@axium/server 0.20.6 → 0.21.0

package/build/server/chunks/{hooks.server-D31Irsqw.js → hooks.server-DHvv3JCJ.js}

@@ -4,7 +4,7 @@ import 'node:http';
 import 'node:https';
 import { Logger, levelText, allLogLevels } from 'logzen';
 import { join, resolve, dirname } from 'node:path/posix';
-import './string-CafUlmcI.js';
+import { c as capitalize } from './string-SLyGnEy-.js';
 import 'node:child_process';
 import { homedir } from 'node:os';
 import { styleText } from 'node:util';
@@ -187,7 +187,7 @@ const logger = new Logger({
 /**
  * @internal
  */
-const output = {
+const output$1 = {
     constructor: { name: 'Console' },
     error(message) {
         console.error(message.startsWith('\x1b') ? message : styleText('red', message));
@@ -205,7 +205,7 @@ const output = {
         _debugOutput && console.debug(message.startsWith('\x1b') ? message : styleText('gray', message));
     },
 };
-logger.attach(output);
+logger.attach(output$1);
 let _debugOutput = false;
 /**
  * Enable or disable debug output.
@@ -216,7 +216,7 @@ function _setDebugOutput(enabled) {
 function defaultOutput(tag, message = '') {
     switch (tag) {
         case 'debug':
-            _debugOutput && output.debug(message);
+            _debugOutput && output$1.debug(message);
             break;
         case 'info':
             console.log(message);
@@ -254,6 +254,9 @@ function debug(message) {
 function warn(message) {
     _taggedOutput?.('warn', message);
 }
+function error$1(message) {
+    _taggedOutput?.('error', message);
+}
 /**
  * This is a factory for handling errors when performing operations.
  * The handler will allow the parent scope to continue if a relation already exists,
@@ -271,6 +274,15 @@ function someWarnings(...allowList) {
         throw error;
     };
 }
+const months = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
+// Shortcut to convert to 2-digit. Mostly used to make the line shorter.
+const _2 = (v) => v.toString().padStart(2, '0');
+/**
+ * Get a human-readable string for a date that also fits into CLIs well (fixed-width)
+ */
+function prettyDate(date) {
+    return `${date.getFullYear()} ${months[date.getMonth()]} ${_2(date.getDate())} ${_2(date.getHours())}:${_2(date.getMinutes())}:${_2(date.getSeconds())}.${_2(date.getMilliseconds())}`;
+}
 
 function zAsyncFunction(schema) {
     return custom((fn) => schema.implementAsync(fn));
@@ -346,24 +358,29 @@ async function loadPlugin(specifier) {
             throw 'Invalid plugin name. Plugin names can not start with a hash or contain spaces.';
         }
         plugins.add(plugin);
-        output.debug(`Loaded plugin: ${plugin.name} ${plugin.version}`);
+        output$1.debug(`Loaded plugin: ${plugin.name} ${plugin.version}`);
     }
     catch (e) {
-        output.debug(`Failed to load plugin from ${specifier}: ${e ? (e instanceof Error ? e.message : e.toString()) : e}`);
+        output$1.debug(`Failed to load plugin from ${specifier}: ${e ? (e instanceof Error ? e.message : e.toString()) : e}`);
     }
 }
 
