@valentinkolb/cloud 0.4.0 → 0.5.0

package/src/server/api/index.ts

@@ -1 +1 @@
-export { api, respond } from "./respond";
+export { api, respond, respondMessage } from "./respond";

package/src/server/api/respond.ts

@@ -1,9 +1,16 @@
-import type { Context } from "hono";
-import { isServiceError, type Result } from "@valentinkolb/stdlib";
+import { isServiceError, ok, type Result, type ServiceError } from "@valentinkolb/stdlib";
+import type { Context, TypedResponse } from "hono";
+import type { StatusCode } from "hono/utils/http-status";
 
-type LegacyResult<T = void> = { ok: true; data: T } | { ok: false; error: string; status: number };
+type LegacyErrorStatus = ServiceError["status"] | 413;
+type LegacyErrorResult<S extends number = number> = { ok: false; error: string; status: S };
+type LegacyResult<T = void> = { ok: true; data: T } | LegacyErrorResult;
 
 type AnyResult<T = unknown> = Result<T> | LegacyResult<T>;
+type ResultOrFn<T> = T | Promise<T> | (() => T | Promise<T>);
+type SuccessStatus = 200 | 201;
+type ErrorStatus = ServiceError["status"] | LegacyErrorStatus;
+type JsonTypedResponse<T, Status extends StatusCode> = TypedResponse<T, Status, "json">;
 
 type ErrorResponseBody = {
   message: string;
@@ -35,21 +42,54 @@ const toErrorResponse = (result: AnyResult): [ErrorResponseBody, number] => {
   return [{ message: "Internal server error", code: "INTERNAL" }, 500];
 };
 
-export const respond = async <T>(
+export async function respond<E extends ServiceError>(
   c: Context,
-  resultOrFn: AnyResult<T> | Promise<AnyResult<T>> | (() => AnyResult<T> | Promise<AnyResult<T>>),
-  successStatus = 200,
-) => {
+  resultOrFn: ResultOrFn<Result<never, E>>,
+  successStatus?: SuccessStatus,
+): Promise<JsonTypedResponse<ErrorResponseBody, E["status"]>>;
+export async function respond<T>(
+  c: Context,
+  resultOrFn: ResultOrFn<Result<T, never>>,
+  successStatus?: SuccessStatus,
+): Promise<JsonTypedResponse<T, SuccessStatus>>;
+export async function respond<T, E extends ServiceError>(
+  c: Context,
+  resultOrFn: ResultOrFn<Result<T, E>>,
+  successStatus?: SuccessStatus,
+): Promise<JsonTypedResponse<T, SuccessStatus> | JsonTypedResponse<ErrorResponseBody, E["status"]>>;
+export async function respond<S extends LegacyErrorStatus>(
+  c: Context,
+  resultOrFn: ResultOrFn<LegacyErrorResult<S>>,
+  successStatus?: SuccessStatus,
+): Promise<JsonTypedResponse<ErrorResponseBody, S>>;
+export async function respond<T>(
+  c: Context,
+  resultOrFn: ResultOrFn<AnyResult<T>>,
+  successStatus?: SuccessStatus,
+): Promise<JsonTypedResponse<T, SuccessStatus> | JsonTypedResponse<ErrorResponseBody, ErrorStatus>>;
+export async function respond<T>(
+  c: Context,
+  resultOrFn: ResultOrFn<AnyResult<T>>,
+  successStatus: SuccessStatus = 200,
+): Promise<JsonTypedResponse<T, SuccessStatus> | JsonTypedResponse<ErrorResponseBody, ErrorStatus>> {
   const result = typeof resultOrFn === "function" ? await resultOrFn() : await resultOrFn;
 
   if (!result.ok) {
     const [body, status] = toErrorResponse(result);
-    return c.json(body, status as 400 | 401 | 403 | 404 | 409 | 500);
+    return c.json(body, status as 400 | 401 | 403 | 404 | 409 | 413 | 500) as JsonTypedResponse<ErrorResponseBody, ErrorStatus>;
   }
 
