@valentinkolb/cloud 0.4.0 → 0.5.0

package/src/services/service-accounts.ts

@@ -0,0 +1,188 @@
+import { sql } from "bun";
+import { err, fail, ok, type Result } from "@valentinkolb/stdlib";
+import { isUniqueViolation } from "./postgres";
+
+export type ServiceAccountKind = "user_delegated" | "resource_bound";
+export type ServiceAccountStatus = "active" | "disabled";
+
+export type ServiceAccount = {
+  id: string;
+  name: string;
+  kind: ServiceAccountKind;
+  status: ServiceAccountStatus;
+  delegatedUserId: string | null;
+  appId: string | null;
+  resourceType: string | null;
+  resourceId: string | null;
+  createdBy: string | null;
+  createdAt: string;
+};
+
+type DbServiceAccount = {
+  id: string;
+  name: string;
+  kind: ServiceAccountKind;
+  status: ServiceAccountStatus;
+  delegated_user_id: string | null;
+  app_id: string | null;
+  resource_type: string | null;
+  resource_id: string | null;
+  created_by: string | null;
+  created_at: Date;
+};
+
+const mapServiceAccount = (row: DbServiceAccount): ServiceAccount => ({
+  id: row.id,
+  name: row.name,
+  kind: row.kind,
+  status: row.status,
+  delegatedUserId: row.delegated_user_id,
+  appId: row.app_id,
+  resourceType: row.resource_type,
+  resourceId: row.resource_id,
+  createdBy: row.created_by,
+  createdAt: row.created_at.toISOString(),
+});
+
+const trimRequired = (value: string): string => value.trim();
+
+const isForeignKeyViolation = (error: unknown): boolean => (error as { code?: string } | null)?.code === "23503";
+const RESOURCE_BOUND_UNIQUE_CONSTRAINT = "uniq_service_accounts_resource_bound";
+
+export const getByResource = async (params: {
+  appId: string;
+  resourceType: string;
+  resourceId: string;
+}): Promise<ServiceAccount | null> => {
+  const [row] = await sql<DbServiceAccount[]>`
+    SELECT id, name, kind, status, delegated_user_id, app_id, resource_type, resource_id, created_by, created_at
+    FROM auth.service_accounts
+    WHERE kind = 'resource_bound'
+      AND app_id = ${params.appId}
+      AND resource_type = ${params.resourceType}
+      AND resource_id = ${params.resourceId}
+    ORDER BY created_at ASC
+    LIMIT 1
+  `;
+  return row ? mapServiceAccount(row) : null;
+};
+
+export const get = async (params: { id: string }): Promise<ServiceAccount | null> => {
+  const [row] = await sql<DbServiceAccount[]>`
+    SELECT id, name, kind, status, delegated_user_id, app_id, resource_type, resource_id, created_by, created_at
+    FROM auth.service_accounts
+    WHERE id = ${params.id}::uuid
+  `;
+  return row ? mapServiceAccount(row) : null;
+};
+
+export const createUserDelegated = async (params: {
+  name: string;
+  delegatedUserId: string;
+  createdBy?: string | null;
+}): Promise<Result<ServiceAccount>> => {
+  const name = trimRequired(params.name);
+  if (!name) return fail(err.badInput("Service account name is required"));
+
+  try {
+    const [row] = await sql<DbServiceAccount[]>`
+      INSERT INTO auth.service_accounts (name, kind, delegated_user_id, created_by)
+      VALUES (${name}, 'user_delegated', ${params.delegatedUserId}::uuid, ${params.createdBy ?? null}::uuid)
+      RETURNING id, name, kind, status, delegated_user_id, app_id, resource_type, resource_id, created_by, created_at
+    `;
+    return row ? ok(mapServiceAccount(row)) : fail(err.internal("Failed to create service account"));
+  } catch (error) {
+    if (isForeignKeyViolation(error)) return fail(err.notFound("Delegated user"));
+    throw error;
+  }
+};
+
+export const createResourceBound = async (params: {
+  name: string;
+  appId: string;
+  resourceType: string;
+  resourceId: string;
+  createdBy?: string | null;
+}): Promise<Result<ServiceAccount>> => {
+  const name = trimRequired(params.name);
+  const appId = trimRequired(params.appId);
+  const resourceType = trimRequired(params.resourceType);
+  const resourceId = trimRequired(params.resourceId);
+  if (!name) return fail(err.badInput("Service account name is required"));
+  if (!appId || !resourceType || !resourceId) return fail(err.badInput("Resource binding is required"));
+
+  try {
+    const [row] = await sql<DbServiceAccount[]>`
+      INSERT INTO auth.service_accounts (name, kind, app_id, resource_type, resource_id, created_by)
+      VALUES (${name}, 'resource_bound', ${appId}, ${resourceType}, ${resourceId}, ${params.createdBy ?? null}::uuid)
+      RETURNING id, name, kind, status, delegated_user_id, app_id, resource_type, resource_id, created_by, created_at
+    `;
+    return row ? ok(mapServiceAccount(row)) : fail(err.internal("Failed to create service account"));
+  } catch (error) {
+    if (isForeignKeyViolation(error)) return fail(err.notFound("Creator"));
+    if (isUniqueViolation(error, RESOURCE_BOUND_UNIQUE_CONSTRAINT)) return fail(err.conflict("Resource service account"));
+    throw error;
+  }
+};
+
+export const getOrCreateResourceBound = async (params: {
+  name: string;
+  appId: string;
+  resourceType: string;
+  resourceId: string;
+  createdBy?: string | null;
+}): Promise<Result<ServiceAccount>> => {
+  const existing = await getByResource(params);
+  if (existing) return ok(existing);
+
+  const created = await createResourceBound(params);
+  if (created.ok || created.error.code !== "CONFLICT") return created;
+
+  const raced = await getByResource(params);
+  return raced ? ok(raced) : fail(err.internal("Failed to load resource service account"));
+};
+
+export const setStatus = async (params: { id: string; status: ServiceAccountStatus }): Promise<Result<void>> => {
+  const result = await sql`
+    UPDATE auth.service_accounts
+    SET status = ${params.status}
+    WHERE id = ${params.id}::uuid
+  `;
+  if (result.count === 0) return fail(err.notFound("Service account"));
+  return ok();
+};
+
+export const delete_ = async (params: { id: string }): Promise<Result<void>> => {
+  const result = await sql`
+    DELETE FROM auth.service_accounts
+    WHERE id = ${params.id}::uuid
+  `;
+  if (result.count === 0) return fail(err.notFound("Service account"));
+  return ok();
+};
+
+export const deleteForResource = async (params: {
+  appId: string;
+  resourceType: string;
+  resourceId: string;
+}): Promise<number> => {
+  const result = await sql`
+    DELETE FROM auth.service_accounts
+    WHERE kind = 'resource_bound'
+      AND app_id = ${params.appId}
+      AND resource_type = ${params.resourceType}
+      AND resource_id = ${params.resourceId}
+  `;
+  return result.count;
+};
+
+export const serviceAccounts = {
+  get,
+  createUserDelegated,
+  createResourceBound,
+  getByResource,
+  getOrCreateResourceBound,
+  setStatus,
+  delete: delete_,
+  deleteForResource,
+};

