@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +140 -9
- package/dist/bin.cjs +5957 -5478
- package/dist/client/index.d.ts +3 -7
- package/dist/client/index.d.ts.map +1 -1
- package/dist/client/index.js +27 -26
- package/dist/client/index.js.map +1 -1
- package/dist/component/_generated/api.d.ts +14 -0
- package/dist/component/_generated/api.d.ts.map +1 -1
- package/dist/component/_generated/api.js.map +1 -1
- package/dist/component/_generated/component.d.ts +1513 -3
- package/dist/component/_generated/component.d.ts.map +1 -1
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/convex.config.d.ts.map +1 -1
- package/dist/component/model.d.ts +153 -0
- package/dist/component/model.d.ts.map +1 -0
- package/dist/component/model.js +327 -0
- package/dist/component/model.js.map +1 -0
- package/dist/component/providers/sso.d.ts +1 -1
- package/dist/component/public/enterprise.d.ts +49 -0
- package/dist/component/public/enterprise.d.ts.map +1 -0
- package/dist/component/public/enterprise.js +450 -0
- package/dist/component/public/enterprise.js.map +1 -0
- package/dist/component/public/factors.d.ts +52 -0
- package/dist/component/public/factors.d.ts.map +1 -0
- package/dist/component/public/factors.js +285 -0
- package/dist/component/public/factors.js.map +1 -0
- package/dist/component/public/groups.d.ts +118 -0
- package/dist/component/public/groups.d.ts.map +1 -0
- package/dist/component/public/groups.js +599 -0
- package/dist/component/public/groups.js.map +1 -0
- package/dist/component/public/identity.d.ts +93 -0
- package/dist/component/public/identity.d.ts.map +1 -0
- package/dist/component/public/identity.js +426 -0
- package/dist/component/public/identity.js.map +1 -0
- package/dist/component/public/keys.d.ts +41 -0
- package/dist/component/public/keys.d.ts.map +1 -0
- package/dist/component/public/keys.js +157 -0
- package/dist/component/public/keys.js.map +1 -0
- package/dist/component/public/shared.d.ts +26 -0
- package/dist/component/public/shared.d.ts.map +1 -0
- package/dist/component/public/shared.js +32 -0
- package/dist/component/public/shared.js.map +1 -0
- package/dist/component/public.d.ts +9 -321
- package/dist/component/public.d.ts.map +1 -1
- package/dist/component/public.js +6 -2145
- package/dist/component/schema.d.ts +368 -258
- package/dist/component/schema.js +23 -27
- package/dist/component/schema.js.map +1 -1
- package/dist/component/server/auth.d.ts +42 -7
- package/dist/component/server/auth.d.ts.map +1 -1
- package/dist/component/server/auth.js +70 -6
- package/dist/component/server/auth.js.map +1 -1
- package/dist/component/server/cookies.js +3 -0
- package/dist/component/server/cookies.js.map +1 -1
- package/dist/component/server/db.js +1 -0
- package/dist/component/server/db.js.map +1 -1
- package/dist/component/server/device.js +3 -1
- package/dist/component/server/device.js.map +1 -1
- package/dist/component/server/domains/core.js +466 -0
- package/dist/component/server/domains/core.js.map +1 -0
- package/dist/component/server/domains/sso.js +689 -0
- package/dist/component/server/domains/sso.js.map +1 -0
- package/dist/component/server/factory.d.ts +136 -0
- package/dist/component/server/factory.d.ts.map +1 -0
- package/dist/component/server/factory.js +1128 -0
- package/dist/component/server/factory.js.map +1 -0
- package/dist/component/server/fx.js +2 -1
- package/dist/component/server/fx.js.map +1 -1
- package/dist/component/server/http.js +287 -0
- package/dist/component/server/http.js.map +1 -0
- package/dist/component/server/identity.js +13 -0
- package/dist/component/server/identity.js.map +1 -0
- package/dist/component/server/keys.js +4 -0
- package/dist/component/server/keys.js.map +1 -1
- package/dist/component/server/mutations/account.js +1 -1
- package/dist/component/server/mutations/index.js +2 -2
- package/dist/component/server/mutations/index.js.map +1 -1
- package/dist/component/server/mutations/invalidate.js +1 -1
- package/dist/component/server/mutations/oauth.js +10 -7
- package/dist/component/server/mutations/oauth.js.map +1 -1
- package/dist/component/server/mutations/refresh.js +1 -1
- package/dist/component/server/mutations/register.js +1 -1
- package/dist/component/server/mutations/retrieve.js +1 -1
- package/dist/component/server/mutations/signature.js +1 -1
- package/dist/component/server/mutations/store.js +6 -3
- package/dist/component/server/mutations/store.js.map +1 -1
- package/dist/component/server/mutations/verify.js +1 -1
- package/dist/component/server/oauth.js +3 -0
- package/dist/component/server/oauth.js.map +1 -1
- package/dist/component/server/passkey.js +3 -2
- package/dist/component/server/passkey.js.map +1 -1
- package/dist/component/server/provider.js +2 -0
- package/dist/component/server/provider.js.map +1 -1
- package/dist/component/server/providers.js +3 -0
- package/dist/component/server/providers.js.map +1 -1
- package/dist/component/server/ratelimit.js +3 -0
- package/dist/component/server/ratelimit.js.map +1 -1
- package/dist/component/server/redirects.js +2 -0
- package/dist/component/server/redirects.js.map +1 -1
- package/dist/component/server/refresh.js +5 -0
- package/dist/component/server/refresh.js.map +1 -1
- package/dist/component/server/sessions.js +5 -0
- package/dist/component/server/sessions.js.map +1 -1
- package/dist/component/server/signin.js +2 -1
- package/dist/component/server/signin.js.map +1 -1
- package/dist/component/server/sso.js +166 -19
- package/dist/component/server/sso.js.map +1 -1
- package/dist/component/server/tokens.js +1 -0
- package/dist/component/server/tokens.js.map +1 -1
- package/dist/component/server/totp.js +4 -2
- package/dist/component/server/totp.js.map +1 -1
- package/dist/component/server/types.d.ts +50 -35
- package/dist/component/server/types.d.ts.map +1 -1
- package/dist/component/server/types.js.map +1 -1
- package/dist/component/server/users.js +1 -0
- package/dist/component/server/users.js.map +1 -1
- package/dist/component/server/utils.js +44 -2
- package/dist/component/server/utils.js.map +1 -1
- package/dist/providers/anonymous.d.ts +1 -1
- package/dist/providers/credentials.d.ts +1 -1
- package/dist/providers/password.d.ts +1 -1
- package/dist/providers/sso.d.ts +1 -1
- package/dist/providers/sso.js.map +1 -1
- package/dist/server/auth.d.ts +44 -9
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +70 -6
- package/dist/server/auth.js.map +1 -1
- package/dist/server/cookies.d.ts +1 -38
- package/dist/server/cookies.js +3 -0
- package/dist/server/cookies.js.map +1 -1
- package/dist/server/db.d.ts +1 -125
- package/dist/server/db.js +1 -0
- package/dist/server/db.js.map +1 -1
- package/dist/server/device.d.ts +1 -24
- package/dist/server/device.js +3 -1
- package/dist/server/device.js.map +1 -1
- package/dist/server/domains/core.d.ts +320 -0
- package/dist/server/domains/core.d.ts.map +1 -0
- package/dist/server/domains/core.js +466 -0
- package/dist/server/domains/core.js.map +1 -0
- package/dist/server/domains/sso.d.ts +340 -0
- package/dist/server/domains/sso.d.ts.map +1 -0
- package/dist/server/domains/sso.js +689 -0
- package/dist/server/domains/sso.js.map +1 -0
- package/dist/server/enterpriseValidators.d.ts +1 -0
- package/dist/server/enterpriseValidators.js +56 -0
- package/dist/server/enterpriseValidators.js.map +1 -0
- package/dist/server/factory.d.ts +136 -0
- package/dist/server/factory.d.ts.map +1 -0
- package/dist/server/factory.js +1128 -0
- package/dist/server/factory.js.map +1 -0
- package/dist/server/fx.d.ts +1 -16
- package/dist/server/fx.d.ts.map +1 -1
- package/dist/server/fx.js +1 -0
- package/dist/server/fx.js.map +1 -1
- package/dist/server/http.d.ts +59 -0
- package/dist/server/http.d.ts.map +1 -0
- package/dist/server/http.js +287 -0
- package/dist/server/http.js.map +1 -0
- package/dist/server/identity.d.ts +1 -0
- package/dist/server/identity.js +13 -0
- package/dist/server/identity.js.map +1 -0
- package/dist/server/index.d.ts +432 -1
- package/dist/server/index.d.ts.map +1 -1
- package/dist/server/index.js +486 -36
- package/dist/server/index.js.map +1 -1
- package/dist/server/keys.d.ts +1 -57
- package/dist/server/keys.js +4 -0
- package/dist/server/keys.js.map +1 -1
- package/dist/server/mutations/account.d.ts +7 -7
- package/dist/server/mutations/account.d.ts.map +1 -1
- package/dist/server/mutations/code.d.ts +13 -13
- package/dist/server/mutations/index.d.ts +107 -107
- package/dist/server/mutations/index.d.ts.map +1 -1
- package/dist/server/mutations/index.js +1 -1
- package/dist/server/mutations/index.js.map +1 -1
- package/dist/server/mutations/invalidate.d.ts +5 -5
- package/dist/server/mutations/oauth.d.ts +10 -10
- package/dist/server/mutations/oauth.d.ts.map +1 -1
- package/dist/server/mutations/oauth.js +9 -6
- package/dist/server/mutations/oauth.js.map +1 -1
- package/dist/server/mutations/refresh.d.ts +4 -4
- package/dist/server/mutations/register.d.ts +12 -12
- package/dist/server/mutations/register.d.ts.map +1 -1
- package/dist/server/mutations/retrieve.d.ts +1 -1
- package/dist/server/mutations/signature.d.ts +5 -5
- package/dist/server/mutations/signature.d.ts.map +1 -1
- package/dist/server/mutations/signin.d.ts +1 -1
- package/dist/server/mutations/signout.d.ts +1 -1
- package/dist/server/mutations/store.d.ts +3 -2
- package/dist/server/mutations/store.d.ts.map +1 -1
- package/dist/server/mutations/store.js +6 -3
- package/dist/server/mutations/store.js.map +1 -1
- package/dist/server/mutations/verifier.d.ts +1 -1
- package/dist/server/mutations/verify.d.ts +4 -4
- package/dist/server/oauth.d.ts +1 -59
- package/dist/server/oauth.js +3 -0
- package/dist/server/oauth.js.map +1 -1
- package/dist/server/passkey.d.ts.map +1 -1
- package/dist/server/passkey.js +3 -2
- package/dist/server/passkey.js.map +1 -1
- package/dist/server/provider.d.ts +1 -14
- package/dist/server/provider.d.ts.map +1 -1
- package/dist/server/provider.js +2 -0
- package/dist/server/provider.js.map +1 -1
- package/dist/server/providers.js +3 -0
- package/dist/server/providers.js.map +1 -1
- package/dist/server/ratelimit.d.ts +1 -22
- package/dist/server/ratelimit.js +3 -0
- package/dist/server/ratelimit.js.map +1 -1
- package/dist/server/redirects.d.ts +1 -10
- package/dist/server/redirects.js +2 -0
- package/dist/server/redirects.js.map +1 -1
- package/dist/server/refresh.d.ts +1 -37
