@mindfulauth/core 2.0.0-beta.8 → 2.0.1

package/dist/astro/SecurityScript.astro

@@ -6,41 +6,6 @@
 // Security Settings Script - Astro Optimized
 // Combines: Change Password + 2FA Management + Add Authentication Method
 
-// ============================================================================
-// QRCODE DYNAMIC LOADING (bundled via qrcode npm package)
-// ============================================================================
-
-// Capture CDN origin at load time for loading co-hosted libraries
-const __cdnOrigin = (() => {
-  try {
-    if (document.currentScript && document.currentScript.src) {
-      return new URL(document.currentScript.src).origin;
-    }
-  } catch (_) {}
-  return '';
-})();
-
-/**
- * Dynamically loads the bundled QRCode library from the same CDN origin.
- * Uses the qrcode npm package (bundled as IIFE via esbuild).
- * Exposes QRCode.toCanvas(), QRCode.toDataURL(), QRCode.toString()
- * @returns {Promise<void>}
- */
-async function loadQRCodeLibrary() {
-  return new Promise((resolve, reject) => {
-    if (typeof QRCode !== 'undefined' && QRCode.toCanvas) {
-      resolve();
-      return;
-    }
-
-    const script = document.createElement('script');
-    script.src = `${__cdnOrigin}/lib/qrcode.js`;
-    script.onload = () => resolve();
-    script.onerror = () => reject(new Error('Failed to load QR code library'));
-    document.head.appendChild(script);
-  });
-}
-
 // ============================================================================
 // RECORDID EXTRACTION HELPER
 // ============================================================================
@@ -210,22 +175,20 @@ function init2FA() {
     setupDiv.removeAttribute('hidden');
     setupDiv.classList && setupDiv.classList.remove('hidden');
     setupDiv.style.display = 'flex';
-    qrCodeContainer.innerHTML = '';
+    qrCodeContainer.replaceChildren();
 
-    messageEl.textContent = 'Loading QR code generator...';
+    messageEl.textContent = 'Generating QR code...';
     try {
-      // Load QRCode library dynamically
-      await loadQRCodeLibrary();
-
-      messageEl.textContent = 'Generating secret key...';
       const response = await window.apiFetch('/auth/setup-2fa', { body: JSON.stringify({ recordid }) });
       const result = await response.json();
       if (result.success) {
-        qrCodeContainer.innerHTML = '';
+        qrCodeContainer.replaceChildren();
 
-        const canvas = document.createElement('canvas');
-        await QRCode.toCanvas(canvas, result.otpauthUri, { width: 256, margin: 2 });
-        qrCodeContainer.appendChild(canvas);
+        const img = document.createElement('img');
+        img.src = result.qrCodeDataUrl;
+        img.width = 256;
+        img.alt = 'QR code for authenticator app';
+        qrCodeContainer.appendChild(img);
 
         messageEl.textContent = 'Scan the QR code with your authenticator app and enter the code below.';
       } else {
@@ -265,7 +228,7 @@ function init2FA() {
           messageEl.textContent = result.message;
 
           if (result.recoveryCodes && result.recoveryCodes.length > 0) {
-            recoveryList.innerHTML = '';
+            recoveryList.replaceChildren();
             result.recoveryCodes.forEach(code => {
               const li = document.createElement('li');
               li.textContent = code;

package/dist/core/auth-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../../src/core/auth-handler.ts"],"names":[],"mappings":"AAwEA,2EAA2E;AAC3E,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CA6BpH;AAED,gEAAgE;AAChE,wBAAsB,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAyDrH"}
+{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../../src/core/auth-handler.ts"],"names":[],"mappings":"AAoEA,2EAA2E;AAC3E,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CA6BpH;AAED,gEAAgE;AAChE,wBAAsB,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAyDrH"}

package/dist/core/auth-handler.js

@@ -1,12 +1,8 @@
 // Auth proxy handler for Mindful Auth
 // Forwards authentication requests to the central Mindful Auth service
-//
-// ASTRO 6 MIGRATION:
-// - Astro v6 removed context.locals.runtime.env. Env vars now import from 'cloudflare:workers'.
-// - Note: @cloudflare/workers-types must be installed and referenced in env.d.ts.
 import { env } from 'cloudflare:workers';
-import { CENTRAL_AUTH_ORIGIN, ALLOWED_AUTH_METHODS, MAX_BODY_SIZE_BYTES, AUTH_PROXY_TIMEOUT_MS } from './config';
-import { sanitizeEndpoint } from './security';
+import { CENTRAL_AUTH_ORIGIN, ALLOWED_AUTH_METHODS, MAX_BODY_SIZE_BYTES, AUTH_PROXY_TIMEOUT_MS } from './config.js';
+import { sanitizeEndpoint } from './security.js';
 const JSON_HEADERS = { 'Content-Type': 'application/json' };
 const jsonError = (error, status) => new Response(JSON.stringify({ error }), { status, headers: JSON_HEADERS });
 /** Build proxy headers from incoming request */

