@robelest/convex-auth 0.0.2-preview.1 → 0.0.2

package/src/component/public.ts

@@ -5,6 +5,14 @@ import { mutation, query } from "./_generated/server";
 // Users
 // ============================================================================
 
+/** List all users. */
+export const userList = query({
+  args: {},
+  handler: async (ctx) => {
+    return await ctx.db.query("user").collect();
+  },
+});
+
 /** Retrieve a user by their document ID. */
 export const userGetById = query({
   args: { userId: v.id("user") },
@@ -79,6 +87,17 @@ export const userPatch = mutation({
 // Accounts
 // ============================================================================
 
+/** List all accounts for a user. */
+export const accountListByUser = query({
+  args: { userId: v.id("user") },
+  handler: async (ctx, { userId }) => {
+    return await ctx.db
+      .query("account")
+      .withIndex("userIdAndProvider", (q) => q.eq("userId", userId as any))
+      .collect();
+  },
+});
+
 /** Look up an account by provider and provider-specific account ID. */
 export const accountGet = query({
   args: { provider: v.string(), providerAccountId: v.string() },
@@ -133,6 +152,14 @@ export const accountDelete = mutation({
 // Sessions
 // ============================================================================
 
+/** List all sessions. */
+export const sessionList = query({
+  args: {},
+  handler: async (ctx) => {
+    return await ctx.db.query("session").collect();
+  },
+});
+
 /** Create a new session for a user with an expiration time. */
 export const sessionCreate = mutation({
   args: { userId: v.id("user"), expirationTime: v.number() },
@@ -360,6 +387,150 @@ export const refreshTokenGetActive = query({
   },
 });
 
