@mastra/deployer 1.8.0 → 1.9.0

package/dist/server/index.cjs

@@ -1,6 +1,6 @@
 'use strict';
 
-var chunkITC6JDLC_cjs = require('../chunk-ITC6JDLC.cjs');
+var chunkG7R456H2_cjs = require('../chunk-G7R456H2.cjs');
 var promises = require('fs/promises');
 var https = require('https');
 var path = require('path');
@@ -18,7 +18,6 @@ var error = require('@mastra/server/handlers/error');
 var serverAdapter = require('@mastra/server/server-adapter');
 var util = require('util');
 var buffer = require('buffer');
-var auth = require('@mastra/server/auth');
 var store = require('@mastra/server/a2a/store');
 var hono = require('hono');
 var cors = require('hono/cors');
@@ -2682,6 +2681,8 @@ function toFetchResponse(res) {
   }
   return res.fetchResponse;
 }
+
+// ../../server-adapters/hono/dist/index.js
 var HTTPException = class extends Error {
   res;
   status;
@@ -3083,117 +3084,18 @@ ZodError.create = (issues) => {
   const error = new ZodError(issues);
   return error;
 };
-var authenticationMiddleware = async (c, next) => {
-  const mastra = c.get("mastra");
-  const authConfig = mastra.getServer()?.auth;
-  const customRouteAuthConfig = c.get("customRouteAuthConfig");
-  if (!authConfig) {
-    return next();
-  }
-  const path = c.req.path;
-  const method = c.req.method;
-  const getHeader = (name) => c.req.header(name);
-  if (auth.isDevPlaygroundRequest(path, method, getHeader, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (!auth.isProtectedPath(c.req.path, c.req.method, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (auth.canAccessPublicly(c.req.path, c.req.method, authConfig)) {
-    return next();
-  }
-  const authHeader = c.req.header("Authorization");
-  let token = authHeader ? authHeader.replace("Bearer ", "") : null;
-  if (!token && c.req.query("apiKey")) {
-    token = c.req.query("apiKey") || null;
-  }
-  if (!token) {
-    return c.json({ error: "Authentication required" }, 401);
-  }
-  try {
-    let user;
-    if (typeof authConfig.authenticateToken === "function") {
-      user = await authConfig.authenticateToken(token, c.req);
-    } else {
-      throw new Error("No token verification method configured");
-    }
-    if (!user) {
-      return c.json({ error: "Invalid or expired token" }, 401);
-    }
-    c.get("requestContext").set("user", user);
-    return next();
-  } catch (err) {
-    mastra.getLogger()?.error("Authentication error", {
-      error: err instanceof Error ? { message: err.message, stack: err.stack } : err
+var _hasPermissionPromise;
+function loadHasPermission() {
+  if (!_hasPermissionPromise) {
+    _hasPermissionPromise = import('@mastra/core/auth/ee').then((m) => m.hasPermission).catch(() => {
+      console.error(
+        "[@mastra/hono] Auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest"
+      );
+      return void 0;
     });
-    return c.json({ error: "Invalid or expired token" }, 401);
   }
-};
-var authorizationMiddleware = async (c, next) => {
-  const mastra = c.get("mastra");
-  const authConfig = mastra.getServer()?.auth;
-  const customRouteAuthConfig = c.get("customRouteAuthConfig");
-  if (!authConfig) {
-    return next();
-  }
-  const path = c.req.path;
-  const method = c.req.method;
-  const getHeader = (name) => c.req.header(name);
-  if (auth.isDevPlaygroundRequest(path, method, getHeader, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (!auth.isProtectedPath(c.req.path, c.req.method, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (auth.canAccessPublicly(path, method, authConfig)) {
-    return next();
-  }
-  const user = c.get("requestContext").get("user");
-  if ("authorizeUser" in authConfig && typeof authConfig.authorizeUser === "function") {
-    try {
-      const isAuthorized = await authConfig.authorizeUser(user, c.req);
-      if (isAuthorized) {
-        return next();
-      }
-      return c.json({ error: "Access denied" }, 403);
-    } catch (err) {
-      mastra.getLogger()?.error("Authorization error in authorizeUser", {
-        error: err instanceof Error ? { message: err.message, stack: err.stack } : err
-      });
-      return c.json({ error: "Authorization error" }, 500);
-    }
-  }
-  if ("authorize" in authConfig && typeof authConfig.authorize === "function") {
-    try {
-      const isAuthorized = await authConfig.authorize(path, method, user, c);
-      if (isAuthorized) {
-        return next();
-      }
-      return c.json({ error: "Access denied" }, 403);
