@mindfulauth/core 2.0.0-beta.5 → 2.0.0-beta.6

package/dist/astro/SecurityScript.astro

@@ -0,0 +1,490 @@
+---
+// Mindful Auth - Security Settings Script Component
+// Provides: Change password, 2FA management, recovery codes, add auth method
+---
+<script is:inline>
+// Security Settings Script - Astro Optimized
+// Combines: Change Password + 2FA Management + Add Authentication Method
+
+// ============================================================================
+// QRCODE DYNAMIC LOADING (bundled via qrcode npm package)
+// ============================================================================
+
+// Capture CDN origin at load time for loading co-hosted libraries
+const __cdnOrigin = (() => {
+  try {
+    if (document.currentScript && document.currentScript.src) {
+      return new URL(document.currentScript.src).origin;
+    }
+  } catch (_) {}
+  return '';
+})();
+
+/**
+ * Dynamically loads the bundled QRCode library from the same CDN origin.
+ * Uses the qrcode npm package (bundled as IIFE via esbuild).
+ * Exposes QRCode.toCanvas(), QRCode.toDataURL(), QRCode.toString()
+ * @returns {Promise<void>}
+ */
+async function loadQRCodeLibrary() {
+  return new Promise((resolve, reject) => {
+    if (typeof QRCode !== 'undefined' && QRCode.toCanvas) {
+      resolve();
+      return;
+    }
+
+    const script = document.createElement('script');
+    script.src = `${__cdnOrigin}/lib/qrcode.js`;
+    script.onload = () => resolve();
+    script.onerror = () => reject(new Error('Failed to load QR code library'));
+    document.head.appendChild(script);
+  });
+}
+
+// ============================================================================
+// RECORDID EXTRACTION HELPER
+// ============================================================================
+
+/**
+ * Extracts recordid from window variable (injected server-side by backend)
+ * Backend MUST inject this variable for all implementations
+ * Architecture
+ * - All protected routes require /{memberid}/page URL structure
+ * - Backend extracts memberid from URL path and validates against session
+ * - Frontend receives memberid via window.MEMBERID injection
+ * @returns {string|null} The recordid if found, null otherwise
+ */
+function getRecordId() {
+    return window.MEMBERID || null;
+}
+
+// ============================================================================
+// CHANGE PASSWORD
+// ============================================================================
+
+async function handleChangePasswordSubmit(event) {
+  event.preventDefault();
+  const form = event.target;
+  const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+  const newPasswordEl = form.querySelector('[data-mindfulauth-field="new-password"]');
+  const confirmPasswordEl = form.querySelector('[data-mindfulauth-field="confirm-password"]');
+  const twoFACodeEl = form.querySelector('[data-mindfulauth-field="twofa-code"]');
+  const twoFAContainer = form.querySelector('[data-mindfulauth-field="twofa-container"]');
+  const submitBtn = form.querySelector('button[type="submit"]');
+
+  messageEl.textContent = '';
+  const newPassword = newPasswordEl.value;
+  const confirmPassword = confirmPasswordEl.value;
+
+  if (newPassword !== confirmPassword) {
+    messageEl.textContent = 'Passwords do not match.';
+    return;
+  }
+
+  const recordid = getRecordId();
+
+  if (!recordid) {
+    messageEl.textContent = 'Error: Could not identify user. Please log in again.';
+    return;
+  }
+
+  messageEl.textContent = 'Validating password...';
+
+  try {
+    // First validate password against policy
+    const passwordValidateResponse = await window.apiFetch('/auth/validate-password', {
+      body: JSON.stringify({ password: newPassword }),
+    });
+
+    const passwordValidateResult = await passwordValidateResponse.json();
+    if (!passwordValidateResult.success) {
+      throw new Error(passwordValidateResult.message);
+    }
+
+    // Check if user has 2FA enabled (use cache)
+    messageEl.textContent = 'Checking security settings...';
+    const statusResult = await window.get2FAStatus();
+
