@mindfulauth/core 1.2.1 → 2.0.0-beta.10

package/dist/astro/VerifyMagicLinkScript.astro

@@ -0,0 +1,195 @@
+---
+// Mindful Auth - Verify Magic Link Script Component
+// Provides: Magic link verification with 2FA support
+---
+<script is:inline>
+// Verify Magic Link Script - Astro Optimized
+
+function getPathParams() {
+    const pathParts = window.location.pathname.split('/');
+    return {
+        recordid: pathParts[2],
+        token: pathParts[3]
+    };
+}
+
+async function handleVerifyMagicLinkSubmit(event) {
+    if (event) event.preventDefault();
+    
+    const form = document.querySelector('[data-mindfulauth-form="verify-magic-link"]');
+    if (!form) return;
+    const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+    if (!messageEl) return;
+    const twoFACodeEl = form.querySelector('[data-mindfulauth-field="twofa-code"]');
+    const submitBtn = form.querySelector('button[type="submit"]');
+
+    // Skip API call on localhost to prevent production logs pollution
+    const hostname = window.location.hostname;
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname.endsWith('.local')) {
+        messageEl.textContent = 'Magic link verification skipped on localhost.';
+        console.log('[Verify Magic Link] Skipping API call on localhost');
+        if (form) form.style.display = 'none';
+        return;
+    }
+
+    const { recordid, token } = getPathParams();
+
+    if (!recordid || !token) {
+        messageEl.textContent = "Invalid or expired magic link. Please request a new one.";
+        if (form) form.style.display = 'none';
+        return;
+    }
+
+    // Get Turnstile token
+    const turnstileToken = form.querySelector('[name="cf-turnstile-response"]')?.value;
+    if (!turnstileToken) {
+        messageEl.textContent = "Bot protection validation required.";
+        if (submitBtn) submitBtn.disabled = true;
+        return;
+    }
+
+    messageEl.textContent = "Verifying magic link...";
+    if (submitBtn) submitBtn.disabled = true;
+
+    try {
+        const requestBody = {
+            'cf-turnstile-response': turnstileToken
+        };
+
+        // Include 2FA code if provided
+        if (twoFACodeEl && twoFACodeEl.value) {
+            requestBody.twoFACode = twoFACodeEl.value;
+        }
+
+        const endpoint = `/auth/verify-magic-link/${recordid}/${token}`;
+        console.log('[Verify Magic Link] Making request to:', endpoint);
+        console.log('[Verify Magic Link] Request body:', requestBody);
+
+        const response = await window.apiFetch(endpoint, {
+            body: JSON.stringify(requestBody)
+        });
+
+        console.log('[Verify Magic Link] Response status:', response.status);
+        const result = await response.json();
+        console.log('[Verify Magic Link] Response body:', result);
+
+        // Check if 2FA is required
+        if (result.requires2FA) {
+            // Reset Turnstile to generate a fresh token for the 2FA submission
+            // (Turnstile tokens are single-use; first request consumed it)
+            window.turnstile?.reset();
+            
+            // Show the 2FA input field
+            const twoFAContainer = form.querySelector('[data-mindfulauth-field="twofa-code-container"]');
+            if (twoFAContainer) {
+                twoFAContainer.removeAttribute('hidden');
+                twoFAContainer.classList && twoFAContainer.classList.remove('hidden');
+                twoFAContainer.style.setProperty('display', 'block', 'important');
+                // Try common display values
+                if (window.getComputedStyle(twoFAContainer).display === 'none') {
+                    twoFAContainer.style.setProperty('display', 'flex', 'important');
+                }
+            }
+            if (twoFACodeEl) {
+                twoFACodeEl.focus();
+            }
+            messageEl.textContent = '2FA code is required to complete login.';
+            if (submitBtn) {