- package/dist/server/refresh.js +5 -0
- package/dist/server/refresh.js.map +1 -1
- package/dist/server/sessions.d.ts +1 -28
- package/dist/server/sessions.js +5 -0
- package/dist/server/sessions.js.map +1 -1
- package/dist/server/signin.d.ts +1 -55
- package/dist/server/signin.js +2 -1
- package/dist/server/signin.js.map +1 -1
- package/dist/server/sso.d.ts +1 -348
- package/dist/server/sso.js +165 -18
- package/dist/server/sso.js.map +1 -1
- package/dist/server/templates.d.ts +1 -21
- package/dist/server/templates.js +1 -0
- package/dist/server/templates.js.map +1 -1
- package/dist/server/tokens.d.ts +1 -11
- package/dist/server/tokens.js +1 -0
- package/dist/server/tokens.js.map +1 -1
- package/dist/server/totp.d.ts +1 -23
- package/dist/server/totp.js +4 -2
- package/dist/server/totp.js.map +1 -1
- package/dist/server/types.d.ts +55 -71
- package/dist/server/types.d.ts.map +1 -1
- package/dist/server/types.js.map +1 -1
- package/dist/server/users.d.ts +1 -31
- package/dist/server/users.js +1 -0
- package/dist/server/users.js.map +1 -1
- package/dist/server/utils.d.ts +1 -27
- package/dist/server/utils.js +44 -2
- package/dist/server/utils.js.map +1 -1
- package/dist/server/version.d.ts +1 -1
- package/dist/server/version.js +1 -1
- package/dist/server/version.js.map +1 -1
- package/package.json +4 -5
- package/src/cli/bin.ts +5 -0
- package/src/cli/index.ts +22 -9
- package/src/cli/keys.ts +3 -0
- package/src/client/index.ts +36 -37
- package/src/component/_generated/api.ts +14 -0
- package/src/component/_generated/component.ts +1920 -3
- package/src/component/index.ts +2 -0
- package/src/component/model.ts +424 -0
- package/src/component/public/enterprise.ts +654 -0
- package/src/component/public/factors.ts +332 -0
- package/src/component/public/groups.ts +951 -0
- package/src/component/public/identity.ts +566 -0
- package/src/component/public/keys.ts +209 -0
- package/src/component/public/shared.ts +117 -0
- package/src/component/public.ts +5 -2965
- package/src/component/schema.ts +47 -57
- package/src/providers/sso.ts +1 -1
- package/src/server/auth.ts +192 -9
- package/src/server/cookies.ts +3 -0
- package/src/server/db.ts +3 -0
- package/src/server/device.ts +3 -1
- package/src/server/domains/core.ts +916 -0
- package/src/server/domains/sso.ts +1462 -0
- package/src/server/enterpriseValidators.ts +88 -0
- package/src/server/factory.ts +2168 -0
- package/src/server/fx.ts +1 -0
- package/src/server/http.ts +529 -0
- package/src/server/identity.ts +18 -0
- package/src/server/index.ts +712 -40
- package/src/server/keys.ts +4 -0
- package/src/server/mutations/index.ts +1 -1
- package/src/server/mutations/oauth.ts +36 -8
- package/src/server/mutations/store.ts +6 -3
- package/src/server/oauth.ts +6 -0
- package/src/server/passkey.ts +3 -2
- package/src/server/provider.ts +2 -0
- package/src/server/providers.ts +3 -0
- package/src/server/ratelimit.ts +3 -0
- package/src/server/redirects.ts +2 -0
- package/src/server/refresh.ts +5 -0
- package/src/server/sessions.ts +5 -0
- package/src/server/signin.ts +1 -0
- package/src/server/sso.ts +251 -17
- package/src/server/templates.ts +1 -0
- package/src/server/tokens.ts +1 -0
- package/src/server/totp.ts +4 -2
- package/src/server/types.ts +85 -77
- package/src/server/users.ts +1 -0
- package/src/server/utils.ts +71 -1
- package/src/server/version.ts +1 -1
- package/dist/component/public.js.map +0 -1
- package/dist/component/server/implementation.d.ts +0 -1264
- package/dist/component/server/implementation.d.ts.map +0 -1
- package/dist/component/server/implementation.js +0 -2365
- package/dist/component/server/implementation.js.map +0 -1
- package/dist/server/cookies.d.ts.map +0 -1
- package/dist/server/db.d.ts.map +0 -1
- package/dist/server/device.d.ts.map +0 -1
- package/dist/server/implementation.d.ts +0 -1264
- package/dist/server/implementation.d.ts.map +0 -1
- package/dist/server/implementation.js +0 -2365
- package/dist/server/implementation.js.map +0 -1
- package/dist/server/keys.d.ts.map +0 -1
- package/dist/server/oauth.d.ts.map +0 -1
- package/dist/server/ratelimit.d.ts.map +0 -1
- package/dist/server/redirects.d.ts.map +0 -1
- package/dist/server/refresh.d.ts.map +0 -1
- package/dist/server/sessions.d.ts.map +0 -1
- package/dist/server/signin.d.ts.map +0 -1
- package/dist/server/sso.d.ts.map +0 -1
- package/dist/server/templates.d.ts.map +0 -1
- package/dist/server/tokens.d.ts.map +0 -1
- package/dist/server/totp.d.ts.map +0 -1
- package/dist/server/users.d.ts.map +0 -1
- package/dist/server/utils.d.ts.map +0 -1
- package/src/server/implementation.ts +0 -5336
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { AuthError } from "./fx.js";
|
|
2
2
|
import { generateRandomString, requireEnv, sha256 } from "./utils.js";
|
|
3
|
+
import { userIdFromIdentitySubject } from "./identity.js";
|
|
3
4
|
import { callSignIn } from "./mutations/signin.js";
|
|
4
5
|
import { mutateDeviceAuthorize, mutateDeviceDelete, mutateDeviceInsert, mutateDeviceUpdateLastPolled, queryDeviceByCodeHash, queryDeviceByUserCode } from "./types.js";
|
|
5
6
|
import { Fx } from "@robelest/fx";
|
|
@@ -23,6 +24,7 @@ const DEVICE_FLOWS = [
|
|
|
23
24
|
"poll",
|
|
24
25
|
"verify"
|
|
25
26
|
];
|
|
27
|
+
/** @internal */
|
|
26
28
|
const handleDevice = (ctx, provider, args) => Fx.from({
|
|
27
29
|
ok: async () => {
|
|
28
30
|
const params = args.params ?? {};
|
|
@@ -81,7 +83,7 @@ const handleDevice = (ctx, provider, args) => Fx.from({
|
|
|
81
83
|
if (typeof params.userCode !== "string") throw new AuthError("DEVICE_INVALID_USER_CODE", "Missing `userCode` parameter for verify flow.");
|
|
82
84
|
const identity = await ctx.auth.getUserIdentity();
|
|
83
85
|
if (identity === null) throw new AuthError("NOT_SIGNED_IN", "You must be signed in to authorize a device.");
|
|
84
|
-
const userId = identity.subject
|
|
86
|
+
const userId = userIdFromIdentitySubject(identity.subject);
|
|
85
87
|
const doc = await queryDeviceByUserCode(ctx, params.userCode);
|
|
86
88
|
if (doc === null) throw new AuthError("DEVICE_INVALID_USER_CODE");
|
|
87
89
|
if (Date.now() > doc.expiresAt) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"device.js","names":["doc"],"sources":["../../../src/server/device.ts"],"sourcesContent":["/**\n * Server-side device authorization flow logic (RFC 8628).\n *\n * Handles the three phases of the device flow:\n * 1. (default) — Generate a device code + user code pair\n * 2. poll — Device checks whether the user has authorized yet\n * 3. verify — Authenticated user links a user code to their session\n *\n * Uses `@oslojs/crypto/random` for code generation and\n * `@oslojs/crypto/sha2` for hashing device codes before storage.\n */\n\nimport { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./fx\";\nimport { callSignIn } from \"./mutations/index\";\nimport { DeviceProviderConfig, GenericActionCtxWithAuthConfig } from \"./types\";\nimport {\n AuthDataModel,\n SessionInfo,\n mutateDeviceInsert,\n queryDeviceByCodeHash,\n queryDeviceByUserCode,\n mutateDeviceAuthorize,\n mutateDeviceUpdateLastPolled,\n mutateDeviceDelete,\n} from \"./types\";\nimport { generateRandomString, sha256 } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n// ============================================================================\n// Constants\n// ============================================================================\n\nconst DEVICE_CODE_ALPHABET =\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\";\nconst DEVICE_CODE_LENGTH = 40;\nconst DEVICE_FLOWS = [\"create\", \"poll\", \"verify\"] as const;\n\n// ============================================================================\n// Create flow\n// ============================================================================\n\n// ============================================================================\n// Poll flow — pipeline of validations + status dispatch\n// ============================================================================\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\ntype DeviceResult =\n | {\n kind: \"deviceCode\";\n deviceCode: string;\n userCode: string;\n verificationUri: string;\n verificationUriComplete: string;\n expiresIn: number;\n interval: number;\n }\n | { kind: \"signedIn\"; signedIn: SessionInfo | null };\n\nexport const handleDevice = (\n ctx: EnrichedActionCtx,\n provider: DeviceProviderConfig,\n args: { params?: Record<string, any> },\n): Fx<DeviceResult, AuthError> =>\n Fx.from({\n ok: async () => {\n const params = (args.params ?? {}) as Record<string, unknown>;\n const flow = (typeof params.flow === \"string\" ? params.flow : \"create\") as\n | \"create\"\n | \"poll\"\n | \"verify\";\n\n if (!DEVICE_FLOWS.some((candidate) => candidate === flow)) {\n throw new AuthError(\n \"DEVICE_MISSING_FLOW\",\n \"Missing `flow` parameter. Expected one of: create, poll, verify\",\n );\n }\n\n if (flow === \"create\") {\n const deviceCode = generateRandomString(\n DEVICE_CODE_LENGTH,\n DEVICE_CODE_ALPHABET,\n );\n const deviceCodeHash = await sha256(deviceCode);\n\n const rawUserCode = generateRandomString(\n provider.userCodeLength,\n provider.charset,\n );\n const mid = Math.floor(rawUserCode.length / 2);\n const userCode =\n rawUserCode.slice(0, mid) + \"-\" + rawUserCode.slice(mid);\n\n const expiresAt = Date.now() + provider.expiresIn * 1000;\n await mutateDeviceInsert(ctx, {\n deviceCodeHash,\n userCode,\n expiresAt,\n interval: provider.interval,\n status: \"pending\",\n });\n\n const verificationUri =\n provider.verificationUri ??\n `${process.env.SITE_URL ?? requireEnv(\"SITE_URL\")}/device`;\n\n return {\n kind: \"deviceCode\" as const,\n deviceCode,\n userCode,\n verificationUri,\n verificationUriComplete: `${verificationUri}?user_code=${encodeURIComponent(userCode)}`,\n expiresIn: provider.expiresIn,\n interval: provider.interval,\n };\n }\n\n if (flow === \"poll\") {\n if (typeof params.deviceCode !== \"string\") {\n throw new AuthError(\n \"DEVICE_MISSING_FLOW\",\n \"Missing `deviceCode` parameter for poll flow.\",\n );\n }\n\n const hash = await sha256(params.deviceCode);\n const doc = await queryDeviceByCodeHash(ctx, hash);\n if (doc === null) {\n throw new AuthError(\"DEVICE_CODE_EXPIRED\");\n }\n if (Date.now() > doc.expiresAt) {\n await mutateDeviceDelete(ctx, doc._id);\n throw new AuthError(\"DEVICE_CODE_EXPIRED\");\n }\n if (\n doc.lastPolledAt !== undefined &&\n (Date.now() - doc.lastPolledAt) / 1000 < doc.interval\n ) {\n throw new AuthError(\"DEVICE_SLOW_DOWN\");\n }\n\n await mutateDeviceUpdateLastPolled(ctx, doc._id, Date.now());\n\n if (doc.status === \"pending\") {\n throw new AuthError(\"DEVICE_AUTHORIZATION_PENDING\");\n }\n if (doc.status === \"denied\") {\n await mutateDeviceDelete(ctx, doc._id);\n throw new AuthError(\"DEVICE_CODE_DENIED\");\n }\n\n if (!doc.userId || !doc.sessionId) {\n throw new AuthError(\n \"INTERNAL_ERROR\",\n \"Authorized device code missing userId or sessionId\",\n );\n }\n\n await mutateDeviceDelete(ctx, doc._id);\n const signInResult = await callSignIn(ctx, {\n userId: doc.userId,\n sessionId: doc.sessionId,\n generateTokens: true,\n });\n return { kind: \"signedIn\" as const, signedIn: signInResult };\n }\n\n if (typeof params.userCode !== \"string\") {\n throw new AuthError(\n \"DEVICE_INVALID_USER_CODE\",\n \"Missing `userCode` parameter for verify flow.\",\n );\n }\n\n const identity = await ctx.auth.getUserIdentity();\n if (identity === null) {\n throw new AuthError(\n \"NOT_SIGNED_IN\",\n \"You must be signed in to authorize a device.\",\n );\n }\n\n const userId = identity.subject
