alepha 0.13.1 → 0.13.2

package/dist/server-auth/index.browser.js

@@ -1,10 +1,6 @@
-import { $env, $hook, $inject, $module, Alepha, AlephaError, Descriptor, KIND, createDescriptor, t } from "alepha";
-import { $permission, $realm, $role, AlephaSecurity, JwtProvider, SecurityProvider, userAccountInfoSchema } from "alepha/security";
-import { $action, $route, AlephaServer, ForbiddenError, HttpClient, HttpError, ServerReply, ServerRouterProvider, ServerTimingProvider, UnauthorizedError, routeMethods } from "alepha/server";
-import { randomUUID, timingSafeEqual } from "node:crypto";
-import { $logger } from "alepha/logger";
-import { $retry } from "alepha/retry";
-import { ReadableStream } from "node:stream/web";
+import { $module, t } from "alepha";
+import { userAccountInfoSchema } from "alepha/security";
+import { apiLinksResponseSchema } from "alepha/server/links";
 
 //#region src/server-auth/constants/routes.ts
 const alephaServerAuthRoutes = {
@@ -27,980 +23,6 @@ const authenticationProviderSchema = t.object({
 	], { description: "Type of the authentication provider." })
 }, { title: "AuthenticationProvider" });
 
-//#endregion
-//#region src/server-security/providers/ServerBasicAuthProvider.ts
-var ServerBasicAuthProvider = class {
-	alepha = $inject(Alepha);
-	log = $logger();
-	routerProvider = $inject(ServerRouterProvider);
-	realm = "Secure Area";
-	/**
-	* Registered basic auth descriptors with their configurations
-	*/
-	registeredAuths = [];
-	/**
-	* Register a basic auth configuration (called by descriptors)
-	*/
-	registerAuth(config) {
-		this.registeredAuths.push(config);
-	}
-	onStart = $hook({
-		on: "start",
-		handler: async () => {
-			for (const auth of this.registeredAuths) if (auth.paths) for (const pattern of auth.paths) {
-				const matchedRoutes = this.routerProvider.getRoutes(pattern);
-				for (const route of matchedRoutes) route.secure = { basic: {
-					username: auth.username,
-					password: auth.password
-				} };
-			}
-			if (this.registeredAuths.length > 0) this.log.info(`Initialized with ${this.registeredAuths.length} registered basic-auth configurations.`);
-		}
-	});
-	/**
-	* Hook into server:onRequest to check basic auth
-	*/
-	onRequest = $hook({
-		on: "server:onRequest",
-		handler: async ({ route, request }) => {
-			const routeAuth = route.secure;
-			if (typeof routeAuth === "object" && "basic" in routeAuth && routeAuth.basic) this.checkAuth(request, routeAuth.basic);
-		}
-	});
-	/**
-	* Hook into action:onRequest to check basic auth for actions
-	*/
-	onActionRequest = $hook({
-		on: "action:onRequest",
-		handler: async ({ action, request }) => {
-			const routeAuth = action.route.secure;
-			if (isBasicAuth(routeAuth)) this.checkAuth(request, routeAuth.basic);
-		}
-	});
-	/**
-	* Check basic authentication
-	*/
-	checkAuth(request, options) {
-		const authHeader = request.headers?.authorization;
-		if (!authHeader || !authHeader.startsWith("Basic ")) {
-			this.sendAuthRequired(request);
-			throw new HttpError({
-				status: 401,
-				message: "Authentication required"
-			});
-		}
-		const base64Credentials = authHeader.slice(6);
-		const credentials = Buffer.from(base64Credentials, "base64").toString("utf-8");
-		const colonIndex = credentials.indexOf(":");
-		const username = colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;
-		const password = colonIndex !== -1 ? credentials.slice(colonIndex + 1) : "";
-		if (!this.timingSafeCredentialCheck(username, password, options.username, options.password)) {
-			this.sendAuthRequired(request);
-			this.log.warn(`Failed basic auth attempt for user`, { username });
-			throw new HttpError({
-				status: 401,
-				message: "Invalid credentials"
-			});
-		}
-	}
-	/**
-	* Performs a timing-safe comparison of credentials to prevent timing attacks.
-	* Always compares both username and password to avoid leaking which one is wrong.
