@robelest/convex-auth 0.0.2-preview.2 → 0.0.3-preview

package/src/server/portal-email.ts

@@ -0,0 +1,95 @@
+/**
+ * Styled dark-theme magic link email template for the Convex Auth Portal.
+ *
+ * Matches the portal's design system:
+ * - Background: #1e1c1a (body), #2a2825 (card)
+ * - Accent: #63a8f8 (Convex blue)
+ * - Text: #ffffff (headings), #b9b1aa (secondary), #8f8780 (muted)
+ * - Border: #4a4743
+ *
+ * @module
+ */
+
+const SHIELD_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" viewBox="0 0 24 24" fill="none" stroke="#63a8f8" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M20 13c0 5-3.5 7.5-7.66 8.95a1 1 0 0 1-.67-.01C7.5 20.5 4 18 4 13V6a1 1 0 0 1 1-1c2 0 4.5-1.2 6.24-2.72a1.17 1.17 0 0 1 1.52 0C14.51 3.81 17 5 19 5a1 1 0 0 1 1 1z"/></svg>`;
+
+/**
+ * Generate the styled magic link email HTML.
+ *
+ * @param url - The magic link URL the user clicks to sign in.
+ * @param expiresInHours - How long the link is valid (shown in the email).
+ */
+export function portalMagicLinkEmail(
+  url: string,
+  expiresInHours: number = 24,
+): string {
+  const expiryText =
+    expiresInHours >= 24
+      ? `${Math.floor(expiresInHours / 24)} day${Math.floor(expiresInHours / 24) > 1 ? "s" : ""}`
+      : `${expiresInHours} hour${expiresInHours > 1 ? "s" : ""}`;
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <meta name="color-scheme" content="dark" />
+  <meta name="supported-color-schemes" content="dark" />
+  <title>Sign in to Convex Auth Portal</title>
+</head>
+<body style="margin:0;padding:0;background-color:#1e1c1a;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica Neue',Arial,sans-serif;">
+  <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background-color:#1e1c1a;padding:40px 16px;">
+    <tr>
+      <td align="center">
+        <table role="presentation" width="480" cellpadding="0" cellspacing="0" style="background-color:#2a2825;border:1px solid #4a4743;border-radius:8px;overflow:hidden;">
+          <!-- Header -->
+          <tr>
+            <td style="padding:32px 32px 0 32px;text-align:center;">
+              ${SHIELD_SVG}
+              <h1 style="margin:16px 0 0 0;font-size:20px;font-weight:600;color:#ffffff;line-height:1.3;">
+                Convex Auth Portal
+              </h1>
+            </td>
+          </tr>
+
+          <!-- Body -->
+          <tr>
+            <td style="padding:24px 32px;">
+              <p style="margin:0 0 20px 0;font-size:15px;line-height:1.6;color:#b9b1aa;">
+                Click the button below to sign in to the admin portal. This link will expire in ${expiryText}.
+              </p>
+
+              <!-- CTA Button -->
+              <table role="presentation" width="100%" cellpadding="0" cellspacing="0">
+                <tr>
+                  <td align="center" style="padding:8px 0 24px 0;">
+                    <a href="${url}" target="_blank" style="display:inline-block;background-color:#63a8f8;color:#0a0a0b;font-size:15px;font-weight:600;text-decoration:none;padding:12px 32px;border-radius:6px;line-height:1;">
+                      Sign in to Portal
+                    </a>
+                  </td>
+                </tr>
+              </table>
+
+              <p style="margin:0 0 16px 0;font-size:13px;line-height:1.6;color:#8f8780;">
+                If the button doesn't work, copy and paste this URL into your browser:
+              </p>
+              <p style="margin:0;font-size:13px;line-height:1.5;color:#63a8f8;word-break:break-all;">
+                ${url}
+              </p>
+            </td>
+          </tr>
+
+          <!-- Footer -->
+          <tr>
+            <td style="padding:20px 32px;border-top:1px solid #4a4743;">
+              <p style="margin:0;font-size:12px;line-height:1.5;color:#8f8780;text-align:center;">
+                If you didn't request this email, you can safely ignore it.
+              </p>
+            </td>
+          </tr>
+        </table>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>`;
+}

package/src/server/provider_utils.ts

@@ -79,8 +79,41 @@ function materializeAndDefaultProviders(config_: ConvexAuthConfig) {
   );
   const config = { ...config_, providers };
 
