@wizzlethorpe/vaults 0.1.0

package/dist/render/auth-template.js

@@ -0,0 +1,677 @@
+// The Pages Function shipped to Cloudflare. Generated at build time with the
+// role list and password hashes baked in. Validates session cookies, redirects
+// to /login on a missing/expired cookie, and rewrites every request to the
+// matching `_variants/<role>/` path before letting Pages serve it.
+export function renderAuthMiddleware(cfg) {
+    const rolesLiteral = JSON.stringify(cfg.roles);
+    const passwordsLiteral = JSON.stringify(cfg.rolePasswords);
+    return `// Auto-generated by the vaults CLI. Do not edit by hand.
+// Roles, password hashes, and routing live here so the deployed Function
+// is fully self-contained and doesn't need any other binding besides
+// SESSION_SECRET (set via wrangler secret).
+
+const ROLES = ${rolesLiteral};
+const PASSWORDS = ${passwordsLiteral};
+const COOKIE_NAME = "vault_role";
+// Non-HttpOnly companion cookie carrying the role name only — the auth check
+// uses COOKIE_NAME (which is signed and HttpOnly), this one is purely for UI.
+const DISPLAY_COOKIE_NAME = "vault_role_display";
+const COOKIE_MAX_AGE = 60 * 60 * 24 * 7; // 7 days
+// Bearer tokens (used by Foundry, MCP clients) get a much longer lifetime
+// since refreshing means reopening a browser-based approval flow.
+const BEARER_MAX_AGE = 60 * 60 * 24 * 90; // 90 days
+const PBKDF2_DEFAULT_ITERATIONS = 100000;
+
+// ── Public middleware entry ────────────────────────────────────────────────
+
+export const onRequest = async (ctx) => {
+  const { request, env, next } = ctx;
+  const url = new URL(request.url);
+
+  // CORS preflight — Foundry, the MCP server, and AI tooling fetch the
+  // manifest / source / search endpoints from a different origin with an
+  // 'Authorization: Bearer' header, which triggers a preflight OPTIONS.
+  // Allow * because the resource is gated by the bearer token, not by
+  // the origin (and we don't want to maintain an allowlist).
+  if (request.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: corsHeaders() });
+  }
+
+  // Block direct access to /_variants/<role>/* — those paths exist in storage
+  // for the rewrite below, but exposing them would let anyone fetch any
+  // variant's manifest, page, or markdown source by guessing the role name.
+  if (url.pathname.startsWith("/_variants/")) {
+    return withCors(new Response("Not found", { status: 404 }), request);
+  }
+
+  // /login — POST validates a password and sets the session cookie. GET
+  // serves the static login page from the deploy root; we have to pass it
+  // through explicitly because the variant-rewrite below would otherwise
+  // try to fetch /_variants/<role>/login (which doesn't exist).
+  if (url.pathname === "/login") {
+    if (request.method === "POST") return handleLogin(request, env);
+    return next();
+  }
+  if (url.pathname === "/logout") {
+    const headers = new Headers({ Location: safeNext(url.searchParams.get("next")) });
+    // Emit the cookie-clear in two variants so we delete the cookie
+    // regardless of which form was set: the new SameSite=None+Partitioned
+    // form (used by current iframes / direct browsing), and the old
+    // SameSite=Lax form (in case the cookie predates the partition switch).
+    for (const name of [COOKIE_NAME, DISPLAY_COOKIE_NAME]) {
+      for (const variant of clearCookieVariants(name)) {
+        headers.append("Set-Cookie", variant);
+      }
+    }
+    return new Response(null, { status: 302, headers });
+  }
+
+  // /connect — OAuth-style approval flow for Foundry / MCP clients to obtain
+  // a long-lived bearer token. GET shows the approval page; POST signs the
+  // token and redirects back to the requesting app.
+  if (url.pathname === "/connect" && request.method === "GET") {
+    return handleConnectGet(request, env);
+  }
+  if (url.pathname === "/connect/approve" && request.method === "POST") {
+    return handleConnectApprove(request, env);
+  }
+
+  // /_batch — bulk source fetch for sync clients (Foundry). Body is
+  // newline-separated paths under text/plain so the request stays CORS-
+  // simple (no preflight per file → no OPTIONS rate-limit). Response is
+  // JSON: { files: { path: content }, missing: [path, ...] }.
