@robelest/convex-auth 0.0.1

package/src/server/implementation/rateLimit.ts

@@ -0,0 +1,105 @@
+import { ConvexAuthConfig } from "../types.js";
+import { Doc, MutationCtx } from "./types.js";
+import { createAuthDb } from "./db.js";
+
+const DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;
+
+export async function isSignInRateLimited(
+  ctx: MutationCtx,
+  identifier: string,
+  config: ConvexAuthConfig,
+) {
+  const state = await getRateLimitState(ctx, identifier, config);
+  if (state === null) {
+    return false;
+  }
+  return state.attempsLeft < 1;
+}
+
+export async function recordFailedSignIn(
+  ctx: MutationCtx,
+  identifier: string,
+  config: ConvexAuthConfig,
+) {
+  const state = await getRateLimitState(ctx, identifier, config);
+  if (state !== null) {
+    if (config.component !== undefined) {
+      await createAuthDb(ctx, config.component).rateLimits.patch(state.limit._id, {
+        attemptsLeft: state.attempsLeft - 1,
+        lastAttemptTime: Date.now(),
+      });
+    } else {
+      await ctx.db.patch(state.limit._id, {
+        attemptsLeft: state.attempsLeft - 1,
+        lastAttemptTime: Date.now(),
+      });
+    }
+  } else {
+    const maxAttempsPerHour = configuredMaxAttempsPerHour(config);
+    if (config.component !== undefined) {
+      await createAuthDb(ctx, config.component).rateLimits.create({
+        identifier,
+        attemptsLeft: maxAttempsPerHour - 1,
+        lastAttemptTime: Date.now(),
+      });
+    } else {
+      await ctx.db.insert("limit", {
+        identifier,
+        attemptsLeft: maxAttempsPerHour - 1,
+        lastAttemptTime: Date.now(),
+      });
+    }
+  }
+}
+
+export async function resetSignInRateLimit(
+  ctx: MutationCtx,
+  identifier: string,
+  config: ConvexAuthConfig,
+) {
+  const existingState = await getRateLimitState(ctx, identifier, config);
+  if (existingState !== null) {
+    if (config.component !== undefined) {
+      await createAuthDb(ctx, config.component).rateLimits.delete(
+        existingState.limit._id,
+      );
+    } else {
+      await ctx.db.delete(existingState.limit._id);
+    }
+  }
+}
+
+async function getRateLimitState(
+  ctx: MutationCtx,
+  identifier: string,
+  config: ConvexAuthConfig,
+) {
+  const now = Date.now();
+  const maxAttempsPerHour = configuredMaxAttempsPerHour(config);
+  const limit =
+    config.component !== undefined
+      ? ((await createAuthDb(ctx, config.component).rateLimits.get(identifier)) as
+          | Doc<"limit">
+          | null)
+      : await ctx.db
+          .query("limit")
+          .withIndex("identifier", (q) => q.eq("identifier", identifier))
+          .unique();
+  if (limit === null) {
+    return null;
+  }
+  const elapsed = now - limit.lastAttemptTime;
+  const maxAttempsPerMs = maxAttempsPerHour / (60 * 60 * 1000);
+  const attempsLeft = Math.min(
+    maxAttempsPerHour,
+    limit.attemptsLeft + elapsed * maxAttempsPerMs,
+  );
+  return { limit, attempsLeft };
+}
+
+function configuredMaxAttempsPerHour(config: ConvexAuthConfig) {
+  return (
+    config.signIn?.maxFailedAttempsPerHour ??
+    DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR
+  );
+}

