mates-fullstack 1.0.0-beta.1

package/dist/sso.d.ts

@@ -0,0 +1,90 @@
+/**
+ * mates-fullstack — sso.ts
+ *
+ * Optional cross-domain SSO middleware.
+ *
+ * Setup:
+ *   Auth server (auth.com):  useSsoProvider({ secret, login: "/login" })
+ *   App server  (app1.com):  useSsoClient({ authUrl, secret, protected: ["/dashboard"] })
+ *
+ * Flow:
+ *   app1.com/dashboard  →  auth.com/api/sso/code?redirect=...  →  login (if needed)
+ *                        →  code JWT  →  app1.com/auth/sso/callback  →  auth.login()
+ */
+export interface SsoProviderOptions {
+    /**
+     * Shared secret between auth server and app servers.
+     * Used to sign and verify the short-lived code JWTs.
+     */
+    secret: string;
+    /**
+     * Path to the login page on the auth server.
+     * Unauthenticated users are redirected here with a `?next` param
+     * so they return to `/api/sso/code` after login.
+     * @default "/login"
+     */
+    login?: string;
+    /**
+     * Lifetime of the code JWT in seconds.
+     * @default 30
+     */
+    codeLifetime?: number;
+    /**
+     * Allowed redirect origins for the `redirect` parameter.
+     * Only URLs starting with these prefixes are accepted.
+     * Must include the protocol (e.g. "https://app1.com").
+     * When unset, only relative paths (starting with `/`) are allowed.
+     */
+    allowedOrigins?: string[];
+}
+export interface SsoClientOptions {
+    /**
+     * Base URL of the auth server (e.g. "https://auth.com").
+     */
+    authUrl: string;
+    /**
+     * Shared secret — must match exactly what the auth server uses.
+     */
+    secret: string;
+    /**
+     * Paths that require authentication.
+     * Unauthenticated visitors are redirected to the auth server.
+     * @default []
+     */
+    protected?: string[];
+    /**
+     * Where to redirect after a successful SSO login.
+     * @default "/"
+     */
+    afterLogin?: string;
+}
+/**
+ * Register SSO provider endpoints on the auth server.
+ *
+ * Creates:
+ *   GET /api/sso/code         — generates a code JWT if authenticated
+ *   GET /api/sso/after-login  — where the login page redirects after auth
+ *
+ * @example
+ * useSsoProvider({
+ *   secret: process.env.SSO_SECRET!,
+ *   login: "/login",
+ * });
+ */
+export declare function useSsoProvider(options: SsoProviderOptions): void;
+/**
+ * Register SSO client endpoints and guarded routes on an app server.
+ *
+ * Creates:
+ *   GET /auth/sso/callback  — verifies the code JWT, calls auth.login()
+ *   onRequest guard     — redirects protected routes to the auth server
+ *
+ * @example
+ * useSsoClient({
+ *   authUrl: "https://auth.com",
+ *   secret: process.env.SSO_SECRET!,
+ *   protected: ["/dashboard", "/settings"],
+ * });
+ */
+export declare function useSsoClient(options: SsoClientOptions): void;
+//# sourceMappingURL=sso.d.ts.map

package/dist/sso.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso.d.ts","sourceRoot":"","sources":["../src/sso.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AASH,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;;;;OAKG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AA4CD;;;;;;;;;;;;GAYG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,kBAAkB,GAAG,IAAI,CA8GhE;AAMD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,gBAAgB,GAAG,IAAI,CAyE5D"}

