@robelest/convex-auth 0.0.1

package/dist/server/oauth/authorizationUrl.js

@@ -0,0 +1,91 @@
+// This file corresponds to packages/core/src/lib/actions/signin/authorization-url.ts in the @auth/core package (commit 5af1f30a32e64591abc50ae4d2dba4682e525431).
+import * as checks from "./checks.js";
+import { callbackUrl, getAuthorizationSignature, } from "./convexAuth.js";
+import { logWithLevel } from "../implementation/utils.js";
+/**
+ * Generates an authorization/request token URL.
+ *
+ * [OAuth 2](https://www.oauth.com/oauth2-servers/authorization/the-authorization-request/)
+ */
+export async function getAuthorizationUrl(
+// ConvexAuth: we don't accept a query argument
+options) {
+    const { provider } = options;
+    let url = provider.authorization?.url;
+    // ConvexAuth: ConvexAuth does slightly different logic to determine the authorization endpoint
+    const { as, authorization: authorizationEndpoint, configSource } = provider;
+    if (!authorizationEndpoint) {
+        throw new TypeError("Could not determine the authorization endpoint.");
+    }
+    if (!url) {
+        url = new URL(authorizationEndpoint.url);
+    }
+    const authParams = url.searchParams;
+    // ConvexAuth: The logic for the callback URL is different from Auth.js
+    const redirect_uri = callbackUrl(provider.id);
+    // TODO(ConvexAuth): Support redirect proxy URLs.
+    // If we do so, update state.create to take the data value as an origin parameter (see the Auth.js code for ref).
+    // let data: string | undefined;
+    // if (!options.isOnRedirectProxy && provider.redirectProxyUrl) {
+    //   redirect_uri = provider.redirectProxyUrl;
+    //   data = provider.callbackUrl;
+    //   logger.debug("using redirect proxy", { redirect_uri, data });
+    // }
+    const params = Object.assign({
+        response_type: "code",
+        // clientId can technically be undefined, should we check this in assert.ts or rely on the Authorization Server to do it?
+        client_id: provider.clientId,
+        redirect_uri,
+        // @ts-expect-error TODO:
+        ...provider.authorization?.params,
+    }, Object.fromEntries(url.searchParams.entries() ?? []));
+    for (const k in params)
+        authParams.set(k, params[k]);
+    const cookies = [];
+    // ConvexAuth: no value passed for `origin` (Auth.js uses `data` from above)
+    const state = await checks.state.create(options);
+    if (state) {
+        authParams.set("state", state.value);
+        cookies.push(state.cookie);
+    }
+    // ConvexAuth: We need to save the value of the codeVerifier.
+    let codeVerifier;
+    if (provider.checks?.includes("pkce")) {
+        // ConvexAuth: we check where the config came from to help decide which branch to take here
+        if (configSource === "discovered" && !as.code_challenge_methods_supported?.includes("S256")) {
+            // We assume S256 PKCE support, if the server does not advertise that,
+            // a random `nonce` must be used for CSRF protection.
+            if (provider.type === "oidc")
+                provider.checks = ["nonce"];
+        }
+        else {
+            const pkce = await checks.pkce.create(options);
+            authParams.set("code_challenge", pkce.codeChallenge);
+            authParams.set("code_challenge_method", "S256");
+            cookies.push(pkce.cookie);
+            codeVerifier = pkce.codeVerifier;
+        }
+    }
+    const nonce = await checks.nonce.create(options);
+    if (nonce) {
+        authParams.set("nonce", nonce.value);
+        cookies.push(nonce.cookie);
+    }
+    // TODO: This does not work in normalizeOAuth because authorization endpoint can come from discovery
+    // Need to make normalizeOAuth async
+    if (provider.type === "oidc" && !url.searchParams.has("scope")) {
+        url.searchParams.set("scope", "openid profile email");
+    }
+    logWithLevel("DEBUG", "authorization url is ready", {
+        url,
+        cookies,
+        provider,
+    });
+    const convexAuthSignature = getAuthorizationSignature({
+        codeVerifier,
+        state: authParams.get("state") ?? undefined,
+        nonce: authParams.get("nonce") ?? undefined,
+    });
+    return { redirect: url.toString(), cookies, signature: convexAuthSignature };
+}
+//# sourceMappingURL=authorizationUrl.js.map

package/dist/server/oauth/authorizationUrl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorizationUrl.js","sourceRoot":"","sources":["../../../src/server/oauth/authorizationUrl.ts"],"names":[],"mappings":"AAAA,kKAAkK;AAClK,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAEtC,OAAO,EACL,WAAW,EACX,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAE1D;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;AACvC,+CAA+C;AAC/C,OAA0C;IAE1C,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE7B,IAAI,GAAG,GAAG,QAAQ,CAAC,aAAa,EAAE,GAAG,CAAC;IAEtC,+FAA+F;IAC/F,MAAM,EAAE,EAAE,EAAE,aAAa,EAAE,qBAAqB,EAAE,YAAY,EAAE,GAAG,QAAQ,CAAC;IAE5E,IAAI,CAAC,qBAAqB,EAAE,CAAC;QAC3B,MAAM,IAAI,SAAS,CAAC,iDAAiD,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,GAAG,GAAG,IAAI,GAAG,CAAC,qBAAqB,CAAC,GAAG,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC;IAEpC,uEAAuE;IACvE,MAAM,YAAY,GAAG,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC9C,iDAAiD;IACjD,iHAAiH;IACjH,gCAAgC;IAChC,iEAAiE;IACjE,8CAA8C;IAC9C,iCAAiC;IACjC,kEAAkE;IAClE,IAAI;IAEJ,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAC1B;QACE,aAAa,EAAE,MAAM;QACrB,yHAAyH;QACzH,SAAS,EAAE,QAAQ,CAAC,QAAQ;QAC5B,YAAY;QACZ,yBAAyB;QACzB,GAAG,QAAQ,CAAC,aAAa,EAAE,MAAM;KAClC,EACD,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAErD,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,MAAM;QAAE,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAErD,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,4EAA4E;IAC5E,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjD,IAAI,KAAK,EAAE,CAAC;QACV,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7B,CAAC;IAED,6DAA6D;IAC7D,IAAI,YAAgC,CAAC;IACrC,IAAI,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACtC,2FAA2F;QAC3F,IAAI,YAAY,KAAK,YAAY,IAAI,CAAC,EAAE,CAAC,gCAAgC,EAAE,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5F,sEAAsE;YACtE,qDAAqD;YACrD,IAAI,QAAQ,CAAC,IAAI,KAAK,MAAM;gBAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC/C,UAAU,CAAC,GAAG,CAAC,gBAAgB,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;YACrD,UAAU,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;YAChD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC1B,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QACnC,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjD,IAAI,KAAK,EAAE,CAAC;QACV,UAAU,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7B,CAAC;IAED,oGAAoG;IACpG,oCAAoC;IACpC,IAAI,QAAQ,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,sBAAsB,CAAC,CAAC;IACxD,CAAC;IAED,YAAY,CAAC,OAAO,EAAE,4BAA4B,EAAE;QAClD,GAAG;QACH,OAAO;QACP,QAAQ;KACT,CAAC,CAAC;IAEH,MAAM,mBAAmB,GAAG,yBAAyB,CAAC;QACpD,YAAY;QACZ,KAAK,EAAE,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,SAAS;QAC3C,KAAK,EAAE,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,SAAS;KAC5C,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,mBAAmB,EAAE,CAAC;AAC/E,CAAC"}

