Merge branch 'dev' into private-site-ha

server/db/pg/driver.ts

@@ -1,7 +1,7 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
+import { createPool } from "./poolConfig";
 
 function createDb() {
     const config = readConfigFile();
@@ -39,12 +39,17 @@ function createDb() {
 
     // Create connection pools instead of individual connections
     const poolConfig = config.postgres.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "primary"
+    );
 
     const replicas = [];
 
@@ -55,14 +60,15 @@ function createDb() {
             })
         );
     } else {
+        const maxReplicaConnections = poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -85,3 +91,4 @@ export const primaryDb = db.$primary;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
 >[0];
+export const DB_TYPE: "pg" | "sqlite" = "pg";

server/db/pg/logsDriver.ts

@@ -1,9 +1,9 @@
 import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
 import { readConfigFile } from "@server/lib/readConfigFile";
 import { withReplicas } from "drizzle-orm/pg-core";
 import { build } from "@server/build";
 import { db as mainDb, primaryDb as mainPrimaryDb } from "./driver";
+import { createPool } from "./poolConfig";
 
 function createLogsDb() {
     // Only use separate logs database in SaaS builds
@@ -42,12 +42,17 @@ function createLogsDb() {
 
     // Create separate connection pool for logs database
     const poolConfig = logsConfig?.pool || config.postgres?.pool;
-    const primaryPool = new Pool({
+    const maxConnections = poolConfig?.max_connections || 20;
+    const idleTimeoutMs = poolConfig?.idle_timeout_ms || 30000;
+    const connectionTimeoutMs = poolConfig?.connection_timeout_ms || 5000;
+
+    const primaryPool = createPool(
         connectionString,
-        max: poolConfig?.max_connections || 20,
-        idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-        connectionTimeoutMillis: poolConfig?.connection_timeout_ms || 5000
-    });
+        maxConnections,
+        idleTimeoutMs,
+        connectionTimeoutMs,
+        "logs-primary"
+    );
 
     const replicas = [];
 
@@ -58,14 +63,16 @@ function createLogsDb() {
             })
         );
     } else {
+        const maxReplicaConnections =
+            poolConfig?.max_replica_connections || 20;
         for (const conn of replicaConnections) {
-            const replicaPool = new Pool({
-                connectionString: conn.connection_string,
-                max: poolConfig?.max_replica_connections || 20,
-                idleTimeoutMillis: poolConfig?.idle_timeout_ms || 30000,
-                connectionTimeoutMillis:
-                    poolConfig?.connection_timeout_ms || 5000
-            });
+            const replicaPool = createPool(
+                conn.connection_string,
+                maxReplicaConnections,
+                idleTimeoutMs,
+                connectionTimeoutMs,
+                "logs-replica"
+            );
             replicas.push(
                 DrizzlePostgres(replicaPool, {
                     logger: process.env.QUERY_LOGGING == "true"
@@ -84,4 +91,4 @@ function createLogsDb() {
 
 export const logsDb = createLogsDb();
 export default logsDb;
-export const primaryLogsDb = logsDb.$primary;
+export const primaryLogsDb = logsDb.$primary;

server/db/pg/poolConfig.ts

@@ -0,0 +1,63 @@
+import { Pool, PoolConfig } from "pg";
+import logger from "@server/logger";
+
+export function createPoolConfig(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number
+): PoolConfig {
+    return {
+        connectionString,
+        max: maxConnections,
+        idleTimeoutMillis: idleTimeoutMs,
+        connectionTimeoutMillis: connectionTimeoutMs,
+        // TCP keepalive to prevent silent connection drops by NAT gateways,
+        // load balancers, and other intermediate network devices (e.g. AWS
+        // NAT Gateway drops idle TCP connections after ~350s)
+        keepAlive: true,
+        keepAliveInitialDelayMillis: 10000, // send first keepalive after 10s of idle
+        // Allow connections to be released and recreated more aggressively
+        // to avoid stale connections building up
+        allowExitOnIdle: false
+    };
+}
+
+export function attachPoolErrorHandlers(pool: Pool, label: string): void {
+    pool.on("error", (err) => {
+        // This catches errors on idle clients in the pool. Without this
+        // handler an unexpected disconnect would crash the process.
+        logger.error(
+            `Unexpected error on idle ${label} database client: ${err.message}`
+        );
+    });
+
+    pool.on("connect", (client) => {
+        // Set a statement timeout on every new connection so a single slow
+        // query can't block the pool forever
+        client.query("SET statement_timeout = '30s'").catch((err: Error) => {
+            logger.warn(
+                `Failed to set statement_timeout on ${label} client: ${err.message}`
+            );
+        });
+    });
+}
+
+export function createPool(
+    connectionString: string,
+    maxConnections: number,
+    idleTimeoutMs: number,
+    connectionTimeoutMs: number,
+    label: string
+): Pool {
+    const pool = new Pool(
+        createPoolConfig(
+            connectionString,
+            maxConnections,
+            idleTimeoutMs,
+            connectionTimeoutMs
+        )
+    );
+    attachPoolErrorHandlers(pool, label);
+    return pool;
+}

