@mastra/server 1.0.4 → 1.1.0-alpha.0

package/dist/chunk-AAHPYUEC.cjs

@@ -0,0 +1,211 @@
+'use strict';
+
+// src/server/auth/defaults.ts
+var defaultAuthConfig = {
+  protected: ["/api/*"],
+  public: ["/api"],
+  // Simple rule system
+  rules: [
+    // Admin users can do anything
+    {
+      condition: (user) => {
+        if (typeof user === "object" && user !== null) {
+          if ("isAdmin" in user) {
+            return !!user.isAdmin;
+          }
+          if ("role" in user) {
+            return user.role === "admin";
+          }
+        }
+        return false;
+      },
+      allow: true
+    }
+  ]
+};
+
+// src/server/auth/path-pattern.ts
+function parse(input, loose) {
+  if (input instanceof RegExp) return { keys: false, pattern: input };
+  let c;
+  let o;
+  let tmp;
+  let ext;
+  const keys = [];
+  let pattern = "";
+  const arr = input.split("/");
+  arr[0] || arr.shift();
+  while (tmp = arr.shift()) {
+    c = tmp[0];
+    if (c === "*") {
+      keys.push(c);
+      pattern += tmp[1] === "?" ? "(?:/(.*))?" : "/(.*)";
+    } else if (c === ":") {
+      o = tmp.indexOf("?", 1);
+      ext = tmp.indexOf(".", 1);
+      keys.push(tmp.substring(1, !!~o ? o : !!~ext ? ext : tmp.length));
+      pattern += !!~o && !~ext ? "(?:/([^/]+?))?" : "/([^/]+?)";
+      if (!!~ext) pattern += (!!~o ? "?" : "") + "\\" + tmp.substring(ext);
+    } else {
+      pattern += "/" + tmp;
+    }
+  }
+  return {
+    keys,
+    pattern: new RegExp("^" + pattern + ("/?$"), "i")
+  };
+}
+
+// src/server/auth/helpers.ts
+var isProtectedCustomRoute = (path, method, customRouteAuthConfig) => {
+  if (!customRouteAuthConfig) {
+    return false;
+  }
+  const exactRouteKey = `${method}:${path}`;
+  if (customRouteAuthConfig.has(exactRouteKey)) {
+    return customRouteAuthConfig.get(exactRouteKey) === true;
+  }
+  const allRouteKey = `ALL:${path}`;
+  if (customRouteAuthConfig.has(allRouteKey)) {
+    return customRouteAuthConfig.get(allRouteKey) === true;
+  }
+  for (const [routeKey, requiresAuth] of customRouteAuthConfig.entries()) {
+    const colonIndex = routeKey.indexOf(":");
+    if (colonIndex === -1) {
+      continue;
+    }
+    const routeMethod = routeKey.substring(0, colonIndex);
+    const routePattern = routeKey.substring(colonIndex + 1);
+    if (routeMethod !== method && routeMethod !== "ALL") {
+      continue;
+    }
+    if (pathMatchesPattern(path, routePattern)) {
+      return requiresAuth === true;
+    }
+  }
+  return false;
+};
+var isDevPlaygroundRequest = (path, method, getHeader, authConfig, customRouteAuthConfig) => {
+  const protectedAccess = [...defaultAuthConfig.protected || [], ...authConfig.protected || []];
+  return process.env.MASTRA_DEV === "true" && // Allow if path doesn't match protected patterns AND is not a protected custom route
+  (!isAnyMatch(path, method, protectedAccess) && !isProtectedCustomRoute(path, method, customRouteAuthConfig) || // Or if has playground header
+  getHeader("x-mastra-dev-playground") === "true");
+};
+var isCustomRoutePublic = (path, method, customRouteAuthConfig) => {
+  if (!customRouteAuthConfig) {
+    return false;
+  }
