@mantiq/core 0.5.7 → 0.5.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mantiq/core",
-  "version": "0.5.7",
+  "version": "0.5.8",
   "description": "Service container, router, middleware, HTTP kernel, config, and exception handler",
   "type": "module",
   "license": "MIT",

package/src/discovery/Discoverer.ts

@@ -1,5 +1,5 @@
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs'
-import { dirname, join, relative } from 'node:path'
+import { basename, dirname, join, relative } from 'node:path'
 
 /**
  * Auto-discovers application classes by scanning conventional directories.
@@ -126,17 +126,39 @@ export class Discoverer {
   /**
    * Load and register all discovered route files.
    * Each route file should export a default function: (router) => void
+   *
+   * Routes are auto-wrapped in middleware groups by filename convention:
+   * - web.ts → router.group({ middleware: ['web'] })
+   * - api.ts → router.group({ middleware: ['api'], prefix: '/api' })
+   * - Other files (console.ts, channels.ts) → loaded as-is
    */
   async loadRoutes(manifest: DiscoveryManifest, router: any): Promise<void> {
+    const groupMap: Record<string, { prefix: string }> = {
+      web: { prefix: '' },
+      api: { prefix: '/api' },
+    }
+
     for (const file of manifest.routes) {
       const fullPath = join(this.basePath, file)
       try {
         const mod = await import(fullPath)
-        if (typeof mod.default === 'function') {
+        if (typeof mod.default !== 'function') continue
+
+        const stem = basename(file, '.ts')
+        const group = groupMap[stem]
+
+        if (group) {
+          router.group(
+            { middleware: [stem], prefix: group.prefix },
+            (r: any) => mod.default(r),
+          )
+        } else {
           mod.default(router)
         }
-      } catch {
-        // Skip unloadable routes
+      } catch (e) {
+        if (process.env.APP_DEBUG === 'true') {
+          console.warn(`[Mantiq] Failed to load route file ${file}:`, (e as Error)?.message ?? e)
+        }
       }
     }
   }

package/src/middleware/Cors.ts

@@ -19,13 +19,18 @@ export class CorsMiddleware implements Middleware {
   private config: CorsConfig
 
   constructor(configRepo?: ConfigRepository) {
+    // Smart default: use APP_URL as origin with credentials when available
+    const appUrl = configRepo?.get('app.url', '') as string
+    const defaultOrigin = appUrl || '*'
+    const defaultCredentials = !!appUrl
+
     this.config = {
-      origin: configRepo?.get('cors.origin', '*') ?? '*',
+      origin: configRepo?.get('cors.origin', defaultOrigin) ?? defaultOrigin,
       methods: configRepo?.get('cors.methods', ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS']) ?? ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
-      allowedHeaders: configRepo?.get('cors.allowedHeaders', ['Content-Type', 'Authorization', 'X-Requested-With']) ?? ['Content-Type', 'Authorization', 'X-Requested-With'],
-      exposedHeaders: configRepo?.get('cors.exposedHeaders', []) ?? [],
-      credentials: configRepo?.get('cors.credentials', false) ?? false,
-      maxAge: configRepo?.get('cors.maxAge', 0) ?? 0,
+      allowedHeaders: configRepo?.get('cors.allowedHeaders', ['Content-Type', 'Authorization', 'X-Requested-With', 'X-CSRF-TOKEN', 'X-XSRF-TOKEN', 'X-Mantiq']) ?? ['Content-Type', 'Authorization', 'X-Requested-With', 'X-CSRF-TOKEN', 'X-XSRF-TOKEN', 'X-Mantiq'],
+      exposedHeaders: configRepo?.get('cors.exposedHeaders', ['X-Heartbeat']) ?? ['X-Heartbeat'],
+      credentials: configRepo?.get('cors.credentials', defaultCredentials) ?? defaultCredentials,
+      maxAge: configRepo?.get('cors.maxAge', 7200) ?? 7200,
     }
   }
 

package/src/middleware/EncryptCookies.ts

@@ -11,7 +11,7 @@ import { parseCookies, serializeCookie } from '../http/Cookie.ts'
  */
 export class EncryptCookies implements Middleware {
   /** Cookie names that should NOT be encrypted/decrypted. */
-  protected except: string[] = []
+  protected except: string[] = ['XSRF-TOKEN']
 
   constructor(private readonly encrypter: AesEncrypter) {}
 

package/src/middleware/VerifyCsrfToken.ts

@@ -19,7 +19,7 @@ import { serializeCookie } from '../http/Cookie.ts'
  */
 export class VerifyCsrfToken implements Middleware {
   /** URIs that should be excluded from CSRF verification. */
-  protected except: string[] = ['/api/*']
+  protected except: string[] = []
 
   constructor(private readonly encrypter: AesEncrypter) {}
 
@@ -41,9 +41,6 @@ export class VerifyCsrfToken implements Middleware {
 
     const path = request.path()
 
-    // API routes are always excluded — token auth is inherently CSRF-safe
-    if (path.startsWith('/api/') || path === '/api') return false
-
     // Check user-defined exclusions
     return !this.except.some((pattern) => {
       if (pattern.endsWith('*')) {

package/src/providers/CoreServiceProvider.ts

@@ -107,11 +107,21 @@ export class CoreServiceProvider extends ServiceProvider {
     kernel.registerMiddleware('session', StartSession)
     kernel.registerMiddleware('csrf', VerifyCsrfToken)
 
-    // Set default global middleware stack (can be overridden in config/app.ts)
+    // Register middleware groups from config
     const configRepo = this.app.make(ConfigRepository)
-    const globalMiddleware = configRepo.get('app.middleware', [
-      'cors', 'encrypt.cookies', 'session', 'csrf',
-    ]) as string[]
-    kernel.setGlobalMiddleware(globalMiddleware)
+    const middlewareGroups = configRepo.get('app.middlewareGroups', {
+      web: ['cors', 'encrypt.cookies', 'session', 'csrf'],
+      api: ['cors', 'throttle'],
+    }) as Record<string, string[]>
+
+    for (const [name, middleware] of Object.entries(middlewareGroups)) {
+      kernel.registerMiddlewareGroup(name, middleware)
+    }
+
+    // Legacy: if app.middleware is set, apply as global middleware (backward compat)
+    const globalMiddleware = configRepo.get('app.middleware', []) as string[]
+    if (globalMiddleware.length > 0) {
+      kernel.setGlobalMiddleware(globalMiddleware)
+    }
   }
 }