server/db/pg/schema/privateSchema.ts

@@ -7,7 +7,9 @@ import {
     bigint,
     real,
     text,
-    index
+    index,
+    primaryKey,
+    uniqueIndex
 } from "drizzle-orm/pg-core";
 import { InferSelectModel } from "drizzle-orm";
 import {
@@ -17,7 +19,9 @@ import {
     users,
     exitNodes,
     sessions,
-    clients
+    clients,
+    siteResources,
+    sites
 } from "./schema";
 
 export const certificates = pgTable("certificates", {
@@ -89,7 +93,9 @@ export const subscriptions = pgTable("subscriptions", {
 
 export const subscriptionItems = pgTable("subscriptionItems", {
     subscriptionItemId: serial("subscriptionItemId").primaryKey(),
-    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", { length: 255 }),
+    stripeSubscriptionItemId: varchar("stripeSubscriptionItemId", {
+        length: 255
+    }),
     subscriptionId: varchar("subscriptionId", { length: 255 })
         .notNull()
         .references(() => subscriptions.subscriptionId, {
@@ -286,6 +292,7 @@ export const accessAuditLog = pgTable(
         actor: varchar("actor", { length: 255 }),
         actorId: varchar("actorId", { length: 255 }),
         resourceId: integer("resourceId"),
+        siteResourceId: integer("siteResourceId"),
         ip: varchar("ip", { length: 45 }),
         type: varchar("type", { length: 100 }).notNull(),
         action: boolean("action").notNull(),
@@ -302,6 +309,45 @@ export const accessAuditLog = pgTable(
     ]
 );
 
+export const connectionAuditLog = pgTable(
+    "connectionAuditLog",
+    {
+        id: serial("id").primaryKey(),
+        sessionId: text("sessionId").notNull(),
+        siteResourceId: integer("siteResourceId").references(
+            () => siteResources.siteResourceId,
+            { onDelete: "cascade" }
+        ),
+        orgId: text("orgId").references(() => orgs.orgId, {
+            onDelete: "cascade"
+        }),
+        siteId: integer("siteId").references(() => sites.siteId, {
+            onDelete: "cascade"
+        }),
+        clientId: integer("clientId").references(() => clients.clientId, {
+            onDelete: "cascade"
+        }),
+        userId: text("userId").references(() => users.userId, {
+            onDelete: "cascade"
+        }),
+        sourceAddr: text("sourceAddr").notNull(),
+        destAddr: text("destAddr").notNull(),
+        protocol: text("protocol").notNull(),
+        startedAt: integer("startedAt").notNull(),
+        endedAt: integer("endedAt"),
+        bytesTx: integer("bytesTx"),
+        bytesRx: integer("bytesRx")
+    },
+    (table) => [
+        index("idx_accessAuditLog_startedAt").on(table.startedAt),
+        index("idx_accessAuditLog_org_startedAt").on(
+            table.orgId,
+            table.startedAt
+        ),
+        index("idx_accessAuditLog_siteResourceId").on(table.siteResourceId)
+    ]
+);
+
 export const approvals = pgTable("approvals", {
     approvalId: serial("approvalId").primaryKey(),
     timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
@@ -329,13 +375,89 @@ export const approvals = pgTable("approvals", {
 });
 
 export const bannedEmails = pgTable("bannedEmails", {
-    email: varchar("email", { length: 255 }).primaryKey(),
+    email: varchar("email", { length: 255 }).primaryKey()
 });
 
 export const bannedIps = pgTable("bannedIps", {
-    ip: varchar("ip", { length: 255 }).primaryKey(),
+    ip: varchar("ip", { length: 255 }).primaryKey()
 });
 
