npm - @valentinkolb/cloud - Versions diffs - 0.3.1 → 0.5.0 - Mend

@valentinkolb/cloud 0.3.1 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (194) hide show

package/package.json +18 -8
package/scripts/preload.ts +78 -23
package/src/_internal/define-app.ts +119 -47
package/src/_internal/runtime-context.ts +1 -0
package/src/api/accounts-entities.ts +4 -0
package/src/api/admin-core-settings.ts +98 -0
package/src/api/announcements.ts +131 -0
package/src/api/auth/schemas.ts +24 -0
package/src/api/auth.ts +113 -10
package/src/api/index.ts +15 -25
package/src/api/me.ts +203 -14
package/src/api/search/schemas.ts +1 -0
package/src/api/search.ts +62 -8
package/src/config/ssr.ts +2 -9
package/src/contracts/announcements.test.ts +37 -0
package/src/contracts/announcements.ts +121 -0
package/src/contracts/app.ts +4 -0
package/src/contracts/index.ts +3 -2
package/src/contracts/registry.ts +4 -0
package/src/contracts/shared.ts +108 -1
package/src/desktop/index.ts +704 -0
package/src/desktop/solid.tsx +938 -0
package/src/server/api/index.ts +1 -1
package/src/server/api/respond.ts +50 -10
package/src/server/index.ts +44 -38
package/src/server/middleware/auth.ts +98 -9
package/src/server/middleware/index.ts +2 -1
package/src/server/middleware/settings.ts +26 -0
package/src/server/services/access.test.ts +197 -0
package/src/server/services/access.ts +254 -6
package/src/server/services/index.ts +14 -11
package/src/server/services/pagination.ts +22 -0
package/src/server/time.ts +45 -0
package/src/services/account-lifecycle/index.ts +142 -18
package/src/services/accounts/app.ts +658 -170
package/src/services/accounts/authz.test.ts +77 -0
package/src/services/accounts/authz.ts +22 -0
package/src/services/accounts/entities.ts +84 -5
package/src/services/accounts/groups.ts +30 -24
package/src/services/accounts/model.test.ts +30 -0
package/src/services/accounts/switching.test.ts +14 -0
package/src/services/accounts/switching.ts +15 -6
package/src/services/accounts/users.ts +75 -52
package/src/services/announcements/index.test.ts +32 -0
package/src/services/announcements/index.ts +224 -0
package/src/services/audit/index.test.ts +84 -0
package/src/services/audit/index.ts +431 -0
package/src/services/auth-flows/index.ts +9 -2
package/src/services/auth-flows/ipa.ts +0 -2
package/src/services/auth-flows/magic-link.ts +3 -2
package/src/services/auth-flows/password-reset.ts +284 -0
package/src/services/auth-flows/proxy-return.test.ts +24 -0
package/src/services/auth-flows/proxy-return.ts +49 -0
package/src/services/gateway.ts +162 -0
package/src/services/index.ts +44 -2
package/src/services/ipa/effective-groups.test.ts +33 -0
package/src/services/ipa/effective-groups.ts +70 -0
package/src/services/ipa/profile.ts +45 -3
package/src/services/ipa/search.ts +3 -5
package/src/services/ipa/service-account.ts +15 -0
package/src/services/ipa/sync-planning.test.ts +32 -0
package/src/services/ipa/sync-planning.ts +22 -0
package/src/services/ipa/sync.ts +110 -38
package/src/services/oauth-tokens.ts +104 -0
package/src/services/postgres.ts +21 -6
package/src/services/providers/local/auth.test.ts +22 -0
package/src/services/providers/local/auth.ts +46 -3
package/src/services/secrets.ts +10 -0
package/src/services/service-account-credentials.test.ts +210 -0
package/src/services/service-account-credentials.ts +715 -0
package/src/services/service-accounts.ts +188 -0
package/src/services/session/index.ts +7 -8
package/src/services/settings/app.ts +4 -20
package/src/services/settings/defaults.ts +64 -22
package/src/services/settings/store.ts +47 -0
package/src/services/weather/forecast.ts +40 -7
