@axium/server 0.7.6 → 0.8.0

package/web/api/metadata.ts

@@ -0,0 +1,35 @@
+import type { Result } from '@axium/core/api';
+import { requestMethods } from '@axium/core/requests';
+import { config } from '@axium/server/config.js';
+import { plugins } from '@axium/server/plugins.js';
+import { addRoute, routes } from '@axium/server/routes.js';
+import { error } from '@sveltejs/kit';
+import pkg from '../../package.json' with { type: 'json' };
+
+addRoute({
+	path: '/api/metadata',
+	async GET(): Result<'GET', 'metadata'> {
+		if (config.api.disable_metadata) {
+			error(401, { message: 'API metadata is disabled' });
+		}
+
+		return {
+			version: pkg.version,
+			routes: Object.fromEntries(
+				routes
+					.entries()
+					.filter(([path]) => path.startsWith('/api/'))
+					.map(([path, route]) => [
+						path,
+						{
+							params: Object.fromEntries(
+								Object.entries(route.params || {}).map(([key, type]) => [key, type ? type.def.type : null])
+							),
+							methods: requestMethods.filter(m => m in route),
+						},
+					])
+			),
+			plugins: Object.fromEntries(plugins.values().map(plugin => [plugin.id, plugin.version])),
+		};
+	},
+});

package/web/api/passkeys.ts

@@ -0,0 +1,56 @@
+import type { Result } from '@axium/core/api';
+import { PasskeyChangeable } from '@axium/core/schemas';
+import { getPasskey } from '@axium/server/auth.js';
+import { database as db } from '@axium/server/database.js';
+import { addRoute } from '@axium/server/routes.js';
+import { error } from '@sveltejs/kit';
+import { omit } from 'utilium';
+import z from 'zod/v4';
+import { checkAuth, parseBody, withError } from './utils';
+
+addRoute({
+	path: '/api/passkeys/:id',
+	params: {
+		id: z.string(),
+	},
+	async GET(event): Result<'GET', 'passkeys/:id'> {
+		const passkey = await getPasskey(event.params.id);
+		await checkAuth(event, passkey.userId);
+		return omit(passkey, 'counter', 'publicKey');
+	},
+	async PATCH(event): Result<'PATCH', 'passkeys/:id'> {
+		const body = await parseBody(event, PasskeyChangeable);
+		const passkey = await getPasskey(event.params.id);
+		await checkAuth(event, passkey.userId);
+		const result = await db
+			.updateTable('passkeys')
+			.set(body)
+			.where('id', '=', passkey.id)
+			.returningAll()
+			.executeTakeFirstOrThrow()
+			.catch(withError('Could not update passkey'));
+
+		return omit(result, 'counter', 'publicKey');
+	},
+	async DELETE(event): Result<'DELETE', 'passkeys/:id'> {
+		const passkey = await getPasskey(event.params.id);
+		await checkAuth(event, passkey.userId);
+
+		const { count } = await db
+			.selectFrom('passkeys')
+			.select(db.fn.countAll().as('count'))
+			.where('userId', '=', passkey.userId)
+			.executeTakeFirstOrThrow();
+
+		if (Number(count) <= 1) error(409, 'At least one passkey is required');
+
+		const result = await db
+			.deleteFrom('passkeys')
+			.where('id', '=', passkey.id)
+			.returningAll()
+			.executeTakeFirstOrThrow()
+			.catch(withError('Could not delete passkey'));
+
+		return omit(result, 'counter', 'publicKey');
+	},
+});

package/web/api/readme.md

@@ -0,0 +1 @@
+This is the web-facing API, not a TypeScript API. In this directory you'll find the `addRoute` calls for the built-in `/api` routes along with the utilities and other helpers used.

