@axium/server 0.9.0 → 0.10.0

package/{web/api/index.ts → dist/api/index.d.ts}

@@ -3,5 +3,3 @@ import './passkeys.js';
 import './register.js';
 import './session.js';
 import './users.js';
-export * from './schemas.js';
-export * from './utils.js';

package/dist/api/index.js

@@ -0,0 +1,5 @@
+import './metadata.js';
+import './passkeys.js';
+import './register.js';
+import './session.js';
+import './users.js';

package/dist/api/metadata.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/api/metadata.js

@@ -0,0 +1,28 @@
+import { requestMethods } from '@axium/core/requests';
+import { error } from '@sveltejs/kit';
+import pkg from '../../package.json' with { type: 'json' };
+import { config } from '../config.js';
+import { plugins } from '../plugins.js';
+import { addRoute, routes } from '../routes.js';
+addRoute({
+    path: '/api/metadata',
+    async GET() {
+        if (config.api.disable_metadata) {
+            error(401, { message: 'API metadata is disabled' });
+        }
+        return {
+            version: pkg.version,
+            routes: Object.fromEntries(routes
+                .entries()
+                .filter(([path]) => path.startsWith('/api/'))
+                .map(([path, route]) => [
+                path,
+                {
+                    params: Object.fromEntries(Object.entries(route.params || {}).map(([key, type]) => [key, type ? type.def.type : null])),
+                    methods: requestMethods.filter(m => m in route),
+                },
+            ])),
+            plugins: Object.fromEntries(plugins.values().map(plugin => [plugin.name, plugin.version])),
+        };
+    },
+});

package/dist/api/passkeys.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/api/passkeys.js

@@ -0,0 +1,50 @@
+import { PasskeyChangeable } from '@axium/core/schemas';
+import { error } from '@sveltejs/kit';
+import { omit } from 'utilium';
+import z from 'zod/v4';
+import { getPasskey } from '../auth.js';
+import { database as db } from '../database.js';
+import { addRoute } from '../routes.js';
+import { checkAuth, parseBody, withError } from '../requests.js';
+addRoute({
+    path: '/api/passkeys/:id',
+    params: {
+        id: z.string(),
+    },
+    async GET(event) {
+        const passkey = await getPasskey(event.params.id);
+        await checkAuth(event, passkey.userId);
+        return omit(passkey, 'counter', 'publicKey');
+    },
+    async PATCH(event) {
+        const body = await parseBody(event, PasskeyChangeable);
+        const passkey = await getPasskey(event.params.id);
+        await checkAuth(event, passkey.userId);
+        const result = await db
+            .updateTable('passkeys')
+            .set(body)
+            .where('id', '=', passkey.id)
+            .returningAll()
+            .executeTakeFirstOrThrow()
+            .catch(withError('Could not update passkey'));
+        return omit(result, 'counter', 'publicKey');
+    },
+    async DELETE(event) {
+        const passkey = await getPasskey(event.params.id);
+        await checkAuth(event, passkey.userId);
+        const { count } = await db
+            .selectFrom('passkeys')
+            .select(db.fn.countAll().as('count'))
+            .where('userId', '=', passkey.userId)
+            .executeTakeFirstOrThrow();
+        if (Number(count) <= 1)
+            error(409, 'At least one passkey is required');
+        const result = await db
+            .deleteFrom('passkeys')
+            .where('id', '=', passkey.id)
+            .returningAll()
+            .executeTakeFirstOrThrow()
+            .catch(withError('Could not delete passkey'));
+        return omit(result, 'counter', 'publicKey');
+    },
+});

package/dist/api/register.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/api/register.js