package/src/services/webauthn.test.ts +36 -0
package/src/services/webauthn.ts +384 -0
package/src/shared/icons.ts +391 -100
package/src/shared/index.ts +7 -0
package/src/shared/markdown/extensions/code.ts +38 -1
package/src/shared/markdown/extensions/images.ts +39 -3
package/src/shared/markdown/extensions/info-blocks.ts +5 -5
package/src/shared/markdown/extensions/mark.ts +48 -0
package/src/shared/markdown/extensions/sub-sup.ts +60 -0
package/src/shared/markdown/extensions/tables.ts +79 -58
package/src/shared/markdown/formula.test.ts +1089 -0
package/src/shared/markdown/formula.ts +1187 -0
package/src/shared/markdown/index.ts +76 -2
package/src/shared/mock-cover.ts +130 -0
package/src/shared/redirect.test.ts +49 -0
package/src/shared/redirect.ts +52 -0
package/src/shared/theme.test.ts +24 -0
package/src/shared/theme.ts +68 -0
package/src/shared/time.ts +13 -0
package/src/ssr/AdminLayout.tsx +7 -3
package/src/ssr/AdminSidebar.tsx +115 -49
package/src/ssr/AppLaunchpad.island.tsx +176 -0
package/src/ssr/Footer.island.tsx +3 -8
package/src/ssr/GlobalAnnouncements.island.tsx +141 -0
package/src/ssr/GlobalSearchDialog.tsx +545 -117
package/src/ssr/HotkeysHelpRail.island.tsx +3 -70
package/src/ssr/Layout.tsx +74 -66
package/src/ssr/LayoutBreadcrumbs.island.tsx +44 -0
package/src/ssr/LayoutHelp.tsx +266 -0
package/src/ssr/NavMenu.island.tsx +0 -39
package/src/ssr/ThemeToggleRail.island.tsx +3 -3
package/src/ssr/TimezoneCookie.island.tsx +23 -0
package/src/ssr/islands/index.ts +13 -0
package/src/styles/base-popover.css +5 -2
package/src/styles/effects.css +87 -6
package/src/styles/global.css +146 -9
package/src/styles/input.css +3 -1
package/src/styles/utilities-buttons.css +133 -27
package/src/styles/utilities-code-display.css +67 -0
package/src/styles/utilities-completion.css +223 -0
package/src/styles/utilities-detail.css +73 -0
package/src/styles/utilities-feedback.css +16 -15
package/src/styles/utilities-layout.css +42 -2
package/src/styles/utilities-markdown-editor.css +472 -0
package/src/styles/utilities-navigation.css +63 -8
package/src/styles/utilities-script.css +84 -0
package/src/styles/utilities-table-tile.css +229 -0
package/src/types/ambient.d.ts +9 -0
package/src/ui/completion/behaviors.test.ts +95 -0
package/src/ui/completion/behaviors.ts +205 -0
package/src/ui/completion/engine.ts +368 -0
package/src/ui/completion/index.ts +40 -0
package/src/ui/completion/overlay.ts +92 -0
package/src/ui/dialog-core.ts +173 -45
package/src/ui/filter/FilterChip.tsx +42 -40
package/src/ui/index.ts +11 -12
package/src/ui/input/AutocompleteEditor.tsx +656 -0
package/src/ui/input/CheckboxCard.tsx +91 -0
package/src/ui/input/Combobox.tsx +375 -0
package/src/ui/input/DatePicker.tsx +846 -0
package/src/ui/input/DateTimeInput.tsx +29 -4
package/src/ui/input/FileDropzone.tsx +116 -0
package/src/ui/input/IconInput.tsx +116 -0
package/src/ui/input/ImageInput.tsx +19 -2
package/src/ui/input/MultiSelectInput.tsx +448 -0
package/src/ui/input/NumberInput.tsx +417 -61
package/src/ui/input/SegmentedControl.tsx +2 -2
package/src/ui/input/Select.tsx +172 -10
package/src/ui/input/Slider.tsx +3 -4
package/src/ui/input/Switch.tsx +3 -2
package/src/ui/input/TemplateEditor.tsx +212 -0
package/src/ui/input/TextInput.tsx +144 -13
package/src/ui/input/index.ts +53 -8
package/src/ui/input/markdown/MarkdownEditor.tsx +774 -0
package/src/ui/input/markdown/Toolbar.tsx +90 -0
package/src/ui/input/markdown/actions.ts +233 -0
package/src/ui/input/markdown/active-formats.ts +94 -0
package/src/ui/input/markdown/behaviors.ts +193 -0
package/src/ui/input/markdown/code-zone.ts +23 -0