-  return c.json(result.data, successStatus as 200 | 201);
-};
+  return c.json(result.data, successStatus as 200 | 201) as JsonTypedResponse<T, SuccessStatus>;
+}
+
+export const respondMessage = (c: Context, resultPromise: Promise<Result<void>>, message: string) =>
+  respond(c, async () => {
+    const result = await resultPromise;
+    if (!result.ok) return result;
+    return ok({ message });
+  });
 
 export const api = {
   respond,
+  respondMessage,
 } as const;

package/src/server/index.ts

@@ -1,62 +1,68 @@
-export { api, respond } from "./api";
-export { api as apiClient } from "./api-client";
+export { api, respond, respondMessage } from "./api";
 export type { CreateApiClientConfig } from "./api-client";
-
+export { api as apiClient } from "./api-client";
+export type { AppContext } from "./app-context";
+export type { AuthContext, RateLimitConfig, RateLimitRouteOverride } from "./middleware";
 export {
-  middleware,
   auth,
-  jsonResponse,
   imageResponse,
+  jsonResponse,
+  middleware,
   openApiMeta,
-  requiresAuth,
+  rateLimit,
+  requestLogger,
   requiresAdmin,
+  requiresAuth,
   requiresIpa,
   requiresIpaUser,
   requiresUser,
-  rateLimit,
-  requestLogger,
-  validator,
   v,
+  validator,
 } from "./middleware";
-export type { AuthContext, RateLimitConfig, RateLimitRouteOverride } from "./middleware";
-export type { AppContext } from "./app-context";
+export type {
+  AccessEntry,
+  AccessSubject,
+  AccessUser,
+  AccessUserSource,
+  GeoPlace,
+  GeoService,
+  PageParams,
+  Paginated,
+  PermissionLevel,
+  Principal,
+  PrincipalType,
+  ResourceAccessAdapter,
+  Result,
+  ServiceError,
+  ServiceErrorCode,
+} from "./services";
+export type { RequestActor, ServiceAccountRequestActor, UserRequestActor } from "./middleware";
 
 export {
-  services,
+  createAccess,
+  deleteAccess,
+  err,
+  fail,
   freeipa,
-  images,
-  password,
   generatePassword,
   geo,
   geoService,
-  PERMISSION_LEVELS,
-  hasPermission,
-  createAccess,
   getAccess,
-  updateAccess,
-  deleteAccess,
   getEffectivePermission,
-  resolveDisplayNames,
+  hasPermission,
+  images,
+  isServiceError,
+  listUsersWithAccess,
   ok,
   okMany,
-  fail,
-  err,
-  unwrap,
+  PERMISSION_LEVELS,
   paginate,
+  paginateItems,
+  password,
+  resolveDisplayNames,
+  services,
   tryCatch,
-  isServiceError,
-} from "./services";
-export type {
-  AccessEntry,
-  PermissionLevel,
-  PrincipalType,
-  Principal,
-  ResourceAccessAdapter,
-  GeoService,
-  GeoPlace,
-  Result,
-  Paginated,
-  PageParams,
-  ServiceError,
-  ServiceErrorCode,
+  unwrap,
+  updateAccess,
 } from "./services";
+export { getDateConfig, getTimeZone, TIMEZONE_COOKIE, time } from "./time";

package/src/server/middleware/auth.ts

@@ -2,17 +2,45 @@ import type { Context } from "hono";
 import { createMiddleware } from "hono/factory";
 import type { MessageResponse, Role, RoleOrSpecial, User, UserProfile, UserProvider } from "../../contracts/shared";
 import { accounts } from "../../services/accounts";
+import { oauthTokens } from "../../services/oauth-tokens";
 import { session } from "../../services/session";
+import { serviceAccountCredentials } from "../../services/service-account-credentials";
+import { createLoginRedirectUrl } from "../../shared/redirect";
+import type { ServiceAccount } from "../../services/service-accounts";
+import type { AccessSubject } from "../services/access";
 
 // ==========================
 // Types
 // ==========================
 
+export type UserRequestActor = {
+  kind: "user";
+  user: User;
+};
+
+export type ServiceAccountRequestActor =
+  | {
+      kind: "service_account";
+      serviceAccount: ServiceAccount;
+      delegatedUser: User;
+      scopes: string[];
+    }
+  | {
+      kind: "service_account";
+      serviceAccount: ServiceAccount;
+      delegatedUser: null;
+      scopes: string[];
+    };
+
+export type RequestActor = UserRequestActor | ServiceAccountRequestActor;
+
 /** Hono context with authenticated user variables. */
 export type AuthContext = {
   Variables: {
+    actor: RequestActor;
+    accessSubject: AccessSubject;
     user: User;
-    sessionToken: string;
+    sessionToken?: string;
   };
 };
 
