@mastra/hono 1.1.7 → 1.1.8-alpha.0

package/CHANGELOG.md

@@ -1,5 +1,44 @@
 # @mastra/hono
 
+## 1.1.8-alpha.0
+
+### Patch Changes
+
+- Added RBAC permission enforcement to all server adapters. When an auth provider is configured, each route's required permission is checked against the authenticated user's permissions before the handler runs. Permissions are derived automatically from route paths and HTTP methods using the convention-based system from `@mastra/server`. ([#13163](https://github.com/mastra-ai/mastra/pull/13163))
+
+- Added HTTP request logging middleware. Enable with `apiReqLogs: true` for default settings, or pass a configuration object for fine-grained control. ([#11907](https://github.com/mastra-ai/mastra/pull/11907))
+
+  **Simple activation**
+
+  ```ts
+  const mastra = new Mastra({
+    server: { build: { apiReqLogs: true } },
+  });
+  ```
+
+  **Advanced configuration**
+
+  ```ts
+  const mastra = new Mastra({
+    server: {
+      build: {
+        apiReqLogs: {
+          enabled: true,
+          level: 'debug',
+          excludePaths: ['/health'],
+          includeHeaders: true,
+          includeQueryParams: true,
+          redactHeaders: ['authorization', 'cookie'],
+        },
+      },
+    },
+  });
+  ```
+
+- Updated dependencies [[`504fc8b`](https://github.com/mastra-ai/mastra/commit/504fc8b9d0ddab717577ad3bf9c95ea4bd5377bd), [`f9c150b`](https://github.com/mastra-ai/mastra/commit/f9c150b7595ad05ad9cc9a11098e2944361e8c22), [`88de7e8`](https://github.com/mastra-ai/mastra/commit/88de7e8dfe4b7e1951a9e441bb33136e705ce24e), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`edee4b3`](https://github.com/mastra-ai/mastra/commit/edee4b37dff0af515fc7cc0e8d71ee39e6a762f0), [`3790c75`](https://github.com/mastra-ai/mastra/commit/3790c7578cc6a47d854eb12d89e6b1912867fe29), [`e7a235b`](https://github.com/mastra-ai/mastra/commit/e7a235be6472e0c870ed6c791ddb17c492dc188b), [`d51d298`](https://github.com/mastra-ai/mastra/commit/d51d298953967aab1f58ec965b644d109214f085), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d5f0d8d`](https://github.com/mastra-ai/mastra/commit/d5f0d8d6a03e515ddaa9b5da19b7e44b8357b07b), [`09c3b18`](https://github.com/mastra-ai/mastra/commit/09c3b1802ff14e243a8a8baea327440bc8cc2e32), [`b896379`](https://github.com/mastra-ai/mastra/commit/b8963791c6afa79484645fcec596a201f936b9a2), [`85c84eb`](https://github.com/mastra-ai/mastra/commit/85c84ebb78aebfcba9d209c8e152b16d7a00cb71), [`a89272a`](https://github.com/mastra-ai/mastra/commit/a89272a5d71939b9fcd284e6a6dc1dd091a6bdcf), [`ee9c8df`](https://github.com/mastra-ai/mastra/commit/ee9c8df644f19d055af5f496bf4942705f5a47b7), [`77b4a25`](https://github.com/mastra-ai/mastra/commit/77b4a254e51907f8ff3a3ba95596a18e93ae4b35), [`276246e`](https://github.com/mastra-ai/mastra/commit/276246e0b9066a1ea48bbc70df84dbe528daaf99), [`08ecfdb`](https://github.com/mastra-ai/mastra/commit/08ecfdbdad6fb8285deef86a034bdf4a6047cfca), [`d5f628c`](https://github.com/mastra-ai/mastra/commit/d5f628ca86c6f6f3ff1035d52f635df32dd81cab), [`524c0f3`](https://github.com/mastra-ai/mastra/commit/524c0f3c434c3d9d18f66338dcef383d6161b59c), [`c18a0e9`](https://github.com/mastra-ai/mastra/commit/c18a0e9cef1e4ca004b2963d35e4cfc031971eac), [`4bd21ea`](https://github.com/mastra-ai/mastra/commit/4bd21ea43d44d0a0427414fc047577f9f0aa3bec), [`115a7a4`](https://github.com/mastra-ai/mastra/commit/115a7a47db5e9896fec12ae6507501adb9ec89bf), [`22a48ae`](https://github.com/mastra-ai/mastra/commit/22a48ae2513eb54d8d79dad361fddbca97a155e8), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9311c17`](https://github.com/mastra-ai/mastra/commit/9311c17d7a0640d9c4da2e71b814dc67c57c6369), [`7edf78f`](https://github.com/mastra-ai/mastra/commit/7edf78f80422c43e84585f08ba11df0d4d0b73c5), [`1c4221c`](https://github.com/mastra-ai/mastra/commit/1c4221cf6032ec98d0e094d4ee11da3e48490d96), [`6dbeeb9`](https://github.com/mastra-ai/mastra/commit/6dbeeb94a8b1eebb727300d1a98961f882180794), [`d25b9ea`](https://github.com/mastra-ai/mastra/commit/d25b9eabd400167255a97b690ffbc4ee4097ded5), [`fe1ce5c`](https://github.com/mastra-ai/mastra/commit/fe1ce5c9211c03d561606fda95cbfe7df1d9a9b5), [`b03c0e0`](https://github.com/mastra-ai/mastra/commit/b03c0e0389a799523929a458b0509c9e4244d562), [`0a8366b`](https://github.com/mastra-ai/mastra/commit/0a8366b0a692fcdde56c4d526e4cf03c502ae4ac), [`85664e9`](https://github.com/mastra-ai/mastra/commit/85664e9fd857320fbc245e301f764f45f66f32a3), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`3a3a59e`](https://github.com/mastra-ai/mastra/commit/3a3a59e8ffaa6a985fe3d9a126a3f5ade11a6724), [`3108d4e`](https://github.com/mastra-ai/mastra/commit/3108d4e649c9fddbf03253a6feeb388a5fa9fa5a), [`0c33b2c`](https://github.com/mastra-ai/mastra/commit/0c33b2c9db537f815e1c59e2c898ffce2e395a79), [`191e5bd`](https://github.com/mastra-ai/mastra/commit/191e5bd29b82f5bda35243945790da7bc7b695c2), [`f77cd94`](https://github.com/mastra-ai/mastra/commit/f77cd94c44eabed490384e7d19232a865e13214c), [`e8135c7`](https://github.com/mastra-ai/mastra/commit/e8135c7e300dac5040670eec7eab896ac6092e30), [`daca48f`](https://github.com/mastra-ai/mastra/commit/daca48f0fb17b7ae0b62a2ac40cf0e491b2fd0b7), [`bc79650`](https://github.com/mastra-ai/mastra/commit/bc796500c6e0334faa158a96077e3fb332274869), [`257d14f`](https://github.com/mastra-ai/mastra/commit/257d14faca5931f2e4186fc165b6f0b1f915deee), [`352f25d`](https://github.com/mastra-ai/mastra/commit/352f25da316b24cdd5b410fd8dddf6a8b763da2a), [`93477d0`](https://github.com/mastra-ai/mastra/commit/93477d0769b8a13ea5ed73d508d967fb23eaeed9), [`31c78b3`](https://github.com/mastra-ai/mastra/commit/31c78b3eb28f58a8017f1dcc795c33214d87feac), [`0bc0720`](https://github.com/mastra-ai/mastra/commit/0bc07201095791858087cc56f353fcd65e87ab54), [`36516ac`](https://github.com/mastra-ai/mastra/commit/36516aca1021cbeb42e74751b46a2614101f37c8), [`e947652`](https://github.com/mastra-ai/mastra/commit/e9476527fdecb4449e54570e80dfaf8466901254), [`3c6ef79`](https://github.com/mastra-ai/mastra/commit/3c6ef798481e00d6d22563be2de98818fd4dd5e0), [`9257d01`](https://github.com/mastra-ai/mastra/commit/9257d01d1366d81f84c582fe02b5e200cf9621f4), [`ec248f6`](https://github.com/mastra-ai/mastra/commit/ec248f6b56e8a037c066c49b2178e2507471d988)]:
+  - @mastra/core@1.9.0-alpha.0
+  - @mastra/server@1.9.0-alpha.0
+
 ## 1.1.7
 
