WIP: attempt to refactor api routes into server load functions

.woodpecker/build-image.yml

@@ -1,32 +0,0 @@
-when:
-  - event: [push]
-steps:
-  - name: echos
-    image: alpine
-    commands:
-      - echo $CI_REPO
-      - echo $CI_REPO_REMOTE_ID
-      - echo $CI_REPO_URL
-      - echo $CI_REPO_CLONE_URL
-      - echo $${CI_COMMIT_BRANCH/\\//-}
-      - echo $USERNAME:$PASSWORD
-    environment:
-      USERNAME:
-        from_secret: registry-username
-      PASSWORD:
-        from_secret: registry-password
-  - name: build
-    image: woodpeckerci/plugin-kaniko
-    settings:
-      registry: gitea.cazzzer.com
-      username:
-        from_secret: registry-username
-      password:
-        from_secret: registry-password
-      repo: gitea.cazzzer.com/${CI_REPO}
-      # replace '/' with '_' in branch name
-      # remove 'feature/' prefix in branch name
-      # tags: ${CI_COMMIT_BRANCH##feature/}
-      # auto_tag: true
-      tags: ci
-#      cache: true

README.md

@@ -33,8 +33,4 @@ bun run dev
 - [ ] Proper invite page
 - [ ] Proper error page for login without invite
 - [ ] Support file provider (for wg-quick)
-- [ ] Fix accessibility issues (lighthouse)
-- [ ] Add title to profile page (lighthouse)
 - [ ] wg-quick scripts (maybe?)
-- [ ] Get rid of api routes (maybe?)
-- [ ] Get rid of custom result types (maybe?)

src/lib/server/auth.ts

@@ -3,7 +3,7 @@ import { sha256 } from '@oslojs/crypto/sha2';
 import { encodeBase32LowerCaseNoPadding, encodeHexLowerCase } from '@oslojs/encoding';
 import { db } from '$lib/server/db';
 import * as table from '$lib/server/db/schema';
-import type { Cookies } from '@sveltejs/kit';
+import type { RequestEvent } from '@sveltejs/kit';
 import { dev } from '$app/environment';
 import { env } from '$env/dynamic/private';
 
@@ -22,14 +22,14 @@ export async function createSession(userId: string): Promise<table.Session> {
 	const session: table.Session = {
 		id: sessionId,
 		userId,
-		expiresAt: new Date(Date.now() + DAY_IN_MS * 30),
+		expiresAt: new Date(Date.now() + DAY_IN_MS * 30)
 	};
 	await db.insert(table.sessions).values(session);
 	return session;
 }
 
-export function setSessionTokenCookie(cookies: Cookies, sessionId: string, expiresAt: Date) {
+export function setSessionTokenCookie(event: RequestEvent, sessionId: string, expiresAt: Date) {
-	cookies.set(sessionCookieName, sessionId, {
+	event.cookies.set(sessionCookieName, sessionId, {
 		path: '/',
 		sameSite: 'lax',
 		httpOnly: true,
@@ -42,21 +42,16 @@ export async function invalidateSession(sessionId: string): Promise<void> {
 	await db.delete(table.sessions).where(eq(table.sessions.id, sessionId));
 }
 
-export function deleteSessionTokenCookie(cookies: Cookies) {
+export function deleteSessionTokenCookie(event: RequestEvent) {
-	cookies.delete(sessionCookieName, { path: '/' });
+	event.cookies.delete(sessionCookieName, { path: '/' });
 }
 
 export async function validateSession(sessionId: string) {
 	const [result] = await db
 		.select({
 			// Adjust user table here to tweak returned data
-			user: {
+			user: { id: table.users.id, authSource: table.users.authSource, username: table.users.username, name: table.users.name },
-				id: table.users.id,
+			session: table.sessions
-				authSource: table.users.authSource,
-				username: table.users.username,
-				name: table.users.name,
-			},
-			session: table.sessions,
 		})
 		.from(table.sessions)
 		.innerJoin(table.users, eq(table.sessions.userId, table.users.id))

