@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.15

package/dist/server/mutations/oauth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.d.ts","names":[],"sources":["../../../src/server/mutations/oauth.ts"],"mappings":";;;;;;;;;cAqBa,aAAA,kBAAa,OAAA;;;;;;;YAMxB,eAAA,CAAA,OAAA;;;;;;KA8CG,UAAA;AAAA,iBAEW,aAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,aAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA,EAAY,SAAA;AAAA,cAoHL,aAAA,qBAAyC,gBAAA,EACpD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,aAAA,MAClB,OAAA,CAAQ,UAAA"}
+{"version":3,"file":"oauth.d.ts","names":[],"sources":["../../../src/server/mutations/oauth.ts"],"mappings":";;;;;;;;;cAsBa,aAAA,kBAAa,OAAA;;;;;;;YAMxB,eAAA,CAAA,OAAA;;;;;;KA8CG,UAAA;AAAA,iBAEW,aAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,aAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA,EAAY,SAAA;AAAA,cA+IL,aAAA,qBAAyC,gBAAA,EACpD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,aAAA,MAClB,OAAA,CAAQ,UAAA"}

package/dist/server/mutations/oauth.js

@@ -3,7 +3,7 @@ import { generateRandomString, logWithLevel, sha256 } from "../utils.js";
 import { authDb } from "../db.js";
 import { AUTH_STORE_REF } from "./store.js";
 import { upsertUserAndAccount } from "../users.js";
-import { ENTERPRISE_OIDC_PROVIDER_PREFIX, ENTERPRISE_SAML_PROVIDER_PREFIX, createSyntheticOAuthMaterializedConfig, isEnterpriseProviderId } from "../sso.js";
+import { ENTERPRISE_OIDC_PROVIDER_PREFIX, ENTERPRISE_SAML_PROVIDER_PREFIX, createSyntheticOAuthMaterializedConfig, isEnterpriseProviderId, normalizeEnterprisePolicy } from "../sso.js";
 import { Fx } from "@robelest/fx";
 import { v } from "convex/values";
 
@@ -47,7 +47,10 @@ function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
 		const db = authDb(ctx, config);
 		const existingAccount = yield* Fx.promise(() => db.accounts.get(provider, providerAccountId));
 		const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX) ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length) : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX) ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length) : null;
-		const existingScimIdentity = enterpriseId !== null && existingAccount === null ? yield* Fx.promise(() => ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {
+		const enterprise = enterpriseId !== null ? yield* Fx.promise(() => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId })) : null;
+		const enterprisePolicy = enterprise ? normalizeEnterprisePolicy(enterprise.policy) : null;
+		const enterpriseProtocol = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX) ? "oidc" : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX) ? "saml" : null;
+		const existingScimIdentity = enterpriseId !== null && existingAccount === null && enterprisePolicy?.provisioning.scimReuse.user === "externalId" ? yield* Fx.promise(() => ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {
 			enterpriseId,
 			resourceType: "user",
 			externalId: providerAccountId
@@ -58,14 +61,14 @@ function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
 		}).pipe(Fx.chain((doc) => doc === null ? Fx.fail(new AuthError("OAUTH_INVALID_STATE")) : Fx.succeed(doc)));
 		const { accountId } = yield* Fx.promise(() => upsertUserAndAccount(ctx, verifier.sessionId ?? null, existingAccount !== null ? { existingAccount } : { providerAccountId }, {
 			type: "oauth",
-			provider: isEnterpriseProviderId(provider) ? createSyntheticOAuthMaterializedConfig(provider) : getProviderOrThrow(provider),
+			provider: isEnterpriseProviderId(provider) ? createSyntheticOAuthMaterializedConfig(provider, { accountLinking: enterpriseProtocol === "oidc" ? enterprisePolicy?.identity.accountLinking.oidc : enterpriseProtocol === "saml" ? enterprisePolicy?.identity.accountLinking.saml : void 0 }) : getProviderOrThrow(provider),
 			profile,
 			accountExtend: normalizeAccountExtend(provider, providerAccountId, accountExtend)
 		}, config, existingScimIdentity?.userId ? { existingUserId: existingScimIdentity.userId } : void 0));
-		if (enterpriseId !== null) {
+		if (enterpriseId !== null && enterprisePolicy?.provisioning.jit.mode === "createUserAndMembership") {
 			const userId = (yield* Fx.promise(() => db.accounts.getById(accountId)))?.userId;
 			if (userId) {
-				const groupId = (yield* Fx.promise(() => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId })))?.groupId;
+				const groupId = enterprise?.groupId;
 				if (groupId) {
 					if ((yield* Fx.promise(() => ctx.runQuery(config.component.public.memberGetByGroupAndUser, {
 						userId,
@@ -73,7 +76,7 @@ function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
 					}))) === null) yield* Fx.promise(() => ctx.runMutation(config.component.public.memberAdd, {
 						groupId,
 						userId,
-						role: "member",
+						role: enterprisePolicy.provisioning.jit.defaultRole,
 						status: "active"
 					}));
 				}

