@valentinkolb/cloud 0.1.0

package/src/services/auth-flows/index.ts

@@ -0,0 +1,6 @@
+import * as ipa from "./ipa";
+import * as magicLink from "./magic-link";
+
+export { ipa, magicLink };
+
+export const authFlows = { ipa, magicLink } as const;

package/src/services/auth-flows/ipa.ts

@@ -0,0 +1,128 @@
+import { sql } from "bun";
+import { accounts } from "../accounts";
+import { providers } from "../providers";
+import type { User } from "../../contracts/shared";
+
+type IpaLoginFailure =
+  | { ok: false; status: 401; reason: "password_expired"; message: string }
+  | { ok: false; status: 401; reason: "invalid_credentials"; message: string }
+  | { ok: false; status: 400; reason: "user_not_synced"; message: string }
+  | { ok: false; status: 400; reason: "user_not_found"; message: string }
+  | { ok: false; status: 403; reason: "account_expired"; message: string }
+  | { ok: false; status: 403; reason: "account_out_of_scope"; message: string }
+  | { ok: false; status: 503; reason: "sync_unavailable"; message: string };
+
+type IpaLoginSuccess = {
+  ok: true;
+  ipaSession: string;
+  userId: string;
+  user: User;
+};
+
+export type IpaLoginFlowResult = IpaLoginSuccess | IpaLoginFailure;
+
+const loadSyncedIpaUser = async (uid: string): Promise<{ ok: true; userId: string; user: User } | IpaLoginFailure> => {
+  const userRows = await sql`
+    SELECT id FROM auth.users
+    WHERE provider = 'ipa'
+      AND uid = ${uid}
+  `;
+  if (userRows.length === 0) {
+    return {
+      ok: false,
+      status: 400,
+      reason: "user_not_synced",
+      message: "Your account is not yet available. Please try again in a few minutes.",
+    };
+  }
+
+  const userId = userRows[0]!.id as string;
+  const user = await accounts.users.get({ id: userId });
+  if (!user) {
+    return {
+      ok: false,
+      status: 400,
+      reason: "user_not_found",
+      message: "User not found. Please try again.",
+    };
+  }
+
+  return { ok: true, userId, user };
+};
+
+export const login = async (params: { username: string; password: string }): Promise<IpaLoginFlowResult> => {
+  const loginResult = await providers.ipa.auth.login(params.username, params.password);
+  if (loginResult.status === "password_expired") {
+    return { ok: false, status: 401, reason: "password_expired", message: "Password expired" };
+  }
+  if (loginResult.status !== "success") {
+    return { ok: false, status: 401, reason: "invalid_credentials", message: "Invalid username or password" };
+  }
+
+  // Must reach a "synced" outcome before granting a session. Stale mirror rows
+  // (expired remotely, dropped from sync scope, or fetch failures) must never
+  // grant a fresh local session on the back of successful FreeIPA credentials.
+  const syncOutcome = await providers.ipa.sync.user(params.username);
+  switch (syncOutcome.status) {
+    case "synced":
+      break;
+    case "skipped_disabled":
+      break;
+    case "expired":
+      return {
+        ok: false,
+        status: 403,
+        reason: "account_expired",
+        message: "Your FreeIPA account is expired. Contact an administrator.",
+      };
+    case "out_of_scope":
+      return {
+        ok: false,
+        status: 403,
+        reason: "account_out_of_scope",
+        message: "Your FreeIPA account is no longer part of the sync scope. Contact an administrator.",
+      };
+    case "not_found_local":
+      return {
+        ok: false,
+        status: 400,
+        reason: "user_not_synced",
+        message: "Your account is not yet available. Please try again in a few minutes.",
+      };
+    case "fetch_failed":
+      return {
+        ok: false,
+        status: 503,
+        reason: "sync_unavailable",
+        message: "Could not verify your account with FreeIPA. Please try again.",
+      };
+  }
+
+  const userResult = await loadSyncedIpaUser(params.username);
+  if (!userResult.ok) return userResult;
+
+  return {
+    ok: true,
+    ipaSession: loginResult.session,
+    userId: userResult.userId,
+    user: userResult.user,
+  };
+};
+
+export const changeExpiredPassword = async (params: {
+  username: string;
+  currentPassword: string;
+  newPassword: string;
+}): Promise<IpaLoginFlowResult | { ok: false; status: number; reason: "change_failed"; message: string }> => {
+  const changeResult = await providers.ipa.auth.changeExpiredPassword(params);
+  if (!changeResult.ok) {
+    return {
+      ok: false,
+      status: changeResult.status,
+      reason: "change_failed",
+      message: changeResult.error,
+    };
+  }
+
+  return login({ username: params.username, password: params.newPassword });
+};