+const audit_severity_levels = ['emergency', 'alert', 'critical', 'error', 'warning', 'notice', 'info', 'debug'];
+const z_audit_severity = literal([...audit_severity_levels, ...audit_severity_levels.map(capitalize)]);
 const ConfigSchema = looseObject({
     allow_new_users: boolean(),
-    api: looseObject({
-        disable_metadata: boolean(),
-        cookie_auth: boolean(),
-    })
-        .partial(),
     apps: looseObject({
         disabled: array(string()),
     })
         .partial(),
+    audit: looseObject({
+        allow_raw: boolean(),
+        /** How many days to keep events in the audit log */
+        retention: number().min(0),
+        min_severity: z_audit_severity,
+        auto_suspend: z_audit_severity,
+    })
+        .partial(),
     auth: looseObject({
         origin: string(),
         /** In minutes */
@@ -375,6 +392,8 @@ const ConfigSchema = looseObject({
         verification_timeout: number(),
         /** Whether users can verify emails */
         email_verification: boolean(),
+        /** Whether only the `Authorization` header can be used to authenticate requests. */
+        header_only: boolean(),
     })
         .partial(),
     db: looseObject({
@@ -424,13 +443,15 @@ const configShortcuts = {
 const config = _unique('config', {
     ...configShortcuts,
     allow_new_users: true,
-    api: {
-        disable_metadata: false,
-        cookie_auth: true,
-    },
     apps: {
         disabled: [],
     },
+    audit: {
+        allow_raw: false,
+        retention: 30,
+        min_severity: 'error',
+        auto_suspend: 'critical',
+    },
     auth: {
         origin: 'https://test.localhost',
         passkey_probation: 60,
@@ -439,6 +460,7 @@ const config = _unique('config', {
         secure_cookies: true,
         verification_timeout: 60,
         email_verification: false,
+        header_only: false,
     },
     db: {
         database: process.env.PGDATABASE || 'axium',
@@ -478,9 +500,9 @@ const FileSchema = looseObject({
  */
 function setConfig(other) {
     deepAssign(config, other);
-    logger.detach(output);
+    logger.detach(output$1);
     if (config.log.console)
-        logger.attach(output, { output: config.log.level });
+        logger.attach(output$1, { output: config.log.level });
     _setDebugOutput(config.debug);
     _duplicateStateWarnings(config.show_duplicate_state);
 }
@@ -497,7 +519,7 @@ async function loadConfig(path, options = {}) {
     catch (e) {
         if (!options.optional)
             throw e;
-        output.debug(`Skipping config at ${path} (${e.message})`);
+        output$1.debug(`Skipping config at ${path} (${e.message})`);
         return;
     }
     let file;
@@ -507,12 +529,12 @@ async function loadConfig(path, options = {}) {
     catch (e) {
         if (!options.loose)
             throw e;
-        output.debug(`Loading invalid config from ${path} (${e.message})`);
+        output$1.debug(`Loading invalid config from ${path} (${e.message})`);
         file = json;
     }
     configFiles.set(path, file);
     setConfig(file);
-    output.debug('Loaded config: ' + path);
+    output$1.debug('Loaded config: ' + path);
     for (const include of file.include ?? [])
         await loadConfig(join(dirname(path), include), { optional: true });
     for (const plugin of file.plugins ?? [])
@@ -544,7 +566,7 @@ function saveConfigTo(path, changed) {
     setConfig(changed);
     const config = configFiles.get(path) ?? {};
     Object.assign(config, { ...changed, db: { ...config.db, ...changed.db } });
-    output.debug(`Wrote config to ${path}`);
+    output$1.debug(`Wrote config to ${path}`);
     writeFileSync(path, JSON.stringify(config));
 }
 /**
@@ -562,7 +584,7 @@ if (process.env.AXIUM_CONFIG)
 
 const requestMethods = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'HEAD', 'PATCH'];
 
-var version = "0.20.6";
+var version = "0.21.0";
 var pkg = {
 	version: version};
 
