@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

package/dist/component/server/factory.js

@@ -0,0 +1,1134 @@
+import { isAuthError } from "./errors.js";
+import { AuthError, Fx } from "./fx.js";
+import { LOG_LEVELS, decryptSecret, encryptSecret, generateRandomString, logError, logWithLevel, requireEnv, sha256 } from "./utils.js";
+import { redirectToParamCookie, useRedirectToParam } from "./cookies.js";
+import { configDefaults, listAvailableProviders } from "./providers.js";
+import { callModifyAccount } from "./mutations/account.js";
+import { callInvalidateSessions } from "./mutations/invalidate.js";
+import { SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID, createEnterpriseOidcRuntime, createEnterpriseSamlMetadataXml, createEnterpriseSamlSignInRequest, createSamlPostBindingResponse, createServiceProviderMetadata, encodeEnterpriseSamlRelayState, enterpriseOidcProviderId, enterpriseSamlProviderId, getEnterpriseOidcUrls, getOidcConfig, getPublicOidcConfig, getSamlConfig, getSamlServiceProviderOptions, isEnterpriseSamlSourceActive, normalizeDomain, normalizeEnterprisePolicy, parseEnterpriseSamlLoginResponse, parseEnterpriseSamlLogoutMessage, parseSamlIdpMetadata, parseScimListRequest, parseScimPath, patchEnterprisePolicy, profileFromSamlExtract, scimError, scimJson, serializeScimGroup, serializeScimUser, upsertProtocolConfig, validateEnterpriseSamlLoginRelayState, withOidcSecretState } from "./sso.js";
+import { callUserOAuth } from "./mutations/oauth.js";
+import { callCreateAccountFromCredentials } from "./mutations/register.js";
+import { callRetrieveAccountWithCredentials } from "./mutations/retrieve.js";
+import { callVerifierSignature } from "./mutations/signature.js";
+import { callSignOut } from "./mutations/signout.js";
+import { storeArgs, storeImpl } from "./mutations/index.js";
+import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
+import { signInImpl } from "./signin.js";
+import { createCoreDomains } from "./domains/core.js";
+import { createSsoDomain } from "./domains/sso.js";
+import { addAuthRoutes, addOpenIdRoutes, addSSORoutes, convertErrorsToResponse, createHttpAction, createHttpRoute, getCookies } from "./http.js";
+import { createOAuthAuthorizationURL, handleOAuthCallback } from "./oauth.js";
+import { actionGeneric, internalMutationGeneric } from "convex/server";
+import { v } from "convex/values";
+import { serialize } from "cookie";
+
+//#region src/server/factory.ts
+const ENTERPRISE_OIDC_CLIENT_SECRET_KIND = "oidc_client_secret";
+/**
+* Configure the Convex Auth library. Returns an object with
+* functions and `auth` helper. You must export the functions
+* from `convex/auth.ts` to make them callable:
+*
+* ```ts filename="convex/auth.ts"
+* import { createAuth } from "@robelest/convex-auth/component";
+* import { components } from "./_generated/api";
+*
+* export const auth = createAuth(components.auth, {
+*   providers: [],
+* });
+* export const { signIn, signOut, store } = auth;
+* ```
+*
+* @returns An object with fields you should reexport from your
+*          `convex/auth.ts` file.
+*/
+function Auth(config_) {
+	const config = configDefaults(config_);
+	const hasOAuth = config.providers.some((provider) => provider.type === "oauth");
+	const hasSSO = config.providers.some((provider) => provider.type === "sso");
+	const getProviderOrThrow = (id, allowExtraProviders = false) => {
+		const provider = config.providers.find((configuredProvider) => configuredProvider.id === id) ?? (allowExtraProviders ? config.extraProviders.find((configuredProvider) => configuredProvider.id === id) : void 0);
+		if (provider === void 0) {
+			const detail = `Provider \`${id}\` is not configured, available providers are ${listAvailableProviders(config, allowExtraProviders)}.`;
+			logWithLevel(LOG_LEVELS.ERROR, detail);
+			throw new AuthError("PROVIDER_NOT_CONFIGURED", detail, { provider: id }).toConvexError();
+		}
+		return provider;
+	};
+	const getEnterpriseSecret = async (ctx, enterpriseId, kind) => {
+		return await ctx.runQuery(config.component.public.enterpriseSecretGet, {
+			enterpriseId,
+			kind
+		});
+	};
+	const getEnterpriseOidcConfigWithSecret = async (ctx, enterprise) => {
+		const oidc = getOidcConfig(enterprise.config);
+		const secret = await getEnterpriseSecret(ctx, enterprise._id, ENTERPRISE_OIDC_CLIENT_SECRET_KIND);
+		return {
+			...oidc,
+			...secret ? { clientSecret: await decryptSecret(secret.ciphertext) } : {}
+		};
+	};
+	const INVITE_TOKEN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+	const INVITE_TOKEN_LENGTH = 48;
+	const enterpriseNotFoundError = "Enterprise not found.";
+	const ENTERPRISE_CONTROL_ROUTE_BASE = "/api/auth/sso";
+	const getPolicyFromEnterprise = (enterprise) => normalizeEnterprisePolicy(enterprise.policy);
+	const loadEnterpriseOrThrow = async (ctx, enterpriseId) => {
+		const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+		if (!enterprise) throw new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError).toConvexError();
+		return enterprise;
+	};
+	const loadActiveEnterpriseOrThrow = async (ctx, enterpriseId) => {
+		const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);
+		if (enterprise.status !== "active") throw new AuthError("INVALID_PARAMETERS", "Enterprise connection is not active.").toConvexError();
+		return enterprise;
+	};
+	const loadActiveEnterpriseSamlOrThrow = async (ctx, enterpriseId) => {
+		const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);
+		const loaded = {
+			source: {
+				kind: "enterprise",
+				id: enterpriseId
+			},
+			config: enterprise.config,
+			status: enterprise.status,
+			enterprise
+		};
+		if (!isEnterpriseSamlSourceActive(loaded)) throw new AuthError("INVALID_PARAMETERS", "Enterprise connection is not active.").toConvexError();
+		const saml = getSamlConfig(loaded.config);
+		if (!saml.idp?.metadataXml) throw new AuthError("PROVIDER_NOT_CONFIGURED", "SAML is not configured for this enterprise.").toConvexError();
+		return {
+			loaded,
+			enterprise,
+			saml
+		};
+	};
+	const loadEnterpriseOidcOrThrow = async (ctx, enterpriseId) => {
+		const enterprise = await loadActiveEnterpriseOrThrow(ctx, enterpriseId);
+		const oidc = await getEnterpriseOidcConfigWithSecret(ctx, enterprise);
+		if (oidc.enabled !== true) throw new AuthError("PROVIDER_NOT_CONFIGURED", "OIDC is not configured for this enterprise.").toConvexError();
+		return {
+			enterprise,
+			oidc
+		};
+	};
+	const validateEnterprisePolicy = (policy) => {
+		const checks = [];
+		checks.push({
+			name: "policy_version",
+			ok: policy.version === 1
+		});
+		checks.push({
+			name: "jit_default_role_ids_present",
+			ok: policy.provisioning.jit.mode !== "createUserAndMembership" || policy.provisioning.jit.defaultRoleIds.length > 0,
+			message: policy.provisioning.jit.mode === "createUserAndMembership" && policy.provisioning.jit.defaultRoleIds.length === 0 ? "At least one default roleId is required when JIT membership provisioning is enabled." : void 0
+		});
+		checks.push({
+			name: "jit_default_role_ids_known",
+			ok: policy.provisioning.jit.defaultRoleIds.every((roleId) => config.authorization.roles[roleId] !== void 0),
+			message: policy.provisioning.jit.defaultRoleIds.every((roleId) => config.authorization.roles[roleId] !== void 0) ? void 0 : "JIT defaultRoleIds contains unknown roleIds."
