@mindfulauth/core 2.0.1 → 3.0.0

package/dist/authScripts/ForgotPasswordScript.astro

@@ -0,0 +1,64 @@
+---
+// Mindful Auth - Forgot Password Script Component
+// Provides: Forgot password form handling
+---
+<script is:inline>
+// Main Forgot Password Script - Astro Optimized
+async function handleForgotPasswordSubmit(event) {
+    event.preventDefault();
+    const form = event.target;
+    const emailInput = form.querySelector('[data-mindfulauth-field="email"]');
+    const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+    const submitBtn = form.querySelector('button[type="submit"]');
+
+    // Skip API call on localhost to prevent production logs pollution
+    const hostname = window.location.hostname;
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname.endsWith('.local')) {
+        messageEl.textContent = 'Password reset is disabled on localhost. Use a real domain for testing.';
+        console.log('[Forgot Password] Blocked form submission on localhost');
+        return;
+    }
+
+    messageEl.textContent = 'Sending...';
+    submitBtn.disabled = true;
+
+    try {
+    const response = await window.apiFetch('/auth/forgot-password', {
+            body: JSON.stringify({
+                'cf-turnstile-response': form.querySelector('[name="cf-turnstile-response"]')?.value,
+                email: emailInput.value
+            }),
+        });
+
+        const result = await response.json();
+        messageEl.textContent = result.message;
+
+    } catch (error) {
+        messageEl.textContent = 'An error occurred. Please try again.';
+    } finally {
+        submitBtn.disabled = false;
+        window.turnstile?.reset();
+    }
+}
+
+// --- MAIN EXECUTION ---
+document.addEventListener('DOMContentLoaded', function() {
+    const form = document.querySelector('[data-mindfulauth-form="forgot-password"]');
+    if (!form) return;
+
+    // Check for password change required scenario (redirected from login)
+    const urlParams = new URLSearchParams(window.location.search);
+    const reason = urlParams.get('reason');
+    const passwordChangePendingMsg = document.querySelector('[data-mindfulauth-field="password-change-pending"]');
+    
+    if (reason === 'password_change_required') {
+        // Show security warning
+        if (passwordChangePendingMsg) {
+            passwordChangePendingMsg.textContent = 'Your account requires a password change for security reasons. Please complete the form below to set a new password.';
+            passwordChangePendingMsg.style.display = 'block';
+        }
+    }
+    
+    form.addEventListener('submit', handleForgotPasswordSubmit);
+});
+</script>

