@codefox-inc/oauth-provider 0.2.0

package/dist/component/queries.d.ts

@@ -0,0 +1,127 @@
+/**
+ * Get OAuth Client by clientId
+ */
+export declare const getClient: import("convex/server").RegisteredQuery<"public", {
+    clientId: string;
+}, Promise<{
+    _id: import("convex/values").GenericId<"oauthClients">;
+    _creationTime: number;
+    description?: string | undefined;
+    logoUrl?: string | undefined;
+    website?: string | undefined;
+    tosUrl?: string | undefined;
+    policyUrl?: string | undefined;
+    clientSecret?: string | undefined;
+    isInternal?: boolean | undefined;
+    name: string;
+    clientId: string;
+    type: "public" | "confidential";
+    redirectUris: string[];
+    allowedScopes: string[];
+    createdAt: number;
+} | null>>;
+/**
+ * Get Refresh Token
+ *
+ * Note: Tokens are stored as SHA-256 hashes. This query hashes the input
+ * before lookup, with backward compatibility for plaintext tokens.
+ */
+export declare const getRefreshToken: import("convex/server").RegisteredQuery<"public", {
+    refreshToken: string;
+}, Promise<{
+    _id: import("convex/values").GenericId<"oauthTokens">;
+    _creationTime: number;
+    refreshToken?: string | undefined;
+    refreshTokenExpiresAt?: number | undefined;
+    authorizationCode?: string | undefined;
+    clientId: string;
+    userId: string;
+    scopes: string[];
+    expiresAt: number;
+    accessToken: string;
+} | null>>;
+/**
+ * List OAuth Clients (for admin)
+ */
+export declare const listClients: import("convex/server").RegisteredQuery<"public", {}, Promise<{
+    clientSecret: undefined;
+    _id: import("convex/values").GenericId<"oauthClients">;
+    _creationTime: number;
+    description?: string | undefined;
+    logoUrl?: string | undefined;
+    website?: string | undefined;
+    tosUrl?: string | undefined;
+    policyUrl?: string | undefined;
+    isInternal?: boolean | undefined;
+    name: string;
+    clientId: string;
+    type: "public" | "confidential";
+    redirectUris: string[];
+    allowedScopes: string[];
+    createdAt: number;
+}[]>>;
+/**
+ * Get tokens by user ID
+ */
+export declare const getTokensByUser: import("convex/server").RegisteredQuery<"public", {
+    userId: string;
+}, Promise<{
+    _id: import("convex/values").GenericId<"oauthTokens">;
+    _creationTime: number;
+    refreshToken?: string | undefined;
+    refreshTokenExpiresAt?: number | undefined;
+    authorizationCode?: string | undefined;
+    clientId: string;
+    userId: string;
+    scopes: string[];
+    expiresAt: number;
+    accessToken: string;
+}[]>>;
+/**
+ * Get authorization for a specific user-client pair
+ */
+export declare const getAuthorization: import("convex/server").RegisteredQuery<"public", {
+    clientId: string;
+    userId: string;
+}, Promise<{
+    _id: import("convex/values").GenericId<"oauthAuthorizations">;
+    _creationTime: number;
+    lastUsedAt?: number | undefined;
+    clientId: string;
+    userId: string;
+    scopes: string[];
+    authorizedAt: number;
+} | null>>;
+/**
+ * Check if authorization exists (for revocation check)
+ * Returns true if authorization is valid, false if revoked or not found
+ */
+export declare const hasAuthorization: import("convex/server").RegisteredQuery<"public", {
+    clientId: string;
+    userId: string;
+}, Promise<boolean>>;
+/**
+ * Check if user has any valid authorization (for OAuth token validation)
+ * If user has no authorizations, they shouldn't be able to access via OAuth
+ */
+export declare const hasAnyAuthorization: import("convex/server").RegisteredQuery<"public", {
+    userId: string;
+}, Promise<boolean>>;
+/**
+ * List all authorizations for a user (with client info)
+ */
+export declare const listUserAuthorizations: import("convex/server").RegisteredQuery<"public", {
+    userId: string;
+}, Promise<{
+    clientName: string;
+    clientLogoUrl: string | undefined;
+    clientWebsite: string | undefined;
+    _id: import("convex/values").GenericId<"oauthAuthorizations">;
+    _creationTime: number;
+    lastUsedAt?: number | undefined;
+    clientId: string;
+    userId: string;
+    scopes: string[];
+    authorizedAt: number;
+}[]>>;
+//# sourceMappingURL=queries.d.ts.map

