npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.15 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (323) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1513 -3
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +327 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +49 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +450 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +118 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +599 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +368 -258
package/dist/component/schema.js +23 -27
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +42 -7
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +70 -6
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +466 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +689 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1128 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +3 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +50 -35
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +44 -9
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +70 -6
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +320 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +466 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +340 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +689 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +56 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1128 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +432 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +486 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +1 -1
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signature.d.ts.map +1 -1
package/dist/server/mutations/signin.d.ts +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +4 -4
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +3 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +55 -71
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +1920 -3
package/src/component/index.ts +2 -0
package/src/component/model.ts +424 -0
package/src/component/public/enterprise.ts +654 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +951 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +117 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +47 -57
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +192 -9
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +916 -0
package/src/server/domains/sso.ts +1462 -0
package/src/server/enterpriseValidators.ts +88 -0
package/src/server/factory.ts +2168 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +712 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +3 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +251 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +85 -77
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/src/component/schema.ts CHANGED Viewed

@@ -1,6 +1,24 @@
 import { defineSchema, defineTable } from "convex/server";
 import { v } from "convex/values";
+import {
+  vApiKeyRateLimit,
+  vApiKeyRateLimitState,
+  vApiKeyScope,
+  vAuditActorType,
+  vAuditStatus,
+  vDeviceStatus,
+  vEnterprisePolicy,
+  vEnterpriseSecretKind,
+  vEnterpriseStatus,
+  vInviteStatus,
+  vScimResourceType,
+  vScimStatus,
+  vTag,
+  vWebhookDeliveryStatus,
+  vWebhookEndpointStatus,
+} from "./model";
 /**
  * Schema for the auth component.
  *
@@ -166,11 +184,7 @@ export default defineSchema({
     /** Minimum polling interval in seconds. */
     interval: v.number(),
     /** Current status of this device authorization session. */
-    status: v.union(
-      v.literal("pending"),
-      v.literal("authorized"),
-      v.literal("denied"),
-    ),
+    status: vDeviceStatus,
     /** Set when the user authorizes — links to the authorizing user. */
     userId: v.optional(v.id("User")),
     /** Set when the user authorizes — the session created for the device. */
@@ -201,7 +215,7 @@ export default defineSchema({
     type: v.optional(v.string()),
     parentGroupId: v.optional(v.id("Group")),
     /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */
-    tags: v.optional(v.array(v.object({ key: v.string(), value: v.string() }))),
+    tags: v.optional(v.array(vTag)),
     extend: v.optional(v.any()),
   })
     .index("slug", ["slug"])
@@ -253,12 +267,7 @@ export default defineSchema({
     email: v.optional(v.string()),
     tokenHash: v.string(),
     role: v.optional(v.string()),
-    status: v.union(
-      v.literal("pending"),
-      v.literal("accepted"),
-      v.literal("revoked"),
-      v.literal("expired"),
-    ),
+    status: vInviteStatus,
     expiresTime: v.optional(v.number()),
     acceptedByUserId: v.optional(v.id("User")),
     acceptedTime: v.optional(v.number()),
@@ -287,11 +296,8 @@ export default defineSchema({
     groupId: v.id("Group"),
     slug: v.optional(v.string()),
     name: v.optional(v.string()),
-    status: v.union(
-      v.literal("draft"),
-      v.literal("active"),
-      v.literal("disabled"),
-    ),
+    status: vEnterpriseStatus,
+    policy: v.optional(vEnterprisePolicy),
     config: v.optional(v.any()),
     extend: v.optional(v.any()),
   })
@@ -313,21 +319,30 @@ export default defineSchema({
     .index("group_id", ["groupId"])
     .index("domain", ["domain"]),
+  /**
+   * Encrypted enterprise secrets stored separately from protocol config.
+   */
+  EnterpriseSecret: defineTable({
+    enterpriseId: v.id("Enterprise"),
+    groupId: v.id("Group"),
+    kind: vEnterpriseSecretKind,
+    ciphertext: v.string(),
+    updatedAt: v.number(),
+  })
+    .index("enterprise_id", ["enterpriseId"])
+    .index("enterprise_id_kind", ["enterpriseId", "kind"])
+    .index("group_id", ["groupId"]),
   /**
    * SCIM configuration for an enterprise tenant.