@@ -45,17 +73,74 @@ const handleReject = (c: Context, options: RoleOptions, reason: "unauthenticated
   return c.json({ message: "Insufficient permissions" } as MessageResponse, 403);
 };
 
-const loadSessionUser = async (c: Context<AuthContext>): Promise<{ token: string | null; user: User | null }> => {
+const loadAuthenticatedActor = async (c: Context<AuthContext>): Promise<{
+  token: string | null;
+  user: User | null;
+  actor: RequestActor | null;
+}> => {
   const token = session.getToken(c);
   const data = token ? await session.getData(token) : null;
   const user = data ? await accounts.users.get({ id: data.userId }) : null;
 
   if (user && token) {
+    c.set("actor", { kind: "user", user });
+    c.set("accessSubject", { type: "user", userId: user.id });
     c.set("user", user);
     c.set("sessionToken", token);
   }
 
-  return { token, user };
+  if (user) return { token, user, actor: { kind: "user", user } };
+
+  const bearer = session.getBearerToken(c);
+  if (bearer && serviceAccountCredentials.isApiToken(bearer)) {
+    const authResult = await serviceAccountCredentials.authenticateApiToken(bearer);
+    if (!authResult) return { token: null, user: null, actor: null };
+
+    const actor: RequestActor = {
+      kind: "service_account",
+      serviceAccount: authResult.serviceAccount,
+      delegatedUser: authResult.delegatedUser,
+      scopes: authResult.credential.scopes,
+    };
+    c.set("actor", actor);
+    if (authResult.delegatedUser) {
+      c.set("accessSubject", { type: "user", userId: authResult.delegatedUser.id });
+      c.set("user", authResult.delegatedUser);
+    } else {
+      c.set("accessSubject", { type: "service_account", serviceAccountId: authResult.serviceAccount.id });
+    }
+    return { token: null, user: authResult.delegatedUser, actor };
+  }
+
+  if (bearer) {
+    const authResult = await oauthTokens.verifyAccessToken(bearer);
+    if (!authResult) return { token: null, user: null, actor: null };
+
+    if (authResult.kind === "user") {
+      const actor: RequestActor = { kind: "user", user: authResult.user };
+      c.set("actor", actor);
+      c.set("accessSubject", { type: "user", userId: authResult.user.id });
+      c.set("user", authResult.user);
+      return { token: null, user: authResult.user, actor };
+    }
+
+    const actor: RequestActor = {
+      kind: "service_account",
+      serviceAccount: authResult.serviceAccount,
+      delegatedUser: authResult.delegatedUser,
+      scopes: authResult.scopes,
+    };
+    c.set("actor", actor);
+    if (authResult.delegatedUser) {
+      c.set("accessSubject", { type: "user", userId: authResult.delegatedUser.id });
+      c.set("user", authResult.delegatedUser);
+    } else {
+      c.set("accessSubject", { type: "service_account", serviceAccountId: authResult.serviceAccount.id });
+    }
+    return { token: null, user: authResult.delegatedUser, actor };
+  }
+
+  return { token: null, user: null, actor: null };
 };
 
 /**
@@ -92,22 +177,22 @@ const requireRole = (...args: (RoleOrSpecial | RoleOptions)[]) => {
   return createMiddleware<AuthContext>(async (c, next) => {
     // "*" = no check at all, pass through (but try to load user)
     if (roles.includes("*")) {
-      await loadSessionUser(c);
+      await loadAuthenticatedActor(c);
       return next();
     }
 
-    const { user } = await loadSessionUser(c);
+    const { user, actor } = await loadAuthenticatedActor(c);
 
     // "anonymous" = must NOT be logged in
     if (roles.includes("anonymous")) {
-      if (user) {
+      if (actor) {
         return handleReject(c, options, "forbidden");
       }
       return next();
     }
 
     // All other roles require authentication
-    if (!user) {
+    if (!actor) {
       return handleReject(c, options, "unauthenticated");
     }
 
@@ -116,6 +201,10 @@ const requireRole = (...args: (RoleOrSpecial | RoleOptions)[]) => {
       return next();
     }
 