-	*/
-	timingSafeCredentialCheck(inputUsername, inputPassword, expectedUsername, expectedPassword) {
-		const inputUserBuf = Buffer.from(inputUsername, "utf-8");
-		const expectedUserBuf = Buffer.from(expectedUsername, "utf-8");
-		const inputPassBuf = Buffer.from(inputPassword, "utf-8");
-		const expectedPassBuf = Buffer.from(expectedPassword, "utf-8");
-		return (this.safeCompare(inputUserBuf, expectedUserBuf) & this.safeCompare(inputPassBuf, expectedPassBuf)) === 1;
-	}
-	/**
-	* Compares two buffers in constant time, handling different lengths safely.
-	* Returns 1 if equal, 0 if not equal.
-	*/
-	safeCompare(input, expected) {
-		if (input.length !== expected.length) {
-			timingSafeEqual(input, input);
-			return 0;
-		}
-		return timingSafeEqual(input, expected) ? 1 : 0;
-	}
-	/**
-	* Send WWW-Authenticate header
-	*/
-	sendAuthRequired(request) {
-		request.reply.setHeader("WWW-Authenticate", `Basic realm="${this.realm}"`);
-	}
-};
-const isBasicAuth = (value) => {
-	return typeof value === "object" && !!value && "basic" in value && !!value.basic;
-};
-
-//#endregion
-//#region src/server-security/descriptors/$basicAuth.ts
-/**
-* Declares HTTP Basic Authentication for server routes.
-* This descriptor provides methods to protect routes with username/password authentication.
-*/
-const $basicAuth = (options) => {
-	return createDescriptor(BasicAuthDescriptor, options);
-};
-var BasicAuthDescriptor = class extends Descriptor {
-	serverBasicAuthProvider = $inject(ServerBasicAuthProvider);
-	get name() {
-		return this.options.name ?? `${this.config.propertyKey}`;
-	}
-	onInit() {
-		this.serverBasicAuthProvider.registerAuth(this.options);
-	}
-	/**
-	* Checks basic auth for the given request using this descriptor's configuration.
-	*/
-	check(request, options) {
-		const mergedOptions = {
-			...this.options,
-			...options
-		};
-		this.serverBasicAuthProvider.checkAuth(request, mergedOptions);
-	}
-};
-$basicAuth[KIND] = BasicAuthDescriptor;
-
-//#endregion
-//#region src/server-security/providers/ServerSecurityProvider.ts
-var ServerSecurityProvider = class {
-	log = $logger();
-	securityProvider = $inject(SecurityProvider);
-	jwtProvider = $inject(JwtProvider);
-	alepha = $inject(Alepha);
-	onConfigure = $hook({
-		on: "configure",
-		handler: async () => {
-			for (const action of this.alepha.descriptors($action)) {
-				if (action.options.disabled || action.options.secure === false || this.securityProvider.getRealms().length === 0) continue;
-				if (typeof action.options.secure !== "object") this.securityProvider.createPermission({
-					name: action.name,
-					group: action.group,
-					method: action.route.method,
-					path: action.route.path
-				});
-			}
-		}
-	});
-	onActionRequest = $hook({
-		on: "action:onRequest",
-		handler: async ({ action, request, options }) => {
-			if (action.options.secure === false && !options.user) {
-				this.log.trace("Skipping security check for route");
-				return;
-			}
-			if (isBasicAuth(action.route.secure)) return;
-			const permission = this.securityProvider.getPermissions().find((it) => it.path === action.route.path && it.method === action.route.method);
-			try {
-				request.user = this.createUserFromLocalFunctionContext(options, permission);
-				const route = action.route;
-				if (typeof route.secure === "object") this.check(request.user, route.secure);
-				this.alepha.state.set("alepha.server.request.user", this.alepha.codec.decode(userAccountInfoSchema, request.user));
-			} catch (error) {
-				if (action.options.secure || permission) throw error;
-				this.log.trace("Skipping security check for action");
-			}
-		}
-	});
-	onRequest = $hook({
-		on: "server:onRequest",
-		priority: "last",
-		handler: async ({ request, route }) => {
-			if (route.secure === false) {
-				this.log.trace("Skipping security check for route - explicitly disabled");
-				return;
-			}
-			if (isBasicAuth(route.secure)) return;
-			const permission = this.securityProvider.getPermissions().find((it) => it.path === route.path && it.method === route.method);
-			if (!request.headers.authorization && !route.secure && !permission) {
-				this.log.trace("Skipping security check for route - no authorization header and not secure");
-				return;
-			}
-			try {
-				request.user = await this.securityProvider.createUserFromToken(request.headers.authorization, { permission });
-				if (typeof route.secure === "object") this.check(request.user, route.secure);
-				this.alepha.state.set("alepha.server.request.user", this.alepha.codec.decode(userAccountInfoSchema, request.user));
-				this.log.trace("User set from request token", {
-					user: request.user,
-					permission
-				});
-			} catch (error) {
-				if (route.secure || permission) throw error;
-				this.log.trace("Skipping security check for route - error occurred", error);
-			}
-		}
-	});
-	check(user, secure) {
-		if (secure.realm) {
-			if (user.realm !== secure.realm) throw new ForbiddenError(`User must belong to realm '${secure.realm}' to access this route`);
-		}
-	}
-	/**
-	* Get the user account token for a local action call.
