npm - @digilogiclabs/platform-core - Versions diffs - 1.9.0 → 1.11.0 - Mend

@digilogiclabs/platform-core 1.9.0 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/auth.d.mts +217 -3
package/dist/auth.d.ts +217 -3
package/dist/auth.js +251 -0
package/dist/auth.js.map +1 -1
package/dist/auth.mjs +244 -0
package/dist/auth.mjs.map +1 -1
package/dist/email-templates.js +13 -6
package/dist/email-templates.js.map +1 -1
package/dist/email-templates.mjs +13 -6
package/dist/email-templates.mjs.map +1 -1
package/dist/{env-DHPZR3Lv.d.mts → env-CYKVNpLl.d.mts} +6 -0
package/dist/{env-DHPZR3Lv.d.ts → env-CYKVNpLl.d.ts} +6 -0
package/dist/index.d.mts +2 -2
package/dist/index.d.ts +2 -2
package/dist/index.js +6 -0
package/dist/index.js.map +1 -1
package/dist/index.mjs +6 -0
package/dist/index.mjs.map +1 -1
package/dist/migrate.js +0 -0
package/package.json +11 -11

package/dist/auth.js CHANGED Viewed

@@ -38,9 +38,11 @@ __export(auth_exports, {
   StandardAuditActions: () => StandardAuditActions,
   StandardRateLimitPresets: () => StandardRateLimitPresets,
   WrapperPresets: () => WrapperPresets,
+  addRateLimitHeaders: () => addRateLimitHeaders,
   buildAllowlist: () => buildAllowlist,
   buildAuthCookies: () => buildAuthCookies,
   buildErrorBody: () => buildErrorBody,
+  buildFederatedLogoutHandler: () => buildFederatedLogoutHandler,
   buildKeycloakCallbacks: () => buildKeycloakCallbacks,
   buildPagination: () => buildPagination,
   buildRateLimitHeaders: () => buildRateLimitHeaders,
@@ -58,6 +60,7 @@ __export(auth_exports, {
   createAuditLogger: () => createAuditLogger,
   createBetaClient: () => createBetaClient,
   createFeatureFlags: () => createFeatureFlags,
+  createLazyRateLimitStore: () => createLazyRateLimitStore,
   createMemoryRateLimitStore: () => createMemoryRateLimitStore,
   createRedisRateLimitStore: () => createRedisRateLimitStore,
   createSafeTextSchema: () => createSafeTextSchema,
@@ -72,6 +75,7 @@ __export(auth_exports, {
   extractClientIp: () => extractClientIp,
   fetchBetaSettings: () => fetchBetaSettings,
   getBoolEnv: () => getBoolEnv,
+  getClientIp: () => getClientIp,
   getCorrelationId: () => getCorrelationId,
   getEndSessionEndpoint: () => getEndSessionEndpoint,
   getEnvSummary: () => getEnvSummary,
@@ -89,15 +93,18 @@ __export(auth_exports, {
   isTokenExpired: () => isTokenExpired,
   isValidBearerToken: () => isValidBearerToken,
   parseKeycloakRoles: () => parseKeycloakRoles,
+  rateLimitResponse: () => rateLimitResponse,
   refreshKeycloakToken: () => refreshKeycloakToken,
   resetRateLimitForKey: () => resetRateLimitForKey,
   resolveIdentifier: () => resolveIdentifier,
   resolveRateLimitIdentifier: () => resolveRateLimitIdentifier,
+  safeValidate: () => safeValidate,
   sanitizeApiError: () => sanitizeApiError,
   storeBetaCode: () => storeBetaCode,
   stripHtml: () => stripHtml,
   validateBetaCode: () => validateBetaCode,
   validateEnvVars: () => validateEnvVars,
+  verifyCronAuth: () => verifyCronAuth,
   zodErrorResponse: () => zodErrorResponse
 });
 module.exports = __toCommonJS(auth_exports);
@@ -666,6 +673,12 @@ var CommonRateLimits = {
     limit: 10,
     windowSeconds: 3600,
     blockDurationSeconds: 3600
+  },
+  /** Beta code validation: 5/min with 5min block (prevents brute force guessing) */
+  betaValidation: {
+    limit: 5,
+    windowSeconds: 60,
+    blockDurationSeconds: 300
   }
 };
 function createMemoryRateLimitStore() {
@@ -1209,6 +1222,71 @@ function isValidBearerToken(request, secret) {
   if (!token) return false;
   return constantTimeEqual(token, secret);
 }
+function verifyCronAuth(request, secret) {
+  const authHeader = request.headers.get("authorization");
+  if (!authHeader?.startsWith("Bearer ")) {
+    return new Response(JSON.stringify({ error: "Missing authorization" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  const token = authHeader.slice(7);
+  const expectedSecret = secret ?? process.env.CRON_SECRET;
+  if (!expectedSecret) {
+    console.error("[verifyCronAuth] CRON_SECRET not configured");
+    return new Response(
+      JSON.stringify({ error: "Server configuration error" }),
+      { status: 500, headers: { "Content-Type": "application/json" } }
+    );
+  }
+  if (!constantTimeEqual(token, expectedSecret)) {
+    return new Response(JSON.stringify({ error: "Invalid authorization" }), {
+      status: 401,
