@valentinkolb/cloud 0.1.0

package/src/server/services/freeipa/tls.ts

@@ -0,0 +1,48 @@
+/**
+ * TLS resolver slot for FreeIPA transport (`client.ts`, `session.ts`).
+ *
+ * The transport layer cannot directly read settings (would create a cycle:
+ * `services/freeipa-config.ts` already depends on `server/services/freeipa/`).
+ * Instead, the layer that owns settings registers a resolver via
+ * `setFreeIpaTlsResolver()` and the transport calls `getFreeIpaTls()` per fetch.
+ *
+ * Resolver is async — it reads through the Redis cache-aside settings layer.
+ * Returns Bun fetch `tls` options or `undefined` for system trust.
+ * Resolution order is the resolver's concern (typically: ca_cert > allow_insecure > undefined).
+ */
+// `BunFetchRequestInitTLS` is declared as a global (see bun-types/globals.d.ts)
+// and not exported from the "bun" module. Use `Bun.TLSOptions` — fetch's `tls`
+// option accepts it (the global extends it with `checkServerIdentity` which we
+// don't need).
+type FreeIpaTls = Bun.TLSOptions;
+
+let resolver: (() => Promise<FreeIpaTls | undefined>) | null = null;
+
+export const setFreeIpaTlsResolver = (
+  fn: (() => Promise<FreeIpaTls | undefined>) | null,
+): void => {
+  resolver = fn;
+};
+
+export const getFreeIpaTls = async (): Promise<FreeIpaTls | undefined> => {
+  return (await resolver?.()) ?? undefined;
+};
+
+/**
+ * Stable fingerprint of the current TLS config — used as a cache-key suffix
+ * (e.g. for the cached service session) so that flipping `allow_insecure` or
+ * rotating `ca_cert` forces re-establishment of cached connections.
+ */
+export const getFreeIpaTlsFingerprint = async (): Promise<string> => {
+  const tls = await getFreeIpaTls();
+  if (!tls) return "sys";
+  if (tls.ca && typeof tls.ca === "string" && tls.ca.length > 0) {
+    // Cheap non-cryptographic hash; collision risk is irrelevant here (only
+    // used to detect "did the cert change").
+    let h = 0;
+    for (let i = 0; i < tls.ca.length; i++) h = ((h << 5) - h + tls.ca.charCodeAt(i)) | 0;
+    return `ca:${(h >>> 0).toString(16)}`;
+  }
+  if (tls.rejectUnauthorized === false) return "insec";
+  return "sys";
+};

package/src/server/services/freeipa/util.ts

@@ -0,0 +1,60 @@
+export class IpaError extends Error {
+  constructor(
+    message: string,
+    public readonly code?: number,
+    public readonly data?: unknown,
+  ) {
+    super(message);
+    this.name = "IpaError";
+  }
+}
+
+export type DbRow = Record<string, unknown>;
+
+export const str = (val: unknown): string => {
+  if (Array.isArray(val)) return String(val[0] ?? "");
+  return String(val ?? "");
+};
+
+export const num = (val: unknown): number | null => {
+  const raw = Array.isArray(val) ? val[0] : val;
+  const n = Number(raw);
+  return Number.isNaN(n) ? null : n;
+};
+
+export const parseGeneralizedTime = (val: unknown): Date | null => {
+  let raw = Array.isArray(val) ? val[0] : val;
+  if (raw && typeof raw === "object" && "__datetime__" in raw) {
+    raw = (raw as Record<string, unknown>).__datetime__;
+  }
+  const s = typeof raw === "string" ? raw : "";
+  if (!s || s.length < 14) return null;
+  const iso = `${s.slice(0, 4)}-${s.slice(4, 6)}-${s.slice(6, 8)}T${s.slice(8, 10)}:${s.slice(10, 12)}:${s.slice(12, 14)}Z`;
+  const d = new Date(iso);
+  return Number.isNaN(d.getTime()) ? null : d;
+};
+
+export const toGeneralizedTime = (date: Date): string => {
+  const y = date.getUTCFullYear();
+  const m = String(date.getUTCMonth() + 1).padStart(2, "0");
+  const d = String(date.getUTCDate()).padStart(2, "0");
+  const h = String(date.getUTCHours()).padStart(2, "0");
+  const min = String(date.getUTCMinutes()).padStart(2, "0");
+  const s = String(date.getUTCSeconds()).padStart(2, "0");
+  return `${y}${m}${d}${h}${min}${s}Z`;
+};
+
+export const escapeLike = (value: string): string => value.replace(/\\/g, "\\\\").replace(/%/g, "\\%").replace(/_/g, "\\_");
+
+export const toExcludedGroupsSet = (groups: string[]): Set<string> => new Set(groups.map((group) => group.trim()).filter(Boolean));
+
+export const mapIpaErrorCode = (code: number): 400 | 401 | 403 => {
+  if (code === 4001) return 401;
+  if (code === 4301) return 403;
+  return 400;
+};
+
+export const toPgTextArray = (values: string[] | null | undefined): string => {
+  if (!Array.isArray(values) || values.length === 0) return "{}";
+  return `{${values.map((value) => `"${value.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`).join(",")}}`;
+};

