination(page, limit, total) {
   };
 }
 
+// src/auth/nextjs-api.ts
+async function enforceRateLimit(request, operation, rule, options) {
+  const identifier = options?.identifier ?? (options?.userId ? `user:${options.userId}` : void 0) ?? `ip:${extractClientIp((name) => request.headers.get(name))}`;
+  const isAuthenticated = !!options?.userId;
+  const result = await checkRateLimit(operation, identifier, rule, {
+    ...options?.rateLimitOptions,
+    isAuthenticated
+  });
+  if (!result.allowed) {
+    const headers = buildRateLimitResponseHeaders(result);
+    return new Response(
+      JSON.stringify({
+        error: "Rate limit exceeded. Please try again later.",
+        retryAfter: result.retryAfterSeconds
+      }),
+      {
+        status: 429,
+        headers: { "Content-Type": "application/json", ...headers }
+      }
+    );
+  }
+  return null;
+}
+function errorResponse(error, options) {
+  const isDev = options?.isDevelopment ?? process.env.NODE_ENV === "development";
+  const { status, body } = classifyError(error, isDev);
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function zodErrorResponse(error) {
+  const firstIssue = error.issues[0];
+  const message = firstIssue ? `${firstIssue.path.join(".") || "input"}: ${firstIssue.message}` : "Validation error";
+  return new Response(JSON.stringify({ error: message }), {
+    status: 400,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function extractBearerToken(request) {
+  const auth = request.headers.get("authorization");
+  if (!auth?.startsWith("Bearer ")) return null;
+  return auth.slice(7).trim() || null;
+}
+function isValidBearerToken(request, secret) {
+  if (!secret) return false;
+  const token = extractBearerToken(request);
+  if (!token) return false;
+  return constantTimeEqual(token, secret);
+}
+
+// src/auth/beta-client.ts
+var DEFAULT_CONFIG = {
+  baseUrl: "",
+  settingsEndpoint: "/api/beta-settings",
+  validateEndpoint: "/api/validate-beta-code",
+  storageKey: "beta_code",
+  failSafeDefaults: {
+    betaMode: true,
+    requireInviteCode: true,
+    betaMessage: ""
+  }
+};
+function createBetaClient(config = {}) {
+  const cfg = {
+    ...DEFAULT_CONFIG,
+    ...config,
+    failSafeDefaults: {
+      ...DEFAULT_CONFIG.failSafeDefaults,
+      ...config.failSafeDefaults
+    }
+  };
+  return {
+    fetchSettings: () => fetchBetaSettings(cfg),
+    validateCode: (code) => validateBetaCode(code, cfg),
+    storeCode: (code) => storeBetaCode(code, cfg),
+    getStoredCode: () => getStoredBetaCode(cfg),
+    clearStoredCode: () => clearStoredBetaCode(cfg)
+  };
+}
+async function fetchBetaSettings(config = {}) {
+  const cfg = { ...DEFAULT_CONFIG, ...config };
+  try {
+    const response = await fetch(
+      `${cfg.baseUrl}${cfg.settingsEndpoint}`,
+      {
+        method: "GET",
+        headers: { "Content-Type": "application/json" },
+        cache: "no-store"
+      }
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to fetch beta settings: ${response.status}`);
+    }
+    const data = await response.json();
+    return {
+      betaMode: data.betaMode ?? cfg.failSafeDefaults.betaMode ?? true,
+      requireInviteCode: data.requireInviteCode ?? cfg.failSafeDefaults.requireInviteCode ?? true,
+      betaMessage: data.betaMessage ?? cfg.failSafeDefaults.betaMessage ?? ""
+    };
+  } catch (error) {
+    console.error("Error fetching beta settings:", error);
+    return {
+      betaMode: cfg.failSafeDefaults.betaMode ?? true,
+      requireInviteCode: cfg.failSafeDefaults.requireInviteCode ?? true,
+      betaMessage: cfg.failSafeDefaults.betaMessage ?? ""
+    };
+  }
+}
+async function validateBetaCode(code, config = {}) {
+  const cfg = { ...DEFAULT_CONFIG, ...config };
+  if (!code || code.trim().length < 3) {
+    return {
+      valid: false,
+      message: "Please enter a valid invite code."
+    };
+  }
+  try {
+    const response = await fetch(
+      `${cfg.baseUrl}${cfg.validateEndpoint}`,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ code: code.trim().toUpperCase() })
+      }
+    );
+    if (response.status === 429) {
+      return {
+        valid: false,
+        message: "Too many attempts. Please try again later."
+      };
+    }
+    if (!response.ok) {
+      throw new Error(`Validation request failed: ${response.status}`);
+    }
+    return await response.json();
+  } catch (error) {
+    console.error("Error validating invite code:", error);
+    return {
+      valid: false,
+      message: "Unable to validate code. Please try again."
+    };
+  }
+}
+function storeBetaCode(code, config = {}) {
+  const key = config.storageKey ?? DEFAULT_CONFIG.storageKey;
+  if (typeof window !== "undefined") {
+    sessionStorage.setItem(key, code.trim().toUpperCase());
+  }
+}
+function getStoredBetaCode(config = {}) {
+  const key = config.storageKey ?? DEFAULT_CONFIG.storageKey;
+  if (typeof window !== "undefined") {
+    return sessionStorage.getItem(key);
+  }
+  return null;
+}
+function clearStoredBetaCode(config = {}) {
+  const key = config.storageKey ?? DEFAULT_CONFIG.storageKey;
+  if (typeof window !== "undefined") {
+    sessionStorage.removeItem(key);
+  }
+}
+
 // src/env.ts
 function getRequiredEnv(key) {
   const value = process.env[key];
@@ -1227,20 +1445,27 @@ function getEnvSummary(keys) {
   checkEnvVars,
   checkRateLimit,
   classifyError,
+  clearStoredBetaCode,
   constantTimeEqual,
   containsHtml,
   containsUrls,
   createAuditActor,
   createAuditLogger,
+  createBetaClient,
   createFeatureFlags,
   createMemoryRateLimitStore,
+  createRedisRateLimitStore,
   createSafeTextSchema,
   detectStage,
+  enforceRateLimit,
+  errorResponse,
   escapeHtml,
   extractAuditIp,
   extractAuditRequestId,
   extractAuditUserAgent,
+  extractBearerToken,
   extractClientIp,
+  fetchBetaSettings,
   getBoolEnv,
   getCorrelationId,
   getEndSessionEndpoint,
@@ -1249,6 +1474,7 @@ function getEnvSummary(keys) {
   getOptionalEnv,
   getRateLimitStatus,
   getRequiredEnv,
+  getStoredBetaCode,
   getTokenEndpoint,
   hasAllRoles,
   hasAnyRole,
@@ -1256,13 +1482,17 @@ function getEnvSummary(keys) {
   isAllowlisted,
   isApiError,
   isTokenExpired,
+  isValidBearerToken,
   parseKeycloakRoles,
   refreshKeycloakToken,
   resetRateLimitForKey,
   resolveIdentifier,
   resolveRateLimitIdentifier,
   sanitizeApiError,
+  storeBetaCode,
   stripHtml,
-  validateEnvVars
+  validateBetaCode,
+  validateEnvVars,
+  zodErrorResponse
 });
 //# sourceMappingURL=auth.js.map