package/dist/server/oauth/callback.d.ts

@@ -0,0 +1,19 @@
+import { InternalOptions } from "./types.js";
+import { Cookie } from "@auth/core/lib/utils/cookie.js";
+import { Account, Profile, TokenSet } from "@auth/core/types.js";
+/**
+ * Handles the following OAuth steps.
+ * https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
+ * https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3
+ * https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest
+ *
+ * @note Although requesting userinfo is not required by the OAuth2.0 spec,
+ * we fetch it anyway. This is because we always want a user profile.
+ */
+export declare function handleOAuth(params: Record<string, string>, cookies: Record<string, string | undefined>, options: InternalOptions<"oauth" | "oidc">): Promise<{
+    profile: Profile;
+    tokens: TokenSet & Pick<Account, "expires_at">;
+    cookies: Cookie[];
+    signature: string;
+}>;
+//# sourceMappingURL=callback.d.ts.map

package/dist/server/oauth/callback.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/callback.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAE7C,OAAO,EAAE,MAAM,EAAE,MAAM,gCAAgC,CAAC;AAExD,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAsBjE;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAE/B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAE9B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,EAC3C,OAAO,EAAE,eAAe,CAAC,OAAO,GAAG,MAAM,CAAC,GACzC,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IAC/C,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC,CAgMD"}

