npm - @valentinkolb/cloud - Versions diffs - 0.1.0 - Mend

@valentinkolb/cloud 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (196) hide show

package/package.json +69 -0
package/public/logo.svg +1 -0
package/scripts/build.ts +113 -0
package/scripts/preload.ts +73 -0
package/src/_internal/define-app.ts +399 -0
package/src/_internal/heartbeat.ts +33 -0
package/src/_internal/registry.ts +100 -0
package/src/_internal/runtime-context.ts +38 -0
package/src/api/accounts-entities.ts +134 -0
package/src/api/admin-lifecycle.ts +210 -0
package/src/api/auth/schemas.ts +28 -0
package/src/api/auth.ts +230 -0
package/src/api/index.ts +66 -0
package/src/api/me.ts +206 -0
package/src/api/search/schemas.ts +43 -0
package/src/api/search.ts +130 -0
package/src/clients/core.ts +19 -0
package/src/config/env.ts +23 -0
package/src/config/index.ts +6 -0
package/src/config/ssr.ts +58 -0
package/src/contracts/app.ts +140 -0
package/src/contracts/index.ts +5 -0
package/src/contracts/profile.ts +67 -0
package/src/contracts/registry.ts +50 -0
package/src/contracts/settings-types.ts +84 -0
package/src/contracts/shared.ts +258 -0
package/src/contracts/widgets.ts +121 -0
package/src/index.ts +6 -0
package/src/server/api/index.ts +1 -0
package/src/server/api/respond.ts +55 -0
package/src/server/api-client.ts +54 -0
package/src/server/app-context.ts +39 -0
package/src/server/index.ts +62 -0
package/src/server/middleware/auth.ts +168 -0
package/src/server/middleware/index.ts +7 -0
package/src/server/middleware/middleware.ts +47 -0
package/src/server/middleware/openapi.ts +126 -0
package/src/server/middleware/rate-limit.ts +126 -0
package/src/server/middleware/request-logger.ts +41 -0
package/src/server/middleware/validator.ts +35 -0
package/src/server/services/access.ts +294 -0
package/src/server/services/freeipa/client.ts +100 -0
package/src/server/services/freeipa/index.ts +9 -0
package/src/server/services/freeipa/session.ts +78 -0
package/src/server/services/freeipa/tls.ts +48 -0
package/src/server/services/freeipa/util.ts +60 -0
package/src/server/services/geo.ts +154 -0
package/src/server/services/index.ts +28 -0
package/src/server/services/services.ts +13 -0
package/src/services/account-lifecycle/audit.ts +41 -0
package/src/services/account-lifecycle/index.ts +907 -0
package/src/services/account-lifecycle/scheduler.ts +347 -0
package/src/services/account-model.ts +21 -0
package/src/services/accounts/app.ts +966 -0
package/src/services/accounts/authz.ts +22 -0
package/src/services/accounts/base-group.ts +11 -0
package/src/services/accounts/base-user.ts +45 -0
package/src/services/accounts/entities.ts +529 -0
package/src/services/accounts/group-sql.ts +106 -0
package/src/services/accounts/groups.ts +246 -0
package/src/services/accounts/index.ts +14 -0
package/src/services/accounts/ipa-data.ts +64 -0
package/src/services/accounts/lifecycle.ts +2 -0
package/src/services/accounts/local-groups.ts +491 -0
package/src/services/accounts/model.ts +135 -0
package/src/services/accounts/switching.ts +117 -0
package/src/services/accounts/users.ts +714 -0
package/src/services/auth-flows/index.ts +6 -0
package/src/services/auth-flows/ipa.ts +128 -0
package/src/services/auth-flows/magic-link.ts +119 -0
package/src/services/freeipa-config.ts +89 -0
package/src/services/index.ts +46 -0
package/src/services/ipa/auth.ts +122 -0
package/src/services/ipa/groups.ts +684 -0
package/src/services/ipa/guard.ts +17 -0
package/src/services/ipa/index.ts +17 -0
package/src/services/ipa/profile.ts +90 -0
package/src/services/ipa/search.ts +154 -0
package/src/services/ipa/sync.ts +740 -0
package/src/services/ipa/users.ts +794 -0
package/src/services/logging/index.ts +294 -0