+    // If 2FA is enabled and code not provided yet, show the input and wait
+    if (statusResult.isEnabled) {
+      if (!twoFACodeEl || !twoFACodeEl.value) {
+        // Show the 2FA input field
+        if (twoFAContainer) {
+          twoFAContainer.removeAttribute('hidden');
+          twoFAContainer.classList && twoFAContainer.classList.remove('hidden');
+          twoFAContainer.style.display = 'block';
+        }
+        if (twoFACodeEl) {
+          twoFACodeEl.focus();
+        }
+        messageEl.textContent = '2FA code is required for password change.';
+        if (submitBtn) {
+          submitBtn.textContent = 'Update Password with 2FA';
+        }
+        return;
+      }
+      
+      const twoFACode = twoFACodeEl.value;
+      if (twoFACode.length !== 6) {
+        messageEl.textContent = 'Please enter a valid 6-digit 2FA code.';
+        return;
+      }
+    }
+
+    messageEl.textContent = 'Updating password...';
+
+    const requestBody = { recordid, newPassword };
+    if (statusResult.isEnabled && twoFACodeEl && twoFACodeEl.value) {
+      requestBody.twoFACode = twoFACodeEl.value;
+    }
+
+    const response = await window.apiFetch('/auth/change-password', {
+      body: JSON.stringify(requestBody),
+    });
+  
+    const result = await response.json();
+    if (result.success) {
+      messageEl.textContent = 'Password updated successfully! Redirecting to login...';
+      form.reset();
+
+      // Password change invalidates all sessions for security
+      setTimeout(() => {
+        window.location.assign('/login');
+      }, 2000);
+      
+    } else {
+      throw new Error(result.message || 'An unknown error occurred.');
+    }
+  } catch (error) {
+    messageEl.textContent = `Error: ${error.message}`;
+  }
+}
+
+function initChangePassword() {
+  const form = document.querySelector('[data-mindfulauth-form="change-password"]');
+  if (!form) return;
+
+  // Initially hide 2FA field - it will be shown during submit if needed
+  const twoFAContainer = form.querySelector('[data-mindfulauth-field="twofa-container"]');
+  if (twoFAContainer) {
+    twoFAContainer.style.display = 'none';
+  }
+  
+  form.addEventListener('submit', handleChangePasswordSubmit);
+}
+
+// ============================================================================
+// 2FA MANAGEMENT
+// ============================================================================
+
+function init2FA() {
+  const enableBtn = document.querySelector('[data-mindfulauth-field="enable-btn"]');
+  if (!enableBtn) return;
+
+  const messageEl = document.querySelector('[data-mindfulauth-field="twofa-message"]');
+  const setupDiv = document.querySelector('[data-mindfulauth-field="setup"]');
+  const qrCodeContainer = document.querySelector('[data-mindfulauth-field="qr-code-container"]');
+  const verifyForm = document.querySelector('[data-mindfulauth-form="verify-2fa"]');
+  const tokenInput = document.querySelector('[data-mindfulauth-field="token"]');
+  const recoveryContainer = document.querySelector('[data-mindfulauth-field="recovery-codes-container"]');
+  const recoveryList = document.querySelector('[data-mindfulauth-field="recovery-codes-list"]');
+  const copyBtn = document.querySelector('[data-mindfulauth-field="copy-codes-btn"]');
+  const copyMessageEl = document.querySelector('[data-mindfulauth-field="copy-message"]');
+  const disableForm = document.querySelector('[data-mindfulauth-form="disable-2fa"]');
+  const disablePasswordInput = document.querySelector('[data-mindfulauth-field="disable-password"]');
+  const disableMessageEl = document.querySelector('[data-mindfulauth-field="disable-message"]');
+  const disableBtn = document.querySelector('[data-mindfulauth-field="disable-btn"]');
+  const enableSection = document.querySelector('[data-mindfulauth-section="enable"]');
+  const disableSection = document.querySelector('[data-mindfulauth-section="disable"]');
+  const recordid = getRecordId();
+
+  // --- START 2FA Setup ---
+  async function handleEnable2FA() {
+    if (!recordid) {
+      messageEl.textContent = "Session not found. Please log in again.";
+      return;
+    }
