hfs 0.1.6 → 0.26.2

package/src/middlewares.js

@@ -0,0 +1,154 @@
+"use strict";
+// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.prepareState = exports.getProxyDetected = exports.someSecurity = exports.serveGuiAndSharedFiles = exports.sessions = exports.headRequests = exports.gzipper = void 0;
+const koa_compress_1 = __importDefault(require("koa-compress"));
+const koa_session_1 = __importDefault(require("koa-session"));
+const const_1 = require("./const");
+const const_2 = require("./const");
+const vfs_1 = require("./vfs");
+const misc_1 = require("./misc");
+const zip_1 = require("./zip");
+const serveFile_1 = require("./serveFile");
+const serveGuiFiles_1 = require("./serveGuiFiles");
+const koa_mount_1 = __importDefault(require("koa-mount"));
+const stream_1 = require("stream");
+const block_1 = require("./block");
+const perm_1 = require("./perm");
+const connections_1 = require("./connections");
+const basic_auth_1 = __importDefault(require("basic-auth"));
+const tssrp6a_1 = require("tssrp6a");
+const api_auth_1 = require("./api.auth");
+exports.gzipper = (0, koa_compress_1.default)({
+    threshold: 2048,
+    gzip: { flush: require('zlib').constants.Z_SYNC_FLUSH },
+    deflate: { flush: require('zlib').constants.Z_SYNC_FLUSH },
+    br: false,
+    filter(type) {
+        return /text|javascript|style/i.test(type);
+    },
+});
+const headRequests = async (ctx, next) => {
+    const head = ctx.method === 'HEAD';
+    if (head)
+        ctx.method = 'GET'; // let other middlewares work, so we can collect the size at the end
+    await next();
+    if (!head || ctx.body === undefined)
+        return;
+    const { length, status } = ctx.response;
+    if (ctx.body)
+        ctx.body = stream_1.Readable.from(''); // empty the body for this is a HEAD request. Using Readable avoids koa from trying to set length to 0
+    ctx.status = status;
+    if (length)
+        ctx.response.length = length;
+};
+exports.headRequests = headRequests;
+const sessions = (app) => (0, koa_session_1.default)({
+    key: 'hfs_$id',
+    signed: true,
+    rolling: true,
+    maxAge: const_1.SESSION_DURATION,
+}, app);
+exports.sessions = sessions;
+const serveFrontendFiles = (0, serveGuiFiles_1.serveGuiFiles)(process.env.FRONTEND_PROXY, const_2.FRONTEND_URI);
+const serveFrontendPrefixed = (0, koa_mount_1.default)(const_2.FRONTEND_URI.slice(0, -1), serveFrontendFiles);
+const serveAdminPrefixed = (0, koa_mount_1.default)(const_1.ADMIN_URI.slice(0, -1), (0, serveGuiFiles_1.serveGuiFiles)(process.env.ADMIN_PROXY, const_1.ADMIN_URI));
+const serveGuiAndSharedFiles = async (ctx, next) => {
+    const { path } = ctx;
+    if (ctx.body)
+        return next();
+    if (path.startsWith(const_2.FRONTEND_URI))
+        return serveFrontendPrefixed(ctx, next);
+    if (path + '/' === const_1.ADMIN_URI)
+        return ctx.redirect(const_1.ADMIN_URI);
+    if (path.startsWith(const_1.ADMIN_URI))
+        return serveAdminPrefixed(ctx, next);
+    const node = await (0, vfs_1.urlToNode)(path, ctx);
+    if (!node)
+        return ctx.status = 404;
+    const canRead = (0, vfs_1.hasPermission)(node, 'can_read', ctx);
+    const isFolder = await (0, vfs_1.nodeIsDirectory)(node);
+    if (isFolder && !path.endsWith('/'))
+        return ctx.redirect(path + '/');
+    if (canRead && !isFolder)
+        return node.source ? (0, serveFile_1.serveFileNode)(node)(ctx, next)
+            : next();
+    if (!canRead) {
+        ctx.status = (0, vfs_1.cantReadStatusCode)(node);
+        if (ctx.status === const_1.FORBIDDEN)
+            return;
+        const browserDetected = ctx.get('Upgrade-Insecure-Requests') || ctx.get('Sec-Fetch-Mode'); // ugh, heuristics
+        if (!browserDetected) // we don't want to trigger basic authentication on browsers, it's meant for download managers only
+            ctx.set('WWW-Authenticate', 'Basic'); // we support basic authentication
+        ctx.state.serveApp = true;
+        return serveFrontendFiles(ctx, next);
+    }
+    ctx.set({ server: 'HFS ' + const_1.BUILD_TIMESTAMP });
+    const { get } = ctx.query;
+    if (get === 'zip')