package/src/services/notifications/email.ts +123 -0
package/src/services/notifications/index.ts +413 -0
package/src/services/postgres.ts +51 -0
package/src/services/providers/index.ts +27 -0
package/src/services/providers/local/auth.ts +13 -0
package/src/services/providers/local/index.ts +4 -0
package/src/services/providers/local/users.ts +255 -0
package/src/services/session/index.ts +137 -0
package/src/services/settings/api.ts +61 -0
package/src/services/settings/app.ts +101 -0
package/src/services/settings/crypto.ts +69 -0
package/src/services/settings/defaults.ts +824 -0
package/src/services/settings/index.ts +203 -0
package/src/services/settings/namespace.ts +9 -0
package/src/services/settings/snapshot.ts +49 -0
package/src/services/settings/store.ts +179 -0
package/src/services/settings/templates.ts +10 -0
package/src/services/weather/forecast.ts +287 -0
package/src/services/weather/geo.ts +110 -0
package/src/services/weather/index.ts +99 -0
package/src/services/weather/location.ts +24 -0
package/src/services/weather/locations.ts +125 -0
package/src/services/weather/migrate.ts +22 -0
package/src/services/weather/types.ts +61 -0
package/src/services/weather/ui.ts +50 -0
package/src/shared/account-display.ts +17 -0
package/src/shared/account-session.ts +15 -0
package/src/shared/icons.ts +109 -0
package/src/shared/index.ts +10 -0
package/src/shared/markdown/client.ts +130 -0
package/src/shared/markdown/extensions/code.ts +58 -0
package/src/shared/markdown/extensions/images.ts +43 -0
package/src/shared/markdown/extensions/info-blocks.ts +93 -0
package/src/shared/markdown/extensions/katex.ts +120 -0
package/src/shared/markdown/extensions/links.ts +34 -0
package/src/shared/markdown/extensions/tables.ts +88 -0
package/src/shared/markdown/extensions/task-list.ts +53 -0
package/src/shared/markdown/index.ts +97 -0
package/src/shared/markdown/shared.ts +36 -0
package/src/ssr/AdminLayout.tsx +42 -0
package/src/ssr/AdminSidebar.tsx +95 -0
package/src/ssr/Footer.island.tsx +62 -0
package/src/ssr/GlobalSearchDialog.tsx +389 -0
package/src/ssr/GlobalSearchHelpDialog.tsx +106 -0
package/src/ssr/GlobalSearchTrigger.island.tsx +42 -0
package/src/ssr/HotkeysHelpRail.island.tsx +99 -0
package/src/ssr/Layout.tsx +326 -0
package/src/ssr/MoreAppsDropdown.island.tsx +61 -0
package/src/ssr/NavMenu.island.tsx +108 -0
package/src/ssr/ThemeToggleRail.island.tsx +27 -0
package/src/ssr/index.ts +5 -0
package/src/ssr/islands/SearchBar.island.tsx +77 -0
package/src/ssr/islands/index.ts +1 -0
package/src/ssr/runtime.ts +22 -0
package/src/styles/base-popover.css +28 -0
package/src/styles/effects.css +65 -0
package/src/styles/global.css +133 -0
package/src/styles/input.css +54 -0
package/src/styles/tokens.css +35 -0
package/src/styles/utilities-buttons.css +125 -0
package/src/styles/utilities-feedback.css +65 -0
package/src/styles/utilities-layout.css +122 -0
package/src/styles/utilities-navigation.css +196 -0
package/src/types/ambient.d.ts +8 -0
package/src/ui/admin-settings.tsx +148 -0
package/src/ui/dialog-core.ts +146 -0
package/src/ui/filter/FilterChip.tsx +196 -0
package/src/ui/filter/index.ts +2 -0
package/src/ui/index.ts +19 -0
package/src/ui/input/Checkbox.tsx +55 -0
package/src/ui/input/ColorInput.tsx +122 -0
package/src/ui/input/DateTimeInput.tsx +86 -0
package/src/ui/input/ImageInput.tsx +170 -0
package/src/ui/input/NumberInput.tsx +113 -0
package/src/ui/input/PinInput.tsx +169 -0
package/src/ui/input/SegmentedControl.tsx +99 -0
package/src/ui/input/Select.tsx +288 -0
package/src/ui/input/SelectChip.tsx +61 -0
package/src/ui/input/Slider.tsx +118 -0
package/src/ui/input/Switch.tsx +62 -0
package/src/ui/input/TagsInput.tsx +115 -0
package/src/ui/input/TextInput.tsx +160 -0