package/dist/server/mutations/oauth.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.js","names":[],"sources":["../../../src/server/mutations/oauth.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../fx\";\nimport * as Provider from \"../provider\";\nimport {\n  ENTERPRISE_OIDC_PROVIDER_PREFIX,\n  ENTERPRISE_SAML_PROVIDER_PREFIX,\n  createSyntheticOAuthMaterializedConfig,\n  isEnterpriseProviderId,\n} from \"../sso\";\nimport { MutationCtx } from \"../types\";\nimport type { AuthProviderMaterializedConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { generateRandomString, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store\";\n\nconst OAUTH_SIGN_IN_EXPIRATION_MS = 1000 * 60 * 2; // 2 minutes\n\nexport const userOAuthArgs = v.object({\n  provider: v.string(),\n  providerAccountId: v.string(),\n  profile: v.any(),\n  signature: v.string(),\n  accountExtend: v.optional(v.any()),\n});\n\nfunction normalizeAccountExtend(\n  provider: string,\n  providerAccountId: string,\n  accountExtend: unknown,\n) {\n  const baseIdentity: Record<string, unknown> = {\n    type: \"oauth\",\n    provider,\n    providerAccountId,\n  };\n  if (provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)) {\n    baseIdentity.type = \"enterprise-oidc\";\n    baseIdentity.enterpriseId = provider.slice(\n      ENTERPRISE_OIDC_PROVIDER_PREFIX.length,\n    );\n  }\n  if (provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)) {\n    baseIdentity.type = \"enterprise-saml\";\n    baseIdentity.enterpriseId = provider.slice(\n      ENTERPRISE_SAML_PROVIDER_PREFIX.length,\n    );\n  }\n  const provided =\n    typeof accountExtend === \"object\" &&\n    accountExtend !== null &&\n    !Array.isArray(accountExtend)\n      ? (accountExtend as Record<string, unknown>)\n      : undefined;\n  const providedIdentity =\n    provided &&\n    typeof provided.identity === \"object\" &&\n    provided.identity !== null &&\n    !Array.isArray(provided.identity)\n      ? (provided.identity as Record<string, unknown>)\n      : undefined;\n  return {\n    ...provided,\n    identity: {\n      ...baseIdentity,\n      ...providedIdentity,\n    },\n  };\n}\n\ntype ReturnType = string;\n\nexport function userOAuthImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof userOAuthArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Fx<ReturnType, AuthError> {\n  return Fx.gen(function* () {\n    logWithLevel(\"DEBUG\", \"userOAuthImpl args:\", args);\n    const { profile, provider, providerAccountId, signature, accountExtend } =\n      args;\n    const db = authDb(ctx, config);\n    const existingAccount = yield* Fx.promise(() =>\n      db.accounts.get(provider, providerAccountId),\n    );\n    const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)\n      ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length)\n      : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n        ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length)\n        : null;\n    // Always try to reuse SCIM-provisioned user by externalId for enterprise sign-ins.\n    const existingScimIdentity =\n      enterpriseId !== null && existingAccount === null\n        ? yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {\n              enterpriseId,\n              resourceType: \"user\",\n              externalId: providerAccountId,\n            }),\n          )\n        : null;\n\n    const verifier = yield* Fx.from({\n      ok: () => db.verifiers.getBySignature(signature),\n      err: () => new AuthError(\"OAUTH_INVALID_STATE\"),\n    }).pipe(\n      Fx.chain((doc) =>\n        doc === null\n          ? Fx.fail(new AuthError(\"OAUTH_INVALID_STATE\"))\n          : Fx.succeed(doc),\n      ),\n    );\n\n    const { accountId } = yield* Fx.promise(() =>\n      upsertUserAndAccount(\n        ctx,\n        verifier.sessionId ?? null,\n        existingAccount !== null ? { existingAccount } : { providerAccountId },\n        {\n          type: \"oauth\",\n          provider: (isEnterpriseProviderId(provider)\n            ? createSyntheticOAuthMaterializedConfig(provider)\n            : getProviderOrThrow(provider)) as AuthProviderMaterializedConfig,\n          profile,\n          accountExtend: normalizeAccountExtend(\n            provider,\n            providerAccountId,\n            accountExtend,\n          ),\n        },\n        config,\n        existingScimIdentity?.userId\n          ? { existingUserId: existingScimIdentity.userId }\n          : undefined,\n      ),\n    );\n\n    // JIT group provisioning: if this is an enterprise SSO sign-in and the\n    // enterprise connection has a groupId, auto-add the user as a member of\n    // that group if they aren't already a member.\n    if (enterpriseId !== null) {\n      const account = yield* Fx.promise(() => db.accounts.getById(accountId));\n      const userId = account?.userId;\n      if (userId) {\n        const enterprise = yield* Fx.promise(() =>\n          ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId }),\n        );\n        const groupId = (enterprise as any)?.groupId as string | undefined;\n        if (groupId) {\n          const existingMembership = yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.memberGetByGroupAndUser, {\n              userId,\n              groupId,\n            }),\n          );\n          if (existingMembership === null) {\n            yield* Fx.promise(() =>\n              ctx.runMutation(config.component.public.memberAdd, {\n                groupId,\n                userId,\n                role: \"member\",\n                status: \"active\",\n              }),\n            );\n          }\n        }\n      }\n    }\n\n    const code = generateRandomString(8, \"0123456789\");\n    yield* Fx.promise(() => db.verifiers.delete(verifier._id));\n    const existingVerificationCode = yield* Fx.promise(() =>\n      db.verificationCodes.getByAccountId(accountId),\n    );\n    if (existingVerificationCode !== null) {\n      yield* Fx.promise(() =>\n        db.verificationCodes.delete(existingVerificationCode._id),\n      );\n    }\n    yield* Fx.promise(async () =>\n      db.verificationCodes.create({\n        code: await sha256(code),\n        accountId,\n        provider,\n        expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,\n        verifier: verifier._id,\n      }),\n    );\n    return code;\n  });\n}\n\nexport const callUserOAuth = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof userOAuthArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"userOAuth\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;;;AAmBA,MAAM,8BAA8B,MAAO,KAAK;AAEhD,MAAa,gBAAgB,EAAE,OAAO;CACpC,UAAU,EAAE,QAAQ;CACpB,mBAAmB,EAAE,QAAQ;CAC7B,SAAS,EAAE,KAAK;CAChB,WAAW,EAAE,QAAQ;CACrB,eAAe,EAAE,SAAS,EAAE,KAAK,CAAC;CACnC,CAAC;AAEF,SAAS,uBACP,UACA,mBACA,eACA;CACA,MAAM,eAAwC;EAC5C,MAAM;EACN;EACA;EACD;AACD,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;AAEH,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;CAEH,MAAM,WACJ,OAAO,kBAAkB,YACzB,kBAAkB,QAClB,CAAC,MAAM,QAAQ,cAAc,GACxB,gBACD;CACN,MAAM,mBACJ,YACA,OAAO,SAAS,aAAa,YAC7B,SAAS,aAAa,QACtB,CAAC,MAAM,QAAQ,SAAS,SAAS,GAC5B,SAAS,WACV;AACN,QAAO;EACL,GAAG;EACH,UAAU;GACR,GAAG;GACH,GAAG;GACJ;EACF;;AAKH,SAAgB,cACd,KACA,MACA,oBACA,QAC2B;AAC3B,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,SAAS,uBAAuB,KAAK;EAClD,MAAM,EAAE,SAAS,UAAU,mBAAmB,WAAW,kBACvD;EACF,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,kBAAkB,CAC7C;EACD,MAAM,eAAe,SAAS,WAAW,gCAAgC,GACrE,SAAS,MAAM,gCAAgC,OAAO,GACtD,SAAS,WAAW,gCAAgC,GAClD,SAAS,MAAM,gCAAgC,OAAO,GACtD;EAEN,MAAM,uBACJ,iBAAiB,QAAQ,oBAAoB,OACzC,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,2BAA2B;GAC9D;GACA,cAAc;GACd,YAAY;GACb,CAAC,CACH,GACD;EAEN,MAAM,WAAW,OAAO,GAAG,KAAK;GAC9B,UAAU,GAAG,UAAU,eAAe,UAAU;GAChD,WAAW,IAAI,UAAU,sBAAsB;GAChD,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC,GAC7C,GAAG,QAAQ,IAAI,CACpB,CACF;EAED,MAAM,EAAE,cAAc,OAAO,GAAG,cAC9B,qBACE,KACA,SAAS,aAAa,MACtB,oBAAoB,OAAO,EAAE,iBAAiB,GAAG,EAAE,mBAAmB,EACtE;GACE,MAAM;GACN,UAAW,uBAAuB,SAAS,GACvC,uCAAuC,SAAS,GAChD,mBAAmB,SAAS;GAChC;GACA,eAAe,uBACb,UACA,mBACA,cACD;GACF,EACD,QACA,sBAAsB,SAClB,EAAE,gBAAgB,qBAAqB,QAAQ,GAC/C,OACL,CACF;AAKD,MAAI,iBAAiB,MAAM;GAEzB,MAAM,UADU,OAAO,GAAG,cAAc,GAAG,SAAS,QAAQ,UAAU,CAAC,GAC/C;AACxB,OAAI,QAAQ;IAIV,MAAM,WAHa,OAAO,GAAG,cAC3B,IAAI,SAAS,OAAO,UAAU,OAAO,eAAe,EAAE,cAAc,CAAC,CACtE,GACoC;AACrC,QAAI,SAOF;UAN2B,OAAO,GAAG,cACnC,IAAI,SAAS,OAAO,UAAU,OAAO,yBAAyB;MAC5D;MACA;MACD,CAAC,CACH,MAC0B,KACzB,QAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;MACjD;MACA;MACA,MAAM;MACN,QAAQ;MACT,CAAC,CACH;;;;EAMT,MAAM,OAAO,qBAAqB,GAAG,aAAa;AAClD,SAAO,GAAG,cAAc,GAAG,UAAU,OAAO,SAAS,IAAI,CAAC;EAC1D,MAAM,2BAA2B,OAAO,GAAG,cACzC,GAAG,kBAAkB,eAAe,UAAU,CAC/C;AACD,MAAI,6BAA6B,KAC/B,QAAO,GAAG,cACR,GAAG,kBAAkB,OAAO,yBAAyB,IAAI,CAC1D;AAEH,SAAO,GAAG,QAAQ,YAChB,GAAG,kBAAkB,OAAO;GAC1B,MAAM,MAAM,OAAO,KAAK;GACxB;GACA;GACA,gBAAgB,KAAK,KAAK,GAAG;GAC7B,UAAU,SAAS;GACpB,CAAC,CACH;AACD,SAAO;GACP;;AAGJ,MAAa,gBAAgB,OAC3B,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
+{"version":3,"file":"oauth.js","names":[],"sources":["../../../src/server/mutations/oauth.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../fx\";\nimport * as Provider from \"../provider\";\nimport {\n  ENTERPRISE_OIDC_PROVIDER_PREFIX,\n  ENTERPRISE_SAML_PROVIDER_PREFIX,\n  createSyntheticOAuthMaterializedConfig,\n  isEnterpriseProviderId,\n  normalizeEnterprisePolicy,\n} from \"../sso\";\nimport { MutationCtx } from \"../types\";\nimport type { AuthProviderMaterializedConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { generateRandomString, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store\";\n\nconst OAUTH_SIGN_IN_EXPIRATION_MS = 1000 * 60 * 2; // 2 minutes\n\nexport const userOAuthArgs = v.object({\n  provider: v.string(),\n  providerAccountId: v.string(),\n  profile: v.any(),\n  signature: v.string(),\n  accountExtend: v.optional(v.any()),\n});\n\nfunction normalizeAccountExtend(\n  provider: string,\n  providerAccountId: string,\n  accountExtend: unknown,\n) {\n  const baseIdentity: Record<string, unknown> = {\n    type: \"oauth\",\n    provider,\n    providerAccountId,\n  };\n  if (provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)) {\n    baseIdentity.type = \"enterprise-oidc\";\n    baseIdentity.enterpriseId = provider.slice(\n      ENTERPRISE_OIDC_PROVIDER_PREFIX.length,\n    );\n  }\n  if (provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)) {\n    baseIdentity.type = \"enterprise-saml\";\n    baseIdentity.enterpriseId = provider.slice(\n      ENTERPRISE_SAML_PROVIDER_PREFIX.length,\n    );\n  }\n  const provided =\n    typeof accountExtend === \"object\" &&\n    accountExtend !== null &&\n    !Array.isArray(accountExtend)\n      ? (accountExtend as Record<string, unknown>)\n      : undefined;\n  const providedIdentity =\n    provided &&\n    typeof provided.identity === \"object\" &&\n    provided.identity !== null &&\n    !Array.isArray(provided.identity)\n      ? (provided.identity as Record<string, unknown>)\n      : undefined;\n  return {\n    ...provided,\n    identity: {\n      ...baseIdentity,\n      ...providedIdentity,\n    },\n  };\n}\n\ntype ReturnType = string;\n\nexport function userOAuthImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof userOAuthArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Fx<ReturnType, AuthError> {\n  return Fx.gen(function* () {\n    logWithLevel(\"DEBUG\", \"userOAuthImpl args:\", args);\n    const { profile, provider, providerAccountId, signature, accountExtend } =\n      args;\n    const db = authDb(ctx, config);\n    const existingAccount = yield* Fx.promise(() =>\n      db.accounts.get(provider, providerAccountId),\n    );\n    const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)\n      ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length)\n      : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n        ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length)\n        : null;\n    const enterprise =\n      enterpriseId !== null\n        ? yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.enterpriseGet, {\n              enterpriseId,\n            }),\n          )\n        : null;\n    const enterprisePolicy = enterprise\n      ? normalizeEnterprisePolicy(enterprise.policy)\n      : null;\n    const enterpriseProtocol = provider.startsWith(\n      ENTERPRISE_OIDC_PROVIDER_PREFIX,\n    )\n      ? \"oidc\"\n      : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n        ? \"saml\"\n        : null;\n\n    const existingScimIdentity =\n      enterpriseId !== null &&\n      existingAccount === null &&\n      enterprisePolicy?.provisioning.scimReuse.user === \"externalId\"\n        ? yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {\n              enterpriseId,\n              resourceType: \"user\",\n              externalId: providerAccountId,\n            }),\n          )\n        : null;\n\n    const verifier = yield* Fx.from({\n      ok: () => db.verifiers.getBySignature(signature),\n      err: () => new AuthError(\"OAUTH_INVALID_STATE\"),\n    }).pipe(\n      Fx.chain((doc) =>\n        doc === null\n          ? Fx.fail(new AuthError(\"OAUTH_INVALID_STATE\"))\n          : Fx.succeed(doc),\n      ),\n    );\n\n    const { accountId } = yield* Fx.promise(() =>\n      upsertUserAndAccount(\n        ctx,\n        verifier.sessionId ?? null,\n        existingAccount !== null ? { existingAccount } : { providerAccountId },\n        {\n          type: \"oauth\",\n          provider: (isEnterpriseProviderId(provider)\n            ? createSyntheticOAuthMaterializedConfig(provider, {\n                accountLinking:\n                  enterpriseProtocol === \"oidc\"\n                    ? enterprisePolicy?.identity.accountLinking.oidc\n                    : enterpriseProtocol === \"saml\"\n                      ? enterprisePolicy?.identity.accountLinking.saml\n                      : undefined,\n              })\n            : getProviderOrThrow(provider)) as AuthProviderMaterializedConfig,\n          profile,\n          accountExtend: normalizeAccountExtend(\n            provider,\n            providerAccountId,\n            accountExtend,\n          ),\n        },\n        config,\n        existingScimIdentity?.userId\n          ? { existingUserId: existingScimIdentity.userId }\n          : undefined,\n      ),\n    );\n\n    // JIT group provisioning: if this is an enterprise SSO sign-in and the\n    // enterprise connection has a groupId, auto-add the user as a member of\n    // that group if they aren't already a member.\n    if (\n      enterpriseId !== null &&\n      enterprisePolicy?.provisioning.jit.mode === \"createUserAndMembership\"\n    ) {\n      const account = yield* Fx.promise(() => db.accounts.getById(accountId));\n      const userId = account?.userId;\n      if (userId) {\n        const groupId = (enterprise as any)?.groupId as string | undefined;\n        if (groupId) {\n          const existingMembership = yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.memberGetByGroupAndUser, {\n              userId,\n              groupId,\n            }),\n          );\n          if (existingMembership === null) {\n            yield* Fx.promise(() =>\n              ctx.runMutation(config.component.public.memberAdd, {\n                groupId,\n                userId,\n                role: enterprisePolicy.provisioning.jit.defaultRole,\n                status: \"active\",\n              }),\n            );\n          }\n        }\n      }\n    }\n\n    const code = generateRandomString(8, \"0123456789\");\n    yield* Fx.promise(() => db.verifiers.delete(verifier._id));\n    const existingVerificationCode = yield* Fx.promise(() =>\n      db.verificationCodes.getByAccountId(accountId),\n    );\n    if (existingVerificationCode !== null) {\n      yield* Fx.promise(() =>\n        db.verificationCodes.delete(existingVerificationCode._id),\n      );\n    }\n    yield* Fx.promise(async () =>\n      db.verificationCodes.create({\n        code: await sha256(code),\n        accountId,\n        provider,\n        expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,\n        verifier: verifier._id,\n      }),\n    );\n    return code;\n  });\n}\n\nexport const callUserOAuth = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof userOAuthArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"userOAuth\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;;;AAoBA,MAAM,8BAA8B,MAAO,KAAK;AAEhD,MAAa,gBAAgB,EAAE,OAAO;CACpC,UAAU,EAAE,QAAQ;CACpB,mBAAmB,EAAE,QAAQ;CAC7B,SAAS,EAAE,KAAK;CAChB,WAAW,EAAE,QAAQ;CACrB,eAAe,EAAE,SAAS,EAAE,KAAK,CAAC;CACnC,CAAC;AAEF,SAAS,uBACP,UACA,mBACA,eACA;CACA,MAAM,eAAwC;EAC5C,MAAM;EACN;EACA;EACD;AACD,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;AAEH,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;CAEH,MAAM,WACJ,OAAO,kBAAkB,YACzB,kBAAkB,QAClB,CAAC,MAAM,QAAQ,cAAc,GACxB,gBACD;CACN,MAAM,mBACJ,YACA,OAAO,SAAS,aAAa,YAC7B,SAAS,aAAa,QACtB,CAAC,MAAM,QAAQ,SAAS,SAAS,GAC5B,SAAS,WACV;AACN,QAAO;EACL,GAAG;EACH,UAAU;GACR,GAAG;GACH,GAAG;GACJ;EACF;;AAKH,SAAgB,cACd,KACA,MACA,oBACA,QAC2B;AAC3B,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,SAAS,uBAAuB,KAAK;EAClD,MAAM,EAAE,SAAS,UAAU,mBAAmB,WAAW,kBACvD;EACF,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,kBAAkB,CAC7C;EACD,MAAM,eAAe,SAAS,WAAW,gCAAgC,GACrE,SAAS,MAAM,gCAAgC,OAAO,GACtD,SAAS,WAAW,gCAAgC,GAClD,SAAS,MAAM,gCAAgC,OAAO,GACtD;EACN,MAAM,aACJ,iBAAiB,OACb,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,eAAe,EAClD,cACD,CAAC,CACH,GACD;EACN,MAAM,mBAAmB,aACrB,0BAA0B,WAAW,OAAO,GAC5C;EACJ,MAAM,qBAAqB,SAAS,WAClC,gCACD,GACG,SACA,SAAS,WAAW,gCAAgC,GAClD,SACA;EAEN,MAAM,uBACJ,iBAAiB,QACjB,oBAAoB,QACpB,kBAAkB,aAAa,UAAU,SAAS,eAC9C,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,2BAA2B;GAC9D;GACA,cAAc;GACd,YAAY;GACb,CAAC,CACH,GACD;EAEN,MAAM,WAAW,OAAO,GAAG,KAAK;GAC9B,UAAU,GAAG,UAAU,eAAe,UAAU;GAChD,WAAW,IAAI,UAAU,sBAAsB;GAChD,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC,GAC7C,GAAG,QAAQ,IAAI,CACpB,CACF;EAED,MAAM,EAAE,cAAc,OAAO,GAAG,cAC9B,qBACE,KACA,SAAS,aAAa,MACtB,oBAAoB,OAAO,EAAE,iBAAiB,GAAG,EAAE,mBAAmB,EACtE;GACE,MAAM;GACN,UAAW,uBAAuB,SAAS,GACvC,uCAAuC,UAAU,EAC/C,gBACE,uBAAuB,SACnB,kBAAkB,SAAS,eAAe,OAC1C,uBAAuB,SACrB,kBAAkB,SAAS,eAAe,OAC1C,QACT,CAAC,GACF,mBAAmB,SAAS;GAChC;GACA,eAAe,uBACb,UACA,mBACA,cACD;GACF,EACD,QACA,sBAAsB,SAClB,EAAE,gBAAgB,qBAAqB,QAAQ,GAC/C,OACL,CACF;AAKD,MACE,iBAAiB,QACjB,kBAAkB,aAAa,IAAI,SAAS,2BAC5C;GAEA,MAAM,UADU,OAAO,GAAG,cAAc,GAAG,SAAS,QAAQ,UAAU,CAAC,GAC/C;AACxB,OAAI,QAAQ;IACV,MAAM,UAAW,YAAoB;AACrC,QAAI,SAOF;UAN2B,OAAO,GAAG,cACnC,IAAI,SAAS,OAAO,UAAU,OAAO,yBAAyB;MAC5D;MACA;MACD,CAAC,CACH,MAC0B,KACzB,QAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;MACjD;MACA;MACA,MAAM,iBAAiB,aAAa,IAAI;MACxC,QAAQ;MACT,CAAC,CACH;;;;EAMT,MAAM,OAAO,qBAAqB,GAAG,aAAa;AAClD,SAAO,GAAG,cAAc,GAAG,UAAU,OAAO,SAAS,IAAI,CAAC;EAC1D,MAAM,2BAA2B,OAAO,GAAG,cACzC,GAAG,kBAAkB,eAAe,UAAU,CAC/C;AACD,MAAI,6BAA6B,KAC/B,QAAO,GAAG,cACR,GAAG,kBAAkB,OAAO,yBAAyB,IAAI,CAC1D;AAEH,SAAO,GAAG,QAAQ,YAChB,GAAG,kBAAkB,OAAO;GAC1B,MAAM,MAAM,OAAO,KAAK;GACxB;GACA;GACA,gBAAgB,KAAK,KAAK,GAAG;GAC7B,UAAU,SAAS;GACpB,CAAC,CACH;AACD,SAAO;GACP;;AAGJ,MAAa,gBAAgB,OAC3B,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/server/mutations/refresh.d.ts

