refactor: identity -> iam

modules/iam/routes/access/check-resource/handle.ts

@@ -0,0 +1,6 @@
+import { cerbos } from "../../../cerbos/client.ts";
+import route from "./spec.ts";
+
+export default route.access("session").handle(async ({ body: { resource, actions } }, { principal }) => {
+  return cerbos.checkResource({ principal, resource, actions });
+});

modules/iam/routes/access/check-resource/spec.ts

@@ -0,0 +1,16 @@
+import { route } from "@platform/relay";
+import z from "zod";
+
+export default route
+  .post("/api/v1/identity/access/check-resource")
+  .body(
+    z.strictObject({
+      resource: z.strictObject({
+        kind: z.string(),
+        id: z.string(),
+        attr: z.record(z.string(), z.any()),
+      }),
+      actions: z.array(z.string()),
+    }),
+  )
+  .response(z.any());

modules/iam/routes/access/check-resources/handle.ts

@@ -0,0 +1,6 @@
+import { cerbos } from "../../../cerbos/client.ts";
+import route from "./spec.ts";
+
+export default route.access("session").handle(async ({ body: resources }, { principal }) => {
+  return cerbos.checkResources({ principal, resources });
+});

modules/iam/routes/access/check-resources/spec.ts

@@ -0,0 +1,18 @@
+import { route } from "@platform/relay";
+import z from "zod";
+
+export default route
+  .post("/api/v1/identity/access/check-resources")
+  .body(
+    z.array(
+      z.strictObject({
+        resource: z.strictObject({
+          kind: z.string(),
+          id: z.string(),
+          attr: z.record(z.string(), z.any()),
+        }),
+        actions: z.array(z.string()),
+      }),
+    ),
+  )
+  .response(z.any());

modules/iam/routes/access/is-allowed/handle.ts

@@ -0,0 +1,6 @@
+import { cerbos } from "../../../cerbos/client.ts";
+import route from "./spec.ts";
+
+export default route.access("session").handle(async ({ body: { resource, action } }, { principal }) => {
+  return cerbos.isAllowed({ principal, resource, action });
+});

modules/iam/routes/access/is-allowed/spec.ts

@@ -0,0 +1,16 @@
+import { route } from "@platform/relay";
+import z from "zod";
+
+export default route
+  .post("/api/v1/identity/access/is-allowed")
+  .body(
+    z.strictObject({
+      resource: z.strictObject({
+        kind: z.string(),
+        id: z.string(),
+        attr: z.record(z.string(), z.any()),
+      }),
+      action: z.string(),
+    }),
+  )
+  .response(z.boolean());

modules/iam/routes/identities/get/handle.ts

@@ -0,0 +1,16 @@
+import { ForbiddenError, NotFoundError } from "@platform/relay";
+
+import { getPrincipalById } from "../../../services/database.ts";
+import route from "./spec.ts";
+
+export default route.access("session").handle(async ({ params: { id } }, { access }) => {
+  const principal = await getPrincipalById(id);
+  if (principal === undefined) {
+    return new NotFoundError("Identity does not exist, or has been removed.");
+  }
+  const decision = await access.isAllowed({ kind: "identity", id, attr: {} }, "read");
+  if (decision === false) {
+    return new ForbiddenError("You do not have permission to view this identity.");
+  }
+  return principal;
+});

modules/iam/routes/identities/get/spec.ts

@@ -0,0 +1,10 @@
+import { ForbiddenError, NotFoundError, route, UnauthorizedError } from "@platform/relay";
+import z from "zod";
+
+export default route
+  .get("/api/v1/identity/:id")
+  .params({
+    id: z.string(),
+  })
+  .errors([UnauthorizedError, ForbiddenError, NotFoundError])
+  .response(z.any());

modules/iam/routes/identities/update/handle.ts

@@ -0,0 +1,43 @@
+import { ForbiddenError, NotFoundError } from "@platform/relay";
+
+import { getPrincipalById, setPrincipalAttributesById } from "../../../services/database.ts";
+import route from "./spec.ts";
+
+export default route.access("session").handle(async ({ params: { id }, body: ops }, { access }) => {
+  const principal = await getPrincipalById(id);
+  if (principal === undefined) {
+    return new NotFoundError();
+  }
+  const decision = await access.isAllowed({ kind: "identity", id: principal.id, attr: principal.attr }, "update");
+  if (decision === false) {
+    return new ForbiddenError("You do not have permission to update this identity.");
+  }
+  const attr = principal.attr;
+  for (const op of ops) {
+    switch (op.type) {
+      case "add": {
+        attr[op.key] = op.value;
+        break;
+      }
+      case "push": {
+        if (attr[op.key] === undefined) {
+          attr[op.key] = op.values;
+        } else {
+          attr[op.key] = [...attr[op.key], ...op.values];
+        }
+        break;
+      }
+      case "pop": {
+        if (Array.isArray(attr[op.key])) {
+          attr[op.key] = attr[op.key].filter((value: any) => op.values.includes(value) === false);
+        }
+        break;
+      }
+      case "remove": {
+        delete attr[op.key];
+        break;
+      }
+    }
+  }
+  await setPrincipalAttributesById(id, attr);
+});