package/dist/server/oauth/callback.js

@@ -0,0 +1,173 @@
+// This maps to packages/core/src/lib/actions/callback/oauth/callback.ts in the @auth/core package (commit 5af1f30a32e64591abc50ae4d2dba4682e525431)
+import * as checks from "./checks.js";
+import * as o from "oauth4webapi";
+import { fetchOpt } from "./lib/utils/customFetch.js";
+import { logWithLevel } from "../implementation/utils.js";
+import { isOIDCProvider } from "./lib/utils/providers.js";
+import { callbackUrl, getAuthorizationSignature, } from "./convexAuth.js";
+function formUrlEncode(token) {
+    return encodeURIComponent(token).replace(/%20/g, "+");
+}
+/**
+ * Formats client_id and client_secret as an HTTP Basic Authentication header as per the OAuth 2.0
+ * specified in RFC6749.
+ */
+function clientSecretBasic(clientId, clientSecret) {
+    const username = formUrlEncode(clientId);
+    const password = formUrlEncode(clientSecret);
+    const credentials = btoa(`${username}:${password}`);
+    return `Basic ${credentials}`;
+}
+/**
+ * Handles the following OAuth steps.
+ * https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
+ * https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3
+ * https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest
+ *
+ * @note Although requesting userinfo is not required by the OAuth2.0 spec,
+ * we fetch it anyway. This is because we always want a user profile.
+ */
+export async function handleOAuth(
+// ConvexAuth: `params` is a Record<string, string> instead of RequestInternal["query"]
+params, 
+// ConvexAuth: `cookies` is a Record<string, string | undefined> instead of RequestInternal["cookies"]
+cookies, options) {
+    const { provider } = options;
+    // ConvexAuth: The `token` property is not used here
+    const { userinfo, as } = provider;
+    const client = {
+        client_id: provider.clientId,
+        ...provider.client,
+    };
+    let clientAuth;
+    switch (client.token_endpoint_auth_method) {
+        // TODO: in the next breaking major version have undefined be `client_secret_post`
+        case undefined:
+        case "client_secret_basic":
+            // TODO: in the next breaking major version use o.ClientSecretBasic() here
+            clientAuth = (_as, _client, _body, headers) => {
+                headers.set("authorization", clientSecretBasic(provider.clientId, provider.clientSecret));
+            };
+            break;
+        case "client_secret_post":
+            clientAuth = o.ClientSecretPost(provider.clientSecret);
+            break;
+        case "client_secret_jwt":
+            clientAuth = o.ClientSecretJwt(provider.clientSecret);
+            break;
+        case "private_key_jwt":
+            clientAuth = o.PrivateKeyJwt(provider.token.clientPrivateKey, {
+                // TODO: review in the next breaking change
+                [o.modifyAssertion](_header, payload) {
+                    payload.aud = [as.issuer, as.token_endpoint];
+                },
+            });
+            break;
+        default:
+            throw new Error("unsupported client authentication method");
+    }
+    const resCookies = [];
+    const state = await checks.state.use(cookies, resCookies, options);
+    let codeGrantParams;
+    try {
+        codeGrantParams = o.validateAuthResponse(as, client, new URLSearchParams(params), provider.checks.includes("state") ? state : o.skipStateCheck);
+    }
+    catch (err) {
+        if (err instanceof o.AuthorizationResponseError) {
+            const cause = {
+                providerId: provider.id,
+                ...Object.fromEntries(err.cause.entries()),
+            };
+            logWithLevel("DEBUG", "OAuthCallbackError", cause);
+            throw new Error("OAuth Provider returned an error", { cause });
+        }
+        throw err;
+    }
+    const codeVerifier = await checks.pkce.use(cookies, resCookies, options);
+    // ConvexAuth: The logic for the callback URL is different from Auth.js
+    const redirect_uri = callbackUrl(provider.id);
+    // TODO(ConvexAuth): Support redirect proxy URLs
+    // if (!options.isOnRedirectProxy && provider.redirectProxyUrl) {
+    //   redirect_uri = provider.redirectProxyUrl;
+    // }
+    let codeGrantResponse = await o.authorizationCodeGrantRequest(as, client, clientAuth, codeGrantParams, redirect_uri, codeVerifier ?? "decoy", {
+        // TODO: move away from allowing insecure HTTP requests
+        [o.allowInsecureRequests]: true,
+        [o.customFetch]: (...args) => {
+            if (!provider.checks.includes("pkce")) {
+                args[1].body.delete("code_verifier");
+            }
+            return fetchOpt(provider)[o.customFetch](...args);
+        },
+    });
+    if (provider.token?.conform) {
+        codeGrantResponse =
+            (await provider.token.conform(codeGrantResponse.clone())) ??
+                codeGrantResponse;
+    }
+    let profile = {};
+    // ConvexAuth: We use the value of the nonce later, aside from feeding it into the
+    // `processAuthorizationCodeResponse` function.
+    const nonce = await checks.nonce.use(cookies, resCookies, options);
+    const isOidc = isOIDCProvider(provider);
+    const processedCodeResponse = await o.processAuthorizationCodeResponse(as, client, codeGrantResponse, {
+        expectedNonce: nonce,
+        requireIdToken: isOidc,
+    });
+    const tokens = processedCodeResponse;
+    if (isOidc) {
+        // ConvexAuth: the next few lines are changed slightly to make TypeScript happy
+        const idTokenClaimsOrUndefined = o.getValidatedIdTokenClaims(processedCodeResponse);
+        if (idTokenClaimsOrUndefined === undefined) {
+            throw new Error("ID Token claims are missing");
+        }
+        const idTokenClaims = idTokenClaimsOrUndefined;
+        profile = idTokenClaims;
+        // Apple sends some of the user information in a `user` parameter as a stringified JSON.
+        // It also only does so the first time the user consents to share their information.
+        if (provider.id === "apple") {
+            try {
+                profile.user = JSON.parse(params?.user);
+                // ConvexAuth: disabled lint for empty block
+                // eslint-disable-next-line no-empty
+            }
+            catch { }
+        }
+        if (provider.idToken === false) {
+            const userinfoResponse = await o.userInfoRequest(as, client, processedCodeResponse.access_token, {
+                ...fetchOpt(provider),
+                // TODO: move away from allowing insecure HTTP requests
+                [o.allowInsecureRequests]: true,
+            });
+            profile = await o.processUserInfoResponse(as, client, idTokenClaims.sub, userinfoResponse);
+        }
+    }
+    else {
+        if (userinfo?.request) {
+            const _profile = await userinfo.request({ tokens, provider });
+            if (_profile instanceof Object)
+                profile = _profile;
+        }
+        else if (userinfo?.url) {
+            const userinfoResponse = await o.userInfoRequest(as, client, processedCodeResponse.access_token, fetchOpt(provider));
+            profile = await userinfoResponse.json();
+        }
+        else {
+            throw new TypeError("No userinfo endpoint configured");
+        }
+    }
+    if (tokens.expires_in) {
+        tokens.expires_at =
+            Math.floor(Date.now() / 1000) + Number(tokens.expires_in);
+    }
+    // ConvexAuth: The Auth.js code would handle user + account creation here, but for
+    // ConvexAuth we want to handle that in a Convex function. Instead, we return the
+    // information needed for the mutation.
+    return {
+        profile,
+        tokens,
+        cookies: resCookies,
+        signature: getAuthorizationSignature({ codeVerifier, state, nonce }),
+    };
+}
+//# sourceMappingURL=callback.js.map

