@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

package/dist/server/refresh.js.map

@@ -1 +1 @@
-{"version":3,"file":"refresh.js","names":[],"sources":["../../src/server/refresh.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { AuthError } from \"./fx\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { ConvexAuthConfig } from \"./types\";\nimport {\n  LOG_LEVELS,\n  REFRESH_TOKEN_DIVIDER,\n  logWithLevel,\n  maybeRedact,\n} from \"./utils\";\n\nconst DEFAULT_SESSION_INACTIVE_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days\nexport const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1000; // 10 seconds\n\n// ---------------------------------------------------------------------------\n// Refresh token CRUD\n// ---------------------------------------------------------------------------\n\n/**\n * Create a new refresh token for the given session.\n */\nexport async function createRefreshToken(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  sessionId: GenericId<\"Session\">,\n  parentRefreshTokenId: GenericId<\"RefreshToken\"> | null,\n): Promise<GenericId<\"RefreshToken\">> {\n  const expirationTime =\n    Date.now() +\n    (config.session?.inactiveDurationMs ??\n      (process.env.AUTH_SESSION_INACTIVE_DURATION_MS !== undefined\n        ? Number(process.env.AUTH_SESSION_INACTIVE_DURATION_MS)\n        : undefined) ??\n      DEFAULT_SESSION_INACTIVE_DURATION_MS);\n\n  return authDb(ctx, config).refreshTokens.create({\n    sessionId,\n    expirationTime,\n    parentRefreshTokenId: parentRefreshTokenId ?? undefined,\n  }) as Promise<GenericId<\"RefreshToken\">>;\n}\n\n/**\n * Parse a compound refresh token string into its constituent IDs.\n */\nexport const parseRefreshToken = (\n  refreshToken: string,\n): Fx<\n  {\n    refreshTokenId: GenericId<\"RefreshToken\">;\n    sessionId: GenericId<\"Session\">;\n  },\n  AuthError\n> => {\n  const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);\n  const msg = `Can't parse refresh token: ${maybeRedact(refreshToken)}`;\n  const refreshTokenIdFx: Fx<string, AuthError> =\n    refreshTokenId != null\n      ? Fx.succeed(refreshTokenId)\n      : Fx.fail(new AuthError(\"INVALID_REFRESH_TOKEN\", msg));\n\n  return refreshTokenIdFx.pipe(\n    Fx.chain((rtId) => {\n      const sessionIdFx: Fx<string, AuthError> =\n        sessionId != null\n          ? Fx.succeed(sessionId)\n          : Fx.fail(new AuthError(\"INVALID_REFRESH_TOKEN\", msg));\n      return sessionIdFx.pipe(\n        Fx.map((sId) => ({\n          refreshTokenId: rtId as GenericId<\"RefreshToken\">,\n          sessionId: sId as GenericId<\"Session\">,\n        })),\n      );\n    }),\n  );\n};\n\n/**\n * Mark all refresh tokens descending from the given refresh token as invalid\n * immediately. Used when we detect token reuse — revoke the entire tree.\n */\nexport async function invalidateRefreshTokensInSubtree(\n  ctx: MutationCtx,\n  refreshToken: Doc<\"RefreshToken\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const tokensToInvalidate = [refreshToken];\n  const visited = new Set<GenericId<\"RefreshToken\">>([refreshToken._id]);\n  let frontier: GenericId<\"RefreshToken\">[] = [refreshToken._id];\n  while (frontier.length > 0) {\n    const nextFrontier: GenericId<\"RefreshToken\">[] = [];\n    for (const currentTokenId of frontier) {\n      const children = (await db.refreshTokens.getChildren(\n        refreshToken.sessionId,\n        currentTokenId,\n      )) as Doc<\"RefreshToken\">[];\n      for (const child of children) {\n        if (visited.has(child._id)) continue;\n        visited.add(child._id);\n        tokensToInvalidate.push(child);\n        nextFrontier.push(child._id);\n      }\n    }\n    frontier = nextFrontier;\n  }\n  await Fx.run(\n    Fx.each(tokensToInvalidate, (token) =>\n      token.firstUsedTime === undefined ||\n      token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS\n        ? Fx.from({\n            ok: () =>\n              db.refreshTokens.patch(token._id, {\n                firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,\n              }),\n            err: (e) => e as never,\n          })\n        : Fx.unit,\n    ),\n  );\n  return tokensToInvalidate;\n}\n\n// ---------------------------------------------------------------------------\n// Validation pipeline — the core of refresh token handling\n// ---------------------------------------------------------------------------\n\n/**\n * Validate a refresh token and its associated session.\n *\n * Returns `null` on any validation failure (matching original semantics).\n * Each validation step is a small composable function chained with `Fx.chain`.\n * On failure, the error message is logged and the pipeline folds to `null`.\n */\nexport const refreshTokenIfValid = (\n  ctx: MutationCtx,\n  refreshTokenId: string,\n  tokenSessionId: string,\n  config: ConvexAuthConfig,\n): Fx<\n  { session: Doc<\"Session\">; refreshTokenDoc: Doc<\"RefreshToken\"> } | null,\n  never\n> => {\n  const db = authDb(ctx, config);\n\n  const fetchDoc = <T>(\n    promise: () => Promise<T | null>,\n    failMsg: string,\n  ): Fx<T | null, never> =>\n    Fx.from({ ok: promise, err: () => failMsg }).pipe(\n      Fx.recover((msg) => {\n        logWithLevel(LOG_LEVELS.ERROR, msg);\n        return Fx.succeed(null as T | null);\n      }),\n    );\n\n  // The entire validation is a single pipeline:\n  // fetch token → not null → not expired → session matches → fetch session → not null → not expired → combine\n  return fetchDoc(\n    () =>\n      db.refreshTokens.getById(\n        refreshTokenId as GenericId<\"RefreshToken\">,\n      ) as Promise<Doc<\"RefreshToken\"> | null>,\n    \"Invalid refresh token format\",\n  )\n    .pipe(\n      Fx.chain((doc) =>\n        doc !== null ? Fx.succeed(doc) : Fx.fail(\"Invalid refresh token\"),\n      ),\n      Fx.chain((doc) =>\n        doc.expirationTime >= Date.now()\n          ? Fx.succeed(doc)\n          : Fx.fail(\"Expired refresh token\"),\n      ),\n      Fx.chain((doc) =>\n        doc.sessionId === tokenSessionId\n          ? Fx.succeed(doc)\n          : Fx.fail(\"Invalid refresh token session ID\"),\n      ),\n    )\n    .pipe(\n      Fx.chain((doc: Doc<\"RefreshToken\">) =>\n        fetchDoc(\n          () =>\n            db.sessions.getById(\n              doc.sessionId,\n            ) as Promise<Doc<\"Session\"> | null>,\n          \"Invalid refresh token session format\",\n        ).pipe(\n          Fx.chain((session) =>\n            session !