package/src/ui/input/markdown/highlight.ts +316 -0
package/src/ui/layout.ts +22 -0
package/src/ui/misc/AppOverview.tsx +105 -0
package/src/ui/misc/AppWorkspace.tsx +607 -0
package/src/ui/misc/Calendar.tsx +1291 -0
package/src/ui/misc/Chart.tsx +162 -0
package/src/ui/misc/CodeDisplay.tsx +54 -0
package/src/ui/misc/ContextMenu.tsx +2 -2
package/src/ui/misc/DataTable.tsx +269 -0
package/src/ui/misc/DockWorkspace.tsx +425 -0
package/src/ui/misc/Docs.tsx +153 -0
package/src/ui/misc/Dropdown.tsx +2 -2
package/src/ui/misc/EntitySearch.tsx +260 -129
package/src/ui/misc/LinkCard.tsx +14 -2
package/src/ui/misc/LogEntriesTable.tsx +34 -31
package/src/ui/misc/Pagination.tsx +31 -12
package/src/ui/misc/PanelDialog.tsx +109 -0
package/src/ui/misc/Panes.tsx +873 -0
package/src/ui/misc/PermissionEditor.tsx +358 -262
package/src/ui/misc/Placeholder.tsx +40 -0
package/src/ui/misc/ProgressBar.tsx +1 -1
package/src/ui/misc/ResourceApiKeys.tsx +260 -0
package/src/ui/misc/SettingsModal.tsx +150 -0
package/src/ui/misc/StatCell.tsx +182 -40
package/src/ui/misc/StatGrid.tsx +149 -0
package/src/ui/misc/StructuredDataPreview.tsx +107 -0
package/src/ui/misc/code-highlight.ts +213 -0
package/src/ui/misc/index.ts +93 -12
package/src/ui/prompts.tsx +362 -312
package/src/ui/toast.ts +384 -0
package/src/ui/widgets/Widget.tsx +12 -4
package/src/ssr/MoreAppsDropdown.island.tsx +0 -61
package/src/ui/ipa/GroupView.tsx +0 -36
package/src/ui/ipa/LoginBtn.tsx +0 -16
package/src/ui/ipa/UserView.tsx +0 -58
package/src/ui/ipa/index.ts +0 -4
package/src/ui/navigation.ts +0 -32
package/src/ui/sidebar.tsx +0 -468
/package/src/ui/{ipa → misc}/Avatar.tsx +0 -0

package/src/services/audit/index.ts ADDED Viewed

@@ -0,0 +1,431 @@
+import { sql, type SQL } from "bun";
+import type { PaginationParams, UserProvider } from "../../contracts/shared";
+import { err, fail, ok, paginate, type PageParams, type Paginated, type Result, type ServiceError } from "../../server/services";
+import { escapeLikePattern, parsePgJsonRecord, toPgTextArray } from "../postgres";
+import { logger } from "../logging";
+export type AuditOutcome = "allowed" | "denied" | "failed";
+export type AuditActionGroup = "service_accounts";
+export type AuditActor = {
+  userId?: string | null;
+  uid?: string | null;
+  provider?: UserProvider | string | null;
+  roles?: readonly string[] | null;
+};
+export type AuditTarget = {
+  type?: string | null;
+  id?: string | null;
+  label?: string | null;
+  provider?: UserProvider | string | null;
+};
+export type AuditEvent = {
+  id: number;
+  createdAt: string;
+  action: string;
+  outcome: AuditOutcome;
+  actor: {
+    userId: string | null;
+    uid: string | null;
+    provider: string | null;
+    roles: string[];
+  };
+  target: {
+    type: string | null;
+    id: string | null;
+    label: string | null;
+    provider: string | null;
+  };
+  reason: string | null;
+  errorCode: string | null;
+  errorMessage: string | null;
+  requestId: string | null;
+  metadata: Record<string, unknown>;
+};
+export type AuditListFilter = {
+  search?: string;
+  actor?: string;
+  target?: string;
+  action?: string;
+  actionGroup?: AuditActionGroup;
+  serviceAccountId?: string;
+  outcome?: AuditOutcome;
+  provider?: UserProvider | string;
+  days?: number;
+};
+export type SelfServiceAuditActivity = {
+  id: number;
+  createdAt: string;
+  action: string;
+  label: string;
+  outcome: AuditOutcome;
+  context: string | null;
+};
+export type AuditRecordParams = {
+  action: string;
+  outcome: AuditOutcome;
+  actor?: AuditActor | null;
+  target?: AuditTarget | null;
+  reason?: string | null;
