@oaklandzoo/ostup 0.10.0 → 0.12.0

package/templates/auth-clerk/sign-in-page.tsx

@@ -0,0 +1,9 @@
+import { SignIn } from '@clerk/nextjs';
+
+export default function SignInPage() {
+  return (
+    <main className="flex min-h-screen items-center justify-center p-6">
+      <SignIn />
+    </main>
+  );
+}

package/templates/auth-clerk/sign-up-page.tsx

@@ -0,0 +1,9 @@
+import { SignUp } from '@clerk/nextjs';
+
+export default function SignUpPage() {
+  return (
+    <main className="flex min-h-screen items-center justify-center p-6">
+      <SignUp />
+    </main>
+  );
+}

package/templates/auth-google/auth.ts

@@ -0,0 +1,12 @@
+import NextAuth from 'next-auth';
+import Google from 'next-auth/providers/google';
+
+export const { handlers, signIn, signOut, auth } = NextAuth({
+  providers: [
+    Google({
+      clientId: process.env.GOOGLE_CLIENT_ID || '',
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET || '',
+    }),
+  ],
+  trustHost: true,
+});

package/templates/auth-google/env.example.additions

@@ -0,0 +1,9 @@
+# --- Google OAuth (NextAuth v5) additions ---
+# Create an OAuth 2.0 Client ID at:
+#   https://console.cloud.google.com/apis/credentials/oauthclient
+# Authorized redirect URI: <your-prod-url>/api/auth/callback/google
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
+# NextAuth secret. Generate one with: openssl rand -base64 32
+AUTH_SECRET=

package/templates/auth-google/package.json.additions

@@ -0,0 +1,5 @@
+{
+  "dependencies": {
+    "next-auth": "^5.0.0-beta.20"
+  }
+}

package/templates/auth-google/route.ts

@@ -0,0 +1,2 @@
+import { handlers } from '@/auth';
+export const { GET, POST } = handlers;

package/templates/auth-google/sign-in-page.tsx

@@ -0,0 +1,32 @@
+import { signIn } from '@/auth';
+
+export default function SignInPage() {
+  return (
+    <main className="flex min-h-screen items-center justify-center p-6">
+      <div className="w-full max-w-sm rounded-lg border border-slate-200 bg-white p-8">
+        <h1 className="text-2xl font-semibold tracking-tight">Sign in</h1>
+        <p className="mt-2 text-sm text-slate-600">Continue to {`{{DISPLAY_NAME}}`}.</p>
+        <form
+          action={async () => {
+            'use server';
+            await signIn('google', { redirectTo: '/dashboard' });
+          }}
+          className="mt-8"
+        >
+          <button
+            type="submit"
+            className="flex w-full items-center justify-center gap-2 rounded-md border border-slate-300 bg-white px-4 py-2 font-medium text-slate-900 hover:bg-slate-50"
+          >
+            <svg className="h-5 w-5" viewBox="0 0 24 24" aria-hidden="true">
+              <path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09Z" fill="#4285F4"/>
+              <path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.99.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84A11 11 0 0 0 12 23Z" fill="#34A853"/>
+              <path d="M5.84 14.1A6.6 6.6 0 0 1 5.5 12c0-.73.13-1.43.34-2.1V7.07H2.18A11 11 0 0 0 1 12c0 1.77.42 3.45 1.18 4.93l3.66-2.83Z" fill="#FBBC05"/>
+              <path d="M12 5.38c1.62 0 3.06.56 4.21 1.65l3.15-3.15C17.45 2.09 14.97 1 12 1A11 11 0 0 0 2.18 7.07l3.66 2.83C6.71 7.3 9.14 5.38 12 5.38Z" fill="#EA4335"/>
+            </svg>
+            Sign in with Google
+          </button>
+        </form>
+      </div>
+    </main>
+  );
+}

