@axium/server 0.19.10 → 0.20.0

package/build/server/chunks/hooks.server-DxovS-nf.js

@@ -1,1386 +0,0 @@
-import * as fs from 'node:fs';
-import { readFileSync, existsSync, writeFileSync, createWriteStream } from 'node:fs';
-import 'node:http';
-import 'node:https';
-import { Logger, levelText, allLogLevels } from 'logzen';
-import { join, resolve, dirname } from 'node:path/posix';
-import './string-CafUlmcI.js';
-import 'node:child_process';
-import { homedir } from 'node:os';
-import { styleText } from 'node:util';
-import { _ as _unknown, a as _tuple, b as _array, $ as $ZodUnknown, c as $ZodArray, d as $ZodTuple, p as parse, e as parseAsync, l as literal, o as object, r as record, s as string, f as any, n as number, g as array, h as _enum, u as uuid, i as email, j as boolean, k as custom, m as looseObject, q as partialRecord, t as prettifyError, v as date, w as url } from './schemas-C2VqNPFY.js';
-import { serialize } from 'cookie';
-import { randomBytes, randomUUID } from 'node:crypto';
-import { Kysely, PostgresDialect } from 'kysely';
-import { jsonObjectFrom } from 'kysely/helpers/postgres';
-import pg from 'pg';
-import * as webauthn from '@simplewebauthn/server';
-import { verifyRegistrationResponse, generateRegistrationOptions } from '@simplewebauthn/server';
-import { render } from 'svelte/server';
-
-function filterObject(object, predicate) {
-    const entries = Object.entries(object);
-    return Object.fromEntries(entries.filter(([key, value]) => predicate(key, value)));
-}
-function pick(object, ...keys) {
-    const picked = {};
-    for (const key of keys.flat()) {
-        picked[key] = object[key];
-    }
-    return picked;
-}
-function omit(object, ...keys) {
-    return filterObject(object, key => !keys.flat().includes(key));
-}
-/**
- * Returns whether `value` is not a primitive.
- *
- * This function is only useful for the type check,
- * you can do `Object(v) === v` otherwise.
- */
-function isObject(value) {
-    return Object(value) === value;
-}
-function deepAssign(to, from) {
-    const keys = new Set([
-        ...Object.keys(to),
-        ...Object.keys(from),
-    ]);
-    for (const key of keys) {
-        if (!(key in from))
-            continue;
-        const value = from[key];
-        if (!(key in to)) {
-            to[key] = value;
-            continue;
-        }
-        if (!isObject(to[key]) && Object(value) !== value) {
-            to[key] = value;
-            continue;
-        }
-        if (isObject(to[key]) && Object(value) === value) {
-            deepAssign(to[key], value);
-            continue;
-        }
-        throw new TypeError(!isObject(to[key])
-            ? 'Can not deeply assign an object to a primitive'
-            : 'Can not deeply assign a primitive to an object');
-    }
-    return to;
-}
-
-class $ZodFunction {
-    constructor(def) {
-        this._def = def;
-        this.def = def;
-    }
-    implement(func) {
-        if (typeof func !== "function") {
-            throw new Error("implement() must be called with a function");
-        }
-        const impl = ((...args) => {
-            const parsedArgs = this._def.input ? parse(this._def.input, args, undefined, { callee: impl }) : args;
-            if (!Array.isArray(parsedArgs)) {
-                throw new Error("Invalid arguments schema: not an array or tuple schema.");
-            }
-            const output = func(...parsedArgs);
-            return this._def.output ? parse(this._def.output, output, undefined, { callee: impl }) : output;
-        });
-        return impl;
-    }
-    implementAsync(func) {
-        if (typeof func !== "function") {
-            throw new Error("implement() must be called with a function");
-        }
-        const impl = (async (...args) => {
-            const parsedArgs = this._def.input ? await parseAsync(this._def.input, args, undefined, { callee: impl }) : args;
-            if (!Array.isArray(parsedArgs)) {
-                throw new Error("Invalid arguments schema: not an array or tuple schema.");
-            }
-            const output = await func(...parsedArgs);
-            return this._def.output ? parseAsync(this._def.output, output, undefined, { callee: impl }) : output;
-        });
-        return impl;
-    }
-    input(...args) {
-        const F = this.constructor;
-        if (Array.isArray(args[0])) {
-            return new F({
-                type: "function",
-                input: new $ZodTuple({
-                    type: "tuple",
-                    items: args[0],
-                    rest: args[1],
-                }),
-                output: this._def.output,
-            });
-        }
-        return new F({
-            type: "function",
-            input: args[0],
-            output: this._def.output,
-        });
-    }
-    output(output) {
-        const F = this.constructor;
-        return new F({
-            type: "function",
-            input: this._def.input,
-            output,
-        });
-    }
-}
-function _function(params) {
-    return new $ZodFunction({
-        type: "function",
-        input: Array.isArray(params?.input)
-            ? _tuple($ZodTuple, params?.input)
-            : (params?.input ?? _array($ZodArray, _unknown($ZodUnknown))),
-        output: params?.output ?? _unknown($ZodUnknown),
-    });
-}
-
-const sym$1 = Symbol.for('Axium:state');
-globalThis[sym$1] ||= Object.create({ _errored: false });
-let _doWarnings = false;
-function _duplicateStateWarnings(value) {
-    _doWarnings = value;
-}
-/**
- * Prevent duplicate shared state.
