@axium/server 0.27.0 → 0.28.1

package/dist/acl.d.ts

@@ -1,61 +1,41 @@
-import type { AccessControl, AccessMap, Permission, UserInternal } from '@axium/core';
-import type { AliasedRawBuilder, Expression, ExpressionBuilder, Selectable } from 'kysely';
+import type { AccessControl, AccessMap, UserInternal } from '@axium/core';
+import type * as kysely from 'kysely';
+import type { WithRequired } from 'utilium';
 import * as db from './database.js';
-export interface Target {
-    userId: string;
-    publicPermission: Permission;
-}
-type _TableNames = (string & keyof db.Schema) & keyof {
-    [K in Exclude<keyof db.Schema, `acl.${string}`> as Selectable<db.Schema[K]> extends Omit<Target, 'acl'> ? K : never]: null;
+type _TableNames = keyof {
+    [K in keyof db.Schema as db.Schema[K] extends db.DBAccessControl ? K : never]: null;
+};
+type _TargetNames = keyof db.Schema & keyof {
+    [K in _TableNames as K extends `acl.${infer TB extends keyof db.Schema}` ? TB : never]: null;
 };
 /**
  * `never` causes a ton of problems, so we use `string` if none of the tables are shareable.
  */
-export type TargetName = _TableNames extends never ? keyof db.Schema : _TableNames;
+export type TableName = _TableNames extends never ? keyof db.Schema : _TableNames;
+export type TargetName = _TargetNames extends never ? keyof db.Schema : _TargetNames;
 export interface AccessControlInternal extends AccessControl {
-    user?: UserInternal;
+    tag?: string | null;
 }
-export declare const expectedTypes: {
-    userId: {
-        type: string;
-        required: true;
-    };
-    createdAt: {
-        type: string;
-        required: true;
-        hasDefault: true;
-    };
-    itemId: {
-        type: string;
-        required: true;
-    };
-    permission: {
-        type: string;
-        required: true;
-        hasDefault: true;
-    };
-};
-/**
- * Adds an Access Control List (ACL) in the database for managing access to rows in an existing table.
- * @category Plugin API
- */
-export declare function createTable(table: TargetName): Promise<void>;
-export declare function dropTable(table: TargetName): Promise<void>;
-export declare function wipeTable(table: TargetName): Promise<void>;
-export declare function createEntry(itemType: TargetName, data: Omit<AccessControl, 'createdAt'>): Promise<AccessControlInternal>;
-export declare function deleteEntry(itemType: TargetName, itemId: string, userId: string): Promise<void>;
+export type PermissionsFor<TB extends TableName> = Omit<kysely.Selectable<db.Schema[TB]>, keyof AccessControlInternal | number | symbol>;
+export type Result<TB extends TableName> = AccessControlInternal & PermissionsFor<TB>;
+export type WithACL<TB extends TargetName> = kysely.Selectable<db.Schema[TB]> & {
+    userId: string;
+    acl: Result<`acl.${TB}`>[];
+} & Record<string, any>;
 export interface ACLSelectionOptions {
-    /** If specified, only returns the access control for the given user ID. */
-    onlyId?: string | Expression<any>;
+    /** If specified, files by user UUID */
+    user?: Pick<UserInternal, 'id' | 'roles' | 'tags'>;
     /** Instead of using the `id` from `table`, use the `id` from this instead */
     alias?: string;
 }
 /**
  * Helper to select all access controls for a given table, including the user information.
- *
- * @param onlyId If specified, only returns the access control for the given user ID.
+ * Optionally filter for the entries applicable to a specific user.
+ * This includes entries matching the user's ID, roles, or tags along with the "public" entry where all three "target" columns are null.
  */
-export declare function from(table: TargetName, opt?: ACLSelectionOptions): (eb: ExpressionBuilder<db.Schema, any>) => AliasedRawBuilder<Required<AccessControl>[], 'acl'>;
-export declare function get(itemType: TargetName, itemId: string): Promise<Required<AccessControlInternal>[]>;
-export declare function set(itemType: TargetName, itemId: string, data: AccessMap): Promise<AccessControlInternal[]>;
+export declare function from<const TB extends TargetName>(table: TB, opt?: ACLSelectionOptions): (eb: kysely.ExpressionBuilder<db.Schema, any>) => kysely.AliasedRawBuilder<Result<`acl.${TB}`>[], 'acl'>;
+export declare function get<const TB extends TableName>(table: TB, itemId: string): Promise<WithRequired<AccessControlInternal & kysely.Selectable<db.Schema[TB]>, 'user'>[]>;
+export declare function set<const TB extends TableName>(table: TB, itemId: string, data: AccessMap): Promise<(AccessControlInternal & kysely.Selectable<db.Schema[TB]>)[]>;
+export declare function check<const TB extends TableName>(acl: Result<TB>[], permissions: Partial<PermissionsFor<TB>>): Set<keyof PermissionsFor<TB>>;
+export declare function listTables(): Record<string, TableName>;
 export {};