package/dist/component/queries.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"queries.d.ts","sourceRoot":"","sources":["../../src/component/queries.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;UAQpB,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,eAAe;;;;;;;;;;;;;UAsB1B,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;KAUtB,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,eAAe;;;;;;;;;;;;;KAQ1B,CAAC;AAMH;;GAEG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;UAa3B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,gBAAgB;;;oBAc3B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;;oBAW9B,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;KA2BjC,CAAC"}

package/dist/component/queries.js

@@ -0,0 +1,145 @@
+import { v } from "convex/values";
+import { query } from "./_generated/server";
+import { hashToken, isHashedToken } from "./token_security";
+/**
+ * Get OAuth Client by clientId
+ */
+export const getClient = query({
+    args: { clientId: v.string() },
+    handler: async (ctx, args) => {
+        return await ctx.db
+            .query("oauthClients")
+            .withIndex("by_client_id", (q) => q.eq("clientId", args.clientId))
+            .unique();
+    },
+});
+/**
+ * Get Refresh Token
+ *
+ * Note: Tokens are stored as SHA-256 hashes. This query hashes the input
+ * before lookup, with backward compatibility for plaintext tokens.
+ */
+export const getRefreshToken = query({
+    args: { refreshToken: v.string() },
+    handler: async (ctx, args) => {
+        // Hash the token for lookup
+        const refreshTokenHash = await hashToken(args.refreshToken);
+        // Try hash lookup first
+        let token = await ctx.db
+            .query("oauthTokens")
+            .withIndex("by_refresh_token", (q) => q.eq("refreshToken", refreshTokenHash))
+            .unique();
+        // Backward compatibility: try plaintext lookup if hash lookup fails
+        if (!token && !isHashedToken(args.refreshToken)) {
+            token = await ctx.db
+                .query("oauthTokens")
+                .withIndex("by_refresh_token", (q) => q.eq("refreshToken", args.refreshToken))
+                .unique();
+        }
+        return token;
+    },
+});
+/**
+ * List OAuth Clients (for admin)
+ */
+export const listClients = query({
+    args: {},
+    handler: async (ctx) => {
+        const clients = await ctx.db.query("oauthClients").collect();
+        // Don't return secrets
+        return clients.map(client => ({
+            ...client,
+            clientSecret: undefined,
+        }));
+    },
+});
+/**
+ * Get tokens by user ID
+ */
+export const getTokensByUser = query({
+    args: { userId: v.string() },
+    handler: async (ctx, args) => {
+        return await ctx.db
+            .query("oauthTokens")
+            .withIndex("by_user", (q) => q.eq("userId", args.userId))
+            .collect();
+    },
+});
+// --------------------------------------------------------------------------
+// Authorization Queries
+// --------------------------------------------------------------------------
+/**
+ * Get authorization for a specific user-client pair
+ */
+export const getAuthorization = query({
+    args: {
+        userId: v.string(),
+        clientId: v.string(),
+    },
+    handler: async (ctx, args) => {
+        return await ctx.db
+            .query("oauthAuthorizations")
+            .withIndex("by_user_client", (q) => q.eq("userId", args.userId).eq("clientId", args.clientId))
+            .unique();
+    },
+});
+/**
+ * Check if authorization exists (for revocation check)
+ * Returns true if authorization is valid, false if revoked or not found
+ */
+export const hasAuthorization = query({
+    args: {
+        userId: v.string(),
+        clientId: v.string(),
+    },
+    handler: async (ctx, args) => {
+        const auth = await ctx.db
+            .query("oauthAuthorizations")
+            .withIndex("by_user_client", (q) => q.eq("userId", args.userId).eq("clientId", args.clientId))
+            .unique();
+        return auth !== null;
+    },
+});
+/**
+ * Check if user has any valid authorization (for OAuth token validation)
+ * If user has no authorizations, they shouldn't be able to access via OAuth
+ */
+export const hasAnyAuthorization = query({
+    args: {
+        userId: v.string(),
+    },
+    handler: async (ctx, args) => {
+        const auth = await ctx.db
+            .query("oauthAuthorizations")
+            .withIndex("by_user", (q) => q.eq("userId", args.userId))
+            .first();
+        return auth !== null;
+    },
+});
+/**
+ * List all authorizations for a user (with client info)
+ */
+export const listUserAuthorizations = query({
+    args: { userId: v.string() },
+    handler: async (ctx, args) => {
+        const authorizations = await ctx.db
+            .query("oauthAuthorizations")
+            .withIndex("by_user", (q) => q.eq("userId", args.userId))
+            .collect();
+        // Enrich with client info
+        const result = await Promise.all(authorizations.map(async (auth) => {
+            const client = await ctx.db
+                .query("oauthClients")
+                .withIndex("by_client_id", (q) => q.eq("clientId", auth.clientId))
+                .unique();
+            return {
+                ...auth,
+                clientName: client?.name ?? "Unknown App",
+                clientLogoUrl: client?.logoUrl,
+                clientWebsite: client?.website,
+            };
+        }));
+        return result;
+    },
+});
+//# sourceMappingURL=queries.js.map

