@robelest/convex-auth 0.0.1

package/src/server/oauth/callback.ts

@@ -0,0 +1,243 @@
+// This maps to packages/core/src/lib/actions/callback/oauth/callback.ts in the @auth/core package (commit 5af1f30a32e64591abc50ae4d2dba4682e525431)
+
+import * as checks from "./checks.js";
+import * as o from "oauth4webapi";
+import { InternalOptions } from "./types.js";
+import { fetchOpt } from "./lib/utils/customFetch.js";
+import { Cookie } from "@auth/core/lib/utils/cookie.js";
+import { logWithLevel } from "../implementation/utils.js";
+import { Account, Profile, TokenSet } from "@auth/core/types.js";
+import { isOIDCProvider } from "./lib/utils/providers.js";
+import {
+  callbackUrl,
+  getAuthorizationSignature,
+} from "./convexAuth.js";
+
+function formUrlEncode(token: string) {
+  return encodeURIComponent(token).replace(/%20/g, "+");
+}
+
+/**
+ * Formats client_id and client_secret as an HTTP Basic Authentication header as per the OAuth 2.0
+ * specified in RFC6749.
+ */
+function clientSecretBasic(clientId: string, clientSecret: string) {
+  const username = formUrlEncode(clientId);
+  const password = formUrlEncode(clientSecret);
+  const credentials = btoa(`${username}:${password}`);
+  return `Basic ${credentials}`;
+}
+
+/**
+ * Handles the following OAuth steps.
+ * https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
+ * https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3
+ * https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest
+ *
+ * @note Although requesting userinfo is not required by the OAuth2.0 spec,
+ * we fetch it anyway. This is because we always want a user profile.
+ */
+export async function handleOAuth(
+  // ConvexAuth: `params` is a Record<string, string> instead of RequestInternal["query"]
+  params: Record<string, string>,
+  // ConvexAuth: `cookies` is a Record<string, string | undefined> instead of RequestInternal["cookies"]
+  cookies: Record<string, string | undefined>,
+  options: InternalOptions<"oauth" | "oidc">,
+): Promise<{
+  profile: Profile,
+  tokens: TokenSet & Pick<Account, "expires_at">,
+  cookies: Cookie[],
+  signature: string,
+}> {
+  const { provider } = options;
+
+  // ConvexAuth: The `token` property is not used here
+  const { userinfo, as } = provider;
+
+  const client: o.Client = {
+    client_id: provider.clientId,
+    ...provider.client,
+  };
+
+  let clientAuth: o.ClientAuth;
+
+  switch (client.token_endpoint_auth_method) {
+    // TODO: in the next breaking major version have undefined be `client_secret_post`
+    case undefined:
+    case "client_secret_basic":
+      // TODO: in the next breaking major version use o.ClientSecretBasic() here
+      clientAuth = (_as, _client, _body, headers) => {
+        headers.set(
+          "authorization",
+          clientSecretBasic(provider.clientId, provider.clientSecret!),
+        );
+      };
+      break;
+    case "client_secret_post":
+      clientAuth = o.ClientSecretPost(provider.clientSecret!);
+      break;
+    case "client_secret_jwt":
+      clientAuth = o.ClientSecretJwt(provider.clientSecret!);
+      break;
+    case "private_key_jwt":
+      clientAuth = o.PrivateKeyJwt(provider.token!.clientPrivateKey!, {
+        // TODO: review in the next breaking change
+        [o.modifyAssertion](_header, payload) {
+          payload.aud = [as.issuer, as.token_endpoint!];
+        },
+      });
+      break;
+    default:
+      throw new Error("unsupported client authentication method");
+  }
+
+  const resCookies: Cookie[] = [];
+
+  const state = await checks.state.use(cookies, resCookies, options);
+
+  let codeGrantParams: URLSearchParams;
+  try {
+    codeGrantParams = o.validateAuthResponse(
+      as,
+      client,
+      new URLSearchParams(params),
+      provider.checks.includes("state") ? state : o.skipStateCheck,
+    );
+  } catch (err) {
+    if (err instanceof o.AuthorizationResponseError) {
+      const cause = {
+        providerId: provider.id,
+        ...Object.fromEntries(err.cause.entries()),
+      };
+      logWithLevel("DEBUG", "OAuthCallbackError", cause);
