@axium/server 0.33.3 → 0.34.1

package/dist/acl.d.ts

@@ -1,4 +1,4 @@
-import type { AccessControl, AccessMap, UserInternal } from '@axium/core';
+import { type AccessControl, type AccessTarget, type UserInternal } from '@axium/core';
 import type * as kysely from 'kysely';
 import type { WithRequired } from 'utilium';
 import * as db from './database.js';
@@ -23,7 +23,7 @@ export type WithACL<TB extends TargetName> = kysely.Selectable<db.Schema[TB]> &
     acl: Result<`acl.${TB}`>[];
 };
 export interface ACLSelectionOptions {
-    /** If specified, files by user UUID */
+    /** If specified, filters by user UUID */
     user?: Pick<UserInternal, 'id' | 'roles' | 'tags'>;
     /** Instead of using the `id` from `table`, use the `id` from this instead */
     alias?: string;
@@ -34,8 +34,10 @@ export interface ACLSelectionOptions {
  * This includes entries matching the user's ID, roles, or tags along with the "public" entry where all three "target" columns are null.
  */
 export declare function from<const TB extends TargetName>(table: TB, opt?: ACLSelectionOptions): (eb: kysely.ExpressionBuilder<db.Schema, any>) => kysely.AliasedRawBuilder<Result<`acl.${TB}`>[], 'acl'>;
-export declare function get<const TB extends TableName>(table: TB, itemId: string): Promise<WithRequired<AccessControlInternal & kysely.Selectable<db.Schema[TB]>, 'user'>[]>;
-export declare function set<const TB extends TableName>(table: TB, itemId: string, data: AccessMap): Promise<(AccessControlInternal & kysely.Selectable<db.Schema[TB]>)[]>;
+export declare function get<const TB extends TableName>(table: TB, itemId: string): Promise<WithRequired<Result<TB>, 'user'>[]>;
+export declare function update<const TB extends TableName>(table: TB, itemId: string, target: AccessTarget, permissions: PermissionsFor<TB>): Promise<Result<TB>>;
+export declare function remove<const TB extends TableName>(table: TB, itemId: string, target: AccessTarget): Promise<Result<TB>>;
+export declare function add<const TB extends TableName>(table: TB, itemId: string, target: AccessTarget): Promise<Result<TB>>;
 export declare function check<const TB extends TableName>(acl: Result<TB>[], permissions: Partial<PermissionsFor<TB>>): Set<keyof PermissionsFor<TB>>;
 export declare function listTables(): Record<string, TableName>;
 export {};

package/dist/acl.js

@@ -1,3 +1,4 @@
+import { fromTarget } from '@axium/core';
 import { jsonArrayFrom } from 'kysely/helpers/postgres';
 import * as db from './database.js';
 /**
@@ -9,8 +10,9 @@ export function from(table, opt = {}) {
     return (eb) => jsonArrayFrom(eb
         .selectFrom(`acl.${table} as _acl`)
         .selectAll()
-        .whereRef(`_acl.itemId`, '=', `${opt.alias || table}.id`)
-        .where(eb => {
+        .$if(!opt.user, qb => qb.select(db.userFromId))
+        .whereRef('_acl.itemId', '=', `${opt.alias || table}.id`)
+        .$if(!!opt.user, qb => qb.where(eb => {
         const allNull = eb.and([eb('userId', 'is', null), eb('role', 'is', null), eb('tag', 'is', null)]);
         if (!opt.user)
             return allNull;
@@ -20,27 +22,45 @@ export function from(table, opt = {}) {
         if (opt.user.tags.length)
             ors.push(eb('tag', 'in', opt.user.tags));
         return eb.or(ors);
-    }))
+    })))
         .$castTo()
         .as('acl');
 }
 export async function get(table, itemId) {
-    // @ts-expect-error 2349
-    return await db.database.selectFrom(table).where('itemId', '=', itemId).selectAll().select(db.userFromId).execute();
+    return await db.database
+        .selectFrom(table)
+        .where('itemId', '=', itemId)
+        .selectAll()
+        .select(db.userFromId)
+        .$castTo()
+        .execute();
 }
-export async function set(table, itemId, data) {
-    const entries = Object.entries(data).map(([userId, perm]) => ({ userId, ...perm }));
-    if (!entries.length)
-        return [];
+export async function update(table, itemId, target, permissions) {
     return await db.database
         .updateTable(table)
-        // @ts-expect-error 2349
-        .from(db.values(entries, 'data'))
-        .set()
-        .whereRef(`${table}.userId`, '=', 'data.userId')
+        .set(permissions)
         .where('itemId', '=', itemId)
+        .where(eb => eb.and(fromTarget(target)))
         .returningAll()
-        .execute();
+        .$castTo()
+        .executeTakeFirstOrThrow();
+}
+export async function remove(table, itemId, target) {
+    return await db.database
+        .deleteFrom(table)
+        .where('itemId', '=', itemId)
+        .where(eb => eb.and(fromTarget(target)))
+        .returningAll()
+        .$castTo()
+        .executeTakeFirstOrThrow();
+}
+export async function add(table, itemId, target) {
+    return await db.database
+        .insertInto(table)
+        .values({ itemId, ...fromTarget(target) })
+        .returningAll()
+        .$castTo()
+        .executeTakeFirstOrThrow();
 }
 export function check(acl, permissions) {
     const allowed = new Set();

