npm - @mastra/auth-cloud - Versions diffs - 0.0.1 → 1.1.0 - Mend

@mastra/auth-cloud 0.0.1 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

package/CHANGELOG.md +63 -0
package/LICENSE.md +30 -0
package/README.md +65 -1
package/dist/auth-provider.d.ts +198 -0
package/dist/auth-provider.d.ts.map +1 -0
package/dist/client.d.ts +110 -0
package/dist/client.d.ts.map +1 -0
package/dist/error.d.ts +65 -0
package/dist/error.d.ts.map +1 -0
package/dist/index.cjs +855 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.ts +19 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +850 -0
package/dist/index.js.map +1 -0
package/dist/oauth/index.d.ts +9 -0
package/dist/oauth/index.d.ts.map +1 -0
package/dist/oauth/network.d.ts +20 -0
package/dist/oauth/network.d.ts.map +1 -0
package/dist/oauth/oauth.d.ts +68 -0
package/dist/oauth/oauth.d.ts.map +1 -0
package/dist/oauth/state.d.ts +47 -0
package/dist/oauth/state.d.ts.map +1 -0
package/dist/pkce/cookie.d.ts +42 -0
package/dist/pkce/cookie.d.ts.map +1 -0
package/dist/pkce/error.d.ts +31 -0
package/dist/pkce/error.d.ts.map +1 -0
package/dist/pkce/index.d.ts +10 -0
package/dist/pkce/index.d.ts.map +1 -0
package/dist/pkce/pkce.d.ts +26 -0
package/dist/pkce/pkce.d.ts.map +1 -0
package/dist/rbac/index.d.ts +2 -0
package/dist/rbac/index.d.ts.map +1 -0
package/dist/rbac/rbac-provider.d.ts +124 -0
package/dist/rbac/rbac-provider.d.ts.map +1 -0
package/dist/session/cookie.d.ts +32 -0
package/dist/session/cookie.d.ts.map +1 -0
package/dist/session/index.d.ts +9 -0
package/dist/session/index.d.ts.map +1 -0
package/dist/session/session.d.ts +56 -0
package/dist/session/session.d.ts.map +1 -0
package/dist/types.d.ts +64 -0
package/dist/types.d.ts.map +1 -0
package/package.json +54 -3

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,855 @@
+'use strict';
+var crypto$1 = require('crypto');
+var server = require('@mastra/core/server');
+var ee = require('@mastra/core/auth/ee');
+// src/error.ts
+var AuthError = class _AuthError extends Error {
+  code;
+  cause;
+  cloudCode;
+  cloudMessage;
+  constructor(code, message, options) {
+    super(message);
+    this.name = "AuthError";
+    this.code = code;
+    this.cause = options?.cause;
+    this.cloudCode = options?.cloudCode;
+    this.cloudMessage = options?.cloudMessage;
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+  /**
+   * Factory: OAuth state parameter is invalid or malformed.
+   */
+  static invalidState() {
+    return new _AuthError("invalid_state", "OAuth state parameter is invalid or malformed.");
+  }
+  /**
+   * Factory: OAuth state parameter does not match expected value.
+   */
+  static stateMismatch() {
+    return new _AuthError("state_mismatch", "OAuth state parameter does not match. Possible CSRF attack.");
+  }
+  /**
+   * Factory: Authorization code is missing from callback.
+   */
+  static missingCode() {
+    return new _AuthError("missing_code", "Authorization code is missing from OAuth callback.");
+  }
+  /**
+   * Factory: Token exchange with Cloud API failed.
+   */
+  static tokenExchangeFailed(options) {
+    return new _AuthError("token_exchange_failed", "Failed to exchange authorization code for tokens.", options);
+  }
+  /**
+   * Factory: Token verification failed.
+   */
+  static verificationFailed() {
+    return new _AuthError("verification_failed", "Token verification failed.");
+  }
+  /**
+   * Factory: Session is invalid.
+   */
+  static sessionInvalid() {
+    return new _AuthError("session_invalid", "Session is invalid or has been revoked.");
+  }
+  /**
+   * Factory: Session has expired.
