paskia 0.10.0__py3-none-any.whl → 0.10.2__py3-none-any.whl

paskia/frontend-build/auth/assets/{pow-2N9bxgAo.js → pow-DUr-T9XX.js}

@@ -1 +1 @@
-function v(e){const a=e.replace(/-/g,"+").replace(/_/g,"/"),t=a+"=".repeat((4-a.length%4)%4);return Uint8Array.from(atob(t),i=>i.charCodeAt(0))}function k(e){return btoa(String.fromCharCode(...e)).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}const h=["able","about","absent","abuse","access","acid","across","act","adapt","add","adjust","admit","adult","advice","affair","afraid","again","age","agree","ahead","aim","air","aisle","alarm","album","alert","alien","all","almost","alone","alpha","also","alter","always","amazed","among","amused","anchor","angle","animal","ankle","annual","answer","any","apart","appear","april","arch","are","argue","army","around","array","art","ascent","ash","ask","aspect","assume","asthma","atom","attack","audit","august","aunt","author","avoid","away","awful","axis","baby","back","bad","bag","ball","bamboo","bank","bar","base","battle","beach","become","beef","before","begin","behind","below","bench","best","better","beyond","bid","bike","bind","bio","birth","bitter","black","bleak","blind","blood","blue","board","body","boil","bomb","bone","book","border","boss","bottom","bounce","bowl","box","boy","brain","bread","bring","brown","brush","bubble","buck","budget","build","bulk","bundle","burden","bus","but","buyer","buzz","cable","cache","cage","cake","call","came","can","car","case","catch","cause","cave","celery","cement","census","cereal","change","check","child","choice","chunk","cigar","circle","city","civil","class","clean","client","close","club","coast","code","coffee","coil","cold","come","cool","copy","core","cost","cotton","couch","cover","coyote","craft","cream","crime","cross","cruel","cry","cube","cue","cult","cup","curve","custom","cute","cycle","dad","damage","danger","daring","dash","dawn","day","deal","debate","decide","deer","define","degree","deity","delay","demand","denial","depth","derive","design","detail","device","dial","dice","die","differ","dim","dinner","direct","dish","divert","dizzy","doctor","dog","dollar","domain","donate","door","dose","double","dove","draft","dream","drive","drop","drum","dry","duck","dumb","dune","during","dust","dutch","dwarf","eager","early","east","echo","eco","edge","edit","effort","egg","eight","either","elbow","elder","elite","else","embark","emerge","emily","employ","enable","end","enemy","engine","enjoy","enlist","enough","enrich","ensure","entire","envy","equal","era","erode","error","erupt","escape","essay","estate","ethics","evil","evoke","exact","excess","exist","exotic","expect","extent","eye","fabric","face","fade","faith","fall","family","fan","far","father","fault","feel","female","fence","fetch","fever","few","fiber","field","figure","file","find","first","fish","fit","fix","flat","flesh","flight","float","fluid","fly","foam","focus","fog","foil","follow","food","force","fossil","found","fox","frame","fresh","friend","frog","fruit","fuel","fun","fury","future","gadget","gain","galaxy","game","gap","garden","gas","gate","gauge","gaze","genius","ghost","giant","gift","giggle","ginger","girl","give","glass","glide","globe","glue","goal","god","gold","good","gospel","govern","gown","grant","great","grid","group","grunt","guard","guess","guide","gulf","gun","gym","habit","hair","half","hammer","hand","happy","hard","hat","have","hawk","hay","hazard","head","hedge","height","help","hen","hero","hidden","high","hill","hint","hip","hire","hobby","hockey","hold","home","honey","hood","hope","horse","host","hotel","hour","hover","how","hub","huge","human","hungry","hurt","hybrid","ice","icon","idea","idle","ignore","ill","image","immune","impact","income","index","infant","inhale","inject","inmate","inner","input","inside","into","invest","iron","island","issue","italy","item","ivory","jacket","jaguar","james","jar","jazz","jeans","jelly","jewel","job","joe","joke","joy","judge","juice","july","jump","june","just","kansas","kate","keep","kernel","key","kick","kid","kind","kiss","kit","kiwi","knee","knife","know","labor","lady","lag","lake","lamp","laptop","large","later","laugh","lava","law","layer","lazy","leader","left","legal","lemon","length","lesson","letter","level","liar","libya","lid","life","light","like","limit","line","lion","liquid","list","little","live","lizard","load","local","logic","long","loop","lost","loud","love","low","loyal","lucky","lumber","lunch","lust","luxury","lyrics","mad","magic","main","major","make","male","mammal","man","map","market","mass","matter","maze","mccoy","meadow","media","meet","melt","member","men","mercy","mesh","method","middle","milk","mimic","mind","mirror","miss","mix","mobile","model","mom","monkey","moon","more","mother","mouse","move","much","muffin","mule","must","mutual","myself","myth","naive","name","napkin","narrow","nasty","nation","near","neck","need","nephew","nerve","nest","net","never","news","next","nice","night","noble","noise","noodle","normal","nose","note","novel","now","number","nurse","nut","oak","obey","object","oblige","obtain","occur","ocean","odor","off","often","oil","okay","old","olive","omit","once","one","onion","online","open","opium","oppose","option","orange","orbit","order","organ","orient","orphan","other","outer","oval","oven","own","oxygen","oyster","ozone","pact","paddle","page","pair","palace","panel","paper","parade","past","path","pause","pave","paw","pay","peace","pen","people","pepper","permit","pet","philip","phone","phrase","piano","pick","piece","pig","pilot","pink","pipe","pistol","pitch","pizza","place","please","pluck","poem","point","polar","pond","pool","post","pot","pound","powder","praise","prefer","price","profit","public","pull","punch","pupil","purity","push","put","puzzle","qatar","quasi","queen","quite","quoted","rabbit","race","radio","rail","rally","ramp","range","rapid","rare","rather","raven","raw","razor","real","rebel","recall","red","reform","region","reject","relief","remain","rent","reopen","report","result","return","review","reward","rhythm","rib","rich","ride","rifle","right","ring","riot","ripple","risk","ritual","river","road","robot","rocket","room","rose","rotate","round","row","royal","rubber","rude","rug","rule","run","rural","sad","safe","sage","sail","salad","same","santa","sauce","save","say","scale","scene","school","scope","screen","scuba","sea","second","seed","self","semi","sense","series","settle","seven","shadow","she","ship","shock","shrimp","shy","sick","side","siege","sign","silver","simple","since","siren","sister","six","size","skate","sketch","ski","skull","slab","sleep","slight","slogan","slush","small","smile","smooth","snake","sniff","snow","soap","soccer","soda","soft","solid","son","soon","sort","south","space","speak","sphere","spirit","split","spoil","spring","spy","square","state","step","still","story","strong","stuff","style","submit","such","sudden","suffer","sugar","suit","summer","sun","supply","sure","swamp","sweet","switch","sword","symbol","syntax","syria","system","table","tackle","tag","tail","talk","tank","tape","target","task","tattoo","taxi","team","tell","ten","term","test","text","that","theme","this","three","thumb","tibet","ticket","tide","tight","tilt","time","tiny","tip","tired","tissue","title","toast","today","toe","toilet","token","tomato","tone","tool","top","torch","toss","total","toward","toy","trade","tree","trial","trophy","true","try","tube","tumble","tunnel","turn","twenty","twice","two","type","ugly","unable","uncle","under","unfair","unique","unlock","until","unveil","update","uphold","upon","upper","upset","urban","urge","usage","use","usual","vacuum","vague","valid","van","vapor","vast","vault","vein","velvet","vendor","very","vessel","viable","video","view","villa","violin","virus","visit","vital","vivid","vocal","voice","volume","vote","voyage","wage","wait","wall","want","war","wash","water","wave","way","wealth","web","weird","were","west","wet","what","when","whip","wide","wife","will","window","wire","wish","wolf","woman","wonder","wood","work","wrap","wreck","write","wrong","xander","xbox","xerox","xray","yang","yard","year","yellow","yes","yin","york","you","zane","zara","zebra","zen","zero","zippo","zone","zoo","zorro","zulu"],o=new Map;for(const e of h)for(let a=1;a<=Math.min(e.length,6);a++){const t=e.slice(0,a);o.has(t)||o.set(t,[]),o.get(t).push(e)}function w(e){if(!e)return[];const a=e.toLowerCase();return o.get(a)||[]}function x(e){const a=w(e);return a.length===1?a[0]:null}function z(e){if(!e)return!1;const a=e.toLowerCase();return h.includes(a)}function j(e){if(!e)return!0;const a=e.toLowerCase();return o.has(a)}async function A(e,a,t={}){const{signal:i}=t,m=performance.now(),n=e instanceof ArrayBuffer?new Uint8Array(e):e;if(!(n instanceof Uint8Array)||n.length!==8)throw new Error("Challenge must be exactly 8 bytes");const b=await crypto.subtle.importKey("raw",n,"PBKDF2",!1,["deriveBits"]),u=new Uint8Array(8*a);let l=0;const s=2047,r=new Uint32Array(2);for(let c=0;c<a;c++){if(i?.aborted)throw new DOMException("PoW operation aborted","AbortError");let p;do l++,++r[0]===4294967296&&++r[1],p=new Uint32Array(await crypto.subtle.deriveBits({name:"PBKDF2",salt:r,iterations:128,hash:"SHA-512"},b,32));while(p[0]&s);u.set(new Uint8Array(r.buffer),c*8)}const d=(performance.now()-m)/1e3,g=a*(s+1),f=(l/g).toFixed(1),y=l/((s+1)*d);return console.log(`PoW work=${a} solved in ${d.toFixed(2)}s (${f}x expected ${y.toFixed(1)} work/s)`),u}export{z as a,k as b,v as c,x as g,j as i,A as s,h as w};
+function v(e){const a=e.replace(/-/g,"+").replace(/_/g,"/"),t=a+"=".repeat((4-a.length%4)%4);return Uint8Array.from(atob(t),i=>i.charCodeAt(0))}function k(e){return btoa(String.fromCharCode(...e)).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}const h=["able","about","absent","abuse","access","acid","across","act","adapt","add","adjust","admit","adult","advice","affair","afraid","again","age","agree","ahead","aim","air","aisle","alarm","album","alert","alien","all","almost","alone","alpha","also","alter","always","amazed","among","amused","anchor","angle","animal","ankle","annual","answer","any","apart","appear","april","arch","are","argue","army","around","array","art","ascent","ash","ask","aspect","assume","asthma","atom","attack","audit","august","aunt","author","avoid","away","awful","axis","baby","back","bad","bag","ball","bamboo","bank","bar","base","battle","beach","become","beef","before","begin","behind","below","bench","best","better","beyond","bid","bike","bind","bio","birth","bitter","black","bleak","blind","blood","blue","board","body","boil","bomb","bone","book","border","boss","bottom","bounce","bowl","box","boy","brain","bread","bring","brown","brush","bubble","buck","budget","build","bulk","bundle","burden","bus","but","buyer","buzz","cable","cache","cage","cake","call","came","can","car","case","catch","cause","cave","celery","cement","census","cereal","change","check","child","choice","chunk","cigar","circle","city","civil","class","clean","client","close","club","coast","code","coffee","coil","cold","come","cool","copy","core","cost","cotton","couch","cover","coyote","craft","cream","crime","cross","cruel","cry","cube","cue","cult","cup","curve","custom","cute","cycle","dad","damage","danger","daring","dash","dawn","day","deal","debate","decide","deer","define","degree","deity","delay","demand","denial","depth","derive","design","detail","device","dial","dice","die","differ","dim","dinner","direct","dish","divert","dizzy","doctor","dog","dollar","domain","donate","door","dose","double","dove","draft","dream","drive","drop","drum","dry","duck","dumb","dune","during","dust","dutch","dwarf","eager","early","east","echo","eco","edge","edit","effort","egg","eight","either","elbow","elder","elite","else","embark","emerge","emily","employ","enable","end","enemy","engine","enjoy","enlist","enough","enrich","ensure","entire","envy","equal","era","erode","error","erupt","escape","essay","estate","ethics","evil","evoke","exact","excess","exist","exotic","expect","extent","eye","fabric","face","fade","faith","fall","family","fan","far","father","fault","feel","female","fence","fetch","fever","few","fiber","field","figure","file","find","first","fish","fit","fix","flat","flesh","flight","float","fluid","fly","foam","focus","fog","foil","follow","food","force","fossil","found","fox","frame","fresh","friend","frog","fruit","fuel","fun","fury","future","gadget","gain","galaxy","game","gap","garden","gas","gate","gauge","gaze","genius","ghost","giant","gift","giggle","ginger","girl","give","glass","glide","globe","glue","goal","god","gold","good","gospel","govern","gown","grant","great","grid","group","grunt","guard","guess","guide","gulf","gun","gym","habit","hair","half","hammer","hand","happy","hard","hat","have","hawk","hay","hazard","head","hedge","height","help","hen","hero","hidden","high","hill","hint","hip","hire","hobby","hockey","hold","home","honey","hood","hope","horse","host","hotel","hour","hover","how","hub","huge","human","hungry","hurt","hybrid","ice","icon","idea","idle","ignore","ill","image","immune","impact","income","index","infant","inhale","inject","inmate","inner","input","inside","into","invest","iron","island","issue","italy","item","ivory","jacket","jaguar","james","jar","jazz","jeans","jelly","jewel","job","joe","joke","joy","judge","juice","july","jump","june","just","kansas","kate","keep","kernel","key","kick","kid","kind","kiss","kit","kiwi","knee","knife","know","labor","lady","lag","lake","lamp","laptop","large","later","laugh","lava","law","layer","lazy","leader","left","legal","lemon","length","lesson","letter","level","liar","libya","lid","life","light","like","limit","line","lion","liquid","list","little","live","lizard","load","local","logic","long","loop","lost","loud","love","low","loyal","lucky","lumber","lunch","lust","luxury","lyrics","mad","magic","main","major","make","male","mammal","man","map","market","mass","matter","maze","mccoy","meadow","media","meet","melt","member","men","mercy","mesh","method","middle","milk","mimic","mind","mirror","miss","mix","mobile","model","mom","monkey","moon","more","mother","mouse","move","much","muffin","mule","must","mutual","myself","myth","naive","name","napkin","narrow","nasty","nation","near","neck","need","nephew","nerve","nest","net","never","news","next","nice","night","noble","noise","noodle","normal","nose","note","novel","now","number","nurse","nut","oak","obey","object","oblige","obtain","occur","ocean","odor","off","often","oil","okay","old","olive","omit","once","one","onion","online","open","opium","oppose","option","orange","orbit","order","organ","orient","orphan","other","outer","oval","oven","own","oxygen","oyster","ozone","pact","paddle","page","pair","palace","panel","paper","parade","past","path","pause","pave","paw","pay","peace","pen","people","pepper","permit","pet","philip","phone","phrase","piano","pick","piece","pig","pilot","pink","pipe","pistol","pitch","pizza","place","please","pluck","poem","point","polar","pond","pool","post","pot","pound","powder","praise","prefer","price","profit","public","pull","punch","pupil","purity","push","put","puzzle","qatar","quasi","queen","quite","quoted","rabbit","race","radio","rail","rally","ramp","range","rapid","rare","rather","raven","raw","razor","real","rebel","recall","red","reform","region","reject","relief","remain","rent","reopen","report","result","return","review","reward","rhythm","rib","rich","ride","rifle","right","ring","riot","ripple","risk","ritual","river","road","robot","rocket","room","rose","rotate","round","row","royal","rubber","rude","rug","rule","run","rural","sad","safe","sage","sail","salad","same","santa","sauce","save","say","scale","scene","school","scope","screen","scuba","sea","second","seed","self","semi","sense","series","settle","seven","shadow","she","ship","shock","shrimp","shy","sick","side","siege","sign","silver","simple","since","siren","sister","six","size","skate","sketch","ski","skull","slab","sleep","slight","slogan","slush","small","smile","smooth","snake","sniff","snow","soap","soccer","soda","soft","solid","son","soon","sort","south","space","speak","sphere","spirit","split","spoil","spring","spy","square","state","step","still","story","strong","stuff","style","submit","such","sudden","suffer","sugar","suit","summer","sun","supply","sure","swamp","sweet","switch","sword","symbol","syntax","syria","system","table","tackle","tag","tail","talk","tank","tape","target","task","tattoo","taxi","team","tell","ten","term","test","text","that","theme","this","three","thumb","tibet","ticket","tide","tight","tilt","time","tiny","tip","tired","tissue","title","toast","today","toe","toilet","token","tomato","tone","tool","top","torch","toss","total","toward","toy","trade","tree","trial","trophy","true","try","tube","tumble","tunnel","turn","twenty","twice","two","type","ugly","unable","uncle","under","unfair","unique","unlock","until","unveil","update","uphold","upon","upper","upset","urban","urge","usage","use","usual","vacuum","vague","valid","van","vapor","vast","vault","vein","velvet","vendor","very","vessel","viable","video","view","villa","violin","virus","visit","vital","vivid","vocal","voice","volume","vote","voyage","wage","wait","wall","want","war","wash","water","wave","way","wealth","web","weird","were","west","wet","what","when","whip","wide","wife","will","window","wire","wish","wolf","woman","wonder","wood","work","wrap","wreck","write","wrong","xander","xbox","xerox","xray","yang","yard","year","yellow","yes","yin","york","you","zane","zara","zebra","zen","zero","zippo","zone","zoo","zorro","zulu"],o=new Map;for(const e of h)for(let a=1;a<=Math.min(e.length,6);a++){const t=e.slice(0,a);o.has(t)||o.set(t,[]),o.get(t).push(e)}function w(e){if(!e)return[];const a=e.toLowerCase();return o.get(a)||[]}function x(e){const a=w(e);return a.length===1?a[0]:null}function z(e){if(!e)return!1;const a=e.toLowerCase();return h.includes(a)}function j(e){if(!e)return!0;const a=e.toLowerCase();return o.has(a)}async function A(e,a,t={}){const{signal:i}=t,m=performance.now(),n=e instanceof ArrayBuffer?new Uint8Array(e):e;if(!(n instanceof Uint8Array)||n.length!==8)throw new Error("Challenge must be exactly 8 bytes");const b=await crypto.subtle.importKey("raw",n,"PBKDF2",!1,["deriveBits"]),u=new Uint8Array(8*a);let l=0;const s=2047,r=new Uint32Array(2);for(let c=0;c<a;c++){if(i?.aborted)throw new DOMException("PoW operation aborted","AbortError");let p;do l++,++r[0]===4294967296&&++r[1],p=new Uint32Array(await crypto.subtle.deriveBits({name:"PBKDF2",salt:r,iterations:128,hash:"SHA-512"},b,32));while(p[0]&s);u.set(new Uint8Array(r.buffer),c*8)}const d=(performance.now()-m)/1e3,g=a*(s+1),f=(l/g).toFixed(1),y=l/((s+1)*d);return console.log(`PoW work=${a} solved in ${d.toFixed(2)}s (${f}x expected ${y.toFixed(1)} work/s)`),u}export{j as a,k as b,v as c,x as g,z as i,A as s,h as w};

