dineway 0.1.3

package/dist/astro/middleware/auth.mjs

@@ -0,0 +1,708 @@
+import { t as apiError } from "../../error-DrxtnGPg.mjs";
+import { t as getAuthMode } from "../../mode-BlyYtIFO.mjs";
+import { ulid } from "ulidx";
+import { defineMiddleware } from "astro:middleware";
+import { createKyselyAdapter } from "@dineway-ai/auth/adapters/kysely";
+import { authenticate } from "virtual:dineway/auth";
+import { hasScope, hashPrefixedToken as hashApiToken } from "@dineway-ai/auth";
+
+//#region src/api/csrf.ts
+/**
+* CSRF protection utilities.
+*
+* Two mechanisms:
+* 1. Custom header check (X-Dineway-Request: 1) — used for authenticated API routes.
+*    Browsers block cross-origin custom headers, so presence proves same-origin.
+* 2. Origin check — used for public API routes that skip auth. Compares the Origin
+*    header against the request origin. Same approach as Astro's `checkOrigin`.
+*/
+/**
+* Origin-based CSRF check for public API routes that skip auth.
+*
+* State-changing requests (POST/PUT/DELETE) to public endpoints must either:
+*   1. Include the X-Dineway-Request: 1 header (custom header blocked cross-origin), OR
+*   2. Have an Origin header matching the request origin (or the configured public origin)
+*
+* This prevents cross-origin form submissions (which can't set custom headers)
+* and cross-origin fetch (blocked by CORS unless allowed). Same-origin requests
+* always include a matching Origin header.
+*
+* Returns a 403 Response if the check fails, or null if allowed.
+*
+* @param request  The incoming request
+* @param url      The request URL (internal origin)
+* @param publicOrigin  The public-facing origin from config.siteUrl. Must be
+*        `undefined` when absent — never `null` or `""` (security invariant H-1a).
+*/
+function checkPublicCsrf(request, url, publicOrigin) {
+	if (request.headers.get("X-Dineway-Request") === "1") return null;
+	const origin = request.headers.get("Origin");
+	if (origin) {
+		try {
+			const originUrl = new URL(origin);
+			if (originUrl.origin === url.origin) return null;
+			if (publicOrigin && originUrl.origin === publicOrigin) return null;
+		} catch {}
+		return apiError("CSRF_REJECTED", "Cross-origin request blocked", 403);
+	}
+	return null;
+}
+
+//#endregion
+//#region src/api/public-url.ts
+/**
+* Resolve siteUrl from runtime environment variables.
+*
+* Uses process.env (not import.meta.env) because Vite statically replaces
+* import.meta.env at build time, baking out any env vars not present during
+* the build. Container deployments set env vars at runtime, so we must read
+* process.env which Vite leaves untouched.
+*
+* On non-Node runtimes process.env may be unavailable, so the fallback chain
+* continues to url.origin.
+*
+* Caches after first call.
+*/
+let _envSiteUrl = null;
+function getEnvSiteUrl() {
+	if (_envSiteUrl !== null) return _envSiteUrl || void 0;
+	try {
+		const value = typeof process !== "undefined" && process.env?.DINEWAY_SITE_URL || typeof process !== "undefined" && process.env?.SITE_URL || "";
+		if (value) {
+			const parsed = new URL(value);
+			if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+				_envSiteUrl = "";
+				return;
+			}
+			_envSiteUrl = parsed.origin;
+		} else _envSiteUrl = "";
+	} catch {
+		_envSiteUrl = "";
+	}
+	return _envSiteUrl || void 0;
+}
+/**
+* Return the public-facing origin for the site.
+*
+* Resolution order:
+*   1. `config.siteUrl` (set in astro.config.mjs, origin-normalized at startup)
+*   2. `DINEWAY_SITE_URL` or `SITE_URL` env var (resolved at runtime for containers)
+*   3. `url.origin` (internal request URL — correct when no proxy)
+*
+* @param url  The request URL (`new URL(request.url)` or `Astro.url`)
+* @param config  The Dineway config (from `locals.dineway?.config`)
+* @returns Origin string, e.g. `"https://mysite.example.com"`
+*/
+function getPublicOrigin(url, config) {
+	return config?.siteUrl || getEnvSiteUrl() || url.origin;
+}
+
+//#endregion
+//#region src/api/handlers/api-tokens.ts
+/**
+* Resolve a raw API token (ec_pat_...) to a user ID and scopes.
