astro-sessionkit 0.1.22 → 0.1.23

package/dist/core/guardMiddleware.js

@@ -76,12 +76,6 @@ function createGuardMiddleware() {
         }
         if (!rule) {
             if (globalProtect) {
-                if (exclude.some((pattern) => matchesPattern(pattern, pathname))) {
-                    if (debug$1) {
-                        debug(`[GlobalProtect] Skipping ${pathname} because it matches an exclude pattern`);
-                    }
-                    return next();
-                }
                 if (pathname === loginPath) {
                     if (session && isValidSessionStructure(session)) {
                         if (debug$1) {
@@ -94,6 +88,12 @@ function createGuardMiddleware() {
                     }
                     return next();
                 }
+                if (exclude.some((pattern) => matchesPattern(pattern, pathname))) {
+                    if (debug$1) {
+                        debug(`[GlobalProtect] Skipping ${pathname} because it matches an exclude pattern`);
+                    }
+                    return next();
+                }
                 if (!session || !isValidSessionStructure(session)) {
                     if (debug$1) {
                         debug(`[GlobalProtect] Redirecting to ${loginPath} because session is ${session ? 'invalid' : 'missing'}`);

package/dist/core/guardMiddleware.js.map

@@ -1 +1 @@
-{"version":3,"file":"guardMiddleware.js","sources":["../../src/core/guardMiddleware.ts"],"sourcesContent":["// ============================================================================\n// Route Guard Middleware - Enforces protection rules\n// ============================================================================\n\nimport type {MiddlewareHandler} from \"astro\";\nimport { getContextStore } from \"./context\";\nimport { getConfig } from \"./config\";\nimport { matchesPattern } from \"./matcher\";\nimport type { ProtectionRule, Session } from \"./types\";\nimport { isValidSessionStructure } from \"./validation\";\nimport * as logger from \"./logger\";\n\n/**\n * Check if session satisfies a protection rule\n */\nasync function checkRule(rule: ProtectionRule, session: Session | null): Promise<boolean> {\n  const { access } = getConfig();\n\n  // Custom check overrides everything\n  if (access.check) {\n    try {\n      return await access.check(rule, session);\n    } catch (error) {\n      logger.error('Error in custom access check hook:', error);\n      return false;\n    }\n  }\n\n  // Custom allow function\n  if (\"allow\" in rule) {\n    try {\n      return await rule.allow(session);\n    } catch (error) {\n      logger.error('Error in custom rule allow function:', error);\n      return false;\n    }\n  }\n\n  // Must be authenticated and have a valid session structure for all other checks\n  if (!session || !isValidSessionStructure(session)) {\n    return false;\n  }\n\n  // Single role check\n  if (\"role\" in rule) {\n    const userRole = access.getRole(session);\n    return userRole === rule.role;\n  }\n\n  // Multiple roles check (user must have ONE of these)\n  if (\"roles\" in rule) {\n    const userRole = access.getRole(session);\n    return userRole !