@axium/server 0.8.0 → 0.10.0

package/dist/routes.d.ts

@@ -1,9 +1,10 @@
 import type { RequestMethod } from '@axium/core/requests';
-import type { LoadEvent, RequestEvent } from '@sveltejs/kit';
+import type { RequestEvent } from '@sveltejs/kit';
 import type { Component } from 'svelte';
 import type z from 'zod/v4';
 type _Params = Partial<Record<string, string>>;
-export type EndpointHandlers<Params extends _Params = _Params> = Partial<Record<RequestMethod, (event: RequestEvent<Params>) => object | Promise<object>>>;
+type MaybePromise<T> = T | Promise<T>;
+export type EndpointHandlers<Params extends _Params = _Params> = Partial<Record<RequestMethod, (event: RequestEvent<Params>) => MaybePromise<object | Response>>>;
 export type RouteParamOptions = z.ZodType;
 export interface CommonRouteOptions<Params extends _Params = _Params> {
     path: string;
@@ -15,6 +16,7 @@ export interface CommonRouteOptions<Params extends _Params = _Params> {
  * A route with server-side handlers for different HTTP methods.
  */
 export interface ServerRouteOptions<Params extends _Params = _Params> extends CommonRouteOptions<Params>, EndpointHandlers<Params> {
+    api?: boolean;
 }
 export interface WebRouteOptions extends CommonRouteOptions {
     load?(event: RequestEvent): object | Promise<object>;
@@ -25,31 +27,28 @@ export type RouteOptions = ServerRouteOptions | WebRouteOptions;
 export interface RouteCommon {
     path: string;
     params?: Record<string, RouteParamOptions>;
-    [kBuiltin]: boolean;
 }
 export interface ServerRoute extends RouteCommon, EndpointHandlers {
+    api: boolean;
     server: true;
 }
 export interface WebRoute extends RouteCommon {
     server: false;
-    load?(event: LoadEvent): object | Promise<object>;
-    page?: Component;
+    load?(event: RequestEvent): object | Promise<object>;
+    page: Component;
 }
 export type Route = ServerRoute | WebRoute;
 /**
  * @internal
  */
 export declare const routes: Map<string, Route>;
-declare const kBuiltin: unique symbol;
-export declare function addRoute(opt: RouteOptions, _routeMap?: Map<string, Route>): void;
+export declare function addRoute(opt: RouteOptions): void;
 /**
  * Resolve a request URL into a route.
  * This handles parsing of parameters in the URL.
  */
-export declare function resolveRoute<T extends Route>(event: RequestEvent | LoadEvent, _routeMap?: Map<string, T>): T | undefined;
-/**
- * This function marks all existing routes as built-in.
- * @internal
- */
-export declare function _markDefaults(): void;
+export declare function resolveRoute(event: {
+    url: URL;
+    params?: object;
+}): Route | undefined;
 export {};

