@robelest/convex-auth 0.0.2-preview.0 → 0.0.2-preview.2

package/src/server/implementation/mutations/verifyCodeAndSignIn.ts

@@ -14,7 +14,8 @@ import {
 import { ConvexAuthConfig } from "../../types.js";
 import { LOG_LEVELS, logWithLevel, sha256 } from "../utils.js";
 import { upsertUserAndAccount } from "../users.js";
-import { createAuthDb } from "../db.js";
+import { authDb } from "../db.js";
+import { AUTH_STORE_REF } from "./storeRef.js";
 
 export const verifyCodeAndSignInArgs = v.object({
   params: v.any(),
@@ -87,7 +88,7 @@ export const callVerifyCodeAndSignIn = async (
   ctx: ActionCtx,
   args: Infer<typeof verifyCodeAndSignInArgs>,
 ): Promise<ReturnType> => {
-  return ctx.runMutation("auth:store" as any, {
+  return ctx.runMutation(AUTH_STORE_REF, {
     args: {
       type: "verifyCodeAndSignIn",
       ...args,
@@ -116,26 +117,15 @@ async function verifyCodeOnly(
   config: ConvexAuthConfig,
   sessionId: GenericId<"session"> | null,
 ) {
-  const authDb =
-    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const db = authDb(ctx, config);
   const { params, verifier } = args;
   const codeHash = await sha256(params.code);
-  const verificationCode =
-    authDb !== null
-      ? await authDb.verificationCodes.getByCode(codeHash)
-      : await ctx.db
-          .query("verification")
-          .withIndex("code", (q) => q.eq("code", codeHash))
-          .unique();
+  const verificationCode = await db.verificationCodes.getByCode(codeHash);
   if (verificationCode === null) {
     logWithLevel(LOG_LEVELS.ERROR, "Invalid verification code");
     return null;
   }
-  if (authDb !== null) {
-    await authDb.verificationCodes.delete(verificationCode._id);
-  } else {
-    await ctx.db.delete(verificationCode._id);
-  }
+  await db.verificationCodes.delete(verificationCode._id);
   if (verificationCode.verifier !== verifier) {
     logWithLevel(LOG_LEVELS.ERROR, "Invalid verifier");
     return null;
@@ -145,8 +135,7 @@ async function verifyCodeOnly(
     return null;
   }
   const { accountId, emailVerified, phoneVerified } = verificationCode;
-  const account =
-    authDb !== null ? await authDb.accounts.getById(accountId) : await ctx.db.get(accountId);
+  const account = await db.accounts.getById(accountId);
   if (account === null) {
     logWithLevel(
       LOG_LEVELS.ERROR,

package/src/server/implementation/provider.ts

@@ -1,4 +1,5 @@
 import { AuthProviderMaterializedConfig } from "../types.js";
+import { ConvexAuthMaterializedConfig } from "../types.js";
 
 export async function hash(provider: any, secret: string) {
   if (provider.type !== "credentials") {
@@ -35,4 +36,4 @@ export type GetProviderOrThrowFunc = (
   allowExtraProviders?: boolean,
 ) => AuthProviderMaterializedConfig;
 
-export type Config = any;
+export type Config = ConvexAuthMaterializedConfig;

package/src/server/implementation/rateLimit.ts

@@ -1,6 +1,6 @@
 import { ConvexAuthConfig } from "../types.js";
 import { Doc, MutationCtx } from "./types.js";
-import { createAuthDb } from "./db.js";
+import { authDb } from "./db.js";
 
 const DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;
 