package/dist/component/queries.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"queries.js","sourceRoot":"","sources":["../../src/component/queries.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,eAAe,CAAC;AAClC,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAE5D;;GAEG;AACH,MAAM,CAAC,MAAM,SAAS,GAAG,KAAK,CAAC;IAC3B,IAAI,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE;IAC9B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,OAAO,MAAM,GAAG,CAAC,EAAE;aACd,KAAK,CAAC,cAAc,CAAC;aACrB,SAAS,CAAC,cAAc,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;aACjE,MAAM,EAAE,CAAC;IAClB,CAAC;CACJ,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,KAAK,CAAC;IACjC,IAAI,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE;IAClC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,4BAA4B;QAC5B,MAAM,gBAAgB,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAE5D,wBAAwB;QACxB,IAAI,KAAK,GAAG,MAAM,GAAG,CAAC,EAAE;aACnB,KAAK,CAAC,aAAa,CAAC;aACpB,SAAS,CAAC,kBAAkB,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,cAAc,EAAE,gBAAgB,CAAC,CAAC;aAC5E,MAAM,EAAE,CAAC;QAEd,oEAAoE;QACpE,IAAI,CAAC,KAAK,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9C,KAAK,GAAG,MAAM,GAAG,CAAC,EAAE;iBACf,KAAK,CAAC,aAAa,CAAC;iBACpB,SAAS,CAAC,kBAAkB,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,cAAc,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;iBAC7E,MAAM,EAAE,CAAC;QAClB,CAAC;QAED,OAAO,KAAK,CAAC;IACjB,CAAC;CACJ,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,KAAK,CAAC;IAC7B,IAAI,EAAE,EAAE;IACR,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;QACnB,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,OAAO,EAAE,CAAC;QAC7D,uBAAuB;QACvB,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAC1B,GAAG,MAAM;YACT,YAAY,EAAE,SAAS;SAC1B,CAAC,CAAC,CAAC;IACR,CAAC;CACJ,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,KAAK,CAAC;IACjC,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE;IAC5B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,OAAO,MAAM,GAAG,CAAC,EAAE;aACd,KAAK,CAAC,aAAa,CAAC;aACpB,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;aACxD,OAAO,EAAE,CAAC;IACnB,CAAC;CACJ,CAAC,CAAC;AAEH,6EAA6E;AAC7E,wBAAwB;AACxB,6EAA6E;AAE7E;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,CAAC;IAClC,IAAI,EAAE;QACF,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;KACvB;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,OAAO,MAAM,GAAG,CAAC,EAAE;aACd,KAAK,CAAC,qBAAqB,CAAC;aAC5B,SAAS,CAAC,gBAAgB,EAAE,CAAC,CAAC,EAAE,EAAE,CAC/B,CAAC,CAAC,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,CAC5D;aACA,MAAM,EAAE,CAAC;IAClB,CAAC;CACJ,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,CAAC;IAClC,IAAI,EAAE;QACF,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;KACvB;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,EAAE;aACpB,KAAK,CAAC,qBAAqB,CAAC;aAC5B,SAAS,CAAC,gBAAgB,EAAE,CAAC,CAAC,EAAE,EAAE,CAC/B,CAAC,CAAC,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,CAC5D;aACA,MAAM,EAAE,CAAC;QACd,OAAO,IAAI,KAAK,IAAI,CAAC;IACzB,CAAC;CACJ,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,KAAK,CAAC;IACrC,IAAI,EAAE;QACF,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;KACrB;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,EAAE;aACpB,KAAK,CAAC,qBAAqB,CAAC;aAC5B,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;aACxD,KAAK,EAAE,CAAC;QACb,OAAO,IAAI,KAAK,IAAI,CAAC;IACzB,CAAC;CACJ,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,KAAK,CAAC;IACxC,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE;IAC5B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACzB,MAAM,cAAc,GAAG,MAAM,GAAG,CAAC,EAAE;aAC9B,KAAK,CAAC,qBAAqB,CAAC;aAC5B,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;aACxD,OAAO,EAAE,CAAC;QAEf,0BAA0B;QAC1B,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAC5B,cAAc,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;YAC9B,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,EAAE;iBACtB,KAAK,CAAC,cAAc,CAAC;iBACrB,SAAS,CAAC,cAAc,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;iBACjE,MAAM,EAAE,CAAC;YAEd,OAAO;gBACH,GAAG,IAAI;gBACP,UAAU,EAAE,MAAM,EAAE,IAAI,IAAI,aAAa;gBACzC,aAAa,EAAE,MAAM,EAAE,OAAO;gBAC9B,aAAa,EAAE,MAAM,EAAE,OAAO;aACjC,CAAC;QACN,CAAC,CAAC,CACL,CAAC;QAEF,OAAO,MAAM,CAAC;IAClB,CAAC;CACJ,CAAC,CAAC"}