+                submitBtn.textContent = 'Verify 2FA Code';
+                submitBtn.disabled = false;
+            }
+            return;
+        }
+
+        if (result.success) {
+            console.log('[Verify Magic Link] Verification successful');
+            messageEl.textContent = result.message || 'Login successful! Redirecting...';
+            if (form) form.style.display = 'none';
+            
+            // Redirect to secure area (match login.js pattern)
+            if (result.redirect) {
+                console.log('[Verify Magic Link] Redirecting to:', result.redirect);
+                setTimeout(() => {
+                    window.location.assign(result.redirect);
+                }, 200);
+            }
+        } else {
+            console.error('[Verify Magic Link] Verification failed:', result.message);
+            throw new Error(result.message || 'Verification failed.');
+        }
+    } catch (error) {
+        console.error('[Verify Magic Link] Error:', error);
+        messageEl.textContent = `Error: ${error.message}`;
+        if (submitBtn) submitBtn.disabled = false;
+        window.turnstile?.reset();
+    }
+}
+
+// --- MAIN EXECUTION ---
+document.addEventListener('DOMContentLoaded', function() {
+    const form = document.querySelector('[data-mindfulauth-form="verify-magic-link"]');
+    if (!form) return;
+    
+    // Initialize message and disable button until Turnstile is ready
+    const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+    const submitBtn = form.querySelector('button[type="submit"]');
+    if (messageEl) {
+        messageEl.textContent = 'Loading bot protection...';
+    }
+    if (submitBtn) {
+        submitBtn.disabled = true;
+    }
+
+    // Initially hide 2FA field - it will be shown if needed
+    const twoFAContainer = form.querySelector('[data-mindfulauth-field="twofa-code-container"]');
+    if (twoFAContainer) {
+        twoFAContainer.style.display = 'none';
+    }
+
+    // Wait for Turnstile to be ready
+    let turnstileReady = false;
+    const checkTurnstile = setInterval(() => {
+        const turnstileToken = form.querySelector('[name="cf-turnstile-response"]')?.value;
+        if (turnstileToken) {
+            console.log('[Verify Magic Link] Turnstile token loaded - ready for user verification');
+            clearInterval(checkTurnstile);
+            turnstileReady = true;
+            const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+            if (messageEl) {
+                messageEl.textContent = 'Ready to verify. Click the button below to sign in.';
+            }
+            const submitBtn = form.querySelector('button[type="submit"]');
+            if (submitBtn) {
+                submitBtn.disabled = false;
+            }
+        }
+    }, 100);
+
+    // Check for Turnstile load every 500ms for up to 30 seconds
+    // (don't show error proactively - only if user tries to submit)
+    let turnstileCheckCount = 0;
+    const extendedCheckTurnstile = setInterval(() => {
+        const turnstileToken = form.querySelector('[name="cf-turnstile-response"]')?.value;
+        if (turnstileToken && !turnstileReady) {
+            clearInterval(extendedCheckTurnstile);
+            turnstileReady = true;
+            const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+            if (messageEl) {
+                messageEl.textContent = 'Ready to verify. Click the button below to sign in.';
+            }
+            const submitBtn = form.querySelector('button[type="submit"]');
+            if (submitBtn) {
+                submitBtn.disabled = false;
+            }
+        }
+        turnstileCheckCount++;
+        // Stop checking after 30 seconds
+        if (turnstileCheckCount > 60) {
+            clearInterval(extendedCheckTurnstile);
+        }
+    }, 500);
+
+    // Also handle explicit form submission (for 2FA code entry)
+    form.addEventListener('submit', handleVerifyMagicLinkSubmit);
+});
+</script>

