CaZzzer/vpgen
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: CaZzzer:develop
Branches Tags
CaZzzer:develop
CaZzzer:feature/wg-quick
CaZzzer:feature/invite
CaZzzer:feature/auth
CaZzzer:feature/auth-1
CaZzzer:feature/ci
CaZzzer:feature/api
CaZzzer:feature/provider-interface-1
CaZzzer:feature/provider-interface
CaZzzer:feature/logging
CaZzzer:feature/qrcode
CaZzzer:feature/trailing-slashes
CaZzzer:feature/opnsense
CaZzzer:master
..
compare: CaZzzer:feature/logging
Branches Tags
CaZzzer:feature/wg-quick
CaZzzer:develop
CaZzzer:feature/invite
CaZzzer:feature/auth
CaZzzer:feature/auth-1
CaZzzer:feature/ci
CaZzzer:feature/api
CaZzzer:feature/provider-interface-1
CaZzzer:feature/provider-interface
CaZzzer:feature/logging
CaZzzer:feature/qrcode
CaZzzer:feature/trailing-slashes
CaZzzer:feature/opnsense
CaZzzer:master

1 Commits
develop ... feature/lo

Author SHA1 Message Date
Yuri Tatishchev
b38ab19c3e
WIP: more proper logging 2025-01-09 15:01:03 -08:00
76 changed files with 625 additions and 2820 deletions
Show Stats Expand all files Collapse all files

10
.editorconfig
View File

@ -1,10 +0,0 @@
[*]
charset = utf-8
insert_final_newline = true
end_of_line = lf
indent_style = tab
indent_size = 2
max_line_length = 100
quote_type = single
trim_trailing_whitespace = true

16
.env.example
View File

@ -1,17 +1,7 @@
DATABASE_URL=file:local.db
PUBLIC_AUTH_AUTHENTIK_ENABLE=1
AUTH_AUTHENTIK_REQUIRE_INVITE=0
AUTH_AUTHENTIK_DOMAIN=auth.lab.cazzzer.com
AUTH_AUTHENTIK_CLIENT_ID=
AUTH_AUTHENTIK_CLIENT_SECRET=
PUBLIC_AUTH_GOOGLE_ENABLE=1
AUTH_GOOGLE_REQUIRE_INVITE=1
AUTH_GOOGLE_CLIENT_ID=
AUTH_GOOGLE_CLIENT_SECRET=
AUTH_INVITE_TOKEN=GUjdsz9aREFTEBYDrA3AajUE8oVys2xW
AUTH_DOMAIN=auth.lab.cazzzer.com
AUTH_CLIENT_ID=
AUTH_CLIENT_SECRET=
OPNSENSE_API_URL=https://opnsense.cazzzer.com
OPNSENSE_API_KEY=

6
.idea/bun.xml generated
View File

@ -1,6 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="BunSettings">
<option name="bunPath" value="bun" />
</component>
</project>

2
.idea/modules.xml generated
View File

@ -2,7 +2,7 @@
<project version="4">
<component name="ProjectModuleManager">
<modules>
<module fileurl="file://$PROJECT_DIR$/.idea/vpgen.iml" filepath="$PROJECT_DIR$/.idea/vpgen.iml" />
<module fileurl="file://$PROJECT_DIR$/.idea/vpgen-sv5.iml" filepath="$PROJECT_DIR$/.idea/vpgen-sv5.iml" />
</modules>
</component>
</project>

0
.idea/vpgen.iml → .idea/vpgen-sv5.iml generated
View File

1
.npmrc
View File

@ -1,2 +1 @@
engine-strict=true
@jsr:registry=https://npm.jsr.io

15
.woodpecker/build-image.yml
View File

@ -1,15 +0,0 @@
when:
- event: [push]
steps:
- name: build
image: woodpeckerci/plugin-kaniko
settings:
registry: gitea.cazzzer.com
repo: ${CI_REPO,,}
# replace '/' in branch name
tags: ${CI_COMMIT_BRANCH/\//-}
cache: true
username:
from_secret: registry-username
password:
from_secret: registry-password

7
.zed/settings.json
View File

@ -1,7 +0,0 @@
// Folder-specific settings
//
// For a full list of overridable settings, and general information on folder-specific settings,
// see the documentation: https://zed.dev/docs/configuring-zed#settings-files
{
"formatter": "prettier"
}

8
Dockerfile
View File

@ -2,19 +2,19 @@
# see all versions at https://hub.docker.com/r/oven/bun/tags
FROM oven/bun:1-alpine AS base
WORKDIR /app
COPY package.json bun.lock /app/
COPY package.json bun.lockb /app/
# install dependencies into temp directory
# this will cache them and speed up future builds
FROM base AS install
RUN mkdir -p /temp/dev
COPY package.json bun.lock /temp/dev/
COPY package.json bun.lockb /temp/dev/
RUN cd /temp/dev && bun install --frozen-lockfile
# install with --production (exclude devDependencies)
RUN mkdir -p /temp/prod
COPY package.json bun.lock /temp/prod/
RUN cd /temp/prod && bun install --frozen-lockfile --production --ignore-scripts
COPY package.json bun.lockb /temp/prod/
RUN cd /temp/prod && bun install --frozen-lockfile --production
# copy node_modules from temp directory
# then copy all (non-ignored) project files into the image

