@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

package/dist/server/index.js

@@ -1,14 +1,508 @@
 import { Fx } from "./fx.js";
 import { isLocalHost } from "./utils.js";
-import { ConvexError } from "convex/values";
-import { makeFunctionReference } from "convex/server";
+import { enterpriseConnectionWhereValidator, enterpriseDomainInputValidator, enterpriseDomainVerificationInputValidator, enterprisePolicyPatchValidator, enterpriseSamlAttributeMappingValidator, enterpriseSamlSpValidator, enterpriseStatusValidator } from "./enterpriseValidators.js";
+import { actionGeneric, makeFunctionReference, mutationGeneric, queryGeneric } from "convex/server";
+import { ConvexError, v } from "convex/values";
 import { parse, serialize } from "cookie";
 import { ConvexHttpClient } from "convex/browser";
 import { jwtDecode } from "jwt-decode";
 
 //#region src/server/index.ts
-const signInActionRef = makeFunctionReference("auth/session:start");
-const signOutActionRef = makeFunctionReference("auth/session:stop");
+const signInActionRef = makeFunctionReference("auth:signIn");
+const signOutActionRef = makeFunctionReference("auth:signOut");
+function requireSignedInUser(auth) {
+	return async (ctx) => {
+		return await auth.user.require(ctx);
+	};
+}
+function normalizeCreatorRoleIds(roles) {
+	return roles?.map((role) => typeof role === "string" ? role : role.id);
+}
+async function resolveMountedEnterpriseTarget(auth, ctx, target) {
+	if (target.groupId !== void 0) return {
+		enterpriseId: target.enterpriseId,
+		groupId: target.groupId,
+		resolvedGroupId: target.groupId
+	};
+	if (target.enterpriseId !== void 0) {
+		const enterprise = await auth.sso.admin.connection.get(ctx, target.enterpriseId);
+		if (enterprise === null) throw new ConvexError({
+			code: "INVALID_PARAMETERS",
+			message: "Enterprise not found."
+		});
+		return {
+			enterpriseId: enterprise._id,
+			groupId: enterprise.groupId,
+			resolvedGroupId: enterprise.groupId
+		};
+	}
+	if (target.domain !== void 0) {
+		const resolved = await auth.sso.admin.connection.getByDomain(ctx, target.domain);
+		if (resolved?.enterprise === void 0) throw new ConvexError({
+			code: "INVALID_PARAMETERS",
+			message: "Enterprise not found."
+		});
+		return {
+			enterpriseId: resolved.enterprise._id,
+			groupId: resolved.enterprise.groupId,
+			resolvedGroupId: resolved.enterprise.groupId
+		};
+	}
+	return {
+		enterpriseId: void 0,
+		groupId: void 0,
+		resolvedGroupId: null
+	};
+}
+function createMountedAdminAuthorizer(auth, options) {
+	const requireUserId = requireSignedInUser(auth);
+	return async (ctx, permission, target = {}) => {
+		const userId = await requireUserId(ctx);
+		if (!options?.admin?.authorized) throw new ConvexError({
+			code: "FORBIDDEN",
+			message: "Mounted enterprise admin APIs require an authorized callback."
+		});
+		const resolved = await resolveMountedEnterpriseTarget(auth, ctx, target);
+		await options.admin.authorized(ctx, {
+			userId,
+			permission,
+			enterpriseId: resolved.enterpriseId,
+			groupId: resolved.groupId,
+			resolvedGroupId: resolved.resolvedGroupId
+		});
+		return {
+			userId,
+			...resolved
+		};
+	};
+}
+/**
+* Build optional public SSO management actions that apps can mount under
+* `convex/auth/sso/**` when they want client-callable enterprise APIs.
+*
+* `admin` is for tenant-admin control-plane operations and should be mounted
+* with an explicit authorization policy. `client` is for end-user sign-in
+* helpers and does not require tenant-admin authorization.