+        return await (0, zip_1.zipStreamFromFolder)(node, ctx);
+    if (node.default) {
+        const def = await (0, vfs_1.urlToNode)(path + node.default, ctx);
+        return !def ? next()
+            : (0, vfs_1.hasPermission)(def, 'can_read', ctx) ? (0, serveFile_1.serveFileNode)(def)(ctx, next)
+                : ctx.status = (0, vfs_1.cantReadStatusCode)(def);
+    }
+    return serveFrontendFiles(ctx, next);
+};
+exports.serveGuiAndSharedFiles = serveGuiAndSharedFiles;
+let proxyDetected = false;
+const someSecurity = async (ctx, next) => {
+    ctx.request.ip = (0, connections_1.normalizeIp)(ctx.ip);
+    try {
+        let proxy = ctx.get('X-Forwarded-For');
+        // we have some dev-proxies to ignore
+        if (const_1.DEV && proxy && [process.env.FRONTEND_PROXY, process.env.ADMIN_PROXY].includes(ctx.get('X-Forwarded-port')))
+            proxy = '';
+        if ((0, misc_1.dirTraversal)(decodeURI(ctx.path)))
+            return ctx.status = 418;
+        if ((0, block_1.applyBlock)(ctx.socket, ctx.ip))
+            return;
+        proxyDetected || (proxyDetected = proxy > '');
+        ctx.state.proxiedFor = proxy;
+    }
+    catch (_a) {
+        return ctx.status = 418;
+    }
+    return next();
+};
+exports.someSecurity = someSecurity;
+// this is only about http proxies
+function getProxyDetected() {
+    return proxyDetected;
+}
+exports.getProxyDetected = getProxyDetected;
+const prepareState = async (ctx, next) => {
+    var _a;
+    // calculate these once and for all
+    ctx.state.account = (_a = await getHttpAccount(ctx)) !== null && _a !== void 0 ? _a : (0, perm_1.getAccount)((0, perm_1.getCurrentUsername)(ctx));
+    const conn = ctx.state.connection = (0, connections_1.socket2connection)(ctx.socket);
+    await next();
+    if (conn)
+        (0, connections_1.updateConnection)(conn, { ctx });
+};
+exports.prepareState = prepareState;
+async function getHttpAccount(ctx) {
+    const credentials = (0, basic_auth_1.default)(ctx.req);
+    const account = (0, perm_1.getAccount)((credentials === null || credentials === void 0 ? void 0 : credentials.name) || '');
+    if (account && await srpCheck(account.username, credentials.pass))
+        return account;
+}
+async function srpCheck(username, password) {
+    username = username.toLocaleLowerCase();
+    const account = (0, perm_1.getAccount)(username);
+    if (!(account === null || account === void 0 ? void 0 : account.srp) || !password)
+        return false;
+    const { step1, salt, pubKey } = await (0, api_auth_1.srpStep1)(account);
+    const client = new tssrp6a_1.SRPClientSession(new tssrp6a_1.SRPRoutines(new tssrp6a_1.SRPParameters()));
+    const clientRes1 = await client.step1(username, password);
+    const clientRes2 = await clientRes1.step2(BigInt(salt), BigInt(pubKey));
+    return await step1.step2(clientRes2.A, clientRes2.M1).then(() => true, () => false);
+}

package/src/misc.js

@@ -0,0 +1,160 @@
+"use strict";
+// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tryJson = exports.same = exports.isLocalHost = exports.with_ = exports.typedKeys = exports.objRenameKey = exports.onOff = exports.pendingPromise = exports.onlyTruthy = exports.truthy = exports.pattern2filter = exports.onFirstEvent = exports.onProcessExit = exports.randomId = exports.getOrSet = exports.wantArray = exports.wait = exports.objSameKeys = exports.setHidden = exports.prefix = exports.enforceFinal = exports.debounceAsync = void 0;
+const path_1 = require("path");
+const lodash_1 = __importDefault(require("lodash"));
+const assert_1 = __importDefault(require("assert"));
+__exportStar(require("./util-http"), exports);
+__exportStar(require("./util-generators"), exports);
+__exportStar(require("./util-files"), exports);
+const debounceAsync_1 = __importDefault(require("./debounceAsync"));
+exports.debounceAsync = debounceAsync_1.default;
+function enforceFinal(sub, s) {
+    return s.endsWith(sub) ? s : s + sub;
+}
+exports.enforceFinal = enforceFinal;
+function prefix(pre, v, post = '') {
+    return v ? pre + v + post : '';
+}
+exports.prefix = prefix;