package/src/services/auth-flows/magic-link.ts

@@ -0,0 +1,119 @@
+import { sql } from "bun";
+import { accounts } from "../accounts";
+import { notifications } from "../notifications";
+import { providers } from "../providers";
+import * as settings from "../settings";
+import { renderTemplate } from "../settings/templates";
+import type { User } from "../../contracts/shared";
+
+export const request = async (params: { email: string }): Promise<
+  | { ok: true }
+  | { ok: false; status: 400; message: string }
+> => {
+  const userRows = await sql`SELECT uid, provider FROM auth.users WHERE mail = ${params.email}`;
+  const hasLocalUser = userRows.some((row: { provider: string | null }) => row.provider === "local");
+  const hasIpaUser = userRows.some((row: { provider: string | null }) => row.provider === "ipa");
+  const allowSelfRegistration = await settings.get<boolean>("user.allow_self_registration");
+
+  if (!hasLocalUser && !allowSelfRegistration) {
+    return {
+      ok: false,
+      status: 400,
+      message: "Only existing local accounts can sign in with email. Contact an administrator if you need access.",
+    };
+  }
+
+  if (!hasLocalUser && hasIpaUser) {
+    // Return ok without sending email to prevent account enumeration.
+    // IPA-only users must authenticate via Kerberos, not magic-link.
+    return { ok: true };
+  }
+
+  const token = await providers.local.auth.createMagicLinkToken({ email: params.email, ttlSeconds: 300 });
+  const rawAppUrl = await settings.get<string>("app.url");
+  const appUrl = rawAppUrl.startsWith("http") ? rawAppUrl : `https://${rawAppUrl}`;
+  const magicLink = `${appUrl}/auth/login?token=${token}`;
+
+  const appName = await settings.get<string>("app.name");
+  const template = await settings.get<string>("mail.magic_link_login");
+
+  await notifications.send({
+    type: "email",
+    recipient: params.email,
+    subject: `${appName} Login Code`,
+    rawHtml: renderTemplate(template, {
+      TOKEN: token,
+      MAGIC_LINK: magicLink,
+      APP_NAME: appName,
+    }),
+  });
+
+  return { ok: true };
+};
+
+export const verify = async (params: { token: string }): Promise<
+  | { ok: true; userId: string; user: User; email: string; createdGuest: boolean }
+  | { ok: false; status: 401; message: string }
+  | { ok: false; status: number; message: string }
+> => {
+  const payload = await providers.local.auth.consumeMagicLinkToken(params.token);
+  if (!payload) {
+    return { ok: false, status: 401, message: "Invalid or expired token" };
+  }
+
+  const { email } = payload;
+  // Reject expired accounts at login time, not just during cleanup. Without
+  // this, an expired local user / guest could still authenticate in the
+  // window between expiry and the next lifecycle run.
+  const userRows = await sql`
+    SELECT id, account_expires
+    FROM auth.users
+    WHERE mail = ${email} AND provider = 'local'
+      AND (account_expires IS NULL OR account_expires > now())
+    ORDER BY profile = 'user' DESC
+    LIMIT 1
+  `;
+
+  let userId: string;
+  let createdGuest = false;
+  if (userRows.length > 0) {
+    userId = userRows[0]!.id as string;
+  } else {
+    // Distinguish "no account" from "account expired" for a better error.
+    const expiredRows = await sql`
+      SELECT id
+      FROM auth.users
+      WHERE mail = ${email} AND provider = 'local'
+        AND account_expires IS NOT NULL AND account_expires <= now()
+      LIMIT 1
+    `;
+    if (expiredRows.length > 0) {
+      return {
+        ok: false,
+        status: 403,
+        message: "Your account has expired. Contact an administrator.",
+      };
+    }
+    const allowSelfRegistration = await settings.get<boolean>("user.allow_self_registration");
+    if (!allowSelfRegistration) {
+      return {
+        ok: false,
+        status: 401,
+        message: "Only existing local accounts can sign in with email. Contact an administrator if you need access.",
+      };
+    }
+    const guest = await providers.local.users.createGuest({ email });
+    if (!guest.ok) {
+      return { ok: false, status: guest.status, message: guest.error };
+    }
+    userId = guest.data.id;
+    createdGuest = true;
+  }
+
+  const user = await accounts.users.get({ id: userId });
+  if (!user) {
+    return { ok: false, status: 401, message: "User not found" };
+  }
+
+  return { ok: true, userId, user, email, createdGuest };
+};

