@sekyuriti/attest 0.1.0

package/README.md

@@ -0,0 +1,154 @@
+# @sekyuriti/attest
+
+API protection for Next.js applications. Verify that requests come from real browsers, not bots or scripts.
+
+## Installation
+
+```bash
+npm install @sekyuriti/attest
+```
+
+## Quick Start
+
+### 1. Add the script to your frontend
+
+```html
+<script src="https://sekyuriti.build/api/v2/attest/script/YOUR_PROJECT_ID" defer></script>
+```
+
+Or in Next.js:
+
+```tsx
+// app/layout.tsx
+export default function RootLayout({ children }) {
+  return (
+    <html>
+      <head>
+        <script
+          src={`https://sekyuriti.build/api/v2/attest/script/${process.env.NEXT_PUBLIC_ATTEST_PROJECT_ID}`}
+          defer
+        />
+      </head>
+      <body>{children}</body>
+    </html>
+  );
+}
+```
+
+### 2. Protect your API routes
+
+**Option A: Middleware (recommended)**
+
+Protects all `/api/*` routes automatically:
+
+```ts
+// middleware.ts
+import { createAttestMiddleware } from "@sekyuriti/attest/middleware";
+
+export const middleware = createAttestMiddleware({
+  projectId: process.env.ATTEST_PROJECT_ID!,
+  apiKey: process.env.ATTEST_API_KEY!,
+});
+
+export const config = {
+  matcher: "/api/:path*",
+};
+```
+
+**Option B: Per-route verification**
+
+```ts
+// app/api/protected/route.ts
+import { verifyAttest } from "@sekyuriti/attest";
+
+export async function POST(request: Request) {
+  const result = await verifyAttest(request, {
+    projectId: process.env.ATTEST_PROJECT_ID!,
+    apiKey: process.env.ATTEST_API_KEY!,
+  });
+
+  if (!result.attested) {
+    return Response.json({ error: "Not attested" }, { status: 403 });
+  }
+
+  // Handle request...
+}
+```
+
+## Environment Variables
+
+```env
+ATTEST_PROJECT_ID=ATST_xxxxxxxxxxxx
+ATTEST_API_KEY=sk_xxxxxxxxxxxx
+NEXT_PUBLIC_ATTEST_PROJECT_ID=ATST_xxxxxxxxxxxx
+```
+
+## API Reference
+
+### `verifyAttest(request, config)`
+
+Verify a single request.
+
+```ts
+const result = await verifyAttest(request, {
+  projectId: "ATST_xxx",
+  apiKey: "sk_xxx",
+});
+
+// result.attested: boolean
+// result.fingerprint: string (if attested)
+// result.reason: string (if not attested)
+```
+
+### `createAttestMiddleware(config)`
+
+Create middleware for automatic verification.
+
+```ts
+const middleware = createAttestMiddleware({
+  projectId: "ATST_xxx",
+  apiKey: "sk_xxx",
+
+  // Optional settings
+  protectedRoutes: ["/api/*"],  // Routes to protect
+  excludeRoutes: ["/api/health"], // Routes to skip
+  allowUnauthenticated: false, // Allow requests without headers
+
+  // Custom handlers
+  onBlocked: (req, result) => Response.json({ error: result.reason }, { status: 403 }),
+  onAllowed: (req, result) => console.log("Verified:", result.fingerprint),
+});
+```
+
+### `createAttestVerifier(config)`
+
+Create a reusable verifier function.
+
+```ts
+const verify = createAttestVerifier({
+  projectId: process.env.ATTEST_PROJECT_ID!,
+  apiKey: process.env.ATTEST_API_KEY!,
+});
+
+// Use in multiple routes
+const result = await verify(request);
+```
+
+## How It Works
+
+1. **Frontend script** automatically signs all `fetch()` and `XMLHttpRequest` calls
+2. **Signatures** are added as headers: `X-Attest-Timestamp`, `X-Attest-Signature`, `X-Attest-Fingerprint`
+3. **Backend verification** validates signatures with SEKYURITI's API
+4. **Bots and scripts** can't generate valid signatures without running in a real browser
+
+## Protection Features
+
+- DevTools detection
+- Bot/headless browser detection
+- Request signing with HMAC-SHA256
+- Browser fingerprinting
+- Timestamp validation
+
+## License
+
+MIT

package/dist/index.d.mts

@@ -0,0 +1,92 @@
+/**
+ * @sekyuriti/attest
+ *
+ * API protection for Next.js applications.
+ * Verify that requests come from real browsers, not bots or scripts.
+ */
+interface AttestConfig {
+    /** Your ATTEST project ID (starts with ATST_) */
+    projectId: string;
+    /** Your ATTEST API key (keep this secret, server-side only) */
+    apiKey: string;
+    /** Custom verify URL (optional, for self-hosted) */
+    verifyUrl?: string;
+}
+interface AttestResult {
+    /** Whether the request passed verification */
+    attested: boolean;
+    /** Browser fingerprint (if attested) */
+    fingerprint?: string;
+    /** Verification timestamp */
+    timestamp?: number;
+    /** Reason for failure (if not attested) */
+    reason?: string;
+    /** Warning message (e.g., approaching rate limit) */
+    warning?: string;
+    /** Current usage stats */
+    usage?: {
+        used: number;
+        limit: number;
+        percent: number;
+    };
+}
+interface AttestHeaders {
+    timestamp: string | null;
+    signature: string | null;
+    fingerprint: string | null;
+    project: string | null;
+}
+/**
+ * Extract ATTEST headers from a request
+ */
+declare function getAttestHeaders(request: Request): AttestHeaders;
+/**
+ * Check if a request has ATTEST headers
+ */
+declare function hasAttestHeaders(request: Request): boolean;
+/**
+ * Verify a request with ATTEST
+ *
+ * @example
+ * ```ts
+ * import { verifyAttest } from "@sekyuriti/attest";
+ *
+ * export async function POST(request: Request) {
+ *   const result = await verifyAttest(request, {
+ *     projectId: process.env.ATTEST_PROJECT_ID!,
+ *     apiKey: process.env.ATTEST_API_KEY!,
+ *   });
+ *
+ *   if (!result.attested) {
+ *     return Response.json({ error: "Not attested" }, { status: 403 });
+ *   }
+ *
+ *   // ... handle request
+ * }
+ * ```
+ */
+declare function verifyAttest(request: Request, config: AttestConfig): Promise<AttestResult>;
+/**
+ * Create a configured verifier function
+ *
+ * @example
+ * ```ts
+ * import { createAttestVerifier } from "@sekyuriti/attest";
+ *
+ * const verify = createAttestVerifier({
+ *   projectId: process.env.ATTEST_PROJECT_ID!,
+ *   apiKey: process.env.ATTEST_API_KEY!,
+ * });
+ *
+ * export async function POST(request: Request) {
+ *   const result = await verify(request);
+ *   if (!result.attested) {
+ *     return Response.json({ error: "Not attested" }, { status: 403 });
+ *   }
+ *   // ...
+ * }
+ * ```
+ */
+declare function createAttestVerifier(config: AttestConfig): (request: Request) => Promise<AttestResult>;
+
+export { type AttestConfig, type AttestHeaders, type AttestResult, createAttestVerifier, getAttestHeaders, hasAttestHeaders, verifyAttest };