+    if (!user) {
+      return handleReject(c, options, "forbidden");
+    }
+
     // Check if user has at least one required role
     const hasRequiredRole = roles.some((role) => user.roles.includes(role as Role));
     if (!hasRequiredRole) {
@@ -133,12 +222,12 @@ const redirect = (url: string): RoleOptions => ({
 
 /** Preset: Redirect to login page with returnTo parameter */
 const redirectToLogin: RoleOptions = {
-  onReject: (c) => `/auth/login?redirectTo=${encodeURIComponent(new URL(c.req.url).pathname)}`,
+  onReject: (c) => createLoginRedirectUrl(c.req.url),
 };
 
 const requireAccount = (options: AccountOptions) =>
   createMiddleware<AuthContext>(async (c, next) => {
-    const { user } = await loadSessionUser(c);
+    const { user } = await loadAuthenticatedActor(c);
 
     if (!user) {
       return handleReject(c, options, "unauthenticated");

package/src/server/middleware/index.ts

@@ -1,6 +1,7 @@
 export { middleware } from "./middleware";
 
-export { auth, type AuthContext } from "./auth";
+export { auth, type AuthContext, type RequestActor, type ServiceAccountRequestActor, type UserRequestActor } from "./auth";
+export type { AccessSubject } from "../services/access";
 export { jsonResponse, imageResponse, openApiMeta, requiresAuth, requiresAdmin, requiresIpa, requiresIpaUser, requiresUser } from "./openapi";
 export { rateLimit, type RateLimitConfig, type RateLimitRouteOverride } from "./rate-limit";
 export { requestLogger } from "./request-logger";

package/src/server/middleware/settings.ts

@@ -13,9 +13,25 @@
  * `.use()` path instead.
  */
 import { createMiddleware } from "hono/factory";
+import {
+  type ActiveAnnouncementsResponse,
+  type AnnouncementCookieState,
+  parseAnnouncementCookieHeader,
+} from "../../contracts/announcements";
+import { announcements } from "../../services/announcements";
+import { logger } from "../../services/logging";
 import { loadSnapshot } from "../../services/settings/snapshot";
 
 const DEFAULT_SKIP = ["/public/", "/_ssr/", "/branding/", "/favicon"] as const;
+const ANNOUNCEMENT_SKIP = ["/api/", "/public/", "/_ssr/", "/branding/", "/favicon"] as const;
+const log = logger("middleware:settings");
+
+export type LayoutAnnouncementsState = ActiveAnnouncementsResponse & {
+  cookieState: AnnouncementCookieState;
+};
+
+const shouldLoadAnnouncements = (path: string, cookieHeader: string | null): boolean =>
+  Boolean(cookieHeader?.match(/(?:^|;\s*)session_token=/)) && !ANNOUNCEMENT_SKIP.some((prefix) => path.startsWith(prefix));
 
 export const settings = (opts?: { skipPrefixes?: readonly string[] }) => {
   const skip = opts?.skipPrefixes ?? DEFAULT_SKIP;
@@ -24,6 +40,16 @@ export const settings = (opts?: { skipPrefixes?: readonly string[] }) => {
     if (!skip.some((p) => path.startsWith(p))) {
       (c as unknown as { set: (k: string, v: unknown) => void }).set("settings", await loadSnapshot());
     }
+    const cookieHeader = c.req.header("Cookie") ?? null;
+    if (shouldLoadAnnouncements(path, cookieHeader)) {
+      const cookieState = parseAnnouncementCookieHeader(cookieHeader);
+      try {
+        const active = await announcements.active.forState({ state: cookieState });
+        (c as unknown as { set: (k: string, v: unknown) => void }).set("announcements", { ...active, cookieState });
+      } catch (error) {
+        log.warn("Failed to preload announcements", { error: error instanceof Error ? error.message : String(error) });
+      }
+    }
     await next();
   });
 };