package/src/server/services/geo.ts

@@ -0,0 +1,154 @@
+import { err, fail, ok, paginate, type PageParams, type Paginated, type Result } from "@valentinkolb/stdlib";
+
+type GeoApiPlace = {
+  name?: string;
+  latitude?: number;
+  longitude?: number;
+  country_code?: string;
+  admin1_code?: string;
+  feature_class?: string;
+  feature_code?: string;
+};
+
+type GeoApiSearchResponse = {
+  places?: GeoApiPlace[];
+};
+
+export type GeoPlace = {
+  name: string;
+  lat: number;
+  lon: number;
+  country?: string;
+  state?: string;
+  featureClass?: string;
+  featureCode?: string;
+};
+
+/**
+ * Normalizes and validates geo API base URLs before outbound requests.
+ */
+const normalizeBaseUrl = (baseUrl: string): Result<string> => {
+  const value = baseUrl.trim();
+  if (!value) {
+    return fail(err.badInput("Geo API base URL is required"));
+  }
+  return ok(value.replace(/\/$/, ""));
+};
+
+/**
+ * Maps one geo API place record to the internal place model and drops invalid rows.
+ */
+const toPlace = (place: GeoApiPlace): GeoPlace | null => {
+  if (typeof place.name !== "string" || typeof place.latitude !== "number" || typeof place.longitude !== "number") {
+    return null;
+  }
+
+  return {
+    name: place.name,
+    lat: place.latitude,
+    lon: place.longitude,
+    country: place.country_code,
+    state: place.admin1_code,
+    featureClass: place.feature_class,
+    featureCode: place.feature_code,
+  };
+};
+
+/**
+ * Searches places through the configured geo API and returns paginated, normalized matches.
+ */
+const list = async (config: {
+  baseUrl: string;
+  pagination?: PageParams;
+  filter: {
+    query: string;
+    country?: string;
+    featureClass?: string;
+    featureCode?: string;
+  };
+}): Promise<Result<Paginated<GeoPlace>>> => {
+  const query = config.filter.query.trim();
+  if (!query) {
+    const { page, perPage } = paginate(config.pagination);
+    return ok({
+      items: [],
+      page,
+      perPage,
+      total: 0,
+      hasNext: false,
+    });
+  }
+
+  const baseUrlResult = normalizeBaseUrl(config.baseUrl);
+  if (!baseUrlResult.ok) return baseUrlResult;
+
+  const params = new URLSearchParams({ q: query });
+  if (config.filter.country?.trim()) {
+    params.set("country", config.filter.country.trim());
+  }
+
+  try {
+    const res = await fetch(`${baseUrlResult.data}/geo/search?${params}`);
+    if (!res.ok) {
+      return fail(err.internal(`Geo search failed with status ${res.status}`));
+    }
+
+    const body = (await res.json()) as GeoApiSearchResponse;
+    const mapped = (body.places ?? []).map(toPlace).filter((place): place is GeoPlace => place !== null);
+
+    const filtered = mapped.filter((place) => {
+      if (config.filter.featureClass && place.featureClass !== config.filter.featureClass) {
+        return false;
+      }
+      if (config.filter.featureCode && place.featureCode !== config.filter.featureCode) {
+        return false;
+      }
+      return true;
+    });
+
+    const { page, perPage, offset } = paginate(config.pagination);
+    const items = filtered.slice(offset, offset + perPage);
+    return ok({
+      items,
+      page,
+      perPage,
+      total: filtered.length,
+      hasNext: page * perPage < filtered.length,
+    });
+  } catch (error) {
+    return fail(err.internal(`Geo search request failed: ${error instanceof Error ? error.message : String(error)}`));
+  }
+};
+
+/**
+ * Resolves one place by coordinates via reverse geocoding.
+ */
+const get = async (config: { baseUrl: string; lat: number; lon: number }): Promise<Result<GeoPlace | null>> => {
+  const baseUrlResult = normalizeBaseUrl(config.baseUrl);
+  if (!baseUrlResult.ok) return baseUrlResult;
+
+  try {
+    const res = await fetch(`${baseUrlResult.data}/geo/reverse?lat=${config.lat}&lng=${config.lon}`);
+    if (!res.ok) {
+      return fail(err.internal(`Geo reverse lookup failed with status ${res.status}`));
+    }
+
+    const body = (await res.json()) as GeoApiSearchResponse;
+    const first = (body.places ?? []).map(toPlace).find((place): place is GeoPlace => place !== null);
+
+    return ok(first ?? null);
+  } catch (error) {
+    return fail(err.internal(`Geo reverse request failed: ${error instanceof Error ? error.message : String(error)}`));
+  }
+};
+
+export const geoService = {
+  place: {
+    list,
+    get,
+  },
+};
+
+export type GeoService = typeof geoService;
+
+export const geo = geoService;

