@withstudiocms/auth-kit 0.1.0-beta.1

package/dist/modules/encryption.js

@@ -0,0 +1,65 @@
+import { createCipheriv, createDecipheriv } from "node:crypto";
+import { DynamicBuffer } from "@oslojs/binary";
+import { decodeBase64 } from "@oslojs/encoding";
+import { Effect } from "@withstudiocms/effect";
+import { useDecryptionError, useEncryptionError } from "../errors.js";
+const Encryption = (CMS_ENCRYPTION_KEY) => Effect.gen(function* () {
+  const getKey = useEncryptionError(() => decodeBase64(CMS_ENCRYPTION_KEY));
+  const _key = yield* getKey;
+  yield* useEncryptionError(() => {
+    if (_key.byteLength !== 16) {
+      throw new Error("CMS_ENCRYPTION_KEY must decode to 16 bytes for aes-128-gcm");
+    }
+  });
+  const _algorithm = "aes-128-gcm";
+  const encrypt = Effect.fn("@withstudiocms/AuthKit/modules/encryption.encrypt")(
+    (data) => useEncryptionError(() => {
+      const iv = new Uint8Array(16);
+      crypto.getRandomValues(iv);
+      const cipher = createCipheriv(_algorithm, _key, iv);
+      const encrypted = new DynamicBuffer(0);
+      encrypted.write(iv);
+      encrypted.write(cipher.update(data));
+      encrypted.write(cipher.final());
+      encrypted.write(cipher.getAuthTag());
+      return encrypted.bytes();
+    })
+  );
+  const encryptToString = Effect.fn("@withstudiocms/AuthKit/modules/encryption.encryptToString")(
+    function* (data) {
+      const encoded = yield* useEncryptionError(() => new TextEncoder().encode(data));
+      return yield* encrypt(encoded);
+    }
+  );
+  const decrypt = Effect.fn("@withstudiocms/AuthKit/modules/encryption.decrypt")(
+    (data) => useDecryptionError(() => {
+      const IV_LEN = 16;
+      const TAG_LEN = 16;
+      const MAX_LEN = IV_LEN + TAG_LEN;
+      if (data.byteLength < MAX_LEN) {
+        throw new Error("Invalid data");
+      }
+      const decipher = createDecipheriv(_algorithm, _key, data.slice(0, IV_LEN));
+      decipher.setAuthTag(data.slice(data.byteLength - TAG_LEN));
+      const decrypted = new DynamicBuffer(0);
+      decrypted.write(decipher.update(data.slice(IV_LEN, data.byteLength - TAG_LEN)));
+      decrypted.write(decipher.final());
+      return decrypted.bytes();
+    })
+  );
+  const decryptToString = Effect.fn("@withstudiocms/AuthKit/modules/encryption.decryptToString")(
+    function* (data) {
+      const decoded = yield* decrypt(data);
+      return yield* useDecryptionError(() => new TextDecoder().decode(decoded));
+    }
+  );
+  return {
+    encrypt,
+    encryptToString,
+    decrypt,
+    decryptToString
+  };
+});
+export {
+  Encryption
+};

package/dist/modules/index.d.ts

@@ -0,0 +1,4 @@
+export { Encryption as _Encryption } from './encryption.js';
+export { Password as _Password } from './password.js';
+export { Session as _Session } from './session.js';
+export { User as _User } from './user.js';

package/dist/modules/index.js

@@ -0,0 +1,10 @@
+import { Encryption } from "./encryption.js";
+import { Password } from "./password.js";
+import { Session } from "./session.js";
+import { User } from "./user.js";
+export {
+  Encryption as _Encryption,
+  Password as _Password,
+  Session as _Session,
+  User as _User
+};

