npm - @robelest/convex-auth - Versions diffs - 0.0.1 - Mend

@robelest/convex-auth 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (280) hide show

package/README.md +6 -0
package/dist/bin.cjs +27733 -0
package/dist/client/index.d.ts +49 -0
package/dist/client/index.d.ts.map +1 -0
package/dist/client/index.js +283 -0
package/dist/client/index.js.map +1 -0
package/dist/component/_generated/api.d.ts +36 -0
package/dist/component/_generated/api.d.ts.map +1 -0
package/dist/component/_generated/api.js +31 -0
package/dist/component/_generated/api.js.map +1 -0
package/dist/component/_generated/component.d.ts +295 -0
package/dist/component/_generated/component.d.ts.map +1 -0
package/dist/component/_generated/component.js +11 -0
package/dist/component/_generated/component.js.map +1 -0
package/dist/component/_generated/dataModel.d.ts +46 -0
package/dist/component/_generated/dataModel.d.ts.map +1 -0
package/dist/component/_generated/dataModel.js +11 -0
package/dist/component/_generated/dataModel.js.map +1 -0
package/dist/component/_generated/server.d.ts +121 -0
package/dist/component/_generated/server.d.ts.map +1 -0
package/dist/component/_generated/server.js +78 -0
package/dist/component/_generated/server.js.map +1 -0
package/dist/component/convex.config.d.ts +3 -0
package/dist/component/convex.config.d.ts.map +1 -0
package/dist/component/convex.config.js +4 -0
package/dist/component/convex.config.js.map +1 -0
package/dist/component/index.d.ts +15 -0
package/dist/component/index.d.ts.map +1 -0
package/dist/component/index.js +13 -0
package/dist/component/index.js.map +1 -0
package/dist/component/public.d.ts +450 -0
package/dist/component/public.d.ts.map +1 -0
package/dist/component/public.js +528 -0
package/dist/component/public.js.map +1 -0
package/dist/component/schema.d.ts +107 -0
package/dist/component/schema.d.ts.map +1 -0
package/dist/component/schema.js +26 -0
package/dist/component/schema.js.map +1 -0
package/dist/providers/Anonymous.d.ts +50 -0
package/dist/providers/Anonymous.d.ts.map +1 -0
package/dist/providers/Anonymous.js +39 -0
package/dist/providers/Anonymous.js.map +1 -0
package/dist/providers/ConvexCredentials.d.ts +88 -0
package/dist/providers/ConvexCredentials.d.ts.map +1 -0
package/dist/providers/ConvexCredentials.js +37 -0
package/dist/providers/ConvexCredentials.js.map +1 -0
package/dist/providers/Email.d.ts +33 -0
package/dist/providers/Email.d.ts.map +1 -0
package/dist/providers/Email.js +50 -0
package/dist/providers/Email.js.map +1 -0
package/dist/providers/Password.d.ts +95 -0
package/dist/providers/Password.d.ts.map +1 -0
package/dist/providers/Password.js +174 -0
package/dist/providers/Password.js.map +1 -0
package/dist/providers/Phone.d.ts +22 -0
package/dist/providers/Phone.d.ts.map +1 -0
package/dist/providers/Phone.js +37 -0
package/dist/providers/Phone.js.map +1 -0
package/dist/server/convex_types.d.ts +17 -0
package/dist/server/convex_types.d.ts.map +1 -0
package/dist/server/convex_types.js +2 -0
package/dist/server/convex_types.js.map +1 -0
package/dist/server/cookies.d.ts +35 -0
package/dist/server/cookies.d.ts.map +1 -0
package/dist/server/cookies.js +34 -0
package/dist/server/cookies.js.map +1 -0
package/dist/server/implementation/db.d.ts +80 -0
package/dist/server/implementation/db.d.ts.map +1 -0
package/dist/server/implementation/db.js +59 -0
package/dist/server/implementation/db.js.map +1 -0
package/dist/server/implementation/index.d.ts +370 -0
package/dist/server/implementation/index.d.ts.map +1 -0
package/dist/server/implementation/index.js +521 -0
package/dist/server/implementation/index.js.map +1 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.d.ts +33 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.d.ts.map +1 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.js +71 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.js.map +1 -0
package/dist/server/implementation/mutations/createVerificationCode.d.ts +25 -0
package/dist/server/implementation/mutations/createVerificationCode.d.ts.map +1 -0
package/dist/server/implementation/mutations/createVerificationCode.js +84 -0
package/dist/server/implementation/mutations/createVerificationCode.js.map +1 -0
package/dist/server/implementation/mutations/index.d.ts +304 -0
package/dist/server/implementation/mutations/index.d.ts.map +1 -0
package/dist/server/implementation/mutations/index.js +108 -0
package/dist/server/implementation/mutations/index.js.map +1 -0
package/dist/server/implementation/mutations/invalidateSessions.d.ts +13 -0
package/dist/server/implementation/mutations/invalidateSessions.d.ts.map +1 -0
package/dist/server/implementation/mutations/invalidateSessions.js +35 -0
package/dist/server/implementation/mutations/invalidateSessions.js.map +1 -0
package/dist/server/implementation/mutations/modifyAccount.d.ts +23 -0
package/dist/server/implementation/mutations/modifyAccount.d.ts.map +1 -0
package/dist/server/implementation/mutations/modifyAccount.js +48 -0
package/dist/server/implementation/mutations/modifyAccount.js.map +1 -0