package/dist/server/oauth/callback.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback.js","sourceRoot":"","sources":["../../../src/server/oauth/callback.ts"],"names":[],"mappings":"AAAA,oJAAoJ;AAEpJ,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,CAAC,MAAM,cAAc,CAAC;AAElC,OAAO,EAAE,QAAQ,EAAE,MAAM,4BAA4B,CAAC;AAEtD,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAE1D,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EACL,WAAW,EACX,yBAAyB,GAC1B,MAAM,iBAAiB,CAAC;AAEzB,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;AACxD,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB,CAAC,QAAgB,EAAE,YAAoB;IAC/D,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,QAAQ,IAAI,QAAQ,EAAE,CAAC,CAAC;IACpD,OAAO,SAAS,WAAW,EAAE,CAAC;AAChC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;AAC/B,uFAAuF;AACvF,MAA8B;AAC9B,sGAAsG;AACtG,OAA2C,EAC3C,OAA0C;IAO1C,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE7B,oDAAoD;IACpD,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,QAAQ,CAAC;IAElC,MAAM,MAAM,GAAa;QACvB,SAAS,EAAE,QAAQ,CAAC,QAAQ;QAC5B,GAAG,QAAQ,CAAC,MAAM;KACnB,CAAC;IAEF,IAAI,UAAwB,CAAC;IAE7B,QAAQ,MAAM,CAAC,0BAA0B,EAAE,CAAC;QAC1C,kFAAkF;QAClF,KAAK,SAAS,CAAC;QACf,KAAK,qBAAqB;YACxB,0EAA0E;YAC1E,UAAU,GAAG,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;gBAC5C,OAAO,CAAC,GAAG,CACT,eAAe,EACf,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,YAAa,CAAC,CAC7D,CAAC;YACJ,CAAC,CAAC;YACF,MAAM;QACR,KAAK,oBAAoB;YACvB,UAAU,GAAG,CAAC,CAAC,gBAAgB,CAAC,QAAQ,CAAC,YAAa,CAAC,CAAC;YACxD,MAAM;QACR,KAAK,mBAAmB;YACtB,UAAU,GAAG,CAAC,CAAC,eAAe,CAAC,QAAQ,CAAC,YAAa,CAAC,CAAC;YACvD,MAAM;QACR,KAAK,iBAAiB;YACpB,UAAU,GAAG,CAAC,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAM,CAAC,gBAAiB,EAAE;gBAC9D,2CAA2C;gBAC3C,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,OAAO,EAAE,OAAO;oBAClC,OAAO,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,cAAe,CAAC,CAAC;gBAChD,CAAC;aACF,CAAC,CAAC;YACH,MAAM;QACR;YACE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAChE,CAAC;IAED,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;IAEnE,IAAI,eAAgC,CAAC;IACrC,IAAI,CAAC;QACH,eAAe,GAAG,CAAC,CAAC,oBAAoB,CACtC,EAAE,EACF,MAAM,EACN,IAAI,eAAe,CAAC,MAAM,CAAC,EAC3B,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAC7D,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,CAAC,CAAC,0BAA0B,EAAE,CAAC;YAChD,MAAM,KAAK,GAAG;gBACZ,UAAU,EAAE,QAAQ,CAAC,EAAE;gBACvB,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;aAC3C,CAAC;YACF,YAAY,CAAC,OAAO,EAAE,oBAAoB,EAAE,KAAK,CAAC,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,kCAAkC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;IAEzE,uEAAuE;IACvE,MAAM,YAAY,GAAG,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC9C,gDAAgD;IAChD,iEAAiE;IACjE,8CAA8C;IAC9C,IAAI;IAEJ,IAAI,iBAAiB,GAAG,MAAM,CAAC,CAAC,6BAA6B,CAC3D,EAAE,EACF,MAAM,EACN,UAAU,EACV,eAAe,EACf,YAAY,EACZ,YAAY,IAAI,OAAO,EACvB;QACE,uDAAuD;QACvD,CAAC,CAAC,CAAC,qBAAqB,CAAC,EAAE,IAAI;QAC/B,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,EAAE;YAC3B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBACtC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;YACvC,CAAC;YACD,OAAO,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QACpD,CAAC;KACF,CACF,CAAC;IAEF,IAAI,QAAQ,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;QAC5B,iBAAiB;YACf,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,KAAK,EAAE,CAAC,CAAC;gBACzD,iBAAiB,CAAC;IACtB,CAAC;IAED,IAAI,OAAO,GAAY,EAAE,CAAC;IAE1B,kFAAkF;IAClF,+CAA+C;IAC/C,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;IAEnE,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,qBAAqB,GAAG,MAAM,CAAC,CAAC,gCAAgC,CACpE,EAAE,EACF,MAAM,EACN,iBAAiB,EACjB;QACE,aAAa,EAAE,KAAK;QACpB,cAAc,EAAE,MAAM;KACvB,CACF,CAAC;IAEF,MAAM,MAAM,GAA2C,qBAAqB,CAAC;IAE7E,IAAI,MAAM,EAAE,CAAC;QACX,+EAA+E;QAC/E,MAAM,wBAAwB,GAAG,CAAC,CAAC,yBAAyB,CAC1D,qBAAqB,CACtB,CAAC;QACF,IAAI,wBAAwB,KAAK,SAAS,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,MAAM,aAAa,GAAG,wBAAwB,CAAC;QAC/C,OAAO,GAAG,aAAa,CAAC;QAExB,wFAAwF;QACxF,oFAAoF;QACpF,IAAI,QAAQ,CAAC,EAAE,KAAK,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;gBACvC,4CAA4C;gBAC5C,oCAAoC;YACtC,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACZ,CAAC;QAED,IAAI,QAAQ,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAC/B,MAAM,gBAAgB,GAAG,MAAM,CAAC,CAAC,eAAe,CAC9C,EAAE,EACF,MAAM,EACN,qBAAqB,CAAC,YAAY,EAClC;gBACE,GAAG,QAAQ,CAAC,QAAQ,CAAC;gBACrB,uDAAuD;gBACvD,CAAC,CAAC,CAAC,qBAAqB,CAAC,EAAE,IAAI;aAChC,CACF,CAAC;YAEF,OAAO,GAAG,MAAM,CAAC,CAAC,uBAAuB,CACvC,EAAE,EACF,MAAM,EACN,aAAa,CAAC,GAAG,EACjB,gBAAgB,CACjB,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,QAAQ,EAAE,OAAO,EAAE,CAAC;YACtB,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC9D,IAAI,QAAQ,YAAY,MAAM;gBAAE,OAAO,GAAG,QAAQ,CAAC;QACrD,CAAC;aAAM,IAAI,QAAQ,EAAE,GAAG,EAAE,CAAC;YACzB,MAAM,gBAAgB,GAAG,MAAM,CAAC,CAAC,eAAe,CAC9C,EAAE,EACF,MAAM,EACN,qBAAqB,CAAC,YAAY,EAClC,QAAQ,CAAC,QAAQ,CAAC,CACnB,CAAC;YACF,OAAO,GAAG,MAAM,gBAAgB,CAAC,IAAI,EAAE,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,SAAS,CAAC,iCAAiC,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,MAAM,CAAC,UAAU;YACf,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC9D,CAAC;IAED,kFAAkF;IAClF,iFAAiF;IACjF,uCAAuC;IAEvC,OAAO;QACL,OAAO;QACP,MAAM;QACN,OAAO,EAAE,UAAU;QACnB,SAAS,EAAE,yBAAyB,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;KACrE,CAAC;AACJ,CAAC"}

