@mindfulauth/core 2.0.0-beta.5 → 2.0.0-beta.7

package/dist/config.js

@@ -1,95 +0,0 @@
-// ============================================================================
-// Configuration for the Astro Portal
-// ============================================================================
-// API Endpoints
-export const CENTRAL_AUTH_ORIGIN = 'https://api.mindfulauth.com';
-export const CDN_ORIGIN = 'https://cdn.mindfulauth.com';
-// Request & Timeout Configuration
-export const ALLOWED_AUTH_METHODS = ['GET', 'POST'];
-export const MAX_BODY_SIZE_BYTES = 1048576; // 1MB limit
-export const AUTH_PROXY_TIMEOUT_MS = 15000;
-export const SESSION_VALIDATION_TIMEOUT_MS = 10000;
-// ============================================================================
-// Static Assets & Route Configuration
-// ============================================================================
-// Static assets to skip session validation (favicon, robots.txt, etc.)
-// SECURITY CRITICAL: Only add actual static file requests here.
-// Examples of safe entries: /favicon.ico, /robots.txt, /sitemap.xml
-// NEVER add application routes like [memberid]/dashboard,  [memberid]/profile,  [memberid]/secure/* - this COMPLETELY bypasses authentication. If you add a route here, unauthenticated users can access it without logging in.
-const DEFAULT_SKIP_ASSETS = ['/favicon.ico', '/robots.txt', '/.well-known/security.txt'];
-/**
- * Returns the combined list of assets to skip session validation for.
- * Merges defaults with any custom assets configured via mauthSecurityConfig() in astro.config.mjs.
- */
-export function GET_SKIP_ASSETS() {
-    return [...DEFAULT_SKIP_ASSETS, ...__MAUTH_SKIP_ASSETS__];
-}
-/**
- * Configure Mindful Auth security settings including custom skip assets.
- * Call in astro.config.mjs and pass the result to getMauthViteDefines().
- *
- * @example
- * // astro.config.mjs
- * const mauthCfg = mauthSecurityConfig({
- *   skipAssets: ['/sitemap.xml', '/manifest.webmanifest']
- * });
- *
- * export default defineConfig({
- *   vite: { define: getMauthViteDefines(mauthCfg) }
- * });
- */
-export function mauthSecurityConfig(options) {
-    return options;
-}
-/**
- * Converts the result of mauthSecurityConfig() into Vite define entries.
- * Pass the output to vite.define in astro.config.mjs so custom values are
- * baked into the SSR bundle at build time.
- */
-export function getMauthViteDefines(options) {
-    return {
-        __MAUTH_SKIP_ASSETS__: JSON.stringify(options?.skipAssets ?? []),
-    };
-}
-// Public routes that do not require authentication
-// ⚠️ DO NOT EDIT - These are critical for the authentication system to work correctly
-export const PUBLIC_ROUTES = [
-    '/',
-    '/login',
-    '/register',
-    '/magic-login',
-    '/magic-register',
-    '/forgot-password',
-    '/resend-verification',
-];
-// Dynamic public routes (prefix matching)
-// ⚠️ DO NOT EDIT - These are critical for the authentication system to work correctly
-export const PUBLIC_PREFIXES = [
-    '/auth/',
-    '/email-verified/',
-    '/reset-password/',
-    '/verify-email/',
-    '/verify-magic-link/',
-    '/api/public/',
-];
-// ============================================================================
-// Security Headers
-// ============================================================================
-/**
- * Returns security headers to be added to every SSR response.
- * CSP (Content-Security-Policy) for script-src and style-src is handled by
- * Astro 6's native security.csp in astro.config.mjs using hashes.
- * The remaining headers here cover transport security, framing, and permissions.
- *
- * Note: X-Frame-Options: SAMEORIGIN covers clickjacking protection
- * (equivalent to CSP frame-ancestors 'self', which cannot be set via meta tag).
- */
-export function GET_SECURITY_HEADERS() {
-    return {
-        'X-Content-Type-Options': 'nosniff',
-        'X-Frame-Options': 'SAMEORIGIN',
-        'Referrer-Policy': 'strict-origin-when-cross-origin',
-        'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
-        'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
-    };
-}