-	* There are three possible sources for the user:
-	* - `options.user`: the user passed in the options
-	* - `"system"`: the system user from the state (you MUST set state `server.security.system.user`)
-	* - `"context"`: the user from the request context (you MUST be in an HTTP request context)
-	*
-	* Priority order: `options.user` > `"system"` > `"context"`.
-	*
-	* In testing environment, if no user is provided, a test user is created based on the SecurityProvider's roles.
-	*/
-	createUserFromLocalFunctionContext(options, permission) {
-		const fromOptions = typeof options.user === "object" ? options.user : void 0;
-		const type = typeof options.user === "string" ? options.user : void 0;
-		let user;
-		const fromContext = this.alepha.context.get("request")?.user;
-		const fromSystem = this.alepha.state.get("alepha.server.security.system.user");
-		if (type === "system") user = fromSystem;
-		else if (type === "context") user = fromContext;
-		else user = fromOptions ?? fromContext ?? fromSystem;
-		if (!user) {
-			if (this.alepha.isTest() && !("user" in options)) return this.createTestUser();
-			throw new UnauthorizedError("User is required for calling this action");
-		}
-		const roles = user.roles ?? (this.alepha.isTest() ? this.securityProvider.getRoles().map((role) => role.name) : []);
-		let ownership;
-		if (permission) {
-			const result = this.securityProvider.checkPermission(permission, ...roles);
-			if (!result.isAuthorized) throw new ForbiddenError(`Permission '${this.securityProvider.permissionToString(permission)}' is required for this route`);
-			ownership = result.ownership;
-		}
-		return {
-			...user,
-			ownership
-		};
-	}
-	createTestUser() {
-		return {
-			id: randomUUID(),
-			name: "Test",
-			roles: this.securityProvider.getRoles().map((role) => role.name)
-		};
-	}
-	onClientRequest = $hook({
-		on: "client:onRequest",
-		handler: async ({ request, options }) => {
-			if (!this.alepha.isTest()) return;
-			if ("user" in options && options.user === void 0) return;
-			request.headers = new Headers(request.headers);
-			if (!request.headers.has("authorization")) {
-				const test = this.createTestUser();
-				const user = typeof options?.user === "object" ? options.user : void 0;
-				const sub = user?.id ?? test.id;
-				const roles = user?.roles ?? test.roles;
-				const token = await this.jwtProvider.create({
-					sub,
-					roles
-				}, user?.realm ?? this.securityProvider.getRealms()[0]?.name);
-				request.headers.set("authorization", `Bearer ${token}`);
-			}
-		}
-	});
-};
-
-//#endregion
-//#region src/server-security/index.ts
-/**
-* Plugin for Alepha Server that provides security features. Based on the Alepha Security module.
-*
-* By default, all $action will be guarded by a permission check.
-*
-* @see {@link ServerSecurityProvider}
-* @module alepha.server.security
-*/
-const AlephaServerSecurity = $module({
-	name: "alepha.server.security",
-	descriptors: [
-		$realm,
-		$role,
-		$permission,
-		$basicAuth
-	],
-	services: [
-		AlephaServer,
-		AlephaSecurity,
-		ServerSecurityProvider,
-		ServerBasicAuthProvider
-	]
-});
-
-//#endregion
-//#region src/server-links/schemas/apiLinksResponseSchema.ts
-const apiLinkSchema = t.object({
-	name: t.text({ description: "Name of the API link, used for identification." }),
-	group: t.optional(t.text({ description: "Group to which the API link belongs, used for categorization." })),
-	path: t.text({ description: "Pathname used to access the API link." }),
-	method: t.optional(t.text({ description: "HTTP method used for the API link, e.g., GET, POST, etc. If not specified, defaults to GET." })),
-	requestBodyType: t.optional(t.text({ description: "Type of the request body for the API link. Default is application/json for POST/PUT/PATCH, null for others." })),
-	service: t.optional(t.text({ description: "Service name associated with the API link, used for service discovery." }))
-});
-const apiLinksResponseSchema = t.object({
-	prefix: t.optional(t.text()),
-	links: t.array(apiLinkSchema)
-});
-
-//#endregion
-//#region src/server-links/providers/LinkProvider.ts
-/**
-* Browser, SSR friendly, service to handle links.