package/dist/component/schema.d.ts

@@ -0,0 +1,116 @@
+declare const _default: import("convex/server").SchemaDefinition<{
+    /**
+     * OAuth Clients
+     * Registered applications that can request authorization
+     */
+    oauthClients: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        description?: string | undefined;
+        logoUrl?: string | undefined;
+        website?: string | undefined;
+        tosUrl?: string | undefined;
+        policyUrl?: string | undefined;
+        clientSecret?: string | undefined;
+        isInternal?: boolean | undefined;
+        name: string;
+        clientId: string;
+        type: "public" | "confidential";
+        redirectUris: string[];
+        allowedScopes: string[];
+        createdAt: number;
+    }, {
+        name: import("convex/values").VString<string, "required">;
+        description: import("convex/values").VString<string | undefined, "optional">;
+        logoUrl: import("convex/values").VString<string | undefined, "optional">;
+        website: import("convex/values").VString<string | undefined, "optional">;
+        tosUrl: import("convex/values").VString<string | undefined, "optional">;
+        policyUrl: import("convex/values").VString<string | undefined, "optional">;
+        clientId: import("convex/values").VString<string, "required">;
+        clientSecret: import("convex/values").VString<string | undefined, "optional">;
+        type: import("convex/values").VUnion<"public" | "confidential", [import("convex/values").VLiteral<"confidential", "required">, import("convex/values").VLiteral<"public", "required">], "required", never>;
+        redirectUris: import("convex/values").VArray<string[], import("convex/values").VString<string, "required">, "required">;
+        allowedScopes: import("convex/values").VArray<string[], import("convex/values").VString<string, "required">, "required">;
+        isInternal: import("convex/values").VBoolean<boolean | undefined, "optional">;
+        createdAt: import("convex/values").VFloat64<number, "required">;
+    }, "required", "name" | "description" | "logoUrl" | "website" | "tosUrl" | "policyUrl" | "clientId" | "clientSecret" | "type" | "redirectUris" | "allowedScopes" | "isInternal" | "createdAt">, {
+        by_client_id: ["clientId", "_creationTime"];
+    }, {}, {}>;
+    /**
+     * OAuth Authorization Codes
+     * Short-lived codes for authorization code flow
+     */
+    oauthCodes: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        nonce?: string | undefined;
+        usedAt?: number | undefined;
+        clientId: string;
+        code: string;
+        userId: string;
+        scopes: string[];
+        redirectUri: string;
+        codeChallenge: string;
+        codeChallengeMethod: string;
+        expiresAt: number;
+    }, {
+        code: import("convex/values").VString<string, "required">;
+        clientId: import("convex/values").VString<string, "required">;
+        userId: import("convex/values").VString<string, "required">;
+        scopes: import("convex/values").VArray<string[], import("convex/values").VString<string, "required">, "required">;
+        redirectUri: import("convex/values").VString<string, "required">;
+        codeChallenge: import("convex/values").VString<string, "required">;
+        codeChallengeMethod: import("convex/values").VString<string, "required">;
