npm - @nextsparkjs/core - Versions diffs - 0.1.0-beta.82 → 0.1.0-beta.84 - Mend

@nextsparkjs/core 0.1.0-beta.82 → 0.1.0-beta.84

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/templates/app/403/page.tsx DELETED Viewed

@@ -1,89 +0,0 @@
-'use client'
-import { AlertTriangle, ArrowLeft, Home } from 'lucide-react'
-import Link from 'next/link'
-import { useSearchParams } from 'next/navigation'
-import { Suspense } from 'react'
-import { Button } from '@nextsparkjs/core/components/ui/button'
-import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@nextsparkjs/core/components/ui/card'
-import { getTemplateOrDefaultClient } from '@nextsparkjs/registries/template-registry.client'
-function ForbiddenContent() {
-  const searchParams = useSearchParams()
-  const reason = searchParams.get('reason') || 'No tienes permisos para acceder a este recurso'
-  const upgrade = searchParams.get('upgrade') === 'true'
-  return (
-    <div className="min-h-screen flex items-center justify-center bg-gray-50 px-4">
-      <Card className="w-full max-w-md">
-        <CardHeader className="text-center">
-          <div className="mx-auto mb-4 p-4 rounded-full bg-yellow-100">
-            <AlertTriangle className="h-8 w-8 text-yellow-600" />
-          </div>
-          <CardTitle className="text-2xl">
-            ⚠️ Ups, no tienes permisos para hacer esto
-          </CardTitle>
-          <CardDescription className="text-gray-600">
-            {reason}
-          </CardDescription>
-        </CardHeader>
-        <CardContent className="space-y-4">
-          {upgrade && (
-            <div className="bg-blue-50 border border-blue-200 rounded-lg p-4">
-              <p className="text-sm text-blue-800">
-                Esta funcionalidad requiere una mejora de tu plan actual.
-              </p>
-              <Link href="/dashboard/settings/billing" className="block mt-2">
-                <Button variant="outline" size="sm" className="w-full">
-                  Ver planes
-                </Button>
-              </Link>
-            </div>
-          )}
-          <div className="flex gap-2">
-            <Button
-              variant="outline"
-              className="flex-1"
-              onClick={() => window.history.back()}
-            >
-              <ArrowLeft className="h-4 w-4 mr-2" />
-              Volver
-            </Button>
-            <Link href="/dashboard" className="flex-1">
-              <Button className="w-full">
-                <Home className="h-4 w-4 mr-2" />
-                Dashboard
-              </Button>
-            </Link>
-          </div>
-        </CardContent>
-      </Card>
-    </div>
-  )
-}
-function ForbiddenPage() {
-  return (
-    <Suspense fallback={
-      <div className="min-h-screen flex items-center justify-center bg-gray-50 px-4">
-        <Card className="w-full max-w-md">
-          <CardHeader className="text-center">
-            <div className="mx-auto mb-4 p-4 rounded-full bg-yellow-100">
-              <AlertTriangle className="h-8 w-8 text-yellow-600" />
-            </div>
-            <CardTitle className="text-2xl">
-              ⚠️ Ups, no tienes permisos para hacer esto
-            </CardTitle>
-          </CardHeader>
-        </Card>
-      </div>
-    }>
-      <ForbiddenContent />
-    </Suspense>
-  )
-}
-export default getTemplateOrDefaultClient('app/403/page.tsx', ForbiddenPage)