package/dist/modules/password.d.ts

@@ -0,0 +1,18 @@
+import { Effect } from '@withstudiocms/effect';
+import type { IScrypt } from '../types.js';
+/**
+ * Provides password hashing, verification, and strength checking utilities using Scrypt.
+ *
+ * @param Scrypt - An effectful Scrypt implementation for password hashing.
+ * @returns An Effect that yields an object containing:
+ * - `hashPassword`: Hashes a plain text password with optional salt.
+ * - `verifyPasswordHash`: Verifies a password against a hashed value.
+ * - `verifyPasswordStrength`: Checks if a password meets strength requirements.
+ *
+ * @module @withstudiocms/AuthKit/modules/password
+ */
+export declare const Password: (Scrypt: IScrypt) => Effect.Effect<{
+    readonly hashPassword: (password: string, _salt?: string | undefined) => Effect.Effect<string, import("@withstudiocms/effect/scrypt").ScryptError, never>;
+    readonly verifyPasswordHash: (hash: string, password: string) => Effect.Effect<boolean, import("@withstudiocms/effect/scrypt").ScryptError | import("../errors.js").PasswordError, never>;
+    readonly verifyPasswordStrength: (pass: string) => Effect.Effect<string | true, import("../errors.js").PasswordError | import("../errors.js").CheckIfUnsafeError | import("@effect/platform/HttpClientError").ResponseError, never>;
+}, never, never>;

package/dist/modules/password.js

@@ -0,0 +1,53 @@
+import { randomBytes } from "node:crypto";
+import { Effect } from "@withstudiocms/effect";
+import {
+  breakSecurePassword,
+  buildSecurePassword,
+  checkPwnedDB,
+  constantTimeEqual,
+  PASS_GEN1_0_PREFIX,
+  verifyPasswordLength,
+  verifySafe
+} from "../utils/password.js";
+const Password = (Scrypt) => Effect.gen(function* () {
+  const scrypt = yield* Scrypt;
+  const hashPassword = Effect.fn("@withstudiocms/AuthKit/modules/password.hashPassword")(
+    function* (password, _salt) {
+      const salt = _salt || randomBytes(16).toString("hex");
+      const hash = yield* scrypt.run(password + salt);
+      return yield* buildSecurePassword({
+        generation: PASS_GEN1_0_PREFIX,
+        salt,
+        hash: hash.toString("hex")
+      });
+    }
+  );
+  const verifyPasswordHash = Effect.fn(
+    "@withstudiocms/AuthKit/modules/password.verifyPasswordHash"
+  )(function* (hash, password) {
+    const { salt } = yield* breakSecurePassword(hash);
+    const newHash = yield* hashPassword(password, salt);
+    return constantTimeEqual(hash, newHash);
+  });
+  const verifyPasswordStrength = Effect.fn(
+    "@withstudiocms/AuthKit/modules/password.verifyPasswordStrength"
+  )(function* (pass) {
+    const [lengthCheck, unsafeCheck, pwnedCheck] = yield* Effect.all([
+      verifyPasswordLength(pass),
+      verifySafe(pass),
+      checkPwnedDB(pass)
+    ]);
+    if (lengthCheck) return lengthCheck;
+    if (unsafeCheck) return unsafeCheck;
+    if (pwnedCheck) return pwnedCheck;
+    return true;
+  });
+  return {
+    hashPassword,
+    verifyPasswordHash,
+    verifyPasswordStrength
+  };
+});
+export {
+  Password
+};