-    } catch (err) {
-      mastra.getLogger()?.error("Authorization error in authorize", {
-        error: err instanceof Error ? { message: err.message, stack: err.stack } : err,
-        path,
-        method
-      });
-      return c.json({ error: "Authorization error" }, 500);
-    }
-  }
-  if ("rules" in authConfig && authConfig.rules && authConfig.rules.length > 0) {
-    const isAuthorized = await auth.checkRules(authConfig.rules, path, method, user);
-    if (isAuthorized) {
-      return next();
-    }
-    return c.json({ error: "Access denied" }, 403);
-  }
-  if (auth.defaultAuthConfig.rules && auth.defaultAuthConfig.rules.length > 0) {
-    const isAuthorized = await auth.checkRules(auth.defaultAuthConfig.rules, path, method, user);
-    if (isAuthorized) {
-      return next();
-    }
-  }
-  return c.json({ error: "Access denied" }, 403);
-};
+  return _hasPermissionPromise;
+}
 var MastraServer = class extends serverAdapter.MastraServer {
   createContextMiddleware() {
     return async (c, next) => {
@@ -3212,7 +3114,8 @@ var MastraServer = class extends serverAdapter.MastraServer {
       let paramsRequestContext;
       if (c.req.method === "POST" || c.req.method === "PUT") {
         const contentType = c.req.header("content-type");
-        if (contentType?.includes("application/json")) {
+        const contentLength = c.req.header("content-length");
+        if (contentType?.includes("application/json") && contentLength !== "0") {
           try {
             const body = await c.req.raw.clone().json();
             if (body.requestContext) {
@@ -3438,7 +3341,9 @@ var MastraServer = class extends serverAdapter.MastraServer {
           method: c.req.method,
           getHeader: (name) => c.req.header(name),
           getQuery: (name) => c.req.query(name),
-          requestContext: c.get("requestContext")
+          requestContext: c.get("requestContext"),
+          request: c.req.raw,
+          buildAuthorizeContext: () => c
         });
         if (authError) {
           return c.json({ error: authError.error }, authError.status);
@@ -3519,8 +3424,27 @@ var MastraServer = class extends serverAdapter.MastraServer {
           registeredTools: c.get("registeredTools"),
           taskStore: c.get("taskStore"),
           abortSignal: c.get("abortSignal"),
-          routePrefix: prefix
+          routePrefix: prefix,
+          request: c.req.raw
+          // Standard Request object with headers/cookies
         };
+        const authConfig = this.mastra.getServer()?.auth;
+        if (authConfig) {
+          const hasPermission = await loadHasPermission();
+          if (hasPermission) {
+            const userPermissions = c.get("requestContext").get("userPermissions");
+            const permissionError = this.checkRoutePermission(route, userPermissions, hasPermission);
+            if (permissionError) {
+              return c.json(
+                {
+                  error: permissionError.error,
+                  message: permissionError.message
+                },
+                permissionError.status
+              );
+            }
+          }
+        }
         try {
           const result = await route.handler(handlerParams);
           return this.sendResponse(route, c, result, prefix);
@@ -3566,6 +3490,43 @@ var MastraServer = class extends serverAdapter.MastraServer {
       const handler = "handler" in route && route.handler ? route.handler : "createHandler" in route ? await route.createHandler({ mastra: this.mastra }) : void 0;
       if (!handler) continue;
       const middlewares = [];
+      const serverRoute = {
+        method: route.method,
+        path: route.path,
+        responseType: "json",
+        handler: async () => {
+        },
+        requiresAuth: route.requiresAuth
+      };
+      middlewares.push(async (c, next) => {
+        const authError = await this.checkRouteAuth(serverRoute, {
+          path: c.req.path,
+          method: c.req.method,
+          getHeader: (name) => c.req.header(name),
+          getQuery: (name) => c.req.query(name),
+          requestContext: c.get("requestContext"),
+          request: c.req.raw,
+          buildAuthorizeContext: () => c
+        });
+        if (authError) {
+          return c.json({ error: authError.error }, authError.status);
+        }
+        const authConfig = this.mastra.getServer()?.auth;
+        if (authConfig) {