package/dist/sso.js

@@ -0,0 +1,261 @@
+/**
+ * mates-fullstack — sso.ts
+ *
+ * Optional cross-domain SSO middleware.
+ *
+ * Setup:
+ *   Auth server (auth.com):  useSsoProvider({ secret, login: "/login" })
+ *   App server  (app1.com):  useSsoClient({ authUrl, secret, protected: ["/dashboard"] })
+ *
+ * Flow:
+ *   app1.com/dashboard  →  auth.com/api/sso/code?redirect=...  →  login (if needed)
+ *                        →  code JWT  →  app1.com/auth/sso/callback  →  auth.login()
+ */
+import { onRequest } from "./middleware.js";
+import { auth } from "./mates-auth.js";
+import { jwt } from "./jwt.js";
+// ─── Cookie helpers (internal, temporary) ─────────────────────────────────────
+const SSO_REDIRECT_COOKIE = "sso_redirect";
+const SSO_AFTER_LOGIN_COOKIE = "sso_after_login";
+const SSO_CODE_PARAM = "code";
+function _setTempCookie(ctx, name, value, path) {
+    ctx.cookie.set(name, value, {
+        httpOnly: true,
+        sameSite: "lax",
+        path,
+        maxAge: 300, // 5 min
+        secure: process.env.NODE_ENV === "production",
+    });
+}
+function _clearTempCookie(ctx, name, path) {
+    ctx.cookie.delete(name, { path });
+}
+/**
+ * Resolve the public origin for the current request.
+ * Used by the client to build the callback URL for the auth server.
+ */
+function _publicOrigin(req) {
+    const url = new URL(req.url);
+    const host = req.headers.get("x-forwarded-host") ?? url.host;
+    const proto = req.headers.get("x-forwarded-proto") ?? url.protocol.slice(0, -1);
+    return `${proto}://${host}`;
+}
+// ─── Provider side (auth.com) ────────────────────────────────────────────────
+const SSO_CODE_PATH = "/api/sso/code";
+const SSO_AFTER_LOGIN_PATH = "/api/sso/after-login";
+/**
+ * Register SSO provider endpoints on the auth server.
+ *
+ * Creates:
+ *   GET /api/sso/code         — generates a code JWT if authenticated
+ *   GET /api/sso/after-login  — where the login page redirects after auth
+ *
+ * @example
+ * useSsoProvider({
+ *   secret: process.env.SSO_SECRET!,
+ *   login: "/login",
+ * });
+ */
+export function useSsoProvider(options) {
+    const secret = options.secret;
+    if (!secret || secret.length < 8) {
+        throw new Error("useSsoProvider: secret must be at least 8 characters.");
+    }
+    const login = options.login ?? "/login";
+    const codeLifetime = options.codeLifetime ?? 30;
+    const tokens = jwt(secret);
+    onRequest(async (c) => {
+        const url = new URL(c.req.raw.url);
+        const pathname = url.pathname;
+        // ── Entry: GET /api/sso/code?redirect=... ──────────────────────────────
+        if (pathname === SSO_CODE_PATH) {
+            if (c.req.method !== "GET") {
+                return new Response(JSON.stringify({ error: "Method not allowed" }), {
+                    status: 405,
+                    headers: { "content-type": "application/json" },
+                });
+            }
+            const redirect = url.searchParams.get("redirect");
+            if (!redirect) {
+                return new Response(JSON.stringify({ error: 'Missing "redirect" parameter' }), { status: 400, headers: { "content-type": "application/json" } });
+            }
+            if (!_isValidRedirect(redirect, options.allowedOrigins)) {
+                return new Response(JSON.stringify({ error: "Invalid redirect target" }), { status: 400, headers: { "content-type": "application/json" } });
+            }
+            // Store the redirect target in a cookie so it survives login redirect
+            _setTempCookie(c, SSO_REDIRECT_COOKIE, redirect, SSO_CODE_PATH);
+            _setTempCookie(c, SSO_AFTER_LOGIN_COOKIE, redirect, SSO_AFTER_LOGIN_PATH);
+            const userId = (c.auth?.sub ?? c.auth?.userId);
+            if (!userId) {
+                // Not authenticated — redirect to login page
+                const next = encodeURIComponent(SSO_CODE_PATH);
+                const loginUrl = `${login}?next=${next}`;
+                return new Response(null, {
+                    status: 302,
+                    headers: { location: loginUrl },
+                });
+            }
+            // Authenticated — generate a short-lived code JWT and redirect
+            const code = await tokens.sign({
+                sub: userId,
+                ..._pickClaims(c.auth ?? {}),
+                jti: crypto.randomUUID(),
+            }, { expiresIn: codeLifetime });
+            _clearTempCookie(c, SSO_REDIRECT_COOKIE, SSO_CODE_PATH);
+            _clearTempCookie(c, SSO_AFTER_LOGIN_COOKIE, SSO_AFTER_LOGIN_PATH);
+            const location = `${redirect}${redirect.includes("?") ? "&" : "?"}${SSO_CODE_PARAM}=${code}`;
+            return new Response(null, { status: 302, headers: { location } });
+        }
+        // ── After login: GET /api/sso/after-login ──────────────────────────────
+        if (pathname === SSO_AFTER_LOGIN_PATH) {
+            if (c.req.method !== "GET") {
+                return new Response(JSON.stringify({ error: "Method not allowed" }), {
+                    status: 405,
+                    headers: { "content-type": "application/json" },
+                });
+            }
+            const redirect = c.cookie.get(SSO_AFTER_LOGIN_COOKIE) ??
+                c.cookie.get(SSO_REDIRECT_COOKIE);
+            _clearTempCookie(c, SSO_AFTER_LOGIN_COOKIE, SSO_AFTER_LOGIN_PATH);
+            const userId = (c.auth?.sub ?? c.auth?.userId);
+            if (!userId) {
+                const loginUrl = `${login}?next=${encodeURIComponent(SSO_AFTER_LOGIN_PATH)}`;
