@axium/server 0.37.1 → 0.38.0

package/dist/acl.d.ts

@@ -2,11 +2,14 @@ import { type AccessControl, type AccessControllable, type AccessTarget, type Us
 import type * as kysely from 'kysely';
 import type { WithRequired } from 'utilium';
 import * as db from './database.js';
+export interface DBAccessControllable extends Omit<AccessControllable, 'id'> {
+    id: string | kysely.Generated<string>;
+}
 type _TableNames = keyof {
     [K in keyof db.Schema as db.Schema[K] extends db.DBAccessControl ? K : never]: null;
 };
 type _TargetNames = keyof db.Schema & keyof {
-    [K in keyof db.Schema as db.Schema[K] extends AccessControllable ? (`acl.${K}` extends keyof db.Schema ? K : never) : never]: null;
+    [K in keyof db.Schema as db.Schema[K] extends DBAccessControllable ? `acl.${K}` extends keyof db.Schema ? K : never : never]: null;
 };
 /**
  * `never` causes a ton of problems, so we use `string` if none of the tables are shareable.
@@ -28,16 +31,19 @@ export interface ACLSelectionOptions {
     /** Instead of using the `id` from `table`, use the `id` from this instead */
     alias?: string;
 }
+/** Match ACL entries, optionally selecting for a given user-like object */
+export declare function match(user?: Pick<UserInternal, 'id' | 'roles' | 'tags'>): (eb: kysely.ExpressionBuilder<db.Schema, any>) => kysely.ExpressionWrapper<db.Schema, any, kysely.SqlBool>;
 /**
  * Helper to select all access controls for a given table, including the user information.
  * Optionally filter for the entries applicable to a specific user.
  * This includes entries matching the user's ID, roles, or tags along with the "public" entry where all three "target" columns are null.
  */
-export declare function from<const TB extends TargetName>(table: TB, opt?: ACLSelectionOptions): (eb: kysely.ExpressionBuilder<db.Schema, any>) => kysely.AliasedRawBuilder<Result<`acl.${TB}`>[], 'acl'>;
+export declare function from<const TB extends TargetName, const DB = db.Schema>(table: TB, opt?: ACLSelectionOptions): (eb: kysely.ExpressionBuilder<DB, any>) => kysely.AliasedRawBuilder<Result<`acl.${TB}`>[], 'acl'>;
 export declare function get<const TB extends TableName>(table: TB, itemId: string): Promise<WithRequired<Result<TB>, 'user'>[]>;
 export declare function update<const TB extends TableName>(table: TB, itemId: string, target: AccessTarget, permissions: PermissionsFor<TB>): Promise<Result<TB>>;
 export declare function remove<const TB extends TableName>(table: TB, itemId: string, target: AccessTarget): Promise<Result<TB>>;
 export declare function add<const TB extends TableName>(table: TB, itemId: string, target: AccessTarget): Promise<Result<TB>>;
+/** Check an ACL against a set of permissions. */
 export declare function check<const TB extends TableName>(acl: Result<TB>[], permissions: Partial<PermissionsFor<TB>>): Set<keyof PermissionsFor<TB>>;
 export declare function listTables(): Record<string, TableName>;
 export interface OptionsForWhere<TB extends TargetName> {

