@mindfulauth/core 1.0.0

package/README.md

@@ -0,0 +1,64 @@
+# @mindful-auth/core
+
+Core authentication library for Mindful Auth, designed for Astro applications.
+
+## Installation
+
+```bash
+npm install @mindful-auth/core
+```
+
+## Usage
+
+### Set up middleware
+
+In your `src/middleware.ts`:
+
+```typescript
+export { onRequest } from '@mindful-auth/core/middleware';
+```
+
+### Handle auth routes
+
+In your `src/pages/auth/[...slug].ts`:
+
+```typescript
+import { handleAuthGet, handleAuthPost } from '@mindful-auth/core/auth-handler';
+
+export async function GET(context: APIContext) {
+  const { params, request, url, locals } = context;
+  return handleAuthGet(params.slug || '', request, url, locals);
+}
+
+export async function POST(context: APIContext) {
+  const { params, request, url, locals } = context;
+  return handleAuthPost(params.slug || '', request, url, locals);
+}
+```
+
+### Configure your application
+
+You can customize the configuration by importing and modifying values:
+
+```typescript
+import { CENTRAL_AUTH_ORIGIN, PUBLIC_ROUTES } from '@mindful-auth/core/config';
+```
+
+## Environment Variables
+
+Set the following environment variable (required):
+
+- `INTERNAL_API_KEY`: Your Mindful Auth API key
+
+## Features
+
+- 🔐 Session validation and management
+- 🛡️ Security headers (CSP, HSTS, etc.)
+- 🚦 Public/protected route handling
+- 🔄 Auth proxy for login, registration, 2FA, etc.
+- 🛠️ Path traversal protection
+- ⚡ Built for Cloudflare Workers & Astro SSR
+
+## License
+
+MIT

package/dist/auth-handler.d.ts

@@ -0,0 +1,5 @@
+/** Handle GET requests (email verification, password reset links, etc.) */
+export declare function handleAuthGet(rawEndpoint: string, request: Request, url: URL, locals?: any): Promise<Response>;
+/** Handle POST requests (login, 2FA, password changes, etc.) */
+export declare function handleAuthPost(rawEndpoint: string, request: Request, url: URL, locals?: any): Promise<Response>;
+//# sourceMappingURL=auth-handler.d.ts.map

package/dist/auth-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../src/auth-handler.ts"],"names":[],"mappings":"AAmEA,2EAA2E;AAC3E,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CA4BpH;AAED,gEAAgE;AAChE,wBAAsB,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAwDrH"}