package/dist/core/auth.d.ts

@@ -1,4 +1,4 @@
-import type { SessionValidationResult } from './types';
+import type { SessionValidationResult } from './types.js';
 /** Validate session with Mindful Auth central service */
 export declare function validateSession(request: Request, tenantDomain: string, pathname: string, internalApiKey: string): Promise<SessionValidationResult>;
 /** Validate memberid in URL matches session (or just check structure if sessionRecordId is null) */

package/dist/core/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/core/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAC;AAEvD,yDAAyD;AACzD,wBAAsB,eAAe,CACjC,OAAO,EAAE,OAAO,EAChB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GACvB,OAAO,CAAC,uBAAuB,CAAC,CAsClC;AAED,oGAAoG;AACpG,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,IAAI,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAAE,CAerI"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/core/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAE1D,yDAAyD;AACzD,wBAAsB,eAAe,CACjC,OAAO,EAAE,OAAO,EAChB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GACvB,OAAO,CAAC,uBAAuB,CAAC,CAsClC;AAED,oGAAoG;AACpG,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,IAAI,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAAE,CAerI"}

package/dist/core/auth.js

@@ -1,5 +1,5 @@
 // Authentication and session validation for Mindful Auth
-import { CENTRAL_AUTH_ORIGIN, SESSION_VALIDATION_TIMEOUT_MS } from './config';
+import { CENTRAL_AUTH_ORIGIN, SESSION_VALIDATION_TIMEOUT_MS } from './config.js';
 /** Validate session with Mindful Auth central service */
 export async function validateSession(request, tenantDomain, pathname, internalApiKey) {
     const sessionId = request.headers.get('Cookie')?.match(/session_id=([^;]+)/)?.[1];

package/dist/core/config.d.ts

@@ -41,8 +41,7 @@ export declare const PUBLIC_PREFIXES: string[];
  * Astro 6's native security.csp in astro.config.mjs using hashes.
  * The remaining headers here cover transport security, framing, and permissions.
  *
- * Note: X-Frame-Options: SAMEORIGIN covers clickjacking protection
- * (equivalent to CSP frame-ancestors 'self', which cannot be set via meta tag).
+ * Note: X-Frame-Options: DENY prevents this portal from being embedded in iframes on any domain, protecting against clickjacking attacks.
  */
 export declare function GET_SECURITY_HEADERS(): Record<string, string>;
 //# sourceMappingURL=config.d.ts.map

package/dist/core/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AAGjE,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAIzB;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AAMF;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQ7D"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AAGjE,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAIzB;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AAMF;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAU7D"}

package/dist/core/config.js

@@ -80,15 +80,16 @@ export const PUBLIC_PREFIXES = [
  * Astro 6's native security.csp in astro.config.mjs using hashes.
  * The remaining headers here cover transport security, framing, and permissions.
  *
- * Note: X-Frame-Options: SAMEORIGIN covers clickjacking protection
- * (equivalent to CSP frame-ancestors 'self', which cannot be set via meta tag).
+ * Note: X-Frame-Options: DENY prevents this portal from being embedded in iframes on any domain, protecting against clickjacking attacks.
  */
 export function GET_SECURITY_HEADERS() {
     return {
         'X-Content-Type-Options': 'nosniff',
-        'X-Frame-Options': 'SAMEORIGIN',
+        'X-Frame-Options': 'DENY',
         'Referrer-Policy': 'strict-origin-when-cross-origin',
-        'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
-        'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
+        'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
+        'Permissions-Policy': 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()',
+        'Cross-Origin-Opener-Policy': 'same-origin',
+        'Cross-Origin-Resource-Policy': 'same-origin',
     };
 }

