@mastra/deployer 0.16.3 → 0.16.4-alpha.0

package/CHANGELOG.md

@@ -1,5 +1,43 @@
 # @mastra/deployer
 
+## 0.16.4-alpha.0
+
+### Patch Changes
+
+- feat: add requiresAuth option for custom API routes ([#7703](https://github.com/mastra-ai/mastra/pull/7703))
+
+  Added a new `requiresAuth` option to the `ApiRoute` type that allows users to explicitly control authentication requirements for custom endpoints.
+  - By default, all custom routes require authentication (`requiresAuth: true`)
+  - Set `requiresAuth: false` to make a route publicly accessible without authentication
+  - The auth middleware now checks this configuration before applying authentication
+
+  Example usage:
+
+  ```typescript
+  const customRoutes: ApiRoute[] = [
+    {
+      path: '/api/public-endpoint',
+      method: 'GET',
+      requiresAuth: false, // No authentication required
+      handler: async c => c.json({ message: 'Public access' }),
+    },
+    {
+      path: '/api/protected-endpoint',
+      method: 'GET',
+      requiresAuth: true, // Authentication required (default)
+      handler: async c => c.json({ message: 'Protected access' }),
+    },
+  ];
+  ```
+
+  This addresses issue #7674 where custom endpoints were not being protected by the authentication system.
+
+- Playground ui -pass runtimeContext to client SDK get methods ([#7767](https://github.com/mastra-ai/mastra/pull/7767))
+
+- Updated dependencies [[`5802bf5`](https://github.com/mastra-ai/mastra/commit/5802bf57f6182e4b67c28d7d91abed349a8d14f3), [`5bda53a`](https://github.com/mastra-ai/mastra/commit/5bda53a9747bfa7d876d754fc92c83a06e503f62), [`f26a8fd`](https://github.com/mastra-ai/mastra/commit/f26a8fd99fcb0497a5d86c28324430d7f6a5fb83), [`b6688b7`](https://github.com/mastra-ai/mastra/commit/b6688b75e49a4286d612aa2098e39c6118db2d07), [`1a1fbe6`](https://github.com/mastra-ai/mastra/commit/1a1fbe66efb7d94abc373ed0dd9676adb8122454), [`36f39c0`](https://github.com/mastra-ai/mastra/commit/36f39c00dc794952dc3c11aab91c2fa8bca74b11)]:
+  - @mastra/core@0.16.4-alpha.0
+  - @mastra/server@0.16.4-alpha.0
+
 ## 0.16.3
 
 ### Patch Changes

package/dist/server/handlers/auth/helpers.d.ts

@@ -1,6 +1,7 @@
 import type { MastraAuthConfig } from '@mastra/core/server';
 import type { HonoRequest } from 'hono';
 export declare const isDevPlaygroundRequest: (req: HonoRequest) => boolean;
+export declare const isCustomRoutePublic: (path: string, method: string, customRouteAuthConfig?: Map<string, boolean>) => boolean;
 export declare const isProtectedPath: (path: string, method: string, authConfig: MastraAuthConfig) => boolean;
 export declare const canAccessPublicly: (path: string, method: string, authConfig: MastraAuthConfig) => boolean;
 export declare const pathMatchesPattern: (path: string, pattern: string) => boolean;

package/dist/server/handlers/auth/helpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../../src/server/handlers/auth/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,MAAM,CAAC;AAGxC,eAAO,MAAM,sBAAsB,GAAI,KAAK,WAAW,KAAG,OAEzD,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,MAAM,MAAM,EAAE,QAAQ,MAAM,EAAE,YAAY,gBAAgB,KAAG,OAG5F,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAAI,MAAM,MAAM,EAAE,QAAQ,MAAM,EAAE,YAAY,gBAAgB,KAAG,OAK9F,CAAC;AAiCF,eAAO,MAAM,kBAAkB,GAAI,MAAM,MAAM,EAAE,SAAS,MAAM,KAAG,OAQlE,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,MAAM,MAAM,EAAE,UAAU,MAAM,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,KAAG,OAiBhG,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAAI,QAAQ,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,MAAM,KAAG,OAU5E,CAAC;AAGF,eAAO,MAAM,UAAU,GACrB,OAAO,gBAAgB,CAAC,OAAO,CAAC,EAChC,MAAM,MAAM,EACZ,QAAQ,MAAM,EACd,MAAM,OAAO,KACZ,OAAO,CAAC,OAAO,CA+BjB,CAAC"}
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../../src/server/handlers/auth/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,MAAM,CAAC;AAGxC,eAAO,MAAM,sBAAsB,GAAI,KAAK,WAAW,KAAG,OAEzD,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAC9B,MAAM,MAAM,EACZ,QAAQ,MAAM,EACd,wBAAwB,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,KAC3C,OAkBF,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,MAAM,MAAM,EAAE,QAAQ,MAAM,EAAE,YAAY,gBAAgB,KAAG,OAG5F,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAAI,MAAM,MAAM,EAAE,QAAQ,MAAM,EAAE,YAAY,gBAAgB,KAAG,OAK9F,CAAC;AAiCF,eAAO,MAAM,kBAAkB,GAAI,MAAM,MAAM,EAAE,SAAS,MAAM,KAAG,OAQlE,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,MAAM,MAAM,EAAE,UAAU,MAAM,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,KAAG,OAiBhG,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAAI,QAAQ,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,MAAM,KAAG,OAU5E,CAAC;AAGF,eAAO,MAAM,UAAU,GACrB,OAAO,gBAAgB,CAAC,OAAO,CAAC,EAChC,MAAM,MAAM,EACZ,QAAQ,MAAM,EACd,MAAM,OAAO,KACZ,OAAO,CAAC,OAAO,CA+BjB,CAAC"}