+   */
+  static sessionExpired() {
+    return new _AuthError("session_expired", "Session has expired. Please log in again.");
+  }
+  /**
+   * Factory: Network error during API call.
+   */
+  static networkError(cause) {
+    return new _AuthError("network_error", "Network error occurred while communicating with Cloud API.", { cause });
+  }
+  /**
+   * Factory: Cloud API returned an error.
+   */
+  static cloudApiError(options) {
+    const message = options?.cloudMessage ?? "Cloud API returned an error.";
+    return new _AuthError("cloud_api_error", message, options);
+  }
+};
+// src/oauth/state.ts
+function encodeState(csrf, returnTo) {
+  const data = { csrf, returnTo };
+  const json = JSON.stringify(data);
+  return Buffer.from(json).toString("base64url");
+}
+function decodeState(state) {
+  try {
+    const json = Buffer.from(state, "base64url").toString();
+    const data = JSON.parse(json);
+    if (typeof data.csrf !== "string" || typeof data.returnTo !== "string") {
+      throw new Error("Missing required fields");
+    }
+    return data;
+  } catch {
+    throw AuthError.invalidState();
+  }
+}
+function validateReturnTo(returnTo, requestOrigin) {
+  if (!returnTo) {
+    return "/";
+  }
+  if (returnTo.startsWith("/") && !returnTo.startsWith("//")) {
+    return returnTo;
+  }
+  try {
+    const parsed = new URL(returnTo);
+    const origin = new URL(requestOrigin);
+    if (parsed.origin === origin.origin) {
+      return returnTo;
+    }
+  } catch {
+  }
+  return "/";
+}
+// src/oauth/network.ts
+async function fetchWithRetry(url, options) {
+  try {
+    return await fetch(url, options);
+  } catch {
+    try {
+      return await fetch(url, options);
+    } catch (retryError) {
+      throw AuthError.networkError(retryError instanceof Error ? retryError : void 0);
+    }
+  }
+}
+// src/pkce/error.ts
+var PKCEError = class _PKCEError extends Error {
+  code;
+  cause;
+  constructor(code, message, cause) {
+    super(message);
+    this.name = "PKCEError";
+    this.code = code;
+    this.cause = cause;
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+  /**
+   * Factory: PKCE verifier cookie not found.
+   */
+  static missingVerifier() {
+    return new _PKCEError(
+      "MISSING_VERIFIER",
+      "PKCE verifier cookie not found. Authorization flow may have expired or was not initiated properly."
+    );
+  }
+  /**
+   * Factory: PKCE verifier has expired.
+   */
+  static expired() {
+    return new _PKCEError("EXPIRED", "PKCE verifier has expired. Please restart the authorization flow.");
+  }
+  /**
+   * Factory: PKCE verifier cookie is malformed.
+   */
+  static invalid(cause) {
+    return new _PKCEError("INVALID", "PKCE verifier cookie is malformed or invalid.", cause);
+  }
+};
+// src/pkce/cookie.ts
+var PKCE_COOKIE_NAME = "mastra_pkce_verifier";
+function setPKCECookie(verifier, state, isProduction) {
+  const ttlSeconds = 5 * 60;
+  const data = {
+    verifier,
+    state,
+    expiresAt: Date.now() + ttlSeconds * 1e3
+  };
+  const encoded = encodeURIComponent(JSON.stringify(data));
+  let cookie = `${PKCE_COOKIE_NAME}=${encoded}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${ttlSeconds}`;
+  if (isProduction) {
+    cookie += "; Secure";
+  }
+  return cookie;
+}
+function parsePKCECookie(cookieHeader) {
+  if (!cookieHeader) {
+    throw PKCEError.missingVerifier();
+  }
+  const match = cookieHeader.match(new RegExp(`${PKCE_COOKIE_NAME}=([^;]+)`));
+  if (!match?.[1]) {
+    throw PKCEError.missingVerifier();
+  }
+  let data;
+  try {
+    data = JSON.parse(decodeURIComponent(match[1]));
+  } catch (e) {
+    throw PKCEError.invalid(e instanceof Error ? e : void 0);
+  }
+  if (data.expiresAt < Date.now()) {
+    throw PKCEError.expired();
+  }
+  return data;
+}
+function clearPKCECookie() {
+  return `${PKCE_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;
