@spring-systems/server 0.8.6 → 0.8.7

package/dist/api-route-handler.js

@@ -1,19 +1 @@
-import {
-  DELETE,
-  GET,
-  OPTIONS,
-  PATCH,
-  POST,
-  PUT
-} from "./chunk-NFJ25NQQ.js";
-import "./chunk-PZWKMIA4.js";
-import "./chunk-7IUSTA5W.js";
-export {
-  DELETE,
-  GET,
-  OPTIONS,
-  PATCH,
-  POST,
-  PUT
-};
-//# sourceMappingURL=api-route-handler.js.map
+import{a,b,c,d,e,f}from"./chunk-VB7DEUGT.js";import"./chunk-M23YQYLU.js";import"./chunk-E4AX7MID.js";export{d as DELETE,a as GET,f as OPTIONS,e as PATCH,b as POST,c as PUT};

package/dist/chunk-E4AX7MID.js

@@ -0,0 +1 @@
+var s=class{ipStore=new Map;accountStore=new Map;getStore(t){return t==="ip"?this.ipStore:this.accountStore}get(t,e){return this.getStore(t).get(e)??null}set(t,e,r){this.getStore(t).set(e,r)}delete(t,e){this.getStore(t).delete(e)}size(t){return this.getStore(t).size}evictOldest(t,e){let r=this.getStore(t),o=[...r.entries()].sort((i,c)=>i[1].windowStartedAt-c[1].windowStartedAt);for(let i=0;i<e&&i<o.length;i++){let c=o[i];if(!c)break;r.delete(c[0])}}sweepExpired(t,e,r){let o=this.getStore(t);for(let[i,c]of o.entries()){let u=e-c.windowStartedAt>r,p=c.blockedUntil<=e;u&&p&&o.delete(i)}}},a=new s,l=!1;function g(n){a=n}function f(){return a}function w(n,t,e){!l&&a instanceof s&&process.env.NODE_ENV==="production"&&(l=!0,console.warn("[server] Rate limiter is using in-memory storage in production. For multi-instance deployments, call setRateLimiterAdapter() with a shared-storage adapter."));let r=Date.now(),o=d(a,"ip",n,e.maxAttemptsByIpAndAccount,e,r);if(o)return o;if(t){let i=d(a,"account",t,e.maxAttemptsByAccount,e,r);if(i)return i}return null}function A(n,t,e){let r=Date.now();m(a,"ip",n,e,r),t&&m(a,"account",t,e,r)}function b(n,t){a.delete("ip",n),t&&a.delete("account",t)}function d(n,t,e,r,o,i){let c=n.get(t,e);if(!c)return null;if(c.blockedUntil>i){let u=Math.ceil((c.blockedUntil-i)/1e3);return`Rate limited (${t}). Try again in ${u}s.`}return i-c.windowStartedAt>o.windowMs?(n.delete(t,e),null):c.count>=r?(c.blockedUntil=i+o.blockMs,n.set(t,e,c),`Too many attempts (${t}). Blocked for ${Math.ceil(o.blockMs/1e3)}s.`):null}function m(n,t,e,r,o){n.size(t)>=r.maxKeys&&n.evictOldest(t,Math.floor(r.maxKeys*.1));let i=n.get(t,e);!i||o-i.windowStartedAt>r.windowMs?n.set(t,e,{count:1,windowStartedAt:o,blockedUntil:0}):(i.count++,n.set(t,e,i))}export{g as a,f as b,w as c,A as d,b as e};

package/dist/chunk-FXUI75TW.js

@@ -0,0 +1 @@
+var r="accelerometer=(), autoplay=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), browsing-topics=()",i=Object.freeze({"Referrer-Policy":"strict-origin-when-cross-origin","X-Content-Type-Options":"nosniff","X-Frame-Options":"DENY","Cross-Origin-Opener-Policy":"same-origin","Cross-Origin-Resource-Policy":"same-origin","X-DNS-Prefetch-Control":"off","X-Permitted-Cross-Domain-Policies":"none","Origin-Agent-Cluster":"?1","Permissions-Policy":r}),n=Object.entries(i).map(([e,o])=>({key:e,value:o}));export{r as a,i as b,n as c};