@@ -1,14 +1,14 @@
 import { MutationCtx } from "../types.js";
 import { Config, GetProviderOrThrowFunc } from "../provider.js";
-import * as convex_values99 from "convex/values";
-import { Infer } from "convex/values";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
+import * as convex_values88 from "convex/values";
+import { Infer } from "convex/values";
 
 //#region src/server/mutations/refresh.d.ts
-declare const refreshSessionArgs: convex_values99.VObject<{
+declare const refreshSessionArgs: convex_values88.VObject<{
   refreshToken: string;
 }, {
-  refreshToken: convex_values99.VString<string, "required">;
+  refreshToken: convex_values88.VString<string, "required">;
 }, "required", "refreshToken">;
 type RefreshResult = null | {
   token: string;

package/dist/server/mutations/register.d.ts

@@ -1,32 +1,32 @@
 import { Doc, MutationCtx } from "../types.js";
 import { Config, GetProviderOrThrowFunc } from "../provider.js";
-import * as convex_values0 from "convex/values";
-import { Infer } from "convex/values";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
+import * as convex_values90 from "convex/values";
+import { Infer } from "convex/values";
 
 //#region src/server/mutations/register.d.ts
-declare const createAccountFromCredentialsArgs: convex_values0.VObject<{
+declare const createAccountFromCredentialsArgs: convex_values90.VObject<{
   shouldLinkViaEmail?: boolean | undefined;
   shouldLinkViaPhone?: boolean | undefined;
   provider: string;
+  profile: any;
   account: {
     secret?: string | undefined;
     id: string;
   };
-  profile: any;
 }, {
-  provider: convex_values0.VString<string, "required">;
-  account: convex_values0.VObject<{
+  provider: convex_values90.VString<string, "required">;
+  account: convex_values90.VObject<{
     secret?: string | undefined;
     id: string;
   }, {
-    id: convex_values0.VString<string, "required">;
-    secret: convex_values0.VString<string | undefined, "optional">;
+    id: convex_values90.VString<string, "required">;
+    secret: convex_values90.VString<string | undefined, "optional">;
   }, "required", "id" | "secret">;
-  profile: convex_values0.VAny<any, "required", string>;
-  shouldLinkViaEmail: convex_values0.VBoolean<boolean | undefined, "optional">;
-  shouldLinkViaPhone: convex_values0.VBoolean<boolean | undefined, "optional">;
-}, "required", "provider" | "account" | "profile" | "shouldLinkViaEmail" | "shouldLinkViaPhone" | "account.id" | "account.secret" | `profile.${string}`>;
+  profile: convex_values90.VAny<any, "required", string>;
+  shouldLinkViaEmail: convex_values90.VBoolean<boolean | undefined, "optional">;
+  shouldLinkViaPhone: convex_values90.VBoolean<boolean | undefined, "optional">;
+}, "required", "provider" | "profile" | `profile.${string}` | "account" | "shouldLinkViaEmail" | "shouldLinkViaPhone" | "account.id" | "account.secret">;
 type ReturnType = {
   account: Doc<"Account">;
   user: Doc<"User">;

package/dist/server/mutations/register.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"register.d.ts","names":[],"sources":["../../../src/server/mutations/register.ts"],"mappings":";;;;;;;cAca,gCAAA,iBAAgC,OAAA;;;;;;;;;;YAM3C,cAAA,CAAA,OAAA;;;;;;;;;;;;KAEG,UAAA;EAAe,OAAA,EAAS,GAAA;EAAgB,IAAA,EAAM,GAAA;AAAA;AAAA,iBAE7B,gCAAA,CACpB,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,gCAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,OAAA,CAAQ,UAAA;AAAA,cA8JE,gCAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,gCAAA,MAClB,OAAA,CAAQ,UAAA"}
+{"version":3,"file":"register.d.ts","names":[],"sources":["../../../src/server/mutations/register.ts"],"mappings":";;;;;;;cAca,gCAAA,kBAAgC,OAAA;;;;;;;;;;YAM3C,eAAA,CAAA,OAAA;;;;;;;;;;;;KAEG,UAAA;EAAe,OAAA,EAAS,GAAA;EAAgB,IAAA,EAAM,GAAA;AAAA;AAAA,iBAE7B,gCAAA,CACpB,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,gCAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,OAAA,CAAQ,UAAA;AAAA,cA8JE,gCAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,gCAAA,MAClB,OAAA,CAAQ,UAAA"}

package/dist/server/mutations/retrieve.d.ts

@@ -1,9 +1,9 @@
 import { Doc, MutationCtx } from "../types.js";
 import { Config, GetProviderOrThrowFunc } from "../provider.js";
 import { Fx } from "@robelest/fx";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
 import * as convex_values101 from "convex/values";
 import { Infer } from "convex/values";
-import { GenericActionCtx, GenericDataModel } from "convex/server";
 
 //#region src/server/mutations/retrieve.d.ts
 declare const retrieveAccountWithCredentialsArgs: convex_values101.VObject<{

package/dist/server/mutations/signature.d.ts

@@ -2,17 +2,17 @@ import { MutationCtx } from "../types.js";
 import { AuthError } from "../fx.js";
 import { Config } from "../provider.js";
 import { Fx } from "@robelest/fx";
-import * as convex_values116 from "convex/values";
-import { Infer } from "convex/values";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
+import * as convex_values98 from "convex/values";
+import { Infer } from "convex/values";
 
 //#region src/server/mutations/signature.d.ts
-declare const verifierSignatureArgs: convex_values116.VObject<{
+declare const verifierSignatureArgs: convex_values98.VObject<{
   verifier: string;
   signature: string;
 }, {
-  verifier: convex_values116.VString<string, "required">;
-  signature: convex_values116.VString<string, "required">;
+  verifier: convex_values98.VString<string, "required">;
+  signature: convex_values98.VString<string, "required">;
 }, "required", "verifier" | "signature">;
 type ReturnType = void;
 declare function verifierSignatureImpl(ctx: MutationCtx, args: Infer<typeof verifierSignatureArgs>, config: Config): Fx<ReturnType, AuthError>;

package/dist/server/mutations/signature.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"signature.d.ts","names":[],"sources":["../../../src/server/mutations/signature.ts"],"mappings":";;;;;;;;;cAUa,qBAAA,mBAAqB,OAAA;;;;YAGhC,gBAAA,CAAA,OAAA;;;KAEG,UAAA;AAAA,iBAEW,qBAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,qBAAA,GACnB,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA,EAAY,SAAA;AAAA,cAkBL,qBAAA,qBAAiD,gBAAA,EAC5D,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,qBAAA,MAClB,OAAA"}
+{"version":3,"file":"signature.d.ts","names":[],"sources":["../../../src/server/mutations/signature.ts"],"mappings":";;;;;;;;;cAUa,qBAAA,kBAAqB,OAAA;;;;YAGhC,eAAA,CAAA,OAAA;;;KAEG,UAAA;AAAA,iBAEW,qBAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,qBAAA,GACnB,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA,EAAY,SAAA;AAAA,cAkBL,qBAAA,qBAAiD,gBAAA,EAC5D,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,qBAAA,MAClB,OAAA"}

package/dist/server/mutations/signin.d.ts

@@ -1,8 +1,8 @@
 import { MutationCtx, SessionInfo } from "../types.js";
 import { Config } from "../provider.js";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
 import * as convex_values106 from "convex/values";
 import { Infer } from "convex/values";
-import { GenericActionCtx, GenericDataModel } from "convex/server";
 