- */
-function _unique(id, value) {
-    const state = globalThis[sym$1];
-    const _err = new Error();
-    Error.captureStackTrace(_err, _unique);
-    const stack = _err.stack.slice(6);
-    if (!(id in state)) {
-        state[id] = { value, stack };
-        return value;
-    }
-    if (!state._errored) {
-        console.error(styleText('red', 'Duplicate Axium server state! You might have multiple instances of the same module loaded.'));
-        state._errored = true;
-    }
-    _doWarnings && console.warn(styleText('yellow', `Mitigating duplicate state! (${id})\n${stack}\nFrom original\n${state[id].stack}`));
-    return state[id].value;
-}
-
-const systemDir = '/etc/axium';
-const userDir = join(homedir(), '.axium');
-const dirs = _unique('dirs', [systemDir, userDir]);
-for (let dir = resolve(process.cwd()); dir !== '/'; dir = dirname(dir)) {
-    if (fs.existsSync(join(dir, '.axium')))
-        dirs.push(join(dir, '.axium'));
-}
-if (process.env.AXIUM_DIR)
-    dirs.push(process.env.AXIUM_DIR);
-try {
-    fs.mkdirSync(systemDir, { recursive: true });
-}
-catch {
-    // Missing permissions
-}
-fs.mkdirSync(userDir, { recursive: true });
-const logger = new Logger({
-    hideWarningStack: true,
-    noGlobalConsole: true,
-});
-/**
- * @internal
- */
-const output = {
-    constructor: { name: 'Console' },
-    error(message) {
-        console.error(message.startsWith('\x1b') ? message : styleText('red', message));
-    },
-    warn(message) {
-        console.warn(message.startsWith('\x1b') ? message : styleText('yellow', message));
-    },
-    info(message) {
-        console.info(message.startsWith('\x1b') ? message : styleText('blue', message));
-    },
-    log(message) {
-        console.log(message);
-    },
-    debug(message) {
-        _debugOutput && console.debug(message.startsWith('\x1b') ? message : styleText('gray', message));
-    },
-};
-logger.attach(output);
-let _debugOutput = false;
-/**
- * Enable or disable debug output.
- */
-function _setDebugOutput(enabled) {
-    _debugOutput = enabled;
-}
-function defaultOutput(tag, message = '') {
-    switch (tag) {
-        case 'debug':
-            _debugOutput && output.debug(message);
-            break;
-        case 'info':
-            console.log(message);
-            break;
-        case 'warn':
-            console.warn(styleText('yellow', message));
-            break;
-        case 'error':
-            console.error(styleText('red', message));
-            break;
-        case 'start':
-            process.stdout.write(message + '... ');
-            break;
-        case 'done':
-            console.log('done.');
-            break;
-        case 'plugin':
-            console.log(styleText('whiteBright', 'Running plugin: ' + message));
-    }
-}
-let _taggedOutput = defaultOutput;
-// Shortcuts for tagged output
-function done() {
-    _taggedOutput?.('done');
-}
-function start(message) {
-    _taggedOutput?.('start', message);
-}
-function plugin(name) {
-    _taggedOutput?.('plugin', name);
-}
-function debug(message) {
-    _taggedOutput?.('debug', message);
-}
-function warn(message) {
-    _taggedOutput?.('warn', message);
-}
-/**
- * This is a factory for handling errors when performing operations.
- * The handler will allow the parent scope to continue if a relation already exists,
- * rather than fatally exiting.
- */
-function someWarnings(...allowList) {
-    return (error) => {
-        error = typeof error == 'object' && 'message' in error ? error.message : error;
-        for (const [pattern, message = error] of allowList) {
-            if (!pattern.test(error))
-                continue;
-            warn(message);
-            return;
-        }
-        throw error;
-    };
-}
-
-function zAsyncFunction(schema) {
-    return custom((fn) => schema.implementAsync(fn));
-}
-const transports = ['ble', 'cable', 'hybrid', 'internal', 'nfc', 'smart-card', 'usb'];
-const authenticatorAttachment = literal(['platform', 'cross-platform']).optional();
-const PasskeyRegistration = object({
-    id: string(),
-    rawId: string(),
-    response: object({
-        clientDataJSON: string(),
-        attestationObject: string(),
-        authenticatorData: string().optional(),
-        transports: array(_enum(transports)).optional(),
-        publicKeyAlgorithm: number().optional(),
-        publicKey: string().optional(),
-    }),
-    authenticatorAttachment,
-    clientExtensionResults: record(any(), any()),
-    type: literal('public-key'),
-});
-/**
- * POSTed to the `/users/:id/login` endpoint.
- */
-const PasskeyAuthenticationResponse = object({
-    id: string(),
-    rawId: string(),
-    response: object({
-        clientDataJSON: string(),
-        authenticatorData: string(),
-        signature: string(),
-        userHandle: string().optional(),
-    }),
-    authenticatorAttachment,
-    clientExtensionResults: record(any(), any()),
-    type: literal('public-key'),
-});
-const APIUserRegistration = object({
-    name: string().min(1).max(100),
-    email: email(),
-    userId: uuid(),
-    response: PasskeyRegistration,
-});
-const PasskeyChangeable = object({ name: string() }).partial();
-const UserAuthOptions = object({ type: literal(['login', 'action']) });
-const LogoutSessions = object({
-    id: array(uuid()).optional(),
-    confirm_all: boolean().optional(),
-});
-
-const PluginMetadata = looseObject({
-    name: string(),
-    version: string(),
-    description: string().optional(),
-    routes: string().optional(),
-});
-const hookNames = ['db_init', 'remove', 'db_wipe', 'clean'];
-const fn = custom(data => typeof data === 'function');
-const Plugin = PluginMetadata.extend({
-    statusText: zAsyncFunction(_function({ input: [], output: string() })),
-    hooks: partialRecord(literal(hookNames), fn).optional(),
-});
-const kSpecifier = Symbol('specifier');
-const plugins = _unique('plugins', new Set());
-async function loadPlugin(specifier) {
-    try {
-        const imported = await import(/* @vite-ignore */ specifier);
-        const maybePlugin = 'default' in imported ? imported.default : imported;
-        const plugin = Object.assign({ hooks: {}, [kSpecifier]: specifier }, await Plugin.parseAsync(maybePlugin).catch(e => {
