npm - @robelest/convex-auth - Versions diffs - 0.0.1 - Mend

@robelest/convex-auth 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (280) hide show

package/README.md +6 -0
package/dist/bin.cjs +27733 -0
package/dist/client/index.d.ts +49 -0
package/dist/client/index.d.ts.map +1 -0
package/dist/client/index.js +283 -0
package/dist/client/index.js.map +1 -0
package/dist/component/_generated/api.d.ts +36 -0
package/dist/component/_generated/api.d.ts.map +1 -0
package/dist/component/_generated/api.js +31 -0
package/dist/component/_generated/api.js.map +1 -0
package/dist/component/_generated/component.d.ts +295 -0
package/dist/component/_generated/component.d.ts.map +1 -0
package/dist/component/_generated/component.js +11 -0
package/dist/component/_generated/component.js.map +1 -0
package/dist/component/_generated/dataModel.d.ts +46 -0
package/dist/component/_generated/dataModel.d.ts.map +1 -0
package/dist/component/_generated/dataModel.js +11 -0
package/dist/component/_generated/dataModel.js.map +1 -0
package/dist/component/_generated/server.d.ts +121 -0
package/dist/component/_generated/server.d.ts.map +1 -0
package/dist/component/_generated/server.js +78 -0
package/dist/component/_generated/server.js.map +1 -0
package/dist/component/convex.config.d.ts +3 -0
package/dist/component/convex.config.d.ts.map +1 -0
package/dist/component/convex.config.js +4 -0
package/dist/component/convex.config.js.map +1 -0
package/dist/component/index.d.ts +15 -0
package/dist/component/index.d.ts.map +1 -0
package/dist/component/index.js +13 -0
package/dist/component/index.js.map +1 -0
package/dist/component/public.d.ts +450 -0
package/dist/component/public.d.ts.map +1 -0
package/dist/component/public.js +528 -0
package/dist/component/public.js.map +1 -0
package/dist/component/schema.d.ts +107 -0
package/dist/component/schema.d.ts.map +1 -0
package/dist/component/schema.js +26 -0
package/dist/component/schema.js.map +1 -0
package/dist/providers/Anonymous.d.ts +50 -0
package/dist/providers/Anonymous.d.ts.map +1 -0
package/dist/providers/Anonymous.js +39 -0
package/dist/providers/Anonymous.js.map +1 -0
package/dist/providers/ConvexCredentials.d.ts +88 -0
package/dist/providers/ConvexCredentials.d.ts.map +1 -0
package/dist/providers/ConvexCredentials.js +37 -0
package/dist/providers/ConvexCredentials.js.map +1 -0
package/dist/providers/Email.d.ts +33 -0
package/dist/providers/Email.d.ts.map +1 -0
package/dist/providers/Email.js +50 -0
package/dist/providers/Email.js.map +1 -0
package/dist/providers/Password.d.ts +95 -0
package/dist/providers/Password.d.ts.map +1 -0
package/dist/providers/Password.js +174 -0
package/dist/providers/Password.js.map +1 -0
package/dist/providers/Phone.d.ts +22 -0
package/dist/providers/Phone.d.ts.map +1 -0
package/dist/providers/Phone.js +37 -0
package/dist/providers/Phone.js.map +1 -0
package/dist/server/convex_types.d.ts +17 -0
package/dist/server/convex_types.d.ts.map +1 -0
package/dist/server/convex_types.js +2 -0
package/dist/server/convex_types.js.map +1 -0
package/dist/server/cookies.d.ts +35 -0
package/dist/server/cookies.d.ts.map +1 -0
package/dist/server/cookies.js +34 -0
package/dist/server/cookies.js.map +1 -0
package/dist/server/implementation/db.d.ts +80 -0
package/dist/server/implementation/db.d.ts.map +1 -0
package/dist/server/implementation/db.js +59 -0
package/dist/server/implementation/db.js.map +1 -0
package/dist/server/implementation/index.d.ts +370 -0
package/dist/server/implementation/index.d.ts.map +1 -0
package/dist/server/implementation/index.js +521 -0
package/dist/server/implementation/index.js.map +1 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.d.ts +33 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.d.ts.map +1 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.js +71 -0
package/dist/server/implementation/mutations/createAccountFromCredentials.js.map +1 -0
package/dist/server/implementation/mutations/createVerificationCode.d.ts +25 -0
package/dist/server/implementation/mutations/createVerificationCode.d.ts.map +1 -0
package/dist/server/implementation/mutations/createVerificationCode.js +84 -0
package/dist/server/implementation/mutations/createVerificationCode.js.map +1 -0
package/dist/server/implementation/mutations/index.d.ts +304 -0
package/dist/server/implementation/mutations/index.d.ts.map +1 -0
