npm - @robelest/convex-auth - Versions diffs - 0.0.2-preview.0 → 0.0.2-preview.2 - Mend

@robelest/convex-auth 0.0.2-preview.0 → 0.0.2-preview.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (166) hide show

package/src/server/implementation/users.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { GenericId } from "convex/values";
 import { Doc, MutationCtx } from "./types.js";
 import { AuthProviderMaterializedConfig, ConvexAuthConfig } from "../types.js";
 import { LOG_LEVELS, logWithLevel } from "./utils.js";
-import { createAuthDb } from "./db.js";
+import { authDb } from "./db.js";
 type CreateOrUpdateUserArgs = {
   type: "oauth" | "credentials" | "email" | "phone" | "verification";
@@ -56,8 +56,7 @@ async function defaultCreateOrUpdateUser(
     args,
   });
   const existingUserId = existingAccount?.userId ?? null;
-  const authDb =
-    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const db = authDb(ctx, config);
   if (config.callbacks?.createOrUpdateUser !== undefined) {
     logWithLevel(LOG_LEVELS.DEBUG, "Using custom createOrUpdateUser callback");
     return await config.callbacks.createOrUpdateUser(ctx, {
@@ -136,11 +135,7 @@ async function defaultCreateOrUpdateUser(
   const existingOrLinkedUserId = userId;
   if (userId !== null) {
     try {
-      if (authDb !== null) {
-        await authDb.users.patch(userId, userData);
-      } else {
-        await ctx.db.patch(userId, userData);
-      }
+      await db.users.patch(userId, userData);
     } catch (error) {
       throw new Error(
         `Could not update user document with ID \`${userId}\`, ` +
@@ -150,10 +145,7 @@ async function defaultCreateOrUpdateUser(
       );
     }
   } else {
-    userId =
-      authDb !== null
-        ? ((await authDb.users.insert(userData)) as GenericId<"user">)
-        : await ctx.db.insert("user", userData);
+    userId = (await db.users.insert(userData)) as GenericId<"user">;
   }
   const afterUserCreatedOrUpdated = config.callbacks?.afterUserCreatedOrUpdated;
   if (afterUserCreatedOrUpdated !== undefined) {
@@ -180,16 +172,8 @@ async function uniqueUserWithVerifiedEmail(
   email: string,
   config: ConvexAuthConfig,
 ) {
-  if (config.component !== undefined) {
-    const authDb = createAuthDb(ctx, config.component);
-    return (await authDb.users.findByVerifiedEmail(email)) as Doc<"user"> | null;
-  }
-  const users = await ctx.db
-    .query("user")
-    .withIndex("email", (q) => q.eq("email", email))
-    .filter((q) => q.neq(q.field("emailVerificationTime"), undefined))
-    .take(2);
-  return users.length === 1 ? users[0] : null;
+  const db = authDb(ctx, config);
+  return (await db.users.findByVerifiedEmail(email)) as Doc<"user"> | null;
 }
 async function uniqueUserWithVerifiedPhone(
@@ -197,16 +181,8 @@ async function uniqueUserWithVerifiedPhone(
   phone: string,
   config: ConvexAuthConfig,
 ) {
-  if (config.component !== undefined) {
-    const authDb = createAuthDb(ctx, config.component);
-    return (await authDb.users.findByVerifiedPhone(phone)) as Doc<"user"> | null;
-  }
-  const users = await ctx.db
-    .query("user")
-    .withIndex("phone", (q) => q.eq("phone", phone))
-    .filter((q) => q.neq(q.field("phoneVerificationTime"), undefined))
-    .take(2);
-  return users.length === 1 ? users[0] : null;
+  const db = authDb(ctx, config);
+  return (await db.users.findByVerifiedPhone(phone)) as Doc<"user"> | null;
 }
 async function createOrUpdateAccount(
@@ -221,49 +197,29 @@ async function createOrUpdateAccount(
   args: CreateOrUpdateUserArgs,
   config: ConvexAuthConfig,
 ) {
-  const authDb =
-    config.component !== undefined ? createAuthDb(ctx, config.component) : null;
+  const db = authDb(ctx, config);
   const accountId =
     "existingAccount" in account
       ? account.existingAccount._id
-      : authDb !== null
-        ? ((await authDb.accounts.create({
-            userId,
-            provider: args.provider.id,
-            providerAccountId: account.providerAccountId,
-            secret: account.secret,
-          })) as GenericId<"account">)
-        : await ctx.db.insert("account", {
-            userId,
-            provider: args.provider.id,
-            providerAccountId: account.providerAccountId,
-            secret: account.secret,
-          });
+      : ((await db.accounts.create({
+          userId,
+          provider: args.provider.id,
+          providerAccountId: account.providerAccountId,
+          secret: account.secret,
+        })) as GenericId<"account">);
   // This is never used with the default `createOrUpdateUser` implementation,
   // but it is used for manual linking via custom `createOrUpdateUser`:
