@robelest/convex-auth 0.0.1

package/dist/server/implementation/mutations/verifyCodeAndSignIn.d.ts

@@ -0,0 +1,21 @@
+import { Infer } from "convex/values";
+import { ActionCtx, MutationCtx, SessionInfo } from "../types.js";
+import * as Provider from "../provider.js";
+export declare const verifyCodeAndSignInArgs: import("convex/values").VObject<{
+    provider?: string | undefined;
+    verifier?: string | undefined;
+    generateTokens: boolean;
+    params: any;
+    allowExtraProviders: boolean;
+}, {
+    params: import("convex/values").VAny<any, "required", string>;
+    provider: import("convex/values").VString<string | undefined, "optional">;
+    verifier: import("convex/values").VString<string | undefined, "optional">;
+    generateTokens: import("convex/values").VBoolean<boolean, "required">;
+    allowExtraProviders: import("convex/values").VBoolean<boolean, "required">;
+}, "required", "provider" | "verifier" | "generateTokens" | "params" | "allowExtraProviders" | `params.${string}`>;
+type ReturnType = null | SessionInfo;
+export declare function verifyCodeAndSignInImpl(ctx: MutationCtx, args: Infer<typeof verifyCodeAndSignInArgs>, getProviderOrThrow: Provider.GetProviderOrThrowFunc, config: Provider.Config): Promise<ReturnType>;
+export declare const callVerifyCodeAndSignIn: (ctx: ActionCtx, args: Infer<typeof verifyCodeAndSignInArgs>) => Promise<ReturnType>;
+export {};
+//# sourceMappingURL=verifyCodeAndSignIn.d.ts.map

package/dist/server/implementation/mutations/verifyCodeAndSignIn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyCodeAndSignIn.d.ts","sourceRoot":"","sources":["../../../../src/server/implementation/mutations/verifyCodeAndSignIn.ts"],"names":[],"mappings":"AAAA,OAAO,EAAa,KAAK,EAAK,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAMlE,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAW3C,eAAO,MAAM,uBAAuB;;;;;;;;;;;;kHAMlC,CAAC;AAEH,KAAK,UAAU,GAAG,IAAI,GAAG,WAAW,CAAC;AAErC,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE,KAAK,CAAC,OAAO,uBAAuB,CAAC,EAC3C,kBAAkB,EAAE,QAAQ,CAAC,sBAAsB,EACnD,MAAM,EAAE,QAAQ,CAAC,MAAM,GACtB,OAAO,CAAC,UAAU,CAAC,CAkDrB;AAED,eAAO,MAAM,uBAAuB,GAClC,KAAK,SAAS,EACd,MAAM,KAAK,CAAC,OAAO,uBAAuB,CAAC,KAC1C,OAAO,CAAC,UAAU,CAOpB,CAAC"}

package/dist/server/implementation/mutations/verifyCodeAndSignIn.js

@@ -0,0 +1,127 @@
+import { v } from "convex/values";
+import { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit, } from "../rateLimit.js";
+import { createNewAndDeleteExistingSession, getAuthSessionId, maybeGenerateTokensForSession, } from "../sessions.js";
+import { LOG_LEVELS, logWithLevel, sha256 } from "../utils.js";
+import { upsertUserAndAccount } from "../users.js";
+import { createAuthDb } from "../db.js";
+export const verifyCodeAndSignInArgs = v.object({
+    params: v.any(),
+    provider: v.optional(v.string()),
+    verifier: v.optional(v.string()),
+    generateTokens: v.boolean(),
+    allowExtraProviders: v.boolean(),
+});
+export async function verifyCodeAndSignInImpl(ctx, args, getProviderOrThrow, config) {
+    logWithLevel(LOG_LEVELS.DEBUG, "verifyCodeAndSignInImpl args:", {
+        params: { email: args.params.email, phone: args.params.phone },
+        provider: args.provider,
+        verifier: args.verifier,
+        generateTokens: args.generateTokens,
+        allowExtraProviders: args.allowExtraProviders,
+    });
+    const { generateTokens, provider, allowExtraProviders } = args;
+    const identifier = args.params.email ?? args.params.phone;
+    if (identifier !== undefined) {
+        if (await isSignInRateLimited(ctx, identifier, config)) {
+            logWithLevel(LOG_LEVELS.ERROR, "Too many failed attempts to verify code for this email");
+            return null;
+        }
+    }
+    const verifyResult = await verifyCodeOnly(ctx, args, provider ?? null, getProviderOrThrow, allowExtraProviders, config, await getAuthSessionId(ctx));
+    if (verifyResult === null) {
+        if (identifier !== undefined) {
+            await recordFailedSignIn(ctx, identifier, config);
+        }
+        return null;
+    }
+    if (identifier !== undefined) {
+        await resetSignInRateLimit(ctx, identifier, config);
+    }
+    const { userId } = verifyResult;
+    const sessionId = await createNewAndDeleteExistingSession(ctx, config, userId);
+    return await maybeGenerateTokensForSession(ctx, config, userId, sessionId, generateTokens);
+}
+export const callVerifyCodeAndSignIn = async (ctx, args) => {
+    return ctx.runMutation("auth:store", {
+        args: {
+            type: "verifyCodeAndSignIn",
+            ...args,
+        },
+    });
+};
+async function verifyCodeOnly(ctx, args, 
+/**
+ * There are two providers at play:
+ * 1. the provider that generated the code
+ * 2. the provider the account is tied to.
+ * This is because we allow signing into an account
+ * via another provider, see {@link signInViaProvider}.
+ * This is the first provider.
+ */
+methodProviderId, getProviderOrThrow, allowExtraProviders, config, sessionId) {
+    const authDb = config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+    const { params, verifier } = args;
+    const codeHash = await sha256(params.code);
+    const verificationCode = authDb !== null
+        ? await authDb.verificationCodes.getByCode(codeHash)
+        : await ctx.db
+            .query("verification")
+            .withIndex("code", (q) => q.eq("code", codeHash))
+            .unique();
+    if (verificationCode === null) {
+        logWithLevel(LOG_LEVELS.ERROR, "Invalid verification code");
+        return null;
+    }
+    if (authDb !== null) {
+        await authDb.verificationCodes.delete(verificationCode._id);
+    }
+    else {
+        await ctx.db.delete(verificationCode._id);
+    }
+    if (verificationCode.verifier !== verifier) {
+        logWithLevel(LOG_LEVELS.ERROR, "Invalid verifier");
+        return null;
+    }
+    if (verificationCode.expirationTime < Date.now()) {
+        logWithLevel(LOG_LEVELS.ERROR, "Expired verification code");
+        return null;
+    }
+    const { accountId, emailVerified, phoneVerified } = verificationCode;
+    const account = authDb !== null ? await authDb.accounts.getById(accountId) : await ctx.db.get(accountId);
+    if (account === null) {
+        logWithLevel(LOG_LEVELS.ERROR, "Account associated with this email has been deleted");
+        return null;
+    }
+    if (methodProviderId !== null &&
+        verificationCode.provider !== methodProviderId) {
+        logWithLevel(LOG_LEVELS.ERROR, `Invalid provider "${methodProviderId}" for given \`code\`, ` +
+            `which was generated by provider "${verificationCode.provider}"`);
+        return null;
+    }
+    // OTP providers perform an additional check against the provided
+    // params.
+    const methodProvider = getProviderOrThrow(verificationCode.provider, allowExtraProviders);
+    if (methodProvider !== null &&
+        (methodProvider.type === "email" || methodProvider.type === "phone") &&
+        methodProvider.authorize !== undefined) {
+        await methodProvider.authorize(args.params, account);
+    }
+    let userId = account.userId;
+    const provider = getProviderOrThrow(account.provider);
+    if (!(provider.type === "oauth" || provider.type === "oidc")) {
+        ({ userId } = await upsertUserAndAccount(ctx, sessionId, { existingAccount: account }, {
+            type: "verification",
+            provider,
+            profile: {
+                ...(emailVerified !== undefined
+                    ? { email: emailVerified, emailVerified: true }
+                    : {}),
+                ...(phoneVerified !== undefined
+                    ? { phone: phoneVerified, phoneVerified: true }
+                    : {}),
+            },
+        }, config));
+    }
+    return { providerAccountId: account.providerAccountId, userId };
+}
+//# sourceMappingURL=verifyCodeAndSignIn.js.map