package/src/ui/input/index.ts +13 -0
package/src/ui/input/types.ts +42 -0
package/src/ui/input/util.tsx +105 -0
package/src/ui/ipa/Avatar.tsx +28 -0
package/src/ui/ipa/GroupView.tsx +36 -0
package/src/ui/ipa/LoginBtn.tsx +16 -0
package/src/ui/ipa/UserView.tsx +58 -0
package/src/ui/ipa/index.ts +4 -0
package/src/ui/misc/ContextMenu.tsx +211 -0
package/src/ui/misc/CopyButton.tsx +28 -0
package/src/ui/misc/Dropdown.tsx +194 -0
package/src/ui/misc/EntitySearch.tsx +213 -0
package/src/ui/misc/Lightbox.tsx +194 -0
package/src/ui/misc/LinkCard.tsx +34 -0
package/src/ui/misc/LogEntriesTable.tsx +61 -0
package/src/ui/misc/MarkdownView.tsx +65 -0
package/src/ui/misc/Pagination.tsx +51 -0
package/src/ui/misc/PermissionEditor.tsx +379 -0
package/src/ui/misc/ProgressBar.tsx +47 -0
package/src/ui/misc/RemoveBtn.tsx +27 -0
package/src/ui/misc/StatCell.tsx +90 -0
package/src/ui/misc/index.ts +18 -0
package/src/ui/navigation.ts +32 -0
package/src/ui/prompts.tsx +854 -0
package/src/ui/sidebar.tsx +468 -0
package/src/ui/widgets/Widget.tsx +62 -0
package/src/ui/widgets/WidgetCard.tsx +19 -0
package/src/ui/widgets/WidgetHero.tsx +39 -0
package/src/ui/widgets/WidgetList.tsx +84 -0
package/src/ui/widgets/WidgetPills.tsx +68 -0
package/src/ui/widgets/WidgetStat.tsx +67 -0
package/src/ui/widgets/WidgetStatus.tsx +62 -0
package/src/ui/widgets/index.ts +9 -0

package/src/server/middleware/rate-limit.ts ADDED Viewed

@@ -0,0 +1,126 @@
+import type { Context } from "hono";
+import type { MiddlewareHandler } from "hono";
+import { createMiddleware } from "hono/factory";
+import { ratelimit } from "@valentinkolb/sync";
+import { auth, type AuthContext } from "./auth";
+import * as settings from "../../services/settings";
+import type { MessageResponse } from "../../contracts/shared";
+export type RateLimitRouteOverride = {
+  method?: string;
+  path: string | RegExp;
+  limitPerSecond?: number;
+  disabled?: boolean;
+};
+export type RateLimitConfig = {
+  limitPerSecond?: number;
+  windowSecs?: number;
+  keyBy?: "auto" | "ip" | "user";
+  routes?: RateLimitRouteOverride[];
+};
+type ResolvedRateLimit = {
+  disabled: boolean;
+  limitPerSecond: number;
+  windowSecs: number;
+};
+const DEFAULT_WINDOW_SECS = 1;
+const LIMITER_PREFIX = "cloud:rate-limit";
+const limiterCache = new Map<string, ReturnType<typeof ratelimit>>();
+const getClientIp = (c: Context): string =>
+  c.req.header("x-forwarded-for")?.split(",")[0]?.trim() ?? c.req.header("x-real-ip") ?? "unknown";
+const pathMatches = (requestPath: string, matcher: string | RegExp): boolean => {
+  if (matcher instanceof RegExp) return matcher.test(requestPath);
+  return requestPath === matcher || requestPath.startsWith(`${matcher}/`);
+};
+const resolveRouteOverride = (c: Context, overrides: RateLimitRouteOverride[] | undefined): RateLimitRouteOverride | undefined => {
+  if (!overrides || overrides.length === 0) return undefined;
+  return overrides.find((override) => {
+    if (override.method && override.method.toUpperCase() !== c.req.method.toUpperCase()) {
+      return false;
+    }
+    return pathMatches(c.req.path, override.path);
+  });
+};
+const resolveConfig = async (c: Context, config: RateLimitConfig): Promise<ResolvedRateLimit> => {
+  const override = resolveRouteOverride(c, config.routes);
+  if (override?.disabled) {
+    return {
+      disabled: true,
+      limitPerSecond: 0,
+      windowSecs: config.windowSecs ?? DEFAULT_WINDOW_SECS,
+    };
+  }
+  const configuredLimit = override?.limitPerSecond ?? config.limitPerSecond ?? null;
+  const limitPerSecond = configuredLimit ?? (await settings.get<number>("security.rate_limit_per_second"));
+  return {
+    disabled: false,