+  if (url.pathname === "/_batch" && request.method === "POST") {
+    return withCors(await handleBatch(request, env), request);
+  }
+
+  // /_batch-images — bulk *binary* fetch (images, etc). Same input shape as
+  // /_batch but each file is base64-encoded so it can ride in JSON. Used by
+  // the Foundry image cache so a 300-image sync is a handful of HTTP calls
+  // instead of 300 GETs that hit Cloudflare's per-IP rate limit.
+  if (url.pathname === "/_batch-images" && request.method === "POST") {
+    return withCors(await handleBatchBinary(request, env), request);
+  }
+
+  // Skip rewriting for static-asset paths that don't have a per-role variant.
+  // Anything outside the variant tree (images, css, login page, search index
+  // for the default role on root, etc.) is served as-is by Pages.
+  if (isSharedAsset(url.pathname)) return next();
+
+  // Determine the user's role from the session cookie (default = lowest).
+  const role = await readRole(request, env);
+
+  // env.ASSETS canonicalizes URLs (strips .html, strips index.html, redirects
+  // with 308s) — passing those redirects through to the browser would expose
+  // the /_variants/<role>/ path, which the guard at the top of this function
+  // explicitly blocks. So: rewrite to a clean URL, and if ASSETS still returns
+  // a redirect, follow it server-side instead of leaking it to the client.
+  const target = "/_variants/" + role + (url.pathname === "/" ? "/" : url.pathname);
+  let rewritten = new Request(new URL(target, url.origin).toString(), request);
+  let response = await env.ASSETS.fetch(rewritten);
+  if (response.status >= 300 && response.status < 400) {
+    const location = response.headers.get("Location");
+    if (location && location.startsWith("/_variants/")) {
+      rewritten = new Request(new URL(location, url.origin).toString(), request);
+      response = await env.ASSETS.fetch(rewritten);
+    }
+  }
+  // Replace bare 404s with the variant's styled 404 page so the reader stays
+  // inside the site (sidebar, search, sitemap intact). Only HTML navigation
+  // requests get the page; asset/API requests get the bare 404 unchanged.
+  if (response.status === 404 && wantsHtml(request)) {
+    const fallback = await env.ASSETS.fetch(new URL("/_variants/" + role + "/404.html", url.origin).toString());
+    if (fallback.ok) {
+      return withCors(new Response(await fallback.text(), {
+        status: 404,
+        headers: { "Content-Type": "text/html; charset=utf-8" },
+      }), request);
+    }
+  }
+  return withCors(response, request);
+};
+
+// Headers added for cross-origin clients (Foundry module, MCP). Origin: *
+// is safe because the resources are gated by bearer token, not by origin.
+function corsHeaders() {
+  return {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET, HEAD, OPTIONS",
+    "Access-Control-Allow-Headers": "Authorization, Content-Type",
+    "Access-Control-Max-Age": "86400",
+    "Vary": "Origin",
+  };
+}
+
+function withCors(response, request) {
+  if (!request.headers.get("Origin")) return response;
+  // Response from env.ASSETS.fetch is immutable — clone before mutating.
+  const headers = new Headers(response.headers);
+  for (const [k, v] of Object.entries(corsHeaders())) headers.set(k, v);
+  return new Response(response.body, { status: response.status, statusText: response.statusText, headers });
+}
+
+function wantsHtml(request) {
+  const accept = request.headers.get("Accept") || "";
+  return accept.includes("text/html") || accept === "*/*" || accept === "";
+}
+
+// ── Login ─────────────────────────────────────────────────────────────────
+
+async function handleLogin(request, env) {
+  const form = await request.formData();
+  const role = String(form.get("role") || "");
+  const password = String(form.get("password") || "");
+  const next = safeNext(form.get("next"));
+
+  if (!ROLES.includes(role) || !PASSWORDS[role]) {
+    return loginRedirect(next, "invalid_role");
+  }
+
+  const ok = await verifyPassword(password, PASSWORDS[role]);
+  if (!ok) return loginRedirect(next, "wrong_password");
+
+  const cookie = await signSessionCookie(role, env.SESSION_SECRET);
+  const headers = new Headers({ Location: next });
+  headers.append("Set-Cookie", cookie);
+  headers.append("Set-Cookie", DISPLAY_COOKIE_NAME + "=" + encodeURIComponent(role)
+    + "; Path=/; Secure; SameSite=None; Partitioned; Max-Age=" + COOKIE_MAX_AGE);
+  return new Response(null, { status: 302, headers });
+}
+
+// Sanitise a 'next' redirect target. Only same-origin relative paths are
+// allowed — anything else (absolute URLs, protocol-relative '//evil.com',
+// the protected /_variants/ tree) is replaced with '/'. Prevents the login
+// and logout endpoints from being weaponised as open redirects.
