npm - @axium/server - Versions diffs - 0.24.1 → 0.26.0 - Mend

@axium/server 0.24.1 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (389) hide show

package/dist/api/users.js CHANGED Viewed

@@ -18,8 +18,8 @@ const params = { id: z.uuid() };
  */
 addRoute({
     path: '/api/user_id',
-    async POST(event) {
-        const { value } = await parseBody(event, z.object({ using: z.literal('email'), value: z.email() }));
+    async POST(request) {
+        const { value } = await parseBody(request, z.object({ using: z.literal('email'), value: z.email() }));
         const { id } = await db
             .selectFrom('users')
             .select('id')
@@ -32,16 +32,16 @@ addRoute({
 addRoute({
     path: '/api/users/:id',
     params,
-    async GET(event) {
-        const userId = event.params.id;
-        const auth = await checkAuthForUser(event, userId).catch(() => null);
+    async GET(request, params) {
+        const userId = params.id;
+        const auth = await checkAuthForUser(request, userId).catch(() => null);
         const user = auth?.user || (await getUser(userId).catch(withError('User does not exist', 404)));
         return stripUser(user, !!auth);
     },
-    async PATCH(event) {
-        const userId = event.params.id;
-        const body = await parseBody(event, UserChangeable);
-        await checkAuthForUser(event, userId);
+    async PATCH(request, params) {
+        const userId = params.id;
+        const body = await parseBody(request, UserChangeable);
+        await checkAuthForUser(request, userId);
         if ('email' in body)
             body.emailVerified = null;
         if ('preferences' in body)
@@ -55,9 +55,9 @@ addRoute({
             .catch(withError('Failed to update user'));
         return stripUser(result, true);
     },
-    async DELETE(event) {
-        const userId = event.params.id;
-        await checkAuthForUser(event, userId, true);
+    async DELETE(request, params) {
+        const userId = params.id;
+        await checkAuthForUser(request, userId, true);
         const result = await db
             .deleteFrom('users')
             .where('id', '=', userId)
@@ -71,9 +71,9 @@ addRoute({
 addRoute({
     path: '/api/users/:id/full',
     params,
-    async GET(event) {
-        const userId = event.params.id;
-        const { user } = await checkAuthForUser(event, userId);
+    async GET(request, params) {
+        const userId = params.id;
+        const { user } = await checkAuthForUser(request, userId);
         const sessions = await getSessions(userId);
         return {
             ...stripUser(user, true),
@@ -84,9 +84,9 @@ addRoute({
 addRoute({
     path: '/api/users/:id/auth',
     params,
-    async OPTIONS(event) {
-        const userId = event.params.id;
-        const { type } = await parseBody(event, UserAuthOptions);
+    async OPTIONS(request, params) {
+        const userId = params.id;
+        const { type } = await parseBody(request, UserAuthOptions);
         const user = await getUser(userId).catch(withError('User does not exist', 404));
         if (user.isSuspended)
             error(403, 'User is suspended');
@@ -100,9 +100,9 @@ addRoute({
         challenges.set(userId, { data: options.challenge, type });
         return options;
     },
-    async POST(event) {
-        const userId = event.params.id;
-        const response = await parseBody(event, PasskeyAuthenticationResponse);
+    async POST(request, params) {
+        const userId = params.id;
+        const response = await parseBody(request, PasskeyAuthenticationResponse);
         const auth = challenges.get(userId);
         if (!auth)
             error(404, 'No challenge');
@@ -125,10 +125,13 @@ addRoute({
         switch (type) {
             case 'login':
                 return await createSessionData(userId);
+            case 'client_login':
+                /** @todo tag in DB so users can manage easier */
+                return await createSessionData(userId, { noCookie: true });
             case 'action':
                 if ((Date.now() - passkey.createdAt.getTime()) / 60_000 < config.auth.passkey_probation)
                     error(403, 'You can not authorize sensitive actions with a newly created passkey');
-                return await createSessionData(userId, true);
+                return await createSessionData(userId, { elevated: true });
         }
     },
 });
@@ -140,10 +143,10 @@ addRoute({
     /**
