@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (328) hide show
  1. package/README.md +140 -9
  2. package/dist/bin.cjs +5957 -5478
  3. package/dist/client/index.d.ts +3 -7
  4. package/dist/client/index.d.ts.map +1 -1
  5. package/dist/client/index.js +27 -26
  6. package/dist/client/index.js.map +1 -1
  7. package/dist/component/_generated/api.d.ts +14 -0
  8. package/dist/component/_generated/api.d.ts.map +1 -1
  9. package/dist/component/_generated/api.js.map +1 -1
  10. package/dist/component/_generated/component.d.ts +1672 -24
  11. package/dist/component/_generated/component.d.ts.map +1 -1
  12. package/dist/component/convex.config.d.ts +2 -2
  13. package/dist/component/convex.config.d.ts.map +1 -1
  14. package/dist/component/index.d.ts +1 -1
  15. package/dist/component/index.js +2 -2
  16. package/dist/component/model.d.ts +153 -0
  17. package/dist/component/model.d.ts.map +1 -0
  18. package/dist/component/model.js +343 -0
  19. package/dist/component/model.js.map +1 -0
  20. package/dist/component/providers/sso.d.ts +1 -1
  21. package/dist/component/public/enterprise.d.ts +54 -0
  22. package/dist/component/public/enterprise.d.ts.map +1 -0
  23. package/dist/component/public/enterprise.js +515 -0
  24. package/dist/component/public/enterprise.js.map +1 -0
  25. package/dist/component/public/factors.d.ts +52 -0
  26. package/dist/component/public/factors.d.ts.map +1 -0
  27. package/dist/component/public/factors.js +285 -0
  28. package/dist/component/public/factors.js.map +1 -0
  29. package/dist/component/public/groups.d.ts +116 -0
  30. package/dist/component/public/groups.d.ts.map +1 -0
  31. package/dist/component/public/groups.js +596 -0
  32. package/dist/component/public/groups.js.map +1 -0
  33. package/dist/component/public/identity.d.ts +93 -0
  34. package/dist/component/public/identity.d.ts.map +1 -0
  35. package/dist/component/public/identity.js +426 -0
  36. package/dist/component/public/identity.js.map +1 -0
  37. package/dist/component/public/keys.d.ts +41 -0
  38. package/dist/component/public/keys.d.ts.map +1 -0
  39. package/dist/component/public/keys.js +157 -0
  40. package/dist/component/public/keys.js.map +1 -0
  41. package/dist/component/public/shared.d.ts +26 -0
  42. package/dist/component/public/shared.d.ts.map +1 -0
  43. package/dist/component/public/shared.js +32 -0
  44. package/dist/component/public/shared.js.map +1 -0
  45. package/dist/component/public.d.ts +9 -321
  46. package/dist/component/public.d.ts.map +1 -1
  47. package/dist/component/public.js +6 -2145
  48. package/dist/component/schema.d.ts +406 -260
  49. package/dist/component/schema.js +37 -32
  50. package/dist/component/schema.js.map +1 -1
  51. package/dist/component/server/auth.d.ts +161 -15
  52. package/dist/component/server/auth.d.ts.map +1 -1
  53. package/dist/component/server/auth.js +100 -7
  54. package/dist/component/server/auth.js.map +1 -1
  55. package/dist/component/server/cookies.js +3 -0
  56. package/dist/component/server/cookies.js.map +1 -1
  57. package/dist/component/server/db.js +1 -0
  58. package/dist/component/server/db.js.map +1 -1
  59. package/dist/component/server/device.js +3 -1
  60. package/dist/component/server/device.js.map +1 -1
  61. package/dist/component/server/domains/core.js +629 -0
  62. package/dist/component/server/domains/core.js.map +1 -0
  63. package/dist/component/server/domains/sso.js +884 -0
  64. package/dist/component/server/domains/sso.js.map +1 -0
  65. package/dist/component/server/factory.d.ts +136 -0
  66. package/dist/component/server/factory.d.ts.map +1 -0
  67. package/dist/component/server/factory.js +1134 -0
  68. package/dist/component/server/factory.js.map +1 -0
  69. package/dist/component/server/fx.js +2 -1
  70. package/dist/component/server/fx.js.map +1 -1
  71. package/dist/component/server/http.js +287 -0
  72. package/dist/component/server/http.js.map +1 -0
  73. package/dist/component/server/identity.js +13 -0
  74. package/dist/component/server/identity.js.map +1 -0
  75. package/dist/component/server/keys.js +4 -0
  76. package/dist/component/server/keys.js.map +1 -1
  77. package/dist/component/server/mutations/account.js +1 -1
  78. package/dist/component/server/mutations/index.js +2 -2
  79. package/dist/component/server/mutations/index.js.map +1 -1
  80. package/dist/component/server/mutations/invalidate.js +1 -1
  81. package/dist/component/server/mutations/oauth.js +10 -7
  82. package/dist/component/server/mutations/oauth.js.map +1 -1
  83. package/dist/component/server/mutations/refresh.js +1 -1
  84. package/dist/component/server/mutations/register.js +1 -1
  85. package/dist/component/server/mutations/retrieve.js +1 -1
  86. package/dist/component/server/mutations/signature.js +1 -1
  87. package/dist/component/server/mutations/store.js +6 -3
  88. package/dist/component/server/mutations/store.js.map +1 -1
  89. package/dist/component/server/mutations/verify.js +1 -1
  90. package/dist/component/server/oauth.js +3 -0
  91. package/dist/component/server/oauth.js.map +1 -1
  92. package/dist/component/server/passkey.js +3 -2
  93. package/dist/component/server/passkey.js.map +1 -1
  94. package/dist/component/server/provider.js +2 -0
  95. package/dist/component/server/provider.js.map +1 -1
  96. package/dist/component/server/providers.js +10 -0
  97. package/dist/component/server/providers.js.map +1 -1
  98. package/dist/component/server/ratelimit.js +3 -0
  99. package/dist/component/server/ratelimit.js.map +1 -1
  100. package/dist/component/server/redirects.js +2 -0
  101. package/dist/component/server/redirects.js.map +1 -1
  102. package/dist/component/server/refresh.js +5 -0
  103. package/dist/component/server/refresh.js.map +1 -1
  104. package/dist/component/server/sessions.js +5 -0
  105. package/dist/component/server/sessions.js.map +1 -1
  106. package/dist/component/server/signin.js +2 -1
  107. package/dist/component/server/signin.js.map +1 -1
  108. package/dist/component/server/sso.js +166 -19
  109. package/dist/component/server/sso.js.map +1 -1
  110. package/dist/component/server/tokens.js +1 -0
  111. package/dist/component/server/tokens.js.map +1 -1
  112. package/dist/component/server/totp.js +4 -2
  113. package/dist/component/server/totp.js.map +1 -1
  114. package/dist/component/server/types.d.ts +106 -38
  115. package/dist/component/server/types.d.ts.map +1 -1
  116. package/dist/component/server/types.js.map +1 -1
  117. package/dist/component/server/users.js +1 -0
  118. package/dist/component/server/users.js.map +1 -1
  119. package/dist/component/server/utils.js +44 -2
  120. package/dist/component/server/utils.js.map +1 -1
  121. package/dist/providers/anonymous.d.ts +1 -1
  122. package/dist/providers/credentials.d.ts +1 -1
  123. package/dist/providers/password.d.ts +1 -1
  124. package/dist/providers/sso.d.ts +1 -1
  125. package/dist/providers/sso.js.map +1 -1
  126. package/dist/server/auth.d.ts +163 -17
  127. package/dist/server/auth.d.ts.map +1 -1
  128. package/dist/server/auth.js +100 -7
  129. package/dist/server/auth.js.map +1 -1
  130. package/dist/server/cookies.d.ts +1 -38
  131. package/dist/server/cookies.js +3 -0
  132. package/dist/server/cookies.js.map +1 -1
  133. package/dist/server/db.d.ts +1 -125
  134. package/dist/server/db.js +1 -0
  135. package/dist/server/db.js.map +1 -1
  136. package/dist/server/device.d.ts +1 -24
  137. package/dist/server/device.js +3 -1
  138. package/dist/server/device.js.map +1 -1
  139. package/dist/server/domains/core.d.ts +434 -0
  140. package/dist/server/domains/core.d.ts.map +1 -0
  141. package/dist/server/domains/core.js +629 -0
  142. package/dist/server/domains/core.js.map +1 -0
  143. package/dist/server/domains/sso.d.ts +409 -0
  144. package/dist/server/domains/sso.d.ts.map +1 -0
  145. package/dist/server/domains/sso.js +884 -0
  146. package/dist/server/domains/sso.js.map +1 -0
  147. package/dist/server/enterpriseValidators.d.ts +1 -0
  148. package/dist/server/enterpriseValidators.js +60 -0
  149. package/dist/server/enterpriseValidators.js.map +1 -0
  150. package/dist/server/factory.d.ts +136 -0
  151. package/dist/server/factory.d.ts.map +1 -0
  152. package/dist/server/factory.js +1134 -0
  153. package/dist/server/factory.js.map +1 -0
  154. package/dist/server/fx.d.ts +1 -16
  155. package/dist/server/fx.d.ts.map +1 -1
  156. package/dist/server/fx.js +1 -0
  157. package/dist/server/fx.js.map +1 -1
  158. package/dist/server/http.d.ts +59 -0
  159. package/dist/server/http.d.ts.map +1 -0
  160. package/dist/server/http.js +287 -0
  161. package/dist/server/http.js.map +1 -0
  162. package/dist/server/identity.d.ts +1 -0
  163. package/dist/server/identity.js +13 -0
  164. package/dist/server/identity.js.map +1 -0
  165. package/dist/server/index.d.ts +468 -1
  166. package/dist/server/index.d.ts.map +1 -1
  167. package/dist/server/index.js +530 -36
  168. package/dist/server/index.js.map +1 -1
  169. package/dist/server/keys.d.ts +1 -57
  170. package/dist/server/keys.js +4 -0
  171. package/dist/server/keys.js.map +1 -1
  172. package/dist/server/mutations/account.d.ts +7 -7
  173. package/dist/server/mutations/account.d.ts.map +1 -1
  174. package/dist/server/mutations/code.d.ts +13 -13
  175. package/dist/server/mutations/code.d.ts.map +1 -1
  176. package/dist/server/mutations/index.d.ts +107 -107
  177. package/dist/server/mutations/index.d.ts.map +1 -1
  178. package/dist/server/mutations/index.js +1 -1
  179. package/dist/server/mutations/index.js.map +1 -1
  180. package/dist/server/mutations/invalidate.d.ts +5 -5
  181. package/dist/server/mutations/invalidate.d.ts.map +1 -1
  182. package/dist/server/mutations/oauth.d.ts +10 -10
  183. package/dist/server/mutations/oauth.d.ts.map +1 -1
  184. package/dist/server/mutations/oauth.js +9 -6
  185. package/dist/server/mutations/oauth.js.map +1 -1
  186. package/dist/server/mutations/refresh.d.ts +4 -4
  187. package/dist/server/mutations/register.d.ts +12 -12
  188. package/dist/server/mutations/register.d.ts.map +1 -1
  189. package/dist/server/mutations/retrieve.d.ts +7 -7
  190. package/dist/server/mutations/signature.d.ts +5 -5
  191. package/dist/server/mutations/signin.d.ts +6 -6
  192. package/dist/server/mutations/signin.d.ts.map +1 -1
  193. package/dist/server/mutations/signout.d.ts +1 -1
  194. package/dist/server/mutations/store.d.ts +3 -2
  195. package/dist/server/mutations/store.d.ts.map +1 -1
  196. package/dist/server/mutations/store.js +6 -3
  197. package/dist/server/mutations/store.js.map +1 -1
  198. package/dist/server/mutations/verifier.d.ts +1 -1
  199. package/dist/server/mutations/verify.d.ts +11 -11
  200. package/dist/server/mutations/verify.d.ts.map +1 -1
  201. package/dist/server/oauth.d.ts +1 -59
  202. package/dist/server/oauth.js +3 -0
  203. package/dist/server/oauth.js.map +1 -1
  204. package/dist/server/passkey.d.ts.map +1 -1
  205. package/dist/server/passkey.js +3 -2
  206. package/dist/server/passkey.js.map +1 -1
  207. package/dist/server/provider.d.ts +1 -14
  208. package/dist/server/provider.d.ts.map +1 -1
  209. package/dist/server/provider.js +2 -0
  210. package/dist/server/provider.js.map +1 -1
  211. package/dist/server/providers.js +10 -0
  212. package/dist/server/providers.js.map +1 -1
  213. package/dist/server/ratelimit.d.ts +1 -22
  214. package/dist/server/ratelimit.js +3 -0
  215. package/dist/server/ratelimit.js.map +1 -1
  216. package/dist/server/redirects.d.ts +1 -10
  217. package/dist/server/redirects.js +2 -0
  218. package/dist/server/redirects.js.map +1 -1
  219. package/dist/server/refresh.d.ts +1 -37
  220. package/dist/server/refresh.js +5 -0
  221. package/dist/server/refresh.js.map +1 -1
  222. package/dist/server/sessions.d.ts +1 -28
  223. package/dist/server/sessions.js +5 -0
  224. package/dist/server/sessions.js.map +1 -1
  225. package/dist/server/signin.d.ts +1 -55
  226. package/dist/server/signin.js +2 -1
  227. package/dist/server/signin.js.map +1 -1
  228. package/dist/server/sso.d.ts +1 -348
  229. package/dist/server/sso.js +165 -18
  230. package/dist/server/sso.js.map +1 -1
  231. package/dist/server/templates.d.ts +1 -21
  232. package/dist/server/templates.js +1 -0
  233. package/dist/server/templates.js.map +1 -1
  234. package/dist/server/tokens.d.ts +1 -11
  235. package/dist/server/tokens.js +1 -0
  236. package/dist/server/tokens.js.map +1 -1
  237. package/dist/server/totp.d.ts +1 -23
  238. package/dist/server/totp.js +4 -2
  239. package/dist/server/totp.js.map +1 -1
  240. package/dist/server/types.d.ts +114 -77
  241. package/dist/server/types.d.ts.map +1 -1
  242. package/dist/server/types.js.map +1 -1
  243. package/dist/server/users.d.ts +1 -31
  244. package/dist/server/users.js +1 -0
  245. package/dist/server/users.js.map +1 -1
  246. package/dist/server/utils.d.ts +1 -27
  247. package/dist/server/utils.js +44 -2
  248. package/dist/server/utils.js.map +1 -1
  249. package/dist/server/version.d.ts +1 -1
  250. package/dist/server/version.js +1 -1
  251. package/dist/server/version.js.map +1 -1
  252. package/package.json +4 -5
  253. package/src/cli/bin.ts +5 -0
  254. package/src/cli/index.ts +22 -9
  255. package/src/cli/keys.ts +3 -0
  256. package/src/client/index.ts +36 -37
  257. package/src/component/_generated/api.ts +14 -0
  258. package/src/component/_generated/component.ts +2106 -9
  259. package/src/component/index.ts +3 -1
  260. package/src/component/model.ts +441 -0
  261. package/src/component/public/enterprise.ts +753 -0
  262. package/src/component/public/factors.ts +332 -0
  263. package/src/component/public/groups.ts +932 -0
  264. package/src/component/public/identity.ts +566 -0
  265. package/src/component/public/keys.ts +209 -0
  266. package/src/component/public/shared.ts +119 -0
  267. package/src/component/public.ts +5 -2965
  268. package/src/component/schema.ts +68 -63
  269. package/src/providers/sso.ts +1 -1
  270. package/src/server/auth.ts +413 -18
  271. package/src/server/cookies.ts +3 -0
  272. package/src/server/db.ts +3 -0
  273. package/src/server/device.ts +3 -1
  274. package/src/server/domains/core.ts +1071 -0
  275. package/src/server/domains/sso.ts +1749 -0
  276. package/src/server/enterpriseValidators.ts +93 -0
  277. package/src/server/factory.ts +2181 -0
  278. package/src/server/fx.ts +1 -0
  279. package/src/server/http.ts +529 -0
  280. package/src/server/identity.ts +18 -0
  281. package/src/server/index.ts +806 -40
  282. package/src/server/keys.ts +4 -0
  283. package/src/server/mutations/index.ts +1 -1
  284. package/src/server/mutations/oauth.ts +36 -8
  285. package/src/server/mutations/store.ts +6 -3
  286. package/src/server/oauth.ts +6 -0
  287. package/src/server/passkey.ts +3 -2
  288. package/src/server/provider.ts +2 -0
  289. package/src/server/providers.ts +20 -0
  290. package/src/server/ratelimit.ts +3 -0
  291. package/src/server/redirects.ts +2 -0
  292. package/src/server/refresh.ts +5 -0
  293. package/src/server/sessions.ts +5 -0
  294. package/src/server/signin.ts +1 -0
  295. package/src/server/sso.ts +259 -17
  296. package/src/server/templates.ts +1 -0
  297. package/src/server/tokens.ts +1 -0
  298. package/src/server/totp.ts +4 -2
  299. package/src/server/types.ts +178 -83
  300. package/src/server/users.ts +1 -0
  301. package/src/server/utils.ts +71 -1
