npm - @axium/server - Versions diffs - 0.18.6 → 0.19.0 - Mend

@axium/server 0.18.6 → 0.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (191) hide show

package/build/server/chunks/hooks.server-PyYsuy1-.js ADDED Viewed

@@ -0,0 +1,1324 @@
+import * as fs from 'node:fs';
+import { readFileSync, existsSync, writeFileSync, createWriteStream } from 'node:fs';
+import 'node:http';
+import 'node:https';
+import { Logger, levelText, allLogLevels } from 'logzen';
+import { join, resolve, dirname } from 'node:path/posix';
+import './string-CafUlmcI.js';
+import 'node:child_process';
+import { homedir } from 'node:os';
+import { styleText } from 'node:util';
+import { _ as _unknown, a as _tuple, b as _array, $ as $ZodUnknown, c as $ZodArray, d as $ZodTuple, p as parse, e as parseAsync, l as literal, o as object, r as record, f as any, s as string, n as number, g as array, h as _enum, u as uuid, i as email, j as boolean, k as custom, m as looseObject, q as partialRecord, t as prettifyError, v as date, w as url } from './schemas-C2VqNPFY.js';
+import { serialize } from 'cookie';
+import { randomBytes, randomUUID } from 'node:crypto';
+import { Kysely, PostgresDialect } from 'kysely';
+import { jsonObjectFrom } from 'kysely/helpers/postgres';
+import pg from 'pg';
+import * as webauthn from '@simplewebauthn/server';
+import { verifyRegistrationResponse, generateRegistrationOptions } from '@simplewebauthn/server';
+import { render } from 'svelte/server';
+function filterObject(object, predicate) {
+    const entries = Object.entries(object);
+    return Object.fromEntries(entries.filter(([key, value]) => predicate(key, value)));
+}
+function pick(object, ...keys) {
+    const picked = {};
+    for (const key of keys.flat()) {
+        picked[key] = object[key];
+    }
+    return picked;
+}
+function omit(object, ...keys) {
+    return filterObject(object, key => !keys.flat().includes(key));
+}
+/**
+ * Returns whether `value` is not a primitive.
+ *
+ * This function is only useful for the type check,
+ * you can do `Object(v) === v` otherwise.
+ */
+function isObject(value) {
+    return Object(value) === value;
+}
+function deepAssign(to, from) {
+    const keys = new Set([
+        ...Object.keys(to),
+        ...Object.keys(from),
+    ]);
+    for (const key of keys) {
+        if (!(key in from))
+            continue;
+        const value = from[key];
+        if (!(key in to)) {
+            to[key] = value;
+            continue;
+        }
+        if (!isObject(to[key]) && Object(value) !== value) {
+            to[key] = value;
+            continue;
+        }
+        if (isObject(to[key]) && Object(value) === value) {
+            deepAssign(to[key], value);
+            continue;
+        }
+        throw new TypeError(!isObject(to[key])
+            ? 'Can not deeply assign an object to a primitive'
+            : 'Can not deeply assign a primitive to an object');
+    }
+    return to;
+}
+class $ZodFunction {
+    constructor(def) {
+        this._def = def;
+        this.def = def;
+    }
+    implement(func) {
+        if (typeof func !== "function") {
+            throw new Error("implement() must be called with a function");
+        }
+        const impl = ((...args) => {
+            const parsedArgs = this._def.input ? parse(this._def.input, args, undefined, { callee: impl }) : args;
+            if (!Array.isArray(parsedArgs)) {
+                throw new Error("Invalid arguments schema: not an array or tuple schema.");
+            }
+            const output = func(...parsedArgs);
+            return this._def.output ? parse(this._def.output, output, undefined, { callee: impl }) : output;
+        });
+        return impl;
+    }
+    implementAsync(func) {
+        if (typeof func !== "function") {
+            throw new Error("implement() must be called with a function");
+        }
+        const impl = (async (...args) => {
+            const parsedArgs = this._def.input ? await parseAsync(this._def.input, args, undefined, { callee: impl }) : args;
+            if (!Array.isArray(parsedArgs)) {
+                throw new Error("Invalid arguments schema: not an array or tuple schema.");
+            }
+            const output = await func(...parsedArgs);
+            return this._def.output ? parseAsync(this._def.output, output, undefined, { callee: impl }) : output;
+        });
+        return impl;
+    }
+    input(...args) {
+        const F = this.constructor;
+        if (Array.isArray(args[0])) {
+            return new F({
+                type: "function",
+                input: new $ZodTuple({
+                    type: "tuple",
+                    items: args[0],
+                    rest: args[1],
+                }),
+                output: this._def.output,
+            });
+        }
+        return new F({
+            type: "function",
+            input: args[0],
+            output: this._def.output,
+        });
+    }
+    output(output) {
+        const F = this.constructor;
+        return new F({
+            type: "function",
+            input: this._def.input,
+            output,
+        });
+    }
+}
+function _function(params) {
+    return new $ZodFunction({
+        type: "function",
+        input: Array.isArray(params?.input)
+            ? _tuple($ZodTuple, params?.input)
+            : (params?.input ?? _array($ZodArray, _unknown($ZodUnknown))),
+        output: params?.output ?? _unknown($ZodUnknown),
+    });
+}
+const sym$1 = Symbol.for('Axium:state');
+globalThis[sym$1] ||= Object.create({ _errored: false });
+let _doWarnings = false;
+function _duplicateStateWarnings(value) {
+    _doWarnings = value;
+}
+/**
+ * Prevent duplicate shared state.