@@ -16437,6 +16459,98 @@ async function clean(opt) {
     }
 }
 
+var Severity;
+(function (Severity) {
+    Severity[Severity["Emergency"] = 0] = "Emergency";
+    Severity[Severity["Alert"] = 1] = "Alert";
+    Severity[Severity["Critical"] = 2] = "Critical";
+    Severity[Severity["Error"] = 3] = "Error";
+    Severity[Severity["Warning"] = 4] = "Warning";
+    Severity[Severity["Notice"] = 5] = "Notice";
+    Severity[Severity["Info"] = 6] = "Info";
+    Severity[Severity["Debug"] = 7] = "Debug";
+})(Severity || (Severity = {}));
+const severityFormat = {
+    [Severity.Emergency]: ['bgRedBright', 'white', 'underline'],
+    [Severity.Alert]: ['bgRedBright', 'white'],
+    [Severity.Critical]: ['bold', 'redBright'],
+    [Severity.Error]: 'redBright',
+    [Severity.Warning]: 'yellowBright',
+    [Severity.Notice]: 'cyanBright',
+    [Severity.Info]: [],
+    [Severity.Debug]: ['dim'],
+};
+function styleSeverity(sev, align = false) {
+    const text = align ? Severity[sev].padEnd(9) : Severity[sev];
+    return styleText(severityFormat[sev], text.toUpperCase());
+}
+function output(event) {
+    if (event.severity > Severity[capitalize(config.audit.min_severity)])
+        return;
+    console.error('[audit]', styleText('dim', prettyDate(event.timestamp)), styleSeverity(event.severity), event.name);
+}
+const events = new Map();
+function addEvent(init) {
+    if (events.has(init.name))
+        throw error$1(`Can not register multiple events with the same name ("${init.name}")`);
+    const config = {
+        ...init,
+        extra: init.extra ? object(init.extra) : undefined,
+    };
+    events.set(init.name, config);
+}
+async function audit(eventName, userId, extra) {
+    const cfg = events.get(eventName);
+    if (!cfg) {
+        warn('Ignoring audit event with unknown event name: ' + eventName);
+        return;
+    }
+    try {
+        if (cfg.extra)
+            extra = cfg.extra.parse(extra);
+    }
+    catch (e) {
+        error$1('Audit event has invalid extra data: ' + eventName);
+        return;
+    }
+    const event = await database
+        .insertInto('audit_log')
+        .values({ ...omit(cfg, 'extra'), extra, userId })
+        .returningAll()
+        .executeTakeFirstOrThrow();
+    output(event);
+    if (userId && !cfg.noAutoSuspend && event.severity < Severity[capitalize(config.audit.auto_suspend)]) {
+        await database
+            .updateTable('users')
+            .set({ isSuspended: true })
+            .where('id', '=', userId)
+            .returningAll()
+            .executeTakeFirstOrThrow()
+            .then(user => console.error('[audit] Auto-suspended user:', user.id, `<${user.email}>`))
+            .catch(() => null);
+    }
+}
+// Register built-ins
+addEvent({ source: '@axium/server', name: 'user_created', severity: Severity.Info, tags: ['user'] });
+addEvent({ source: '@axium/server', name: 'user_deleted', severity: Severity.Info, tags: ['user'] });
+addEvent({ source: '@axium/server', name: 'new_session', severity: Severity.Info, tags: ['user'], extra: { id: string() } });
+addEvent({ source: '@axium/server', name: 'logout', severity: Severity.Info, tags: ['user'], extra: { sessions: array(string()) } });
+addEvent({
+    source: '@axium/server',
+    name: 'admin_change',
+    severity: Severity.Notice,
+    tags: ['cli'],
+    extra: { user: string() },
+});
+addEvent({
+    source: '@axium/server',
+    name: 'acl_id_mismatch',
+    severity: Severity.Critical,
+    tags: ['acl', 'auth'],
+    extra: { item: string() },
+    noAutoSuspend: true,
+});
+
 async function getUser(id) {
     return await database.selectFrom('users').selectAll().where('id', '=', id).executeTakeFirstOrThrow();
 }
@@ -16452,6 +16566,7 @@ async function createSession(userId, elevated = false) {
         created: new Date(),
     };
     await database.insertInto('sessions').values(session).execute();
+    await audit('new_session', userId, { id: session.id });
     return session;
 }
 async function getSessionAndUser(token) {
@@ -16505,6 +16620,8 @@ async function checkAuthForUser(event, userId, sensitive = false) {
     if (!token)
         throw error(401, 'Missing token');
     const session = await getSessionAndUser(token).catch(withError('Invalid or expired session', 401));
+    if (session.user.isSuspended)
+        error(403, 'User is suspended');
     if (session.userId !== userId) {
         if (!session.user?.isAdmin)
             error(403, 'User ID mismatch');
@@ -16552,7 +16669,7 @@ function getToken(event, sensitive = false) {
     const header_token = event.request.headers.get('Authorization')?.replace('Bearer ', '');
     if (header_token)
         return header_token;
-    if (config.debug || config.api.cookie_auth) {
+    if (config.debug || !config.auth.header_only) {
         return event.cookies.get(sensitive ? 'elevated_token' : 'session_token');
     }
 }
@@ -16643,7 +16760,7 @@ function addRoute(opt) {
     if (route.api && !route.server)
         throw new Error(`API routes cannot have a client page: ${route.path}`);
     routes.set(route.path, route);
-    output.debug('Added route: ' + route.path);
+    output$1.debug('Added route: ' + route.path);
 }
 /**
  * Resolve a request URL into a route.
@@ -16681,9 +16798,19 @@ function resolveRoute(event) {
 