-            throw prettifyError(e);
-        }));
-        if (plugin.name.startsWith('#') || plugin.name.includes(' ')) {
-            throw 'Invalid plugin name. Plugin names can not start with a hash or contain spaces.';
-        }
-        plugins.add(plugin);
-        output.debug(`Loaded plugin: ${plugin.name} ${plugin.version}`);
-    }
-    catch (e) {
-        output.debug(`Failed to load plugin from ${specifier}: ${e ? (e instanceof Error ? e.message : e.toString()) : e}`);
-    }
-}
-
-const ConfigSchema = looseObject({
-    allow_new_users: boolean(),
-    api: looseObject({
-        disable_metadata: boolean(),
-        cookie_auth: boolean(),
-    })
-        .partial(),
-    apps: looseObject({
-        disabled: array(string()),
-    })
-        .partial(),
-    auth: looseObject({
-        origin: string(),
-        /** In minutes */
-        passkey_probation: number(),
-        rp_id: string(),
-        rp_name: string(),
-        secure_cookies: boolean(),
-        /** In minutes */
-        verification_timeout: number(),
-        /** Whether users can verify emails */
-        email_verification: boolean(),
-    })
-        .partial(),
-    db: looseObject({
-        host: string(),
-        port: number(),
-        password: string(),
-        user: string(),
-        database: string(),
-    })
-        .partial(),
-    debug: boolean(),
-    log: looseObject({
-        level: _enum(levelText),
-        console: boolean(),
-    })
-        .partial(),
-    show_duplicate_state: boolean(),
-    web: looseObject({
-        assets: string(),
-        build: string(),
-        disable_cache: boolean(),
-        port: number().min(1).max(65535),
-        prefix: string(),
-        routes: string(),
-        secure: boolean(),
-        ssl_key: string(),
-        ssl_cert: string(),
-        template: string(),
-    })
-        .partial(),
-})
-    .partial();
-const configFiles = _unique('configFiles', new Map());
-function plainConfig() {
-    return omit(config, Object.keys(configShortcuts));
-}
-const configShortcuts = {
-    findPath: findConfigPaths,
-    load: loadConfig,
-    loadDefaults: loadDefaultConfigs,
-    plain: plainConfig,
-    save: saveConfig,
-    saveTo: saveConfigTo,
-    set: setConfig,
-    files: configFiles,
-};
-const config = _unique('config', {
-    ...configShortcuts,
-    allow_new_users: true,
-    api: {
-        disable_metadata: false,
-        cookie_auth: true,
-    },
-    apps: {
-        disabled: [],
-    },
-    auth: {
-        origin: 'https://test.localhost',
-        passkey_probation: 60,
-        rp_id: 'test.localhost',
-        rp_name: 'Axium',
-        secure_cookies: true,
-        verification_timeout: 60,
-        email_verification: false,
-    },
-    db: {
-        database: process.env.PGDATABASE || 'axium',
-        host: process.env.PGHOST || 'localhost',
-        password: process.env.PGPASSWORD || '',
-        port: process.env.PGPORT && Number.isSafeInteger(parseInt(process.env.PGPORT)) ? parseInt(process.env.PGPORT) : 5432,
-        user: process.env.PGUSER || 'axium',
-    },
-    debug: false,
-    log: {
-        console: true,
-        level: 'info',
-    },
-    show_duplicate_state: false,
-    web: {
-        assets: '',
-        build: '../build/handler.js',
-        disable_cache: false,
-        port: 443,
-        prefix: '',
-        routes: 'routes',
-        secure: true,
-        ssl_key: resolve(dirs[0], 'ssl_key.pem'),
-        ssl_cert: resolve(dirs[0], 'ssl_cert.pem'),
-        template: join(import.meta.dirname, '../web/template.html'),
-    },
-});
-// config from file
-const FileSchema = looseObject({
-    ...ConfigSchema.shape,
-    include: array(string()),
-    plugins: array(string()),
-})
-    .partial();
-/**
- * Update the current config
- */
-function setConfig(other) {
-    deepAssign(config, other);
-    logger.detach(output);
-    if (config.log.console)
-        logger.attach(output, { output: config.log.level });
-    _setDebugOutput(config.debug);
-    _duplicateStateWarnings(config.show_duplicate_state);
-}
-/**
- * Load the config from the provided path
- */
-async function loadConfig(path, options = {}) {
-    if (configFiles.has(path))
-        return;
-    let json;
-    try {
-        json = JSON.parse(readFileSync(path, 'utf8'));
-    }
-    catch (e) {
-        if (!options.optional)
-            throw e;
-        output.debug(`Skipping config at ${path} (${e.message})`);
-        return;
-    }
-    let file;
-    try {
-        file = FileSchema.parse(json);
-    }
-    catch (e) {
-        if (!options.loose)
-            throw e;
-        output.debug(`Loading invalid config from ${path} (${e.message})`);
-        file = json;
-    }
-    configFiles.set(path, file);
-    setConfig(file);
-    output.debug('Loaded config: ' + path);
-    for (const include of file.include ?? [])
-        await loadConfig(join(dirname(path), include), { optional: true });
-    for (const plugin of file.plugins ?? [])
-        await loadPlugin(plugin.startsWith('.') ? resolve(dirname(path), plugin) : plugin);
-}
-async function loadDefaultConfigs() {
-    for (const path of findConfigPaths()) {
-        if (!existsSync(path)) {
-            try {
-                writeFileSync(path, '{}');
-            }
-            catch {
-                continue;
-            }
-        }
-        await loadConfig(path, { optional: true });
-    }
-}
-/**
- * Update the current config and write the updated config to the appropriate file
- */
-function saveConfig(changed, global = false) {
-    saveConfigTo(findConfigPaths().at(global ? 0 : -1), changed);
-}
-/**
- * Update the current config and write the updated config to the provided path
- */
-function saveConfigTo(path, changed) {
-    setConfig(changed);
-    const config = configFiles.get(path) ?? {};
-    Object.assign(config, { ...changed, db: { ...config.db, ...changed.db } });
-    output.debug(`Wrote config to ${path}`);
-    writeFileSync(path, JSON.stringify(config));
-}
-/**
- * Find the path to the config file(s)
- * This array should roughly be in the order of most global to most local.