+export const siteProvisioningKeys = pgTable("siteProvisioningKeys", {
+    siteProvisioningKeyId: varchar("siteProvisioningKeyId", {
+        length: 255
+    }).primaryKey(),
+    name: varchar("name", { length: 255 }).notNull(),
+    siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
+    lastChars: varchar("lastChars", { length: 4 }).notNull(),
+    createdAt: varchar("dateCreated", { length: 255 }).notNull(),
+    lastUsed: varchar("lastUsed", { length: 255 }),
+    maxBatchSize: integer("maxBatchSize"), // null = no limit
+    numUsed: integer("numUsed").notNull().default(0),
+    validUntil: varchar("validUntil", { length: 255 }),
+    approveNewSites: boolean("approveNewSites").notNull().default(true)
+});
+
+export const siteProvisioningKeyOrg = pgTable(
+    "siteProvisioningKeyOrg",
+    {
+        siteProvisioningKeyId: varchar("siteProvisioningKeyId", {
+            length: 255
+        })
+            .notNull()
+            .references(() => siteProvisioningKeys.siteProvisioningKeyId, {
+                onDelete: "cascade"
+            }),
+        orgId: varchar("orgId", { length: 255 })
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" })
+    },
+    (table) => [
+        primaryKey({
+            columns: [table.siteProvisioningKeyId, table.orgId]
+        })
+    ]
+);
+
+export const eventStreamingDestinations = pgTable(
+    "eventStreamingDestinations",
+    {
+        destinationId: serial("destinationId").primaryKey(),
+        orgId: varchar("orgId", { length: 255 })
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        sendConnectionLogs: boolean("sendConnectionLogs").notNull().default(false),
+        sendRequestLogs: boolean("sendRequestLogs").notNull().default(false),
+        sendActionLogs: boolean("sendActionLogs").notNull().default(false),
+        sendAccessLogs: boolean("sendAccessLogs").notNull().default(false),
+        type: varchar("type", { length: 50 }).notNull(), // e.g. "http", "kafka", etc.
+        config: text("config").notNull(), // JSON string with the configuration for the destination
+        enabled: boolean("enabled").notNull().default(true),
+        createdAt: bigint("createdAt", { mode: "number" }).notNull(),
+        updatedAt: bigint("updatedAt", { mode: "number" }).notNull()
+    }
+);
+
+export const eventStreamingCursors = pgTable(
+    "eventStreamingCursors",
+    {
+        cursorId: serial("cursorId").primaryKey(),
+        destinationId: integer("destinationId")
+            .notNull()
+            .references(() => eventStreamingDestinations.destinationId, {
+                onDelete: "cascade"
+            }),
+        logType: varchar("logType", { length: 50 }).notNull(), // "request" | "action" | "access" | "connection"
+        lastSentId: bigint("lastSentId", { mode: "number" }).notNull().default(0),
+        lastSentAt: bigint("lastSentAt", { mode: "number" }) // epoch milliseconds, null if never sent
+    },
+    (table) => [
+        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
+            table.destinationId,
+            table.logType
+        )
+    ]
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -357,3 +479,19 @@ export type LoginPage = InferSelectModel<typeof loginPage>;
 export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
+export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
+export type SessionTransferToken = InferSelectModel<
+    typeof sessionTransferToken
+>;
+export type BannedEmail = InferSelectModel<typeof bannedEmails>;
+export type BannedIp = InferSelectModel<typeof bannedIps>;
+export type SiteProvisioningKey = InferSelectModel<typeof siteProvisioningKeys>;
+export type SiteProvisioningKeyOrg = InferSelectModel<
+    typeof siteProvisioningKeyOrg
+>;
+export type EventStreamingDestination = InferSelectModel<
+    typeof eventStreamingDestinations
+>;
+export type EventStreamingCursor = InferSelectModel<
+    typeof eventStreamingCursors
+>;

server/db/pg/schema/schema.ts

@@ -6,9 +6,11 @@ import {
     index,
     integer,
     pgTable,
+    primaryKey,
     real,
     serial,
     text,
+    unique,
     varchar
 } from "drizzle-orm/pg-core";
 
@@ -55,6 +57,9 @@ export const orgs = pgTable("orgs", {
     settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
         .notNull()
         .default(0),
+    settingsLogRetentionDaysConnection: integer("settingsLogRetentionDaysConnection") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0),
     sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
     sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
     isBillingOrg: boolean("isBillingOrg"),
@@ -95,7 +100,8 @@ export const sites = pgTable("sites", {
     publicKey: varchar("publicKey"),
     lastHolePunch: bigint("lastHolePunch", { mode: "number" }),
     listenPort: integer("listenPort"),
-    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true)
+    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true),
+    status: varchar("status").$type<"pending" | "approved">().default("approved")
 });
 