package/dist/templates/app/api/auth/[...all]/route.ts DELETED Viewed

@@ -1,78 +0,0 @@
-import { auth } from "@nextsparkjs/core/lib/auth";
-import { toNextJsHandler } from "better-auth/next-js";
-import { NextRequest, NextResponse } from "next/server";
-import { TEAMS_CONFIG } from "@nextsparkjs/core/lib/config";
-import { isPublicSignupRestricted } from "@nextsparkjs/core/lib/teams/helpers";
-import { TeamService } from "@nextsparkjs/core/lib/services";
-import { wrapAuthHandlerWithCors, handleCorsPreflightRequest, addCorsHeaders } from "@nextsparkjs/core/lib/api/helpers";
-const handlers = toNextJsHandler(auth);
-// Handle CORS preflight requests for cross-origin auth (mobile apps, etc.)
-export async function OPTIONS(req: NextRequest) {
-  return handleCorsPreflightRequest(req);
-}
-// Intercept email verification requests to redirect to UI page
-// eslint-disable-next-line @typescript-eslint/no-unused-vars
-export async function GET(req: NextRequest, context: { params: Promise<{ all: string[] }> }) {
-  const pathname = req.nextUrl.pathname;
-  // Check if this is an email verification request from an email link
-  // We check for a special header to determine if it's from our UI or from an email click
-  const isFromUI = req.headers.get('x-verify-from-ui') === 'true';
-  if (pathname === '/api/auth/verify-email' && !isFromUI) {
-    const token = req.nextUrl.searchParams.get('token');
-    const callbackURL = req.nextUrl.searchParams.get('callbackURL');
-    if (token) {
-      // This is from an email link, redirect to the UI verification page
-      const redirectUrl = new URL('/verify-email', req.url);
-      redirectUrl.searchParams.set('token', token);
-      if (callbackURL) {
-        redirectUrl.searchParams.set('callbackURL', callbackURL);
-      }
-      return NextResponse.redirect(redirectUrl);
-    }
-  }
-  // Wrap with CORS headers for cross-origin requests (mobile apps, etc.)
-  return wrapAuthHandlerWithCors(() => handlers.GET(req), req);
-}
-// Intercept signup requests to validate single-tenant mode
-export async function POST(req: NextRequest) {
-  const pathname = req.nextUrl.pathname;
-  // Check if this is a signup request (email or OAuth)
-  const isSignupRequest =
-    pathname === '/api/auth/sign-up/email' ||
-    pathname.includes('/api/auth/callback/'); // OAuth callbacks can create users
-  if (isSignupRequest) {
-    const teamsMode = TEAMS_CONFIG.mode;
-    // In single-tenant mode, block public signup if team already exists
-    if (isPublicSignupRestricted(teamsMode)) {
-      const teamExists = await TeamService.hasGlobal();
-      if (teamExists) {
-        // Block public signup - users must be invited
-        // Add CORS headers so mobile apps can read the error message
-        const errorResponse = NextResponse.json(
-          {
-            error: 'Registration is closed',
-            message: 'This application requires an invitation to register. Please contact an administrator.',
-            code: 'SIGNUP_RESTRICTED',
-          },
-          { status: 403 }
-        );
-        return await addCorsHeaders(errorResponse, req);
-      }
-    }
-  }
-  // Wrap with CORS headers for cross-origin requests (mobile apps, etc.)
-  return wrapAuthHandlerWithCors(() => handlers.POST(req), req);
-}

package/dist/templates/app/api/cron/billing/lifecycle/route.ts DELETED Viewed

@@ -1,98 +0,0 @@
-/**
- * Billing Lifecycle Cron Job
- *
- * Scheduled job that runs automatically to manage subscription lifecycle.
- * Protected with CRON_SECRET to prevent unauthorized execution.
- *
- * P1: Lifecycle Management
- *
- * Configure in vercel.json:
- * {
- *   "crons": [
- *     {
- *       "path": "/api/cron/billing/lifecycle",
- *       "schedule": "0 0 * * *"
- *     }
- *   ]
- * }
- */
-import { NextRequest } from 'next/server'
-import { handlePastDueGracePeriod } from '@nextsparkjs/core/lib/billing/jobs'
-import { SubscriptionService, UsageService } from '@nextsparkjs/core/lib/services'
-export async function GET(request: NextRequest) {
-  // Verify CRON_SECRET (MANDATORY for security)
-  const authHeader = request.headers.get('authorization')
-  const cronSecret = process.env.CRON_SECRET
-  if (!cronSecret || authHeader !== `Bearer ${cronSecret}`) {
-    console.error('[lifecycle-cron] Unauthorized attempt to access cron endpoint')
-    return Response.json({ error: 'Unauthorized' }, { status: 401 })
-  }
-  const results = {
-    expireTrials: { processed: 0, errors: [] as string[] },
-    pastDueGrace: { processed: 0, errors: [] as string[] },
-    resetUsage: { processed: 0, errors: [] as string[] }
-  }
-  try {
-    console.log('[lifecycle-cron] Starting billing lifecycle jobs...')
-    // 1. Expire trials (service returns count)
-    try {
-      const count = await SubscriptionService.processExpiredTrials()
-      results.expireTrials = { processed: count, errors: [] }
-    } catch (error) {
-      results.expireTrials.errors.push(error instanceof Error ? error.message : 'Unknown error')
-    }
-    // 2. Handle past_due grace period (jobs.ts function returns {processed, errors})
-    results.pastDueGrace = await handlePastDueGracePeriod()
-    // 3. Reset monthly usage (only on first day of month)
-    const today = new Date()
-    if (today.getDate() === 1) {
-      try {
-        const count = await UsageService.processMonthlyReset()
-        results.resetUsage = { processed: count, errors: [] }
-      } catch (error) {
-        results.resetUsage.errors.push(error instanceof Error ? error.message : 'Unknown error')
-      }
-    }
-    const totalProcessed =
-      results.expireTrials.processed + results.pastDueGrace.processed + results.resetUsage.processed
-    const allErrors = [
-      ...results.expireTrials.errors,
-      ...results.pastDueGrace.errors,
-      ...results.resetUsage.errors
-    ]
-    console.log(`[lifecycle-cron] Completed: ${totalProcessed} items processed, ${allErrors.length} errors`)
-    return Response.json({
-      success: true,
-      processed: totalProcessed,
-      errors: allErrors,
-      details: results,
-      timestamp: new Date().toISOString()
-    })
-  } catch (error) {
-    console.error('[lifecycle-cron] Fatal error:', error)
-    return Response.json(
-      {
-        success: false,
-        error: error instanceof Error ? error.message : 'Unknown error'
-      },
-      { status: 500 }
-    )
-  }
-}
-// Also support POST for manual triggering via dashboard
-export async function POST(request: NextRequest) {
-  return GET(request)
-}

