@robelest/convex-auth 0.0.2 → 0.0.3-preview.1

package/dist/server/email-templates.js

@@ -0,0 +1,74 @@
+/**
+ * Default email templates generated by the Auth library.
+ *
+ * These are used when the library sends emails on behalf of the developer
+ * (magic links, portal admin sign-in). The developer provides the transport
+ * via `email.send`; the library provides the content.
+ *
+ * @module
+ */
+/**
+ * Default magic link email template.
+ *
+ * Clean, minimal design that works across email clients.
+ * Used by the auto-registered `email` provider when `email` is
+ * configured in the Auth constructor.
+ */
+export function defaultMagicLinkEmail(url, host) {
+    const escapedHost = host.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Sign in to ${escapedHost}</title>
+</head>
+<body style="margin:0;padding:0;background-color:#f9fafb;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica Neue',Arial,sans-serif;">
+  <table role="presentation" width="100%" cellpadding="0" cellspacing="0" style="background-color:#f9fafb;padding:40px 16px;">
+    <tr>
+      <td align="center">
+        <table role="presentation" width="480" cellpadding="0" cellspacing="0" style="background-color:#ffffff;border:1px solid #e5e7eb;border-radius:8px;overflow:hidden;">
+          <tr>
+            <td style="padding:32px 32px 0 32px;text-align:center;">
+              <h1 style="margin:0 0 8px 0;font-size:20px;font-weight:600;color:#111827;line-height:1.3;">
+                Sign in to ${escapedHost}
+              </h1>
+            </td>
+          </tr>
+          <tr>
+            <td style="padding:24px 32px;">
+              <p style="margin:0 0 24px 0;font-size:15px;line-height:1.6;color:#4b5563;text-align:center;">
+                Click the button below to sign in. This link will expire shortly.
+              </p>
+              <table role="presentation" width="100%" cellpadding="0" cellspacing="0">
+                <tr>
+                  <td align="center" style="padding:0 0 24px 0;">
+                    <a href="${url}" target="_blank" style="display:inline-block;background-color:#111827;color:#ffffff;font-size:15px;font-weight:600;text-decoration:none;padding:12px 32px;border-radius:6px;line-height:1;">
+                      Sign in
+                    </a>
+                  </td>
+                </tr>
+              </table>
+              <p style="margin:0 0 12px 0;font-size:13px;line-height:1.6;color:#9ca3af;">
+                If the button doesn't work, copy and paste this URL into your browser:
+              </p>
+              <p style="margin:0;font-size:13px;line-height:1.5;color:#6b7280;word-break:break-all;">
+                ${url}
+              </p>
+            </td>
+          </tr>
+          <tr>
+            <td style="padding:20px 32px;border-top:1px solid #e5e7eb;">
+              <p style="margin:0;font-size:12px;line-height:1.5;color:#9ca3af;text-align:center;">
+                If you didn't request this email, you can safely ignore it.
+              </p>
+            </td>
+          </tr>
+        </table>
+      </td>
+    </tr>
+  </table>
+</body>
+</html>`;
+}
+//# sourceMappingURL=email-templates.js.map

package/dist/server/email-templates.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-templates.js","sourceRoot":"","sources":["../../src/server/email-templates.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CAAC,GAAW,EAAE,IAAY;IAC7D,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE,CACjD,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,CAAE,CAC9E,CAAC;IAEF,OAAO;;;;;sBAKa,WAAW;;;;;;;;;;6BAUJ,WAAW;;;;;;;;;;;;+BAYT,GAAG;;;;;;;;;;kBAUhB,GAAG;;;;;;;;;;;;;;;;QAgBb,CAAC;AACT,CAAC"}

package/dist/server/errors.d.ts

@@ -0,0 +1,146 @@
+/**
+ * Structured error handling for Convex Auth.
+ *
+ * Every error thrown by the auth system uses `ConvexError` with a
+ * `{ code, message }` payload so clients can distinguish error types
+ * and display user-friendly messages.
+ *
+ * @module
+ */
+import { ConvexError } from "convex/values";
+/**
+ * Map of every auth error code to its default human-readable message.
+ *
+ * Use the keys as the `code` argument to {@link throwAuthError}.
+ * Clients can match on these codes for conditional error handling.