|
|
1
|
+
{"version":3,"file":"device.js","names":["doc"],"sources":["../../../src/server/device.ts"],"sourcesContent":["/**\n * Server-side device authorization flow logic (RFC 8628).\n *\n * Handles the three phases of the device flow:\n * 1. (default) — Generate a device code + user code pair\n * 2. poll — Device checks whether the user has authorized yet\n * 3. verify — Authenticated user links a user code to their session\n *\n * Uses `@oslojs/crypto/random` for code generation and\n * `@oslojs/crypto/sha2` for hashing device codes before storage.\n */\n\nimport { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./fx\";\nimport { userIdFromIdentitySubject } from \"./identity\";\nimport { callSignIn } from \"./mutations/index\";\nimport { DeviceProviderConfig, GenericActionCtxWithAuthConfig } from \"./types\";\nimport {\n AuthDataModel,\n SessionInfo,\n mutateDeviceInsert,\n queryDeviceByCodeHash,\n queryDeviceByUserCode,\n mutateDeviceAuthorize,\n mutateDeviceUpdateLastPolled,\n mutateDeviceDelete,\n} from \"./types\";\nimport { generateRandomString, sha256 } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n// ============================================================================\n// Constants\n// ============================================================================\n\nconst DEVICE_CODE_ALPHABET =\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\";\nconst DEVICE_CODE_LENGTH = 40;\nconst DEVICE_FLOWS = [\"create\", \"poll\", \"verify\"] as const;\n\n// ============================================================================\n// Create flow\n// ============================================================================\n\n// ============================================================================\n// Poll flow — pipeline of validations + status dispatch\n// ============================================================================\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\ntype DeviceResult =\n | {\n kind: \"deviceCode\";\n deviceCode: string;\n userCode: string;\n verificationUri: string;\n verificationUriComplete: string;\n expiresIn: number;\n interval: number;\n }\n | { kind: \"signedIn\"; signedIn: SessionInfo | null };\n\n/** @internal */\nexport const handleDevice = (\n ctx: EnrichedActionCtx,\n provider: DeviceProviderConfig,\n args: { params?: Record<string, any> },\n): Fx<DeviceResult, AuthError> =>\n Fx.from({\n ok: async () => {\n const params = (args.params ?? {}) as Record<string, unknown>;\n const flow = (typeof params.flow === \"string\" ? params.flow : \"create\") as\n | \"create\"\n | \"poll\"\n | \"verify\";\n\n if (!DEVICE_FLOWS.some((candidate) => candidate === flow)) {\n throw new AuthError(\n \"DEVICE_MISSING_FLOW\",\n \"Missing `flow` parameter. Expected one of: create, poll, verify\",\n );\n }\n\n if (flow === \"create\") {\n const deviceCode = generateRandomString(\n DEVICE_CODE_LENGTH,\n DEVICE_CODE_ALPHABET,\n );\n const deviceCodeHash = await sha256(deviceCode);\n\n const rawUserCode = generateRandomString(\n provider.userCodeLength,\n provider.charset,\n );\n const mid = Math.floor(rawUserCode.length / 2);\n const userCode =\n rawUserCode.slice(0, mid) + \"-\" + rawUserCode.slice(mid);\n\n const expiresAt = Date.now() + provider.expiresIn * 1000;\n await mutateDeviceInsert(ctx, {\n deviceCodeHash,\n userCode,\n expiresAt,\n interval: provider.interval,\n status: \"pending\",\n });\n\n const verificationUri =\n provider.verificationUri ??\n `${process.env.SITE_URL ?? requireEnv(\"SITE_URL\")}/device`;\n\n return {\n kind: \"deviceCode\" as const,\n deviceCode,\n userCode,\n verificationUri,\n verificationUriComplete: `${verificationUri}?user_code=${encodeURIComponent(userCode)}`,\n expiresIn: provider.expiresIn,\n interval: provider.interval,\n };\n }\n\n if (flow === \"poll\") {\n if (typeof params.deviceCode !== \"string\") {\n throw new AuthError(\n \"DEVICE_MISSING_FLOW\",\n \"Missing `deviceCode` parameter for poll flow.\",\n );\n }\n\n const hash = await sha256(params.deviceCode);\n const doc = await queryDeviceByCodeHash(ctx, hash);\n if (doc === null) {\n throw new AuthError(\"DEVICE_CODE_EXPIRED\");\n }\n if (Date.now() > doc.expiresAt) {\n await mutateDeviceDelete(ctx, doc._id);\n throw new AuthError(\"DEVICE_CODE_EXPIRED\");\n }\n if (\n doc.lastPolledAt !== undefined &&\n (Date.now() - doc.lastPolledAt) / 1000 < doc.interval\n ) {\n throw new AuthError(\"DEVICE_SLOW_DOWN\");\n }\n\n await mutateDeviceUpdateLastPolled(ctx, doc._id, Date.now());\n\n if (doc.status === \"pending\") {\n throw new AuthError(\"DEVICE_AUTHORIZATION_PENDING\");\n }\n if (doc.status === \"denied\") {\n await mutateDeviceDelete(ctx, doc._id);\n throw new AuthError(\"DEVICE_CODE_DENIED\");\n }\n\n if (!doc.userId || !doc.sessionId) {\n throw new AuthError(\n \"INTERNAL_ERROR\",\n \"Authorized device code missing userId or sessionId\",\n );\n }\n\n await mutateDeviceDelete(ctx, doc._id);\n const signInResult = await callSignIn(ctx, {\n userId: doc.userId,\n sessionId: doc.sessionId,\n generateTokens: true,\n });\n return { kind: \"signedIn\" as const, signedIn: signInResult };\n }\n\n if (typeof params.userCode !== \"string\") {\n throw new AuthError(\n \"DEVICE_INVALID_USER_CODE\",\n \"Missing `userCode` parameter for verify flow.\",\n );\n }\n\n const identity = await ctx.auth.getUserIdentity();\n if (identity === null) {\n throw new AuthError(\n \"NOT_SIGNED_IN\",\n \"You must be signed in to authorize a device.\",\n );\n }\n\n const userId = userIdFromIdentitySubject(identity.subject);\n const doc = await queryDeviceByUserCode(ctx, params.userCode);\n if (doc === null) {\n throw new AuthError(\"DEVICE_INVALID_USER_CODE\");\n }\n if (Date.now() > doc.expiresAt) {\n await mutateDeviceDelete(ctx, doc._id);\n throw new AuthError(\"DEVICE_CODE_EXPIRED\");\n }\n if (doc.status !== \"pending\") {\n throw new AuthError(\"DEVICE_ALREADY_AUTHORIZED\");\n }\n\n const signInResult = await callSignIn(ctx, {\n userId,\n generateTokens: false,\n });\n await mutateDeviceAuthorize(\n ctx,\n doc._id,\n signInResult.userId,\n signInResult.sessionId,\n );\n return { kind: \"signedIn\" as const, signedIn: null };\n },\n err: (e) =>\n e instanceof AuthError\n ? e\n : new AuthError(\"INTERNAL_ERROR\", `Device flow failed: ${String(e)}`),\n });\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAqCA,MAAM,uBACJ;AACF,MAAM,qBAAqB;AAC3B,MAAM,eAAe;CAAC;CAAU;CAAQ;CAAS;;AA2BjD,MAAa,gBACX,KACA,UACA,SAEA,GAAG,KAAK;CACN,IAAI,YAAY;EACd,MAAM,SAAU,KAAK,UAAU,EAAE;EACjC,MAAM,OAAQ,OAAO,OAAO,SAAS,WAAW,OAAO,OAAO;AAK9D,MAAI,CAAC,aAAa,MAAM,cAAc,cAAc,KAAK,CACvD,OAAM,IAAI,UACR,uBACA,kEACD;AAGH,MAAI,SAAS,UAAU;GACrB,MAAM,aAAa,qBACjB,oBACA,qBACD;GACD,MAAM,iBAAiB,MAAM,OAAO,WAAW;GAE/C,MAAM,cAAc,qBAClB,SAAS,gBACT,SAAS,QACV;GACD,MAAM,MAAM,KAAK,MAAM,YAAY,SAAS,EAAE;GAC9C,MAAM,WACJ,YAAY,MAAM,GAAG,IAAI,GAAG,MAAM,YAAY,MAAM,IAAI;AAG1D,SAAM,mBAAmB,KAAK;IAC5B;IACA;IACA,WAJgB,KAAK,KAAK,GAAG,SAAS,YAAY;IAKlD,UAAU,SAAS;IACnB,QAAQ;IACT,CAAC;GAEF,MAAM,kBACJ,SAAS,mBACT,GAAG,QAAQ,IAAI,YAAY,WAAW,WAAW,CAAC;AAEpD,UAAO;IACL,MAAM;IACN;IACA;IACA;IACA,yBAAyB,GAAG,gBAAgB,aAAa,mBAAmB,SAAS;IACrF,WAAW,SAAS;IACpB,UAAU,SAAS;IACpB;;AAGH,MAAI,SAAS,QAAQ;AACnB,OAAI,OAAO,OAAO,eAAe,SAC/B,OAAM,IAAI,UACR,uBACA,gDACD;GAIH,MAAMA,QAAM,MAAM,sBAAsB,KAD3B,MAAM,OAAO,OAAO,WAAW,CACM;AAClD,OAAIA,UAAQ,KACV,OAAM,IAAI,UAAU,sBAAsB;AAE5C,OAAI,KAAK,KAAK,GAAGA,MAAI,WAAW;AAC9B,UAAM,mBAAmB,KAAKA,MAAI,IAAI;AACtC,UAAM,IAAI,UAAU,sBAAsB;;AAE5C,OACEA,MAAI,iBAAiB,WACpB,KAAK,KAAK,GAAGA,MAAI,gBAAgB,MAAOA,MAAI,SAE7C,OAAM,IAAI,UAAU,mBAAmB;AAGzC,SAAM,6BAA6B,KAAKA,MAAI,KAAK,KAAK,KAAK,CAAC;AAE5D,OAAIA,MAAI,WAAW,UACjB,OAAM,IAAI,UAAU,+BAA+B;AAErD,OAAIA,MAAI,WAAW,UAAU;AAC3B,UAAM,mBAAmB,KAAKA,MAAI,IAAI;AACtC,UAAM,IAAI,UAAU,qBAAqB;;AAG3C,OAAI,CAACA,MAAI,UAAU,CAACA,MAAI,UACtB,OAAM,IAAI,UACR,kBACA,qDACD;AAGH,SAAM,mBAAmB,KAAKA,MAAI,IAAI;AAMtC,UAAO;IAAE,MAAM;IAAqB,UALf,MAAM,WAAW,KAAK;KACzC,QAAQA,MAAI;KACZ,WAAWA,MAAI;KACf,gBAAgB;KACjB,CAAC;IAC0D;;AAG9D,MAAI,OAAO,OAAO,aAAa,SAC7B,OAAM,IAAI,UACR,4BACA,gDACD;EAGH,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,MAAI,aAAa,KACf,OAAM,IAAI,UACR,iBACA,+CACD;EAGH,MAAM,SAAS,0BAA0B,SAAS,QAAQ;EAC1D,MAAM,MAAM,MAAM,sBAAsB,KAAK,OAAO,SAAS;AAC7D,MAAI,QAAQ,KACV,OAAM,IAAI,UAAU,2BAA2B;AAEjD,MAAI,KAAK,KAAK,GAAG,IAAI,WAAW;AAC9B,SAAM,mBAAmB,KAAK,IAAI,IAAI;AACtC,SAAM,IAAI,UAAU,sBAAsB;;AAE5C,MAAI,IAAI,WAAW,UACjB,OAAM,IAAI,UAAU,4BAA4B;EAGlD,MAAM,eAAe,MAAM,WAAW,KAAK;GACzC;GACA,gBAAgB;GACjB,CAAC;AACF,QAAM,sBACJ,KACA,IAAI,KACJ,aAAa,QACb,aAAa,UACd;AACD,SAAO;GAAE,MAAM;GAAqB,UAAU;GAAM;;CAEtD,MAAM,MACJ,aAAa,YACT,IACA,IAAI,UAAU,kBAAkB,uBAAuB,OAAO,EAAE,GAAG;CAC1E,CAAC"}
|
|
@@ -0,0 +1,466 @@
|
|
|
1
|
+
import { AuthError, Fx } from "../fx.js";
|
|
2
|
+
import { TOKEN_SUB_CLAIM_DIVIDER, generateRandomString, sha256 } from "../utils.js";
|
|
3
|
+
import { buildScopeChecker, checkKeyRateLimit, generateApiKey, hashApiKey } from "../keys.js";
|
|
4
|
+
import { materializeProvider } from "../providers.js";
|
|
5
|
+
import { signInImpl } from "../signin.js";
|
|
6
|
+
|
|
7
|
+
//#region src/server/domains/core.ts
|
|
8
|
+
/**
|
|
9
|
+
* Build the core auth domains that back the canonical app API surface.