  302. package/src/server/version.ts +1 -1
  303. package/dist/component/public.js.map +0 -1
  304. package/dist/component/server/implementation.d.ts +0 -1264
  305. package/dist/component/server/implementation.d.ts.map +0 -1
  306. package/dist/component/server/implementation.js +0 -2365
  307. package/dist/component/server/implementation.js.map +0 -1
  308. package/dist/server/cookies.d.ts.map +0 -1
  309. package/dist/server/db.d.ts.map +0 -1
  310. package/dist/server/device.d.ts.map +0 -1
  311. package/dist/server/implementation.d.ts +0 -1264
  312. package/dist/server/implementation.d.ts.map +0 -1
  313. package/dist/server/implementation.js +0 -2365
  314. package/dist/server/implementation.js.map +0 -1
  315. package/dist/server/keys.d.ts.map +0 -1
  316. package/dist/server/oauth.d.ts.map +0 -1
  317. package/dist/server/ratelimit.d.ts.map +0 -1
  318. package/dist/server/redirects.d.ts.map +0 -1
  319. package/dist/server/refresh.d.ts.map +0 -1
  320. package/dist/server/sessions.d.ts.map +0 -1
  321. package/dist/server/signin.d.ts.map +0 -1
  322. package/dist/server/sso.d.ts.map +0 -1
  323. package/dist/server/templates.d.ts.map +0 -1
  324. package/dist/server/tokens.d.ts.map +0 -1
  325. package/dist/server/totp.d.ts.map +0 -1
  326. package/dist/server/users.d.ts.map +0 -1
  327. package/dist/server/utils.d.ts.map +0 -1
  328. package/src/server/implementation.ts +0 -5336
package/dist/component/server/http.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"http.js","names":["result","parseCookies"],"sources":["../../../src/server/http.ts"],"sourcesContent":["import {\n GenericActionCtx,\n GenericDataModel,\n HttpRouter,\n httpActionGeneric,\n} from \"convex/server\";\nimport { ConvexError } from \"convex/values\";\nimport { parse as parseCookies } from \"cookie\";\n\nimport { isAuthError } from \"./errors\";\nimport { AuthError, Fx } from \"./fx\";\nimport type { CorsConfig, HttpKeyContext } from \"./types\";\nimport { logError } from \"./utils\";\n\nexport function createHttpAction(auth: {\n key: { verify: (ctx: GenericActionCtx<any>, rawKey: string) => Promise<any> };\n}) {\n return (\n handler: (\n ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,\n request: Request,\n ) => Promise<Response | Record<string, unknown>>,\n options?: {\n scope?: { resource: string; action: string };\n cors?: CorsConfig;\n },\n ) => {\n const corsConfig = options?.cors ?? {};\n const corsHeaders: Record<string, string> = {\n \"Access-Control-Allow-Origin\": corsConfig.origin ?? \"*\",\n \"Access-Control-Allow-Methods\":\n corsConfig.methods ?? \"GET,POST,PUT,PATCH,DELETE,OPTIONS\",\n \"Access-Control-Allow-Headers\":\n corsConfig.headers ?? \"Content-Type,Authorization\",\n };\n\n return httpActionGeneric(async (genericCtx, request) => {\n return Fx.run(\n Fx.from({\n ok: async () => {\n const authHeader = request.headers.get(\"Authorization\");\n if (!authHeader?.startsWith(\"Bearer \")) {\n return new Response(\n JSON.stringify({\n error: \"Missing or malformed Authorization: Bearer header.\",\n code: \"MISSING_BEARER_TOKEN\",\n }),\n {\n status: 401,\n headers: {\n ...corsHeaders,\n \"Content-Type\": \"application/json\",\n },\n },\n );\n }\n const rawKey = authHeader.slice(7);\n\n const keyResult = await Fx.run(\n Fx.from({\n ok: () => auth.key.verify(genericCtx, rawKey),\n err: (error) => error,\n }).pipe(\n Fx.fold({\n ok: (result) => ({ ok: true, value: result }) as const,\n err: (error) => ({ ok: false, error }) as const,\n }),\n ),\n );\n\n if (!keyResult.ok) {\n if (isAuthError(keyResult.error)) {\n const { code, message } = keyResult.error.data as {\n code: string;\n message: string;\n };\n return new Response(JSON.stringify({ error: message, code }), {\n status: 403,\n headers: {\n ...corsHeaders,\n \"Content-Type\": \"application/json\",\n },\n });\n }\n throw keyResult.error;\n }\n\n if (\n options?.scope &&\n !keyResult.value.scopes.can(\n options.scope.resource,\n options.scope.action,\n )\n ) {\n return new Response(\n JSON.stringify({\n error: \"This API key does not have the required permissions.\",\n code: \"SCOPE_CHECK_FAILED\",\n }),\n {\n status: 403,\n headers: {\n ...corsHeaders,\n \"Content-Type\": \"application/json\",\n },\n },\n );\n }\n\n const enrichedCtx = Object.assign(genericCtx, {\n key: {\n userId: keyResult.value.userId,\n keyId: keyResult.value.keyId,\n scopes: keyResult.value.scopes,\n },\n });\n const result = await handler(enrichedCtx, request);\n\n if (result instanceof Response) {\n const headers = new Headers(result.headers);\n for (const [k, val] of Object.entries(corsHeaders)) {\n if (!headers.has(k)) headers.set(k, val);\n }\n return new Response(result.body, {\n status: result.status,\n statusText: result.statusText,\n headers,\n });\n }\n\n return new Response(JSON.stringify(result), {\n status: 200,\n headers: {\n ...corsHeaders,\n \"Content-Type\": \"application/json\",\n },\n });\n },\n err: (error) => error,\n }).pipe(\n Fx.recover((error) => {\n logError(error);\n return Fx.succeed(\n new Response(\n JSON.stringify({\n error: \"An unexpected error occurred.\",\n code: \"INTERNAL_ERROR\",\n }),\n {\n status: 500,\n headers: {\n ...corsHeaders,\n \"Content-Type\": \"application/json\",\n },\n },\n ),\n );\n }),\n ),\n );\n });\n };\n}\n\nexport function createHttpRoute(\n wrapAction: ReturnType<typeof createHttpAction>,\n) {\n return (\n http: { route: (config: any) => void },\n routeConfig: {\n path: string;\n method: \"GET\" | \"POST\" | \"PUT\" | \"PATCH\" | \"DELETE\";\n handler: (\n ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,\n request: Request,\n ) => Promise<Response | Record<string, unknown>>;\n scope?: { resource: string; action: string };\n cors?: CorsConfig;\n },\n ) => {\n const corsConfig = routeConfig.cors ?? {};\n const corsHeaders: Record<string, string> = {\n \"Access-Control-Allow-Origin\": corsConfig.origin ?? \"*\",\n \"Access-Control-Allow-Methods\":\n corsConfig.methods ?? \"GET,POST,PUT,PATCH,DELETE,OPTIONS\",\n \"Access-Control-Allow-Headers\":\n corsConfig.headers ?? \"Content-Type,Authorization\",\n };\n\n http.route({\n path: routeConfig.path,\n method: \"OPTIONS\",\n handler: httpActionGeneric(async () => {\n return new Response(null, { status: 204, headers: corsHeaders });\n }),\n });\n\n http.route({\n path: routeConfig.path,\n method: routeConfig.method,\n handler: wrapAction(routeConfig.handler, {\n scope: routeConfig.scope,\n cors: routeConfig.cors,\n }),\n });\n };\n}\n\nexport function convertErrorsToResponse(\n errorStatusCode: number,\n action: (ctx: GenericActionCtx<any>, request: Request) => Promise<Response>,\n) {\n return async (ctx: GenericActionCtx<any>, request: Request) => {\n return Fx.run(\n Fx.from({\n ok: () => action(ctx, request),\n err: (error) => error,\n }).pipe(\n Fx.recover((error) => {\n if (isAuthError(error)) {\n return Fx.succeed(\n new Response(\n JSON.stringify({\n code: error.data.code,\n message: error.data.message,\n }),\n {\n status: errorStatusCode,\n headers: { \"Content-Type\": \"application/json\" },\n },\n ),\n );\n } else if (error instanceof ConvexError) {\n return Fx.succeed(\n new Response(null, {\n status: errorStatusCode,\n statusText:\n typeof error.data === \"string\" ? error.data : \"Error\",\n }),\n );\n } else {\n logError(error);\n return Fx.succeed(\n new Response(null, {\n status: 500,\n statusText: \"Internal Server Error\",\n }),\n );\n }\n }),\n ),\n );\n };\n}\n\nexport function getCookies(\n request: Request,\n): Record<string, string | undefined> {\n return parseCookies(request.headers.get(\"Cookie\") ?? \"\");\n}\n\nexport type SSORuntimeRoute = {\n pathname?: string;\n enterpriseId: string;\n protocol: \"oidc\" | \"saml\" | \"scim\";\n rest: string[];\n};\n\nfunction parseEnterpriseRuntimeRoute(\n pathname: string,\n routeBase: string,\n): SSORuntimeRoute | null {\n const runtimePrefix = `${routeBase}/`;\n const runtimeParts = pathname.startsWith(runtimePrefix)\n ? pathname.slice(runtimePrefix.length).split(\"/\").filter(Boolean)\n : [];\n const [runtimeEnterpriseId, protocol, ...rest] = runtimeParts;\n if (\n runtimeEnterpriseId === undefined ||\n (protocol !== \"oidc\" && protocol !== \"saml\" && protocol !== \"scim\") ||\n rest.length === 0\n ) {\n return null;\n }\n return {\n pathname,\n enterpriseId: runtimeEnterpriseId,\n protocol,\n rest,\n };\n}\n\nexport function addOpenIdRoutes(\n http: HttpRouter,\n deps: {\n getIssuer: () => string;\n getJwks: () => string;\n },\n) {\n const cacheControl =\n \"public, max-age=15, stale-while-revalidate=15, stale-if-error=86400\";\n\n http.route({\n path: \"/.well-known/openid-configuration\",\n method: \"GET\",\n handler: httpActionGeneric(async () => {\n const issuer = deps.getIssuer();\n return new Response(\n JSON.stringify({\n issuer,\n jwks_uri: `${issuer}/.well-known/jwks.json`,\n }),\n {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n \"Cache-Control\": cacheControl,\n },\n },\n );\n }),\n });\n\n http.route({\n path: \"/.well-known/jwks.json\",\n method: \"GET\",\n handler: httpActionGeneric(async () => {\n return new Response(deps.getJwks(), {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n \"Cache-Control\": cacheControl,\n },\n });\n }),\n });\n}\n\nexport function addAuthRoutes(\n http: HttpRouter,\n deps: {\n handleSignIn: (\n ctx: GenericActionCtx<any>,\n request: Request,\n ) => Promise<Response>;\n handleCallback: (\n ctx: GenericActionCtx<any>,\n request: Request,\n ) => Promise<Response>;\n },\n) {\n http.route({\n pathPrefix: \"/api/auth/signin/\",\n method: \"GET\",\n handler: httpActionGeneric(deps.handleSignIn),\n });\n\n const callbackHandler = httpActionGeneric(deps.handleCallback);\n\n http.route({\n pathPrefix: \"/api/auth/callback/\",\n method: \"GET\",\n handler: callbackHandler,\n });\n\n http.route({\n pathPrefix: \"/api/auth/callback/\",\n method: \"POST\",\n handler: callbackHandler,\n });\n}\n\nexport function addSSORoutes(\n http: HttpRouter,\n deps: {\n routeBase: string;\n convertErrorsToResponse: typeof convertErrorsToResponse;\n handleSamlMetadata: (\n ctx: GenericActionCtx<any>,\n request: Request,\n route: SSORuntimeRoute,\n ) => Promise<Response>;\n handleSamlSignIn: (\n ctx: GenericActionCtx<any>,\n request: Request,\n route: SSORuntimeRoute,\n ) => Promise<Response>;\n handleOidcSignIn: (\n ctx: GenericActionCtx<any>,\n request: Request,\n route: SSORuntimeRoute,\n ) => Promise<Response>;\n handleOidcCallback: (\n ctx: GenericActionCtx<any>,\n request: Request,\n route: SSORuntimeRoute,\n ) => Promise<Response>;\n handleSamlAcs: (\n ctx: GenericActionCtx<any>,\n request: Request,\n route: SSORuntimeRoute,\n ) => Promise<Response>;\n handleSamlSlo: (\n ctx: GenericActionCtx<any>,\n request: Request,\n route: SSORuntimeRoute,\n ) => Promise<Response>;\n handleScimRequest: (\n ctx: GenericActionCtx<any>,\n request: Request,\n ) => Promise<Response>;\n scimError: (status: number, scimType: string, detail: string) => Response;\n },\n) {\n const routePrefix = `${deps.routeBase}/`;\n\n http.route({\n pathPrefix: routePrefix,\n method: \"GET\",\n handler: httpActionGeneric(\n deps.convertErrorsToResponse(400, async (ctx, request) => {\n const route = parseEnterpriseRuntimeRoute(\n new URL(request.url).pathname,\n deps.routeBase,\n );\n if (!route) {\n throw new AuthError(\n \"INVALID_PARAMETERS\",\n \"Invalid enterprise runtime path.\",\n ).toConvexError();\n }\n if (route.protocol === \"saml\" && route.rest.length === 1) {\n if (route.rest[0] === \"metadata\") {\n return await deps.handleSamlMetadata(ctx, request, route);\n }\n if (route.rest[0] === \"signin\") {\n return await deps.handleSamlSignIn(ctx, request, route);\n }\n if (route.rest[0] === \"acs\") {\n return await deps.handleSamlAcs(ctx, request, route);\n }\n if (route.rest[0] === \"slo\") {\n return await deps.handleSamlSlo(ctx, request, route);\n }\n }\n if (route.protocol === \"oidc\" && route.rest.length === 1) {\n if (route.rest[0] === \"signin\") {\n return await deps.handleOidcSignIn(ctx, request, route);\n }\n if (route.rest[0] === \"callback\") {\n return await deps.handleOidcCallback(ctx, request, route);\n }\n }\n if (route.protocol === \"scim\" && route.rest[0] === \"v2\") {\n return await deps.handleScimRequest(ctx, request);\n }\n throw new AuthError(\n \"INVALID_PARAMETERS\",\n \"Invalid enterprise runtime path.\",\n ).toConvexError();\n }),\n ),\n });\n\n http.route({\n pathPrefix: routePrefix,\n method: \"POST\",\n handler: httpActionGeneric(\n deps.convertErrorsToResponse(400, async (ctx, request) => {\n const route = parseEnterpriseRuntimeRoute(\n new URL(request.url).pathname,\n deps.routeBase,\n );\n if (route?.protocol === \"saml\" && route.rest.length === 1) {\n if (route.rest[0] === \"acs\") {\n return await deps.handleSamlAcs(ctx, request, route);\n }\n if (route.rest[0] === \"slo\") {\n return await deps.handleSamlSlo(ctx, request, route);\n }\n }\n if (route?.protocol === \"scim\" && route.rest[0] === \"v2\") {\n return await deps.handleScimRequest(ctx, request);\n }\n throw new AuthError(\n \"INVALID_PARAMETERS\",\n \"Invalid enterprise runtime path.\",\n ).toConvexError();\n }),\n ),\n });\n\n http.route({\n pathPrefix: routePrefix,\n method: \"PUT\",\n handler: httpActionGeneric(\n deps.convertErrorsToResponse(400, async (ctx, request) => {\n const route = parseEnterpriseRuntimeRoute(\n new URL(request.url).pathname,\n deps.routeBase,\n );\n if (route?.protocol === \"scim\" && route.rest[0] === \"v2\") {\n return await deps.handleScimRequest(ctx, request);\n }\n throw new AuthError(\n \"INVALID_PARAMETERS\",\n \"Invalid enterprise runtime path.\",\n ).toConvexError();\n }),\n ),\n });\n\n for (const method of [\"PATCH\", \"DELETE\"] as const) {\n http.route({\n pathPrefix: routePrefix,\n method,\n handler: httpActionGeneric(async (ctx, request) => {\n const route = parseEnterpriseRuntimeRoute(\n new URL(request.url).pathname,\n deps.routeBase,\n );\n if (!route || route.protocol !== \"scim\" || route.rest[0] !== \"v2\") {\n return deps.scimError(404, \"notFound\", \"SCIM resource not found.