@mindfulauth/core 1.2.1 → 2.0.0-beta.3

package/README.md

@@ -1,18 +1,6 @@
-# @mindful-auth/core
+# @mindful-auth/core - ASTRO 6 Beta
 
-Core authentication library for Mindful Auth, designed for Astro applications.
-
-Install Mindful Auth Astro template here https://docs.mindfulauth.com/guides/frontend/astro/astro-setup/
-
-## Features
-
-- 🔐 Session validation and management
-- 🛡️ Security headers (CSP, HSTS, etc.)
-- 🚦 Public/protected route handling
-- 🔄 Auth proxy for login, registration, 2FA, etc.
-- 🛠️ Path traversal protection
-- ⚡ Built for Cloudflare Workers & Astro SSR
+Core authentication library for Mindful Auth, designed for Astro 6 applications.
 
 ## License
-
 MIT

package/dist/auth-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../src/auth-handler.ts"],"names":[],"mappings":"AAmEA,2EAA2E;AAC3E,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CA4BpH;AAED,gEAAgE;AAChE,wBAAsB,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAwDrH"}
+{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../src/auth-handler.ts"],"names":[],"mappings":"AAwEA,2EAA2E;AAC3E,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CA6BpH;AAED,gEAAgE;AAChE,wBAAsB,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAyDrH"}

package/dist/auth-handler.js

@@ -1,5 +1,10 @@
 // Auth proxy handler for Mindful Auth
 // Forwards authentication requests to the central Mindful Auth service
+//
+// ASTRO 6 MIGRATION:
+// - Astro v6 removed context.locals.runtime.env. Env vars now import from 'cloudflare:workers'.
+// - Note: @cloudflare/workers-types must be installed and referenced in env.d.ts.
+import { env } from 'cloudflare:workers';
 import { CENTRAL_AUTH_ORIGIN, ALLOWED_AUTH_METHODS, MAX_BODY_SIZE_BYTES, AUTH_PROXY_TIMEOUT_MS } from './config';
 import { sanitizeEndpoint } from './security';
 const JSON_HEADERS = { 'Content-Type': 'application/json' };
@@ -60,7 +65,8 @@ function buildResponse(data, status, cookie) {
 }
 /** Handle GET requests (email verification, password reset links, etc.) */
 export async function handleAuthGet(rawEndpoint, request, url, locals) {
-    const internalApiKey = locals?.runtime?.env?.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
+    // ASTRO 6 CHANGE: Environment variables accessed from 'cloudflare:workers' env directly.
+    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
     if (!internalApiKey)
         console.error('[auth-handler] INTERNAL_API_KEY not configured');
     const endpoint = sanitizeEndpoint(rawEndpoint);
@@ -94,7 +100,8 @@ export async function handleAuthPost(rawEndpoint, request, url, locals) {
     const contentLength = request.headers.get('content-length');
     if (contentLength && parseInt(contentLength) > MAX_BODY_SIZE_BYTES)
         return jsonError('Payload too large', 413);
-    const internalApiKey = locals?.runtime?.env?.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
+    // ASTRO 6 CHANGE: Environment variables accessed from 'cloudflare:workers' env directly.
+    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
     if (!internalApiKey)
         console.error('[auth-handler] INTERNAL_API_KEY not configured');
     const endpoint = sanitizeEndpoint(rawEndpoint);

