jamdesk 1.1.21 → 1.1.23

package/vendored/lib/docs-types.ts

@@ -741,6 +741,31 @@ export interface SpellcheckConfig {
   ignore?: string[];
 }
 
+/**
+ * Shared-password site protection config.
+ *
+ * Requires the password to be set in the Jamdesk dashboard; this block only
+ * controls declarative opt-in and public path exceptions.
+ */
+export interface PasswordAuthConfig {
+  /** Opt in to password protection. Site is only gated when this is true AND a password has been set in the dashboard. */
+  enabled?: boolean;
+  /** Optional hint shown on the unlock page (e.g., "Ask your account manager"). Plain text, no HTML. */
+  hint?: string;
+  /** Paths or globs that bypass the password check. Supports '*' (one path segment) and '**' (recursive). */
+  public?: string[];
+  /** Exact paths that require authentication even when the whole site is not password-protected (specific-pages mode). */
+  private?: string[];
+}
+
+/**
+ * Auth configuration for access control. Currently supports shared-password
+ * protection; additional mechanisms may be added in future.
+ */
+export interface AuthConfig {
+  password?: PasswordAuthConfig;
+}
+
 /**
  * Image optimization configuration
  */
@@ -815,6 +840,7 @@ export interface DocsConfig {
   analytics?: AnalyticsConfig;
   chat?: ChatConfig;
   spellcheck?: SpellcheckConfig;
+  auth?: AuthConfig;
   images?: ImagesConfig;
 
   // Mintlify compatibility fields (normalized at load time)

package/vendored/lib/extract-highlights.ts

@@ -3,6 +3,11 @@ import type { DocsConfig } from './docs-types.js';
 /**
  * Highlights extracted from docs.json for dashboard display.
  * IMPORTANT: Keep in sync with DocsConfigHighlights in dashboard/hosting/app/lib/domain.ts
+ *
+ * `passwordProtection` is not in this interface: it can't be computed from
+ * docs.json alone (specific-pages mode is signalled by frontmatter), so
+ * build.ts writes the authoritative value after the auth-mode detector
+ * has seen both planes.
  */
 export interface ExtractedHighlights {
   siteName: string;

package/vendored/lib/glob-match.ts

@@ -0,0 +1,83 @@
+/**
+ * Path matcher for password-protection public-path lists.
+ *
+ * Splits each input list into a Set of literal paths plus an array of
+ * compiled regexes. The Set lookup short-circuits the regex loop for
+ * literal slugs, which dominate the inverted publicPaths list in
+ * specific-pages mode (where it can hold hundreds of literal slugs from
+ * the inverted page list).
+ *
+ * Compiled paths are cached on a WeakMap keyed by array reference, so
+ * call sites that reuse the same array (auth-resolver between requests
+ * on a warm edge worker, public-paths-resolver within a single build)
+ * amortize the regex-compile cost.
+ */
+
+const GLOB_CHARS_RE = /[*?[\]]/;
+
+function globToRegex(glob: string): RegExp {
+  // Escape regex metacharacters except * which is handled below.
+  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
+  // ** must be processed before * to avoid double-replacement.
+  const withRecursive = escaped.replace(/\*\*/g, '___DOUBLE_STAR___');
+  // Single * matches one path segment (no slashes).
+  const withSingle = withRecursive.replace(/\*/g, '[^/]*');
+  // ** matches any character including slashes.
+  const finalPattern = withSingle.replace(/___DOUBLE_STAR___/g, '.*');
+  return new RegExp(`^${finalPattern}$`);
+}
+
+interface CompiledPaths {
+  literals: Set<string>;
+  regexes: RegExp[];
+}
+
+const compiledCache = new WeakMap<string[], CompiledPaths>();
+
+function compilePublicPaths(publicPaths: string[]): CompiledPaths {
+  const cached = compiledCache.get(publicPaths);
+  if (cached) return cached;
+
+  const literals = new Set<string>();
+  const regexes: RegExp[] = [];
+  for (const path of publicPaths) {
+    if (GLOB_CHARS_RE.test(path)) {
+      regexes.push(globToRegex(path));
+    } else {
+      literals.add(path);
+    }
+  }
+
+  const compiled: CompiledPaths = { literals, regexes };
+  compiledCache.set(publicPaths, compiled);
+  return compiled;
+}
+
+/**
+ * Check whether a pathname matches any of the public-path globs.
+ *
+ * For hostAtDocs projects, strips the `/docs` prefix before matching since
+ * authors write public paths relative to the site root. The strip only
+ * applies when `/docs` is an exact path or is followed by `/` — a look-alike
+ * prefix like `/docsfoo` must NOT be rewritten to `/foo`.
+ */
+export function matchPublicPath(
+  pathname: string,
+  publicPaths: string[],
+  hostAtDocs: boolean,
+): boolean {
+  if (publicPaths.length === 0) return false;
+
+  let normalized = pathname;
+  if (hostAtDocs) {
+    if (pathname === '/docs') {
+      normalized = '/';
+    } else if (pathname.startsWith('/docs/')) {
+      normalized = pathname.slice(5); // '/docs/' → '/' (keep leading slash)
+    }
+  }
+
+  const { literals, regexes } = compilePublicPaths(publicPaths);
+  if (literals.has(normalized)) return true;
+  return regexes.some((re) => re.test(normalized));
+}

