@mindfulauth/core 2.0.0-beta.2 → 2.0.0-beta.3

package/dist/config.d.ts

@@ -1,5 +1,5 @@
-export declare const CENTRAL_AUTH_ORIGIN = "https://dev-api.mindfulauth.com";
-export declare const CDN_ORIGIN = "https://dev-cdn.mindfulauth.com";
+export declare const CENTRAL_AUTH_ORIGIN = "https://api.mindfulauth.com";
+export declare const CDN_ORIGIN = "https://cdn.mindfulauth.com";
 export declare const ALLOWED_AUTH_METHODS: string[];
 export declare const MAX_BODY_SIZE_BYTES = 1048576;
 export declare const AUTH_PROXY_TIMEOUT_MS = 15000;
@@ -15,6 +15,10 @@ export declare const PUBLIC_PREFIXES: string[];
  * Configure Mindful Auth security settings including CSP sources and static
  * assets to skip. Returns the options to be passed to getMauthViteDefines().
  *
+ *  IMPORTANT: A nonce must be provided for inline styles to work. Without a nonce, inline styles will be blocked by CSP. If you need 'unsafe-inline' for development or testing, explicitly add it to styleSources in mauthSecurityConfig().
+ *
+ * IMPORTANT: Do not use Astro 6 security.csp in astro.config.mjs alongside this function. Astro's CSP will override these headers. Use mauthSecurityConfig() exclusively.
+ *
  * Call in astro.config.mjs and pass the result to vite.define:
  *
  * @example
@@ -25,7 +29,15 @@ export declare const PUBLIC_PREFIXES: string[];
  *     scriptSources: ['https://analytics.example.com'],
  *     connectSources: ['https://api.example.com'],
  *     frameSources: ['https://stripe.com'],
- *     fontSources: ['https://fonts.googleapis.com']
+ *     fontSources: ['https://fonts.googleapis.com'],
+ *     styleSources: ['https://cdn.example.com/styles'],
+ *     imageSources: ['https://images.example.com'],
+ *     frameAncestors: ["'self'"],
+ *     workerSources: ["'self'"],
+ *     manifestSources: ["'self'"],
+ *     objectSources: ["'none'"],
+ *     baseUris: ["'self'"],
+ *     formActions: ["'self'"]
  *   }
  * });
  *
@@ -40,6 +52,14 @@ export declare function mauthSecurityConfig(options?: {
         connectSources?: string[];
         frameSources?: string[];
         fontSources?: string[];
+        styleSources?: string[];
+        imageSources?: string[];
+        frameAncestors?: string[];
+        workerSources?: string[];
+        manifestSources?: string[];
+        objectSources?: string[];
+        baseUris?: string[];
+        formActions?: string[];
     };
 }): typeof options;
 /**
@@ -54,11 +74,15 @@ export declare function getMauthViteDefines(options?: {
         connectSources?: string[];
         frameSources?: string[];
         fontSources?: string[];
+        styleSources?: string[];
+        imageSources?: string[];
+        frameAncestors?: string[];
+        workerSources?: string[];
+        manifestSources?: string[];
+        objectSources?: string[];
+        baseUris?: string[];
+        formActions?: string[];
     };
 }): Record<string, string>;
-/**
- * Get security headers with CSP sources merged from defaults and build-time
- * custom values injected via vite.define (from getMauthViteDefines()).
- */
 export declare function GET_SECURITY_HEADERS(nonce?: string): Record<string, string>;
 //# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,oCAAoC,CAAC;AACrE,eAAO,MAAM,UAAU,oCAAoC,CAAC;AAG5D,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AA0CF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQzB;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAiD3E"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,UAAU,gCAAgC,CAAC;AAGxD,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AA2FF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAgBzB;AAED,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CA2E3E"}