== null && rule.roles.includes(userRole);\n  }\n\n  // Single permission check\n  if (\"permission\" in rule) {\n    const userPermissions = access.getPermissions(session);\n    return userPermissions.includes(rule.permission);\n  }\n\n  // Multiple permissions check (user must have ALL of these)\n  if (\"permissions\" in rule) {\n    const userPermissions = access.getPermissions(session);\n    return rule.permissions.every((p) => userPermissions.includes(p));\n  }\n\n  // No specific rule matched - allow by default\n  return true;\n}\n\n/**\n * Create route guard middleware\n */\nexport function createGuardMiddleware(): MiddlewareHandler {\n  return async (context, next) => {\n    let pathname: string;\n    try {\n        pathname = new URL(context.request.url).pathname;\n    } catch {\n        pathname = \"/\";\n    }\n\n    const config = getConfig();\n    const {protect, loginPath, globalProtect, exclude, debug} = config;\n\n    if (debug) {\n        logger.debug(`[Guard] Pathname: ${pathname}, GlobalProtect: ${globalProtect}, Rules: ${protect.length}`);\n    }\n\n    // No rules configured and no global protect - skip\n    if (protect.length === 0 && !globalProtect) {\n        if (debug) {\n            logger.debug(`[Guard] Skipping ${pathname} because no rules are configured and globalProtect is false`);\n        }\n        return next();\n    }\n\n    const sessionContext = getContextStore();\n    const session = sessionContext?.session ?? null;\n\n    if (debug) {\n        logger.debug(`[Guard] Session retrieved from store: ${session ? 'exists' : 'null'}`);\n    }\n\n    // Find matching rule\n    const rule = protect.find((r) => matchesPattern(r.pattern, pathname));\n\n    if (rule && debug) {\n        logger.debug(`[Guard] Found matching rule for ${pathname}:`, rule);\n    }\n\n    // No matching rule - check global protection\n    if (!rule) {\n        if (globalProtect) {\n            // Skip if path is in exclude list\n            if (exclude.some((pattern) => matchesPattern(pattern, pathname))) {\n                if (debug) {\n                    logger.debug(`[GlobalProtect] Skipping ${pathname} because it matches an exclude pattern`);\n                }\n                return next();\n            }\n\n            // Skip if it's the login page itself (to avoid redirect loops)\n            if (pathname === loginPath) {\n                // NEW: If session is already present, redirect to home (/)\n                if (session && isValidSessionStructure(session)) {\n                    if (debug) {\n                        logger.debug(`[GlobalProtect] Redirecting ${pathname} to / because session is already present`);\n                    }\n                    return context.redirect('/');\n                }\n\n                if (debug) {\n                    logger.debug(`[GlobalProtect] Skipping ${pathname} because it is the loginPath`);\n                }\n                return next();\n            }\n\n            // Require valid session\n            if (!session || !isValidSessionStructure(session)) {\n                if (debug) {\n                    logger.debug(`[GlobalProtect] Redirecting to ${loginPath} because session is ${session ? 