package/dist/index.d.ts

@@ -0,0 +1,92 @@
+/**
+ * @sekyuriti/attest
+ *
+ * API protection for Next.js applications.
+ * Verify that requests come from real browsers, not bots or scripts.
+ */
+interface AttestConfig {
+    /** Your ATTEST project ID (starts with ATST_) */
+    projectId: string;
+    /** Your ATTEST API key (keep this secret, server-side only) */
+    apiKey: string;
+    /** Custom verify URL (optional, for self-hosted) */
+    verifyUrl?: string;
+}
+interface AttestResult {
+    /** Whether the request passed verification */
+    attested: boolean;
+    /** Browser fingerprint (if attested) */
+    fingerprint?: string;
+    /** Verification timestamp */
+    timestamp?: number;
+    /** Reason for failure (if not attested) */
+    reason?: string;
+    /** Warning message (e.g., approaching rate limit) */
+    warning?: string;
+    /** Current usage stats */
+    usage?: {
+        used: number;
+        limit: number;
+        percent: number;
+    };
+}
+interface AttestHeaders {
+    timestamp: string | null;
+    signature: string | null;
+    fingerprint: string | null;
+    project: string | null;
+}
+/**
+ * Extract ATTEST headers from a request
+ */
+declare function getAttestHeaders(request: Request): AttestHeaders;
+/**
+ * Check if a request has ATTEST headers
+ */
+declare function hasAttestHeaders(request: Request): boolean;
+/**
+ * Verify a request with ATTEST
+ *
+ * @example
+ * ```ts
+ * import { verifyAttest } from "@sekyuriti/attest";
+ *
+ * export async function POST(request: Request) {
+ *   const result = await verifyAttest(request, {
+ *     projectId: process.env.ATTEST_PROJECT_ID!,
+ *     apiKey: process.env.ATTEST_API_KEY!,
+ *   });
+ *
+ *   if (!result.attested) {
+ *     return Response.json({ error: "Not attested" }, { status: 403 });
+ *   }
+ *
+ *   // ... handle request
+ * }
+ * ```
+ */
+declare function verifyAttest(request: Request, config: AttestConfig): Promise<AttestResult>;
+/**
+ * Create a configured verifier function
+ *
+ * @example
+ * ```ts
+ * import { createAttestVerifier } from "@sekyuriti/attest";
+ *
+ * const verify = createAttestVerifier({
+ *   projectId: process.env.ATTEST_PROJECT_ID!,
+ *   apiKey: process.env.ATTEST_API_KEY!,
+ * });
+ *
+ * export async function POST(request: Request) {
+ *   const result = await verify(request);
+ *   if (!result.attested) {
+ *     return Response.json({ error: "Not attested" }, { status: 403 });
+ *   }
+ *   // ...
+ * }
+ * ```
+ */
+declare function createAttestVerifier(config: AttestConfig): (request: Request) => Promise<AttestResult>;
+
+export { type AttestConfig, type AttestHeaders, type AttestResult, createAttestVerifier, getAttestHeaders, hasAttestHeaders, verifyAttest };

package/dist/index.js

@@ -0,0 +1,89 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  createAttestVerifier: () => createAttestVerifier,
+  getAttestHeaders: () => getAttestHeaders,
+  hasAttestHeaders: () => hasAttestHeaders,
+  verifyAttest: () => verifyAttest
+});
+module.exports = __toCommonJS(src_exports);
+var ATTEST_VERIFY_URL = "https://sekyuriti.build/api/v2/attest/verify";
+function getAttestHeaders(request) {
+  return {
+    timestamp: request.headers.get("x-attest-timestamp"),
+    signature: request.headers.get("x-attest-signature"),
+    fingerprint: request.headers.get("x-attest-fingerprint"),
+    project: request.headers.get("x-attest-project")
+  };
+}
+function hasAttestHeaders(request) {
+  const headers = getAttestHeaders(request);
+  return !!(headers.timestamp && headers.signature && headers.fingerprint);
+}
+async function verifyAttest(request, config) {
+  const headers = getAttestHeaders(request);
+  if (!headers.timestamp || !headers.signature || !headers.fingerprint) {
+    return {
+      attested: false,
+      reason: "Missing ATTEST headers"
+    };
+  }
+  try {
+    const response = await fetch(config.verifyUrl || ATTEST_VERIFY_URL, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        project_id: config.projectId,
+        api_key: config.apiKey,
+        timestamp: parseInt(headers.timestamp, 10),
+        signature: headers.signature,
+        fingerprint: headers.fingerprint
+      })
+    });
+    if (!response.ok) {
+      return {
+        attested: false,
+        reason: `Verification service error: ${response.status}`
+      };
+    }
+    return await response.json();
+  } catch (error) {
+    console.error("[@sekyuriti/attest] Verification failed:", error);
+    return {
+      attested: true,
+      reason: "Verification service unavailable"
+    };
+  }
+}
+function createAttestVerifier(config) {
+  return (request) => verifyAttest(request, config);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAttestVerifier,
+  getAttestHeaders,
+  hasAttestHeaders,
+  verifyAttest
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @sekyuriti/attest\n *\n * API protection for Next.js applications.\n * Verify that requests come from real browsers, not bots or scripts.\n */\n\nconst ATTEST_VERIFY_URL = \"https://sekyuriti.build/api/v2/attest/verify\";\n\nexport interface AttestConfig {\n  /** Your ATTEST project ID (starts with ATST_) */\n  projectId: string;\n  /** Your ATTEST API key (keep this secret, server-side only) */\n  apiKey: string;\n  /** Custom verify URL (optional, for self-hosted) */\n  verifyUrl?: string;\n}\n\nexport interface AttestResult {\n  /** Whether the request passed verification */\n  attested: boolean;\n  /** Browser fingerprint (if attested) */\n  fingerprint?: string;\n  /** Verification timestamp */\n  timestamp?: number;\n  /** Reason for failure (if not attested) */\n  reason?: string;\n  /** Warning message (e.g., approaching rate limit) */\n  warning?: string;\n  /** Current usage stats */\n  usage?: {\n    used: number;\n    limit: number;\n    percent: number;\n  };\n}\n\nexport interface AttestHeaders {\n  timestamp: string | null;\n  signature: string | null;\n  fingerprint: string | null;\n  project: string | null;\n}\n\n/**\n * Extract ATTEST headers from a request\n */\nexport function getAttestHeaders(request: Request): AttestHeaders {\n  return {\n    timestamp: request.headers.get(\"x-attest-timestamp\"),\n    signature: request.headers.get(\"x-attest-signature\"),\n    fingerprint: request.headers.get(\"x-attest-fingerprint\"),\n    project: request.headers.get(\"x-attest-project\"),\n  };\n}\n\n/**\n * Check if a request has ATTEST headers\n */\nexport function hasAttestHeaders(request: Request): boolean {\n  const headers = getAttestHeaders(request);\n  return !!(headers.timestamp && headers.signature && headers.fingerprint);\n}\n\n/**\n * Verify a request with ATTEST\n *\n * @example\n * ```ts\n * import { verifyAttest } from \"@sekyuriti/attest\";\n *\n * export async function POST(request: Request) {\n *   const result = await verifyAttest(request, {\n *     projectId: process.env.ATTEST_PROJECT_ID!,\n *     apiKey: process.env.ATTEST_API_KEY!,\n *   });\n *\n *   if (!result.attested) {\n *     return Response.json({ error: \"Not attested\" }, { status: 403 });\n *   }\n *\n *   // ... handle request\n * }\n * ```\n */\nexport async function verifyAttest(\n  request: Request,\n  config: AttestConfig\n): Promise<AttestResult> {\n  const headers = getAttestHeaders(request);\n\n  // If no ATTEST headers, request is not attested\n  if (!headers.timestamp || !headers.signature || !headers.fingerprint) {\n    return {\n      attested: false,\n      reason: \"Missing ATTEST headers\",\n    };\n  }\n\n  try {\n    const response = await fetch(config.verifyUrl || ATTEST_VERIFY_URL, {\n      method: \"POST\",\n      headers: {\n        \"Content-Type\": \"application/json\",\n      },\n      body: JSON.stringify({\n        project_id: config.projectId,\n        api_key: config.apiKey,\n        timestamp: parseInt(headers.timestamp, 10),\n        signature: headers.signature,\n        fingerprint: headers.fingerprint,\n      }),\n    });\n\n    if (!response.ok) {\n      return {\n        attested: false,\n        reason: `Verification service error: ${response.status}`,\n      };\n    }\n\n    return (await response.json()) as AttestResult;\n  } catch (error) {\n    // Fail open - don't break the app if ATTEST service is down\n    console.error(\"[@sekyuriti/attest] Verification failed:\", error);\n    return {\n      attested: true,\n      reason: \"Verification service unavailable\",\n    };\n  }\n}\n\n/**\n * Create a configured verifier function\n *\n * @example\n * ```ts\n * import { createAttestVerifier } from \"@sekyuriti/attest\";\n *\n * const verify = createAttestVerifier({\n *   projectId: process.env.ATTEST_PROJECT_ID!,\n *   apiKey: process.env.ATTEST_API_KEY!,\n * });\n *\n * export async function POST(request: Request) {\n *   const result = await verify(request);\n *   if (!result.attested) {\n *     return Response.json({ error: \"Not attested\" }, { status: 403 });\n *   }\n *   // ...\n * }\n * ```\n */\nexport function createAttestVerifier(config: AttestConfig) {\n  return (request: Request) => verifyAttest(request, config);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAOA,IAAM,oBAAoB;AAwCnB,SAAS,iBAAiB,SAAiC;AAChE,SAAO;AAAA,IACL,WAAW,QAAQ,QAAQ,IAAI,oBAAoB;AAAA,IACnD,WAAW,QAAQ,QAAQ,IAAI,oBAAoB;AAAA,IACnD,aAAa,QAAQ,QAAQ,IAAI,sBAAsB;AAAA,IACvD,SAAS,QAAQ,QAAQ,IAAI,kBAAkB;AAAA,EACjD;AACF;AAKO,SAAS,iBAAiB,SAA2B;AAC1D,QAAM,UAAU,iBAAiB,OAAO;AACxC,SAAO,CAAC,EAAE,QAAQ,aAAa,QAAQ,aAAa,QAAQ;AAC9D;AAuBA,eAAsB,aACpB,SACA,QACuB;AACvB,QAAM,UAAU,iBAAiB,OAAO;AAGxC,MAAI,CAAC,QAAQ,aAAa,CAAC,QAAQ,aAAa,CAAC,QAAQ,aAAa;AACpE,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,OAAO,aAAa,mBAAmB;AAAA,MAClE,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB,YAAY,OAAO;AAAA,QACnB,SAAS,OAAO;AAAA,QAChB,WAAW,SAAS,QAAQ,WAAW,EAAE;AAAA,QACzC,WAAW,QAAQ;AAAA,QACnB,aAAa,QAAQ;AAAA,MACvB,CAAC;AAAA,IACH,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,aAAO;AAAA,QACL,UAAU;AAAA,QACV,QAAQ,+BAA+B,SAAS,MAAM;AAAA,MACxD;AAAA,IACF;AAEA,WAAQ,MAAM,SAAS,KAAK;AAAA,EAC9B,SAAS,OAAO;AAEd,YAAQ,MAAM,4CAA4C,KAAK;AAC/D,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,EACF;AACF;AAuBO,SAAS,qBAAqB,QAAsB;AACzD,SAAO,CAAC,YAAqB,aAAa,SAAS,MAAM;AAC3D;","names":[]}