@@ -21,34 +21,20 @@ export async function recordFailedSignIn(
   identifier: string,
   config: ConvexAuthConfig,
 ) {
+  const db = authDb(ctx, config);
   const state = await getRateLimitState(ctx, identifier, config);
   if (state !== null) {
-    if (config.component !== undefined) {
-      await createAuthDb(ctx, config.component).rateLimits.patch(state.limit._id, {
-        attemptsLeft: state.attempsLeft - 1,
-        lastAttemptTime: Date.now(),
-      });
-    } else {
-      await ctx.db.patch(state.limit._id, {
-        attemptsLeft: state.attempsLeft - 1,
-        lastAttemptTime: Date.now(),
-      });
-    }
+    await db.rateLimits.patch(state.limit._id, {
+      attemptsLeft: state.attempsLeft - 1,
+      lastAttemptTime: Date.now(),
+    });
   } else {
     const maxAttempsPerHour = configuredMaxAttempsPerHour(config);
-    if (config.component !== undefined) {
-      await createAuthDb(ctx, config.component).rateLimits.create({
-        identifier,
-        attemptsLeft: maxAttempsPerHour - 1,
-        lastAttemptTime: Date.now(),
-      });
-    } else {
-      await ctx.db.insert("limit", {
-        identifier,
-        attemptsLeft: maxAttempsPerHour - 1,
-        lastAttemptTime: Date.now(),
-      });
-    }
+    await db.rateLimits.create({
+      identifier,
+      attemptsLeft: maxAttempsPerHour - 1,
+      lastAttemptTime: Date.now(),
+    });
   }
 }
 
@@ -59,13 +45,7 @@ export async function resetSignInRateLimit(
 ) {
   const existingState = await getRateLimitState(ctx, identifier, config);
   if (existingState !== null) {
-    if (config.component !== undefined) {
-      await createAuthDb(ctx, config.component).rateLimits.delete(
-        existingState.limit._id,
-      );
-    } else {
-      await ctx.db.delete(existingState.limit._id);
-    }
+    await authDb(ctx, config).rateLimits.delete(existingState.limit._id);
   }
 }
 
@@ -76,15 +56,9 @@ async function getRateLimitState(
 ) {
   const now = Date.now();
   const maxAttempsPerHour = configuredMaxAttempsPerHour(config);
-  const limit =
-    config.component !== undefined
-      ? ((await createAuthDb(ctx, config.component).rateLimits.get(identifier)) as
-          | Doc<"limit">
-          | null)
-      : await ctx.db
-          .query("limit")
-          .withIndex("identifier", (q) => q.eq("identifier", identifier))
-          .unique();
+  const limit = (await authDb(ctx, config).rateLimits.get(identifier)) as
+    | Doc<"limit">
+    | null;
   if (limit === null) {
     return null;
   }

package/src/server/implementation/refreshTokens.ts

@@ -8,7 +8,7 @@ import {
   maybeRedact,
   stringToNumber,
 } from "./utils.js";
-import { createAuthDb } from "./db.js";
+import { authDb } from "./db.js";
 
 const DEFAULT_SESSION_INACTIVE_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days
 export const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1000; // 10 seconds
@@ -17,24 +17,18 @@ export async function createRefreshToken(
   config: ConvexAuthConfig,
   sessionId: GenericId<"session">,
   parentRefreshTokenId: GenericId<"token"> | null,
-) {
+): Promise<GenericId<"token">> {
+  const db = authDb(ctx, config);
   const expirationTime =
     Date.now() +
     (config.session?.inactiveDurationMs ??
       stringToNumber(process.env.AUTH_SESSION_INACTIVE_DURATION_MS) ??
       DEFAULT_SESSION_INACTIVE_DURATION_MS);
-  if (config.component !== undefined) {
-    return (await createAuthDb(ctx, config.component).refreshTokens.create({
-      sessionId,
-      expirationTime,
-      parentRefreshTokenId: parentRefreshTokenId ?? undefined,
-    })) as GenericId<"token">;
-  }
-  const newRefreshTokenId = await ctx.db.insert("token", {
+  const newRefreshTokenId = (await db.refreshTokens.create({
     sessionId,
     expirationTime,
     parentRefreshTokenId: parentRefreshTokenId ?? undefined,
-  });
+  })) as GenericId<"token">;
   return newRefreshTokenId;
 }
 