+ *
+ * @example
+ * ```ts
+ * throwAuthError("NOT_SIGNED_IN");
+ * // ConvexError { data: { code: "NOT_SIGNED_IN", message: "You must be signed in..." } }
+ * ```
+ */
+export declare const AUTH_ERRORS: {
+    readonly PROVIDER_NOT_CONFIGURED: "This sign-in method is not available.";
+    readonly EMAIL_CONFIG_REQUIRED: "Email transport is not configured. Configure email in your Auth constructor.";
+    readonly MISSING_ENV_VAR: "A required server environment variable is missing.";
+    readonly MISSING_ACTION_CONTEXT: "Action context is required for this operation.";
+    readonly NOT_SIGNED_IN: "You must be signed in to perform this action.";
+    readonly INVALID_VERIFICATION_CODE: "Invalid or expired verification code.";
+    readonly INVALID_REFRESH_TOKEN: "Your session has expired. Please sign in again.";
+    readonly SIGN_IN_MISSING_PARAMS: "Cannot sign in: missing provider, code, or refresh token.";
+    readonly UNSUPPORTED_PROVIDER_TYPE: "This provider type is not supported.";
+    readonly INVALID_REDIRECT: "Invalid redirect URL.";
+    readonly EMAIL_SEND_FAILED: "Failed to send verification email. Please try again.";
+    readonly PORTAL_NOT_AUTHORIZED: "This email does not have portal admin access. Ask an admin for an invite link.";
+    readonly PORTAL_UNKNOWN_ACTION: "Unknown portal action.";
+    readonly INVITE_TOKEN_REQUIRED: "Invite token is required.";
+    readonly INVALID_INVITE: "Invalid or expired invite token.";
+    readonly INVITE_ALREADY_USED: "This invite has already been used.";
+    readonly INVITE_EXPIRED: "This invite has expired.";
+    readonly INVALID_API_KEY: "Invalid API key.";
+    readonly API_KEY_REVOKED: "This API key has been revoked.";
+    readonly API_KEY_EXPIRED: "This API key has expired.";
+    readonly API_KEY_RATE_LIMITED: "API key rate limit exceeded. Please try again later.";
+    readonly API_KEY_INVALID_SCOPE: "Invalid scope requested for API key.";
+    readonly OAUTH_MISSING_PROVIDER: "Missing OAuth provider ID.";
+    readonly OAUTH_MISSING_VERIFIER: "Missing sign-in verifier.";
+    readonly OAUTH_INVALID_STATE: "Invalid OAuth state. Please try signing in again.";
+    readonly OAUTH_PROVIDER_ERROR: "The sign-in provider returned an error.";
+    readonly OAUTH_MISSING_ID_TOKEN: "ID token claims are missing from the provider response.";
+    readonly OAUTH_INVALID_PROFILE: "The sign-in provider returned an invalid profile.";
+    readonly OAUTH_UNSUPPORTED_AUTH_METHOD: "Unsupported OAuth client authentication method.";
+    readonly OAUTH_NO_USERINFO: "No userinfo endpoint configured for this provider.";
+    readonly ACCOUNT_ALREADY_EXISTS: "An account with these credentials already exists.";
+    readonly ACCOUNT_NOT_FOUND: "Account not found.";
+    readonly INVALID_CREDENTIALS_PROVIDER: "This provider does not support credential operations.";
+    readonly MISSING_CRYPTO_FUNCTION: "This provider is missing a required cryptographic function.";
+    readonly USER_UPDATE_FAILED: "Could not update the user record.";
+    readonly INVALID_VERIFIER: "Invalid or expired verifier.";
+    readonly PASSKEY_MISSING_CONFIG: "Passkey provider requires SITE_URL or explicit rpId configuration.";
+    readonly PASSKEY_AUTH_REQUIRED: "Sign in first, then add a passkey to your account.";
+    readonly PASSKEY_MISSING_VERIFIER: "Missing verifier for passkey operation.";
+    readonly PASSKEY_INVALID_CLIENT_DATA: "Invalid passkey client data.";
+    readonly PASSKEY_INVALID_ORIGIN: "Passkey origin does not match the expected value.";
+    readonly PASSKEY_INVALID_CHALLENGE: "Invalid or expired passkey challenge.";
+    readonly PASSKEY_RP_MISMATCH: "Relying party ID mismatch.";
+    readonly PASSKEY_USER_PRESENCE: "User presence flag not set.";
+    readonly PASSKEY_USER_VERIFICATION: "User verification required but not performed.";
+    readonly PASSKEY_NO_CREDENTIAL: "No credential in attestation.";
+    readonly PASSKEY_UNSUPPORTED_ALGORITHM: "Unsupported passkey algorithm.";
+    readonly PASSKEY_INVALID_SIGNATURE: "Invalid passkey signature.";
+    readonly PASSKEY_UNKNOWN_CREDENTIAL: "Unknown passkey credential.";
+    readonly PASSKEY_COUNTER_ERROR: "Authenticator counter did not increase — possible credential cloning detected.";
+    readonly PASSKEY_MISSING_FLOW: "Missing passkey flow parameter.";
+    readonly PASSKEY_UNKNOWN_FLOW: "Unknown passkey flow.";
+    readonly TOTP_AUTH_REQUIRED: "Sign in first, then set up two-factor authentication.";
+    readonly TOTP_MISSING_VERIFIER: "Missing verifier for TOTP operation.";
+    readonly TOTP_MISSING_CODE: "Missing TOTP code.";
+    readonly TOTP_MISSING_ID: "Missing TOTP enrollment ID.";
+    readonly TOTP_NOT_FOUND: "TOTP enrollment not found.";
+    readonly TOTP_ALREADY_VERIFIED: "TOTP enrollment is already verified.";
+    readonly TOTP_INVALID_CODE: "Invalid TOTP code.";
+    readonly TOTP_INVALID_VERIFIER: "Invalid or expired TOTP verifier.";
+    readonly TOTP_NO_ENROLLMENT: "No verified TOTP enrollment found.";
+    readonly TOTP_MISSING_FLOW: "Missing TOTP flow parameter.";
+    readonly TOTP_UNKNOWN_FLOW: "Unknown TOTP flow.";
+    readonly INTERNAL_ERROR: "An unexpected error occurred.";
+};
+/** Union of all recognized auth error code strings (keys of {@link AUTH_ERRORS}). */
+export type AuthErrorCode = keyof typeof AUTH_ERRORS;
+/**
+ * Throw a structured `ConvexError` with `{ code, message }`.