package/dist/chunk-KEEIJ5EV.js

@@ -0,0 +1 @@
+import{b as R}from"./chunk-FXUI75TW.js";import{getFrameworkConfig as S}from"@spring-systems/core/config";import{NextResponse as g}from"next/server.js";function O(r){let s=r.trim();if(!s)return[];try{let t=new URL(s),n=[t.origin];return t.protocol==="https:"?n.push(`wss://${t.host}`):t.protocol==="http:"&&n.push(`ws://${t.host}`),n}catch{return[]}}var j=new Set(["javascript:","data:","blob:","vbscript:","filesystem:"]);function l(r){let s=r.trim();if(!s||/[\s;,\r\n]/.test(s))return null;if(/^[a-zA-Z][a-zA-Z0-9+.-]*:$/.test(s)){let t=s.toLowerCase();return j.has(t)?null:t}try{let t=new URL(s);return!["http:","https:","ws:","wss:"].includes(t.protocol)||t.username||t.password||t.pathname!=="/"||t.search||t.hash?null:`${t.protocol}//${t.host}`}catch{return null}}function D(r){let s=r.trim();if(!s||/[\s;,\r\n"]/.test(s))return null;try{let t=new URL(s);return!["http:","https:"].includes(t.protocol)||t.username||t.password?null:t.toString()}catch{return null}}function u(r){let s=r.split(",").map(t=>l(t)).filter(t=>!!t);return[...new Set(s)]}function M(r){let s=r.nextUrl.clone(),t=process.env.TARGET_ENV||"test",n=t==="prod"||process.env.NODE_ENV==="production",o=t==="prod",i=s.hostname==="localhost"||s.hostname==="127.0.0.1",c=crypto.randomUUID().replace(/-/g,""),f=process.env.CSP_DENY_STYLE_ATTR==="true",E=!o,_=u(process.env.CSP_CONNECT_HOSTS||""),C=O(process.env.API_URL||""),P=u(process.env.CSP_IMG_HOSTS||""),w=u(process.env.CSP_SCRIPT_HOSTS||""),x=u(process.env.CSP_FRAME_HOSTS||""),p=S().csp,T=p.thirdPartyConnectSources.map(e=>l(e)).filter(e=>!!e),H=p.thirdPartyImageSources.map(e=>l(e)).filter(e=>!!e),U=p.thirdPartyScriptSources.map(e=>l(e)).filter(e=>!!e),b=p.thirdPartyFrameSources.map(e=>l(e)).filter(e=>!!e),L=["'self'",...T,...C,..._,...n?[]:["http://localhost:*","http://127.0.0.1:*","ws://localhost:*","ws://127.0.0.1:*"]].join(" "),$=["'self'","data:","blob:",...H,...P].join(" "),y=[...U,...w].join(" "),N=[...b,...x].join(" "),a=D(process.env.CSP_REPORT_URI||""),d=["default-src 'self'","base-uri 'self'","object-src 'none'",`script-src 'self' 'nonce-${c}' 'strict-dynamic' ${y}`,`script-src-elem 'self' 'nonce-${c}' 'strict-dynamic' ${y}`,"script-src-attr 'none'",E?"style-src 'self' 'unsafe-inline'":`style-src 'self' 'nonce-${c}'`,f?"style-src-attr 'none'":"style-src-attr 'unsafe-inline'",`img-src ${$}`,"media-src 'self' blob: data:","manifest-src 'self'",`connect-src ${L}`,`frame-src ${N||"'none'"}`,"frame-ancestors 'none'","form-action 'self'",...o?["upgrade-insecure-requests"]:[],...a?[`report-uri ${a}`,"report-to csp-violations"]:[]].join("; "),A=S().proxy.blockedPathPrefixesInProd??[];if(n){for(let e of A)if(s.pathname.startsWith(e)){let m=new g("Not Found",{status:404});return h(m,{isLocalHost:i,isTargetProd:o,csp:d,nonce:c,reportUri:a})}}if(s.pathname==="/"){let e=new URL(s.toString());!i&&o&&(e.protocol="https:"),e.pathname=S().app.defaultRoute,e.search="";let m=k(e,308);return h(m,{isLocalHost:i,isTargetProd:o,csp:d,nonce:c,reportUri:a})}let v=new Headers(r.headers);v.set("x-nonce",c);let I=g.next({request:{headers:v}});return h(I,{isLocalHost:i,isTargetProd:o,csp:d,nonce:c,reportUri:a})}function h(r,s){let{isLocalHost:t,csp:n,nonce:o,reportUri:i}=s;n&&r.headers.set("Content-Security-Policy",n);for(let[c,f]of Object.entries(R))r.headers.set(c,f);return s.isTargetProd&&!t&&r.headers.set("Strict-Transport-Security","max-age=63072000; includeSubDomains; preload"),i&&r.headers.set("Reporting-Endpoints",`csp-violations="${i}"`),o&&r.headers.set("x-nonce",o),r}function k(r,s=308){let t=new g(null,{status:s});return t.headers.set("Location",typeof r=="string"?r:r.toString()),t}var Y={matcher:["/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt|api/health).*)"]};export{M as a,Y as b};