+}
+function generateCodeVerifier() {
+  return crypto$1.randomBytes(32).toString("base64url");
+}
+function computeCodeChallenge(verifier) {
+  return crypto$1.createHash("sha256").update(verifier).digest("base64url");
+}
+function generateState() {
+  return crypto$1.randomBytes(16).toString("base64url");
+}
+// src/oauth/oauth.ts
+function getLoginUrl(options) {
+  const { projectId, cloudBaseUrl, callbackUrl, returnTo, requestOrigin, isProduction } = options;
+  const verifier = generateCodeVerifier();
+  const challenge = computeCodeChallenge(verifier);
+  const csrf = generateState();
+  const validatedReturnTo = validateReturnTo(returnTo, requestOrigin);
+  const state = encodeState(csrf, validatedReturnTo);
+  const url = new URL("/auth/oss", cloudBaseUrl);
+  url.searchParams.set("project_id", projectId);
+  url.searchParams.set("code_challenge", challenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("redirect_uri", callbackUrl);
+  url.searchParams.set("state", state);
+  const isProductionEnv = isProduction ?? process.env.NODE_ENV === "production";
+  const pkceCookie = setPKCECookie(verifier, csrf, isProductionEnv);
+  return {
+    url: url.toString(),
+    cookies: [pkceCookie]
+  };
+}
+async function handleCallback(options) {
+  const { projectId, cloudBaseUrl, redirectUri, code, state, cookieHeader } = options;
+  const pkceData = parsePKCECookie(cookieHeader);
+  const stateData = decodeState(state);
+  if (stateData.csrf !== pkceData.state) {
+    throw AuthError.stateMismatch();
+  }
+  const response = await fetchWithRetry(`${cloudBaseUrl}/auth/callback`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "X-Project-ID": projectId
+    },
+    body: JSON.stringify({
+      code,
+      redirect_uri: redirectUri,
+      code_verifier: pkceData.verifier
+    })
+  });
+  if (!response.ok) {
+    let cloudCode;
+    let cloudMessage;
+    try {
+      const errorBody = await response.json();
+      cloudCode = errorBody.code;
+      cloudMessage = errorBody.message;
+    } catch {
+    }
+    throw AuthError.tokenExchangeFailed({ cloudCode, cloudMessage });
+  }
+  const body = await response.json();
+  const verifyResponse = await fetchWithRetry(`${cloudBaseUrl}/auth/verify`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${body.access_token}`,
+      "X-Project-ID": projectId
+    }
+  });
+  if (!verifyResponse.ok) {
+    throw AuthError.verificationFailed();
+  }
+  const verifyBody = await verifyResponse.json();
+  const clearCookie = clearPKCECookie();
+  return {
+    user: {
+      id: verifyBody.sub,
+      email: verifyBody.email,
+      name: verifyBody.name,
+      avatar: verifyBody.avatar_url,
+      role: verifyBody.role
+    },
+    accessToken: body.access_token,
+    returnTo: stateData.returnTo,
+    cookies: [clearCookie]
+  };
+}
+// src/session/cookie.ts
+var SESSION_COOKIE_NAME = "mastra_cloud_session";
+function setSessionCookie(token, isProduction) {
+  const ttlSeconds = 24 * 60 * 60;
+  let cookie = `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${ttlSeconds}`;
+  if (isProduction) {
+    cookie += "; Secure";
+  }
+  return cookie;
+}
+function parseSessionCookie(cookieHeader) {
+  if (!cookieHeader) {
+    return null;
+  }
+  const match = cookieHeader.match(new RegExp(`${SESSION_COOKIE_NAME}=([^;]+)`));
+  return match?.[1] ?? null;
+}
+function clearSessionCookie() {
+  return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`;
+}
+// src/session/session.ts
+async function verifyToken(options) {
+  const { projectId, cloudBaseUrl, token } = options;
+  const response = await fetchWithRetry(`${cloudBaseUrl}/auth/verify`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${token}`,
+      "X-Project-ID": projectId
+    }
+  });
+  if (!response.ok) {
+    throw AuthError.verificationFailed();
+  }
+  const body = await response.json();