package/dist/server/implementation/mutations/refreshSession.d.ts +16 -0
package/dist/server/implementation/mutations/refreshSession.d.ts.map +1 -0
package/dist/server/implementation/mutations/refreshSession.js +116 -0
package/dist/server/implementation/mutations/refreshSession.js.map +1 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.d.ts +27 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.d.ts.map +1 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.js +55 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.js.map +1 -0
package/dist/server/implementation/mutations/signIn.d.ts +17 -0
package/dist/server/implementation/mutations/signIn.d.ts.map +1 -0
package/dist/server/implementation/mutations/signIn.js +26 -0
package/dist/server/implementation/mutations/signIn.js.map +1 -0
package/dist/server/implementation/mutations/signOut.d.ts +11 -0
package/dist/server/implementation/mutations/signOut.d.ts.map +1 -0
package/dist/server/implementation/mutations/signOut.js +24 -0
package/dist/server/implementation/mutations/signOut.js.map +1 -0
package/dist/server/implementation/mutations/userOAuth.d.ts +19 -0
package/dist/server/implementation/mutations/userOAuth.d.ts.map +1 -0
package/dist/server/implementation/mutations/userOAuth.js +84 -0
package/dist/server/implementation/mutations/userOAuth.js.map +1 -0
package/dist/server/implementation/mutations/verifier.d.ts +8 -0
package/dist/server/implementation/mutations/verifier.d.ts.map +1 -0
package/dist/server/implementation/mutations/verifier.js +19 -0
package/dist/server/implementation/mutations/verifier.js.map +1 -0
package/dist/server/implementation/mutations/verifierSignature.d.ts +15 -0
package/dist/server/implementation/mutations/verifierSignature.d.ts.map +1 -0
package/dist/server/implementation/mutations/verifierSignature.js +29 -0
package/dist/server/implementation/mutations/verifierSignature.js.map +1 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.d.ts +21 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.d.ts.map +1 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.js +127 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.js.map +1 -0
package/dist/server/implementation/provider.d.ts +6 -0
package/dist/server/implementation/provider.d.ts.map +1 -0
package/dist/server/implementation/provider.js +21 -0
package/dist/server/implementation/provider.js.map +1 -0
package/dist/server/implementation/rateLimit.d.ts +6 -0
package/dist/server/implementation/rateLimit.d.ts.map +1 -0
package/dist/server/implementation/rateLimit.js +76 -0
package/dist/server/implementation/rateLimit.js.map +1 -0
package/dist/server/implementation/redirects.d.ts +6 -0
package/dist/server/implementation/redirects.d.ts.map +1 -0
package/dist/server/implementation/redirects.js +40 -0
package/dist/server/implementation/redirects.js.map +1 -0
package/dist/server/implementation/refreshTokens.d.ts +40 -0
package/dist/server/implementation/refreshTokens.d.ts.map +1 -0
package/dist/server/implementation/refreshTokens.js +160 -0
package/dist/server/implementation/refreshTokens.js.map +1 -0
package/dist/server/implementation/sessions.d.ts +43 -0
package/dist/server/implementation/sessions.d.ts.map +1 -0
package/dist/server/implementation/sessions.js +94 -0
package/dist/server/implementation/sessions.js.map +1 -0
package/dist/server/implementation/signIn.d.ts +31 -0
package/dist/server/implementation/signIn.d.ts.map +1 -0
package/dist/server/implementation/signIn.js +148 -0
package/dist/server/implementation/signIn.js.map +1 -0
package/dist/server/implementation/tokens.d.ts +7 -0
package/dist/server/implementation/tokens.d.ts.map +1 -0
package/dist/server/implementation/tokens.js +18 -0
package/dist/server/implementation/tokens.js.map +1 -0
package/dist/server/implementation/types.d.ts +288 -0
package/dist/server/implementation/types.d.ts.map +1 -0
package/dist/server/implementation/types.js +182 -0
package/dist/server/implementation/types.js.map +1 -0
package/dist/server/implementation/users.d.ts +27 -0
package/dist/server/implementation/users.d.ts.map +1 -0
package/dist/server/implementation/users.js +181 -0
package/dist/server/implementation/users.js.map +1 -0
package/dist/server/implementation/utils.d.ts +17 -0
package/dist/server/implementation/utils.d.ts.map +1 -0
package/dist/server/implementation/utils.js +72 -0
package/dist/server/implementation/utils.js.map +1 -0
package/dist/server/index.d.ts +17 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/index.js +54 -0
package/dist/server/index.js.map +1 -0
package/dist/server/oauth/authorizationUrl.d.ts +13 -0
package/dist/server/oauth/authorizationUrl.d.ts.map +1 -0
package/dist/server/oauth/authorizationUrl.js +91 -0
package/dist/server/oauth/authorizationUrl.js.map +1 -0
package/dist/server/oauth/callback.d.ts +19 -0
package/dist/server/oauth/callback.d.ts.map +1 -0
package/dist/server/oauth/callback.js +173 -0
package/dist/server/oauth/callback.js.map +1 -0
package/dist/server/oauth/checks.d.ts +52 -0
