npm - @robelest/convex-auth - Versions diffs - 0.0.1 - Mend

@robelest/convex-auth 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (280) hide show

package/README.md +6 -0
package/dist/bin.cjs +27733 -0
package/dist/client/index.d.ts +49 -0
package/dist/client/index.d.ts.map +1 -0
package/dist/client/index.js +283 -0
package/dist/client/index.js.map +1 -0
package/dist/component/_generated/api.d.ts +36 -0
package/dist/component/_generated/api.d.ts.map +1 -0
package/dist/component/_generated/api.js +31 -0
package/dist/component/_generated/api.js.map +1 -0
package/dist/component/_generated/component.d.ts +295 -0
package/dist/component/_generated/component.d.ts.map +1 -0
package/dist/component/_generated/component.js +11 -0
package/dist/component/_generated/component.js.map +1 -0
package/dist/component/_generated/dataModel.d.ts +46 -0
package/dist/component/_generated/dataModel.d.ts.map +1 -0
package/dist/component/_generated/dataModel.js +11 -0
package/dist/component/_generated/dataModel.js.map +1 -0
package/dist/component/_generated/server.d.ts +121 -0
package/dist/component/_generated/server.d.ts.map +1 -0
package/dist/component/_generated/server.js +78 -0
package/dist/component/_generated/server.js.map +1 -0
package/dist/component/convex.config.d.ts +3 -0
package/dist/component/convex.config.d.ts.map +1 -0
package/dist/component/convex.config.js +4 -0
package/dist/component/convex.config.js.map +1 -0
package/dist/component/index.d.ts +15 -0
package/dist/component/index.d.ts.map +1 -0
package/dist/component/index.js +13 -0
package/dist/component/index.js.map +1 -0
package/dist/component/public.d.ts +450 -0
package/dist/component/public.d.ts.map +1 -0
package/dist/component/public.js +528 -0
package/dist/component/public.js.map +1 -0
package/dist/component/schema.d.ts +107 -0
package/dist/component/schema.d.ts.map +1 -0
package/dist/component/schema.js +26 -0
package/dist/component/schema.js.map +1 -0
package/dist/providers/Anonymous.d.ts +50 -0
package/dist/providers/Anonymous.d.ts.map +1 -0
package/dist/providers/Anonymous.js +39 -0
package/dist/providers/Anonymous.js.map +1 -0
package/dist/providers/ConvexCredentials.d.ts +88 -0
package/dist/providers/ConvexCredentials.d.ts.map +1 -0
package/dist/providers/ConvexCredentials.js +37 -0
package/dist/providers/ConvexCredentials.js.map +1 -0
package/dist/providers/Email.d.ts +33 -0
package/dist/providers/Email.d.ts.map +1 -0
package/dist/providers/Email.js +50 -0
package/dist/providers/Email.js.map +1 -0
package/dist/providers/Password.d.ts +95 -0
package/dist/providers/Password.d.ts.map +1 -0
package/dist/providers/Password.js +174 -0
package/dist/providers/Password.js.map +1 -0
package/dist/providers/Phone.d.ts +22 -0
package/dist/providers/Phone.d.ts.map +1 -0
package/dist/providers/Phone.js +37 -0
package/dist/providers/Phone.js.map +1 -0
package/dist/server/convex_types.d.ts +17 -0
package/dist/server/convex_types.d.ts.map +1 -0
package/dist/server/convex_types.js +2 -0
package/dist/server/convex_types.js.map +1 -0
package/dist/server/cookies.d.ts +35 -0
package/dist/server/cookies.d.ts.map +1 -0
package/dist/server/cookies.js +34 -0
package/dist/server/cookies.js.map +1 -0
package/dist/server/implementation/db.d.ts +80 -0
package/dist/server/implementation/db.d.ts.map +1 -0
package/dist/server/implementation/db.js +59 -0
package/dist/server/implementation/db.js.map +1 -0
package/dist/server/implementation/index.d.ts +370 -0
package/dist/server/implementation/index.d.ts.map +1 -0
package/dist/server/implementation/index.js +521 -0
package/dist/server/implementation/index.js.map +1 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.d.ts +33 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.d.ts.map +1 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.js +71 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.js.map +1 -0
package/dist/server/implementation/mutations/createVerificationCode.d.ts +25 -0
package/dist/server/implementation/mutations/createVerificationCode.d.ts.map +1 -0