package/dist/chunk-M23YQYLU.js

@@ -0,0 +1 @@
+import{b as g,c as T,d as h,e as E}from"./chunk-E4AX7MID.js";import{getFrameworkConfig as x,getSecureSessionCookieName as I,getSessionCookieName as H}from"@spring-systems/core/config";var U=604800;function M(){return Number(process.env.AUTH_COOKIE_MAX_AGE_SECONDS||"28800")}function F(){return(process.env.TARGET_ENV||"")==="prod"}function c(){return H(x().auth.sessionCookiePrefix)}function l(){return I(x().auth.sessionCookiePrefix)}function v(){return new Set(x().auth.sessionExpiredCodes)}function K(e){return e.nextUrl.hostname==="localhost"||e.nextUrl.hostname==="127.0.0.1"||e.nextUrl.hostname==="::1"||e.nextUrl.hostname==="[::1]"}function A(e){return K(e)?!1:F()?!0:e.nextUrl.protocol==="https:"}function D(e){return A(e)?l():c()}function S(e,t,r,n,o){let i=A(t);e.cookies.set({name:r,value:n,httpOnly:!0,secure:i,sameSite:"lax",path:"/",maxAge:o,priority:"high"})}function ne(e,t,r){let n=M(),o=Number.isFinite(n)&&n>0?Math.floor(n):28800,i=Math.min(o,U),s=D(t),u=s===c()?l():c();S(e,t,s,r,i),S(e,t,u,"",0)}function w(e,t,r){let n=A(t);e.cookies.set({name:r,value:"",httpOnly:!0,secure:n,sameSite:"lax",path:"/",maxAge:0,priority:"high"});let o=!n,i=[`${r}=`,"Path=/","Max-Age=0","HttpOnly","SameSite=Lax","Priority=High"];o&&i.push("Secure"),e.headers.append("Set-Cookie",i.join("; "))}function oe(e,t){w(e,t,c()),w(e,t,l())}function ie(e){let t=[c(),l()];for(let o of t){let i=(e.cookies.get(o)?.value||"").trim();if(i)return i}let r=e.headers.get("cookie")||"";if(!r)return"";let n=r.split(";").map(o=>o.trim());for(let o of n){if(!o)continue;let i=o.indexOf("=");if(i<=0)continue;let s=o.slice(0,i).trim();if(s!==c()&&s!==l())continue;let u=o.slice(i+1).trim();if(u)try{return decodeURIComponent(u)}catch{return u}}return""}function z(e){return typeof e=="string"?e.trim().toLowerCase():""}function L(e){let t=z(e);return t!==""&&v().has(t)}async function se(e){if(e.status!==403)return!1;try{let t=e.clone();try{let r=await t.json();return L(r.code)||L(r.error_code)}catch{return!1}}catch{return!1}}import{getFrameworkConfig as V}from"@spring-systems/core/config";function m(e){let t=e;if(typeof t.ip=="string")return t.ip.trim()||void 0}var G=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","proxy-connection"]);function a(e,t){return Number.isFinite(e)&&e>0?Math.floor(e):t}function ce(e){if(!e)return null;let t=Number(e);return!Number.isFinite(t)||t<0?null:Math.floor(t)}function ae(e){return e.replace(/^\/+|\/+$/g,"").toLowerCase()}function le(e){return!(!e||e==="."||e===".."||e.includes("\\")||e.includes("/")||/[\u0000-\u001F\u007F]/.test(e))}function fe(e){return e.match(/\/(v\d+(?:\.\d+)?)\/?$/i)?.[1]??null}function pe(e){return e.match(/^(v\d+(?:\.\d+)?)(?:\/|$)/i)?.[1]??null}function me(e){let t=(e.get("connection")||"").trim();return t?new Set(t.split(",").map(r=>r.trim().toLowerCase()).filter(Boolean)):new Set}function de(e,t){let r=e.toLowerCase();return G.has(r)||t.has(r)}var p=class extends Error{code="PAYLOAD_TOO_LARGE";constructor(t){super(t),this.name="PayloadTooLargeError"}};function ge(e,t){let r=0;return e.pipeThrough(new TransformStream({transform(n,o){if(r+=n.byteLength,r>t){o.error(new p("Payload too large"));return}o.enqueue(n)}}))}function xe(e){let t=[e],r=new Set;for(;t.length>0;){let n=t.shift();if(!(!n||r.has(n))){if(r.add(n),n instanceof p)return!0;if(n instanceof Error){if(n.name==="PayloadTooLargeError"||n.code==="PAYLOAD_TOO_LARGE")return!0;let i=n.cause;i&&t.push(i)}else if(typeof n=="object"){let o=n;if(o.code==="PAYLOAD_TOO_LARGE"||typeof o.name=="string"&&o.name==="PayloadTooLargeError")return!0;o.cause&&t.push(o.cause)}}}return!1}var B=new Set(["POST","PUT","PATCH","DELETE"]);function q(){return(process.env.FRONTEND_URL||"").trim()}function _(){return(process.env.FRONTEND_IP||"").trim()}function X(){return process.env.AUTH_TRUST_PROXY_HEADERS==="true"}function O(){return new Set((process.env.CSRF_EXEMPT_PATHS||"").split(",").map(e=>e.trim().replace(/^\/+|\/+$/g,"").toLowerCase()).filter(Boolean))}function P(){return(process.env.NODE_ENV||"")==="production"||(process.env.TARGET_ENV||"")==="prod"}function d(e){try{return new URL(e).origin}catch{return null}}function Ce(e){let t=_();if(!t)return!1;let r=m(e);if(r)return r===t;if(!X())return!1;let o=(e.headers.get("x-forwarded-for")||"").trim().split(",")[0]?.trim();if(o)return o===t;let i=(e.headers.get("x-real-ip")||"").trim();return i?i===t:!1}function y(e){let t=(e.headers.get("origin")||"").trim();if(!t)return null;let r=d(t);if(!r)return null;let n=q(),o=n?d(n):null;if(o&&r===o)return r;let i=_();if(!i)return null;try{let s=new URL(r);return s.hostname!==i||!["http:","https:"].includes(s.protocol)||P()&&s.protocol!=="https:"||s.protocol==="http:"&&s.port!==""&&s.port!=="80"||s.protocol==="https:"&&s.port!==""&&s.port!=="443"?null:r}catch{return null}}function $(e){return B.has(e.toUpperCase())}function N(e,t){let r=(e.get("Vary")||"").trim();if(!r){e.set("Vary",t);return}let n=r.split(",").map(i=>i.trim()).filter(Boolean);if(n.some(i=>i==="*")){e.set("Vary","*");return}if(n.some(i=>i.toLowerCase()===t.toLowerCase())){e.set("Vary",n.join(", "));return}e.set("Vary",[...n,t].join(", "))}function j(e){let t=(e.headers.get("sec-fetch-site")||"").trim().toLowerCase();return t?!(t==="same-origin"||t==="same-site"||t==="none"):!1}function Y(e){let t=(e.headers.get("origin")||"").trim();if(!t)return!1;let r=d(t);if(!r)return!1;let n=e.nextUrl.origin;if(r===n)return!0;let o=y(e);return!!o&&o===r}function W(e){let t=(e.headers.get("referer")||"").trim();return t?d(t):null}function J(e){let t=W(e);if(!t)return!1;if(t===e.nextUrl.origin)return!0;let r=y(e);return!!r&&r===t}function Te(e,t,r){let n=O();return!$(t)||n.has(r.toLowerCase())?!1:j(e)?!0:!(Y(e)||J(e))}function he(e,t,r){let n=y(t),o=V().proxy.corsAllowedHeaders;if(r){n&&e.set("Access-Control-Allow-Origin",n),e.set("Access-Control-Allow-Methods","GET, POST, PUT, DELETE, PATCH, OPTIONS"),e.set("Access-Control-Allow-Headers",o),e.set("Access-Control-Max-Age","86400"),n?e.set("Access-Control-Allow-Credentials","true"):e.delete("Access-Control-Allow-Credentials"),N(e,"Origin");return}n?(e.set("Access-Control-Allow-Origin",n),e.set("Access-Control-Allow-Credentials","true")):e.delete("Access-Control-Allow-Credentials"),N(e,"Origin"),e.set("Access-Control-Allow-Methods","GET, POST, PUT, DELETE, PATCH, OPTIONS"),e.set("Access-Control-Allow-Headers",o),e.set("Access-Control-Max-Age","86400")}function Q(){return O().size>0}function Ee(){return P()&&Q()?"CSRF_EXEMPT_PATHS is not allowed in production":null}function R(){return process.env.AUTH_LOGIN_RATE_LIMIT_ENABLED!=="false"}function Z(){return process.env.AUTH_TRUST_PROXY_HEADERS==="true"}function f(e,t){return(e.headers.get(t)||"").trim()}function ee(e){let t=f(e,"user-agent").toLowerCase().slice(0,64),r=f(e,"accept-language").toLowerCase().slice(0,32),n=f(e,"sec-ch-ua").toLowerCase().slice(0,64),o=[t,r,n].filter(Boolean).join("|");return o?`fp:${o}`.slice(0,128):"unknown"}function C(){return{windowMs:a(Number(process.env.AUTH_LOGIN_RATE_LIMIT_WINDOW_MS||"900000"),9e5),blockMs:a(Number(process.env.AUTH_LOGIN_RATE_LIMIT_BLOCK_MS||"900000"),9e5),maxAttemptsByIpAndAccount:a(Number(process.env.AUTH_LOGIN_RATE_LIMIT_MAX_ATTEMPTS||"8"),8),maxAttemptsByAccount:a(Number(process.env.AUTH_LOGIN_RATE_LIMIT_ACCOUNT_MAX_ATTEMPTS||"20"),20),maxKeys:a(Number(process.env.AUTH_LOGIN_RATE_LIMIT_MAX_KEYS||"10000"),1e4)}}function te(e){if(Z()){let n=f(e,"x-forwarded-for").split(",")[0]?.trim();if(n)return n;let o=f(e,"x-real-ip");if(o)return o}let t=m(e);return t||ee(e)}function b(e){let t=e.trim().toLowerCase();return t?t.slice(0,128):"unknown"}function Ne(e,t){let r=b(t);return{pairKey:`${b(te(e))}:${r}`,accountKey:r!=="unknown"?r:null}}function _e(e){let t=C(),r=g();for(let n of["ip","account"]){typeof r.sweepExpired=="function"&&r.sweepExpired(n,e,t.windowMs);let o=r.size(n);o>t.maxKeys&&r.evictOldest(n,o-t.maxKeys)}}function Oe(e,t){if(!R())return 0;let r=C();if(!T(e.pairKey,e.accountKey,r))return 0;let o=g(),i=o.get("ip",e.pairKey),s=e.accountKey?o.get("account",e.accountKey):null,u=i&&i.blockedUntil>t?i.blockedUntil-t:0,k=s&&s.blockedUntil>t?s.blockedUntil-t:0;return Math.max(u,k)}function Pe(e,t){if(!R())return;let r=C();h(e.pairKey,e.accountKey,r)}function be(e){R()&&E(e.pairKey,e.accountKey)}export{a,ce as b,ae as c,le as d,fe as e,pe as f,me as g,de as h,ge as i,xe as j,K as k,A as l,D as m,ne as n,oe as o,ie as p,L as q,se as r,d as s,Ce as t,y as u,Te as v,he as w,Q as x,Ee as y,te as z,Ne as A,_e as B,Oe as C,Pe as D,be as E};

