npm - @nextsparkjs/core - Versions diffs - 0.1.0-beta.83 → 0.1.0-beta.85 - Mend

@nextsparkjs/core 0.1.0-beta.83 → 0.1.0-beta.85

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/templates/app/(public)/docs/page.tsx ADDED Viewed

@@ -0,0 +1,81 @@
+import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@nextsparkjs/core/components/ui/card'
+import { DOCS_REGISTRY } from '@nextsparkjs/registries/docs-registry'
+import { sel } from '@nextsparkjs/core/selectors'
+import { BookOpen, Folder, FileText, ArrowRight } from 'lucide-react'
+import Link from 'next/link'
+import type { Metadata } from 'next'
+export const metadata: Metadata = {
+  title: 'Documentation',
+  description: 'Complete documentation for the application'
+}
+export default function DocsPage() {
+  const sections = DOCS_REGISTRY.public
+  return (
+    <div className="container max-w-7xl mx-auto px-4 py-8">
+      {/* Hero Section */}
+      <div className="text-center mb-12">
+        <div className="inline-flex items-center gap-2 bg-primary/10 text-primary px-3 py-1 rounded-full text-sm font-medium mb-4">
+          <BookOpen className="h-4 w-4" />
+          Documentation
+        </div>
+        <h1 className="text-4xl font-bold mb-4">
+          Documentation
+        </h1>
+        <p className="text-xl text-muted-foreground max-w-2xl mx-auto">
+          Guides and reference documentation to help you get the most out of the application.
+        </p>
+      </div>
+      {/* Documentation Sections */}
+      {sections.length > 0 ? (
+        <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-6">
+          {sections.map((section) => (
+            <Card key={section.slug} className="h-full hover:shadow-lg transition-shadow" data-cy={sel('public.docs.sectionCard', { slug: section.slug })}>
+              <CardHeader>
+                <div className="flex items-center gap-3 mb-3">
+                  <div className="p-2 bg-primary/10 rounded-lg text-primary">
+                    <Folder className="h-6 w-6" />
+                  </div>
+                  <div>
+                    <CardTitle className="text-lg">{section.title}</CardTitle>
+                  </div>
+                </div>
+                <CardDescription>
+                  {section.pages.length} {section.pages.length === 1 ? 'page' : 'pages'}
+                </CardDescription>
+              </CardHeader>
+              <CardContent>
+                <ul className="space-y-2">
+                  {section.pages.map((page) => (
+                    <li key={page.slug}>
+                      <Link
+                        href={`/docs/${section.slug}/${page.slug}`}
+                        className="text-sm text-muted-foreground hover:text-foreground transition-colors flex items-center gap-2 group"
+                        data-cy={sel('public.docs.pageLink', { slug: page.slug })}
+                      >
+                        <FileText className="h-3 w-3" />
+                        <span className="flex-1">{page.title}</span>
+                        <ArrowRight className="h-3 w-3 opacity-0 group-hover:opacity-100 group-hover:translate-x-0.5 transition-all" />
+                      </Link>
+                    </li>
+                  ))}
+                </ul>
+              </CardContent>
+            </Card>
+          ))}
+        </div>
+      ) : (
+        <div className="text-center py-12">
+          <BookOpen className="h-12 w-12 text-muted-foreground mx-auto mb-4" />
+          <h2 className="text-xl font-semibold mb-2">No Documentation Available</h2>
+          <p className="text-muted-foreground">
+            Documentation will appear here once it is added to the project.
+          </p>
+        </div>
+      )}
+    </div>
+  )
+}

package/templates/app/(public)/layout.tsx ADDED Viewed

@@ -0,0 +1,41 @@
+import type { Metadata } from "next"
+import { PublicNavbar } from '@nextsparkjs/core/components/app/layouts/PublicNavbar'
+import { PublicFooter } from '@nextsparkjs/core/components/app/layouts/PublicFooter'
+import { getTemplateOrDefault, getMetadataOrDefault } from "@nextsparkjs/core/lib/template-resolver"
+// ✅ MINIMAL GENERIC METADATA (cliente puede override con template)
+const defaultMetadata: Metadata = {
+  title: {
+    template: '%s | App',
+    default: 'App',
+  },
+  description: 'Application',
+}
+export const metadata: Metadata = getMetadataOrDefault(
+  'app/(public)/layout.tsx',
+  defaultMetadata
+)
+function PublicLayout({
+  children
+}: {
+  children: React.ReactNode
+}) {
+  return (
+    <div className="min-h-screen bg-background flex flex-col">
+      {/* Public Navbar */}
+      <PublicNavbar />
+      {/* Main Content */}
+      <main className="flex-1">
+        {children}
+      </main>
+      {/* Public Footer */}
+      <PublicFooter />
+    </div>
+  )
+}
+export default getTemplateOrDefault('app/(public)/layout.tsx', PublicLayout)

