@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (328) hide show
  1. package/README.md +140 -9
  2. package/dist/bin.cjs +5957 -5478
  3. package/dist/client/index.d.ts +3 -7
  4. package/dist/client/index.d.ts.map +1 -1
  5. package/dist/client/index.js +27 -26
  6. package/dist/client/index.js.map +1 -1
  7. package/dist/component/_generated/api.d.ts +14 -0
  8. package/dist/component/_generated/api.d.ts.map +1 -1
  9. package/dist/component/_generated/api.js.map +1 -1
  10. package/dist/component/_generated/component.d.ts +1672 -24
  11. package/dist/component/_generated/component.d.ts.map +1 -1
  12. package/dist/component/convex.config.d.ts +2 -2
  13. package/dist/component/convex.config.d.ts.map +1 -1
  14. package/dist/component/index.d.ts +1 -1
  15. package/dist/component/index.js +2 -2
  16. package/dist/component/model.d.ts +153 -0
  17. package/dist/component/model.d.ts.map +1 -0
  18. package/dist/component/model.js +343 -0
  19. package/dist/component/model.js.map +1 -0
  20. package/dist/component/providers/sso.d.ts +1 -1
  21. package/dist/component/public/enterprise.d.ts +54 -0
  22. package/dist/component/public/enterprise.d.ts.map +1 -0
  23. package/dist/component/public/enterprise.js +515 -0
  24. package/dist/component/public/enterprise.js.map +1 -0
  25. package/dist/component/public/factors.d.ts +52 -0
  26. package/dist/component/public/factors.d.ts.map +1 -0
  27. package/dist/component/public/factors.js +285 -0
  28. package/dist/component/public/factors.js.map +1 -0
  29. package/dist/component/public/groups.d.ts +116 -0
  30. package/dist/component/public/groups.d.ts.map +1 -0
  31. package/dist/component/public/groups.js +596 -0
  32. package/dist/component/public/groups.js.map +1 -0
  33. package/dist/component/public/identity.d.ts +93 -0
  34. package/dist/component/public/identity.d.ts.map +1 -0
  35. package/dist/component/public/identity.js +426 -0
  36. package/dist/component/public/identity.js.map +1 -0
  37. package/dist/component/public/keys.d.ts +41 -0
  38. package/dist/component/public/keys.d.ts.map +1 -0
  39. package/dist/component/public/keys.js +157 -0
  40. package/dist/component/public/keys.js.map +1 -0
  41. package/dist/component/public/shared.d.ts +26 -0
  42. package/dist/component/public/shared.d.ts.map +1 -0
  43. package/dist/component/public/shared.js +32 -0
  44. package/dist/component/public/shared.js.map +1 -0
  45. package/dist/component/public.d.ts +9 -321
  46. package/dist/component/public.d.ts.map +1 -1
  47. package/dist/component/public.js +6 -2145
  48. package/dist/component/schema.d.ts +406 -260
  49. package/dist/component/schema.js +37 -32
  50. package/dist/component/schema.js.map +1 -1
  51. package/dist/component/server/auth.d.ts +161 -15
  52. package/dist/component/server/auth.d.ts.map +1 -1
  53. package/dist/component/server/auth.js +100 -7
  54. package/dist/component/server/auth.js.map +1 -1
  55. package/dist/component/server/cookies.js +3 -0
  56. package/dist/component/server/cookies.js.map +1 -1
  57. package/dist/component/server/db.js +1 -0
  58. package/dist/component/server/db.js.map +1 -1
  59. package/dist/component/server/device.js +3 -1
  60. package/dist/component/server/device.js.map +1 -1
  61. package/dist/component/server/domains/core.js +629 -0
  62. package/dist/component/server/domains/core.js.map +1 -0
  63. package/dist/component/server/domains/sso.js +884 -0
  64. package/dist/component/server/domains/sso.js.map +1 -0
  65. package/dist/component/server/factory.d.ts +136 -0
  66. package/dist/component/server/factory.d.ts.map +1 -0
  67. package/dist/component/server/factory.js +1134 -0
  68. package/dist/component/server/factory.js.map +1 -0
  69. package/dist/component/server/fx.js +2 -1
  70. package/dist/component/server/fx.js.map +1 -1
  71. package/dist/component/server/http.js +287 -0
  72. package/dist/component/server/http.js.map +1 -0
  73. package/dist/component/server/identity.js +13 -0
  74. package/dist/component/server/identity.js.map +1 -0
  75. package/dist/component/server/keys.js +4 -0
  76. package/dist/component/server/keys.js.map +1 -1
  77. package/dist/component/server/mutations/account.js +1 -1
  78. package/dist/component/server/mutations/index.js +2 -2
  79. package/dist/component/server/mutations/index.js.map +1 -1
  80. package/dist/component/server/mutations/invalidate.js +1 -1
  81. package/dist/component/server/mutations/oauth.js +10 -7
  82. package/dist/component/server/mutations/oauth.js.map +1 -1
  83. package/dist/component/server/mutations/refresh.js +1 -1
  84. package/dist/component/server/mutations/register.js +1 -1
  85. package/dist/component/server/mutations/retrieve.js +1 -1
  86. package/dist/component/server/mutations/signature.js +1 -1
  87. package/dist/component/server/mutations/store.js +6 -3
  88. package/dist/component/server/mutations/store.js.map +1 -1
  89. package/dist/component/server/mutations/verify.js +1 -1
  90. package/dist/component/server/oauth.js +3 -0
  91. package/dist/component/server/oauth.js.map +1 -1
  92. package/dist/component/server/passkey.js +3 -2
  93. package/dist/component/server/passkey.js.map +1 -1
  94. package/dist/component/server/provider.js +2 -0
  95. package/dist/component/server/provider.js.map +1 -1
  96. package/dist/component/server/providers.js +10 -0
  97. package/dist/component/server/providers.js.map +1 -1
  98. package/dist/component/server/ratelimit.js +3 -0
  99. package/dist/component/server/ratelimit.js.map +1 -1
  100. package/dist/component/server/redirects.js +2 -0
  101. package/dist/component/server/redirects.js.map +1 -1
  102. package/dist/component/server/refresh.js +5 -0
  103. package/dist/component/server/refresh.js.map +1 -1
  104. package/dist/component/server/sessions.js +5 -0
  105. package/dist/component/server/sessions.js.map +1 -1
  106. package/dist/component/server/signin.js +2 -1
  107. package/dist/component/server/signin.js.map +1 -1
  108. package/dist/component/server/sso.js +166 -19
  109. package/dist/component/server/sso.js.map +1 -1
  110. package/dist/component/server/tokens.js +1 -0
  111. package/dist/component/server/tokens.js.map +1 -1
  112. package/dist/component/server/totp.js +4 -2
  113. package/dist/component/server/totp.js.map +1 -1
  114. package/dist/component/server/types.d.ts +106 -38
  115. package/dist/component/server/types.d.ts.map +1 -1
  116. package/dist/component/server/types.js.map +1 -1
  117. package/dist/component/server/users.js +1 -0
  118. package/dist/component/server/users.js.map +1 -1
  119. package/dist/component/server/utils.js +44 -2
  120. package/dist/component/server/utils.js.map +1 -1
  121. package/dist/providers/anonymous.d.ts +1 -1
  122. package/dist/providers/credentials.d.ts +1 -1
  123. package/dist/providers/password.d.ts +1 -1
  124. package/dist/providers/sso.d.ts +1 -1
  125. package/dist/providers/sso.js.map +1 -1
  126. package/dist/server/auth.d.ts +163 -17
  127. package/dist/server/auth.d.ts.map +1 -1
  128. package/dist/server/auth.js +100 -7
  129. package/dist/server/auth.js.map +1 -1
  130. package/dist/server/cookies.d.ts +1 -38
  131. package/dist/server/cookies.js +3 -0
  132. package/dist/server/cookies.js.map +1 -1
  133. package/dist/server/db.d.ts +1 -125
  134. package/dist/server/db.js +1 -0
  135. package/dist/server/db.js.map +1 -1
  136. package/dist/server/device.d.ts +1 -24
  137. package/dist/server/device.js +3 -1
  138. package/dist/server/device.js.map +1 -1
  139. package/dist/server/domains/core.d.ts +434 -0
  140. package/dist/server/domains/core.d.ts.map +1 -0
  141. package/dist/server/domains/core.js +629 -0
  142. package/dist/server/domains/core.js.map +1 -0
  143. package/dist/server/domains/sso.d.ts +409 -0
  144. package/dist/server/domains/sso.d.ts.map +1 -0
  145. package/dist/server/domains/sso.js +884 -0
  146. package/dist/server/domains/sso.js.map +1 -0
  147. package/dist/server/enterpriseValidators.d.ts +1 -0
  148. package/dist/server/enterpriseValidators.js +60 -0
  149. package/dist/server/enterpriseValidators.js.map +1 -0
  150. package/dist/server/factory.d.ts +136 -0
  151. package/dist/server/factory.d.ts.map +1 -0
  152. package/dist/server/factory.js +1134 -0
  153. package/dist/server/factory.js.map +1 -0
  154. package/dist/server/fx.d.ts +1 -16
  155. package/dist/server/fx.d.ts.map +1 -1
  156. package/dist/server/fx.js +1 -0
  157. package/dist/server/fx.js.map +1 -1
  158. package/dist/server/http.d.ts +59 -0
  159. package/dist/server/http.d.ts.map +1 -0
  160. package/dist/server/http.js +287 -0
  161. package/dist/server/http.js.map +1 -0
  162. package/dist/server/identity.d.ts +1 -0
  163. package/dist/server/identity.js +13 -0
  164. package/dist/server/identity.js.map +1 -0
  165. package/dist/server/index.d.ts +468 -1
  166. package/dist/server/index.d.ts.map +1 -1
  167. package/dist/server/index.js +530 -36
  168. package/dist/server/index.js.map +1 -1
  169. package/dist/server/keys.d.ts +1 -57
  170. package/dist/server/keys.js +4 -0
  171. package/dist/server/keys.js.map +1 -1
  172. package/dist/server/mutations/account.d.ts +7 -7
  173. package/dist/server/mutations/account.d.ts.map +1 -1
  174. package/dist/server/mutations/code.d.ts +13 -13
  175. package/dist/server/mutations/code.d.ts.map +1 -1
  176. package/dist/server/mutations/index.d.ts +107 -107
  177. package/dist/server/mutations/index.d.ts.map +1 -1
  178. package/dist/server/mutations/index.js +1 -1
  179. package/dist/server/mutations/index.js.map +1 -1
  180. package/dist/server/mutations/invalidate.d.ts +5 -5
  181. package/dist/server/mutations/invalidate.d.ts.map +1 -1
  182. package/dist/server/mutations/oauth.d.ts +10 -10
  183. package/dist/server/mutations/oauth.d.ts.map +1 -1
  184. package/dist/server/mutations/oauth.js +9 -6
  185. package/dist/server/mutations/oauth.js.map +1 -1
  186. package/dist/server/mutations/refresh.d.ts +4 -4
  187. package/dist/server/mutations/register.d.ts +12 -12
  188. package/dist/server/mutations/register.d.ts.map +1 -1
  189. package/dist/server/mutations/retrieve.d.ts +7 -7
  190. package/dist/server/mutations/signature.d.ts +5 -5
  191. package/dist/server/mutations/signin.d.ts +6 -6
  192. package/dist/server/mutations/signin.d.ts.map +1 -1
  193. package/dist/server/mutations/signout.d.ts +1 -1
  194. package/dist/server/mutations/store.d.ts +3 -2
  195. package/dist/server/mutations/store.d.ts.map +1 -1
  196. package/dist/server/mutations/store.js +6 -3
  197. package/dist/server/mutations/store.js.map +1 -1
  198. package/dist/server/mutations/verifier.d.ts +1 -1
  199. package/dist/server/mutations/verify.d.ts +11 -11
  200. package/dist/server/mutations/verify.d.ts.map +1 -1
  201. package/dist/server/oauth.d.ts +1 -59
  202. package/dist/server/oauth.js +3 -0
  203. package/dist/server/oauth.js.map +1 -1
  204. package/dist/server/passkey.d.ts.map +1 -1
  205. package/dist/server/passkey.js +3 -2
  206. package/dist/server/passkey.js.map +1 -1
  207. package/dist/server/provider.d.ts +1 -14
  208. package/dist/server/provider.d.ts.map +1 -1
  209. package/dist/server/provider.js +2 -0
  210. package/dist/server/provider.js.map +1 -1
  211. package/dist/server/providers.js +10 -0
  212. package/dist/server/providers.js.map +1 -1
  213. package/dist/server/ratelimit.d.ts +1 -22
  214. package/dist/server/ratelimit.js +3 -0
  215. package/dist/server/ratelimit.js.map +1 -1
  216. package/dist/server/redirects.d.ts +1 -10
  217. package/dist/server/redirects.js +2 -0
  218. package/dist/server/redirects.js.map +1 -1
  219. package/dist/server/refresh.d.ts +1 -37
  220. package/dist/server/refresh.js +5 -0
  221. package/dist/server/refresh.js.map +1 -1
  222. package/dist/server/sessions.d.ts +1 -28
  223. package/dist/server/sessions.js +5 -0
  224. package/dist/server/sessions.js.map +1 -1
  225. package/dist/server/signin.d.ts +1 -55
  226. package/dist/server/signin.js +2 -1
  227. package/dist/server/signin.js.map +1 -1
  228. package/dist/server/sso.d.ts +1 -348
  229. package/dist/server/sso.js +165 -18
  230. package/dist/server/sso.js.map +1 -1
  231. package/dist/server/templates.d.ts +1 -21
  232. package/dist/server/templates.js +1 -0
  233. package/dist/server/templates.js.map +1 -1
  234. package/dist/server/tokens.d.ts +1 -11
  235. package/dist/server/tokens.js +1 -0
  236. package/dist/server/tokens.js.map +1 -1
  237. package/dist/server/totp.d.ts +1 -23
  238. package/dist/server/totp.js +4 -2
  239. package/dist/server/totp.js.map +1 -1
  240. package/dist/server/types.d.ts +114 -77
  241. package/dist/server/types.d.ts.map +1 -1
  242. package/dist/server/types.js.map +1 -1
  243. package/dist/server/users.d.ts +1 -31
  244. package/dist/server/users.js +1 -0
  245. package/dist/server/users.js.map +1 -1
  246. package/dist/server/utils.d.ts +1 -27
  247. package/dist/server/utils.js +44 -2
  248. package/dist/server/utils.js.map +1 -1
  249. package/dist/server/version.d.ts +1 -1
  250. package/dist/server/version.js +1 -1
  251. package/dist/server/version.js.map +1 -1
  252. package/package.json +4 -5
  253. package/src/cli/bin.ts +5 -0
  254. package/src/cli/index.ts +22 -9
  255. package/src/cli/keys.ts +3 -0
  256. package/src/client/index.ts +36 -37
  257. package/src/component/_generated/api.ts +14 -0
  258. package/src/component/_generated/component.ts +2106 -9
  259. package/src/component/index.ts +3 -1
  260. package/src/component/model.ts +441 -0
  261. package/src/component/public/enterprise.ts +753 -0
  262. package/src/component/public/factors.ts +332 -0
  263. package/src/component/public/groups.ts +932 -0
  264. package/src/component/public/identity.ts +566 -0
  265. package/src/component/public/keys.ts +209 -0
  266. package/src/component/public/shared.ts +119 -0
  267. package/src/component/public.ts +5 -2965
  268. package/src/component/schema.ts +68 -63
  269. package/src/providers/sso.ts +1 -1
  270. package/src/server/auth.ts +413 -18
  271. package/src/server/cookies.ts +3 -0
  272. package/src/server/db.ts +3 -0
  273. package/src/server/device.ts +3 -1
  274. package/src/server/domains/core.ts +1071 -0
  275. package/src/server/domains/sso.ts +1749 -0
  276. package/src/server/enterpriseValidators.ts +93 -0
  277. package/src/server/factory.ts +2181 -0
  278. package/src/server/fx.ts +1 -0
  279. package/src/server/http.ts +529 -0
  280. package/src/server/identity.ts +18 -0
  281. package/src/server/index.ts +806 -40
  282. package/src/server/keys.ts +4 -0
  283. package/src/server/mutations/index.ts +1 -1
  284. package/src/server/mutations/oauth.ts +36 -8
  285. package/src/server/mutations/store.ts +6 -3
  286. package/src/server/oauth.ts +6 -0
  287. package/src/server/passkey.ts +3 -2
  288. package/src/server/provider.ts +2 -0
  289. package/src/server/providers.ts +20 -0
  290. package/src/server/ratelimit.ts +3 -0
  291. package/src/server/redirects.ts +2 -0
  292. package/src/server/refresh.ts +5 -0
  293. package/src/server/sessions.ts +5 -0
  294. package/src/server/signin.ts +1 -0
  295. package/src/server/sso.ts +259 -17
  296. package/src/server/templates.ts +1 -0
  297. package/src/server/tokens.ts +1 -0
  298. package/src/server/totp.ts +4 -2
  299. package/src/server/types.ts +178 -83
  300. package/src/server/users.ts +1 -0
  301. package/src/server/utils.ts +71 -1