@@ -0,0 +1,70 @@
+import { APIUserRegistration } from '@axium/core/schemas';
+import { generateRegistrationOptions, verifyRegistrationResponse } from '@simplewebauthn/server';
+import { error } from '@sveltejs/kit';
+import { randomUUID } from 'node:crypto';
+import z from 'zod/v4';
+import { createPasskey, getUser } from '../auth.js';
+import config from '../config.js';
+import { database as db } from '../database.js';
+import { addRoute } from '../routes.js';
+import { createSessionData, parseBody, withError } from '../requests.js';
+// Map of user ID => challenge
+const registrations = new Map();
+async function OPTIONS(event) {
+    const { name, email } = await parseBody(event, z.object({ name: z.string().optional(), email: z.email().optional() }));
+    const userId = randomUUID();
+    const user = await getUser(userId).catch(() => null);
+    if (user)
+        error(409, { message: 'Generated UUID is already in use, please retry.' });
+    const options = await generateRegistrationOptions({
+        rpName: config.auth.rp_name,
+        rpID: config.auth.rp_id,
+        userName: email ?? userId,
+        userDisplayName: name,
+        attestationType: 'none',
+        excludeCredentials: [],
+        authenticatorSelection: {
+            residentKey: 'preferred',
+            userVerification: 'preferred',
+            authenticatorAttachment: 'platform',
+        },
+    });
+    registrations.set(userId, options.challenge);
+    return { userId, options };
+}
+async function POST(event) {
+    const { userId, email, name, response } = await parseBody(event, APIUserRegistration);
+    const existing = await db.selectFrom('users').selectAll().where('email', '=', email).executeTakeFirst();
+    if (existing)
+        error(409, { message: 'Email already in use' });
+    const expectedChallenge = registrations.get(userId);
+    if (!expectedChallenge)
+        error(404, { message: 'No registration challenge found for this user' });
+    registrations.delete(userId);
+    const { verified, registrationInfo } = await verifyRegistrationResponse({
+        response,
+        expectedChallenge,
+        expectedOrigin: config.auth.origin,
+    }).catch(() => error(400, { message: 'Verification failed' }));
+    if (!verified || !registrationInfo)
+        error(401, { message: 'Verification failed' });
+    await db
+        .insertInto('users')
+        .values({ id: userId, name, email })
+        .executeTakeFirstOrThrow()
+        .catch(withError('Failed to create user'));
+    await createPasskey({
+        transports: [],
+        ...registrationInfo.credential,
+        userId,
+        deviceType: registrationInfo.credentialDeviceType,
+        backedUp: registrationInfo.credentialBackedUp,
+    }).catch(e => error(500, { message: 'Failed to create passkey' + (config.debug ? `: ${e.message}` : '') }));
+    return await createSessionData(event, userId);
+}
+addRoute({
+    path: '/api/register',
+    params: {},
+    OPTIONS,
+    POST,
+});

package/dist/api/session.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/api/session.js

@@ -0,0 +1,31 @@
+import { error } from '@sveltejs/kit';
+import { omit } from 'utilium';
+import { authenticate } from '../auth.js';
+import { connect, database as db } from '../database.js';
+import { addRoute } from '../routes.js';
+import { getToken, stripUser } from '../requests.js';
+addRoute({
+    path: '/api/session',
+    async GET(event) {
+        const result = await authenticate(event);
+        if (!result)
+            error(404, 'Session does not exist');
+        return {
+            ...omit(result, 'token'),
+            user: stripUser(result.user, true),
+        };
+    },
+    async DELETE(event) {
+        const token = getToken(event);
+        if (!token)
+            error(401, 'Missing token');
+        connect();
+        const result = await db
+            .deleteFrom('sessions')
+            .where('sessions.token', '=', token)
+            .returningAll()
+            .executeTakeFirstOrThrow()
+            .catch((e) => (e.message == 'no result' ? error(404, 'Session does not exist') : error(400, 'Invalid session')));
+        return omit(result, 'token');
+    },
+});

package/dist/api/users.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/api/users.js