package/dist/server/implementation/mutations/verifyCodeAndSignIn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyCodeAndSignIn.js","sourceRoot":"","sources":["../../../../src/server/implementation/mutations/verifyCodeAndSignIn.ts"],"names":[],"mappings":"AAAA,OAAO,EAAoB,CAAC,EAAE,MAAM,eAAe,CAAC;AAEpD,OAAO,EACL,mBAAmB,EACnB,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,iCAAiC,EACjC,gBAAgB,EAChB,6BAA6B,GAC9B,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC/D,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAExC,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,MAAM,EAAE,CAAC,CAAC,GAAG,EAAE;IACf,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAChC,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAChC,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;IAC3B,mBAAmB,EAAE,CAAC,CAAC,OAAO,EAAE;CACjC,CAAC,CAAC;AAIH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAgB,EAChB,IAA2C,EAC3C,kBAAmD,EACnD,MAAuB;IAEvB,YAAY,CAAC,UAAU,CAAC,KAAK,EAAE,+BAA+B,EAAE;QAC9D,MAAM,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;QAC9D,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;KAC9C,CAAC,CAAC;IACH,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,mBAAmB,EAAE,GAAG,IAAI,CAAC;IAC/D,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;IAC1D,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,MAAM,mBAAmB,CAAC,GAAG,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,CAAC;YACvD,YAAY,CACV,UAAU,CAAC,KAAK,EAChB,wDAAwD,CACzD,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,MAAM,YAAY,GAAG,MAAM,cAAc,CACvC,GAAG,EACH,IAAI,EACJ,QAAQ,IAAI,IAAI,EAChB,kBAAkB,EAClB,mBAAmB,EACnB,MAAM,EACN,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAC5B,CAAC;IACF,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QAC1B,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,kBAAkB,CAAC,GAAG,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,oBAAoB,CAAC,GAAG,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,EAAE,MAAM,EAAE,GAAG,YAAY,CAAC;IAChC,MAAM,SAAS,GAAG,MAAM,iCAAiC,CACvD,GAAG,EACH,MAAM,EACN,MAAM,CACP,CAAC;IACF,OAAO,MAAM,6BAA6B,CACxC,GAAG,EACH,MAAM,EACN,MAAM,EACN,SAAS,EACT,cAAc,CACf,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,uBAAuB,GAAG,KAAK,EAC1C,GAAc,EACd,IAA2C,EACtB,EAAE;IACvB,OAAO,GAAG,CAAC,WAAW,CAAC,YAAmB,EAAE;QAC1C,IAAI,EAAE;YACJ,IAAI,EAAE,qBAAqB;YAC3B,GAAG,IAAI;SACR;KACF,CAAC,CAAC;AACL,CAAC,CAAC;AAEF,KAAK,UAAU,cAAc,CAC3B,GAAgB,EAChB,IAIC;AACD;;;;;;;GAOG;AACH,gBAA+B,EAC/B,kBAAmD,EACnD,mBAA4B,EAC5B,MAAwB,EACxB,SAAsC;IAEtC,MAAM,MAAM,GACV,MAAM,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9E,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC;IAClC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,gBAAgB,GACpB,MAAM,KAAK,IAAI;QACb,CAAC,CAAC,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,QAAQ,CAAC;QACpD,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE;aACT,KAAK,CAAC,cAAc,CAAC;aACrB,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;aAChD,MAAM,EAAE,CAAC;IAClB,IAAI,gBAAgB,KAAK,IAAI,EAAE,CAAC;QAC9B,YAAY,CAAC,UAAU,CAAC,KAAK,EAAE,2BAA2B,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,MAAM,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC9D,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,gBAAgB,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC3C,YAAY,CAAC,UAAU,CAAC,KAAK,EAAE,kBAAkB,CAAC,CAAC;QACnD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,gBAAgB,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACjD,YAAY,CAAC,UAAU,CAAC,KAAK,EAAE,2BAA2B,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE,aAAa,EAAE,GAAG,gBAAgB,CAAC;IACrE,MAAM,OAAO,GACX,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC3F,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,YAAY,CACV,UAAU,CAAC,KAAK,EAChB,qDAAqD,CACtD,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IACE,gBAAgB,KAAK,IAAI;QACzB,gBAAgB,CAAC,QAAQ,KAAK,gBAAgB,EAC9C,CAAC;QACD,YAAY,CACV,UAAU,CAAC,KAAK,EAChB,qBAAqB,gBAAgB,wBAAwB;YAC3D,oCAAoC,gBAAgB,CAAC,QAAQ,GAAG,CACnE,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IACD,iEAAiE;IACjE,UAAU;IACV,MAAM,cAAc,GAAG,kBAAkB,CACvC,gBAAgB,CAAC,QAAQ,EACzB,mBAAmB,CACpB,CAAC;IACF,IACE,cAAc,KAAK,IAAI;QACvB,CAAC,cAAc,CAAC,IAAI,KAAK,OAAO,IAAI,cAAc,CAAC,IAAI,KAAK,OAAO,CAAC;QACpE,cAAc,CAAC,SAAS,KAAK,SAAS,EACtC,CAAC;QACD,MAAM,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC5B,MAAM,QAAQ,GAAG,kBAAkB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtD,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,KAAK,OAAO,IAAI,QAAQ,CAAC,IAAI,KAAK,MAAM,CAAC,EAAE,CAAC;QAC7D,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,oBAAoB,CACtC,GAAG,EACH,SAAS,EACT,EAAE,eAAe,EAAE,OAAO,EAAE,EAC5B;YACE,IAAI,EAAE,cAAc;YACpB,QAAQ;YACR,OAAO,EAAE;gBACP,GAAG,CAAC,aAAa,KAAK,SAAS;oBAC7B,CAAC,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,IAAI,EAAE;oBAC/C,CAAC,CAAC,EAAE,CAAC;gBACP,GAAG,CAAC,aAAa,KAAK,SAAS;oBAC7B,CAAC,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,IAAI,EAAE;oBAC/C,CAAC,CAAC,EAAE,CAAC;aACR;SACF,EACD,MAAM,CACP,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,EAAE,MAAM,EAAE,CAAC;AAClE,CAAC"}