 //#region src/server/mutations/signin.d.ts
 declare const signInArgs: convex_values106.VObject<{

package/dist/server/mutations/signout.d.ts

@@ -1,8 +1,8 @@
 import { MutationCtx } from "../types.js";
 import { Config } from "../provider.js";
 import { Fx } from "@robelest/fx";
-import { GenericId } from "convex/values";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
+import { GenericId } from "convex/values";
 
 //#region src/server/mutations/signout.d.ts
 type ReturnType = {

package/dist/server/mutations/store.d.ts

@@ -2,8 +2,9 @@
 /**
  * Internal function reference for the library's store dispatch mutation.
  *
- * This remains string-based because the library code cannot import the
- * consumer app's generated `internal` API module.
+ * The package cannot import the consumer app's generated `api` module,
+ * so it uses a canonical function reference name that matches the app-level
+ * `export const { store } = auth` surface.
  */
 declare const AUTH_STORE_REF: any;
 //#endregion

package/dist/server/mutations/store.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"store.d.ts","names":[],"sources":["../../../src/server/mutations/store.ts"],"mappings":";;AAMA;;;;;cAAa,cAAA"}
+{"version":3,"file":"store.d.ts","names":[],"sources":["../../../src/server/mutations/store.ts"],"mappings":";;AASA;;;;;;cAAa,cAAA"}

package/dist/server/mutations/store.js

@@ -1,11 +1,14 @@
+import { makeFunctionReference } from "convex/server";
+
 //#region src/server/mutations/store.ts
 /**
 * Internal function reference for the library's store dispatch mutation.
 *
-* This remains string-based because the library code cannot import the
-* consumer app's generated `internal` API module.
+* The package cannot import the consumer app's generated `api` module,
+* so it uses a canonical function reference name that matches the app-level
+* `export const { store } = auth` surface.
 */
-const AUTH_STORE_REF = "auth/store:run";
+const AUTH_STORE_REF = makeFunctionReference("auth:store");
 
 //#endregion
 export { AUTH_STORE_REF };

package/dist/server/mutations/store.js.map

@@ -1 +1 @@
-{"version":3,"file":"store.js","names":[],"sources":["../../../src/server/mutations/store.ts"],"sourcesContent":["/**\n * Internal function reference for the library's store dispatch mutation.\n *\n * This remains string-based because the library code cannot import the\n * consumer app's generated `internal` API module.\n */\nexport const AUTH_STORE_REF = \"auth/store:run\" as any;\n"],"mappings":";;;;;;;AAMA,MAAa,iBAAiB"}
+{"version":3,"file":"store.js","names":[],"sources":["../../../src/server/mutations/store.ts"],"sourcesContent":["import { makeFunctionReference } from \"convex/server\";\n\n/**\n * Internal function reference for the library's store dispatch mutation.\n *\n * The package cannot import the consumer app's generated `api` module,\n * so it uses a canonical function reference name that matches the app-level\n * `export const { store } = auth` surface.\n */\nexport const AUTH_STORE_REF = makeFunctionReference(\"auth:store\") as any;\n"],"mappings":";;;;;;;;;;AASA,MAAa,iBAAiB,sBAAsB,aAAa"}

package/dist/server/mutations/verifier.d.ts

@@ -1,8 +1,8 @@
 import { MutationCtx } from "../types.js";
 import { Config } from "../provider.js";
 import { Fx } from "@robelest/fx";
-import { GenericId } from "convex/values";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
+import { GenericId } from "convex/values";
 
 //#region src/server/mutations/verifier.d.ts
 type ReturnType = GenericId<"AuthVerifier">;

package/dist/server/mutations/verify.d.ts

@@ -1,23 +1,23 @@
 import { MutationCtx, SessionInfo } from "../types.js";
 import { Config, GetProviderOrThrowFunc } from "../provider.js";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
 import * as convex_values110 from "convex/values";
 import { Infer } from "convex/values";
-import { GenericActionCtx, GenericDataModel } from "convex/server";
 
 //#region src/server/mutations/verify.d.ts
 declare const verifyCodeAndSignInArgs: convex_values110.VObject<{
   provider?: string | undefined;
   verifier?: string | undefined;
-  allowExtraProviders: boolean;
-  generateTokens: boolean;
   params: any;
+  generateTokens: boolean;
+  allowExtraProviders: boolean;
 }, {
   params: convex_values110.VAny<any, "required", string>;
   provider: convex_values110.VString<string | undefined, "optional">;
   verifier: convex_values110.VString<string | undefined, "optional">;
   generateTokens: convex_values110.VBoolean<boolean, "required">;
   allowExtraProviders: convex_values110.VBoolean<boolean, "required">;
-}, "required", "provider" | "verifier" | "allowExtraProviders" | "generateTokens" | "params" | `params.${string}`>;
+}, "required", "provider" | "params" | "verifier" | "generateTokens" | "allowExtraProviders" | `params.${string}`>;
 type ReturnType = null | SessionInfo;
 declare function verifyCodeAndSignInImpl(ctx: MutationCtx, args: Infer<typeof verifyCodeAndSignInArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Promise<ReturnType>;
 declare const callVerifyCodeAndSignIn: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof verifyCodeAndSignInArgs>) => Promise<ReturnType>;

package/dist/server/oauth.d.ts

@@ -1,59 +1 @@
-import { OAuthProfile } from "./types.js";
-import { AuthError } from "./fx.js";
-import * as arctic from "arctic";
-
-//#region src/server/oauth.d.ts
-type OAuthProviderConfigLike = {
-  scopes?: string[];
-  profile?: (tokens: arctic.OAuth2Tokens) => Promise<OAuthProfile>;
-  nonce?: boolean;
-  validateTokens?: (tokens: arctic.OAuth2Tokens, ctx: {
-    nonce?: string;
-  }) => Promise<void>;
-};
-/** A cookie to be set on the HTTP response. */
-interface OAuthCookie {
-  name: string;
-  value: string;
-  options: Record<string, unknown>;
-}
-/** Result of creating an authorization URL. */
-interface AuthorizationResult {
-  redirect: string;
-  cookies: OAuthCookie[];
-  signature: string;
-}
-/** Result of handling an OAuth callback. */
-interface CallbackResult {
-  profile: OAuthProfile;
-  providerAccountId: string;
-  cookies: OAuthCookie[];
-  signature: string;
-}
-/**
- * Creates a signature string from the OAuth state parameters.
- * This is stored in the verifier table and validated during callback.
- */
-declare function getAuthorizationSignature({
-  codeVerifier,
-  state
-}: {
-  codeVerifier?: string;
-  state?: string;
-}): string;
-/**
- * Create an OAuth authorization URL using an Arctic provider.
- *
- * Handles PKCE detection, state generation, and cookie creation.
- */
-declare function createOAuthAuthorizationURL(providerId: string, arcticProvider: any, oauthConfig: OAuthProviderConfigLike): Promise<AuthorizationResult>;
-/**
- * Handle the OAuth callback: validate state, exchange code for tokens,
- * extract profile.
- *
- * Returns `Fx<CallbackResult, AuthError>` composed via `Fx.gen`.
- */
-declare function handleOAuthCallback(providerId: string, arcticProvider: any, oauthConfig: OAuthProviderConfigLike, params: Record<string, string>, cookies: Record<string, string | undefined>): Fx<CallbackResult, AuthError>;
-//#endregion
-export { AuthorizationResult, CallbackResult, OAuthCookie, createOAuthAuthorizationURL, getAuthorizationSignature, handleOAuthCallback };
-//# sourceMappingURL=oauth.d.ts.map
+export { };

package/dist/server/oauth.js

@@ -45,6 +45,7 @@ function clearCookie(type, providerId) {
 * Creates a signature string from the OAuth state parameters.
 * This is stored in the verifier table and validated during callback.
 */
+/** @internal */
 function getAuthorizationSignature({ codeVerifier, state }) {
 	return [codeVerifier, state].filter((param) => param !== void 0).join(" ");
 }
@@ -107,6 +108,7 @@ function validateProfileId(providerId, profile) {
 *
 * Handles PKCE detection, state generation, and cookie creation.
 */
+/** @internal */
 async function createOAuthAuthorizationURL(providerId, arcticProvider, oauthConfig) {
 	const state = arctic.generateState();
 	const cookies = [];
@@ -145,6 +147,7 @@ async function createOAuthAuthorizationURL(providerId, arcticProvider, oauthConf
 *
 * Returns `Fx<CallbackResult, AuthError>` composed via `Fx.gen`.
 */
+/** @internal */
 function handleOAuthCallback(providerId, arcticProvider, oauthConfig, params, cookies) {
 	return Fx.gen(function* () {
 		const resCookies = [];