package/src/services/freeipa-config.ts

@@ -0,0 +1,89 @@
+import { coreSettings } from "./settings/api";
+import { setFreeIpaTlsResolver } from "../server/services/freeipa/tls";
+
+export type FreeIpaConfig = {
+  enabled: boolean;
+  configured: boolean;
+  url: string;
+  serviceUser: string;
+  servicePassword: string;
+  groupsAdmin: string[];
+  groupsBaseSync: string[];
+  groupsBaseIpaRealm: string[];
+  groupsExcluded: string[];
+  caCert: string;
+  allowInsecure: boolean;
+};
+
+const normalizeString = (value: unknown): string => (typeof value === "string" ? value.trim() : "");
+const normalizeStringList = (value: unknown, fallback: string[]): string[] => {
+  if (!Array.isArray(value)) return fallback;
+  const normalized = value.map((entry) => (typeof entry === "string" ? entry.trim() : "")).filter(Boolean);
+  return normalized.length > 0 ? normalized : fallback;
+};
+
+/**
+ * Read the full FreeIPA config snapshot from settings (Redis cache-aside +
+ * Postgres fallback). Always returns within Redis-TTL fresh data — no hidden
+ * dependency on request-lifecycle middleware.
+ */
+export const getFreeIpaConfig = async (): Promise<FreeIpaConfig> => {
+  const [
+    rawUrl,
+    rawServiceUser,
+    rawServicePassword,
+    rawEnabled,
+    rawAdmin,
+    rawBaseSync,
+    rawBaseIpaRealm,
+    rawExcluded,
+    rawCaCert,
+    rawAllowInsecure,
+  ] = await Promise.all([
+    coreSettings.get<string>("freeipa.url"),
+    coreSettings.get<string>("freeipa.service_user"),
+    coreSettings.get<string>("freeipa.service_password"),
+    coreSettings.get<boolean>("freeipa.enable"),
+    coreSettings.get<string[]>("freeipa.groups.admin"),
+    coreSettings.get<string[]>("freeipa.groups.base_sync"),
+    coreSettings.get<string[]>("freeipa.groups.base_ipa_realm"),
+    coreSettings.get<string[]>("freeipa.groups.excluded"),
+    coreSettings.get<string>("freeipa.ca_cert"),
+    coreSettings.get<boolean>("freeipa.allow_insecure"),
+  ]);
+
+  const url = normalizeString(rawUrl);
+  const serviceUser = normalizeString(rawServiceUser);
+  const servicePassword = normalizeString(rawServicePassword);
+  const enabled = Boolean(rawEnabled);
+  const configured = url.length > 0 && serviceUser.length > 0 && servicePassword.length > 0;
+
+  return {
+    enabled,
+    configured,
+    url,
+    serviceUser,
+    servicePassword,
+    groupsAdmin: normalizeStringList(rawAdmin, ["admins"]),
+    groupsBaseSync: normalizeStringList(rawBaseSync, ["users"]),
+    groupsBaseIpaRealm: normalizeStringList(rawBaseIpaRealm, ["cloud"]),
+    groupsExcluded: normalizeStringList(rawExcluded, ["editors", "trust admins", "admins"]),
+    caCert: normalizeString(rawCaCert),
+    allowInsecure: Boolean(rawAllowInsecure),
+  };
+};
+
+// ── TLS resolver wiring ──────────────────────────────────────────────────────
+// Register an async resolver at module load so the freeipa transport
+// (`server/services/freeipa/client.ts` + `session.ts`) can read TLS opts
+// without taking a hard dependency on settings (would create a layering cycle).
+//
+// Resolution order: ca_cert (proper, signed by your private CA) wins over
+// allow_insecure (lab/dev kill switch). When neither is set we return
+// undefined so Bun uses its default system trust store.
+setFreeIpaTlsResolver(async () => {
+  const config = await getFreeIpaConfig();
+  if (config.caCert) return { ca: config.caCert };
+  if (config.allowInsecure) return { rejectUnauthorized: false };
+  return undefined;
+});

