@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +140 -9
- package/dist/bin.cjs +5957 -5478
- package/dist/client/index.d.ts +3 -7
- package/dist/client/index.d.ts.map +1 -1
- package/dist/client/index.js +27 -26
- package/dist/client/index.js.map +1 -1
- package/dist/component/_generated/api.d.ts +14 -0
- package/dist/component/_generated/api.d.ts.map +1 -1
- package/dist/component/_generated/api.js.map +1 -1
- package/dist/component/_generated/component.d.ts +1513 -3
- package/dist/component/_generated/component.d.ts.map +1 -1
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/convex.config.d.ts.map +1 -1
- package/dist/component/model.d.ts +153 -0
- package/dist/component/model.d.ts.map +1 -0
- package/dist/component/model.js +327 -0
- package/dist/component/model.js.map +1 -0
- package/dist/component/providers/sso.d.ts +1 -1
- package/dist/component/public/enterprise.d.ts +49 -0
- package/dist/component/public/enterprise.d.ts.map +1 -0
- package/dist/component/public/enterprise.js +450 -0
- package/dist/component/public/enterprise.js.map +1 -0
- package/dist/component/public/factors.d.ts +52 -0
- package/dist/component/public/factors.d.ts.map +1 -0
- package/dist/component/public/factors.js +285 -0
- package/dist/component/public/factors.js.map +1 -0
- package/dist/component/public/groups.d.ts +118 -0
- package/dist/component/public/groups.d.ts.map +1 -0
- package/dist/component/public/groups.js +599 -0
- package/dist/component/public/groups.js.map +1 -0
- package/dist/component/public/identity.d.ts +93 -0
- package/dist/component/public/identity.d.ts.map +1 -0
- package/dist/component/public/identity.js +426 -0
- package/dist/component/public/identity.js.map +1 -0
- package/dist/component/public/keys.d.ts +41 -0
- package/dist/component/public/keys.d.ts.map +1 -0
- package/dist/component/public/keys.js +157 -0
- package/dist/component/public/keys.js.map +1 -0
- package/dist/component/public/shared.d.ts +26 -0
- package/dist/component/public/shared.d.ts.map +1 -0
- package/dist/component/public/shared.js +32 -0
- package/dist/component/public/shared.js.map +1 -0
- package/dist/component/public.d.ts +9 -321
- package/dist/component/public.d.ts.map +1 -1
- package/dist/component/public.js +6 -2145
- package/dist/component/schema.d.ts +368 -258
- package/dist/component/schema.js +23 -27
- package/dist/component/schema.js.map +1 -1
- package/dist/component/server/auth.d.ts +42 -7
- package/dist/component/server/auth.d.ts.map +1 -1
- package/dist/component/server/auth.js +70 -6
- package/dist/component/server/auth.js.map +1 -1
- package/dist/component/server/cookies.js +3 -0
- package/dist/component/server/cookies.js.map +1 -1
- package/dist/component/server/db.js +1 -0
- package/dist/component/server/db.js.map +1 -1
- package/dist/component/server/device.js +3 -1
- package/dist/component/server/device.js.map +1 -1
- package/dist/component/server/domains/core.js +466 -0
- package/dist/component/server/domains/core.js.map +1 -0
- package/dist/component/server/domains/sso.js +689 -0
- package/dist/component/server/domains/sso.js.map +1 -0
- package/dist/component/server/factory.d.ts +136 -0
- package/dist/component/server/factory.d.ts.map +1 -0
- package/dist/component/server/factory.js +1128 -0
- package/dist/component/server/factory.js.map +1 -0
- package/dist/component/server/fx.js +2 -1
- package/dist/component/server/fx.js.map +1 -1
- package/dist/component/server/http.js +287 -0
- package/dist/component/server/http.js.map +1 -0
- package/dist/component/server/identity.js +13 -0
- package/dist/component/server/identity.js.map +1 -0
- package/dist/component/server/keys.js +4 -0
- package/dist/component/server/keys.js.map +1 -1
- package/dist/component/server/mutations/account.js +1 -1
- package/dist/component/server/mutations/index.js +2 -2
- package/dist/component/server/mutations/index.js.map +1 -1
- package/dist/component/server/mutations/invalidate.js +1 -1
- package/dist/component/server/mutations/oauth.js +10 -7
- package/dist/component/server/mutations/oauth.js.map +1 -1
- package/dist/component/server/mutations/refresh.js +1 -1
- package/dist/component/server/mutations/register.js +1 -1
- package/dist/component/server/mutations/retrieve.js +1 -1
- package/dist/component/server/mutations/signature.js +1 -1
- package/dist/component/server/mutations/store.js +6 -3
- package/dist/component/server/mutations/store.js.map +1 -1
- package/dist/component/server/mutations/verify.js +1 -1
- package/dist/component/server/oauth.js +3 -0
- package/dist/component/server/oauth.js.map +1 -1
- package/dist/component/server/passkey.js +3 -2
- package/dist/component/server/passkey.js.map +1 -1
- package/dist/component/server/provider.js +2 -0
- package/dist/component/server/provider.js.map +1 -1
- package/dist/component/server/providers.js +3 -0
- package/dist/component/server/providers.js.map +1 -1
- package/dist/component/server/ratelimit.js +3 -0
- package/dist/component/server/ratelimit.js.map +1 -1
- package/dist/component/server/redirects.js +2 -0
- package/dist/component/server/redirects.js.map +1 -1
- package/dist/component/server/refresh.js +5 -0
- package/dist/component/server/refresh.js.map +1 -1
- package/dist/component/server/sessions.js +5 -0
- package/dist/component/server/sessions.js.map +1 -1
- package/dist/component/server/signin.js +2 -1
- package/dist/component/server/signin.js.map +1 -1
- package/dist/component/server/sso.js +166 -19
- package/dist/component/server/sso.js.map +1 -1
- package/dist/component/server/tokens.js +1 -0
- package/dist/component/server/tokens.js.map +1 -1
- package/dist/component/server/totp.js +4 -2
- package/dist/component/server/totp.js.map +1 -1
- package/dist/component/server/types.d.ts +50 -35
- package/dist/component/server/types.d.ts.map +1 -1
- package/dist/component/server/types.js.map +1 -1
- package/dist/component/server/users.js +1 -0
- package/dist/component/server/users.js.map +1 -1
- package/dist/component/server/utils.js +44 -2
- package/dist/component/server/utils.js.map +1 -1
- package/dist/providers/anonymous.d.ts +1 -1
- package/dist/providers/credentials.d.ts +1 -1
- package/dist/providers/password.d.ts +1 -1
- package/dist/providers/sso.d.ts +1 -1
- package/dist/providers/sso.js.map +1 -1
- package/dist/server/auth.d.ts +44 -9
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +70 -6
- package/dist/server/auth.js.map +1 -1
- package/dist/server/cookies.d.ts +1 -38
- package/dist/server/cookies.js +3 -0
- package/dist/server/cookies.js.map +1 -1
- package/dist/server/db.d.ts +1 -125
- package/dist/server/db.js +1 -0
- package/dist/server/db.js.map +1 -1
- package/dist/server/device.d.ts +1 -24
- package/dist/server/device.js +3 -1
- package/dist/server/device.js.map +1 -1
- package/dist/server/domains/core.d.ts +320 -0
- package/dist/server/domains/core.d.ts.map +1 -0
- package/dist/server/domains/core.js +466 -0
- package/dist/server/domains/core.js.map +1 -0
- package/dist/server/domains/sso.d.ts +340 -0