      * Get passkey registration options for a user.
      */
-    async OPTIONS(event) {
-        const userId = event.params.id;
+    async OPTIONS(request, params) {
+        const userId = params.id;
         const existing = await getPasskeysByUserId(userId);
-        const { user } = await checkAuthForUser(event, userId);
+        const { user } = await checkAuthForUser(request, userId);
         const options = await webauthn.generateRegistrationOptions({
             rpName: config.auth.rp_name,
             rpID: config.auth.rp_id,
@@ -163,19 +166,19 @@ addRoute({
     /**
      * Get passkeys for a user.
      */
-    async GET(event) {
-        const userId = event.params.id;
-        await checkAuthForUser(event, userId);
+    async GET(request, params) {
+        const userId = params.id;
+        await checkAuthForUser(request, userId);
         const passkeys = await getPasskeysByUserId(userId);
         return passkeys.map(p => omit(p, 'publicKey', 'counter'));
     },
     /**
      * Register a new passkey for an existing user.
      */
-    async PUT(event) {
-        const userId = event.params.id;
-        const response = await parseBody(event, PasskeyRegistration);
-        await checkAuthForUser(event, userId);
+    async PUT(request, params) {
+        const userId = params.id;
+        const response = await parseBody(request, PasskeyRegistration);
+        await checkAuthForUser(request, userId);
         const expectedChallenge = registrations.get(userId);
         if (!expectedChallenge)
             error(404, 'No registration challenge found for this user');
@@ -202,15 +205,15 @@ addRoute({
 addRoute({
     path: '/api/users/:id/sessions',
     params,
-    async GET(event) {
-        const userId = event.params.id;
-        await checkAuthForUser(event, userId);
+    async GET(request, params) {
+        const userId = params.id;
+        await checkAuthForUser(request, userId);
         return (await getSessions(userId).catch(e => error(503, 'Failed to get sessions' + (config.debug ? ': ' + e : '')))).map(s => omit(s, 'token'));
     },
-    async DELETE(event) {
-        const userId = event.params.id;
-        const body = await parseBody(event, LogoutSessions);
-        await checkAuthForUser(event, userId, body.confirm_all);
+    async DELETE(request, params) {
+        const userId = params.id;
+        const body = await parseBody(request, LogoutSessions);
+        await checkAuthForUser(request, userId, body.confirm_all);
         if (!body.confirm_all && !Array.isArray(body.id))
             error(400, 'Invalid request body');
         const query = body.confirm_all ? db.deleteFrom('sessions') : db.deleteFrom('sessions').where('sessions.id', 'in', body.id);
@@ -226,27 +229,27 @@ addRoute({
 addRoute({
     path: '/api/users/:id/verify_email',
     params,
-    async OPTIONS(event) {
-        const userId = event.params.id;
+    async OPTIONS(request, params) {
+        const userId = params.id;
         if (!config.auth.email_verification)
             return { enabled: false };
-        await checkAuthForUser(event, userId);
+        await checkAuthForUser(request, userId);
         if (!config.auth.email_verification)
             return { enabled: false };
         return { enabled: true };
     },
-    async GET(event) {
-        const userId = event.params.id;
-        const { user } = await checkAuthForUser(event, userId);
+    async GET(request, params) {
+        const userId = params.id;
+        const { user } = await checkAuthForUser(request, userId);
         if (user.emailVerified)
             error(409, 'Email already verified');
         const verification = await createVerification('verify_email', userId, config.auth.verification_timeout * 60);
         return omit(verification, 'token', 'role');
     },
-    async POST(event) {
-        const userId = event.params.id;
-        const { token } = await parseBody(event, z.object({ token: z.string() }));
-        const { user } = await checkAuthForUser(event, userId);
+    async POST(request, params) {
+        const userId = params.id;
+        const { token } = await parseBody(request, z.object({ token: z.string() }));
+        const { user } = await checkAuthForUser(request, userId);
         if (user.emailVerified)
             error(409, 'Email already verified');
         await useVerification('verify_email', userId, token).catch(withError('Invalid or expired verification token', 400));

