npm - @robelest/convex-auth - Versions diffs - 0.0.1 - Mend

@robelest/convex-auth 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (280) hide show

package/README.md +6 -0
package/dist/bin.cjs +27733 -0
package/dist/client/index.d.ts +49 -0
package/dist/client/index.d.ts.map +1 -0
package/dist/client/index.js +283 -0
package/dist/client/index.js.map +1 -0
package/dist/component/_generated/api.d.ts +36 -0
package/dist/component/_generated/api.d.ts.map +1 -0
package/dist/component/_generated/api.js +31 -0
package/dist/component/_generated/api.js.map +1 -0
package/dist/component/_generated/component.d.ts +295 -0
package/dist/component/_generated/component.d.ts.map +1 -0
package/dist/component/_generated/component.js +11 -0
package/dist/component/_generated/component.js.map +1 -0
package/dist/component/_generated/dataModel.d.ts +46 -0
package/dist/component/_generated/dataModel.d.ts.map +1 -0
package/dist/component/_generated/dataModel.js +11 -0
package/dist/component/_generated/dataModel.js.map +1 -0
package/dist/component/_generated/server.d.ts +121 -0
package/dist/component/_generated/server.d.ts.map +1 -0
package/dist/component/_generated/server.js +78 -0
package/dist/component/_generated/server.js.map +1 -0
package/dist/component/convex.config.d.ts +3 -0
package/dist/component/convex.config.d.ts.map +1 -0
package/dist/component/convex.config.js +4 -0
package/dist/component/convex.config.js.map +1 -0
package/dist/component/index.d.ts +15 -0
package/dist/component/index.d.ts.map +1 -0
package/dist/component/index.js +13 -0
package/dist/component/index.js.map +1 -0
package/dist/component/public.d.ts +450 -0
package/dist/component/public.d.ts.map +1 -0
package/dist/component/public.js +528 -0
package/dist/component/public.js.map +1 -0
package/dist/component/schema.d.ts +107 -0
package/dist/component/schema.d.ts.map +1 -0
package/dist/component/schema.js +26 -0
package/dist/component/schema.js.map +1 -0
package/dist/providers/Anonymous.d.ts +50 -0
package/dist/providers/Anonymous.d.ts.map +1 -0
package/dist/providers/Anonymous.js +39 -0
package/dist/providers/Anonymous.js.map +1 -0
package/dist/providers/ConvexCredentials.d.ts +88 -0
package/dist/providers/ConvexCredentials.d.ts.map +1 -0
package/dist/providers/ConvexCredentials.js +37 -0
package/dist/providers/ConvexCredentials.js.map +1 -0
package/dist/providers/Email.d.ts +33 -0
package/dist/providers/Email.d.ts.map +1 -0
package/dist/providers/Email.js +50 -0
package/dist/providers/Email.js.map +1 -0
package/dist/providers/Password.d.ts +95 -0
package/dist/providers/Password.d.ts.map +1 -0
package/dist/providers/Password.js +174 -0
package/dist/providers/Password.js.map +1 -0
package/dist/providers/Phone.d.ts +22 -0
package/dist/providers/Phone.d.ts.map +1 -0
package/dist/providers/Phone.js +37 -0
package/dist/providers/Phone.js.map +1 -0
package/dist/server/convex_types.d.ts +17 -0
package/dist/server/convex_types.d.ts.map +1 -0
package/dist/server/convex_types.js +2 -0
package/dist/server/convex_types.js.map +1 -0
package/dist/server/cookies.d.ts +35 -0
package/dist/server/cookies.d.ts.map +1 -0
package/dist/server/cookies.js +34 -0
package/dist/server/cookies.js.map +1 -0
package/dist/server/implementation/db.d.ts +80 -0
package/dist/server/implementation/db.d.ts.map +1 -0
package/dist/server/implementation/db.js +59 -0
package/dist/server/implementation/db.js.map +1 -0
package/dist/server/implementation/index.d.ts +370 -0
package/dist/server/implementation/index.d.ts.map +1 -0
package/dist/server/implementation/index.js +521 -0
package/dist/server/implementation/index.js.map +1 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.d.ts +33 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.d.ts.map +1 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.js +71 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.js.map +1 -0
package/dist/server/implementation/mutations/createVerificationCode.d.ts +25 -0
package/dist/server/implementation/mutations/createVerificationCode.d.ts.map +1 -0
package/dist/server/implementation/mutations/createVerificationCode.js +84 -0
package/dist/server/implementation/mutations/createVerificationCode.js.map +1 -0
package/dist/server/implementation/mutations/index.d.ts +304 -0
package/dist/server/implementation/mutations/index.d.ts.map +1 -0
package/dist/server/implementation/mutations/index.js +108 -0
package/dist/server/implementation/mutations/index.js.map +1 -0
package/dist/server/implementation/mutations/invalidateSessions.d.ts +13 -0
package/dist/server/implementation/mutations/invalidateSessions.d.ts.map +1 -0
package/dist/server/implementation/mutations/invalidateSessions.js +35 -0
package/dist/server/implementation/mutations/invalidateSessions.js.map +1 -0