package/vendored/lib/middleware-helpers.ts

@@ -19,6 +19,13 @@ import { getRedirects, matchRedirect, mergeQueryStrings, isInvalidDestination }
 import { ASSET_PREFIX } from './docs-types';
 import type { NextRequest } from 'next/server';
 
+/**
+ * Project slug character set — lowercase alphanumeric + hyphens, must
+ * start with an alphanumeric. Used as a defense-in-depth guard against
+ * URL-encoded path traversal or Redis-key injection via crafted slugs.
+ */
+export const VALID_SLUG_RE = /^[a-z0-9][a-z0-9-]*$/;
+
 /**
  * Result of project resolution.
  */
@@ -81,6 +88,25 @@ export async function handleProjectResolution(
     return { projectSlug: null, hostAtDocs: true, skip: true };
   }
 
+  // Dev-only fallback for localhost: `dev-project.cjs` sets PROJECT_NAME
+  // to the slug being served. With ISR_MODE=true the middleware normally
+  // resolves the slug from the hostname, but localhost never matches a
+  // *.jamdesk.app pattern. Allow a hostname override so developers can
+  // exercise the real auth gate locally. Hard-gated by NODE_ENV.
+  if (
+    process.env.NODE_ENV !== 'production' &&
+    process.env.PROJECT_NAME &&
+    (hostname.startsWith('localhost') || hostname.startsWith('127.0.0.1'))
+  ) {
+    const slug = process.env.PROJECT_NAME;
+    log('info', 'Dev localhost fallback: resolving project from PROJECT_NAME', {
+      hostname,
+      slug,
+    });
+    const config = await getProjectConfig(slug);
+    return { projectSlug: slug, hostAtDocs: config.hostAtDocs };
+  }
+
   log('info', 'Resolving project from hostname', { hostname });
 
   // Check if it's a Jamdesk subdomain first (fast path)