package/dist/auth-handler.js

@@ -0,0 +1,147 @@
+// Auth proxy handler for Mindful Auth
+// Forwards authentication requests to the central Mindful Auth service
+import { CENTRAL_AUTH_ORIGIN, ALLOWED_AUTH_METHODS, MAX_BODY_SIZE_BYTES, AUTH_PROXY_TIMEOUT_MS } from './config';
+import { sanitizeEndpoint } from './security';
+const JSON_HEADERS = { 'Content-Type': 'application/json' };
+const jsonError = (error, status) => new Response(JSON.stringify({ error }), { status, headers: JSON_HEADERS });
+/** Build proxy headers from incoming request */
+function buildProxyHeaders(request, tenantDomain, apiKey) {
+    const headers = {
+        'Content-Type': 'application/json',
+        'X-Tenant-Domain': tenantDomain,
+        'X-Requested-With': 'XMLHttpRequest'
+    };
+    if (apiKey)
+        headers['Authorization'] = `Bearer ${apiKey}`;
+    const cookie = request.headers.get('Cookie');
+    if (cookie)
+        headers['Cookie'] = cookie;
+    const clientIp = request.headers.get('cf-connecting-ip') ||
+        request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ||
+        request.headers.get('x-real-ip');
+    if (clientIp)
+        headers['X-Forwarded-For'] = clientIp;
+    const userAgent = request.headers.get('user-agent');
+    if (userAgent)
+        headers['User-Agent'] = userAgent;
+    return headers;
+}
+/** Fetch with timeout */
+async function fetchWithTimeout(url, options) {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), AUTH_PROXY_TIMEOUT_MS);
+    try {
+        return await fetch(url, { ...options, signal: controller.signal });
+    }
+    finally {
+        clearTimeout(timeoutId);
+    }
+}
+/** Extract mirrored session cookie (removes Domain to use tenant domain) */
+function getMirroredCookie(resp) {
+    const setCookie = resp.headers.get('set-cookie');
+    return setCookie?.includes('session_id=')
+        ? setCookie.replace(/Domain=[^;]+;?\s*/i, '')
+        : null;
+}
+/** Check if redirect is safe (relative, no open redirect) */
+function isSafeRedirect(url) {
+    return url.startsWith('/') && !url.startsWith('//');
+}
+/** Build response with standard headers */
+function buildResponse(data, status, cookie) {
+    const headers = new Headers({
+        'Content-Type': 'application/json',
+        'Cache-Control': 'no-store, no-cache, must-revalidate, private'
+    });
+    if (cookie)
+        headers.set('Set-Cookie', cookie);
+    return new Response(JSON.stringify(data), { status, headers });
+}
+/** Handle GET requests (email verification, password reset links, etc.) */
+export async function handleAuthGet(rawEndpoint, request, url, locals) {
+    const internalApiKey = locals?.runtime?.env?.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
+    if (!internalApiKey)
+        console.error('[auth-handler] INTERNAL_API_KEY not configured');
+    const endpoint = sanitizeEndpoint(rawEndpoint);
+    if (!endpoint)
+        return jsonError('Bad request', 400);
+    const apiUrl = new URL(`${CENTRAL_AUTH_ORIGIN}/auth/${endpoint}`);
+    url.searchParams.forEach((v, k) => apiUrl.searchParams.set(k, v));
+    let resp;
+    try {
+        resp = await fetchWithTimeout(apiUrl.toString(), {
+            method: 'GET',
+            headers: buildProxyHeaders(request, url.hostname, internalApiKey)
+        });
+    }
+    catch (e) {
+        if (e.name === 'AbortError')
+            return jsonError('Request timeout', 504);
+        throw e;
+    }
+    // Handle redirect
+    const location = resp.headers.get('Location');
+    if (resp.status === 302 && location && isSafeRedirect(location)) {
+        return new Response(null, { status: 302, headers: { Location: location } });
+    }
+    return buildResponse(await resp.json(), resp.status, getMirroredCookie(resp));
+}
+/** Handle POST requests (login, 2FA, password changes, etc.) */
+export async function handleAuthPost(rawEndpoint, request, url, locals) {
+    if (!ALLOWED_AUTH_METHODS.includes(request.method))
+        return jsonError('Method not allowed', 405);
+    const contentLength = request.headers.get('content-length');
+    if (contentLength && parseInt(contentLength) > MAX_BODY_SIZE_BYTES)
+        return jsonError('Payload too large', 413);
+    const internalApiKey = locals?.runtime?.env?.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
+    if (!internalApiKey)
+        console.error('[auth-handler] INTERNAL_API_KEY not configured');
+    const endpoint = sanitizeEndpoint(rawEndpoint);
+    if (!endpoint)
+        return jsonError('Bad request', 400);
+    // Parse request body
+    let body = null;
+    try {
+        const text = await request.text();
+        if (text) {
+            JSON.parse(text);
+            body = text;
+        }
+    }
+    catch {
+        return jsonError('Invalid JSON', 400);
+    }
+    let resp;
+    try {
+        resp = await fetchWithTimeout(`${CENTRAL_AUTH_ORIGIN}/auth/${endpoint}`, {
+            method: 'POST',
+            headers: buildProxyHeaders(request, url.hostname, internalApiKey),
+            body
+        });
+    }
+    catch (e) {
+        if (e.name === 'AbortError')
+            return jsonError('Request timeout', 504);
+        throw e;
+    }
+    const data = await resp.json();
+    const cookie = getMirroredCookie(resp);
+    // Handle HTTP redirect
+    const location = resp.headers.get('Location');
+    if (resp.status === 302 && location && isSafeRedirect(location)) {
+        return new Response(null, { status: 302, headers: { Location: location } });
+    }
+    // Handle JSON redirect (loginsuccessredirect)
+    const redirectUrl = data.loginsuccessredirect;
+    if (typeof redirectUrl === 'string' && isSafeRedirect(redirectUrl)) {
+        return new Response(null, {
+            status: 302,
+            headers: { Location: redirectUrl, ...(cookie && { 'Set-Cookie': cookie }) }
+        });
+    }
+    // Remove sensitive data
+    delete data.sessionToken;
+    delete data.maxAgeSeconds;
+    return buildResponse(data, resp.status, cookie);
+}