 export const resources = pgTable("resources", {
@@ -319,7 +325,8 @@ export const users = pgTable("user", {
     termsVersion: varchar("termsVersion"),
     marketingEmailConsent: boolean("marketingEmailConsent").default(false),
     serverAdmin: boolean("serverAdmin").notNull().default(false),
-    lastPasswordChange: bigint("lastPasswordChange", { mode: "number" })
+    lastPasswordChange: bigint("lastPasswordChange", { mode: "number" }),
+    locale: varchar("locale")
 });
 
 export const newts = pgTable("newt", {
@@ -367,9 +374,6 @@ export const userOrgs = pgTable("userOrgs", {
             onDelete: "cascade"
         })
         .notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId),
     isOwner: boolean("isOwner").notNull().default(false),
     autoProvisioned: boolean("autoProvisioned").default(false),
     pamUsername: varchar("pamUsername") // cleaned username for ssh and such
@@ -418,6 +422,22 @@ export const roles = pgTable("roles", {
     sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 
+export const userOrgRoles = pgTable(
+    "userOrgRoles",
+    {
+        userId: varchar("userId")
+            .notNull()
+            .references(() => users.userId, { onDelete: "cascade" }),
+        orgId: varchar("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
+);
+
 export const roleActions = pgTable("roleActions", {
     roleId: integer("roleId")
         .notNull()
@@ -485,12 +505,22 @@ export const userInvites = pgTable("userInvites", {
         .references(() => orgs.orgId, { onDelete: "cascade" }),
     email: varchar("email").notNull(),
     expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
-    tokenHash: varchar("token").notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId, { onDelete: "cascade" })
+    tokenHash: varchar("token").notNull()
 });
 
+export const userInviteRoles = pgTable(
+    "userInviteRoles",
+    {
+        inviteId: varchar("inviteId")
+            .notNull()
+            .references(() => userInvites.inviteId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [primaryKey({ columns: [t.inviteId, t.roleId] })]
+);
+
 export const resourcePincode = pgTable("resourcePincode", {
     pincodeId: serial("pincodeId").primaryKey(),
     resourceId: integer("resourceId")
@@ -1066,7 +1096,9 @@ export type UserSite = InferSelectModel<typeof userSites>;
 export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
+export type UserInviteRole = InferSelectModel<typeof userInviteRoles>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
+export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;

server/db/queries/verifySessionQueries.ts

@@ -1,4 +1,12 @@
-import { db, loginPage, LoginPage, loginPageOrg, Org, orgs, roles } from "@server/db";
+import {
+    db,
+    loginPage,
+    LoginPage,
+    loginPageOrg,
+    Org,
+    orgs,
+    roles
+} from "@server/db";
 import {
     Resource,
     ResourcePassword,
@@ -12,13 +20,12 @@ import {
     resources,
     roleResources,
     sessions,
-    userOrgs,
     userResources,
     users,
     ResourceHeaderAuthExtendedCompatibility,
     resourceHeaderAuthExtendedCompatibility
 } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray } from "drizzle-orm";
 
 export type ResourceWithAuth = {
     resource: Resource | null;
@@ -104,24 +111,15 @@ export async function getUserSessionWithUser(
 }
 
 /**
- * Get user organization role
+ * Get role name by role ID (for display).
  */
-export async function getUserOrgRole(userId: string, orgId: string) {
-    const userOrgRole = await db
-        .select({
-            userId: userOrgs.userId,
-            orgId: userOrgs.orgId,
-            roleId: userOrgs.roleId,
-            isOwner: userOrgs.isOwner,
-            autoProvisioned: userOrgs.autoProvisioned,
-            roleName: roles.name
-        })
-        .from(userOrgs)
-        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
-        .leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
+export async function getRoleName(roleId: number): Promise<string | null> {
+    const [row] = await db
+        .select({ name: roles.name })
+        .from(roles)
+        .where(eq(roles.roleId, roleId))
         .limit(1);
-
-    return userOrgRole.length > 0 ? userOrgRole[0] : null;
+    return row?.name ?? null;
 }
 
 /**
@@ -129,7 +127,7 @@ export async function getUserOrgRole(userId: string, orgId: string) {
  */
 export async function getRoleResourceAccess(
     resourceId: number,
-    roleId: number
+    roleIds: number[]
 ) {
     const roleResourceAccess = await db
         .select()
@@ -137,12 +135,11 @@ export async function getRoleResourceAccess(
         .where(
             and(
                 eq(roleResources.resourceId, resourceId),
-                eq(roleResources.roleId, roleId)
+                inArray(roleResources.roleId, roleIds)
             )
-        )
-        .limit(1);
+        );
 
-    return roleResourceAccess.length > 0 ? roleResourceAccess[0] : null;
+    return roleResourceAccess.length > 0 ? roleResourceAccess : null;
 }
 