  302. package/src/server/version.ts +1 -1
  303. package/dist/component/public.js.map +0 -1
  304. package/dist/component/server/implementation.d.ts +0 -1264
  305. package/dist/component/server/implementation.d.ts.map +0 -1
  306. package/dist/component/server/implementation.js +0 -2365
  307. package/dist/component/server/implementation.js.map +0 -1
  308. package/dist/server/cookies.d.ts.map +0 -1
  309. package/dist/server/db.d.ts.map +0 -1
  310. package/dist/server/device.d.ts.map +0 -1
  311. package/dist/server/implementation.d.ts +0 -1264
  312. package/dist/server/implementation.d.ts.map +0 -1
  313. package/dist/server/implementation.js +0 -2365
  314. package/dist/server/implementation.js.map +0 -1
  315. package/dist/server/keys.d.ts.map +0 -1
  316. package/dist/server/oauth.d.ts.map +0 -1
  317. package/dist/server/ratelimit.d.ts.map +0 -1
  318. package/dist/server/redirects.d.ts.map +0 -1
  319. package/dist/server/refresh.d.ts.map +0 -1
  320. package/dist/server/sessions.d.ts.map +0 -1
  321. package/dist/server/signin.d.ts.map +0 -1
  322. package/dist/server/sso.d.ts.map +0 -1
  323. package/dist/server/templates.d.ts.map +0 -1
  324. package/dist/server/tokens.d.ts.map +0 -1
  325. package/dist/server/totp.d.ts.map +0 -1
  326. package/dist/server/users.d.ts.map +0 -1
  327. package/dist/server/utils.d.ts.map +0 -1
  328. package/src/server/implementation.ts +0 -5336
package/dist/server/passkey.js CHANGED
@@ -1,4 +1,5 @@
1
1
  import { AuthError, Fx } from "./fx.js";
2
+ import { userIdFromIdentitySubject } from "./identity.js";
2
3
  import { authDb } from "./db.js";
3
4
  import { callVerifierSignature } from "./mutations/signature.js";
4
5
  import { callSignIn } from "./mutations/signin.js";
@@ -107,7 +108,7 @@ function handlePasskeyFx(ctx, provider, args) {
107
108
  registerOptions: (_) => Fx.zip(Fx.from({
108
109
  ok: () => ctx.auth.getUserIdentity(),
109
110
  err: () => new AuthError("PASSKEY_AUTH_REQUIRED")
110
- }).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(id.subject.split("|")[0]))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => {
111
+ }).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(userIdFromIdentitySubject(id.subject)))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => {
111
112
  const challenge = new Uint8Array(32);
112
113
  crypto.getRandomValues(challenge);
113
114
  const challengeHash = encodeBase64urlNoPadding(new Uint8Array(sha256(challenge)));
@@ -162,7 +163,7 @@ function handlePasskeyFx(ctx, provider, args) {
162
163
  registerVerify: (_) => Fx.zip(Fx.from({
163
164
  ok: () => ctx.auth.getUserIdentity(),
164
165
  err: () => new AuthError("PASSKEY_AUTH_REQUIRED")
165
- }).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(id.subject.split("|")[0]))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => requirePasskeyVerifierFx(args.verifier).pipe(Fx.chain((verifier) => {
166
+ }).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(userIdFromIdentitySubject(id.subject)))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => requirePasskeyVerifierFx(args.verifier).pipe(Fx.chain((verifier) => {
166
167
  const clientData = parseClientDataJSON(decodeBase64urlIgnorePadding(params.clientDataJSON));
167
168
  return Fx.succeed(clientData).pipe(Fx.chain(verifyClientDataType(ClientDataType.Create, "webauthn.create")), Fx.chain(verifyOrigin(rp)), Fx.chain(verifyAndConsumeChallenge(ctx, verifier)), Fx.map(() => {
168
169
  return parseAttestationObject(decodeBase64urlIgnorePadding(params.attestationObject)).authenticatorData;
package/dist/server/passkey.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"passkey.js","names":["hasSiteUrl","hasRpId","siteUrl"],"sources":["../../src/server/passkey.ts"],"sourcesContent":["/**\n * Server-side WebAuthn ceremony logic for passkey authentication.\n *\n * Handles the four phases of the WebAuthn flow:\n * 1. registerOptions — generate PublicKeyCredentialCreationOptions\n * 2. registerVerify — verify attestation and store credential\n * 3. authOptions — generate PublicKeyCredentialRequestOptions\n * 4. authVerify — verify assertion signature and sign in\n *\n * Uses `@oslojs/webauthn` for attestation/assertion parsing and\n * `@oslojs/crypto` for signature verification.\n *\n * All functions return `Fx<A, AuthError>` composed via `Fx.chain` pipelines.\n *\n * @module\n */\n\nimport {\n p256,\n verifyECDSASignature,\n decodeSEC1PublicKey,\n decodePKIXECDSASignature,\n} from \"@oslojs/crypto/ecdsa\";\nimport {\n RSAPublicKey,\n decodePKCS1RSAPublicKey,\n sha256ObjectIdentifier,\n verifyRSASSAPKCS1v15Signature,\n} from \"@oslojs/crypto/rsa\";\nimport { sha256 } from \"@oslojs/crypto/sha2\";\nimport {\n encodeBase64urlNoPadding,\n decodeBase64urlIgnorePadding,\n} from \"@oslojs/encoding\";\nimport {\n parseAttestationObject,\n parseClientDataJSON,\n parseAuthenticatorData,\n createAssertionSignatureMessage,\n ClientDataType,\n coseAlgorithmES256,\n coseAlgorithmRS256,\n COSEKeyType,\n} from \"@oslojs/webauthn\";\nimport type { Fx as FxType } from \"@robelest/fx\";\n\nimport { authDb } from \"./db\";\nimport { AuthError, Fx } from \"./fx\";\nimport { callSignIn, callVerifier } from \"./mutations/index\";\nimport { callVerifierSignature } from \"./mutations/signature\";\nimport { PasskeyProviderConfig, GenericActionCtxWithAuthConfig } from \"./types\";\nimport {\n AuthDataModel,\n SessionInfo,\n queryUserById,\n queryUserByVerifiedEmail,\n queryPasskeysByUserId,\n queryPasskeyByCredentialId,\n queryVerifierById,\n mutatePasskeyInsert,\n mutatePasskeyUpdateCounter,\n mutateVerifierDelete,\n} from \"./types\";\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n// ============================================================================\n// Resolve RP options — Fx pipeline with validation\n// ============================================================================\n\n/** Resolved relying party configuration. */\ninterface RpOptions {\n rpName: string;\n rpId: string;\n origin: string | string[];\n attestation: string;\n userVerification: string;\n residentKey: string;\n authenticatorAttachment?: string;\n algorithms: number[];\n challengeExpirationMs: number;\n}\n\n/**\n * Resolve passkey relying party options from provider config and environment.\n *\n * Returns `Fx<RpOptions, AuthError>` — fails if neither SITE_URL nor rpId\n * is configured.\n */\nconst resolveRpOptionsFx = (\n provider: PasskeyProviderConfig,\n): FxType<RpOptions, AuthError> => {\n const siteUrl = process.env.SITE_URL;\n const hasSiteUrl = siteUrl !== undefined && siteUrl !== \"\";\n const hasRpId = provider.options.rpId !== undefined;\n\n return Fx.succeed({ siteUrl, hasSiteUrl, hasRpId }).pipe(\n Fx.chain(({ siteUrl, hasSiteUrl, hasRpId }) =>\n !hasSiteUrl && !hasRpId\n ? Fx.fail(\n new AuthError(\n \"PASSKEY_MISSING_CONFIG\",\n \"Passkey provider requires SITE_URL env var (your frontend URL) \" +\n \"or explicit rpId / origin in the provider config. \" +\n \"CONVEX_SITE_URL cannot be used because WebAuthn RP ID must match the frontend domain.\",\n ),\n )\n : Fx.succeed(siteUrl),\n ),\n Fx.map((siteUrl) => {\n const siteHostname = siteUrl ? new URL(siteUrl).hostname : undefined;\n return {\n rpName: provider.options.rpName ?? siteHostname ?? \"localhost\",\n rpId: provider.options.rpId ?? siteHostname ?? \"localhost\",\n origin: provider.options.origin ?? siteUrl ?? \"http://localhost\",\n attestation: provider.options.attestation ?? \"none\",\n userVerification: provider.options.userVerification ?? \"required\",\n residentKey: provider.options.residentKey ?? \"preferred\",\n authenticatorAttachment: provider.options.authenticatorAttachment,\n algorithms: provider.options.algorithms ?? [\n coseAlgorithmES256,\n coseAlgorithmRS256,\n ],\n challengeExpirationMs:\n provider.options.challengeExpirationMs ?? 300_000,\n };\n }),\n );\n};\n\n// ============================================================================\n// Composable validators — small functions (A) => Fx<B, AuthError>\n// ============================================================================\n\n/** Verify client data type matches expected WebAuthn ceremony type. */\nconst verifyClientDataType =\n <T extends { type: ClientDataType }>(\n expectedType: ClientDataType,\n label: string,\n ) =>\n (clientData: T): FxType<T, AuthError> =>\n clientData.type === expectedType\n ? Fx.succeed(clientData)\n : Fx.fail(\n new AuthError(\n \"PASSKEY_INVALID_CLIENT_DATA\",\n `Invalid client data type: expected ${label}`,\n ),\n );\n\n/** Verify origin is in the allowed list. */\nconst verifyOrigin =\n (rp: RpOptions) =>\n <T extends { origin: string }>(clientData: T): FxType<T, AuthError> => {\n const allowed = Array.isArray(rp.origin) ? rp.origin : [rp.origin];\n return allowed.includes(clientData.origin)\n ? Fx.succeed(clientData)\n : Fx.fail(\n new AuthError(\n \"PASSKEY_INVALID_ORIGIN\",\n `Invalid origin: ${clientData.origin}, expected one of: ${allowed.join(\", \")}`,\n ),\n );\n };\n\n/** Verify the challenge hash matches the stored verifier, then delete verifier. */\nconst verifyAndConsumeChallenge =\n (ctx: EnrichedActionCtx, verifierValue: string) =>\n <T extends { challenge: Uint8Array }>(\n clientData: T,\n ): FxType<T, AuthError> => {\n const challengeHash = encodeBase64urlNoPadding(\n new Uint8Array(sha256(clientData.challenge)),\n );\n return Fx.from({\n ok: () => queryVerifierById(ctx, verifierValue),\n err: () => new AuthError(\"PASSKEY_INVALID_CHALLENGE\"),\n }).pipe(\n Fx.chain((doc) =>\n !doc || doc.signature !== challengeHash\n ? Fx.fail(new AuthError(\"PASSKEY_INVALID_CHALLENGE\"))\n : Fx.succeed(doc),\n ),\n Fx.chain(() =>\n Fx.from({\n ok: () => mutateVerifierDelete(ctx, verifierValue),\n err: () => new AuthError(\"PASSKEY_INVALID_CHALLENGE\"),\n }),\n ),\n Fx.map(() => clientData),\n );\n };\n\n/** Verify RP ID hash matches. */\nconst verifyRpId =\n (rpId: string) =>\n <T extends { verifyRelyingPartyIdHash: (id: string) => boolean }>(\n authData: T,\n ): FxType<T, AuthError> =>\n authData.verifyRelyingPartyIdHash(rpId)\n ? Fx.succeed(authData)\n : Fx.fail(new AuthError(\"PASSKEY_RP_MISMATCH\"));\n\n/** Verify user presence and (optionally) user verification flags. */\nconst verifyUserFlags =\n (rp: RpOptions) =>\n <T extends { userPresent: boolean; userVerified: boolean }>(\n authData: T,\n ): FxType<T, AuthError> =>\n !authData.userPresent\n ? Fx.fail(new AuthError(\"PASSKEY_USER_PRESENCE\"))\n : rp.userVerification === \"required\" && !authData.userVerified\n ? Fx.fail(new AuthError(\"PASSKEY_USER_VERIFICATION\"))\n : Fx.succeed(authData);\n\n// ============================================================================\n// Registration flow\n// ============================================================================\n\n// ============================================================================\n// Authentication flow\n// ============================================================================\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\n/** Result type for all passkey flows. */\ntype PasskeyResult =\n | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string };\n\nconst PASSKEY_FLOW = {\n registerOptions: \"registerOptions\",\n registerVerify: \"registerVerify\",\n authOptions: \"authOptions\",\n authVerify: \"authVerify\",\n} as const;\n\nconst PASSKEY_FLOWS = [\n PASSKEY_FLOW.registerOptions,\n PASSKEY_FLOW.registerVerify,\n PASSKEY_FLOW.authOptions,\n PASSKEY_FLOW.authVerify,\n] as const;\n\ntype PasskeyDispatch =\n | { flow: typeof PASSKEY_FLOW.registerOptions }\n | { flow: typeof PASSKEY_FLOW.registerVerify }\n | { flow: typeof PASSKEY_FLOW.authOptions }\n | { flow: typeof PASSKEY_FLOW.authVerify };\n\nconst resolvePasskeyDispatchFx = (\n params: Record<string, unknown>,\n): FxType<PasskeyDispatch, AuthError> => {\n const flow = params.flow;\n return typeof flow === \"string\" && PASSKEY_FLOWS.includes(flow as never)\n ? Fx.succeed({ flow: flow as (typeof PASSKEY_FLOWS)[number] })\n : Fx.fail(\n new AuthError(\n \"PASSKEY_MISSING_FLOW\",\n \"Missing `flow` parameter. Expected one of: registerOptions, registerVerify, authOptions, authVerify\",\n ),\n );\n};\n\nconst requirePasskeyVerifierFx = (\n verifier: string | undefined,\n): FxType<string, AuthError> =>\n verifier != null\n ? Fx.succeed(verifier)\n : Fx.fail(new AuthError(\"PASSKEY_MISSING_VERIFIER\"));\n\n/**\n * Main passkey handler dispatched from signIn.ts.\n *\n * Routes to the appropriate phase based on `params.flow` via `dispatchFx`.\n */\nexport function handlePasskeyFx(\n ctx: EnrichedActionCtx,\n provider: PasskeyProviderConfig,\n args: {\n params?: Record<string, any>;\n verifier?: string;\n },\n): FxType<PasskeyResult, AuthError> {\n const params = (args.params ?? {}) as Record<string, any>;\n\n return resolvePasskeyDispatchFx(params).pipe(\n Fx.chain((dispatch) => {\n const flowFx: FxType<PasskeyResult, AuthError> = Fx.match(dispatch).on(\n \"flow\",\n {\n registerOptions: (_) =>\n Fx.zip(\n Fx.from({\n ok: () => ctx.auth.getUserIdentity(),\n err: () => new AuthError(\"PASSKEY_AUTH_REQUIRED\"),\n }).pipe(\n Fx.chain((id) =>\n id === null\n ? Fx.fail(new AuthError(\"PASSKEY_AUTH_REQUIRED\"))\n : Fx.succeed(id.subject.split(\"|\")[0]!),\n ),\n ),\n resolveRpOptionsFx(provider),\n ).pipe(\n Fx.chain(([userId, rp]) => {\n const challenge = new Uint8Array(32);\n crypto.getRandomValues(challenge);\n const challengeHash = encodeBase64urlNoPadding(\n new Uint8Array(sha256(challenge)),\n );\n\n return Fx.from({\n ok: async () => {\n const verifier = await callVerifier(ctx);\n await callVerifierSignature(ctx, {\n verifier,\n signature: challengeHash,\n });\n\n const user = await queryUserById(ctx, userId);\n const userName = params.userName ?? user?.email ?? \"user\";\n const userDisplayName =\n params.userDisplayName ?? user?.name ?? userName;\n\n const existing = await queryPasskeysByUserId(ctx, userId);\n const excludeCredentials = existing.map((pk) => ({\n id: pk.credentialId,\n transports: pk.transports,\n }));\n\n const userHandle = encodeBase64urlNoPadding(\n new TextEncoder().encode(userId),\n );\n\n const options = {\n rp: { name: rp.rpName, id: rp.rpId },\n user: {\n id: userHandle,\n name: userName,\n displayName: userDisplayName,\n },\n challenge: encodeBase64urlNoPadding(challenge),\n pubKeyCredParams: rp.algorithms.map((alg) => ({\n type: \"public-key\" as const,\n alg,\n })),\n timeout: rp.challengeExpirationMs,\n attestation: rp.attestation,\n authenticatorSelection: {\n residentKey: rp.residentKey,\n requireResidentKey: rp.residentKey === \"required\",\n userVerification: rp.userVerification,\n ...