package/dist/acl.js

@@ -1,6 +1,20 @@
 import { fromTarget } from '@axium/core';
 import { jsonArrayFrom } from 'kysely/helpers/postgres';
 import * as db from './database.js';
+/** Match ACL entries, optionally selecting for a given user-like object */
+export function match(user) {
+    return function (eb) {
+        const allNull = eb.and([eb('userId', 'is', null), eb('role', 'is', null), eb('tag', 'is', null)]);
+        if (!user)
+            return allNull;
+        const ors = [allNull, eb('userId', '=', user.id)];
+        if (user.roles.length)
+            ors.push(eb('role', 'in', user.roles));
+        if (user.tags.length)
+            ors.push(eb('tag', 'in', user.tags));
+        return eb.or(ors);
+    };
+}
 /**
  * Helper to select all access controls for a given table, including the user information.
  * Optionally filter for the entries applicable to a specific user.
@@ -12,17 +26,7 @@ export function from(table, opt = {}) {
         .selectAll()
         .$if(!opt.user, qb => qb.select(db.userFromId))
         .whereRef('_acl.itemId', '=', `${opt.alias || table}.id`)
-        .$if(!!opt.user, qb => qb.where(eb => {
-        const allNull = eb.and([eb('userId', 'is', null), eb('role', 'is', null), eb('tag', 'is', null)]);
-        if (!opt.user)
-            return allNull;
-        const ors = [allNull, eb('userId', '=', opt.user.id)];
-        if (opt.user.roles.length)
-            ors.push(eb('role', 'in', opt.user.roles));
-        if (opt.user.tags.length)
-            ors.push(eb('tag', 'in', opt.user.tags));
-        return eb.or(ors);
-    })))
+        .where(match(opt.user)))
         .$castTo()
         .as('acl');
 }
@@ -62,6 +66,7 @@ export async function add(table, itemId, target) {
         .$castTo()
         .executeTakeFirstOrThrow();
 }
+/** Check an ACL against a set of permissions. */
 export function check(acl, permissions) {
     const allowed = new Set();
     const all = new Set(Object.keys(permissions));
@@ -91,14 +96,7 @@ export function existsIn(table, user, options = {}) {
         .selectFrom(`acl.${table}`)
         // @ts-expect-error 2349
         .whereRef('itemId', '=', `${options.alias || `public.${table}`}.${options.itemId || 'id'}`)
-        .where((eb) => {
-        const ors = [eb('userId', '=', user.id)];
-        if (user.roles.length)
-            ors.push(eb('role', 'in', user.roles));
-        if (user.tags.length)
-            ors.push(eb('tag', 'in', user.tags));
-        return eb.or(ors);
-    }));
+        .where(match(user)));
 }
 /**
  * Use in a `where` to filter by items a user has access to

package/dist/api/admin.js

@@ -1,12 +1,14 @@
+import client from '@axium/client/package.json' with { type: 'json' };
 import { AuditFilter, Severity, UserAdminChange } from '@axium/core';
 import { debug, errorText, writeJSON } from '@axium/core/node/io';
-import { getVersionInfo } from '@axium/core/node/packages';
+import core from '@axium/core/package.json' with { type: 'json' };
 import { _findPlugin, plugins, PluginUpdate, serverConfigs } from '@axium/core/plugins';
 import { jsonObjectFrom } from 'kysely/helpers/postgres';
 import { mkdirSync } from 'node:fs';
 import { dirname } from 'node:path/posix';
 import { deepAssign, omit } from 'utilium';
 import * as z from 'zod';
+import $pkg from '../../package.json' with { type: 'json' };
 import { audit, events, getEvents } from '../audit.js';
 import { createVerification, requireSession } from '../auth.js';
 import { config } from '../config.js';
@@ -40,9 +42,9 @@ addRoute({
             configFiles: config.files.size,
             plugins: plugins.size,
             versions: {
-                server: await getVersionInfo('@axium/server'),
-                core: await getVersionInfo('@axium/core'),
-                client: await getVersionInfo('@axium/client'),
+                server: $pkg.version,
+                core: core.version,
+                client: client.version,
             },
         };
     },
@@ -51,9 +53,7 @@ addRoute({
     path: '/api/admin/plugins',
     async GET(req) {
         await assertAdmin(this, req);
-        return await Array.fromAsync(plugins
-            .values()
-            .map(async (p) => Object.assign(omit(p, '_hooks', '_client'), p.update_checks ? await getVersionInfo(p.specifier, p.loadedBy) : { latest: null })));
+        return await Array.fromAsync(plugins.values().map(p => omit(p, '_hooks', '_client')));
     },
     async POST(req) {
         await assertAdmin(this, req);

package/dist/api/register.js

@@ -64,7 +64,7 @@ async function POST(request) {
         deviceType: registrationInfo.credentialDeviceType,
         backedUp: registrationInfo.credentialBackedUp,
     }).catch(withError('Failed to create passkey', 500));
-    return await createSessionData(userId);
+    return await createSessionData(userId, request);
 }
 addRoute({
     path: '/api/register',