+ *
+ * @param code    Machine-readable error code from `AUTH_ERRORS`.
+ * @param message Optional override for the default human-readable message.
+ * @param context Optional extra fields merged into the error payload.
+ */
+export declare function throwAuthError(code: AuthErrorCode, message?: string, context?: Record<string, unknown>): never;
+/**
+ * Type guard: check whether a caught value is a structured auth `ConvexError`.
+ *
+ * @param error - The caught value (typically from a `catch` block).
+ * @returns `true` when `error` is a `ConvexError` with `{ code, message }` data.
+ *
+ * @example
+ * ```ts
+ * try { await auth.signIn('email', { email }); }
+ * catch (e) {
+ *   if (isAuthError(e)) console.log(e.data.code); // "EMAIL_SEND_FAILED"
+ * }
+ * ```
+ */
+export declare function isAuthError(error: unknown): error is ConvexError<{
+    code: AuthErrorCode;
+    message: string;
+}>;
+/**
+ * Extract `{ code, message }` from a caught error.
+ *
+ * Works for `ConvexError` (from Convex actions), plain `Error`
+ * instances, and structured auth errors. Returns `null` when the
+ * value is not an error object.
+ *
+ * @param error - The caught value to parse.
+ * @returns `{ code, message }` when extractable, or `null`.
+ *   When `code` is `null`, the error is not a structured auth error
+ *   but `message` still contains the error text.
+ *
+ * @example
+ * ```ts
+ * try {
+ *   await auth.signIn("email", { email });
+ * } catch (e) {
+ *   const err = parseAuthError(e);
+ *   if (err?.code === "EMAIL_SEND_FAILED") { ... }
+ * }
+ * ```
+ */
+export declare function parseAuthError(error: unknown): {
+    code: AuthErrorCode;
+    message: string;
+} | {
+    code: null;
+    message: string;
+} | null;
+//# sourceMappingURL=errors.d.ts.map

package/dist/server/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/server/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAM5C;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsJmB,CAAC;AAE5C,qFAAqF;AACrF,MAAM,MAAM,aAAa,GAAG,MAAM,OAAO,WAAW,CAAC;AAMrD;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,aAAa,EACnB,OAAO,CAAC,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,KAAK,CAMP;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,WAAW,CACzB,KAAK,EAAE,OAAO,GACb,KAAK,IAAI,WAAW,CAAC;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAQhE;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,cAAc,CAC5B,KAAK,EAAE,OAAO,GACb;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAYnF"}

package/dist/server/errors.js

@@ -0,0 +1,176 @@
+/**
+ * Structured error handling for Convex Auth.
+ *
+ * Every error thrown by the auth system uses `ConvexError` with a
+ * `{ code, message }` payload so clients can distinguish error types
+ * and display user-friendly messages.
+ *
+ * @module
+ */
+import { ConvexError } from "convex/values";
+// ============================================================================
+// Error code → default message map  (single source of truth)
+// ============================================================================
+/**
+ * Map of every auth error code to its default human-readable message.
+ *
+ * Use the keys as the `code` argument to {@link throwAuthError}.
+ * Clients can match on these codes for conditional error handling.