+// ============================================================================
+// Passkeys
+// ============================================================================
+
+/** Store a new passkey credential for a user. */
+export const passkeyInsert = mutation({
+  args: {
+    userId: v.id("user"),
+    credentialId: v.string(),
+    publicKey: v.bytes(),
+    algorithm: v.number(),
+    counter: v.number(),
+    transports: v.optional(v.array(v.string())),
+    deviceType: v.string(),
+    backedUp: v.boolean(),
+    name: v.optional(v.string()),
+    createdAt: v.number(),
+  },
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("passkey", args);
+  },
+});
+
+/** Look up a passkey by its credential ID. */
+export const passkeyGetByCredentialId = query({
+  args: { credentialId: v.string() },
+  handler: async (ctx, { credentialId }) => {
+    return await ctx.db
+      .query("passkey")
+      .withIndex("credentialId", (q) => q.eq("credentialId", credentialId))
+      .unique();
+  },
+});
+
+/** List all passkeys for a user. */
+export const passkeyListByUserId = query({
+  args: { userId: v.id("user") },
+  handler: async (ctx, { userId }) => {
+    return await ctx.db
+      .query("passkey")
+      .withIndex("userId", (q) => q.eq("userId", userId))
+      .collect();
+  },
+});
+
+/** Update a passkey's counter and last used timestamp after authentication. */
+export const passkeyUpdateCounter = mutation({
+  args: { passkeyId: v.id("passkey"), counter: v.number(), lastUsedAt: v.number() },
+  handler: async (ctx, { passkeyId, counter, lastUsedAt }) => {
+    await ctx.db.patch(passkeyId, { counter, lastUsedAt });
+  },
+});
+
+/** Update a passkey's metadata (name). */
+export const passkeyUpdateMeta = mutation({
+  args: { passkeyId: v.id("passkey"), data: v.any() },
+  handler: async (ctx, { passkeyId, data }) => {
+    await ctx.db.patch(passkeyId, data);
+  },
+});
+
+/** Delete a passkey credential. */
+export const passkeyDelete = mutation({
+  args: { passkeyId: v.id("passkey") },
+  handler: async (ctx, { passkeyId }) => {
+    await ctx.db.delete(passkeyId);
+  },
+});
+
+// ============================================================================
+// TOTP Two-Factor Authentication
+// ============================================================================
+
+/** Store a new TOTP enrollment for a user. */
+export const totpInsert = mutation({
+  args: {
+    userId: v.id("user"),
+    secret: v.bytes(),
+    digits: v.number(),
+    period: v.number(),
+    verified: v.boolean(),
+    name: v.optional(v.string()),
+    createdAt: v.number(),
+  },
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("totp", args);
+  },
+});
+
+/** Get a verified TOTP enrollment for a user (returns first match). */
+export const totpGetVerifiedByUserId = query({
+  args: { userId: v.id("user") },
+  handler: async (ctx, { userId }) => {
+    return await ctx.db
+      .query("totp")
+      .withIndex("userId", (q) => q.eq("userId", userId))
+      .filter((q) => q.eq(q.field("verified"), true))
+      .first();
+  },
+});
+
+/** List all TOTP enrollments for a user. */
+export const totpListByUserId = query({
+  args: { userId: v.id("user") },
+  handler: async (ctx, { userId }) => {
+    return await ctx.db
+      .query("totp")
+      .withIndex("userId", (q) => q.eq("userId", userId))
+      .collect();
+  },
+});
+
+/** Get a TOTP enrollment by its ID. */
+export const totpGetById = query({
+  args: { totpId: v.id("totp") },
+  handler: async (ctx, { totpId }) => {
+    return await ctx.db.get(totpId);
+  },
+});
+
+/** Mark a TOTP enrollment as verified (setup complete). */
+export const totpMarkVerified = mutation({
+  args: { totpId: v.id("totp"), lastUsedAt: v.number() },
+  handler: async (ctx, { totpId, lastUsedAt }) => {
+    await ctx.db.patch(totpId, { verified: true, lastUsedAt });
+  },
+});
+
+/** Update a TOTP enrollment's last used timestamp. */
+export const totpUpdateLastUsed = mutation({
+  args: { totpId: v.id("totp"), lastUsedAt: v.number() },
+  handler: async (ctx, { totpId, lastUsedAt }) => {
+    await ctx.db.patch(totpId, { lastUsedAt });
+  },
+});
+
+/** Delete a TOTP enrollment. */
+export const totpDelete = mutation({
+  args: { totpId: v.id("totp") },
+  handler: async (ctx, { totpId }) => {
+    await ctx.db.delete(totpId);
+  },
+});
+
 // ============================================================================
 // Rate Limits
 // ============================================================================
@@ -629,8 +800,8 @@ export const memberUpdate = mutation({
 export const inviteCreate = mutation({
   args: {
     groupId: v.optional(v.id("group")),
-    invitedByUserId: v.id("user"),
-    email: v.string(),
+    invitedByUserId: v.optional(v.id("user")),
+    email: v.optional(v.string()),
     tokenHash: v.string(),
     role: v.optional(v.string()),
     status: v.union(
@@ -639,42 +810,48 @@ export const inviteCreate = mutation({
       v.literal("revoked"),
       v.literal("expired"),
     ),
-    expiresTime: v.number(),
+    expiresTime: v.optional(v.number()),
     extend: v.optional(v.any()),
   },
   handler: async (ctx, args) => {
-    if (args.groupId !== undefined) {
-      const existingGroupInvite = await ctx.db
-        .query("invite")
-        .withIndex("groupIdAndStatus", (q) =>
-          q.eq("groupId", args.groupId).eq("status", "pending"),
-        )
-        .filter((q) => q.eq(q.field("email"), args.email))
-        .first();
-      if (existingGroupInvite !== null) {
-        throw new ConvexError({
-          code: "DUPLICATE_INVITE",
-          message: "A pending invite already exists for this email in this group",
-          email: args.email,
-          groupId: args.groupId,
-          existingInviteId: existingGroupInvite._id,
-        });
-      }
-    } else {
-      const existingPlatformInvite = await ctx.db
-        .query("invite")
-        .withIndex("emailAndStatus", (q) =>
-          q.eq("email", args.email).eq("status", "pending"),
-        )
-        .filter((q) => q.eq(q.field("groupId"), undefined))
-        .first();
-      if (existingPlatformInvite !== null) {
-        throw new ConvexError({
-          code: "DUPLICATE_INVITE",
-          message: "A pending platform invite already exists for this email",
-          email: args.email,
-          existingInviteId: existingPlatformInvite._id,
-        });
+    // Only check for duplicates when an email is provided.
+    // CLI-generated invites (no email) are always allowed.
+    if (args.email !== undefined) {
+      if (args.groupId !== undefined) {
+        const existingGroupInvite = await ctx.db
+          .query("invite")
+          .withIndex("groupIdAndStatus", (q) =>
+            q.eq("groupId", args.groupId).eq("status", "pending"),
+          )
+          .filter((q) => q.eq(q.field("email"), args.email))
+          .first();
+        if (existingGroupInvite !== null) {
+          throw new ConvexError({
+            code: "DUPLICATE_INVITE",
+            message:
+              "A pending invite already exists for this email in this group",
+            email: args.email,
+            groupId: args.groupId,
+            existingInviteId: existingGroupInvite._id,
+          });
+        }
+      } else {
+        const existingPlatformInvite = await ctx.db
+          .query("invite")
+          .withIndex("emailAndStatus", (q) =>
+            q.eq("email", args.email).eq("status", "pending"),
+          )
+          .filter((q) => q.eq(q.field("groupId"), undefined))
+          .first();
+        if (existingPlatformInvite !== null) {
+          throw new ConvexError({
+            code: "DUPLICATE_INVITE",
+            message:
+              "A pending platform invite already exists for this email",
+            email: args.email,
+            existingInviteId: existingPlatformInvite._id,
+          });
+        }
       }
     }
     return await ctx.db.insert("invite", args);
@@ -689,6 +866,17 @@ export const inviteGet = query({
   },
 });
 
