@mindfulauth/core 2.0.0-beta.5 → 2.0.0-beta.7

package/dist/astro/VerifyMagicLinkScript.astro

@@ -0,0 +1,195 @@
+---
+// Mindful Auth - Verify Magic Link Script Component
+// Provides: Magic link verification with 2FA support
+---
+<script is:inline>
+// Verify Magic Link Script - Astro Optimized
+
+function getPathParams() {
+    const pathParts = window.location.pathname.split('/');
+    return {
+        recordid: pathParts[2],
+        token: pathParts[3]
+    };
+}
+
+async function handleVerifyMagicLinkSubmit(event) {
+    if (event) event.preventDefault();
+    
+    const form = document.querySelector('[data-mindfulauth-form="verify-magic-link"]');
+    if (!form) return;
+    const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+    if (!messageEl) return;
+    const twoFACodeEl = form.querySelector('[data-mindfulauth-field="twofa-code"]');
+    const submitBtn = form.querySelector('button[type="submit"]');
+
+    // Skip API call on localhost to prevent production logs pollution
+    const hostname = window.location.hostname;
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname.endsWith('.local')) {
+        messageEl.textContent = 'Magic link verification skipped on localhost.';
+        console.log('[Verify Magic Link] Skipping API call on localhost');
+        if (form) form.style.display = 'none';
+        return;
+    }
+
+    const { recordid, token } = getPathParams();
+
+    if (!recordid || !token) {
+        messageEl.textContent = "Invalid or expired magic link. Please request a new one.";
+        if (form) form.style.display = 'none';
+        return;
+    }
+
+    // Get Turnstile token
+    const turnstileToken = form.querySelector('[name="cf-turnstile-response"]')?.value;
+    if (!turnstileToken) {
+        messageEl.textContent = "Bot protection validation required.";
+        if (submitBtn) submitBtn.disabled = true;
+        return;
+    }
+
+    messageEl.textContent = "Verifying magic link...";
+    if (submitBtn) submitBtn.disabled = true;
+
+    try {
+        const requestBody = {
+            'cf-turnstile-response': turnstileToken
+        };
+
+        // Include 2FA code if provided
+        if (twoFACodeEl && twoFACodeEl.value) {
+            requestBody.twoFACode = twoFACodeEl.value;
+        }
+
+        const endpoint = `/auth/verify-magic-link/${recordid}/${token}`;
+        console.log('[Verify Magic Link] Making request to:', endpoint);
+        console.log('[Verify Magic Link] Request body:', requestBody);
+
+        const response = await window.apiFetch(endpoint, {
+            body: JSON.stringify(requestBody)
+        });
+
+        console.log('[Verify Magic Link] Response status:', response.status);
+        const result = await response.json();
+        console.log('[Verify Magic Link] Response body:', result);
+
+        // Check if 2FA is required
+        if (result.requires2FA) {
+            // Reset Turnstile to generate a fresh token for the 2FA submission
+            // (Turnstile tokens are single-use; first request consumed it)
+            window.turnstile?.reset();
+            
+            // Show the 2FA input field
+            const twoFAContainer = form.querySelector('[data-mindfulauth-field="twofa-code-container"]');
+            if (twoFAContainer) {
+                twoFAContainer.removeAttribute('hidden');
+                twoFAContainer.classList && twoFAContainer.classList.remove('hidden');
+                twoFAContainer.style.setProperty('display', 'block', 'important');
+                // Try common display values
+                if (window.getComputedStyle(twoFAContainer).display === 'none') {
+                    twoFAContainer.style.setProperty('display', 'flex', 'important');
+                }
+            }
+            if (twoFACodeEl) {
+                twoFACodeEl.focus();
+            }
+            messageEl.textContent = '2FA code is required to complete login.';
+            if (submitBtn) {