package/dist/astro/index.d.ts

@@ -0,0 +1,13 @@
+export { default as MAuthMainScript } from './MainScript.astro';
+export { default as MAuthTurnstileInit } from './TurnstileInit.astro';
+export { default as MAuthLoginScript } from './LoginScript.astro';
+export { default as MAuthRegisterPasswordScript } from './RegisterPasswordScript.astro';
+export { default as MAuthForgotPasswordScript } from './ForgotPasswordScript.astro';
+export { default as MAuthMagicLoginScript } from './MagicLoginScript.astro';
+export { default as MAuthMagicRegisterScript } from './MagicRegisterScript.astro';
+export { default as MAuthResendVerificationScript } from './ResendVerificationScript.astro';
+export { default as MAuthResetPasswordScript } from './ResetPasswordScript.astro';
+export { default as MAuthVerifyEmailScript } from './VerifyEmailScript.astro';
+export { default as MAuthVerifyMagicLinkScript } from './VerifyMagicLinkScript.astro';
+export { default as MAuthSecurityScript } from './SecurityScript.astro';
+//# sourceMappingURL=index.d.ts.map

package/dist/astro/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/astro/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,OAAO,IAAI,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAChE,OAAO,EAAE,OAAO,IAAI,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AACtE,OAAO,EAAE,OAAO,IAAI,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAClE,OAAO,EAAE,OAAO,IAAI,2BAA2B,EAAE,MAAM,gCAAgC,CAAC;AACxF,OAAO,EAAE,OAAO,IAAI,yBAAyB,EAAE,MAAM,8BAA8B,CAAC;AACpF,OAAO,EAAE,OAAO,IAAI,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,OAAO,IAAI,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AAClF,OAAO,EAAE,OAAO,IAAI,6BAA6B,EAAE,MAAM,kCAAkC,CAAC;AAC5F,OAAO,EAAE,OAAO,IAAI,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AAClF,OAAO,EAAE,OAAO,IAAI,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAC9E,OAAO,EAAE,OAAO,IAAI,0BAA0B,EAAE,MAAM,+BAA+B,CAAC;AACtF,OAAO,EAAE,OAAO,IAAI,mBAAmB,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/astro/index.js

@@ -0,0 +1,15 @@
+// Mindful Auth - Astro Components Barrel Export
+// Usage: import { MAuthLoginScript, MAuthTurnstileInit } from '@mindfulauth/astro';
+//    or: import MAuthLoginScript from '@mindfulauth/astro/LoginScript.astro';
+export { default as MAuthMainScript } from './MainScript.astro';
+export { default as MAuthTurnstileInit } from './TurnstileInit.astro';
+export { default as MAuthLoginScript } from './LoginScript.astro';
+export { default as MAuthRegisterPasswordScript } from './RegisterPasswordScript.astro';
+export { default as MAuthForgotPasswordScript } from './ForgotPasswordScript.astro';
+export { default as MAuthMagicLoginScript } from './MagicLoginScript.astro';
+export { default as MAuthMagicRegisterScript } from './MagicRegisterScript.astro';
+export { default as MAuthResendVerificationScript } from './ResendVerificationScript.astro';
+export { default as MAuthResetPasswordScript } from './ResetPasswordScript.astro';
+export { default as MAuthVerifyEmailScript } from './VerifyEmailScript.astro';
+export { default as MAuthVerifyMagicLinkScript } from './VerifyMagicLinkScript.astro';
+export { default as MAuthSecurityScript } from './SecurityScript.astro';

package/dist/core/auth-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../../src/core/auth-handler.ts"],"names":[],"mappings":"AAoEA,2EAA2E;AAC3E,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CA6BpH;AAED,gEAAgE;AAChE,wBAAsB,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAyDrH"}

package/dist/{auth-handler.js → core/auth-handler.js}

@@ -1,7 +1,8 @@
 // Auth proxy handler for Mindful Auth
 // Forwards authentication requests to the central Mindful Auth service
-import { CENTRAL_AUTH_ORIGIN, ALLOWED_AUTH_METHODS, MAX_BODY_SIZE_BYTES, AUTH_PROXY_TIMEOUT_MS } from './config';
-import { sanitizeEndpoint } from './security';
+import { env } from 'cloudflare:workers';
+import { CENTRAL_AUTH_ORIGIN, ALLOWED_AUTH_METHODS, MAX_BODY_SIZE_BYTES, AUTH_PROXY_TIMEOUT_MS } from './config.js';
+import { sanitizeEndpoint } from './security.js';
 const JSON_HEADERS = { 'Content-Type': 'application/json' };
 const jsonError = (error, status) => new Response(JSON.stringify({ error }), { status, headers: JSON_HEADERS });
 /** Build proxy headers from incoming request */
@@ -60,7 +61,8 @@ function buildResponse(data, status, cookie) {
 }
 /** Handle GET requests (email verification, password reset links, etc.) */
 export async function handleAuthGet(rawEndpoint, request, url, locals) {
-    const internalApiKey = locals?.runtime?.env?.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
+    // ASTRO 6 CHANGE: Environment variables accessed from 'cloudflare:workers' env directly.
+    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
     if (!internalApiKey)
         console.error('[auth-handler] INTERNAL_API_KEY not configured');
     const endpoint = sanitizeEndpoint(rawEndpoint);
@@ -94,7 +96,8 @@ export async function handleAuthPost(rawEndpoint, request, url, locals) {
     const contentLength = request.headers.get('content-length');
     if (contentLength && parseInt(contentLength) > MAX_BODY_SIZE_BYTES)
         return jsonError('Payload too large', 413);
-    const internalApiKey = locals?.runtime?.env?.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
+    // ASTRO 6 CHANGE: Environment variables accessed from 'cloudflare:workers' env directly.
+    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
     if (!internalApiKey)
         console.error('[auth-handler] INTERNAL_API_KEY not configured');
     const endpoint = sanitizeEndpoint(rawEndpoint);