\");\n }\n return await deps.handleScimRequest(ctx, request);\n }),\n });\n }\n}\n"],"mappings":";;;;;;;;AAcA,SAAgB,iBAAiB,MAE9B;AACD,SACE,SAIA,YAIG;EACH,MAAM,aAAa,SAAS,QAAQ,EAAE;EACtC,MAAM,cAAsC;GAC1C,+BAA+B,WAAW,UAAU;GACpD,gCACE,WAAW,WAAW;GACxB,gCACE,WAAW,WAAW;GACzB;AAED,SAAO,kBAAkB,OAAO,YAAY,YAAY;AACtD,UAAO,GAAG,IACR,GAAG,KAAK;IACN,IAAI,YAAY;KACd,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,SAAI,CAAC,YAAY,WAAW,UAAU,CACpC,QAAO,IAAI,SACT,KAAK,UAAU;MACb,OAAO;MACP,MAAM;MACP,CAAC,EACF;MACE,QAAQ;MACR,SAAS;OACP,GAAG;OACH,gBAAgB;OACjB;MACF,CACF;KAEH,MAAM,SAAS,WAAW,MAAM,EAAE;KAElC,MAAM,YAAY,MAAM,GAAG,IACzB,GAAG,KAAK;MACN,UAAU,KAAK,IAAI,OAAO,YAAY,OAAO;MAC7C,MAAM,UAAU;MACjB,CAAC,CAAC,KACD,GAAG,KAAK;MACN,KAAK,cAAY;OAAE,IAAI;OAAM,OAAOA;OAAQ;MAC5C,MAAM,WAAW;OAAE,IAAI;OAAO;OAAO;MACtC,CAAC,CACH,CACF;AAED,SAAI,CAAC,UAAU,IAAI;AACjB,UAAI,YAAY,UAAU,MAAM,EAAE;OAChC,MAAM,EAAE,MAAM,YAAY,UAAU,MAAM;AAI1C,cAAO,IAAI,SAAS,KAAK,UAAU;QAAE,OAAO;QAAS;QAAM,CAAC,EAAE;QAC5D,QAAQ;QACR,SAAS;SACP,GAAG;SACH,gBAAgB;SACjB;QACF,CAAC;;AAEJ,YAAM,UAAU;;AAGlB,SACE,SAAS,SACT,CAAC,UAAU,MAAM,OAAO,IACtB,QAAQ,MAAM,UACd,QAAQ,MAAM,OACf,CAED,QAAO,IAAI,SACT,KAAK,UAAU;MACb,OAAO;MACP,MAAM;MACP,CAAC,EACF;MACE,QAAQ;MACR,SAAS;OACP,GAAG;OACH,gBAAgB;OACjB;MACF,CACF;KAUH,MAAM,SAAS,MAAM,QAPD,OAAO,OAAO,YAAY,EAC5C,KAAK;MACH,QAAQ,UAAU,MAAM;MACxB,OAAO,UAAU,MAAM;MACvB,QAAQ,UAAU,MAAM;MACzB,EACF,CAAC,EACwC,QAAQ;AAElD,SAAI,kBAAkB,UAAU;MAC9B,MAAM,UAAU,IAAI,QAAQ,OAAO,QAAQ;AAC3C,WAAK,MAAM,CAAC,GAAG,QAAQ,OAAO,QAAQ,YAAY,CAChD,KAAI,CAAC,QAAQ,IAAI,EAAE,CAAE,SAAQ,IAAI,GAAG,IAAI;AAE1C,aAAO,IAAI,SAAS,OAAO,MAAM;OAC/B,QAAQ,OAAO;OACf,YAAY,OAAO;OACnB;OACD,CAAC;;AAGJ,YAAO,IAAI,SAAS,KAAK,UAAU,OAAO,EAAE;MAC1C,QAAQ;MACR,SAAS;OACP,GAAG;OACH,gBAAgB;OACjB;MACF,CAAC;;IAEJ,MAAM,UAAU;IACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAU;AACpB,aAAS,MAAM;AACf,WAAO,GAAG,QACR,IAAI,SACF,KAAK,UAAU;KACb,OAAO;KACP,MAAM;KACP,CAAC,EACF;KACE,QAAQ;KACR,SAAS;MACP,GAAG;MACH,gBAAgB;MACjB;KACF,CACF,CACF;KACD,CACH,CACF;IACD;;;AAIN,SAAgB,gBACd,YACA;AACA,SACE,MACA,gBAUG;EACH,MAAM,aAAa,YAAY,QAAQ,EAAE;EACzC,MAAM,cAAsC;GAC1C,+BAA+B,WAAW,UAAU;GACpD,gCACE,WAAW,WAAW;GACxB,gCACE,WAAW,WAAW;GACzB;AAED,OAAK,MAAM;GACT,MAAM,YAAY;GAClB,QAAQ;GACR,SAAS,kBAAkB,YAAY;AACrC,WAAO,IAAI,SAAS,MAAM;KAAE,QAAQ;KAAK,SAAS;KAAa,CAAC;KAChE;GACH,CAAC;AAEF,OAAK,MAAM;GACT,MAAM,YAAY;GAClB,QAAQ,YAAY;GACpB,SAAS,WAAW,YAAY,SAAS;IACvC,OAAO,YAAY;IACnB,MAAM,YAAY;IACnB,CAAC;GACH,CAAC;;;AAIN,SAAgB,wBACd,iBACA,QACA;AACA,QAAO,OAAO,KAA4B,YAAqB;AAC7D,SAAO,GAAG,IACR,GAAG,KAAK;GACN,UAAU,OAAO,KAAK,QAAQ;GAC9B,MAAM,UAAU;GACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAU;AACpB,OAAI,YAAY,MAAM,CACpB,QAAO,GAAG,QACR,IAAI,SACF,KAAK,UAAU;IACb,MAAM,MAAM,KAAK;IACjB,SAAS,MAAM,KAAK;IACrB,CAAC,EACF;IACE,QAAQ;IACR,SAAS,EAAE,gBAAgB,oBAAoB;IAChD,CACF,CACF;YACQ,iBAAiB,YAC1B,QAAO,GAAG,QACR,IAAI,SAAS,MAAM;IACjB,QAAQ;IACR,YACE,OAAO,MAAM,SAAS,WAAW,MAAM,OAAO;IACjD,CAAC,CACH;QACI;AACL,aAAS,MAAM;AACf,WAAO,GAAG,QACR,IAAI,SAAS,MAAM;KACjB,QAAQ;KACR,YAAY;KACb,CAAC,CACH;;IAEH,CACH,CACF;;;AAIL,SAAgB,WACd,SACoC;AACpC,QAAOC,MAAa,QAAQ,QAAQ,IAAI,SAAS,IAAI,GAAG;;AAU1D,SAAS,4BACP,UACA,WACwB;CACxB,MAAM,gBAAgB,GAAG,UAAU;CAInC,MAAM,CAAC,qBAAqB,UAAU,GAAG,QAHpB,SAAS,WAAW,cAAc,GACnD,SAAS,MAAM,cAAc,OAAO,CAAC,MAAM,IAAI,CAAC,OAAO,QAAQ,GAC/D,EAAE;AAEN,KACE,wBAAwB,UACvB,aAAa,UAAU,aAAa,UAAU,aAAa,UAC5D,KAAK,WAAW,EAEhB,QAAO;AAET,QAAO;EACL;EACA,cAAc;EACd;EACA;EACD;;AAGH,SAAgB,gBACd,MACA,MAIA;CACA,MAAM,eACJ;AAEF,MAAK,MAAM;EACT,MAAM;EACN,QAAQ;EACR,SAAS,kBAAkB,YAAY;GACrC,MAAM,SAAS,KAAK,WAAW;AAC/B,UAAO,IAAI,SACT,KAAK,UAAU;IACb;IACA,UAAU,GAAG,OAAO;IACrB,CAAC,EACF;IACE,QAAQ;IACR,SAAS;KACP,gBAAgB;KAChB,iBAAiB;KAClB;IACF,CACF;IACD;EACH,CAAC;AAEF,MAAK,MAAM;EACT,MAAM;EACN,QAAQ;EACR,SAAS,kBAAkB,YAAY;AACrC,UAAO,IAAI,SAAS,KAAK,SAAS,EAAE;IAClC,QAAQ;IACR,SAAS;KACP,gBAAgB;KAChB,iBAAiB;KAClB;IACF,CAAC;IACF;EACH,CAAC;;AAGJ,SAAgB,cACd,MACA,MAUA;AACA,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBAAkB,KAAK,aAAa;EAC9C,CAAC;CAEF,MAAM,kBAAkB,kBAAkB,KAAK,eAAe;AAE9D,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS;EACV,CAAC;AAEF,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS;EACV,CAAC;;AAGJ,SAAgB,aACd,MACA,MAuCA;CACA,MAAM,cAAc,GAAG,KAAK,UAAU;AAEtC,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBACP,KAAK,wBAAwB,KAAK,OAAO,KAAK,YAAY;GACxD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,CAAC,MACH,OAAM,IAAI,UACR,sBACA,mCACD,CAAC,eAAe;AAEnB,OAAI,MAAM,aAAa,UAAU,MAAM,KAAK,WAAW,GAAG;AACxD,QAAI,MAAM,KAAK,OAAO,WACpB,QAAO,MAAM,KAAK,mBAAmB,KAAK,SAAS,MAAM;AAE3D,QAAI,MAAM,KAAK,OAAO,SACpB,QAAO,MAAM,KAAK,iBAAiB,KAAK,SAAS,MAAM;AAEzD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;AAEtD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;;AAGxD,OAAI,MAAM,aAAa,UAAU,MAAM,KAAK,WAAW,GAAG;AACxD,QAAI,MAAM,KAAK,OAAO,SACpB,QAAO,MAAM,KAAK,iBAAiB,KAAK,SAAS,MAAM;AAEzD,QAAI,MAAM,KAAK,OAAO,WACpB,QAAO,MAAM,KAAK,mBAAmB,KAAK,SAAS,MAAM;;AAG7D,OAAI,MAAM,aAAa,UAAU,MAAM,KAAK,OAAO,KACjD,QAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;AAEnD,SAAM,IAAI,UACR,sBACA,mCACD,CAAC,eAAe;IACjB,CACH;EACF,CAAC;AAEF,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBACP,KAAK,wBAAwB,KAAK,OAAO,KAAK,YAAY;GACxD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,OAAO,aAAa,UAAU,MAAM,KAAK,WAAW,GAAG;AACzD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;AAEtD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;;AAGxD,OAAI,OAAO,aAAa,UAAU,MAAM,KAAK,OAAO,KAClD,QAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;AAEnD,SAAM,IAAI,UACR,sBACA,mCACD,CAAC,eAAe;IACjB,CACH;EACF,CAAC;AAEF,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBACP,KAAK,wBAAwB,KAAK,OAAO,KAAK,YAAY;GACxD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,OAAO,aAAa,UAAU,MAAM,KAAK,OAAO,KAClD,QAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;AAEnD,SAAM,IAAI,UACR,sBACA,mCACD,CAAC,eAAe;IACjB,CACH;EACF,CAAC;AAEF,MAAK,MAAM,UAAU,CAAC,SAAS,SAAS,CACtC,MAAK,MAAM;EACT,YAAY;EACZ;EACA,SAAS,kBAAkB,OAAO,KAAK,YAAY;GACjD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,CAAC,SAAS,MAAM,aAAa,UAAU,MAAM,KAAK,OAAO,KAC3D,QAAO,KAAK,UAAU,KAAK,YAAY,2BAA2B;AAEpE,UAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;IACjD;EACH,CAAC"}
package/dist/component/server/identity.js ADDED
@@ -0,0 +1,13 @@
1
+ import { AuthError } from "./fx.js";
2
+
3
+ //#region src/server/identity.ts
4
+ /** @internal */
5
+ function userIdFromIdentitySubject(subject) {
6
+ const [userId, ...rest] = subject.split("|");
7
+ if (typeof userId !== "string" || userId.length === 0 || rest.length === 0 || rest.some((segment) => segment.length === 0)) throw new AuthError("INTERNAL_ERROR", "Authenticated identity subject is malformed.");
8
+ return userId;
9
+ }
10
+
11
+ //#endregion
12
+ export { userIdFromIdentitySubject };
13
+ //# sourceMappingURL=identity.js.map
package/dist/component/server/identity.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"identity.js","names":[],"sources":["../../../src/server/identity.ts"],"sourcesContent":["import { AuthError } from \"./fx\";\n\n/** @internal */\nexport function userIdFromIdentitySubject(subject: string): string {\n const [userId, ...rest] = subject.split(\"|\");\n if (\n typeof userId !== \"string\" ||\n userId.length === 0 ||\n rest.length === 0 ||\n rest.some((segment) => segment.length === 0)\n ) {\n throw new AuthError(\n \"INTERNAL_ERROR\",\n \"Authenticated identity subject is malformed.\",\n );\n }\n return userId;\n}\n"],"mappings":";;;;AAGA,SAAgB,0BAA0B,SAAyB;CACjE,MAAM,CAAC,QAAQ,GAAG,QAAQ,QAAQ,MAAM,IAAI;AAC5C,KACE,OAAO,WAAW,YAClB,OAAO,WAAW,KAClB,KAAK,WAAW,KAChB,KAAK,MAAM,YAAY,QAAQ,WAAW,EAAE,CAE5C,OAAM,IAAI,UACR,kBACA,+CACD;AAEH,QAAO"}
package/dist/component/server/keys.js CHANGED
@@ -18,6 +18,7 @@ const VISIBLE_PREFIX_EXTRA_CHARS = 4;
18
18
  * @param prefix - Key prefix, defaults to "sk_"
19
19
  * @returns `{ raw, hashedKey, displayPrefix }`
20
20
  */
21
+ /** @internal */
21
22
  async function generateApiKey(prefix = DEFAULT_KEY_PREFIX) {
22
23
  const raw = `${prefix}${generateRandomString(KEY_RANDOM_LENGTH, KEY_RANDOM_ALPHABET)}`;
23
24
  return {
@@ -31,6 +32,7 @@ async function generateApiKey(prefix = DEFAULT_KEY_PREFIX) {
31
32
  *
32
33
  * Used during Bearer token verification to find the stored key record.
33
34
  */
35
+ /** @internal */
34
36
  async function hashApiKey(rawKey) {
35
37
  return sha256(rawKey);
36
38
  }
@@ -43,6 +45,7 @@ async function hashApiKey(rawKey) {
43
45
  * A wildcard action `"*"` grants all actions on that resource.
44
46
  * A wildcard resource `"*"` grants the action on all resources.
45
47
  */
48
+ /** @internal */
46
49
  function buildScopeChecker(scopes) {
47
50
  return {
48
51
  scopes,
@@ -59,6 +62,7 @@ function buildScopeChecker(scopes) {
59
62
  *
60
63
  * @returns `{ limited: boolean; newState: { attemptsLeft, lastAttemptTime } }`
61
64
  */
65
+ /** @internal */
62
66
  function checkKeyRateLimit(rateLimit, state) {
63
67
  const now = Date.now();
64
68
  if (!state) return {
package/dist/component/server/keys.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"keys.js","names":[],"sources":["../../../src/server/keys.ts"],"sourcesContent":["/**\n * API Key crypto utilities.\n *\n * Uses `@oslojs/crypto` primitives for key generation and hashing:\n * - SHA-256 for hashing keys (API keys have high entropy, no need for bcrypt)\n * - Cryptographically secure random generation for key material\n *\n * @module\n */\n\nimport type { KeyScope, ScopeChecker } from \"./types\";\nimport { sha256, generateRandomString } from \"./utils\";\n\n// ============================================================================\n// Constants\n// ============================================================================\n\nconst DEFAULT_KEY_PREFIX = \"sk_\";\nconst KEY_RANDOM_LENGTH = 32;\nconst KEY_RANDOM_ALPHABET =\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\";\n\n/**\n * How many characters of the full key to store as the visible prefix.\n * Includes the prefix string (e.g. \"sk_\") plus a few random chars.\n */\nconst VISIBLE_PREFIX_EXTRA_CHARS = 4;\n\n// ============================================================================\n// Key generation\n// ============================================================================\n\n/**\n * Generate a new API key.\n *\n * Returns the raw key (to be shown once to the user) and metadata for storage.\n * The raw key is `{prefix}{32 random alphanumeric chars}`.\n *\n * @param prefix - Key prefix, defaults to \"sk_\"\n * @returns `{ raw, hashedKey, displayPrefix }`\n */\nexport async function generateApiKey(\n prefix: string = DEFAULT_KEY_PREFIX,\n): Promise<{\n /** The full raw key — show to user once, never store. */\n raw: string;\n /** SHA-256 hex hash of the raw key — store this. */\n hashedKey: string;\n /** Truncated prefix for display (e.g. \"sk_aBc1...\"). */\n displayPrefix: string;\n}> {\n const randomPart = generateRandomString(\n KEY_RANDOM_LENGTH,\n KEY_RANDOM_ALPHABET,\n );\n const raw = `${prefix}${randomPart}`;\n const hashedKey = await sha256(raw);\n const displayPrefix = `${raw.substring(0, prefix.length + VISIBLE_PREFIX_EXTRA_CHARS)}...`;\n\n return { raw, hashedKey, displayPrefix };\n}\n\n/**\n * Hash a raw API key for lookup.\n *\n * Used during Bearer token verification to find the stored key record.\n */\nexport async function hashApiKey(rawKey: string): Promise<string> {\n return sha256(rawKey);\n}\n\n// ============================================================================\n// Scope checker\n// ============================================================================\n\n/**\n * Build a `ScopeChecker` from an array of `KeyScope` entries.\n *\n * The checker provides a `.can(resource, action)` method that returns `true`\n * if any scope entry grants the requested permission.\n *\n * A wildcard action `\"*\"` grants all actions on that resource.\n * A wildcard resource `\"*\"` grants the action on all resources.\n */\nexport function buildScopeChecker(scopes: KeyScope[]): ScopeChecker {\n return {\n scopes,\n can(resource: string, action: string): boolean {\n return scopes.some(\n (scope) =>\n (scope.resource === resource || scope.resource === \"*\") &&\n (scope.actions.includes(action) || scope.actions.includes(\"*\")),\n );\n },\n };\n}\n\n// ============================================================================\n// Per-key rate limiting (token-bucket)\n// ============================================================================\n\n/**\n * Check whether a key is rate-limited based on its stored state.\n *\n * Uses the same token-bucket algorithm as sign-in rate limiting:\n * tokens refill linearly over the configured window.\n *\n * @returns `{ limited: boolean; newState: { attemptsLeft, lastAttemptTime } }`\n */\nexport function checkKeyRateLimit(\n rateLimit: { maxRequests: number; windowMs: number },\n state: { attemptsLeft: number; lastAttemptTime: number } | undefined,\n): {\n limited: boolean;\n newState: { attemptsLeft: number; lastAttemptTime: number };\n} {\n const now = Date.now();\n\n if (!state) {\n // First request — create initial state with one token consumed.\n return {\n limited: false,\n newState: {\n attemptsLeft: rateLimit.maxRequests - 1,\n lastAttemptTime: now,\n },\n };\n }\n\n const elapsed = now - state.lastAttemptTime;\n const refillRate = rateLimit.maxRequests / rateLimit.windowMs;\n const refilled = Math.min(\n rateLimit.maxRequests,\n state.attemptsLeft + elapsed * refillRate,\n );\n\n if (refilled < 1) {\n return {\n limited: true,\n newState: {\n attemptsLeft: refilled,\n lastAttemptTime: now,\n },\n };\n }\n\n return {\n limited: false,\n newState: {\n attemptsLeft: refilled - 1,\n lastAttemptTime: now,\n },\n };\n}\n"],"mappings":";;;AAiBA,MAAM,qBAAqB;AAC3B,MAAM,oBAAoB;AAC1B,MAAM,sBACJ;;;;;AAMF,MAAM,6BAA6B;;;;;;;;;;AAenC,eAAsB,eACpB,SAAiB,oBAQhB;CAKD,MAAM,MAAM,GAAG,SAJI,qBACjB,mBACA,oBACD;AAKD,QAAO;EAAE;EAAK,WAHI,MAAM,OAAO,IAAI;EAGV,eAFH,GAAG,IAAI,UAAU,GAAG,OAAO,SAAS,2BAA2B,CAAC;EAE9C;;;;;;;AAQ1C,eAAsB,WAAW,QAAiC;AAChE,QAAO,OAAO,OAAO;;;;;;;;;;;AAgBvB,SAAgB,kBAAkB,QAAkC;AAClE,QAAO;EACL;EACA,IAAI,UAAkB,QAAyB;AAC7C,UAAO,OAAO,MACX,WACE,MAAM,aAAa,YAAY,MAAM,aAAa,SAClD,MAAM,QAAQ,SAAS,OAAO,IAAI,MAAM,QAAQ,SAAS,IAAI,EACjE;;EAEJ;;;;;;;;;;AAeH,SAAgB,kBACd,WACA,OAIA;CACA,MAAM,MAAM,KAAK,KAAK;AAEtB,KAAI,CAAC,MAEH,QAAO;EACL,SAAS;EACT,UAAU;GACR,cAAc,UAAU,cAAc;GACtC,iBAAiB;GAClB;EACF;CAGH,MAAM,UAAU,MAAM,MAAM;CAC5B,MAAM,aAAa,UAAU,cAAc,UAAU;CACrD,MAAM,WAAW,KAAK,IACpB,UAAU,aACV,MAAM,eAAe,UAAU,WAChC;AAED,KAAI,WAAW,EACb,QAAO;EACL,SAAS;EACT,UAAU;GACR,cAAc;GACd,iBAAiB;GAClB;EACF;AAGH,QAAO;EACL,SAAS;EACT,UAAU;GACR,cAAc,WAAW;GACzB,iBAAiB;GAClB;EACF"}
1