+    if (!qrCodeContainer || !setupDiv) {
+      messageEl.textContent = 'Unable to start 2FA (missing UI elements).';
+      return;
+    }
+
+    enableBtn.disabled = true;
+    enableBtn.style.display = 'none';
+    setupDiv.removeAttribute('hidden');
+    setupDiv.classList && setupDiv.classList.remove('hidden');
+    setupDiv.style.display = 'flex';
+    qrCodeContainer.innerHTML = '';
+
+    messageEl.textContent = 'Loading QR code generator...';
+    try {
+      // Load QRCode library dynamically
+      await loadQRCodeLibrary();
+
+      messageEl.textContent = 'Generating secret key...';
+      const response = await window.apiFetch('/auth/setup-2fa', { body: JSON.stringify({ recordid }) });
+      const result = await response.json();
+      if (result.success) {
+        qrCodeContainer.innerHTML = '';
+
+        const canvas = document.createElement('canvas');
+        await QRCode.toCanvas(canvas, result.otpauthUri, { width: 256, margin: 2 });
+        qrCodeContainer.appendChild(canvas);
+
+        messageEl.textContent = 'Scan the QR code with your authenticator app and enter the code below.';
+      } else {
+        throw new Error(result.message || 'Failed to start 2FA setup.');
+      }
+    } catch (error) {
+      messageEl.textContent = `Error: ${error.message}`;
+      enableBtn.disabled = false;
+      enableBtn.style.display = '';
+      setupDiv.style.display = 'none';
+      setupDiv.classList && setupDiv.classList.add('hidden');
+      setupDiv.setAttribute('hidden', '');
+    }
+  }
+
+  enableBtn.addEventListener('click', handleEnable2FA);
+
+  // --- VERIFY and ENABLE 2FA ---
+  if (verifyForm) {
+    verifyForm.addEventListener('submit', async (event) => {
+      event.preventDefault();
+      const token = tokenInput.value;
+      if (!recordid || !token || token.length !== 6) {
+        messageEl.textContent = "Please enter a valid 6-digit code.";
+        return;
+      }
+      messageEl.textContent = 'Verifying code...';
+
+      try {
+        const response = await window.apiFetch('/auth/verify-2fa-setup', {
+          body: JSON.stringify({ recordid, token })
+        });
+
+        const result = await response.json();
+        if (result.success) {
+          setupDiv.style.display = 'none';
+          messageEl.textContent = result.message;
+
+          if (result.recoveryCodes && result.recoveryCodes.length > 0) {
+            recoveryList.innerHTML = '';
+            result.recoveryCodes.forEach(code => {
+              const li = document.createElement('li');
+              li.textContent = code;
+              recoveryList.appendChild(li);
+            });
+            recoveryContainer.removeAttribute('hidden');
+            recoveryContainer.style.display = 'flex';
+          }
+
+          // Invalidate cached 2FA status
+          if (typeof window !== 'undefined') {
+            window.__2faStatus = undefined;
+            checkInitial2FAStatus();
+          }
+        } else { 
+          throw new Error(result.message || 'Verification failed.'); 
+        }
+      } catch (error) {
+        messageEl.textContent = `Error: ${error.message}`;
+      }
+    });
+  }
+
+  // --- DISABLE 2FA ---
+  if (disableForm) {
+    disableForm.addEventListener('submit', async (event) => {
+      event.preventDefault();
+      const password = disablePasswordInput.value;
+      if (!recordid) {
+        disableMessageEl.textContent = 'Session not found. Please log in again.';
+        return;
+      }
+      if (!password) {
+        disableMessageEl.textContent = 'Password is required.';
+        return;
+      }
+
+      disableBtn.disabled = true;
+      disableMessageEl.textContent = 'Disabling...';
+
+      try {
+        const response = await window.apiFetch('/auth/disable-2fa', {
+          body: JSON.stringify({ recordid, password }),
+        });
+
+        const result = await response.json();
+        disableMessageEl.textContent = result.message;
+
+        if (result.success) {
+          if (typeof window !== 'undefined') {
+            window.__2faStatus = undefined;
+          }
+
+          disableBtn.disabled = true;