package/dist/config.d.ts

@@ -15,6 +15,10 @@ export declare const PUBLIC_PREFIXES: string[];
  * Configure Mindful Auth security settings including CSP sources and static
  * assets to skip. Returns the options to be passed to getMauthViteDefines().
  *
+ *  IMPORTANT: A nonce must be provided for inline styles to work. Without a nonce, inline styles will be blocked by CSP. If you need 'unsafe-inline' for development or testing, explicitly add it to styleSources in mauthSecurityConfig().
+ *
+ * IMPORTANT: Do not use Astro 6 security.csp in astro.config.mjs alongside this function. Astro's CSP will override these headers. Use mauthSecurityConfig() exclusively.
+ *
  * Call in astro.config.mjs and pass the result to vite.define:
  *
  * @example
@@ -25,7 +29,15 @@ export declare const PUBLIC_PREFIXES: string[];
  *     scriptSources: ['https://analytics.example.com'],
  *     connectSources: ['https://api.example.com'],
  *     frameSources: ['https://stripe.com'],
- *     fontSources: ['https://fonts.googleapis.com']
+ *     fontSources: ['https://fonts.googleapis.com'],
+ *     styleSources: ['https://cdn.example.com/styles'],
+ *     imageSources: ['https://images.example.com'],
+ *     frameAncestors: ["'self'"],
+ *     workerSources: ["'self'"],
+ *     manifestSources: ["'self'"],
+ *     objectSources: ["'none'"],
+ *     baseUris: ["'self'"],
+ *     formActions: ["'self'"]
  *   }
  * });
  *
@@ -40,6 +52,14 @@ export declare function mauthSecurityConfig(options?: {
         connectSources?: string[];
         frameSources?: string[];
         fontSources?: string[];
+        styleSources?: string[];
+        imageSources?: string[];
+        frameAncestors?: string[];
+        workerSources?: string[];
+        manifestSources?: string[];
+        objectSources?: string[];
+        baseUris?: string[];
+        formActions?: string[];
     };
 }): typeof options;
 /**
@@ -54,16 +74,15 @@ export declare function getMauthViteDefines(options?: {
         connectSources?: string[];
         frameSources?: string[];
         fontSources?: string[];
+        styleSources?: string[];
+        imageSources?: string[];
+        frameAncestors?: string[];
+        workerSources?: string[];
+        manifestSources?: string[];
+        objectSources?: string[];
+        baseUris?: string[];
+        formActions?: string[];
     };
 }): Record<string, string>;
-/**
- * Get security headers with CSP sources merged from defaults and build-time
- * custom values injected via vite.define (from getMauthViteDefines()).
- *
- * Pass the per-request `nonce` generated by `generateNonce()` so the
- * Content-Security-Policy includes `'nonce-<value>'` in `script-src`.
- * The same nonce must be set as the `nonce` attribute on every inline
- * `<script>` tag (available via `Astro.locals.cspNonce` in layouts).
- */
 export declare function GET_SECURITY_HEADERS(nonce?: string): Record<string, string>;
 //# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,UAAU,gCAAgC,CAAC;AAGxD,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AA0CF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQzB;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAiD3E"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,UAAU,gCAAgC,CAAC;AAGxD,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AA2FF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAgBzB;AAED,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CA2E3E"}