(rp.authenticatorAttachment\n ? {\n authenticatorAttachment:\n rp.authenticatorAttachment,\n }\n : {}),\n },\n excludeCredentials,\n };\n\n return {\n kind: \"passkeyOptions\" as const,\n options,\n verifier,\n };\n },\n err: () => new AuthError(\"INTERNAL_ERROR\"),\n });\n }),\n ),\n registerVerify: (_) =>\n Fx.zip(\n Fx.from({\n ok: () => ctx.auth.getUserIdentity(),\n err: () => new AuthError(\"PASSKEY_AUTH_REQUIRED\"),\n }).pipe(\n Fx.chain((id) =>\n id === null\n ? Fx.fail(new AuthError(\"PASSKEY_AUTH_REQUIRED\"))\n : Fx.succeed(id.subject.split(\"|\")[0]!),\n ),\n ),\n resolveRpOptionsFx(provider),\n ).pipe(\n Fx.chain(([userId, rp]) =>\n requirePasskeyVerifierFx(args.verifier).pipe(\n Fx.chain((verifier) => {\n const clientDataJSON = decodeBase64urlIgnorePadding(\n params.clientDataJSON,\n );\n const clientData = parseClientDataJSON(clientDataJSON);\n\n const verifiedClientDataFx = Fx.succeed(clientData).pipe(\n Fx.chain(\n verifyClientDataType(\n ClientDataType.Create,\n \"webauthn.create\",\n ),\n ),\n Fx.chain(verifyOrigin(rp)),\n Fx.chain(verifyAndConsumeChallenge(ctx, verifier)),\n Fx.map(() => {\n const attestationObjectBytes =\n decodeBase64urlIgnorePadding(\n params.attestationObject,\n );\n const attestation = parseAttestationObject(\n attestationObjectBytes,\n );\n return attestation.authenticatorData;\n }),\n );\n\n return verifiedClientDataFx.pipe(\n Fx.chain(verifyRpId(rp.rpId)),\n Fx.chain(verifyUserFlags(rp)),\n Fx.chain((authData) => {\n if (authData.credential == null) {\n return Fx.fail(\n new AuthError(\"PASSKEY_NO_CREDENTIAL\"),\n );\n }\n return Fx.succeed({\n authData,\n credential: authData.credential,\n });\n }),\n Fx.chain(({ authData, credential }) => {\n const credentialId = encodeBase64urlNoPadding(\n credential.id,\n );\n const publicKey = credential.publicKey;\n\n let algorithm: number;\n if (publicKey.isAlgorithmDefined()) {\n algorithm = publicKey.algorithm();\n } else {\n const keyType = publicKey.type();\n algorithm =\n keyType === COSEKeyType.EC2\n ? coseAlgorithmES256\n : keyType === COSEKeyType.RSA\n ? coseAlgorithmRS256\n : coseAlgorithmES256;\n }\n\n const handlers: Record<\n number,\n (() => FxType<Uint8Array, AuthError>) | undefined\n > = {\n [coseAlgorithmES256]: () => {\n const ec2 = publicKey.ec2();\n const xBytes = new Uint8Array(32);\n let vx = ec2.x;\n for (let i = 31; i >= 0; i--) {\n xBytes[i] = Number(vx & 0xffn);\n vx >>= 8n;\n }\n const yBytes = new Uint8Array(32);\n let vy = ec2.y;\n for (let i = 31; i >= 0; i--) {\n yBytes[i] = Number(vy & 0xffn);\n vy >>= 8n;\n }\n const bytes = new Uint8Array(65);\n bytes[0] = 0x04;\n bytes.set(xBytes, 1);\n bytes.set(yBytes, 33);\n return Fx.succeed(bytes);\n },\n [coseAlgorithmRS256]: () => {\n const rsa = publicKey.rsa();\n const rsaPubKey = new RSAPublicKey(rsa.n, rsa.e);\n return Fx.succeed(rsaPubKey.encodePKCS1());\n },\n };\n\n const handler = handlers[algorithm];\n return (\n handler\n ? handler()\n : Fx.fail(\n new AuthError(\n \"PASSKEY_UNSUPPORTED_ALGORITHM\",\n `Unsupported algorithm: ${algorithm}`,\n ),\n )\n ).pipe(\n Fx.chain((publicKeyBytes) =>\n Fx.from({\n ok: async () => {\n const deviceType =\n params.deviceType ?? \"single-device\";\n const backedUp = params.backedUp ?? false;\n\n const db = authDb(ctx, ctx.auth.config);\n await db.accounts.create({\n userId,\n provider: provider.id,\n providerAccountId: credentialId,\n });\n\n await mutatePasskeyInsert(ctx, {\n userId,\n credentialId,\n publicKey: publicKeyBytes.buffer.slice(\n publicKeyBytes.byteOffset,\n publicKeyBytes.byteOffset +\n publicKeyBytes.byteLength,\n ),\n algorithm,\n counter: authData.signatureCounter,\n transports: params.transports,\n deviceType,\n backedUp,\n name: params.passkeyName,\n createdAt: Date.now(),\n });\n\n const signInResult = await callSignIn(ctx, {\n userId,\n generateTokens: true,\n });\n\n return {\n kind: \"signedIn\" as const,\n signedIn: signInResult,\n };\n },\n err: () => new AuthError(\"INTERNAL_ERROR\"),\n }),\n ),\n );\n }),\n );\n }),\n ),\n ),\n ),\n authOptions: (_) =>\n resolveRpOptionsFx(provider).pipe(\n Fx.chain((rp) => {\n const challenge = new Uint8Array(32);\n crypto.getRandomValues(challenge);\n const challengeHash = encodeBase64urlNoPadding(\n new Uint8Array(sha256(challenge)),\n );\n\n return Fx.from({\n ok: async () => {\n const verifier = await callVerifier(ctx);\n await callVerifierSignature(ctx, {\n verifier,\n signature: challengeHash,\n });\n\n let allowCredentials:\n | Array<{\n type: string;\n id: string;\n transports?: string[];\n }>\n | undefined;\n if (params.email) {\n const user = await queryUserByVerifiedEmail(\n ctx,\n params.email,\n );\n if (user) {\n const passkeys = await queryPasskeysByUserId(\n ctx,\n user._id,\n );\n if (passkeys.length > 0) {\n allowCredentials = passkeys.map((pk) => ({\n type: \"public-key\",\n id: pk.credentialId,\n transports: pk.transports,\n }));\n }\n }\n }\n\n const options: Record<string, any> = {\n challenge: encodeBase64urlNoPadding(challenge),\n timeout: rp.challengeExpirationMs,\n rpId: rp.rpId,\n userVerification: rp.userVerification,\n };\n\n if (allowCredentials) {\n options.allowCredentials = allowCredentials;\n }\n\n return {\n kind: \"passkeyOptions\" as const,\n options,\n verifier,\n };\n },\n err: () => new AuthError(\"INTERNAL_ERROR\"),\n });\n }),\n ),\n authVerify: (_) =>\n Fx.zip(\n resolveRpOptionsFx(provider),\n requirePasskeyVerifierFx(args.verifier),\n ).pipe(\n Fx.chain(([rp, verifier]) => {\n const clientDataJSON = decodeBase64urlIgnorePadding(\n params.clientDataJSON,\n );\n const clientData = parseClientDataJSON(clientDataJSON);\n\n const verifiedClientDataFx = Fx.succeed(clientData).pipe(\n Fx.chain(\n verifyClientDataType(ClientDataType.Get, \"webauthn.get\"),\n ),\n Fx.chain(verifyOrigin(rp)),\n Fx.chain(verifyAndConsumeChallenge(ctx, verifier)),\n Fx.chain(() =>\n params.credentialId != null\n ? Fx.succeed(params.credentialId as string)\n : Fx.fail(\n new AuthError(\n \"PASSKEY_UNKNOWN_CREDENTIAL\",\n \"Missing credential ID\",\n ),\n ),\n ),\n );\n\n return verifiedClientDataFx.pipe(\n Fx.chain((credentialId) =>\n Fx.from({\n ok: () => queryPasskeyByCredentialId(ctx, credentialId),\n err: () => new AuthError(\"PASSKEY_UNKNOWN_CREDENTIAL\"),\n }).pipe(\n Fx.chain((passkey) =>\n passkey\n ? Fx.succeed(passkey)\n : Fx.fail(\n new AuthError(\n \"PASSKEY_UNKNOWN_CREDENTIAL\",\n \"Unknown credential\",\n ),\n ),\n ),\n ),\n ),\n Fx.chain((passkey) => {\n const authenticatorDataBytes = decodeBase64urlIgnorePadding(\n params.authenticatorData,\n );\n const authenticatorData = parseAuthenticatorData(\n authenticatorDataBytes,\n );\n\n const signature = decodeBase64urlIgnorePadding(\n params.signature,\n );\n const signatureMessage = createAssertionSignatureMessage(\n authenticatorDataBytes,\n clientDataJSON,\n );\n const messageHash = sha256(signatureMessage);\n\n const checkedAuthenticatorFx = Fx.succeed(\n authenticatorData,\n ).pipe(\n Fx.chain(verifyRpId(rp.rpId)),\n Fx.chain(verifyUserFlags(rp)),\n );\n\n const signatureVerifiedFx = checkedAuthenticatorFx.pipe(\n Fx.chain(() => {\n const storedPublicKeyBytes = new Uint8Array(\n passkey.publicKey,\n );\n const algorithmHandlers: Record<\n number,\n (() => FxType<void, AuthError>) | undefined\n > = {\n [coseAlgorithmES256]: () => {\n const ecPublicKey = decodeSEC1PublicKey(\n p256,\n storedPublicKeyBytes,\n );\n const ecdsaSignature =\n decodePKIXECDSASignature(signature);\n const valid = verifyECDSASignature(\n ecPublicKey,\n messageHash,\n ecdsaSignature,\n );\n return valid\n ? Fx.succeed(undefined as void)\n : Fx.fail(\n new AuthError(\"PASSKEY_INVALID_SIGNATURE\"),\n );\n },\n [coseAlgorithmRS256]: () => {\n const rsaPublicKey =\n decodePKCS1RSAPublicKey(storedPublicKeyBytes);\n const valid = verifyRSASSAPKCS1v15Signature(\n rsaPublicKey,\n sha256ObjectIdentifier,\n messageHash,\n signature,\n );\n return valid\n ? Fx.succeed(undefined as void)\n : Fx.fail(\n new AuthError(\"PASSKEY_INVALID_SIGNATURE\"),\n );\n },\n };\n\n const handler = algorithmHandlers[passkey.algorithm];\n return handler\n ? handler()\n : Fx.fail(\n new AuthError(\n \"PASSKEY_UNSUPPORTED_ALGORITHM\",\n `Unsupported algorithm: ${passkey.algorithm}`,\n ),\n );\n }),\n );\n\n const counterValidatedFx = signatureVerifiedFx.pipe(\n Fx.chain(() =>\n passkey.counter !== 0 &&\n authenticatorData.signatureCounter !== 0 &&\n authenticatorData.signatureCounter <= passkey.counter\n ? Fx.fail(new AuthError(\"PASSKEY_COUNTER_ERROR\"))\n : Fx.succeed(authenticatorData),\n ),\n );\n\n return counterValidatedFx.pipe(\n Fx.chain(() =>\n Fx.from({\n ok: async () => {\n await mutatePasskeyUpdateCounter(\n ctx,\n passkey._id,\n authenticatorData.signatureCounter,\n Date.now(),\n );\n\n const signInResult = await callSignIn(ctx, {\n userId: passkey.userId,\n generateTokens: true,\n });\n\n return {\n kind: \"signedIn\" as const,\n signedIn: signInResult,\n };\n },\n err: () => new AuthError(\"INTERNAL_ERROR\"),\n }),\n ),\n );\n }),\n );\n }),\n ),\n },\n );\n return flowFx;\n }),\n );\n}\n\n// Keep backward-compatible export name — callers can migrate to handlePasskeyFx\nexport { handlePasskeyFx as handlePasskey };\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyFA,MAAM,sBACJ,aACiC;CACjC,MAAM,UAAU,QAAQ,IAAI;CAC5B,MAAM,aAAa,YAAY,UAAa,YAAY;CACxD,MAAM,UAAU,SAAS,QAAQ,SAAS;AAE1C,QAAO,GAAG,QAAQ;EAAE;EAAS;EAAY;EAAS,CAAC,CAAC,KAClD,GAAG,OAAO,EAAE,oBAAS,0BAAY,yBAC/B,CAACA,gBAAc,CAACC,YACZ,GAAG,KACD,IAAI,UACF,0BACA,yMAGD,CACF,GACD,GAAG,QAAQC,UAAQ,CACxB,EACD,GAAG,KAAK,cAAY;EAClB,MAAM,eAAeA,YAAU,IAAI,IAAIA,UAAQ,CAAC,WAAW;AAC3D,SAAO;GACL,QAAQ,SAAS,QAAQ,UAAU,gBAAgB;GACnD,MAAM,SAAS,QAAQ,QAAQ,gBAAgB;GAC/C,QAAQ,SAAS,QAAQ,UAAUA,aAAW;GAC9C,aAAa,SAAS,QAAQ,eAAe;GAC7C,kBAAkB,SAAS,QAAQ,oBAAoB;GACvD,aAAa,SAAS,QAAQ,eAAe;GAC7C,yBAAyB,SAAS,QAAQ;GAC1C,YAAY,SAAS,QAAQ,cAAc,CACzC,oBACA,mBACD;GACD,uBACE,SAAS,QAAQ,yBAAyB;GAC7C;GACD,CACH;;;AAQH,MAAM,wBAEF,cACA,WAED,eACC,WAAW,SAAS,eAChB,GAAG,QAAQ,WAAW,GACtB,GAAG,KACD,IAAI,UACF,+BACA,sCAAsC,QACvC,CACF;;AAGT,MAAM,gBACH,QAC8B,eAAwC;CACrE,MAAM,UAAU,MAAM,QAAQ,GAAG,OAAO,GAAG,GAAG,SAAS,CAAC,GAAG,OAAO;AAClE,QAAO,QAAQ,SAAS,WAAW,OAAO,GACtC,GAAG,QAAQ,WAAW,GACtB,GAAG,KACD,IAAI,UACF,0BACA,mBAAmB,WAAW,OAAO,qBAAqB,QAAQ,KAAK,KAAK,GAC7E,CACF;;;AAIT,MAAM,6BACH,KAAwB,mBAEvB,eACyB;CACzB,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,WAAW,UAAU,CAAC,CAC7C;AACD,QAAO,GAAG,KAAK;EACb,UAAU,kBAAkB,KAAK,cAAc;EAC/C,WAAW,IAAI,UAAU,4BAA4B;EACtD,CAAC,CAAC,KACD,GAAG,OAAO,QACR,CAAC,OAAO,IAAI,cAAc,gBACtB,GAAG,KAAK,IAAI,UAAU,4BAA4B,CAAC,GACnD,GAAG,QAAQ,IAAI,CACpB,EACD,GAAG,YACD,GAAG,KAAK;EACN,UAAU,qBAAqB,KAAK,cAAc;EAClD,WAAW,IAAI,UAAU,4BAA4B;EACtD,CAAC,CACH,EACD,GAAG,UAAU,WAAW,CACzB;;;AAIL,MAAM,cACH,UAEC,aAEA,SAAS,yBAAyB,KAAK,GACnC,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC;;AAGrD,MAAM,mBACH,QAEC,aAEA,CAAC,SAAS,cACN,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,qBAAqB,cAAc,CAAC,SAAS,eAC9C,GAAG,KAAK,IAAI,UAAU,4BAA4B,CAAC,GACnD,GAAG,QAAQ,SAAS;AAmB9B,MAAM,eAAe;CACnB,iBAAiB;CACjB,gBAAgB;CAChB,aAAa;CACb,YAAY;CACb;AAED,MAAM,gBAAgB;CACpB,aAAa;CACb,aAAa;CACb,aAAa;CACb,aAAa;CACd;AAQD,MAAM,4BACJ,WACuC;CACvC,MAAM,OAAO,OAAO;AACpB,QAAO,OAAO,SAAS,YAAY,cAAc,SAAS,KAAc,GACpE,GAAG,QAAQ,EAAQ,MAAwC,CAAC,GAC5D,GAAG,KACD,IAAI,UACF,wBACA,sGACD,CACF;;AAGP,MAAM,4BACJ,aAEA,YAAY,OACR,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK,IAAI,UAAU,2BAA2B,CAAC;;;;;;AAOxD,SAAgB,gBACd,KACA,UACA,MAIkC;CAClC,MAAM,SAAU,KAAK,UAAU,EAAE;AAEjC,QAAO,yBAAyB,OAAO,CAAC,KACtC,GAAG,OAAO,aAAa;AAwerB,SAveiD,GAAG,MAAM,SAAS,CAAC,GAClE,QACA;GACE,kBAAkB,MAChB,GAAG,IACD,GAAG,KAAK;IACN,UAAU,IAAI,KAAK,iBAAiB;IACpC,WAAW,IAAI,UAAU,wBAAwB;IAClD,CAAC,CAAC,KACD,GAAG,OAAO,OACR,OAAO,OACH,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,QAAQ,GAAG,QAAQ,MAAM,IAAI,CAAC,GAAI,CAC1C,CACF,EACD,mBAAmB,SAAS,CAC7B,CAAC,KACA,GAAG,OAAO,CAAC,QAAQ,QAAQ;IACzB,MAAM,YAAY,IAAI,WAAW,GAAG;AACpC,WAAO,gBAAgB,UAAU;IACjC,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,UAAU,CAAC,CAClC;AAED,WAAO,GAAG,KAAK;KACb,IAAI,YAAY;MACd,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,YAAM,sBAAsB,KAAK;OAC/B;OACA,WAAW;OACZ,CAAC;MAEF,MAAM,OAAO,MAAM,cAAc,KAAK,OAAO;MAC7C,MAAM,WAAW,OAAO,YAAY,MAAM,SAAS;MACnD,MAAM,kBACJ,OAAO,mBAAmB,MAAM,QAAQ;MAG1C,MAAM,sBADW,MAAM,sBAAsB,KAAK,OAAO,EACrB,KAAK,QAAQ;OAC/C,IAAI,GAAG;OACP,YAAY,GAAG;OAChB,EAAE;MAEH,MAAM,aAAa,yBACjB,IAAI,aAAa,CAAC,OAAO,OAAO,CACjC;AA8BD,aAAO;OACL,MAAM;OACN,SA9Bc;QACd,IAAI;SAAE,MAAM,GAAG;SAAQ,IAAI,GAAG;SAAM;QACpC,MAAM;SACJ,IAAI;SACJ,MAAM;SACN,aAAa;SACd;QACD,WAAW,yBAAyB,UAAU;QAC9C,kBAAkB,GAAG,WAAW,KAAK,SAAS;SAC5C,MAAM;SACN;SACD,EAAE;QACH,SAAS,GAAG;QACZ,aAAa,GAAG;QAChB,wBAAwB;SACtB,aAAa,GAAG;SAChB,oBAAoB,GAAG,gBAAgB;SACvC,kBAAkB,GAAG;SACrB,GAAI,GAAG,0BACH,EACE,yBACE,GAAG,yBACN,GACD,EAAE;SACP;QACD;QACD;OAKC;OACD;;KAEH,WAAW,IAAI,UAAU,iBAAiB;KAC3C,CAAC;KACF,CACH;GACH,iBAAiB,MACf,GAAG,IACD,GAAG,KAAK;IACN,UAAU,IAAI,KAAK,iBAAiB;IACpC,WAAW,IAAI,UAAU,wBAAwB;IAClD,CAAC,CAAC,KACD,GAAG,OAAO,OACR,OAAO,OACH,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,QAAQ,GAAG,QAAQ,MAAM,IAAI,CAAC,GAAI,CAC1C,CACF,EACD,mBAAmB,SAAS,CAC7B,CAAC,KACA,GAAG,OAAO,CAAC,QAAQ,QACjB,yBAAyB,KAAK,SAAS,CAAC,KACtC,GAAG,OAAO,aAAa;IAIrB,MAAM,aAAa,oBAHI,6BACrB,OAAO,eACR,CACqD;AAuBtD,WArB6B,GAAG,QAAQ,WAAW,CAAC,KAClD,GAAG,MACD,qBACE,eAAe,QACf,kBACD,CACF,EACD,GAAG,MAAM,aAAa,GAAG,CAAC,EAC1B,GAAG,MAAM,0BAA0B,KAAK,SAAS,CAAC,EAClD,GAAG,UAAU;AAQX,YAHoB,uBAHlB,6BACE,OAAO,kBACR,CAGF,CACkB;MACnB,CACH,CAE2B,KAC1B,GAAG,MAAM,WAAW,GAAG,KAAK,CAAC,EAC7B,GAAG,MAAM,gBAAgB,GAAG,CAAC,EAC7B,GAAG,OAAO,aAAa;AACrB,SAAI,SAAS,cAAc,KACzB,QAAO,GAAG,KACR,IAAI,UAAU,wBAAwB,CACvC;AAEH,YAAO,GAAG,QAAQ;MAChB;MACA,YAAY,SAAS;MACtB,CAAC;MACF,EACF,GAAG,OAAO,EAAE,UAAU,iBAAiB;KACrC,MAAM,eAAe,yBACnB,WAAW,GACZ;KACD,MAAM,YAAY,WAAW;KAE7B,IAAI;AACJ,SAAI,UAAU,oBAAoB,CAChC,aAAY,UAAU,WAAW;UAC5B;MACL,MAAM,UAAU,UAAU,MAAM;AAChC,kBACE,YAAY,YAAY,MACpB,qBACA,YAAY,YAAY,MACtB,qBACA;;KAkCV,MAAM,UA5BF;OACD,2BAA2B;OAC1B,MAAM,MAAM,UAAU,KAAK;OAC3B,MAAM,SAAS,IAAI,WAAW,GAAG;OACjC,IAAI,KAAK,IAAI;AACb,YAAK,IAAI,IAAI,IAAI,KAAK,GAAG,KAAK;AAC5B,eAAO,KAAK,OAAO,KAAK,KAAM;AAC9B,eAAO;;OAET,MAAM,SAAS,IAAI,WAAW,GAAG;OACjC,IAAI,KAAK,IAAI;AACb,YAAK,IAAI,IAAI,IAAI,KAAK,GAAG,KAAK;AAC5B,eAAO,KAAK,OAAO,KAAK,KAAM;AAC9B,eAAO;;OAET,MAAM,QAAQ,IAAI,WAAW,GAAG;AAChC,aAAM,KAAK;AACX,aAAM,IAAI,QAAQ,EAAE;AACpB,aAAM,IAAI,QAAQ,GAAG;AACrB,cAAO,GAAG,QAAQ,MAAM;;OAEzB,2BAA2B;OAC1B,MAAM,MAAM,UAAU,KAAK;OAC3B,MAAM,YAAY,IAAI,aAAa,IAAI,GAAG,IAAI,EAAE;AAChD,cAAO,GAAG,QAAQ,UAAU,aAAa,CAAC;;MAE7C,CAEwB;AACzB,aACE,UACI,SAAS,GACT,GAAG,KACD,IAAI,UACF,iCACA,0BAA0B,YAC3B,CACF,EACL,KACA,GAAG,OAAO,mBACR,GAAG,KAAK;MACN,IAAI,YAAY;OACd,MAAM,aACJ,OAAO,cAAc;OACvB,MAAM,WAAW,OAAO,YAAY;AAGpC,aADW,OAAO,KAAK,IAAI,KAAK,OAAO,CAC9B,SAAS,OAAO;QACvB;QACA,UAAU,SAAS;QACnB,mBAAmB;QACpB,CAAC;AAEF,aAAM,oBAAoB,KAAK;QAC7B;QACA;QACA,WAAW,eAAe,OAAO,MAC/B,eAAe,YACf,eAAe,aACb,eAAe,WAClB;QACD;QACA,SAAS,SAAS;QAClB,YAAY,OAAO;QACnB;QACA;QACA,MAAM,OAAO;QACb,WAAW,KAAK,KAAK;QACtB,CAAC;AAOF,cAAO;QACL,MAAM;QACN,UAPmB,MAAM,WAAW,KAAK;SACzC;SACA,gBAAgB;SACjB,CAAC;QAKD;;MAEH,WAAW,IAAI,UAAU,iBAAiB;MAC3C,CAAC,CACH,CACF;MACD,CACH;KACD,CACH,CACF,CACF;GACH,cAAc,MACZ,mBAAmB,SAAS,CAAC,KAC3B,GAAG,OAAO,OAAO;IACf,MAAM,YAAY,IAAI,WAAW,GAAG;AACpC,WAAO,gBAAgB,UAAU;IACjC,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,UAAU,CAAC,CAClC;AAED,WAAO,GAAG,KAAK;KACb,IAAI,YAAY;MACd,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,YAAM,sBAAsB,KAAK;OAC/B;OACA,WAAW;OACZ,CAAC;MAEF,IAAI;AAOJ,UAAI,OAAO,OAAO;OAChB,MAAM,OAAO,MAAM,yBACjB,KACA,OAAO,MACR;AACD,WAAI,MAAM;QACR,MAAM,WAAW,MAAM,sBACrB,KACA,KAAK,IACN;AACD,YAAI,SAAS,SAAS,EACpB,oBAAmB,SAAS,KAAK,QAAQ;SACvC,MAAM;SACN,IAAI,GAAG;SACP,YAAY,GAAG;SAChB,EAAE;;;MAKT,MAAM,UAA+B;OACnC,WAAW,yBAAyB,UAAU;OAC9C,SAAS,GAAG;OACZ,MAAM,GAAG;OACT,kBAAkB,GAAG;OACtB;AAED,UAAI,iBACF,SAAQ,mBAAmB;AAG7B,aAAO;OACL,MAAM;OACN;OACA;OACD;;KAEH,WAAW,IAAI,UAAU,iBAAiB;KAC3C,CAAC;KACF,CACH;GACH,aAAa,MACX,GAAG,IACD,mBAAmB,SAAS,EAC5B,yBAAyB,KAAK,SAAS,CACxC,CAAC,KACA,GAAG,OAAO,CAAC,IAAI,cAAc;IAC3B,MAAM,iBAAiB,6BACrB,OAAO,eACR;IACD,MAAM,aAAa,oBAAoB,eAAe;AAoBtD,WAlB6B,GAAG,QAAQ,WAAW,CAAC,KAClD,GAAG,MACD,qBAAqB,eAAe,KAAK,eAAe,CACzD,EACD,GAAG,MAAM,aAAa,GAAG,CAAC,EAC1B,GAAG,MAAM,0BAA0B,KAAK,SAAS,CAAC,EAClD,GAAG,YACD,OAAO,gBAAgB,OACnB,GAAG,QAAQ,OAAO,aAAuB,GACzC,GAAG,KACD,IAAI,UACF,8BACA,wBACD,CACF,CACN,CACF,CAE2B,KAC1B,GAAG,OAAO,iBACR,GAAG,KAAK;KACN,UAAU,2BAA2B,KAAK,aAAa;KACvD,WAAW,IAAI,UAAU,6BAA6B;KACvD,CAAC,CAAC,KACD,GAAG,OAAO,YACR,UACI,GAAG,QAAQ,QAAQ,GACnB,GAAG,KACD,IAAI,UACF,8BACA,qBACD,CACF,CACN,CACF,CACF,EACD,GAAG,OAAO,YAAY;KACpB,MAAM,yBAAyB,6BAC7B,OAAO,kBACR;KACD,MAAM,oBAAoB,uBACxB,uBACD;KAED,MAAM,YAAY,6BAChB,OAAO,UACR;KAKD,MAAM,cAAc,OAJK,gCACvB,wBACA,eACD,CAC2C;AA2E5C,YAzE+B,GAAG,QAChC,kBACD,CAAC,KACA,GAAG,MAAM,WAAW,GAAG,KAAK,CAAC,EAC7B,GAAG,MAAM,gBAAgB,GAAG,CAAC,CAC9B,CAEkD,KACjD,GAAG,YAAY;MACb,MAAM,uBAAuB,IAAI,WAC/B,QAAQ,UACT;MAwCD,MAAM,UApCF;QACD,2BAA2B;AAY1B,eALc,qBANM,oBAClB,MACA,qBACD,EAKC,aAHA,yBAAyB,UAAU,CAKpC,GAEG,GAAG,QAAQ,OAAkB,GAC7B,GAAG,KACD,IAAI,UAAU,4BAA4B,CAC3C;;QAEN,2BAA2B;AAS1B,eANc,8BADZ,wBAAwB,qBAAqB,EAG7C,wBACA,aACA,UACD,GAEG,GAAG,QAAQ,OAAkB,GAC7B,GAAG,KACD,IAAI,UAAU,4BAA4B,CAC3C;;OAER,CAEiC,QAAQ;AAC1C,aAAO,UACH,SAAS,GACT,GAAG,KACD,IAAI,UACF,iCACA,0BAA0B,QAAQ,YACnC,CACF;OACL,CACH,CAE8C,KAC7C,GAAG,YACD,QAAQ,YAAY,KACpB,kBAAkB,qBAAqB,KACvC,kBAAkB,oBAAoB,QAAQ,UAC1C,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,QAAQ,kBAAkB,CAClC,CACF,CAEyB,KACxB,GAAG,YACD,GAAG,KAAK;MACN,IAAI,YAAY;AACd,aAAM,2BACJ,KACA,QAAQ,KACR,kBAAkB,kBAClB,KAAK,KAAK,CACX;AAOD,cAAO;QACL,MAAM;QACN,UAPmB,MAAM,WAAW,KAAK;SACzC,QAAQ,QAAQ;SAChB,gBAAgB;SACjB,CAAC;QAKD;;MAEH,WAAW,IAAI,UAAU,iBAAiB;MAC3C,CAAC,CACH,CACF;MACD,CACH;KACD,CACH;GACJ,CACF;GAED,CACH"}