- */
-function findConfigPaths() {
-    const paths = dirs.map(dir => join(dir, 'config.json'));
-    if (process.env.AXIUM_CONFIG)
-        paths.push(process.env.AXIUM_CONFIG);
-    return paths;
-}
-if (process.env.AXIUM_CONFIG)
-    await loadConfig(process.env.AXIUM_CONFIG);
-
-const requestMethods = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'HEAD', 'PATCH'];
-
-var version = "0.19.10";
-var pkg = {
-	version: version};
-
-const User = object({
-    id: uuid(),
-    name: string().min(1, 'Name is required').max(255, 'Name is too long'),
-    email: email(),
-    emailVerified: date().nullable().optional(),
-    image: url().nullable().optional(),
-    preferences: record(string(), any()),
-    roles: array(string()),
-    registeredAt: date(),
-});
-const userPublicFields = ['id', 'image', 'name', 'registeredAt', 'roles'];
-const userProtectedFields = ['email', 'emailVerified', 'preferences'];
-const UserChangeable = User.pick({
-    name: true,
-    email: true,
-    image: true,
-    preferences: true,
-}).partial();
-
-(undefined && undefined.__addDisposableResource) || function (env, value, async) {
-    if (value !== null && value !== void 0) {
-        if (typeof value !== "object" && typeof value !== "function") throw new TypeError("Object expected.");
-        var dispose, inner;
-        if (async) {
-            if (!Symbol.asyncDispose) throw new TypeError("Symbol.asyncDispose is not defined.");
-            dispose = value[Symbol.asyncDispose];
-        }
-        if (dispose === void 0) {
-            if (!Symbol.dispose) throw new TypeError("Symbol.dispose is not defined.");
-            dispose = value[Symbol.dispose];
-            if (async) inner = dispose;
-        }
-        if (typeof dispose !== "function") throw new TypeError("Object not disposable.");
-        if (inner) dispose = function() { try { inner.call(this); } catch (e) { return Promise.reject(e); } };
-        env.stack.push({ value: value, dispose: dispose, async: async });
-    }
-    else if (async) {
-        env.stack.push({ async: true });
-    }
-    return value;
-};
-(undefined && undefined.__disposeResources) || (function (SuppressedError) {
-    return function (env) {
-        function fail(e) {
-            env.error = env.hasError ? new SuppressedError(e, env.error, "An error was suppressed during disposal.") : e;
-            env.hasError = true;
-        }
-        var r, s = 0;
-        function next() {
-            while (r = env.stack.pop()) {
-                try {
-                    if (!r.async && s === 1) return s = 0, env.stack.push(r), Promise.resolve().then(next);
-                    if (r.dispose) {
-                        var result = r.dispose.call(r.value);
-                        if (r.async) return s |= 2, Promise.resolve(result).then(next, function(e) { fail(e); return next(); });
-                    }
-                    else s |= 1;
-                }
-                catch (e) {
-                    fail(e);
-                }
-            }
-            if (s === 1) return env.hasError ? Promise.reject(env.error) : Promise.resolve();
-            if (env.hasError) throw env.error;
-        }
-        return next();
-    };
-})(typeof SuppressedError === "function" ? SuppressedError : function (error, suppressed, message) {
-    var e = new Error(message);
-    return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
-});
-const sym = Symbol.for('Axium:database');
-let database;
-function connect() {
-    if (database)
-        return database;
-    if (globalThis[sym])
-        return (database = globalThis[sym]);
-    database = new Kysely({
-        dialect: new PostgresDialect({ pool: new pg.Pool(config.db) }),
-    });
-    globalThis[sym] = database;
-    debug('Connected to database!');
-    return database;
-}
-/**
- * Select the user with the id from the userId column of a table, placing it in the `user` property.
- */
-function userFromId(builder) {
-    const eb = builder;
-    return jsonObjectFrom(eb.selectFrom('users').selectAll().whereRef('id', '=', 'userId'))
-        .$notNull()
-        .$castTo()
-        .as('user');
-}
-/** Shortcut to output a warning if an error is thrown because relation already exists */
-someWarnings([/\w+ "[\w.]+" already exists/, 'already exists.']);
-async function clean(opt) {
-    const now = new Date();
-    start('Removing expired sessions');
-    await database.deleteFrom('sessions').where('sessions.expires', '<', now).execute().then(done);
-    start('Removing expired verifications');
-    await database.deleteFrom('verifications').where('verifications.expires', '<', now).execute().then(done);
-    for (const plugin$1 of plugins) {
-        if (!plugin$1.hooks.clean)
-            continue;
-        plugin(plugin$1.name);
-        await plugin$1.hooks.clean(opt);
-    }
-}
-
-async function getUser(id) {
-    return await database.selectFrom('users').selectAll().where('id', '=', id).executeTakeFirstOrThrow();
-}
-const in30days = () => new Date(Date.now() + 2592000000);
-const in10minutes = () => new Date(Date.now() + 600000);
-async function createSession(userId, elevated = false) {
-    const session = {
-        id: randomUUID(),
-        userId,
-        token: randomBytes(64).toString('base64'),
-        expires: elevated ? in10minutes() : in30days(),
-        elevated,
-        created: new Date(),
-    };
-    await database.insertInto('sessions').values(session).execute();
-    return session;
-}
-async function getSessionAndUser(token) {
-    const result = await database
-        .selectFrom('sessions')
-        .selectAll()
-        .select(userFromId)
-        .where('sessions.token', '=', token)
-        .where('sessions.expires', '>', new Date())
-        .executeTakeFirstOrThrow();
-    if (!result.user)
-        throw new Error('Session references non-existing user');
-    return result;
-}
-async function getSessions(userId) {
-    return await database.selectFrom('sessions').selectAll().where('userId', '=', userId).where('sessions.expires', '>', new Date()).execute();
-}
-/**
- * Create a verification
- * @param expires How long the token should be valid for in seconds
- */
-async function createVerification(role, userId, expires) {
-    const token = randomBytes(64).toString('base64url');
-    const verification = { userId, token, expires: new Date(Date.now() + expires * 1000), role };
-    await database.insertInto('verifications').values(verification).executeTakeFirstOrThrow();
-    setTimeout(() => {
-        void database.deleteFrom('verifications').where('verifications.token', '=', verification.token).execute();
-    }, expires * 1000);
-    return verification;
-}
-async function useVerification(role, userId, token) {
-    const query = database
-        .deleteFrom('verifications')
-        .where('verifications.token', '=', token)
-        .where('verifications.userId', '=', userId)
-        .where('verifications.role', '=', role);
-    return await query.returningAll().executeTakeFirst();
-}
-async function getPasskey(id) {
-    return await database.selectFrom('passkeys').selectAll().where('id', '=', id).executeTakeFirstOrThrow();
-}
-async function createPasskey(passkey) {
-    const result = await database.insertInto('passkeys').values(passkey).returningAll().executeTakeFirstOrThrow();
-    return result;
-}
-async function getPasskeysByUserId(userId) {
-    return await database.selectFrom('passkeys').selectAll().where('userId', '=', userId).execute();
-}
-async function checkAuthForUser(event, userId, sensitive = false) {
-    const token = getToken(event, sensitive);
-    if (!token)
-        throw error(401, 'Missing token');
-    const session = await getSessionAndUser(token).catch(withError('Invalid or expired session', 401));
-    if (session.userId !== userId) {
-        if (!session.user?.isAdmin)
-            error(403, 'User ID mismatch');
-        // Admins are allowed to manage other users.