+      headers: { "Content-Type": "application/json" }
+    });
+  }
+  return null;
+}
+function getClientIp(request) {
+  return request.headers.get("cf-connecting-ip") || request.headers.get("x-real-ip") || request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+}
+function rateLimitResponse(result) {
+  const retryAfter = Math.ceil(result.resetMs / 1e3);
+  const resetTimestamp = Math.ceil(Date.now() / 1e3 + result.resetMs / 1e3);
+  return new Response(
+    JSON.stringify({ error: "Too many requests", retryAfter }),
+    {
+      status: 429,
+      headers: {
+        "Content-Type": "application/json",
+        "X-RateLimit-Limit": String(result.limit),
+        "X-RateLimit-Remaining": "0",
+        "X-RateLimit-Reset": String(resetTimestamp),
+        "Retry-After": String(retryAfter)
+      }
+    }
+  );
+}
+function addRateLimitHeaders(response, result) {
+  const resetTimestamp = Math.ceil(Date.now() / 1e3 + result.resetMs / 1e3);
+  response.headers.set("X-RateLimit-Limit", String(result.limit));
+  response.headers.set("X-RateLimit-Remaining", String(result.remaining));
+  response.headers.set("X-RateLimit-Reset", String(resetTimestamp));
+  return response;
+}
+function safeValidate(schema, data) {
+  const result = schema.safeParse(data);
+  if (result.success) {
+    return { success: true, data: result.data };
+  }
+  return {
+    success: false,
+    errors: (result.error?.issues || []).map((issue) => ({
+      field: issue.path.join("."),
+      message: issue.message
+    }))
+  };
+}
 // src/auth/beta-client.ts
 var DEFAULT_CONFIG = {
@@ -1317,6 +1395,172 @@ function clearStoredBetaCode(config = {}) {
   }
 }
+// src/auth/federated-logout.ts
+function expireCookie(name, options) {
+  const parts = [
+    `${name}=`,
+    "Path=/",
+    "Expires=Thu, 01 Jan 1970 00:00:00 GMT",
+    "Max-Age=0",
+    "SameSite=Lax"
+  ];
+  if (options?.hostPrefix) {
+    parts.push("Secure");
+  } else {
+    parts.push("HttpOnly");
+    if (options?.domain) parts.push(`Domain=${options.domain}`);
+    if (options?.secure) parts.push("Secure");
+  }
+  return parts.join("; ");
+}
+function isAllowedCallbackUrl(url, baseUrl) {
+  if (url.startsWith("/") && !url.startsWith("//")) return true;
+  try {
+    const parsed = new URL(url);
+    const base = new URL(baseUrl);
+    const allowedHosts = [base.hostname, `www.${base.hostname}`];
+    if (base.hostname.startsWith("www.")) {
+      allowedHosts.push(base.hostname.slice(4));
+    }
+    return allowedHosts.includes(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+var AUTH_COOKIE_NAMES = [
+  "authjs.session-token",
+  "__Secure-authjs.session-token",
+  "authjs.callback-url",
+  "__Secure-authjs.callback-url",
+  "authjs.csrf-token",
+  "__Secure-authjs.csrf-token",
+  "authjs.pkce.code_verifier",
+  "__Secure-authjs.pkce.code_verifier",
+  "authjs.state",
+  "__Secure-authjs.state",
+  // Legacy next-auth names
+  "next-auth.session-token",
+  "__Secure-next-auth.session-token",
+  "next-auth.callback-url",
+  "__Secure-next-auth.callback-url",
+  "next-auth.csrf-token",
+  "__Secure-next-auth.csrf-token"
+];
+var HOST_COOKIES = [
+  "__Host-authjs.csrf-token",
+  "__Host-next-auth.csrf-token"
+];
+function buildFederatedLogoutHandler(config) {
+  const { auth, domain, baseUrlFallback, extraCookies = [], onError } = config;
+  return async function GET(request) {
+    const session = await auth();
+    const url = new URL(request.url);
+    const rawCallbackUrl = url.searchParams.get("callbackUrl") || "/";
+    const queryIdToken = url.searchParams.get("id_token_hint");
+    const baseUrl = process.env.NEXTAUTH_URL || process.env.AUTH_URL || baseUrlFallback;
+    const callbackUrl = isAllowedCallbackUrl(rawCallbackUrl, baseUrl) ? rawCallbackUrl : "/";
+    const postLogoutRedirectUri = callbackUrl.startsWith("http") ? callbackUrl : `${baseUrl}${callbackUrl}`;
+    const keycloakIssuer = process.env.AUTH_KEYCLOAK_ISSUER;
+    if (!keycloakIssuer) {
+      onError?.("Missing AUTH_KEYCLOAK_ISSUER");
+      return Response.redirect(
+        new URL(
+          "/api/auth/signout?callbackUrl=" + encodeURIComponent(callbackUrl),
+          request.url
+        ).toString()
+      );
+    }
+    const refreshToken = session?.refreshToken;
+    if (refreshToken) {
+      try {
+        const revokeUrl = `${keycloakIssuer}/protocol/openid-connect/revoke`;