package/dist/chunk-TVAJDSYB.js

@@ -0,0 +1 @@
+import{getRuntimeEnvKeys as i}from"@spring-systems/core/config";import{NextResponse as s}from"next/server.js";async function p(){let e=(process.env.NODE_ENV||"")==="production"||(process.env.TARGET_ENV||"")==="prod",n=(process.env.RUNTIME_ENV_PUBLIC_IN_PROD||"").toLowerCase()==="true";if(e&&!n)return s.json({error:"Not found"},{status:404});let t=Object.fromEntries(i().map(r=>[r,process.env[r]]).filter(([,r])=>typeof r=="string"));return s.json(t,{status:200,headers:{"Cache-Control":"no-store, no-cache, must-revalidate, proxy-revalidate",Pragma:"no-cache",Expires:"0"}})}import{getRuntimeEnvKeys as c}from"@spring-systems/core/config";import{jsx as m}from"react/jsx-runtime";function u(e){return JSON.stringify(e).replace(/</g,"\\u003C").replace(/>/g,"\\u003E").replace(/&/g,"\\u0026").replace(/\u2028/g,"\\u2028").replace(/\u2029/g,"\\u2029")}function a({nonce:e}){let n={};for(let r of c()){let o=process.env[r];typeof o=="string"&&(n[r]=o)}let t=`window.__RUNTIME_ENV__ = ${u(n)};`;return m("script",{id:"runtime-env",nonce:e,suppressHydrationWarning:!0,dangerouslySetInnerHTML:{__html:t}})}export{p as a,a as b};

package/dist/chunk-UDRRRHFI.js

@@ -0,0 +1 @@
+import o from"next/dynamic";import p from"next/image";import u from"next/link";import{useParams as m,usePathname as i,useRouter as c,useSearchParams as d}from"next/navigation";var t=!1;function N(){return{usePathname:i,useSearchParams:()=>d()??new URLSearchParams,useParams:()=>m()??{},useRouter:c}}function r(e){let a=e?.defaultDynamicSsr??!0;return e?.defaultDynamicSsr===void 0&&!t&&process.env.NODE_ENV!=="production"&&(t=!0,console.warn("[server] createNextUIAdapter() defaults dynamic imports to ssr:true. For client-only apps use createClientOnlyNextUIAdapter() or pass { defaultDynamicSsr: false }.")),{Image:p,Link:u,dynamic:(s,n)=>o(s,{ssr:n?.ssr??a})}}function P(){return r({defaultDynamicSsr:!1})}function I(){return r({defaultDynamicSsr:!0})}export{N as a,r as b,P as c,I as d};