package/dist/server/oauth/checks.d.ts

@@ -0,0 +1,52 @@
+import type { InternalOptions } from "./types.js";
+import { Cookie } from "@auth/core/lib/utils/cookie.js";
+/**
+ * @see https://www.rfc-editor.org/rfc/rfc7636
+ * @see https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/#pkce
+ */
+export declare const pkce: {
+    /** Creates a PKCE code challenge and verifier pair. The verifier is stored in the cookie. */
+    create(options: InternalOptions<"oauth">): Promise<{
+        cookie: Cookie;
+        codeChallenge: string;
+        codeVerifier: string;
+    }>;
+    /**
+     * Returns code_verifier if the provider is configured to use PKCE,
+     * and clears the container cookie afterwards.
+     * An error is thrown if the code_verifier is missing or invalid.
+     */
+    use: (cookies: Record<string, string | undefined>, resCookies: Cookie[], options: InternalOptions<"oidc">) => Promise<string | undefined>;
+};
+/**
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-10.12
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
+ */
+export declare const state: {
+    /** Creates a state cookie with an optionally encoded body. */
+    create(options: InternalOptions<"oauth">, origin?: string): Promise<{
+        cookie: Cookie;
+        value: string;
+    } | undefined>;
+    /**
+     * Returns state if the provider is configured to use state,
+     * and clears the container cookie afterwards.
+     * An error is thrown if the state is missing or invalid.
+     */
+    use: (cookies: Record<string, string | undefined>, resCookies: Cookie[], options: InternalOptions<"oidc">) => Promise<string | undefined>;
+};
+export declare const nonce: {
+    create(options: InternalOptions<"oidc">): Promise<{
+        cookie: Cookie;
+        value: string;
+    } | undefined>;
+    /**
+     * Returns nonce if the provider is configured to use nonce,
+     * and clears the container cookie afterwards.
+     * An error is thrown if the nonce is missing or invalid.
+     * @see https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes
+     * @see https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/#nonce
+     */
+    use: (cookies: Record<string, string | undefined>, resCookies: Cookie[], options: InternalOptions<"oidc">) => Promise<string | undefined>;
+};
+//# sourceMappingURL=checks.d.ts.map

package/dist/server/oauth/checks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"checks.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/checks.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,MAAM,EAAE,MAAM,gCAAgC,CAAC;AAgExD;;;GAGG;AACH,eAAO,MAAM,IAAI;IACf,6FAA6F;oBACvE,eAAe,CAAC,OAAO,CAAC;;;;;IAM9C;;;;OAIG;mBA7BQ,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,cAC/B,MAAM,EAAE,WACX,eAAe,CAAC,MAAM,CAAC;CA6BnC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,KAAK;IAChB,8DAA8D;oBACxC,eAAe,CAAC,OAAO,CAAC,WAAW,MAAM;;;;IAe/D;;;;OAIG;mBA1DQ,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,cAC/B,MAAM,EAAE,WACX,eAAe,CAAC,MAAM,CAAC;CA0DnC,CAAC;AAEF,eAAO,MAAM,KAAK;oBACM,eAAe,CAAC,MAAM,CAAC;;;;IAM7C;;;;;;OAMG;mBA3EQ,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,cAC/B,MAAM,EAAE,WACX,eAAe,CAAC,MAAM,CAAC;CA2EnC,CAAC"}

package/dist/server/oauth/checks.js

@@ -0,0 +1,106 @@
+// This maps to packages/core/src/lib/actions/callback/oauth/checks.ts in the @auth/core package (commit 5af1f30a32e64591abc50ae4d2dba4682e525431)
+import * as o from "oauth4webapi";
+import { logWithLevel } from "../implementation/utils.js";
+const COOKIE_TTL = 60 * 15; // 15 minutes
+/** Returns a cookie with the given payload and options. */
+// ConvexAuth: Auth.js calls this `sealCookie` and encrypts the payload wrapped in a JWT.
+async function createCookie(name, payload, options) {
+    const { cookies } = options;
+    const cookie = cookies[name];
+    const expires = new Date();
+    expires.setTime(expires.getTime() + COOKIE_TTL * 1000);
+    logWithLevel("DEBUG", `CREATE_${name.toUpperCase()}`, {
+        name: cookie.name,
+        payload,
+        COOKIE_TTL,
+        expires,
+    });
+    const cookieOptions = { ...cookie.options, expires };
+    return { name: cookie.name, value: payload, options: cookieOptions };
+}
+function clearCookie(name, options, resCookies) {
+    const { cookies } = options;
+    const cookie = cookies[name];
+    logWithLevel("DEBUG", `CLEAR_${name.toUpperCase()}`, { cookie });
+    resCookies.push({
+        name: cookie.name,
+        value: "",
+        options: { ...cookies[name].options, maxAge: 0 },
+    });
+}
+function useCookie(check, name) {
+    return async function (
+    // ConvexAuth: `cookies` is a Record<string, string | undefined> instead of RequestInternal["cookies"]
+    cookies, resCookies, options) {
+        const { provider } = options;
+        if (!provider?.checks?.includes(check))
+            return;
+        const cookieValue = cookies?.[options.cookies[name].name];
+        logWithLevel("DEBUG", `USE_${name.toUpperCase()}`, { value: cookieValue });
+        clearCookie(name, options, resCookies);
+        return cookieValue;
+    };
+}
+/**
+ * @see https://www.rfc-editor.org/rfc/rfc7636
+ * @see https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/#pkce
+ */
+export const pkce = {
+    /** Creates a PKCE code challenge and verifier pair. The verifier is stored in the cookie. */
+    async create(options) {
+        const codeVerifier = o.generateRandomCodeVerifier();
+        const codeChallenge = await o.calculatePKCECodeChallenge(codeVerifier);
+        const cookie = await createCookie("pkceCodeVerifier", codeVerifier, options);
+        return { cookie, codeChallenge: codeChallenge, codeVerifier };
+    },
+    /**
+     * Returns code_verifier if the provider is configured to use PKCE,
+     * and clears the container cookie afterwards.
+     * An error is thrown if the code_verifier is missing or invalid.
+     */
+    use: useCookie("pkce", "pkceCodeVerifier"),
+};
+/**
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-10.12
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
+ */
+export const state = {
+    /** Creates a state cookie with an optionally encoded body. */
+    async create(options, origin) {
+        const { provider } = options;
+        if (!provider.checks.includes("state")) {
+            if (origin) {
+                throw new Error("State data was provided but the provider is not configured to use state");
+            }
+            return;
+        }
+        const payload = o.generateRandomState();
+        const cookie = await createCookie("state", payload, options);
+        return { cookie, value: payload };
+    },
+    /**
+     * Returns state if the provider is configured to use state,
+     * and clears the container cookie afterwards.
+     * An error is thrown if the state is missing or invalid.
+     */
+    use: useCookie("state", "state"),
+};
+export const nonce = {
+    async create(options) {
+        if (!options.provider.checks.includes("nonce"))
+            return;
+        const value = o.generateRandomNonce();
+        const cookie = await createCookie("nonce", value, options);
+        return { cookie, value };
+    },
+    /**
+     * Returns nonce if the provider is configured to use nonce,
+     * and clears the container cookie afterwards.
+     * An error is thrown if the nonce is missing or invalid.
+     * @see https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes
+     * @see https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/#nonce
+     */
+    use: useCookie("nonce", "nonce"),
+};
+// ConvexAuth: All WebAuthn checks are omitted.
+//# sourceMappingURL=checks.js.map

