npm - @djangocfg/monitor - Versions diffs - 2.1.427 → 2.1.429 - Mend

@djangocfg/monitor 2.1.427 → 2.1.429

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/README.md +9 -0
package/dist/client.cjs +103 -2
package/dist/client.cjs.map +1 -1
package/dist/client.mjs +103 -2
package/dist/client.mjs.map +1 -1
package/dist/index.cjs +102 -1
package/dist/index.cjs.map +1 -1
package/dist/index.mjs +102 -1
package/dist/index.mjs.map +1 -1
package/dist/server.cjs +102 -1
package/dist/server.cjs.map +1 -1
package/dist/server.mjs +102 -1
package/dist/server.mjs.map +1 -1
package/package.json +2 -2
package/src/_api/generated/client/index.ts +1 -0
package/src/_api/generated/client/utils.gen.ts +2 -2
package/src/_api/generated/client.gen.ts +2 -2
package/src/_api/generated/core/auth.gen.ts +7 -0
package/src/_api/generated/core/params.gen.ts +10 -8
package/src/_api/generated/core/pathSerializer.gen.ts +6 -6
package/src/_api/generated/core/queryKeySerializer.gen.ts +1 -1
package/src/_api/generated/core/utils.gen.ts +4 -4
package/src/_api/generated/helpers/auth.ts +127 -1
package/src/_api/generated/sdk.gen.ts +2 -2

package/README.md CHANGED Viewed

@@ -171,6 +171,15 @@ pnpm add @djangocfg/debuger
 Events captured by monitor (JS errors, console, network) appear in the panel as `monitor:JS_ERROR`, `monitor:NETWORK_ERROR`, etc.
+## Relationship to console log level
+`@djangocfg/*` packages share a runtime console verbosity controlled by
+`applyRoleLogPolicy` / `setLogLevel` from `@djangocfg/api` — quiet for regular
+users in production, verbose for admins/devs. **Monitor capture is independent of
+that level**: errors (and configured console events) are still captured and sent
+to the backend / debug panel even when the browser console is silenced. So
+production incidents stay diagnosable without spamming end-user consoles.
 ## Safety
 Transport errors are **always swallowed** — monitor never crashes your app and never sends its own errors to itself. If the backend is unreachable, events are silently dropped.