package/web/api/register.ts

@@ -0,0 +1,83 @@
+/** Register a new user. */
+import type { Result } from '@axium/core/api';
+import { APIUserRegistration } from '@axium/core/schemas';
+import { createPasskey, getUser, getUserByEmail } from '@axium/server/auth.js';
+import config from '@axium/server/config.js';
+import { database as db, type Schema } from '@axium/server/database.js';
+import { addRoute } from '@axium/server/routes.js';
+import { generateRegistrationOptions, verifyRegistrationResponse } from '@simplewebauthn/server';
+import { error, type RequestEvent } from '@sveltejs/kit';
+import { randomUUID } from 'node:crypto';
+import z from 'zod/v4';
+import { createSessionData, parseBody, withError } from './utils.js';
+
+// Map of user ID => challenge
+const registrations = new Map<string, string>();
+
+async function OPTIONS(event: RequestEvent): Result<'OPTIONS', 'register'> {
+	const { name, email } = await parseBody(event, z.object({ name: z.string().optional(), email: z.email().optional() }));
+
+	const userId = randomUUID();
+	const user = await getUser(userId);
+	if (user) error(409, { message: 'Generated UUID is already in use, please retry.' });
+
+	const options = await generateRegistrationOptions({
+		rpName: config.auth.rp_name,
+		rpID: config.auth.rp_id,
+		userName: email ?? userId,
+		userDisplayName: name,
+		attestationType: 'none',
+		excludeCredentials: [],
+		authenticatorSelection: {
+			residentKey: 'preferred',
+			userVerification: 'preferred',
+			authenticatorAttachment: 'platform',
+		},
+	});
+
+	registrations.set(userId, options.challenge);
+
+	return { userId, options };
+}
+
+async function POST(event: RequestEvent): Result<'POST', 'register'> {
+	const { userId, email, name, response } = await parseBody(event, APIUserRegistration);
+
+	const existing = await getUserByEmail(email);
+	if (existing) error(409, { message: 'Email already in use' });
+
+	const expectedChallenge = registrations.get(userId);
+	if (!expectedChallenge) error(404, { message: 'No registration challenge found for this user' });
+	registrations.delete(userId);
+
+	const { verified, registrationInfo } = await verifyRegistrationResponse({
+		response,
+		expectedChallenge,
+		expectedOrigin: config.auth.origin,
+	}).catch(() => error(400, { message: 'Verification failed' }));
+
+	if (!verified || !registrationInfo) error(401, { message: 'Verification failed' });
+
+	await db
+		.insertInto('users')
+		.values({ id: userId, name, email } as Schema['users'])
+		.executeTakeFirstOrThrow()
+		.catch(withError('Failed to create user'));
+
+	await createPasskey({
+		transports: [],
+		...registrationInfo.credential,
+		userId,
+		deviceType: registrationInfo.credentialDeviceType,
+		backedUp: registrationInfo.credentialBackedUp,
+	}).catch(e => error(500, { message: 'Failed to create passkey' + (config.debug ? `: ${e.message}` : '') }));
+
+	return await createSessionData(event, userId);
+}
+
+addRoute({
+	path: '/api/register',
+	params: {},
+	OPTIONS,
+	POST,
+});

package/web/api/schemas.ts

@@ -0,0 +1,22 @@
+import type { AuthenticatorTransportFuture } from '@simplewebauthn/server';
+import z from 'zod/v4';
+
+const transports = ['ble', 'cable', 'hybrid', 'internal', 'nfc', 'smart-card', 'usb'] satisfies AuthenticatorTransportFuture[];
+
+export const authenticatorAttachment = z.enum(['platform', 'cross-platform'] satisfies AuthenticatorAttachment[]).optional();
+
+export const PasskeyRegistration = z.object({
+	id: z.string(),
+	rawId: z.string(),
+	response: z.object({
+		clientDataJSON: z.string(),
+		attestationObject: z.string(),
+		authenticatorData: z.string().optional(),
+		transports: z.array(z.enum(transports)).optional(),
+		publicKeyAlgorithm: z.number().optional(),
+		publicKey: z.string().optional(),
+	}),
+	authenticatorAttachment,
+	clientExtensionResults: z.record(z.any(), z.any()),
+	type: z.literal('public-key'),
+});