-        const accessor = session.user;
-        session.user = await getUser(userId).catch(withError('Target user not found', 404));
-        return Object.assign(session, { accessor });
-    }
-    if (!session.elevated && sensitive)
-        error(403, 'This token can not be used for sensitive actions');
-    return Object.assign(session, { accessor: session.user });
-}
-
-function isResponseError(e) {
-    return e instanceof Error && e.name === 'ResponseError' && typeof e.status === 'number';
-}
-function error(status, message) {
-    const error = Object.assign(new Error(message), { status });
-    error.name = 'ResponseError';
-    throw error;
-}
-function isRedirect(e) {
-    return typeof e === 'object' && e !== null && 'location' in e && 'status' in e;
-}
-function json(data, init) {
-    const response = Response.json(data, init);
-    if (!response.headers.has('content-length')) {
-        response.headers.set('content-length', JSON.stringify(data).length.toString());
-    }
-    return response;
-}
-async function parseBody(event, schema) {
-    const contentType = event.request.headers.get('content-type');
-    if (!contentType || !contentType.includes('application/json'))
-        error(415, 'Invalid content type');
-    const body = await event.request.json().catch(() => error(415, 'Invalid JSON'));
-    try {
-        return schema.parse(body);
-    }
-    catch (e) {
-        error(400, prettifyError(e));
-    }
-}
-function getToken(event, sensitive = false) {
-    const header_token = event.request.headers.get('Authorization')?.replace('Bearer ', '');
-    if (header_token)
-        return header_token;
-    if (config.debug || config.api.cookie_auth) {
-        return event.cookies.get(sensitive ? 'elevated_token' : 'session_token');
-    }
-}
-async function createSessionData(userId, elevated = false) {
-    const { token, expires } = await createSession(userId, elevated);
-    const response = json({ userId, token: elevated ? '[[redacted:elevated]]' : token }, { status: 201 });
-    const cookies = serialize(elevated ? 'elevated_token' : 'session_token', token, {
-        httpOnly: true,
-        path: '/',
-        expires,
-        secure: config.auth.secure_cookies,
-        sameSite: 'lax',
-    });
-    response.headers.set('Set-Cookie', cookies);
-    return response;
-}
-function stripUser(user, includeProtected = false) {
-    return pick(user, ...userPublicFields, ...(includeProtected ? userProtectedFields : []));
-}
-function withError(text, code = 500) {
-    return function (e) {
-        if (e.name == 'ResponseError')
-            throw e;
-        error(code, text + (config.debug && e.message ? `: ${e.message}` : ''));
-    };
-}
-async function handleAPIRequest(event, route) {
-    const method = event.request.method;
-    const _warnings = [];
-    if (route.api && !event.request.headers.get('Accept')?.includes('application/json')) {
-        _warnings.push('Only application/json is supported');
-        event.request.headers.set('Accept', 'application/json');
-    }
-    for (const [key, type] of Object.entries(route.params || {})) {
-        if (!type)
-            continue;
-        try {
-            event.params[key] = type.parse(event.params[key]);
-        }
-        catch (e) {
-            error(400, `Invalid parameter: ${prettifyError(e)}`);
-        }
-    }
-    if (typeof route[method] != 'function')
-        error(405, `Method ${method} not allowed for ${route.path}`);
-    const result = await route[method](event);
-    if (result instanceof Response)
-        return result;
-    result._warnings ||= [];
-    result._warnings.push(..._warnings);
-    return json(result);
-}
-function handleResponseError(e) {
-    if (isResponseError(e))
-        return json({ message: e.message }, { status: e.status });
-    if (isRedirect(e))
-        return Response.redirect(e.location, e.status);
-    console.error(e);
-    return json({ message: 'Internal Error' + (config.debug ? ': ' + e.message : '') }, { status: 500 });
-}
-const noCacheHeaders = {
-    'Content-Type': 'text/html; charset=utf-8',
-    'Cache-Control': 'no-cache, no-store, must-revalidate',
-    Pragma: 'no-cache',
-    Expires: '0',
-};
-
-const apps = _unique('apps', new Map());
-const appDisabledContent = {
-    head: '<title>App Disabled</title>',
-    body: '<h1>App Disabled</h1><p>This app is currently disabled.</p>',
-};
-
-/**
- * @internal
- */
-const routes = _unique('routes', new Map());
-/**
- * @category Plugin API
- */
-function addRoute(opt) {
-    const route = { ...opt, server: !('page' in opt) };
-    if (!route.path.startsWith('/')) {
-        throw new Error(`Route path must start with a slash: ${route.path}`);
-    }
-    if (route.path.startsWith('/api/'))
-        route.api = true;
-    if (route.api && !route.server)
-        throw new Error(`API routes cannot have a client page: ${route.path}`);
-    routes.set(route.path, route);
-    output.debug('Added route: ' + route.path);
-}
-/**
- * Resolve a request URL into a route.