package/dist/server/implementation/mutations/modifyAccount.d.ts +23 -0
package/dist/server/implementation/mutations/modifyAccount.d.ts.map +1 -0
package/dist/server/implementation/mutations/modifyAccount.js +48 -0
package/dist/server/implementation/mutations/modifyAccount.js.map +1 -0
package/dist/server/implementation/mutations/refreshSession.d.ts +16 -0
package/dist/server/implementation/mutations/refreshSession.d.ts.map +1 -0
package/dist/server/implementation/mutations/refreshSession.js +116 -0
package/dist/server/implementation/mutations/refreshSession.js.map +1 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.d.ts +27 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.d.ts.map +1 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.js +55 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.js.map +1 -0
package/dist/server/implementation/mutations/signIn.d.ts +17 -0
package/dist/server/implementation/mutations/signIn.d.ts.map +1 -0
package/dist/server/implementation/mutations/signIn.js +26 -0
package/dist/server/implementation/mutations/signIn.js.map +1 -0
package/dist/server/implementation/mutations/signOut.d.ts +11 -0
package/dist/server/implementation/mutations/signOut.d.ts.map +1 -0
package/dist/server/implementation/mutations/signOut.js +24 -0
package/dist/server/implementation/mutations/signOut.js.map +1 -0
package/dist/server/implementation/mutations/userOAuth.d.ts +19 -0
package/dist/server/implementation/mutations/userOAuth.d.ts.map +1 -0
package/dist/server/implementation/mutations/userOAuth.js +84 -0
package/dist/server/implementation/mutations/userOAuth.js.map +1 -0
package/dist/server/implementation/mutations/verifier.d.ts +8 -0
package/dist/server/implementation/mutations/verifier.d.ts.map +1 -0
package/dist/server/implementation/mutations/verifier.js +19 -0
package/dist/server/implementation/mutations/verifier.js.map +1 -0
package/dist/server/implementation/mutations/verifierSignature.d.ts +15 -0
package/dist/server/implementation/mutations/verifierSignature.d.ts.map +1 -0
package/dist/server/implementation/mutations/verifierSignature.js +29 -0
package/dist/server/implementation/mutations/verifierSignature.js.map +1 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.d.ts +21 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.d.ts.map +1 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.js +127 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.js.map +1 -0
package/dist/server/implementation/provider.d.ts +6 -0
package/dist/server/implementation/provider.d.ts.map +1 -0
package/dist/server/implementation/provider.js +21 -0
package/dist/server/implementation/provider.js.map +1 -0
package/dist/server/implementation/rateLimit.d.ts +6 -0
package/dist/server/implementation/rateLimit.d.ts.map +1 -0
package/dist/server/implementation/rateLimit.js +76 -0
package/dist/server/implementation/rateLimit.js.map +1 -0
package/dist/server/implementation/redirects.d.ts +6 -0
package/dist/server/implementation/redirects.d.ts.map +1 -0
package/dist/server/implementation/redirects.js +40 -0
package/dist/server/implementation/redirects.js.map +1 -0
package/dist/server/implementation/refreshTokens.d.ts +40 -0
package/dist/server/implementation/refreshTokens.d.ts.map +1 -0
package/dist/server/implementation/refreshTokens.js +160 -0
package/dist/server/implementation/refreshTokens.js.map +1 -0
package/dist/server/implementation/sessions.d.ts +43 -0
package/dist/server/implementation/sessions.d.ts.map +1 -0
package/dist/server/implementation/sessions.js +94 -0
package/dist/server/implementation/sessions.js.map +1 -0
package/dist/server/implementation/signIn.d.ts +31 -0
package/dist/server/implementation/signIn.d.ts.map +1 -0
package/dist/server/implementation/signIn.js +148 -0
package/dist/server/implementation/signIn.js.map +1 -0
package/dist/server/implementation/tokens.d.ts +7 -0
package/dist/server/implementation/tokens.d.ts.map +1 -0
package/dist/server/implementation/tokens.js +18 -0
package/dist/server/implementation/tokens.js.map +1 -0
package/dist/server/implementation/types.d.ts +288 -0
package/dist/server/implementation/types.d.ts.map +1 -0
package/dist/server/implementation/types.js +182 -0
package/dist/server/implementation/types.js.map +1 -0
package/dist/server/implementation/users.d.ts +27 -0
package/dist/server/implementation/users.d.ts.map +1 -0
package/dist/server/implementation/users.js +181 -0
package/dist/server/implementation/users.js.map +1 -0
package/dist/server/implementation/utils.d.ts +17 -0
package/dist/server/implementation/utils.d.ts.map +1 -0
package/dist/server/implementation/utils.js +72 -0
package/dist/server/implementation/utils.js.map +1 -0