- package/dist/server/domains/sso.d.ts.map +1 -0
- package/dist/server/domains/sso.js +689 -0
- package/dist/server/domains/sso.js.map +1 -0
- package/dist/server/enterpriseValidators.d.ts +1 -0
- package/dist/server/enterpriseValidators.js +56 -0
- package/dist/server/enterpriseValidators.js.map +1 -0
- package/dist/server/factory.d.ts +136 -0
- package/dist/server/factory.d.ts.map +1 -0
- package/dist/server/factory.js +1128 -0
- package/dist/server/factory.js.map +1 -0
- package/dist/server/fx.d.ts +1 -16
- package/dist/server/fx.d.ts.map +1 -1
- package/dist/server/fx.js +1 -0
- package/dist/server/fx.js.map +1 -1
- package/dist/server/http.d.ts +59 -0
- package/dist/server/http.d.ts.map +1 -0
- package/dist/server/http.js +287 -0
- package/dist/server/http.js.map +1 -0
- package/dist/server/identity.d.ts +1 -0
- package/dist/server/identity.js +13 -0
- package/dist/server/identity.js.map +1 -0
- package/dist/server/index.d.ts +432 -1
- package/dist/server/index.d.ts.map +1 -1
- package/dist/server/index.js +486 -36
- package/dist/server/index.js.map +1 -1
- package/dist/server/keys.d.ts +1 -57
- package/dist/server/keys.js +4 -0
- package/dist/server/keys.js.map +1 -1
- package/dist/server/mutations/account.d.ts +7 -7
- package/dist/server/mutations/account.d.ts.map +1 -1
- package/dist/server/mutations/code.d.ts +13 -13
- package/dist/server/mutations/index.d.ts +107 -107
- package/dist/server/mutations/index.d.ts.map +1 -1
- package/dist/server/mutations/index.js +1 -1
- package/dist/server/mutations/index.js.map +1 -1
- package/dist/server/mutations/invalidate.d.ts +5 -5
- package/dist/server/mutations/oauth.d.ts +10 -10
- package/dist/server/mutations/oauth.d.ts.map +1 -1
- package/dist/server/mutations/oauth.js +9 -6
- package/dist/server/mutations/oauth.js.map +1 -1
- package/dist/server/mutations/refresh.d.ts +4 -4
- package/dist/server/mutations/register.d.ts +12 -12
- package/dist/server/mutations/register.d.ts.map +1 -1
- package/dist/server/mutations/retrieve.d.ts +1 -1
- package/dist/server/mutations/signature.d.ts +5 -5
- package/dist/server/mutations/signature.d.ts.map +1 -1
- package/dist/server/mutations/signin.d.ts +1 -1
- package/dist/server/mutations/signout.d.ts +1 -1
- package/dist/server/mutations/store.d.ts +3 -2
- package/dist/server/mutations/store.d.ts.map +1 -1
- package/dist/server/mutations/store.js +6 -3
- package/dist/server/mutations/store.js.map +1 -1
- package/dist/server/mutations/verifier.d.ts +1 -1
- package/dist/server/mutations/verify.d.ts +4 -4
- package/dist/server/oauth.d.ts +1 -59
- package/dist/server/oauth.js +3 -0
- package/dist/server/oauth.js.map +1 -1
- package/dist/server/passkey.d.ts.map +1 -1
- package/dist/server/passkey.js +3 -2
- package/dist/server/passkey.js.map +1 -1
- package/dist/server/provider.d.ts +1 -14
- package/dist/server/provider.d.ts.map +1 -1
- package/dist/server/provider.js +2 -0
- package/dist/server/provider.js.map +1 -1
- package/dist/server/providers.js +3 -0
- package/dist/server/providers.js.map +1 -1
- package/dist/server/ratelimit.d.ts +1 -22
- package/dist/server/ratelimit.js +3 -0
- package/dist/server/ratelimit.js.map +1 -1
- package/dist/server/redirects.d.ts +1 -10
- package/dist/server/redirects.js +2 -0
- package/dist/server/redirects.js.map +1 -1
- package/dist/server/refresh.d.ts +1 -37
- package/dist/server/refresh.js +5 -0
- package/dist/server/refresh.js.map +1 -1
- package/dist/server/sessions.d.ts +1 -28
- package/dist/server/sessions.js +5 -0
- package/dist/server/sessions.js.map +1 -1
- package/dist/server/signin.d.ts +1 -55
- package/dist/server/signin.js +2 -1
- package/dist/server/signin.js.map +1 -1
- package/dist/server/sso.d.ts +1 -348
- package/dist/server/sso.js +165 -18
- package/dist/server/sso.js.map +1 -1
- package/dist/server/templates.d.ts +1 -21
- package/dist/server/templates.js +1 -0
- package/dist/server/templates.js.map +1 -1
- package/dist/server/tokens.d.ts +1 -11
- package/dist/server/tokens.js +1 -0
- package/dist/server/tokens.js.map +1 -1
- package/dist/server/totp.d.ts +1 -23
- package/dist/server/totp.js +4 -2
- package/dist/server/totp.js.map +1 -1
- package/dist/server/types.d.ts +55 -71
- package/dist/server/types.d.ts.map +1 -1
- package/dist/server/types.js.map +1 -1
- package/dist/server/users.d.ts +1 -31
- package/dist/server/users.js +1 -0
- package/dist/server/users.js.map +1 -1
- package/dist/server/utils.d.ts +1 -27
- package/dist/server/utils.js +44 -2
- package/dist/server/utils.js.map +1 -1
- package/dist/server/version.d.ts +1 -1
- package/dist/server/version.js +1 -1
- package/dist/server/version.js.map +1 -1
- package/package.json +4 -5
- package/src/cli/bin.ts +5 -0
- package/src/cli/index.ts +22 -9
- package/src/cli/keys.ts +3 -0
- package/src/client/index.ts +36 -37
- package/src/component/_generated/api.ts +14 -0
- package/src/component/_generated/component.ts +1920 -3
- package/src/component/index.ts +2 -0
- package/src/component/model.ts +424 -0
- package/src/component/public/enterprise.ts +654 -0
- package/src/component/public/factors.ts +332 -0
- package/src/component/public/groups.ts +951 -0
- package/src/component/public/identity.ts +566 -0
- package/src/component/public/keys.ts +209 -0
- package/src/component/public/shared.ts +117 -0
- package/src/component/public.ts +5 -2965
- package/src/component/schema.ts +47 -57
- package/src/providers/sso.ts +1 -1
- package/src/server/auth.ts +192 -9
- package/src/server/cookies.ts +3 -0
- package/src/server/db.ts +3 -0
- package/src/server/device.ts +3 -1
- package/src/server/domains/core.ts +916 -0
- package/src/server/domains/sso.ts +1462 -0
- package/src/server/enterpriseValidators.ts +88 -0
- package/src/server/factory.ts +2168 -0
- package/src/server/fx.ts +1 -0
- package/src/server/http.ts +529 -0
- package/src/server/identity.ts +18 -0
- package/src/server/index.ts +712 -40
- package/src/server/keys.ts +4 -0
- package/src/server/mutations/index.ts +1 -1
- package/src/server/mutations/oauth.ts +36 -8
- package/src/server/mutations/store.ts +6 -3
- package/src/server/oauth.ts +6 -0
- package/src/server/passkey.ts +3 -2
- package/src/server/provider.ts +2 -0
- package/src/server/providers.ts +3 -0
- package/src/server/ratelimit.ts +3 -0
- package/src/server/redirects.ts +2 -0
- package/src/server/refresh.ts +5 -0
- package/src/server/sessions.ts +5 -0
- package/src/server/signin.ts +1 -0
- package/src/server/sso.ts +251 -17
- package/src/server/templates.ts +1 -0
- package/src/server/tokens.ts +1 -0
- package/src/server/totp.ts +4 -2
- package/src/server/types.ts +85 -77
- package/src/server/users.ts +1 -0
- package/src/server/utils.ts +71 -1
- package/src/server/version.ts +1 -1
- package/dist/component/public.js.map +0 -1
- package/dist/component/server/implementation.d.ts +0 -1264
- package/dist/component/server/implementation.d.ts.map +0 -1
- package/dist/component/server/implementation.js +0 -2365
- package/dist/component/server/implementation.js.map +0 -1