package/dist/chunk-VB7DEUGT.js

@@ -0,0 +1 @@
+import{A as J,B as fe,C as ge,D as me,E as ye,a as Y,b as ne,c as V,d as oe,e as se,f as ae,g as G,h as K,i as re,j as ie,k as ce,n as le,o as v,p as he,r as ue,t as P,v as pe,w as R,y as de}from"./chunk-M23YQYLU.js";import{getFrameworkConfig as L}from"@spring-systems/core/config";import{logInfo as Ce,logWarn as Pe}from"@spring-systems/core/logger";import{NextResponse as C}from"next/server.js";var W;function Ee(){if(W!==void 0)return W;let e=(process.env.API_URL||"").trim();if(!e)throw new Error("API_URL environment variable is not set");try{new URL(e)}catch{throw new Error(`API_URL is not a valid URL: "${e}"`)}return W=e,e}function Re(e,n){let t=process.env[e];if(!t)return n;let l=Number(t);if(!Number.isFinite(l)||l<=0)throw new Error(`${e} must be a positive number, got: "${t}"`);return l}var Ue=Re("API_PROXY_NON_MULTIPART_MAX_BYTES",10485760),ke=Re("API_PROXY_MULTIPART_MAX_BYTES",52428800),be=new Set([400,401,403,404,429,502]),Be=process.env.AUTH_DEBUG==="true";function He(){return new Set(L().auth.publicAuthPaths)}function ve(){return L().proxy.safeHashPattern}function Ie(){return L().proxy.maxProxyPathLength}function Ne(){return de()}function Oe(e){return e?Y(ke,52428800):Y(Ue,10485760)}function I(e,n){Be&&Ce(`AuthProxy.${e}`,n)}function $e(e){let n=e.trim();if(!n)return"";let t=ve();return!t||!t.test(n)?"":n}function u(e,n,t,l){let h=new Headers(l);return R(h,e,P(e)),C.json({error:n},{status:t,headers:h})}async function je(e,n){let{path:t}=await n.params;return E(e,t,"GET")}async function Ye(e,n){let{path:t}=await n.params;return E(e,t,"POST")}async function Ve(e,n){let{path:t}=await n.params;return E(e,t,"PUT")}async function Ge(e,n){let{path:t}=await n.params;return E(e,t,"DELETE")}async function Ke(e,n){let{path:t}=await n.params;return E(e,t,"PATCH")}async function E(e,n,t){let l=n.join("/");try{fe(Date.now());let h=Ne();if(h)return u(e,h,500);if(!n.every(o=>oe(o)))return u(e,"Invalid path",400);if(l.length>Ie())return u(e,"Path too long",414);let w=Ee().replace(/\/+$/,"");if(!w)return u(e,"API_URL is not configured",500);let U=new URL(w).pathname,k=se(U),N=ae(l),O=l;k&&N&&k.toLowerCase()===N.toLowerCase()&&(O=l.replace(new RegExp(`^${N}/?`,"i"),""));let Le=`${w}/${O.replace(/^\/+/,"")}`,r=V(O),T=L().auth,Q=(T.loginPath??"auth/login").toLowerCase(),Z=(T.logoutPath??"auth/logout").toLowerCase(),b=(T.infoPath??"auth/info").toLowerCase(),$=r===Q,D=r===Z,we=r===Q||r===Z||r===b,Te=new URL(e.url),g=new URL(Le);Te.searchParams.forEach((o,c)=>{g.searchParams.has(c)||g.searchParams.set(c,o)});let p=new Headers,xe=G(e.headers);e.headers.forEach((o,c)=>{let a=c.toLowerCase();a==="host"||a==="content-length"||a==="cookie"||a==="authorization"||K(a,xe)||p.set(c,o)}),p.has("X-Requested-With")||p.set("X-Requested-With","XMLHttpRequest");let x=he(e),q=(e.headers.get("authorization")||"").trim(),M=/^Bearer\s+\S+$/i.test(q);if(I("incoming-auth",{path:r,method:t,hasSessionToken:!!x,hasBearerAuthorization:M,host:e.nextUrl.host,protocol:e.nextUrl.protocol}),r===b&&!x&&!M){let o=new C(null,{status:204});return R(o.headers,e,P(e)),o.headers.set("Cache-Control","no-store, no-cache, must-revalidate, proxy-revalidate"),o.headers.set("Pragma","no-cache"),o.headers.set("Expires","0"),v(o,e),I("short-circuit-auth-info-no-token",{host:e.nextUrl.host,protocol:e.nextUrl.protocol}),o}if(pe(e,t,r))return Pe("ApiProxy.CSRF",`Blocked ${t} ${r} \u2014 origin: ${e.headers.get("origin")??"none"}, referer: ${e.headers.get("referer")??"none"}, sec-fetch-site: ${e.headers.get("sec-fetch-site")??"none"}`),u(e,"Forbidden",403);x&&!He().has(r)?p.set("Authorization",`Bearer ${x}`):M&&p.set("Authorization",q);let Ae=e.headers.get("x-hash")||"",A=$e(Ae);A&&(p.set("X-hash",A),p.set("Hash",A),g.searchParams.has("hash")||g.searchParams.set("hash",A),g.searchParams.has("Hash")||g.searchParams.set("Hash",A));let y,d=null;if(t!=="GET"&&t!=="HEAD"){let o=e.headers.get("content-type")||"",c=o.includes("multipart/form-data"),a=Oe(c),m=ne(e.headers.get("content-length"));if(m!==null&&m>a)return u(e,"Payload too large",413);if(c){if(m===null)return u(e,"Content-Length required for multipart payload",411);y=e.body?re(e.body,a):e.body}else{if(y=await e.arrayBuffer(),y.byteLength>a)return u(e,"Payload too large",413);if($&&o.includes("application/json"))try{let B=new TextDecoder().decode(y),H=JSON.parse(B),S=T.loginUsernameField??"username";d=J(e,String(H[S]||""));let j=ge(d,Date.now());if(j>0)return Pe("ApiProxy.RateLimit",`Login rate-limited for key ${d.pairKey} \u2014 retry after ${Math.ceil(j/1e3)}s`),u(e,"Too many login attempts. Try again later.",429,{"Retry-After":String(Math.ceil(j/1e3))})}catch{d=J(e,"")}}}let ee={method:t,headers:p,body:y,redirect:"manual",signal:AbortSignal.timeout(L().api?.timeoutMs??3e4)};y instanceof ReadableStream&&(ee.duplex="half");let s=await fetch(g.toString(),ee),i=new Headers,_e=G(s.headers);s.headers.forEach((o,c)=>{let a=c.toLowerCase();a==="content-encoding"||a==="content-length"||K(a,_e)||i.set(c,o)});let _=null,z="",F=s.status;if($&&(s.headers.get("content-type")||"").toLowerCase().includes("application/json"))try{let c=await s.text(),a=JSON.parse(c),m=T.tokenResponseFields??{accessToken:"access_token",refreshToken:"refresh_token"},B=a[m.accessToken],H=typeof B=="string"?B.trim():"";H&&(z=H);let S={...a};delete S[m.accessToken],delete S[m.refreshToken],_=JSON.stringify(S),i.set("content-type","application/json; charset=utf-8"),i.delete("content-length")}catch{_=JSON.stringify({error:"Invalid response from authentication service"}),F=502,i.set("content-type","application/json; charset=utf-8"),i.delete("content-length")}let Se=P(e);R(i,e,Se),we?(i.set("Cache-Control","no-store, no-cache, must-revalidate, proxy-revalidate"),i.set("Pragma","no-cache"),i.set("Expires","0")):i.has("Cache-Control")||i.set("Cache-Control","private, no-store"),D&&s.status>=200&&s.status<300&&!ce(e)&&i.set("Clear-Site-Data",'"cache", "storage"');let te=await ue(s);_||(_=s.body);let X=new C(_,{status:F,headers:i});return z&&s.status>=200&&s.status<300?(le(X,e,z),d&&ye(d)):$&&d&&be.has(F)?me(d,Date.now()):(D||s.status===401||r===b&&s.status===403||te)&&(I("clear-session-cookie",{path:r,method:t,status:s.status,reason:D?"logout":s.status===401?"status_401":r===b&&s.status===403?"auth_info_403":te?"forbidden_session_text":"unknown",hadSessionToken:!!x}),v(X,e)),X}catch(h){if(ie(h))return u(e,"Payload too large",413);let w=process.env.NODE_ENV==="development",f=C.json({error:"Proxy request failed",...w?{details:h instanceof Error?h.message:String(h)}:{}},{status:500}),U=V(l).replace(/^v\d+(?:\.\d+)?\/?/i,""),k=(L().auth.logoutPath??"auth/logout").toLowerCase();return R(f.headers,e,P(e)),U===k&&(v(f,e),f.headers.set("Cache-Control","no-store, no-cache, must-revalidate, proxy-revalidate"),f.headers.set("Pragma","no-cache"),f.headers.set("Expires","0"),I("clear-session-cookie",{path:U,method:t,status:500,reason:"logout_proxy_failure"})),f}}async function Je(e){let n=new Headers,t=P(e);return R(n,e,t),new C(null,{status:204,headers:n})}export{je as a,Ye as b,Ve as c,Ge as d,Ke as e,Je as f};