57
README.md
View File

@ -1,29 +1,40 @@
# VPGen
# sv
One-click WireGuard config generator, work in progress.
Everything you need to build a Svelte project, powered by [`sv`](https://github.com/sveltejs/cli).
## Why?
## Creating a project
Make it easier to share VPN access with friends/family,
making use of existing networking infrastructure.
If you're seeing this, you've probably already done this step. Congrats!
## How?
```bash
# create a new project in the current directory
npx sv create
Currently, the supported backend is [OPNsense](https://opnsense.org/).
VPGen just creates WireGuard clients on the configured interface via the OPNsense API.
Future plans include supporting other API backends (e.g. [Netmaker](https://github.com/gravitl/netmaker))
and [wg-quick](https://www.wireguard.com/quickstart/) for standalone setups.
## Development
Development uses bun.
An additional prepare step is needed to set up typia for type validation.
For example .env settings, see [.env.example](.env.example)
```shell
bun install
bun run prepare
bun run dev
# create a new project in my-app
npx sv create my-app
```
## Developing
Once you've created a project and installed dependencies with `npm install` (or `pnpm install` or `yarn`), start a development server:
```bash
npm run dev
# or start the server and open the app in a new browser tab
npm run dev -- --open
```
## Building
To create a production version of your app:
```bash
npm run build
```
You can preview the production build with `npm run preview`.
> To deploy your app, you may need to install an [adapter](https://svelte.dev/docs/kit/adapters) for your target environment.
When deploying, set `ORIGIN` to the URL of your site to prevent cross-site request errors.

25
bruno/opnsense-api/Delete Client.bru
View File

@ -1,25 +0,0 @@
meta {
name: Delete Client
type: http
seq: 11
}
post {
url: {{base}}/api/wireguard/client/delClient/:clientUuid
body: none
auth: inherit
}
params:path {
clientUuid: d484d381-4d6f-4444-8e9d-9cda7b5b2243
}
body:json {
{
"current": 1,
"rowCount": 7,
"sort": {},
"servers": ["{{serverUuid}}"],
"searchPhrase": "{{searchPhrase}}"
}
}

1216
bun.lock
View File

File diff suppressed because it is too large Load Diff

BIN
bun.lockb Executable file
View File

Binary file not shown.

1
bunfig.toml Normal file
View File

@ -0,0 +1 @@
logLevel = "info"

1
drizzle/0001_equal_unicorn.sql
View File

@ -1 +0,0 @@
ALTER TABLE `users` ADD `auth_source` text DEFAULT 'authentik' NOT NULL;

1
drizzle/0002_minor_black_panther.sql
View File

@ -1 +0,0 @@
ALTER TABLE `devices` DROP COLUMN `opnsense_id`;

229
drizzle/meta/0001_snapshot.json
View File

@ -1,229 +0,0 @@
{
"version": "6",
"dialect": "sqlite",
"id": "cc1fa973-1e9c-4bd6-b082-d7cf36f7342c",
"prevId": "48b7ce55-58f1-4b97-a144-ca733576dba6",
"tables": {
"devices": {
"name": "devices",
"columns": {
"id": {
"name": "id",
"type": "integer",
"primaryKey": true,
"notNull": true,
"autoincrement": true
},
"user_id": {
"name": "user_id",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"name": {
"name": "name",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"opnsense_id": {
"name": "opnsense_id",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"public_key": {
"name": "public_key",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"private_key": {
"name": "private_key",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"pre_shared_key": {
"name": "pre_shared_key",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"devices_public_key_unique": {
"name": "devices_public_key_unique",
"columns": [
"public_key"
],
"isUnique": true
}
},
"foreignKeys": {
"devices_user_id_users_id_fk": {
"name": "devices_user_id_users_id_fk",
"tableFrom": "devices",
"tableTo": "users",
"columnsFrom": [
"user_id"
],
"columnsTo": [
"id"
],
"onDelete": "no action",
"onUpdate": "no action"
}
},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"ip_allocations": {
"name": "ip_allocations",
"columns": {
"id": {
"name": "id",
"type": "integer",
"primaryKey": true,
"notNull": true,
"autoincrement": true
},
"device_id": {
"name": "device_id",
"type": "integer",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"ip_allocations_device_id_unique": {
"name": "ip_allocations_device_id_unique",
"columns": [
"device_id"
],
"isUnique": true
}
},
"foreignKeys": {
"ip_allocations_device_id_devices_id_fk": {
"name": "ip_allocations_device_id_devices_id_fk",
"tableFrom": "ip_allocations",
"tableTo": "devices",
"columnsFrom": [
"device_id"
],
"columnsTo": [
"id"
],
"onDelete": "set null",
"onUpdate": "no action"
}
},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"sessions": {
"name": "sessions",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"user_id": {
"name": "user_id",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"expires_at": {
"name": "expires_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
}
},
"indexes": {},
"foreignKeys": {
"sessions_user_id_users_id_fk": {
"name": "sessions_user_id_users_id_fk",
"tableFrom": "sessions",
"tableTo": "users",
"columnsFrom": [
"user_id"
],
"columnsTo": [
"id"
],
"onDelete": "no action",
"onUpdate": "no action"
}
},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"users": {
"name": "users",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"auth_source": {
"name": "auth_source",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false,
"default": "'authentik'"
},
"username": {
"name": "username",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"name": {
"name": "name",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
}
},
"indexes": {},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
}
},
"views": {},
"enums": {},
"_meta": {
"schemas": {},
"tables": {},
"columns": {}
},
"internal": {
"indexes": {}
}
}

222
drizzle/meta/0002_snapshot.json
View File

@ -1,222 +0,0 @@
{
"version": "6",
"dialect": "sqlite",
"id": "0b364191-58d0-46a3-8372-4a30b0b88d85",
"prevId": "cc1fa973-1e9c-4bd6-b082-d7cf36f7342c",
"tables": {
"devices": {
"name": "devices",
"columns": {
"id": {
"name": "id",
"type": "integer",
"primaryKey": true,
"notNull": true,
"autoincrement": true
},
"user_id": {
"name": "user_id",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"name": {
"name": "name",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"public_key": {
"name": "public_key",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"private_key": {
"name": "private_key",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
},
"pre_shared_key": {
"name": "pre_shared_key",
"type": "text",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"devices_public_key_unique": {
"name": "devices_public_key_unique",
"columns": [
"public_key"
],
"isUnique": true
}
},
"foreignKeys": {
"devices_user_id_users_id_fk": {
"name": "devices_user_id_users_id_fk",
"tableFrom": "devices",
"tableTo": "users",
"columnsFrom": [
"user_id"
],
"columnsTo": [
"id"
],
"onDelete": "no action",
"onUpdate": "no action"
}
},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"ip_allocations": {
"name": "ip_allocations",
"columns": {
"id": {
"name": "id",
"type": "integer",
"primaryKey": true,
"notNull": true,
"autoincrement": true
},
"device_id": {
"name": "device_id",
"type": "integer",
"primaryKey": false,
"notNull": false,
"autoincrement": false
}
},
"indexes": {
"ip_allocations_device_id_unique": {
"name": "ip_allocations_device_id_unique",
"columns": [
"device_id"
],
"isUnique": true
}
},
"foreignKeys": {
"ip_allocations_device_id_devices_id_fk": {
"name": "ip_allocations_device_id_devices_id_fk",
"tableFrom": "ip_allocations",
"tableTo": "devices",
"columnsFrom": [
"device_id"
],
"columnsTo": [
"id"
],
"onDelete": "set null",
"onUpdate": "no action"
}
},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"sessions": {
"name": "sessions",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"user_id": {
"name": "user_id",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"expires_at": {
"name": "expires_at",
"type": "integer",
"primaryKey": false,
"notNull": true,
"autoincrement": false
}
},
"indexes": {},
"foreignKeys": {
"sessions_user_id_users_id_fk": {
"name": "sessions_user_id_users_id_fk",
"tableFrom": "sessions",
"tableTo": "users",
"columnsFrom": [
"user_id"
],
"columnsTo": [
"id"
],
"onDelete": "no action",
"onUpdate": "no action"
}
},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
},
"users": {
"name": "users",
"columns": {
"id": {
"name": "id",
"type": "text",
"primaryKey": true,
"notNull": true,
"autoincrement": false
},
"auth_source": {
"name": "auth_source",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false,
"default": "'authentik'"
},
"username": {
"name": "username",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
},
"name": {
"name": "name",
"type": "text",
"primaryKey": false,
"notNull": true,
"autoincrement": false
}
},
"indexes": {},
"foreignKeys": {},
"compositePrimaryKeys": {},
"uniqueConstraints": {},
"checkConstraints": {}
}
},
"views": {},
"enums": {},
"_meta": {
"schemas": {},
"tables": {},
"columns": {}
},
"internal": {
"indexes": {}
}
}

14
drizzle/meta/_journal.json
View File

@ -8,20 +8,6 @@
"when": 1736295566569,
"tag": "0000_fair_tarantula",
"breakpoints": true
},
{
"idx": 1,
"version": "6",
"when": 1741936760967,
"tag": "0001_equal_unicorn",
"breakpoints": true
},
{
"idx": 2,
"version": "6",
"when": 1743389268079,
"tag": "0002_minor_black_panther",
"breakpoints": true
}
]
}

53
package.json
View File

@ -1,7 +1,6 @@
{
"name": "vpgen",
"name": "vpgen-sv5",
"version": "0.0.1",
"license": "AGPL-3.0-or-later",
"type": "module",
"scripts": {
"dev": "vite dev",
@ -15,52 +14,48 @@
"db:generate": "drizzle-kit generate",
"db:migrate": "drizzle-kit migrate",
"db:studio": "drizzle-kit studio",
"db:seed": "bun run ./src/lib/server/db/seed.ts",
"prepare": "ts-patch install"
"db:seed": "bun run ./src/lib/server/db/seed.ts"
},
"devDependencies": {
"@lucide/svelte": "^0.487.0",
"@oslojs/crypto": "^1.0.1",
"@oslojs/encoding": "^1.1.0",
"@ryoppippi/unplugin-typia": "npm:@jsr/ryoppippi__unplugin-typia",
"@sveltejs/adapter-auto": "^3.3.1",
"@sveltejs/adapter-node": "^5.2.12",