package/dist/server/oauth/checks.d.ts.map +1 -0
package/dist/server/oauth/checks.js +106 -0
package/dist/server/oauth/checks.js.map +1 -0
package/dist/server/oauth/convexAuth.d.ts +12 -0
package/dist/server/oauth/convexAuth.d.ts.map +1 -0
package/dist/server/oauth/convexAuth.js +137 -0
package/dist/server/oauth/convexAuth.js.map +1 -0
package/dist/server/oauth/lib/utils/customFetch.d.ts +9 -0
package/dist/server/oauth/lib/utils/customFetch.d.ts.map +1 -0
package/dist/server/oauth/lib/utils/customFetch.js +11 -0
package/dist/server/oauth/lib/utils/customFetch.js.map +1 -0
package/dist/server/oauth/lib/utils/providers.d.ts +3 -0
package/dist/server/oauth/lib/utils/providers.d.ts.map +1 -0
package/dist/server/oauth/lib/utils/providers.js +7 -0
package/dist/server/oauth/lib/utils/providers.js.map +1 -0
package/dist/server/oauth/providers/oauth.d.ts +43 -0
package/dist/server/oauth/providers/oauth.d.ts.map +1 -0
package/dist/server/oauth/providers/oauth.js +3 -0
package/dist/server/oauth/providers/oauth.js.map +1 -0
package/dist/server/oauth/types.d.ts +24 -0
package/dist/server/oauth/types.d.ts.map +1 -0
package/dist/server/oauth/types.js +5 -0
package/dist/server/oauth/types.js.map +1 -0
package/dist/server/provider_utils.d.ts +76 -0
package/dist/server/provider_utils.d.ts.map +1 -0
package/dist/server/provider_utils.js +177 -0
package/dist/server/provider_utils.js.map +1 -0
package/dist/server/types.d.ts +412 -0
package/dist/server/types.d.ts.map +1 -0
package/dist/server/types.js +2 -0
package/dist/server/types.js.map +1 -0
package/dist/server/utils.d.ts +3 -0
package/dist/server/utils.d.ts.map +1 -0
package/dist/server/utils.js +11 -0
package/dist/server/utils.js.map +1 -0
package/package.json +126 -0
package/providers/Anonymous/package.json +6 -0
package/providers/ConvexCredentials/package.json +6 -0
package/providers/Email/package.json +6 -0
package/providers/Password/package.json +6 -0
package/providers/Phone/package.json +6 -0
package/server/package.json +6 -0
package/src/cli/command.ts +69 -0
package/src/cli/generateKeys.ts +20 -0
package/src/cli/index.ts +840 -0
package/src/client/index.ts +415 -0
package/src/component/_generated/api.ts +52 -0
package/src/component/_generated/component.ts +586 -0
package/src/component/_generated/dataModel.ts +60 -0
package/src/component/_generated/server.ts +156 -0
package/src/component/convex.config.ts +5 -0
package/src/component/index.ts +40 -0
package/src/component/public.ts +607 -0
package/src/component/schema.ts +35 -0
package/src/providers/Anonymous.ts +79 -0
package/src/providers/ConvexCredentials.ts +108 -0
package/src/providers/Email.ts +60 -0
package/src/providers/Password.ts +253 -0
package/src/providers/Phone.ts +46 -0
package/src/server/convex_types.ts +55 -0
package/src/server/cookies.ts +42 -0
package/src/server/implementation/db.ts +125 -0
package/src/server/implementation/index.ts +815 -0
package/src/server/implementation/mutations/createAccountFromCredentials.ts +113 -0
package/src/server/implementation/mutations/createVerificationCode.ts +139 -0
package/src/server/implementation/mutations/index.ts +157 -0
package/src/server/implementation/mutations/invalidateSessions.ts +47 -0
package/src/server/implementation/mutations/modifyAccount.ts +65 -0
package/src/server/implementation/mutations/refreshSession.ts +188 -0
package/src/server/implementation/mutations/retrieveAccountWithCredentials.ts +87 -0
package/src/server/implementation/mutations/signIn.ts +51 -0
package/src/server/implementation/mutations/signOut.ts +38 -0
package/src/server/implementation/mutations/userOAuth.ts +112 -0
package/src/server/implementation/mutations/verifier.ts +29 -0
package/src/server/implementation/mutations/verifierSignature.ts +44 -0
package/src/server/implementation/mutations/verifyCodeAndSignIn.ts +205 -0
package/src/server/implementation/provider.ts +38 -0
package/src/server/implementation/rateLimit.ts +105 -0
package/src/server/implementation/redirects.ts +58 -0
package/src/server/implementation/refreshTokens.ts +221 -0
package/src/server/implementation/sessions.ts +155 -0
package/src/server/implementation/signIn.ts +253 -0
package/src/server/implementation/tokens.ts +29 -0
package/src/server/implementation/types.ts +220 -0
package/src/server/implementation/users.ts +286 -0
package/src/server/implementation/utils.ts +91 -0
package/src/server/index.ts +74 -0
package/src/server/oauth/NOTICE.txt +21 -0
package/src/server/oauth/README.md +7 -0
package/src/server/oauth/authorizationUrl.ts +113 -0
package/src/server/oauth/callback.ts +243 -0
package/src/server/oauth/checks.ts +136 -0
package/src/server/oauth/convexAuth.ts +168 -0
package/src/server/oauth/lib/utils/customFetch.ts +18 -0
package/src/server/oauth/lib/utils/providers.ts +12 -0
package/src/server/oauth/providers/oauth.ts +56 -0
package/src/server/oauth/types.ts +60 -0
package/src/server/provider_utils.ts +222 -0
package/src/server/types.ts +470 -0
package/src/server/utils.ts +12 -0
package/src/test.ts +24 -0