-*/
-var LinkProvider = class LinkProvider {
-	static path = {
-		apiLinks: "/api/_links",
-		apiSchema: "/api/_links/:name/schema"
-	};
-	log = $logger();
-	alepha = $inject(Alepha);
-	httpClient = $inject(HttpClient);
-	serverLinks = [];
-	/**
-	* Get applicative links registered on the server.
-	* This does not include lazy-loaded remote links.
-	*/
-	getServerLinks() {
-		if (this.alepha.isBrowser()) {
-			this.log.warn("Getting server links in the browser is not supported. Use `fetchLinks` to get links from the server.");
-			return [];
-		}
-		return this.serverLinks;
-	}
-	/**
-	* Register a new link for the application.
-	*/
-	registerLink(link) {
-		if (this.alepha.isBrowser()) {
-			this.log.warn("Registering links in the browser is not supported. Use `fetchLinks` to get links from the server.");
-			return;
-		}
-		if (!link.handler && !link.host) throw new AlephaError("Can't create link - 'handler' or 'host' is required");
-		if (this.serverLinks.some((l) => l.name === link.name)) this.serverLinks = this.serverLinks.filter((l) => l.name !== link.name);
-		this.serverLinks.push(link);
-	}
-	get links() {
-		const apiLinks = this.alepha.state.get("alepha.server.request.apiLinks")?.links;
-		if (apiLinks) {
-			if (this.alepha.isBrowser()) return apiLinks;
-			const links = [];
-			for (const link of apiLinks) {
-				const originalLink = this.serverLinks.find((l) => l.name === link.name);
-				if (originalLink) links.push(originalLink);
-			}
-			return links;
-		}
-		return this.serverLinks ?? [];
-	}
-	/**
-	* Force browser to refresh links from the server.
-	*/
-	async fetchLinks() {
-		const { data } = await this.httpClient.fetch(`${LinkProvider.path.apiLinks}`, {
-			method: "GET",
-			schema: { response: apiLinksResponseSchema }
-		});
-		this.alepha.state.set("alepha.server.request.apiLinks", data);
-		return data.links;
-	}
-	/**
-	* Create a virtual client that can be used to call actions.
-	*
-	* Use js Proxy under the hood.
-	*/
-	client(scope = {}) {
-		return new Proxy({}, { get: (_, prop) => {
-			if (typeof prop !== "string") return;
-			return this.createVirtualAction(prop, scope);
-		} });
-	}
-	/**
-	* Check if a link with the given name exists.
-	* @param name
-	*/
-	can(name) {
-		return this.links.some((link) => link.name === name);
-	}
-	/**
-	* Resolve a link by its name and call it.
-	* - If link is local, it will call the local handler.
-	* - If link is remote, it will make a fetch request to the remote server.
-	*/
-	async follow(name, config = {}, options = {}) {
-		this.log.trace("Following link", {
-			name,
-			config,
-			options
-		});
-		const link = await this.getLinkByName(name, options);
-		if (link.handler && !options.request) {
-			this.log.trace("Local link found", { name });
-			return link.handler({
-				method: link.method,
-				url: new URL(`http://localhost${link.path}`),
-				query: config.query ?? {},
-				body: config.body ?? {},
-				params: config.params ?? {},
-				headers: config.headers ?? {},
-				metadata: {},
-				reply: new ServerReply()
-			}, options);
-		}
-		this.log.trace("Remote link found", {
-			name,
-			host: link.host,
-			service: link.service
-		});
-		return this.followRemote(link, config, options).then((response) => response.data);
-	}
-	createVirtualAction(name, scope = {}) {
-		const $ = async (config = {}, options = {}) => {
-			return this.follow(name, config, {
-				...scope,
-				...options
-			});
-		};
-		Object.defineProperty($, "name", {
-			value: name,
-			writable: false
-		});
-		$.run = async (config = {}, options = {}) => {
-			return this.follow(name, config, {
-				...scope,
-				...options
-			});
-		};
-		$.fetch = async (config = {}, options = {}) => {
-			const link = await this.getLinkByName(name, scope);
-			return this.followRemote(link, config, options);
-		};
-		$.can = () => {