== null\n              ? Fx.succeed(session)\n              : Fx.fail(\"Invalid refresh token session\"),\n          ),\n          Fx.chain((session) =>\n            session.expirationTime >= Date.now()\n              ? Fx.succeed(session)\n              : Fx.fail(\"Expired refresh token session\"),\n          ),\n          Fx.map((session) => ({\n            session,\n            refreshTokenDoc: doc,\n          })),\n        ),\n      ),\n      Fx.fold({\n        ok: (result) => result,\n        err: (msg) => {\n          logWithLevel(LOG_LEVELS.ERROR, msg);\n          return null;\n        },\n      }),\n    );\n};\n"],"mappings":";;;;;;AAcA,MAAM,uCAAuC,MAAO,KAAK,KAAK,KAAK;AACnE,MAAa,gCAAgC,KAAK;;;;AASlD,eAAsB,mBACpB,KACA,QACA,WACA,sBACoC;CACpC,MAAM,iBACJ,KAAK,KAAK,IACT,OAAO,SAAS,uBACd,QAAQ,IAAI,sCAAsC,SAC/C,OAAO,QAAQ,IAAI,kCAAkC,GACrD,WACJ;AAEJ,QAAO,OAAO,KAAK,OAAO,CAAC,cAAc,OAAO;EAC9C;EACA;EACA,sBAAsB,wBAAwB;EAC/C,CAAC;;;;;AAMJ,MAAa,qBACX,iBAOG;CACH,MAAM,CAAC,gBAAgB,aAAa,aAAa,MAAM,sBAAsB;CAC7E,MAAM,MAAM,8BAA8B,YAAY,aAAa;AAMnE,SAJE,kBAAkB,OACd,GAAG,QAAQ,eAAe,GAC1B,GAAG,KAAK,IAAI,UAAU,yBAAyB,IAAI,CAAC,EAElC,KACtB,GAAG,OAAO,SAAS;AAKjB,UAHE,aAAa,OACT,GAAG,QAAQ,UAAU,GACrB,GAAG,KAAK,IAAI,UAAU,yBAAyB,IAAI,CAAC,EACvC,KACjB,GAAG,KAAK,SAAS;GACf,gBAAgB;GAChB,WAAW;GACZ,EAAE,CACJ;GACD,CACH;;;;;;AAOH,eAAsB,iCACpB,KACA,cACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,qBAAqB,CAAC,aAAa;CACzC,MAAM,UAAU,IAAI,IAA+B,CAAC,aAAa,IAAI,CAAC;CACtE,IAAI,WAAwC,CAAC,aAAa,IAAI;AAC9D,QAAO,SAAS,SAAS,GAAG;EAC1B,MAAM,eAA4C,EAAE;AACpD,OAAK,MAAM,kBAAkB,UAAU;GACrC,MAAM,WAAY,MAAM,GAAG,cAAc,YACvC,aAAa,WACb,eACD;AACD,QAAK,MAAM,SAAS,UAAU;AAC5B,QAAI,QAAQ,IAAI,MAAM,IAAI,CAAE;AAC5B,YAAQ,IAAI,MAAM,IAAI;AACtB,uBAAmB,KAAK,MAAM;AAC9B,iBAAa,KAAK,MAAM,IAAI;;;AAGhC,aAAW;;AAEb,OAAM,GAAG,IACP,GAAG,KAAK,qBAAqB,UAC3B,MAAM,kBAAkB,UACxB,MAAM,gBAAgB,KAAK,KAAK,GAAG,gCAC/B,GAAG,KAAK;EACN,UACE,GAAG,cAAc,MAAM,MAAM,KAAK,EAChC,eAAe,KAAK,KAAK,GAAG,+BAC7B,CAAC;EACJ,MAAM,MAAM;EACb,CAAC,GACF,GAAG,KACR,CACF;AACD,QAAO;;;;;;;;;AAcT,MAAa,uBACX,KACA,gBACA,gBACA,WAIG;CACH,MAAM,KAAK,OAAO,KAAK,OAAO;CAE9B,MAAM,YACJ,SACA,YAEA,GAAG,KAAK;EAAE,IAAI;EAAS,WAAW;EAAS,CAAC,CAAC,KAC3C,GAAG,SAAS,QAAQ;AAClB,eAAa,WAAW,OAAO,IAAI;AACnC,SAAO,GAAG,QAAQ,KAAiB;GACnC,CACH;AAIH,QAAO,eAEH,GAAG,cAAc,QACf,eACD,EACH,+BACD,CACE,KACC,GAAG,OAAO,QACR,QAAQ,OAAO,GAAG,QAAQ,IAAI,GAAG,GAAG,KAAK,wBAAwB,CAClE,EACD,GAAG,OAAO,QACR,IAAI,kBAAkB,KAAK,KAAK,GAC5B,GAAG,QAAQ,IAAI,GACf,GAAG,KAAK,wBAAwB,CACrC,EACD,GAAG,OAAO,QACR,IAAI,cAAc,iBACd,GAAG,QAAQ,IAAI,GACf,GAAG,KAAK,mCAAmC,CAChD,CACF,CACA,KACC,GAAG,OAAO,QACR,eAEI,GAAG,SAAS,QACV,IAAI,UACL,EACH,uCACD,CAAC,KACA,GAAG,OAAO,YACR,YAAY,OACR,GAAG,QAAQ,QAAQ,GACnB,GAAG,KAAK,gCAAgC,CAC7C,EACD,GAAG,OAAO,YACR,QAAQ,kBAAkB,KAAK,KAAK,GAChC,GAAG,QAAQ,QAAQ,GACnB,GAAG,KAAK,gCAAgC,CAC7C,EACD,GAAG,KAAK,aAAa;EACnB;EACA,iBAAiB;EAClB,EAAE,CACJ,CACF,EACD,GAAG,KAAK;EACN,KAAK,WAAW;EAChB,MAAM,QAAQ;AACZ,gBAAa,WAAW,OAAO,IAAI;AACnC,UAAO;;EAEV,CAAC,CACH"}
+{"version":3,"file":"refresh.js","names":[],"sources":["../../src/server/refresh.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { AuthError } from \"./fx\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { ConvexAuthConfig } from \"./types\";\nimport {\n  LOG_LEVELS,\n  REFRESH_TOKEN_DIVIDER,\n  logWithLevel,\n  maybeRedact,\n} from \"./utils\";\n\nconst DEFAULT_SESSION_INACTIVE_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days\n/** @internal */\nexport const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1000; // 10 seconds\n\n// ---------------------------------------------------------------------------\n// Refresh token CRUD\n// ---------------------------------------------------------------------------\n\n/**\n * Create a new refresh token for the given session.\n */\n/** @internal */\nexport async function createRefreshToken(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  sessionId: GenericId<\"Session\">,\n  parentRefreshTokenId: GenericId<\"RefreshToken\"> | null,\n): Promise<GenericId<\"RefreshToken\">> {\n  const expirationTime =\n    Date.now() +\n    (config.session?.inactiveDurationMs ??\n      (process.env.AUTH_SESSION_INACTIVE_DURATION_MS !== undefined\n        ? Number(process.env.AUTH_SESSION_INACTIVE_DURATION_MS)\n        : undefined) ??\n      DEFAULT_SESSION_INACTIVE_DURATION_MS);\n\n  return authDb(ctx, config).refreshTokens.create({\n    sessionId,\n    expirationTime,\n    parentRefreshTokenId: parentRefreshTokenId ?? undefined,\n  }) as Promise<GenericId<\"RefreshToken\">>;\n}\n\n/**\n * Parse a compound refresh token string into its constituent IDs.\n */\n/** @internal */\nexport const parseRefreshToken = (\n  refreshToken: string,\n): Fx<\n  {\n    refreshTokenId: GenericId<\"RefreshToken\">;\n    sessionId: GenericId<\"Session\">;\n  },\n  AuthError\n> => {\n  const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);\n  const msg = `Can't parse refresh token: ${maybeRedact(refreshToken)}`;\n  const refreshTokenIdFx: Fx<string, AuthError> =\n    refreshTokenId != null\n      ? Fx.succeed(refreshTokenId)\n      : Fx.fail(new AuthError(\"INVALID_REFRESH_TOKEN\", msg));\n\n  return refreshTokenIdFx.pipe(\n    Fx.chain((rtId) => {\n      const sessionIdFx: Fx<string, AuthError> =\n        sessionId != null\n          ? Fx.succeed(sessionId)\n          : Fx.fail(new AuthError(\"INVALID_REFRESH_TOKEN\", msg));\n      return sessionIdFx.pipe(\n        Fx.map((sId) => ({\n          refreshTokenId: rtId as GenericId<\"RefreshToken\">,\n          sessionId: sId as GenericId<\"Session\">,\n        })),\n      );\n    }),\n  );\n};\n\n/**\n * Mark all refresh tokens descending from the given refresh token as invalid\n * immediately. Used when we detect token reuse — revoke the entire tree.