+function safeNext(value) {
+  const s = typeof value === "string" ? value : "";
+  if (!s.startsWith("/")) return "/";
+  if (s.startsWith("//")) return "/";
+  if (s.startsWith("/_variants/")) return "/";
+  return s;
+}
+
+function loginRedirect(next, error) {
+  const url = "/login.html?error=" + encodeURIComponent(error) + "&next=" + encodeURIComponent(next);
+  return new Response(null, { status: 302, headers: { Location: url } });
+}
+
+// ── Batch source fetch ────────────────────────────────────────────────────
+//
+// Bulk-read endpoint used by sync clients to avoid making one HTTP request
+// per .md file. The body is newline-separated paths (text/plain, so the
+// request stays CORS-simple — no preflight). The handler resolves each
+// path against the caller's role variant and bundles the results into a
+// single JSON response.
+//
+// Caps:
+//   - max 200 paths per call (cap concurrent ASSETS reads inside the worker)
+//   - paths must not contain '..' or query/fragment, must not start with '_'
+//     (would escape the variant or hit metadata files)
+
+const BATCH_MAX_PATHS = 200;
+// Smaller cap for binary — base64 inflates ~4/3x and we don't want to
+// blow the worker response budget. ~30 images at 200KB avg ≈ 8MB JSON.
+const BATCH_BINARY_MAX_PATHS = 30;
+
+async function handleBatch(request, env) {
+  return handleBatchInner(request, env, BATCH_MAX_PATHS, async (res) => res.text());
+}
+
+async function handleBatchBinary(request, env) {
+  return handleBatchInner(request, env, BATCH_BINARY_MAX_PATHS, async (res) => {
+    return base64Encode(new Uint8Array(await res.arrayBuffer()));
+  });
+}
+
+async function handleBatchInner(request, env, maxPaths, encode) {
+  const role = await readRole(request, env);
+  if (!ROLES.includes(role)) return batchError(401, "Unauthorized");
+
+  let body;
+  try { body = await request.text(); }
+  catch { return batchError(400, "Could not read request body."); }
+
+  const paths = body.split(/\\r?\\n/).map((s) => s.trim()).filter(Boolean);
+  if (paths.length === 0) return batchError(400, "No paths in request body.");
+  if (paths.length > maxPaths) return batchError(400, "Too many paths (max " + maxPaths + ").");
+  for (const p of paths) {
+    if (!isSafePath(p)) return batchError(400, "Invalid path: " + p);
+  }
+
+  // ASSETS.fetch is internal to the worker, so fan-out is cheap.
+  const url = new URL(request.url);
+  const entries = await Promise.all(paths.map(async (p) => {
+    const target = new URL("/_variants/" + role + "/" + encodeVariantPath(p), url.origin).toString();
+    const res = await env.ASSETS.fetch(target);
+    if (!res.ok) return [p, null];
+    return [p, await encode(res)];
+  }));
+
+  const files = {};
+  const missing = [];
+  for (const [p, content] of entries) {
+    if (content == null) missing.push(p);
+    else files[p] = content;
+  }
+  return new Response(JSON.stringify({ files, missing }), {
+    headers: { "Content-Type": "application/json" },
+  });
+}
+
+function batchError(status, message) {
+  return new Response(JSON.stringify({ error: message }), {
+    status, headers: { "Content-Type": "application/json" },
+  });
+}
+
+function base64Encode(bytes) {
+  // btoa wants a binary string. Build it in chunks so we don't blow the
+  // call-stack on String.fromCharCode for big payloads.
+  let binary = "";
+  const CHUNK = 0x8000;
+  for (let i = 0; i < bytes.length; i += CHUNK) {
+    binary += String.fromCharCode.apply(null, bytes.subarray(i, i + CHUNK));
+  }
+  return btoa(binary);
+}
+
+function isSafePath(p) {
+  if (!p || p.length > 1024) return false;
+  if (p.includes("..") || p.includes("?") || p.includes("#")) return false;
+  if (p.startsWith("/") || p.startsWith("_")) return false;
+  // Reject control chars / bare backslashes.