@@ -74,27 +68,16 @@ export async function invalidateRefreshTokensInSubtree(
   refreshToken: Doc<"token">,
   config: ConvexAuthConfig,
 ) {
-  const authDb =
-    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const db = authDb(ctx, config);
   const tokensToInvalidate = [refreshToken];
-  let frontier = [refreshToken._id];
+  let frontier: GenericId<"token">[] = [refreshToken._id];
   while (frontier.length > 0) {
-    const nextFrontier = [];
+    const nextFrontier: GenericId<"token">[] = [];
     for (const currentTokenId of frontier) {
-      const children =
-        authDb !== null
-          ? ((await authDb.refreshTokens.getChildren(
-              refreshToken.sessionId,
-              currentTokenId,
-            )) as Doc<"token">[])
-          : await ctx.db
-              .query("token")
-              .withIndex("sessionIdAndParentRefreshTokenId", (q) =>
-                q
-                  .eq("sessionId", refreshToken.sessionId)
-                  .eq("parentRefreshTokenId", currentTokenId),
-              )
-              .collect();
+      const children = (await db.refreshTokens.getChildren(
+        refreshToken.sessionId,
+        currentTokenId,
+      )) as Doc<"token">[];
       tokensToInvalidate.push(...children);
       nextFrontier.push(...children.map((child) => child._id));
     }
@@ -106,15 +89,9 @@ export async function invalidateRefreshTokensInSubtree(
       token.firstUsedTime === undefined ||
       token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS
     ) {
-      if (authDb !== null) {
-        await authDb.refreshTokens.patch(token._id, {
-          firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,
-        });
-      } else {
-        await ctx.db.patch(token._id, {
-          firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,
-        });
-      }
+      await db.refreshTokens.patch(token._id, {
+        firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,
+      });
     }
   }
   return tokensToInvalidate;
@@ -125,19 +102,7 @@ export async function deleteAllRefreshTokens(
   sessionId: GenericId<"session">,
   config: ConvexAuthConfig,
 ) {
-  if (config.component !== undefined) {
-    await createAuthDb(ctx, config.component).refreshTokens.deleteAll(sessionId);
-    return;
-  }
-  const existingRefreshTokens = await ctx.db
-    .query("token")
-    .withIndex("sessionIdAndParentRefreshTokenId", (q) =>
-      q.eq("sessionId", sessionId),
-    )
-    .collect();
-  for (const refreshTokenDoc of existingRefreshTokens) {
-    await ctx.db.delete(refreshTokenDoc._id);
-  }
+  await authDb(ctx, config).refreshTokens.deleteAll(sessionId);
 }
 
 export async function refreshTokenIfValid(
@@ -146,16 +111,12 @@ export async function refreshTokenIfValid(
   tokenSessionId: string,
   config: ConvexAuthConfig,
 ) {
-  const authDb =
-    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const db = authDb(ctx, config);
   let refreshTokenDoc: Doc<"token"> | null;
   try {
-    refreshTokenDoc =
-      authDb !== null
-        ? ((await authDb.refreshTokens.getById(
-            refreshTokenId as GenericId<"token">,
-          )) as Doc<"token"> | null)
-        : await ctx.db.get(refreshTokenId as GenericId<"token">);
+    refreshTokenDoc = (await db.refreshTokens.getById(
+      refreshTokenId as GenericId<"token">,
+    )) as Doc<"token"> | null;
   } catch {
     logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token format");
     return null;
@@ -175,12 +136,9 @@ export async function refreshTokenIfValid(
   }
   let session: Doc<"session"> | null;
   try {
-    session =
-      authDb !== null
-        ? ((await authDb.sessions.getById(refreshTokenDoc.sessionId)) as
-            | Doc<"session">
-            | null)
-        : await ctx.db.get(refreshTokenDoc.sessionId);
+    session = (await db.sessions.getById(refreshTokenDoc.sessionId)) as
+      | Doc<"session">
+      | null;
   } catch {
     logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session format");
     return null;
@@ -207,15 +165,7 @@ export async function loadActiveRefreshToken(
   sessionId: GenericId<"session">,
   config: ConvexAuthConfig,
 ) {
-  if (config.component !== undefined) {
-    return (await createAuthDb(ctx, config.component).refreshTokens.getActive(
-      sessionId,
-    )) as Doc<"token"> | null;
-  }
-  return ctx.db
-    .query("token")
-    .withIndex("sessionId", (q) => q.eq("sessionId", sessionId))
-    .filter((q) => q.eq(q.field("firstUsedTime"), undefined))
-    .order("desc")
-    .first();
+  return (await authDb(ctx, config).refreshTokens.getActive(sessionId)) as
+    | Doc<"token">
+    | null;
 }