\n */\n/** @internal */\nexport async function invalidateRefreshTokensInSubtree(\n  ctx: MutationCtx,\n  refreshToken: Doc<\"RefreshToken\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const tokensToInvalidate = [refreshToken];\n  const visited = new Set<GenericId<\"RefreshToken\">>([refreshToken._id]);\n  let frontier: GenericId<\"RefreshToken\">[] = [refreshToken._id];\n  while (frontier.length > 0) {\n    const nextFrontier: GenericId<\"RefreshToken\">[] = [];\n    for (const currentTokenId of frontier) {\n      const children = (await db.refreshTokens.getChildren(\n        refreshToken.sessionId,\n        currentTokenId,\n      )) as Doc<\"RefreshToken\">[];\n      for (const child of children) {\n        if (visited.has(child._id)) continue;\n        visited.add(child._id);\n        tokensToInvalidate.push(child);\n        nextFrontier.push(child._id);\n      }\n    }\n    frontier = nextFrontier;\n  }\n  await Fx.run(\n    Fx.each(tokensToInvalidate, (token) =>\n      token.firstUsedTime === undefined ||\n      token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS\n        ? Fx.from({\n            ok: () =>\n              db.refreshTokens.patch(token._id, {\n                firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,\n              }),\n            err: (e) => e as never,\n          })\n        : Fx.unit,\n    ),\n  );\n  return tokensToInvalidate;\n}\n\n// ---------------------------------------------------------------------------\n// Validation pipeline — the core of refresh token handling\n// ---------------------------------------------------------------------------\n\n/**\n * Validate a refresh token and its associated session.\n *\n * Returns `null` on any validation failure (matching original semantics).\n * Each validation step is a small composable function chained with `Fx.chain`.\n * On failure, the error message is logged and the pipeline folds to `null`.\n */\n/** @internal */\nexport const refreshTokenIfValid = (\n  ctx: MutationCtx,\n  refreshTokenId: string,\n  tokenSessionId: string,\n  config: ConvexAuthConfig,\n): Fx<\n  { session: Doc<\"Session\">; refreshTokenDoc: Doc<\"RefreshToken\"> } | null,\n  never\n> => {\n  const db = authDb(ctx, config);\n\n  const fetchDoc = <T>(\n    promise: () => Promise<T | null>,\n    failMsg: string,\n  ): Fx<T | null, never> =>\n    Fx.from({ ok: promise, err: () => failMsg }).pipe(\n      Fx.recover((msg) => {\n        logWithLevel(LOG_LEVELS.ERROR, msg);\n        return Fx.succeed(null as T | null);\n      }),\n    );\n\n  // The entire validation is a single pipeline:\n  // fetch token → not null → not expired → session matches → fetch session → not null → not expired → combine\n  return fetchDoc(\n    () =>\n      db.refreshTokens.getById(\n        refreshTokenId as GenericId<\"RefreshToken\">,\n      ) as Promise<Doc<\"RefreshToken\"> | null>,\n    \"Invalid refresh token format\",\n  )\n    .pipe(\n      Fx.chain((doc) =>\n        doc !== null ? Fx.succeed(doc) : Fx.fail(\"Invalid refresh token\"),\n      ),\n      Fx.chain((doc) =>\n        doc.expirationTime >= Date.now()\n          ? Fx.succeed(doc)\n          : Fx.fail(\"Expired refresh token\"),\n      ),\n      Fx.chain((doc) =>\n        doc.sessionId === tokenSessionId\n          ? Fx.succeed(doc)\n          : Fx.fail(\"Invalid refresh token session ID\"),\n      ),\n    )\n    .pipe(\n      Fx.chain((doc: Doc<\"RefreshToken\">) =>\n        fetchDoc(\n          () =>\n            db.sessions.getById(\n              doc.sessionId,\n            ) as Promise<Doc<\"Session\"> | null>,\n          \"Invalid refresh token session format\",\n        ).pipe(\n          Fx.chain((session) =>\n            session !== null\n              ? Fx.succeed(session)\n              : Fx.fail(\"Invalid refresh token session\"),\n          ),\n          Fx.chain((session) =>\n            session.expirationTime >= Date.now()\n              ? Fx.succeed(session)\n              : Fx.fail(\"Expired refresh token session\"),\n          ),\n          Fx.map((session) => ({\n            session,\n            refreshTokenDoc: doc,\n          })),\n        ),\n      ),\n      Fx.fold({\n        ok: (result) => result,\n        err: (msg) => {\n          logWithLevel(LOG_LEVELS.ERROR, msg);\n          return null;\n        },\n      }),\n    );\n};\n"],"mappings":";;;;;;AAcA,MAAM,uCAAuC,MAAO,KAAK,KAAK,KAAK;;AAEnE,MAAa,gCAAgC,KAAK;;;;;AAUlD,eAAsB,mBACpB,KACA,QACA,WACA,sBACoC;CACpC,MAAM,iBACJ,KAAK,KAAK,IACT,OAAO,SAAS,uBACd,QAAQ,IAAI,sCAAsC,SAC/C,OAAO,QAAQ,IAAI,kCAAkC,GACrD,WACJ;AAEJ,QAAO,OAAO,KAAK,OAAO,CAAC,cAAc,OAAO;EAC9C;EACA;EACA,sBAAsB,wBAAwB;EAC/C,CAAC;;;;;;AAOJ,MAAa,qBACX,iBAOG;CACH,MAAM,CAAC,gBAAgB,aAAa,aAAa,MAAM,sBAAsB;CAC7E,MAAM,MAAM,8BAA8B,YAAY,aAAa;AAMnE,SAJE,kBAAkB,OACd,GAAG,QAAQ,eAAe,GAC1B,GAAG,KAAK,IAAI,UAAU,yBAAyB,IAAI,CAAC,EAElC,KACtB,GAAG,OAAO,SAAS;AAKjB,UAHE,aAAa,OACT,GAAG,QAAQ,UAAU,GACrB,GAAG,KAAK,IAAI,UAAU,yBAAyB,IAAI,CAAC,EACvC,KACjB,GAAG,KAAK,SAAS;GACf,gBAAgB;GAChB,WAAW;GACZ,EAAE,CACJ;GACD,CACH;;;;;;;AAQH,eAAsB,iCACpB,KACA,cACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,qBAAqB,CAAC,aAAa;CACzC,MAAM,UAAU,IAAI,IAA+B,CAAC,aAAa,IAAI,CAAC;CACtE,IAAI,WAAwC,CAAC,aAAa,IAAI;AAC9D,QAAO,SAAS,SAAS,GAAG;EAC1B,MAAM,eAA4C,EAAE;AACpD,OAAK,MAAM,kBAAkB,UAAU;GACrC,MAAM,WAAY,MAAM,GAAG,cAAc,YACvC,aAAa,WACb,eACD;AACD,QAAK,MAAM,SAAS,UAAU;AAC5B,QAAI,QAAQ,IAAI,MAAM,IAAI,CAAE;AAC5B,YAAQ,IAAI,MAAM,IAAI;AACtB,uBAAmB,KAAK,MAAM;AAC9B,iBAAa,KAAK,MAAM,IAAI;;;AAGhC,aAAW;;AAEb,OAAM,GAAG,IACP,GAAG,KAAK,qBAAqB,UAC3B,MAAM,kBAAkB,UACxB,MAAM,gBAAgB,KAAK,KAAK,GAAG,gCAC/B,GAAG,KAAK;EACN,UACE,GAAG,cAAc,MAAM,MAAM,KAAK,EAChC,eAAe,KAAK,KAAK,GAAG,+BAC7B,CAAC;EACJ,MAAM,MAAM;EACb,CAAC,GACF,GAAG,KACR,CACF;AACD,QAAO;;;;;;;;;;AAeT,MAAa,uBACX,KACA,gBACA,gBACA,WAIG;CACH,MAAM,KAAK,OAAO,KAAK,OAAO;CAE9B,MAAM,YACJ,SACA,YAEA,GAAG,KAAK;EAAE,IAAI;EAAS,WAAW;EAAS,CAAC,CAAC,KAC3C,GAAG,SAAS,QAAQ;AAClB,eAAa,WAAW,OAAO,IAAI;AACnC,SAAO,GAAG,QAAQ,KAAiB;GACnC,CACH;AAIH,QAAO,eAEH,GAAG,cAAc,QACf,eACD,EACH,+BACD,CACE,KACC,GAAG,OAAO,QACR,QAAQ,OAAO,GAAG,QAAQ,IAAI,GAAG,GAAG,KAAK,wBAAwB,CAClE,EACD,GAAG,OAAO,QACR,IAAI,kBAAkB,KAAK,KAAK,GAC5B,GAAG,QAAQ,IAAI,GACf,GAAG,KAAK,wBAAwB,CACrC,EACD,GAAG,OAAO,QACR,IAAI,cAAc,iBACd,GAAG,QAAQ,IAAI,GACf,GAAG,KAAK,mCAAmC,CAChD,CACF,CACA,KACC,GAAG,OAAO,QACR,eAEI,GAAG,SAAS,QACV,IAAI,UACL,EACH,uCACD,CAAC,KACA,GAAG,OAAO,YACR,YAAY,OACR,GAAG,QAAQ,QAAQ,GACnB,GAAG,KAAK,gCAAgC,CAC7C,EACD,GAAG,OAAO,YACR,QAAQ,kBAAkB,KAAK,KAAK,GAChC,GAAG,QAAQ,QAAQ,GACnB,GAAG,KAAK,gCAAgC,CAC7C,EACD,GAAG,KAAK,aAAa;EACnB;EACA,iBAAiB;EAClB,EAAE,CACJ,CACF,EACD,GAAG,KAAK;EACN,KAAK,WAAW;EAChB,MAAM,QAAQ;AACZ,gBAAa,WAAW,OAAO,IAAI;AACnC,UAAO;;EAEV,CAAC,CACH"}