paskia/frontend-build/auth/assets/reset-CkY9h28U.js

@@ -0,0 +1 @@
+import{_ as z,o as A,b as c,c as u,d as t,t as f,e as M,g as N,i as $,v as F,L as K,k as i,l as V,z as b,a6 as D,a7 as E,X as I,m as p,a8 as H,H as L,J as U,K as j}from"./_plugin-vue_export-helper-DJsHCwvl.js";const G={class:"app-shell"},J={key:0,class:"global-status",style:{display:"block"}},O={class:"view-root"},X={class:"surface surface--tight",style:{"max-width":"560px",margin:"0 auto",width:"100%"}},Y={class:"view-header",style:{"text-align":"center"}},q={class:"view-lede"},Q={key:0,class:"section-block"},W={key:1,class:"section-block"},Z={key:2,class:"section-block"},ee={class:"section-body"},se={class:"name-edit"},te=["disabled"],ae=["disabled"],ne={__name:"ResetApp",setup(ie){const o=I({show:!1,message:"",type:"info"}),d=i(!0),n=i(!1),l=i(""),x=i(null),g=i(null),m=i(""),y=i("");let v=null;const T=p(()=>g.value?.token_type||"your enrollment"),P=p(()=>d.value?"Preparing your secure enrollment…":h.value?`Finish up ${T.value}. You may edit the name below if needed, and it will be saved to your passkey.`:"This authentication link is no longer valid."),h=p(()=>!!(l.value&&g.value));function r(e,s="info",a=3e3){o.show=!0,o.message=e,o.type=s,v&&clearTimeout(v),a>0&&(v=setTimeout(()=>{o.show=!1},a))}async function R(){try{const e=await V();x.value=e,e?.rp_name&&(document.title=`${e.rp_name} · Passkey Setup`)}catch(e){console.warn("Unable to load settings",e)}}async function S(){if(l.value)try{g.value=await b("/auth/api/token-info",{method:"GET",headers:{Authorization:`Bearer ${l.value}`}}),m.value=g.value.display_name}catch(e){console.error("Failed to load token info",e);const s=e instanceof D?e.data?.detail||"The authentication link is invalid or expired.":E(e);y.value=s}}async function _(){if(!h.value||n.value)return;n.value=!0,r("Starting passkey registration…","info");let e;try{const s=m.value.trim()||null;e=await L.register(l.value,s)}catch(s){n.value=!1;const a=s?.message||"Passkey registration cancelled",w=a==="Passkey registration cancelled";r(w?a:`Registration failed: ${a}`,w?"info":"error",4e3);return}try{await B(e)}catch(s){n.value=!1;const a=s?.message||"Failed to establish session";r(a,"error",4e3);return}r("Passkey registered successfully!","success",800),setTimeout(()=>{n.value=!1,k()},800)}async function B(e){if(!e?.session_token)throw new Error("Registration response missing session_token");return await b("/auth/api/set-session",{method:"POST",headers:{Authorization:`Bearer ${e.session_token}`}})}function k(){const e=H.value||"/auth/";window.location.pathname!==e&&history.replaceState(null,"",e),window.location.reload()}function C(){const e=window.location.pathname.split("/").filter(Boolean);if(!e.length)return"";const s=e[e.length-1],a=e.slice(0,-1);return a.length>1||a.length===1&&a[0]!=="auth"||!s.includes(".")?"":s}return A(async()=>{if(l.value=C(),await R(),!l.value){const e="Reset link is missing or malformed.";y.value=e,r(e,"error",0),d.value=!1;return}await S(),d.value=!1}),(e,s)=>(c(),u("div",G,[o.show?(c(),u("div",J,[t("div",{class:M(["status",o.type])},f(o.message),3)])):N("",!0),t("main",O,[t("div",X,[t("header",Y,[s[1]||(s[1]=t("h1",null,"🔑 Registration",-1)),t("p",q,f(P.value),1)]),d.value?(c(),u("section",Q,[...s[2]||(s[2]=[t("div",{class:"section-body center"},[t("p",null,"Loading reset details…")],-1)])])):h.value?(c(),u("section",Z,[t("div",ee,[t("label",se,[s[3]||(s[3]=t("span",null,"👤 Name",-1)),$(t("input",{type:"text","onUpdate:modelValue":s[0]||(s[0]=a=>m.value=a),disabled:n.value,maxlength:"64",onKeyup:K(_,["enter"])},null,40,te),[[F,m.value]])]),t("button",{class:"btn-primary",disabled:n.value,onClick:_},f(n.value?"Registering…":"Register Passkey"),9,ae)])])):(c(),u("section",W,[t("div",{class:"section-body center"},[t("div",{class:"button-row center",style:{"justify-content":"center"}},[t("button",{class:"btn-secondary",onClick:k},"Return to sign-in")])])]))])])]))}},oe=z(ne,[["__scopeId","data-v-4830d223"]]);U(oe).mount("#app");j();