package/src/services/session/index.ts

@@ -14,7 +14,6 @@ import * as settings from "../settings";
  */
 type SessionData = {
   userId: string;
-  ipaSession: string | null;
   gen: number;
 };
 
@@ -48,6 +47,8 @@ const parseBearer = (header: string | undefined): string | null => {
   return match?.[1] ?? null;
 };
 
+const isCloudApiToken = (token: string | null): boolean => Boolean(token?.startsWith("cld_"));
+
 export const session = {
   /**
    * Get session token from cookie or Authorization header.
@@ -59,18 +60,20 @@ export const session = {
   getToken: (c: Context): string | null => {
     const cookie = getCookie(c, "session_token");
     const bearer = parseBearer(c.req.header("Authorization"));
-    return cookie || bearer || null;
+    return cookie || (isCloudApiToken(bearer) ? null : bearer) || null;
   },
 
+  getBearerToken: (c: Context): string | null => parseBearer(c.req.header("Authorization")),
+
   parseToken,
 
-  create: async (c: Context, userId: string, ipaSession: string | null = null): Promise<string> => {
+  create: async (c: Context, userId: string): Promise<string> => {
     const randomToken = crypto.randomUUID();
     const expiryHours = await settings.get<number>("user.session.expiry_hours");
     const ttl = expiryHours * 60 * 60;
 
     const gen = await readGen(userId);
-    const data: SessionData = { userId, ipaSession, gen };
+    const data: SessionData = { userId, gen };
     await redis.set(sessionKey(userId, randomToken), JSON.stringify(data), "EX", ttl);
 
     await sql`UPDATE auth.users SET last_login_local = now() WHERE id = ${userId}`;
@@ -130,8 +133,4 @@ export const session = {
     return data;
   },
 