package/dist/server/oauth.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.js","names":[],"sources":["../../src/server/oauth.ts"],"sourcesContent":["/**\n * Arctic-based OAuth flow implementation.\n *\n * Uses Arctic for OAuth provider integration.\n *\n * All functions return `Fx<A, AuthError>` composed via `Fx.gen` pipelines.\n *\n * @internal\n * @module\n */\n\nimport { Fx } from \"@robelest/fx\";\nimport * as arctic from \"arctic\";\n\nimport { SHARED_COOKIE_OPTIONS } from \"./cookies\";\nimport { AuthError } from \"./fx\";\nimport type { OAuthProfile } from \"./types\";\nimport { logWithLevel } from \"./utils\";\nimport { isLocalHost } from \"./utils\";\n\ntype OAuthProviderConfigLike = {\n  scopes?: string[];\n  profile?: (tokens: arctic.OAuth2Tokens) => Promise<OAuthProfile>;\n  nonce?: boolean;\n  validateTokens?: (\n    tokens: arctic.OAuth2Tokens,\n    ctx: { nonce?: string },\n  ) => Promise<void>;\n};\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/** A cookie to be set on the HTTP response. */\nexport interface OAuthCookie {\n  name: string;\n  value: string;\n  options: Record<string, unknown>;\n}\n\n/** Result of creating an authorization URL. */\nexport interface AuthorizationResult {\n  redirect: string;\n  cookies: OAuthCookie[];\n  signature: string;\n}\n\n/** Result of handling an OAuth callback. */\nexport interface CallbackResult {\n  profile: OAuthProfile;\n  providerAccountId: string;\n  cookies: OAuthCookie[];\n  signature: string;\n}\n\n// ============================================================================\n// Cookie helpers\n// ============================================================================\n\nconst COOKIE_TTL = 60 * 15; // 15 minutes\n\nfunction oauthCookieName(type: \"state\" | \"pkce\" | \"nonce\", providerId: string) {\n  const prefix = !isLocalHost(process.env.CONVEX_SITE_URL) ? \"__Host-\" : \"\";\n  return prefix + providerId + \"OAuth\" + type;\n}\n\nfunction createCookie(\n  type: \"state\" | \"pkce\" | \"nonce\",\n  providerId: string,\n  value: string,\n): OAuthCookie {\n  const expires = new Date();\n  expires.setTime(expires.getTime() + COOKIE_TTL * 1000);\n  return {\n    name: oauthCookieName(type, providerId),\n    value,\n    options: { ...SHARED_COOKIE_OPTIONS, expires },\n  };\n}\n\nfunction clearCookie(\n  type: \"state\" | \"pkce\" | \"nonce\",\n  providerId: string,\n): OAuthCookie {\n  return {\n    name: oauthCookieName(type, providerId),\n    value: \"\",\n    options: { ...SHARED_COOKIE_OPTIONS, maxAge: 0 },\n  };\n}\n\n// ============================================================================\n// Signature (ConvexAuth-specific verifier mechanism)\n// ============================================================================\n\n/**\n * Creates a signature string from the OAuth state parameters.\n * This is stored in the verifier table and validated during callback.\n */\nexport function getAuthorizationSignature({\n  codeVerifier,\n  state,\n}: {\n  codeVerifier?: string;\n  state?: string;\n}) {\n  return [codeVerifier, state].filter((param) => param !== undefined).join(\" \");\n}\n\n// ============================================================================\n// PKCE Detection\n// ============================================================================\n\n/**\n * Detect whether an Arctic provider uses PKCE by checking the arity\n * of `createAuthorizationURL`. PKCE providers take 3 args\n * (state, codeVerifier, scopes), non-PKCE take 2 (state, scopes).\n */\nfunction isPKCEProvider(provider: any): boolean {\n  return (\n    typeof provider.createAuthorizationURL === \"function\" &&\n    provider.createAuthorizationURL.length >= 3\n  );\n}\n\n// ============================================================================\n// Token exchange — wraps Arctic's validateAuthorizationCode\n// ============================================================================\n\n/**\n * Exchange the authorization code for tokens via Arctic.\n * Maps Arctic-specific errors to typed `AuthError` failures.\n */\nfunction exchangeCode(\n  arcticProvider: any,\n  code: string,\n  codeVerifier: string | undefined,\n): Fx<arctic.OAuth2Tokens, AuthError> {\n  return Fx.from({\n    ok: () =>\n      isPKCEProvider(arcticProvider)\n        ? arcticProvider.validateAuthorizationCode(code, codeVerifier)\n        : arcticProvider.validateAuthorizationCode(code),\n    err: (e) => {\n      if (e instanceof arctic.OAuth2RequestError) {\n        return new AuthError(\n          \"OAUTH_PROVIDER_ERROR\",\n          `Token exchange failed: ${e.code}`,\n        );\n      }\n      if (e instanceof arctic.ArcticFetchError) {\n        return new AuthError(\n          \"OAUTH_PROVIDER_ERROR\",\n          `Network error during token exchange: ${e.message}`,\n        );\n      }\n      // Unknown error — treat as unrecoverable defect; we surface it as\n      // an AuthError here so the pipeline type stays Fx<_, AuthError>.\n      // The original `throw e` re-throw is replicated via Fx.fatal below.\n      return new AuthError(\n        \"OAUTH_PROVIDER_ERROR\",\n        `Unexpected error during token exchange: ${e instanceof Error ? e.message : String(e)}`,\n      );\n    },\n  }).pipe(\n    Fx.chain((tokens) => {\n      // If the original error was neither OAuth2RequestError nor\n      // ArcticFetchError the old code re-threw it raw. We replicate that\n      // by checking whether we created an \"Unexpected\" marker message\n      // — but since `Fx.from` already mapped it, we just pass through.\n      return Fx.succeed(tokens);\n    }),\n  );\n}\n\n/**\n * Extract the user profile from tokens using the config callback,\n * OIDC auto-decode, or fail if neither is available.\n */\nfunction extractProfile(\n  providerId: string,\n  oauthConfig: OAuthProviderConfigLike,\n  tokens: arctic.OAuth2Tokens,\n): Fx<OAuthProfile, AuthError> {\n  const hasIdToken =\n    \"id_token\" in tokens.data &&\n    typeof (tokens.data as any).id_token === \"string\";\n  const profileSource = oauthConfig.profile\n    ? { source: \"callback\" as const }\n    : hasIdToken\n      ? { source: \"idToken\" as const }\n      : { source: \"missing\" as const };\n\n  return Fx.match(profileSource, profileSource.source, {\n    callback: (_profileSource) =>\n      Fx.from({\n        ok: () => oauthConfig.profile!(tokens),\n        err: (e) =>\n          new AuthError(\n            \"OAUTH_INVALID_PROFILE\",\n            `Profile callback threw: ${e instanceof Error ? e.message : String(e)}`,\n          ),\n      }),\n    idToken: (_profileSource) => {\n      const claims = arctic.decodeIdToken(tokens.idToken()) as Record<\n        string,\n        unknown\n      >;\n      return Fx.succeed({\n        id: (claims.sub as string) ?? crypto.randomUUID(),\n        name: (claims.name as string) ?? undefined,\n        email: (claims.email as string) ?? undefined,\n        image: (claims.picture as string) ?? undefined,\n      });\n    },\n    missing: (_profileSource) =>\n      Fx.fail(\n        new AuthError(\n          \"OAUTH_INVALID_PROFILE\",\n          `Provider \"${providerId}\" does not return an ID token. ` +\n            `Add a \\`profile\\` callback in the OAuth() config to extract user info from the access token.`,\n        ),\n      ),\n  });\n}\n\n/**\n * Validate that the profile has a non-empty string `id`.\n */\nfunction validateProfileId(\n  providerId: string,\n  profile: OAuthProfile,\n): Fx<OAuthProfile, AuthError> {\n  return typeof profile.id === \"string\" && profile.id\n    ? Fx.succeed(profile)\n    : Fx.fail(\n        new AuthError(\n          \"OAUTH_INVALID_PROFILE\",\n          `The profile callback for \"${providerId}\" must return an object with a string \\`id\\` field.`,\n        ),\n      );\n}\n\n// ============================================================================\n// Authorization URL creation\n// ============================================================================\n\n/**\n * Create an OAuth authorization URL using an Arctic provider.\n *\n * Handles PKCE detection, state generation, and cookie creation.\n */\nexport async function createOAuthAuthorizationURL(\n  providerId: string,\n  arcticProvider: any,\n  oauthConfig: OAuthProviderConfigLike,\n): Promise<AuthorizationResult> {\n  const state = arctic.generateState();\n  const cookies: OAuthCookie[] = [];\n  let codeVerifier: string | undefined;\n\n  const scopes = oauthConfig.scopes ?? [];\n\n  let url: URL;\n\n  if (isPKCEProvider(arcticProvider)) {\n    codeVerifier = arctic.generateCodeVerifier();\n    url = arcticProvider.createAuthorizationURL(state, codeVerifier, scopes);\n    cookies.push(createCookie(\"pkce\", providerId, codeVerifier));\n  } else {\n    url = arcticProvider.createAuthorizationURL(state, scopes);\n  }\n\n  cookies.push(createCookie(\"state\", providerId, state));\n\n  if (oauthConfig.nonce === true) {\n    const nonce = arctic.generateState();\n    url.searchParams.set(\"nonce\", nonce);\n    cookies.push(createCookie(\"nonce\", providerId, nonce));\n  }\n\n  logWithLevel(\"DEBUG\", \"OAuth authorization URL created\", {\n    url: url.toString(),\n    providerId,\n    hasPKCE: !!codeVerifier,\n  });\n\n  const signature = getAuthorizationSignature({ codeVerifier, state });\n\n  return {\n    redirect: url.toString(),\n    cookies,\n    signature,\n  };\n}\n\n// ============================================================================\n// OAuth callback handling\n// ============================================================================\n\n/**\n * Handle the OAuth callback: validate state, exchange code for tokens,\n * extract profile.\n *\n * Returns `Fx<CallbackResult, AuthError>` composed via `Fx.gen`.\n */\nexport function handleOAuthCallback(\n  providerId: string,\n  arcticProvider: any,\n  oauthConfig: OAuthProviderConfigLike,\n  params: Record<string, string>,\n  cookies: Record<string, string | undefined>,\n): Fx<CallbackResult, AuthError> {\n  return Fx.gen(function* () {\n    const resCookies: OAuthCookie[] = [];\n\n    // 1. Validate state\n    const stateCookieName = oauthCookieName(\"state\", providerId);\n    const storedState = cookies[stateCookieName];\n    const returnedState = params.state;\n\n    yield* Fx.guard(\n      !storedState || !returnedState || storedState !== returnedState,\n      Fx.fail(new AuthError(\"OAUTH_INVALID_STATE\")),\n    );\n    resCookies.push(clearCookie(\"state\", providerId));\n\n    // Check for error from provider\n    if (params.error) {\n      const cause = {\n        providerId,\n        error: params.error,\n        error_description: params.error_description,\n      };\n      logWithLevel(\"DEBUG\", \"OAuthCallbackError\", cause);\n      yield* Fx.fail(\n        new AuthError(\n          \"OAUTH_PROVIDER_ERROR\",\n          \"OAuth provider returned an error\",\n          {\n            cause: JSON.stringify(cause),\n          },\n        ),\n      );\n    }\n\n    // 2. Get code\n    const code = yield* params.code != null\n      ? Fx.succeed(params.code)\n      : Fx.fail(\n          new AuthError(\n            \"OAUTH_PROVIDER_ERROR\",\n            \"Missing authorization code in callback\",\n          ),\n        );\n\n    // 3. Read PKCE verifier from cookie if applicable\n    let codeVerifier: string | undefined;\n    if (isPKCEProvider(arcticProvider)) {\n      const pkceCookieName = oauthCookieName(\"pkce\", providerId);\n      codeVerifier = yield* cookies[pkceCookieName] != null\n        ? Fx.succeed(cookies[pkceCookieName]!)\n        : Fx.fail(\n            new AuthError(\n              \"OAUTH_MISSING_VERIFIER\",\n              \"Missing PKCE verifier cookie for OAuth callback\",\n            ),\n          );\n      resCookies.push(clearCookie(\"pkce\", providerId));\n    }\n\n    let nonce: string | undefined;\n    if (oauthConfig.nonce === true) {\n      const nonceCookieName = oauthCookieName(\"nonce\", providerId);\n      nonce = yield* cookies[nonceCookieName] != null\n        ? Fx.succeed(cookies[nonceCookieName]!)\n        : Fx.fail(\n            new AuthError(\n              \"OAUTH_PROVIDER_ERROR\",\n              \"Missing nonce cookie for OAuth callback\",\n            ),\n          );\n      resCookies.push(clearCookie(\"nonce\", providerId));\n    }\n\n    // 4. Exchange code for tokens\n    const tokens = yield* exchangeCode(arcticProvider, code, codeVerifier);\n\n    if (oauthConfig.validateTokens !== undefined) {\n      yield* Fx.from({\n        ok: () => oauthConfig.validateTokens!(tokens, { nonce }),\n        err: (e) =>\n          new AuthError(\n            \"OAUTH_PROVIDER_ERROR\",\n            `Token validation failed: ${e instanceof Error ? e.message : String(e)}`,\n          ),\n      });\n    }\n\n    // 5. Extract profile\n    const rawProfile = yield* extractProfile(providerId, oauthConfig, tokens);\n    const profile = yield* validateProfileId(providerId, rawProfile);\n\n    logWithLevel(\"DEBUG\", \"OAuth callback profile extracted\", {\n      providerId,\n      profileId: profile.id,\n    });\n\n    // 6. Compute signature for verifier validation\n    const state = storedState!;\n    const signature = getAuthorizationSignature({ codeVerifier, state });\n\n    return {\n      profile,\n      providerAccountId: profile.id,\n      cookies: resCookies,\n      signature,\n    };\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA4DA,MAAM,aAAa;AAEnB,SAAS,gBAAgB,MAAkC,YAAoB;AAE7E,SADe,CAAC,YAAY,QAAQ,IAAI,gBAAgB,GAAG,YAAY,MACvD,aAAa,UAAU;;AAGzC,SAAS,aACP,MACA,YACA,OACa;CACb,MAAM,0BAAU,IAAI,MAAM;AAC1B,SAAQ,QAAQ,QAAQ,SAAS,GAAG,aAAa,IAAK;AACtD,QAAO;EACL,MAAM,gBAAgB,MAAM,WAAW;EACvC;EACA,SAAS;GAAE,GAAG;GAAuB;GAAS;EAC/C;;AAGH,SAAS,YACP,MACA,YACa;AACb,QAAO;EACL,MAAM,gBAAgB,MAAM,WAAW;EACvC,OAAO;EACP,SAAS;GAAE,GAAG;GAAuB,QAAQ;GAAG;EACjD;;;;;;AAWH,SAAgB,0BAA0B,EACxC,cACA,SAIC;AACD,QAAO,CAAC,cAAc,MAAM,CAAC,QAAQ,UAAU,UAAU,OAAU,CAAC,KAAK,IAAI;;;;;;;AAY/E,SAAS,eAAe,UAAwB;AAC9C,QACE,OAAO,SAAS,2BAA2B,cAC3C,SAAS,uBAAuB,UAAU;;;;;;AAY9C,SAAS,aACP,gBACA,MACA,cACoC;AACpC,QAAO,GAAG,KAAK;EACb,UACE,eAAe,eAAe,GAC1B,eAAe,0BAA0B,MAAM,aAAa,GAC5D,eAAe,0BAA0B,KAAK;EACpD,MAAM,MAAM;AACV,OAAI,aAAa,OAAO,mBACtB,QAAO,IAAI,UACT,wBACA,0BAA0B,EAAE,OAC7B;AAEH,OAAI,aAAa,OAAO,iBACtB,QAAO,IAAI,UACT,wBACA,wCAAwC,EAAE,UAC3C;AAKH,UAAO,IAAI,UACT,wBACA,2CAA2C,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACtF;;EAEJ,CAAC,CAAC,KACD,GAAG,OAAO,WAAW;AAKnB,SAAO,GAAG,QAAQ,OAAO;GACzB,CACH;;;;;;AAOH,SAAS,eACP,YACA,aACA,QAC6B;CAC7B,MAAM,aACJ,cAAc,OAAO,QACrB,OAAQ,OAAO,KAAa,aAAa;CAC3C,MAAM,gBAAgB,YAAY,UAC9B,EAAE,QAAQ,YAAqB,GAC/B,aACE,EAAE,QAAQ,WAAoB,GAC9B,EAAE,QAAQ,WAAoB;AAEpC,QAAO,GAAG,MAAM,eAAe,cAAc,QAAQ;EACnD,WAAW,mBACT,GAAG,KAAK;GACN,UAAU,YAAY,QAAS,OAAO;GACtC,MAAM,MACJ,IAAI,UACF,yBACA,2BAA2B,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACtE;GACJ,CAAC;EACJ,UAAU,mBAAmB;GAC3B,MAAM,SAAS,OAAO,cAAc,OAAO,SAAS,CAAC;AAIrD,UAAO,GAAG,QAAQ;IAChB,IAAK,OAAO,OAAkB,OAAO,YAAY;IACjD,MAAO,OAAO,QAAmB;IACjC,OAAQ,OAAO,SAAoB;IACnC,OAAQ,OAAO,WAAsB;IACtC,CAAC;;EAEJ,UAAU,mBACR,GAAG,KACD,IAAI,UACF,yBACA,aAAa,WAAW,6HAEzB,CACF;EACJ,CAAC;;;;;AAMJ,SAAS,kBACP,YACA,SAC6B;AAC7B,QAAO,OAAO,QAAQ,OAAO,YAAY,QAAQ,KAC7C,GAAG,QAAQ,QAAQ,GACnB,GAAG,KACD,IAAI,UACF,yBACA,6BAA6B,WAAW,qDACzC,CACF;;;;;;;AAYP,eAAsB,4BACpB,YACA,gBACA,aAC8B;CAC9B,MAAM,QAAQ,OAAO,eAAe;CACpC,MAAM,UAAyB,EAAE;CACjC,IAAI;CAEJ,MAAM,SAAS,YAAY,UAAU,EAAE;CAEvC,IAAI;AAEJ,KAAI,eAAe,eAAe,EAAE;AAClC,iBAAe,OAAO,sBAAsB;AAC5C,QAAM,eAAe,uBAAuB,OAAO,cAAc,OAAO;AACxE,UAAQ,KAAK,aAAa,QAAQ,YAAY,aAAa,CAAC;OAE5D,OAAM,eAAe,uBAAuB,OAAO,OAAO;AAG5D,SAAQ,KAAK,aAAa,SAAS,YAAY,MAAM,CAAC;AAEtD,KAAI,YAAY,UAAU,MAAM;EAC9B,MAAM,QAAQ,OAAO,eAAe;AACpC,MAAI,aAAa,IAAI,SAAS,MAAM;AACpC,UAAQ,KAAK,aAAa,SAAS,YAAY,MAAM,CAAC;;AAGxD,cAAa,SAAS,mCAAmC;EACvD,KAAK,IAAI,UAAU;EACnB;EACA,SAAS,CAAC,CAAC;EACZ,CAAC;CAEF,MAAM,YAAY,0BAA0B;EAAE;EAAc;EAAO,CAAC;AAEpE,QAAO;EACL,UAAU,IAAI,UAAU;EACxB;EACA;EACD;;;;;;;;AAaH,SAAgB,oBACd,YACA,gBACA,aACA,QACA,SAC+B;AAC/B,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,aAA4B,EAAE;EAIpC,MAAM,cAAc,QADI,gBAAgB,SAAS,WAAW;EAE5D,MAAM,gBAAgB,OAAO;AAE7B,SAAO,GAAG,MACR,CAAC,eAAe,CAAC,iBAAiB,gBAAgB,eAClD,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC,CAC9C;AACD,aAAW,KAAK,YAAY,SAAS,WAAW,CAAC;AAGjD,MAAI,OAAO,OAAO;GAChB,MAAM,QAAQ;IACZ;IACA,OAAO,OAAO;IACd,mBAAmB,OAAO;IAC3B;AACD,gBAAa,SAAS,sBAAsB,MAAM;AAClD,UAAO,GAAG,KACR,IAAI,UACF,wBACA,oCACA,EACE,OAAO,KAAK,UAAU,MAAM,EAC7B,CACF,CACF;;EAIH,MAAM,OAAO,OAAO,OAAO,QAAQ,OAC/B,GAAG,QAAQ,OAAO,KAAK,GACvB,GAAG,KACD,IAAI,UACF,wBACA,yCACD,CACF;EAGL,IAAI;AACJ,MAAI,eAAe,eAAe,EAAE;GAClC,MAAM,iBAAiB,gBAAgB,QAAQ,WAAW;AAC1D,kBAAe,OAAO,QAAQ,mBAAmB,OAC7C,GAAG,QAAQ,QAAQ,gBAAiB,GACpC,GAAG,KACD,IAAI,UACF,0BACA,kDACD,CACF;AACL,cAAW,KAAK,YAAY,QAAQ,WAAW,CAAC;;EAGlD,IAAI;AACJ,MAAI,YAAY,UAAU,MAAM;GAC9B,MAAM,kBAAkB,gBAAgB,SAAS,WAAW;AAC5D,WAAQ,OAAO,QAAQ,oBAAoB,OACvC,GAAG,QAAQ,QAAQ,iBAAkB,GACrC,GAAG,KACD,IAAI,UACF,wBACA,0CACD,CACF;AACL,cAAW,KAAK,YAAY,SAAS,WAAW,CAAC;;EAInD,MAAM,SAAS,OAAO,aAAa,gBAAgB,MAAM,aAAa;AAEtE,MAAI,YAAY,mBAAmB,OACjC,QAAO,GAAG,KAAK;GACb,UAAU,YAAY,eAAgB,QAAQ,EAAE,OAAO,CAAC;GACxD,MAAM,MACJ,IAAI,UACF,wBACA,4BAA4B,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACvE;GACJ,CAAC;EAKJ,MAAM,UAAU,OAAO,kBAAkB,YADtB,OAAO,eAAe,YAAY,aAAa,OAAO,CACT;AAEhE,eAAa,SAAS,oCAAoC;GACxD;GACA,WAAW,QAAQ;GACpB,CAAC;EAIF,MAAM,YAAY,0BAA0B;GAAE;GAAc,OAD9C;GACqD,CAAC;AAEpE,SAAO;GACL;GACA,mBAAmB,QAAQ;GAC3B,SAAS;GACT;GACD;GACD"}
