@axium/server 0.10.0 → 0.11.1

package/dist/plugins.d.ts

@@ -1,23 +1,37 @@
 import z from 'zod/v4';
-export declare const fn: z.ZodCustom<(...args: unknown[]) => any, (...args: unknown[]) => any>;
+import type { Database, InitOptions, OpOptions } from './database.js';
+export declare const PluginMetadata: z.ZodObject<{
+    name: z.ZodString;
+    version: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    routes: z.ZodOptional<z.ZodString>;
+}, z.core.$loose>;
 export declare const Plugin: z.ZodObject<{
     name: z.ZodString;
     version: z.ZodString;
     description: z.ZodOptional<z.ZodString>;
+    routes: z.ZodOptional<z.ZodString>;
     statusText: z.ZodCustom<z.core.$InferInnerFunctionTypeAsync<z.core.$ZodTuple<[], null>, z.ZodString>, z.core.$InferInnerFunctionTypeAsync<z.core.$ZodTuple<[], null>, z.ZodString>>;
-    db_init: z.ZodOptional<z.ZodCustom<(...args: unknown[]) => any, (...args: unknown[]) => any>>;
-    db_remove: z.ZodOptional<z.ZodCustom<(...args: unknown[]) => any, (...args: unknown[]) => any>>;
-    db_wipe: z.ZodOptional<z.ZodCustom<(...args: unknown[]) => any, (...args: unknown[]) => any>>;
-    db_clean: z.ZodOptional<z.ZodCustom<(...args: unknown[]) => any, (...args: unknown[]) => any>>;
-}, z.core.$strip>;
+    hooks: z.ZodOptional<z.ZodRecord<z.ZodUnion<[z.ZodLiteral<"remove" | "db_init" | "db_wipe" | "clean">, z.ZodNever]>, z.ZodCustom<(...args: any[]) => any, (...args: any[]) => any>>>;
+}, z.core.$loose>;
 declare const kSpecifier: unique symbol;
-export interface Plugin extends z.infer<typeof Plugin> {
+export type Plugin = z.infer<typeof Plugin>;
+interface PluginInternal extends Plugin {
     [kSpecifier]: string;
+    hooks: Hooks;
+}
+export interface Hooks {
+    db_init?: (opt: InitOptions, db: Database) => void | Promise<void>;
+    remove?: (opt: {
+        force?: boolean;
+    }, db: Database) => void | Promise<void>;
+    db_wipe?: (opt: OpOptions, db: Database) => void | Promise<void>;
+    clean?: (opt: Partial<OpOptions>, db: Database) => void | Promise<void>;
 }
-export declare const plugins: Set<Plugin>;
-export declare function resolvePlugin(search: string): Plugin | undefined;
-export declare function pluginText(plugin: Plugin): string;
+export declare const plugins: Set<PluginInternal>;
+export declare function resolvePlugin(search: string): PluginInternal | undefined;
+export declare function pluginText(plugin: PluginInternal): string;
 export declare function loadPlugin(specifier: string): Promise<void>;
-export declare function getSpecifier(plugin: Plugin): string;
+export declare function getSpecifier(plugin: PluginInternal): string;
 export declare function loadPlugins(dir: string): Promise<void>;
 export {};