+ *
+ * @example
+ * ```ts
+ * throwAuthError("NOT_SIGNED_IN");
+ * // ConvexError { data: { code: "NOT_SIGNED_IN", message: "You must be signed in..." } }
+ * ```
+ */
+export const AUTH_ERRORS = {
+    // ---- Configuration ----
+    PROVIDER_NOT_CONFIGURED: "This sign-in method is not available.",
+    EMAIL_CONFIG_REQUIRED: "Email transport is not configured. Configure email in your Auth constructor.",
+    MISSING_ENV_VAR: "A required server environment variable is missing.",
+    MISSING_ACTION_CONTEXT: "Action context is required for this operation.",
+    // ---- Authentication ----
+    NOT_SIGNED_IN: "You must be signed in to perform this action.",
+    INVALID_VERIFICATION_CODE: "Invalid or expired verification code.",
+    INVALID_REFRESH_TOKEN: "Your session has expired. Please sign in again.",
+    SIGN_IN_MISSING_PARAMS: "Cannot sign in: missing provider, code, or refresh token.",
+    UNSUPPORTED_PROVIDER_TYPE: "This provider type is not supported.",
+    INVALID_REDIRECT: "Invalid redirect URL.",
+    // ---- Email / Phone ----
+    EMAIL_SEND_FAILED: "Failed to send verification email. Please try again.",
+    // ---- Portal ----
+    PORTAL_NOT_AUTHORIZED: "This email does not have portal admin access. Ask an admin for an invite link.",
+    PORTAL_UNKNOWN_ACTION: "Unknown portal action.",
+    INVITE_TOKEN_REQUIRED: "Invite token is required.",
+    INVALID_INVITE: "Invalid or expired invite token.",
+    INVITE_ALREADY_USED: "This invite has already been used.",
+    INVITE_EXPIRED: "This invite has expired.",
+    // ---- API Keys ----
+    INVALID_API_KEY: "Invalid API key.",
+    API_KEY_REVOKED: "This API key has been revoked.",
+    API_KEY_EXPIRED: "This API key has expired.",
+    API_KEY_RATE_LIMITED: "API key rate limit exceeded. Please try again later.",
+    API_KEY_INVALID_SCOPE: "Invalid scope requested for API key.",
+    // ---- OAuth ----
+    OAUTH_MISSING_PROVIDER: "Missing OAuth provider ID.",
+    OAUTH_MISSING_VERIFIER: "Missing sign-in verifier.",
+    OAUTH_INVALID_STATE: "Invalid OAuth state. Please try signing in again.",
+    OAUTH_PROVIDER_ERROR: "The sign-in provider returned an error.",
+    OAUTH_MISSING_ID_TOKEN: "ID token claims are missing from the provider response.",
+    OAUTH_INVALID_PROFILE: "The sign-in provider returned an invalid profile.",
+    OAUTH_UNSUPPORTED_AUTH_METHOD: "Unsupported OAuth client authentication method.",
+    OAUTH_NO_USERINFO: "No userinfo endpoint configured for this provider.",
+    // ---- Credentials ----
+    ACCOUNT_ALREADY_EXISTS: "An account with these credentials already exists.",
+    ACCOUNT_NOT_FOUND: "Account not found.",
+    INVALID_CREDENTIALS_PROVIDER: "This provider does not support credential operations.",
+    MISSING_CRYPTO_FUNCTION: "This provider is missing a required cryptographic function.",
+    USER_UPDATE_FAILED: "Could not update the user record.",
+    // ---- Verifier ----
+    INVALID_VERIFIER: "Invalid or expired verifier.",
+    // ---- Passkey ----
+    PASSKEY_MISSING_CONFIG: "Passkey provider requires SITE_URL or explicit rpId configuration.",
+    PASSKEY_AUTH_REQUIRED: "Sign in first, then add a passkey to your account.",
+    PASSKEY_MISSING_VERIFIER: "Missing verifier for passkey operation.",
+    PASSKEY_INVALID_CLIENT_DATA: "Invalid passkey client data.",
+    PASSKEY_INVALID_ORIGIN: "Passkey origin does not match the expected value.",
+    PASSKEY_INVALID_CHALLENGE: "Invalid or expired passkey challenge.",
+    PASSKEY_RP_MISMATCH: "Relying party ID mismatch.",
+    PASSKEY_USER_PRESENCE: "User presence flag not set.",
+    PASSKEY_USER_VERIFICATION: "User verification required but not performed.",
+    PASSKEY_NO_CREDENTIAL: "No credential in attestation.",
+    PASSKEY_UNSUPPORTED_ALGORITHM: "Unsupported passkey algorithm.",
+    PASSKEY_INVALID_SIGNATURE: "Invalid passkey signature.",
+    PASSKEY_UNKNOWN_CREDENTIAL: "Unknown passkey credential.",
+    PASSKEY_COUNTER_ERROR: "Authenticator counter did not increase — possible credential cloning detected.",
+    PASSKEY_MISSING_FLOW: "Missing passkey flow parameter.",
+    PASSKEY_UNKNOWN_FLOW: "Unknown passkey flow.",
+    // ---- TOTP ----
+    TOTP_AUTH_REQUIRED: "Sign in first, then set up two-factor authentication.",
+    TOTP_MISSING_VERIFIER: "Missing verifier for TOTP operation.",
+    TOTP_MISSING_CODE: "Missing TOTP code.",
+    TOTP_MISSING_ID: "Missing TOTP enrollment ID.",
+    TOTP_NOT_FOUND: "TOTP enrollment not found.",
+    TOTP_ALREADY_VERIFIED: "TOTP enrollment is already verified.",
+    TOTP_INVALID_CODE: "Invalid TOTP code.",
+    TOTP_INVALID_VERIFIER: "Invalid or expired TOTP verifier.",
+    TOTP_NO_ENROLLMENT: "No verified TOTP enrollment found.",
+    TOTP_MISSING_FLOW: "Missing TOTP flow parameter.",
+    TOTP_UNKNOWN_FLOW: "Unknown TOTP flow.",
+    // ---- Internal (should never reach user) ----
+    INTERNAL_ERROR: "An unexpected error occurred.",
+};
+// ============================================================================
+// Error helpers
+// ============================================================================
+/**
+ * Throw a structured `ConvexError` with `{ code, message }`.