package/src/services/index.ts

@@ -0,0 +1,46 @@
+export { ipa } from "./ipa";
+export { accounts } from "./accounts";
+export { accountsAppService } from "./accounts";
+export { providers } from "./providers";
+export { authFlows } from "./auth-flows";
+export { toPgTextArray, toPgUuidArray, escapeLikePattern } from "./postgres";
+
+export { logger, logging } from "./logging";
+export type { LogEntry } from "./logging";
+
+export { notifications } from "./notifications";
+export type {
+  NotificationType,
+  NotificationStatus,
+  SendNotificationParams,
+  SendToUserParams,
+  NotificationMessage,
+} from "./notifications";
+
+export { session } from "./session";
+
+export { accountLifecycle } from "./account-lifecycle";
+export type { AccountLifecycleService } from "./account-lifecycle";
+export { lifecycleJobs } from "./account-lifecycle/scheduler";
+
+export { settings } from "./settings/namespace";
+export { loadCache, get, set, remove, getAll } from "./settings";
+export type { SettingEntry } from "./settings";
+export { SETTINGS, SETTINGS_MAP, SETTING_GROUPS, GROUP_LABELS, registerSettings, registerGroupLabel } from "./settings/defaults";
+export { validateSettingValue, normalizeSettingValue, getSettingLabel } from "./settings/defaults";
+export type { SettingDef, SettingKind, SettingOption } from "./settings/defaults";
+export { renderTemplate } from "./settings/templates";
+export { settingsService } from "./settings/app";
+export type { SettingsService } from "./settings/app";
+
+// Typed async API + cache-aside primitives.
+export { coreSettings, createSettingsAPI } from "./settings/api";
+export type { SettingsAPI } from "./settings/api";
+export { readKey as settingsReadKey, writeKey as settingsWriteKey, deleteKey as settingsDeleteKey, bulkRead as settingsBulkRead, allKnownKeys as settingsAllKnownKeys } from "./settings/store";
+export { loadSnapshot as loadSettingsSnapshot } from "./settings/snapshot";
+
+export { weatherService } from "./weather";
+export type { WeatherService, WeatherData, DailyForecast, CurrentWeather, HourlyForecast, WeatherIcon } from "./weather";
+export { migrate as migrateWeather } from "./weather/migrate";
+export { getFreeIpaConfig } from "./freeipa-config";
+export type { FreeIpaConfig } from "./freeipa-config";