package/src/server/implementation/mutations/retrieveAccountWithCredentials.ts ADDED Viewed

@@ -0,0 +1,87 @@
+import { Infer, v } from "convex/values";
+import { ActionCtx, Doc, MutationCtx } from "../types.js";
+import {
+  isSignInRateLimited,
+  recordFailedSignIn,
+  resetSignInRateLimit,
+} from "../rateLimit.js";
+import * as Provider from "../provider.js";
+import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
+import { createAuthDb } from "../db.js";
+export const retrieveAccountWithCredentialsArgs = v.object({
+  provider: v.string(),
+  account: v.object({ id: v.string(), secret: v.optional(v.string()) }),
+});
+type ReturnType =
+  | "InvalidAccountId"
+  | "TooManyFailedAttempts"
+  | "InvalidSecret"
+  | { account: Doc<"account">; user: Doc<"user"> };
+export async function retrieveAccountWithCredentialsImpl(
+  ctx: MutationCtx,
+  args: Infer<typeof retrieveAccountWithCredentialsArgs>,
+  getProviderOrThrow: Provider.GetProviderOrThrowFunc,
+  config: Provider.Config,
+): Promise<ReturnType> {
+  const { provider: providerId, account } = args;
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  logWithLevel(LOG_LEVELS.DEBUG, "retrieveAccountWithCredentialsImpl args:", {
+    provider: providerId,
+    account: {
+      id: account.id,
+      secret: maybeRedact(account.secret ?? ""),
+    },
+  });
+  const existingAccount =
+    authDb !== null
+      ? ((await authDb.accounts.get(providerId, account.id)) as Doc<"account"> | null)
+      : await ctx.db
+          .query("account")
+          .withIndex("providerAndAccountId", (q) =>
+            q.eq("provider", providerId).eq("providerAccountId", account.id),
+          )
+          .unique();
+  if (existingAccount === null) {
+    return "InvalidAccountId";
+  }
+  if (account.secret !== undefined) {
+    if (await isSignInRateLimited(ctx, existingAccount._id, config)) {
+      return "TooManyFailedAttempts";
+    }
+    if (
+      !(await Provider.verify(
+        getProviderOrThrow(providerId),
+        account.secret,
+        existingAccount.secret ?? "",
+      ))
+    ) {
+      await recordFailedSignIn(ctx, existingAccount._id, config);
+      return "InvalidSecret";
+    }
+    await resetSignInRateLimit(ctx, existingAccount._id, config);
+  }
+  return {
+    account: existingAccount,
+    // TODO: Ian removed this
+    user:
+      authDb !== null
+        ? ((await authDb.users.getById(existingAccount.userId)) as unknown as Doc<"user">)
+        : (await ctx.db.get(existingAccount.userId))!,
+  };
+}
+export const callRetreiveAccountWithCredentials = async (
+  ctx: ActionCtx,
+  args: Infer<typeof retrieveAccountWithCredentialsArgs>,
+): Promise<ReturnType> => {
+  return ctx.runMutation("auth:store" as any, {
+    args: {
+      type: "retrieveAccountWithCredentials",
+      ...args,
+    },
+  });
+};