package/dist/server/implementation/provider.d.ts

@@ -0,0 +1,6 @@
+import { AuthProviderMaterializedConfig } from "../types.js";
+export declare function hash(provider: any, secret: string): Promise<any>;
+export declare function verify(provider: AuthProviderMaterializedConfig, secret: string, hash: string): Promise<boolean>;
+export type GetProviderOrThrowFunc = (provider: string, allowExtraProviders?: boolean) => AuthProviderMaterializedConfig;
+export type Config = any;
+//# sourceMappingURL=provider.d.ts.map

package/dist/server/implementation/provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,8BAA8B,EAAE,MAAM,aAAa,CAAC;AAE7D,wBAAsB,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,gBAWvD;AAED,wBAAsB,MAAM,CAC1B,QAAQ,EAAE,8BAA8B,EACxC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,oBAYb;AAED,MAAM,MAAM,sBAAsB,GAAG,CACnC,QAAQ,EAAE,MAAM,EAChB,mBAAmB,CAAC,EAAE,OAAO,KAC1B,8BAA8B,CAAC;AAEpC,MAAM,MAAM,MAAM,GAAG,GAAG,CAAC"}

package/dist/server/implementation/provider.js

@@ -0,0 +1,21 @@
+export async function hash(provider, secret) {
+    if (provider.type !== "credentials") {
+        throw new Error(`Provider ${provider.id} is not a credentials provider`);
+    }
+    const hashSecretFn = provider.crypto?.hashSecret;
+    if (hashSecretFn === undefined) {
+        throw new Error(`Provider ${provider.id} does not have a \`crypto.hashSecret\` function`);
+    }
+    return await hashSecretFn(secret);
+}
+export async function verify(provider, secret, hash) {
+    if (provider.type !== "credentials") {
+        throw new Error(`Provider ${provider.id} is not a credentials provider`);
+    }
+    const verifySecretFn = provider.crypto?.verifySecret;
+    if (verifySecretFn === undefined) {
+        throw new Error(`Provider ${provider.id} does not have a \`crypto.verifySecret\` function`);
+    }
+    return await verifySecretFn(secret, hash);
+}
+//# sourceMappingURL=provider.js.map

package/dist/server/implementation/provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.js","sourceRoot":"","sources":["../../../src/server/implementation/provider.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,QAAa,EAAE,MAAc;IACtD,IAAI,QAAQ,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,YAAY,QAAQ,CAAC,EAAE,gCAAgC,CAAC,CAAC;IAC3E,CAAC;IACD,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IACjD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,YAAY,QAAQ,CAAC,EAAE,iDAAiD,CACzE,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,YAAY,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,QAAwC,EACxC,MAAc,EACd,IAAY;IAEZ,IAAI,QAAQ,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,YAAY,QAAQ,CAAC,EAAE,gCAAgC,CAAC,CAAC;IAC3E,CAAC;IACD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IACrD,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CACb,YAAY,QAAQ,CAAC,EAAE,mDAAmD,CAC3E,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,cAAc,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;AAC5C,CAAC"}

package/dist/server/implementation/rateLimit.d.ts

@@ -0,0 +1,6 @@
+import { ConvexAuthConfig } from "../types.js";
+import { MutationCtx } from "./types.js";
+export declare function isSignInRateLimited(ctx: MutationCtx, identifier: string, config: ConvexAuthConfig): Promise<boolean>;
+export declare function recordFailedSignIn(ctx: MutationCtx, identifier: string, config: ConvexAuthConfig): Promise<void>;
+export declare function resetSignInRateLimit(ctx: MutationCtx, identifier: string, config: ConvexAuthConfig): Promise<void>;
+//# sourceMappingURL=rateLimit.d.ts.map

package/dist/server/implementation/rateLimit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rateLimit.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/rateLimit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAO,WAAW,EAAE,MAAM,YAAY,CAAC;AAK9C,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,WAAW,EAChB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,gBAAgB,oBAOzB;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,WAAW,EAChB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,gBAAgB,iBA+BzB;AAED,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,WAAW,EAChB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,gBAAgB,iBAYzB"}