'invalid' : 'missing'}`);\n                }\n                return context.redirect(loginPath);\n            }\n        }\n\n        if (debug) {\n            logger.debug(`[GlobalProtect] Allowing ${pathname} because session is valid or globalProtect is false`);\n        }\n        return next();\n    }\n\n    // Check if access is allowed\n    const allowed = await checkRule(rule, session);\n\n    if (!allowed) {\n        const redirectTo = rule.redirectTo ?? loginPath;\n        if (debug) {\n            logger.debug(`[Guard] Redirecting to ${redirectTo} because access was denied by rule:`, rule);\n        }\n        return context.redirect(redirectTo);\n    }\n\n    if (debug) {\n        logger.debug(`[Guard] Allowing ${pathname} because access was granted by rule:`, rule);\n    }\n    return next();\n  };\n}\n"],"names":["error","logger.error","debug","logger.debug"],"mappings":";;;;;;AAeA,eAAe,SAAS,CAAC,IAAoB,EAAE,OAAuB,EAAA;AACpE,IAAA,MAAM,EAAE,MAAM,EAAE,GAAG,SAAS,EAAE;AAG9B,IAAA,IAAI,MAAM,CAAC,KAAK,EAAE;AAChB,QAAA,IAAI;YACF,OAAO,MAAM,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC;QAC1C;QAAE,OAAOA,OAAK,EAAE;AACd,YAAAC,KAAY,CAAC,oCAAoC,EAAED,OAAK,CAAC;AACzD,YAAA,OAAO,KAAK;QACd;IACF;AAGA,IAAA,IAAI,OAAO,IAAI,IAAI,EAAE;AACnB,QAAA,IAAI;AACF,YAAA,OAAO,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;QAClC;QAAE,OAAOA,OAAK,EAAE;AACd,YAAAC,KAAY,CAAC,sCAAsC,EAAED,OAAK,CAAC;AAC3D,YAAA,OAAO,KAAK;QACd;IACF;IAGA,IAAI,CAAC,OAAO,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,EAAE;AACjD,QAAA,OAAO,KAAK;IACd;AAGA,IAAA,IAAI,MAAM,IAAI,IAAI,EAAE;QAClB,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;AACxC,QAAA,OAAO,QAAQ,KAAK,IAAI,CAAC,IAAI;IAC/B;AAGA,IAAA,IAAI,OAAO,IAAI,IAAI,EAAE;QACnB,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;AACxC,QAAA,OAAO,QAAQ,KAAK,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAC3D;AAGA,IAAA,IAAI,YAAY,IAAI,IAAI,EAAE;QACxB,MAAM,eAAe,GAAG,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC;QACtD,OAAO,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC;IAClD;AAGA,IAAA,IAAI,aAAa,IAAI,IAAI,EAAE;QACzB,MAAM,eAAe,GAAG,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC;AACtD,QAAA,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IACnE;AAGA,IAAA,OAAO,IAAI;AACb;SAKgB,qBAAqB,GAAA;AACnC,IAAA,OAAO,OAAO,OAAO,EAAE,IAAI,KAAI;AAC7B,QAAA,IAAI,QAAgB;AACpB,QAAA,IAAI;AACA,YAAA,QAAQ,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,QAAQ;QACpD;AAAE,QAAA,MAAM;YACJ,QAAQ,GAAG,GAAG;QAClB;AAEA,QAAA,MAAM,MAAM,GAAG,SAAS,EAAE;AAC1B,QAAA,MAAM,EAAC,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,OAAO,SAAEE,OAAK,EAAC,GAAG,MAAM;QAElE,IAAIA,OAAK,EAAE;AACP,YAAAC,KAAY,CAAC,CAAA,kBAAA,EAAqB,QAAQ,CAAA,iBAAA,EAAoB,aAAa,CAAA,SAAA,EAAY,OAAO,CAAC,MAAM,CAAA,CAAE,CAAC;QAC5G;QAGA,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,EAAE;YACxC,IAAID,OAAK,EAAE;AACP,gBAAAC,KAAY,CAAC,oBAAoB,QAAQ,CAAA,2DAAA,CAA6D,CAAC;YAC3G;YACA,OAAO,IAAI,EAAE;QACjB;AAEA,QAAA,MAAM,cAAc,GAAG,eAAe,EAAE;AACxC,QAAA,MAAM,OAAO,GAAG,cAAc,EAAE,OAAO,IAAI,IAAI;QAE/C,IAAID,OAAK,EAAE;AACP,YAAAC,KAAY,CAAC,CAAA,sCAAA,EAAyC,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAA,CAAE,CAAC;QACxF;QAGA,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,cAAc,CAAC,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;AAErE,QAAA,IAAI,IAAI,IAAID,OAAK,EAAE;YACfC,KAAY,CAAC,CAAA,gCAAA,EAAmC,QAAQ,CAAA,CAAA,CAAG,EAAE,IAAI,CAAC;QACtE;QAGA,IAAI,CAAC,IAAI,EAAE;YACP,IAAI,aAAa,EAAE;AAEf,gBAAA,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,KAAK,cAAc,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE;oBAC9D,IAAID,OAAK,EAAE;AACP,wBAAAC,KAAY,CAAC,4BAA4B,QAAQ,CAAA,sCAAA,CAAwC,CAAC;oBAC9F;oBACA,OAAO,IAAI,EAAE;gBACjB;AAGA,gBAAA,IAAI,QAAQ,KAAK,SAAS,EAAE;AAExB,oBAAA,IAAI,OAAO,IAAI,uBAAuB,CAAC,OAAO,CAAC,EAAE;wBAC7C,IAAID,OAAK,EAAE;AACP,4BAAAC,KAAY,CAAC,+BAA+B,QAAQ,CAAA,wCAAA,CAA0C,CAAC;wBACnG;AACA,wBAAA,OAAO,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;oBAChC;oBAEA,IAAID,OAAK,EAAE;AACP,wBAAAC,KAAY,CAAC,4BAA4B,QAAQ,CAAA,4BAAA,CAA8B,CAAC;oBACpF;oBACA,OAAO,IAAI,EAAE;gBACjB;gBAGA,IAAI,CAAC,OAAO,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,EAAE;oBAC/C,IAAID,OAAK,EAAE;AACP,wBAAAC,KAAY,CAAC,CAAA,+BAAA,EAAkC,SAAS,uBAAuB,OAAO,GAAG,SAAS,GAAG,SAAS,CAAA,CAAE,CAAC;oBACrH;AACA,oBAAA,OAAO,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;gBACtC;YACJ;YAEA,IAAID,OAAK,EAAE;AACP,gBAAAC,KAAY,CAAC,4BAA4B,QAAQ,CAAA,mDAAA,CAAqD,CAAC;YAC3G;YACA,OAAO,IAAI,EAAE;QACjB;QAGA,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC;QAE9C,IAAI,CAAC,OAAO,EAAE;AACV,YAAA,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,SAAS;YAC/C,IAAID,OAAK,EAAE;gBACPC,KAAY,CAAC,CAAA,uBAAA,EAA0B,UAAU,CAAA,mCAAA,CAAqC,EAAE,IAAI,CAAC;YACjG;AACA,YAAA,OAAO,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;QACvC;QAEA,IAAID,OAAK,EAAE;YACPC,KAAY,CAAC,CAAA,iBAAA,EAAoB,QAAQ,CAAA,oCAAA,CAAsC,EAAE,IAAI,CAAC;QAC1F;QACA,OAAO,IAAI,EAAE;AACf,IAAA,CAAC;AACH;;;;"}
+{"version":3,"file":"guardMiddleware.js","sources":["../../src/core/guardMiddleware.ts"],"sourcesContent":["// ============================================================================\n// Route Guard Middleware - Enforces protection rules\n// ============================================================================\n\nimport type {MiddlewareHandler} from \"astro\";\nimport { getContextStore } from \"./context\";\nimport { getConfig } from \"./config\";\nimport { matchesPattern } from \"./matcher\";\nimport type { ProtectionRule, Session } from \"./types\";\nimport { isValidSessionStructure } from \"./validation\";\nimport * as logger from \"./logger\";\n\n/**\n * Check if session satisfies a protection rule\n */\nasync function checkRule(rule: ProtectionRule, session: Session | null): Promise<boolean> {\n  const { access } = getConfig();\n\n  // Custom check overrides everything\n  if (access.check) {\n    try {\n      return await access.check(rule, session);\n    } catch (error) {\n      logger.error('Error in custom access check hook:', error);\n      return false;\n    }\n  }\n\n  // Custom allow function\n  if (\"allow\" in rule) {\n    try {\n      return await rule.allow(session);\n    } catch (error) {\n      logger.error('Error in custom rule allow function:', error);\n      return false;\n    }\n  }\n\n  // Must be authenticated and have a valid session structure for all other checks\n  if (!session || !isValidSessionStructure(session)) {\n    return false;\n  }\n\n  // Single role check\n  if (\"role\" in rule) {\n    const userRole = access.getRole(session);\n    return userRole === rule.role;\n  }\n\n  // Multiple roles check (user must have ONE of these)\n  if (\"roles\" in rule) {\n    const userRole = access.getRole(session);\n    return userRole !