@nuraly/lumenjs 0.1.4 → 0.2.0

package/dist/auth/native-auth.d.ts

@@ -66,6 +66,15 @@ export declare function decodeResetTokenUserId(token: string): string | null;
 export declare function updatePassword(db: Db, userId: string, newPassword: string, minLength?: number): Promise<void>;
 /** Find a user by email. Returns { id, email, name } or null. */
 export declare function findUserIdByEmail(db: Db, email: string): Promise<string | null>;
+export declare function encryptTotpSecret(secret: string, sessionSecret: string): Promise<string>;
+export declare function decryptTotpSecret(encrypted: string, sessionSecret: string): Promise<string>;
+export declare function saveTotpSecret(db: Db, userId: string, encryptedSecret: string): Promise<void>;
+export declare function enableTotp(db: Db, userId: string): Promise<void>;
+export declare function disableTotp(db: Db, userId: string): Promise<void>;
+export declare function getTotpState(db: Db, userId: string): Promise<{
+    totpEnabled: boolean;
+    encryptedSecret: string | null;
+}>;
 /** Set sessions_revoked_at to now, invalidating all sessions created before this moment. */
 export declare function revokeAllSessions(db: Db, userId: string): Promise<void>;
 /** Get the epoch-seconds timestamp of the last logout-all, or null if never revoked. */

package/dist/auth/native-auth.js

@@ -44,8 +44,8 @@ export async function ensureUsersTable(db) {
     password_hash TEXT NOT NULL,
     email_verified INTEGER NOT NULL DEFAULT 0,
     roles TEXT NOT NULL DEFAULT '[]',
-    created_at TEXT NOT NULL DEFAULT (datetime('now')),
-    updated_at TEXT NOT NULL DEFAULT (datetime('now'))
+    created_at TEXT NOT NULL DEFAULT NOW(),
+    updated_at TEXT NOT NULL DEFAULT NOW()
   )`);
     // Add email_verified column if table already exists without it
     try {
@@ -59,6 +59,17 @@ export async function ensureUsersTable(db) {
     }
     catch { }
     ;
+    // Add TOTP columns
+    try {
+        await db.exec('ALTER TABLE _nk_auth_users ADD COLUMN totp_secret TEXT');
+    }
+    catch { }
+    ;
+    try {
+        await db.exec('ALTER TABLE _nk_auth_users ADD COLUMN totp_enabled INTEGER NOT NULL DEFAULT 0');
+    }
+    catch { }
+    ;
 }
 /**
  * Register a new user with email/password.
@@ -279,6 +290,42 @@ export async function findUserIdByEmail(db, email) {
     const row = await db.get('SELECT id FROM _nk_auth_users WHERE email = ?', email);
     return row?.id || null;
 }
+// ── TOTP helpers ─────────────────────────────────────────────────
+const TOTP_IV_LEN = 12;
+const TOTP_ALGO = 'aes-256-gcm';
+function deriveTotpKey(sessionSecret) {
+    return Buffer.from(crypto.hkdfSync('sha256', sessionSecret, 'totp-key', '', 32));
+}
+export async function encryptTotpSecret(secret, sessionSecret) {
+    const key = deriveTotpKey(sessionSecret);
+    const iv = crypto.randomBytes(TOTP_IV_LEN);
+    const cipher = crypto.createCipheriv(TOTP_ALGO, key, iv);
+    const enc = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return `${iv.toString('base64url')}.${enc.toString('base64url')}.${tag.toString('base64url')}`;
+}
+export async function decryptTotpSecret(encrypted, sessionSecret) {
+    const [ivB64, encB64, tagB64] = encrypted.split('.');
+    if (!ivB64 || !encB64 || !tagB64)
+        throw new Error('Invalid TOTP secret format');
+    const key = deriveTotpKey(sessionSecret);
+    const decipher = crypto.createDecipheriv(TOTP_ALGO, key, Buffer.from(ivB64, 'base64url'));
+    decipher.setAuthTag(Buffer.from(tagB64, 'base64url'));
+    return decipher.update(Buffer.from(encB64, 'base64url')).toString('utf8') + decipher.final('utf8');
+}
+export async function saveTotpSecret(db, userId, encryptedSecret) {
+    await db.run('UPDATE _nk_auth_users SET totp_secret = ?, totp_enabled = 0 WHERE id = ?', encryptedSecret, userId);
+}
+export async function enableTotp(db, userId) {
+    await db.run('UPDATE _nk_auth_users SET totp_enabled = 1 WHERE id = ?', userId);
+}
+export async function disableTotp(db, userId) {
+    await db.run('UPDATE _nk_auth_users SET totp_secret = NULL, totp_enabled = 0 WHERE id = ?', userId);
+}
+export async function getTotpState(db, userId) {
+    const row = await db.get('SELECT totp_enabled, totp_secret FROM _nk_auth_users WHERE id = ?', userId);
+    return { totpEnabled: !!row?.totp_enabled, encryptedSecret: row?.totp_secret || null };
+}
 // ── Session Revocation (Logout All) ─────────────────────────────
 /** Set sessions_revoked_at to now, invalidating all sessions created before this moment. */
 export async function revokeAllSessions(db, userId) {