@@ -0,0 +1,244 @@
+import { LogoutSessions, PasskeyAuthenticationResponse, PasskeyRegistration, UserAuthOptions } from '@axium/core/schemas';
+import { UserChangeable } from '@axium/core/user';
+import { generateAuthenticationOptions, generateRegistrationOptions, verifyAuthenticationResponse, verifyRegistrationResponse, } from '@simplewebauthn/server';
+import { error } from '@sveltejs/kit';
+import { omit, pick } from 'utilium';
+import z from 'zod/v4';
+import { createPasskey, createVerification, getPasskey, getPasskeysByUserId, getSessions, getUser, useVerification, } from '../auth.js';
+import { config } from '../config.js';
+import { connect, database as db } from '../database.js';
+import { addRoute } from '../routes.js';
+import { checkAuth, createSessionData, parseBody, stripUser, withError } from '../requests.js';
+const challenges = new Map();
+const params = { id: z.uuid() };
+/**
+ * Resolve a user's UUID using their email (in the future this might also include handles)
+ */
+addRoute({
+    path: '/api/user_id',
+    async POST(event) {
+        const { value } = await parseBody(event, z.object({ using: z.literal('email'), value: z.email() }));
+        connect();
+        const { id } = await db
+            .selectFrom('users')
+            .select('id')
+            .where('email', '=', value)
+            .executeTakeFirstOrThrow()
+            .catch(withError('User not found', 404));
+        return { id };
+    },
+});
+addRoute({
+    path: '/api/users/:id',
+    params,
+    async GET(event) {
+        const userId = event.params.id;
+        const authed = await checkAuth(event, userId).catch(() => null);
+        const user = authed?.user || (await getUser(userId).catch(withError('User does not exist', 404)));
+        return stripUser(user, !!authed);
+    },
+    async PATCH(event) {
+        const userId = event.params.id;
+        const body = await parseBody(event, UserChangeable);
+        await checkAuth(event, userId);
+        if ('email' in body)
+            body.emailVerified = null;
+        const result = await db
+            .updateTable('users')
+            .set(body)
+            .where('id', '=', userId)
+            .returningAll()
+            .executeTakeFirstOrThrow()
+            .catch(withError('Failed to update user'));
+        return stripUser(result, true);
+    },
+    async DELETE(event) {
+        const userId = event.params.id;
+        await checkAuth(event, userId, true);
+        const result = await db
+            .deleteFrom('users')
+            .where('id', '=', userId)
+            .returningAll()
+            .executeTakeFirstOrThrow()
+            .catch(withError('Failed to delete user'));
+        return result;
+    },
+});
+addRoute({
+    path: '/api/users/:id/full',
+    params,
+    async GET(event) {
+        const userId = event.params.id;
+        const { user } = await checkAuth(event, userId);
+        const sessions = await getSessions(userId);
+        return {
+            ...stripUser(user, true),
+            sessions: sessions.map(s => omit(s, 'token')),
+        };
+    },
+});
+addRoute({
+    path: '/api/users/:id/auth',
+    params,
+    async OPTIONS(event) {
+        const userId = event.params.id;
+        const { type } = await parseBody(event, UserAuthOptions);
+        await getUser(userId).catch(withError('User does not exist', 404));
+        const passkeys = await getPasskeysByUserId(userId);
+        if (!passkeys)
+            error(409, { message: 'No passkeys exists for this user' });
+        const options = await generateAuthenticationOptions({
+            rpID: config.auth.rp_id,
+            allowCredentials: passkeys.map(passkey => pick(passkey, 'id', 'transports')),
+        });
+        challenges.set(userId, { data: options.challenge, type });
+        return options;
+    },
+    async POST(event) {
+        const userId = event.params.id;
+        const response = await parseBody(event, PasskeyAuthenticationResponse);
+        const auth = challenges.get(userId);
+        if (!auth)
+            error(404, { message: 'No challenge' });
+        const { data: expectedChallenge, type } = auth;
+        challenges.delete(userId);
+        const passkey = await getPasskey(response.id).catch(withError('Passkey does not exist', 404));
+        if (passkey.userId !== userId)
+            error(403, { message: 'Passkey does not belong to this user' });
+        const { verified } = await verifyAuthenticationResponse({
+            response,
+            credential: passkey,
+            expectedChallenge,
+            expectedOrigin: config.auth.origin,
+            expectedRPID: config.auth.rp_id,
+        }).catch(withError('Verification failed', 400));
+        if (!verified)
+            error(401, { message: 'Verification failed' });
+        switch (type) {
+            case 'login':
+                return await createSessionData(event, userId);
+            case 'action':
+                if ((Date.now() - passkey.createdAt.getTime()) / 60_000 < config.auth.passkey_probation)