+/** Retrieve an invite by its token hash. Returns `null` if not found. */
+export const inviteGetByTokenHash = query({
+  args: { tokenHash: v.string() },
+  handler: async (ctx, { tokenHash }) => {
+    return await ctx.db
+      .query("invite")
+      .withIndex("tokenHash", (q) => q.eq("tokenHash", tokenHash))
+      .unique();
+  },
+});
+
 /**
  * List invites, optionally filtered by group and/or status.
  * Both `groupId` and `status` are optional filters.
@@ -740,8 +928,11 @@ export const inviteList = query({
  * The caller is responsible for creating the corresponding member record.
  */
 export const inviteAccept = mutation({
-  args: { inviteId: v.id("invite") },
-  handler: async (ctx, { inviteId }) => {
+  args: {
+    inviteId: v.id("invite"),
+    acceptedByUserId: v.optional(v.id("user")),
+  },
+  handler: async (ctx, { inviteId, acceptedByUserId }) => {
     const invite = await ctx.db.get(inviteId);
     if (invite === null) {
       throw new ConvexError({
@@ -761,6 +952,7 @@ export const inviteAccept = mutation({
     await ctx.db.patch(inviteId, {
       status: "accepted",
       acceptedTime: Date.now(),
+      ...(acceptedByUserId ? { acceptedByUserId } : {}),
     });
   },
 });
@@ -793,3 +985,5 @@ export const inviteRevoke = mutation({
     await ctx.db.patch(inviteId, { status: "revoked" });
   },
 });
+
+

package/src/component/schema.ts

@@ -96,6 +96,61 @@ export default defineSchema({
     signature: v.optional(v.string()),
   }).index("signature", ["signature"]),
 
+  /**
+   * WebAuthn passkey credentials. Each credential links a user to a
+   * registered authenticator (Touch ID, Face ID, security key, etc.).
+   * A user can have multiple passkeys across different devices.
+   */
+  passkey: defineTable({
+    userId: v.id("user"),
+    /** Base64url-encoded credential ID from the authenticator. */
+    credentialId: v.string(),
+    /** Public key bytes (SEC1 uncompressed for EC, SPKI for RSA). */
+    publicKey: v.bytes(),
+    /** COSE algorithm identifier (-7 for ES256, -257 for RS256, -8 for EdDSA). */
+    algorithm: v.number(),
+    /** Signature counter for clone detection. Many authenticators return 0. */
+    counter: v.number(),
+    /** Authenticator transport hints (e.g. "internal", "hybrid", "usb", "ble", "nfc"). */
+    transports: v.optional(v.array(v.string())),
+    /** Whether this is a single-device or multi-device (synced) credential. */
+    deviceType: v.string(),
+    /** Whether the credential is backed up (synced passkey). */
+    backedUp: v.boolean(),
+    /** User-assigned friendly name (e.g. "MacBook Touch ID"). */
+    name: v.optional(v.string()),
+    createdAt: v.number(),
+    lastUsedAt: v.optional(v.number()),
+  })
+    .index("userId", ["userId"])
+    .index("credentialId", ["credentialId"]),
+
+  /**
+   * TOTP two-factor authentication secrets. Each record links a user to
+   * an authenticator app. A user can have multiple TOTP enrollments
+   * (e.g. different authenticator apps) but typically has one.
+   *
+   * The `verified` flag indicates whether the user has completed setup
+   * by successfully entering a code from their authenticator app.
+   * Unverified enrollments are in-progress setup that can be discarded.
+   */
+  totp: defineTable({
+    userId: v.id("user"),
+    /** Raw TOTP secret key bytes. */
+    secret: v.bytes(),
+    /** Number of digits in each code (typically 6). */
+    digits: v.number(),
+    /** Time period in seconds for code rotation (typically 30). */
+    period: v.number(),
+    /** Whether setup has been confirmed with a valid code. */
+    verified: v.boolean(),
+    /** User-assigned friendly name (e.g. "Google Authenticator"). */
+    name: v.optional(v.string()),
+    createdAt: v.number(),
+    lastUsedAt: v.optional(v.number()),
+  })
+    .index("userId", ["userId"]),
+
   /**
    * Rate limit tracking for OTP and password sign-in attempts.
    */
@@ -136,14 +191,17 @@ export default defineSchema({
     .index("userId", ["userId"]),
 