+                submitBtn.textContent = 'Verify 2FA Code';
+                submitBtn.disabled = false;
+            }
+            return;
+        }
+
+        if (result.success) {
+            console.log('[Verify Magic Link] Verification successful');
+            messageEl.textContent = result.message || 'Login successful! Redirecting...';
+            if (form) form.style.display = 'none';
+            
+            // Redirect to secure area (match login.js pattern)
+            if (result.redirect) {
+                console.log('[Verify Magic Link] Redirecting to:', result.redirect);
+                setTimeout(() => {
+                    window.location.assign(result.redirect);
+                }, 200);
+            }
+        } else {
+            console.error('[Verify Magic Link] Verification failed:', result.message);
+            throw new Error(result.message || 'Verification failed.');
+        }
+    } catch (error) {
+        console.error('[Verify Magic Link] Error:', error);
+        messageEl.textContent = `Error: ${error.message}`;
+        if (submitBtn) submitBtn.disabled = false;
+        window.turnstile?.reset();
+    }
+}
+
+// --- MAIN EXECUTION ---
+document.addEventListener('DOMContentLoaded', function() {
+    const form = document.querySelector('[data-mindfulauth-form="verify-magic-link"]');
+    if (!form) return;
+    
+    // Initialize message and disable button until Turnstile is ready
+    const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+    const submitBtn = form.querySelector('button[type="submit"]');
+    if (messageEl) {
+        messageEl.textContent = 'Loading bot protection...';
+    }
+    if (submitBtn) {
+        submitBtn.disabled = true;
+    }
+
+    // Initially hide 2FA field - it will be shown if needed
+    const twoFAContainer = form.querySelector('[data-mindfulauth-field="twofa-code-container"]');
+    if (twoFAContainer) {
+        twoFAContainer.style.display = 'none';
+    }
+
+    // Wait for Turnstile to be ready
+    let turnstileReady = false;
+    const checkTurnstile = setInterval(() => {
+        const turnstileToken = form.querySelector('[name="cf-turnstile-response"]')?.value;
+        if (turnstileToken) {
+            console.log('[Verify Magic Link] Turnstile token loaded - ready for user verification');
+            clearInterval(checkTurnstile);
+            turnstileReady = true;
+            const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+            if (messageEl) {
+                messageEl.textContent = 'Ready to verify. Click the button below to sign in.';
+            }
+            const submitBtn = form.querySelector('button[type="submit"]');
+            if (submitBtn) {
+                submitBtn.disabled = false;
+            }
+        }
+    }, 100);
+
+    // Check for Turnstile load every 500ms for up to 30 seconds
+    // (don't show error proactively - only if user tries to submit)
+    let turnstileCheckCount = 0;
+    const extendedCheckTurnstile = setInterval(() => {
+        const turnstileToken = form.querySelector('[name="cf-turnstile-response"]')?.value;
+        if (turnstileToken && !turnstileReady) {
+            clearInterval(extendedCheckTurnstile);
+            turnstileReady = true;
+            const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+            if (messageEl) {
+                messageEl.textContent = 'Ready to verify. Click the button below to sign in.';
+            }
+            const submitBtn = form.querySelector('button[type="submit"]');
+            if (submitBtn) {
+                submitBtn.disabled = false;
+            }
+        }
+        turnstileCheckCount++;
+        // Stop checking after 30 seconds
+        if (turnstileCheckCount > 60) {
+            clearInterval(extendedCheckTurnstile);
+        }
+    }, 500);
+
+    // Also handle explicit form submission (for 2FA code entry)
+    form.addEventListener('submit', handleVerifyMagicLinkSubmit);
+});
+</script>