package/src/server/implementation/mutations/signIn.ts ADDED Viewed

@@ -0,0 +1,51 @@
+import { GenericId, Infer, v } from "convex/values";
+import { ActionCtx, MutationCtx, SessionInfo } from "../types.js";
+import * as Provider from "../provider.js";
+import {
+  createNewAndDeleteExistingSession,
+  maybeGenerateTokensForSession,
+} from "../sessions.js";
+import { LOG_LEVELS, logWithLevel } from "../utils.js";
+export const signInArgs = v.object({
+  userId: v.string(),
+  sessionId: v.optional(v.string()),
+  generateTokens: v.boolean(),
+});
+type ReturnType = SessionInfo;
+export async function signInImpl(
+  ctx: MutationCtx,
+  args: Infer<typeof signInArgs>,
+  config: Provider.Config,
+): Promise<ReturnType> {
+  logWithLevel(LOG_LEVELS.DEBUG, "signInImpl args:", args);
+  const { userId, sessionId: existingSessionId, generateTokens } = args;
+  const typedUserId = userId as GenericId<"user">;
+  const typedExistingSessionId = existingSessionId as
+    | GenericId<"session">
+    | undefined;
+  const sessionId =
+    typedExistingSessionId ??
+    (await createNewAndDeleteExistingSession(ctx, config, typedUserId));
+  return await maybeGenerateTokensForSession(
+    ctx,
+    config,
+    typedUserId,
+    sessionId,
+    generateTokens,
+  );
+}
+export const callSignIn = async (
+  ctx: ActionCtx,
+  args: Infer<typeof signInArgs>,
+): Promise<ReturnType> => {
+  return ctx.runMutation("auth:store" as any, {
+    args: {
+      type: "signIn",
+      ...args,
+    },
+  });
+};

package/src/server/implementation/mutations/signOut.ts ADDED Viewed

@@ -0,0 +1,38 @@
+import { GenericId } from "convex/values";
+import { ActionCtx, MutationCtx } from "../types.js";
+import { deleteSession, getAuthSessionId } from "../sessions.js";
+import * as Provider from "../provider.js";
+import { createAuthDb } from "../db.js";
+type ReturnType = {
+  userId: GenericId<"user">;
+  sessionId: GenericId<"session">;
+} | null;
+export async function signOutImpl(
+  ctx: MutationCtx,
+  config: Provider.Config,
+): Promise<ReturnType> {
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const sessionId = await getAuthSessionId(ctx);
+  if (sessionId !== null) {
+    const session =
+      authDb !== null
+        ? await authDb.sessions.getById(sessionId)
+        : await ctx.db.get(sessionId);
+    if (session !== null) {
+      await deleteSession(ctx, session, config);
+      return { userId: session.userId, sessionId: session._id };
+    }
+  }
+  return null;
+}
+export const callSignOut = async (ctx: ActionCtx): Promise<void> => {
+  return ctx.runMutation("auth:store" as any, {
+    args: {
+      type: "signOut",
+    },
+  });
+};