package/dist/acl.js

@@ -1,84 +1,64 @@
-import * as io from '@axium/core/node/io';
-import { sql } from 'kysely';
 import { jsonArrayFrom } from 'kysely/helpers/postgres';
 import * as db from './database.js';
-const accessControllableTypes = {
-    userId: { type: 'uuid', required: true },
-    publicPermission: { type: 'int4', required: true, hasDefault: true },
-};
-export const expectedTypes = {
-    userId: { type: 'uuid', required: true },
-    createdAt: { type: 'timestamptz', required: true, hasDefault: true },
-    itemId: { type: 'uuid', required: true },
-    permission: { type: 'int4', required: true, hasDefault: true },
-};
-/**
- * Adds an Access Control List (ACL) in the database for managing access to rows in an existing table.
- * @category Plugin API
- */
-export async function createTable(table) {
-    await db.checkTableTypes(table, accessControllableTypes, { strict: true, extra: false });
-    io.start(`Creating table acl.${table}`);
-    await db.database.schema
-        .createTable(`acl.${table}`)
-        .addColumn('userId', 'uuid', col => col.references('users.id').onDelete('cascade'))
-        .addColumn('itemId', 'uuid', col => col.references(`${table}.id`).onDelete('cascade'))
-        .addPrimaryKeyConstraint('PK_acl_' + table, ['userId', 'itemId'])
-        .addColumn('createdAt', 'timestamptz', col => col.notNull().defaultTo(sql `now()`))
-        .addColumn('permission', 'integer', col => col.notNull().check(sql `permission >= 0 AND permission <= 5`))
-        .execute()
-        .then(io.done)
-        .catch(db.warnExists);
-    await db.createIndex(`acl.${table}`, 'userId');
-    await db.createIndex(`acl.${table}`, 'itemId');
-}
-export async function dropTable(table) {
-    io.start(`Dropping table acl.${table}`);
-    await db.database.schema.dropTable(`acl.${table}`).execute().then(io.done).catch(db.warnExists);
-}
-export async function wipeTable(table) {
-    io.start(`Wiping table acl.${table}`);
-    await db.database.deleteFrom(`acl.${table}`).execute().then(io.done).catch(db.warnExists);
-}
-export async function createEntry(itemType, data) {
-    return await db.database.insertInto(`acl.${itemType}`).values(data).returningAll().executeTakeFirstOrThrow();
-}
-export async function deleteEntry(itemType, itemId, userId) {
-    await db.database.deleteFrom(`acl.${itemType}`).where('itemId', '=', itemId).where('userId', '=', userId).execute();
-}
 /**
  * Helper to select all access controls for a given table, including the user information.
- *
- * @param onlyId If specified, only returns the access control for the given user ID.
+ * Optionally filter for the entries applicable to a specific user.
+ * This includes entries matching the user's ID, roles, or tags along with the "public" entry where all three "target" columns are null.
  */
 export function from(table, opt = {}) {
     return (eb) => jsonArrayFrom(eb
         .selectFrom(`acl.${table} as _acl`)
         .selectAll()
-        .select(db.userFromId)
         .whereRef(`_acl.itemId`, '=', `${opt.alias || table}.id`)
-        .$if(!!opt.onlyId, qb => qb.where('userId', '=', opt.onlyId)))
+        .where(eb => {
+        const allNull = eb.and([eb('userId', 'is', null), eb('role', 'is', null), eb('tag', 'is', null)]);
+        if (!opt.user)
+            return allNull;
+        const ors = [allNull, eb('userId', '=', opt.user.id)];
+        if (opt.user.roles.length)
+            ors.push(eb('role', 'in', opt.user.roles));
+        if (opt.user.tags.length)
+            ors.push(eb('tag', 'in', opt.user.tags));
+        return eb.or(ors);
+    }))
         .$castTo()
         .as('acl');
 }
-export async function get(itemType, itemId) {
-    return await db.database.selectFrom(`acl.${itemType}`).where('itemId', '=', itemId).selectAll().select(db.userFromId).execute();
+export async function get(table, itemId) {
+    // @ts-expect-error 2349
+    return await db.database.selectFrom(table).where('itemId', '=', itemId).selectAll().select(db.userFromId).execute();
 }
-export async function set(itemType, itemId, data) {
-    if ('public' in data) {
-        // @ts-expect-error 2353 - TS misses the column
-        await db.database.updateTable(itemType).set({ publicPermission: data.public }).where('id', '=', itemId).execute();
-        delete data.public;
-    }
-    const entries = Object.entries(data).map(([userId, perm]) => ({ userId, perm }));
+export async function set(table, itemId, data) {
+    const entries = Object.entries(data).map(([userId, perm]) => ({ userId, ...perm }));
     if (!entries.length)
         return [];
     return await db.database
-        .updateTable(`acl.${itemType}`)
+        .updateTable(table)
+        // @ts-expect-error 2349
         .from(db.values(entries, 'data'))
-        .set('permission', eb => eb.ref('data.perm'))
-        .whereRef(`acl.${itemType}.userId`, '=', 'data.userId')
+        .set()
+        .whereRef(`${table}.userId`, '=', 'data.userId')
         .where('itemId', '=', itemId)
         .returningAll()
         .execute();
 }
+export function check(acl, permissions) {
+    const allowed = new Set();
+    const all = new Set(Object.keys(permissions));
+    const entries = Object.entries(permissions);
+    for (const control of acl) {
+        for (const [key, needed] of entries) {
+            const value = control[key];
+            if (value === needed)
+                allowed.add(key);
+        }
+    }
+    return all.difference(allowed);
+}
+export function listTables() {
+    const tables = {};
+    for (const [, file] of db.getSchemaFiles()) {
+        Object.assign(tables, file.acl_tables || {});
+    }
+    return tables;
+}