- package/dist/server/cookies.d.ts.map +0 -1
- package/dist/server/db.d.ts.map +0 -1
- package/dist/server/device.d.ts.map +0 -1
- package/dist/server/implementation.d.ts +0 -1264
- package/dist/server/implementation.d.ts.map +0 -1
- package/dist/server/implementation.js +0 -2365
- package/dist/server/implementation.js.map +0 -1
- package/dist/server/keys.d.ts.map +0 -1
- package/dist/server/oauth.d.ts.map +0 -1
- package/dist/server/ratelimit.d.ts.map +0 -1
- package/dist/server/redirects.d.ts.map +0 -1
- package/dist/server/refresh.d.ts.map +0 -1
- package/dist/server/sessions.d.ts.map +0 -1
- package/dist/server/signin.d.ts.map +0 -1
- package/dist/server/sso.d.ts.map +0 -1
- package/dist/server/templates.d.ts.map +0 -1
- package/dist/server/tokens.d.ts.map +0 -1
- package/dist/server/totp.d.ts.map +0 -1
- package/dist/server/users.d.ts.map +0 -1
- package/dist/server/utils.d.ts.map +0 -1
- package/src/server/implementation.ts +0 -5336
package/src/server/index.ts
CHANGED
|
@@ -1,21 +1,693 @@
|
|
|
1
1
|
import { ConvexHttpClient } from "convex/browser";
|
|
2
|
-
import {
|
|
3
|
-
|
|
2
|
+
import {
|
|
3
|
+
actionGeneric,
|
|
4
|
+
makeFunctionReference,
|
|
5
|
+
mutationGeneric,
|
|
6
|
+
queryGeneric,
|
|
7
|
+
} from "convex/server";
|
|
8
|
+
import { ConvexError, v } from "convex/values";
|
|
4
9
|
import { parse, serialize } from "cookie";
|
|
5
10
|
import { jwtDecode } from "jwt-decode";
|
|
6
11
|
|
|
7
|
-
import {
|
|
12
|
+
import type { AuthApi } from "./auth";
|
|
13
|
+
import {
|
|
14
|
+
enterpriseConnectionWhereValidator,
|
|
15
|
+
enterpriseDomainInputValidator,
|
|
16
|
+
enterprisePolicyPatchValidator,
|
|
17
|
+
enterpriseSamlAttributeMappingValidator,
|
|
18
|
+
enterpriseSamlSpValidator,
|
|
19
|
+
enterpriseStatusValidator,
|
|
20
|
+
} from "./enterpriseValidators";
|
|
8
21
|
import type {
|
|
9
22
|
SignInAction,
|
|
10
23
|
SignInActionResult,
|
|
11
24
|
SignOutAction,
|
|
12
|
-
} from "./
|
|
25
|
+
} from "./factory";
|
|
26
|
+
import { Fx } from "./fx";
|
|
13
27
|
import { isLocalHost } from "./utils";
|
|
14
28
|
|
|
15
|
-
const signInActionRef: SignInAction =
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
29
|
+
const signInActionRef: SignInAction = makeFunctionReference("auth:signIn");
|
|
30
|
+
const signOutActionRef: SignOutAction = makeFunctionReference("auth:signOut");
|
|
31
|
+
|
|
32
|
+
export type EnterpriseAdminPermission =
|
|
33
|
+
| "sso.connection.create"
|
|
34
|
+
| "sso.connection.read"
|
|
35
|
+
| "sso.connection.manage"
|
|
36
|
+
| "sso.domain.manage"
|
|
37
|
+
| "sso.protocol.manage"
|
|
38
|
+
| "sso.policy.manage"
|
|
39
|
+
| "sso.audit.read"
|
|
40
|
+
| "sso.webhook.manage"
|
|
41
|
+
| "scim.manage";
|
|
42
|
+
|
|
43
|
+
export type EnterpriseAdminAuthorizationInput = {
|
|
44
|
+
userId: string;
|
|
45
|
+
permission: EnterpriseAdminPermission;
|
|
46
|
+
enterpriseId?: string;
|
|
47
|
+
groupId?: string;
|
|
48
|
+
resolvedGroupId: string | null;
|
|
49
|
+
};
|
|
50
|
+
|
|
51
|
+
export type EnterpriseAuthorizer = (
|
|
52
|
+
ctx: { auth: import("convex/server").Auth },
|
|
53
|
+
input: EnterpriseAdminAuthorizationInput,
|
|
54
|
+
) => Promise<void>;
|
|
55
|
+
|
|
56
|
+
type MountedEnterpriseOptions = {
|
|
57
|
+
authorized?: EnterpriseAuthorizer;
|
|
58
|
+
};
|
|
59
|
+
|
|
60
|
+
export type EnterpriseMountOptions = {
|
|
61
|
+
authorized: EnterpriseAuthorizer;
|
|
62
|
+
};
|
|
63
|
+
|
|
64
|
+
type MountedEnterpriseTarget = {
|
|
65
|
+
enterpriseId?: string;
|
|
66
|
+
groupId?: string;
|
|
67
|
+
domain?: string;
|
|
68
|
+
};
|
|
69
|
+
|
|
70
|
+
function requireSignedInUser(auth: Pick<AuthApi, "user">) {
|
|
71
|
+
return async (ctx: { auth: import("convex/server").Auth }) => {
|
|
72
|
+
return await auth.user.require(ctx as never);
|
|
73
|
+
};
|
|
74
|
+
}
|
|
75
|
+
|
|
76
|
+
async function resolveMountedEnterpriseTarget(
|
|
77
|
+
auth: Pick<AuthApi, "sso">,
|
|
78
|
+
ctx: { auth: import("convex/server").Auth },
|
|
79
|
+
target: MountedEnterpriseTarget,
|
|
80
|
+
) {
|
|
81
|
+
if (target.groupId !== undefined) {
|
|
82
|
+
return {
|
|
83
|
+
enterpriseId: target.enterpriseId,
|
|
84
|
+
groupId: target.groupId,
|
|
85
|
+
resolvedGroupId: target.groupId,
|
|
86
|
+
};
|
|
87
|
+
}
|
|
88
|
+
|
|
89
|
+
if (target.enterpriseId !== undefined) {
|
|
90
|
+
const enterprise = await auth.sso.admin.connection.get(
|
|
91
|
+
ctx as never,
|
|
92
|
+
target.enterpriseId,
|
|
93
|
+
);
|
|
94
|
+
if (enterprise === null) {
|
|
95
|
+
throw new ConvexError({
|
|
96
|
+
code: "INVALID_PARAMETERS",
|
|
97
|
+
message: "Enterprise not found.",
|
|
98
|
+
});
|
|
99
|
+
}
|
|
100
|
+
return {
|
|
101
|
+
enterpriseId: enterprise._id,
|
|
102
|
+
groupId: enterprise.groupId,
|
|
103
|
+
resolvedGroupId: enterprise.groupId,
|
|
104
|
+
};
|
|
105
|
+
}
|
|
106
|
+
|
|
107
|
+
if (target.domain !== undefined) {
|
|
108
|
+
const resolved = await auth.sso.admin.connection.getByDomain(
|
|
109
|
+
ctx as never,
|
|
110
|
+
target.domain,
|
|
111
|
+
);
|
|
112
|
+
if (resolved?.enterprise === undefined) {
|
|
113
|
+
throw new ConvexError({
|
|
114
|
+
code: "INVALID_PARAMETERS",
|
|
115
|
+
message: "Enterprise not found.",
|
|
116
|
+
});
|
|
117
|
+
}
|
|
118
|
+
return {
|
|
119
|
+
enterpriseId: resolved.enterprise._id,
|
|
120
|
+
groupId: resolved.enterprise.groupId,
|
|
121
|
+
resolvedGroupId: resolved.enterprise.groupId,
|
|
122
|
+
};
|
|
123
|
+
}
|
|
124
|
+
|
|
125
|
+
return {
|
|
126
|
+
enterpriseId: undefined,
|
|
127
|
+
groupId: undefined,
|
|
128
|
+
resolvedGroupId: null,
|
|
129
|
+
};
|
|
130
|
+
}
|
|
131
|
+
|
|
132
|
+
function createMountedAdminAuthorizer(
|
|
133
|
+
auth: Pick<AuthApi, "sso" | "user">,
|
|
134
|
+
options?: MountedEnterpriseOptions,
|
|
135
|
+
) {
|
|
136
|
+
const requireUserId = requireSignedInUser(auth);
|
|
137
|
+
|
|
138
|
+
return async (
|
|
139
|
+
ctx: { auth: import("convex/server").Auth },
|
|
140
|
+
permission: EnterpriseAdminPermission,
|
|
141
|
+
target: MountedEnterpriseTarget = {},
|
|
142
|
+
) => {
|
|
143
|
+
const userId = await requireUserId(ctx);
|
|
144
|
+
if (!options?.authorized) {
|
|
145
|
+
throw new ConvexError({
|
|
146
|
+
code: "FORBIDDEN",
|
|
147
|
+
message:
|
|
148
|
+
"Mounted enterprise admin APIs require an authorized callback.",
|
|
149
|
+
});
|
|
150
|
+
}
|
|
151
|
+
const resolved = await resolveMountedEnterpriseTarget(auth, ctx, target);
|
|
152
|
+
await options.authorized(ctx, {
|
|
153
|
+
userId,
|
|
154
|
+
permission,
|
|
155
|
+
enterpriseId: resolved.enterpriseId,
|
|
156
|
+
groupId: resolved.groupId,
|
|
157
|
+
resolvedGroupId: resolved.resolvedGroupId,
|
|
158
|
+
});
|
|
159
|
+
return { userId, ...resolved };
|
|
160
|
+
};
|
|
161
|
+
}
|
|
162
|
+
|
|
163
|
+
/**
|
|
164
|
+
* Build optional public SSO management actions that apps can mount under
|
|
165
|
+
* `convex/auth/sso/**` when they want client-callable enterprise APIs.