+    limitPerSecond: Math.max(1, Math.floor(limitPerSecond)),
+    windowSecs: Math.max(1, Math.floor(config.windowSecs ?? DEFAULT_WINDOW_SECS)),
+  };
+};
+const getLimiter = (limitPerSecond: number, windowSecs: number) => {
+  const cacheKey = `${limitPerSecond}:${windowSecs}`;
+  const cached = limiterCache.get(cacheKey);
+  if (cached) return cached;
+  const limiter = ratelimit({
+    id: cacheKey,
+    limit: limitPerSecond,
+    windowSecs,
+    prefix: LIMITER_PREFIX,
+  });
+  limiterCache.set(cacheKey, limiter);
+  return limiter;
+};
+const resolveIdentifier = async (c: Context<AuthContext>, keyBy: RateLimitConfig["keyBy"]): Promise<string> => {
+  if (keyBy === "ip") return `ip:${getClientIp(c)}`;
+  const token = auth.session.getToken(c);
+  if (!token) return `ip:${getClientIp(c)}`;
+  const data = await auth.session.getData(token);
+  if (!data) return `ip:${getClientIp(c)}`;
+  return `user:${data.userId}`;
+};
+/**
+ * Stateless per-route rate limiting middleware backed by @valentinkolb/sync.
+ * Keying defaults to user ID (when session exists), otherwise client IP.
+ */
+export const rateLimit = (config: RateLimitConfig = {}): MiddlewareHandler<AuthContext> =>
+  createMiddleware<AuthContext>(async (c, next) => {
+    const resolved = await resolveConfig(c, config);
+    if (resolved.disabled) {
+      await next();
+      return;
+    }
+    const keyBy = config.keyBy ?? "auto";
+    const identifier = await resolveIdentifier(c, keyBy);
+    const limiter = getLimiter(resolved.limitPerSecond, resolved.windowSecs);
+    const result = await limiter.check(identifier);
+    const resetInSeconds = Math.max(1, Math.ceil(result.resetIn / 1000));
+    c.header("X-RateLimit-Limit", String(resolved.limitPerSecond));
+    c.header("X-RateLimit-Remaining", String(result.remaining));
+    c.header("X-RateLimit-Reset", String(resetInSeconds));
+    if (result.limited) {
+      c.header("Retry-After", String(resetInSeconds));
+      return c.json({ message: "Rate limit exceeded" } as MessageResponse, 429);
+    }
+    await next();
+  });

package/src/server/middleware/request-logger.ts ADDED Viewed

@@ -0,0 +1,41 @@
+import { createMiddleware } from "hono/factory";
+import { logger } from "../../services/logging";
+import type { AuthContext } from "./auth";
+const log = logger("http");
+const SKIP_PREFIXES = ["/public/", "/_ssr/", "/favicon", "/branding/"];
+/**
+ * HTTP request logging middleware.
+ * Logs to DB based on response status:
+ * - 5xx → error (server errors)
+ * - 429 → warn (rate limiting)
+ * - 401/403 → info (auth flows)
+ * - Everything else (2xx, 3xx, 400, 404) → not logged (too noisy)
+ */
+export const requestLogger = createMiddleware<AuthContext>(async (c, next) => {
+  const path = c.req.path;
+  if (SKIP_PREFIXES.some((p) => path.startsWith(p))) return next();
+  const start = Date.now();
+  await next();
+  const status = c.res.status;
+  const duration = Date.now() - start;
+  const meta = {
+    method: c.req.method,
+    path,
+    status,
+    duration,
+    userId: c.get("user")?.id ?? null,
+  };
+  if (status >= 500) {
+    log.error(`${c.req.method} ${path} ${status}`, meta);
+  } else if (status === 429) {
+    log.warn(`${c.req.method} ${path} 429 rate-limited`, meta);
+  } else if (status === 401 || status === 403) {
+    log.info(`${c.req.method} ${path} ${status}`, meta);
+  }
+});

package/src/server/middleware/validator.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import { validator as honoValidator } from "hono-openapi";
+import type { ZodType } from "zod";
+import type { ValidationTargets, Context } from "hono";
+/**
+ * Zod validator middleware with pretty error messages and OpenAPI support.