package/dist/routes.js

@@ -1,39 +1,47 @@
+import { apps } from './apps.js';
+import config from './config.js';
+import { output } from './io.js';
+import { _unique } from './state.js';
 /**
  * @internal
  */
-export const routes = new Map();
-const kBuiltin = Symbol('kBuiltin');
-export function addRoute(opt, _routeMap = routes) {
-    const route = { ...opt, server: !('page' in opt), [kBuiltin]: false };
+export const routes = _unique('routes', new Map());
+export function addRoute(opt) {
+    const route = { ...opt, server: !('page' in opt) };
     if (!route.path.startsWith('/')) {
         throw new Error(`Route path must start with a slash: ${route.path}`);
     }
-    if (route.path.startsWith('/api/') && !route.server) {
+    if (route.path.startsWith('/api/'))
+        route.api = true;
+    if (route.api && !route.server)
         throw new Error(`API routes cannot have a client page: ${route.path}`);
-    }
-    _routeMap.set(route.path, route);
+    routes.set(route.path, route);
+    output.debug('Added route: ' + route.path);
 }
 /**
  * Resolve a request URL into a route.
  * This handles parsing of parameters in the URL.
  */
-export function resolveRoute(event, _routeMap = routes) {
+export function resolveRoute(event) {
     const { pathname } = event.url;
-    if (_routeMap.has(pathname) && !pathname.split('/').some(p => p.startsWith(':')))
-        return _routeMap.get(pathname);
+    if (routes.has(pathname) && !pathname.split('/').some(p => p.startsWith(':')))
+        return routes.get(pathname);
     // Otherwise we must have a parameterized route
-    routes: for (const route of _routeMap.values()) {
+    _routes: for (const route of routes.values()) {
         const params = {};
         // Split the path and route into parts, zipped together
         const pathParts = pathname.split('/').filter(Boolean);
+        // Skips routes in disabled apps
+        if (apps.has(pathParts[0]) && config.apps.disabled.includes(pathParts[0]))
+            continue;
         for (const routePart of route.path.split('/').filter(Boolean)) {
             const pathPart = pathParts.shift();
             if (!pathPart)
-                continue routes;
+                continue _routes;
             if (pathPart == routePart)
                 continue;
             if (!routePart.startsWith(':'))
-                continue routes;
+                continue _routes;
             params[routePart.slice(1)] = pathPart;
         }
         // we didn't find a match, since an exact match would have been found already
@@ -43,12 +51,3 @@ export function resolveRoute(event, _routeMap = routes) {
         return route;
     }
 }
-/**
- * This function marks all existing routes as built-in.
- * @internal
- */
-export function _markDefaults() {
-    for (const route of routes.values()) {
-        route[kBuiltin] = true;
-    }
-}

package/dist/serve.d.ts

@@ -0,0 +1,7 @@
+import type { Server } from 'node:http';
+export interface ServeOptions {
+    secure: boolean;
+    ssl_key: string;
+    ssl_cert: string;
+}
+export declare function serve(opt: Partial<ServeOptions>): Promise<Server>;

package/dist/serve.js

@@ -0,0 +1,11 @@
+import { readFileSync } from 'node:fs';
+import { createServer } from 'node:http';
+import { createServer as createSecureServer } from 'node:https';
+import config from './config.js';
+const _handlerPath = '../build/handler.js';
+export async function serve(opt) {
+    const { handler } = await import(_handlerPath);
+    if (!opt.secure && !config.web.secure)
+        return createServer(handler);
+    return createSecureServer({ key: readFileSync(opt.ssl_key || config.web.ssl_key), cert: readFileSync(opt.ssl_cert || config.web.ssl_cert) }, handler);
+}

package/dist/state.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Prevent duplicate shared state.
+ */
+export declare function _unique<T>(id: string, value: T): T;

package/dist/state.js

@@ -0,0 +1,22 @@
+import { styleText } from 'node:util';
+const sym = Symbol.for('Axium:state');
+globalThis[sym] ||= Object.create({ _errored: false });
+/**
+ * Prevent duplicate shared state.
+ */
+export function _unique(id, value) {
+    const state = globalThis[sym];
+    const _err = new Error();
+    Error.captureStackTrace(_err, _unique);
+    const stack = _err.stack.slice(6);
+    if (!(id in state)) {
+        state[id] = { value, stack };
+        return value;
+    }
+    if (!state._errored) {
+        console.error(styleText('red', 'Duplicate Axium server state! You might have multiple instances of the same module loaded.'));
+        state._errored = true;
+    }
+    console.warn(styleText('yellow', `Mitigating duplicate state! (${id})\n${stack}\nFrom original\n${state[id].stack}`));
+    return state[id].value;
+}

package/dist/sveltekit.d.ts

@@ -0,0 +1,8 @@
+import type { RequestEvent, ResolveOptions } from '@sveltejs/kit';
+/**
+ * @internal
+ */
+export declare function handle({ event, resolve, }: {
+    event: RequestEvent;
+    resolve: (event: RequestEvent, opts?: ResolveOptions) => Promise<Response>;
+}): Promise<Response>;

