@ramonclaudio/create-vexpo 0.1.0 → 0.1.2

package/dist/templates/default/convex/pushTokens.ts

@@ -1,35 +1,48 @@
 import { v } from "convex/values";
 
 import { internal } from "./_generated/api";
-import { internalMutation } from "./_generated/server";
+import { internalMutation, internalQuery } from "./_generated/server";
 import { authMutation, authQuery } from "./functions";
+import { rateLimitWithThrow } from "./rateLimit";
 import { deviceTypeValidator } from "./validators";
 
 const THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;
+const NINETY_DAYS_MS = 90 * 24 * 60 * 60 * 1000;
 const CLEANUP_BATCH = 200;
 
 export const upsert = authMutation({
   args: { token: v.string(), deviceType: deviceTypeValidator },
   returns: v.id("pushTokens"),
   handler: async (ctx, { token, deviceType }) => {
+    await rateLimitWithThrow(ctx, "userAction", ctx.user._id.toString());
     const now = Date.now();
-    // Token may belong to a different user (device transferred), so read it
-    // by token first and reassign if needed.
     const existing = await ctx.db
       .query("pushTokens")
       .withIndex("by_token", (q) => q.eq("token", token))
       .unique();
 
     if (existing) {
+      // Same user: refresh timestamps and clear any prior revocation. The
+      // client only re-upserts after `getExpoPushTokenAsync` succeeds, so
+      // if we get here the token is alive again.
       if (existing.userId === ctx.user._id) {
-        await ctx.db.patch(existing._id, { updatedAt: now });
+        await ctx.db.patch(existing._id, {
+          updatedAt: now,
+          lastSeenAt: now,
+          revoked: false,
+          revokedAt: undefined,
+          lastErrorCode: undefined,
+        });
         return existing._id;
       }
-      // Reassign token to current user (device changed owners)
       await ctx.db.patch(existing._id, {
         userId: ctx.user._id,
         deviceType,
         updatedAt: now,
+        lastSeenAt: now,
+        revoked: false,
+        revokedAt: undefined,
+        lastErrorCode: undefined,
       });
       return existing._id;
     }
@@ -40,6 +53,8 @@ export const upsert = authMutation({
       deviceType,
       createdAt: now,
       updatedAt: now,
+      lastSeenAt: now,
+      revoked: false,
     });
   },
 });
@@ -48,6 +63,7 @@ export const remove = authMutation({
   args: { token: v.string() },
   returns: v.null(),
   handler: async (ctx, { token }) => {
+    await rateLimitWithThrow(ctx, "userAction", ctx.user._id.toString());
     const existing = await ctx.db
       .query("pushTokens")
       .withIndex("by_token", (q) => q.eq("token", token))
@@ -71,6 +87,10 @@ export const list = authQuery({
       deviceType: deviceTypeValidator,
       createdAt: v.number(),
       updatedAt: v.number(),
+      lastSeenAt: v.optional(v.number()),
+      revoked: v.optional(v.boolean()),
+      revokedAt: v.optional(v.number()),
+      lastErrorCode: v.optional(v.string()),
     }),
   ),
   handler: async (ctx) => {
@@ -85,6 +105,7 @@ export const removeAll = authMutation({
   args: {},
   returns: v.null(),
   handler: async (ctx) => {
+    await rateLimitWithThrow(ctx, "userAction", ctx.user._id.toString());
     const tokens = await ctx.db
       .query("pushTokens")
       .withIndex("by_user", (q) => q.eq("userId", ctx.user._id))
@@ -94,21 +115,97 @@ export const removeAll = authMutation({
   },
 });
 