+  error?: Pick<ServiceError, "code" | "message"> | { code?: string | null; message?: string | null } | null;
+  requestId?: string | null;
+  metadata?: Record<string, unknown> | null;
+};
+type AuditDb = typeof sql;
+type DbAuditRow = {
+  id: number;
+  created_at: Date | string;
+  action: string;
+  outcome: string;
+  actor_user_id: string | null;
+  actor_uid: string | null;
+  actor_provider: string | null;
+  actor_roles: string[] | null;
+  target_type: string | null;
+  target_id: string | null;
+  target_label: string | null;
+  target_provider: string | null;
+  reason: string | null;
+  error_code: string | null;
+  error_message: string | null;
+  request_id: string | null;
+  metadata: Record<string, unknown> | string | null;
+};
+const log = logger("audit");
+const SENSITIVE_KEY_PATTERN = /(password|secret|token|cookie|authorization|api[_-]?key|private[_-]?key|session|ipa[_-]?session)/i;
+const REDACTED = "[REDACTED]";
+const MAX_STRING_LENGTH = 500;
+const MAX_ARRAY_LENGTH = 50;
+const MAX_DEPTH = 8;
+const SELF_SERVICE_ACTION_LABELS = {
+  "accounts.user.change_own_password": "Password changed",
+  "accounts.user.remove_self": "Account deleted",
+  "accounts.user.update": "Profile updated",
+  "accounts.request.create": "Account request submitted",
+  "accounts.request.withdraw": "Account request withdrawn",
+  "accounts.user.extend_account": "Account extended",
+  "service_account_credential.create": "API key created",
+  "service_account_credential.revoke": "API key revoked",
+  "service_account_credential.authenticate": "API key used",
+  "webauthn_credential.create": "Passkey added",
+  "webauthn_credential.delete": "Passkey removed",
+  "webauthn_credential.authenticate": "Passkey used",
+} as const satisfies Record<string, string>;
+const SELF_SERVICE_ACTIONS = Object.keys(SELF_SERVICE_ACTION_LABELS);
+const asString = (value: string | null | undefined): string | null => {
+  const trimmed = value?.trim();
+  return trimmed ? trimmed : null;
+};
+const asRoleArray = (roles: readonly string[] | null | undefined): string[] => [...new Set((roles ?? []).map((role) => role.trim()).filter(Boolean))];
+export const sanitizeAuditMetadata = (value: unknown, depth = 0): unknown => {
+  if (value == null) return null;
+  if (value instanceof Date) return value.toISOString();
+  if (typeof value === "string") return value.length > MAX_STRING_LENGTH ? `${value.slice(0, MAX_STRING_LENGTH)}...` : value;
+  if (typeof value === "number" || typeof value === "boolean") return value;
+  if (typeof value === "bigint") return value.toString();
+  if (typeof value !== "object") return null;
+  if (depth >= MAX_DEPTH) return "[MAX_DEPTH]";
+  if (Array.isArray(value)) {
+    const items = value.slice(0, MAX_ARRAY_LENGTH).map((item) => sanitizeAuditMetadata(item, depth + 1));
+    if (value.length > MAX_ARRAY_LENGTH) items.push(`[${value.length - MAX_ARRAY_LENGTH} more]`);
+    return items;
+  }
+  const out: Record<string, unknown> = {};
+  for (const [key, child] of Object.entries(value as Record<string, unknown>)) {
+    out[key] = SENSITIVE_KEY_PATTERN.test(key) ? REDACTED : sanitizeAuditMetadata(child, depth + 1);
+  }
+  return out;
+};
+export const sanitizeAuditText = (value: string | null | undefined): string | null => {
+  const text = asString(value);
+  if (!text) return null;
+  if (SENSITIVE_KEY_PATTERN.test(text)) return REDACTED;
+  return text.length > MAX_STRING_LENGTH ? `${text.slice(0, MAX_STRING_LENGTH)}...` : text;
+};
+const mapRow = (row: DbAuditRow): AuditEvent => ({
+  id: Number(row.id),