+ {"version":3,"file":"keys.js","names":[],"sources":["../../../src/server/keys.ts"],"sourcesContent":["/**\n * API Key crypto utilities.\n *\n * Uses `@oslojs/crypto` primitives for key generation and hashing:\n * - SHA-256 for hashing keys (API keys have high entropy, no need for bcrypt)\n * - Cryptographically secure random generation for key material\n *\n * @module\n */\n\nimport type { KeyScope, ScopeChecker } from \"./types\";\nimport { sha256, generateRandomString } from \"./utils\";\n\n// ============================================================================\n// Constants\n// ============================================================================\n\nconst DEFAULT_KEY_PREFIX = \"sk_\";\nconst KEY_RANDOM_LENGTH = 32;\nconst KEY_RANDOM_ALPHABET =\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\";\n\n/**\n * How many characters of the full key to store as the visible prefix.\n * Includes the prefix string (e.g. \"sk_\") plus a few random chars.\n */\nconst VISIBLE_PREFIX_EXTRA_CHARS = 4;\n\n// ============================================================================\n// Key generation\n// ============================================================================\n\n/**\n * Generate a new API key.\n *\n * Returns the raw key (to be shown once to the user) and metadata for storage.\n * The raw key is `{prefix}{32 random alphanumeric chars}`.\n *\n * @param prefix - Key prefix, defaults to \"sk_\"\n * @returns `{ raw, hashedKey, displayPrefix }`\n */\n/** @internal */\nexport async function generateApiKey(\n prefix: string = DEFAULT_KEY_PREFIX,\n): Promise<{\n /** The full raw key — show to user once, never store. */\n raw: string;\n /** SHA-256 hex hash of the raw key — store this. */\n hashedKey: string;\n /** Truncated prefix for display (e.g. \"sk_aBc1...\"). */\n displayPrefix: string;\n}> {\n const randomPart = generateRandomString(\n KEY_RANDOM_LENGTH,\n KEY_RANDOM_ALPHABET,\n );\n const raw = `${prefix}${randomPart}`;\n const hashedKey = await sha256(raw);\n const displayPrefix = `${raw.substring(0, prefix.length + VISIBLE_PREFIX_EXTRA_CHARS)}...`;\n\n return { raw, hashedKey, displayPrefix };\n}\n\n/**\n * Hash a raw API key for lookup.\n *\n * Used during Bearer token verification to find the stored key record.\n */\n/** @internal */\nexport async function hashApiKey(rawKey: string): Promise<string> {\n return sha256(rawKey);\n}\n\n// ============================================================================\n// Scope checker\n// ============================================================================\n\n/**\n * Build a `ScopeChecker` from an array of `KeyScope` entries.\n *\n * The checker provides a `.can(resource, action)` method that returns `true`\n * if any scope entry grants the requested permission.\n *\n * A wildcard action `\"*\"` grants all actions on that resource.\n * A wildcard resource `\"*\"` grants the action on all resources.\n */\n/** @internal */\nexport function buildScopeChecker(scopes: KeyScope[]): ScopeChecker {\n return {\n scopes,\n can(resource: string, action: string): boolean {\n return scopes.some(\n (scope) =>\n (scope.resource === resource || scope.resource === \"*\") &&\n (scope.actions.includes(action) || scope.actions.includes(\"*\")),\n );\n },\n };\n}\n\n// ============================================================================\n// Per-key rate limiting (token-bucket)\n// ============================================================================\n\n/**\n * Check whether a key is rate-limited based on its stored state.\n *\n * Uses the same token-bucket algorithm as sign-in rate limiting:\n * tokens refill linearly over the configured window.\n *\n * @returns `{ limited: boolean; newState: { attemptsLeft, lastAttemptTime } }`\n */\n/** @internal */\nexport function checkKeyRateLimit(\n rateLimit: { maxRequests: number; windowMs: number },\n state: { attemptsLeft: number; lastAttemptTime: number } | undefined,\n): {\n limited: boolean;\n newState: { attemptsLeft: number; lastAttemptTime: number };\n} {\n const now = Date.now();\n\n if (!state) {\n // First request — create initial state with one token consumed.\n return {\n limited: false,\n newState: {\n attemptsLeft: rateLimit.maxRequests - 1,\n lastAttemptTime: now,\n },\n };\n }\n\n const elapsed = now - state.lastAttemptTime;\n const refillRate = rateLimit.maxRequests / rateLimit.windowMs;\n const refilled = Math.min(\n rateLimit.maxRequests,\n state.attemptsLeft + elapsed * refillRate,\n );\n\n if (refilled < 1) {\n return {\n limited: true,\n newState: {\n attemptsLeft: refilled,\n lastAttemptTime: now,\n },\n };\n }\n\n return {\n limited: false,\n newState: {\n attemptsLeft: refilled - 1,\n lastAttemptTime: now,\n },\n };\n}\n"],"mappings":";;;AAiBA,MAAM,qBAAqB;AAC3B,MAAM,oBAAoB;AAC1B,MAAM,sBACJ;;;;;AAMF,MAAM,6BAA6B;;;;;;;;;;;AAgBnC,eAAsB,eACpB,SAAiB,oBAQhB;CAKD,MAAM,MAAM,GAAG,SAJI,qBACjB,mBACA,oBACD;AAKD,QAAO;EAAE;EAAK,WAHI,MAAM,OAAO,IAAI;EAGV,eAFH,GAAG,IAAI,UAAU,GAAG,OAAO,SAAS,2BAA2B,CAAC;EAE9C;;;;;;;;AAS1C,eAAsB,WAAW,QAAiC;AAChE,QAAO,OAAO,OAAO;;;;;;;;;;;;AAiBvB,SAAgB,kBAAkB,QAAkC;AAClE,QAAO;EACL;EACA,IAAI,UAAkB,QAAyB;AAC7C,UAAO,OAAO,MACX,WACE,MAAM,aAAa,YAAY,MAAM,aAAa,SAClD,MAAM,QAAQ,SAAS,OAAO,IAAI,MAAM,QAAQ,SAAS,IAAI,EACjE;;EAEJ;;;;;;;;;;;AAgBH,SAAgB,kBACd,WACA,OAIA;CACA,MAAM,MAAM,KAAK,KAAK;AAEtB,KAAI,CAAC,MAEH,QAAO;EACL,SAAS;EACT,UAAU;GACR,cAAc,UAAU,cAAc;GACtC,iBAAiB;GAClB;EACF;CAGH,MAAM,UAAU,MAAM,MAAM;CAC5B,MAAM,aAAa,UAAU,cAAc,UAAU;CACrD,MAAM,WAAW,KAAK,IACpB,UAAU,aACV,MAAM,eAAe,UAAU,WAChC;AAED,KAAI,WAAW,EACb,QAAO;EACL,SAAS;EACT,UAAU;GACR,cAAc;GACd,iBAAiB;GAClB;EACF;AAGH,QAAO;EACL,SAAS;EACT,UAAU;GACR,cAAc,WAAW;GACzB,iBAAiB;GAClB;EACF"}
package/dist/component/server/mutations/account.js CHANGED
@@ -3,8 +3,8 @@ import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
3
3
  import { authDb } from "../db.js";
4
4
  import { hash } from "../provider.js";
5
5
  import { AUTH_STORE_REF } from "./store.js";
6
- import { Fx } from "@robelest/fx";
7
6
  import { v } from "convex/values";
7
+ import { Fx } from "@robelest/fx";
8
8
 
9
9
  //#region src/server/mutations/account.ts
10
10
  const modifyAccountArgs = v.object({
package/dist/component/server/mutations/index.js CHANGED
@@ -11,8 +11,8 @@ import { callSignIn, signInArgs, signInImpl } from "./signin.js";
11
11
  import { callSignOut, signOutImpl } from "./signout.js";
12
12
  import { callVerifier, verifierImpl } from "./verifier.js";
13
13
  import { callVerifyCodeAndSignIn, verifyCodeAndSignInArgs, verifyCodeAndSignInImpl } from "./verify.js";
14
- import { Fx } from "@robelest/fx";
15
14
  import { v } from "convex/values";
15
+ import { Fx } from "@robelest/fx";
16
16
 
17
17
  //#region src/server/mutations/index.ts
18
18
  const storeArgs = v.object({ args: v.union(v.object({
@@ -48,7 +48,7 @@ const storeArgs = v.object({ args: v.union(v.object({
48
48
  })) });
49
49
  const storeImpl = async (ctx, fnArgs, getProviderOrThrow, config) => {
50
50
  const args = fnArgs.args;
51
- logWithLevel(LOG_LEVELS.INFO, `\`auth/store:run\` type: ${args.type}`);
51
+ logWithLevel(LOG_LEVELS.INFO, `\`auth:store\` type: ${args.type}`);
52
52
  return Fx.run(Fx.match(args, args.type, {
53
53
  signIn: (a) => Fx.from({
54
54
  ok: () => signInImpl(ctx, a, config),
package/dist/component/server/mutations/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","names":[],"sources":["../../../../src/server/mutations/index.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../provider\";\nimport { MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nimport { modifyAccountArgs, modifyAccountImpl } from \"./account\";\nimport { createVerificationCodeArgs, createVerificationCodeImpl } from \"./code\";\nimport { invalidateSessionsArgs, invalidateSessionsImpl } from \"./invalidate\";\nimport { userOAuthArgs, userOAuthImpl } from \"./oauth\";\nimport { refreshSessionArgs, refreshSessionImpl } from \"./refresh\";\nimport {\n createAccountFromCredentialsArgs,\n createAccountFromCredentialsImpl,\n} from \"./register\";\nimport {\n retrieveAccountWithCredentialsArgs,\n retrieveAccountWithCredentialsImpl,\n} from \"./retrieve\";\nimport { verifierSignatureArgs, verifierSignatureImpl } from \"./signature\";\nimport { signInArgs, signInImpl } from \"./signin\";\nimport { signOutImpl } from \"./signout\";\nimport { verifierImpl } from \"./verifier\";\nimport { verifyCodeAndSignInArgs, verifyCodeAndSignInImpl } from \"./verify\";\nexport { callInvalidateSessions } from \"./invalidate\";\nexport { callModifyAccount } from \"./account\";\nexport {\n callRetrieveAccountWithCredentials,\n callRetreiveAccountWithCredentials,\n} from \"./retrieve\";\nexport { callCreateAccountFromCredentials } from \"./register\";\nexport { callCreateVerificationCode } from \"./code\";\nexport { callUserOAuth } from \"./oauth\";\nexport { callVerifierSignature } from \"./signature\";\nexport { callVerifyCodeAndSignIn } from \"./verify\";\nexport { callVerifier } from \"./verifier\";\nexport { callRefreshSession } from \"./refresh\";\nexport { callSignOut } from \"./signout\";\nexport { callSignIn } from \"./signin\";\n\nexport const storeArgs = v.object({\n args: v.union(\n v.object({\n type: v.literal(\"signIn\"),\n ...signInArgs.fields,\n }),\n v.object({\n type: v.literal(\"signOut\"),\n }),\n v.object({\n type: v.literal(\"refreshSession\"),\n ...refreshSessionArgs.fields,\n }),\n v.object({\n type: v.literal(\"verifyCodeAndSignIn\"),\n ...verifyCodeAndSignInArgs.fields,\n }),\n v.object({\n type: v.literal(\"verifier\"),\n }),\n v.object({\n type: v.literal(\"verifierSignature\"),\n ...verifierSignatureArgs.fields,\n }),\n v.object({\n type: v.literal(\"userOAuth\"),\n ...userOAuthArgs.fields,\n }),\n v.object({\n type: v.literal(\"createVerificationCode\"),\n ...createVerificationCodeArgs.fields,\n }),\n v.object({\n type: v.literal(\"createAccountFromCredentials\"),\n ...createAccountFromCredentialsArgs.fields,\n }),\n v.object({\n type: v.literal(\"retrieveAccountWithCredentials\"),\n ...retrieveAccountWithCredentialsArgs.fields,\n }),\n v.object({\n type: v.literal(\"modifyAccount\"),\n ...modifyAccountArgs.fields,\n }),\n v.object({\n type: v.literal(\"invalidateSessions\"),\n ...invalidateSessionsArgs.fields,\n }),\n ),\n});\n\nexport const storeImpl = async (\n ctx: MutationCtx,\n fnArgs: Infer<typeof storeArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n) => {\n const args = fnArgs.args;\n logWithLevel(LOG_LEVELS.INFO, `\\`auth/store:run\\` type: ${args.type}`);\n return Fx.run(\n Fx.match(args, args.type, {\n signIn: (a) =>\n Fx.from({\n ok: () => signInImpl(ctx, a, config),\n err: (e) => e as never,\n }),\n signOut: () => signOutImpl(ctx, config),\n refreshSession: (a) =>\n Fx.from({\n ok: () => refreshSessionImpl(ctx, a, getProviderOrThrow, config),\n err: (e) => e as never,\n }),\n verifyCodeAndSignIn: (a) =>\n Fx.from({\n ok: () => verifyCodeAndSignInImpl(ctx, a, getProviderOrThrow, config),\n err: (e) => e as never,\n }),\n verifier: () => verifierImpl(ctx, config),\n verifierSignature: (a) =>\n verifierSignatureImpl(ctx, a, config).pipe(\n Fx.recover((e) => Fx.fatal(e.toConvexError())),\n ),\n userOAuth: (a) =>\n userOAuthImpl(ctx, a, getProviderOrThrow, config).pipe(\n Fx.recover((e) => Fx.fatal(e.toConvexError())),\n ),\n createVerificationCode: (a) =>\n Fx.from({\n ok: () =>\n createVerificationCodeImpl(ctx, a, getProviderOrThrow, config),\n err: (e) => e as never,\n }),\n createAccountFromCredentials: (a) =>\n Fx.from({\n ok: () =>\n createAccountFromCredentialsImpl(\n ctx,\n a,\n getProviderOrThrow,\n config,\n ),\n err: (e) => e as never,\n }),\n retrieveAccountWithCredentials: (a) =>\n retrieveAccountWithCredentialsImpl(ctx, a, getProviderOrThrow, config),\n modifyAccount: (a) =>\n modifyAccountImpl(ctx, a, getProviderOrThrow, config).pipe(\n Fx.recover((e) => Fx.fatal(e.toConvexError())),\n ),\n invalidateSessions: (a) => invalidateSessionsImpl(ctx, a, config),\n }),\n );\n};\n"],"mappings":";;;;;;;;;;;;;;;;;AAwCA,MAAa,YAAY,EAAE,OAAO,EAChC,MAAM,EAAE,MACN,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,SAAS;CACzB,GAAG,WAAW;CACf,CAAC,EACF,EAAE,OAAO,EACP,MAAM,EAAE,QAAQ,UAAU,EAC3B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,iBAAiB;CACjC,GAAG,mBAAmB;CACvB,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,sBAAsB;CACtC,GAAG,wBAAwB;CAC5B,CAAC,EACF,EAAE,OAAO,EACP,MAAM,EAAE,QAAQ,WAAW,EAC5B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,oBAAoB;CACpC,GAAG,sBAAsB;CAC1B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,YAAY;CAC5B,GAAG,cAAc;CAClB,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,yBAAyB;CACzC,GAAG,2BAA2B;CAC/B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,+BAA+B;CAC/C,GAAG,iCAAiC;CACrC,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,iCAAiC;CACjD,GAAG,mCAAmC;CACvC,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,gBAAgB;CAChC,GAAG,kBAAkB;CACtB,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,qBAAqB;CACrC,GAAG,uBAAuB;CAC3B,CAAC,CACH,EACF,CAAC;AAEF,MAAa,YAAY,OACvB,KACA,QACA,oBACA,WACG;CACH,MAAM,OAAO,OAAO;AACpB,cAAa,WAAW,MAAM,4BAA4B,KAAK,OAAO;AACtE,QAAO,GAAG,IACR,GAAG,MAAM,MAAM,KAAK,MAAM;EACxB,SAAS,MACP,GAAG,KAAK;GACN,UAAU,WAAW,KAAK,GAAG,OAAO;GACpC,MAAM,MAAM;GACb,CAAC;EACJ,eAAe,YAAY,KAAK,OAAO;EACvC,iBAAiB,MACf,GAAG,KAAK;GACN,UAAU,mBAAmB,KAAK,GAAG,oBAAoB,OAAO;GAChE,MAAM,MAAM;GACb,CAAC;EACJ,sBAAsB,MACpB,GAAG,KAAK;GACN,UAAU,wBAAwB,KAAK,GAAG,oBAAoB,OAAO;GACrE,MAAM,MAAM;GACb,CAAC;EACJ,gBAAgB,aAAa,KAAK,OAAO;EACzC,oBAAoB,MAClB,sBAAsB,KAAK,GAAG,OAAO,CAAC,KACpC,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAC/C;EACH,YAAY,MACV,cAAc,KAAK,GAAG,oBAAoB,OAAO,CAAC,KAChD,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAC/C;EACH,yBAAyB,MACvB,GAAG,KAAK;GACN,UACE,2BAA2B,KAAK,GAAG,oBAAoB,OAAO;GAChE,MAAM,MAAM;GACb,CAAC;EACJ,+BAA+B,MAC7B,GAAG,KAAK;GACN,UACE,iCACE,KACA,GACA,oBACA,OACD;GACH,MAAM,MAAM;GACb,CAAC;EACJ,iCAAiC,MAC/B,mCAAmC,KAAK,GAAG,oBAAoB,OAAO;EACxE,gBAAgB,MACd,kBAAkB,KAAK,GAAG,oBAAoB,OAAO,CAAC,KACpD,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAC/C;EACH,qBAAqB,MAAM,uBAAuB,KAAK,GAAG,OAAO;EAClE,CAAC,CACH"}
1
+ {"version":3,"file":"index.js","names":[],"sources":["../../../../src/server/mutations/index.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../provider\";\nimport { MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nimport { modifyAccountArgs, modifyAccountImpl } from \"./account\";\nimport { createVerificationCodeArgs, createVerificationCodeImpl } from \"./code\";\nimport { invalidateSessionsArgs, invalidateSessionsImpl } from \"./invalidate\";\nimport { userOAuthArgs, userOAuthImpl } from \"./oauth\";\nimport { refreshSessionArgs, refreshSessionImpl } from \"./refresh\";\nimport {\n createAccountFromCredentialsArgs,\n createAccountFromCredentialsImpl,\n} from \"./register\";\nimport {\n retrieveAccountWithCredentialsArgs,\n retrieveAccountWithCredentialsImpl,\n} from \"./retrieve\";\nimport { verifierSignatureArgs, verifierSignatureImpl } from \"./signature\";\nimport { signInArgs, signInImpl } from \"./signin\";\nimport { signOutImpl } from \"./signout\";\nimport { verifierImpl } from \"./verifier\";\nimport { verifyCodeAndSignInArgs, verifyCodeAndSignInImpl } from \"./verify\";\nexport { callInvalidateSessions } from \"./invalidate\";\nexport { callModifyAccount } from \"./account\";\nexport {\n callRetrieveAccountWithCredentials,\n callRetreiveAccountWithCredentials,\n} from \"./retrieve\";\nexport { callCreateAccountFromCredentials } from \"./register\";\nexport { callCreateVerificationCode } from \"./code\";\nexport { callUserOAuth } from \"./oauth\";\nexport { callVerifierSignature } from \"./signature\";\nexport { callVerifyCodeAndSignIn } from \"./verify\";\nexport { callVerifier } from \"./verifier\";\nexport { callRefreshSession } from \"./refresh\";\nexport { callSignOut } from \"./signout\";\nexport { callSignIn } from \"./signin\";\n\nexport const storeArgs = v.object({\n args: v.union(\n v.object({\n type: v.literal(\"signIn\"),\n ...signInArgs.fields,\n }),\n v.object({\n type: v.literal(\"signOut\"),\n }),\n v.object({\n type: v.literal(\"refreshSession\"),\n ...refreshSessionArgs.fields,\n }),\n v.object({\n type: v.literal(\"verifyCodeAndSignIn\"),\n ...verifyCodeAndSignInArgs.fields,\n }),\n v.object({\n type: v.literal(\"verifier\"),\n }),\n v.object({\n type: v.literal(\"verifierSignature\"),\n ...verifierSignatureArgs.fields,\n }),\n v.object({\n type: v.literal(\"userOAuth\"),\n ...userOAuthArgs.fields,\n }),\n v.object({\n type: v.literal(\"createVerificationCode\"),\n ...createVerificationCodeArgs.fields,\n }),\n v.object({\n type: v.literal(\"createAccountFromCredentials\"),\n ...createAccountFromCredentialsArgs.fields,\n }),\n v.object({\n type: v.literal(\"retrieveAccountWithCredentials\"),\n ...retrieveAccountWithCredentialsArgs.fields,\n }),\n v.object({\n type: v.literal(\"modifyAccount\"),\n ...modifyAccountArgs.fields,\n }),\n v.object({\n type: v.literal(\"invalidateSessions\"),\n ...invalidateSessionsArgs.fields,\n }),\n ),\n});\n\nexport const storeImpl = async (\n ctx: MutationCtx,\n fnArgs: Infer<typeof storeArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n) => {\n const args = fnArgs.args;\n logWithLevel(LOG_LEVELS.INFO, `\\`auth:store\\` type: ${args.type}`);\n return Fx.run(\n Fx.match(args, args.type, {\n signIn: (a) =>\n Fx.from({\n ok: () => signInImpl(ctx, a, config),\n err: (e) => e as never,\n }),\n signOut: () => signOutImpl(ctx, config),\n refreshSession: (a) =>\n Fx.from({\n ok: () => refreshSessionImpl(ctx, a, getProviderOrThrow, config),\n err: (e) => e as never,\n }),\n verifyCodeAndSignIn: (a) =>\n Fx.from({\n ok: () => verifyCodeAndSignInImpl(ctx, a, getProviderOrThrow, config),\n err: (e) => e as never,\n }),\n verifier: () => verifierImpl(ctx, config),\n verifierSignature: (a) =>\n verifierSignatureImpl(ctx, a, config).pipe(\n Fx.recover((e) => Fx.fatal(e.toConvexError())),\n ),\n userOAuth: (a) =>\n userOAuthImpl(ctx, a, getProviderOrThrow, config).pipe(\n Fx.recover((e) => Fx.fatal(e.toConvexError())),\n ),\n createVerificationCode: (a) =>\n Fx.from({\n ok: () =>\n createVerificationCodeImpl(ctx, a, getProviderOrThrow, config),\n err: (e) => e as never,\n }),\n createAccountFromCredentials: (a) =>\n Fx.from({\n ok: () =>\n createAccountFromCredentialsImpl(\n ctx,\n a,\n getProviderOrThrow,\n config,\n ),\n err: (e) => e as never,\n }),\n retrieveAccountWithCredentials: (a) =>\n retrieveAccountWithCredentialsImpl(ctx, a, getProviderOrThrow, config),\n modifyAccount: (a) =>\n modifyAccountImpl(ctx, a, getProviderOrThrow, config).pipe(\n Fx.recover((e) => Fx.fatal(e.toConvexError())),\n ),\n invalidateSessions: (a) => invalidateSessionsImpl(ctx, a, config),\n }),\n );\n};\n"],"mappings":";;;;;;;;;;;;;;;;;AAwCA,MAAa,YAAY,EAAE,OAAO,EAChC,MAAM,EAAE,MACN,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,SAAS;CACzB,GAAG,WAAW;CACf,CAAC,EACF,EAAE,OAAO,EACP,MAAM,EAAE,QAAQ,UAAU,EAC3B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,iBAAiB;CACjC,GAAG,mBAAmB;CACvB,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,sBAAsB;CACtC,GAAG,wBAAwB;CAC5B,CAAC,EACF,EAAE,OAAO,EACP,MAAM,EAAE,QAAQ,WAAW,EAC5B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,oBAAoB;CACpC,GAAG,sBAAsB;CAC1B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,YAAY;CAC5B,GAAG,cAAc;CAClB,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,yBAAyB;CACzC,GAAG,2BAA2B;CAC/B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,+BAA+B;CAC/C,GAAG,iCAAiC;CACrC,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,iCAAiC;CACjD,GAAG,mCAAmC;CACvC,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,gBAAgB;CAChC,GAAG,kBAAkB;CACtB,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,qBAAqB;CACrC,GAAG,uBAAuB;CAC3B,CAAC,CACH,EACF,CAAC;AAEF,MAAa,YAAY,OACvB,KACA,QACA,oBACA,WACG;CACH,MAAM,OAAO,OAAO;AACpB,cAAa,WAAW,MAAM,wBAAwB,KAAK,OAAO;AAClE,QAAO,GAAG,IACR,GAAG,MAAM,MAAM,KAAK,MAAM;EACxB,SAAS,MACP,GAAG,KAAK;GACN,UAAU,WAAW,KAAK,GAAG,OAAO;GACpC,MAAM,MAAM;GACb,CAAC;EACJ,eAAe,YAAY,KAAK,OAAO;EACvC,iBAAiB,MACf,GAAG,KAAK;GACN,UAAU,mBAAmB,KAAK,GAAG,oBAAoB,OAAO;GAChE,MAAM,MAAM;GACb,CAAC;EACJ,sBAAsB,MACpB,GAAG,KAAK;GACN,UAAU,wBAAwB,KAAK,GAAG,oBAAoB,OAAO;GACrE,MAAM,MAAM;GACb,CAAC;EACJ,gBAAgB,aAAa,KAAK,OAAO;EACzC,oBAAoB,MAClB,sBAAsB,KAAK,GAAG,OAAO,CAAC,KACpC,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAC/C;EACH,YAAY,MACV,cAAc,KAAK,GAAG,oBAAoB,OAAO,CAAC,KAChD,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAC/C;EACH,yBAAyB,MACvB,GAAG,KAAK;GACN,UACE,2BAA2B,KAAK,GAAG,oBAAoB,OAAO;GAChE,MAAM,MAAM;GACb,CAAC;EACJ,+BAA+B,MAC7B,GAAG,KAAK;GACN,UACE,iCACE,KACA,GACA,oBACA,OACD;GACH,MAAM,MAAM;GACb,CAAC;EACJ,iCAAiC,MAC/B,mCAAmC,KAAK,GAAG,oBAAoB,OAAO;EACxE,gBAAgB,MACd,kBAAkB,KAAK,GAAG,oBAAoB,OAAO,CAAC,KACpD,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAC/C;EACH,qBAAqB,MAAM,uBAAuB,KAAK,GAAG,OAAO;EAClE,CAAC,CACH"}
package/dist/component/server/mutations/invalidate.js CHANGED
@@ -2,8 +2,8 @@ import { LOG_LEVELS, logWithLevel } from "../utils.js";
2
2
  import { authDb } from "../db.js";
3
3
  import { AUTH_STORE_REF } from "./store.js";
4
4
  import { deleteSession } from "../sessions.js";
5
- import { Fx } from "@robelest/fx";
6
5
  import { v } from "convex/values";
6
+ import { Fx } from "@robelest/fx";
7
7
 
8
8
  //#region src/server/mutations/invalidate.ts
9
9
  const invalidateSessionsArgs = v.object({
package/dist/component/server/mutations/oauth.js CHANGED
@@ -3,9 +3,9 @@ import { generateRandomString, logWithLevel, sha256 } from "../utils.js";
3
3
  import { authDb } from "../db.js";
4
4
  import { AUTH_STORE_REF } from "./store.js";
5
5
  import { upsertUserAndAccount } from "../users.js";
6
- import { ENTERPRISE_OIDC_PROVIDER_PREFIX, ENTERPRISE_SAML_PROVIDER_PREFIX, createSyntheticOAuthMaterializedConfig, isEnterpriseProviderId } from "../sso.js";
7
- import { Fx } from "@robelest/fx";
6
+ import { ENTERPRISE_OIDC_PROVIDER_PREFIX, ENTERPRISE_SAML_PROVIDER_PREFIX, createSyntheticOAuthMaterializedConfig, isEnterpriseProviderId, normalizeEnterprisePolicy } from "../sso.js";
8
7
  import { v } from "convex/values";
8
+ import { Fx } from "@robelest/fx";
9
9
 
10
10
  //#region src/server/mutations/oauth.ts
11
11
  const OAUTH_SIGN_IN_EXPIRATION_MS = 1e3 * 60 * 2;
@@ -47,7 +47,10 @@ function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
47
47
  const db = authDb(ctx, config);
48
48
  const existingAccount = yield* Fx.promise(() => db.accounts.get(provider, providerAccountId));
49
49
  const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX) ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length) : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX) ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length) : null;
50
- const existingScimIdentity = enterpriseId !== null && existingAccount === null ? yield* Fx.promise(() => ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {
50
+ const enterprise = enterpriseId !== null ? yield* Fx.promise(() => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId })) : null;
51
+ const enterprisePolicy = enterprise ? normalizeEnterprisePolicy(enterprise.policy) : null;
52
+ const enterpriseProtocol = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX) ? "oidc" : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX) ? "saml" : null;
53
+ const existingScimIdentity = enterpriseId !== null && existingAccount === null && enterprisePolicy?.provisioning.scimReuse.user === "externalId" ? yield* Fx.promise(() => ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {
51
54
  enterpriseId,
52
55
  resourceType: "user",
53
56
  externalId: providerAccountId
@@ -58,14 +61,14 @@ function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
58
61
  }).pipe(Fx.chain((doc) => doc === null ? Fx.fail(new AuthError("OAUTH_INVALID_STATE")) : Fx.succeed(doc)));
59
62
  const { accountId } = yield* Fx.promise(() => upsertUserAndAccount(ctx, verifier.sessionId ?? null, existingAccount !== null ? { existingAccount } : { providerAccountId }, {
60
63
  type: "oauth",
61
- provider: isEnterpriseProviderId(provider) ? createSyntheticOAuthMaterializedConfig(provider) : getProviderOrThrow(provider),
64
+ provider: isEnterpriseProviderId(provider) ? createSyntheticOAuthMaterializedConfig(provider, { accountLinking: enterpriseProtocol === "oidc" ? enterprisePolicy?.identity.accountLinking.oidc : enterpriseProtocol === "saml" ? enterprisePolicy?.identity.accountLinking.saml : void 0 }) : getProviderOrThrow(provider),
62
65
  profile,
63
66
  accountExtend: normalizeAccountExtend(provider, providerAccountId, accountExtend)
64
67
  }, config, existingScimIdentity?.userId ? { existingUserId: existingScimIdentity.userId } : void 0));
65
- if (enterpriseId !== null) {
68
+ if (enterpriseId !== null && enterprisePolicy?.provisioning.jit.mode === "createUserAndMembership") {
66
69
  const userId = (yield* Fx.promise(() => db.accounts.getById(accountId)))?.userId;
67
70
  if (userId) {
68
- const groupId = (yield* Fx.promise(() => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId })))?.groupId;
71
+ const groupId = enterprise?.groupId;
69
72
  if (groupId) {
70
73
  if ((yield* Fx.promise(() => ctx.runQuery(config.component.public.memberGetByGroupAndUser, {
71
74
  userId,
@@ -73,7 +76,7 @@ function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
73
76
  }))) === null) yield* Fx.promise(() => ctx.runMutation(config.component.public.memberAdd, {
74
77
  groupId,
75
78
  userId,
76
- role: "member",
79
+ roleIds: enterprisePolicy.provisioning.jit.defaultRoleIds,
77
80
  status: "active"
78
81
  }));
79
82
  }
package/dist/component/server/mutations/oauth.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth.js","names":[],"sources":["../../../../src/server/mutations/oauth.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../fx\";\nimport * as Provider from \"../provider\";\nimport {\n ENTERPRISE_OIDC_PROVIDER_PREFIX,\n ENTERPRISE_SAML_PROVIDER_PREFIX,\n createSyntheticOAuthMaterializedConfig,\n isEnterpriseProviderId,\n} from \"../sso\";\nimport { MutationCtx } from \"../types\";\nimport type { AuthProviderMaterializedConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { generateRandomString, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store\";\n\nconst OAUTH_SIGN_IN_EXPIRATION_MS = 1000 * 60 * 2; // 2 minutes\n\nexport const userOAuthArgs = v.object({\n provider: v.string(),\n providerAccountId: v.string(),\n profile: v.any(),\n signature: v.string(),\n accountExtend: v.optional(v.any()),\n});\n\nfunction normalizeAccountExtend(\n provider: string,\n providerAccountId: string,\n accountExtend: unknown,\n) {\n const baseIdentity: Record<string, unknown> = {\n type: \"oauth\",\n provider,\n providerAccountId,\n };\n if (provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)) {\n baseIdentity.type = \"enterprise-oidc\";\n baseIdentity.enterpriseId = provider.slice(\n ENTERPRISE_OIDC_PROVIDER_PREFIX.length,\n );\n }\n if (provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)) {\n baseIdentity.type = \"enterprise-saml\";\n baseIdentity.enterpriseId = provider.slice(\n ENTERPRISE_SAML_PROVIDER_PREFIX.length,\n );\n }\n const provided =\n typeof accountExtend === \"object\" &&\n accountExtend !== null &&\n !Array.isArray(accountExtend)\n ? (accountExtend as Record<string, unknown>)\n : undefined;\n const providedIdentity =\n provided &&\n typeof provided.identity === \"object\" &&\n provided.identity !== null &&\n !Array.isArray(provided.identity)\n ? (provided.identity as Record<string, unknown>)\n : undefined;\n return {\n ...provided,\n identity: {\n ...baseIdentity,\n ...providedIdentity,\n },\n };\n}\n\ntype ReturnType = string;\n\nexport function userOAuthImpl(\n ctx: MutationCtx,\n args: Infer<typeof userOAuthArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Fx<ReturnType, AuthError> {\n return Fx.gen(function* () {\n logWithLevel(\"DEBUG\", \"userOAuthImpl args:\", args);\n const { profile, provider, providerAccountId, signature, accountExtend } =\n args;\n const db = authDb(ctx, config);\n const existingAccount = yield* Fx.promise(() =>\n db.accounts.get(provider, providerAccountId),\n );\n const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)\n ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length)\n : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length)\n : null;\n // Always try to reuse SCIM-provisioned user by externalId for enterprise sign-ins.\n const existingScimIdentity =\n enterpriseId !== null && existingAccount === null\n ? yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {\n enterpriseId,\n resourceType: \"user\",\n externalId: providerAccountId,\n }),\n )\n : null;\n\n const verifier = yield* Fx.from({\n ok: () => db.verifiers.getBySignature(signature),\n err: () => new AuthError(\"OAUTH_INVALID_STATE\"),\n }).pipe(\n Fx.chain((doc) =>\n doc === null\n ? Fx.fail(new AuthError(\"OAUTH_INVALID_STATE\"))\n : Fx.succeed(doc),\n ),\n );\n\n const { accountId } = yield* Fx.promise(() =>\n upsertUserAndAccount(\n ctx,\n verifier.sessionId ?? null,\n existingAccount !== null ? { existingAccount } : { providerAccountId },\n {\n type: \"oauth\",\n provider: (isEnterpriseProviderId(provider)\n ? createSyntheticOAuthMaterializedConfig(provider)\n : getProviderOrThrow(provider)) as AuthProviderMaterializedConfig,\n profile,\n accountExtend: normalizeAccountExtend(\n provider,\n providerAccountId,\n accountExtend,\n ),\n },\n config,\n existingScimIdentity?.userId\n ? { existingUserId: existingScimIdentity.userId }\n : undefined,\n ),\n );\n\n // JIT group provisioning: if this is an enterprise SSO sign-in and the\n // enterprise connection has a groupId, auto-add the user as a member of\n // that group if they aren't already a member.\n if (enterpriseId !== null) {\n const account = yield* Fx.promise(() => db.accounts.getById(accountId));\n const userId = account?.userId;\n if (userId) {\n const enterprise = yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId }),\n );\n const groupId = (enterprise as any)?.groupId as string | undefined;\n if (groupId) {\n const existingMembership = yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.memberGetByGroupAndUser, {\n userId,\n groupId,\n }),\n );\n if (existingMembership === null) {\n yield* Fx.promise(() =>\n ctx.runMutation(config.component.public.memberAdd, {\n groupId,\n userId,\n role: \"member\",\n status: \"active\",\n }),\n );\n }\n }\n }\n }\n\n const code = generateRandomString(8, \"0123456789\");\n yield* Fx.promise(() => db.verifiers.delete(verifier._id));\n const existingVerificationCode = yield* Fx.promise(() =>\n db.verificationCodes.getByAccountId(accountId),\n );\n if (existingVerificationCode !== null) {\n yield* Fx.promise(() =>\n db.verificationCodes.delete(existingVerificationCode._id),\n );\n }\n yield* Fx.promise(async () =>\n db.verificationCodes.create({\n code: await sha256(code),\n accountId,\n provider,\n expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,\n verifier: verifier._id,\n }),\n );\n return code;\n });\n}\n\nexport const callUserOAuth = async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof userOAuthArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"userOAuth\",\n ...args,\n },\n });\n};\n"],"mappings":";;;;;;;;;;AAmBA,MAAM,8BAA8B,MAAO,KAAK;AAEhD,MAAa,gBAAgB,EAAE,OAAO;CACpC,UAAU,EAAE,QAAQ;CACpB,mBAAmB,EAAE,QAAQ;CAC7B,SAAS,EAAE,KAAK;CAChB,WAAW,EAAE,QAAQ;CACrB,eAAe,EAAE,SAAS,EAAE,KAAK,CAAC;CACnC,CAAC;AAEF,SAAS,uBACP,UACA,mBACA,eACA;CACA,MAAM,eAAwC;EAC5C,MAAM;EACN;EACA;EACD;AACD,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;AAEH,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;CAEH,MAAM,WACJ,OAAO,kBAAkB,YACzB,kBAAkB,QAClB,CAAC,MAAM,QAAQ,cAAc,GACxB,gBACD;CACN,MAAM,mBACJ,YACA,OAAO,SAAS,aAAa,YAC7B,SAAS,aAAa,QACtB,CAAC,MAAM,QAAQ,SAAS,SAAS,GAC5B,SAAS,WACV;AACN,QAAO;EACL,GAAG;EACH,UAAU;GACR,GAAG;GACH,GAAG;GACJ;EACF;;AAKH,SAAgB,cACd,KACA,MACA,oBACA,QAC2B;AAC3B,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,SAAS,uBAAuB,KAAK;EAClD,MAAM,EAAE,SAAS,UAAU,mBAAmB,WAAW,kBACvD;EACF,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,kBAAkB,CAC7C;EACD,MAAM,eAAe,SAAS,WAAW,gCAAgC,GACrE,SAAS,MAAM,gCAAgC,OAAO,GACtD,SAAS,WAAW,gCAAgC,GAClD,SAAS,MAAM,gCAAgC,OAAO,GACtD;EAEN,MAAM,uBACJ,iBAAiB,QAAQ,oBAAoB,OACzC,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,2BAA2B;GAC9D;GACA,cAAc;GACd,YAAY;GACb,CAAC,CACH,GACD;EAEN,MAAM,WAAW,OAAO,GAAG,KAAK;GAC9B,UAAU,GAAG,UAAU,eAAe,UAAU;GAChD,WAAW,IAAI,UAAU,sBAAsB;GAChD,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC,GAC7C,GAAG,QAAQ,IAAI,CACpB,CACF;EAED,MAAM,EAAE,cAAc,OAAO,GAAG,cAC9B,qBACE,KACA,SAAS,aAAa,MACtB,oBAAoB,OAAO,EAAE,iBAAiB,GAAG,EAAE,mBAAmB,EACtE;GACE,MAAM;GACN,UAAW,uBAAuB,SAAS,GACvC,uCAAuC,SAAS,GAChD,mBAAmB,SAAS;GAChC;GACA,eAAe,uBACb,UACA,mBACA,cACD;GACF,EACD,QACA,sBAAsB,SAClB,EAAE,gBAAgB,qBAAqB,QAAQ,GAC/C,OACL,CACF;AAKD,MAAI,iBAAiB,MAAM;GAEzB,MAAM,UADU,OAAO,GAAG,cAAc,GAAG,SAAS,QAAQ,UAAU,CAAC,GAC/C;AACxB,OAAI,QAAQ;IAIV,MAAM,WAHa,OAAO,GAAG,cAC3B,IAAI,SAAS,OAAO,UAAU,OAAO,eAAe,EAAE,cAAc,CAAC,CACtE,GACoC;AACrC,QAAI,SAOF;UAN2B,OAAO,GAAG,cACnC,IAAI,SAAS,OAAO,UAAU,OAAO,yBAAyB;MAC5D;MACA;MACD,CAAC,CACH,MAC0B,KACzB,QAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;MACjD;MACA;MACA,MAAM;MACN,QAAQ;MACT,CAAC,CACH;;;;EAMT,MAAM,OAAO,qBAAqB,GAAG,aAAa;AAClD,SAAO,GAAG,cAAc,GAAG,UAAU,OAAO,SAAS,IAAI,CAAC;EAC1D,MAAM,2BAA2B,OAAO,GAAG,cACzC,GAAG,kBAAkB,eAAe,UAAU,CAC/C;AACD,MAAI,6BAA6B,KAC/B,QAAO,GAAG,cACR,GAAG,kBAAkB,OAAO,yBAAyB,IAAI,CAC1D;AAEH,SAAO,GAAG,QAAQ,YAChB,GAAG,kBAAkB,OAAO;GAC1B,MAAM,MAAM,OAAO,KAAK;GACxB;GACA;GACA,gBAAgB,KAAK,KAAK,GAAG;GAC7B,UAAU,SAAS;GACpB,CAAC,CACH;AACD,SAAO;GACP;;AAGJ,MAAa,gBAAgB,OAC3B,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