package/dist/modules/session.d.ts

@@ -0,0 +1,34 @@
+import { Effect } from '@withstudiocms/effect';
+import type { APIContext, AstroGlobal } from 'astro';
+import { SessionError } from '../errors.js';
+import type { SessionConfig, SessionValidationResult } from '../types.js';
+/**
+ * Creates a session management module with the provided configuration.
+ *
+ * This factory function returns an object containing various session-related
+ * effectful operations, such as generating session tokens, creating and validating
+ * sessions, managing session cookies, and handling OAuth session tokens.
+ *
+ * @param config - The session configuration object. This is merged with the default session configuration.
+ * @returns An Effect that yields an object with session management methods:
+ * - `generateSessionToken`: Generates a secure random session token.
+ * - `createSession`: Creates a new session for a user.
+ * - `validateSessionToken`: Validates a session token, extends expiration if needed, and deletes expired sessions.
+ * - `invalidateSession`: Deletes a session by its ID.
+ * - `setSessionTokenCookie`: Sets a session token cookie in the provided context.
+ * - `deleteSessionTokenCookie`: Deletes the session token cookie in the provided context.
+ * - `setOAuthSessionTokenCookie`: Sets an OAuth session token cookie in the provided context.
+ * - `createUserSession`: Creates a new user session and sets the session token cookie.
+ *
+ * @throws {SessionError} If required session tools are not provided in the configuration.
+ */
+export declare const Session: (config: SessionConfig) => Effect.Effect<{
+    readonly generateSessionToken: () => Effect.Effect.AsEffect<Effect.Effect<string, SessionError, never>>;
+    readonly createSession: (token: string, userId: string) => Effect.Effect<import("../types.js").UserSession, SessionError, never>;
+    readonly validateSessionToken: (token: string) => Effect.Effect<SessionValidationResult, SessionError, never>;
+    readonly invalidateSession: (sessionId: string) => Effect.Effect.AsEffect<Effect.Effect<void, SessionError, never>>;
+    readonly setSessionTokenCookie: (context: APIContext<Record<string, any>, Record<string, string | undefined>> | AstroGlobal<Record<string, any>, import("astro/runtime/server/index.js").AstroComponentFactory, Record<string, string | undefined>>, token: string, expiresAt: Date, secure?: boolean | undefined) => Effect.Effect.AsEffect<Effect.Effect<void, SessionError, never>>;
+    readonly deleteSessionTokenCookie: (context: APIContext<Record<string, any>, Record<string, string | undefined>> | AstroGlobal<Record<string, any>, import("astro/runtime/server/index.js").AstroComponentFactory, Record<string, string | undefined>>, secure?: boolean | undefined) => Effect.Effect.AsEffect<Effect.Effect<void, SessionError, never>>;
+    readonly setOAuthSessionTokenCookie: (context: APIContext<Record<string, any>, Record<string, string | undefined>> | AstroGlobal<Record<string, any>, import("astro/runtime/server/index.js").AstroComponentFactory, Record<string, string | undefined>>, key: string, value: string, secure?: boolean | undefined) => Effect.Effect.AsEffect<Effect.Effect<void, SessionError, never>>;
+    readonly createUserSession: (userId: string, context: APIContext<Record<string, any>, Record<string, string | undefined>> | AstroGlobal<Record<string, any>, import("astro/runtime/server/index.js").AstroComponentFactory, Record<string, string | undefined>>, secure?: boolean | undefined) => Effect.Effect<void, SessionError, never>;
+}, SessionError, never>;

