@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.15

package/dist/server/index.d.ts

@@ -1,4 +1,435 @@
+import { AuthApi } from "./auth.js";
+import * as convex_server3 from "convex/server";
+
 //#region src/server/index.d.ts
+type EnterpriseAdminPermission = "sso.connection.create" | "sso.connection.read" | "sso.connection.manage" | "sso.domain.manage" | "sso.protocol.manage" | "sso.policy.manage" | "sso.audit.read" | "sso.webhook.manage" | "scim.manage";
+type EnterpriseAdminAuthorizationInput = {
+  userId: string;
+  permission: EnterpriseAdminPermission;
+  enterpriseId?: string;
+  groupId?: string;
+  resolvedGroupId: string | null;
+};
+type EnterpriseAuthorizer = (ctx: {
+  auth: convex_server3.Auth;
+}, input: EnterpriseAdminAuthorizationInput) => Promise<void>;
+type MountedEnterpriseOptions = {
+  authorized?: EnterpriseAuthorizer;
+};
+type EnterpriseMountOptions = {
+  authorized: EnterpriseAuthorizer;
+};
+/**
+ * Build optional public SSO management actions that apps can mount under
+ * `convex/auth/sso/**` when they want client-callable enterprise APIs.
+ *
+ * `admin` is for tenant-admin control-plane operations and should be mounted
+ * with an explicit authorization policy. `client` is for end-user sign-in
+ * helpers and does not require tenant-admin authorization.
+ */
+declare function sso(auth: Pick<AuthApi, "group" | "member" | "sso" | "user">, options?: MountedEnterpriseOptions): {
+  admin: {
+    connection: {
+      create: convex_server3.RegisteredMutation<"public", {
+        name?: string | undefined;
+        status?: "draft" | "active" | "disabled" | undefined;
+        slug?: string | undefined;
+        groupId?: string | undefined;
+        domain?: string | undefined;
+      }, Promise<{
+        enterpriseId: any;
+        groupId: any;
+      }>>;
+      get: convex_server3.RegisteredQuery<"public", {
+        enterpriseId: string;
+      }, Promise<any>>;
+      getByGroup: convex_server3.RegisteredQuery<"public", {
+        groupId: string;
+      }, Promise<any>>;
+      getByDomain: convex_server3.RegisteredQuery<"public", {
+        domain: string;
+      }, Promise<any>>;
+      list: convex_server3.RegisteredQuery<"public", {
+        limit?: number | undefined;
+        where?: {
+          status?: "draft" | "active" | "disabled" | undefined;
+          slug?: string | undefined;
+          groupId?: string | undefined;
+        } | undefined;
+        cursor?: string | null | undefined;
+        orderBy?: string | undefined;
+        order?: "asc" | "desc" | undefined;
+      }, Promise<any>>;
+      update: convex_server3.RegisteredMutation<"public", {
+        enterpriseId: string;
+        data: {
+          name?: string | undefined;
+          status?: "draft" | "active" | "disabled" | undefined;
+          slug?: string | undefined;
+        };
+      }, Promise<null>>;
+      delete: convex_server3.RegisteredMutation<"public", {
+        enterpriseId: string;
+      }, Promise<null>>;
+      status: convex_server3.RegisteredQuery<"public", {
+        enterpriseId: string;
+      }, Promise<any>>;
+      domain: {
+        list: convex_server3.RegisteredQuery<"public", {
+          enterpriseId: string;
+        }, Promise<any>>;
+        validate: convex_server3.RegisteredQuery<"public", {
+          enterpriseId: string;
+        }, Promise<any>>;
+        set: convex_server3.RegisteredMutation<"public", {
+          enterpriseId: string;
+          domains: {
+            isPrimary?: boolean | undefined;
+            verifiedAt?: number | undefined;
+            domain: string;
+          }[];
+        }, Promise<null>>;
+      };
+    };
+    oidc: {
+      configure: convex_server3.RegisteredMutation<"public", {
+        scopes?: string[] | undefined;
+        issuer?: string | undefined;
+        discoveryUrl?: string | undefined;
+        clientSecret?: string | undefined;
+        authorizationParams?: Record<string, string> | undefined;
+        clockToleranceSeconds?: number | undefined;
+        strictIssuer?: boolean | undefined;
+        extraFields?: Record<string, string> | undefined;
+        enterpriseId: string;
+        clientId: string;
+      }, Promise<any>>;
+      get: convex_server3.RegisteredQuery<"public", {
+        enterpriseId: string;
+      }, Promise<any>>;
+      validate: convex_server3.RegisteredAction<"public", {
+        enterpriseId: string;
+      }, Promise<any>>;
+    };
+    saml: {