modules/iam/routes/identities/update/spec.ts

@@ -0,0 +1,29 @@
+import { ForbiddenError, NotFoundError, route, UnauthorizedError } from "@platform/relay";
+import z from "zod";
+
+export default route
+  .put("/api/v1/identity/:id")
+  .params({
+    id: z.string(),
+  })
+  .body(
+    z.array(
+      z.union([
+        z.strictObject({
+          type: z.union([z.literal("add")]),
+          key: z.string(),
+          value: z.any(),
+        }),
+        z.strictObject({
+          type: z.union([z.literal("push"), z.literal("pop")]),
+          key: z.string(),
+          values: z.array(z.any()),
+        }),
+        z.strictObject({
+          type: z.union([z.literal("remove")]),
+          key: z.string(),
+        }),
+      ]),
+    ),
+  )
+  .errors([UnauthorizedError, ForbiddenError, NotFoundError]);

modules/iam/routes/login/code/handle.ts

@@ -0,0 +1,16 @@
+import { NotFoundError } from "@platform/relay";
+
+import { auth } from "../../../services/auth.ts";
+import { logger } from "../../../services/logger.ts";
+import route from "./spec.ts";
+
+export default route.access("public").handle(async ({ body: { email, otp } }) => {
+  const response = await auth.api.signInEmailOTP({ body: { email, otp }, asResponse: true, returnHeaders: true });
+  if (response.status !== 200) {
+    logger.error("OTP Signin Failed", await response.json());
+    return new NotFoundError();
+  }
+  return new Response(null, {
+    headers: response.headers,
+  });
+});

modules/iam/routes/login/code/spec.ts

@@ -0,0 +1,14 @@
+import { route } from "@platform/relay";
+import z from "zod";
+
+export default route
+  .post("/api/v1/identity/login/code")
+  .body(
+    z.strictObject({
+      email: z.string(),
+      otp: z.string(),
+    }),
+  )
+  .query({
+    next: z.string().optional(),
+  });

modules/iam/routes/login/email/handle.ts

@@ -0,0 +1,14 @@
+import { auth } from "../../../services/auth.ts";
+import { logger } from "../../../services/logger.ts";
+import route from "./spec.ts";
+
+export default route.access("public").handle(async ({ body: { email } }) => {
+  const response = await auth.api.sendVerificationOTP({ body: { email, type: "sign-in" } });
+  if (response.success === false) {
+    logger.info({
+      type: "auth:passwordless",
+      message: "OTP Email verification failed.",
+      received: email,
+    });
+  }
+});

modules/iam/routes/login/email/spec.ts

@@ -0,0 +1,8 @@
+import { route } from "@platform/relay";
+import z from "zod";
+
+export default route.post("/api/v1/identity/login/email").body(
+  z.object({
+    email: z.email(),
+  }),
+);

modules/iam/routes/login/password/handle.ts

@@ -0,0 +1,36 @@
+import { logger } from "@platform/logger";
+import { BadRequestError } from "@platform/relay";
+import cookie from "cookie";
+
+import { auth } from "../../../auth.ts";
+import { config } from "../../../config.ts";
+import { password } from "../../../crypto/password.ts";
+import { getPasswordStrategyByAlias } from "../../../database.ts";
+import route from "./spec.ts";
+
+export default route.access("public").handle(async ({ body: { alias, password: userPassword } }) => {
+  const strategy = await getPasswordStrategyByAlias(alias);
+  if (strategy === undefined) {
+    return logger.info({
+      type: "auth:password",
+      message: "Failed to get account with 'password' strategy.",
+      alias,
+    });
+  }
+
+  const isValidPassword = await password.verify(userPassword, strategy.password);
+  if (isValidPassword === false) {
+    return new BadRequestError("Invalid email/password provided.");
+  }
+
+  return new Response(null, {
+    status: 204,
+    headers: {
+      "set-cookie": cookie.serialize(
+        "token",
+        await auth.generate({ id: strategy.accountId }, "1 week"),
+        config.cookie(1000 * 60 * 60 * 24 * 7),
+      ),
+    },
+  });
+});

modules/iam/routes/login/password/spec.ts

@@ -0,0 +1,9 @@
+import { route } from "@platform/relay";
+import z from "zod";
+
+export default route.post("/api/v1/identities/login/password").body(
+  z.object({
+    alias: z.string(),
+    password: z.string(),
+  }),
+);