package/dist/client.js

@@ -1,14 +1 @@
-"use client";
-import {
-  createClientOnlyNextUIAdapter,
-  createNextRouteAdapter
-} from "./chunk-CP33WQ5Q.js";
-
-// src/client.ts
-var SPRING_SERVER_VERSION = true ? "0.8.6" : "0.0.0-dev";
-export {
-  SPRING_SERVER_VERSION,
-  createClientOnlyNextUIAdapter,
-  createNextRouteAdapter
-};
-//# sourceMappingURL=client.js.map
+"use client";import{a as e,c as t}from"./chunk-UDRRRHFI.js";var _="0.8.7";export{_ as SPRING_SERVER_VERSION,t as createClientOnlyNextUIAdapter,e as createNextRouteAdapter};

package/dist/handlers/index.js

@@ -1,48 +1 @@
-import {
-  applyCorsHeaders,
-  cleanupExpiredLoginLimits,
-  clearLoginAttemptState,
-  clearSessionCookie,
-  getClientAddress,
-  getLoginRateLimitKeys,
-  getRateLimitRetryAfterMs,
-  getSessionToken,
-  hasCsrfExemptPaths,
-  isInternalIpAccess,
-  isLocalHostRequest,
-  isSessionExpiredCode,
-  normalizeOrigin,
-  registerFailedLoginAttempt,
-  resolveAllowedOrigin,
-  resolveProdSecurityConfigError,
-  resolveSessionCookieName,
-  setSessionCookie,
-  shouldClearSessionFromForbidden,
-  shouldRejectByCsrfProtection,
-  useSecureCookies
-} from "../chunk-PZWKMIA4.js";
-import "../chunk-7IUSTA5W.js";
-export {
-  applyCorsHeaders,
-  cleanupExpiredLoginLimits,
-  clearLoginAttemptState,
-  clearSessionCookie,
-  getClientAddress,
-  getLoginRateLimitKeys,
-  getRateLimitRetryAfterMs,
-  getSessionToken,
-  hasCsrfExemptPaths,
-  isInternalIpAccess,
-  isLocalHostRequest,
-  isSessionExpiredCode,
-  normalizeOrigin,
-  registerFailedLoginAttempt,
-  resolveAllowedOrigin,
-  resolveProdSecurityConfigError,
-  resolveSessionCookieName,
-  setSessionCookie,
-  shouldClearSessionFromForbidden,
-  shouldRejectByCsrfProtection,
-  useSecureCookies
-};
-//# sourceMappingURL=index.js.map
+import{A as q,B as r,C as s,D as t,E as u,k as a,l as b,m as c,n as d,o as e,p as f,q as g,r as h,s as i,t as j,u as k,v as l,w as m,x as n,y as o,z as p}from"../chunk-M23YQYLU.js";import"../chunk-E4AX7MID.js";export{m as applyCorsHeaders,r as cleanupExpiredLoginLimits,u as clearLoginAttemptState,e as clearSessionCookie,p as getClientAddress,q as getLoginRateLimitKeys,s as getRateLimitRetryAfterMs,f as getSessionToken,n as hasCsrfExemptPaths,j as isInternalIpAccess,a as isLocalHostRequest,g as isSessionExpiredCode,i as normalizeOrigin,t as registerFailedLoginAttempt,k as resolveAllowedOrigin,o as resolveProdSecurityConfigError,c as resolveSessionCookieName,d as setSessionCookie,h as shouldClearSessionFromForbidden,l as shouldRejectByCsrfProtection,b as useSecureCookies};

package/dist/index.js

@@ -1,44 +1 @@
-import {
-  proxy,
-  proxyConfig
-} from "./chunk-4SUIIQDW.js";
-import {
-  DELETE,
-  GET,
-  OPTIONS,
-  PATCH,
-  POST,
-  PUT
-} from "./chunk-NFJ25NQQ.js";
-import "./chunk-PZWKMIA4.js";
-import {
-  GET as GET2,
-  RuntimeEnvScript
-} from "./chunk-YV6DZVPI.js";
-import "./chunk-7IUSTA5W.js";
-import {
-  BASE_SECURITY_HEADERS,
-  BASE_SECURITY_HEADER_VALUES,
-  PERMISSIONS_POLICY_VALUE
-} from "./chunk-KA7RJCWA.js";
-
-// src/index.ts
-import "server-only";
-var SPRING_SERVER_VERSION = true ? "0.8.6" : "0.0.0-dev";
-export {
-  BASE_SECURITY_HEADERS,
-  BASE_SECURITY_HEADER_VALUES,
-  DELETE,
-  GET,
-  OPTIONS,
-  PATCH,
-  PERMISSIONS_POLICY_VALUE,
-  POST,
-  PUT,
-  RuntimeEnvScript,
-  SPRING_SERVER_VERSION,
-  proxy,
-  proxyConfig,
-  GET2 as runtimeEnvGET
-};
-//# sourceMappingURL=index.js.map
+import{a as I,b as p}from"./chunk-KEEIJ5EV.js";import{a as E,b as _,c as S,d as r,e as o,f as t}from"./chunk-VB7DEUGT.js";import"./chunk-M23YQYLU.js";import{a as O,b as T}from"./chunk-TVAJDSYB.js";import"./chunk-E4AX7MID.js";import{a as e,b as R,c as n}from"./chunk-FXUI75TW.js";import"server-only";var f="0.8.7";export{n as BASE_SECURITY_HEADERS,R as BASE_SECURITY_HEADER_VALUES,r as DELETE,E as GET,t as OPTIONS,o as PATCH,e as PERMISSIONS_POLICY_VALUE,_ as POST,S as PUT,T as RuntimeEnvScript,f as SPRING_SERVER_VERSION,I as proxy,p as proxyConfig,O as runtimeEnvGET};