 ### Patch Changes

package/LICENSE.md

@@ -1,3 +1,18 @@
+Portions of this software are licensed as follows:
+
+- All content that resides under any directory named "ee/" within this
+  repository, including but not limited to:
+  - `packages/core/src/auth/ee/`
+  - `packages/server/src/server/auth/ee/`
+    is licensed under the license defined in `ee/LICENSE`.
+
+- All third-party components incorporated into the Mastra Software are
+  licensed under the original license provided by the owner of the
+  applicable component.
+
+- Content outside of the above-mentioned directories or restrictions is
+  available under the "Apache License 2.0" as defined below.
+
 # Apache License 2.0
 
 Copyright (c) 2025 Kepler Software, Inc.

package/dist/index.cjs

@@ -3,7 +3,6 @@
 var error = require('@mastra/server/handlers/error');
 var serverAdapter = require('@mastra/server/server-adapter');
 var fetchToNode = require('fetch-to-node');
-var auth = require('@mastra/server/auth');
 
 // src/index.ts
 
@@ -420,119 +419,20 @@ ZodError.create = (issues) => {
   const error = new ZodError(issues);
   return error;
 };
-var authenticationMiddleware = async (c, next) => {
-  const mastra = c.get("mastra");
-  const authConfig = mastra.getServer()?.auth;
-  const customRouteAuthConfig = c.get("customRouteAuthConfig");
-  if (!authConfig) {
-    return next();
-  }
-  const path = c.req.path;
-  const method = c.req.method;
-  const getHeader = (name) => c.req.header(name);
-  if (auth.isDevPlaygroundRequest(path, method, getHeader, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (!auth.isProtectedPath(c.req.path, c.req.method, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (auth.canAccessPublicly(c.req.path, c.req.method, authConfig)) {
-    return next();
-  }
-  const authHeader = c.req.header("Authorization");
-  let token = authHeader ? authHeader.replace("Bearer ", "") : null;
-  if (!token && c.req.query("apiKey")) {
-    token = c.req.query("apiKey") || null;
-  }
-  if (!token) {
-    return c.json({ error: "Authentication required" }, 401);
-  }
-  try {
-    let user;
-    if (typeof authConfig.authenticateToken === "function") {
-      user = await authConfig.authenticateToken(token, c.req);
-    } else {
-      throw new Error("No token verification method configured");
-    }
-    if (!user) {
-      return c.json({ error: "Invalid or expired token" }, 401);
-    }
-    c.get("requestContext").set("user", user);
-    return next();
-  } catch (err) {
-    mastra.getLogger()?.error("Authentication error", {
-      error: err instanceof Error ? { message: err.message, stack: err.stack } : err
-    });
-    return c.json({ error: "Invalid or expired token" }, 401);
-  }
-};
-var authorizationMiddleware = async (c, next) => {
-  const mastra = c.get("mastra");
-  const authConfig = mastra.getServer()?.auth;
-  const customRouteAuthConfig = c.get("customRouteAuthConfig");
-  if (!authConfig) {
-    return next();
-  }
-  const path = c.req.path;
-  const method = c.req.method;
-  const getHeader = (name) => c.req.header(name);
-  if (auth.isDevPlaygroundRequest(path, method, getHeader, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (!auth.isProtectedPath(c.req.path, c.req.method, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (auth.canAccessPublicly(path, method, authConfig)) {
-    return next();
-  }
-  const user = c.get("requestContext").get("user");
-  if ("authorizeUser" in authConfig && typeof authConfig.authorizeUser === "function") {
-    try {
-      const isAuthorized = await authConfig.authorizeUser(user, c.req);
-      if (isAuthorized) {
-        return next();
-      }
-      return c.json({ error: "Access denied" }, 403);
-    } catch (err) {
-      mastra.getLogger()?.error("Authorization error in authorizeUser", {
-        error: err instanceof Error ? { message: err.message, stack: err.stack } : err
-      });
-      return c.json({ error: "Authorization error" }, 500);
-    }
-  }
-  if ("authorize" in authConfig && typeof authConfig.authorize === "function") {
-    try {
-      const isAuthorized = await authConfig.authorize(path, method, user, c);
-      if (isAuthorized) {
-        return next();
-      }
-      return c.json({ error: "Access denied" }, 403);
-    } catch (err) {
-      mastra.getLogger()?.error("Authorization error in authorize", {
-        error: err instanceof Error ? { message: err.message, stack: err.stack } : err,
-        path,
-        method
-      });
-      return c.json({ error: "Authorization error" }, 500);
-    }
-  }
-  if ("rules" in authConfig && authConfig.rules && authConfig.rules.length > 0) {
-    const isAuthorized = await auth.checkRules(authConfig.rules, path, method, user);
-    if (isAuthorized) {
-      return next();
-    }
-    return c.json({ error: "Access denied" }, 403);
-  }
-  if (auth.defaultAuthConfig.rules && auth.defaultAuthConfig.rules.length > 0) {
-    const isAuthorized = await auth.checkRules(auth.defaultAuthConfig.rules, path, method, user);
-    if (isAuthorized) {
-      return next();
-    }
-  }
-  return c.json({ error: "Access denied" }, 403);
-};
 