package/dist/authScripts/LoginScript.astro

@@ -0,0 +1,209 @@
+---
+// Mindful Auth - Login Script Component
+// Provides: Login form handling with 2FA support
+---
+<script is:inline>
+// Login Script - Astro Optimized
+let userEmailFor2FA = '';
+
+async function handleLoginSubmit(event) {
+    event.preventDefault();
+    const form = event.target;
+    const emailInput = form.querySelector('[data-mindfulauth-field="email"]');
+    const passwordInput = form.querySelector('[data-mindfulauth-field="password"]');
+    const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+    const submitBtn = form.querySelector('button[type="submit"]');
+    const twoFactorSection = form.querySelector('[data-mindfulauth-field="twofa-section"]');
+    const twoFactorInput = form.querySelector('[data-mindfulauth-field="twofa-code"]');
+
+    // Skip API call on localhost to prevent production logs pollution
+    const hostname = window.location.hostname;
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname.endsWith('.local')) {
+        messageEl.textContent = 'Authentication is disabled on localhost. Use a real domain for testing.';
+        console.log('[Login] Blocked form submission on localhost');
+        submitBtn.disabled = false;
+        return;
+    }
+
+    messageEl.textContent = 'Verifying...';
+    submitBtn.disabled = true;
+
+    try {
+        if (userEmailFor2FA) {
+            // Verify the 2FA code using same login endpoint
+            const token = twoFactorInput.value;
+            const response = await window.apiFetch('/auth/login', {
+                body: JSON.stringify({ 
+                    email: userEmailFor2FA, 
+                    password: passwordInput.value,
+                    twoFACode: token 
+                })
+            });
+
+            const result = await response.json();
+
+            // Successful 2FA verification
+            if (result.authorized) {                
+                messageEl.textContent = 'Success! Redirecting...';
+                
+                // Use redirectUrl from API response
+                const redirectUrl = result.redirectUrl;
+                
+                // Wait for cookies to be processed before redirecting
+                setTimeout(() => {
+                    window.location.assign(redirectUrl);
+                }, 200);
+            } else {
+                throw new Error(result.message || 'Invalid 2FA code.');
+            }
+        } else {
+            // Initial login attempt (Turnstile REQUIRED)
+            const tokenInput = form.querySelector('[name="cf-turnstile-response"]');
+            if (!tokenInput || !tokenInput.value) {
+                messageEl.textContent = 'Please complete the CAPTCHA challenge.';
+                submitBtn.disabled = false;
+                return;
+            }
+            
+            // Use raw fetch to handle 403 password_change_required before global handler
+            let response = await fetch('/auth/login', {
+                method: 'POST',
+                credentials: 'include',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'X-Requested-With': 'XMLHttpRequest',
+                    'X-Tenant-Domain': window.location.hostname
+                },
+                body: JSON.stringify({
+                    'cf-turnstile-response': tokenInput.value,
+                    email: emailInput.value,
+                    password: passwordInput.value
+                }),
+            });
+            
+            const result = await response.json();
+            
+            // Check for password change required FIRST (403 response)
+            if (result.password_change_required) {
+                window.location.assign('/forgot-password?reason=password_change_required');
+                return;
+            }
+            
+            // Handle response normally for other cases
+            if (!response.ok && response.status !== 403) {
+                throw new Error(result.message || 'Login failed.');
+            }
+
+            // Successful login without 2FA
+            if (result.authorized) {
+                // Use redirectUrl from API response
+                const redirectUrl = result.redirectUrl;
+
+                messageEl.textContent = 'Success! Redirecting...';
+                
+                // Wait for cookies to be processed before redirecting
+                setTimeout(() => {
+                    window.location.assign(redirectUrl);
+                }, 200);
+
+            } else if (result.two_factor_required) { 
+                userEmailFor2FA = emailInput.value;
+                messageEl.textContent = 'Please enter your two-factor authentication code.';
+                emailInput.parentElement.style.display = 'none';
+                passwordInput.parentElement.style.display = 'none';
+                const turnstileContainer = form.querySelector('[data-mindfulauth-turnstile]');
+                if (turnstileContainer) turnstileContainer.style.display = 'none';
+                twoFactorSection.style.display = 'flex';
+                twoFactorInput.focus();
+                submitBtn.textContent = 'Verify Code';
+                
+                // Show recovery link when 2FA section appears
+                const recoveryLink = form.querySelector('[data-mindfulauth-field="use-recovery-link"]');
+                if (recoveryLink) {
+                    recoveryLink.style.display = '';
+                }
+            } else {
+                throw new Error(result.message || 'Login failed.');
+            }
+        }
+        
+    // If there's an error in the 2FA step, reset the form to the password step.
+    } catch (error) {
+        messageEl.textContent = `Error: ${error.message}`;
+        userEmailFor2FA = '';
+        twoFactorSection.style.display = 'none';
+        emailInput.parentElement.style.display = '';
+        passwordInput.parentElement.style.display = '';
+        const turnstileContainer = form.querySelector('[data-mindfulauth-turnstile]');
+        if (turnstileContainer) turnstileContainer.style.display = '';
+        submitBtn.textContent = 'Login';
+        if (window.turnstile && typeof window.turnstile.reset === 'function') {
+            window.turnstile.reset();
+        }
+    } finally {
+        submitBtn.disabled = false;
+    }
+}
+
+// --- MAIN EXECUTION ---
+document.addEventListener('DOMContentLoaded', function() {
+    // Check for verification success parameter
+    const urlParams = new URLSearchParams(window.location.search);
+    if (urlParams.get('verified') === '1') {
+        const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+        if (messageEl) {
+            messageEl.textContent = '✓ Email verified successfully! You can now log in.';
+            messageEl.style.color = 'green';
+        }
+    }
+
+    const form = document.querySelector('[data-mindfulauth-form="login"]');
+    if (!form) return;
+    
+    form.addEventListener('submit', handleLoginSubmit);
+
+    // --- Add event listener for the recovery code link ---
+    const recoveryLink = form.querySelector('[data-mindfulauth-field="use-recovery-link"]');
+    if (recoveryLink) {
+        recoveryLink.addEventListener('click', (event) => {
+            event.preventDefault();
+            event.stopPropagation();
+            const twoFactorInput = form.querySelector('[data-mindfulauth-field="twofa-code"]');
+            const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+
+            // Remove the restrictions for the recovery code
+            twoFactorInput.removeAttribute('maxlength');
+            twoFactorInput.removeAttribute('pattern');
+            twoFactorInput.removeAttribute('inputmode');
+            twoFactorInput.value = '';
+
+            // Update UI for recovery code entry
+            twoFactorInput.placeholder = 'e.g. ABCDEF1234';
+            twoFactorInput.focus();
+            messageEl.textContent = 'Enter one of your saved recovery codes.';
+            recoveryLink.style.display = 'none';
+        }, true);
+    }
+
+    // Delegated fallback (handles dynamic rendering)
+    document.addEventListener('click', (e) => {
+        const link = e.target && e.target.closest && e.target.closest('[data-mindfulauth-field="use-recovery-link"]');
+        if (link) {
+            e.preventDefault();
+            e.stopPropagation();
+            const twoFactorInput = form.querySelector('[data-mindfulauth-field="twofa-code"]');
+            const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+
+            twoFactorInput.removeAttribute('maxlength');
+            twoFactorInput.removeAttribute('pattern');
+            twoFactorInput.removeAttribute('inputmode');
+            twoFactorInput.value = '';
+
+            twoFactorInput.placeholder = 'e.g. ABCDEF1234';
+            twoFactorInput.focus();
+            messageEl.textContent = 'Enter one of your saved recovery codes.';
+            link.style.display = 'none';
+        }
+    }, true);
+});
+</script>