package/dist/modules/session.js

@@ -0,0 +1,152 @@
+import { encodeBase32LowerCaseNoPadding } from "@oslojs/encoding";
+import { Effect } from "@withstudiocms/effect";
+import { SessionError, useSessionError, useSessionErrorPromise } from "../errors.js";
+import { defaultSessionConfig, makeExpirationDate, makeSessionId } from "../utils/session.js";
+const Session = (config) => Effect.gen(function* () {
+  const { expTime, cookieName, sessionTools } = {
+    ...defaultSessionConfig,
+    ...config
+  };
+  if (!sessionTools) {
+    return yield* Effect.fail(
+      new SessionError({ cause: "Session tools must be provided in the configuration" })
+    );
+  }
+  if (!Number.isFinite(expTime) || expTime <= 0) {
+    return yield* Effect.fail(
+      new SessionError({
+        cause: "Invalid session config: expTime must be a positive number (ms)"
+      })
+    );
+  }
+  if (typeof cookieName !== "string" || cookieName.trim().length === 0) {
+    return yield* Effect.fail(
+      new SessionError({ cause: "Invalid session config: cookieName must be a non-empty string" })
+    );
+  }
+  const expTimeHalf = expTime / 2;
+  const defaultSecure = process.env.NODE_ENV === "production";
+  const generateSessionToken = Effect.fn(
+    "@withstudiocms/AuthKit/modules/session.generateSessionToken"
+  )(
+    () => useSessionError(() => {
+      const data = new Uint8Array(20);
+      const random = crypto.getRandomValues(data);
+      const returnable = encodeBase32LowerCaseNoPadding(random);
+      return returnable;
+    })
+  );
+  const createSession = Effect.fn("@withstudiocms/AuthKit/modules/session.createSession")(
+    function* (token, userId) {
+      const [sessionId, expirationDate] = yield* Effect.all([
+        makeSessionId(token),
+        makeExpirationDate(expTime)
+      ]);
+      return yield* useSessionErrorPromise(
+        () => sessionTools.createSession({ expiresAt: expirationDate, id: sessionId, userId })
+      );
+    }
+  );
+  const validateSessionToken = Effect.fn(
+    "@withstudiocms/AuthKit/modules/session.validateSessionToken"
+  )(function* (token) {
+    const sessionId = yield* makeSessionId(token);
+    const nullSession = {
+      session: null,
+      user: null
+    };
+    const result = yield* useSessionErrorPromise(
+      () => sessionTools.sessionAndUserData(sessionId)
+    );
+    if (!result.length) {
+      return nullSession;
+    }
+    const userSession = result[0];
+    if (!userSession) {
+      return nullSession;
+    }
+    const { user, session } = userSession;
+    const now = Date.now();
+    const expiresAtMs = session.expiresAt instanceof Date ? session.expiresAt.getTime() : new Date(session.expiresAt).getTime();
+    if (!Number.isFinite(expiresAtMs)) {
+      yield* useSessionErrorPromise(() => sessionTools.deleteSession(session.id));
+      return nullSession;
+    }
+    if (now >= expiresAtMs) {
+      yield* useSessionErrorPromise(() => sessionTools.deleteSession(session.id));
+      return nullSession;
+    }
+    let sessionOut = session;
+    if (now >= expiresAtMs - expTimeHalf) {
+      const expiresAt = new Date(now + expTime);
+      yield* useSessionErrorPromise(
+        () => sessionTools.updateSession(session.id, { ...session, expiresAt })
+      );
+      sessionOut = { ...session, expiresAt };
+    }
+    return { session: sessionOut, user };
+  });
+  const invalidateSession = Effect.fn("@withstudiocms/AuthKit/modules/session.invalidateSession")(
+    (sessionId) => useSessionErrorPromise(() => sessionTools.deleteSession(sessionId))
+  );
+  const setSessionTokenCookie = Effect.fn(
+    "@withstudiocms/AuthKit/modules/session.setSessionTokenCookie"
+  )(
+    (context, token, expiresAt, secure) => useSessionError(
+      () => context.cookies.set(cookieName, token, {
+        httpOnly: true,
+        sameSite: "lax",
+        secure: secure ?? defaultSecure,
+        expires: expiresAt,
+        path: "/"
+      })
+    )
+  );
+  const deleteSessionTokenCookie = Effect.fn(
+    "@withstudiocms/AuthKit/modules/session.deleteSessionTokenCookie"
+  )(
+    (context, secure) => useSessionError(
+      () => context.cookies.set(cookieName, "", {
+        httpOnly: true,
+        sameSite: "lax",
+        secure: secure ?? defaultSecure,
+        maxAge: 0,
+        path: "/"
+      })
+    )
+  );
+  const setOAuthSessionTokenCookie = Effect.fn(
+    "@withstudiocms/AuthKit/modules/session.setOAuthSessionTokenCookie"
+  )(
+    (context, key, value, secure) => useSessionError(
+      () => context.cookies.set(key, value, {
+        httpOnly: true,
+        sameSite: "lax",
+        secure: secure ?? defaultSecure,
+        maxAge: 60 * 10,
+        path: "/"
+      })
+    )
+  );
+  const createUserSession = Effect.fn("@withstudiocms/AuthKit/modules/session.createUserSession")(
+    function* (userId, context, secure) {
+      const sessionToken = yield* generateSessionToken();
+      const expirationDate = yield* makeExpirationDate(expTime);
+      yield* createSession(sessionToken, userId);
+      yield* setSessionTokenCookie(context, sessionToken, expirationDate, secure);
+    }
+  );
+  return {
+    generateSessionToken,
+    createSession,
+    validateSessionToken,
+    invalidateSession,
+    setSessionTokenCookie,
+    deleteSessionTokenCookie,
+    setOAuthSessionTokenCookie,
+    createUserSession
+  };
+});
+export {
+  Session
+};