+  createdAt: row.created_at instanceof Date ? row.created_at.toISOString() : row.created_at,
+  action: row.action,
+  outcome: row.outcome as AuditOutcome,
+  actor: {
+    userId: row.actor_user_id,
+    uid: row.actor_uid,
+    provider: row.actor_provider,
+    roles: row.actor_roles ?? [],
+  },
+  target: {
+    type: row.target_type,
+    id: row.target_id,
+    label: row.target_label,
+    provider: row.target_provider,
+  },
+  reason: row.reason,
+  errorCode: row.error_code,
+  errorMessage: row.error_message,
+  requestId: row.request_id,
+  metadata: parsePgJsonRecord(row.metadata) ?? {},
+});
+const mapSelfServiceActivityRow = (row: DbAuditRow): SelfServiceAuditActivity => ({
+  id: Number(row.id),
+  createdAt: row.created_at instanceof Date ? row.created_at.toISOString() : row.created_at,
+  action: row.action,
+  label: SELF_SERVICE_ACTION_LABELS[row.action as keyof typeof SELF_SERVICE_ACTION_LABELS] ?? row.action,
+  outcome: row.outcome as AuditOutcome,
+  context: row.target_label ?? null,
+});
+const outcomeForError = (error: Pick<ServiceError, "status"> | null | undefined): AuditOutcome => {
+  if (!error) return "allowed";
+  return error.status === 401 || error.status === 403 ? "denied" : "failed";
+};
+const record = async (params: AuditRecordParams, db: AuditDb = sql): Promise<void> => {
+  try {
+    const actorRoles = asRoleArray(params.actor?.roles);
+    const metadata = (sanitizeAuditMetadata(params.metadata ?? {}) as Record<string, unknown>) ?? {};
+    await db`
+      INSERT INTO audit.events (
+        action,
+        outcome,
+        actor_user_id,
+        actor_uid,
+        actor_provider,
+        actor_roles,
+        target_type,
+        target_id,
+        target_label,
+        target_provider,
+        reason,
+        error_code,
+        error_message,
+        request_id,
+        metadata
+      )
+      VALUES (
+        ${params.action},
+        ${params.outcome},
+        ${asString(params.actor?.userId)}::uuid,
+        ${asString(params.actor?.uid)},
+        ${asString(params.actor?.provider)},
+        ${toPgTextArray(actorRoles)}::text[],
+        ${asString(params.target?.type)},
+        ${asString(params.target?.id)},
+        ${asString(params.target?.label)},
+        ${asString(params.target?.provider)},
+        ${sanitizeAuditText(params.reason)},
+        ${asString(params.error?.code ?? null)},
+        ${sanitizeAuditText(params.error?.message ?? null)},
+        ${asString(params.requestId)},
+        ${JSON.stringify(metadata)}::jsonb
+      )
+    `;
+  } catch (error) {
+    log.error("Audit write failed", {
+      action: params.action,
+      outcome: params.outcome,
+      error: error instanceof Error ? error.message : String(error),
+    });
+    throw error;
+  }
+};
+const recordResult = async <T,>(params: {
+  action: string;
+  actor?: AuditActor | null;
+  target?: AuditTarget | null;
+  metadata?: Record<string, unknown> | null;
+  result: Result<T>;
+  db?: AuditDb;
+}): Promise<Result<T>> => {
+  await record({
+    action: params.action,
+    actor: params.actor,
+    target: params.target,
+    metadata: params.metadata,
+    outcome: params.result.ok ? "allowed" : outcomeForError(params.result.error),
+    reason: params.result.ok ? null : params.result.error.message,
+    error: params.result.ok ? null : params.result.error,
+  }, params.db);
+  return params.result;
+};
+/**
+ * Use only after an irreversible side effect already happened. Authorization
+ * checks and pre-mutation validation must keep using `record`/`recordResult`
+ * so missing audit storage can still fail closed before anything changes.