+		});
+		checks.push({
+			name: "scim_reuse_supported",
+			ok: policy.provisioning.scimReuse.user === "externalId" || policy.provisioning.scimReuse.user === "none"
+		});
+		return checks;
+	};
+	const recordEnterpriseAuditEvent = async (ctx, data) => {
+		const { ok, ...rest } = data;
+		return await ctx.runMutation(config.component.public.enterpriseAuditEventCreate, {
+			...rest,
+			status: ok ? "success" : "failure",
+			occurredAt: Date.now()
+		});
+	};
+	const emitEnterpriseWebhookDeliveries = async (ctx, data) => {
+		const endpoints = await ctx.runQuery(config.component.public.enterpriseWebhookEndpointList, { enterpriseId: data.enterpriseId });
+		for (const endpoint of endpoints) {
+			if (endpoint.status !== "active" || !endpoint.subscriptions.includes(data.eventType)) continue;
+			await ctx.runMutation(config.component.public.enterpriseWebhookDeliveryEnqueue, {
+				enterpriseId: data.enterpriseId,
+				endpointId: endpoint._id,
+				auditEventId: data.auditEventId,
+				eventType: data.eventType,
+				payload: data.payload,
+				nextAttemptAt: Date.now()
+			});
+		}
+	};
+	const getEnterpriseScimContext = async (ctx, request) => {
+		const authHeader = request.headers.get("Authorization");
+		if (!authHeader?.startsWith("Bearer ")) throw new AuthError("MISSING_BEARER_TOKEN").toConvexError();
+		const token = authHeader.slice(7);
+		const scimConfig = await ctx.runQuery(config.component.public.enterpriseScimConfigGetByTokenHash, { tokenHash: await sha256(token) });
+		if (!scimConfig || scimConfig.status !== "active") throw new AuthError("INVALID_API_KEY", "Invalid SCIM token.").toConvexError();
+		const parsedPath = parseScimPath(new URL(request.url).pathname);
+		if (parsedPath.enterpriseId !== scimConfig.enterpriseId) throw new AuthError("INVALID_API_KEY", "SCIM token/tenant mismatch.").toConvexError();
+		const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: scimConfig.enterpriseId });
+		if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
+		return {
+			scimConfig,
+			enterprise,
+			parsedPath
+		};
+	};
+	const SCIM_SCHEMAS = [{
+		id: SCIM_USER_SCHEMA_ID,
+		name: "User",
+		description: "User Account",
+		attributes: [
+			{
+				name: "userName",
+				type: "string",
+				required: true
+			},
+			{
+				name: "displayName",
+				type: "string"
+			},
+			{
+				name: "active",
+				type: "boolean"
+			},
+			{
+				name: "emails",
+				type: "complex",
+				multiValued: true
+			}
+		]
+	}, {
+		id: SCIM_GROUP_SCHEMA_ID,
+		name: "Group",
+		description: "Group",
+		attributes: [{
+			name: "displayName",
+			type: "string",
+			required: true
+		}, {
+			name: "members",
+			type: "complex",
+			multiValued: true
+		}]
+	}];
+	const SCIM_RESOURCE_TYPES = [{
+		id: "User",
+		name: "User",
+		endpoint: "/Users",
+		schema: SCIM_USER_SCHEMA_ID
+	}, {
+		id: "Group",
+		name: "Group",
+		endpoint: "/Groups",
+		schema: SCIM_GROUP_SCHEMA_ID
+	}];
+	const handleStaticScimCollection = (items, resourceId, opts) => {
+		if (resourceId !== void 0) {
+			const item = items.find((entry) => entry[opts.by] === decodeURIComponent(resourceId));
+			return item ? scimJson(item) : scimError(404, "notFound", opts.notFound);
+		}
+		return scimJson({
+			schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+			Resources: items,
+			totalResults: items.length,
+			startIndex: 1,
+			itemsPerPage: items.length
+		});
+	};
+	const filterScimCollection = (items, filter, filters) => {
+		if (!filter) return items;
+		const predicate = filters[filter.attribute];
+		if (!predicate) throw new Error("Unsupported SCIM filter.");
+		return items.filter((item) => predicate(item, filter.value));
+	};
+	const paginateScimCollection = (items, listRequest) => {
+		const start = listRequest.startIndex - 1;
+		return items.slice(start, start + listRequest.count);
+	};
+	const requireScimResourceId = (resourceId, label) => {
+		if (!resourceId) return scimError(400, "invalidPath", `${label} resource ID is required.`);
+		return null;
+	};
+	const readScimJson = async (request) => await request.json();
+	let auth;
+	auth = {
+		...createCoreDomains({
+			config,
+			getAuth: () => auth,
+			callInvalidateSessions,
+			callCreateAccountFromCredentials,
+			callRetrieveAccountWithCredentials,
+			callModifyAccount,
+			getEnrichCtx: () => enrichCtx,
+			inviteTokenAlphabet: INVITE_TOKEN_ALPHABET,
+			inviteTokenLength: INVITE_TOKEN_LENGTH
+		}),
+		sso: createSsoDomain({
+			config,
+			getAuth: () => auth,
+			normalizeEnterprisePolicy,
+			normalizeDomain,
+			getEnterpriseSecret,
+			loadEnterpriseOrThrow,
+			validateEnterprisePolicy,
+			recordEnterpriseAuditEvent,
+			emitEnterpriseWebhookDeliveries,
+			enterpriseNotFoundError,
+			ENTERPRISE_OIDC_CLIENT_SECRET_KIND,
+			requireEnv,
+			generateRandomString,
+			INVITE_TOKEN_ALPHABET,
+			sha256,
+			encryptSecret,
+			upsertProtocolConfig,
+			parseSamlIdpMetadata,
+			createServiceProviderMetadata,
+			getSamlServiceProviderOptions,
+			getPublicOidcConfig,
+			withOidcSecretState,
+			getOidcConfig,
+			getEnterpriseOidcUrls,
+			enterpriseOidcProviderId,
+			getPolicyFromEnterprise,
+			patchEnterprisePolicy
+		}),
+		http: {
+			add: (http) => {
+				addOpenIdRoutes(http, {
+					getIssuer: () => requireEnv("CONVEX_SITE_URL"),
+					getJwks: () => requireEnv("JWKS")
+				});
+				if (hasSSO) {
+					const handleSamlAcs = async (ctx, request, runtimeRoute) => Fx.run(Fx.gen(function* () {
+						yield* Fx.guard(runtimeRoute.protocol !== "saml" || runtimeRoute.rest.length !== 1 || runtimeRoute.rest[0] !== "acs", Fx.fail(new AuthError("INVALID_PARAMETERS", "Invalid enterprise runtime path.").toConvexError()));
+						const enterpriseId = runtimeRoute.enterpriseId;
+						const { loaded, enterprise, saml } = yield* Fx.from({
+							ok: () => loadActiveEnterpriseSamlOrThrow(ctx, enterpriseId),
+							err: (e) => e
+						});
+						const parsedResponse = yield* Fx.from({
+							ok: () => parseEnterpriseSamlLoginResponse({
+								request,