+          const hasPermission = await loadHasPermission();
+          if (hasPermission) {
+            const userPermissions = c.get("requestContext").get("userPermissions");
+            const permissionError = this.checkRoutePermission(serverRoute, userPermissions, hasPermission);
+            if (permissionError) {
+              return c.json(
+                { error: permissionError.error, message: permissionError.message },
+                permissionError.status
+              );
+            }
+          }
+        }
+        return next();
+      });
       if (route.middleware) {
         middlewares.push(...Array.isArray(route.middleware) ? route.middleware : [route.middleware]);
       }
@@ -3578,12 +3539,44 @@ var MastraServer = class extends serverAdapter.MastraServer {
     this.app.use("*", this.createContextMiddleware());
   }
   registerAuthMiddleware() {
-    const authConfig = this.mastra.getServer()?.auth;
-    if (!authConfig) {
+  }
+  registerHttpLoggingMiddleware() {
+    if (!this.httpLoggingConfig?.enabled) {
       return;
     }
-    this.app.use("*", authenticationMiddleware);
-    this.app.use("*", authorizationMiddleware);
+    this.app.use("*", async (c, next) => {
+      if (!this.shouldLogRequest(c.req.path)) {
+        return next();
+      }
+      const start = Date.now();
+      const method = c.req.method;
+      const path = c.req.path;
+      await next();
+      const duration = Date.now() - start;
+      const status = c.res.status;
+      const level = this.httpLoggingConfig?.level || "info";
+      const logData = {
+        method,
+        path,
+        status,
+        duration: `${duration}ms`
+      };
+      if (this.httpLoggingConfig?.includeQueryParams) {
+        logData.query = c.req.query();
+      }
+      if (this.httpLoggingConfig?.includeHeaders) {
+        const headers = Object.fromEntries(c.req.raw.headers.entries());
+        const redactHeaders = this.httpLoggingConfig.redactHeaders || [];
+        redactHeaders.forEach((h) => {
+          const key = h.toLowerCase();
+          if (headers[key] !== void 0) {
+            headers[key] = "[REDACTED]";
+          }
+        });
+        logData.headers = headers;
+      }
+      this.logger[level](`${method} ${path} ${status} ${duration}ms`, logData);
+    });
   }
 };
 
@@ -3944,9 +3937,16 @@ async function createHonoServer(mastra, options = {
   const server = mastra.getServer();
   const a2aTaskStore = new store.InMemoryTaskStore();
   const routes = server?.apiRoutes;
+  const processedRoutes = routes?.map((route) => {
+    if ("openapi" in route && route.openapi) {
+      const existingMiddleware = route.middleware ? Array.isArray(route.middleware) ? route.middleware : [route.middleware] : [];
+      return { ...route, middleware: [describeRoute(route.openapi), ...existingMiddleware] };
+    }
+    return route;
+  });
   const customRouteAuthConfig = /* @__PURE__ */ new Map();
-  if (routes) {
-    for (const route of routes) {
+  if (processedRoutes) {
+    for (const route of processedRoutes) {
       const requiresAuth = route.requiresAuth !== false;
       const routeKey = `${route.method}:${route.path}`;
       customRouteAuthConfig.set(routeKey, requiresAuth);
@@ -3972,7 +3972,7 @@ async function createHonoServer(mastra, options = {
     bodyLimitOptions,
     openapiPath: options?.isDev || server?.build?.openAPIDocs ? "/openapi.json" : void 0,
     customRouteAuthConfig,
-    customApiRoutes: routes
+    customApiRoutes: processedRoutes
   });
   honoServerAdapter.registerContextMiddleware();
   const serverMiddleware = mastra.getServerMiddleware?.();
@@ -3984,10 +3984,20 @@ async function createHonoServer(mastra, options = {
   if (server?.cors === false) {
     app.use("*", timeout.timeout(server?.timeout ?? 3 * 60 * 1e3));
   } else {
+    const hasAuth = !!server?.auth;
+    let corsOrigin;
+    if (server?.cors && typeof server.cors === "object" && "origin" in server.cors && server.cors.origin) {
+      corsOrigin = server.cors.origin;
+    } else if (hasAuth) {
+      corsOrigin = (origin) => origin || void 0;
+    } else {
+      corsOrigin = "*";
+    }
     const corsConfig = {
-      origin: "*",
+      origin: corsOrigin,
       allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
-      credentials: false,
+      // Enable credentials for cookie-based auth (e.g., Better Auth sessions)
+      credentials: hasAuth ? true : false,
       maxAge: 3600,
       ...server?.cors,