package/dist/server/sessions.d.ts

@@ -1,28 +1 @@
-import { ConvexAuthConfig, Doc, MutationCtx, SessionInfo } from "./types.js";
-import { GenericId } from "convex/values";
-import { Auth } from "convex/server";
-
-//#region src/server/sessions.d.ts
-declare function maybeGenerateTokensForSession(ctx: MutationCtx, config: ConvexAuthConfig, userId: GenericId<"User">, sessionId: GenericId<"Session">, generateTokens: boolean): Promise<SessionInfo>;
-declare function createNewAndDeleteExistingSession(ctx: MutationCtx, config: ConvexAuthConfig, userId: GenericId<"User">): Promise<GenericId<"Session">>;
-declare function generateTokensForSession(ctx: MutationCtx, config: ConvexAuthConfig, args: {
-  userId: GenericId<"User">;
-  sessionId: GenericId<"Session">;
-  issuedRefreshTokenId: GenericId<"RefreshToken"> | null;
-  parentRefreshTokenId: GenericId<"RefreshToken"> | null;
-}): Promise<{
-  token: string;
-  refreshToken: string;
-}>;
-declare function deleteSession(ctx: MutationCtx, session: Doc<"Session">, config: ConvexAuthConfig): Promise<void>;
-/**
- * Return the current session ID from the auth identity subject.
- *
- * Internal helper used by auth runtime internals and `auth.session.current`.
- */
-declare function getAuthSessionId(ctx: {
-  auth: Auth;
-}): Promise<GenericId<"Session"> | null>;
-//#endregion
-export { createNewAndDeleteExistingSession, deleteSession, generateTokensForSession, getAuthSessionId, maybeGenerateTokensForSession };
-//# sourceMappingURL=sessions.d.ts.map
+export { };

package/dist/server/sessions.js

@@ -5,6 +5,7 @@ import { generateToken } from "./tokens.js";
 
 //#region src/server/sessions.ts
 const DEFAULT_SESSION_TOTAL_DURATION_MS = 1e3 * 60 * 60 * 24 * 30;
+/** @internal */
 async function maybeGenerateTokensForSession(ctx, config, userId, sessionId, generateTokens) {
 	return {
 		userId,
@@ -17,6 +18,7 @@ async function maybeGenerateTokensForSession(ctx, config, userId, sessionId, gen
 		}) : null
 	};
 }
+/** @internal */
 async function createNewAndDeleteExistingSession(ctx, config, userId) {
 	const db = authDb(ctx, config);
 	const existingSessionId = await getAuthSessionId(ctx);
@@ -26,6 +28,7 @@ async function createNewAndDeleteExistingSession(ctx, config, userId) {
 	}
 	return await createSession(ctx, userId, config);
 }
+/** @internal */
 async function generateTokensForSession(ctx, config, args) {
 	const ids = {
 		userId: args.userId,
@@ -44,6 +47,7 @@ async function createSession(ctx, userId, config) {
 	const expirationTime = Date.now() + (config.session?.totalDurationMs ?? (process.env.AUTH_SESSION_TOTAL_DURATION_MS !== void 0 ? Number(process.env.AUTH_SESSION_TOTAL_DURATION_MS) : void 0) ?? DEFAULT_SESSION_TOTAL_DURATION_MS);
 	return await db.sessions.create(userId, expirationTime);
 }
+/** @internal */
 async function deleteSession(ctx, session, config) {
 	const db = authDb(ctx, config);
 	await db.sessions.delete(session._id);
@@ -54,6 +58,7 @@ async function deleteSession(ctx, session, config) {
 *
 * Internal helper used by auth runtime internals and `auth.session.current`.
 */
+/** @internal */
 async function getAuthSessionId(ctx) {
 	const identity = await ctx.auth.getUserIdentity();
 	if (identity === null) return null;