package/dist/sveltekit.js

@@ -0,0 +1,90 @@
+import { error, json, redirect } from '@sveltejs/kit';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path/posix';
+import { render } from 'svelte/server';
+import z from 'zod/v4';
+import { config } from './config.js';
+import { resolveRoute } from './routes.js';
+async function handleAPIRequest(event, route) {
+    const method = event.request.method;
+    const _warnings = [];
+    if (route.api && !event.request.headers.get('Accept')?.includes('application/json')) {
+        _warnings.push('Only application/json is supported');
+        event.request.headers.set('Accept', 'application/json');
+    }
+    for (const [key, type] of Object.entries(route.params || {})) {
+        if (!type)
+            continue;
+        try {
+            event.params[key] = type.parse(event.params[key]);
+        }
+        catch (e) {
+            error(400, `Invalid parameter: ${z.prettifyError(e)}`);
+        }
+    }
+    if (typeof route[method] != 'function')
+        error(405, `Method ${method} not allowed for ${route.path}`);
+    const result = await route[method](event);
+    if (result instanceof Response)
+        return result;
+    result._warnings ||= [];
+    result._warnings.push(..._warnings);
+    return json(result);
+}
+function handleError(e) {
+    if ('body' in e)
+        return json(e.body, { status: e.status });
+    console.error(e);
+    return json({ message: 'Internal Error' + (config.debug ? ': ' + e.message : '') }, { status: 500 });
+}
+const templatePath = join(import.meta.dirname, '../web/template.html');
+const template = readFileSync(templatePath, 'utf-8');
+function fillTemplate({ head, body }, env = {}, nonce = '') {
+    return (template
+        .replace('%sveltekit.head%', head)
+        .replace('%sveltekit.body%', body)
+        .replace(/%sveltekit\.assets%/g, config.web.assets)
+        // Unused for now.
+        .replace(/%sveltekit\.nonce%/g, nonce)
+        .replace(/%sveltekit\.env\.([^%]+)%/g, (_match, capture) => env[capture] ?? ''));
+}
+/**
+ * @internal
+ */
+export async function handle({ event, resolve, }) {
+    const route = resolveRoute(event);
+    if (!route && event.url.pathname === '/')
+        redirect(303, '/_axium/default');
+    if (config.debug)
+        console.log(event.request.method.padEnd(7), route ? route.path : event.url.pathname);
+    if (!route)
+        return await resolve(event).catch(handleError);
+    if (route.server == true) {
+        if (route.api)
+            return await handleAPIRequest(event, route).catch(handleError);
+        const run = route[event.request.method];
+        if (typeof run !== 'function') {
+            error(405, `Method ${event.request.method} not allowed for ${route.path}`);
+        }
+        try {
+            const result = await run(event);
+            if (result instanceof Response)
+                return result;
+            return json(result);
+        }
+        catch (e) {
+            return handleError(e);
+        }
+    }
+    const data = await route.load?.(event);
+    const body = fillTemplate(render(route.page));
+    return new Response(body, {
+        headers: {
+            'Content-Type': 'text/html; charset=utf-8',
+            'Cache-Control': 'no-cache, no-store, must-revalidate',
+            Pragma: 'no-cache',
+            Expires: '0',
+        },
+        status: 200,
+    });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@axium/server",
-	"version": "0.8.0",
+	"version": "0.10.0",
 	"author": "James Prevett <axium@jamespre.dev> (https://jamespre.dev)",
 	"funding": {
 		"type": "individual",
@@ -19,13 +19,17 @@
 	"types": "dist/index.d.ts",
 	"exports": {
 		".": "./dist/index.js",
-		"./*": "./dist/*",
-		"./web": "./web/index.js",
-		"./web/*": "./web/*"
+		"./*": "./dist/*.js",
+		"./web/*": "./web/*",
+		"./$routes": "./routes",
+		"./svelte.config.js": "./svelte.config.js"
 	},
 	"files": [
+		"assets",
 		"dist",
-		"web"
+		"routes",
+		"web",
+		"svelte.config.js"
 	],
 	"bin": {
 		"axium": "dist/cli.js"
@@ -33,18 +37,22 @@
 	"scripts": {
 		"build": "tsc"
 	},
+	"peerDependencies": {
+		"@axium/client": ">=0.0.2",
+		"@axium/core": ">=0.3.0",
+		"utilium": "^2.3.8",
+		"zod": "^3.25.61"
+	},
 	"dependencies": {
+		"@axium/server": "file:.",
 		"@simplewebauthn/server": "^13.1.1",
 		"@sveltejs/kit": "^2.20.2",
 		"@types/pg": "^8.11.11",
 		"commander": "^13.1.0",
-		"kysely": "^0.27.5",
+		"kysely": "^0.28.0",
 		"logzen": "^0.7.0",
 		"mime": "^4.0.7",
-		"pg": "^8.14.1",
-		"utilium": "^2.3.8",
-		"zod": "^3.25.61",
-		"@axium/core": ">=0.2.0"
+		"pg": "^8.14.1"
 	},
 	"devDependencies": {
 		"@sveltejs/adapter-node": "^5.2.12",