package/dist/index.mjs

@@ -0,0 +1,61 @@
+// src/index.ts
+var ATTEST_VERIFY_URL = "https://sekyuriti.build/api/v2/attest/verify";
+function getAttestHeaders(request) {
+  return {
+    timestamp: request.headers.get("x-attest-timestamp"),
+    signature: request.headers.get("x-attest-signature"),
+    fingerprint: request.headers.get("x-attest-fingerprint"),
+    project: request.headers.get("x-attest-project")
+  };
+}
+function hasAttestHeaders(request) {
+  const headers = getAttestHeaders(request);
+  return !!(headers.timestamp && headers.signature && headers.fingerprint);
+}
+async function verifyAttest(request, config) {
+  const headers = getAttestHeaders(request);
+  if (!headers.timestamp || !headers.signature || !headers.fingerprint) {
+    return {
+      attested: false,
+      reason: "Missing ATTEST headers"
+    };
+  }
+  try {
+    const response = await fetch(config.verifyUrl || ATTEST_VERIFY_URL, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        project_id: config.projectId,
+        api_key: config.apiKey,
+        timestamp: parseInt(headers.timestamp, 10),
+        signature: headers.signature,
+        fingerprint: headers.fingerprint
+      })
+    });
+    if (!response.ok) {
+      return {
+        attested: false,
+        reason: `Verification service error: ${response.status}`
+      };
+    }
+    return await response.json();
+  } catch (error) {
+    console.error("[@sekyuriti/attest] Verification failed:", error);
+    return {
+      attested: true,
+      reason: "Verification service unavailable"
+    };
+  }
+}
+function createAttestVerifier(config) {
+  return (request) => verifyAttest(request, config);
+}
+export {
+  createAttestVerifier,
+  getAttestHeaders,
+  hasAttestHeaders,
+  verifyAttest
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @sekyuriti/attest\n *\n * API protection for Next.js applications.\n * Verify that requests come from real browsers, not bots or scripts.\n */\n\nconst ATTEST_VERIFY_URL = \"https://sekyuriti.build/api/v2/attest/verify\";\n\nexport interface AttestConfig {\n  /** Your ATTEST project ID (starts with ATST_) */\n  projectId: string;\n  /** Your ATTEST API key (keep this secret, server-side only) */\n  apiKey: string;\n  /** Custom verify URL (optional, for self-hosted) */\n  verifyUrl?: string;\n}\n\nexport interface AttestResult {\n  /** Whether the request passed verification */\n  attested: boolean;\n  /** Browser fingerprint (if attested) */\n  fingerprint?: string;\n  /** Verification timestamp */\n  timestamp?: number;\n  /** Reason for failure (if not attested) */\n  reason?: string;\n  /** Warning message (e.g., approaching rate limit) */\n  warning?: string;\n  /** Current usage stats */\n  usage?: {\n    used: number;\n    limit: number;\n    percent: number;\n  };\n}\n\nexport interface AttestHeaders {\n  timestamp: string | null;\n  signature: string | null;\n  fingerprint: string | null;\n  project: string | null;\n}\n\n/**\n * Extract ATTEST headers from a request\n */\nexport function getAttestHeaders(request: Request): AttestHeaders {\n  return {\n    timestamp: request.headers.get(\"x-attest-timestamp\"),\n    signature: request.headers.get(\"x-attest-signature\"),\n    fingerprint: request.headers.get(\"x-attest-fingerprint\"),\n    project: request.headers.get(\"x-attest-project\"),\n  };\n}\n\n/**\n * Check if a request has ATTEST headers\n */\nexport function hasAttestHeaders(request: Request): boolean {\n  const headers = getAttestHeaders(request);\n  return !!(headers.timestamp && headers.signature && headers.fingerprint);\n}\n\n/**\n * Verify a request with ATTEST\n *\n * @example\n * ```ts\n * import { verifyAttest } from \"@sekyuriti/attest\";\n *\n * export async function POST(request: Request) {\n *   const result = await verifyAttest(request, {\n *     projectId: process.env.ATTEST_PROJECT_ID!,\n *     apiKey: process.env.ATTEST_API_KEY!,\n *   });\n *\n *   if (!result.attested) {\n *     return Response.json({ error: \"Not attested\" }, { status: 403 });\n *   }\n *\n *   // ... handle request\n * }\n * ```\n */\nexport async function verifyAttest(\n  request: Request,\n  config: AttestConfig\n): Promise<AttestResult> {\n  const headers = getAttestHeaders(request);\n\n  // If no ATTEST headers, request is not attested\n  if (!headers.timestamp || !headers.signature || !headers.fingerprint) {\n    return {\n      attested: false,\n      reason: \"Missing ATTEST headers\",\n    };\n  }\n\n  try {\n    const response = await fetch(config.verifyUrl || ATTEST_VERIFY_URL, {\n      method: \"POST\",\n      headers: {\n        \"Content-Type\": \"application/json\",\n      },\n      body: JSON.stringify({\n        project_id: config.projectId,\n        api_key: config.apiKey,\n        timestamp: parseInt(headers.timestamp, 10),\n        signature: headers.signature,\n        fingerprint: headers.fingerprint,\n      }),\n    });\n\n    if (!response.ok) {\n      return {\n        attested: false,\n        reason: `Verification service error: ${response.status}`,\n      };\n    }\n\n    return (await response.json()) as AttestResult;\n  } catch (error) {\n    // Fail open - don't break the app if ATTEST service is down\n    console.error(\"[@sekyuriti/attest] Verification failed:\", error);\n    return {\n      attested: true,\n      reason: \"Verification service unavailable\",\n    };\n  }\n}\n\n/**\n * Create a configured verifier function\n *\n * @example\n * ```ts\n * import { createAttestVerifier } from \"@sekyuriti/attest\";\n *\n * const verify = createAttestVerifier({\n *   projectId: process.env.ATTEST_PROJECT_ID!,\n *   apiKey: process.env.ATTEST_API_KEY!,\n * });\n *\n * export async function POST(request: Request) {\n *   const result = await verify(request);\n *   if (!result.attested) {\n *     return Response.json({ error: \"Not attested\" }, { status: 403 });\n *   }\n *   // ...\n * }\n * ```\n */\nexport function createAttestVerifier(config: AttestConfig) {\n  return (request: Request) => verifyAttest(request, config);\n}\n"],"mappings":";AAOA,IAAM,oBAAoB;AAwCnB,SAAS,iBAAiB,SAAiC;AAChE,SAAO;AAAA,IACL,WAAW,QAAQ,QAAQ,IAAI,oBAAoB;AAAA,IACnD,WAAW,QAAQ,QAAQ,IAAI,oBAAoB;AAAA,IACnD,aAAa,QAAQ,QAAQ,IAAI,sBAAsB;AAAA,IACvD,SAAS,QAAQ,QAAQ,IAAI,kBAAkB;AAAA,EACjD;AACF;AAKO,SAAS,iBAAiB,SAA2B;AAC1D,QAAM,UAAU,iBAAiB,OAAO;AACxC,SAAO,CAAC,EAAE,QAAQ,aAAa,QAAQ,aAAa,QAAQ;AAC9D;AAuBA,eAAsB,aACpB,SACA,QACuB;AACvB,QAAM,UAAU,iBAAiB,OAAO;AAGxC,MAAI,CAAC,QAAQ,aAAa,CAAC,QAAQ,aAAa,CAAC,QAAQ,aAAa;AACpE,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,OAAO,aAAa,mBAAmB;AAAA,MAClE,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB,YAAY,OAAO;AAAA,QACnB,SAAS,OAAO;AAAA,QAChB,WAAW,SAAS,QAAQ,WAAW,EAAE;AAAA,QACzC,WAAW,QAAQ;AAAA,QACnB,aAAa,QAAQ;AAAA,MACvB,CAAC;AAAA,IACH,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,aAAO;AAAA,QACL,UAAU;AAAA,QACV,QAAQ,+BAA+B,SAAS,MAAM;AAAA,MACxD;AAAA,IACF;AAEA,WAAQ,MAAM,SAAS,KAAK;AAAA,EAC9B,SAAS,OAAO;AAEd,YAAQ,MAAM,4CAA4C,KAAK;AAC/D,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,EACF;AACF;AAuBO,SAAS,qBAAqB,QAAsB;AACzD,SAAO,CAAC,YAAqB,aAAa,SAAS,MAAM;AAC3D;","names":[]}