package/dist/server/sessions.js.map

@@ -1 +1 @@
-{"version":3,"file":"sessions.js","names":[],"sources":["../../src/server/sessions.ts"],"sourcesContent":["import { Auth } from \"convex/server\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { createRefreshToken } from \"./refresh\";\nimport { generateToken } from \"./tokens\";\nimport { Doc, MutationCtx, SessionInfo } from \"./types\";\nimport { ConvexAuthConfig } from \"./types\";\nimport {\n  LOG_LEVELS,\n  TOKEN_SUB_CLAIM_DIVIDER,\n  REFRESH_TOKEN_DIVIDER,\n  logWithLevel,\n  maybeRedact,\n} from \"./utils\";\n\nconst DEFAULT_SESSION_TOTAL_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days\n\nexport async function maybeGenerateTokensForSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  userId: GenericId<\"User\">,\n  sessionId: GenericId<\"Session\">,\n  generateTokens: boolean,\n): Promise<SessionInfo> {\n  return {\n    userId,\n    sessionId,\n    tokens: generateTokens\n      ? await generateTokensForSession(ctx, config, {\n          userId,\n          sessionId,\n          issuedRefreshTokenId: null,\n          parentRefreshTokenId: null,\n        })\n      : null,\n  };\n}\n\nexport async function createNewAndDeleteExistingSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  userId: GenericId<\"User\">,\n) {\n  const db = authDb(ctx, config);\n  const existingSessionId = await getAuthSessionId(ctx);\n  if (existingSessionId !== null) {\n    const existingSession = await db.sessions.getById(existingSessionId);\n    if (existingSession !== null) {\n      await deleteSession(ctx, existingSession, config);\n    }\n  }\n  return await createSession(ctx, userId, config);\n}\n\nexport async function generateTokensForSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  args: {\n    userId: GenericId<\"User\">;\n    sessionId: GenericId<\"Session\">;\n    issuedRefreshTokenId: GenericId<\"RefreshToken\"> | null;\n    parentRefreshTokenId: GenericId<\"RefreshToken\"> | null;\n  },\n) {\n  const ids = { userId: args.userId, sessionId: args.sessionId };\n  const refreshTokenId =\n    args.issuedRefreshTokenId ??\n    (await createRefreshToken(\n      ctx,\n      config,\n      args.sessionId,\n      args.parentRefreshTokenId,\n    ));\n  const result = {\n    token: await generateToken(ids, config),\n    refreshToken: `${refreshTokenId}${REFRESH_TOKEN_DIVIDER}${args.sessionId}`,\n  };\n  logWithLevel(\n    LOG_LEVELS.DEBUG,\n    `Generated token ${maybeRedact(result.token)} and refresh token ${maybeRedact(refreshTokenId)} for session ${maybeRedact(args.sessionId)}`,\n  );\n  return result;\n}\n\nasync function createSession(\n  ctx: MutationCtx,\n  userId: GenericId<\"User\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const expirationTime =\n    Date.now() +\n    (config.session?.totalDurationMs ??\n      (process.env.AUTH_SESSION_TOTAL_DURATION_MS !== undefined\n        ? Number(process.env.AUTH_SESSION_TOTAL_DURATION_MS)\n        : undefined) ??\n      DEFAULT_SESSION_TOTAL_DURATION_MS);\n  return (await db.sessions.create(\n    userId,\n    expirationTime,\n  )) as GenericId<\"Session\">;\n}\n\nexport async function deleteSession(\n  ctx: MutationCtx,\n  session: Doc<\"Session\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  await db.sessions.delete(session._id);\n  await db.refreshTokens.deleteAll(session._id);\n}\n\n/**\n * Return the current session ID from the auth identity subject.\n *\n * Internal helper used by auth runtime internals and `auth.session.current`.\n */\nexport async function getAuthSessionId(ctx: { auth: Auth }) {\n  const identity = await ctx.auth.getUserIdentity();\n  if (identity === null) {\n    return null;\n  }\n  const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n  return sessionId as GenericId<\"Session\">;\n}\n"],"mappings":";;;;;;AAgBA,MAAM,oCAAoC,MAAO,KAAK,KAAK,KAAK;AAEhE,eAAsB,8BACpB,KACA,QACA,QACA,WACA,gBACsB;AACtB,QAAO;EACL;EACA;EACA,QAAQ,iBACJ,MAAM,yBAAyB,KAAK,QAAQ;GAC1C;GACA;GACA,sBAAsB;GACtB,sBAAsB;GACvB,CAAC,GACF;EACL;;AAGH,eAAsB,kCACpB,KACA,QACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,oBAAoB,MAAM,iBAAiB,IAAI;AACrD,KAAI,sBAAsB,MAAM;EAC9B,MAAM,kBAAkB,MAAM,GAAG,SAAS,QAAQ,kBAAkB;AACpE,MAAI,oBAAoB,KACtB,OAAM,cAAc,KAAK,iBAAiB,OAAO;;AAGrD,QAAO,MAAM,cAAc,KAAK,QAAQ,OAAO;;AAGjD,eAAsB,yBACpB,KACA,QACA,MAMA;CACA,MAAM,MAAM;EAAE,QAAQ,KAAK;EAAQ,WAAW,KAAK;EAAW;CAC9D,MAAM,iBACJ,KAAK,wBACJ,MAAM,mBACL,KACA,QACA,KAAK,WACL,KAAK,qBACN;CACH,MAAM,SAAS;EACb,OAAO,MAAM,cAAc,KAAK,OAAO;EACvC,cAAc,GAAG,iBAAiB,wBAAwB,KAAK;EAChE;AACD,cACE,WAAW,OACX,mBAAmB,YAAY,OAAO,MAAM,CAAC,qBAAqB,YAAY,eAAe,CAAC,eAAe,YAAY,KAAK,UAAU,GACzI;AACD,QAAO;;AAGT,eAAe,cACb,KACA,QACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,iBACJ,KAAK,KAAK,IACT,OAAO,SAAS,oBACd,QAAQ,IAAI,mCAAmC,SAC5C,OAAO,QAAQ,IAAI,+BAA+B,GAClD,WACJ;AACJ,QAAQ,MAAM,GAAG,SAAS,OACxB,QACA,eACD;;AAGH,eAAsB,cACpB,KACA,SACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;AAC9B,OAAM,GAAG,SAAS,OAAO,QAAQ,IAAI;AACrC,OAAM,GAAG,cAAc,UAAU,QAAQ,IAAI;;;;;;;AAQ/C,eAAsB,iBAAiB,KAAqB;CAC1D,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,KAAI,aAAa,KACf,QAAO;CAET,MAAM,GAAG,aAAa,SAAS,QAAQ,MAAM,wBAAwB;AACrE,QAAO"}