package/dist/api/users.js

@@ -100,7 +100,7 @@ addRoute({
     path: '/api/users/:id/auth',
     params,
     async OPTIONS(request, { id: userId }) {
-        const { type } = await parseBody(request, UserAuthOptions);
+        const { type, client } = await parseBody(request, UserAuthOptions);
         const user = await getUser(userId).catch(withError('User does not exist', 404));
         if (user.isSuspended)
             error(403, 'User is suspended');
@@ -111,7 +111,7 @@ addRoute({
             rpID: config.auth.rp_id,
             allowCredentials: passkeys.map(passkey => pick(passkey, 'id', 'transports')),
         });
-        challenges.set(userId, { data: options.challenge, type });
+        challenges.set(userId, { data: options.challenge, type, client });
         return options;
     },
     async POST(request, { id: userId }) {
@@ -119,7 +119,7 @@ addRoute({
         const auth = challenges.get(userId);
         if (!auth)
             error(404, 'No challenge');
-        const { data: expectedChallenge, type } = auth;
+        const { data: expectedChallenge, type, client } = auth;
         challenges.delete(userId);
         const passkey = await getPasskey(response.id).catch(withError('Passkey does not exist', 404));
         if (passkey.userId !== userId)
@@ -137,14 +137,13 @@ addRoute({
             error(401, 'Verification failed');
         switch (type) {
             case 'login':
-                return await createSessionData(userId);
+                return await createSessionData(userId, request);
             case 'client_login':
-                /** @todo tag in DB so users can manage easier */
-                return await createSessionData(userId, { noCookie: true });
+                return await createSessionData(userId, request, { noCookie: true, clientUA: client });
             case 'action':
                 if ((Date.now() - passkey.createdAt.getTime()) / 60_000 < config.auth.passkey_probation)
                     error(403, 'You can not authorize sensitive actions with a newly created passkey');
-                return await createSessionData(userId, { elevated: true });
+                return await createSessionData(userId, request, { elevated: true });
         }
     },
 });
@@ -266,6 +265,6 @@ addRoute({
     async POST(request, { id: userId }) {
         const { token } = await parseBody(request, z.object({ token: z.string() }));
         await useVerification('login', userId, token).catch(withError('Invalid or expired verification token', 400));
-        return await createSessionData(userId);
+        return await createSessionData(userId, request);
     },
 });

package/dist/auth.d.ts

@@ -8,7 +8,7 @@ export declare function updateUser({ id, ...user }: WithRequired<Insertable<Sche
 export interface SessionInternal extends Session {
     token: string;
 }
-export declare function createSession(userId: string, elevated?: boolean): Promise<SessionInternal>;
+export declare function createSession(userId: string, name: string | null, elevated?: boolean): Promise<SessionInternal>;
 export interface SessionAndUser extends SessionInternal {
     user: UserInternal;
 }