package/dist/server/oauth/checks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"checks.js","sourceRoot":"","sources":["../../../src/server/oauth/checks.ts"],"names":[],"mappings":"AAAA,kJAAkJ;AAElJ,OAAO,KAAK,CAAC,MAAM,cAAc,CAAC;AAKlC,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAE1D,MAAM,UAAU,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,aAAa;AAEzC,2DAA2D;AAC3D,yFAAyF;AACzF,KAAK,UAAU,YAAY,CACzB,IAA0B,EAC1B,OAAe,EACf,OAA0C;IAE1C,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;IAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,OAAO,GAAG,IAAI,IAAI,EAAE,CAAC;IAC3B,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,UAAU,GAAG,IAAI,CAAC,CAAC;IAEvD,YAAY,CAAC,OAAO,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE,EAAE,EAAE;QACpD,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,OAAO;QACP,UAAU;QACV,OAAO;KACR,CAAC,CAAC;IAEH,MAAM,aAAa,GAAG,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;IAErD,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC;AACvE,CAAC;AAED,SAAS,WAAW,CAClB,IAA0B,EAC1B,OAA0C,EAC1C,UAAoB;IAEpB,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;IAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7B,YAAY,CAAC,OAAO,EAAE,SAAS,IAAI,CAAC,WAAW,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IACjE,UAAU,CAAC,IAAI,CAAC;QACd,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,KAAK,EAAE,EAAE;QACT,OAAO,EAAE,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC,EAAE;KACjD,CAAC,CAAC;AACL,CAAC;AAED,SAAS,SAAS,CAChB,KAAiC,EACjC,IAA0B;IAE1B,OAAO,KAAK;IACV,sGAAsG;IACtG,OAA2C,EAC3C,UAAoB,EACpB,OAAgC;QAEhC,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAC7B,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC;YAAE,OAAO;QAC/C,MAAM,WAAW,GAAG,OAAO,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1D,YAAY,CAAC,OAAO,EAAE,OAAO,IAAI,CAAC,WAAW,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QAC3E,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QACvC,OAAO,WAAW,CAAC;IACrB,CAAC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,IAAI,GAAG;IAClB,6FAA6F;IAC7F,KAAK,CAAC,MAAM,CAAC,OAAiC;QAC5C,MAAM,YAAY,GAAG,CAAC,CAAC,0BAA0B,EAAE,CAAC;QACpD,MAAM,aAAa,GAAG,MAAM,CAAC,CAAC,0BAA0B,CAAC,YAAY,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,kBAAkB,EAAE,YAAY,EAAE,OAAO,CAAC,CAAC;QAC7E,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC;IAChE,CAAC;IACD;;;;OAIG;IACH,GAAG,EAAE,SAAS,CAAC,MAAM,EAAE,kBAAkB,CAAC;CAC3C,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,KAAK,GAAG;IACnB,8DAA8D;IAC9D,KAAK,CAAC,MAAM,CAAC,OAAiC,EAAE,MAAe;QAC7D,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAC7B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACvC,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,IAAI,KAAK,CACb,yEAAyE,CAC1E,CAAC;YACJ,CAAC;YACD,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,CAAC,CAAC,mBAAmB,EAAE,CAAC;QACxC,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC7D,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IACpC,CAAC;IACD;;;;OAIG;IACH,GAAG,EAAE,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC;CACjC,CAAC;AAEF,MAAM,CAAC,MAAM,KAAK,GAAG;IACnB,KAAK,CAAC,MAAM,CAAC,OAAgC;QAC3C,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC;YAAE,OAAO;QACvD,MAAM,KAAK,GAAG,CAAC,CAAC,mBAAmB,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;QAC3D,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC3B,CAAC;IACD;;;;;;OAMG;IACH,GAAG,EAAE,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC;CACjC,CAAC;AAEF,+CAA+C"}

package/dist/server/oauth/convexAuth.d.ts

@@ -0,0 +1,12 @@
+import { CookieOption, CookiesOptions } from "@auth/core/types.js";
+import { InternalProvider } from "./types.js";
+import { OAuthConfig } from "@auth/core/providers/oauth.js";
+export declare function callbackUrl(providerId: string): string;
+export declare function getAuthorizationSignature({ codeVerifier, state, nonce, }: {
+    codeVerifier?: string;
+    state?: string;
+    nonce?: string;
+}): string;
+export declare const defaultCookiesOptions: (providerId: string) => Record<keyof CookiesOptions, CookieOption>;
+export declare function oAuthConfigToInternalProvider(config: OAuthConfig<any>): Promise<InternalProvider<"oauth" | "oidc">>;
+//# sourceMappingURL=convexAuth.d.ts.map

package/dist/server/oauth/convexAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"convexAuth.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/convexAuth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAEnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAM9C,OAAO,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAC;AAG5D,wBAAgB,WAAW,CAAC,UAAU,EAAE,MAAM,UAE7C;AAID,wBAAgB,yBAAyB,CAAC,EACxC,YAAY,EACZ,KAAK,EACL,KAAK,GACN,EAAE;IACD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,UAIA;AASD,eAAO,MAAM,qBAAqB,EAAE,CAClC,UAAU,EAAE,MAAM,KACf,MAAM,CAAC,MAAM,cAAc,EAAE,YAAY,CA+C7C,CAAC;AAEF,wBAAsB,6BAA6B,CAAC,MAAM,EAAE,WAAW,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,OAAO,GAAG,MAAM,CAAC,CAAC,CA8EzH"}