package/dist/server/implementation/mutations/createVerificationCode.js +84 -0
package/dist/server/implementation/mutations/createVerificationCode.js.map +1 -0
package/dist/server/implementation/mutations/index.d.ts +304 -0
package/dist/server/implementation/mutations/index.d.ts.map +1 -0
package/dist/server/implementation/mutations/index.js +108 -0
package/dist/server/implementation/mutations/index.js.map +1 -0
package/dist/server/implementation/mutations/invalidateSessions.d.ts +13 -0
package/dist/server/implementation/mutations/invalidateSessions.d.ts.map +1 -0
package/dist/server/implementation/mutations/invalidateSessions.js +35 -0
package/dist/server/implementation/mutations/invalidateSessions.js.map +1 -0
package/dist/server/implementation/mutations/modifyAccount.d.ts +23 -0
package/dist/server/implementation/mutations/modifyAccount.d.ts.map +1 -0
package/dist/server/implementation/mutations/modifyAccount.js +48 -0
package/dist/server/implementation/mutations/modifyAccount.js.map +1 -0
package/dist/server/implementation/mutations/refreshSession.d.ts +16 -0
package/dist/server/implementation/mutations/refreshSession.d.ts.map +1 -0
package/dist/server/implementation/mutations/refreshSession.js +116 -0
package/dist/server/implementation/mutations/refreshSession.js.map +1 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.d.ts +27 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.d.ts.map +1 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.js +55 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.js.map +1 -0
package/dist/server/implementation/mutations/signIn.d.ts +17 -0
package/dist/server/implementation/mutations/signIn.d.ts.map +1 -0
package/dist/server/implementation/mutations/signIn.js +26 -0
package/dist/server/implementation/mutations/signIn.js.map +1 -0
package/dist/server/implementation/mutations/signOut.d.ts +11 -0
package/dist/server/implementation/mutations/signOut.d.ts.map +1 -0
package/dist/server/implementation/mutations/signOut.js +24 -0
package/dist/server/implementation/mutations/signOut.js.map +1 -0
package/dist/server/implementation/mutations/userOAuth.d.ts +19 -0
package/dist/server/implementation/mutations/userOAuth.d.ts.map +1 -0
package/dist/server/implementation/mutations/userOAuth.js +84 -0
package/dist/server/implementation/mutations/userOAuth.js.map +1 -0
package/dist/server/implementation/mutations/verifier.d.ts +8 -0
package/dist/server/implementation/mutations/verifier.d.ts.map +1 -0
package/dist/server/implementation/mutations/verifier.js +19 -0
package/dist/server/implementation/mutations/verifier.js.map +1 -0
package/dist/server/implementation/mutations/verifierSignature.d.ts +15 -0
package/dist/server/implementation/mutations/verifierSignature.d.ts.map +1 -0
package/dist/server/implementation/mutations/verifierSignature.js +29 -0
package/dist/server/implementation/mutations/verifierSignature.js.map +1 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.d.ts +21 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.d.ts.map +1 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.js +127 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.js.map +1 -0
package/dist/server/implementation/provider.d.ts +6 -0
package/dist/server/implementation/provider.d.ts.map +1 -0
package/dist/server/implementation/provider.js +21 -0
package/dist/server/implementation/provider.js.map +1 -0
package/dist/server/implementation/rateLimit.d.ts +6 -0
package/dist/server/implementation/rateLimit.d.ts.map +1 -0
package/dist/server/implementation/rateLimit.js +76 -0
package/dist/server/implementation/rateLimit.js.map +1 -0
package/dist/server/implementation/redirects.d.ts +6 -0
package/dist/server/implementation/redirects.d.ts.map +1 -0
package/dist/server/implementation/redirects.js +40 -0
package/dist/server/implementation/redirects.js.map +1 -0
package/dist/server/implementation/refreshTokens.d.ts +40 -0
package/dist/server/implementation/refreshTokens.d.ts.map +1 -0
package/dist/server/implementation/refreshTokens.js +160 -0
package/dist/server/implementation/refreshTokens.js.map +1 -0