+      configure: convex_server3.RegisteredAction<"public", {
+        domains?: string[] | undefined;
+        metadataXml?: string | undefined;
+        metadataUrl?: string | undefined;
+        signAuthnRequests?: boolean | undefined;
+        attributeMapping?: {
+          email?: string | undefined;
+          name?: string | undefined;
+          subject?: string | undefined;
+          firstName?: string | undefined;
+          lastName?: string | undefined;
+        } | undefined;
+        sp?: {
+          entityId?: string | undefined;
+          acsUrl?: string | undefined;
+          sloUrl?: string | undefined;
+          signingCert?: string | string[] | undefined;
+          encryptCert?: string | string[] | undefined;
+          privateKey?: string | undefined;
+          privateKeyPass?: string | undefined;
+          encPrivateKey?: string | undefined;
+          encPrivateKeyPass?: string | undefined;
+        } | undefined;
+        enterpriseId: string;
+      }, Promise<any>>;
+      validate: convex_server3.RegisteredQuery<"public", {
+        enterpriseId: string;
+      }, Promise<any>>;
+    };
+    policy: {
+      get: convex_server3.RegisteredQuery<"public", {
+        enterpriseId: string;
+      }, Promise<any>>;
+      update: convex_server3.RegisteredMutation<"public", {
+        enterpriseId: string;
+        patch: {
+          identity?: {
+            accountLinking?: {
+              oidc?: "verifiedEmail" | "none" | undefined;
+              saml?: "verifiedEmail" | "none" | undefined;
+            } | undefined;
+          } | undefined;
+          provisioning?: {
+            scimReuse?: {
+              user?: "none" | "externalId" | undefined;
+            } | undefined;
+            jit?: {
+              mode?: "off" | "createUser" | "createUserAndMembership" | undefined;
+              defaultRole?: string | undefined;
+            } | undefined;
+            deprovision?: {
+              mode?: "soft" | "hard" | undefined;
+            } | undefined;
+          } | undefined;
+        };
+      }, Promise<any>>;
+      validate: convex_server3.RegisteredQuery<"public", {
+        enterpriseId: string;
+      }, Promise<any>>;
+    };
+    audit: {
+      list: convex_server3.RegisteredQuery<"public", {
+        limit?: number | undefined;
+        groupId?: string | undefined;
+        enterpriseId?: string | undefined;
+      }, Promise<any>>;
+    };
+    webhook: {
+      endpoint: {
+        create: convex_server3.RegisteredMutation<"public", {
+          createdByUserId?: string | undefined;
+          secret: string;
+          enterpriseId: string;
+          url: string;
+          subscriptions: string[];
+        }, Promise<{
+          _id: any;
+          enterpriseId: string;
+          url: string;
+          subscriptions: string[];
+          createdByUserId: any;
+          status: string;
+          failureCount: number;
+        }>>;
+        list: convex_server3.RegisteredQuery<"public", {
+          enterpriseId: string;
+        }, Promise<any>>;
+        disable: convex_server3.RegisteredMutation<"public", {
+          endpointId: string;
+        }, Promise<null>>;
+      };
+    };
+  };
+  client: {
+    signIn: convex_server3.RegisteredQuery<"public", {
+      email?: string | undefined;
+      enterpriseId?: string | undefined;
+      domain?: string | undefined;
+      redirectTo?: string | undefined;
+    }, Promise<any>>;
+    metadata: convex_server3.RegisteredQuery<"public", {
+      entityId?: string | undefined;
+      acsUrl?: string | undefined;
+      sloUrl?: string | undefined;
+      enterpriseId: string;
+    }, Promise<any>>;
+  };
+};
+/**
+ * Build optional public SCIM management actions that apps can mount under
+ * `convex/auth/scim/**` when they want client-callable enterprise admin APIs.
+ */
+declare function scim(auth: Pick<AuthApi, "scim" | "sso" | "user">, options?: MountedEnterpriseOptions): {
+  admin: {
+    configure: convex_server3.RegisteredMutation<"public", {
+      status?: "draft" | "active" | "disabled" | undefined;
+      basePath?: string | undefined;
+      enterpriseId: string;
+    }, Promise<any>>;
+    get: convex_server3.RegisteredQuery<"public", {
+      enterpriseId: string;
+    }, Promise<any>>;
+    validate: convex_server3.RegisteredQuery<"public", {
+      enterpriseId: string;
+    }, Promise<any>>;
+  };
+};
+/**
+ * Build a flat mounted enterprise API surface for app-owned Convex exports.