package/dist/server/implementation/rateLimit.js

@@ -0,0 +1,76 @@
+import { createAuthDb } from "./db.js";
+const DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;
+export async function isSignInRateLimited(ctx, identifier, config) {
+    const state = await getRateLimitState(ctx, identifier, config);
+    if (state === null) {
+        return false;
+    }
+    return state.attempsLeft < 1;
+}
+export async function recordFailedSignIn(ctx, identifier, config) {
+    const state = await getRateLimitState(ctx, identifier, config);
+    if (state !== null) {
+        if (config.component !== undefined) {
+            await createAuthDb(ctx, config.component).rateLimits.patch(state.limit._id, {
+                attemptsLeft: state.attempsLeft - 1,
+                lastAttemptTime: Date.now(),
+            });
+        }
+        else {
+            await ctx.db.patch(state.limit._id, {
+                attemptsLeft: state.attempsLeft - 1,
+                lastAttemptTime: Date.now(),
+            });
+        }
+    }
+    else {
+        const maxAttempsPerHour = configuredMaxAttempsPerHour(config);
+        if (config.component !== undefined) {
+            await createAuthDb(ctx, config.component).rateLimits.create({
+                identifier,
+                attemptsLeft: maxAttempsPerHour - 1,
+                lastAttemptTime: Date.now(),
+            });
+        }
+        else {
+            await ctx.db.insert("limit", {
+                identifier,
+                attemptsLeft: maxAttempsPerHour - 1,
+                lastAttemptTime: Date.now(),
+            });
+        }
+    }
+}
+export async function resetSignInRateLimit(ctx, identifier, config) {
+    const existingState = await getRateLimitState(ctx, identifier, config);
+    if (existingState !== null) {
+        if (config.component !== undefined) {
+            await createAuthDb(ctx, config.component).rateLimits.delete(existingState.limit._id);
+        }
+        else {
+            await ctx.db.delete(existingState.limit._id);
+        }
+    }
+}
+async function getRateLimitState(ctx, identifier, config) {
+    const now = Date.now();
+    const maxAttempsPerHour = configuredMaxAttempsPerHour(config);
+    const limit = config.component !== undefined
+        ? (await createAuthDb(ctx, config.component).rateLimits.get(identifier))
+        : await ctx.db
+            .query("limit")
+            .withIndex("identifier", (q) => q.eq("identifier", identifier))
+            .unique();
+    if (limit === null) {
+        return null;
+    }
+    const elapsed = now - limit.lastAttemptTime;
+    const maxAttempsPerMs = maxAttempsPerHour / (60 * 60 * 1000);
+    const attempsLeft = Math.min(maxAttempsPerHour, limit.attemptsLeft + elapsed * maxAttempsPerMs);
+    return { limit, attempsLeft };
+}
+function configuredMaxAttempsPerHour(config) {
+    return (config.signIn?.maxFailedAttempsPerHour ??
+        DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR);
+}
+//# sourceMappingURL=rateLimit.js.map

package/dist/server/implementation/rateLimit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rateLimit.js","sourceRoot":"","sources":["../../../src/server/implementation/rateLimit.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEvC,MAAM,qCAAqC,GAAG,EAAE,CAAC;AAEjD,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,GAAgB,EAChB,UAAkB,EAClB,MAAwB;IAExB,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,GAAG,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;IAC/D,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,GAAgB,EAChB,UAAkB,EAClB,MAAwB;IAExB,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,GAAG,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;IAC/D,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE;gBAC1E,YAAY,EAAE,KAAK,CAAC,WAAW,GAAG,CAAC;gBACnC,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE;aAC5B,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE;gBAClC,YAAY,EAAE,KAAK,CAAC,WAAW,GAAG,CAAC;gBACnC,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE;aAC5B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,iBAAiB,GAAG,2BAA2B,CAAC,MAAM,CAAC,CAAC;QAC9D,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC;gBAC1D,UAAU;gBACV,YAAY,EAAE,iBAAiB,GAAG,CAAC;gBACnC,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE;aAC5B,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE;gBAC3B,UAAU;gBACV,YAAY,EAAE,iBAAiB,GAAG,CAAC;gBACnC,eAAe,EAAE,IAAI,CAAC,GAAG,EAAE;aAC5B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,GAAgB,EAChB,UAAkB,EAClB,MAAwB;IAExB,MAAM,aAAa,GAAG,MAAM,iBAAiB,CAAC,GAAG,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;IACvE,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;QAC3B,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,UAAU,CAAC,MAAM,CACzD,aAAa,CAAC,KAAK,CAAC,GAAG,CACxB,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,GAAgB,EAChB,UAAkB,EAClB,MAAwB;IAExB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,iBAAiB,GAAG,2BAA2B,CAAC,MAAM,CAAC,CAAC;IAC9D,MAAM,KAAK,GACT,MAAM,CAAC,SAAS,KAAK,SAAS;QAC5B,CAAC,CAAE,CAAC,MAAM,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAE7D;QACX,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE;aACT,KAAK,CAAC,OAAO,CAAC;aACd,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;aAC9D,MAAM,EAAE,CAAC;IAClB,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,GAAG,KAAK,CAAC,eAAe,CAAC;IAC5C,MAAM,eAAe,GAAG,iBAAiB,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7D,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAC1B,iBAAiB,EACjB,KAAK,CAAC,YAAY,GAAG,OAAO,GAAG,eAAe,CAC/C,CAAC;IACF,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC;AAChC,CAAC;AAED,SAAS,2BAA2B,CAAC,MAAwB;IAC3D,OAAO,CACL,MAAM,CAAC,MAAM,EAAE,uBAAuB;QACtC,qCAAqC,CACtC,CAAC;AACJ,CAAC"}

package/dist/server/implementation/redirects.d.ts

@@ -0,0 +1,6 @@
+import { ConvexAuthMaterializedConfig } from "../types.js";
+export declare function redirectAbsoluteUrl(config: ConvexAuthMaterializedConfig, params: {
+    redirectTo: unknown;
+}): Promise<string>;
+export declare function setURLSearchParam(absoluteUrl: string, param: string, value: string): string;
+//# sourceMappingURL=redirects.d.ts.map