+  const exactRouteKey = `${method}:${path}`;
+  if (customRouteAuthConfig.has(exactRouteKey)) {
+    return !customRouteAuthConfig.get(exactRouteKey);
+  }
+  const allRouteKey = `ALL:${path}`;
+  if (customRouteAuthConfig.has(allRouteKey)) {
+    return !customRouteAuthConfig.get(allRouteKey);
+  }
+  for (const [routeKey, requiresAuth] of customRouteAuthConfig.entries()) {
+    const colonIndex = routeKey.indexOf(":");
+    if (colonIndex === -1) {
+      continue;
+    }
+    const routeMethod = routeKey.substring(0, colonIndex);
+    const routePattern = routeKey.substring(colonIndex + 1);
+    if (routeMethod !== method && routeMethod !== "ALL") {
+      continue;
+    }
+    if (pathMatchesPattern(path, routePattern)) {
+      return !requiresAuth;
+    }
+  }
+  return false;
+};
+var isProtectedPath = (path, method, authConfig, customRouteAuthConfig) => {
+  const protectedAccess = [...defaultAuthConfig.protected || [], ...authConfig.protected || []];
+  return isAnyMatch(path, method, protectedAccess) || !isCustomRoutePublic(path, method, customRouteAuthConfig);
+};
+var canAccessPublicly = (path, method, authConfig) => {
+  const publicAccess = [...defaultAuthConfig.public || [], ...authConfig.public || []];
+  return isAnyMatch(path, method, publicAccess);
+};
+var isAnyMatch = (path, method, patterns) => {
+  if (!patterns) {
+    return false;
+  }
+  for (const patternPathOrMethod of patterns) {
+    if (patternPathOrMethod instanceof RegExp) {
+      if (patternPathOrMethod.test(path)) {
+        return true;
+      }
+    }
+    if (typeof patternPathOrMethod === "string" && pathMatchesPattern(path, patternPathOrMethod)) {
+      return true;
+    }
+    if (Array.isArray(patternPathOrMethod) && patternPathOrMethod.length === 2) {
+      const [pattern, methodOrMethods] = patternPathOrMethod;
+      if (pathMatchesPattern(path, pattern) && matchesOrIncludes(methodOrMethods, method)) {
+        return true;
+      }
+    }
+  }
+  return false;
+};
+var pathMatchesPattern = (path, pattern) => {
+  const { pattern: regex } = parse(pattern);
+  return regex.test(path);
+};
+var pathMatchesRule = (path, rulePath) => {
+  if (!rulePath) return true;
+  if (typeof rulePath === "string") {
+    return pathMatchesPattern(path, rulePath);
+  }
+  if (rulePath instanceof RegExp) {
+    return rulePath.test(path);
+  }
+  if (Array.isArray(rulePath)) {
+    return rulePath.some((p) => pathMatchesPattern(path, p));
+  }
+  return false;
+};
+var matchesOrIncludes = (values, value) => {
+  if (typeof values === "string") {
+    return values === value;
+  }
+  if (Array.isArray(values)) {
+    return values.includes(value);
+  }
+  return false;
+};
+var checkRules = async (rules, path, method, user) => {
+  for (const i in rules || []) {
+    const rule = rules?.[i];
+    if (!pathMatchesRule(path, rule.path)) {
+      continue;
+    }
+    if (rule.methods && !matchesOrIncludes(rule.methods, method)) {
+      continue;
+    }
+    const condition = rule.condition;
+    if (typeof condition === "function") {
+      const allowed = await Promise.resolve().then(() => condition(user)).catch(() => false);