package/dist/plugins.js

@@ -5,22 +5,23 @@ import { styleText } from 'node:util';
 import z from 'zod/v4';
 import { output } from './io.js';
 import { _unique } from './state.js';
-export const fn = z.custom(data => typeof data === 'function');
-export const Plugin = z.object({
+export const PluginMetadata = z.looseObject({
     name: z.string(),
     version: z.string(),
     description: z.string().optional(),
+    routes: z.string().optional(),
+});
+const hookNames = ['db_init', 'remove', 'db_wipe', 'clean'];
+const fn = z.custom(data => typeof data === 'function');
+export const Plugin = PluginMetadata.extend({
     statusText: zAsyncFunction(z.function({ input: [], output: z.string() })),
-    db_init: fn.optional(),
-    db_remove: fn.optional(),
-    db_wipe: fn.optional(),
-    db_clean: fn.optional(),
+    hooks: z.partialRecord(z.literal(hookNames), fn).optional(),
 });
 const kSpecifier = Symbol('specifier');
 export const plugins = _unique('plugins', new Set());
 export function resolvePlugin(search) {
     for (const plugin of plugins) {
-        if (plugin.name.startsWith(search))
+        if (plugin.name === search)
             return plugin;
     }
 }
@@ -29,24 +30,26 @@ export function pluginText(plugin) {
         styleText('whiteBright', plugin.name),
         `Version: ${plugin.version}`,
         `Description: ${plugin.description ?? styleText('dim', '(none)')}`,
-        `Database integration: ${[plugin.db_init, plugin.db_remove, plugin.db_wipe]
-            .filter(Boolean)
-            .map(fn => fn?.name.slice(3))
-            .join(', ') || styleText('dim', '(none)')}`,
+        `Hooks: ${Object.keys(plugin.hooks).join(', ') || styleText('dim', '(none)')}`,
+        // @todo list the routes when debug output is enabled
+        `Routes: ${plugin.routes || styleText('dim', '(none)')}`,
     ].join('\n');
 }
 export async function loadPlugin(specifier) {
     try {
         const imported = await import(/* @vite-ignore */ specifier);
         const maybePlugin = 'default' in imported ? imported.default : imported;
-        const plugin = Object.assign(await Plugin.parseAsync(maybePlugin).catch(e => {
+        const plugin = Object.assign({ hooks: {}, [kSpecifier]: specifier }, await Plugin.parseAsync(maybePlugin).catch(e => {
             throw z.prettifyError(e);
-        }), { [kSpecifier]: specifier });
+        }));
+        if (plugin.name.startsWith('#') || plugin.name.includes(' ')) {
+            throw 'Invalid plugin name. Plugin names can not start with a hash or contain spaces.';
+        }
         plugins.add(plugin);
         output.debug(`Loaded plugin: ${plugin.name} ${plugin.version}`);
     }
     catch (e) {
-        output.debug(`Failed to load plugin from ${specifier}: ${e.message || e}`);
+        output.debug(`Failed to load plugin from ${specifier}: ${e ? (e instanceof Error ? e.message : e.toString()) : e}`);
     }
 }
 export function getSpecifier(plugin) {

package/dist/requests.d.ts

@@ -1,11 +1,14 @@
-import type { NewSessionResponse } from '@axium/core/api';
 import { type User } from '@axium/core/user';
 import { type HttpError, type RequestEvent } from '@sveltejs/kit';
 import z from 'zod/v4';
 import { type SessionAndUser, type UserInternal } from './auth.js';
 export declare function parseBody<const Schema extends z.ZodType, const Result extends z.infer<Schema> = z.infer<Schema>>(event: RequestEvent, schema: Schema): Promise<Result>;
 export declare function getToken(event: RequestEvent, sensitive?: boolean): string | undefined;
-export declare function checkAuth(event: RequestEvent, userId: string, sensitive?: boolean): Promise<SessionAndUser>;
-export declare function createSessionData(event: RequestEvent, userId: string, elevated?: boolean): Promise<NewSessionResponse>;
+export interface AuthResult extends SessionAndUser {
+    /** The user authenticating the request. */
+    accessor: UserInternal;
+}
+export declare function checkAuth(event: RequestEvent, userId: string, sensitive?: boolean): Promise<AuthResult>;
+export declare function createSessionData(userId: string, elevated?: boolean): Promise<Response>;
 export declare function stripUser(user: UserInternal, includeProtected?: boolean): User;
 export declare function withError(text: string, code?: number): (e: Error | HttpError) => never;