package/dist/config.js

@@ -74,10 +74,47 @@ const DEFAULT_FONT_SOURCES = [
     "'self'",
     'data:'
 ];
+// Default allowed style sources for CSP
+const DEFAULT_STYLE_SOURCES = [
+    "'self'",
+];
+// Default allowed image sources for CSP
+const DEFAULT_IMAGE_SOURCES = [
+    "'self'",
+    'https:'
+];
+// Default allowed frame ancestors for CSP (clickjacking protection)
+const DEFAULT_FRAME_ANCESTORS = [
+    "'self'"
+];
+// Default allowed worker sources for CSP (Web Workers, Service Workers)
+const DEFAULT_WORKER_SOURCES = [
+    "'self'"
+];
+// Default allowed manifest sources for CSP (web app manifest)
+const DEFAULT_MANIFEST_SOURCES = [
+    "'self'"
+];
+// Default allowed object sources for CSP (disallow plugins like Flash/Java)
+const DEFAULT_OBJECT_SOURCES = [
+    "'none'"
+];
+// Default allowed base URIs for CSP
+const DEFAULT_BASE_URIS = [
+    "'self'"
+];
+// Default allowed form actions for CSP
+const DEFAULT_FORM_ACTIONS = [
+    "'self'"
+];
 /**
  * Configure Mindful Auth security settings including CSP sources and static
  * assets to skip. Returns the options to be passed to getMauthViteDefines().
  *
+ *  IMPORTANT: A nonce must be provided for inline styles to work. Without a nonce, inline styles will be blocked by CSP. If you need 'unsafe-inline' for development or testing, explicitly add it to styleSources in mauthSecurityConfig().
+ *
+ * IMPORTANT: Do not use Astro 6 security.csp in astro.config.mjs alongside this function. Astro's CSP will override these headers. Use mauthSecurityConfig() exclusively.
+ *
  * Call in astro.config.mjs and pass the result to vite.define:
  *
  * @example
@@ -88,7 +125,15 @@ const DEFAULT_FONT_SOURCES = [
  *     scriptSources: ['https://analytics.example.com'],
  *     connectSources: ['https://api.example.com'],
  *     frameSources: ['https://stripe.com'],
- *     fontSources: ['https://fonts.googleapis.com']
+ *     fontSources: ['https://fonts.googleapis.com'],
+ *     styleSources: ['https://cdn.example.com/styles'],
+ *     imageSources: ['https://images.example.com'],
+ *     frameAncestors: ["'self'"],
+ *     workerSources: ["'self'"],
+ *     manifestSources: ["'self'"],
+ *     objectSources: ["'none'"],
+ *     baseUris: ["'self'"],
+ *     formActions: ["'self'"]
  *   }
  * });
  *
@@ -111,27 +156,39 @@ export function getMauthViteDefines(options) {
         __MAUTH_CONNECT_SOURCES__: JSON.stringify(options?.csp?.connectSources ?? []),
         __MAUTH_FRAME_SOURCES__: JSON.stringify(options?.csp?.frameSources ?? []),
         __MAUTH_FONT_SOURCES__: JSON.stringify(options?.csp?.fontSources ?? []),
+        __MAUTH_STYLE_SOURCES__: JSON.stringify(options?.csp?.styleSources ?? []),
+        __MAUTH_IMAGE_SOURCES__: JSON.stringify(options?.csp?.imageSources ?? []),
+        __MAUTH_FRAME_ANCESTORS__: JSON.stringify(options?.csp?.frameAncestors ?? []),
+        __MAUTH_WORKER_SOURCES__: JSON.stringify(options?.csp?.workerSources ?? []),
+        __MAUTH_MANIFEST_SOURCES__: JSON.stringify(options?.csp?.manifestSources ?? []),
+        __MAUTH_OBJECT_SOURCES__: JSON.stringify(options?.csp?.objectSources ?? []),
+        __MAUTH_BASE_URIS__: JSON.stringify(options?.csp?.baseUris ?? []),
+        __MAUTH_FORM_ACTIONS__: JSON.stringify(options?.csp?.formActions ?? []),
     };
 }
-/**
- * Get security headers with CSP sources merged from defaults and build-time
- * custom values injected via vite.define (from getMauthViteDefines()).
- *
- * Pass the per-request `nonce` generated by `generateNonce()` so the
- * Content-Security-Policy includes `'nonce-<value>'` in `script-src`.
- * The same nonce must be set as the `nonce` attribute on every inline
- * `<script>` tag (available via `Astro.locals.cspNonce` in layouts).
- */
 export function GET_SECURITY_HEADERS(nonce) {