package/dist/server/implementation/sessions.d.ts +43 -0
package/dist/server/implementation/sessions.d.ts.map +1 -0
package/dist/server/implementation/sessions.js +94 -0
package/dist/server/implementation/sessions.js.map +1 -0
package/dist/server/implementation/signIn.d.ts +31 -0
package/dist/server/implementation/signIn.d.ts.map +1 -0
package/dist/server/implementation/signIn.js +148 -0
package/dist/server/implementation/signIn.js.map +1 -0
package/dist/server/implementation/tokens.d.ts +7 -0
package/dist/server/implementation/tokens.d.ts.map +1 -0
package/dist/server/implementation/tokens.js +18 -0
package/dist/server/implementation/tokens.js.map +1 -0
package/dist/server/implementation/types.d.ts +288 -0
package/dist/server/implementation/types.d.ts.map +1 -0
package/dist/server/implementation/types.js +182 -0
package/dist/server/implementation/types.js.map +1 -0
package/dist/server/implementation/users.d.ts +27 -0
package/dist/server/implementation/users.d.ts.map +1 -0
package/dist/server/implementation/users.js +181 -0
package/dist/server/implementation/users.js.map +1 -0
package/dist/server/implementation/utils.d.ts +17 -0
package/dist/server/implementation/utils.d.ts.map +1 -0
package/dist/server/implementation/utils.js +72 -0
package/dist/server/implementation/utils.js.map +1 -0
package/dist/server/index.d.ts +17 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/index.js +54 -0
package/dist/server/index.js.map +1 -0
package/dist/server/oauth/authorizationUrl.d.ts +13 -0
package/dist/server/oauth/authorizationUrl.d.ts.map +1 -0
package/dist/server/oauth/authorizationUrl.js +91 -0
package/dist/server/oauth/authorizationUrl.js.map +1 -0
package/dist/server/oauth/callback.d.ts +19 -0
package/dist/server/oauth/callback.d.ts.map +1 -0
package/dist/server/oauth/callback.js +173 -0
package/dist/server/oauth/callback.js.map +1 -0
package/dist/server/oauth/checks.d.ts +52 -0
package/dist/server/oauth/checks.d.ts.map +1 -0
package/dist/server/oauth/checks.js +106 -0
package/dist/server/oauth/checks.js.map +1 -0
package/dist/server/oauth/convexAuth.d.ts +12 -0
package/dist/server/oauth/convexAuth.d.ts.map +1 -0
package/dist/server/oauth/convexAuth.js +137 -0
package/dist/server/oauth/convexAuth.js.map +1 -0
package/dist/server/oauth/lib/utils/customFetch.d.ts +9 -0
package/dist/server/oauth/lib/utils/customFetch.d.ts.map +1 -0
package/dist/server/oauth/lib/utils/customFetch.js +11 -0
package/dist/server/oauth/lib/utils/customFetch.js.map +1 -0
package/dist/server/oauth/lib/utils/providers.d.ts +3 -0
package/dist/server/oauth/lib/utils/providers.d.ts.map +1 -0
package/dist/server/oauth/lib/utils/providers.js +7 -0
package/dist/server/oauth/lib/utils/providers.js.map +1 -0
package/dist/server/oauth/providers/oauth.d.ts +43 -0
package/dist/server/oauth/providers/oauth.d.ts.map +1 -0
package/dist/server/oauth/providers/oauth.js +3 -0
package/dist/server/oauth/providers/oauth.js.map +1 -0
package/dist/server/oauth/types.d.ts +24 -0
package/dist/server/oauth/types.d.ts.map +1 -0
package/dist/server/oauth/types.js +5 -0
package/dist/server/oauth/types.js.map +1 -0
package/dist/server/provider_utils.d.ts +76 -0
package/dist/server/provider_utils.d.ts.map +1 -0
package/dist/server/provider_utils.js +177 -0
package/dist/server/provider_utils.js.map +1 -0
package/dist/server/types.d.ts +412 -0
package/dist/server/types.d.ts.map +1 -0
package/dist/server/types.js +2 -0
package/dist/server/types.js.map +1 -0
package/dist/server/utils.d.ts +3 -0
package/dist/server/utils.d.ts.map +1 -0
package/dist/server/utils.js +11 -0
package/dist/server/utils.js.map +1 -0
package/package.json +126 -0
package/providers/Anonymous/package.json +6 -0
package/providers/ConvexCredentials/package.json +6 -0
package/providers/Email/package.json +6 -0
package/providers/Password/package.json +6 -0
package/providers/Phone/package.json +6 -0
package/server/package.json +6 -0
package/src/cli/command.ts +69 -0
package/src/cli/generateKeys.ts +20 -0
package/src/cli/index.ts +840 -0
package/src/client/index.ts +415 -0
