@mastra/koa 1.2.3 → 1.2.4

package/dist/index.js

@@ -1,7 +1,7 @@
 import { Busboy } from '@fastify/busboy';
+import { isProtectedCustomRoute } from '@mastra/server/auth';
 import { formatZodError } from '@mastra/server/handlers/error';
 import { MastraServer as MastraServer$1, redactStreamChunk, normalizeQueryParams } from '@mastra/server/server-adapter';
-import { isDevPlaygroundRequest, isProtectedPath, canAccessPublicly, checkRules, defaultAuthConfig } from '@mastra/server/auth';
 
 // src/index.ts
 
@@ -211,148 +211,39 @@ ZodError.create = (issues) => {
   const error = new ZodError(issues);
   return error;
 };
-var authenticationMiddleware = async (ctx, next) => {
-  const mastra = ctx.state.mastra;
-  const authConfig = mastra.getServer()?.auth;
-  const customRouteAuthConfig = ctx.state.customRouteAuthConfig;
-  if (!authConfig) {
-    return next();
-  }
-  const path = String(ctx.path || "/");
-  const method = String(ctx.method || "GET");
-  const getHeader = (name) => ctx.headers[name.toLowerCase()];
-  if (isDevPlaygroundRequest(path, method, getHeader, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (!isProtectedPath(path, method, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (canAccessPublicly(path, method, authConfig)) {
-    return next();
-  }
-  const authHeader = ctx.headers.authorization;
-  let token = authHeader ? authHeader.replace("Bearer ", "") : null;
-  const query = ctx.query;
-  if (!token && query.apiKey) {
-    token = query.apiKey || null;
-  }
-  if (!token) {
-    ctx.status = 401;
-    ctx.body = { error: "Authentication required" };
-    return;
-  }
-  try {
-    let user;
-    if (typeof authConfig.authenticateToken === "function") {
-      user = await authConfig.authenticateToken(token, ctx.request);
-    } else {
-      throw new Error("No token verification method configured");
-    }
-    if (!user) {
-      ctx.status = 401;
-      ctx.body = { error: "Invalid or expired token" };
-      return;
-    }
-    ctx.state.requestContext.set("user", user);
-    return next();
-  } catch (err) {
-    mastra.getLogger()?.error("Authentication error", {
-      error: err instanceof Error ? { message: err.message, stack: err.stack } : err
+
+// src/index.ts
+var _hasPermissionPromise;
+function loadHasPermission() {
+  if (!_hasPermissionPromise) {
+    _hasPermissionPromise = import('@mastra/core/auth/ee').then((m) => m.hasPermission).catch(() => {
+      console.error(
+        "[@mastra/koa] Auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest"
+      );
+      return void 0;
     });
-    ctx.status = 401;
-    ctx.body = { error: "Invalid or expired token" };
-    return;
-  }
-};
-var authorizationMiddleware = async (ctx, next) => {
-  const mastra = ctx.state.mastra;
-  const authConfig = mastra.getServer()?.auth;
-  const customRouteAuthConfig = ctx.state.customRouteAuthConfig;
-  if (!authConfig) {
-    return next();
-  }
-  const path = String(ctx.path || "/");
-  const method = String(ctx.method || "GET");
-  const getHeader = (name) => ctx.headers[name.toLowerCase()];
-  if (isDevPlaygroundRequest(path, method, getHeader, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (!isProtectedPath(path, method, authConfig, customRouteAuthConfig)) {
-    return next();
-  }
-  if (canAccessPublicly(path, method, authConfig)) {
-    return next();
   }
-  const user = ctx.state.requestContext.get("user");
-  if ("authorizeUser" in authConfig && typeof authConfig.authorizeUser === "function") {
-    try {
-      const isAuthorized = await authConfig.authorizeUser(user, ctx.request);
-      if (isAuthorized) {
-        return next();
-      }
-      ctx.status = 403;
-      ctx.body = { error: "Access denied" };
-      return;
-    } catch (err) {
-      mastra.getLogger()?.error("Authorization error in authorizeUser", {
-        error: err instanceof Error ? { message: err.message, stack: err.stack } : err
-      });
-      ctx.status = 500;
-      ctx.body = { error: "Authorization error" };