"@sveltejs/kit": "^2.20.7",
"@sveltejs/adapter-node": "^5.2.11",
"@sveltejs/kit": "^2.15.0",
"@sveltejs/vite-plugin-svelte": "^5.0.3",
"@tailwindcss/container-queries": "^0.1.1",
"@tailwindcss/forms": "^0.5.10",
"@tailwindcss/typography": "^0.5.16",
"@types/better-sqlite3": "^7.6.13",
"@tailwindcss/forms": "^0.5.9",
"@tailwindcss/typography": "^0.5.15",
"@types/better-sqlite3": "^7.6.12",
"@types/eslint": "^9.6.1",
"@types/qrcode-svg": "^1.1.5",
"arctic": "^2.3.4",
"autoprefixer": "^10.4.21",
"bits-ui": "^1.3.19",
"arctic": "^2.3.3",
"autoprefixer": "^10.4.20",
"bits-ui": "^0.22.0",
"clsx": "^2.1.1",
"eslint": "^9.25.1",
"eslint": "^9.17.0",
"eslint-config-prettier": "^9.1.0",
"eslint-plugin-svelte": "^2.46.1",
"globals": "^15.15.0",
"globals": "^15.14.0",
"ip-address": "^10.0.1",
"prettier": "^3.5.3",
"prettier-plugin-svelte": "^3.3.3",
"prettier-plugin-tailwindcss": "^0.6.11",
"lucide-svelte": "^0.469.0",
"prettier": "^3.4.2",
"prettier-plugin-svelte": "^3.3.2",
"prettier-plugin-tailwindcss": "^0.6.9",
"qrcode-svg": "^1.1.0",
"svelte": "^5.28.1",
"svelte-check": "^4.1.6",
"svelte": "^5.16.0",
"svelte-check": "^4.1.1",
"tailwind-merge": "^2.6.0",
"tailwind-variants": "^0.3.1",
"tailwind-variants": "^0.3.0",
"tailwindcss": "^3.4.17",
"tailwindcss-animate": "^1.0.7",
"ts-patch": "^3.3.0",
"typescript": "~5.8.3",
"typescript-eslint": "^8.31.0",
"typia": "^8.2.0",
"vite": "^6.3.2"
"typescript": "^5.7.2",
"typescript-eslint": "^8.18.2",
"vite": "^6.0.6"
},
"dependencies": {
"@libsql/client": "^0.14.0",
"drizzle-kit": "^0.30.6",
"drizzle-orm": "^0.38.4"
"drizzle-kit": "^0.30.1",
"drizzle-orm": "^0.38.3"
}
}

5
src/hooks.server.ts
View File

@ -2,9 +2,10 @@ import { type Handle, redirect } from '@sveltejs/kit';
import { sequence } from '@sveltejs/kit/hooks';
import { dev } from '$app/environment';
import * as auth from '$lib/server/auth';
import wgProvider from '$lib/server/wg-provider';
import { fetchOpnsenseServer } from '$lib/server/opnsense';
await wgProvider.init();
// fetch opnsense server info on startup
await fetchOpnsenseServer();
const handleAuth: Handle = async ({ event, resolve }) => {
const sessionId = event.cookies.get(auth.sessionCookieName);

13
src/lib/assets/google.svg
View File

@ -1,13 +0,0 @@
<svg width="40" height="40" viewBox="10 10 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_710_6221)">
<path d="M29.6 20.2273C29.6 19.5182 29.5364 18.8364 29.4182 18.1818H20V22.05H25.3818C25.15 23.3 24.4455 24.3591 23.3864 25.0682V27.5773H26.6182C28.5091 25.8364 29.6 23.2727 29.6 20.2273Z" fill="#4285F4"/>
<path d="M20 30C22.7 30 24.9636 29.1045 26.6181 27.5773L23.3863 25.0682C22.4909 25.6682 21.3454 26.0227 20 26.0227C17.3954 26.0227 15.1909 24.2636 14.4045 21.9H11.0636V24.4909C12.7091 27.7591 16.0909 30 20 30Z" fill="#34A853"/>
<path d="M14.4045 21.9C14.2045 21.3 14.0909 20.6591 14.0909 20C14.0909 19.3409 14.2045 18.7 14.4045 18.1V15.5091H11.0636C10.3864 16.8591 10 18.3864 10 20C10 21.6136 10.3864 23.1409 11.0636 24.4909L14.4045 21.9Z" fill="#FBBC04"/>
<path d="M20 13.9773C21.4681 13.9773 22.7863 14.4818 23.8227 15.4727L26.6909 12.6045C24.9591 10.9909 22.6954 10 20 10C16.0909 10 12.7091 12.2409 11.0636 15.5091L14.4045 18.1C15.1909 15.7364 17.3954 13.9773 20 13.9773Z" fill="#E94235"/>
</g>
<defs>
<clipPath id="clip0_710_6221">
<rect width="20" height="20" fill="white" transform="translate(10 10)"/>
</clipPath>
</defs>
</svg>
Side by Side

Before

Width:  |  Height:  |  Size: 1.1 KiB

9
src/lib/auth.ts
View File

@ -1,9 +0,0 @@
import { envToBool } from '$lib/utils';
import { env } from '$env/dynamic/public';
export type AuthProvider = 'authentik' | 'google';
export const enabledAuthProviders: Record<AuthProvider, boolean> = {
authentik: envToBool(env.PUBLIC_AUTH_AUTHENTIK_ENABLE),
google: envToBool(env.PUBLIC_AUTH_GOOGLE_ENABLE),
};

28
src/lib/components/app/auth-form/auth-button.svelte
View File

@ -1,28 +0,0 @@
<script lang="ts">
import { LucideLoaderCircle } from '@lucide/svelte';
import { Button } from '$lib/components/ui/button';
interface Props {
providerName: string;
displayName: string;
iconSrc: string;
inviteToken?: string;
}
let { providerName, displayName, inviteToken, iconSrc }: Props = $props();
let submitted = $state(false);
</script>
<form method="get" onsubmit={() => (submitted = true)} action="/auth/{providerName}">
{#if inviteToken}
<input type="hidden" value={inviteToken} name="invite" />
{/if}
<Button type="submit" disabled={submitted}>
{#if submitted}
<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
{:else}
<img class="mr-2 h-4 w-4" alt="{displayName} Logo" src={iconSrc} />
{/if}
Sign {inviteToken ? 'up' : 'in'} with {displayName}
</Button>
</form>

45
src/lib/components/app/auth-form/auth-form.svelte
View File

@ -1,26 +1,31 @@
<script lang="ts">
import { LucideLoaderCircle } from 'lucide-svelte';
import { Button } from '$lib/components/ui/button';
import { cn } from '$lib/utils.js';
import googleIcon from '$lib/assets/google.svg';
import { enabledAuthProviders } from '$lib/auth';
import AuthButton from './auth-button.svelte';
interface Props {
inviteToken?: string;
class?: string;
}
let { inviteToken, class: className }: Props = $props();
let { class: className, ...rest }: { class?: string; rest?: { [p: string]: unknown } } = $props();
let isLoading = $state(false);
</script>
<div class={cn('flex gap-6', className)}>
{#if enabledAuthProviders.authentik}
<AuthButton
providerName="authentik"
displayName="Authentik"
iconSrc="https://auth.cazzzer.com/static/dist/assets/icons/icon.svg"
{inviteToken}
/>
{/if}
{#if enabledAuthProviders.google}
<AuthButton providerName="google" displayName="Google" iconSrc={googleIcon} {inviteToken} />
{/if}
<div class={cn('flex gap-6', className)} {...rest}>
<form method="get" action="/auth/authentik">
<Button
type="submit"
onclick={() => {
isLoading = true;
}}
>
{#if isLoading}
<LucideLoaderCircle class="mr-2 h-4 w-4 animate-spin" />
{:else}
<img
class="mr-2 h-4 w-4"
alt="Authentik Logo"
src="https://auth.cazzzer.com/static/dist/assets/icons/icon.svg"
/>
{/if}
Sign in with Authentik
</Button>
</form>
</div>

2
src/lib/components/app/code-snippet/code-snippet.svelte
View File

@ -1,6 +1,6 @@
<script lang="ts">
import { Button } from '$lib/components/ui/button';
import { LucideClipboardCopy, LucideDownload } from '@lucide/svelte';
import { LucideClipboardCopy, LucideDownload } from 'lucide-svelte';
const {
data,

2
src/lib/components/ui/badge/badge.svelte
View File

@ -43,7 +43,7 @@
this={href ? "a" : "span"}
bind:this={ref}
{href}
class={cn(badgeVariants({ variant }), className)}
class={cn(badgeVariants({ variant, className }))}
{...restProps}
>
{@render children?.()}

4
src/lib/components/ui/button/button.svelte
View File

@ -56,7 +56,7 @@
{#if href}
<a
bind:this={ref}
class={cn(buttonVariants({ variant, size }), className)}
class={cn(buttonVariants({ variant, size, className }))}
{href}
{...restProps}
>
@ -65,7 +65,7 @@
{:else}
<button
bind:this={ref}
class={cn(buttonVariants({ variant, size }), className)}
class={cn(buttonVariants({ variant, size, className }))}
{type}
{...restProps}
>

4
src/lib/components/ui/checkbox/checkbox.svelte
View File

@ -1,7 +1,7 @@
<script lang="ts">
import { Checkbox as CheckboxPrimitive, type WithoutChildrenOrChild } from "bits-ui";
import Check from "@lucide/svelte/icons/check";
import Minus from "@lucide/svelte/icons/minus";
import Check from "lucide-svelte/icons/check";
import Minus from "lucide-svelte/icons/minus";
import { cn } from "$lib/utils.js";
let {

2
src/lib/components/ui/dialog/dialog-content.svelte
View File

@ -1,6 +1,6 @@
<script lang="ts">
import { Dialog as DialogPrimitive, type WithoutChildrenOrChild } from "bits-ui";
import X from "@lucide/svelte/icons/x";
import X from "lucide-svelte/icons/x";
import type { Snippet } from "svelte";
import * as Dialog from "./index.js";
import { cn } from "$lib/utils.js";

5
src/lib/components/ui/dialog/dialog-description.svelte
View File

@ -5,6 +5,7 @@
let {
ref = $bindable(null),
class: className,
children,
...restProps
}: DialogPrimitive.DescriptionProps = $props();
</script>
@ -13,4 +14,6 @@
bind:ref
class={cn("text-muted-foreground text-sm", className)}
{...restProps}
/>
>
{@render children?.()}
</DialogPrimitive.Description>

5
src/lib/components/ui/dialog/dialog-overlay.svelte
View File

@ -5,6 +5,7 @@
let {
ref = $bindable(null),
class: className,
children,
...restProps
}: DialogPrimitive.OverlayProps = $props();
</script>
@ -16,4 +17,6 @@
className
)}
{...restProps}
/>
>
{@render children?.()}
</DialogPrimitive.Overlay>

5
src/lib/components/ui/dialog/dialog-title.svelte
View File

@ -5,6 +5,7 @@
let {
ref = $bindable(null),
class: className,
children,
...restProps
}: DialogPrimitive.TitleProps = $props();
</script>
@ -13,4 +14,6 @@
bind:ref
class={cn("text-lg font-semibold leading-none tracking-tight", className)}
{...restProps}
/>
>
{@render children?.()}
</DialogPrimitive.Title>

46
src/lib/components/ui/input/input.svelte
View File

@ -1,46 +1,22 @@
<script lang="ts">
import type { HTMLInputAttributes, HTMLInputTypeAttribute } from "svelte/elements";
import type { HTMLInputAttributes } from "svelte/elements";
import type { WithElementRef } from "bits-ui";
import { cn } from "$lib/utils.js";
type InputType = Exclude<HTMLInputTypeAttribute, "file">;
type Props = WithElementRef<
Omit<HTMLInputAttributes, "type"> &
({ type: "file"; files?: FileList } | { type?: InputType; files?: undefined })
>;
let {
ref = $bindable(null),
value = $bindable(),
type,
files = $bindable(),
class: className,
...restProps
}: Props = $props();
}: WithElementRef<HTMLInputAttributes> = $props();
</script>
{#if type === "file"}
<input
bind:this={ref}
class={cn(
"border-input bg-background ring-offset-background placeholder:text-muted-foreground focus-visible:ring-ring flex h-10 w-full rounded-md border px-3 py-2 text-base file:border-0 file:bg-transparent file:text-sm file:font-medium focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
className
)}
type="file"
bind:files
bind:value
{...restProps}
/>
{:else}
<input