+ */
+function _unique(id, value) {
+    const state = globalThis[sym$1];
+    const _err = new Error();
+    Error.captureStackTrace(_err, _unique);
+    const stack = _err.stack.slice(6);
+    if (!(id in state)) {
+        state[id] = { value, stack };
+        return value;
+    }
+    if (!state._errored) {
+        console.error(styleText('red', 'Duplicate Axium server state! You might have multiple instances of the same module loaded.'));
+        state._errored = true;
+    }
+    _doWarnings && console.warn(styleText('yellow', `Mitigating duplicate state! (${id})\n${stack}\nFrom original\n${state[id].stack}`));
+    return state[id].value;
+}
+const systemDir = '/etc/axium';
+const userDir = join(homedir(), '.axium');
+const dirs = _unique('dirs', [systemDir, userDir]);
+for (let dir = resolve(process.cwd()); dir !== '/'; dir = dirname(dir)) {
+    if (fs.existsSync(join(dir, '.axium')))
+        dirs.push(join(dir, '.axium'));
+}
+if (process.env.AXIUM_DIR)
+    dirs.push(process.env.AXIUM_DIR);
+try {
+    fs.mkdirSync(systemDir, { recursive: true });
+}
+catch {
+    // Missing permissions
+}
+fs.mkdirSync(userDir, { recursive: true });
+const logger = new Logger({
+    hideWarningStack: true,
+    noGlobalConsole: true,
+});
+/**
+ * @internal
+ */
+const output = {
+    constructor: { name: 'Console' },
+    error(message) {
+        console.error(message.startsWith('\x1b') ? message : styleText('red', message));
+    },
+    warn(message) {
+        console.warn(message.startsWith('\x1b') ? message : styleText('yellow', message));
+    },
+    info(message) {
+        console.info(message.startsWith('\x1b') ? message : styleText('blue', message));
+    },
+    log(message) {
+        console.log(message);
+    },
+    debug(message) {
+        _debugOutput && console.debug(message.startsWith('\x1b') ? message : styleText('gray', message));
+    },
+};
+logger.attach(output);
+let _debugOutput = false;
+/**
+ * Enable or disable debug output.
+ */
+function _setDebugOutput(enabled) {
+    _debugOutput = enabled;
+}
+function defaultOutput(tag, message = '') {
+    switch (tag) {
+        case 'debug':
+            _debugOutput && output.debug(message);
+            break;
+        case 'info':
+            console.log(message);
+            break;
+        case 'warn':
+            console.warn(styleText('yellow', message));
+            break;
+        case 'error':
+            console.error(styleText('red', message));
+            break;
+        case 'start':
+            process.stdout.write(message + '... ');
+            break;
+        case 'done':
+            console.log('done.');
+            break;
+        case 'plugin':
+            console.log(styleText('whiteBright', 'Running plugin: ' + message));
+    }
+}
+let _taggedOutput = defaultOutput;
+// Shortcuts for tagged output
+function done() {
+    _taggedOutput?.('done');
+}
+function start(message) {
+    _taggedOutput?.('start', message);
+}
+function plugin(name) {
+    _taggedOutput?.('plugin', name);
+}
+function debug(message) {
+    _taggedOutput?.('debug', message);
+}
+function warn(message) {
+    _taggedOutput?.('warn', message);
+}
+/**
+ * This is a factory for handling errors when performing operations.
+ * The handler will allow the parent scope to continue if a relation already exists,
+ * rather than fatally exiting.
+ */
+function someWarnings(...allowList) {
+    return (error) => {
+        error = typeof error == 'object' && 'message' in error ? error.message : error;
+        for (const [pattern, message = error] of allowList) {
+            if (!pattern.test(error))
+                continue;
+            warn(message);
+            return;
+        }
+        throw error;
+    };
+}
+function zAsyncFunction(schema) {
+    return custom((fn) => schema.implementAsync(fn));
+}
+const transports = ['ble', 'cable', 'hybrid', 'internal', 'nfc', 'smart-card', 'usb'];
+const authenticatorAttachment = literal(['platform', 'cross-platform']).optional();
+const PasskeyRegistration = object({
+    id: string(),
+    rawId: string(),
+    response: object({
+        clientDataJSON: string(),
+        attestationObject: string(),
+        authenticatorData: string().optional(),
+        transports: array(_enum(transports)).optional(),
+        publicKeyAlgorithm: number().optional(),
+        publicKey: string().optional(),
+    }),
+    authenticatorAttachment,
+    clientExtensionResults: record(any(), any()),
+    type: literal('public-key'),
+});
+/**
+ * POSTed to the `/users/:id/login` endpoint.