package/dist/authScripts/MagicLoginScript.astro

@@ -0,0 +1,62 @@
+---
+// Mindful Auth - Magic Login Script Component
+// Provides: Magic link login form handling
+---
+<script is:inline>
+// Magic Link Login Script - Astro Optimized
+async function handleMagicLoginSubmit(event) {
+    event.preventDefault();
+    const form = event.target;
+    const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+    const emailEl = form.querySelector('[data-mindfulauth-field="email"]');
+    const submitBtn = form.querySelector('button[type="submit"]');
+
+    // Skip API call on localhost to prevent production logs pollution
+    const hostname = window.location.hostname;
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname.endsWith('.local')) {
+        messageEl.textContent = 'Magic link login is disabled on localhost. Use a real domain for testing.';
+        console.log('[Magic Login] Blocked form submission on localhost');
+        return;
+    }
+
+    if (!emailEl.value) {
+        messageEl.textContent = 'Please enter your email address.';
+        return;
+    }
+
+    messageEl.textContent = 'Sending magic link...';
+    submitBtn.disabled = true;
+
+    try {
+        const response = await window.apiFetch('/auth/request-magic-link', {
+            body: JSON.stringify({
+                email: emailEl.value,
+                'cf-turnstile-response': form.querySelector('[name="cf-turnstile-response"]')?.value
+            })
+        });
+
+        const result = await response.json();
+        
+        if (result.success) {
+            emailEl.value = '';
+            form.style.display = 'none';
+            messageEl.textContent = 'If an account with that email exists, a magic link has been sent. Please check your email.';
+        } else {
+            throw new Error(result.message || 'Failed to send magic link.');
+        }
+    } catch (error) {
+        messageEl.textContent = `Error: ${error.message}`;
+    } finally {
+        submitBtn.disabled = false;
+        window.turnstile?.reset();
+    }
+}
+
+// --- MAIN EXECUTION ---
+document.addEventListener('DOMContentLoaded', function() {
+    const form = document.querySelector('[data-mindfulauth-form="magic-login"]');
+    if (!form) return;
+    
+    form.addEventListener('submit', handleMagicLoginSubmit);
+});
+</script>