+      if (allowed) {
+        return true;
+      }
+    } else if (rule.allow) {
+      return true;
+    }
+  }
+  return false;
+};
+
+exports.canAccessPublicly = canAccessPublicly;
+exports.checkRules = checkRules;
+exports.defaultAuthConfig = defaultAuthConfig;
+exports.isCustomRoutePublic = isCustomRoutePublic;
+exports.isDevPlaygroundRequest = isDevPlaygroundRequest;
+exports.isProtectedCustomRoute = isProtectedCustomRoute;
+exports.isProtectedPath = isProtectedPath;
+exports.matchesOrIncludes = matchesOrIncludes;
+exports.pathMatchesPattern = pathMatchesPattern;
+exports.pathMatchesRule = pathMatchesRule;
+//# sourceMappingURL=chunk-AAHPYUEC.cjs.map
+//# sourceMappingURL=chunk-AAHPYUEC.cjs.map

package/dist/chunk-AAHPYUEC.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/server/auth/defaults.ts","../src/server/auth/path-pattern.ts","../src/server/auth/helpers.ts"],"names":[],"mappings":";;;AAGO,IAAM,iBAAA,GAAsC;AAAA,EACjD,SAAA,EAAW,CAAC,QAAQ,CAAA;AAAA,EACpB,MAAA,EAAQ,CAAC,MAAM,CAAA;AAAA;AAAA,EAEf,KAAA,EAAO;AAAA;AAAA,IAEL;AAAA,MACE,WAAW,CAAA,IAAA,KAAQ;AACjB,QAAA,IAAI,OAAO,IAAA,KAAS,QAAA,IAAY,IAAA,KAAS,IAAA,EAAM;AAC7C,UAAA,IAAI,aAAa,IAAA,EAAM;AACrB,YAAA,OAAO,CAAC,CAAC,IAAA,CAAK,OAAA;AAAA,UAChB;AAEA,UAAA,IAAI,UAAU,IAAA,EAAM;AAClB,YAAA,OAAO,KAAK,IAAA,KAAS,OAAA;AAAA,UACvB;AAAA,QACF;AACA,QAAA,OAAO,KAAA;AAAA,MACT,CAAA;AAAA,MACA,KAAA,EAAO;AAAA;AACT;AAEJ;;;ACcO,SAAS,KAAA,CAAM,OAAwB,KAAA,EAAgC;AAC5E,EAAA,IAAI,iBAAiB,MAAA,EAAQ,OAAO,EAAE,IAAA,EAAM,KAAA,EAAO,SAAS,KAAA,EAAM;AAElE,EAAA,IAAI,CAAA;AACJ,EAAA,IAAI,CAAA;AACJ,EAAA,IAAI,GAAA;AACJ,EAAA,IAAI,GAAA;AACJ,EAAA,MAAM,OAAiB,EAAC;AACxB,EAAA,IAAI,OAAA,GAAU,EAAA;AACd,EAAA,MAAM,GAAA,GAAM,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA;AAE3B,EAAA,GAAA,CAAI,CAAC,CAAA,IAAK,GAAA,CAAI,KAAA,EAAM;AAEpB,EAAA,OAAQ,GAAA,GAAM,GAAA,CAAI,KAAA,EAAM,EAAI;AAC1B,IAAA,CAAA,GAAI,IAAI,CAAC,CAAA;AACT,IAAA,IAAI,MAAM,GAAA,EAAK;AACb,MAAA,IAAA,CAAK,KAAK,CAAC,CAAA;AACX,MAAA,OAAA,IAAW,GAAA,CAAI,CAAC,CAAA,KAAM,GAAA,GAAM,YAAA,GAAe,OAAA;AAAA,IAC7C,CAAA,MAAA,IAAW,MAAM,GAAA,EAAK;AACpB,MAAA,CAAA,GAAI,GAAA,CAAI,OAAA,CAAQ,GAAA,EAAK,CAAC,CAAA;AACtB,MAAA,GAAA,GAAM,GAAA,CAAI,OAAA,CAAQ,GAAA,EAAK,CAAC,CAAA;AACxB,MAAA,IAAA,CAAK,KAAK,GAAA,CAAI,SAAA,CAAU,CAAA,EAAG,CAAC,CAAC,CAAC,CAAA,GAAI,CAAA,GAAI,CAAC,CAAC,CAAC,GAAA,GAAM,GAAA,GAAM,GAAA,CAAI,MAAM,CAAC,CAAA;AAChE,MAAA,OAAA,IAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,MAAM,gBAAA,GAAmB,WAAA;AAC9C,MAAA,IAAI,CAAC,CAAC,CAAC,GAAA,cAAiB,CAAC,CAAC,CAAC,CAAA,GAAI,GAAA,GAAM,EAAA,IAAM,IAAA,GAAO,GAAA,CAAI,UAAU,GAAG,CAAA;AAAA,IACrE,CAAA,MAAO;AACL,MAAA,OAAA,IAAW,GAAA,GAAM,GAAA;AAAA,IACnB;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,IAAA;AAAA,IACA,OAAA,EAAS,IAAI,MAAA,CAAO,GAAA,GAAM,WAA+B,QAAQ,GAAG;AAAA,GACtE;AACF;;;AC9DO,IAAM,sBAAA,GAAyB,CACpC,IAAA,EACA,MAAA,EACA,qBAAA,KACY;AACZ,EAAA,IAAI,CAAC,qBAAA,EAAuB;AAC1B,IAAA,OAAO,KAAA;AAAA,EACT;AAGA,EAAA,MAAM,aAAA,GAAgB,CAAA,EAAG,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,CAAA;AACvC,EAAA,IAAI,qBAAA,CAAsB,GAAA,CAAI,aAAa,CAAA,EAAG;AAC5C,IAAA,OAAO,qBAAA,CAAsB,GAAA,CAAI,aAAa,CAAA,KAAM,IAAA;AAAA,EACtD;AAGA,EAAA,MAAM,WAAA,GAAc,OAAO,IAAI,CAAA,CAAA;AAC/B,EAAA,IAAI,qBAAA,CAAsB,GAAA,CAAI,WAAW,CAAA,EAAG;AAC1C,IAAA,OAAO,qBAAA,CAAsB,GAAA,CAAI,WAAW,CAAA,KAAM,IAAA;AAAA,EACpD;AAGA,EAAA,KAAA,MAAW,CAAC,QAAA,EAAU,YAAY,CAAA,IAAK,qBAAA,CAAsB,SAAQ,EAAG;AACtE,IAAA,MAAM,UAAA,GAAa,QAAA,CAAS,OAAA,CAAQ,GAAG,CAAA;AACvC,IAAA,IAAI,eAAe,EAAA,EAAI;AACrB,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,WAAA,GAAc,QAAA,CAAS,SAAA,CAAU,CAAA,EAAG,UAAU,CAAA;AACpD,IAAA,MAAM,YAAA,GAAe,QAAA,CAAS,SAAA,CAAU,UAAA,GAAa,CAAC,CAAA;AAGtD,IAAA,IAAI,WAAA,KAAgB,MAAA,IAAU,WAAA,KAAgB,KAAA,EAAO;AACnD,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,kBAAA,CAAmB,IAAA,EAAM,YAAY,CAAA,EAAG;AAC1C,MAAA,OAAO,YAAA,KAAiB,IAAA;AAAA,IAC1B;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;AAOO,IAAM,yBAAyB,CACpC,IAAA,EACA,MAAA,EACA,SAAA,EACA,YACA,qBAAA,KACY;AACZ,EAAA,MAAM,eAAA,GAAkB,CAAC,GAAI,iBAAA,CAAkB,SAAA,IAAa,EAAC,EAAI,GAAI,UAAA,CAAW,SAAA,IAAa,EAAG,CAAA;AAChG,EAAA,OACE,OAAA,CAAQ,IAAI,UAAA,KAAe,MAAA;AAAA,GAEzB,CAAC,UAAA,CAAW,IAAA,EAAM,MAAA,EAAQ,eAAe,KAAK,CAAC,sBAAA,CAAuB,IAAA,EAAM,MAAA,EAAQ,qBAAqB,CAAA;AAAA,EAEzG,SAAA,CAAU,yBAAyB,CAAA,KAAM,MAAA,CAAA;AAE/C;AAEO,IAAM,mBAAA,GAAsB,CACjC,IAAA,EACA,MAAA,EACA,qBAAA,KACY;AACZ,EAAA,IAAI,CAAC,qBAAA,EAAuB;AAC1B,IAAA,OAAO,KAAA;AAAA,EACT;AAGA,EAAA,MAAM,aAAA,GAAgB,CAAA,EAAG,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,CAAA;AACvC,EAAA,IAAI,qBAAA,CAAsB,GAAA,CAAI,aAAa,CAAA,EAAG;AAC5C,IAAA,OAAO,CAAC,qBAAA,CAAsB,GAAA,CAAI,aAAa,CAAA;AAAA,EACjD;AAGA,EAAA,MAAM,WAAA,GAAc,OAAO,IAAI,CAAA,CAAA;AAC/B,EAAA,IAAI,qBAAA,CAAsB,GAAA,CAAI,WAAW,CAAA,EAAG;AAC1C,IAAA,OAAO,CAAC,qBAAA,CAAsB,GAAA,CAAI,WAAW,CAAA;AAAA,EAC/C;AAGA,EAAA,KAAA,MAAW,CAAC,QAAA,EAAU,YAAY,CAAA,IAAK,qBAAA,CAAsB,SAAQ,EAAG;AACtE,IAAA,MAAM,UAAA,GAAa,QAAA,CAAS,OAAA,CAAQ,GAAG,CAAA;AACvC,IAAA,IAAI,eAAe,EAAA,EAAI;AACrB,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,WAAA,GAAc,QAAA,CAAS,SAAA,CAAU,CAAA,EAAG,UAAU,CAAA;AACpD,IAAA,MAAM,YAAA,GAAe,QAAA,CAAS,SAAA,CAAU,UAAA,GAAa,CAAC,CAAA;AAGtD,IAAA,IAAI,WAAA,KAAgB,MAAA,IAAU,WAAA,KAAgB,KAAA,EAAO;AACnD,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,kBAAA,CAAmB,IAAA,EAAM,YAAY,CAAA,EAAG;AAC1C,MAAA,OAAO,CAAC,YAAA;AAAA,IACV;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;AAEO,IAAM,eAAA,GAAkB,CAC7B,IAAA,EACA,MAAA,EACA,YACA,qBAAA,KACY;AACZ,EAAA,MAAM,eAAA,GAAkB,CAAC,GAAI,iBAAA,CAAkB,SAAA,IAAa,EAAC,EAAI,GAAI,UAAA,CAAW,SAAA,IAAa,EAAG,CAAA;AAChG,EAAA,OAAO,UAAA,CAAW,MAAM,MAAA,EAAQ,eAAe,KAAK,CAAC,mBAAA,CAAoB,IAAA,EAAM,MAAA,EAAQ,qBAAqB,CAAA;AAC9G;AAEO,IAAM,iBAAA,GAAoB,CAAC,IAAA,EAAc,MAAA,EAAgB,UAAA,KAA0C;AAExG,EAAA,MAAM,YAAA,GAAe,CAAC,GAAI,iBAAA,CAAkB,MAAA,IAAU,EAAC,EAAI,GAAI,UAAA,CAAW,MAAA,IAAU,EAAG,CAAA;AAEvF,EAAA,OAAO,UAAA,CAAW,IAAA,EAAM,MAAA,EAAQ,YAAY,CAAA;AAC9C;AAEA,IAAM,UAAA,GAAa,CACjB,IAAA,EACA,MAAA,EACA,QAAA,KACY;AACZ,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,KAAA,MAAW,uBAAuB,QAAA,EAAU;AAC1C,IAAA,IAAI,+BAA+B,MAAA,EAAQ;AACzC,MAAA,IAAI,mBAAA,CAAoB,IAAA,CAAK,IAAI,CAAA,EAAG;AAClC,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAEA,IAAA,IAAI,OAAO,mBAAA,KAAwB,QAAA,IAAY,kBAAA,CAAmB,IAAA,EAAM,mBAAmB,CAAA,EAAG;AAC5F,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI,MAAM,OAAA,CAAQ,mBAAmB,CAAA,IAAK,mBAAA,CAAoB,WAAW,CAAA,EAAG;AAC1E,MAAA,MAAM,CAAC,OAAA,EAAS,eAAe,CAAA,GAAI,mBAAA;AACnC,MAAA,IAAI,