npm - @valentinkolb/cloud - Versions diffs - 0.4.0 → 0.5.0 - Mend

@valentinkolb/cloud 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (193) hide show

package/package.json +18 -6
package/scripts/preload.ts +78 -23
package/src/_internal/define-app.ts +53 -46
package/src/api/accounts-entities.ts +4 -0
package/src/api/admin-core-settings.ts +98 -0
package/src/api/announcements.ts +131 -0
package/src/api/auth/schemas.ts +24 -0
package/src/api/auth.ts +113 -10
package/src/api/index.ts +7 -2
package/src/api/me.ts +203 -14
package/src/api/search/schemas.ts +1 -0
package/src/api/search.ts +62 -8
package/src/config/ssr.ts +2 -9
package/src/contracts/announcements.test.ts +37 -0
package/src/contracts/announcements.ts +121 -0
package/src/contracts/app.ts +2 -0
package/src/contracts/index.ts +3 -2
package/src/contracts/registry.ts +2 -0
package/src/contracts/shared.ts +108 -1
package/src/desktop/index.ts +704 -0
package/src/desktop/solid.tsx +938 -0
package/src/server/api/index.ts +1 -1
package/src/server/api/respond.ts +50 -10
package/src/server/index.ts +44 -38
package/src/server/middleware/auth.ts +98 -9
package/src/server/middleware/index.ts +2 -1
package/src/server/middleware/settings.ts +26 -0
package/src/server/services/access.test.ts +197 -0
package/src/server/services/access.ts +254 -6
package/src/server/services/index.ts +14 -11
package/src/server/services/pagination.ts +22 -0
package/src/server/time.ts +45 -0
package/src/services/account-lifecycle/index.ts +142 -18
package/src/services/accounts/app.ts +658 -170
package/src/services/accounts/authz.test.ts +77 -0
package/src/services/accounts/authz.ts +22 -0
package/src/services/accounts/entities.ts +84 -5
package/src/services/accounts/groups.ts +30 -24
package/src/services/accounts/model.test.ts +30 -0
package/src/services/accounts/switching.test.ts +14 -0
package/src/services/accounts/switching.ts +15 -6
package/src/services/accounts/users.ts +75 -52
package/src/services/announcements/index.test.ts +32 -0
package/src/services/announcements/index.ts +224 -0
package/src/services/audit/index.test.ts +84 -0
package/src/services/audit/index.ts +431 -0
package/src/services/auth-flows/index.ts +9 -2
package/src/services/auth-flows/ipa.ts +0 -2
package/src/services/auth-flows/magic-link.ts +3 -2
package/src/services/auth-flows/password-reset.ts +284 -0
package/src/services/auth-flows/proxy-return.test.ts +24 -0
package/src/services/auth-flows/proxy-return.ts +49 -0
package/src/services/gateway.ts +162 -0
package/src/services/index.ts +44 -2
package/src/services/ipa/effective-groups.test.ts +33 -0
package/src/services/ipa/effective-groups.ts +70 -0
package/src/services/ipa/profile.ts +45 -3
package/src/services/ipa/search.ts +3 -5
package/src/services/ipa/service-account.ts +15 -0
package/src/services/ipa/sync-planning.test.ts +32 -0
package/src/services/ipa/sync-planning.ts +22 -0
package/src/services/ipa/sync.ts +110 -38
package/src/services/oauth-tokens.ts +104 -0
package/src/services/postgres.ts +21 -6
package/src/services/providers/local/auth.test.ts +22 -0
package/src/services/providers/local/auth.ts +46 -3
package/src/services/secrets.ts +10 -0
package/src/services/service-account-credentials.test.ts +210 -0
package/src/services/service-account-credentials.ts +715 -0
package/src/services/service-accounts.ts +188 -0
package/src/services/session/index.ts +7 -8
package/src/services/settings/app.ts +4 -20
package/src/services/settings/defaults.ts +64 -22
package/src/services/settings/store.ts +47 -0
package/src/services/weather/forecast.ts +40 -7
package/src/services/webauthn.test.ts +36 -0
package/src/services/webauthn.ts +384 -0
package/src/shared/icons.ts +391 -100
package/src/shared/index.ts +7 -0
package/src/shared/markdown/extensions/code.ts +38 -1
package/src/shared/markdown/extensions/images.ts +39 -3
package/src/shared/markdown/extensions/info-blocks.ts +5 -5