+                    error(403, { message: 'You can not authorize sensitive actions with a newly created passkey' });
+                return await createSessionData(event, userId, true);
+        }
+    },
+});
+// Map of user ID => challenge
+const registrations = new Map();
+addRoute({
+    path: '/api/users/:id/passkeys',
+    params,
+    /**
+     * Get passkey registration options for a user.
+     */
+    async OPTIONS(event) {
+        const userId = event.params.id;
+        const existing = await getPasskeysByUserId(userId);
+        const { user } = await checkAuth(event, userId);
+        const options = await generateRegistrationOptions({
+            rpName: config.auth.rp_name,
+            rpID: config.auth.rp_id,
+            userName: userId,
+            userDisplayName: user.email,
+            attestationType: 'none',
+            excludeCredentials: existing.map(passkey => pick(passkey, 'id', 'transports')),
+            authenticatorSelection: {
+                residentKey: 'preferred',
+                userVerification: 'preferred',
+                authenticatorAttachment: 'platform',
+            },
+        });
+        registrations.set(userId, options.challenge);
+        return options;
+    },
+    /**
+     * Get passkeys for a user.
+     */
+    async GET(event) {
+        const userId = event.params.id;
+        await checkAuth(event, userId);
+        const passkeys = await getPasskeysByUserId(userId);
+        return passkeys.map(p => omit(p, 'publicKey', 'counter'));
+    },
+    /**
+     * Register a new passkey for an existing user.
+     */
+    async PUT(event) {
+        const userId = event.params.id;
+        const response = await parseBody(event, PasskeyRegistration);
+        await checkAuth(event, userId);
+        const expectedChallenge = registrations.get(userId);
+        if (!expectedChallenge)
+            error(404, { message: 'No registration challenge found for this user' });
+        registrations.delete(userId);
+        const { verified, registrationInfo } = await verifyRegistrationResponse({
+            response,
+            expectedChallenge,
+            expectedOrigin: config.auth.origin,
+        }).catch(withError('Verification failed', 400));
+        if (!verified || !registrationInfo)
+            error(401, { message: 'Verification failed' });
+        const passkey = await createPasskey({
+            transports: [],
+            ...registrationInfo.credential,
+            userId,
+            deviceType: registrationInfo.credentialDeviceType,
+            backedUp: registrationInfo.credentialBackedUp,
+        }).catch(withError('Failed to create passkey'));
+        return omit(passkey, 'publicKey', 'counter');
+    },
+});
+addRoute({
+    path: '/api/users/:id/sessions',
+    params,
+    async GET(event) {
+        const userId = event.params.id;
+        await checkAuth(event, userId);
+        return (await getSessions(userId).catch(e => error(503, 'Failed to get sessions' + (config.debug ? ': ' + e : '')))).map(s => omit(s, 'token'));
+    },
+    async DELETE(event) {
+        const userId = event.params.id;
+        const body = await parseBody(event, LogoutSessions);
+        await checkAuth(event, userId, body.confirm_all);
+        if (!body.confirm_all && !Array.isArray(body.id))
+            error(400, { message: 'Invalid request body' });
+        const query = body.confirm_all ? db.deleteFrom('sessions') : db.deleteFrom('sessions').where('sessions.id', 'in', body.id);
+        const result = await query
+            .where('sessions.userId', '=', userId)
+            .returningAll()
+            .execute()
+            .catch(withError('Failed to delete one or more sessions'));
+        return result.map(s => omit(s, 'token'));
+    },
+});
+addRoute({
+    path: '/api/users/:id/verify_email',
+    params,
+    async OPTIONS(event) {
+        const userId = event.params.id;
+        if (!config.auth.email_verification)
+            return { enabled: false };
+        await checkAuth(event, userId);
+        if (!config.auth.email_verification)
+            return { enabled: false };
+        return { enabled: true };
+    },
+    async GET(event) {
+        const userId = event.params.id;
+        const { user } = await checkAuth(event, userId);
+        if (user.emailVerified)
+            error(409, { message: 'Email already verified' });
+        const verification = await createVerification('verify_email', userId, config.auth.verification_timeout * 60);
+        return omit(verification, 'token', 'role');
+    },
+    async POST(event) {
+        const userId = event.params.id;
+        const { token } = await parseBody(event, z.object({ token: z.string() }));
+        const { user } = await checkAuth(event, userId);
+        if (user.emailVerified)
+            error(409, { message: 'Email already verified' });
+        await useVerification('verify_email', userId, token).catch(withError('Invalid or expired verification token', 400));
+        return {};
+    },
+});