+ *
+ * The returned object contains tenant-admin SSO and SCIM control-plane
+ * functions plus end-user enterprise sign-in helpers. The `authorized`
+ * callback is required for admin operations.
+ */
+declare function enterprise(auth: Pick<AuthApi, "group" | "member" | "scim" | "sso" | "user">, options: EnterpriseMountOptions): {
+  createConnection: convex_server3.RegisteredMutation<"public", {
+    name?: string | undefined;
+    status?: "draft" | "active" | "disabled" | undefined;
+    slug?: string | undefined;
+    groupId?: string | undefined;
+    domain?: string | undefined;
+  }, Promise<{
+    enterpriseId: any;
+    groupId: any;
+  }>>;
+  getConnection: convex_server3.RegisteredQuery<"public", {
+    enterpriseId: string;
+  }, Promise<any>>;
+  getConnectionByGroup: convex_server3.RegisteredQuery<"public", {
+    groupId: string;
+  }, Promise<any>>;
+  getConnectionByDomain: convex_server3.RegisteredQuery<"public", {
+    domain: string;
+  }, Promise<any>>;
+  listConnections: convex_server3.RegisteredQuery<"public", {
+    limit?: number | undefined;
+    where?: {
+      status?: "draft" | "active" | "disabled" | undefined;
+      slug?: string | undefined;
+      groupId?: string | undefined;
+    } | undefined;
+    cursor?: string | null | undefined;
+    orderBy?: string | undefined;
+    order?: "asc" | "desc" | undefined;
+  }, Promise<any>>;
+  updateConnection: convex_server3.RegisteredMutation<"public", {
+    enterpriseId: string;
+    data: {
+      name?: string | undefined;
+      status?: "draft" | "active" | "disabled" | undefined;
+      slug?: string | undefined;
+    };
+  }, Promise<null>>;
+  deleteConnection: convex_server3.RegisteredMutation<"public", {
+    enterpriseId: string;
+  }, Promise<null>>;
+  getConnectionStatus: convex_server3.RegisteredQuery<"public", {
+    enterpriseId: string;
+  }, Promise<any>>;
+  listDomains: convex_server3.RegisteredQuery<"public", {
+    enterpriseId: string;
+  }, Promise<any>>;
+  validateDomains: convex_server3.RegisteredQuery<"public", {
+    enterpriseId: string;
+  }, Promise<any>>;
+  setDomains: convex_server3.RegisteredMutation<"public", {
+    enterpriseId: string;
+    domains: {
+      isPrimary?: boolean | undefined;
+      verifiedAt?: number | undefined;
+      domain: string;
+    }[];
+  }, Promise<null>>;
+  configureOidc: convex_server3.RegisteredMutation<"public", {
+    scopes?: string[] | undefined;
+    issuer?: string | undefined;
+    discoveryUrl?: string | undefined;
+    clientSecret?: string | undefined;
+    authorizationParams?: Record<string, string> | undefined;
+    clockToleranceSeconds?: number | undefined;
+    strictIssuer?: boolean | undefined;
+    extraFields?: Record<string, string> | undefined;
+    enterpriseId: string;
+    clientId: string;
+  }, Promise<any>>;
+  getOidc: convex_server3.RegisteredQuery<"public", {
+    enterpriseId: string;
+  }, Promise<any>>;
+  validateOidc: convex_server3.RegisteredAction<"public", {
+    enterpriseId: string;
+  }, Promise<any>>;
+  configureSaml: convex_server3.RegisteredAction<"public", {
+    domains?: string[] | undefined;
+    metadataXml?: string | undefined;
+    metadataUrl?: string | undefined;
+    signAuthnRequests?: boolean | undefined;
+    attributeMapping?: {
+      email?: string | undefined;
+      name?: string | undefined;
+      subject?: string | undefined;
+      firstName?: string | undefined;