package/dist/server/implementation/mutations/index.js +108 -0
package/dist/server/implementation/mutations/index.js.map +1 -0
package/dist/server/implementation/mutations/invalidateSessions.d.ts +13 -0
package/dist/server/implementation/mutations/invalidateSessions.d.ts.map +1 -0
package/dist/server/implementation/mutations/invalidateSessions.js +35 -0
package/dist/server/implementation/mutations/invalidateSessions.js.map +1 -0
package/dist/server/implementation/mutations/modifyAccount.d.ts +23 -0
package/dist/server/implementation/mutations/modifyAccount.d.ts.map +1 -0
package/dist/server/implementation/mutations/modifyAccount.js +48 -0
package/dist/server/implementation/mutations/modifyAccount.js.map +1 -0
package/dist/server/implementation/mutations/refreshSession.d.ts +16 -0
package/dist/server/implementation/mutations/refreshSession.d.ts.map +1 -0
package/dist/server/implementation/mutations/refreshSession.js +116 -0
package/dist/server/implementation/mutations/refreshSession.js.map +1 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.d.ts +27 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.d.ts.map +1 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.js +55 -0
package/dist/server/implementation/mutations/retrieveAccountWithCredentials.js.map +1 -0
package/dist/server/implementation/mutations/signIn.d.ts +17 -0
package/dist/server/implementation/mutations/signIn.d.ts.map +1 -0
package/dist/server/implementation/mutations/signIn.js +26 -0
package/dist/server/implementation/mutations/signIn.js.map +1 -0
package/dist/server/implementation/mutations/signOut.d.ts +11 -0
package/dist/server/implementation/mutations/signOut.d.ts.map +1 -0
package/dist/server/implementation/mutations/signOut.js +24 -0
package/dist/server/implementation/mutations/signOut.js.map +1 -0
package/dist/server/implementation/mutations/userOAuth.d.ts +19 -0
package/dist/server/implementation/mutations/userOAuth.d.ts.map +1 -0
package/dist/server/implementation/mutations/userOAuth.js +84 -0
package/dist/server/implementation/mutations/userOAuth.js.map +1 -0
package/dist/server/implementation/mutations/verifier.d.ts +8 -0
package/dist/server/implementation/mutations/verifier.d.ts.map +1 -0
package/dist/server/implementation/mutations/verifier.js +19 -0
package/dist/server/implementation/mutations/verifier.js.map +1 -0
package/dist/server/implementation/mutations/verifierSignature.d.ts +15 -0
package/dist/server/implementation/mutations/verifierSignature.d.ts.map +1 -0
package/dist/server/implementation/mutations/verifierSignature.js +29 -0
package/dist/server/implementation/mutations/verifierSignature.js.map +1 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.d.ts +21 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.d.ts.map +1 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.js +127 -0
package/dist/server/implementation/mutations/verifyCodeAndSignIn.js.map +1 -0
package/dist/server/implementation/provider.d.ts +6 -0
package/dist/server/implementation/provider.d.ts.map +1 -0
package/dist/server/implementation/provider.js +21 -0
package/dist/server/implementation/provider.js.map +1 -0
package/dist/server/implementation/rateLimit.d.ts +6 -0
package/dist/server/implementation/rateLimit.d.ts.map +1 -0
package/dist/server/implementation/rateLimit.js +76 -0
package/dist/server/implementation/rateLimit.js.map +1 -0
package/dist/server/implementation/redirects.d.ts +6 -0
package/dist/server/implementation/redirects.d.ts.map +1 -0
package/dist/server/implementation/redirects.js +40 -0
package/dist/server/implementation/redirects.js.map +1 -0
package/dist/server/implementation/refreshTokens.d.ts +40 -0
package/dist/server/implementation/refreshTokens.d.ts.map +1 -0
package/dist/server/implementation/refreshTokens.js +160 -0
package/dist/server/implementation/refreshTokens.js.map +1 -0
package/dist/server/implementation/sessions.d.ts +43 -0
package/dist/server/implementation/sessions.d.ts.map +1 -0
package/dist/server/implementation/sessions.js +94 -0
package/dist/server/implementation/sessions.js.map +1 -0
package/dist/server/implementation/signIn.d.ts +31 -0
package/dist/server/implementation/signIn.d.ts.map +1 -0
package/dist/server/implementation/signIn.js +148 -0
package/dist/server/implementation/signIn.js.map +1 -0
package/dist/server/implementation/tokens.d.ts +7 -0
package/dist/server/implementation/tokens.d.ts.map +1 -0
