npm - @robelest/convex-auth - Versions diffs - 0.0.2 → 0.0.3-preview.1 - Mend

@robelest/convex-auth 0.0.2 → 0.0.3-preview.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (173) hide show

package/dist/bin.cjs +1 -1
package/dist/client/index.d.ts +33 -9
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +79 -13
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/component.d.ts +48 -0
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/index.d.ts +10 -4
package/dist/component/index.d.ts.map +1 -1
package/dist/component/index.js +8 -3
package/dist/component/index.js.map +1 -1
package/dist/component/public.d.ts +163 -3
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +124 -0
package/dist/component/public.js.map +1 -1
package/dist/component/schema.d.ts +81 -2
package/dist/component/schema.d.ts.map +1 -1
package/dist/component/schema.js +45 -0
package/dist/component/schema.js.map +1 -1
package/dist/providers/anonymous.d.ts +3 -0
package/dist/providers/anonymous.d.ts.map +1 -1
package/dist/providers/anonymous.js +3 -0
package/dist/providers/anonymous.js.map +1 -1
package/dist/providers/credentials.d.ts +3 -0
package/dist/providers/credentials.d.ts.map +1 -1
package/dist/providers/credentials.js +3 -0
package/dist/providers/credentials.js.map +1 -1
package/dist/providers/email.d.ts +3 -0
package/dist/providers/email.d.ts.map +1 -1
package/dist/providers/email.js +3 -0
package/dist/providers/email.js.map +1 -1
package/dist/providers/passkey.d.ts +7 -1
package/dist/providers/passkey.d.ts.map +1 -1
package/dist/providers/passkey.js +7 -1
package/dist/providers/passkey.js.map +1 -1
package/dist/providers/password.d.ts +3 -0
package/dist/providers/password.d.ts.map +1 -1
package/dist/providers/password.js +3 -0
package/dist/providers/password.js.map +1 -1
package/dist/providers/phone.d.ts +3 -0
package/dist/providers/phone.d.ts.map +1 -1
package/dist/providers/phone.js +3 -0
package/dist/providers/phone.js.map +1 -1
package/dist/providers/totp.d.ts +8 -0
package/dist/providers/totp.d.ts.map +1 -1
package/dist/providers/totp.js +8 -0
package/dist/providers/totp.js.map +1 -1
package/dist/server/convex-auth.d.ts +185 -25
package/dist/server/convex-auth.d.ts.map +1 -1
package/dist/server/convex-auth.js +317 -58
package/dist/server/convex-auth.js.map +1 -1
package/dist/server/email-templates.d.ts +18 -0
package/dist/server/email-templates.d.ts.map +1 -0
package/dist/server/email-templates.js +74 -0
package/dist/server/email-templates.js.map +1 -0
package/dist/server/errors.d.ts +146 -0
package/dist/server/errors.d.ts.map +1 -0
package/dist/server/errors.js +176 -0
package/dist/server/errors.js.map +1 -0
package/dist/server/implementation/apiKey.d.ts +74 -0
package/dist/server/implementation/apiKey.d.ts.map +1 -0
package/dist/server/implementation/apiKey.js +139 -0
package/dist/server/implementation/apiKey.js.map +1 -0
package/dist/server/implementation/index.d.ts +151 -14
package/dist/server/implementation/index.d.ts.map +1 -1
package/dist/server/implementation/index.js +216 -24
package/dist/server/implementation/index.js.map +1 -1
package/dist/server/implementation/mutations/createAccountFromCredentials.d.ts.map +1 -1
package/dist/server/implementation/mutations/createAccountFromCredentials.js +2 -1
package/dist/server/implementation/mutations/createAccountFromCredentials.js.map +1 -1
package/dist/server/implementation/mutations/createVerificationCode.d.ts +2 -2
package/dist/server/implementation/mutations/index.d.ts +6 -6
package/dist/server/implementation/mutations/modifyAccount.d.ts.map +1 -1
package/dist/server/implementation/mutations/modifyAccount.js +2 -1
package/dist/server/implementation/mutations/modifyAccount.js.map +1 -1
package/dist/server/implementation/mutations/userOAuth.d.ts.map +1 -1
package/dist/server/implementation/mutations/userOAuth.js +2 -1
package/dist/server/implementation/mutations/userOAuth.js.map +1 -1
package/dist/server/implementation/mutations/verifierSignature.d.ts.map +1 -1
package/dist/server/implementation/mutations/verifierSignature.js +2 -1
package/dist/server/implementation/mutations/verifierSignature.js.map +1 -1
package/dist/server/implementation/passkey.d.ts.map +1 -1
package/dist/server/implementation/passkey.js +28 -29