package/src/server/implementation/redirects.ts

@@ -0,0 +1,58 @@
+import { ConvexAuthMaterializedConfig } from "../types.js";
+import { requireEnv } from "../utils.js";
+
+export async function redirectAbsoluteUrl(
+  config: ConvexAuthMaterializedConfig,
+  params: { redirectTo: unknown },
+) {
+  if (params.redirectTo !== undefined) {
+    if (typeof params.redirectTo !== "string") {
+      throw new Error(
+        `Expected \`redirectTo\` to be a string, got ${params.redirectTo as any}`,
+      );
+    }
+    const redirectCallback =
+      config.callbacks?.redirect ?? defaultRedirectCallback;
+    return await redirectCallback(params as { redirectTo: string });
+  }
+  return siteUrl();
+}
+
+async function defaultRedirectCallback({ redirectTo }: { redirectTo: string }) {
+  const baseUrl = siteUrl();
+  if (redirectTo.startsWith("?") || redirectTo.startsWith("/")) {
+    return `${baseUrl}${redirectTo}`;
+  }
+  if (redirectTo.startsWith(baseUrl)) {
+    const after = redirectTo[baseUrl.length];
+    if (after === undefined || after === "?" || after === "/") {
+      return redirectTo;
+    }
+  }
+  throw new Error(
+    `Invalid \`redirectTo\` ${redirectTo} for configured SITE_URL: ${baseUrl.toString()}`,
+  );
+}
+
+// Temporary work-around because Convex doesn't support
+// schemes other than http and https.
+export function setURLSearchParam(
+  absoluteUrl: string,
+  param: string,
+  value: string,
+) {
+  const pattern = /([^:]+):(.*)/;
+  const [, scheme, rest] = absoluteUrl.match(pattern)!;
+  const hasNoDomain = /^\/\/(?:\/|$|\?)/.test(rest);
+  const startsWithPath = hasNoDomain && rest.startsWith("///");
+  const url = new URL(
+    `http:${hasNoDomain ? "//googblibok" + rest.slice(2) : rest}`,
+  );
+  url.searchParams.set(param, value);
+  const [, , withParam] = url.toString().match(pattern)!;
+  return `${scheme}:${hasNoDomain ? (startsWithPath ? "/" : "") + "//" + withParam.slice(13) : withParam}`;
+}
+
+function siteUrl() {
+  return requireEnv("SITE_URL").replace(/\/$/, "");
+}

