npm - @mastra/koa - Versions diffs - 1.5.0-alpha.1 → 1.5.0-alpha.3 - Mend

@mastra/koa 1.5.0-alpha.1 → 1.5.0-alpha.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,23 @@
 # @mastra/koa
+## 1.5.0-alpha.3
+### Patch Changes
+- Updated dependencies [[`fb0719a`](https://github.com/mastra-ai/mastra/commit/fb0719aef8072132efbcdca740e265f5f2b98a99), [`ca28c23`](https://github.com/mastra-ai/mastra/commit/ca28c232a2f18801a6cf20fe053479237b4d4fb0), [`39162cb`](https://github.com/mastra-ai/mastra/commit/39162cb952c0053fdd4ed7217ec7802a2027b19d)]:
+  - @mastra/server@1.32.0-alpha.3
+  - @mastra/core@1.32.0-alpha.3
+## 1.5.0-alpha.2
+### Patch Changes
+- Added FGA enforcement to server adapter middleware, ensuring authorization checks are applied consistently across all built-in adapters. ([#15410](https://github.com/mastra-ai/mastra/pull/15410))
+- Updated dependencies [[`86c0298`](https://github.com/mastra-ai/mastra/commit/86c0298e647306423c842f9d5ac827bd616bd13d), [`7fce309`](https://github.com/mastra-ai/mastra/commit/7fce30912b14170bfc41f0ac736cca0f39fe0cd4), [`cd96779`](https://github.com/mastra-ai/mastra/commit/cd9677937f113b2856dc8b9f3d4bdabcee58bb2e), [`7997c2e`](https://github.com/mastra-ai/mastra/commit/7997c2e55ddd121562a4098cd8d2b89c68433bf1), [`e97ccb9`](https://github.com/mastra-ai/mastra/commit/e97ccb900f8b7a390ce82c9f8eb8d6eb2c5e3777), [`f5afe62`](https://github.com/mastra-ai/mastra/commit/f5afe62beff3ae69148a35e55fe5375168897829), [`c5daf48`](https://github.com/mastra-ai/mastra/commit/c5daf48556e98c46ae06caf00f92c249912007e9), [`cd96779`](https://github.com/mastra-ai/mastra/commit/cd9677937f113b2856dc8b9f3d4bdabcee58bb2e), [`86c0298`](https://github.com/mastra-ai/mastra/commit/86c0298e647306423c842f9d5ac827bd616bd13d)]:
+  - @mastra/core@1.32.0-alpha.2
+  - @mastra/server@1.32.0-alpha.2
 ## 1.5.0-alpha.1
 ### Patch Changes