package/dist/{auth.d.ts → core/auth.d.ts}

@@ -1,4 +1,4 @@
-import type { SessionValidationResult } from './types';
+import type { SessionValidationResult } from './types.js';
 /** Validate session with Mindful Auth central service */
 export declare function validateSession(request: Request, tenantDomain: string, pathname: string, internalApiKey: string): Promise<SessionValidationResult>;
 /** Validate memberid in URL matches session (or just check structure if sessionRecordId is null) */

package/dist/core/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/core/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAE1D,yDAAyD;AACzD,wBAAsB,eAAe,CACjC,OAAO,EAAE,OAAO,EAChB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GACvB,OAAO,CAAC,uBAAuB,CAAC,CAsClC;AAED,oGAAoG;AACpG,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,IAAI,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAAE,CAerI"}

package/dist/{auth.js → core/auth.js}

@@ -1,5 +1,5 @@
 // Authentication and session validation for Mindful Auth
-import { CENTRAL_AUTH_ORIGIN, SESSION_VALIDATION_TIMEOUT_MS } from './config';
+import { CENTRAL_AUTH_ORIGIN, SESSION_VALIDATION_TIMEOUT_MS } from './config.js';
 /** Validate session with Mindful Auth central service */
 export async function validateSession(request, tenantDomain, pathname, internalApiKey) {
     const sessionId = request.headers.get('Cookie')?.match(/session_id=([^;]+)/)?.[1];

package/dist/core/config.d.ts

@@ -0,0 +1,47 @@
+export declare const CENTRAL_AUTH_ORIGIN = "https://api.mindfulauth.com";
+export declare const ALLOWED_AUTH_METHODS: string[];
+export declare const MAX_BODY_SIZE_BYTES = 1048576;
+export declare const AUTH_PROXY_TIMEOUT_MS = 15000;
+export declare const SESSION_VALIDATION_TIMEOUT_MS = 10000;
+/**
+ * Returns the combined list of assets to skip session validation for.
+ * Merges defaults with any custom assets configured via mauthSecurityConfig() in astro.config.mjs.
+ */
+export declare function GET_SKIP_ASSETS(): string[];
+/**
+ * Configure Mindful Auth security settings including custom skip assets.
+ * Call in astro.config.mjs and pass the result to getMauthViteDefines().
+ *
+ * @example
+ * // astro.config.mjs
+ * const mauthCfg = mauthSecurityConfig({
+ *   skipAssets: ['/sitemap.xml', '/manifest.webmanifest']
+ * });
+ *
+ * export default defineConfig({
+ *   vite: { define: getMauthViteDefines(mauthCfg) }
+ * });
+ */
+export declare function mauthSecurityConfig(options?: {
+    skipAssets?: string[];
+}): typeof options;
+/**
+ * Converts the result of mauthSecurityConfig() into Vite define entries.
+ * Pass the output to vite.define in astro.config.mjs so custom values are
+ * baked into the SSR bundle at build time.
+ */
+export declare function getMauthViteDefines(options?: {
+    skipAssets?: string[];
+}): Record<string, string>;
+export declare const PUBLIC_ROUTES: string[];
+export declare const PUBLIC_PREFIXES: string[];
+/**
+ * Returns security headers to be added to every SSR response.
+ * CSP (Content-Security-Policy) for script-src and style-src is handled by
+ * Astro 6's native security.csp in astro.config.mjs using hashes.
+ * The remaining headers here cover transport security, framing, and permissions.
+ *
+ * Note: X-Frame-Options: DENY prevents this portal from being embedded in iframes on any domain, protecting against clickjacking attacks.
+ */
+export declare function GET_SECURITY_HEADERS(): Record<string, string>;
+//# sourceMappingURL=config.d.ts.map

package/dist/core/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AAGjE,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAIzB;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AAMF;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAU7D"}