package/src/shared/markdown/extensions/mark.ts +48 -0
package/src/shared/markdown/extensions/sub-sup.ts +60 -0
package/src/shared/markdown/extensions/tables.ts +79 -58
package/src/shared/markdown/formula.test.ts +1089 -0
package/src/shared/markdown/formula.ts +1187 -0
package/src/shared/markdown/index.ts +76 -2
package/src/shared/mock-cover.ts +130 -0
package/src/shared/redirect.test.ts +49 -0
package/src/shared/redirect.ts +52 -0
package/src/shared/theme.test.ts +24 -0
package/src/shared/theme.ts +68 -0
package/src/shared/time.ts +13 -0
package/src/ssr/AdminLayout.tsx +7 -3
package/src/ssr/AdminSidebar.tsx +115 -49
package/src/ssr/AppLaunchpad.island.tsx +176 -0
package/src/ssr/Footer.island.tsx +3 -8
package/src/ssr/GlobalAnnouncements.island.tsx +141 -0
package/src/ssr/GlobalSearchDialog.tsx +545 -117
package/src/ssr/HotkeysHelpRail.island.tsx +3 -70
package/src/ssr/Layout.tsx +74 -66
package/src/ssr/LayoutBreadcrumbs.island.tsx +44 -0
package/src/ssr/LayoutHelp.tsx +266 -0
package/src/ssr/NavMenu.island.tsx +0 -39
package/src/ssr/ThemeToggleRail.island.tsx +3 -3
package/src/ssr/TimezoneCookie.island.tsx +23 -0
package/src/ssr/islands/index.ts +13 -0
package/src/styles/base-popover.css +5 -2
package/src/styles/effects.css +87 -6
package/src/styles/global.css +146 -9
package/src/styles/input.css +3 -1
package/src/styles/utilities-buttons.css +133 -27
package/src/styles/utilities-code-display.css +67 -0
package/src/styles/utilities-completion.css +223 -0
package/src/styles/utilities-detail.css +73 -0
package/src/styles/utilities-feedback.css +16 -15
package/src/styles/utilities-layout.css +42 -2
package/src/styles/utilities-markdown-editor.css +472 -0
package/src/styles/utilities-navigation.css +63 -8
package/src/styles/utilities-script.css +84 -0
package/src/styles/utilities-table-tile.css +229 -0
package/src/types/ambient.d.ts +9 -0
package/src/ui/completion/behaviors.test.ts +95 -0
package/src/ui/completion/behaviors.ts +205 -0
package/src/ui/completion/engine.ts +368 -0
package/src/ui/completion/index.ts +40 -0
package/src/ui/completion/overlay.ts +92 -0
package/src/ui/dialog-core.ts +173 -45
package/src/ui/filter/FilterChip.tsx +42 -40
package/src/ui/index.ts +11 -12
package/src/ui/input/AutocompleteEditor.tsx +656 -0
package/src/ui/input/CheckboxCard.tsx +91 -0
package/src/ui/input/Combobox.tsx +375 -0
package/src/ui/input/DatePicker.tsx +846 -0
package/src/ui/input/DateTimeInput.tsx +29 -4
package/src/ui/input/FileDropzone.tsx +116 -0
package/src/ui/input/IconInput.tsx +116 -0
package/src/ui/input/ImageInput.tsx +19 -2
package/src/ui/input/MultiSelectInput.tsx +448 -0
package/src/ui/input/NumberInput.tsx +417 -61
package/src/ui/input/SegmentedControl.tsx +2 -2
package/src/ui/input/Select.tsx +172 -10
package/src/ui/input/Slider.tsx +3 -4
package/src/ui/input/Switch.tsx +3 -2
package/src/ui/input/TemplateEditor.tsx +212 -0
package/src/ui/input/TextInput.tsx +144 -13
package/src/ui/input/index.ts +53 -8
package/src/ui/input/markdown/MarkdownEditor.tsx +774 -0
package/src/ui/input/markdown/Toolbar.tsx +90 -0
package/src/ui/input/markdown/actions.ts +233 -0
package/src/ui/input/markdown/active-formats.ts +94 -0
package/src/ui/input/markdown/behaviors.ts +193 -0
package/src/ui/input/markdown/code-zone.ts +23 -0
package/src/ui/input/markdown/highlight.ts +316 -0
package/src/ui/layout.ts +22 -0
package/src/ui/misc/AppOverview.tsx +105 -0
package/src/ui/misc/AppWorkspace.tsx +607 -0
package/src/ui/misc/Calendar.tsx +1291 -0
package/src/ui/misc/Chart.tsx +162 -0
package/src/ui/misc/CodeDisplay.tsx +54 -0
package/src/ui/misc/ContextMenu.tsx +2 -2
package/src/ui/misc/DataTable.tsx +269 -0
package/src/ui/misc/DockWorkspace.tsx +425 -0
package/src/ui/misc/Docs.tsx +153 -0
package/src/ui/misc/Dropdown.tsx +2 -2
package/src/ui/misc/EntitySearch.tsx +260 -129
package/src/ui/misc/LinkCard.tsx +14 -2