+          setTimeout(() => window.location.reload(), 2000);
+        } else {
+          disableBtn.disabled = false;
+        }
+      } catch (error) {
+        disableMessageEl.textContent = `Error: ${error.message}`;
+        disableBtn.disabled = false;
+      }
+    });
+  }
+
+  // --- CHECK 2FA STATUS ON LOAD ---
+  async function checkInitial2FAStatus() {
+    try {
+      const result = await window.get2FAStatus();
+      if (result.isEnabled) {
+        if (enableSection) enableSection.style.display = 'none';
+        if (disableSection) disableSection.style.display = 'flex';
+      } else {
+        if (enableSection) enableSection.style.display = 'flex';
+        if (disableSection) disableSection.style.display = 'none';
+      }
+    } catch (error) {
+      if (enableSection) enableSection.style.display = 'none';
+      if (disableSection) disableSection.style.display = 'none';
+    }
+  }
+
+  checkInitial2FAStatus();
+
+  // --- COPY RECOVERY CODES ---
+  if (copyBtn) {
+    copyBtn.addEventListener('click', function() {
+      const codes = Array.from(recoveryList.querySelectorAll('li')).map(li => li.textContent).join('\n');
+      navigator.clipboard.writeText(codes).then(() => {
+        copyMessageEl.textContent = 'Copied to clipboard!';
+        setTimeout(() => copyMessageEl.textContent = '', 2000);
+      }).catch(err => {
+        copyMessageEl.textContent = 'Failed to copy.';
+      });
+    });
+  }
+}
+
+// ============================================================================
+// ADD AUTHENTICATION METHOD
+// ============================================================================
+
+async function handleAddAuthMethodSubmit(event) {
+    event.preventDefault();
+    const form = event.target;
+    const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+    const methodEl = form.querySelector('[data-mindfulauth-field="method"]');
+    const passwordEl = form.querySelector('[data-mindfulauth-field="new-password"]');
+    const submitBtn = form.querySelector('button[type="submit"]');
+
+    const selectedMethod = methodEl.querySelector('input[name="method"]:checked')?.value;
+
+    if (!selectedMethod) {
+        messageEl.textContent = 'Please select an authentication method.';
+        return;
+    }
+
+    if (selectedMethod === 'Password') {
+        if (!passwordEl.value || passwordEl.value.length < 8) {
+            messageEl.textContent = 'Password must be at least 8 characters.';
+            return;
+        }
+    }
+
+    messageEl.textContent = 'Adding authentication method...';
+    if (submitBtn) {
+        submitBtn.disabled = true;
+    }
+
+    try {
+        const body = {
+            method: selectedMethod
+        };
+
+        if (selectedMethod === 'Password') {
+            body.password = passwordEl.value;
+        }
+
+        const response = await window.apiFetch('/auth/add-authentication-method', {
+            body: JSON.stringify(body)
+        });
+
+        const result = await response.json();
+        
+        if (result.success) {
+            messageEl.textContent = result.message || `${selectedMethod} authentication has been added to your account.`;
+            messageEl.style.color = 'green';
+            
+            if (passwordEl) {
+                passwordEl.value = '';
+            }
+            
+            setTimeout(() => {
+                event.target.style.display = 'none';
+            }, 2000);
+        } else {
+            throw new Error(result.message || 'Failed to add authentication method.');
+        }
+    } catch (error) {
+        messageEl.textContent = `Error: ${error.message}`;
+        messageEl.style.color = 'red';
+    } finally {
+        if (submitBtn) {
+            submitBtn.disabled = false;
+        }
+    }
+}
+
+function handleMethodChange(event) {
+    const passwordContainerEl = document.querySelector('[data-mindfulauth-field="password-container"]');
+    
+    if (!passwordContainerEl) return;
+    
+    if (event.target.value === 'Password') {
+        passwordContainerEl.removeAttribute('hidden');
+        if (passwordContainerEl.classList) {