   if (
     "existingAccount" in account &&
     account.existingAccount.userId !== userId
   ) {
-    if (authDb !== null) {
-      await authDb.accounts.patch(accountId, { userId });
-    } else {
-      await ctx.db.patch(accountId, { userId });
-    }
+    await db.accounts.patch(accountId, { userId });
   }
   if (args.profile.emailVerified) {
-    if (authDb !== null) {
-      await authDb.accounts.patch(accountId, { emailVerified: args.profile.email });
-    } else {
-      await ctx.db.patch(accountId, { emailVerified: args.profile.email });
-    }
+    await db.accounts.patch(accountId, { emailVerified: args.profile.email });
   }
   if (args.profile.phoneVerified) {
-    if (authDb !== null) {
-      await authDb.accounts.patch(accountId, { phoneVerified: args.profile.phone });
-    } else {
-      await ctx.db.patch(accountId, { phoneVerified: args.profile.phone });
-    }
+    await db.accounts.patch(accountId, { phoneVerified: args.profile.phone });
   }
   return accountId;
 }
@@ -273,10 +229,7 @@ export async function getAccountOrThrow(
   existingAccountId: GenericId<"account">,
   config: ConvexAuthConfig,
 ) {
-  const existingAccount =
-    config.component !== undefined
-      ? await createAuthDb(ctx, config.component).accounts.getById(existingAccountId)
-      : await ctx.db.get(existingAccountId);
+  const existingAccount = await authDb(ctx, config).accounts.getById(existingAccountId);
   if (existingAccount === null) {
     throw new Error(
       `Expected an account to exist for ID "${existingAccountId}"`,

package/src/server/index.ts CHANGED Viewed

@@ -1,4 +1,10 @@
+import { ConvexHttpClient } from "convex/browser";
+import { jwtDecode } from "jwt-decode";
 import { parse, serialize } from "cookie";
+import type {
+  SignInAction,
+  SignOutAction,
+} from "./implementation/index.js";
 import { isLocalHost } from "./utils.js";
 export type AuthCookieConfig = {
@@ -11,6 +17,20 @@ export type AuthCookies = {
   verifier: string | null;
 };
+export type ServerOptions = {
+  /** Convex deployment URL. */
+  url: string;
+  apiRoute?: string;
+  cookieMaxAge?: number | null;
+  verbose?: boolean;
+  shouldHandleCode?: ((request: Request) => boolean | Promise<boolean>) | boolean;
+};
+export type RefreshResult = {
+  response?: Response;
+  cookies?: string[];
+};
 export function authCookieNames(host?: string) {
   const prefix = isLocalHost(host) ? "" : "__Host-";
   return {
@@ -72,3 +92,356 @@ export function shouldProxyAuthAction(pathname: string, apiRoute: string) {
   }
   return pathname === apiRoute || pathname === `${apiRoute}/`;
 }
+const REQUIRED_TOKEN_LIFETIME_MS = 60_000;
+const MINIMUM_REQUIRED_TOKEN_LIFETIME_MS = 10_000;
+type DecodedToken = { exp?: number; iat?: number };
+export function server(options: ServerOptions) {
+  const convexUrl = options.url;
+  const apiRoute = options.apiRoute ?? "/api/auth";
+  const cookieConfig = { maxAge: options.cookieMaxAge ?? null };
+  const verbose = options.verbose ?? false;
+  const logVerbose = (message: string) => {
+    if (!verbose) {
+      return;
+    }
+    console.debug(
+      `${new Date().toISOString()} [convex-auth/server] ${message}`,
+    );
+  };
+  const cookieHost = (request: Request) => {
+    return request.headers.get("host") ?? new URL(request.url).host;
+  };
+  const parseRequestCookies = (request: Request) => {
+    return parseAuthCookies(request.headers.get("cookie"), cookieHost(request));
+  };
+  const attachCookies = (response: Response, cookies: string[]) => {
+    for (const value of cookies) {
+      response.headers.append("Set-Cookie", value);
+    }
+    return response;
+  };
+  const jsonResponse = (body: unknown, status = 200) => {
+    return new Response(JSON.stringify(body), {
+      status,
+      headers: {
+        "Content-Type": "application/json",
+      },
+    });
+  };
+  const isCorsRequest = (request: Request) => {
+    const originHeader = request.headers.get("origin");
+    if (originHeader === null) {
+      return false;
+    }
+    const requestUrl = new URL(request.url);
+    const originUrl = new URL(originHeader);
+    return (
+      originUrl.host !== requestUrl.host ||
+      originUrl.protocol !== requestUrl.protocol
+    );
+  };
+  const decodeToken = (token: string): DecodedToken | null => {
+    try {
+      return jwtDecode<DecodedToken>(token);
+    } catch {
+      return null;
+    }
+  };
+  const convexClient = (token?: string | null) => {
+    const client = new ConvexHttpClient(convexUrl);
+    if (token !== undefined && token !== null) {
+      client.setAuth(token);
+    }
+    return client;
+  };
+  const refreshTokens = async (