 /**

server/db/regions.ts

@@ -0,0 +1,196 @@
+// Regions of the World
+// as of 2025-10-25
+//
+// Adapted according to the United Nations Geoscheme
+// see https://www.unicode.org/cldr/charts/48/supplemental/territory_containment_un_m_49.html
+// see https://unstats.un.org/unsd/methodology/m49
+
+export const REGIONS = [
+    {
+        name: "regionAfrica",
+        id: "002",
+        includes: [
+            {
+                name: "regionNorthernAfrica",
+                id: "015",
+                countries: ["DZ", "EG", "LY", "MA", "SD", "TN", "EH"]
+            },
+            {
+                name: "regionEasternAfrica",
+                id: "014",
+                countries: ["IO", "BI", "KM", "DJ", "ER", "ET", "TF", "KE", "MG", "MW", "MU", "YT", "MZ", "RE", "RW", "SC", "SO", "SS", "UG", "ZM", "ZW"]
+            },
+            {
+                name: "regionMiddleAfrica",
+                id: "017",
+                countries: ["AO", "CM", "CF", "TD", "CG", "CD", "GQ", "GA", "ST"]
+            },
+            {
+                name: "regionSouthernAfrica",
+                id: "018",
+                countries: ["BW", "SZ", "LS", "NA", "ZA"]
+            },
+            {
+                name: "regionWesternAfrica",
+                id: "011",
+                countries: ["BJ", "BF", "CV", "CI", "GM", "GH", "GN", "GW", "LR", "ML", "MR", "NE", "NG", "SH", "SN", "SL", "TG"]
+            }
+        ]
+    },
+    {
+        name: "regionAmericas",
+        id: "019",
+        includes: [
+            {
+                name: "regionCaribbean",
+                id: "029",
+                countries: ["AI", "AG", "AW", "BS", "BB", "BQ", "VG", "KY", "CU", "CW", "DM", "DO", "GD", "GP", "HT", "JM", "MQ", "MS", "PR", "BL", "KN", "LC", "MF", "VC", "SX", "TT", "TC", "VI"]
+            },
+            {
+                name: "regionCentralAmerica",
+                id: "013",
+                countries: ["BZ", "CR", "SV", "GT", "HN", "MX", "NI", "PA"]
+            },
+            {
+                name: "regionSouthAmerica",
+                id: "005",
+                countries: ["AR", "BO", "BV", "BR", "CL", "CO", "EC", "FK", "GF", "GY", "PY", "PE", "GS", "SR", "UY", "VE"]
+            },
+            {
+                name: "regionNorthernAmerica",
+                id: "021",
+                countries: ["BM", "CA", "GL", "PM", "US"]
+            }
+        ]
+    },
+    {
+        name: "regionAsia",
+        id: "142",
+        includes: [
+            {
+                name: "regionCentralAsia",
+                id: "143",
+                countries: ["KZ", "KG", "TJ", "TM", "UZ"]
+            },
+            {
+                name: "regionEasternAsia",
+                id: "030",
+                countries: ["CN", "HK", "MO", "KP", "JP", "MN", "KR"]
+            },
+            {
+                name: "regionSouthEasternAsia",
+                id: "035",
+                countries: ["BN", "KH", "ID", "LA", "MY", "MM", "PH", "SG", "TH", "TL", "VN"]
+            },
+            {
+                name: "regionSouthernAsia",
+                id: "034",
+                countries: ["AF", "BD", "BT", "IN", "IR", "MV", "NP", "PK", "LK"]
+            },
+            {
+                name: "regionWesternAsia",
+                id: "145",
+                countries: ["AM", "AZ", "BH", "CY", "GE", "IQ", "IL", "JO", "KW", "LB", "OM", "QA", "SA", "PS", "SY", "TR", "AE", "YE"]
+            }
+        ]
+    },
+    {
+        name: "regionEurope",
+        id: "150",
+        includes: [
+            {
+                name: "regionEasternEurope",
+                id: "151",
+                countries: ["BY", "BG", "CZ", "HU", "PL", "MD", "RO", "RU", "SK", "UA"]
+            },
+            {
+                name: "regionNorthernEurope",
+                id: "154",
+                countries: ["AX", "DK", "EE", "FO", "FI", "GG", "IS", "IE", "IM", "JE", "LV", "LT", "NO", "SJ", "SE", "GB"]
+            },
+            {
+                name: "regionSouthernEurope",
+                id: "039",
+                countries: ["AL", "AD", "BA", "HR", "GI", "GR", "VA", "IT", "MT", "ME", "MK", "PT", "SM", "RS", "SI", "ES"]
+            },
+            {
+                name: "regionWesternEurope",
+                id: "155",
+                countries: ["AT", "BE", "FR", "DE", "LI", "LU", "MC", "NL", "CH"]
+            }
+        ]
+    },
+    {
+        name: "regionOceania",
+        id: "009",
+        includes: [
+            {
+                name: "regionAustraliaAndNewZealand",
+                id: "053",
+                countries: ["AU", "CX", "CC", "HM", "NZ", "NF"]
+            },
+            {
+                name: "regionMelanesia",
+                id: "054",
+                countries: ["FJ", "NC", "PG", "SB", "VU"]
+            },
+            {
+                name: "regionMicronesia",
+                id: "057",
+                countries: ["GU", "KI", "MH", "FM", "NR", "MP", "PW", "UM"]
+            },
+            {
+                name: "regionPolynesia",
+                id: "061",
+                countries: ["AS", "CK", "PF", "NU", "PN", "WS", "TK", "TO", "TV", "WF"]
+            }
+        ]
+    }
+];
+
+type Subregion = {
+    name: string;
+    id: string;
+    countries: string[];
+};
+
+type Region = {
+    name: string;
+    id: string;
+    includes: Subregion[];
+};
+
+export function getRegionNameById(regionId: string): string | undefined {
+    // Check top-level regions
+    const region = REGIONS.find((r) => r.id === regionId);
+    if (region) {
+        return region.name;
+    }
+
+    // Check subregions
+    for (const region of REGIONS) {
+        for (const subregion of region.includes) {
+            if (subregion.id === regionId) {
+                return subregion.name;
+            }
+        }
+    }
+
+    return undefined;
+}
+
+export function isValidRegionId(regionId: string): boolean {
+    // Check top-level regions
+    if (REGIONS.find((r) => r.id === regionId)) {
+        return true;
+    }
+
+    // Check subregions
+    for (const region of REGIONS) {
+        if (region.includes.find((s) => s.id === regionId)) {
+            return true;
+        }
+    }
+
+    return false;
+}