1
+ {"version":3,"file":"oauth.js","names":[],"sources":["../../../../src/server/mutations/oauth.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../fx\";\nimport * as Provider from \"../provider\";\nimport {\n ENTERPRISE_OIDC_PROVIDER_PREFIX,\n ENTERPRISE_SAML_PROVIDER_PREFIX,\n createSyntheticOAuthMaterializedConfig,\n isEnterpriseProviderId,\n normalizeEnterprisePolicy,\n} from \"../sso\";\nimport { MutationCtx } from \"../types\";\nimport type { AuthProviderMaterializedConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { generateRandomString, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store\";\n\nconst OAUTH_SIGN_IN_EXPIRATION_MS = 1000 * 60 * 2; // 2 minutes\n\nexport const userOAuthArgs = v.object({\n provider: v.string(),\n providerAccountId: v.string(),\n profile: v.any(),\n signature: v.string(),\n accountExtend: v.optional(v.any()),\n});\n\nfunction normalizeAccountExtend(\n provider: string,\n providerAccountId: string,\n accountExtend: unknown,\n) {\n const baseIdentity: Record<string, unknown> = {\n type: \"oauth\",\n provider,\n providerAccountId,\n };\n if (provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)) {\n baseIdentity.type = \"enterprise-oidc\";\n baseIdentity.enterpriseId = provider.slice(\n ENTERPRISE_OIDC_PROVIDER_PREFIX.length,\n );\n }\n if (provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)) {\n baseIdentity.type = \"enterprise-saml\";\n baseIdentity.enterpriseId = provider.slice(\n ENTERPRISE_SAML_PROVIDER_PREFIX.length,\n );\n }\n const provided =\n typeof accountExtend === \"object\" &&\n accountExtend !== null &&\n !Array.isArray(accountExtend)\n ? (accountExtend as Record<string, unknown>)\n : undefined;\n const providedIdentity =\n provided &&\n typeof provided.identity === \"object\" &&\n provided.identity !== null &&\n !Array.isArray(provided.identity)\n ? (provided.identity as Record<string, unknown>)\n : undefined;\n return {\n ...provided,\n identity: {\n ...baseIdentity,\n ...providedIdentity,\n },\n };\n}\n\ntype ReturnType = string;\n\nexport function userOAuthImpl(\n ctx: MutationCtx,\n args: Infer<typeof userOAuthArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Fx<ReturnType, AuthError> {\n return Fx.gen(function* () {\n logWithLevel(\"DEBUG\", \"userOAuthImpl args:\", args);\n const { profile, provider, providerAccountId, signature, accountExtend } =\n args;\n const db = authDb(ctx, config);\n const existingAccount = yield* Fx.promise(() =>\n db.accounts.get(provider, providerAccountId),\n );\n const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)\n ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length)\n : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length)\n : null;\n const enterprise =\n enterpriseId !== null\n ? yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.enterpriseGet, {\n enterpriseId,\n }),\n )\n : null;\n const enterprisePolicy = enterprise\n ? normalizeEnterprisePolicy(enterprise.policy)\n : null;\n const enterpriseProtocol = provider.startsWith(\n ENTERPRISE_OIDC_PROVIDER_PREFIX,\n )\n ? \"oidc\"\n : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n ? \"saml\"\n : null;\n\n const existingScimIdentity =\n enterpriseId !== null &&\n existingAccount === null &&\n enterprisePolicy?.provisioning.scimReuse.user === \"externalId\"\n ? yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {\n enterpriseId,\n resourceType: \"user\",\n externalId: providerAccountId,\n }),\n )\n : null;\n\n const verifier = yield* Fx.from({\n ok: () => db.verifiers.getBySignature(signature),\n err: () => new AuthError(\"OAUTH_INVALID_STATE\"),\n }).pipe(\n Fx.chain((doc) =>\n doc === null\n ? Fx.fail(new AuthError(\"OAUTH_INVALID_STATE\"))\n : Fx.succeed(doc),\n ),\n );\n\n const { accountId } = yield* Fx.promise(() =>\n upsertUserAndAccount(\n ctx,\n verifier.sessionId ?? null,\n existingAccount !== null ? { existingAccount } : { providerAccountId },\n {\n type: \"oauth\",\n provider: (isEnterpriseProviderId(provider)\n ? createSyntheticOAuthMaterializedConfig(provider, {\n accountLinking:\n enterpriseProtocol === \"oidc\"\n ? enterprisePolicy?.identity.accountLinking.oidc\n : enterpriseProtocol === \"saml\"\n ? enterprisePolicy?.identity.accountLinking.saml\n : undefined,\n })\n : getProviderOrThrow(provider)) as AuthProviderMaterializedConfig,\n profile,\n accountExtend: normalizeAccountExtend(\n provider,\n providerAccountId,\n accountExtend,\n ),\n },\n config,\n existingScimIdentity?.userId\n ? { existingUserId: existingScimIdentity.userId }\n : undefined,\n ),\n );\n\n // JIT group provisioning: if this is an enterprise SSO sign-in and the\n // enterprise connection has a groupId, auto-add the user as a member of\n // that group if they aren't already a member.\n if (\n enterpriseId !== null &&\n enterprisePolicy?.provisioning.jit.mode === \"createUserAndMembership\"\n ) {\n const account = yield* Fx.promise(() => db.accounts.getById(accountId));\n const userId = account?.userId;\n if (userId) {\n const groupId = (enterprise as any)?.groupId as string | undefined;\n if (groupId) {\n const existingMembership = yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.memberGetByGroupAndUser, {\n userId,\n groupId,\n }),\n );\n if (existingMembership === null) {\n yield* Fx.promise(() =>\n ctx.runMutation(config.component.public.memberAdd, {\n groupId,\n userId,\n roleIds: enterprisePolicy.provisioning.jit.defaultRoleIds,\n status: \"active\",\n }),\n );\n }\n }\n }\n }\n\n const code = generateRandomString(8, \"0123456789\");\n yield* Fx.promise(() => db.verifiers.delete(verifier._id));\n const existingVerificationCode = yield* Fx.promise(() =>\n db.verificationCodes.getByAccountId(accountId),\n );\n if (existingVerificationCode !== null) {\n yield* Fx.promise(() =>\n db.verificationCodes.delete(existingVerificationCode._id),\n );\n }\n yield* Fx.promise(async () =>\n db.verificationCodes.create({\n code: await sha256(code),\n accountId,\n provider,\n expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,\n verifier: verifier._id,\n }),\n );\n return code;\n });\n}\n\nexport const callUserOAuth = async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof userOAuthArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"userOAuth\",\n ...args,\n },\n });\n};\n"],"mappings":";;;;;;;;;;AAoBA,MAAM,8BAA8B,MAAO,KAAK;AAEhD,MAAa,gBAAgB,EAAE,OAAO;CACpC,UAAU,EAAE,QAAQ;CACpB,mBAAmB,EAAE,QAAQ;CAC7B,SAAS,EAAE,KAAK;CAChB,WAAW,EAAE,QAAQ;CACrB,eAAe,EAAE,SAAS,EAAE,KAAK,CAAC;CACnC,CAAC;AAEF,SAAS,uBACP,UACA,mBACA,eACA;CACA,MAAM,eAAwC;EAC5C,MAAM;EACN;EACA;EACD;AACD,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;AAEH,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;CAEH,MAAM,WACJ,OAAO,kBAAkB,YACzB,kBAAkB,QAClB,CAAC,MAAM,QAAQ,cAAc,GACxB,gBACD;CACN,MAAM,mBACJ,YACA,OAAO,SAAS,aAAa,YAC7B,SAAS,aAAa,QACtB,CAAC,MAAM,QAAQ,SAAS,SAAS,GAC5B,SAAS,WACV;AACN,QAAO;EACL,GAAG;EACH,UAAU;GACR,GAAG;GACH,GAAG;GACJ;EACF;;AAKH,SAAgB,cACd,KACA,MACA,oBACA,QAC2B;AAC3B,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,SAAS,uBAAuB,KAAK;EAClD,MAAM,EAAE,SAAS,UAAU,mBAAmB,WAAW,kBACvD;EACF,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,kBAAkB,CAC7C;EACD,MAAM,eAAe,SAAS,WAAW,gCAAgC,GACrE,SAAS,MAAM,gCAAgC,OAAO,GACtD,SAAS,WAAW,gCAAgC,GAClD,SAAS,MAAM,gCAAgC,OAAO,GACtD;EACN,MAAM,aACJ,iBAAiB,OACb,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,eAAe,EAClD,cACD,CAAC,CACH,GACD;EACN,MAAM,mBAAmB,aACrB,0BAA0B,WAAW,OAAO,GAC5C;EACJ,MAAM,qBAAqB,SAAS,WAClC,gCACD,GACG,SACA,SAAS,WAAW,gCAAgC,GAClD,SACA;EAEN,MAAM,uBACJ,iBAAiB,QACjB,oBAAoB,QACpB,kBAAkB,aAAa,UAAU,SAAS,eAC9C,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,2BAA2B;GAC9D;GACA,cAAc;GACd,YAAY;GACb,CAAC,CACH,GACD;EAEN,MAAM,WAAW,OAAO,GAAG,KAAK;GAC9B,UAAU,GAAG,UAAU,eAAe,UAAU;GAChD,WAAW,IAAI,UAAU,sBAAsB;GAChD,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC,GAC7C,GAAG,QAAQ,IAAI,CACpB,CACF;EAED,MAAM,EAAE,cAAc,OAAO,GAAG,cAC9B,qBACE,KACA,SAAS,aAAa,MACtB,oBAAoB,OAAO,EAAE,iBAAiB,GAAG,EAAE,mBAAmB,EACtE;GACE,MAAM;GACN,UAAW,uBAAuB,SAAS,GACvC,uCAAuC,UAAU,EAC/C,gBACE,uBAAuB,SACnB,kBAAkB,SAAS,eAAe,OAC1C,uBAAuB,SACrB,kBAAkB,SAAS,eAAe,OAC1C,QACT,CAAC,GACF,mBAAmB,SAAS;GAChC;GACA,eAAe,uBACb,UACA,mBACA,cACD;GACF,EACD,QACA,sBAAsB,SAClB,EAAE,gBAAgB,qBAAqB,QAAQ,GAC/C,OACL,CACF;AAKD,MACE,iBAAiB,QACjB,kBAAkB,aAAa,IAAI,SAAS,2BAC5C;GAEA,MAAM,UADU,OAAO,GAAG,cAAc,GAAG,SAAS,QAAQ,UAAU,CAAC,GAC/C;AACxB,OAAI,QAAQ;IACV,MAAM,UAAW,YAAoB;AACrC,QAAI,SAOF;UAN2B,OAAO,GAAG,cACnC,IAAI,SAAS,OAAO,UAAU,OAAO,yBAAyB;MAC5D;MACA;MACD,CAAC,CACH,MAC0B,KACzB,QAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;MACjD;MACA;MACA,SAAS,iBAAiB,aAAa,IAAI;MAC3C,QAAQ;MACT,CAAC,CACH;;;;EAMT,MAAM,OAAO,qBAAqB,GAAG,aAAa;AAClD,SAAO,GAAG,cAAc,GAAG,UAAU,OAAO,SAAS,IAAI,CAAC;EAC1D,MAAM,2BAA2B,OAAO,GAAG,cACzC,GAAG,kBAAkB,eAAe,UAAU,CAC/C;AACD,MAAI,6BAA6B,KAC/B,QAAO,GAAG,cACR,GAAG,kBAAkB,OAAO,yBAAyB,IAAI,CAC1D;AAEH,SAAO,GAAG,QAAQ,YAChB,GAAG,kBAAkB,OAAO;GAC1B,MAAM,MAAM,OAAO,KAAK;GACxB;GACA;GACA,gBAAgB,KAAK,KAAK,GAAG;GAC7B,UAAU,SAAS;GACpB,CAAC,CACH;AACD,SAAO;GACP;;AAGJ,MAAa,gBAAgB,OAC3B,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
package/dist/component/server/mutations/refresh.js CHANGED
@@ -3,8 +3,8 @@ import { authDb } from "../db.js";
3
3
  import { AUTH_STORE_REF } from "./store.js";
4
4
  import { REFRESH_TOKEN_REUSE_WINDOW_MS, invalidateRefreshTokensInSubtree, parseRefreshToken, refreshTokenIfValid } from "../refresh.js";
5
5
  import { generateTokensForSession } from "../sessions.js";
6
- import { Fx } from "@robelest/fx";
7
6
  import { v } from "convex/values";
7
+ import { Fx } from "@robelest/fx";
8
8
 
9
9
  //#region src/server/mutations/refresh.ts
10
10
  const refreshSessionArgs = v.object({ refreshToken: v.string() });
package/dist/component/server/mutations/register.js CHANGED
@@ -5,8 +5,8 @@ import { hash, verify } from "../provider.js";
5
5
  import { AUTH_STORE_REF } from "./store.js";
6
6
  import { getAuthSessionId } from "../sessions.js";
7
7
  import { upsertUserAndAccount } from "../users.js";
8
- import { Fx } from "@robelest/fx";
9
8
  import { v } from "convex/values";
9
+ import { Fx } from "@robelest/fx";
10
10
 
11
11
  //#region src/server/mutations/register.ts
12
12
  const createAccountFromCredentialsArgs = v.object({
package/dist/component/server/mutations/retrieve.js CHANGED
@@ -4,8 +4,8 @@ import { authDb } from "../db.js";
4
4
  import { verify } from "../provider.js";
5
5
  import { AUTH_STORE_REF } from "./store.js";
6
6
  import { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit } from "../ratelimit.js";
7
- import { Fx } from "@robelest/fx";
8
7
  import { v } from "convex/values";
8
+ import { Fx } from "@robelest/fx";
9
9
 
10
10
  //#region src/server/mutations/retrieve.ts
11
11
  const retrieveAccountWithCredentialsArgs = v.object({
package/dist/component/server/mutations/signature.js CHANGED
@@ -1,8 +1,8 @@
1
1
  import { AuthError } from "../fx.js";
2
2
  import { authDb } from "../db.js";
3
3
  import { AUTH_STORE_REF } from "./store.js";
4
- import { Fx } from "@robelest/fx";
5
4
  import { v } from "convex/values";
5
+ import { Fx } from "@robelest/fx";
6
6
 
7
7
  //#region src/server/mutations/signature.ts
8
8
  const verifierSignatureArgs = v.object({
package/dist/component/server/mutations/store.js CHANGED
@@ -1,11 +1,14 @@
1
+ import { makeFunctionReference } from "convex/server";
2
+
1
3
  //#region src/server/mutations/store.ts
2
4
  /**
3
5
  * Internal function reference for the library's store dispatch mutation.
4
6
  *
5
- * This remains string-based because the library code cannot import the
6
- * consumer app's generated `internal` API module.
7
+ * The package cannot import the consumer app's generated `api` module,
8
+ * so it uses a canonical function reference name that matches the app-level
9
+ * `export const { store } = auth` surface.
7
10
  */
8
- const AUTH_STORE_REF = "auth/store:run";
11
+ const AUTH_STORE_REF = makeFunctionReference("auth:store");
9
12
 
10
13
  //#endregion
11
14
  export { AUTH_STORE_REF };
package/dist/component/server/mutations/store.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"store.js","names":[],"sources":["../../../../src/server/mutations/store.ts"],"sourcesContent":["/**\n * Internal function reference for the library's store dispatch mutation.\n *\n * This remains string-based because the library code cannot import the\n * consumer app's generated `internal` API module.\n */\nexport const AUTH_STORE_REF = \"auth/store:run\" as any;\n"],"mappings":";;;;;;;AAMA,MAAa,iBAAiB"}
1
+ {"version":3,"file":"store.js","names":[],"sources":["../../../../src/server/mutations/store.ts"],"sourcesContent":["import { makeFunctionReference } from \"convex/server\";\n\n/**\n * Internal function reference for the library's store dispatch mutation.\n *\n * The package cannot import the consumer app's generated `api` module,\n * so it uses a canonical function reference name that matches the app-level\n * `export const { store } = auth` surface.\n */\nexport const AUTH_STORE_REF = makeFunctionReference(\"auth:store\") as any;\n"],"mappings":";;;;;;;;;;AASA,MAAa,iBAAiB,sBAAsB,aAAa"}
package/dist/component/server/mutations/verify.js CHANGED
@@ -5,8 +5,8 @@ import { createNewAndDeleteExistingSession, getAuthSessionId, maybeGenerateToken
5
5
  import { upsertUserAndAccount } from "../users.js";
6
6
  import { createSyntheticOAuthMaterializedConfig, isEnterpriseProviderId } from "../sso.js";
7
7
  import { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit } from "../ratelimit.js";
8
- import { Fx } from "@robelest/fx";
9
8
  import { v } from "convex/values";
9
+ import { Fx } from "@robelest/fx";
10
10
 
11
11
  //#region src/server/mutations/verify.ts
12
12
  const verifyCodeAndSignInArgs = v.object({
package/dist/component/server/oauth.js CHANGED
@@ -45,6 +45,7 @@ function clearCookie(type, providerId) {
45
45
  * Creates a signature string from the OAuth state parameters.
46
46
  * This is stored in the verifier table and validated during callback.
47
47
  */
48
+ /** @internal */
48
49
  function getAuthorizationSignature({ codeVerifier, state }) {
49
50
  return [codeVerifier, state].filter((param) => param !== void 0).join(" ");
50
51
  }
@@ -107,6 +108,7 @@ function validateProfileId(providerId, profile) {
107
108
  *
108
109
  * Handles PKCE detection, state generation, and cookie creation.
109
110
  */
111
+ /** @internal */
110
112
  async function createOAuthAuthorizationURL(providerId, arcticProvider, oauthConfig) {
111
113
  const state = arctic.generateState();
112
114
  const cookies = [];
@@ -145,6 +147,7 @@ async function createOAuthAuthorizationURL(providerId, arcticProvider, oauthConf
145
147
  *
146
148
  * Returns `Fx<CallbackResult, AuthError>` composed via `Fx.gen`.