package/dist/authScripts/MagicRegisterScript.astro

@@ -0,0 +1,73 @@
+---
+// Mindful Auth - Magic Register Script Component
+// Provides: Magic link registration form handling
+---
+<script is:inline>
+// Magic Link Registration Script - Astro Optimized
+
+async function handleMagicRegisterSubmit(event) {
+    event.preventDefault();
+    const form = event.target;
+    const messageEl = document.querySelector('[data-mindfulauth-field="message"]');
+    const nameEl = form.querySelector('[data-mindfulauth-field="name"]');
+    const emailEl = form.querySelector('[data-mindfulauth-field="email"]');
+    const submitBtn = form.querySelector('button[type="submit"]');
+
+    // Skip API call on localhost to prevent production logs pollution
+    const hostname = window.location.hostname;
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname.endsWith('.local')) {
+        messageEl.textContent = 'Magic link registration is disabled on localhost. Use a real domain for testing.';
+        console.log('[Magic Register] Blocked form submission on localhost');
+        return;
+    }
+
+    if (!nameEl.value || !emailEl.value) {
+        messageEl.textContent = 'Please enter your name and email address.';
+        return;
+    }
+
+    messageEl.textContent = 'Creating your account...';
+    submitBtn.disabled = true;
+
+    try {
+        const response = await window.apiFetch('/auth/register-magic-link', {
+            body: JSON.stringify({
+                name: nameEl.value,
+                email: emailEl.value,
+                'cf-turnstile-response': form.querySelector('[name="cf-turnstile-response"]')?.value
+            })
+        });
+
+        const result = await response.json();
+        
+        if (result.success) {
+            messageEl.textContent = result.message || 'Account created! Please check your email to verify your account.';
+            nameEl.value = '';
+            emailEl.value = '';
+            form.style.display = 'none';
+            
+            // Show success message prominently
+            const successMessageEl = form.querySelector('[data-mindfulauth-field="success-message"]');
+            if (successMessageEl) {
+                successMessageEl.textContent = 'Account created successfully! Please check your email and click the verification link before logging in.';
+                successMessageEl.style.display = 'block';
+            }
+        } else {
+            throw new Error(result.message || 'Failed to create account.');
+        }
+    } catch (error) {
+        messageEl.textContent = `Error: ${error.message}`;
+    } finally {
+        submitBtn.disabled = false;
+        window.turnstile?.reset();
+    }
+}
+
+// --- MAIN EXECUTION ---
+document.addEventListener('DOMContentLoaded', function() {
+    const form = document.querySelector('[data-mindfulauth-form="magic-register"]');
+    if (!form) return;
+    
+    form.addEventListener('submit', handleMagicRegisterSubmit);
+});
+</script>