-  getIpaSession: async (token: string): Promise<string | null> => {
-    const data = await session.getData(token);
-    return data?.ipaSession ?? null;
-  },
 };

package/src/services/settings/app.ts

@@ -6,25 +6,12 @@
  * Lives in cloud-lib because every app that has app-scoped settings needs
  * the same API to render its admin form (files, weather, etc.).
  */
-import { err, fail, ok, paginate, type PageParams, type Paginated } from "@valentinkolb/stdlib";
+import { paginateItems } from "../../server/services";
+import { err, fail, ok, type PageParams, type Paginated } from "@valentinkolb/stdlib";
 import * as settingsPrimitives from ".";
 import type { SettingEntry } from ".";
 import { SETTINGS_MAP, validateSettingValue } from "./defaults";
 
-const paginateEntries = <T>(items: T[], pagination?: PageParams): Paginated<T> => {
-  if (!pagination) {
-    return { items, page: 1, perPage: items.length, total: items.length, hasNext: false };
-  }
-  const { page, perPage, offset } = paginate(pagination);
-  return {
-    items: items.slice(offset, offset + perPage),
-    page,
-    perPage,
-    total: items.length,
-    hasNext: page * perPage < items.length,
-  };
-};
-
 /**
  * Redact secret-kind setting values before they leave the server.
  *
@@ -42,10 +29,7 @@ const redactSecretValue = (entry: SettingEntry): SettingEntry => {
 
 export const settingsService = {
   entry: {
-    list: async (config?: {
-      pagination?: PageParams;
-      filter?: { query?: string; group?: string };
-    }): Promise<Paginated<SettingEntry>> => {
+    list: async (config?: { pagination?: PageParams; filter?: { query?: string; group?: string } }): Promise<Paginated<SettingEntry>> => {
       const entries = await settingsPrimitives.getAll();
       const query = config?.filter?.query?.trim().toLowerCase();
       const group = config?.filter?.group?.trim().toLowerCase();
@@ -62,7 +46,7 @@ export const settingsService = {
         })
         .map(redactSecretValue);
 
-      return paginateEntries(filtered, config?.pagination);
+      return paginateItems(filtered, config?.pagination);
     },
     update: async (config: { key: string; value: unknown }) => {
       if (!SETTINGS_MAP.has(config.key)) {

package/src/services/settings/defaults.ts

@@ -10,6 +10,7 @@
  */
 
 import type { SettingKind, SettingOption } from "../../contracts/shared";
+
 export type { SettingKind, SettingOption };
 
 type SettingEnvResolver = () => unknown;
@@ -24,16 +25,7 @@ type SettingCommon = {
   envBootstrap?: SettingEnvResolver;
 };
 
-type SettingStringLikeKind =
-  | "string"
-  | "text"
-  | "email"
-  | "url"
-  | "secret"
-  | "image"
-  | "cron"
-  | "timezone"
-  | "template";
+type SettingStringLikeKind = "string" | "text" | "email" | "url" | "secret" | "image" | "cron" | "timezone" | "template";
 
 type StringLikeSettingDef = SettingCommon & {
   kind: SettingStringLikeKind;
@@ -77,9 +69,7 @@ export type SettingDef =
   | StringListSettingDef
   | NumberListSettingDef;
 
-export type SettingValidationResult =
-  | { ok: true; value: SettingDef["default"] }
-  | { ok: false; error: string };
+export type SettingValidationResult = { ok: true; value: SettingDef["default"] } | { ok: false; error: string };
 