+                return new Response(null, {
+                    status: 302,
+                    headers: { location: loginUrl },
+                });
+            }
+            if (redirect) {
+                const code = await tokens.sign({
+                    sub: userId,
+                    ..._pickClaims(c.auth ?? {}),
+                    jti: crypto.randomUUID(),
+                }, { expiresIn: codeLifetime });
+                const location = `${redirect}${redirect.includes("?") ? "&" : "?"}${SSO_CODE_PARAM}=${code}`;
+                return new Response(null, { status: 302, headers: { location } });
+            }
+            // No redirect stored — go to home
+            return new Response(null, { status: 302, headers: { location: "/" } });
+        }
+    });
+}
+// ─── Client side (app1.com, app2.com) ─────────────────────────────────────────
+const SSO_CALLBACK_PATH = "/auth/sso/callback";
+/**
+ * Register SSO client endpoints and guarded routes on an app server.
+ *
+ * Creates:
+ *   GET /auth/sso/callback  — verifies the code JWT, calls auth.login()
+ *   onRequest guard     — redirects protected routes to the auth server
+ *
+ * @example
+ * useSsoClient({
+ *   authUrl: "https://auth.com",
+ *   secret: process.env.SSO_SECRET!,
+ *   protected: ["/dashboard", "/settings"],
+ * });
+ */
+export function useSsoClient(options) {
+    const { authUrl, secret, afterLogin } = options;
+    const protectedPaths = options.protected ?? [];
+    if (!secret || secret.length < 8) {
+        throw new Error("useSsoClient: secret must be at least 8 characters.");
+    }
+    if (!authUrl) {
+        throw new Error("useSsoClient: authUrl is required.");
+    }
+    const tokens = jwt(secret);
+    // ── Callback: GET /auth/sso/callback?code=... ────────────────────────────
+    onRequest(async (c) => {
+        const url = new URL(c.req.raw.url);
+        if (url.pathname !== SSO_CALLBACK_PATH)
+            return;
+        const code = url.searchParams.get(SSO_CODE_PARAM);
+        const next = url.searchParams.get("next");
+        if (!code) {
+            return new Response(JSON.stringify({ error: `Missing "${SSO_CODE_PARAM}" parameter` }), { status: 400, headers: { "content-type": "application/json" } });
+        }
+        // Verify the code JWT — ensures it was signed by the auth server
+        const payload = await tokens.verify(code);
+        if (!payload) {
+            return new Response(JSON.stringify({ error: "Invalid or expired code" }), { status: 401, headers: { "content-type": "application/json" } });
+        }
+        // Extract claims — strip JWT timing fields
+        const { iat: _iat, exp: _exp, nbf: _nbf, jti: _jti, ...claims } = payload;
+        await auth.login(c, claims);
+        const location = next ?? afterLogin ?? "/";
+        return new Response(null, { status: 302, headers: { location } });
+    });
+    // ── Guard protected routes ──────────────────────────────────────────────
+    if (protectedPaths.length > 0) {
+        onRequest((c) => {
+            const url = new URL(c.req.raw.url);
+            const pathname = url.pathname;
+            const isProtected = protectedPaths.some((p) => pathname === p || pathname.startsWith(p + "/"));
+            if (!isProtected)
+                return;
+            // Already authenticated
+            const userId = c.auth?.sub ?? c.auth?.userId;
+            if (userId)
+                return;
+            // Redirect to auth server
+            const origin = _publicOrigin(c.req.raw);
+            const callbackUrl = `${origin}${SSO_CALLBACK_PATH}`;
+            const codeUrl = `${authUrl}${SSO_CODE_PATH}`;
+            const redirectTarget = `${codeUrl}?redirect=${encodeURIComponent(callbackUrl + "?next=" + encodeURIComponent(pathname))}`;
+            return new Response(null, {
+                status: 302,
+                headers: { location: redirectTarget },
+            });
+        });
+    }
+}
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+/**
+ * Validate the redirect URL to prevent open redirect attacks.
+ * - Relative paths (starting with `/`) are always allowed.
+ * - Absolute URLs with a host are only allowed if their origin matches
+ *   one of the allowedOrigins.
+ */
+function _isValidRedirect(redirect, allowedOrigins) {
+    if (!redirect)
+        return false;
+    // Reject unsafe patterns
+    if (redirect.startsWith("//"))
+        return false;
+    if (redirect.includes("\\"))
+        return false;
+    if (/[\r\n]/.test(redirect))
+        return false;
+    // Relative paths are safe — always allow
+    if (redirect.startsWith("/"))
+        return true;
+    // Absolute URL — must exactly match an allowed origin
+    if (!allowedOrigins || allowedOrigins.length === 0)
+        return false;
+    try {
+        const u = new URL(redirect);
+        // Only HTTP(S) is allowed for cross-origin redirects
+        if (u.protocol !== "http:" && u.protocol !== "https:")
+            return false;
+        const origin = u.origin;
+        return allowedOrigins.some((allowed) => allowed === origin);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Pick safe display claims from ctx.auth to include in the code JWT.
+ */
+function _pickClaims(auth) {
+    const safe = {};
+    const keys = ["userId", "userName", "username", "name", "email", "roles"];
+    for (const key of keys) {
+        const val = auth[key];
+        if (val !== undefined)
+            safe[key] = val;
+    }
+    return safe;
+}
+//# sourceMappingURL=sso.js.map