package/dist/auth/routes/login.js

@@ -53,7 +53,7 @@ export async function handleNativeLogin(config, req, res, url, db) {
         sendJson(res, 400, { error: 'Email and password required' });
         return true;
     }
-    const { authenticateUser, isEmailVerified } = await import('../native-auth.js');
+    const { authenticateUser, isEmailVerified, getTotpState } = await import('../native-auth.js');
     const user = await authenticateUser(db, email, password);
     if (!user) {
         sendJson(res, 401, { error: 'Invalid credentials' });
@@ -64,6 +64,29 @@ export async function handleNativeLogin(config, req, res, url, db) {
         sendJson(res, 403, { error: 'Please verify your email before signing in', code: 'EMAIL_NOT_VERIFIED' });
         return true;
     }
+    // Check TOTP — if enabled, issue a short-lived pending cookie instead of a full session
+    const totpState = await getTotpState(db, user.sub);
+    if (totpState.totpEnabled) {
+        const pendingData = {
+            accessToken: `totp-pending:${user.sub}`,
+            expiresAt: Math.floor(Date.now() / 1000) + 300,
+            user: { sub: user.sub, roles: [] },
+            provider: 'native',
+            createdAt: Math.floor(Date.now() / 1000),
+        };
+        const pendingEncrypted = await encryptSession(pendingData, config.session.secret);
+        const pendingCookie = createSessionCookie('nk-totp-pending', pendingEncrypted, 300, config.session.secure);
+        const returnTo = safeReturnTo(url.searchParams.get('returnTo'), config.routes.postLogin);
+        if (req.headers.accept?.includes('application/json')) {
+            res.writeHead(200, { 'Content-Type': 'application/json', 'Set-Cookie': pendingCookie });
+            res.end(JSON.stringify({ requires2fa: true, returnTo }));
+        }
+        else {
+            res.writeHead(302, { Location: `/auth/totp-challenge?returnTo=${encodeURIComponent(returnTo)}`, 'Set-Cookie': pendingCookie });
+            res.end();
+        }
+        return true;
+    }
     // Create session — same as OIDC callback
     const sessionData = {
         accessToken: `native:${user.sub}`,

