@mindfulauth/core 1.2.1 → 2.0.0-beta.2

package/README.md

@@ -1,18 +1,6 @@
-# @mindful-auth/core
+# @mindful-auth/core - ASTRO 6 Beta
 
-Core authentication library for Mindful Auth, designed for Astro applications.
-
-Install Mindful Auth Astro template here https://docs.mindfulauth.com/guides/frontend/astro/astro-setup/
-
-## Features
-
-- 🔐 Session validation and management
-- 🛡️ Security headers (CSP, HSTS, etc.)
-- 🚦 Public/protected route handling
-- 🔄 Auth proxy for login, registration, 2FA, etc.
-- 🛠️ Path traversal protection
-- ⚡ Built for Cloudflare Workers & Astro SSR
+Core authentication library for Mindful Auth, designed for Astro 6 applications.
 
 ## License
-
 MIT

package/dist/auth-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../src/auth-handler.ts"],"names":[],"mappings":"AAmEA,2EAA2E;AAC3E,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CA4BpH;AAED,gEAAgE;AAChE,wBAAsB,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAwDrH"}
+{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../src/auth-handler.ts"],"names":[],"mappings":"AAwEA,2EAA2E;AAC3E,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CA6BpH;AAED,gEAAgE;AAChE,wBAAsB,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAyDrH"}

package/dist/auth-handler.js

@@ -1,5 +1,10 @@
 // Auth proxy handler for Mindful Auth
 // Forwards authentication requests to the central Mindful Auth service
+//
+// ASTRO 6 MIGRATION:
+// - Astro v6 removed context.locals.runtime.env. Env vars now import from 'cloudflare:workers'.
+// - Note: @cloudflare/workers-types must be installed and referenced in env.d.ts.
+import { env } from 'cloudflare:workers';
 import { CENTRAL_AUTH_ORIGIN, ALLOWED_AUTH_METHODS, MAX_BODY_SIZE_BYTES, AUTH_PROXY_TIMEOUT_MS } from './config';
 import { sanitizeEndpoint } from './security';
 const JSON_HEADERS = { 'Content-Type': 'application/json' };
@@ -60,7 +65,8 @@ function buildResponse(data, status, cookie) {
 }
 /** Handle GET requests (email verification, password reset links, etc.) */
 export async function handleAuthGet(rawEndpoint, request, url, locals) {
-    const internalApiKey = locals?.runtime?.env?.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
+    // ASTRO 6 CHANGE: Environment variables accessed from 'cloudflare:workers' env directly.
+    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
     if (!internalApiKey)
         console.error('[auth-handler] INTERNAL_API_KEY not configured');
     const endpoint = sanitizeEndpoint(rawEndpoint);
@@ -94,7 +100,8 @@ export async function handleAuthPost(rawEndpoint, request, url, locals) {
     const contentLength = request.headers.get('content-length');
     if (contentLength && parseInt(contentLength) > MAX_BODY_SIZE_BYTES)
         return jsonError('Payload too large', 413);
-    const internalApiKey = locals?.runtime?.env?.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
+    // ASTRO 6 CHANGE: Environment variables accessed from 'cloudflare:workers' env directly.
+    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
     if (!internalApiKey)
         console.error('[auth-handler] INTERNAL_API_KEY not configured');
     const endpoint = sanitizeEndpoint(rawEndpoint);

package/dist/config.d.ts

@@ -1,5 +1,5 @@
-export declare const CENTRAL_AUTH_ORIGIN = "https://api.mindfulauth.com";
-export declare const CDN_ORIGIN = "https://cdn.mindfulauth.com";
+export declare const CENTRAL_AUTH_ORIGIN = "https://dev-api.mindfulauth.com";
+export declare const CDN_ORIGIN = "https://dev-cdn.mindfulauth.com";
 export declare const ALLOWED_AUTH_METHODS: string[];
 export declare const MAX_BODY_SIZE_BYTES = 1048576;
 export declare const AUTH_PROXY_TIMEOUT_MS = 15000;
@@ -59,11 +59,6 @@ export declare function getMauthViteDefines(options?: {
 /**
  * Get security headers with CSP sources merged from defaults and build-time
  * custom values injected via vite.define (from getMauthViteDefines()).
- *
- * Pass the per-request `nonce` generated by `generateNonce()` so the
- * Content-Security-Policy includes `'nonce-<value>'` in `script-src`.
- * The same nonce must be set as the `nonce` attribute on every inline
- * `<script>` tag (available via `Astro.locals.cspNonce` in layouts).
  */
 export declare function GET_SECURITY_HEADERS(nonce?: string): Record<string, string>;
 //# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,UAAU,gCAAgC,CAAC;AAGxD,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AA0CF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQzB;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAiD3E"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,oCAAoC,CAAC;AACrE,eAAO,MAAM,UAAU,oCAAoC,CAAC;AAG5D,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AA0CF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQzB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAiD3E"}