package/dist/sso.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso.js","sourceRoot":"","sources":["../src/sso.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AACvC,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAsD/B,iFAAiF;AAEjF,MAAM,mBAAmB,GAAG,cAAc,CAAC;AAC3C,MAAM,sBAAsB,GAAG,iBAAiB,CAAC;AACjD,MAAM,cAAc,GAAG,MAAM,CAAC;AAE9B,SAAS,cAAc,CACrB,GAAY,EACZ,IAAY,EACZ,KAAa,EACb,IAAY;IAEZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE;QAC1B,QAAQ,EAAE,IAAI;QACd,QAAQ,EAAE,KAAK;QACf,IAAI;QACJ,MAAM,EAAE,GAAG,EAAE,QAAQ;QACrB,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;KAC9C,CAAC,CAAC;AACL,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAY,EAAE,IAAY,EAAE,IAAY;IAChE,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,GAAY;IACjC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC;IAC7D,MAAM,KAAK,GACT,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACpE,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;AAC9B,CAAC;AAED,gFAAgF;AAEhF,MAAM,aAAa,GAAG,eAAe,CAAC;AACtC,MAAM,oBAAoB,GAAG,sBAAsB,CAAC;AAEpD;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,cAAc,CAAC,OAA2B;IACxD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC9B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,QAAQ,CAAC;IACxC,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC;IAChD,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IAE3B,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QACpB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnC,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;QAE9B,0EAA0E;QAC1E,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;YAC/B,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBAC3B,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,EAAE;oBACnE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;iBAChD,CAAC,CAAC;YACL,CAAC;YAED,MAAM,QAAQ,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAClD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC,EACzD,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;gBACxD,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,EACpD,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;YACJ,CAAC;YAED,sEAAsE;YACtE,cAAc,CAAC,CAAC,EAAE,mBAAmB,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;YAChE,cAAc,CAAC,CAAC,EAAE,sBAAsB,EAAE,QAAQ,EAAE,oBAAoB,CAAC,CAAC;YAE1E,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,MAAM,CAAuB,CAAC;YACrE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,6CAA6C;gBAC7C,MAAM,IAAI,GAAG,kBAAkB,CAAC,aAAa,CAAC,CAAC;gBAC/C,MAAM,QAAQ,GAAG,GAAG,KAAK,SAAS,IAAI,EAAE,CAAC;gBACzC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACxB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE;iBAChC,CAAC,CAAC;YACL,CAAC;YAED,+DAA+D;YAC/D,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAC5B;gBACE,GAAG,EAAE,MAAM;gBACX,GAAG,WAAW,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;gBAC5B,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE;aACzB,EACD,EAAE,SAAS,EAAE,YAAY,EAAE,CAC5B,CAAC;YAEF,gBAAgB,CAAC,CAAC,EAAE,mBAAmB,EAAE,aAAa,CAAC,CAAC;YACxD,gBAAgB,CAAC,CAAC,EAAE,sBAAsB,EAAE,oBAAoB,CAAC,CAAC;YAElE,MAAM,QAAQ,GAAG,GAAG,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,cAAc,IAAI,IAAI,EAAE,CAAC;YAC7F,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,0EAA0E;QAC1E,IAAI,QAAQ,KAAK,oBAAoB,EAAE,CAAC;YACtC,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBAC3B,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,EAAE;oBACnE,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;iBAChD,CAAC,CAAC;YACL,CAAC;YAED,MAAM,QAAQ,GACZ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,sBAAsB,CAAC;gBACpC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;YACpC,gBAAgB,CAAC,CAAC,EAAE,sBAAsB,EAAE,oBAAoB,CAAC,CAAC;YAElE,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,MAAM,CAAuB,CAAC;YACrE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,QAAQ,GAAG,GAAG,KAAK,SAAS,kBAAkB,CAAC,oBAAoB,CAAC,EAAE,CAAC;gBAC7E,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACxB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE;iBAChC,CAAC,CAAC;YACL,CAAC;YAED,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAC5B;oBACE,GAAG,EAAE,MAAM;oBACX,GAAG,WAAW,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;oBAC5B,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE;iBACzB,EACD,EAAE,SAAS,EAAE,YAAY,EAAE,CAC5B,CAAC;gBACF,MAAM,QAAQ,GAAG,GAAG,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,cAAc,IAAI,IAAI,EAAE,CAAC;gBAC7F,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;YACpE,CAAC;YAED,kCAAkC;YAClC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,iFAAiF;AAEjF,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;AAE/C;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,YAAY,CAAC,OAAyB;IACpD,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAChD,MAAM,cAAc,GAAG,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;IAE/C,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IAE3B,4EAA4E;IAC5E,SAAS,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QACpB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,GAAG,CAAC,QAAQ,KAAK,iBAAiB;YAAE,OAAO;QAE/C,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAClD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,YAAY,cAAc,aAAa,EAAE,CAAC,EAClE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QAED,iEAAiE;QACjE,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,EACpD,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QAED,2CAA2C;QAC3C,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,MAAM,EAAE,GAAG,OAAO,CAAC;QAE1E,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,MAAa,CAAC,CAAC;QAEnC,MAAM,QAAQ,GAAG,IAAI,IAAI,UAAU,IAAI,GAAG,CAAC;QAC3C,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,2EAA2E;IAC3E,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE;YACd,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;YAE9B,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,CACrC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,KAAK,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC,CACtD,CAAC;YACF,IAAI,CAAC,WAAW;gBAAE,OAAO;YAEzB,wBAAwB;YACxB,MAAM,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC;YAC7C,IAAI,MAAM;gBAAE,OAAO;YAEnB,0BAA0B;YAC1B,MAAM,MAAM,GAAG,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACxC,MAAM,WAAW,GAAG,GAAG,MAAM,GAAG,iBAAiB,EAAE,CAAC;YACpD,MAAM,OAAO,GAAG,GAAG,OAAO,GAAG,aAAa,EAAE,CAAC;YAC7C,MAAM,cAAc,GAAG,GAAG,OAAO,aAAa,kBAAkB,CAAC,WAAW,GAAG,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YAE1H,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;gBACxB,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,QAAQ,EAAE,cAAc,EAAE;aACtC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF;;;;;GAKG;AACH,SAAS,gBAAgB,CACvB,QAAgB,EAChB,cAAyB;IAEzB,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAE5B,yBAAyB;IACzB,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAE1C,yCAAyC;IACzC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1C,sDAAsD;IACtD,IAAI,CAAC,cAAc,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAEjE,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;QAE5B,qDAAqD;QACrD,IAAI,CAAC,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAEpE,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;QACxB,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,IAA6B;IAChD,MAAM,IAAI,GAA4B,EAAE,CAAC;IACzC,MAAM,IAAI,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAC1E,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;QACtB,IAAI,GAAG,KAAK,SAAS;YAAE,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACzC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/ssr-context.d.ts