+  if (/[\\x00-\\x1f]/.test(p) || p.includes("\\\\")) return false;
+  return true;
+}
+
+function encodeVariantPath(p) {
+  // Each segment is URI-encoded so spaces / unicode round-trip cleanly.
+  return p.split("/").map(encodeURIComponent).join("/");
+}
+
+// ── Connect (OAuth-style bearer token issuance) ──────────────────────────
+
+async function handleConnectGet(request, env) {
+  const url = new URL(request.url);
+  const returnTo = url.searchParams.get("return_to") || "";
+  const app = url.searchParams.get("app") || "an external app";
+  const state = url.searchParams.get("state") || "";
+
+  if (!returnTo || !isValidReturnTo(returnTo)) {
+    return new Response("Invalid or missing return_to. Must be an http(s) URL.", { status: 400 });
+  }
+
+  // Require login first — the user's role is what we're authorising.
+  const role = await readRole(request, env);
+  const isLoggedIn = role !== ROLES[0] || PASSWORDS[role] != null;
+  if (!isLoggedIn || role === ROLES[0]) {
+    // Default role; redirect to login first, come back here on success.
+    const next = url.pathname + url.search;
+    return new Response(null, {
+      status: 302,
+      headers: { Location: "/login.html?next=" + encodeURIComponent(next) },
+    });
+  }
+
+  const returnHost = (() => {
+    try { return new URL(returnTo).host; } catch { return returnTo; }
+  })();
+  const html = renderApprovePage({ app, role, returnTo, returnHost, state });
+  return new Response(html, { headers: { "Content-Type": "text/html; charset=utf-8" } });
+}
+
+async function handleConnectApprove(request, env) {
+  const form = await request.formData();
+  const returnTo = String(form.get("return_to") || "");
+  const state = String(form.get("state") || "");
+
+  if (!returnTo || !isValidReturnTo(returnTo)) {
+    return new Response("Invalid return_to.", { status: 400 });
+  }
+  const role = await readRole(request, env);
+  if (role === ROLES[0]) {
+    // User is anonymous; reject (shouldn't reach here via normal UI flow).
+    return new Response("Not signed in.", { status: 401 });
+  }
+
+  const token = await signToken(role, env.SESSION_SECRET, BEARER_MAX_AGE);
+  // Render a page that delivers the token via postMessage when running
+  // inside an iframe or popup — that avoids a cross-site top-level
+  // navigation back to the host app, which can blow away SPA sessions
+  // (Foundry logs the user out on full reloads). Falls back to a top-
+  // level redirect with the token in the query string for CLI / direct
+  // browser flows that have neither a parent nor an opener.
+  const html = renderConnectDeliveryPage({ token, state, returnTo });
+  return new Response(html, { headers: { "Content-Type": "text/html; charset=utf-8" } });
+}
+
+function renderConnectDeliveryPage({ token, state, returnTo }) {
+  const returnOrigin = (() => { try { return new URL(returnTo).origin; } catch { return ""; } })();
+  const tokenAttr = escAttr(token);
+  const stateAttr = escAttr(state);
+  const originAttr = escAttr(returnOrigin);
+  const returnAttr = escAttr(returnTo);
+  return \`<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<title>Connecting…</title>
+<link rel="stylesheet" href="/styles.css">
+<style>
+  body { display: flex; align-items: center; justify-content: center; min-height: 100vh; margin: 0; font-family: inherit; }
+  .card { max-width: 24rem; padding: 2rem; text-align: center; color: var(--muted); }
+  .card h1 { margin: 0 0 0.5rem; font-size: 1.1rem; color: var(--fg); }
+  .card a { color: var(--accent); }
+</style>
+</head>
+<body>
+<div class="card">
+  <h1>Authorising…</h1>
+  <p id="status">You can close this window.</p>
+  <p><a id="manual" href="#">Continue manually</a> if it doesn't close on its own.</p>
+</div>
+<script>
+(function () {
+  var token = "\${tokenAttr}";
+  var state = "\${stateAttr}";
+  var origin = "\${originAttr}";
+  var returnTo = "\${returnAttr}";
+
+  // Iframe flow: parent window is the host (Foundry inside DialogV2).
+  // Popup flow: opener is the host. In both cases we postMessage to the
+  // host's origin (not '*') so the token can't be intercepted by anything
+  // else with a window reference.