|
|
166
|
+
*
|
|
167
|
+
* `admin` is for tenant-admin control-plane operations and should be mounted
|
|
168
|
+
* with an explicit authorization policy. `client` is for end-user sign-in
|
|
169
|
+
* helpers and does not require tenant-admin authorization.
|
|
170
|
+
*/
|
|
171
|
+
export function sso(
|
|
172
|
+
auth: Pick<AuthApi, "group" | "member" | "sso" | "user">,
|
|
173
|
+
options?: MountedEnterpriseOptions,
|
|
174
|
+
) {
|
|
175
|
+
const authorize = createMountedAdminAuthorizer(auth, options);
|
|
176
|
+
|
|
177
|
+
return {
|
|
178
|
+
admin: {
|
|
179
|
+
connection: {
|
|
180
|
+
create: mutationGeneric({
|
|
181
|
+
args: {
|
|
182
|
+
groupId: v.optional(v.string()),
|
|
183
|
+
name: v.optional(v.string()),
|
|
184
|
+
slug: v.optional(v.string()),
|
|
185
|
+
status: v.optional(enterpriseStatusValidator),
|
|
186
|
+
domain: v.optional(v.string()),
|
|
187
|
+
},
|
|
188
|
+
handler: async (ctx, args) => {
|
|
189
|
+
const { userId } = await authorize(ctx, "sso.connection.create", {
|
|
190
|
+
groupId: args.groupId,
|
|
191
|
+
});
|
|
192
|
+
const createsGroup = args.groupId === undefined;
|
|
193
|
+
const groupId =
|
|
194
|
+
args.groupId ??
|
|
195
|
+
(await auth.group.create(ctx as never, {
|
|
196
|
+
name: args.name?.trim() || args.slug?.trim() || "Enterprise",
|
|
197
|
+
slug: args.slug,
|
|
198
|
+
type: "enterprise",
|
|
199
|
+
}));
|
|
200
|
+
if (createsGroup) {
|
|
201
|
+
await auth.member.add(ctx as never, {
|
|
202
|
+
groupId,
|
|
203
|
+
userId,
|
|
204
|
+
role: "admin",
|
|
205
|
+
});
|
|
206
|
+
}
|
|
207
|
+
const enterpriseId = await auth.sso.admin.connection.create(
|
|
208
|
+
ctx as never,
|
|
209
|
+
{
|
|
210
|
+
groupId,
|
|
211
|
+
name: args.name,
|
|
212
|
+
slug: args.slug,
|
|
213
|
+
status: args.status,
|
|
214
|
+
},
|
|
215
|
+
);
|
|
216
|
+
if (args.domain) {
|
|
217
|
+
await auth.sso.admin.connection.domain.set(
|
|
218
|
+
ctx as never,
|
|
219
|
+
enterpriseId,
|
|
220
|
+
[{ domain: args.domain, isPrimary: true }],
|
|
221
|
+
);
|
|
222
|
+
}
|
|
223
|
+
return { enterpriseId, groupId };
|
|
224
|
+
},
|
|
225
|
+
}),
|
|
226
|
+
get: queryGeneric({
|
|
227
|
+
args: { enterpriseId: v.string() },
|
|
228
|
+
handler: async (ctx, args) => {
|
|
229
|
+
await authorize(ctx, "sso.connection.read", {
|
|
230
|
+
enterpriseId: args.enterpriseId,
|
|
231
|
+
});
|
|
232
|
+
return await auth.sso.admin.connection.get(
|
|
233
|
+
ctx as never,
|
|
234
|
+
args.enterpriseId,
|
|
235
|
+
);
|
|
236
|
+
},
|
|
237
|
+
}),
|
|
238
|
+
getByGroup: queryGeneric({
|
|
239
|
+
args: { groupId: v.string() },
|
|
240
|
+
handler: async (ctx, args) => {
|
|
241
|
+
await authorize(ctx, "sso.connection.read", {
|
|
242
|
+
groupId: args.groupId,
|
|
243
|
+
});
|
|
244
|
+
return await auth.sso.admin.connection.getByGroup(
|
|
245
|
+
ctx as never,
|
|
246
|
+
args.groupId,
|
|
247
|
+
);
|
|
248
|
+
},
|
|
249
|
+
}),
|
|
250
|
+
getByDomain: queryGeneric({
|
|
251
|
+
args: { domain: v.string() },
|
|
252
|
+
handler: async (ctx, args) => {
|
|
253
|
+
await authorize(ctx, "sso.connection.read", {
|
|
254
|
+
domain: args.domain,
|
|
255
|
+
});
|
|
256
|
+
return await auth.sso.admin.connection.getByDomain(
|
|
257
|
+
ctx as never,
|
|
258
|
+
args.domain,
|
|
259
|
+
);
|
|
260
|
+
},
|
|
261
|
+
}),
|
|
262
|
+
list: queryGeneric({
|
|
263
|
+
args: {
|
|
264
|
+
where: v.optional(enterpriseConnectionWhereValidator),
|
|
265
|
+
limit: v.optional(v.number()),
|
|
266
|
+
cursor: v.optional(v.union(v.string(), v.null())),
|
|
267
|
+
orderBy: v.optional(v.string()),
|
|
268
|
+
order: v.optional(v.union(v.literal("asc"), v.literal("desc"))),
|
|
269
|
+
},
|
|
270
|
+
handler: async (ctx, args) => {
|
|
271
|
+
await authorize(ctx, "sso.connection.read", {
|
|
272
|
+
groupId: args.where?.groupId,
|
|
273
|
+
});
|
|
274
|
+
return await auth.sso.admin.connection.list(
|
|
275
|
+
ctx as never,
|
|
276
|
+
args as never,
|
|
277
|
+
);
|
|
278
|
+
},
|
|
279
|
+
}),
|
|
280
|
+
update: mutationGeneric({
|
|
281
|
+
args: {
|
|
282
|
+
enterpriseId: v.string(),
|
|
283
|
+
data: v.object({
|
|
284
|
+
name: v.optional(v.string()),
|
|
285
|
+
slug: v.optional(v.string()),
|
|
286
|
+
status: v.optional(enterpriseStatusValidator),
|
|
287
|
+
}),
|
|
288
|
+
},
|
|
289
|
+
handler: async (ctx, args) => {
|
|
290
|
+
await authorize(ctx, "sso.connection.manage", {
|
|
291
|
+
enterpriseId: args.enterpriseId,
|
|
292
|
+
});
|
|
293
|
+
await auth.sso.admin.connection.update(
|
|
294
|
+
ctx as never,
|
|
295
|
+
args.enterpriseId,
|
|
296
|
+
args.data,
|
|
297
|
+
);
|
|
298
|
+
return null;
|
|
299
|
+
},
|
|
300
|
+
}),
|
|
301
|
+
delete: mutationGeneric({
|
|
302
|
+
args: { enterpriseId: v.string() },
|
|
303
|
+
handler: async (ctx, args) => {
|
|
304
|
+
await authorize(ctx, "sso.connection.manage", {
|
|
305
|
+
enterpriseId: args.enterpriseId,
|
|
306
|
+
});
|
|
307
|
+
await auth.sso.admin.connection.delete(
