@axium/server 0.9.0 → 0.10.0

package/web/api/session.ts

@@ -1,33 +0,0 @@
-import { authenticate } from '$lib/auth';
-import type { Result } from '@axium/core/api';
-import { connect, database as db } from '@axium/server/database';
-import { addRoute } from '@axium/server/routes';
-import { error } from '@sveltejs/kit';
-import { omit } from 'utilium';
-import { getToken, stripUser } from './utils';
-
-addRoute({
-	path: '/api/session',
-	async GET(event): Result<'GET', 'session'> {
-		const result = await authenticate(event);
-
-		if (!result) error(404, 'Session does not exist');
-
-		return {
-			...omit(result, 'token'),
-			user: stripUser(result.user, true),
-		};
-	},
-	async DELETE(event): Result<'DELETE', 'session'> {
-		const token = getToken(event);
-		connect();
-		const result = await db
-			.deleteFrom('sessions')
-			.where('sessions.token', '=', token)
-			.returningAll()
-			.executeTakeFirstOrThrow()
-			.catch((e: Error) => (e.message == 'no result' ? error(404, 'Session does not exist') : error(400, 'Invalid session')));
-
-		return omit(result, 'token');
-	},
-});

package/web/api/users.ts

@@ -1,351 +0,0 @@
-/** Register a new passkey for a new or existing user. */
-import type { Result } from '@axium/core/api';
-import { LogoutSessions, PasskeyAuthenticationResponse, UserAuthOptions } from '@axium/core/schemas';
-import { UserChangeable, type User } from '@axium/core/user';
-import {
-	createPasskey,
-	createVerification,
-	getPasskey,
-	getPasskeysByUserId,
-	getSessions,
-	getUser,
-	useVerification,
-} from '@axium/server/auth';
-import { config } from '@axium/server/config';
-import { connect, database as db } from '@axium/server/database';
-import { addRoute } from '@axium/server/routes';
-import {
-	generateAuthenticationOptions,
-	generateRegistrationOptions,
-	verifyAuthenticationResponse,
-	verifyRegistrationResponse,
-} from '@simplewebauthn/server';
-import { error, type RequestEvent } from '@sveltejs/kit';
-import { omit, pick } from 'utilium';
-import z from 'zod/v4';
-import { PasskeyRegistration } from './schemas.js';
-import { checkAuth, createSessionData, parseBody, stripUser, withError } from './utils.js';
-
-interface UserAuth {
-	data: string;
-	type: UserAuthOptions['type'];
-}
-
-const challenges = new Map<string, UserAuth>();
-
-const params = { id: z.uuid() };
-
-/**
- * Resolve a user's UUID using their email (in the future this might also include handles)
- */
-addRoute({
-	path: '/api/user_id',
-	async POST(event): Result<'POST', 'user_id'> {
-		const { value } = await parseBody(event, z.object({ using: z.literal('email'), value: z.email() }));
-
-		connect();
-		const { id } = await db.selectFrom('users').select('id').where('email', '=', value).executeTakeFirst();
-		return { id };
-	},
-});
-
-addRoute({
-	path: '/api/users/:id',
-	params,
-	async GET(event): Result<'GET', 'users/:id'> {
-		const { id: userId } = event.params;
-
-		const authed = await checkAuth(event, userId)
-			.then(() => true)
-			.catch(() => false);
-
-		return stripUser(await getUser(userId), authed);
-	},
-	async PATCH(event): Result<'PATCH', 'users/:id'> {
-		const { id: userId } = event.params;
-		const body: UserChangeable & Pick<User, 'emailVerified'> = await parseBody(event, UserChangeable);
-
-		await checkAuth(event, userId);
-
-		const user = await getUser(userId);
-		if (!user) error(404, { message: 'User does not exist' });
-
-		if ('email' in body) body.emailVerified = null;
-
-		const result = await db
-			.updateTable('users')
-			.set(body)
-			.where('id', '=', userId)
-			.returningAll()
-			.executeTakeFirstOrThrow()
-			.catch(withError('Failed to update user'));
-
-		return stripUser(result, true);
-	},
-	async DELETE(event): Result<'DELETE', 'users/:id'> {
-		const { id: userId } = event.params;
-
-		await checkAuth(event, userId, true);
-
-		const user = await getUser(userId);
-		if (!user) error(404, { message: 'User does not exist' });
