npm - @mastra/express - Versions diffs - 1.3.17-alpha.0 → 1.3.17-alpha.2 - Mend

@mastra/express 1.3.17-alpha.0 → 1.3.17-alpha.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,23 @@
 # @mastra/express
+## 1.3.17-alpha.2
+### Patch Changes
+- Added FGA enforcement to server adapter middleware, ensuring authorization checks are applied consistently across all built-in adapters. ([#15410](https://github.com/mastra-ai/mastra/pull/15410))
+- Updated dependencies [[`86c0298`](https://github.com/mastra-ai/mastra/commit/86c0298e647306423c842f9d5ac827bd616bd13d), [`7fce309`](https://github.com/mastra-ai/mastra/commit/7fce30912b14170bfc41f0ac736cca0f39fe0cd4), [`cd96779`](https://github.com/mastra-ai/mastra/commit/cd9677937f113b2856dc8b9f3d4bdabcee58bb2e), [`7997c2e`](https://github.com/mastra-ai/mastra/commit/7997c2e55ddd121562a4098cd8d2b89c68433bf1), [`e97ccb9`](https://github.com/mastra-ai/mastra/commit/e97ccb900f8b7a390ce82c9f8eb8d6eb2c5e3777), [`f5afe62`](https://github.com/mastra-ai/mastra/commit/f5afe62beff3ae69148a35e55fe5375168897829), [`c5daf48`](https://github.com/mastra-ai/mastra/commit/c5daf48556e98c46ae06caf00f92c249912007e9), [`cd96779`](https://github.com/mastra-ai/mastra/commit/cd9677937f113b2856dc8b9f3d4bdabcee58bb2e), [`86c0298`](https://github.com/mastra-ai/mastra/commit/86c0298e647306423c842f9d5ac827bd616bd13d)]:
+  - @mastra/core@1.32.0-alpha.2
+  - @mastra/server@1.32.0-alpha.2
+## 1.3.17-alpha.1
+### Patch Changes
+- Updated dependencies [[`c05c9a1`](https://github.com/mastra-ai/mastra/commit/c05c9a13230988cef6d438a62f37760f31927bc7), [`e24aacb`](https://github.com/mastra-ai/mastra/commit/e24aacba07bd66f5d95b636dc24016fca26b52cf), [`c721164`](https://github.com/mastra-ai/mastra/commit/c7211643f7ac861f83b19a3757cc921487fc9d75), [`1b55954`](https://github.com/mastra-ai/mastra/commit/1b559541c1e08a10e49d01ffc51a634dfc37a286), [`5adc55e`](https://github.com/mastra-ai/mastra/commit/5adc55e63407be8ee977914957d68bcc2a075ceb), [`5adc55e`](https://github.com/mastra-ai/mastra/commit/5adc55e63407be8ee977914957d68bcc2a075ceb), [`70017d7`](https://github.com/mastra-ai/mastra/commit/70017d72ab741b5d7040e2a15c251a317782e39e), [`e4942bc`](https://github.com/mastra-ai/mastra/commit/e4942bc7fdc903572f7d84f26d5e15f9d39c763d)]:
+  - @mastra/core@1.32.0-alpha.1
+  - @mastra/server@1.32.0-alpha.1
 ## 1.3.17-alpha.0
 ### Patch Changes