package/dist/requests.js

@@ -1,8 +1,9 @@
 import { userProtectedFields, userPublicFields } from '@axium/core/user';
-import { error } from '@sveltejs/kit';
+import { error, json } from '@sveltejs/kit';
+import { serialize as serializeCookie } from 'cookie';
 import { pick } from 'utilium';
 import z from 'zod/v4';
-import { createSession, getSessionAndUser } from './auth.js';
+import { createSession, getSessionAndUser, getUser } from './auth.js';
 import { config } from './config.js';
 export async function parseBody(event, schema) {
     const contentType = event.request.headers.get('content-type');
@@ -29,22 +30,30 @@ export async function checkAuth(event, userId, sensitive = false) {
     if (!token)
         throw error(401, { message: 'Missing token' });
     const session = await getSessionAndUser(token).catch(() => error(401, { message: 'Invalid or expired session' }));
-    if (session.user?.id !== userId /* && !user.isAdmin */)
-        error(403, { message: 'User ID mismatch' });
+    if (session.userId !== userId) {
+        if (!session.user?.isAdmin)
+            error(403, { message: 'User ID mismatch' });
+        // Admins are allowed to manage other users.
+        const accessor = session.user;
+        session.user = await getUser(userId).catch(() => error(404, { message: 'Target user not found' }));
+        return Object.assign(session, { accessor });
+    }
     if (!session.elevated && sensitive)
         error(403, 'This token can not be used for sensitive actions');
-    return session;
+    return Object.assign(session, { accessor: session.user });
 }
-export async function createSessionData(event, userId, elevated = false) {
-    const { token } = await createSession(userId, elevated);
-    if (elevated) {
-        event.cookies.set('elevated_token', token, { httpOnly: true, path: '/', expires: new Date(Date.now() + 10 * 60_000) });
-        return { userId, token: '[[redacted:elevated]]' };
-    }
-    else {
-        event.cookies.set('session_token', token, { httpOnly: config.auth.secure_cookies, path: '/' });
-        return { userId, token };
-    }
+export async function createSessionData(userId, elevated = false) {
+    const { token, expires } = await createSession(userId, elevated);
+    const response = json({ userId, token: elevated ? '[[redacted:elevated]]' : token }, { status: 201 });
+    const cookies = serializeCookie(elevated ? 'elevated_token' : 'session_token', token, {
+        httpOnly: true,
+        path: '/',
+        expires,
+        secure: config.auth.secure_cookies,
+        sameSite: 'lax',
+    });
+    response.headers.set('Set-Cookie', cookies);
+    return response;
 }
 export function stripUser(user, includeProtected = false) {
     return pick(user, ...userPublicFields, ...(includeProtected ? userProtectedFields : []));