package/dist/server/index.d.ts +17 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/index.js +54 -0
package/dist/server/index.js.map +1 -0
package/dist/server/oauth/authorizationUrl.d.ts +13 -0
package/dist/server/oauth/authorizationUrl.d.ts.map +1 -0
package/dist/server/oauth/authorizationUrl.js +91 -0
package/dist/server/oauth/authorizationUrl.js.map +1 -0
package/dist/server/oauth/callback.d.ts +19 -0
package/dist/server/oauth/callback.d.ts.map +1 -0
package/dist/server/oauth/callback.js +173 -0
package/dist/server/oauth/callback.js.map +1 -0
package/dist/server/oauth/checks.d.ts +52 -0
package/dist/server/oauth/checks.d.ts.map +1 -0
package/dist/server/oauth/checks.js +106 -0
package/dist/server/oauth/checks.js.map +1 -0
package/dist/server/oauth/convexAuth.d.ts +12 -0
package/dist/server/oauth/convexAuth.d.ts.map +1 -0
package/dist/server/oauth/convexAuth.js +137 -0
package/dist/server/oauth/convexAuth.js.map +1 -0
package/dist/server/oauth/lib/utils/customFetch.d.ts +9 -0
package/dist/server/oauth/lib/utils/customFetch.d.ts.map +1 -0
package/dist/server/oauth/lib/utils/customFetch.js +11 -0
package/dist/server/oauth/lib/utils/customFetch.js.map +1 -0
package/dist/server/oauth/lib/utils/providers.d.ts +3 -0
package/dist/server/oauth/lib/utils/providers.d.ts.map +1 -0
package/dist/server/oauth/lib/utils/providers.js +7 -0
package/dist/server/oauth/lib/utils/providers.js.map +1 -0
package/dist/server/oauth/providers/oauth.d.ts +43 -0
package/dist/server/oauth/providers/oauth.d.ts.map +1 -0
package/dist/server/oauth/providers/oauth.js +3 -0
package/dist/server/oauth/providers/oauth.js.map +1 -0
package/dist/server/oauth/types.d.ts +24 -0
package/dist/server/oauth/types.d.ts.map +1 -0
package/dist/server/oauth/types.js +5 -0
package/dist/server/oauth/types.js.map +1 -0
package/dist/server/provider_utils.d.ts +76 -0
package/dist/server/provider_utils.d.ts.map +1 -0
package/dist/server/provider_utils.js +177 -0
package/dist/server/provider_utils.js.map +1 -0
package/dist/server/types.d.ts +412 -0
package/dist/server/types.d.ts.map +1 -0
package/dist/server/types.js +2 -0
package/dist/server/types.js.map +1 -0
package/dist/server/utils.d.ts +3 -0
package/dist/server/utils.d.ts.map +1 -0
package/dist/server/utils.js +11 -0
package/dist/server/utils.js.map +1 -0
package/package.json +126 -0
package/providers/Anonymous/package.json +6 -0
package/providers/ConvexCredentials/package.json +6 -0
package/providers/Email/package.json +6 -0
package/providers/Password/package.json +6 -0
package/providers/Phone/package.json +6 -0
package/server/package.json +6 -0
package/src/cli/command.ts +69 -0
package/src/cli/generateKeys.ts +20 -0
package/src/cli/index.ts +840 -0
package/src/client/index.ts +415 -0
package/src/component/_generated/api.ts +52 -0
package/src/component/_generated/component.ts +586 -0
package/src/component/_generated/dataModel.ts +60 -0
package/src/component/_generated/server.ts +156 -0
package/src/component/convex.config.ts +5 -0
package/src/component/index.ts +40 -0
package/src/component/public.ts +607 -0
package/src/component/schema.ts +35 -0
package/src/providers/Anonymous.ts +79 -0
package/src/providers/ConvexCredentials.ts +108 -0
package/src/providers/Email.ts +60 -0
package/src/providers/Password.ts +253 -0
package/src/providers/Phone.ts +46 -0
package/src/server/convex_types.ts +55 -0
package/src/server/cookies.ts +42 -0
package/src/server/implementation/db.ts +125 -0
package/src/server/implementation/index.ts +815 -0
package/src/server/implementation/mutations/createAccountFromCredentials.ts +113 -0
package/src/server/implementation/mutations/createVerificationCode.ts +139 -0
package/src/server/implementation/mutations/index.ts +157 -0
package/src/server/implementation/mutations/invalidateSessions.ts +47 -0
package/src/server/implementation/mutations/modifyAccount.ts +65 -0
package/src/server/implementation/mutations/refreshSession.ts +188 -0
package/src/server/implementation/mutations/retrieveAccountWithCredentials.ts +87 -0
package/src/server/implementation/mutations/signIn.ts +51 -0
package/src/server/implementation/mutations/signOut.ts +38 -0
package/src/server/implementation/mutations/userOAuth.ts +112 -0
package/src/server/implementation/mutations/verifier.ts +29 -0
package/src/server/implementation/mutations/verifierSignature.ts +44 -0
package/src/server/implementation/mutations/verifyCodeAndSignIn.ts +205 -0
package/src/server/implementation/provider.ts +38 -0
package/src/server/implementation/rateLimit.ts +105 -0
package/src/server/implementation/redirects.ts +58 -0
package/src/server/implementation/refreshTokens.ts +221 -0
package/src/server/implementation/sessions.ts +155 -0
package/src/server/implementation/signIn.ts +253 -0
package/src/server/implementation/tokens.ts +29 -0