server/db/sqlite/driver.ts

@@ -23,7 +23,8 @@ export default db;
 export const primaryDb = db;
 export type Transaction = Parameters<
     Parameters<(typeof db)["transaction"]>[0]
->[0];
+    >[0];
+export const DB_TYPE: "pg" | "sqlite" = "sqlite";
 
 function checkFileExists(filePath: string): boolean {
     try {

server/db/sqlite/schema/privateSchema.ts

@@ -2,11 +2,22 @@ import { InferSelectModel } from "drizzle-orm";
 import {
     index,
     integer,
+    primaryKey,
     real,
     sqliteTable,
-    text
+    text,
+    uniqueIndex
 } from "drizzle-orm/sqlite-core";
-import { clients, domains, exitNodes, orgs, sessions, users } from "./schema";
+import {
+    clients,
+    domains,
+    exitNodes,
+    orgs,
+    sessions,
+    siteResources,
+    sites,
+    users
+} from "./schema";
 
 export const certificates = sqliteTable("certificates", {
     certId: integer("certId").primaryKey({ autoIncrement: true }),
@@ -278,6 +289,7 @@ export const accessAuditLog = sqliteTable(
         actor: text("actor"),
         actorId: text("actorId"),
         resourceId: integer("resourceId"),
+        siteResourceId: integer("siteResourceId"),
         ip: text("ip"),
         location: text("location"),
         type: text("type").notNull(),
@@ -294,6 +306,45 @@ export const accessAuditLog = sqliteTable(
     ]
 );
 
+export const connectionAuditLog = sqliteTable(
+    "connectionAuditLog",
+    {
+        id: integer("id").primaryKey({ autoIncrement: true }),
+        sessionId: text("sessionId").notNull(),
+        siteResourceId: integer("siteResourceId").references(
+            () => siteResources.siteResourceId,
+            { onDelete: "cascade" }
+        ),
+        orgId: text("orgId").references(() => orgs.orgId, {
+            onDelete: "cascade"
+        }),
+        siteId: integer("siteId").references(() => sites.siteId, {
+            onDelete: "cascade"
+        }),
+        clientId: integer("clientId").references(() => clients.clientId, {
+            onDelete: "cascade"
+        }),
+        userId: text("userId").references(() => users.userId, {
+            onDelete: "cascade"
+        }),
+        sourceAddr: text("sourceAddr").notNull(),
+        destAddr: text("destAddr").notNull(),
+        protocol: text("protocol").notNull(),
+        startedAt: integer("startedAt").notNull(),
+        endedAt: integer("endedAt"),
+        bytesTx: integer("bytesTx"),
+        bytesRx: integer("bytesRx")
+    },
+    (table) => [
+        index("idx_accessAuditLog_startedAt").on(table.startedAt),
+        index("idx_accessAuditLog_org_startedAt").on(
+            table.orgId,
+            table.startedAt
+        ),
+        index("idx_accessAuditLog_siteResourceId").on(table.siteResourceId)
+    ]
+);
+
 export const approvals = sqliteTable("approvals", {
     approvalId: integer("approvalId").primaryKey({ autoIncrement: true }),
     timestamp: integer("timestamp").notNull(), // this is EPOCH time in seconds
@@ -318,7 +369,6 @@ export const approvals = sqliteTable("approvals", {
         .notNull()
 });
 