package/dist/server/oauth/convexAuth.js

@@ -0,0 +1,137 @@
+import { requireEnv } from "../utils.js";
+import { SHARED_COOKIE_OPTIONS } from "../cookies.js";
+import { fetchOpt } from "./lib/utils/customFetch.js";
+import * as o from "oauth4webapi";
+import { normalizeEndpoint } from "../provider_utils.js";
+import { isLocalHost } from "../utils.js";
+// ConvexAuth: The logic for the callback URL is different from Auth.js
+export function callbackUrl(providerId) {
+    return (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv("CONVEX_SITE_URL")) + "/api/auth/callback/" + providerId;
+}
+// ConvexAuth: This is a ConvexAuth specific function that produces a string that the
+// Convex functions will validate
+export function getAuthorizationSignature({ codeVerifier, state, nonce, }) {
+    return [codeVerifier, state, nonce]
+        .filter((param) => param !== undefined)
+        .join(" ");
+}
+function oauthStateCookieName(type, providerId) {
+    return (!isLocalHost(process.env.CONVEX_SITE_URL) ? "__Host-" : "") + providerId + "OAuth" + type;
+}
+export const defaultCookiesOptions = (providerId) => {
+    return {
+        pkceCodeVerifier: {
+            name: oauthStateCookieName("pkce", providerId),
+            options: {
+                ...SHARED_COOKIE_OPTIONS,
+            },
+        },
+        state: {
+            name: oauthStateCookieName("state", providerId),
+            options: {
+                ...SHARED_COOKIE_OPTIONS,
+            },
+        },
+        nonce: {
+            name: oauthStateCookieName("nonce", providerId),
+            options: {
+                ...SHARED_COOKIE_OPTIONS,
+            },
+        },
+        // ConvexAuth: We don't support webauthn, so this value doesn't actually matter
+        webauthnChallenge: {
+            name: "ConvexAuth_shouldNotBeUsed_webauthnChallenge",
+            options: {
+                ...SHARED_COOKIE_OPTIONS,
+            },
+        },
+        // ConvexAuth: We don't use these cookies, so their values should never be used
+        sessionToken: {
+            name: "ConvexAuth_shouldNotBeUsed_sessionToken",
+            options: {
+                ...SHARED_COOKIE_OPTIONS,
+            },
+        },
+        callbackUrl: {
+            name: "ConvexAuth_shouldNotBeUsed_callbackUrl",
+            options: {
+                ...SHARED_COOKIE_OPTIONS,
+            },
+        },
+        csrfToken: {
+            name: "ConvexAuth_shouldNotBeUsed_csrfToken",
+            options: {
+                ...SHARED_COOKIE_OPTIONS,
+            },
+        },
+    };
+};
+export async function oAuthConfigToInternalProvider(config) {
+    // Only do service discovery if the provider does not have the required configuration
+    if (!config.authorization || !config.token || !config.userinfo) {
+        // Taken from https://github.com/nextauthjs/next-auth/blob/a7491dcb9355ff2d01fb8e9236636605e2090145/packages/core/src/lib/actions/callback/oauth/callback.ts#L63
+        if (!config.issuer) {
+            throw new Error(`Provider \`${config.id}\` is missing an \`issuer\` URL configuration. Consult the provider docs.`);
+        }
+        const issuer = new URL(config.issuer);
+        // TODO: move away from allowing insecure HTTP requests
+        const discoveryResponse = await o.discoveryRequest(issuer, {
+            ...fetchOpt(config),
+            [o.allowInsecureRequests]: true,
+        });
+        const discoveredAs = await o.processDiscoveryResponse(issuer, discoveryResponse);
+        if (!discoveredAs.token_endpoint)
+            throw new TypeError("TODO: Authorization server did not provide a token endpoint.");
+        const as = discoveredAs;
+        return {
+            ...config,
+            checks: config.checks,
+            profile: config.profile,
+            account: config.account,
+            clientId: config.clientId,
+            idToken: config.type === "oidc" ? config.idToken : undefined,
+            // ConvexAuth: Apparently it's important for us to normalize the endpoint after
+            // service discovery (https://github.com/get-convex/convex-auth/commit/35bf716bfb0d29dbce1cbca318973b0732f75015)
+            authorization: normalizeEndpoint({
+                ...config.authorization,
+                url: as.authorization_endpoint,
+            }),
+            token: normalizeEndpoint({
+                ...config.token,
+                url: as.token_endpoint,
+            }),
+            userinfo: as.userinfo_endpoint
+                ? normalizeEndpoint({
+                    ...config.userinfo,
+                    url: as.userinfo_endpoint,
+                })
+                : config.userinfo,
+            as,
+            configSource: "discovered"
+        };
+    }
+    const authorization = normalizeEndpoint(config.authorization);
+    const token = normalizeEndpoint(config.token);
+    const userinfo = config.userinfo
+        ? normalizeEndpoint(config.userinfo)
+        : undefined;
+    return {
+        ...config,
+        checks: config.checks,
+        profile: config.profile,
+        account: config.account,
+        clientId: config.clientId,
+        idToken: config.type === "oidc" ? config.idToken : undefined,
+        authorization,
+        token,
+        userinfo,
+        as: {
+            issuer: config.issuer ?? "theremustbeastringhere.dev",
+            authorization_endpoint: authorization?.url.toString(),
+            token_endpoint: token?.url.toString(),
+            userinfo_endpoint: userinfo?.url.toString(),
+        },
+        configSource: "provided",
+    };
+}
+//# sourceMappingURL=convexAuth.js.map