mBAAmB,IAAA,EAAM,OAAO,KAAK,iBAAA,CAAkB,eAAA,EAAiB,MAAM,CAAA,EAAG;AACnF,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT,CAAA;AAEO,IAAM,kBAAA,GAAqB,CAAC,IAAA,EAAc,OAAA,KAA6B;AAQ5E,EAAA,MAAM,EAAE,OAAA,EAAS,KAAA,EAAM,GAAI,MAAM,OAAO,CAAA;AACxC,EAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AACxB;AAEO,IAAM,eAAA,GAAkB,CAAC,IAAA,EAAc,QAAA,KAA8D;AAC1G,EAAA,IAAI,CAAC,UAAU,OAAO,IAAA;AAEtB,EAAA,IAAI,OAAO,aAAa,QAAA,EAAU;AAChC,IAAA,OAAO,kBAAA,CAAmB,MAAM,QAAQ,CAAA;AAAA,EAC1C;AAEA,EAAA,IAAI,oBAAoB,MAAA,EAAQ;AAC9B,IAAA,OAAO,QAAA,CAAS,KAAK,IAAI,CAAA;AAAA,EAC3B;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,QAAQ,CAAA,EAAG;AAC3B,IAAA,OAAO,SAAS,IAAA,CAAK,CAAA,CAAA,KAAK,kBAAA,CAAmB,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,EACvD;AAEA,EAAA,OAAO,KAAA;AACT;AAEO,IAAM,iBAAA,GAAoB,CAAC,MAAA,EAA2B,KAAA,KAA2B;AACtF,EAAA,IAAI,OAAO,WAAW,QAAA,EAAU;AAC9B,IAAA,OAAO,MAAA,KAAW,KAAA;AAAA,EACpB;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,MAAM,CAAA,EAAG;AACzB,IAAA,OAAO,MAAA,CAAO,SAAS,KAAK,CAAA;AAAA,EAC9B;AAEA,EAAA,OAAO,KAAA;AACT;AAGO,IAAM,UAAA,GAAa,OACxB,KAAA,EACA,IAAA,EACA,QACA,IAAA,KACqB;AAErB,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,IAAS,EAAC,EAAG;AAC3B,IAAA,MAAM,IAAA,GAAO,QAAQ,CAAC,CAAA;AAEtB,IAAA,IAAI,CAAC,eAAA,CAAgB,IAAA,EAAM,IAAA,CAAK,IAAI,CAAA,EAAG;AACrC,MAAA;AAAA,IACF;AAGA,IAAA,IAAI,KAAK,OAAA,IAAW,CAAC,kBAAkB,IAAA,CAAK,OAAA,EAAS,MAAM,CAAA,EAAG;AAC5D,MAAA;AAAA,IACF;AAGA,IAAA,MAAM,YAAY,IAAA,CAAK,SAAA;AACvB,IAAA,IAAI,OAAO,cAAc,UAAA,EAAY;AACnC,MAAA,MAAM,OAAA,GAAU,MAAM,OAAA,CAAQ,OAAA,EAAQ,CACnC,IAAA,CAAK,MAAM,SAAA,CAAU,IAAI,CAAC,CAAA,CAC1B,KAAA,CAAM,MAAM,KAAK,CAAA;AAEpB,MAAA,IAAI,OAAA,EAAS;AACX,QAAA,OAAO,IAAA;AAAA,MACT;AAAA,IACF,CAAA,MAAA,IAAW,KAAK,KAAA,EAAO;AACrB,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAGA,EAAA,OAAO,KAAA;AACT","file":"chunk-AAHPYUEC.cjs","sourcesContent":["import type { MastraAuthConfig } from '@mastra/core/server';\n\n// Default configuration that can be extended by clients\nexport const defaultAuthConfig: MastraAuthConfig = {\n  protected: ['/api/*'],\n  public: ['/api'],\n  // Simple rule system\n  rules: [\n    // Admin users can do anything\n    {\n      condition: user => {\n        if (typeof user === 'object' && user !== null) {\n          if ('isAdmin' in user) {\n            return !!user.isAdmin;\n          }\n\n          if ('role' in user) {\n            return user.role === 'admin';\n          }\n        }\n        return false;\n      },\n      allow: true,\n    },\n  ],\n};\n","/**\n * Path pattern matching utility\n * Inlined from regexparam v3.0.0 (MIT License)\n * https://github.com/lukeed/regexparam\n *\n * Copyright (c) Luke Edwards <luke.edwards05@gmail.com> (lukeed.com)\n *\n * Permission is hereby granted, free of charge, to any person obtaining a copy\n * of this software and associated documentation files (the \"Software\"), to deal\n * in the Software without restriction, including without limitation the rights\n * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n * copies of the Software, and to permit persons to whom the Software is\n * furnished to do so, subject to the following conditions:\n *\n * The above copyright notice and this permission notice shall be included in all\n * copies or substantial portions of the Software.