package/dist/auth/routes/totp.d.ts

@@ -0,0 +1,22 @@
+import type { IncomingMessage, ServerResponse } from 'http';
+import type { ResolvedAuthConfig } from '../types.js';
+/**
+ * POST /__nk_auth/totp/setup
+ * Generates a new TOTP secret for the authenticated user and returns a QR code.
+ */
+export declare function handleTotpSetup(config: ResolvedAuthConfig, req: IncomingMessage, res: ServerResponse, db?: any): Promise<boolean>;
+/**
+ * POST /__nk_auth/totp/verify-setup
+ * Confirms setup by verifying the first 6-digit code and enables TOTP.
+ */
+export declare function handleTotpVerifySetup(config: ResolvedAuthConfig, req: IncomingMessage, res: ServerResponse, db?: any): Promise<boolean>;
+/**
+ * POST /__nk_auth/totp/disable
+ * Disables TOTP after verifying a valid code.
+ */
+export declare function handleTotpDisable(config: ResolvedAuthConfig, req: IncomingMessage, res: ServerResponse, db?: any): Promise<boolean>;
+/**
+ * POST /__nk_auth/totp/challenge
+ * Exchanges a pending-2FA cookie + valid TOTP code for a full session cookie.
+ */
+export declare function handleTotpChallenge(config: ResolvedAuthConfig, req: IncomingMessage, res: ServerResponse, db?: any): Promise<boolean>;