1
+ {"version":3,"file":"passkey.js","names":["hasSiteUrl","hasRpId","siteUrl"],"sources":["../../src/server/passkey.ts"],"sourcesContent":["/**\n * Server-side WebAuthn ceremony logic for passkey authentication.\n *\n * Handles the four phases of the WebAuthn flow:\n * 1. registerOptions — generate PublicKeyCredentialCreationOptions\n * 2. registerVerify — verify attestation and store credential\n * 3. authOptions — generate PublicKeyCredentialRequestOptions\n * 4. authVerify — verify assertion signature and sign in\n *\n * Uses `@oslojs/webauthn` for attestation/assertion parsing and\n * `@oslojs/crypto` for signature verification.\n *\n * All functions return `Fx<A, AuthError>` composed via `Fx.chain` pipelines.\n *\n * @module\n */\n\nimport {\n p256,\n verifyECDSASignature,\n decodeSEC1PublicKey,\n decodePKIXECDSASignature,\n} from \"@oslojs/crypto/ecdsa\";\nimport {\n RSAPublicKey,\n decodePKCS1RSAPublicKey,\n sha256ObjectIdentifier,\n verifyRSASSAPKCS1v15Signature,\n} from \"@oslojs/crypto/rsa\";\nimport { sha256 } from \"@oslojs/crypto/sha2\";\nimport {\n encodeBase64urlNoPadding,\n decodeBase64urlIgnorePadding,\n} from \"@oslojs/encoding\";\nimport {\n parseAttestationObject,\n parseClientDataJSON,\n parseAuthenticatorData,\n createAssertionSignatureMessage,\n ClientDataType,\n coseAlgorithmES256,\n coseAlgorithmRS256,\n COSEKeyType,\n} from \"@oslojs/webauthn\";\nimport type { Fx as FxType } from \"@robelest/fx\";\n\nimport { authDb } from \"./db\";\nimport { AuthError, Fx } from \"./fx\";\nimport { userIdFromIdentitySubject } from \"./identity\";\nimport { callSignIn, callVerifier } from \"./mutations/index\";\nimport { callVerifierSignature } from \"./mutations/signature\";\nimport { PasskeyProviderConfig, GenericActionCtxWithAuthConfig } from \"./types\";\nimport {\n AuthDataModel,\n SessionInfo,\n queryUserById,\n queryUserByVerifiedEmail,\n queryPasskeysByUserId,\n queryPasskeyByCredentialId,\n queryVerifierById,\n mutatePasskeyInsert,\n mutatePasskeyUpdateCounter,\n mutateVerifierDelete,\n} from \"./types\";\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n// ============================================================================\n// Resolve RP options — Fx pipeline with validation\n// ============================================================================\n\n/** Resolved relying party configuration. */\ninterface RpOptions {\n rpName: string;\n rpId: string;\n origin: string | string[];\n attestation: string;\n userVerification: string;\n residentKey: string;\n authenticatorAttachment?: string;\n algorithms: number[];\n challengeExpirationMs: number;\n}\n\n/**\n * Resolve passkey relying party options from provider config and environment.\n *\n * Returns `Fx<RpOptions, AuthError>` — fails if neither SITE_URL nor rpId\n * is configured.\n */\nconst resolveRpOptionsFx = (\n provider: PasskeyProviderConfig,\n): FxType<RpOptions, AuthError> => {\n const siteUrl = process.env.SITE_URL;\n const hasSiteUrl = siteUrl !== undefined && siteUrl !== \"\";\n const hasRpId = provider.options.rpId !== undefined;\n\n return Fx.succeed({ siteUrl, hasSiteUrl, hasRpId }).pipe(\n Fx.chain(({ siteUrl, hasSiteUrl, hasRpId }) =>\n !hasSiteUrl && !hasRpId\n ? Fx.fail(\n new AuthError(\n \"PASSKEY_MISSING_CONFIG\",\n \"Passkey provider requires SITE_URL env var (your frontend URL) \" +\n \"or explicit rpId / origin in the provider config. \" +\n \"CONVEX_SITE_URL cannot be used because WebAuthn RP ID must match the frontend domain.\",\n ),\n )\n : Fx.succeed(siteUrl),\n ),\n Fx.map((siteUrl) => {\n const siteHostname = siteUrl ? new URL(siteUrl).hostname : undefined;\n return {\n rpName: provider.options.rpName ?? siteHostname ?? \"localhost\",\n rpId: provider.options.rpId ?? siteHostname ?? \"localhost\",\n origin: provider.options.origin ?? siteUrl ?? \"http://localhost\",\n attestation: provider.options.attestation ?? \"none\",\n userVerification: provider.options.userVerification ?? \"required\",\n residentKey: provider.options.residentKey ?? \"preferred\",\n authenticatorAttachment: provider.options.authenticatorAttachment,\n algorithms: provider.options.algorithms ?? [\n coseAlgorithmES256,\n coseAlgorithmRS256,\n ],\n challengeExpirationMs:\n provider.options.challengeExpirationMs ?? 300_000,\n };\n }),\n );\n};\n\n// ============================================================================\n// Composable validators — small functions (A) => Fx<B, AuthError>\n// ============================================================================\n\n/** Verify client data type matches expected WebAuthn ceremony type. */\nconst verifyClientDataType =\n <T extends { type: ClientDataType }>(\n expectedType: ClientDataType,\n label: string,\n ) =>\n (clientData: T): FxType<T, AuthError> =>\n clientData.type === expectedType\n ? Fx.succeed(clientData)\n : Fx.fail(\n new AuthError(\n \"PASSKEY_INVALID_CLIENT_DATA\",\n `Invalid client data type: expected ${label}`,\n ),\n );\n\n/** Verify origin is in the allowed list. */\nconst verifyOrigin =\n (rp: RpOptions) =>\n <T extends { origin: string }>(clientData: T): FxType<T, AuthError> => {\n const allowed = Array.isArray(rp.origin) ? rp.origin : [rp.origin];\n return allowed.includes(clientData.origin)\n ? Fx.succeed(clientData)\n : Fx.fail(\n new AuthError(\n \"PASSKEY_INVALID_ORIGIN\",\n `Invalid origin: ${clientData.origin}, expected one of: ${allowed.join(\", \")}`,\n ),\n );\n };\n\n/** Verify the challenge hash matches the stored verifier, then delete verifier. */\nconst verifyAndConsumeChallenge =\n (ctx: EnrichedActionCtx, verifierValue: string) =>\n <T extends { challenge: Uint8Array }>(\n clientData: T,\n ): FxType<T, AuthError> => {\n const challengeHash = encodeBase64urlNoPadding(\n new Uint8Array(sha256(clientData.challenge)),\n );\n return Fx.from({\n ok: () => queryVerifierById(ctx, verifierValue),\n err: () => new AuthError(\"PASSKEY_INVALID_CHALLENGE\"),\n }).pipe(\n Fx.chain((doc) =>\n !doc || doc.signature !== challengeHash\n ? Fx.fail(new AuthError(\"PASSKEY_INVALID_CHALLENGE\"))\n : Fx.succeed(doc),\n ),\n Fx.chain(() =>\n Fx.from({\n ok: () => mutateVerifierDelete(ctx, verifierValue),\n err: () => new AuthError(\"PASSKEY_INVALID_CHALLENGE\"),\n }),\n ),\n Fx.map(() => clientData),\n );\n };\n\n/** Verify RP ID hash matches. */\nconst verifyRpId =\n (rpId: string) =>\n <T extends { verifyRelyingPartyIdHash: (id: string) => boolean }>(\n authData: T,\n ): FxType<T, AuthError> =>\n authData.verifyRelyingPartyIdHash(rpId)\n ? Fx.succeed(authData)\n : Fx.fail(new AuthError(\"PASSKEY_RP_MISMATCH\"));\n\n/** Verify user presence and (optionally) user verification flags. */\nconst verifyUserFlags =\n (rp: RpOptions) =>\n <T extends { userPresent: boolean; userVerified: boolean }>(\n authData: T,\n ): FxType<T, AuthError> =>\n !authData.userPresent\n ? Fx.fail(new AuthError(\"PASSKEY_USER_PRESENCE\"))\n : rp.userVerification === \"required\" && !authData.userVerified\n ? Fx.fail(new AuthError(\"PASSKEY_USER_VERIFICATION\"))\n : Fx.succeed(authData);\n\n// ============================================================================\n// Registration flow\n// ============================================================================\n\n// ============================================================================\n// Authentication flow\n// ============================================================================\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\n/** Result type for all passkey flows. */\ntype PasskeyResult =\n | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string };\n\nconst PASSKEY_FLOW = {\n registerOptions: \"registerOptions\",\n registerVerify: \"registerVerify\",\n authOptions: \"authOptions\",\n authVerify: \"authVerify\",\n} as const;\n\nconst PASSKEY_FLOWS = [\n PASSKEY_FLOW.registerOptions,\n PASSKEY_FLOW.registerVerify,\n PASSKEY_FLOW.authOptions,\n PASSKEY_FLOW.authVerify,\n] as const;\n\ntype PasskeyDispatch =\n | { flow: typeof PASSKEY_FLOW.registerOptions }\n | { flow: typeof PASSKEY_FLOW.registerVerify }\n | { flow: typeof PASSKEY_FLOW.authOptions }\n | { flow: typeof PASSKEY_FLOW.authVerify };\n\nconst resolvePasskeyDispatchFx = (\n params: Record<string, unknown>,\n): FxType<PasskeyDispatch, AuthError> => {\n const flow = params.flow;\n return typeof flow === \"string\" && PASSKEY_FLOWS.includes(flow as never)\n ? Fx.succeed({ flow: flow as (typeof PASSKEY_FLOWS)[number] })\n : Fx.fail(\n new AuthError(\n \"PASSKEY_MISSING_FLOW\",\n \"Missing `flow` parameter. Expected one of: registerOptions, registerVerify, authOptions, authVerify\",\n ),\n );\n};\n\nconst requirePasskeyVerifierFx = (\n verifier: string | undefined,\n): FxType<string, AuthError> =>\n verifier != null\n ? Fx.succeed(verifier)\n : Fx.fail(new AuthError(\"PASSKEY_MISSING_VERIFIER\"));\n\n/**\n * Main passkey handler dispatched from signIn.ts.\n *\n * Routes to the appropriate phase based on `params.flow` via `dispatchFx`.\n */\nexport function handlePasskeyFx(\n ctx: EnrichedActionCtx,\n provider: PasskeyProviderConfig,\n args: {\n params?: Record<string, any>;\n verifier?: string;\n },\n): FxType<PasskeyResult, AuthError> {\n const params = (args.params ?? {}) as Record<string, any>;\n\n return resolvePasskeyDispatchFx(params).pipe(\n Fx.chain((dispatch) => {\n const flowFx: FxType<PasskeyResult, AuthError> = Fx.match(dispatch).on(\n \"flow\",\n {\n registerOptions: (_) =>\n Fx.zip(\n Fx.from({\n ok: () => ctx.auth.getUserIdentity(),\n err: () => new AuthError(\"PASSKEY_AUTH_REQUIRED\"),\n }).pipe(\n Fx.chain((id) =>\n id === null\n ? Fx.fail(new AuthError(\"PASSKEY_AUTH_REQUIRED\"))\n : Fx.succeed(userIdFromIdentitySubject(id.subject)),\n ),\n ),\n resolveRpOptionsFx(provider),\n ).pipe(\n Fx.chain(([userId, rp]) => {\n const challenge = new Uint8Array(32);\n crypto.getRandomValues(challenge);\n const challengeHash = encodeBase64urlNoPadding(\n new Uint8Array(sha256(challenge)),\n );\n\n return Fx.from({\n ok: async () => {\n const verifier = await callVerifier(ctx);\n await callVerifierSignature(ctx, {\n verifier,\n signature: challengeHash,\n });\n\n const user = await queryUserById(ctx, userId);\n const userName = params.userName ?? user?.email ?? \"user\";\n const userDisplayName =\n params.userDisplayName ?? user?.name ?? userName;\n\n const existing = await queryPasskeysByUserId(ctx, userId);\n const excludeCredentials = existing.map((pk) => ({\n id: pk.credentialId,\n transports: pk.transports,\n }));\n\n const userHandle = encodeBase64urlNoPadding(\n new TextEncoder().encode(userId),\n );\n\n const options = {\n rp: { name: rp.rpName, id: rp.rpId },\n user: {\n id: userHandle,\n name: userName,\n displayName: userDisplayName,\n },\n challenge: encodeBase64urlNoPadding(challenge),\n pubKeyCredParams: rp.algorithms.map((alg) => ({\n type: \"public-key\" as const,\n alg,\n })),\n timeout: rp.challengeExpirationMs,\n attestation: rp.attestation,\n authenticatorSelection: {\n residentKey: rp.residentKey,\n requireResidentKey: rp.residentKey === \"required\",\n userVerification: rp.userVerification,\n ...(rp.authenticatorAttachment\n ? {\n authenticatorAttachment:\n rp.authenticatorAttachment,\n }\n : {}),\n },\n excludeCredentials,\n };\n\n return {\n kind: \"passkeyOptions\" as const,\n options,\n verifier,\n };\n },\n err: () => new AuthError(\"INTERNAL_ERROR\"),\n });\n }),\n ),\n registerVerify: (_) =>\n Fx.zip(\n Fx.from({\n ok: () => ctx.auth.getUserIdentity(),\n err: () => new AuthError(\"PASSKEY_AUTH_REQUIRED\"),\n }).pipe(\n Fx.chain((id) =>\n id === null\n ? Fx.fail(new AuthError(\"PASSKEY_AUTH_REQUIRED\"))\n : Fx.succeed(userIdFromIdentitySubject(id.subject)),\n ),\n ),\n resolveRpOptionsFx(provider),\n ).pipe(\n Fx.chain(([userId, rp]) =>\n requirePasskeyVerifierFx(args.verifier).pipe(\n Fx.chain((verifier) => {\n const clientDataJSON = decodeBase64urlIgnorePadding(\n params.clientDataJSON,\n );\n const clientData = parseClientDataJSON(clientDataJSON);\n\n const verifiedClientDataFx = Fx.succeed(clientData).pipe(\n Fx.chain(\n verifyClientDataType(\n ClientDataType.Create,\n \"webauthn.create\",\n ),\n ),\n Fx.chain(verifyOrigin(rp)),\n Fx.chain(verifyAndConsumeChallenge(ctx, verifier)),\n Fx.map(() => {\n const attestationObjectBytes =\n decodeBase64urlIgnorePadding(\n params.attestationObject,\n );\n const attestation = parseAttestationObject(\n attestationObjectBytes,\n );\n return attestation.authenticatorData;\n }),\n );\n\n return verifiedClientDataFx.pipe(\n Fx.chain(verifyRpId(rp.rpId)),\n Fx.chain(verifyUserFlags(rp)),\n Fx.chain((authData) => {\n if (authData.credential == null) {\n return Fx.fail(\n new AuthError(\"PASSKEY_NO_CREDENTIAL\"),\n );\n }\n return Fx.succeed({\n authData,\n credential: authData.credential,\n });\n }),\n Fx.chain(({ authData, credential }) => {\n const credentialId = encodeBase64urlNoPadding(\n credential.id,\n );\n const publicKey = credential.publicKey;\n\n let algorithm: number;\n if (publicKey.isAlgorithmDefined()) {\n algorithm = publicKey.algorithm();\n } else {\n const keyType = publicKey.type();\n algorithm =\n keyType === COSEKeyType.EC2\n ? coseAlgorithmES256\n : keyType === COSEKeyType.RSA\n ? coseAlgorithmRS256\n : coseAlgorithmES256;\n }\n\n const handlers: Record<\n number,\n (() => FxType<Uint8Array, AuthError>) | undefined\n > = {\n [coseAlgorithmES256]: () => {\n const ec2 = publicKey.ec2();\n const xBytes = new Uint8Array(32);\n let vx = ec2.x;\n for (let i = 31; i >= 0; i--) {\n xBytes[i] = Number(vx & 0xffn);\n vx >>= 8n;\n }\n const yBytes = new Uint8Array(32);\n let vy = ec2.y;\n for (let i = 31; i >= 0; i--) {\n yBytes[i] = Number(vy & 0xffn);\n vy >>= 8n;\n }\n const bytes = new Uint8Array(65);\n bytes[0] = 0x04;\n bytes.set(xBytes, 1);\n bytes.set(yBytes, 33);\n return Fx.succeed(bytes);\n },\n [coseAlgorithmRS256]: () => {\n const rsa = publicKey.rsa();\n const rsaPubKey = new RSAPublicKey(rsa.n, rsa.e);\n return Fx.succeed(rsaPubKey.encodePKCS1());\n },\n };\n\n const handler = handlers[algorithm];\n return (\n handler\n ? handler()\n : Fx.fail(\n new AuthError(\n \"PASSKEY_UNSUPPORTED_ALGORITHM\",\n `Unsupported algorithm: ${algorithm}`,\n ),\n )\n ).pipe(\n Fx.chain((publicKeyBytes) =>\n Fx.from({\n ok: async () => {\n const deviceType =\n params.deviceType ?? \"single-device\";\n const backedUp = params.backedUp ?? false;\n\n const db = authDb(ctx, ctx.auth.config);\n await db.accounts.create({\n userId,\n provider: provider.id,\n providerAccountId: credentialId,\n });\n\n await mutatePasskeyInsert(ctx, {\n userId,\n credentialId,\n publicKey: publicKeyBytes.buffer.slice(\n publicKeyBytes.byteOffset,\n publicKeyBytes.byteOffset +\n publicKeyBytes.byteLength,\n ),\n algorithm,\n counter: authData.signatureCounter,\n transports: params.transports,\n deviceType,\n backedUp,\n name: params.passkeyName,\n createdAt: Date.now(),\n });\n\n const signInResult = await callSignIn(ctx, {\n userId,\n generateTokens: true,\n });\n\n return {\n kind: \"signedIn\" as const,\n signedIn: signInResult,\n };\n },\n err: () => new AuthError(\"INTERNAL_ERROR\"),\n }),\n ),\n );\n }),\n );\n }),\n ),\n ),\n ),\n authOptions: (_) =>\n resolveRpOptionsFx(provider).pipe(\n Fx.chain((rp) => {\n const challenge = new Uint8Array(32);\n crypto.getRandomValues(challenge);\n const challengeHash = encodeBase64urlNoPadding(\n new Uint8Array(sha256(challenge)),\n );\n\n return Fx.from({\n ok: async () => {\n const verifier = await callVerifier(ctx);\n await callVerifierSignature(ctx, {\n verifier,\n signature: challengeHash,\n });\n\n let allowCredentials:\n | Array<{\n type: string;\n id: string;\n transports?: string[];\n }>\n | undefined;\n if (params.email) {\n const user = await queryUserByVerifiedEmail(\n ctx,\n params.email,\n );\n if (user) {\n const passkeys = await queryPasskeysByUserId(\n ctx,\n user._id,\n );\n if (passkeys.length > 0) {\n allowCredentials = passkeys.map((pk) => ({\n type: \"public-key\",\n id: pk.credentialId,\n transports: pk.transports,\n }));\n }\n }\n }\n\n const options: Record<string, any> = {\n challenge: encodeBase64urlNoPadding(challenge),\n timeout: rp.challengeExpirationMs,\n rpId: rp.rpId,\n userVerification: rp.userVerification,\n };\n\n if (allowCredentials) {\n options.allowCredentials = allowCredentials;\n }\n\n return {\n kind: \"passkeyOptions\" as const,\n options,\n verifier,\n };\n },\n err: () => new AuthError(\"INTERNAL_ERROR\"),\n });\n }),\n ),\n authVerify: (_) =>\n Fx.zip(\n resolveRpOptionsFx(provider),\n requirePasskeyVerifierFx(args.verifier),\n ).pipe(\n Fx.chain(([rp, verifier]) => {\n const clientDataJSON = decodeBase64urlIgnorePadding(\n params.clientDataJSON,\n );\n const clientData = parseClientDataJSON(clientDataJSON);\n\n const verifiedClientDataFx = Fx.succeed(clientData).pipe(\n Fx.chain(\n verifyClientDataType(ClientDataType.Get, \"webauthn.get\"),\n ),\n Fx.chain(verifyOrigin(rp)),\n Fx.chain(verifyAndConsumeChallenge(ctx, verifier)),\n Fx.chain(() =>\n params.credentialId != null\n ? Fx.succeed(params.credentialId as string)\n : Fx.fail(\n new AuthError(\n \"PASSKEY_UNKNOWN_CREDENTIAL\",\n \"Missing credential ID\",\n ),\n ),\n ),\n );\n\n return verifiedClientDataFx.pipe(\n Fx.chain((credentialId) =>\n Fx.from({\n ok: () => queryPasskeyByCredentialId(ctx, credentialId),\n err: () => new AuthError(\"PASSKEY_UNKNOWN_CREDENTIAL\"),\n }).pipe(\n Fx.chain((passkey) =>\n passkey\n ? Fx.succeed(passkey)\n : Fx.fail(\n new AuthError(\n \"PASSKEY_UNKNOWN_CREDENTIAL\",\n \"Unknown credential\",\n ),\n ),\n ),\n ),\n ),\n Fx.chain((passkey) => {\n const authenticatorDataBytes = decodeBase64urlIgnorePadding(\n params.authenticatorData,\n );\n const authenticatorData = parseAuthenticatorData(\n authenticatorDataBytes,\n );\n\n const signature = decodeBase64urlIgnorePadding(\n params.signature,\n );\n const signatureMessage = createAssertionSignatureMessage(\n authenticatorDataBytes,\n clientDataJSON,\n );\n const messageHash = sha256(signatureMessage);\n\n const checkedAuthenticatorFx = Fx.succeed(\n authenticatorData,\n ).pipe(\n Fx.chain(verifyRpId(rp.rpId)),\n Fx.chain(verifyUserFlags(rp)),\n );\n\n const signatureVerifiedFx = checkedAuthenticatorFx.pipe(\n Fx.chain(() => {\n const storedPublicKeyBytes = new Uint8Array(\n passkey.publicKey,\n );\n const algorithmHandlers: Record<\n number,\n (() => FxType<void, AuthError>) | undefined\n > = {\n [coseAlgorithmES256]: () => {\n const ecPublicKey = decodeSEC1PublicKey(\n p256,\n storedPublicKeyBytes,\n );\n const ecdsaSignature =\n decodePKIXECDSASignature(signature);\n const valid = verifyECDSASignature(\n ecPublicKey,\n messageHash,\n ecdsaSignature,\n );\n return valid\n ? Fx.succeed(undefined as void)\n : Fx.fail(\n new AuthError(\"PASSKEY_INVALID_SIGNATURE\"),\n );\n },\n [coseAlgorithmRS256]: () => {\n const rsaPublicKey =\n decodePKCS1RSAPublicKey(storedPublicKeyBytes);\n const valid = verifyRSASSAPKCS1v15Signature(\n rsaPublicKey,\n sha256ObjectIdentifier,\n messageHash,\n signature,\n );\n return valid\n ? Fx.succeed(undefined as void)\n : Fx.fail(\n new AuthError(\"PASSKEY_INVALID_SIGNATURE\"),\n );\n },\n };\n\n const handler = algorithmHandlers[passkey.algorithm];\n return handler\n ? handler()\n : Fx.fail(\n new AuthError(\n \"PASSKEY_UNSUPPORTED_ALGORITHM\",\n `Unsupported algorithm: ${passkey.algorithm}`,\n ),\n );\n }),\n );\n\n const counterValidatedFx = signatureVerifiedFx.pipe(\n Fx.chain(() =>\n passkey.counter !== 0 &&\n authenticatorData.signatureCounter !== 0 &&\n authenticatorData.signatureCounter <= passkey.counter\n ? Fx.fail(new AuthError(\"PASSKEY_COUNTER_ERROR\"))\n : Fx.succeed(authenticatorData),\n ),\n );\n\n return counterValidatedFx.pipe(\n Fx.chain(() =>\n Fx.from({\n ok: async () => {\n await mutatePasskeyUpdateCounter(\n ctx,\n passkey._id,\n authenticatorData.signatureCounter,\n Date.now(),\n );\n\n const signInResult = await callSignIn(ctx, {\n userId: passkey.userId,\n generateTokens: true,\n });\n\n return {\n kind: \"signedIn\" as const,\n signedIn: signInResult,\n };\n },\n err: () => new AuthError(\"INTERNAL_ERROR\"),\n }),\n ),\n );\n }),\n );\n }),\n ),\n },\n );\n return flowFx;\n }),\n );\n}\n\n// Keep backward-compatible export name — callers can migrate to handlePasskeyFx\nexport { handlePasskeyFx as handlePasskey };\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0FA,MAAM,sBACJ,aACiC;CACjC,MAAM,UAAU,QAAQ,IAAI;CAC5B,MAAM,aAAa,YAAY,UAAa,YAAY;CACxD,MAAM,UAAU,SAAS,QAAQ,SAAS;AAE1C,QAAO,GAAG,QAAQ;EAAE;EAAS;EAAY;EAAS,CAAC,CAAC,KAClD,GAAG,OAAO,EAAE,oBAAS,0BAAY,yBAC/B,CAACA,gBAAc,CAACC,YACZ,GAAG,KACD,IAAI,UACF,0BACA,yMAGD,CACF,GACD,GAAG,QAAQC,UAAQ,CACxB,EACD,GAAG,KAAK,cAAY;EAClB,MAAM,eAAeA,YAAU,IAAI,IAAIA,UAAQ,CAAC,WAAW;AAC3D,SAAO;GACL,QAAQ,SAAS,QAAQ,UAAU,gBAAgB;GACnD,MAAM,SAAS,QAAQ,QAAQ,gBAAgB;GAC/C,QAAQ,SAAS,QAAQ,UAAUA,aAAW;GAC9C,aAAa,SAAS,QAAQ,eAAe;GAC7C,kBAAkB,SAAS,QAAQ,oBAAoB;GACvD,aAAa,SAAS,QAAQ,eAAe;GAC7C,yBAAyB,SAAS,QAAQ;GAC1C,YAAY,SAAS,QAAQ,cAAc,CACzC,oBACA,mBACD;GACD,uBACE,SAAS,QAAQ,yBAAyB;GAC7C;GACD,CACH;;;AAQH,MAAM,wBAEF,cACA,WAED,eACC,WAAW,SAAS,eAChB,GAAG,QAAQ,WAAW,GACtB,GAAG,KACD,IAAI,UACF,+BACA,sCAAsC,QACvC,CACF;;AAGT,MAAM,gBACH,QAC8B,eAAwC;CACrE,MAAM,UAAU,MAAM,QAAQ,GAAG,OAAO,GAAG,GAAG,SAAS,CAAC,GAAG,OAAO;AAClE,QAAO,QAAQ,SAAS,WAAW,OAAO,GACtC,GAAG,QAAQ,WAAW,GACtB,GAAG,KACD,IAAI,UACF,0BACA,mBAAmB,WAAW,OAAO,qBAAqB,QAAQ,KAAK,KAAK,GAC7E,CACF;;;AAIT,MAAM,6BACH,KAAwB,mBAEvB,eACyB;CACzB,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,WAAW,UAAU,CAAC,CAC7C;AACD,QAAO,GAAG,KAAK;EACb,UAAU,kBAAkB,KAAK,cAAc;EAC/C,WAAW,IAAI,UAAU,4BAA4B;EACtD,CAAC,CAAC,KACD,GAAG,OAAO,QACR,CAAC,OAAO,IAAI,cAAc,gBACtB,GAAG,KAAK,IAAI,UAAU,4BAA4B,CAAC,GACnD,GAAG,QAAQ,IAAI,CACpB,EACD,GAAG,YACD,GAAG,KAAK;EACN,UAAU,qBAAqB,KAAK,cAAc;EAClD,WAAW,IAAI,UAAU,4BAA4B;EACtD,CAAC,CACH,EACD,GAAG,UAAU,WAAW,CACzB;;;AAIL,MAAM,cACH,UAEC,aAEA,SAAS,yBAAyB,KAAK,GACnC,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC;;AAGrD,MAAM,mBACH,QAEC,aAEA,CAAC,SAAS,cACN,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,qBAAqB,cAAc,CAAC,SAAS,eAC9C,GAAG,KAAK,IAAI,UAAU,4BAA4B,CAAC,GACnD,GAAG,QAAQ,SAAS;AAmB9B,MAAM,eAAe;CACnB,iBAAiB;CACjB,gBAAgB;CAChB,aAAa;CACb,YAAY;CACb;AAED,MAAM,gBAAgB;CACpB,aAAa;CACb,aAAa;CACb,aAAa;CACb,aAAa;CACd;AAQD,MAAM,4BACJ,WACuC;CACvC,MAAM,OAAO,OAAO;AACpB,QAAO,OAAO,SAAS,YAAY,cAAc,SAAS,KAAc,GACpE,GAAG,QAAQ,EAAQ,MAAwC,CAAC,GAC5D,GAAG,KACD,IAAI,UACF,wBACA,sGACD,CACF;;AAGP,MAAM,4BACJ,aAEA,YAAY,OACR,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK,IAAI,UAAU,2BAA2B,CAAC;;;;;;AAOxD,SAAgB,gBACd,KACA,UACA,MAIkC;CAClC,MAAM,SAAU,KAAK,UAAU,EAAE;AAEjC,QAAO,yBAAyB,OAAO,CAAC,KACtC,GAAG,OAAO,aAAa;AAwerB,SAveiD,GAAG,MAAM,SAAS,CAAC,GAClE,QACA;GACE,kBAAkB,MAChB,GAAG,IACD,GAAG,KAAK;IACN,UAAU,IAAI,KAAK,iBAAiB;IACpC,WAAW,IAAI,UAAU,wBAAwB;IAClD,CAAC,CAAC,KACD,GAAG,OAAO,OACR,OAAO,OACH,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,QAAQ,0BAA0B,GAAG,QAAQ,CAAC,CACtD,CACF,EACD,mBAAmB,SAAS,CAC7B,CAAC,KACA,GAAG,OAAO,CAAC,QAAQ,QAAQ;IACzB,MAAM,YAAY,IAAI,WAAW,GAAG;AACpC,WAAO,gBAAgB,UAAU;IACjC,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,UAAU,CAAC,CAClC;AAED,WAAO,GAAG,KAAK;KACb,IAAI,YAAY;MACd,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,YAAM,sBAAsB,KAAK;OAC/B;OACA,WAAW;OACZ,CAAC;MAEF,MAAM,OAAO,MAAM,cAAc,KAAK,OAAO;MAC7C,MAAM,WAAW,OAAO,YAAY,MAAM,SAAS;MACnD,MAAM,kBACJ,OAAO,mBAAmB,MAAM,QAAQ;MAG1C,MAAM,sBADW,MAAM,sBAAsB,KAAK,OAAO,EACrB,KAAK,QAAQ;OAC/C,IAAI,GAAG;OACP,YAAY,GAAG;OAChB,EAAE;MAEH,MAAM,aAAa,yBACjB,IAAI,aAAa,CAAC,OAAO,OAAO,CACjC;AA8BD,aAAO;OACL,MAAM;OACN,SA9Bc;QACd,IAAI;SAAE,MAAM,GAAG;SAAQ,IAAI,GAAG;SAAM;QACpC,MAAM;SACJ,IAAI;SACJ,MAAM;SACN,aAAa;SACd;QACD,WAAW,yBAAyB,UAAU;QAC9C,kBAAkB,GAAG,WAAW,KAAK,SAAS;SAC5C,MAAM;SACN;SACD,EAAE;QACH,SAAS,GAAG;QACZ,aAAa,GAAG;QAChB,wBAAwB;SACtB,aAAa,GAAG;SAChB,oBAAoB,GAAG,gBAAgB;SACvC,kBAAkB,GAAG;SACrB,GAAI,GAAG,0BACH,EACE,yBACE,GAAG,yBACN,GACD,EAAE;SACP;QACD;QACD;OAKC;OACD;;KAEH,WAAW,IAAI,UAAU,iBAAiB;KAC3C,CAAC;KACF,CACH;GACH,iBAAiB,MACf,GAAG,IACD,GAAG,KAAK;IACN,UAAU,IAAI,KAAK,iBAAiB;IACpC,WAAW,IAAI,UAAU,wBAAwB;IAClD,CAAC,CAAC,KACD,GAAG,OAAO,OACR,OAAO,OACH,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,QAAQ,0BAA0B,GAAG,QAAQ,CAAC,CACtD,CACF,EACD,mBAAmB,SAAS,CAC7B,CAAC,KACA,GAAG,OAAO,CAAC,QAAQ,QACjB,yBAAyB,KAAK,SAAS,CAAC,KACtC,GAAG,OAAO,aAAa;IAIrB,MAAM,aAAa,oBAHI,6BACrB,OAAO,eACR,CACqD;AAuBtD,WArB6B,GAAG,QAAQ,WAAW,CAAC,KAClD,GAAG,MACD,qBACE,eAAe,QACf,kBACD,CACF,EACD,GAAG,MAAM,aAAa,GAAG,CAAC,EAC1B,GAAG,MAAM,0BAA0B,KAAK,SAAS,CAAC,EAClD,GAAG,UAAU;AAQX,YAHoB,uBAHlB,6BACE,OAAO,kBACR,CAGF,CACkB;MACnB,CACH,CAE2B,KAC1B,GAAG,MAAM,WAAW,GAAG,KAAK,CAAC,EAC7B,GAAG,MAAM,gBAAgB,GAAG,CAAC,EAC7B,GAAG,OAAO,aAAa;AACrB,SAAI,SAAS,cAAc,KACzB,QAAO,GAAG,KACR,IAAI,UAAU,wBAAwB,CACvC;AAEH,YAAO,GAAG,QAAQ;MAChB;MACA,YAAY,SAAS;MACtB,CAAC;MACF,EACF,GAAG,OAAO,EAAE,UAAU,iBAAiB;KACrC,MAAM,eAAe,yBACnB,WAAW,GACZ;KACD,MAAM,YAAY,WAAW;KAE7B,IAAI;AACJ,SAAI,UAAU,oBAAoB,CAChC,aAAY,UAAU,WAAW;UAC5B;MACL,MAAM,UAAU,UAAU,MAAM;AAChC,kBACE,YAAY,YAAY,MACpB,qBACA,YAAY,YAAY,MACtB,qBACA;;KAkCV,MAAM,UA5BF;OACD,2BAA2B;OAC1B,MAAM,MAAM,UAAU,KAAK;OAC3B,MAAM,SAAS,IAAI,WAAW,GAAG;OACjC,IAAI,KAAK,IAAI;AACb,YAAK,IAAI,IAAI,IAAI,KAAK,GAAG,KAAK;AAC5B,eAAO,KAAK,OAAO,KAAK,KAAM;AAC9B,eAAO;;OAET,MAAM,SAAS,IAAI,WAAW,GAAG;OACjC,IAAI,KAAK,IAAI;AACb,YAAK,IAAI,IAAI,IAAI,KAAK,GAAG,KAAK;AAC5B,eAAO,KAAK,OAAO,KAAK,KAAM;AAC9B,eAAO;;OAET,MAAM,QAAQ,IAAI,WAAW,GAAG;AAChC,aAAM,KAAK;AACX,aAAM,IAAI,QAAQ,EAAE;AACpB,aAAM,IAAI,QAAQ,GAAG;AACrB,cAAO,GAAG,QAAQ,MAAM;;OAEzB,2BAA2B;OAC1B,MAAM,MAAM,UAAU,KAAK;OAC3B,MAAM,YAAY,IAAI,aAAa,IAAI,GAAG,IAAI,EAAE;AAChD,cAAO,GAAG,QAAQ,UAAU,aAAa,CAAC;;MAE7C,CAEwB;AACzB,aACE,UACI,SAAS,GACT,GAAG,KACD,IAAI,UACF,iCACA,0BAA0B,YAC3B,CACF,EACL,KACA,GAAG,OAAO,mBACR,GAAG,KAAK;MACN,IAAI,YAAY;OACd,MAAM,aACJ,OAAO,cAAc;OACvB,MAAM,WAAW,OAAO,YAAY;AAGpC,aADW,OAAO,KAAK,IAAI,KAAK,OAAO,CAC9B,SAAS,OAAO;QACvB;QACA,UAAU,SAAS;QACnB,mBAAmB;QACpB,CAAC;AAEF,aAAM,oBAAoB,KAAK;QAC7B;QACA;QACA,WAAW,eAAe,OAAO,MAC/B,eAAe,YACf,eAAe,aACb,eAAe,WAClB;QACD;QACA,SAAS,SAAS;QAClB,YAAY,OAAO;QACnB;QACA;QACA,MAAM,OAAO;QACb,WAAW,KAAK,KAAK;QACtB,CAAC;AAOF,cAAO;QACL,MAAM;QACN,UAPmB,MAAM,WAAW,KAAK;SACzC;SACA,gBAAgB;SACjB,CAAC;QAKD;;MAEH,WAAW,IAAI,UAAU,iBAAiB;MAC3C,CAAC,CACH,CACF;MACD,CACH;KACD,CACH,CACF,CACF;GACH,cAAc,MACZ,mBAAmB,SAAS,CAAC,KAC3B,GAAG,OAAO,OAAO;IACf,MAAM,YAAY,IAAI,WAAW,GAAG;AACpC,WAAO,gBAAgB,UAAU;IACjC,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,UAAU,CAAC,CAClC;AAED,WAAO,GAAG,KAAK;KACb,IAAI,YAAY;MACd,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,YAAM,sBAAsB,KAAK;OAC/B;OACA,WAAW;OACZ,CAAC;MAEF,IAAI;AAOJ,UAAI,OAAO,OAAO;OAChB,MAAM,OAAO,MAAM,yBACjB,KACA,OAAO,MACR;AACD,WAAI,MAAM;QACR,MAAM,WAAW,MAAM,sBACrB,KACA,KAAK,IACN;AACD,YAAI,SAAS,SAAS,EACpB,oBAAmB,SAAS,KAAK,QAAQ;SACvC,MAAM;SACN,IAAI,GAAG;SACP,YAAY,GAAG;SAChB,EAAE;;;MAKT,MAAM,UAA+B;OACnC,WAAW,yBAAyB,UAAU;OAC9C,SAAS,GAAG;OACZ,MAAM,GAAG;OACT,kBAAkB,GAAG;OACtB;AAED,UAAI,iBACF,SAAQ,mBAAmB;AAG7B,aAAO;OACL,MAAM;OACN;OACA;OACD;;KAEH,WAAW,IAAI,UAAU,iBAAiB;KAC3C,CAAC;KACF,CACH;GACH,aAAa,MACX,GAAG,IACD,mBAAmB,SAAS,EAC5B,yBAAyB,KAAK,SAAS,CACxC,CAAC,KACA,GAAG,OAAO,CAAC,IAAI,cAAc;IAC3B,MAAM,iBAAiB,6BACrB,OAAO,eACR;IACD,MAAM,aAAa,oBAAoB,eAAe;AAoBtD,WAlB6B,GAAG,QAAQ,WAAW,CAAC,KAClD,GAAG,MACD,qBAAqB,eAAe,KAAK,eAAe,CACzD,EACD,GAAG,MAAM,aAAa,GAAG,CAAC,EAC1B,GAAG,MAAM,0BAA0B,KAAK,SAAS,CAAC,EAClD,GAAG,YACD,OAAO,gBAAgB,OACnB,GAAG,QAAQ,OAAO,aAAuB,GACzC,GAAG,KACD,IAAI,UACF,8BACA,wBACD,CACF,CACN,CACF,CAE2B,KAC1B,GAAG,OAAO,iBACR,GAAG,KAAK;KACN,UAAU,2BAA2B,KAAK,aAAa;KACvD,WAAW,IAAI,UAAU,6BAA6B;KACvD,CAAC,CAAC,KACD,GAAG,OAAO,YACR,UACI,GAAG,QAAQ,QAAQ,GACnB,GAAG,KACD,IAAI,UACF,8BACA,qBACD,CACF,CACN,CACF,CACF,EACD,GAAG,OAAO,YAAY;KACpB,MAAM,yBAAyB,6BAC7B,OAAO,kBACR;KACD,MAAM,oBAAoB,uBACxB,uBACD;KAED,MAAM,YAAY,6BAChB,OAAO,UACR;KAKD,MAAM,cAAc,OAJK,gCACvB,wBACA,eACD,CAC2C;AA2E5C,YAzE+B,GAAG,QAChC,kBACD,CAAC,KACA,GAAG,MAAM,WAAW,GAAG,KAAK,CAAC,EAC7B,GAAG,MAAM,gBAAgB,GAAG,CAAC,CAC9B,CAEkD,KACjD,GAAG,YAAY;MACb,MAAM,uBAAuB,IAAI,WAC/B,QAAQ,UACT;MAwCD,MAAM,UApCF;QACD,2BAA2B;AAY1B,eALc,qBANM,oBAClB,MACA,qBACD,EAKC,aAHA,yBAAyB,UAAU,CAKpC,GAEG,GAAG,QAAQ,OAAkB,GAC7B,GAAG,KACD,IAAI,UAAU,4BAA4B,CAC3C;;QAEN,2BAA2B;AAS1B,eANc,8BADZ,wBAAwB,qBAAqB,EAG7C,wBACA,aACA,UACD,GAEG,GAAG,QAAQ,OAAkB,GAC7B,GAAG,KACD,IAAI,UAAU,4BAA4B,CAC3C;;OAER,CAEiC,QAAQ;AAC1C,aAAO,UACH,SAAS,GACT,GAAG,KACD,IAAI,UACF,iCACA,0BAA0B,QAAQ,YACnC,CACF;OACL,CACH,CAE8C,KAC7C,GAAG,YACD,QAAQ,YAAY,KACpB,kBAAkB,qBAAqB,KACvC,kBAAkB,oBAAoB,QAAQ,UAC1C,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,QAAQ,kBAAkB,CAClC,CACF,CAEyB,KACxB,GAAG,YACD,GAAG,KAAK;MACN,IAAI,YAAY;AACd,aAAM,2BACJ,KACA,QAAQ,KACR,kBAAkB,kBAClB,KAAK,KAAK,CACX;AAOD,cAAO;QACL,MAAM;QACN,UAPmB,MAAM,WAAW,KAAK;SACzC,QAAQ,QAAQ;SAChB,gBAAgB;SACjB,CAAC;QAKD;;MAEH,WAAW,IAAI,UAAU,iBAAiB;MAC3C,CAAC,CACH,CACF;MACD,CACH;KACD,CACH;GACJ,CACF;GAED,CACH"}
package/dist/server/provider.d.ts CHANGED
@@ -1,21 +1,8 @@
1
1
  import { AuthProviderMaterializedConfig, ConvexAuthMaterializedConfig } from "./types.js";
2
- import { AuthError } from "./fx.js";
3
- import { Fx } from "@robelest/fx";
4
2
 
5
3
  //#region src/server/provider.d.ts
6
- /**
7
- * Hash a secret using the provider's `crypto.hashSecret` function.
8
- *
9
- * Validates that the provider is a credentials provider and has the
10
- * required crypto function, returning typed errors through the Fx channel.
11
- */
12
- declare const hash: (provider: any, secret: string) => Fx<string, AuthError>;
13
- /**
14
- * Verify a secret against a hash using the provider's `crypto.verifySecret` function.