package/templates/app/(public)/page.tsx ADDED Viewed

@@ -0,0 +1,19 @@
+import { redirect } from 'next/navigation'
+import { getTemplateOrDefault } from "@nextsparkjs/core/lib/template-resolver"
+/**
+ * Default Public Home Page (CORE)
+ *
+ * This is the minimal CORE version that redirects to dashboard if no theme template override exists.
+ * Theme templates can override this to provide custom landing pages.
+ *
+ * Location: app/(public)/page.tsx (CORE)
+ * Override: contents/themes/[theme]/templates/(public)/page.tsx (THEME)
+ */
+function DefaultPublicHome() {
+  // Si no hay template override, redirect to dashboard
+  // (Theme provides the actual landing page)
+  redirect('/dashboard')
+}
+export default getTemplateOrDefault('app/(public)/page.tsx', DefaultPublicHome)

package/templates/app/403/page.tsx ADDED Viewed

@@ -0,0 +1,89 @@
+'use client'
+import { AlertTriangle, ArrowLeft, Home } from 'lucide-react'
+import Link from 'next/link'
+import { useSearchParams } from 'next/navigation'
+import { Suspense } from 'react'
+import { Button } from '@nextsparkjs/core/components/ui/button'
+import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@nextsparkjs/core/components/ui/card'
+import { getTemplateOrDefaultClient } from '@nextsparkjs/registries/template-registry.client'
+function ForbiddenContent() {
+  const searchParams = useSearchParams()
+  const reason = searchParams.get('reason') || 'No tienes permisos para acceder a este recurso'
+  const upgrade = searchParams.get('upgrade') === 'true'
+  return (
+    <div className="min-h-screen flex items-center justify-center bg-gray-50 px-4">
+      <Card className="w-full max-w-md">
+        <CardHeader className="text-center">
+          <div className="mx-auto mb-4 p-4 rounded-full bg-yellow-100">
+            <AlertTriangle className="h-8 w-8 text-yellow-600" />
+          </div>
+          <CardTitle className="text-2xl">
+            ⚠️ Ups, no tienes permisos para hacer esto
+          </CardTitle>
+          <CardDescription className="text-gray-600">
+            {reason}
+          </CardDescription>
+        </CardHeader>
+        <CardContent className="space-y-4">
+          {upgrade && (
+            <div className="bg-blue-50 border border-blue-200 rounded-lg p-4">
+              <p className="text-sm text-blue-800">
+                Esta funcionalidad requiere una mejora de tu plan actual.
+              </p>
+              <Link href="/dashboard/settings/billing" className="block mt-2">
+                <Button variant="outline" size="sm" className="w-full">
+                  Ver planes
+                </Button>
+              </Link>
+            </div>
+          )}
+          <div className="flex gap-2">
+            <Button
+              variant="outline"
+              className="flex-1"
+              onClick={() => window.history.back()}
+            >
+              <ArrowLeft className="h-4 w-4 mr-2" />
+              Volver
+            </Button>
+            <Link href="/dashboard" className="flex-1">
+              <Button className="w-full">
+                <Home className="h-4 w-4 mr-2" />
+                Dashboard
+              </Button>
+            </Link>
+          </div>
+        </CardContent>
+      </Card>
+    </div>
+  )
+}
+function ForbiddenPage() {
+  return (
+    <Suspense fallback={
+      <div className="min-h-screen flex items-center justify-center bg-gray-50 px-4">
+        <Card className="w-full max-w-md">
+          <CardHeader className="text-center">
+            <div className="mx-auto mb-4 p-4 rounded-full bg-yellow-100">
+              <AlertTriangle className="h-8 w-8 text-yellow-600" />
+            </div>
+            <CardTitle className="text-2xl">
+              ⚠️ Ups, no tienes permisos para hacer esto
+            </CardTitle>
+          </CardHeader>
+        </Card>
+      </div>
+    }>
+      <ForbiddenContent />
+    </Suspense>
+  )
+}
+export default getTemplateOrDefaultClient('app/403/page.tsx', ForbiddenPage)