@@ -0,0 +1,49 @@
+import type { Context } from "./ctx.js";
+/**
+ * Wrap a request handler in the per-request ALS context.
+ * Called once per request in server.ts before any handler runs.
+ */
+export declare function runWithContext<T>(req: Request, ssrMode: boolean, fn: () => Promise<T>): Promise<T>;
+/**
+ * Get the current request. Returns null outside a request context.
+ */
+export declare function getSSRRequest(): Request | null;
+/**
+ * Store the shared Hono-style Context in the per-request ALS scope.
+ * Called in server.ts after creating the Context, so that SSR direct calls
+ * to RPC functions via callServerFn can read c.auth and shared state.
+ */
+export declare function setSSRContext(ctx: Context): void;
+/**
+ * Retrieve the shared Hono-style Context from the per-request ALS scope.
+ * Returns undefined outside a request context.
+ */
+export declare function getSSRContext(): Context | undefined;
+/**
+ * Returns true when currently executing inside an SSR render pass.
+ */
+export declare function isSSRContext(): boolean;
+/**
+ * Store the refreshed auth payload in the current ALS context.
+ * Called by the transparent refresh middleware in server.ts.
+ * @internal
+ */
+export declare function setRefreshedPayload(payload: Record<string, any> | null): void;
+/**
+ * Get the refreshed auth payload from the current ALS context.
+ * Returns undefined if no refresh happened this request.
+ * Returns null if refresh was attempted but denied (user deleted, etc.).
+ * @internal
+ */
+export declare function getRefreshedPayload(): Record<string, any> | null | undefined;
+/**
+ * Store custom context data from onRequest hooks in the ALS context.
+ * Called by server.ts after running onRequest hooks.
+ */
+export declare function setCustomContext(custom: Record<string, any>): void;
+/**
+ * Get custom context data set by onRequest hooks.
+ * Returns an empty object if no custom context was set.
+ */
+export declare function getCustomContext(): Record<string, any>;
+//# sourceMappingURL=ssr-context.d.ts.map