package/dist/server/handlers/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/server/handlers/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAIjC,eAAO,MAAM,wBAAwB,GAAU,GAAG,iBAAiB,EAAE,MAAM,IAAI;;iBA2D9E,CAAC;AAEF,eAAO,MAAM,uBAAuB,GAAU,GAAG,iBAAiB,EAAE,MAAM,IAAI;;;;iBAgF7E,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/server/handlers/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAIjC,eAAO,MAAM,wBAAwB,GAAU,GAAG,iBAAiB,EAAE,MAAM,IAAI;;iBAiE9E,CAAC;AAEF,eAAO,MAAM,uBAAuB,GAAU,GAAG,iBAAiB,EAAE,MAAM,IAAI;;;;iBAsF7E,CAAC"}

package/dist/server/index.cjs

@@ -72,8 +72,7 @@ var Request = class extends GlobalRequest {
     super(input, options);
   }
 };
-var wrapBodyStream = Symbol("wrapBodyStream");
-var newRequestFromIncoming = (method, url, incoming, abortController) => {
+var newHeadersFromIncoming = (incoming) => {
   const headerRecord = [];
   const rawHeaders = incoming.rawHeaders;
   for (let i2 = 0; i2 < rawHeaders.length; i2 += 2) {
@@ -83,9 +82,13 @@ var newRequestFromIncoming = (method, url, incoming, abortController) => {
       headerRecord.push([key, value]);
     }
   }
+  return new Headers(headerRecord);
+};
+var wrapBodyStream = Symbol("wrapBodyStream");
+var newRequestFromIncoming = (method, url, headers, incoming, abortController) => {
   const init = {
     method,
-    headers: headerRecord,
+    headers,
     signal: abortController.signal
   };
   if (method === "TRACE") {
@@ -133,6 +136,7 @@ var getRequestCache = Symbol("getRequestCache");
 var requestCache = Symbol("requestCache");
 var incomingKey = Symbol("incomingKey");
 var urlKey = Symbol("urlKey");
+var headersKey = Symbol("headersKey");
 var abortControllerKey = Symbol("abortControllerKey");
 var getAbortController = Symbol("getAbortController");
 var requestPrototype = {
@@ -142,6 +146,9 @@ var requestPrototype = {
   get url() {
     return this[urlKey];
   },
+  get headers() {
+    return this[headersKey] ||= newHeadersFromIncoming(this[incomingKey]);
+  },
   [getAbortController]() {
     this[getRequestCache]();
     return this[abortControllerKey];
@@ -151,6 +158,7 @@ var requestPrototype = {
     return this[requestCache] ||= newRequestFromIncoming(
       this.method,
       this[urlKey],
+      this.headers,
       this[incomingKey],
       this[abortControllerKey]
     );
@@ -162,7 +170,6 @@ var requestPrototype = {
   "cache",
   "credentials",
   "destination",
-  "headers",
   "integrity",
   "mode",
   "redirect",
@@ -288,17 +295,14 @@ var Response2 = class _Response {
 });
 Object.setPrototypeOf(Response2, GlobalResponse);
 Object.setPrototypeOf(Response2.prototype, GlobalResponse.prototype);
-function writeFromReadableStream(stream7, writable) {
-  if (stream7.locked) {
-    throw new TypeError("ReadableStream is locked.");
-  } else if (writable.destroyed) {
-    return;
-  }
-  const reader = stream7.getReader();
+async function readWithoutBlocking(readPromise) {
+  return Promise.race([readPromise, Promise.resolve().then(() => Promise.resolve(void 0))]);
+}
+function writeFromReadableStreamDefaultReader(reader, writable, currentReadPromise) {
   const handleError2 = () => {
   };
   writable.on("error", handleError2);
-  reader.read().then(flow, handleStreamError);
+  (currentReadPromise ?? reader.read()).then(flow, handleStreamError);
   return reader.closed.finally(() => {
     writable.off("error", handleError2);
   });
@@ -324,6 +328,14 @@ function writeFromReadableStream(stream7, writable) {
     }
   }
 }
+function writeFromReadableStream(stream7, writable) {
+  if (stream7.locked) {
+    throw new TypeError("ReadableStream is locked.");
+  } else if (writable.destroyed) {
+    return;
+  }
+  return writeFromReadableStreamDefaultReader(stream7.getReader(), writable);