package/dist/auth/routes/totp.js

@@ -0,0 +1,232 @@
+import { sendJson, readBody } from './utils.js';
+import { encryptSession, createSessionCookie, decryptSession } from '../session.js';
+import { encryptTotpSecret, decryptTotpSecret, saveTotpSecret, enableTotp, disableTotp, getTotpState, } from '../native-auth.js';
+function parseCookies(req) {
+    const cookies = {};
+    const header = req.headers.cookie || '';
+    for (const part of header.split(';')) {
+        const [k, ...v] = part.trim().split('=');
+        if (k)
+            cookies[k.trim()] = decodeURIComponent(v.join('='));
+    }
+    return cookies;
+}
+/**
+ * POST /__nk_auth/totp/setup
+ * Generates a new TOTP secret for the authenticated user and returns a QR code.
+ */
+export async function handleTotpSetup(config, req, res, db) {
+    const user = req.nkAuth?.user;
+    if (!user?.sub) {
+        sendJson(res, 401, { error: 'Not authenticated' });
+        return true;
+    }
+    if (!db) {
+        sendJson(res, 500, { error: 'Database unavailable' });
+        return true;
+    }
+    try {
+        const { authenticator } = await import('otplib');
+        const QRCode = await import('qrcode');
+        const secret = authenticator.generateSecret();
+        const appName = config.totp?.appName || 'Nuraly';
+        const otpauthUri = authenticator.keyuri(user.email || user.sub, appName, secret);
+        const qrDataUrl = await QRCode.default.toDataURL(otpauthUri);
+        const encrypted = await encryptTotpSecret(secret, config.session.secret);
+        await saveTotpSecret(db, user.sub, encrypted);
+        sendJson(res, 200, { qrDataUrl, otpauthUri });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err.message || 'Setup failed' });
+    }
+    return true;
+}
+/**
+ * POST /__nk_auth/totp/verify-setup
+ * Confirms setup by verifying the first 6-digit code and enables TOTP.
+ */
+export async function handleTotpVerifySetup(config, req, res, db) {
+    const user = req.nkAuth?.user;
+    if (!user?.sub) {
+        sendJson(res, 401, { error: 'Not authenticated' });
+        return true;
+    }
+    if (!db) {
+        sendJson(res, 500, { error: 'Database unavailable' });
+        return true;
+    }
+    let body;
+    try {
+        body = JSON.parse(await readBody(req));
+    }
+    catch {
+        sendJson(res, 400, { error: 'Invalid JSON' });
+        return true;
+    }
+    const { code } = body;
+    if (!code) {
+        sendJson(res, 400, { error: 'Code required' });
+        return true;
+    }
+    try {
+        const { authenticator } = await import('otplib');
+        const state = await getTotpState(db, user.sub);
+        if (!state.encryptedSecret) {
+            sendJson(res, 400, { error: 'No pending TOTP setup' });
+            return true;
+        }
+        const secret = await decryptTotpSecret(state.encryptedSecret, config.session.secret);
+        const valid = authenticator.check(code, secret);
+        if (!valid) {
+            sendJson(res, 400, { error: 'Invalid code — check your authenticator app and try again' });
+            return true;
+        }
+        await enableTotp(db, user.sub);
+        sendJson(res, 200, { ok: true });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err.message || 'Verification failed' });
+    }
+    return true;
+}
+/**
+ * POST /__nk_auth/totp/disable
+ * Disables TOTP after verifying a valid code.
+ */
+export async function handleTotpDisable(config, req, res, db) {
+    const user = req.nkAuth?.user;
+    if (!user?.sub) {
+        sendJson(res, 401, { error: 'Not authenticated' });
+        return true;
+    }
+    if (!db) {
+        sendJson(res, 500, { error: 'Database unavailable' });
+        return true;
+    }
+    let body;
+    try {
+        body = JSON.parse(await readBody(req));
+    }
+    catch {
+        sendJson(res, 400, { error: 'Invalid JSON' });
+        return true;
+    }
+    const { code } = body;
+    if (!code) {
+        sendJson(res, 400, { error: 'Code required' });
+        return true;
+    }
+    try {
+        const { authenticator } = await import('otplib');
+        const state = await getTotpState(db, user.sub);
+        if (!state.totpEnabled || !state.encryptedSecret) {
+            sendJson(res, 400, { error: '2FA is not enabled' });
+            return true;
+        }
+        const secret = await decryptTotpSecret(state.encryptedSecret, config.session.secret);
+        const valid = authenticator.check(code, secret);
+        if (!valid) {
+            sendJson(res, 400, { error: 'Invalid code' });
+            return true;
+        }
+        await disableTotp(db, user.sub);
+        sendJson(res, 200, { ok: true });
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err.message || 'Failed to disable 2FA' });
+    }
+    return true;
+}
+/**
+ * POST /__nk_auth/totp/challenge
+ * Exchanges a pending-2FA cookie + valid TOTP code for a full session cookie.
+ */
+export async function handleTotpChallenge(config, req, res, db) {
+    if (!db) {
+        sendJson(res, 500, { error: 'Database unavailable' });
+        return true;
+    }
+    const cookies = parseCookies(req);
+    const pendingEncrypted = cookies['nk-totp-pending'];
+    if (!pendingEncrypted) {
+        sendJson(res, 401, { error: 'No pending 2FA session' });
+        return true;
+    }
+    let body;
+    try {
+        body = JSON.parse(await readBody(req));
+    }
+    catch {
+        sendJson(res, 400, { error: 'Invalid JSON' });
+        return true;
+    }
+    const { code } = body;
+    if (!code) {
+        sendJson(res, 400, { error: 'Code required' });
+        return true;
+    }
+    try {
+        // Decrypt and validate the pending session
+        const pending = await decryptSession(pendingEncrypted, config.session.secret);
+        if (!pending || !pending.accessToken.startsWith('totp-pending:')) {
+            sendJson(res, 401, { error: 'Invalid pending session' });
+            return true;
+        }
+        if (pending.expiresAt < Math.floor(Date.now() / 1000)) {
+            sendJson(res, 401, { error: '2FA session expired — please log in again' });
+            return true;
+        }
+        const userId = pending.accessToken.slice('totp-pending:'.length);
+        // Fetch full user row
+        const row = await db.get('SELECT * FROM _nk_auth_users WHERE id = ?', userId);
+        if (!row) {
+            sendJson(res, 401, { error: 'User not found' });
+            return true;
+        }
+        // Verify TOTP code
+        const { authenticator } = await import('otplib');
+        if (!row.totp_enabled || !row.totp_secret) {
+            sendJson(res, 400, { error: '2FA not enabled for this account' });
+            return true;
+        }
+        const secret = await decryptTotpSecret(row.totp_secret, config.session.secret);
+        const valid = authenticator.check(code, secret);
+        if (!valid) {
+            sendJson(res, 400, { error: 'Invalid code — check your authenticator app and try again' });
+            return true;
+        }
+        // Build full user object
+        let roles = [];
+        try {
+            roles = JSON.parse(row.roles);
+        }
+        catch { }
+        const user = { sub: row.id, email: row.email, name: row.name, roles, provider: 'native' };
+        // Issue full session cookie
+        const sessionData = {
+            accessToken: `native:${user.sub}`,
+            expiresAt: Math.floor(Date.now() / 1000) + config.session.maxAge,
+            user,
+            provider: 'native',
+            createdAt: Math.floor(Date.now() / 1000),
+        };
+        const encrypted = await encryptSession(sessionData, config.session.secret);
+        const sessionCookie = createSessionCookie(config.session.cookieName, encrypted, config.session.maxAge, config.session.secure);
+        // Clear the pending cookie
+        const clearPending = `nk-totp-pending=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax${config.session.secure ? '; Secure' : ''}`;
+        const url = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`);
+        const returnTo = url.searchParams.get('returnTo') || config.routes.postLogin;
+        if (req.headers.accept?.includes('application/json')) {
+            res.writeHead(200, { 'Content-Type': 'application/json', 'Set-Cookie': [sessionCookie, clearPending] });
+            res.end(JSON.stringify({ user, returnTo }));
+        }
+        else {
+            res.writeHead(302, { Location: returnTo, 'Set-Cookie': [sessionCookie, clearPending] });
+            res.end();
+        }
+    }
+    catch (err) {
+        sendJson(res, 500, { error: err.message || 'Challenge failed' });
+    }
+    return true;
+}