package/templates/app/api/auth/[...all]/route.ts ADDED Viewed

@@ -0,0 +1,78 @@
+import { auth } from "@nextsparkjs/core/lib/auth";
+import { toNextJsHandler } from "better-auth/next-js";
+import { NextRequest, NextResponse } from "next/server";
+import { TEAMS_CONFIG } from "@nextsparkjs/core/lib/config";
+import { isPublicSignupRestricted } from "@nextsparkjs/core/lib/teams/helpers";
+import { TeamService } from "@nextsparkjs/core/lib/services";
+import { wrapAuthHandlerWithCors, handleCorsPreflightRequest, addCorsHeaders } from "@nextsparkjs/core/lib/api/helpers";
+const handlers = toNextJsHandler(auth);
+// Handle CORS preflight requests for cross-origin auth (mobile apps, etc.)
+export async function OPTIONS(req: NextRequest) {
+  return handleCorsPreflightRequest(req);
+}
+// Intercept email verification requests to redirect to UI page
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export async function GET(req: NextRequest, context: { params: Promise<{ all: string[] }> }) {
+  const pathname = req.nextUrl.pathname;
+  // Check if this is an email verification request from an email link
+  // We check for a special header to determine if it's from our UI or from an email click
+  const isFromUI = req.headers.get('x-verify-from-ui') === 'true';
+  if (pathname === '/api/auth/verify-email' && !isFromUI) {
+    const token = req.nextUrl.searchParams.get('token');
+    const callbackURL = req.nextUrl.searchParams.get('callbackURL');
+    if (token) {
+      // This is from an email link, redirect to the UI verification page
+      const redirectUrl = new URL('/verify-email', req.url);
+      redirectUrl.searchParams.set('token', token);
+      if (callbackURL) {
+        redirectUrl.searchParams.set('callbackURL', callbackURL);
+      }
+      return NextResponse.redirect(redirectUrl);
+    }
+  }
+  // Wrap with CORS headers for cross-origin requests (mobile apps, etc.)
+  return wrapAuthHandlerWithCors(() => handlers.GET(req), req);
+}
+// Intercept signup requests to validate single-tenant mode
+export async function POST(req: NextRequest) {
+  const pathname = req.nextUrl.pathname;
+  // Check if this is a signup request (email or OAuth)
+  const isSignupRequest =
+    pathname === '/api/auth/sign-up/email' ||
+    pathname.includes('/api/auth/callback/'); // OAuth callbacks can create users
+  if (isSignupRequest) {
+    const teamsMode = TEAMS_CONFIG.mode;
+    // In single-tenant mode, block public signup if team already exists
+    if (isPublicSignupRestricted(teamsMode)) {
+      const teamExists = await TeamService.hasGlobal();
+      if (teamExists) {
+        // Block public signup - users must be invited
+        // Add CORS headers so mobile apps can read the error message
+        const errorResponse = NextResponse.json(
+          {
+            error: 'Registration is closed',
+            message: 'This application requires an invitation to register. Please contact an administrator.',
+            code: 'SIGNUP_RESTRICTED',
+          },
+          { status: 403 }
+        );
+        return await addCorsHeaders(errorResponse, req);
+      }
+    }
+  }
+  // Wrap with CORS headers for cross-origin requests (mobile apps, etc.)
+  return wrapAuthHandlerWithCors(() => handlers.POST(req), req);
+}