    */
   EnterpriseScimConfig: defineTable({
     enterpriseId: v.id("Enterprise"),
     groupId: v.id("Group"),
-    status: v.union(
-      v.literal("draft"),
-      v.literal("active"),
-      v.literal("disabled"),
-    ),
+    status: vScimStatus,
     basePath: v.string(),
     tokenHash: v.string(),
     lastRotatedAt: v.optional(v.number()),
-    deprovisionMode: v.optional(v.union(v.literal("soft"), v.literal("hard"))),
     extend: v.optional(v.any()),
   })
     .index("enterprise_id", ["enterpriseId"])
@@ -341,7 +356,7 @@ export default defineSchema({
   EnterpriseScimIdentity: defineTable({
     enterpriseId: v.id("Enterprise"),
     groupId: v.id("Group"),
-    resourceType: v.union(v.literal("user"), v.literal("group")),
+    resourceType: vScimResourceType,
     externalId: v.string(),
     userId: v.optional(v.id("User")),
     mappedGroupId: v.optional(v.id("Group")),
@@ -356,6 +371,7 @@ export default defineSchema({
       "resourceType",
       "externalId",
     ])
+    .index("enterprise_id_user_id", ["enterpriseId", "userId"])
     .index("user_id", ["userId"])
     .index("mapped_group_id", ["mappedGroupId"]),
@@ -366,17 +382,11 @@ export default defineSchema({
     enterpriseId: v.id("Enterprise"),
     groupId: v.id("Group"),
     eventType: v.string(),
-    actorType: v.union(
-      v.literal("user"),
-      v.literal("system"),
-      v.literal("scim"),
-      v.literal("api_key"),
-      v.literal("webhook"),
-    ),
+    actorType: vAuditActorType,
     actorId: v.optional(v.string()),
     subjectType: v.string(),
     subjectId: v.optional(v.string()),
-    status: v.union(v.literal("success"), v.literal("failure")),
+    status: vAuditStatus,
     occurredAt: v.number(),
     requestId: v.optional(v.string()),
     ip: v.optional(v.string()),
@@ -393,7 +403,7 @@ export default defineSchema({
     enterpriseId: v.id("Enterprise"),
     groupId: v.id("Group"),
     url: v.string(),
-    status: v.union(v.literal("active"), v.literal("disabled")),
+    status: vWebhookEndpointStatus,
     secretHash: v.string(),
     subscriptions: v.array(v.string()),
     createdByUserId: v.optional(v.id("User")),
@@ -414,12 +424,7 @@ export default defineSchema({
     endpointId: v.id("EnterpriseWebhookEndpoint"),
     auditEventId: v.optional(v.id("EnterpriseAuditEvent")),
     eventType: v.string(),
-    status: v.union(
-      v.literal("pending"),
-      v.literal("processing"),
-      v.literal("delivered"),
-      v.literal("failed"),
-    ),
+    status: vWebhookDeliveryStatus,
     attemptCount: v.number(),
     nextAttemptAt: v.number(),
     lastAttemptAt: v.optional(v.number()),
@@ -454,26 +459,11 @@ export default defineSchema({
     /** User-assigned name (e.g. "CI Pipeline", "Production API"). */
     name: v.string(),
     /** Scoped permissions: [{ resource: "users", actions: ["read", "list"] }]. */
-    scopes: v.array(
-      v.object({
-        resource: v.string(),
-        actions: v.array(v.string()),
-      }),
-    ),
+    scopes: v.array(vApiKeyScope),
     /** Optional per-key rate limit configuration. */
-    rateLimit: v.optional(
-      v.object({
-        maxRequests: v.number(),
-        windowMs: v.number(),
-      }),
-    ),
+    rateLimit: v.optional(vApiKeyRateLimit),
     /** Rate limit state tracking (token-bucket). */
-    rateLimitState: v.optional(
-      v.object({
-        attemptsLeft: v.number(),
-        lastAttemptTime: v.number(),