package/dist/api/acl.js

@@ -1,8 +1,9 @@
 import { AccessMap } from '@axium/core/access';
 import * as z from 'zod';
 import * as acl from '../acl.js';
-import { parseBody, withError } from '../requests.js';
+import { error, parseBody, withError } from '../requests.js';
 import { addRoute } from '../routes.js';
+import { checkAuthForItem } from '../auth.js';
 addRoute({
     path: '/api/acl/:itemType/:itemId',
     params: {
@@ -10,10 +11,17 @@ addRoute({
         itemId: z.uuid(),
     },
     async GET(request, { itemType, itemId }) {
-        return await acl.get(itemType, itemId).catch(withError('Failed to get access controls'));
+        const tables = acl.listTables();
+        if (!(itemType in tables))
+            error(400, 'Invalid item type: ' + itemType);
+        return await acl.get(tables[itemType], itemId).catch(withError('Failed to get access controls'));
     },
     async POST(request, { itemType, itemId }) {
         const data = await parseBody(request, AccessMap);
-        return await acl.set(itemType, itemId, data).catch(withError('Failed to set access controls'));
+        const tables = acl.listTables();
+        if (!(itemType in tables))
+            error(400, 'Invalid item type: ' + itemType);
+        await checkAuthForItem(request, itemType, itemId, { manage: true });
+        return await acl.set(tables[itemType], itemId, data);
     },
 });

package/dist/api/admin.js

@@ -5,16 +5,13 @@ import { omit } from 'utilium';
 import * as z from 'zod';
 import pkg from '../../package.json' with { type: 'json' };
 import { audit, events, getEvents } from '../audit.js';
-import { getSessionAndUser } from '../auth.js';
+import { requireSession } from '../auth.js';
 import { config } from '../config.js';
 import { count, database as db } from '../database.js';
-import { error, getToken, withError } from '../requests.js';
+import { error, withError } from '../requests.js';
 import { addRoute } from '../routes.js';
 async function assertAdmin(route, req) {
-    const token = getToken(req);
-    if (!token)
-        error(401, 'Missing token');
-    const admin = await getSessionAndUser(token).catch(withError('Invalid session', 400));
+    const admin = await requireSession(req);
     if (!admin.user.isAdmin)
         error(403, 'Not an administrator');
     if (!config.admin_api)