+								rootUrl: requireEnv("CONVEX_SITE_URL"),
+								source: {
+									kind: "enterprise",
+									id: enterprise._id
+								},
+								config: loaded.config
+							}),
+							err: (e) => new AuthError("OAUTH_PROVIDER_ERROR", `SAML response parse failed: ${e instanceof Error ? e.message : String(e)}`).toConvexError()
+						});
+						yield* Fx.from({
+							ok: () => {
+								validateEnterpriseSamlLoginRelayState({
+									relayState: parsedResponse.relayState,
+									source: {
+										kind: "enterprise",
+										id: enterprise._id
+									},
+									inResponseTo: parsedResponse.parsed.extract?.response?.inResponseTo
+								});
+								return Promise.resolve();
+							},
+							err: () => new AuthError("OAUTH_INVALID_STATE", "SAML RelayState did not match the pending login request.").toConvexError()
+						});
+						const { samlAttributes, samlSessionIndex, ...userProfile } = profileFromSamlExtract(parsedResponse.parsed.extract, saml.attributeMapping);
+						const profile = userProfile;
+						const maybeRedirectTo = useRedirectToParam(enterpriseSamlProviderId(enterprise._id), getCookies(request));
+						const verificationCode = yield* Fx.from({
+							ok: () => callUserOAuth(ctx, {
+								provider: enterpriseSamlProviderId(enterprise._id),
+								providerAccountId: profile.id,
+								profile,
+								signature: parsedResponse.relayState.signature,
+								accountExtend: {
+									identity: {
+										protocol: "saml",
+										enterpriseId: enterprise._id,
+										subject: profile.id,
+										entityId: typeof saml.entityId === "string" ? saml.entityId : void 0
+									},
+									saml: {
+										attributes: samlAttributes,
+										sessionIndex: samlSessionIndex
+									}
+								}
+							}),
+							err: (e) => e
+						});
+						const vurl = setURLSearchParam(yield* Fx.from({
+							ok: () => redirectAbsoluteUrl(config, { redirectTo: maybeRedirectTo?.redirectTo ?? (typeof parsedResponse.relayState.redirectTo === "string" ? parsedResponse.relayState.redirectTo : void 0) }),
+							err: (e) => e
+						}), "code", verificationCode);
+						const vheaders = new Headers({ Location: vurl });
+						vheaders.set("Cache-Control", "must-revalidate");
+						for (const { name, value, options } of maybeRedirectTo !== null ? [maybeRedirectTo.updatedCookie] : []) vheaders.append("Set-Cookie", serialize(name, value, options));
+						return new Response(null, {
+							status: 302,
+							headers: vheaders
+						});
+					}).pipe(Fx.recover((e) => Fx.fatal(e))));
+					const handleSamlSlo = async (ctx, request, runtimeRoute) => {
+						if (runtimeRoute.protocol !== "saml" || runtimeRoute.rest.length !== 1 || runtimeRoute.rest[0] !== "slo") throw new AuthError("INVALID_PARAMETERS", "Invalid enterprise runtime path.").toConvexError();
+						const { loaded, enterprise } = await loadActiveEnterpriseSamlOrThrow(ctx, runtimeRoute.enterpriseId);
+						const parsedMessage = await parseEnterpriseSamlLogoutMessage({
+							request,
+							rootUrl: requireEnv("CONVEX_SITE_URL"),
+							source: {
+								kind: "enterprise",
+								id: enterprise._id
+							},
+							config: loaded.config
+						});
+						if (parsedMessage.hasSamlRequest && parsedMessage.parsedRequest) {
+							const responseContext = parsedMessage.runtime.sp.createLogoutResponse(parsedMessage.runtime.idp, parsedMessage.parsedRequest.extract, parsedMessage.binding, parsedMessage.relayState ?? "");
+							if (parsedMessage.binding === "redirect") return new Response(null, {
+								status: 302,
+								headers: { Location: responseContext.context }
+							});
+							return createSamlPostBindingResponse({
+								endpoint: responseContext.entityEndpoint,
+								parameter: "SAMLResponse",
+								value: responseContext.context,
+								relayState: parsedMessage.relayState
+							});
+						}
+						if (parsedMessage.hasSamlResponse) return new Response(null, { status: 204 });
+						throw new AuthError("INVALID_PARAMETERS", "Missing SAML logout payload.").toConvexError();
+					};
+					const handleScimRequest = async (ctx, request) => {
+						try {
+							const { scimConfig, enterprise, parsedPath } = await getEnterpriseScimContext(ctx, request);
+							const state = {
+								ctx,
+								request,
+								url: new URL(request.url),
+								parsedPath,
+								enterprise,
+								scimConfig,
+								policy: getPolicyFromEnterprise(enterprise),
+								recordScimEvent: async (eventType, ok, subjectType, subjectId, metadata) => {
+									const auditEventId = await recordEnterpriseAuditEvent(ctx, {
+										enterpriseId: enterprise._id,
+										groupId: enterprise.groupId,
+										eventType,
+										actorType: "scim",
+										subjectType,
+										subjectId,
+										ok,
+										metadata
+									});
+									await emitEnterpriseWebhookDeliveries(ctx, {
+										enterpriseId: enterprise._id,
+										eventType,
+										auditEventId,
+										payload: {
+											enterpriseId: enterprise._id,
+											subjectId,
+											metadata
+										}
+									});
+								}
+							};
+							const handleUsersGet = async (state$1) => {
+								const members = await auth.member.list(state$1.ctx, {
+									where: { groupId: state$1.enterprise.groupId },
+									limit: 100
+								});
+								const identities = await state$1.ctx.runQuery(config.component.public.enterpriseScimIdentityListByEnterprise, { enterpriseId: state$1.enterprise._id });
+								const identityByUserId = new Map(identities.filter((identity) => identity.userId !== void 0).map((identity) => [identity.userId, identity]));
+								const users = (await Promise.all(members.items.map(async (member) => {
+									const user = await auth.user.get(state$1.ctx, member.userId);
+									return user ? {
+										user,
+										member,
+										identity: identityByUserId.get(user._id)
+									} : null;
+								}))).filter(Boolean);
+								const listRequest = parseScimListRequest(state$1.url);