+*/
+function sso(auth, options) {
+	const authorize = createMountedAdminAuthorizer(auth, options);
+	const adminRoleIds = normalizeCreatorRoleIds(options?.admin?.roles);
+	return {
+		admin: {
+			connection: {
+				create: mutationGeneric({
+					args: {
+						groupId: v.optional(v.string()),
+						name: v.optional(v.string()),
+						slug: v.optional(v.string()),
+						status: v.optional(enterpriseStatusValidator),
+						domain: v.optional(v.string())
+					},
+					handler: async (ctx, args) => {
+						const { userId } = await authorize(ctx, "sso.connection.create", { groupId: args.groupId });
+						const createsGroup = args.groupId === void 0;
+						const groupId = args.groupId ?? (await auth.group.create(ctx, {
+							name: args.name?.trim() || args.slug?.trim() || "Enterprise",
+							slug: args.slug,
+							type: "enterprise"
+						})).groupId;
+						if (createsGroup) await auth.member.create(ctx, {
+							groupId,
+							userId,
+							roleIds: adminRoleIds
+						});
+						const created = await auth.sso.admin.connection.create(ctx, {
+							groupId,
+							name: args.name,
+							slug: args.slug,
+							status: args.status
+						});
+						if (args.domain) await auth.sso.admin.connection.domain.set(ctx, created.enterpriseId, [{
+							domain: args.domain,
+							isPrimary: true
+						}]);
+						return {
+							...created,
+							groupId,
+							createdGroup: createsGroup
+						};
+					}
+				}),
+				get: queryGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
+						return await auth.sso.admin.connection.get(ctx, args.enterpriseId);
+					}
+				}),
+				getByGroup: queryGeneric({
+					args: { groupId: v.string() },
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.connection.read", { groupId: args.groupId });
+						return await auth.sso.admin.connection.getByGroup(ctx, args.groupId);
+					}
+				}),
+				getByDomain: queryGeneric({
+					args: { domain: v.string() },
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.connection.read", { domain: args.domain });
+						return await auth.sso.admin.connection.getByDomain(ctx, args.domain);
+					}
+				}),
+				list: queryGeneric({
+					args: {
+						where: v.optional(enterpriseConnectionWhereValidator),
+						limit: v.optional(v.number()),
+						cursor: v.optional(v.union(v.string(), v.null())),
+						orderBy: v.optional(v.string()),
+						order: v.optional(v.union(v.literal("asc"), v.literal("desc")))
+					},
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.connection.read", { groupId: args.where?.groupId });
+						return await auth.sso.admin.connection.list(ctx, args);
+					}
+				}),
+				update: mutationGeneric({
+					args: {
+						enterpriseId: v.string(),
+						data: v.object({
+							name: v.optional(v.string()),
+							slug: v.optional(v.string()),
+							status: v.optional(enterpriseStatusValidator)
+						})
+					},
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.connection.manage", { enterpriseId: args.enterpriseId });
+						await auth.sso.admin.connection.update(ctx, args.enterpriseId, args.data);
+						return {
+							ok: true,
+							enterpriseId: args.enterpriseId
+						};
+					}
+				}),
+				delete: mutationGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.connection.manage", { enterpriseId: args.enterpriseId });
+						return await auth.sso.admin.connection.delete(ctx, args.enterpriseId);
+					}
+				}),
+				status: queryGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
+						return await auth.sso.admin.connection.status(ctx, args.enterpriseId);
+					}
+				}),
+				domain: {
+					list: queryGeneric({
+						args: { enterpriseId: v.string() },
+						handler: async (ctx, args) => {
+							await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
+							return await auth.sso.admin.connection.domain.list(ctx, args.enterpriseId);
+						}
+					}),
+					validate: queryGeneric({
+						args: { enterpriseId: v.string() },
+						handler: async (ctx, args) => {
+							await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
+							return await auth.sso.admin.connection.domain.validate(ctx, args.enterpriseId);
+						}
+					}),
+					set: mutationGeneric({
+						args: {
+							enterpriseId: v.string(),
+							domains: v.array(enterpriseDomainInputValidator)
+						},
+						handler: async (ctx, args) => {
+							await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
+							return await auth.sso.admin.connection.domain.set(ctx, args.enterpriseId, args.domains);
+						}
+					}),
+					verification: {
+						request: mutationGeneric({
+							args: enterpriseDomainVerificationInputValidator,
+							handler: async (ctx, args) => {
+								await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
+								return await auth.sso.admin.connection.domain.verification.request(ctx, args);
+							}
+						}),
+						confirm: actionGeneric({
+							args: enterpriseDomainVerificationInputValidator,
+							handler: async (ctx, args) => {