package/dist/apps.d.ts

@@ -1,5 +1,3 @@
-import type { LoadEvent, RequestEvent } from '@sveltejs/kit';
-import type { WebRoute, WebRouteOptions } from './routes.js';
 export interface CreateAppOptions {
     id: string;
     name?: string;
@@ -8,8 +6,5 @@ export declare const apps: Map<string, App>;
 export declare class App {
     readonly id: string;
     name: string;
-    protected readonly routes: Map<string, WebRoute>;
     constructor(opt: CreateAppOptions);
-    addRoute(route: WebRouteOptions): void;
-    resolveRoute(event: RequestEvent | LoadEvent): WebRoute | undefined;
 }

package/dist/apps.js

@@ -1,20 +1,13 @@
 import { pick } from 'utilium';
-import { addRoute, resolveRoute } from './routes.js';
-export const apps = new Map();
+import { _unique } from './state.js';
+export const apps = _unique('apps', new Map());
 export class App {
     id;
     name;
-    routes = new Map();
     constructor(opt) {
         if (apps.has(opt.id))
             throw new ReferenceError(`App with ID "${opt.id}" already exists.`);
         Object.assign(this, pick(opt, 'id', 'name'));
         apps.set(this.id, this);
     }
-    addRoute(route) {
-        addRoute(route, this.routes);
-    }
-    resolveRoute(event) {
-        return resolveRoute(event, this.routes);
-    }
 }