 const envString = (key: string): string | undefined => {
   const value = process.env[key]?.trim();
@@ -116,7 +106,8 @@ export const SETTINGS: SettingDef[] = [
     label: "URL",
     kind: "string",
     default: "localhost:3000",
-    description: "Public-facing application URL used for links in emails, OAuth redirects, and WebSocket connections (with or without scheme)",
+    description:
+      "Public-facing application URL used for links in emails, OAuth redirects, and WebSocket connections (with or without scheme)",
     placeholder: "e.g. https://cloud.example.org",
     group: "app",
     envFallback: () => envString("APP_URL"),
@@ -209,7 +200,8 @@ export const SETTINGS: SettingDef[] = [
     label: "CA Certificate (PEM)",
     kind: "text",
     default: "",
-    description: "Paste the FreeIPA root CA in PEM format to trust self-signed/private-CA servers without disabling validation. Preferred over allow_insecure.",
+    description:
+      "Paste the FreeIPA root CA in PEM format to trust self-signed/private-CA servers without disabling validation. Preferred over allow_insecure.",
     placeholder: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
     group: "freeipa",
   },
@@ -218,7 +210,8 @@ export const SETTINGS: SettingDef[] = [
     label: "Allow Insecure TLS",
     kind: "boolean",
     default: false,
-    description: "Skip TLS certificate validation entirely. Use only for local dev — disables MITM protection. Ignored when ca_cert is set.",
+    description:
+      "Skip TLS certificate validation entirely. Use only for local dev — disables MITM protection. Ignored when ca_cert is set.",
     group: "freeipa",
   },
   {
@@ -445,6 +438,20 @@ export const SETTINGS: SettingDef[] = [
     group: "mail",
     templateVars: ["TOKEN", "MAGIC_LINK", "APP_NAME"],
   },
+  {
+    key: "mail.password_reset",
+    label: "Password Reset Template",
+    kind: "template",
+    default: `<p>You requested a password reset for your {{APP_NAME}} account.</p>
+<p style="text-align:center;margin:24px 0;">
+  <a href="{{RESET_LINK}}" target="_blank" style="color:#3b82f6;text-decoration:underline;">Set a new password</a>
+</p>
+<p style="color:#71717a;font-size:12px;margin:0 0 8px 0;">This link expires in 15 minutes. Never share this link with anyone. If you didn't request this, you can ignore this email.</p>
+{{#CONTACT_EMAIL}}<p style="color:#71717a;font-size:12px;margin:0;">If you need help, contact <a href="mailto:{{CONTACT_EMAIL}}">{{CONTACT_EMAIL}}</a>.</p>{{/CONTACT_EMAIL}}`,
+    description: "Password reset email template (HTML). Subject: {{APP_NAME}} Password Reset",
+    group: "mail",
+    templateVars: ["RESET_LINK", "APP_NAME", "CONTACT_EMAIL"],
+  },
   {
     key: "mail.account_expiry_reminder",
     label: "Account Expiry Reminder Template",
@@ -530,7 +537,7 @@ export const SETTINGS: SettingDef[] = [
   // Three pages, three modes each:
   //   mode = "local"    → render markdown from `legal.<kind>.content`
   //   mode = "external" → 302-redirect to `legal.<kind>.url`
-  // All three pages live in the settings app (mounts: /impressum,
+  // All three pages live in Core (mounts: /impressum,
   // /legal/privacy, /legal/terms).
   {
     key: "legal.terms.mode",
@@ -622,6 +629,45 @@ export const SETTINGS: SettingDef[] = [
     placeholder: "https://example.org/imprint",
     group: "legal",
   },
+
+  {
+    key: "notebooks.reindex_cron",
+    label: "Reindex Cron",
+    kind: "cron",
+    default: "0 */12 * * *",
+    description: "Five-field cron schedule for the periodic note-refs reindex job (links, tags, attachments) in app.timezone.",
+    group: "notebooks",
+  },
+  {
+    key: "notebooks.snapshot_cron",
+    label: "Snapshot Cron",
+    kind: "cron",
+    default: "0 3 * * *",
+    description: "Five-field cron schedule for automatic notebook S3 snapshots in app.timezone.",
+    group: "notebooks",
+  },
+  {
+    key: "notebooks.max_attachment_size_mb",
+    label: "Max Attachment Size",
+    kind: "number",
+    default: 10,
+    min: 1,
+    max: 200,
+    description:
+      "Per-file upload limit for notebook attachments (megabytes). Oversize images are auto-resized client-side before the upload hits this gate; non-image files exceeding the limit are rejected with a clear error.",
+    group: "notebooks",
+  },
+  {
+    key: "notebooks.max_image_dimension_px",
+    label: "Max Image Side",
+    kind: "number",
+    default: 2048,
+    min: 256,
+    max: 8192,
+    description:
+      "Longest-side cap (pixels) applied when an oversize image is auto-resized before upload. Aspect ratio is preserved; PNG inputs stay PNG, everything else becomes WebP at quality 0.85.",
+    group: "notebooks",
+  },
 ];
 