+* Updates last_used_at on successful lookup.
+* Returns null if the token is invalid or expired.
+*/
+async function resolveApiToken(db, rawToken) {
+	const hash = hashApiToken(rawToken);
+	const row = await db.selectFrom("_dineway_api_tokens").select([
+		"id",
+		"user_id",
+		"scopes",
+		"expires_at"
+	]).where("token_hash", "=", hash).executeTakeFirst();
+	if (!row) return null;
+	if (row.expires_at && new Date(row.expires_at) < /* @__PURE__ */ new Date()) return null;
+	db.updateTable("_dineway_api_tokens").set({ last_used_at: (/* @__PURE__ */ new Date()).toISOString() }).where("id", "=", row.id).execute().catch(() => {});
+	return {
+		userId: row.user_id,
+		scopes: JSON.parse(row.scopes)
+	};
+}
+/**
+* Resolve an OAuth access token (ec_oat_...) to a user ID and scopes.
+* Returns null if the token is invalid or expired.
+*/
+async function resolveOAuthToken(db, rawToken) {
+	const hash = hashApiToken(rawToken);
+	const row = await db.selectFrom("_dineway_oauth_tokens").select([
+		"user_id",
+		"scopes",
+		"expires_at",
+		"token_type"
+	]).where("token_hash", "=", hash).where("token_type", "=", "access").executeTakeFirst();
+	if (!row) return null;
+	if (new Date(row.expires_at) < /* @__PURE__ */ new Date()) return null;
+	return {
+		userId: row.user_id,
+		scopes: JSON.parse(row.scopes)
+	};
+}
+
+//#endregion
+//#region src/astro/middleware/csp.ts
+/**
+* Strict Content-Security-Policy for /_dineway routes (admin + API).
+*
+* Applied via middleware header rather than Astro's built-in CSP because
+* Astro's auto-hashing defeats 'unsafe-inline' (CSP3 ignores 'unsafe-inline'
+* when hashes are present), which would break user-facing pages.
+*
+* img-src allows any HTTPS origin because the admin renders user content that
+* may reference external images (migrations, external hosting, embeds).
+* Plugin security does not rely on img-src -- sandboxed plugins run behind the
+* host-mediated `SandboxRunner` boundary with no DOM access, and connect-src
+* 'self' blocks fetch-based exfiltration from the admin itself.
+*/
+function buildDinewayCsp() {
+	return [
+		"default-src 'self'",
+		"script-src 'self' 'unsafe-inline'",
+		"style-src 'self' 'unsafe-inline'",
+		"connect-src 'self'",
+		"form-action 'self'",
+		"frame-ancestors 'none'",
+		"img-src 'self' https: data: blob:",
+		"object-src 'none'",
+		"base-uri 'self'"
+	].join("; ");
+}
+
+//#endregion
+//#region src/astro/middleware/auth.ts
+/** Cache headers for middleware error responses (matches API_CACHE_HEADERS in api/error.ts) */
+const MW_CACHE_HEADERS = { "Cache-Control": "private, no-store" };
+const ROLE_ADMIN = 50;
+/**
+* API routes that skip auth — each handles its own access control.
+*
+* Prefix entries match any path starting with that prefix.
+* Exact entries (no trailing slash or wildcard) match that path only.