+ */
+const PasskeyAuthenticationResponse = object({
+    id: string(),
+    rawId: string(),
+    response: object({
+        clientDataJSON: string(),
+        authenticatorData: string(),
+        signature: string(),
+        userHandle: string().optional(),
+    }),
+    authenticatorAttachment,
+    clientExtensionResults: record(any(), any()),
+    type: literal('public-key'),
+});
+const APIUserRegistration = object({
+    name: string().min(1).max(100),
+    email: email(),
+    userId: uuid(),
+    response: PasskeyRegistration,
+});
+const PasskeyChangeable = object({ name: string() }).partial();
+const UserAuthOptions = object({ type: literal(['login', 'action']) });
+const LogoutSessions = object({
+    id: array(uuid()).optional(),
+    confirm_all: boolean().optional(),
+});
+const PluginMetadata = looseObject({
+    name: string(),
+    version: string(),
+    description: string().optional(),
+    routes: string().optional(),
+});
+const hookNames = ['db_init', 'remove', 'db_wipe', 'clean'];
+const fn = custom(data => typeof data === 'function');
+const Plugin = PluginMetadata.extend({
+    statusText: zAsyncFunction(_function({ input: [], output: string() })),
+    hooks: partialRecord(literal(hookNames), fn).optional(),
+});
+const kSpecifier = Symbol('specifier');
+const plugins = _unique('plugins', new Set());
+async function loadPlugin(specifier) {
+    try {
+        const imported = await import(/* @vite-ignore */ specifier);
+        const maybePlugin = 'default' in imported ? imported.default : imported;
+        const plugin = Object.assign({ hooks: {}, [kSpecifier]: specifier }, await Plugin.parseAsync(maybePlugin).catch(e => {
+            throw prettifyError(e);
+        }));
+        if (plugin.name.startsWith('#') || plugin.name.includes(' ')) {
+            throw 'Invalid plugin name. Plugin names can not start with a hash or contain spaces.';
+        }
+        plugins.add(plugin);
+        output.debug(`Loaded plugin: ${plugin.name} ${plugin.version}`);
+    }
+    catch (e) {
+        output.debug(`Failed to load plugin from ${specifier}: ${e ? (e instanceof Error ? e.message : e.toString()) : e}`);
+    }
+}
+const ConfigSchema = looseObject({
+    allow_new_users: boolean(),
+    api: looseObject({
+        disable_metadata: boolean(),
+        cookie_auth: boolean(),
+    })
+        .partial(),
+    apps: looseObject({
+        disabled: array(string()),
+    })
+        .partial(),
+    auth: looseObject({
+        origin: string(),
+        /** In minutes */
+        passkey_probation: number(),
+        rp_id: string(),
+        rp_name: string(),
+        secure_cookies: boolean(),
+        /** In minutes */
+        verification_timeout: number(),
+        /** Whether users can verify emails */
+        email_verification: boolean(),
+    })
+        .partial(),
+    db: looseObject({
+        host: string(),
+        port: number(),
+        password: string(),
+        user: string(),
+        database: string(),
+    })
+        .partial(),
+    debug: boolean(),
+    log: looseObject({
+        level: _enum(levelText),
+        console: boolean(),
+    })
+        .partial(),
+    show_duplicate_state: boolean(),
+    web: looseObject({
+        assets: string(),
+        build: string(),
+        disable_cache: boolean(),
+        port: number().min(1).max(65535),
+        prefix: string(),
+        routes: string(),
+        secure: boolean(),
+        ssl_key: string(),
+        ssl_cert: string(),
+        template: string(),
+    })
+        .partial(),
+})
+    .partial();
+const configFiles = _unique('configFiles', new Map());
+function plainConfig() {
+    return omit(config, Object.keys(configShortcuts));
+}
+const configShortcuts = {
+    findPath: findConfigPaths,
+    load: loadConfig,
+    loadDefaults: loadDefaultConfigs,
+    plain: plainConfig,
+    save: saveConfig,
+    saveTo: saveConfigTo,
+    set: setConfig,
+    files: configFiles,
+};
+const config = _unique('config', {
+    ...configShortcuts,
+    allow_new_users: true,
+    api: {
+        disable_metadata: false,
+        cookie_auth: true,
+    },
+    apps: {
+        disabled: [],
+    },
+    auth: {
+        origin: 'https://test.localhost',
+        passkey_probation: 60,
+        rp_id: 'test.localhost',
+        rp_name: 'Axium',
+        secure_cookies: true,
+        verification_timeout: 60,
+        email_verification: false,
+    },
+    db: {
+        database: process.env.PGDATABASE || 'axium',
+        host: process.env.PGHOST || 'localhost',
+        password: process.env.PGPASSWORD || '',
+        port: process.env.PGPORT && Number.isSafeInteger(parseInt(process.env.PGPORT)) ? parseInt(process.env.PGPORT) : 5432,
+        user: process.env.PGUSER || 'axium',
+    },
+    debug: false,
+    log: {
+        console: true,
+        level: 'info',
+    },
+    show_duplicate_state: false,
+    web: {
+        assets: '',
+        build: '../build/handler.js',
+        disable_cache: false,
+        port: 443,
+        prefix: '',
+        routes: 'routes',
+        secure: true,
+        ssl_key: resolve(dirs[0], 'ssl_key.pem'),
+        ssl_cert: resolve(dirs[0], 'ssl_cert.pem'),
+        template: join(import.meta.dirname, '../web/template.html'),
+    },
+});
+// config from file
+const FileSchema = looseObject({
+    ...ConfigSchema.shape,
+    include: array(string()),
+    plugins: array(string()),
+})
+    .partial();
+/**
+ * Update the current config
+ */
+function setConfig(other) {
+    deepAssign(config, other);
+    logger.detach(output);
+    if (config.log.console)
+        logger.attach(output, { output: config.log.level });
+    _setDebugOutput(config.debug);
+    _duplicateStateWarnings(config.show_duplicate_state);
+}
+/**
+ * Load the config from the provided path
+ */
+async function loadConfig(path, options = {}) {
+    if (configFiles.has(path))
+        return;
+    let json;
+    try {
+        json = JSON.parse(readFileSync(path, 'utf8'));
+    }
+    catch (e) {
+        if (!options.optional)
+            throw e;
+        output.debug(`Skipping config at ${path} (${e.message})`);
+        return;
+    }
+    let file;
+    try {
+        file = FileSchema.parse(json);
+    }
+    catch (e) {
+        if (!options.loose)
+            throw e;
+        output.debug(`Loading invalid config from ${path} (${e.message})`);
+        file = json;
+    }
+    configFiles.set(path, file);
+    setConfig(file);
+    output.debug('Loaded config: ' + path);
+    for (const include of file.include ?? [])
+        await loadConfig(join(dirname(path), include), { optional: true });
+    for (const plugin of file.plugins ?? [])
+        await loadPlugin(plugin.startsWith('.') ? resolve(dirname(path), plugin) : plugin);
+}
+async function loadDefaultConfigs() {
+    for (const path of findConfigPaths()) {
+        if (!existsSync(path)) {
+            try {
+                writeFileSync(path, '{}');
+            }
+            catch {
+                continue;
+            }
+        }
+        await loadConfig(path, { optional: true });
+    }
+}
+/**
+ * Update the current config and write the updated config to the appropriate file
+ */
+function saveConfig(changed, global = false) {
+    saveConfigTo(findConfigPaths().at(global ? 0 : -1), changed);
+}
+/**
+ * Update the current config and write the updated config to the provided path
+ */
+function saveConfigTo(path, changed) {
+    setConfig(changed);
+    const config = configFiles.get(path) ?? {};
+    Object.assign(config, { ...changed, db: { ...config.db, ...changed.db } });
+    output.debug(`Wrote config to ${path}`);
+    writeFileSync(path, JSON.stringify(config));
+}
+/**
+ * Find the path to the config file(s)
+ * This array should roughly be in the order of most global to most local.