package/src/ui/misc/LogEntriesTable.tsx +34 -31
package/src/ui/misc/Pagination.tsx +31 -12
package/src/ui/misc/PanelDialog.tsx +109 -0
package/src/ui/misc/Panes.tsx +873 -0
package/src/ui/misc/PermissionEditor.tsx +358 -262
package/src/ui/misc/Placeholder.tsx +40 -0
package/src/ui/misc/ProgressBar.tsx +1 -1
package/src/ui/misc/ResourceApiKeys.tsx +260 -0
package/src/ui/misc/SettingsModal.tsx +150 -0
package/src/ui/misc/StatCell.tsx +182 -40
package/src/ui/misc/StatGrid.tsx +149 -0
package/src/ui/misc/StructuredDataPreview.tsx +107 -0
package/src/ui/misc/code-highlight.ts +213 -0
package/src/ui/misc/index.ts +93 -12
package/src/ui/prompts.tsx +362 -312
package/src/ui/toast.ts +384 -0
package/src/ui/widgets/Widget.tsx +12 -4
package/src/ssr/MoreAppsDropdown.island.tsx +0 -61
package/src/ui/ipa/GroupView.tsx +0 -36
package/src/ui/ipa/LoginBtn.tsx +0 -16
package/src/ui/ipa/UserView.tsx +0 -58
package/src/ui/ipa/index.ts +0 -4
package/src/ui/navigation.ts +0 -32
package/src/ui/sidebar.tsx +0 -468
/package/src/ui/{ipa → misc}/Avatar.tsx +0 -0

package/src/services/account-lifecycle/index.ts CHANGED Viewed

@@ -3,14 +3,18 @@ import type { User } from "../../contracts/shared";
 import { logger } from "../logging";
 import { notifications } from "../notifications";
 import { applyIpaAccountTransitionPolicy } from "../accounts/switching";
+import { audit } from "../audit";
 import { get as getSetting } from "../settings";
 import { renderTemplate } from "../settings/templates";
 import { session } from "../session";
 import { getConfiguredExpiryDays, parseIpaAccountTransitionPolicy } from "../account-model";
 import { getFreeIpaConfig } from "../freeipa-config";
+import { getServiceIpaSession } from "../ipa/service-account";
+import { buildEffectiveIpaGroupsByUid } from "../ipa/effective-groups";
+import { providers } from "../providers";
 import { parsePgJsonRecord } from "../postgres";
 import { dates } from "../../shared";
-import { freeipa } from "../../server/services";
+import { err, fail, freeipa, ok, type Result } from "../../server/services";
 import { writeDeletedAccountAudit } from "./audit";
 import { getIpaUrl } from "../ipa/guard";
@@ -55,6 +59,99 @@ const getGuestExpiresDays = async (): Promise<number> => {
 const getDeletedAccountsRetentionDays = async (): Promise<number> => settingInt("user.account.deleted_accounts_retention_days", 365);
 const getReminderHistoryRetentionDays = async (): Promise<number> => settingInt("user.account.reminder_history_retention_days", 365);
+const readIpaList = (config: { response: Awaited<ReturnType<typeof freeipa.client.call>>; entity: string }): Result<Record<string, unknown>[]> => {
+  if (config.response.error) {
+    return fail(err.internal(`Could not verify FreeIPA ${config.entity} before extension.`));
+  }
+  const records = config.response.result?.result;
+  if (!Array.isArray(records)) {
+    return fail(err.internal(`Could not verify FreeIPA ${config.entity} before extension.`));
+  }
+  return ok(records as Record<string, unknown>[]);
+};
+const verifyCurrentIpaSyncScope = async (uid: string): Promise<Result<void>> => {
+  const config = await getFreeIpaConfig();
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) {
+    return fail({
+      code: serviceSession.status === 400 ? "BAD_INPUT" : "INTERNAL",
+      message: serviceSession.error,
+      status: serviceSession.status,
+    });
+  }
+  const groupsRes = await freeipa.client.call({
+    url: config.url,
+    ipaSession: serviceSession.data,
+    method: "group_find",
+    args: [],
+    options: {
+      sizelimit: 0,
+      no_members: false,
+      all: true,
+    },
+  });
+  const groups = readIpaList({ response: groupsRes, entity: "groups" });
+  if (!groups.ok) return fail(groups.error);
+  const effectiveGroupsByUid = buildEffectiveIpaGroupsByUid(
+    groups.data.map((raw) => ({