package/src/server/implementation/types.ts +220 -0
package/src/server/implementation/users.ts +286 -0
package/src/server/implementation/utils.ts +91 -0
package/src/server/index.ts +74 -0
package/src/server/oauth/NOTICE.txt +21 -0
package/src/server/oauth/README.md +7 -0
package/src/server/oauth/authorizationUrl.ts +113 -0
package/src/server/oauth/callback.ts +243 -0
package/src/server/oauth/checks.ts +136 -0
package/src/server/oauth/convexAuth.ts +168 -0
package/src/server/oauth/lib/utils/customFetch.ts +18 -0
package/src/server/oauth/lib/utils/providers.ts +12 -0
package/src/server/oauth/providers/oauth.ts +56 -0
package/src/server/oauth/types.ts +60 -0
package/src/server/provider_utils.ts +222 -0
package/src/server/types.ts +470 -0
package/src/server/utils.ts +12 -0
package/src/test.ts +24 -0

package/src/server/implementation/mutations/createAccountFromCredentials.ts ADDED Viewed

@@ -0,0 +1,113 @@
+import { Infer, v } from "convex/values";
+import { ActionCtx, Doc, MutationCtx } from "../types.js";
+import * as Provider from "../provider.js";
+import { ConvexCredentialsConfig } from "../../types.js";
+import { upsertUserAndAccount } from "../users.js";
+import { getAuthSessionId } from "../sessions.js";
+import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
+import { createAuthDb } from "../db.js";
+export const createAccountFromCredentialsArgs = v.object({
+  provider: v.string(),
+  account: v.object({ id: v.string(), secret: v.optional(v.string()) }),
+  profile: v.any(),
+  shouldLinkViaEmail: v.optional(v.boolean()),
+  shouldLinkViaPhone: v.optional(v.boolean()),
+});
+type ReturnType = { account: Doc<"account">; user: Doc<"user"> };
+export async function createAccountFromCredentialsImpl(
+  ctx: MutationCtx,
+  args: Infer<typeof createAccountFromCredentialsArgs>,
+  getProviderOrThrow: Provider.GetProviderOrThrowFunc,
+  config: Provider.Config,
+): Promise<ReturnType> {
+  logWithLevel(LOG_LEVELS.DEBUG, "createAccountFromCredentialsImpl args:", {
+    provider: args.provider,
+    account: {
+      id: args.account.id,
+      secret: maybeRedact(args.account.secret ?? ""),
+    },
+  });
+  const {
+    provider: providerId,
+    account,
+    profile,
+    shouldLinkViaEmail,
+    shouldLinkViaPhone,
+  } = args;
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const provider = getProviderOrThrow(providerId) as ConvexCredentialsConfig;
+  const existingAccount =
+    authDb !== null
+      ? ((await authDb.accounts.get(provider.id, account.id)) as Doc<"account"> | null)
+      : await ctx.db
+          .query("account")
+          .withIndex("providerAndAccountId", (q) =>
+            q.eq("provider", provider.id).eq("providerAccountId", account.id),
+          )
+          .unique();
+  if (existingAccount !== null) {
+    if (
+      account.secret !== undefined &&
+      !(await Provider.verify(
+        provider,
+        account.secret,
+        existingAccount.secret ?? "",
+      ))
+    ) {
+      throw new Error(`Account ${account.id} already exists`);
+    }
+    return {
+      account: existingAccount,
+      // TODO: Ian removed this,
+      user:
+        authDb !== null
+          ? ((await authDb.users.getById(existingAccount.userId)) as unknown as Doc<"user">)
+          : (await ctx.db.get(existingAccount.userId))!,
+    };
+  }
+  const secret =
+    account.secret !== undefined
+      ? await Provider.hash(provider, account.secret)
+      : undefined;
+  const { userId, accountId } = await upsertUserAndAccount(
+    ctx,
+    await getAuthSessionId(ctx),
+    { providerAccountId: account.id, secret },
+    {
+      type: "credentials",
+      provider,
+      profile,
+      shouldLinkViaEmail,
+      shouldLinkViaPhone,
+    },
+    config,
+  );
+  return {
+    account:
+      authDb !== null
+        ? ((await authDb.accounts.getById(accountId)) as Doc<"account">)
+        : (await ctx.db.get(accountId))!,
+    user:
+      authDb !== null
+        ? ((await authDb.users.getById(userId)) as unknown as Doc<"user">)
+        : (await ctx.db.get(userId))!,
+  };
+}
+export const callCreateAccountFromCredentials = async (
+  ctx: ActionCtx,
+  args: Infer<typeof createAccountFromCredentialsArgs>,
+): Promise<ReturnType> => {
+  return ctx.runMutation("auth:store" as any, {
+    args: {
+      type: "createAccountFromCredentials",
+      ...args,
+    },
+  });
+};

package/src/server/implementation/mutations/createVerificationCode.ts ADDED Viewed

@@ -0,0 +1,139 @@
+import { GenericId, Infer, v } from "convex/values";
+import { ActionCtx, MutationCtx } from "../types.js";
+import * as Provider from "../provider.js";
+import { EmailConfig, PhoneConfig } from "../../types.js";