bind:this={ref}
class={cn(
"border-input bg-background ring-offset-background placeholder:text-muted-foreground focus-visible:ring-ring flex h-10 w-full rounded-md border px-3 py-2 text-base file:border-0 file:bg-transparent file:text-sm file:font-medium focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
className
)}
{type}
bind:value
{...restProps}
/>
{/if}
<input
bind:this={ref}
class={cn(
"border-input bg-background ring-offset-background placeholder:text-muted-foreground focus-visible:ring-ring flex h-10 w-full rounded-md border px-3 py-2 text-base file:border-0 file:bg-transparent file:text-sm file:font-medium focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
className
)}
bind:value
{...restProps}
/>

5
src/lib/components/ui/label/label.svelte
View File

@ -5,6 +5,7 @@
let {
ref = $bindable(null),
class: className,
children,
...restProps
}: LabelPrimitive.RootProps = $props();
</script>
@ -16,4 +17,6 @@
className
)}
{...restProps}
/>
>
{@render children?.()}
</LabelPrimitive.Root>

5
src/lib/components/ui/tabs/tabs-content.svelte
View File

@ -5,6 +5,7 @@
let {
ref = $bindable(null),
class: className,
children,
...restProps
}: TabsPrimitive.ContentProps = $props();
</script>
@ -16,4 +17,6 @@
className
)}
{...restProps}
/>
>
{@render children?.()}
</TabsPrimitive.Content>

5
src/lib/components/ui/tabs/tabs-list.svelte
View File

@ -5,6 +5,7 @@
let {
ref = $bindable(null),
class: className,
children,
...restProps
}: TabsPrimitive.ListProps = $props();
</script>
@ -16,4 +17,6 @@
className
)}
{...restProps}
/>
>
{@render children?.()}
</TabsPrimitive.List>

5
src/lib/components/ui/tabs/tabs-trigger.svelte
View File

@ -5,6 +5,7 @@
let {
ref = $bindable(null),
class: className,
children,
...restProps
}: TabsPrimitive.TriggerProps = $props();
</script>
@ -16,4 +17,6 @@
className
)}
{...restProps}
/>
>
{@render children?.()}
</TabsPrimitive.Trigger>

3
src/lib/opnsense/index.ts Normal file
View File

@ -0,0 +1,3 @@
export function opnsenseSanitezedUsername(username: string) {
return username.slice(0, 63).replace(/[^a-zA-Z0-9_-]/g, '_');
}

0
src/lib/server/wg-providers/opnsense/types.ts → src/lib/opnsense/wg.ts
View File

26
src/lib/server/auth.ts
View File

@ -3,9 +3,8 @@ import { sha256 } from '@oslojs/crypto/sha2';
import { encodeBase32LowerCaseNoPadding, encodeHexLowerCase } from '@oslojs/encoding';
import { db } from '$lib/server/db';
import * as table from '$lib/server/db/schema';
import type { Cookies } from '@sveltejs/kit';
import type { RequestEvent } from '@sveltejs/kit';
import { dev } from '$app/environment';
import { env } from '$env/dynamic/private';
const DAY_IN_MS = 1000 * 60 * 60 * 24;
@ -22,14 +21,14 @@ export async function createSession(userId: string): Promise<table.Session> {
const session: table.Session = {
id: sessionId,
userId,
expiresAt: new Date(Date.now() + DAY_IN_MS * 30),
expiresAt: new Date(Date.now() + DAY_IN_MS * 30)
};
await db.insert(table.sessions).values(session);
return session;
}
export function setSessionTokenCookie(cookies: Cookies, sessionId: string, expiresAt: Date) {
cookies.set(sessionCookieName, sessionId, {
export function setSessionTokenCookie(event: RequestEvent, sessionId: string, expiresAt: Date) {
event.cookies.set(sessionCookieName, sessionId, {
path: '/',
sameSite: 'lax',
httpOnly: true,
@ -42,21 +41,16 @@ export async function invalidateSession(sessionId: string): Promise<void> {
await db.delete(table.sessions).where(eq(table.sessions.id, sessionId));
}
export function deleteSessionTokenCookie(cookies: Cookies) {
cookies.delete(sessionCookieName, { path: '/' });
export function deleteSessionTokenCookie(event: RequestEvent) {
event.cookies.delete(sessionCookieName, { path: '/' });
}
export async function validateSession(sessionId: string) {
const [result] = await db
.select({
// Adjust user table here to tweak returned data
user: {
id: table.users.id,
authSource: table.users.authSource,
username: table.users.username,
name: table.users.name,
},
session: table.sessions,
user: { id: table.users.id, username: table.users.username, name: table.users.name },
session: table.sessions
})
.from(table.sessions)
.innerJoin(table.users, eq(table.sessions.userId, table.users.id))
@ -85,8 +79,4 @@ export async function validateSession(sessionId: string) {
return { session, user };
}
export function isValidInviteToken(inviteToken: string) {
return inviteToken === env.AUTH_INVITE_TOKEN;
}
export type SessionValidationResult = Awaited<ReturnType<typeof validateSession>>;

3
src/lib/server/db/schema.ts
View File

@ -3,7 +3,6 @@ import { relations } from 'drizzle-orm';
export const users = sqliteTable('users', {
id: text('id').primaryKey(),
authSource: text('auth_source').notNull().default('authentik'),
username: text('username').notNull(),
name: text('name').notNull(),
});
@ -36,6 +35,8 @@ export const devices = sqliteTable('devices', {
.notNull()
.references(() => users.id),
name: text('name').notNull(),
// questioning whether this should be nullable
opnsenseId: text('opnsense_id'),
publicKey: text('public_key').notNull().unique(),
// nullable for the possibility of a user supplying their own private key
privateKey: text('private_key'),

2
src/lib/server/db/seed.ts
View File

@ -2,7 +2,7 @@ import { ipAllocations, users, devices } from './schema';
import { eq } from 'drizzle-orm';
import assert from 'node:assert';
import { drizzle } from 'drizzle-orm/libsql';
import * as schema from './schema';
import * as schema from '$lib/server/db/schema';
assert(process.env.DATABASE_URL, 'DATABASE_URL is not set');
const db = drizzle(process.env.DATABASE_URL, { schema });

219
src/lib/server/devices.ts Normal file
View File

@ -0,0 +1,219 @@
import type { User } from '$lib/server/db/schema';
import { ipAllocations, devices } from '$lib/server/db/schema';
import { db } from '$lib/server/db';
import { opnsenseAuth, opnsenseUrl, serverPublicKey, serverUuid } from '$lib/server/opnsense';
import { Address4, Address6 } from 'ip-address';
import { env } from '$env/dynamic/private';
import { and, count, eq, isNull } from 'drizzle-orm';
import { err, ok, type Result } from '$lib/types';
import type { DeviceDetails } from '$lib/devices';
import { opnsenseSanitezedUsername } from '$lib/opnsense';
export async function findDevices(userId: string) {
return db.query.devices.findMany({
columns: {
id: true,
name: true,
publicKey: true,
privateKey: true,
preSharedKey: true,
},
with: {
ipAllocation: true,
},
where: eq(devices.userId, userId),
});
}
export async function findDevice(userId: string, deviceId: number) {
return db.query.devices.findFirst({
columns: {
id: true,
name: true,
publicKey: true,
privateKey: true,
preSharedKey: true,
},
with: {
ipAllocation: true,
},
where: and(eq(devices.userId, userId), eq(devices.id, deviceId)),
});
}
export function mapDeviceToDetails(
device: Awaited<ReturnType<typeof findDevices>>[0],
): DeviceDetails {
const ips = getIpsFromIndex(device.ipAllocation.id);
return {
id: device.id,
name: device.name,
publicKey: device.publicKey,
privateKey: device.privateKey,
preSharedKey: device.preSharedKey,
ips,
vpnPublicKey: serverPublicKey,
vpnEndpoint: env.VPN_ENDPOINT,
vpnDns: env.VPN_DNS,
};
}
export async function createDevice(params: {
name: string;
user: User;
}): Promise<Result<number, [400 | 500, string]>> {
// check if user exceeds the limit of devices
const [{ deviceCount }] = await db
.select({ deviceCount: count() })
.from(devices)
.where(eq(devices.userId, params.user.id));
if (deviceCount >= parseInt(env.MAX_CLIENTS_PER_USER))
return err([400, 'Maximum number of devices reached'] as [400, string]);
// this is going to be quite long
// 1. fetch params for new device from opnsense api
// 2.1 get an allocation for the device
// 2.2. insert new device into db
// 2.3. update the allocation with the device id
// 3. create the client in opnsense
// 4. reconfigure opnsense to enable the new client
return await db.transaction(async (tx) => {
const [keys, availableAllocation, lastAllocation] = await Promise.all([
// fetch params for new device from opnsense api
getKeys(),
// find first unallocated IP
await tx.query.ipAllocations.findFirst({
columns: {
id: true,
},
where: isNull(ipAllocations.deviceId),
}),
// find last allocation to check if we have any IPs left
await tx.query.ipAllocations.findFirst({
columns: {
id: true,
},
orderBy: (ipAllocations, { desc }) => desc(ipAllocations.id),
}),
]);
// check for existing allocation or if we have any IPs left
if (!availableAllocation && lastAllocation && lastAllocation.id >= parseInt(env.IP_MAX_INDEX)) {
return err([500, 'No more IP addresses available'] as [500, string]);
}
// use existing allocation or create a new one
const ipAllocationId =
availableAllocation?.id ??
(await tx.insert(ipAllocations).values({}).returning({ id: ipAllocations.id }))[0].id;
// transaction savepoint after creating a new IP allocation
// TODO: not sure if this is needed
return await tx.transaction(async (tx2) => {
// create new device in db
const [newDevice] = await tx2
.insert(devices)
.values({
userId: params.user.id,
name: params.name,
publicKey: keys.pubkey,
privateKey: keys.privkey,
preSharedKey: keys.psk,
})
.returning({ id: devices.id });
// update IP allocation with device ID
await tx2
.update(ipAllocations)
.set({ deviceId: newDevice.id })
.where(eq(ipAllocations.id, ipAllocationId));
// create client in opnsense
const opnsenseRes = await opnsenseCreateClient({
username: params.user.username,
pubkey: keys.pubkey,
psk: keys.psk,
allowedIps: getIpsFromIndex(ipAllocationId).join(','),
});
const opnsenseResJson = await opnsenseRes.json();
if (opnsenseResJson['result'] !== 'saved') {
tx2.rollback();
console.error(`Error creating client in OPNsense: \n${opnsenseResJson}`);
return err([500, 'Error creating client in OPNsense'] as [500, string]);
}
// reconfigure opnsense
await opnsenseReconfigure();
return ok(newDevice.id);
});
});
}
async function getKeys() {
// fetch key pair from opnsense
const options: RequestInit = {
method: 'GET',
headers: {
Authorization: opnsenseAuth,
Accept: 'application/json',
},
};