+      cn: freeipa.util.str(raw.cn),
+      users: (raw.member_user as string[]) ?? [],
+      groups: (raw.member_group as string[]) ?? [],
+    })),
+  );
+  const effectiveGroups = effectiveGroupsByUid.get(uid) ?? [];
+  if (!config.groupsBaseSync.some((group) => effectiveGroups.includes(group))) {
+    return fail(err.forbidden("Your FreeIPA account is no longer in sync scope and cannot be extended."));
+  }
+  return ok();
+};
+const readFreshLocalIpaAccountExpiry = async (uid: string): Promise<Result<Date | null>> => {
+  const rows = await sql<DbRow[]>`
+    SELECT account_expires
+    FROM auth.users
+    WHERE uid = ${uid} AND provider = 'ipa'
+  `;
+  const row = rows[0];
+  if (!row) return fail(err.notFound("Your FreeIPA account was not found locally."));
+  return ok((row.account_expires as Date | null | undefined) ?? null);
+};
+const verifyIpaExtensionFreshness = async (uid: string): Promise<Result<{ accountExpires: Date }>> => {
+  const currentScope = await verifyCurrentIpaSyncScope(uid);
+  if (!currentScope.ok) return fail(currentScope.error);
+  const freshness = await providers.ipa.sync.user(uid).catch((error) => ({
+    status: "fetch_failed" as const,
+    error: error instanceof Error ? error.message : String(error),
+  }));
+  switch (freshness.status) {
+    case "synced": {
+      const accountExpires = await readFreshLocalIpaAccountExpiry(uid);
+      if (!accountExpires.ok) return accountExpires;
+      if (accountExpires.data === null) {
+        return fail(err.badInput("Accounts without an expiration date cannot be extended."));
+      }
+      return ok({ accountExpires: accountExpires.data });
+    }
+    case "expired":
+      return fail(err.badInput("Your FreeIPA account is expired and cannot be extended."));
+    case "out_of_scope":
+      return fail(err.forbidden("Your FreeIPA account is no longer in sync scope and cannot be extended."));
+    case "not_found_local":
+      return fail(err.notFound("Your FreeIPA account was not found locally."));
+    case "fetch_failed":
+      return fail(err.internal("Could not verify your FreeIPA account before extension."));
+    case "skipped_disabled":
+      return fail(err.badInput("FreeIPA is disabled."));
+  }
+};
 const parseReminderDays = async (): Promise<number[]> => {
   const raw = await getSetting<number[]>("user.account.reminder_days");
   const parsed = Array.isArray(raw) ? raw.filter((entry) => Number.isInteger(entry) && entry > 0) : [];
@@ -675,20 +772,47 @@ export const accountLifecycle = {
   extendCurrentUserAccount: async (config: {
     user: User;
-    ipaSession?: string | null;
-  }): Promise<{ message: string; newExpiry?: string }> => {
+  }): Promise<Result<{ message: string; newExpiry?: string }>> => {
+    const auditParams = (result: Result<{ message: string; newExpiry?: string }>) => ({
+      action: "accounts.user.extend_account",
+      actor: {
+        userId: config.user.id,
+        uid: config.user.uid,
+        provider: config.user.provider,
+        roles: config.user.roles,
+      },
+      target: { type: "user", id: config.user.id, label: config.user.uid, provider: config.user.provider },
+      result,
+    });
+    const recordResult = (result: Result<{ message: string; newExpiry?: string }>) =>
+      audit.recordResult(auditParams(result));
+    const recordCompletedMutation = (result: Result<{ message: string; newExpiry?: string }>) =>
+      result.ok ? audit.recordResultAfterSideEffect(auditParams(result)) : audit.recordResult(auditParams(result));
+    if (config.user.accountExpires === null) {
+      return recordResult(fail(err.badInput("Accounts without an expiration date cannot be extended.")));
+    }
     if (config.user.provider === "ipa") {
       const freeIpaConfig = (await getFreeIpaConfig());
       if (!freeIpaConfig.enabled) {