package/dist/api/acl.js

@@ -1,9 +1,15 @@
-import { AccessMap } from '@axium/core/access';
 import * as z from 'zod';
 import * as acl from '../acl.js';
 import { error, parseBody, withError } from '../requests.js';
 import { addRoute } from '../routes.js';
 import { checkAuthForItem } from '../auth.js';
+import { AccessControlUpdate, AccessTarget } from '@axium/core';
+function getTable(itemType) {
+    const tables = acl.listTables();
+    if (!(itemType in tables))
+        error(400, 'Invalid item type: ' + itemType);
+    return tables[itemType];
+}
 addRoute({
     path: '/api/acl/:itemType/:itemId',
     params: {
@@ -11,17 +17,25 @@ addRoute({
         itemId: z.uuid(),
     },
     async GET(request, { itemType, itemId }) {
-        const tables = acl.listTables();
-        if (!(itemType in tables))
-            error(400, 'Invalid item type: ' + itemType);
-        return await acl.get(tables[itemType], itemId).catch(withError('Failed to get access controls'));
+        const table = getTable(itemType);
+        return await acl.get(table, itemId).catch(withError('Failed to get access controls'));
     },
-    async POST(request, { itemType, itemId }) {
-        const data = await parseBody(request, AccessMap);
-        const tables = acl.listTables();
-        if (!(itemType in tables))
-            error(400, 'Invalid item type: ' + itemType);
+    async PATCH(request, { itemType, itemId }) {
+        const table = getTable(itemType);
+        const { target, permissions } = await parseBody(request, AccessControlUpdate);
         await checkAuthForItem(request, itemType, itemId, { manage: true });
-        return await acl.set(tables[itemType], itemId, data);
+        return await acl.update(table, itemId, target, permissions);
+    },
+    async PUT(request, { itemType, itemId }) {
+        const table = getTable(itemType);
+        const target = await parseBody(request, AccessTarget);
+        await checkAuthForItem(request, itemType, itemId, { manage: true });
+        return await acl.add(table, itemId, target);
+    },
+    async DELETE(request, { itemType, itemId }) {
+        const table = getTable(itemType);
+        const target = await parseBody(request, AccessTarget);
+        await checkAuthForItem(request, itemType, itemId, { manage: true });
+        return await acl.remove(table, itemId, target);
     },
 });

package/dist/api/users.js

@@ -4,7 +4,7 @@ import * as webauthn from '@simplewebauthn/server';
 import { encodeUUID, omit, pick } from 'utilium';
 import * as z from 'zod';
 import { audit } from '../audit.js';
-import { checkAuthForUser, createPasskey, createVerification, getPasskey, getPasskeysByUserId, getSessions, getUser, useVerification, } from '../auth.js';
+import { checkAuthForUser, createPasskey, createVerification, getPasskey, getPasskeysByUserId, getSessions, getUser, requireSession, useVerification, } from '../auth.js';
 import { config } from '../config.js';
 import { database as db } from '../database.js';
 import { createSessionData, error, parseBody, stripUser, withError } from '../requests.js';
@@ -27,6 +27,29 @@ addRoute({
         return { id };
     },
 });
+addRoute({
+    path: '/api/users/discover',
+    async POST(request) {
+        const input = await parseBody(request, z.string());
+        if (config.user_discovery === 'disabled')
+            error(503, 'User discovery is disabled');
+        const { user } = (await requireSession(request).catch(() => null)) ?? {};
+        if (config.user_discovery != 'public' && !user)
+            error(401, 'User discovery restricted');
+        if (config.user_discovery == 'admin' && !user?.isAdmin)
+            error(403, 'User discovery is restricted to administrators');
+        const search = `%${input.trim().replaceAll(/[\\%_]/g, '\\$&')}%`;
+        const results = await db
+            .selectFrom('users')
+            .selectAll()
+            .limit(10)
+            .$if(!!user, qb => qb.where('id', '!=', user.id))
+            // @todo make `%...%` more robust against DoS? Consider using vectors or fancy indexing.
+            .where(eb => eb.or([eb('email', 'ilike', search), eb('name', 'ilike', search)]))
+            .execute();
+        return results.map(u => stripUser(u));
+    },
+});
 addRoute({
     path: '/api/users/:id',
     params,