const resKeyPair = await fetch(`${opnsenseUrl}/api/wireguard/server/key_pair`, options);
const resPsk = await fetch(`${opnsenseUrl}/api/wireguard/client/psk`, options);
const keyPair = await resKeyPair.json();
const psk = await resPsk.json();
return {
pubkey: keyPair['pubkey'] as string,
privkey: keyPair['privkey'] as string,
psk: psk['psk'] as string,
};
}
export function getIpsFromIndex(ipIndex: number) {
ipIndex -= 1; // 1-indexed in the db
const v4StartingAddr = new Address4(env.IPV4_STARTING_ADDR);
const v6StartingAddr = new Address6(env.IPV6_STARTING_ADDR);
const v4Allowed = Address4.fromBigInt(v4StartingAddr.bigInt() + BigInt(ipIndex));
const v6Offset = BigInt(ipIndex) << (128n - BigInt(env.IPV6_CLIENT_PREFIX_SIZE));
const v6Allowed = Address6.fromBigInt(v6StartingAddr.bigInt() + v6Offset);
const v6AllowedShort = v6Allowed.parsedAddress.join(':');
return [v4Allowed.address + '/32', v6AllowedShort + '/' + env.IPV6_CLIENT_PREFIX_SIZE];
}
async function opnsenseCreateClient(params: {
username: string;
pubkey: string;
psk: string;
allowedIps: string;
}) {
return fetch(`${opnsenseUrl}/api/wireguard/client/addClientBuilder`, {
method: 'POST',
headers: {
Authorization: opnsenseAuth,
Accept: 'application/json',
'Content-Type': 'application/json',
},
body: JSON.stringify({
configbuilder: {
enabled: '1',
name: `vpgen-${opnsenseSanitezedUsername(params.username)}`,
pubkey: params.pubkey,
psk: params.psk,
tunneladdress: params.allowedIps,
server: serverUuid,
endpoint: env.VPN_ENDPOINT,
},
}),
});
}
async function opnsenseReconfigure() {
return fetch(`${opnsenseUrl}/api/wireguard/service/reconfigure`, {
method: 'POST',
headers: {
Authorization: opnsenseAuth,
Accept: 'application/json',
},
});
}

94
src/lib/server/devices/create.ts
View File

@ -1,94 +0,0 @@
import { devices, ipAllocations, type User } from '$lib/server/db/schema';
import { err, ok, type Result } from '$lib/types';
import { db } from '$lib/server/db';
import { count, eq, isNull } from 'drizzle-orm';
import { env } from '$env/dynamic/private';
import { getIpsFromIndex } from './utils';
import wgProvider from '$lib/server/wg-provider';
export async function createDevice(params: {
name: string;
user: User;
}): Promise<Result<number, [400 | 500, string]>> {
// check if user exceeds the limit of devices
const [{ deviceCount }] = await db
.select({ deviceCount: count() })
.from(devices)
.where(eq(devices.userId, params.user.id));
if (deviceCount >= parseInt(env.MAX_CLIENTS_PER_USER))
return err([400, 'Maximum number of devices reached'] as [400, string]);
// 1. fetch params for new device from provider
// 2.1 get an allocation for the device
// 2.2. insert new device into db
// 2.3. update the allocation with the device id
// 3. create the client in provider
return await db.transaction(async (tx) => {
const [keysResult, availableAllocation, lastAllocation] = await Promise.all([
// fetch params for new device from provider
wgProvider.generateKeys(),
// find first unallocated IP
await tx.query.ipAllocations.findFirst({
columns: {
id: true,
},
where: isNull(ipAllocations.deviceId),
}),
// find last allocation to check if we have any IPs left
await tx.query.ipAllocations.findFirst({
columns: {
id: true,
},
orderBy: (ipAllocations, { desc }) => desc(ipAllocations.id),
}),
]);
if (keysResult?._tag === 'err') return err([500, 'Failed to get keys']);
const keys = keysResult.value;
// check for existing allocation or if we have any IPs left
if (!availableAllocation && lastAllocation && lastAllocation.id >= parseInt(env.IP_MAX_INDEX)) {
return err([500, 'No more IP addresses available']);
}
// use existing allocation or create a new one
const ipAllocationId =
availableAllocation?.id ??
(await tx.insert(ipAllocations).values({}).returning({ id: ipAllocations.id }))[0].id;
// transaction savepoint after creating a new IP allocation
// TODO: not sure if this is needed
return await tx.transaction(async (tx2) => {
// create new device in db
const [newDevice] = await tx2
.insert(devices)
.values({
userId: params.user.id,
name: params.name,
publicKey: keys.publicKey,
privateKey: keys.privateKey,
preSharedKey: keys.preSharedKey,
})
.returning({ id: devices.id });
// update IP allocation with device ID
await tx2
.update(ipAllocations)
.set({ deviceId: newDevice.id })
.where(eq(ipAllocations.id, ipAllocationId));
// create client in provider
const providerRes = await wgProvider.createClient({
user: params.user,
publicKey: keys.publicKey,
preSharedKey: keys.preSharedKey,
allowedIps: getIpsFromIndex(ipAllocationId).join(','),
});
if (providerRes._tag === 'err') {
tx2.rollback();
return err([500, 'Failed to create client in provider']);
}
return ok(newDevice.id);
});
});
}

27
src/lib/server/devices/delete.ts
View File

@ -1,27 +0,0 @@
import { and, eq } from 'drizzle-orm';
import { db } from '$lib/server/db';
import { devices } from '$lib/server/db/schema';
import { err, ok, type Result } from '$lib/types';
import wgProvider from '$lib/server/wg-provider';
export async function deleteDevice(
userId: string,
deviceId: number,
): Promise<Result<null, [400 | 500, string]>> {
const device = await db.query.devices.findFirst({
columns: {
publicKey: true,
},
where: and(eq(devices.userId, userId), eq(devices.id, deviceId)),
});
if (!device) return err([400, 'Device not found']);
const providerDeletionResult = await wgProvider.deleteClient(device.publicKey);
if (providerDeletionResult._tag === 'err') {
console.error('failed to delete provider client for device', deviceId, device.publicKey);
return err([500, 'Error deleting client in provider']);
}
await db.delete(devices).where(eq(devices.id, deviceId));
return ok(null);
}

56
src/lib/server/devices/find.ts
View File

@ -1,56 +0,0 @@
import { db } from '$lib/server/db';
import { and, eq } from 'drizzle-orm';
import { devices } from '$lib/server/db/schema';
import type { DeviceDetails } from '$lib/devices';
import { env } from '$env/dynamic/private';
import { getIpsFromIndex } from '$lib/server/devices/index';
import wgProvider from '$lib/server/wg-provider';
export async function findDevices(userId: string) {
return db.query.devices.findMany({
columns: {
id: true,
name: true,
publicKey: true,
privateKey: true,
preSharedKey: true,
},
with: {
ipAllocation: true,
},
where: eq(devices.userId, userId),
});
}
export async function findDevice(userId: string, deviceId: number) {
return db.query.devices.findFirst({
columns: {
id: true,
name: true,
publicKey: true,
privateKey: true,
preSharedKey: true,
},
with: {
ipAllocation: true,
},
where: and(eq(devices.userId, userId), eq(devices.id, deviceId)),
});
}
export function mapDeviceToDetails(
device: Awaited<ReturnType<typeof findDevices>>[0],
): DeviceDetails {
const ips = getIpsFromIndex(device.ipAllocation.id);
return {
id: device.id,
name: device.name,
publicKey: device.publicKey,
privateKey: device.privateKey,
preSharedKey: device.preSharedKey,
ips,
vpnPublicKey: wgProvider.getServerPublicKey(),
vpnEndpoint: env.VPN_ENDPOINT,
vpnDns: env.VPN_DNS,
};
}

3
src/lib/server/devices/index.ts
View File

@ -1,3 +0,0 @@
export { findDevices, findDevice, mapDeviceToDetails } from './find';
export { createDevice } from './create';
export { getIpsFromIndex } from './utils';

14
src/lib/server/devices/utils.ts
View File

@ -1,14 +0,0 @@
import { Address4, Address6 } from 'ip-address';
import { env } from '$env/dynamic/private';
export function getIpsFromIndex(ipIndex: number) {
ipIndex -= 1; // 1-indexed in the db
const v4StartingAddr = new Address4(env.IPV4_STARTING_ADDR);
const v6StartingAddr = new Address6(env.IPV6_STARTING_ADDR);
const v4Allowed = Address4.fromBigInt(v4StartingAddr.bigInt() + BigInt(ipIndex));
const v6Offset = BigInt(ipIndex) << (128n - BigInt(env.IPV6_CLIENT_PREFIX_SIZE));
const v6Allowed = Address6.fromBigInt(v6StartingAddr.bigInt() + v6Offset);
const v6AllowedShort = v6Allowed.parsedAddress.join(':');
return [v4Allowed.address + '/32', v6AllowedShort + '/' + env.IPV6_CLIENT_PREFIX_SIZE];
}

34
src/lib/server/oauth-providers/authentik.ts
View File

@ -1,34 +0,0 @@
import { envToBool } from '$lib/utils';
import { env } from '$env/dynamic/private';
import { Authentik, decodeIdToken } from 'arctic';
import { assertGuard } from 'typia';
import type { IOAuthProvider } from '$lib/server/oauth';
const authentikProvider = new Authentik(
env.AUTH_AUTHENTIK_DOMAIN,
env.AUTH_AUTHENTIK_CLIENT_ID,
env.AUTH_AUTHENTIK_CLIENT_SECRET,
`${env.ORIGIN}/auth/authentik/callback`,
);
export const authentik: IOAuthProvider = {
requireInvite: envToBool(env.AUTH_AUTHENTIK_REQUIRE_INVITE, true),
createAuthorizationURL: (state: string, codeVerifier: string) => {
const scopes = ['openid', 'profile'];
return authentikProvider.createAuthorizationURL(state, codeVerifier, scopes);
},
validateAuthorizationCode: async (code: string, codeVerifier: string) => {
const tokens = await authentikProvider.validateAuthorizationCode(code, codeVerifier);
const claims = decodeIdToken(tokens.idToken());
assertGuard<{
sub: string;
name: string;
preferred_username: string;
}>(claims);
return {
sub: claims.sub,
name: claims.name,
username: claims.preferred_username,
};
},
};

33
src/lib/server/oauth-providers/google.ts
View File

@ -1,33 +0,0 @@
import { decodeIdToken, Google } from 'arctic';
import { env } from '$env/dynamic/private';
import { envToBool } from '$lib/utils';
import { assertGuard } from 'typia';
import type { IOAuthProvider } from '$lib/server/oauth';
const googleProvider = new Google(
env.AUTH_GOOGLE_CLIENT_ID,
env.AUTH_GOOGLE_CLIENT_SECRET,
`${env.ORIGIN}/auth/google/callback`,
);
export const google: IOAuthProvider = {
requireInvite: envToBool(env.AUTH_GOOGLE_REQUIRE_INVITE, true),
createAuthorizationURL: (state: string, codeVerifier: string) => {
const scopes = ['openid', 'profile', 'email'];
return googleProvider.createAuthorizationURL(state, codeVerifier, scopes);
},
validateAuthorizationCode: async (code: string, codeVerifier: string) => {
const tokens = await googleProvider.validateAuthorizationCode(code, codeVerifier);
const claims = decodeIdToken(tokens.idToken());
assertGuard<{