+*/
+const PUBLIC_API_PREFIXES = [
+	"/_dineway/api/setup",
+	"/_dineway/api/auth/login",
+	"/_dineway/api/auth/register",
+	"/_dineway/api/auth/dev-bypass",
+	"/_dineway/api/auth/signup/",
+	"/_dineway/api/auth/magic-link/",
+	"/_dineway/api/auth/invite/accept",
+	"/_dineway/api/auth/invite/complete",
+	"/_dineway/api/auth/oauth/",
+	"/_dineway/api/oauth/device/token",
+	"/_dineway/api/oauth/device/code",
+	"/_dineway/api/oauth/token",
+	"/_dineway/api/comments/",
+	"/_dineway/api/media/file/",
+	"/_dineway/.well-known/"
+];
+const PUBLIC_API_EXACT = new Set([
+	"/_dineway/api/auth/passkey/options",
+	"/_dineway/api/auth/passkey/verify",
+	"/_dineway/api/oauth/token",
+	"/_dineway/api/snapshot",
+	"/_dineway/api/search"
+]);
+function isPublicDinewayRoute(pathname) {
+	if (PUBLIC_API_EXACT.has(pathname)) return true;
+	if (PUBLIC_API_PREFIXES.some((p) => pathname.startsWith(p))) return true;
+	if (import.meta.env.DEV && pathname === "/_dineway/api/typegen") return true;
+	return false;
+}
+const onRequest = defineMiddleware(async (context, next) => {
+	const { url } = context;
+	const isAdminRoute = url.pathname.startsWith("/_dineway/admin");
+	const isSetupRoute = url.pathname.startsWith("/_dineway/admin/setup");
+	const isApiRoute = url.pathname.startsWith("/_dineway/api");
+	const isPublicApiRoute = isPublicDinewayRoute(url.pathname);
+	const isPublicRoute = !isAdminRoute && !isApiRoute;
+	if (isPublicApiRoute) {
+		const method = context.request.method.toUpperCase();
+		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+			const publicOrigin = getPublicOrigin(url, context.locals.dineway?.config);
+			const csrfError = checkPublicCsrf(context.request, url, publicOrigin);
+			if (csrfError) return csrfError;
+		}
+		return next();
+	}
+	if (url.pathname.startsWith("/_dineway/api/plugins/")) {
+		const method = context.request.method.toUpperCase();
+		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+			const publicOrigin = getPublicOrigin(url, context.locals.dineway?.config);
+			const csrfError = checkPublicCsrf(context.request, url, publicOrigin);
+			if (csrfError) return csrfError;
+		}
+		return handlePluginRouteAuth(context, next);
+	}
+	if (isSetupRoute) {
+		const method = context.request.method.toUpperCase();
+		if (method !== "GET" && method !== "HEAD" && method !== "OPTIONS") {
+			if (context.request.headers.get("X-Dineway-Request") !== "1") return new Response(JSON.stringify({ error: {
+				code: "CSRF_REJECTED",
+				message: "Missing required header"
+			} }), {
+				status: 403,
+				headers: {
+					"Content-Type": "application/json",
+					...MW_CACHE_HEADERS
+				}
+			});
+		}
+		return next();
+	}
+	if (isPublicRoute) return handlePublicRouteAuth(context, next);
+	const bearerResult = await handleBearerAuth(context);
+	if (bearerResult === "invalid") {
+		const headers = {
+			"Content-Type": "application/json",
+			...MW_CACHE_HEADERS
+		};
+		if (url.pathname === "/_dineway/api/mcp") headers["WWW-Authenticate"] = `Bearer resource_metadata="${getPublicOrigin(url, context.locals.dineway?.config)}/.well-known/oauth-protected-resource"`;
+		return new Response(JSON.stringify({ error: {
+			code: "INVALID_TOKEN",
+			message: "Invalid or expired token"
+		} }), {
+			status: 401,
+			headers
+		});
+	}
+	const isTokenAuth = bearerResult === "authenticated";
+	const method = context.request.method.toUpperCase();
+	const isOAuthConsent = url.pathname.startsWith("/_dineway/oauth/authorize");
+	if (isApiRoute && !isTokenAuth && !isOAuthConsent && method !== "GET" && method !== "HEAD" && method !== "OPTIONS" && !isPublicApiRoute) {
+		if (context.request.headers.get("X-Dineway-Request") !== "1") return new Response(JSON.stringify({ error: {
+			code: "CSRF_REJECTED",
+			message: "Missing required header"
+		} }), {
+			status: 403,
+			headers: {
+				"Content-Type": "application/json",
+				...MW_CACHE_HEADERS
+			}
+		});
+	}
+	if (isTokenAuth) {
+		const scopeError = enforceTokenScope(url.pathname, method, context.locals.tokenScopes);
+		if (scopeError) return scopeError;
+		const response = await next();
+		if (!import.meta.env.DEV) response.headers.set("Content-Security-Policy", buildDinewayCsp());
+		return response;
+	}
+	const response = await handleDinewayAuth(context, next);
+	if (!import.meta.env.DEV) response.headers.set("Content-Security-Policy", buildDinewayCsp());
+	return response;
+});
+/**
+* Auth handling for /_dineway routes. Returns a Response from either
+* an auth error/redirect or the downstream route handler.