+ * Uses hono-openapi validator for automatic OpenAPI schema generation.
+ *
+ * @param target - Where to validate: "json", "query", "param", "header", "cookie", or "form"
+ * @param schema - Zod schema to validate against
+ * @returns Hono middleware that validates request data and returns 400 on failure
+ *
+ * @example
+ * ```ts
+ * app.post("/users", v("json", CreateUserSchema), async (c) => {
+ *   const data = c.req.valid("json"); // Fully typed!
+ *   // ...
+ * });
+ * ```
+ */
+export const validator = <Target extends keyof ValidationTargets, T extends ZodType>(target: Target, schema: T) =>
+  honoValidator(target, schema, (result, c: Context) => {
+    if (!result.success) {
+      // Standard Schema returns issues array on failure
+      const errorMessage = result.error
+        ?.map((issue) => {
+          const path = issue.path?.map((p) => (typeof p === "object" && "key" in p ? String(p.key) : String(p))).join(".");
+          return path ? `${path}: ${issue.message}` : issue.message;
+        })
+        .join(", ");
+      return c.json({ message: errorMessage || "Validation failed" }, 400);
+    }
+  });
+export const v = validator;

package/src/server/services/access.ts ADDED Viewed

@@ -0,0 +1,294 @@
+import { sql } from "bun";
+import { err, fail, ok, type Result } from "@valentinkolb/stdlib";
+// ==========================
+// Permission Levels
+// ==========================
+export const PERMISSION_LEVELS = ["none", "read", "write", "admin"] as const;
+export type PermissionLevel = (typeof PERMISSION_LEVELS)[number];
+/** Compare permission levels (returns true if a >= b) */
+export const hasPermission = (userLevel: PermissionLevel, requiredLevel: PermissionLevel): boolean => {
+  const levels = PERMISSION_LEVELS;
+  return levels.indexOf(userLevel) >= levels.indexOf(requiredLevel);
+};
+// ==========================
+// Principal Types
+// ==========================
+export type PrincipalType = "user" | "group" | "authenticated" | "public";
+export type Principal =
+  | { type: "user"; userId: string }
+  | { type: "group"; groupId: string }
+  | { type: "authenticated" }
+  | { type: "public" };
+// ==========================
+// Access Entry Types
+// ==========================
+export type AccessEntry = {
+  id: string;
+  principal: Principal;
+  permission: PermissionLevel;
+  createdAt: string;
+  // Resolved display info (populated by service)
+  displayName?: string;
+};
+type DbAccess = {
+  id: string;
+  user_id: string | null;
+  group_id: string | null;
+  authenticated_only: boolean;
+  permission: PermissionLevel;
+  created_at: Date;
+};
+// ==========================
+// Helper Functions
+// ==========================
+/**
+ * Converts UUID strings into a PostgreSQL uuid[] literal for relation queries.
+ */
+const toPgUuidArray = (values: string[] | null | undefined): string => {
+  if (!Array.isArray(values) || values.length === 0) return "{}";
+  return `{${values.join(",")}}`;
+};
+/**
+ * Builds a typed access principal from one database access row.
+ */
+const principalFromDb = (row: DbAccess): Principal => {
+  if (row.user_id) return { type: "user", userId: row.user_id };
+  if (row.group_id) return { type: "group", groupId: row.group_id };
+  if (row.authenticated_only) return { type: "authenticated" };
+  return { type: "public" };
+};
+/**
+ * Maps raw access rows into the normalized AccessEntry shape used by app services.
+ */
+const mapToAccessEntry = (row: DbAccess): AccessEntry => ({
+  id: row.id,
+  principal: principalFromDb(row),
+  permission: row.permission,
+  createdAt: row.created_at.toISOString(),
+});
+// ==========================
+// Core Access Service
+// ==========================
+/**
+ * Create a new access entry.