== null && rule.roles.includes(userRole);\n  }\n\n  // Single permission check\n  if (\"permission\" in rule) {\n    const userPermissions = access.getPermissions(session);\n    return userPermissions.includes(rule.permission);\n  }\n\n  // Multiple permissions check (user must have ALL of these)\n  if (\"permissions\" in rule) {\n    const userPermissions = access.getPermissions(session);\n    return rule.permissions.every((p) => userPermissions.includes(p));\n  }\n\n  // No specific rule matched - allow by default\n  return true;\n}\n\n/**\n * Create route guard middleware\n */\nexport function createGuardMiddleware(): MiddlewareHandler {\n  return async (context, next) => {\n    let pathname: string;\n    try {\n        pathname = new URL(context.request.url).pathname;\n    } catch {\n        pathname = \"/\";\n    }\n\n    const config = getConfig();\n    const {protect, loginPath, globalProtect, exclude, debug} = config;\n\n    if (debug) {\n        logger.debug(`[Guard] Pathname: ${pathname}, GlobalProtect: ${globalProtect}, Rules: ${protect.length}`);\n    }\n\n    // No rules configured and no global protect - skip\n    if (protect.length === 0 && !globalProtect) {\n        if (debug) {\n            logger.debug(`[Guard] Skipping ${pathname} because no rules are configured and globalProtect is false`);\n        }\n        return next();\n    }\n\n    const sessionContext = getContextStore();\n    const session = sessionContext?.session ?? null;\n\n    if (debug) {\n        logger.debug(`[Guard] Session retrieved from store: ${session ? 'exists' : 'null'}`);\n    }\n\n    // Find matching rule\n    const rule = protect.find((r) => matchesPattern(r.pattern, pathname));\n\n    if (rule && debug) {\n        logger.debug(`[Guard] Found matching rule for ${pathname}:`, rule);\n    }\n\n    // No matching rule - check global protection\n    if (!rule) {\n        if (globalProtect) {\n            // Skip if it's the login page itself (to avoid redirect loops)\n            if (pathname === loginPath) {\n                // NEW: If session is already present, redirect to home (/)\n                if (session && isValidSessionStructure(session)) {\n                    if (debug) {\n                        logger.debug(`[GlobalProtect] Redirecting ${pathname} to / because session is already present`);\n                    }\n                    return context.redirect('/');\n                }\n\n                if (debug) {\n                    logger.debug(`[GlobalProtect] Skipping ${pathname} because it is the loginPath`);\n                }\n                return next();\n            }\n\n            // Skip if path is in exclude list\n            if (exclude.some((pattern) => matchesPattern(pattern, pathname))) {\n                if (debug) {\n                    logger.debug(`[GlobalProtect] Skipping ${pathname} because it matches an exclude pattern`);\n                }\n                return next();\n            }\n\n            // Require valid session\n            if (!session || !isValidSessionStructure(session)) {\n                if (debug) {\n                    logger.debug(`[GlobalProtect] Redirecting to ${loginPath} because session is ${session ? 