+        nonce: import("convex/values").VString<string | undefined, "optional">;
+        expiresAt: import("convex/values").VFloat64<number, "required">;
+        usedAt: import("convex/values").VFloat64<number | undefined, "optional">;
+    }, "required", "clientId" | "code" | "userId" | "scopes" | "redirectUri" | "codeChallenge" | "codeChallengeMethod" | "nonce" | "expiresAt" | "usedAt">, {
+        by_code: ["code", "_creationTime"];
+    }, {}, {}>;
+    /**
+     * OAuth Tokens
+     * Access and Refresh tokens
+     */
+    oauthTokens: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        refreshToken?: string | undefined;
+        refreshTokenExpiresAt?: number | undefined;
+        authorizationCode?: string | undefined;
+        clientId: string;
+        userId: string;
+        scopes: string[];
+        expiresAt: number;
+        accessToken: string;
+    }, {
+        accessToken: import("convex/values").VString<string, "required">;
+        refreshToken: import("convex/values").VString<string | undefined, "optional">;
+        clientId: import("convex/values").VString<string, "required">;
+        userId: import("convex/values").VString<string, "required">;
+        scopes: import("convex/values").VArray<string[], import("convex/values").VString<string, "required">, "required">;
+        expiresAt: import("convex/values").VFloat64<number, "required">;
+        refreshTokenExpiresAt: import("convex/values").VFloat64<number | undefined, "optional">;
+        authorizationCode: import("convex/values").VString<string | undefined, "optional">;
+    }, "required", "clientId" | "userId" | "scopes" | "expiresAt" | "accessToken" | "refreshToken" | "refreshTokenExpiresAt" | "authorizationCode">, {
+        by_access_token: ["accessToken", "_creationTime"];
+        by_refresh_token: ["refreshToken", "_creationTime"];
+        by_user: ["userId", "_creationTime"];
+        by_authorization_code: ["authorizationCode", "_creationTime"];
+    }, {}, {}>;
+    /**
+     * OAuth Authorizations
+     * User consent records - persists beyond token expiry
+     */
+    oauthAuthorizations: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        lastUsedAt?: number | undefined;
+        clientId: string;
+        userId: string;
+        scopes: string[];
+        authorizedAt: number;
+    }, {
+        userId: import("convex/values").VString<string, "required">;
+        clientId: import("convex/values").VString<string, "required">;
+        scopes: import("convex/values").VArray<string[], import("convex/values").VString<string, "required">, "required">;
+        authorizedAt: import("convex/values").VFloat64<number, "required">;
+        lastUsedAt: import("convex/values").VFloat64<number | undefined, "optional">;
+    }, "required", "clientId" | "userId" | "scopes" | "authorizedAt" | "lastUsedAt">, {
+        by_user: ["userId", "_creationTime"];
+        by_user_client: ["userId", "clientId", "_creationTime"];
+    }, {}, {}>;
+}, true>;
+export default _default;
+//# sourceMappingURL=schema.d.ts.map

package/dist/component/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/component/schema.ts"],"names":[],"mappings":";IAII;;;OAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAsBH;;;OAGG;;;;;;;;;;;;;;;;;;;;;;;;;;IAiBH;;;OAGG;;;;;;;;;;;;;;;;;;;;;;;;;IAoBH;;;OAGG;;;;;;;;;;;;;;;;;;AAxEP,wBAwFG"}