package/dist/core/config.js

@@ -0,0 +1,95 @@
+// ============================================================================
+// Configuration for the Astro Portal
+// ============================================================================
+// API Endpoints
+export const CENTRAL_AUTH_ORIGIN = 'https://api.mindfulauth.com';
+// Request & Timeout Configuration
+export const ALLOWED_AUTH_METHODS = ['GET', 'POST'];
+export const MAX_BODY_SIZE_BYTES = 1048576; // 1MB limit
+export const AUTH_PROXY_TIMEOUT_MS = 15000;
+export const SESSION_VALIDATION_TIMEOUT_MS = 10000;
+// ============================================================================
+// Static Assets & Route Configuration
+// ============================================================================
+// Static assets to skip session validation (favicon, robots.txt, etc.)
+// SECURITY CRITICAL: Only add actual static file requests here.
+// Examples of safe entries: /favicon.ico, /robots.txt, /sitemap.xml
+// NEVER add application routes like [memberid]/dashboard,  [memberid]/profile,  [memberid]/secure/* - this COMPLETELY bypasses authentication. If you add a route here, unauthenticated users can access it without logging in.
+const DEFAULT_SKIP_ASSETS = ['/favicon.ico', '/robots.txt', '/.well-known/security.txt'];
+/**
+ * Returns the combined list of assets to skip session validation for.
+ * Merges defaults with any custom assets configured via mauthSecurityConfig() in astro.config.mjs.
+ */
+export function GET_SKIP_ASSETS() {
+    return [...DEFAULT_SKIP_ASSETS, ...__MAUTH_SKIP_ASSETS__];
+}
+/**
+ * Configure Mindful Auth security settings including custom skip assets.
+ * Call in astro.config.mjs and pass the result to getMauthViteDefines().
+ *
+ * @example
+ * // astro.config.mjs
+ * const mauthCfg = mauthSecurityConfig({
+ *   skipAssets: ['/sitemap.xml', '/manifest.webmanifest']
+ * });
+ *
+ * export default defineConfig({
+ *   vite: { define: getMauthViteDefines(mauthCfg) }
+ * });
+ */
+export function mauthSecurityConfig(options) {
+    return options;
+}
+/**
+ * Converts the result of mauthSecurityConfig() into Vite define entries.
+ * Pass the output to vite.define in astro.config.mjs so custom values are
+ * baked into the SSR bundle at build time.
+ */
+export function getMauthViteDefines(options) {
+    return {
+        __MAUTH_SKIP_ASSETS__: JSON.stringify(options?.skipAssets ?? []),
+    };
+}
+// Public routes that do not require authentication
+// ⚠️ DO NOT EDIT - These are critical for the authentication system to work correctly
+export const PUBLIC_ROUTES = [
+    '/',
+    '/login',
+    '/register',
+    '/magic-login',
+    '/magic-register',
+    '/forgot-password',
+    '/resend-verification',
+];
+// Dynamic public routes (prefix matching)
+// ⚠️ DO NOT EDIT - These are critical for the authentication system to work correctly
+export const PUBLIC_PREFIXES = [
+    '/auth/',
+    '/email-verified/',
+    '/reset-password/',
+    '/verify-email/',
+    '/verify-magic-link/',
+    '/api/public/',
+];
+// ============================================================================
+// Security Headers
+// ============================================================================
+/**
+ * Returns security headers to be added to every SSR response.
+ * CSP (Content-Security-Policy) for script-src and style-src is handled by
+ * Astro 6's native security.csp in astro.config.mjs using hashes.
+ * The remaining headers here cover transport security, framing, and permissions.
+ *
+ * Note: X-Frame-Options: DENY prevents this portal from being embedded in iframes on any domain, protecting against clickjacking attacks.
+ */
+export function GET_SECURITY_HEADERS() {
+    return {
+        'X-Content-Type-Options': 'nosniff',
+        'X-Frame-Options': 'DENY',
+        'Referrer-Policy': 'strict-origin-when-cross-origin',
+        'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
+        'Permissions-Policy': 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()',
+        'Cross-Origin-Opener-Policy': 'same-origin',
+        'Cross-Origin-Resource-Policy': 'same-origin',
+    };
+}

package/dist/core/csp.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Scans the mindfulauth/astro/ directory at build time and returns SHA-384
+ * hashes for all <script is:inline> blocks found in .astro component files.
+ *
+ * Astro's static CSP analysis cannot resolve dynamically rendered components,
+ * so hashes must be declared manually in astro.config.mjs. This function
+ * computes them automatically so no manual maintenance is needed.
+ *
+ * When published as a package, this function resolves the astro/ directory
+ * relative to its own location — no consumer configuration required.
+ *
+ * @example
+ * // astro.config.mjs
+ * // import { getScriptHashes } from '@mindfulauth/core';
+ *
+ * scriptDirective: { hashes: getScriptHashes() }
+ */
+export declare function getScriptHashes(): string[];
+//# sourceMappingURL=csp.d.ts.map