- * This handles parsing of parameters in the URL.
- */
-function resolveRoute(event) {
-    const { pathname } = event.url;
-    if (routes.has(pathname) && !pathname.split('/').some(p => p.startsWith(':')))
-        return routes.get(pathname);
-    // Otherwise we must have a parameterized route
-    _routes: for (const route of routes.values()) {
-        const params = {};
-        // Split the path and route into parts, zipped together
-        const pathParts = pathname.split('/').filter(Boolean);
-        // Skips routes in disabled apps
-        if (apps.has(pathParts[0]) && config.apps.disabled.includes(pathParts[0]))
-            continue;
-        for (const routePart of route.path.split('/').filter(Boolean)) {
-            const pathPart = pathParts.shift();
-            if (!pathPart)
-                continue _routes;
-            if (pathPart == routePart)
-                continue;
-            if (!routePart.startsWith(':'))
-                continue _routes;
-            params[routePart.slice(1)] = pathPart;
-        }
-        // we didn't find a match, since an exact match would have been found already
-        if (pathParts.length || !Object.keys(params).length)
-            continue;
-        event.params = params;
-        return route;
-    }
-}
-
-addRoute({
-    path: '/api/metadata',
-    async GET() {
-        if (config.api.disable_metadata)
-            error(401, 'API metadata is disabled');
-        return {
-            version: pkg.version,
-            routes: Object.fromEntries(routes
-                .entries()
-                .filter(([path]) => path.startsWith('/api/'))
-                .map(([path, route]) => [
-                path,
-                {
-                    params: Object.fromEntries(Object.entries(route.params || {}).map(([key, type]) => [key, type ? type.def.type : null])),
-                    methods: requestMethods.filter(m => m in route),
-                },
-            ])),
-            plugins: Object.fromEntries(plugins.values().map(plugin => [plugin.name, plugin.version])),
-        };
-    },
-});
-
-addRoute({
-    path: '/api/passkeys/:id',
-    params: {
-        id: string(),
-    },
-    async GET(event) {
-        const passkey = await getPasskey(event.params.id);
-        await checkAuthForUser(event, passkey.userId);
-        return omit(passkey, 'counter', 'publicKey');
-    },
-    async PATCH(event) {
-        const body = await parseBody(event, PasskeyChangeable);
-        const passkey = await getPasskey(event.params.id);
-        await checkAuthForUser(event, passkey.userId);
-        const result = await database
-            .updateTable('passkeys')
-            .set(body)
-            .where('id', '=', passkey.id)
-            .returningAll()
-            .executeTakeFirstOrThrow()
-            .catch(withError('Could not update passkey'));
-        return omit(result, 'counter', 'publicKey');
-    },
-    async DELETE(event) {
-        const passkey = await getPasskey(event.params.id);
-        await checkAuthForUser(event, passkey.userId);
-        const { count } = await database
-            .selectFrom('passkeys')
-            .select(database.fn.countAll().as('count'))
-            .where('userId', '=', passkey.userId)
-            .executeTakeFirstOrThrow();
-        if (Number(count) <= 1)
-            error(409, 'At least one passkey is required');
-        const result = await database
-            .deleteFrom('passkeys')
-            .where('id', '=', passkey.id)
-            .returningAll()
-            .executeTakeFirstOrThrow()
-            .catch(withError('Could not delete passkey'));
-        return omit(result, 'counter', 'publicKey');
-    },
-});
-
-// Map of user ID => challenge
-const registrations$1 = new Map();
-async function OPTIONS(event) {
-    if (!config.allow_new_users)
-        error(409, 'New user registration is disabled');
-    const { name, email: email$1 } = await parseBody(event, object({ name: string().optional(), email: email().optional() }));
-    const userId = randomUUID();
-    const user = await getUser(userId).catch(() => null);
-    if (user)
-        error(409, 'Generated UUID is already in use, please retry.');
-    const options = await generateRegistrationOptions({
-        rpName: config.auth.rp_name,
-        rpID: config.auth.rp_id,
-        userName: email$1 ?? userId,
-        userDisplayName: name,
-        attestationType: 'none',
-        excludeCredentials: [],
-        authenticatorSelection: {
-            residentKey: 'preferred',
-            userVerification: 'preferred',
-            authenticatorAttachment: 'platform',
-        },
-    });
-    registrations$1.set(userId, options.challenge);
-    return { userId, options };
-}
-async function POST(event) {
-    if (!config.allow_new_users)
-        error(409, 'New user registration is disabled');
-    const { userId, email, name, response } = await parseBody(event, APIUserRegistration);
-    const existing = await database.selectFrom('users').selectAll().where('email', '=', email.toLowerCase()).executeTakeFirst();
-    if (existing)
-        error(409, 'Email already in use');
-    const expectedChallenge = registrations$1.get(userId);
-    if (!expectedChallenge)
-        error(404, 'No registration challenge found for this user');
-    registrations$1.delete(userId);
-    const { verified, registrationInfo } = await verifyRegistrationResponse({
-        response,
-        expectedChallenge,
-        expectedOrigin: config.auth.origin,
-    }).catch(() => error(400, 'Verification failed'));
-    if (!verified || !registrationInfo)
-        error(401, 'Verification failed');
-    await database
-        .insertInto('users')
-        .values({ id: userId, name, email: email.toLowerCase() })
-        .executeTakeFirstOrThrow()
-        .catch(withError('Failed to create user'));
-    await createPasskey({
-        transports: [],
-        ...registrationInfo.credential,
-        userId,
-        deviceType: registrationInfo.credentialDeviceType,
-        backedUp: registrationInfo.credentialBackedUp,
-    }).catch(withError('Failed to create passkey', 500));
-    return await createSessionData(userId);
-}
-addRoute({
-    path: '/api/register',
-    params: {},
-    OPTIONS,
-    POST,
-});
-
-addRoute({
-    path: '/api/session',
-    async GET(event) {