src/routes/auth/+page.server.ts

@@ -1,14 +1,14 @@
-import { fail, redirect } from '@sveltejs/kit';
+import { fail, redirect } from "@sveltejs/kit";
-import { invalidateSession, deleteSessionTokenCookie } from '$lib/server/auth';
+import { invalidateSession, deleteSessionTokenCookie } from "$lib/server/auth";
-import type { Actions } from './$types';
+import type { Actions } from "./$types";
 
 export const actions: Actions = {
-	logout: async ({ locals, cookies }) => {
+	logout: async (event) => {
-		if (locals.session === null) {
+		if (event.locals.session === null) {
 			return fail(401);
 		}
-		await invalidateSession(locals.session.id);
+		await invalidateSession(event.locals.session.id);
-		deleteSessionTokenCookie(cookies);
+		deleteSessionTokenCookie(event);
-		redirect(302, '/');
+		return redirect(302, "/");
-	},
+	}
 };

src/routes/auth/authentik/callback/+server.ts

@@ -48,7 +48,7 @@ export async function GET(event: RequestEvent): Promise<Response> {
 
 	if (existingUser) {
 		const session = await createSession(existingUser.id);
-		setSessionTokenCookie(event.cookies, session.id, session.expiresAt);
+		setSessionTokenCookie(event, session.id, session.expiresAt);
 		return new Response(null, {
 			status: 302,
 			headers: {
@@ -67,7 +67,7 @@ export async function GET(event: RequestEvent): Promise<Response> {
 	try {
 		await db.insert(table.users).values(user);
 		const session = await createSession(user.id);
-		setSessionTokenCookie(event.cookies, session.id, session.expiresAt);
+		setSessionTokenCookie(event, session.id, session.expiresAt);
 	} catch (e) {
 		console.error('failed to create user', e);
 		return new Response(null, {

src/routes/auth/google/callback/+page.server.ts

@@ -1,17 +1,15 @@
-import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';
+import { error } from '@sveltejs/kit';
-import { db } from '$lib/server/db';
-import * as table from '$lib/server/db/schema';
-import { google } from '$lib/server/oauth';
-import { error, redirect } from '@sveltejs/kit';
-import type { OAuth2Tokens } from 'arctic';
 import * as arctic from 'arctic';
+import { google } from '$lib/server/oauth';
+import { db } from '$lib/server/db';
 import { eq } from 'drizzle-orm';
+import * as table from '$lib/server/db/schema';
+import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';
+import type { OAuth2Tokens } from 'arctic';
 import { assertGuard } from 'typia';
 import type { PageServerLoad } from './$types';
 
-export const load: PageServerLoad = async (event) => {
+export const load: PageServerLoad = async ({ url, cookies }) => {
-	const { url, cookies } = event;
-
 	const code = url.searchParams.get('code');
 	const state = url.searchParams.get('state');
 	const storedState = cookies.get('google_oauth_state') ?? null;
@@ -19,12 +17,15 @@ export const load: PageServerLoad = async (event) => {
 
 	if (code === null || state === null || storedState === null || codeVerifier === null) {
 		error(400, 'Missing url parameters');
+		return;
 	}
 
 	const stateGeneratedToken = state.slice(0, storedState.length);
 	const stateInviteToken = state.slice(storedState.length);
 	if (stateGeneratedToken !== storedState) {
-		error(400, 'Invalid state in url');
+		return new Response(null, {
+			status: 400,
+		});
 	}
 
 	let tokens: OAuth2Tokens;
@@ -33,14 +34,20 @@ export const load: PageServerLoad = async (event) => {
 	} catch (e) {
 		if (e instanceof arctic.OAuth2RequestError) {
 			console.debug('Arctic: OAuth: invalid authorization code, credentials, or redirect URI', e);
-			throw error(400, 'Invalid authorization code');
+			return new Response(null, {
+				status: 400,
+			});
 		}
 		if (e instanceof arctic.ArcticFetchError) {
 			console.debug('Arctic: failed to call `fetch()`', e);
-			error(400, 'Failed to validate authorization code');
+			return new Response(null, {
+				status: 400,
+			});
 		}
-		console.error('Unxepcted error validating authorization code', code, e);
+
-		error(500);
+		return new Response(null, {
+			status: 500,
+		});
 	}
 
 	const idToken = tokens.idToken();
@@ -59,14 +66,22 @@ export const load: PageServerLoad = async (event) => {
 