+export const listActiveByUser = internalQuery({
+  args: { userId: v.id("users") },
+  returns: v.array(
+    v.object({
+      _id: v.id("pushTokens"),
+      token: v.string(),
+    }),
+  ),
+  handler: async (ctx, { userId }) => {
+    const rows = await ctx.db
+      .query("pushTokens")
+      .withIndex("by_user", (q) => q.eq("userId", userId))
+      .collect();
+    return rows.filter((r) => !r.revoked).map((r) => ({ _id: r._id, token: r.token }));
+  },
+});
+
+/**
+ * Tombstone tokens whose Expo Push receipts came back with a permanent
+ * error. The row sticks around for 30 days so a transient client retry
+ * doesn't resurrect a dead device, then `cleanupStale` drops it.
+ *
+ * `errorCode` is one of Expo's documented values: `DeviceNotRegistered`,
+ * `InvalidCredentials`, `MismatchSenderId`, etc. Only the permanent codes
+ * are passed here; transient errors stay active.
+ *
+ * https://docs.expo.dev/push-notifications/sending-notifications/#individual-push-notification-errors
+ */
+export const markRevoked = internalMutation({
+  args: {
+    tokenIds: v.array(v.id("pushTokens")),
+    errorCode: v.string(),
+  },
+  returns: v.number(),
+  handler: async (ctx, { tokenIds, errorCode }) => {
+    const now = Date.now();
+    let revoked = 0;
+    for (const id of tokenIds) {
+      const row = await ctx.db.get(id);
+      if (!row) continue;
+      await ctx.db.patch(id, {
+        revoked: true,
+        revokedAt: now,
+        updatedAt: now,
+        lastErrorCode: errorCode,
+      });
+      revoked++;
+    }
+    return revoked;
+  },
+});
+
 /**
- * Delete push tokens older than 30 days, in bounded batches. Reschedules
- * itself when more rows remain so we never load an unbounded set into memory.
+ * Daily cleanup. Drops revoked rows older than 30 days and stale rows
+ * never re-upserted in 90 days. Bounded batches; reschedules when more
+ * rows remain so we never load an unbounded set into memory.
+ *
+ * The old behavior keyed on `_creationTime`, which deleted long-lived
+ * rows even when the device was active. The correct signal is
+ * `updatedAt`, which the client touches on every successful re-upsert.
  */
 export const cleanupStale = internalMutation({
   args: {},
   returns: v.number(),
   handler: async (ctx) => {
-    const cutoff = Date.now() - THIRTY_DAYS_MS;
-    const batch = await ctx.db.query("pushTokens").order("asc").take(CLEANUP_BATCH);
-    const stale = batch.filter((t) => t._creationTime < cutoff);
-    await Promise.all(stale.map((t) => ctx.db.delete(t._id)));
-    if (batch.length === CLEANUP_BATCH) {
+    const now = Date.now();
+    const revokedCutoff = now - THIRTY_DAYS_MS;
+    const staleCutoff = now - NINETY_DAYS_MS;
+
+    // The index is [revoked, updatedAt] and Convex orders `false < true`, so an
+    // unbounded ascending scan returns every active row before any tombstone;
+    // at scale the revoked rows would never be reached. Range each partition
+    // explicitly. Active rows are always written with `revoked: false`, so the
+    // two ranges together cover every row.
+    const revoked = await ctx.db
+      .query("pushTokens")
+      .withIndex("by_revoked_updatedAt", (q) =>
+        q.eq("revoked", true).lt("updatedAt", revokedCutoff),
+      )
+      .take(CLEANUP_BATCH);
+    const stale = await ctx.db
+      .query("pushTokens")
+      .withIndex("by_revoked_updatedAt", (q) => q.eq("revoked", false).lt("updatedAt", staleCutoff))
+      .take(CLEANUP_BATCH);
+
+    const removable = [...revoked, ...stale];
+    await Promise.all(removable.map((t) => ctx.db.delete(t._id)));
+
+    if (revoked.length === CLEANUP_BATCH || stale.length === CLEANUP_BATCH) {
       await ctx.scheduler.runAfter(0, internal.pushTokens.cleanupStale, {});
     }
-    return stale.length;
+    return removable.length;
   },
 });

package/dist/templates/default/convex/rateLimit.ts

@@ -1,26 +1,9 @@
-/**
- * Rate Limiting Configuration
- *
- * Uses the @convex-dev/rate-limiter component for application-level rate
- * limiting.
- *
- * Authentication-related rate limiting (sign-in, sign-up, password reset)
- * is handled by Better Auth at the HTTP layer. See convex/auth.ts.
- *
- * @see https://www.convex.dev/components/rate-limiter
- */
-
 import { HOUR, MINUTE, RateLimiter } from "@convex-dev/rate-limiter";
 
 import { components } from "./_generated/api";
 import type { MutationCtx } from "./_generated/server";
 