+ */
+const recordResultAfterSideEffect = async <T,>(params: {
+  action: string;
+  actor?: AuditActor | null;
+  target?: AuditTarget | null;
+  metadata?: Record<string, unknown> | null;
+  result: Result<T>;
+}): Promise<Result<T>> => {
+  try {
+    await recordResult(params);
+  } catch (error) {
+    log.error("Post-side-effect audit write failed", {
+      action: params.action,
+      outcome: params.result.ok ? "allowed" : outcomeForError(params.result.error),
+      error: error instanceof Error ? error.message : String(error),
+    });
+  }
+  return params.result;
+};
+const deny = async <T,>(params: {
+  action: string;
+  actor?: AuditActor | null;
+  target?: AuditTarget | null;
+  message?: string;
+  metadata?: Record<string, unknown> | null;
+}): Promise<Result<T>> => {
+  const error = err.forbidden(params.message ?? "Access denied");
+  await record({
+    action: params.action,
+    actor: params.actor,
+    target: params.target,
+    metadata: params.metadata,
+    outcome: "denied",
+    reason: error.message,
+    error,
+  });
+  return fail(error);
+};
+const buildWhere = (filter: AuditListFilter = {}) => {
+  const conditions: SQL.Query<unknown>[] = [sql`TRUE`];
+  const search = filter.search?.trim();
+  const actor = filter.actor?.trim();
+  const target = filter.target?.trim();
+  const provider = filter.provider?.trim();
+  const days = filter.days && Number.isFinite(filter.days) && filter.days > 0 ? Math.min(Math.floor(filter.days), 3650) : null;
+  if (search) {
+    const pattern = `%${escapeLikePattern(search)}%`;
+    conditions.push(sql`(
+      action ILIKE ${pattern} ESCAPE '\\'
+      OR COALESCE(actor_user_id::text, '') ILIKE ${pattern} ESCAPE '\\'
+      OR COALESCE(actor_uid, '') ILIKE ${pattern} ESCAPE '\\'
+      OR COALESCE(target_label, '') ILIKE ${pattern} ESCAPE '\\'
+      OR COALESCE(target_id, '') ILIKE ${pattern} ESCAPE '\\'
+      OR COALESCE(reason, '') ILIKE ${pattern} ESCAPE '\\'
+      OR COALESCE(error_message, '') ILIKE ${pattern} ESCAPE '\\'
+      OR metadata::text ILIKE ${pattern} ESCAPE '\\'
+    )`);
+  }
+  if (actor) {
+    const pattern = `%${escapeLikePattern(actor)}%`;
+    conditions.push(sql`(actor_user_id::text = ${actor} OR COALESCE(actor_uid, '') ILIKE ${pattern} ESCAPE '\\')`);
+  }
+  if (target) {
+    const pattern = `%${escapeLikePattern(target)}%`;
+    conditions.push(sql`(target_id = ${target} OR COALESCE(target_label, '') ILIKE ${pattern} ESCAPE '\\')`);
+  }
+  if (filter.action?.trim()) conditions.push(sql`action = ${filter.action.trim()}`);
+  if (filter.actionGroup === "service_accounts") {
+    conditions.push(sql`(
+      action LIKE 'service_account%'
+      OR target_type IN ('service_account', 'service_account_credential')
+      OR metadata ? 'serviceAccountId'
+    )`);
+  }
+  if (filter.serviceAccountId?.trim()) {
+    const serviceAccountId = filter.serviceAccountId.trim();
+    conditions.push(sql`(
+      (target_type = 'service_account' AND target_id = ${serviceAccountId})
+      OR metadata->>'serviceAccountId' = ${serviceAccountId}
+    )`);
+  }
+  if (filter.outcome) conditions.push(sql`outcome = ${filter.outcome}`);
+  if (provider) conditions.push(sql`(actor_provider = ${provider} OR target_provider = ${provider})`);
+  if (days) conditions.push(sql`created_at >= now() - ${`${days} days`}::interval`);
+  return conditions.reduce((acc, condition) => sql`${acc} AND ${condition}`);
+};
+const list = async (config: {
+  pagination?: PageParams;
+  filter?: AuditListFilter;
+}): Promise<Paginated<AuditEvent>> => {
+  const { page, perPage, offset } = paginate(config.pagination);
+  const where = buildWhere(config.filter);
+  const [countRows, rows] = await Promise.all([