   /**
-   * Group invitations. Tracks pending, accepted, revoked, and expired
-   * invitations to join a group. Uses a hashed token for secure
-   * invitation links.
+   * Invitations. Tracks pending, accepted, revoked, and expired
+   * invitations. Optionally scoped to a group via `groupId`, or
+   * platform-level when `groupId` is omitted.
+   *
+   * `email` and `invitedByUserId` are optional to support CLI-generated
+   * invite links where neither is known upfront (e.g. portal admin invites).
    */
   invite: defineTable({
     groupId: v.optional(v.id("group")),
-    invitedByUserId: v.id("user"),
-    email: v.string(),
+    invitedByUserId: v.optional(v.id("user")),
+    email: v.optional(v.string()),
     tokenHash: v.string(),
     role: v.optional(v.string()),
     status: v.union(
@@ -152,7 +210,7 @@ export default defineSchema({
       v.literal("revoked"),
       v.literal("expired"),
     ),
-    expiresTime: v.number(),
+    expiresTime: v.optional(v.number()),
     acceptedByUserId: v.optional(v.id("user")),
     acceptedTime: v.optional(v.number()),
     extend: v.optional(v.any()),
@@ -162,5 +220,10 @@ export default defineSchema({
     .index("emailAndStatus", ["email", "status"])
     .index("invitedByUserIdAndStatus", ["invitedByUserId", "status"])
     .index("groupId", ["groupId"])
-    .index("groupIdAndStatus", ["groupId", "status"]),
+    .index("groupIdAndStatus", ["groupId", "status"])
+    .index("roleAndStatusAndAcceptedByUserId", [
+      "role",
+      "status",
+      "acceptedByUserId",
+    ]),
 });

package/src/providers/{Anonymous.ts → anonymous.ts}

@@ -1,22 +1,21 @@
 /**
- * Configure {@link Anonymous} provider given an {@link AnonymousConfig}.
+ * Configure {@link anonymous} provider given an {@link AnonymousConfig}.
  *
  * ```ts
- * import { Anonymous } from "@robelest/convex-auth/providers/Anonymous";
- * import { convexAuth } from "@robelest/convex-auth/component";
+ * import anonymous from "@robelest/convex-auth/providers/anonymous";
+ * import { Auth } from "@robelest/convex-auth/component";
  *
- * export const { auth, signIn, signOut, store } = convexAuth({
- *   providers: [Anonymous],
+ * export const { auth, signIn, signOut, store } = Auth({
+ *   providers: [anonymous],
  * });
  * ```
  *
  * @module
  */
 
-import convexCredentials from "@robelest/convex-auth/providers/ConvexCredentials";
+import credentials from "@robelest/convex-auth/providers/credentials";
 import {
   GenericActionCtxWithAuthConfig,
-  createAccount,
 } from "@robelest/convex-auth/component";
 import {
   DocumentByName,
@@ -26,12 +25,12 @@ import {
 import { Value } from "convex/values";
 
 /**
- * The available options to an {@link Anonymous} provider for Convex Auth.
+ * The available options to an {@link anonymous} provider for Convex Auth.
  */
 export interface AnonymousConfig<DataModel extends GenericDataModel> {
   /**
    * Uniquely identifies the provider, allowing to use
-   * multiple different {@link Anonymous} providers.
+   * multiple different {@link anonymous} providers.
    */
   id?: string;
   /**
@@ -62,11 +61,11 @@ export default function anonymous<DataModel extends GenericDataModel>(
   config: AnonymousConfig<DataModel> = {},
 ) {
   const provider = config.id ?? "anonymous";
-  return convexCredentials<DataModel>({
+  return credentials<DataModel>({
     id: "anonymous",
     authorize: async (params, ctx) => {
       const profile = config.profile?.(params, ctx) ?? { isAnonymous: true };
-      const { user } = await createAccount(ctx, {
+      const { user } = await ctx.auth.account.create(ctx, {
         provider,
         account: { id: crypto.randomUUID() },
         profile: profile as any,

