Depot API & v4 (#298)

* feat: nginx + torrential basics & services system

* fix: lint + i18n

* fix: update torrential to remove openssl

* feat: add torrential to Docker build

* feat: move to self hosted runner

* fix: move off self-hosted runner

* fix: update nginx.conf

* feat: torrential cache invalidation

* fix: update torrential for cache invalidation

* feat: integrity check task

* fix: lint

* feat: move to version ids

* fix: client fixes and client-side checks

* feat: new depot apis and version id fixes

* feat: update torrential

* feat: droplet bump and remove unsafe update functions

* fix: lint

* feat: v4 featureset: emulators, multi-launch commands

* fix: lint

* fix: mobile ui for game editor

* feat: launch options

* fix: lint

* fix: remove axios, use $fetch

* feat: metadata and task api improvements

* feat: task actions

* fix: slight styling issue

* feat: fix style and lints

* feat: totp backend routes

* feat: oidc groups

* fix: update drop-base

* feat: creation of passkeys & totp

* feat: totp signin

* feat: webauthn mfa/signin

* feat: launch selecting ui

* fix: manually running tasks

* feat: update add company game modal to use new SelectorGame

* feat: executor selector

* fix(docker): update rust to rust nightly for torrential build (#305)

* feat: new version ui

* feat: move package lookup to build time to allow for deno dev

* fix: lint

* feat: localisation cleanup

* feat: apply localisation cleanup

* feat: potential i18n refactor logic

* feat: remove args from commands

* fix: lint

* fix: lockfile

---------

Co-authored-by: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>

server/api/v1/admin/company/[id]/banner.post.ts

@@ -32,20 +32,20 @@ export default defineEventHandler(async (h3) => {
       statusMessage: "Upload at least one file.",
     });
 
-  try {
-    await objectHandler.deleteAsSystem(company.mBannerObjectId);
-    await prisma.company.update({
-      where: {
-        id: companyId,
-      },
-      data: {
-        mBannerObjectId: id,
-      },
-    });
-    await pull();
-  } catch {
+  await objectHandler.deleteAsSystem(company.mBannerObjectId);
+  const { count } = await prisma.company.updateMany({
+    where: {
+      id: companyId,
+    },
+    data: {
+      mBannerObjectId: id,
+    },
+  });
+  if (count == 0) {
     await dump();
+    throw createError({ statusCode: 404, message: "Company not found" });
   }
+  await pull();
 
   return { id: id };
 });

server/api/v1/admin/company/[id]/game.delete.ts

@@ -15,6 +15,15 @@ export default defineEventHandler(async (h3) => {
 
   const body = await readDropValidatedBody(h3, GameDelete);
 
+  const gameId = await prisma.game.findUnique({
+    where: { id: body.id },
+    select: { id: true },
+  });
+  if (!gameId)
+    throw createError({ statusCode: 404, message: "Game not found" });
+
+  // SAFETY: above check
+  // eslint-disable-next-line drop/no-prisma-delete
   await prisma.game.update({
     where: {
       id: body.id,

server/api/v1/admin/company/[id]/game.patch.ts

@@ -20,6 +20,11 @@ export default defineEventHandler(async (h3) => {
   const action = body.action === "developed" ? "developers" : "publishers";
   const actionType = body.enabled ? "connect" : "disconnect";
 
+  const game = await prisma.game.findUnique({ where: { id: body.id } });
+  if (!game) throw createError({ statusCode: 404, message: "Game not found" });
+
+  // Safe because we query the game above
+  // eslint-disable-next-line drop/no-prisma-delete
   await prisma.game.update({
     where: {
       id: body.id,

server/api/v1/admin/company/[id]/game.post.ts

@@ -43,6 +43,15 @@ export default defineEventHandler(async (h3) => {
       }
     : undefined;
 
+  const gameId = await prisma.game.findUnique({
+    where: { id: body.id },
+    select: { id: true },
+  });
+  if (!gameId)
+    throw createError({ statusCode: 404, message: "Game not found" });
+
+  // SAFETY: Above check makes this update okay
+  // eslint-disable-next-line drop/no-prisma-delete
   const game = await prisma.game.update({
     where: {
       id: body.id,

server/api/v1/admin/company/[id]/icon.post.ts

@@ -32,20 +32,21 @@ export default defineEventHandler(async (h3) => {
       statusMessage: "Upload at least one file.",
     });
 
-  try {
-    await objectHandler.deleteAsSystem(company.mLogoObjectId);
-    await prisma.company.update({
-      where: {
-        id: companyId,
-      },
-      data: {
-        mLogoObjectId: id,
-      },
-    });
-    await pull();
-  } catch {
+  await objectHandler.deleteAsSystem(company.mLogoObjectId);
+  const { count } = await prisma.company.updateMany({
+    where: {
+      id: companyId,
+    },
+    data: {
+      mLogoObjectId: id,
+    },
+  });
+  if (count == 0) {
     await dump();
+    throw createError({ statusCode: 404, message: "Company not found" });
   }
 
+  await pull();
+
   return { id: id };
 });

server/api/v1/admin/company/[id]/index.patch.ts

@@ -11,13 +11,17 @@ export default defineEventHandler(async (h3) => {
   const restOfTheBody = { ...body };
   delete restOfTheBody["id"];
 
-  const newObj = await prisma.company.update({
-    where: {
-      id: id,
-    },
-    data: restOfTheBody,
-    // I would put a select here, but it would be based on the body, and muck up the types
-  });
+  const newObj = (
+    await prisma.company.updateManyAndReturn({
+      where: {
+        id: id,
+      },
+      data: restOfTheBody,
+      // I would put a select here, but it would be based on the body, and muck up the types
+    })
+  ).at(0);
+  if (!newObj)
+    throw createError({ statusCode: 404, message: "Company not found" });
 
   return newObj;
 });

server/api/v1/admin/depot/index.post.ts

@@ -0,0 +1,21 @@
+import { type } from "arktype";
+import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+
+const CreateDepot = type({
+  endpoint: "string",
+}).configure(throwingArktype);
+
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, ["depot:new"]);
+  if (!allowed) throw createError({ statusCode: 403 });
+
+  const body = await readDropValidatedBody(h3, CreateDepot);
+
+  const depot = await prisma.depot.create({
+    data: { endpoint: body.endpoint },
+  });
+
+  return depot;
+});

server/api/v1/admin/depot/manifest.get.ts

@@ -0,0 +1,59 @@
+import { ArkErrors, type } from "arktype";
+import prisma from "~/server/internal/db/database";
+import type { H3Event } from "h3";
+import { castManifest } from "~/server/internal/library/manifest";
+
+const AUTHORIZATION_HEADER_PREFIX = "Bearer ";
+
+const Query = type({
+  game: "string",
+  version: "string",
+});
+
+export async function depotAuthorization(h3: H3Event) {
+  const authorization = getHeader(h3, "Authorization");
+  if (!authorization) throw createError({ statusCode: 403 });
+
+  if (!authorization.startsWith(AUTHORIZATION_HEADER_PREFIX))
+    throw createError({ statusCode: 403 });
+  const key = authorization.slice(AUTHORIZATION_HEADER_PREFIX.length);
+
+  const depot = await prisma.depot.findFirst({ where: { key } });
+  if (!depot) throw createError({ statusCode: 403 });
+}
+
+export default defineEventHandler(async (h3) => {
+  await depotAuthorization(h3);
+
+  const query = Query(getQuery(h3));
+  if (query instanceof ArkErrors)
+    throw createError({ statusCode: 400, message: query.summary });
+
+  const version = await prisma.gameVersion.findUnique({
+    where: {
+      gameId_versionId: {
+        gameId: query.game,
+        versionId: query.version,
+      },
+    },
+    select: {
+      dropletManifest: true,
+      versionPath: true,
+      game: {
+        select: {
+          library: true,
+          libraryPath: true,
+        },
+      },
+    },
+  });
+  if (!version)
+    throw createError({ statusCode: 404, message: "Game version not found" });
+
+  return {
+    manifest: castManifest(version.dropletManifest),
+    library: version.game.library,
+    libraryPath: version.game.libraryPath,
+    versionPath: version.versionPath,
+  };
+});

server/api/v1/admin/depot/versions.get.ts

@@ -0,0 +1,19 @@
+import prisma from "~/server/internal/db/database";
+import { depotAuthorization } from "./manifest.get";
+
+export default defineEventHandler(async (h3) => {
+  await depotAuthorization(h3);
+
+  const games = await prisma.game.findMany({
+    select: {
+      id: true,
+      versions: {
+        select: {
+          versionId: true,
+        },
+      },
+    },
+  });
+
+  return games;
+});

server/api/v1/admin/game/[id]/index.get.ts

@@ -1,9 +1,67 @@
-import type { GameVersion } from "~/prisma/client/client";
+import type { GameVersion, Prisma } from "~/prisma/client/client";
 import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 import libraryManager from "~/server/internal/library";
 