package/dist/server/oauth/convexAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"convexAuth.js","sourceRoot":"","sources":["../../../src/server/oauth/convexAuth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,4BAA4B,CAAC;AACtD,OAAO,KAAK,CAAC,MAAM,cAAc,CAAC;AAClC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG1C,uEAAuE;AACvE,MAAM,UAAU,WAAW,CAAC,UAAkB;IAC5C,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,UAAU,CAAC,iBAAiB,CAAC,CAAC,GAAG,qBAAqB,GAAG,UAAU,CAAC;AAClH,CAAC;AAED,qFAAqF;AACrF,iCAAiC;AACjC,MAAM,UAAU,yBAAyB,CAAC,EACxC,YAAY,EACZ,KAAK,EACL,KAAK,GAKN;IACC,OAAO,CAAC,YAAY,EAAE,KAAK,EAAE,KAAK,CAAC;SAChC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,SAAS,CAAC;SACtC,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED,SAAS,oBAAoB,CAC3B,IAAgC,EAChC,UAAkB;IAElB,OAAO,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,UAAU,GAAG,OAAO,GAAG,IAAI,CAAC;AACpG,CAAC;AAED,MAAM,CAAC,MAAM,qBAAqB,GAEgB,CAAC,UAAU,EAAE,EAAE;IAC/D,OAAO;QACL,gBAAgB,EAAE;YAChB,IAAI,EAAE,oBAAoB,CAAC,MAAM,EAAE,UAAU,CAAC;YAC9C,OAAO,EAAE;gBACP,GAAG,qBAAqB;aACzB;SACF;QACD,KAAK,EAAE;YACL,IAAI,EAAE,oBAAoB,CAAC,OAAO,EAAE,UAAU,CAAC;YAC/C,OAAO,EAAE;gBACP,GAAG,qBAAqB;aACzB;SACF;QACD,KAAK,EAAE;YACL,IAAI,EAAE,oBAAoB,CAAC,OAAO,EAAE,UAAU,CAAC;YAC/C,OAAO,EAAE;gBACP,GAAG,qBAAqB;aACzB;SACF;QACD,+EAA+E;QAC/E,iBAAiB,EAAE;YACjB,IAAI,EAAE,8CAA8C;YACpD,OAAO,EAAE;gBACP,GAAG,qBAAqB;aACzB;SACF;QACD,+EAA+E;QAC/E,YAAY,EAAE;YACZ,IAAI,EAAE,yCAAyC;YAC/C,OAAO,EAAE;gBACP,GAAG,qBAAqB;aACzB;SACF;QACD,WAAW,EAAE;YACX,IAAI,EAAE,wCAAwC;YAC9C,OAAO,EAAE;gBACP,GAAG,qBAAqB;aACzB;SACF;QACD,SAAS,EAAE;YACT,IAAI,EAAE,sCAAsC;YAC5C,OAAO,EAAE;gBACP,GAAG,qBAAqB;aACzB;SACF;KACF,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,6BAA6B,CAAC,MAAwB;IAC1E,qFAAqF;IACrF,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC/D,gKAAgK;QAChK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CACb,cAAc,MAAM,CAAC,EAAE,2EAA2E,CACnG,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACtC,uDAAuD;QACvD,MAAM,iBAAiB,GAAG,MAAM,CAAC,CAAC,gBAAgB,CAAC,MAAM,EAAE;YACzD,GAAG,QAAQ,CAAC,MAAM,CAAC;YACnB,CAAC,CAAC,CAAC,qBAAqB,CAAC,EAAE,IAAI;SAChC,CAAC,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,CAAC,CAAC,wBAAwB,CACnD,MAAM,EACN,iBAAiB,CAClB,CAAC;QAEF,IAAI,CAAC,YAAY,CAAC,cAAc;YAC9B,MAAM,IAAI,SAAS,CACjB,8DAA8D,CAC/D,CAAC;QAEJ,MAAM,EAAE,GAA0B,YAAY,CAAC;QAC/C,OAAO;YACL,GAAG,MAAM;YACT,MAAM,EAAE,MAAM,CAAC,MAAO;YACtB,OAAO,EAAE,MAAM,CAAC,OAAQ;YACxB,OAAO,EAAE,MAAM,CAAC,OAAQ;YACxB,QAAQ,EAAE,MAAM,CAAC,QAAS;YAC1B,OAAO,EAAE,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;YAC5D,+EAA+E;YAC/E,gHAAgH;YAChH,aAAa,EAAE,iBAAiB,CAAC;gBAC/B,GAAG,MAAM,CAAC,aAAa;gBACvB,GAAG,EAAE,EAAE,CAAC,sBAAsB;aAC/B,CAAC;YACF,KAAK,EAAE,iBAAiB,CAAC;gBACvB,GAAG,MAAM,CAAC,KAAK;gBACf,GAAG,EAAE,EAAE,CAAC,cAAc;aACvB,CAAC;YACF,QAAQ,EAAE,EAAE,CAAC,iBAAiB;gBAC5B,CAAC,CAAC,iBAAiB,CAAC;oBAChB,GAAG,MAAM,CAAC,QAAQ;oBAClB,GAAG,EAAE,EAAE,CAAC,iBAAiB;iBAC1B,CAAC;gBACJ,CAAC,CAAC,MAAM,CAAC,QAAQ;YACnB,EAAE;YACF,YAAY,EAAE,YAAY;SAC3B,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GAAG,iBAAiB,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAG,iBAAiB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ;QAC9B,CAAC,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC;QACpC,CAAC,CAAC,SAAS,CAAC;IACd,OAAO;QACL,GAAG,MAAM;QACT,MAAM,EAAE,MAAM,CAAC,MAAO;QACtB,OAAO,EAAE,MAAM,CAAC,OAAQ;QACxB,OAAO,EAAE,MAAM,CAAC,OAAQ;QACxB,QAAQ,EAAE,MAAM,CAAC,QAAS;QAC1B,OAAO,EAAE,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;QAC5D,aAAa;QACb,KAAK;QACL,QAAQ;QACR,EAAE,EAAE;YACF,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,4BAA4B;YACrD,sBAAsB,EAAE,aAAa,EAAE,GAAG,CAAC,QAAQ,EAAE;YACrD,cAAc,EAAE,KAAK,EAAE,GAAG,CAAC,QAAQ,EAAE;YACrC,iBAAiB,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE;SAC5C;QACD,YAAY,EAAE,UAAU;KACzB,CAAC;AACJ,CAAC"}