@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +140 -9
- package/dist/bin.cjs +5957 -5478
- package/dist/client/index.d.ts +3 -7
- package/dist/client/index.d.ts.map +1 -1
- package/dist/client/index.js +27 -26
- package/dist/client/index.js.map +1 -1
- package/dist/component/_generated/api.d.ts +14 -0
- package/dist/component/_generated/api.d.ts.map +1 -1
- package/dist/component/_generated/api.js.map +1 -1
- package/dist/component/_generated/component.d.ts +1513 -3
- package/dist/component/_generated/component.d.ts.map +1 -1
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/convex.config.d.ts.map +1 -1
- package/dist/component/model.d.ts +153 -0
- package/dist/component/model.d.ts.map +1 -0
- package/dist/component/model.js +327 -0
- package/dist/component/model.js.map +1 -0
- package/dist/component/providers/sso.d.ts +1 -1
- package/dist/component/public/enterprise.d.ts +49 -0
- package/dist/component/public/enterprise.d.ts.map +1 -0
- package/dist/component/public/enterprise.js +450 -0
- package/dist/component/public/enterprise.js.map +1 -0
- package/dist/component/public/factors.d.ts +52 -0
- package/dist/component/public/factors.d.ts.map +1 -0
- package/dist/component/public/factors.js +285 -0
- package/dist/component/public/factors.js.map +1 -0
- package/dist/component/public/groups.d.ts +118 -0
- package/dist/component/public/groups.d.ts.map +1 -0
- package/dist/component/public/groups.js +599 -0
- package/dist/component/public/groups.js.map +1 -0
- package/dist/component/public/identity.d.ts +93 -0
- package/dist/component/public/identity.d.ts.map +1 -0
- package/dist/component/public/identity.js +426 -0
- package/dist/component/public/identity.js.map +1 -0
- package/dist/component/public/keys.d.ts +41 -0
- package/dist/component/public/keys.d.ts.map +1 -0
- package/dist/component/public/keys.js +157 -0
- package/dist/component/public/keys.js.map +1 -0
- package/dist/component/public/shared.d.ts +26 -0
- package/dist/component/public/shared.d.ts.map +1 -0
- package/dist/component/public/shared.js +32 -0
- package/dist/component/public/shared.js.map +1 -0
- package/dist/component/public.d.ts +9 -321
- package/dist/component/public.d.ts.map +1 -1
- package/dist/component/public.js +6 -2145
- package/dist/component/schema.d.ts +368 -258
- package/dist/component/schema.js +23 -27
- package/dist/component/schema.js.map +1 -1
- package/dist/component/server/auth.d.ts +42 -7
- package/dist/component/server/auth.d.ts.map +1 -1
- package/dist/component/server/auth.js +70 -6
- package/dist/component/server/auth.js.map +1 -1
- package/dist/component/server/cookies.js +3 -0
- package/dist/component/server/cookies.js.map +1 -1
- package/dist/component/server/db.js +1 -0
- package/dist/component/server/db.js.map +1 -1
- package/dist/component/server/device.js +3 -1
- package/dist/component/server/device.js.map +1 -1
- package/dist/component/server/domains/core.js +466 -0
- package/dist/component/server/domains/core.js.map +1 -0
- package/dist/component/server/domains/sso.js +689 -0
- package/dist/component/server/domains/sso.js.map +1 -0
- package/dist/component/server/factory.d.ts +136 -0
- package/dist/component/server/factory.d.ts.map +1 -0
- package/dist/component/server/factory.js +1128 -0
- package/dist/component/server/factory.js.map +1 -0
- package/dist/component/server/fx.js +2 -1
- package/dist/component/server/fx.js.map +1 -1
- package/dist/component/server/http.js +287 -0
- package/dist/component/server/http.js.map +1 -0
- package/dist/component/server/identity.js +13 -0
- package/dist/component/server/identity.js.map +1 -0
- package/dist/component/server/keys.js +4 -0
- package/dist/component/server/keys.js.map +1 -1
- package/dist/component/server/mutations/account.js +1 -1
- package/dist/component/server/mutations/index.js +2 -2
- package/dist/component/server/mutations/index.js.map +1 -1
- package/dist/component/server/mutations/invalidate.js +1 -1
- package/dist/component/server/mutations/oauth.js +10 -7
- package/dist/component/server/mutations/oauth.js.map +1 -1
- package/dist/component/server/mutations/refresh.js +1 -1
- package/dist/component/server/mutations/register.js +1 -1
- package/dist/component/server/mutations/retrieve.js +1 -1
- package/dist/component/server/mutations/signature.js +1 -1
- package/dist/component/server/mutations/store.js +6 -3
- package/dist/component/server/mutations/store.js.map +1 -1
- package/dist/component/server/mutations/verify.js +1 -1
- package/dist/component/server/oauth.js +3 -0
- package/dist/component/server/oauth.js.map +1 -1
- package/dist/component/server/passkey.js +3 -2
- package/dist/component/server/passkey.js.map +1 -1
- package/dist/component/server/provider.js +2 -0
- package/dist/component/server/provider.js.map +1 -1
- package/dist/component/server/providers.js +3 -0
- package/dist/component/server/providers.js.map +1 -1
- package/dist/component/server/ratelimit.js +3 -0
- package/dist/component/server/ratelimit.js.map +1 -1
- package/dist/component/server/redirects.js +2 -0
- package/dist/component/server/redirects.js.map +1 -1
- package/dist/component/server/refresh.js +5 -0
- package/dist/component/server/refresh.js.map +1 -1
- package/dist/component/server/sessions.js +5 -0
- package/dist/component/server/sessions.js.map +1 -1
- package/dist/component/server/signin.js +2 -1
- package/dist/component/server/signin.js.map +1 -1
- package/dist/component/server/sso.js +166 -19
- package/dist/component/server/sso.js.map +1 -1
- package/dist/component/server/tokens.js +1 -0
- package/dist/component/server/tokens.js.map +1 -1
- package/dist/component/server/totp.js +4 -2
- package/dist/component/server/totp.js.map +1 -1
- package/dist/component/server/types.d.ts +50 -35
- package/dist/component/server/types.d.ts.map +1 -1
- package/dist/component/server/types.js.map +1 -1
- package/dist/component/server/users.js +1 -0
- package/dist/component/server/users.js.map +1 -1
- package/dist/component/server/utils.js +44 -2
- package/dist/component/server/utils.js.map +1 -1
- package/dist/providers/anonymous.d.ts +1 -1
- package/dist/providers/credentials.d.ts +1 -1
- package/dist/providers/password.d.ts +1 -1
- package/dist/providers/sso.d.ts +1 -1
- package/dist/providers/sso.js.map +1 -1
- package/dist/server/auth.d.ts +44 -9
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +70 -6
- package/dist/server/auth.js.map +1 -1
- package/dist/server/cookies.d.ts +1 -38
- package/dist/server/cookies.js +3 -0
- package/dist/server/cookies.js.map +1 -1
- package/dist/server/db.d.ts +1 -125
- package/dist/server/db.js +1 -0
- package/dist/server/db.js.map +1 -1
- package/dist/server/device.d.ts +1 -24
- package/dist/server/device.js +3 -1
- package/dist/server/device.js.map +1 -1
- package/dist/server/domains/core.d.ts +320 -0
- package/dist/server/domains/core.d.ts.map +1 -0
- package/dist/server/domains/core.js +466 -0
- package/dist/server/domains/core.js.map +1 -0
- package/dist/server/domains/sso.d.ts +340 -0
- package/dist/server/domains/sso.d.ts.map +1 -0
- package/dist/server/domains/sso.js +689 -0
- package/dist/server/domains/sso.js.map +1 -0
- package/dist/server/enterpriseValidators.d.ts +1 -0
- package/dist/server/enterpriseValidators.js +56 -0
- package/dist/server/enterpriseValidators.js.map +1 -0
- package/dist/server/factory.d.ts +136 -0
- package/dist/server/factory.d.ts.map +1 -0
- package/dist/server/factory.js +1128 -0
- package/dist/server/factory.js.map +1 -0
- package/dist/server/fx.d.ts +1 -16
- package/dist/server/fx.d.ts.map +1 -1
- package/dist/server/fx.js +1 -0
- package/dist/server/fx.js.map +1 -1
- package/dist/server/http.d.ts +59 -0
- package/dist/server/http.d.ts.map +1 -0
- package/dist/server/http.js +287 -0
- package/dist/server/http.js.map +1 -0
- package/dist/server/identity.d.ts +1 -0
- package/dist/server/identity.js +13 -0
- package/dist/server/identity.js.map +1 -0
- package/dist/server/index.d.ts +432 -1
- package/dist/server/index.d.ts.map +1 -1
- package/dist/server/index.js +486 -36
- package/dist/server/index.js.map +1 -1
- package/dist/server/keys.d.ts +1 -57
- package/dist/server/keys.js +4 -0
- package/dist/server/keys.js.map +1 -1
- package/dist/server/mutations/account.d.ts +7 -7
- package/dist/server/mutations/account.d.ts.map +1 -1
- package/dist/server/mutations/code.d.ts +13 -13
- package/dist/server/mutations/index.d.ts +107 -107
- package/dist/server/mutations/index.d.ts.map +1 -1
- package/dist/server/mutations/index.js +1 -1
- package/dist/server/mutations/index.js.map +1 -1
- package/dist/server/mutations/invalidate.d.ts +5 -5
- package/dist/server/mutations/oauth.d.ts +10 -10
- package/dist/server/mutations/oauth.d.ts.map +1 -1
- package/dist/server/mutations/oauth.js +9 -6
- package/dist/server/mutations/oauth.js.map +1 -1
- package/dist/server/mutations/refresh.d.ts +4 -4
- package/dist/server/mutations/register.d.ts +12 -12
- package/dist/server/mutations/register.d.ts.map +1 -1
- package/dist/server/mutations/retrieve.d.ts +1 -1
- package/dist/server/mutations/signature.d.ts +5 -5
- package/dist/server/mutations/signature.d.ts.map +1 -1
- package/dist/server/mutations/signin.d.ts +1 -1
- package/dist/server/mutations/signout.d.ts +1 -1
- package/dist/server/mutations/store.d.ts +3 -2
- package/dist/server/mutations/store.d.ts.map +1 -1
- package/dist/server/mutations/store.js +6 -3
- package/dist/server/mutations/store.js.map +1 -1
- package/dist/server/mutations/verifier.d.ts +1 -1
- package/dist/server/mutations/verify.d.ts +4 -4
- package/dist/server/oauth.d.ts +1 -59
- package/dist/server/oauth.js +3 -0
- package/dist/server/oauth.js.map +1 -1
- package/dist/server/passkey.d.ts.map +1 -1
- package/dist/server/passkey.js +3 -2
- package/dist/server/passkey.js.map +1 -1
- package/dist/server/provider.d.ts +1 -14
- package/dist/server/provider.d.ts.map +1 -1
- package/dist/server/provider.js +2 -0
- package/dist/server/provider.js.map +1 -1
- package/dist/server/providers.js +3 -0
- package/dist/server/providers.js.map +1 -1
- package/dist/server/ratelimit.d.ts +1 -22
- package/dist/server/ratelimit.js +3 -0
- package/dist/server/ratelimit.js.map +1 -1
- package/dist/server/redirects.d.ts +1 -10
- package/dist/server/redirects.js +2 -0
- package/dist/server/redirects.js.map +1 -1
- package/dist/server/refresh.d.ts +1 -37
- package/dist/server/refresh.js +5 -0
- package/dist/server/refresh.js.map +1 -1
- package/dist/server/sessions.d.ts +1 -28
- package/dist/server/sessions.js +5 -0
- package/dist/server/sessions.js.map +1 -1
- package/dist/server/signin.d.ts +1 -55
- package/dist/server/signin.js +2 -1
- package/dist/server/signin.js.map +1 -1
- package/dist/server/sso.d.ts +1 -348
- package/dist/server/sso.js +165 -18
- package/dist/server/sso.js.map +1 -1
- package/dist/server/templates.d.ts +1 -21
- package/dist/server/templates.js +1 -0
- package/dist/server/templates.js.map +1 -1
- package/dist/server/tokens.d.ts +1 -11
- package/dist/server/tokens.js +1 -0
- package/dist/server/tokens.js.map +1 -1
- package/dist/server/totp.d.ts +1 -23
- package/dist/server/totp.js +4 -2
- package/dist/server/totp.js.map +1 -1
- package/dist/server/types.d.ts +55 -71
- package/dist/server/types.d.ts.map +1 -1
- package/dist/server/types.js.map +1 -1
- package/dist/server/users.d.ts +1 -31
- package/dist/server/users.js +1 -0
- package/dist/server/users.js.map +1 -1
- package/dist/server/utils.d.ts +1 -27
- package/dist/server/utils.js +44 -2
- package/dist/server/utils.js.map +1 -1
- package/dist/server/version.d.ts +1 -1
- package/dist/server/version.js +1 -1
- package/dist/server/version.js.map +1 -1
- package/package.json +4 -5
- package/src/cli/bin.ts +5 -0
- package/src/cli/index.ts +22 -9
- package/src/cli/keys.ts +3 -0
- package/src/client/index.ts +36 -37
- package/src/component/_generated/api.ts +14 -0
- package/src/component/_generated/component.ts +1920 -3
- package/src/component/index.ts +2 -0
- package/src/component/model.ts +424 -0
- package/src/component/public/enterprise.ts +654 -0
- package/src/component/public/factors.ts +332 -0
- package/src/component/public/groups.ts +951 -0
- package/src/component/public/identity.ts +566 -0
- package/src/component/public/keys.ts +209 -0
- package/src/component/public/shared.ts +117 -0
- package/src/component/public.ts +5 -2965
- package/src/component/schema.ts +47 -57
- package/src/providers/sso.ts +1 -1
- package/src/server/auth.ts +192 -9
- package/src/server/cookies.ts +3 -0
- package/src/server/db.ts +3 -0
- package/src/server/device.ts +3 -1
- package/src/server/domains/core.ts +916 -0
- package/src/server/domains/sso.ts +1462 -0
- package/src/server/enterpriseValidators.ts +88 -0
- package/src/server/factory.ts +2168 -0
- package/src/server/fx.ts +1 -0
- package/src/server/http.ts +529 -0
- package/src/server/identity.ts +18 -0
- package/src/server/index.ts +712 -40
- package/src/server/keys.ts +4 -0
- package/src/server/mutations/index.ts +1 -1
- package/src/server/mutations/oauth.ts +36 -8
- package/src/server/mutations/store.ts +6 -3
- package/src/server/oauth.ts +6 -0
- package/src/server/passkey.ts +3 -2
- package/src/server/provider.ts +2 -0
- package/src/server/providers.ts +3 -0
- package/src/server/ratelimit.ts +3 -0
- package/src/server/redirects.ts +2 -0
- package/src/server/refresh.ts +5 -0
- package/src/server/sessions.ts +5 -0
- package/src/server/signin.ts +1 -0
- package/src/server/sso.ts +251 -17
- package/src/server/templates.ts +1 -0
- package/src/server/tokens.ts +1 -0
- package/src/server/totp.ts +4 -2
- package/src/server/types.ts +85 -77
- package/src/server/users.ts +1 -0
- package/src/server/utils.ts +71 -1
- package/src/server/version.ts +1 -1
- package/dist/component/public.js.map +0 -1
- package/dist/component/server/implementation.d.ts +0 -1264
- package/dist/component/server/implementation.d.ts.map +0 -1
- package/dist/component/server/implementation.js +0 -2365
- package/dist/component/server/implementation.js.map +0 -1
- package/dist/server/cookies.d.ts.map +0 -1
- package/dist/server/db.d.ts.map +0 -1
- package/dist/server/device.d.ts.map +0 -1
- package/dist/server/implementation.d.ts +0 -1264
- package/dist/server/implementation.d.ts.map +0 -1
- package/dist/server/implementation.js +0 -2365
- package/dist/server/implementation.js.map +0 -1
- package/dist/server/keys.d.ts.map +0 -1
- package/dist/server/oauth.d.ts.map +0 -1
- package/dist/server/ratelimit.d.ts.map +0 -1
- package/dist/server/redirects.d.ts.map +0 -1
- package/dist/server/refresh.d.ts.map +0 -1
- package/dist/server/sessions.d.ts.map +0 -1
- package/dist/server/signin.d.ts.map +0 -1
- package/dist/server/sso.d.ts.map +0 -1
- package/dist/server/templates.d.ts.map +0 -1
- package/dist/server/tokens.d.ts.map +0 -1
- package/dist/server/totp.d.ts.map +0 -1
- package/dist/server/users.d.ts.map +0 -1
- package/dist/server/utils.d.ts.map +0 -1
- package/src/server/implementation.ts +0 -5336
package/src/server/keys.ts
CHANGED
|
@@ -39,6 +39,7 @@ const VISIBLE_PREFIX_EXTRA_CHARS = 4;
|
|
|
39
39
|
* @param prefix - Key prefix, defaults to "sk_"
|
|
40
40
|
* @returns `{ raw, hashedKey, displayPrefix }`
|
|
41
41
|
*/
|
|
42
|
+
/** @internal */
|
|
42
43
|
export async function generateApiKey(
|
|
43
44
|
prefix: string = DEFAULT_KEY_PREFIX,
|
|
44
45
|
): Promise<{
|
|
@@ -65,6 +66,7 @@ export async function generateApiKey(
|
|
|
65
66
|
*
|
|
66
67
|
* Used during Bearer token verification to find the stored key record.
|
|
67
68
|
*/
|
|
69
|
+
/** @internal */
|
|
68
70
|
export async function hashApiKey(rawKey: string): Promise<string> {
|
|
69
71
|
return sha256(rawKey);
|
|
70
72
|
}
|
|
@@ -82,6 +84,7 @@ export async function hashApiKey(rawKey: string): Promise<string> {
|
|
|
82
84
|
* A wildcard action `"*"` grants all actions on that resource.
|
|
83
85
|
* A wildcard resource `"*"` grants the action on all resources.
|
|
84
86
|
*/
|
|
87
|
+
/** @internal */
|
|
85
88
|
export function buildScopeChecker(scopes: KeyScope[]): ScopeChecker {
|
|
86
89
|
return {
|
|
87
90
|
scopes,
|
|
@@ -107,6 +110,7 @@ export function buildScopeChecker(scopes: KeyScope[]): ScopeChecker {
|
|
|
107
110
|
*
|
|
108
111
|
* @returns `{ limited: boolean; newState: { attemptsLeft, lastAttemptTime } }`
|
|
109
112
|
*/
|
|
113
|
+
/** @internal */
|
|
110
114
|
export function checkKeyRateLimit(
|
|
111
115
|
rateLimit: { maxRequests: number; windowMs: number },
|
|
112
116
|
state: { attemptsLeft: number; lastAttemptTime: number } | undefined,
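Review bot: Each new `/** @internal */` is inserted between an existing JSDoc block and its declaration (the `generateApiKey`, `hashApiKey`, `buildScopeChecker` and `checkKeyRateLimit` hunks here), so every one of these exports now carries two leading doc comments. As far as I can tell `tsc --stripInternal` honours the tag in any leading comment, but several doc generators and declaration bundlers attach only the closest block, which would drop the `@param`/`@returns` text from the published API surface. The conventional form is to put the tag inside the existing block, e.g. add `* @internal` as the last line before `*/`, which removes the ambiguity. The same pattern is repeated in oauth.ts, provider.ts, ratelimit.ts, redirects.ts, refresh.ts and sessions.ts; in providers.ts the existing blocks already contain `* @internal`, so the added lines there are pure duplicates.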
|
|
@@ -96,7 +96,7 @@ export const storeImpl = async (
|
|
|
96
96
|
config: Provider.Config,
|
|
97
97
|
) => {
|
|
98
98
|
const args = fnArgs.args;
|
|
99
|
-
logWithLevel(LOG_LEVELS.INFO, `\`auth
|
|
99
|
+
logWithLevel(LOG_LEVELS.INFO, `\`auth:store\` type: ${args.type}`);
|
|
100
100
|
return Fx.run(
|
|
101
101
|
Fx.match(args, args.type, {
|
|
102
102
|
signIn: (a) =>
|
|
@@ -10,6 +10,7 @@ import {
|
|
|
10
10
|
ENTERPRISE_SAML_PROVIDER_PREFIX,
|
|
11
11
|
createSyntheticOAuthMaterializedConfig,
|
|
12
12
|
isEnterpriseProviderId,
|
|
13
|
+
normalizeEnterprisePolicy,
|
|
13
14
|
} from "../sso";
|
|
14
15
|
import { MutationCtx } from "../types";
|
|
15
16
|
import type { AuthProviderMaterializedConfig } from "../types";
|
|
@@ -92,9 +93,29 @@ export function userOAuthImpl(
|
|
|
92
93
|
: provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)
|
|
93
94
|
? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length)
|
|
94
95
|
: null;
|
|
95
|
-
|
|
96
|
+
const enterprise =
|
|
97
|
+
enterpriseId !== null
|
|
98
|
+
? yield* Fx.promise(() =>
|
|
99
|
+
ctx.runQuery(config.component.public.enterpriseGet, {
|
|
100
|
+
enterpriseId,
|
|
101
|
+
}),
|
|
102
|
+
)
|
|
103
|
+
: null;
|
|
104
|
+
const enterprisePolicy = enterprise
|
|
105
|
+
? normalizeEnterprisePolicy(enterprise.policy)
|
|
106
|
+
: null;
|
|
107
|
+
const enterpriseProtocol = provider.startsWith(
|
|
108
|
+
ENTERPRISE_OIDC_PROVIDER_PREFIX,
|
|
109
|
+
)
|
|
110
|
+
? "oidc"
|
|
111
|
+
: provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)
|
|
112
|
+
? "saml"
|
|
113
|
+
: null;
|
|
114
|
+
|
|
96
115
|
const existingScimIdentity =
|
|
97
|
-
enterpriseId !== null &&
|
|
116
|
+
enterpriseId !== null &&
|
|
117
|
+
existingAccount === null &&
|
|
118
|
+
enterprisePolicy?.provisioning.scimReuse.user === "externalId"
|
|
98
119
|
? yield* Fx.promise(() =>
|
|
99
120
|
ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {
|
|
100
121
|
enterpriseId,
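Review bot: When `enterpriseId` is non-null but `enterpriseGet` returns `null`, `enterprisePolicy` and therefore the `accountLinking` option handed to `createSyntheticOAuthMaterializedConfig` in the next hunk both become `undefined`, so the sign-in continues with whatever default that helper applies rather than the tenant's configured linking policy. Because account linking decides whether an IdP-asserted identity may attach to an existing account, this path should fail closed right after the lookup, e.g. `if (enterpriseId !== null && enterprise === null) return yield* Fx.fail(new AuthError(<enterprise-not-found code>));` — if an earlier step already guarantees the record exists, a comment at the lookup saying so would be enough. The `enterpriseProtocol` ternary repeats the same `startsWith` prefix tests already used to derive `enterpriseId`; deriving both values from one chain would keep them from drifting apart. userOAuthImpl starts before and ends after this hunk.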
|
|
@@ -123,7 +144,14 @@ export function userOAuthImpl(
|
|
|
123
144
|
{
|
|
124
145
|
type: "oauth",
|
|
125
146
|
provider: (isEnterpriseProviderId(provider)
|
|
126
|
-
? createSyntheticOAuthMaterializedConfig(provider
|
|
147
|
+
? createSyntheticOAuthMaterializedConfig(provider, {
|
|
148
|
+
accountLinking:
|
|
149
|
+
enterpriseProtocol === "oidc"
|
|
150
|
+
? enterprisePolicy?.identity.accountLinking.oidc
|
|
151
|
+
: enterpriseProtocol === "saml"
|
|
152
|
+
? enterprisePolicy?.identity.accountLinking.saml
|
|
153
|
+
: undefined,
|
|
154
|
+
})
|
|
127
155
|
: getProviderOrThrow(provider)) as AuthProviderMaterializedConfig,
|
|
128
156
|
profile,
|
|
129
157
|
accountExtend: normalizeAccountExtend(
|
|
@@ -142,13 +170,13 @@ export function userOAuthImpl(
|
|
|
142
170
|
// JIT group provisioning: if this is an enterprise SSO sign-in and the
|
|
143
171
|
// enterprise connection has a groupId, auto-add the user as a member of
|
|
144
172
|
// that group if they aren't already a member.
|
|
145
|
-
if (
|
|
173
|
+
if (
|
|
174
|
+
enterpriseId !== null &&
|
|
175
|
+
enterprisePolicy?.provisioning.jit.mode === "createUserAndMembership"
|
|
176
|
+
) {
|
|
146
177
|
const account = yield* Fx.promise(() => db.accounts.getById(accountId));
|
|
147
178
|
const userId = account?.userId;
|
|
148
179
|
if (userId) {
|
|
149
|
-
const enterprise = yield* Fx.promise(() =>
|
|
150
|
-
ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId }),
|
|
151
|
-
);
|
|
152
180
|
const groupId = (enterprise as any)?.groupId as string | undefined;
|
|
153
181
|
if (groupId) {
|
|
154
182
|
const existingMembership = yield* Fx.promise(() =>
|
|
@@ -162,7 +190,7 @@ export function userOAuthImpl(
|
|
|
162
190
|
ctx.runMutation(config.component.public.memberAdd, {
|
|
163
191
|
groupId,
|
|
164
192
|
userId,
|
|
165
|
-
role:
|
|
193
|
+
role: enterprisePolicy.provisioning.jit.defaultRole,
|
|
166
194
|
status: "active",
|
|
167
195
|
}),
|
|
168
196
|
);
|
|
@@ -1,7 +1,10 @@
|
|
|
1
|
+
import { makeFunctionReference } from "convex/server";
|
|
2
|
+
|
|
1
3
|
/**
|
|
2
4
|
* Internal function reference for the library's store dispatch mutation.
|
|
3
5
|
*
|
|
4
|
-
*
|
|
5
|
-
*
|
|
6
|
+
* The package cannot import the consumer app's generated `api` module,
|
|
7
|
+
* so it uses a canonical function reference name that matches the app-level
|
|
8
|
+
* `export const { store } = auth` surface.
|
|
6
9
|
*/
|
|
7
|
-
export const AUTH_STORE_REF = "auth
|
|
10
|
+
export const AUTH_STORE_REF = makeFunctionReference("auth:store") as any;
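Review bot: `makeFunctionReference("auth:store") as any` discards the reference's type, so every `ctx.runMutation(AUTH_STORE_REF, …)` call site loses argument and return-type checking. `makeFunctionReference` takes the function kind as a type parameter, so `makeFunctionReference<"mutation">("auth:store")` keeps a typed `FunctionReference` without the cast, and the args/return generics can be filled in if the store mutation's validator types are exported. The docblock explains why a string name is used; it would help to also state the consequence, e.g. `* Renaming the app-level \`store\` export breaks this reference at runtime, not at compile time.`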
|
package/src/server/oauth.ts
CHANGED
|
@@ -33,6 +33,7 @@ type OAuthProviderConfigLike = {
|
|
|
33
33
|
// ============================================================================
|
|
34
34
|
|
|
35
35
|
/** A cookie to be set on the HTTP response. */
|
|
36
|
+
/** @internal */
|
|
36
37
|
export interface OAuthCookie {
|
|
37
38
|
name: string;
|
|
38
39
|
value: string;
|
|
@@ -40,6 +41,7 @@ export interface OAuthCookie {
|
|
|
40
41
|
}
|
|
41
42
|
|
|
42
43
|
/** Result of creating an authorization URL. */
|
|
44
|
+
/** @internal */
|
|
43
45
|
export interface AuthorizationResult {
|
|
44
46
|
redirect: string;
|
|
45
47
|
cookies: OAuthCookie[];
|
|
@@ -47,6 +49,7 @@ export interface AuthorizationResult {
|
|
|
47
49
|
}
|
|
48
50
|
|
|
49
51
|
/** Result of handling an OAuth callback. */
|
|
52
|
+
/** @internal */
|
|
50
53
|
export interface CallbackResult {
|
|
51
54
|
profile: OAuthProfile;
|
|
52
55
|
providerAccountId: string;
|
|
@@ -98,6 +101,7 @@ function clearCookie(
|
|
|
98
101
|
* Creates a signature string from the OAuth state parameters.
|
|
99
102
|
* This is stored in the verifier table and validated during callback.
|
|
100
103
|
*/
|
|
104
|
+
/** @internal */
|
|
101
105
|
export function getAuthorizationSignature({
|
|
102
106
|
codeVerifier,
|
|
103
107
|
state,
|
|
@@ -251,6 +255,7 @@ function validateProfileId(
|
|
|
251
255
|
*
|
|
252
256
|
* Handles PKCE detection, state generation, and cookie creation.
|
|
253
257
|
*/
|
|
258
|
+
/** @internal */
|
|
254
259
|
export async function createOAuthAuthorizationURL(
|
|
255
260
|
providerId: string,
|
|
256
261
|
arcticProvider: any,
|
|
@@ -305,6 +310,7 @@ export async function createOAuthAuthorizationURL(
|
|
|
305
310
|
*
|
|
306
311
|
* Returns `Fx<CallbackResult, AuthError>` composed via `Fx.gen`.
|
|
307
312
|
*/
|
|
313
|
+
/** @internal */
|
|
308
314
|
export function handleOAuthCallback(
|
|
309
315
|
providerId: string,
|
|
310
316
|
arcticProvider: any,
|
package/src/server/passkey.ts
CHANGED
|
@@ -46,6 +46,7 @@ import type { Fx as FxType } from "@robelest/fx";
|
|
|
46
46
|
|
|
47
47
|
import { authDb } from "./db";
|
|
48
48
|
import { AuthError, Fx } from "./fx";
|
|
49
|
+
import { userIdFromIdentitySubject } from "./identity";
|
|
49
50
|
import { callSignIn, callVerifier } from "./mutations/index";
|
|
50
51
|
import { callVerifierSignature } from "./mutations/signature";
|
|
51
52
|
import { PasskeyProviderConfig, GenericActionCtxWithAuthConfig } from "./types";
|
|
@@ -300,7 +301,7 @@ export function handlePasskeyFx(
|
|
|
300
301
|
Fx.chain((id) =>
|
|
301
302
|
id === null
|
|
302
303
|
? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED"))
|
|
303
|
-
: Fx.succeed(id.subject
|
|
304
|
+
: Fx.succeed(userIdFromIdentitySubject(id.subject)),
|
|
304
305
|
),
|
|
305
306
|
),
|
|
306
307
|
resolveRpOptionsFx(provider),
|
|
@@ -382,7 +383,7 @@ export function handlePasskeyFx(
|
|
|
382
383
|
Fx.chain((id) =>
|
|
383
384
|
id === null
|
|
384
385
|
? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED"))
|
|
385
|
-
: Fx.succeed(id.subject
|
|
386
|
+
: Fx.succeed(userIdFromIdentitySubject(id.subject)),
|
|
386
387
|
),
|
|
387
388
|
),
|
|
388
389
|
resolveRpOptionsFx(provider),
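Review bot: The new `userIdFromIdentitySubject(id.subject)` call is wrapped directly in `Fx.succeed`, so if the helper returns `null`/`undefined` or throws for a subject that does not carry a user id (its contract is not visible from this hunk), the pipeline either succeeds with an empty id or bypasses the Fx error channel instead of failing with `PASSKEY_AUTH_REQUIRED` as the `id === null` branch does. If the helper can fail, guard its result, e.g. `const userId = userIdFromIdentitySubject(id.subject); return userId ? Fx.succeed(userId) : Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED"));`, or document at the import that it always returns a non-empty string. The same pattern appears in both hunks of this file. handlePasskeyFx starts before and ends after these hunks.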
|
package/src/server/provider.ts
CHANGED
|
@@ -11,6 +11,7 @@ import { errorMessage } from "./utils";
|
|
|
11
11
|
* Validates that the provider is a credentials provider and has the
|
|
12
12
|
* required crypto function, returning typed errors through the Fx channel.
|
|
13
13
|
*/
|
|
14
|
+
/** @internal */
|
|
14
15
|
export const hash = (provider: any, secret: string): Fx<string, AuthError> =>
|
|
15
16
|
Fx.gen(function* () {
|
|
16
17
|
if (provider.type !== "credentials") {
|
|
@@ -44,6 +45,7 @@ export const hash = (provider: any, secret: string): Fx<string, AuthError> =>
|
|
|
44
45
|
/**
|
|
45
46
|
* Verify a secret against a hash using the provider's `crypto.verifySecret` function.
|
|
46
47
|
*/
|
|
48
|
+
/** @internal */
|
|
47
49
|
export const verify = (
|
|
48
50
|
provider: AuthProviderMaterializedConfig,
|
|
49
51
|
secret: string,
|
package/src/server/providers.ts
CHANGED
|
@@ -33,6 +33,7 @@ function isClassProvider(
|
|
|
33
33
|
*
|
|
34
34
|
* @internal
|
|
35
35
|
*/
|
|
36
|
+
/** @internal */
|
|
36
37
|
export function configDefaults(config_: ConvexAuthConfig) {
|
|
37
38
|
const config = materializeAndDefaultProviders(config_);
|
|
38
39
|
// Collect extra providers from credentials providers
|
|
@@ -52,6 +53,7 @@ export function configDefaults(config_: ConvexAuthConfig) {
|
|
|
52
53
|
*
|
|
53
54
|
* @internal
|
|
54
55
|
*/
|
|
56
|
+
/** @internal */
|
|
55
57
|
export function materializeProvider(provider: AuthProviderConfig) {
|
|
56
58
|
const config = { providers: [provider], component: {} as any };
|
|
57
59
|
materializeAndDefaultProviders(config);
|
|
@@ -63,6 +65,7 @@ export function materializeProvider(provider: AuthProviderConfig) {
|
|
|
63
65
|
*
|
|
64
66
|
* @internal
|
|
65
67
|
*/
|
|
68
|
+
/** @internal */
|
|
66
69
|
export function listAvailableProviders(
|
|
67
70
|
config: ReturnType<typeof configDefaults>,
|
|
68
71
|
allowExtraProviders: boolean,
|
package/src/server/ratelimit.ts
CHANGED
|
@@ -11,6 +11,7 @@ const DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;
|
|
|
11
11
|
/**
|
|
12
12
|
* Check whether the given identifier is currently rate-limited.
|
|
13
13
|
*/
|
|
14
|
+
/** @internal */
|
|
14
15
|
export const isSignInRateLimited = (
|
|
15
16
|
ctx: MutationCtx,
|
|
16
17
|
identifier: string,
|
|
@@ -25,6 +26,7 @@ export const isSignInRateLimited = (
|
|
|
25
26
|
*
|
|
26
27
|
* If a record exists, decrement; otherwise create.
|
|
27
28
|
*/
|
|
29
|
+
/** @internal */
|
|
28
30
|
export const recordFailedSignIn = (
|
|
29
31
|
ctx: MutationCtx,
|
|
30
32
|
identifier: string,
|
|
@@ -67,6 +69,7 @@ export const recordFailedSignIn = (
|
|
|
67
69
|
/**
|
|
68
70
|
* Reset the rate limit for the given identifier (e.g. after successful sign-in).
|
|
69
71
|
*/
|
|
72
|
+
/** @internal */
|
|
70
73
|
export const resetSignInRateLimit = (
|
|
71
74
|
ctx: MutationCtx,
|
|
72
75
|
identifier: string,
|
package/src/server/redirects.ts
CHANGED
|
@@ -2,6 +2,7 @@ import { AuthError } from "./fx";
|
|
|
2
2
|
import { ConvexAuthMaterializedConfig } from "./types";
|
|
3
3
|
import { requireEnv } from "./utils";
|
|
4
4
|
|
|
5
|
+
/** @internal */
|
|
5
6
|
export async function redirectAbsoluteUrl(
|
|
6
7
|
config: ConvexAuthMaterializedConfig,
|
|
7
8
|
params: { redirectTo: unknown },
|
|
@@ -35,6 +36,7 @@ async function defaultRedirectCallback({ redirectTo }: { redirectTo: string }) {
|
|
|
35
36
|
|
|
36
37
|
// Temporary work-around because Convex doesn't support
|
|
37
38
|
// schemes other than http and https.
|
|
39
|
+
/** @internal */
|
|
38
40
|
export function setURLSearchParam(
|
|
39
41
|
absoluteUrl: string,
|
|
40
42
|
param: string,
|
package/src/server/refresh.ts
CHANGED
|
@@ -13,6 +13,7 @@ import {
|
|
|
13
13
|
} from "./utils";
|
|
14
14
|
|
|
15
15
|
const DEFAULT_SESSION_INACTIVE_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days
|
|
16
|
+
/** @internal */
|
|
16
17
|
export const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1000; // 10 seconds
|
|
17
18
|
|
|
18
19
|
// ---------------------------------------------------------------------------
|
|
@@ -22,6 +23,7 @@ export const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1000; // 10 seconds
|
|
|
22
23
|
/**
|
|
23
24
|
* Create a new refresh token for the given session.
|
|
24
25
|
*/
|
|
26
|
+
/** @internal */
|
|
25
27
|
export async function createRefreshToken(
|
|
26
28
|
ctx: MutationCtx,
|
|
27
29
|
config: ConvexAuthConfig,
|
|
@@ -46,6 +48,7 @@ export async function createRefreshToken(
|
|
|
46
48
|
/**
|
|
47
49
|
* Parse a compound refresh token string into its constituent IDs.
|
|
48
50
|
*/
|
|
51
|
+
/** @internal */
|
|
49
52
|
export const parseRefreshToken = (
|
|
50
53
|
refreshToken: string,
|
|
51
54
|
): Fx<
|
|
@@ -82,6 +85,7 @@ export const parseRefreshToken = (
|
|
|
82
85
|
* Mark all refresh tokens descending from the given refresh token as invalid
|
|
83
86
|
* immediately. Used when we detect token reuse — revoke the entire tree.
|
|
84
87
|
*/
|
|
88
|
+
/** @internal */
|
|
85
89
|
export async function invalidateRefreshTokensInSubtree(
|
|
86
90
|
ctx: MutationCtx,
|
|
87
91
|
refreshToken: Doc<"RefreshToken">,
|
|
@@ -135,6 +139,7 @@ export async function invalidateRefreshTokensInSubtree(
|
|
|
135
139
|
* Each validation step is a small composable function chained with `Fx.chain`.
|
|
136
140
|
* On failure, the error message is logged and the pipeline folds to `null`.
|
|
137
141
|
*/
|
|
142
|
+
/** @internal */
|
|
138
143
|
export const refreshTokenIfValid = (
|
|
139
144
|
ctx: MutationCtx,
|
|
140
145
|
refreshTokenId: string,
|
package/src/server/sessions.ts
CHANGED
|
@@ -16,6 +16,7 @@ import {
|
|
|
16
16
|
|
|
17
17
|
const DEFAULT_SESSION_TOTAL_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days
|
|
18
18
|
|
|
19
|
+
/** @internal */
|
|
19
20
|
export async function maybeGenerateTokensForSession(
|
|
20
21
|
ctx: MutationCtx,
|
|
21
22
|
config: ConvexAuthConfig,
|
|
@@ -37,6 +38,7 @@ export async function maybeGenerateTokensForSession(
|
|
|
37
38
|
};
|
|
38
39
|
}
|
|
39
40
|
|
|
41
|
+
/** @internal */
|
|
40
42
|
export async function createNewAndDeleteExistingSession(
|
|
41
43
|
ctx: MutationCtx,
|
|
42
44
|
config: ConvexAuthConfig,
|
|
@@ -53,6 +55,7 @@ export async function createNewAndDeleteExistingSession(
|
|
|
53
55
|
return await createSession(ctx, userId, config);
|
|
54
56
|
}
|
|
55
57
|
|
|
58
|
+
/** @internal */
|
|
56
59
|
export async function generateTokensForSession(
|
|
57
60
|
ctx: MutationCtx,
|
|
58
61
|
config: ConvexAuthConfig,
|
|
@@ -102,6 +105,7 @@ async function createSession(
|
|
|
102
105
|
)) as GenericId<"Session">;
|
|
103
106
|
}
|
|
104
107
|
|
|
108
|
+
/** @internal */
|
|
105
109
|
export async function deleteSession(
|
|
106
110
|
ctx: MutationCtx,
|
|
107
111
|
session: Doc<"Session">,
|
|
@@ -117,6 +121,7 @@ export async function deleteSession(
|
|
|
117
121
|
*
|
|
118
122
|
* Internal helper used by auth runtime internals and `auth.session.current`.
|
|
119
123
|
*/
|
|
124
|
+
/** @internal */
|
|
120
125
|
export async function getAuthSessionId(ctx: { auth: Auth }) {
|
|
121
126
|
const identity = await ctx.auth.getUserIdentity();
|
|
122
127
|
if (identity === null) {
|