+ *
+ * @param code    Machine-readable error code from `AUTH_ERRORS`.
+ * @param message Optional override for the default human-readable message.
+ * @param context Optional extra fields merged into the error payload.
+ */
+export function throwAuthError(code, message, context) {
+    throw new ConvexError({
+        code,
+        message: message ?? AUTH_ERRORS[code],
+        ...context,
+    });
+}
+/**
+ * Type guard: check whether a caught value is a structured auth `ConvexError`.
+ *
+ * @param error - The caught value (typically from a `catch` block).
+ * @returns `true` when `error` is a `ConvexError` with `{ code, message }` data.
+ *
+ * @example
+ * ```ts
+ * try { await auth.signIn('email', { email }); }
+ * catch (e) {
+ *   if (isAuthError(e)) console.log(e.data.code); // "EMAIL_SEND_FAILED"
+ * }
+ * ```
+ */
+export function isAuthError(error) {
+    return (error instanceof ConvexError &&
+        typeof error.data === "object" &&
+        error.data !== null &&
+        "code" in error.data &&
+        "message" in error.data);
+}
+/**
+ * Extract `{ code, message }` from a caught error.
+ *
+ * Works for `ConvexError` (from Convex actions), plain `Error`
+ * instances, and structured auth errors. Returns `null` when the
+ * value is not an error object.
+ *
+ * @param error - The caught value to parse.
+ * @returns `{ code, message }` when extractable, or `null`.
+ *   When `code` is `null`, the error is not a structured auth error
+ *   but `message` still contains the error text.
+ *
+ * @example
+ * ```ts
+ * try {
+ *   await auth.signIn("email", { email });
+ * } catch (e) {
+ *   const err = parseAuthError(e);
+ *   if (err?.code === "EMAIL_SEND_FAILED") { ... }
+ * }
+ * ```
+ */
+export function parseAuthError(error) {
+    if (isAuthError(error)) {
+        const { code, message } = error.data;
+        return { code, message };
+    }
+    if (error instanceof ConvexError && typeof error.data === "string") {
+        return { code: null, message: error.data };
+    }
+    if (error instanceof Error) {
+        return { code: null, message: error.message };
+    }
+    return null;
+}
+//# sourceMappingURL=errors.js.map

package/dist/server/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/server/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,+EAA+E;AAC/E,6DAA6D;AAC7D,+EAA+E;AAE/E;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,0BAA0B;IAC1B,uBAAuB,EACrB,uCAAuC;IACzC,qBAAqB,EACnB,8EAA8E;IAChF,eAAe,EACb,oDAAoD;IACtD,sBAAsB,EACpB,gDAAgD;IAElD,2BAA2B;IAC3B,aAAa,EACX,+CAA+C;IACjD,yBAAyB,EACvB,uCAAuC;IACzC,qBAAqB,EACnB,iDAAiD;IACnD,sBAAsB,EACpB,2DAA2D;IAC7D,yBAAyB,EACvB,sCAAsC;IACxC,gBAAgB,EACd,uBAAuB;IAEzB,0BAA0B;IAC1B,iBAAiB,EACf,sDAAsD;IAExD,mBAAmB;IACnB,qBAAqB,EACnB,gFAAgF;IAClF,qBAAqB,EACnB,wBAAwB;IAC1B,qBAAqB,EACnB,2BAA2B;IAC7B,cAAc,EACZ,kCAAkC;IACpC,mBAAmB,EACjB,oCAAoC;IACtC,cAAc,EACZ,0BAA0B;IAE5B,qBAAqB;IACrB,eAAe,EACb,kBAAkB;IACpB,eAAe,EACb,gCAAgC;IAClC,eAAe,EACb,2BAA2B;IAC7B,oBAAoB,EAClB,sDAAsD;IACxD,qBAAqB,EACnB,sCAAsC;IAExC,kBAAkB;IAClB,sBAAsB,EACpB,4BAA4B;IAC9B,sBAAsB,EACpB,2BAA2B;IAC7B,mBAAmB,EACjB,mDAAmD;IACrD,oBAAoB,EAClB,yCAAyC;IAC3C,sBAAsB,EACpB,yDAAyD;IAC3D,qBAAqB,EACnB,mDAAmD;IACrD,6BAA6B,EAC3B,iDAAiD;IACnD,iBAAiB,EACf,oDAAoD;IAEtD,wBAAwB;IACxB,sBAAsB,EACpB,mDAAmD;IACrD,iBAAiB,EACf,oBAAoB;IACtB,4BAA4B,EAC1B,uDAAuD;IACzD,uBAAuB,EACrB,6DAA6D;IAC/D,kBAAkB,EAChB,mCAAmC;IAErC,qBAAqB;IACrB,gBAAgB,EACd,8BAA8B;IAEhC,oBAAoB;IACpB,sBAAsB,EACpB,oEAAoE;IACtE,qBAAqB,EACnB,oDAAoD;IACtD,wBAAwB,EACtB,yCAAyC;IAC3C,2BAA2B,EACzB,8BAA8B;IAChC,sBAAsB,EACpB,mDAAmD;IACrD,yBAAyB,EACvB,uCAAuC;IACzC,mBAAmB,EACjB,4BAA4B;IAC9B,qBAAqB,EACnB,6BAA6B;IAC/B,yBAAyB,EACvB,+CAA+C;IACjD,qBAAqB,EACnB,+BAA+B;IACjC,6BAA6B,EAC3B,gCAAgC;IAClC,yBAAyB,EACvB,4BAA4B;IAC9B,0BAA0B,EACxB,6BAA6B;IAC/B,qBAAqB,EACnB,gFAAgF;IAClF,oBAAoB,EAClB,iCAAiC;IACnC,oBAAoB,EAClB,uBAAuB;IAEzB,iBAAiB;IACjB,kBAAkB,EAChB,uDAAuD;IACzD,qBAAqB,EACnB,sCAAsC;IACxC,iBAAiB,EACf,oBAAoB;IACtB,eAAe,EACb,6BAA6B;IAC/B,cAAc,EACZ,4BAA4B;IAC9B,qBAAqB,EACnB,sCAAsC;IACxC,iBAAiB,EACf,oBAAoB;IACtB,qBAAqB,EACnB,mCAAmC;IACrC,kBAAkB,EAChB,oCAAoC;IACtC,iBAAiB,EACf,8BAA8B;IAChC,iBAAiB,EACf,oBAAoB;IAEtB,+CAA+C;IAC/C,cAAc,EACZ,+BAA+B;CACQ,CAAC;AAK5C,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,IAAmB,EACnB,OAAgB,EAChB,OAAiC;IAEjC,MAAM,IAAI,WAAW,CAAC;QACpB,IAAI;QACJ,OAAO,EAAE,OAAO,IAAI,WAAW,CAAC,IAAI,CAAC;QACrC,GAAG,OAAO;KACX,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,WAAW,CACzB,KAAc;IAEd,OAAO,CACL,KAAK,YAAY,WAAW;QAC5B,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;QAC9B,KAAK,CAAC,IAAI,KAAK,IAAI;QACnB,MAAM,IAAI,KAAK,CAAC,IAAI;QACpB,SAAS,IAAI,KAAK,CAAC,IAAI,CACxB,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,cAAc,CAC5B,KAAc;IAEd,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,KAAK,CAAC,IAAgD,CAAC;QACjF,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IAC3B,CAAC;IACD,IAAI,KAAK,YAAY,WAAW,IAAI,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QACnE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7C,CAAC;IACD,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;QAC3B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;IAChD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/server/implementation/apiKey.d.ts

@@ -0,0 +1,74 @@
+/**
+ * API Key crypto utilities.
+ *
+ * Uses `@oslojs/crypto` primitives for key generation and hashing:
+ * - SHA-256 for hashing keys (API keys have high entropy, no need for bcrypt)
+ * - Cryptographically secure random generation for key material
+ *
+ * @module
+ */
+import type { KeyScope, ScopeChecker } from "../types.js";
+/**
+ * Generate a new API key.
+ *
+ * Returns the raw key (to be shown once to the user) and metadata for storage.
+ * The raw key is `{prefix}{32 random alphanumeric chars}`.
+ *
+ * @param prefix - Key prefix, defaults to "sk_live_"
+ * @returns `{ raw, hashedKey, displayPrefix }`
+ */
+export declare function generateApiKey(prefix?: string): Promise<{
+    /** The full raw key — show to user once, never store. */
+    raw: string;
+    /** SHA-256 hex hash of the raw key — store this. */
+    hashedKey: string;
+    /** Truncated prefix for display (e.g. "sk_live_aBc1..."). */
+    displayPrefix: string;
+}>;
+/**
+ * Hash a raw API key for lookup.
+ *
+ * Used during Bearer token verification to find the stored key record.
+ */
+export declare function hashApiKey(rawKey: string): Promise<string>;
+/**
+ * Build a `ScopeChecker` from an array of `KeyScope` entries.
+ *
+ * The checker provides a `.can(resource, action)` method that returns `true`
+ * if any scope entry grants the requested permission.
+ *
+ * A wildcard action `"*"` grants all actions on that resource.
+ * A wildcard resource `"*"` grants the action on all resources.
+ */
+export declare function buildScopeChecker(scopes: KeyScope[]): ScopeChecker;
+/**
+ * Validate that requested scopes are a subset of the allowed scopes
+ * defined in the API key config.