package/{web/routes → routes}/account/+page.svelte

@@ -1,32 +1,47 @@
 <script lang="ts">
+	import { goto } from '$app/navigation';
+	import ClipboardCopy from '$lib/ClipboardCopy.svelte';
 	import FormDialog from '$lib/FormDialog.svelte';
 	import Icon from '$lib/icons/Icon.svelte';
 	import {
-		currentSession,
+		createPasskey,
 		deletePasskey,
+		deleteUser,
+		emailVerificationEnabled,
+		getCurrentSession,
 		getPasskeys,
+		getSessions,
+		logout,
+		logoutAll,
 		sendVerificationEmail,
 		updatePasskey,
 		updateUser,
-		createPasskey,
-		deleteUser,
 	} from '@axium/client/user';
-	import type { Passkey } from '@axium/core/api';
+	import type { Passkey, Session } from '@axium/core/api';
 	import { getUserImage, type User } from '@axium/core/user';
 
 	const dialogs = $state<Record<string, HTMLDialogElement>>({});
 
 	let verificationSent = $state(false);
+	let currentSession = $state<Session & { user: User }>();
 	let user = $state<User>();
+	let canVerify = $state(false);
+	let passkeys = $state<Passkey[]>([]);
+	let sessions = $state<Session[]>([]);
 
 	async function ready() {
-		const session = await currentSession();
-		user = session.user;
+		currentSession = await getCurrentSession().catch(() => {
+			goto('/login?after=/account');
+			return null;
+		})!;
+		user = currentSession.user;
 
 		passkeys = await getPasskeys(user.id);
-	}
 
-	let passkeys = $state<Passkey[]>([]);
+		sessions = await getSessions(user.id);
+
+		canVerify = await emailVerificationEnabled(user.id);
+	}
 
 	async function _editUser(data) {
 		const result = await updateUser(user.id, data);
@@ -39,14 +54,8 @@
 </svelte:head>
 
 {#snippet action(name: string, i: string = 'pen')}
-	<button
-		style:display="contents"
-		style:cursor="pointer"
-		onclick={() => {
-			dialogs[name].showModal();
-		}}
-	>
-		<Icon {i} />
+	<button style:display="contents" onclick={() => dialogs[name].showModal()}>
+		<Icon {i} --size="16px" />
 	</button>
 {/snippet}
 
@@ -56,9 +65,10 @@
 		<p class="greeting">Welcome, {user.name}</p>
 
 		<div class="section main">
-			<div class="item">
-				<span class="subtle">Name</span>
-				<span>{user.name}</span>
+			<h3>Personal Information</h3>
+			<div class="item info">
+				<p class="subtle">Name</p>
+				<p>{user.name}</p>
 				{@render action('edit_name')}
 			</div>
 			<FormDialog bind:dialog={dialogs.edit_name} submit={_editUser} submitText="Change">
@@ -67,20 +77,20 @@
 					<input name="name" type="text" value={user.name || ''} required />
 				</div>
 			</FormDialog>
-			<div class="item">
-				<span class="subtle">Email</span>
-				<span>
+			<div class="item info">
+				<p class="subtle">Email</p>
+				<p>
 					{user.email}
 					{#if user.emailVerified}
-						<dfn title="Email verified on {new Date(user.emailVerified).toLocaleDateString()}">
+						<dfn title="Email verified on {user.emailVerified.toLocaleDateString()}">
 							<Icon i="regular/circle-check" />
 						</dfn>
-					{:else}
+					{:else if canVerify}
 						<button onclick={() => sendVerificationEmail(user.id).then(() => (verificationSent = true))}>
 							{verificationSent ? 'Verification email sent' : 'Verify'}
 						</button>
 					{/if}
-				</span>
+				</p>
 				{@render action('edit_email')}
 			</div>
 			<FormDialog bind:dialog={dialogs.edit_email} submit={_editUser} submitText="Change">
@@ -90,16 +100,20 @@
 				</div>
 			</FormDialog>
 