package/src/component/_generated/api.ts +52 -0
package/src/component/_generated/component.ts +586 -0
package/src/component/_generated/dataModel.ts +60 -0
package/src/component/_generated/server.ts +156 -0
package/src/component/convex.config.ts +5 -0
package/src/component/index.ts +40 -0
package/src/component/public.ts +607 -0
package/src/component/schema.ts +35 -0
package/src/providers/Anonymous.ts +79 -0
package/src/providers/ConvexCredentials.ts +108 -0
package/src/providers/Email.ts +60 -0
package/src/providers/Password.ts +253 -0
package/src/providers/Phone.ts +46 -0
package/src/server/convex_types.ts +55 -0
package/src/server/cookies.ts +42 -0
package/src/server/implementation/db.ts +125 -0
package/src/server/implementation/index.ts +815 -0
package/src/server/implementation/mutations/createAccountFromCredentials.ts +113 -0
package/src/server/implementation/mutations/createVerificationCode.ts +139 -0
package/src/server/implementation/mutations/index.ts +157 -0
package/src/server/implementation/mutations/invalidateSessions.ts +47 -0
package/src/server/implementation/mutations/modifyAccount.ts +65 -0
package/src/server/implementation/mutations/refreshSession.ts +188 -0
package/src/server/implementation/mutations/retrieveAccountWithCredentials.ts +87 -0
package/src/server/implementation/mutations/signIn.ts +51 -0
package/src/server/implementation/mutations/signOut.ts +38 -0
package/src/server/implementation/mutations/userOAuth.ts +112 -0
package/src/server/implementation/mutations/verifier.ts +29 -0
package/src/server/implementation/mutations/verifierSignature.ts +44 -0
package/src/server/implementation/mutations/verifyCodeAndSignIn.ts +205 -0
package/src/server/implementation/provider.ts +38 -0
package/src/server/implementation/rateLimit.ts +105 -0
package/src/server/implementation/redirects.ts +58 -0
package/src/server/implementation/refreshTokens.ts +221 -0
package/src/server/implementation/sessions.ts +155 -0
package/src/server/implementation/signIn.ts +253 -0
package/src/server/implementation/tokens.ts +29 -0
package/src/server/implementation/types.ts +220 -0
package/src/server/implementation/users.ts +286 -0
package/src/server/implementation/utils.ts +91 -0
package/src/server/index.ts +74 -0
package/src/server/oauth/NOTICE.txt +21 -0
package/src/server/oauth/README.md +7 -0
package/src/server/oauth/authorizationUrl.ts +113 -0
package/src/server/oauth/callback.ts +243 -0
package/src/server/oauth/checks.ts +136 -0
package/src/server/oauth/convexAuth.ts +168 -0
package/src/server/oauth/lib/utils/customFetch.ts +18 -0
package/src/server/oauth/lib/utils/providers.ts +12 -0
package/src/server/oauth/providers/oauth.ts +56 -0
package/src/server/oauth/types.ts +60 -0
package/src/server/provider_utils.ts +222 -0
package/src/server/types.ts +470 -0
package/src/server/utils.ts +12 -0
package/src/test.ts +24 -0

package/src/server/implementation/signIn.ts ADDED Viewed

@@ -0,0 +1,253 @@
+import { GenericId } from "convex/values";
+import {
+  AuthProviderMaterializedConfig,
+  ConvexCredentialsConfig,
+  EmailConfig,
+  GenericActionCtxWithAuthConfig,
+  PhoneConfig,
+} from "../types.js";
+import {
+  AuthDataModel,
+  SessionInfo,
+  SessionInfoWithTokens,
+  Tokens,
+} from "./types.js";
+import {
+  callCreateVerificationCode,
+  callRefreshSession,
+  callSignIn,
+  callVerifier,
+  callVerifyCodeAndSignIn,
+} from "./mutations/index.js";
+import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
+import { requireEnv } from "../utils.js";
+import { OAuth2Config, OIDCConfig } from "@auth/core/providers/oauth.js";
+import { generateRandomString } from "./utils.js";
+const DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 60 * 60 * 24; // 24 hours
+type EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;
+export async function signInImpl(
+  ctx: EnrichedActionCtx,
+  provider: AuthProviderMaterializedConfig | null,
+  args: {
+    accountId?: GenericId<"account">;
+    params?: Record<string, any>;
+    verifier?: string;
+    refreshToken?: string;
+    calledBy?: string;
+  },
+  options: {