-export default defineEventHandler(async (h3) => {
+async function getGameVersionSize<
+  T extends Omit<GameVersion, "dropletManifest">,
+>(gameId: string, version: T) {
+  const size = await libraryManager.getGameVersionSize(
+    gameId,
+    version.versionId,
+  );
+  return { ...version, size };
+}
+
+export type AdminFetchGameType = Prisma.GameGetPayload<{
+  include: {
+    versions: {
+      include: {
+        setups: true;
+        launches: {
+          include: {
+            executor: {
+              include: {
+                gameVersion: {
+                  select: {
+                    versionId: true;
+                    displayName: true;
+                    versionPath: true;
+                    game: {
+                      select: {
+                        id: true;
+                        mName: true;
+                        mIconObjectId: true;
+                      };
+                    };
+                  };
+                };
+              };
+            };
+            executions: {
+              select: {
+                launchId: true;
+              };
+            };
+          };
+        };
+      };
+      omit: {
+        dropletManifest: true;
+      };
+    };
+    tags: true;
+  };
+}>;
+
+// Types in the route ensure we actually return the value as defined above
+export default defineEventHandler<
+  { body: never },
+  Promise<{
+    game: AdminFetchGameType;
+    unimportedVersions: string[] | undefined;
+  }>
+>(async (h3) => {
   const allowed = await aclManager.allowSystemACL(h3, ["game:read"]);
   if (!allowed) throw createError({ statusCode: 403 });
 
@@ -15,12 +73,42 @@ export default defineEventHandler(async (h3) => {
     },
     include: {
       versions: {
-        orderBy: {
-          versionIndex: "asc",
+        include: {
+          setups: true,
+          launches: {
+            include: {
+              executor: {
+                include: {
+                  gameVersion: {
+                    select: {
+                      versionId: true,
+                      displayName: true,
+                      versionPath: true,
+                      game: {
+                        select: {
+                          id: true,
+                          mName: true,
+                          mIconObjectId: true,
+                        },
+                      },
+                    },
+                  },
+                },
+              },
+              executions: {
+                select: {
+                  launchId: true,
+                },
+              },
+            },
+          },
         },
         omit: {
           dropletManifest: true,
         },
+        orderBy: {
+          versionIndex: "asc",
+        },
       },
       tags: true,
     },
@@ -29,16 +117,11 @@ export default defineEventHandler(async (h3) => {
   if (!game || !game.libraryId)
     throw createError({ statusCode: 404, statusMessage: "Game ID not found" });
 
-  const getGameVersionSize = async (version: GameVersion) => {
-    const size = await libraryManager.getGameVersionSize(
-      gameId,
-      version.versionName,
-    );
-    return { ...version, size };
-  };
   const gameWithVersionSize = {
     ...game,
-    versions: await Promise.all(game.versions.map(getGameVersionSize)),
+    versions: await Promise.all(
+      game.versions.map((v) => getGameVersionSize(gameId, v)),
+    ),
   };
 
   const unimportedVersions = await libraryManager.fetchUnimportedGameVersions(

server/api/v1/admin/game/[id]/index.patch.ts

@@ -11,13 +11,18 @@ export default defineEventHandler(async (h3) => {
   const restOfTheBody = { ...body };
   delete restOfTheBody["id"];
 
-  const newObj = await prisma.game.update({
-    where: {
-      id: id,
-    },
-    data: restOfTheBody,
-    // I would put a select here, but it would be based on the body, and muck up the types
-  });
+  const newObj = (
+    await prisma.game.updateManyAndReturn({
+      where: {
+        id: id,
+      },
+      data: restOfTheBody,
+      // I would put a select here, but it would be based on the body, and muck up the types
+    })
+  ).at(0);
+
+  if (!newObj)
+    throw createError({ statusCode: 404, message: "Game not found" });
 
   return newObj;
 });

server/api/v1/admin/game/[id]/metadata.post.ts

@@ -52,12 +52,17 @@ export default defineEventHandler(async (h3) => {
     }
   }
 
-  const newObject = await prisma.game.update({
-    where: {
-      id: gameId,
-    },
-    data: updateModel,
-  });
+  const newObject = (
+    await prisma.game.updateManyAndReturn({
+      where: {
+        id: gameId,
+      },
+      data: updateModel,
+    })
+  ).at(0);
+
+  if (!newObject)
+    throw createError({ statusCode: 404, message: "Game not found" });
 
   return newObject;
 });

server/api/v1/admin/game/[id]/tags.patch.ts

@@ -14,6 +14,14 @@ export default defineEventHandler(async (h3) => {
   const body = await readDropValidatedBody(h3, PatchTags);
   const id = getRouterParam(h3, "id")!;
 
+  const game = await prisma.game.findUnique({
+    where: { id },
+    select: { id: true },
+  });
+  if (!game) throw createError({ statusCode: 404, message: "Game not found" });
+
+  // SAFETY: Okay to disable due to check above
+  // eslint-disable-next-line drop/no-prisma-delete
   await prisma.game.update({
     where: {
       id,

server/api/v1/admin/game/[id]/versions/index.delete.ts

@@ -4,8 +4,7 @@ import aclManager from "~/server/internal/acls";
 import libraryManager from "~/server/internal/library";
 
 const DeleteVersion = type({
-  id: "string",
-  versionName: "string",
+  version: "string",
 }).configure(throwingArktype);
 
 export default defineEventHandler<{ body: typeof DeleteVersion }>(
@@ -17,8 +16,8 @@ export default defineEventHandler<{ body: typeof DeleteVersion }>(
 
     const body = await readDropValidatedBody(h3, DeleteVersion);
 
-    const gameId = body.id.toString();
-    const version = body.versionName.toString();
+    const gameId = getRouterParam(h3, "id")!;
+    const version = body.version.toString();
 
     await libraryManager.deleteGameVersion(gameId, version);
     return {};

server/api/v1/admin/game/[id]/versions/index.get.ts

@@ -0,0 +1,35 @@
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, ["game:read"]);
+  if (!allowed) throw createError({ statusCode: 403 });
+
+  const id = getRouterParam(h3, "id")!;
+
+  const game = await prisma.game.findUnique({
+    where: {
+      id,
+    },
+    select: {
+      versions: {
+        select: {
+          versionId: true,
+          displayName: true,
+          versionPath: true,
+          launches: {
+            select: {
+              launchId: true,
+              command: true,
+              name: true,
+              platform: true,
+            },
+          },
+        },
+      },
+    },
+  });
+  if (!game) throw createError({ statusCode: 404, message: "Game not found" });
+
+  return game.versions;
+});

server/api/v1/admin/game/[id]/versions/index.patch.ts

@@ -0,0 +1,67 @@
+import { type } from "arktype";
+import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+
+const UpdateVersionOrder = type({
+  versions: "string[]",
+}).configure(throwingArktype);
+
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, ["game:version:update"]);
+  if (!allowed) throw createError({ statusCode: 403 });
+
+  const body = await readDropValidatedBody(h3, UpdateVersionOrder);
+  const gameId = getRouterParam(h3, "id")!;
+  // We expect an array of the version names for this game
+  const unsortedVersions = await prisma.gameVersion.findMany({
+    where: {
+      versionId: { in: body.versions },
+    },
+    select: {
+      versionId: true,
+      versionIndex: true,
+      delta: true,
+      launches: { select: { platform: true } },
+    },
+  });
+
+  const versions = body.versions
+    .map((e) => unsortedVersions.find((v) => v.versionId === e))
+    .filter((e) => e !== undefined);
+
+  if (versions.length !== unsortedVersions.length)
+    throw createError({
+      statusCode: 500,
+      statusMessage: "Sorting versions yielded less results, somehow.",
+    });
+
+  // Validate the new order
+  const has: { [key: string]: boolean } = {};
+  for (const version of versions) {
+    for (const versionPlatform of version.launches.map((v) => v.platform)) {
+      if (version.delta && !has[versionPlatform])
+        throw createError({
+          statusCode: 400,
+          statusMessage: `"${version.versionId}" requires a base version to apply the delta to for platform ${versionPlatform}.`,
+        });
+      has[versionPlatform] = true;
+    }
+  }
+
+  await prisma.$transaction(
+    versions.map((version, versionIndex) =>
+      prisma.gameVersion.updateMany({
+        where: {
+          gameId: gameId,
+          versionId: version.versionId,
+        },
+        data: {
+          versionIndex: versionIndex,
+        },
+      }),
+    ),
+  );
+
+  return versions.map((v) => v.versionId);
+});

server/api/v1/admin/game/image/index.delete.ts

@@ -48,21 +48,23 @@ export default defineEventHandler<{
     game.mCoverObjectId = game.mImageLibraryObjectIds[0];
   }
 