+  var target = null;
+  if (window.parent && window.parent !== window) target = window.parent;
+  else if (window.opener && !window.opener.closed) target = window.opener;
+  if (target && origin) {
+    try {
+      target.postMessage({ type: "vaults-connect", token: token, state: state }, origin);
+      // Popup self-closes; iframe is dismissed by the host on receipt.
+      if (target === window.opener) { try { window.close(); } catch (e) {} }
+      return;
+    } catch (e) { /* fall through to redirect */ }
+  }
+
+  // No parent or opener — fall back to the original redirect flow.
+  var sep = returnTo.indexOf("?") === -1 ? "?" : "&";
+  var target = returnTo + sep + "token=" + encodeURIComponent(token)
+    + (state ? "&state=" + encodeURIComponent(state) : "");
+  document.getElementById("manual").href = target;
+  document.getElementById("status").textContent = "Redirecting back…";
+  window.location.replace(target);
+})();
+</script>
+</body>
+</html>\`;
+}
+
+function isValidReturnTo(s) {
+  try {
+    const u = new URL(s);
+    return u.protocol === "http:" || u.protocol === "https:";
+  } catch { return false; }
+}
+
+function renderApprovePage({ app, role, returnTo, returnHost, state }) {
+  const escapedApp = escHtml(app);
+  const escapedRole = escHtml(role);
+  const escapedHost = escHtml(returnHost);
+  const escapedReturnTo = escAttr(returnTo);
+  const escapedState = escAttr(state);
+  return \`<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Authorize \${escapedApp}</title>
+<link rel="stylesheet" href="/styles.css">
+<style>
+  body { display: flex; align-items: center; justify-content: center; min-height: 100vh; margin: 0; }
+  .approve-card {
+    max-width: 28rem; width: 90%; padding: 2rem;
+    border: 1px solid var(--rule); border-radius: 6px; background: var(--bg);
+  }
+  .approve-card h1 { margin: 0 0 1rem; font-size: 1.4rem; }
+  .approve-card .info { color: var(--muted); font-size: 0.9rem; margin: 0 0 0.75rem; }
+  .approve-card .info strong { color: var(--accent); }
+  .approve-card .return-host {
+    display: block; margin: 0.75rem 0 1.25rem;
+    padding: 0.5rem 0.75rem; background: var(--wikilink-bg);
+    border: 1px solid var(--rule); border-radius: 4px;
+    font-family: ui-monospace, monospace; font-size: 0.85rem;
+    word-break: break-all;
+  }
+  .approve-card .actions { display: flex; gap: 0.75rem; margin-top: 1.25rem; }
+  .approve-card button, .approve-card .deny {
+    flex: 1; padding: 0.55rem 1rem; font: inherit; font-size: 0.95rem;
+    border: 1px solid var(--rule); border-radius: 4px; cursor: pointer;
+    text-align: center; text-decoration: none;
+  }
+  .approve-card button { background: var(--accent); color: var(--accent-fg); border-color: var(--accent); }
+  .approve-card .deny { background: var(--bg); color: var(--muted); }
+  .approve-card .warning { color: #b94a3a; font-size: 0.78rem; margin-top: 1rem; }
+</style>
+</head>
+<body>
+<form class="approve-card" method="POST" action="/connect/approve">
+  <h1>Authorize \${escapedApp}</h1>
+  <p class="info">
+    <strong>\${escapedApp}</strong> wants access to your vault as
+    <strong>\${escapedRole}</strong>.
+  </p>
+  <p class="info">After approval, you'll be redirected to:</p>
+  <code class="return-host">\${escapedHost}</code>
+  <p class="warning">
+    ⚠ Verify the destination above looks right. If you didn't initiate
+    this request, click Deny.
+  </p>
+  <input type="hidden" name="return_to" value="\${escapedReturnTo}">
+  <input type="hidden" name="state" value="\${escapedState}">
+  <div class="actions">
+    <a class="deny" href="/">Deny</a>
+    <button type="submit">Approve</button>
+  </div>
+</form>
+</body>
+</html>\`;
+}
+
+function escHtml(s) { return String(s).replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" }[c])); }
+function escAttr(s) { return String(s).replace(/[&<>"]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c])); }
+
+// ── Cookie + role lookup ──────────────────────────────────────────────────
+
+async function readRole(request, env) {
+  const fallback = ROLES[0];
+  if (!env.SESSION_SECRET) return fallback;
+
+  // Authorization: Bearer <token> — used by curl / the MCP server / any
+  // client that can set request headers freely. Same signed-token format
+  // as the cookie, so verification is shared.