+  // setEnvDefaults is from Auth.js and only works with Auth.js provider types.
+  // Filter out passkey and TOTP providers before passing to setEnvDefaults,
+  // then reinsert them at their original positions.
+  const passkeyIndices: number[] = [];
+  const passkeyProviders: AuthProviderMaterializedConfig[] = [];
+  const totpIndices: number[] = [];
+  const totpProviders: AuthProviderMaterializedConfig[] = [];
+  const filteredProviders = config.providers.filter((p, i) => {
+    if (p.type === "passkey") {
+      passkeyIndices.push(i);
+      passkeyProviders.push(p);
+      return false;
+    }
+    if (p.type === "totp") {
+      totpIndices.push(i);
+      totpProviders.push(p);
+      return false;
+    }
+    return true;
+  });
+
   // Unfortunately mutates its argument
-  setEnvDefaults(process.env, config as any);
+  const tempConfig = { ...config, providers: filteredProviders };
+  setEnvDefaults(process.env, tempConfig as any);
+
+  // Reinsert passkey and TOTP providers at their original positions
+  const merged = [...tempConfig.providers];
+  for (let i = 0; i < passkeyIndices.length; i++) {
+    merged.splice(passkeyIndices[i]!, 0, passkeyProviders[i]!);
+  }
+  for (let i = 0; i < totpIndices.length; i++) {
+    merged.splice(totpIndices[i]!, 0, totpProviders[i]!);
+  }
+  config.providers = merged;
+
   // Manually do this for new provider type
   config.providers.forEach((provider) => {
     if (provider.type === "phone") {
@@ -94,6 +127,14 @@ function materializeAndDefaultProviders(config_: ConvexAuthConfig) {
 }
 
 function providerDefaults(provider: AuthProviderMaterializedConfig) {
+  // Passkey providers don't use Auth.js options merge or OAuth normalization
+  if (provider.type === "passkey") {
+    return provider;
+  }
+  // TOTP providers don't use Auth.js options merge or OAuth normalization
+  if (provider.type === "totp") {
+    return provider;
+  }
   // TODO: Add `redirectProxyUrl` to oauth providers
   const merged = merge(
     provider,

package/src/server/types.ts

@@ -5,7 +5,7 @@ import {
   OAuth2Config,
   OIDCConfig,
 } from "@auth/core/providers";
-import { Theme } from "@auth/core/types";
+import { Awaitable, Theme } from "@auth/core/types";
 import {
   AnyDataModel,
   FunctionReference,
@@ -82,6 +82,60 @@ export type ConvexAuthConfig = {
      */
     maxFailedAttempsPerHour?: number;
   };
+  /**
+   * API key configuration for programmatic access.
+   *
+   * Enables `auth.key.*` helpers for creating, verifying, and managing
+   * API keys with scoped permissions and optional per-key rate limiting.
+   */
+  apiKeys?: ApiKeyConfig;
+  /**
+   * Email transport configuration.
+   *
+   * Required for magic link authentication and the admin portal.
+   * The library generates email content (subject, styled HTML); you
+   * provide the delivery mechanism — Resend, SendGrid, SES, Postmark,
+   * or any other provider.
+   *
+   * When configured, a magic link email provider (`id: "email"`) is
+   * auto-registered — no need to add a separate Auth.js email provider
+   * to `providers`.
+   *
+   * Works seamlessly with the `@convex-dev/resend` Convex component:
+   *
+   * ```ts
+   * import { Resend } from "@convex-dev/resend";
+   *
+   * const resend = new Resend(components.resend, { testMode: false });
+   *
+   * const auth = new Auth(components.auth, {
+   *   providers: [google],
+   *   email: {
+   *     from: "My App <noreply@example.com>",
+   *     send: (ctx, params) => resend.sendEmail(ctx, params),
+   *   },
+   * });
+   * ```
+   *
+   * Or with any email API directly:
+   *
+   * ```ts
+   * email: {
+   *   from: "My App <noreply@example.com>",
+   *   send: async (_ctx, { from, to, subject, html }) => {
+   *     await fetch("https://api.resend.com/emails", {
+   *       method: "POST",
+   *       headers: {
+   *         Authorization: `Bearer ${process.env.AUTH_RESEND_KEY}`,
+   *         "Content-Type": "application/json",
+   *       },
+   *       body: JSON.stringify({ from, to, subject, html }),
+   *     });
+   *   },
+   * },
+   * ```
+   */
+  email?: EmailTransport;
   callbacks?: {
     /**
      * Control which URLs are allowed as a destination after OAuth sign-in
@@ -245,7 +299,11 @@ export type AuthProviderConfig =
   | ConvexCredentialsConfig
   | ((...args: any) => ConvexCredentialsConfig)
   | PhoneConfig
-  | ((...args: any) => PhoneConfig);
+  | ((...args: any) => PhoneConfig)
+  | PasskeyProviderConfig
+  | ((...args: any) => PasskeyProviderConfig)
+  | TotpProviderConfig
+  | ((...args: any) => TotpProviderConfig);
 