+								const filtered = filterScimCollection(users, listRequest.filter, {
+									id: (item, value) => item.user._id === value,
+									externalId: (item, value) => item.identity?.externalId === value,
+									userName: (item, value) => item.user.email === value,
+									"emails.value": (item, value) => item.user.email === value,
+									active: (item, value) => String(item.identity?.active ?? item.member.status === "active") === value
+								});
+								if (state$1.parsedPath.resourceId) {
+									const resource = filtered.find(({ user }) => user._id === state$1.parsedPath.resourceId);
+									return resource ? scimJson(serializeScimUser({
+										id: resource.user._id,
+										user: resource.user,
+										externalId: resource.identity?.externalId,
+										location: `${state$1.url.origin}${state$1.url.pathname.replace(/\/[^/]+$/, "")}/${resource.user._id}`,
+										active: resource.identity?.active ?? resource.member.status === "active"
+									}), 200, { Location: `${state$1.url.origin}${state$1.url.pathname.replace(/\/[^/]+$/, "")}/${resource.user._id}` }) : scimError(404, "notFound", "User not found.");
+								}
+								const paged = paginateScimCollection(filtered, listRequest);
+								await state$1.recordScimEvent("enterprise.scim.read", true, "enterprise_scim", state$1.scimConfig._id);
+								return scimJson({
+									schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+									Resources: paged.map(({ user, identity, member }) => serializeScimUser({
+										id: user._id,
+										user,
+										externalId: identity?.externalId,
+										location: `${state$1.url.origin}${state$1.url.pathname}/${user._id}`,
+										active: identity?.active ?? member.status === "active"
+									})),
+									totalResults: filtered.length,
+									startIndex: listRequest.startIndex,
+									itemsPerPage: paged.length
+								});
+							};
+							const handleUsersPost = async (state$1) => {
+								const body = await readScimJson(state$1.request);
+								const primaryEmail = Array.isArray(body.emails) ? body.emails.find((entry) => entry.primary === true)?.value ?? body.emails[0]?.value : void 0;
+								const phone = Array.isArray(body.phoneNumbers) ? body.phoneNumbers[0]?.value : void 0;
+								const userId = await state$1.ctx.runMutation(config.component.public.userInsert, { data: {
+									name: body.displayName ?? body.name?.formatted,
+									email: primaryEmail ?? body.userName,
+									...typeof (primaryEmail ?? body.userName) === "string" ? { emailVerificationTime: Date.now() } : {},
+									phone,
+									...typeof phone === "string" ? { phoneVerificationTime: Date.now() } : {}
+								} });
+								try {
+									await auth.member.create(state$1.ctx, {
+										groupId: state$1.enterprise.groupId,
+										userId,
+										roleIds: state$1.policy.provisioning.jit.defaultRoleIds,
+										status: body.active === false ? "inactive" : "active"
+									});
+								} catch {}
+								if (typeof body.externalId === "string") await state$1.ctx.runMutation(config.component.public.enterpriseScimIdentityUpsert, {
+									enterpriseId: state$1.enterprise._id,
+									groupId: state$1.enterprise.groupId,
+									resourceType: "user",
+									externalId: body.externalId,
+									userId,
+									active: body.active !== false,
+									raw: body,
+									lastProvisionedAt: Date.now()
+								});
+								await state$1.recordScimEvent("enterprise.scim.user.created", true, "user", userId);
+								const createdUser = await auth.user.get(state$1.ctx, userId);
+								const location = `${state$1.url.origin}${state$1.url.pathname}/${userId}`;
+								return scimJson(serializeScimUser({
+									id: userId,
+									user: createdUser ?? {},
+									externalId: body.externalId,
+									location,
+									active: body.active !== false
+								}), 201, { Location: location });
+							};
+							const handleUsersUpsert = async (state$1) => {
+								const missing = requireScimResourceId(state$1.parsedPath.resourceId, "User");
+								if (missing) return missing;
+								const userId = state$1.parsedPath.resourceId;
+								const existingUser = await auth.user.get(state$1.ctx, userId);
+								if (!existingUser) return scimError(404, "notFound", "User not found.");
+								const body = await readScimJson(state$1.request);
+								const patchData = {};
+								let nextActive;
+								if (state$1.request.method === "PUT") {
+									patchData.name = body.displayName ?? body.name?.formatted;
+									patchData.email = body.userName ?? (Array.isArray(body.emails) ? body.emails[0]?.value : void 0);
+									patchData.phone = Array.isArray(body.phoneNumbers) ? body.phoneNumbers[0]?.value : void 0;
+									if (typeof patchData.email === "string") patchData.emailVerificationTime = Date.now();
+									if (typeof patchData.phone === "string") patchData.phoneVerificationTime = Date.now();
+								} else for (const operation of Array.isArray(body.Operations) ? body.Operations : []) {
+									if (operation.path === "active") nextActive = operation.value;
+									if (operation.path === "displayName" || operation.path === "name.formatted") patchData.name = operation.value;
+									if (operation.path === "userName" || operation.path === "emails.value") {
+										patchData.email = operation.value;
+										if (typeof operation.value === "string") patchData.emailVerificationTime = Date.now();
+									}
+									if (operation.path === "phoneNumbers.value") {
+										patchData.phone = operation.value;
+										if (typeof operation.value === "string") patchData.phoneVerificationTime = Date.now();
+									}
+								}
+								await state$1.ctx.runMutation(config.component.public.userPatch, {
+									userId,
+									data: patchData
+								});
+								const membership = await auth.member.getByUserAndGroup(state$1.ctx, {
+									groupId: state$1.enterprise.groupId,
+									userId