package/src/server/implementation/mutations/userOAuth.ts ADDED Viewed

@@ -0,0 +1,112 @@
+import { Infer, v } from "convex/values";
+import { ActionCtx, MutationCtx } from "../types.js";
+import * as Provider from "../provider.js";
+import { OAuthConfig } from "@auth/core/providers/oauth.js";
+import { upsertUserAndAccount } from "../users.js";
+import { generateRandomString, logWithLevel, sha256 } from "../utils.js";
+import { createAuthDb } from "../db.js";
+const OAUTH_SIGN_IN_EXPIRATION_MS = 1000 * 60 * 2; // 2 minutes
+export const userOAuthArgs = v.object({
+  provider: v.string(),
+  providerAccountId: v.string(),
+  profile: v.any(),
+  signature: v.string(),
+});
+type ReturnType = string;
+export async function userOAuthImpl(
+  ctx: MutationCtx,
+  args: Infer<typeof userOAuthArgs>,
+  getProviderOrThrow: Provider.GetProviderOrThrowFunc,
+  config: Provider.Config,
+): Promise<ReturnType> {
+  logWithLevel("DEBUG", "userOAuthImpl args:", args);
+  const { profile, provider, providerAccountId, signature } = args;
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const providerConfig = getProviderOrThrow(provider) as OAuthConfig<any>;
+  const existingAccount =
+    authDb !== null
+      ? await authDb.accounts.get(provider, providerAccountId)
+      : await ctx.db
+          .query("account")
+          .withIndex("providerAndAccountId", (q) =>
+            q.eq("provider", provider).eq("providerAccountId", providerAccountId),
+          )
+          .unique();
+  const verifier =
+    authDb !== null
+      ? await authDb.verifiers.getBySignature(signature)
+      : await ctx.db
+          .query("verifier")
+          .withIndex("signature", (q) => q.eq("signature", signature))
+          .unique();
+  if (verifier === null) {
+    throw new Error("Invalid state");
+  }
+  const { accountId } = await upsertUserAndAccount(
+    ctx,
+    verifier.sessionId ?? null,
+    existingAccount !== null ? { existingAccount } : { providerAccountId },
+    { type: "oauth", provider: providerConfig, profile },
+    config,
+  );
+  const code = generateRandomString(8, "0123456789");
+  if (authDb !== null) {
+    await authDb.verifiers.delete(verifier._id);
+  } else {
+    await ctx.db.delete(verifier._id);
+  }
+  const existingVerificationCode =
+    authDb !== null
+      ? await authDb.verificationCodes.getByAccountId(accountId)
+      : await ctx.db
+          .query("verification")
+          .withIndex("accountId", (q) => q.eq("accountId", accountId))
+          .unique();
+  if (existingVerificationCode !== null) {
+    if (authDb !== null) {
+      await authDb.verificationCodes.delete(existingVerificationCode._id);
+    } else {
+      await ctx.db.delete(existingVerificationCode._id);
+    }
+  }
+  if (authDb !== null) {
+    await authDb.verificationCodes.create({
+      code: await sha256(code),
+      accountId,
+      provider,
+      expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,
+      verifier: verifier._id,
+    });
+  } else {
+    await ctx.db.insert("verification", {
+      code: await sha256(code),
+      accountId,
+      provider,
+      expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,
+      // The use of a verifier means we don't need an identifier
+      // during verification.
+      verifier: verifier._id,
+    });
+  }
+  return code;
+}
+export const callUserOAuth = async (
+  ctx: ActionCtx,
+  args: Infer<typeof userOAuthArgs>,
+): Promise<ReturnType> => {
+  return ctx.runMutation("auth:store" as any, {
+    args: {
+      type: "userOAuth",
+      ...args,
+    },
+  });
+};

package/src/server/implementation/mutations/verifier.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import { GenericId } from "convex/values";
+import { ActionCtx, MutationCtx } from "../types.js";
+import { getAuthSessionId } from "../sessions.js";
+import * as Provider from "../provider.js";
+import { createAuthDb } from "../db.js";
+type ReturnType = GenericId<"verifier">;
+export async function verifierImpl(
+  ctx: MutationCtx,
+  config: Provider.Config,
+): Promise<ReturnType> {
+  const sessionId = (await getAuthSessionId(ctx)) ?? undefined;
+  if (config.component !== undefined) {
+    return (await createAuthDb(ctx, config.component).verifiers.create(sessionId)) as
+      ReturnType;
+  }
+  return await ctx.db.insert("verifier", {
+    sessionId,
+  });
+}
+export const callVerifier = async (ctx: ActionCtx): Promise<ReturnType> => {
+  return ctx.runMutation("auth:store" as any, {
+    args: {
+      type: "verifier",
+    },
+  });
+};