+    request: Request,
+  ): Promise<{ token: string; refreshToken: string } | null | undefined> => {
+    const cookies = parseRequestCookies(request);
+    const { token, refreshToken } = cookies;
+    if (refreshToken === null && token === null) {
+      logVerbose("No auth cookies found, skipping refresh");
+      return undefined;
+    }
+    if (refreshToken === null || token === null) {
+      logVerbose("Only one auth cookie present, clearing auth cookies");
+      return null;
+    }
+    const decodedToken = decodeToken(token);
+    if (decodedToken?.exp === undefined || decodedToken.iat === undefined) {
+      logVerbose("Failed to decode token, clearing auth cookies");
+      return null;
+    }
+    const totalTokenLifetimeMs = decodedToken.exp * 1000 - decodedToken.iat * 1000;
+    const minimumExpiration =
+      Date.now() +
+      Math.min(
+        REQUIRED_TOKEN_LIFETIME_MS,
+        Math.max(MINIMUM_REQUIRED_TOKEN_LIFETIME_MS, totalTokenLifetimeMs / 10),
+      );
+    if (decodedToken.exp * 1000 > minimumExpiration) {
+      logVerbose("Token valid long enough, skipping refresh");
+      return undefined;
+    }
+    try {
+      const result = await convexClient().action(
+        "auth:signIn" as unknown as SignInAction,
+        {
+          refreshToken,
+        },
+      );
+      if (result.tokens === undefined) {
+        throw new Error("Invalid `auth:signIn` result for token refresh");
+      }
+      logVerbose(`Refreshed tokens, null=${result.tokens === null}`);
+      return result.tokens;
+    } catch (error) {
+      console.error(error);
+      logVerbose("Token refresh failed, clearing auth cookies");
+      return null;
+    }
+  };
+  return {
+    token(request: Request): string | null {
+      return parseRequestCookies(request).token;
+    },
+    async verify(request: Request): Promise<boolean> {
+      const token = parseRequestCookies(request).token;
+      if (token === null) {
+        return false;
+      }
+      const decodedToken = decodeToken(token);
+      if (decodedToken?.exp === undefined) {
+        return false;
+      }
+      return decodedToken.exp * 1000 > Date.now();
+    },
+    async proxy(request: Request): Promise<Response> {
+      const requestUrl = new URL(request.url);
+      if (!shouldProxyAuthAction(requestUrl.pathname, apiRoute)) {
+        return new Response("Invalid route", { status: 404 });
+      }
+      if (request.method !== "POST") {
+        return new Response("Invalid method", { status: 405 });
+      }
+      if (isCorsRequest(request)) {
+        return new Response("Invalid origin", { status: 403 });
+      }
+      const body = await request.json();
+      const action = body.action as string;
+      const args = (body.args ?? {}) as Record<string, any>;
+      if (action !== "auth:signIn" && action !== "auth:signOut") {
+        return new Response("Invalid action", { status: 400 });
+      }
+      const currentCookies = parseRequestCookies(request);
+      const host = cookieHost(request);
+      if (action === "auth:signIn") {
+        if (args.refreshToken !== undefined) {
+          if (currentCookies.refreshToken === null) {
+            return jsonResponse({ tokens: null });
+          }
+          args.refreshToken = currentCookies.refreshToken;
+        }
+        const client = convexClient(
+          args.refreshToken !== undefined || args.params?.code !== undefined
+            ? null
+            : currentCookies.token,
+        );
+        try {
+          const result = await client.action(
+            "auth:signIn" as unknown as SignInAction,
+            args,
+          );
+          if (result.redirect !== undefined) {
+            const response = jsonResponse({ redirect: result.redirect });
+            return attachCookies(
+              response,
+              serializeAuthCookies(
+                {
+                  ...currentCookies,
+                  verifier: result.verifier ?? null,
+                },
+                host,
+                cookieConfig,
+              ),
+            );
+          }
+          if (result.tokens !== undefined) {
+            const response = jsonResponse({
+              tokens:
+                result.tokens === null
+                  ? null
+                  : { token: result.tokens.token, refreshToken: "dummy" },
+            });
+            return attachCookies(
+              response,
+              serializeAuthCookies(
+                {
+                  token: result.tokens?.token ?? null,
+                  refreshToken: result.tokens?.refreshToken ?? null,
+                  verifier: null,
+                },
+                host,