package/dist/index.cjs CHANGED Viewed

@@ -596,13 +596,14 @@ var MastraServer = class extends serverAdapter.MastraServer {
           buildAuthorizeContext: () => toWebRequest2(req)
         });
         if (authError) {
-          if (authError.headers) {
-            for (const [key, value] of Object.entries(authError.headers)) {
+          const authResult = authError;
+          if (authResult.headers) {
+            for (const [key, value] of Object.entries(authResult.headers)) {
               res.setHeader(key, value);
             }
           }
-          if (authError.error) {
-            return res.status(authError.status).json({ error: authError.error });
+          if (authResult.error) {
+            return res.status(authResult.status).json({ error: authResult.error });
           }
         }
         const params = await this.getParams(route, req);
@@ -688,6 +689,14 @@ var MastraServer = class extends serverAdapter.MastraServer {
             }
           }
         }
+        const fgaError = await serverAdapter.checkRouteFGA(this.mastra, route, res.locals.requestContext, {
+          ...params.urlParams,
+          ...params.queryParams,
+          ...typeof params.body === "object" ? params.body : {}
+        });
+        if (fgaError) {
+          return res.status(fgaError.status).json({ error: fgaError.error, message: fgaError.message });
+        }
         try {
           const result = await route.handler(handlerParams);
           await this.sendResponse(route, res, result, req, prefix);
@@ -715,47 +724,68 @@ var MastraServer = class extends serverAdapter.MastraServer {
     this.app.use(async (req, res, next) => {
       const path = String(req.path || "/");
       const method = String(req.method || "GET");
-      if (auth.isProtectedCustomRoute(path, method, this.customRouteAuthConfig)) {
+      const matchedRoute = auth.findMatchingCustomRoute(
+        path,
+        method,
+        this.customApiRoutes ?? this.mastra.getServer()?.apiRoutes
+      );
+      const shouldRunCustomRouteAuth = auth.isProtectedCustomRoute(path, method, this.customRouteAuthConfig);
+      const shouldRunCustomRouteFGA = !!matchedRoute?.route.fga;
+      if (shouldRunCustomRouteAuth || shouldRunCustomRouteFGA) {
         const serverRoute = {
-          method,
-          path,
+          method: matchedRoute?.route.method ?? method,
+          path: matchedRoute?.route.path ?? path,
           responseType: "json",
           handler: async () => {
-          }
+          },
+          requiresAuth: matchedRoute?.route.requiresAuth,
+          requiresPermission: matchedRoute?.route.requiresPermission,
+          fga: matchedRoute?.route.fga
         };
-        const authError = await this.checkRouteAuth(serverRoute, {
-          path,
-          method,
-          getHeader: (name) => req.headers[name.toLowerCase()],
-          getQuery: (name) => req.query[name],
-          requestContext: res.locals.requestContext,
-          request: toWebRequest2(req),
-          buildAuthorizeContext: () => toWebRequest2(req)
-        });
-        if (authError) {
-          if (authError.headers) {
-            for (const [key, value] of Object.entries(authError.headers)) {
-              res.setHeader(key, value);
+        if (shouldRunCustomRouteAuth) {
+          const authError = await this.checkRouteAuth(serverRoute, {
+            path,
+            method,
+            getHeader: (name) => req.headers[name.toLowerCase()],
+            getQuery: (name) => req.query[name],
+            requestContext: res.locals.requestContext,
+            request: toWebRequest2(req),
+            buildAuthorizeContext: () => toWebRequest2(req)
+          });
+          if (authError) {
+            const authResult = authError;
+            if (authResult.headers) {
+              for (const [key, value] of Object.entries(authResult.headers)) {
+                res.setHeader(key, value);
+              }
+            }
+            if (authResult.error) {
+              return res.status(authResult.status).json({ error: authResult.error });
             }
           }
-          if (authError.error) {
-            return res.status(authError.status).json({ error: authError.error });
-          }
-        }
-        const authConfig = this.mastra.getServer()?.auth;
-        if (authConfig) {
-          const hasPermission = await loadHasPermission();
-          if (hasPermission) {
-            const userPermissions = res.locals.requestContext.get("userPermissions");
-            const permissionError = this.checkRoutePermission(serverRoute, userPermissions, hasPermission);
-            if (permissionError) {
-              return res.status(permissionError.status).json({
-                error: permissionError.error,
-                message: permissionError.message
-              });
+          const authConfig = this.mastra.getServer()?.auth;
+          if (authConfig) {
+            const hasPermission = await loadHasPermission();
+            if (hasPermission) {
+              const userPermissions = res.locals.requestContext.get("userPermissions");
+              const permissionError = this.checkRoutePermission(serverRoute, userPermissions, hasPermission);
+              if (permissionError) {
+                return res.status(permissionError.status).json({
+                  error: permissionError.error,
+                  message: permissionError.message
+                });
+              }
             }
           }
         }
+        const fgaError = await serverAdapter.checkRouteFGA(this.mastra, serverRoute, res.locals.requestContext, {
+          ...matchedRoute?.params ?? {},
+          ...req.query,
+          ...typeof req.body === "object" && req.body !== null ? req.body : {}
+        });
+        if (fgaError) {
+          return res.status(fgaError.status).json({ error: fgaError.error, message: fgaError.message });
+        }
       }
       const response = await this.handleCustomRouteRequest(
         `${req.protocol}://${req.get("host") || "localhost"}${req.originalUrl}`,