     // Custom sources are baked in at build time via vite.define
-    const SCRIPT_SOURCES = [
-        ...DEFAULT_SCRIPT_SOURCES,
-        ...__MAUTH_SCRIPT_SOURCES__,
-        ...(nonce ? [`'nonce-${nonce}'`] : []),
-    ];
-    const CONNECT_SOURCES = [...DEFAULT_CONNECT_SOURCES, ...__MAUTH_CONNECT_SOURCES__];
-    const FRAME_SOURCES = [...DEFAULT_FRAME_SOURCES, ...__MAUTH_FRAME_SOURCES__];
-    const FONT_SOURCES = [...DEFAULT_FONT_SOURCES, ...__MAUTH_FONT_SOURCES__];
+    // Using Set to deduplicate sources while preserving order
+    const SCRIPT_SOURCES = [...new Set([
+            ...DEFAULT_SCRIPT_SOURCES,
+            ...__MAUTH_SCRIPT_SOURCES__,
+            ...(nonce ? [`'nonce-${nonce}'`] : []),
+        ])];
+    const STYLE_SOURCES = [...new Set([
+            ...DEFAULT_STYLE_SOURCES,
+            ...__MAUTH_STYLE_SOURCES__,
+            ...(nonce ? [`'nonce-${nonce}'`] : []),
+        ])];
+    const CONNECT_SOURCES = [...new Set([...DEFAULT_CONNECT_SOURCES, ...__MAUTH_CONNECT_SOURCES__])];
+    const FRAME_SOURCES = [...new Set([...DEFAULT_FRAME_SOURCES, ...__MAUTH_FRAME_SOURCES__])];
+    const FONT_SOURCES = [...new Set([...DEFAULT_FONT_SOURCES, ...__MAUTH_FONT_SOURCES__])];
+    const IMAGE_SOURCES = [...new Set([...DEFAULT_IMAGE_SOURCES, ...__MAUTH_IMAGE_SOURCES__])];
+    const FRAME_ANCESTORS = [...new Set([...DEFAULT_FRAME_ANCESTORS, ...__MAUTH_FRAME_ANCESTORS__])];
+    const WORKER_SOURCES = [...new Set([...DEFAULT_WORKER_SOURCES, ...__MAUTH_WORKER_SOURCES__])];
+    const MANIFEST_SOURCES = [...new Set([...DEFAULT_MANIFEST_SOURCES, ...__MAUTH_MANIFEST_SOURCES__])];
+    const OBJECT_SOURCES = [...new Set([...DEFAULT_OBJECT_SOURCES, ...__MAUTH_OBJECT_SOURCES__])];
+    const BASE_URIS = [...new Set([...DEFAULT_BASE_URIS, ...__MAUTH_BASE_URIS__])];
+    const FORM_ACTIONS = [...new Set([...DEFAULT_FORM_ACTIONS, ...__MAUTH_FORM_ACTIONS__])];
     return {
         'X-Content-Type-Options': 'nosniff',
         'X-Frame-Options': 'SAMEORIGIN',
@@ -139,25 +196,33 @@ export function GET_SECURITY_HEADERS(nonce) {
         'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
         'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
         'Content-Security-Policy': [
-            // Default policy
-            "default-src 'self'",
+            // Deny by default - only allow explicitly defined sources
+            "default-src 'none'",
             // Scripts
             `script-src ${SCRIPT_SOURCES.join(' ')}`,
             // Styles
-            "style-src 'self' 'unsafe-inline'",
+            `style-src ${STYLE_SOURCES.join(' ')}`,
             // Images
-            "img-src 'self' data: https:",
+            `img-src ${IMAGE_SOURCES.join(' ')}`,
             // Connections
             `connect-src ${CONNECT_SOURCES.join(' ')}`,
             // Frames
             `frame-src ${FRAME_SOURCES.join(' ')}`,
+            // Frame ancestors (clickjacking protection)
+            `frame-ancestors ${FRAME_ANCESTORS.join(' ')}`,
             // Fonts
             `font-src ${FONT_SOURCES.join(' ')}`,
+            // Web Workers and Service Workers
+            `worker-src ${WORKER_SOURCES.join(' ')}`,
+            // Web app manifest
+            `manifest-src ${MANIFEST_SOURCES.join(' ')}`,
             // Disallow object/embed tags (Flash, Java, etc.)
-            "object-src 'none'",
+            `object-src ${OBJECT_SOURCES.join(' ')}`,
+            // Base URI
+            `base-uri ${BASE_URIS.join(' ')}`,
+            // Form action
+            `form-action ${FORM_ACTIONS.join(' ')}`,
             // Security directives
-            "base-uri 'self'",
-            "form-action 'self'",
             "upgrade-insecure-requests",
             "block-all-mixed-content"
         ].join('; ')