 const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
@@ -645,11 +691,7 @@ const parseStringList = (value: unknown): string[] | null => {
 };
 
 const parseNumberList = (value: unknown): number[] | null => {
-  const rawValues = Array.isArray(value)
-    ? value
-    : typeof value === "string"
-      ? value.split(/[,\n]/).map((entry) => entry.trim())
-      : null;
+  const rawValues = Array.isArray(value) ? value : typeof value === "string" ? value.split(/[,\n]/).map((entry) => entry.trim()) : null;
 
   if (!rawValues) return null;
 

package/src/services/settings/store.ts

@@ -22,6 +22,13 @@ const REDIS_KEY = (k: string) => `settings:${k}`;
 const REDIS_TTL_SEC = 300;
 
 type StoredRow = { key: string; value: string };
+type LegacyStoredRow = { key: string; value: string; updated_at: Date | string | null };
+
+export type LegacySettingRow = {
+  key: string;
+  updatedAt: string | null;
+  decryptable: boolean;
+};
 
 /**
  * Resolve the env-fallback or default value for a key whose DB row is missing
@@ -147,6 +154,46 @@ export const bulkRead = async (keys: readonly string[]): Promise<Map<string, unk
  */
 export const allKnownKeys = (): string[] => SETTINGS.map((d) => d.key);
 
+const knownKeysWith = (extraKnownKeys: readonly string[]) => Array.from(new Set([...allKnownKeys(), ...extraKnownKeys]));
+
+export const listLegacyKeys = async (extraKnownKeys: readonly string[] = []): Promise<LegacySettingRow[]> => {
+  const knownKeys = knownKeysWith(extraKnownKeys);
+  const rows = await sql<LegacyStoredRow[]>`
+    SELECT key, value, updated_at
+    FROM settings.entries
+    WHERE NOT (key = ANY(${toPgTextArray(knownKeys)}::text[]))
+    ORDER BY updated_at DESC NULLS LAST, key ASC
+  `;
+
+  const legacy: LegacySettingRow[] = [];
+  for (const row of rows) {
+    let decryptable = true;
+    try {
+      await decryptValue(row.value);
+    } catch {
+      decryptable = false;
+    }
+    legacy.push({
+      key: row.key,
+      updatedAt: row.updated_at ? new Date(row.updated_at).toISOString() : null,
+      decryptable,
+    });
+  }
+  return legacy;
+};
+
+export const deleteLegacyKeys = async (extraKnownKeys: readonly string[] = []): Promise<{ deleted: string[] }> => {
+  const knownKeys = knownKeysWith(extraKnownKeys);
+  const rows = await sql<{ key: string }[]>`
+    DELETE FROM settings.entries
+    WHERE NOT (key = ANY(${toPgTextArray(knownKeys)}::text[]))
+    RETURNING key
+  `;
+  const deleted = rows.map((row) => row.key);
+  if (deleted.length > 0) await redis.del(...deleted.map(REDIS_KEY));
+  return { deleted };
+};
+
 /**
  * Encrypt the value, upsert the DB row, invalidate the Redis key.
  *

package/src/services/weather/forecast.ts

@@ -1,17 +1,40 @@
 import { redis } from "bun";
-import { coreSettings } from "../settings/api";
 import { logger } from "../logging";
+import { coreSettings } from "../settings/api";
 import type { CurrentWeather, DailyForecast, HourlyForecast, WeatherData, WeatherIcon } from "./types";
 
 const log = logger("weather");
 
 const BRIGHTSKY_API = "https://api.brightsky.dev";
+const BRIGHTSKY_TIMEOUT_MS = 400;
 
 export type ForecastLocationConfig = {
   lat?: string;
   lon?: string;
 };
 
+type ResolvedForecastLocation = {
+  lat: string;
+  lon: string;
+};
+
+const resolveForecastLocation = async (config?: ForecastLocationConfig): Promise<ResolvedForecastLocation | null> => {
+  const lat = (config?.lat ?? (await coreSettings.get<string>("weather.default_lat"))).trim();
+  const lon = (config?.lon ?? (await coreSettings.get<string>("weather.default_lon"))).trim();
+
+  if (!lat || !lon) {
+    log.error("Weather default coordinates are not configured", {
+      missing: [
+        !lat ? "weather.default_lat" : null,
+        !lon ? "weather.default_lon" : null,
+      ].filter(Boolean),
+    });
+    return null;
+  }
+
+  return { lat, lon };
+};
+
 /** Brightsky current_weather API response */
 type BrightskyCurrentResponse = {
   weather: {
@@ -81,9 +104,12 @@ const getCacheKey = (lat: string, lon: string): string => {
 