package/src/server/services/access.test.ts

@@ -0,0 +1,197 @@
+import { describe, expect, test } from "bun:test";
+import { sql } from "bun";
+import { createAccess, deleteAccess, getEffectivePermission, listUsersWithAccess } from "./access";
+
+type Fixture = {
+  accessIds: string[];
+  userIds: {
+    direct: string;
+    group: string;
+    nested: string;
+    outside: string;
+  };
+  groupIds: {
+    parent: string;
+    child: string;
+  };
+  serviceAccountId: string;
+};
+
+const canUseDatabase = async () => {
+  try {
+    const [row] = await sql<{ users: string | null; groups: string | null; access: string | null }[]>`
+      SELECT
+        to_regclass('auth.users')::text AS users,
+        to_regclass('auth.groups')::text AS groups,
+        to_regclass('auth.access')::text AS access
+    `;
+    return Boolean(row?.users && row.groups && row.access);
+  } catch {
+    return false;
+  }
+};
+
+const insertUser = async (suffix: string, label: string) => {
+  const [row] = await sql<{ id: string }[]>`
+    INSERT INTO auth.users (uid, provider, profile, display_name, mail)
+    VALUES (${`access-helper-${label}-${suffix}`}, 'local', 'user', ${`Access ${label}`}, ${`${label}.${suffix}@example.test`})
+    RETURNING id
+  `;
+  return row!.id;
+};
+
+const insertGroup = async (suffix: string, label: string) => {
+  const [row] = await sql<{ id: string }[]>`
+    INSERT INTO auth.groups (cn, provider, name, description)
+    VALUES (${`access-helper-${label}-${suffix}`}, 'local', ${`Access ${label}`}, ${`Access ${label} test group`})
+    RETURNING id
+  `;
+  return row!.id;
+};
+
+const createFixture = async (): Promise<Fixture> => {
+  const suffix = crypto.randomUUID();
+  const directUserId = await insertUser(suffix, "direct");
+  const groupUserId = await insertUser(suffix, "group");
+  const nestedUserId = await insertUser(suffix, "nested");
+  const outsideUserId = await insertUser(suffix, "outside");
+  const parentGroupId = await insertGroup(suffix, "parent");
+  const childGroupId = await insertGroup(suffix, "child");
+  const [serviceAccount] = await sql<{ id: string }[]>`
+    INSERT INTO auth.service_accounts (name, kind, app_id, resource_type, resource_id)
+    VALUES (${`Access service ${suffix}`}, 'resource_bound', 'access-test', 'fixture', ${suffix})
+    RETURNING id
+  `;
+
+  await sql`INSERT INTO auth.user_groups_v2 (user_id, group_id) VALUES (${groupUserId}::uuid, ${parentGroupId}::uuid)`;
+  await sql`INSERT INTO auth.user_groups_v2 (user_id, group_id) VALUES (${nestedUserId}::uuid, ${childGroupId}::uuid)`;
+  await sql`INSERT INTO auth.group_groups_v2 (parent_group_id, child_group_id) VALUES (${parentGroupId}::uuid, ${childGroupId}::uuid)`;
+
+  const [directAccess] = await sql<{ id: string }[]>`
+    INSERT INTO auth.access (user_id, permission)
+    VALUES (${directUserId}::uuid, 'read')
+    RETURNING id
+  `;
+  const [groupAccess] = await sql<{ id: string }[]>`
+    INSERT INTO auth.access (group_id, permission)
+    VALUES (${parentGroupId}::uuid, 'write')
+    RETURNING id
+  `;
+  const [publicAccess] = await sql<{ id: string }[]>`
+    INSERT INTO auth.access (permission)
+    VALUES ('admin')
+    RETURNING id
+  `;
+  const [authenticatedAccess] = await sql<{ id: string }[]>`
+    INSERT INTO auth.access (authenticated_only, permission)
+    VALUES (TRUE, 'admin')
+    RETURNING id
+  `;
+
+  return {
+    accessIds: [directAccess!.id, groupAccess!.id, publicAccess!.id, authenticatedAccess!.id],
+    userIds: {
+      direct: directUserId,
+      group: groupUserId,
+      nested: nestedUserId,
+      outside: outsideUserId,
+    },
+    groupIds: {
+      parent: parentGroupId,
+      child: childGroupId,
+    },
+    serviceAccountId: serviceAccount!.id,
+  };
+};
+
+const cleanupFixture = async (fixture: Fixture) => {
+  for (const accessId of fixture.accessIds) {
+    await sql`DELETE FROM auth.access WHERE id = ${accessId}::uuid`;
+  }