package/dist/core/index.d.ts

@@ -1,8 +1,6 @@
-export * from './types';
-export * from './config';
-export * from './auth';
-export * from './auth-handler';
-export * from './security';
-export * from './middleware';
-export * from './csp';
+export * from './types.js';
+export * from './config.js';
+export * from './auth.js';
+export * from './security.js';
+export * from './csp.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/core/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAGA,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC;AAGzB,cAAc,QAAQ,CAAC;AAGvB,cAAc,gBAAgB,CAAC;AAG/B,cAAc,YAAY,CAAC;AAG3B,cAAc,cAAc,CAAC;AAG7B,cAAc,OAAO,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAGA,cAAc,YAAY,CAAC;AAG3B,cAAc,aAAa,CAAC;AAG5B,cAAc,WAAW,CAAC;AAM1B,cAAc,eAAe,CAAC;AAQ9B,cAAc,UAAU,CAAC"}

package/dist/core/index.js

@@ -1,15 +1,17 @@
 // Mindful Auth Core - Main exports
 // Types
-export * from './types';
+export * from './types.js';
 // Configuration
-export * from './config';
+export * from './config.js';
 // Authentication
-export * from './auth';
-// Auth handler for API routes
-export * from './auth-handler';
+export * from './auth.js';
+// Auth handler for API routes — NOT re-exported here.
+// auth-handler.ts imports 'cloudflare:workers' which is only available at runtime (SSR), not at config-load time. Import it directly where needed: import { handleAuthProxy } from './auth-handler.js';
 // Security utilities
-export * from './security';
-// Middleware  
-export * from './middleware';
+export * from './security.js';
+// Middleware — NOT re-exported here.
+// middleware.ts imports 'astro:middleware' and 'cloudflare:workers' which are
+// only available at runtime (SSR), not at config-load time.
+// Import it directly: import { onRequest } from './middleware.js';
 // Build-time CSP utilities
-export * from './csp';
+export * from './csp.js';

package/dist/core/middleware.js

@@ -7,9 +7,9 @@
 // - Dev mode bypass uses import.meta.env.DEV (build-time constant: true in dev, false in prod).
 import { defineMiddleware } from 'astro:middleware';
 import { env } from 'cloudflare:workers';
-import { PUBLIC_ROUTES, PUBLIC_PREFIXES, GET_SECURITY_HEADERS, GET_SKIP_ASSETS } from './config';
-import { sanitizePath } from './security';
-import { validateSession, validateMemberIdInUrl } from './auth';
+import { PUBLIC_ROUTES, PUBLIC_PREFIXES, GET_SECURITY_HEADERS, GET_SKIP_ASSETS } from './config.js';
+import { sanitizePath } from './security.js';
+import { validateSession, validateMemberIdInUrl } from './auth.js';
 /** Check if a path is a public route (no auth required) */
 function isPublicRoute(pathname) {
     return PUBLIC_ROUTES.includes(pathname) ||

package/dist/core/types.d.ts

@@ -1,11 +1,6 @@
 import type { MiddlewareHandler } from 'astro';
 export interface MindfulAuthLocals {
     recordId: string | null;
-    runtime?: {
-        env?: {
-            INTERNAL_API_KEY?: string;
-        };
-    };
 }
 declare global {
     namespace App {

package/dist/core/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,OAAO,CAAC,EAAE;QACR,GAAG,CAAC,EAAE;YACJ,gBAAgB,CAAC,EAAE,MAAM,CAAC;SAC3B,CAAC;KACH,CAAC;CACH;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}

package/package.json

@@ -1,10 +1,9 @@
 {
   "name": "@mindfulauth/core",
-  "version": "2.0.0-beta.8",
+  "version": "2.0.1",
   "description": "Mindful Auth core authentication library for Astro 6",
   "type": "module",
-  "main": "./dist/core/index.js",
-  "types": "./dist/core/index.d.ts",
+  "sideEffects": false,
   "exports": {
     ".": {
       "types": "./dist/core/index.d.ts",
@@ -51,12 +50,12 @@
   "author": "Mindful Auth",
   "license": "MIT",
   "peerDependencies": {
-    "astro": "^6.0.0-beta.20"
+    "astro": "^6.0.1"
   },
   "devDependencies": {
-    "@cloudflare/workers-types": "^4.20260307.1",
-    "@types/node": "^25.3.5",
-    "astro": "^6.0.0-beta.20",
+    "@cloudflare/workers-types": "^4.20260310.1",
+    "@types/node": "^25.4.0",
+    "astro": "^6.0.1",
     "typescript": "^5.9.3"
   }
 }