package/dist/auth.js

@@ -13,10 +13,11 @@ export async function updateUser({ id, ...user }) {
 }
 const in30days = () => new Date(Date.now() + 2592000000);
 const in10minutes = () => new Date(Date.now() + 600000);
-export async function createSession(userId, elevated = false) {
+export async function createSession(userId, name, elevated = false) {
     const session = {
         id: randomUUID(),
         userId,
+        name,
         token: randomBytes(64).toString('base64'),
         expires: elevated ? in10minutes() : in30days(),
         elevated,
@@ -117,7 +118,7 @@ export async function authSessionForItem(itemType, itemId, permissions, session,
         .selectFrom(itemType)
         .selectAll()
         .where('id', '=', itemId)
-        .$if(!!userId, eb => eb.select(acl.from(itemType, { user })))
+        .select(acl.from(itemType, { user }))
         .executeTakeFirstOrThrow()
         .catch(e => {
         if (e.message.includes('no rows'))
@@ -137,33 +138,40 @@ export async function authSessionForItem(itemType, itemId, permissions, session,
     if (userId == item.userId)
         return result;
     result.fromACL = true;
-    let current = item;
-    for (let i = 0; i < 25; i++) {
-        try {
-            if (!current.acl || !current.acl.length)
-                error(403, 'Item is not shared with you');
-            const missing = Array.from(acl.check(current.acl, permissions));
-            if (missing.length)
-                error(403, 'Missing permissions: ' + missing.join(', '));
-            return result;
-        }
-        catch (e) {
-            if (!current.parentId || !recursive)
+    const matchingControls = recursive
+        ? await db
+            .withRecursive('parents', qc => qc.selectFrom(itemType)
+            .select(['id', 'parentId'])
+            .$castTo()
+            .select(acl.from(itemType, { user }))
+            .select(eb => eb.lit(0).as('depth'))
+            .where('id', '=', itemId)
+            .unionAll(qc.selectFrom(`${itemType} as item`)
+            .select(['item.id', 'item.parentId'])
+            .innerJoin('parents as p', 'item.id', 'p.parentId')
+            .select(eb => eb(eb.ref('p.depth'), '+', eb.lit(1)).as('depth'))
+            .select(acl.from(itemType, { user, alias: 'item' }))))
+            .selectFrom('parents')
+            .select('acl')
+            .execute()
+            .then(parents => parents.flatMap(p => p.acl))
+            .catch(e => {
+            if (!(e instanceof Error))
                 throw e;
-            current = (await db
-                .selectFrom(itemType)
-                .selectAll()
-                .where('id', '=', current.parentId)
-                .$if(!!userId, eb => eb.select(acl.from(itemType, { user })))
-                .executeTakeFirstOrThrow()
-                .catch(e => {
-                if (e.message.includes('no rows'))
-                    error(404, itemType + ' not found');
-                throw e;
-            }));
-        }
-    }
-    error(403, 'You do not have permissions for any of the last 25 parent items');
+            switch (e.message) {
+                case 'column "parentId" does not exist':
+                    error(500, `${itemType} does not support recursive ACLs`);
+                default:
+                    throw e;
+            }
+        })
+        : item.acl;
+    if (!matchingControls.length)
+        error(403, 'Item is not shared with you');
+    const missing = Array.from(acl.check(matchingControls, permissions));
+    if (missing.length)
+        error(403, 'Missing permissions: ' + missing.join(', '));
+    return result;
 }
 /**
  * Authenticate a request against an "item" which has an ACL table.

package/dist/database.d.ts

@@ -29,7 +29,7 @@ export type TablesMatching<T> = (string & keyof Schema) & keyof {
  */
 export declare function userFromId<TB extends TablesMatching<{
     userId: string;
-}>>(builder: kysely.ExpressionBuilder<Schema, TB>): kysely.AliasedRawBuilder<UserInternal, 'user' | TB>;
+}>, const DB extends Schema = Schema>(builder: kysely.ExpressionBuilder<DB, TB>): kysely.AliasedRawBuilder<UserInternal, 'user' | TB>;
 /**
  * Used for `update ... set ... from`
  */

package/dist/db/schema.json

@@ -77,6 +77,16 @@
                     }
                 }
             }
+        },
+        {
+            "delta": true,
+            "alter_tables": {
+                "sessions": {
+                    "add_columns": {
+                        "name": { "type": "text" }
+                    }
+                }
+            }
         }
     ],
     "wipe": ["users", "verifications", "passkeys", "sessions", "audit_log"]

package/dist/requests.d.ts

@@ -35,11 +35,13 @@ export declare function json(data: object, init?: ResponseInit): Response;
 export declare function parseBody<const Schema extends z.ZodType>(request: Request, schema: Schema): Promise<z.infer<Schema>>;
 export declare function parseSearch<const Schema extends z.ZodType>(request: Request, schema: Schema): z.infer<Schema>;
 export declare function getToken(request: Request, sensitive?: boolean): string | undefined;
+export declare function getPrettyUA(request: Request, uaOverride?: string): Promise<string | null>;
 export interface CreateSessionOptions {
     elevated?: boolean;
     noCookie?: boolean;
+    clientUA?: string;
 }
-export declare function createSessionData(userId: string, { elevated, noCookie }?: CreateSessionOptions): Promise<Response>;
+export declare function createSessionData(userId: string, request: Request, { elevated, noCookie, clientUA }?: CreateSessionOptions): Promise<Response>;
 export declare function stripUser(user: UserInternal, includeProtected?: boolean): User;
 export declare function withError(text: string, code?: number): (e: Error | ResponseError) => never;
 export declare function handleAPIRequest(request: Request, params: Record<string, any>, route: ServerRoute): Promise<Response>;