package/dist/component/schema.js

@@ -0,0 +1,77 @@
+import { defineSchema, defineTable } from "convex/server";
+import { v } from "convex/values";
+export default defineSchema({
+    /**
+     * OAuth Clients
+     * Registered applications that can request authorization
+     */
+    oauthClients: defineTable({
+        name: v.string(),
+        description: v.optional(v.string()),
+        logoUrl: v.optional(v.string()),
+        website: v.optional(v.string()),
+        tosUrl: v.optional(v.string()),
+        policyUrl: v.optional(v.string()),
+        // Client Credentials
+        clientId: v.string(), // Public ID (UUID v4)
+        clientSecret: v.optional(v.string()), // Hashed Secret (for confidential clients)
+        type: v.union(v.literal("confidential"), v.literal("public")),
+        redirectUris: v.array(v.string()), // Must be exact match
+        allowedScopes: v.array(v.string()), // e.g. ["openid", "profile", "email"]
+        isInternal: v.optional(v.boolean()), // Internal tool flag
+        createdAt: v.number(),
+    }).index("by_client_id", ["clientId"]),
+    /**
+     * OAuth Authorization Codes
+     * Short-lived codes for authorization code flow
+     */
+    oauthCodes: defineTable({
+        code: v.string(),
+        clientId: v.string(),
+        userId: v.string(), // Convex users table Id (string, not v.id since component doesn't know about users table)
+        scopes: v.array(v.string()),
+        redirectUri: v.string(),
+        // PKCE
+        codeChallenge: v.string(),
+        codeChallengeMethod: v.string(), // "S256" or "plain"
+        nonce: v.optional(v.string()), // OIDC Nonce
+        expiresAt: v.number(), // Usually 10 minutes
+        usedAt: v.optional(v.number()), // RFC Line 1136: Track code usage for replay detection
+    }).index("by_code", ["code"]),
+    /**
+     * OAuth Tokens
+     * Access and Refresh tokens
+     */
+    oauthTokens: defineTable({
+        accessToken: v.string(),
+        refreshToken: v.optional(v.string()),
+        clientId: v.string(),
+        userId: v.string(), // Convex users table Id (string)
+        scopes: v.array(v.string()),
+        expiresAt: v.number(), // Access Token Expiry
+        refreshTokenExpiresAt: v.optional(v.number()), // Refresh Token Expiry
+        // RFC Line 1136: Track which authorization code issued this token for replay detection
+        authorizationCode: v.optional(v.string()), // Hashed authorization code
+    })
+        .index("by_access_token", ["accessToken"])
+        .index("by_refresh_token", ["refreshToken"])
+        .index("by_user", ["userId"])
+        .index("by_authorization_code", ["authorizationCode"]),
+    /**
+     * OAuth Authorizations
+     * User consent records - persists beyond token expiry
+     */
+    oauthAuthorizations: defineTable({
+        userId: v.string(), // Convex users table Id (string)
+        clientId: v.string(),
+        // Authorized scopes
+        scopes: v.array(v.string()),
+        // When the user first authorized this client
+        authorizedAt: v.number(),
+        // Last time a token was issued for this authorization
+        lastUsedAt: v.optional(v.number()),
+    })
+        .index("by_user", ["userId"])
+        .index("by_user_client", ["userId", "clientId"]),
+});
+//# sourceMappingURL=schema.js.map