-  const result = await prisma.game.update({
-    where: {
-      id: gameId,
-    },
-    data: {
-      mBannerObjectId: game.mBannerObjectId,
-      mImageLibraryObjectIds: game.mImageLibraryObjectIds,
-      mCoverObjectId: game.mCoverObjectId,
-    },
-    select: {
-      mBannerObjectId: true,
-      mImageLibraryObjectIds: true,
-      mCoverObjectId: true,
-    },
-  });
+  const result = (
+    await prisma.game.updateManyAndReturn({
+      where: {
+        id: gameId,
+      },
+      data: {
+        mBannerObjectId: game.mBannerObjectId,
+        mImageLibraryObjectIds: game.mImageLibraryObjectIds,
+        mCoverObjectId: game.mCoverObjectId,
+      },
+      select: {
+        mBannerObjectId: true,
+        mImageLibraryObjectIds: true,
+        mCoverObjectId: true,
+      },
+    })
+  ).at(0);
 
   return result;
 });

server/api/v1/admin/game/image/index.post.ts

@@ -42,16 +42,18 @@ export default defineEventHandler(async (h3) => {
     throw createError({ statusCode: 400, statusMessage: "Invalid game ID" });
   }
 
-  const result = await prisma.game.update({
-    where: {
-      id: gameId,
-    },
-    data: {
-      mImageLibraryObjectIds: {
-        push: ids,
+  const result = (
+    await prisma.game.updateManyAndReturn({
+      where: {
+        id: gameId,
       },
-    },
-  });
+      data: {
+        mImageLibraryObjectIds: {
+          push: ids,
+        },
+      },
+    })
+  ).at(0);
 
   await pull();
   return result;

server/api/v1/admin/game/version/index.patch.ts

@@ -1,72 +0,0 @@
-import { type } from "arktype";
-import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
-import aclManager from "~/server/internal/acls";
-import prisma from "~/server/internal/db/database";
-
-const UpdateVersionOrder = type({
-  id: "string",
-  versions: "string[]",
-}).configure(throwingArktype);
-
-export default defineEventHandler<{ body: typeof UpdateVersionOrder }>(
-  async (h3) => {
-    const allowed = await aclManager.allowSystemACL(h3, [
-      "game:version:update",
-    ]);
-    if (!allowed) throw createError({ statusCode: 403 });
-
-    const body = await readDropValidatedBody(h3, UpdateVersionOrder);
-    const gameId = body.id;
-    // We expect an array of the version names for this game
-    const unsortedVersions = await prisma.gameVersion.findMany({
-      where: {
-        versionName: { in: body.versions },
-      },
-      select: {
-        versionName: true,
-        versionIndex: true,
-        delta: true,
-        platform: true,
-      },
-    });
-
-    const versions = body.versions
-      .map((e) => unsortedVersions.find((v) => v.versionName === e))
-      .filter((e) => e !== undefined);
-
-    if (versions.length !== unsortedVersions.length)
-      throw createError({
-        statusCode: 500,
-        statusMessage: "Sorting versions yielded less results, somehow.",
-      });
-
-    // Validate the new order
-    const has: { [key: string]: boolean } = {};
-    for (const version of versions) {
-      if (version.delta && !has[version.platform])
-        throw createError({
-          statusCode: 400,
-          statusMessage: `"${version.versionName}" requires a base version to apply the delta to.`,
-        });
-      has[version.platform] = true;
-    }
-
-    await prisma.$transaction(
-      versions.map((version, versionIndex) =>
-        prisma.gameVersion.update({
-          where: {
-            gameId_versionName: {
-              gameId: gameId,
-              versionName: version.versionName,
-            },
-          },
-          data: {
-            versionIndex: versionIndex,
-          },
-        }),
-      ),
-    );
-
-    return versions;
-  },
-);

server/api/v1/admin/import/version/index.post.ts

@@ -1,84 +1,77 @@
 import { type } from "arktype";
+import { Platform } from "~/prisma/client/enums";
 import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
 import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 import libraryManager from "~/server/internal/library";
-import { parsePlatform } from "~/server/internal/utils/parseplatform";
 
-const ImportVersion = type({
+export const ImportVersion = type({
   id: "string",
   version: "string",
+  displayName: "string?",
+
+  launches: type({
+    platform: type.valueOf(Platform),
+    name: "string",
+    launch: "string",
+    umuId: "string?",
+    executorId: "string?",
+  }).array(),
+
+  setups: type({
+    platform: type.valueOf(Platform),
+    launch: "string",
+  }).array(),
 
-  platform: "string",
-  launch: "string = ''",
-  launchArgs: "string = ''",
-  setup: "string = ''",
-  setupArgs: "string = ''",
   onlySetup: "boolean = false",
   delta: "boolean = false",
-  umuId: "string = ''",
 }).configure(throwingArktype);
 
 export default defineEventHandler(async (h3) => {
   const allowed = await aclManager.allowSystemACL(h3, ["import:version:new"]);
   if (!allowed) throw createError({ statusCode: 403 });
 
-  const {
-    id,
-    version,
-    platform,
-    launch,
-    launchArgs,
-    setup,
-    setupArgs,
-    onlySetup,
-    delta,
-    umuId,
-  } = await readDropValidatedBody(h3, ImportVersion);
+  const body = await readDropValidatedBody(h3, ImportVersion);
 
-  const platformParsed = parsePlatform(platform);
-  if (!platformParsed)
-    throw createError({ statusCode: 400, statusMessage: "Invalid platform." });
-
-  if (delta) {
-    const validOverlayVersions = await prisma.gameVersion.count({
-      where: { gameId: id, platform: platformParsed, delta: false },
-    });
-    if (validOverlayVersions == 0)
-      throw createError({
-        statusCode: 400,
-        statusMessage:
-          "Update mode requires a pre-existing version for this platform.",
+  if (body.delta) {
+    for (const platformObject of [...body.launches, ...body.setups].filter(
+      (v, i, a) => a.findIndex((k) => k.platform === v.platform) == i,
+    )) {
+      const validOverlayVersions = await prisma.gameVersion.count({
+        where: {
+          gameId: body.id,
+          delta: false,
+          launches: { some: { platform: platformObject.platform } },
+        },
       });
+      if (validOverlayVersions == 0)
+        throw createError({
+          statusCode: 400,
+          statusMessage: "Update mode requires a pre-existing version.",
+        });
+    }
   }
 
-  if (onlySetup) {
-    if (!setup)
+  if (body.onlySetup) {
+    if (body.setups.length == 0)
       throw createError({
         statusCode: 400,
         statusMessage: 'Setup required in "setup mode".',
       });
   } else {
-    if (!delta && !launch)
+    if (body.launches.length == 0)
       throw createError({
         statusCode: 400,
-        statusMessage: "Launch executable is required for non-update versions",
+        statusMessage: "Launch executable is required.",
       });
   }
 
   // startup & delta require more complex checking logic
-  const taskId = await libraryManager.importVersion(id, version, {
-    platform,
-    onlySetup,
-
-    launch,
-    launchArgs,
-    setup,
-    setupArgs,
-
-    umuId,
-    delta,
-  });
+  const taskId = await libraryManager.importVersion(
+    body.id,
+    body.version,
+    body,
+  );
   if (!taskId)
     throw createError({
       statusCode: 400,

server/api/v1/admin/import/version/preload.get.ts

@@ -14,15 +14,22 @@ export default defineEventHandler(async (h3) => {
       statusMessage: "Missing id or version in request params",
     });
 
-  const preload = await libraryManager.fetchUnimportedVersionInformation(
-    gameId,
-    versionName,
-  );
-  if (!preload)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Invalid game or version id/name",
-    });
+  try {
+    const preload = await libraryManager.fetchUnimportedVersionInformation(
+      gameId,
+      versionName,
+    );
+    if (!preload)
+      throw createError({
+        statusCode: 400,
+        statusMessage: "Invalid game or version id/name",
+      });
 
-  return preload;
+    return preload;
+  } catch (e) {
+    throw createError({
+      statusCode: 500,
+      message: `Failed to fetch preload information for ${gameId}: ${e}`,
+    });
+  }
 });

server/api/v1/admin/library/sources/index.patch.ts

@@ -31,15 +31,15 @@ export default defineEventHandler<{ body: typeof UpdateLibrarySource.infer }>(
 
     const constructor = libraryConstructors[source.backend];
 