paskia/frontend-build/auth/assets/restricted-C9cJlHkd.js

@@ -0,0 +1 @@
+import{o as f,b as w,x as k,u as g,k as y,J as _,K as T}from"./_plugin-vue_export-helper-DJsHCwvl.js";import{a as i,g as v}from"./theme-C2WysaSw.js";import{R as A}from"./RestrictedAuth-DWKMTEV3.js";import"./pow-DUr-T9XX.js";function h(){return new URLSearchParams(location.hash.slice(1)).get("theme")||v()||""}i(h(),".surface");addEventListener("hashchange",()=>i(h(),".surface"));const R={__name:"RestrictedApi",setup(u){const n=y(null);function d(){const a=window.location.pathname.match(/\/auth\/([^/]+)$/);if(a){const r=a[1],c=r.split(".");if(c.length===5&&c.every(l=>l.length>0))return r}return null}const o=new URLSearchParams(window.location.hash.slice(1)),p=["reauth","forbidden"].includes(o.get("mode"))?o.get("mode"):"login";function t(e){window.parent&&window.parent!==window&&window.parent.postMessage(e,"*")}function m(e){t({type:"auth-success",authenticated:!0,sessionToken:e.session_token})}function s(){t({type:"auth-back"})}return f(()=>{n.value=d(),t({type:"auth-ready"}),window.addEventListener("keydown",e=>{e.key==="Escape"&&s()})}),(e,a)=>(w(),k(A,{mode:g(p),"remote-auth-token":n.value,onAuthenticated:m,onBack:s},null,8,["mode","remote-auth-token"]))}};_(R).mount("#app");T();

paskia/frontend-build/auth/assets/theme-C2WysaSw.js

@@ -0,0 +1 @@
+const l={light:{"color-canvas":"#ffffff","color-surface":"#eff6ff","color-surface-subtle":"#dbeafe","color-border":"#2563eb","color-border-strong":"#1e40af","color-heading":"#1e3a8a","color-text":"#1e293b","color-text-muted":"#475569","color-link":"#1d4ed8","color-link-hover":"#1e40af","color-accent":"#2563eb","color-accent-strong":"#1e40af","color-accent-contrast":"#ffffff","color-success-text":"#166534","color-success-bg":"#dcfce7","color-error-text":"#b91c1c","color-error-bg":"#fee2e2","color-info-text":"#1e40af","color-info-bg":"#dbeafe","color-danger":"#dc2626","shadow-soft":"0 10px 30px rgba(30, 64, 175, 0.15)"},dark:{"color-canvas":"#0f172a","color-surface":"#141b2f","color-surface-subtle":"#1b243b","color-border":"#25304a","color-border-strong":"#3d4d6b","color-heading":"#fff","color-text":"#e2e8f0","color-text-muted":"#94a3b8","color-link":"#60a5fa","color-link-hover":"#93c5fd","color-accent":"#60a5fa","color-accent-strong":"#3b82f6","color-accent-contrast":"#0b1120","color-success-text":"#34d399","color-success-bg":"#1a4d2e","color-error-text":"#fca5a5","color-error-bg":"#4a1f1f","color-info-text":"#bae6fd","color-info-bg":"#1e3a5f","color-danger":"#f87171","shadow-soft":"0 0 0 #000000"}},s="theme-override",a="theme-transition",n="paskia-theme";function f(o,c=":root",t=!1){if(t){let e=document.getElementById(a);e||(e=document.createElement("style"),e.id=a,e.textContent="*, *::before, *::after { transition: background-color 0.3s, color 0.3s, border-color 0.3s, box-shadow 0.3s !important; }",document.head.appendChild(e)),setTimeout(()=>document.getElementById(a)?.remove(),350)}if(document.getElementById(s)?.remove(),o&&l[o]){const e=`${c} { ${Object.entries(l[o]).map(([d,i])=>`--${d}: ${i}`).join("; ")}; }`,r=document.createElement("style");r.id=s,r.textContent=e,document.head.appendChild(r)}}function m(){return localStorage.getItem(n)||""}function b(o){o?localStorage.setItem(n,o):localStorage.removeItem(n)}function u(){f(m())}function g(o,c=!1){const t=o?.user?.theme||"";b(t),f(t,":root",c)}export{f as a,m as g,u as i,g as u};

paskia/frontend-build/auth/index.html

@@ -4,14 +4,15 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Auth Profile</title>
-    <script type="module" crossorigin src="/auth/assets/auth-DvHf8hgy.js"></script>
-    <link rel="modulepreload" crossorigin href="/auth/assets/_plugin-vue_export-helper-D2l53SUz.js">
+    <script type="module" crossorigin src="/auth/assets/auth-Pe-PKe8b.js"></script>
+    <link rel="modulepreload" crossorigin href="/auth/assets/_plugin-vue_export-helper-DJsHCwvl.js">
+    <link rel="modulepreload" crossorigin href="/auth/assets/theme-C2WysaSw.js">
     <link rel="modulepreload" crossorigin href="/auth/assets/helpers-DzjFIx78.js">
-    <link rel="modulepreload" crossorigin href="/auth/assets/AccessDenied-DAdzg_MJ.js">
-    <link rel="modulepreload" crossorigin href="/auth/assets/pow-2N9bxgAo.js">
-    <link rel="stylesheet" crossorigin href="/auth/assets/_plugin-vue_export-helper-DYJ24FZK.css">
-    <link rel="stylesheet" crossorigin href="/auth/assets/AccessDenied-C29NZI95.css">
-    <link rel="stylesheet" crossorigin href="/auth/assets/auth-BKq4T2K2.css">
+    <link rel="modulepreload" crossorigin href="/auth/assets/AccessDenied-Licr0tqA.js">
+    <link rel="modulepreload" crossorigin href="/auth/assets/pow-DUr-T9XX.js">
+    <link rel="stylesheet" crossorigin href="/auth/assets/_plugin-vue_export-helper-DUBf8-iM.css">
+    <link rel="stylesheet" crossorigin href="/auth/assets/AccessDenied-CVQZxSIL.css">
+    <link rel="stylesheet" crossorigin href="/auth/assets/auth-B4EpDxom.css">
   </head>
   <body>
     <div id="app"></div>