+  for (const groupId of Object.values(fixture.groupIds)) {
+    await sql`DELETE FROM auth.group_groups_v2 WHERE parent_group_id = ${groupId}::uuid OR child_group_id = ${groupId}::uuid`;
+    await sql`DELETE FROM auth.user_groups_v2 WHERE group_id = ${groupId}::uuid`;
+  }
+  for (const groupId of Object.values(fixture.groupIds)) {
+    await sql`DELETE FROM auth.groups WHERE id = ${groupId}::uuid`;
+  }
+  await sql`DELETE FROM auth.service_accounts WHERE id = ${fixture.serviceAccountId}::uuid`;
+  for (const userId of Object.values(fixture.userIds)) {
+    await sql`DELETE FROM auth.users WHERE id = ${userId}::uuid`;
+  }
+};
+
+describe("listUsersWithAccess", () => {
+  test("expands direct and recursive group access without exposing mail", async () => {
+    if (!(await canUseDatabase())) {
+      console.warn("Skipping access helper DB test: auth tables are not available.");
+      return;
+    }
+
+    const fixture = await createFixture();
+    try {
+      const users = await listUsersWithAccess({ accessIds: fixture.accessIds, limit: 20 });
+      const byId = new Map(users.map((user) => [user.id, user]));
+
+      expect(byId.has(fixture.userIds.direct)).toBe(true);
+      expect(byId.has(fixture.userIds.group)).toBe(true);
+      expect(byId.has(fixture.userIds.nested)).toBe(true);
+      expect(byId.has(fixture.userIds.outside)).toBe(false);
+
+      expect(byId.get(fixture.userIds.direct)?.source).toEqual({ type: "direct" });
+      expect(byId.get(fixture.userIds.nested)?.source).toEqual({
+        type: "group",
+        groupId: fixture.groupIds.parent,
+        groupName: "Access parent",
+      });
+      expect(byId.get(fixture.userIds.nested)?.permission).toBe("write");
+      expect("mail" in byId.get(fixture.userIds.nested)!).toBe(false);
+
+      const groupSearch = await listUsersWithAccess({ accessIds: fixture.accessIds, search: "parent", limit: 20 });
+      expect(groupSearch.map((user) => user.id)).toContain(fixture.userIds.nested);
+
+      const explicitUsers = await listUsersWithAccess({
+        accessIds: fixture.accessIds,
+        userIds: [fixture.userIds.nested, fixture.userIds.outside],
+      });
+      expect(explicitUsers.map((user) => user.id)).toEqual([fixture.userIds.nested]);
+
+      const writers = await listUsersWithAccess({ accessIds: fixture.accessIds, minimumPermission: "write", limit: 20 });
+      expect(writers.map((user) => user.id)).not.toContain(fixture.userIds.direct);
+      expect(writers.map((user) => user.id)).toContain(fixture.userIds.group);
+
+      const serviceAccountPublicPermission = await getEffectivePermission({
+        accessIds: fixture.accessIds,
+        userId: null,
+        userGroups: [],
+        serviceAccountId: fixture.serviceAccountId,
+      });
+      expect(serviceAccountPublicPermission).toBe("none");
+
+      const serviceAccountAccess = await createAccess({
+        principal: { type: "service_account", serviceAccountId: fixture.serviceAccountId },
+        permission: "write",
+      });
+      expect(serviceAccountAccess.ok).toBe(true);
+      if (!serviceAccountAccess.ok) return;
+      fixture.accessIds.push(serviceAccountAccess.data.id);
+
+      const serviceAccountPermission = await getEffectivePermission({
+        accessIds: [serviceAccountAccess.data.id],
+        userId: null,
+        userGroups: [],
+        serviceAccountId: fixture.serviceAccountId,
+      });
+      expect(serviceAccountPermission).toBe("write");
+
+      const serviceAccountUsers = await listUsersWithAccess({ accessIds: [serviceAccountAccess.data.id], limit: 20 });
+      expect(serviceAccountUsers).toEqual([]);
+
+      const deleteResult = await deleteAccess({ id: serviceAccountAccess.data.id });
+      expect(deleteResult.ok).toBe(true);
+      fixture.accessIds = fixture.accessIds.filter((id) => id !== serviceAccountAccess.data.id);
+    } finally {
+      await cleanupFixture(fixture);
+    }
+  });
+});