 /**
  * Extends the standard Auth.js email provider config
@@ -254,11 +312,30 @@ export type AuthProviderConfig =
 export interface EmailConfig<
   DataModel extends GenericDataModel = GenericDataModel,
 > extends AuthjsEmailConfig {
+  /**
+   * Send the verification token to the user.
+   *
+   * Overrides the Auth.js 1-arg signature to accept an optional
+   * Convex action context as the second argument. Library-native
+   * email providers use `ctx` to call `email.send(ctx, params)`.
+   */
+  sendVerificationRequest: (
+    params: {
+      identifier: string;
+      url: string;
+      expires: Date;
+      provider: AuthjsEmailConfig;
+      token: string;
+      theme: Theme;
+      request: Request;
+    },
+    ctx?: GenericActionCtx<AnyDataModel>,
+  ) => Awaitable<void>;
   /**
    * Before the token is verified, check other
    * provided parameters.
    *
-   * Used to make sure tha OTPs are accompanied
+   * Used to make sure that OTPs are accompanied
    * with the correct email address.
    */
   authorize?: (
@@ -354,6 +431,50 @@ export type ConvexCredentialsConfig = CredentialsUserConfig<any> & {
   id: string;
 };
 
+/**
+ * Configuration for the passkey (WebAuthn) provider.
+ */
+export interface PasskeyProviderConfig {
+  id: string;
+  type: "passkey";
+  options: {
+    /** Relying Party display name. Defaults to SITE_URL hostname. */
+    rpName?: string;
+    /** Relying Party ID (hostname). Defaults to SITE_URL hostname. */
+    rpId?: string;
+    /** Allowed origins for credential verification. Defaults to SITE_URL. */
+    origin?: string | string[];
+    /** Attestation conveyance preference. Defaults to "none". */
+    attestation?: "none" | "direct";
+    /** User verification requirement. Defaults to "required". */
+    userVerification?: "required" | "preferred" | "discouraged";
+    /** Resident key (discoverable credential) preference. Defaults to "preferred". */
+    residentKey?: "required" | "preferred" | "discouraged";
+    /** Restrict to platform or cross-platform authenticators. */
+    authenticatorAttachment?: "platform" | "cross-platform";
+    /** Supported COSE algorithms. Defaults to [-7 (ES256), -257 (RS256)]. */
+    algorithms?: number[];
+    /** Challenge expiration in ms. Defaults to 300_000 (5 minutes). */
+    challengeExpirationMs?: number;
+  };
+}
+
+/**
+ * Configuration for the TOTP two-factor authentication provider.
+ */
+export interface TotpProviderConfig {
+  id: string;
+  type: "totp";
+  options: {
+    /** Issuer name shown in authenticator apps (e.g. "My App"). */
+    issuer: string;
+    /** Number of digits in each code (default: 6). */
+    digits: number;
+    /** Time period in seconds for code rotation (default: 30). */
+    period: number;
+  };
+}
+
 export type AuthAccountCredentials = {
   id: string;
   secret?: string;
@@ -472,7 +593,146 @@ export type AuthProviderMaterializedConfig =
   | OAuth2Config<any>
   | EmailConfig
   | PhoneConfig
-  | ConvexCredentialsConfig;
+  | ConvexCredentialsConfig
+  | PasskeyProviderConfig
+  | TotpProviderConfig;
+
+// ============================================================================
+// Email transport types
+// ============================================================================
+
+/**
+ * Email delivery parameters passed to `EmailTransport.send`.
+ */
+export interface EmailMessage {
+  /** Sender address (from `email.from` in your Auth config). */
+  from: string;
+  /** Recipient email address. */
+  to: string;
+  /** Email subject line. */
+  subject: string;
+  /** HTML body content. */
+  html: string;
+}
+
+/**
+ * Email transport configuration for the Auth library.
+ *
+ * Provides a delivery mechanism for library-generated emails
+ * (magic links, portal admin sign-in). The library owns the
+ * email content; you provide the transport.
+ */
+export interface EmailTransport {
+  /** Sender address shown in the From field (e.g. "My App \<noreply@example.com\>"). */
+  from: string;
+  /**
+   * Deliver an email. Called by the library for magic links and portal emails.
+   *
+   * Receives the Convex action context as the first argument, enabling
+   * use with Convex components like `@convex-dev/resend`:
+   *
+   * ```ts
+   * send: (ctx, params) => resend.sendEmail(ctx, params)
+   * ```
+   *
+   * For plain HTTP email APIs, ignore the `ctx` parameter:
+   *
+   * ```ts
+   * send: async (_ctx, { from, to, subject, html }) => {
+   *   await fetch("https://api.resend.com/emails", { ... });
+   * }
+   * ```
+   */
+  send: (
+    ctx: GenericActionCtx<any>,
+    params: EmailMessage,
+  ) => Promise<void>;
+}
+
+// ============================================================================
+// API Key types
+// ============================================================================
+
+/**
+ * A single scope entry stored per API key.
+ * Uses a resource:action pattern for structured permissions.
+ *
+ * ```ts
+ * { resource: "users", actions: ["read", "list"] }
+ * ```
+ */
+export interface KeyScope {
+  resource: string;
+  actions: string[];
+}
+
+/**
+ * Result of scope verification. Provides a `.can()` helper
+ * for checking if a key has a specific permission.
+ *
+ * ```ts
+ * const result = await auth.key.verify(ctx, rawKey);
+ * if (result.scopes.can("users", "read")) {
+ *   // authorized
+ * }
+ * ```
+ */
+export interface ScopeChecker {
+  /** Check if the key has permission for a given resource:action. */
+  can(resource: string, action: string): boolean;
+  /** The raw scope entries from the key. */
+  scopes: KeyScope[];
+}
+
+/**
+ * Configuration for API key support on the Auth class.
+ *
+ * ```ts
+ * const auth = new Auth(components.auth, {
+ *   providers: [github],
+ *   apiKeys: {
+ *     scopes: {
+ *       users: ["read", "list", "create", "delete"],
+ *       messages: ["read", "write"],
+ *     },
+ *     defaultRateLimit: { maxRequests: 1000, windowMs: 3600000 },
+ *   },
+ * });
+ * ```
+ */
+export interface ApiKeyConfig {
+  /**
+   * Define the available resource:action scopes for your API keys.
+   * Keys can only be created with scopes that are a subset of these.
+   */
+  scopes?: Record<string, string[]>;
+  /**
+   * Default rate limit applied to new keys when not specified per-key.
+   * Uses a token-bucket algorithm.
+   */
+  defaultRateLimit?: { maxRequests: number; windowMs: number };
+  /**
+   * Key prefix. Defaults to `"sk_live_"`.
+   */
+  prefix?: string;
+}
+
+/**
+ * An API key record as returned by `auth.key.list()` and `auth.key.get()`.
+ * Never includes the raw key material — only the display prefix.
+ */
+export interface KeyRecord {
+  _id: string;
+  userId: string;
+  prefix: string;
+  name: string;
+  scopes: KeyScope[];
+  rateLimit?: { maxRequests: number; windowMs: number };
+  expiresAt?: number;
+  lastUsedAt?: number;
+  createdAt: number;
+  revoked: boolean;
+}
 