+                cookieConfig,
+              ),
+            );
+          }
+          return jsonResponse(result);
+        } catch (error) {
+          const response = jsonResponse({ error: (error as Error).message }, 400);
+          return attachCookies(
+            response,
+            serializeAuthCookies(
+              {
+                token: null,
+                refreshToken: null,
+                verifier: null,
+              },
+              host,
+              cookieConfig,
+            ),
+          );
+        }
+      }
+      try {
+        await convexClient(currentCookies.token).action(
+          "auth:signOut" as unknown as SignOutAction,
+        );
+      } catch (error) {
+        console.error(error);
+      }
+      return attachCookies(
+        jsonResponse(null),
+        serializeAuthCookies(
+          {
+            token: null,
+            refreshToken: null,
+            verifier: null,
+          },
+          host,
+          cookieConfig,
+        ),
+      );
+    },
+    async refresh(request: Request): Promise<RefreshResult> {
+      const host = cookieHost(request);
+      if (isCorsRequest(request)) {
+        return {
+          cookies: serializeAuthCookies(
+            {
+              token: null,
+              refreshToken: null,
+              verifier: null,
+            },
+            host,
+            cookieConfig,
+          ),
+        };
+      }
+      const requestUrl = new URL(request.url);
+      const code = requestUrl.searchParams.get("code");
+      const shouldHandleCode =
+        options.shouldHandleCode === undefined
+          ? true
+          : typeof options.shouldHandleCode === "function"
+            ? await options.shouldHandleCode(request)
+            : options.shouldHandleCode;
+      if (
+        code !== null &&
+        request.method === "GET" &&
+        request.headers.get("accept")?.includes("text/html") &&
+        shouldHandleCode
+      ) {
+        const requestCookies = parseRequestCookies(request);
+        const redirectUrl = new URL(requestUrl);
+        redirectUrl.searchParams.delete("code");
+        try {
+          const result = await convexClient().action(
+            "auth:signIn" as unknown as SignInAction,
+            {
+              params: { code },
+              verifier: requestCookies.verifier ?? undefined,
+            },
+          );
+          if (result.tokens === undefined) {
+            throw new Error("Invalid `auth:signIn` result for code exchange");
+          }
+          const response = Response.redirect(redirectUrl.toString(), 302);
+          return {
+            response: attachCookies(
+              response,
+              serializeAuthCookies(
+                {
+                  token: result.tokens?.token ?? null,
+                  refreshToken: result.tokens?.refreshToken ?? null,
+                  verifier: null,
+                },
+                host,
+                cookieConfig,
+              ),
+            ),
+          };
+        } catch (error) {
+          console.error(error);
+          const response = Response.redirect(redirectUrl.toString(), 302);
+          return {
+            response: attachCookies(
+              response,
+              serializeAuthCookies(
+                {
+                  token: null,
+                  refreshToken: null,
+                  verifier: null,
+                },
+                host,
+                cookieConfig,
+              ),
+            ),
+          };
+        }
+      }
+      const tokens = await refreshTokens(request);
+      if (tokens === undefined) {
+        return {};
+      }
+      return {
+        cookies: serializeAuthCookies(
+          {
+            token: tokens?.token ?? null,
+            refreshToken: tokens?.refreshToken ?? null,
+            verifier: null,
+          },
+          host,
+          cookieConfig,
+        ),
+      };
+    },
+  };
+}

package/src/server/provider_utils.ts CHANGED Viewed

@@ -59,13 +59,13 @@ export function configDefaults(config_: ConvexAuthConfig) {
  * @internal
  */
 export function materializeProvider(provider: AuthProviderConfig) {
-  const config = { providers: [provider] };
+  const config = { providers: [provider], component: {} as any };
   materializeAndDefaultProviders(config);
   return config.providers[0] as AuthProviderMaterializedConfig;
 }
 function materializeProviders(providers: AuthProviderConfig[]) {
-  const config = { providers };
+  const config = { providers, component: {} as any };
   materializeAndDefaultProviders(config);
   return config.providers as AuthProviderMaterializedConfig[];
 }