package/dist/server/implementation/passkey.js.map +1 -1
package/dist/server/implementation/provider.d.ts.map +1 -1
package/dist/server/implementation/provider.js +5 -4
package/dist/server/implementation/provider.js.map +1 -1
package/dist/server/implementation/redirects.d.ts.map +1 -1
package/dist/server/implementation/redirects.js +2 -1
package/dist/server/implementation/redirects.js.map +1 -1
package/dist/server/implementation/refreshTokens.d.ts.map +1 -1
package/dist/server/implementation/refreshTokens.js +2 -1
package/dist/server/implementation/refreshTokens.js.map +1 -1
package/dist/server/implementation/signIn.d.ts.map +1 -1
package/dist/server/implementation/signIn.js +8 -18
package/dist/server/implementation/signIn.js.map +1 -1
package/dist/server/implementation/totp.d.ts.map +1 -1
package/dist/server/implementation/totp.js +16 -17
package/dist/server/implementation/totp.js.map +1 -1
package/dist/server/implementation/users.d.ts.map +1 -1
package/dist/server/implementation/users.js +3 -2
package/dist/server/implementation/users.js.map +1 -1
package/dist/server/index.d.ts +157 -3
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +180 -17
package/dist/server/index.js.map +1 -1
package/dist/server/oauth/authorizationUrl.d.ts.map +1 -1
package/dist/server/oauth/authorizationUrl.js +2 -1
package/dist/server/oauth/authorizationUrl.js.map +1 -1
package/dist/server/oauth/callback.d.ts.map +1 -1
package/dist/server/oauth/callback.js +5 -4
package/dist/server/oauth/callback.js.map +1 -1
package/dist/server/oauth/checks.d.ts.map +1 -1
package/dist/server/oauth/checks.js +2 -1
package/dist/server/oauth/checks.js.map +1 -1
package/dist/server/oauth/convexAuth.d.ts.map +1 -1
package/dist/server/oauth/convexAuth.js +3 -2
package/dist/server/oauth/convexAuth.js.map +1 -1
package/dist/server/provider_utils.d.ts +2 -0
package/dist/server/provider_utils.d.ts.map +1 -1
package/dist/server/types.d.ts +240 -5
package/dist/server/types.d.ts.map +1 -1
package/dist/server/utils.d.ts.map +1 -1
package/dist/server/utils.js +2 -1
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +2 -0
package/dist/server/version.d.ts.map +1 -0
package/dist/server/version.js +3 -0
package/dist/server/version.js.map +1 -0
package/package.json +7 -2
package/src/cli/index.ts +1 -1
package/src/cli/utils.ts +248 -0
package/src/client/index.ts +105 -15
package/src/component/_generated/component.ts +61 -0
package/src/component/index.ts +11 -2
package/src/component/public.ts +142 -0
package/src/component/schema.ts +52 -0
package/src/providers/anonymous.ts +3 -0
package/src/providers/credentials.ts +3 -0
package/src/providers/email.ts +3 -0
package/src/providers/passkey.ts +8 -1
package/src/providers/password.ts +3 -0
package/src/providers/phone.ts +3 -0
package/src/providers/totp.ts +9 -0
package/src/server/convex-auth.ts +385 -73
package/src/server/email-templates.ts +77 -0
package/src/server/errors.ts +269 -0
package/src/server/implementation/apiKey.ts +186 -0
package/src/server/implementation/index.ts +288 -28
package/src/server/implementation/mutations/createAccountFromCredentials.ts +2 -1
package/src/server/implementation/mutations/modifyAccount.ts +2 -3
package/src/server/implementation/mutations/userOAuth.ts +2 -1
package/src/server/implementation/mutations/verifierSignature.ts +2 -1
package/src/server/implementation/passkey.ts +33 -35
package/src/server/implementation/provider.ts +5 -8
package/src/server/implementation/redirects.ts +2 -3
package/src/server/implementation/refreshTokens.ts +2 -1
package/src/server/implementation/signIn.ts +9 -18
package/src/server/implementation/totp.ts +18 -21
package/src/server/implementation/users.ts +4 -7
package/src/server/index.ts +240 -37
package/src/server/oauth/authorizationUrl.ts +2 -1
package/src/server/oauth/callback.ts +5 -4
package/src/server/oauth/checks.ts +3 -1
package/src/server/oauth/convexAuth.ts +6 -3
package/src/server/types.ts +254 -5
package/src/server/utils.ts +3 -1
package/src/server/version.ts +2 -0
package/dist/server/portal.d.ts +0 -116
package/dist/server/portal.d.ts.map +0 -1
package/dist/server/portal.js +0 -294
package/dist/server/portal.js.map +0 -1
package/src/server/portal.ts +0 -375

