npm - @sekyuriti/attest - Versions diffs - 0.2.2 → 0.2.3 - Mend

@sekyuriti/attest 0.2.2 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +38 -93
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -2,52 +2,39 @@
 API protection for Next.js applications. Verify that requests come from real browsers, not bots or scripts.
-## Installation
+## Quick Start
+One command setup:
 ```bash
-npm install @sekyuriti/attest
+npx @sekyuriti/attest login
 ```
-## Quick Start
+This will:
+1. Open browser for authentication
+2. Let you select your project
+3. Auto-add environment variables to `.env.local`
+4. Auto-inject the ATTEST script into `layout.tsx`
-### 1. Add the script to your frontend
+Done. Your API is protected.
-```html
-<script src="https://sekyuriti.build/api/v2/attest/script/YOUR_PROJECT_ID" defer></script>
-```
+## What It Does
-Or in Next.js:
-```tsx
-// app/layout.tsx
-export default function RootLayout({ children }) {
-  return (
-    <html>
-      <head>
-        <script
-          src={`https://sekyuriti.build/api/v2/attest/script/${process.env.NEXT_PUBLIC_ATTEST_PROJECT_ID}`}
-          defer
-        />
-      </head>
-      <body>{children}</body>
-    </html>
-  );
-}
-```
-### 2. Protect your API routes
+- **Frontend script** automatically signs all `fetch()` and `XMLHttpRequest` calls
+- **Backend verification** validates signatures with SEKYURITI's API
+- **Bots and scripts** can't generate valid signatures without running in a real browser
-**Option A: Middleware (recommended)**
+## Optional: Middleware
-Protects all `/api/*` routes automatically:
+Add server-side verification for all API routes:
 ```ts
 // middleware.ts
 import { createAttestMiddleware } from "@sekyuriti/attest/middleware";
 export const middleware = createAttestMiddleware({
-  projectId: process.env.ATTEST_PROJECT_ID!,
-  apiKey: process.env.ATTEST_API_KEY!,
+  projectId: process.env.NEXT_PUBLIC_ATTEST_KEY!,
+  apiKey: process.env.ATTEST_SECRET_KEY!,
 });
 export const config = {
@@ -55,7 +42,7 @@ export const config = {
 };
 ```
-**Option B: Per-route verification**
+## Optional: Per-Route Verification
 ```ts
 // app/api/protected/route.ts
@@ -63,8 +50,8 @@ import { verifyAttest } from "@sekyuriti/attest";
 export async function POST(request: Request) {
   const result = await verifyAttest(request, {
-    projectId: process.env.ATTEST_PROJECT_ID!,
-    apiKey: process.env.ATTEST_API_KEY!,
+    projectId: process.env.NEXT_PUBLIC_ATTEST_KEY!,
+    apiKey: process.env.ATTEST_SECRET_KEY!,
   });
   if (!result.attested) {
@@ -75,72 +62,26 @@ export async function POST(request: Request) {
 }
 ```
-## Environment Variables
-```env
-ATTEST_PROJECT_ID=ATST_xxxxxxxxxxxx
-ATTEST_API_KEY=sk_xxxxxxxxxxxx
-NEXT_PUBLIC_ATTEST_PROJECT_ID=ATST_xxxxxxxxxxxx
-```
-## API Reference
-### `verifyAttest(request, config)`
-Verify a single request.
-```ts
-const result = await verifyAttest(request, {
-  projectId: "ATST_xxx",
-  apiKey: "sk_xxx",
-});
+## CLI Commands
-// result.attested: boolean
-// result.fingerprint: string (if attested)
-// result.reason: string (if not attested)
-```
-### `createAttestMiddleware(config)`
-Create middleware for automatic verification.
-```ts
-const middleware = createAttestMiddleware({
-  projectId: "ATST_xxx",
-  apiKey: "sk_xxx",
-  // Optional settings
-  protectedRoutes: ["/api/*"],  // Routes to protect
-  excludeRoutes: ["/api/health"], // Routes to skip
-  allowUnauthenticated: false, // Allow requests without headers
-  // Custom handlers
-  onBlocked: (req, result) => Response.json({ error: result.reason }, { status: 403 }),
-  onAllowed: (req, result) => console.log("Verified:", result.fingerprint),
-});
+```bash
+attest login     # Authenticate and setup project
+attest logout    # Sign out
+attest status    # Show account and usage info
+attest init      # Re-run setup in current project
+attest whoami    # Print current user email
+attest help      # Show help
 ```
-### `createAttestVerifier(config)`
-Create a reusable verifier function.
+## Environment Variables
-```ts
-const verify = createAttestVerifier({
-  projectId: process.env.ATTEST_PROJECT_ID!,
-  apiKey: process.env.ATTEST_API_KEY!,
-});
+Auto-generated by `attest login`:
-// Use in multiple routes
-const result = await verify(request);
+```env
+NEXT_PUBLIC_ATTEST_KEY=your_public_key
+ATTEST_SECRET_KEY=your_secret_key
 ```
-## How It Works
-1. **Frontend script** automatically signs all `fetch()` and `XMLHttpRequest` calls
-2. **Signatures** are added as headers: `X-Attest-Timestamp`, `X-Attest-Signature`, `X-Attest-Fingerprint`
-3. **Backend verification** validates signatures with SEKYURITI's API
-4. **Bots and scripts** can't generate valid signatures without running in a real browser
 ## Protection Features
 - DevTools detection
@@ -149,6 +90,10 @@ const result = await verify(request);
 - Browser fingerprinting
 - Timestamp validation
+## Documentation
+https://sekyuriti.build/docs/attest
 ## License
 MIT

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sekyuriti/attest",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "API protection middleware for Next.js - verify requests with ATTEST",
   "main": "dist/index.js",
   "module": "dist/index.mjs",