package/dist/templates/app/api/csp-report/route.ts DELETED Viewed

@@ -1,175 +0,0 @@
-import { randomUUID } from 'node:crypto';
-import { NextRequest, NextResponse } from 'next/server';
-// Dynamic import for rate limiting - graceful fallback if not available
-let checkDistributedRateLimit: ((id: string, tier: string) => Promise<{ allowed: boolean; limit: number; remaining: number; resetTime: number; retryAfter?: number }>) | null = null;
-let createRateLimitErrorResponse: ((result: { allowed: boolean; limit: number; remaining: number; resetTime: number; retryAfter?: number }) => NextResponse) | null = null;
-// Try to load rate limiting functions
-try {
-  const rateLimitModule = require('@nextsparkjs/core/lib/api');
-  checkDistributedRateLimit = rateLimitModule.checkDistributedRateLimit;
-  createRateLimitErrorResponse = rateLimitModule.createRateLimitErrorResponse;
-} catch {
-  // Rate limiting not available - will skip rate limit checks
-  console.warn('[CSP Report] Rate limiting not available - running without rate limits');
-}
-/**
- * CSP Violation Report Endpoint
- *
- * Receives Content-Security-Policy violation reports from browsers.
- * Reports are logged for monitoring and debugging CSP issues.
- *
- * Rate limiting: Uses 'api' tier (100 requests/minute per IP) to prevent abuse.
- * Falls back gracefully if rate limiting is not available.
- *
- * NOTE: This file exists in both apps/dev/app/api/csp-report/ and
- * packages/core/templates/app/api/csp-report/. The template version
- * is used when creating new projects from the core package.
- * Changes should be synchronized between both files.
- *
- * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#violation_report_syntax
- */
-interface CSPViolationReport {
-  'csp-report'?: {
-    'document-uri'?: string;
-    'referrer'?: string;
-    'violated-directive'?: string;
-    'effective-directive'?: string;
-    'original-policy'?: string;
-    'disposition'?: string;
-    'blocked-uri'?: string;
-    'line-number'?: number;
-    'column-number'?: number;
-    'source-file'?: string;
-    'status-code'?: number;
-    'script-sample'?: string;
-  };
-}
-// Get allowed origin from environment or use localhost fallback
-const getAllowedOrigin = () => {
-  return process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000';
-};
-/**
- * Get client IP address from request headers.
- * Handles various proxy scenarios (X-Forwarded-For, X-Real-IP, etc.)
- */
-function getClientIp(request: NextRequest): string {
-  const forwardedFor = request.headers.get('x-forwarded-for');
-  if (forwardedFor) {
-    const ips = forwardedFor.split(',').map(ip => ip.trim());
-    if (ips[0]) return ips[0];
-  }
-  const realIp = request.headers.get('x-real-ip');
-  if (realIp) return realIp;
-  const cfIp = request.headers.get('cf-connecting-ip');
-  if (cfIp) return cfIp;
-  return 'unknown';
-}
-export async function POST(request: NextRequest) {
-  const requestId = randomUUID().slice(0, 8);
-  let rateLimitHeaders: Record<string, string> = {};
-  // Rate limiting: 100 requests per minute per IP (api tier)
-  // Skip if rate limiting is not available
-  if (checkDistributedRateLimit && createRateLimitErrorResponse) {
-    try {
-      const clientIp = getClientIp(request);
-      const rateLimitResult = await checkDistributedRateLimit(`csp-report:ip:${clientIp}`, 'api');
-      if (!rateLimitResult.allowed) {
-        console.warn(`[CSP Report ${requestId}] Rate limit exceeded for IP: ${clientIp}`);