package/dist/config.js

@@ -2,8 +2,8 @@
 // Configuration for the Astro Portal
 // ============================================================================
 // API Endpoints
-export const CENTRAL_AUTH_ORIGIN = 'https://dev-api.mindfulauth.com';
-export const CDN_ORIGIN = 'https://dev-cdn.mindfulauth.com';
+export const CENTRAL_AUTH_ORIGIN = 'https://api.mindfulauth.com';
+export const CDN_ORIGIN = 'https://cdn.mindfulauth.com';
 // Request & Timeout Configuration
 export const ALLOWED_AUTH_METHODS = ['GET', 'POST'];
 export const MAX_BODY_SIZE_BYTES = 1048576; // 1MB limit
@@ -55,14 +55,14 @@ const DEFAULT_SCRIPT_SOURCES = [
     "'self'",
     'https://*.cloudflare.com',
     'https://*.cloudflareinsights.com',
-    'https://dev-cdn.mindfulauth.com',
-    'https://dev-api.mindfulauth.com'
+    'https://cdn.mindfulauth.com',
+    'https://api.mindfulauth.com'
 ];
 // Default allowed connection sources for CSP
 const DEFAULT_CONNECT_SOURCES = [
     "'self'",
     'https://*.cloudflare.com',
-    'https://dev-api.mindfulauth.com'
+    'https://api.mindfulauth.com'
 ];
 // Default allowed frame sources for CSP
 const DEFAULT_FRAME_SOURCES = [
@@ -74,10 +74,47 @@ const DEFAULT_FONT_SOURCES = [
     "'self'",
     'data:'
 ];
+// Default allowed style sources for CSP
+const DEFAULT_STYLE_SOURCES = [
+    "'self'",
+];
+// Default allowed image sources for CSP
+const DEFAULT_IMAGE_SOURCES = [
+    "'self'",
+    'https:'
+];
+// Default allowed frame ancestors for CSP (clickjacking protection)
+const DEFAULT_FRAME_ANCESTORS = [
+    "'self'"
+];
+// Default allowed worker sources for CSP (Web Workers, Service Workers)
+const DEFAULT_WORKER_SOURCES = [
+    "'self'"
+];
+// Default allowed manifest sources for CSP (web app manifest)
+const DEFAULT_MANIFEST_SOURCES = [
+    "'self'"
+];
+// Default allowed object sources for CSP (disallow plugins like Flash/Java)
+const DEFAULT_OBJECT_SOURCES = [
+    "'none'"
+];
+// Default allowed base URIs for CSP
+const DEFAULT_BASE_URIS = [
+    "'self'"
+];
+// Default allowed form actions for CSP
+const DEFAULT_FORM_ACTIONS = [
+    "'self'"
+];
 /**
  * Configure Mindful Auth security settings including CSP sources and static
  * assets to skip. Returns the options to be passed to getMauthViteDefines().
  *
+ *  IMPORTANT: A nonce must be provided for inline styles to work. Without a nonce, inline styles will be blocked by CSP. If you need 'unsafe-inline' for development or testing, explicitly add it to styleSources in mauthSecurityConfig().
+ *
+ * IMPORTANT: Do not use Astro 6 security.csp in astro.config.mjs alongside this function. Astro's CSP will override these headers. Use mauthSecurityConfig() exclusively.
+ *
  * Call in astro.config.mjs and pass the result to vite.define:
  *
  * @example
@@ -88,7 +125,15 @@ const DEFAULT_FONT_SOURCES = [
  *     scriptSources: ['https://analytics.example.com'],
  *     connectSources: ['https://api.example.com'],
  *     frameSources: ['https://stripe.com'],
- *     fontSources: ['https://fonts.googleapis.com']
+ *     fontSources: ['https://fonts.googleapis.com'],
+ *     styleSources: ['https://cdn.example.com/styles'],
+ *     imageSources: ['https://images.example.com'],
+ *     frameAncestors: ["'self'"],
+ *     workerSources: ["'self'"],
+ *     manifestSources: ["'self'"],
+ *     objectSources: ["'none'"],
+ *     baseUris: ["'self'"],
+ *     formActions: ["'self'"]
  *   }
  * });
  *
@@ -111,22 +156,39 @@ export function getMauthViteDefines(options) {
         __MAUTH_CONNECT_SOURCES__: JSON.stringify(options?.csp?.connectSources ?? []),
         __MAUTH_FRAME_SOURCES__: JSON.stringify(options?.csp?.frameSources ?? []),
         __MAUTH_FONT_SOURCES__: JSON.stringify(options?.csp?.fontSources ?? []),
+        __MAUTH_STYLE_SOURCES__: JSON.stringify(options?.csp?.styleSources ?? []),
+        __MAUTH_IMAGE_SOURCES__: JSON.stringify(options?.csp?.imageSources ?? []),
+        __MAUTH_FRAME_ANCESTORS__: JSON.stringify(options?.csp?.frameAncestors ?? []),
+        __MAUTH_WORKER_SOURCES__: JSON.stringify(options?.csp?.workerSources ?? []),
+        __MAUTH_MANIFEST_SOURCES__: JSON.stringify(options?.csp?.manifestSources ?? []),