|
|
308
|
+
ctx as never,
|
|
309
|
+
args.enterpriseId,
|
|
310
|
+
);
|
|
311
|
+
return null;
|
|
312
|
+
},
|
|
313
|
+
}),
|
|
314
|
+
status: queryGeneric({
|
|
315
|
+
args: { enterpriseId: v.string() },
|
|
316
|
+
handler: async (ctx, args) => {
|
|
317
|
+
await authorize(ctx, "sso.connection.read", {
|
|
318
|
+
enterpriseId: args.enterpriseId,
|
|
319
|
+
});
|
|
320
|
+
return await auth.sso.admin.connection.status(
|
|
321
|
+
ctx as never,
|
|
322
|
+
args.enterpriseId,
|
|
323
|
+
);
|
|
324
|
+
},
|
|
325
|
+
}),
|
|
326
|
+
domain: {
|
|
327
|
+
list: queryGeneric({
|
|
328
|
+
args: { enterpriseId: v.string() },
|
|
329
|
+
handler: async (ctx, args) => {
|
|
330
|
+
await authorize(ctx, "sso.connection.read", {
|
|
331
|
+
enterpriseId: args.enterpriseId,
|
|
332
|
+
});
|
|
333
|
+
return await auth.sso.admin.connection.domain.list(
|
|
334
|
+
ctx as never,
|
|
335
|
+
args.enterpriseId,
|
|
336
|
+
);
|
|
337
|
+
},
|
|
338
|
+
}),
|
|
339
|
+
validate: queryGeneric({
|
|
340
|
+
args: { enterpriseId: v.string() },
|
|
341
|
+
handler: async (ctx, args) => {
|
|
342
|
+
await authorize(ctx, "sso.domain.manage", {
|
|
343
|
+
enterpriseId: args.enterpriseId,
|
|
344
|
+
});
|
|
345
|
+
return await auth.sso.admin.connection.domain.validate(
|
|
346
|
+
ctx as never,
|
|
347
|
+
args.enterpriseId,
|
|
348
|
+
);
|
|
349
|
+
},
|
|
350
|
+
}),
|
|
351
|
+
set: mutationGeneric({
|
|
352
|
+
args: {
|
|
353
|
+
enterpriseId: v.string(),
|
|
354
|
+
domains: v.array(enterpriseDomainInputValidator),
|
|
355
|
+
},
|
|
356
|
+
handler: async (ctx, args) => {
|
|
357
|
+
await authorize(ctx, "sso.domain.manage", {
|
|
358
|
+
enterpriseId: args.enterpriseId,
|
|
359
|
+
});
|
|
360
|
+
await auth.sso.admin.connection.domain.set(
|
|
361
|
+
ctx as never,
|
|
362
|
+
args.enterpriseId,
|
|
363
|
+
args.domains,
|
|
364
|
+
);
|
|
365
|
+
return null;
|
|
366
|
+
},
|
|
367
|
+
}),
|
|
368
|
+
},
|
|
369
|
+
},
|
|
370
|
+
oidc: {
|
|
371
|
+
configure: mutationGeneric({
|
|
372
|
+
args: {
|
|
373
|
+
enterpriseId: v.string(),
|
|
374
|
+
issuer: v.optional(v.string()),
|
|
375
|
+
discoveryUrl: v.optional(v.string()),
|
|
376
|
+
clientId: v.string(),
|
|
377
|
+
clientSecret: v.optional(v.string()),
|
|
378
|
+
scopes: v.optional(v.array(v.string())),
|
|
379
|
+
authorizationParams: v.optional(v.record(v.string(), v.string())),
|
|
380
|
+
clockToleranceSeconds: v.optional(v.number()),
|
|
381
|
+
strictIssuer: v.optional(v.boolean()),
|
|
382
|
+
extraFields: v.optional(v.record(v.string(), v.string())),
|
|
383
|
+
},
|
|
384
|
+
handler: async (ctx, args) => {
|
|
385
|
+
await authorize(ctx, "sso.protocol.manage", {
|
|
386
|
+
enterpriseId: args.enterpriseId,
|
|
387
|
+
});
|
|
388
|
+
return await auth.sso.admin.oidc.configure(ctx as never, args);
|
|
389
|
+
},
|
|
390
|
+
}),
|
|
391
|
+
get: queryGeneric({
|
|
392
|
+
args: { enterpriseId: v.string() },
|
|
393
|
+
handler: async (ctx, args) => {
|
|
394
|
+
await authorize(ctx, "sso.connection.read", {
|
|
395
|
+
enterpriseId: args.enterpriseId,
|
|
396
|
+
});
|
|
397
|
+
return await auth.sso.admin.oidc.get(
|
|
398
|
+
ctx as never,
|
|
399
|
+
args.enterpriseId,
|
|
400
|
+
);
|
|
401
|
+
},
|
|
402
|
+
}),
|
|
403
|
+
validate: actionGeneric({
|
|
404
|
+
args: { enterpriseId: v.string() },
|
|
405
|
+
handler: async (ctx, args) => {
|
|
406
|
+
await authorize(ctx, "sso.protocol.manage", {
|
|
407
|
+
enterpriseId: args.enterpriseId,
|
|
408
|
+
});
|
|
409
|
+
return await auth.sso.admin.oidc.validate(
|
|
410
|
+
ctx as never,
|
|
411
|
+
args.enterpriseId,
|
|
412
|
+
);
|
|
413
|
+
},
|
|
414
|
+
}),
|
|
415
|
+
},
|
|
416
|
+
saml: {
|
|
417
|
+
configure: actionGeneric({
|
|
418
|
+
args: {
|
|
419
|
+
enterpriseId: v.string(),
|
|
420
|
+
metadataXml: v.optional(v.string()),
|
|
421
|
+
metadataUrl: v.optional(v.string()),
|
|
422
|
+
domains: v.optional(v.array(v.string())),
|
|
423
|
+
signAuthnRequests: v.optional(v.boolean()),
|
|
424
|
+
attributeMapping: v.optional(
|
|
425
|
+
enterpriseSamlAttributeMappingValidator,
|
|
426
|
+
),
|
|
427
|
+
sp: v.optional(enterpriseSamlSpValidator),
|
|
428
|
+
},
|
|
429
|
+
handler: async (ctx, args) => {
|
|
430
|
+
await authorize(ctx, "sso.protocol.manage", {
|
|
431
|
+
enterpriseId: args.enterpriseId,
|
|
432
|
+
});
|
|
433
|
+
return await auth.sso.admin.saml.configure(ctx as never, args);
|
|
434
|
+
},
|
|
435
|
+
}),
|
|
436
|
+
validate: queryGeneric({
|
|
437
|
+
args: { enterpriseId: v.string() },
|
|
438
|
+
handler: async (ctx, args) => {
|
|
439
|
+
await authorize(ctx, "sso.protocol.manage", {
|
|
440
|
+
enterpriseId: args.enterpriseId,
|
|
441
|
+
});
|
|
442
|
+
return await auth.sso.admin.saml.validate(
|
|
443
|
+
ctx as never,
|
|
444
|
+
args.enterpriseId,
|
|
445
|
+
);
|
|
446
|
+
},
|
|
447
|
+
}),
|
|
448
|
+
},
|
|
449
|
+
policy: {
|
|
450
|
+
get: queryGeneric({
|
|
451
|
+
