@mastra/express 1.1.7 → 1.1.8-alpha.0

package/CHANGELOG.md

@@ -1,5 +1,44 @@
 # @mastra/express
 
+## 1.1.8-alpha.0
+
+### Patch Changes
+
+- Added RBAC permission enforcement to all server adapters. When an auth provider is configured, each route's required permission is checked against the authenticated user's permissions before the handler runs. Permissions are derived automatically from route paths and HTTP methods using the convention-based system from `@mastra/server`. ([#13163](https://github.com/mastra-ai/mastra/pull/13163))
+
+- Added HTTP request logging middleware. Enable with `apiReqLogs: true` for default settings, or pass a configuration object for fine-grained control. ([#11907](https://github.com/mastra-ai/mastra/pull/11907))
+
+  **Simple activation**
+
+  ```ts
+  const mastra = new Mastra({
+    server: { build: { apiReqLogs: true } },
+  });
+  ```
+
+  **Advanced configuration**
+
+  ```ts
+  const mastra = new Mastra({
+    server: {
+      build: {
+        apiReqLogs: {
+          enabled: true,
+          level: 'debug',
+          excludePaths: ['/health'],
+          includeHeaders: true,
+          includeQueryParams: true,
+          redactHeaders: ['authorization', 'cookie'],
+        },
+      },
+    },
+  });
+  ```
+
+- Updated dependencies [[`504fc8b`](https://github.com/mastra-ai/mastra/commit/504fc8b9d0ddab717577ad3bf9c95ea4bd5377bd), [`f9c150b`](https://github.com/mastra-ai/mastra/commit/f9c150b7595ad05ad9cc9a11098e2944361e8c22), [`88de7e8`](https://github.com/mastra-ai/mastra/commit/88de7e8dfe4b7e1951a9e441bb33136e705ce24e), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`edee4b3`](https://github.com/mastra-ai/mastra/commit/edee4b37dff0af515fc7cc0e8d71ee39e6a762f0), [`3790c75`](https://github.com/mastra-ai/mastra/commit/3790c7578cc6a47d854eb12d89e6b1912867fe29), [`e7a235b`](https://github.com/mastra-ai/mastra/commit/e7a235be6472e0c870ed6c791ddb17c492dc188b), [`d51d298`](https://github.com/mastra-ai/mastra/commit/d51d298953967aab1f58ec965b644d109214f085), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d5f0d8d`](https://github.com/mastra-ai/mastra/commit/d5f0d8d6a03e515ddaa9b5da19b7e44b8357b07b), [`09c3b18`](https://github.com/mastra-ai/mastra/commit/09c3b1802ff14e243a8a8baea327440bc8cc2e32), [`b896379`](https://github.com/mastra-ai/mastra/commit/b8963791c6afa79484645fcec596a201f936b9a2), [`85c84eb`](https://github.com/mastra-ai/mastra/commit/85c84ebb78aebfcba9d209c8e152b16d7a00cb71), [`a89272a`](https://github.com/mastra-ai/mastra/commit/a89272a5d71939b9fcd284e6a6dc1dd091a6bdcf), [`ee9c8df`](https://github.com/mastra-ai/mastra/commit/ee9c8df644f19d055af5f496bf4942705f5a47b7), [`77b4a25`](https://github.com/mastra-ai/mastra/commit/77b4a254e51907f8ff3a3ba95596a18e93ae4b35), [`276246e`](https://github.com/mastra-ai/mastra/commit/276246e0b9066a1ea48bbc70df84dbe528daaf99), [`08ecfdb`](https://github.com/mastra-ai/mastra/commit/08ecfdbdad6fb8285deef86a034bdf4a6047cfca), [`d5f628c`](https://github.com/mastra-ai/mastra/commit/d5f628ca86c6f6f3ff1035d52f635df32dd81cab), [`524c0