package/src/component/public.ts CHANGED Viewed

@@ -986,4 +986,146 @@ export const inviteRevoke = mutation({
   },
 });
+// ============================================================================
+// API Keys
+// ============================================================================
+/**
+ * Insert a new API key record.
+ *
+ * The caller is responsible for hashing the raw key before passing it here —
+ * this function only stores the hash and metadata.
+ */
+export const keyInsert = mutation({
+  args: {
+    userId: v.id("user"),
+    prefix: v.string(),
+    hashedKey: v.string(),
+    name: v.string(),
+    scopes: v.array(
+      v.object({
+        resource: v.string(),
+        actions: v.array(v.string()),
+      }),
+    ),
+    rateLimit: v.optional(
+      v.object({
+        maxRequests: v.number(),
+        windowMs: v.number(),
+      }),
+    ),
+    expiresAt: v.optional(v.number()),
+  },
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("key", {
+      ...args,
+      createdAt: Date.now(),
+      revoked: false,
+    });
+  },
+});
+/**
+ * Look up an API key by its SHA-256 hash.
+ *
+ * Used during Bearer token verification. Returns the full key record
+ * (including rate limit state) or `null` if not found.
+ */
+export const keyGetByHashedKey = query({
+  args: { hashedKey: v.string() },
+  handler: async (ctx, { hashedKey }) => {
+    return await ctx.db
+      .query("key")
+      .withIndex("hashedKey", (q) => q.eq("hashedKey", hashedKey))
+      .first();
+  },
+});
+/** List all API keys for a user. */
+export const keyListByUserId = query({
+  args: { userId: v.id("user") },
+  handler: async (ctx, { userId }) => {
+    return await ctx.db
+      .query("key")
+      .withIndex("userId", (q) => q.eq("userId", userId))
+      .collect();
+  },
+});
+/** List all API keys across all users (for portal admin). */
+export const keyList = query({
+  args: {},
+  handler: async (ctx) => {
+    return await ctx.db.query("key").collect();
+  },
+});
+/** Get a single API key by document ID. */
+export const keyGetById = query({
+  args: { keyId: v.id("key") },
+  handler: async (ctx, { keyId }) => {
+    return await ctx.db.get(keyId);
+  },
+});
+/**
+ * Patch an API key record. Used for updating name, scopes, rate limit config,
+ * revocation, and lastUsedAt / rate limit state tracking.
+ */
+export const keyPatch = mutation({
+  args: {
+    keyId: v.id("key"),
+    data: v.object({
+      name: v.optional(v.string()),
+      scopes: v.optional(
+        v.array(
+          v.object({
+            resource: v.string(),
+            actions: v.array(v.string()),
+          }),
+        ),
+      ),
+      rateLimit: v.optional(
+        v.object({
+          maxRequests: v.number(),
+          windowMs: v.number(),
+        }),
+      ),
+      rateLimitState: v.optional(
+        v.object({
+          attemptsLeft: v.number(),
+          lastAttemptTime: v.number(),
+        }),
+      ),
+      revoked: v.optional(v.boolean()),
+      lastUsedAt: v.optional(v.number()),
+    }),
+  },
+  handler: async (ctx, { keyId, data }) => {
+    const key = await ctx.db.get(keyId);
+    if (key === null) {
+      throw new ConvexError({
+        code: "KEY_NOT_FOUND",
+        message: "API key not found",
+        keyId,
+      });
+    }
+    await ctx.db.patch(keyId, data);
+  },
+});
+/** Hard delete an API key record. */
+export const keyDelete = mutation({
+  args: { keyId: v.id("key") },
+  handler: async (ctx, { keyId }) => {
+    const key = await ctx.db.get(keyId);
+    if (key === null) {
+      throw new ConvexError({
+        code: "KEY_NOT_FOUND",
+        message: "API key not found",
+        keyId,
+      });
+    }
+    await ctx.db.delete(keyId);
+  },
+});