package/dist/component/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/component/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC1D,OAAO,EAAE,CAAC,EAAE,MAAM,eAAe,CAAC;AAElC,eAAe,YAAY,CAAC;IACxB;;;OAGG;IACH,YAAY,EAAE,WAAW,CAAC;QACtB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACnC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC/B,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC/B,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC9B,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAEjC,qBAAqB;QACrB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,sBAAsB;QAC5C,YAAY,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,2CAA2C;QACjF,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAE7D,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,sBAAsB;QACzD,aAAa,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,sCAAsC;QAE1E,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,qBAAqB;QAE1D,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACxB,CAAC,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,UAAU,CAAC,CAAC;IAEtC;;;OAGG;IACH,UAAU,EAAE,WAAW,CAAC;QACpB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;QACpB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,0FAA0F;QAC9G,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC3B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;QAEvB,OAAO;QACP,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACzB,mBAAmB,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,oBAAoB;QACrD,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,aAAa;QAE5C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,qBAAqB;QAC5C,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,uDAAuD;KAC1F,CAAC,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC,CAAC;IAE7B;;;OAGG;IACH,WAAW,EAAE,WAAW,CAAC;QACrB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;QACvB,YAAY,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAEpC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;QACpB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,iCAAiC;QACrD,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAE3B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,sBAAsB;QAC7C,qBAAqB,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,uBAAuB;QAEtE,uFAAuF;QACvF,iBAAiB,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,4BAA4B;KAC1E,CAAC;SACG,KAAK,CAAC,iBAAiB,EAAE,CAAC,aAAa,CAAC,CAAC;SACzC,KAAK,CAAC,kBAAkB,EAAE,CAAC,cAAc,CAAC,CAAC;SAC3C,KAAK,CAAC,SAAS,EAAE,CAAC,QAAQ,CAAC,CAAC;SAC5B,KAAK,CAAC,uBAAuB,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAE1D;;;OAGG;IACH,mBAAmB,EAAE,WAAW,CAAC;QAC7B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,iCAAiC;QACrD,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;QAEpB,oBAAoB;QACpB,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAE3B,6CAA6C;QAC7C,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QAExB,sDAAsD;QACtD,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KACrC,CAAC;SACG,KAAK,CAAC,SAAS,EAAE,CAAC,QAAQ,CAAC,CAAC;SAC5B,KAAK,CAAC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;CACvD,CAAC,CAAC"}

package/dist/component/token_security.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Token Security Utilities for OAuth Provider (Web Crypto API)
+ *
+ * Provides secure token hashing for database storage.
+ * Tokens are hashed using SHA-256 before storage - the original token
+ * value is never stored, only returned to the client during issuance.
+ *
+ * This is more secure than encryption because:
+ * 1. Even with DB access + encryption key, tokens can't be recovered
+ * 2. Token validation only requires hash comparison
+ * 3. Clients already have the original token
+ *
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+ */
+/**
+ * Creates a SHA-256 hash of a token for secure storage.
+ *
+ * @param token - The plaintext token to hash
+ * @returns Hex-encoded hash suitable for database storage and indexing
+ *
+ * @example
+ * ```typescript
+ * const accessToken = generateCode(64);
+ * const accessTokenHash = await hashToken(accessToken);
+ * // Store accessTokenHash in DB, return accessToken to client
+ * ```
+ */
+export declare function hashToken(token: string): Promise<string>;
+/**
+ * Verifies a token against its stored hash.
+ *
+ * @param token - The plaintext token to verify
+ * @param hash - The stored hash to compare against
+ * @returns true if the token matches the hash
+ */
+export declare function verifyToken(token: string, hash: string): Promise<boolean>;
+/**
+ * Checks if a value looks like a SHA-256 hash (64 hex characters).
+ * Used for backward compatibility during migration.
+ *
+ * @param value - The value to check
+ * @returns true if the value appears to be a hash
+ */
+export declare function isHashedToken(value: string): boolean;
+/**
+ * Hash a token if it's not already hashed.
+ * Used for backward compatibility during migration.
+ *
+ * @param token - Token that may or may not be hashed
+ * @returns The hash (either computed or passed through if already hashed)
+ */
+export declare function ensureHashed(token: string): Promise<string>;
+//# sourceMappingURL=token_security.d.ts.map

package/dist/component/token_security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token_security.d.ts","sourceRoot":"","sources":["../../src/component/token_security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AASH;;;;;;;;;;;;GAYG;AACH,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAU9D;AAiBD;;;;;;GAMG;AACH,wBAAsB,WAAW,CAC7B,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,CAAC,CAIlB;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAEpD;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKjE"}