|
|
10
|
+
*/
|
|
11
|
+
function createCoreDomains(deps) {
|
|
12
|
+
const { config, getAuth, callInvalidateSessions, callCreateAccountFromCredentials, callRetrieveAccountWithCredentials, callModifyAccount, getEnrichCtx, inviteTokenAlphabet, inviteTokenLength } = deps;
|
|
13
|
+
const user = {
|
|
14
|
+
current: async (ctx, request) => {
|
|
15
|
+
const identity = await ctx.auth.getUserIdentity();
|
|
16
|
+
if (identity !== null) {
|
|
17
|
+
const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
|
|
18
|
+
return userId;
|
|
19
|
+
}
|
|
20
|
+
if (request !== void 0 && "runMutation" in ctx && ctx.runMutation) {
|
|
21
|
+
const authHeader = request.headers.get("Authorization");
|
|
22
|
+
if (authHeader?.startsWith("Bearer sk_")) {
|
|
23
|
+
const rawKey = authHeader.slice(7);
|
|
24
|
+
try {
|
|
25
|
+
return (await getAuth().key.verify(ctx, rawKey)).userId;
|
|
26
|
+
} catch {
|
|
27
|
+
return null;
|
|
28
|
+
}
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
return null;
|
|
32
|
+
},
|
|
33
|
+
require: async (ctx, request) => {
|
|
34
|
+
const userId = await user.current(ctx, request);
|
|
35
|
+
if (userId === null) throw new AuthError("NOT_SIGNED_IN").toConvexError();
|
|
36
|
+
return userId;
|
|
37
|
+
},
|
|
38
|
+
get: async (ctx, userId) => {
|
|
39
|
+
return await ctx.runQuery(config.component.public.userGetById, { userId });
|
|
40
|
+
},
|
|
41
|
+
list: async (ctx, opts = {}) => {
|
|
42
|
+
return await ctx.runQuery(config.component.public.userList, opts);
|
|
43
|
+
},
|
|
44
|
+
viewer: async (ctx) => {
|
|
45
|
+
const userId = await user.current(ctx);
|
|
46
|
+
if (userId === null) return null;
|
|
47
|
+
return await ctx.runQuery(config.component.public.userGetById, { userId });
|
|
48
|
+
},
|
|
49
|
+
patch: async (ctx, userId, data) => {
|
|
50
|
+
await ctx.runMutation(config.component.public.userPatch, {
|
|
51
|
+
userId,
|
|
52
|
+
data
|
|
53
|
+
});
|
|
54
|
+
},
|
|
55
|
+
setActiveGroup: async (ctx, opts) => {
|
|
56
|
+
const doc = await user.get(ctx, opts.userId);
|
|
57
|
+
const existingExtend = doc !== null && doc.extend !== null && typeof doc.extend === "object" && !Array.isArray(doc.extend) ? { ...doc.extend } : {};
|
|
58
|
+
if (opts.groupId === null) {
|
|
59
|
+
const { lastActiveGroup: _omit, ...rest } = existingExtend;
|
|
60
|
+
await user.patch(ctx, opts.userId, { extend: rest });
|
|
61
|
+
return;
|
|
62
|
+
}
|
|
63
|
+
await user.patch(ctx, opts.userId, { extend: {
|
|
64
|
+
...existingExtend,
|
|
65
|
+
lastActiveGroup: opts.groupId
|
|
66
|
+
} });
|
|
67
|
+
},
|
|
68
|
+
getActiveGroup: async (ctx, opts) => {
|
|
69
|
+
const doc = await user.get(ctx, opts.userId);
|
|
70
|
+
if (doc !== null && doc.extend !== null && typeof doc.extend === "object" && !Array.isArray(doc.extend)) {
|
|
71
|
+
const val = doc.extend.lastActiveGroup;
|
|
72
|
+
if (typeof val === "string") return val;
|
|
73
|
+
}
|
|
74
|
+
return null;
|
|
75
|
+
},
|
|
76
|
+
remove: async (ctx, userId, opts) => {
|
|
77
|
+
const cascade = opts?.cascade !== false;
|
|
78
|
+
const [sessions, accounts, keys, members, passkeys, totps] = await Promise.all([
|
|
79
|
+
ctx.runQuery(config.component.public.sessionListByUser, { userId }),
|
|
80
|
+
ctx.runQuery(config.component.public.accountListByUser, { userId }),
|
|
81
|
+
ctx.runQuery(config.component.public.keyListByUserId, { userId }),
|
|
82
|
+
ctx.runQuery(config.component.public.memberListByUser, { userId }),
|
|
83
|
+
ctx.runQuery(config.component.public.passkeyListByUserId, { userId }),
|
|
84
|
+
ctx.runQuery(config.component.public.totpListByUserId, { userId })
|
|
85
|
+
]);
|
|
86
|
+
const totalLinked = sessions.length + accounts.length + keys.length + members.length + passkeys.length + totps.length;
|
|
87
|
+
if (!cascade && totalLinked > 0) throw new AuthError("INVALID_PARAMETERS", `Cannot delete user with ${totalLinked} linked records. Pass { cascade: true } to delete all linked records, or remove them manually first.`).toConvexError();
|
|
88
|
+
const deletions = [];
|
|
89
|
+
for (const s of sessions) deletions.push(ctx.runMutation(config.component.public.sessionDelete, { sessionId: s._id }));
|
|
90
|
+
for (const a of accounts) deletions.push(ctx.runMutation(config.component.public.accountDelete, { accountId: a._id }));
|
|
91
|
+
for (const k of keys) deletions.push(ctx.runMutation(config.component.public.keyDelete, { keyId: k._id }));
|
|
92
|
+
for (const m of members) deletions.push(ctx.runMutation(config.component.public.memberRemove, { memberId: m._id }));
|
|
93
|
+
for (const p of passkeys) deletions.push(ctx.runMutation(config.component.public.passkeyDelete, { passkeyId: p._id }));
|
|
94
|
+
for (const t of totps) deletions.push(ctx.runMutation(config.component.public.totpDelete, { totpId: t._id }));
|
|
95
|
+
await Promise.all(deletions);
|
|
96
|
+
await ctx.runMutation(config.component.public.userDelete, { userId });
|
|
97
|
+
}
|
|
98
|
+
};
|
|
99
|
+
const session = {
|
|
100
|
+
current: async (ctx) => {
|
|
101
|
+
const identity = await ctx.auth.getUserIdentity();
|
|
102
|
+
if (identity === null) return null;
|
|
103
|
+
const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
|
|
104
|
+
return sessionId;
|
|
105
|
+
},
|
|
106
|
+
invalidate: async (ctx, args) => callInvalidateSessions(ctx, args),
|
|
107
|
+
get: async (ctx, sessionId) => {
|
|
108
|
+
return await ctx.runQuery(config.component.public.sessionGetById, { sessionId });
|
|
109
|
+
},
|
|
110
|
+
list: async (ctx, opts) => {
|
|
111
|
+
return await ctx.runQuery(config.component.public.sessionListByUser, { userId: opts.userId });
|
|
112
|
+
}
|
|
113
|
+
};
|
|
114
|
+
const account = {
|
|
115
|
+
create: async (ctx, args) => {
|
|
116
|
+
return await callCreateAccountFromCredentials(ctx, args);
|
|
117
|
+
},
|
|
118
|
+
get: async (ctx, args) => {
|
|
119
|
+
const result = await callRetrieveAccountWithCredentials(ctx, args);
|
|
120
|
+
if (typeof result === "string") throw new AuthError("ACCOUNT_NOT_FOUND", result).toConvexError();
|
|
121
|
+
return result;
|
|
122
|
+
},
|
|
123
|
+
update: async (ctx, args) => {
|
|
124
|
+
return await callModifyAccount(ctx, args);
|
|
125
|
+
},
|
|
126
|
+
remove: async (ctx, accountId) => {
|
|
127
|
+
const doc = await ctx.runQuery(config.component.public.accountGetById, { accountId });
|
|
128
|
+
if (doc === null) throw new AuthError("ACCOUNT_NOT_FOUND", "Account not found.").toConvexError();
|
|
129
|
+
if ((await ctx.runQuery(config.component.public.accountListByUser, { userId: doc.userId })).length <= 1) throw new AuthError("INVALID_PARAMETERS", "Cannot unlink the user's only account. This would lock them out.").toConvexError();
|
|
130
|
+
await ctx.runMutation(config.component.public.accountDelete, { accountId });
|
|
131
|
+
},
|
|
132
|
+
listPasskeys: async (ctx, opts) => {
|
|
133
|
+
return await ctx.runQuery(config.component.public.passkeyListByUserId, opts);
|
|
134
|
+
},
|
|
135
|
+
renamePasskey: async (ctx, passkeyId, name) => {
|
|
136
|
+
await ctx.runMutation(config.component.public.passkeyUpdateMeta, {
|
|
137
|
+
passkeyId,
|
|
138
|
+
data: { name }
|
|
139
|
+
});
|
|
140
|
+
},
|
|
141
|
+
removePasskey: async (ctx, passkeyId) => {
|
|
142
|
+
await ctx.runMutation(config.component.public.passkeyDelete, { passkeyId });
|
|
143
|
+
},
|
|
144
|
+
listTotps: async (ctx, opts) => {
|
|
145
|
+
return await ctx.runQuery(config.component.public.totpListByUserId, opts);
|
|
146
|
+
},
|
|
147
|
+
removeTotp: async (ctx, totpId) => {
|
|
148
|
+
await ctx.runMutation(config.component.public.totpDelete, { totpId });
|
|
149
|
+
}
|
|
150
|
+
};
|
|
151
|
+
const provider = { signIn: async (ctx, providerConfig, args) => {
|
|
152
|
+
const result = await signInImpl(getEnrichCtx()(ctx), materializeProvider(providerConfig), args, {
|
|
153
|
+
generateTokens: false,
|
|
154
|
+
allowExtraProviders: true
|
|
155
|
+
});
|
|
156
|
+
return result.kind === "signedIn" ? result.signedIn !== null ? {
|
|
157
|
+
userId: result.signedIn.userId,
|
|
158
|
+
sessionId: result.signedIn.sessionId
|
|
159
|
+
} : null : null;
|
|
160
|
+
} };
|
|
161
|
+
const group = {
|
|
162
|
+
create: async (ctx, data) => {
|
|
163
|
+
return await ctx.runMutation(config.component.public.groupCreate, data);
|
|
164
|
+
},
|
|
165
|
+
get: async (ctx, groupId) => {
|
|
166
|
+
return await ctx.runQuery(config.component.public.groupGet, { groupId });
|
|
167
|
+
},
|
|
168
|
+
list: async (ctx, opts) => {
|
|
169
|
+
return await ctx.runQuery(config.component.public.groupList, {
|
|
170
|
+
where: opts?.where,
|
|
171
|
+
limit: opts?.limit,
|
|
172
|
+
cursor: opts?.cursor,
|
|
173
|
+
orderBy: opts?.orderBy,
|
|
174
|
+
order: opts?.order
|
|
175
|
+
});
|
|
176
|
+
},
|
|
177
|
+
update: async (ctx, groupId, data) => {
|
|
178
|
+
await ctx.runMutation(config.component.public.groupUpdate, {
|
|
179
|
+
groupId,
|
|
180
|
+
data
|
|
181
|
+
});
|
|
182
|
+
},
|
|
183
|
+
delete: async (ctx, groupId) => {
|
|
184
|
+
await ctx.runMutation(config.component.public.groupDelete, { groupId });
|
|
185
|
+
},
|
|
186
|
+
ancestors: async (ctx, opts) => {
|
|
187
|
+
const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
|
|
188
|
+
const visited = /* @__PURE__ */ new Set();
|
|
189
|
+
const ancestors = [];
|
|
190
|
+
let cycleDetected = false;
|
|
191
|
+
let maxDepthReached = false;
|
|
192
|
+
let currentGroupId = opts.groupId;
|
|
193
|
+
let depth = 0;
|
|
194
|
+
let isFirst = true;
|
|
195
|
+
while (currentGroupId !== void 0) {
|
|
196
|
+
if (depth > maxDepth) {
|
|
197
|
+
maxDepthReached = true;
|
|
198
|
+
break;
|
|
199
|
+
}
|
|
200
|
+
if (visited.has(currentGroupId)) {
|
|
201
|
+
cycleDetected = true;
|
|
202
|
+
break;
|
|
203
|
+
}
|
|
204
|
+
visited.add(currentGroupId);
|
|
205
|
+
const doc = await group.get(ctx, currentGroupId);
|
|
206
|
+
if (doc === null) break;
|
|
207
|
+
if (isFirst) {
|
|
208
|
+
isFirst = false;
|
|
209
|
+
if (opts.includeSelf) ancestors.push(doc);
|
|
210
|
+
currentGroupId = doc.parentGroupId;
|
|
211
|
+
depth += 1;
|
|
212
|
+
continue;
|
|
213
|
+
}
|
|
214
|
+
ancestors.push(doc);
|
|
215
|
+
currentGroupId = doc.parentGroupId;
|
|
216
|
+
depth += 1;
|
|
217
|
+
}
|
|
218
|
+
return {
|
|
219
|
+
ancestors,
|
|
220
|
+
cycleDetected,
|
|
221
|
+
maxDepthReached
|
|
222
|
+
};
|
|
223
|
+
}
|
|
224
|
+
};
|
|
225
|
+
const member = {
|
|
226
|
+
add: async (ctx, data) => {
|
|
227
|
+
return await ctx.runMutation(config.component.public.memberAdd, data);
|
|
228
|
+
},
|
|
229
|
+
get: async (ctx, memberId) => {
|
|
230
|
+
return await ctx.runQuery(config.component.public.memberGet, { memberId });
|
|
231
|
+
},
|
|
232
|
+
getByUserAndGroup: async (ctx, opts) => {
|
|
233
|
+
return await ctx.runQuery(config.component.public.memberGetByGroupAndUser, opts);
|
|
234
|
+
},
|
|
235
|
+