-
-		const result = await db
-			.deleteFrom('users')
-			.where('id', '=', userId)
-			.returningAll()
-			.executeTakeFirstOrThrow()
-			.catch(withError('Failed to delete user'));
-
-		return result;
-	},
-});
-
-addRoute({
-	path: '/api/users/:id/full',
-	params,
-	async GET(event): Result<'GET', 'users/:id/full'> {
-		const { id: userId } = event.params;
-
-		await checkAuth(event, userId);
-
-		const user = stripUser(await getUser(userId), true);
-
-		const sessions = await getSessions(userId);
-
-		return {
-			...user,
-			sessions: sessions.map(s => omit(s, 'token')),
-		};
-	},
-});
-
-addRoute({
-	path: '/api/users/:id/auth',
-	params,
-	async OPTIONS(event): Result<'OPTIONS', 'users/:id/auth'> {
-		const { id: userId } = event.params;
-		const { type } = await parseBody(event, UserAuthOptions);
-
-		const user = await getUser(userId);
-		if (!user) error(404, { message: 'User does not exist' });
-
-		const passkeys = await getPasskeysByUserId(userId);
-
-		if (!passkeys) error(409, { message: 'No passkeys exists for this user' });
-
-		const options = await generateAuthenticationOptions({
-			rpID: config.auth.rp_id,
-			allowCredentials: passkeys.map(passkey => pick(passkey, 'id', 'transports')),
-		});
-
-		challenges.set(userId, { data: options.challenge, type });
-
-		return options;
-	},
-	async POST(event: RequestEvent): Result<'POST', 'users/:id/auth'> {
-		const { id: userId } = event.params;
-		const response = await parseBody(event, PasskeyAuthenticationResponse);
-
-		const auth = challenges.get(userId);
-		if (!auth) error(404, { message: 'No challenge found for this user' });
-		const { data: expectedChallenge, type } = auth;
-		challenges.delete(userId);
-
-		const user = await getUser(userId);
-		if (!user) error(404, { message: 'User does not exist' });
-
-		const passkey = await getPasskey(response.id);
-		if (!passkey) error(404, { message: 'Passkey does not exist' });
-
-		if (passkey.userId !== userId) error(403, { message: 'Passkey does not belong to this user' });
-
-		const { verified } = await verifyAuthenticationResponse({
-			response,
-			credential: passkey,
-			expectedChallenge,
-			expectedOrigin: config.auth.origin,
-			expectedRPID: config.auth.rp_id,
-		}).catch(withError('Verification failed', 400));
-
-		if (!verified) error(401, { message: 'Verification failed' });
-
-		switch (type) {
-			case 'login':
-				return await createSessionData(event, userId);
-			case 'action':
-				if ((Date.now() - passkey.createdAt.getTime()) / 60_000 < config.auth.passkey_probation)
-					error(403, { message: 'You can not authorize sensitive actions with a newly created passkey' });
-
-				return await createSessionData(event, userId, true);
-		}
-	},
-});
-
-// Map of user ID => challenge
-const registrations = new Map<string, string>();
-
-addRoute({
-	path: '/api/users/:id/passkeys',
-	params,
-	/**
-	 * Get passkey registration options for a user.
-	 */
-	async OPTIONS(event: RequestEvent): Result<'OPTIONS', 'users/:id/passkeys'> {
-		const { id: userId } = event.params;
-
-		const user = await getUser(userId);
-		if (!user) error(404, { message: 'User does not exist' });
-
-		const existing = await getPasskeysByUserId(userId);
-
-		await checkAuth(event, userId);
-
-		const options = await generateRegistrationOptions({
-			rpName: config.auth.rp_name,
-			rpID: config.auth.rp_id,
-			userName: userId,
-			userDisplayName: user.email,
-			attestationType: 'none',
-			excludeCredentials: existing.map(passkey => pick(passkey, 'id', 'transports')),
-			authenticatorSelection: {
-				residentKey: 'preferred',
-				userVerification: 'preferred',
-				authenticatorAttachment: 'platform',
-			},
-		});
-
-		registrations.set(userId, options.challenge);
-
-		return options;
-	},
-
-	/**
-	 * Get passkeys for a user.
-	 */
-	async GET(event: RequestEvent): Result<'GET', 'users/:id/passkeys'> {
-		const { id: userId } = event.params;
-