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n * SOFTWARE.\n */\n\nexport interface ParsedPattern {\n  keys: string[] | false;\n  pattern: RegExp;\n}\n\n/**\n * Parse a route pattern into a RegExp\n * Supports:\n * - Named parameters: /users/:id\n * - Optional parameters: /users/:id?\n * - Wildcards: /files/*\n * - Mixed patterns: /api/:version/users/:id\n */\nexport function parse(input: string | RegExp, loose?: boolean): ParsedPattern {\n  if (input instanceof RegExp) return { keys: false, pattern: input };\n\n  let c: string;\n  let o: number;\n  let tmp: string | undefined;\n  let ext: number;\n  const keys: string[] = [];\n  let pattern = '';\n  const arr = input.split('/');\n\n  arr[0] || arr.shift();\n\n  while ((tmp = arr.shift())) {\n    c = tmp[0]!;\n    if (c === '*') {\n      keys.push(c);\n      pattern += tmp[1] === '?' ? '(?:/(.*))?' : '/(.*)';\n    } else if (c === ':') {\n      o = tmp.indexOf('?', 1);\n      ext = tmp.indexOf('.', 1);\n      keys.push(tmp.substring(1, !!~o ? o : !!~ext ? ext : tmp.length));\n      pattern += !!~o && !~ext ? '(?:/([^/]+?))?' : '/([^/]+?)';\n      if (!!~ext) pattern += (!!~o ? '?' : '') + '\\\\' + tmp.substring(ext);\n    } else {\n      pattern += '/' + tmp;\n    }\n  }\n\n  return {\n    keys: keys,\n    pattern: new RegExp('^' + pattern + (loose ? '(?=$|/)' : '/?$'), 'i'),\n  };\n}\n\n/**\n * Test if a path matches a pattern\n */\nexport function matchPath(path: string, pattern: string | RegExp): boolean {\n  const { pattern: regex } = parse(pattern);\n  return regex.test(path);\n}\n","import type { MastraAuthConfig } from '@mastra/core/server';\n\nimport { defaultAuthConfig } from './defaults';\nimport { parse } from './path-pattern';\n\n/**\n * Check if a route is a registered custom route that requires authentication.\n * Returns true only if the route is explicitly registered with requiresAuth: true.\n * Returns false if the route is not in the config or has requiresAuth: false.\n */\nexport const isProtectedCustomRoute = (\n  path: string,\n  method: string,\n  customRouteAuthConfig?: Map<string, boolean>,\n): boolean => {\n  if (!customRouteAuthConfig) {\n    return false;\n  }\n\n  // Check exact match first (fast path for static routes)\n  const exactRouteKey = `${method}:${path}`;\n  if (customRouteAuthConfig.has(exactRouteKey)) {\n    return customRouteAuthConfig.get(exactRouteKey) === true;\n  }\n\n  // Check exact match for ALL method\n  const allRouteKey = `ALL:${path}`;\n  if (customRouteAuthConfig.has(allRouteKey)) {\n    return customRouteAuthConfig.get(allRouteKey) === true;\n  }\n\n  // Check pattern matches for dynamic routes (e.g., '/users/:id')\n  for (const [routeKey, requiresAuth] of customRouteAuthConfig.entries()) {\n    const colonIndex = routeKey.indexOf(':');\n    if (colonIndex === -1) {\n      continue; // Skip malformed keys\n    }\n\n    const routeMethod = routeKey.substring(0, colonIndex);\n    const routePattern = routeKey.substring(colonIndex + 1);\n\n    // Check if method matches (exact match or ALL)\n    if (routeMethod !