package/src/component/schema.ts CHANGED Viewed

@@ -226,4 +226,56 @@ export default defineSchema({
       "status",
       "acceptedByUserId",
     ]),
+  /**
+   * API keys for programmatic access. Each key links a user to a set of
+   * scoped permissions and optional per-key rate limiting.
+   *
+   * The raw key is never stored — only a SHA-256 hash. A short prefix
+   * (e.g. "sk_live_abc1...") is kept for display in the portal.
+   *
+   * Keys support:
+   * - **Scoped permissions**: resource:action pairs (e.g. users:read)
+   * - **Per-key rate limiting**: token-bucket with configurable window
+   * - **Expiration**: optional TTL
+   * - **Soft revocation**: `revoked` flag preserves audit trail
+   */
+  key: defineTable({
+    userId: v.id("user"),
+    /** First chars of the key for display (e.g. "sk_live_abc1..."). */
+    prefix: v.string(),
+    /** SHA-256 hex hash of the full raw key. */
+    hashedKey: v.string(),
+    /** User-assigned name (e.g. "CI Pipeline", "Production API"). */
+    name: v.string(),
+    /** Scoped permissions: [{ resource: "users", actions: ["read", "list"] }]. */
+    scopes: v.array(
+      v.object({
+        resource: v.string(),
+        actions: v.array(v.string()),
+      }),
+    ),
+    /** Optional per-key rate limit configuration. */
+    rateLimit: v.optional(
+      v.object({
+        maxRequests: v.number(),
+        windowMs: v.number(),
+      }),
+    ),
+    /** Rate limit state tracking (token-bucket). */
+    rateLimitState: v.optional(
+      v.object({
+        attemptsLeft: v.number(),
+        lastAttemptTime: v.number(),
+      }),
+    ),
+    /** Expiration timestamp. Null/undefined = never expires. */
+    expiresAt: v.optional(v.number()),
+    lastUsedAt: v.optional(v.number()),
+    createdAt: v.number(),
+    /** Soft-revoke flag. Revoked keys are kept for audit trail. */
+    revoked: v.boolean(),
+  })
+    .index("userId", ["userId"])
+    .index("hashedKey", ["hashedKey"]),
 });