package/dist/sveltekit.js

@@ -1,6 +1,6 @@
-import { error, json, redirect } from '@sveltejs/kit';
+import { error, json } from '@sveltejs/kit';
 import { readFileSync } from 'node:fs';
-import { join } from 'node:path/posix';
+import { styleText } from 'node:util';
 import { render } from 'svelte/server';
 import z from 'zod/v4';
 import { config } from './config.js';
@@ -34,29 +34,31 @@ async function handleAPIRequest(event, route) {
 function handleError(e) {
     if ('body' in e)
         return json(e.body, { status: e.status });
+    if ('location' in e)
+        return Response.redirect(e.location, e.status);
     console.error(e);
     return json({ message: 'Internal Error' + (config.debug ? ': ' + e.message : '') }, { status: 500 });
 }
-const templatePath = join(import.meta.dirname, '../web/template.html');
-const template = readFileSync(templatePath, 'utf-8');
+let template = null;
 function fillTemplate({ head, body }, env = {}, nonce = '') {
+    template ||= readFileSync(config.web.template, 'utf-8');
     return (template
         .replace('%sveltekit.head%', head)
         .replace('%sveltekit.body%', body)
         .replace(/%sveltekit\.assets%/g, config.web.assets)
         // Unused for now.
         .replace(/%sveltekit\.nonce%/g, nonce)
-        .replace(/%sveltekit\.env\.([^%]+)%/g, (_match, capture) => env[capture] ?? ''));
+        .replace(/%sveltekit\.env\.([^%]+)%/g, (_match, key) => env[key] ?? ''));
 }
 /**
  * @internal
  */
 export async function handle({ event, resolve, }) {
     const route = resolveRoute(event);
-    if (!route && event.url.pathname === '/')
-        redirect(303, '/_axium/default');
+    if (!route && event.url.pathname === '/' && config.debug)
+        return new Response(null, { status: 303, headers: { Location: '/_axium/default' } });
     if (config.debug)
-        console.log(event.request.method.padEnd(7), route ? route.path : event.url.pathname);
+        console.log(styleText('blueBright', event.request.method.padEnd(7)), route ? route.path : event.url.pathname);
     if (!route)
         return await resolve(event).catch(handleError);
     if (route.server == true) {
@@ -79,12 +81,14 @@ export async function handle({ event, resolve, }) {
     const data = await route.load?.(event);
     const body = fillTemplate(render(route.page));
     return new Response(body, {
-        headers: {
-            'Content-Type': 'text/html; charset=utf-8',
-            'Cache-Control': 'no-cache, no-store, must-revalidate',
-            Pragma: 'no-cache',
-            Expires: '0',
-        },
+        headers: config.web.disable_cache
+            ? {
+                'Content-Type': 'text/html; charset=utf-8',
+                'Cache-Control': 'no-cache, no-store, must-revalidate',
+                Pragma: 'no-cache',
+                Expires: '0',
+            }
+            : {},
         status: 200,
     });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@axium/server",
-	"version": "0.10.0",
+	"version": "0.11.1",
 	"author": "James Prevett <axium@jamespre.dev> (https://jamespre.dev)",
 	"funding": {
 		"type": "individual",
@@ -20,12 +20,15 @@
 	"exports": {
 		".": "./dist/index.js",
 		"./*": "./dist/*.js",
-		"./web/*": "./web/*",
+		"./lib/*": "./web/lib/*",
+		"./$hooks": "./web/hooks.server.ts",
 		"./$routes": "./routes",
+		"./$template": "./web/template.html",
 		"./svelte.config.js": "./svelte.config.js"
 	},
 	"files": [
 		"assets",
+		"build",
 		"dist",
 		"routes",
 		"web",
@@ -38,8 +41,8 @@
 		"build": "tsc"
 	},
 	"peerDependencies": {
-		"@axium/client": ">=0.0.2",
-		"@axium/core": ">=0.3.0",
+		"@axium/client": ">=0.1.0",
+		"@axium/core": ">=0.4.0",
 		"utilium": "^2.3.8",
 		"zod": "^3.25.61"
 	},
@@ -49,14 +52,15 @@
 		"@sveltejs/kit": "^2.20.2",
 		"@types/pg": "^8.11.11",
 		"commander": "^13.1.0",
+		"cookie": "^1.0.2",
 		"kysely": "^0.28.0",
 		"logzen": "^0.7.0",
 		"mime": "^4.0.7",
-		"pg": "^8.14.1"
+		"pg": "^8.14.1",
+		"svelte": "^5.25.3"
 	},
 	"devDependencies": {
 		"@sveltejs/adapter-node": "^5.2.12",
-		"svelte": "^5.25.3",
 		"vite-plugin-mkcert": "^1.17.8"
 	}
 }

package/routes/account/+page.svelte

@@ -191,11 +191,12 @@
 				</div>
 				<FormDialog
 					bind:dialog={dialogs['logout#' + session.id]}
-					submit={() =>
-						logout(user.id, session.id).then(() => {
-							if (session.id == currentSession.id) goto('/');
-							else sessions.splice(sessions.indexOf(session), 1);
-						})}
+					submit={async () => {
+						await logout(user.id, session.id);
+						dialogs['logout#' + session.id].remove();
+						sessions.splice(sessions.indexOf(session), 1);
+						if (session.id == currentSession.id) goto('/');
+					}}
 					submitText="Logout"
 				>
 					<p>Are you sure you want to log out this session?</p>

package/svelte.config.js

@@ -1,6 +1,7 @@
 import node from '@sveltejs/adapter-node';
 import { vitePreprocess } from '@sveltejs/vite-plugin-svelte';
 import { join } from 'node:path/posix';
+import config from '@axium/server/config';
 