package/dist/component/token_security.js

@@ -0,0 +1,91 @@
+/**
+ * Token Security Utilities for OAuth Provider (Web Crypto API)
+ *
+ * Provides secure token hashing for database storage.
+ * Tokens are hashed using SHA-256 before storage - the original token
+ * value is never stored, only returned to the client during issuance.
+ *
+ * This is more secure than encryption because:
+ * 1. Even with DB access + encryption key, tokens can't be recovered
+ * 2. Token validation only requires hash comparison
+ * 3. Clients already have the original token
+ *
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
+ */
+/**
+ * Convert string to Uint8Array
+ */
+function stringToBytes(str) {
+    return new TextEncoder().encode(str);
+}
+/**
+ * Creates a SHA-256 hash of a token for secure storage.
+ *
+ * @param token - The plaintext token to hash
+ * @returns Hex-encoded hash suitable for database storage and indexing
+ *
+ * @example
+ * ```typescript
+ * const accessToken = generateCode(64);
+ * const accessTokenHash = await hashToken(accessToken);
+ * // Store accessTokenHash in DB, return accessToken to client
+ * ```
+ */
+export async function hashToken(token) {
+    const tokenBytes = stringToBytes(token);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", tokenBytes.buffer);
+    const hashArray = new Uint8Array(hashBuffer);
+    return Array.from(hashArray)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+/**
+ * Timing-safe string comparison to prevent timing attacks.
+ * Compares two strings in constant time regardless of where they differ.
+ */
+function timingSafeEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return result === 0;
+}
+/**
+ * Verifies a token against its stored hash.
+ *
+ * @param token - The plaintext token to verify
+ * @param hash - The stored hash to compare against
+ * @returns true if the token matches the hash
+ */
+export async function verifyToken(token, hash) {
+    const tokenHash = await hashToken(token);
+    // Use timing-safe comparison to prevent timing attacks
+    return timingSafeEqual(tokenHash, hash);
+}
+/**
+ * Checks if a value looks like a SHA-256 hash (64 hex characters).
+ * Used for backward compatibility during migration.
+ *
+ * @param value - The value to check
+ * @returns true if the value appears to be a hash
+ */
+export function isHashedToken(value) {
+    return /^[a-f0-9]{64}$/.test(value);
+}
+/**
+ * Hash a token if it's not already hashed.
+ * Used for backward compatibility during migration.
+ *
+ * @param token - Token that may or may not be hashed
+ * @returns The hash (either computed or passed through if already hashed)
+ */
+export async function ensureHashed(token) {
+    if (isHashedToken(token)) {
+        return token;
+    }
+    return hashToken(token);
+}
+//# sourceMappingURL=token_security.js.map

package/dist/component/token_security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token_security.js","sourceRoot":"","sources":["../../src/component/token_security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH;;GAEG;AACH,SAAS,aAAa,CAAC,GAAW;IAC9B,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;AACzC,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,KAAa;IACzC,MAAM,UAAU,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC,SAAS,EACT,UAAU,CAAC,MAAqB,CACnC,CAAC;IACF,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IAC7C,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;SACvB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CAAC,CAAS,EAAE,CAAS;IACzC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACjB,CAAC;IACD,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,MAAM,KAAK,CAAC,CAAC;AACxB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC7B,KAAa,EACb,IAAY;IAEZ,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;IACzC,uDAAuD;IACvD,OAAO,eAAe,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,KAAa;IACvC,OAAO,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,KAAa;IAC5C,IAAI,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC;IACjB,CAAC;IACD,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC;AAC5B,CAAC"}

package/dist/lib/convex-types.d.ts

@@ -0,0 +1,21 @@
+import type { FunctionReference, FunctionVisibility, FunctionArgs, FunctionReturnType } from "convex/server";
+/**
+ * Convex component common Context types
+ *
+ * Unified RunQueryCtx, RunMutationCtx, RunActionCtx that were defined separately in each package.
+ *
+ * Using generics, infer return value types from FunctionReference.
+ * - FunctionVisibility: supports both internal/public functions
+ * - FunctionArgs<F>: extracts function argument types
+ * - FunctionReturnType<F>: extracts function return value types
+ */
+export type RunQueryCtx = {
+    runQuery<F extends FunctionReference<"query", FunctionVisibility>>(query: F, args: FunctionArgs<F>): Promise<FunctionReturnType<F>>;
+};
+export type RunMutationCtx = RunQueryCtx & {
+    runMutation<F extends FunctionReference<"mutation", FunctionVisibility>>(mutation: F, args: FunctionArgs<F>): Promise<FunctionReturnType<F>>;
+};
+export type RunActionCtx = RunMutationCtx & {
+    runAction<F extends FunctionReference<"action", FunctionVisibility>>(action: F, args: FunctionArgs<F>): Promise<FunctionReturnType<F>>;
+};
+//# sourceMappingURL=convex-types.d.ts.map