package/dist/core/csp.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Scans the mindfulauth/astro/ directory at build time and returns SHA-384
+ * hashes for all <script is:inline> blocks found in .astro component files.
+ *
+ * Astro's static CSP analysis cannot resolve dynamically rendered components,
+ * so hashes must be declared manually in astro.config.mjs. This function
+ * computes them automatically so no manual maintenance is needed.
+ *
+ * When published as a package, this function resolves the astro/ directory
+ * relative to its own location — no consumer configuration required.
+ *
+ * @example
+ * // astro.config.mjs
+ * // import { getScriptHashes } from '@mindfulauth/core';
+ *
+ * scriptDirective: { hashes: getScriptHashes() }
+ */
+export declare function getScriptHashes(): string[];
+//# sourceMappingURL=csp.d.ts.map

package/dist/core/csp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp.d.ts","sourceRoot":"","sources":["../../src/core/csp.ts"],"names":[],"mappings":"AAWA;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAS1C"}

package/dist/core/csp.js

@@ -0,0 +1,36 @@
+// ============================================================================
+// Build-time CSP utilities for Mindful Auth
+// Import this in astro.config.mjs only — not at SSR runtime.
+// ============================================================================
+import { readFileSync, readdirSync } from 'fs';
+import { createHash } from 'crypto';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+/**
+ * Scans the mindfulauth/astro/ directory at build time and returns SHA-384
+ * hashes for all <script is:inline> blocks found in .astro component files.
+ *
+ * Astro's static CSP analysis cannot resolve dynamically rendered components,
+ * so hashes must be declared manually in astro.config.mjs. This function
+ * computes them automatically so no manual maintenance is needed.
+ *
+ * When published as a package, this function resolves the astro/ directory
+ * relative to its own location — no consumer configuration required.
+ *
+ * @example
+ * // astro.config.mjs
+ * // import { getScriptHashes } from '@mindfulauth/core';
+ *
+ * scriptDirective: { hashes: getScriptHashes() }
+ */
+export function getScriptHashes() {
+    const dir = join(__dirname, '../astro');
+    return readdirSync(dir)
+        .filter(f => f.endsWith('.astro'))
+        .flatMap(file => {
+        const content = readFileSync(join(dir, file), 'utf8');
+        return [...content.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/g)]
+            .map((m) => 'sha384-' + createHash('sha384').update(m[1], 'utf8').digest('base64'));
+    });
+}

package/dist/core/index.d.ts

@@ -4,4 +4,5 @@ export * from './auth';
 export * from './auth-handler';
 export * from './security';
 export * from './middleware';
+export * from './csp';
 //# sourceMappingURL=index.d.ts.map

package/dist/core/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAGA,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC;AAGzB,cAAc,QAAQ,CAAC;AAGvB,cAAc,gBAAgB,CAAC;AAG/B,cAAc,YAAY,CAAC;AAG3B,cAAc,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAGA,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC;AAGzB,cAAc,QAAQ,CAAC;AAGvB,cAAc,gBAAgB,CAAC;AAG/B,cAAc,YAAY,CAAC;AAG3B,cAAc,cAAc,CAAC;AAG7B,cAAc,OAAO,CAAC"}

package/dist/core/index.js

@@ -11,3 +11,5 @@ export * from './auth-handler';
 export * from './security';
 // Middleware  
 export * from './middleware';
+// Build-time CSP utilities
+export * from './csp';

package/package.json

@@ -1,26 +1,35 @@
 {
   "name": "@mindfulauth/core",
-  "version": "2.0.0-beta.5",
+  "version": "2.0.0-beta.7",
   "description": "Mindful Auth core authentication library for Astro 6",
   "type": "module",
-  "main": "./dist/index.js",
-  "types": "./dist/index.d.ts",
+  "main": "./dist/core/index.js",
+  "types": "./dist/core/index.d.ts",
   "exports": {
     ".": {
-      "types": "./dist/index.d.ts",
-      "import": "./dist/index.js"
+      "types": "./dist/core/index.d.ts",
+      "import": "./dist/core/index.js"
     },
+    "./astro": {
+      "types": "./dist/astro/index.d.ts",
+      "import": "./dist/astro/index.js"
+    },
+    "./astro/*.astro": "./dist/astro/*.astro",
     "./middleware": {
-      "types": "./dist/middleware.d.ts",
-      "import": "./dist/middleware.js"
+      "types": "./dist/core/middleware.d.ts",
+      "import": "./dist/core/middleware.js"
     },
     "./auth-handler": {
-      "types": "./dist/auth-handler.d.ts",
-      "import": "./dist/auth-handler.js"
+      "types": "./dist/core/auth-handler.d.ts",
+      "import": "./dist/core/auth-handler.js"
     },
     "./config": {
-      "types": "./dist/config.d.ts",
-      "import": "./dist/config.js"
+      "types": "./dist/core/config.d.ts",
+      "import": "./dist/core/config.js"
+    },
+    "./csp": {
+      "types": "./dist/core/csp.d.ts",
+      "import": "./dist/core/csp.js"
     }
   },
   "files": [
@@ -28,7 +37,7 @@
     "README.md"
   ],
   "scripts": {
-    "build": "tsc",
+    "build": "tsc && cp src/astro/*.astro dist/astro/",
     "dev": "tsc --watch",
     "prepublishOnly": "npm run build"
   },
@@ -46,7 +55,8 @@
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20260307.1",
+    "@types/node": "^25.3.5",
     "astro": "^6.0.0-beta.20",
     "typescript": "^5.9.3"
   }
-}
+}