package/src/server/services/index.ts

@@ -0,0 +1,28 @@
+// Cloud-specific server services
+export { services } from "./services";
+export { freeipa } from "./freeipa";
+
+export {
+  PERMISSION_LEVELS,
+  hasPermission,
+  createAccess,
+  getAccess,
+  updateAccess,
+  deleteAccess,
+  getEffectivePermission,
+  resolveDisplayNames,
+} from "./access";
+export type { AccessEntry, PermissionLevel, PrincipalType, Principal, ResourceAccessAdapter } from "./access";
+
+export { geo, geoService } from "./geo";
+export type { GeoService, GeoPlace } from "./geo";
+
+// Re-export from stdlib for backward compatibility
+// Prefer importing directly from @valentinkolb/stdlib
+import { svg as _svg, password as _password } from "@valentinkolb/stdlib";
+export { ok, okMany, fail, err, unwrap, paginate, tryCatch, isServiceError, crypto, svg, password } from "@valentinkolb/stdlib";
+export type { Result, Paginated, PageParams, ServiceError, ServiceErrorCode } from "@valentinkolb/stdlib";
+
+// Compat aliases for old API names
+export const images = { generateFallback: _svg.generateAvatar, parseWebpDataUrl: _svg.parseWebpDataUrl };
+export const generatePassword = _password.random;

package/src/server/services/services.ts

@@ -0,0 +1,13 @@
+import * as access from "./access";
+import { freeipa } from "./freeipa";
+import { geo } from "./geo";
+import { svg, password, ok, okMany, fail, err, unwrap, paginate, tryCatch, isServiceError } from "@valentinkolb/stdlib";
+
+export const services = {
+  access,
+  freeipa,
+  geo,
+  images: { generateFallback: svg.generateAvatar, parseWebpDataUrl: svg.parseWebpDataUrl },
+  password,
+  result: { ok, okMany, fail, err, unwrap, paginate, tryCatch, isServiceError },
+} as const;

package/src/services/account-lifecycle/audit.ts

@@ -0,0 +1,41 @@
+import { sql } from "bun";
+import type { UserProfile, UserProvider } from "../../contracts/shared";
+
+export type DeletedAccountReason =
+  | "ipa_expired_demoted"
+  | "ipa_expired_deleted"
+  | "sync_out_of_scope_demoted"
+  | "sync_out_of_scope_deleted"
+  | "guest_expired_deleted"
+  | "local_user_expired_deleted"
+  | "manual_delete"
+  | "manual_demote";
+
+type SqlExecutor = typeof sql;
+
+export const writeDeletedAccountAudit = async (config: {
+  userId: string;
+  uid: string;
+  mail: string | null;
+  displayName: string | null;
+  previousProvider: UserProvider;
+  previousProfile: UserProfile;
+  reason: DeletedAccountReason;
+  meta?: Record<string, unknown>;
+  db?: SqlExecutor;
+}): Promise<void> => {
+  const db = config.db ?? sql;
+  await db`
+    INSERT INTO auth.deleted_accounts (deleted_user_id, uid, mail, display_name, previous_provider, previous_profile, reason, meta)
+    VALUES (
+      ${config.userId}::uuid,
+      ${config.uid},
+      ${config.mail},
+      ${config.displayName},
+      ${config.previousProvider},
+      ${config.previousProfile},
+      ${config.reason},
+      ${JSON.stringify(config.meta ?? {})}::jsonb
+    )
+  `;
+};