+  if (body.token_type === "project_api_token") {
+    return {
+      user: {
+        id: "api-token",
+        email: void 0,
+        name: void 0,
+        avatar: void 0
+      },
+      role: body.role
+    };
+  }
+  return {
+    user: {
+      id: body.sub,
+      email: body.email,
+      name: body.name,
+      avatar: body.avatar_url
+    },
+    role: body.role
+  };
+}
+async function validateSession(options) {
+  const { projectId, cloudBaseUrl, sessionToken } = options;
+  try {
+    const response = await fetchWithRetry(`${cloudBaseUrl}/auth/session/validate`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${sessionToken}`,
+        "X-Project-ID": projectId
+      }
+    });
+    if (!response.ok) {
+      return null;
+    }
+    return await response.json();
+  } catch {
+    return null;
+  }
+}
+async function destroySession(options) {
+  const { cloudBaseUrl, sessionToken } = options;
+  await fetchWithRetry(`${cloudBaseUrl}/auth/session/destroy`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${sessionToken}`
+    }
+  });
+}
+function getLogoutUrl(cloudBaseUrl, postLogoutRedirectUri, idTokenHint) {
+  const url = new URL("/auth/logout", cloudBaseUrl);
+  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
+  url.searchParams.set("id_token_hint", idTokenHint);
+  return url.toString();
+}
+// src/client.ts
+var MastraCloudAuth = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  /**
+   * Generate login URL for OAuth authorization.
+   *
+   * @param options - Login options
+   * @returns URL to redirect to and cookies to set
+   */
+  getLoginUrl(options) {
+    return getLoginUrl({
+      projectId: this.config.projectId,
+      cloudBaseUrl: this.config.cloudBaseUrl,
+      callbackUrl: this.config.callbackUrl,
+      returnTo: options.returnTo,
+      requestOrigin: options.requestOrigin,
+      isProduction: this.config.isProduction
+    });
+  }
+  /**
+   * Handle OAuth callback after authorization.
+   *
+   * @param options - Callback parameters
+   * @returns User info, tokens, and redirect URL
+   */
+  handleCallback(options) {
+    return handleCallback({
+      projectId: this.config.projectId,
+      cloudBaseUrl: this.config.cloudBaseUrl,
+      redirectUri: this.config.callbackUrl,
+      ...options
+    });
+  }
+  /**
+   * Verify an access token.
+   *
+   * @param token - Access token to verify
+   * @returns User and role information
+   */
+  verifyToken(token) {
+    return verifyToken({ projectId: this.config.projectId, cloudBaseUrl: this.config.cloudBaseUrl, token });
+  }
+  /**
+   * Validate an existing session.
+   *
+   * @param sessionToken - Session token to validate
+   * @returns Session data if valid, null otherwise
+   */
+  validateSession(sessionToken) {
+    return validateSession({ projectId: this.config.projectId, cloudBaseUrl: this.config.cloudBaseUrl, sessionToken });
+  }
+  /**
+   * Destroy a session (server-side logout).
+   *
+   * @param sessionToken - Session token to destroy
+   */
+  destroySession(sessionToken) {
+    return destroySession({ cloudBaseUrl: this.config.cloudBaseUrl, sessionToken });
+  }
+  /**
+   * Get the logout URL for client-side redirect.
+   *
+   * @param postLogoutRedirectUri - URL to redirect to after logout
+   * @param idTokenHint - The access token
+   * @returns Full logout URL with redirect and token parameters
+   */
+  getLogoutUrl(postLogoutRedirectUri, idTokenHint) {
+    return getLogoutUrl(this.config.cloudBaseUrl, postLogoutRedirectUri, idTokenHint);
+  }
+  /**
+   * Create Set-Cookie header value for session token.
+   *
+   * @param token - Session token to store
+   * @returns Set-Cookie header value
+   */
+  setSessionCookie(token) {
+    return setSessionCookie(token, this.config.isProduction ?? process.env.NODE_ENV === "production");
+  }
+  /**
+   * Create Set-Cookie header value to clear session cookie.