-      return;
-    }
-  }
-  if ("authorize" in authConfig && typeof authConfig.authorize === "function") {
-    try {
-      const context = {
-        get: (key) => {
-          if (key === "mastra") return ctx.state.mastra;
-          if (key === "requestContext") return ctx.state.requestContext;
-          if (key === "tools") return ctx.state.tools;
-          if (key === "taskStore") return ctx.state.taskStore;
-          if (key === "customRouteAuthConfig") return ctx.state.customRouteAuthConfig;
-          return void 0;
-        },
-        req: ctx.request
-      };
-      const isAuthorized = await authConfig.authorize(path, method, user, context);
-      if (isAuthorized) {
-        return next();
+  return _hasPermissionPromise;
+}
+function toWebRequest(ctx) {
+  const protocol = ctx.protocol || "http";
+  const host = ctx.host || "localhost";
+  const url = `${protocol}://${host}${ctx.url}`;
+  const headers = new Headers();
+  for (const [key, value] of Object.entries(ctx.headers)) {
+    if (value) {
+      if (Array.isArray(value)) {
+        value.forEach((v) => headers.append(key, v));
+      } else {
+        headers.set(key, value);
       }
-      ctx.status = 403;
-      ctx.body = { error: "Access denied" };
-      return;
-    } catch (err) {
-      mastra.getLogger()?.error("Authorization error in authorize", {
-        error: err instanceof Error ? { message: err.message, stack: err.stack } : err,
-        path,
-        method
-      });
-      ctx.status = 500;
-      ctx.body = { error: "Authorization error" };
-      return;
-    }
-  }
-  if ("rules" in authConfig && authConfig.rules && authConfig.rules.length > 0) {
-    const isAuthorized = await checkRules(authConfig.rules, path, method, user);
-    if (isAuthorized) {
-      return next();
-    }
-    ctx.status = 403;
-    ctx.body = { error: "Access denied" };
-    return;
-  }
-  if (defaultAuthConfig.rules && defaultAuthConfig.rules.length > 0) {
-    const isAuthorized = await checkRules(defaultAuthConfig.rules, path, method, user);
-    if (isAuthorized) {
-      return next();
     }
   }
-  ctx.status = 403;
-  ctx.body = { error: "Access denied" };
-};
-
-// src/index.ts
+  return new globalThis.Request(url, {
+    method: ctx.method,
+    headers
+  });
+}
 var MastraServer = class extends MastraServer$1 {
   async init() {
     this.registerErrorMiddleware();
@@ -610,7 +501,8 @@ var MastraServer = class extends MastraServer$1 {
   async sendResponse(route, ctx, result, prefix) {
     const resolvedPrefix = prefix ?? this.prefix ?? "";
     if (route.responseType === "json") {
-      ctx.body = result;
+      ctx.type = "application/json";
+      ctx.body = result === null || result === void 0 ? JSON.stringify(null) : result;
     } else if (route.responseType === "stream") {
       await this.stream(route, ctx, result);
     } else if (route.responseType === "datastream-response") {
@@ -713,7 +605,9 @@ var MastraServer = class extends MastraServer$1 {
         method: String(ctx.method || "GET"),
         getHeader: (name) => ctx.headers[name.toLowerCase()],
         getQuery: (name) => ctx.query[name],
-        requestContext: ctx.state.requestContext
+        requestContext: ctx.state.requestContext,
+        request: toWebRequest(ctx),
+        buildAuthorizeContext: () => toWebRequest(ctx)
       });
       if (authError) {
         ctx.status = authError.status;
@@ -800,6 +694,22 @@ var MastraServer = class extends MastraServer$1 {
         abortSignal: ctx.state.abortSignal,
         routePrefix: prefix
       };
+      const authConfig = this.mastra.getServer()?.auth;
+      if (authConfig) {
+        const hasPermission = await loadHasPermission();
+        if (hasPermission) {
+          const userPermissions = ctx.state.requestContext.get("userPermissions");
+          const permissionError = this.checkRoutePermission(route, userPermissions, hasPermission);
+          if (permissionError) {
+            ctx.status = permissionError.status;