 /** Fetch current weather from Brightsky API. */
 const fetchCurrentFromApi = async (lat: string, lon: string): Promise<CurrentWeather | null> => {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), BRIGHTSKY_TIMEOUT_MS);
+
   try {
     const url = `${BRIGHTSKY_API}/current_weather?lat=${lat}&lon=${lon}`;
-    const response = await fetch(url);
+    const response = await fetch(url, { signal: controller.signal });
 
     if (!response.ok) {
       log.error("Brightsky API error", { status: response.status });
@@ -119,15 +145,20 @@ const fetchCurrentFromApi = async (lat: string, lon: string): Promise<CurrentWea
   } catch (error) {
     log.error("Failed to fetch from Brightsky", {
       error: error instanceof Error ? error.message : String(error),
+      timeoutMs: BRIGHTSKY_TIMEOUT_MS,
     });
     return null;
+  } finally {
+    clearTimeout(timeout);
   }
 };
 
 /** Get current weather, using Redis cache. */
 export const getCurrentWeather = async (config?: ForecastLocationConfig): Promise<CurrentWeather | null> => {
-  const lat = config?.lat ?? (await coreSettings.get<string>("weather.default_lat"));
-  const lon = config?.lon ?? (await coreSettings.get<string>("weather.default_lon"));
+  const location = await resolveForecastLocation(config);
+  if (!location) return null;
+
+  const { lat, lon } = location;
   const cacheKey = getCacheKey(lat, lon);
 
   const cached = await redis.get(cacheKey);
@@ -257,8 +288,10 @@ const fetchForecastFromApi = async (lat: string, lon: string): Promise<{ hourly:
 
 /** Get full weather data including forecasts. */
 export const getWeatherData = async (config?: ForecastLocationConfig): Promise<WeatherData | null> => {
-  const lat = config?.lat ?? (await coreSettings.get<string>("weather.default_lat"));
-  const lon = config?.lon ?? (await coreSettings.get<string>("weather.default_lon"));
+  const location = await resolveForecastLocation(config);
+  if (!location) return null;
+
+  const { lat, lon } = location;
   const cacheKey = `weather:full:${lat}:${lon}`;
 
   const cached = await redis.get(cacheKey);
@@ -270,7 +303,7 @@ export const getWeatherData = async (config?: ForecastLocationConfig): Promise<W
     }
   }
 
-  const [current, forecast] = await Promise.all([getCurrentWeather(config), fetchForecastFromApi(lat, lon)]);
+  const [current, forecast] = await Promise.all([getCurrentWeather(location), fetchForecastFromApi(lat, lon)]);
 
   if (!current) return null;
 

package/src/services/webauthn.test.ts

@@ -0,0 +1,36 @@
+import { describe, expect, test } from "bun:test";
+import { resolveWebAuthnRp } from "./webauthn";
+
+describe("resolveWebAuthnRp", () => {
+  test("derives rp id and origin from https app url", () => {
+    expect(resolveWebAuthnRp({ appUrl: "https://cloud.example/app", appName: "Cloud" })).toEqual({
+      rpName: "Cloud",
+      rpID: "cloud.example",
+      origin: "https://cloud.example",
+    });
+  });
+
+  test("accepts localhost over http for development", () => {
+    expect(resolveWebAuthnRp({ appUrl: "http://localhost:3000", appName: "" })).toEqual({
+      rpName: "Cloud",
+      rpID: "localhost",
+      origin: "http://localhost:3000",
+    });
+    expect(resolveWebAuthnRp({ appUrl: "localhost:3000", appName: "Cloud" })).toEqual({
+      rpName: "Cloud",
+      rpID: "localhost",
+      origin: "http://localhost:3000",
+    });
+    expect(resolveWebAuthnRp({ appUrl: "http://[::1]:3000", appName: "Cloud" })).toEqual({
+      rpName: "Cloud",
+      rpID: "[::1]",
+      origin: "http://[::1]:3000",
+    });
+  });
+
+  test("rejects non-local insecure origins", () => {
+    expect(() => resolveWebAuthnRp({ appUrl: "http://cloud.example", appName: "Cloud" })).toThrow(
+      "WebAuthn requires an HTTPS app.url",
+    );
+  });
+});