+ */
+function findConfigPaths() {
+    const paths = dirs.map(dir => join(dir, 'config.json'));
+    if (process.env.AXIUM_CONFIG)
+        paths.push(process.env.AXIUM_CONFIG);
+    return paths;
+}
+if (process.env.AXIUM_CONFIG)
+    await loadConfig(process.env.AXIUM_CONFIG);
+const requestMethods = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'HEAD', 'PATCH'];
+var version = "0.19.0";
+var pkg = {
+	version: version};
+const User = object({
+    id: uuid(),
+    name: string().min(1, 'Name is required').max(255, 'Name is too long'),
+    email: email(),
+    emailVerified: date().nullable().optional(),
+    image: url().nullable().optional(),
+    preferences: record(string(), any()),
+    roles: array(string()),
+    registeredAt: date(),
+});
+const userPublicFields = ['id', 'image', 'name', 'registeredAt', 'roles'];
+const userProtectedFields = ['email', 'emailVerified', 'preferences'];
+const UserChangeable = User.pick({
+    name: true,
+    email: true,
+    image: true,
+    preferences: true,
+}).partial();
+const sym = Symbol.for('Axium:database');
+let database;
+function connect() {
+    if (database)
+        return database;
+    if (globalThis[sym])
+        return (database = globalThis[sym]);
+    database = new Kysely({
+        dialect: new PostgresDialect({ pool: new pg.Pool(config.db) }),
+    });
+    globalThis[sym] = database;
+    debug('Connected to database!');
+    return database;
+}
+/**
+ * Select the user with the id from the userId column of a table, placing it in the `user` property.
+ */
+function userFromId(builder) {
+    const eb = builder;
+    return jsonObjectFrom(eb.selectFrom('users').selectAll().whereRef('id', '=', 'userId'))
+        .$notNull()
+        .$castTo()
+        .as('user');
+}
+/** Shortcut to output a warning if an error is thrown because relation already exists */
+someWarnings([/\w+ "[\w.]+" already exists/, 'already exists.']);
+async function clean(opt) {
+    const now = new Date();
+    start('Removing expired sessions');
+    await database.deleteFrom('sessions').where('sessions.expires', '<', now).execute().then(done);
+    start('Removing expired verifications');
+    await database.deleteFrom('verifications').where('verifications.expires', '<', now).execute().then(done);
+    for (const plugin$1 of plugins) {
+        if (!plugin$1.hooks.clean)
+            continue;
+        plugin(plugin$1.name);
+        await plugin$1.hooks.clean(opt);
+    }
+}
+async function getUser(id) {
+    return await database.selectFrom('users').selectAll().where('id', '=', id).executeTakeFirstOrThrow();
+}
+const in30days = () => new Date(Date.now() + 2592000000);
+const in10minutes = () => new Date(Date.now() + 600000);
+async function createSession(userId, elevated = false) {
+    const session = {
+        id: randomUUID(),
+        userId,
+        token: randomBytes(64).toString('base64'),
+        expires: elevated ? in10minutes() : in30days(),
+        elevated,
+        created: new Date(),
+    };
+    await database.insertInto('sessions').values(session).execute();
+    return session;
+}
+async function getSessionAndUser(token) {
+    const result = await database
+        .selectFrom('sessions')
+        .selectAll()
+        .select(userFromId)
+        .where('sessions.token', '=', token)
+        .where('sessions.expires', '>', new Date())
+        .executeTakeFirstOrThrow();
+    if (!result.user)
+        throw new Error('Session references non-existing user');
+    return result;
+}
+async function getSessions(userId) {
+    return await database.selectFrom('sessions').selectAll().where('userId', '=', userId).where('sessions.expires', '>', new Date()).execute();
+}
+/**
+ * Create a verification
+ * @param expires How long the token should be valid for in seconds
+ */
+async function createVerification(role, userId, expires) {
+    const token = randomBytes(64).toString('base64url');
+    const verification = { userId, token, expires: new Date(Date.now() + expires * 1000), role };
+    await database.insertInto('verifications').values(verification).executeTakeFirstOrThrow();
+    setTimeout(() => {
+        void database.deleteFrom('verifications').where('verifications.token', '=', verification.token).execute();
+    }, expires * 1000);
+    return verification;
+}
+async function useVerification(role, userId, token) {
+    const query = database
+        .deleteFrom('verifications')
+        .where('verifications.token', '=', token)
+        .where('verifications.userId', '=', userId)
+        .where('verifications.role', '=', role);
+    return await query.returningAll().executeTakeFirst();
+}
+async function getPasskey(id) {
+    return await database.selectFrom('passkeys').selectAll().where('id', '=', id).executeTakeFirstOrThrow();
+}
+async function createPasskey(passkey) {
+    const result = await database.insertInto('passkeys').values(passkey).returningAll().executeTakeFirstOrThrow();
+    return result;
+}
+async function getPasskeysByUserId(userId) {
+    return await database.selectFrom('passkeys').selectAll().where('userId', '=', userId).execute();
+}
+async function checkAuthForUser(event, userId, sensitive = false) {
+    const token = getToken(event, sensitive);
+    if (!token)
+        throw error(401, 'Missing token');
+    const session = await getSessionAndUser(token).catch(withError('Invalid or expired session', 401));
+    if (session.userId !== userId) {
+        if (!session.user?.isAdmin)
+            error(403, 'User ID mismatch');
+        // Admins are allowed to manage other users.