+ * Returns the created entry ID.
+ */
+export const createAccess = async (params: { principal: Principal; permission: PermissionLevel }): Promise<Result<{ id: string }>> => {
+  const { principal, permission } = params;
+  let userId: string | null = null;
+  let groupId: string | null = null;
+  let authenticatedOnly = false;
+  if (principal.type === "user") {
+    userId = principal.userId;
+    // Verify user exists
+    const [user] = await sql<{ id: string }[]>`
+      SELECT id FROM auth.users WHERE id = ${userId}::uuid
+    `;
+    if (!user) {
+      return fail(err.notFound("User"));
+    }
+  } else if (principal.type === "group") {
+    groupId = principal.groupId;
+    // Verify group exists
+    const [group] = await sql<{ id: string }[]>`
+      SELECT id FROM auth.groups WHERE id = ${groupId}::uuid
+    `;
+    if (!group) {
+      return fail(err.notFound("Group"));
+    }
+  } else if (principal.type === "authenticated") {
+    authenticatedOnly = true;
+  }
+  // public: user/group null, authenticated_only false
+  const [row] = await sql<{ id: string }[]>`
+    INSERT INTO auth.access (user_id, group_id, authenticated_only, permission)
+    VALUES (${userId}::uuid, ${groupId}::uuid, ${authenticatedOnly}, ${permission}::auth.permission_level)
+    RETURNING id
+  `;
+  if (!row) {
+    return fail(err.internal("Failed to create access entry"));
+  }
+  return ok({ id: row.id });
+};
+/**
+ * Get an access entry by ID.
+ */
+export const getAccess = async (params: { id: string }): Promise<AccessEntry | null> => {
+  const [row] = await sql<DbAccess[]>`
+    SELECT id, user_id, group_id, authenticated_only, permission, created_at
+    FROM auth.access
+    WHERE id = ${params.id}::uuid
+  `;
+  return row ? mapToAccessEntry(row) : null;
+};
+/**
+ * Update an access entry's permission level.
+ */
+export const updateAccess = async (params: { id: string; permission: PermissionLevel }): Promise<Result<void>> => {
+  const result = await sql`
+    UPDATE auth.access
+    SET permission = ${params.permission}::auth.permission_level
+    WHERE id = ${params.id}::uuid
+  `;
+  if (result.count === 0) {
+    return fail(err.notFound("Access entry"));
+  }
+  return ok();
+};
+/**
+ * Delete an access entry.
+ */
+export const deleteAccess = async (params: { id: string }): Promise<Result<void>> => {
+  const result = await sql`
+    DELETE FROM auth.access
+    WHERE id = ${params.id}::uuid
+  `;
+  if (result.count === 0) {
+    return fail(err.notFound("Access entry"));
+  }
+  return ok();
+};
+// ==========================
+// Resource Access Helpers
+// ==========================
+/**
+ * Generic interface for resource access junction tables.
+ * Each app implements this to connect their resources to auth.access.
+ */
+export type ResourceAccessAdapter<TResourceId = string> = {
+  /** Get all access entries for a resource */
+  list: (resourceId: TResourceId) => Promise<AccessEntry[]>;
+  /** Add an access entry to a resource */
+  add: (resourceId: TResourceId, accessId: string) => Promise<Result<void>>;
+  /** Remove an access entry from a resource */
+  remove: (resourceId: TResourceId, accessId: string) => Promise<Result<void>>;
+  /** Count access entries for a resource */
+  count: (resourceId: TResourceId) => Promise<number>;
+};
+/**
+ * Get the effective permission level for a user on a resource.