package/dist/auth-handler.d.ts

@@ -1,5 +0,0 @@
-/** Handle GET requests (email verification, password reset links, etc.) */
-export declare function handleAuthGet(rawEndpoint: string, request: Request, url: URL, locals?: any): Promise<Response>;
-/** Handle POST requests (login, 2FA, password changes, etc.) */
-export declare function handleAuthPost(rawEndpoint: string, request: Request, url: URL, locals?: any): Promise<Response>;
-//# sourceMappingURL=auth-handler.d.ts.map

package/dist/auth-handler.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../src/auth-handler.ts"],"names":[],"mappings":"AAwEA,2EAA2E;AAC3E,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CA6BpH;AAED,gEAAgE;AAChE,wBAAsB,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAyDrH"}

package/dist/auth-handler.js

@@ -1,154 +0,0 @@
-// Auth proxy handler for Mindful Auth
-// Forwards authentication requests to the central Mindful Auth service
-//
-// ASTRO 6 MIGRATION:
-// - Astro v6 removed context.locals.runtime.env. Env vars now import from 'cloudflare:workers'.
-// - Note: @cloudflare/workers-types must be installed and referenced in env.d.ts.
-import { env } from 'cloudflare:workers';
-import { CENTRAL_AUTH_ORIGIN, ALLOWED_AUTH_METHODS, MAX_BODY_SIZE_BYTES, AUTH_PROXY_TIMEOUT_MS } from './config';
-import { sanitizeEndpoint } from './security';
-const JSON_HEADERS = { 'Content-Type': 'application/json' };
-const jsonError = (error, status) => new Response(JSON.stringify({ error }), { status, headers: JSON_HEADERS });
-/** Build proxy headers from incoming request */
-function buildProxyHeaders(request, tenantDomain, apiKey) {
-    const headers = {
-        'Content-Type': 'application/json',
-        'X-Tenant-Domain': tenantDomain,
-        'X-Requested-With': 'XMLHttpRequest'
-    };
-    if (apiKey)
-        headers['Authorization'] = `Bearer ${apiKey}`;
-    const cookie = request.headers.get('Cookie');
-    if (cookie)
-        headers['Cookie'] = cookie;
-    const clientIp = request.headers.get('cf-connecting-ip') ||
-        request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ||
-        request.headers.get('x-real-ip');
-    if (clientIp)
-        headers['X-Original-Client-IP'] = clientIp;
-    const userAgent = request.headers.get('user-agent');
-    if (userAgent)
-        headers['User-Agent'] = userAgent;
-    return headers;
-}
-/** Fetch with timeout */
-async function fetchWithTimeout(url, options) {
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), AUTH_PROXY_TIMEOUT_MS);
-    try {
-        return await fetch(url, { ...options, signal: controller.signal });
-    }
-    finally {
-        clearTimeout(timeoutId);
-    }
-}
-/** Extract mirrored session cookie (removes Domain to use tenant domain) */
-function getMirroredCookie(resp) {
-    const setCookie = resp.headers.get('set-cookie');
-    return setCookie?.includes('session_id=')
-        ? setCookie.replace(/Domain=[^;]+;?\s*/i, '')
-        : null;
-}
-/** Check if redirect is safe (relative, no open redirect) */
-function isSafeRedirect(url) {
-    return url.startsWith('/') && !url.startsWith('//');
-}
-/** Build response with standard headers */
-function buildResponse(data, status, cookie) {
-    const headers = new Headers({
-        'Content-Type': 'application/json',
-        'Cache-Control': 'no-store, no-cache, must-revalidate, private'
-    });
-    if (cookie)
-        headers.set('Set-Cookie', cookie);
-    return new Response(JSON.stringify(data), { status, headers });
-}
-/** Handle GET requests (email verification, password reset links, etc.) */