-			<div class="item">
-				<p class="subtle">User ID <dfn title="This is your UUID."><Icon i="regular/circle-info" /></dfn></p>
+			<div class="item info">
+				<p class="subtle">User ID <dfn title="This is your UUID. It can't be changed."><Icon i="regular/circle-info" /></dfn></p>
 				<p>{user.id}</p>
+				<ClipboardCopy value={user.id} --size="16px" />
 			</div>
 			<span>
 				<a class="signout" href="/logout"><button>Sign out</button></a>
-				<button style:cursor="pointer" onclick={() => dialogs.delete.showModal()} style:width="fit-content" class="danger"
-					>Delete Account</button
+				<button style:cursor="pointer" onclick={() => dialogs.delete.showModal()} class="danger">Delete Account</button>
+				<FormDialog
+					bind:dialog={dialogs.delete}
+					submit={() => deleteUser(user.id).then(() => goto('/'))}
+					submitText="Delete Account"
+					submitDanger
 				>
-				<FormDialog bind:dialog={dialogs.delete} submit={() => deleteUser(user.id)} submitText="Delete Account" submitDanger>
 					<p>Are you sure you want to delete your account?<br />This action can't be undone.</p>
 				</FormDialog>
 			</span>
@@ -108,25 +122,25 @@
 		<div class="section main">
 			<h3>Passkeys</h3>
 			{#each passkeys as passkey}
-				<div class="passkey">
+				<div class="item passkey">
 					<dfn title={passkey.deviceType == 'multiDevice' ? 'Multiple devices' : 'Single device'}>
-						<Icon i={passkey.deviceType == 'multiDevice' ? 'laptop-mobile' : 'mobile'} />
+						<Icon i={passkey.deviceType == 'multiDevice' ? 'laptop-mobile' : 'mobile'} --size="16px" />
 					</dfn>
 					<dfn title="This passkey is {passkey.backedUp ? '' : 'not '}backed up">
-						<Icon i={passkey.backedUp ? 'circle-check' : 'circle-xmark'} />
+						<Icon i={passkey.backedUp ? 'circle-check' : 'circle-xmark'} --size="16px" />
 					</dfn>
-					<p>Created {new Date(passkey.createdAt).toLocaleString()}</p>
 					{#if passkey.name}
 						<p>{passkey.name}</p>
 					{:else}
 						<p class="subtle"><i>Unnamed</i></p>
 					{/if}
+					<p>Created {passkey.createdAt.toLocaleString()}</p>
 					{@render action('edit_passkey#' + passkey.id)}
 					{#if passkeys.length > 1}
 						{@render action('delete_passkey#' + passkey.id, 'trash')}
 					{:else}
 						<dfn title="You must have at least one passkey" class="disabled">
-							<Icon i="trash-slash" --fill="#888" />
+							<Icon i="trash-slash" --fill="#888" --size="16px" />
 						</dfn>
 					{/if}
 				</div>
@@ -153,12 +167,56 @@
 					<p>Are you sure you want to delete this passkey?<br />This action can't be undone.</p>
 				</FormDialog>
 			{/each}
-			<button onclick={() => createPasskey(user.id).then(passkeys.push.bind(passkeys))}><Icon i="plus" /> Create</button>
+			<span>
+				<button onclick={() => createPasskey(user.id).then(passkeys.push.bind(passkeys))}><Icon i="plus" /> Create</button>
+			</span>
+		</div>
+
+		<div class="section main">
+			<h3>Sessions</h3>
+			{#each sessions as session}
+				<div class="item session">
+					<p>
+						{session.id.slice(0, 4)}...{session.id.slice(-4)}
+						{#if session.id == currentSession.id}
+							<span class="current">Current</span>
+						{/if}
+						{#if session.elevated}
+							<span class="elevated">Elevated</span>
+						{/if}
+					</p>
+					<p>Created {session.created.toLocaleString()}</p>
+					<p>Expires {session.expires.toLocaleString()}</p>
+					{@render action('logout#' + session.id, 'right-from-bracket')}
+				</div>
+				<FormDialog
+					bind:dialog={dialogs['logout#' + session.id]}
+					submit={() =>
+						logout(user.id, session.id).then(() => {
+							if (session.id == currentSession.id) goto('/');
+							else sessions.splice(sessions.indexOf(session), 1);
+						})}
+					submitText="Logout"
+				>
+					<p>Are you sure you want to log out this session?</p>
+				</FormDialog>
+			{/each}
+			<span>
+				<button onclick={() => dialogs.logout_all.showModal()} class="danger">Logout All</button>
+			</span>
+			<FormDialog
+				bind:dialog={dialogs['logout_all']}
+				submit={() => logoutAll(user.id).then(() => goto('/'))}
+				submitText="Logout All Sessions"
+				submitDanger
+			>
+				<p>Are you sure you want to log out all sessions?</p>
+			</FormDialog>
 		</div>
 	</div>
 {:catch error}
 	<div class="error">
-		<h3>Failed to load your account</h3>
+		<h3>Failed to load account</h3>
 		<p>{'message' in error ? error.message : error}</p>
 	</div>
 {/await}
@@ -191,12 +249,16 @@
 