-		const user = await getUser(userId);
-		if (!user) error(404, { message: 'User does not exist' });
-
-		await checkAuth(event, userId);
-
-		const passkeys = await getPasskeysByUserId(userId);
-
-		return passkeys.map(p => omit(p, 'publicKey', 'counter'));
-	},
-
-	/**
-	 * Register a new passkey for an existing user.
-	 */
-	async PUT(event: RequestEvent): Result<'PUT', 'users/:id/passkeys'> {
-		const { id: userId } = event.params;
-		const response = await parseBody(event, PasskeyRegistration);
-
-		const user = await getUser(userId);
-		if (!user) error(404, { message: 'User does not exist' });
-
-		await checkAuth(event, userId);
-
-		const expectedChallenge = registrations.get(userId);
-		if (!expectedChallenge) error(404, { message: 'No registration challenge found for this user' });
-		registrations.delete(userId);
-
-		const { verified, registrationInfo } = await verifyRegistrationResponse({
-			response,
-			expectedChallenge,
-			expectedOrigin: config.auth.origin,
-		}).catch(withError('Verification failed', 400));
-
-		if (!verified || !registrationInfo) error(401, { message: 'Verification failed' });
-
-		const passkey = await createPasskey({
-			transports: [],
-			...registrationInfo.credential,
-			userId,
-			deviceType: registrationInfo.credentialDeviceType,
-			backedUp: registrationInfo.credentialBackedUp,
-		}).catch(withError('Failed to create passkey'));
-
-		return omit(passkey, 'publicKey', 'counter');
-	},
-});
-
-addRoute({
-	path: '/api/users/:id/sessions',
-	params,
-	async GET(event): Result<'POST', 'users/:id/sessions'> {
-		const { id: userId } = event.params;
-
-		await checkAuth(event, userId);
-
-		return (await getSessions(userId).catch(e => error(503, 'Failed to get sessions' + (config.debug ? ': ' + e : '')))).map(s =>
-			omit(s, 'token')
-		);
-	},
-	async DELETE(event: RequestEvent): Result<'DELETE', 'users/:id/sessions'> {
-		const { id: userId } = event.params;
-		const body = await parseBody(event, LogoutSessions);
-
-		await checkAuth(event, userId, body.confirm_all);
-
-		const query = body.confirm_all ? db.deleteFrom('sessions') : db.deleteFrom('sessions').where('sessions.id', 'in', body.id);
-
-		const result = await query
-			.where('sessions.userId', '=', userId)
-			.returningAll()
-			.execute()
-			.catch(withError('Failed to delete one or more sessions'));
-
-		return result.map(s => omit(s, 'token'));
-	},
-});
-
-addRoute({
-	path: '/api/users/:id/verify_email',
-	params,
-	async OPTIONS(event): Result<'OPTIONS', 'users/:id/verify_email'> {
-		const { id: userId } = event.params;
-
-		if (!config.auth.email_verification) return { enabled: false };
-
-		await checkAuth(event, userId);
-
-		const user = await getUser(userId);
-		if (!user) error(404, { message: 'User does not exist' });
-
-		if (!config.auth.email_verification) return { enabled: false };
-
-		return { enabled: true };
-	},
-	async GET(event): Result<'GET', 'users/:id/verify_email'> {
-		const { id: userId } = event.params;
-
-		await checkAuth(event, userId);
-
-		const user = await getUser(userId);
-		if (!user) error(404, { message: 'User does not exist' });
-
-		if (user.emailVerified) error(409, { message: 'Email already verified' });
-
-		const verification = await createVerification('verify_email', userId, config.auth.verification_timeout * 60);
-
-		return omit(verification, 'token', 'role');
-	},
-	async POST(event: RequestEvent): Result<'POST', 'users/:id/verify_email'> {
-		const { id: userId } = event.params;
-		const { token } = await parseBody(event, z.object({ token: z.string() }));
-
-		await checkAuth(event, userId);
-
-		const user = await getUser(userId);
-		if (!user) error(404, { message: 'User does not exist' });
-
-		if (user.emailVerified) error(409, { message: 'Email already verified' });
-
-		await useVerification('verify_email', userId, token).catch(withError('Invalid or expired verification token', 400));
-
-		return {};
-	},
-});