+{"version":3,"file":"oauth.js","names":[],"sources":["../../src/server/oauth.ts"],"sourcesContent":["/**\n * Arctic-based OAuth flow implementation.\n *\n * Uses Arctic for OAuth provider integration.\n *\n * All functions return `Fx<A, AuthError>` composed via `Fx.gen` pipelines.\n *\n * @internal\n * @module\n */\n\nimport { Fx } from \"@robelest/fx\";\nimport * as arctic from \"arctic\";\n\nimport { SHARED_COOKIE_OPTIONS } from \"./cookies\";\nimport { AuthError } from \"./fx\";\nimport type { OAuthProfile } from \"./types\";\nimport { logWithLevel } from \"./utils\";\nimport { isLocalHost } from \"./utils\";\n\ntype OAuthProviderConfigLike = {\n  scopes?: string[];\n  profile?: (tokens: arctic.OAuth2Tokens) => Promise<OAuthProfile>;\n  nonce?: boolean;\n  validateTokens?: (\n    tokens: arctic.OAuth2Tokens,\n    ctx: { nonce?: string },\n  ) => Promise<void>;\n};\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/** A cookie to be set on the HTTP response. */\n/** @internal */\nexport interface OAuthCookie {\n  name: string;\n  value: string;\n  options: Record<string, unknown>;\n}\n\n/** Result of creating an authorization URL. */\n/** @internal */\nexport interface AuthorizationResult {\n  redirect: string;\n  cookies: OAuthCookie[];\n  signature: string;\n}\n\n/** Result of handling an OAuth callback. */\n/** @internal */\nexport interface CallbackResult {\n  profile: OAuthProfile;\n  providerAccountId: string;\n  cookies: OAuthCookie[];\n  signature: string;\n}\n\n// ============================================================================\n// Cookie helpers\n// ============================================================================\n\nconst COOKIE_TTL = 60 * 15; // 15 minutes\n\nfunction oauthCookieName(type: \"state\" | \"pkce\" | \"nonce\", providerId: string) {\n  const prefix = !isLocalHost(process.env.CONVEX_SITE_URL) ? \"__Host-\" : \"\";\n  return prefix + providerId + \"OAuth\" + type;\n}\n\nfunction createCookie(\n  type: \"state\" | \"pkce\" | \"nonce\",\n  providerId: string,\n  value: string,\n): OAuthCookie {\n  const expires = new Date();\n  expires.setTime(expires.getTime() + COOKIE_TTL * 1000);\n  return {\n    name: oauthCookieName(type, providerId),\n    value,\n    options: { ...SHARED_COOKIE_OPTIONS, expires },\n  };\n}\n\nfunction clearCookie(\n  type: \"state\" | \"pkce\" | \"nonce\",\n  providerId: string,\n): OAuthCookie {\n  return {\n    name: oauthCookieName(type, providerId),\n    value: \"\",\n    options: { ...SHARED_COOKIE_OPTIONS, maxAge: 0 },\n  };\n}\n\n// ============================================================================\n// Signature (ConvexAuth-specific verifier mechanism)\n// ============================================================================\n\n/**\n * Creates a signature string from the OAuth state parameters.\n * This is stored in the verifier table and validated during callback.\n */\n/** @internal */\nexport function getAuthorizationSignature({\n  codeVerifier,\n  state,\n}: {\n  codeVerifier?: string;\n  state?: string;\n}) {\n  return [codeVerifier, state].filter((param) => param !== undefined).join(\" \");\n}\n\n// ============================================================================\n// PKCE Detection\n// ============================================================================\n\n/**\n * Detect whether an Arctic provider uses PKCE by checking the arity\n * of `createAuthorizationURL`. PKCE providers take 3 args\n * (state, codeVerifier, scopes), non-PKCE take 2 (state, scopes).\n */\nfunction isPKCEProvider(provider: any): boolean {\n  return (\n    typeof provider.createAuthorizationURL === \"function\" &&\n    provider.createAuthorizationURL.length >= 3\n  );\n}\n\n// ============================================================================\n// Token exchange — wraps Arctic's validateAuthorizationCode\n// ============================================================================\n\n/**\n * Exchange the authorization code for tokens via Arctic.\n * Maps Arctic-specific errors to typed `AuthError` failures.\n */\nfunction exchangeCode(\n  arcticProvider: any,\n  code: string,\n  codeVerifier: string | undefined,\n): Fx<arctic.OAuth2Tokens, AuthError> {\n  return Fx.from({\n    ok: () =>\n      isPKCEProvider(arcticProvider)\n        ? arcticProvider.validateAuthorizationCode(code, codeVerifier)\n        : arcticProvider.validateAuthorizationCode(code),\n    err: (e) => {\n      if (e instanceof arctic.OAuth2RequestError) {\n        return new AuthError(\n          \"OAUTH_PROVIDER_ERROR\",\n          `Token exchange failed: ${e.code}`,\n        );\n      }\n      if (e instanceof arctic.ArcticFetchError) {\n        return new AuthError(\n          \"OAUTH_PROVIDER_ERROR\",\n          `Network error during token exchange: ${e.message}`,\n        );\n      }\n      // Unknown error — treat as unrecoverable defect; we surface it as\n      // an AuthError here so the pipeline type stays Fx<_, AuthError>.\n      // The original `throw e` re-throw is replicated via Fx.fatal below.\n      return new AuthError(\n        \"OAUTH_PROVIDER_ERROR\",\n        `Unexpected error during token exchange: ${e instanceof Error ? e.message : String(e)}`,\n      );\n    },\n  }).pipe(\n    Fx.chain((tokens) => {\n      // If the original error was neither OAuth2RequestError nor\n      // ArcticFetchError the old code re-threw it raw. We replicate that\n      // by checking whether we created an \"Unexpected\" marker message\n      // — but since `Fx.from` already mapped it, we just pass through.\n      return Fx.succeed(tokens);\n    }),\n  );\n}\n\n/**\n * Extract the user profile from tokens using the config callback,\n * OIDC auto-decode, or fail if neither is available.\n */\nfunction extractProfile(\n  providerId: string,\n  oauthConfig: OAuthProviderConfigLike,\n  tokens: arctic.OAuth2Tokens,\n): Fx<OAuthProfile, AuthError> {\n  const hasIdToken =\n    \"id_token\" in tokens.data &&\n    typeof (tokens.data as any).id_token === \"string\";\n  const profileSource = oauthConfig.profile\n    ? { source: \"callback\" as const }\n    : hasIdToken\n      ? { source: \"idToken\" as const }\n      : { source: \"missing\" as const };\n\n  return Fx.match(profileSource, profileSource.source, {\n    callback: (_profileSource) =>\n      Fx.from({\n        ok: () => oauthConfig.profile!(tokens),\n        err: (e) =>\n          new AuthError(\n            \"OAUTH_INVALID_PROFILE\",\n            `Profile callback threw: ${e instanceof Error ? e.message : String(e)}`,\n          ),\n      }),\n    idToken: (_profileSource) => {\n      const claims = arctic.decodeIdToken(tokens.idToken()) as Record<\n        string,\n        unknown\n      >;\n      return Fx.succeed({\n        id: (claims.sub as string) ?? crypto.randomUUID(),\n        name: (claims.name as string) ?? undefined,\n        email: (claims.email as string) ?? undefined,\n        image: (claims.picture as string) ?? undefined,\n      });\n    },\n    missing: (_profileSource) =>\n      Fx.fail(\n        new AuthError(\n          \"OAUTH_INVALID_PROFILE\",\n          `Provider \"${providerId}\" does not return an ID token. ` +\n            `Add a \\`profile\\` callback in the OAuth() config to extract user info from the access token.`,\n        ),\n      ),\n  });\n}\n\n/**\n * Validate that the profile has a non-empty string `id`.\n */\nfunction validateProfileId(\n  providerId: string,\n  profile: OAuthProfile,\n): Fx<OAuthProfile, AuthError> {\n  return typeof profile.id === \"string\" && profile.id\n    ? Fx.succeed(profile)\n    : Fx.fail(\n        new AuthError(\n          \"OAUTH_INVALID_PROFILE\",\n          `The profile callback for \"${providerId}\" must return an object with a string \\`id\\` field.`,\n        ),\n      );\n}\n\n// ============================================================================\n// Authorization URL creation\n// ============================================================================\n\n/**\n * Create an OAuth authorization URL using an Arctic provider.\n *\n * Handles PKCE detection, state generation, and cookie creation.\n */\n/** @internal */\nexport async function createOAuthAuthorizationURL(\n  providerId: string,\n  arcticProvider: any,\n  oauthConfig: OAuthProviderConfigLike,\n): Promise<AuthorizationResult> {\n  const state = arctic.generateState();\n  const cookies: OAuthCookie[] = [];\n  let codeVerifier: string | undefined;\n\n  const scopes = oauthConfig.scopes ?? [];\n\n  let url: URL;\n\n  if (isPKCEProvider(arcticProvider)) {\n    codeVerifier = arctic.generateCodeVerifier();\n    url = arcticProvider.createAuthorizationURL(state, codeVerifier, scopes);\n    cookies.push(createCookie(\"pkce\", providerId, codeVerifier));\n  } else {\n    url = arcticProvider.createAuthorizationURL(state, scopes);\n  }\n\n  cookies.push(createCookie(\"state\", providerId, state));\n\n  if (oauthConfig.nonce === true) {\n    const nonce = arctic.generateState();\n    url.searchParams.set(\"nonce\", nonce);\n    cookies.push(createCookie(\"nonce\", providerId, nonce));\n  }\n\n  logWithLevel(\"DEBUG\", \"OAuth authorization URL created\", {\n    url: url.toString(),\n    providerId,\n    hasPKCE: !!codeVerifier,\n  });\n\n  const signature = getAuthorizationSignature({ codeVerifier, state });\n\n  return {\n    redirect: url.toString(),\n    cookies,\n    signature,\n  };\n}\n\n// ============================================================================\n// OAuth callback handling\n// ============================================================================\n\n/**\n * Handle the OAuth callback: validate state, exchange code for tokens,\n * extract profile.\n *\n * Returns `Fx<CallbackResult, AuthError>` composed via `Fx.gen`.\n */\n/** @internal */\nexport function handleOAuthCallback(\n  providerId: string,\n  arcticProvider: any,\n  oauthConfig: OAuthProviderConfigLike,\n  params: Record<string, string>,\n  cookies: Record<string, string | undefined>,\n): Fx<CallbackResult, AuthError> {\n  return Fx.gen(function* () {\n    const resCookies: OAuthCookie[] = [];\n\n    // 1. Validate state\n    const stateCookieName = oauthCookieName(\"state\", providerId);\n    const storedState = cookies[stateCookieName];\n    const returnedState = params.state;\n\n    yield* Fx.guard(\n      !storedState || !returnedState || storedState !== returnedState,\n      Fx.fail(new AuthError(\"OAUTH_INVALID_STATE\")),\n    );\n    resCookies.push(clearCookie(\"state\", providerId));\n\n    // Check for error from provider\n    if (params.error) {\n      const cause = {\n        providerId,\n        error: params.error,\n        error_description: params.error_description,\n      };\n      logWithLevel(\"DEBUG\", \"OAuthCallbackError\", cause);\n      yield* Fx.fail(\n        new AuthError(\n          \"OAUTH_PROVIDER_ERROR\",\n          \"OAuth provider returned an error\",\n          {\n            cause: JSON.stringify(cause),\n          },\n        ),\n      );\n    }\n\n    // 2. Get code\n    const code = yield* params.code != null\n      ? Fx.succeed(params.code)\n      : Fx.fail(\n          new AuthError(\n            \"OAUTH_PROVIDER_ERROR\",\n            \"Missing authorization code in callback\",\n          ),\n        );\n\n    // 3. Read PKCE verifier from cookie if applicable\n    let codeVerifier: string | undefined;\n    if (isPKCEProvider(arcticProvider)) {\n      const pkceCookieName = oauthCookieName(\"pkce\", providerId);\n      codeVerifier = yield* cookies[pkceCookieName] != null\n        ? Fx.succeed(cookies[pkceCookieName]!)\n        : Fx.fail(\n            new AuthError(\n              \"OAUTH_MISSING_VERIFIER\",\n              \"Missing PKCE verifier cookie for OAuth callback\",\n            ),\n          );\n      resCookies.push(clearCookie(\"pkce\", providerId));\n    }\n\n    let nonce: string | undefined;\n    if (oauthConfig.nonce === true) {\n      const nonceCookieName = oauthCookieName(\"nonce\", providerId);\n      nonce = yield* cookies[nonceCookieName] != null\n        ? Fx.succeed(cookies[nonceCookieName]!)\n        : Fx.fail(\n            new AuthError(\n              \"OAUTH_PROVIDER_ERROR\",\n              \"Missing nonce cookie for OAuth callback\",\n            ),\n          );\n      resCookies.push(clearCookie(\"nonce\", providerId));\n    }\n\n    // 4. Exchange code for tokens\n    const tokens = yield* exchangeCode(arcticProvider, code, codeVerifier);\n\n    if (oauthConfig.validateTokens !== undefined) {\n      yield* Fx.from({\n        ok: () => oauthConfig.validateTokens!(tokens, { nonce }),\n        err: (e) =>\n          new AuthError(\n            \"OAUTH_PROVIDER_ERROR\",\n            `Token validation failed: ${e instanceof Error ? e.message : String(e)}`,\n          ),\n      });\n    }\n\n    // 5. Extract profile\n    const rawProfile = yield* extractProfile(providerId, oauthConfig, tokens);\n    const profile = yield* validateProfileId(providerId, rawProfile);\n\n    logWithLevel(\"DEBUG\", \"OAuth callback profile extracted\", {\n      providerId,\n      profileId: profile.id,\n    });\n\n    // 6. Compute signature for verifier validation\n    const state = storedState!;\n    const signature = getAuthorizationSignature({ codeVerifier, state });\n\n    return {\n      profile,\n      providerAccountId: profile.id,\n      cookies: resCookies,\n      signature,\n    };\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA+DA,MAAM,aAAa;AAEnB,SAAS,gBAAgB,MAAkC,YAAoB;AAE7E,SADe,CAAC,YAAY,QAAQ,IAAI,gBAAgB,GAAG,YAAY,MACvD,aAAa,UAAU;;AAGzC,SAAS,aACP,MACA,YACA,OACa;CACb,MAAM,0BAAU,IAAI,MAAM;AAC1B,SAAQ,QAAQ,QAAQ,SAAS,GAAG,aAAa,IAAK;AACtD,QAAO;EACL,MAAM,gBAAgB,MAAM,WAAW;EACvC;EACA,SAAS;GAAE,GAAG;GAAuB;GAAS;EAC/C;;AAGH,SAAS,YACP,MACA,YACa;AACb,QAAO;EACL,MAAM,gBAAgB,MAAM,WAAW;EACvC,OAAO;EACP,SAAS;GAAE,GAAG;GAAuB,QAAQ;GAAG;EACjD;;;;;;;AAYH,SAAgB,0BAA0B,EACxC,cACA,SAIC;AACD,QAAO,CAAC,cAAc,MAAM,CAAC,QAAQ,UAAU,UAAU,OAAU,CAAC,KAAK,IAAI;;;;;;;AAY/E,SAAS,eAAe,UAAwB;AAC9C,QACE,OAAO,SAAS,2BAA2B,cAC3C,SAAS,uBAAuB,UAAU;;;;;;AAY9C,SAAS,aACP,gBACA,MACA,cACoC;AACpC,QAAO,GAAG,KAAK;EACb,UACE,eAAe,eAAe,GAC1B,eAAe,0BAA0B,MAAM,aAAa,GAC5D,eAAe,0BAA0B,KAAK;EACpD,MAAM,MAAM;AACV,OAAI,aAAa,OAAO,mBACtB,QAAO,IAAI,UACT,wBACA,0BAA0B,EAAE,OAC7B;AAEH,OAAI,aAAa,OAAO,iBACtB,QAAO,IAAI,UACT,wBACA,wCAAwC,EAAE,UAC3C;AAKH,UAAO,IAAI,UACT,wBACA,2CAA2C,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACtF;;EAEJ,CAAC,CAAC,KACD,GAAG,OAAO,WAAW;AAKnB,SAAO,GAAG,QAAQ,OAAO;GACzB,CACH;;;;;;AAOH,SAAS,eACP,YACA,aACA,QAC6B;CAC7B,MAAM,aACJ,cAAc,OAAO,QACrB,OAAQ,OAAO,KAAa,aAAa;CAC3C,MAAM,gBAAgB,YAAY,UAC9B,EAAE,QAAQ,YAAqB,GAC/B,aACE,EAAE,QAAQ,WAAoB,GAC9B,EAAE,QAAQ,WAAoB;AAEpC,QAAO,GAAG,MAAM,eAAe,cAAc,QAAQ;EACnD,WAAW,mBACT,GAAG,KAAK;GACN,UAAU,YAAY,QAAS,OAAO;GACtC,MAAM,MACJ,IAAI,UACF,yBACA,2BAA2B,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACtE;GACJ,CAAC;EACJ,UAAU,mBAAmB;GAC3B,MAAM,SAAS,OAAO,cAAc,OAAO,SAAS,CAAC;AAIrD,UAAO,GAAG,QAAQ;IAChB,IAAK,OAAO,OAAkB,OAAO,YAAY;IACjD,MAAO,OAAO,QAAmB;IACjC,OAAQ,OAAO,SAAoB;IACnC,OAAQ,OAAO,WAAsB;IACtC,CAAC;;EAEJ,UAAU,mBACR,GAAG,KACD,IAAI,UACF,yBACA,aAAa,WAAW,6HAEzB,CACF;EACJ,CAAC;;;;;AAMJ,SAAS,kBACP,YACA,SAC6B;AAC7B,QAAO,OAAO,QAAQ,OAAO,YAAY,QAAQ,KAC7C,GAAG,QAAQ,QAAQ,GACnB,GAAG,KACD,IAAI,UACF,yBACA,6BAA6B,WAAW,qDACzC,CACF;;;;;;;;AAaP,eAAsB,4BACpB,YACA,gBACA,aAC8B;CAC9B,MAAM,QAAQ,OAAO,eAAe;CACpC,MAAM,UAAyB,EAAE;CACjC,IAAI;CAEJ,MAAM,SAAS,YAAY,UAAU,EAAE;CAEvC,IAAI;AAEJ,KAAI,eAAe,eAAe,EAAE;AAClC,iBAAe,OAAO,sBAAsB;AAC5C,QAAM,eAAe,uBAAuB,OAAO,cAAc,OAAO;AACxE,UAAQ,KAAK,aAAa,QAAQ,YAAY,aAAa,CAAC;OAE5D,OAAM,eAAe,uBAAuB,OAAO,OAAO;AAG5D,SAAQ,KAAK,aAAa,SAAS,YAAY,MAAM,CAAC;AAEtD,KAAI,YAAY,UAAU,MAAM;EAC9B,MAAM,QAAQ,OAAO,eAAe;AACpC,MAAI,aAAa,IAAI,SAAS,MAAM;AACpC,UAAQ,KAAK,aAAa,SAAS,YAAY,MAAM,CAAC;;AAGxD,cAAa,SAAS,mCAAmC;EACvD,KAAK,IAAI,UAAU;EACnB;EACA,SAAS,CAAC,CAAC;EACZ,CAAC;CAEF,MAAM,YAAY,0BAA0B;EAAE;EAAc;EAAO,CAAC;AAEpE,QAAO;EACL,UAAU,IAAI,UAAU;EACxB;EACA;EACD;;;;;;;;;AAcH,SAAgB,oBACd,YACA,gBACA,aACA,QACA,SAC+B;AAC/B,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,aAA4B,EAAE;EAIpC,MAAM,cAAc,QADI,gBAAgB,SAAS,WAAW;EAE5D,MAAM,gBAAgB,OAAO;AAE7B,SAAO,GAAG,MACR,CAAC,eAAe,CAAC,iBAAiB,gBAAgB,eAClD,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC,CAC9C;AACD,aAAW,KAAK,YAAY,SAAS,WAAW,CAAC;AAGjD,MAAI,OAAO,OAAO;GAChB,MAAM,QAAQ;IACZ;IACA,OAAO,OAAO;IACd,mBAAmB,OAAO;IAC3B;AACD,gBAAa,SAAS,sBAAsB,MAAM;AAClD,UAAO,GAAG,KACR,IAAI,UACF,wBACA,oCACA,EACE,OAAO,KAAK,UAAU,MAAM,EAC7B,CACF,CACF;;EAIH,MAAM,OAAO,OAAO,OAAO,QAAQ,OAC/B,GAAG,QAAQ,OAAO,KAAK,GACvB,GAAG,KACD,IAAI,UACF,wBACA,yCACD,CACF;EAGL,IAAI;AACJ,MAAI,eAAe,eAAe,EAAE;GAClC,MAAM,iBAAiB,gBAAgB,QAAQ,WAAW;AAC1D,kBAAe,OAAO,QAAQ,mBAAmB,OAC7C,GAAG,QAAQ,QAAQ,gBAAiB,GACpC,GAAG,KACD,IAAI,UACF,0BACA,kDACD,CACF;AACL,cAAW,KAAK,YAAY,QAAQ,WAAW,CAAC;;EAGlD,IAAI;AACJ,MAAI,YAAY,UAAU,MAAM;GAC9B,MAAM,kBAAkB,gBAAgB,SAAS,WAAW;AAC5D,WAAQ,OAAO,QAAQ,oBAAoB,OACvC,GAAG,QAAQ,QAAQ,iBAAkB,GACrC,GAAG,KACD,IAAI,UACF,wBACA,0CACD,CACF;AACL,cAAW,KAAK,YAAY,SAAS,WAAW,CAAC;;EAInD,MAAM,SAAS,OAAO,aAAa,gBAAgB,MAAM,aAAa;AAEtE,MAAI,YAAY,mBAAmB,OACjC,QAAO,GAAG,KAAK;GACb,UAAU,YAAY,eAAgB,QAAQ,EAAE,OAAO,CAAC;GACxD,MAAM,MACJ,IAAI,UACF,wBACA,4BAA4B,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACvE;GACJ,CAAC;EAKJ,MAAM,UAAU,OAAO,kBAAkB,YADtB,OAAO,eAAe,YAAY,aAAa,OAAO,CACT;AAEhE,eAAa,SAAS,oCAAoC;GACxD;GACA,WAAW,QAAQ;GACpB,CAAC;EAIF,MAAM,YAAY,0BAA0B;GAAE;GAAc,OAD9C;GACqD,CAAC;AAEpE,SAAO;GACL;GACA,mBAAmB,QAAQ;GAC3B,SAAS;GACT;GACD;GACD"}