package/dist/authScripts/MainScript.astro

@@ -0,0 +1,236 @@
+---
+// Mindful Auth - Main Script Component
+// Provides: frame-busting, auth response handler, global fetch wrapper,
+// 2FA status cache, cookie checks, logout functionality
+---
+<script is:inline>
+// Main Auth Script - Astro Optimized
+// Frame-busting, fetch wrapper, 2FA status, logout, cookie checks
+
+// ============================================================================
+// FRAME-BUSTING PROTECTION
+// ============================================================================
+
+(function() {
+    if (window.self !== window.top) {
+        try {
+            window.top.location = window.self.location;
+        } catch (e) {
+            document.documentElement.style.display = 'none';
+        }
+    }
+})();
+
+// ============================================================================
+// AUTHENTICATION RESPONSE HANDLER
+// ============================================================================
+
+window.handleAuthResponse = async function (response) {
+    if (!response.ok) {
+        let message = `Request failed (${response.status})`;
+        try {
+            const ct = response.headers.get('content-type') || '';
+            if (ct.includes('application/json')) {
+                const error = await response.json();
+                message = error && error.message ? error.message : message;
+            } else {
+                const txt = await response.text();
+                if (txt) message = txt;
+            }
+        } catch (_) {
+        }
+        throw new Error(message);
+    }
+    return response;
+};
+
+// ============================================================================
+// GLOBAL FETCH WRAPPER
+// ============================================================================
+
+window.apiFetch = async function (endpoint, options = {}) {
+    const defaultHeaders = { 
+        'Content-Type': 'application/json', 
+        'X-Requested-With': 'XMLHttpRequest',
+        'X-Tenant-Domain': window.location.hostname
+    };
+
+    const defaultOptions = {
+        method: 'POST',
+        credentials: 'include',
+        headers: defaultHeaders
+    };
+
+    const mergedOptions = {
+        ...defaultOptions,
+        ...options,
+        headers: {
+            ...defaultHeaders,
+            ...options.headers
+        }
+    };
+
+    try {
+        let bodyData = mergedOptions.body ? JSON.parse(mergedOptions.body) : {};
+        mergedOptions.body = JSON.stringify(bodyData);
+
+        const response = await fetch(endpoint, mergedOptions);
+        return await handleAuthResponse(response);
+    } catch (error) {
+        const safeMessage = error && error.message ? error.message : 'Unknown error';
+        if (typeof console !== 'undefined' && console.error) {
+            console.error('Request failed:', safeMessage);
+        }
+        throw error;
+    }
+};
+
+// ============================================================================
+// GLOBAL 2FA STATUS CACHE HELPER
+// ============================================================================
+
+window.get2FAStatus = async function() {
+    // Skip API call on localhost to prevent production logs pollution
+    const hostname = window.location.hostname;
+    if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname.endsWith('.local')) {
+        console.log('[2FA Status] Skipping API call on localhost');
+        window.__2faStatus = { isEnabled: false, localhost: true };
+        return window.__2faStatus;
+    }
+
+    if (window.__2faStatus !== undefined) {
+        return window.__2faStatus;
+    }
+    
+    if (window.__2faStatusPromise) {
+        return await window.__2faStatusPromise;
+    }
+    
+    window.__2faStatusPromise = (async () => {
+        try {
+            const response = await window.apiFetch('/auth/get-2fa-status', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' }
+            });
+            const result = await response.json();
+            window.__2faStatus = result;
+            return result;
+        } catch (error) {
+            window.__2faStatus = { isEnabled: false, error: error.message };
+            return window.__2faStatus;
+        } finally {
+            window.__2faStatusPromise = null;
+        }
+    })();
+    
+    return await window.__2faStatusPromise;
+};
+
+// ============================================================================
+// COOKIE CHECK UTILITIES
+// ============================================================================
+
+window.checkCookiesEnabled = function () {
+    document.cookie = 'test_cookie=1; path=/; SameSite=Lax';
+    const enabled = document.cookie.indexOf('test_cookie') !== -1;
+    document.cookie = 'test_cookie=1; path=/; max-age=0';
+    return enabled;
+};
+
+window.showCookieWarning = function () {
+    if (!window.checkCookiesEnabled()) {
+        const warningBanner = document.createElement('div');
+        warningBanner.id = 'cookie-warning-banner';
+        warningBanner.style.cssText = `
+            position: fixed;
+            top: 0;
+            left: 0;
+            right: 0;
+            background: #f44336;
+            color: white;
+            padding: 12px 20px;
+            text-align: center;
+            font-size: 14px;
+            font-weight: 500;
+            z-index: 10000;
+            box-shadow: 0 2px 5px rgba(0,0,0,0.2);
+        `;
+        warningBanner.textContent = '⚠️ Cookies are required for authentication. Please enable cookies in your browser.';
+        document.body.insertBefore(warningBanner, document.body.firstChild);
+        return false;
+    }
+    return true;
+};
+
+// ============================================================================
+// LOGOUT FUNCTIONALITY
+// ============================================================================
+
+window.__performLogout = async function () {
+    if (window.__logoutInProgress) {
+        return;
+    }
+    window.__logoutInProgress = true;
+    try {
+        try {
+            const response = await window.apiFetch('/auth/logout', { method: 'POST' });
+            await response.json().catch(() => {});
+        } catch (error) {
+            // Silently continue - redirect to login regardless
+        }
+    } finally {
+        window.location.href = '/login';
+        window.__logoutInProgress = false;
+    }
+};
+
+window.setupLogoutButton = function () {
+    const logoutBtn = document.querySelector('[data-mindfulauth-action="logout"]');
+    
+    if (!logoutBtn) {
+        return;
+    }
+    
+    // Prevent duplicate listeners
+    if (logoutBtn.dataset.logoutAttached === 'true') {
+        return;
+    }
+    logoutBtn.dataset.logoutAttached = 'true';
+    
+    const handleLogout = function (event) {
+        event.preventDefault();
+        event.stopPropagation();
+        event.stopImmediatePropagation();
+        window.__performLogout();
+    };
+    
+    logoutBtn.addEventListener('click', handleLogout, true);
+    logoutBtn.addEventListener('click', handleLogout);
+};
+
+window.attachGlobalLogoutHandler = function () {
+    if (window.__globalLogoutHandlerAttached) return;
+    window.__globalLogoutHandlerAttached = true;
+    
+    document.addEventListener('click', function (event) {
+        const target = event.target;
+        if (!target) return;
+        const button = target.closest && target.closest('#logout-button');
+        if (button) {
+            event.preventDefault();
+            event.stopPropagation();
+            window.__performLogout();
+        }
+    }, true);
+};
+
+// ============================================================================
+// MAIN INITIALIZATION
+// ============================================================================
+
+document.addEventListener('DOMContentLoaded', function() {
+    window.showCookieWarning();
+    window.setupLogoutButton();
+    window.attachGlobalLogoutHandler();
+});
+</script>