package/dist/auth.d.ts

@@ -0,0 +1,9 @@
+import type { SessionValidationResult } from './types';
+/** Validate session with Mindful Auth central service */
+export declare function validateSession(request: Request, tenantDomain: string, pathname: string, internalApiKey: string): Promise<SessionValidationResult>;
+/** Validate memberid in URL matches session (or just check structure if sessionRecordId is null) */
+export declare function validateMemberIdInUrl(pathname: string, sessionRecordId: string | null): {
+    valid: boolean;
+    strippedPathname?: string;
+};
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAC;AAEvD,yDAAyD;AACzD,wBAAsB,eAAe,CACjC,OAAO,EAAE,OAAO,EAChB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GACvB,OAAO,CAAC,uBAAuB,CAAC,CAsClC;AAED,oGAAoG;AACpG,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,IAAI,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAAE,CAerI"}

package/dist/auth.js

@@ -0,0 +1,56 @@
+// Authentication and session validation for Mindful Auth
+import { CENTRAL_AUTH_ORIGIN, SESSION_VALIDATION_TIMEOUT_MS } from './config';
+/** Validate session with Mindful Auth central service */
+export async function validateSession(request, tenantDomain, pathname, internalApiKey) {
+    const sessionId = request.headers.get('Cookie')?.match(/session_id=([^;]+)/)?.[1];
+    if (!sessionId)
+        return { valid: false, reason: 'no-session' };
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), SESSION_VALIDATION_TIMEOUT_MS);
+    try {
+        const clientIp = request.headers.get('cf-connecting-ip') ||
+            request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ||
+            request.headers.get('x-real-ip');
+        const resp = await fetch(`${CENTRAL_AUTH_ORIGIN}/auth/validate-session`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-Tenant-Domain': tenantDomain,
+                'X-Internal-Api-Key': internalApiKey,
+                ...(clientIp && { 'X-Forwarded-For': clientIp }),
+                ...(request.headers.get('user-agent') && { 'User-Agent': request.headers.get('user-agent') })
+            },
+            body: JSON.stringify({ sessionId, requestedUrl: pathname }),
+            signal: controller.signal
+        });
+        const result = await resp.json();
+        if (!result.valid)
+            return { valid: false, reason: 'invalid-session' };
+        const recordId = result.data?.sub || result.recordId;
+        if (!recordId)
+            return { valid: false, reason: 'invalid-record-id' };
+        return { valid: true, recordId };
+    }
+    catch (e) {
+        console.error('[auth] Session validation failed:', e.message);
+        return { valid: false, reason: 'error' };
+    }
+    finally {
+        clearTimeout(timeoutId);
+    }
+}
+/** Validate memberid in URL matches session (or just check structure if sessionRecordId is null) */
+export function validateMemberIdInUrl(pathname, sessionRecordId) {
+    const segments = pathname.split('/').filter(Boolean);
+    if (segments.length === 0)
+        return { valid: false };
+    const urlMemberId = segments[0];
+    // Pre-check mode: just validate URL has memberid
+    if (sessionRecordId === null) {
+        return { valid: !!urlMemberId, strippedPathname: pathname };
+    }
+    // Validate memberid matches session
+    if (urlMemberId !== sessionRecordId)
+        return { valid: false };
+    return { valid: true, strippedPathname: '/' + segments.slice(1).join('/') };
+}