package/dist/api/metadata.js

@@ -2,24 +2,17 @@ import { apps } from '@axium/core';
 import { plugins } from '@axium/core/plugins';
 import { requestMethods } from '@axium/core/requests';
 import pkg from '../../package.json' with { type: 'json' };
-import { getSessionAndUser } from '../auth.js';
+import { requireSession } from '../auth.js';
 import { config } from '../config.js';
-import { error, getToken } from '../requests.js';
+import { error } from '../requests.js';
 import { addRoute, routes } from '../routes.js';
 addRoute({
     path: '/api/metadata',
     async GET(request) {
         if (!config.debug) {
-            const token = getToken(request);
-            if (!token)
-                error(401, 'Missing session token');
-            const session = await getSessionAndUser(token);
-            if (!session)
-                error(401, 'Invalid session');
-            if (!session.user.isAdmin)
+            const { user } = await requireSession(request);
+            if (!user.isAdmin)
                 error(403, 'User is not an administrator');
-            if (session.user.isSuspended)
-                error(403, 'User is suspended');
         }
         return {
             version: pkg.version,

package/dist/audit.d.ts

@@ -15,9 +15,6 @@ export interface $EventTypes {
     logout: {
         sessions: string[];
     };
-    acl_id_mismatch: {
-        item: string;
-    };
     admin_change: {
         user: string;
     };

package/dist/audit.js

@@ -105,14 +105,6 @@ addEvent({
     tags: ['cli'],
     extra: { user: z.string() },
 });
-addEvent({
-    source: '@axium/server',
-    name: 'acl_id_mismatch',
-    severity: Severity.Critical,
-    tags: ['acl', 'auth'],
-    extra: { item: z.string() },
-    noAutoSuspend: true,
-});
 addEvent({
     source: '@axium/server',
     name: 'admin_api',

package/dist/auth.d.ts

@@ -1,5 +1,5 @@
-import type { Passkey, Permission, Session, UserInternal, Verification } from '@axium/core';
-import type { Insertable } from 'kysely';
+import type { Passkey, Session, UserInternal, Verification } from '@axium/core';
+import type { Insertable, Selectable } from 'kysely';
 import * as acl from './acl.js';
 import { type Schema } from './database.js';
 export declare function getUser(id: string): Promise<UserInternal>;
@@ -13,6 +13,7 @@ export interface SessionAndUser extends SessionInternal {
 }
 export declare function getSessionAndUser(token: string): Promise<SessionAndUser>;
 export declare function getSession(sessionId: string): Promise<SessionInternal>;
+export declare function requireSession(request: Request, sensitive?: boolean): Promise<SessionAndUser>;
 export declare function getSessions(userId: string): Promise<SessionInternal[]>;
 export type VerificationRole = 'verify_email' | 'login';
 export interface VerificationInternal extends Verification {
@@ -38,10 +39,14 @@ export interface UserAuthResult extends SessionAndUser {
     accessor: UserInternal;
 }
 export declare function checkAuthForUser(request: Request, userId: string, sensitive?: boolean): Promise<UserAuthResult>;
-export interface ItemAuthResult<T extends acl.Target> {
+export interface ItemAuthResult<TB extends acl.TargetName> {
     fromACL: boolean;
-    item: T;
+    item: Selectable<Schema[TB]>;
     user?: UserInternal;
     session?: SessionInternal;
 }
-export declare function checkAuthForItem<const V extends acl.Target>(request: Request, itemType: acl.TargetName, itemId: string, permission: Permission): Promise<ItemAuthResult<V>>;
+/**
+ * Authenticate a request against an "item" which has an ACL table.
+ * This will fetch the item, ACLs, users, and the authenticating session.
+ */
+export declare function checkAuthForItem<const TB extends acl.TargetName>(request: Request, itemType: TB, itemId: string, permissions: Partial<acl.PermissionsFor<`acl.${TB}`>>): Promise<ItemAuthResult<TB>>;