+function setHidden(dest, src) {
+    return Object.defineProperties(dest, objSameKeys(src, value => ({
+        enumerable: false,
+        writable: true,
+        value,
+    })));
+}
+exports.setHidden = setHidden;
+function objSameKeys(src, newValue) {
+    return Object.fromEntries(Object.entries(src).map(([k, v]) => [k, newValue(v, k)]));
+}
+exports.objSameKeys = objSameKeys;
+function wait(ms) {
+    return new Promise(res => setTimeout(res, ms));
+}
+exports.wait = wait;
+function wantArray(x) {
+    return x == null ? [] : Array.isArray(x) ? x : [x];
+}
+exports.wantArray = wantArray;
+function getOrSet(o, k, creator) {
+    return k in o ? o[k]
+        : (o[k] = creator());
+}
+exports.getOrSet = getOrSet;
+function randomId(len = 10) {
+    // 10 chars is 51+bits, the max we can give. 8 is 41+bits
+    if (len > 10)
+        throw Error('bad length');
+    return Math.random()
+        .toString(36)
+        .substring(2, 2 + len)
+        .replace(/l/g, 'L'); // avoid confusion reading l1
+}
+exports.randomId = randomId;
+const cbs = new Set();
+function onProcessExit(cb) {
+    cbs.add(cb);
+    return () => cbs.delete(cb);
+}
+exports.onProcessExit = onProcessExit;
+onFirstEvent(process, ['exit', 'SIGQUIT', 'SIGTERM', 'SIGINT', 'SIGHUP'], signal => Promise.allSettled(Array.from(cbs).map(cb => cb(signal))).then(() => process.exit(0)));
+function onFirstEvent(emitter, events, cb) {
+    let already = false;
+    for (const e of events)
+        emitter.on(e, (...args) => {
+            if (already)
+                return;
+            already = true;
+            cb(...args);
+        });
+}
+exports.onFirstEvent = onFirstEvent;
+function pattern2filter(pattern) {
+    const re = new RegExp(lodash_1.default.escapeRegExp(pattern), 'i');
+    return (s) => !s || !pattern || re.test((0, path_1.basename)(s));
+}
+exports.pattern2filter = pattern2filter;
+function truthy(value) {
+    return Boolean(value);
+}
+exports.truthy = truthy;
+function onlyTruthy(arr) {
+    return arr.filter(truthy);
+}
+exports.onlyTruthy = onlyTruthy;
+function pendingPromise() {
+    let takeOut;
+    const ret = new Promise((resolve, reject) => takeOut = { resolve, reject });
+    return Object.assign(ret, takeOut);
+}
+exports.pendingPromise = pendingPromise;
+// install multiple handlers and returns a handy 'uninstall' function which requires no parameter. Pass a map {event:handler}
+function onOff(em, events) {
+    events = { ...events }; // avoid later modifications, as we need this later for uninstallation
+    for (const [k, cb] of Object.entries(events))
+        for (const e of k.split(' '))
+            em.on(e, cb);
+    return () => {
+        for (const [k, cb] of Object.entries(events))
+            for (const e of k.split(' '))
+                em.off(e, cb);
+    };
+}
+exports.onOff = onOff;
+function objRenameKey(o, from, to) {
+    if (!o || !o.hasOwnProperty(from) || from === to)
+        return;
+    o[to] = o[from];
+    delete o[from];
+    return true;
+}
+exports.objRenameKey = objRenameKey;
+function typedKeys(o) {
+    return Object.keys(o);
+}
+exports.typedKeys = typedKeys;
+function with_(par, cb) {
+    return cb(par);
+}
+exports.with_ = with_;
+function isLocalHost(c) {
+    const ip = c.socket.remoteAddress; // don't use Context.ip as it is subject to proxied ips, and that's no use for localhost detection
+    return ip && (ip === '::1' || ip.endsWith('127.0.0.1'));
+}
+exports.isLocalHost = isLocalHost;
+function same(a, b) {
+    try {
+        assert_1.default.deepStrictEqual(a, b);
+        return true;
+    }
+    catch (_a) {
+        return false;
+    }
+}
+exports.same = same;
+function tryJson(s) {
+    try {
+        return s && JSON.parse(s);
+    }
+    catch (_a) { }
+}
+exports.tryJson = tryJson;

package/src/pbkdf2.js

@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pbkdf2Verify = exports.pbkdf2 = void 0;
+// @ts-nocheck
+const node_crypto_1 = require("node:crypto");
+// FROM https://gist.github.com/chrisveness/770ee96945ec12ac84f134bf538d89fb
+/**
+ * Returns PBKDF2 derived key from supplied password.
