npm - @mindfulauth/core - Versions diffs - 1.0.2 → 1.1.0 - Mend

@mindfulauth/core 1.0.2 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/config.d.ts CHANGED Viewed

@@ -4,8 +4,61 @@ export declare const ALLOWED_AUTH_METHODS: string[];
 export declare const MAX_BODY_SIZE_BYTES = 1048576;
 export declare const AUTH_PROXY_TIMEOUT_MS = 15000;
 export declare const SESSION_VALIDATION_TIMEOUT_MS = 10000;
-export declare const SKIP_ASSETS: string[];
+/**
+ * Returns the combined list of assets to skip session validation for.
+ * Merges defaults with any custom assets configured via mauthSecurityConfig().
+ */
+export declare function GET_SKIP_ASSETS(): string[];
 export declare const PUBLIC_ROUTES: string[];
 export declare const PUBLIC_PREFIXES: string[];
-export declare const SECURITY_HEADERS: Record<string, string>;
+/**
+ * Configure Mindful Auth security settings including CSP sources and static
+ * assets to skip. Returns the options to be passed to getMauthViteDefines().
+ *
+ * Call in astro.config.mjs and pass the result to vite.define:
+ *
+ * @example
+ * // astro.config.mjs
+ * const mauthCfg = mauthSecurityConfig({
+ *   skipAssets: ['/sitemap.xml', '/manifest.webmanifest'],
+ *   csp: {
+ *     scriptSources: ['https://analytics.example.com'],
+ *     connectSources: ['https://api.example.com'],
+ *     frameSources: ['https://stripe.com'],
+ *     fontSources: ['https://fonts.googleapis.com']
+ *   }
+ * });
+ *
+ * export default defineConfig({
+ *   vite: { define: getMauthViteDefines(mauthCfg) }
+ * });
+ */
+export declare function mauthSecurityConfig(options?: {
+    skipAssets?: string[];
+    csp?: {
+        scriptSources?: string[];
+        connectSources?: string[];
+        frameSources?: string[];
+        fontSources?: string[];
+    };
+}): typeof options;
+/**
+ * Converts the result of mauthSecurityConfig() into Vite define entries.
+ * Pass the output to vite.define in astro.config.mjs so custom values are
+ * baked into the SSR bundle at build time.
+ */
+export declare function getMauthViteDefines(options?: {
+    skipAssets?: string[];
+    csp?: {
+        scriptSources?: string[];
+        connectSources?: string[];
+        frameSources?: string[];
+        fontSources?: string[];
+    };
+}): Record<string, string>;
+/**
+ * Get security headers with CSP sources merged from defaults and build-time
+ * custom values injected via vite.define (from getMauthViteDefines()).
+ */
+export declare function GET_SECURITY_HEADERS(): Record<string, string>;
 //# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"~~AAEA~~,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,UAAU,gCAAgC,CAAC;~~AACxD~~,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;~~AAMnD~~,~~eAAO~~,MAAM,~~WAAW~~,~~UAA+D,CAAC~~;~~AAKxF~~,eAAO,MAAM,aAAa,UAQzB,CAAC;~~AAKF~~,eAAO,MAAM,eAAe,UAO3B,CAAC;~~AAaF~~,~~eAAO~~,MAAM,~~gBAAgB~~,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,~~CAoBnD~~,CAAC"}
1	+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,UAAU,gCAAgC,CAAC;AAGxD,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AAyCF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQzB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CA6C7D"}