 // src/index.ts
+var _hasPermissionPromise;
+function loadHasPermission() {
+  if (!_hasPermissionPromise) {
+    _hasPermissionPromise = import('@mastra/core/auth/ee').then((m) => m.hasPermission).catch(() => {
+      console.error(
+        "[@mastra/hono] Auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest"
+      );
+      return void 0;
+    });
+  }
+  return _hasPermissionPromise;
+}
 var MastraServer = class extends serverAdapter.MastraServer {
   createContextMiddleware() {
     return async (c, next) => {
@@ -551,7 +451,8 @@ var MastraServer = class extends serverAdapter.MastraServer {
       let paramsRequestContext;
       if (c.req.method === "POST" || c.req.method === "PUT") {
         const contentType = c.req.header("content-type");
-        if (contentType?.includes("application/json")) {
+        const contentLength = c.req.header("content-length");
+        if (contentType?.includes("application/json") && contentLength !== "0") {
           try {
             const body = await c.req.raw.clone().json();
             if (body.requestContext) {
@@ -777,7 +678,9 @@ var MastraServer = class extends serverAdapter.MastraServer {
           method: c.req.method,
           getHeader: (name) => c.req.header(name),
           getQuery: (name) => c.req.query(name),
-          requestContext: c.get("requestContext")
+          requestContext: c.get("requestContext"),
+          request: c.req.raw,
+          buildAuthorizeContext: () => c
         });
         if (authError) {
           return c.json({ error: authError.error }, authError.status);
@@ -858,8 +761,27 @@ var MastraServer = class extends serverAdapter.MastraServer {
           registeredTools: c.get("registeredTools"),
           taskStore: c.get("taskStore"),
           abortSignal: c.get("abortSignal"),
-          routePrefix: prefix
+          routePrefix: prefix,
+          request: c.req.raw
+          // Standard Request object with headers/cookies
         };
+        const authConfig = this.mastra.getServer()?.auth;
+        if (authConfig) {
+          const hasPermission = await loadHasPermission();
+          if (hasPermission) {
+            const userPermissions = c.get("requestContext").get("userPermissions");
+            const permissionError = this.checkRoutePermission(route, userPermissions, hasPermission);
+            if (permissionError) {
+              return c.json(
+                {
+                  error: permissionError.error,
+                  message: permissionError.message
+                },
+                permissionError.status
+              );
+            }
+          }
+        }
         try {
           const result = await route.handler(handlerParams);
           return this.sendResponse(route, c, result, prefix);
@@ -905,6 +827,43 @@ var MastraServer = class extends serverAdapter.MastraServer {
       const handler = "handler" in route && route.handler ? route.handler : "createHandler" in route ? await route.createHandler({ mastra: this.mastra }) : void 0;
       if (!handler) continue;
       const middlewares = [];
+      const serverRoute = {