+        const accessor = session.user;
+        session.user = await getUser(userId).catch(withError('Target user not found', 404));
+        return Object.assign(session, { accessor });
+    }
+    if (!session.elevated && sensitive)
+        error(403, 'This token can not be used for sensitive actions');
+    return Object.assign(session, { accessor: session.user });
+}
+function isResponseError(e) {
+    return e instanceof Error && e.name === 'ResponseError' && typeof e.status === 'number';
+}
+function error(status, message) {
+    const error = Object.assign(new Error(message), { status });
+    error.name = 'ResponseError';
+    throw error;
+}
+function isRedirect(e) {
+    return typeof e === 'object' && e !== null && 'location' in e && 'status' in e;
+}
+function json(data, init) {
+    const response = Response.json(data, init);
+    if (!response.headers.has('content-length')) {
+        response.headers.set('content-length', JSON.stringify(data).length.toString());
+    }
+    return response;
+}
+async function parseBody(event, schema) {
+    const contentType = event.request.headers.get('content-type');
+    if (!contentType || !contentType.includes('application/json'))
+        error(415, 'Invalid content type');
+    const body = await event.request.json().catch(() => error(415, 'Invalid JSON'));
+    try {
+        return schema.parse(body);
+    }
+    catch (e) {
+        error(400, prettifyError(e));
+    }
+}
+function getToken(event, sensitive = false) {
+    const header_token = event.request.headers.get('Authorization')?.replace('Bearer ', '');
+    if (header_token)
+        return header_token;
+    if (config.debug || config.api.cookie_auth) {
+        return event.cookies.get(sensitive ? 'elevated_token' : 'session_token');
+    }
+}
+async function createSessionData(userId, elevated = false) {
+    const { token, expires } = await createSession(userId, elevated);
+    const response = json({ userId, token: elevated ? '[[redacted:elevated]]' : token }, { status: 201 });
+    const cookies = serialize(elevated ? 'elevated_token' : 'session_token', token, {
+        httpOnly: true,
+        path: '/',
+        expires,
+        secure: config.auth.secure_cookies,
+        sameSite: 'lax',
+    });
+    response.headers.set('Set-Cookie', cookies);
+    return response;
+}
+function stripUser(user, includeProtected = false) {
+    return pick(user, ...userPublicFields, ...(includeProtected ? userProtectedFields : []));
+}
+function withError(text, code = 500) {
+    return function (e) {
+        if (e.name == 'ResponseError')
+            throw e;
+        error(code, text + (config.debug && e.message ? `: ${e.message}` : ''));
+    };
+}
+async function handleAPIRequest(event, route) {
+    const method = event.request.method;
+    const _warnings = [];
+    if (route.api && !event.request.headers.get('Accept')?.includes('application/json')) {
+        _warnings.push('Only application/json is supported');
+        event.request.headers.set('Accept', 'application/json');
+    }
+    for (const [key, type] of Object.entries(route.params || {})) {
+        if (!type)
+            continue;
+        try {
+            event.params[key] = type.parse(event.params[key]);
+        }
+        catch (e) {
+            error(400, `Invalid parameter: ${prettifyError(e)}`);
+        }
+    }
+    if (typeof route[method] != 'function')
+        error(405, `Method ${method} not allowed for ${route.path}`);
+    const result = await route[method](event);
+    if (result instanceof Response)
+        return result;
+    result._warnings ||= [];
+    result._warnings.push(..._warnings);
+    return json(result);
+}
+function handleResponseError(e) {
+    if (isResponseError(e))
+        return json({ message: e.message }, { status: e.status });
+    if (isRedirect(e))
+        return Response.redirect(e.location, e.status);
+    console.error(e);
+    return json({ message: 'Internal Error' + (config.debug ? ': ' + e.message : '') }, { status: 500 });
+}
+const apps = _unique('apps', new Map());
+/**
+ * @internal
+ */
+const routes = _unique('routes', new Map());
+/**
+ * @category Plugin API
+ */
+function addRoute(opt) {
+    const route = { ...opt, server: !('page' in opt) };
+    if (!route.path.startsWith('/')) {
+        throw new Error(`Route path must start with a slash: ${route.path}`);
+    }
+    if (route.path.startsWith('/api/'))
+        route.api = true;
+    if (route.api && !route.server)
+        throw new Error(`API routes cannot have a client page: ${route.path}`);
+    routes.set(route.path, route);
+    output.debug('Added route: ' + route.path);
+}
+/**
+ * Resolve a request URL into a route.
+ * This handles parsing of parameters in the URL.