package/dist/auth/routes.js

@@ -6,6 +6,7 @@ import { handleLogout, handleLogoutAll } from './routes/logout.js';
 import { handleVerifyEmail } from './routes/verify.js';
 import { handleForgotPassword, handleResetPassword, handleChangePassword } from './routes/password.js';
 import { handleTokenRefresh, handleTokenRevoke } from './routes/token.js';
+import { handleTotpSetup, handleTotpVerifySetup, handleTotpDisable, handleTotpChallenge } from './routes/totp.js';
 /**
  * Validate Origin header on POST requests to prevent CSRF.
  * Returns true if the request is safe to proceed.
@@ -106,5 +107,18 @@ export async function handleAuthRoutes(config, req, res, db) {
     if (pathname === '/__nk_auth/revoke' && req.method === 'POST') {
         return handleTokenRevoke(req, res, db);
     }
+    // ── TOTP 2FA ──────────────────────────────────────────────────
+    if (pathname === '/__nk_auth/totp/setup' && req.method === 'POST') {
+        return handleTotpSetup(config, req, res, db);
+    }
+    if (pathname === '/__nk_auth/totp/verify-setup' && req.method === 'POST') {
+        return handleTotpVerifySetup(config, req, res, db);
+    }
+    if (pathname === '/__nk_auth/totp/disable' && req.method === 'POST') {
+        return handleTotpDisable(config, req, res, db);
+    }
+    if (pathname === '/__nk_auth/totp/challenge' && req.method === 'POST') {
+        return handleTotpChallenge(config, req, res, db);
+    }
     return false;
 }

package/dist/auth/token.js

@@ -58,11 +58,11 @@ export function hashRefreshToken(token) {
 }
 export async function ensureRefreshTokenTable(db) {
     await db.exec(`CREATE TABLE IF NOT EXISTS _nk_auth_refresh_tokens (
-    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    id SERIAL PRIMARY KEY,
     token_hash TEXT NOT NULL UNIQUE,
     user_id TEXT NOT NULL,
     expires_at TEXT NOT NULL,
-    created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    created_at TEXT NOT NULL DEFAULT NOW()
   )`);
 }
 export async function storeRefreshToken(db, token, userId, ttlSeconds) {