+ *
+ * Stored key can subsequently be used to verify that a password matches the original password used
+ * to derive the key, using pbkdf2Verify().
+ *
+ * @param   {String} password - Password to be hashed using key derivation function.
+ * @param   {Number} [iterations=1e6] - Number of iterations of HMAC function to apply.
+ * @returns {String} Derived key as base64 string.
+ *
+ * @example
+ *   const key = await pbkdf2('pāşšŵōřđ'); // eg 'djAxBRKXWNWPyXgpKWHld8SWJA9CQFmLyMbNet7Rle5RLKJAkBCllLfM6tPFa7bAis0lSTiB'
+ */
+async function pbkdf2(password, iterations = 1e6) {
+    const pwUtf8 = new TextEncoder().encode(password); // encode pw as UTF-8
+    const pwKey = await node_crypto_1.webcrypto.subtle.importKey('raw', pwUtf8, 'PBKDF2', false, ['deriveBits']); // create pw key
+    const saltUint8 = node_crypto_1.webcrypto.getRandomValues(new Uint8Array(16)); // get random salt
+    const params = { name: 'PBKDF2', hash: 'SHA-256', salt: saltUint8, iterations: iterations }; // pbkdf2 params
+    const keyBuffer = await node_crypto_1.webcrypto.subtle.deriveBits(params, pwKey, 256); // derive key
+    const keyArray = Array.from(new Uint8Array(keyBuffer)); // key as byte array
+    const saltArray = Array.from(new Uint8Array(saltUint8)); // salt as byte array
+    const iterHex = ('000000' + iterations.toString(16)).slice(-6); // iter’n count as hex
+    const iterArray = iterHex.match(/.{2}/g).map(byte => parseInt(byte, 16)); // iter’ns as byte array
+    const compositeArray = [].concat(saltArray, iterArray, keyArray); // combined array
+    const compositeStr = compositeArray.map(byte => String.fromCharCode(byte)).join(''); // combined as string
+    // encode as base64
+    return btoa('v01' + compositeStr); // return composite key
+}
+exports.pbkdf2 = pbkdf2;
+/**
+ * Verifies whether the supplied password matches the password previously used to generate the key.
+ *
+ * @param   {String}  key - Key previously generated with pbkdf2().
+ * @param   {String}  password - Password to be matched against previously derived key.
+ * @returns {boolean} Whether password matches key.
+ *
+ * @example
+ *   const match = await pbkdf2Verify(key, 'pāşšŵōřđ'); // true
+ */
+async function pbkdf2Verify(key, password) {
+    let compositeStr = null; // composite key is salt, iteration count, and derived key
+    try {
+        compositeStr = atob(key);
+    }
+    catch (e) {
+        throw new Error('Invalid key');
+    } // decode from base64
+    const version = compositeStr.slice(0, 3); //  3 bytes
+    const saltStr = compositeStr.slice(3, 19); // 16 bytes (128 bits)
+    const iterStr = compositeStr.slice(19, 22); //  3 bytes
+    const keyStr = compositeStr.slice(22, 54); // 32 bytes (256 bits)
+    if (version !== 'v01')
+        throw new Error('Invalid key');
+    // -- recover salt & iterations from stored (composite) key
+    const saltUint8 = new Uint8Array(saltStr.match(/./g).map(ch => ch.charCodeAt(0))); // salt as Uint8Array
+    // note: cannot use TextEncoder().encode(saltStr) as it generates UTF-8
+    const iterHex = iterStr.match(/./g).map(ch => ch.charCodeAt(0).toString(16)).join(''); // iter’n count as hex
+    const iterations = parseInt(iterHex, 16); // iter’ns
+    // -- generate new key from stored salt & iterations and supplied password
+    const pwUtf8 = new TextEncoder().encode(password); // encode pw as UTF-8
+    const pwKey = await node_crypto_1.webcrypto.subtle.importKey('raw', pwUtf8, 'PBKDF2', false, ['deriveBits']); // create pw key
+    const params = { name: 'PBKDF2', hash: 'SHA-256', salt: saltUint8, iterations: iterations }; // pbkdf params
+    const keyBuffer = await node_crypto_1.webcrypto.subtle.deriveBits(params, pwKey, 256); // derive key
+    const keyArray = Array.from(new Uint8Array(keyBuffer)); // key as byte array
+    const keyStrNew = keyArray.map(byte => String.fromCharCode(byte)).join(''); // key as string