+      throw new Error("OAuth Provider returned an error", { cause });
+    }
+    throw err;
+  }
+
+  const codeVerifier = await checks.pkce.use(cookies, resCookies, options);
+
+  // ConvexAuth: The logic for the callback URL is different from Auth.js
+  const redirect_uri = callbackUrl(provider.id);
+  // TODO(ConvexAuth): Support redirect proxy URLs
+  // if (!options.isOnRedirectProxy && provider.redirectProxyUrl) {
+  //   redirect_uri = provider.redirectProxyUrl;
+  // }
+
+  let codeGrantResponse = await o.authorizationCodeGrantRequest(
+    as,
+    client,
+    clientAuth,
+    codeGrantParams,
+    redirect_uri,
+    codeVerifier ?? "decoy",
+    {
+      // TODO: move away from allowing insecure HTTP requests
+      [o.allowInsecureRequests]: true,
+      [o.customFetch]: (...args) => {
+        if (!provider.checks.includes("pkce")) {
+          args[1].body.delete("code_verifier");
+        }
+        return fetchOpt(provider)[o.customFetch](...args);
+      },
+    },
+  );
+
+  if (provider.token?.conform) {
+    codeGrantResponse =
+      (await provider.token.conform(codeGrantResponse.clone())) ??
+      codeGrantResponse;
+  }
+
+  let profile: Profile = {};
+
+  // ConvexAuth: We use the value of the nonce later, aside from feeding it into the
+  // `processAuthorizationCodeResponse` function.
+  const nonce = await checks.nonce.use(cookies, resCookies, options);
+
+  const isOidc = isOIDCProvider(provider);
+  const processedCodeResponse = await o.processAuthorizationCodeResponse(
+    as,
+    client,
+    codeGrantResponse,
+    {
+      expectedNonce: nonce,
+      requireIdToken: isOidc,
+    },
+  );
+
+  const tokens: TokenSet & Pick<Account, "expires_at"> = processedCodeResponse;
+
+  if (isOidc) {
+    // ConvexAuth: the next few lines are changed slightly to make TypeScript happy
+    const idTokenClaimsOrUndefined = o.getValidatedIdTokenClaims(
+      processedCodeResponse,
+    );
+    if (idTokenClaimsOrUndefined === undefined) {
+      throw new Error("ID Token claims are missing");
+    }
+    const idTokenClaims = idTokenClaimsOrUndefined;
+    profile = idTokenClaims;
+
+    // Apple sends some of the user information in a `user` parameter as a stringified JSON.
+    // It also only does so the first time the user consents to share their information.
+    if (provider.id === "apple") {
+      try {
+        profile.user = JSON.parse(params?.user)
+        // ConvexAuth: disabled lint for empty block
+        // eslint-disable-next-line no-empty
+      } catch {}
+    } 
+    
+    if (provider.idToken === false) {
+      const userinfoResponse = await o.userInfoRequest(
+        as,
+        client,
+        processedCodeResponse.access_token,
+        {
+          ...fetchOpt(provider),
+          // TODO: move away from allowing insecure HTTP requests
+          [o.allowInsecureRequests]: true,
+        },
+      );
+
+      profile = await o.processUserInfoResponse(
+        as,
+        client,
+        idTokenClaims.sub,
+        userinfoResponse,
+      );
+    }
+  } else {
+    if (userinfo?.request) {
+      const _profile = await userinfo.request({ tokens, provider });
+      if (_profile instanceof Object) profile = _profile;
+    } else if (userinfo?.url) {
+      const userinfoResponse = await o.userInfoRequest(
+        as,
+        client,
+        processedCodeResponse.access_token,
+        fetchOpt(provider),
+      );
+      profile = await userinfoResponse.json();
+    } else {
+      throw new TypeError("No userinfo endpoint configured");
+    }
+  }
+
+  if (tokens.expires_in) {
+    tokens.expires_at =
+      Math.floor(Date.now() / 1000) + Number(tokens.expires_in);
+  }
+
+  // ConvexAuth: The Auth.js code would handle user + account creation here, but for
+  // ConvexAuth we want to handle that in a Convex function. Instead, we return the
+  // information needed for the mutation.
+
+  return {
+    profile,
+    tokens,
+    cookies: resCookies,
+    signature: getAuthorizationSignature({ codeVerifier, state, nonce }),
+  };
+}