package/dist/auth.js

@@ -46,6 +46,15 @@ export async function getSession(sessionId) {
         .where('sessions.expires', '>', new Date())
         .executeTakeFirstOrThrow();
 }
+export async function requireSession(request, sensitive = false) {
+    const token = getToken(request, sensitive);
+    if (!token)
+        error(401, 'Missing session token');
+    const session = await getSessionAndUser(token).catch(withError('Invalid or expired session token', 401));
+    if (session.user.isSuspended)
+        error(403, 'User is suspended');
+    return session;
+}
 export async function getSessions(userId) {
     return await db.selectFrom('sessions').selectAll().where('userId', '=', userId).where('sessions.expires', '>', new Date()).execute();
 }
@@ -88,12 +97,7 @@ export async function updatePasskeyCounter(id, newCounter) {
     return passkey;
 }
 export async function checkAuthForUser(request, userId, sensitive = false) {
-    const token = getToken(request, sensitive);
-    if (!token)
-        throw error(401, 'Missing token');
-    const session = await getSessionAndUser(token).catch(withError('Invalid or expired session', 401));
-    if (session.user.isSuspended)
-        error(403, 'User is suspended');
+    const session = await requireSession(request);
     if (session.userId !== userId) {
         if (!session.user?.isAdmin)
             error(403, 'User ID mismatch');
@@ -106,42 +110,44 @@ export async function checkAuthForUser(request, userId, sensitive = false) {
         error(403, 'This token can not be used for sensitive actions');
     return Object.assign(session, { accessor: session.user });
 }
-export async function checkAuthForItem(request, itemType, itemId, permission) {
+/**
+ * Authenticate a request against an "item" which has an ACL table.
+ * This will fetch the item, ACLs, users, and the authenticating session.
+ */
+export async function checkAuthForItem(request, itemType, itemId, permissions) {
     const token = getToken(request, false);
     if (!token)
         error(401, 'Missing token');
     const session = await getSessionAndUser(token).catch(() => null);
+    const { userId, user } = session ?? {};
     const item = await db
         .selectFrom(itemType)
         .selectAll()
         .where('id', '=', itemId)
-        .$if(!!session, eb => eb.select(acl.from(itemType, { onlyId: session.userId })))
+        .$if(!!userId, eb => eb.select(acl.from(itemType, { user })))
         .$castTo()
         .executeTakeFirstOrThrow()
-        .catch(withError('Item not found', 404));
+        .catch(e => {
+        if (e.message.includes('no rows'))
+            error(404, itemType + ' not found');
+        throw e;
+    });
     const result = {
         session: session ? omit(session, 'user') : undefined,
         item: omit(item, 'acl'),
-        user: session?.user,
+        user,
         fromACL: false,
     };
-    if (item.publicPermission >= permission)
-        return result;
-    if (!session)
+    if (!session || !user)
         error(403, 'Access denied');
-    if (session.user.isSuspended)
+    if (user.isSuspended)
         error(403, 'User is suspended');
-    if (session.userId == item.userId)
+    if (userId == item.userId)
         return result;
     result.fromACL = true;
     if (!item.acl || !item.acl.length)
         error(403, 'Access denied');
-    const [control] = item.acl;
-    if (control.userId !== session.userId) {
-        await audit('acl_id_mismatch', session.userId, { item: itemId });
-        error(500, 'Access control entry does not match session user');
-    }
-    if (control.permission >= permission)
-        return result;
-    error(403, 'Access denied');
+    if (acl.check(item.acl, permissions).size)
+        error(403, 'Access denied');
+    return result;
 }

package/dist/cli.d.ts

@@ -1,2 +1,8 @@
-#!/usr/bin/env node
-export {};
+import type { UserInternal } from '@axium/core';
+export declare function userText(user: UserInternal, bold?: boolean): string;
+export declare function lookupUser(lookup: string): Promise<UserInternal>;
+/**
+ * Updates an array of strings by adding or removing items.
+ * Only returns whether the array was updated and diff text for what actually changed.
+ */
+export declare function diffUpdate(original: string[], add?: string[], remove?: string[]): [updated: boolean, newValue: string[], diffText: string];