package/dist/requests.js

@@ -62,8 +62,29 @@ export function getToken(request, sensitive = false) {
         return cookie.parse(request.headers.get('cookie') || '')[sensitive ? 'elevated_token' : 'session_token'];
     }
 }
-export async function createSessionData(userId, { elevated = false, noCookie } = {}) {
-    const { token, expires } = await createSession(userId, elevated);
+const uaParserExtension = {
+    browser: [[/(axium[- ]client)\/([\d.]+)/i], ['name', 'version']],
+};
+export async function getPrettyUA(request, uaOverride) {
+    const uaString = uaOverride || request.headers.get('User-Agent') || '';
+    try {
+        const { UAParser } = await import('ua-parser-js');
+        const ua = UAParser(uaString, uaParserExtension);
+        return [
+            ua.browser.name,
+            ua.browser.name && /axium[- ]client/i.test(ua.browser.name) ? ua.browser.version : ua.browser.major,
+            ua.os.name && ' on ' + ua.os.name,
+        ]
+            .filter(p => p)
+            .join(' ');
+    }
+    catch {
+        return null;
+    }
+}
+export async function createSessionData(userId, request, { elevated = false, noCookie, clientUA } = {}) {
+    const name = await getPrettyUA(request, clientUA);
+    const { token, expires } = await createSession(userId, name, elevated);
     const response = json({ userId, token: elevated ? '[[redacted:elevated]]' : token }, { status: 201 });
     if (noCookie)
         return response;

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@axium/server",
-	"version": "0.37.1",
+	"version": "0.38.0",
 	"author": "James Prevett <axium@jamespre.dev>",
 	"funding": {
 		"type": "individual",
@@ -47,8 +47,8 @@
 		"clean": "rm -rf build .svelte-kit node_modules/{.vite,.vite-temp}"
 	},
 	"peerDependencies": {
-		"@axium/client": ">=0.13.0",
-		"@axium/core": ">=0.20.0",
+		"@axium/client": ">=0.17.0",
+		"@axium/core": ">=0.21.0",
 		"kysely": "^0.28.0",
 		"utilium": "^2.6.0",
 		"zod": "^4.0.5"
@@ -66,5 +66,8 @@
 	"devDependencies": {
 		"@sveltejs/adapter-node": "^5.2.12",
 		"vite-plugin-mkcert": "^1.17.8"
+	},
+	"optionalDependencies": {
+		"ua-parser-js": "^2.0.9"
 	}
 }

package/routes/account/+page.svelte

@@ -1,6 +1,6 @@
 <script lang="ts">
+	import { fetchAPI, text } from '@axium/client';
 	import { ClipboardCopy, FormDialog, Icon, Logout, SessionList, ZodForm } from '@axium/client/components';
-	import { fetchAPI } from '@axium/client/requests';
 	import '@axium/client/styles/account';
 	import { createPasskey, deletePasskey, deleteUser, sendVerificationEmail, updatePasskey, updateUser } from '@axium/client/user';
 	import { preferenceLabels, Preferences } from '@axium/core/preferences';
@@ -23,7 +23,7 @@
 </script>
 
 <svelte:head>
-	<title>Your Account</title>
+	<title>{text('page.account.title')}</title>
 </svelte:head>
 