+    generateTokens: boolean;
+    allowExtraProviders: boolean;
+  },
+): Promise<
+  | { kind: "signedIn"; signedIn: SessionInfo | null }
+  // refresh tokens
+  | { kind: "refreshTokens"; signedIn: { tokens: Tokens } }
+  // Multi-step flows like magic link + OTP
+  | { kind: "started"; started: true }
+  // OAuth2 and OIDC flows
+  | { kind: "redirect"; redirect: string; verifier: string }
+> {
+  if (provider === null && args.refreshToken) {
+    const tokens: Tokens = (await callRefreshSession(ctx, {
+      refreshToken: args.refreshToken,
+    }))!;
+    return { kind: "refreshTokens", signedIn: { tokens } };
+  }
+  if (provider === null && args.params?.code !== undefined) {
+    const result = await callVerifyCodeAndSignIn(ctx, {
+      params: args.params,
+      verifier: args.verifier,
+      generateTokens: true,
+      allowExtraProviders: options.allowExtraProviders,
+    });
+    return {
+      kind: "signedIn",
+      signedIn: result,
+    };
+  }
+  if (provider === null) {
+    throw new Error(
+      "Cannot sign in: Missing `provider`, `params.code` or `refreshToken`",
+    );
+  }
+  if (provider.type === "email" || provider.type === "phone") {
+    return handleEmailAndPhoneProvider(ctx, provider, args, options);
+  }
+  if (provider.type === "credentials") {
+    return handleCredentials(ctx, provider, args, options);
+  }
+  if (provider.type === "oauth" || provider.type === "oidc") {
+    return handleOAuthProvider(ctx, provider, args, options);
+  }
+  const _typecheck: never = provider;
+  throw new Error(
+    `Provider type ${(provider as any).type} is not supported yet`,
+  );
+}
+async function handleEmailAndPhoneProvider(
+  ctx: EnrichedActionCtx,
+  provider: EmailConfig | PhoneConfig,
+  args: {
+    params?: Record<string, any>;
+    accountId?: GenericId<"account">;
+  },
+  options: {
+    generateTokens: boolean;
+    allowExtraProviders: boolean;
+  },
+): Promise<
+  | { kind: "started"; started: true }
+  | { kind: "signedIn"; signedIn: SessionInfoWithTokens }
+> {
+  if (args.params?.code !== undefined) {
+    const result = await callVerifyCodeAndSignIn(ctx, {
+      params: args.params,
+      provider: provider.id,
+      generateTokens: options.generateTokens,
+      allowExtraProviders: options.allowExtraProviders,
+    });
+    if (result === null) {
+      throw new Error("Could not verify code");
+    }
+    return {
+      kind: "signedIn",
+      signedIn: result as SessionInfoWithTokens,
+    };
+  }
+  const alphabet =
+    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+  const code = provider.generateVerificationToken
+    ? await provider.generateVerificationToken()
+    : generateRandomString(32, alphabet);
+  const expirationTime =
+    Date.now() +
+    (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1000;
+  const identifier = await callCreateVerificationCode(ctx, {
+    provider: provider.id,
+    accountId: args.accountId,
+    email: args.params?.email,
+    phone: args.params?.phone,
+    code,
+    expirationTime,
+    allowExtraProviders: options.allowExtraProviders,
+  });
+  const destination = await redirectAbsoluteUrl(
+    ctx.auth.config,
+    (args.params ?? {}) as { redirectTo: unknown },
+  );
+  const verificationArgs = {
+    identifier,
+    url: setURLSearchParam(destination, "code", code),
+    token: code,
+    expires: new Date(expirationTime),
+  };
+  if (provider.type === "email") {
+    await provider.sendVerificationRequest(
+      {
+        ...verificationArgs,
+        provider: {
+          ...provider,
+          from:
+            // Simplifies demo configuration of Resend
+            provider.from === "Auth.js <no-reply@authjs.dev>" &&
+            provider.id === "resend"
+              ? "My App <onboarding@resend.dev>"
+              : provider.from,
+        },
+        request: new Request("http://localhost"), // TODO: Document
+        theme: ctx.auth.config.theme,
+      },
+      // @ts-expect-error Figure out typing for email providers so they can
+      // access ctx.