+ * Returns the highest permission from:
+ * - Direct user access
+ * - Group memberships
+ * - Public access
+ */
+export const getEffectivePermission = async (params: {
+  accessIds: string[];
+  userId: string | null;
+  userGroups: string[];
+}): Promise<PermissionLevel> => {
+  const accessIds = params.accessIds ?? [];
+  const userId = params.userId;
+  const userGroups = params.userGroups ?? [];
+  if (accessIds.length === 0) return "none";
+  // Query all matching access entries
+  const rows = await sql<{ permission: PermissionLevel }[]>`
+    SELECT permission
+    FROM auth.access
+    WHERE id = ANY(${toPgUuidArray(accessIds)}::uuid[])
+      AND (
+        user_id = ${userId}::uuid
+        OR group_id = ANY(${toPgUuidArray(userGroups)}::uuid[])
+        OR (${userId}::uuid IS NOT NULL AND authenticated_only = true)
+        OR (user_id IS NULL AND group_id IS NULL AND authenticated_only = false)
+      )
+    ORDER BY
+      CASE permission
+        WHEN 'admin' THEN 4
+        WHEN 'write' THEN 3
+        WHEN 'read' THEN 2
+        WHEN 'none' THEN 1
+      END DESC
+    LIMIT 1
+  `;
+  return rows[0]?.permission ?? "none";
+};
+/**
+ * Resolve display names for access entries.
+ * Populates the displayName field based on principal type.
+ */
+export const resolveDisplayNames = async (entries: AccessEntry[]): Promise<AccessEntry[]> => {
+  const userIds = entries.filter((e) => e.principal.type === "user").map((e) => (e.principal as { type: "user"; userId: string }).userId);
+  const groupIds = entries
+    .filter((e) => e.principal.type === "group")
+    .map((e) => (e.principal as { type: "group"; groupId: string }).groupId);
+  // Fetch user display names
+  const userNames = new Map<string, string>();
+  if (userIds.length > 0) {
+    const users = await sql<{ id: string; display_name: string; uid: string }[]>`
+      SELECT id, display_name, uid
+      FROM auth.users
+      WHERE id = ANY(${toPgUuidArray(userIds)}::uuid[])
+    `;
+    for (const u of users) {
+      userNames.set(u.id, u.display_name || u.uid);
+    }
+  }
+  const groupNames = new Map<string, string>();
+  if (groupIds.length > 0) {
+    const groups = await sql<{ id: string; name: string }[]>`
+      SELECT id, name
+      FROM auth.groups
+      WHERE id = ANY(${toPgUuidArray(groupIds)}::uuid[])
+    `;
+    for (const group of groups) {
+      groupNames.set(group.id, group.name);
+    }
+  }
+  return entries.map((entry) => {
+    let displayName: string;
+    switch (entry.principal.type) {
+      case "user":
+        displayName = userNames.get(entry.principal.userId) ?? "Unknown User";
+        break;
+      case "group":
+        displayName = groupNames.get(entry.principal.groupId) ?? "Unknown Group";
+        break;
+      case "authenticated":
+        displayName = "All users (incl. guests)";
+        break;
+      case "public":
+        displayName = "Public";
+        break;
+    }
+    return { ...entry, displayName };
+  });
+};

package/src/server/services/freeipa/client.ts ADDED Viewed

@@ -0,0 +1,100 @@
+import { getFreeIpaTls } from "./tls";
+export type IpaRpcResult = {
+  result: unknown;
+  count: number;
+  truncated: boolean;
+  summary: string | null;
+};
+export type IpaRpcResponse = {
+  result: IpaRpcResult | null;
+  error: { code: number; message: string; name: string } | null;
+  id: number;
+};
+export const baseUrl = (url: string): string => `https://${url}`;
+const isNoModificationError = (error: IpaRpcResponse["error"]): boolean =>
+  error?.code === 4202 && (error.message ?? "").toLowerCase().includes("no modifications to be performed");
+export const call = async (
+  config: {
+    url: string;
+    ipaSession: string;
+    method: string;
+    args?: unknown[];
+    options?: Record<string, unknown>;
+  },
+): Promise<IpaRpcResponse> => {
+  const tls = await getFreeIpaTls();
+  const res = await fetch(`${baseUrl(config.url)}/ipa/session/json`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Referer: `${baseUrl(config.url)}/ipa`,
+      Accept: "application/json",
+      Cookie: `ipa_session=${config.ipaSession}`,
+    },
+    body: JSON.stringify({
+      method: config.method,
+      params: [config.args ?? [], { ...(config.options ?? {}), version: "2.251" }],
+      id: 0,
+    }),
+    ...(tls ? { tls } : {}),
+  });
+  if (!res.ok || !res.headers.get("content-type")?.includes("json")) {
+    const text = await res.text();
+    console.error("[freeipa:client] Non-JSON response", {