package/dist/middleware.d.mts

@@ -0,0 +1,75 @@
+import { NextRequest } from 'next/server';
+import { AttestConfig, AttestResult } from './index.mjs';
+
+/**
+ * @sekyuriti/attest/middleware
+ *
+ * Next.js middleware for automatic ATTEST verification.
+ * Protects all matching routes with a single file.
+ */
+
+interface AttestMiddlewareConfig extends AttestConfig {
+    /**
+     * Routes to protect (glob patterns)
+     * @default ["/api/*"]
+     */
+    protectedRoutes?: string[];
+    /**
+     * Routes to exclude from protection (glob patterns)
+     * @default []
+     */
+    excludeRoutes?: string[];
+    /**
+     * Allow requests without ATTEST headers (passthrough mode)
+     * Useful for gradual rollout
+     * @default false
+     */
+    allowUnauthenticated?: boolean;
+    /**
+     * Custom handler for blocked requests
+     */
+    onBlocked?: (request: NextRequest, result: AttestResult) => Response | Promise<Response>;
+    /**
+     * Custom handler for allowed requests (for logging, etc.)
+     */
+    onAllowed?: (request: NextRequest, result: AttestResult) => void | Promise<void>;
+}
+/**
+ * Create ATTEST middleware for Next.js
+ *
+ * @example
+ * ```ts
+ * // middleware.ts
+ * import { createAttestMiddleware } from "@sekyuriti/attest/middleware";
+ *
+ * export const middleware = createAttestMiddleware({
+ *   projectId: process.env.ATTEST_PROJECT_ID!,
+ *   apiKey: process.env.ATTEST_API_KEY!,
+ * });
+ *
+ * export const config = {
+ *   matcher: "/api/:path*",
+ * };
+ * ```
+ */
+declare function createAttestMiddleware(config: AttestMiddlewareConfig): (request: NextRequest) => Promise<Response>;
+/**
+ * Simple middleware that uses environment variables
+ *
+ * @example
+ * ```ts
+ * // middleware.ts
+ * export { attestMiddleware as middleware } from "@sekyuriti/attest/middleware";
+ *
+ * export const config = {
+ *   matcher: "/api/:path*",
+ * };
+ * ```
+ *
+ * Requires environment variables:
+ * - ATTEST_PROJECT_ID
+ * - ATTEST_API_KEY
+ */
+declare const attestMiddleware: (request: NextRequest) => Promise<Response>;
+
+export { type AttestMiddlewareConfig, attestMiddleware, createAttestMiddleware };

package/dist/middleware.d.ts

@@ -0,0 +1,75 @@
+import { NextRequest } from 'next/server';
+import { AttestConfig, AttestResult } from './index.js';
+
+/**
+ * @sekyuriti/attest/middleware
+ *
+ * Next.js middleware for automatic ATTEST verification.
+ * Protects all matching routes with a single file.
+ */
+
+interface AttestMiddlewareConfig extends AttestConfig {
+    /**
+     * Routes to protect (glob patterns)
+     * @default ["/api/*"]
+     */
+    protectedRoutes?: string[];
+    /**
+     * Routes to exclude from protection (glob patterns)
+     * @default []
+     */
+    excludeRoutes?: string[];
+    /**
+     * Allow requests without ATTEST headers (passthrough mode)
+     * Useful for gradual rollout
+     * @default false
+     */
+    allowUnauthenticated?: boolean;
+    /**
+     * Custom handler for blocked requests
+     */
+    onBlocked?: (request: NextRequest, result: AttestResult) => Response | Promise<Response>;
+    /**
+     * Custom handler for allowed requests (for logging, etc.)
+     */
+    onAllowed?: (request: NextRequest, result: AttestResult) => void | Promise<void>;
+}
+/**
+ * Create ATTEST middleware for Next.js
+ *
+ * @example
+ * ```ts
+ * // middleware.ts
+ * import { createAttestMiddleware } from "@sekyuriti/attest/middleware";
+ *
+ * export const middleware = createAttestMiddleware({
+ *   projectId: process.env.ATTEST_PROJECT_ID!,
+ *   apiKey: process.env.ATTEST_API_KEY!,
+ * });
+ *
+ * export const config = {
+ *   matcher: "/api/:path*",
+ * };
+ * ```
+ */
+declare function createAttestMiddleware(config: AttestMiddlewareConfig): (request: NextRequest) => Promise<Response>;
+/**
+ * Simple middleware that uses environment variables
+ *
+ * @example
+ * ```ts
+ * // middleware.ts
+ * export { attestMiddleware as middleware } from "@sekyuriti/attest/middleware";
+ *
+ * export const config = {
+ *   matcher: "/api/:path*",
+ * };
+ * ```
+ *
+ * Requires environment variables:
+ * - ATTEST_PROJECT_ID
+ * - ATTEST_API_KEY
+ */
+declare const attestMiddleware: (request: NextRequest) => Promise<Response>;
+
+export { type AttestMiddlewareConfig, attestMiddleware, createAttestMiddleware };

