@axium/server 0.33.2 → 0.34.0

package/dist/acl.d.ts

@@ -1,4 +1,4 @@
-import type { AccessControl, AccessMap, UserInternal } from '@axium/core';
+import { type AccessControl, type AccessTarget, type UserInternal } from '@axium/core';
 import type * as kysely from 'kysely';
 import type { WithRequired } from 'utilium';
 import * as db from './database.js';
@@ -23,7 +23,7 @@ export type WithACL<TB extends TargetName> = kysely.Selectable<db.Schema[TB]> &
     acl: Result<`acl.${TB}`>[];
 };
 export interface ACLSelectionOptions {
-    /** If specified, files by user UUID */
+    /** If specified, filters by user UUID */
     user?: Pick<UserInternal, 'id' | 'roles' | 'tags'>;
     /** Instead of using the `id` from `table`, use the `id` from this instead */
     alias?: string;
@@ -34,8 +34,10 @@ export interface ACLSelectionOptions {
  * This includes entries matching the user's ID, roles, or tags along with the "public" entry where all three "target" columns are null.
  */
 export declare function from<const TB extends TargetName>(table: TB, opt?: ACLSelectionOptions): (eb: kysely.ExpressionBuilder<db.Schema, any>) => kysely.AliasedRawBuilder<Result<`acl.${TB}`>[], 'acl'>;
-export declare function get<const TB extends TableName>(table: TB, itemId: string): Promise<WithRequired<AccessControlInternal & kysely.Selectable<db.Schema[TB]>, 'user'>[]>;
-export declare function set<const TB extends TableName>(table: TB, itemId: string, data: AccessMap): Promise<(AccessControlInternal & kysely.Selectable<db.Schema[TB]>)[]>;
+export declare function get<const TB extends TableName>(table: TB, itemId: string): Promise<WithRequired<Result<TB>, 'user'>[]>;
+export declare function update<const TB extends TableName>(table: TB, itemId: string, target: AccessTarget, permissions: PermissionsFor<TB>): Promise<Result<TB>>;
+export declare function remove<const TB extends TableName>(table: TB, itemId: string, target: AccessTarget): Promise<Result<TB>>;
+export declare function add<const TB extends TableName>(table: TB, itemId: string, target: AccessTarget): Promise<Result<TB>>;
 export declare function check<const TB extends TableName>(acl: Result<TB>[], permissions: Partial<PermissionsFor<TB>>): Set<keyof PermissionsFor<TB>>;
 export declare function listTables(): Record<string, TableName>;
 export {};

package/dist/acl.js

@@ -1,3 +1,4 @@
+import { fromTarget } from '@axium/core';
 import { jsonArrayFrom } from 'kysely/helpers/postgres';
 import * as db from './database.js';
 /**
@@ -9,8 +10,9 @@ export function from(table, opt = {}) {
     return (eb) => jsonArrayFrom(eb
         .selectFrom(`acl.${table} as _acl`)
         .selectAll()
-        .whereRef(`_acl.itemId`, '=', `${opt.alias || table}.id`)
-        .where(eb => {
+        .$if(!opt.user, qb => qb.select(db.userFromId))
+        .whereRef('_acl.itemId', '=', `${opt.alias || table}.id`)
+        .$if(!!opt.user, qb => qb.where(eb => {
         const allNull = eb.and([eb('userId', 'is', null), eb('role', 'is', null), eb('tag', 'is', null)]);
         if (!opt.user)
             return allNull;
@@ -20,27 +22,45 @@ export function from(table, opt = {}) {
         if (opt.user.tags.length)
             ors.push(eb('tag', 'in', opt.user.tags));
         return eb.or(ors);
-    }))
+    })))
         .$castTo()
         .as('acl');
 }
 export async function get(table, itemId) {
-    // @ts-expect-error 2349
-    return await db.database.selectFrom(table).where('itemId', '=', itemId).selectAll().select(db.userFromId).execute();
+    return await db.database
+        .selectFrom(table)
+        .where('itemId', '=', itemId)
+        .selectAll()
+        .select(db.userFromId)
+        .$castTo()
+        .execute();
 }
-export async function set(table, itemId, data) {
-    const entries = Object.entries(data).map(([userId, perm]) => ({ userId, ...perm }));
-    if (!entries.length)
-        return [];
+export async function update(table, itemId, target, permissions) {
     return await db.database
         .updateTable(table)
-        // @ts-expect-error 2349
-        .from(db.values(entries, 'data'))
-        .set()
-        .whereRef(`${table}.userId`, '=', 'data.userId')
+        .set(permissions)
         .where('itemId', '=', itemId)
+        .where(eb => eb.and(fromTarget(target)))
         .returningAll()
-        .execute();
+        .$castTo()
+        .executeTakeFirstOrThrow();
+}
+export async function remove(table, itemId, target) {
+    return await db.database
+        .deleteFrom(table)
+        .where('itemId', '=', itemId)
+        .where(eb => eb.and(fromTarget(target)))
+        .returningAll()
+        .$castTo()
+        .executeTakeFirstOrThrow();
+}
+export async function add(table, itemId, target) {
+    return await db.database
+        .insertInto(table)
+        .values({ itemId, ...fromTarget(target) })
+        .returningAll()
+        .$castTo()
+        .executeTakeFirstOrThrow();
 }
 export function check(acl, permissions) {
     const allowed = new Set();