-export async function handleAuthGet(rawEndpoint, request, url, locals) {
-    // ASTRO 6 CHANGE: Environment variables accessed from 'cloudflare:workers' env directly.
-    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
-    if (!internalApiKey)
-        console.error('[auth-handler] INTERNAL_API_KEY not configured');
-    const endpoint = sanitizeEndpoint(rawEndpoint);
-    if (!endpoint)
-        return jsonError('Bad request', 400);
-    const apiUrl = new URL(`${CENTRAL_AUTH_ORIGIN}/auth/${endpoint}`);
-    url.searchParams.forEach((v, k) => apiUrl.searchParams.set(k, v));
-    let resp;
-    try {
-        resp = await fetchWithTimeout(apiUrl.toString(), {
-            method: 'GET',
-            headers: buildProxyHeaders(request, url.hostname, internalApiKey)
-        });
-    }
-    catch (e) {
-        if (e.name === 'AbortError')
-            return jsonError('Request timeout', 504);
-        throw e;
-    }
-    // Handle redirect
-    const location = resp.headers.get('Location');
-    if (resp.status === 302 && location && isSafeRedirect(location)) {
-        return new Response(null, { status: 302, headers: { Location: location } });
-    }
-    return buildResponse(await resp.json(), resp.status, getMirroredCookie(resp));
-}
-/** Handle POST requests (login, 2FA, password changes, etc.) */
-export async function handleAuthPost(rawEndpoint, request, url, locals) {
-    if (!ALLOWED_AUTH_METHODS.includes(request.method))
-        return jsonError('Method not allowed', 405);
-    const contentLength = request.headers.get('content-length');
-    if (contentLength && parseInt(contentLength) > MAX_BODY_SIZE_BYTES)
-        return jsonError('Payload too large', 413);
-    // ASTRO 6 CHANGE: Environment variables accessed from 'cloudflare:workers' env directly.
-    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
-    if (!internalApiKey)
-        console.error('[auth-handler] INTERNAL_API_KEY not configured');
-    const endpoint = sanitizeEndpoint(rawEndpoint);
-    if (!endpoint)
-        return jsonError('Bad request', 400);
-    // Parse request body
-    let body = null;
-    try {
-        const text = await request.text();
-        if (text) {
-            JSON.parse(text);
-            body = text;
-        }
-    }
-    catch {
-        return jsonError('Invalid JSON', 400);
-    }
-    let resp;
-    try {
-        resp = await fetchWithTimeout(`${CENTRAL_AUTH_ORIGIN}/auth/${endpoint}`, {
-            method: 'POST',
-            headers: buildProxyHeaders(request, url.hostname, internalApiKey),
-            body
-        });
-    }
-    catch (e) {
-        if (e.name === 'AbortError')
-            return jsonError('Request timeout', 504);
-        throw e;
-    }
-    const data = await resp.json();
-    const cookie = getMirroredCookie(resp);
-    // Handle HTTP redirect
-    const location = resp.headers.get('Location');
-    if (resp.status === 302 && location && isSafeRedirect(location)) {
-        return new Response(null, { status: 302, headers: { Location: location } });
-    }
-    // Handle JSON redirect (loginsuccessredirect)
-    const redirectUrl = data.loginsuccessredirect;
-    if (typeof redirectUrl === 'string' && isSafeRedirect(redirectUrl)) {
-        return new Response(null, {
-            status: 302,
-            headers: { Location: redirectUrl, ...(cookie && { 'Set-Cookie': cookie }) }
-        });
-    }
-    // Remove sensitive data
-    delete data.sessionToken;
-    delete data.maxAgeSeconds;
-    return buildResponse(data, resp.status, cookie);
-}