package/dist/middleware.js

@@ -0,0 +1,136 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/middleware.ts
+var middleware_exports = {};
+__export(middleware_exports, {
+  attestMiddleware: () => attestMiddleware,
+  createAttestMiddleware: () => createAttestMiddleware
+});
+module.exports = __toCommonJS(middleware_exports);
+var import_server = require("next/server");
+
+// src/index.ts
+var ATTEST_VERIFY_URL = "https://sekyuriti.build/api/v2/attest/verify";
+function getAttestHeaders(request) {
+  return {
+    timestamp: request.headers.get("x-attest-timestamp"),
+    signature: request.headers.get("x-attest-signature"),
+    fingerprint: request.headers.get("x-attest-fingerprint"),
+    project: request.headers.get("x-attest-project")
+  };
+}
+async function verifyAttest(request, config) {
+  const headers = getAttestHeaders(request);
+  if (!headers.timestamp || !headers.signature || !headers.fingerprint) {
+    return {
+      attested: false,
+      reason: "Missing ATTEST headers"
+    };
+  }
+  try {
+    const response = await fetch(config.verifyUrl || ATTEST_VERIFY_URL, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        project_id: config.projectId,
+        api_key: config.apiKey,
+        timestamp: parseInt(headers.timestamp, 10),
+        signature: headers.signature,
+        fingerprint: headers.fingerprint
+      })
+    });
+    if (!response.ok) {
+      return {
+        attested: false,
+        reason: `Verification service error: ${response.status}`
+      };
+    }
+    return await response.json();
+  } catch (error) {
+    console.error("[@sekyuriti/attest] Verification failed:", error);
+    return {
+      attested: true,
+      reason: "Verification service unavailable"
+    };
+  }
+}
+
+// src/middleware.ts
+function matchesPattern(path, pattern) {
+  const regexPattern = pattern.replace(/\*/g, ".*").replace(/\?/g, ".");
+  return new RegExp(`^${regexPattern}$`).test(path);
+}
+function matchesAnyPattern(path, patterns) {
+  return patterns.some((pattern) => matchesPattern(path, pattern));
+}
+function createAttestMiddleware(config) {
+  const {
+    protectedRoutes = ["/api/*"],
+    excludeRoutes = [],
+    allowUnauthenticated = false,
+    onBlocked,
+    onAllowed,
+    ...attestConfig
+  } = config;
+  return async function middleware(request) {
+    const path = request.nextUrl.pathname;
+    const isProtected = matchesAnyPattern(path, protectedRoutes);
+    const isExcluded = matchesAnyPattern(path, excludeRoutes);
+    if (!isProtected || isExcluded) {
+      return import_server.NextResponse.next();
+    }
+    const result = await verifyAttest(request, attestConfig);
+    if (!result.attested) {
+      if (allowUnauthenticated && result.reason === "Missing ATTEST headers") {
+        return import_server.NextResponse.next();
+      }
+      if (onBlocked) {
+        return onBlocked(request, result);
+      }
+      return import_server.NextResponse.json(
+        {
+          error: "Request not attested",
+          reason: result.reason
+        },
+        { status: 403 }
+      );
+    }
+    if (onAllowed) {
+      await onAllowed(request, result);
+    }
+    const response = import_server.NextResponse.next();
+    if (result.fingerprint) {
+      response.headers.set("x-attest-verified-fingerprint", result.fingerprint);
+    }
+    return response;
+  };
+}
+var attestMiddleware = createAttestMiddleware({
+  projectId: process.env.ATTEST_PROJECT_ID || "",
+  apiKey: process.env.ATTEST_API_KEY || ""
+});
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  attestMiddleware,
+  createAttestMiddleware
+});
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/middleware.ts","../src/index.ts"],"sourcesContent":["/**\n * @sekyuriti/attest/middleware\n *\n * Next.js middleware for automatic ATTEST verification.\n * Protects all matching routes with a single file.\n */\n\nimport { NextResponse } from \"next/server\";\nimport type { NextRequest } from \"next/server\";\nimport { verifyAttest, type AttestConfig, type AttestResult } from \"./index\";\n\nexport interface AttestMiddlewareConfig extends AttestConfig {\n  /**\n   * Routes to protect (glob patterns)\n   * @default [\"/api/*\"]\n   */\n  protectedRoutes?: string[];\n\n  /**\n   * Routes to exclude from protection (glob patterns)\n   * @default []\n   */\n  excludeRoutes?: string[];\n\n  /**\n   * Allow requests without ATTEST headers (passthrough mode)\n   * Useful for gradual rollout\n   * @default false\n   */\n  allowUnauthenticated?: boolean;\n\n  /**\n   * Custom handler for blocked requests\n   */\n  onBlocked?: (request: NextRequest, result: AttestResult) => Response | Promise<Response>;\n\n  /**\n   * Custom handler for allowed requests (for logging, etc.)\n   */\n  onAllowed?: (request: NextRequest, result: AttestResult) => void | Promise<void>;\n}\n\n/**\n * Check if a path matches a glob pattern\n */\nfunction matchesPattern(path: string, pattern: string): boolean {\n  // Convert glob to regex\n  const regexPattern = pattern\n    .replace(/\\*/g, \".*\")\n    .replace(/\\?/g, \".\");\n  return new RegExp(`^${regexPattern}$`).test(path);\n}\n\n/**\n * Check if a path matches any of the patterns\n */\nfunction matchesAnyPattern(path: string, patterns: string[]): boolean {\n  return patterns.some((pattern) => matchesPattern(path, pattern));\n}\n\n/**\n * Create ATTEST middleware for Next.js\n *\n * @example\n * ```ts\n * // middleware.ts\n * import { createAttestMiddleware } from \"@sekyuriti/attest/middleware\";\n *\n * export const middleware = createAttestMiddleware({\n *   projectId: process.env.ATTEST_PROJECT_ID!,\n *   apiKey: process.env.ATTEST_API_KEY!,\n * });\n *\n * export const config = {\n *   matcher: \"/api/:path*\",\n * };\n * ```\n */\nexport function createAttestMiddleware(config: AttestMiddlewareConfig) {\n  const {\n    protectedRoutes = [\"/api/*\"],\n    excludeRoutes = [],\n    allowUnauthenticated = false,\n    onBlocked,\n    onAllowed,\n    ...attestConfig\n  } = config;\n\n  return async function middleware(request: NextRequest) {\n    const path = request.nextUrl.pathname;\n\n    // Check if this path should be protected\n    const isProtected = matchesAnyPattern(path, protectedRoutes);\n    const isExcluded = matchesAnyPattern(path, excludeRoutes);\n\n    if (!isProtected || isExcluded) {\n      return NextResponse.next();\n    }\n\n    // Verify with ATTEST\n    const result = await verifyAttest(request, attestConfig);\n\n    if (!result.attested) {\n      // Allow through if configured and no headers present\n      if (allowUnauthenticated && result.reason === \"Missing ATTEST headers\") {\n        return NextResponse.next();\n      }\n\n      // Custom blocked handler\n      if (onBlocked) {\n        return onBlocked(request, result);\n      }\n\n      // Default blocked response\n      return NextResponse.json(\n        {\n          error: \"Request not attested\",\n          reason: result.reason,\n        },\n        { status: 403 }\n      );\n    }\n\n    // Call allowed handler if provided\n    if (onAllowed) {\n      await onAllowed(request, result);\n    }\n\n    // Add fingerprint to headers for downstream use\n    const response = NextResponse.next();\n    if (result.fingerprint) {\n      response.headers.set(\"x-attest-verified-fingerprint\", result.fingerprint);\n    }\n\n    return response;\n  };\n}\n\n/**\n * Simple middleware that uses environment variables\n *\n * @example\n * ```ts\n * // middleware.ts\n * export { attestMiddleware as middleware } from \"@sekyuriti/attest/middleware\";\n *\n * export const config = {\n *   matcher: \"/api/:path*\",\n * };\n * ```\n *\n * Requires environment variables:\n * - ATTEST_PROJECT_ID\n * - ATTEST_API_KEY\n */\nexport const attestMiddleware = createAttestMiddleware({\n  projectId: process.env.ATTEST_PROJECT_ID || \"\",\n  apiKey: process.env.ATTEST_API_KEY || \"\",\n});\n","/**\n * @sekyuriti/attest\n *\n * API protection for Next.js applications.