package/web/api/utils.ts

@@ -1,66 +0,0 @@
-import { userProtectedFields, userPublicFields, type User } from '@axium/core/user';
-import type { NewSessionResponse } from '@axium/core/api';
-import { createSession, getSessionAndUser, type UserInternal } from '@axium/server/auth';
-import { config } from '@axium/server/config';
-import { error, type RequestEvent } from '@sveltejs/kit';
-import { pick } from 'utilium';
-import z from 'zod/v4';
-
-export async function parseBody<const Schema extends z.ZodType, const Result extends z.infer<Schema> = z.infer<Schema>>(
-	event: RequestEvent,
-	schema: Schema
-): Promise<Result> {
-	const contentType = event.request.headers.get('content-type');
-	if (!contentType || !contentType.includes('application/json')) error(415, { message: 'Invalid content type' });
-
-	const body: unknown = await event.request.json().catch(() => error(415, { message: 'Invalid JSON' }));
-
-	try {
-		return schema.parse(body) as Result;
-	} catch (e: any) {
-		error(400, { message: z.prettifyError(e) });
-	}
-}
-
-export function getToken(event: RequestEvent, sensitive: boolean = false): string | undefined {
-	const header_token = event.request.headers.get('Authorization')?.replace('Bearer ', '');
-	if (header_token) return header_token;
-
-	if (config.debug || config.api.cookie_auth) {
-		return event.cookies.get(sensitive ? 'elevated_token' : 'session_token');
-	}
-}
-
-export async function checkAuth(event: RequestEvent, userId: string, sensitive: boolean = false): Promise<void> {
-	const token = getToken(event, sensitive);
-
-	if (!token) throw error(401, { message: 'Missing token' });
-
-	const { user, elevated } = await getSessionAndUser(token).catch(() => error(401, { message: 'Invalid or expired session' }));
-
-	if (user?.id !== userId /* && !user.isAdmin */) error(403, { message: 'User ID mismatch' });
-
-	if (!elevated && sensitive) error(403, 'This token can not be used for sensitive actions');
-}
-
-export async function createSessionData(event: RequestEvent, userId: string, elevated: boolean = false): Promise<NewSessionResponse> {
-	const { token } = await createSession(userId, elevated);
-
-	if (elevated) {
-		event.cookies.set('elevated_token', token, { httpOnly: true, path: '/', expires: new Date(Date.now() + 10 * 60_000) });
-		return { userId, token: '[[redacted:elevated]]' };
-	} else {
-		event.cookies.set('session_token', token, { httpOnly: config.auth.secure_cookies, path: '/' });
-		return { userId, token };
-	}
-}
-
-export function stripUser(user: UserInternal, includeProtected: boolean = false): User {
-	return pick(user, ...userPublicFields, ...(includeProtected ? userProtectedFields : []));
-}
-
-export function withError(text: string, code: number = 500) {
-	return function (e: Error) {
-		error(code, { message: text + (config.debug ? `: ${e.message}` : '') });
-	};
-}

package/web/app.html

@@ -1,14 +0,0 @@
-<!doctype html>
-<html lang="en">
-	<head>
-		<meta charset="utf-8" />
-		<link rel="icon" href="%sveltekit.assets%/favicon.svg" />
-		<meta name="viewport" content="width=device-width, initial-scale=1" />
-		<meta name="color-scheme" content="dark light" />
-		%sveltekit.head%
-	</head>
-
-	<body>
-		<div style="display: contents">%sveltekit.body%</div>
-	</body>
-</html>

package/web/auth.ts

@@ -1,8 +0,0 @@
-import { allLogLevels } from 'logzen';
-import { createWriteStream } from 'node:fs';
-import { join } from 'node:path/posix';
-import config from '../dist/config.js';
-import { findDir, logger } from '../dist/io.js';
-
-logger.attach(createWriteStream(join(findDir(false), 'server.log')), { output: allLogLevels });
-await config.loadDefaults();

package/web/index.server.ts

@@ -1 +0,0 @@
-export * from './utils.js';

package/web/index.ts

@@ -1 +0,0 @@
-export * from './lib/index.js';

package/web/lib/auth.ts

@@ -1,12 +0,0 @@
-import type { SessionInternal, UserInternal } from '@axium/server/auth';
-import { getSessionAndUser } from '@axium/server/auth';
-import type { RequestEvent } from '@sveltejs/kit';
-
-export async function authenticate(event: RequestEvent): Promise<(SessionInternal & { user: UserInternal | null }) | null> {
-	const maybe_header = event.request.headers.get('Authorization');
-	const token = maybe_header?.startsWith('Bearer ') ? maybe_header.slice(7) : event.cookies.get('session_token');
-
-	if (!token) return null;
-
-	return await getSessionAndUser(token).catch(() => null);
-}