package/src/server/oauth/checks.ts

@@ -0,0 +1,136 @@
+// This maps to packages/core/src/lib/actions/callback/oauth/checks.ts in the @auth/core package (commit 5af1f30a32e64591abc50ae4d2dba4682e525431)
+
+import * as o from "oauth4webapi";
+
+import type { InternalOptions } from "./types.js";
+import { Cookie } from "@auth/core/lib/utils/cookie.js";
+import { CookiesOptions } from "@auth/core/types.js";
+import { logWithLevel } from "../implementation/utils.js";
+
+const COOKIE_TTL = 60 * 15; // 15 minutes
+
+/** Returns a cookie with the given payload and options. */
+// ConvexAuth: Auth.js calls this `sealCookie` and encrypts the payload wrapped in a JWT.
+async function createCookie(
+  name: keyof CookiesOptions,
+  payload: string,
+  options: InternalOptions<"oauth" | "oidc">,
+): Promise<Cookie> {
+  const { cookies } = options;
+  const cookie = cookies[name];
+  const expires = new Date();
+  expires.setTime(expires.getTime() + COOKIE_TTL * 1000);
+
+  logWithLevel("DEBUG", `CREATE_${name.toUpperCase()}`, {
+    name: cookie.name,
+    payload,
+    COOKIE_TTL,
+    expires,
+  });
+
+  const cookieOptions = { ...cookie.options, expires };
+
+  return { name: cookie.name, value: payload, options: cookieOptions };
+}
+
+function clearCookie(
+  name: keyof CookiesOptions,
+  options: InternalOptions<"oauth" | "oidc">,
+  resCookies: Cookie[],
+) {
+  const { cookies } = options;
+  const cookie = cookies[name];
+  logWithLevel("DEBUG", `CLEAR_${name.toUpperCase()}`, { cookie });
+  resCookies.push({
+    name: cookie.name,
+    value: "",
+    options: { ...cookies[name].options, maxAge: 0 },
+  });
+}
+
+function useCookie(
+  check: "state" | "pkce" | "nonce",
+  name: keyof CookiesOptions,
+) {
+  return async function (
+    // ConvexAuth: `cookies` is a Record<string, string | undefined> instead of RequestInternal["cookies"]
+    cookies: Record<string, string | undefined>,
+    resCookies: Cookie[],
+    options: InternalOptions<"oidc">,
+  ) {
+    const { provider } = options;
+    if (!provider?.checks?.includes(check)) return;
+    const cookieValue = cookies?.[options.cookies[name].name];
+    logWithLevel("DEBUG", `USE_${name.toUpperCase()}`, { value: cookieValue });
+    clearCookie(name, options, resCookies);
+    return cookieValue;
+  };
+}
+
+/**
+ * @see https://www.rfc-editor.org/rfc/rfc7636
+ * @see https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/#pkce
+ */
+export const pkce = {
+  /** Creates a PKCE code challenge and verifier pair. The verifier is stored in the cookie. */
+  async create(options: InternalOptions<"oauth">) {
+    const codeVerifier = o.generateRandomCodeVerifier();
+    const codeChallenge = await o.calculatePKCECodeChallenge(codeVerifier);
+    const cookie = await createCookie("pkceCodeVerifier", codeVerifier, options);
+    return { cookie, codeChallenge: codeChallenge, codeVerifier };
+  },
+  /**
+   * Returns code_verifier if the provider is configured to use PKCE,
+   * and clears the container cookie afterwards.
+   * An error is thrown if the code_verifier is missing or invalid.
+   */
+  use: useCookie("pkce", "pkceCodeVerifier"),
+};
+
+/**
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-10.12
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
+ */
+export const state = {
+  /** Creates a state cookie with an optionally encoded body. */
+  async create(options: InternalOptions<"oauth">, origin?: string) {
+    const { provider } = options;
+    if (!provider.checks.includes("state")) {
+      if (origin) {
+        throw new Error(
+          "State data was provided but the provider is not configured to use state",
+        );
+      }
+      return;
+    }
+
+    const payload = o.generateRandomState();
+    const cookie = await createCookie("state", payload, options);
+    return { cookie, value: payload };
+  },
+  /**
+   * Returns state if the provider is configured to use state,
+   * and clears the container cookie afterwards.
+   * An error is thrown if the state is missing or invalid.
+   */
+  use: useCookie("state", "state"),
+};
+
+export const nonce = {
+  async create(options: InternalOptions<"oidc">) {
+    if (!options.provider.checks.includes("nonce")) return;
+    const value = o.generateRandomNonce();
+    const cookie = await createCookie("nonce", value, options);
+    return { cookie, value };
+  },
+  /**
+   * Returns nonce if the provider is configured to use nonce,
+   * and clears the container cookie afterwards.
+   * An error is thrown if the nonce is missing or invalid.
+   * @see https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes
+   * @see https://danielfett.de/2020/05/16/pkce-vs-nonce-equivalent-or-not/#nonce
+   */
+  use: useCookie("nonce", "nonce"),
+};
+
+// ConvexAuth: All WebAuthn checks are omitted.