modules/iam/routes/login/sudo/handle.ts

@@ -0,0 +1,39 @@
+import route from "./spec.ts";
+
+export default route.access("public").handle(async () => {
+  // const code = await Passwordless.createCode({ tenantId: "public", email });
+  // if (code.status !== "OK") {
+  //   return logger.info({
+  //     type: "auth:passwordless",
+  //     message: "Create code failed.",
+  //     received: email,
+  //   });
+  // }
+  // logger.info({
+  //   type: "auth:passwordless",
+  //   data: {
+  //     deviceId: code.deviceId,
+  //     preAuthSessionId: code.preAuthSessionId,
+  //     userInputCode: code.userInputCode,
+  //   },
+  // });
+  // const response = await Passwordless.consumeCode({
+  //   tenantId: "public",
+  //   preAuthSessionId: code.preAuthSessionId,
+  //   deviceId: code.deviceId,
+  //   userInputCode: code.userInputCode,
+  // });
+  // if (response.status !== "OK") {
+  //   return new NotFoundError();
+  // }
+  // logger.info({
+  //   type: "code:claimed",
+  //   session: true,
+  //   message: "Identity resolved",
+  //   user: response.user.toJson(),
+  // });
+  // return new Response(null, {
+  //   status: 200,
+  //   headers: await getSessionHeaders("public", response.recipeUserId),
+  // });
+});

modules/iam/routes/login/sudo/spec.ts

@@ -0,0 +1,8 @@
+import { route } from "@platform/relay";
+import z from "zod";
+
+export default route.post("/api/v1/identities/login/sudo").body(
+  z.object({
+    email: z.email(),
+  }),
+);

modules/iam/routes/me/handle.ts

@@ -0,0 +1,5 @@
+import route from "./spec.ts";
+
+export default route.access("session").handle(async ({ principal }) => {
+  return principal;
+});

modules/iam/routes/me/spec.ts

@@ -0,0 +1,4 @@
+import { NotFoundError, route, UnauthorizedError } from "@platform/relay";
+import z from "zod";
+
+export default route.get("/api/v1/identity/me").errors([UnauthorizedError, NotFoundError]).response(z.any());

modules/iam/routes/roles/handle.ts

@@ -0,0 +1,33 @@
+import { ForbiddenError, NotFoundError } from "@platform/relay";
+
+import { getPrincipalById, setPrincipalRolesById } from "../../services/database.ts";
+import route from "./spec.ts";
+
+export default route.access("session").handle(async ({ params: { id }, body: ops }, { access }) => {
+  const principal = await getPrincipalById(id);
+  if (principal === undefined) {
+    return new NotFoundError();
+  }
+  const decision = await access.isAllowed({ kind: "role", id: principal.id, attr: principal.attr }, "manage");
+  if (decision === false) {
+    return new ForbiddenError("You do not have permission to modify roles for this identity.");
+  }
+  const roles: Set<string> = new Set(principal.roles);
+  for (const op of ops) {
+    switch (op.type) {
+      case "add": {
+        for (const role of op.roles) {
+          roles.add(role);
+        }
+        break;
+      }
+      case "remove": {
+        for (const role of op.roles) {
+          roles.delete(role);
+        }
+        break;
+      }
+    }
+  }
+  await setPrincipalRolesById(id, Array.from(roles));
+});

modules/iam/routes/roles/spec.ts

@@ -0,0 +1,19 @@
+import { ForbiddenError, NotFoundError, route, UnauthorizedError } from "@platform/relay";
+import z from "zod";
+
+export default route
+  .put("/api/v1/identity/:id/roles")
+  .params({
+    id: z.string(),
+  })
+  .body(
+    z.array(
+      z.union([
+        z.strictObject({
+          type: z.union([z.literal("add"), z.literal("remove")]),
+          roles: z.array(z.any()),
+        }),
+      ]),
+    ),
+  )
+  .errors([UnauthorizedError, ForbiddenError, NotFoundError]);

modules/iam/routes/session/resolve/handle.ts

@@ -0,0 +1,17 @@
+import { NotFoundError } from "@platform/relay";
+
+import { config } from "../../../config.ts";
+import { getPrincipalByUserId } from "../../../services/database.ts";
+import { getSessionByRequestHeader } from "../../../services/session.ts";
+import route from "./spec.ts";
+
+export default route.access(["internal:public", config.internal.privateKey]).handle(async ({ request }) => {
+  const session = await getSessionByRequestHeader(request.headers);
+  if (session === undefined) {
+    return new NotFoundError();
+  }
+  return {
+    session,
+    principal: await getPrincipalByUserId(session.userId),
+  };
+});

modules/iam/routes/session/resolve/spec.ts

@@ -0,0 +1,12 @@
+import { route } from "@platform/relay";
+import z from "zod";
+
+import { PrincipalSchema } from "../../../models/principal.ts";
+import { SessionSchema } from "../../../models/session.ts";
+
+export default route.get("/api/v1/identity/session").response(
+  z.object({
+    session: SessionSchema,
+    principal: PrincipalSchema,
+  }),
+);