package/dist/server/implementation/tokens.js +18 -0
package/dist/server/implementation/tokens.js.map +1 -0
package/dist/server/implementation/types.d.ts +288 -0
package/dist/server/implementation/types.d.ts.map +1 -0
package/dist/server/implementation/types.js +182 -0
package/dist/server/implementation/types.js.map +1 -0
package/dist/server/implementation/users.d.ts +27 -0
package/dist/server/implementation/users.d.ts.map +1 -0
package/dist/server/implementation/users.js +181 -0
package/dist/server/implementation/users.js.map +1 -0
package/dist/server/implementation/utils.d.ts +17 -0
package/dist/server/implementation/utils.d.ts.map +1 -0
package/dist/server/implementation/utils.js +72 -0
package/dist/server/implementation/utils.js.map +1 -0
package/dist/server/index.d.ts +17 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/index.js +54 -0
package/dist/server/index.js.map +1 -0
package/dist/server/oauth/authorizationUrl.d.ts +13 -0
package/dist/server/oauth/authorizationUrl.d.ts.map +1 -0
package/dist/server/oauth/authorizationUrl.js +91 -0
package/dist/server/oauth/authorizationUrl.js.map +1 -0
package/dist/server/oauth/callback.d.ts +19 -0
package/dist/server/oauth/callback.d.ts.map +1 -0
package/dist/server/oauth/callback.js +173 -0
package/dist/server/oauth/callback.js.map +1 -0
package/dist/server/oauth/checks.d.ts +52 -0
package/dist/server/oauth/checks.d.ts.map +1 -0
package/dist/server/oauth/checks.js +106 -0
package/dist/server/oauth/checks.js.map +1 -0
package/dist/server/oauth/convexAuth.d.ts +12 -0
package/dist/server/oauth/convexAuth.d.ts.map +1 -0
package/dist/server/oauth/convexAuth.js +137 -0
package/dist/server/oauth/convexAuth.js.map +1 -0
package/dist/server/oauth/lib/utils/customFetch.d.ts +9 -0
package/dist/server/oauth/lib/utils/customFetch.d.ts.map +1 -0
package/dist/server/oauth/lib/utils/customFetch.js +11 -0
package/dist/server/oauth/lib/utils/customFetch.js.map +1 -0
package/dist/server/oauth/lib/utils/providers.d.ts +3 -0
package/dist/server/oauth/lib/utils/providers.d.ts.map +1 -0
package/dist/server/oauth/lib/utils/providers.js +7 -0
package/dist/server/oauth/lib/utils/providers.js.map +1 -0
package/dist/server/oauth/providers/oauth.d.ts +43 -0
package/dist/server/oauth/providers/oauth.d.ts.map +1 -0
package/dist/server/oauth/providers/oauth.js +3 -0
package/dist/server/oauth/providers/oauth.js.map +1 -0
package/dist/server/oauth/types.d.ts +24 -0
package/dist/server/oauth/types.d.ts.map +1 -0
package/dist/server/oauth/types.js +5 -0
package/dist/server/oauth/types.js.map +1 -0
package/dist/server/provider_utils.d.ts +76 -0
package/dist/server/provider_utils.d.ts.map +1 -0
package/dist/server/provider_utils.js +177 -0
package/dist/server/provider_utils.js.map +1 -0
package/dist/server/types.d.ts +412 -0
package/dist/server/types.d.ts.map +1 -0
package/dist/server/types.js +2 -0
package/dist/server/types.js.map +1 -0
package/dist/server/utils.d.ts +3 -0
package/dist/server/utils.d.ts.map +1 -0
package/dist/server/utils.js +11 -0
package/dist/server/utils.js.map +1 -0
package/package.json +126 -0
package/providers/Anonymous/package.json +6 -0
package/providers/ConvexCredentials/package.json +6 -0
package/providers/Email/package.json +6 -0
package/providers/Password/package.json +6 -0
package/providers/Phone/package.json +6 -0
package/server/package.json +6 -0
package/src/cli/command.ts +69 -0
package/src/cli/generateKeys.ts +20 -0
package/src/cli/index.ts +840 -0
package/src/client/index.ts +415 -0
package/src/component/_generated/api.ts +52 -0
package/src/component/_generated/component.ts +586 -0
package/src/component/_generated/dataModel.ts +60 -0
package/src/component/_generated/server.ts +156 -0
package/src/component/convex.config.ts +5 -0
package/src/component/index.ts +40 -0
package/src/component/public.ts +607 -0
package/src/component/schema.ts +35 -0
package/src/providers/Anonymous.ts +79 -0
package/src/providers/ConvexCredentials.ts +108 -0
package/src/providers/Email.ts +60 -0
package/src/providers/Password.ts +253 -0
package/src/providers/Phone.ts +46 -0
package/src/server/convex_types.ts +55 -0
package/src/server/cookies.ts +42 -0
package/src/server/implementation/db.ts +125 -0
package/src/server/implementation/index.ts +815 -0
package/src/server/implementation/mutations/createAccountFromCredentials.ts +113 -0