-      }),
-    ),
+    rateLimitState: v.optional(vApiKeyRateLimitState),
     /** Expiration timestamp. Null/undefined = never expires. */
     expiresAt: v.optional(v.number()),
     lastUsedAt: v.optional(v.number()),

package/src/providers/sso.ts CHANGED Viewed

@@ -14,7 +14,7 @@
  * });
  *
  * // auth.sso is now available
- * await auth.sso.oidc.configure(ctx, { enterpriseId, clientId, ... });
+ * await auth.sso.admin.oidc.configure(ctx, { enterpriseId, clientId, ... });
  * ```
  *
  * Without `new SSO()` in the providers list, `auth.sso` is not

package/src/server/auth.ts CHANGED Viewed

@@ -8,9 +8,9 @@ import type { UserIdentity } from "convex/server";
 import type { GenericId } from "convex/values";
 import type { AuthApiRefs } from "../client/index";
+import { Auth as AuthFactory } from "./factory";
 import { Fx } from "./fx";
 import { AuthError } from "./fx";
-import { Auth as AuthFactory } from "./implementation";
 import type { Doc } from "./types";
 import type {
   AuthProviderConfig,
@@ -47,14 +47,58 @@ export type AuthApiBase = {
   http: ReturnType<typeof AuthFactory>["auth"]["http"];
 };
-/** Auth API with SSO namespace — present only when `new SSO()` is in providers. */
+type InternalSsoApi = ReturnType<typeof AuthFactory>["auth"]["sso"];
+type PublicSsoAdminApi = {
+  connection: InternalSsoApi["connection"] & {
+    domain: {
+      list: InternalSsoApi["domain"]["list"];
+      validate: InternalSsoApi["domain"]["validate"];
+      set: (
+        ctx: Parameters<InternalSsoApi["connection"]["create"]>[0],
+        enterpriseId: string,
+        domains: Array<{
+          domain: string;
+          isPrimary?: boolean;
+          verifiedAt?: number;
+        }>,
+      ) => Promise<void>;
+    };
+  };
+  oidc: Omit<InternalSsoApi["oidc"], "signIn">;
+  saml: Omit<InternalSsoApi["saml"], "metadata">;
+  policy: InternalSsoApi["policy"];
+  audit: {
+    list: InternalSsoApi["audit"]["list"];
+  };
+  webhook: {
+    endpoint: InternalSsoApi["webhook"]["endpoint"];
+  };
+};
+type PublicSsoClientApi = {
+  signIn: InternalSsoApi["oidc"]["signIn"];
+  metadata: InternalSsoApi["saml"]["metadata"];
+};
+type PublicSsoApi = {
+  admin: PublicSsoAdminApi;
+  client: PublicSsoClientApi;
+};
+type PublicScimApi = {
+  admin: Omit<InternalSsoApi["scim"], "getConfigByToken" | "identity">;
+};
+/** Auth API with enterprise namespaces — present only when `new SSO()` is in providers. */
 export type AuthApi = AuthApiBase & {
-  sso: ReturnType<typeof AuthFactory>["auth"]["sso"];
+  sso: PublicSsoApi;
+  scim: PublicScimApi;
 };
 /**
  * The return type of `createAuth`. Conditional namespaces:
- * - `auth.sso` — only when `new SSO()` is in providers
+ * - `auth.sso` and `auth.scim` — only when `new SSO()` is in providers
  * - `auth.clientApi` — typed API refs for the client SDK with capabilities
  */
 export type ConvexAuthResult<P extends AuthProviderConfig[]> =
@@ -72,7 +116,7 @@ export type ConvexAuthResult<P extends AuthProviderConfig[]> =
  * // Frontend
  * import type { auth } from "../convex/auth";
  * import type { InferClientApi } from "@robelest/convex-auth/component";
- * const c = client<InferClientApi<typeof auth>>({ convex, api: { ... } });
+ * const c = client<InferClientApi<typeof auth>>({ convex, api: api.auth });
  * ```
  */
 export type InferClientApi<T> =
@@ -94,9 +138,9 @@ export type AuthLike = Pick<AuthApiBase, "user">;
 /**
  * Create an auth API object.