 /**
  * Component function references required by core auth runtime.
@@ -528,8 +788,29 @@ export type AuthComponentApi = {
     memberUpdate: FunctionReference<"mutation", "internal">;
     inviteCreate: FunctionReference<"mutation", "internal">;
     inviteGet: FunctionReference<"query", "internal">;
+    inviteGetByTokenHash: FunctionReference<"query", "internal">;
     inviteList: FunctionReference<"query", "internal">;
     inviteAccept: FunctionReference<"mutation", "internal">;
     inviteRevoke: FunctionReference<"mutation", "internal">;
+    keyInsert: FunctionReference<"mutation", "internal">;
+    keyGetByHashedKey: FunctionReference<"query", "internal">;
+    keyGetById: FunctionReference<"query", "internal">;
+    keyList: FunctionReference<"query", "internal">;
+    keyListByUserId: FunctionReference<"query", "internal">;
+    keyPatch: FunctionReference<"mutation", "internal">;
+    keyDelete: FunctionReference<"mutation", "internal">;
+    passkeyInsert: FunctionReference<"mutation", "internal">;
+    passkeyGetByCredentialId: FunctionReference<"query", "internal">;
+    passkeyListByUserId: FunctionReference<"query", "internal">;
+    passkeyUpdateCounter: FunctionReference<"mutation", "internal">;
+    passkeyUpdateMeta: FunctionReference<"mutation", "internal">;
+    passkeyDelete: FunctionReference<"mutation", "internal">;
+    totpInsert: FunctionReference<"mutation", "internal", any, any>;
+    totpGetVerifiedByUserId: FunctionReference<"query", "internal", any, any>;
+    totpListByUserId: FunctionReference<"query", "internal", any, any>;
+    totpGetById: FunctionReference<"query", "internal", any, any>;
+    totpMarkVerified: FunctionReference<"mutation", "internal", any, any>;
+    totpUpdateLastUsed: FunctionReference<"mutation", "internal", any, any>;
+    totpDelete: FunctionReference<"mutation", "internal", any, any>;
   };
 };

package/src/server/version.ts

@@ -0,0 +1,2 @@
+// Auto-generated by scripts/generate-version.js — do not edit.
+export const AUTH_VERSION = "0.0.3-preview";