@mastra/koa 1.5.0-alpha.0 → 1.5.0-alpha.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/CHANGELOG.md +18 -0
  2. package/dist/index.cjs +68 -43
  3. package/dist/index.cjs.map +1 -1
  4. package/dist/index.d.ts.map +1 -1
  5. package/dist/index.js +70 -45
  6. package/dist/index.js.map +1 -1
  7. package/package.json +7 -7
package/CHANGELOG.md CHANGED
@@ -1,5 +1,23 @@
1
1
  # @mastra/koa
2
2
 
3
+ ## 1.5.0-alpha.2
4
+
5
+ ### Patch Changes
6
+
7
+ - Added FGA enforcement to server adapter middleware, ensuring authorization checks are applied consistently across all built-in adapters. ([#15410](https://github.com/mastra-ai/mastra/pull/15410))
8
+
9
+ - Updated dependencies [[`86c0298`](https://github.com/mastra-ai/mastra/commit/86c0298e647306423c842f9d5ac827bd616bd13d), [`7fce309`](https://github.com/mastra-ai/mastra/commit/7fce30912b14170bfc41f0ac736cca0f39fe0cd4), [`cd96779`](https://github.com/mastra-ai/mastra/commit/cd9677937f113b2856dc8b9f3d4bdabcee58bb2e), [`7997c2e`](https://github.com/mastra-ai/mastra/commit/7997c2e55ddd121562a4098cd8d2b89c68433bf1), [`e97ccb9`](https://github.com/mastra-ai/mastra/commit/e97ccb900f8b7a390ce82c9f8eb8d6eb2c5e3777), [`f5afe62`](https://github.com/mastra-ai/mastra/commit/f5afe62beff3ae69148a35e55fe5375168897829), [`c5daf48`](https://github.com/mastra-ai/mastra/commit/c5daf48556e98c46ae06caf00f92c249912007e9), [`cd96779`](https://github.com/mastra-ai/mastra/commit/cd9677937f113b2856dc8b9f3d4bdabcee58bb2e), [`86c0298`](https://github.com/mastra-ai/mastra/commit/86c0298e647306423c842f9d5ac827bd616bd13d)]:
10
+ - @mastra/core@1.32.0-alpha.2
11
+ - @mastra/server@1.32.0-alpha.2
12
+
13
+ ## 1.5.0-alpha.1
14
+
15
+ ### Patch Changes
16
+
17
+ - Updated dependencies [[`c05c9a1`](https://github.com/mastra-ai/mastra/commit/c05c9a13230988cef6d438a62f37760f31927bc7), [`e24aacb`](https://github.com/mastra-ai/mastra/commit/e24aacba07bd66f5d95b636dc24016fca26b52cf), [`c721164`](https://github.com/mastra-ai/mastra/commit/c7211643f7ac861f83b19a3757cc921487fc9d75), [`1b55954`](https://github.com/mastra-ai/mastra/commit/1b559541c1e08a10e49d01ffc51a634dfc37a286), [`5adc55e`](https://github.com/mastra-ai/mastra/commit/5adc55e63407be8ee977914957d68bcc2a075ceb), [`5adc55e`](https://github.com/mastra-ai/mastra/commit/5adc55e63407be8ee977914957d68bcc2a075ceb), [`70017d7`](https://github.com/mastra-ai/mastra/commit/70017d72ab741b5d7040e2a15c251a317782e39e), [`e4942bc`](https://github.com/mastra-ai/mastra/commit/e4942bc7fdc903572f7d84f26d5e15f9d39c763d)]:
18
+ - @mastra/core@1.32.0-alpha.1
19
+ - @mastra/server@1.32.0-alpha.1
20
+
3
21
  ## 1.5.0-alpha.0
4
22
 
5
23
  ### Minor Changes
package/dist/index.cjs CHANGED
@@ -609,6 +609,16 @@ var MastraServer = class extends serverAdapter.MastraServer {
609
609
  }
610
610
  }
611
611
  }
612
+ const fgaError = await serverAdapter.checkRouteFGA(this.mastra, route, ctx.state.requestContext, {
613
+ ...params.urlParams,
614
+ ...params.queryParams,
615
+ ...typeof params.body === "object" ? params.body : {}
616
+ });
617
+ if (fgaError) {
618
+ ctx.status = fgaError.status;
619
+ ctx.body = { error: fgaError.error, message: fgaError.message };
620
+ return;
621
+ }
612
622
  try {
613
623
  const result = await route.handler(handlerParams);
614
624
  await this.sendResponse(route, ctx, result, prefix);
@@ -888,57 +898,72 @@ var MastraServer = class extends serverAdapter.MastraServer {
888
898
  this.app.use(async function mastraCustomRouteDispatcher(ctx, next) {
889
899
  const path = String(ctx.path || "/");
890
900
  const method = String(ctx.method || "GET");
891
- if (auth.isProtectedCustomRoute(path, method, server.customRouteAuthConfig)) {
901
+ const matchedRoute = auth.findMatchingCustomRoute(
902
+ path,
903
+ method,
904
+ server.customApiRoutes ?? server.mastra.getServer()?.apiRoutes