+{"version":3,"file":"sessions.js","names":[],"sources":["../../src/server/sessions.ts"],"sourcesContent":["import { Auth } from \"convex/server\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { createRefreshToken } from \"./refresh\";\nimport { generateToken } from \"./tokens\";\nimport { Doc, MutationCtx, SessionInfo } from \"./types\";\nimport { ConvexAuthConfig } from \"./types\";\nimport {\n  LOG_LEVELS,\n  TOKEN_SUB_CLAIM_DIVIDER,\n  REFRESH_TOKEN_DIVIDER,\n  logWithLevel,\n  maybeRedact,\n} from \"./utils\";\n\nconst DEFAULT_SESSION_TOTAL_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days\n\n/** @internal */\nexport async function maybeGenerateTokensForSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  userId: GenericId<\"User\">,\n  sessionId: GenericId<\"Session\">,\n  generateTokens: boolean,\n): Promise<SessionInfo> {\n  return {\n    userId,\n    sessionId,\n    tokens: generateTokens\n      ? await generateTokensForSession(ctx, config, {\n          userId,\n          sessionId,\n          issuedRefreshTokenId: null,\n          parentRefreshTokenId: null,\n        })\n      : null,\n  };\n}\n\n/** @internal */\nexport async function createNewAndDeleteExistingSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  userId: GenericId<\"User\">,\n) {\n  const db = authDb(ctx, config);\n  const existingSessionId = await getAuthSessionId(ctx);\n  if (existingSessionId !== null) {\n    const existingSession = await db.sessions.getById(existingSessionId);\n    if (existingSession !== null) {\n      await deleteSession(ctx, existingSession, config);\n    }\n  }\n  return await createSession(ctx, userId, config);\n}\n\n/** @internal */\nexport async function generateTokensForSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  args: {\n    userId: GenericId<\"User\">;\n    sessionId: GenericId<\"Session\">;\n    issuedRefreshTokenId: GenericId<\"RefreshToken\"> | null;\n    parentRefreshTokenId: GenericId<\"RefreshToken\"> | null;\n  },\n) {\n  const ids = { userId: args.userId, sessionId: args.sessionId };\n  const refreshTokenId =\n    args.issuedRefreshTokenId ??\n    (await createRefreshToken(\n      ctx,\n      config,\n      args.sessionId,\n      args.parentRefreshTokenId,\n    ));\n  const result = {\n    token: await generateToken(ids, config),\n    refreshToken: `${refreshTokenId}${REFRESH_TOKEN_DIVIDER}${args.sessionId}`,\n  };\n  logWithLevel(\n    LOG_LEVELS.DEBUG,\n    `Generated token ${maybeRedact(result.token)} and refresh token ${maybeRedact(refreshTokenId)} for session ${maybeRedact(args.sessionId)}`,\n  );\n  return result;\n}\n\nasync function createSession(\n  ctx: MutationCtx,\n  userId: GenericId<\"User\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const expirationTime =\n    Date.now() +\n    (config.session?.totalDurationMs ??\n      (process.env.AUTH_SESSION_TOTAL_DURATION_MS !== undefined\n        ? Number(process.env.AUTH_SESSION_TOTAL_DURATION_MS)\n        : undefined) ??\n      DEFAULT_SESSION_TOTAL_DURATION_MS);\n  return (await db.sessions.create(\n    userId,\n    expirationTime,\n  )) as GenericId<\"Session\">;\n}\n\n/** @internal */\nexport async function deleteSession(\n  ctx: MutationCtx,\n  session: Doc<\"Session\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  await db.sessions.delete(session._id);\n  await db.refreshTokens.deleteAll(session._id);\n}\n\n/**\n * Return the current session ID from the auth identity subject.\n *\n * Internal helper used by auth runtime internals and `auth.session.current`.\n */\n/** @internal */\nexport async function getAuthSessionId(ctx: { auth: Auth }) {\n  const identity = await ctx.auth.getUserIdentity();\n  if (identity === null) {\n    return null;\n  }\n  const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n  return sessionId as GenericId<\"Session\">;\n}\n"],"mappings":";;;;;;AAgBA,MAAM,oCAAoC,MAAO,KAAK,KAAK,KAAK;;AAGhE,eAAsB,8BACpB,KACA,QACA,QACA,WACA,gBACsB;AACtB,QAAO;EACL;EACA;EACA,QAAQ,iBACJ,MAAM,yBAAyB,KAAK,QAAQ;GAC1C;GACA;GACA,sBAAsB;GACtB,sBAAsB;GACvB,CAAC,GACF;EACL;;;AAIH,eAAsB,kCACpB,KACA,QACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,oBAAoB,MAAM,iBAAiB,IAAI;AACrD,KAAI,sBAAsB,MAAM;EAC9B,MAAM,kBAAkB,MAAM,GAAG,SAAS,QAAQ,kBAAkB;AACpE,MAAI,oBAAoB,KACtB,OAAM,cAAc,KAAK,iBAAiB,OAAO;;AAGrD,QAAO,MAAM,cAAc,KAAK,QAAQ,OAAO;;;AAIjD,eAAsB,yBACpB,KACA,QACA,MAMA;CACA,MAAM,MAAM;EAAE,QAAQ,KAAK;EAAQ,WAAW,KAAK;EAAW;CAC9D,MAAM,iBACJ,KAAK,wBACJ,MAAM,mBACL,KACA,QACA,KAAK,WACL,KAAK,qBACN;CACH,MAAM,SAAS;EACb,OAAO,MAAM,cAAc,KAAK,OAAO;EACvC,cAAc,GAAG,iBAAiB,wBAAwB,KAAK;EAChE;AACD,cACE,WAAW,OACX,mBAAmB,YAAY,OAAO,MAAM,CAAC,qBAAqB,YAAY,eAAe,CAAC,eAAe,YAAY,KAAK,UAAU,GACzI;AACD,QAAO;;AAGT,eAAe,cACb,KACA,QACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,iBACJ,KAAK,KAAK,IACT,OAAO,SAAS,oBACd,QAAQ,IAAI,mCAAmC,SAC5C,OAAO,QAAQ,IAAI,+BAA+B,GAClD,WACJ;AACJ,QAAQ,MAAM,GAAG,SAAS,OACxB,QACA,eACD;;;AAIH,eAAsB,cACpB,KACA,SACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;AAC9B,OAAM,GAAG,SAAS,OAAO,QAAQ,IAAI;AACrC,OAAM,GAAG,cAAc,UAAU,QAAQ,IAAI;;;;;;;;AAS/C,eAAsB,iBAAiB,KAAqB;CAC1D,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,KAAI,aAAa,KACf,QAAO;CAET,MAAM,GAAG,aAAa,SAAS,QAAQ,MAAM,wBAAwB;AACrE,QAAO"}