-        return { message: "FreeIPA is disabled." };
+        return recordResult(ok({ message: "FreeIPA is disabled." }));
       }
       const configuredDays = await getIpaExpiresDays();
       if (configuredDays <= 0) {
-        return { message: "Automatic account expiry is disabled for IPA accounts." };
+        return recordResult(ok({ message: "Automatic account expiry is disabled for IPA accounts." }));
       }
-      if (!config.ipaSession) {
-        throw new Error("IPA session required to extend an IPA-backed account.");
+      const freshness = await verifyIpaExtensionFreshness(config.user.uid);
+      if (!freshness.ok) return recordResult(fail(freshness.error));
+      const serviceSession = await getServiceIpaSession();
+      if (!serviceSession.ok) {
+        return recordResult(fail({
+          code: serviceSession.status === 400 ? "BAD_INPUT" : "INTERNAL",
+          message: serviceSession.error,
+          status: serviceSession.status,
+        }));
       }
       const expiresAt = new Date(Date.now() + configuredDays * DAY_MS);
@@ -697,13 +821,13 @@ export const accountLifecycle = {
       const response = await freeipa.client.call({
         url: freeIpaConfig.url,
-        ipaSession: config.ipaSession,
+        ipaSession: serviceSession.data,
         method: "user_mod",
         args: [config.user.uid],
         options: { krbprincipalexpiration: ipaExpiry },
       });
       if (response.error) {
-        throw new Error(response.error.message || "Failed to extend IPA account.");
+        return recordResult(fail(err.badInput(response.error.message || "Failed to extend IPA account.")));
       }
       await sql`
@@ -717,10 +841,10 @@ export const accountLifecycle = {
         ON CONFLICT (user_id) DO UPDATE SET synced_at = EXCLUDED.synced_at
       `;
-      return {
+      return recordCompletedMutation(ok({
         message: `Account extended until ${dates.formatDate(expiresAt)}.`,
         newExpiry: expiresAt.toISOString(),
-      };
+      }));
     }
     if (config.user.provider === "local" && config.user.profile === "guest") {
@@ -731,7 +855,7 @@ export const accountLifecycle = {
           SET account_expires = NULL
           WHERE id = ${config.user.id}::uuid
         `;
-        return { message: "Guest account expiry is disabled." };
+        return recordCompletedMutation(ok({ message: "Guest account expiry is disabled." }));
       }
       const expiresAt = new Date(Date.now() + guestDays * DAY_MS);
@@ -741,10 +865,10 @@ export const accountLifecycle = {
         WHERE id = ${config.user.id}::uuid
       `;
-      return {
+      return recordCompletedMutation(ok({
         message: `Guest account extended until ${dates.formatDate(expiresAt)}.`,
         newExpiry: expiresAt.toISOString(),
-      };
+      }));
     }
     if (config.user.provider === "local" && config.user.profile === "user") {
@@ -755,7 +879,7 @@ export const accountLifecycle = {
           SET account_expires = NULL
           WHERE id = ${config.user.id}::uuid
         `;
-        return { message: "Local user account expiry is disabled." };
+        return recordCompletedMutation(ok({ message: "Local user account expiry is disabled." }));
       }
       const expiresAt = new Date(Date.now() + localUserDays * DAY_MS);
@@ -765,13 +889,13 @@ export const accountLifecycle = {
         WHERE id = ${config.user.id}::uuid
       `;
-      return {
+      return recordCompletedMutation(ok({
         message: `Account extended until ${dates.formatDate(expiresAt)}.`,
         newExpiry: expiresAt.toISOString(),
-      };
+      }));
     }
-    return { message: "Your account does not support extension." };
+    return recordResult(ok({ message: "Your account does not support extension." }));
   },
   listDeletedAccounts: async (config: { page: number; perPage: number; reason?: string; search?: string }) => {