 	if (existingUser) {
 		const session = await createSession(existingUser.id);
-		setSessionTokenCookie(cookies, session.id, session.expiresAt);
+		setSessionTokenCookie(event, session.id, session.expiresAt);
-		redirect(302, '/');
+		return new Response(null, {
+			status: 302,
+			headers: {
+				Location: '/',
+			},
+		});
 	}
 
 	if (!isValidInviteToken(stateInviteToken)) {
 		const message =
 			stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link';
-		error(403, 'Not Authorized: ' + message);
+
+		return new Response('Not Authorized: ' + message, {
+			status: 403,
+		});
 	}
 
 	const user: table.User = {
@@ -82,7 +97,12 @@ export const load: PageServerLoad = async (event) => {
 
 	const session = await createSession(user.id);
 
-	setSessionTokenCookie(cookies, session.id, session.expiresAt);
+	setSessionTokenCookie(event, session.id, session.expiresAt);
 
-	redirect(302, '/');
+	return new Response(null, {
+		status: 302,
+		headers: {
+			Location: '/',
+		},
+	});
 };

src/routes/auth/google/callback/+server.ts

@@ -0,0 +1,109 @@
+import type { RequestHandler } from './$types';
+import * as arctic from 'arctic';
+import { google } from '$lib/server/oauth';
+import { db } from '$lib/server/db';
+import { eq } from 'drizzle-orm';
+import * as table from '$lib/server/db/schema';
+import { createSession, isValidInviteToken, setSessionTokenCookie } from '$lib/server/auth';
+import type { OAuth2Tokens } from 'arctic';
+import { assertGuard } from 'typia';
+
+export const GET: RequestHandler = async (event) => {
+	const { url, cookies } = event;
+	const code = url.searchParams.get('code');
+	const state = url.searchParams.get('state');
+	const storedState = cookies.get('google_oauth_state') ?? null;
+	const codeVerifier = cookies.get('google_code_verifier') ?? null;
+
+	if (code === null || state === null || storedState === null || codeVerifier === null) {
+		return new Response(null, {
+			status: 400,
+		});
+	}
+
+	const stateGeneratedToken = state.slice(0, storedState.length);
+	const stateInviteToken = state.slice(storedState.length);
+	if (stateGeneratedToken !== storedState) {
+		return new Response(null, {
+			status: 400,
+		});
+	}
+
+	let tokens: OAuth2Tokens;
+	try {
+		tokens = await google.validateAuthorizationCode(code, codeVerifier);
+	} catch (e) {
+		if (e instanceof arctic.OAuth2RequestError) {
+			console.debug('Arctic: OAuth: invalid authorization code, credentials, or redirect URI', e);
+			return new Response(null, {
+				status: 400,
+			});
+		}
+		if (e instanceof arctic.ArcticFetchError) {
+			console.debug('Arctic: failed to call `fetch()`', e);
+			return new Response(null, {
+				status: 400,
+			});
+		}
+
+		return new Response(null, {
+			status: 500,
+		});
+	}
+
+	const idToken = tokens.idToken();
+	const claims = arctic.decodeIdToken(idToken);
+
+	console.log('claims', claims);
+
+	assertGuard<{
+		sub: string;
+		email: string;
+		name: string;
+	}>(claims);
+
+	const userId = claims.sub;
+	const existingUser = await db.query.users.findFirst({ where: eq(table.users.id, userId) });
+
+	if (existingUser) {
+		const session = await createSession(existingUser.id);
+		setSessionTokenCookie(event, session.id, session.expiresAt);
+		return new Response(null, {
+			status: 302,
+			headers: {
+				Location: '/',
+			},
+		});
+	}
+
+	if (!isValidInviteToken(stateInviteToken)) {
+		const message =
+			stateInviteToken.length === 0 ? 'sign up with an invite link first' : 'invalid invite link';
+
+		return new Response('Not Authorized: ' + message, {
+			status: 403,
+		});
+	}
+
+	const user: table.User = {
+		id: userId,
+		authSource: 'google',
+		username: claims.email,
+		name: claims.name,
+	};
+
+	// TODO: proper error handling, delete cookies
+	await db.insert(table.users).values(user);
+	console.log('created user', user, 'with invite token', stateInviteToken);
+
+	const session = await createSession(user.id);
+
+	setSessionTokenCookie(event, session.id, session.expiresAt);
+
+	return new Response(null, {
+		status: 302,
+		headers: {
+			Location: '/',
+		},
+	});
+};