+								await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
+								return await auth.sso.admin.connection.domain.verification.confirm(ctx, args);
+							}
+						})
+					}
+				}
+			},
+			oidc: {
+				configure: mutationGeneric({
+					args: {
+						enterpriseId: v.string(),
+						issuer: v.optional(v.string()),
+						discoveryUrl: v.optional(v.string()),
+						clientId: v.string(),
+						clientSecret: v.optional(v.string()),
+						scopes: v.optional(v.array(v.string())),
+						authorizationParams: v.optional(v.record(v.string(), v.string())),
+						clockToleranceSeconds: v.optional(v.number()),
+						strictIssuer: v.optional(v.boolean()),
+						extraFields: v.optional(v.record(v.string(), v.string()))
+					},
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
+						return await auth.sso.admin.oidc.configure(ctx, args);
+					}
+				}),
+				get: queryGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
+						return await auth.sso.admin.oidc.get(ctx, args.enterpriseId);
+					}
+				}),
+				validate: actionGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
+						return await auth.sso.admin.oidc.validate(ctx, args.enterpriseId);
+					}
+				})
+			},
+			saml: {
+				configure: actionGeneric({
+					args: {
+						enterpriseId: v.string(),
+						metadataXml: v.optional(v.string()),
+						metadataUrl: v.optional(v.string()),
+						domains: v.optional(v.array(v.string())),
+						signAuthnRequests: v.optional(v.boolean()),
+						attributeMapping: v.optional(enterpriseSamlAttributeMappingValidator),
+						sp: v.optional(enterpriseSamlSpValidator)
+					},
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
+						return await auth.sso.admin.saml.configure(ctx, args);
+					}
+				}),
+				validate: queryGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
+						return await auth.sso.admin.saml.validate(ctx, args.enterpriseId);
+					}
+				})
+			},
+			policy: {
+				get: queryGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
+						return await auth.sso.admin.policy.get(ctx, args.enterpriseId);
+					}
+				}),
+				update: mutationGeneric({
+					args: {
+						enterpriseId: v.string(),
+						patch: enterprisePolicyPatchValidator
+					},
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.policy.manage", { enterpriseId: args.enterpriseId });
+						return await auth.sso.admin.policy.update(ctx, args.enterpriseId, args.patch);
+					}
+				}),
+				validate: queryGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.policy.manage", { enterpriseId: args.enterpriseId });
+						return await auth.sso.admin.policy.validate(ctx, args.enterpriseId);
+					}
+				})
+			},
+			audit: { list: queryGeneric({
+				args: {
+					enterpriseId: v.optional(v.string()),
+					groupId: v.optional(v.string()),
+					limit: v.optional(v.number())
+				},
+				handler: async (ctx, args) => {
+					await authorize(ctx, "sso.audit.read", {
+						enterpriseId: args.enterpriseId,
+						groupId: args.groupId
+					});
+					return await auth.sso.admin.audit.list(ctx, args);
+				}
+			}) },
+			webhook: {
+				delivery: { list: queryGeneric({
+					args: {
+						enterpriseId: v.string(),
+						limit: v.optional(v.number())
+					},
+					handler: async (ctx, args) => {
+						await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId });
+						return await auth.sso.admin.webhook.delivery.list(ctx, args);
+					}
+				}) },
+				endpoint: {
+					create: mutationGeneric({
+						args: {
+							enterpriseId: v.string(),
+							url: v.string(),
+							secret: v.string(),
+							subscriptions: v.array(v.string()),
+							createdByUserId: v.optional(v.string())
+						},
+						handler: async (ctx, args) => {
+							const { userId } = await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId });
+							return {
+								_id: (await auth.sso.admin.webhook.endpoint.create(ctx, {
+									...args,
+									createdByUserId: args.createdByUserId ?? userId
+								})).endpointId,
+								enterpriseId: args.enterpriseId,
+								url: args.url,
+								subscriptions: args.subscriptions,
+								createdByUserId: args.createdByUserId ?? userId,
+								status: "active",
+								failureCount: 0
+							};
+						}
+					}),
+					list: queryGeneric({
+						args: { enterpriseId: v.string() },
+						handler: async (ctx, args) => {
+							await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId });
+							return (await auth.sso.admin.webhook.endpoint.list(ctx, args.enterpriseId)).map((endpoint) => {
+								const { secretHash: _secretHash, ...rest } = endpoint;
+								return rest;
+							});
+						}
+					}),
+					disable: mutationGeneric({
+						args: { endpointId: v.string() },
+						handler: async (ctx, args) => {
+							const endpoint = await auth.sso.admin.webhook.endpoint.get(ctx, args.endpointId);
+							if (!endpoint) throw new ConvexError({
+								code: "INVALID_PARAMETERS",
+								message: "Webhook endpoint not found."