       allowHeaders: ["Content-Type", "Authorization", "x-mastra-client-type", ...server?.cors?.allowHeaders ?? []],
@@ -4023,6 +4033,7 @@ async function createHonoServer(mastra, options = {
       rootHandler
     );
   }
+  await honoServerAdapter.validateEELicense();
   honoServerAdapter.registerAuthMiddleware();
   if (server?.middleware) {
     const normalizedMiddlewares = Array.isArray(server.middleware) ? server.middleware : [server.middleware];
@@ -4039,24 +4050,7 @@ async function createHonoServer(mastra, options = {
       app.use(middleware2.path, middleware2.handler);
     }
   }
-  if (routes) {
-    for (const route of routes) {
-      const middlewares = [];
-      if (route.middleware) {
-        middlewares.push(...Array.isArray(route.middleware) ? route.middleware : [route.middleware]);
-      }
-      if (route.openapi) {
-        middlewares.push(describeRoute(route.openapi));
-      }
-      const handler = "handler" in route ? route.handler : await route.createHandler({ mastra });
-      const allHandlers = [...middlewares, handler];
-      if (route.method === "ALL") {
-        app.all(route.path, allHandlers[0], ...allHandlers.slice(1));
-      } else {
-        app.on(route.method, route.path, allHandlers[0], ...allHandlers.slice(1));
-      }
-    }
-  }
+  await honoServerAdapter.registerCustomApiRoutes();
   if (server?.build?.apiReqLogs) {
     app.use(logger.logger());
   }
@@ -4086,7 +4080,7 @@ async function createHonoServer(mastra, options = {
     );
   }
   const serverOptions = mastra.getServer();
-  const studioBasePath = chunkITC6JDLC_cjs.normalizeStudioBase(serverOptions?.studioBase ?? "/");
+  const studioBasePath = chunkG7R456H2_cjs.normalizeStudioBase(serverOptions?.studioBase ?? "/");
   if (options?.studio) {
     app.get(
       `${studioBasePath}/refresh-events`,
@@ -4156,18 +4150,20 @@ async function createHonoServer(mastra, options = {
       const escapeForHtml = (json) => {
         return json.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/</g, "\\u003c").replace(/>/g, "\\u003e").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
       };
-      indexHtml = indexHtml.replace(`'%%MASTRA_SERVER_HOST%%'`, `'${host}'`);
-      indexHtml = indexHtml.replace(`'%%MASTRA_SERVER_PORT%%'`, `'${port}'`);
-      indexHtml = indexHtml.replace(`'%%MASTRA_API_PREFIX%%'`, `'${serverOptions?.apiPrefix ?? "/api"}'`);
-      indexHtml = indexHtml.replace(`'%%MASTRA_HIDE_CLOUD_CTA%%'`, `'${hideCloudCta}'`);
-      indexHtml = indexHtml.replace(`'%%MASTRA_SERVER_PROTOCOL%%'`, `'${protocol}'`);
-      indexHtml = indexHtml.replace(`'%%MASTRA_CLOUD_API_ENDPOINT%%'`, `'${cloudApiEndpoint}'`);
-      indexHtml = indexHtml.replace(`'%%MASTRA_EXPERIMENTAL_FEATURES%%'`, `'${experimentalFeatures}'`);
-      indexHtml = indexHtml.replace(
-        `'%%MASTRA_REQUEST_CONTEXT_PRESETS%%'`,
-        `'${escapeForHtml(requestContextPresets)}'`
-      );
-      indexHtml = indexHtml.replaceAll("%%MASTRA_STUDIO_BASE_PATH%%", studioBasePath);
+      const autoDetectUrl = process.env.MASTRA_AUTO_DETECT_URL === "true";
+      indexHtml = chunkG7R456H2_cjs.injectStudioHtmlConfig(indexHtml, {
+        host: `'${host}'`,
+        port: `'${port}'`,
+        protocol: `'${protocol}'`,
+        apiPrefix: `'${serverOptions?.apiPrefix ?? "/api"}'`,
+        basePath: studioBasePath,
+        hideCloudCta: `'${hideCloudCta}'`,
+        cloudApiEndpoint: `'${cloudApiEndpoint}'`,
+        experimentalFeatures: `'${experimentalFeatures}'`,
+        telemetryDisabled: `''`,
+        requestContextPresets: `'${escapeForHtml(requestContextPresets)}'`,
+        autoDetectUrl: `'${autoDetectUrl}'`
+      });
       return c.newResponse(indexHtml, 200, { "Content-Type": "text/html" });
     }
     return c.newResponse(html2, 200, { "Content-Type": "text/html" });
@@ -4216,7 +4212,7 @@ async function createNodeServer(mastra, options = { tools: {} }) {
       const logger2 = mastra.getLogger();
       logger2.info(` Mastra API running on ${protocol}://${host}:${port}/api`);
       if (options?.studio) {
-        const studioBasePath = chunkITC6JDLC_cjs.normalizeStudioBase(serverOptions?.studioBase ?? "/");
+        const studioBasePath = chunkG7R456H2_cjs.normalizeStudioBase(serverOptions?.studioBase ?? "/");
         const studioUrl = `${protocol}://${host}:${port}${studioBasePath}`;
         logger2.info(`\u{1F468}\u200D\u{1F4BB} Studio available at ${studioUrl}`);
       }