+ */
+function resolveRoute(event) {
+    const { pathname } = event.url;
+    if (routes.has(pathname) && !pathname.split('/').some(p => p.startsWith(':')))
+        return routes.get(pathname);
+    // Otherwise we must have a parameterized route
+    _routes: for (const route of routes.values()) {
+        const params = {};
+        // Split the path and route into parts, zipped together
+        const pathParts = pathname.split('/').filter(Boolean);
+        // Skips routes in disabled apps
+        if (apps.has(pathParts[0]) && config.apps.disabled.includes(pathParts[0]))
+            continue;
+        for (const routePart of route.path.split('/').filter(Boolean)) {
+            const pathPart = pathParts.shift();
+            if (!pathPart)
+                continue _routes;
+            if (pathPart == routePart)
+                continue;
+            if (!routePart.startsWith(':'))
+                continue _routes;
+            params[routePart.slice(1)] = pathPart;
+        }
+        // we didn't find a match, since an exact match would have been found already
+        if (pathParts.length || !Object.keys(params).length)
+            continue;
+        event.params = params;
+        return route;
+    }
+}
+addRoute({
+    path: '/api/metadata',
+    async GET() {
+        if (config.api.disable_metadata)
+            error(401, 'API metadata is disabled');
+        return {
+            version: pkg.version,
+            routes: Object.fromEntries(routes
+                .entries()
+                .filter(([path]) => path.startsWith('/api/'))
+                .map(([path, route]) => [
+                path,
+                {
+                    params: Object.fromEntries(Object.entries(route.params || {}).map(([key, type]) => [key, type ? type.def.type : null])),
+                    methods: requestMethods.filter(m => m in route),
+                },
+            ])),
+            plugins: Object.fromEntries(plugins.values().map(plugin => [plugin.name, plugin.version])),
+        };
+    },
+});
+addRoute({
+    path: '/api/passkeys/:id',
+    params: {
+        id: string(),
+    },
+    async GET(event) {
+        const passkey = await getPasskey(event.params.id);
+        await checkAuthForUser(event, passkey.userId);
+        return omit(passkey, 'counter', 'publicKey');
+    },
+    async PATCH(event) {
+        const body = await parseBody(event, PasskeyChangeable);
+        const passkey = await getPasskey(event.params.id);
+        await checkAuthForUser(event, passkey.userId);
+        const result = await database
+            .updateTable('passkeys')
+            .set(body)
+            .where('id', '=', passkey.id)
+            .returningAll()
+            .executeTakeFirstOrThrow()
+            .catch(withError('Could not update passkey'));
+        return omit(result, 'counter', 'publicKey');
+    },
+    async DELETE(event) {
+        const passkey = await getPasskey(event.params.id);
+        await checkAuthForUser(event, passkey.userId);
+        const { count } = await database
+            .selectFrom('passkeys')
+            .select(database.fn.countAll().as('count'))
+            .where('userId', '=', passkey.userId)
+            .executeTakeFirstOrThrow();
+        if (Number(count) <= 1)
+            error(409, 'At least one passkey is required');
+        const result = await database
+            .deleteFrom('passkeys')
+            .where('id', '=', passkey.id)
+            .returningAll()
+            .executeTakeFirstOrThrow()
+            .catch(withError('Could not delete passkey'));
+        return omit(result, 'counter', 'publicKey');
+    },
+});
+// Map of user ID => challenge
+const registrations$1 = new Map();
+async function OPTIONS(event) {
+    if (!config.allow_new_users)
+        error(409, 'New user registration is disabled');
+    const { name, email: email$1 } = await parseBody(event, object({ name: string().optional(), email: email().optional() }));
+    const userId = randomUUID();
+    const user = await getUser(userId).catch(() => null);
+    if (user)
+        error(409, 'Generated UUID is already in use, please retry.');
+    const options = await generateRegistrationOptions({
+        rpName: config.auth.rp_name,
+        rpID: config.auth.rp_id,
+        userName: email$1 ?? userId,
+        userDisplayName: name,
+        attestationType: 'none',
+        excludeCredentials: [],
+        authenticatorSelection: {
+            residentKey: 'preferred',
+            userVerification: 'preferred',
+            authenticatorAttachment: 'platform',
+        },
+    });
+    registrations$1.set(userId, options.challenge);
+    return { userId, options };
+}
+async function POST(event) {
+    if (!config.allow_new_users)
+        error(409, 'New user registration is disabled');
+    const { userId, email, name, response } = await parseBody(event, APIUserRegistration);
+    const existing = await database.selectFrom('users').selectAll().where('email', '=', email.toLowerCase()).executeTakeFirst();
+    if (existing)
+        error(409, 'Email already in use');
+    const expectedChallenge = registrations$1.get(userId);
+    if (!expectedChallenge)
+        error(404, 'No registration challenge found for this user');
+    registrations$1.delete(userId);
+    const { verified, registrationInfo } = await verifyRegistrationResponse({
+        response,
+        expectedChallenge,
+        expectedOrigin: config.auth.origin,
+    }).catch(() => error(400, 'Verification failed'));
+    if (!verified || !registrationInfo)
+        error(401, 'Verification failed');
+    await database
+        .insertInto('users')
+        .values({ id: userId, name, email: email.toLowerCase() })
+        .executeTakeFirstOrThrow()
+        .catch(withError('Failed to create user'));
+    await createPasskey({
+        transports: [],
+        ...registrationInfo.credential,
+        userId,
+        deviceType: registrationInfo.credentialDeviceType,
+        backedUp: registrationInfo.credentialBackedUp,
+    }).catch(withError('Failed to create passkey', 500));
+    return await createSessionData(userId);
+}
+addRoute({
+    path: '/api/register',
+    params: {},
+    OPTIONS,
+    POST,
+});
+addRoute({
+    path: '/api/session',
+    async GET(event) {
+        const token = getToken(event);
+        if (!token)
+            error(401, 'Missing token');
+        const result = await getSessionAndUser(token).catch(withError('Invalid session', 400));