paskia/frontend-build/auth/restricted/index.html

@@ -3,12 +3,13 @@
   <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <script type="module" crossorigin src="/auth/assets/restricted-CW0drE_k.js"></script>
-    <link rel="modulepreload" crossorigin href="/auth/assets/_plugin-vue_export-helper-D2l53SUz.js">
-    <link rel="modulepreload" crossorigin href="/auth/assets/pow-2N9bxgAo.js">
-    <link rel="modulepreload" crossorigin href="/auth/assets/RestrictedAuth-BSusdAfp.js">
-    <link rel="stylesheet" crossorigin href="/auth/assets/_plugin-vue_export-helper-DYJ24FZK.css">
-    <link rel="stylesheet" crossorigin href="/auth/assets/RestrictedAuth-BOdNrlQB.css">
+    <script type="module" crossorigin src="/auth/assets/restricted-C9cJlHkd.js"></script>
+    <link rel="modulepreload" crossorigin href="/auth/assets/_plugin-vue_export-helper-DJsHCwvl.js">
+    <link rel="modulepreload" crossorigin href="/auth/assets/theme-C2WysaSw.js">
+    <link rel="modulepreload" crossorigin href="/auth/assets/pow-DUr-T9XX.js">
+    <link rel="modulepreload" crossorigin href="/auth/assets/RestrictedAuth-DWKMTEV3.js">
+    <link rel="stylesheet" crossorigin href="/auth/assets/_plugin-vue_export-helper-DUBf8-iM.css">
+    <link rel="stylesheet" crossorigin href="/auth/assets/RestrictedAuth-0MFeNWS2.css">
   </head>
   <body>
     <div id="app"></div>

paskia/frontend-build/int/forward/index.html

@@ -4,13 +4,13 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Access Restricted</title>
-    <script type="module" crossorigin src="/auth/assets/forward-C86Jm_Uq.js"></script>
-    <link rel="modulepreload" crossorigin href="/auth/assets/_plugin-vue_export-helper-D2l53SUz.js">
-    <link rel="modulepreload" crossorigin href="/auth/assets/pow-2N9bxgAo.js">
-    <link rel="modulepreload" crossorigin href="/auth/assets/RestrictedAuth-BSusdAfp.js">
+    <script type="module" crossorigin src="/auth/assets/forward-BC0p23CH.js"></script>
+    <link rel="modulepreload" crossorigin href="/auth/assets/_plugin-vue_export-helper-DJsHCwvl.js">
+    <link rel="modulepreload" crossorigin href="/auth/assets/pow-DUr-T9XX.js">
+    <link rel="modulepreload" crossorigin href="/auth/assets/RestrictedAuth-DWKMTEV3.js">
     <link rel="modulepreload" crossorigin href="/auth/assets/helpers-DzjFIx78.js">
-    <link rel="stylesheet" crossorigin href="/auth/assets/_plugin-vue_export-helper-DYJ24FZK.css">
-    <link rel="stylesheet" crossorigin href="/auth/assets/RestrictedAuth-BOdNrlQB.css">
+    <link rel="stylesheet" crossorigin href="/auth/assets/_plugin-vue_export-helper-DUBf8-iM.css">
+    <link rel="stylesheet" crossorigin href="/auth/assets/RestrictedAuth-0MFeNWS2.css">
   </head>
   <body>
     <div id="app"></div>

paskia/frontend-build/int/reset/index.html

@@ -4,9 +4,9 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Complete Passkey Setup</title>
-    <script type="module" crossorigin src="/auth/assets/reset-D71FG0VL.js"></script>
-    <link rel="modulepreload" crossorigin href="/auth/assets/_plugin-vue_export-helper-D2l53SUz.js">
-    <link rel="stylesheet" crossorigin href="/auth/assets/_plugin-vue_export-helper-DYJ24FZK.css">
+    <script type="module" crossorigin src="/auth/assets/reset-CkY9h28U.js"></script>
+    <link rel="modulepreload" crossorigin href="/auth/assets/_plugin-vue_export-helper-DJsHCwvl.js">
+    <link rel="stylesheet" crossorigin href="/auth/assets/_plugin-vue_export-helper-DUBf8-iM.css">
     <link rel="stylesheet" crossorigin href="/auth/assets/reset-B8PlNXuP.css">
   </head>
   <body>

paskia/util/apistructs.py

@@ -0,0 +1,110 @@
+"""API response utilities using msgspec for JSON serialization.
+
+msgspec handles UUID and datetime conversion automatically.
+API structs inherit from db structs with kw_only=True to add uuid/key fields.
+"""
+
+from datetime import UTC, datetime
+from uuid import UUID
+
+import msgspec
+
+from paskia.db.structs import Org, Permission, Role, User
+from paskia.util import useragent
+
+
+def _utc_datetime(dt: datetime | None) -> datetime | None:
+    """Convert datetime to UTC, handling both aware and naive datetimes."""
+    if dt is None:
+        return None
+    if dt.tzinfo:
+        return dt.astimezone(UTC)
+    return dt.replace(tzinfo=UTC)
+
+
+def format_datetime(dt: datetime | None) -> str | None:
+    """Format a datetime to ISO 8601 string with Z suffix for UTC."""
+    if dt is None:
+        return None
+    utc_dt = _utc_datetime(dt)
+    return utc_dt.isoformat().replace("+00:00", "Z") if utc_dt else None
+
+
+# -------------------------------------------------------------------------
+# API structs - inherit from db structs, add uuid for serialization
+# -------------------------------------------------------------------------
+
+
+class ApiUser(User, kw_only=True):
+    """User with uuid serialized."""
+
+    uuid: UUID
+
+    @classmethod
+    def from_db(cls, u: User) -> "ApiUser":
+        return cls(uuid=u.uuid, **msgspec.structs.asdict(u))
+
+
+class ApiOrg(Org, kw_only=True):
+    """Org with uuid serialized."""
+
+    uuid: UUID
+
+    @classmethod
+    def from_db(cls, o: Org) -> "ApiOrg":
+        return cls(uuid=o.uuid, **msgspec.structs.asdict(o))
+
+
+class ApiRole(Role, kw_only=True):
+    """Role with uuid serialized."""
+
+    uuid: UUID
+
+    @classmethod
+    def from_db(cls, r: Role) -> "ApiRole":
+        return cls(uuid=r.uuid, **msgspec.structs.asdict(r))
+
+
+class ApiPermission(Permission, kw_only=True):
+    """Permission with uuid serialized."""
+
+    uuid: UUID
+
+    @classmethod
+    def from_db(cls, p: Permission) -> "ApiPermission":
+        return cls(uuid=p.uuid, **msgspec.structs.asdict(p))
+
+
+class ApiSession(msgspec.Struct):
+    """Session for API responses with computed fields."""
+
+    id: str
+    credential_uuid: UUID = msgspec.field(name="credential")
+    host: str
+    ip: str
+    user_agent: str
+    last_renewed: datetime
+    is_current: bool = False
+    is_current_host: bool = False
+
+    @classmethod
+    def from_db(
+        cls,
+        s,  # Session
+        *,
+        current_key: str,
+        normalized_host: str | None,
+        expires_delta,  # timedelta
+    ) -> "ApiSession":
+        return cls(
+            id=s.key,
+            credential_uuid=s.credential_uuid,
+            host=s.host,
+            ip=s.ip,
+            user_agent=useragent.compact_user_agent(s.user_agent),
+            last_renewed=s.expiry - expires_delta,
+            is_current=s.key == current_key,
+            is_current_host=bool(
+                normalized_host and s.host and s.host == normalized_host
+            ),
+        )