+}
 var buildOutgoingHttpHeaders = (headers) => {
   const res = {};
   if (!(headers instanceof Headers)) {
@@ -358,8 +370,6 @@ global.fetch = (info, init) => {
   return webFetch(info, init);
 };
 var outgoingEnded = Symbol("outgoingEnded");
-var regBuffer = /^no$/i;
-var regContentType = /^(application\/json\b|text\/(?!event-stream\b))/i;
 var handleRequestError = () => new Response(null, {
   status: 400
 });
@@ -430,23 +440,50 @@ var responseViaResponseObject = async (res, outgoing, options = {}) => {
   }
   const resHeaderRecord = buildOutgoingHttpHeaders(res.headers);
   if (res.body) {
-    const {
-      "transfer-encoding": transferEncoding,
-      "content-encoding": contentEncoding,
-      "content-length": contentLength,
-      "x-accel-buffering": accelBuffering,
-      "content-type": contentType
-    } = resHeaderRecord;
-    if (transferEncoding || contentEncoding || contentLength || // nginx buffering variant
-    accelBuffering && regBuffer.test(accelBuffering) || !regContentType.test(contentType)) {
-      outgoing.writeHead(res.status, resHeaderRecord);
-      flushHeaders(outgoing);
-      await writeFromReadableStream(res.body, outgoing);
+    const reader = res.body.getReader();
+    const values = [];
+    let done = false;
+    let currentReadPromise = void 0;
+    if (resHeaderRecord["transfer-encoding"] !== "chunked") {
+      let maxReadCount = 2;
+      for (let i2 = 0; i2 < maxReadCount; i2++) {
+        currentReadPromise ||= reader.read();
+        const chunk = await readWithoutBlocking(currentReadPromise).catch((e2) => {
+          console.error(e2);
+          done = true;
+        });
+        if (!chunk) {
+          if (i2 === 1) {
+            await new Promise((resolve) => setTimeout(resolve));
+            maxReadCount = 3;
+            continue;
+          }
+          break;
+        }
+        currentReadPromise = void 0;
+        if (chunk.value) {
+          values.push(chunk.value);
+        }
+        if (chunk.done) {
+          done = true;
+          break;
+        }
+      }
+      if (done && !("content-length" in resHeaderRecord)) {
+        resHeaderRecord["content-length"] = values.reduce((acc, value) => acc + value.length, 0);
+      }
+    }
+    outgoing.writeHead(res.status, resHeaderRecord);
+    values.forEach((value) => {
+      outgoing.write(value);
+    });
+    if (done) {
+      outgoing.end();
     } else {
-      const buffer = await res.arrayBuffer();
-      resHeaderRecord["content-length"] = buffer.byteLength;
-      outgoing.writeHead(res.status, resHeaderRecord);
-      outgoing.end(new Uint8Array(buffer));
+      if (values.length === 0) {
+        flushHeaders(outgoing);
+      }
+      await writeFromReadableStreamDefaultReader(reader, outgoing, currentReadPromise);
     }
   } else if (resHeaderRecord[X_ALREADY_SENT]) ; else {
     outgoing.writeHead(res.status, resHeaderRecord);
@@ -588,6 +625,9 @@ var getStats = (path) => {
 var serveStatic = (options = { root: "" }) => {
   const root = options.root || "";
   const optionPath = options.path;
+  if (root !== "" && !fs.existsSync(root)) {
+    console.error(`serveStatic: root path '${root}' is not found, are you sure it's correct?`);
+  }
   return async (c2, next) => {
     if (c2.finalized) {
       return next();
@@ -655,8 +695,8 @@ var serveStatic = (options = { root: "" }) => {
     c2.header("Accept-Ranges", "bytes");
     c2.header("Date", stats.birthtime.toUTCString());
     const parts = range.replace(/bytes=/, "").split("-", 2);
-    const start = parts[0] ? parseInt(parts[0], 10) : 0;
-    let end = parts[1] ? parseInt(parts[1], 10) : stats.size - 1;
+    const start = parseInt(parts[0], 10) || 0;