package/dist/api/acl.js

@@ -1,9 +1,15 @@
-import { AccessMap } from '@axium/core/access';
 import * as z from 'zod';
 import * as acl from '../acl.js';
 import { error, parseBody, withError } from '../requests.js';
 import { addRoute } from '../routes.js';
 import { checkAuthForItem } from '../auth.js';
+import { AccessControlUpdate, AccessTarget } from '@axium/core';
+function getTable(itemType) {
+    const tables = acl.listTables();
+    if (!(itemType in tables))
+        error(400, 'Invalid item type: ' + itemType);
+    return tables[itemType];
+}
 addRoute({
     path: '/api/acl/:itemType/:itemId',
     params: {
@@ -11,17 +17,25 @@ addRoute({
         itemId: z.uuid(),
     },
     async GET(request, { itemType, itemId }) {
-        const tables = acl.listTables();
-        if (!(itemType in tables))
-            error(400, 'Invalid item type: ' + itemType);
-        return await acl.get(tables[itemType], itemId).catch(withError('Failed to get access controls'));
+        const table = getTable(itemType);
+        return await acl.get(table, itemId).catch(withError('Failed to get access controls'));
     },
-    async POST(request, { itemType, itemId }) {
-        const data = await parseBody(request, AccessMap);
-        const tables = acl.listTables();
-        if (!(itemType in tables))
-            error(400, 'Invalid item type: ' + itemType);
+    async PATCH(request, { itemType, itemId }) {
+        const table = getTable(itemType);
+        const { target, permissions } = await parseBody(request, AccessControlUpdate);
         await checkAuthForItem(request, itemType, itemId, { manage: true });
-        return await acl.set(tables[itemType], itemId, data);
+        return await acl.update(table, itemId, target, permissions);
+    },
+    async PUT(request, { itemType, itemId }) {
+        const table = getTable(itemType);
+        const target = await parseBody(request, AccessTarget);
+        await checkAuthForItem(request, itemType, itemId, { manage: true });
+        return await acl.add(table, itemId, target);
+    },
+    async DELETE(request, { itemType, itemId }) {
+        const table = getTable(itemType);
+        const target = await parseBody(request, AccessTarget);
+        await checkAuthForItem(request, itemType, itemId, { manage: true });
+        return await acl.remove(table, itemId, target);
     },
 });

package/dist/api/users.js

@@ -4,7 +4,7 @@ import * as webauthn from '@simplewebauthn/server';
 import { encodeUUID, omit, pick } from 'utilium';
 import * as z from 'zod';
 import { audit } from '../audit.js';
-import { checkAuthForUser, createPasskey, createVerification, getPasskey, getPasskeysByUserId, getSessions, getUser, useVerification, } from '../auth.js';
+import { checkAuthForUser, createPasskey, createVerification, getPasskey, getPasskeysByUserId, getSessions, getUser, requireSession, useVerification, } from '../auth.js';
 import { config } from '../config.js';
 import { database as db } from '../database.js';
 import { createSessionData, error, parseBody, stripUser, withError } from '../requests.js';
@@ -27,6 +27,29 @@ addRoute({
         return { id };
     },
 });
+addRoute({
+    path: '/api/users/discover',
+    async POST(request) {
+        const input = await parseBody(request, z.string());
+        if (config.user_discovery === 'disabled')
+            error(503, 'User discovery is disabled');
+        const { user } = (await requireSession(request).catch(() => null)) ?? {};
+        if (config.user_discovery != 'public' && !user)
+            error(401, 'User discovery restricted');
+        if (config.user_discovery == 'admin' && !user?.isAdmin)
+            error(403, 'User discovery is restricted to administrators');
+        const search = `%${input.trim().replaceAll(/[\\%_]/g, '\\$&')}%`;
+        const results = await db
+            .selectFrom('users')
+            .selectAll()
+            .limit(10)
+            .$if(!!user, qb => qb.where('id', '!=', user.id))
+            // @todo make `%...%` more robust against DoS? Consider using vectors or fancy indexing.
+            .where(eb => eb.or([eb('email', 'ilike', search), eb('name', 'ilike', search)]))
+            .execute();
+        return results.map(u => stripUser(u));
+    },
+});
 addRoute({
     path: '/api/users/:id',
     params,