package/dist/modules/user.d.ts

@@ -0,0 +1,85 @@
+import { Effect } from '@withstudiocms/effect';
+import type { APIContext, AstroGlobal } from 'astro';
+import { UserError } from '../errors.js';
+import type { CombinedUserData, UserConfig, UserData, UserSessionData } from '../types.js';
+import { UserPermissionLevel } from '../types.js';
+/**
+ * Factory function to create user-related operations for authentication and user management.
+ *
+ * This function initializes and returns a set of user management utilities, including
+ * username validation, avatar creation, user creation (local and OAuth), password management,
+ * user data retrieval, and permission checks. It requires configuration for password hashing,
+ * session management, and user tools.
+ *
+ * @param config - The configuration object for user management.
+ * @param config.Scrypt - The password hashing implementation.
+ * @param config.session - The session management configuration.
+ * @param config.userTools - Utilities for user data access, creation, and notification.
+ * @returns An Effect generator yielding an object with user management methods:
+ * - `verifyUsernameInput`: Validates a username against length, character, and safety rules.
+ * - `createUserAvatar`: Generates a Libravatar URL for a user's email.
+ * - `createLocalUser`: Creates a new local user with the provided details.
+ * - `createOAuthUser`: Creates a new user with OAuth credentials.
+ * - `updateUserPassword`: Updates a user's password.
+ * - `getUserPasswordHash`: Retrieves the password hash for a user.
+ * - `getUserFromEmail`: Retrieves a user by their email address.
+ * - `getUserData`: Retrieves user session data from the provided context.
+ * - `getUserPermissionLevel`: Gets the user's permission level as an enum.
+ * - `isUserAllowed`: Checks if a user has the required permission level.
+ *
+ * @example
+ * ```typescript
+ * const userModule = User({ Scrypt, session, userTools });
+ * ```
+ */
+export declare const User: ({ Scrypt, session, userTools }: UserConfig) => Effect.Effect<{
+    readonly verifyUsernameInput: (username: string) => Effect.Effect<string | true, import("../errors.js").CheckIfUnsafeError | UserError, never>;
+    readonly createUserAvatar: (email: string) => Effect.Effect.AsEffect<Effect.Effect<string, UserError, never>>;
+    readonly createLocalUser: (name: string, username: string, email: string, password: string) => Effect.Effect<{
+        name: string;
+        username: string;
+        id: string;
+        url: string | null;
+        email: string | null;
+        avatar: string | null;
+        password: string | null;
+        updatedAt: Date | null;
+        createdAt: Date | null;
+        emailVerified: boolean;
+        notifications: string | null;
+    }, import("@withstudiocms/effect/scrypt").ScryptError | UserError, never>;
+    readonly createOAuthUser: (data: UserData, oAuthFields: {
+        provider: string;
+        providerUserId: string;
+    }) => Effect.Effect<{
+        name: string;
+        username: string;
+        id: string;
+        url: string | null;
+        email: string | null;
+        avatar: string | null;
+        password: string | null;
+        updatedAt: Date | null;
+        createdAt: Date | null;
+        emailVerified: boolean;
+        notifications: string | null;
+    }, UserError, never>;
+    readonly updateUserPassword: (userId: string, password: string) => Effect.Effect<{
+        name: string;
+        username: string;
+        id: string;
+        url: string | null;
+        email: string | null;
+        avatar: string | null;
+        password: string | null;
+        updatedAt: Date | null;
+        createdAt: Date | null;
+        emailVerified: boolean;
+        notifications: string | null;
+    }, import("@withstudiocms/effect/scrypt").ScryptError | UserError, never>;
+    readonly getUserPasswordHash: (userId: string) => Effect.Effect<string, UserError, never>;
+    readonly getUserFromEmail: (email: string) => Effect.Effect.AsEffect<Effect.Effect<CombinedUserData | null | undefined, UserError, never>>;
+    readonly getUserData: (context: APIContext<Record<string, any>, Record<string, string | undefined>> | AstroGlobal<Record<string, any>, import("astro/runtime/server/index.js").AstroComponentFactory, Record<string, string | undefined>>) => Effect.Effect<UserSessionData, import("../errors.js").SessionError | UserError, never>;
+    readonly getUserPermissionLevel: (userData: UserSessionData | CombinedUserData | null) => Effect.Effect<UserPermissionLevel, UserError, never>;
+    readonly isUserAllowed: (userData: UserSessionData | CombinedUserData | null, requiredPerms: "owner" | "admin" | "editor" | "visitor" | "unknown") => Effect.Effect<boolean, UserError, never>;
+}, import("../errors.js").SessionError | UserError, never>;