 {#snippet action(name: string, i: string = 'pen')}
@@ -34,95 +34,101 @@
 
 <div class="Account flex-content">
 	<div id="pfp-container">
-		<img id="pfp" src={getUserImage(user)} alt="User profile" width="100px" height="100px" />
+		<img id="pfp" src={getUserImage(user)} alt={text('page.account.profile_alt')} width="100px" height="100px" />
 	</div>
-	<p class="greeting">Welcome, {user.name}</p>
+	<p class="greeting">{text('page.account.greeting', { name: user.name })}</p>
 
 	<div id="info" class="section main">
-		<h3>Personal Information</h3>
+		<h3>{text('page.account.personal_info')}</h3>
 		<div class="item info">
-			<p class="subtle">Name</p>
+			<p class="subtle">{text('generic.username')}</p>
 			<p>{user.name}</p>
 			{@render action('edit_name')}
 		</div>
-		<FormDialog id="edit_name" submit={_editUser} submitText="Change">
+		<FormDialog id="edit_name" submit={_editUser} submitText={text('generic.change')}>
 			<div>
-				<label for="name">What do you want to be called?</label>
+				<label for="name">{text('page.account.edit_name')}</label>
 				<input name="name" type="text" value={user.name || ''} required />
 			</div>
 		</FormDialog>
 		<div class="item info">
-			<p class="subtle">Email</p>
+			<p class="subtle">{text('generic.email')}</p>
 			<p>
 				{user.email}
 				{#if user.emailVerified}
-					<dfn title="Email verified on {user.emailVerified.toLocaleDateString()}">
+					<dfn title={text('page.account.email_verified_on', { date: user.emailVerified.toLocaleDateString() })}>
 						<Icon i="regular/circle-check" />
 					</dfn>
 				{:else if canVerify}
 					<button onclick={() => sendVerificationEmail(user.id).then(() => (verificationSent = true))}>
-						{verificationSent ? 'Verification email sent' : 'Verify'}
+						{verificationSent ? text('page.account.verification_sent') : text('page.account.verify')}
 					</button>
 				{/if}
 			</p>
 			{@render action('edit_email')}
 		</div>
-		<FormDialog id="edit_email" submit={_editUser} submitText="Change">
+		<FormDialog id="edit_email" submit={_editUser} submitText={text('generic.change')}>
 			<div>
-				<label for="email">Email Address</label>
+				<label for="email">{text('page.account.edit_email')}</label>
 				<input name="email" type="email" value={user.email || ''} required />
 			</div>
 		</FormDialog>
 
 		<div class="item info">
-			<p class="subtle">User ID <dfn title="This is your UUID. It can't be changed."><Icon i="regular/circle-info" /></dfn></p>
+			<p class="subtle">
+				{text('page.account.user_id')} <dfn title={text('page.account.user_id_hint')}><Icon i="regular/circle-info" /></dfn>
+			</p>
 			<p>{user.id}</p>
 			<ClipboardCopy value={user.id} --size="16px" />
 		</div>
 		<div class="inline-button-container">
-			<button command="show-modal" commandfor="logout" class="inline-button signout">Sign Out</button>
-			<button command="show-modal" commandfor="delete" class="inline-button danger">Delete Account</button>
+			<button command="show-modal" commandfor="logout" class="inline-button logout">{text('generic.logout')}</button>
+			<button command="show-modal" commandfor="delete" class="inline-button danger">{text('page.account.delete_account')}</button>
 			<Logout />
 			<FormDialog
 				id="delete"
 				submit={() => deleteUser(user.id).then(() => (window.location.href = '/'))}
-				submitText="Delete Account"
+				submitText={text('page.account.delete_account')}
 				submitDanger
 			>
-				<p>Are you sure you want to delete your account?<br />This action can't be undone.</p>
+				<p>{text('page.account.delete_account_confirm')}<br />{text('generic.action_irreversible')}</p>
 			</FormDialog>
 		</div>
 	</div>
 