+  const auth = request.headers.get("Authorization") || "";
+  const bearerMatch = /^Bearer\\s+(.+)$/i.exec(auth);
+  if (bearerMatch) {
+    const role = await verifyToken(bearerMatch[1], env.SESSION_SECRET);
+    if (role && ROLES.includes(role)) return role;
+  }
+
+  // ?_token=<token> — used by the Foundry module so cross-origin GETs stay
+  // CORS-simple and don't trigger a preflight per file (Cloudflare rate-
+  // limits OPTIONS bursts and a sync is hundreds of unique URLs).
+  const queryToken = new URL(request.url).searchParams.get("_token");
+  if (queryToken) {
+    const role = await verifyToken(queryToken, env.SESSION_SECRET);
+    if (role && ROLES.includes(role)) return role;
+  }
+
+  const cookie = parseCookie(request.headers.get("Cookie") || "")[COOKIE_NAME];
+  if (!cookie) return fallback;
+  const role = await verifyToken(cookie, env.SESSION_SECRET);
+  return role && ROLES.includes(role) ? role : fallback;
+}
+
+// Format: <role>.<expiryUnix>.<hmacHex>
+async function signToken(role, secret, maxAgeSeconds) {
+  const exp = Math.floor(Date.now() / 1000) + maxAgeSeconds;
+  const payload = role + "." + exp;
+  const sig = await hmac(payload, secret);
+  return payload + "." + sig;
+}
+
+async function signSessionCookie(role, secret) {
+  const value = await signToken(role, secret, COOKIE_MAX_AGE);
+  // SameSite=None + Partitioned (CHIPS) — required so the cookie persists
+  // when the vault is loaded inside a cross-origin iframe (the Foundry
+  // connect dialog). Partitioned scopes the cookie per parent origin, so
+  // it isn't a general third-party tracking cookie. Top-level browsing
+  // still works normally.
+  return COOKIE_NAME + "=" + value
+    + "; Path=/; HttpOnly; Secure; SameSite=None; Partitioned; Max-Age=" + COOKIE_MAX_AGE;
+}
+
+async function verifyToken(token, secret) {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  const [role, expStr, sig] = parts;
+  const exp = Number(expStr);
+  if (!Number.isFinite(exp) || exp < Math.floor(Date.now() / 1000)) return null;
+  const expected = await hmac(role + "." + expStr, secret);
+  return constantTimeEqual(sig, expected) ? role : null;
+}
+
+function clearCookieVariants(name) {
+  // Browsers match cookies for deletion on (Path, Domain, Secure, SameSite,
+  // Partitioned). A single Set-Cookie attempt only matches one configuration,
+  // so we emit two — one that matches cookies set by the current
+  // (SameSite=None+Partitioned) signSessionCookie, and one that matches the
+  // older Lax form. Both are safe to send; the unmatched one is a no-op.
+  const httpOnly = name === COOKIE_NAME ? "HttpOnly; " : "";
+  return [
+    name + "=; Path=/; " + httpOnly + "Secure; SameSite=None; Partitioned; Max-Age=0",
+    name + "=; Path=/; " + httpOnly + "Secure; SameSite=Lax; Max-Age=0",
+  ];
+}
+
+// ── Crypto primitives (Web Crypto API) ────────────────────────────────────
+
+async function hmac(message, secretHex) {
+  const keyBytes = fromHex(secretHex);
+  const key = await crypto.subtle.importKey(
+    "raw", keyBytes, { name: "HMAC", hash: "SHA-256" }, false, ["sign"],
+  );
+  const sig = await crypto.subtle.sign("HMAC", key, new TextEncoder().encode(message));
+  return toHex(new Uint8Array(sig));
+}
+
+async function verifyPassword(password, encoded) {
+  const parts = encoded.split(":");
+  if (parts.length !== 3) return false;
+  const iterations = Number(parts[0]) || PBKDF2_DEFAULT_ITERATIONS;
+  const salt = fromHex(parts[1]);
+  const expected = fromHex(parts[2]);
+  const key = await crypto.subtle.importKey(
+    "raw", new TextEncoder().encode(password), { name: "PBKDF2" }, false, ["deriveBits"],
+  );
+  const bits = await crypto.subtle.deriveBits(
+    { name: "PBKDF2", salt, hash: "SHA-256", iterations },
+    key, expected.length * 8,
+  );
+  return constantTimeEqual(toHex(new Uint8Array(bits)), toHex(expected));
+}
+
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return diff === 0;
+}
+
+function toHex(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) s += bytes[i].toString(16).padStart(2, "0");
+  return s;
+}
+
+function fromHex(hex) {
+  const out = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+  return out;
+}
+
+function parseCookie(header) {
+  const out = {};
+  for (const part of header.split(/;\\s*/)) {
+    const eq = part.indexOf("=");
+    if (eq > 0) out[part.slice(0, eq)] = part.slice(eq + 1);
+  }
+  return out;
+}
+
+function isSharedAsset(pathname) {
+  // Allowlist of root-served files that are intentionally public to every
+  // visitor (no role gate). Everything else — including images — goes
+  // through the variant rewrite so role-restricted content is structurally
+  // unreachable on under-tier deploys.