package/dist/server/passkey.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"passkey.d.ts","names":[],"sources":["../../src/server/passkey.ts"],"mappings":";;;;;KAgEK,iBAAA,GAAoB,8BAAA,CAA+B,aAAA;;KAoKnD,aAAA;EACC,IAAA;EAAkB,QAAA,EAAU,WAAA;AAAA;EAC5B,IAAA;EAAwB,OAAA,EAAS,MAAA;EAAqB,QAAA;AAAA;;;;;;iBAgD5C,eAAA,CACd,GAAA,EAAK,iBAAA,EACL,QAAA,EAAU,qBAAA,EACV,IAAA;EACE,MAAA,GAAS,MAAA;EACT,QAAA;AAAA,IAED,EAAA,CAAO,aAAA,EAAe,SAAA"}
+{"version":3,"file":"passkey.d.ts","names":[],"sources":["../../src/server/passkey.ts"],"mappings":";;;;;KAiEK,iBAAA,GAAoB,8BAAA,CAA+B,aAAA;;KAoKnD,aAAA;EACC,IAAA;EAAkB,QAAA,EAAU,WAAA;AAAA;EAC5B,IAAA;EAAwB,OAAA,EAAS,MAAA;EAAqB,QAAA;AAAA;;;;;;iBAgD5C,eAAA,CACd,GAAA,EAAK,iBAAA,EACL,QAAA,EAAU,qBAAA,EACV,IAAA;EACE,MAAA,GAAS,MAAA;EACT,QAAA;AAAA,IAED,EAAA,CAAO,aAAA,EAAe,SAAA"}