package/dist/server/implementation/redirects.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redirects.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/redirects.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAG3D,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,4BAA4B,EACpC,MAAM,EAAE;IAAE,UAAU,EAAE,OAAO,CAAA;CAAE,mBAahC;AAoBD,wBAAgB,iBAAiB,CAC/B,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,UAYd"}

package/dist/server/implementation/redirects.js

@@ -0,0 +1,40 @@
+import { requireEnv } from "../utils.js";
+export async function redirectAbsoluteUrl(config, params) {
+    if (params.redirectTo !== undefined) {
+        if (typeof params.redirectTo !== "string") {
+            throw new Error(`Expected \`redirectTo\` to be a string, got ${params.redirectTo}`);
+        }
+        const redirectCallback = config.callbacks?.redirect ?? defaultRedirectCallback;
+        return await redirectCallback(params);
+    }
+    return siteUrl();
+}
+async function defaultRedirectCallback({ redirectTo }) {
+    const baseUrl = siteUrl();
+    if (redirectTo.startsWith("?") || redirectTo.startsWith("/")) {
+        return `${baseUrl}${redirectTo}`;
+    }
+    if (redirectTo.startsWith(baseUrl)) {
+        const after = redirectTo[baseUrl.length];
+        if (after === undefined || after === "?" || after === "/") {
+            return redirectTo;
+        }
+    }
+    throw new Error(`Invalid \`redirectTo\` ${redirectTo} for configured SITE_URL: ${baseUrl.toString()}`);
+}
+// Temporary work-around because Convex doesn't support
+// schemes other than http and https.
+export function setURLSearchParam(absoluteUrl, param, value) {
+    const pattern = /([^:]+):(.*)/;
+    const [, scheme, rest] = absoluteUrl.match(pattern);
+    const hasNoDomain = /^\/\/(?:\/|$|\?)/.test(rest);
+    const startsWithPath = hasNoDomain && rest.startsWith("///");
+    const url = new URL(`http:${hasNoDomain ? "//googblibok" + rest.slice(2) : rest}`);
+    url.searchParams.set(param, value);
+    const [, , withParam] = url.toString().match(pattern);
+    return `${scheme}:${hasNoDomain ? (startsWithPath ? "/" : "") + "//" + withParam.slice(13) : withParam}`;
+}
+function siteUrl() {
+    return requireEnv("SITE_URL").replace(/\/$/, "");
+}
+//# sourceMappingURL=redirects.js.map

package/dist/server/implementation/redirects.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redirects.js","sourceRoot":"","sources":["../../../src/server/implementation/redirects.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAoC,EACpC,MAA+B;IAE/B,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACpC,IAAI,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CACb,+CAA+C,MAAM,CAAC,UAAiB,EAAE,CAC1E,CAAC;QACJ,CAAC;QACD,MAAM,gBAAgB,GACpB,MAAM,CAAC,SAAS,EAAE,QAAQ,IAAI,uBAAuB,CAAC;QACxD,OAAO,MAAM,gBAAgB,CAAC,MAAgC,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,uBAAuB,CAAC,EAAE,UAAU,EAA0B;IAC3E,MAAM,OAAO,GAAG,OAAO,EAAE,CAAC;IAC1B,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7D,OAAO,GAAG,OAAO,GAAG,UAAU,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,UAAU,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;YAC1D,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IACD,MAAM,IAAI,KAAK,CACb,0BAA0B,UAAU,6BAA6B,OAAO,CAAC,QAAQ,EAAE,EAAE,CACtF,CAAC;AACJ,CAAC;AAED,uDAAuD;AACvD,qCAAqC;AACrC,MAAM,UAAU,iBAAiB,CAC/B,WAAmB,EACnB,KAAa,EACb,KAAa;IAEb,MAAM,OAAO,GAAG,cAAc,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAE,CAAC;IACrD,MAAM,WAAW,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClD,MAAM,cAAc,GAAG,WAAW,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,QAAQ,WAAW,CAAC,CAAC,CAAC,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAC9D,CAAC;IACF,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACnC,MAAM,CAAC,EAAE,AAAD,EAAG,SAAS,CAAC,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,OAAO,CAAE,CAAC;IACvD,OAAO,GAAG,MAAM,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;AAC3G,CAAC;AAED,SAAS,OAAO;IACd,OAAO,UAAU,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACnD,CAAC"}

package/dist/server/implementation/refreshTokens.d.ts

@@ -0,0 +1,40 @@
+import { GenericId } from "convex/values";
+import { ConvexAuthConfig } from "../types.js";
+import { Doc, MutationCtx } from "./types.js";
+export declare const REFRESH_TOKEN_REUSE_WINDOW_MS: number;
+export declare function createRefreshToken(ctx: MutationCtx, config: ConvexAuthConfig, sessionId: GenericId<"session">, parentRefreshTokenId: GenericId<"token"> | null): Promise<GenericId<"token">>;
+export declare const formatRefreshToken: (refreshTokenId: GenericId<"token">, sessionId: GenericId<"session">) => string;
+export declare const parseRefreshToken: (refreshToken: string) => {
+    refreshTokenId: GenericId<"token">;
+    sessionId: GenericId<"session">;
+};
+/**
+ * Mark all refresh tokens descending from the given refresh token as invalid immediately.
+ * This is used when we detect an invalid use of a refresh token, and want to revoke
+ * the entire tree.
+ *
+ * @param ctx
+ * @param refreshToken
+ */
+export declare function invalidateRefreshTokensInSubtree(ctx: MutationCtx, refreshToken: Doc<"token">, config: ConvexAuthConfig): Promise<Doc<"token">[]>;
+export declare function deleteAllRefreshTokens(ctx: MutationCtx, sessionId: GenericId<"session">, config: ConvexAuthConfig): Promise<void>;
+export declare function refreshTokenIfValid(ctx: MutationCtx, refreshTokenId: string, tokenSessionId: string, config: ConvexAuthConfig): Promise<{
+    session: Doc<"session">;
+    refreshTokenDoc: Doc<"token">;
+} | null>;
+/**
+ * The active refresh token is the most recently created refresh token that has
+ * never been used.
+ *
+ * @param ctx
+ * @param sessionId
+ */
+export declare function loadActiveRefreshToken(ctx: MutationCtx, sessionId: GenericId<"session">, config: ConvexAuthConfig): Promise<{
+    _id: GenericId<"token">;
+    _creationTime: number;
+    firstUsedTime?: number | undefined;
+    parentRefreshTokenId?: GenericId<"token"> | undefined;
+    expirationTime: number;
+    sessionId: GenericId<"session">;
+} | null>;
+//# sourceMappingURL=refreshTokens.d.ts.map