package/dist/server/signin.d.ts

@@ -1,55 +1 @@
-import { AuthDataModel, AuthProviderMaterializedConfig, GenericActionCtxWithAuthConfig, SessionInfo, Tokens } from "./types.js";
-import { GenericId } from "convex/values";
-
-//#region src/server/signin.d.ts
-type EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;
-type SignInResult = {
-  kind: "signedIn";
-  signedIn: SessionInfo | null;
-} | {
-  kind: "refreshTokens";
-  signedIn: {
-    tokens: Tokens;
-  };
-} | {
-  kind: "started";
-  started: true;
-} | {
-  kind: "redirect";
-  redirect: string;
-  verifier: string;
-} | {
-  kind: "passkeyOptions";
-  options: Record<string, any>;
-  verifier: string;
-} | {
-  kind: "totpRequired";
-  verifier: string;
-} | {
-  kind: "totpSetup";
-  uri: string;
-  secret: string;
-  verifier: string;
-  totpId: string;
-} | {
-  kind: "deviceCode";
-  deviceCode: string;
-  userCode: string;
-  verificationUri: string;
-  verificationUriComplete: string;
-  expiresIn: number;
-  interval: number;
-};
-declare function signInImpl(ctx: EnrichedActionCtx, provider: AuthProviderMaterializedConfig | null, args: {
-  accountId?: GenericId<"Account">;
-  params?: Record<string, any>;
-  verifier?: string;
-  refreshToken?: string;
-  calledBy?: string;
-}, options: {
-  generateTokens: boolean;
-  allowExtraProviders: boolean;
-}): Promise<SignInResult>;
-//#endregion
-export { signInImpl };
-//# sourceMappingURL=signin.d.ts.map
+export { };

package/dist/server/signin.js

@@ -6,14 +6,15 @@ import { callVerifierSignature } from "./mutations/signature.js";
 import { callSignIn } from "./mutations/signin.js";
 import { callVerifier } from "./mutations/verifier.js";
 import { callVerifyCodeAndSignIn } from "./mutations/verify.js";
-import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
 import { queryTotpVerifiedByUserId } from "./types.js";
 import { handleDevice } from "./device.js";
 import { handlePasskey as handlePasskeyFx } from "./passkey.js";
+import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
 import { handleTotp } from "./totp.js";
 