package/vendored/lib/public-paths-resolver.ts

@@ -0,0 +1,227 @@
+import type { DocsConfig } from './docs-types.js';
+import { matchPublicPath } from './glob-match.js';
+
+interface PageWithFrontmatter {
+  slug: string;
+  frontmatter: Record<string, unknown>;
+}
+
+interface Input {
+  docsConfig: DocsConfig;
+  pagesWithFrontmatter: PageWithFrontmatter[];
+}
+
+/**
+ * Walk the navigation tree and return the slug of the first leaf page.
+ * Matches the resolution used by `app/[[...slug]]/page.tsx:findFirstPage`
+ * so specific-pages mode can keep the root path public when the first
+ * nav page is public. Returns null if no leaf page is found.
+ */
+export function findFirstNavPage(nav: unknown): string | null {
+  if (!nav || typeof nav !== 'object') return null;
+  const node = nav as Record<string, unknown>;
+  const pages = node.pages;
+
+  if (Array.isArray(pages)) {
+    for (const p of pages) {
+      if (typeof p === 'string' && p.length > 0) return '/' + p;
+      if (p && typeof p === 'object') {
+        const pageVal = (p as Record<string, unknown>).page;
+        if (typeof pageVal === 'string' && pageVal.length > 0) {
+          return '/' + pageVal;
+        }
+        const nested = findFirstNavPage(p);
+        if (nested) return nested;
+      }
+    }
+    // A group is an atomic container — exhaust its pages rather than
+    // falling through to the sibling-key loop below (which is for
+    // top-level nav shapes like tabs/anchors/languages, not group contents).
+    if ('group' in node) return null;
+  }
+
+  for (const key of ['groups', 'tabs', 'anchors', 'versions', 'languages']) {
+    const arr = node[key];
+    if (Array.isArray(arr)) {
+      for (const item of arr) {
+        const nested = findFirstNavPage(item);
+        if (nested) return nested;
+      }
+    }
+  }
+
+  return null;
+}
+
+function collectPublicGroupPages(
+  nav: unknown,
+  inPublicGroup: boolean = false,
+  out: string[] = []
+): string[] {
+  if (!nav || typeof nav !== 'object') return out;
+
+  const node = nav as Record<string, unknown>;
+
+  if ('group' in node && Array.isArray((node as any).pages)) {
+    const isPublic = inPublicGroup || node.public === true;
+    for (const p of (node as any).pages) {
+      if (typeof p === 'string') {
+        if (isPublic) out.push(`/${p}`);
+      } else {
+        collectPublicGroupPages(p, isPublic, out);
+      }
+    }
+    return out;
+  }
+
+  if (Array.isArray((node as any).pages)) {
+    for (const p of (node as any).pages) {
+      collectPublicGroupPages(p, inPublicGroup, out);
+    }
+  }
+
+  for (const key of ['groups', 'tabs', 'anchors', 'versions', 'languages']) {
+    const arr = (node as any)[key];
+    if (Array.isArray(arr)) {
+      for (const item of arr) {
+        collectPublicGroupPages(item, inPublicGroup, out);
+      }
+    }
+  }
+
+  return out;
+}
+
+/**
+ * Resolve the final list of public paths by merging three sources:
+ *   1. MDX frontmatter `public: true`
+ *   2. Navigation groups with `public: true` in docs.json
+ *   3. `auth.password.public[]` globs in docs.json
+ */
+export function resolvePublicPaths(input: Input): string[] {
+  const set = new Set<string>();
+
+  for (const p of input.pagesWithFrontmatter) {
+    if (p.frontmatter.public === true) {
+      set.add(p.slug);
+    }
+  }
+
+  for (const path of collectPublicGroupPages(input.docsConfig.navigation)) {
+    set.add(path);
+  }
+
+  const globs = (input.docsConfig as any).auth?.password?.public;
+  if (Array.isArray(globs)) {
+    for (const g of globs) {
+      if (typeof g === 'string' && g.startsWith('/')) {
+        set.add(g);
+      }
+    }
+  }
+
+  return Array.from(set);
+}
+
+/**
+ * Collect paths marked private via:
+ *   1. MDX frontmatter `private: true`
+ *   2. `auth.password.private[]` exact paths in docs.json
+ *
+ * Public wins over private: if a page appears in (or matches a glob in) the
+ * public set, it stays public regardless of any private marker. We use
+ * matchPublicPath here so a glob like `/changelog/*` correctly shadows
+ * `/changelog/release-1` — without this, the page would land in the private
+ * list while the middleware actually serves it publicly via the glob match,
+ * and the dashboard would lie about which pages are gated.
+ */
+export function collectPrivatePaths(input: Input): string[] {
+  const publicPaths = resolvePublicPaths(input);
+  const isPublic = (path: string): boolean =>
+    matchPublicPath(path, publicPaths, false);
+  const privateSet = new Set<string>();
+
+  for (const p of input.pagesWithFrontmatter) {
+    if (p.frontmatter.private === true && !isPublic(p.slug)) {
+      privateSet.add(p.slug);
+    }
+  }
+
+  const configPrivate = input.docsConfig.auth?.password?.private;
+  if (Array.isArray(configPrivate)) {
+    for (const entry of configPrivate) {
+      if (
+        typeof entry === 'string' &&
+        entry.startsWith('/') &&
+        !isPublic(entry)
+      ) {
+        privateSet.add(entry);
+      }
+    }
+  }
+
+  return Array.from(privateSet);
+}
+
+// ---------------------------------------------------------------------------
+// detectAuthMode
+// ---------------------------------------------------------------------------
+
+export type AuthMode = 'off' | 'all' | 'specific';
+
+export interface AuthModeResult {
+  mode: AuthMode;
+  publicPaths: string[];
+  privatePaths: string[];
+}
+
+/**
+ * Determine the effective auth mode from the docs config and page frontmatter.
+ *
+ * 1. `auth.password.enabled === true` → mode='all'
+ * 2. Private markers exist (frontmatter or config) → mode='specific'
+ * 3. Otherwise → mode='off'
+ */
+export function detectAuthMode(input: Input): AuthModeResult {
+  const enabled = input.docsConfig.auth?.password?.enabled === true;
+
+  if (enabled) {
+    return {
+      mode: 'all',
+      publicPaths: resolvePublicPaths(input),
+      privatePaths: [],
+    };
+  }
+
+  const privatePaths = collectPrivatePaths(input);
+  if (privatePaths.length === 0) {
+    return { mode: 'off', publicPaths: [], privatePaths: [] };
+  }
+
+  // Specific mode: invert the page list (all pages minus private) and
+  // union with the explicit public set so non-MDX routes like
+  // /api/openapi survive the inversion.
+  const privateSet = new Set(privatePaths);
+  const publicSet = new Set<string>();
+  for (const p of input.pagesWithFrontmatter) {
+    if (!privateSet.has(p.slug)) publicSet.add(p.slug);
+  }
+  for (const path of resolvePublicPaths(input)) {
+    publicSet.add(path);
+  }
+
+  // The root path `/` is a routing artifact that resolves in-place to
+  // the first nav page. Without this, specific-pages mode would gate the
+  // homepage while the page it resolves to is reachable at its own URL —
+  // surprising UX and a signal that a password exists.
+  const firstPage = findFirstNavPage(input.docsConfig.navigation);
+  if (firstPage && !privateSet.has(firstPage)) {
+    publicSet.add('/');
+  }
+
+  return {
+    mode: 'specific',
+    publicPaths: Array.from(publicSet),
+    privatePaths,
+  };
+}