package/dist/index.cjs CHANGED Viewed

@@ -609,6 +609,16 @@ var MastraServer = class extends serverAdapter.MastraServer {
         }
       }
     }
+    const fgaError = await serverAdapter.checkRouteFGA(this.mastra, route, ctx.state.requestContext, {
+      ...params.urlParams,
+      ...params.queryParams,
+      ...typeof params.body === "object" ? params.body : {}
+    });
+    if (fgaError) {
+      ctx.status = fgaError.status;
+      ctx.body = { error: fgaError.error, message: fgaError.message };
+      return;
+    }
     try {
       const result = await route.handler(handlerParams);
       await this.sendResponse(route, ctx, result, prefix);
@@ -888,57 +898,72 @@ var MastraServer = class extends serverAdapter.MastraServer {
     this.app.use(async function mastraCustomRouteDispatcher(ctx, next) {
       const path = String(ctx.path || "/");
       const method = String(ctx.method || "GET");
-      if (auth.isProtectedCustomRoute(path, method, server.customRouteAuthConfig)) {
+      const matchedRoute = auth.findMatchingCustomRoute(
+        path,
+        method,
+        server.customApiRoutes ?? server.mastra.getServer()?.apiRoutes
+      );
+      const shouldRunCustomRouteAuth = auth.isProtectedCustomRoute(path, method, server.customRouteAuthConfig);
+      const shouldRunCustomRouteFGA = !!matchedRoute?.route.fga;
+      if (shouldRunCustomRouteAuth || shouldRunCustomRouteFGA) {
         const serverRoute = {
-          method,
-          path,
+          method: matchedRoute?.route.method ?? method,
+          path: matchedRoute?.route.path ?? path,
           responseType: "json",
           handler: async () => {
-          }
+          },
+          requiresAuth: matchedRoute?.route.requiresAuth,
+          requiresPermission: matchedRoute?.route.requiresPermission,
+          fga: matchedRoute?.route.fga
         };
-        const authError = await server.checkRouteAuth(serverRoute, {
-          path,
-          method,
-          getHeader: (name) => ctx.headers[name.toLowerCase()],
-          getQuery: (name) => ctx.query[name],
-          requestContext: ctx.state.requestContext,
-          request: toWebRequest2(ctx),
-          buildAuthorizeContext: () => toWebRequest2(ctx)
-        });
-        if (authError) {
-          if (authError.headers) {
-            for (const [key, value] of Object.entries(authError.headers)) {
-              ctx.set(key, value);
+        if (shouldRunCustomRouteAuth) {
+          const authError = await server.checkRouteAuth(serverRoute, {
+            path,
+            method,
+            getHeader: (name) => ctx.headers[name.toLowerCase()],
+            getQuery: (name) => ctx.query[name],
+            requestContext: ctx.state.requestContext,
+            request: toWebRequest2(ctx),
+            buildAuthorizeContext: () => toWebRequest2(ctx)
+          });
+          if (authError) {
+            if (authError.headers) {
+              for (const [key, value] of Object.entries(authError.headers)) {
+                ctx.set(key, value);
+              }
             }
-          }
-          if (authError.error) {
-            ctx.status = authError.status;
-            ctx.body = { error: authError.error };
-            return;
-          }
-        }
-        const authConfig = server.mastra.getServer()?.auth;
-        if (authConfig) {
-          let hasPermission;
-          try {
-            ({ hasPermission } = await import('@mastra/core/auth/ee'));
-          } catch {
-            console.error(
-              "[@mastra/koa] Auth features require @mastra/core >= 1.6.0. Please upgrade: npm install @mastra/core@latest"
-            );
-          }
-          if (hasPermission) {
-            const userPermissions = ctx.state.requestContext.get("userPermissions");
-            const permissionError = server.checkRoutePermission(serverRoute, userPermissions, hasPermission);
-            if (permissionError) {
-              ctx.status = permissionError.status;
-              ctx.body = {
-                error: permissionError.error,
-                message: permissionError.message
-              };
+            if (authError.error) {
+              ctx.status = authError.status;
+              ctx.body = { error: authError.error };
               return;
             }
           }
+          const authConfig = server.mastra.getServer()?.auth;
+          if (authConfig) {
+            const hasPermission = await loadHasPermission();
+            if (hasPermission) {
+              const userPermissions = ctx.state.requestContext.get("userPermissions");
+              const permissionError = server.checkRoutePermission(serverRoute, userPermissions, hasPermission);
+              if (permissionError) {
+                ctx.status = permissionError.status;
+                ctx.body = {
+                  error: permissionError.error,
+                  message: permissionError.message
+                };
+                return;
+              }
+            }
+          }
+        }
+        const fgaError = await serverAdapter.checkRouteFGA(server.mastra, serverRoute, ctx.state.requestContext, {
+          ...matchedRoute?.params ?? {},
+          ...ctx.query,
+          ...typeof ctx.request.body === "object" && ctx.request.body !== null ? ctx.request.body : {}
+        });
+        if (fgaError) {
+          ctx.status = fgaError.status;
+          ctx.body = { error: fgaError.error, message: fgaError.message };
+          return;
         }
       }
       const response = await server.handleCustomRouteRequest(