-/**
- * Rate limiter instance using the component.
- * Defines all application rate limits in one place.
- */
 export const rateLimiter = new RateLimiter(components.rateLimiter, {
-  // Read operations: permissive for good UX, sharded for throughput
   apiRead: {
     kind: "token bucket",
     rate: 100,
@@ -29,7 +12,6 @@ export const rateLimiter = new RateLimiter(components.rateLimiter, {
     shards: 2,
   },
 
-  // Write operations: stricter to prevent abuse
   apiWrite: {
     kind: "token bucket",
     rate: 30,
@@ -37,7 +19,6 @@ export const rateLimiter = new RateLimiter(components.rateLimiter, {
     capacity: 10,
   },
 
-  // General authenticated user actions
   userAction: {
     kind: "token bucket",
     rate: 60,
@@ -45,17 +26,21 @@ export const rateLimiter = new RateLimiter(components.rateLimiter, {
     capacity: 10,
   },
 
-  // For operations that MUST eventually succeed (use with reserve: true)
+  // Sensitive account mutations (delete/restore). A throttle, not a hard block:
+  // a legitimate one-shot call never approaches the capacity-5 bucket, and a
+  // throttled caller's tokens refill at `rate`, so a retry after the
+  // `retryAfter` window succeeds. That, not `reserve`, is how these "must
+  // eventually succeed" (reserve returns ok-with-retryAfter, which `throws`
+  // would reject anyway, and is meant for deferred/scheduled work, not a
+  // synchronous mutation that returns its result inline). Apple 5.1.1(v) in-app
+  // deletion still works: a real user deletes once.
   criticalAction: {
     kind: "token bucket",
     rate: 10,
     period: MINUTE,
     capacity: 5,
-    maxReserved: 20,
   },
 
-  // Avatar uploads (product-specific). Generous burst capacity so users
-  // tweaking their photo a few times in a row don't trip it.
   avatarUpload: { kind: "token bucket", rate: 30, period: HOUR, capacity: 10 },
 });
 
@@ -66,9 +51,6 @@ export type RateLimitName =
   | "criticalAction"
   | "avatarUpload";
 
-/**
- * Apply a rate limit and throw automatically if exceeded.
- */
 export async function rateLimitWithThrow(
   ctx: MutationCtx,
   name: RateLimitName,
@@ -77,16 +59,3 @@ export async function rateLimitWithThrow(
 ) {
   return rateLimiter.limit(ctx, name, { key, count, throws: true });
 }
-
-/**
- * Consume rate limit tokens without throwing.
- * Returns { ok, retryAfter } so HTTP callers can build a 429 response.
- */
-export async function consumeLimit(
-  ctx: MutationCtx,
-  name: RateLimitName,
-  key?: string,
-  count?: number,
-) {
-  return rateLimiter.limit(ctx, name, { key, count });
-}

package/dist/templates/default/convex/schema.ts

@@ -3,26 +3,69 @@ import { v } from "convex/values";
 
 export default defineSchema(
   {
-    // App-specific user row mirrored from Better Auth via auth triggers.
-    // Identity fields (name, email, username, image) live on the Better Auth
-    // user component and are merged in at read time by safeGetAuthenticatedUser.
     users: defineTable({
       authId: v.string(),
       bio: v.optional(v.string()),
       avatar: v.optional(v.id("_storage")),
       createdAt: v.number(),
       updatedAt: v.number(),
-    }).index("authId", ["authId"]),
+      deletedAt: v.optional(v.number()),
+    })
+      .index("authId", ["authId"])
+      .index("by_deletedAt", ["deletedAt"]),
+
+    accountDeletionAudit: defineTable({
+      userId: v.id("users"),
+      authId: v.string(),
+      event: v.union(v.literal("requested"), v.literal("restored"), v.literal("permanent")),
+      at: v.number(),
+    })
+      .index("by_user", ["userId"])
+      .index("by_event_at", ["event", "at"]),
 