package/dist/config.d.ts

@@ -0,0 +1,11 @@
+export declare const CENTRAL_AUTH_ORIGIN = "https://api.mindfulauth.com";
+export declare const CDN_ORIGIN = "https://cdn.mindfulauth.com";
+export declare const ALLOWED_AUTH_METHODS: string[];
+export declare const MAX_BODY_SIZE_BYTES = 1048576;
+export declare const AUTH_PROXY_TIMEOUT_MS = 15000;
+export declare const SESSION_VALIDATION_TIMEOUT_MS = 10000;
+export declare const SKIP_ASSETS: string[];
+export declare const PUBLIC_ROUTES: string[];
+export declare const PUBLIC_PREFIXES: string[];
+export declare const SECURITY_HEADERS: Record<string, string>;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,UAAU,gCAAgC,CAAC;AACxD,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAMnD,eAAO,MAAM,WAAW,UAA+D,CAAC;AAKxF,eAAO,MAAM,aAAa,UAQzB,CAAC;AAKF,eAAO,MAAM,eAAe,UAM3B,CAAC;AAaF,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAoBnD,CAAC"}

package/dist/config.js

@@ -0,0 +1,66 @@
+// Configuration for the Astro Portal
+export const CENTRAL_AUTH_ORIGIN = 'https://api.mindfulauth.com';
+export const CDN_ORIGIN = 'https://cdn.mindfulauth.com';
+export const ALLOWED_AUTH_METHODS = ['GET', 'POST'];
+export const MAX_BODY_SIZE_BYTES = 1048576; // 1MB limit
+export const AUTH_PROXY_TIMEOUT_MS = 15000;
+export const SESSION_VALIDATION_TIMEOUT_MS = 10000;
+// Static assets to skip session validation (favicon, robots.txt, etc.)
+// SECURITY CRITICAL: Only add actual static file requests here.
+// Examples of safe entries: /favicon.ico, /robots.txt, /sitemap.xml
+// NEVER add application routes like /dashboard, /profile, /secure/* - this COMPLETELY bypasses authentication. If you add a route here, unauthenticated users can access it without logging in.
+export const SKIP_ASSETS = ['/favicon.ico', '/robots.txt', '/.well-known/security.txt'];
+// Public routes that do not require authentication
+// ⚠️ DO NOT EDIT - These are critical for the authentication system to work correctly
+// If you need public content in your portal, host it on your main website instead
+export const PUBLIC_ROUTES = [
+    '/',
+    '/login',
+    '/register',
+    '/magic-login',
+    '/magic-register',
+    '/forgot-password',
+    '/resend-verification',
+];
+// Dynamic public routes (prefix matching)
+// ⚠️ DO NOT EDIT - These are critical for the authentication system to work correctly
+// If you need public content in your portal, host it on your main website instead
+export const PUBLIC_PREFIXES = [
+    '/auth/', // API endpoints for authentication
+    '/email-verified/',
+    '/reset-password/',
+    '/verify-email/',
+    '/verify-magic-link/',
+];
+// Security headers for all HTML responses
+// ⚠️ IMPORTANT: Do not remove the following domains from the CSP - they are critical for authentication:
+// - challenges.cloudflare.com: Turnstile CAPTCHA (prevents bot attacks)
+// - cdn.mindfulauth.com: Mindful Auth authentication scripts (handles login, 2FA, password reset)
+// - api.mindfulauth.com: Backend API calls for session validation
+// - cdn.jsdelivr.net: External dependencies for QR Code library (for 2fa auth)
+// Removing these will break authentication and user will be unable to log in.
+//
+// NOTE on img-src: Currently allows any HTTPS image source for development flexibility.
+// For production, restrict to trusted sources only:
+// "img-src 'self' data: https://your-cdn.com https://example.com"
+export const SECURITY_HEADERS = {
+    'X-Content-Type-Options': 'nosniff',
+    'X-Frame-Options': 'SAMEORIGIN',
+    'Referrer-Policy': 'strict-origin-when-cross-origin',
+    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
+    'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
+    'Content-Security-Policy': [
+        "default-src 'self'",
+        "script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com https://cdn.mindfulauth.com https://api.mindfulauth.com https://cdn.jsdelivr.net https://static.cloudflareinsights.com",
+        "style-src 'self' 'unsafe-inline'",
+        "img-src 'self' data: https:",
+        "connect-src 'self' https://challenges.cloudflare.com https://api.mindfulauth.com https://*.cloudflare.com",
+        "frame-src 'self' https://challenges.cloudflare.com",
+        "font-src 'self' data:",
+        "object-src 'none'",
+        "base-uri 'self'",
+        "form-action 'self'",
+        "upgrade-insecure-requests",
+        "block-all-mixed-content"
+    ].join('; ')
+};