+							});
+							await authorize(ctx, "sso.webhook.manage", {
+								enterpriseId: endpoint.enterpriseId,
+								groupId: endpoint.groupId
+							});
+							return await auth.sso.admin.webhook.endpoint.disable(ctx, args.endpointId);
+						}
+					})
+				}
+			}
+		},
+		client: {
+			signIn: queryGeneric({
+				args: {
+					enterpriseId: v.optional(v.string()),
+					email: v.optional(v.string()),
+					domain: v.optional(v.string()),
+					redirectTo: v.optional(v.string())
+				},
+				handler: async (ctx, args) => {
+					return await auth.sso.client.signIn(ctx, args);
+				}
+			}),
+			metadata: queryGeneric({
+				args: {
+					enterpriseId: v.string(),
+					entityId: v.optional(v.string()),
+					acsUrl: v.optional(v.string()),
+					sloUrl: v.optional(v.string())
+				},
+				handler: async (ctx, args) => {
+					return await auth.sso.client.metadata(ctx, args);
+				}
+			})
+		}
+	};
+}
+/**
+* Build optional public SCIM management actions that apps can mount under
+* `convex/auth/scim/**` when they want client-callable enterprise admin APIs.
+*/
+function scim(auth, options) {
+	const authorize = createMountedAdminAuthorizer(auth, options);
+	return { admin: {
+		configure: mutationGeneric({
+			args: {
+				enterpriseId: v.string(),
+				basePath: v.optional(v.string()),
+				status: v.optional(enterpriseStatusValidator)
+			},
+			handler: async (ctx, args) => {
+				await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId });
+				return await auth.scim.admin.configure(ctx, args);
+			}
+		}),
+		get: queryGeneric({
+			args: { enterpriseId: v.string() },
+			handler: async (ctx, args) => {
+				await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId });
+				return await auth.scim.admin.get(ctx, args.enterpriseId);
+			}
+		}),
+		validate: queryGeneric({
+			args: { enterpriseId: v.string() },
+			handler: async (ctx, args) => {
+				await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId });
+				return await auth.scim.admin.validate(ctx, args.enterpriseId);
+			}
+		})
+	} };
+}
+/**
+* Build a flat mounted enterprise API surface for app-owned Convex exports.
+*
+* The returned object contains tenant-admin SSO and SCIM control-plane
+* functions plus end-user enterprise sign-in helpers. The `authorized`
+* callback is required for admin operations.
+*/
+function enterprise(auth, options) {
+	const mountedSso = sso(auth, { admin: options.admin });
+	const mountedScim = scim(auth, { admin: { authorized: options.admin.authorized } });
+	return {
+		createConnection: mountedSso.admin.connection.create,
+		getConnection: mountedSso.admin.connection.get,
+		getConnectionByGroup: mountedSso.admin.connection.getByGroup,
+		getConnectionByDomain: mountedSso.admin.connection.getByDomain,
+		listConnections: mountedSso.admin.connection.list,
+		updateConnection: mountedSso.admin.connection.update,
+		deleteConnection: mountedSso.admin.connection.delete,
+		getConnectionStatus: mountedSso.admin.connection.status,
+		listDomains: mountedSso.admin.connection.domain.list,
+		validateDomains: mountedSso.admin.connection.domain.validate,
+		setDomains: mountedSso.admin.connection.domain.set,
+		requestDomainVerification: mountedSso.admin.connection.domain.verification.request,
+		confirmDomainVerification: mountedSso.admin.connection.domain.verification.confirm,
+		configureOidc: mountedSso.admin.oidc.configure,
+		getOidc: mountedSso.admin.oidc.get,
+		validateOidc: mountedSso.admin.oidc.validate,
+		configureSaml: mountedSso.admin.saml.configure,
+		validateSaml: mountedSso.admin.saml.validate,
+		getPolicy: mountedSso.admin.policy.get,
+		updatePolicy: mountedSso.admin.policy.update,
+		validatePolicy: mountedSso.admin.policy.validate,
+		listAudit: mountedSso.admin.audit.list,
+		createWebhookEndpoint: mountedSso.admin.webhook.endpoint.create,
+		listWebhookEndpoints: mountedSso.admin.webhook.endpoint.list,
+		listWebhookDeliveries: mountedSso.admin.webhook.delivery.list,
+		disableWebhookEndpoint: mountedSso.admin.webhook.endpoint.disable,
+		configureScim: mountedScim.admin.configure,
+		getScim: mountedScim.admin.get,
+		validateScim: mountedScim.admin.validate,
+		signIn: mountedSso.client.signIn,
+		metadata: mountedSso.client.metadata
+	};
+}
 const TOKEN_COOKIE_BASE_NAME = "__convexAuthJWT";
 const REFRESH_COOKIE_BASE_NAME = "__convexAuthRefreshToken";
 const VERIFIER_COOKIE_BASE_NAME = "__convexAuthOAuthVerifier";
@@ -316,7 +810,7 @@ function server(options) {
 			if (body === null) return new Response("Invalid request body", { status: 400 });
 			const action = body.action;
 			const args = typeof body.args === "object" && body.args !== null ? body.args : {};
-			const actionDispatch = action === "auth/session:start" ? { action: "sessionStart" } : action === "auth/session:stop" ? { action: "sessionStop" } : null;
+			const actionDispatch = action === "auth:signIn" ? { action: "sessionStart" } : action === "auth:signOut" ? { action: "sessionStop" } : null;
 			if (actionDispatch === null) return new Response("Invalid action", { status: 400 });
 			const host = request.headers.get("host") ?? new URL(request.url).host;
 			const currentCookies = parseAuthCookies(request.headers.get("cookie"), host, cookieNamespace);
@@ -476,12 +970,12 @@ function server(options) {
 										const refreshed = await new ConvexHttpClient(convexUrl).action(signInActionRef, { refreshToken });
 										const refreshedTokens = await Fx.run(Fx.match(refreshed, refreshed.kind, {
 											signedIn: (signedInResult) => Fx.succeed(signedInResult.tokens),
-											redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for sign-out fallback refresh")),
-											started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for sign-out fallback refresh")),
-											passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for sign-out fallback refresh")),
-											totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for sign-out fallback refresh")),
-											totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for sign-out fallback refresh")),
-											deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for sign-out fallback refresh"))