+    // On a permanent Expo Push error we tombstone (set `revoked`) instead of
+    // deleting, so a race-condition re-upsert doesn't resurrect a dead token.
     pushTokens: defineTable({
       userId: v.id("users"),
       token: v.string(),
       deviceType: v.literal("ios"),
       createdAt: v.number(),
       updatedAt: v.number(),
+      lastSeenAt: v.optional(v.number()),
+      revoked: v.optional(v.boolean()),
+      revokedAt: v.optional(v.number()),
+      lastErrorCode: v.optional(v.string()),
     })
       .index("by_user", ["userId"])
-      .index("by_token", ["token"]),
+      .index("by_token", ["token"])
+      .index("by_revoked_updatedAt", ["revoked", "updatedAt"]),
+
+    // We expire unused challenges after the TTL so a stolen App Attest
+    // challenge can't be replayed later.
+    appAttestChallenges: defineTable({
+      nonce: v.string(),
+      expiresAt: v.number(),
+      used: v.optional(v.boolean()),
+    })
+      .index("by_nonce", ["nonce"])
+      .index("by_expiresAt", ["expiresAt"]),
+
+    appAttestKeys: defineTable({
+      // Apple's keyId (base64-encoded SHA256 of the public key per
+      // App Attest spec).
+      keyId: v.string(),
+      publicKey: v.string(),
+      // Monotonic counter from the most recent assertion. Reject any
+      // assertion with a counter not strictly greater than this.
+      counter: v.number(),
+      // Dev attestations (`appattestdevelop`) are allowed in non-production
+      // Convex env but should never appear in a production app's signed binary.
+      environment: v.union(v.literal("development"), v.literal("production")),
+      attestedAt: v.number(),
+      userId: v.optional(v.id("users")),
+    })
+      .index("by_keyId", ["keyId"])
+      .index("by_user", ["userId"]),
   },
   { strictTableNameTypes: true },
 );

package/dist/templates/default/convex/tsconfig.json

@@ -8,6 +8,7 @@
     "allowSyntheticDefaultImports": true,
     "target": "ESNext",
     "lib": ["ES2021", "dom"],
+    "types": ["node"],
     "forceConsistentCasingInFileNames": true,
     "module": "ESNext",
     "isolatedModules": true,

package/dist/templates/default/convex/users.ts

@@ -1,16 +1,9 @@
-/**
- * User Queries and Mutations
- *
- * CRUD operations for the app users table.
- * Identity fields (name, email, username, image) live on the Better Auth user
- * and are merged in at read time by safeGetAuthenticatedUser in auth.ts.
- */
-
 import { v } from "convex/values";
 
-import { components } from "./_generated/api";
+import { components, internal } from "./_generated/api";
 import type { Id } from "./_generated/dataModel";
 import type { MutationCtx } from "./_generated/server";
+import { internalMutation } from "./_generated/server";
 import { authComponent, authUserValidator } from "./auth";
 import { validationError } from "./errors";
 import { authMutation, optionalAuthQuery } from "./functions";
@@ -22,14 +15,6 @@ import {
   validateBio,
 } from "./validators";
 
-// ============================================================================
-// Queries
-// ============================================================================
-
-/**
- * Get the current authenticated user's profile with resolved avatar URL.
- * Returns null when unauthenticated.
- */
 export const getMe = optionalAuthQuery({
   args: {},
   returns: v.union(authUserValidator, v.null()),
@@ -39,10 +24,8 @@ export const getMe = optionalAuthQuery({
 });
 
 /**
- * Get a user by app user id with Better Auth identity fields merged in.
  * Accepts an arbitrary string and normalizes it via `ctx.db.normalizeId`,
- * so untrusted inputs can be passed straight through. Returns null when the
- * id is malformed or either record is missing.
+ * so untrusted inputs can be passed straight through.
  */
 export const getUser = optionalAuthQuery({
   args: { userId: v.string() },
@@ -75,10 +58,6 @@ export const getUser = optionalAuthQuery({
   },
 });
 
-/**
- * List users (paginated) with Better Auth identity fields merged in.
- * Entries with a missing Better Auth record are skipped.
- */
 export const listUsers = optionalAuthQuery({
   args: {
     cursor: v.optional(v.string()),
@@ -122,14 +101,6 @@ export const listUsers = optionalAuthQuery({
   },
 });
 
-// ============================================================================
-// Mutations
-// ============================================================================
-
-/**
- * Update the current user's bio. Name and username changes go through
- * Better Auth directly via authClient.updateUser on the client.
- */
 export const updateProfile = authMutation({
   args: userProfileUpdateFields,
   returns: v.id("users"),
@@ -150,10 +121,6 @@ export const updateProfile = authMutation({
   },
 });
 