package/dist/server/implementation/refreshTokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refreshTokens.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/refreshTokens.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAW9C,eAAO,MAAM,6BAA6B,QAAY,CAAC;AACvD,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,WAAW,EAChB,MAAM,EAAE,gBAAgB,EACxB,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,EAC/B,oBAAoB,EAAE,SAAS,CAAC,OAAO,CAAC,GAAG,IAAI,+BAoBhD;AAED,eAAO,MAAM,kBAAkB,GAC7B,gBAAgB,SAAS,CAAC,OAAO,CAAC,EAClC,WAAW,SAAS,CAAC,SAAS,CAAC,WAGhC,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAC5B,cAAc,MAAM,KACnB;IACD,cAAc,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;IACnC,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;CAUjC,CAAC;AAEF;;;;;;;GAOG;AACH,wBAAsB,gCAAgC,CACpD,GAAG,EAAE,WAAW,EAChB,YAAY,EAAE,GAAG,CAAC,OAAO,CAAC,EAC1B,MAAM,EAAE,gBAAgB,2BA8CzB;AAED,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,WAAW,EAChB,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,EAC/B,MAAM,EAAE,gBAAgB,iBAezB;AAED,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,WAAW,EAChB,cAAc,EAAE,MAAM,EACtB,cAAc,EAAE,MAAM,EACtB,MAAM,EAAE,gBAAgB;;;UAkDzB;AACD;;;;;;GAMG;AACH,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,WAAW,EAChB,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,EAC/B,MAAM,EAAE,gBAAgB;;;;;;;UAazB"}

package/dist/server/implementation/refreshTokens.js

@@ -0,0 +1,160 @@
+import { LOG_LEVELS, REFRESH_TOKEN_DIVIDER, logWithLevel, maybeRedact, stringToNumber, } from "./utils.js";
+import { createAuthDb } from "./db.js";
+const DEFAULT_SESSION_INACTIVE_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days
+export const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1000; // 10 seconds
+export async function createRefreshToken(ctx, config, sessionId, parentRefreshTokenId) {
+    const expirationTime = Date.now() +
+        (config.session?.inactiveDurationMs ??
+            stringToNumber(process.env.AUTH_SESSION_INACTIVE_DURATION_MS) ??
+            DEFAULT_SESSION_INACTIVE_DURATION_MS);
+    if (config.component !== undefined) {
+        return (await createAuthDb(ctx, config.component).refreshTokens.create({
+            sessionId,
+            expirationTime,
+            parentRefreshTokenId: parentRefreshTokenId ?? undefined,
+        }));
+    }
+    const newRefreshTokenId = await ctx.db.insert("token", {
+        sessionId,
+        expirationTime,
+        parentRefreshTokenId: parentRefreshTokenId ?? undefined,
+    });
+    return newRefreshTokenId;
+}
+export const formatRefreshToken = (refreshTokenId, sessionId) => {
+    return `${refreshTokenId}${REFRESH_TOKEN_DIVIDER}${sessionId}`;
+};
+export const parseRefreshToken = (refreshToken) => {
+    const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);
+    if (!refreshTokenId || !sessionId) {
+        throw new Error(`Can't parse refresh token: ${maybeRedact(refreshToken)}`);
+    }
+    return {
+        refreshTokenId: refreshTokenId,
+        sessionId: sessionId,
+    };
+};
+/**
+ * Mark all refresh tokens descending from the given refresh token as invalid immediately.
+ * This is used when we detect an invalid use of a refresh token, and want to revoke
+ * the entire tree.
+ *
+ * @param ctx
+ * @param refreshToken
+ */
+export async function invalidateRefreshTokensInSubtree(ctx, refreshToken, config) {
+    const authDb = config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+    const tokensToInvalidate = [refreshToken];
+    let frontier = [refreshToken._id];
+    while (frontier.length > 0) {
+        const nextFrontier = [];
+        for (const currentTokenId of frontier) {
+            const children = authDb !== null
+                ? (await authDb.refreshTokens.getChildren(refreshToken.sessionId, currentTokenId))
+                : await ctx.db
+                    .query("token")
+                    .withIndex("sessionIdAndParentRefreshTokenId", (q) => q
+                    .eq("sessionId", refreshToken.sessionId)
+                    .eq("parentRefreshTokenId", currentTokenId))
+                    .collect();
+            tokensToInvalidate.push(...children);
+            nextFrontier.push(...children.map((child) => child._id));
+        }
+        frontier = nextFrontier;
+    }
+    for (const token of tokensToInvalidate) {
+        // Mark these as used so they can't be used again (even within the reuse window)
+        if (token.firstUsedTime === undefined ||
+            token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS) {
+            if (authDb !== null) {
+                await authDb.refreshTokens.patch(token._id, {
+                    firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,
+                });
+            }
+            else {
+                await ctx.db.patch(token._id, {
+                    firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,
+                });
+            }
+        }
+    }
+    return tokensToInvalidate;
+}
+export async function deleteAllRefreshTokens(ctx, sessionId, config) {
+    if (config.component !== undefined) {
+        await createAuthDb(ctx, config.component).refreshTokens.deleteAll(sessionId);
+        return;
+    }
+    const existingRefreshTokens = await ctx.db
+        .query("token")
+        .withIndex("sessionIdAndParentRefreshTokenId", (q) => q.eq("sessionId", sessionId))
+        .collect();
+    for (const refreshTokenDoc of existingRefreshTokens) {
+        await ctx.db.delete(refreshTokenDoc._id);
+    }
+}
+export async function refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config) {
+    const authDb = config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+    let refreshTokenDoc;
+    try {
+        refreshTokenDoc =
+            authDb !== null
+                ? (await authDb.refreshTokens.getById(refreshTokenId))
+                : await ctx.db.get(refreshTokenId);
+    }
+    catch {
+        logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token format");
+        return null;
+    }
+    if (refreshTokenDoc === null) {
+        logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token");
+        return null;
+    }
+    if (refreshTokenDoc.expirationTime < Date.now()) {
+        logWithLevel(LOG_LEVELS.ERROR, "Expired refresh token");
+        return null;
+    }
+    if (refreshTokenDoc.sessionId !== tokenSessionId) {
+        logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session ID");
+        return null;
+    }
+    let session;
+    try {
+        session =
+            authDb !== null
+                ? (await authDb.sessions.getById(refreshTokenDoc.sessionId))
+                : await ctx.db.get(refreshTokenDoc.sessionId);
+    }
+    catch {
+        logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session format");
+        return null;
+    }
+    if (session === null) {
+        logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session");
+        return null;
+    }
+    if (session.expirationTime < Date.now()) {
+        logWithLevel(LOG_LEVELS.ERROR, "Expired refresh token session");
+        return null;
+    }
+    return { session, refreshTokenDoc };
+}
+/**
+ * The active refresh token is the most recently created refresh token that has
+ * never been used.
+ *
+ * @param ctx
+ * @param sessionId
+ */
+export async function loadActiveRefreshToken(ctx, sessionId, config) {
+    if (config.component !== undefined) {
+        return (await createAuthDb(ctx, config.component).refreshTokens.getActive(sessionId));
+    }
+    return ctx.db
+        .query("token")
+        .withIndex("sessionId", (q) => q.eq("sessionId", sessionId))
+        .filter((q) => q.eq(q.field("firstUsedTime"), undefined))
+        .order("desc")
+        .first();
+}
+//# sourceMappingURL=refreshTokens.js.map