+    let end = parseInt(parts[1], 10) || size - 1;
     if (size < end - start + 1) {
       end = size - 1;
     }
@@ -1011,6 +1051,20 @@ var defaultAuthConfig = {
 var isDevPlaygroundRequest = (req) => {
   return req.header("x-mastra-dev-playground") === "true" && process.env.MASTRA_DEV === "true";
 };
+var isCustomRoutePublic = (path, method, customRouteAuthConfig) => {
+  if (!customRouteAuthConfig) {
+    return false;
+  }
+  const routeKey = `${method}:${path}`;
+  if (customRouteAuthConfig.has(routeKey)) {
+    return !customRouteAuthConfig.get(routeKey);
+  }
+  const allRouteKey = `ALL:${path}`;
+  if (customRouteAuthConfig.has(allRouteKey)) {
+    return !customRouteAuthConfig.get(allRouteKey);
+  }
+  return false;
+};
 var isProtectedPath = (path, method, authConfig) => {
   const protectedAccess = [...defaultAuthConfig.protected || [], ...authConfig.protected || []];
   return isAnyMatch(path, method, protectedAccess);
@@ -1097,12 +1151,16 @@ var checkRules = async (rules, path, method, user) => {
 var authenticationMiddleware = async (c2, next) => {
   const mastra = c2.get("mastra");
   const authConfig = mastra.getServer()?.experimental_auth;
+  const customRouteAuthConfig = c2.get("customRouteAuthConfig");
   if (!authConfig) {
     return next();
   }
   if (isDevPlaygroundRequest(c2.req)) {
     return next();
   }
+  if (isCustomRoutePublic(c2.req.path, c2.req.method, customRouteAuthConfig)) {
+    return next();
+  }
   if (!isProtectedPath(c2.req.path, c2.req.method, authConfig)) {
     return next();
   }
@@ -1137,6 +1195,7 @@ var authenticationMiddleware = async (c2, next) => {
 var authorizationMiddleware = async (c2, next) => {
   const mastra = c2.get("mastra");
   const authConfig = mastra.getServer()?.experimental_auth;
+  const customRouteAuthConfig = c2.get("customRouteAuthConfig");
   if (!authConfig) {
     return next();
   }
@@ -1145,6 +1204,9 @@ var authorizationMiddleware = async (c2, next) => {
   if (isDevPlaygroundRequest(c2.req)) {
     return next();
   }
+  if (isCustomRoutePublic(path, method, customRouteAuthConfig)) {
+    return next();
+  }
   if (!isProtectedPath(c2.req.path, c2.req.method, authConfig)) {
     return next();
   }
@@ -10978,6 +11040,15 @@ async function createHonoServer(mastra, options = {
   const app = new hono.Hono();
   const server = mastra.getServer();
   const a2aTaskStore = new store.InMemoryTaskStore();
+  const routes = server?.apiRoutes;
+  const customRouteAuthConfig = /* @__PURE__ */ new Map();
+  if (routes) {
+    for (const route of routes) {
+      const requiresAuth = route.requiresAuth !== false;
+      const routeKey = `${route.method}:${route.path}`;
+      customRouteAuthConfig.set(routeKey, requiresAuth);
+    }
+  }
   app.use("*", async function setTelemetryInfo(c2, next) {
     const requestId = c2.req.header("x-request-id") ?? crypto.randomUUID();
     const span = telemetry.Telemetry.getActiveSpan();
@@ -11040,6 +11111,7 @@ async function createHonoServer(mastra, options = {
     c2.set("taskStore", a2aTaskStore);
     c2.set("playground", options.playground === true);
     c2.set("isDev", options.isDev === true);
+    c2.set("customRouteAuthConfig", customRouteAuthConfig);
     return next();
   });
   const serverMiddleware = mastra.getServerMiddleware?.();
@@ -11069,7 +11141,6 @@ async function createHonoServer(mastra, options = {
     // 4.5 MB,
     onError: (c2) => c2.json({ error: "Request body too large" }, 413)
   };
-  const routes = server?.apiRoutes;
   if (server?.middleware) {
     const normalizedMiddlewares = Array.isArray(server.middleware) ? server.middleware : [server.middleware];
     const middlewares = normalizedMiddlewares.map((middleware2) => {