package/templates/app/api/cron/billing/lifecycle/route.ts ADDED Viewed

@@ -0,0 +1,98 @@
+/**
+ * Billing Lifecycle Cron Job
+ *
+ * Scheduled job that runs automatically to manage subscription lifecycle.
+ * Protected with CRON_SECRET to prevent unauthorized execution.
+ *
+ * P1: Lifecycle Management
+ *
+ * Configure in vercel.json:
+ * {
+ *   "crons": [
+ *     {
+ *       "path": "/api/cron/billing/lifecycle",
+ *       "schedule": "0 0 * * *"
+ *     }
+ *   ]
+ * }
+ */
+import { NextRequest } from 'next/server'
+import { handlePastDueGracePeriod } from '@nextsparkjs/core/lib/billing/jobs'
+import { SubscriptionService, UsageService } from '@nextsparkjs/core/lib/services'
+export async function GET(request: NextRequest) {
+  // Verify CRON_SECRET (MANDATORY for security)
+  const authHeader = request.headers.get('authorization')
+  const cronSecret = process.env.CRON_SECRET
+  if (!cronSecret || authHeader !== `Bearer ${cronSecret}`) {
+    console.error('[lifecycle-cron] Unauthorized attempt to access cron endpoint')
+    return Response.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+  const results = {
+    expireTrials: { processed: 0, errors: [] as string[] },
+    pastDueGrace: { processed: 0, errors: [] as string[] },
+    resetUsage: { processed: 0, errors: [] as string[] }
+  }
+  try {
+    console.log('[lifecycle-cron] Starting billing lifecycle jobs...')
+    // 1. Expire trials (service returns count)
+    try {
+      const count = await SubscriptionService.processExpiredTrials()
+      results.expireTrials = { processed: count, errors: [] }
+    } catch (error) {
+      results.expireTrials.errors.push(error instanceof Error ? error.message : 'Unknown error')
+    }
+    // 2. Handle past_due grace period (jobs.ts function returns {processed, errors})
+    results.pastDueGrace = await handlePastDueGracePeriod()
+    // 3. Reset monthly usage (only on first day of month)
+    const today = new Date()
+    if (today.getDate() === 1) {
+      try {
+        const count = await UsageService.processMonthlyReset()
+        results.resetUsage = { processed: count, errors: [] }
+      } catch (error) {
+        results.resetUsage.errors.push(error instanceof Error ? error.message : 'Unknown error')
+      }
+    }
+    const totalProcessed =
+      results.expireTrials.processed + results.pastDueGrace.processed + results.resetUsage.processed
+    const allErrors = [
+      ...results.expireTrials.errors,
+      ...results.pastDueGrace.errors,
+      ...results.resetUsage.errors
+    ]
+    console.log(`[lifecycle-cron] Completed: ${totalProcessed} items processed, ${allErrors.length} errors`)
+    return Response.json({
+      success: true,
+      processed: totalProcessed,
+      errors: allErrors,
+      details: results,
+      timestamp: new Date().toISOString()
+    })
+  } catch (error) {
+    console.error('[lifecycle-cron] Fatal error:', error)
+    return Response.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error'
+      },
+      { status: 500 }
+    )
+  }
+}
+// Also support POST for manual triggering via dashboard
+export async function POST(request: NextRequest) {
+  return GET(request)
+}