package/src/server/implementation/sessions.ts

@@ -15,7 +15,7 @@ import {
   formatRefreshToken,
   deleteAllRefreshTokens,
 } from "./refreshTokens.js";
-import { createAuthDb } from "./db.js";
+import { authDb } from "./db.js";
 
 const DEFAULT_SESSION_TOTAL_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days
 
@@ -45,14 +45,10 @@ export async function createNewAndDeleteExistingSession(
   config: ConvexAuthConfig,
   userId: GenericId<"user">,
 ) {
-  const authDb =
-    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const db = authDb(ctx, config);
   const existingSessionId = await getAuthSessionId(ctx);
   if (existingSessionId !== null) {
-    const existingSession =
-      authDb !== null
-        ? await authDb.sessions.getById(existingSessionId)
-        : await ctx.db.get(existingSessionId);
+    const existingSession = await db.sessions.getById(existingSessionId);
     if (existingSession !== null) {
       await deleteSession(ctx, existingSession, config);
     }
@@ -95,18 +91,13 @@ async function createSession(
   userId: GenericId<"user">,
   config: ConvexAuthConfig,
 ) {
+  const db = authDb(ctx, config);
   const expirationTime =
     Date.now() +
     (config.session?.totalDurationMs ??
       stringToNumber(process.env.AUTH_SESSION_TOTAL_DURATION_MS) ??
       DEFAULT_SESSION_TOTAL_DURATION_MS);
-  if (config.component !== undefined) {
-    return (await createAuthDb(ctx, config.component).sessions.create(
-      userId,
-      expirationTime,
-    )) as GenericId<"session">;
-  }
-  return await ctx.db.insert("session", { expirationTime, userId });
+  return (await db.sessions.create(userId, expirationTime)) as GenericId<"session">;
 }
 
 export async function deleteSession(
@@ -114,36 +105,14 @@ export async function deleteSession(
   session: Doc<"session">,
   config: ConvexAuthConfig,
 ) {
-  if (config.component !== undefined) {
-    await createAuthDb(ctx, config.component).sessions.delete(session._id);
-  } else {
-    await ctx.db.delete(session._id);
-  }
+  await authDb(ctx, config).sessions.delete(session._id);
   await deleteAllRefreshTokens(ctx, session._id, config);
 }
 
 /**
- * Return the current session ID.
- *
- * ```ts filename="convex/myFunctions.tsx"
- * import { mutation } from "./_generated/server";
- * import { getAuthSessionId } from "@robelest/convex-auth/component";
- *
- * export const doSomething = mutation({
- *   args: {/* ... *\/},
- *   handler: async (ctx, args) => {
- *     const sessionId = await getAuthSessionId(ctx);
- *     if (sessionId === null) {
- *       throw new Error("Client is not authenticated!")
- *     }
- *     const session = await ctx.db.get(sessionId);
- *     // ...
- *   },
- * });
- * ```
+ * Return the current session ID from the auth identity subject.
  *
- * @param ctx query, mutation or action `ctx`
- * @returns the session ID or `null` if the client isn't authenticated
+ * Internal helper used by auth runtime internals and `auth.session.current`.
  */
 export async function getAuthSessionId(ctx: { auth: Auth }) {
   const identity = await ctx.auth.getUserIdentity();

package/src/server/implementation/types.ts

@@ -4,215 +4,40 @@ import {
   GenericMutationCtx,
   GenericQueryCtx,
   TableNamesInDataModel,
-  defineSchema,
-  defineTable,
 } from "convex/server";
-import { GenericId, v } from "convex/values";
+import { GenericId } from "convex/values";
 import { GenericDoc } from "../convex_types.js";
+import schema from "../../component/schema.js";
 