== method && routeMethod !== 'ALL') {\n      continue;\n    }\n\n    // Check if path matches the pattern\n    if (pathMatchesPattern(path, routePattern)) {\n      return requiresAuth === true;\n    }\n  }\n\n  return false; // Not in config = not a protected custom route\n};\n\n/**\n * Check if request is from dev playground\n * @param getHeader - Function to get header value from request\n * @param customRouteAuthConfig - Map of custom route auth configurations\n */\nexport const isDevPlaygroundRequest = (\n  path: string,\n  method: string,\n  getHeader: (name: string) => string | undefined,\n  authConfig: MastraAuthConfig,\n  customRouteAuthConfig?: Map<string, boolean>,\n): boolean => {\n  const protectedAccess = [...(defaultAuthConfig.protected || []), ...(authConfig.protected || [])];\n  return (\n    process.env.MASTRA_DEV === 'true' &&\n    // Allow if path doesn't match protected patterns AND is not a protected custom route\n    ((!isAnyMatch(path, method, protectedAccess) && !isProtectedCustomRoute(path, method, customRouteAuthConfig)) ||\n      // Or if has playground header\n      getHeader('x-mastra-dev-playground') === 'true')\n  );\n};\n\nexport const isCustomRoutePublic = (\n  path: string,\n  method: string,\n  customRouteAuthConfig?: Map<string, boolean>,\n): boolean => {\n  if (!customRouteAuthConfig) {\n    return false;\n  }\n\n  // Check exact match first (fast path for static routes)\n  const exactRouteKey = `${method}:${path}`;\n  if (customRouteAuthConfig.has(exactRouteKey)) {\n    return !customRouteAuthConfig.get(exactRouteKey); // True when route opts out of auth\n  }\n\n  // Check exact match for ALL method\n  const allRouteKey = `ALL:${path}`;\n  if (customRouteAuthConfig.has(allRouteKey)) {\n    return !customRouteAuthConfig.get(allRouteKey);\n  }\n\n  // Check pattern matches for dynamic routes (e.g., '/users/:id')\n  for (const [routeKey, requiresAuth] of customRouteAuthConfig.entries()) {\n    const colonIndex = routeKey.indexOf(':');\n    if (colonIndex === -1) {\n      continue; // Skip malformed keys\n    }\n\n    const routeMethod = routeKey.substring(0, colonIndex);\n    const routePattern = routeKey.substring(colonIndex + 1);\n\n    // Check if method matches (exact match or ALL)\n    if (routeMethod !== method && routeMethod !== 'ALL') {\n      continue;\n    }\n\n    // Check if path matches the pattern\n    if (pathMatchesPattern(path, routePattern)) {\n      return !requiresAuth; // True when route opts out of auth\n    }\n  }\n\n  return false;\n};\n\nexport const isProtectedPath = (\n  path: string,\n  method: string,\n  authConfig: MastraAuthConfig,\n  customRouteAuthConfig?: Map<string, boolean>,\n): boolean => {\n  const protectedAccess = [...(defaultAuthConfig.protected || []), ...(authConfig.protected || [])];\n  return isAnyMatch(path, method, protectedAccess) || !isCustomRoutePublic(path, method, customRouteAuthConfig);\n};\n\nexport const canAccessPublicly = (path: string, method: string, authConfig: MastraAuthConfig): boolean => {\n  // Check if this path+method combination is publicly accessible\n  const publicAccess = [...