package/web/lib/index.ts

@@ -1,5 +0,0 @@
-export { default as Dialog } from './Dialog.svelte';
-export { default as FormDialog } from './FormDialog.svelte';
-export * from './icons/index.js';
-export { default as Toast } from './Toast.svelte';
-export { default as UserCard } from './UserCard.svelte';

package/web/routes/+layout.svelte

@@ -1,6 +0,0 @@
-<script lang="ts">
-	import '$lib/styles.css';
-	const { children } = $props();
-</script>
-
-{@render children()}

package/web/routes/[...path]/+page.server.ts

@@ -1,13 +0,0 @@
-import { error, redirect, type LoadEvent } from '@sveltejs/kit';
-import { resolveRoute } from '@axium/server/routes';
-
-export async function load(event: LoadEvent) {
-	const route = resolveRoute(event);
-
-	if (!route && event.url.pathname === '/') redirect(303, '/_axium/default');
-	if (!route) error(404);
-
-	if (route.server == true) error(409, 'This is a server route, not a page route');
-
-	return await route.load(event);
-}

package/web/routes/[appId]/[...page]/+page.server.ts

@@ -1,14 +0,0 @@
-import { error, type LoadEvent } from '@sveltejs/kit';
-import { apps } from '@axium/server/apps';
-
-export async function load(event: LoadEvent) {
-	const app = apps.get(event.params.appId);
-
-	if (!app) error(404);
-
-	const route = app.resolveRoute(event);
-
-	if (!route) error(404);
-
-	return await route.load(event);
-}

package/web/routes/api/[...path]/+server.ts

@@ -1,49 +0,0 @@
-import type { RequestMethod } from '@axium/core/requests';
-import { resolveRoute } from '@axium/server/routes';
-import { config } from '@axium/server/config';
-import { error, json, type RequestEvent, type RequestHandler } from '@sveltejs/kit';
-import z from 'zod/v4';
-
-function handler(method: RequestMethod): RequestHandler {
-	return async function (event: RequestEvent): Promise<Response> {
-		const _warnings: string[] = [];
-		if (!event.request.headers.get('Accept')?.includes('application/json')) {
-			_warnings.push('Only application/json is supported');
-			event.request.headers.set('Accept', 'application/json');
-		}
-
-		const route = resolveRoute(event);
-
-		if (!route) error(404, 'Route not found');
-		if (!route.server) error(503, 'Route is not a server route');
-
-		if (config.debug) console.log(event.request.method, route.path);
-
-		for (const [key, type] of Object.entries(route.params || {})) {
-			if (!type) continue;
-
-			try {
-				event.params[key] = type.parse(event.params[key]) as any;
-			} catch (e: any) {
-				error(400, `Invalid parameter: ${z.prettifyError(e)}`);
-			}
-		}
-
-		if (typeof route[method] != 'function') error(405, `Method ${method} not allowed for ${route.path}`);
-
-		const result: object & { _warnings?: string[] } = await route[method](event);
-
-		result._warnings ||= [];
-		result._warnings.push(..._warnings);
-
-		return json(result);
-	};
-}
-
-export const HEAD = handler('HEAD');
-export const GET = handler('GET');
-export const POST = handler('POST');
-export const PUT = handler('PUT');
-export const DELETE = handler('DELETE');
-export const PATCH = handler('PATCH');
-export const OPTIONS = handler('OPTIONS');

package/web/utils.ts

@@ -1,26 +0,0 @@
-import type { ActionFailure, RequestEvent } from '@sveltejs/kit';
-import { fail } from '@sveltejs/kit';
-import z from 'zod/v4';
-
-// eslint-disable-next-line @typescript-eslint/no-empty-object-type
-export interface FormFail<S extends z.ZodType, E extends object = object> extends ActionFailure<z.infer<S> & { error: string } & E> {}
-
-export async function parseForm<S extends z.ZodObject, E extends object = object>(
-	event: RequestEvent,
-	schema: S,
-	errorData?: E
-): Promise<[z.infer<S>, FormFail<S, E> | null]> {
-	const formData = Object.fromEntries(await event.request.formData());
-	const { data, error, success } = schema.safeParse(formData);
-
-	if (success) return [data, null];
-
-	return [
-		data,
-		fail(400, {
-			...data,
-			...errorData,
-			error: z.prettifyError(error),
-		}),
-	];
-}