package/src/server/implementation/mutations/createVerificationCode.ts +139 -0
package/src/server/implementation/mutations/index.ts +157 -0
package/src/server/implementation/mutations/invalidateSessions.ts +47 -0
package/src/server/implementation/mutations/modifyAccount.ts +65 -0
package/src/server/implementation/mutations/refreshSession.ts +188 -0
package/src/server/implementation/mutations/retrieveAccountWithCredentials.ts +87 -0
package/src/server/implementation/mutations/signIn.ts +51 -0
package/src/server/implementation/mutations/signOut.ts +38 -0
package/src/server/implementation/mutations/userOAuth.ts +112 -0
package/src/server/implementation/mutations/verifier.ts +29 -0
package/src/server/implementation/mutations/verifierSignature.ts +44 -0
package/src/server/implementation/mutations/verifyCodeAndSignIn.ts +205 -0
package/src/server/implementation/provider.ts +38 -0
package/src/server/implementation/rateLimit.ts +105 -0
package/src/server/implementation/redirects.ts +58 -0
package/src/server/implementation/refreshTokens.ts +221 -0
package/src/server/implementation/sessions.ts +155 -0
package/src/server/implementation/signIn.ts +253 -0
package/src/server/implementation/tokens.ts +29 -0
package/src/server/implementation/types.ts +220 -0
package/src/server/implementation/users.ts +286 -0
package/src/server/implementation/utils.ts +91 -0
package/src/server/index.ts +74 -0
package/src/server/oauth/NOTICE.txt +21 -0
package/src/server/oauth/README.md +7 -0
package/src/server/oauth/authorizationUrl.ts +113 -0
package/src/server/oauth/callback.ts +243 -0
package/src/server/oauth/checks.ts +136 -0
package/src/server/oauth/convexAuth.ts +168 -0
package/src/server/oauth/lib/utils/customFetch.ts +18 -0
package/src/server/oauth/lib/utils/providers.ts +12 -0
package/src/server/oauth/providers/oauth.ts +56 -0
package/src/server/oauth/types.ts +60 -0
package/src/server/provider_utils.ts +222 -0
package/src/server/types.ts +470 -0
package/src/server/utils.ts +12 -0
package/src/test.ts +24 -0

package/src/server/implementation/users.ts ADDED Viewed

@@ -0,0 +1,286 @@
+import { GenericId } from "convex/values";
+import { Doc, MutationCtx } from "./types.js";
+import { AuthProviderMaterializedConfig, ConvexAuthConfig } from "../types.js";
+import { LOG_LEVELS, logWithLevel } from "./utils.js";
+import { createAuthDb } from "./db.js";
+type CreateOrUpdateUserArgs = {
+  type: "oauth" | "credentials" | "email" | "phone" | "verification";
+  provider: AuthProviderMaterializedConfig;
+  profile: Record<string, unknown> & {
+    email?: string;
+    phone?: string;
+    emailVerified?: boolean;
+    phoneVerified?: boolean;
+  };
+  shouldLinkViaEmail?: boolean;
+  shouldLinkViaPhone?: boolean;
+};
+export async function upsertUserAndAccount(
+  ctx: MutationCtx,
+  sessionId: GenericId<"session"> | null,
+  account:
+    | { existingAccount: Doc<"account"> }
+    | {
+        providerAccountId: string;
+        secret?: string;
+      },
+  args: CreateOrUpdateUserArgs,
+  config: ConvexAuthConfig,
+): Promise<{
+  userId: GenericId<"user">;
+  accountId: GenericId<"account">;
+}> {
+  const userId = await defaultCreateOrUpdateUser(
+    ctx,
+    sessionId,
+    "existingAccount" in account ? account.existingAccount : null,
+    args,
+    config,
+  );
+  const accountId = await createOrUpdateAccount(ctx, userId, account, args, config);
+  return { userId, accountId };
+}
+async function defaultCreateOrUpdateUser(
+  ctx: MutationCtx,
+  existingSessionId: GenericId<"session"> | null,
+  existingAccount: Doc<"account"> | null,
+  args: CreateOrUpdateUserArgs,
+  config: ConvexAuthConfig,
+) {
+  logWithLevel(LOG_LEVELS.DEBUG, "defaultCreateOrUpdateUser args:", {
+    existingAccountId: existingAccount?._id,
+    existingSessionId,
+    args,
+  });
+  const existingUserId = existingAccount?.userId ?? null;
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  if (config.callbacks?.createOrUpdateUser !== undefined) {
+    logWithLevel(LOG_LEVELS.DEBUG, "Using custom createOrUpdateUser callback");
+    return await config.callbacks.createOrUpdateUser(ctx, {
+      existingUserId,
+      ...args,
+    });
+  }
+  const {
+    provider,
+    profile: {
+      emailVerified: profileEmailVerified,
+      phoneVerified: profilePhoneVerified,
+      ...profile
+    },
+  } = args;
+  const emailVerified =
+    profileEmailVerified ??