package/web/api/session.ts

@@ -0,0 +1,33 @@
+import { authenticate } from '$lib/auth';
+import type { Result } from '@axium/core/api';
+import { connect, database as db } from '@axium/server/database.js';
+import { addRoute } from '@axium/server/routes.js';
+import { error } from '@sveltejs/kit';
+import { omit } from 'utilium';
+import { getToken, stripUser } from './utils';
+
+addRoute({
+	path: '/api/session',
+	async GET(event): Result<'GET', 'session'> {
+		const result = await authenticate(event);
+
+		if (!result) error(404, 'Session does not exist');
+
+		return {
+			...omit(result, 'token'),
+			user: stripUser(result.user, true),
+		};
+	},
+	async DELETE(event): Result<'DELETE', 'session'> {
+		const token = getToken(event);
+		connect();
+		const result = await db
+			.deleteFrom('sessions')
+			.where('sessions.token', '=', token)
+			.returningAll()
+			.executeTakeFirstOrThrow()
+			.catch((e: Error) => (e.message == 'no result' ? error(404, 'Session does not exist') : error(400, 'Invalid session')));
+
+		return omit(result, 'token');
+	},
+});

package/web/api/users.ts

@@ -0,0 +1,340 @@
+/** Register a new passkey for a new or existing user. */
+import type { Result } from '@axium/core/api';
+import { PasskeyAuthenticationResponse, UserAuthOptions } from '@axium/core/schemas';
+import { UserChangeable, type User } from '@axium/core/user';
+import {
+	createPasskey,
+	createVerification,
+	getPasskey,
+	getPasskeysByUserId,
+	getSession,
+	getSessions,
+	getUser,
+	useVerification,
+} from '@axium/server/auth.js';
+import { config } from '@axium/server/config.js';
+import { connect, database as db } from '@axium/server/database.js';
+import { addRoute } from '@axium/server/routes.js';
+import {
+	generateAuthenticationOptions,
+	generateRegistrationOptions,
+	verifyAuthenticationResponse,
+	verifyRegistrationResponse,
+} from '@simplewebauthn/server';
+import { error, type RequestEvent } from '@sveltejs/kit';
+import { omit, pick } from 'utilium';
+import z from 'zod/v4';
+import { PasskeyRegistration } from './schemas.js';
+import { checkAuth, createSessionData, parseBody, stripUser, withError } from './utils.js';
+
+interface UserAuth {
+	data: string;
+	type: UserAuthOptions['type'];
+}
+
+const challenges = new Map<string, UserAuth>();
+
+const params = { id: z.uuid() };
+
+/**
+ * Resolve a user's UUID using their email (in the future this might also include handles)
+ */
+addRoute({
+	path: '/api/user_id',
+	async POST(event): Result<'POST', 'user_id'> {
+		const { value } = await parseBody(event, z.object({ using: z.literal('email'), value: z.email() }));
+
+		connect();
+		const { id } = await db.selectFrom('users').select('id').where('email', '=', value).executeTakeFirst();
+		return { id };
+	},
+});
+
+addRoute({
+	path: '/api/users/:id',
+	params,
+	async GET(event): Result<'GET', 'users/:id'> {
+		const { id: userId } = event.params;
+
+		const authed = await checkAuth(event, userId)
+			.then(() => true)
+			.catch(() => false);
+
+		return stripUser(await getUser(userId), authed);
+	},
+	async PATCH(event): Result<'PATCH', 'users/:id'> {
+		const { id: userId } = event.params;
+		const body: UserChangeable & Pick<User, 'emailVerified'> = await parseBody(event, UserChangeable);
+
+		await checkAuth(event, userId);
+
+		const user = await getUser(userId);
+		if (!user) error(404, { message: 'User does not exist' });
+
+		if ('email' in body) body.emailVerified = null;
+
+		const result = await db
+			.updateTable('users')
+			.set(body)
+			.where('id', '=', userId)
+			.returningAll()
+			.executeTakeFirstOrThrow()
+			.catch(withError('Failed to update user'));
+
+		return stripUser(result, true);
+	},
+	async DELETE(event): Result<'DELETE', 'users/:id'> {
+		const { id: userId } = event.params;
+