package/dist/index.d.ts

@@ -3,5 +3,5 @@ export * from './config';
 export * from './auth';
 export * from './auth-handler';
 export * from './security';
-export { onRequest } from './middleware';
+export * from './middleware';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC;AAGzB,cAAc,QAAQ,CAAC;AAGvB,cAAc,gBAAgB,CAAC;AAG/B,cAAc,YAAY,CAAC;AAG3B,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC;AAGzB,cAAc,QAAQ,CAAC;AAGvB,cAAc,gBAAgB,CAAC;AAG/B,cAAc,YAAY,CAAC;AAG3B,cAAc,cAAc,CAAC"}

package/dist/index.js

@@ -9,5 +9,5 @@ export * from './auth';
 export * from './auth-handler';
 // Security utilities
 export * from './security';
-// Middleware (also available via '@mindful-auth/core/middleware')
-export { onRequest } from './middleware';
+// Middleware  
+export * from './middleware';

package/dist/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAuBA,eAAO,MAAM,SAAS,mCAmEpB,CAAC"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAoCA,eAAO,MAAM,SAAS,mCA0FpB,CAAC"}

package/dist/middleware.js

@@ -1,47 +1,80 @@
 // Global middleware for session validation
 // Runs before all route handlers to enforce authentication
+//
+// ASTRO 6 MIGRATION:
+// - Astro v6 removed context.locals.runtime.env. Env vars now import from 'cloudflare:workers'.
+// - cloudflare:workers is marked external in astro.config.vite.ssr to avoid esbuild scan errors.
+// - Dev mode bypass uses import.meta.env.DEV (build-time constant: true in dev, false in prod).
 import { defineMiddleware } from 'astro:middleware';
+import { env } from 'cloudflare:workers';
 import { PUBLIC_ROUTES, PUBLIC_PREFIXES, GET_SECURITY_HEADERS, GET_SKIP_ASSETS } from './config';
 import { sanitizePath, generateNonce } from './security';
 import { validateSession, validateMemberIdInUrl } from './auth';
 /** Check if a path is a public route (no auth required) */
 function isPublicRoute(pathname) {
     return PUBLIC_ROUTES.includes(pathname) ||
-        PUBLIC_PREFIXES.some(prefix => pathname.startsWith(prefix));
+        PUBLIC_PREFIXES.some((prefix) => pathname.startsWith(prefix));
 }
-/** Add security headers (including CSP nonce) to a response */
+/** Add security headers to a response */
+// NOTE: In Cloudflare Workers, Response.headers is immutable.
+// We must create a new Response with a fresh Headers object instead of mutating.
 function addSecurityHeaders(response, nonce) {
+    const newHeaders = new Headers(response.headers);
     Object.entries(GET_SECURITY_HEADERS(nonce)).forEach(([key, value]) => {
-        response.headers.set(key, value);
+        newHeaders.set(key, value);
+    });
+    return new Response(response.body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers: newHeaders,
     });
-    return response;
 }
 // Main middleware function
 export const onRequest = defineMiddleware(async (context, next) => {
     const { request, url, redirect, locals } = context;
     const pathname = url.pathname;
-    // Type assertion for locals (users should extend App.Locals in their project)
-    const authLocals = locals;
+    // Redirect HTTP to HTTPS (skip in dev mode and localhost)
+    if (!import.meta.env.DEV && url.protocol === 'http:' && url.hostname !== 'localhost' && url.hostname !== '127.0.0.1') {
+        const httpsUrl = url.toString().replace('http://', 'https://');
+        return redirect(httpsUrl, 307);
+    }
     // Generate a per-request nonce for CSP. Exposed as locals.cspNonce so
     // layouts can add nonce={Astro.locals.cspNonce} to inline <script> tags.
     const nonce = generateNonce();
-    authLocals.cspNonce = nonce;
+    locals.cspNonce = nonce;
     // Skip middleware for static assets FIRST (before dev mode)
     if (GET_SKIP_ASSETS().includes(pathname)) {
         return next();
     }
-    // DEV MODE: Skip auth on localhost
-    if (import.meta.env.DEV && (url.hostname === 'localhost' || url.hostname === '127.0.0.1')) {
+    // DEV MODE: Skip auth
+    // import.meta.env.DEV is a build-time constant replaced by Vite:
+    // - true during local dev (never included in prod build)
+    // - false in production builds (tree-shaken out entirely)
+    // Localhost auth is skipped because Mindful Auth blocks localhost requests.
+    if (import.meta.env.DEV) {
+        // Check if public route first
         if (isPublicRoute(pathname)) {
-            authLocals.recordId = null;
+            locals.recordId = null;
             return next();
         }
         // For protected routes, extract or create mock recordId
         // Match memberid with trailing slash
         const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
-        authLocals.recordId = match ? match[1] : 'dev-user-123';
+        locals.recordId = match ? match[1] : 'dev-user-123';
         return next();
     }
+    // PREVIEW MODE: Skip auth (for testing without Mindful Auth on localhost)
+    // npm run preview builds the project first, so import.meta.env.DEV is false.
+    // We need a runtime check for localhost to simulate auth in preview.
+    if (url.hostname === 'localhost' || url.hostname === '127.0.0.1') {
+        if (isPublicRoute(pathname)) {
+            locals.recordId = null;
+            return addSecurityHeaders(await next(), nonce);
+        }
+        const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
+        locals.recordId = match ? match[1] : 'preview-user-123';
+        return addSecurityHeaders(await next(), nonce);
+    }
     // Sanitize path
     const safePath = sanitizePath(pathname);
     if (!safePath) {
@@ -49,11 +82,13 @@ export const onRequest = defineMiddleware(async (context, next) => {
     }
     // Public routes - no auth needed
     if (isPublicRoute(safePath)) {
-        authLocals.recordId = null;
+        locals.recordId = null;
         return addSecurityHeaders(await next(), nonce);
     }
     // Protected route - validate session
-    const internalApiKey = authLocals.runtime?.env?.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
+    // ASTRO 6 CHANGE: Environment variables are accessed directly from 'cloudflare:workers' env,
+    // not from context.locals.runtime.env (which was removed).
+    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
     if (!internalApiKey) {
         console.error('[middleware] CRITICAL: INTERNAL_API_KEY not configured');
         return new Response('Internal Server Error', { status: 500 });
@@ -71,6 +106,6 @@ export const onRequest = defineMiddleware(async (context, next) => {
     if (!validateMemberIdInUrl(safePath, session.recordId).valid) {
         return new Response('Forbidden: Invalid user ID in URL', { status: 403 });
     }
-    authLocals.recordId = session.recordId;
+    locals.recordId = session.recordId;
     return addSecurityHeaders(await next(), nonce);
 });