15
- */
16
- declare const verify: (provider: AuthProviderMaterializedConfig, secret: string, hashValue: string) => Fx<boolean, AuthError>;
17
4
  type GetProviderOrThrowFunc = (provider: string, allowExtraProviders?: boolean) => AuthProviderMaterializedConfig;
18
5
  type Config = ConvexAuthMaterializedConfig;
19
6
  //#endregion
20
- export { Config, GetProviderOrThrowFunc, hash, verify };
7
+ export { Config, GetProviderOrThrowFunc };
21
8
  //# sourceMappingURL=provider.d.ts.map
package/dist/server/provider.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"provider.d.ts","names":[],"sources":["../../src/server/provider.ts"],"mappings":";;;;;;AAaA;;;;;cAAa,IAAA,GAAQ,QAAA,OAAe,MAAA,aAAiB,EAAA,SAAW,SAAA;;;;cAiCnD,MAAA,GACX,QAAA,EAAU,8BAAA,EACV,MAAA,UACA,SAAA,aACC,EAAA,UAAY,SAAA;AAAA,KA8BH,sBAAA,IACV,QAAA,UACA,mBAAA,eACG,8BAAA;AAAA,KAEO,MAAA,GAAS,4BAAA"}
1
+ {"version":3,"file":"provider.d.ts","names":[],"sources":["../../src/server/provider.ts"],"mappings":";;;KAkFY,sBAAA,IACV,QAAA,UACA,mBAAA,eACG,8BAAA;AAAA,KAEO,MAAA,GAAS,4BAAA"}
package/dist/server/provider.js CHANGED
@@ -9,6 +9,7 @@ import { Fx } from "@robelest/fx";
9
9
  * Validates that the provider is a credentials provider and has the
10
10
  * required crypto function, returning typed errors through the Fx channel.
11
11
  */
12
+ /** @internal */
12
13
  const hash = (provider, secret) => Fx.gen(function* () {
13
14
  if (provider.type !== "credentials") return yield* Fx.fail(new AuthError("INVALID_CREDENTIALS_PROVIDER", `Provider ${provider.id} is not a credentials provider`));
14
15
  const hashSecretFn = provider.crypto?.hashSecret;
@@ -21,6 +22,7 @@ const hash = (provider, secret) => Fx.gen(function* () {
21
22
  /**
22
23
  * Verify a secret against a hash using the provider's `crypto.verifySecret` function.
23
24
  */
25
+ /** @internal */
24
26
  const verify = (provider, secret, hashValue) => Fx.gen(function* () {
25
27
  if (provider.type !== "credentials") return yield* Fx.fail(new AuthError("INVALID_CREDENTIALS_PROVIDER", `Provider ${provider.id} is not a credentials provider`));
26
28
  const verifySecretFn = provider.crypto?.verifySecret;
package/dist/server/provider.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"provider.js","names":[],"sources":["../../src/server/provider.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./fx\";\nimport { AuthProviderMaterializedConfig } from \"./types\";\nimport { ConvexAuthMaterializedConfig } from \"./types\";\nimport { errorMessage } from \"./utils\";\n\n/**\n * Hash a secret using the provider's `crypto.hashSecret` function.\n *\n * Validates that the provider is a credentials provider and has the\n * required crypto function, returning typed errors through the Fx channel.\n */\nexport const hash = (provider: any, secret: string): Fx<string, AuthError> =>\n Fx.gen(function* () {\n if (provider.type !== \"credentials\") {\n return yield* Fx.fail(\n new AuthError(\n \"INVALID_CREDENTIALS_PROVIDER\",\n `Provider ${provider.id} is not a credentials provider`,\n ),\n );\n }\n\n const hashSecretFn = provider.crypto?.hashSecret as\n | ((s: string) => Promise<string>)\n | undefined;\n if (!hashSecretFn) {\n return yield* Fx.fail(\n new AuthError(\n \"MISSING_CRYPTO_FUNCTION\",\n `Provider ${provider.id} does not have a \\`crypto.hashSecret\\` function`,\n ),\n );\n }\n\n return yield* Fx.from({\n ok: () => hashSecretFn(secret),\n err: (e) =>\n new AuthError(\"INTERNAL_ERROR\", `Hash failed: ${errorMessage(e)}`),\n });\n });\n\n/**\n * Verify a secret against a hash using the provider's `crypto.verifySecret` function.\n */\nexport const verify = (\n provider: AuthProviderMaterializedConfig,\n secret: string,\n hashValue: string,\n): Fx<boolean, AuthError> =>\n Fx.gen(function* () {\n if (provider.type !== \"credentials\") {\n return yield* Fx.fail(\n new AuthError(\n \"INVALID_CREDENTIALS_PROVIDER\",\n `Provider ${provider.id} is not a credentials provider`,\n ),\n );\n }\n\n const verifySecretFn = (provider as any).crypto?.verifySecret as\n | ((s: string, h: string) => Promise<boolean>)\n | undefined;\n if (!verifySecretFn) {\n return yield* Fx.fail(\n new AuthError(\n \"MISSING_CRYPTO_FUNCTION\",\n `Provider ${provider.id} does not have a \\`crypto.verifySecret\\` function`,\n ),\n );\n }\n\n return yield* Fx.from({\n ok: () => verifySecretFn(secret, hashValue),\n err: (e) =>\n new AuthError(\"INTERNAL_ERROR\", `Verify failed: ${errorMessage(e)}`),\n });\n });\n\nexport type GetProviderOrThrowFunc = (\n provider: string,\n allowExtraProviders?: boolean,\n) => AuthProviderMaterializedConfig;\n\nexport type Config = ConvexAuthMaterializedConfig;\n"],"mappings":";;;;;;;;;;;AAaA,MAAa,QAAQ,UAAe,WAClC,GAAG,IAAI,aAAa;AAClB,KAAI,SAAS,SAAS,cACpB,QAAO,OAAO,GAAG,KACf,IAAI,UACF,gCACA,YAAY,SAAS,GAAG,gCACzB,CACF;CAGH,MAAM,eAAe,SAAS,QAAQ;AAGtC,KAAI,CAAC,aACH,QAAO,OAAO,GAAG,KACf,IAAI,UACF,2BACA,YAAY,SAAS,GAAG,iDACzB,CACF;AAGH,QAAO,OAAO,GAAG,KAAK;EACpB,UAAU,aAAa,OAAO;EAC9B,MAAM,MACJ,IAAI,UAAU,kBAAkB,gBAAgB,aAAa,EAAE,GAAG;EACrE,CAAC;EACF;;;;AAKJ,MAAa,UACX,UACA,QACA,cAEA,GAAG,IAAI,aAAa;AAClB,KAAI,SAAS,SAAS,cACpB,QAAO,OAAO,GAAG,KACf,IAAI,UACF,gCACA,YAAY,SAAS,GAAG,gCACzB,CACF;CAGH,MAAM,iBAAkB,SAAiB,QAAQ;AAGjD,KAAI,CAAC,eACH,QAAO,OAAO,GAAG,KACf,IAAI,UACF,2BACA,YAAY,SAAS,GAAG,mDACzB,CACF;AAGH,QAAO,OAAO,GAAG,KAAK;EACpB,UAAU,eAAe,QAAQ,UAAU;EAC3C,MAAM,MACJ,IAAI,UAAU,kBAAkB,kBAAkB,aAAa,EAAE,GAAG;EACvE,CAAC;EACF"}
1
+ {"version":3,"file":"provider.js","names":[],"sources":["../../src/server/provider.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./fx\";\nimport { AuthProviderMaterializedConfig } from \"./types\";\nimport { ConvexAuthMaterializedConfig } from \"./types\";\nimport { errorMessage } from \"./utils\";\n\n/**\n * Hash a secret using the provider's `crypto.hashSecret` function.\n *\n * Validates that the provider is a credentials provider and has the\n * required crypto function, returning typed errors through the Fx channel.\n */\n/** @internal */\nexport const hash = (provider: any, secret: string): Fx<string, AuthError> =>\n Fx.gen(function* () {\n if (provider.type !== \"credentials\") {\n return yield* Fx.fail(\n new AuthError(\n \"INVALID_CREDENTIALS_PROVIDER\",\n `Provider ${provider.id} is not a credentials provider`,\n ),\n );\n }\n\n const hashSecretFn = provider.crypto?.hashSecret as\n | ((s: string) => Promise<string>)\n | undefined;\n if (!hashSecretFn) {\n return yield* Fx.fail(\n new AuthError(\n \"MISSING_CRYPTO_FUNCTION\",\n `Provider ${provider.id} does not have a \\`crypto.hashSecret\\` function`,\n ),\n );\n }\n\n return yield* Fx.from({\n ok: () => hashSecretFn(secret),\n err: (e) =>\n new AuthError(\"INTERNAL_ERROR\", `Hash failed: ${errorMessage(e)}`),\n });\n });\n\n/**\n * Verify a secret against a hash using the provider's `crypto.verifySecret` function.\n */\n/** @internal */\nexport const verify = (\n provider: AuthProviderMaterializedConfig,\n secret: string,\n hashValue: string,\n): Fx<boolean, AuthError> =>\n Fx.gen(function* () {\n if (provider.type !== \"credentials\") {\n return yield* Fx.fail(\n new AuthError(\n \"INVALID_CREDENTIALS_PROVIDER\",\n `Provider ${provider.id} is not a credentials provider`,\n ),\n );\n }\n\n const verifySecretFn = (provider as any).crypto?.verifySecret as\n | ((s: string, h: string) => Promise<boolean>)\n | undefined;\n if (!verifySecretFn) {\n return yield* Fx.fail(\n new AuthError(\n \"MISSING_CRYPTO_FUNCTION\",\n `Provider ${provider.id} does not have a \\`crypto.verifySecret\\` function`,\n ),\n );\n }\n\n return yield* Fx.from({\n ok: () => verifySecretFn(secret, hashValue),\n err: (e) =>\n new AuthError(\"INTERNAL_ERROR\", `Verify failed: ${errorMessage(e)}`),\n });\n });\n\nexport type GetProviderOrThrowFunc = (\n provider: string,\n allowExtraProviders?: boolean,\n) => AuthProviderMaterializedConfig;\n\nexport type Config = ConvexAuthMaterializedConfig;\n"],"mappings":";;;;;;;;;;;;AAcA,MAAa,QAAQ,UAAe,WAClC,GAAG,IAAI,aAAa;AAClB,KAAI,SAAS,SAAS,cACpB,QAAO,OAAO,GAAG,KACf,IAAI,UACF,gCACA,YAAY,SAAS,GAAG,gCACzB,CACF;CAGH,MAAM,eAAe,SAAS,QAAQ;AAGtC,KAAI,CAAC,aACH,QAAO,OAAO,GAAG,KACf,IAAI,UACF,2BACA,YAAY,SAAS,GAAG,iDACzB,CACF;AAGH,QAAO,OAAO,GAAG,KAAK;EACpB,UAAU,aAAa,OAAO;EAC9B,MAAM,MACJ,IAAI,UAAU,kBAAkB,gBAAgB,aAAa,EAAE,GAAG;EACrE,CAAC;EACF;;;;;AAMJ,MAAa,UACX,UACA,QACA,cAEA,GAAG,IAAI,aAAa;AAClB,KAAI,SAAS,SAAS,cACpB,QAAO,OAAO,GAAG,KACf,IAAI,UACF,gCACA,YAAY,SAAS,GAAG,gCACzB,CACF;CAGH,MAAM,iBAAkB,SAAiB,QAAQ;AAGjD,KAAI,CAAC,eACH,QAAO,OAAO,GAAG,KACf,IAAI,UACF,2BACA,YAAY,SAAS,GAAG,mDACzB,CACF;AAGH,QAAO,OAAO,GAAG,KAAK;EACpB,UAAU,eAAe,QAAQ,UAAU;EAC3C,MAAM,MACJ,IAAI,UAAU,kBAAkB,kBAAkB,aAAa,EAAE,GAAG;EACvE,CAAC;EACF"}
package/dist/server/providers.js CHANGED
@@ -10,11 +10,13 @@ function isClassProvider(provider) {
10
10
  *
11
11
  * @internal
12
12
  */
13
+ /** @internal */
13
14
  function configDefaults(config_) {
14
15
  const config = materializeAndDefaultProviders(config_);
15
16
  const extraProviders = config.providers.filter((p) => p.type === "credentials").map((p) => p.extraProviders).flat().filter((p) => p !== void 0);
16
17
  return {
17
18
  ...config,
19
+ authorization: normalizeAuthorizationConfig(config.authorization),
18
20
  extraProviders: materializeProviders(extraProviders)
19
21
  };
20
22
  }
@@ -23,6 +25,7 @@ function configDefaults(config_) {
23
25
  *
24
26
  * @internal
25
27
  */
28
+ /** @internal */
26
29
  function materializeProvider(provider) {
27
30
  const config = {
28
31
  providers: [provider],
@@ -36,6 +39,7 @@ function materializeProvider(provider) {
36
39
  *
37
40
  * @internal
38
41
  */
42
+ /** @internal */
39
43
  function listAvailableProviders(config, allowExtraProviders) {
40
44
  const availableProviders = config.providers.concat(allowExtraProviders ? config.extraProviders : []).map((provider) => `\`${provider.id}\``);
41
45
  return availableProviders.length > 0 ? availableProviders.join(", ") : "no providers have been configured";
@@ -93,6 +97,12 @@ function materializeAndDefaultProviders(config_) {
93
97
  });
94
98
  return config;
95
99
  }
100
+ function normalizeAuthorizationConfig(authorization) {
101
+ return { roles: Object.fromEntries(Object.entries(authorization?.roles ?? {}).map(([roleId, role]) => [roleId, {
102
+ ...role.label ? { label: role.label } : {},
103
+ grants: Array.from(new Set(role.grants)).sort()
104
+ }])) };
105
+ }
96
106
  /**
97
107
  * Materialize an Arctic-based `OAuthProviderInstance` into the runtime config.
98
108
  */
package/dist/server/providers.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"providers.js","names":[],"sources":["../../src/server/providers.ts"],"sourcesContent":["import {\n isOAuthProvider,\n type OAuthProviderInstance,\n} from \"../providers/oauth\";\nimport {\n AuthProviderConfig,\n AuthProviderMaterializedConfig,\n ConvexAuthConfig,\n OAuthMaterializedConfig,\n} from \"./types\";\n\n// ============================================================================\n// Provider class detection\n// ============================================================================\n\n/** Check if something is a new-style class provider with `_toMaterialized()`. */\nfunction isClassProvider(\n provider: any,\n): provider is { _toMaterialized(): AuthProviderMaterializedConfig } {\n return (\n typeof provider === \"object\" &&\n provider !== null &&\n typeof provider._toMaterialized === \"function\"\n );\n}\n\n// ============================================================================\n// Public API\n// ============================================================================\n\n/**\n * Resolve raw provider configs into materialized form and apply defaults.\n *\n * @internal\n */\nexport function configDefaults(config_: ConvexAuthConfig) {\n const config = materializeAndDefaultProviders(config_);\n // Collect extra providers from credentials providers\n const extraProviders = config.providers\n .filter((p) => p.type === \"credentials\")\n .map((p) => p.extraProviders)\n .flat()\n .filter((p) => p !== undefined);\n return {\n ...config,\n extraProviders: materializeProviders(extraProviders),\n };\n}\n\n/**\n * Materialize a single provider config into its runtime form.\n *\n * @internal\n */\nexport function materializeProvider(provider: AuthProviderConfig) {\n const config = { providers: [provider], component: {} as any };\n materializeAndDefaultProviders(config);\n return config.providers[0] as AuthProviderMaterializedConfig;\n}\n\n/**\n * List available provider IDs for error messages.\n *\n * @internal\n */\nexport function listAvailableProviders(\n config: ReturnType<typeof configDefaults>,\n allowExtraProviders: boolean,\n) {\n const availableProviders = config.providers\n .concat(allowExtraProviders ? config.extraProviders : [])\n .map((provider) => `\\`${provider.id}\\``);\n return availableProviders.length > 0\n ? availableProviders.join(\", \")\n : \"no providers have been configured\";\n}\n\n// ============================================================================\n// Internal helpers\n// ============================================================================\n\nfunction materializeProviders(providers: AuthProviderConfig[]) {\n const config = { providers, component: {} as any };\n materializeAndDefaultProviders(config);\n return config.providers as AuthProviderMaterializedConfig[];\n}\n\ntype ProviderMaterializationDispatch =\n | { tag: \"oauth\"; raw: OAuthProviderInstance }\n | {\n tag: \"class\";\n raw: { _toMaterialized(): AuthProviderMaterializedConfig };\n }\n | { tag: \"factoryOrObject\"; raw: AuthProviderConfig };\n\ntype ProviderMaterializationHandlers<T> = {\n oauth: (\n dispatch: Extract<ProviderMaterializationDispatch, { tag: \"oauth\" }>,\n ) => T;\n class: (\n dispatch: Extract<ProviderMaterializationDispatch, { tag: \"class\" }>,\n ) => T;\n factoryOrObject: (\n dispatch: Extract<\n ProviderMaterializationDispatch,\n { tag: \"factoryOrObject\" }\n >,\n ) => T;\n};\n\nfunction decodeProviderMaterializationDispatch(\n raw: AuthProviderConfig,\n): ProviderMaterializationDispatch {\n if (isOAuthProvider(raw)) {\n return { tag: \"oauth\", raw };\n }\n if (isClassProvider(raw)) {\n return { tag: \"class\", raw };\n }\n return { tag: \"factoryOrObject\", raw };\n}\n\nfunction matchProviderMaterializationDispatch<T>(\n dispatch: ProviderMaterializationDispatch,\n handlers: ProviderMaterializationHandlers<T>,\n): T {\n return (\n handlers[dispatch.tag] as (dispatch: ProviderMaterializationDispatch) => T\n )(dispatch);\n}\n\nfunction materializeProviderConfig(raw: AuthProviderConfig) {\n const dispatch = decodeProviderMaterializationDispatch(raw);\n return matchProviderMaterializationDispatch(dispatch, {\n oauth: (d) => materializeOAuthProvider(d.raw),\n class: (d) => d.raw._toMaterialized(),\n factoryOrObject: (d) => {\n const resolved = typeof d.raw === \"function\" ? d.raw() : (d.raw as any);\n const merged = resolved.options\n ? { ...resolved, ...resolved.options }\n : resolved;\n return merged as AuthProviderMaterializedConfig;\n },\n });\n}\n\nfunction materializeAndDefaultProviders(config_: ConvexAuthConfig) {\n const allProviders: AuthProviderMaterializedConfig[] = [];\n\n for (const raw of config_.providers) {\n allProviders.push(materializeProviderConfig(raw));\n }\n\n const config = { ...config_, providers: allProviders };\n\n // Set phone provider API key from env\n config.providers.forEach((provider) => {\n if (provider.type === \"phone\") {\n const ID = provider.id.toUpperCase().replace(/-/g, \"_\");\n provider.apiKey ??= process.env[`AUTH_${ID}_KEY`];\n }\n });\n\n return config;\n}\n\n/**\n * Materialize an Arctic-based `OAuthProviderInstance` into the runtime config.\n */\nfunction materializeOAuthProvider(\n instance: OAuthProviderInstance,\n): OAuthMaterializedConfig {\n return {\n id: instance.id,\n type: \"oauth\",\n provider: instance.provider,\n scopes: instance.scopes,\n profile: instance.profile,\n };\n}\n"],"mappings":";;;;AAgBA,SAAS,gBACP,UACmE;AACnE,QACE,OAAO,aAAa,YACpB,aAAa,QACb,OAAO,SAAS,oBAAoB;;;;;;;AAaxC,SAAgB,eAAe,SAA2B;CACxD,MAAM,SAAS,+BAA+B,QAAQ;CAEtD,MAAM,iBAAiB,OAAO,UAC3B,QAAQ,MAAM,EAAE,SAAS,cAAc,CACvC,KAAK,MAAM,EAAE,eAAe,CAC5B,MAAM,CACN,QAAQ,MAAM,MAAM,OAAU;AACjC,QAAO;EACL,GAAG;EACH,gBAAgB,qBAAqB,eAAe;EACrD;;;;;;;AAQH,SAAgB,oBAAoB,UAA8B;CAChE,MAAM,SAAS;EAAE,WAAW,CAAC,SAAS;EAAE,WAAW,EAAE;EAAS;AAC9D,gCAA+B,OAAO;AACtC,QAAO,OAAO,UAAU;;;;;;;AAQ1B,SAAgB,uBACd,QACA,qBACA;CACA,MAAM,qBAAqB,OAAO,UAC/B,OAAO,sBAAsB,OAAO,iBAAiB,EAAE,CAAC,CACxD,KAAK,aAAa,KAAK,SAAS,GAAG,IAAI;AAC1C,QAAO,mBAAmB,SAAS,IAC/B,mBAAmB,KAAK,KAAK,GAC7B;;AAON,SAAS,qBAAqB,WAAiC;CAC7D,MAAM,SAAS;EAAE;EAAW,WAAW,EAAE;EAAS;AAClD,gCAA+B,OAAO;AACtC,QAAO,OAAO;;AA0BhB,SAAS,sCACP,KACiC;AACjC,KAAI,gBAAgB,IAAI,CACtB,QAAO;EAAE,KAAK;EAAS;EAAK;AAE9B,KAAI,gBAAgB,IAAI,CACtB,QAAO;EAAE,KAAK;EAAS;EAAK;AAE9B,QAAO;EAAE,KAAK;EAAmB;EAAK;;AAGxC,SAAS,qCACP,UACA,UACG;AACH,QACE,SAAS,SAAS,KAClB,SAAS;;AAGb,SAAS,0BAA0B,KAAyB;AAE1D,QAAO,qCADU,sCAAsC,IAAI,EACL;EACpD,QAAQ,MAAM,yBAAyB,EAAE,IAAI;EAC7C,QAAQ,MAAM,EAAE,IAAI,iBAAiB;EACrC,kBAAkB,MAAM;GACtB,MAAM,WAAW,OAAO,EAAE,QAAQ,aAAa,EAAE,KAAK,GAAI,EAAE;AAI5D,UAHe,SAAS,UACpB;IAAE,GAAG;IAAU,GAAG,SAAS;IAAS,GACpC;;EAGP,CAAC;;AAGJ,SAAS,+BAA+B,SAA2B;CACjE,MAAM,eAAiD,EAAE;AAEzD,MAAK,MAAM,OAAO,QAAQ,UACxB,cAAa,KAAK,0BAA0B,IAAI,CAAC;CAGnD,MAAM,SAAS;EAAE,GAAG;EAAS,WAAW;EAAc;AAGtD,QAAO,UAAU,SAAS,aAAa;AACrC,MAAI,SAAS,SAAS,SAAS;GAC7B,MAAM,KAAK,SAAS,GAAG,aAAa,CAAC,QAAQ,MAAM,IAAI;AACvD,YAAS,WAAW,QAAQ,IAAI,QAAQ,GAAG;;GAE7C;AAEF,QAAO;;;;;AAMT,SAAS,yBACP,UACyB;AACzB,QAAO;EACL,IAAI,SAAS;EACb,MAAM;EACN,UAAU,SAAS;EACnB,QAAQ,SAAS;EACjB,SAAS,SAAS;EACnB"}