-    try {
-      const newLibrary = constructor(body.options, source.id);
+    const newLibrary = constructor(body.options, source.id);
 
-      // Test we can actually use it
-      if ((await newLibrary.listGames()) === undefined) {
-        throw "Library failed to fetch games.";
-      }
+    // Test we can actually use it
+    if ((await newLibrary.listGames()) === undefined) {
+      throw "Library failed to fetch games.";
+    }
 
-      const updatedSource = await prisma.library.update({
+    const updatedSource = (
+      await prisma.library.updateManyAndReturn({
         where: {
           id: source.id,
         },
@@ -47,22 +47,22 @@ export default defineEventHandler<{ body: typeof UpdateLibrarySource.infer }>(
           name: body.name,
           options: body.options,
         },
-      });
-
-      libraryManager.removeLibrary(source.id);
-      libraryManager.addLibrary(newLibrary);
-
-      const workingSource: WorkingLibrarySource = {
-        ...updatedSource,
-        working: true,
-      };
-
-      return workingSource;
-    } catch (e) {
+      })
+    ).at(0);
+    if (!updatedSource)
       throw createError({
-        statusCode: 400,
-        statusMessage: `Failed to create source: ${e}`,
+        statusCode: 404,
+        message: "Library source not found",
       });
-    }
+
+    libraryManager.removeLibrary(source.id);
+    libraryManager.addLibrary(newLibrary);
+
+    const workingSource: WorkingLibrarySource = {
+      ...updatedSource,
+      working: true,
+    };
+
+    return workingSource;
   },
 );

server/api/v1/admin/search/game.get.ts

@@ -0,0 +1,39 @@
+import { ArkErrors, type } from "arktype";
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+import type { GameMetadataSearchResult } from "~/server/internal/metadata/types";
+
+const Query = type({
+  q: "string",
+});
+
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, ["game:read"]);
+  if (!allowed) throw createError({ statusCode: 403 });
+
+  const query = Query(getQuery(h3));
+  if (query instanceof ArkErrors)
+    throw createError({ statusCode: 400, message: query.summary });
+
+  const results: {
+    id: string;
+    mName: string;
+    mIconObjectId: string;
+    mShortDescription: string;
+    mReleased: string;
+  }[] =
+    await prisma.$queryRaw`SELECT id, "mName", "mIconObjectId", "mShortDescription", "mReleased" FROM "Game" WHERE SIMILARITY("mName", ${query.q}) > 0.2 ORDER BY SIMILARITY("mName", ${query.q}) DESC;`;
+
+  const resultsMapped = results.map(
+    (v) =>
+      ({
+        id: v.id,
+        name: v.mName,
+        icon: v.mIconObjectId,
+        description: v.mShortDescription,
+        year: new Date(v.mReleased).getFullYear(),
+      }) satisfies GameMetadataSearchResult,
+  );
+
+  return resultsMapped;
+});

server/api/v1/admin/services/index.get.ts

@@ -0,0 +1,10 @@
+import aclManager from "~/server/internal/acls";
+import serviceManager from "~/server/internal/services";
+
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, ["maintenance:read"]);
+  if (!allowed) throw createError({ statusCode: 403 });
+
+  const healthcheck = serviceManager.healthchecks();
+  return healthcheck;
+});

server/api/v1/auth/mfa/index.get.ts

@@ -0,0 +1,22 @@
+import sessionHandler from "~/server/internal/session";
+import prisma from "~/server/internal/db/database";
+
+export default defineEventHandler(async (h3) => {
+  const session = await sessionHandler.getSession(h3);
+  if (!session || !session.authenticated || session.authenticated.level == 0)
+    throw createError({
+      statusCode: 403,
+      message: "Sign in before completing MFA",
+    });
+
+  const linkedMFAMec = await prisma.linkedMFAMec.findMany({
+    where: {
+      userId: session.authenticated.userId,
+    },
+    select: {
+      mec: true,
+    },
+  });
+
+  return linkedMFAMec.map((v) => v.mec);
+});

server/api/v1/auth/mfa/totp.post.ts

@@ -0,0 +1,48 @@
+import sessionHandler from "~/server/internal/session";
+import { type } from "arktype";
+import prisma from "~/server/internal/db/database";
+import { MFAMec } from "~/prisma/client/client";
+import type { TOTPv1Credentials } from "~/server/internal/auth/totp";
+import { dropDecodeArrayBase64 } from "~/server/internal/auth/totp";
+import { SecretKey, totp } from "otp-io";
+import { hmac } from "otp-io/crypto-web";
+import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
+
+const TOTPBody = type({
+  code: "string",
+}).configure(throwingArktype);
+
+export default defineEventHandler(async (h3) => {
+  const session = await sessionHandler.getSession(h3);
+  if (!session || !session.authenticated || session.authenticated.level == 0)
+    throw createError({
+      statusCode: 403,
+      message: "Sign in before completing MFA",
+    });
+
+  const body = await readDropValidatedBody(h3, TOTPBody);
+
+  const linkedMFAMec = await prisma.linkedMFAMec.findUnique({
+    where: {
+      userId_mec: {
+        userId: session.authenticated.userId,
+        mec: MFAMec.TOTP,
+      },
+    },
+  });
+  if (!linkedMFAMec)
+    throw createError({ statusCode: 400, message: "TOTP not enabled" });
+
+  const secret = (linkedMFAMec.credentials as unknown as TOTPv1Credentials)
+    .secret;
+  const secretKeyBuffer = dropDecodeArrayBase64(secret);
+  const secretKey = new SecretKey(secretKeyBuffer);
+
+  const code = await totp(hmac, { secret: secretKey });
+  if (code !== body.code)
+    throw createError({ statusCode: 403, message: "Invalid TOTP code." });
+
+  await sessionHandler.mfa(h3, 10);
+
+  return {};
+});

server/api/v1/auth/mfa/webauthn/finish.post.ts

@@ -0,0 +1,108 @@
+import { verifyAuthenticationResponse } from "@simplewebauthn/server";
+import { MFAMec } from "~/prisma/client/enums";
+import { dropDecodeArrayBase64 } from "~/server/internal/auth/totp";
+import type { WebAuthNv1Credentials } from "~/server/internal/auth/webauthn";
+import { getRpId } from "~/server/internal/auth/webauthn";
+import { systemConfig } from "~/server/internal/config/sys-conf";
+import prisma from "~/server/internal/db/database";
+import sessionHandler from "~/server/internal/session";
+
+export default defineEventHandler(async (h3) => {
+  const session = await sessionHandler.getSession(h3);
+  if (!session || !session.authenticated || session.authenticated.level == 0)
+    throw createError({
+      statusCode: 403,
+      message: "Sign in before completing MFA",
+    });
+
+  const body = await readBody(h3);
+  const credentialId = body?.id;
+  if (!credentialId || typeof credentialId !== "string")
+    throw createError({
+      statusCode: 400,
+      message: "Missing credential id in body.",
+    });
+
+  const optionsRaw = await sessionHandler.getSessionDataKey<string>(
+    h3,
+    "webauthn/options",
+  );
+  if (!optionsRaw)
+    throw createError({
+      statusCode: 400,
+      message: "WebAuthn setup not started for this session.",
+    });
+  const options = JSON.parse(optionsRaw);
+  await sessionHandler.deleteSessionDataKey(h3, "webauthn/challenge");
+
+  const mfaMec = await prisma.linkedMFAMec.findUnique({
+    where: {
+      userId_mec: {
+        userId: session.authenticated.userId,
+        mec: MFAMec.WebAuthn,
+      },
+    },
+  });
+  if (!mfaMec)
+    throw createError({ statusCode: 400, message: "WebAuthn not enabled" });
+
+  const rpID = await getRpId();
+  const passkeys = (mfaMec.credentials as unknown as WebAuthNv1Credentials)
+    .passkeys;
+  const passkeyIndex = passkeys.findIndex((v) => v.id === body.id);
+  if (passkeyIndex == -1)
+    throw createError({ statusCode: 400, message: "Invalid credential ID." });
+  const passkey = passkeys[passkeyIndex];
+
+  const externalUrl = await systemConfig.getExternalUrl();
+  const url = new URL(externalUrl);
+
+  let verification;
+  try {
+    verification = await verifyAuthenticationResponse({
+      response: body,
+      expectedChallenge: options.challenge,
+      expectedOrigin: url.origin,
+      expectedRPID: rpID,
+      credential: {
+        id: passkey.id,
+        publicKey: Buffer.from(dropDecodeArrayBase64(passkey.publicKey)),
+        counter: passkey.counter,
+        transports: passkey.transports ?? [],
+      },
+    });
+  } catch (error) {
+    throw createError({
+      statusCode: 400,
+      message: (error as string)?.toString(),
+    });
+  }
+
+  const { verified } = verification;
+  if (!verified)
+    throw createError({ statusCode: 403, message: "Invalid passkey." });
+
+  const { authenticationInfo } = verification;
+  const { newCounter } = authenticationInfo;
+
+  passkeys[passkeyIndex].counter = newCounter;
+  (mfaMec.credentials as unknown as WebAuthNv1Credentials).passkeys = passkeys;
+
+  // Safe because we query it at the start of the route
+  // eslint-disable-next-line drop/no-prisma-delete
+  await prisma.linkedMFAMec.update({
+    where: {
+      userId_mec: {
+        userId: session.authenticated.userId,
+        mec: MFAMec.WebAuthn,
+      },
+    },
+    data: {
+      credentials: mfaMec.credentials!,
+    },
+  });
+
+  await sessionHandler.mfa(h3, 10);
+
+  return {};
+});