+		await checkAuth(event, userId, true);
+
+		const user = await getUser(userId);
+		if (!user) error(404, { message: 'User does not exist' });
+
+		const result = await db
+			.deleteFrom('users')
+			.where('id', '=', userId)
+			.returningAll()
+			.executeTakeFirstOrThrow()
+			.catch(withError('Failed to delete user'));
+
+		return result;
+	},
+});
+
+addRoute({
+	path: '/api/users/:id/full',
+	params,
+	async GET(event): Result<'GET', 'users/:id/full'> {
+		const { id: userId } = event.params;
+
+		await checkAuth(event, userId);
+
+		const user = stripUser(await getUser(userId), true);
+
+		const sessions = await getSessions(userId);
+
+		return {
+			...user,
+			sessions: sessions.map(s => omit(s, 'token')),
+		};
+	},
+});
+
+addRoute({
+	path: '/api/users/:id/auth',
+	params,
+	async OPTIONS(event): Result<'OPTIONS', 'users/:id/auth'> {
+		const { id: userId } = event.params;
+		const { type } = await parseBody(event, UserAuthOptions);
+
+		const user = await getUser(userId);
+		if (!user) error(404, { message: 'User does not exist' });
+
+		const passkeys = await getPasskeysByUserId(userId);
+
+		if (!passkeys) error(409, { message: 'No passkeys exists for this user' });
+
+		const options = await generateAuthenticationOptions({
+			rpID: config.auth.rp_id,
+			allowCredentials: passkeys.map(passkey => pick(passkey, 'id', 'transports')),
+		});
+
+		challenges.set(userId, { data: options.challenge, type });
+
+		return options;
+	},
+	async POST(event: RequestEvent): Result<'POST', 'users/:id/auth'> {
+		const { id: userId } = event.params;
+		const response = await parseBody(event, PasskeyAuthenticationResponse);
+
+		const auth = challenges.get(userId);
+		if (!auth) error(404, { message: 'No challenge found for this user' });
+		const { data: expectedChallenge, type } = auth;
+		challenges.delete(userId);
+
+		const user = await getUser(userId);
+		if (!user) error(404, { message: 'User does not exist' });
+
+		const passkey = await getPasskey(response.id);
+		if (!passkey) error(404, { message: 'Passkey does not exist' });
+
+		if (passkey.userId !== userId) error(403, { message: 'Passkey does not belong to this user' });
+
+		const { verified } = await verifyAuthenticationResponse({
+			response,
+			credential: passkey,
+			expectedChallenge,
+			expectedOrigin: config.auth.origin,
+			expectedRPID: config.auth.rp_id,
+		}).catch(withError('Verification failed', 400));
+
+		if (!verified) error(401, { message: 'Verification failed' });
+
+		switch (type) {
+			case 'login':
+				return await createSessionData(event, userId);
+			case 'action':
+				if ((Date.now() - passkey.createdAt.getTime()) / 60_000 < config.auth.passkey_probation)
+					error(403, { message: 'You can not authorize sensitive actions with a newly created passkey' });
+
+				return await createSessionData(event, userId, true);
+		}
+	},
+});
+
+// Map of user ID => challenge
+const registrations = new Map<string, string>();
+
+addRoute({
+	path: '/api/users/:id/passkeys',
+	params,
+	/**
+	 * Get passkey registration options for a user.
+	 */
+	async OPTIONS(event: RequestEvent): Result<'OPTIONS', 'users/:id/passkeys'> {
+		const { id: userId } = event.params;
+
+		const user = await getUser(userId);
+		if (!user) error(404, { message: 'User does not exist' });
+
+		const existing = await getPasskeysByUserId(userId);
+
+		await checkAuth(event, userId);
+
+		const options = await generateRegistrationOptions({
+			rpName: config.auth.rp_name,
+			rpID: config.auth.rp_id,
+			userName: userId,
+			userDisplayName: user.email,
+			attestationType: 'none',
+			excludeCredentials: existing.map(passkey => pick(passkey, 'id', 'transports')),
+			authenticatorSelection: {
+				residentKey: 'preferred',
+				userVerification: 'preferred',
+				authenticatorAttachment: 'platform',
+			},