package/dist/server/implementation/refreshTokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refreshTokens.js","sourceRoot":"","sources":["../../../src/server/implementation/refreshTokens.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,UAAU,EACV,qBAAqB,EACrB,YAAY,EACZ,WAAW,EACX,cAAc,GACf,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEvC,MAAM,oCAAoC,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;AACjF,MAAM,CAAC,MAAM,6BAA6B,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;AACrE,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,GAAgB,EAChB,MAAwB,EACxB,SAA+B,EAC/B,oBAA+C;IAE/C,MAAM,cAAc,GAClB,IAAI,CAAC,GAAG,EAAE;QACV,CAAC,MAAM,CAAC,OAAO,EAAE,kBAAkB;YACjC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC;YAC7D,oCAAoC,CAAC,CAAC;IAC1C,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACnC,OAAO,CAAC,MAAM,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC;YACrE,SAAS;YACT,cAAc;YACd,oBAAoB,EAAE,oBAAoB,IAAI,SAAS;SACxD,CAAC,CAAuB,CAAC;IAC5B,CAAC;IACD,MAAM,iBAAiB,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE;QACrD,SAAS;QACT,cAAc;QACd,oBAAoB,EAAE,oBAAoB,IAAI,SAAS;KACxD,CAAC,CAAC;IACH,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAChC,cAAkC,EAClC,SAA+B,EAC/B,EAAE;IACF,OAAO,GAAG,cAAc,GAAG,qBAAqB,GAAG,SAAS,EAAE,CAAC;AACjE,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAC/B,YAAoB,EAIpB,EAAE;IACF,MAAM,CAAC,cAAc,EAAE,SAAS,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAC9E,IAAI,CAAC,cAAc,IAAI,CAAC,SAAS,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,8BAA8B,WAAW,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO;QACL,cAAc,EAAE,cAAoC;QACpD,SAAS,EAAE,SAAiC;KAC7C,CAAC;AACJ,CAAC,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,GAAgB,EAChB,YAA0B,EAC1B,MAAwB;IAExB,MAAM,MAAM,GACV,MAAM,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9E,MAAM,kBAAkB,GAAG,CAAC,YAAY,CAAC,CAAC;IAC1C,IAAI,QAAQ,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;IAClC,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,YAAY,GAAG,EAAE,CAAC;QACxB,KAAK,MAAM,cAAc,IAAI,QAAQ,EAAE,CAAC;YACtC,MAAM,QAAQ,GACZ,MAAM,KAAK,IAAI;gBACb,CAAC,CAAE,CAAC,MAAM,MAAM,CAAC,aAAa,CAAC,WAAW,CACtC,YAAY,CAAC,SAAS,EACtB,cAAc,CACf,CAAoB;gBACvB,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE;qBACT,KAAK,CAAC,OAAO,CAAC;qBACd,SAAS,CAAC,kCAAkC,EAAE,CAAC,CAAC,EAAE,EAAE,CACnD,CAAC;qBACE,EAAE,CAAC,WAAW,EAAE,YAAY,CAAC,SAAS,CAAC;qBACvC,EAAE,CAAC,sBAAsB,EAAE,cAAc,CAAC,CAC9C;qBACA,OAAO,EAAE,CAAC;YACnB,kBAAkB,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YACrC,YAAY,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3D,CAAC;QACD,QAAQ,GAAG,YAAY,CAAC;IAC1B,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,kBAAkB,EAAE,CAAC;QACvC,gFAAgF;QAChF,IACE,KAAK,CAAC,aAAa,KAAK,SAAS;YACjC,KAAK,CAAC,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,6BAA6B,EAChE,CAAC;YACD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;gBACpB,MAAM,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE;oBAC1C,aAAa,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,6BAA6B;iBAC1D,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE;oBAC5B,aAAa,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,6BAA6B;iBAC1D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,GAAgB,EAChB,SAA+B,EAC/B,MAAwB;IAExB,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,aAAa,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QAC7E,OAAO;IACT,CAAC;IACD,MAAM,qBAAqB,GAAG,MAAM,GAAG,CAAC,EAAE;SACvC,KAAK,CAAC,OAAO,CAAC;SACd,SAAS,CAAC,kCAAkC,EAAE,CAAC,CAAC,EAAE,EAAE,CACnD,CAAC,CAAC,EAAE,CAAC,WAAW,EAAE,SAAS,CAAC,CAC7B;SACA,OAAO,EAAE,CAAC;IACb,KAAK,MAAM,eAAe,IAAI,qBAAqB,EAAE,CAAC;QACpD,MAAM,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,GAAgB,EAChB,cAAsB,EACtB,cAAsB,EACtB,MAAwB;IAExB,MAAM,MAAM,GACV,MAAM,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9E,IAAI,eAAoC,CAAC;IACzC,IAAI,CAAC;QACH,eAAe;YACb,MAAM,KAAK,IAAI;gBACb,CAAC,CAAE,CAAC,MAAM,MAAM,CAAC,aAAa,CAAC,OAAO,CAClC,cAAoC,CACrC,CAAyB;gBAC5B,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,cAAoC,CAAC,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,YAAY,CAAC,UAAU,CAAC,KAAK,EAAE,8BAA8B,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,eAAe,KAAK,IAAI,EAAE,CAAC;QAC7B,YAAY,CAAC,UAAU,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,eAAe,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAChD,YAAY,CAAC,UAAU,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,eAAe,CAAC,SAAS,KAAK,cAAc,EAAE,CAAC;QACjD,YAAY,CAAC,UAAU,CAAC,KAAK,EAAE,kCAAkC,CAAC,CAAC;QACnE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAA8B,CAAC;IACnC,IAAI,CAAC;QACH,OAAO;YACL,MAAM,KAAK,IAAI;gBACb,CAAC,CAAE,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,eAAe,CAAC,SAAS,CAAC,CAEjD;gBACX,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,YAAY,CAAC,UAAU,CAAC,KAAK,EAAE,sCAAsC,CAAC,CAAC;QACvE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,YAAY,CAAC,UAAU,CAAC,KAAK,EAAE,+BAA+B,CAAC,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QACxC,YAAY,CAAC,UAAU,CAAC,KAAK,EAAE,+BAA+B,CAAC,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;AACtC,CAAC;AACD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,GAAgB,EAChB,SAA+B,EAC/B,MAAwB;IAExB,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACnC,OAAO,CAAC,MAAM,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,aAAa,CAAC,SAAS,CACvE,SAAS,CACV,CAAwB,CAAC;IAC5B,CAAC;IACD,OAAO,GAAG,CAAC,EAAE;SACV,KAAK,CAAC,OAAO,CAAC;SACd,SAAS,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;SAC3D,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,SAAS,CAAC,CAAC;SACxD,KAAK,CAAC,MAAM,CAAC;SACb,KAAK,EAAE,CAAC;AACb,CAAC"}