package/dist/auth.d.ts

@@ -1,40 +1,27 @@
 import type { Passkey, Session, Verification } from '@axium/core/api';
 import type { User } from '@axium/core/user';
+import type { RequestEvent } from '@sveltejs/kit';
 export interface UserInternal extends User {
     password?: string | null;
     salt?: string | null;
 }
-export declare function getUser(id: string): Promise<{
-    name: string;
+export declare function getUser(id: string): Promise<UserInternal>;
+export declare function updateUser({ id, ...user }: UserInternal): Promise<{
     id: string;
-    image: string | null | undefined;
-    email: string;
-    emailVerified: Date | null | undefined;
-    preferences: import("@axium/core/user").Preferences | undefined;
-} | null>;
-export declare function getUserByEmail(email: string): Promise<{
     name: string;
-    id: string;
-    image: string | null | undefined;
     email: string;
     emailVerified: Date | null | undefined;
-    preferences: import("@axium/core/user").Preferences | undefined;
-} | null>;
-export declare function updateUser({ id, ...user }: UserInternal): Promise<{
-    name: string;
-    id: string;
     image: string | null | undefined;
-    email: string;
-    emailVerified: Date | null | undefined;
     preferences: import("@axium/core/user").Preferences | undefined;
 }>;
 export interface SessionInternal extends Session {
     token: string;
 }
 export declare function createSession(userId: string, elevated?: boolean): Promise<SessionInternal>;
-export declare function getSessionAndUser(token: string): Promise<SessionInternal & {
-    user: UserInternal | null;
-}>;
+export interface SessionAndUser extends SessionInternal {
+    user: UserInternal;
+}
+export declare function getSessionAndUser(token: string): Promise<SessionAndUser>;
 export declare function getSession(sessionId: string): Promise<SessionInternal>;
 export declare function getSessions(userId: string): Promise<SessionInternal[]>;
 export type VerificationRole = 'verify_email' | 'login';
@@ -52,7 +39,8 @@ export interface PasskeyInternal extends Passkey {
     publicKey: Uint8Array;
     counter: number;
 }
-export declare function getPasskey(id: string): Promise<PasskeyInternal | null>;
+export declare function getPasskey(id: string): Promise<PasskeyInternal>;
 export declare function createPasskey(passkey: Omit<PasskeyInternal, 'createdAt'>): Promise<PasskeyInternal>;
 export declare function getPasskeysByUserId(userId: string): Promise<PasskeyInternal[]>;
 export declare function updatePasskeyCounter(id: PasskeyInternal['id'], newCounter: PasskeyInternal['counter']): Promise<PasskeyInternal>;
+export declare function authenticate(event: RequestEvent): Promise<SessionAndUser | null>;

package/dist/auth.js

@@ -3,17 +3,7 @@ import { randomBytes, randomUUID } from 'node:crypto';
 import { connect, database as db } from './database.js';
 export async function getUser(id) {
     connect();
-    const result = await db.selectFrom('users').selectAll().where('id', '=', id).executeTakeFirst();
-    if (!result)
-        return null;
-    return result;
-}
-export async function getUserByEmail(email) {
-    connect();
-    const result = await db.selectFrom('users').selectAll().where('email', '=', email).executeTakeFirst();
-    if (!result)
-        return null;
-    return result;
+    return await db.selectFrom('users').selectAll().where('id', '=', id).executeTakeFirstOrThrow();
 }
 export async function updateUser({ id, ...user }) {
     connect();
@@ -43,9 +33,9 @@ export async function getSessionAndUser(token) {
         .select(eb => jsonObjectFrom(eb.selectFrom('users').selectAll().whereRef('users.id', '=', 'sessions.userId')).as('user'))
         .where('sessions.token', '=', token)
         .where('sessions.expires', '>', new Date())
-        .executeTakeFirst();
-    if (!result)
-        throw new Error('Session not found');
+        .executeTakeFirstOrThrow();
+    if (!result.user)
+        throw new Error('Session references non-existing user');
     return result;
 }
 export async function getSession(sessionId) {
@@ -86,10 +76,7 @@ export async function useVerification(role, userId, token) {
 }
 export async function getPasskey(id) {
     connect();
-    const result = await db.selectFrom('passkeys').selectAll().where('id', '=', id).executeTakeFirst();
-    if (!result)
-        return null;
-    return result;
+    return await db.selectFrom('passkeys').selectAll().where('id', '=', id).executeTakeFirstOrThrow();
 }
 export async function createPasskey(passkey) {
     connect();
@@ -108,3 +95,10 @@ export async function updatePasskeyCounter(id, newCounter) {
         throw new Error('Passkey not found');
     return passkey;
 }
+export async function authenticate(event) {
+    const maybe_header = event.request.headers.get('Authorization');
+    const token = maybe_header?.startsWith('Bearer ') ? maybe_header.slice(7) : event.cookies.get('session_token');
+    if (!token)
+        return null;
+    return await getSessionAndUser(token).catch(() => null);
+}