-        const token = getToken(event);
-        if (!token)
-            error(401, 'Missing token');
-        const result = await getSessionAndUser(token).catch(withError('Invalid session', 400));
-        return {
-            ...omit(result, 'token'),
-            user: stripUser(result.user, true),
-        };
-    },
-    async DELETE(event) {
-        const token = getToken(event);
-        if (!token)
-            error(401, 'Missing token');
-        const result = await database
-            .deleteFrom('sessions')
-            .where('sessions.token', '=', token)
-            .returningAll()
-            .executeTakeFirstOrThrow()
-            .catch((e) => (e.message == 'no result' ? error(404, 'Session does not exist') : error(400, 'Invalid session')));
-        return omit(result, 'token');
-    },
-});
-
-const challenges = new Map();
-const params = { id: uuid() };
-/**
- * Resolve a user's UUID using their email (in the future this might also include handles)
- */
-addRoute({
-    path: '/api/user_id',
-    async POST(event) {
-        const { value } = await parseBody(event, object({ using: literal('email'), value: email() }));
-        const { id } = await database
-            .selectFrom('users')
-            .select('id')
-            .where('email', '=', value)
-            .executeTakeFirstOrThrow()
-            .catch(withError('User not found', 404));
-        return { id };
-    },
-});
-addRoute({
-    path: '/api/users/:id',
-    params,
-    async GET(event) {
-        const userId = event.params.id;
-        const auth = await checkAuthForUser(event, userId).catch(() => null);
-        const user = auth?.user || (await getUser(userId).catch(withError('User does not exist', 404)));
-        return stripUser(user, !!auth);
-    },
-    async PATCH(event) {
-        const userId = event.params.id;
-        const body = await parseBody(event, UserChangeable);
-        await checkAuthForUser(event, userId);
-        if ('email' in body)
-            body.emailVerified = null;
-        const result = await database
-            .updateTable('users')
-            .set(body)
-            .where('id', '=', userId)
-            .returningAll()
-            .executeTakeFirstOrThrow()
-            .catch(withError('Failed to update user'));
-        return stripUser(result, true);
-    },
-    async DELETE(event) {
-        const userId = event.params.id;
-        await checkAuthForUser(event, userId, true);
-        const result = await database
-            .deleteFrom('users')
-            .where('id', '=', userId)
-            .returningAll()
-            .executeTakeFirstOrThrow()
-            .catch(withError('Failed to delete user'));
-        return result;
-    },
-});
-addRoute({
-    path: '/api/users/:id/full',
-    params,
-    async GET(event) {
-        const userId = event.params.id;
-        const { user } = await checkAuthForUser(event, userId);
-        const sessions = await getSessions(userId);
-        return {
-            ...stripUser(user, true),
-            sessions: sessions.map(s => omit(s, 'token')),
-        };
-    },
-});
-addRoute({
-    path: '/api/users/:id/auth',
-    params,
-    async OPTIONS(event) {
-        const userId = event.params.id;
-        const { type } = await parseBody(event, UserAuthOptions);
-        await getUser(userId).catch(withError('User does not exist', 404));
-        const passkeys = await getPasskeysByUserId(userId);
-        if (!passkeys)
-            error(409, 'No passkeys exists for this user');
-        const options = await webauthn.generateAuthenticationOptions({
-            rpID: config.auth.rp_id,
-            allowCredentials: passkeys.map(passkey => pick(passkey, 'id', 'transports')),
-        });
-        challenges.set(userId, { data: options.challenge, type });
-        return options;
-    },
-    async POST(event) {
-        const userId = event.params.id;
-        const response = await parseBody(event, PasskeyAuthenticationResponse);
-        const auth = challenges.get(userId);
-        if (!auth)
-            error(404, 'No challenge');
-        const { data: expectedChallenge, type } = auth;
-        challenges.delete(userId);
-        const passkey = await getPasskey(response.id).catch(withError('Passkey does not exist', 404));
-        if (passkey.userId !== userId)
-            error(403, 'Passkey does not belong to this user');
-        const { verified } = await webauthn
-            .verifyAuthenticationResponse({
-            response,
-            credential: passkey,
-            expectedChallenge,
-            expectedOrigin: config.auth.origin,
-            expectedRPID: config.auth.rp_id,
-        })
-            .catch(withError('Verification failed', 400));
-        if (!verified)
-            error(401, 'Verification failed');
-        switch (type) {
-            case 'login':
-                return await createSessionData(userId);
-            case 'action':
-                if ((Date.now() - passkey.createdAt.getTime()) / 60_000 < config.auth.passkey_probation)
-                    error(403, 'You can not authorize sensitive actions with a newly created passkey');
-                return await createSessionData(userId, true);
-        }
-    },
-});
-// Map of user ID => challenge
-const registrations = new Map();
-addRoute({
-    path: '/api/users/:id/passkeys',
-    params,
-    /**
-     * Get passkey registration options for a user.
-     */
-    async OPTIONS(event) {
-        const userId = event.params.id;
-        const existing = await getPasskeysByUserId(userId);
-        const { user } = await checkAuthForUser(event, userId);
-        const options = await webauthn.generateRegistrationOptions({
-            rpName: config.auth.rp_name,
-            rpID: config.auth.rp_id,
-            userName: userId,
-            userDisplayName: user.email,
-            attestationType: 'none',
-            excludeCredentials: existing.map(passkey => pick(passkey, 'id', 'transports')),
-            authenticatorSelection: {
-                residentKey: 'preferred',
-                userVerification: 'preferred',
-                authenticatorAttachment: 'platform',
-            },
-        });
-        registrations.set(userId, options.challenge);
-        return options;
-    },
-    /**
-     * Get passkeys for a user.