+        return {
+            ...omit(result, 'token'),
+            user: stripUser(result.user, true),
+        };
+    },
+    async DELETE(event) {
+        const token = getToken(event);
+        if (!token)
+            error(401, 'Missing token');
+        const result = await database
+            .deleteFrom('sessions')
+            .where('sessions.token', '=', token)
+            .returningAll()
+            .executeTakeFirstOrThrow()
+            .catch((e) => (e.message == 'no result' ? error(404, 'Session does not exist') : error(400, 'Invalid session')));
+        return omit(result, 'token');
+    },
+});
+const challenges = new Map();
+const params = { id: uuid() };
+/**
+ * Resolve a user's UUID using their email (in the future this might also include handles)
+ */
+addRoute({
+    path: '/api/user_id',
+    async POST(event) {
+        const { value } = await parseBody(event, object({ using: literal('email'), value: email() }));
+        const { id } = await database
+            .selectFrom('users')
+            .select('id')
+            .where('email', '=', value)
+            .executeTakeFirstOrThrow()
+            .catch(withError('User not found', 404));
+        return { id };
+    },
+});
+addRoute({
+    path: '/api/users/:id',
+    params,
+    async GET(event) {
+        const userId = event.params.id;
+        const auth = await checkAuthForUser(event, userId).catch(() => null);
+        const user = auth?.user || (await getUser(userId).catch(withError('User does not exist', 404)));
+        return stripUser(user, !!auth);
+    },
+    async PATCH(event) {
+        const userId = event.params.id;
+        const body = await parseBody(event, UserChangeable);
+        await checkAuthForUser(event, userId);
+        if ('email' in body)
+            body.emailVerified = null;
+        const result = await database
+            .updateTable('users')
+            .set(body)
+            .where('id', '=', userId)
+            .returningAll()
+            .executeTakeFirstOrThrow()
+            .catch(withError('Failed to update user'));
+        return stripUser(result, true);
+    },
+    async DELETE(event) {
+        const userId = event.params.id;
+        await checkAuthForUser(event, userId, true);
+        const result = await database
+            .deleteFrom('users')
+            .where('id', '=', userId)
+            .returningAll()
+            .executeTakeFirstOrThrow()
+            .catch(withError('Failed to delete user'));
+        return result;
+    },
+});
+addRoute({
+    path: '/api/users/:id/full',
+    params,
+    async GET(event) {
+        const userId = event.params.id;
+        const { user } = await checkAuthForUser(event, userId);
+        const sessions = await getSessions(userId);
+        return {
+            ...stripUser(user, true),
+            sessions: sessions.map(s => omit(s, 'token')),
+        };
+    },
+});
+addRoute({
+    path: '/api/users/:id/auth',
+    params,
+    async OPTIONS(event) {
+        const userId = event.params.id;
+        const { type } = await parseBody(event, UserAuthOptions);
+        await getUser(userId).catch(withError('User does not exist', 404));
+        const passkeys = await getPasskeysByUserId(userId);
+        if (!passkeys)
+            error(409, 'No passkeys exists for this user');
+        const options = await webauthn.generateAuthenticationOptions({
+            rpID: config.auth.rp_id,
+            allowCredentials: passkeys.map(passkey => pick(passkey, 'id', 'transports')),
+        });
+        challenges.set(userId, { data: options.challenge, type });
+        return options;
+    },
+    async POST(event) {
+        const userId = event.params.id;
+        const response = await parseBody(event, PasskeyAuthenticationResponse);
+        const auth = challenges.get(userId);
+        if (!auth)
+            error(404, 'No challenge');
+        const { data: expectedChallenge, type } = auth;
+        challenges.delete(userId);
+        const passkey = await getPasskey(response.id).catch(withError('Passkey does not exist', 404));
+        if (passkey.userId !== userId)
+            error(403, 'Passkey does not belong to this user');
+        const { verified } = await webauthn
+            .verifyAuthenticationResponse({
+            response,
+            credential: passkey,
+            expectedChallenge,
+            expectedOrigin: config.auth.origin,
+            expectedRPID: config.auth.rp_id,
+        })
+            .catch(withError('Verification failed', 400));
+        if (!verified)
+            error(401, 'Verification failed');
+        switch (type) {
+            case 'login':
+                return await createSessionData(userId);
+            case 'action':
+                if ((Date.now() - passkey.createdAt.getTime()) / 60_000 < config.auth.passkey_probation)
+                    error(403, 'You can not authorize sensitive actions with a newly created passkey');
+                return await createSessionData(userId, true);
+        }
+    },
+});
+// Map of user ID => challenge
+const registrations = new Map();
+addRoute({
+    path: '/api/users/:id/passkeys',
+    params,
+    /**
+     * Get passkey registration options for a user.
+     */
+    async OPTIONS(event) {
+        const userId = event.params.id;
+        const existing = await getPasskeysByUserId(userId);
+        const { user } = await checkAuthForUser(event, userId);
+        const options = await webauthn.generateRegistrationOptions({
+            rpName: config.auth.rp_name,
+            rpID: config.auth.rp_id,
+            userName: userId,
+            userDisplayName: user.email,
+            attestationType: 'none',
+            excludeCredentials: existing.map(passkey => pick(passkey, 'id', 'transports')),
+            authenticatorSelection: {
+                residentKey: 'preferred',
+                userVerification: 'preferred',
+                authenticatorAttachment: 'platform',
+            },
+        });
+        registrations.set(userId, options.challenge);
+        return options;
+    },
+    /**
+     * Get passkeys for a user.
+     */
+    async GET(event) {
+        const userId = event.params.id;
+        await checkAuthForUser(event, userId);
+        const passkeys = await getPasskeysByUserId(userId);
+        return passkeys.map(p => omit(p, 'publicKey', 'counter'));
+    },
+    /**
+     * Register a new passkey for an existing user.