server/api/v1/auth/mfa/webauthn/start.post.ts

@@ -0,0 +1,49 @@
+import { generateAuthenticationOptions } from "@simplewebauthn/server";
+import { MFAMec } from "~/prisma/client/enums";
+import type { WebAuthNv1Credentials } from "~/server/internal/auth/webauthn";
+import { getRpId } from "~/server/internal/auth/webauthn";
+import prisma from "~/server/internal/db/database";
+import sessionHandler from "~/server/internal/session";
+
+export default defineEventHandler(async (h3) => {
+  const session = await sessionHandler.getSession(h3);
+  if (!session || !session.authenticated || session.authenticated.level == 0)
+    throw createError({
+      statusCode: 403,
+      message: "Sign in before completing MFA",
+    });
+
+  const mec = await prisma.linkedMFAMec.findUnique({
+    where: {
+      userId_mec: {
+        userId: session.authenticated.userId,
+        mec: MFAMec.WebAuthn,
+      },
+    },
+  });
+  if (!mec)
+    throw createError({
+      statusCode: 400,
+      message: "WebAuthn not enabled on account.",
+    });
+
+  const rpID = await getRpId();
+  const passkeys = (mec.credentials as unknown as WebAuthNv1Credentials)
+    .passkeys;
+
+  const options = await generateAuthenticationOptions({
+    rpID,
+    allowCredentials: passkeys.map((v) => ({
+      id: v.id,
+      transports: v.transports ?? [],
+    })),
+  });
+
+  await sessionHandler.setSessionDataKey(
+    h3,
+    "webauthn/options",
+    JSON.stringify(options),
+  );
+
+  return options;
+});

server/api/v1/auth/passkey/finish.post.ts

@@ -0,0 +1,105 @@
+import { verifyAuthenticationResponse } from "@simplewebauthn/server";
+import { MFAMec } from "~/prisma/client/enums";
+import { dropDecodeArrayBase64 } from "~/server/internal/auth/totp";
+import type { WebAuthNv1Credentials } from "~/server/internal/auth/webauthn";
+import { getRpId } from "~/server/internal/auth/webauthn";
+import { systemConfig } from "~/server/internal/config/sys-conf";
+import prisma from "~/server/internal/db/database";
+import sessionHandler from "~/server/internal/session";
+
+export default defineEventHandler(async (h3) => {
+  const body = await readBody(h3);
+  const credentialId = body?.id;
+  if (!credentialId || typeof credentialId !== "string")
+    throw createError({
+      statusCode: 400,
+      message: "Missing credential id in body.",
+    });
+
+  const optionsRaw = await sessionHandler.getSessionDataKey<string>(
+    h3,
+    "webauthn/options",
+  );
+  if (!optionsRaw)
+    throw createError({
+      statusCode: 400,
+      message: "WebAuthn setup not started for this session.",
+    });
+  const options = JSON.parse(optionsRaw);
+  await sessionHandler.deleteSessionDataKey(h3, "webauthn/challenge");
+
+  // See WebAuthNv1Credentials for schema
+  const mfaMec = await prisma.linkedMFAMec.findFirst({
+    where: {
+      credentials: {
+        path: ["passkeys"],
+        array_contains: [
+          {
+            id: credentialId,
+          },
+        ],
+      },
+    },
+  });
+  if (!mfaMec)
+    throw createError({ statusCode: 404, message: "Passkey not found" });
+
+  const passkeys = (mfaMec.credentials as unknown as WebAuthNv1Credentials)
+    .passkeys;
+  const passkeyIndex = passkeys.findIndex((v) => v.id === credentialId);
+  const passkey = passkeys[passkeyIndex]; // Exists guarantee by database
+
+  const rpID = await getRpId();
+  const externalUrl = await systemConfig.getExternalUrl();
+  const url = new URL(externalUrl);
+
+  let verification;
+  try {
+    verification = await verifyAuthenticationResponse({
+      response: body,
+      expectedChallenge: options.challenge,
+      expectedOrigin: url.origin,
+      expectedRPID: rpID,
+      credential: {
+        id: passkey.id,
+        publicKey: Buffer.from(dropDecodeArrayBase64(passkey.publicKey)),
+        counter: passkey.counter,
+        transports: passkey.transports ?? [],
+      },
+    });
+  } catch (error) {
+    throw createError({
+      statusCode: 400,
+      message: (error as string)?.toString(),
+    });
+  }
+
+  const { verified } = verification;
+  if (!verified)
+    throw createError({ statusCode: 403, message: "Invalid passkey." });
+
+  const { authenticationInfo } = verification;
+  const { newCounter } = authenticationInfo;
+
+  passkeys[passkeyIndex].counter = newCounter;
+  (mfaMec.credentials as unknown as WebAuthNv1Credentials).passkeys = passkeys;
+
+  // Safe because we query it before
+  // eslint-disable-next-line drop/no-prisma-delete
+  await prisma.linkedMFAMec.update({
+    where: {
+      userId_mec: {
+        userId: mfaMec.userId,
+        mec: MFAMec.WebAuthn,
+      },
+    },
+    data: {
+      credentials: mfaMec.credentials!,
+    },
+  });
+
+  await sessionHandler.signin(h3, mfaMec.userId, true);
+  await sessionHandler.mfa(h3, 10);
+
+  return {};
+});

server/api/v1/auth/passkey/start.post.ts

@@ -0,0 +1,26 @@
+import { generateAuthenticationOptions } from "@simplewebauthn/server";
+import { getRpId } from "~/server/internal/auth/webauthn";
+import sessionHandler from "~/server/internal/session";
+
+export default defineEventHandler(async (h3) => {
+  const rpID = await getRpId();
+
+  const options = await generateAuthenticationOptions({
+    rpID,
+    allowCredentials: [],
+  });
+
+  if (
+    !(await sessionHandler.setSessionDataKey(
+      h3,
+      "webauthn/options",
+      JSON.stringify(options),
+    ))
+  )
+    throw createError({
+      statusCode: 500,
+      message: "Failed to set session data key",
+    });
+
+  return options;
+});

server/api/v1/auth/signin/simple.post.ts

@@ -84,8 +84,17 @@ export default defineEventHandler<{
       });
 
     // TODO: send user to forgot password screen or something to force them to change their password to new system
-    await sessionHandler.signin(h3, authMek.userId, body.rememberMe);
-    return { result: true, userId: authMek.userId };
+    const result = await sessionHandler.signin(
+      h3,
+      authMek.userId,
+      body.rememberMe,
+    );
+    if (result === "fail")
+      throw createError({
+        statusCode: 500,
+        message: "Failed to create session",
+      });
+    return { userId: authMek.userId, result };
   }
 
   // V2: argon2
@@ -102,6 +111,12 @@ export default defineEventHandler<{
       statusMessage: t("errors.auth.invalidUserOrPass"),
     });
 
-  await sessionHandler.signin(h3, authMek.userId, body.rememberMe);
-  return { result: true, userId: authMek.userId };
+  const result = await sessionHandler.signin(
+    h3,
+    authMek.userId,
+    body.rememberMe,
+  );
+  if (result == "fail")
+    throw createError({ statusCode: 500, message: "Failed to create session" });
+  return { userId: authMek.userId, result };
 });

server/api/v1/client/auth/callback/index.post.ts

@@ -2,8 +2,9 @@ import clientHandler from "~/server/internal/clients/handler";
 import sessionHandler from "~/server/internal/session";
 
 export default defineEventHandler(async (h3) => {
-  const user = await sessionHandler.getSession(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const session = await sessionHandler.getSession(h3);
+  if (!session || !session.authenticated)
+    throw createError({ statusCode: 403 });
 
   const body = await readBody(h3);
   const clientId = await body.id;
@@ -15,7 +16,7 @@ export default defineEventHandler(async (h3) => {
       statusMessage: "Invalid or expired client ID.",
     });
 