+      lastName?: string | undefined;
+    } | undefined;
+    sp?: {
+      entityId?: string | undefined;
+      acsUrl?: string | undefined;
+      sloUrl?: string | undefined;
+      signingCert?: string | string[] | undefined;
+      encryptCert?: string | string[] | undefined;
+      privateKey?: string | undefined;
+      privateKeyPass?: string | undefined;
+      encPrivateKey?: string | undefined;
+      encPrivateKeyPass?: string | undefined;
+    } | undefined;
+    enterpriseId: string;
+  }, Promise<any>>;
+  validateSaml: convex_server3.RegisteredQuery<"public", {
+    enterpriseId: string;
+  }, Promise<any>>;
+  getPolicy: convex_server3.RegisteredQuery<"public", {
+    enterpriseId: string;
+  }, Promise<any>>;
+  updatePolicy: convex_server3.RegisteredMutation<"public", {
+    enterpriseId: string;
+    patch: {
+      identity?: {
+        accountLinking?: {
+          oidc?: "verifiedEmail" | "none" | undefined;
+          saml?: "verifiedEmail" | "none" | undefined;
+        } | undefined;
+      } | undefined;
+      provisioning?: {
+        scimReuse?: {
+          user?: "none" | "externalId" | undefined;
+        } | undefined;
+        jit?: {
+          mode?: "off" | "createUser" | "createUserAndMembership" | undefined;
+          defaultRole?: string | undefined;
+        } | undefined;
+        deprovision?: {
+          mode?: "soft" | "hard" | undefined;
+        } | undefined;
+      } | undefined;
+    };
+  }, Promise<any>>;
+  validatePolicy: convex_server3.RegisteredQuery<"public", {
+    enterpriseId: string;
+  }, Promise<any>>;
+  listAudit: convex_server3.RegisteredQuery<"public", {
+    limit?: number | undefined;
+    groupId?: string | undefined;
+    enterpriseId?: string | undefined;
+  }, Promise<any>>;
+  createWebhookEndpoint: convex_server3.RegisteredMutation<"public", {
+    createdByUserId?: string | undefined;
+    secret: string;
+    enterpriseId: string;
+    url: string;
+    subscriptions: string[];
+  }, Promise<{
+    _id: any;
+    enterpriseId: string;
+    url: string;
+    subscriptions: string[];
+    createdByUserId: any;
+    status: string;
+    failureCount: number;
+  }>>;
+  listWebhookEndpoints: convex_server3.RegisteredQuery<"public", {
+    enterpriseId: string;
+  }, Promise<any>>;
+  disableWebhookEndpoint: convex_server3.RegisteredMutation<"public", {
+    endpointId: string;
+  }, Promise<null>>;
+  configureScim: convex_server3.RegisteredMutation<"public", {
+    status?: "draft" | "active" | "disabled" | undefined;
+    basePath?: string | undefined;
+    enterpriseId: string;
+  }, Promise<any>>;
+  getScim: convex_server3.RegisteredQuery<"public", {
+    enterpriseId: string;
+  }, Promise<any>>;
+  validateScim: convex_server3.RegisteredQuery<"public", {
+    enterpriseId: string;
+  }, Promise<any>>;
+  signIn: convex_server3.RegisteredQuery<"public", {
+    email?: string | undefined;
+    enterpriseId?: string | undefined;
+    domain?: string | undefined;
+    redirectTo?: string | undefined;
+  }, Promise<any>>;
+  metadata: convex_server3.RegisteredQuery<"public", {
+    entityId?: string | undefined;
+    acsUrl?: string | undefined;
+    sloUrl?: string | undefined;
+    enterpriseId: string;
+  }, Promise<any>>;
+};
 /** Cookie lifetime configuration for auth tokens. */
 type AuthCookieConfig = {
   /** Maximum age in seconds, or `null` for session cookies. */maxAge: number | null;