package/dist/index.d.ts

@@ -1,7 +0,0 @@
-export * from './types';
-export * from './config';
-export * from './auth';
-export * from './auth-handler';
-export * from './security';
-export * from './middleware';
-//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC;AAGzB,cAAc,QAAQ,CAAC;AAGvB,cAAc,gBAAgB,CAAC;AAG/B,cAAc,YAAY,CAAC;AAG3B,cAAc,cAAc,CAAC"}

package/dist/index.js

@@ -1,13 +0,0 @@
-// Mindful Auth Core - Main exports
-// Types
-export * from './types';
-// Configuration
-export * from './config';
-// Authentication
-export * from './auth';
-// Auth handler for API routes
-export * from './auth-handler';
-// Security utilities
-export * from './security';
-// Middleware  
-export * from './middleware';

package/dist/middleware.d.ts

@@ -1,2 +0,0 @@
-export declare const onRequest: import("astro").MiddlewareHandler;
-//# sourceMappingURL=middleware.d.ts.map

package/dist/middleware.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAqCA,eAAO,MAAM,SAAS,mCAqFpB,CAAC"}

package/dist/middleware.js

@@ -1,108 +0,0 @@
-// Global middleware for session validation
-// Runs before all route handlers to enforce authentication
-//
-// ASTRO 6 MIGRATION:
-// - Astro v6 removed context.locals.runtime.env. Env vars now import from 'cloudflare:workers'.
-// - cloudflare:workers is marked external in astro.config.vite.ssr to avoid esbuild scan errors.
-// - Dev mode bypass uses import.meta.env.DEV (build-time constant: true in dev, false in prod).
-import { defineMiddleware } from 'astro:middleware';
-import { env } from 'cloudflare:workers';
-import { PUBLIC_ROUTES, PUBLIC_PREFIXES, GET_SECURITY_HEADERS, GET_SKIP_ASSETS } from './config';
-import { sanitizePath } from './security';
-import { validateSession, validateMemberIdInUrl } from './auth';
-/** Check if a path is a public route (no auth required) */
-function isPublicRoute(pathname) {
-    return PUBLIC_ROUTES.includes(pathname) ||
-        PUBLIC_PREFIXES.some((prefix) => pathname.startsWith(prefix));
-}
-/** Add security headers to a response */
-// NOTE: In Cloudflare Workers, Response.headers is immutable.
-// We must create a new Response with a fresh Headers object instead of mutating.
-// CSP for script-src/style-src is handled by Astro 6's native security.csp (via <meta> tag).
-function addSecurityHeaders(response) {
-    const newHeaders = new Headers(response.headers);
-    Object.entries(GET_SECURITY_HEADERS()).forEach(([key, value]) => {
-        newHeaders.set(key, value);
-    });
-    return new Response(response.body, {
-        status: response.status,
-        statusText: response.statusText,
-        headers: newHeaders,
-    });
-}
-// Main middleware function
-export const onRequest = defineMiddleware(async (context, next) => {
-    const { request, url, redirect, locals } = context;
-    const pathname = url.pathname;
-    // Redirect HTTP to HTTPS (skip in dev mode and localhost)
-    if (!import.meta.env.DEV && url.protocol === 'http:' && url.hostname !== 'localhost' && url.hostname !== '127.0.0.1') {
-        const httpsUrl = url.toString().replace('http://', 'https://');
-        return redirect(httpsUrl, 307);
-    }
-    // Skip middleware for static assets FIRST (before dev mode)
-    if (GET_SKIP_ASSETS().includes(pathname)) {
-        return next();
-    }
-    // DEV MODE: Skip auth
-    // import.meta.env.DEV is a build-time constant replaced by Vite:
-    // - true during local dev (never included in prod build)
-    // - false in production builds (tree-shaken out entirely)
-    // Localhost auth is skipped because Mindful Auth blocks localhost requests.
-    if (import.meta.env.DEV) {
-        // Check if public route first
-        if (isPublicRoute(pathname)) {
-            locals.recordId = null;
-            return next();
-        }
-        // For protected routes, extract or create mock recordId
-        // Match memberid with trailing slash
-        const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
-        locals.recordId = match ? match[1] : 'dev-user-123';
-        return next();
-    }
-    // PREVIEW MODE: Skip auth (for testing without Mindful Auth on localhost)
-    // npm run preview builds the project first, so import.meta.env.DEV is false.
-    // We need a runtime check for localhost to simulate auth in preview.
-    if (url.hostname === 'localhost' || url.hostname === '127.0.0.1') {
-        if (isPublicRoute(pathname)) {
-            locals.recordId = null;
-            return addSecurityHeaders(await next());
-        }
-        const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
-        locals.recordId = match ? match[1] : 'preview-user-123';
-        return addSecurityHeaders(await next());
-    }
-    // Sanitize path
-    const safePath = sanitizePath(pathname);
-    if (!safePath) {
-        return new Response('Bad Request', { status: 400 });
-    }
-    // Public routes - no auth needed
-    if (isPublicRoute(safePath)) {
-        locals.recordId = null;
-        return addSecurityHeaders(await next());
-    }
-    // Protected route - validate session
-    // ASTRO 6 CHANGE: Environment variables are accessed directly from 'cloudflare:workers' env,
-    // not from context.locals.runtime.env (which was removed).
-    const internalApiKey = env.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
-    if (!internalApiKey) {
-        console.error('[middleware] CRITICAL: INTERNAL_API_KEY not configured');
-        return new Response('Internal Server Error', { status: 500 });
-    }
-    // URL must have memberid
-    if (!validateMemberIdInUrl(safePath, null).valid) {
-        return new Response('Forbidden: URL must include memberid', { status: 403 });
-    }
-    // Validate session
-    const session = await validateSession(request, url.hostname, safePath, internalApiKey);
-    if (!session.valid) {
-        return redirect('/login');
-    }
-    // Validate memberid matches session
-    if (!validateMemberIdInUrl(safePath, session.recordId).valid) {
-        return new Response('Forbidden: Invalid user ID in URL', { status: 403 });
-    }
-    locals.recordId = session.recordId;
-    return addSecurityHeaders(await next());
-});