package/dist/audit.d.ts CHANGED Viewed

@@ -1,35 +1,8 @@
-import type { Insertable } from 'kysely';
+import { Severity, type AuditEvent, type AuditFilter } from '@axium/core/audit';
+import type { Insertable, SelectQueryBuilder } from 'kysely';
 import * as z from 'zod';
 import { type Schema } from './database.js';
-export declare enum Severity {
-    Emergency = 0,
-    Alert = 1,
-    Critical = 2,
-    Error = 3,
-    Warning = 4,
-    Notice = 5,
-    Info = 6,
-    Debug = 7
-}
 export declare function styleSeverity(sev: Severity, align?: boolean): string;
-export interface AuditEvent<T extends Record<string, unknown> = Record<string, unknown>> {
-    /** UUID of the event */
-    id: string;
-    /** UUID of the user that triggered the event. `null` for events triggered via the server CLI */
-    userId?: string | null;
-    /** When the event happened */
-    timestamp: Date;
-    /** How severe the event is */
-    severity: Severity;
-    /** Snake case name for the event */
-    name: string;
-    /** The source of the event. This should be a package name */
-    source: string;
-    /** Tags for the event. For example, `auth` for authentication events */
-    tags: string[];
-    /** Additional event specific data. */
-    extra: T;
-}
 export interface AuditEventInit extends Insertable<Schema['audit_log']> {
 }
 export declare function audit_raw(event: AuditEventInit): Promise<void>;
@@ -48,6 +21,10 @@ export interface $EventTypes {
     admin_change: {
         user: string;
     };
+    admin_api: {
+        route: string;
+        session: string;
+    };
 }
 export type EventName = keyof $EventTypes;
 export type EventExtra<T extends EventName> = $EventTypes[T];
@@ -69,15 +46,7 @@ export interface AuditEventConfig {
     extra?: z.ZodObject;
     noAutoSuspend?: boolean;
 }
+export declare const events: Map<keyof $EventTypes, AuditEventConfig>;
 export declare function addEvent(init: AuditEventConfigInit): void;
 export declare function audit<T extends EventName>(eventName: T, userId?: string, extra?: EventExtra<T>): Promise<void>;
-export interface AuditFilter {
-    since?: Date;
-    until?: Date;
-    user?: string | null;
-    severity?: Severity;
-    source?: string;
-    tags?: string[];
-    event?: string;
-}
-export declare function getEvents(filter: AuditFilter): Promise<AuditEvent[]>;
+export declare function getEvents(filter: AuditFilter): SelectQueryBuilder<Schema, 'audit_log', AuditEvent>;

package/dist/audit.js CHANGED Viewed

@@ -1,20 +1,10 @@
+import { Severity } from '@axium/core/audit';
 import { styleText } from 'node:util';
 import { capitalize, omit } from 'utilium';
 import * as z from 'zod';
 import config from './config.js';
 import { database } from './database.js';
-import * as io from './io.js';
-export var Severity;
-(function (Severity) {
-    Severity[Severity["Emergency"] = 0] = "Emergency";
-    Severity[Severity["Alert"] = 1] = "Alert";
-    Severity[Severity["Critical"] = 2] = "Critical";
-    Severity[Severity["Error"] = 3] = "Error";
-    Severity[Severity["Warning"] = 4] = "Warning";
-    Severity[Severity["Notice"] = 5] = "Notice";
-    Severity[Severity["Info"] = 6] = "Info";
-    Severity[Severity["Debug"] = 7] = "Debug";
-})(Severity || (Severity = {}));
+import * as io from '@axium/core/node/io';
 const severityFormat = {
     [Severity.Emergency]: ['bgRedBright', 'white', 'underline'],
     [Severity.Alert]: ['bgRedBright', 'white'],
@@ -42,7 +32,7 @@ export async function audit_raw(event) {
     const result = await database.insertInto('audit_log').values(event).returningAll().executeTakeFirstOrThrow();
     output(result);
 }
-const events = new Map();
+export const events = new Map();
 export function addEvent(init) {
     if (events.has(init.name))
         throw io.error(`Can not register multiple events with the same name ("${init.name}")`);
@@ -62,7 +52,7 @@ export async function audit(eventName, userId, extra) {
         if (cfg.extra)
             extra = cfg.extra.parse(extra);
     }
-    catch (e) {
+    catch {
         io.error('Audit event has invalid extra data: ' + eventName);
         return;
     }
@@ -83,7 +73,7 @@ export async function audit(eventName, userId, extra) {
             .catch(() => null);
     }
 }
-export async function getEvents(filter) {
+export function getEvents(filter) {
     let query = database.selectFrom('audit_log').selectAll();
     if ('user' in filter && !filter.user)
         query = query.where('userId', 'is', null);
@@ -101,7 +91,7 @@ export async function getEvents(filter) {
         query = query.where('timestamp', '>=', filter.since);
     if (filter.until)
         query = query.where('timestamp', '<=', filter.until);
-    return await query.execute();
+    return query;
 }
 // Register built-ins
 addEvent({ source: '@axium/server', name: 'user_created', severity: Severity.Info, tags: ['user'] });
@@ -123,3 +113,10 @@ addEvent({
     extra: { item: z.string() },
     noAutoSuspend: true,
 });
+addEvent({
+    source: '@axium/server',
+    name: 'admin_api',
+    severity: Severity.Debug,
+    tags: ['auth'],
+    extra: { route: z.string(), session: z.string() },
+});