package/dist/config.js CHANGED Viewed

@@ -1,18 +1,31 @@
+// ============================================================================
 // Configuration for the Astro Portal
+// ============================================================================
+// API Endpoints
 export const CENTRAL_AUTH_ORIGIN = 'https://api.mindfulauth.com';
 export const CDN_ORIGIN = 'https://cdn.mindfulauth.com';
+// Request & Timeout Configuration
 export const ALLOWED_AUTH_METHODS = ['GET', 'POST'];
 export const MAX_BODY_SIZE_BYTES = 1048576; // 1MB limit
 export const AUTH_PROXY_TIMEOUT_MS = 15000;
 export const SESSION_VALIDATION_TIMEOUT_MS = 10000;
+// ============================================================================
+// Static Assets & Route Configuration
+// ============================================================================
 // Static assets to skip session validation (favicon, robots.txt, etc.)
 // SECURITY CRITICAL: Only add actual static file requests here.
 // Examples of safe entries: /favicon.ico, /robots.txt, /sitemap.xml
 // NEVER add application routes like /dashboard, /profile, /secure/* - this COMPLETELY bypasses authentication. If you add a route here, unauthenticated users can access it without logging in.
-export const SKIP_ASSETS = ['/favicon.ico', '/robots.txt', '/.well-known/security.txt'];
+const DEFAULT_SKIP_ASSETS = ['/favicon.ico', '/robots.txt', '/.well-known/security.txt'];
+/**
+ * Returns the combined list of assets to skip session validation for.
+ * Merges defaults with any custom assets configured via mauthSecurityConfig().
+ */
+export function GET_SKIP_ASSETS() {
+    return [...DEFAULT_SKIP_ASSETS, ...__MAUTH_SKIP_ASSETS__];
+}
 // Public routes that do not require authentication
 // ⚠️ DO NOT EDIT - These are critical for the authentication system to work correctly
-// If you need public content in your portal, host it on your main website instead
 export const PUBLIC_ROUTES = [
     '/',
     '/login',
@@ -24,44 +37,119 @@ export const PUBLIC_ROUTES = [
 ];
 // Dynamic public routes (prefix matching)
 // ⚠️ DO NOT EDIT - These are critical for the authentication system to work correctly
-// If you need public content in your portal, host it on your main website instead
 export const PUBLIC_PREFIXES = [
-    '/auth/', // API endpoints for authentication
+    '/auth/',
     '/email-verified/',
     '/reset-password/',
     '/verify-email/',
     '/verify-magic-link/',
-    '/api/public/', // Public API routes (e.g. for webhooks)
+    '/api/public/',
 ];
-// Security headers for all HTML responses
-// ⚠️ IMPORTANT: Do not remove the following domains from the CSP - they are critical for authentication:
-// - challenges.cloudflare.com: Turnstile CAPTCHA (prevents bot attacks)
-// - cdn.mindfulauth.com: Mindful Auth authentication scripts (handles login, 2FA, password reset)
-// - api.mindfulauth.com: Backend API calls for session validation
-// - cdn.jsdelivr.net: External dependencies for QR Code library (for 2fa auth)
+// ============================================================================
+// Security Headers & CSP Configuration
+// ============================================================================
+// Default allowed script sources for CSP
+// ⚠️ IMPORTANT: Do not remove these domains - they are critical for authentication:
 // Removing these will break authentication and user will be unable to log in.
-//
-// NOTE on img-src: Currently allows any HTTPS image source for development flexibility.
-// For production, restrict to trusted sources only:
-// "img-src 'self' data: https://your-cdn.com https://example.com"
-export const SECURITY_HEADERS = {
-    'X-Content-Type-Options': 'nosniff',
-    'X-Frame-Options': 'SAMEORIGIN',
-    'Referrer-Policy': 'strict-origin-when-cross-origin',
-    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
-    'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
-    'Content-Security-Policy': [
-        "default-src 'self'",
-        "script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com https://cdn.mindfulauth.com https://api.mindfulauth.com https://cdn.jsdelivr.net https://static.cloudflareinsights.com",
-        "style-src 'self' 'unsafe-inline'",
-        "img-src 'self' data: https:",
-        "connect-src 'self' https://challenges.cloudflare.com https://api.mindfulauth.com https://*.cloudflare.com",
-        "frame-src 'self' https://challenges.cloudflare.com",
-        "font-src 'self' data:",
-        "object-src 'none'",
-        "base-uri 'self'",
-        "form-action 'self'",
-        "upgrade-insecure-requests",
-        "block-all-mixed-content"
-    ].join('; ')
-};
+const DEFAULT_SCRIPT_SOURCES = [
+    "'self'",
+    'https://*.cloudflare.com',
+    'https://cdn.mindfulauth.com',
+    'https://api.mindfulauth.com'
+];
+// Default allowed connection sources for CSP
+const DEFAULT_CONNECT_SOURCES = [
+    "'self'",
+    'https://*.cloudflare.com',
+    'https://api.mindfulauth.com'
+];
+// Default allowed frame sources for CSP
+const DEFAULT_FRAME_SOURCES = [
+    "'self'",
+    'https://*.cloudflare.com'
+];
+// Default allowed font sources for CSP
+const DEFAULT_FONT_SOURCES = [
+    "'self'",
+    'data:'
+];
+/**
+ * Configure Mindful Auth security settings including CSP sources and static
+ * assets to skip. Returns the options to be passed to getMauthViteDefines().
+ *
+ * Call in astro.config.mjs and pass the result to vite.define:
+ *
+ * @example
+ * // astro.config.mjs
+ * const mauthCfg = mauthSecurityConfig({
+ *   skipAssets: ['/sitemap.xml', '/manifest.webmanifest'],
+ *   csp: {
+ *     scriptSources: ['https://analytics.example.com'],
+ *     connectSources: ['https://api.example.com'],
+ *     frameSources: ['https://stripe.com'],
+ *     fontSources: ['https://fonts.googleapis.com']
+ *   }
+ * });
+ *
+ * export default defineConfig({
+ *   vite: { define: getMauthViteDefines(mauthCfg) }
+ * });
+ */
+export function mauthSecurityConfig(options) {
+    return options;
+}
+/**
+ * Converts the result of mauthSecurityConfig() into Vite define entries.
+ * Pass the output to vite.define in astro.config.mjs so custom values are
+ * baked into the SSR bundle at build time.
+ */
+export function getMauthViteDefines(options) {
+    return {
+        __MAUTH_SKIP_ASSETS__: JSON.stringify(options?.skipAssets ?? []),
+        __MAUTH_SCRIPT_SOURCES__: JSON.stringify(options?.csp?.scriptSources ?? []),
+        __MAUTH_CONNECT_SOURCES__: JSON.stringify(options?.csp?.connectSources ?? []),
+        __MAUTH_FRAME_SOURCES__: JSON.stringify(options?.csp?.frameSources ?? []),
+        __MAUTH_FONT_SOURCES__: JSON.stringify(options?.csp?.fontSources ?? []),
+    };
+}
+/**
+ * Get security headers with CSP sources merged from defaults and build-time
+ * custom values injected via vite.define (from getMauthViteDefines()).
+ */
+export function GET_SECURITY_HEADERS() {
+    // Custom sources are baked in at build time via vite.define
+    const SCRIPT_SOURCES = [...DEFAULT_SCRIPT_SOURCES, ...__MAUTH_SCRIPT_SOURCES__];
+    const CONNECT_SOURCES = [...DEFAULT_CONNECT_SOURCES, ...__MAUTH_CONNECT_SOURCES__];
+    const FRAME_SOURCES = [...DEFAULT_FRAME_SOURCES, ...__MAUTH_FRAME_SOURCES__];
+    const FONT_SOURCES = [...DEFAULT_FONT_SOURCES, ...__MAUTH_FONT_SOURCES__];
+    return {
+        'X-Content-Type-Options': 'nosniff',
+        'X-Frame-Options': 'SAMEORIGIN',
+        'Referrer-Policy': 'strict-origin-when-cross-origin',
+        'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
+        'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
+        'Content-Security-Policy': [
+            // Default policy
+            "default-src 'self'",
+            // Scripts
+            `script-src ${SCRIPT_SOURCES.join(' ')}`,
+            // Styles
+            "style-src 'self' 'unsafe-inline'",
+            // Images
+            "img-src 'self' data: https:",
+            // Connections
+            `connect-src ${CONNECT_SOURCES.join(' ')}`,
+            // Frames
+            `frame-src ${FRAME_SOURCES.join(' ')}`,
+            // Fonts
+            `font-src ${FONT_SOURCES.join(' ')}`,
+            // Disallow object/embed tags (Flash, Java, etc.)
+            "object-src 'none'",
+            // Security directives
+            "base-uri 'self'",
+            "form-action 'self'",
+            "upgrade-insecure-requests",
+            "block-all-mixed-content"
+        ].join('; ')
+    };
+}