package/src/services/ipa/auth.ts

@@ -0,0 +1,122 @@
+import { freeipa } from "../../server/services";
+import { getFreeIpaTls } from "../../server/services/freeipa/tls";
+import type { MutationResult } from "../../contracts/shared";
+import { getFreeIpaConfig } from "../freeipa-config";
+
+const getEnabledConfig = async (): Promise<MutationResult<{ url: string; serviceUser: string; servicePassword: string }>> => {
+  const config = await getFreeIpaConfig();
+  if (!config.enabled) {
+    return { ok: false, error: "FreeIPA is disabled.", status: 400 };
+  }
+  if (!config.configured) {
+    return { ok: false, error: "FreeIPA is enabled but not fully configured.", status: 500 };
+  }
+  return {
+    ok: true,
+    data: {
+      url: config.url,
+      serviceUser: config.serviceUser,
+      servicePassword: config.servicePassword,
+    },
+  };
+};
+
+// ==========================
+// Login
+// ==========================
+
+export type LoginResult = { status: "success"; session: string } | { status: "password_expired" } | { status: "failed" };
+export const login = async (username: string, password: string): Promise<LoginResult> => {
+  const config = await getEnabledConfig();
+  if (!config.ok) return { status: "failed" };
+  return freeipa.session.login({ url: config.data.url, username, password });
+};
+
+export const getServiceSession = async (): Promise<string> => {
+  const config = await getEnabledConfig();
+  if (!config.ok) {
+    throw new Error(config.error);
+  }
+  return freeipa.session.getServiceSession({
+    url: config.data.url,
+    serviceUser: config.data.serviceUser,
+    servicePassword: config.data.servicePassword,
+  });
+};
+
+// ==========================
+// Change Password (for expired passwords, no session required)
+// ==========================
+
+/**
+ * Change an expired or temporary password using FreeIPA's change_password endpoint.
+ * This endpoint works without an active session.
+ */
+export const changeExpiredPassword = async (params: {
+  username: string;
+  currentPassword: string;
+  newPassword: string;
+}): Promise<MutationResult<void>> => {
+  const { username, currentPassword, newPassword } = params;
+  const config = await getEnabledConfig();
+  if (!config.ok) return config;
+
+  const tls = await getFreeIpaTls();
+  const res = await fetch(`${freeipa.client.baseUrl(config.data.url)}/ipa/session/change_password`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Referer: `${freeipa.client.baseUrl(config.data.url)}/ipa`,
+      Accept: "text/plain",
+    },
+    body: new URLSearchParams({
+      user: username,
+      old_password: currentPassword,
+      new_password: newPassword,
+    }),
+    ...(tls ? { tls } : {}),
+  });
+
+  // FreeIPA returns X-IPA-Pwchange-Result header
+  const pwchangeResult = res.headers.get("X-IPA-Pwchange-Result");
+  if (pwchangeResult !== "ok") {
+    const body = await res.text();
+    const policyMatch = body.match(/policy-error[^:]*:\s*(.+)/i);
+    const message = policyMatch?.[1] ?? "Failed to change password. Check your current password and try again.";
+    return { ok: false, error: message, status: 400 };
+  }
+
+  return { ok: true, data: undefined };
+};
+
+// ==========================
+// Change Password (with session, for authenticated users)
+// ==========================
+
+/**
+ * Change password for an authenticated user using their session.
+ */
+export const changePassword = async (params: { ipaSession: string; uid: string; newPassword: string }): Promise<MutationResult<void>> => {
+  const { ipaSession, uid, newPassword } = params;
+  const config = await getEnabledConfig();
+  if (!config.ok) return config;
+
+  const response = await freeipa.client.call({
+    url: config.data.url,
+    ipaSession,
+    method: "user_mod",
+    args: [uid],
+    options: {
+      userpassword: newPassword,
+    },
+  });
+  if (response.error) {
+    return {
+      ok: false,
+      error: response.error.message ?? "Failed to change password.",
+      status: freeipa.util.mapIpaErrorCode(response.error.code),
+    };
+  }
+
+  return { ok: true, data: undefined };
+};