+								});
+								if (membership) await auth.member.update(state$1.ctx, membership._id, { status: body.active === false || nextActive === false ? "inactive" : "active" });
+								await state$1.ctx.runMutation(config.component.public.enterpriseScimIdentityUpsert, {
+									enterpriseId: state$1.enterprise._id,
+									groupId: state$1.enterprise.groupId,
+									resourceType: "user",
+									externalId: typeof body.externalId === "string" ? body.externalId : (await state$1.ctx.runQuery(config.component.public.enterpriseScimIdentityGetByEnterpriseAndUser, {
+										enterpriseId: state$1.enterprise._id,
+										userId
+									}))?.externalId ?? userId,
+									userId,
+									active: body.active !== false && nextActive !== false,
+									raw: body,
+									lastProvisionedAt: Date.now()
+								});
+								await state$1.recordScimEvent("enterprise.scim.user.updated", true, "user", userId);
+								const updatedUser = await auth.user.get(state$1.ctx, userId);
+								const location = `${state$1.url.origin}${state$1.url.pathname}`;
+								return scimJson(serializeScimUser({
+									id: userId,
+									user: updatedUser ?? existingUser,
+									externalId: typeof body.externalId === "string" ? body.externalId : void 0,
+									location,
+									active: body.active !== false && nextActive !== false
+								}), 200, { Location: location });
+							};
+							const handleUsersDelete = async (state$1) => {
+								const missing = requireScimResourceId(state$1.parsedPath.resourceId, "User");
+								if (missing) return missing;
+								const userId = state$1.parsedPath.resourceId;
+								const membership = await auth.member.getByUserAndGroup(state$1.ctx, {
+									groupId: state$1.enterprise.groupId,
+									userId
+								});
+								if (membership) await auth.member.delete(state$1.ctx, membership._id);
+								const identity = await state$1.ctx.runQuery(config.component.public.enterpriseScimIdentityGetByEnterpriseAndUser, {
+									enterpriseId: state$1.enterprise._id,
+									userId
+								});
+								if (identity) if (state$1.policy.provisioning.deprovision.mode === "hard") await state$1.ctx.runMutation(config.component.public.enterpriseScimIdentityDelete, { identityId: identity._id });
+								else await state$1.ctx.runMutation(config.component.public.enterpriseScimIdentityUpsert, {
+									enterpriseId: identity.enterpriseId,
+									groupId: identity.groupId,
+									resourceType: identity.resourceType,
+									externalId: identity.externalId,
+									userId: identity.userId,
+									mappedGroupId: identity.mappedGroupId,
+									active: false,
+									raw: identity.raw,
+									lastProvisionedAt: Date.now()
+								});
+								await state$1.recordScimEvent("enterprise.scim.user.deleted", true, "user", userId);
+								return new Response(null, { status: 204 });
+							};
+							const handleGroupsGet = async (state$1) => {
+								const groupsList = await auth.group.list(state$1.ctx, {
+									where: { parentGroupId: state$1.enterprise.groupId },
+									limit: 100
+								});
+								const identities = await state$1.ctx.runQuery(config.component.public.enterpriseScimIdentityListByEnterprise, { enterpriseId: state$1.enterprise._id });
+								const identityByGroupId = new Map(identities.filter((identity) => identity.mappedGroupId !== void 0).map((identity) => [identity.mappedGroupId, identity]));
+								const groups = groupsList.items.map((group) => ({
+									group,
+									identity: identityByGroupId.get(group._id)
+								}));
+								const listRequest = parseScimListRequest(state$1.url);
+								const filtered = filterScimCollection(groups, listRequest.filter, {
+									id: (item, value) => item.group._id === value,
+									externalId: (item, value) => item.identity?.externalId === value,
+									displayName: (item, value) => item.group.name === value
+								});
+								if (state$1.parsedPath.resourceId) {
+									const resource = filtered.find(({ group }) => group._id === state$1.parsedPath.resourceId);
+									if (!resource) return scimError(404, "notFound", "Group not found.");
+									const members = (await auth.member.list(state$1.ctx, {
+										where: {
+											groupId: resource.group._id,
+											status: "active"
+										},
+										limit: 100
+									})).items.map((member) => ({ value: member.userId }));
+									const location = `${state$1.url.origin}${state$1.url.pathname.replace(/\/[^/]+$/, "")}/${resource.group._id}`;
+									return scimJson(serializeScimGroup({
+										id: resource.group._id,
+										group: resource.group,
+										externalId: resource.identity?.externalId,
+										location,
+										members
+									}), 200, { Location: location });
+								}
+								const paged = paginateScimCollection(filtered, listRequest);
+								return scimJson({
+									schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
+									Resources: paged.map(({ group, identity }) => serializeScimGroup({
+										id: group._id,
+										group,
+										externalId: identity?.externalId,
+										location: `${state$1.url.origin}${state$1.url.pathname}/${group._id}`
+									})),
+									totalResults: filtered.length,
+									startIndex: listRequest.startIndex,
+									itemsPerPage: paged.length
+								});
+							};
+							const handleGroupsPost = async (state$1) => {
+								const body = await readScimJson(state$1.request);
+								const { groupId } = await auth.group.create(state$1.ctx, {
+									name: String(body.displayName ?? "Group"),
+									parentGroupId: state$1.enterprise.groupId,
+									type: "organization"
+								});
+								await state$1.ctx.runMutation(config.component.public.enterpriseScimIdentityUpsert, {
+									enterpriseId: state$1.enterprise._id,
+									groupId: state$1.enterprise.groupId,
+									resourceType: "group",
+									externalId: body.externalId ?? groupId,
+									mappedGroupId: groupId,