+*/
+async function handleDinewayAuth(context, next) {
+	const { url, locals } = context;
+	const { dineway } = locals;
+	const isLoginRoute = url.pathname.startsWith("/_dineway/admin/login");
+	const isApiRoute = url.pathname.startsWith("/_dineway/api");
+	if (!dineway?.db) return next();
+	const authMode = getAuthMode(dineway.config);
+	if (authMode.type === "external") {
+		if (import.meta.env.DEV) {
+			if (isLoginRoute) return next();
+			return handlePasskeyAuth(context, next, isApiRoute);
+		}
+		return handleExternalAuth(context, next, authMode, isApiRoute);
+	}
+	if (isLoginRoute) return next();
+	return handlePasskeyAuth(context, next, isApiRoute);
+}
+/**
+* Soft auth for plugin routes: resolve user from Bearer token or session if present,
+* but never block unauthenticated requests. The catch-all handler checks route
+* metadata to decide whether auth is required (public vs private routes).
+*/
+async function handlePluginRouteAuth(context, next) {
+	const { locals } = context;
+	const { dineway } = locals;
+	try {
+		const bearerResult = await handleBearerAuth(context);
+		if (bearerResult === "authenticated") return next();
+		if (bearerResult === "invalid") return new Response(JSON.stringify({ error: {
+			code: "INVALID_TOKEN",
+			message: "Invalid or expired token"
+		} }), {
+			status: 401,
+			headers: {
+				"Content-Type": "application/json",
+				...MW_CACHE_HEADERS
+			}
+		});
+	} catch (error) {
+		console.error("Plugin route bearer auth error:", error);
+	}
+	try {
+		const { session } = context;
+		const sessionUser = await session?.get("user");
+		if (sessionUser?.id && dineway?.db) {
+			const user = await createKyselyAdapter(dineway.db).getUserById(sessionUser.id);
+			if (user && !user.disabled) locals.user = user;
+		}
+	} catch (error) {
+		console.error("Plugin route session auth error:", error);
+	}
+	return next();
+}
+/**
+* Soft auth check for public routes with edit mode cookie.
+* Checks the session and sets locals.user if valid, but never blocks the request.
+*/
+async function handlePublicRouteAuth(context, next) {
+	const { locals, session } = context;
+	const { dineway } = locals;
+	try {
+		const sessionUser = await session?.get("user");
+		if (sessionUser?.id && dineway?.db) {
+			const user = await createKyselyAdapter(dineway.db).getUserById(sessionUser.id);
+			if (user && !user.disabled) locals.user = user;
+		}
+	} catch {}
+	return next();
+}
+/**
+* Handle external auth provider authentication
+*/
+async function handleExternalAuth(context, next, authMode, _isApiRoute) {
+	const { locals, request } = context;
+	const { dineway } = locals;
+	try {
+		if (typeof authenticate !== "function") throw new Error(`Auth provider ${authMode.entrypoint} does not export an authenticate function`);
+		const authResult = await authenticate(request, authMode.config);
+		const externalConfig = authMode.config;
+		const adapter = createKyselyAdapter(dineway.db);
+		let user = await adapter.getUserByEmail(authResult.email);
+		if (!user) {
+			if (externalConfig.autoProvision === false) return new Response("User not authorized", {
+				status: 403,
+				headers: {
+					"Content-Type": "text/plain",
+					...MW_CACHE_HEADERS
+				}
+			});
+			const userCount = await dineway.db.selectFrom("users").select(dineway.db.fn.count("id").as("count")).executeTakeFirst();
+			const isFirstUser = Number(userCount?.count ?? 0) === 0;
+			const role = isFirstUser ? ROLE_ADMIN : authResult.role;
+			const now = (/* @__PURE__ */ new Date()).toISOString();
+			const newUser = {
+				id: ulid(),
+				email: authResult.email,
+				name: authResult.name,
+				role,
+				email_verified: 1,
+				created_at: now,
+				updated_at: now
+			};
+			await dineway.db.insertInto("users").values(newUser).execute();
+			user = await adapter.getUserByEmail(authResult.email);
+			console.log(`[external-auth] Provisioned user: ${authResult.email} (role: ${role}, first: ${isFirstUser})`);
+		} else {
+			const updates = {};
+			let newName;
+			let newRole;
+			if (authResult.name && user.name !== authResult.name) {
+				newName = authResult.name;
+				updates.name = newName;
+			}
+			if (externalConfig.syncRoles && user.role !== authResult.role) {