sub: string;
email: string;
name: string;
}>(claims);
return {
sub: claims.sub,
name: claims.name,
username: claims.email,
};
},
};

2
src/lib/server/oauth-providers/index.ts
View File

@ -1,2 +0,0 @@
export { authentik } from './authentik';
export { google } from './google';

26
src/lib/server/oauth.ts
View File

@ -1,19 +1,9 @@
import type { AuthProvider } from '$lib/auth';
import { authentik, google } from '$lib/server/oauth-providers';
import { Authentik } from 'arctic';
import { env } from '$env/dynamic/private';
export interface IOAuthClaims {
sub: string;
name: string;
username: string;
}
export interface IOAuthProvider {
readonly requireInvite: boolean;
createAuthorizationURL(state: string, codeVerifier: string): URL;
validateAuthorizationCode(code: string, codeVerifier: string): Promise<IOAuthClaims>;
}
export const oauthProviders: Record<AuthProvider, IOAuthProvider> = {
authentik,
google,
};
export const authentik = new Authentik(
env.AUTH_DOMAIN,
env.AUTH_CLIENT_ID,
env.AUTH_CLIENT_SECRET,
`${env.ORIGIN}/auth/authentik/callback`,
);

49
src/lib/server/opnsense/index.ts Normal file
View File

@ -0,0 +1,49 @@
import { env } from '$env/dynamic/private';
import assert from 'node:assert';
import { encodeBasicCredentials } from 'arctic/dist/request';
import { dev } from '$app/environment';
import type { OpnsenseWgServers } from '$lib/opnsense/wg';
export const opnsenseUrl = env.OPNSENSE_API_URL;
export const opnsenseAuth =
'Basic ' + encodeBasicCredentials(env.OPNSENSE_API_KEY, env.OPNSENSE_API_SECRET);
export const opnsenseIfname = env.OPNSENSE_WG_IFNAME;
// unset secret for security
if (!dev) env.OPNSENSE_API_SECRET = '';
export let serverUuid: string, serverPublicKey: string;
export async function fetchOpnsenseServer() {
// this might be pretty bad if the server is down and in a bunch of other cases
// TODO: write a retry loop later
const resServers = await fetch(`${opnsenseUrl}/api/wireguard/client/list_servers`, {
method: 'GET',
headers: {
Authorization: opnsenseAuth,
Accept: 'application/json',
},
});
assert(resServers.ok, 'Failed to fetch OPNsense WireGuard servers');
const servers = (await resServers.json()) as OpnsenseWgServers;
assert.equal(servers.status, 'ok', 'Failed to fetch OPNsense WireGuard servers');
const uuid = servers.rows.find((server) => server.name === opnsenseIfname)?.uuid;
assert(uuid, 'Failed to find server UUID for OPNsense WireGuard server');
serverUuid = uuid;
console.info('OPNsense WireGuard server UUID:', serverUuid);
const resServerInfo = await fetch(
`${opnsenseUrl}/api/wireguard/client/get_server_info/${serverUuid}`,
{
method: 'GET',
headers: {
Authorization: opnsenseAuth,
Accept: 'application/json',
},
},
);
assert(resServerInfo.ok, 'Failed to fetch OPNsense WireGuard server info');
const serverInfo = await resServerInfo.json();
assert.equal(serverInfo.status, 'ok', 'Failed to fetch OPNsense WireGuard server info');
serverPublicKey = serverInfo['pubkey'];
}

38
src/lib/server/types/index.ts
View File

@ -1,38 +0,0 @@
import type { Result } from '$lib/types';
import type { User } from '$lib/server/db/schema';
export interface IWgProvider {
init(): Promise<Result<null, Error>>;
getServerPublicKey(): string;
generateKeys(): Promise<Result<WgKeys, Error>>;
createClient(params: CreateClientParams): Promise<Result<null, Error>>;
findConnections(user: User): Promise<Result<ClientConnection[], Error>>;
deleteClient(publicKey: string): Promise<Result<null, Error>>;
}
export type WgKeys = {
publicKey: string;
privateKey: string;
preSharedKey: string;
};
export type CreateClientParams = {
user: User;
publicKey: string;
preSharedKey: string;
allowedIps: string;
}
export type ClientConnection = {
publicKey: string;
endpoint: string;
allowedIps: string;
transferRx: number;
transferTx: number;
latestHandshake: number;
}

12
src/lib/server/wg-provider.ts
View File

@ -1,12 +0,0 @@
import { WgProviderOpnsense } from '$lib/server/wg-providers/opnsense';
import { env } from '$env/dynamic/private';
import type { IWgProvider } from '$lib/server/types';
const wgProvider: IWgProvider = new WgProviderOpnsense({
opnsenseUrl: env.OPNSENSE_API_URL,
opnsenseApiKey: env.OPNSENSE_API_KEY,
opnsenseApiSecret: env.OPNSENSE_API_SECRET,
opnsenseWgIfname: env.OPNSENSE_WG_IFNAME,
});
export default wgProvider;

244
src/lib/server/wg-providers/opnsense/index.ts
View File

@ -1,244 +0,0 @@
import type { ClientConnection, CreateClientParams, IWgProvider, WgKeys } from '$lib/server/types';
import { encodeBasicCredentials } from 'arctic/dist/request';
import { is } from 'typia';
import type { OpnsenseWgPeers, OpnsenseWgServers } from '$lib/server/wg-providers/opnsense/types';
import { err, ok, type Result } from '$lib/types';
import assert from 'node:assert';
import type { User } from '$lib/server/db/schema';
export class WgProviderOpnsense implements IWgProvider {
private opnsenseUrl: string;
private opnsenseAuth: string;
private opnsenseIfname: string;
private opnsenseWgServerUuid: string | undefined;
private opnsenseWgServerPublicKey: string | undefined;
public constructor(params: OpnsenseParams) {
this.opnsenseUrl = params.opnsenseUrl;
this.opnsenseAuth =
'Basic ' + encodeBasicCredentials(params.opnsenseApiKey, params.opnsenseApiSecret);
this.opnsenseIfname = params.opnsenseWgIfname;
}
public async init(): Promise<Result<null, Error>> {
const resServers = await fetch(`${this.opnsenseUrl}/api/wireguard/client/list_servers`, {
method: 'GET',
headers: {
Authorization: this.opnsenseAuth,
Accept: 'application/json',
},
});
const servers = await resServers.json();
if (!is<OpnsenseWgServers>(servers)) {
console.error('Unexpected response for OPNsense WireGuard servers', servers);
return err(new Error('Failed to fetch OPNsense WireGuard servers'));
}
const uuid = servers.rows.find((server) => server.name === this.opnsenseIfname)?.uuid;
if (!uuid) {
console.error('OPNsense WireGuard servers', servers);
return err(new Error('Failed to find server UUID for OPNsense WireGuard server'));
}
const resServerInfo = await fetch(
`${this.opnsenseUrl}/api/wireguard/client/get_server_info/${uuid}`,
{
method: 'GET',
headers: {
Authorization: this.opnsenseAuth,
Accept: 'application/json',
},
},
);
const serverInfo = await resServerInfo.json();
const serverPublicKey = serverInfo['pubkey'];
if (serverInfo['status'] !== 'ok' || typeof serverPublicKey !== 'string') {
console.error('Failed to fetch OPNsense WireGuard server info', serverInfo);
return err(new Error('Failed to fetch OPNsense WireGuard server info'));
}
console.debug('OPNsense WireGuard server UUID:', uuid);
console.debug('OPNsense WireGuard server public key:', serverPublicKey);
this.opnsenseWgServerUuid = uuid;
this.opnsenseWgServerPublicKey = serverPublicKey;
return ok(null);
}
getServerPublicKey(): string {
assert(
this.opnsenseWgServerPublicKey,
'OPNsense server public key not set, init() must be called first',
);
return this.opnsenseWgServerPublicKey;
}
public async generateKeys(): Promise<Result<WgKeys, Error>> {
const options: RequestInit = {
method: 'GET',
headers: {
Authorization: this.opnsenseAuth,
Accept: 'application/json',
},
};
const resKeyPair = await fetch(`${this.opnsenseUrl}/api/wireguard/server/key_pair`, options);
const resPsk = await fetch(`${this.opnsenseUrl}/api/wireguard/client/psk`, options);
const keyPair = await resKeyPair.json();
const psk = await resPsk.json();
if (!is<{ pubkey: string; privkey: string }>(keyPair)) {
console.error('Unexpected response for OPNsense key pair', keyPair);
return err(new Error('Failed to fetch OPNsense key pair'));
}
if (!is<{ psk: string }>(psk)) {
console.error('Unexpected response for OPNsense PSK', psk);
return err(new Error('Failed to fetch OPNsense PSK'));
}
return ok({
publicKey: keyPair.pubkey,
privateKey: keyPair.privkey,
preSharedKey: psk.psk,
});
}
async createClient(params: CreateClientParams): Promise<Result<null, Error>> {
assert(this.opnsenseWgServerUuid, 'OPNsense server UUID not set, init() must be called first');
const createClientRes = await fetch(
`${this.opnsenseUrl}/api/wireguard/client/addClientBuilder`,
{
method: 'POST',
headers: {
Authorization: this.opnsenseAuth,
Accept: 'application/json',
'Content-Type': 'application/json',
},
body: JSON.stringify({
configbuilder: {
enabled: '1',
name: `vpgen-${opnsenseSanitezedUsername(params.user.username)}`,
pubkey: params.publicKey,
psk: params.preSharedKey,
tunneladdress: params.allowedIps,
server: this.opnsenseWgServerUuid,
endpoint: '',
},
}),
},
);
const createClientResJson = await createClientRes.json();
if (createClientResJson['result'] !== 'saved') {
console.error('Error creating client in OPNsense', createClientResJson);
return err(new Error('Failed to create client in OPNsense'));
}
const reconfigureRes = await fetch(`${this.opnsenseUrl}/api/wireguard/service/reconfigure`, {
method: 'POST',
headers: {
Authorization: this.opnsenseAuth,
Accept: 'application/json',
},
});
if (reconfigureRes.status !== 200) {
console.error('Error reconfiguring OPNsense', reconfigureRes);
return err(new Error('Failed to reconfigure OPNsense'));
}
return ok(null);
}
async findConnections(user: User): Promise<Result<ClientConnection[], Error>> {
const res = await fetch(`${this.opnsenseUrl}/api/wireguard/service/show`, {
method: 'POST',
headers: {
Authorization: this.opnsenseAuth,
Accept: 'application/json',
'Content-Type': 'application/json',
},
body: JSON.stringify({
current: 1,
// "rowCount": 7,
sort: {},
// TODO: use a more unique search phrase
// unfortunately 64 character limit,
// but it should be fine if users can't change their own username
searchPhrase: `vpgen-${opnsenseSanitezedUsername(user.username)}`,
type: ['peer'],
}),
});
const peers = await res.json();
if (!is<OpnsenseWgPeers>(peers)) {
console.error('Unexpected response for OPNsense WireGuard peers', peers);
return err(new Error('Failed to fetch OPNsense WireGuard peers'));
}
return ok(
peers.rows.map((peer) => {
return {
publicKey: peer['public-key'],
endpoint: peer['endpoint'],
allowedIps: peer['allowed-ips'],
transferRx: peer['transfer-rx'],