-/**
- * Generate an upload URL for avatar images.
- * The URL expires in 1 hour.
- */
 export const generateAvatarUploadUrl = authMutation({
   args: {},
   returns: v.string(),
@@ -164,8 +131,6 @@ export const generateAvatarUploadUrl = authMutation({
 });
 
 /**
- * Update the current user's avatar with a storage id.
- * Deletes the previous uploaded avatar from storage if one exists.
  * Does not touch Better Auth's image field - that's for provider-supplied URLs.
  */
 export const updateAvatar = authMutation({
@@ -185,11 +150,6 @@ export const updateAvatar = authMutation({
   },
 });
 
-/**
- * Delete the current user's uploaded avatar.
- * Removes the file from storage and clears the avatar field. After deletion,
- * Better Auth's image (e.g. OAuth provider avatar) is used as the fallback.
- */
 export const deleteAvatar = authMutation({
   args: {},
   returns: v.object({ success: v.boolean() }),
@@ -207,43 +167,165 @@ export const deleteAvatar = authMutation({
   },
 });
 
+// 30-day grace window between a user requesting deletion and the row
+// being permanently purged. Apple's 5.1.1(v) requires deletability from
+// within the app; the window lets a confused tap be recovered. After it
+// expires, `internal.users.hardDeleteExpired` purges everything irreversibly.
+export const ACCOUNT_DELETION_GRACE_MS = 30 * 24 * 60 * 60 * 1000;
+const HARD_DELETE_BATCH = 50;
+
 /**
- * Delete the current user's account.
- * Removes app-owned data (push tokens) and all Better Auth records.
- * The `users` row is dropped by the auth `onDelete` trigger.
+ * Better Auth credentials stay intact until the 30-day window expires so a
+ * returning user can call `restoreAccount` to undo the request.
+ *
+ * Apple `revokeRefreshToken` runs at the hard-delete pass, not here, so
+ * a user who restores within the window can still use Sign in with Apple
+ * without re-granting authorization in iOS Settings.
  */
 export const deleteAccount = authMutation({
   args: {},
-  returns: v.object({ success: v.boolean() }),
+  returns: v.object({ success: v.boolean(), deletedAt: v.number() }),
   handler: async (ctx) => {
+    await rateLimitWithThrow(ctx, "criticalAction", ctx.user._id.toString());
     const authUserId = ctx.user.authUserId;
+    const userId = ctx.user._id;
+    const now = Date.now();
+
+    if (ctx.user.deletedAt) {
+      return { success: true, deletedAt: ctx.user.deletedAt };
+    }
 
     const pushTokens = await ctx.db
       .query("pushTokens")
-      .withIndex("by_user", (q) => q.eq("userId", ctx.user._id))
+      .withIndex("by_user", (q) => q.eq("userId", userId))
       .collect();
     await Promise.all(pushTokens.map((t) => ctx.db.delete(t._id)));
 
-    const authUser = await authComponent.safeGetAuthUser(ctx);
-
     await deleteAllByUserId(ctx, "session", authUserId);
-    await deleteAllByUserId(ctx, "account", authUserId);
-    await deleteAllByUserId(ctx, "twoFactor", authUserId);
-    await deleteAllByUserId(ctx, "oauthAccessToken", authUserId);
-    await deleteAllByUserId(ctx, "oauthConsent", authUserId);
-    await deleteAllByUserId(ctx, "oauthApplication", authUserId);
-    if (authUser?.email) await deleteVerificationByIdentifier(ctx, authUser.email);
-
-    // Deleting the Better Auth user fires the `onDelete` trigger which
-    // removes the matching app users row and frees the avatar blob.
-    await ctx.runMutation(components.betterAuth.adapter.deleteOne, {
-      input: { model: "user", where: [{ field: "_id", value: authUserId }] },
+
+    await ctx.db.patch(userId, { deletedAt: now, updatedAt: now });
+
+    await ctx.db.insert("accountDeletionAudit", {
+      userId,
+      authId: authUserId,
+      event: "requested",
+      at: now,
+    });
+
+    return { success: true, deletedAt: now };
+  },
+});
+
+export const restoreAccount = authMutation({
+  args: {},
+  returns: v.object({ success: v.boolean() }),
+  handler: async (ctx) => {
+    await rateLimitWithThrow(ctx, "criticalAction", ctx.user._id.toString());
+    const now = Date.now();
+
+    if (!ctx.user.deletedAt) return { success: true };
+
+    await ctx.db.patch(ctx.user._id, { deletedAt: undefined, updatedAt: now });
+
+    await ctx.db.insert("accountDeletionAudit", {
+      userId: ctx.user._id,
+      authId: ctx.user.authUserId,
+      event: "restored",
+      at: now,
     });
 
     return { success: true };
   },
 });
 