args: { enterpriseId: v.string() },
|
|
452
|
+
handler: async (ctx, args) => {
|
|
453
|
+
await authorize(ctx, "sso.connection.read", {
|
|
454
|
+
enterpriseId: args.enterpriseId,
|
|
455
|
+
});
|
|
456
|
+
return await auth.sso.admin.policy.get(
|
|
457
|
+
ctx as never,
|
|
458
|
+
args.enterpriseId,
|
|
459
|
+
);
|
|
460
|
+
},
|
|
461
|
+
}),
|
|
462
|
+
update: mutationGeneric({
|
|
463
|
+
args: {
|
|
464
|
+
enterpriseId: v.string(),
|
|
465
|
+
patch: enterprisePolicyPatchValidator,
|
|
466
|
+
},
|
|
467
|
+
handler: async (ctx, args) => {
|
|
468
|
+
await authorize(ctx, "sso.policy.manage", {
|
|
469
|
+
enterpriseId: args.enterpriseId,
|
|
470
|
+
});
|
|
471
|
+
return await auth.sso.admin.policy.update(
|
|
472
|
+
ctx as never,
|
|
473
|
+
args.enterpriseId,
|
|
474
|
+
args.patch,
|
|
475
|
+
);
|
|
476
|
+
},
|
|
477
|
+
}),
|
|
478
|
+
validate: queryGeneric({
|
|
479
|
+
args: { enterpriseId: v.string() },
|
|
480
|
+
handler: async (ctx, args) => {
|
|
481
|
+
await authorize(ctx, "sso.policy.manage", {
|
|
482
|
+
enterpriseId: args.enterpriseId,
|
|
483
|
+
});
|
|
484
|
+
return await auth.sso.admin.policy.validate(
|
|
485
|
+
ctx as never,
|
|
486
|
+
args.enterpriseId,
|
|
487
|
+
);
|
|
488
|
+
},
|
|
489
|
+
}),
|
|
490
|
+
},
|
|
491
|
+
audit: {
|
|
492
|
+
list: queryGeneric({
|
|
493
|
+
args: {
|
|
494
|
+
enterpriseId: v.optional(v.string()),
|
|
495
|
+
groupId: v.optional(v.string()),
|
|
496
|
+
limit: v.optional(v.number()),
|
|
497
|
+
},
|
|
498
|
+
handler: async (ctx, args) => {
|
|
499
|
+
await authorize(ctx, "sso.audit.read", {
|
|
500
|
+
enterpriseId: args.enterpriseId,
|
|
501
|
+
groupId: args.groupId,
|
|
502
|
+
});
|
|
503
|
+
return await auth.sso.admin.audit.list(ctx as never, args);
|
|
504
|
+
},
|
|
505
|
+
}),
|
|
506
|
+
},
|
|
507
|
+
webhook: {
|
|
508
|
+
endpoint: {
|
|
509
|
+
create: mutationGeneric({
|
|
510
|
+
args: {
|
|
511
|
+
enterpriseId: v.string(),
|
|
512
|
+
url: v.string(),
|
|
513
|
+
secret: v.string(),
|
|
514
|
+
subscriptions: v.array(v.string()),
|
|
515
|
+
createdByUserId: v.optional(v.string()),
|
|
516
|
+
},
|
|
517
|
+
handler: async (ctx, args) => {
|
|
518
|
+
const { userId } = await authorize(ctx, "sso.webhook.manage", {
|
|
519
|
+
enterpriseId: args.enterpriseId,
|
|
520
|
+
});
|
|
521
|
+
const result = await auth.sso.admin.webhook.endpoint.create(
|
|
522
|
+
ctx as never,
|
|
523
|
+
{
|
|
524
|
+
...args,
|
|
525
|
+
createdByUserId: args.createdByUserId ?? userId,
|
|
526
|
+
},
|
|
527
|
+
);
|
|
528
|
+
return {
|
|
529
|
+
_id: result.endpointId,
|
|
530
|
+
enterpriseId: args.enterpriseId,
|
|
531
|
+
url: args.url,
|
|
532
|
+
subscriptions: args.subscriptions,
|
|
533
|
+
createdByUserId: args.createdByUserId ?? userId,
|
|
534
|
+
status: "active",
|
|
535
|
+
failureCount: 0,
|
|
536
|
+
};
|
|
537
|
+
},
|
|
538
|
+
}),
|
|
539
|
+
list: queryGeneric({
|
|
540
|
+
args: { enterpriseId: v.string() },
|
|
541
|
+
handler: async (ctx, args) => {
|
|
542
|
+
await authorize(ctx, "sso.webhook.manage", {
|
|
543
|
+
enterpriseId: args.enterpriseId,
|
|
544
|
+
});
|
|
545
|
+
const endpoints = await auth.sso.admin.webhook.endpoint.list(
|
|
546
|
+
ctx as never,
|
|
547
|
+
args.enterpriseId,
|
|
548
|
+
);
|
|
549
|
+
return endpoints.map((endpoint: Record<string, unknown>) => {
|
|
550
|
+
const { secretHash: _secretHash, ...rest } = endpoint;
|
|
551
|
+
return rest;
|
|
552
|
+
});
|
|
553
|
+
},
|
|
554
|
+
}),
|
|
555
|
+
disable: mutationGeneric({
|
|
556
|
+
args: { endpointId: v.string() },
|
|
557
|
+
handler: async (ctx, args) => {
|
|
558
|
+
await authorize(ctx, "sso.webhook.manage");
|
|
559
|
+
await auth.sso.admin.webhook.endpoint.disable(
|
|
560
|
+
ctx as never,
|
|
561
|
+
args.endpointId,
|
|
562
|
+
);
|
|
563
|
+
return null;
|
|
564
|
+
},
|
|
565
|
+
}),
|
|
566
|
+
},
|
|
567
|
+
},
|
|
568
|
+
},
|
|
569
|
+
client: {
|
|
570
|
+
signIn: queryGeneric({
|
|
571
|
+
args: {
|
|
572
|
+
enterpriseId: v.optional(v.string()),
|
|
573
|
+
email: v.optional(v.string()),
|
|
574
|
+
domain: v.optional(v.string()),
|
|
575
|
+
redirectTo: v.optional(v.string()),
|
|
576
|
+
},
|
|
577
|
+
handler: async (ctx, args) => {
|
|
578
|
+
return await auth.sso.client.signIn(ctx as never, args);
|
|
579
|
+
},
|
|
580
|
+
}),
|
|
581
|
+
metadata: queryGeneric({
|
|
582
|
+
args: {
|
|
583
|
+
enterpriseId: v.string(),
|
|
584
|
+
entityId: v.optional(v.string()),
|
|
585
|
+
acsUrl: v.optional(v.string()),
|
|
586
|
+
sloUrl: v.optional(v.string()),
|
|
587
|
+
},
|
|
588
|
+
handler: async (ctx, args) => {
|
|
589
|
+
return await auth.sso.client.metadata(ctx as never, args);
|
|
590
|
+
},
|
|
591
|
+
}),
|
|
592
|
+
},
|
|
593
|
+
};
|
|
594
|
+
}
|
|
595
|
+
|
|
596
|
+
/**
|
|
597
|
+
* Build optional public SCIM management actions that apps can mount under
|
|
598
|
+
* `convex/auth/scim/**` when they want client-callable enterprise admin APIs.