package/dist/types.d.ts

@@ -1,7 +1,7 @@
 import type { MiddlewareHandler } from 'astro';
 export interface MindfulAuthLocals {
     recordId: string | null;
-    cspNonce?: string;
+    cspNonce: string;
     runtime?: {
         env?: {
             INTERNAL_API_KEY?: string;

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE;QACR,GAAG,CAAC,EAAE;YACJ,gBAAgB,CAAC,EAAE,MAAM,CAAC;SAC3B,CAAC;KACH,CAAC;CACH;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE;QACR,GAAG,CAAC,EAAE;YACJ,gBAAgB,CAAC,EAAE,MAAM,CAAC;SAC3B,CAAC;KACH,CAAC;CACH;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}

package/dist/types.js

@@ -1,2 +1,3 @@
 // Type definitions for Mindful Auth
+/// <reference types="@cloudflare/workers-types" />
 export {};

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@mindfulauth/core",
-  "version": "1.2.1",
-  "description": "Mindful Auth core authentication library for Astro",
+  "version": "2.0.0-beta.3",
+  "description": "Mindful Auth core authentication library for Astro 6",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -42,10 +42,11 @@
   "author": "Mindful Auth",
   "license": "MIT",
   "peerDependencies": {
-    "astro": "^5.0.0"
+    "astro": "^6.0.0-beta.14"
   },
   "devDependencies": {
-    "astro": "^5.17.3",
+    "@cloudflare/workers-types": "^4.20260303.0",
+    "astro": "^6.0.0-beta.15",
     "typescript": "^5.9.3"
   }
-}
+}