package/dist/config.js

@@ -2,8 +2,8 @@
 // Configuration for the Astro Portal
 // ============================================================================
 // API Endpoints
-export const CENTRAL_AUTH_ORIGIN = 'https://api.mindfulauth.com';
-export const CDN_ORIGIN = 'https://cdn.mindfulauth.com';
+export const CENTRAL_AUTH_ORIGIN = 'https://dev-api.mindfulauth.com';
+export const CDN_ORIGIN = 'https://dev-cdn.mindfulauth.com';
 // Request & Timeout Configuration
 export const ALLOWED_AUTH_METHODS = ['GET', 'POST'];
 export const MAX_BODY_SIZE_BYTES = 1048576; // 1MB limit
@@ -55,14 +55,14 @@ const DEFAULT_SCRIPT_SOURCES = [
     "'self'",
     'https://*.cloudflare.com',
     'https://*.cloudflareinsights.com',
-    'https://cdn.mindfulauth.com',
-    'https://api.mindfulauth.com'
+    'https://dev-cdn.mindfulauth.com',
+    'https://dev-api.mindfulauth.com'
 ];
 // Default allowed connection sources for CSP
 const DEFAULT_CONNECT_SOURCES = [
     "'self'",
     'https://*.cloudflare.com',
-    'https://api.mindfulauth.com'
+    'https://dev-api.mindfulauth.com'
 ];
 // Default allowed frame sources for CSP
 const DEFAULT_FRAME_SOURCES = [
@@ -116,11 +116,6 @@ export function getMauthViteDefines(options) {
 /**
  * Get security headers with CSP sources merged from defaults and build-time
  * custom values injected via vite.define (from getMauthViteDefines()).
- *
- * Pass the per-request `nonce` generated by `generateNonce()` so the
- * Content-Security-Policy includes `'nonce-<value>'` in `script-src`.
- * The same nonce must be set as the `nonce` attribute on every inline
- * `<script>` tag (available via `Astro.locals.cspNonce` in layouts).
  */
 export function GET_SECURITY_HEADERS(nonce) {
     // Custom sources are baked in at build time via vite.define

package/dist/index.d.ts

@@ -3,5 +3,5 @@ export * from './config';
 export * from './auth';
 export * from './auth-handler';
 export * from './security';
-export { onRequest } from './middleware';
+export * from './middleware';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC;AAGzB,cAAc,QAAQ,CAAC;AAGvB,cAAc,gBAAgB,CAAC;AAG/B,cAAc,YAAY,CAAC;AAG3B,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC;AAGzB,cAAc,QAAQ,CAAC;AAGvB,cAAc,gBAAgB,CAAC;AAG/B,cAAc,YAAY,CAAC;AAG3B,cAAc,cAAc,CAAC"}

package/dist/index.js

@@ -9,5 +9,5 @@ export * from './auth';
 export * from './auth-handler';
 // Security utilities
 export * from './security';
-// Middleware (also available via '@mindful-auth/core/middleware')
-export { onRequest } from './middleware';
+// Middleware  
+export * from './middleware';

package/dist/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAuBA,eAAO,MAAM,SAAS,mCAmEpB,CAAC"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAoCA,eAAO,MAAM,SAAS,mCAuEpB,CAAC"}