paskia/util/frontend.py

@@ -0,0 +1,75 @@
+import asyncio
+import mimetypes
+import os
+from importlib import resources
+from pathlib import Path
+
+import httpx
+
+__all__ = ["path", "file", "read", "is_dev_mode"]
+
+
+def _get_dev_server() -> str | None:
+    """Get the dev server URL from environment, or None if not in dev mode."""
+    return os.environ.get("FASTAPI_VUE_FRONTEND_URL") or None
+
+
+def _resolve_static_dir() -> Path:
+    # Try packaged path via importlib.resources (works for wheel/installed).
+    try:  # pragma: no cover - trivial path resolution
+        pkg_dir = resources.files("paskia") / "frontend-build"
+        fs_path = Path(str(pkg_dir))
+        if fs_path.is_dir():
+            return fs_path
+    except Exception:  # pragma: no cover - defensive
+        pass
+    # Fallback for editable/development before build.
+    return Path(__file__).parent.parent / "frontend-build"
+
+
+path: Path = _resolve_static_dir()
+
+
+def file(*parts: str) -> Path:
+    """Return a child path under the static root."""
+    return path.joinpath(*parts)
+
+
+def is_dev_mode() -> bool:
+    """Check if we're running in dev mode (Vite frontend server)."""
+    return bool(_get_dev_server())
+
+
+async def read(filepath: str) -> tuple[bytes, int, dict[str, str]]:
+    """Read file content and return response tuple.
+
+    In dev mode, fetches from the Vite dev server.
+    In production, reads from the static build directory.
+
+    Args:
+        filepath: Path relative to frontend root, e.g. "/auth/index.html"
+
+    Returns:
+        Tuple of (content, status_code, headers) suitable for
+        FastAPI Response(*args) or Sanic raw response.
+    """
+    if is_dev_mode():
+        dev_server = _get_dev_server()
+        async with httpx.AsyncClient() as client:
+            resp = await client.get(f"{dev_server}{filepath}")
+            resp.raise_for_status()
+            mime = resp.headers.get("content-type", "application/octet-stream")
+            # Strip charset suffix if present
+            mime = mime.split(";")[0].strip()
+            return resp.content, resp.status_code, {"content-type": mime}
+    else:
+        # Production: read from static build
+        file_path = path / filepath.lstrip("/")
+        content = await _read_file_async(file_path)
+        mime, _ = mimetypes.guess_type(str(file_path))
+        return content, 200, {"content-type": mime or "application/octet-stream"}
+
+
+async def _read_file_async(file_path: Path) -> bytes:
+    """Read file asynchronously using asyncio.to_thread."""
+    return await asyncio.to_thread(file_path.read_bytes)

paskia/util/hostutil.py

@@ -0,0 +1,75 @@
+"""Utilities for determining the auth UI host and base URLs."""
+
+import json
+import os
+from functools import lru_cache
+from urllib.parse import urlparse, urlsplit
+
+
+@lru_cache(maxsize=1)
+def _load_config() -> dict:
+    """Load PASKIA_CONFIG JSON."""
+    config_json = os.getenv("PASKIA_CONFIG")
+    if not config_json:
+        return {}
+    return json.loads(config_json)
+
+
+def is_root_mode() -> bool:
+    return _load_config().get("auth_host") is not None
+
+
+def dedicated_auth_host() -> str | None:
+    """Return configured auth_host netloc, or None."""
+    auth_host = _load_config().get("auth_host")
+    if not auth_host:
+        return None
+
+    parsed = urlparse(auth_host if "://" in auth_host else f"//{auth_host}")
+    return parsed.netloc or parsed.path or None
+
+
+def ui_base_path() -> str:
+    return "/" if is_root_mode() else "/auth/"
+
+
+def auth_site_url() -> str:
+    """Return the base URL for the auth site UI (computed at startup)."""
+    cfg = _load_config()
+    return cfg.get("site_url", "https://localhost") + cfg.get("site_path", "/auth/")
+
+
+def reset_link_url(token: str) -> str:
+    """Generate a reset link URL for the given token."""
+    return f"{auth_site_url()}{token}"
+
+
+def normalize_origin(origin: str) -> str:
+    """Normalize an origin URL by adding https:// if no scheme is present."""
+    if "://" not in origin:
+        return f"https://{origin}"
+    return origin
+
+
+def reload_config() -> None:
+    _load_config.cache_clear()
+
+
+def normalize_host(raw_host: str | None) -> str | None:
+    """Normalize a Host header preserving port (exact match required)."""
+    if not raw_host:
+        return None
+    candidate = raw_host.strip()
+    if not candidate:
+        return None
+    # urlsplit to parse (add // for scheme-less); prefer netloc to retain port.
+    parsed = urlsplit(candidate if "//" in candidate else f"//{candidate}")
+    netloc = parsed.netloc or parsed.path or ""
+    # Strip IPv6 brackets around host part but retain port suffix.
+    if netloc.startswith("["):
+        # format: [ipv6]:port or [ipv6]
+        if "]" in netloc:
+            host_part, _, rest = netloc.partition("]")
+            port_part = rest.lstrip(":")
+            netloc = host_part.strip("[]") + (f":{port_part}" if port_part else "")
+    return netloc.lower() or None