package/dist/build/build-server.d.ts

@@ -1,11 +1,12 @@
 import { type UserConfig, type Plugin } from 'vite';
-import type { PageEntry, LayoutEntry, ApiEntry } from './scan.js';
+import type { PageEntry, LayoutEntry, ApiEntry, MiddlewareEntry } from './scan.js';
 export interface BuildServerOptions {
     projectDir: string;
     serverDir: string;
     pageEntries: PageEntry[];
     layoutEntries: LayoutEntry[];
     apiEntries: ApiEntry[];
+    middlewareEntries: MiddlewareEntry[];
     hasAuthConfig: boolean;
     authConfigPath: string;
     shared: {

package/dist/build/build-server.js

@@ -2,7 +2,7 @@ import { build as viteBuild } from 'vite';
 import path from 'path';
 import fs from 'fs';
 export async function buildServer(opts) {
-    const { projectDir, serverDir, pageEntries, layoutEntries, apiEntries, hasAuthConfig, authConfigPath, shared } = opts;
+    const { projectDir, serverDir, pageEntries, layoutEntries, apiEntries, middlewareEntries, hasAuthConfig, authConfigPath, shared } = opts;
     console.log('[LumenJS] Building server bundle...');
     // Collect server entry points (pages with loaders + layouts with loaders + API routes)
     const serverEntries = {};
@@ -20,6 +20,10 @@ export async function buildServer(opts) {
     for (const entry of apiEntries) {
         serverEntries[`api/${entry.name}`] = entry.filePath;
     }
+    for (const entry of middlewareEntries) {
+        const entryName = entry.dir ? `middleware/${entry.dir}/_middleware` : 'middleware/_middleware';
+        serverEntries[entryName] = entry.filePath;
+    }
     if (hasAuthConfig) {
         serverEntries['auth-config'] = authConfigPath;
     }
@@ -77,6 +81,11 @@ export async function buildServer(opts) {
                             'worker_threads', 'cluster', 'dns', 'tls', 'assert', 'constants',
                             // Native addons — must not be bundled, loaded from node_modules at runtime
                             'better-sqlite3',
+                            // AWS SDK — optional peer dep, keep as runtime import so app can provide it
+                            '@aws-sdk/client-s3',
+                            '@aws-sdk/s3-request-presigner',
+                            /^@aws-sdk\//,
+                            /^@smithy\//,
                         ],
                     },
                 },