package/src/providers/{ConvexCredentials.ts → credentials.ts}

@@ -1,16 +1,16 @@
 /**
- * Configure {@link ConvexCredentials} provider given a {@link ConvexCredentialsUserConfig}.
+ * Configure {@link credentials} provider given a {@link CredentialsUserConfig}.
  *
  * This is for a very custom authentication implementation, often you can
- * use the [`Password`](https://labs.convex.dev/auth/api_reference/providers/Password) provider instead.
+ * use the [`password`](https://labs.convex.dev/auth/api_reference/providers/password) provider instead.
  *
  * ```ts
- * import ConvexCredentials from "@robelest/convex-auth/providers/ConvexCredentials";
- * import { convexAuth } from "@robelest/convex-auth/component";
+ * import credentials from "@robelest/convex-auth/providers/credentials";
+ * import { Auth } from "@robelest/convex-auth/component";
  *
- * export const { auth, signIn, signOut, store } = convexAuth({
+ * export const { auth, signIn, signOut, store } = Auth({
  *   providers: [
- *     ConvexCredentials({
+ *     credentials({
  *       authorize: async (credentials, ctx) => {
  *         // Your custom logic here...
  *       },
@@ -31,14 +31,14 @@ import { GenericDataModel } from "convex/server";
 import { GenericId, Value } from "convex/values";
 
 /**
- * The available options to a {@link ConvexCredentials} provider for Convex Auth.
+ * The available options to a {@link credentials} provider for Convex Auth.
  */
-export interface ConvexCredentialsUserConfig<
+export interface CredentialsUserConfig<
   DataModel extends GenericDataModel = GenericDataModel,
 > {
   /**
    * Uniquely identifies the provider, allowing to use
-   * multiple different {@link ConvexCredentials} providers.
+   * multiple different {@link credentials} providers.
    */
   id?: string;
   /**
@@ -95,8 +95,8 @@ export interface ConvexCredentialsUserConfig<
  * The Credentials provider allows you to handle signing in with arbitrary credentials,
  * such as a username and password, domain, or two factor authentication or hardware device (e.g. YubiKey U2F / FIDO).
  */
-export default function convexCredentials<DataModel extends GenericDataModel>(
-  config: ConvexCredentialsUserConfig<DataModel>,
+export default function credentials<DataModel extends GenericDataModel>(
+  config: CredentialsUserConfig<DataModel>,
 ): ConvexCredentialsConfig {
   return {
     id: "credentials",

package/src/providers/{Email.ts → email.ts}

@@ -19,19 +19,19 @@ import { EmailConfig, EmailUserConfig } from "../server/types.js";
  * you can override the `authorize` method to skip the check:
  *
  * ```ts
- * import Email from "@robelest/convex-auth/providers/Email";
- * import { convexAuth } from "@robelest/convex-auth/component";
+ * import email from "@robelest/convex-auth/providers/email";
+ * import { Auth } from "@robelest/convex-auth/component";
  *
- * export const { auth, signIn, signOut, store } = convexAuth({
+ * export const { auth, signIn, signOut, store } = Auth({
  *   providers: [
- *     Email({ authorize: undefined }),
+ *     email({ authorize: undefined }),
  *   ],
  * });
  * ```
  *
  * Make sure the token has high enough entropy to be secure.
  */
-export function Email<DataModel extends GenericDataModel>(
+export default function email<DataModel extends GenericDataModel>(
   config: EmailUserConfig<DataModel> &
     Pick<EmailConfig, "sendVerificationRequest">,
 ): EmailConfig<DataModel> {

package/src/providers/passkey.ts

@@ -0,0 +1,35 @@
+import { PasskeyProviderConfig } from "../server/types.js";
+
+/**
+ * Passkey (WebAuthn) authentication provider.
+ *
+ * Enables passwordless authentication via biometrics, security keys,
+ * and synced passkeys using the Web Authentication API.
+ *
+ * ```ts
+ * import passkey from "@robelest/convex-auth/providers/passkey";
+ *
+ * export const { auth, signIn, signOut, store } = Auth({
+ *   component: components.auth,
+ *   providers: [passkey()],
+ * });
+ * ```
+ *
+ * @param config Optional configuration for the relying party and credential options.
+ */
+export default function passkey(
+  config?: Partial<PasskeyProviderConfig["options"]>,
+): PasskeyProviderConfig {
+  return {
+    id: "passkey",
+    type: "passkey",
+    options: {
+      attestation: "none",
+      userVerification: "required",
+      residentKey: "preferred",
+      algorithms: [-7, -257], // ES256, RS256
+      challengeExpirationMs: 300_000, // 5 minutes
+      ...config,
+    },
+  };
+}