package/dist/ssr-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssr-context.d.ts","sourceRoot":"","sources":["../src/ssr-context.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAYxC;;;GAGG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAC9B,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,OAAO,EAChB,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GACnB,OAAO,CAAC,CAAC,CAAC,CAEZ;AAED;;GAEG;AACH,wBAAgB,aAAa,IAAI,OAAO,GAAG,IAAI,CAE9C;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,OAAO,GAAG,IAAI,CAGhD;AAED;;;GAGG;AACH,wBAAgB,aAAa,IAAI,OAAO,GAAG,SAAS,CAEnD;AAED;;GAEG;AACH,wBAAgB,YAAY,IAAI,OAAO,CAEtC;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAG7E;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,GAAG,SAAS,CAE5E;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,IAAI,CAGlE;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAEtD"}

package/dist/ssr-context.js

@@ -0,0 +1,85 @@
+/**
+ * mates-ssr — ssr-context.ts
+ *
+ * Per-request AsyncLocalStorage context.
+ * Replaces the unsafe module-level _ssrRequest slot in server-fn.ts.
+ *
+ * Every request — SSR page render, API route, serverFn RPC — is wrapped
+ * in runWithContext(req, fn) by server.ts. All downstream code reads the
+ * request via getSSRRequest() which reads from ALS — fully isolated per
+ * request even under high concurrency.
+ */
+import { AsyncLocalStorage } from "node:async_hooks";
+const _storage = new AsyncLocalStorage();
+/**
+ * Wrap a request handler in the per-request ALS context.
+ * Called once per request in server.ts before any handler runs.
+ */
+export function runWithContext(req, ssrMode, fn) {
+    return _storage.run({ request: req, ssrMode }, fn);
+}
+/**
+ * Get the current request. Returns null outside a request context.
+ */
+export function getSSRRequest() {
+    return _storage.getStore()?.request ?? null;
+}
+/**
+ * Store the shared Hono-style Context in the per-request ALS scope.
+ * Called in server.ts after creating the Context, so that SSR direct calls
+ * to RPC functions via callServerFn can read c.auth and shared state.
+ */
+export function setSSRContext(ctx) {
+    const store = _storage.getStore();
+    if (store)
+        store.ctx = ctx;
+}
+/**
+ * Retrieve the shared Hono-style Context from the per-request ALS scope.
+ * Returns undefined outside a request context.
+ */
+export function getSSRContext() {
+    return _storage.getStore()?.ctx;
+}
+/**
+ * Returns true when currently executing inside an SSR render pass.
+ */
+export function isSSRContext() {
+    return _storage.getStore()?.ssrMode === true;
+}
+/**
+ * Store the refreshed auth payload in the current ALS context.
+ * Called by the transparent refresh middleware in server.ts.
+ * @internal
+ */
+export function setRefreshedPayload(payload) {
+    const store = _storage.getStore();
+    if (store)
+        store.refreshedPayload = payload;
+}
+/**
+ * Get the refreshed auth payload from the current ALS context.
+ * Returns undefined if no refresh happened this request.
+ * Returns null if refresh was attempted but denied (user deleted, etc.).
+ * @internal
+ */
+export function getRefreshedPayload() {
+    return _storage.getStore()?.refreshedPayload;
+}
+/**
+ * Store custom context data from onRequest hooks in the ALS context.
+ * Called by server.ts after running onRequest hooks.
+ */
+export function setCustomContext(custom) {
+    const store = _storage.getStore();
+    if (store)
+        store.customContext = custom;
+}
+/**
+ * Get custom context data set by onRequest hooks.
+ * Returns an empty object if no custom context was set.
+ */
+export function getCustomContext() {
+    return _storage.getStore()?.customContext ?? {};
+}
+//# sourceMappingURL=ssr-context.js.map