+        method: route.method,
+        path: route.path,
+        responseType: "json",
+        handler: async () => {
+        },
+        requiresAuth: route.requiresAuth
+      };
+      middlewares.push(async (c, next) => {
+        const authError = await this.checkRouteAuth(serverRoute, {
+          path: c.req.path,
+          method: c.req.method,
+          getHeader: (name) => c.req.header(name),
+          getQuery: (name) => c.req.query(name),
+          requestContext: c.get("requestContext"),
+          request: c.req.raw,
+          buildAuthorizeContext: () => c
+        });
+        if (authError) {
+          return c.json({ error: authError.error }, authError.status);
+        }
+        const authConfig = this.mastra.getServer()?.auth;
+        if (authConfig) {
+          const hasPermission = await loadHasPermission();
+          if (hasPermission) {
+            const userPermissions = c.get("requestContext").get("userPermissions");
+            const permissionError = this.checkRoutePermission(serverRoute, userPermissions, hasPermission);
+            if (permissionError) {
+              return c.json(
+                { error: permissionError.error, message: permissionError.message },
+                permissionError.status
+              );
+            }
+          }
+        }
+        return next();
+      });
       if (route.middleware) {
         middlewares.push(...Array.isArray(route.middleware) ? route.middleware : [route.middleware]);
       }
@@ -917,12 +876,44 @@ var MastraServer = class extends serverAdapter.MastraServer {
     this.app.use("*", this.createContextMiddleware());
   }
   registerAuthMiddleware() {
-    const authConfig = this.mastra.getServer()?.auth;
-    if (!authConfig) {
+  }
+  registerHttpLoggingMiddleware() {
+    if (!this.httpLoggingConfig?.enabled) {
       return;
     }
-    this.app.use("*", authenticationMiddleware);
-    this.app.use("*", authorizationMiddleware);
+    this.app.use("*", async (c, next) => {
+      if (!this.shouldLogRequest(c.req.path)) {
+        return next();
+      }
+      const start = Date.now();
+      const method = c.req.method;
+      const path = c.req.path;
+      await next();
+      const duration = Date.now() - start;
+      const status = c.res.status;
+      const level = this.httpLoggingConfig?.level || "info";
+      const logData = {
+        method,
+        path,
+        status,
+        duration: `${duration}ms`
+      };
+      if (this.httpLoggingConfig?.includeQueryParams) {
+        logData.query = c.req.query();
+      }
+      if (this.httpLoggingConfig?.includeHeaders) {
+        const headers = Object.fromEntries(c.req.raw.headers.entries());
+        const redactHeaders = this.httpLoggingConfig.redactHeaders || [];
+        redactHeaders.forEach((h) => {
+          const key = h.toLowerCase();
+          if (headers[key] !== void 0) {
+            headers[key] = "[REDACTED]";
+          }
+        });
+        logData.headers = headers;
+      }
+      this.logger[level](`${method} ${path} ${status} ${duration}ms`, logData);
+    });
   }
 };