+import { getAccountOrThrow, upsertUserAndAccount } from "../users.js";
+import { getAuthSessionId } from "../sessions.js";
+import { LOG_LEVELS, logWithLevel, sha256 } from "../utils.js";
+import { createAuthDb } from "../db.js";
+export const createVerificationCodeArgs = v.object({
+  accountId: v.optional(v.string()),
+  provider: v.string(),
+  email: v.optional(v.string()),
+  phone: v.optional(v.string()),
+  code: v.string(),
+  expirationTime: v.number(),
+  allowExtraProviders: v.boolean(),
+});
+type ReturnType = string;
+export async function createVerificationCodeImpl(
+  ctx: MutationCtx,
+  args: Infer<typeof createVerificationCodeArgs>,
+  getProviderOrThrow: Provider.GetProviderOrThrowFunc,
+  config: Provider.Config,
+): Promise<ReturnType> {
+  logWithLevel(LOG_LEVELS.DEBUG, "createVerificationCodeImpl args:", args);
+  const {
+    email,
+    phone,
+    code,
+    expirationTime,
+    provider: providerId,
+    accountId: existingAccountId,
+    allowExtraProviders,
+  } = args;
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const typedExistingAccountId = existingAccountId as
+    | GenericId<"account">
+    | undefined;
+  const existingAccount =
+    typedExistingAccountId !== undefined
+      ? await getAccountOrThrow(ctx, typedExistingAccountId, config)
+      : authDb !== null
+        ? await authDb.accounts.get(providerId, email ?? phone!)
+        : await ctx.db
+            .query("account")
+            .withIndex("providerAndAccountId", (q) =>
+              q
+                .eq("provider", providerId)
+                .eq("providerAccountId", email ?? phone!),
+            )
+            .unique();
+  const provider = getProviderOrThrow(providerId, allowExtraProviders) as
+    | EmailConfig
+    | PhoneConfig;
+  const { accountId } = await upsertUserAndAccount(
+    ctx,
+    await getAuthSessionId(ctx),
+    existingAccount !== null
+      ? { existingAccount }
+      : { providerAccountId: email ?? phone! },
+    provider.type === "email"
+      ? { type: "email", provider, profile: { email: email! } }
+      : { type: "phone", provider, profile: { phone: phone! } },
+    config,
+  );
+  await generateUniqueVerificationCode(
+    ctx,
+    accountId,
+    providerId,
+    code,
+    expirationTime,
+    { email, phone },
+    config,
+  );
+  return email ?? phone!;
+}
+export const callCreateVerificationCode = async (
+  ctx: ActionCtx,
+  args: Infer<typeof createVerificationCodeArgs>,
+): Promise<ReturnType> => {
+  return ctx.runMutation("auth:store" as any, {
+    args: {
+      type: "createVerificationCode",
+      ...args,
+    },
+  });
+};
+async function generateUniqueVerificationCode(
+  ctx: MutationCtx,
+  accountId: GenericId<"account">,
+  provider: string,
+  code: string,
+  expirationTime: number,
+  { email, phone }: { email?: string; phone?: string },
+  config: Provider.Config,
+) {
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const existingCode =
+    authDb !== null
+      ? await authDb.verificationCodes.getByAccountId(accountId)
+      : await ctx.db
+          .query("verification")
+          .withIndex("accountId", (q) => q.eq("accountId", accountId))
+          .unique();
+  if (existingCode !== null) {
+    if (authDb !== null) {
+      await authDb.verificationCodes.delete(existingCode._id);
+    } else {
+      await ctx.db.delete(existingCode._id);
+    }
+  }
+  if (authDb !== null) {
+    await authDb.verificationCodes.create({
+      accountId,
+      provider,
+      code: await sha256(code),
+      expirationTime,
+      emailVerified: email,
+      phoneVerified: phone,
+    });
+  } else {
+    await ctx.db.insert("verification", {
+      accountId,
+      provider,
+      code: await sha256(code),
+      expirationTime,
+      emailVerified: email,
+      phoneVerified: phone,
+    });
+  }
+}

package/src/server/implementation/mutations/index.ts ADDED Viewed

@@ -0,0 +1,157 @@
+import { Infer, v } from "convex/values";
+import { MutationCtx } from "../types.js";
+import { signInArgs, signInImpl } from "./signIn.js";
+import { signOutImpl } from "./signOut.js";
+import { refreshSessionArgs, refreshSessionImpl } from "./refreshSession.js";
+import {
+  verifyCodeAndSignInArgs,
+  verifyCodeAndSignInImpl,
+} from "./verifyCodeAndSignIn.js";
+import {
+  verifierSignatureArgs,
+  verifierSignatureImpl,
+} from "./verifierSignature.js";
+import { userOAuthArgs, userOAuthImpl } from "./userOAuth.js";
+import {
+  createVerificationCodeArgs,
+  createVerificationCodeImpl,
+} from "./createVerificationCode.js";
+import {
+  createAccountFromCredentialsArgs,
+  createAccountFromCredentialsImpl,
+} from "./createAccountFromCredentials.js";
+import {
+  retrieveAccountWithCredentialsArgs,