+									active: true,
+									raw: body,
+									lastProvisionedAt: Date.now()
+								});
+								for (const member of Array.isArray(body.members) ? body.members : []) try {
+									await auth.member.create(state$1.ctx, {
+										groupId,
+										userId: String(member.value),
+										roleIds: state$1.policy.provisioning.jit.defaultRoleIds,
+										status: "active"
+									});
+								} catch {}
+								await state$1.recordScimEvent("enterprise.scim.group.created", true, "group", groupId);
+								const group = await auth.group.get(state$1.ctx, groupId);
+								const location = `${state$1.url.origin}${state$1.url.pathname}/${groupId}`;
+								return scimJson(serializeScimGroup({
+									id: groupId,
+									group: group ?? {},
+									externalId: body.externalId,
+									location,
+									members: (await auth.member.list(state$1.ctx, {
+										where: {
+											groupId,
+											status: "active"
+										},
+										limit: 100
+									})).items.map((member) => ({ value: member.userId }))
+								}), 201, { Location: location });
+							};
+							const handleGroupsPatch = async (state$1) => {
+								const missing = requireScimResourceId(state$1.parsedPath.resourceId, "Group");
+								if (missing) return missing;
+								const groupId = state$1.parsedPath.resourceId;
+								const body = await readScimJson(state$1.request);
+								for (const operation of Array.isArray(body.Operations) ? body.Operations : []) {
+									if (operation.path === "displayName") await auth.group.update(state$1.ctx, groupId, { name: operation.value });
+									if (operation.path === "members" && operation.op === "add") for (const member of Array.isArray(operation.value) ? operation.value : []) try {
+										await auth.member.create(state$1.ctx, {
+											groupId,
+											userId: String(member.value),
+											roleIds: state$1.policy.provisioning.jit.defaultRoleIds,
+											status: "active"
+										});
+									} catch {}
+									if (operation.path === "members" && operation.op === "replace") {
+										const currentMembers = (await auth.member.list(state$1.ctx, {
+											where: {
+												groupId,
+												status: "active"
+											},
+											limit: 100
+										})).items;
+										const currentUserIds = new Set(currentMembers.map((member) => member.userId));
+										const nextUserIds = new Set((Array.isArray(operation.value) ? operation.value : []).map((member) => String(member.value)));
+										for (const member of currentMembers) if (!nextUserIds.has(member.userId)) await auth.member.delete(state$1.ctx, member._id);
+										for (const userId of nextUserIds.values()) if (!currentUserIds.has(userId)) try {
+											await auth.member.create(state$1.ctx, {
+												groupId,
+												userId,
+												roleIds: state$1.policy.provisioning.jit.defaultRoleIds,
+												status: "active"
+											});
+										} catch {}
+									}
+									if (typeof operation.path === "string" && operation.op === "remove" && operation.path.startsWith("members[")) {
+										const userId = operation.path.match(/^members\[value eq "([^"]+)"\]$/)?.[1];
+										if (userId) {
+											const membership = await auth.member.getByUserAndGroup(state$1.ctx, {
+												groupId,
+												userId
+											});
+											if (membership) await auth.member.delete(state$1.ctx, membership._id);
+										}
+									}
+								}
+								await state$1.recordScimEvent("enterprise.scim.group.updated", true, "group", groupId);
+								const group = await auth.group.get(state$1.ctx, groupId);
+								const location = `${state$1.url.origin}${state$1.url.pathname}`;
+								const members = (await auth.member.list(state$1.ctx, {
+									where: {
+										groupId,
+										status: "active"
+									},
+									limit: 100
+								})).items;
+								return scimJson(serializeScimGroup({
+									id: groupId,
+									group: group ?? {},
+									location,
+									members: members.map((member) => ({ value: member.userId }))
+								}), 200, { Location: location });
+							};
+							const handleGroupsDelete = async (state$1) => {
+								const missing = requireScimResourceId(state$1.parsedPath.resourceId, "Group");
+								if (missing) return missing;
+								const groupId = state$1.parsedPath.resourceId;
+								await auth.group.delete(state$1.ctx, groupId);
+								const identity = await state$1.ctx.runQuery(config.component.public.enterpriseScimIdentityGetByMappedGroup, { mappedGroupId: groupId });
+								if (identity) await state$1.ctx.runMutation(config.component.public.enterpriseScimIdentityDelete, { identityId: identity._id });
+								await state$1.recordScimEvent("enterprise.scim.group.deleted", true, "group", groupId);
+								return new Response(null, { status: 204 });
+							};
+							const handler = {
+								ServiceProviderConfig: { GET: async () => scimJson({
+									schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
+									patch: { supported: true },
+									bulk: {
+										supported: false,
+										maxOperations: 0,
+										maxPayloadSize: 0
+									},
+									filter: {
+										supported: true,
+										maxResults: 100
+									},
+									changePassword: { supported: false },
+									sort: { supported: false },
+									etag: { supported: false },
+									authenticationSchemes: [{
+										type: "oauthbearertoken",
+										name: "Bearer Token",
+										description: "Use the SCIM token generated by Convex Auth enterprise."
+									}]
+								}) },
+								Schemas: { GET: async (state$1) => handleStaticScimCollection(SCIM_SCHEMAS, state$1.parsedPath.resourceId, {
+									by: "id",
+									notFound: "Schema not found."
+								}) },
+								ResourceTypes: { GET: async (state$1) => handleStaticScimCollection(SCIM_RESOURCE_TYPES, state$1.parsedPath.resourceId, {
+									by: "name",
+									notFound: "Resource type not found."