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export * from './types';
+export * from './config';
+export * from './auth';
+export * from './auth-handler';
+export * from './security';
+export { onRequest } from './middleware';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC;AAGzB,cAAc,QAAQ,CAAC;AAGvB,cAAc,gBAAgB,CAAC;AAG/B,cAAc,YAAY,CAAC;AAG3B,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC"}

package/dist/index.js

@@ -0,0 +1,13 @@
+// Mindful Auth Core - Main exports
+// Types
+export * from './types';
+// Configuration
+export * from './config';
+// Authentication
+export * from './auth';
+// Auth handler for API routes
+export * from './auth-handler';
+// Security utilities
+export * from './security';
+// Middleware (also available via '@mindful-auth/core/middleware')
+export { onRequest } from './middleware';

package/dist/middleware.d.ts

@@ -0,0 +1,2 @@
+export declare const onRequest: import("astro").MiddlewareHandler;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAuBA,eAAO,MAAM,SAAS,mCA+DpB,CAAC"}

package/dist/middleware.js

@@ -0,0 +1,73 @@
+// Global middleware for session validation
+// Runs before all route handlers to enforce authentication
+import { defineMiddleware } from 'astro:middleware';
+import { PUBLIC_ROUTES, PUBLIC_PREFIXES, SECURITY_HEADERS, SKIP_ASSETS } from './config';
+import { sanitizePath } from './security';
+import { validateSession, validateMemberIdInUrl } from './auth';
+/** Check if a path is a public route (no auth required) */
+function isPublicRoute(pathname) {
+    return PUBLIC_ROUTES.includes(pathname) ||
+        PUBLIC_PREFIXES.some(prefix => pathname.startsWith(prefix));
+}
+/** Add security headers to a response */
+function addSecurityHeaders(response) {
+    Object.entries(SECURITY_HEADERS).forEach(([key, value]) => {
+        response.headers.set(key, value);
+    });
+    return response;
+}
+// Main middleware function
+export const onRequest = defineMiddleware(async (context, next) => {
+    const { request, url, redirect, locals } = context;
+    const pathname = url.pathname;
+    // Type assertion for locals (users should extend App.Locals in their project)
+    const authLocals = locals;
+    // Skip middleware for static assets FIRST (before dev mode)
+    if (SKIP_ASSETS.includes(pathname)) {
+        return next();
+    }
+    // DEV MODE: Skip auth on localhost
+    if (import.meta.env.DEV && (url.hostname === 'localhost' || url.hostname === '127.0.0.1')) {
+        // Check if public route first
+        if (isPublicRoute(pathname)) {
+            authLocals.recordId = null;
+            return next();
+        }
+        // For protected routes, extract or create mock recordId
+        // Match memberid with trailing slash
+        const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
+        authLocals.recordId = match ? match[1] : 'dev-user-123';
+        return next();
+    }
+    // Sanitize path
+    const safePath = sanitizePath(pathname);
+    if (!safePath) {
+        return new Response('Bad Request', { status: 400 });
+    }
+    // Public routes - no auth needed
+    if (isPublicRoute(safePath)) {
+        authLocals.recordId = null;
+        return addSecurityHeaders(await next());
+    }
+    // Protected route - validate session
+    const internalApiKey = authLocals.runtime?.env?.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
+    if (!internalApiKey) {
+        console.error('[middleware] CRITICAL: INTERNAL_API_KEY not configured');
+        return new Response('Internal Server Error', { status: 500 });
+    }
+    // URL must have memberid
+    if (!validateMemberIdInUrl(safePath, null).valid) {
+        return new Response('Forbidden: URL must include memberid', { status: 403 });
+    }
+    // Validate session
+    const session = await validateSession(request, url.hostname, safePath, internalApiKey);
+    if (!session.valid) {
+        return redirect('/login');
+    }
+    // Validate memberid matches session
+    if (!validateMemberIdInUrl(safePath, session.recordId).valid) {
+        return new Response('Forbidden: Invalid user ID in URL', { status: 403 });
+    }
+    authLocals.recordId = session.recordId;
+    return addSecurityHeaders(await next());
+});