+  if (pathname === "/styles.css") return true;
+  if (pathname === "/user.css") return true;
+  if (pathname === "/login.html") return true;
+  if (pathname === "/favicon.ico" || pathname === "/favicon.svg") return true;
+  if (pathname === "/robots.txt") return true;
+  return false;
+}
+`;
+}
+export const LOGIN_HTML = `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Sign in</title>
+<link rel="stylesheet" href="/styles.css">
+<style>
+  body { display: flex; align-items: center; justify-content: center; min-height: 100vh; margin: 0; }
+  .login-card {
+    max-width: 24rem; width: 90%; padding: 2rem;
+    border: 1px solid var(--rule); border-radius: 6px; background: var(--bg);
+  }
+  .login-card h1 { margin: 0 0 1rem; font-size: 1.4rem; }
+  .login-card label { display: block; font-size: 0.85rem; color: var(--muted); margin: 0.75rem 0 0.25rem; }
+  .login-card select, .login-card input[type=password] {
+    width: 100%; padding: 0.5rem 0.65rem; font: inherit; font-size: 0.95rem;
+    background: var(--bg); color: var(--fg);
+    border: 1px solid var(--rule); border-radius: 4px; outline: none;
+  }
+  .login-card select:focus, .login-card input:focus { border-color: var(--accent); box-shadow: 0 0 0 2px var(--wikilink-bg); }
+  .login-card button {
+    width: 100%; padding: 0.55rem 1rem; margin-top: 1rem; font: inherit;
+    background: var(--accent); color: var(--accent-fg); border: 0; border-radius: 4px; cursor: pointer;
+  }
+  .login-error { color: #b94a3a; font-size: 0.85rem; margin: 0.75rem 0 0; }
+</style>
+</head>
+<body>
+<form class="login-card" method="POST" action="/login">
+  <h1>Sign in</h1>
+  <p id="err" class="login-error" hidden></p>
+  <label for="role">Role</label>
+  <select id="role" name="role">__ROLE_OPTIONS__</select>
+  <label for="password">Password</label>
+  <input id="password" type="password" name="password" autocomplete="current-password" required autofocus>
+  <input type="hidden" name="next" id="next">
+  <button type="submit">Sign in</button>
+</form>
+<script>
+  const params = new URLSearchParams(location.search);
+  const next = params.get("next") || "/";
+  document.getElementById("next").value = next;
+  const err = params.get("error");
+  if (err) {
+    const el = document.getElementById("err");
+    el.textContent = err === "wrong_password" ? "Wrong password." : "Invalid role.";
+    el.hidden = false;
+  }
+</script>
+</body>
+</html>`;
+//# sourceMappingURL=auth-template.js.map

package/dist/render/auth-template.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-template.js","sourceRoot":"","sources":["../../src/render/auth-template.ts"],"names":[],"mappings":"AAAA,6EAA6E;AAC7E,+EAA+E;AAC/E,2EAA2E;AAC3E,mEAAmE;AASnE,MAAM,UAAU,oBAAoB,CAAC,GAAuB;IAC1D,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC/C,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAE3D,OAAO;;;;;gBAKO,YAAY;oBACR,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAimBnC,CAAC;AACF,CAAC;AAED,MAAM,CAAC,MAAM,UAAU,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAmDlB,CAAC"}