+    return keyStrNew === keyStr; // test if newly generated key matches stored key
+}
+exports.pbkdf2Verify = pbkdf2Verify;

package/src/perm.js

@@ -0,0 +1,176 @@
+"use strict";
+// This file is part of HFS - Copyright 2021-2022, Massimo Melina <a@rejetto.com> - License https://www.gnu.org/licenses/gpl-3.0.txt
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.anyAccountCanLoginAdmin = exports.accountCanLoginAdmin = exports.accountCanLogin = exports.accountHasPassword = exports.getFromAccount = exports.delAccount = exports.setAccount = exports.addAccount = exports.renameAccount = exports.updateAccount = exports.allowClearTextLogin = exports.saveSrpInfo = exports.getAccount = exports.getCurrentUsernameExpanded = exports.getCurrentUsername = exports.getAccounts = void 0;
+const lodash_1 = __importDefault(require("lodash"));
+const crypt_1 = require("./crypt");
+const misc_1 = require("./misc");
+const config_1 = require("./config");
+const tssrp6a_1 = require("tssrp6a");
+const events_1 = __importDefault(require("./events"));
+let accounts = {};
+function getAccounts() {
+    return accounts;
+}
+exports.getAccounts = getAccounts;
+function getCurrentUsername(ctx) {
+    var _a, _b;
+    return ((_a = ctx.state.account) === null || _a === void 0 ? void 0 : _a.username) || ((_b = ctx.session) === null || _b === void 0 ? void 0 : _b.username) || '';
+}
+exports.getCurrentUsername = getCurrentUsername;
+// provides the username and all other usernames it inherits based on the 'belongs' attribute. Useful to check permissions
+function getCurrentUsernameExpanded(ctx) {
+    const who = getCurrentUsername(ctx);
+    if (!who)
+        return [];
+    const ret = [who];
+    for (const u of ret) {
+        const a = getAccount(u);
+        if (a === null || a === void 0 ? void 0 : a.belongs)
+            ret.push(...a.belongs);
+    }
+    return ret;
+}
+exports.getCurrentUsernameExpanded = getCurrentUsernameExpanded;
+function getAccount(username) {
+    return username ? accounts[username] : undefined;
+}
+exports.getAccount = getAccount;
+function saveSrpInfo(account, salt, verifier) {
+    account.srp = String(salt) + '|' + String(verifier);
+}
+exports.saveSrpInfo = saveSrpInfo;
+exports.allowClearTextLogin = (0, config_1.defineConfig)('allow_clear_text_login');
+const srp6aNimbusRoutines = new tssrp6a_1.SRPRoutines(new tssrp6a_1.SRPParameters());
+async function updateAccount(account, changer) {
+    const was = JSON.stringify(account);
+    await (changer === null || changer === void 0 ? void 0 : changer(account));
+    const { username } = account;
+    if (account.password) {
+        console.debug('hashing password for', username);
+        if (exports.allowClearTextLogin.get())
+            account.hashed_password = await (0, crypt_1.hashPassword)(account.password);
+        const res = await (0, tssrp6a_1.createVerifierAndSalt)(srp6aNimbusRoutines, username, account.password);
+        saveSrpInfo(account, res.s, res.v);
+        delete account.password;
+    }
+    else if (!account.srp && account.hashed_password) {
+        console.log('please reset password for account', username);
+        process.exit(1);
+    }
+    if (account.belongs)
+        account.belongs = (0, misc_1.wantArray)(account.belongs).filter(b => b in accounts // at this stage the group record may still be null if specified later in the file
+            || console.error(`account ${username} belongs to non-existing ${b}`));
+    if (was !== JSON.stringify(account))
+        saveAccountsAsap();
+}
+exports.updateAccount = updateAccount;
+const saveAccountsAsap = config_1.saveConfigAsap;
+const accountsConfig = (0, config_1.defineConfig)('accounts', {});
+accountsConfig.sub(async (v) => {
+    // we should validate content here
+    accounts = v; // keep local reference
+    await Promise.all(lodash_1.default.map(accounts, async (rec, k) => {
+        const norm = normalizeUsername(k);