package/src/server/oauth/convexAuth.ts

@@ -0,0 +1,168 @@
+import { CookieOption, CookiesOptions } from "@auth/core/types.js";
+import { requireEnv } from "../utils.js";
+import { InternalProvider } from "./types.js";
+import { SHARED_COOKIE_OPTIONS } from "../cookies.js";
+import { fetchOpt } from "./lib/utils/customFetch.js";
+import * as o from "oauth4webapi";
+import { normalizeEndpoint } from "../provider_utils.js";
+import { isLocalHost } from "../utils.js";
+import { OAuthConfig } from "@auth/core/providers/oauth.js";
+
+// ConvexAuth: The logic for the callback URL is different from Auth.js
+export function callbackUrl(providerId: string) {
+  return (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv("CONVEX_SITE_URL")) + "/api/auth/callback/" + providerId;
+}
+
+// ConvexAuth: This is a ConvexAuth specific function that produces a string that the
+// Convex functions will validate
+export function getAuthorizationSignature({
+  codeVerifier,
+  state,
+  nonce,
+}: {
+  codeVerifier?: string;
+  state?: string;
+  nonce?: string;
+}) {
+  return [codeVerifier, state, nonce]
+    .filter((param) => param !== undefined)
+    .join(" ");
+}
+
+function oauthStateCookieName(
+  type: "state" | "pkce" | "nonce",
+  providerId: string,
+) {
+  return (!isLocalHost(process.env.CONVEX_SITE_URL) ? "__Host-" : "") + providerId + "OAuth" + type;
+}
+
+export const defaultCookiesOptions: (
+  providerId: string,
+) => Record<keyof CookiesOptions, CookieOption> = (providerId) => {
+  return {
+    pkceCodeVerifier: {
+      name: oauthStateCookieName("pkce", providerId),
+      options: {
+        ...SHARED_COOKIE_OPTIONS,
+      },
+    },
+    state: {
+      name: oauthStateCookieName("state", providerId),
+      options: {
+        ...SHARED_COOKIE_OPTIONS,
+      },
+    },
+    nonce: {
+      name: oauthStateCookieName("nonce", providerId),
+      options: {
+        ...SHARED_COOKIE_OPTIONS,
+      },
+    },
+    // ConvexAuth: We don't support webauthn, so this value doesn't actually matter
+    webauthnChallenge: {
+      name: "ConvexAuth_shouldNotBeUsed_webauthnChallenge",
+      options: {
+        ...SHARED_COOKIE_OPTIONS,
+      },
+    },
+    // ConvexAuth: We don't use these cookies, so their values should never be used
+    sessionToken: {
+      name: "ConvexAuth_shouldNotBeUsed_sessionToken",
+      options: {
+        ...SHARED_COOKIE_OPTIONS,
+      },
+    },
+    callbackUrl: {
+      name: "ConvexAuth_shouldNotBeUsed_callbackUrl",
+      options: {
+        ...SHARED_COOKIE_OPTIONS,
+      },
+    },
+    csrfToken: {
+      name: "ConvexAuth_shouldNotBeUsed_csrfToken",
+      options: {
+        ...SHARED_COOKIE_OPTIONS,
+      },
+    },
+  };
+};
+
+export async function oAuthConfigToInternalProvider(config: OAuthConfig<any>): Promise<InternalProvider<"oauth" | "oidc">> {
+  // Only do service discovery if the provider does not have the required configuration
+  if (!config.authorization || !config.token || !config.userinfo) {
+    // Taken from https://github.com/nextauthjs/next-auth/blob/a7491dcb9355ff2d01fb8e9236636605e2090145/packages/core/src/lib/actions/callback/oauth/callback.ts#L63
+    if (!config.issuer) {
+      throw new Error(
+        `Provider \`${config.id}\` is missing an \`issuer\` URL configuration. Consult the provider docs.`,
+      );
+    }
+
+    const issuer = new URL(config.issuer);
+    // TODO: move away from allowing insecure HTTP requests
+    const discoveryResponse = await o.discoveryRequest(issuer, {
+      ...fetchOpt(config),
+      [o.allowInsecureRequests]: true,
+    });
+    const discoveredAs = await o.processDiscoveryResponse(
+      issuer,
+      discoveryResponse,
+    );
+
+    if (!discoveredAs.token_endpoint)
+      throw new TypeError(
+        "TODO: Authorization server did not provide a token endpoint.",
+      );
+
+    const as: o.AuthorizationServer = discoveredAs;
+    return {
+      ...config,
+      checks: config.checks!,
+      profile: config.profile!,
+      account: config.account!,
+      clientId: config.clientId!,
+      idToken: config.type === "oidc" ? config.idToken : undefined,
+      // ConvexAuth: Apparently it's important for us to normalize the endpoint after
+      // service discovery (https://github.com/get-convex/convex-auth/commit/35bf716bfb0d29dbce1cbca318973b0732f75015)
+      authorization: normalizeEndpoint({
+        ...config.authorization,
+        url: as.authorization_endpoint,
+      }),
+      token: normalizeEndpoint({
+        ...config.token,
+        url: as.token_endpoint,
+      }),
+      userinfo: as.userinfo_endpoint
+        ? normalizeEndpoint({
+            ...config.userinfo,
+            url: as.userinfo_endpoint,
+          })
+        : config.userinfo,
+      as,
+      configSource: "discovered"
+    };
+  }
+
+  const authorization = normalizeEndpoint(config.authorization);
+  const token = normalizeEndpoint(config.token);
+  const userinfo = config.userinfo
+    ? normalizeEndpoint(config.userinfo)
+    : undefined;
+  return {
+    ...config,
+    checks: config.checks!,
+    profile: config.profile!,
+    account: config.account!,
+    clientId: config.clientId!,
+    idToken: config.type === "oidc" ? config.idToken : undefined,
+    authorization,
+    token,
+    userinfo,
+    as: {
+      issuer: config.issuer ?? "theremustbeastringhere.dev",
+      authorization_endpoint: authorization?.url.toString(),
+      token_endpoint: token?.url.toString(),
+      userinfo_endpoint: userinfo?.url.toString(),
+    },
+    configSource: "provided",
+  };
+}