package/dist/server/passkey.js

@@ -1,4 +1,5 @@
 import { AuthError, Fx } from "./fx.js";
+import { userIdFromIdentitySubject } from "./identity.js";
 import { authDb } from "./db.js";
 import { callVerifierSignature } from "./mutations/signature.js";
 import { callSignIn } from "./mutations/signin.js";
@@ -107,7 +108,7 @@ function handlePasskeyFx(ctx, provider, args) {
 			registerOptions: (_) => Fx.zip(Fx.from({
 				ok: () => ctx.auth.getUserIdentity(),
 				err: () => new AuthError("PASSKEY_AUTH_REQUIRED")
-			}).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(id.subject.split("|")[0]))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => {
+			}).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(userIdFromIdentitySubject(id.subject)))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => {
 				const challenge = new Uint8Array(32);
 				crypto.getRandomValues(challenge);
 				const challengeHash = encodeBase64urlNoPadding(new Uint8Array(sha256(challenge)));
@@ -162,7 +163,7 @@ function handlePasskeyFx(ctx, provider, args) {
 			registerVerify: (_) => Fx.zip(Fx.from({
 				ok: () => ctx.auth.getUserIdentity(),
 				err: () => new AuthError("PASSKEY_AUTH_REQUIRED")
-			}).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(id.subject.split("|")[0]))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => requirePasskeyVerifierFx(args.verifier).pipe(Fx.chain((verifier) => {
+			}).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(userIdFromIdentitySubject(id.subject)))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => requirePasskeyVerifierFx(args.verifier).pipe(Fx.chain((verifier) => {
 				const clientData = parseClientDataJSON(decodeBase64urlIgnorePadding(params.clientDataJSON));
 				return Fx.succeed(clientData).pipe(Fx.chain(verifyClientDataType(ClientDataType.Create, "webauthn.create")), Fx.chain(verifyOrigin(rp)), Fx.chain(verifyAndConsumeChallenge(ctx, verifier)), Fx.map(() => {
 					return parseAttestationObject(decodeBase64urlIgnorePadding(params.attestationObject)).authenticatorData;