 	.section .item {
 		display: grid;
-		grid-template-columns: 10em 1fr 2em;
 		align-items: center;
 		width: 100%;
 		gap: 1em;
 		text-wrap: nowrap;
+		border-top: 1px solid #8888;
 		padding-bottom: 1em;
+	}
+
+	.info {
+		grid-template-columns: 10em 1fr 2em;
 
 		> :first-child {
 			margin-left: 1em;
@@ -204,21 +266,26 @@
 	}
 
 	.passkey {
-		display: grid;
 		grid-template-columns: 1em 1em 1fr 1fr 1em 1em;
-		border-top: 1px solid #8888;
-		align-items: center;
-		width: 100%;
-		gap: 1em;
-		text-wrap: nowrap;
-		padding-bottom: 1em;
 
-		dfn {
+		dfn:not(.disabled) {
 			cursor: help;
 		}
+	}
+
+	.session {
+		grid-template-columns: 1fr 1fr 1fr 1em;
+
+		.current {
+			border-radius: 2em;
+			padding: 0 0.5em;
+			background-color: #337;
+		}
 
-		dfn.disabled {
-			cursor: not-allowed;
+		.elevated {
+			border-radius: 2em;
+			padding: 0 0.5em;
+			background-color: #733;
 		}
 	}
 </style>

package/svelte.config.js

@@ -0,0 +1,36 @@
+import node from '@sveltejs/adapter-node';
+import { vitePreprocess } from '@sveltejs/vite-plugin-svelte';
+import { join } from 'node:path/posix';
+
+/**
+ * Paths relative to the directory of this file.
+ * This allows this file to be imported from other projects and still resolve to the correct paths.
+ */
+const fixed = p => join(import.meta.dirname, p);
+
+/** @type {import('@sveltejs/kit').Config} */
+export default {
+	compilerOptions: {
+		runes: true,
+	},
+	preprocess: vitePreprocess({ script: true }),
+	vitePlugin: {
+		exclude: '@axium/server/**',
+	},
+	kit: {
+		adapter: node(),
+		alias: {
+			$stores: fixed('web/stores'),
+			$lib: fixed('web/lib'),
+		},
+		files: {
+			routes: 'routes',
+			lib: fixed('web/lib'),
+			assets: fixed('assets'),
+			appTemplate: fixed('web/template.html'),
+			hooks: {
+				server: fixed('web/hooks.server.ts'),
+			},
+		},
+	},
+};