transferTx: peer['transfer-tx'],
latestHandshake: peer['latest-handshake'] * 1000,
};
}),
);
}
async deleteClient(publicKey: string): Promise<Result<null, Error>> {
const client = await this.findOpnsenseClient(publicKey);
const clientUuid = client?.uuid;
if (typeof clientUuid !== 'string') {
console.error('Failed to get OPNsense client UUID for deletion', client);
return err(new Error('Failed to get OPNsense client UUID for deletion'));
}
const res = await fetch(`${this.opnsenseUrl}/api/wireguard/client/delClient/${clientUuid}`, {
method: 'POST',
headers: {
Authorization: this.opnsenseAuth,
Accept: 'application/json',
},
});
const resJson = await res.json();
if (resJson['result'] !== 'deleted') {
console.error('Failed to delete OPNsense client', resJson);
return err(new Error('Failed to delete OPNsense client'));
}
return ok(null);
}
private async findOpnsenseClient(publicKey: string) {
const res = await fetch(`${this.opnsenseUrl}/api/wireguard/client/searchClient`, {
method: 'POST',
headers: {
Authorization: this.opnsenseAuth,
Accept: 'application/json',
'Content-Type': 'application/json',
},
body: JSON.stringify({
current: 1,
sort: {},
searchPhrase: publicKey,
type: ['peer'],
}),
});
return (await res.json())?.rows?.[0] ?? null;
}
}
function opnsenseSanitezedUsername(username: string) {
return username.slice(0, 63).replace(/[^a-zA-Z0-9_-]/g, '_');
}
export type OpnsenseParams = {
opnsenseUrl: string;
opnsenseApiKey: string;
opnsenseApiSecret: string;
opnsenseWgIfname: string;
};

29
src/lib/types/index.ts
View File

@ -1,2 +1,27 @@
export type { Result } from './result';
export { ok, err } from './result';
class Ok<T> {
readonly _tag = 'ok';
value: T;
constructor(value: T) {
this.value = value;
}
}
class Err<E> {
readonly _tag = 'err';
error: E;
constructor(error: E) {
this.error = error;
}
}
export type Result<T, E> = Ok<T> | Err<E>;
export function err<E>(e: E): Err<E> {
return new Err(e);
}
export function ok<T>(t: T): Ok<T> {
return new Ok(t);
}

27
src/lib/types/result.ts
View File

@ -1,27 +0,0 @@
class Ok<T> {
readonly _tag = 'ok';
value: T;
constructor(value: T) {
this.value = value;
}
}
class Err<E> {
readonly _tag = 'err';
error: E;
constructor(error: E) {
this.error = error;
}
}
export type Result<T, E> = Ok<T> | Err<E>;
export function err<E>(e: E): Err<E> {
return new Err(e);
}
export function ok<T>(t: T): Ok<T> {
return new Ok(t);
}

8
src/lib/utils.ts
View File

@ -4,11 +4,3 @@ import { twMerge } from "tailwind-merge";
export function cn(...inputs: ClassValue[]) {
return twMerge(clsx(inputs));
}
export function envToBool(value: string | undefined, defaultValue = false): boolean {
if (typeof value === "undefined") {
return defaultValue;
}
return ['true', '1', 'yes'].includes(value.toLowerCase());
}

51
src/routes/api/connections/+server.ts
View File

@ -1,43 +1,44 @@
import { error } from '@sveltejs/kit';
import type { RequestHandler } from './$types';
import { opnsenseAuth, opnsenseUrl } from '$lib/server/opnsense';
import type { OpnsenseWgPeers } from '$lib/opnsense/wg';
import { findDevices } from '$lib/server/devices';
import type { ConnectionDetails } from '$lib/connections';
import type { Result } from '$lib/types';
import type { ClientConnection } from '$lib/server/types';
import wgProvider from '$lib/server/wg-provider';
import { opnsenseSanitezedUsername } from '$lib/opnsense';
export const GET: RequestHandler = async (event) => {
if (!event.locals.user) {
return error(401, 'Unauthorized');
}
console.debug('/api/connections');
const peersResult: Result<ClientConnection[], Error> = await wgProvider.findConnections(event.locals.user);
if (peersResult._tag === 'err') return error(500, peersResult.error.message);
const peers = await fetchOpnsensePeers(event.locals.user.username);
console.debug('/api/connections: fetched opnsense peers', peers.rowCount);
const devices = await findDevices(event.locals.user.id);
console.debug('/api/connections: fetched db devices');
if (!peers) {
return error(500, 'Error getting info from OPNsense API');
}
// TODO: this is all garbage performance
// filter devices with no recent handshakes
const peers = peersResult.value.filter((peer) => peer.latestHandshake);
peers.rows = peers.rows.filter((peer) => peer['latest-handshake']);
// start from devices, to treat db as the source of truth
const connections: ConnectionDetails[] = [];
for (const device of devices) {
const peerData = peers.find((peer) => peer.publicKey === device.publicKey);
const peerData = peers.rows.find((peer) => peer['public-key'] === device.publicKey);
if (!peerData) continue;
connections.push({
deviceId: device.id,
deviceName: device.name,
devicePublicKey: device.publicKey,
deviceIps: peerData.allowedIps.split(','),
endpoint: peerData.endpoint,
deviceIps: peerData['allowed-ips'].split(','),
endpoint: peerData['endpoint'],
// swap rx and tx, since the opnsense values are from the server perspective
transferRx: peerData.transferTx,
transferTx: peerData.transferRx,
latestHandshake: peerData.latestHandshake,
transferRx: peerData['transfer-tx'],
transferTx: peerData['transfer-rx'],
latestHandshake: peerData['latest-handshake'] * 1000,
});
}
@ -48,3 +49,25 @@ export const GET: RequestHandler = async (event) => {
},
});
};
async function fetchOpnsensePeers(username: string) {
const res = await fetch(`${opnsenseUrl}/api/wireguard/service/show`, {
method: 'POST',
headers: {
Authorization: opnsenseAuth,
Accept: 'application/json',
'Content-Type': 'application/json',
},
body: JSON.stringify({
current: 1,
// "rowCount": 7,
sort: {},
// TODO: use a more unique search phrase
// unfortunately 64 character limit,
// but it should be fine if users can't change their own username
searchPhrase: `vpgen-${opnsenseSanitezedUsername(username)}`,
type: ['peer'],
}),
});
return (await res.json()) as OpnsenseWgPeers;
}

18
src/routes/auth/+page.server.ts
View File

@ -1,14 +1,14 @@
import { fail, redirect } from '@sveltejs/kit';
import { invalidateSession, deleteSessionTokenCookie } from '$lib/server/auth';
import type { Actions } from './$types';
import { fail, redirect } from "@sveltejs/kit";
import { invalidateSession, deleteSessionTokenCookie } from "$lib/server/auth";
import type { Actions } from "./$types";
export const actions: Actions = {
logout: async ({ locals, cookies }) => {
if (locals.session === null) {
logout: async (event) => {
if (event.locals.session === null) {
return fail(401);
}
await invalidateSession(locals.session.id);
deleteSessionTokenCookie(cookies);
redirect(302, '/');
},
await invalidateSession(event.locals.session.id);
deleteSessionTokenCookie(event);
return redirect(302, "/");
}
};

36
src/routes/auth/[provider]/+server.ts
View File

@ -1,36 +0,0 @@
import { generateCodeVerifier, generateState } from 'arctic';
import { oauthProviders } from '$lib/server/oauth';
import { is } from 'typia';
import { type AuthProvider, enabledAuthProviders } from '$lib/auth';
export async function GET({ params: { provider }, url, cookies }) {
if (!is<AuthProvider>(provider) || !enabledAuthProviders[provider]) {
return new Response(null, { status: 404 });
}
const oauthProvider = oauthProviders[provider];
const inviteToken = url.searchParams.get('invite') ?? '';
const state = generateState();
const codeVerifier = generateCodeVerifier();
const authUrl = oauthProvider.createAuthorizationURL(state + inviteToken, codeVerifier);
cookies.set(`${provider}_oauth_state`, state, {
path: '/',
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
});
cookies.set(`${provider}_code_verifier`, codeVerifier, {
path: '/',
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: 'lax',
});
return new Response(null, {
status: 302,
headers: {
Location: authUrl.toString(),
},
});
}

76
src/routes/auth/[provider]/callback/+page.server.ts
View File

@ -1,76 +0,0 @@
import { is } from 'typia';
import type { PageServerLoad } from './$types';
import { error, redirect } from '@sveltejs/kit';
import { type AuthProvider, enabledAuthProviders } from '$lib/auth';
import { oauthProviders } from '$lib/server/oauth';
import { ArcticFetchError, OAuth2RequestError } from 'arctic';
import { db } from '$lib/server/db';
import * as table from '$lib/server/db/schema';
import { eq } from 'drizzle-orm';
import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';
export const load: PageServerLoad = async ({ params: { provider }, url, cookies }) => {
if (!is<AuthProvider>(provider) || !enabledAuthProviders[provider]) {
error(404);
}
const oauthProvider = oauthProviders[provider];
const code = url.searchParams.get('code');
const state = url.searchParams.get('state');
const storedState = cookies.get(`${provider}_oauth_state`) ?? null;
const codeVerifier = cookies.get(`${provider}_code_verifier`) ?? null;
if (code === null || state === null || storedState === null || codeVerifier === null) {
error(400, 'Missing url parameters');
}
const stateGeneratedToken = state.slice(0, storedState.length);
const stateInviteToken = state.slice(storedState.length);
if (stateGeneratedToken !== storedState) {
error(400, 'Invalid state in url');
}
let claims;
try {
claims = await oauthProvider.validateAuthorizationCode(code, codeVerifier);
} catch (e) {
if (e instanceof OAuth2RequestError) {
console.debug('Arctic: OAuth: invalid authorization code, credentials, or redirect URI', e);
error(400, 'Invalid authorization code');
}
if (e instanceof ArcticFetchError) {
console.debug('Arctic: failed to call `fetch()`', e);
error(400, 'Failed to validate authorization code');
}
console.error('Unexpected error validating authorization code', code, e);
error(500);
}
const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, claims.sub) });
if (existingUser) {
const session = await createSession(existingUser.id);
setSessionTokenCookie(cookies, session.id, session.expiresAt);
redirect(302, '/');
}
if (oauthProvider.requireInvite && !isValidInviteToken(stateInviteToken)) {
const message =
stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link';
error(403, 'Not Authorized: ' + message);
}
const user: table.User = {
id: claims.sub,
authSource: provider,