package/dist/auth.d.ts CHANGED Viewed

@@ -1,14 +1,7 @@
-import type { Passkey, Permission, Session, User, Verification } from '@axium/core';
+import type { Passkey, Permission, Session, UserInternal, Verification } from '@axium/core';
 import type { Insertable } from 'kysely';
 import * as acl from './acl.js';
 import { type Schema } from './database.js';
-import type { RequestEvent } from './requests.js';
-export interface UserInternal extends User {
-    isAdmin: boolean;
-    isSuspended: boolean;
-    /** Tags are internal, roles are public */
-    tags: string[];
-}
 export declare function getUser(id: string): Promise<UserInternal>;
 export declare function updateUser({ id, ...user }: Insertable<Schema['users']>): Promise<UserInternal>;
 export interface SessionInternal extends Session {
@@ -33,7 +26,7 @@ export interface VerificationInternal extends Verification {
 export declare function createVerification(role: VerificationRole, userId: string, expires: number): Promise<VerificationInternal>;
 export declare function useVerification(role: VerificationRole, userId: string, token: string): Promise<VerificationInternal | undefined>;
 export interface PasskeyInternal extends Passkey {
-    publicKey: Uint8Array;
+    publicKey: Uint8Array<ArrayBuffer>;
     counter: number;
 }
 export declare function getPasskey(id: string): Promise<PasskeyInternal>;
@@ -44,11 +37,11 @@ export interface UserAuthResult extends SessionAndUser {
     /** The user authenticating the request. */
     accessor: UserInternal;
 }
-export declare function checkAuthForUser(event: RequestEvent, userId: string, sensitive?: boolean): Promise<UserAuthResult>;
+export declare function checkAuthForUser(request: Request, userId: string, sensitive?: boolean): Promise<UserAuthResult>;
 export interface ItemAuthResult<T extends acl.Target> {
     fromACL: boolean;
     item: T;
     user?: UserInternal;
     session?: SessionInternal;
 }
-export declare function checkAuthForItem<const V extends acl.Target>(event: RequestEvent, itemType: acl.TargetName, itemId: string, permission: Permission): Promise<ItemAuthResult<V>>;
+export declare function checkAuthForItem<const V extends acl.Target>(request: Request, itemType: acl.TargetName, itemId: string, permission: Permission): Promise<ItemAuthResult<V>>;

package/dist/auth.js CHANGED Viewed

@@ -87,8 +87,8 @@ export async function updatePasskeyCounter(id, newCounter) {
         throw new Error('Passkey not found');
     return passkey;
 }
-export async function checkAuthForUser(event, userId, sensitive = false) {
-    const token = getToken(event, sensitive);
+export async function checkAuthForUser(request, userId, sensitive = false) {
+    const token = getToken(request, sensitive);
     if (!token)
         throw error(401, 'Missing token');
     const session = await getSessionAndUser(token).catch(withError('Invalid or expired session', 401));
@@ -106,8 +106,8 @@ export async function checkAuthForUser(event, userId, sensitive = false) {
         error(403, 'This token can not be used for sensitive actions');
     return Object.assign(session, { accessor: session.user });
 }
-export async function checkAuthForItem(event, itemType, itemId, permission) {
-    const token = getToken(event, false);
+export async function checkAuthForItem(request, itemType, itemId, permission) {
+    const token = getToken(request, false);
     if (!token)
         error(401, 'Missing token');
     const session = await getSessionAndUser(token).catch(() => null);