package/dist/next-adapters.js

@@ -1,14 +1 @@
-"use client";
-import {
-  createClientOnlyNextUIAdapter,
-  createNextRouteAdapter,
-  createNextUIAdapter,
-  createSsrNextUIAdapter
-} from "./chunk-CP33WQ5Q.js";
-export {
-  createClientOnlyNextUIAdapter,
-  createNextRouteAdapter,
-  createNextUIAdapter,
-  createSsrNextUIAdapter
-};
-//# sourceMappingURL=next-adapters.js.map
+"use client";import{a,b,c,d}from"./chunk-UDRRRHFI.js";export{c as createClientOnlyNextUIAdapter,a as createNextRouteAdapter,b as createNextUIAdapter,d as createSsrNextUIAdapter};

package/dist/proxy-middleware.js

@@ -1,10 +1 @@
-import {
-  proxy,
-  proxyConfig
-} from "./chunk-4SUIIQDW.js";
-import "./chunk-KA7RJCWA.js";
-export {
-  proxy,
-  proxyConfig
-};
-//# sourceMappingURL=proxy-middleware.js.map
+import{a,b}from"./chunk-KEEIJ5EV.js";import"./chunk-FXUI75TW.js";export{a as proxy,b as proxyConfig};

package/dist/rate-limiter.js

@@ -1,15 +1 @@
-import {
-  checkRateLimit,
-  clearRateLimitEntries,
-  getRateLimiterAdapter,
-  recordFailedAttempt,
-  setRateLimiterAdapter
-} from "./chunk-7IUSTA5W.js";
-export {
-  checkRateLimit,
-  clearRateLimitEntries,
-  getRateLimiterAdapter,
-  recordFailedAttempt,
-  setRateLimiterAdapter
-};
-//# sourceMappingURL=rate-limiter.js.map
+import{a,b,c,d,e}from"./chunk-E4AX7MID.js";export{c as checkRateLimit,e as clearRateLimitEntries,b as getRateLimiterAdapter,d as recordFailedAttempt,a as setRateLimiterAdapter};

package/dist/runtime-env.js

@@ -1,9 +1 @@
-import {
-  GET,
-  RuntimeEnvScript
-} from "./chunk-YV6DZVPI.js";
-export {
-  RuntimeEnvScript,
-  GET as runtimeEnvGET
-};
-//# sourceMappingURL=runtime-env.js.map
+import{a,b}from"./chunk-TVAJDSYB.js";export{b as RuntimeEnvScript,a as runtimeEnvGET};

package/dist/security-headers.js

@@ -1,11 +1 @@
-import {
-  BASE_SECURITY_HEADERS,
-  BASE_SECURITY_HEADER_VALUES,
-  PERMISSIONS_POLICY_VALUE
-} from "./chunk-KA7RJCWA.js";
-export {
-  BASE_SECURITY_HEADERS,
-  BASE_SECURITY_HEADER_VALUES,
-  PERMISSIONS_POLICY_VALUE
-};
-//# sourceMappingURL=security-headers.js.map
+import{a,b,c}from"./chunk-FXUI75TW.js";export{c as BASE_SECURITY_HEADERS,b as BASE_SECURITY_HEADER_VALUES,a as PERMISSIONS_POLICY_VALUE};