+    ((provider.type === "oauth" || provider.type === "oidc") &&
+      provider.allowDangerousEmailAccountLinking !== false);
+  const phoneVerified = profilePhoneVerified ?? false;
+  const shouldLinkViaEmail =
+    args.shouldLinkViaEmail || emailVerified || provider.type === "email";
+  const shouldLinkViaPhone =
+    args.shouldLinkViaPhone || phoneVerified || provider.type === "phone";
+  let userId = existingUserId;
+  if (existingUserId === null) {
+    const existingUserWithVerifiedEmailId =
+      typeof profile.email === "string" && shouldLinkViaEmail
+        ? (await uniqueUserWithVerifiedEmail(ctx, profile.email, config))?._id ??
+          null
+        : null;
+    const existingUserWithVerifiedPhoneId =
+      typeof profile.phone === "string" && shouldLinkViaPhone
+        ? (await uniqueUserWithVerifiedPhone(ctx, profile.phone, config))?._id ??
+          null
+        : null;
+    // If there is both email and phone verified user
+    // already we can't link.
+    if (
+      existingUserWithVerifiedEmailId !== null &&
+      existingUserWithVerifiedPhoneId !== null
+    ) {
+      logWithLevel(
+        LOG_LEVELS.DEBUG,
+        `Found existing email and phone verified users, so not linking: email: ${existingUserWithVerifiedEmailId}, phone: ${existingUserWithVerifiedPhoneId}`,
+      );
+      userId = null;
+    } else if (existingUserWithVerifiedEmailId !== null) {
+      logWithLevel(
+        LOG_LEVELS.DEBUG,
+        `Found existing email verified user, linking: ${existingUserWithVerifiedEmailId}`,
+      );
+      userId = existingUserWithVerifiedEmailId;
+    } else if (existingUserWithVerifiedPhoneId !== null) {
+      logWithLevel(
+        LOG_LEVELS.DEBUG,
+        `Found existing phone verified user, linking: ${existingUserWithVerifiedPhoneId}`,
+      );
+      userId = existingUserWithVerifiedPhoneId;
+    } else {
+      logWithLevel(
+        LOG_LEVELS.DEBUG,
+        "No existing verified users found, creating new user",
+      );
+      userId = null;
+    }
+  }
+  const userData = {
+    ...(emailVerified ? { emailVerificationTime: Date.now() } : null),
+    ...(phoneVerified ? { phoneVerificationTime: Date.now() } : null),
+    ...profile,
+  };
+  const existingOrLinkedUserId = userId;
+  if (userId !== null) {
+    try {
+      if (authDb !== null) {
+        await authDb.users.patch(userId, userData);
+      } else {
+        await ctx.db.patch(userId, userData);
+      }
+    } catch (error) {
+      throw new Error(
+        `Could not update user document with ID \`${userId}\`, ` +
+          `either the user has been deleted but their account has not, ` +
+          `or the profile data doesn't match the \`users\` table schema: ` +
+          `${(error as Error).message}`,
+      );
+    }
+  } else {
+    userId =
+      authDb !== null
+        ? ((await authDb.users.insert(userData)) as GenericId<"user">)
+        : await ctx.db.insert("user", userData);
+  }
+  const afterUserCreatedOrUpdated = config.callbacks?.afterUserCreatedOrUpdated;
+  if (afterUserCreatedOrUpdated !== undefined) {
+    logWithLevel(
+      LOG_LEVELS.DEBUG,
+      "Calling custom afterUserCreatedOrUpdated callback",
+    );
+    await afterUserCreatedOrUpdated(ctx, {
+      userId,
+      existingUserId: existingOrLinkedUserId,
+      ...args,
+    });
+  } else {
+    logWithLevel(
+      LOG_LEVELS.DEBUG,
+      "No custom afterUserCreatedOrUpdated callback, skipping",
+    );
+  }
+  return userId;
+}
+async function uniqueUserWithVerifiedEmail(
+  ctx: MutationCtx,
+  email: string,
+  config: ConvexAuthConfig,
+) {
+  if (config.component !== undefined) {
+    const authDb = createAuthDb(ctx, config.component);
+    return (await authDb.users.findByVerifiedEmail(email)) as Doc<"user"> | null;
+  }
+  const users = await ctx.db
+    .query("user")
+    .withIndex("email", (q) => q.eq("email", email))
+    .filter((q) => q.neq(q.field("emailVerificationTime"), undefined))
+    .take(2);
+  return users.length === 1 ? users[0] : null;