+    sql<{ count: number }[]>`SELECT COUNT(*)::int AS count FROM audit.events WHERE ${where}`,
+    sql<DbAuditRow[]>`
+      SELECT *
+      FROM audit.events
+      WHERE ${where}
+      ORDER BY created_at DESC, id DESC
+      LIMIT ${perPage}
+      OFFSET ${offset}
+    `,
+  ]);
+  const total = countRows[0]?.count ?? 0;
+  return {
+    items: rows.map(mapRow),
+    page,
+    perPage,
+    total,
+    hasNext: page * perPage < total,
+  };
+};
+const listSelfServiceActivity = async (config: {
+  userId: string;
+  pagination?: PageParams;
+  days?: number;
+}): Promise<Paginated<SelfServiceAuditActivity>> => {
+  const { page, perPage, offset } = paginate(config.pagination);
+  const days = config.days && Number.isFinite(config.days) && config.days > 0 ? Math.min(Math.floor(config.days), 365) : 30;
+  const where = sql`
+    actor_user_id = ${config.userId}::uuid
+    AND action = ANY(${toPgTextArray(SELF_SERVICE_ACTIONS)}::text[])
+    AND created_at >= now() - ${`${days} days`}::interval
+  `;
+  const [countRows, rows] = await Promise.all([
+    sql<{ count: number }[]>`SELECT COUNT(*)::int AS count FROM audit.events WHERE ${where}`,
+    sql<DbAuditRow[]>`
+      SELECT *
+      FROM audit.events
+      WHERE ${where}
+      ORDER BY created_at DESC, id DESC
+      LIMIT ${perPage}
+      OFFSET ${offset}
+    `,
+  ]);
+  const total = countRows[0]?.count ?? 0;
+  return {
+    items: rows.map(mapSelfServiceActivityRow),
+    page,
+    perPage,
+    total,
+    hasNext: page * perPage < total,
+  };
+};
+export const audit = {
+  record,
+  recordResult,
+  recordResultAfterSideEffect,
+  deny,
+  list,
+  listSelfServiceActivity,
+};

package/src/services/auth-flows/index.ts CHANGED Viewed

@@ -1,6 +1,13 @@
 import * as ipa from "./ipa";
 import * as magicLink from "./magic-link";
+import * as passwordReset from "./password-reset";
+import * as proxyReturn from "./proxy-return";
-export { ipa, magicLink };
+export { ipa, magicLink, passwordReset, proxyReturn };
-export const authFlows = { ipa, magicLink } as const;
+export const authFlows = {
+  ipa,
+  magicLink,
+  passwordReset,
+  proxyReturn,
+} as const;

package/src/services/auth-flows/ipa.ts CHANGED Viewed

@@ -14,7 +14,6 @@ type IpaLoginFailure =
 type IpaLoginSuccess = {
   ok: true;
-  ipaSession: string;
   userId: string;
   user: User;
 };
@@ -103,7 +102,6 @@ export const login = async (params: { username: string; password: string }): Pro
   return {
     ok: true,
-    ipaSession: loginResult.session,
     userId: userResult.userId,
     user: userResult.user,
   };

package/src/services/auth-flows/magic-link.ts CHANGED Viewed

@@ -5,8 +5,9 @@ import { providers } from "../providers";
 import * as settings from "../settings";
 import { renderTemplate } from "../settings/templates";
 import type { User } from "../../contracts/shared";
+import { createAuthLoginUrl } from "../../shared/redirect";
-export const request = async (params: { email: string }): Promise<
+export const request = async (params: { email: string; redirectTo?: string }): Promise<
   | { ok: true }
   | { ok: false; status: 400; message: string }
 > => {
@@ -32,7 +33,7 @@ export const request = async (params: { email: string }): Promise<
   const token = await providers.local.auth.createMagicLinkToken({ email: params.email, ttlSeconds: 300 });
   const rawAppUrl = await settings.get<string>("app.url");
   const appUrl = rawAppUrl.startsWith("http") ? rawAppUrl : `https://${rawAppUrl}`;
-  const magicLink = `${appUrl}/auth/login?token=${token}`;
+  const magicLink = createAuthLoginUrl(appUrl, { token, redirectTo: params.redirectTo });
   const appName = await settings.get<string>("app.name");
   const template = await settings.get<string>("mail.magic_link_login");