package/dist/core/csp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp.d.ts","sourceRoot":"","sources":["../../src/core/csp.ts"],"names":[],"mappings":"AAWA;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAS1C"}

package/dist/core/csp.js

@@ -0,0 +1,36 @@
+// ============================================================================
+// Build-time CSP utilities for Mindful Auth
+// Import this in astro.config.mjs only — not at SSR runtime.
+// ============================================================================
+import { readFileSync, readdirSync } from 'fs';
+import { createHash } from 'crypto';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+/**
+ * Scans the mindfulauth/astro/ directory at build time and returns SHA-384
+ * hashes for all <script is:inline> blocks found in .astro component files.
+ *
+ * Astro's static CSP analysis cannot resolve dynamically rendered components,
+ * so hashes must be declared manually in astro.config.mjs. This function
+ * computes them automatically so no manual maintenance is needed.
+ *
+ * When published as a package, this function resolves the astro/ directory
+ * relative to its own location — no consumer configuration required.
+ *
+ * @example
+ * // astro.config.mjs
+ * // import { getScriptHashes } from '@mindfulauth/core';
+ *
+ * scriptDirective: { hashes: getScriptHashes() }
+ */
+export function getScriptHashes() {
+    const dir = join(__dirname, '../astro');
+    return readdirSync(dir)
+        .filter(f => f.endsWith('.astro'))
+        .flatMap(file => {
+        const content = readFileSync(join(dir, file), 'utf8');
+        return [...content.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/g)]
+            .map((m) => 'sha384-' + createHash('sha384').update(m[1], 'utf8').digest('base64'));
+    });
+}

package/dist/core/index.d.ts

@@ -0,0 +1,6 @@
+export * from './types.js';
+export * from './config.js';
+export * from './auth.js';
+export * from './security.js';
+export * from './csp.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/core/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAGA,cAAc,YAAY,CAAC;AAG3B,cAAc,aAAa,CAAC;AAG5B,cAAc,WAAW,CAAC;AAM1B,cAAc,eAAe,CAAC;AAQ9B,cAAc,UAAU,CAAC"}

package/dist/core/index.js

@@ -0,0 +1,17 @@
+// Mindful Auth Core - Main exports
+// Types
+export * from './types.js';
+// Configuration
+export * from './config.js';
+// Authentication
+export * from './auth.js';
+// Auth handler for API routes — NOT re-exported here.
+// auth-handler.ts imports 'cloudflare:workers' which is only available at runtime (SSR), not at config-load time. Import it directly where needed: import { handleAuthProxy } from './auth-handler.js';
+// Security utilities
+export * from './security.js';
+// Middleware — NOT re-exported here.
+// middleware.ts imports 'astro:middleware' and 'cloudflare:workers' which are
+// only available at runtime (SSR), not at config-load time.
+// Import it directly: import { onRequest } from './middleware.js';
+// Build-time CSP utilities
+export * from './csp.js';

package/dist/core/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/core/middleware.ts"],"names":[],"mappings":"AAqCA,eAAO,MAAM,SAAS,mCAqFpB,CAAC"}