(defaultAuthConfig.public || []), ...(authConfig.public || [])];\n\n  return isAnyMatch(path, method, publicAccess);\n};\n\nconst isAnyMatch = (\n  path: string,\n  method: string,\n  patterns: MastraAuthConfig['protected'] | MastraAuthConfig['public'],\n): boolean => {\n  if (!patterns) {\n    return false;\n  }\n\n  for (const patternPathOrMethod of patterns) {\n    if (patternPathOrMethod instanceof RegExp) {\n      if (patternPathOrMethod.test(path)) {\n        return true;\n      }\n    }\n\n    if (typeof patternPathOrMethod === 'string' && pathMatchesPattern(path, patternPathOrMethod)) {\n      return true;\n    }\n\n    if (Array.isArray(patternPathOrMethod) && patternPathOrMethod.length === 2) {\n      const [pattern, methodOrMethods] = patternPathOrMethod;\n      if (pathMatchesPattern(path, pattern) && matchesOrIncludes(methodOrMethods, method)) {\n        return true;\n      }\n    }\n  }\n\n  return false;\n};\n\nexport const pathMatchesPattern = (path: string, pattern: string): boolean => {\n  // Use regexparam for battle-tested path matching\n  // Supports:\n  // - Exact paths: '/api/users'\n  // - Wildcards: '/api/agents/*' matches '/api/agents/123'\n  // - Path parameters: '/users/:id' matches '/users/123'\n  // - Optional parameters: '/users/:id?' matches '/users' and '/users/123'\n  // - Mixed patterns: '/api/:version/users/:id/profile'\n  const { pattern: regex } = parse(pattern);\n  return regex.test(path);\n};\n\nexport const pathMatchesRule = (path: string, rulePath: string | RegExp | string[] | undefined): boolean => {\n  if (!rulePath) return true; // No path specified means all paths\n\n  if (typeof rulePath === 'string') {\n    return pathMatchesPattern(path, rulePath);\n  }\n\n  if (rulePath instanceof RegExp) {\n    return rulePath.test(path);\n  }\n\n  if (Array.isArray(rulePath)) {\n    return rulePath.some(p => pathMatchesPattern(path, p));\n  }\n\n  return false;\n};\n\nexport const matchesOrIncludes = (values: string | string[], value: string): boolean => {\n  if (typeof values === 'string') {\n    return values === value;\n  }\n\n  if (Array.isArray(values)) {\n    return values.includes(value);\n  }\n\n  return false;\n};\n\n// Check authorization rules\nexport const checkRules = async (\n  rules: MastraAuthConfig['rules'],\n  path: string,\n  method: string,\n  user: unknown,\n): Promise<boolean> => {\n  // Go through rules in order (first match wins)\n  for (const i in rules || []) {\n    const rule = rules?.[i]!;\n    // Check if rule applies to this path\n    if (!pathMatchesRule(path, rule.path)) {\n      continue;\n    }\n\n    // Check if rule applies to this method\n    if (rule.methods && !matchesOrIncludes(rule.methods, method)) {\n      continue;\n    }\n\n    // Rule matches, check conditions\n    const condition = rule.condition;\n    if (typeof condition === 'function') {\n      const allowed = await Promise.resolve()\n        .then(() => condition(user))\n        .catch(() => false);\n\n      if (allowed) {\n        return true;\n      }\n    } else if (rule.allow) {\n      return true;\n    }\n  }\n\n  // No matching rules, deny by default\n  return false;\n};\n"]}