+		});
+
+		registrations.set(userId, options.challenge);
+
+		return options;
+	},
+
+	/**
+	 * Get passkeys for a user.
+	 */
+	async GET(event: RequestEvent): Result<'GET', 'users/:id/passkeys'> {
+		const { id: userId } = event.params;
+
+		const user = await getUser(userId);
+		if (!user) error(404, { message: 'User does not exist' });
+
+		await checkAuth(event, userId);
+
+		const passkeys = await getPasskeysByUserId(userId);
+
+		return passkeys.map(p => omit(p, 'publicKey', 'counter'));
+	},
+
+	/**
+	 * Register a new passkey for an existing user.
+	 */
+	async PUT(event: RequestEvent): Result<'PUT', 'users/:id/passkeys'> {
+		const { id: userId } = event.params;
+		const response = await parseBody(event, PasskeyRegistration);
+
+		const user = await getUser(userId);
+		if (!user) error(404, { message: 'User does not exist' });
+
+		await checkAuth(event, userId);
+
+		const expectedChallenge = registrations.get(userId);
+		if (!expectedChallenge) error(404, { message: 'No registration challenge found for this user' });
+		registrations.delete(userId);
+
+		const { verified, registrationInfo } = await verifyRegistrationResponse({
+			response,
+			expectedChallenge,
+			expectedOrigin: config.auth.origin,
+		}).catch(withError('Verification failed', 400));
+
+		if (!verified || !registrationInfo) error(401, { message: 'Verification failed' });
+
+		const passkey = await createPasskey({
+			transports: [],
+			...registrationInfo.credential,
+			userId,
+			deviceType: registrationInfo.credentialDeviceType,
+			backedUp: registrationInfo.credentialBackedUp,
+		}).catch(withError('Failed to create passkey'));
+
+		return omit(passkey, 'publicKey', 'counter');
+	},
+});
+
+addRoute({
+	path: '/api/users/:id/sessions',
+	params,
+	async GET(event): Result<'POST', 'users/:id/sessions'> {
+		const { id: userId } = event.params;
+
+		await checkAuth(event, userId);
+
+		return (await getSessions(userId).catch(e => error(503, 'Failed to get sessions' + (config.debug ? ': ' + e : '')))).map(s =>
+			pick(s, 'id', 'expires')
+		);
+	},
+	async DELETE(event: RequestEvent): Result<'DELETE', 'users/:id/sessions'> {
+		const { id: userId } = event.params;
+		const { id: sessionId } = await parseBody(event, z.object({ id: z.uuid() }));
+
+		await checkAuth(event, userId);
+
+		const session = await getSession(sessionId).catch(withError('Session does not exist', 404));
+
+		if (session.userId !== userId) error(403, { message: 'Session does not belong to the user' });
+
+		await db
+			.deleteFrom('sessions')
+			.where('sessions.id', '=', session.id)
+			.executeTakeFirstOrThrow()
+			.catch(withError('Failed to delete session'));
+
+		return;
+	},
+});
+
+addRoute({
+	path: '/api/users/:id/verify_email',
+	params,
+	async GET(event): Result<'GET', 'users/:id/verify_email'> {
+		const { id: userId } = event.params;
+
+		await checkAuth(event, userId);
+
+		const user = await getUser(userId);
+		if (!user) error(404, { message: 'User does not exist' });
+
+		if (user.emailVerified) error(409, { message: 'Email already verified' });
+
+		const verification = await createVerification('verify_email', userId, config.auth.verification_timeout * 60);
+
+		return omit(verification, 'token', 'role');
+	},
+	async POST(event: RequestEvent): Result<'POST', 'users/:id/verify_email'> {
+		const { id: userId } = event.params;
+		const { token } = await parseBody(event, z.object({ token: z.string() }));
+
+		await checkAuth(event, userId);
+
+		const user = await getUser(userId);
+		if (!user) error(404, { message: 'User does not exist' });
+
+		if (user.emailVerified) error(409, { message: 'Email already verified' });
+
+		await useVerification('verify_email', userId, token).catch(withError('Invalid or expired verification token', 400));
+
+		return {};
+	},
+});