1
+ {"version":3,"file":"providers.js","names":[],"sources":["../../src/server/providers.ts"],"sourcesContent":["import {\n isOAuthProvider,\n type OAuthProviderInstance,\n} from \"../providers/oauth\";\nimport {\n AuthAuthorizationConfig,\n AuthProviderConfig,\n AuthProviderMaterializedConfig,\n ConvexAuthConfig,\n OAuthMaterializedConfig,\n} from \"./types\";\n\n// ============================================================================\n// Provider class detection\n// ============================================================================\n\n/** Check if something is a new-style class provider with `_toMaterialized()`. */\nfunction isClassProvider(\n provider: any,\n): provider is { _toMaterialized(): AuthProviderMaterializedConfig } {\n return (\n typeof provider === \"object\" &&\n provider !== null &&\n typeof provider._toMaterialized === \"function\"\n );\n}\n\n// ============================================================================\n// Public API\n// ============================================================================\n\n/**\n * Resolve raw provider configs into materialized form and apply defaults.\n *\n * @internal\n */\n/** @internal */\nexport function configDefaults(config_: ConvexAuthConfig) {\n const config = materializeAndDefaultProviders(config_);\n // Collect extra providers from credentials providers\n const extraProviders = config.providers\n .filter((p) => p.type === \"credentials\")\n .map((p) => p.extraProviders)\n .flat()\n .filter((p) => p !== undefined);\n return {\n ...config,\n authorization: normalizeAuthorizationConfig(config.authorization),\n extraProviders: materializeProviders(extraProviders),\n };\n}\n\n/**\n * Materialize a single provider config into its runtime form.\n *\n * @internal\n */\n/** @internal */\nexport function materializeProvider(provider: AuthProviderConfig) {\n const config = { providers: [provider], component: {} as any };\n materializeAndDefaultProviders(config);\n return config.providers[0] as AuthProviderMaterializedConfig;\n}\n\n/**\n * List available provider IDs for error messages.\n *\n * @internal\n */\n/** @internal */\nexport function listAvailableProviders(\n config: ReturnType<typeof configDefaults>,\n allowExtraProviders: boolean,\n) {\n const availableProviders = config.providers\n .concat(allowExtraProviders ? config.extraProviders : [])\n .map((provider) => `\\`${provider.id}\\``);\n return availableProviders.length > 0\n ? availableProviders.join(\", \")\n : \"no providers have been configured\";\n}\n\n// ============================================================================\n// Internal helpers\n// ============================================================================\n\nfunction materializeProviders(providers: AuthProviderConfig[]) {\n const config = { providers, component: {} as any };\n materializeAndDefaultProviders(config);\n return config.providers as AuthProviderMaterializedConfig[];\n}\n\ntype ProviderMaterializationDispatch =\n | { tag: \"oauth\"; raw: OAuthProviderInstance }\n | {\n tag: \"class\";\n raw: { _toMaterialized(): AuthProviderMaterializedConfig };\n }\n | { tag: \"factoryOrObject\"; raw: AuthProviderConfig };\n\ntype ProviderMaterializationHandlers<T> = {\n oauth: (\n dispatch: Extract<ProviderMaterializationDispatch, { tag: \"oauth\" }>,\n ) => T;\n class: (\n dispatch: Extract<ProviderMaterializationDispatch, { tag: \"class\" }>,\n ) => T;\n factoryOrObject: (\n dispatch: Extract<\n ProviderMaterializationDispatch,\n { tag: \"factoryOrObject\" }\n >,\n ) => T;\n};\n\nfunction decodeProviderMaterializationDispatch(\n raw: AuthProviderConfig,\n): ProviderMaterializationDispatch {\n if (isOAuthProvider(raw)) {\n return { tag: \"oauth\", raw };\n }\n if (isClassProvider(raw)) {\n return { tag: \"class\", raw };\n }\n return { tag: \"factoryOrObject\", raw };\n}\n\nfunction matchProviderMaterializationDispatch<T>(\n dispatch: ProviderMaterializationDispatch,\n handlers: ProviderMaterializationHandlers<T>,\n): T {\n return (\n handlers[dispatch.tag] as (dispatch: ProviderMaterializationDispatch) => T\n )(dispatch);\n}\n\nfunction materializeProviderConfig(raw: AuthProviderConfig) {\n const dispatch = decodeProviderMaterializationDispatch(raw);\n return matchProviderMaterializationDispatch(dispatch, {\n oauth: (d) => materializeOAuthProvider(d.raw),\n class: (d) => d.raw._toMaterialized(),\n factoryOrObject: (d) => {\n const resolved = typeof d.raw === \"function\" ? d.raw() : (d.raw as any);\n const merged = resolved.options\n ? { ...resolved, ...resolved.options }\n : resolved;\n return merged as AuthProviderMaterializedConfig;\n },\n });\n}\n\nfunction materializeAndDefaultProviders(config_: ConvexAuthConfig) {\n const allProviders: AuthProviderMaterializedConfig[] = [];\n\n for (const raw of config_.providers) {\n allProviders.push(materializeProviderConfig(raw));\n }\n\n const config = { ...config_, providers: allProviders };\n\n // Set phone provider API key from env\n config.providers.forEach((provider) => {\n if (provider.type === \"phone\") {\n const ID = provider.id.toUpperCase().replace(/-/g, \"_\");\n provider.apiKey ??= process.env[`AUTH_${ID}_KEY`];\n }\n });\n\n return config;\n}\n\nfunction normalizeAuthorizationConfig(\n authorization: ConvexAuthConfig[\"authorization\"],\n): AuthAuthorizationConfig {\n const roles = Object.fromEntries(\n Object.entries(authorization?.roles ?? {}).map(([roleId, role]) => [\n roleId,\n {\n ...(role.label ? { label: role.label } : {}),\n grants: Array.from(new Set(role.grants)).sort(),\n },\n ]),\n );\n return { roles };\n}\n\n/**\n * Materialize an Arctic-based `OAuthProviderInstance` into the runtime config.\n */\nfunction materializeOAuthProvider(\n instance: OAuthProviderInstance,\n): OAuthMaterializedConfig {\n return {\n id: instance.id,\n type: \"oauth\",\n provider: instance.provider,\n scopes: instance.scopes,\n profile: instance.profile,\n };\n}\n"],"mappings":";;;;AAiBA,SAAS,gBACP,UACmE;AACnE,QACE,OAAO,aAAa,YACpB,aAAa,QACb,OAAO,SAAS,oBAAoB;;;;;;;;AAcxC,SAAgB,eAAe,SAA2B;CACxD,MAAM,SAAS,+BAA+B,QAAQ;CAEtD,MAAM,iBAAiB,OAAO,UAC3B,QAAQ,MAAM,EAAE,SAAS,cAAc,CACvC,KAAK,MAAM,EAAE,eAAe,CAC5B,MAAM,CACN,QAAQ,MAAM,MAAM,OAAU;AACjC,QAAO;EACL,GAAG;EACH,eAAe,6BAA6B,OAAO,cAAc;EACjE,gBAAgB,qBAAqB,eAAe;EACrD;;;;;;;;AASH,SAAgB,oBAAoB,UAA8B;CAChE,MAAM,SAAS;EAAE,WAAW,CAAC,SAAS;EAAE,WAAW,EAAE;EAAS;AAC9D,gCAA+B,OAAO;AACtC,QAAO,OAAO,UAAU;;;;;;;;AAS1B,SAAgB,uBACd,QACA,qBACA;CACA,MAAM,qBAAqB,OAAO,UAC/B,OAAO,sBAAsB,OAAO,iBAAiB,EAAE,CAAC,CACxD,KAAK,aAAa,KAAK,SAAS,GAAG,IAAI;AAC1C,QAAO,mBAAmB,SAAS,IAC/B,mBAAmB,KAAK,KAAK,GAC7B;;AAON,SAAS,qBAAqB,WAAiC;CAC7D,MAAM,SAAS;EAAE;EAAW,WAAW,EAAE;EAAS;AAClD,gCAA+B,OAAO;AACtC,QAAO,OAAO;;AA0BhB,SAAS,sCACP,KACiC;AACjC,KAAI,gBAAgB,IAAI,CACtB,QAAO;EAAE,KAAK;EAAS;EAAK;AAE9B,KAAI,gBAAgB,IAAI,CACtB,QAAO;EAAE,KAAK;EAAS;EAAK;AAE9B,QAAO;EAAE,KAAK;EAAmB;EAAK;;AAGxC,SAAS,qCACP,UACA,UACG;AACH,QACE,SAAS,SAAS,KAClB,SAAS;;AAGb,SAAS,0BAA0B,KAAyB;AAE1D,QAAO,qCADU,sCAAsC,IAAI,EACL;EACpD,QAAQ,MAAM,yBAAyB,EAAE,IAAI;EAC7C,QAAQ,MAAM,EAAE,IAAI,iBAAiB;EACrC,kBAAkB,MAAM;GACtB,MAAM,WAAW,OAAO,EAAE,QAAQ,aAAa,EAAE,KAAK,GAAI,EAAE;AAI5D,UAHe,SAAS,UACpB;IAAE,GAAG;IAAU,GAAG,SAAS;IAAS,GACpC;;EAGP,CAAC;;AAGJ,SAAS,+BAA+B,SAA2B;CACjE,MAAM,eAAiD,EAAE;AAEzD,MAAK,MAAM,OAAO,QAAQ,UACxB,cAAa,KAAK,0BAA0B,IAAI,CAAC;CAGnD,MAAM,SAAS;EAAE,GAAG;EAAS,WAAW;EAAc;AAGtD,QAAO,UAAU,SAAS,aAAa;AACrC,MAAI,SAAS,SAAS,SAAS;GAC7B,MAAM,KAAK,SAAS,GAAG,aAAa,CAAC,QAAQ,MAAM,IAAI;AACvD,YAAS,WAAW,QAAQ,IAAI,QAAQ,GAAG;;GAE7C;AAEF,QAAO;;AAGT,SAAS,6BACP,eACyB;AAUzB,QAAO,EAAE,OATK,OAAO,YACnB,OAAO,QAAQ,eAAe,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,QAAQ,UAAU,CACjE,QACA;EACE,GAAI,KAAK,QAAQ,EAAE,OAAO,KAAK,OAAO,GAAG,EAAE;EAC3C,QAAQ,MAAM,KAAK,IAAI,IAAI,KAAK,OAAO,CAAC,CAAC,MAAM;EAChD,CACF,CAAC,CACH,EACe;;;;;AAMlB,SAAS,yBACP,UACyB;AACzB,QAAO;EACL,IAAI,SAAS;EACb,MAAM;EACN,UAAU,SAAS;EACnB,QAAQ,SAAS;EACjB,SAAS,SAAS;EACnB"}
package/dist/server/ratelimit.d.ts CHANGED
@@ -1,22 +1 @@
1
- import { ConvexAuthConfig, MutationCtx } from "./types.js";
2
- import { AuthError } from "./fx.js";
3
- import { Fx } from "@robelest/fx";
4
-
5
- //#region src/server/ratelimit.d.ts
6
- /**
7
- * Check whether the given identifier is currently rate-limited.
8
- */
9
- declare const isSignInRateLimited: (ctx: MutationCtx, identifier: string, config: ConvexAuthConfig) => Fx<boolean, AuthError>;
10
- /**
11
- * Record a failed sign-in attempt for the given identifier.
12
- *
13
- * If a record exists, decrement; otherwise create.
14
- */
15
- declare const recordFailedSignIn: (ctx: MutationCtx, identifier: string, config: ConvexAuthConfig) => Fx<void, AuthError>;
16
- /**
17
- * Reset the rate limit for the given identifier (e.g. after successful sign-in).
18
- */
19
- declare const resetSignInRateLimit: (ctx: MutationCtx, identifier: string, config: ConvexAuthConfig) => Fx<void, AuthError>;
20
- //#endregion
21
- export { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit };
22
- //# sourceMappingURL=ratelimit.d.ts.map
1
+ export { };
package/dist/server/ratelimit.js CHANGED
@@ -8,12 +8,14 @@ const DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;
8
8
  /**
9
9
  * Check whether the given identifier is currently rate-limited.
10
10
  */
11
+ /** @internal */
11
12
  const isSignInRateLimited = (ctx, identifier, config) => getRateLimitState(ctx, identifier, config).pipe(Fx.map((state) => state !== null && state.attemptsLeft < 1));
12
13
  /**
13
14
  * Record a failed sign-in attempt for the given identifier.
14
15
  *
15
16
  * If a record exists, decrement; otherwise create.
16
17
  */
18
+ /** @internal */
17
19
  const recordFailedSignIn = (ctx, identifier, config) => getRateLimitState(ctx, identifier, config).pipe(Fx.chain((state) => state !== null ? Fx.from({
18
20
  ok: () => authDb(ctx, config).rateLimits.patch(state.limit._id, {
19
21
  attemptsLeft: state.attemptsLeft - 1,
@@ -31,6 +33,7 @@ const recordFailedSignIn = (ctx, identifier, config) => getRateLimitState(ctx, i
31
33
  /**
32
34
  * Reset the rate limit for the given identifier (e.g. after successful sign-in).
33
35
  */
36
+ /** @internal */
34
37
  const resetSignInRateLimit = (ctx, identifier, config) => getRateLimitState(ctx, identifier, config).pipe(Fx.chain((state) => state !== null ? Fx.from({
35
38
  ok: () => authDb(ctx, config).rateLimits.delete(state.limit._id),
36
39
  err: (e) => new AuthError("INTERNAL_ERROR", `Failed to delete rate limit: ${errorMessage(e)}`)
package/dist/server/ratelimit.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"ratelimit.js","names":[],"sources":["../../src/server/ratelimit.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\n\nimport { authDb } from \"./db\";\nimport { AuthError } from \"./fx\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { ConvexAuthConfig } from \"./types\";\nimport { errorMessage } from \"./utils\";\n\nconst DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;\n\n/**\n * Check whether the given identifier is currently rate-limited.\n */\nexport const isSignInRateLimited = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<boolean, AuthError> =>\n getRateLimitState(ctx, identifier, config).pipe(\n Fx.map((state) => state !== null && state.attemptsLeft < 1),\n );\n\n/**\n * Record a failed sign-in attempt for the given identifier.\n *\n * If a record exists, decrement; otherwise create.\n */\nexport const recordFailedSignIn = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<void, AuthError> =>\n getRateLimitState(ctx, identifier, config).pipe(\n Fx.chain((state) =>\n state !== null\n ? Fx.from({\n ok: () =>\n authDb(ctx, config).rateLimits.patch(state.limit._id, {\n attemptsLeft: state.attemptsLeft - 1,\n lastAttemptTime: Date.now(),\n }),\n err: (e) =>\n new AuthError(\n \"INTERNAL_ERROR\",\n `Failed to patch rate limit: ${errorMessage(e)}`,\n ),\n })\n : Fx.from({\n ok: () =>\n authDb(ctx, config).rateLimits.create({\n identifier,\n attemptsLeft:\n (config.signIn?.maxFailedAttemptsPerHour ??\n DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR) - 1,\n lastAttemptTime: Date.now(),\n }),\n err: (e) =>\n new AuthError(\n \"INTERNAL_ERROR\",\n `Failed to create rate limit: ${errorMessage(e)}`,\n ),\n }),\n ),\n Fx.map(() => undefined),\n );\n\n/**\n * Reset the rate limit for the given identifier (e.g. after successful sign-in).\n */\nexport const resetSignInRateLimit = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<void, AuthError> =>\n getRateLimitState(ctx, identifier, config).pipe(\n Fx.chain((state) =>\n state !== null\n ? Fx.from({\n ok: () => authDb(ctx, config).rateLimits.delete(state.limit._id),\n err: (e) =>\n new AuthError(\n \"INTERNAL_ERROR\",\n `Failed to delete rate limit: ${errorMessage(e)}`,\n ),\n })\n : Fx.unit,\n ),\n );\n\n// ---------------------------------------------------------------------------\n// Internal\n// ---------------------------------------------------------------------------\n\ntype RateLimitState = {\n limit: Doc<\"RateLimit\"> & { attemptsLeft: number; lastAttemptTime: number };\n attemptsLeft: number;\n} | null;\n\nconst getRateLimitState = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<RateLimitState, AuthError> => {\n const now = Date.now();\n const maxAttemptsPerHour =\n config.signIn?.maxFailedAttemptsPerHour ??\n DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR;\n\n return Fx.from({\n ok: () => authDb(ctx, config).rateLimits.get(identifier),\n err: (e) =>\n new AuthError(\n \"INTERNAL_ERROR\",\n `Failed to get rate limit: ${errorMessage(e)}`,\n ),\n }).pipe(\n Fx.map((raw) => {\n const limit = raw as\n | (Doc<\"RateLimit\"> & { attemptsLeft: number; lastAttemptTime: number })\n | null;\n if (limit === null) return null;\n const elapsed = now - limit.lastAttemptTime;\n const maxAttemptsPerMs = maxAttemptsPerHour / (60 * 60 * 1000);\n const attemptsLeft = Math.min(\n maxAttemptsPerHour,\n limit.attemptsLeft + elapsed * maxAttemptsPerMs,\n );\n return { limit, attemptsLeft };\n }),\n );\n};\n"],"mappings":";;;;;;AAQA,MAAM,wCAAwC;;;;AAK9C,MAAa,uBACX,KACA,YACA,WAEA,kBAAkB,KAAK,YAAY,OAAO,CAAC,KACzC,GAAG,KAAK,UAAU,UAAU,QAAQ,MAAM,eAAe,EAAE,CAC5D;;;;;;AAOH,MAAa,sBACX,KACA,YACA,WAEA,kBAAkB,KAAK,YAAY,OAAO,CAAC,KACzC,GAAG,OAAO,UACR,UAAU,OACN,GAAG,KAAK;CACN,UACE,OAAO,KAAK,OAAO,CAAC,WAAW,MAAM,MAAM,MAAM,KAAK;EACpD,cAAc,MAAM,eAAe;EACnC,iBAAiB,KAAK,KAAK;EAC5B,CAAC;CACJ,MAAM,MACJ,IAAI,UACF,kBACA,+BAA+B,aAAa,EAAE,GAC/C;CACJ,CAAC,GACF,GAAG,KAAK;CACN,UACE,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO;EACpC;EACA,eACG,OAAO,QAAQ,4BACd,yCAAyC;EAC7C,iBAAiB,KAAK,KAAK;EAC5B,CAAC;CACJ,MAAM,MACJ,IAAI,UACF,kBACA,gCAAgC,aAAa,EAAE,GAChD;CACJ,CAAC,CACP,EACD,GAAG,UAAU,OAAU,CACxB;;;;AAKH,MAAa,wBACX,KACA,YACA,WAEA,kBAAkB,KAAK,YAAY,OAAO,CAAC,KACzC,GAAG,OAAO,UACR,UAAU,OACN,GAAG,KAAK;CACN,UAAU,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO,MAAM,MAAM,IAAI;CAChE,MAAM,MACJ,IAAI,UACF,kBACA,gCAAgC,aAAa,EAAE,GAChD;CACJ,CAAC,GACF,GAAG,KACR,CACF;AAWH,MAAM,qBACJ,KACA,YACA,WACkC;CAClC,MAAM,MAAM,KAAK,KAAK;CACtB,MAAM,qBACJ,OAAO,QAAQ,4BACf;AAEF,QAAO,GAAG,KAAK;EACb,UAAU,OAAO,KAAK,OAAO,CAAC,WAAW,IAAI,WAAW;EACxD,MAAM,MACJ,IAAI,UACF,kBACA,6BAA6B,aAAa,EAAE,GAC7C;EACJ,CAAC,CAAC,KACD,GAAG,KAAK,QAAQ;EACd,MAAM,QAAQ;AAGd,MAAI,UAAU,KAAM,QAAO;EAC3B,MAAM,UAAU,MAAM,MAAM;EAC5B,MAAM,mBAAmB,sBAAsB,OAAU;AAKzD,SAAO;GAAE;GAAO,cAJK,KAAK,IACxB,oBACA,MAAM,eAAe,UAAU,iBAChC;GAC6B;GAC9B,CACH"}