package/dist/middleware.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAuBA,eAAO,MAAM,SAAS,~~mCA+DpB~~,CAAC"}
1	+ {"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAuBA,eAAO,MAAM,SAAS,mCA8DpB,CAAC"}

package/dist/middleware.js CHANGED Viewed

@@ -1,7 +1,7 @@
 // Global middleware for session validation
 // Runs before all route handlers to enforce authentication
 import { defineMiddleware } from 'astro:middleware';
-import { PUBLIC_ROUTES, PUBLIC_PREFIXES, SECURITY_HEADERS, SKIP_ASSETS } from './config';
+import { PUBLIC_ROUTES, PUBLIC_PREFIXES, GET_SECURITY_HEADERS, GET_SKIP_ASSETS } from './config';
 import { sanitizePath } from './security';
 import { validateSession, validateMemberIdInUrl } from './auth';
 /** Check if a path is a public route (no auth required) */
@@ -11,7 +11,7 @@ function isPublicRoute(pathname) {
 }
 /** Add security headers to a response */
 function addSecurityHeaders(response) {
-    Object.entries(SECURITY_HEADERS).forEach(([key, value]) => {
+    Object.entries(GET_SECURITY_HEADERS()).forEach(([key, value]) => {
         response.headers.set(key, value);
     });
     return response;
@@ -23,12 +23,11 @@ export const onRequest = defineMiddleware(async (context, next) => {
     // Type assertion for locals (users should extend App.Locals in their project)
     const authLocals = locals;
     // Skip middleware for static assets FIRST (before dev mode)
-    if (SKIP_ASSETS.includes(pathname)) {
+    if (GET_SKIP_ASSETS().includes(pathname)) {
         return next();
     }
     // DEV MODE: Skip auth on localhost
     if (import.meta.env.DEV && (url.hostname === 'localhost' || url.hostname === '127.0.0.1')) {
-        // Check if public route first
         if (isPublicRoute(pathname)) {
             authLocals.recordId = null;
             return next();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mindfulauth/core",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "description": "Mindful Auth core authentication library for Astro",
   "type": "module",
   "main": "./dist/index.js",
@@ -45,7 +45,7 @@
     "astro": "^5.0.0"
   },
   "devDependencies": {
-    "astro": "^5.17.1",
+    "astro": "^5.17.3",
     "typescript": "^5.9.3"
   }
 }