-
 export const bannedEmails = sqliteTable("bannedEmails", {
     email: text("email").primaryKey()
 });
@@ -327,6 +377,84 @@ export const bannedIps = sqliteTable("bannedIps", {
     ip: text("ip").primaryKey()
 });
 
+export const siteProvisioningKeys = sqliteTable("siteProvisioningKeys", {
+    siteProvisioningKeyId: text("siteProvisioningKeyId").primaryKey(),
+    name: text("name").notNull(),
+    siteProvisioningKeyHash: text("siteProvisioningKeyHash").notNull(),
+    lastChars: text("lastChars").notNull(),
+    createdAt: text("dateCreated").notNull(),
+    lastUsed: text("lastUsed"),
+    maxBatchSize: integer("maxBatchSize"), // null = no limit
+    numUsed: integer("numUsed").notNull().default(0),
+    validUntil: text("validUntil"),
+    approveNewSites: integer("approveNewSites", { mode: "boolean" })
+        .notNull()
+        .default(true)
+});
+
+export const siteProvisioningKeyOrg = sqliteTable(
+    "siteProvisioningKeyOrg",
+    {
+        siteProvisioningKeyId: text("siteProvisioningKeyId")
+            .notNull()
+            .references(() => siteProvisioningKeys.siteProvisioningKeyId, {
+                onDelete: "cascade"
+            }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" })
+    },
+    (table) => [
+        primaryKey({
+            columns: [table.siteProvisioningKeyId, table.orgId]
+        })
+    ]
+);
+
+export const eventStreamingDestinations = sqliteTable(
+    "eventStreamingDestinations",
+    {
+        destinationId: integer("destinationId").primaryKey({
+            autoIncrement: true
+        }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        sendConnectionLogs: integer("sendConnectionLogs", { mode: "boolean" }).notNull().default(false),
+        sendRequestLogs: integer("sendRequestLogs", { mode: "boolean" }).notNull().default(false),
+        sendActionLogs: integer("sendActionLogs", { mode: "boolean" }).notNull().default(false),
+        sendAccessLogs: integer("sendAccessLogs", { mode: "boolean" }).notNull().default(false),
+        type: text("type").notNull(), // e.g. "http", "kafka", etc.
+        config: text("config").notNull(), // JSON string with the configuration for the destination
+        enabled: integer("enabled", { mode: "boolean" })
+            .notNull()
+            .default(true),
+        createdAt: integer("createdAt").notNull(),
+        updatedAt: integer("updatedAt").notNull()
+    }
+);
+
+export const eventStreamingCursors = sqliteTable(
+    "eventStreamingCursors",
+    {
+        cursorId: integer("cursorId").primaryKey({ autoIncrement: true }),
+        destinationId: integer("destinationId")
+            .notNull()
+            .references(() => eventStreamingDestinations.destinationId, {
+                onDelete: "cascade"
+            }),
+        logType: text("logType").notNull(), // "request" | "action" | "access" | "connection"
+        lastSentId: integer("lastSentId").notNull().default(0),
+        lastSentAt: integer("lastSentAt") // epoch milliseconds, null if never sent
+    },
+    (table) => [
+        uniqueIndex("idx_eventStreamingCursors_dest_type").on(
+            table.destinationId,
+            table.logType
+        )
+    ]
+);
+
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;
@@ -348,3 +476,13 @@ export type LoginPage = InferSelectModel<typeof loginPage>;
 export type LoginPageBranding = InferSelectModel<typeof loginPageBranding>;
 export type ActionAuditLog = InferSelectModel<typeof actionAuditLog>;
 export type AccessAuditLog = InferSelectModel<typeof accessAuditLog>;
+export type ConnectionAuditLog = InferSelectModel<typeof connectionAuditLog>;
+export type BannedEmail = InferSelectModel<typeof bannedEmails>;
+export type BannedIp = InferSelectModel<typeof bannedIps>;
+export type SiteProvisioningKey = InferSelectModel<typeof siteProvisioningKeys>;
+export type EventStreamingDestination = InferSelectModel<
+    typeof eventStreamingDestinations
+>;
+export type EventStreamingCursor = InferSelectModel<
+    typeof eventStreamingCursors
+>;