+        const clientId2 = process.env.AUTH_KEYCLOAK_ID;
+        const clientSecret = process.env.AUTH_KEYCLOAK_SECRET;
+        await fetch(revokeUrl, {
+          method: "POST",
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          body: new URLSearchParams({
+            token: refreshToken,
+            token_type_hint: "refresh_token",
+            ...clientId2 && { client_id: clientId2 },
+            ...clientSecret && { client_secret: clientSecret }
+          })
+        });
+      } catch (err) {
+        onError?.("Token revocation failed", err);
+      }
+    }
+    const keycloakLogoutUrl = new URL(
+      `${keycloakIssuer}/protocol/openid-connect/logout`
+    );
+    keycloakLogoutUrl.searchParams.set(
+      "post_logout_redirect_uri",
+      postLogoutRedirectUri
+    );
+    const clientId = process.env.AUTH_KEYCLOAK_ID;
+    if (clientId) keycloakLogoutUrl.searchParams.set("client_id", clientId);
+    const idToken = session?.idToken || queryIdToken;
+    if (idToken) keycloakLogoutUrl.searchParams.set("id_token_hint", idToken);
+    const escapedUrl = keycloakLogoutUrl.toString().replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+    const html = `<!DOCTYPE html>
+<html><head>
+<meta charset="utf-8">
+<meta http-equiv="refresh" content="0;url=${escapedUrl}">
+<title>Signing out...</title>
+<style>body{display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;font-family:system-ui,sans-serif;background:#0a0a0a;color:#fff}p{font-size:1.1rem;opacity:0.7}</style>
+</head><body>
+<p>Signing out&hellip;</p>
+<script>window.location.replace(${JSON.stringify(keycloakLogoutUrl.toString()).replace(/</g, "\\u003c")});</script>
+</body></html>`;
+    const response = new Response(html, {
+      status: 200,
+      headers: {
+        "Content-Type": "text/html; charset=utf-8",
+        "Cache-Control": "no-store, no-cache, must-revalidate",
+        Pragma: "no-cache"
+      }
+    });
+    const isProduction = process.env.NODE_ENV === "production";
+    const isSecure = isProduction;
+    const allCookieNames = [...AUTH_COOKIE_NAMES, ...extraCookies];
+    for (const name of allCookieNames) {
+      const needsSecure = isSecure || name.startsWith("__Secure-");
+      response.headers.append(
+        "Set-Cookie",
+        expireCookie(name, { secure: needsSecure })
+      );
+      if (isProduction) {
+        response.headers.append(
+          "Set-Cookie",
+          expireCookie(name, { domain, secure: needsSecure })
+        );
+      }
+    }
+    for (const name of HOST_COOKIES) {
+      response.headers.append(
+        "Set-Cookie",
+        expireCookie(name, { hostPrefix: true })
+      );
+    }
+    return response;
+  };
+}
+// src/auth/lazy-rate-limit-store.ts
+function createLazyRateLimitStore(getRedis, options = {}) {
+  const { keyPrefix = "rl:" } = options;
+  let store;
+  let initialized = false;
+  return function getRateLimitStore() {
+    if (initialized) return store;
+    initialized = true;
+    const redis = getRedis();
+    if (!redis) return void 0;
+    store = createRedisRateLimitStore(redis, { keyPrefix });
+    return store;
+  };
+}
 // src/env.ts
 function getRequiredEnv(key) {
   const value = process.env[key];
@@ -1427,9 +1671,11 @@ function getEnvSummary(keys) {
   StandardAuditActions,
   StandardRateLimitPresets,
   WrapperPresets,
+  addRateLimitHeaders,
   buildAllowlist,
   buildAuthCookies,
   buildErrorBody,
+  buildFederatedLogoutHandler,
   buildKeycloakCallbacks,
   buildPagination,
   buildRateLimitHeaders,
@@ -1447,6 +1693,7 @@ function getEnvSummary(keys) {
   createAuditLogger,
   createBetaClient,
   createFeatureFlags,
+  createLazyRateLimitStore,
   createMemoryRateLimitStore,
   createRedisRateLimitStore,
   createSafeTextSchema,
@@ -1461,6 +1708,7 @@ function getEnvSummary(keys) {
   extractClientIp,
   fetchBetaSettings,
   getBoolEnv,
+  getClientIp,
   getCorrelationId,
   getEndSessionEndpoint,
   getEnvSummary,
@@ -1478,15 +1726,18 @@ function getEnvSummary(keys) {
   isTokenExpired,
   isValidBearerToken,
   parseKeycloakRoles,
+  rateLimitResponse,
   refreshKeycloakToken,
   resetRateLimitForKey,
   resolveIdentifier,
   resolveRateLimitIdentifier,
+  safeValidate,
   sanitizeApiError,
   storeBetaCode,
   stripHtml,
   validateBetaCode,
   validateEnvVars,
+  verifyCronAuth,
   zodErrorResponse
 });
 //# sourceMappingURL=auth.js.map