 addRoute({
     path: '/api/metadata',
-    async GET() {
-        if (config.api.disable_metadata)
-            error(401, 'API metadata is disabled');
+    async GET(event) {
+        if (!config.debug) {
+            const token = getToken(event);
+            if (!token)
+                error(401, 'Missing session token');
+            const session = await getSessionAndUser(token);
+            if (!session)
+                error(401, 'Invalid session');
+            if (!session.user.isAdmin)
+                error(403, 'User is not an administrator');
+            if (session.user.isSuspended)
+                error(403, 'User is suspended');
+        }
         return {
             version: pkg.version,
             routes: Object.fromEntries(routes
@@ -16793,6 +16920,7 @@ async function POST(event) {
         .values({ id: userId, name, email: email.toLowerCase() })
         .executeTakeFirstOrThrow()
         .catch(withError('Failed to create user'));
+    await audit('user_created', userId);
     await createPasskey({
         transports: [],
         ...registrationInfo.credential,
@@ -16831,6 +16959,7 @@ addRoute({
             .returningAll()
             .executeTakeFirstOrThrow()
             .catch((e) => (e.message == 'no result' ? error(404, 'Session does not exist') : error(400, 'Invalid session')));
+        await audit('logout', result.userId, { sessions: [result.id] });
         return omit(result, 'token');
     },
 });
@@ -16886,6 +17015,7 @@ addRoute({
             .returningAll()
             .executeTakeFirstOrThrow()
             .catch(withError('Failed to delete user'));
+        await audit('user_deleted', userId);
         return result;
     },
 });
@@ -16908,7 +17038,9 @@ addRoute({
     async OPTIONS(event) {
         const userId = event.params.id;
         const { type } = await parseBody(event, UserAuthOptions);
-        await getUser(userId).catch(withError('User does not exist', 404));
+        const user = await getUser(userId).catch(withError('User does not exist', 404));
+        if (user.isSuspended)
+            error(403, 'User is suspended');
         const passkeys = await getPasskeysByUserId(userId);
         if (!passkeys)
             error(409, 'No passkeys exists for this user');
@@ -17038,6 +17170,7 @@ addRoute({
             .returningAll()
             .execute()
             .catch(withError('Failed to delete one or more sessions'));
+        await audit('logout', userId, { sessions: result.map(s => s.id) });
         return result.map(s => omit(s, 'token'));
     },
 });
@@ -17141,4 +17274,4 @@ async function handleSvelteKit({ event, resolve, }) {
 await init();
 
 export { handleSvelteKit as handle };
-//# sourceMappingURL=hooks.server-D31Irsqw.js.map
+//# sourceMappingURL=hooks.server-DHvv3JCJ.js.map