package/package.json

@@ -1,118 +1,119 @@
 {
-  "name": "@spring-systems/server",
-  "version": "0.8.6",
-  "description": "Next.js server-only code for the Spring Systems framework (proxy, API routes, runtime env)",
-  "type": "module",
-  "main": "./dist/index.js",
-  "types": "./dist/index.d.ts",
-  "files": [
-    "dist",
-    "README.md",
-    "LICENSE",
-    "CHANGELOG.md"
-  ],
-  "license": "UNLICENSED",
-  "author": "Spring Systems",
-  "publishConfig": {
-    "access": "restricted"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://bitbucket.org/springsystems-projects/spring-framework-frontend.git",
-    "directory": "packages/server"
-  },
-  "homepage": "https://bitbucket.org/springsystems-projects/spring-framework-frontend/src/main/packages/server#readme",
-  "bugs": {
-    "url": "https://bitbucket.org/springsystems-projects/spring-framework-frontend/issues"
-  },
-  "keywords": [
-    "spring-systems",
-    "nextjs",
-    "server",
-    "proxy",
-    "api-routes",
-    "runtime-env",
-    "security"
-  ],
-  "engines": {
-    "node": ">=22.0.0"
-  },
-  "sideEffects": false,
-  "exports": {
-    ".": {
-      "types": "./dist/index.d.ts",
-      "import": "./dist/index.js",
-      "default": "./dist/index.js"
+    "name": "@spring-systems/server",
+    "version": "0.8.7",
+    "description": "Next.js server-only code for the Spring Systems framework (proxy, API routes, runtime env)",
+    "type": "module",
+    "main": "./dist/index.js",
+    "types": "./dist/index.d.ts",
+    "files": [
+        "dist",
+        "README.md",
+        "LICENSE",
+        "CHANGELOG.md"
+    ],
+    "license": "UNLICENSED",
+    "author": "Spring Systems",
+    "publishConfig": {
+        "access": "restricted"
     },
-    "./proxy": {
-      "types": "./dist/proxy-middleware.d.ts",
-      "import": "./dist/proxy-middleware.js",
-      "default": "./dist/proxy-middleware.js"
+    "repository": {
+        "type": "git",
+        "url": "git+https://bitbucket.org/springsystems-projects/spring-framework-frontend.git",
+        "directory": "packages/server"
     },
-    "./api-handler": {
-      "types": "./dist/api-route-handler.d.ts",
-      "import": "./dist/api-route-handler.js",
-      "default": "./dist/api-route-handler.js"
+    "homepage": "https://bitbucket.org/springsystems-projects/spring-framework-frontend/src/main/packages/server#readme",
+    "bugs": {
+        "url": "https://bitbucket.org/springsystems-projects/spring-framework-frontend/issues"
     },
-    "./runtime-env": {
-      "types": "./dist/runtime-env.d.ts",
-      "import": "./dist/runtime-env.js",
-      "default": "./dist/runtime-env.js"
+    "keywords": [
+        "spring-systems",
+        "nextjs",
+        "server",
+        "proxy",
+        "api-routes",
+        "runtime-env",
+        "security"
+    ],
+    "engines": {
+        "node": ">=22.0.0"
     },
-    "./client": {
-      "types": "./dist/client.d.ts",
-      "import": "./dist/client.js",
-      "default": "./dist/client.js"
+    "sideEffects": false,
+    "exports": {
+        ".": {
+            "types": "./dist/index.d.ts",
+            "import": "./dist/index.js",
+            "default": "./dist/index.js"
+        },
+        "./proxy": {
+            "types": "./dist/proxy-middleware.d.ts",
+            "import": "./dist/proxy-middleware.js",
+            "default": "./dist/proxy-middleware.js"
+        },
+        "./api-handler": {
+            "types": "./dist/api-route-handler.d.ts",
+            "import": "./dist/api-route-handler.js",
+            "default": "./dist/api-route-handler.js"
+        },
+        "./runtime-env": {
+            "types": "./dist/runtime-env.d.ts",
+            "import": "./dist/runtime-env.js",
+            "default": "./dist/runtime-env.js"
+        },
+        "./client": {
+            "types": "./dist/client.d.ts",
+            "import": "./dist/client.js",
+            "default": "./dist/client.js"
+        },
+        "./adapters": {
+            "types": "./dist/next-adapters.d.ts",
+            "import": "./dist/next-adapters.js",
+            "default": "./dist/next-adapters.js"
+        },
+        "./rate-limiter": {
+            "types": "./dist/rate-limiter.d.ts",
+            "import": "./dist/rate-limiter.js",
+            "default": "./dist/rate-limiter.js"
+        },
+        "./handlers": {
+            "types": "./dist/handlers/index.d.ts",
+            "import": "./dist/handlers/index.js",
+            "default": "./dist/handlers/index.js"
+        },
+        "./security-headers": {
+            "types": "./dist/security-headers.d.ts",
+            "import": "./dist/security-headers.js",
+            "default": "./dist/security-headers.js"
+        }
     },
-    "./adapters": {
-      "types": "./dist/next-adapters.d.ts",
-      "import": "./dist/next-adapters.js",
-      "default": "./dist/next-adapters.js"
+    "scripts": {
+        "build": "tsup",
+        "dev": "tsup --watch",
+        "typecheck": "tsc --noEmit",
+        "test": "vitest run",
+        "test:ci": "vitest run --coverage",
+        "check:exports": "node scripts/check-exports.mjs",
+        "prepack": "pnpm typecheck && pnpm lint && pnpm run build && pnpm check:exports",
+        "check:circular": "madge --circular --extensions ts,tsx --ts-config ../../tsconfig.base.json ./src",
+        "lint": "eslint src/"
     },
-    "./rate-limiter": {
-      "types": "./dist/rate-limiter.d.ts",
-      "import": "./dist/rate-limiter.js",
-      "default": "./dist/rate-limiter.js"
+    "peerDependencies": {
+        "@spring-systems/core": "^0.8.6",
+        "@spring-systems/ui": "^0.8.6",
+        "next": "^16.0.0",
+        "react": "^19.0.0"
     },
-    "./handlers": {
-      "types": "./dist/handlers/index.d.ts",
-      "import": "./dist/handlers/index.js",
-      "default": "./dist/handlers/index.js"
+    "dependencies": {
+        "server-only": "^0.0.1"
     },
-    "./security-headers": {
-      "types": "./dist/security-headers.d.ts",
-      "import": "./dist/security-headers.js",
-      "default": "./dist/security-headers.js"
+    "devDependencies": {
+        "@spring-systems/core": "workspace:^",
+        "@spring-systems/ui": "workspace:^",
+        "@types/react": "^19.2.14",
+        "@vitest/coverage-v8": "^4.0.18",
+        "next": "^16.1.6",
+        "react": "^19.2.4",
+        "tsup": "^8.5.1",
+        "typescript": "^5.9.3",
+        "vitest": "^4.0.18"
     }
-  },
-  "peerDependencies": {
-    "@spring-systems/core": "^0.8.6",
-    "@spring-systems/ui": "^0.8.6",
-    "next": "^16.0.0",
-    "react": "^19.0.0"
-  },
-  "dependencies": {
-    "server-only": "^0.0.1"
-  },
-  "devDependencies": {
-    "@types/react": "^19.2.14",
-    "@vitest/coverage-v8": "^4.0.18",
-    "next": "^16.1.6",
-    "react": "^19.2.4",
-    "tsup": "^8.5.1",
-    "typescript": "^5.9.3",
-    "vitest": "^4.0.18",
-    "@spring-systems/core": "^0.8.6",
-    "@spring-systems/ui": "^0.8.6"
-  },
-  "scripts": {
-    "build": "tsup",
-    "dev": "tsup --watch",
-    "typecheck": "tsc --noEmit",
-    "test": "vitest run",
-    "test:ci": "vitest run --coverage",
-    "check:exports": "node scripts/check-exports.mjs",
-    "check:circular": "madge --circular --extensions ts,tsx --ts-config ../../tsconfig.base.json ./src",
-    "lint": "eslint src/"
-  }
-}
+}

package/dist/api-route-handler.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}