-        return createRateLimitErrorResponse(rateLimitResult);
-      }
-      // Store rate limit headers to include in response
-      rateLimitHeaders = {
-        'X-RateLimit-Limit': rateLimitResult.limit.toString(),
-        'X-RateLimit-Remaining': rateLimitResult.remaining.toString(),
-        'X-RateLimit-Reset': rateLimitResult.resetTime.toString(),
-      };
-    } catch (rateLimitError) {
-      // Log but continue without rate limiting
-      console.warn(`[CSP Report ${requestId}] Rate limit check failed, continuing without:`, {
-        error: rateLimitError instanceof Error ? rateLimitError.message : 'Unknown error',
-      });
-    }
-  }
-  try {
-    const contentType = request.headers.get('content-type') || '';
-    // CSP reports are sent as application/csp-report or application/json
-    if (!contentType.includes('application/csp-report') && !contentType.includes('application/json')) {
-      console.warn(`[CSP Report ${requestId}] Invalid content-type: ${contentType}`);
-      return new Response('Invalid content type', { status: 400 });
-    }
-    let rawBody: string | undefined;
-    try {
-      rawBody = await request.text();
-      const report: CSPViolationReport = JSON.parse(rawBody);
-      const violation = report['csp-report'];
-      if (!violation) {
-        console.warn(`[CSP Report ${requestId}] Invalid report format - missing csp-report key`, {
-          bodyPreview: rawBody.slice(0, 200),
-        });
-        return new Response('Invalid report format', { status: 400 });
-      }
-      // Log the violation for monitoring
-      // In production, you might want to send this to a logging service like Datadog, Sentry, etc.
-      console.warn(`[CSP Violation ${requestId}]`, {
-        documentUri: violation['document-uri'],
-        blockedUri: violation['blocked-uri'],
-        violatedDirective: violation['violated-directive'],
-        effectiveDirective: violation['effective-directive'],
-        sourceFile: violation['source-file'],
-        lineNumber: violation['line-number'],
-        columnNumber: violation['column-number'],
-        scriptSample: violation['script-sample'],
-        disposition: violation['disposition'],
-        timestamp: new Date().toISOString(),
-      });
-      // Return 204 No Content - browsers don't expect a response body
-      return new Response(null, {
-        status: 204,
-        headers: rateLimitHeaders,
-      });
-    } catch (parseError) {
-      console.error(`[CSP Report ${requestId}] JSON parse error:`, {
-        error: parseError instanceof Error ? parseError.message : 'Unknown error',
-        bodyPreview: rawBody?.slice(0, 200),
-      });
-      // Still return 204 to not break browser behavior
-      return new Response(null, { status: 204 });
-    }
-  } catch (error) {
-    console.error(`[CSP Report ${requestId}] Unexpected error:`, {
-      error: error instanceof Error ? error.message : 'Unknown error',
-      stack: error instanceof Error ? error.stack : undefined,
-    });
-    // Still return 204 to not break browser behavior
-    return new Response(null, { status: 204 });
-  }
-}
-// Handle preflight requests for CORS
-// Restrict to same origin instead of allowing all origins
-export async function OPTIONS() {
-  return new Response(null, {
-    status: 204,
-    headers: {
-      'Access-Control-Allow-Origin': getAllowedOrigin(),
-      'Access-Control-Allow-Methods': 'POST, OPTIONS',
-      'Access-Control-Allow-Headers': 'Content-Type',
-    },
-  });
-}