-  if (client.userId != user.userId)
+  if (client.userId != session.authenticated.userId)
     throw createError({
       statusCode: 403,
       statusMessage: "Not allowed to authorize this client.",

server/api/v1/client/auth/code/index.get.ts

@@ -3,7 +3,7 @@ import sessionHandler from "~/server/internal/session";
 
 export default defineEventHandler(async (h3) => {
   const user = await sessionHandler.getSession(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  if (!user || !user.authenticated) throw createError({ statusCode: 403 });
 
   const query = getQuery(h3);
   const code = query.code?.toString()?.toUpperCase();

server/api/v1/client/auth/code/index.post.ts

@@ -3,7 +3,7 @@ import sessionHandler from "~/server/internal/session";
 
 export default defineEventHandler(async (h3) => {
   const user = await sessionHandler.getSession(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  if (!user || !user.authenticated) throw createError({ statusCode: 403 });
 
   const body = await readBody(h3);
   const clientId = await body.id;
@@ -15,7 +15,7 @@ export default defineEventHandler(async (h3) => {
       statusMessage: "Invalid or expired client ID.",
     });
 
-  if (client.userId != user.userId)
+  if (client.userId != user.authenticated.userId)
     throw createError({
       statusCode: 403,
       statusMessage: "Not allowed to authorize this client.",

server/api/v1/client/auth/index.get.ts

@@ -2,8 +2,9 @@ import clientHandler from "~/server/internal/clients/handler";
 import sessionHandler from "~/server/internal/session";
 
 export default defineEventHandler(async (h3) => {
-  const user = await sessionHandler.getSession(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const session = await sessionHandler.getSession(h3);
+  if (!session || !session.authenticated)
+    throw createError({ statusCode: 403 });
 
   const query = getQuery(h3);
   const providedClientId = query.id?.toString();
@@ -20,13 +21,16 @@ export default defineEventHandler(async (h3) => {
       statusMessage: "Request not found.",
     });
 
-  if (client.userId && user.userId !== client.userId)
+  if (client.userId && session.authenticated.userId !== client.userId)
     throw createError({
       statusCode: 400,
       statusMessage: "Client already claimed.",
     });
 
-  await clientHandler.attachUserId(providedClientId, user.userId);
+  await clientHandler.attachUserId(
+    providedClientId,
+    session.authenticated.userId,
+  );
 
   return client.data;
 });

server/api/v1/client/auth/initiate.post.ts

@@ -31,19 +31,20 @@ export default defineEventHandler(async (h3) => {
       statusMessage: "Invalid or unsupported platform",
     });
 
-  const capabilityIterable = Object.entries(capabilities) as Array<
-    [InternalClientCapability, object]
-  >;
-  if (
-    capabilityIterable.length > 0 &&
-    capabilityIterable
-      .map(([capability]) => validCapabilities.find((v) => capability == v))
-      .filter((e) => e).length == 0
-  )
-    throw createError({
-      statusCode: 400,
-      message: "Invalid capabilities.",
-    });
+  const capabilityIterableRaw = Object.entries(capabilities);
+  const capabilityIterable = capabilityIterableRaw.map(
+    ([capability, value]) => {
+      const actualCapability = validCapabilities.find(
+        (v) => capability.toLowerCase() == v.toLowerCase(),
+      );
+      if (!actualCapability)
+        throw createError({
+          statusCode: 400,
+          message: "Invalid capabilities.",
+        });
+      return [actualCapability, value];
+    },
+  ) as Array<[InternalClientCapability, object]>;
 
   if (
     capabilityIterable.length > 0 &&
@@ -63,7 +64,7 @@ export default defineEventHandler(async (h3) => {
   const result = await clientHandler.initiate({
     name: body.name,
     platform,
-    capabilities,
+    capabilities: Object.fromEntries(capabilityIterable),
     mode: body.mode,
   });
 

server/api/v1/client/capability/index.post.ts

@@ -1,4 +1,3 @@
-import type { InternalClientCapability } from "~/server/internal/clients/capabilities";
 import capabilityManager, {
   validCapabilities,
 } from "~/server/internal/clients/capabilities";
@@ -23,9 +22,11 @@ export default defineClientEventHandler(
         statusMessage: "configuration must be an object",
       });
 
-    const capability = rawCapability as InternalClientCapability;
+    const capability = validCapabilities.find(
+      (v) => v.toLowerCase() === rawCapability.toLowerCase(),
+    );
 
-    if (!validCapabilities.includes(capability))
+    if (!capability)
       throw createError({
         statusCode: 400,
         statusMessage: "Invalid capability.",

server/api/v1/client/chunk.get.ts

@@ -1,83 +0,0 @@
-import cacheHandler from "~/server/internal/cache";
-import { defineClientEventHandler } from "~/server/internal/clients/event-handler";
-import prisma from "~/server/internal/db/database";
-import libraryManager from "~/server/internal/library";
-
-const chunkSize = 1024 * 1024 * 64;
-
-const gameLookupCache = cacheHandler.createCache<{
-  libraryId: string | null;
-  libraryPath: string;
-}>("downloadGameLookupCache");
-
-export default defineClientEventHandler(async (h3) => {
-  const query = getQuery(h3);
-  const gameId = query.id?.toString();
-  const versionName = query.version?.toString();
-  const filename = query.name?.toString();
-  const chunkIndex = parseInt(query.chunk?.toString() ?? "?");
-
-  if (!gameId || !versionName || !filename || Number.isNaN(chunkIndex))
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Invalid chunk arguments",
-    });
-
-  let game = await gameLookupCache.getItem(gameId);
-  if (!game) {
-    game = await prisma.game.findUnique({
-      where: {
-        id: gameId,
-      },
-      select: {
-        libraryId: true,
-        libraryPath: true,
-      },
-    });
-    if (!game || !game.libraryId)
-      throw createError({ statusCode: 400, statusMessage: "Invalid game ID" });
-
-    await gameLookupCache.setItem(gameId, game);
-  }
-
-  if (!game.libraryId)
-    throw createError({
-      statusCode: 500,
-      statusMessage: "Somehow, we got here.",
-    });
-
-  const peek = await libraryManager.peekFile(
-    game.libraryId,
-    game.libraryPath,
-    versionName,
-    filename,
-  );
-  if (!peek)
-    throw createError({ status: 400, statusMessage: "Failed to peek file" });
-
-  const start = chunkIndex * chunkSize;
-  const end = Math.min((chunkIndex + 1) * chunkSize, peek.size);
-  const currentChunkSize = end - start;
-  setHeader(h3, "Content-Length", currentChunkSize);
-
-  if (start >= end)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Invalid chunk index",
-    });
-
-  const gameReadStream = await libraryManager.readFile(
-    game.libraryId,
-    game.libraryPath,
-    versionName,
-    filename,
-    { start, end },
-  );
-  if (!gameReadStream)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Failed to create stream",
-    });
-
-  return sendStream(h3, gameReadStream);
-});

server/api/v1/client/game/[id]/version/[versionid]/index.get.ts

@@ -3,22 +3,29 @@ import prisma from "~/server/internal/db/database";
 import libraryManager from "~/server/internal/library";
 
 export default defineClientEventHandler(async (h3) => {
-  const query = getQuery(h3);
-  const id = query.id?.toString();
-  const version = query.version?.toString();
+  const id = getRouterParam(h3, "id");
+  const version = getRouterParam(h3, "versionid");
   if (!id || !version)
     throw createError({
       statusCode: 400,
-      statusMessage: "Missing id or version in query",
+      statusMessage: "Missing id or version in route params",
     });
 
   const gameVersion = await prisma.gameVersion.findUnique({
     where: {
-      gameId_versionName: {
+      gameId_versionId: {
         gameId: id,
-        versionName: version,
+        versionId: version,
       },
     },
+    include: {
+      launches: {
+        include: {
+          executor: true,
+        },
+      },
+      setups: true,
+    },
   });
 
   if (!gameVersion)

server/api/v1/client/game/manifest.get.ts

@@ -1,5 +1,5 @@
 import { defineClientEventHandler } from "~/server/internal/clients/event-handler";
-import manifestGenerator from "~/server/internal/downloads/manifest";
+import prisma from "~/server/internal/db/database";
 
 export default defineClientEventHandler(async (h3) => {
   const query = getQuery(h3);
@@ -11,11 +11,14 @@ export default defineClientEventHandler(async (h3) => {
       statusMessage: "Missing id or version in query",
     });
 