+}
+async function uniqueUserWithVerifiedPhone(
+  ctx: MutationCtx,
+  phone: string,
+  config: ConvexAuthConfig,
+) {
+  if (config.component !== undefined) {
+    const authDb = createAuthDb(ctx, config.component);
+    return (await authDb.users.findByVerifiedPhone(phone)) as Doc<"user"> | null;
+  }
+  const users = await ctx.db
+    .query("user")
+    .withIndex("phone", (q) => q.eq("phone", phone))
+    .filter((q) => q.neq(q.field("phoneVerificationTime"), undefined))
+    .take(2);
+  return users.length === 1 ? users[0] : null;
+}
+async function createOrUpdateAccount(
+  ctx: MutationCtx,
+  userId: GenericId<"user">,
+  account:
+    | { existingAccount: Doc<"account"> }
+    | {
+        providerAccountId: string;
+        secret?: string;
+      },
+  args: CreateOrUpdateUserArgs,
+  config: ConvexAuthConfig,
+) {
+  const authDb =
+    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const accountId =
+    "existingAccount" in account
+      ? account.existingAccount._id
+      : authDb !== null
+        ? ((await authDb.accounts.create({
+            userId,
+            provider: args.provider.id,
+            providerAccountId: account.providerAccountId,
+            secret: account.secret,
+          })) as GenericId<"account">)
+        : await ctx.db.insert("account", {
+            userId,
+            provider: args.provider.id,
+            providerAccountId: account.providerAccountId,
+            secret: account.secret,
+          });
+  // This is never used with the default `createOrUpdateUser` implementation,
+  // but it is used for manual linking via custom `createOrUpdateUser`:
+  if (
+    "existingAccount" in account &&
+    account.existingAccount.userId !== userId
+  ) {
+    if (authDb !== null) {
+      await authDb.accounts.patch(accountId, { userId });
+    } else {
+      await ctx.db.patch(accountId, { userId });
+    }
+  }
+  if (args.profile.emailVerified) {
+    if (authDb !== null) {
+      await authDb.accounts.patch(accountId, { emailVerified: args.profile.email });
+    } else {
+      await ctx.db.patch(accountId, { emailVerified: args.profile.email });
+    }
+  }
+  if (args.profile.phoneVerified) {
+    if (authDb !== null) {
+      await authDb.accounts.patch(accountId, { phoneVerified: args.profile.phone });
+    } else {
+      await ctx.db.patch(accountId, { phoneVerified: args.profile.phone });
+    }
+  }
+  return accountId;
+}
+export async function getAccountOrThrow(
+  ctx: MutationCtx,
+  existingAccountId: GenericId<"account">,
+  config: ConvexAuthConfig,
+) {
+  const existingAccount =
+    config.component !== undefined
+      ? await createAuthDb(ctx, config.component).accounts.getById(existingAccountId)
+      : await ctx.db.get(existingAccountId);
+  if (existingAccount === null) {
+    throw new Error(
+      `Expected an account to exist for ID "${existingAccountId}"`,
+    );
+  }
+  return existingAccount;
+}

package/src/server/implementation/utils.ts ADDED Viewed

@@ -0,0 +1,91 @@
+import { sha256 as rawSha256 } from "@oslojs/crypto/sha2";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import {
+  RandomReader,
+  generateRandomString as osloGenerateRandomString,
+} from "@oslojs/crypto/random";
+export const TOKEN_SUB_CLAIM_DIVIDER = "|";
+export const REFRESH_TOKEN_DIVIDER = "|";
+export function stringToNumber(value: string | undefined) {
+  return value !== undefined ? Number(value) : undefined;
+}
+export async function sha256(input: string) {
+  return encodeHexLowerCase(rawSha256(new TextEncoder().encode(input)));
+}
+export function generateRandomString(length: number, alphabet: string) {
+  const random: RandomReader = {
+    read(bytes) {
+      crypto.getRandomValues(bytes);
+    },
+  };
+  return osloGenerateRandomString(random, alphabet, length);
+}
+export function logError(error: unknown) {
+  logWithLevel(
+    LOG_LEVELS.ERROR,
+    error instanceof Error
+      ? error.message + "\n" + error.stack?.replace("\\n", "\n")
+      : error,
+  );
+}