username: claims.username,
name: claims.name,
};
await db.insert(table.users).values(user);
console.log('created user', user, 'using provider', provider, 'with invite token', stateInviteToken);
const session = await createSession(user.id);
setSessionTokenCookie(cookies, session.id, session.expiresAt);
redirect(302, '/');
};

30
src/routes/auth/authentik/+server.ts Normal file
View File

@ -0,0 +1,30 @@
import { generateState, generateCodeVerifier } from "arctic";
import { authentik } from "$lib/server/oauth";
import type { RequestEvent } from "@sveltejs/kit";
export async function GET(event: RequestEvent): Promise<Response> {
const state = generateState();
const codeVerifier = generateCodeVerifier();
const url = authentik.createAuthorizationURL(state, codeVerifier, ["openid", "profile"]);
event.cookies.set("authentik_oauth_state", state, {
path: "/",
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: "lax"
});
event.cookies.set("authentik_code_verifier", codeVerifier, {
path: "/",
httpOnly: true,
maxAge: 60 * 10, // 10 minutes
sameSite: "lax"
});
return new Response(null, {
status: 302,
headers: {
Location: url.toString()
}
});
}

78
src/routes/auth/authentik/callback/+server.ts Normal file
View File

@ -0,0 +1,78 @@
import { createSession, setSessionTokenCookie } from "$lib/server/auth";
import { authentik } from "$lib/server/oauth";
import { decodeIdToken } from "arctic";
import type { RequestEvent } from "@sveltejs/kit";
import type { OAuth2Tokens } from "arctic";
import { db } from '$lib/server/db';
import { eq } from 'drizzle-orm';
import * as table from '$lib/server/db/schema';
export async function GET(event: RequestEvent): Promise<Response> {
const code = event.url.searchParams.get("code");
const state = event.url.searchParams.get("state");
const storedState = event.cookies.get("authentik_oauth_state") ?? null;
const codeVerifier = event.cookies.get("authentik_code_verifier") ?? null;
if (code === null || state === null || storedState === null || codeVerifier === null) {
return new Response(null, {
status: 400
});
}
if (state !== storedState) {
return new Response(null, {
status: 400
});
}
let tokens: OAuth2Tokens;
try {
tokens = await authentik.validateAuthorizationCode(code, codeVerifier);
} catch (e) {
// Invalid code or client credentials
return new Response(null, {
status: 400
});
}
const claims = decodeIdToken(tokens.idToken()) as { sub: string, preferred_username: string, name: string };
console.info("claims", claims);
const userId: string = claims.sub;
const username: string = claims.preferred_username;
const existingUser = await db.query.users.findFirst({where: eq(table.users.id, userId)});
if (existingUser) {
const session = await createSession(existingUser.id);
setSessionTokenCookie(event, session.id, session.expiresAt);
return new Response(null, {
status: 302,
headers: {
Location: "/"
}
});
}
const user: table.User = {
id: userId,
username,
name: claims.name as string,
};
try {
await db.insert(table.users).values(user);
const session = await createSession(user.id);
setSessionTokenCookie(event, session.id, session.expiresAt);
} catch (e) {
console.error('failed to create user', e);
return new Response(null, {
status: 500
});
}
return new Response(null, {
status: 302,
headers: {
Location: "/"
}
});
}

5
src/routes/devices/+page.server.ts
View File

@ -1,14 +1,13 @@
import type { Actions } from './$types';
import { createDevice } from '$lib/server/devices';
import { error, fail, redirect } from '@sveltejs/kit';
import wgProvider from '$lib/server/wg-provider';
import { error, redirect } from '@sveltejs/kit';
export const actions = {
create: async (event) => {
if (!event.locals.user) return error(401, 'Unauthorized');
const formData = await event.request.formData();
const name = formData.get('name');
if (typeof name !== 'string' || name.trim() === '') return fail(400, { name, invalid: true });
if (typeof name !== 'string' || name.trim() === '') return error(400, 'Invalid name');
const res = await createDevice({
name: name.trim(),
user: event.locals.user,

16
src/routes/devices/+page.svelte
View File

@ -4,11 +4,10 @@
import { Badge } from '$lib/components/ui/badge';
import { Button, buttonVariants } from '$lib/components/ui/button';
import { Input } from '$lib/components/ui/input';
import { LucideLoaderCircle, LucidePlus } from '@lucide/svelte';
import { LucideLoaderCircle, LucidePlus } from 'lucide-svelte';
import type { PageData } from './$types';
import { Label } from '$lib/components/ui/label';
import { page } from '$app/state';
import DeleteDevice from './delete-device.svelte';
const { data }: { data: PageData } = $props();
@ -57,9 +56,6 @@
<Badge class="select-auto bg-background" variant="secondary">{ip}</Badge>
{/each}
</Table.Cell>
<Table.Cell class="py-0">
<DeleteDevice device={device} />
</Table.Cell>
</Table.Row>
{/each}
</Table.Body>
@ -90,11 +86,11 @@
class="max-w-[20ch]"
/>
</div>
<Dialog.Footer class="gap-y-2">
{#if submitted}
<LucideLoaderCircle class="size-4 animate-spin place-self-center" />
{/if}
<Button type="submit" disabled={submitted} class="">
<Dialog.Footer>
<Button type="submit" disabled={submitted}>
{#if submitted}
<LucideLoaderCircle class="size-4 mr-2 animate-spin" />
{/if}
Add
</Button>
</Dialog.Footer>

23
src/routes/devices/[id]/+page.server.ts
View File

@ -1,23 +0,0 @@
import { error, redirect } from '@sveltejs/kit';
import { deleteDevice } from '$lib/server/devices/delete';
import type { Actions } from './$types';
export const actions = {
delete: async (event) => {
if (!event.locals.user) return error(401, 'Unauthorized');
const deviceId = Number.parseInt(event.params.id);
if (Number.isNaN(deviceId)) return error(400, 'Invalid device id');
const res = await deleteDevice(event.locals.user.id, deviceId);
switch (res._tag) {
case 'ok': {
return redirect(303, '/devices');
}
case 'err': {
const [status, message] = res.error;
return error(status, message);
}
}
},
} satisfies Actions;

6
src/routes/devices/[id]/+page.svelte
View File

@ -3,7 +3,6 @@
import QRCode from 'qrcode-svg';
import { CodeSnippet } from '$lib/components/app/code-snippet';
import { WireguardGuide } from '$lib/components/app/wireguard-guide';
import DeleteDevice from '../delete-device.svelte';
const { data }: { data: PageData } = $props();
@ -26,10 +25,7 @@
<title>{data.device.name}</title>
</svelte:head>
<div class="flex justify-between">
<h1 class="w-fit rounded-lg bg-accent p-2 text-lg">{data.device.name}</h1>
<DeleteDevice device={data.device} />
</div>
<h1 class="w-fit rounded-lg bg-accent p-2 text-lg">{data.device.name}</h1>
<section id="device-configuration" class="flex flex-wrap items-center justify-center gap-4">
<CodeSnippet data={data.config} filename={deviceWgCleanedName} copy download />

39
src/routes/devices/delete-device.svelte
View File

@ -1,39 +0,0 @@
<script>
import { Button, buttonVariants } from '$lib/components/ui/button';
import * as Dialog from '$lib/components/ui/dialog';
import { LucideLoaderCircle, LucideTrash } from '@lucide/svelte';
const { device } = $props();
let submitted = $state(false);
</script>
<Dialog.Root>
<Dialog.Trigger class={buttonVariants({ variant: 'destructive', size: 'sm', class: 'bg-accent hover:bg-destructive' })}>
<LucideTrash />
</Dialog.Trigger>
<Dialog.Content>
<form class="contents" method="post" action="/devices/{device.id}?/delete"
onsubmit={() => submitted = true}
>
<Dialog.Header>
Are you sure you want to permanently delete "{device.name}"?
</Dialog.Header>
You will no longer be able to connect from this device.
<Dialog.Footer class="gap-y-2">
{#if submitted}
<LucideLoaderCircle class="size-4 animate-spin place-self-center" />
{/if}
<Button type="submit" variant="destructive" disabled={submitted}>
Delete
</Button>
<Dialog.Close>
{#snippet child({ props })}
<Button {...props} disabled={submitted}>
Cancel
</Button>
{/snippet}
</Dialog.Close>
</Dialog.Footer>
</form>
</Dialog.Content>
</Dialog.Root>

8
src/routes/invite/[id]/+layout.server.ts
View File

@ -1,8 +0,0 @@
import type { LayoutServerLoad } from './$types';
import { redirect } from '@sveltejs/kit';
import { isValidInviteToken } from '$lib/server/auth';
export const load: LayoutServerLoad = ({ params, locals }) => {
if (!isValidInviteToken(params.id)) redirect(302, '/');
if (locals.user !== null) redirect(302, '/');
};

16
src/routes/invite/[id]/+page.svelte
View File

@ -1,16 +0,0 @@
<script lang="ts">
import { AuthForm } from '$lib/components/app/auth-form';
import { page } from '$app/state';
let inviteToken = page.params.id;
</script>
<svelte:head>
<title>You are Invited to VPGen</title>
</svelte:head>
<h1 class="mb-2 scroll-m-20 text-center text-3xl font-extrabold tracking-tight lg:text-4xl">
You are invited to VPGen
</h1>
<AuthForm {inviteToken} />

2
src/routes/user/+page.svelte
View File

@ -1,7 +1,7 @@
<script lang="ts">
import { invalidate, invalidateAll } from '$app/navigation';
import { Button } from '$lib/components/ui/button';
import { LucideLoaderCircle, LucideLogOut, LucideRefreshCw } from '@lucide/svelte';
import { LucideLoaderCircle, LucideLogOut, LucideRefreshCw } from 'lucide-svelte';
import { CodeSnippet } from '$lib/components/app/code-snippet/index.js';
let { data } = $props();

10
tsconfig.json
View File

@ -9,17 +9,11 @@
"skipLibCheck": true,
"sourceMap": true,
"strict": true,
"moduleResolution": "bundler",
"plugins": [
{
"transform": "typia/lib/transform"
}
],
"strictNullChecks": true
"moduleResolution": "bundler"
}
// Path aliases are handled by https://svelte.dev/docs/kit/configuration#alias
// except $lib which is handled by https://svelte.dev/docs/kit/configuration#files
//
// If you want to overwrite includes/excludes, make sure to copy over the relevant includes/excludes
// from the referenced tsconfig.json - TypeScript does not merge them in
}
}

3
vite.config.ts
View File

@ -1,7 +1,6 @@
import { sveltekit } from '@sveltejs/kit/vite';
import { defineConfig } from 'vite';
import UnpluginTypia from '@ryoppippi/unplugin-typia/vite';
export default defineConfig({
plugins: [sveltekit(), UnpluginTypia()],
plugins: [sveltekit()]
});