+      method: config.method,
+      status: res.status,
+      body: text.slice(0, 200),
+    });
+    if (res.status === 401 || text.includes("Invalid Authentication") || text.includes("GSSAPI Error")) {
+      return {
+        result: null,
+        error: {
+          code: 403,
+          message: "Your IPA session has expired or is invalid. Please log out and log in again to refresh your session.",
+          name: "SessionExpired",
+        },
+        id: 0,
+      };
+    }
+    return {
+      result: null,
+      error: {
+        code: res.status,
+        message: "Non-JSON response from IPA",
+        name: "FetchError",
+      },
+      id: 0,
+    };
+  }
+  const response = (await res.json()) as IpaRpcResponse;
+  if (response.error) {
+    if (isNoModificationError(response.error)) {
+      return {
+        result: {
+          result: null,
+          count: 0,
+          truncated: false,
+          summary: response.error.message,
+        },
+        error: null,
+        id: response.id,
+      };
+    }
+    console.error("[freeipa:client] RPC failed", {
+      method: config.method,
+      code: response.error.code,
+      message: response.error.message,
+    });
+  }
+  return response;
+};

package/src/server/services/freeipa/index.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import * as client from "./client";
+import * as session from "./session";
+import * as util from "./util";
+export const freeipa = {
+  client,
+  session,
+  util,
+} as const;

package/src/server/services/freeipa/session.ts ADDED Viewed

@@ -0,0 +1,78 @@
+import { baseUrl, call } from "./client";
+import { getFreeIpaTls, getFreeIpaTlsFingerprint } from "./tls";
+export type LoginResult = { status: "success"; session: string } | { status: "password_expired" } | { status: "failed" };
+export const login = async (config: { url: string; username: string; password: string }): Promise<LoginResult> => {
+  const tls = await getFreeIpaTls();
+  const res = await fetch(`${baseUrl(config.url)}/ipa/session/login_password`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Referer: `${baseUrl(config.url)}/ipa`,
+      Accept: "text/plain",
+    },
+    body: new URLSearchParams({ user: config.username, password: config.password }),
+    redirect: "manual",
+    ...(tls ? { tls } : {}),
+  });
+  const rejectionReason = res.headers.get("X-IPA-Rejection-Reason");
+  if (rejectionReason === "password-expired") {
+    return { status: "password_expired" };
+  }
+  if (!res.ok && res.status !== 303) return { status: "failed" };
+  const cookies = res.headers.getSetCookie?.() ?? [];
+  for (const cookie of cookies) {
+    const match = cookie.match(/ipa_session=([^;]+)/);
+    if (match?.[1]) return { status: "success", session: match[1] };
+  }
+  const single = res.headers.get("set-cookie") ?? "";
+  const match = single.match(/ipa_session=([^;]+)/);
+  return match?.[1] ? { status: "success", session: match[1] } : { status: "failed" };
+};
+let svcSession: string | null = null;
+let svcSessionPromise: Promise<string> | null = null;
+let svcSessionKey: string | null = null;
+export const getServiceSession = async (config: {
+  url: string;
+  serviceUser: string;
+  servicePassword: string;
+}): Promise<string> => {
+  // Include TLS fingerprint so toggling allow_insecure or rotating ca_cert
+  // forces a re-login (otherwise the cached session keeps using the old TLS
+  // trust anchor for fetches that wouldn't have succeeded under it).
+  const currentKey = `${config.url}::${config.serviceUser}::${await getFreeIpaTlsFingerprint()}`;
+  if (svcSessionKey !== currentKey) {
+    svcSession = null;
+    svcSessionKey = currentKey;
+  }
+  if (svcSession) {
+    const check = await call({ url: config.url, ipaSession: svcSession, method: "ping", args: [] });
+    if (!check.error) return svcSession;
+  }
+  if (!svcSessionPromise) {
+    svcSessionPromise = (async () => {
+      const result = await login({
+        url: config.url,
+        username: config.serviceUser,
+        password: config.servicePassword,
+      });
+      if (result.status !== "success") {
+        console.error("[freeipa:session] Service account auth failed");
+        throw new Error("Failed to authenticate FreeIPA service account. Check freeipa.url/freeipa.service_user/freeipa.service_password.");
+      }
+      svcSession = result.session;
+      return result.session;
+    })().finally(() => {
+      svcSessionPromise = null;
+    });
+  }
+  return svcSessionPromise;
+};