-/**
- * The table definitions required by the library.
- *
- * Your schema must include these so that the indexes
- * are set up:
- *
- *
- * ```ts filename="convex/schema.ts"
- * import { defineSchema } from "convex/server";
- * import { authTables } from "@robelest/convex-auth/component";
- *
- * const schema = defineSchema({
- *   ...authTables,
- * });
- *
- * export default schema;
- * ```
- *
- * You can inline the table definitions into your schema
- * and extend them with additional optional and required
- * fields. See https://labs.convex.dev/auth/setup/schema
- * for more details.
- */
-export const authTables = {
-  /**
-   * Users.
-   */
-  user: defineTable({
-    name: v.optional(v.string()),
-    image: v.optional(v.string()),
-    email: v.optional(v.string()),
-    emailVerificationTime: v.optional(v.number()),
-    phone: v.optional(v.string()),
-    phoneVerificationTime: v.optional(v.number()),
-    isAnonymous: v.optional(v.boolean()),
-  })
-    .index("email", ["email"])
-    .index("phone", ["phone"]),
-  /**
-   * Sessions.
-   * A single user can have multiple active sessions.
-   * See [Session document lifecycle](https://labs.convex.dev/auth/advanced#session-document-lifecycle).
-   */
-  session: defineTable({
-    userId: v.id("user"),
-    expirationTime: v.number(),
-  }).index("userId", ["userId"]),
-  /**
-   * Accounts. An account corresponds to
-   * a single authentication provider.
-   * A single user can have multiple accounts linked.
-   */
-  account: defineTable({
-    userId: v.id("user"),
-    provider: v.string(),
-    providerAccountId: v.string(),
-    secret: v.optional(v.string()),
-    emailVerified: v.optional(v.string()),
-    phoneVerified: v.optional(v.string()),
-  })
-    .index("userIdAndProvider", ["userId", "provider"])
-    .index("providerAndAccountId", ["provider", "providerAccountId"]),
-  /**
-   * Refresh tokens.
-   * Refresh tokens are generally meant to be used once, to be exchanged for another
-   * refresh token and a JWT access token, but with a few exceptions:
-   * - The "active refresh token" is the most recently created refresh token that has
-   *   not been used yet. The parent of the active refresh token can always be used to
-   *   obtain the active refresh token.
-   * - A refresh token can be used within a 10 second window ("reuse window") to
-   *   obtain a new refresh token.
-   * - On any invalid use of a refresh token, the token itself and all its descendants
-   *   are invalidated.
-   */
-  token: defineTable({
-    sessionId: v.id("session"),
-    expirationTime: v.number(),
-    firstUsedTime: v.optional(v.number()),
-    // This is the ID of the refresh token that was exchanged to create this one.
-    parentRefreshTokenId: v.optional(v.id("token")),
-  })
-    // Sort by creationTime
-    .index("sessionId", ["sessionId"])
-    .index("sessionIdAndParentRefreshTokenId", [
-      "sessionId",
-      "parentRefreshTokenId",
-    ]),
-  /**
-   * Verification codes:
-   * - OTP tokens
-   * - magic link tokens
-   * - OAuth codes
-   */
-  verification: defineTable({
-    accountId: v.id("account"),
-    provider: v.string(),
-    code: v.string(),
-    expirationTime: v.number(),
-    verifier: v.optional(v.string()),
-    emailVerified: v.optional(v.string()),
-    phoneVerified: v.optional(v.string()),
-  })
-    .index("accountId", ["accountId"])
-    .index("code", ["code"]),
-  /**
-   * PKCE verifiers for OAuth.
-   */
-  verifier: defineTable({
-    sessionId: v.optional(v.id("session")),
-    signature: v.optional(v.string()),
-  }).index("signature", ["signature"]),
-  /**
-   * Rate limits for OTP and password sign-in.
-   */
-  limit: defineTable({
-    identifier: v.string(),
-    lastAttemptTime: v.number(),
-    attemptsLeft: v.number(),
-  }).index("identifier", ["identifier"]),
+/** Data model derived from the component schema. */
+export type AuthDataModel = DataModelFromSchemaDefinition<typeof schema>;
 