+            ctx.body = {
+              error: permissionError.error,
+              message: permissionError.message
+            };
+            return;
+          }
+        }
+      }
       try {
         const result = await route.handler(handlerParams);
         await this.sendResponse(route, ctx, result, prefix);
@@ -844,6 +754,54 @@ var MastraServer = class extends MastraServer$1 {
   async registerCustomApiRoutes() {
     if (!await this.buildCustomRouteHandler()) return;
     this.app.use(async (ctx, next) => {
+      const path = String(ctx.path || "/");
+      const method = String(ctx.method || "GET");
+      if (isProtectedCustomRoute(path, method, this.customRouteAuthConfig)) {
+        const serverRoute = {
+          method,
+          path,
+          responseType: "json",
+          handler: async () => {
+          }
+        };
+        const authError = await this.checkRouteAuth(serverRoute, {
+          path,
+          method,
+          getHeader: (name) => ctx.headers[name.toLowerCase()],
+          getQuery: (name) => ctx.query[name],
+          requestContext: ctx.state.requestContext,
+          request: toWebRequest(ctx),
+          buildAuthorizeContext: () => toWebRequest(ctx)
+        });
+        if (authError) {
+          ctx.status = authError.status;
+          ctx.body = { error: authError.error };
+          return;
+        }
+        const authConfig = this.mastra.getServer()?.auth;
+        if (authConfig) {
+          let hasPermission;
+          try {
+            ({ hasPermission } = await import('@mastra/core/auth/ee'));
+          } catch {
+            console.error(
+              "[@mastra/koa] Auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest"
+            );
+          }
+          if (hasPermission) {
+            const userPermissions = ctx.state.requestContext.get("userPermissions");
+            const permissionError = this.checkRoutePermission(serverRoute, userPermissions, hasPermission);
+            if (permissionError) {
+              ctx.status = permissionError.status;
+              ctx.body = {
+                error: permissionError.error,
+                message: permissionError.message
+              };
+              return;
+            }
+          }
+        }
+      }
       const response = await this.handleCustomRouteRequest(
         `${ctx.protocol}://${ctx.host}${ctx.originalUrl || ctx.url}`,
         ctx.method,
@@ -860,12 +818,44 @@ var MastraServer = class extends MastraServer$1 {
     this.app.use(this.createContextMiddleware());
   }
   registerAuthMiddleware() {
-    const authConfig = this.mastra.getServer()?.auth;
-    if (!authConfig) {
+  }
+  registerHttpLoggingMiddleware() {
+    if (!this.httpLoggingConfig?.enabled) {
       return;
     }
-    this.app.use(authenticationMiddleware);
-    this.app.use(authorizationMiddleware);
+    this.app.use(async (ctx, next) => {
+      if (!this.shouldLogRequest(ctx.path)) {
+        return next();
+      }
+      const start = Date.now();
+      const method = ctx.method;
+      const path = ctx.path;
+      await next();
+      const duration = Date.now() - start;
+      const status = ctx.status;
+      const level = this.httpLoggingConfig?.level || "info";
+      const logData = {
+        method,
+        path,
+        status,
+        duration: `${duration}ms`
+      };
+      if (this.httpLoggingConfig?.includeQueryParams) {
+        logData.query = ctx.query;
+      }
+      if (this.httpLoggingConfig?.includeHeaders) {
+        const headers = { ...ctx.headers };
+        const redactHeaders = this.httpLoggingConfig.redactHeaders || [];
+        redactHeaders.forEach((h) => {
+          const key = h.toLowerCase();
+          if (headers[key] !== void 0) {
+            headers[key] = "[REDACTED]";
+          }
+        });
+        logData.headers = headers;
+      }
+      this.logger[level](`${method} ${path} ${status} ${duration}ms`, logData);
+    });
   }
 };