+export const LOG_LEVELS = {
+  ERROR: "ERROR",
+  WARN: "WARN",
+  INFO: "INFO",
+  DEBUG: "DEBUG",
+} as const;
+type LogLevel = keyof typeof LOG_LEVELS;
+export function logWithLevel(level: LogLevel, ...args: unknown[]) {
+  const configuredLogLevel =
+    LOG_LEVELS[
+      (process.env.AUTH_LOG_LEVEL as LogLevel | undefined) ?? "INFO"
+    ] ?? "INFO";
+  switch (level) {
+    case "ERROR":
+      console.error(...args);
+      break;
+    case "WARN":
+      if (configuredLogLevel !== "ERROR") {
+        console.warn(...args);
+      }
+      break;
+    case "INFO":
+      if (configuredLogLevel === "INFO" || configuredLogLevel === "DEBUG") {
+        console.info(...args);
+      }
+      break;
+    case "DEBUG":
+      if (configuredLogLevel === "DEBUG") {
+        console.debug(...args);
+      }
+      break;
+  }
+}
+const UNREDACTED_LENGTH = 5;
+export function maybeRedact(value: string) {
+  if (value === "") {
+    return "";
+  }
+  const shouldRedact = process.env.AUTH_LOG_SECRETS !== "true";
+  if (shouldRedact) {
+    if (value.length < UNREDACTED_LENGTH * 2) {
+      return "<redacted>";
+    }
+    return (
+      value.substring(0, UNREDACTED_LENGTH) +
+      "<redacted>" +
+      value.substring(value.length - UNREDACTED_LENGTH)
+    );
+  } else {
+    return value;
+  }
+}

package/src/server/index.ts ADDED Viewed

@@ -0,0 +1,74 @@
+import { parse, serialize } from "cookie";
+import { isLocalHost } from "./utils.js";
+export type AuthCookieConfig = {
+  maxAge: number | null;
+};
+export type AuthCookies = {
+  token: string | null;
+  refreshToken: string | null;
+  verifier: string | null;
+};
+export function authCookieNames(host?: string) {
+  const prefix = isLocalHost(host) ? "" : "__Host-";
+  return {
+    token: `${prefix}__convexAuthJWT`,
+    refreshToken: `${prefix}__convexAuthRefreshToken`,
+    verifier: `${prefix}__convexAuthOAuthVerifier`,
+  };
+}
+export function parseAuthCookies(
+  cookieHeader: string | null | undefined,
+  host?: string,
+): AuthCookies {
+  const names = authCookieNames(host);
+  const parsed = parse(cookieHeader ?? "");
+  return {
+    token: parsed[names.token] ?? null,
+    refreshToken: parsed[names.refreshToken] ?? null,
+    verifier: parsed[names.verifier] ?? null,
+  };
+}
+export function serializeAuthCookies(
+  cookies: AuthCookies,
+  host?: string,
+  config: AuthCookieConfig = { maxAge: null },
+) {
+  const names = authCookieNames(host);
+  const secure = !isLocalHost(host);
+  const base = {
+    path: "/",
+    httpOnly: true,
+    sameSite: "lax" as const,
+    secure,
+  };
+  const maxAge = config.maxAge ?? undefined;
+  return [
+    serialize(names.token, cookies.token ?? "", {
+      ...base,
+      maxAge: cookies.token === null ? 0 : maxAge,
+      expires: cookies.token === null ? new Date(0) : undefined,
+    }),
+    serialize(names.refreshToken, cookies.refreshToken ?? "", {
+      ...base,
+      maxAge: cookies.refreshToken === null ? 0 : maxAge,
+      expires: cookies.refreshToken === null ? new Date(0) : undefined,
+    }),
+    serialize(names.verifier, cookies.verifier ?? "", {
+      ...base,
+      maxAge: cookies.verifier === null ? 0 : maxAge,
+      expires: cookies.verifier === null ? new Date(0) : undefined,
+    }),
+  ];
+}
+export function shouldProxyAuthAction(pathname: string, apiRoute: string) {
+  if (apiRoute.endsWith("/")) {
+    return pathname === apiRoute || pathname === apiRoute.slice(0, -1);
+  }
+  return pathname === apiRoute || pathname === `${apiRoute}/`;
+}

package/src/server/oauth/NOTICE.txt ADDED Viewed

@@ -0,0 +1,21 @@
+Some code in this directory is derived from the Auth.js project
+(https://github.com/nextauthjs/next-auth), and is used according to the terms
+of that project's license.
+---------
+ISC License
+Copyright (c) 2022-2024, Balázs Orbán
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

package/src/server/oauth/README.md ADDED Viewed

@@ -0,0 +1,7 @@
+The code in this directory is meant to handle OAuth2 and OIDC flows.