+        __MAUTH_OBJECT_SOURCES__: JSON.stringify(options?.csp?.objectSources ?? []),
+        __MAUTH_BASE_URIS__: JSON.stringify(options?.csp?.baseUris ?? []),
+        __MAUTH_FORM_ACTIONS__: JSON.stringify(options?.csp?.formActions ?? []),
     };
 }
-/**
- * Get security headers with CSP sources merged from defaults and build-time
- * custom values injected via vite.define (from getMauthViteDefines()).
- */
 export function GET_SECURITY_HEADERS(nonce) {
     // Custom sources are baked in at build time via vite.define
-    const SCRIPT_SOURCES = [
-        ...DEFAULT_SCRIPT_SOURCES,
-        ...__MAUTH_SCRIPT_SOURCES__,
-        ...(nonce ? [`'nonce-${nonce}'`] : []),
-    ];
-    const CONNECT_SOURCES = [...DEFAULT_CONNECT_SOURCES, ...__MAUTH_CONNECT_SOURCES__];
-    const FRAME_SOURCES = [...DEFAULT_FRAME_SOURCES, ...__MAUTH_FRAME_SOURCES__];
-    const FONT_SOURCES = [...DEFAULT_FONT_SOURCES, ...__MAUTH_FONT_SOURCES__];
+    // Using Set to deduplicate sources while preserving order
+    const SCRIPT_SOURCES = [...new Set([
+            ...DEFAULT_SCRIPT_SOURCES,
+            ...__MAUTH_SCRIPT_SOURCES__,
+            ...(nonce ? [`'nonce-${nonce}'`] : []),
+        ])];
+    const STYLE_SOURCES = [...new Set([
+            ...DEFAULT_STYLE_SOURCES,
+            ...__MAUTH_STYLE_SOURCES__,
+            ...(nonce ? [`'nonce-${nonce}'`] : []),
+        ])];
+    const CONNECT_SOURCES = [...new Set([...DEFAULT_CONNECT_SOURCES, ...__MAUTH_CONNECT_SOURCES__])];
+    const FRAME_SOURCES = [...new Set([...DEFAULT_FRAME_SOURCES, ...__MAUTH_FRAME_SOURCES__])];
+    const FONT_SOURCES = [...new Set([...DEFAULT_FONT_SOURCES, ...__MAUTH_FONT_SOURCES__])];
+    const IMAGE_SOURCES = [...new Set([...DEFAULT_IMAGE_SOURCES, ...__MAUTH_IMAGE_SOURCES__])];
+    const FRAME_ANCESTORS = [...new Set([...DEFAULT_FRAME_ANCESTORS, ...__MAUTH_FRAME_ANCESTORS__])];
+    const WORKER_SOURCES = [...new Set([...DEFAULT_WORKER_SOURCES, ...__MAUTH_WORKER_SOURCES__])];
+    const MANIFEST_SOURCES = [...new Set([...DEFAULT_MANIFEST_SOURCES, ...__MAUTH_MANIFEST_SOURCES__])];
+    const OBJECT_SOURCES = [...new Set([...DEFAULT_OBJECT_SOURCES, ...__MAUTH_OBJECT_SOURCES__])];
+    const BASE_URIS = [...new Set([...DEFAULT_BASE_URIS, ...__MAUTH_BASE_URIS__])];
+    const FORM_ACTIONS = [...new Set([...DEFAULT_FORM_ACTIONS, ...__MAUTH_FORM_ACTIONS__])];
     return {
         'X-Content-Type-Options': 'nosniff',
         'X-Frame-Options': 'SAMEORIGIN',
@@ -134,25 +196,33 @@ export function GET_SECURITY_HEADERS(nonce) {
         'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
         'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
         'Content-Security-Policy': [
-            // Default policy
-            "default-src 'self'",
+            // Deny by default - only allow explicitly defined sources
+            "default-src 'none'",
             // Scripts
             `script-src ${SCRIPT_SOURCES.join(' ')}`,
             // Styles
-            "style-src 'self' 'unsafe-inline'",
+            `style-src ${STYLE_SOURCES.join(' ')}`,
             // Images
-            "img-src 'self' data: https:",
+            `img-src ${IMAGE_SOURCES.join(' ')}`,
             // Connections
             `connect-src ${CONNECT_SOURCES.join(' ')}`,
             // Frames
             `frame-src ${FRAME_SOURCES.join(' ')}`,
+            // Frame ancestors (clickjacking protection)
+            `frame-ancestors ${FRAME_ANCESTORS.join(' ')}`,
             // Fonts
             `font-src ${FONT_SOURCES.join(' ')}`,
+            // Web Workers and Service Workers
+            `worker-src ${WORKER_SOURCES.join(' ')}`,
+            // Web app manifest
+            `manifest-src ${MANIFEST_SOURCES.join(' ')}`,
             // Disallow object/embed tags (Flash, Java, etc.)
-            "object-src 'none'",
+            `object-src ${OBJECT_SOURCES.join(' ')}`,
+            // Base URI
+            `base-uri ${BASE_URIS.join(' ')}`,
+            // Form action
+            `form-action ${FORM_ACTIONS.join(' ')}`,
             // Security directives
-            "base-uri 'self'",
-            "form-action 'self'",
             "upgrade-insecure-requests",
             "block-all-mixed-content"
         ].join('; ')