\n * Verify that requests come from real browsers, not bots or scripts.\n */\n\nconst ATTEST_VERIFY_URL = \"https://sekyuriti.build/api/v2/attest/verify\";\n\nexport interface AttestConfig {\n  /** Your ATTEST project ID (starts with ATST_) */\n  projectId: string;\n  /** Your ATTEST API key (keep this secret, server-side only) */\n  apiKey: string;\n  /** Custom verify URL (optional, for self-hosted) */\n  verifyUrl?: string;\n}\n\nexport interface AttestResult {\n  /** Whether the request passed verification */\n  attested: boolean;\n  /** Browser fingerprint (if attested) */\n  fingerprint?: string;\n  /** Verification timestamp */\n  timestamp?: number;\n  /** Reason for failure (if not attested) */\n  reason?: string;\n  /** Warning message (e.g., approaching rate limit) */\n  warning?: string;\n  /** Current usage stats */\n  usage?: {\n    used: number;\n    limit: number;\n    percent: number;\n  };\n}\n\nexport interface AttestHeaders {\n  timestamp: string | null;\n  signature: string | null;\n  fingerprint: string | null;\n  project: string | null;\n}\n\n/**\n * Extract ATTEST headers from a request\n */\nexport function getAttestHeaders(request: Request): AttestHeaders {\n  return {\n    timestamp: request.headers.get(\"x-attest-timestamp\"),\n    signature: request.headers.get(\"x-attest-signature\"),\n    fingerprint: request.headers.get(\"x-attest-fingerprint\"),\n    project: request.headers.get(\"x-attest-project\"),\n  };\n}\n\n/**\n * Check if a request has ATTEST headers\n */\nexport function hasAttestHeaders(request: Request): boolean {\n  const headers = getAttestHeaders(request);\n  return !!(headers.timestamp && headers.signature && headers.fingerprint);\n}\n\n/**\n * Verify a request with ATTEST\n *\n * @example\n * ```ts\n * import { verifyAttest } from \"@sekyuriti/attest\";\n *\n * export async function POST(request: Request) {\n *   const result = await verifyAttest(request, {\n *     projectId: process.env.ATTEST_PROJECT_ID!,\n *     apiKey: process.env.ATTEST_API_KEY!,\n *   });\n *\n *   if (!result.attested) {\n *     return Response.json({ error: \"Not attested\" }, { status: 403 });\n *   }\n *\n *   // ... handle request\n * }\n * ```\n */\nexport async function verifyAttest(\n  request: Request,\n  config: AttestConfig\n): Promise<AttestResult> {\n  const headers = getAttestHeaders(request);\n\n  // If no ATTEST headers, request is not attested\n  if (!headers.timestamp || !headers.signature || !headers.fingerprint) {\n    return {\n      attested: false,\n      reason: \"Missing ATTEST headers\",\n    };\n  }\n\n  try {\n    const response = await fetch(config.verifyUrl || ATTEST_VERIFY_URL, {\n      method: \"POST\",\n      headers: {\n        \"Content-Type\": \"application/json\",\n      },\n      body: JSON.stringify({\n        project_id: config.projectId,\n        api_key: config.apiKey,\n        timestamp: parseInt(headers.timestamp, 10),\n        signature: headers.signature,\n        fingerprint: headers.fingerprint,\n      }),\n    });\n\n    if (!response.ok) {\n      return {\n        attested: false,\n        reason: `Verification service error: ${response.status}`,\n      };\n    }\n\n    return (await response.json()) as AttestResult;\n  } catch (error) {\n    // Fail open - don't break the app if ATTEST service is down\n    console.error(\"[@sekyuriti/attest] Verification failed:\", error);\n    return {\n      attested: true,\n      reason: \"Verification service unavailable\",\n    };\n  }\n}\n\n/**\n * Create a configured verifier function\n *\n * @example\n * ```ts\n * import { createAttestVerifier } from \"@sekyuriti/attest\";\n *\n * const verify = createAttestVerifier({\n *   projectId: process.env.ATTEST_PROJECT_ID!,\n *   apiKey: process.env.ATTEST_API_KEY!,\n * });\n *\n * export async function POST(request: Request) {\n *   const result = await verify(request);\n *   if (!result.attested) {\n *     return Response.json({ error: \"Not attested\" }, { status: 403 });\n *   }\n *   // ...\n * }\n * ```\n */\nexport function createAttestVerifier(config: AttestConfig) {\n  return (request: Request) => verifyAttest(request, config);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAOA,oBAA6B;;;ACA7B,IAAM,oBAAoB;AAwCnB,SAAS,iBAAiB,SAAiC;AAChE,SAAO;AAAA,IACL,WAAW,QAAQ,QAAQ,IAAI,oBAAoB;AAAA,IACnD,WAAW,QAAQ,QAAQ,IAAI,oBAAoB;AAAA,IACnD,aAAa,QAAQ,QAAQ,IAAI,sBAAsB;AAAA,IACvD,SAAS,QAAQ,QAAQ,IAAI,kBAAkB;AAAA,EACjD;AACF;AA+BA,eAAsB,aACpB,SACA,QACuB;AACvB,QAAM,UAAU,iBAAiB,OAAO;AAGxC,MAAI,CAAC,QAAQ,aAAa,CAAC,QAAQ,aAAa,CAAC,QAAQ,aAAa;AACpE,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,OAAO,aAAa,mBAAmB;AAAA,MAClE,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB,YAAY,OAAO;AAAA,QACnB,SAAS,OAAO;AAAA,QAChB,WAAW,SAAS,QAAQ,WAAW,EAAE;AAAA,QACzC,WAAW,QAAQ;AAAA,QACnB,aAAa,QAAQ;AAAA,MACvB,CAAC;AAAA,IACH,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,aAAO;AAAA,QACL,UAAU;AAAA,QACV,QAAQ,+BAA+B,SAAS,MAAM;AAAA,MACxD;AAAA,IACF;AAEA,WAAQ,MAAM,SAAS,KAAK;AAAA,EAC9B,SAAS,OAAO;AAEd,YAAQ,MAAM,4CAA4C,KAAK;AAC/D,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,EACF;AACF;;;ADrFA,SAAS,eAAe,MAAc,SAA0B;AAE9D,QAAM,eAAe,QAClB,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,GAAG;AACrB,SAAO,IAAI,OAAO,IAAI,YAAY,GAAG,EAAE,KAAK,IAAI;AAClD;AAKA,SAAS,kBAAkB,MAAc,UAA6B;AACpE,SAAO,SAAS,KAAK,CAAC,YAAY,eAAe,MAAM,OAAO,CAAC;AACjE;AAoBO,SAAS,uBAAuB,QAAgC;AACrE,QAAM;AAAA,IACJ,kBAAkB,CAAC,QAAQ;AAAA,IAC3B,gBAAgB,CAAC;AAAA,IACjB,uBAAuB;AAAA,IACvB;AAAA,IACA;AAAA,IACA,GAAG;AAAA,EACL,IAAI;AAEJ,SAAO,eAAe,WAAW,SAAsB;AACrD,UAAM,OAAO,QAAQ,QAAQ;AAG7B,UAAM,cAAc,kBAAkB,MAAM,eAAe;AAC3D,UAAM,aAAa,kBAAkB,MAAM,aAAa;AAExD,QAAI,CAAC,eAAe,YAAY;AAC9B,aAAO,2BAAa,KAAK;AAAA,IAC3B;AAGA,UAAM,SAAS,MAAM,aAAa,SAAS,YAAY;AAEvD,QAAI,CAAC,OAAO,UAAU;AAEpB,UAAI,wBAAwB,OAAO,WAAW,0BAA0B;AACtE,eAAO,2BAAa,KAAK;AAAA,MAC3B;AAGA,UAAI,WAAW;AACb,eAAO,UAAU,SAAS,MAAM;AAAA,MAClC;AAGA,aAAO,2BAAa;AAAA,QAClB;AAAA,UACE,OAAO;AAAA,UACP,QAAQ,OAAO;AAAA,QACjB;AAAA,QACA,EAAE,QAAQ,IAAI;AAAA,MAChB;AAAA,IACF;AAGA,QAAI,WAAW;AACb,YAAM,UAAU,SAAS,MAAM;AAAA,IACjC;AAGA,UAAM,WAAW,2BAAa,KAAK;AACnC,QAAI,OAAO,aAAa;AACtB,eAAS,QAAQ,IAAI,iCAAiC,OAAO,WAAW;AAAA,IAC1E;AAEA,WAAO;AAAA,EACT;AACF;AAmBO,IAAM,mBAAmB,uBAAuB;AAAA,EACrD,WAAW,QAAQ,IAAI,qBAAqB;AAAA,EAC5C,QAAQ,QAAQ,IAAI,kBAAkB;AACxC,CAAC;","names":[]}