-			return this.can(name);
-		};
-		return $;
-	}
-	async followRemote(link, config = {}, options = {}) {
-		options.request ??= {};
-		options.request.headers = new Headers(options.request.headers);
-		const als = this.alepha.context.get("request");
-		if (als?.headers.authorization) options.request.headers.set("authorization", als.headers.authorization);
-		const context = this.alepha.context.get("context");
-		if (typeof context === "string") options.request.headers.set("x-request-id", context);
-		const action = {
-			...link,
-			schema: {
-				body: t.any(),
-				response: t.any()
-			}
-		};
-		if (!link.host && link.service) action.path = `/${link.service}${action.path}`;
-		action.path = `${action.prefix ?? "/api"}${action.path}`;
-		action.prefix = void 0;
-		return this.httpClient.fetchAction({
-			host: link.host,
-			config,
-			options,
-			action
-		});
-	}
-	async getLinkByName(name, options = {}) {
-		if (this.alepha.isBrowser() && !this.alepha.state.get("alepha.server.request.apiLinks")) await this.fetchLinks();
-		const link = this.links.find((a) => a.name === name && (!options.group || a.group === options.group) && (!options.service || options.service === a.service));
-		if (!link) {
-			const error = new UnauthorizedError(`Action ${name} not found.`);
-			await this.alepha.events.emit("client:onError", {
-				route: link,
-				error
-			});
-			throw error;
-		}
-		if (options.hostname) return {
-			...link,
-			host: options.hostname
-		};
-		return link;
-	}
-};
-
-//#endregion
-//#region src/server-links/descriptors/$client.ts
-/**
-* Create a new client.
-*/
-const $client = (scope) => {
-	return $inject(LinkProvider).client(scope);
-};
-$client[KIND] = "$client";
-
-//#endregion
-//#region src/server-links/descriptors/$remote.ts
-/**
-* $remote is a descriptor that allows you to define remote service access.
-*
-* Use it only when you have 2 or more services that need to communicate with each other.
-*
-* All remote services can be exposed as actions, ... or not.
-*
-* You can add a service account if you want to use a security layer.
-*/
-const $remote = (options) => {
-	return createDescriptor(RemoteDescriptor, options);
-};
-var RemoteDescriptor = class extends Descriptor {
-	get name() {
-		return this.options.name ?? this.config.propertyKey;
-	}
-};
-$remote[KIND] = RemoteDescriptor;
-
-//#endregion
-//#region src/server-proxy/descriptors/$proxy.ts
-/**
-* Creates a proxy descriptor to forward requests to another server.
-*
-* This descriptor enables you to create reverse proxy functionality, allowing your Alepha server
-* to forward requests to other services while maintaining a unified API surface. It's particularly
-* useful for microservice architectures, API gateways, or when you need to aggregate multiple
-* services behind a single endpoint.
-*
-* **Key Features**
-*
-* - **Path-based routing**: Match specific paths or patterns to proxy
-* - **Dynamic targets**: Support both static and dynamic target resolution
-* - **Request/Response hooks**: Modify requests before forwarding and responses after receiving
-* - **URL rewriting**: Transform URLs before forwarding to the target
-* - **Conditional proxying**: Enable/disable proxies based on environment or conditions
-*
-* @example
-* **Basic proxy setup:**
-* ```ts
-* import { $proxy } from "alepha/server/proxy";
-*
-* class ApiGateway {
-*   // Forward all /api/* requests to external service
-*   api = $proxy({
-*     path: "/api/*",
-*     target: "https://api.example.com"
-*   });
-* }
-* ```
-*
-* @example
-* **Dynamic target with environment-based routing:**
-* ```ts
-* class ApiGateway {
-*   // Route to different environments based on configuration
-*   api = $proxy({
-*     path: "/api/*",
-*     target: () => process.env.NODE_ENV === "production"
-*       ? "https://api.prod.example.com"