list: async (ctx, opts) => {
|
|
236
|
+
return await ctx.runQuery(config.component.public.memberList, {
|
|
237
|
+
where: opts?.where,
|
|
238
|
+
limit: opts?.limit,
|
|
239
|
+
cursor: opts?.cursor,
|
|
240
|
+
orderBy: opts?.orderBy,
|
|
241
|
+
order: opts?.order
|
|
242
|
+
});
|
|
243
|
+
},
|
|
244
|
+
remove: async (ctx, memberId) => {
|
|
245
|
+
await ctx.runMutation(config.component.public.memberRemove, { memberId });
|
|
246
|
+
},
|
|
247
|
+
update: async (ctx, memberId, data) => {
|
|
248
|
+
await ctx.runMutation(config.component.public.memberUpdate, {
|
|
249
|
+
memberId,
|
|
250
|
+
data
|
|
251
|
+
});
|
|
252
|
+
},
|
|
253
|
+
inherit: async (ctx, opts) => {
|
|
254
|
+
const roleFilter = opts.roles !== void 0 && opts.roles.length > 0 ? new Set(opts.roles) : null;
|
|
255
|
+
const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
|
|
256
|
+
const visited = /* @__PURE__ */ new Set();
|
|
257
|
+
const traversedGroupIds = [];
|
|
258
|
+
let currentGroupId = opts.groupId;
|
|
259
|
+
let depth = 0;
|
|
260
|
+
let cycleDetected = false;
|
|
261
|
+
let maxDepthReached = false;
|
|
262
|
+
while (currentGroupId !== void 0) {
|
|
263
|
+
if (depth > maxDepth) {
|
|
264
|
+
maxDepthReached = true;
|
|
265
|
+
break;
|
|
266
|
+
}
|
|
267
|
+
if (visited.has(currentGroupId)) {
|
|
268
|
+
cycleDetected = true;
|
|
269
|
+
break;
|
|
270
|
+
}
|
|
271
|
+
visited.add(currentGroupId);
|
|
272
|
+
traversedGroupIds.push(currentGroupId);
|
|
273
|
+
const membership = await member.getByUserAndGroup(ctx, {
|
|
274
|
+
userId: opts.userId,
|
|
275
|
+
groupId: currentGroupId
|
|
276
|
+
});
|
|
277
|
+
if (membership !== null && (roleFilter === null || roleFilter.has(membership.role))) return {
|
|
278
|
+
requestedGroupId: opts.groupId,
|
|
279
|
+
matchedGroupId: currentGroupId,
|
|
280
|
+
membership,
|
|
281
|
+
depth,
|
|
282
|
+
isDirect: depth === 0,
|
|
283
|
+
isInherited: depth > 0,
|
|
284
|
+
traversedGroupIds,
|
|
285
|
+
cycleDetected: false,
|
|
286
|
+
maxDepthReached: false
|
|
287
|
+
};
|
|
288
|
+
const doc = await group.get(ctx, currentGroupId);
|
|
289
|
+
if (doc === null || doc.parentGroupId === void 0) break;
|
|
290
|
+
currentGroupId = doc.parentGroupId;
|
|
291
|
+
depth += 1;
|
|
292
|
+
}
|
|
293
|
+
return {
|
|
294
|
+
requestedGroupId: opts.groupId,
|
|
295
|
+
matchedGroupId: null,
|
|
296
|
+
membership: null,
|
|
297
|
+
depth: null,
|
|
298
|
+
isDirect: false,
|
|
299
|
+
isInherited: false,
|
|
300
|
+
traversedGroupIds,
|
|
301
|
+
cycleDetected,
|
|
302
|
+
maxDepthReached
|
|
303
|
+
};
|
|
304
|
+
},
|
|
305
|
+
require: async (ctx, opts) => {
|
|
306
|
+
const result = await member.inherit(ctx, opts);
|
|
307
|
+
if (result.membership === null) throw new AuthError("FORBIDDEN", `User ${opts.userId} has no membership on group ${opts.groupId} or its ancestors.`).toConvexError();
|
|
308
|
+
return {
|
|
309
|
+
membership: result.membership,
|
|
310
|
+
matchedGroupId: result.matchedGroupId,
|
|
311
|
+
isDirect: result.isDirect,
|
|
312
|
+
isInherited: result.isInherited,
|
|
313
|
+
depth: result.depth
|
|
314
|
+
};
|
|
315
|
+
}
|
|
316
|
+
};
|
|
317
|
+
const invite = {
|
|
318
|
+
create: async (ctx, data) => {
|
|
319
|
+
const token = generateRandomString(inviteTokenLength, inviteTokenAlphabet);
|
|
320
|
+
const tokenHash = await sha256(token);
|
|
321
|
+
return {
|
|
322
|
+
inviteId: await ctx.runMutation(config.component.public.inviteCreate, {
|
|
323
|
+
...data,
|
|
324
|
+
tokenHash,
|
|
325
|
+
status: "pending"
|
|
326
|
+
}),
|
|
327
|
+
token
|
|
328
|
+
};
|
|
329
|
+
},
|
|
330
|
+
get: async (ctx, inviteId) => {
|
|
331
|
+
return await ctx.runQuery(config.component.public.inviteGet, { inviteId });
|
|
332
|
+
},
|
|
333
|
+
token: {
|
|
334
|
+
get: async (ctx, token) => {
|
|
335
|
+
const tokenHash = await sha256(token);
|
|
336
|
+
return await ctx.runQuery(config.component.public.inviteGetByTokenHash, { tokenHash });
|
|
337
|
+
},
|
|
338
|
+
accept: async (ctx, args) => {
|
|
339
|
+
const tokenHash = await sha256(args.token);
|
|
340
|
+
return await ctx.runMutation(config.component.public.inviteAcceptByToken, {
|
|
341
|
+
tokenHash,
|
|
342
|
+
acceptedByUserId: args.acceptedByUserId
|
|
343
|
+
});
|
|
344
|
+
}
|
|
345
|
+
},
|
|
346
|
+
list: async (ctx, opts) => {
|
|
347
|
+
return await ctx.runQuery(config.component.public.inviteList, {
|
|
348
|
+
where: opts?.where,
|
|
349
|
+
limit: opts?.limit,
|
|
350
|
+
cursor: opts?.cursor,
|
|
351
|
+
orderBy: opts?.orderBy,
|
|
352
|
+
order: opts?.order
|
|
353
|
+
});
|
|
354
|
+
},
|
|
355
|
+
accept: async (ctx, inviteId, acceptedByUserId) => {
|
|
356
|
+
await ctx.runMutation(config.component.public.inviteAccept, {
|
|
357
|
+
inviteId,
|
|
358
|
+
...acceptedByUserId ? { acceptedByUserId } : {}
|
|
359
|
+
});
|
|
360
|
+
},
|
|
361
|
+
revoke: async (ctx, inviteId) => {
|
|
362
|
+
await ctx.runMutation(config.component.public.inviteRevoke, { inviteId });
|
|
363
|
+
}
|
|
364
|
+
};
|
|
365
|
+
const key = {
|
|
366
|
+
create: async (ctx, opts) => {
|
|
367
|
+
const { raw, hashedKey, displayPrefix } = await generateApiKey("sk_");
|
|
368
|
+
return {
|
|
369
|
+
keyId: await ctx.runMutation(config.component.public.keyInsert, {
|
|
370
|
+
userId: opts.userId,
|
|
371
|
+
prefix: displayPrefix,
|
|
372
|
+
hashedKey,
|
|
373
|
+
name: opts.name,
|
|
374
|
+
scopes: opts.scopes,
|
|
375
|
+
rateLimit: opts.rateLimit,
|
|
376
|
+
expiresAt: opts.expiresAt,
|
|
377
|
+
metadata: opts.metadata
|
|
378
|
+
}),
|
|
379
|
+
raw
|
|
380
|
+
};
|
|
381
|
+
},
|
|
382
|
+
verify: async (ctx, rawKey) => {
|
|
383
|
+
const hashedKey = await hashApiKey(rawKey);
|
|
384
|
+
const doc = await ctx.runQuery(config.component.public.keyGetByHashedKey, { hashedKey });
|
|
385
|
+
return Fx.run(Fx.gen(function* () {
|
|
386
|
+
yield* Fx.guard(!doc, Fx.fail(new AuthError("INVALID_API_KEY")));
|
|
387
|
+
const k = doc;
|
|
388
|
+
yield* Fx.guard(k.revoked, Fx.fail(new AuthError("API_KEY_REVOKED")));
|
|
389
|
+
yield* Fx.guard(!!(k.expiresAt && k.expiresAt < Date.now()), Fx.fail(new AuthError("API_KEY_EXPIRED")));
|
|
390
|
+
const patchData = { lastUsedAt: Date.now() };
|
|
391
|
+
if (k.rateLimit) {
|
|
392
|
+
const { limited, newState } = checkKeyRateLimit(k.rateLimit, k.rateLimitState ?? void 0);
|
|
393
|
+
yield* Fx.guard(limited, Fx.fail(new AuthError("API_KEY_RATE_LIMITED")));
|
|
394
|
+
patchData.rateLimitState = newState;
|
|
395
|
+
}
|
|
396
|
+
yield* Fx.promise(() => ctx.runMutation(config.component.public.keyPatch, {
|
|
397
|
+
keyId: k._id,
|
|
398
|
+
data: patchData
|
|
399
|
+
}));
|
|
400
|
+
return {
|
|
401
|
+
userId: k.userId,
|
|
402
|
+
keyId: k._id,
|
|
403
|
+
scopes: buildScopeChecker(k.scopes)
|
|
404
|
+
};
|
|
405
|
+
}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
|
|
406
|
+
},
|
|
407
|
+
list: async (ctx, opts) => {
|
|
408
|
+
return await ctx.runQuery(config.component.public.keyList, {
|
|
409
|
+
where: opts?.where,
|
|
410
|
+
limit: opts?.limit,
|
|
411
|
+
cursor: opts?.cursor,
|
|
412
|
+
orderBy: opts?.orderBy,
|
|
413
|
+
order: opts?.order
|
|
414
|
+
});
|
|
415
|
+
},
|
|
416
|
+
get: async (ctx, keyId) => {
|
|
417
|
+
return await ctx.runQuery(config.component.public.keyGetById, { keyId });
|
|
418
|
+
},
|
|
419
|
+
update: async (ctx, keyId, data) => {
|
|
420
|
+
await ctx.runMutation(config.component.public.keyPatch, {
|
|
421
|
+
keyId,
|
|
422
|
+
data
|
|
423
|
+
});
|
|
424
|
+
},
|
|
425
|
+
revoke: async (ctx, keyId) => {
|
|
426
|
+
await ctx.runMutation(config.component.public.keyPatch, {
|
|
427
|
+
keyId,
|
|
428
|
+
data: { revoked: true }
|
|
429
|
+
});
|
|
430
|
+
},
|
|
431
|
+
remove: async (ctx, keyId) => {
|
|
432
|
+
await ctx.runMutation(config.component.public.keyDelete, { keyId });
|
|
433
|
+
},
|
|
434
|
+
rotate: async (ctx, keyId, opts) => {
|
|
435
|
+
const existing = await ctx.runQuery(config.component.public.keyGetById, { keyId });
|
|
436
|
+
if (!existing) throw new AuthError("INVALID_PARAMETERS", "API key not found.").toConvexError();
|
|
437
|
+
if (existing.revoked === true) throw new AuthError("API_KEY_REVOKED", "Cannot rotate a key that is already revoked.").toConvexError();
|
|
438
|
+
await ctx.runMutation(config.component.public.keyPatch, {
|
|
439
|
+
keyId,
|
|
440
|
+
data: { revoked: true }
|
|
441
|
+
});
|
|
442
|
+
return await key.create(ctx, {
|
|
443
|
+
userId: existing.userId,
|
|
444
|
+
name: opts?.name ?? existing.name,
|
|
445
|
+
scopes: existing.scopes ?? [],
|
|
446
|
+
rateLimit: existing.rateLimit,
|
|
447
|
+
expiresAt: opts?.expiresAt,
|
|
448
|
+
metadata: existing.metadata
|
|
449
|
+
});
|
|
450
|
+
}
|
|
451
|
+
};
|
|
452
|
+
return {
|
|
453
|
+
user,
|
|
454
|
+
session,
|
|
455
|
+
account,
|
|
456
|
+
provider,
|
|
457
|
+
group,
|
|
458
|
+
member,
|
|
459
|
+
invite,
|
|
460
|
+
key
|
|
461
|
+
};
|
|
462
|
+
}
|
|
463
|
+
|
|
464
|
+
//#endregion
|
|
465
|
+
export { createCoreDomains };
|
|
466
|
+
//# sourceMappingURL=core.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"core.js","names":[],"sources":["../../../../src/server/domains/core.ts"],"sourcesContent":["import { Auth, GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId } from \"convex/values\";\n\nimport { AuthError, Fx } from \"../fx\";\nimport {\n buildScopeChecker,\n checkKeyRateLimit,\n generateApiKey,\n hashApiKey,\n} from \"../keys\";\nimport { materializeProvider } from \"../providers\";\nimport { signInImpl } from \"../signin\";\nimport type {\n AuthProviderConfig,\n KeyDoc,\n KeyScope,\n ScopeChecker,\n UserOrderBy,\n UserWhere,\n} from \"../types\";\nimport {\n generateRandomString,\n sha256,\n TOKEN_SUB_CLAIM_DIVIDER,\n} from \"../utils\";\n\ntype ComponentCtx = Pick<\n GenericActionCtx<GenericDataModel>,\n \"runQuery\" | \"runMutation\"\n>;\ntype ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, \"runQuery\">;\ntype ComponentAuthReadCtx = ComponentReadCtx & { auth: Auth };\ntype AccountCredentials = { id: string; secret?: string };\ntype CreateAccountArgs = {\n provider: string;\n account: AccountCredentials;\n profile: Record<string, unknown>;\n shouldLinkViaEmail?: boolean;\n shouldLinkViaPhone?: boolean;\n};\ntype RetrieveAccountArgs = { provider: string; account: AccountCredentials };\ntype UpdateAccountCredentialsArgs = {\n provider: string;\n account: { id: string; secret: string };\n};\n\ntype CoreDeps = {\n config: any;\n getAuth: () => any;\n callInvalidateSessions: <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: { userId: GenericId<\"User\">; except?: GenericId<\"Session\">[] },\n ) => Promise<void>;\n callCreateAccountFromCredentials: <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: CreateAccountArgs,\n ) => Promise<any>;\n callRetrieveAccountWithCredentials: <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: RetrieveAccountArgs,\n ) => Promise<any>;\n callModifyAccount: <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: UpdateAccountCredentialsArgs,\n ) => Promise<void>;\n getEnrichCtx: () => <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n ) => any;\n inviteTokenAlphabet: string;\n inviteTokenLength: number;\n};\n\n/**\n * Build the core auth domains that back the canonical app API surface.