+      ctx,
+    );
+  } else if (provider.type === "phone") {
+    await provider.sendVerificationRequest(
+      { ...verificationArgs, provider },
+      ctx,
+    );
+  }
+  return { kind: "started", started: true };
+}
+async function handleCredentials(
+  ctx: EnrichedActionCtx,
+  provider: ConvexCredentialsConfig,
+  args: {
+    params?: Record<string, any>;
+  },
+  options: {
+    generateTokens: boolean;
+  },
+): Promise<{ kind: "signedIn"; signedIn: SessionInfo | null }> {
+  const result = await provider.authorize(args.params ?? {}, ctx);
+  if (result === null) {
+    return { kind: "signedIn", signedIn: null };
+  }
+  const idsAndTokens = await callSignIn(ctx, {
+    userId: result.userId,
+    sessionId: result.sessionId,
+    generateTokens: options.generateTokens,
+  });
+  return {
+    kind: "signedIn",
+    signedIn: idsAndTokens,
+  };
+}
+async function handleOAuthProvider(
+  ctx: EnrichedActionCtx,
+  provider: OAuth2Config<any> | OIDCConfig<any>,
+  args: {
+    params?: Record<string, any>;
+    verifier?: string;
+  },
+  options: {
+    allowExtraProviders: boolean;
+  },
+): Promise<
+  | { kind: "signedIn"; signedIn: SessionInfoWithTokens | null }
+  | { kind: "redirect"; redirect: string; verifier: string }
+> {
+  // We have this action because:
+  // 1. We remember the current sessionId if any, so we can link accounts
+  // 2. The client doesn't need to know the HTTP Actions URL
+  //    of the backend (this simplifies using local backend)
+  // 3. The client doesn't need to know which provider is of which type,
+  //    and hence which provider requires client-side redirect
+  // 4. On mobile the client can complete the flow manually
+  if (args.params?.code !== undefined) {
+    const result = await callVerifyCodeAndSignIn(ctx, {
+      params: args.params,
+      verifier: args.verifier,
+      generateTokens: true,
+      allowExtraProviders: options.allowExtraProviders,
+    });
+    return {
+      kind: "signedIn",
+      signedIn: result as SessionInfoWithTokens | null,
+    };
+  }
+  const redirect = new URL(
+    (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv("CONVEX_SITE_URL")) + `/api/auth/signin/${provider.id}`,
+  );
+  const verifier = await callVerifier(ctx);
+  redirect.searchParams.set("code", verifier);
+  if (args.params?.redirectTo !== undefined) {
+    if (typeof args.params.redirectTo !== "string") {
+      throw new Error(
+        `Expected \`redirectTo\` to be a string, got ${args.params.redirectTo}`,
+      );
+    }
+    redirect.searchParams.set("redirectTo", args.params.redirectTo);
+  }
+  return { kind: "redirect", redirect: redirect.toString(), verifier };
+}

package/src/server/implementation/tokens.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import { GenericId } from "convex/values";
+import { ConvexAuthConfig } from "../types.js";
+import { SignJWT, importPKCS8 } from "jose";
+import { requireEnv } from "../utils.js";
+import { TOKEN_SUB_CLAIM_DIVIDER } from "./utils.js";
+const DEFAULT_JWT_DURATION_MS = 1000 * 60 * 60; // 1 hour
+export async function generateToken(
+  args: {
+    userId: GenericId<"user">;
+    sessionId: GenericId<"session">;
+  },
+  config: ConvexAuthConfig,
+) {
+  const privateKey = await importPKCS8(requireEnv("JWT_PRIVATE_KEY"), "RS256");
+  const expirationTime = new Date(
+    Date.now() + (config.jwt?.durationMs ?? DEFAULT_JWT_DURATION_MS),
+  );
+  return await new SignJWT({
+    sub: args.userId + TOKEN_SUB_CLAIM_DIVIDER + args.sessionId,
+  })
+    .setProtectedHeader({ alg: "RS256" })
+    .setIssuedAt()
+    .setIssuer(requireEnv("CONVEX_SITE_URL"))
+    .setAudience("convex")
+    .setExpirationTime(expirationTime)
+    .sign(privateKey);
+}

package/src/server/implementation/types.ts ADDED Viewed

@@ -0,0 +1,220 @@
+import {
+  DataModelFromSchemaDefinition,
+  GenericActionCtx,
+  GenericMutationCtx,
+  GenericQueryCtx,
+  TableNamesInDataModel,
+  defineSchema,
+  defineTable,
+} from "convex/server";
+import { GenericId, v } from "convex/values";
+import { GenericDoc } from "../convex_types.js";
+/**
+ * The table definitions required by the library.