package/dist/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAoCA,eAAO,MAAM,SAAS,mCAuEpB,CAAC"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAoCA,eAAO,MAAM,SAAS,mCA0FpB,CAAC"}

package/dist/middleware.js

@@ -13,7 +13,7 @@ import { validateSession, validateMemberIdInUrl } from './auth';
 /** Check if a path is a public route (no auth required) */
 function isPublicRoute(pathname) {
     return PUBLIC_ROUTES.includes(pathname) ||
-        PUBLIC_PREFIXES.some(prefix => pathname.startsWith(prefix));
+        PUBLIC_PREFIXES.some((prefix) => pathname.startsWith(prefix));
 }
 /** Add security headers to a response */
 // NOTE: In Cloudflare Workers, Response.headers is immutable.
@@ -33,6 +33,11 @@ function addSecurityHeaders(response, nonce) {
 export const onRequest = defineMiddleware(async (context, next) => {
     const { request, url, redirect, locals } = context;
     const pathname = url.pathname;
+    // Redirect HTTP to HTTPS (skip in dev mode and localhost)
+    if (!import.meta.env.DEV && url.protocol === 'http:' && url.hostname !== 'localhost' && url.hostname !== '127.0.0.1') {
+        const httpsUrl = url.toString().replace('http://', 'https://');
+        return redirect(httpsUrl, 307);
+    }
     // Generate a per-request nonce for CSP. Exposed as locals.cspNonce so
     // layouts can add nonce={Astro.locals.cspNonce} to inline <script> tags.
     const nonce = generateNonce();
@@ -58,6 +63,18 @@ export const onRequest = defineMiddleware(async (context, next) => {
         locals.recordId = match ? match[1] : 'dev-user-123';
         return next();
     }
+    // PREVIEW MODE: Skip auth (for testing without Mindful Auth on localhost)
+    // npm run preview builds the project first, so import.meta.env.DEV is false.
+    // We need a runtime check for localhost to simulate auth in preview.
+    if (url.hostname === 'localhost' || url.hostname === '127.0.0.1') {
+        if (isPublicRoute(pathname)) {
+            locals.recordId = null;
+            return addSecurityHeaders(await next(), nonce);
+        }
+        const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
+        locals.recordId = match ? match[1] : 'preview-user-123';
+        return addSecurityHeaders(await next(), nonce);
+    }
     // Sanitize path
     const safePath = sanitizePath(pathname);
     if (!safePath) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mindfulauth/core",
-  "version": "2.0.0-beta.2",
+  "version": "2.0.0-beta.3",
   "description": "Mindful Auth core authentication library for Astro 6",
   "type": "module",
   "main": "./dist/index.js",
@@ -46,7 +46,7 @@
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20260303.0",
-    "astro": "^6.0.0-beta.14",
+    "astro": "^6.0.0-beta.15",
     "typescript": "^5.9.3"
   }
 }