+     */
+    async PUT(event) {
+        const userId = event.params.id;
+        const response = await parseBody(event, PasskeyRegistration);
+        await checkAuthForUser(event, userId);
+        const expectedChallenge = registrations.get(userId);
+        if (!expectedChallenge)
+            error(404, 'No registration challenge found for this user');
+        registrations.delete(userId);
+        const { verified, registrationInfo } = await webauthn
+            .verifyRegistrationResponse({
+            response,
+            expectedChallenge,
+            expectedOrigin: config.auth.origin,
+        })
+            .catch(withError('Verification failed', 400));
+        if (!verified || !registrationInfo)
+            error(401, 'Verification failed');
+        const passkey = await createPasskey({
+            transports: [],
+            ...registrationInfo.credential,
+            userId,
+            deviceType: registrationInfo.credentialDeviceType,
+            backedUp: registrationInfo.credentialBackedUp,
+        }).catch(withError('Failed to create passkey'));
+        return omit(passkey, 'publicKey', 'counter');
+    },
+});
+addRoute({
+    path: '/api/users/:id/sessions',
+    params,
+    async GET(event) {
+        const userId = event.params.id;
+        await checkAuthForUser(event, userId);
+        return (await getSessions(userId).catch(e => error(503, 'Failed to get sessions' + (config.debug ? ': ' + e : '')))).map(s => omit(s, 'token'));
+    },
+    async DELETE(event) {
+        const userId = event.params.id;
+        const body = await parseBody(event, LogoutSessions);
+        await checkAuthForUser(event, userId, body.confirm_all);
+        if (!body.confirm_all && !Array.isArray(body.id))
+            error(400, 'Invalid request body');
+        const query = body.confirm_all ? database.deleteFrom('sessions') : database.deleteFrom('sessions').where('sessions.id', 'in', body.id);
+        const result = await query
+            .where('sessions.userId', '=', userId)
+            .returningAll()
+            .execute()
+            .catch(withError('Failed to delete one or more sessions'));
+        return result.map(s => omit(s, 'token'));
+    },
+});
+addRoute({
+    path: '/api/users/:id/verify_email',
+    params,
+    async OPTIONS(event) {
+        const userId = event.params.id;
+        if (!config.auth.email_verification)
+            return { enabled: false };
+        await checkAuthForUser(event, userId);
+        if (!config.auth.email_verification)
+            return { enabled: false };
+        return { enabled: true };
+    },
+    async GET(event) {
+        const userId = event.params.id;
+        const { user } = await checkAuthForUser(event, userId);
+        if (user.emailVerified)
+            error(409, 'Email already verified');
+        const verification = await createVerification('verify_email', userId, config.auth.verification_timeout * 60);
+        return omit(verification, 'token', 'role');
+    },
+    async POST(event) {
+        const userId = event.params.id;
+        const { token } = await parseBody(event, object({ token: string() }));
+        const { user } = await checkAuthForUser(event, userId);
+        if (user.emailVerified)
+            error(409, 'Email already verified');
+        await useVerification('verify_email', userId, token).catch(withError('Invalid or expired verification token', 400));
+        return {};
+    },
+});
+/**
+ * Perform initial setup for when the server is serving web pages.
+ */
+async function init() {
+    logger.attach(createWriteStream(join(dirs.at(-1), 'server.log')), { output: allLogLevels });
+    await loadDefaultConfigs();
+    connect();
+    await clean({});
+    // eslint-disable-next-line @typescript-eslint/no-misused-promises
+    process.on('beforeExit', () => database.destroy());
+}
+let template = null;
+function fillSvelteKitTemplate({ head, body }, env = {}, nonce = '') {
+    template ||= readFileSync(config.web.template, 'utf-8');
+    return (template
+        .replaceAll('%sveltekit.head%', head)
+        .replaceAll('%sveltekit.body%', body)
+        .replaceAll('%sveltekit.assets%', config.web.assets)
+        // Unused for now.
+        .replaceAll('%sveltekit.nonce%', nonce)
+        .replace(/%sveltekit\.env\.([^%]+)%/g, (_match, key) => env[key] ?? ''));
+}
+/**
+ * @internal
+ */
+async function handleSvelteKit({ event, resolve, }) {
+    const route = resolveRoute(event);
+    if (!route && event.url.pathname === '/' && config.debug)
+        return new Response(null, { status: 303, headers: { Location: '/_axium/default' } });
+    if (config.debug)
+        console.log(styleText('blueBright', event.request.method.padEnd(7)), route ? route.path : event.url.pathname);
+    if (!route)
+        return await resolve(event).catch(handleResponseError);
+    if (route.server == true) {
+        if (route.api)
+            return await handleAPIRequest(event, route).catch(handleResponseError);
+        const run = route[event.request.method];
+        if (typeof run !== 'function') {
+            error(405, `Method ${event.request.method} not allowed for ${route.path}`);
+        }
+        try {
+            const result = await run(event);
+            if (result instanceof Response)
+                return result;
+            return json(result);
+        }
+        catch (e) {
+            return handleResponseError(e);
+        }
+    }
+    await route.load?.(event);
+    const body = fillSvelteKitTemplate(render(route.page));
+    return new Response(body, {
+        headers: config.web.disable_cache
+            ? {
+                'Content-Type': 'text/html; charset=utf-8',
+                'Cache-Control': 'no-cache, no-store, must-revalidate',
+                Pragma: 'no-cache',
+                Expires: '0',
+            }
+            : {},
+        status: 200,
+    });
+}
+await init();
+export { handleSvelteKit as handle };
+//# sourceMappingURL=hooks.server-PyYsuy1-.js.map