package/dist/templates/app/api/devtools/config/entities/route.ts DELETED Viewed

@@ -1,108 +0,0 @@
-import { auth } from "@nextsparkjs/core/lib/auth";
-import { NextResponse } from "next/server";
-import { ENTITY_REGISTRY } from "@nextsparkjs/registries/entity-registry";
-/**
- * Entity information structure
- */
-interface EntityInfo {
-  slug: string;
-  name: string;
-  pluralName: string;
-  icon: string;
-  enabled: boolean;
-  access: {
-    public: boolean;
-    api: boolean;
-    metadata: boolean;
-    shared: boolean;
-  };
-  fields: {
-    name: string;
-    type: string;
-    label?: string;
-    required?: boolean;
-  }[];
-  // Permissions are now optional in entity config (centralized in permissions.config.ts)
-  permissions?: {
-    actions: Array<{ action: string; label: string; description?: string }>;
-    customActions?: Array<{ action: string; label: string; description?: string }>;
-  };
-}
-/**
- * GET /api/devtools/config/entities
- *
- * Returns entity registry information
- * Only accessible to developer role
- */
-export async function GET(request: Request) {
-  try {
-    // Verify developer role
-    const session = await auth.api.getSession({ headers: request.headers });
-    if (!session?.user || session.user.role !== "developer") {
-      return NextResponse.json(
-        {
-          success: false,
-          error: "Developer access required",
-        },
-        { status: 403 }
-      );
-    }
-    // Build entity info array
-    const entities: EntityInfo[] = [];
-    for (const [, entry] of Object.entries(ENTITY_REGISTRY)) {
-      const config = entry.config;
-      entities.push({
-        slug: config.slug,
-        name: config.names.singular,
-        pluralName: config.names.plural,
-        icon: config.icon?.name || 'Circle',
-        enabled: config.enabled,
-        access: config.access,
-        fields: config.fields?.map((field: {
-          name: string;
-          type: string;
-          label?: string;
-          required?: boolean;
-        }) => ({
-          name: field.name,
-          type: field.type,
-          label: field.label,
-          required: field.required,
-        })) || [],
-      });
-    }
-    // Sort entities alphabetically
-    entities.sort((a, b) => a.slug.localeCompare(b.slug));
-    return NextResponse.json(
-      {
-        success: true,
-        data: {
-          entities,
-          count: entities.length,
-        },
-      },
-      { status: 200 }
-    );
-  } catch (error) {
-    console.error("[API] /api/devtools/config/entities error:", error);
-    return NextResponse.json(
-      {
-        success: false,
-        error: process.env.NODE_ENV === "production"
-          ? "Failed to load entity configuration"
-          : error instanceof Error
-            ? error.message
-            : "Unknown error",
-      },
-      { status: 500 }
-    );
-  }
-}

package/dist/templates/app/api/devtools/config/theme/route.ts DELETED Viewed

@@ -1,66 +0,0 @@
-import { auth } from "@nextsparkjs/core/lib/auth";
-import { NextResponse } from "next/server";
-import { ThemeService } from "@nextsparkjs/core/lib/services/theme.service";
-/**
- * GET /api/devtools/config/theme
- *
- * Returns current theme configuration
- * Only accessible to developer role
- */
-export async function GET(request: Request) {
-  try {
-    // Verify developer role
-    const session = await auth.api.getSession({ headers: request.headers });
-    if (!session?.user || session.user.role !== "developer") {
-      return NextResponse.json(
-        {
-          success: false,
-          error: "Developer access required",
-        },
-        { status: 403 }
-      );
-    }
-    // Get active theme from environment
-    const activeTheme = process.env.NEXT_PUBLIC_ACTIVE_THEME || "default";
-    // Get theme configuration from registry
-    const themeConfig = ThemeService.getAppConfig(activeTheme);
-    if (!themeConfig) {
-      return NextResponse.json(
-        {
-          success: false,
-          error: `Theme configuration not found for theme: ${activeTheme}`,
-        },
-        { status: 404 }
-      );
-    }
-    return NextResponse.json(
-      {
-        success: true,
-        data: {
-          theme: activeTheme,
-          config: themeConfig,
-        },
-      },
-      { status: 200 }
-    );
-  } catch (error) {
-    console.error("[API] /api/devtools/config/theme error:", error);
-    return NextResponse.json(
-      {
-        success: false,
-        error: process.env.NODE_ENV === "production"
-          ? "Failed to load theme configuration"
-          : error instanceof Error
-            ? error.message
-            : "Unknown error",
-      },
-      { status: 500 }
-    );
-  }
-}