+  retrieveAccountWithCredentialsImpl,
+} from "./retrieveAccountWithCredentials.js";
+import { modifyAccountArgs, modifyAccountImpl } from "./modifyAccount.js";
+import {
+  invalidateSessionsArgs,
+  invalidateSessionsImpl,
+} from "./invalidateSessions.js";
+import * as Provider from "../provider.js";
+import { verifierImpl } from "./verifier.js";
+import { LOG_LEVELS, logWithLevel } from "../utils.js";
+export { callInvalidateSessions } from "./invalidateSessions.js";
+export { callModifyAccount } from "./modifyAccount.js";
+export { callRetreiveAccountWithCredentials } from "./retrieveAccountWithCredentials.js";
+export { callCreateAccountFromCredentials } from "./createAccountFromCredentials.js";
+export { callCreateVerificationCode } from "./createVerificationCode.js";
+export { callUserOAuth } from "./userOAuth.js";
+export { callVerifierSignature } from "./verifierSignature.js";
+export { callVerifyCodeAndSignIn } from "./verifyCodeAndSignIn.js";
+export { callVerifier } from "./verifier.js";
+export { callRefreshSession } from "./refreshSession.js";
+export { callSignOut } from "./signOut.js";
+export { callSignIn } from "./signIn.js";
+export const storeArgs = v.object({
+  args: v.union(
+    v.object({
+      type: v.literal("signIn"),
+      ...signInArgs.fields,
+    }),
+    v.object({
+      type: v.literal("signOut"),
+    }),
+    v.object({
+      type: v.literal("refreshSession"),
+      ...refreshSessionArgs.fields,
+    }),
+    v.object({
+      type: v.literal("verifyCodeAndSignIn"),
+      ...verifyCodeAndSignInArgs.fields,
+    }),
+    v.object({
+      type: v.literal("verifier"),
+    }),
+    v.object({
+      type: v.literal("verifierSignature"),
+      ...verifierSignatureArgs.fields,
+    }),
+    v.object({
+      type: v.literal("userOAuth"),
+      ...userOAuthArgs.fields,
+    }),
+    v.object({
+      type: v.literal("createVerificationCode"),
+      ...createVerificationCodeArgs.fields,
+    }),
+    v.object({
+      type: v.literal("createAccountFromCredentials"),
+      ...createAccountFromCredentialsArgs.fields,
+    }),
+    v.object({
+      type: v.literal("retrieveAccountWithCredentials"),
+      ...retrieveAccountWithCredentialsArgs.fields,
+    }),
+    v.object({
+      type: v.literal("modifyAccount"),
+      ...modifyAccountArgs.fields,
+    }),
+    v.object({
+      type: v.literal("invalidateSessions"),
+      ...invalidateSessionsArgs.fields,
+    }),
+  ),
+});
+export const storeImpl = async (
+  ctx: MutationCtx,
+  fnArgs: Infer<typeof storeArgs>,
+  getProviderOrThrow: Provider.GetProviderOrThrowFunc,
+  config: Provider.Config,
+) => {
+  const args = fnArgs.args;
+  logWithLevel(LOG_LEVELS.INFO, `\`auth:store\` type: ${args.type}`);
+  switch (args.type) {
+    case "signIn": {
+      return signInImpl(ctx, args, config);
+    }
+    case "signOut": {
+      return signOutImpl(ctx, config);
+    }
+    case "refreshSession": {
+      return refreshSessionImpl(ctx, args, getProviderOrThrow, config);
+    }
+    case "verifyCodeAndSignIn": {
+      return verifyCodeAndSignInImpl(ctx, args, getProviderOrThrow, config);
+    }
+    case "verifier": {
+      return verifierImpl(ctx, config);
+    }
+    case "verifierSignature": {
+      return verifierSignatureImpl(ctx, args, config);
+    }
+    case "userOAuth": {
+      return userOAuthImpl(ctx, args, getProviderOrThrow, config);
+    }
+    case "createVerificationCode": {
+      return createVerificationCodeImpl(ctx, args, getProviderOrThrow, config);
+    }
+    case "createAccountFromCredentials": {
+      return createAccountFromCredentialsImpl(
+        ctx,
+        args,
+        getProviderOrThrow,
+        config,
+      );
+    }
+    case "retrieveAccountWithCredentials": {
+      return retrieveAccountWithCredentialsImpl(
+        ctx,
+        args,
+        getProviderOrThrow,
+        config,
+      );
+    }
+    case "modifyAccount": {
+      return modifyAccountImpl(ctx, args, getProviderOrThrow, config);
+    }
+    case "invalidateSessions": {
+      return invalidateSessionsImpl(ctx, args, config);
+    }
+    default:
+      args satisfies never;
+  }
+};

package/src/server/implementation/mutations/invalidateSessions.ts ADDED Viewed

@@ -0,0 +1,47 @@
+import { GenericId, Infer, v } from "convex/values";
+import { deleteSession } from "../sessions.js";
+import { ActionCtx, MutationCtx } from "../types.js";
+import { LOG_LEVELS, logWithLevel } from "../utils.js";
+import * as Provider from "../provider.js";
+import { createAuthDb } from "../db.js";
+export const invalidateSessionsArgs = v.object({
+  userId: v.string(),
+  except: v.optional(v.array(v.string())),
+});
+export const callInvalidateSessions = async (