+        if (!rec) // an empty object in yaml is stored as null
+            rec = accounts[norm] = { username: norm };
+        else
+            (0, misc_1.objRenameKey)(accounts, k, norm);
+        (0, misc_1.setHidden)(rec, { username: norm });
+        await updateAccount(rec);
+    }));
+});
+function normalizeUsername(username) {
+    return username.toLocaleLowerCase();
+}
+function renameAccount(from, to) {
+    from = normalizeUsername(from);
+    to = normalizeUsername(to);
+    if (!to || !accounts[from] || accounts[to])
+        return false;
+    if (to === from)
+        return true;
+    (0, misc_1.objRenameKey)(accounts, from, to);
+    updateReferences();
+    saveAccountsAsap();
+    return true;
+    function updateReferences() {
+        var _a;
+        (0, misc_1.setHidden)(accounts[to], { username: to });
+        for (const a of Object.values(accounts)) {
+            const idx = (_a = a.belongs) === null || _a === void 0 ? void 0 : _a.indexOf(from);
+            if (idx !== undefined && idx >= 0)
+                a.belongs[idx] = to;
+        }
+        events_1.default.emit('accountRenamed', from, to); // everybody, take care of your stuff
+    }
+}
+exports.renameAccount = renameAccount;
+// we consider all the following fields, when falsy, as equivalent to be missing. If this changes in the future, please adjust addAccount and setAccount
+const assignableProps = ['redirect', 'ignore_limits', 'belongs', 'admin'];
+function addAccount(username, props) {
+    if (!username || accounts[username])
+        return;
+    const copy = (0, misc_1.setHidden)(lodash_1.default.pickBy(lodash_1.default.pick(props, assignableProps), Boolean), { username }); // have the field in the object but hidden so that stringification won't include it
+    accountsConfig.set(accounts => Object.assign(accounts, { [username]: copy }));
+    saveAccountsAsap().then();
+    return copy;
+}
+exports.addAccount = addAccount;
+function setAccount(username, changes) {
+    const acc = getAccount(username);
+    if (!acc)
+        return false;
+    const rest = lodash_1.default.pick(changes, assignableProps);
+    for (const [k, v] of Object.entries(rest))
+        if (!v)
+            rest[k] = undefined;
+    Object.assign(acc, rest);
+    if (changes.username)
+        renameAccount(username, changes.username);
+    saveAccountsAsap().then();
+    return true;
+}
+exports.setAccount = setAccount;
+function delAccount(username) {
+    if (!getAccount(username))
+        return false;
+    accountsConfig.set(accounts => Object.assign(accounts, { [username]: undefined }));
+    saveAccountsAsap().then();
+    return true;
+}
+exports.delAccount = delAccount;
+// get some property from account, searching in its groups if necessary. Search is breadth-first, and this determines priority of inheritance.
+function getFromAccount(account, getter) {
+    const search = [account];
+    for (const accountOrUsername of search) {
+        const a = typeof accountOrUsername === 'string' ? getAccount(accountOrUsername) : accountOrUsername;
+        if (!a)
+            continue;
+        const res = getter(a);
+        if (res !== undefined)
+            return res;
+        if (a.belongs)
+            search.push(...a.belongs);
+    }
+}
+exports.getFromAccount = getFromAccount;
+function accountHasPassword(account) {
+    return Boolean(account.password || account.hashed_password || account.srp);
+}
+exports.accountHasPassword = accountHasPassword;
+function accountCanLogin(account) {
+    return accountHasPassword(account);
+}
+exports.accountCanLogin = accountCanLogin;
+function accountCanLoginAdmin(account) {
+    return accountCanLogin(account) && getFromAccount(account, a => a.admin);
+}
+exports.accountCanLoginAdmin = accountCanLoginAdmin;
+function anyAccountCanLoginAdmin() {
+    return Object.values(accounts).find(accountCanLoginAdmin);
+}
+exports.anyAccountCanLoginAdmin = anyAccountCanLoginAdmin;