@mindfulauth/core 2.0.0-beta.5 → 2.0.0-beta.6

package/dist/middleware.js

@@ -1,108 +0,0 @@
-// Global middleware for session validation
-// Runs before all route handlers to enforce authentication
-//
-// ASTRO 6 MIGRATION:
-// - Astro v6 removed context.locals.runtime.env. Env vars now import from 'cloudflare:workers'.
-// - cloudflare:workers is marked external in astro.config.vite.ssr to avoid esbuild scan errors.
-// - Dev mode bypass uses import.meta.env.DEV (build-time constant: true in dev, false in prod).
-import { defineMiddleware } from 'astro:middleware';
-import { env } from 'cloudflare:workers';
-import { PUBLIC_ROUTES, PUBLIC_PREFIXES, GET_SECURITY_HEADERS, GET_SKIP_ASSETS } from './config';
-import { sanitizePath } from './security';
-import { validateSession, validateMemberIdInUrl } from './auth';
-/** Check if a path is a public route (no auth required) */
-function isPublicRoute(pathname) {
-    return PUBLIC_ROUTES.includes(pathname) ||
-        PUBLIC_PREFIXES.some((prefix) => pathname.startsWith(prefix));
-}
-/** Add security headers to a response */
-// NOTE: In Cloudflare Workers, Response.headers is immutable.
-// We must create a new Response with a fresh Headers object instead of mutating.
-// CSP for script-src/style-src is handled by Astro 6's native security.csp (via <meta> tag).
-function addSecurityHeaders(response) {
-    const newHeaders = new Headers(response.headers);
-    Object.entries(GET_SECURITY_HEADERS()).forEach(([key, value]) => {
-        newHeaders.set(key, value);
-    });
-    return new Response(response.body, {
-        status: response.status,
-        statusText: response.statusText,
-        headers: newHeaders,
-    });
-}
-// Main middleware function
-export const onRequest = defineMiddleware(async (context, next) => {
-    const { request, url, redirect, locals } = context;
-    const pathname = url.pathname;
-    // Redirect HTTP to HTTPS (skip in dev mode and localhost)
-    if (!import.meta.env.DEV && url.protocol === 'http:' && url.hostname !== 'localhost' && url.hostname !== '127.0.0.1') {
-        const httpsUrl = url.toString().replace('http://', 'https://');
-        return redirect(httpsUrl, 307);
-    }
-    // Skip middleware for static assets FIRST (before dev mode)
-    if (GET_SKIP_ASSETS().includes(pathname)) {
-        return next();
-    }
-    // DEV MODE: Skip auth
-    // import.meta.env.DEV is a build-time constant replaced by Vite:
-    // - true during local dev (never included in prod build)
-    // - false in production builds (tree-shaken out entirely)
-    // Localhost auth is skipped because Mindful Auth blocks localhost requests.
-    if (import.meta.env.DEV) {
-        // Check if public route first
-        if (isPublicRoute(pathname)) {
-            locals.recordId = null;
-            return next();
-        }
-        // For protected routes, extract or create mock recordId
-        // Match memberid with trailing slash
-        const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
-        locals.recordId = match ? match[1] : 'dev-user-123';
-        return next();
-    }
-    // PREVIEW MODE: Skip auth (for testing without Mindful Auth on localhost)
-    // npm run preview builds the project first, so import.meta.env.DEV is false.
-    // We need a runtime check for localhost to simulate auth in preview.
-    if (url.hostname === 'localhost' || url.hostname === '127.0.0.1') {
-        if (isPublicRoute(pathname)) {
-            locals.recordId = null;
-            return addSecurityHeaders(await next());
-        }
-        const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
-        locals.recordId = match ? match[1] : 'preview-user-123';
-        return addSecurityHeaders(await next());
-    }
-    // Sanitize path
-    const safePath = sanitizePath(pathname);
-    if (!safePath) {
-        return new Response('Bad Request', { status: 400 });
-    }
-    // Public routes - no auth needed
-    if (isPublicRoute(safePath)) {
-        locals.recordId = null;
-        return addSecurityHeaders(await next());
-    }
-    // Protected route - validate session
-    // ASTRO 6 CHANGE: Environment variables are accessed directly from 'cloudflare:workers' env,
-    // not from context.locals.runtime.env (which was removed).
-    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
-    if (!internalApiKey) {
-        console.error('[middleware] CRITICAL: INTERNAL_API_KEY not configured');
-        return new Response('Internal Server Error', { status: 500 });
-    }
-    // URL must have memberid
-    if (!validateMemberIdInUrl(safePath, null).valid) {
-        return new Response('Forbidden: URL must include memberid', { status: 403 });
-    }
-    // Validate session
-    const session = await validateSession(request, url.hostname, safePath, internalApiKey);
-    if (!session.valid) {
-        return redirect('/login');
-    }
-    // Validate memberid matches session
-    if (!validateMemberIdInUrl(safePath, session.recordId).valid) {
-        return new Response('Forbidden: Invalid user ID in URL', { status: 403 });
-    }
-    locals.recordId = session.recordId;
-    return addSecurityHeaders(await next());
-});