package/dist/build/build.js

@@ -3,7 +3,7 @@ import fs from 'fs';
 import { getSharedViteConfig } from '../dev-server/server.js';
 import { readProjectConfig } from '../dev-server/config.js';
 import { filePathToTagName } from '../shared/utils.js';
-import { scanPages, scanLayouts, scanApiRoutes, getLayoutDirsForPage } from './scan.js';
+import { scanPages, scanLayouts, scanApiRoutes, scanMiddleware, getLayoutDirsForPage } from './scan.js';
 import { buildClient } from './build-client.js';
 import { buildServer } from './build-server.js';
 import { prerenderPages } from './build-prerender.js';
@@ -22,10 +22,11 @@ export async function buildProject(options) {
     fs.mkdirSync(outDir, { recursive: true });
     const { title, integrations, i18n: i18nConfig, prefetch: prefetchStrategy, prerender: globalPrerender } = readProjectConfig(projectDir);
     const shared = getSharedViteConfig(projectDir, { mode: 'production', integrations });
-    // Scan pages, layouts, and API routes for the manifest
+    // Scan pages, layouts, API routes, and middleware for the manifest
     const pageEntries = scanPages(pagesDir);
     const layoutEntries = scanLayouts(pagesDir);
     const apiEntries = scanApiRoutes(apiDir);
+    const middlewareEntries = scanMiddleware(pagesDir);
     // Check for auth config
     const authConfigPath = path.join(projectDir, 'lumenjs.auth.ts');
     const hasAuthConfig = fs.existsSync(authConfigPath);
@@ -52,6 +53,7 @@ export async function buildProject(options) {
         pageEntries,
         layoutEntries,
         apiEntries,
+        middlewareEntries,
         hasAuthConfig,
         authConfigPath,
         shared,
@@ -77,11 +79,12 @@ export async function buildProject(options) {
             const relPath = path.relative(pagesDir, e.filePath).replace(/\\/g, '/');
             return {
                 path: e.routePath,
-                module: (e.hasLoader || e.hasSubscribe || e.prerender) ? `pages/${e.name}.js` : '',
+                module: (e.hasLoader || e.hasSubscribe || e.hasSocket || e.prerender) ? `pages/${e.name.replace(/\[(\w+)\]/g, '_$1_')}.js` : '',
                 hasLoader: e.hasLoader,
                 hasSubscribe: e.hasSubscribe,
                 tagName: filePathToTagName(relPath),
                 ...(routeLayouts.length > 0 ? { layouts: routeLayouts } : {}),
+                ...(e.hasSocket ? { hasSocket: true } : {}),
                 ...(e.hasAuth ? { hasAuth: true } : {}),
                 ...(e.hasMeta ? { hasMeta: true } : {}),
                 ...(e.hasStandalone ? { hasStandalone: true } : {}),
@@ -90,7 +93,7 @@ export async function buildProject(options) {
         }),
         apiRoutes: apiEntries.map(e => ({
             path: `/api/${e.routePath}`,
-            module: `api/${e.name}.js`,
+            module: `api/${e.name.replace(/\[(\w+)\]/g, '_$1_')}.js`,
             hasLoader: false,
             hasSubscribe: false,
         })),
@@ -100,6 +103,12 @@ export async function buildProject(options) {
             hasLoader: e.hasLoader,
             hasSubscribe: e.hasSubscribe,
         })),
+        ...(middlewareEntries.length > 0 ? {
+            middlewares: middlewareEntries.map(e => ({
+                dir: e.dir,
+                module: e.dir ? `middleware/${e.dir}/_middleware.js` : 'middleware/_middleware.js',
+            })),
+        } : {}),
         ...(i18nConfig ? { i18n: i18nConfig } : {}),
         ...(hasAuthConfig ? { auth: { configModule: 'auth-config.js' } } : {}),
         prefetch: prefetchStrategy,

package/dist/build/scan.d.ts

@@ -4,6 +4,7 @@ export interface PageEntry {
     routePath: string;
     hasLoader: boolean;
     hasSubscribe: boolean;
+    hasSocket: boolean;
     hasAuth: boolean;
     hasMeta: boolean;
     hasStandalone: boolean;

package/dist/build/scan.js

@@ -17,6 +17,7 @@ function analyzePageFile(filePath) {
         return {
             hasLoader: hasExportBefore(/export\s+(async\s+)?function\s+loader\s*\(/),
             hasSubscribe: hasExportBefore(/export\s+(async\s+)?function\s+subscribe\s*\(/),
+            hasSocket: /export\s+(function|const)\s+socket[\s(=]/.test(content),
             hasAuth: hasExportBefore(/export\s+const\s+auth\s*=/),
             hasMeta: hasExportBefore(/export\s+(const\s+meta\s*=|(async\s+)?function\s+meta\s*\()/),
             hasStandalone: hasExportBefore(/export\s+const\s+standalone\s*=/),
@@ -24,7 +25,7 @@ function analyzePageFile(filePath) {
         };
     }
     catch {
-        return { hasLoader: false, hasSubscribe: false, hasAuth: false, hasMeta: false, hasStandalone: false, prerender: false };
+        return { hasLoader: false, hasSubscribe: false, hasSocket: false, hasAuth: false, hasMeta: false, hasStandalone: false, prerender: false };
     }
 }
 export function scanPages(pagesDir) {