package/dist/modules/user.js

@@ -0,0 +1,169 @@
+import { Effect } from "@withstudiocms/effect";
+import { UserError, useSessionError, useUserError, useUserErrorPromise } from "../errors.js";
+import { UserPermissionLevel } from "../types.js";
+import libravatar from "../utils/libravatar.js";
+import {
+  getDefaultUserSession,
+  getLevel,
+  parseRequiredPerms,
+  verifyUsernameCharacters,
+  verifyUsernameLength,
+  verifyUsernameSafe
+} from "../utils/user.js";
+import { Password as _Password } from "./password.js";
+import { Session as _Session } from "./session.js";
+const User = ({ Scrypt, session, userTools }) => Effect.gen(function* () {
+  const [Password, Session] = yield* Effect.all([_Password(Scrypt), _Session(session)]);
+  if (!userTools) {
+    return yield* Effect.fail(new UserError({ cause: "User tools are not available" }));
+  }
+  const notifier = userTools.notifier;
+  const verifyUsernameInput = Effect.fn(
+    "@withstudiocms/AuthKit/modules/user.verifyUsernameInput"
+  )(function* (username) {
+    const [testLength, usernameChars, safeCheck] = yield* Effect.all([
+      verifyUsernameLength(username),
+      verifyUsernameCharacters(username),
+      verifyUsernameSafe(username)
+    ]);
+    if (testLength) return testLength;
+    if (usernameChars) return usernameChars;
+    if (safeCheck) return safeCheck;
+    return true;
+  });
+  const createUserAvatar = Effect.fn("@withstudiocms/AuthKit/modules/user.createUserAvatar")(
+    (email) => useUserErrorPromise(
+      async () => libravatar.getAvatarUrl({ email, https: true, size: 400, default: "retro" })
+    )
+  );
+  const createLocalUser = Effect.fn("@withstudiocms/AuthKit/modules/user.createLocalUser")(
+    function* (name, username, email, password) {
+      const [passwordHash, avatar, id] = yield* Effect.all([
+        Password.hashPassword(password),
+        createUserAvatar(email),
+        useUserError(() => userTools.idGenerator())
+      ]);
+      const createdAt = /* @__PURE__ */ new Date();
+      const createdUser = yield* useUserErrorPromise(
+        () => userTools.createLocalUser({
+          id,
+          name,
+          username,
+          email,
+          createdAt,
+          avatar,
+          updatedAt: createdAt,
+          password: passwordHash,
+          emailVerified: false,
+          notifications: null,
+          url: null
+        })
+      );
+      if (notifier) {
+        yield* useUserErrorPromise(() => notifier.admin("new_user", createdUser.username));
+      }
+      return createdUser;
+    }
+  );
+  const createOAuthUser = Effect.fn("@withstudiocms/AuthKit/modules/user.createOAuthUser")(
+    function* (data, oAuthFields) {
+      const createdUser = yield* useUserErrorPromise(() => userTools.createLocalUser(data));
+      yield* useUserErrorPromise(
+        () => userTools.createOAuthUser({
+          userId: createdUser.id,
+          ...oAuthFields
+        })
+      );
+      if (notifier) {
+        yield* useUserErrorPromise(() => notifier.admin("new_user", createdUser.username));
+      }