+   *
+   * @returns Set-Cookie header value
+   */
+  clearSessionCookie() {
+    return clearSessionCookie();
+  }
+};
+var MastraCloudAuthProvider = class extends server.MastraAuthProvider {
+  client;
+  /** Marker for EE license exemption - MastraCloudAuth is exempt */
+  isMastraCloudAuth = true;
+  /**
+   * Cookie header for handleCallback PKCE validation.
+   * Set via setCallbackCookieHeader() before handleCallback() is called.
+   * @internal
+   */
+  _lastCallbackCookieHeader = null;
+  constructor(options) {
+    super({ name: options?.name ?? "cloud" });
+    this.client = new MastraCloudAuth({
+      projectId: options.projectId,
+      cloudBaseUrl: options.cloudBaseUrl,
+      callbackUrl: options.callbackUrl,
+      isProduction: options.isProduction
+    });
+    this.registerOptions(options);
+  }
+  /**
+   * Set cookie header for handleCallback PKCE validation.
+   * Must be called before handleCallback() to pass cookie header.
+   *
+   * @param cookieHeader - Cookie header from original request
+   */
+  setCallbackCookieHeader(cookieHeader) {
+    this._lastCallbackCookieHeader = cookieHeader;
+  }
+  // ============================================================================
+  // MastraAuthProvider Implementation
+  // ============================================================================
+  /**
+   * Authenticate a bearer token or session cookie.
+   *
+   * Checks session cookie first, falls back to bearer token for API clients.
+   *
+   * @param token - Bearer token (from Authorization header)
+   * @param request - Hono or raw Request
+   * @returns Authenticated user with role, or null if invalid
+   */
+  async authenticateToken(token, request) {
+    try {
+      const rawRequest = "raw" in request ? request.raw : request;
+      const cookieHeader = rawRequest.headers.get("cookie");
+      const sessionToken = parseSessionCookie(cookieHeader);
+      if (sessionToken) {
+        const { user, role } = await this.client.verifyToken(sessionToken);
+        return { ...user, role };
+      }
+      if (token) {
+        const { user, role } = await this.client.verifyToken(token);
+        return { ...user, role };
+      }
+      return null;
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Authorize a user for access.
+   *
+   * Simple validation - detailed permission checking happens in server
+   * middleware via checkRoutePermission(), not authorizeUser().
+   *
+   * @param user - Authenticated user
+   * @returns True if user has valid id
+   */
+  authorizeUser(user) {
+    return !!user?.id;
+  }
+  // ============================================================================
+  // ISSOProvider Implementation
+  // ============================================================================
+  /**
+   * Cached login result for getLoginCookies() to retrieve cookies.
+   * @internal
+   */
+  _lastLoginResult = null;
+  /**
+   * Get URL to redirect user to for SSO login.
+   *
+   * @param redirectUri - Callback URL after authentication
+   * @param state - State parameter (format: uuid|encodedPostLoginRedirect)
+   * @returns Full authorization URL
+   */
+  getLoginUrl(redirectUri, state) {
+    let postLoginRedirect = "/";
+    if (state && state.includes("|")) {
+      const parts = state.split("|", 2);
+      const encodedRedirect = parts[1];
+      if (encodedRedirect) {
+        try {
+          postLoginRedirect = decodeURIComponent(encodedRedirect);
+        } catch {
+          postLoginRedirect = "/";
+        }
+      }
+    }
+    const redirectUrl = new URL(redirectUri);
+    const origin = redirectUrl.origin;
+    const result = this.client.getLoginUrl({
+      returnTo: postLoginRedirect,
+      requestOrigin: origin
+    });
+    this._lastLoginResult = result;
+    return result.url;
+  }
+  /**
+   * Get cookies to set during login redirect (PKCE verifier).
+   * Must be called after getLoginUrl() in same request.
+   *
+   * @returns Array of Set-Cookie header values
+   */
+  getLoginCookies() {
+    const cookies = this._lastLoginResult?.cookies;
+    this._lastLoginResult = null;
+    return cookies;
+  }
+  /**
+   * Handle OAuth callback, exchange code for tokens and user.