package/src/server/implementation/mutations/verifierSignature.ts ADDED Viewed

@@ -0,0 +1,44 @@
+import { GenericId, Infer, v } from "convex/values";
+import { ActionCtx, MutationCtx } from "../types.js";
+import * as Provider from "../provider.js";
+import { createAuthDb } from "../db.js";
+export const verifierSignatureArgs = v.object({
+  verifier: v.string(),
+  signature: v.string(),
+});
+type ReturnType = void;
+export async function verifierSignatureImpl(
+  ctx: MutationCtx,
+  args: Infer<typeof verifierSignatureArgs>,
+  config: Provider.Config,
+): Promise<ReturnType> {
+  const { verifier, signature } = args;
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const verifierDoc =
+    authDb !== null
+      ? await authDb.verifiers.getById(verifier as GenericId<"verifier">)
+      : await ctx.db.get(verifier as GenericId<"verifier">);
+  if (verifierDoc === null) {
+    throw new Error("Invalid verifier");
+  }
+  if (authDb !== null) {
+    return await authDb.verifiers.patch(verifierDoc._id, { signature });
+  }
+  return await ctx.db.patch(verifierDoc._id, { signature });
+}
+export const callVerifierSignature = async (
+  ctx: ActionCtx,
+  args: Infer<typeof verifierSignatureArgs>,
+): Promise<void> => {
+  return ctx.runMutation("auth:store" as any, {
+    args: {
+      type: "verifierSignature",
+      ...args,
+    },
+  });
+};

package/src/server/implementation/mutations/verifyCodeAndSignIn.ts ADDED Viewed

@@ -0,0 +1,205 @@
+import { GenericId, Infer, v } from "convex/values";
+import { ActionCtx, MutationCtx, SessionInfo } from "../types.js";
+import {
+  isSignInRateLimited,
+  recordFailedSignIn,
+  resetSignInRateLimit,
+} from "../rateLimit.js";
+import * as Provider from "../provider.js";
+import {
+  createNewAndDeleteExistingSession,
+  getAuthSessionId,
+  maybeGenerateTokensForSession,
+} from "../sessions.js";
+import { ConvexAuthConfig } from "../../types.js";
+import { LOG_LEVELS, logWithLevel, sha256 } from "../utils.js";
+import { upsertUserAndAccount } from "../users.js";
+import { createAuthDb } from "../db.js";
+export const verifyCodeAndSignInArgs = v.object({
+  params: v.any(),
+  provider: v.optional(v.string()),
+  verifier: v.optional(v.string()),
+  generateTokens: v.boolean(),
+  allowExtraProviders: v.boolean(),
+});
+type ReturnType = null | SessionInfo;
+export async function verifyCodeAndSignInImpl(
+  ctx: MutationCtx,
+  args: Infer<typeof verifyCodeAndSignInArgs>,
+  getProviderOrThrow: Provider.GetProviderOrThrowFunc,
+  config: Provider.Config,
+): Promise<ReturnType> {
+  logWithLevel(LOG_LEVELS.DEBUG, "verifyCodeAndSignInImpl args:", {
+    params: { email: args.params.email, phone: args.params.phone },
+    provider: args.provider,
+    verifier: args.verifier,
+    generateTokens: args.generateTokens,
+    allowExtraProviders: args.allowExtraProviders,
+  });
+  const { generateTokens, provider, allowExtraProviders } = args;
+  const identifier = args.params.email ?? args.params.phone;
+  if (identifier !== undefined) {
+    if (await isSignInRateLimited(ctx, identifier, config)) {
+      logWithLevel(
+        LOG_LEVELS.ERROR,
+        "Too many failed attempts to verify code for this email",
+      );
+      return null;
+    }
+  }
+  const verifyResult = await verifyCodeOnly(
+    ctx,
+    args,
+    provider ?? null,
+    getProviderOrThrow,
+    allowExtraProviders,
+    config,
+    await getAuthSessionId(ctx),
+  );
+  if (verifyResult === null) {
+    if (identifier !== undefined) {
+      await recordFailedSignIn(ctx, identifier, config);
+    }
+    return null;
+  }
+  if (identifier !== undefined) {
+    await resetSignInRateLimit(ctx, identifier, config);
+  }
+  const { userId } = verifyResult;
+  const sessionId = await createNewAndDeleteExistingSession(
+    ctx,
+    config,
+    userId,
+  );
+  return await maybeGenerateTokensForSession(
+    ctx,
+    config,
+    userId,
+    sessionId,
+    generateTokens,
+  );
+}
+export const callVerifyCodeAndSignIn = async (
+  ctx: ActionCtx,
+  args: Infer<typeof verifyCodeAndSignInArgs>,
+): Promise<ReturnType> => {
+  return ctx.runMutation("auth:store" as any, {
+    args: {
+      type: "verifyCodeAndSignIn",
+      ...args,
+    },
+  });
+};
+async function verifyCodeOnly(
+  ctx: MutationCtx,
+  args: {
+    params: any;
+    verifier?: string;
+    identifier?: string;
+  },
+  /**
+   * There are two providers at play:
+   * 1. the provider that generated the code
+   * 2. the provider the account is tied to.
+   * This is because we allow signing into an account
+   * via another provider, see {@link signInViaProvider}.
+   * This is the first provider.
+   */
+  methodProviderId: string | null,
+  getProviderOrThrow: Provider.GetProviderOrThrowFunc,
+  allowExtraProviders: boolean,
+  config: ConvexAuthConfig,
+  sessionId: GenericId<"session"> | null,
+) {
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const { params, verifier } = args;
+  const codeHash = await sha256(params.code);
+  const verificationCode =
+    authDb !== null
+      ? await authDb.verificationCodes.getByCode(codeHash)
+      : await ctx.db
+          .query("verification")
+          .withIndex("code", (q) => q.eq("code", codeHash))
+          .unique();
+  if (verificationCode === null) {
+    logWithLevel(LOG_LEVELS.ERROR, "Invalid verification code");
+    return null;
+  }
+  if (authDb !== null) {
+    await authDb.verificationCodes.delete(verificationCode._id);
+  } else {
+    await ctx.db.delete(verificationCode._id);
+  }
+  if (verificationCode.verifier !== verifier) {
+    logWithLevel(LOG_LEVELS.ERROR, "Invalid verifier");
+    return null;
+  }
+  if (verificationCode.expirationTime < Date.now()) {
+    logWithLevel(LOG_LEVELS.ERROR, "Expired verification code");
+    return null;
+  }
+  const { accountId, emailVerified, phoneVerified } = verificationCode;
+  const account =
+    authDb !== null ? await authDb.accounts.getById(accountId) : await ctx.db.get(accountId);
+  if (account === null) {
+    logWithLevel(
+      LOG_LEVELS.ERROR,
+      "Account associated with this email has been deleted",
+    );
+    return null;
+  }
+  if (
+    methodProviderId !== null &&
+    verificationCode.provider !== methodProviderId
+  ) {
+    logWithLevel(
+      LOG_LEVELS.ERROR,
+      `Invalid provider "${methodProviderId}" for given \`code\`, ` +
+        `which was generated by provider "${verificationCode.provider}"`,
+    );
+    return null;
+  }
+  // OTP providers perform an additional check against the provided
+  // params.
+  const methodProvider = getProviderOrThrow(
+    verificationCode.provider,
+    allowExtraProviders,
+  );
+  if (
+    methodProvider !== null &&
+    (methodProvider.type === "email" || methodProvider.type === "phone") &&
+    methodProvider.authorize !== undefined
+  ) {
+    await methodProvider.authorize(args.params, account);
+  }
+  let userId = account.userId;
+  const provider = getProviderOrThrow(account.provider);
+  if (!(provider.type === "oauth" || provider.type === "oidc")) {
+    ({ userId } = await upsertUserAndAccount(
+      ctx,
+      sessionId,
+      { existingAccount: account },
+      {
+        type: "verification",
+        provider,
+        profile: {
+          ...(emailVerified !== undefined
+            ? { email: emailVerified, emailVerified: true }
+            : {}),
+          ...(phoneVerified !== undefined
+            ? { phone: phoneVerified, phoneVerified: true }
+            : {}),
+        },
+      },
+      config,
+    ));
+  }
+  return { providerAccountId: account.providerAccountId, userId };
+}