-*       : "https://api.dev.example.com"
-*   });
-* }
-* ```
-*
-* @example
-* **Advanced proxy with request/response modification:**
-* ```ts
-* class SecureProxy {
-*   secure = $proxy({
-*     path: "/secure/*",
-*     target: "https://secure-api.example.com",
-*     beforeRequest: async (request, proxyRequest) => {
-*       // Add authentication headers
-*       proxyRequest.headers = {
-*         ...proxyRequest.headers,
-*         'Authorization': `Bearer ${await getServiceToken()}`,
-*         'X-Forwarded-For': request.headers['x-forwarded-for'] || request.ip
-*       };
-*     },
-*     afterResponse: async (request, proxyResponse) => {
-*       // Log response for monitoring
-*       console.log(`Proxied ${request.url} -> ${proxyResponse.status}`);
-*     },
-*     rewrite: (url) => {
-*       // Remove /secure prefix when forwarding
-*       url.pathname = url.pathname.replace('/secure', '');
-*     }
-*   });
-* }
-* ```
-*
-* @example
-* **Conditional proxy based on feature flags:**
-* ```ts
-* class FeatureProxy {
-*   newApi = $proxy({
-*     path: "/v2/*",
-*     target: "https://new-api.example.com",
-*     disabled: !process.env.ENABLE_V2_API // Disable if feature flag is off
-*   });
-* }
-* ```
-*/
-const $proxy = (options) => {
-	return createDescriptor(ProxyDescriptor, options);
-};
-var ProxyDescriptor = class extends Descriptor {};
-$proxy[KIND] = ProxyDescriptor;
-
-//#endregion
-//#region src/server-proxy/providers/ServerProxyProvider.ts
-var ServerProxyProvider = class {
-	log = $logger();
-	routerProvider = $inject(ServerRouterProvider);
-	alepha = $inject(Alepha);
-	configure = $hook({
-		on: "configure",
-		handler: () => {
-			for (const proxy of this.alepha.descriptors($proxy)) this.createProxy(proxy.options);
-		}
-	});
-	createProxy(options) {
-		if (options.disabled) return;
-		const path = options.path;
-		const target = typeof options.target === "function" ? options.target() : options.target;
-		if (!path.endsWith("/*")) throw new AlephaError("Proxy path should end with '/*'");
-		const handler = this.createProxyHandler(target, options);
-		for (const method of routeMethods) this.routerProvider.createRoute({
-			method,
-			path,
-			handler
-		});
-		this.log.info("Proxying", {
-			path,
-			target
-		});
-	}
-	createProxyHandler(target, options) {
-		return async (request) => {
-			const url = new URL(target + request.url.pathname);
-			if (request.url.search) url.search = request.url.search;
-			options.rewrite?.(url);
-			const requestInit = {
-				url: url.toString(),
-				method: request.method,
-				headers: {
-					...request.headers,
-					"accept-encoding": "identity"
-				},
-				body: this.getRawRequestBody(request)
-			};
-			if (requestInit.body) requestInit.duplex = "half";
-			if (options.beforeRequest) await options.beforeRequest(request, requestInit);
-			this.log.debug("Proxying request", {
-				url: url.toString(),
-				method: request.method,
-				headers: request.headers
-			});
-			const response = await fetch(requestInit.url, requestInit);
-			request.reply.status = response.status;
-			request.reply.headers = Object.fromEntries(response.headers.entries());
-			request.reply.body = response.body;
-			this.log.debug("Received response", {
-				status: request.reply.status,
-				headers: request.reply.headers
-			});
-			if (options.afterResponse) await options.afterResponse(request, response);
-		};
-	}
-	getRawRequestBody(req) {
-		const { method } = req;
-		if (method === "GET" || method === "HEAD" || method === "OPTIONS") return;
-		if (req.raw?.web?.req) return req.raw.web.req.body;
-		if (req.raw?.node?.req) {
-			const nodeReq = req.raw.node.req;
-			return ReadableStream.from(nodeReq);
-		}
-	}
-};
-
-//#endregion
-//#region src/server-proxy/index.ts
-/**
-* Plugin for Alepha that provides a proxy server functionality.