+   *
+   * @param code - Authorization code from callback
+   * @param state - State parameter for CSRF validation
+   * @returns User, tokens, and session cookies
+   */
+  async handleCallback(code, state) {
+    const cookieHeader = this._lastCallbackCookieHeader;
+    this._lastCallbackCookieHeader = null;
+    const result = await this.client.handleCallback({
+      code,
+      state,
+      cookieHeader
+    });
+    const sessionCookie = this.client.setSessionCookie(result.accessToken);
+    return {
+      user: result.user,
+      // Already has role from handleCallback
+      tokens: {
+        accessToken: result.accessToken
+      },
+      cookies: [...result.cookies, sessionCookie]
+    };
+  }
+  /**
+   * Get configuration for rendering login button in UI.
+   *
+   * @returns Login button configuration
+   */
+  getLoginButtonConfig() {
+    return {
+      provider: "mastra",
+      text: "Sign in with Mastra Cloud"
+    };
+  }
+  /**
+   * Get logout URL for client-side redirect.
+   * Requires the request to extract the session token for id_token_hint.
+   *
+   * @param redirectUri - URL to redirect to after logout
+   * @param request - Request to extract session token from
+   * @returns Logout URL with redirect and token parameters, or null if no session
+   */
+  getLogoutUrl(redirectUri, request) {
+    const sessionToken = request ? this.getSessionIdFromRequest(request) : null;
+    if (!sessionToken) {
+      return null;
+    }
+    return this.client.getLogoutUrl(redirectUri, sessionToken);
+  }
+  // ============================================================================
+  // ISessionProvider Implementation
+  // ============================================================================
+  /**
+   * Create a new session for a user.
+   *
+   * For Cloud auth, sessions are created via handleCallback.
+   * This method builds a Session object for interface compatibility.
+   *
+   * @param userId - User to create session for
+   * @param metadata - Optional metadata (accessToken can be passed here)
+   * @returns Session object
+   */
+  async createSession(userId, metadata) {
+    const now = /* @__PURE__ */ new Date();
+    const expiresAt = new Date(now.getTime() + 24 * 60 * 60 * 1e3);
+    return {
+      id: metadata?.accessToken ?? crypto.randomUUID(),
+      userId,
+      createdAt: now,
+      expiresAt,
+      metadata
+    };
+  }
+  /**
+   * Validate a session and return it if valid.
+   *
+   * @param sessionId - Session token to validate
+   * @returns Session object or null if invalid/expired
+   */
+  async validateSession(sessionId) {
+    const session = await this.client.validateSession(sessionId);
+    if (!session) return null;
+    return {
+      id: sessionId,
+      userId: session.userId,
+      createdAt: new Date(session.createdAt),
+      expiresAt: new Date(session.expiresAt)
+    };
+  }
+  /**
+   * Destroy a session (logout).
+   *
+   * @param sessionId - Session token to destroy
+   */
+  async destroySession(sessionId) {
+    await this.client.destroySession(sessionId);
+  }
+  /**
+   * Refresh a session, extending its expiry.
+   * Cloud handles refresh internally, so just validate.
+   *
+   * @param sessionId - Session token to refresh
+   * @returns Session object or null if invalid
+   */
+  async refreshSession(sessionId) {
+    return this.validateSession(sessionId);
+  }
+  /**
+   * Extract session ID from an incoming request.
+   *
+   * @param request - Incoming HTTP request
+   * @returns Session token or null if not present
+   */
+  getSessionIdFromRequest(request) {
+    return parseSessionCookie(request.headers.get("cookie"));
+  }
+  /**
+   * Create response headers to set session cookie.
+   *
+   * @param session - Session to encode (id is the access token)
+   * @returns Headers object with Set-Cookie
+   */
+  getSessionHeaders(session) {
+    return { "Set-Cookie": this.client.setSessionCookie(session.id) };
+  }
+  /**
+   * Create response headers to clear session (for logout).