'invalid' : 'missing'}`);\n                }\n                return context.redirect(loginPath);\n            }\n        }\n\n        if (debug) {\n            logger.debug(`[GlobalProtect] Allowing ${pathname} because session is valid or globalProtect is false`);\n        }\n        return next();\n    }\n\n    // Check if access is allowed\n    const allowed = await checkRule(rule, session);\n\n    if (!allowed) {\n        const redirectTo = rule.redirectTo ?? loginPath;\n        if (debug) {\n            logger.debug(`[Guard] Redirecting to ${redirectTo} because access was denied by rule:`, rule);\n        }\n        return context.redirect(redirectTo);\n    }\n\n    if (debug) {\n        logger.debug(`[Guard] Allowing ${pathname} because access was granted by rule:`, rule);\n    }\n    return next();\n  };\n}\n"],"names":["error","logger.error","debug","logger.debug"],"mappings":";;;;;;AAeA,eAAe,SAAS,CAAC,IAAoB,EAAE,OAAuB,EAAA;AACpE,IAAA,MAAM,EAAE,MAAM,EAAE,GAAG,SAAS,EAAE;AAG9B,IAAA,IAAI,MAAM,CAAC,KAAK,EAAE;AAChB,QAAA,IAAI;YACF,OAAO,MAAM,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC;QAC1C;QAAE,OAAOA,OAAK,EAAE;AACd,YAAAC,KAAY,CAAC,oCAAoC,EAAED,OAAK,CAAC;AACzD,YAAA,OAAO,KAAK;QACd;IACF;AAGA,IAAA,IAAI,OAAO,IAAI,IAAI,EAAE;AACnB,QAAA,IAAI;AACF,YAAA,OAAO,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;QAClC;QAAE,OAAOA,OAAK,EAAE;AACd,YAAAC,KAAY,CAAC,sCAAsC,EAAED,OAAK,CAAC;AAC3D,YAAA,OAAO,KAAK;QACd;IACF;IAGA,IAAI,CAAC,OAAO,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,EAAE;AACjD,QAAA,OAAO,KAAK;IACd;AAGA,IAAA,IAAI,MAAM,IAAI,IAAI,EAAE;QAClB,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;AACxC,QAAA,OAAO,QAAQ,KAAK,IAAI,CAAC,IAAI;IAC/B;AAGA,IAAA,IAAI,OAAO,IAAI,IAAI,EAAE;QACnB,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;AACxC,QAAA,OAAO,QAAQ,KAAK,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAC3D;AAGA,IAAA,IAAI,YAAY,IAAI,IAAI,EAAE;QACxB,MAAM,eAAe,GAAG,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC;QACtD,OAAO,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC;IAClD;AAGA,IAAA,IAAI,aAAa,IAAI,IAAI,EAAE;QACzB,MAAM,eAAe,GAAG,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC;AACtD,QAAA,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IACnE;AAGA,IAAA,OAAO,IAAI;AACb;SAKgB,qBAAqB,GAAA;AACnC,IAAA,OAAO,OAAO,OAAO,EAAE,IAAI,KAAI;AAC7B,QAAA,IAAI,QAAgB;AACpB,QAAA,IAAI;AACA,YAAA,QAAQ,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,QAAQ;QACpD;AAAE,QAAA,MAAM;YACJ,QAAQ,GAAG,GAAG;QAClB;AAEA,QAAA,MAAM,MAAM,GAAG,SAAS,EAAE;AAC1B,QAAA,MAAM,EAAC,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,OAAO,SAAEE,OAAK,EAAC,GAAG,MAAM;QAElE,IAAIA,OAAK,EAAE;AACP,YAAAC,KAAY,CAAC,CAAA,kBAAA,EAAqB,QAAQ,CAAA,iBAAA,EAAoB,aAAa,CAAA,SAAA,EAAY,OAAO,CAAC,MAAM,CAAA,CAAE,CAAC;QAC5G;QAGA,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,EAAE;YACxC,IAAID,OAAK,EAAE;AACP,gBAAAC,KAAY,CAAC,oBAAoB,QAAQ,CAAA,2DAAA,CAA6D,CAAC;YAC3G;YACA,OAAO,IAAI,EAAE;QACjB;AAEA,QAAA,MAAM,cAAc,GAAG,eAAe,EAAE;AACxC,QAAA,MAAM,OAAO,GAAG,cAAc,EAAE,OAAO,IAAI,IAAI;QAE/C,IAAID,OAAK,EAAE;AACP,YAAAC,KAAY,CAAC,CAAA,sCAAA,EAAyC,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAA,CAAE,CAAC;QACxF;QAGA,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,cAAc,CAAC,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