-  const manifest = await manifestGenerator.generateManifest(id, version);
+  const manifest = await prisma.gameVersion.findUnique({
+    where: { gameId_versionId: { gameId: id, versionId: version } },
+    select: { dropletManifest: true },
+  });
   if (!manifest)
     throw createError({
       statusCode: 400,
       statusMessage: "Invalid game or version, or no versions added.",
     });
-  return manifest;
+  return manifest.dropletManifest;
 });

server/api/v1/client/game/versions.get.ts

@@ -20,6 +20,10 @@ export default defineClientEventHandler(async (h3) => {
     omit: {
       dropletManifest: true,
     },
+    include: {
+      launches: true,
+      setups: true,
+    },
   });
 
   return versions;

server/api/v1/client/user/webtoken.post.ts

@@ -14,6 +14,7 @@ export default defineClientEventHandler(
       "store:read",
       "collections:read",
       "object:read",
+      "settings:read",
     ];
 
     const token = await prisma.aPIToken.create({

server/api/v1/depot/STUB.md

@@ -0,0 +1,3 @@
+# Don't add anything here
+
+This route is overriden by the reverse proxy, and forwarded to the Rust depot.

server/api/v1/games/[id]/index.get.ts

@@ -16,7 +16,12 @@ export default defineEventHandler(async (h3) => {
   const game = await prisma.game.findUnique({
     where: { id: gameId },
     include: {
-      versions: true,
+      versions: {
+        include: {
+          launches: true,
+          setups: true,
+        },
+      },
       publishers: {
         select: {
           id: true,

server/api/v1/notifications/[id]/read.post.ts

@@ -20,15 +20,17 @@ export default defineEventHandler(async (h3) => {
     userIds.push("system");
   }
 
-  const notification = await prisma.notification.update({
-    where: {
-      id: notificationId,
-      userId: { in: userIds },
-    },
-    data: {
-      read: true,
-    },
-  });
+  const notification = (
+    await prisma.notification.updateManyAndReturn({
+      where: {
+        id: notificationId,
+        userId: { in: userIds },
+      },
+      data: {
+        read: true,
+      },
+    })
+  ).at(0);
 
   if (!notification)
     throw createError({

server/api/v1/store/index.get.ts

@@ -49,11 +49,15 @@ export default defineEventHandler(async (h3) => {
     ? {
         versions: {
           some: {
-            platform: {
-              in: options.platform
-                .split(",")
-                .map(parsePlatform)
-                .filter((e) => e !== undefined),
+            launches: {
+              some: {
+                platform: {
+                  in: options.platform
+                    .split(",")
+                    .map(parsePlatform)
+                    .filter((e) => e !== undefined),
+                },
+              },
             },
           },
         },

server/api/v1/user/auth/index.get.ts

@@ -0,0 +1,19 @@
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+import { AuthMec } from "~/prisma/client/enums";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.getUserIdACL(h3, []); // No ACLs only allows session authentication
+  if (!userId) throw createError({ statusCode: 403 });
+
+  const authMecs = await prisma.linkedAuthMec.findMany({
+    where: {
+      userId,
+    },
+    omit: {
+      credentials: true,
+    },
+  });
+  const authMecMap = Object.fromEntries(authMecs.map((v) => [v.mec, v]));
+  return { mecs: authMecMap, available: Object.keys(AuthMec) };
+});

server/api/v1/user/mfa/index.get.ts

@@ -0,0 +1,38 @@
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+import { MFAMec } from "~/prisma/client/enums";
+import type { WebAuthNv1Credentials } from "~/server/internal/auth/webauthn";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.getUserIdACL(h3, []); // No ACLs only allows session authentication
+  if (!userId) throw createError({ statusCode: 403 });
+
+  const mfaMecs = await prisma.linkedMFAMec.findMany({
+    where: {
+      userId,
+    },
+  });
+  // Sanitise and convert to map
+  const mfaMecMap = Object.fromEntries(
+    mfaMecs.map((v) => {
+      switch (v.mec) {
+        case MFAMec.TOTP:
+          v.credentials = {};
+          break;
+        case MFAMec.WebAuthn: {
+          const newCredentials = (
+            v.credentials as unknown as WebAuthNv1Credentials
+          ).passkeys.map((v) => ({
+            name: v.name,
+            id: v.id,
+            created: v.created,
+          }));
+          v.credentials = newCredentials;
+          break;
+        }
+      }
+      return [v.mec, v];
+    }),
+  );
+  return { mecs: mfaMecMap, available: Object.keys(MFAMec) };
+});

server/api/v1/user/mfa/totp/finish.post.ts

@@ -0,0 +1,61 @@
+import aclManager from "~/server/internal/acls";
+import { totp, SecretKey } from "otp-io";
+import { hmac } from "otp-io/crypto";
+import prisma from "~/server/internal/db/database";
+import { MFAMec } from "~/prisma/client/client";
+import type { TOTPv1Credentials } from "~/server/internal/auth/totp";
+import { dropDecodeArrayBase64 } from "~/server/internal/auth/totp";
+import { createError } from "h3";
+import { type } from "arktype";
+import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
+
+const TOTPEnableBody = type({
+  code: "string",
+}).configure(throwingArktype);
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.allowUserSuperlevel(h3); // No ACLs only allows session authentication
+  if (!userId)
+    throw createError({
+      statusCode: 403,
+      message: "Not signed in or superlevelled.",
+    });
+
+  const body = await readDropValidatedBody(h3, TOTPEnableBody);
+
+  const existing = await prisma.linkedMFAMec.findUnique({
+    where: {
+      userId_mec: {
+        userId,
+        mec: MFAMec.TOTP,
+      },
+      enabled: false,
+    },
+  });
+  if (!existing)
+    throw createError({ statusCode: 400, message: "TOTP not started" });
+
+  const secret = (existing.credentials as unknown as TOTPv1Credentials).secret;
+  const secretKeyBuffer = dropDecodeArrayBase64(secret);
+  const secretKey = new SecretKey(secretKeyBuffer);
+
+  const code = await totp(hmac, { secret: secretKey });
+  if (body.code !== code)
+    throw createError({ statusCode: 400, message: "Invalid TOTP code." });
+
+  // Safe because we're updating something we just queried
+  // eslint-disable-next-line drop/no-prisma-delete
+  await prisma.linkedMFAMec.update({
+    where: {
+      userId_mec: {
+        userId,
+        mec: MFAMec.TOTP,
+      },
+    },
+    data: {
+      enabled: true,
+    },
+  });
+
+  return;
+});

server/api/v1/user/mfa/totp/start.post.ts

@@ -0,0 +1,63 @@
+import aclManager from "~/server/internal/acls";
+import { generateKey, getKeyUri } from "otp-io";
+import { randomBytes } from "otp-io/crypto";
+import prisma from "~/server/internal/db/database";
+import { MFAMec } from "~/prisma/client/client";
+import type { TOTPv1Credentials } from "~/server/internal/auth/totp";
+import { dropEncodeArrayBase64 } from "~/server/internal/auth/totp";
+import { b32e } from "~/server/internal/auth/base32";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.allowUserSuperlevel(h3); // No ACLs only allows session authentication
+  if (!userId)
+    throw createError({
+      statusCode: 403,
+      message: "Not signed in or superlevelled.",
+    });
+
+  const existing = await prisma.linkedMFAMec.findUnique({
+    where: {
+      userId_mec: {
+        userId,
+        mec: MFAMec.TOTP,
+      },
+    },
+  });
+
+  if (existing) {
+    if (!existing.enabled) {
+      // Safe because we're updating something we just queried
+      // eslint-disable-next-line drop/no-prisma-delete
+      await prisma.linkedMFAMec.delete({
+        where: { userId_mec: { userId: existing.userId, mec: existing.mec } },
+      });
+    } else {
+      throw createError({
+        statusCode: 400,
+        message: "Cannot set up TOTP authentication if already exists.",
+      });
+    }
+  }
+
+  const secret = generateKey(randomBytes, /* bytes: */ 20); // 5-20 good for Google Authenticator
+  const url = getKeyUri({
+    type: "totp",
+    secret,
+    name: userId,
+    issuer: "Drop",
+  });
+
+  await prisma.linkedMFAMec.create({
+    data: {
+      userId,
+      mec: MFAMec.TOTP,
+      version: 1,
+      credentials: {
+        secret: dropEncodeArrayBase64(secret.bytes),
+      } satisfies TOTPv1Credentials,
+      enabled: false,
+    },
+  });
+
+  return { url, secret: b32e(secret.bytes) };
+});