@@ -195,5 +626,5 @@ declare function server(options: ServerOptions): {
   refresh(request: Request): Promise<RefreshResult>;
 };
 //#endregion
-export { AuthCookie, AuthCookieConfig, AuthCookies, RefreshResult, ServerOptions, authCookieNames, parseAuthCookies, serializeAuthCookies, server, shouldProxyAuthAction, structuredAuthCookies };
+export { AuthCookie, AuthCookieConfig, AuthCookies, EnterpriseAdminAuthorizationInput, EnterpriseAdminPermission, EnterpriseAuthorizer, EnterpriseMountOptions, RefreshResult, ServerOptions, authCookieNames, enterprise, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies };
 //# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/server/index.ts"],"mappings":";;KAoBY,gBAAA;EAAgB,6DAE1B,MAAA;AAAA;;KAIU,WAAA;EAAW,mDAErB,KAAA,iBAFqB;EAIrB,YAAA;EAEA,QAAA;AAAA;;KAIU,UAAA;EACV,IAAA;EACA,KAAA;EACA,OAAA;IACE,IAAA;IACA,QAAA;IACA,MAAA;IACA,QAAA;IACA,MAAA;IACA,OAAA,GAAU,IAAA;EAAA;AAAA;;;;KAOF,aAAA;EAAA,wEAEV,GAAA;;;;;;;EAOA,eAAA;EAgBA;;;;EAXA,QAAA,WAoB4C;EAlB5C,YAAA,kBAsBU;EApBV,OAAA;;;;;;;EAOA,eAAA;EAmBK;AAkBP;;;;;;EA7BE,gBAAA,KACM,OAAA,EAAS,OAAA,eAAsB,OAAA;AAAA;AAAA,KAI3B,aAAA;mDAEV,OAAA,EAAS,UAAA,IA4CK;EA1Cd,QAAA;EAEA,KAAA;AAAA;;;;;;AA8EF;;;;;iBA5DgB,eAAA,CACd,IAAA,WACA,eAAA;;;;;;;AAuHF;;;;;;iBAnGgB,gBAAA,CACd,YAAA,6BACA,IAAA,WACA,eAAA,mBACC,WAAA;;;;;;;;;;;AA0LH;iBAxJgB,oBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,EACR,eAAA;;;;AA4PF;;;iBAnMgB,qBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,EACR,eAAA,mBACC,UAAA;;;;;;;;;;;iBAsFa,qBAAA,CAAsB,QAAA,UAAkB,QAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAwGxC,MAAA,CAAO,OAAA,EAAS,aAAA;;;;;;;iBAqBb,OAAA;;;;;;;;;;kBAiBO,OAAA,GAAU,OAAA;;;;;;;;;;;;iBAoCX,OAAA,GAAU,OAAA,CAAQ,QAAA;;;;;;;;;;;;;;mBAyiBhB,OAAA,GAAU,OAAA,CAAQ,aAAA;AAAA"}
+{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/server/index.ts"],"mappings":";;;;KA+BY,yBAAA;AAAA,KAWA,iCAAA;EACV,MAAA;EACA,UAAA,EAAY,yBAAA;EACZ,YAAA;EACA,OAAA;EACA,eAAA;AAAA;AAAA,KAGU,oBAAA,IACV,GAAA;EAAO,IAAA,EADuB,cAAA,CACO,IAAA;AAAA,GACrC,KAAA,EAAO,iCAAA,KACJ,OAAA;AAAA,KAEA,wBAAA;EACH,UAAA,GAAa,oBAAA;AAAA;AAAA,KAGH,sBAAA;EACV,UAAA,EAAY,oBAAA;AAAA;;;;AAVd;;;;;iBAwHgB,GAAA,CACd,IAAA,EAAM,IAAA,CAAK,OAAA,wCACX,OAAA,GAAU,wBAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA2aI,IAAA,CACd,IAAA,EAAM,IAAA,CAAK,OAAA,4BACX,OAAA,GAAU,wBAAA;;;;;;;;;;;;;;;;;;;;;;iBAmDI,UAAA,CACd,IAAA,EAAM,IAAA,CAAK,OAAA,iDACX,OAAA,EAAS,sBAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAsCC,gBAAA;+DAEV,MAAA;AAAA;;KAIU,WAAA;qDAEV,KAAA;EAEA,YAAA;EAEA,QAAA;AAAA;;KAIU,UAAA;EACV,IAAA;EACA,KAAA;EACA,OAAA;IACE,IAAA;IACA,QAAA;IACA,MAAA;IACA,QAAA;IACA,MAAA;IACA,OAAA,GAAU,IAAA;EAAA;AAAA;;;;KAOF,aAAA;0EAEV,GAAA;;;;;;;EAOA,eAAA;;;;;EAKA,QAAA;EAEA,YAAA;EAEA,OAAA;;;;;;;EAOA,eAAA;;;;;;;;EAQA,gBAAA,KACM,OAAA,EAAS,OAAA,eAAsB,OAAA;AAAA;AAAA,KAI3B,aAAA;mDAEV,OAAA,EAAS,UAAA;EAET,QAAA;EAEA,KAAA;AAAA;;;;;;;;;;;iBAkBc,eAAA,CACd,IAAA,WACA,eAAA;;;;;;;;;;;;;iBAoBc,gBAAA,CACd,YAAA,6BACA,IAAA,WACA,eAAA,mBACC,WAAA;;;;;;;;;;;;iBAkCa,oBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,EACR,eAAA;;;;;;;iBAyDc,qBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,EACR,eAAA,mBACC,UAAA;;;;;;;;;;;iBAsFa,qBAAA,CAAsB,QAAA,UAAkB,QAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAwGxC,MAAA,CAAO,OAAA,EAAS,aAAA;;;;;;;iBAqBb,OAAA;;;;;;;;;;kBAiBO,OAAA,GAAU,OAAA;;;;;;;;;AAhcpC;;;iBAoeyB,OAAA,GAAU,OAAA,CAAQ,QAAA;EAlenC;AAIR;;;;;;;;;AAUA;;;mBA6/B2B,OAAA,GAAU,OAAA,CAAQ,aAAA;AAAA"}