package/dist/security.d.ts

@@ -1,5 +0,0 @@
-/** Sanitize endpoint path (prevents ../ traversal and encoded variants) */
-export declare function sanitizeEndpoint(endpoint: string): string | null;
-/** Sanitize URL path (prevents ../ traversal and encoded variants) */
-export declare function sanitizePath(pathname: string): string | null;
-//# sourceMappingURL=security.d.ts.map

package/dist/security.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../src/security.ts"],"names":[],"mappings":"AAkBA,2EAA2E;AAC3E,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAIhE;AAED,sEAAsE;AACtE,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAI5D"}

package/dist/security.js

@@ -1,31 +0,0 @@
-// Security utilities - path traversal prevention
-const MAX_PATH_LENGTH = 2048;
-/** Decode and check for traversal attacks */
-function decodeAndValidate(str) {
-    if (!str || typeof str !== 'string' || str.length > MAX_PATH_LENGTH)
-        return null;
-    try {
-        let decoded = decodeURIComponent(str);
-        // Catch double-encoded traversal attempts
-        if (decoded.includes('%'))
-            decoded = decodeURIComponent(decoded);
-        return decoded;
-    }
-    catch {
-        return null;
-    }
-}
-/** Sanitize endpoint path (prevents ../ traversal and encoded variants) */
-export function sanitizeEndpoint(endpoint) {
-    const decoded = decodeAndValidate(endpoint);
-    if (!decoded || decoded.includes('..') || decoded.includes('\\'))
-        return null;
-    return decoded;
-}
-/** Sanitize URL path (prevents ../ traversal and encoded variants) */
-export function sanitizePath(pathname) {
-    const decoded = decodeAndValidate(pathname);
-    if (!decoded || decoded.includes('..') || decoded.includes('\\'))
-        return null;
-    return decoded;
-}

package/dist/types.d.ts

@@ -1,22 +0,0 @@
-import type { MiddlewareHandler } from 'astro';
-export interface MindfulAuthLocals {
-    recordId: string | null;
-    runtime?: {
-        env?: {
-            INTERNAL_API_KEY?: string;
-        };
-    };
-}
-declare global {
-    namespace App {
-        interface Locals extends MindfulAuthLocals {
-        }
-    }
-}
-export interface SessionValidationResult {
-    valid: boolean;
-    reason?: string;
-    recordId?: string;
-}
-export type MindfulAuthMiddleware = MiddlewareHandler;
-//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,CAAC,EAAE;QACR,GAAG,CAAC,EAAE;YACJ,gBAAgB,CAAC,EAAE,MAAM,CAAC;SAC3B,CAAC;KACH,CAAC;CACH;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}

package/dist/types.js

@@ -1,2 +0,0 @@
-// Type definitions for Mindful Auth
-export {};