package/dist/core/middleware.js

@@ -0,0 +1,108 @@
+// Global middleware for session validation
+// Runs before all route handlers to enforce authentication
+//
+// ASTRO 6 MIGRATION:
+// - Astro v6 removed context.locals.runtime.env. Env vars now import from 'cloudflare:workers'.
+// - cloudflare:workers is marked external in astro.config.vite.ssr to avoid esbuild scan errors.
+// - Dev mode bypass uses import.meta.env.DEV (build-time constant: true in dev, false in prod).
+import { defineMiddleware } from 'astro:middleware';
+import { env } from 'cloudflare:workers';
+import { PUBLIC_ROUTES, PUBLIC_PREFIXES, GET_SECURITY_HEADERS, GET_SKIP_ASSETS } from './config.js';
+import { sanitizePath } from './security.js';
+import { validateSession, validateMemberIdInUrl } from './auth.js';
+/** Check if a path is a public route (no auth required) */
+function isPublicRoute(pathname) {
+    return PUBLIC_ROUTES.includes(pathname) ||
+        PUBLIC_PREFIXES.some((prefix) => pathname.startsWith(prefix));
+}
+/** Add security headers to a response */
+// NOTE: In Cloudflare Workers, Response.headers is immutable.
+// We must create a new Response with a fresh Headers object instead of mutating.
+// CSP for script-src/style-src is handled by Astro 6's native security.csp (via <meta> tag).
+function addSecurityHeaders(response) {
+    const newHeaders = new Headers(response.headers);
+    Object.entries(GET_SECURITY_HEADERS()).forEach(([key, value]) => {
+        newHeaders.set(key, value);
+    });
+    return new Response(response.body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers: newHeaders,
+    });
+}
+// Main middleware function
+export const onRequest = defineMiddleware(async (context, next) => {
+    const { request, url, redirect, locals } = context;
+    const pathname = url.pathname;
+    // Redirect HTTP to HTTPS (skip in dev mode and localhost)
+    if (!import.meta.env.DEV && url.protocol === 'http:' && url.hostname !== 'localhost' && url.hostname !== '127.0.0.1') {
+        const httpsUrl = url.toString().replace('http://', 'https://');
+        return redirect(httpsUrl, 307);
+    }
+    // Skip middleware for static assets FIRST (before dev mode)
+    if (GET_SKIP_ASSETS().includes(pathname)) {
+        return next();
+    }
+    // DEV MODE: Skip auth
+    // import.meta.env.DEV is a build-time constant replaced by Vite:
+    // - true during local dev (never included in prod build)
+    // - false in production builds (tree-shaken out entirely)
+    // Localhost auth is skipped because Mindful Auth blocks localhost requests.
+    if (import.meta.env.DEV) {
+        // Check if public route first
+        if (isPublicRoute(pathname)) {
+            locals.recordId = null;
+            return next();
+        }
+        // For protected routes, extract or create mock recordId
+        // Match memberid with trailing slash
+        const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
+        locals.recordId = match ? match[1] : 'dev-user-123';
+        return next();
+    }
+    // PREVIEW MODE: Skip auth (for testing without Mindful Auth on localhost)
+    // npm run preview builds the project first, so import.meta.env.DEV is false.
+    // We need a runtime check for localhost to simulate auth in preview.
+    if (url.hostname === 'localhost' || url.hostname === '127.0.0.1') {
+        if (isPublicRoute(pathname)) {
+            locals.recordId = null;
+            return addSecurityHeaders(await next());
+        }
+        const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
+        locals.recordId = match ? match[1] : 'preview-user-123';
+        return addSecurityHeaders(await next());
+    }
+    // Sanitize path
+    const safePath = sanitizePath(pathname);
+    if (!safePath) {
+        return new Response('Bad Request', { status: 400 });
+    }
+    // Public routes - no auth needed
+    if (isPublicRoute(safePath)) {
+        locals.recordId = null;
+        return addSecurityHeaders(await next());
+    }
+    // Protected route - validate session
+    // ASTRO 6 CHANGE: Environment variables are accessed directly from 'cloudflare:workers' env,
+    // not from context.locals.runtime.env (which was removed).
+    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
+    if (!internalApiKey) {
+        console.error('[middleware] CRITICAL: INTERNAL_API_KEY not configured');
+        return new Response('Internal Server Error', { status: 500 });
+    }
+    // URL must have memberid
+    if (!validateMemberIdInUrl(safePath, null).valid) {
+        return new Response('Forbidden: URL must include memberid', { status: 403 });
+    }
+    // Validate session
+    const session = await validateSession(request, url.hostname, safePath, internalApiKey);
+    if (!session.valid) {
+        return redirect('/login');
+    }
+    // Validate memberid matches session
+    if (!validateMemberIdInUrl(safePath, session.recordId).valid) {
+        return new Response('Forbidden: Invalid user ID in URL', { status: 403 });
+    }
+    locals.recordId = session.recordId;
+    return addSecurityHeaders(await next());
+});

package/dist/core/security.d.ts

@@ -0,0 +1,5 @@
+/** Sanitize endpoint path (prevents ../ traversal and encoded variants) */
+export declare function sanitizeEndpoint(endpoint: string): string | null;
+/** Sanitize URL path (prevents ../ traversal and encoded variants) */
+export declare function sanitizePath(pathname: string): string | null;
+//# sourceMappingURL=security.d.ts.map

package/dist/core/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/core/security.ts"],"names":[],"mappings":"AAkBA,2EAA2E;AAC3E,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAIhE;AAED,sEAAsE;AACtE,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAI5D"}