src/routes/connections/+page.server.ts

@@ -0,0 +1,47 @@
+import type { PageServerLoad } from './$types';
+import type { ConnectionDetails } from '$lib/connections';
+import { findDevices } from '$lib/server/devices';
+import wgProvider from '$lib/server/wg-provider';
+import { error } from '@sveltejs/kit';
+
+export const load: PageServerLoad = async ({ locals, setHeaders, depends }) => {
+	if (!locals.user) {
+		error(401, 'Unauthorized');
+	}
+	console.debug('/connections');
+
+	const peersResult = await wgProvider.findConnections(locals.user);
+	if (peersResult._tag === 'err') return error(500, peersResult.error.message);
+
+	const devices = await findDevices(locals.user.id);
+	console.debug('/connections: fetched db devices');
+
+	// TODO: this is all garbage performance
+	// filter devices with no recent handshakes
+	const peers = peersResult.value.filter((peer) => peer.latestHandshake);
+
+	// start from devices, to treat db as the source of truth
+	const connections: ConnectionDetails[] = [];
+	for (const device of devices) {
+		const peerData = peers.find((peer) => peer.publicKey === device.publicKey);
+		if (!peerData) continue;
+		connections.push({
+			deviceId: device.id,
+			deviceName: device.name,
+			devicePublicKey: device.publicKey,
+			deviceIps: peerData.allowedIps.split(','),
+			endpoint: peerData.endpoint,
+			// swap rx and tx, since the opnsense values are from the server perspective
+			transferRx: peerData.transferTx,
+			transferTx: peerData.transferRx,
+			latestHandshake: peerData.latestHandshake,
+		});
+	}
+
+	setHeaders({
+		'Cache-Control': 'max-age=5',
+	});
+
+	depends('connections');
+	return { connections };
+};

src/routes/connections/+page.svelte

@@ -1,6 +1,6 @@
 <script lang="ts">
 	import type { PageData } from './$types';
-	import { invalidate } from '$app/navigation';
+	import { invalidate, invalidateAll } from '$app/navigation';
 	import * as Table from '$lib/components/ui/table';
 	import { Badge } from '$lib/components/ui/badge';
 
@@ -10,7 +10,7 @@
 		// refresh every 5 seconds
 		const interval = setInterval(() => {
 			console.log('Refreshing connections');
-			invalidate('/api/connections');
+			invalidate('/connections');
 		}, 5000);
 
 		return () => clearInterval(interval);

src/routes/connections/+page.ts

@@ -1,9 +0,0 @@
-import type { PageLoad } from './$types';
-import type { ConnectionDetails } from '$lib/connections';
-
-export const load: PageLoad = async ({ fetch }) => {
-	const res = await fetch('/api/connections');
-	const connections = await res.json() as ConnectionDetails[];
-
-	return { connections };
-};

src/routes/devices/+page.server.ts

@@ -1,7 +1,15 @@
-import type { Actions } from './$types';
+import type { Actions, PageServerLoad } from './$types';
-import { createDevice } from '$lib/server/devices';
+import { createDevice, findDevices, mapDeviceToDetails } from '$lib/server/devices';
 import { error, fail, redirect } from '@sveltejs/kit';
-import wgProvider from '$lib/server/wg-provider';
+
+export const load: PageServerLoad = async (event) => {
+	if (!event.locals.user) {
+		error(401, 'Unauthorized');
+	}
+
+	const devices = await findDevices(event.locals.user.id);
+	return { devices };
+};
 
 export const actions = {
 	create: async (event) => {

src/routes/devices/+page.ts

@@ -1,9 +0,0 @@
-import type { PageLoad } from './$types';
-import type { DeviceDetails } from '$lib/devices';
-
-export const load: PageLoad = async ({ fetch }) => {
-	const res = await fetch('/api/devices');
-	const { devices } = await res.json() as { devices: DeviceDetails[] };
-
-	return { devices };
-};