+				newRole = authResult.role;
+				updates.role = newRole;
+			}
+			if (Object.keys(updates).length > 0) {
+				updates.updated_at = (/* @__PURE__ */ new Date()).toISOString();
+				await dineway.db.updateTable("users").set(updates).where("id", "=", user.id).execute();
+				user = {
+					...user,
+					...newName ? { name: newName } : {},
+					...newRole ? { role: newRole } : {}
+				};
+				console.log(`[external-auth] Updated user ${authResult.email}:`, Object.keys(updates).filter((k) => k !== "updated_at"));
+			}
+		}
+		if (!user) return new Response("Failed to provision user", {
+			status: 500,
+			headers: {
+				"Content-Type": "text/plain",
+				...MW_CACHE_HEADERS
+			}
+		});
+		if (user.disabled) return new Response("Account disabled", {
+			status: 403,
+			headers: {
+				"Content-Type": "text/plain",
+				...MW_CACHE_HEADERS
+			}
+		});
+		locals.user = user;
+		const { session } = context;
+		session?.set("user", { id: user.id });
+		return next();
+	} catch (error) {
+		console.error("[external-auth] Auth error:", error);
+		return new Response("Authentication failed", {
+			status: 401,
+			headers: {
+				"Content-Type": "text/plain",
+				...MW_CACHE_HEADERS
+			}
+		});
+	}
+}
+/**
+* Try to authenticate via Bearer token (API token or OAuth token).
+*
+* Returns:
+* - "authenticated" if token is valid and user is resolved
+* - "invalid" if a token was provided but is invalid/expired
+* - "none" if no Bearer token was provided
+*/
+async function handleBearerAuth(context) {
+	const authHeader = context.request.headers.get("Authorization");
+	if (!authHeader?.startsWith("Bearer ")) return "none";
+	const token = authHeader.slice(7);
+	if (!token) return "none";
+	const { locals } = context;
+	const { dineway } = locals;
+	if (!dineway?.db) return "none";
+	let resolved = null;
+	if (token.startsWith("ec_pat_")) resolved = await resolveApiToken(dineway.db, token);
+	else if (token.startsWith("ec_oat_")) resolved = await resolveOAuthToken(dineway.db, token);
+	else return "invalid";
+	if (!resolved) return "invalid";
+	const user = await createKyselyAdapter(dineway.db).getUserById(resolved.userId);
+	if (!user || user.disabled) return "invalid";
+	locals.user = user;
+	locals.tokenScopes = resolved.scopes;
+	return "authenticated";
+}
+/**
+* Handle passkey (session-based) authentication
+*/
+async function handlePasskeyAuth(context, next, isApiRoute) {
+	const { url, locals, session } = context;
+	const { dineway } = locals;
+	try {
+		const sessionUser = await session?.get("user");
+		if (!sessionUser?.id) {
+			if (isApiRoute) {
+				const headers = { ...MW_CACHE_HEADERS };
+				if (url.pathname === "/_dineway/api/mcp") headers["WWW-Authenticate"] = `Bearer resource_metadata="${getPublicOrigin(url, dineway?.config)}/.well-known/oauth-protected-resource"`;
+				return Response.json({ error: {
+					code: "NOT_AUTHENTICATED",
+					message: "Not authenticated"
+				} }, {
+					status: 401,
+					headers
+				});
+			}
+			const loginUrl = new URL("/_dineway/admin/login", getPublicOrigin(url, dineway?.config));
+			loginUrl.searchParams.set("redirect", url.pathname);
+			return context.redirect(loginUrl.toString());
+		}
+		const user = await createKyselyAdapter(dineway.db).getUserById(sessionUser.id);
+		if (!user) {
+			session?.destroy();
+			if (isApiRoute) return Response.json({ error: {
+				code: "NOT_FOUND",
+				message: "User not found"
+			} }, {
+				status: 401,
+				headers: MW_CACHE_HEADERS
+			});
+			const loginUrl = new URL("/_dineway/admin/login", getPublicOrigin(url, dineway?.config));
+			return context.redirect(loginUrl.toString());
+		}
+		if (user.disabled) {
+			session?.destroy();
+			if (isApiRoute) return apiError("ACCOUNT_DISABLED", "Account disabled", 403);
+			const loginUrl = new URL("/_dineway/admin/login", getPublicOrigin(url, dineway?.config));
+			loginUrl.searchParams.set("error", "account_disabled");
+			return context.redirect(loginUrl.toString());
+		}
+		locals.user = user;
+	} catch (error) {
+		console.error("Auth middleware error:", error);
+		return context.redirect("/_dineway/admin/login");
+	}
+	return next();
+}
+/**
+* Scope rules: ordered list of (pathPrefix, method, requiredScope) tuples.