147
149
  */
150
+ /** @internal */
148
151
  function handleOAuthCallback(providerId, arcticProvider, oauthConfig, params, cookies) {
149
152
  return Fx.gen(function* () {
150
153
  const resCookies = [];
package/dist/component/server/oauth.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth.js","names":[],"sources":["../../../src/server/oauth.ts"],"sourcesContent":["/**\n * Arctic-based OAuth flow implementation.\n *\n * Uses Arctic for OAuth provider integration.\n *\n * All functions return `Fx<A, AuthError>` composed via `Fx.gen` pipelines.\n *\n * @internal\n * @module\n */\n\nimport { Fx } from \"@robelest/fx\";\nimport * as arctic from \"arctic\";\n\nimport { SHARED_COOKIE_OPTIONS } from \"./cookies\";\nimport { AuthError } from \"./fx\";\nimport type { OAuthProfile } from \"./types\";\nimport { logWithLevel } from \"./utils\";\nimport { isLocalHost } from \"./utils\";\n\ntype OAuthProviderConfigLike = {\n scopes?: string[];\n profile?: (tokens: arctic.OAuth2Tokens) => Promise<OAuthProfile>;\n nonce?: boolean;\n validateTokens?: (\n tokens: arctic.OAuth2Tokens,\n ctx: { nonce?: string },\n ) => Promise<void>;\n};\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/** A cookie to be set on the HTTP response. */\nexport interface OAuthCookie {\n name: string;\n value: string;\n options: Record<string, unknown>;\n}\n\n/** Result of creating an authorization URL. */\nexport interface AuthorizationResult {\n redirect: string;\n cookies: OAuthCookie[];\n signature: string;\n}\n\n/** Result of handling an OAuth callback. */\nexport interface CallbackResult {\n profile: OAuthProfile;\n providerAccountId: string;\n cookies: OAuthCookie[];\n signature: string;\n}\n\n// ============================================================================\n// Cookie helpers\n// ============================================================================\n\nconst COOKIE_TTL = 60 * 15; // 15 minutes\n\nfunction oauthCookieName(type: \"state\" | \"pkce\" | \"nonce\", providerId: string) {\n const prefix = !isLocalHost(process.env.CONVEX_SITE_URL) ? \"__Host-\" : \"\";\n return prefix + providerId + \"OAuth\" + type;\n}\n\nfunction createCookie(\n type: \"state\" | \"pkce\" | \"nonce\",\n providerId: string,\n value: string,\n): OAuthCookie {\n const expires = new Date();\n expires.setTime(expires.getTime() + COOKIE_TTL * 1000);\n return {\n name: oauthCookieName(type, providerId),\n value,\n options: { ...SHARED_COOKIE_OPTIONS, expires },\n };\n}\n\nfunction clearCookie(\n type: \"state\" | \"pkce\" | \"nonce\",\n providerId: string,\n): OAuthCookie {\n return {\n name: oauthCookieName(type, providerId),\n value: \"\",\n options: { ...SHARED_COOKIE_OPTIONS, maxAge: 0 },\n };\n}\n\n// ============================================================================\n// Signature (ConvexAuth-specific verifier mechanism)\n// ============================================================================\n\n/**\n * Creates a signature string from the OAuth state parameters.\n * This is stored in the verifier table and validated during callback.\n */\nexport function getAuthorizationSignature({\n codeVerifier,\n state,\n}: {\n codeVerifier?: string;\n state?: string;\n}) {\n return [codeVerifier, state].filter((param) => param !== undefined).join(\" \");\n}\n\n// ============================================================================\n// PKCE Detection\n// ============================================================================\n\n/**\n * Detect whether an Arctic provider uses PKCE by checking the arity\n * of `createAuthorizationURL`. PKCE providers take 3 args\n * (state, codeVerifier, scopes), non-PKCE take 2 (state, scopes).\n */\nfunction isPKCEProvider(provider: any): boolean {\n return (\n typeof provider.createAuthorizationURL === \"function\" &&\n provider.createAuthorizationURL.length >= 3\n );\n}\n\n// ============================================================================\n// Token exchange — wraps Arctic's validateAuthorizationCode\n// ============================================================================\n\n/**\n * Exchange the authorization code for tokens via Arctic.\n * Maps Arctic-specific errors to typed `AuthError` failures.\n */\nfunction exchangeCode(\n arcticProvider: any,\n code: string,\n codeVerifier: string | undefined,\n): Fx<arctic.OAuth2Tokens, AuthError> {\n return Fx.from({\n ok: () =>\n isPKCEProvider(arcticProvider)\n ? arcticProvider.validateAuthorizationCode(code, codeVerifier)\n : arcticProvider.validateAuthorizationCode(code),\n err: (e) => {\n if (e instanceof arctic.OAuth2RequestError) {\n return new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n `Token exchange failed: ${e.code}`,\n );\n }\n if (e instanceof arctic.ArcticFetchError) {\n return new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n `Network error during token exchange: ${e.message}`,\n );\n }\n // Unknown error — treat as unrecoverable defect; we surface it as\n // an AuthError here so the pipeline type stays Fx<_, AuthError>.\n // The original `throw e` re-throw is replicated via Fx.fatal below.\n return new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n `Unexpected error during token exchange: ${e instanceof Error ? e.message : String(e)}`,\n );\n },\n }).pipe(\n Fx.chain((tokens) => {\n // If the original error was neither OAuth2RequestError nor\n // ArcticFetchError the old code re-threw it raw. We replicate that\n // by checking whether we created an \"Unexpected\" marker message\n // — but since `Fx.from` already mapped it, we just pass through.\n return Fx.succeed(tokens);\n }),\n );\n}\n\n/**\n * Extract the user profile from tokens using the config callback,\n * OIDC auto-decode, or fail if neither is available.\n */\nfunction extractProfile(\n providerId: string,\n oauthConfig: OAuthProviderConfigLike,\n tokens: arctic.OAuth2Tokens,\n): Fx<OAuthProfile, AuthError> {\n const hasIdToken =\n \"id_token\" in tokens.data &&\n typeof (tokens.data as any).id_token === \"string\";\n const profileSource = oauthConfig.profile\n ? { source: \"callback\" as const }\n : hasIdToken\n ? { source: \"idToken\" as const }\n : { source: \"missing\" as const };\n\n return Fx.match(profileSource, profileSource.source, {\n callback: (_profileSource) =>\n Fx.from({\n ok: () => oauthConfig.profile!(tokens),\n err: (e) =>\n new AuthError(\n \"OAUTH_INVALID_PROFILE\",\n `Profile callback threw: ${e instanceof Error ? e.message : String(e)}`,\n ),\n }),\n idToken: (_profileSource) => {\n const claims = arctic.decodeIdToken(tokens.idToken()) as Record<\n string,\n unknown\n >;\n return Fx.succeed({\n id: (claims.sub as string) ?? crypto.randomUUID(),\n name: (claims.name as string) ?? undefined,\n email: (claims.email as string) ?? undefined,\n image: (claims.picture as string) ?? undefined,\n });\n },\n missing: (_profileSource) =>\n Fx.fail(\n new AuthError(\n \"OAUTH_INVALID_PROFILE\",\n `Provider \"${providerId}\" does not return an ID token. ` +\n `Add a \\`profile\\` callback in the OAuth() config to extract user info from the access token.`,\n ),\n ),\n });\n}\n\n/**\n * Validate that the profile has a non-empty string `id`.\n */\nfunction validateProfileId(\n providerId: string,\n profile: OAuthProfile,\n): Fx<OAuthProfile, AuthError> {\n return typeof profile.id === \"string\" && profile.id\n ? Fx.succeed(profile)\n : Fx.fail(\n new AuthError(\n \"OAUTH_INVALID_PROFILE\",\n `The profile callback for \"${providerId}\" must return an object with a string \\`id\\` field.`,\n ),\n );\n}\n\n// ============================================================================\n// Authorization URL creation\n// ============================================================================\n\n/**\n * Create an OAuth authorization URL using an Arctic provider.\n *\n * Handles PKCE detection, state generation, and cookie creation.\n */\nexport async function createOAuthAuthorizationURL(\n providerId: string,\n arcticProvider: any,\n oauthConfig: OAuthProviderConfigLike,\n): Promise<AuthorizationResult> {\n const state = arctic.generateState();\n const cookies: OAuthCookie[] = [];\n let codeVerifier: string | undefined;\n\n const scopes = oauthConfig.scopes ?? [];\n\n let url: URL;\n\n if (isPKCEProvider(arcticProvider)) {\n codeVerifier = arctic.generateCodeVerifier();\n url = arcticProvider.createAuthorizationURL(state, codeVerifier, scopes);\n cookies.push(createCookie(\"pkce\", providerId, codeVerifier));\n } else {\n url = arcticProvider.createAuthorizationURL(state, scopes);\n }\n\n cookies.push(createCookie(\"state\", providerId, state));\n\n if (oauthConfig.nonce === true) {\n const nonce = arctic.generateState();\n url.searchParams.set(\"nonce\", nonce);\n cookies.push(createCookie(\"nonce\", providerId, nonce));\n }\n\n logWithLevel(\"DEBUG\", \"OAuth authorization URL created\", {\n url: url.toString(),\n providerId,\n hasPKCE: !!codeVerifier,\n });\n\n const signature = getAuthorizationSignature({ codeVerifier, state });\n\n return {\n redirect: url.toString(),\n cookies,\n signature,\n };\n}\n\n// ============================================================================\n// OAuth callback handling\n// ============================================================================\n\n/**\n * Handle the OAuth callback: validate state, exchange code for tokens,\n * extract profile.\n *\n * Returns `Fx<CallbackResult, AuthError>` composed via `Fx.gen`.\n */\nexport function handleOAuthCallback(\n providerId: string,\n arcticProvider: any,\n oauthConfig: OAuthProviderConfigLike,\n params: Record<string, string>,\n cookies: Record<string, string | undefined>,\n): Fx<CallbackResult, AuthError> {\n return Fx.gen(function* () {\n const resCookies: OAuthCookie[] = [];\n\n // 1. Validate state\n const stateCookieName = oauthCookieName(\"state\", providerId);\n const storedState = cookies[stateCookieName];\n const returnedState = params.state;\n\n yield* Fx.guard(\n !storedState || !returnedState || storedState !== returnedState,\n Fx.fail(new AuthError(\"OAUTH_INVALID_STATE\")),\n );\n resCookies.push(clearCookie(\"state\", providerId));\n\n // Check for error from provider\n if (params.error) {\n const cause = {\n providerId,\n error: params.error,\n error_description: params.error_description,\n };\n logWithLevel(\"DEBUG\", \"OAuthCallbackError\", cause);\n yield* Fx.fail(\n new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n \"OAuth provider returned an error\",\n {\n cause: JSON.stringify(cause),\n },\n ),\n );\n }\n\n // 2. Get code\n const code = yield* params.code != null\n ? Fx.succeed(params.code)\n : Fx.fail(\n new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n \"Missing authorization code in callback\",\n ),\n );\n\n // 3. Read PKCE verifier from cookie if applicable\n let codeVerifier: string | undefined;\n if (isPKCEProvider(arcticProvider)) {\n const pkceCookieName = oauthCookieName(\"pkce\", providerId);\n codeVerifier = yield* cookies[pkceCookieName] != null\n ? Fx.succeed(cookies[pkceCookieName]!)\n : Fx.fail(\n new AuthError(\n \"OAUTH_MISSING_VERIFIER\",\n \"Missing PKCE verifier cookie for OAuth callback\",\n ),\n );\n resCookies.push(clearCookie(\"pkce\", providerId));\n }\n\n let nonce: string | undefined;\n if (oauthConfig.nonce === true) {\n const nonceCookieName = oauthCookieName(\"nonce\", providerId);\n nonce = yield* cookies[nonceCookieName] != null\n ? Fx.succeed(cookies[nonceCookieName]!)\n : Fx.fail(\n new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n \"Missing nonce cookie for OAuth callback\",\n ),\n );\n resCookies.push(clearCookie(\"nonce\", providerId));\n }\n\n // 4. Exchange code for tokens\n const tokens = yield* exchangeCode(arcticProvider, code, codeVerifier);\n\n if (oauthConfig.validateTokens !== undefined) {\n yield* Fx.from({\n ok: () => oauthConfig.validateTokens!(tokens, { nonce }),\n err: (e) =>\n new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n `Token validation failed: ${e instanceof Error ? e.message : String(e)}`,\n ),\n });\n }\n\n // 5. Extract profile\n const rawProfile = yield* extractProfile(providerId, oauthConfig, tokens);\n const profile = yield* validateProfileId(providerId, rawProfile);\n\n logWithLevel(\"DEBUG\", \"OAuth callback profile extracted\", {\n providerId,\n profileId: profile.id,\n });\n\n // 6. Compute signature for verifier validation\n const state = storedState!;\n const signature = getAuthorizationSignature({ codeVerifier, state });\n\n return {\n profile,\n providerAccountId: profile.id,\n cookies: resCookies,\n signature,\n };\n });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA4DA,MAAM,aAAa;AAEnB,SAAS,gBAAgB,MAAkC,YAAoB;AAE7E,SADe,CAAC,YAAY,QAAQ,IAAI,gBAAgB,GAAG,YAAY,MACvD,aAAa,UAAU;;AAGzC,SAAS,aACP,MACA,YACA,OACa;CACb,MAAM,0BAAU,IAAI,MAAM;AAC1B,SAAQ,QAAQ,QAAQ,SAAS,GAAG,aAAa,IAAK;AACtD,QAAO;EACL,MAAM,gBAAgB,MAAM,WAAW;EACvC;EACA,SAAS;GAAE,GAAG;GAAuB;GAAS;EAC/C;;AAGH,SAAS,YACP,MACA,YACa;AACb,QAAO;EACL,MAAM,gBAAgB,MAAM,WAAW;EACvC,OAAO;EACP,SAAS;GAAE,GAAG;GAAuB,QAAQ;GAAG;EACjD;;;;;;AAWH,SAAgB,0BAA0B,EACxC,cACA,SAIC;AACD,QAAO,CAAC,cAAc,MAAM,CAAC,QAAQ,UAAU,UAAU,OAAU,CAAC,KAAK,IAAI;;;;;;;AAY/E,SAAS,eAAe,UAAwB;AAC9C,QACE,OAAO,SAAS,2BAA2B,cAC3C,SAAS,uBAAuB,UAAU;;;;;;AAY9C,SAAS,aACP,gBACA,MACA,cACoC;AACpC,QAAO,GAAG,KAAK;EACb,UACE,eAAe,eAAe,GAC1B,eAAe,0BAA0B,MAAM,aAAa,GAC5D,eAAe,0BAA0B,KAAK;EACpD,MAAM,MAAM;AACV,OAAI,aAAa,OAAO,mBACtB,QAAO,IAAI,UACT,wBACA,0BAA0B,EAAE,OAC7B;AAEH,OAAI,aAAa,OAAO,iBACtB,QAAO,IAAI,UACT,wBACA,wCAAwC,EAAE,UAC3C;AAKH,UAAO,IAAI,UACT,wBACA,2CAA2C,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACtF;;EAEJ,CAAC,CAAC,KACD,GAAG,OAAO,WAAW;AAKnB,SAAO,GAAG,QAAQ,OAAO;GACzB,CACH;;;;;;AAOH,SAAS,eACP,YACA,aACA,QAC6B;CAC7B,MAAM,aACJ,cAAc,OAAO,QACrB,OAAQ,OAAO,KAAa,aAAa;CAC3C,MAAM,gBAAgB,YAAY,UAC9B,EAAE,QAAQ,YAAqB,GAC/B,aACE,EAAE,QAAQ,WAAoB,GAC9B,EAAE,QAAQ,WAAoB;AAEpC,QAAO,GAAG,MAAM,eAAe,cAAc,QAAQ;EACnD,WAAW,mBACT,GAAG,KAAK;GACN,UAAU,YAAY,QAAS,OAAO;GACtC,MAAM,MACJ,IAAI,UACF,yBACA,2BAA2B,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACtE;GACJ,CAAC;EACJ,UAAU,mBAAmB;GAC3B,MAAM,SAAS,OAAO,cAAc,OAAO,SAAS,CAAC;AAIrD,UAAO,GAAG,QAAQ;IAChB,IAAK,OAAO,OAAkB,OAAO,YAAY;IACjD,MAAO,OAAO,QAAmB;IACjC,OAAQ,OAAO,SAAoB;IACnC,OAAQ,OAAO,WAAsB;IACtC,CAAC;;EAEJ,UAAU,mBACR,GAAG,KACD,IAAI,UACF,yBACA,aAAa,WAAW,6HAEzB,CACF;EACJ,CAAC;;;;;AAMJ,SAAS,kBACP,YACA,SAC6B;AAC7B,QAAO,OAAO,QAAQ,OAAO,YAAY,QAAQ,KAC7C,GAAG,QAAQ,QAAQ,GACnB,GAAG,KACD,IAAI,UACF,yBACA,6BAA6B,WAAW,qDACzC,CACF;;;;;;;AAYP,eAAsB,4BACpB,YACA,gBACA,aAC8B;CAC9B,MAAM,QAAQ,OAAO,eAAe;CACpC,MAAM,UAAyB,EAAE;CACjC,IAAI;CAEJ,MAAM,SAAS,YAAY,UAAU,EAAE;CAEvC,IAAI;AAEJ,KAAI,eAAe,eAAe,EAAE;AAClC,iBAAe,OAAO,sBAAsB;AAC5C,QAAM,eAAe,uBAAuB,OAAO,cAAc,OAAO;AACxE,UAAQ,KAAK,aAAa,QAAQ,YAAY,aAAa,CAAC;OAE5D,OAAM,eAAe,uBAAuB,OAAO,OAAO;AAG5D,SAAQ,KAAK,aAAa,SAAS,YAAY,MAAM,CAAC;AAEtD,KAAI,YAAY,UAAU,MAAM;EAC9B,MAAM,QAAQ,OAAO,eAAe;AACpC,MAAI,aAAa,IAAI,SAAS,MAAM;AACpC,UAAQ,KAAK,aAAa,SAAS,YAAY,MAAM,CAAC;;AAGxD,cAAa,SAAS,mCAAmC;EACvD,KAAK,IAAI,UAAU;EACnB;EACA,SAAS,CAAC,CAAC;EACZ,CAAC;CAEF,MAAM,YAAY,0BAA0B;EAAE;EAAc;EAAO,CAAC;AAEpE,QAAO;EACL,UAAU,IAAI,UAAU;EACxB;EACA;EACD;;;;;;;;AAaH,SAAgB,oBACd,YACA,gBACA,aACA,QACA,SAC+B;AAC/B,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,aAA4B,EAAE;EAIpC,MAAM,cAAc,QADI,gBAAgB,SAAS,WAAW;EAE5D,MAAM,gBAAgB,OAAO;AAE7B,SAAO,GAAG,MACR,CAAC,eAAe,CAAC,iBAAiB,gBAAgB,eAClD,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC,CAC9C;AACD,aAAW,KAAK,YAAY,SAAS,WAAW,CAAC;AAGjD,MAAI,OAAO,OAAO;GAChB,MAAM,QAAQ;IACZ;IACA,OAAO,OAAO;IACd,mBAAmB,OAAO;IAC3B;AACD,gBAAa,SAAS,sBAAsB,MAAM;AAClD,UAAO,GAAG,KACR,IAAI,UACF,wBACA,oCACA,EACE,OAAO,KAAK,UAAU,MAAM,EAC7B,CACF,CACF;;EAIH,MAAM,OAAO,OAAO,OAAO,QAAQ,OAC/B,GAAG,QAAQ,OAAO,KAAK,GACvB,GAAG,KACD,IAAI,UACF,wBACA,yCACD,CACF;EAGL,IAAI;AACJ,MAAI,eAAe,eAAe,EAAE;GAClC,MAAM,iBAAiB,gBAAgB,QAAQ,WAAW;AAC1D,kBAAe,OAAO,QAAQ,mBAAmB,OAC7C,GAAG,QAAQ,QAAQ,gBAAiB,GACpC,GAAG,KACD,IAAI,UACF,0BACA,kDACD,CACF;AACL,cAAW,KAAK,YAAY,QAAQ,WAAW,CAAC;;EAGlD,IAAI;AACJ,MAAI,YAAY,UAAU,MAAM;GAC9B,MAAM,kBAAkB,gBAAgB,SAAS,WAAW;AAC5D,WAAQ,OAAO,QAAQ,oBAAoB,OACvC,GAAG,QAAQ,QAAQ,iBAAkB,GACrC,GAAG,KACD,IAAI,UACF,wBACA,0CACD,CACF;AACL,cAAW,KAAK,YAAY,SAAS,WAAW,CAAC;;EAInD,MAAM,SAAS,OAAO,aAAa,gBAAgB,MAAM,aAAa;AAEtE,MAAI,YAAY,mBAAmB,OACjC,QAAO,GAAG,KAAK;GACb,UAAU,YAAY,eAAgB,QAAQ,EAAE,OAAO,CAAC;GACxD,MAAM,MACJ,IAAI,UACF,wBACA,4BAA4B,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACvE;GACJ,CAAC;EAKJ,MAAM,UAAU,OAAO,kBAAkB,YADtB,OAAO,eAAe,YAAY,aAAa,OAAO,CACT;AAEhE,eAAa,SAAS,oCAAoC;GACxD;GACA,WAAW,QAAQ;GACpB,CAAC;EAIF,MAAM,YAAY,0BAA0B;GAAE;GAAc,OAD9C;GACqD,CAAC;AAEpE,SAAO;GACL;GACA,mBAAmB,QAAQ;GAC3B,SAAS;GACT;GACD;GACD"}
1