f3`](https://github.com/mastra-ai/mastra/commit/524c0f3c434c3d9d18f66338dcef383d6161b59c), [`c18a0e9`](https://github.com/mastra-ai/mastra/commit/c18a0e9cef1e4ca004b2963d35e4cfc031971eac), [`4bd21ea`](https://github.com/mastra-ai/mastra/commit/4bd21ea43d44d0a0427414fc047577f9f0aa3bec), [`115a7a4`](https://github.com/mastra-ai/mastra/commit/115a7a47db5e9896fec12ae6507501adb9ec89bf), [`22a48ae`](https://github.com/mastra-ai/mastra/commit/22a48ae2513eb54d8d79dad361fddbca97a155e8), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9311c17`](https://github.com/mastra-ai/mastra/commit/9311c17d7a0640d9c4da2e71b814dc67c57c6369), [`7edf78f`](https://github.com/mastra-ai/mastra/commit/7edf78f80422c43e84585f08ba11df0d4d0b73c5), [`1c4221c`](https://github.com/mastra-ai/mastra/commit/1c4221cf6032ec98d0e094d4ee11da3e48490d96), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d25b9ea`](https://github.com/mastra-ai/mastra/commit/d25b9eabd400167255a97b690ffbc4ee4097ded5), [`fe1ce5c`](https://github.com/mastra-ai/mastra/commit/fe1ce5c9211c03d561606fda95cbfe7df1d9a9b5), [`b03c0e0`](https://github.com/mastra-ai/mastra/commit/b03c0e0389a799523929a458b0509c9e4244d562), [`0a8366b`](https://github.com/mastra-ai/mastra/commit/0a8366b0a692fcdde56c4d526e4cf03c502ae4ac), [`85664e9`](https://github.com/mastra-ai/mastra/commit/85664e9fd857320fbc245e301f764f45f66f32a3), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`3a3a59e`](https://github.com/mastra-ai/mastra/commit/3a3a59e8ffaa6a985fe3d9a126a3f5ade11a6724), [`3108d4e`](https://github.com/mastra-ai/mastra/commit/3108d4e649c9fddbf03253a6feeb388a5fa9fa5a), [`0c33b2c`](https://github.com/mastra-ai/mastra/commit/0c33b2c9db537f815e1c59e2c898ffce2e395a79), [`191e5bd`](https://github.com/mastra-ai/mastra/commit/191e5bd29b82f5bda35243945790da7bc7b695c2), [`f77cd94`](https://github.com/mastra-ai/mastra/commit/f77cd94c44eabed490384e7d19232a865e13214c), [`e8135c7`](https://github.com/mastra-ai/mastra/commit/e8135c7e300dac5040670eec7eab896ac6092e30), [`daca48f`](https://github.com/mastra-ai/mastra/commit/daca48f0fb17b7ae0b62a2ac40cf0e491b2fd0b7), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`257d14f`](https://github.com/mastra-ai/mastra/commit/257d14faca5931f2e4186fc165b6f0b1f915deee), [`352f25d`](https://github.com/mastra-ai/mastra/commit/352f25da316b24cdd5b410fd8dddf6a8b763da2a), [`93477d0`](https://github.com/mastra-ai/mastra/commit/93477d0769b8a13ea5ed73d508d967fb23eaeed9), [`31c78b3`](https://github.com/mastra-ai/mastra/commit/31c78b3eb28f58a8017f1dcc795c33214d87feac), [`0bc0720`](https://github.com/mastra-ai/mastra/commit/0bc07201095791858087cc56f353fcd65e87ab54), [`36516ac`](https://github.com/mastra-ai/mastra/commit/36516aca1021cbeb42e74751b46a2614101f37c8), [`e947652`](https://github.com/mastra-ai/mastra/commit/e9476527fdecb4449e54570e80dfaf8466901254), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`ec248f6`](https://github.com/mastra-ai/mastra/commit/ec248f6b56e8a037c066c49b2178e2507471d988)]:
+  - @mastra/core@1.9.0-alpha.0
+  - @mastra/server@1.9.0-alpha.0
+
 ## 1.1.7
 