package/dist/security.d.ts

@@ -1,5 +0,0 @@
-/** Sanitize endpoint path (prevents ../ traversal and encoded variants) */
-export declare function sanitizeEndpoint(endpoint: string): string | null;
-/** Sanitize URL path (prevents ../ traversal and encoded variants) */
-export declare function sanitizePath(pathname: string): string | null;
-//# sourceMappingURL=security.d.ts.map

package/dist/security.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../src/security.ts"],"names":[],"mappings":"AAkBA,2EAA2E;AAC3E,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAIhE;AAED,sEAAsE;AACtE,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAI5D"}

package/dist/security.js

@@ -1,31 +0,0 @@
-// Security utilities - path traversal prevention
-const MAX_PATH_LENGTH = 2048;
-/** Decode and check for traversal attacks */
-function decodeAndValidate(str) {
-    if (!str || typeof str !== 'string' || str.length > MAX_PATH_LENGTH)
-        return null;
-    try {
-        let decoded = decodeURIComponent(str);
-        // Catch double-encoded traversal attempts
-        if (decoded.includes('%'))
-            decoded = decodeURIComponent(decoded);
-        return decoded;
-    }
-    catch {
-        return null;
-    }
-}
-/** Sanitize endpoint path (prevents ../ traversal and encoded variants) */
-export function sanitizeEndpoint(endpoint) {
-    const decoded = decodeAndValidate(endpoint);
-    if (!decoded || decoded.includes('..') || decoded.includes('\\'))
-        return null;
-    return decoded;
-}
-/** Sanitize URL path (prevents ../ traversal and encoded variants) */
-export function sanitizePath(pathname) {
-    const decoded = decodeAndValidate(pathname);
-    if (!decoded || decoded.includes('..') || decoded.includes('\\'))
-        return null;
-    return decoded;
-}

package/dist/types.d.ts

@@ -1,22 +0,0 @@
-import type { MiddlewareHandler } from 'astro';
-export interface MindfulAuthLocals {
-    recordId: string | null;
-    runtime?: {
-        env?: {
-            INTERNAL_API_KEY?: string;
-        };
-    };
-}
-declare global {
-    namespace App {
-        interface Locals extends MindfulAuthLocals {
-        }
-    }
-}
-export interface SessionValidationResult {
-    valid: boolean;
-    reason?: string;
-    recordId?: string;
-}
-export type MindfulAuthMiddleware = MiddlewareHandler;
-//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,CAAC,EAAE;QACR,GAAG,CAAC,EAAE;YACJ,gBAAgB,CAAC,EAAE,MAAM,CAAC;SAC3B,CAAC;KACH,CAAC;CACH;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}

package/dist/types.js

@@ -1,2 +0,0 @@
-// Type definitions for Mindful Auth
-export {};