|
|
599
|
+
*/
|
|
600
|
+
export function scim(
|
|
601
|
+
auth: Pick<AuthApi, "scim" | "sso" | "user">,
|
|
602
|
+
options?: MountedEnterpriseOptions,
|
|
603
|
+
) {
|
|
604
|
+
const authorize = createMountedAdminAuthorizer(auth, options);
|
|
605
|
+
|
|
606
|
+
return {
|
|
607
|
+
admin: {
|
|
608
|
+
configure: mutationGeneric({
|
|
609
|
+
args: {
|
|
610
|
+
enterpriseId: v.string(),
|
|
611
|
+
basePath: v.optional(v.string()),
|
|
612
|
+
status: v.optional(enterpriseStatusValidator),
|
|
613
|
+
},
|
|
614
|
+
handler: async (ctx, args) => {
|
|
615
|
+
await authorize(ctx, "scim.manage", {
|
|
616
|
+
enterpriseId: args.enterpriseId,
|
|
617
|
+
});
|
|
618
|
+
return await auth.scim.admin.configure(ctx as never, args);
|
|
619
|
+
},
|
|
620
|
+
}),
|
|
621
|
+
get: queryGeneric({
|
|
622
|
+
args: { enterpriseId: v.string() },
|
|
623
|
+
handler: async (ctx, args) => {
|
|
624
|
+
await authorize(ctx, "scim.manage", {
|
|
625
|
+
enterpriseId: args.enterpriseId,
|
|
626
|
+
});
|
|
627
|
+
return await auth.scim.admin.get(ctx as never, args.enterpriseId);
|
|
628
|
+
},
|
|
629
|
+
}),
|
|
630
|
+
validate: queryGeneric({
|
|
631
|
+
args: { enterpriseId: v.string() },
|
|
632
|
+
handler: async (ctx, args) => {
|
|
633
|
+
await authorize(ctx, "scim.manage", {
|
|
634
|
+
enterpriseId: args.enterpriseId,
|
|
635
|
+
});
|
|
636
|
+
return await auth.scim.admin.validate(
|
|
637
|
+
ctx as never,
|
|
638
|
+
args.enterpriseId,
|
|
639
|
+
);
|
|
640
|
+
},
|
|
641
|
+
}),
|
|
642
|
+
},
|
|
643
|
+
};
|
|
644
|
+
}
|
|
645
|
+
|
|
646
|
+
/**
|
|
647
|
+
* Build a flat mounted enterprise API surface for app-owned Convex exports.
|
|
648
|
+
*
|
|
649
|
+
* The returned object contains tenant-admin SSO and SCIM control-plane
|
|
650
|
+
* functions plus end-user enterprise sign-in helpers. The `authorized`
|
|
651
|
+
* callback is required for admin operations.
|
|
652
|
+
*/
|
|
653
|
+
export function enterprise(
|
|
654
|
+
auth: Pick<AuthApi, "group" | "member" | "scim" | "sso" | "user">,
|
|
655
|
+
options: EnterpriseMountOptions,
|
|
656
|
+
) {
|
|
657
|
+
const mountedSso = sso(auth, { authorized: options.authorized });
|
|
658
|
+
const mountedScim = scim(auth, { authorized: options.authorized });
|
|
659
|
+
|
|
660
|
+
return {
|
|
661
|
+
createConnection: mountedSso.admin.connection.create,
|
|
662
|
+
getConnection: mountedSso.admin.connection.get,
|
|
663
|
+
getConnectionByGroup: mountedSso.admin.connection.getByGroup,
|
|
664
|
+
getConnectionByDomain: mountedSso.admin.connection.getByDomain,
|
|
665
|
+
listConnections: mountedSso.admin.connection.list,
|
|
666
|
+
updateConnection: mountedSso.admin.connection.update,
|
|
667
|
+
deleteConnection: mountedSso.admin.connection.delete,
|
|
668
|
+
getConnectionStatus: mountedSso.admin.connection.status,
|
|
669
|
+
listDomains: mountedSso.admin.connection.domain.list,
|
|
670
|
+
validateDomains: mountedSso.admin.connection.domain.validate,
|
|
671
|
+
setDomains: mountedSso.admin.connection.domain.set,
|
|
672
|
+
configureOidc: mountedSso.admin.oidc.configure,
|
|
673
|
+
getOidc: mountedSso.admin.oidc.get,
|
|
674
|
+
validateOidc: mountedSso.admin.oidc.validate,
|
|
675
|
+
configureSaml: mountedSso.admin.saml.configure,
|
|
676
|
+
validateSaml: mountedSso.admin.saml.validate,
|
|
677
|
+
getPolicy: mountedSso.admin.policy.get,
|
|
678
|
+
updatePolicy: mountedSso.admin.policy.update,
|
|
679
|
+
validatePolicy: mountedSso.admin.policy.validate,
|
|
680
|
+
listAudit: mountedSso.admin.audit.list,
|
|
681
|
+
createWebhookEndpoint: mountedSso.admin.webhook.endpoint.create,
|
|
682
|
+
listWebhookEndpoints: mountedSso.admin.webhook.endpoint.list,
|
|
683
|
+
disableWebhookEndpoint: mountedSso.admin.webhook.endpoint.disable,
|
|
684
|
+
configureScim: mountedScim.admin.configure,
|
|
685
|
+
getScim: mountedScim.admin.get,
|
|
686
|
+
validateScim: mountedScim.admin.validate,
|
|
687
|
+
signIn: mountedSso.client.signIn,
|
|
688
|
+
metadata: mountedSso.client.metadata,
|
|
689
|
+
};
|
|
690
|
+
}
|
|
19
691
|
|
|
20
692
|
/** Cookie lifetime configuration for auth tokens. */
|
|
21
693
|
export type AuthCookieConfig = {
|
|
@@ -588,9 +1260,9 @@ export function server(options: ServerOptions) {
|
|
|
588
1260
|
: {};
|
|
589
1261
|
|
|
590
1262
|
const actionDispatch =
|
|
591
|
-
action === "auth
|
|
1263
|
+
action === "auth:signIn"
|
|
592
1264
|
? { action: "sessionStart" as const }
|
|
593
|
-
: action === "auth
|
|
1265
|
+
: action === "auth:signOut"
|
|
594
1266
|
? { action: "sessionStop" as const }
|
|
595
1267
|
: null;
|
|
596
1268
|
|
|
@@ -943,37 +1615,37 @@ export function server(options: ServerOptions) {
|
|
|
943
1615
|
redirect: () =>
|
|
944
1616
|
Fx.fatal(
|
|
945
1617
|
new Error(
|
|
946
|
-
"Invalid `auth
|
|
1618
|
+
"Invalid `auth:signIn` result for sign-out fallback refresh",
|
|
947
1619
|
),
|
|
948
1620
|
),
|
|
949
1621
|
started: () =>
|
|
950
1622
|
Fx.fatal(
|
|
951
1623
|
new Error(
|
|
952
|
-
"Invalid `auth
|
|
1624
|
+
"Invalid `auth:signIn` result for sign-out fallback refresh",
|
|
953
1625
|
),
|
|
954
1626
|
),
|
|
955
1627
|
passkeyOptions: () =>
|
|
956
1628
|
Fx.fatal(
|
|
957
1629
|
new Error(
|
|
958
|
-
"Invalid `auth
|
|
1630
|
+
"Invalid `auth:signIn` result for sign-out fallback refresh",
|
|
959
1631
|
),
|
|
960
1632
|
),
|
|
961
1633
|
totpRequired: () =>
|
|
962
1634
|
Fx.fatal(
|
|
963
1635
|
new Error(
|
|
964
|
-
"Invalid `auth
|
|
1636
|
+
"Invalid `auth:signIn` result for sign-out fallback refresh",
|
|
965
1637
|
),
|
|
966
1638
|
),
|
|
967
1639
|
totpSetup: () =>
|
|
968
1640
|
Fx.fatal(
|
|
969
1641
|
new Error(
|
|
970
|
-
"Invalid `auth
|
|
1642
|
+
"Invalid `auth:signIn` result for sign-out fallback refresh",
|