package/web/api/utils.ts

@@ -0,0 +1,66 @@
+import { userProtectedFields, userPublicFields, type User } from '@axium/core/user';
+import type { NewSessionResponse } from '@axium/core/api';
+import { createSession, getSessionAndUser, type UserInternal } from '@axium/server/auth.js';
+import { config } from '@axium/server/config.js';
+import { error, type RequestEvent } from '@sveltejs/kit';
+import { pick } from 'utilium';
+import z from 'zod/v4';
+
+export async function parseBody<const Schema extends z.ZodType, const Result extends z.infer<Schema> = z.infer<Schema>>(
+	event: RequestEvent,
+	schema: Schema
+): Promise<Result> {
+	const contentType = event.request.headers.get('content-type');
+	if (!contentType || !contentType.includes('application/json')) error(415, { message: 'Invalid content type' });
+
+	const body: unknown = await event.request.json().catch(() => error(415, { message: 'Invalid JSON' }));
+
+	try {
+		return schema.parse(body) as Result;
+	} catch (e: any) {
+		error(400, { message: z.prettifyError(e) });
+	}
+}
+
+export function getToken(event: RequestEvent, sensitive: boolean = false): string | undefined {
+	const header_token = event.request.headers.get('Authorization')?.replace('Bearer ', '');
+	if (header_token) return header_token;
+
+	if (config.debug || config.api.cookie_auth) {
+		return event.cookies.get(sensitive ? 'elevated_token' : 'session_token');
+	}
+}
+
+export async function checkAuth(event: RequestEvent, userId: string, sensitive: boolean = false): Promise<void> {
+	const token = getToken(event, sensitive);
+
+	if (!token) throw error(401, { message: 'Missing token' });
+
+	const { user, elevated } = await getSessionAndUser(token).catch(() => error(401, { message: 'Invalid or expired session' }));
+
+	if (user?.id !== userId /* && !user.isAdmin */) error(403, { message: 'User ID mismatch' });
+
+	if (!elevated && sensitive) error(403, 'This token can not be used for sensitive actions');
+}
+
+export async function createSessionData(event: RequestEvent, userId: string, elevated: boolean = false): Promise<NewSessionResponse> {
+	const { token } = await createSession(userId, elevated);
+
+	if (elevated) {
+		event.cookies.set('elevated_token', token, { httpOnly: true, path: '/', expires: new Date(Date.now() + 10 * 60_000) });
+		return { userId, token: '[[redacted:elevated]]' };
+	} else {
+		event.cookies.set('session_token', token, { httpOnly: config.auth.secure_cookies, path: '/' });
+		return { userId, token };
+	}
+}
+
+export function stripUser(user: UserInternal, includeProtected: boolean = false): User {
+	return pick(user, ...userPublicFields, ...(includeProtected ? userProtectedFields : []));
+}
+
+export function withError(text: string, code: number = 500) {
+	return function (e: Error) {
+		error(code, { message: text + (config.debug ? `: ${e.message}` : '') });
+	};
+}

package/web/auth.ts

@@ -1,12 +1,8 @@
-import { SvelteKitAuth } from '@auth/sveltekit';
+import { allLogLevels } from 'logzen';
 import { createWriteStream } from 'node:fs';
 import { join } from 'node:path/posix';
-import { getConfig } from '../dist/auth.js';
 import config from '../dist/config.js';
 import { findDir, logger } from '../dist/io.js';
-import { allLogLevels } from 'logzen';
 
 logger.attach(createWriteStream(join(findDir(false), 'server.log')), { output: allLogLevels });
 await config.loadDefaults();
-
-export const { handle, signIn, signOut } = SvelteKitAuth(getConfig());

package/web/hooks.server.ts

@@ -1 +1,6 @@
-export { handle } from './auth.js';
+import { loadDefaultConfigs } from '@axium/server/config.js';
+import { _markDefaults } from '@axium/server/routes.js';
+import './api/index.js';
+
+_markDefaults();
+await loadDefaultConfigs();

package/web/index.server.ts

@@ -1,2 +1 @@
-export * from './actions.js';
 export * from './utils.js';

package/web/lib/Dialog.svelte

@@ -1,12 +1,9 @@
 <script>
-	let { show, children, onclose = () => (show = false), ...rest } = $props();
-
-	let dialog = $state();
-	$effect(() => show && dialog.showModal());
-	$effect(() => !show && dialog.close());
+	let { children, dialog = $bindable(), ...rest } = $props();
+	import './styles.css';
 </script>
 
-<dialog bind:this={dialog} {onclose} {...rest}>
+<dialog bind:this={dialog} {...rest}>
 	{@render children()}
 </dialog>