paskia/util/htmlutil.py

@@ -0,0 +1,47 @@
+"""Utility functions for HTML manipulation."""
+
+import re
+
+
+def patch_html_data_attrs(html: bytes, **data_attrs: str) -> bytes:
+    """Patch HTML by adding data attributes to the <html> tag.
+
+    If an <html> tag exists, adds data attributes to it.
+    If no <html> tag exists, prepends one with the data attributes.
+
+    Args:
+        html: The HTML content as bytes
+        **data_attrs: Key-value pairs for data attributes (e.g., mode='reauth')
+
+    Returns:
+        Modified HTML as bytes
+
+    Examples:
+        >>> patch_html_data_attrs(b'<html><body>test</body></html>', mode='reauth')
+        b'<html data-mode="reauth"><body>test</body></html>'
+
+        >>> patch_html_data_attrs(b'<body>test</body>', mode='reauth')
+        b'<html data-mode="reauth"><body>test</body>'
+    """
+    if not data_attrs:
+        return html
+
+    html_str = html.decode("utf-8")
+
+    # Build the data attributes string
+    attrs_str = " ".join(f'data-{key}="{value}"' for key, value in data_attrs.items())
+
+    # Check if there's an <html> tag (case-insensitive, may have existing attributes)
+    html_tag_pattern = re.compile(r"<html([^>]*)>", re.IGNORECASE)
+    match = html_tag_pattern.search(html_str)
+
+    if match:
+        # Insert data attributes into existing <html> tag
+        existing_attrs = match.group(1)
+        new_tag = f"<html{existing_attrs} {attrs_str}>"
+        html_str = html_tag_pattern.sub(new_tag, html_str, count=1)
+    else:
+        # Prepend <html> tag with data attributes
+        html_str = f"<html {attrs_str}>" + html_str
+
+    return html_str.encode("utf-8")

paskia/util/passphrase.py

@@ -0,0 +1,20 @@
+import secrets
+
+from paskia.util.wordlist import words
+
+N_WORDS = 5
+N_WORDS_SHORT = 3
+
+wset = set(words)
+
+
+def generate(n=N_WORDS, sep="."):
+    """Generate a password of random words without repeating any word."""
+    wl = words.copy()
+    return sep.join(wl.pop(secrets.randbelow(len(wl))) for i in range(n))
+
+
+def is_well_formed(passphrase: str, n=N_WORDS, sep=".") -> bool:
+    """Check if the passphrase is well-formed according to the regex pattern."""
+    p = passphrase.split(sep)
+    return len(p) == n and all(w in wset for w in passphrase.split("."))

paskia/util/permutil.py

@@ -0,0 +1,43 @@
+"""Minimal permission helpers with '*' wildcard support (no DB expansion)."""
+
+from collections.abc import Sequence
+from fnmatch import fnmatchcase
+
+from paskia import db
+from paskia.util.hostutil import normalize_host
+
+__all__ = ["has_any", "has_all", "session_context"]
+
+
+def _match(perms: set[str], patterns: Sequence[str]):
+    return (
+        any(fnmatchcase(p, pat) for p in perms) if "*" in pat else pat in perms
+        for pat in patterns
+    )
+
+
+def _get_effective_scopes(ctx) -> set[str]:
+    """Get effective permission scopes from context.
+
+    Returns scopes from ctx.permissions (filtered by org) if available,
+    otherwise falls back to ctx.role.permissions for backwards compatibility.
+    """
+    if ctx.permissions:
+        return {p.scope for p in ctx.permissions}
+    # Fallback for contexts without effective permissions computed
+    return set(ctx.role.permissions or [])
+
+
+def has_any(ctx, patterns: Sequence[str]) -> bool:
+    return any(_match(_get_effective_scopes(ctx), patterns)) if ctx else False
+
+
+def has_all(ctx, patterns: Sequence[str]) -> bool:
+    return all(_match(_get_effective_scopes(ctx), patterns)) if ctx else False
+
+
+async def session_context(auth: str | None, host: str | None = None):
+    if not auth:
+        return None
+    normalized_host = normalize_host(host) if host else None
+    return db.data().session_ctx(auth, normalized_host)

paskia/util/pow.py

@@ -0,0 +1,45 @@
+"""
+Proof of Work utility using PBKDF2-SHA512.
+
+The PoW requires finding nonces where PBKDF2(challenge, nonce) produces
+output with a zero first byte. Each work unit requires finding one such nonce.
+All valid nonces are concatenated into a solution for server verification.
+"""
+
+import hashlib
+import secrets
+
+EASY = 2  # Around 0.25s
+NORMAL = 8  # Around 1s
+HARD = 32  # Around 4s
+
+
+def generate_challenge() -> bytes:
+    """Generate a random 8-byte challenge."""
+    return secrets.token_bytes(8)
+
+
+def verify_pow(challenge: bytes, solution: bytes, work: int = NORMAL) -> None:
+    """Verify a Proof of Work solution.
+
+    Args:
+        challenge: 8-byte server-provided challenge
+        solution: Concatenated 8-byte nonces (8 * work bytes)
+        work: Number of work units expected
+
+    Raises:
+        ValueError: If the solution is invalid
+    """
+    if len(challenge) != 8:
+        raise ValueError("Invalid challenge length")
+
+    if len(solution) != 8 * work:
+        raise ValueError("Invalid solution length")
+
+    # Verify each work unit - check that PBKDF2 output starts with 0x00
+    for i in range(work):
+        nonce = solution[i * 8 : (i + 1) * 8]
+        # Require first byte of PBKDF2-SHA512 to be zero
+        result = hashlib.pbkdf2_hmac("sha512", challenge, nonce, 128, 2)
+        if result[0] or result[1] & 0x07:
+            raise ValueError("Invalid PoW solution")

paskia/util/querysafe.py

@@ -0,0 +1,11 @@
+import re
+
+_SAFE_RE = re.compile(r"^[A-Za-z0-9:._~-]+$")
+
+
+def assert_safe(value: str, *, field: str = "value") -> None:
+    if not isinstance(value, str) or not value or not _SAFE_RE.match(value):
+        raise ValueError(f"{field} must match ^[A-Za-z0-9:._~-]+$")
+
+
+__all__ = ["assert_safe"]