server/api/v1/user/mfa/webauthn/finish.post.ts

@@ -0,0 +1,110 @@
+import aclManager from "~/server/internal/acls";
+import { dropEncodeArrayBase64 } from "~/server/internal/auth/totp";
+import type { WebAuthNv1Credentials } from "~/server/internal/auth/webauthn";
+import { getRpId } from "~/server/internal/auth/webauthn";
+import prisma from "~/server/internal/db/database";
+import { MFAMec } from "~/prisma/client/enums";
+import sessionHandler from "~/server/internal/session";
+import type { PublicKeyCredentialCreationOptionsJSON } from "@simplewebauthn/server";
+import { verifyRegistrationResponse } from "@simplewebauthn/server";
+import { systemConfig } from "~/server/internal/config/sys-conf";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.allowUserSuperlevel(h3); // No ACLs only allows session authentication
+  if (!userId)
+    throw createError({
+      statusCode: 403,
+      message: "Not signed in or superlevelled.",
+    });
+
+  const body = await readBody(h3);
+
+  const optionsRaw = await sessionHandler.getSessionDataKey<string>(
+    h3,
+    "webauthn/options",
+  );
+  if (!optionsRaw)
+    throw createError({
+      statusCode: 400,
+      message: "WebAuthn not started for this session.",
+    });
+  const options: PublicKeyCredentialCreationOptionsJSON =
+    JSON.parse(optionsRaw);
+  await sessionHandler.deleteSessionDataKey(h3, "webauthn/options");
+
+  const rpID = await getRpId();
+  const externalUrl = await systemConfig.getExternalUrl();
+  const url = new URL(externalUrl);
+
+  let verification;
+  try {
+    verification = await verifyRegistrationResponse({
+      response: body,
+      expectedChallenge: options.challenge,
+      expectedOrigin: url.origin,
+      expectedRPID: rpID,
+    });
+  } catch (error) {
+    console.error(error);
+    throw createError({
+      statusCode: 400,
+      message: (error as string)?.toString(),
+    });
+  }
+
+  const webauthnMec =
+    (await prisma.linkedMFAMec.findUnique({
+      where: { userId_mec: { userId, mec: MFAMec.WebAuthn } },
+    })) ??
+    (await prisma.linkedMFAMec.create({
+      data: {
+        userId,
+        mec: MFAMec.WebAuthn,
+        credentials: { passkeys: [] } satisfies WebAuthNv1Credentials,
+        version: 1,
+      },
+    }));
+
+  const { verified, registrationInfo } = verification;
+  if (!verified)
+    throw createError({
+      statusCode: 400,
+      message: "Failed to verify passkey.",
+    });
+  const { credential, credentialDeviceType, credentialBackedUp } =
+    registrationInfo!;
+
+  const name = await sessionHandler.getSessionDataKey<string>(
+    h3,
+    "webauthn/passkeyname",
+  );
+
+  (webauthnMec.credentials as unknown as WebAuthNv1Credentials).passkeys.push({
+    name: name ?? "My New Passkey",
+    created: Date.now(),
+    userId,
+    webAuthnUserId: options.user.id,
+    id: credential.id,
+    publicKey: dropEncodeArrayBase64(credential.publicKey),
+    counter: credential.counter,
+    transports: credential.transports,
+    deviceType: credentialDeviceType,
+    backedUp: credentialBackedUp,
+  });
+
+  // Safe because we're updating something we just queried
+  // eslint-disable-next-line drop/no-prisma-delete
+  await prisma.linkedMFAMec.update({
+    where: {
+      userId_mec: {
+        userId: webauthnMec.userId,
+        mec: webauthnMec.mec,
+      },
+    },
+    data: {
+      credentials: webauthnMec.credentials!,
+    },
+  });
+
+  return;
+});

server/api/v1/user/mfa/webauthn/start.post.ts

@@ -0,0 +1,56 @@
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+import sessionHandler from "~/server/internal/session";
+import { generateRegistrationOptions } from "@simplewebauthn/server";
+import { getRpId } from "~/server/internal/auth/webauthn";
+import { type } from "arktype";
+import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
+
+const CreatePasskey = type({
+  name: "string",
+}).configure(throwingArktype);
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.allowUserSuperlevel(h3); // No ACLs only allows session authentication
+  if (!userId)
+    throw createError({
+      statusCode: 403,
+      message: "Not signed in or superlevelled.",
+    });
+
+  const body = await readDropValidatedBody(h3, CreatePasskey);
+
+  const user = await prisma.user.findUnique({
+    where: { id: userId },
+    select: { displayName: true, username: true },
+  });
+  if (!user)
+    throw createError({
+      statusCode: 500,
+      message: "Session refers to non-existed user.",
+    });
+
+  const rpID = await getRpId();
+
+  const registrationOptions = await generateRegistrationOptions({
+    rpID,
+    rpName: "Drop",
+    userName: user.username,
+    attestationType: "none",
+    authenticatorSelection: {
+      requireResidentKey: true,
+      residentKey: "required",
+      userVerification: "preferred",
+    },
+  });
+
+  await sessionHandler.setSessionDataKey(
+    h3,
+    "webauthn/options",
+    JSON.stringify(registrationOptions),
+  );
+
+  await sessionHandler.setSessionDataKey(h3, "webauthn/passkeyname", body.name);
+
+  return registrationOptions;
+});

server/api/v1/user/superlevel.ts

@@ -0,0 +1,6 @@
+import aclManager from "~/server/internal/acls";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.allowUserSuperlevel(h3);
+  return userId !== undefined;
+});

server/api/v2/client/chunk.post.ts

@@ -1,95 +0,0 @@
-import { type } from "arktype";
-import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
-import contextManager from "~/server/internal/downloads/coordinator";
-import libraryManager from "~/server/internal/library";
-import { logger } from "~/server/internal/logging";
-
-const GetChunk = type({
-  context: "string",
-  files: type({
-    filename: "string",
-    chunkIndex: "number",
-  })
-    .array()
-    .atLeastLength(1)
-    .atMostLength(256),
-}).configure(throwingArktype);
-
-export default defineEventHandler(async (h3) => {
-  const body = await readDropValidatedBody(h3, GetChunk);
-
-  const context = await contextManager.fetchContext(body.context);
-  if (!context)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Invalid download context.",
-    });
-
-  const streamFiles = [];
-
-  for (const file of body.files) {
-    const manifestFile = context.manifest[file.filename];
-    if (!manifestFile)
-      throw createError({
-        statusCode: 400,
-        statusMessage: `Unknown file: ${file.filename}`,
-      });
-
-    const start = manifestFile.lengths
-      .slice(0, file.chunkIndex)
-      .reduce((a, b) => a + b, 0);
-    const end = start + manifestFile.lengths[file.chunkIndex];
-
-    streamFiles.push({ filename: file.filename, start, end });
-  }
-
-  setHeader(
-    h3,
-    "Content-Lengths",
-    streamFiles.map((e) => e.end - e.start).join(","),
-  ); // Non-standard header, but we're cool like that 😎
-
-  const streams = await Promise.all(
-    streamFiles.map(async (file) => {
-      const gameReadStream = await libraryManager.readFile(
-        context.libraryId,
-        context.libraryPath,
-        context.versionName,
-        file.filename,
-        { start: file.start, end: file.end },
-      );
-      if (!gameReadStream)
-        throw createError({
-          statusCode: 500,
-          statusMessage: "Failed to create read stream",
-        });
-      return { ...file, stream: gameReadStream };
-    }),
-  );
-
-  for (const file of streams) {
-    let length = 0;
-    await file.stream.pipeTo(
-      new WritableStream({
-        write(chunk) {
-          h3.node.res.write(chunk);
-          length += chunk.length;
-        },
-      }),
-    );
-
-    if (length != file.end - file.start) {
-      logger.warn(
-        `failed to read enough from ${file.filename}. read ${length}, required: ${file.end - file.start}`,
-      );
-      throw createError({
-        statusCode: 500,
-        statusMessage: "Failed to read enough from stream.",
-      });
-    }
-  }
-
-  await h3.node.res.end();
-
-  return;
-});

server/api/v2/client/context.post.ts

@@ -1,22 +0,0 @@
-import { type } from "arktype";
-import { readDropValidatedBody, throwingArktype } from "~/server/arktype";
-import { defineClientEventHandler } from "~/server/internal/clients/event-handler";
-import contextManager from "~/server/internal/downloads/coordinator";
-
-const CreateContext = type({
-  game: "string",
-  version: "string",
-}).configure(throwingArktype);
-
-export default defineClientEventHandler(async (h3) => {
-  const body = await readDropValidatedBody(h3, CreateContext);
-
-  const context = await contextManager.createContext(body.game, body.version);
-  if (!context)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Invalid game or version",
-    });
-
-  return { context };
-});