;AAErE,QAAA,IAAI,IAAI,IAAID,OAAK,EAAE;YACfC,KAAY,CAAC,CAAA,gCAAA,EAAmC,QAAQ,CAAA,CAAA,CAAG,EAAE,IAAI,CAAC;QACtE;QAGA,IAAI,CAAC,IAAI,EAAE;YACP,IAAI,aAAa,EAAE;AAEf,gBAAA,IAAI,QAAQ,KAAK,SAAS,EAAE;AAExB,oBAAA,IAAI,OAAO,IAAI,uBAAuB,CAAC,OAAO,CAAC,EAAE;wBAC7C,IAAID,OAAK,EAAE;AACP,4BAAAC,KAAY,CAAC,+BAA+B,QAAQ,CAAA,wCAAA,CAA0C,CAAC;wBACnG;AACA,wBAAA,OAAO,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;oBAChC;oBAEA,IAAID,OAAK,EAAE;AACP,wBAAAC,KAAY,CAAC,4BAA4B,QAAQ,CAAA,4BAAA,CAA8B,CAAC;oBACpF;oBACA,OAAO,IAAI,EAAE;gBACjB;AAGA,gBAAA,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,KAAK,cAAc,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE;oBAC9D,IAAID,OAAK,EAAE;AACP,wBAAAC,KAAY,CAAC,4BAA4B,QAAQ,CAAA,sCAAA,CAAwC,CAAC;oBAC9F;oBACA,OAAO,IAAI,EAAE;gBACjB;gBAGA,IAAI,CAAC,OAAO,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,EAAE;oBAC/C,IAAID,OAAK,EAAE;AACP,wBAAAC,KAAY,CAAC,CAAA,+BAAA,EAAkC,SAAS,uBAAuB,OAAO,GAAG,SAAS,GAAG,SAAS,CAAA,CAAE,CAAC;oBACrH;AACA,oBAAA,OAAO,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;gBACtC;YACJ;YAEA,IAAID,OAAK,EAAE;AACP,gBAAAC,KAAY,CAAC,4BAA4B,QAAQ,CAAA,mDAAA,CAAqD,CAAC;YAC3G;YACA,OAAO,IAAI,EAAE;QACjB;QAGA,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC;QAE9C,IAAI,CAAC,OAAO,EAAE;AACV,YAAA,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,SAAS;YAC/C,IAAID,OAAK,EAAE;gBACPC,KAAY,CAAC,CAAA,uBAAA,EAA0B,UAAU,CAAA,mCAAA,CAAqC,EAAE,IAAI,CAAC;YACjG;AACA,YAAA,OAAO,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;QACvC;QAEA,IAAID,OAAK,EAAE;YACPC,KAAY,CAAC,CAAA,iBAAA,EAAoB,QAAQ,CAAA,oCAAA,CAAsC,EAAE,IAAI,CAAC;QAC1F;QACA,OAAO,IAAI,EAAE;AACf,IAAA,CAAC;AACH;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "astro-sessionkit",
-  "version": "0.1.22",
+  "version": "0.1.23",
   "description": "Simple session access and route protection for Astro applications",
   "type": "module",
   "main": "./dist/index.js",

package/src/core/guardMiddleware.ts

@@ -113,14 +113,6 @@ export function createGuardMiddleware(): MiddlewareHandler {
     // No matching rule - check global protection
     if (!rule) {
         if (globalProtect) {
-            // Skip if path is in exclude list
-            if (exclude.some((pattern) => matchesPattern(pattern, pathname))) {
-                if (debug) {
-                    logger.debug(`[GlobalProtect] Skipping ${pathname} because it matches an exclude pattern`);
-                }
-                return next();
-            }
-
             // Skip if it's the login page itself (to avoid redirect loops)
             if (pathname === loginPath) {
                 // NEW: If session is already present, redirect to home (/)
@@ -137,6 +129,14 @@ export function createGuardMiddleware(): MiddlewareHandler {
                 return next();
             }
 
+            // Skip if path is in exclude list
+            if (exclude.some((pattern) => matchesPattern(pattern, pathname))) {
+                if (debug) {
+                    logger.debug(`[GlobalProtect] Skipping ${pathname} because it matches an exclude pattern`);
+                }
+                return next();
+            }
+
             // Require valid session
             if (!session || !isValidSessionStructure(session)) {
                 if (debug) {