package/src/server/implementation/refreshTokens.ts

@@ -0,0 +1,221 @@
+import { GenericId } from "convex/values";
+import { ConvexAuthConfig } from "../types.js";
+import { Doc, MutationCtx } from "./types.js";
+import {
+  LOG_LEVELS,
+  REFRESH_TOKEN_DIVIDER,
+  logWithLevel,
+  maybeRedact,
+  stringToNumber,
+} from "./utils.js";
+import { createAuthDb } from "./db.js";
+
+const DEFAULT_SESSION_INACTIVE_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days
+export const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1000; // 10 seconds
+export async function createRefreshToken(
+  ctx: MutationCtx,
+  config: ConvexAuthConfig,
+  sessionId: GenericId<"session">,
+  parentRefreshTokenId: GenericId<"token"> | null,
+) {
+  const expirationTime =
+    Date.now() +
+    (config.session?.inactiveDurationMs ??
+      stringToNumber(process.env.AUTH_SESSION_INACTIVE_DURATION_MS) ??
+      DEFAULT_SESSION_INACTIVE_DURATION_MS);
+  if (config.component !== undefined) {
+    return (await createAuthDb(ctx, config.component).refreshTokens.create({
+      sessionId,
+      expirationTime,
+      parentRefreshTokenId: parentRefreshTokenId ?? undefined,
+    })) as GenericId<"token">;
+  }
+  const newRefreshTokenId = await ctx.db.insert("token", {
+    sessionId,
+    expirationTime,
+    parentRefreshTokenId: parentRefreshTokenId ?? undefined,
+  });
+  return newRefreshTokenId;
+}
+
+export const formatRefreshToken = (
+  refreshTokenId: GenericId<"token">,
+  sessionId: GenericId<"session">,
+) => {
+  return `${refreshTokenId}${REFRESH_TOKEN_DIVIDER}${sessionId}`;
+};
+
+export const parseRefreshToken = (
+  refreshToken: string,
+): {
+  refreshTokenId: GenericId<"token">;
+  sessionId: GenericId<"session">;
+} => {
+  const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);
+  if (!refreshTokenId || !sessionId) {
+    throw new Error(`Can't parse refresh token: ${maybeRedact(refreshToken)}`);
+  }
+  return {
+    refreshTokenId: refreshTokenId as GenericId<"token">,
+    sessionId: sessionId as GenericId<"session">,
+  };
+};
+
+/**
+ * Mark all refresh tokens descending from the given refresh token as invalid immediately.
+ * This is used when we detect an invalid use of a refresh token, and want to revoke
+ * the entire tree.
+ *
+ * @param ctx
+ * @param refreshToken
+ */
+export async function invalidateRefreshTokensInSubtree(
+  ctx: MutationCtx,
+  refreshToken: Doc<"token">,
+  config: ConvexAuthConfig,
+) {
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const tokensToInvalidate = [refreshToken];
+  let frontier = [refreshToken._id];
+  while (frontier.length > 0) {
+    const nextFrontier = [];
+    for (const currentTokenId of frontier) {
+      const children =
+        authDb !== null
+          ? ((await authDb.refreshTokens.getChildren(
+              refreshToken.sessionId,
+              currentTokenId,
+            )) as Doc<"token">[])
+          : await ctx.db
+              .query("token")
+              .withIndex("sessionIdAndParentRefreshTokenId", (q) =>
+                q
+                  .eq("sessionId", refreshToken.sessionId)
+                  .eq("parentRefreshTokenId", currentTokenId),
+              )
+              .collect();
+      tokensToInvalidate.push(...children);
+      nextFrontier.push(...children.map((child) => child._id));
+    }
+    frontier = nextFrontier;
+  }
+  for (const token of tokensToInvalidate) {
+    // Mark these as used so they can't be used again (even within the reuse window)
+    if (
+      token.firstUsedTime === undefined ||
+      token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS
+    ) {
+      if (authDb !== null) {
+        await authDb.refreshTokens.patch(token._id, {
+          firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,
+        });
+      } else {
+        await ctx.db.patch(token._id, {
+          firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,
+        });
+      }
+    }
+  }
+  return tokensToInvalidate;
+}
+
+export async function deleteAllRefreshTokens(
+  ctx: MutationCtx,
+  sessionId: GenericId<"session">,
+  config: ConvexAuthConfig,
+) {
+  if (config.component !== undefined) {
+    await createAuthDb(ctx, config.component).refreshTokens.deleteAll(sessionId);
+    return;
+  }
+  const existingRefreshTokens = await ctx.db
+    .query("token")
+    .withIndex("sessionIdAndParentRefreshTokenId", (q) =>
+      q.eq("sessionId", sessionId),
+    )
+    .collect();
+  for (const refreshTokenDoc of existingRefreshTokens) {
+    await ctx.db.delete(refreshTokenDoc._id);
+  }
+}
+
+export async function refreshTokenIfValid(
+  ctx: MutationCtx,
+  refreshTokenId: string,
+  tokenSessionId: string,
+  config: ConvexAuthConfig,
+) {
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  let refreshTokenDoc: Doc<"token"> | null;
+  try {
+    refreshTokenDoc =
+      authDb !== null
+        ? ((await authDb.refreshTokens.getById(
+            refreshTokenId as GenericId<"token">,
+          )) as Doc<"token"> | null)
+        : await ctx.db.get(refreshTokenId as GenericId<"token">);
+  } catch {
+    logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token format");
+    return null;
+  }
+
+  if (refreshTokenDoc === null) {
+    logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token");
+    return null;
+  }
+  if (refreshTokenDoc.expirationTime < Date.now()) {
+    logWithLevel(LOG_LEVELS.ERROR, "Expired refresh token");
+    return null;
+  }
+  if (refreshTokenDoc.sessionId !== tokenSessionId) {
+    logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session ID");
+    return null;
+  }
+  let session: Doc<"session"> | null;
+  try {
+    session =
+      authDb !== null
+        ? ((await authDb.sessions.getById(refreshTokenDoc.sessionId)) as
+            | Doc<"session">
+            | null)
+        : await ctx.db.get(refreshTokenDoc.sessionId);
+  } catch {
+    logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session format");
+    return null;
+  }
+  if (session === null) {
+    logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session");
+    return null;
+  }
+  if (session.expirationTime < Date.now()) {
+    logWithLevel(LOG_LEVELS.ERROR, "Expired refresh token session");
+    return null;
+  }
+  return { session, refreshTokenDoc };
+}
+/**
+ * The active refresh token is the most recently created refresh token that has
+ * never been used.
+ *
+ * @param ctx
+ * @param sessionId
+ */
+export async function loadActiveRefreshToken(
+  ctx: MutationCtx,
+  sessionId: GenericId<"session">,
+  config: ConvexAuthConfig,
+) {
+  if (config.component !== undefined) {
+    return (await createAuthDb(ctx, config.component).refreshTokens.getActive(
+      sessionId,
+    )) as Doc<"token"> | null;
+  }
+  return ctx.db
+    .query("token")
+    .withIndex("sessionId", (q) => q.eq("sessionId", sessionId))
+    .filter((q) => q.eq(q.field("firstUsedTime"), undefined))
+    .order("desc")
+    .first();
+}