+											redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
+											started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
+											passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
+											totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
+											totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
+											deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh"))
 										}));
 										const fallbackSignOutDispatch = refreshedTokens !== null ? {
 											kind: "signOutWithRefreshed",
@@ -563,12 +1057,12 @@ function server(options) {
 								kind: "signedIn",
 								tokens: await Fx.run(Fx.match(result, result.kind, {
 									signedIn: (signedInResult) => Fx.succeed(signedInResult.tokens),
-									redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for code exchange")),
-									started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for code exchange")),
-									passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for code exchange")),
-									totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for code exchange")),
-									totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for code exchange")),
-									deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for code exchange"))
+									redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for code exchange")),
+									started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for code exchange")),
+									passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for code exchange")),
+									totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for code exchange")),
+									totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for code exchange")),
+									deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for code exchange"))
 								}))
 							};
 						},
@@ -661,12 +1155,12 @@ function server(options) {
 								const result = await new ConvexHttpClient(convexUrl).action(signInActionRef, { refreshToken: refreshTokenValue });
 								const tokens$1 = await Fx.run(Fx.match(result, result.kind, {
 									signedIn: (signedInResult) => Fx.succeed(signedInResult.tokens),
-									redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-									started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-									passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-									totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-									totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-									deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh"))
+									redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+									started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+									passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+									totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+									totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+									deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh"))
 								}));
 								if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Refreshed tokens, null=${tokens$1 === null}`);
 								return tokens$1;
@@ -708,12 +1202,12 @@ function server(options) {
 										const result = await new ConvexHttpClient(convexUrl).action(signInActionRef, { refreshToken: refreshTokenValue });
 										const tokens$1 = await Fx.run(Fx.match(result, result.kind, {
 											signedIn: (signedInResult) => Fx.succeed(signedInResult.tokens),
-											redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-											started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-											passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-											totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-											totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-											deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh"))
+											redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+											started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+											passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+											totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+											totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+											deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh"))
 										}));
 										if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Refreshed tokens, null=${tokens$1 === null}`);
 										return tokens$1;
@@ -743,12 +1237,12 @@ function server(options) {
 											const result = await new ConvexHttpClient(convexUrl).action(signInActionRef, { refreshToken: refreshTokenValue });
 											const tokens$1 = await Fx.run(Fx.match(result, result.kind, {
 												signedIn: (signedInResult) => Fx.succeed(signedInResult.tokens),
-												redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-												started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-												passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-												totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-												totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh")),
-												deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth/session:start` result for token refresh"))
+												redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+												started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+												passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+												totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+												totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
+												deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh"))
 											}));
 											if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Refreshed tokens, null=${tokens$1 === null}`);
 											return tokens$1;
@@ -786,5 +1280,5 @@ function server(options) {
 }
 
 //#endregion
-export { authCookieNames, parseAuthCookies, serializeAuthCookies, server, shouldProxyAuthAction, structuredAuthCookies };
+export { authCookieNames, enterprise, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies };
 //# sourceMappingURL=index.js.map