package/templates/auth-google/sign-up-page.tsx

@@ -0,0 +1,32 @@
+import { signIn } from '@/auth';
+
+export default function SignUpPage() {
+  return (
+    <main className="flex min-h-screen items-center justify-center p-6">
+      <div className="w-full max-w-sm rounded-lg border border-slate-200 bg-white p-8">
+        <h1 className="text-2xl font-semibold tracking-tight">Create account</h1>
+        <p className="mt-2 text-sm text-slate-600">Sign up with Google to get started.</p>
+        <form
+          action={async () => {
+            'use server';
+            await signIn('google', { redirectTo: '/dashboard' });
+          }}
+          className="mt-8"
+        >
+          <button
+            type="submit"
+            className="flex w-full items-center justify-center gap-2 rounded-md border border-slate-300 bg-white px-4 py-2 font-medium text-slate-900 hover:bg-slate-50"
+          >
+            <svg className="h-5 w-5" viewBox="0 0 24 24" aria-hidden="true">
+              <path d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09Z" fill="#4285F4"/>
+              <path d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.99.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84A11 11 0 0 0 12 23Z" fill="#34A853"/>
+              <path d="M5.84 14.1A6.6 6.6 0 0 1 5.5 12c0-.73.13-1.43.34-2.1V7.07H2.18A11 11 0 0 0 1 12c0 1.77.42 3.45 1.18 4.93l3.66-2.83Z" fill="#FBBC05"/>
+              <path d="M12 5.38c1.62 0 3.06.56 4.21 1.65l3.15-3.15C17.45 2.09 14.97 1 12 1A11 11 0 0 0 2.18 7.07l3.66 2.83C6.71 7.3 9.14 5.38 12 5.38Z" fill="#EA4335"/>
+            </svg>
+            Continue with Google
+          </button>
+        </form>
+      </div>
+    </main>
+  );
+}

package/templates/private/CLAUDE_PART_20.md

@@ -0,0 +1,30 @@
+
+---
+
+# PART 20: PRIVACY DEFAULT-DENY (--private mode)
+
+This project was scaffolded with `--private` (or `ostup private add` was later run on it). Default-deny is mandatory. Treat the rules below as hard rules per Part 3.
+
+## Hard rules
+
+1. **Do NOT widen the middleware matcher.** The `middleware.ts` matcher at the project root is intentionally strict. Adding paths to its exclusion list ungates them across the entire app. Any change MUST be reviewed for whether it accidentally exposes user content.
+
+2. **All `@vercel/blob` helpers default to `access: 'private'`.** Generated `src/lib/blob.ts` and any blob helper code uses `access: 'private'`. To serve a blob to authenticated users, route it through `app/api/blob/[...path]/route.ts` (the auth-checked proxy). Never set `access: 'public'` unless the file is truly safe to expose to the open internet.
+
+3. **Do NOT change `next.config.ts` -> `images.remotePatterns`.** It is intentionally empty (`[]`). Adding blob hosts would let `/_next/image?url=<blob-url>` proxy private blobs around auth.
+
+4. **`/_next/image` is auth-gated.** The matcher deliberately does NOT exclude `/_next/image`. This blocks public abuse of the image optimizer for any URL the matcher does not already allow.
+
+5. **Rate limiting is wired in middleware.** Default: `/api/*` 60 req/min/IP, everything else 600 req/min/IP. Adjust `src/lib/rate-limit.ts` constants. Removing the rate-limit call from middleware requires explicit operator review.
+
+6. **Audit log every blocked request.** Every 401/429 goes through `src/lib/audit.ts` -> `console.log` -> Vercel Logs. Do not silence the audit logger.
+
+7. **The audit-health endpoint at `/api/audit/health` is the only intentionally public route in privacy mode.** It confirms the audit pipeline is wired. Used by `ostup doctor --privacy` to verify the deploy.
+
+## Verification
+
+Run `ostup doctor --privacy <deployed-url>` after every deploy. It probes a list of suspicious paths without cookies and asserts they return 401 or 404. Any 200 is a privacy regression.
+
+## To undo
+
+If privacy mode is no longer needed, run `ostup private remove` from the project root. The applier captured original file contents in `.ostup/private.json`; remove will restore them.