+ *
+ * @param requested - Scopes the user wants on the new key.
+ * @param allowed - The scope definition from `apiKeys.scopes` config.
+ * @throws Error if any requested scope is not in the allowed set.
+ */
+export declare function validateScopes(requested: KeyScope[], allowed: Record<string, string[]> | undefined): void;
+/**
+ * Check whether a key is rate-limited based on its stored state.
+ *
+ * Uses the same token-bucket algorithm as sign-in rate limiting:
+ * tokens refill linearly over the configured window.
+ *
+ * @returns `{ limited: boolean; newState: { attemptsLeft, lastAttemptTime } }`
+ */
+export declare function checkKeyRateLimit(rateLimit: {
+    maxRequests: number;
+    windowMs: number;
+}, state: {
+    attemptsLeft: number;
+    lastAttemptTime: number;
+} | undefined): {
+    limited: boolean;
+    newState: {
+        attemptsLeft: number;
+        lastAttemptTime: number;
+    };
+};
+//# sourceMappingURL=apiKey.d.ts.map

package/dist/server/implementation/apiKey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apiKey.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/apiKey.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAsB1D;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAAC,MAAM,GAAE,MAA2B,GAAG,OAAO,CAAC;IACjF,yDAAyD;IACzD,GAAG,EAAE,MAAM,CAAC;IACZ,oDAAoD;IACpD,SAAS,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC,CAOD;AAED;;;;GAIG;AACH,wBAAsB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAEhE;AAMD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,QAAQ,EAAE,GAAG,YAAY,CAWlE;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,QAAQ,EAAE,EACrB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,GAAG,SAAS,GAC5C,IAAI,CAuBN;AAMD;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,EACpD,KAAK,EAAE;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,GACnE;IACD,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,MAAM,CAAA;KAAE,CAAC;CAC7D,CAsCA"}

package/dist/server/implementation/apiKey.js

@@ -0,0 +1,139 @@
+/**
+ * API Key crypto utilities.
+ *
+ * Uses `@oslojs/crypto` primitives for key generation and hashing:
+ * - SHA-256 for hashing keys (API keys have high entropy, no need for bcrypt)
+ * - Cryptographically secure random generation for key material
+ *
+ * @module
+ */
+import { sha256, generateRandomString } from "./utils.js";
+import { throwAuthError } from "../errors.js";
+// ============================================================================
+// Constants
+// ============================================================================
+const DEFAULT_KEY_PREFIX = "sk_live_";
+const KEY_RANDOM_LENGTH = 32;
+const KEY_RANDOM_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+/**
+ * How many characters of the full key to store as the visible prefix.
+ * Includes the prefix string (e.g. "sk_live_") plus a few random chars.
+ */
+const VISIBLE_PREFIX_EXTRA_CHARS = 4;
+// ============================================================================
+// Key generation
+// ============================================================================
+/**
+ * Generate a new API key.
+ *
+ * Returns the raw key (to be shown once to the user) and metadata for storage.
+ * The raw key is `{prefix}{32 random alphanumeric chars}`.
+ *
+ * @param prefix - Key prefix, defaults to "sk_live_"
+ * @returns `{ raw, hashedKey, displayPrefix }`
+ */
+export async function generateApiKey(prefix = DEFAULT_KEY_PREFIX) {
+    const randomPart = generateRandomString(KEY_RANDOM_LENGTH, KEY_RANDOM_ALPHABET);
+    const raw = `${prefix}${randomPart}`;
+    const hashedKey = await sha256(raw);
+    const displayPrefix = `${raw.substring(0, prefix.length + VISIBLE_PREFIX_EXTRA_CHARS)}...`;
+    return { raw, hashedKey, displayPrefix };
+}
+/**
+ * Hash a raw API key for lookup.
+ *
+ * Used during Bearer token verification to find the stored key record.
+ */
+export async function hashApiKey(rawKey) {
+    return sha256(rawKey);
+}
+// ============================================================================
+// Scope checker
+// ============================================================================
+/**
+ * Build a `ScopeChecker` from an array of `KeyScope` entries.
+ *
+ * The checker provides a `.can(resource, action)` method that returns `true`
+ * if any scope entry grants the requested permission.
+ *
+ * A wildcard action `"*"` grants all actions on that resource.
+ * A wildcard resource `"*"` grants the action on all resources.
+ */
+export function buildScopeChecker(scopes) {
+    return {
+        scopes,
+        can(resource, action) {
+            return scopes.some((scope) => (scope.resource === resource || scope.resource === "*") &&
+                (scope.actions.includes(action) || scope.actions.includes("*")));
+        },
+    };
+}
+/**
+ * Validate that requested scopes are a subset of the allowed scopes
+ * defined in the API key config.
+ *
+ * @param requested - Scopes the user wants on the new key.
+ * @param allowed - The scope definition from `apiKeys.scopes` config.
+ * @throws Error if any requested scope is not in the allowed set.
+ */
+export function validateScopes(requested, allowed) {
+    if (!allowed) {
+        // No scope restrictions configured — allow anything.