+/**
+ * Revokes Apple Sign In refresh tokens per Apple App Store guideline
+ * 5.1.1(v): "If people used Sign in with Apple to create an account
+ * within your app, you revoke the associated tokens when they delete
+ * their account."
+ *
+ * Deleting the Better Auth user fires the `onDelete` trigger that drops
+ * the app users row and frees the avatar blob.
+ */
+export const hardDeleteExpired = internalMutation({
+  args: {},
+  returns: v.number(),
+  handler: async (ctx) => {
+    const cutoff = Date.now() - ACCOUNT_DELETION_GRACE_MS;
+    // Range to rows that have `deletedAt` set. Convex orders
+    // `undefined < null < numbers`, so an unbounded scan returns every active
+    // user (deletedAt unset) before any tombstone, and the purge would never
+    // reach a soft-deleted row once active users exceed the batch size.
+    const expired = await ctx.db
+      .query("users")
+      .withIndex("by_deletedAt", (q) => q.gt("deletedAt", undefined))
+      .order("asc")
+      .take(HARD_DELETE_BATCH);
+
+    const purgeable = expired.filter(
+      (u) => typeof u.deletedAt === "number" && u.deletedAt < cutoff,
+    );
+
+    for (const user of purgeable) {
+      await purgeUser(ctx, user.authId, user._id);
+    }
+
+    if (expired.length === HARD_DELETE_BATCH && purgeable.length > 0) {
+      await ctx.scheduler.runAfter(0, internal.users.hardDeleteExpired, {});
+    }
+
+    return purgeable.length;
+  },
+});
+
+async function purgeUser(ctx: MutationCtx, authUserId: string, userId: Id<"users">): Promise<void> {
+  // Snapshot the email before tearing down Better Auth so we can also
+  // drop any pending verification rows keyed on it.
+  const authUser = (await ctx.runQuery(components.betterAuth.adapter.findOne, {
+    model: "user",
+    where: [{ field: "_id", value: authUserId }],
+  })) as { email?: string } | null;
+
+  // Revoke Apple Sign In refresh tokens before deleting the account rows.
+  // Schedule (not await) so a slow Apple endpoint doesn't hold the
+  // mutation transaction open.
+  const appleAccounts = (await ctx.runQuery(components.betterAuth.adapter.findMany, {
+    model: "account",
+    where: [
+      { field: "userId", value: authUserId },
+      { field: "providerId", value: "apple", connector: "AND" },
+    ],
+    paginationOpts: { numItems: 100, cursor: null },
+  })) as { page: Array<Record<string, unknown>> };
+  for (const account of appleAccounts.page) {
+    const token = account.refreshToken;
+    if (typeof token === "string" && token.length > 0) {
+      await ctx.scheduler.runAfter(0, internal.apple.revokeRefreshToken, {
+        refreshToken: token,
+      });
+    }
+  }
+
+  await deleteAllByUserId(ctx, "session", authUserId);
+  await deleteAllByUserId(ctx, "account", authUserId);
+  await deleteAllByUserId(ctx, "twoFactor", authUserId);
+  await deleteAllByUserId(ctx, "oauthAccessToken", authUserId);
+  await deleteAllByUserId(ctx, "oauthConsent", authUserId);
+  await deleteAllByUserId(ctx, "oauthApplication", authUserId);
+  if (authUser?.email) await deleteVerificationByIdentifier(ctx, authUser.email);
+
+  await ctx.runMutation(components.betterAuth.adapter.deleteOne, {
+    input: { model: "user", where: [{ field: "_id", value: authUserId }] },
+  });
+
+  await ctx.db.insert("accountDeletionAudit", {
+    userId,
+    authId: authUserId,
+    event: "permanent",
+    at: Date.now(),
+  });
+}
+
 type UserIdModel =
   | "session"
   | "account"