package/templates/private/api-audit-health.ts

@@ -0,0 +1,9 @@
+import { NextResponse } from 'next/server';
+
+export async function GET() {
+  return NextResponse.json({
+    ok: true,
+    pipeline: 'wired',
+    privacy: '--private',
+  });
+}

package/templates/private/api-blob-proxy.ts

@@ -0,0 +1,40 @@
+import { NextResponse } from 'next/server';
+import { head } from '@vercel/blob';
+import { audit } from '@/lib/audit';
+
+const SESSION_COOKIE_NAMES = ['better-auth.session_token', 'authjs.session-token', 'session_token'];
+
+export async function GET(req: Request, { params }: { params: Promise<{ path: string[] }> }) {
+  const cookieHeader = req.headers.get('cookie') || '';
+  const hasSession = SESSION_COOKIE_NAMES.some((name) => cookieHeader.includes(`${name}=`));
+  if (!hasSession) {
+    audit({
+      ts: new Date().toISOString(),
+      path: new URL(req.url).pathname,
+      ip: req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() || 'unknown',
+      method: 'GET',
+      ua: req.headers.get('user-agent') || '',
+      reason: 'no_session',
+      status: 401,
+    });
+    return new NextResponse('Unauthorized', { status: 401 });
+  }
+
+  const { path } = await params;
+  const blobPath = path.join('/');
+  try {
+    const blob = await head(blobPath);
+    if (!blob) return new NextResponse('Not Found', { status: 404 });
+    const upstream = await fetch(blob.url);
+    if (!upstream.ok || !upstream.body) return new NextResponse('Not Found', { status: 404 });
+    return new NextResponse(upstream.body, {
+      headers: {
+        'content-type': blob.contentType || 'application/octet-stream',
+        'cache-control': 'private, no-store',
+        'x-robots-tag': 'noindex, nofollow',
+      },
+    });
+  } catch {
+    return new NextResponse('Not Found', { status: 404 });
+  }
+}

package/templates/private/lib-audit.ts

@@ -0,0 +1,18 @@
+export type AuditEntry = {
+  ts: string;
+  path: string;
+  ip: string;
+  method: string;
+  ua: string;
+  reason: 'no_session' | 'rate_limit' | 'invalid_token';
+  status: number;
+};
+
+const IGNORE_PATHS: string[] = [
+  '/api/audit/health',
+];
+
+export function audit(entry: AuditEntry): void {
+  if (IGNORE_PATHS.some((p) => entry.path.startsWith(p))) return;
+  console.log(`[audit] ${JSON.stringify(entry)}`);
+}

package/templates/private/lib-rate-limit-kv.ts

@@ -0,0 +1,21 @@
+import { kv } from '@vercel/kv';
+
+const LIMITS: { test: (path: string) => boolean; perMin: number }[] = [
+  { test: (p) => p.startsWith('/api/'), perMin: 60 },
+  { test: () => true, perMin: 600 },
+];
+
+export async function rateLimit({ ip, path }: { ip: string; path: string }): Promise<{ ok: boolean; retryAfterSeconds: number }> {
+  const limit = LIMITS.find((l) => l.test(path))!;
+  const minute = Math.floor(Date.now() / 60_000);
+  const key = `rl:${ip}:${minute}:${limit.perMin}`;
+  const count = await kv.incr(key);
+  if (count === 1) {
+    await kv.expire(key, 65);
+  }
+  if (count > limit.perMin) {
+    const retryAfterSeconds = 60 - (Math.floor(Date.now() / 1000) % 60);
+    return { ok: false, retryAfterSeconds };
+  }
+  return { ok: true, retryAfterSeconds: 0 };
+}