package/vendored/lib/redis.ts

@@ -21,3 +21,97 @@ export const redis = redisUrl && redisToken && redisUrl.startsWith('https://')
 export function isRedisConfigured(): boolean {
   return redis !== null;
 }
+
+// ---------------------------------------------------------------------------
+// Auth key helpers
+// These are used by the build pipeline (build-service) to write/clear the
+// auth configuration in Redis on every build.
+// ---------------------------------------------------------------------------
+
+/**
+ * Minimal Upstash REST command helper (fetch-based, edge-compatible).
+ * Avoids the @upstash/redis SDK for commands that need raw URL encoding.
+ */
+async function upstashCommand(
+  kvUrl: string,
+  kvToken: string,
+  command: string,
+  ...args: string[]
+): Promise<unknown> {
+  const encodedArgs = args.map((arg) => encodeURIComponent(arg));
+  const url = `${kvUrl}/${command}/${encodedArgs.join('/')}`;
+  const response = await fetch(url, {
+    headers: { Authorization: `Bearer ${kvToken}` },
+  });
+  const bodyText = await response.text();
+  let data: any = null;
+  try {
+    data = bodyText ? JSON.parse(bodyText) : null;
+  } catch {
+    data = { result: bodyText };
+  }
+  if (!response.ok) {
+    throw new Error(data?.error || bodyText || `Upstash ${command} failed`);
+  }
+  return data?.result;
+}
+
+/**
+ * Public part of project auth: the docs.json enabled flag + the resolved list
+ * of paths that bypass the password check (from frontmatter `public: true`,
+ * docs.json groups with `public: true`, and `auth.password.public[]` globs).
+ * Written by the build pipeline after every build.
+ *
+ * The `enabled` flag is the docs.json truth-table source. Middleware only
+ * gates traffic when enabled=true AND a hash exists in projectAuthSecret.
+ */
+export async function setProjectAuthPublic(
+  slug: string,
+  value: { enabled: boolean; publicPaths: unknown[] },
+  kvUrl?: string,
+  kvToken?: string
+): Promise<void> {
+  if (!kvUrl || !kvToken) return;
+  // Filter to strings here so the read path (auth-resolver) can trust
+  // the Redis shape and skip the per-request defensive filter — that
+  // filter creates a fresh array on every request and defeats the
+  // matchPublicPath WeakMap cache.
+  const publicPaths = value.publicPaths.filter(
+    (p): p is string => typeof p === 'string',
+  );
+  await upstashCommand(
+    kvUrl,
+    kvToken,
+    'SET',
+    `projectAuthPublic:${slug}`,
+    JSON.stringify({ enabled: value.enabled, publicPaths }),
+  );
+}
+
+/**
+ * Delete the secret part of project auth (disables gating for the project).
+ * Called when auth.password.enabled becomes false so the gate opens immediately
+ * without waiting for an admin to remove the hash manually.
+ */
+export async function deleteProjectAuthSecret(
+  slug: string,
+  kvUrl?: string,
+  kvToken?: string
+): Promise<void> {
+  if (!kvUrl || !kvToken) return;
+  await upstashCommand(kvUrl, kvToken, 'DEL', `projectAuthSecret:${slug}`);
+}
+
+/**
+ * Delete a domain-scoped auth secret mirror.
+ * Called when auth.password.enabled becomes false to ensure no domain mirror
+ * keeps gating traffic after the project-level gate is removed.
+ */
+export async function deleteDomainAuthSecret(
+  hostname: string,
+  kvUrl?: string,
+  kvToken?: string
+): Promise<void> {
+  if (!kvUrl || !kvToken) return;
+  await upstashCommand(kvUrl, kvToken, 'DEL', `domainAuthSecret:${hostname}`);
+}