\n */\nexport function createCoreDomains(deps: CoreDeps) {\n const {\n config,\n getAuth,\n callInvalidateSessions,\n callCreateAccountFromCredentials,\n callRetrieveAccountWithCredentials,\n callModifyAccount,\n getEnrichCtx,\n inviteTokenAlphabet,\n inviteTokenLength,\n } = deps;\n\n const user = {\n current: async (\n ctx: { auth: Auth } & Partial<ComponentCtx>,\n request?: Request,\n ): Promise<string | null> => {\n const identity = await ctx.auth.getUserIdentity();\n if (identity !== null) {\n const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n return userId;\n }\n if (request !== undefined && \"runMutation\" in ctx && ctx.runMutation) {\n const authHeader = request.headers.get(\"Authorization\");\n if (authHeader?.startsWith(\"Bearer sk_\")) {\n const rawKey = authHeader.slice(7);\n try {\n const result = await getAuth().key.verify(\n ctx as ComponentCtx,\n rawKey,\n );\n return result.userId;\n } catch {\n return null;\n }\n }\n }\n return null;\n },\n require: async (\n ctx: { auth: Auth } & Partial<ComponentCtx>,\n request?: Request,\n ): Promise<string> => {\n const userId = await user.current(ctx, request);\n if (userId === null) {\n throw new AuthError(\"NOT_SIGNED_IN\").toConvexError();\n }\n return userId;\n },\n get: async (ctx: ComponentReadCtx, userId: string) => {\n return await ctx.runQuery(config.component.public.userGetById, {\n userId,\n });\n },\n list: async (\n ctx: ComponentReadCtx,\n opts: {\n where?: UserWhere;\n limit?: number;\n cursor?: string | null;\n orderBy?: UserOrderBy;\n order?: \"asc\" | \"desc\";\n } = {},\n ) => {\n return await ctx.runQuery(config.component.public.userList, opts);\n },\n viewer: async (ctx: ComponentAuthReadCtx) => {\n const userId = await user.current(ctx);\n if (userId === null) return null;\n return await ctx.runQuery(config.component.public.userGetById, {\n userId,\n });\n },\n patch: async (\n ctx: ComponentCtx,\n userId: string,\n data: Record<string, unknown>,\n ) => {\n await ctx.runMutation(config.component.public.userPatch, {\n userId,\n data,\n });\n },\n setActiveGroup: async (\n ctx: ComponentCtx,\n opts: { userId: string; groupId: string | null },\n ) => {\n const doc = await user.get(ctx, opts.userId);\n const existingExtend =\n doc !== null &&\n doc.extend !== null &&\n typeof doc.extend === \"object\" &&\n !Array.isArray(doc.extend)\n ? { ...(doc.extend as Record<string, unknown>) }\n : {};\n if (opts.groupId === null) {\n const { lastActiveGroup: _omit, ...rest } = existingExtend;\n await user.patch(ctx, opts.userId, { extend: rest });\n return;\n }\n await user.patch(ctx, opts.userId, {\n extend: { ...existingExtend, lastActiveGroup: opts.groupId },\n });\n },\n getActiveGroup: async (\n ctx: ComponentReadCtx,\n opts: { userId: string },\n ): Promise<string | null> => {\n const doc = await user.get(ctx, opts.userId);\n if (\n doc !== null &&\n doc.extend !== null &&\n typeof doc.extend === \"object\" &&\n !Array.isArray(doc.extend)\n ) {\n const val = (doc.extend as Record<string, unknown>).lastActiveGroup;\n if (typeof val === \"string\") return val;\n }\n return null;\n },\n remove: async (\n ctx: ComponentCtx,\n userId: string,\n opts?: { cascade?: boolean },\n ): Promise<void> => {\n const cascade = opts?.cascade !== false;\n const [sessions, accounts, keys, members, passkeys, totps] =\n await Promise.all([\n ctx.runQuery(config.component.public.sessionListByUser, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ctx.runQuery(config.component.public.accountListByUser, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ctx.runQuery(config.component.public.keyListByUserId, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ctx.runQuery(config.component.public.memberListByUser, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ctx.runQuery(config.component.public.passkeyListByUserId, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ctx.runQuery(config.component.public.totpListByUserId, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ]);\n const totalLinked =\n sessions.length +\n accounts.length +\n keys.length +\n members.length +\n passkeys.length +\n totps.length;\n if (!cascade && totalLinked > 0) {\n throw new AuthError(\n \"INVALID_PARAMETERS\",\n `Cannot delete user with ${totalLinked} linked records. Pass { cascade: true } to delete all linked records, or remove them manually first.`,\n ).toConvexError();\n }\n const deletions: Promise<unknown>[] = [];\n for (const s of sessions)\n deletions.push(\n ctx.runMutation(config.component.public.sessionDelete, {\n sessionId: s._id,\n }),\n );\n for (const a of accounts)\n deletions.push(\n ctx.runMutation(config.component.public.accountDelete, {\n accountId: a._id,\n }),\n );\n for (const k of keys)\n deletions.push(\n ctx.runMutation(config.component.public.keyDelete, { keyId: k._id }),\n );\n for (const m of members)\n deletions.push(\n ctx.runMutation(config.component.public.memberRemove, {\n memberId: m._id,\n }),\n );\n for (const p of passkeys)\n deletions.push(\n ctx.runMutation(config.component.public.passkeyDelete, {\n passkeyId: p._id,\n }),\n );\n for (const t of totps)\n deletions.push(\n ctx.runMutation(config.component.public.totpDelete, {\n totpId: t._id,\n }),\n );\n await Promise.all(deletions);\n await ctx.runMutation(config.component.public.userDelete, { userId });\n },\n };\n\n const session = {\n current: async (ctx: { auth: Auth }) => {\n const identity = await ctx.auth.getUserIdentity();\n if (identity === null) return null;\n const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n return sessionId as GenericId<\"Session\">;\n },\n invalidate: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: { userId: GenericId<\"User\">; except?: GenericId<\"Session\">[] },\n ) => callInvalidateSessions(ctx, args),\n get: async (ctx: ComponentReadCtx, sessionId: string) => {\n return await ctx.runQuery(config.component.public.sessionGetById, {\n sessionId,\n });\n },\n list: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n return await ctx.runQuery(config.component.public.sessionListByUser, {\n userId: opts.userId,\n });\n },\n };\n\n const account = {\n create: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: CreateAccountArgs,\n ) => {\n return await callCreateAccountFromCredentials(ctx, args);\n },\n get: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: RetrieveAccountArgs,\n ) => {\n const result = await callRetrieveAccountWithCredentials(ctx, args);\n if (typeof result === \"string\") {\n throw new AuthError(\"ACCOUNT_NOT_FOUND\", result).toConvexError();\n }\n return result;\n },\n update: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: UpdateAccountCredentialsArgs,\n ): Promise<void> => {\n return await callModifyAccount(ctx, args);\n },\n remove: async (ctx: ComponentCtx, accountId: string): Promise<void> => {\n const doc = await ctx.runQuery(config.component.public.accountGetById, {\n accountId,\n });\n if (doc === null) {\n throw new AuthError(\n \"ACCOUNT_NOT_FOUND\",\n \"Account not found.\",\n ).toConvexError();\n }\n const allAccounts = (await ctx.runQuery(\n config.component.public.accountListByUser,\n { userId: (doc as any).userId },\n )) as Array<{ _id: string }>;\n if (allAccounts.length <= 1) {\n throw new AuthError(\n \"INVALID_PARAMETERS\",\n \"Cannot unlink the user's only account. This would lock them out.\",\n ).toConvexError();\n }\n await ctx.runMutation(config.component.public.accountDelete, {\n accountId,\n });\n },\n listPasskeys: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n return await ctx.runQuery(\n config.component.public.passkeyListByUserId,\n opts,\n );\n },\n renamePasskey: async (\n ctx: ComponentCtx,\n passkeyId: string,\n name: string,\n ) => {\n await ctx.runMutation(config.component.public.passkeyUpdateMeta, {\n passkeyId,\n data: { name },\n });\n },\n removePasskey: async (ctx: ComponentCtx, passkeyId: string) => {\n await ctx.runMutation(config.component.public.passkeyDelete, {\n passkeyId,\n });\n },\n listTotps: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n return await ctx.runQuery(config.component.public.totpListByUserId, opts);\n },\n removeTotp: async (ctx: ComponentCtx, totpId: string) => {\n await ctx.runMutation(config.component.public.totpDelete, { totpId });\n },\n };\n\n const provider = {\n signIn: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n providerConfig: AuthProviderConfig,\n args: {\n accountId?: GenericId<\"Account\">;\n params?: Record<string, unknown>;\n },\n ) => {\n const result = await signInImpl(\n getEnrichCtx()(ctx),\n materializeProvider(providerConfig),\n args as {\n accountId?: GenericId<\"Account\">;\n params?: Record<string, any>;\n },\n { generateTokens: false, allowExtraProviders: true },\n );\n return result.kind === \"signedIn\"\n ? result.signedIn !== null\n ? {\n userId: result.signedIn.userId,\n sessionId: result.signedIn.sessionId,\n }\n : null\n : null;\n },\n };\n\n const group = {\n create: async (\n ctx: ComponentCtx,\n data: {\n name: string;\n slug?: string;\n type?: string;\n parentGroupId?: string;\n tags?: Array<{ key: string; value: string }>;\n extend?: Record<string, unknown>;\n },\n ): Promise<string> => {\n return (await ctx.runMutation(\n config.component.public.groupCreate,\n data,\n )) as string;\n },\n get: async (ctx: ComponentReadCtx, groupId: string) => {\n return await ctx.runQuery(config.component.public.groupGet, { groupId });\n },\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n slug?: string;\n type?: string;\n parentGroupId?: string;\n name?: string;\n isRoot?: boolean;\n tagsAll?: Array<{ key: string; value: string }>;\n tagsAny?: Array<{ key: string; value: string }>;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?: \"_creationTime\" | \"name\" | \"slug\" | \"type\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.groupList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n update: async (\n ctx: ComponentCtx,\n groupId: string,\n data: Record<string, unknown>,\n ) => {\n await ctx.runMutation(config.component.public.groupUpdate, {\n groupId,\n data,\n });\n },\n delete: async (ctx: ComponentCtx, groupId: string) => {\n await ctx.runMutation(config.component.public.groupDelete, { groupId });\n },\n ancestors: async (\n ctx: ComponentReadCtx,\n opts: { groupId: string; maxDepth?: number; includeSelf?: boolean },\n ) => {\n const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));\n const visited = new Set<string>();\n const ancestors: any[] = [];\n let cycleDetected = false;\n let maxDepthReached = false;\n let currentGroupId: string | undefined = opts.groupId;\n let depth = 0;\n let isFirst = true;\n while (currentGroupId !