package/dist/audit.js

@@ -20,8 +20,6 @@ export function styleSeverity(sev, align = false) {
     return styleText(severityFormat[sev], text.toUpperCase());
 }
 function output(event) {
-    if (event.severity > Severity[capitalize(config.audit.min_severity)])
-        return;
     console.error('[audit]', styleText('dim', io.prettyDate(event.timestamp)), styleSeverity(event.severity), event.name);
 }
 export async function audit_raw(event) {
@@ -29,6 +27,8 @@ export async function audit_raw(event) {
         io.warn('[audit] Ignoring raw event (disabled)');
         return;
     }
+    if (event.severity > Severity[capitalize(config.audit.min_severity)])
+        return;
     const result = await database.insertInto('audit_log').values(event).returningAll().executeTakeFirstOrThrow();
     output(result);
 }
@@ -48,6 +48,8 @@ export async function audit(eventName, userId, extra) {
         io.warn('Ignoring audit event with unknown event name: ' + eventName);
         return;
     }
+    if (cfg.severity > Severity[capitalize(config.audit.min_severity)])
+        return;
     try {
         if (cfg.extra)
             extra = cfg.extra.parse(extra);

package/dist/config.d.ts

@@ -9,8 +9,8 @@ export declare const Config: z.ZodObject<{
     audit: z.ZodOptional<z.ZodObject<{
         allow_raw: z.ZodOptional<z.ZodBoolean>;
         retention: z.ZodOptional<z.ZodNumber>;
-        min_severity: z.ZodOptional<z.ZodLiteral<"Emergency" | "Alert" | "Critical" | "Error" | "Warning" | "Notice" | "Info" | "Debug" | "emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug">>;
-        auto_suspend: z.ZodOptional<z.ZodLiteral<"Emergency" | "Alert" | "Critical" | "Error" | "Warning" | "Notice" | "Info" | "Debug" | "emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug">>;
+        min_severity: z.ZodOptional<z.ZodLiteral<"emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug">>;
+        auto_suspend: z.ZodOptional<z.ZodLiteral<"emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug">>;
     }, z.core.$loose>>;
     auth: z.ZodOptional<z.ZodObject<{
         passkey_probation: z.ZodOptional<z.ZodNumber>;
@@ -41,6 +41,7 @@ export declare const Config: z.ZodObject<{
     origin: z.ZodOptional<z.ZodString>;
     request_size_limit: z.ZodOptional<z.ZodOptional<z.ZodNumber>>;
     show_duplicate_state: z.ZodOptional<z.ZodBoolean>;
+    user_discovery: z.ZodOptional<z.ZodLiteral<"disabled" | "user" | "admin" | "public">>;
     verifications: z.ZodOptional<z.ZodObject<{
         timeout: z.ZodOptional<z.ZodNumber>;
         email: z.ZodOptional<z.ZodBoolean>;
@@ -85,8 +86,8 @@ export declare const ConfigFile: z.ZodObject<{
     audit: z.ZodOptional<z.ZodOptional<z.ZodObject<{
         allow_raw: z.ZodOptional<z.ZodBoolean>;
         retention: z.ZodOptional<z.ZodNumber>;
-        min_severity: z.ZodOptional<z.ZodLiteral<"Emergency" | "Alert" | "Critical" | "Error" | "Warning" | "Notice" | "Info" | "Debug" | "emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug">>;
-        auto_suspend: z.ZodOptional<z.ZodLiteral<"Emergency" | "Alert" | "Critical" | "Error" | "Warning" | "Notice" | "Info" | "Debug" | "emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug">>;
+        min_severity: z.ZodOptional<z.ZodLiteral<"emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug">>;
+        auto_suspend: z.ZodOptional<z.ZodLiteral<"emergency" | "alert" | "critical" | "error" | "warning" | "notice" | "info" | "debug">>;
     }, z.core.$loose>>>;
     auth: z.ZodOptional<z.ZodOptional<z.ZodObject<{
         passkey_probation: z.ZodOptional<z.ZodNumber>;
@@ -117,6 +118,7 @@ export declare const ConfigFile: z.ZodObject<{
     origin: z.ZodOptional<z.ZodOptional<z.ZodString>>;
     request_size_limit: z.ZodOptional<z.ZodOptional<z.ZodOptional<z.ZodNumber>>>;
     show_duplicate_state: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
+    user_discovery: z.ZodOptional<z.ZodOptional<z.ZodLiteral<"disabled" | "user" | "admin" | "public">>>;
     verifications: z.ZodOptional<z.ZodOptional<z.ZodObject<{
         timeout: z.ZodOptional<z.ZodNumber>;
         email: z.ZodOptional<z.ZodBoolean>;