 ### Patch Changes

package/LICENSE.md

@@ -1,3 +1,18 @@
+Portions of this software are licensed as follows:
+
+- All content that resides under any directory named "ee/" within this
+  repository, including but not limited to:
+  - `packages/core/src/auth/ee/`
+  - `packages/server/src/server/auth/ee/`
+    is licensed under the license defined in `ee/LICENSE`.
+
+- All third-party components incorporated into the Mastra Software are
+  licensed under the original license provided by the owner of the
+  applicable component.
+
+- Content outside of the above-mentioned directories or restrictions is
+  available under the "Apache License 2.0" as defined below.
+
 # Apache License 2.0
 
 Copyright (c) 2025 Kepler Software, Inc.

package/dist/index.cjs

@@ -1,9 +1,9 @@
 'use strict';
 
 var busboy = require('@fastify/busboy');
+var auth = require('@mastra/server/auth');
 var error = require('@mastra/server/handlers/error');
 var serverAdapter = require('@mastra/server/server-adapter');
-var auth = require('@mastra/server/auth');
 
 // src/index.ts
 
@@ -213,130 +213,39 @@ ZodError.create = (issues) => {
   const error = new ZodError(issues);
   return error;
 };
-var authenticationMiddleware = async (req, res, next) => {
-  const mastra = res.locals.mastra;
-  const authConfig = mastra.getServer()?.auth;
-  const customRouteAuthConfig = res.locals.customRouteAuthConfig;
-  if (!authConfig) {
-    return next();
-  }
-  const path = req.path;
-  const method = req.method;
-  const getHeader = (name) => req.headers[name.toLowerCase()];
-  if (auth.isDevPlaygroundRequest(path, method, getHeader, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (!auth.isProtectedPath(req.path, req.method, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (auth.canAccessPublicly(req.path, req.method, authConfig)) {
-    return next();
-  }
-  const authHeader = req.headers.authorization;
-  let token = authHeader ? authHeader.replace("Bearer ", "") : null;
-  if (!token && req.query.apiKey) {
-    token = req.query.apiKey || null;
-  }
-  if (!token) {
-    return res.status(401).json({ error: "Authentication required" });
-  }
-  try {
-    let user;
-    if (typeof authConfig.authenticateToken === "function") {
-      user = await authConfig.authenticateToken(token, req);
-    } else {
-      throw new Error("No token verification method configured");
-    }
-    if (!user) {
-      return res.status(401).json({ error: "Invalid or expired token" });
-    }
-    res.locals.requestContext.set("user", user);
-    return next();
-  } catch (err) {
-    mastra.getLogger()?.error("Authentication error", {
-      error: err instanceof Error ? { message: err.message, stack: err.stack } : err
+
+// src/index.ts
+var _hasPermissionPromise;
+function loadHasPermission() {
+  if (!_hasPermissionPromise) {
+    _hasPermissionPromise = import('@mastra/core/auth/ee').then((m) => m.hasPermission).catch(() => {
+      console.error(
+        "[@mastra/express] Auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest"
+      );
+      return void 0;
     });
-    return res.status(401).json({ error: "Invalid or expired token" });
-  }
-};
-var authorizationMiddleware = async (req, res, next) => {
-  const mastra = res.locals.mastra;
-  const authConfig = mastra.getServer()?.auth;
-  const customRouteAuthConfig = res.locals.customRouteAuthConfig;
-  if (!authConfig) {
-    return next();
-  }
-  const path = req.path;
-  const method = req.method;
-  const getHeader = (name) => req.headers[name.toLowerCase()];
-  if (auth.isDevPlaygroundRequest(path, method, getHeader, authConfig, customRouteAuthConfig)) {
-    return next();
   }
-  if (!auth.isProtectedPath(req.path, req.method, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (auth.canAccessPublicly(path, method, authConfig)) {
-    return next();
-  }
-  const user = res.locals.requestContext.get("user");
-  if ("authorizeUser" in authConfig && typeof authConfig.authorizeUser === "function") {
-    try {
-      const isAuthorized = await authConfig.authorizeUser(user, req);
-      if (isAuthorized) {
-        return next();
-      }
-      return res.status(403).json({ error: "Access denied" });
-    } catch (err) {
-      mastra.getLogger()?.error("Authorization error in authorizeUser", {
-        error: err instanceof Error ? { message: err.message, stack: err.stack } : err
-      });
-      return res.status(500).json({ error: "Authorization error" });
-    }
-  }
-  if ("authorize" in authConfig && typeof authConfig.authorize === "function") {
-    try {
-      const context = {
-        get: (key) => {
-          if (key === "mastra") return res.locals.mastra;
-          if (key === "requestContext") return res.locals.requestContext;
-          if (key === "registeredTools") return res.locals.registeredTools;
-          if (key === "taskStore") return res.locals.taskStore;
-          if (key === "customRouteAuthConfig") return res.locals.customRouteAuthConfig;
-          return void 0;
-        },
-        req
-      };
-      const isAuthorized = await authConfig.authorize(path, method, user, context);
-      if (isAuthorized) {
-        return next();
+  return _hasPermissionPromise;
+}
+function toWebRequest(req) {
+  const protocol = req.protocol || "http";
+  const host = req.get("host") || "localhost";
+  const url = `${protocol}://${host}${req.originalUrl || req.url}`;
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(req.headers)) {
+    if (value) {
+      if (Array.isArray(value)) {
+        value.forEach((v) => headers.append(key, v));
+      } else {
+        headers.set(key, value);
       }
-      return res.status(403).json({ error: "Access denied" });
-    } catch (err) {
-      mastra.getLogger()?.error("Authorization error in authorize", {
-        error: err instanceof Error ? { message: err.message, stack: err.stack } : err,
-        path,
-        method
-      });