+								}) },
+								Users: {
+									GET: handleUsersGet,
+									POST: handleUsersPost,
+									PATCH: handleUsersUpsert,
+									PUT: handleUsersUpsert,
+									DELETE: handleUsersDelete
+								},
+								Groups: {
+									GET: handleGroupsGet,
+									POST: handleGroupsPost,
+									PATCH: handleGroupsPatch,
+									DELETE: handleGroupsDelete
+								}
+							}[state.parsedPath.resource]?.[state.request.method];
+							return handler ? await handler(state) : scimError(404, "notFound", "SCIM resource not found.");
+						} catch (error) {
+							if (error instanceof Error && error.message === "Unsupported SCIM filter.") return scimError(400, "invalidFilter", error.message);
+							if (isAuthError(error)) {
+								const code = error.data.code;
+								return scimError(code === "MISSING_BEARER_TOKEN" || code === "INVALID_API_KEY" ? 401 : 400, code, error.data.message);
+							}
+							throw error;
+						}
+					};
+					addSSORoutes(http, {
+						routeBase: ENTERPRISE_CONTROL_ROUTE_BASE,
+						convertErrorsToResponse,
+						handleSamlMetadata: async (ctx, _request, runtimeRoute) => {
+							const { loaded } = await loadActiveEnterpriseSamlOrThrow(ctx, runtimeRoute.enterpriseId);
+							return new Response(createEnterpriseSamlMetadataXml({
+								rootUrl: requireEnv("CONVEX_SITE_URL"),
+								source: loaded.source,
+								config: loaded.config
+							}), {
+								status: 200,
+								headers: { "Content-Type": "application/xml" }
+							});
+						},
+						handleSamlSignIn: async (ctx, request, runtimeRoute) => {
+							const url = new URL(request.url);
+							const verifier = url.searchParams.get("code");
+							if (!verifier) throw new AuthError("OAUTH_MISSING_VERIFIER").toConvexError();
+							const { loaded, enterprise } = await loadActiveEnterpriseSamlOrThrow(ctx, runtimeRoute.enterpriseId);
+							const state = generateRandomString(24, INVITE_TOKEN_ALPHABET);
+							const signInRequest = createEnterpriseSamlSignInRequest({
+								rootUrl: requireEnv("CONVEX_SITE_URL"),
+								source: {
+									kind: "enterprise",
+									id: enterprise._id
+								},
+								config: loaded.config,
+								state,
+								signature: `saml ${enterprise._id} pending ${state}`,
+								redirectTo: url.searchParams.get("redirectTo") ?? void 0
+							});
+							const signature = `saml ${enterprise._id} ${signInRequest.requestId} ${state}`;
+							await callVerifierSignature(ctx, {
+								verifier,
+								signature
+							});
+							const redirectTo = url.searchParams.get("redirectTo");
+							const redirectCookies = redirectTo !== null ? [redirectToParamCookie(enterpriseSamlProviderId(enterprise._id), redirectTo)] : [];
+							const relayState = encodeEnterpriseSamlRelayState({
+								source: {
+									kind: "enterprise",
+									id: enterprise._id
+								},
+								signature,
+								requestId: signInRequest.requestId,
+								state,
+								redirectTo: url.searchParams.get("redirectTo") ?? void 0
+							});
+							if (signInRequest.binding === "redirect" && signInRequest.redirectUrl) {
+								const redirectUrl = new URL(signInRequest.redirectUrl);
+								redirectUrl.searchParams.set("RelayState", relayState);
+								const headers = new Headers({ Location: redirectUrl.toString() });
+								for (const { name, value, options } of redirectCookies) headers.append("Set-Cookie", serialize(name, value, options));
+								return new Response(null, {
+									status: 302,
+									headers
+								});
+							}
+							const response = createSamlPostBindingResponse({
+								endpoint: signInRequest.post.endpoint,
+								parameter: "SAMLRequest",
+								value: signInRequest.post.value,
+								relayState
+							});
+							for (const { name, value, options } of redirectCookies) response.headers.append("Set-Cookie", serialize(name, value, options));
+							return response;
+						},
+						handleOidcSignIn: async (ctx, request, runtimeRoute) => {
+							const url = new URL(request.url);
+							const verifier = url.searchParams.get("code");
+							if (!verifier) throw new AuthError("OAUTH_MISSING_VERIFIER").toConvexError();
+							const { enterprise, oidc } = await loadEnterpriseOidcOrThrow(ctx, runtimeRoute.enterpriseId);
+							const { providerId, provider, oauthConfig } = await createEnterpriseOidcRuntime({
+								rootUrl: requireEnv("CONVEX_SITE_URL"),
+								enterpriseId: enterprise._id,
+								oidc
+							});
+							const { redirect, cookies, signature } = await createOAuthAuthorizationURL(providerId, provider, oauthConfig);
+							await callVerifierSignature(ctx, {
+								verifier,
+								signature
+							});
+							const redirectTo = url.searchParams.get("redirectTo");
+							const headers_ = new Headers({ Location: redirect });
+							for (const { name, value, options } of [...cookies, ...redirectTo !== null ? [redirectToParamCookie(providerId, redirectTo)] : []]) headers_.append("Set-Cookie", serialize(name, value, options));
+							return new Response(null, {
+								status: 302,
+								headers: headers_
+							});
+						},
+						handleOidcCallback: async (ctx, request, runtimeRoute) => {
+							const url = new URL(request.url);
+							const { enterprise, oidc } = await loadEnterpriseOidcOrThrow(ctx, runtimeRoute.enterpriseId);
+							const { providerId, provider, oauthConfig } = await createEnterpriseOidcRuntime({
+								rootUrl: requireEnv("CONVEX_SITE_URL"),
+								enterpriseId: enterprise._id,
+								oidc
+							});
+							const cookies = getCookies(request);
+							const maybeRedirectTo = useRedirectToParam(providerId, cookies);
+							const destinationUrl = await redirectAbsoluteUrl(config, { redirectTo: maybeRedirectTo?.redirectTo });
+							const params = url.searchParams;
+							const result = await Fx.run(handleOAuthCallback(providerId, provider, oauthConfig, Object.fromEntries(params.entries()), cookies));
+							const extraFields = oidc.extraFields;
+							let profile = result.profile;
+							if (extraFields && typeof profile === "object" && profile) {
+								const extend = {};
+								for (const [claimName, fieldName] of Object.entries(extraFields)) if (claimName in profile) extend[fieldName] = profile[claimName];
+								if (Object.keys(extend).length > 0) profile = {
+									...profile,
+									extend
+								};
+							}
+							const verificationCode = await callUserOAuth(ctx, {
+								provider: providerId,
+								providerAccountId: result.providerAccountId,
+								profile,
+								signature: result.signature,
+								accountExtend: { identity: {
+									protocol: "oidc",
+									enterpriseId: enterprise._id,
+									subject: result.providerAccountId,
+									issuer: typeof oidc.issuer === "string" ? oidc.issuer : void 0,