+        return;
+    }
+    for (const scope of requested) {
+        const allowedActions = allowed[scope.resource];
+        if (!allowedActions) {
+            throwAuthError("API_KEY_INVALID_SCOPE", `Unknown resource "${scope.resource}" in API key scopes. Allowed resources: ${Object.keys(allowed).join(", ")}`);
+        }
+        for (const action of scope.actions) {
+            if (action !== "*" && !allowedActions.includes(action)) {
+                throwAuthError("API_KEY_INVALID_SCOPE", `Unknown action "${action}" for resource "${scope.resource}". Allowed actions: ${allowedActions.join(", ")}`);
+            }
+        }
+    }
+}
+// ============================================================================
+// Per-key rate limiting (token-bucket)
+// ============================================================================
+/**
+ * Check whether a key is rate-limited based on its stored state.
+ *
+ * Uses the same token-bucket algorithm as sign-in rate limiting:
+ * tokens refill linearly over the configured window.
+ *
+ * @returns `{ limited: boolean; newState: { attemptsLeft, lastAttemptTime } }`
+ */
+export function checkKeyRateLimit(rateLimit, state) {
+    const now = Date.now();
+    if (!state) {
+        // First request — create initial state with one token consumed.
+        return {
+            limited: false,
+            newState: {
+                attemptsLeft: rateLimit.maxRequests - 1,
+                lastAttemptTime: now,
+            },
+        };
+    }
+    const elapsed = now - state.lastAttemptTime;
+    const refillRate = rateLimit.maxRequests / rateLimit.windowMs;
+    const refilled = Math.min(rateLimit.maxRequests, state.attemptsLeft + elapsed * refillRate);
+    if (refilled < 1) {
+        return {
+            limited: true,
+            newState: {
+                attemptsLeft: refilled,
+                lastAttemptTime: now,
+            },
+        };
+    }
+    return {
+        limited: false,
+        newState: {
+            attemptsLeft: refilled - 1,
+            lastAttemptTime: now,
+        },
+    };
+}
+//# sourceMappingURL=apiKey.js.map

package/dist/server/implementation/apiKey.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"apiKey.js","sourceRoot":"","sources":["../../../src/server/implementation/apiKey.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,MAAM,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAE1D,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,kBAAkB,GAAG,UAAU,CAAC;AACtC,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAC7B,MAAM,mBAAmB,GACvB,gEAAgE,CAAC;AAEnE;;;GAGG;AACH,MAAM,0BAA0B,GAAG,CAAC,CAAC;AAErC,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,SAAiB,kBAAkB;IAQtE,MAAM,UAAU,GAAG,oBAAoB,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IAChF,MAAM,GAAG,GAAG,GAAG,MAAM,GAAG,UAAU,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,aAAa,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,GAAG,0BAA0B,CAAC,KAAK,CAAC;IAE3F,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC;AAC3C,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAc;IAC7C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC;AACxB,CAAC;AAED,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAkB;IAClD,OAAO;QACL,MAAM;QACN,GAAG,CAAC,QAAgB,EAAE,MAAc;YAClC,OAAO,MAAM,CAAC,IAAI,CAChB,CAAC,KAAK,EAAE,EAAE,CACR,CAAC,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,KAAK,GAAG,CAAC;gBACvD,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAClE,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAC5B,SAAqB,EACrB,OAA6C;IAE7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,qDAAqD;QACrD,OAAO;IACT,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,cAAc,CACZ,uBAAuB,EACvB,qBAAqB,KAAK,CAAC,QAAQ,2CAA2C,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAChH,CAAC;QACJ,CAAC;QACD,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YACnC,IAAI,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBACvD,cAAc,CACZ,uBAAuB,EACvB,mBAAmB,MAAM,mBAAmB,KAAK,CAAC,QAAQ,uBAAuB,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC7G,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,uCAAuC;AACvC,+EAA+E;AAE/E;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAAoD,EACpD,KAAoE;IAKpE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,gEAAgE;QAChE,OAAO;YACL,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE;gBACR,YAAY,EAAE,SAAS,CAAC,WAAW,GAAG,CAAC;gBACvC,eAAe,EAAE,GAAG;aACrB;SACF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,GAAG,KAAK,CAAC,eAAe,CAAC;IAC5C,MAAM,UAAU,GAAG,SAAS,CAAC,WAAW,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CACvB,SAAS,CAAC,WAAW,EACrB,KAAK,CAAC,YAAY,GAAG,OAAO,GAAG,UAAU,CAC1C,CAAC;IAEF,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QACjB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE;gBACR,YAAY,EAAE,QAAQ;gBACtB,eAAe,EAAE,GAAG;aACrB;SACF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK;QACd,QAAQ,EAAE;YACR,YAAY,EAAE,QAAQ,GAAG,CAAC;YAC1B,eAAe,EAAE,GAAG;SACrB;KACF,CAAC;AACJ,CAAC"}