+The code is adapted from the @auth/core package, but since some of their types
+and functions used are internal, they're copied over but with similar structure.
+Everything that deviates from the original code is marked with a "ConvexAuth:"
+comment.

package/src/server/oauth/authorizationUrl.ts ADDED Viewed

@@ -0,0 +1,113 @@
+// This file corresponds to packages/core/src/lib/actions/signin/authorization-url.ts in the @auth/core package (commit 5af1f30a32e64591abc50ae4d2dba4682e525431).
+import * as checks from "./checks.js";
+import { InternalOptions } from "./types.js";
+import {
+  callbackUrl,
+  getAuthorizationSignature,
+} from "./convexAuth.js";
+import { Cookie } from "@auth/core/lib/utils/cookie.js";
+import { logWithLevel } from "../implementation/utils.js";
+/**
+ * Generates an authorization/request token URL.
+ *
+ * [OAuth 2](https://www.oauth.com/oauth2-servers/authorization/the-authorization-request/)
+ */
+export async function getAuthorizationUrl(
+  // ConvexAuth: we don't accept a query argument
+  options: InternalOptions<"oauth" | "oidc">,
+) {
+  const { provider } = options;
+  let url = provider.authorization?.url;
+  // ConvexAuth: ConvexAuth does slightly different logic to determine the authorization endpoint
+  const { as, authorization: authorizationEndpoint, configSource } = provider;
+  if (!authorizationEndpoint) {
+    throw new TypeError("Could not determine the authorization endpoint.");
+  }
+  if (!url) {
+    url = new URL(authorizationEndpoint.url);
+  }
+  const authParams = url.searchParams;
+  // ConvexAuth: The logic for the callback URL is different from Auth.js
+  const redirect_uri = callbackUrl(provider.id);
+  // TODO(ConvexAuth): Support redirect proxy URLs.
+  // If we do so, update state.create to take the data value as an origin parameter (see the Auth.js code for ref).
+  // let data: string | undefined;
+  // if (!options.isOnRedirectProxy && provider.redirectProxyUrl) {
+  //   redirect_uri = provider.redirectProxyUrl;
+  //   data = provider.callbackUrl;
+  //   logger.debug("using redirect proxy", { redirect_uri, data });
+  // }
+  const params = Object.assign(
+    {
+      response_type: "code",
+      // clientId can technically be undefined, should we check this in assert.ts or rely on the Authorization Server to do it?
+      client_id: provider.clientId,
+      redirect_uri,
+      // @ts-expect-error TODO:
+      ...provider.authorization?.params,
+    },
+    Object.fromEntries(url.searchParams.entries() ?? []),
+    // ConvexAuth: no query arguments are combined in the params
+  );
+  for (const k in params) authParams.set(k, params[k]);
+  const cookies: Cookie[] = [];
+  // ConvexAuth: no value passed for `origin` (Auth.js uses `data` from above)
+  const state = await checks.state.create(options);
+  if (state) {
+    authParams.set("state", state.value);
+    cookies.push(state.cookie);
+  }
+  // ConvexAuth: We need to save the value of the codeVerifier.
+  let codeVerifier: string | undefined;
+  if (provider.checks?.includes("pkce")) {
+    // ConvexAuth: we check where the config came from to help decide which branch to take here
+    if (configSource === "discovered" && !as.code_challenge_methods_supported?.includes("S256")) {
+      // We assume S256 PKCE support, if the server does not advertise that,
+      // a random `nonce` must be used for CSRF protection.
+      if (provider.type === "oidc") provider.checks = ["nonce"];
+    } else {
+      const pkce = await checks.pkce.create(options);
+      authParams.set("code_challenge", pkce.codeChallenge);
+      authParams.set("code_challenge_method", "S256");
+      cookies.push(pkce.cookie);
+      codeVerifier = pkce.codeVerifier;
+    }
+  }
+  const nonce = await checks.nonce.create(options);
+  if (nonce) {
+    authParams.set("nonce", nonce.value);
+    cookies.push(nonce.cookie);
+  }
+  // TODO: This does not work in normalizeOAuth because authorization endpoint can come from discovery
+  // Need to make normalizeOAuth async
+  if (provider.type === "oidc" && !url.searchParams.has("scope")) {
+    url.searchParams.set("scope", "openid profile email");
+  }
+  logWithLevel("DEBUG", "authorization url is ready", {
+    url,
+    cookies,
+    provider,
+  });
+  const convexAuthSignature = getAuthorizationSignature({
+    codeVerifier,
+    state: authParams.get("state") ?? undefined,
+    nonce: authParams.get("nonce") ?? undefined,
+  });
+  return { redirect: url.toString(), cookies, signature: convexAuthSignature };
+}