package/dist/config.d.ts

@@ -41,6 +41,7 @@ export declare const Config: z.ZodObject<{
     origin: z.ZodOptional<z.ZodString>;
     request_size_limit: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
     show_duplicate_state: z.ZodOptional<z.ZodBoolean>;
+    user_discovery: z.ZodOptional<z.ZodLiteral<"disabled" | "user" | "admin" | "public">>;
     verifications: z.ZodOptional<z.ZodObject<{
         timeout: z.ZodOptional<z.ZodNumber>;
         email: z.ZodOptional<z.ZodBoolean>;
@@ -117,6 +118,7 @@ export declare const ConfigFile: z.ZodObject<{
     origin: z.ZodOptional<z.ZodOptional<z.ZodString>>;
     request_size_limit: z.ZodOptional<z.ZodOptional<z.ZodOptional<z.ZodNumber>>>;
     show_duplicate_state: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
+    user_discovery: z.ZodOptional<z.ZodOptional<z.ZodLiteral<"disabled" | "user" | "admin" | "public">>>;
     verifications: z.ZodOptional<z.ZodOptional<z.ZodObject<{
         timeout: z.ZodOptional<z.ZodNumber>;
         email: z.ZodOptional<z.ZodBoolean>;

package/dist/config.js

@@ -61,6 +61,8 @@ export const Config = z
     origin: z.string(),
     request_size_limit: z.number().min(0).optional(),
     show_duplicate_state: z.boolean(),
+    /** Who can use the user discovery API. For example, setting to `admin` means regular users need to type a full email in the ACL dialog and won't be shown results */
+    user_discovery: z.literal(['disabled', 'admin', 'user', 'public']),
     verifications: z
         .looseObject({
         /** In minutes */
@@ -127,6 +129,7 @@ export const defaultConfig = {
     origin: 'https://test.localhost',
     show_duplicate_state: false,
     request_size_limit: 0,
+    user_discovery: 'user',
     verifications: {
         timeout: 60,
         email: false,

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@axium/server",
-	"version": "0.33.2",
+	"version": "0.34.0",
 	"author": "James Prevett <axium@jamespre.dev>",
 	"funding": {
 		"type": "individual",
@@ -47,8 +47,8 @@
 		"clean": "rm -rf build .svelte-kit node_modules/{.vite,.vite-temp}"
 	},
 	"peerDependencies": {
-		"@axium/client": ">=0.12.0",
-		"@axium/core": ">=0.18.0",
+		"@axium/client": ">=0.13.0",
+		"@axium/core": ">=0.19.0",
 		"kysely": "^0.28.0",
 		"utilium": "^2.6.0",
 		"zod": "^4.0.5"

package/routes/admin/+layout.svelte

@@ -1,95 +1,8 @@
 <script lang="ts">
-	import { Icon } from '@axium/client/components';
-	import { capitalize } from 'utilium';
-
+	import SidebarLayout from '@axium/client/components/SidebarLayout';
 	let { children, data } = $props();
 </script>
 
-<div id="admin-container">
-	<div id="admin-sidebar">
-		{#each data.tabs as { href, name, icon: i, active }}
-			<a {href} class={['item', 'icon-text', active && 'active']}><Icon {i} /> <span class="sidebar-text">{capitalize(name)}</span></a
-			>
-		{/each}
-	</div>
-
-	<div id="admin-content">
-		{@render children()}
-	</div>
-</div>
-
-<style>
-	#admin-container {
-		display: grid;
-		grid-template-columns: 15em 1fr;
-		height: 100%;
-	}
-
-	#admin-sidebar {
-		grid-column: 1;
-		width: 100%;
-		display: inline-flex;
-		flex-direction: column;
-		gap: 0.5em;
-		background-color: var(--bg-alt);
-		padding: 1em;
-		padding-left: 0;
-		border-radius: 0 1em 1em 0;
-	}
-
-	.item {
-		padding: 0.3em 0.5em;
-		border-radius: 0.25em 1em 1em 0.25em;
-	}
-
-	.item:hover {
-		background-color: var(--bg-strong);
-		cursor: pointer;
-	}
-
-	.item.active {
-		background-color: var(--bg-strong);
-	}
-
-	#admin-content {
-		grid-column: 2;
-		padding: 1em;
-		overflow-x: hidden;
-		overflow-y: scroll;
-	}
-
-	@media (width < 700px) {
-		#admin-container {
-			grid-template-columns: 1fr;
-		}
-
-		#admin-content {
-			padding-bottom: 4em;
-			grid-column: 1;
-		}
-
-		#admin-sidebar {
-			position: fixed;
-			grid-column: unset;
-			inset: auto 0 0;
-			border-radius: 1em;
-			display: flex;
-			flex-direction: row;
-			justify-content: space-around;
-			gap: 1em;
-			padding: 0.5em;
-			z-index: 6;
-		}
-
-		.sidebar-text {
-			display: none;
-		}
-
-		.item {
-			flex: 1 1 0;
-			border-radius: 1em;
-			padding: 1em;
-			justify-content: center;
-		}
-	}
-</style>
+<SidebarLayout tabs={data.tabs}>
+	{@render children()}
+</SidebarLayout>

package/schemas/config.json

@@ -154,6 +154,15 @@
         "show_duplicate_state": {
             "type": "boolean"
         },
+        "user_discovery": {
+            "type": "string",
+            "enum": [
+                "disabled",
+                "admin",
+                "user",
+                "public"
+            ]
+        },
         "verifications": {
             "type": "object",
             "properties": {