package/dist/config.js

@@ -1,15 +1,14 @@
+import { serverConfigs, toBaseName } from '@axium/core';
 import * as io from '@axium/core/node/io';
 import { loadPlugin } from '@axium/core/node/plugins';
 import { levelText } from 'logzen';
 import { existsSync, readFileSync, writeFileSync } from 'node:fs';
 import { dirname, join, resolve } from 'node:path/posix';
-import { capitalize, deepAssign, omit } from 'utilium';
+import { deepAssign, omit } from 'utilium';
 import * as z from 'zod';
 import { dirs, logger, systemDir } from './io.js';
 import { _duplicateStateWarnings, _unique } from './state.js';
-import { serverConfigs, toBaseName } from '@axium/core';
 const audit_severity_levels = ['emergency', 'alert', 'critical', 'error', 'warning', 'notice', 'info', 'debug'];
-const z_audit_severity = z.literal([...audit_severity_levels, ...audit_severity_levels.map(capitalize)]);
 export const Config = z
     .looseObject({
     /** Whether /api/admin is enabled */
@@ -25,8 +24,9 @@ export const Config = z
         allow_raw: z.boolean(),
         /** How many days to keep events in the audit log */
         retention: z.number().min(0),
-        min_severity: z_audit_severity,
-        auto_suspend: z_audit_severity,
+        /** Minimum severity level. Less severe events will be ignored. */
+        min_severity: z.literal(audit_severity_levels),
+        auto_suspend: z.literal(audit_severity_levels),
     })
         .partial(),
     auth: z
@@ -61,6 +61,8 @@ export const Config = z
     origin: z.string(),
     request_size_limit: z.number().min(0).optional(),
     show_duplicate_state: z.boolean(),
+    /** Who can use the user discovery API. For example, setting to `admin` means regular users need to type a full email in the ACL dialog and won't be shown results */
+    user_discovery: z.literal(['disabled', 'admin', 'user', 'public']),
     verifications: z
         .looseObject({
         /** In minutes */
@@ -127,6 +129,7 @@ export const defaultConfig = {
     origin: 'https://test.localhost',
     show_duplicate_state: false,
     request_size_limit: 0,
+    user_discovery: 'user',
     verifications: {
         timeout: 60,
         email: false,

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@axium/server",
-	"version": "0.33.3",
+	"version": "0.34.1",
 	"author": "James Prevett <axium@jamespre.dev>",
 	"funding": {
 		"type": "individual",
@@ -47,8 +47,8 @@
 		"clean": "rm -rf build .svelte-kit node_modules/{.vite,.vite-temp}"
 	},
 	"peerDependencies": {
-		"@axium/client": ">=0.12.3",
-		"@axium/core": ">=0.18.0",
+		"@axium/client": ">=0.13.0",
+		"@axium/core": ">=0.19.0",
 		"kysely": "^0.28.0",
 		"utilium": "^2.6.0",
 		"zod": "^4.0.5"

package/schemas/config.json

@@ -40,15 +40,7 @@
                         "warning",
                         "notice",
                         "info",
-                        "debug",
-                        "Emergency",
-                        "Alert",
-                        "Critical",
-                        "Error",
-                        "Warning",
-                        "Notice",
-                        "Info",
-                        "Debug"
+                        "debug"
                     ]
                 },
                 "auto_suspend": {
@@ -61,15 +53,7 @@
                         "warning",
                         "notice",
                         "info",
-                        "debug",
-                        "Emergency",
-                        "Alert",
-                        "Critical",
-                        "Error",
-                        "Warning",
-                        "Notice",
-                        "Info",
-                        "Debug"
+                        "debug"
                     ]
                 }
             },
@@ -154,6 +138,15 @@
         "show_duplicate_state": {
             "type": "boolean"
         },
+        "user_discovery": {
+            "type": "string",
+            "enum": [
+                "disabled",
+                "admin",
+                "user",
+                "public"
+            ]
+        },
         "verifications": {
             "type": "object",
             "properties": {