+            passwordContainerEl.classList.remove('hidden');
+        }
+        passwordContainerEl.style.display = 'flex';
+    } else {
+        passwordContainerEl.style.display = 'none';
+        if (passwordContainerEl.classList) {
+            passwordContainerEl.classList.add('hidden');
+        }
+        passwordContainerEl.setAttribute('hidden', '');
+    }
+}
+
+function initAddAuthMethod() {
+    const form = document.querySelector('[data-mindfulauth-form="add-auth"]');
+    if (!form) return;
+
+    form.addEventListener('submit', handleAddAuthMethodSubmit);
+    
+    // Bind radio change handlers
+    const radios = document.querySelectorAll('input[name="method"]');
+    radios.forEach(radio => {
+        radio.addEventListener('change', handleMethodChange);
+    });
+    
+    // Set initial state
+    const checkedRadio = document.querySelector('input[name="method"]:checked');
+    if (checkedRadio) {
+        handleMethodChange({ target: checkedRadio });
+    }
+}
+
+// ============================================================================
+// MAIN INITIALIZATION
+// ============================================================================
+
+document.addEventListener('DOMContentLoaded', function() {
+    // Initialize all security modules
+    initChangePassword();
+    init2FA();
+    initAddAuthMethod();
+});
+</script>

package/dist/astro/TurnstileInit.astro

@@ -0,0 +1,112 @@
+---
+// Mindful Auth - Turnstile Initialization Component
+// Provides: Cloudflare Turnstile widget initialization and auto-config
+---
+<script is:inline>
+// Shared Cloudflare Turnstile initialization utilities - Astro Optimized
+// Loaded only on pages that require bot protection (login, forgot password, reset password)
+
+(function () {
+  window.initTurnstile = function initTurnstile(sitekey) {
+    if (!sitekey) {
+      return;
+    }
+    
+    const container = document.querySelector('[data-mindfulauth-turnstile]');
+    if (container && window.turnstile) {
+      // Read customization from data attributes
+      const theme = container.getAttribute('data-theme') || 'light';
+      const size = container.getAttribute('data-size') || 'flexible';
+      const language = container.getAttribute('data-language') || 'auto';
+      const appearance = container.getAttribute('data-appearance') || 'always';
+      
+      container.textContent = '';
+      try {
+        window.turnstile.render(container, {
+          sitekey: sitekey,
+          theme: theme,
+          size: size,
+          language: language,
+          appearance: appearance,
+          callback: function(token) {
+            // Find the hidden input field for the token (if it exists)
+            const form = container.closest('form') || document.querySelector('[data-mindfulauth-form]');
+            if (form) {
+              const tokenInput = form.querySelector('[name="cf-turnstile-response"]');
+              if (tokenInput) {
+                tokenInput.value = token;
+              }
+            }
+          },
+          errorCallback: function() {
+            // Create error message safely without innerHTML
+            var errorDiv = document.createElement('div');
+            errorDiv.style.cssText = 'padding: 10px; background: #fee; color: #c33; border: 1px solid #faa; border-radius: 4px;';
+            errorDiv.textContent = 'Bot protection widget failed to load. Please check your configuration.';
+            container.textContent = '';
+            container.appendChild(errorDiv);
+          }
+        });
+      } catch (error) {
+        // Create error message safely without innerHTML
+        var errorDiv = document.createElement('div');
+        errorDiv.style.cssText = 'padding: 10px; background: #fee; color: #c33; border: 1px solid #faa; border-radius: 4px;';
+        errorDiv.textContent = 'Bot protection widget failed to load. Please check your configuration.';
+        container.textContent = '';
+        container.appendChild(errorDiv);
+      }
+    }
+  };
+
+  window.ensureTurnstileReady = function ensureTurnstileReady(callback, attempts = 0) {