package/dist/server/implementation/sessions.d.ts

@@ -0,0 +1,43 @@
+import { GenericId } from "convex/values";
+import { ConvexAuthConfig } from "../types.js";
+import { Doc, MutationCtx, SessionInfo } from "./types.js";
+import { Auth } from "convex/server";
+export declare function maybeGenerateTokensForSession(ctx: MutationCtx, config: ConvexAuthConfig, userId: GenericId<"user">, sessionId: GenericId<"session">, generateTokens: boolean): Promise<SessionInfo>;
+export declare function createNewAndDeleteExistingSession(ctx: MutationCtx, config: ConvexAuthConfig, userId: GenericId<"user">): Promise<GenericId<"session">>;
+export declare function generateTokensForSession(ctx: MutationCtx, config: ConvexAuthConfig, args: {
+    userId: GenericId<"user">;
+    sessionId: GenericId<"session">;
+    issuedRefreshTokenId: GenericId<"token"> | null;
+    parentRefreshTokenId: GenericId<"token"> | null;
+}): Promise<{
+    token: string;
+    refreshToken: string;
+}>;
+export declare function deleteSession(ctx: MutationCtx, session: Doc<"session">, config: ConvexAuthConfig): Promise<void>;
+/**
+ * Return the current session ID.
+ *
+ * ```ts filename="convex/myFunctions.tsx"
+ * import { mutation } from "./_generated/server";
+ * import { getAuthSessionId } from "@robelest/convex-auth/component";
+ *
+ * export const doSomething = mutation({
+ *   args: {/* ... *\/},
+ *   handler: async (ctx, args) => {
+ *     const sessionId = await getAuthSessionId(ctx);
+ *     if (sessionId === null) {
+ *       throw new Error("Client is not authenticated!")
+ *     }
+ *     const session = await ctx.db.get(sessionId);
+ *     // ...
+ *   },
+ * });
+ * ```
+ *
+ * @param ctx query, mutation or action `ctx`
+ * @returns the session ID or `null` if the client isn't authenticated
+ */
+export declare function getAuthSessionId(ctx: {
+    auth: Auth;
+}): Promise<GenericId<"session"> | null>;
+//# sourceMappingURL=sessions.d.ts.map

package/dist/server/implementation/sessions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/sessions.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAkBrC,wBAAsB,6BAA6B,CACjD,GAAG,EAAE,WAAW,EAChB,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,SAAS,CAAC,MAAM,CAAC,EACzB,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,EAC/B,cAAc,EAAE,OAAO,GACtB,OAAO,CAAC,WAAW,CAAC,CAatB;AAED,wBAAsB,iCAAiC,CACrD,GAAG,EAAE,WAAW,EAChB,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,SAAS,CAAC,MAAM,CAAC,iCAe1B;AAED,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,WAAW,EAChB,MAAM,EAAE,gBAAgB,EACxB,IAAI,EAAE;IACJ,MAAM,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1B,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IAChC,oBAAoB,EAAE,SAAS,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC;IAChD,oBAAoB,EAAE,SAAS,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC;CACjD;;;GAoBF;AAqBD,wBAAsB,aAAa,CACjC,GAAG,EAAE,WAAW,EAChB,OAAO,EAAE,GAAG,CAAC,SAAS,CAAC,EACvB,MAAM,EAAE,gBAAgB,iBAQzB;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,gBAAgB,CAAC,GAAG,EAAE;IAAE,IAAI,EAAE,IAAI,CAAA;CAAE,wCAOzD"}