1
+ {"version":3,"file":"ratelimit.js","names":[],"sources":["../../src/server/ratelimit.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\n\nimport { authDb } from \"./db\";\nimport { AuthError } from \"./fx\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { ConvexAuthConfig } from \"./types\";\nimport { errorMessage } from \"./utils\";\n\nconst DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;\n\n/**\n * Check whether the given identifier is currently rate-limited.\n */\n/** @internal */\nexport const isSignInRateLimited = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<boolean, AuthError> =>\n getRateLimitState(ctx, identifier, config).pipe(\n Fx.map((state) => state !== null && state.attemptsLeft < 1),\n );\n\n/**\n * Record a failed sign-in attempt for the given identifier.\n *\n * If a record exists, decrement; otherwise create.\n */\n/** @internal */\nexport const recordFailedSignIn = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<void, AuthError> =>\n getRateLimitState(ctx, identifier, config).pipe(\n Fx.chain((state) =>\n state !== null\n ? Fx.from({\n ok: () =>\n authDb(ctx, config).rateLimits.patch(state.limit._id, {\n attemptsLeft: state.attemptsLeft - 1,\n lastAttemptTime: Date.now(),\n }),\n err: (e) =>\n new AuthError(\n \"INTERNAL_ERROR\",\n `Failed to patch rate limit: ${errorMessage(e)}`,\n ),\n })\n : Fx.from({\n ok: () =>\n authDb(ctx, config).rateLimits.create({\n identifier,\n attemptsLeft:\n (config.signIn?.maxFailedAttemptsPerHour ??\n DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR) - 1,\n lastAttemptTime: Date.now(),\n }),\n err: (e) =>\n new AuthError(\n \"INTERNAL_ERROR\",\n `Failed to create rate limit: ${errorMessage(e)}`,\n ),\n }),\n ),\n Fx.map(() => undefined),\n );\n\n/**\n * Reset the rate limit for the given identifier (e.g. after successful sign-in).\n */\n/** @internal */\nexport const resetSignInRateLimit = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<void, AuthError> =>\n getRateLimitState(ctx, identifier, config).pipe(\n Fx.chain((state) =>\n state !== null\n ? Fx.from({\n ok: () => authDb(ctx, config).rateLimits.delete(state.limit._id),\n err: (e) =>\n new AuthError(\n \"INTERNAL_ERROR\",\n `Failed to delete rate limit: ${errorMessage(e)}`,\n ),\n })\n : Fx.unit,\n ),\n );\n\n// ---------------------------------------------------------------------------\n// Internal\n// ---------------------------------------------------------------------------\n\ntype RateLimitState = {\n limit: Doc<\"RateLimit\"> & { attemptsLeft: number; lastAttemptTime: number };\n attemptsLeft: number;\n} | null;\n\nconst getRateLimitState = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<RateLimitState, AuthError> => {\n const now = Date.now();\n const maxAttemptsPerHour =\n config.signIn?.maxFailedAttemptsPerHour ??\n DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR;\n\n return Fx.from({\n ok: () => authDb(ctx, config).rateLimits.get(identifier),\n err: (e) =>\n new AuthError(\n \"INTERNAL_ERROR\",\n `Failed to get rate limit: ${errorMessage(e)}`,\n ),\n }).pipe(\n Fx.map((raw) => {\n const limit = raw as\n | (Doc<\"RateLimit\"> & { attemptsLeft: number; lastAttemptTime: number })\n | null;\n if (limit === null) return null;\n const elapsed = now - limit.lastAttemptTime;\n const maxAttemptsPerMs = maxAttemptsPerHour / (60 * 60 * 1000);\n const attemptsLeft = Math.min(\n maxAttemptsPerHour,\n limit.attemptsLeft + elapsed * maxAttemptsPerMs,\n );\n return { limit, attemptsLeft };\n }),\n );\n};\n"],"mappings":";;;;;;AAQA,MAAM,wCAAwC;;;;;AAM9C,MAAa,uBACX,KACA,YACA,WAEA,kBAAkB,KAAK,YAAY,OAAO,CAAC,KACzC,GAAG,KAAK,UAAU,UAAU,QAAQ,MAAM,eAAe,EAAE,CAC5D;;;;;;;AAQH,MAAa,sBACX,KACA,YACA,WAEA,kBAAkB,KAAK,YAAY,OAAO,CAAC,KACzC,GAAG,OAAO,UACR,UAAU,OACN,GAAG,KAAK;CACN,UACE,OAAO,KAAK,OAAO,CAAC,WAAW,MAAM,MAAM,MAAM,KAAK;EACpD,cAAc,MAAM,eAAe;EACnC,iBAAiB,KAAK,KAAK;EAC5B,CAAC;CACJ,MAAM,MACJ,IAAI,UACF,kBACA,+BAA+B,aAAa,EAAE,GAC/C;CACJ,CAAC,GACF,GAAG,KAAK;CACN,UACE,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO;EACpC;EACA,eACG,OAAO,QAAQ,4BACd,yCAAyC;EAC7C,iBAAiB,KAAK,KAAK;EAC5B,CAAC;CACJ,MAAM,MACJ,IAAI,UACF,kBACA,gCAAgC,aAAa,EAAE,GAChD;CACJ,CAAC,CACP,EACD,GAAG,UAAU,OAAU,CACxB;;;;;AAMH,MAAa,wBACX,KACA,YACA,WAEA,kBAAkB,KAAK,YAAY,OAAO,CAAC,KACzC,GAAG,OAAO,UACR,UAAU,OACN,GAAG,KAAK;CACN,UAAU,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO,MAAM,MAAM,IAAI;CAChE,MAAM,MACJ,IAAI,UACF,kBACA,gCAAgC,aAAa,EAAE,GAChD;CACJ,CAAC,GACF,GAAG,KACR,CACF;AAWH,MAAM,qBACJ,KACA,YACA,WACkC;CAClC,MAAM,MAAM,KAAK,KAAK;CACtB,MAAM,qBACJ,OAAO,QAAQ,4BACf;AAEF,QAAO,GAAG,KAAK;EACb,UAAU,OAAO,KAAK,OAAO,CAAC,WAAW,IAAI,WAAW;EACxD,MAAM,MACJ,IAAI,UACF,kBACA,6BAA6B,aAAa,EAAE,GAC7C;EACJ,CAAC,CAAC,KACD,GAAG,KAAK,QAAQ;EACd,MAAM,QAAQ;AAGd,MAAI,UAAU,KAAM,QAAO;EAC3B,MAAM,UAAU,MAAM,MAAM;EAC5B,MAAM,mBAAmB,sBAAsB,OAAU;AAKzD,SAAO;GAAE;GAAO,cAJK,KAAK,IACxB,oBACA,MAAM,eAAe,UAAU,iBAChC;GAC6B;GAC9B,CACH"}
package/dist/server/redirects.d.ts CHANGED
@@ -1,10 +1 @@
1
- import { ConvexAuthMaterializedConfig } from "./types.js";
2
-
3
- //#region src/server/redirects.d.ts
4
- declare function redirectAbsoluteUrl(config: ConvexAuthMaterializedConfig, params: {
5
- redirectTo: unknown;
6
- }): Promise<string>;
7
- declare function setURLSearchParam(absoluteUrl: string, param: string, value: string): string;
8
- //#endregion
9
- export { redirectAbsoluteUrl, setURLSearchParam };
10
- //# sourceMappingURL=redirects.d.ts.map
1
+ export { };
package/dist/server/redirects.js CHANGED
@@ -2,6 +2,7 @@ import { AuthError } from "./fx.js";
2
2
  import { requireEnv } from "./utils.js";
3
3
 
4
4
  //#region src/server/redirects.ts
5
+ /** @internal */
5
6
  async function redirectAbsoluteUrl(config, params) {
6
7
  if (params.redirectTo === void 0) return requireEnv("SITE_URL").replace(/\/$/, "");
7
8
  if (typeof params.redirectTo !== "string") throw new AuthError("INVALID_REDIRECT", `Expected \`redirectTo\` to be a string, got ${params.redirectTo}`);
@@ -16,6 +17,7 @@ async function defaultRedirectCallback({ redirectTo }) {
16
17
  if (redirectTo.startsWith("?") || redirectTo.startsWith("/")) return `${requireEnv("SITE_URL").replace(/\/$/, "")}${redirectTo}`;
17
18
  return redirectTo;
18
19
  }
20
+ /** @internal */
19
21
  function setURLSearchParam(absoluteUrl, param, value) {
20
22
  const pattern = /([^:]+):(.*)/;
21
23
  const [, scheme, rest] = absoluteUrl.match(pattern);
package/dist/server/redirects.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"redirects.js","names":[],"sources":["../../src/server/redirects.ts"],"sourcesContent":["import { AuthError } from \"./fx\";\nimport { ConvexAuthMaterializedConfig } from \"./types\";\nimport { requireEnv } from \"./utils\";\n\nexport async function redirectAbsoluteUrl(\n config: ConvexAuthMaterializedConfig,\n params: { redirectTo: unknown },\n) {\n if (params.redirectTo === undefined) {\n return requireEnv(\"SITE_URL\").replace(/\\/$/, \"\");\n }\n if (typeof params.redirectTo !== \"string\") {\n throw new AuthError(\n \"INVALID_REDIRECT\",\n `Expected \\`redirectTo\\` to be a string, got ${params.redirectTo as any}`,\n );\n }\n const redirectCallback =\n config.callbacks?.redirect ?? defaultRedirectCallback;\n try {\n return await redirectCallback({ redirectTo: params.redirectTo });\n } catch {\n throw new AuthError(\"INTERNAL_ERROR\");\n }\n}\n\nasync function defaultRedirectCallback({ redirectTo }: { redirectTo: string }) {\n // Resolve relative paths against SITE_URL; absolute URLs are passed through\n // as-is. The developer is trusted to provide valid redirect targets.\n if (redirectTo.startsWith(\"?\") || redirectTo.startsWith(\"/\")) {\n return `${requireEnv(\"SITE_URL\").replace(/\\/$/, \"\")}${redirectTo}`;\n }\n return redirectTo;\n}\n\n// Temporary work-around because Convex doesn't support\n// schemes other than http and https.\nexport function setURLSearchParam(\n absoluteUrl: string,\n param: string,\n value: string,\n) {\n const pattern = /([^:]+):(.*)/;\n const [, scheme, rest] = absoluteUrl.match(pattern)!;\n const hasNoDomain = /^\\/\\/(?:\\/|$|\\?)/.test(rest);\n const startsWithPath = hasNoDomain && rest.startsWith(\"///\");\n const url = new URL(\n `http:${hasNoDomain ? \"//googblibok\" + rest.slice(2) : rest}`,\n );\n url.searchParams.set(param, value);\n const [, , withParam] = url.toString().match(pattern)!;\n return `${scheme}:${hasNoDomain ? (startsWithPath ? \"/\" : \"\") + \"//\" + withParam.slice(13) : withParam}`;\n}\n"],"mappings":";;;;AAIA,eAAsB,oBACpB,QACA,QACA;AACA,KAAI,OAAO,eAAe,OACxB,QAAO,WAAW,WAAW,CAAC,QAAQ,OAAO,GAAG;AAElD,KAAI,OAAO,OAAO,eAAe,SAC/B,OAAM,IAAI,UACR,oBACA,+CAA+C,OAAO,aACvD;CAEH,MAAM,mBACJ,OAAO,WAAW,YAAY;AAChC,KAAI;AACF,SAAO,MAAM,iBAAiB,EAAE,YAAY,OAAO,YAAY,CAAC;SAC1D;AACN,QAAM,IAAI,UAAU,iBAAiB;;;AAIzC,eAAe,wBAAwB,EAAE,cAAsC;AAG7E,KAAI,WAAW,WAAW,IAAI,IAAI,WAAW,WAAW,IAAI,CAC1D,QAAO,GAAG,WAAW,WAAW,CAAC,QAAQ,OAAO,GAAG,GAAG;AAExD,QAAO;;AAKT,SAAgB,kBACd,aACA,OACA,OACA;CACA,MAAM,UAAU;CAChB,MAAM,GAAG,QAAQ,QAAQ,YAAY,MAAM,QAAQ;CACnD,MAAM,cAAc,mBAAmB,KAAK,KAAK;CACjD,MAAM,iBAAiB,eAAe,KAAK,WAAW,MAAM;CAC5D,MAAM,MAAM,IAAI,IACd,QAAQ,cAAc,iBAAiB,KAAK,MAAM,EAAE,GAAG,OACxD;AACD,KAAI,aAAa,IAAI,OAAO,MAAM;CAClC,MAAM,KAAK,aAAa,IAAI,UAAU,CAAC,MAAM,QAAQ;AACrD,QAAO,GAAG,OAAO,GAAG,eAAe,iBAAiB,MAAM,MAAM,OAAO,UAAU,MAAM,GAAG,GAAG"}
1
+ {"version":3,"file":"redirects.js","names":[],"sources":["../../src/server/redirects.ts"],"sourcesContent":["import { AuthError } from \"./fx\";\nimport { ConvexAuthMaterializedConfig } from \"./types\";\nimport { requireEnv } from \"./utils\";\n\n/** @internal */\nexport async function redirectAbsoluteUrl(\n config: ConvexAuthMaterializedConfig,\n params: { redirectTo: unknown },\n) {\n if (params.redirectTo === undefined) {\n return requireEnv(\"SITE_URL\").replace(/\\/$/, \"\");\n }\n if (typeof params.redirectTo !== \"string\") {\n throw new AuthError(\n \"INVALID_REDIRECT\",\n `Expected \\`redirectTo\\` to be a string, got ${params.redirectTo as any}`,\n );\n }\n const redirectCallback =\n config.callbacks?.redirect ?? defaultRedirectCallback;\n try {\n return await redirectCallback({ redirectTo: params.redirectTo });\n } catch {\n throw new AuthError(\"INTERNAL_ERROR\");\n }\n}\n\nasync function defaultRedirectCallback({ redirectTo }: { redirectTo: string }) {\n // Resolve relative paths against SITE_URL; absolute URLs are passed through\n // as-is. The developer is trusted to provide valid redirect targets.\n if (redirectTo.startsWith(\"?\") || redirectTo.startsWith(\"/\")) {\n return `${requireEnv(\"SITE_URL\").replace(/\\/$/, \"\")}${redirectTo}`;\n }\n return redirectTo;\n}\n\n// Temporary work-around because Convex doesn't support\n// schemes other than http and https.\n/** @internal */\nexport function setURLSearchParam(\n absoluteUrl: string,\n param: string,\n value: string,\n) {\n const pattern = /([^:]+):(.*)/;\n const [, scheme, rest] = absoluteUrl.match(pattern)!;\n const hasNoDomain = /^\\/\\/(?:\\/|$|\\?)/.test(rest);\n const startsWithPath = hasNoDomain && rest.startsWith(\"///\");\n const url = new URL(\n `http:${hasNoDomain ? \"//googblibok\" + rest.slice(2) : rest}`,\n );\n url.searchParams.set(param, value);\n const [, , withParam] = url.toString().match(pattern)!;\n return `${scheme}:${hasNoDomain ? (startsWithPath ? \"/\" : \"\") + \"//\" + withParam.slice(13) : withParam}`;\n}\n"],"mappings":";;;;;AAKA,eAAsB,oBACpB,QACA,QACA;AACA,KAAI,OAAO,eAAe,OACxB,QAAO,WAAW,WAAW,CAAC,QAAQ,OAAO,GAAG;AAElD,KAAI,OAAO,OAAO,eAAe,SAC/B,OAAM,IAAI,UACR,oBACA,+CAA+C,OAAO,aACvD;CAEH,MAAM,mBACJ,OAAO,WAAW,YAAY;AAChC,KAAI;AACF,SAAO,MAAM,iBAAiB,EAAE,YAAY,OAAO,YAAY,CAAC;SAC1D;AACN,QAAM,IAAI,UAAU,iBAAiB;;;AAIzC,eAAe,wBAAwB,EAAE,cAAsC;AAG7E,KAAI,WAAW,WAAW,IAAI,IAAI,WAAW,WAAW,IAAI,CAC1D,QAAO,GAAG,WAAW,WAAW,CAAC,QAAQ,OAAO,GAAG,GAAG;AAExD,QAAO;;;AAMT,SAAgB,kBACd,aACA,OACA,OACA;CACA,MAAM,UAAU;CAChB,MAAM,GAAG,QAAQ,QAAQ,YAAY,MAAM,QAAQ;CACnD,MAAM,cAAc,mBAAmB,KAAK,KAAK;CACjD,MAAM,iBAAiB,eAAe,KAAK,WAAW,MAAM;CAC5D,MAAM,MAAM,IAAI,IACd,QAAQ,cAAc,iBAAiB,KAAK,MAAM,EAAE,GAAG,OACxD;AACD,KAAI,aAAa,IAAI,OAAO,MAAM;CAClC,MAAM,KAAK,aAAa,IAAI,UAAU,CAAC,MAAM,QAAQ;AACrD,QAAO,GAAG,OAAO,GAAG,eAAe,iBAAiB,MAAM,MAAM,OAAO,UAAU,MAAM,GAAG,GAAG"}
package/dist/server/refresh.d.ts CHANGED
@@ -1,37 +1 @@
1
- import { ConvexAuthConfig, Doc, MutationCtx } from "./types.js";
2
- import { AuthError } from "./fx.js";
3
- import { Fx } from "@robelest/fx";
4
- import { GenericId } from "convex/values";
5
-
6
- //#region src/server/refresh.d.ts
7
- declare const REFRESH_TOKEN_REUSE_WINDOW_MS: number;
8
- /**
9
- * Create a new refresh token for the given session.
10
- */
11
- declare function createRefreshToken(ctx: MutationCtx, config: ConvexAuthConfig, sessionId: GenericId<"Session">, parentRefreshTokenId: GenericId<"RefreshToken"> | null): Promise<GenericId<"RefreshToken">>;
12
- /**
13
- * Parse a compound refresh token string into its constituent IDs.
14
- */
15
- declare const parseRefreshToken: (refreshToken: string) => Fx<{
16
- refreshTokenId: GenericId<"RefreshToken">;
17
- sessionId: GenericId<"Session">;
18
- }, AuthError>;
19
- /**
20
- * Mark all refresh tokens descending from the given refresh token as invalid
21
- * immediately. Used when we detect token reuse — revoke the entire tree.
22
- */
23
- declare function invalidateRefreshTokensInSubtree(ctx: MutationCtx, refreshToken: Doc<"RefreshToken">, config: ConvexAuthConfig): Promise<Doc<"RefreshToken">[]>;
24
- /**
25
- * Validate a refresh token and its associated session.
26
- *
27
- * Returns `null` on any validation failure (matching original semantics).
28
- * Each validation step is a small composable function chained with `Fx.chain`.
29
- * On failure, the error message is logged and the pipeline folds to `null`.
30
- */
31
- declare const refreshTokenIfValid: (ctx: MutationCtx, refreshTokenId: string, tokenSessionId: string, config: ConvexAuthConfig) => Fx<{
32
- session: Doc<"Session">;
33
- refreshTokenDoc: Doc<"RefreshToken">;
34
- } | null, never>;
35
- //#endregion
36
- export { REFRESH_TOKEN_REUSE_WINDOW_MS, createRefreshToken, invalidateRefreshTokensInSubtree, parseRefreshToken, refreshTokenIfValid };
37
- //# sourceMappingURL=refresh.d.ts.map
1
+ export { };
package/dist/server/refresh.js CHANGED
@@ -5,10 +5,12 @@ import { Fx } from "@robelest/fx";
5
5
 
6
6
  //#region src/server/refresh.ts
7
7
  const DEFAULT_SESSION_INACTIVE_DURATION_MS = 1e3 * 60 * 60 * 24 * 30;
8
+ /** @internal */
8
9
  const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1e3;
9
10
  /**
10
11
  * Create a new refresh token for the given session.
11
12
  */
13
+ /** @internal */
12
14
  async function createRefreshToken(ctx, config, sessionId, parentRefreshTokenId) {
13
15
  const expirationTime = Date.now() + (config.session?.inactiveDurationMs ?? (process.env.AUTH_SESSION_INACTIVE_DURATION_MS !== void 0 ? Number(process.env.AUTH_SESSION_INACTIVE_DURATION_MS) : void 0) ?? DEFAULT_SESSION_INACTIVE_DURATION_MS);
14
16
  return authDb(ctx, config).refreshTokens.create({
@@ -20,6 +22,7 @@ async function createRefreshToken(ctx, config, sessionId, parentRefreshTokenId)
20
22
  /**
21
23
  * Parse a compound refresh token string into its constituent IDs.
22
24
  */
25
+ /** @internal */
23
26
  const parseRefreshToken = (refreshToken) => {
24
27
  const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);
25
28
  const msg = `Can't parse refresh token: ${maybeRedact(refreshToken)}`;
@@ -34,6 +37,7 @@ const parseRefreshToken = (refreshToken) => {
34
37
  * Mark all refresh tokens descending from the given refresh token as invalid
35
38
  * immediately. Used when we detect token reuse — revoke the entire tree.
36
39
  */
40
+ /** @internal */
37
41
  async function invalidateRefreshTokensInSubtree(ctx, refreshToken, config) {
38
42
  const db = authDb(ctx, config);
39
43
  const tokensToInvalidate = [refreshToken];
@@ -65,6 +69,7 @@ async function invalidateRefreshTokensInSubtree(ctx, refreshToken, config) {
65
69
  * Each validation step is a small composable function chained with `Fx.chain`.
66
70
  * On failure, the error message is logged and the pipeline folds to `null`.
67
71
  */
72
+ /** @internal */
68
73
  const refreshTokenIfValid = (ctx, refreshTokenId, tokenSessionId, config) => {
69
74
  const db = authDb(ctx, config);
70
75
  const fetchDoc = (promise, failMsg) => Fx.from({