package/dist/client.cjs CHANGED Viewed

@@ -391,6 +391,99 @@ async function tryRefresh() {
   return _refreshInflight;
 }
 __name(tryRefresh, "tryRefresh");
+function dpopEnabled() {
+  try {
+    return typeof process !== "undefined" && process.env?.NEXT_PUBLIC_DPOP_ENABLED === "true";
+  } catch {
+    return false;
+  }
+}
+__name(dpopEnabled, "dpopEnabled");
+var _DPOP_DB = "cfg-auth";
+var _DPOP_STORE = "keys";
+var _DPOP_KEY_ID = "dpop-ec-p256";
+function _idbOpen() {
+  return new Promise((resolve, reject) => {
+    const req = indexedDB.open(_DPOP_DB, 1);
+    req.onupgradeneeded = () => req.result.createObjectStore(_DPOP_STORE);
+    req.onsuccess = () => resolve(req.result);
+    req.onerror = () => reject(req.error);
+  });
+}
+__name(_idbOpen, "_idbOpen");
+function _idbGet(key) {
+  return _idbOpen().then((db) => new Promise((resolve, reject) => {
+    const tx = db.transaction(_DPOP_STORE, "readonly");
+    const req = tx.objectStore(_DPOP_STORE).get(key);
+    req.onsuccess = () => resolve(req.result);
+    req.onerror = () => reject(req.error);
+  }));
+}
+__name(_idbGet, "_idbGet");
+function _idbPut(key, value) {
+  return _idbOpen().then((db) => new Promise((resolve, reject) => {
+    const tx = db.transaction(_DPOP_STORE, "readwrite");
+    tx.objectStore(_DPOP_STORE).put(value, key);
+    tx.oncomplete = () => resolve();
+    tx.onerror = () => reject(tx.error);
+  }));
+}
+__name(_idbPut, "_idbPut");
+var _dpopKeyPromise = null;
+function _getDpopKeyPair() {
+  if (_dpopKeyPromise) return _dpopKeyPromise;
+  _dpopKeyPromise = (async () => {
+    const existing = await _idbGet(_DPOP_KEY_ID).catch(() => void 0);
+    if (existing) return existing;
+    const pair = await crypto.subtle.generateKey(
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      // extractable:false — JS can sign but never export the private key
+      ["sign"]
+    );
+    await _idbPut(_DPOP_KEY_ID, pair).catch(() => {
+    });
+    return pair;
+  })();
+  return _dpopKeyPromise;
+}
+__name(_getDpopKeyPair, "_getDpopKeyPair");
+function _b64urlFromBytes(bytes) {
+  const arr = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
+  let s = "";
+  for (let i = 0; i < arr.length; i++) s += String.fromCharCode(arr[i]);
+  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+__name(_b64urlFromBytes, "_b64urlFromBytes");
+function _b64urlFromString(str) {
+  return _b64urlFromBytes(new TextEncoder().encode(str));
+}
+__name(_b64urlFromString, "_b64urlFromString");
+async function _publicJwk(pub) {
+  const jwk = await crypto.subtle.exportKey("jwk", pub);
+  return { kty: "EC", crv: "P-256", x: jwk.x, y: jwk.y };
+}
+__name(_publicJwk, "_publicJwk");
+async function _makeDpopProof(method, url) {
+  try {
+    const pair = await _getDpopKeyPair();
+    const jwk = await _publicJwk(pair.publicKey);
+    const header = { typ: "dpop+jwt", alg: "ES256", jwk };
+    const htu = url.split("#")[0].split("?")[0];
+    const jti = crypto.randomUUID && crypto.randomUUID() || _b64urlFromBytes(crypto.getRandomValues(new Uint8Array(16)));
+    const payload = { htm: method.toUpperCase(), htu, iat: Math.floor(Date.now() / 1e3), jti };
+    const signingInput = `${_b64urlFromString(JSON.stringify(header))}.${_b64urlFromString(JSON.stringify(payload))}`;
+    const sig = await crypto.subtle.sign(
+      { name: "ECDSA", hash: "SHA-256" },
+      pair.privateKey,
+      new TextEncoder().encode(signingInput)
+    );
+    return `${signingInput}.${_b64urlFromBytes(sig)}`;
+  } catch {
+    return null;
+  }
+}
+__name(_makeDpopProof, "_makeDpopProof");
 function installAuthOnClient(client2) {
   if (_client) return;
   _client = client2;
@@ -398,7 +491,7 @@ function installAuthOnClient(client2) {
     baseUrl: auth.getBaseUrl(),
     credentials: _withCredentials ? "include" : "same-origin"
   });
-  client2.interceptors.request.use((request) => {
+  client2.interceptors.request.use(async (request) => {
     const token = auth.getToken();
     if (token) request.headers.set("Authorization", `Bearer ${token}`);
     const locale = auth.getLocale();
@@ -411,6 +504,10 @@ function installAuthOnClient(client2) {
     } catch {
     }
     request.headers.set("X-Client-Time", (/* @__PURE__ */ new Date()).toISOString());
+    if (dpopEnabled() && typeof window !== "undefined") {
+      const proof = await _makeDpopProof(request.method, request.url);
+      if (proof) request.headers.set("DPoP", proof);
+    }
     return request;
   });
   client2.interceptors.error.use((err, res, req) => {
@@ -444,6 +541,10 @@ function installAuthOnClient(client2) {
     const retry = request.clone();
     retry.headers.set("Authorization", `Bearer ${newToken}`);
     retry.headers.set(RETRY_MARKER, "1");
+    if (dpopEnabled() && typeof window !== "undefined") {
+      const proof = await _makeDpopProof(retry.method, retry.url);
+      if (proof) retry.headers.set("DPoP", proof);
+    }
     try {
       const retried = await fetch(retry);
       if (retried.status === 401 && _onUnauthorized) {
@@ -1489,7 +1590,7 @@ __name(sendBatch, "sendBatch");
 // src/client/utils/env.ts
 var isDevelopment = process.env.NODE_ENV === "development";
 var isProduction = !isDevelopment;
-var MONITOR_VERSION = "2.1.427";
+var MONITOR_VERSION = "2.1.429";
 // src/client/constants.ts
 var MONITOR_INGEST_PATTERN = /cfg\/monitor\/ingest/;