+ {"version":3,"file":"oauth.js","names":[],"sources":["../../../src/server/oauth.ts"],"sourcesContent":["/**\n * Arctic-based OAuth flow implementation.\n *\n * Uses Arctic for OAuth provider integration.\n *\n * All functions return `Fx<A, AuthError>` composed via `Fx.gen` pipelines.\n *\n * @internal\n * @module\n */\n\nimport { Fx } from \"@robelest/fx\";\nimport * as arctic from \"arctic\";\n\nimport { SHARED_COOKIE_OPTIONS } from \"./cookies\";\nimport { AuthError } from \"./fx\";\nimport type { OAuthProfile } from \"./types\";\nimport { logWithLevel } from \"./utils\";\nimport { isLocalHost } from \"./utils\";\n\ntype OAuthProviderConfigLike = {\n scopes?: string[];\n profile?: (tokens: arctic.OAuth2Tokens) => Promise<OAuthProfile>;\n nonce?: boolean;\n validateTokens?: (\n tokens: arctic.OAuth2Tokens,\n ctx: { nonce?: string },\n ) => Promise<void>;\n};\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/** A cookie to be set on the HTTP response. */\n/** @internal */\nexport interface OAuthCookie {\n name: string;\n value: string;\n options: Record<string, unknown>;\n}\n\n/** Result of creating an authorization URL. */\n/** @internal */\nexport interface AuthorizationResult {\n redirect: string;\n cookies: OAuthCookie[];\n signature: string;\n}\n\n/** Result of handling an OAuth callback. */\n/** @internal */\nexport interface CallbackResult {\n profile: OAuthProfile;\n providerAccountId: string;\n cookies: OAuthCookie[];\n signature: string;\n}\n\n// ============================================================================\n// Cookie helpers\n// ============================================================================\n\nconst COOKIE_TTL = 60 * 15; // 15 minutes\n\nfunction oauthCookieName(type: \"state\" | \"pkce\" | \"nonce\", providerId: string) {\n const prefix = !isLocalHost(process.env.CONVEX_SITE_URL) ? \"__Host-\" : \"\";\n return prefix + providerId + \"OAuth\" + type;\n}\n\nfunction createCookie(\n type: \"state\" | \"pkce\" | \"nonce\",\n providerId: string,\n value: string,\n): OAuthCookie {\n const expires = new Date();\n expires.setTime(expires.getTime() + COOKIE_TTL * 1000);\n return {\n name: oauthCookieName(type, providerId),\n value,\n options: { ...SHARED_COOKIE_OPTIONS, expires },\n };\n}\n\nfunction clearCookie(\n type: \"state\" | \"pkce\" | \"nonce\",\n providerId: string,\n): OAuthCookie {\n return {\n name: oauthCookieName(type, providerId),\n value: \"\",\n options: { ...SHARED_COOKIE_OPTIONS, maxAge: 0 },\n };\n}\n\n// ============================================================================\n// Signature (ConvexAuth-specific verifier mechanism)\n// ============================================================================\n\n/**\n * Creates a signature string from the OAuth state parameters.\n * This is stored in the verifier table and validated during callback.\n */\n/** @internal */\nexport function getAuthorizationSignature({\n codeVerifier,\n state,\n}: {\n codeVerifier?: string;\n state?: string;\n}) {\n return [codeVerifier, state].filter((param) => param !== undefined).join(\" \");\n}\n\n// ============================================================================\n// PKCE Detection\n// ============================================================================\n\n/**\n * Detect whether an Arctic provider uses PKCE by checking the arity\n * of `createAuthorizationURL`. PKCE providers take 3 args\n * (state, codeVerifier, scopes), non-PKCE take 2 (state, scopes).\n */\nfunction isPKCEProvider(provider: any): boolean {\n return (\n typeof provider.createAuthorizationURL === \"function\" &&\n provider.createAuthorizationURL.length >= 3\n );\n}\n\n// ============================================================================\n// Token exchange — wraps Arctic's validateAuthorizationCode\n// ============================================================================\n\n/**\n * Exchange the authorization code for tokens via Arctic.\n * Maps Arctic-specific errors to typed `AuthError` failures.\n */\nfunction exchangeCode(\n arcticProvider: any,\n code: string,\n codeVerifier: string | undefined,\n): Fx<arctic.OAuth2Tokens, AuthError> {\n return Fx.from({\n ok: () =>\n isPKCEProvider(arcticProvider)\n ? arcticProvider.validateAuthorizationCode(code, codeVerifier)\n : arcticProvider.validateAuthorizationCode(code),\n err: (e) => {\n if (e instanceof arctic.OAuth2RequestError) {\n return new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n `Token exchange failed: ${e.code}`,\n );\n }\n if (e instanceof arctic.ArcticFetchError) {\n return new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n `Network error during token exchange: ${e.message}`,\n );\n }\n // Unknown error — treat as unrecoverable defect; we surface it as\n // an AuthError here so the pipeline type stays Fx<_, AuthError>.\n // The original `throw e` re-throw is replicated via Fx.fatal below.\n return new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n `Unexpected error during token exchange: ${e instanceof Error ? e.message : String(e)}`,\n );\n },\n }).pipe(\n Fx.chain((tokens) => {\n // If the original error was neither OAuth2RequestError nor\n // ArcticFetchError the old code re-threw it raw. We replicate that\n // by checking whether we created an \"Unexpected\" marker message\n // — but since `Fx.from` already mapped it, we just pass through.\n return Fx.succeed(tokens);\n }),\n );\n}\n\n/**\n * Extract the user profile from tokens using the config callback,\n * OIDC auto-decode, or fail if neither is available.\n */\nfunction extractProfile(\n providerId: string,\n oauthConfig: OAuthProviderConfigLike,\n tokens: arctic.OAuth2Tokens,\n): Fx<OAuthProfile, AuthError> {\n const hasIdToken =\n \"id_token\" in tokens.data &&\n typeof (tokens.data as any).id_token === \"string\";\n const profileSource = oauthConfig.profile\n ? { source: \"callback\" as const }\n : hasIdToken\n ? { source: \"idToken\" as const }\n : { source: \"missing\" as const };\n\n return Fx.match(profileSource, profileSource.source, {\n callback: (_profileSource) =>\n Fx.from({\n ok: () => oauthConfig.profile!(tokens),\n err: (e) =>\n new AuthError(\n \"OAUTH_INVALID_PROFILE\",\n `Profile callback threw: ${e instanceof Error ? e.message : String(e)}`,\n ),\n }),\n idToken: (_profileSource) => {\n const claims = arctic.decodeIdToken(tokens.idToken()) as Record<\n string,\n unknown\n >;\n return Fx.succeed({\n id: (claims.sub as string) ?? crypto.randomUUID(),\n name: (claims.name as string) ?? undefined,\n email: (claims.email as string) ?? undefined,\n image: (claims.picture as string) ?? undefined,\n });\n },\n missing: (_profileSource) =>\n Fx.fail(\n new AuthError(\n \"OAUTH_INVALID_PROFILE\",\n `Provider \"${providerId}\" does not return an ID token. ` +\n `Add a \\`profile\\` callback in the OAuth() config to extract user info from the access token.`,\n ),\n ),\n });\n}\n\n/**\n * Validate that the profile has a non-empty string `id`.\n */\nfunction validateProfileId(\n providerId: string,\n profile: OAuthProfile,\n): Fx<OAuthProfile, AuthError> {\n return typeof profile.id === \"string\" && profile.id\n ? Fx.succeed(profile)\n : Fx.fail(\n new AuthError(\n \"OAUTH_INVALID_PROFILE\",\n `The profile callback for \"${providerId}\" must return an object with a string \\`id\\` field.`,\n ),\n );\n}\n\n// ============================================================================\n// Authorization URL creation\n// ============================================================================\n\n/**\n * Create an OAuth authorization URL using an Arctic provider.\n *\n * Handles PKCE detection, state generation, and cookie creation.\n */\n/** @internal */\nexport async function createOAuthAuthorizationURL(\n providerId: string,\n arcticProvider: any,\n oauthConfig: OAuthProviderConfigLike,\n): Promise<AuthorizationResult> {\n const state = arctic.generateState();\n const cookies: OAuthCookie[] = [];\n let codeVerifier: string | undefined;\n\n const scopes = oauthConfig.scopes ?? [];\n\n let url: URL;\n\n if (isPKCEProvider(arcticProvider)) {\n codeVerifier = arctic.generateCodeVerifier();\n url = arcticProvider.createAuthorizationURL(state, codeVerifier, scopes);\n cookies.push(createCookie(\"pkce\", providerId, codeVerifier));\n } else {\n url = arcticProvider.createAuthorizationURL(state, scopes);\n }\n\n cookies.push(createCookie(\"state\", providerId, state));\n\n if (oauthConfig.nonce === true) {\n const nonce = arctic.generateState();\n url.searchParams.set(\"nonce\", nonce);\n cookies.push(createCookie(\"nonce\", providerId, nonce));\n }\n\n logWithLevel(\"DEBUG\", \"OAuth authorization URL created\", {\n url: url.toString(),\n providerId,\n hasPKCE: !!codeVerifier,\n });\n\n const signature = getAuthorizationSignature({ codeVerifier, state });\n\n return {\n redirect: url.toString(),\n cookies,\n signature,\n };\n}\n\n// ============================================================================\n// OAuth callback handling\n// ============================================================================\n\n/**\n * Handle the OAuth callback: validate state, exchange code for tokens,\n * extract profile.\n *\n * Returns `Fx<CallbackResult, AuthError>` composed via `Fx.gen`.\n */\n/** @internal */\nexport function handleOAuthCallback(\n providerId: string,\n arcticProvider: any,\n oauthConfig: OAuthProviderConfigLike,\n params: Record<string, string>,\n cookies: Record<string, string | undefined>,\n): Fx<CallbackResult, AuthError> {\n return Fx.gen(function* () {\n const resCookies: OAuthCookie[] = [];\n\n // 1. Validate state\n const stateCookieName = oauthCookieName(\"state\", providerId);\n const storedState = cookies[stateCookieName];\n const returnedState = params.state;\n\n yield* Fx.guard(\n !storedState || !returnedState || storedState !== returnedState,\n Fx.fail(new AuthError(\"OAUTH_INVALID_STATE\")),\n );\n resCookies.push(clearCookie(\"state\", providerId));\n\n // Check for error from provider\n if (params.error) {\n const cause = {\n providerId,\n error: params.error,\n error_description: params.error_description,\n };\n logWithLevel(\"DEBUG\", \"OAuthCallbackError\", cause);\n yield* Fx.fail(\n new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n \"OAuth provider returned an error\",\n {\n cause: JSON.stringify(cause),\n },\n ),\n );\n }\n\n // 2. Get code\n const code = yield* params.code != null\n ? Fx.succeed(params.code)\n : Fx.fail(\n new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n \"Missing authorization code in callback\",\n ),\n );\n\n // 3. Read PKCE verifier from cookie if applicable\n let codeVerifier: string | undefined;\n if (isPKCEProvider(arcticProvider)) {\n const pkceCookieName = oauthCookieName(\"pkce\", providerId);\n codeVerifier = yield* cookies[pkceCookieName] != null\n ? Fx.succeed(cookies[pkceCookieName]!)\n : Fx.fail(\n new AuthError(\n \"OAUTH_MISSING_VERIFIER\",\n \"Missing PKCE verifier cookie for OAuth callback\",\n ),\n );\n resCookies.push(clearCookie(\"pkce\", providerId));\n }\n\n let nonce: string | undefined;\n if (oauthConfig.nonce === true) {\n const nonceCookieName = oauthCookieName(\"nonce\", providerId);\n nonce = yield* cookies[nonceCookieName] != null\n ? Fx.succeed(cookies[nonceCookieName]!)\n : Fx.fail(\n new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n \"Missing nonce cookie for OAuth callback\",\n ),\n );\n resCookies.push(clearCookie(\"nonce\", providerId));\n }\n\n // 4. Exchange code for tokens\n const tokens = yield* exchangeCode(arcticProvider, code, codeVerifier);\n\n if (oauthConfig.validateTokens !== undefined) {\n yield* Fx.from({\n ok: () => oauthConfig.validateTokens!(tokens, { nonce }),\n err: (e) =>\n new AuthError(\n \"OAUTH_PROVIDER_ERROR\",\n `Token validation failed: ${e instanceof Error ? e.message : String(e)}`,\n ),\n });\n }\n\n // 5. Extract profile\n const rawProfile = yield* extractProfile(providerId, oauthConfig, tokens);\n const profile = yield* validateProfileId(providerId, rawProfile);\n\n logWithLevel(\"DEBUG\", \"OAuth callback profile extracted\", {\n providerId,\n profileId: profile.id,\n });\n\n // 6. Compute signature for verifier validation\n const state = storedState!;\n const signature = getAuthorizationSignature({ codeVerifier, state });\n\n return {\n profile,\n providerAccountId: profile.id,\n cookies: resCookies,\n signature,\n };\n });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA+DA,MAAM,aAAa;AAEnB,SAAS,gBAAgB,MAAkC,YAAoB;AAE7E,SADe,CAAC,YAAY,QAAQ,IAAI,gBAAgB,GAAG,YAAY,MACvD,aAAa,UAAU;;AAGzC,SAAS,aACP,MACA,YACA,OACa;CACb,MAAM,0BAAU,IAAI,MAAM;AAC1B,SAAQ,QAAQ,QAAQ,SAAS,GAAG,aAAa,IAAK;AACtD,QAAO;EACL,MAAM,gBAAgB,MAAM,WAAW;EACvC;EACA,SAAS;GAAE,GAAG;GAAuB;GAAS;EAC/C;;AAGH,SAAS,YACP,MACA,YACa;AACb,QAAO;EACL,MAAM,gBAAgB,MAAM,WAAW;EACvC,OAAO;EACP,SAAS;GAAE,GAAG;GAAuB,QAAQ;GAAG;EACjD;;;;;;;AAYH,SAAgB,0BAA0B,EACxC,cACA,SAIC;AACD,QAAO,CAAC,cAAc,MAAM,CAAC,QAAQ,UAAU,UAAU,OAAU,CAAC,KAAK,IAAI;;;;;;;AAY/E,SAAS,eAAe,UAAwB;AAC9C,QACE,OAAO,SAAS,2BAA2B,cAC3C,SAAS,uBAAuB,UAAU;;;;;;AAY9C,SAAS,aACP,gBACA,MACA,cACoC;AACpC,QAAO,GAAG,KAAK;EACb,UACE,eAAe,eAAe,GAC1B,eAAe,0BAA0B,MAAM,aAAa,GAC5D,eAAe,0BAA0B,KAAK;EACpD,MAAM,MAAM;AACV,OAAI,aAAa,OAAO,mBACtB,QAAO,IAAI,UACT,wBACA,0BAA0B,EAAE,OAC7B;AAEH,OAAI,aAAa,OAAO,iBACtB,QAAO,IAAI,UACT,wBACA,wCAAwC,EAAE,UAC3C;AAKH,UAAO,IAAI,UACT,wBACA,2CAA2C,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACtF;;EAEJ,CAAC,CAAC,KACD,GAAG,OAAO,WAAW;AAKnB,SAAO,GAAG,QAAQ,OAAO;GACzB,CACH;;;;;;AAOH,SAAS,eACP,YACA,aACA,QAC6B;CAC7B,MAAM,aACJ,cAAc,OAAO,QACrB,OAAQ,OAAO,KAAa,aAAa;CAC3C,MAAM,gBAAgB,YAAY,UAC9B,EAAE,QAAQ,YAAqB,GAC/B,aACE,EAAE,QAAQ,WAAoB,GAC9B,EAAE,QAAQ,WAAoB;AAEpC,QAAO,GAAG,MAAM,eAAe,cAAc,QAAQ;EACnD,WAAW,mBACT,GAAG,KAAK;GACN,UAAU,YAAY,QAAS,OAAO;GACtC,MAAM,MACJ,IAAI,UACF,yBACA,2BAA2B,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACtE;GACJ,CAAC;EACJ,UAAU,mBAAmB;GAC3B,MAAM,SAAS,OAAO,cAAc,OAAO,SAAS,CAAC;AAIrD,UAAO,GAAG,QAAQ;IAChB,IAAK,OAAO,OAAkB,OAAO,YAAY;IACjD,MAAO,OAAO,QAAmB;IACjC,OAAQ,OAAO,SAAoB;IACnC,OAAQ,OAAO,WAAsB;IACtC,CAAC;;EAEJ,UAAU,mBACR,GAAG,KACD,IAAI,UACF,yBACA,aAAa,WAAW,6HAEzB,CACF;EACJ,CAAC;;;;;AAMJ,SAAS,kBACP,YACA,SAC6B;AAC7B,QAAO,OAAO,QAAQ,OAAO,YAAY,QAAQ,KAC7C,GAAG,QAAQ,QAAQ,GACnB,GAAG,KACD,IAAI,UACF,yBACA,6BAA6B,WAAW,qDACzC,CACF;;;;;;;;AAaP,eAAsB,4BACpB,YACA,gBACA,aAC8B;CAC9B,MAAM,QAAQ,OAAO,eAAe;CACpC,MAAM,UAAyB,EAAE;CACjC,IAAI;CAEJ,MAAM,SAAS,YAAY,UAAU,EAAE;CAEvC,IAAI;AAEJ,KAAI,eAAe,eAAe,EAAE;AAClC,iBAAe,OAAO,sBAAsB;AAC5C,QAAM,eAAe,uBAAuB,OAAO,cAAc,OAAO;AACxE,UAAQ,KAAK,aAAa,QAAQ,YAAY,aAAa,CAAC;OAE5D,OAAM,eAAe,uBAAuB,OAAO,OAAO;AAG5D,SAAQ,KAAK,aAAa,SAAS,YAAY,MAAM,CAAC;AAEtD,KAAI,YAAY,UAAU,MAAM;EAC9B,MAAM,QAAQ,OAAO,eAAe;AACpC,MAAI,aAAa,IAAI,SAAS,MAAM;AACpC,UAAQ,KAAK,aAAa,SAAS,YAAY,MAAM,CAAC;;AAGxD,cAAa,SAAS,mCAAmC;EACvD,KAAK,IAAI,UAAU;EACnB;EACA,SAAS,CAAC,CAAC;EACZ,CAAC;CAEF,MAAM,YAAY,0BAA0B;EAAE;EAAc;EAAO,CAAC;AAEpE,QAAO;EACL,UAAU,IAAI,UAAU;EACxB;EACA;EACD;;;;;;;;;AAcH,SAAgB,oBACd,YACA,gBACA,aACA,QACA,SAC+B;AAC/B,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,aAA4B,EAAE;EAIpC,MAAM,cAAc,QADI,gBAAgB,SAAS,WAAW;EAE5D,MAAM,gBAAgB,OAAO;AAE7B,SAAO,GAAG,MACR,CAAC,eAAe,CAAC,iBAAiB,gBAAgB,eAClD,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC,CAC9C;AACD,aAAW,KAAK,YAAY,SAAS,WAAW,CAAC;AAGjD,MAAI,OAAO,OAAO;GAChB,MAAM,QAAQ;IACZ;IACA,OAAO,OAAO;IACd,mBAAmB,OAAO;IAC3B;AACD,gBAAa,SAAS,sBAAsB,MAAM;AAClD,UAAO,GAAG,KACR,IAAI,UACF,wBACA,oCACA,EACE,OAAO,KAAK,UAAU,MAAM,EAC7B,CACF,CACF;;EAIH,MAAM,OAAO,OAAO,OAAO,QAAQ,OAC/B,GAAG,QAAQ,OAAO,KAAK,GACvB,GAAG,KACD,IAAI,UACF,wBACA,yCACD,CACF;EAGL,IAAI;AACJ,MAAI,eAAe,eAAe,EAAE;GAClC,MAAM,iBAAiB,gBAAgB,QAAQ,WAAW;AAC1D,kBAAe,OAAO,QAAQ,mBAAmB,OAC7C,GAAG,QAAQ,QAAQ,gBAAiB,GACpC,GAAG,KACD,IAAI,UACF,0BACA,kDACD,CACF;AACL,cAAW,KAAK,YAAY,QAAQ,WAAW,CAAC;;EAGlD,IAAI;AACJ,MAAI,YAAY,UAAU,MAAM;GAC9B,MAAM,kBAAkB,gBAAgB,SAAS,WAAW;AAC5D,WAAQ,OAAO,QAAQ,oBAAoB,OACvC,GAAG,QAAQ,QAAQ,iBAAkB,GACrC,GAAG,KACD,IAAI,UACF,wBACA,0CACD,CACF;AACL,cAAW,KAAK,YAAY,SAAS,WAAW,CAAC;;EAInD,MAAM,SAAS,OAAO,aAAa,gBAAgB,MAAM,aAAa;AAEtE,MAAI,YAAY,mBAAmB,OACjC,QAAO,GAAG,KAAK;GACb,UAAU,YAAY,eAAgB,QAAQ,EAAE,OAAO,CAAC;GACxD,MAAM,MACJ,IAAI,UACF,wBACA,4BAA4B,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACvE;GACJ,CAAC;EAKJ,MAAM,UAAU,OAAO,kBAAkB,YADtB,OAAO,eAAe,YAAY,aAAa,OAAO,CACT;AAEhE,eAAa,SAAS,oCAAoC;GACxD;GACA,WAAW,QAAQ;GACpB,CAAC;EAIF,MAAM,YAAY,0BAA0B;GAAE;GAAc,OAD9C;GACqD,CAAC;AAEpE,SAAO;GACL;GACA,mBAAmB,QAAQ;GAC3B,SAAS;GACT;GACD;GACD"}
package/dist/component/server/passkey.js CHANGED
@@ -1,4 +1,5 @@
1
1
  import { AuthError, Fx } from "./fx.js";
2
+ import { userIdFromIdentitySubject } from "./identity.js";
2
3
  import { authDb } from "./db.js";
3
4
  import { callVerifierSignature } from "./mutations/signature.js";
4
5
  import { callSignIn } from "./mutations/signin.js";
@@ -107,7 +108,7 @@ function handlePasskeyFx(ctx, provider, args) {
107
108
  registerOptions: (_) => Fx.zip(Fx.from({
108
109
  ok: () => ctx.auth.getUserIdentity(),
109
110
  err: () => new AuthError("PASSKEY_AUTH_REQUIRED")
110
- }).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(id.subject.split("|")[0]))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => {
111
+ }).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(userIdFromIdentitySubject(id.subject)))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => {
111
112
  const challenge = new Uint8Array(32);
112
113
  crypto.getRandomValues(challenge);
113
114
  const challengeHash = encodeBase64urlNoPadding(new Uint8Array(sha256(challenge)));
@@ -162,7 +163,7 @@ function handlePasskeyFx(ctx, provider, args) {
162
163
  registerVerify: (_) => Fx.zip(Fx.from({
163
164
  ok: () => ctx.auth.getUserIdentity(),
164
165
  err: () => new AuthError("PASSKEY_AUTH_REQUIRED")
165
- }).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(id.subject.split("|")[0]))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => requirePasskeyVerifierFx(args.verifier).pipe(Fx.chain((verifier) => {
166
+ }).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(userIdFromIdentitySubject(id.subject)))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => requirePasskeyVerifierFx(args.verifier).pipe(Fx.chain((verifier) => {
166
167
  const clientData = parseClientDataJSON(decodeBase64urlIgnorePadding(params.clientDataJSON));
167
168
  return Fx.succeed(clientData).pipe(Fx.chain(verifyClientDataType(ClientDataType.Create, "webauthn.create")), Fx.chain(verifyOrigin(rp)), Fx.chain(verifyAndConsumeChallenge(ctx, verifier)), Fx.map(() => {
168
169
  return parseAttestationObject(decodeBase64urlIgnorePadding(params.attestationObject)).authenticatorData;