  *
- * When `new SSO()` is included in providers, `auth.sso` is available
- * on the returned object. Without it, `auth.sso` is absent and
- * accessing it is a TypeScript compile error.
+ * When `new SSO()` is included in providers, `auth.sso` and `auth.scim`
+ * are available on the returned object. Without it, those namespaces are
+ * absent and accessing them is a TypeScript compile error.
  */
 export function createAuth<P extends AuthProviderConfig[]>(
   component: ConvexAuthConfig["component"],
@@ -107,6 +151,138 @@ export function createAuth<P extends AuthProviderConfig[]>(
     component,
     providers: [...config.providers],
   });
+  const {
+    domain: domainApi,
+    scim: scimApi,
+    connection: connectionApi,
+    audit: auditApi,
+    webhook: webhookApi,
+    oidc: oidcApi,
+    saml: samlApi,
+    ...restSso
+  } = authResult.auth.sso as InternalSsoApi;
+  type SetEnterpriseDomains = PublicSsoAdminApi["connection"]["domain"]["set"];
+  type EnterpriseDomainInput = Array<{
+    domain: string;
+    isPrimary?: boolean;
+    verifiedAt?: number;
+  }>;
+  const setEnterpriseDomains: PublicSsoAdminApi["connection"]["domain"]["set"] =
+    async (
+      ctx: Parameters<SetEnterpriseDomains>[0],
+      enterpriseId: Parameters<SetEnterpriseDomains>[1],
+      domains: EnterpriseDomainInput,
+    ) => {
+      const enterprise = await connectionApi.get(ctx, enterpriseId);
+      if (enterprise === null) {
+        throw new AuthError(
+          "INVALID_PARAMETERS",
+          "Enterprise not found.",
+        ).toConvexError();
+      }
+      const normalized = domains.map((entry: (typeof domains)[number]) => ({
+        ...entry,
+        domain: entry.domain.trim().toLowerCase(),
+      }));
+      const deduped = new Map<string, (typeof normalized)[number]>();
+      for (const entry of normalized) {
+        if (entry.domain.length === 0) {
+          throw new AuthError(
+            "INVALID_PARAMETERS",
+            "Domain must not be empty.",
+          ).toConvexError();
+        }
+        if (deduped.has(entry.domain)) {
+          throw new AuthError(
+            "INVALID_PARAMETERS",
+            `Duplicate domain: ${entry.domain}`,
+          ).toConvexError();
+        }
+        deduped.set(entry.domain, entry);
+      }
+      const nextDomains = [...deduped.values()];
+      const primaryCount = nextDomains.filter(
+        (entry) => entry.isPrimary,
+      ).length;
+      if (primaryCount > 1) {
+        throw new AuthError(
+          "INVALID_PARAMETERS",
+          "Only one primary domain may be set.",
+        ).toConvexError();
+      }
+      if (nextDomains.length > 0 && primaryCount === 0) {
+        nextDomains[0] = { ...nextDomains[0], isPrimary: true };
+      }
+      const currentDomains = await domainApi.list(ctx, enterpriseId);
+      const currentByDomain = new Map<string, (typeof currentDomains)[number]>(
+        currentDomains.map((entry: (typeof currentDomains)[number]) => [
+          entry.domain.toLowerCase(),
+          entry,
+        ]),
+      );
+      for (const existing of currentDomains) {
+        if (!deduped.has(existing.domain.toLowerCase())) {
+          await domainApi.remove(ctx, existing._id);
+        }
+      }
+      for (const nextDomain of nextDomains) {
+        const current = currentByDomain.get(nextDomain.domain);
+        if (
+          current &&
+          current.isPrimary === Boolean(nextDomain.isPrimary) &&
+          current.verifiedAt === (nextDomain.verifiedAt ?? current.verifiedAt)