server/db/sqlite/schema/schema.ts

@@ -1,6 +1,13 @@
 import { randomUUID } from "crypto";
 import { InferSelectModel } from "drizzle-orm";
-import { index, integer, sqliteTable, text } from "drizzle-orm/sqlite-core";
+import {
+    index,
+    integer,
+    primaryKey,
+    sqliteTable,
+    text,
+    unique
+} from "drizzle-orm/sqlite-core";
 
 export const domains = sqliteTable("domains", {
     domainId: text("domainId").primaryKey(),
@@ -47,6 +54,9 @@ export const orgs = sqliteTable("orgs", {
     settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
         .notNull()
         .default(0),
+    settingsLogRetentionDaysConnection: integer("settingsLogRetentionDaysConnection") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
+        .notNull()
+        .default(0),
     sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
     sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
     isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
@@ -103,7 +113,8 @@ export const sites = sqliteTable("sites", {
     listenPort: integer("listenPort"),
     dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
         .notNull()
-        .default(true)
+        .default(true),
+    status: text("status").$type<"pending" | "approved">().default("approved")
 });
 
 export const resources = sqliteTable("resources", {
@@ -353,7 +364,8 @@ export const users = sqliteTable("user", {
     serverAdmin: integer("serverAdmin", { mode: "boolean" })
         .notNull()
         .default(false),
-    lastPasswordChange: integer("lastPasswordChange")
+    lastPasswordChange: integer("lastPasswordChange"),
+    locale: text("locale")
 });
 
 export const securityKeys = sqliteTable("webauthnCredentials", {
@@ -674,9 +686,6 @@ export const userOrgs = sqliteTable("userOrgs", {
             onDelete: "cascade"
         })
         .notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId),
     isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
     autoProvisioned: integer("autoProvisioned", {
         mode: "boolean"
@@ -731,6 +740,22 @@ export const roles = sqliteTable("roles", {
     sshUnixGroups: text("sshUnixGroups").default("[]")
 });
 
+export const userOrgRoles = sqliteTable(
+    "userOrgRoles",
+    {
+        userId: text("userId")
+            .notNull()
+            .references(() => users.userId, { onDelete: "cascade" }),
+        orgId: text("orgId")
+            .notNull()
+            .references(() => orgs.orgId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [unique().on(t.userId, t.orgId, t.roleId)]
+);
+
 export const roleActions = sqliteTable("roleActions", {
     roleId: integer("roleId")
         .notNull()
@@ -816,12 +841,22 @@ export const userInvites = sqliteTable("userInvites", {
         .references(() => orgs.orgId, { onDelete: "cascade" }),
     email: text("email").notNull(),
     expiresAt: integer("expiresAt").notNull(),
-    tokenHash: text("token").notNull(),
-    roleId: integer("roleId")
-        .notNull()
-        .references(() => roles.roleId, { onDelete: "cascade" })
+    tokenHash: text("token").notNull()
 });
 
+export const userInviteRoles = sqliteTable(
+    "userInviteRoles",
+    {
+        inviteId: text("inviteId")
+            .notNull()
+            .references(() => userInvites.inviteId, { onDelete: "cascade" }),
+        roleId: integer("roleId")
+            .notNull()
+            .references(() => roles.roleId, { onDelete: "cascade" })
+    },
+    (t) => [primaryKey({ columns: [t.inviteId, t.roleId] })]
+);
+
 export const resourcePincode = sqliteTable("resourcePincode", {
     pincodeId: integer("pincodeId").primaryKey({
         autoIncrement: true
@@ -1164,7 +1199,9 @@ export type UserSite = InferSelectModel<typeof userSites>;
 export type RoleResource = InferSelectModel<typeof roleResources>;
 export type UserResource = InferSelectModel<typeof userResources>;
 export type UserInvite = InferSelectModel<typeof userInvites>;
+export type UserInviteRole = InferSelectModel<typeof userInviteRoles>;
 export type UserOrg = InferSelectModel<typeof userOrgs>;
+export type UserOrgRole = InferSelectModel<typeof userOrgRoles>;
 export type ResourceSession = InferSelectModel<typeof resourceSessions>;
 export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
 export type ResourcePassword = InferSelectModel<typeof resourcePassword>;