package/src/providers/anonymous.ts CHANGED Viewed

@@ -56,6 +56,9 @@ export interface AnonymousConfig<DataModel extends GenericDataModel> {
  * An anonymous authentication provider.
  *
  * This provider doesn't require any user-provided information.
+ *
+ * @param config - Optional overrides (custom ID, profile, etc.).
+ * @returns A `ConvexCredentialsConfig` to include in your `providers` array.
  */
 export default function anonymous<DataModel extends GenericDataModel>(
   config: AnonymousConfig<DataModel> = {},

package/src/providers/credentials.ts CHANGED Viewed

@@ -94,6 +94,9 @@ export interface CredentialsUserConfig<
 /**
  * The Credentials provider allows you to handle signing in with arbitrary credentials,
  * such as a username and password, domain, or two factor authentication or hardware device (e.g. YubiKey U2F / FIDO).
+ *
+ * @param config - Credential-specific options (authorize callback, profile, etc.).
+ * @returns A `ConvexCredentialsConfig` to include in your `providers` array.
  */
 export default function credentials<DataModel extends GenericDataModel>(
   config: CredentialsUserConfig<DataModel>,

package/src/providers/email.ts CHANGED Viewed

@@ -30,6 +30,9 @@ import { EmailConfig, EmailUserConfig } from "../server/types.js";
  * ```
  *
  * Make sure the token has high enough entropy to be secure.
+ *
+ * @param config - Email provider options including `sendVerificationRequest`.
+ * @returns An `EmailConfig` to include in your `providers` array.
  */
 export default function email<DataModel extends GenericDataModel>(
   config: EmailUserConfig<DataModel> &

package/src/providers/passkey.ts CHANGED Viewed

@@ -1,3 +1,9 @@
+/**
+ * Passkey (WebAuthn) authentication provider.
+ *
+ * @module
+ */
 import { PasskeyProviderConfig } from "../server/types.js";
 /**
@@ -15,7 +21,8 @@ import { PasskeyProviderConfig } from "../server/types.js";
  * });
  * ```
  *
- * @param config Optional configuration for the relying party and credential options.
+ * @param config - Optional relying party and credential options.
+ * @returns A `PasskeyProviderConfig` to include in your `providers` array.
  */
 export default function passkey(
   config?: Partial<PasskeyProviderConfig["options"]>,

package/src/providers/password.ts CHANGED Viewed

@@ -105,6 +105,9 @@ export interface PasswordConfig<DataModel extends GenericDataModel> {
  *
  * Email verification is not required unless you pass
  * an email provider to the `verify` option.
+ *
+ * @param config - Password options (custom ID, crypto, verify, profile, etc.).
+ * @returns A `ConvexCredentialsConfig` to include in your `providers` array.
  */
 export default function password<DataModel extends GenericDataModel>(
   config: PasswordConfig<DataModel> = {},

package/src/providers/phone.ts CHANGED Viewed

@@ -19,6 +19,9 @@ import { PhoneConfig, PhoneUserConfig } from "../server/types.js";
  * When you use this function to create your config, it
  * checks that there is a `phone` field during token verification
  * that matches the `phone` used during the initial `signIn` call.
+ *
+ * @param config - Phone provider options including `sendVerificationRequest`.
+ * @returns A `PhoneConfig` to include in your `providers` array.
  */
 export default function phone<DataModel extends GenericDataModel>(
   config: PhoneUserConfig & Pick<PhoneConfig, "sendVerificationRequest">,

package/src/providers/totp.ts CHANGED Viewed

@@ -1,3 +1,9 @@
+/**
+ * TOTP (Time-based One-Time Password) two-factor authentication provider.
+ *
+ * @module
+ */
 import { TotpProviderConfig } from "../server/types.js";
 /**
@@ -10,6 +16,9 @@ import { TotpProviderConfig } from "../server/types.js";
  *   providers: [TOTP({ issuer: "My App" })],
  * });
  * ```
+ *
+ * @param config - TOTP options: issuer name, digit count, and period.
+ * @returns A `TotpProviderConfig` to include in your `providers` array.
  */
 export default function totp(
   config?: Partial<TotpProviderConfig["options"]>,