-     */
-    async GET(event) {
-        const userId = event.params.id;
-        await checkAuthForUser(event, userId);
-        const passkeys = await getPasskeysByUserId(userId);
-        return passkeys.map(p => omit(p, 'publicKey', 'counter'));
-    },
-    /**
-     * Register a new passkey for an existing user.
-     */
-    async PUT(event) {
-        const userId = event.params.id;
-        const response = await parseBody(event, PasskeyRegistration);
-        await checkAuthForUser(event, userId);
-        const expectedChallenge = registrations.get(userId);
-        if (!expectedChallenge)
-            error(404, 'No registration challenge found for this user');
-        registrations.delete(userId);
-        const { verified, registrationInfo } = await webauthn
-            .verifyRegistrationResponse({
-            response,
-            expectedChallenge,
-            expectedOrigin: config.auth.origin,
-        })
-            .catch(withError('Verification failed', 400));
-        if (!verified || !registrationInfo)
-            error(401, 'Verification failed');
-        const passkey = await createPasskey({
-            transports: [],
-            ...registrationInfo.credential,
-            userId,
-            deviceType: registrationInfo.credentialDeviceType,
-            backedUp: registrationInfo.credentialBackedUp,
-        }).catch(withError('Failed to create passkey'));
-        return omit(passkey, 'publicKey', 'counter');
-    },
-});
-addRoute({
-    path: '/api/users/:id/sessions',
-    params,
-    async GET(event) {
-        const userId = event.params.id;
-        await checkAuthForUser(event, userId);
-        return (await getSessions(userId).catch(e => error(503, 'Failed to get sessions' + (config.debug ? ': ' + e : '')))).map(s => omit(s, 'token'));
-    },
-    async DELETE(event) {
-        const userId = event.params.id;
-        const body = await parseBody(event, LogoutSessions);
-        await checkAuthForUser(event, userId, body.confirm_all);
-        if (!body.confirm_all && !Array.isArray(body.id))
-            error(400, 'Invalid request body');
-        const query = body.confirm_all ? database.deleteFrom('sessions') : database.deleteFrom('sessions').where('sessions.id', 'in', body.id);
-        const result = await query
-            .where('sessions.userId', '=', userId)
-            .returningAll()
-            .execute()
-            .catch(withError('Failed to delete one or more sessions'));
-        return result.map(s => omit(s, 'token'));
-    },
-});
-addRoute({
-    path: '/api/users/:id/verify_email',
-    params,
-    async OPTIONS(event) {
-        const userId = event.params.id;
-        if (!config.auth.email_verification)
-            return { enabled: false };
-        await checkAuthForUser(event, userId);
-        if (!config.auth.email_verification)
-            return { enabled: false };
-        return { enabled: true };
-    },
-    async GET(event) {
-        const userId = event.params.id;
-        const { user } = await checkAuthForUser(event, userId);
-        if (user.emailVerified)
-            error(409, 'Email already verified');
-        const verification = await createVerification('verify_email', userId, config.auth.verification_timeout * 60);
-        return omit(verification, 'token', 'role');
-    },
-    async POST(event) {
-        const userId = event.params.id;
-        const { token } = await parseBody(event, object({ token: string() }));
-        const { user } = await checkAuthForUser(event, userId);
-        if (user.emailVerified)
-            error(409, 'Email already verified');
-        await useVerification('verify_email', userId, token).catch(withError('Invalid or expired verification token', 400));
-        return {};
-    },
-});
-
-/**
- * Perform initial setup for when the server is serving web pages.
- */
-async function init() {
-    logger.attach(createWriteStream(join(dirs.at(-1), 'server.log')), { output: allLogLevels });
-    await loadDefaultConfigs();
-    connect();
-    await clean({});
-    // eslint-disable-next-line @typescript-eslint/no-misused-promises
-    process.on('beforeExit', () => database.destroy());
-}
-
-let template = null;
-function fillSvelteKitTemplate({ head, body }, env = {}, nonce = '') {
-    template ||= readFileSync(config.web.template, 'utf-8');
-    return (template
-        .replaceAll('%sveltekit.head%', head)
-        .replaceAll('%sveltekit.body%', body)
-        .replaceAll('%sveltekit.assets%', config.web.assets)
-        // Unused for now.
-        .replaceAll('%sveltekit.nonce%', nonce)
-        .replace(/%sveltekit\.env\.([^%]+)%/g, (_match, key) => env[key] ?? ''));
-}
-/**
- * @internal
- */
-async function handleSvelteKit({ event, resolve, }) {
-    const route = resolveRoute(event);
-    if (!route && event.url.pathname === '/' && config.debug)
-        return new Response(null, { status: 303, headers: { Location: '/_axium/default' } });
-    if (config.debug)
-        console.log(styleText('blueBright', event.request.method.padEnd(7)), route ? route.path : event.url.pathname);
-    if (!route) {
-        // Check to see if this is for an app that is disabled.
-        const maybeApp = event.url.pathname.split('/')[1];
-        if (apps.has(maybeApp) && config.apps.disabled.includes(maybeApp)) {
-            const body = fillSvelteKitTemplate(appDisabledContent);
-            return new Response(body, { headers: noCacheHeaders, status: 503 });
-        }
-        return await resolve(event).catch(handleResponseError);
-    }
-    if (route.server == true) {
-        if (route.api)
-            return await handleAPIRequest(event, route).catch(handleResponseError);
-        const run = route[event.request.method];
-        if (typeof run !== 'function') {
-            error(405, `Method ${event.request.method} not allowed for ${route.path}`);
-        }
-        try {
-            const result = await run(event);
-            if (result instanceof Response)
-                return result;
-            return json(result);
-        }
-        catch (e) {
-            return handleResponseError(e);
-        }
-    }
-    const data = await route.load?.(event);
-    const body = fillSvelteKitTemplate(render(route.page, { props: { data } }));
-    return new Response(body, {
-        headers: config.web.disable_cache ? noCacheHeaders : {},
-        status: 200,
-    });
-}
-
-await init();
-
-export { handleSvelteKit as handle };
-//# sourceMappingURL=hooks.server-DxovS-nf.js.map