package/templates/private/lib-rate-limit-memory.ts

@@ -0,0 +1,25 @@
+type Bucket = { count: number; resetAt: number };
+
+const buckets = new Map<string, Bucket>();
+
+const LIMITS: { test: (path: string) => boolean; perMin: number }[] = [
+  { test: (p) => p.startsWith('/api/'), perMin: 60 },
+  { test: () => true, perMin: 600 },
+];
+
+export async function rateLimit({ ip, path }: { ip: string; path: string }): Promise<{ ok: boolean; retryAfterSeconds: number }> {
+  const limit = LIMITS.find((l) => l.test(path))!;
+  const key = `${ip}::${limit.perMin}`;
+  const now = Date.now();
+  const bucket = buckets.get(key);
+
+  if (!bucket || bucket.resetAt < now) {
+    buckets.set(key, { count: 1, resetAt: now + 60_000 });
+    return { ok: true, retryAfterSeconds: 0 };
+  }
+  if (bucket.count >= limit.perMin) {
+    return { ok: false, retryAfterSeconds: Math.ceil((bucket.resetAt - now) / 1000) };
+  }
+  bucket.count += 1;
+  return { ok: true, retryAfterSeconds: 0 };
+}

package/templates/private/middleware.ts

@@ -0,0 +1,67 @@
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+import { rateLimit } from '@/lib/rate-limit';
+import { audit } from '@/lib/audit';
+
+const SESSION_COOKIE_NAMES = [
+  '__session',                       // Clerk
+  '__clerk_db_jwt',                  // Clerk db cookie
+  'authjs.session-token',            // NextAuth v5
+  '__Secure-authjs.session-token',   // NextAuth v5 secure
+  'better-auth.session_token',       // Better Auth
+  'session_token',                   // Generic fallback
+];
+
+function getIp(req: NextRequest): string {
+  const xff = req.headers.get('x-forwarded-for');
+  if (xff) return xff.split(',')[0].trim();
+  return req.headers.get('x-real-ip') || 'unknown';
+}
+
+export async function middleware(req: NextRequest) {
+  const ip = getIp(req);
+  const path = req.nextUrl.pathname;
+  const method = req.method;
+  const ua = req.headers.get('user-agent') || '';
+
+  const rl = await rateLimit({ ip, path });
+  if (!rl.ok) {
+    audit({ ts: new Date().toISOString(), path, ip, method, ua, reason: 'rate_limit', status: 429 });
+    return new NextResponse('Too Many Requests', {
+      status: 429,
+      headers: {
+        'retry-after': String(rl.retryAfterSeconds),
+        'x-robots-tag': 'noindex, nofollow',
+      },
+    });
+  }
+
+  const hasSession = SESSION_COOKIE_NAMES.some((name) => req.cookies.get(name)?.value);
+  if (!hasSession) {
+    audit({ ts: new Date().toISOString(), path, ip, method, ua, reason: 'no_session', status: 401 });
+    if (method === 'GET' && req.headers.get('accept')?.includes('text/html')) {
+      const url = req.nextUrl.clone();
+      url.pathname = '/sign-in';
+      url.searchParams.set('next', path);
+      return NextResponse.redirect(url);
+    }
+    return new NextResponse('Unauthorized', {
+      status: 401,
+      headers: { 'x-robots-tag': 'noindex, nofollow' },
+    });
+  }
+
+  const res = NextResponse.next();
+  res.headers.set('x-robots-tag', 'noindex, nofollow');
+  return res;
+}
+
+export const config = {
+  // Default-deny matcher.
+  // Bypassed: /login, /signup, /sign-in, /sign-up, /api/auth/*, /api/audit/health,
+  //           /_next/static/*, /favicon.ico, /robots.txt.
+  // NOTE: /_next/image is deliberately NOT excluded. The image optimizer must be
+  // auth-gated too. Otherwise /_next/image?url=<blob-url> would proxy private blobs
+  // around auth.
+  matcher: ['/((?!login|signup|sign-in|sign-up|api/auth|api/audit/health|_next/static|favicon\\.ico|robots\\.txt).*)'],
+};

package/templates/private/next.config.ts

@@ -0,0 +1,14 @@
+import type { NextConfig } from 'next';
+
+const nextConfig: NextConfig = {
+  images: {
+    // Intentionally empty. The Next.js image optimizer cannot proxy any external
+    // host. This is required for privacy mode: if a private blob URL were added
+    // here, /_next/image?url=<blob-url> would serve the blob around auth.
+    //
+    // To serve user uploads with auth, use the /api/blob/[...path] proxy route.
+    remotePatterns: [],
+  },
+};
+
+export default nextConfig;