package/templates/app/api/csp-report/route.ts ADDED Viewed

@@ -0,0 +1,175 @@
+import { randomUUID } from 'node:crypto';
+import { NextRequest, NextResponse } from 'next/server';
+// Dynamic import for rate limiting - graceful fallback if not available
+let checkDistributedRateLimit: ((id: string, tier: string) => Promise<{ allowed: boolean; limit: number; remaining: number; resetTime: number; retryAfter?: number }>) | null = null;
+let createRateLimitErrorResponse: ((result: { allowed: boolean; limit: number; remaining: number; resetTime: number; retryAfter?: number }) => NextResponse) | null = null;
+// Try to load rate limiting functions
+try {
+  const rateLimitModule = require('@nextsparkjs/core/lib/api');
+  checkDistributedRateLimit = rateLimitModule.checkDistributedRateLimit;
+  createRateLimitErrorResponse = rateLimitModule.createRateLimitErrorResponse;
+} catch {
+  // Rate limiting not available - will skip rate limit checks
+  console.warn('[CSP Report] Rate limiting not available - running without rate limits');
+}
+/**
+ * CSP Violation Report Endpoint
+ *
+ * Receives Content-Security-Policy violation reports from browsers.
+ * Reports are logged for monitoring and debugging CSP issues.
+ *
+ * Rate limiting: Uses 'api' tier (100 requests/minute per IP) to prevent abuse.
+ * Falls back gracefully if rate limiting is not available.
+ *
+ * NOTE: This file exists in both apps/dev/app/api/csp-report/ and
+ * packages/core/templates/app/api/csp-report/. The template version
+ * is used when creating new projects from the core package.
+ * Changes should be synchronized between both files.
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#violation_report_syntax
+ */
+interface CSPViolationReport {
+  'csp-report'?: {
+    'document-uri'?: string;
+    'referrer'?: string;
+    'violated-directive'?: string;
+    'effective-directive'?: string;
+    'original-policy'?: string;
+    'disposition'?: string;
+    'blocked-uri'?: string;
+    'line-number'?: number;
+    'column-number'?: number;
+    'source-file'?: string;
+    'status-code'?: number;
+    'script-sample'?: string;
+  };
+}
+// Get allowed origin from environment or use localhost fallback
+const getAllowedOrigin = () => {
+  return process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000';
+};
+/**
+ * Get client IP address from request headers.
+ * Handles various proxy scenarios (X-Forwarded-For, X-Real-IP, etc.)
+ */
+function getClientIp(request: NextRequest): string {
+  const forwardedFor = request.headers.get('x-forwarded-for');
+  if (forwardedFor) {
+    const ips = forwardedFor.split(',').map(ip => ip.trim());
+    if (ips[0]) return ips[0];
+  }
+  const realIp = request.headers.get('x-real-ip');
+  if (realIp) return realIp;
+  const cfIp = request.headers.get('cf-connecting-ip');
+  if (cfIp) return cfIp;
+  return 'unknown';
+}
+export async function POST(request: NextRequest) {
+  const requestId = randomUUID().slice(0, 8);
+  let rateLimitHeaders: Record<string, string> = {};
+  // Rate limiting: 100 requests per minute per IP (api tier)
+  // Skip if rate limiting is not available
+  if (checkDistributedRateLimit && createRateLimitErrorResponse) {
+    try {
+      const clientIp = getClientIp(request);
+      const rateLimitResult = await checkDistributedRateLimit(`csp-report:ip:${clientIp}`, 'api');
+      if (!rateLimitResult.allowed) {
+        console.warn(`[CSP Report ${requestId}] Rate limit exceeded for IP: ${clientIp}`);
+        return createRateLimitErrorResponse(rateLimitResult);
+      }
+      // Store rate limit headers to include in response
+      rateLimitHeaders = {
+        'X-RateLimit-Limit': rateLimitResult.limit.toString(),
+        'X-RateLimit-Remaining': rateLimitResult.remaining.toString(),
+        'X-RateLimit-Reset': rateLimitResult.resetTime.toString(),
+      };
+    } catch (rateLimitError) {
+      // Log but continue without rate limiting
+      console.warn(`[CSP Report ${requestId}] Rate limit check failed, continuing without:`, {
+        error: rateLimitError instanceof Error ? rateLimitError.message : 'Unknown error',
+      });
+    }
+  }
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    // CSP reports are sent as application/csp-report or application/json
+    if (!contentType.includes('application/csp-report') && !contentType.includes('application/json')) {
+      console.warn(`[CSP Report ${requestId}] Invalid content-type: ${contentType}`);
+      return new Response('Invalid content type', { status: 400 });
+    }
+    let rawBody: string | undefined;
+    try {
+      rawBody = await request.text();
+      const report: CSPViolationReport = JSON.parse(rawBody);
+      const violation = report['csp-report'];
+      if (!violation) {
+        console.warn(`[CSP Report ${requestId}] Invalid report format - missing csp-report key`, {
+          bodyPreview: rawBody.slice(0, 200),
+        });
+        return new Response('Invalid report format', { status: 400 });
+      }
+      // Log the violation for monitoring
+      // In production, you might want to send this to a logging service like Datadog, Sentry, etc.
+      console.warn(`[CSP Violation ${requestId}]`, {
+        documentUri: violation['document-uri'],
+        blockedUri: violation['blocked-uri'],
+        violatedDirective: violation['violated-directive'],
+        effectiveDirective: violation['effective-directive'],
+        sourceFile: violation['source-file'],
+        lineNumber: violation['line-number'],
+        columnNumber: violation['column-number'],
+        scriptSample: violation['script-sample'],
+        disposition: violation['disposition'],
+        timestamp: new Date().toISOString(),
+      });
+      // Return 204 No Content - browsers don't expect a response body
+      return new Response(null, {
+        status: 204,
+        headers: rateLimitHeaders,
+      });
+    } catch (parseError) {
+      console.error(`[CSP Report ${requestId}] JSON parse error:`, {
+        error: parseError instanceof Error ? parseError.message : 'Unknown error',
+        bodyPreview: rawBody?.slice(0, 200),
+      });
+      // Still return 204 to not break browser behavior
+      return new Response(null, { status: 204 });
+    }
+  } catch (error) {
+    console.error(`[CSP Report ${requestId}] Unexpected error:`, {
+      error: error instanceof Error ? error.message : 'Unknown error',
+      stack: error instanceof Error ? error.stack : undefined,
+    });
+    // Still return 204 to not break browser behavior
+    return new Response(null, { status: 204 });
+  }
+}
+// Handle preflight requests for CORS
+// Restrict to same origin instead of allowing all origins
+export async function OPTIONS() {
+  return new Response(null, {
+    status: 204,
+    headers: {
+      'Access-Control-Allow-Origin': getAllowedOrigin(),
+      'Access-Control-Allow-Methods': 'POST, OPTIONS',
+      'Access-Control-Allow-Headers': 'Content-Type',
+    },
+  });
+}