-  organization: defineTable({
-    name: v.string(),
-    slug: v.optional(v.string()),
-    ownerUserId: v.optional(v.id("user")),
-    parentOrganizationId: v.optional(v.id("organization")),
-    metadata: v.optional(v.any()),
-  })
-    .index("slug", ["slug"])
-    .index("ownerUserId", ["ownerUserId"])
-    .index("parentOrganizationId", ["parentOrganizationId"]),
-  team: defineTable({
-    organizationId: v.id("organization"),
-    name: v.string(),
-    slug: v.optional(v.string()),
-    parentTeamId: v.optional(v.id("team")),
-    metadata: v.optional(v.any()),
-  })
-    .index("organizationId", ["organizationId"])
-    .index("organizationIdAndSlug", ["organizationId", "slug"])
-    .index("parentTeamId", ["parentTeamId"]),
-  teamRelation: defineTable({
-    organizationId: v.id("organization"),
-    parentTeamId: v.id("team"),
-    childTeamId: v.id("team"),
-    relation: v.optional(v.string()),
-  })
-    .index("organizationId", ["organizationId"])
-    .index("organizationIdAndParentTeamId", ["organizationId", "parentTeamId"])
-    .index("organizationIdAndChildTeamId", ["organizationId", "childTeamId"]),
-  member: defineTable({
-    organizationId: v.id("organization"),
-    userId: v.id("user"),
-    teamId: v.optional(v.id("team")),
-    role: v.optional(v.string()),
-    status: v.optional(v.string()),
-    metadata: v.optional(v.any()),
-  })
-    .index("organizationId", ["organizationId"])
-    .index("organizationIdAndUserId", ["organizationId", "userId"])
-    .index("teamId", ["teamId"])
-    .index("userId", ["userId"]),
-  invite: defineTable({
-    organizationId: v.optional(v.id("organization")),
-    teamId: v.optional(v.id("team")),
-    invitedByUserId: v.id("user"),
-    email: v.string(),
-    tokenHash: v.string(),
-    role: v.optional(v.string()),
-    status: v.union(
-      v.literal("pending"),
-      v.literal("accepted"),
-      v.literal("revoked"),
-      v.literal("expired"),
-    ),
-    expiresTime: v.number(),
-    acceptedByUserId: v.optional(v.id("user")),
-    acceptedTime: v.optional(v.number()),
-    metadata: v.optional(v.any()),
-  })
-    .index("tokenHash", ["tokenHash"])
-    .index("emailAndStatus", ["email", "status"])
-    .index("invitedByUserIdAndStatus", ["invitedByUserId", "status"])
-    .index("organizationId", ["organizationId"])
-    .index("organizationIdAndStatus", ["organizationId", "status"]),
-};
-
-type DefaultSchema = ReturnType<typeof defineSchema<typeof authTables>>;
-
-export type AuthDataModel = DataModelFromSchemaDefinition<DefaultSchema>;
+/** Action context typed to the auth component's data model. */
 export type ActionCtx = GenericActionCtx<AuthDataModel>;
+
+/** Mutation context typed to the auth component's data model. */
 export type MutationCtx = GenericMutationCtx<AuthDataModel>;
+
+/** Query context typed to the auth component's data model. */
 export type QueryCtx = GenericQueryCtx<AuthDataModel>;
+
+/** A document from any table in the auth component schema. */
 export type Doc<T extends TableNamesInDataModel<AuthDataModel>> = GenericDoc<
   AuthDataModel,
   T
 >;
 
+/** A pair of JWT access token and refresh token. */
 export type Tokens = { token: string; refreshToken: string };
+
+/** Session information returned after authentication. */
 export type SessionInfo = {
   userId: GenericId<"user">;
   sessionId: GenericId<"session">;
   tokens: Tokens | null;
 };
+
+/** Session information with guaranteed non-null tokens. */
 export type SessionInfoWithTokens = {
   userId: GenericId<"user">;
   sessionId: GenericId<"session">;