905
+ );
906
+ const shouldRunCustomRouteAuth = auth.isProtectedCustomRoute(path, method, server.customRouteAuthConfig);
907
+ const shouldRunCustomRouteFGA = !!matchedRoute?.route.fga;
908
+ if (shouldRunCustomRouteAuth || shouldRunCustomRouteFGA) {
892
909
  const serverRoute = {
893
- method,
894
- path,
910
+ method: matchedRoute?.route.method ?? method,
911
+ path: matchedRoute?.route.path ?? path,
895
912
  responseType: "json",
896
913
  handler: async () => {
897
- }
914
+ },
915
+ requiresAuth: matchedRoute?.route.requiresAuth,
916
+ requiresPermission: matchedRoute?.route.requiresPermission,
917
+ fga: matchedRoute?.route.fga
898
918
  };
899
- const authError = await server.checkRouteAuth(serverRoute, {
900
- path,
901
- method,
902
- getHeader: (name) => ctx.headers[name.toLowerCase()],
903
- getQuery: (name) => ctx.query[name],
904
- requestContext: ctx.state.requestContext,
905
- request: toWebRequest2(ctx),
906
- buildAuthorizeContext: () => toWebRequest2(ctx)
907
- });
908
- if (authError) {
909
- if (authError.headers) {
910
- for (const [key, value] of Object.entries(authError.headers)) {
911
- ctx.set(key, value);
919
+ if (shouldRunCustomRouteAuth) {
920
+ const authError = await server.checkRouteAuth(serverRoute, {
921
+ path,
922
+ method,
923
+ getHeader: (name) => ctx.headers[name.toLowerCase()],
924
+ getQuery: (name) => ctx.query[name],
925
+ requestContext: ctx.state.requestContext,
926
+ request: toWebRequest2(ctx),
927
+ buildAuthorizeContext: () => toWebRequest2(ctx)
928
+ });
929
+ if (authError) {
930
+ if (authError.headers) {
931
+ for (const [key, value] of Object.entries(authError.headers)) {
932
+ ctx.set(key, value);
933
+ }
912
934
  }
913
- }
914
- if (authError.error) {
915
- ctx.status = authError.status;
916
- ctx.body = { error: authError.error };
917
- return;
918
- }
919
- }
920
- const authConfig = server.mastra.getServer()?.auth;
921
- if (authConfig) {
922
- let hasPermission;
923
- try {
924
- ({ hasPermission } = await import('@mastra/core/auth/ee'));
925
- } catch {
926
- console.error(
927
- "[@mastra/koa] Auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest"
928
- );
929
- }
930
- if (hasPermission) {
931
- const userPermissions = ctx.state.requestContext.get("userPermissions");
932
- const permissionError = server.checkRoutePermission(serverRoute, userPermissions, hasPermission);
933
- if (permissionError) {
934
- ctx.status = permissionError.status;
935
- ctx.body = {
936
- error: permissionError.error,
937
- message: permissionError.message
938
- };
935
+ if (authError.error) {
936
+ ctx.status = authError.status;
937
+ ctx.body = { error: authError.error };
939
938
  return;
940
939
  }
941
940
  }
941
+ const authConfig = server.mastra.getServer()?.auth;
942
+ if (authConfig) {
943
+ const hasPermission = await loadHasPermission();
944
+ if (hasPermission) {
945
+ const userPermissions = ctx.state.requestContext.get("userPermissions");
946
+ const permissionError = server.checkRoutePermission(serverRoute, userPermissions, hasPermission);
947
+ if (permissionError) {
948
+ ctx.status = permissionError.status;
949
+ ctx.body = {
950
+ error: permissionError.error,
951
+ message: permissionError.message
952
+ };
953
+ return;
954
+ }
955
+ }
956
+ }
957
+ }
958
+ const fgaError = await serverAdapter.checkRouteFGA(server.mastra, serverRoute, ctx.state.requestContext, {
959
+ ...matchedRoute?.params ?? {},
960
+ ...ctx.query,
961
+ ...typeof ctx.request.body === "object" && ctx.request.body !== null ? ctx.request.body : {}
962
+ });
963
+ if (fgaError) {
964
+ ctx.status = fgaError.status;
965
+ ctx.body = { error: fgaError.error, message: fgaError.message };
966
+ return;
942
967
  }
943
968
  }
944
969
  const response = await server.handleCustomRouteRequest(