|
971
1643
|
),
|
|
972
1644
|
),
|
|
973
1645
|
deviceCode: () =>
|
|
974
1646
|
Fx.fatal(
|
|
975
1647
|
new Error(
|
|
976
|
-
"Invalid `auth
|
|
1648
|
+
"Invalid `auth:signIn` result for sign-out fallback refresh",
|
|
977
1649
|
),
|
|
978
1650
|
),
|
|
979
1651
|
}),
|
|
@@ -1146,37 +1818,37 @@ export function server(options: ServerOptions) {
|
|
|
1146
1818
|
redirect: () =>
|
|
1147
1819
|
Fx.fatal(
|
|
1148
1820
|
new Error(
|
|
1149
|
-
"Invalid `auth
|
|
1821
|
+
"Invalid `auth:signIn` result for code exchange",
|
|
1150
1822
|
),
|
|
1151
1823
|
),
|
|
1152
1824
|
started: () =>
|
|
1153
1825
|
Fx.fatal(
|
|
1154
1826
|
new Error(
|
|
1155
|
-
"Invalid `auth
|
|
1827
|
+
"Invalid `auth:signIn` result for code exchange",
|
|
1156
1828
|
),
|
|
1157
1829
|
),
|
|
1158
1830
|
passkeyOptions: () =>
|
|
1159
1831
|
Fx.fatal(
|
|
1160
1832
|
new Error(
|
|
1161
|
-
"Invalid `auth
|
|
1833
|
+
"Invalid `auth:signIn` result for code exchange",
|
|
1162
1834
|
),
|
|
1163
1835
|
),
|
|
1164
1836
|
totpRequired: () =>
|
|
1165
1837
|
Fx.fatal(
|
|
1166
1838
|
new Error(
|
|
1167
|
-
"Invalid `auth
|
|
1839
|
+
"Invalid `auth:signIn` result for code exchange",
|
|
1168
1840
|
),
|
|
1169
1841
|
),
|
|
1170
1842
|
totpSetup: () =>
|
|
1171
1843
|
Fx.fatal(
|
|
1172
1844
|
new Error(
|
|
1173
|
-
"Invalid `auth
|
|
1845
|
+
"Invalid `auth:signIn` result for code exchange",
|
|
1174
1846
|
),
|
|
1175
1847
|
),
|
|
1176
1848
|
deviceCode: () =>
|
|
1177
1849
|
Fx.fatal(
|
|
1178
1850
|
new Error(
|
|
1179
|
-
"Invalid `auth
|
|
1851
|
+
"Invalid `auth:signIn` result for code exchange",
|
|
1180
1852
|
),
|
|
1181
1853
|
),
|
|
1182
1854
|
}),
|
|
@@ -1367,37 +2039,37 @@ export function server(options: ServerOptions) {
|
|
|
1367
2039
|
redirect: () =>
|
|
1368
2040
|
Fx.fatal(
|
|
1369
2041
|
new Error(
|
|
1370
|
-
"Invalid `auth
|
|
2042
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1371
2043
|
),
|
|
1372
2044
|
),
|
|
1373
2045
|
started: () =>
|
|
1374
2046
|
Fx.fatal(
|
|
1375
2047
|
new Error(
|
|
1376
|
-
"Invalid `auth
|
|
2048
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1377
2049
|
),
|
|
1378
2050
|
),
|
|
1379
2051
|
passkeyOptions: () =>
|
|
1380
2052
|
Fx.fatal(
|
|
1381
2053
|
new Error(
|
|
1382
|
-
"Invalid `auth
|
|
2054
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1383
2055
|
),
|
|
1384
2056
|
),
|
|
1385
2057
|
totpRequired: () =>
|
|
1386
2058
|
Fx.fatal(
|
|
1387
2059
|
new Error(
|
|
1388
|
-
"Invalid `auth
|
|
2060
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1389
2061
|
),
|
|
1390
2062
|
),
|
|
1391
2063
|
totpSetup: () =>
|
|
1392
2064
|
Fx.fatal(
|
|
1393
2065
|
new Error(
|
|
1394
|
-
"Invalid `auth
|
|
2066
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1395
2067
|
),
|
|
1396
2068
|
),
|
|
1397
2069
|
deviceCode: () =>
|
|
1398
2070
|
Fx.fatal(
|
|
1399
2071
|
new Error(
|
|
1400
|
-
"Invalid `auth
|
|
2072
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1401
2073
|
),
|
|
1402
2074
|
),
|
|
1403
2075
|
}),
|
|
@@ -1518,37 +2190,37 @@ export function server(options: ServerOptions) {
|
|
|
1518
2190
|
redirect: () =>
|
|
1519
2191
|
Fx.fatal(
|
|
1520
2192
|
new Error(
|
|
1521
|
-
"Invalid `auth
|
|
2193
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1522
2194
|
),
|
|
1523
2195
|
),
|
|
1524
2196
|
started: () =>
|
|
1525
2197
|
Fx.fatal(
|
|
1526
2198
|
new Error(
|
|
1527
|
-
"Invalid `auth
|
|
2199
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1528
2200
|
),
|
|
1529
2201
|
),
|
|
1530
2202
|
passkeyOptions: () =>
|
|
1531
2203
|
Fx.fatal(
|
|
1532
2204
|
new Error(
|
|
1533
|
-
"Invalid `auth
|
|
2205
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1534
2206
|
),
|
|
1535
2207
|
),
|
|
1536
2208
|
totpRequired: () =>
|
|
1537
2209
|
Fx.fatal(
|
|
1538
2210
|
new Error(
|
|
1539
|
-
"Invalid `auth
|
|
2211
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1540
2212
|
),
|
|
1541
2213
|
),
|
|
1542
2214
|
totpSetup: () =>
|
|
1543
2215
|
Fx.fatal(
|
|
1544
2216
|
new Error(
|
|
1545
|
-
"Invalid `auth
|
|
2217
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1546
2218
|
),
|
|
1547
2219
|
),
|
|
1548
2220
|
deviceCode: () =>
|
|
1549
2221
|
Fx.fatal(
|
|
1550
2222
|
new Error(
|
|
1551
|
-
"Invalid `auth
|
|
2223
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1552
2224
|
),
|
|
1553
2225
|
),
|
|
1554
2226
|
}),
|
|
@@ -1643,37 +2315,37 @@ export function server(options: ServerOptions) {
|
|
|
1643
2315
|
redirect: () =>
|
|
1644
2316
|
Fx.fatal(
|
|
1645
2317
|
new Error(
|
|
1646
|
-
"Invalid `auth
|
|
2318
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1647
2319
|
),
|
|
1648
2320
|
),
|
|
1649
2321
|
started: () =>
|
|
1650
2322
|
Fx.fatal(
|
|
1651
2323
|
new Error(
|
|
1652
|
-
"Invalid `auth
|
|
2324
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1653
2325
|
),
|
|
1654
2326
|
),
|
|
1655
2327
|
passkeyOptions: () =>
|
|
1656
2328
|
Fx.fatal(
|
|
1657
2329
|
new Error(
|
|
1658
|
-
"Invalid `auth
|
|
2330
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1659
2331
|
),
|
|
1660
2332
|
),
|
|
1661
2333
|
totpRequired: () =>
|
|
1662
2334
|
Fx.fatal(
|
|
1663
2335
|
new Error(
|
|
1664
|
-
"Invalid `auth
|
|
2336
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1665
2337
|
),
|
|
1666
2338
|
),
|
|
1667
2339
|
totpSetup: () =>
|
|
1668
2340
|
Fx.fatal(
|
|
1669
2341
|
new Error(
|
|
1670
|
-
"Invalid `auth
|
|
2342
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1671
2343
|
),
|
|
1672
2344
|
),
|
|
1673
2345
|
deviceCode: () =>
|
|
1674
2346
|
Fx.fatal(
|
|
1675
2347
|
new Error(
|
|
1676
|
-
"Invalid `auth
|
|
2348
|
+
"Invalid `auth:signIn` result for token refresh",
|
|
1677
2349
|
),
|
|
1678
2350
|
),
|
|
1679
2351
|
}),
|