package/vendored/lib/sanitize-from.ts

@@ -0,0 +1,36 @@
+/**
+ * Validate and sanitize a user-supplied "from" path used for post-unlock redirects.
+ *
+ * Parses the input against a placeholder base URL and requires the resulting
+ * origin to still be the placeholder. Rejects CRLF, backslashes, paths that
+ * don't start with /, and anything that changes origin after URL normalization.
+ * Works in both Edge and Node runtimes.
+ */
+const PLACEHOLDER_BASE = 'https://placeholder.local';
+
+export function sanitizeFrom(raw: string | null | undefined): string {
+  if (!raw) return '/';
+  if (/[\r\n]/.test(raw)) return '/';
+  if (!raw.startsWith('/')) return '/';
+  if (raw.includes('\\')) return '/';
+
+  let parsed: URL;
+  try {
+    parsed = new URL(raw, PLACEHOLDER_BASE);
+  } catch {
+    return '/';
+  }
+
+  if (parsed.origin !== PLACEHOLDER_BASE) return '/';
+
+  // After URL normalization, reject any path that starts with // — these are
+  // protocol-relative references that browsers may interpret as external URLs
+  // (e.g., /..//evil.com normalizes to //evil.com). Also check the decoded
+  // form to catch percent-encoded slashes like /%2F%2Fevil.com → //evil.com.
+  const normalized = parsed.pathname + parsed.search + parsed.hash;
+  if (parsed.pathname.startsWith('//')) return '/';
+  const decodedPathname = decodeURIComponent(parsed.pathname);
+  if (decodedPathname.startsWith('//')) return '/';
+
+  return normalized;
+}

package/vendored/postcss.config.mjs

@@ -0,0 +1,6 @@
+export default {
+  plugins: {
+    '@tailwindcss/postcss': {},
+  },
+}
+

package/vendored/schema/docs-schema.json

@@ -1545,6 +1545,50 @@
                     "additionalProperties": false,
                     "description": "Configuration for the jamdesk spellcheck command"
                 },
+                "auth": {
+                    "type": "object",
+                    "description": "Access control configuration for the docs site.",
+                    "additionalProperties": false,
+                    "properties": {
+                        "password": {
+                            "type": "object",
+                            "description": "Shared-password site protection. Requires the password to be set in the Jamdesk dashboard; this block only controls declarative opt-in and public exceptions.",
+                            "additionalProperties": false,
+                            "properties": {
+                                "enabled": {
+                                    "type": "boolean",
+                                    "description": "Opt in to password protection. Site is only gated when this is true AND a password has been set in the dashboard.",
+                                    "default": false
+                                },
+                                "hint": {
+                                    "type": "string",
+                                    "description": "Optional hint shown on the unlock page (e.g., \"Ask your account manager\"). Plain text, no HTML.",
+                                    "maxLength": 200
+                                },
+                                "public": {
+                                    "type": "array",
+                                    "description": "Paths or globs that bypass the password check. Supports '*' (one path segment) and '**' (recursive). A bare '/' is rejected so the password wall cannot be silently disabled.",
+                                    "items": {
+                                        "type": "string",
+                                        "pattern": "^/[A-Za-z0-9._*/-]+$"
+                                    },
+                                    "maxItems": 100,
+                                    "uniqueItems": true
+                                },
+                                "private": {
+                                    "type": "array",
+                                    "description": "Exact paths (starting with /) that require the password. When set without auth.password.enabled, the feature activates in 'specific pages' mode — only these paths are gated and every other page stays public. A page marked both public and private is treated as public.",
+                                    "items": {
+                                        "type": "string",
+                                        "pattern": "^/[A-Za-z0-9._/-]+$"
+                                    },
+                                    "maxItems": 100,
+                                    "uniqueItems": true
+                                }
+                            }
+                        }
+                    }
+                },
                 "images": {
                     "type": "object",
                     "description": "Image optimization settings for documentation builds",
@@ -1672,6 +1716,9 @@
                 "spellcheck": {
                     "$ref": "#/anyOf/0/properties/spellcheck"
                 },
+                "auth": {
+                    "$ref": "#/anyOf/0/properties/auth"
+                },
                 "images": {
                     "$ref": "#/anyOf/0/properties/images"
                 }
@@ -1791,6 +1838,9 @@
                 "spellcheck": {
                     "$ref": "#/anyOf/0/properties/spellcheck"
                 },
+                "auth": {
+                    "$ref": "#/anyOf/0/properties/auth"
+                },
                 "images": {
                     "$ref": "#/anyOf/0/properties/images"
                 }