+  ctx: ActionCtx,
+  args: Infer<typeof invalidateSessionsArgs>,
+): Promise<void> => {
+  return ctx.runMutation("auth:store" as any, {
+    args: {
+      type: "invalidateSessions",
+      ...args,
+    },
+  });
+};
+export const invalidateSessionsImpl = async (
+  ctx: MutationCtx,
+  args: Infer<typeof invalidateSessionsArgs>,
+  config: Provider.Config,
+): Promise<void> => {
+  logWithLevel(LOG_LEVELS.DEBUG, "invalidateSessionsImpl args:", args);
+  const { userId, except } = args;
+  const exceptSet = new Set(except ?? []);
+  const typedUserId = userId as GenericId<"user">;
+  const sessions =
+    config.component !== undefined
+      ? await createAuthDb(ctx, config.component).sessions.listByUser(typedUserId)
+      : await ctx.db
+          .query("session")
+          .withIndex("userId", (q) => q.eq("userId", typedUserId))
+          .collect();
+  for (const session of sessions) {
+    if (!exceptSet.has(session._id)) {
+      await deleteSession(ctx, session, config);
+    }
+  }
+  return;
+};

package/src/server/implementation/mutations/modifyAccount.ts ADDED Viewed

@@ -0,0 +1,65 @@
+import { Infer, v } from "convex/values";
+import { ActionCtx, MutationCtx } from "../types.js";
+import { GetProviderOrThrowFunc, hash } from "../provider.js";
+import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
+import * as Provider from "../provider.js";
+import { createAuthDb } from "../db.js";
+export const modifyAccountArgs = v.object({
+  provider: v.string(),
+  account: v.object({ id: v.string(), secret: v.string() }),
+});
+export async function modifyAccountImpl(
+  ctx: MutationCtx,
+  args: Infer<typeof modifyAccountArgs>,
+  getProviderOrThrow: GetProviderOrThrowFunc,
+  config: Provider.Config,
+): Promise<void> {
+  const { provider, account } = args;
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  logWithLevel(LOG_LEVELS.DEBUG, "retrieveAccountWithCredentialsImpl args:", {
+    provider: provider,
+    account: {
+      id: account.id,
+      secret: maybeRedact(account.secret ?? ""),
+    },
+  });
+  const existingAccount =
+    authDb !== null
+      ? await authDb.accounts.get(provider, account.id)
+      : await ctx.db
+          .query("account")
+          .withIndex("providerAndAccountId", (q) =>
+            q.eq("provider", provider).eq("providerAccountId", account.id),
+          )
+          .unique();
+  if (existingAccount === null) {
+    throw new Error(
+      `Cannot modify account with ID ${account.id} because it does not exist`,
+    );
+  }
+  if (authDb !== null) {
+    await authDb.accounts.patch(existingAccount._id, {
+      secret: await hash(getProviderOrThrow(provider), account.secret),
+    });
+  } else {
+    await ctx.db.patch(existingAccount._id, {
+      secret: await hash(getProviderOrThrow(provider), account.secret),
+    });
+  }
+  return;
+}
+export const callModifyAccount = async (
+  ctx: ActionCtx,
+  args: Infer<typeof modifyAccountArgs>,
+): Promise<void> => {
+  return ctx.runMutation("auth:store" as any, {
+    args: {
+      type: "modifyAccount",
+      ...args,
+    },
+  });
+};

package/src/server/implementation/mutations/refreshSession.ts ADDED Viewed

@@ -0,0 +1,188 @@
+import { Infer, v } from "convex/values";
+import { ActionCtx, MutationCtx } from "../types.js";
+import * as Provider from "../provider.js";
+import { logWithLevel, maybeRedact } from "../utils.js";
+import {
+  deleteAllRefreshTokens,
+  invalidateRefreshTokensInSubtree,
+  loadActiveRefreshToken,
+  parseRefreshToken,
+  REFRESH_TOKEN_REUSE_WINDOW_MS,
+  refreshTokenIfValid,
+} from "../refreshTokens.js";
+import { generateTokensForSession } from "../sessions.js";
+import { createAuthDb } from "../db.js";
+export const refreshSessionArgs = v.object({
+  refreshToken: v.string(),
+});
+type ReturnType = null | {
+  token: string;
+  refreshToken: string;
+};
+export async function refreshSessionImpl(
+  ctx: MutationCtx,
+  args: Infer<typeof refreshSessionArgs>,
+  getProviderOrThrow: Provider.GetProviderOrThrowFunc,
+  config: Provider.Config,
+): Promise<ReturnType> {
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const { refreshToken } = args;
+  const { refreshTokenId, sessionId: tokenSessionId } =
+    parseRefreshToken(refreshToken);
+  logWithLevel(
+    "DEBUG",
+    `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(
+      tokenSessionId,
+    )}`,
+  );
+  const validationResult = await refreshTokenIfValid(
+    ctx,
+    refreshTokenId,
+    tokenSessionId,
+    config,
+  );
+  if (validationResult === null) {
+    // Replicating `deleteSession` but ensuring that we delete both the session
+    // and the refresh token, even if one of them is missing.