package/dist/auth.d.ts

@@ -1,9 +0,0 @@
-import type { SessionValidationResult } from './types';
-/** Validate session with Mindful Auth central service */
-export declare function validateSession(request: Request, tenantDomain: string, pathname: string, internalApiKey: string): Promise<SessionValidationResult>;
-/** Validate memberid in URL matches session (or just check structure if sessionRecordId is null) */
-export declare function validateMemberIdInUrl(pathname: string, sessionRecordId: string | null): {
-    valid: boolean;
-    strippedPathname?: string;
-};
-//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAC;AAEvD,yDAAyD;AACzD,wBAAsB,eAAe,CACjC,OAAO,EAAE,OAAO,EAChB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GACvB,OAAO,CAAC,uBAAuB,CAAC,CAsClC;AAED,oGAAoG;AACpG,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,IAAI,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAAE,CAerI"}

package/dist/auth.js

@@ -1,56 +0,0 @@
-// Authentication and session validation for Mindful Auth
-import { CENTRAL_AUTH_ORIGIN, SESSION_VALIDATION_TIMEOUT_MS } from './config';
-/** Validate session with Mindful Auth central service */
-export async function validateSession(request, tenantDomain, pathname, internalApiKey) {
-    const sessionId = request.headers.get('Cookie')?.match(/session_id=([^;]+)/)?.[1];
-    if (!sessionId)
-        return { valid: false, reason: 'no-session' };
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), SESSION_VALIDATION_TIMEOUT_MS);
-    try {
-        const clientIp = request.headers.get('cf-connecting-ip') ||
-            request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ||
-            request.headers.get('x-real-ip');
-        const resp = await fetch(`${CENTRAL_AUTH_ORIGIN}/auth/validate-session`, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json',
-                'X-Tenant-Domain': tenantDomain,
-                'X-Internal-Api-Key': internalApiKey,
-                ...(clientIp && { 'X-Original-Client-IP': clientIp }),
-                ...(request.headers.get('user-agent') && { 'User-Agent': request.headers.get('user-agent') })
-            },
-            body: JSON.stringify({ sessionId, requestedUrl: pathname }),
-            signal: controller.signal
-        });
-        const result = await resp.json();
-        if (!result.valid)
-            return { valid: false, reason: 'invalid-session' };
-        const recordId = result.data?.sub || result.recordId;
-        if (!recordId)
-            return { valid: false, reason: 'invalid-record-id' };
-        return { valid: true, recordId };
-    }
-    catch (e) {
-        console.error('[auth] Session validation failed:', e.message);
-        return { valid: false, reason: 'error' };
-    }
-    finally {
-        clearTimeout(timeoutId);
-    }
-}
-/** Validate memberid in URL matches session (or just check structure if sessionRecordId is null) */
-export function validateMemberIdInUrl(pathname, sessionRecordId) {
-    const segments = pathname.split('/').filter(Boolean);
-    if (segments.length === 0)
-        return { valid: false };
-    const urlMemberId = segments[0];
-    // Pre-check mode: just validate URL has memberid
-    if (sessionRecordId === null) {
-        return { valid: !!urlMemberId, strippedPathname: pathname };
-    }
-    // Validate memberid matches session
-    if (urlMemberId !== sessionRecordId)
-        return { valid: false };
-    return { valid: true, strippedPathname: '/' + segments.slice(1).join('/') };
-}

package/dist/config.d.ts

@@ -1,49 +0,0 @@
-export declare const CENTRAL_AUTH_ORIGIN = "https://api.mindfulauth.com";
-export declare const CDN_ORIGIN = "https://cdn.mindfulauth.com";
-export declare const ALLOWED_AUTH_METHODS: string[];
-export declare const MAX_BODY_SIZE_BYTES = 1048576;
-export declare const AUTH_PROXY_TIMEOUT_MS = 15000;
-export declare const SESSION_VALIDATION_TIMEOUT_MS = 10000;
-/**
- * Returns the combined list of assets to skip session validation for.
- * Merges defaults with any custom assets configured via mauthSecurityConfig() in astro.config.mjs.
- */
-export declare function GET_SKIP_ASSETS(): string[];
-/**
- * Configure Mindful Auth security settings including custom skip assets.
- * Call in astro.config.mjs and pass the result to getMauthViteDefines().
- *
- * @example
- * // astro.config.mjs
- * const mauthCfg = mauthSecurityConfig({
- *   skipAssets: ['/sitemap.xml', '/manifest.webmanifest']
- * });
- *
- * export default defineConfig({
- *   vite: { define: getMauthViteDefines(mauthCfg) }
- * });
- */
-export declare function mauthSecurityConfig(options?: {
-    skipAssets?: string[];
-}): typeof options;
-/**
- * Converts the result of mauthSecurityConfig() into Vite define entries.
- * Pass the output to vite.define in astro.config.mjs so custom values are
- * baked into the SSR bundle at build time.
- */
-export declare function getMauthViteDefines(options?: {
-    skipAssets?: string[];
-}): Record<string, string>;
-export declare const PUBLIC_ROUTES: string[];
-export declare const PUBLIC_PREFIXES: string[];
-/**
- * Returns security headers to be added to every SSR response.
- * CSP (Content-Security-Policy) for script-src and style-src is handled by
- * Astro 6's native security.csp in astro.config.mjs using hashes.
- * The remaining headers here cover transport security, framing, and permissions.
- *
- * Note: X-Frame-Options: SAMEORIGIN covers clickjacking protection
- * (equivalent to CSP frame-ancestors 'self', which cannot be set via meta tag).
- */
-export declare function GET_SECURITY_HEADERS(): Record<string, string>;
-//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,UAAU,gCAAgC,CAAC;AAGxD,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAIzB;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AAMF;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQ7D"}