+* First matching rule wins. Methods: "*" = any, "WRITE" = POST/PUT/PATCH/DELETE.
+*
+* Routes not matched by any rule default to "admin" scope (fail-closed).
+*/
+const SCOPE_RULES = [
+	[
+		"/_dineway/api/content",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_dineway/api/content",
+		"WRITE",
+		"content:write"
+	],
+	[
+		"/_dineway/api/media/file",
+		"*",
+		"media:read"
+	],
+	[
+		"/_dineway/api/media",
+		"GET",
+		"media:read"
+	],
+	[
+		"/_dineway/api/media",
+		"WRITE",
+		"media:write"
+	],
+	[
+		"/_dineway/api/schema",
+		"GET",
+		"schema:read"
+	],
+	[
+		"/_dineway/api/schema",
+		"WRITE",
+		"schema:write"
+	],
+	[
+		"/_dineway/api/taxonomies",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_dineway/api/taxonomies",
+		"WRITE",
+		"content:write"
+	],
+	[
+		"/_dineway/api/menus",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_dineway/api/menus",
+		"WRITE",
+		"content:write"
+	],
+	[
+		"/_dineway/api/sections",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_dineway/api/sections",
+		"WRITE",
+		"content:write"
+	],
+	[
+		"/_dineway/api/widget-areas",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_dineway/api/widget-areas",
+		"WRITE",
+		"content:write"
+	],
+	[
+		"/_dineway/api/revisions",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_dineway/api/revisions",
+		"WRITE",
+		"content:write"
+	],
+	[
+		"/_dineway/api/search",
+		"GET",
+		"content:read"
+	],
+	[
+		"/_dineway/api/search",
+		"WRITE",
+		"admin"
+	],
+	[
+		"/_dineway/api/import",
+		"*",
+		"admin"
+	],
+	[
+		"/_dineway/api/admin",
+		"*",
+		"admin"
+	],
+	[
+		"/_dineway/api/settings",
+		"*",
+		"admin"
+	],
+	[
+		"/_dineway/api/plugins",
+		"*",
+		"admin"
+	],
+	[
+		"/_dineway/api/mcp",
+		"*",
+		"content:read"
+	]
+];
+const WRITE_METHODS = new Set([
+	"POST",
+	"PUT",
+	"PATCH",
+	"DELETE"
+]);
+/**
+* Enforce API token scopes based on the request URL and HTTP method.
+* Returns a 403 Response if the scope is insufficient, or null if allowed.
+*
+* Session-authenticated requests (tokenScopes === undefined) are never checked.
+*/
+function enforceTokenScope(pathname, method, tokenScopes) {
+	if (!tokenScopes) return null;
+	const isWrite = WRITE_METHODS.has(method);
+	for (const [prefix, ruleMethod, scope] of SCOPE_RULES) {
+		if (pathname !== prefix && !pathname.startsWith(prefix + "/")) continue;
+		if (ruleMethod === "*" || ruleMethod === "WRITE" && isWrite || ruleMethod === method) {
+			if (hasScope(tokenScopes, scope)) return null;
+			return new Response(JSON.stringify({ error: {
+				code: "INSUFFICIENT_SCOPE",
+				message: `Token lacks required scope: ${scope}`
+			} }), {
+				status: 403,
+				headers: {
+					"Content-Type": "application/json",
+					...MW_CACHE_HEADERS
+				}
+			});
+		}
+	}
+	if (hasScope(tokenScopes, "admin")) return null;
+	return new Response(JSON.stringify({ error: {
+		code: "INSUFFICIENT_SCOPE",
+		message: "Token lacks required scope: admin"
+	} }), {
+		status: 403,
+		headers: {
+			"Content-Type": "application/json",
+			...MW_CACHE_HEADERS
+		}
+	});
+}
+
+//#endregion
+export { onRequest };