+    if (window.turnstile) {
+      callback();
+    } else if (attempts < 50) {
+      setTimeout(() => window.ensureTurnstileReady(callback, attempts + 1), 100);
+    }
+  };
+
+  // Auto-initialize Turnstile on page load if container exists
+  // Fetches tenant config to get the correct sitekey for this hostname
+  window.autoInitTurnstile = async function autoInitTurnstile() {
+    const container = document.querySelector('[data-mindfulauth-turnstile]');
+    if (!container) {
+      return;
+    }
+
+    // Skip API call on localhost to prevent production logs pollution
+    const hostname = window.location.hostname;
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname.endsWith('.local')) {
+      console.log('[Turnstile] Skipping initialization on localhost');
+      return;
+    }
+
+    try {
+      const configResponse = await fetch(`/auth/get-tenant-config`, {
+        headers: {
+          'X-Tenant-Domain': window.location.hostname
+        }
+      });
+
+      if (!configResponse.ok) {
+        console.error('[Turnstile] Failed to fetch tenant config: HTTP ' + configResponse.status);
+        return;
+      }
+
+      const config = await configResponse.json();
+      if (!config.success || !config.turnstileSitekey) {
+        console.error('[Turnstile] Invalid tenant config response:', config);
+        return;
+      }
+      window.ensureTurnstileReady(() => {
+        window.initTurnstile(config.turnstileSitekey);
+      });
+    } catch (error) {
+      console.error('[Turnstile] Failed to initialize:', error instanceof Error ? error.message : String(error));
+    }
+  };
+
+  // Call auto-init when DOM is ready
+  document.addEventListener('DOMContentLoaded', window.autoInitTurnstile);
+})();
+</script>

package/dist/astro/VerifyEmailScript.astro

@@ -0,0 +1,72 @@
+---
+// Mindful Auth - Verify Email Script Component
+// Provides: Email verification handling
+---
+<script is:inline>
+// Verify email script - Astro Optimized
+function getPathParams() {
+    const pathParts = window.location.pathname.split('/');
+    return {
+        recordid: pathParts[2],
+        token: pathParts[3]
+    };
+}
+
+async function verifyEmail() {
+    const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+    const { recordid, token } = getPathParams();
+
+    // Skip API call on localhost to prevent production logs pollution
+    const hostname = window.location.hostname;
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname.endsWith('.local')) {
+        if (messageEl) {
+            messageEl.textContent = 'Email verification skipped on localhost.';
+        }
+        console.log('[Verify Email] Skipping API call on localhost');
+        return;
+    }
+
+    if (!recordid || !token) {
+        if (messageEl) {
+            messageEl.textContent = "Invalid verification link. Please check your email for the correct link.";
+        }
+        return;
+    }
+
+    if (messageEl) {
+        messageEl.textContent = "Verifying your email...";
+    }
+
+    try {
+        const response = await window.apiFetch(`/auth/verify-email/${recordid}/${token}`, {
+            method: 'POST'
+        });
+        
+        const result = await response.json();
+        
+        if (messageEl) {
+            messageEl.textContent = result.message || (result.success 
+                ? 'Email verified successfully! You can now log in to your account.' 
+                : 'Verification failed. Please try again or contact support.');
+        }
+
+        // Show login button/link if verification succeeded
+        if (result.success) {
+            const loginLinkEl = document.querySelector('[data-mindfulauth-field="login-link"]');
+            if (loginLinkEl) {
+                loginLinkEl.style.display = 'block';
+            }
+        }
+    } catch (error) {
+        if (messageEl) {
+            messageEl.textContent = 'Error: ' + (error.message || 'Verification failed. Please try again.');
+        }
+    }
+}
+
+// --- MAIN EXECUTION ---
+document.addEventListener('DOMContentLoaded', function() {
+    // Auto-verify on page load
+    verifyEmail();
+});
+</script>