-      return res.status(500).json({ error: "Authorization error" });
-    }
-  }
-  if ("rules" in authConfig && authConfig.rules && authConfig.rules.length > 0) {
-    const isAuthorized = await auth.checkRules(authConfig.rules, path, method, user);
-    if (isAuthorized) {
-      return next();
     }
-    return res.status(403).json({ error: "Access denied" });
   }
-  if (auth.defaultAuthConfig.rules && auth.defaultAuthConfig.rules.length > 0) {
-    const isAuthorized = await auth.checkRules(auth.defaultAuthConfig.rules, path, method, user);
-    if (isAuthorized) {
-      return next();
-    }
-  }
-  return res.status(403).json({ error: "Access denied" });
-};
-
-// src/index.ts
+  return new globalThis.Request(url, {
+    method: req.method,
+    headers
+  });
+}
 var MastraServer = class extends serverAdapter.MastraServer {
   createContextMiddleware() {
     return async (req, res, next) => {
@@ -599,7 +508,9 @@ var MastraServer = class extends serverAdapter.MastraServer {
           method: String(req.method || "GET"),
           getHeader: (name) => req.headers[name.toLowerCase()],
           getQuery: (name) => req.query[name],
-          requestContext: res.locals.requestContext
+          requestContext: res.locals.requestContext,
+          request: toWebRequest(req),
+          buildAuthorizeContext: () => toWebRequest(req)
         });
         if (authError) {
           return res.status(authError.status).json({ error: authError.error });
@@ -670,6 +581,20 @@ var MastraServer = class extends serverAdapter.MastraServer {
           abortSignal: res.locals.abortSignal,
           routePrefix: prefix
         };
+        const authConfig = this.mastra.getServer()?.auth;
+        if (authConfig) {
+          const hasPermission = await loadHasPermission();
+          if (hasPermission) {
+            const userPermissions = res.locals.requestContext.get("userPermissions");
+            const permissionError = this.checkRoutePermission(route, userPermissions, hasPermission);
+            if (permissionError) {
+              return res.status(permissionError.status).json({
+                error: permissionError.error,
+                message: permissionError.message
+              });
+            }
+          }
+        }
         try {
           const result = await route.handler(handlerParams);
           await this.sendResponse(route, res, result, req, prefix);
@@ -695,6 +620,43 @@ var MastraServer = class extends serverAdapter.MastraServer {
   async registerCustomApiRoutes() {
     if (!await this.buildCustomRouteHandler()) return;
     this.app.use(async (req, res, next) => {
+      const path = String(req.path || "/");
+      const method = String(req.method || "GET");
+      if (auth.isProtectedCustomRoute(path, method, this.customRouteAuthConfig)) {
+        const serverRoute = {
+          method,
+          path,
+          responseType: "json",
+          handler: async () => {
+          }
+        };
+        const authError = await this.checkRouteAuth(serverRoute, {
+          path,
+          method,
+          getHeader: (name) => req.headers[name.toLowerCase()],
+          getQuery: (name) => req.query[name],
+          requestContext: res.locals.requestContext,
+          request: toWebRequest(req),
+          buildAuthorizeContext: () => toWebRequest(req)
+        });
+        if (authError) {
+          return res.status(authError.status).json({ error: authError.error });
+        }
+        const authConfig = this.mastra.getServer()?.auth;
+        if (authConfig) {
+          const hasPermission = await loadHasPermission();
+          if (hasPermission) {
+            const userPermissions = res.locals.requestContext.get("userPermissions");
+            const permissionError = this.checkRoutePermission(serverRoute, userPermissions, hasPermission);
+            if (permissionError) {
+              return res.status(permissionError.status).json({
+                error: permissionError.error,
+                message: permissionError.message
+              });
+            }
+          }
+        }
+      }
       const response = await this.handleCustomRouteRequest(
         `${req.protocol}://${req.get("host") || "localhost"}${req.originalUrl}`,
         req.method,
@@ -710,12 +672,46 @@ var MastraServer = class extends serverAdapter.MastraServer {
     this.app.use(this.createContextMiddleware());
   }
   registerAuthMiddleware() {
-    const authConfig = this.mastra.getServer()?.auth;
-    if (!authConfig) {
+  }
+  registerHttpLoggingMiddleware() {
+    if (!this.httpLoggingConfig?.enabled) {
       return;
     }
-    this.app.use(authenticationMiddleware);
-    this.app.use(authorizationMiddleware);
+    this.app.use((req, res, next) => {
+      if (!this.shouldLogRequest(req.path)) {
+        return next();
+      }
+      const start = Date.now();
+      const method = req.method;
+      const path = req.path;
+      res.on("finish", () => {
+        const duration = Date.now() - start;
+        const status = res.statusCode;
+        const level = this.httpLoggingConfig?.level || "info";
+        const logData = {
+          method,
+          path,
+          status,
+          duration: `${duration}ms`
+        };
+        if (this.httpLoggingConfig?.includeQueryParams) {
+          logData.query = req.query;
+        }
+        if (this.httpLoggingConfig?.includeHeaders) {
+          const headers = { ...req.headers };
+          const redactHeaders = this.httpLoggingConfig.redactHeaders || [];
+          redactHeaders.forEach((h) => {
+            const key = h.toLowerCase();
+            if (headers[key] !== void 0) {
+              headers[key] = "[REDACTED]";
+            }
+          });
+          logData.headers = headers;
+        }
+        this.logger[level](`${method} ${path} ${status} ${duration}ms`, logData);
+      });
+      next();
+    });
   }
 };