package/src/server/oauth/lib/utils/customFetch.ts

@@ -0,0 +1,18 @@
+// This file is adapted from packages/core/src/lib/utils/custom-fetch.ts in the @auth/core package (commit 5af1f30a32e64591abc50ae4d2dba4682e525431).
+
+import * as o from "oauth4webapi";
+import type { InternalProvider } from "../../types";
+import { customFetch } from "@auth/core";
+import { OAuthConfig } from "@auth/core/providers/index.js";
+// ConvexAuth:re-export the symbol from @auth/core
+export { customFetch } from "@auth/core";
+
+type FetchOptResult = {
+  [o.customFetch]: typeof fetch;
+};
+
+// ConvexAuth: Expose this internal function so we can use it.
+// ConvexAuth: Make a version that works on InternalProvider and OAuthConfig
+export function fetchOpt(providerOrConfig: InternalProvider<"oauth" | "oidc"> | OAuthConfig<any>): FetchOptResult {
+  return { [o.customFetch]: providerOrConfig[customFetch] ?? fetch };
+}

package/src/server/oauth/lib/utils/providers.ts

@@ -0,0 +1,12 @@
+// This file maps to packages/core/src/lib/utils/providers.ts in the @auth/core package (commit 5af1f30a32e64591abc50ae4d2dba4682e525431).
+
+import { InternalProvider } from "../../types.js";
+
+export function isOIDCProvider(
+  provider: InternalProvider<"oidc" | "oauth">,
+): provider is InternalProvider<"oidc"> {
+  return provider.type === "oidc";
+}
+
+// ConvexAuth: There are several more functions in the original file which we don't need,
+// and are omitted here.