package/src/server/implementation/sessions.ts

@@ -0,0 +1,155 @@
+import { GenericId } from "convex/values";
+import { ConvexAuthConfig } from "../types.js";
+import { Doc, MutationCtx, SessionInfo } from "./types.js";
+import { Auth } from "convex/server";
+import {
+  LOG_LEVELS,
+  TOKEN_SUB_CLAIM_DIVIDER,
+  logWithLevel,
+  maybeRedact,
+  stringToNumber,
+} from "./utils.js";
+import { generateToken } from "./tokens.js";
+import {
+  createRefreshToken,
+  formatRefreshToken,
+  deleteAllRefreshTokens,
+} from "./refreshTokens.js";
+import { createAuthDb } from "./db.js";
+
+const DEFAULT_SESSION_TOTAL_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days
+
+export async function maybeGenerateTokensForSession(
+  ctx: MutationCtx,
+  config: ConvexAuthConfig,
+  userId: GenericId<"user">,
+  sessionId: GenericId<"session">,
+  generateTokens: boolean,
+): Promise<SessionInfo> {
+  return {
+    userId,
+    sessionId,
+    tokens: generateTokens
+      ? await generateTokensForSession(ctx, config, {
+          userId,
+          sessionId,
+          issuedRefreshTokenId: null,
+          parentRefreshTokenId: null,
+        })
+      : null,
+  };
+}
+
+export async function createNewAndDeleteExistingSession(
+  ctx: MutationCtx,
+  config: ConvexAuthConfig,
+  userId: GenericId<"user">,
+) {
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const existingSessionId = await getAuthSessionId(ctx);
+  if (existingSessionId !== null) {
+    const existingSession =
+      authDb !== null
+        ? await authDb.sessions.getById(existingSessionId)
+        : await ctx.db.get(existingSessionId);
+    if (existingSession !== null) {
+      await deleteSession(ctx, existingSession, config);
+    }
+  }
+  return await createSession(ctx, userId, config);
+}
+
+export async function generateTokensForSession(
+  ctx: MutationCtx,
+  config: ConvexAuthConfig,
+  args: {
+    userId: GenericId<"user">;
+    sessionId: GenericId<"session">;
+    issuedRefreshTokenId: GenericId<"token"> | null;
+    parentRefreshTokenId: GenericId<"token"> | null;
+  },
+) {
+  const ids = { userId: args.userId, sessionId: args.sessionId };
+  const refreshTokenId =
+    args.issuedRefreshTokenId ??
+    (await createRefreshToken(
+      ctx,
+      config,
+      args.sessionId,
+      args.parentRefreshTokenId,
+    ));
+  const result = {
+    token: await generateToken(ids, config),
+    refreshToken: formatRefreshToken(refreshTokenId, args.sessionId),
+  };
+  logWithLevel(
+    LOG_LEVELS.DEBUG,
+    `Generated token ${maybeRedact(result.token)} and refresh token ${maybeRedact(refreshTokenId)} for session ${maybeRedact(args.sessionId)}`,
+  );
+  return result;
+}
+
+async function createSession(
+  ctx: MutationCtx,
+  userId: GenericId<"user">,
+  config: ConvexAuthConfig,
+) {
+  const expirationTime =
+    Date.now() +
+    (config.session?.totalDurationMs ??
+      stringToNumber(process.env.AUTH_SESSION_TOTAL_DURATION_MS) ??
+      DEFAULT_SESSION_TOTAL_DURATION_MS);
+  if (config.component !== undefined) {
+    return (await createAuthDb(ctx, config.component).sessions.create(
+      userId,
+      expirationTime,
+    )) as GenericId<"session">;
+  }
+  return await ctx.db.insert("session", { expirationTime, userId });
+}
+
+export async function deleteSession(
+  ctx: MutationCtx,
+  session: Doc<"session">,
+  config: ConvexAuthConfig,
+) {
+  if (config.component !== undefined) {
+    await createAuthDb(ctx, config.component).sessions.delete(session._id);
+  } else {
+    await ctx.db.delete(session._id);
+  }
+  await deleteAllRefreshTokens(ctx, session._id, config);
+}
+
+/**
+ * Return the current session ID.
+ *
+ * ```ts filename="convex/myFunctions.tsx"
+ * import { mutation } from "./_generated/server";
+ * import { getAuthSessionId } from "@robelest/convex-auth/component";
+ *
+ * export const doSomething = mutation({
+ *   args: {/* ... *\/},
+ *   handler: async (ctx, args) => {
+ *     const sessionId = await getAuthSessionId(ctx);
+ *     if (sessionId === null) {
+ *       throw new Error("Client is not authenticated!")
+ *     }
+ *     const session = await ctx.db.get(sessionId);
+ *     // ...
+ *   },
+ * });
+ * ```
+ *
+ * @param ctx query, mutation or action `ctx`
+ * @returns the session ID or `null` if the client isn't authenticated
+ */
+export async function getAuthSessionId(ctx: { auth: Auth }) {
+  const identity = await ctx.auth.getUserIdentity();
+  if (identity === null) {
+    return null;
+  }
+  const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
+  return sessionId as GenericId<"session">;
+}