package/dist/ssr-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssr-context.js","sourceRoot":"","sources":["../src/ssr-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAWrD,MAAM,QAAQ,GAAG,IAAI,iBAAiB,EAAc,CAAC;AAErD;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,GAAY,EACZ,OAAgB,EAChB,EAAoB;IAEpB,OAAO,QAAQ,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;AACrD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,QAAQ,CAAC,QAAQ,EAAE,EAAE,OAAO,IAAI,IAAI,CAAC;AAC9C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,GAAY;IACxC,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC;IAClC,IAAI,KAAK;QAAE,KAAK,CAAC,GAAG,GAAG,GAAG,CAAC;AAC7B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa;IAC3B,OAAO,QAAQ,CAAC,QAAQ,EAAE,EAAE,GAAG,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY;IAC1B,OAAO,QAAQ,CAAC,QAAQ,EAAE,EAAE,OAAO,KAAK,IAAI,CAAC;AAC/C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAmC;IACrE,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC;IAClC,IAAI,KAAK;QAAE,KAAK,CAAC,gBAAgB,GAAG,OAAO,CAAC;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,QAAQ,CAAC,QAAQ,EAAE,EAAE,gBAAgB,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAA2B;IAC1D,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC;IAClC,IAAI,KAAK;QAAE,KAAK,CAAC,aAAa,GAAG,MAAM,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO,QAAQ,CAAC,QAAQ,EAAE,EAAE,aAAa,IAAI,EAAE,CAAC;AAClD,CAAC"}

package/dist/ssr-globals.d.ts

@@ -0,0 +1,32 @@
+/**
+ * mates-fullstack — ssr-globals.ts
+ *
+ * Install stateless no-op browser global stubs ONCE at boot.
+ *
+ * Why this exists:
+ *   lit-html reads `const r = document` at module parse time.
+ *   Mates CSS-in-JS calls `document.adoptedStyleSheets` at module init.
+ *   Mates calls `customElements.define("x-view", ...)` at module init.
+ *   User code may accidentally read `window.innerWidth` outside `onMount`.
+ *
+ *   Without stubs, importing mates in a pure Node.js environment throws
+ *   "document is not defined".
+ *
+ * Design rules:
+ *   - Set ONCE at boot — never swapped per request (unlike happy-dom).
+ *   - Stateless — every stub returns a predictable no-op value.
+ *     No internal maps, no accumulation, no side effects.
+ *   - Idempotent — safe to call multiple times.
+ *   - Only sets globals that are undefined — won't overwrite a real browser or
+ *     a happy-dom window if one is already present.
+ *   - Not a full polyfill — just enough to prevent crashes.
+ *
+ * App code that needs real values during SSR should use isSSR() guards:
+ *   const width = isSSR() ? 1024 : window.innerWidth;
+ */
+/**
+ * Install stateless no-op browser global stubs.
+ * Call once at server startup, before importing mates or lit-html.
+ */
+export declare function installSsrGlobals(): void;
+//# sourceMappingURL=ssr-globals.d.ts.map

package/dist/ssr-globals.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssr-globals.d.ts","sourceRoot":"","sources":["../src/ssr-globals.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AA8OH;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CA6yBxC"}