+ *
+ * Your schema must include these so that the indexes
+ * are set up:
+ *
+ *
+ * ```ts filename="convex/schema.ts"
+ * import { defineSchema } from "convex/server";
+ * import { authTables } from "@robelest/convex-auth/component";
+ *
+ * const schema = defineSchema({
+ *   ...authTables,
+ * });
+ *
+ * export default schema;
+ * ```
+ *
+ * You can inline the table definitions into your schema
+ * and extend them with additional optional and required
+ * fields. See https://labs.convex.dev/auth/setup/schema
+ * for more details.
+ */
+export const authTables = {
+  /**
+   * Users.
+   */
+  user: defineTable({
+    name: v.optional(v.string()),
+    image: v.optional(v.string()),
+    email: v.optional(v.string()),
+    emailVerificationTime: v.optional(v.number()),
+    phone: v.optional(v.string()),
+    phoneVerificationTime: v.optional(v.number()),
+    isAnonymous: v.optional(v.boolean()),
+  })
+    .index("email", ["email"])
+    .index("phone", ["phone"]),
+  /**
+   * Sessions.
+   * A single user can have multiple active sessions.
+   * See [Session document lifecycle](https://labs.convex.dev/auth/advanced#session-document-lifecycle).
+   */
+  session: defineTable({
+    userId: v.id("user"),
+    expirationTime: v.number(),
+  }).index("userId", ["userId"]),
+  /**
+   * Accounts. An account corresponds to
+   * a single authentication provider.
+   * A single user can have multiple accounts linked.
+   */
+  account: defineTable({
+    userId: v.id("user"),
+    provider: v.string(),
+    providerAccountId: v.string(),
+    secret: v.optional(v.string()),
+    emailVerified: v.optional(v.string()),
+    phoneVerified: v.optional(v.string()),
+  })
+    .index("userIdAndProvider", ["userId", "provider"])
+    .index("providerAndAccountId", ["provider", "providerAccountId"]),
+  /**
+   * Refresh tokens.
+   * Refresh tokens are generally meant to be used once, to be exchanged for another
+   * refresh token and a JWT access token, but with a few exceptions:
+   * - The "active refresh token" is the most recently created refresh token that has
+   *   not been used yet. The parent of the active refresh token can always be used to
+   *   obtain the active refresh token.
+   * - A refresh token can be used within a 10 second window ("reuse window") to
+   *   obtain a new refresh token.
+   * - On any invalid use of a refresh token, the token itself and all its descendants
+   *   are invalidated.
+   */
+  token: defineTable({
+    sessionId: v.id("session"),
+    expirationTime: v.number(),
+    firstUsedTime: v.optional(v.number()),
+    // This is the ID of the refresh token that was exchanged to create this one.
+    parentRefreshTokenId: v.optional(v.id("token")),
+  })
+    // Sort by creationTime
+    .index("sessionId", ["sessionId"])
+    .index("sessionIdAndParentRefreshTokenId", [
+      "sessionId",
+      "parentRefreshTokenId",
+    ]),
+  /**
+   * Verification codes:
+   * - OTP tokens
+   * - magic link tokens
+   * - OAuth codes
+   */
+  verification: defineTable({
+    accountId: v.id("account"),
+    provider: v.string(),
+    code: v.string(),
+    expirationTime: v.number(),
+    verifier: v.optional(v.string()),
+    emailVerified: v.optional(v.string()),
+    phoneVerified: v.optional(v.string()),
+  })
+    .index("accountId", ["accountId"])
+    .index("code", ["code"]),
+  /**
+   * PKCE verifiers for OAuth.