package/src/server/oauth/providers/oauth.ts

@@ -0,0 +1,56 @@
+// This maps to packages/core/src/providers/oauth.ts in the @auth/core package (commit 5af1f30a32e64591abc50ae4d2dba4682e525431)
+
+// ConvexAuth: only a few types were brought in.
+
+import {
+  OAuth2Config,
+  OAuthConfig,
+  OAuthEndpointType,
+  OIDCConfig,
+  TokenEndpointHandler,
+  UserinfoEndpointHandler,
+} from "@auth/core/providers/index.js";
+import { PrivateKey } from "oauth4webapi";
+
+/**
+ * We parsed `authorization`, `token` and `userinfo`
+ * to always contain a valid `URL`, with the params
+ * @internal
+ */
+export type OAuthConfigInternal<Profile> = Omit<
+  OAuthConfig<Profile>,
+  OAuthEndpointType | "redirectProxyUrl"
+> & {
+  authorization?: { url: URL };
+  token?: {
+    url: URL;
+    request?: TokenEndpointHandler["request"];
+    clientPrivateKey?: CryptoKey | PrivateKey;
+    /**
+     * @internal
+     * @deprecated
+     */
+    conform?: TokenEndpointHandler["conform"];
+  };
+  userinfo?: { url: URL; request?: UserinfoEndpointHandler["request"] };
+  /**
+   * Reconstructed from {@link OAuth2Config.redirectProxyUrl},
+   * adding the callback action and provider id onto the URL.
+   *
+   * If defined, it is favoured over {@link OAuthConfigInternal.callbackUrl} in the authorization request.
+   *
+   * When {@link InternalOptions.isOnRedirectProxy} is set, the actual value is saved in the decoded `state.origin` parameter.
+   *
+   * @example `"https://auth.example.com/api/auth/callback/:provider"`
+   *
+   */
+  redirectProxyUrl?: OAuth2Config<Profile>["redirectProxyUrl"];
+} & Pick<
+    Required<OAuthConfig<Profile>>,
+    "clientId" | "checks" | "profile" | "account"
+  >;
+
+export type OIDCConfigInternal<Profile> = OAuthConfigInternal<Profile> & {
+  checks: OIDCConfig<Profile>["checks"];
+  idToken: OIDCConfig<Profile>["idToken"];
+};

package/src/server/oauth/types.ts

@@ -0,0 +1,60 @@
+// This maps to packages/core/src/types.ts in the @auth/core package (commit 5af1f30a32e64591abc50ae4d2dba4682e525431).
+
+import * as AuthCoreJwt from "@auth/core/jwt";
+import { CookieOption, CookiesOptions } from "@auth/core/types.js";
+import { OAuthConfigInternal, OIDCConfigInternal } from "./providers/oauth.js";
+import { ProviderType } from "@auth/core/providers/index.js";
+import * as o from "oauth4webapi";
+
+export type ConvexAuthProviderType = "oauth" | "oidc";
+
+export type ConfigSource = "discovered" | "provided";
+
+// ConvexAuth: Auth.js has a more complex type for this, ours is stripped down.
+export type InternalProvider<T = ProviderType> = (T extends "oauth"
+  ? OAuthConfigInternal<any>
+  : T extends "oidc"
+    ? OIDCConfigInternal<any>
+    : never)  & {as: o.AuthorizationServer, configSource: ConfigSource}
+
+
+// ConvexAuth: `secret` is internal to @auth/core, so we copy its type here
+export type JWTOptions = AuthCoreJwt.JWTOptions & { secret: string | string[] };
+
+/** @internal */
+export interface InternalOptions<TProviderType extends ConvexAuthProviderType> {
+  // providers: InternalProvider<TProviderType>[];
+  // url: URL;
+  // ConvexAuth: omit this option for now
+  // action: AuthAction;
+  provider: InternalProvider<TProviderType>;
+  // csrfToken?: string;
+  /**
+   * `true` if the [Double-submit CSRF check](https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf) was succesful
+   * or [`skipCSRFCheck`](https://authjs.dev/reference/core#skipcsrfcheck) was enabled.
+   */
+  // csrfTokenVerified?: boolean;
+  // secret: string | string[];
+  // ConvexAuth: omit the following options for now
+  //   theme: Theme;
+  //   debug: boolean;
+  //   logger: LoggerInstance;
+  //   session: NonNullable<Required<AuthConfig["session"]>>;
+  //   pages: Partial<PagesOptions>;
+  // jwt: JWTOptions;
+  //   events: NonNullable<AuthConfig["events"]>;
+  //   adapter: Required<Adapter> | undefined;
+  //   callbacks: NonNullable<Required<AuthConfig["callbacks"]>>;
+  cookies: Record<keyof CookiesOptions, CookieOption>;
+  // callbackUrl: string;
+  /**
+   * If true, the OAuth callback is being proxied by the server to the original URL.
+   * See also {@link OAuthConfigInternal.redirectProxyUrl}.
+   */
+  // isOnRedirectProxy: boolean;
+  //   experimental: NonNullable<AuthConfig["experimental"]>;
+  // basePath: string;
+}
+
+// ConvexAuth: There are several more types in the original file which we don't need,
+// and are omitted here.