package/dist/middleware.js

@@ -1,6 +1,12 @@
 // Global middleware for session validation
 // Runs before all route handlers to enforce authentication
+//
+// ASTRO 6 MIGRATION:
+// - Astro v6 removed context.locals.runtime.env. Env vars now import from 'cloudflare:workers'.
+// - cloudflare:workers is marked external in astro.config.vite.ssr to avoid esbuild scan errors.
+// - Dev mode bypass uses import.meta.env.DEV (build-time constant: true in dev, false in prod).
 import { defineMiddleware } from 'astro:middleware';
+import { env } from 'cloudflare:workers';
 import { PUBLIC_ROUTES, PUBLIC_PREFIXES, GET_SECURITY_HEADERS, GET_SKIP_ASSETS } from './config';
 import { sanitizePath, generateNonce } from './security';
 import { validateSession, validateMemberIdInUrl } from './auth';
@@ -9,37 +15,47 @@ function isPublicRoute(pathname) {
     return PUBLIC_ROUTES.includes(pathname) ||
         PUBLIC_PREFIXES.some(prefix => pathname.startsWith(prefix));
 }
-/** Add security headers (including CSP nonce) to a response */
+/** Add security headers to a response */
+// NOTE: In Cloudflare Workers, Response.headers is immutable.
+// We must create a new Response with a fresh Headers object instead of mutating.
 function addSecurityHeaders(response, nonce) {
+    const newHeaders = new Headers(response.headers);
     Object.entries(GET_SECURITY_HEADERS(nonce)).forEach(([key, value]) => {
-        response.headers.set(key, value);
+        newHeaders.set(key, value);
+    });
+    return new Response(response.body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers: newHeaders,
     });
-    return response;
 }
 // Main middleware function
 export const onRequest = defineMiddleware(async (context, next) => {
     const { request, url, redirect, locals } = context;
     const pathname = url.pathname;
-    // Type assertion for locals (users should extend App.Locals in their project)
-    const authLocals = locals;
     // Generate a per-request nonce for CSP. Exposed as locals.cspNonce so
     // layouts can add nonce={Astro.locals.cspNonce} to inline <script> tags.
     const nonce = generateNonce();
-    authLocals.cspNonce = nonce;
+    locals.cspNonce = nonce;
     // Skip middleware for static assets FIRST (before dev mode)
     if (GET_SKIP_ASSETS().includes(pathname)) {
         return next();
     }
-    // DEV MODE: Skip auth on localhost
-    if (import.meta.env.DEV && (url.hostname === 'localhost' || url.hostname === '127.0.0.1')) {
+    // DEV MODE: Skip auth
+    // import.meta.env.DEV is a build-time constant replaced by Vite:
+    // - true during local dev (never included in prod build)
+    // - false in production builds (tree-shaken out entirely)
+    // Localhost auth is skipped because Mindful Auth blocks localhost requests.
+    if (import.meta.env.DEV) {
+        // Check if public route first
         if (isPublicRoute(pathname)) {
-            authLocals.recordId = null;
+            locals.recordId = null;
             return next();
         }
         // For protected routes, extract or create mock recordId
         // Match memberid with trailing slash
         const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
-        authLocals.recordId = match ? match[1] : 'dev-user-123';
+        locals.recordId = match ? match[1] : 'dev-user-123';
         return next();
     }
     // Sanitize path
@@ -49,11 +65,13 @@ export const onRequest = defineMiddleware(async (context, next) => {
     }
     // Public routes - no auth needed
     if (isPublicRoute(safePath)) {
-        authLocals.recordId = null;
+        locals.recordId = null;
         return addSecurityHeaders(await next(), nonce);
     }
     // Protected route - validate session
-    const internalApiKey = authLocals.runtime?.env?.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
+    // ASTRO 6 CHANGE: Environment variables are accessed directly from 'cloudflare:workers' env,
+    // not from context.locals.runtime.env (which was removed).
+    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
     if (!internalApiKey) {
         console.error('[middleware] CRITICAL: INTERNAL_API_KEY not configured');
         return new Response('Internal Server Error', { status: 500 });
@@ -71,6 +89,6 @@ export const onRequest = defineMiddleware(async (context, next) => {
     if (!validateMemberIdInUrl(safePath, session.recordId).valid) {
         return new Response('Forbidden: Invalid user ID in URL', { status: 403 });
     }
-    authLocals.recordId = session.recordId;
+    locals.recordId = session.recordId;
     return addSecurityHeaders(await next(), nonce);
 });

package/dist/types.d.ts

@@ -1,7 +1,7 @@
 import type { MiddlewareHandler } from 'astro';
 export interface MindfulAuthLocals {
     recordId: string | null;
-    cspNonce?: string;
+    cspNonce: string;
     runtime?: {
         env?: {
             INTERNAL_API_KEY?: string;

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE;QACR,GAAG,CAAC,EAAE;YACJ,gBAAgB,CAAC,EAAE,MAAM,CAAC;SAC3B,CAAC;KACH,CAAC;CACH;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE;QACR,GAAG,CAAC,EAAE;YACJ,gBAAgB,CAAC,EAAE,MAAM,CAAC;SAC3B,CAAC;KACH,CAAC;CACH;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}

package/dist/types.js

@@ -1,2 +1,3 @@
 // Type definitions for Mindful Auth
+/// <reference types="@cloudflare/workers-types" />
 export {};

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@mindfulauth/core",
-  "version": "1.2.1",
-  "description": "Mindful Auth core authentication library for Astro",
+  "version": "2.0.0-beta.2",
+  "description": "Mindful Auth core authentication library for Astro 6",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -42,10 +42,11 @@
   "author": "Mindful Auth",
   "license": "MIT",
   "peerDependencies": {
-    "astro": "^5.0.0"
+    "astro": "^6.0.0-beta.14"
   },
   "devDependencies": {
-    "astro": "^5.17.3",
+    "@cloudflare/workers-types": "^4.20260303.0",
+    "astro": "^6.0.0-beta.14",
     "typescript": "^5.9.3"
   }
-}
+}