-*
-* @see {@link $proxy}
-* @module alepha.server.proxy
-*/
-const AlephaServerProxy = $module({
-	name: "alepha.server.proxy",
-	descriptors: [$proxy],
-	services: [AlephaServer, ServerProxyProvider]
-});
-
-//#endregion
-//#region src/server-links/providers/RemoteDescriptorProvider.ts
-const envSchema$1 = t.object({ SERVER_API_PREFIX: t.text({
-	description: "Prefix for all API routes (e.g. $action).",
-	default: "/api"
-}) });
-var RemoteDescriptorProvider = class {
-	env = $env(envSchema$1);
-	alepha = $inject(Alepha);
-	proxyProvider = $inject(ServerProxyProvider);
-	linkProvider = $inject(LinkProvider);
-	remotes = [];
-	log = $logger();
-	getRemotes() {
-		return this.remotes;
-	}
-	configure = $hook({
-		on: "configure",
-		handler: async () => {
-			const remotes = this.alepha.descriptors($remote);
-			for (const remote of remotes) await this.registerRemote(remote);
-		}
-	});
-	start = $hook({
-		on: "start",
-		handler: async () => {
-			for (const remote of this.remotes) {
-				const token = typeof remote.serviceAccount?.token === "function" ? await remote.serviceAccount.token() : void 0;
-				if (!remote.internal) continue;
-				const { links } = await remote.links({ authorization: token });
-				for (const link of links) {
-					let path = link.path.replace(remote.prefix, "");
-					if (link.service) path = `/${link.service}${path}`;
-					this.linkProvider.registerLink({
-						...link,
-						prefix: remote.prefix,
-						path,
-						method: link.method ?? "GET",
-						host: remote.url,
-						service: remote.name
-					});
-				}
-				this.log.info(`Remote '${remote.name}' OK`, {
-					links: remote.links.length,
-					prefix: remote.prefix
-				});
-			}
-		}
-	});
-	async registerRemote(value) {
-		const options = value.options;
-		const url = typeof options.url === "string" ? options.url : options.url();
-		const linkPath = LinkProvider.path.apiLinks;
-		const name = value.name;
-		const proxy = typeof options.proxy === "object" ? options.proxy : {};
-		const remote = {
-			url,
-			name,
-			prefix: "/api",
-			serviceAccount: options.serviceAccount,
-			proxy: !!options.proxy,
-			internal: !proxy.noInternal,
-			schema: async (opts) => {
-				const { authorization, name: name$1 } = opts;
-				return await fetch(`${url}${linkPath}/${name$1}/schema`, { headers: new Headers(authorization ? { authorization } : {}) }).then((it) => it.json());
-			},
-			links: async (opts) => {
-				const { authorization } = opts;
-				const remoteApi = await this.fetchLinks.run({
-					service: name,
-					url: `${url}${linkPath}`,
-					authorization
-				});
-				if (remoteApi.prefix != null) remote.prefix = remoteApi.prefix;
-				return remoteApi;
-			}
-		};
-		this.remotes.push(remote);
-		if (options.proxy) this.proxyProvider.createProxy({
-			path: `${this.env.SERVER_API_PREFIX}/${name}/*`,
-			target: url,
-			rewrite: (url$1) => {
-				url$1.pathname = url$1.pathname.replace(`${this.env.SERVER_API_PREFIX}/${name}`, remote.prefix);
-			},
-			...proxy
-		});
-	}
-	fetchLinks = $retry({
-		max: 10,
-		backoff: { initial: 1e3 },
-		onError: (_, attempt, { service, url }) => {
-			this.log.warn(`Failed to fetch links, retry (${attempt})...`, {
-				service,
-				url
-			});
-		},
-		handler: async (opts) => {
-			const { url, authorization } = opts;
-			const response = await fetch(url, { headers: new Headers(authorization ? { authorization } : {}) });
-			if (!response.ok) throw new Error(`Failed to fetch links from ${url}`);
-			return this.alepha.codec.decode(apiLinksResponseSchema, await response.json());
-		}
-	});
-};
-
-//#endregion
-//#region src/server-links/providers/ServerLinksProvider.ts
-const envSchema = t.object({ SERVER_API_PREFIX: t.text({
-	description: "Prefix for all API routes (e.g. $action).",
-	default: "/api"
-}) });
-var ServerLinksProvider = class {
-	env = $env(envSchema);
-	alepha = $inject(Alepha);
-	linkProvider = $inject(LinkProvider);
-	remoteProvider = $inject(RemoteDescriptorProvider);
-	serverTimingProvider = $inject(ServerTimingProvider);
-	get prefix() {
-		return this.env.SERVER_API_PREFIX;
-	}
-	onRoute = $hook({
-		on: "configure",
-		handler: () => {
-			for (const action of this.alepha.descriptors($action)) this.linkProvider.registerLink({
-				name: action.name,
-				group: action.group,
-				schema: action.options.schema,
-				requestBodyType: action.getBodyContentType(),
-				secured: action.options.secure ?? true,
-				method: action.method === "GET" ? void 0 : action.method,
-				prefix: action.prefix,
-				path: action.path,
-				handler: (config, options = {}) => action.run(config, options)
-			});
-		}
-	});
-	/**
-	* First API - Get all API links for the user.
-	*
-	* This is based on the user's permissions.