+   *
+   * @returns Headers object to clear session cookie
+   */
+  getClearSessionHeaders() {
+    return { "Set-Cookie": this.client.clearSessionCookie() };
+  }
+  // ============================================================================
+  // IUserProvider Implementation
+  // ============================================================================
+  /**
+   * Get current user from request (session cookie).
+   *
+   * @param request - Incoming HTTP request
+   * @returns User with role or null if not authenticated
+   */
+  async getCurrentUser(request) {
+    const sessionToken = this.getSessionIdFromRequest(request);
+    if (!sessionToken) return null;
+    try {
+      const { user, role } = await this.client.verifyToken(sessionToken);
+      return { ...user, role };
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Get user by ID.
+   * Cloud API doesn't have a /users/:id endpoint.
+   *
+   * @returns Always null (not supported)
+   */
+  async getUser(_userId) {
+    return null;
+  }
+};
+var MastraRBACCloud = class {
+  options;
+  /**
+   * Expose roleMapping for middleware access.
+   * This allows the authorization middleware to resolve permissions
+   * without needing to call the async methods.
+   */
+  get roleMapping() {
+    return this.options.roleMapping;
+  }
+  /**
+   * Create a new Mastra Cloud RBAC provider.
+   *
+   * @param options - RBAC configuration options
+   */
+  constructor(options) {
+    this.options = options;
+  }
+  /**
+   * Get all roles for a user.
+   *
+   * Returns the user's role as a single-element array, or empty array if no role.
+   * Cloud uses a single-role model (role is attached via verifyToken()).
+   *
+   * @param user - Cloud user to get roles for
+   * @returns Array containing user's role, or empty array
+   */
+  async getRoles(user) {
+    return user.role ? [user.role] : [];
+  }
+  /**
+   * Check if a user has a specific role.
+   *
+   * @param user - Cloud user to check
+   * @param role - Role name to check for
+   * @returns True if user has the role
+   */
+  async hasRole(user, role) {
+    const roles = await this.getRoles(user);
+    return roles.includes(role);
+  }
+  /**
+   * Get all permissions for a user by mapping their role.
+   *
+   * Uses the configured roleMapping to translate the user's role
+   * into Mastra permission strings.
+   *
+   * If the user has no role, the _default permissions from the
+   * role mapping are applied.
+   *
+   * @param user - Cloud user to get permissions for
+   * @returns Array of permission strings
+   */
+  async getPermissions(user) {
+    const roles = await this.getRoles(user);
+    if (roles.length === 0) {
+      return this.options.roleMapping["_default"] ?? [];
+    }
+    return ee.resolvePermissionsFromMapping(roles, this.options.roleMapping);
+  }
+  /**
+   * Check if a user has a specific permission.
+   *
+   * Uses wildcard matching to check if the user's permissions
+   * grant access to the required permission.
+   *
+   * @param user - Cloud user to check
+   * @param permission - Permission to check for (e.g., 'agents:read')
+   * @returns True if user has the permission
+   */
+  async hasPermission(user, permission) {
+    const permissions = await this.getPermissions(user);
+    return permissions.some((p) => ee.matchesPermission(p, permission));
+  }
+  /**
+   * Check if a user has ALL of the specified permissions.
+   *
+   * @param user - Cloud user to check
+   * @param permissions - Array of permissions to check for
+   * @returns True if user has all permissions
+   */
+  async hasAllPermissions(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.every((required) => userPermissions.some((p) => ee.matchesPermission(p, required)));
+  }
+  /**
+   * Check if a user has ANY of the specified permissions.
+   *
+   * @param user - Cloud user to check
+   * @param permissions - Array of permissions to check for
+   * @returns True if user has at least one permission
+   */
+  async hasAnyPermission(user, permissions) {
+    const userPermissions = await this.getPermissions(user);
+    return permissions.some((required) => userPermissions.some((p) => ee.matchesPermission(p, required)));
+  }
+};
+exports.AuthError = AuthError;
+exports.MastraCloudAuth = MastraCloudAuth;
+exports.MastraCloudAuthProvider = MastraCloudAuthProvider;
+exports.MastraRBACCloud = MastraRBACCloud;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map