+      return createdUser;
+    }
+  );
+  const updateUserPassword = Effect.fn("@withstudiocms/AuthKit/modules/user.updateUserPassword")(
+    function* (userId, password) {
+      const newHash = yield* Password.hashPassword(password);
+      return yield* useUserErrorPromise(
+        () => userTools.updateLocalUser(userId, { password: newHash })
+      );
+    }
+  );
+  const getUserPasswordHash = Effect.fn(
+    "@withstudiocms/AuthKit/modules/user.getUserPasswordHash"
+  )(function* (userId) {
+    const user = yield* useUserErrorPromise(() => userTools.getUserById(userId));
+    if (!user) return yield* Effect.fail(new UserError({ cause: "User not found" }));
+    if (!user.password)
+      return yield* Effect.fail(new UserError({ cause: "User has no password" }));
+    return user.password;
+  });
+  const getUserFromEmail = Effect.fn("@withstudiocms/AuthKit/modules/user.getUserFromEmail")(
+    (email) => useUserErrorPromise(() => userTools.getUserByEmail(email))
+  );
+  const getUserData = Effect.fn("@withstudiocms/AuthKit/modules/user.getUserData")(function* (context) {
+    const sessionToken = yield* useSessionError(
+      () => context.cookies.get(session.cookieName)?.value
+    );
+    if (!sessionToken) {
+      return yield* getDefaultUserSession();
+    }
+    const { session: ses, user } = yield* Session.validateSessionToken(sessionToken);
+    if (!ses || !user) {
+      yield* Session.deleteSessionTokenCookie(context);
+      return yield* getDefaultUserSession();
+    }
+    const rankToPermissionLevel = {
+      owner: "owner",
+      admin: "admin",
+      editor: "editor",
+      visitor: "visitor"
+    };
+    const result = yield* useUserErrorPromise(() => userTools.getCurrentPermissions(user.id));
+    const permissionLevel = result && rankToPermissionLevel[result.rank] || "unknown";
+    const out = {
+      isLoggedIn: true,
+      user,
+      permissionLevel
+    };
+    return out;
+  });
+  const getUserPermissionLevel = Effect.fn(
+    "@withstudiocms/AuthKit/modules/user.getUserPermissionLevel"
+  )(function* (userData) {
+    const level = yield* getLevel(userData);
+    switch (level) {
+      case "owner":
+        return UserPermissionLevel.owner;
+      case "admin":
+        return UserPermissionLevel.admin;
+      case "editor":
+        return UserPermissionLevel.editor;
+      case "visitor":
+        return UserPermissionLevel.visitor;
+      default:
+        return UserPermissionLevel.unknown;
+    }
+  });
+  const isUserAllowed = Effect.fn("@withstudiocms/AuthKit/modules/user.isUserAllowed")(function* (userData, requiredPerms) {
+    const [userLevel, neededLevel] = yield* Effect.all([
+      getUserPermissionLevel(userData),
+      parseRequiredPerms(requiredPerms)
+    ]);
+    return userLevel >= neededLevel;
+  });
+  return {
+    verifyUsernameInput,
+    createUserAvatar,
+    createLocalUser,
+    createOAuthUser,
+    updateUserPassword,
+    getUserPasswordHash,
+    getUserFromEmail,
+    getUserData,
+    getUserPermissionLevel,
+    isUserAllowed
+  };
+});
+export {
+  User
+};