-	*/
-	links = $route({
-		path: LinkProvider.path.apiLinks,
-		schema: { response: apiLinksResponseSchema },
-		handler: ({ user, headers }) => {
-			return this.getUserApiLinks({
-				user,
-				authorization: headers.authorization
-			});
-		}
-	});
-	/**
-	* Second API - Get schema for a specific API link.
-	*
-	* Note: Body/Response schema are not included in `links` API because it's TOO BIG.
-	* I mean for 150+ links, you got 50ms of serialization time.
-	*/
-	schema = $route({
-		path: LinkProvider.path.apiSchema,
-		schema: {
-			params: t.object({ name: t.text() }),
-			response: t.json()
-		},
-		handler: ({ params, user, headers }) => {
-			return this.getSchemaByName(params.name, {
-				user,
-				authorization: headers.authorization
-			});
-		}
-	});
-	async getSchemaByName(name, options = {}) {
-		const authorization = options.authorization;
-		const api = await this.getUserApiLinks({
-			user: options.user,
-			authorization
-		});
-		for (const link of api.links) if (link.name === name) {
-			if (link.service) return this.remoteProvider.getRemotes().find((it) => it.name === link.service)?.schema({
-				name,
-				authorization
-			});
-			return this.linkProvider.getServerLinks().find((it) => it.name === name)?.schema ?? {};
-		}
-		return {};
-	}
-	/**
-	* Retrieves API links for the user based on their permissions.
-	* Will check on local links and remote links.
-	*/
-	async getUserApiLinks(options) {
-		const { user } = options;
-		let permissions;
-		let permissionMap;
-		const hasSecurity = this.alepha.has(SecurityProvider);
-		if (hasSecurity && user) {
-			permissions = this.alepha.inject(SecurityProvider).getPermissions(user);
-			permissionMap = new Map(permissions.map((it) => [`${it.group}:${it.name}`, it]));
-		}
-		const userLinks = [];
-		for (const permission of permissions ?? []) if (!permission.path && !permission.method && permission.name && permission.group) userLinks.push({
-			path: "",
-			name: permission.name,
-			group: permission.group
-		});
-		for (const link of this.linkProvider.getServerLinks()) {
-			if (link.host) continue;
-			if (hasSecurity && link.secured) {
-				if (!user) continue;
-				if (typeof link.secured === "object" && link.secured.realm) {
-					if (user.realm !== link.secured.realm) continue;
-				} else if (permissionMap) {
-					if (!permissionMap.has(`${link.group}:${link.name}`)) continue;
-				}
-			}
-			userLinks.push({
-				name: link.name,
-				group: link.group,
-				requestBodyType: link.requestBodyType,
-				method: link.method,
-				path: link.path
-			});
-		}
-		this.serverTimingProvider.beginTiming("fetchRemoteLinks");
-		const promises = this.remoteProvider.getRemotes().filter((it) => it.proxy).map(async (remote) => {
-			const { links, prefix } = await remote.links(options);
-			return links.map((link) => {
-				let path = link.path.replace(prefix ?? "/api", "");
-				if (link.service) path = `/${link.service}${path}`;
-				return {
-					...link,
-					path,
-					proxy: true,
-					service: remote.name
-				};
-			});
-		});
-		userLinks.push(...(await Promise.all(promises)).flat());
-		this.serverTimingProvider.endTiming("fetchRemoteLinks");
-		return {
-			prefix: this.env.SERVER_API_PREFIX,
-			links: userLinks
-		};
-	}
-};
-
-//#endregion
-//#region src/server-links/index.ts
-/**
-* Provides server-side link management and remote capabilities for client-server interactions.
-*
-* The server-links module enables declarative link definitions using `$remote` and `$client` descriptors,
-* facilitating seamless API endpoint management and client-server communication. It integrates with server
-* security features to ensure safe and controlled access to resources.
-*
-* @see {@link $remote}
-* @see {@link $client}
-* @module alepha.server.links
-*/
-const AlephaServerLinks = $module({
-	name: "alepha.server.links",
-	descriptors: [$remote, $client],
-	services: [
-		AlephaServer,
-		ServerLinksProvider,
-		RemoteDescriptorProvider,
-		LinkProvider
-	]
-});
-
 //#endregion
 //#region src/server-auth/schemas/tokensSchema.ts
 const tokensSchema = t.object({
@@ -1033,7 +55,7 @@ const userinfoResponseSchema = t.object({
 //#region src/server-auth/index.browser.ts
 const AlephaServerAuth = $module({
 	name: "alepha.server.auth",
-	descriptors: [],
+	primitives: [],
 	services: []
 });