+        ) {
+          continue;
+        }
+        if (current) {
+          await domainApi.remove(ctx, current._id);
+        }
+        await domainApi.add(ctx, {
+          enterpriseId: enterprise._id,
+          groupId: enterprise.groupId,
+          domain: nextDomain.domain,
+          isPrimary: nextDomain.isPrimary,
+          verifiedAt: nextDomain.verifiedAt ?? current?.verifiedAt,
+        });
+      }
+    };
+  const publicSso: PublicSsoApi = {
+    admin: {
+      ...restSso,
+      oidc: {
+        ...oidcApi,
+      },
+      saml: {
+        ...samlApi,
+      },
+      connection: {
+        ...connectionApi,
+        domain: {
+          list: domainApi.list,
+          validate: domainApi.validate,
+          set: setEnterpriseDomains,
+        },
+      },
+      policy: restSso.policy,
+      audit: {
+        list: auditApi.list,
+      },
+      webhook: {
+        endpoint: webhookApi.endpoint,
+      },
+    },
+    client: {
+      signIn: oidcApi.signIn,
+      metadata: samlApi.metadata,
+    },
+  };
   return {
     signIn: authResult.signIn,
@@ -120,7 +296,14 @@ export function createAuth<P extends AuthProviderConfig[]>(
     member: authResult.auth.member,
     invite: authResult.auth.invite,
     key: authResult.auth.key,
-    sso: authResult.auth.sso,
+    sso: publicSso,
+    scim: {
+      admin: {
+        configure: scimApi.configure,
+        get: scimApi.get,
+        validate: scimApi.validate,
+      },
+    },
     http: authResult.auth.http,
   } as ConvexAuthResult<P>;
 }

package/src/server/cookies.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { isLocalHost } from "./utils";
+/** @internal */
 export const SHARED_COOKIE_OPTIONS = {
   httpOnly: true,
   sameSite: "none" as const,
@@ -9,6 +10,7 @@ export const SHARED_COOKIE_OPTIONS = {
 };
 const REDIRECT_MAX_AGE = 60 * 15; // 15 minutes in seconds
+/** @internal */
 export function redirectToParamCookie(providerId: string, redirectTo: string) {
   return {
     name: redirectToParamCookieName(providerId),
@@ -17,6 +19,7 @@ export function redirectToParamCookie(providerId: string, redirectTo: string) {
   };
 }
+/** @internal */
 export function useRedirectToParam(
   providerId: string,
   cookies: Record<string, string | undefined>,

package/src/server/db.ts CHANGED Viewed

@@ -56,10 +56,13 @@ type AuthComponentApiLike = {
   };
 };
+/** @internal */
 export type AuthDbConfig = { component: AuthComponentApiLike };
+/** @internal */
 export type AuthDb = ReturnType<typeof authDb>;
+/** @internal */
 export function authDb(ctx: CtxLike, config: AuthDbConfig) {
   const component = config.component;
   return {

package/src/server/device.ts CHANGED Viewed

@@ -13,6 +13,7 @@
 import { Fx } from "@robelest/fx";
 import { AuthError } from "./fx";
+import { userIdFromIdentitySubject } from "./identity";
 import { callSignIn } from "./mutations/index";
 import { DeviceProviderConfig, GenericActionCtxWithAuthConfig } from "./types";
 import {
@@ -63,6 +64,7 @@ type DeviceResult =
     }
   | { kind: "signedIn"; signedIn: SessionInfo | null };
+/** @internal */
 export const handleDevice = (
   ctx: EnrichedActionCtx,
   provider: DeviceProviderConfig,
@@ -187,7 +189,7 @@ export const handleDevice = (
         );
       }
-      const userId = identity.subject.split("|")[0]!;
+      const userId = userIdFromIdentitySubject(identity.subject);
       const doc = await queryDeviceByUserCode(ctx, params.userCode);
       if (doc === null) {
         throw new AuthError("DEVICE_INVALID_USER_CODE");