+   */
+  verifier: defineTable({
+    sessionId: v.optional(v.id("session")),
+    signature: v.optional(v.string()),
+  }).index("signature", ["signature"]),
+  /**
+   * Rate limits for OTP and password sign-in.
+   */
+  limit: defineTable({
+    identifier: v.string(),
+    lastAttemptTime: v.number(),
+    attemptsLeft: v.number(),
+  }).index("identifier", ["identifier"]),
+  organization: defineTable({
+    name: v.string(),
+    slug: v.optional(v.string()),
+    ownerUserId: v.optional(v.id("user")),
+    parentOrganizationId: v.optional(v.id("organization")),
+    metadata: v.optional(v.any()),
+  })
+    .index("slug", ["slug"])
+    .index("ownerUserId", ["ownerUserId"])
+    .index("parentOrganizationId", ["parentOrganizationId"]),
+  team: defineTable({
+    organizationId: v.id("organization"),
+    name: v.string(),
+    slug: v.optional(v.string()),
+    parentTeamId: v.optional(v.id("team")),
+    metadata: v.optional(v.any()),
+  })
+    .index("organizationId", ["organizationId"])
+    .index("organizationIdAndSlug", ["organizationId", "slug"])
+    .index("parentTeamId", ["parentTeamId"]),
+  teamRelation: defineTable({
+    organizationId: v.id("organization"),
+    parentTeamId: v.id("team"),
+    childTeamId: v.id("team"),
+    relation: v.optional(v.string()),
+  })
+    .index("organizationId", ["organizationId"])
+    .index("organizationIdAndParentTeamId", ["organizationId", "parentTeamId"])
+    .index("organizationIdAndChildTeamId", ["organizationId", "childTeamId"]),
+  member: defineTable({
+    organizationId: v.id("organization"),
+    userId: v.id("user"),
+    teamId: v.optional(v.id("team")),
+    role: v.optional(v.string()),
+    status: v.optional(v.string()),
+    metadata: v.optional(v.any()),
+  })
+    .index("organizationId", ["organizationId"])
+    .index("organizationIdAndUserId", ["organizationId", "userId"])
+    .index("teamId", ["teamId"])
+    .index("userId", ["userId"]),
+  invite: defineTable({
+    organizationId: v.optional(v.id("organization")),
+    teamId: v.optional(v.id("team")),
+    invitedByUserId: v.id("user"),
+    email: v.string(),
+    tokenHash: v.string(),
+    role: v.optional(v.string()),
+    status: v.union(
+      v.literal("pending"),
+      v.literal("accepted"),
+      v.literal("revoked"),
+      v.literal("expired"),
+    ),
+    expiresTime: v.number(),
+    acceptedByUserId: v.optional(v.id("user")),
+    acceptedTime: v.optional(v.number()),
+    metadata: v.optional(v.any()),
+  })
+    .index("tokenHash", ["tokenHash"])
+    .index("emailAndStatus", ["email", "status"])
+    .index("invitedByUserIdAndStatus", ["invitedByUserId", "status"])
+    .index("organizationId", ["organizationId"])
+    .index("organizationIdAndStatus", ["organizationId", "status"]),
+};
+type DefaultSchema = ReturnType<typeof defineSchema<typeof authTables>>;
+export type AuthDataModel = DataModelFromSchemaDefinition<DefaultSchema>;
+export type ActionCtx = GenericActionCtx<AuthDataModel>;
+export type MutationCtx = GenericMutationCtx<AuthDataModel>;
+export type QueryCtx = GenericQueryCtx<AuthDataModel>;
+export type Doc<T extends TableNamesInDataModel<AuthDataModel>> = GenericDoc<
+  AuthDataModel,
+  T
+>;
+export type Tokens = { token: string; refreshToken: string };
+export type SessionInfo = {
+  userId: GenericId<"user">;
+  sessionId: GenericId<"session">;
+  tokens: Tokens | null;
+};
+export type SessionInfoWithTokens = {
+  userId: GenericId<"user">;
+  sessionId: GenericId<"session">;
+  tokens: Tokens;
+};