 /**
  * Paths relative to the directory of this file.
@@ -24,7 +25,7 @@ export default {
 			$lib: fixed('web/lib'),
 		},
 		files: {
-			routes: 'routes',
+			routes: config.web.routes,
 			lib: fixed('web/lib'),
 			assets: fixed('assets'),
 			appTemplate: fixed('web/template.html'),

package/web/lib/Upload.svelte

@@ -0,0 +1,58 @@
+<script lang="ts">
+	import Icon from './icons/Icon.svelte';
+	import { iconForMime, iconForPath } from './icons';
+
+	let { files = $bindable(), name = 'files', ...rest }: { files?: FileList; name?: string; multiple?: any; required?: any } = $props();
+
+	let input = $state<HTMLInputElement>();
+
+	const id = 'input:' + Math.random().toString(36).slice(2);
+</script>
+
+<div>
+	{#if files?.length}
+		<label for={id} class="file">
+			{#each files as file}
+				<Icon i={iconForMime(file.type) || iconForPath(file.name) || 'file'} />
+				<span>{file.name}</span>
+				<button
+					onclick={e => {
+						e.preventDefault();
+						const dt = new DataTransfer();
+						for (let f of files) if (file !== f) dt.items.add(f);
+						input.files = files = dt.files;
+					}}
+					style:display="contents"
+				>
+					<Icon i="trash" />
+				</button>
+			{/each}
+		</label>
+	{:else}
+		<label for={id}><Icon i="upload" />Upload</label>
+	{/if}
+
+	<input bind:this={input} {name} {id} type="file" bind:files {...rest} />
+</div>
+
+<style>
+	input {
+		display: none;
+	}
+
+	label {
+		padding: 0.5em 1em;
+		border: 1px solid #cccc;
+		cursor: pointer;
+		display: flex;
+		align-items: center;
+		gap: 0.5em;
+		border-radius: 0.5em;
+		width: 20em;
+	}
+
+	label.file {
+		display: grid;
+		grid-template-columns: 2em 1fr 2em;
+	}
+</style>

package/web/lib/icons/index.ts

@@ -3,8 +3,11 @@ import mimeIcons from './mime.json' with { type: 'json' };
 
 export { default as Icon } from './Icon.svelte';
 
-export function iconFor(path: string): string {
-	type K = keyof typeof mimeIcons;
+export function iconForMime(mimeType: string): string {
+	return mimeIcons[mimeType as keyof typeof mimeIcons] || 'file';
+}
+
+export function iconForPath(path: string): string {
 	const type = mime.getType(path) || 'application/octet-stream';
-	return mimeIcons[type as K] || mimeIcons[type.split('/')[0] as K] || 'file';
+	return iconForMime(type);
 }

package/web/lib/icons/mime.json

@@ -21,7 +21,8 @@
 	"text/css": "css",
 	"text/csv": "file-csv",
 	"text/html": "code",
-	"text/javascript": "square-js",
+	"text/javascript": "brands/square-js",
+	"application/x-javascript": "brands/square-js",
 	"text/plain": "file-lines",
 	"text/xml": "code",
 	"video": "clapperboard-play"

package/web/tsconfig.json

@@ -1,5 +1,4 @@
 {
-	"$schema": "https://json.schemastore.org/tsconfig",
 	"extends": "../.svelte-kit/tsconfig.json",
 	"compilerOptions": {
 		"target": "ES2023",