 	<div id="passkeys" class="section main">
-		<h3>Passkeys</h3>
+		<h3>{text('page.account.passkeys.title')}</h3>
 		{#each passkeys as passkey}
 			<div class="item passkey">
 				<p>
-					<dfn title={passkey.deviceType == 'multiDevice' ? 'Multiple devices' : 'Single device'}>
+					<dfn
+						title={passkey.deviceType == 'multiDevice'
+							? text('page.account.passkeys.multi_device')
+							: text('page.account.passkeys.single_device')}
+					>
 						<Icon i={passkey.deviceType == 'multiDevice' ? 'laptop-mobile' : 'mobile'} --size="16px" />
 					</dfn>
-					<dfn title="This passkey is {passkey.backedUp ? '' : 'not '}backed up">
+					<dfn title={passkey.backedUp ? text('page.account.passkeys.backed_up') : text('page.account.passkeys.not_backed_up')}>
 						<Icon i={passkey.backedUp ? 'circle-check' : 'circle-xmark'} --size="16px" />
 					</dfn>
 					{#if passkey.name}
 						<p>{passkey.name}</p>
 					{:else}
-						<p class="subtle"><i>Unnamed</i></p>
+						<p class="subtle"><i>{text('generic.unnamed')}</i></p>
 					{/if}
 				</p>
-				<p>Created {passkey.createdAt.toLocaleString()}</p>
+				<p>{text('page.account.passkeys.created', { date: passkey.createdAt.toLocaleString() })}</p>
 				<button commandfor="edit_passkey:{passkey.id}" command="show-modal" class="icon-text">
 					<Icon i="pen" --size="16px" />
-					<span class="mobile-only">Rename</span>
+					<span class="mobile-only">{text('page.account.passkeys.rename')}</span>
 				</button>
 				{#if passkeys.length > 1}
 					<button commandfor="delete_passkey:{passkey.id}" command="show-modal" class="icon-text">
 						<Icon i="trash" --size="16px" />
-						<span class="mobile-only">Delete</span>
+						<span class="mobile-only">{text('page.account.passkeys.delete')}</span>
 					</button>
 				{:else}
-					<dfn title="You must have at least one passkey" class="disabled icon-text mobile-hide">
+					<dfn title={text('page.account.passkeys.min_one')} class="disabled icon-text mobile-hide">
 						<Icon i="trash-slash" --fill="#888" --size="16px" />
 					</dfn>
 				{/if}
@@ -130,39 +136,40 @@
 			<FormDialog
 				id={'edit_passkey:' + passkey.id}
 				submit={data => {
-					if (typeof data.name != 'string') throw 'Passkey name must be a string';
+					if (typeof data.name != 'string') throw text('page.account.passkeys.name_type_error');
 					passkey.name = data.name;
 					return updatePasskey(passkey.id, data);
 				}}
-				submitText="Change"
+				submitText={text('generic.change')}
 			>
 				<div>
-					<label for="name">Passkey Name</label>
+					<label for="name">{text('page.account.passkeys.edit_name')}</label>
 					<input name="name" type="text" value={passkey.name || ''} />
 				</div>
 			</FormDialog>
 			<FormDialog
 				id={'delete_passkey:' + passkey.id}
 				submit={() => deletePasskey(passkey.id).then(() => passkeys.splice(passkeys.indexOf(passkey), 1))}
-				submitText="Delete"
+				submitText={text('page.account.passkeys.delete')}
 				submitDanger={true}
 			>
-				<p>Are you sure you want to delete this passkey?<br />This action can't be undone.</p>
+				<p>{text('page.account.passkeys.delete_confirm')}<br />{text('generic.action_irreversible')}</p>
 			</FormDialog>
 		{/each}
 
 		<button onclick={() => createPasskey(user.id).then(passkeys.push.bind(passkeys))} class="inline-button icon-text">
-			<Icon i="plus" /> Create
+			<Icon i="plus" />
+			{text('page.account.passkeys.create')}
 		</button>
 	</div>
 
 	<div id="sessions" class="section main">
-		<h3>Sessions</h3>
+		<h3>{text('page.account.sessions')}</h3>
 		<SessionList {sessions} {currentSession} {user} redirectAfterLogoutAll />
 	</div>
 
 	<div id="preferences" class="section main">
-		<h3>Preferences</h3>
+		<h3>{text('page.account.preferences')}</h3>
 		<ZodForm
 			bind:rootValue={user.preferences}
 			idPrefix="preferences"