package/dist/security.d.ts

@@ -0,0 +1,5 @@
+/** Sanitize endpoint path (prevents ../ traversal and encoded variants) */
+export declare function sanitizeEndpoint(endpoint: string): string | null;
+/** Sanitize URL path (prevents ../ traversal and encoded variants) */
+export declare function sanitizePath(pathname: string): string | null;
+//# sourceMappingURL=security.d.ts.map

package/dist/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../src/security.ts"],"names":[],"mappings":"AAkBA,2EAA2E;AAC3E,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAIhE;AAED,sEAAsE;AACtE,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAI5D"}

package/dist/security.js

@@ -0,0 +1,31 @@
+// Security utilities - path traversal prevention
+const MAX_PATH_LENGTH = 2048;
+/** Decode and check for traversal attacks */
+function decodeAndValidate(str) {
+    if (!str || typeof str !== 'string' || str.length > MAX_PATH_LENGTH)
+        return null;
+    try {
+        let decoded = decodeURIComponent(str);
+        // Catch double-encoded traversal attempts
+        if (decoded.includes('%'))
+            decoded = decodeURIComponent(decoded);
+        return decoded;
+    }
+    catch {
+        return null;
+    }
+}
+/** Sanitize endpoint path (prevents ../ traversal and encoded variants) */
+export function sanitizeEndpoint(endpoint) {
+    const decoded = decodeAndValidate(endpoint);
+    if (!decoded || decoded.includes('..') || decoded.includes('\\'))
+        return null;
+    return decoded;
+}
+/** Sanitize URL path (prevents ../ traversal and encoded variants) */
+export function sanitizePath(pathname) {
+    const decoded = decodeAndValidate(pathname);
+    if (!decoded || decoded.includes('..') || decoded.includes('\\'))
+        return null;
+    return decoded;
+}

package/dist/types.d.ts

@@ -0,0 +1,22 @@
+import type { MiddlewareHandler } from 'astro';
+export interface MindfulAuthLocals {
+    recordId: string | null;
+    runtime?: {
+        env?: {
+            INTERNAL_API_KEY?: string;
+        };
+    };
+}
+declare global {
+    namespace App {
+        interface Locals extends MindfulAuthLocals {
+        }
+    }
+}
+export interface SessionValidationResult {
+    valid: boolean;
+    reason?: string;
+    recordId?: string;
+}
+export type MindfulAuthMiddleware = MiddlewareHandler;
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,CAAC,EAAE;QACR,GAAG,CAAC,EAAE;YACJ,gBAAgB,CAAC,EAAE,MAAM,CAAC;SAC3B,CAAC;KACH,CAAC;CACH;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}

package/dist/types.js

@@ -0,0 +1,2 @@
+// Type definitions for Mindful Auth
+export {};

package/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "@mindfulauth/core",
+  "version": "1.0.0",
+  "description": "Mindful Auth core authentication library for Astro",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./middleware": {
+      "types": "./dist/middleware.d.ts",
+      "import": "./dist/middleware.js"
+    },
+    "./auth-handler": {
+      "types": "./dist/auth-handler.d.ts",
+      "import": "./dist/auth-handler.js"
+    },
+    "./config": {
+      "types": "./dist/config.d.ts",
+      "import": "./dist/config.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "authentication",
+    "astro",
+    "mindfulauth",
+    "session",
+    "middleware"
+  ],
+  "author": "Mindful Auth",
+  "license": "MIT",
+  "peerDependencies": {
+    "astro": "^5.0.0"
+  },
+  "devDependencies": {
+    "astro": "^5.17.1",
+    "typescript": "^5.9.3"
+  }
+}