+    let session = null;
+    try {
+      session =
+        authDb !== null
+          ? await authDb.sessions.getById(tokenSessionId)
+          : await ctx.db.get(tokenSessionId);
+    } catch {
+      logWithLevel("DEBUG", "Skipping invalid session id during refresh cleanup");
+    }
+    if (session !== null) {
+      if (authDb !== null) {
+        await authDb.sessions.delete(session._id);
+      } else {
+        await ctx.db.delete(session._id);
+      }
+    }
+    try {
+      await deleteAllRefreshTokens(ctx, tokenSessionId, config);
+    } catch {
+      logWithLevel(
+        "DEBUG",
+        "Skipping invalid token session id during refresh token cleanup",
+      );
+    }
+    return null;
+  }
+  const { session } = validationResult;
+  const sessionId = session._id;
+  const userId = session.userId;
+  const tokenFirstUsed = validationResult.refreshTokenDoc.firstUsedTime;
+  // First use -- mark as used and generate new refresh token
+  if (tokenFirstUsed === undefined) {
+    if (authDb !== null) {
+      await authDb.refreshTokens.patch(refreshTokenId, {
+        firstUsedTime: Date.now(),
+      });
+    } else {
+      await ctx.db.patch(refreshTokenId, {
+        firstUsedTime: Date.now(),
+      });
+    }
+    const result = await generateTokensForSession(ctx, config, {
+      userId,
+      sessionId,
+      issuedRefreshTokenId: null,
+      parentRefreshTokenId: refreshTokenId,
+    });
+    const { refreshTokenId: newRefreshTokenId } = parseRefreshToken(
+      result.refreshToken,
+    );
+    logWithLevel(
+      "DEBUG",
+      `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (first use) for new refresh token ${maybeRedact(newRefreshTokenId)}`,
+    );
+    return result;
+  }
+  // Token has been used before
+  // Check if parent of active refresh token
+  const activeRefreshToken = await loadActiveRefreshToken(
+    ctx,
+    tokenSessionId,
+    config,
+  );
+  logWithLevel(
+    "DEBUG",
+    `Active refresh token: ${maybeRedact(activeRefreshToken?._id ?? "(none)")}, parent ${maybeRedact(activeRefreshToken?.parentRefreshTokenId ?? "(none)")}`,
+  );
+  if (
+    activeRefreshToken !== null &&
+    activeRefreshToken.parentRefreshTokenId === refreshTokenId
+  ) {
+    logWithLevel(
+      "DEBUG",
+      `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} is parent of active refresh token ${maybeRedact(activeRefreshToken._id)}, so returning that token`,
+    );
+    const result = await generateTokensForSession(ctx, config, {
+      userId,
+      sessionId,
+      issuedRefreshTokenId: activeRefreshToken._id,
+      parentRefreshTokenId: refreshTokenId,
+    });
+    return result;
+  }
+  // Check if within reuse window
+  if (tokenFirstUsed + REFRESH_TOKEN_REUSE_WINDOW_MS > Date.now()) {
+    const result = await generateTokensForSession(ctx, config, {
+      userId,
+      sessionId,
+      issuedRefreshTokenId: null,
+      parentRefreshTokenId: refreshTokenId,
+    });
+    const { refreshTokenId: newRefreshTokenId } = parseRefreshToken(
+      result.refreshToken,
+    );
+    logWithLevel(
+      "DEBUG",
+      `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (reuse) for new refresh token ${maybeRedact(newRefreshTokenId)}`,
+    );
+    return result;
+  } else {
+    // Outside of reuse window -- invalidate all refresh tokens in subtree
+    logWithLevel("ERROR", "Refresh token used outside of reuse window");
+    logWithLevel(
+      "DEBUG",
+      `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} being used outside of reuse window, so invalidating all refresh tokens in subtree`,
+    );
+    const tokensToInvalidate = await invalidateRefreshTokensInSubtree(
+      ctx,
+      validationResult.refreshTokenDoc,
+      config,
+    );
+    logWithLevel(
+      "DEBUG",
+      `Invalidated ${tokensToInvalidate.length} refresh tokens in subtree: ${tokensToInvalidate
+        .map((token) => maybeRedact(token._id))
+        .join(", ")}`,
+    );
+    return null;
+  }
+}
+export const callRefreshSession = async (
+  ctx: ActionCtx,
+  args: Infer<typeof refreshSessionArgs>,
+): Promise<ReturnType> => {
+  return ctx.runMutation("auth:store" as any, {
+    args: {
+      type: "refreshSession",
+      ...args,
+    },
+  });
+};