+									discoveryUrl: typeof oidc.discoveryUrl === "string" ? oidc.discoveryUrl : void 0
+								} }
+							});
+							const headers = new Headers({ Location: setURLSearchParam(destinationUrl, "code", verificationCode) });
+							for (const { name, value, options } of result.cookies) headers.append("Set-Cookie", serialize(name, value, options));
+							if (maybeRedirectTo) headers.append("Set-Cookie", serialize(maybeRedirectTo.updatedCookie.name, maybeRedirectTo.updatedCookie.value, maybeRedirectTo.updatedCookie.options));
+							return new Response(null, {
+								status: 302,
+								headers
+							});
+						},
+						handleSamlAcs,
+						handleSamlSlo,
+						handleScimRequest,
+						scimError
+					});
+				}
+				if (hasOAuth) addAuthRoutes(http, {
+					handleSignIn: convertErrorsToResponse(400, async (ctx, request) => {
+						const url = new URL(request.url);
+						const providerId = url.pathname.split("/").at(-1);
+						if (providerId === null) throw new AuthError("OAUTH_MISSING_PROVIDER").toConvexError();
+						const verifier = url.searchParams.get("code");
+						if (verifier === null) throw new AuthError("OAUTH_MISSING_VERIFIER").toConvexError();
+						const oauthConfig = getProviderOrThrow(providerId);
+						const { redirect, cookies, signature } = await createOAuthAuthorizationURL(providerId, oauthConfig.provider, oauthConfig);
+						await callVerifierSignature(ctx, {
+							verifier,
+							signature
+						});
+						const redirectTo = url.searchParams.get("redirectTo");
+						if (redirectTo !== null) cookies.push(redirectToParamCookie(providerId, redirectTo));
+						const headers = new Headers({ Location: redirect });
+						for (const { name, value, options } of cookies) headers.append("Set-Cookie", serialize(name, value, options));
+						return new Response(null, {
+							status: 302,
+							headers
+						});
+					}),
+					handleCallback: async (ctx, request) => {
+						const url = new URL(request.url);
+						const providerId = new URL(request.url).pathname.split("/").at(-1);
+						if (!providerId) throw new AuthError("OAUTH_MISSING_PROVIDER").toConvexError();
+						logWithLevel(LOG_LEVELS.DEBUG, "Handling OAuth callback for provider:", providerId);
+						const provider = getProviderOrThrow(providerId);
+						const cookies = getCookies(request);
+						const maybeRedirectTo = useRedirectToParam(provider.id, cookies);
+						const destinationUrl = await redirectAbsoluteUrl(config, { redirectTo: maybeRedirectTo?.redirectTo });
+						const params = url.searchParams;
+						if (request.headers.get("Content-Type") === "application/x-www-form-urlencoded") (await request.formData()).forEach((value, key) => {
+							if (typeof value === "string") params.append(key, value);
+						});
+						return Fx.run(Fx.from({
+							ok: async () => {
+								const oauthConfig = provider;
+								const result = await Fx.run(handleOAuthCallback(providerId, oauthConfig.provider, oauthConfig, Object.fromEntries(params.entries()), cookies));
+								const oauthCookies = result.cookies;
+								const { id: profileId, ...profileData } = result.profile;
+								const { signature } = result;
+								const redirUrl = setURLSearchParam(destinationUrl, "code", await callUserOAuth(ctx, {
+									provider: providerId,
+									providerAccountId: profileId,
+									profile: profileData,
+									signature
+								}));
+								const redirHeaders = new Headers({ Location: redirUrl });
+								redirHeaders.set("Cache-Control", "must-revalidate");
+								for (const { name, value, options } of [...oauthCookies, ...maybeRedirectTo !== null ? [maybeRedirectTo.updatedCookie] : []]) redirHeaders.append("Set-Cookie", serialize(name, value, options));
+								return new Response(null, {
+									status: 302,
+									headers: redirHeaders
+								});
+							},
+							err: (error) => error
+						}).pipe(Fx.recover((error) => {
+							logError(error);
+							const respHeaders = new Headers({ Location: destinationUrl });
+							for (const { name, value, options } of maybeRedirectTo !== null ? [maybeRedirectTo.updatedCookie] : []) respHeaders.append("Set-Cookie", serialize(name, value, options));
+							return Fx.succeed(new Response(null, {
+								status: 302,
+								headers: respHeaders
+							}));
+						})));
+					}
+				});
+			},
+			action: createHttpAction(auth),
+			route: createHttpRoute(createHttpAction(auth))
+		}
+	};
+	const enrichCtx = (ctx) => ({
+		...ctx,
+		auth: {
+			...ctx.auth,
+			config,
+			account: auth.account,
+			session: auth.session,
+			access: auth.access,
+			provider: auth.provider
+		}
+	});
+	return {
+		auth,
+		signIn: actionGeneric({
+			args: {
+				provider: v.optional(v.string()),
+				params: v.optional(v.any()),
+				verifier: v.optional(v.string()),
+				refreshToken: v.optional(v.string()),
+				calledBy: v.optional(v.string())
+			},
+			handler: async (ctx, args) => {
+				if (args.calledBy !== void 0) logWithLevel("INFO", `\`auth:signIn\` called by ${args.calledBy}`);
+				const provider = args.provider !== void 0 ? getProviderOrThrow(args.provider) : null;
+				const result = await signInImpl(enrichCtx(ctx), provider, args, {
+					generateTokens: true,
+					allowExtraProviders: false
+				});
+				return Fx.run(Fx.match(result, result.kind, {
+					redirect: (r) => Fx.succeed({
+						kind: "redirect",
+						redirect: r.redirect,
+						verifier: r.verifier
+					}),
+					signedIn: (r) => Fx.succeed({
+						kind: "signedIn",
+						tokens: r.signedIn?.tokens ?? null
+					}),
+					refreshTokens: (r) => Fx.succeed({
+						kind: "signedIn",
+						tokens: r.signedIn?.tokens ?? null
+					}),
+					started: () => Fx.succeed({ kind: "started" }),
+					passkeyOptions: (r) => Fx.succeed({
+						kind: "passkeyOptions",
+						options: r.options,
+						verifier: r.verifier
+					}),
+					totpRequired: (r) => Fx.succeed({
+						kind: "totpRequired",
+						verifier: r.verifier
+					}),
+					totpSetup: (r) => Fx.succeed({
+						kind: "totpSetup",
+						totpSetup: {
+							uri: r.uri,
+							secret: r.secret,
+							totpId: r.totpId
+						},
+						verifier: r.verifier
+					}),
+					deviceCode: (r) => Fx.succeed({
+						kind: "deviceCode",
+						deviceCode: {
+							deviceCode: r.deviceCode,
+							userCode: r.userCode,
+							verificationUri: r.verificationUri,
+							verificationUriComplete: r.verificationUriComplete,
+							expiresIn: r.expiresIn,
+							interval: r.interval
+						}
+					})
+				}));
+			}
+		}),
+		signOut: actionGeneric({
+			args: {},
+			handler: async (ctx) => {
+				await callSignOut(ctx);
+			}
+		}),
+		store: internalMutationGeneric({
+			args: storeArgs,
+			handler: async (ctx, args) => {
+				return storeImpl(ctx, args, getProviderOrThrow, config);
+			}
+		})
+	};
+}
+
+//#endregion
+export { Auth };
+//# sourceMappingURL=factory.js.map