package/src/server/implementation/provider.ts ADDED Viewed

@@ -0,0 +1,38 @@
+import { AuthProviderMaterializedConfig } from "../types.js";
+export async function hash(provider: any, secret: string) {
+  if (provider.type !== "credentials") {
+    throw new Error(`Provider ${provider.id} is not a credentials provider`);
+  }
+  const hashSecretFn = provider.crypto?.hashSecret;
+  if (hashSecretFn === undefined) {
+    throw new Error(
+      `Provider ${provider.id} does not have a \`crypto.hashSecret\` function`,
+    );
+  }
+  return await hashSecretFn(secret);
+}
+export async function verify(
+  provider: AuthProviderMaterializedConfig,
+  secret: string,
+  hash: string,
+) {
+  if (provider.type !== "credentials") {
+    throw new Error(`Provider ${provider.id} is not a credentials provider`);
+  }
+  const verifySecretFn = provider.crypto?.verifySecret;
+  if (verifySecretFn === undefined) {
+    throw new Error(
+      `Provider ${provider.id} does not have a \`crypto.verifySecret\` function`,
+    );
+  }
+  return await verifySecretFn(secret, hash);
+}
+export type GetProviderOrThrowFunc = (
+  provider: string,
+  allowExtraProviders?: boolean,
+) => AuthProviderMaterializedConfig;
+export type Config = any;