== undefined) {\n if (depth > maxDepth) {\n maxDepthReached = true;\n break;\n }\n if (visited.has(currentGroupId)) {\n cycleDetected = true;\n break;\n }\n visited.add(currentGroupId);\n const doc = await group.get(ctx, currentGroupId);\n if (doc === null) break;\n if (isFirst) {\n isFirst = false;\n if (opts.includeSelf) ancestors.push(doc);\n currentGroupId = doc.parentGroupId;\n depth += 1;\n continue;\n }\n ancestors.push(doc);\n currentGroupId = doc.parentGroupId;\n depth += 1;\n }\n return { ancestors, cycleDetected, maxDepthReached };\n },\n };\n\n const member = {\n add: async (\n ctx: ComponentCtx,\n data: {\n groupId: string;\n userId: string;\n role?: string;\n status?: string;\n extend?: Record<string, unknown>;\n },\n ): Promise<string> => {\n return (await ctx.runMutation(\n config.component.public.memberAdd,\n data,\n )) as string;\n },\n get: async (ctx: ComponentReadCtx, memberId: string) => {\n return await ctx.runQuery(config.component.public.memberGet, {\n memberId,\n });\n },\n getByUserAndGroup: async (\n ctx: ComponentReadCtx,\n opts: { userId: string; groupId: string },\n ) => {\n return await ctx.runQuery(\n config.component.public.memberGetByGroupAndUser,\n opts,\n );\n },\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n groupId?: string;\n userId?: string;\n role?: string;\n status?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?: \"_creationTime\" | \"role\" | \"status\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.memberList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n remove: async (ctx: ComponentCtx, memberId: string) => {\n await ctx.runMutation(config.component.public.memberRemove, { memberId });\n },\n update: async (\n ctx: ComponentCtx,\n memberId: string,\n data: Record<string, unknown>,\n ) => {\n await ctx.runMutation(config.component.public.memberUpdate, {\n memberId,\n data,\n });\n },\n inherit: async (\n ctx: ComponentReadCtx,\n opts: {\n userId: string;\n groupId: string;\n roles?: string[];\n maxDepth?: number;\n },\n ) => {\n const roleFilter =\n opts.roles !== undefined && opts.roles.length > 0\n ? new Set(opts.roles)\n : null;\n const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));\n const visited = new Set<string>();\n const traversedGroupIds: string[] = [];\n let currentGroupId: string | undefined = opts.groupId;\n let depth = 0;\n let cycleDetected = false;\n let maxDepthReached = false;\n while (currentGroupId !== undefined) {\n if (depth > maxDepth) {\n maxDepthReached = true;\n break;\n }\n if (visited.has(currentGroupId)) {\n cycleDetected = true;\n break;\n }\n visited.add(currentGroupId);\n traversedGroupIds.push(currentGroupId);\n const membership = await member.getByUserAndGroup(ctx, {\n userId: opts.userId,\n groupId: currentGroupId,\n });\n if (\n membership !== null &&\n (roleFilter === null || roleFilter.has(membership.role))\n ) {\n return {\n requestedGroupId: opts.groupId,\n matchedGroupId: currentGroupId,\n membership,\n depth,\n isDirect: depth === 0,\n isInherited: depth > 0,\n traversedGroupIds,\n cycleDetected: false,\n maxDepthReached: false,\n };\n }\n const doc = await group.get(ctx, currentGroupId);\n if (doc === null || doc.parentGroupId === undefined) break;\n currentGroupId = doc.parentGroupId;\n depth += 1;\n }\n return {\n requestedGroupId: opts.groupId,\n matchedGroupId: null,\n membership: null,\n depth: null,\n isDirect: false,\n isInherited: false,\n traversedGroupIds,\n cycleDetected,\n maxDepthReached,\n };\n },\n require: async (\n ctx: ComponentReadCtx,\n opts: {\n userId: string;\n groupId: string;\n roles?: string[];\n maxDepth?: number;\n },\n ) => {\n const result = await member.inherit(ctx, opts);\n if (result.membership === null) {\n throw new AuthError(\n \"FORBIDDEN\",\n `User ${opts.userId} has no membership on group ${opts.groupId} or its ancestors.`,\n ).toConvexError();\n }\n return {\n membership: result.membership,\n matchedGroupId: result.matchedGroupId,\n isDirect: result.isDirect,\n isInherited: result.isInherited,\n depth: result.depth,\n };\n },\n };\n\n const invite = {\n create: async (\n ctx: ComponentCtx,\n data: {\n groupId?: string;\n invitedByUserId?: string;\n email?: string;\n role?: string;\n expiresTime?: number;\n extend?: Record<string, unknown>;\n },\n ): Promise<{ inviteId: string; token: string }> => {\n const token = generateRandomString(\n inviteTokenLength,\n inviteTokenAlphabet,\n );\n const tokenHash = await sha256(token);\n const inviteId = (await ctx.runMutation(\n config.component.public.inviteCreate,\n { ...data, tokenHash, status: \"pending\" },\n )) as string;\n return { inviteId, token };\n },\n get: async (ctx: ComponentReadCtx, inviteId: string) => {\n return await ctx.runQuery(config.component.public.inviteGet, {\n inviteId,\n });\n },\n token: {\n get: async (ctx: ComponentReadCtx, token: string) => {\n const tokenHash = await sha256(token);\n return await ctx.runQuery(\n config.component.public.inviteGetByTokenHash,\n { tokenHash },\n );\n },\n accept: async (\n ctx: ComponentCtx,\n args: { token: string; acceptedByUserId: string },\n ) => {\n const tokenHash = await sha256(args.token);\n return await ctx.runMutation(\n config.component.public.inviteAcceptByToken,\n { tokenHash, acceptedByUserId: args.acceptedByUserId },\n );\n },\n },\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n tokenHash?: string;\n groupId?: string;\n status?: \"pending\" | \"accepted\" | \"revoked\" | \"expired\";\n email?: string;\n invitedByUserId?: string;\n role?: string;\n acceptedByUserId?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?:\n | \"_creationTime\"\n | \"status\"\n | \"email\"\n | \"expiresTime\"\n | \"acceptedTime\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.inviteList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n accept: async (\n ctx: ComponentCtx,\n inviteId: string,\n acceptedByUserId?: string,\n ) => {\n await ctx.runMutation(config.component.public.inviteAccept, {\n inviteId,\n ...(acceptedByUserId ? { acceptedByUserId } : {}),\n });\n },\n revoke: async (ctx: ComponentCtx, inviteId: string) => {\n await ctx.runMutation(config.component.public.inviteRevoke, { inviteId });\n },\n };\n\n const key = {\n create: async (\n ctx: ComponentCtx,\n opts: {\n userId: string;\n name: string;\n scopes: KeyScope[];\n rateLimit?: { maxRequests: number; windowMs: number };\n expiresAt?: number;\n metadata?: Record<string, unknown>;\n },\n ): Promise<{ keyId: string; raw: string }> => {\n const { raw, hashedKey, displayPrefix } = await generateApiKey(\"sk_\");\n const keyId = (await ctx.runMutation(config.component.public.keyInsert, {\n userId: opts.userId,\n prefix: displayPrefix,\n hashedKey,\n name: opts.name,\n scopes: opts.scopes,\n rateLimit: opts.rateLimit,\n expiresAt: opts.expiresAt,\n metadata: opts.metadata,\n })) as string;\n return { keyId, raw };\n },\n verify: async (\n ctx: ComponentCtx,\n rawKey: string,\n ): Promise<{ userId: string; keyId: string; scopes: ScopeChecker }> => {\n const hashedKey = await hashApiKey(rawKey);\n const doc = (await ctx.runQuery(\n config.component.public.keyGetByHashedKey,\n { hashedKey },\n )) as KeyDoc | null;\n return Fx.run(\n Fx.gen(function* () {\n yield* Fx.guard(!doc, Fx.fail(new AuthError(\"INVALID_API_KEY\")));\n const k = doc!;\n yield* Fx.guard(k.revoked, Fx.fail(new AuthError(\"API_KEY_REVOKED\")));\n yield* Fx.guard(\n !!(k.expiresAt && k.expiresAt < Date.now()),\n Fx.fail(new AuthError(\"API_KEY_EXPIRED\")),\n );\n const patchData: Record<string, unknown> = { lastUsedAt: Date.now() };\n if (k.rateLimit) {\n const { limited, newState } = checkKeyRateLimit(\n k.rateLimit,\n k.rateLimitState ?? undefined,\n );\n yield* Fx.guard(\n limited,\n Fx.fail(new AuthError(\"API_KEY_RATE_LIMITED\")),\n );\n patchData.rateLimitState = newState;\n }\n yield* Fx.promise(() =>\n ctx.runMutation(config.component.public.keyPatch, {\n keyId: k._id,\n data: patchData,\n }),\n );\n return {\n userId: k.userId,\n keyId: k._id,\n scopes: buildScopeChecker(k.scopes),\n };\n }).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))),\n );\n },\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n userId?: string;\n revoked?: boolean;\n name?: string;\n prefix?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?:\n | \"_creationTime\"\n | \"name\"\n | \"lastUsedAt\"\n | \"expiresAt\"\n | \"revoked\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.keyList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n get: async (\n ctx: ComponentReadCtx,\n keyId: string,\n ): Promise<KeyDoc | null> => {\n return (await ctx.runQuery(config.component.public.keyGetById, {\n keyId,\n })) as KeyDoc | null;\n },\n update: async (\n ctx: ComponentCtx,\n keyId: string,\n data: {\n name?: string;\n scopes?: KeyScope[];\n rateLimit?: { maxRequests: number; windowMs: number };\n },\n ) => {\n await ctx.runMutation(config.component.public.keyPatch, { keyId, data });\n },\n revoke: async (ctx: ComponentCtx, keyId: string) => {\n await ctx.runMutation(config.component.public.keyPatch, {\n keyId,\n data: { revoked: true },\n });\n },\n remove: async (ctx: ComponentCtx, keyId: string) => {\n await ctx.runMutation(config.component.public.keyDelete, { keyId });\n },\n rotate: async (\n ctx: ComponentCtx,\n keyId: string,\n opts?: { name?: string; expiresAt?: number },\n ): Promise<{ keyId: string; raw: string }> => {\n const existing = await ctx.runQuery(config.component.public.keyGetById, {\n keyId,\n });\n if (!existing)\n throw new AuthError(\n \"INVALID_PARAMETERS\",\n \"API key not found.\",\n ).toConvexError();\n if ((existing as any).revoked === true) {\n throw new AuthError(\n \"API_KEY_REVOKED\",\n \"Cannot rotate a key that is already revoked.