package/dist/middleware.mjs

@@ -0,0 +1,110 @@
+// src/middleware.ts
+import { NextResponse } from "next/server";
+
+// src/index.ts
+var ATTEST_VERIFY_URL = "https://sekyuriti.build/api/v2/attest/verify";
+function getAttestHeaders(request) {
+  return {
+    timestamp: request.headers.get("x-attest-timestamp"),
+    signature: request.headers.get("x-attest-signature"),
+    fingerprint: request.headers.get("x-attest-fingerprint"),
+    project: request.headers.get("x-attest-project")
+  };
+}
+async function verifyAttest(request, config) {
+  const headers = getAttestHeaders(request);
+  if (!headers.timestamp || !headers.signature || !headers.fingerprint) {
+    return {
+      attested: false,
+      reason: "Missing ATTEST headers"
+    };
+  }
+  try {
+    const response = await fetch(config.verifyUrl || ATTEST_VERIFY_URL, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        project_id: config.projectId,
+        api_key: config.apiKey,
+        timestamp: parseInt(headers.timestamp, 10),
+        signature: headers.signature,
+        fingerprint: headers.fingerprint
+      })
+    });
+    if (!response.ok) {
+      return {
+        attested: false,
+        reason: `Verification service error: ${response.status}`
+      };
+    }
+    return await response.json();
+  } catch (error) {
+    console.error("[@sekyuriti/attest] Verification failed:", error);
+    return {
+      attested: true,
+      reason: "Verification service unavailable"
+    };
+  }
+}
+
+// src/middleware.ts
+function matchesPattern(path, pattern) {
+  const regexPattern = pattern.replace(/\*/g, ".*").replace(/\?/g, ".");
+  return new RegExp(`^${regexPattern}$`).test(path);
+}
+function matchesAnyPattern(path, patterns) {
+  return patterns.some((pattern) => matchesPattern(path, pattern));
+}
+function createAttestMiddleware(config) {
+  const {
+    protectedRoutes = ["/api/*"],
+    excludeRoutes = [],
+    allowUnauthenticated = false,
+    onBlocked,
+    onAllowed,
+    ...attestConfig
+  } = config;
+  return async function middleware(request) {
+    const path = request.nextUrl.pathname;
+    const isProtected = matchesAnyPattern(path, protectedRoutes);
+    const isExcluded = matchesAnyPattern(path, excludeRoutes);
+    if (!isProtected || isExcluded) {
+      return NextResponse.next();
+    }
+    const result = await verifyAttest(request, attestConfig);
+    if (!result.attested) {
+      if (allowUnauthenticated && result.reason === "Missing ATTEST headers") {
+        return NextResponse.next();
+      }
+      if (onBlocked) {
+        return onBlocked(request, result);
+      }
+      return NextResponse.json(
+        {
+          error: "Request not attested",
+          reason: result.reason
+        },
+        { status: 403 }
+      );
+    }
+    if (onAllowed) {
+      await onAllowed(request, result);
+    }
+    const response = NextResponse.next();
+    if (result.fingerprint) {
+      response.headers.set("x-attest-verified-fingerprint", result.fingerprint);
+    }
+    return response;
+  };
+}
+var attestMiddleware = createAttestMiddleware({
+  projectId: process.env.ATTEST_PROJECT_ID || "",
+  apiKey: process.env.ATTEST_API_KEY || ""
+});
+export {
+  attestMiddleware,
+  createAttestMiddleware
+};
+//# sourceMappingURL=middleware.mjs.map