\",\n ).toConvexError();\n }\n await ctx.runMutation(config.component.public.keyPatch, {\n keyId,\n data: { revoked: true },\n });\n return await key.create(ctx, {\n userId: (existing as any).userId,\n name: opts?.name ?? (existing as any).name,\n scopes: (existing as any).scopes ?? [],\n rateLimit: (existing as any).rateLimit,\n expiresAt: opts?.expiresAt,\n metadata: (existing as any).metadata,\n });\n },\n };\n\n return { user, session, account, provider, group, member, invite, key };\n}\n"],"mappings":";;;;;;;;;;AA2EA,SAAgB,kBAAkB,MAAgB;CAChD,MAAM,EACJ,QACA,SACA,wBACA,kCACA,oCACA,mBACA,cACA,qBACA,sBACE;CAEJ,MAAM,OAAO;EACX,SAAS,OACP,KACA,YAC2B;GAC3B,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,OAAI,aAAa,MAAM;IACrB,MAAM,CAAC,UAAU,SAAS,QAAQ,MAAM,wBAAwB;AAChE,WAAO;;AAET,OAAI,YAAY,UAAa,iBAAiB,OAAO,IAAI,aAAa;IACpE,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,QAAI,YAAY,WAAW,aAAa,EAAE;KACxC,MAAM,SAAS,WAAW,MAAM,EAAE;AAClC,SAAI;AAKF,cAJe,MAAM,SAAS,CAAC,IAAI,OACjC,KACA,OACD,EACa;aACR;AACN,aAAO;;;;AAIb,UAAO;;EAET,SAAS,OACP,KACA,YACoB;GACpB,MAAM,SAAS,MAAM,KAAK,QAAQ,KAAK,QAAQ;AAC/C,OAAI,WAAW,KACb,OAAM,IAAI,UAAU,gBAAgB,CAAC,eAAe;AAEtD,UAAO;;EAET,KAAK,OAAO,KAAuB,WAAmB;AACpD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,aAAa,EAC7D,QACD,CAAC;;EAEJ,MAAM,OACJ,KACA,OAMI,EAAE,KACH;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,UAAU,KAAK;;EAEnE,QAAQ,OAAO,QAA8B;GAC3C,MAAM,SAAS,MAAM,KAAK,QAAQ,IAAI;AACtC,OAAI,WAAW,KAAM,QAAO;AAC5B,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,aAAa,EAC7D,QACD,CAAC;;EAEJ,OAAO,OACL,KACA,QACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;IACvD;IACA;IACD,CAAC;;EAEJ,gBAAgB,OACd,KACA,SACG;GACH,MAAM,MAAM,MAAM,KAAK,IAAI,KAAK,KAAK,OAAO;GAC5C,MAAM,iBACJ,QAAQ,QACR,IAAI,WAAW,QACf,OAAO,IAAI,WAAW,YACtB,CAAC,MAAM,QAAQ,IAAI,OAAO,GACtB,EAAE,GAAI,IAAI,QAAoC,GAC9C,EAAE;AACR,OAAI,KAAK,YAAY,MAAM;IACzB,MAAM,EAAE,iBAAiB,OAAO,GAAG,SAAS;AAC5C,UAAM,KAAK,MAAM,KAAK,KAAK,QAAQ,EAAE,QAAQ,MAAM,CAAC;AACpD;;AAEF,SAAM,KAAK,MAAM,KAAK,KAAK,QAAQ,EACjC,QAAQ;IAAE,GAAG;IAAgB,iBAAiB,KAAK;IAAS,EAC7D,CAAC;;EAEJ,gBAAgB,OACd,KACA,SAC2B;GAC3B,MAAM,MAAM,MAAM,KAAK,IAAI,KAAK,KAAK,OAAO;AAC5C,OACE,QAAQ,QACR,IAAI,WAAW,QACf,OAAO,IAAI,WAAW,YACtB,CAAC,MAAM,QAAQ,IAAI,OAAO,EAC1B;IACA,MAAM,MAAO,IAAI,OAAmC;AACpD,QAAI,OAAO,QAAQ,SAAU,QAAO;;AAEtC,UAAO;;EAET,QAAQ,OACN,KACA,QACA,SACkB;GAClB,MAAM,UAAU,MAAM,YAAY;GAClC,MAAM,CAAC,UAAU,UAAU,MAAM,SAAS,UAAU,SAClD,MAAM,QAAQ,IAAI;IAChB,IAAI,SAAS,OAAO,UAAU,OAAO,mBAAmB,EACtD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,mBAAmB,EACtD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,iBAAiB,EACpD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,kBAAkB,EACrD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,qBAAqB,EACxD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,kBAAkB,EACrD,QACD,CAAC;IACH,CAAC;GACJ,MAAM,cACJ,SAAS,SACT,SAAS,SACT,KAAK,SACL,QAAQ,SACR,SAAS,SACT,MAAM;AACR,OAAI,CAAC,WAAW,cAAc,EAC5B,OAAM,IAAI,UACR,sBACA,2BAA2B,YAAY,sGACxC,CAAC,eAAe;GAEnB,MAAM,YAAgC,EAAE;AACxC,QAAK,MAAM,KAAK,SACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EACrD,WAAW,EAAE,KACd,CAAC,CACH;AACH,QAAK,MAAM,KAAK,SACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EACrD,WAAW,EAAE,KACd,CAAC,CACH;AACH,QAAK,MAAM,KAAK,KACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW,EAAE,OAAO,EAAE,KAAK,CAAC,CACrE;AACH,QAAK,MAAM,KAAK,QACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EACpD,UAAU,EAAE,KACb,CAAC,CACH;AACH,QAAK,MAAM,KAAK,SACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EACrD,WAAW,EAAE,KACd,CAAC,CACH;AACH,QAAK,MAAM,KAAK,MACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,YAAY,EAClD,QAAQ,EAAE,KACX,CAAC,CACH;AACH,SAAM,QAAQ,IAAI,UAAU;AAC5B,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,YAAY,EAAE,QAAQ,CAAC;;EAExE;CAED,MAAM,UAAU;EACd,SAAS,OAAO,QAAwB;GACtC,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,OAAI,aAAa,KAAM,QAAO;GAC9B,MAAM,GAAG,aAAa,SAAS,QAAQ,MAAM,wBAAwB;AACrE,UAAO;;EAET,YAAY,OACV,KACA,SACG,uBAAuB,KAAK,KAAK;EACtC,KAAK,OAAO,KAAuB,cAAsB;AACvD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,gBAAgB,EAChE,WACD,CAAC;;EAEJ,MAAM,OAAO,KAAuB,SAA6B;AAC/D,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,mBAAmB,EACnE,QAAQ,KAAK,QACd,CAAC;;EAEL;CAED,MAAM,UAAU;EACd,QAAQ,OACN,KACA,SACG;AACH,UAAO,MAAM,iCAAiC,KAAK,KAAK;;EAE1D,KAAK,OACH,KACA,SACG;GACH,MAAM,SAAS,MAAM,mCAAmC,KAAK,KAAK;AAClE,OAAI,OAAO,WAAW,SACpB,OAAM,IAAI,UAAU,qBAAqB,OAAO,CAAC,eAAe;AAElE,UAAO;;EAET,QAAQ,OACN,KACA,SACkB;AAClB,UAAO,MAAM,kBAAkB,KAAK,KAAK;;EAE3C,QAAQ,OAAO,KAAmB,cAAqC;GACrE,MAAM,MAAM,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,gBAAgB,EACrE,WACD,CAAC;AACF,OAAI,QAAQ,KACV,OAAM,IAAI,UACR,qBACA,qBACD,CAAC,eAAe;AAMnB,QAJqB,MAAM,IAAI,SAC7B,OAAO,UAAU,OAAO,mBACxB,EAAE,QAAS,IAAY,QAAQ,CAChC,EACe,UAAU,EACxB,OAAM,IAAI,UACR,sBACA,mEACD,CAAC,eAAe;AAEnB,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EAC3D,WACD,CAAC;;EAEJ,cAAc,OAAO,KAAuB,SAA6B;AACvE,UAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,qBACxB,KACD;;EAEH,eAAe,OACb,KACA,WACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,mBAAmB;IAC/D;IACA,MAAM,EAAE,MAAM;IACf,CAAC;;EAEJ,eAAe,OAAO,KAAmB,cAAsB;AAC7D,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EAC3D,WACD,CAAC;;EAEJ,WAAW,OAAO,KAAuB,SAA6B;AACpE,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,kBAAkB,KAAK;;EAE3E,YAAY,OAAO,KAAmB,WAAmB;AACvD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,YAAY,EAAE,QAAQ,CAAC;;EAExE;CAED,MAAM,WAAW,EACf,QAAQ,OACN,KACA,gBACA,SAIG;EACH,MAAM,SAAS,MAAM,WACnB,cAAc,CAAC,IAAI,EACnB,oBAAoB,eAAe,EACnC,MAIA;GAAE,gBAAgB;GAAO,qBAAqB;GAAM,CACrD;AACD,SAAO,OAAO,SAAS,aACnB,OAAO,aAAa,OAClB;GACE,QAAQ,OAAO,SAAS;GACxB,WAAW,OAAO,SAAS;GAC5B,GACD,OACF;IAEP;CAED,MAAM,QAAQ;EACZ,QAAQ,OACN,KACA,SAQoB;AACpB,UAAQ,MAAM,IAAI,YAChB,OAAO,UAAU,OAAO,aACxB,KACD;;EAEH,KAAK,OAAO,KAAuB,YAAoB;AACrD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,UAAU,EAAE,SAAS,CAAC;;EAE1E,MAAM,OACJ,KACA,SAeG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW;IAC3D,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAEJ,QAAQ,OACN,KACA,SACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,aAAa;IACzD;IACA;IACD,CAAC;;EAEJ,QAAQ,OAAO,KAAmB,YAAoB;AACpD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,aAAa,EAAE,SAAS,CAAC;;EAEzE,WAAW,OACT,KACA,SACG;GACH,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,YAAY,GAAG,CAAC;GAC7D,MAAM,0BAAU,IAAI,KAAa;GACjC,MAAM,YAAmB,EAAE;GAC3B,IAAI,gBAAgB;GACpB,IAAI,kBAAkB;GACtB,IAAI,iBAAqC,KAAK;GAC9C,IAAI,QAAQ;GACZ,IAAI,UAAU;AACd,UAAO,mBAAmB,QAAW;AACnC,QAAI,QAAQ,UAAU;AACpB,uBAAkB;AAClB;;AAEF,QAAI,QAAQ,IAAI,eAAe,EAAE;AAC/B,qBAAgB;AAChB;;AAEF,YAAQ,IAAI,eAAe;IAC3B,MAAM,MAAM,MAAM,MAAM,IAAI,KAAK,eAAe;AAChD,QAAI,QAAQ,KAAM;AAClB,QAAI,SAAS;AACX,eAAU;AACV,SAAI,KAAK,YAAa,WAAU,KAAK,IAAI;AACzC,sBAAiB,IAAI;AACrB,cAAS;AACT;;AAEF,cAAU,KAAK,IAAI;AACnB,qBAAiB,IAAI;AACrB,aAAS;;AAEX,UAAO;IAAE;IAAW;IAAe;IAAiB;;EAEvD;CAED,MAAM,SAAS;EACb,KAAK,OACH,KACA,SAOoB;AACpB,UAAQ,MAAM,IAAI,YAChB,OAAO,UAAU,OAAO,WACxB,KACD;;EAEH,KAAK,OAAO,KAAuB,aAAqB;AACtD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW,EAC3D,UACD,CAAC;;EAEJ,mBAAmB,OACjB,KACA,SACG;AACH,UAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,yBACxB,KACD;;EAEH,MAAM,OACJ,KACA,SAYG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY;IAC5D,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAEJ,QAAQ,OAAO,KAAmB,aAAqB;AACrD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EAAE,UAAU,CAAC;;EAE3E,QAAQ,OACN,KACA,UACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc;IAC1D;IACA;IACD,CAAC;;EAEJ,SAAS,OACP,KACA,SAMG;GACH,MAAM,aACJ,KAAK,UAAU,UAAa,KAAK,MAAM,SAAS,IAC5C,IAAI,IAAI,KAAK,MAAM,GACnB;GACN,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,YAAY,GAAG,CAAC;GAC7D,MAAM,0BAAU,IAAI,KAAa;GACjC,MAAM,oBAA8B,EAAE;GACtC,IAAI,iBAAqC,KAAK;GAC9C,IAAI,QAAQ;GACZ,IAAI,gBAAgB;GACpB,IAAI,kBAAkB;AACtB,UAAO,mBAAmB,QAAW;AACnC,QAAI,QAAQ,UAAU;AACpB,uBAAkB;AAClB;;AAEF,QAAI,QAAQ,IAAI,eAAe,EAAE;AAC/B,qBAAgB;AAChB;;AAEF,YAAQ,IAAI,eAAe;AAC3B,sBAAkB,KAAK,eAAe;IACtC,MAAM,aAAa,MAAM,OAAO,kBAAkB,KAAK;KACrD,QAAQ,KAAK;KACb,SAAS;KACV,CAAC;AACF,QACE,eAAe,SACd,eAAe,QAAQ,WAAW,IAAI,WAAW,KAAK,EAEvD,QAAO;KACL,kBAAkB,KAAK;KACvB,gBAAgB;KAChB;KACA;KACA,UAAU,UAAU;KACpB,aAAa,QAAQ;KACrB;KACA,eAAe;KACf,iBAAiB;KAClB;IAEH,MAAM,MAAM,MAAM,MAAM,IAAI,KAAK,eAAe;AAChD,QAAI,QAAQ,QAAQ,IAAI,kBAAkB,OAAW;AACrD,qBAAiB,IAAI;AACrB,aAAS;;AAEX,UAAO;IACL,kBAAkB,KAAK;IACvB,gBAAgB;IAChB,YAAY;IACZ,OAAO;IACP,UAAU;IACV,aAAa;IACb;IACA;IACA;IACD;;EAEH,SAAS,OACP,KACA,SAMG;GACH,MAAM,SAAS,MAAM,OAAO,QAAQ,KAAK,KAAK;AAC9C,OAAI,OAAO,eAAe,KACxB,OAAM,IAAI,UACR,aACA,QAAQ,KAAK,OAAO,8BAA8B,KAAK,QAAQ,oBAChE,CAAC,eAAe;AAEnB,UAAO;IACL,YAAY,OAAO;IACnB,gBAAgB,OAAO;IACvB,UAAU,OAAO;IACjB,aAAa,OAAO;IACpB,OAAO,OAAO;IACf;;EAEJ;CAED,MAAM,SAAS;EACb,QAAQ,OACN,KACA,SAQiD;GACjD,MAAM,QAAQ,qBACZ,mBACA,oBACD;GACD,MAAM,YAAY,MAAM,OAAO,MAAM;AAKrC,UAAO;IAAE,UAJS,MAAM,IAAI,YAC1B,OAAO,UAAU,OAAO,cACxB;KAAE,GAAG;KAAM;KAAW,QAAQ;KAAW,CAC1C;IACkB;IAAO;;EAE5B,KAAK,OAAO,KAAuB,aAAqB;AACtD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW,EAC3D,UACD,CAAC;;EAEJ,OAAO;GACL,KAAK,OAAO,KAAuB,UAAkB;IACnD,MAAM,YAAY,MAAM,OAAO,MAAM;AACrC,WAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,sBACxB,EAAE,WAAW,CACd;;GAEH,QAAQ,OACN,KACA,SACG;IACH,MAAM,YAAY,MAAM,OAAO,KAAK,MAAM;AAC1C,WAAO,MAAM,IAAI,YACf,OAAO,UAAU,OAAO,qBACxB;KAAE;KAAW,kBAAkB,KAAK;KAAkB,CACvD;;GAEJ;EACD,MAAM,OACJ,KACA,SAoBG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY;IAC5D,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAEJ,QAAQ,OACN,KACA,UACA,qBACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc;IAC1D;IACA,GAAI,mBAAmB,EAAE,kBAAkB,GAAG,EAAE;IACjD,CAAC;;EAEJ,QAAQ,OAAO,KAAmB,aAAqB;AACrD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EAAE,UAAU,CAAC;;EAE5E;CAED,MAAM,MAAM;EACV,QAAQ,OACN,KACA,SAQ4C;GAC5C,MAAM,EAAE,KAAK,WAAW,kBAAkB,MAAM,eAAe,MAAM;AAWrE,UAAO;IAAE,OAVM,MAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;KACtE,QAAQ,KAAK;KACb,QAAQ;KACR;KACA,MAAM,KAAK;KACX,QAAQ,KAAK;KACb,WAAW,KAAK;KAChB,WAAW,KAAK;KAChB,UAAU,KAAK;KAChB,CAAC;IACc;IAAK;;EAEvB,QAAQ,OACN,KACA,WACqE;GACrE,MAAM,YAAY,MAAM,WAAW,OAAO;GAC1C,MAAM,MAAO,MAAM,IAAI,SACrB,OAAO,UAAU,OAAO,mBACxB,EAAE,WAAW,CACd;AACD,UAAO,GAAG,IACR,GAAG,IAAI,aAAa;AAClB,WAAO,GAAG,MAAM,CAAC,KAAK,GAAG,KAAK,IAAI,UAAU,kBAAkB,CAAC,CAAC;IAChE,MAAM,IAAI;AACV,WAAO,GAAG,MAAM,EAAE,SAAS,GAAG,KAAK,IAAI,UAAU,kBAAkB,CAAC,CAAC;AACrE,WAAO,GAAG,MACR,CAAC,EAAE,EAAE,aAAa,EAAE,YAAY,KAAK,KAAK,GAC1C,GAAG,KAAK,IAAI,UAAU,kBAAkB,CAAC,CAC1C;IACD,MAAM,YAAqC,EAAE,YAAY,KAAK,KAAK,EAAE;AACrE,QAAI,EAAE,WAAW;KACf,MAAM,EAAE,SAAS,aAAa,kBAC5B,EAAE,WACF,EAAE,kBAAkB,OACrB;AACD,YAAO,GAAG,MACR,SACA,GAAG,KAAK,IAAI,UAAU,uBAAuB,CAAC,CAC/C;AACD,eAAU,iBAAiB;;AAE7B,WAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;KAChD,OAAO,EAAE;KACT,MAAM;KACP,CAAC,CACH;AACD,WAAO;KACL,QAAQ,EAAE;KACV,OAAO,EAAE;KACT,QAAQ,kBAAkB,EAAE,OAAO;KACpC;KACD,CAAC,KAAK,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CACxD;;EAEH,MAAM,OACJ,KACA,SAiBG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,SAAS;IACzD,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAEJ,KAAK,OACH,KACA,UAC2B;AAC3B,UAAQ,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY,EAC7D,OACD,CAAC;;EAEJ,QAAQ,OACN,KACA,OACA,SAKG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IAAE;IAAO;IAAM,CAAC;;EAE1E,QAAQ,OAAO,KAAmB,UAAkB;AAClD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IACtD;IACA,MAAM,EAAE,SAAS,MAAM;IACxB,CAAC;;EAEJ,QAAQ,OAAO,KAAmB,UAAkB;AAClD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW,EAAE,OAAO,CAAC;;EAErE,QAAQ,OACN,KACA,OACA,SAC4C;GAC5C,MAAM,WAAW,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY,EACtE,OACD,CAAC;AACF,OAAI,CAAC,SACH,OAAM,IAAI,UACR,sBACA,qBACD,CAAC,eAAe;AACnB,OAAK,SAAiB,YAAY,KAChC,OAAM,IAAI,UACR,mBACA,+CACD,CAAC,eAAe;AAEnB,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IACtD;IACA,MAAM,EAAE,SAAS,MAAM;IACxB,CAAC;AACF,UAAO,MAAM,IAAI,OAAO,KAAK;IAC3B,QAAS,SAAiB;IAC1B,MAAM,MAAM,QAAS,SAAiB;IACtC,QAAS,SAAiB,UAAU,EAAE;IACtC,WAAY,SAAiB;IAC7B,WAAW,MAAM;IACjB,UAAW,SAAiB;IAC7B,CAAC;;EAEL;AAED,QAAO;EAAE;EAAM;EAAS;EAAS;EAAU;EAAO;EAAQ;EAAQ;EAAK"}
|