package/dist/middleware.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/middleware.ts","../src/index.ts"],"sourcesContent":["/**\n * @sekyuriti/attest/middleware\n *\n * Next.js middleware for automatic ATTEST verification.\n * Protects all matching routes with a single file.\n */\n\nimport { NextResponse } from \"next/server\";\nimport type { NextRequest } from \"next/server\";\nimport { verifyAttest, type AttestConfig, type AttestResult } from \"./index\";\n\nexport interface AttestMiddlewareConfig extends AttestConfig {\n  /**\n   * Routes to protect (glob patterns)\n   * @default [\"/api/*\"]\n   */\n  protectedRoutes?: string[];\n\n  /**\n   * Routes to exclude from protection (glob patterns)\n   * @default []\n   */\n  excludeRoutes?: string[];\n\n  /**\n   * Allow requests without ATTEST headers (passthrough mode)\n   * Useful for gradual rollout\n   * @default false\n   */\n  allowUnauthenticated?: boolean;\n\n  /**\n   * Custom handler for blocked requests\n   */\n  onBlocked?: (request: NextRequest, result: AttestResult) => Response | Promise<Response>;\n\n  /**\n   * Custom handler for allowed requests (for logging, etc.)\n   */\n  onAllowed?: (request: NextRequest, result: AttestResult) => void | Promise<void>;\n}\n\n/**\n * Check if a path matches a glob pattern\n */\nfunction matchesPattern(path: string, pattern: string): boolean {\n  // Convert glob to regex\n  const regexPattern = pattern\n    .replace(/\\*/g, \".*\")\n    .replace(/\\?/g, \".\");\n  return new RegExp(`^${regexPattern}$`).test(path);\n}\n\n/**\n * Check if a path matches any of the patterns\n */\nfunction matchesAnyPattern(path: string, patterns: string[]): boolean {\n  return patterns.some((pattern) => matchesPattern(path, pattern));\n}\n\n/**\n * Create ATTEST middleware for Next.js\n *\n * @example\n * ```ts\n * // middleware.ts\n * import { createAttestMiddleware } from \"@sekyuriti/attest/middleware\";\n *\n * export const middleware = createAttestMiddleware({\n *   projectId: process.env.ATTEST_PROJECT_ID!,\n *   apiKey: process.env.ATTEST_API_KEY!,\n * });\n *\n * export const config = {\n *   matcher: \"/api/:path*\",\n * };\n * ```\n */\nexport function createAttestMiddleware(config: AttestMiddlewareConfig) {\n  const {\n    protectedRoutes = [\"/api/*\"],\n    excludeRoutes = [],\n    allowUnauthenticated = false,\n    onBlocked,\n    onAllowed,\n    ...attestConfig\n  } = config;\n\n  return async function middleware(request: NextRequest) {\n    const path = request.nextUrl.pathname;\n\n    // Check if this path should be protected\n    const isProtected = matchesAnyPattern(path, protectedRoutes);\n    const isExcluded = matchesAnyPattern(path, excludeRoutes);\n\n    if (!isProtected || isExcluded) {\n      return NextResponse.next();\n    }\n\n    // Verify with ATTEST\n    const result = await verifyAttest(request, attestConfig);\n\n    if (!result.attested) {\n      // Allow through if configured and no headers present\n      if (allowUnauthenticated && result.reason === \"Missing ATTEST headers\") {\n        return NextResponse.next();\n      }\n\n      // Custom blocked handler\n      if (onBlocked) {\n        return onBlocked(request, result);\n      }\n\n      // Default blocked response\n      return NextResponse.json(\n        {\n          error: \"Request not attested\",\n          reason: result.reason,\n        },\n        { status: 403 }\n      );\n    }\n\n    // Call allowed handler if provided\n    if (onAllowed) {\n      await onAllowed(request, result);\n    }\n\n    // Add fingerprint to headers for downstream use\n    const response = NextResponse.next();\n    if (result.fingerprint) {\n      response.headers.set(\"x-attest-verified-fingerprint\", result.fingerprint);\n    }\n\n    return response;\n  };\n}\n\n/**\n * Simple middleware that uses environment variables\n *\n * @example\n * ```ts\n * // middleware.ts\n * export { attestMiddleware as middleware } from \"@sekyuriti/attest/middleware\";\n *\n * export const config = {\n *   matcher: \"/api/:path*\",\n * };\n * ```\n *\n * Requires environment variables:\n * - ATTEST_PROJECT_ID\n * - ATTEST_API_KEY\n */\nexport const attestMiddleware = createAttestMiddleware({\n  projectId: process.env.ATTEST_PROJECT_ID || \"\",\n  apiKey: process.env.ATTEST_API_KEY || \"\",\n});\n","/**\n * @sekyuriti/attest\n *\n * API protection for Next.js applications.\n * Verify that requests come from real browsers, not bots or scripts.\n */\n\nconst ATTEST_VERIFY_URL = \"https://sekyuriti.build/api/v2/attest/verify\";\n\nexport interface AttestConfig {\n  /** Your ATTEST project ID (starts with ATST_) */\n  projectId: string;\n  /** Your ATTEST API key (keep this secret, server-side only) */\n  apiKey: string;\n  /** Custom verify URL (optional, for self-hosted) */\n  verifyUrl?: string;\n}\n\nexport interface AttestResult {\n  /** Whether the request passed verification */\n  attested: boolean;\n  /** Browser fingerprint (if attested) */\n  fingerprint?: string;\n  /** Verification timestamp */\n  timestamp?: number;\n  /** Reason for failure (if not attested) */\n  reason?: string;\n  /** Warning message (e.g., approaching rate limit) */\n  warning?: string;\n  /** Current usage stats */\n  usage?: {\n    used: number;\n    limit: number;\n    percent: number;\n  };\n}\n\nexport interface AttestHeaders {\n  timestamp: string | null;\n  signature: string | null;\n  fingerprint: string | null;\n  project: string | null;\n}\n\n/**\n * Extract ATTEST headers from a request\n */\nexport function getAttestHeaders(request: Request): AttestHeaders {\n  return {\n    timestamp: request.headers.get(\"x-attest-timestamp\"),\n    signature: request.headers.get(\"x-attest-signature\"),\n    fingerprint: request.headers.get(\"x-attest-fingerprint\"),\n    project: request.headers.get(\"x-attest-project\"),\n  };\n}\n\n/**\n * Check if a request has ATTEST headers\n */\nexport function hasAttestHeaders(request: Request): boolean {\n  const headers = getAttestHeaders(request);\n  return !!(headers.timestamp && headers.signature && headers.fingerprint);\n}\n\n/**\n * Verify a request with ATTEST\n *\n * @example\n * ```ts\n * import { verifyAttest } from \"@sekyuriti/attest\";\n *\n * export async function POST(request: Request) {\n *   const result = await verifyAttest(request, {\n *     projectId: process.env.ATTEST_PROJECT_ID!,\n *     apiKey: process.env.ATTEST_API_KEY!,\n *   });\n *\n *   if (!result.attested) {\n *     return Response.json({ error: \"Not attested\" }, { status: 403 });\n *   }\n *\n *   // ... handle request\n * }\n * ```\n */\nexport async function verifyAttest(\n  request: Request,\n  config: AttestConfig\n): Promise<AttestResult> {\n  const headers = getAttestHeaders(request);\n\n  // If no ATTEST headers, request is not attested\n  if (!headers.timestamp || !headers.signature || !headers.fingerprint) {\n    return {\n      attested: false,\n      reason: \"Missing ATTEST headers\",\n    };\n  }\n\n  try {\n    const response = await fetch(config.verifyUrl || ATTEST_VERIFY_URL, {\n      method: \"POST\",\n      headers: {\n        \"Content-Type\": \"application/json\",\n      },\n      body: JSON.stringify({\n        project_id: config.projectId,\n        api_key: config.apiKey,\n        timestamp: parseInt(headers.timestamp, 10),\n        signature: headers.signature,\n        fingerprint: headers.fingerprint,\n      }),\n    });\n\n    if (!response.ok) {\n      return {\n        attested: false,\n        reason: `Verification service error: ${response.status}`,\n      };\n    }\n\n    return (await response.json()) as AttestResult;\n  } catch (error) {\n    // Fail open - don't break the app if ATTEST service is down\n    console.error(\"[@sekyuriti/attest] Verification failed:\", error);\n    return {\n      attested: true,\n      reason: \"Verification service unavailable\",\n    };\n  }\n}\n\n/**\n * Create a configured verifier function\n *\n * @example\n * ```ts\n * import { createAttestVerifier } from \"@sekyuriti/attest\";\n *\n * const verify = createAttestVerifier({\n *   projectId: process.env.ATTEST_PROJECT_ID!,\n *   apiKey: process.env.ATTEST_API_KEY!,\n * });\n *\n * export async function POST(request: Request) {\n *   const result = await verify(request);\n *   if (!result.attested) {\n *     return Response.json({ error: \"Not attested\" }, { status: 403 });\n *   }\n *   // ...\n * }\n * ```\n */\nexport function createAttestVerifier(config: AttestConfig) {\n  return (request: Request) => verifyAttest(request, config);\n}\n"],"mappings":";AAOA,SAAS,oBAAoB;;;ACA7B,IAAM,oBAAoB;AAwCnB,SAAS,iBAAiB,SAAiC;AAChE,SAAO;AAAA,IACL,WAAW,QAAQ,QAAQ,IAAI,oBAAoB;AAAA,IACnD,WAAW,QAAQ,QAAQ,IAAI,oBAAoB;AAAA,IACnD,aAAa,QAAQ,QAAQ,IAAI,sBAAsB;AAAA,IACvD,SAAS,QAAQ,QAAQ,IAAI,kBAAkB;AAAA,EACjD;AACF;AA+BA,eAAsB,aACpB,SACA,QACuB;AACvB,QAAM,UAAU,iBAAiB,OAAO;AAGxC,MAAI,CAAC,QAAQ,aAAa,CAAC,QAAQ,aAAa,CAAC,QAAQ,aAAa;AACpE,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,OAAO,aAAa,mBAAmB;AAAA,MAClE,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,gBAAgB;AAAA,MAClB;AAAA,MACA,MAAM,KAAK,UAAU;AAAA,QACnB,YAAY,OAAO;AAAA,QACnB,SAAS,OAAO;AAAA,QAChB,WAAW,SAAS,QAAQ,WAAW,EAAE;AAAA,QACzC,WAAW,QAAQ;AAAA,QACnB,aAAa,QAAQ;AAAA,MACvB,CAAC;AAAA,IACH,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,aAAO;AAAA,QACL,UAAU;AAAA,QACV,QAAQ,+BAA+B,SAAS,MAAM;AAAA,MACxD;AAAA,IACF;AAEA,WAAQ,MAAM,SAAS,KAAK;AAAA,EAC9B,SAAS,OAAO;AAEd,YAAQ,MAAM,4CAA4C,KAAK;AAC/D,WAAO;AAAA,MACL,UAAU;AAAA,MACV,QAAQ;AAAA,IACV;AAAA,EACF;AACF;;;ADrFA,SAAS,eAAe,MAAc,SAA0B;AAE9D,QAAM,eAAe,QAClB,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,GAAG;AACrB,SAAO,IAAI,OAAO,IAAI,YAAY,GAAG,EAAE,KAAK,IAAI;AAClD;AAKA,SAAS,kBAAkB,MAAc,UAA6B;AACpE,SAAO,SAAS,KAAK,CAAC,YAAY,eAAe,MAAM,OAAO,CAAC;AACjE;AAoBO,SAAS,uBAAuB,QAAgC;AACrE,QAAM;AAAA,IACJ,kBAAkB,CAAC,QAAQ;AAAA,IAC3B,gBAAgB,CAAC;AAAA,IACjB,uBAAuB;AAAA,IACvB;AAAA,IACA;AAAA,IACA,GAAG;AAAA,EACL,IAAI;AAEJ,SAAO,eAAe,WAAW,SAAsB;AACrD,UAAM,OAAO,QAAQ,QAAQ;AAG7B,UAAM,cAAc,kBAAkB,MAAM,eAAe;AAC3D,UAAM,aAAa,kBAAkB,MAAM,aAAa;AAExD,QAAI,CAAC,eAAe,YAAY;AAC9B,aAAO,aAAa,KAAK;AAAA,IAC3B;AAGA,UAAM,SAAS,MAAM,aAAa,SAAS,YAAY;AAEvD,QAAI,CAAC,OAAO,UAAU;AAEpB,UAAI,wBAAwB,OAAO,WAAW,0BAA0B;AACtE,eAAO,aAAa,KAAK;AAAA,MAC3B;AAGA,UAAI,WAAW;AACb,eAAO,UAAU,SAAS,MAAM;AAAA,MAClC;AAGA,aAAO,aAAa;AAAA,QAClB;AAAA,UACE,OAAO;AAAA,UACP,QAAQ,OAAO;AAAA,QACjB;AAAA,QACA,EAAE,QAAQ,IAAI;AAAA,MAChB;AAAA,IACF;AAGA,QAAI,WAAW;AACb,YAAM,UAAU,SAAS,MAAM;AAAA,IACjC;AAGA,UAAM,WAAW,aAAa,KAAK;AACnC,QAAI,OAAO,aAAa;AACtB,eAAS,QAAQ,IAAI,iCAAiC,OAAO,WAAW;AAAA,IAC1E;AAEA,WAAO;AAAA,EACT;AACF;AAmBO,IAAM,mBAAmB,uBAAuB;AAAA,EACrD,WAAW,QAAQ,IAAI,qBAAqB;AAAA,EAC5C,QAAQ,QAAQ,IAAI,kBAAkB;AACxC,CAAC;","names":[]}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@sekyuriti/attest",
+  "version": "0.1.0",
+  "description": "API protection middleware for Next.js - verify requests with ATTEST",
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    },
+    "./middleware": {
+      "types": "./dist/middleware.d.ts",
+      "import": "./dist/middleware.mjs",
+      "require": "./dist/middleware.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "api-protection",
+    "bot-detection",
+    "security",
+    "nextjs",
+    "middleware",
+    "attest",
+    "sekyuriti"
+  ],
+  "author": "SEKYURITI",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/sekyuriti/attest"
+  },
+  "homepage": "https://sekyuriti.build/attest",
+  "peerDependencies": {
+    "next": ">=13.0.0"
+  },
+  "devDependencies": {
+    "next": "^15.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.0.0"
+  }
+}