 //#region src/server/signin.ts
 const DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 3600 * 24;
+/** @internal */
 async function signInImpl(ctx, provider, args, options) {
 	const fx = signInFx(ctx, provider, args, options);
 	return Fx.run(fx.pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));

package/dist/server/signin.js.map

@@ -1 +1 @@
-{"version":3,"file":"signin.js","names":[],"sources":["../../src/server/signin.ts"],"sourcesContent":["import type { Fx as FxType } from \"@robelest/fx\";\nimport { GenericId } from \"convex/values\";\n\nimport { handleDevice } from \"./device\";\nimport { AuthError, Fx } from \"./fx\";\nimport {\n  callCreateVerificationCode,\n  callRefreshSession,\n  callSignIn,\n  callVerifier,\n  callVerifierSignature,\n  callVerifyCodeAndSignIn,\n} from \"./mutations/index\";\nimport { handlePasskeyFx } from \"./passkey\";\nimport { redirectAbsoluteUrl, setURLSearchParam } from \"./redirects\";\nimport { handleTotp } from \"./totp\";\nimport {\n  AuthProviderMaterializedConfig,\n  ConvexCredentialsConfig,\n  EmailConfig,\n  GenericActionCtxWithAuthConfig,\n  PhoneConfig,\n} from \"./types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  SessionInfoWithTokens,\n  Tokens,\n  queryTotpVerifiedByUserId,\n} from \"./types\";\nimport type { OAuthMaterializedConfig } from \"./types\";\nimport { generateRandomString } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\nconst DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 60 * 60 * 24; // 24 hours\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\ntype SignInResult =\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"refreshTokens\"; signedIn: { tokens: Tokens } }\n  | { kind: \"started\"; started: true }\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n  | { kind: \"totpRequired\"; verifier: string }\n  | {\n      kind: \"totpSetup\";\n      uri: string;\n      secret: string;\n      verifier: string;\n      totpId: string;\n    }\n  | {\n      kind: \"deviceCode\";\n      deviceCode: string;\n      userCode: string;\n      verificationUri: string;\n      verificationUriComplete: string;\n      expiresIn: number;\n      interval: number;\n    };\n\nexport async function signInImpl(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): Promise<SignInResult> {\n  const fx = signInFx(ctx, provider, args, options);\n  return Fx.run(\n    fx.pipe(Fx.recover((e) => Fx.fatal((e as AuthError).toConvexError()))),\n  );\n}\n\n/**\n * Core sign-in pipeline as an Fx generator.\n *\n * Handles: refresh tokens, verification codes, then dispatches by\n * provider type using a dispatch map (no if-chain).\n */\nfunction signInFx(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<SignInResult, AuthError> {\n  return Fx.gen(function* () {\n    // --- Refresh token (no provider) ---\n    if (provider === null && args.refreshToken) {\n      const tokens = yield* Fx.promise(() =>\n        callRefreshSession(ctx, { refreshToken: args.refreshToken! }),\n      );\n      if (tokens === null) {\n        return { kind: \"signedIn\" as const, signedIn: null };\n      }\n      return { kind: \"refreshTokens\" as const, signedIn: { tokens } };\n    }\n\n    // --- Verify code (no provider, code present) ---\n    if (provider === null && args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return { kind: \"signedIn\" as const, signedIn: result };\n    }\n\n    // --- Provider is required past this point ---\n    const resolvedProvider = yield* provider != null\n      ? Fx.succeed(provider)\n      : Fx.fail(new AuthError(\"SIGN_IN_MISSING_PARAMS\"));\n\n    // --- Dispatch by provider type ---\n    return yield* Fx.match(resolvedProvider).on(\"type\", {\n      email: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      phone: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      credentials: (p) => handleCredentialsFx(ctx, p, args, options),\n      oauth: (p) => handleOAuthProviderFx(ctx, p, args, options),\n      passkey: (p) => handlePasskeyFx(ctx, p, args),\n      totp: (p) => handleTotp(ctx, p, args),\n      device: (p) => handleDevice(ctx, p, args),\n    });\n  });\n}\n\n// ============================================================================\n// Email / Phone\n// ============================================================================\n\nfunction handleEmailAndPhoneProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: EmailConfig | PhoneConfig,\n  args: {\n    params?: Record<string, any>;\n    accountId?: GenericId<\"Account\">;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"started\"; started: true }\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          provider: provider.id,\n          generateTokens: options.generateTokens,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      const verified = yield* result != null\n        ? Fx.succeed(result)\n        : Fx.fail(new AuthError(\"INVALID_VERIFICATION_CODE\"));\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: verified as SessionInfoWithTokens,\n      };\n    }\n\n    // --- Send verification code path ---\n    const alphabet =\n      \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\";\n    const code = provider.generateVerificationToken\n      ? yield* Fx.from({\n          ok: async () => provider.generateVerificationToken!(),\n          err: () =>\n            new AuthError(\n              \"INTERNAL_ERROR\",\n              \"Failed to generate verification token\",\n            ),\n        })\n      : generateRandomString(32, alphabet);\n    const expirationTime =\n      Date.now() +\n      (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1000;\n\n    const identifier = yield* Fx.promise(() =>\n      callCreateVerificationCode(ctx, {\n        provider: provider.id,\n        accountId: args.accountId,\n        email: args.params?.email,\n        phone: args.params?.phone,\n        code,\n        expirationTime,\n        allowExtraProviders: options.allowExtraProviders,\n      }),\n    );\n    const destination = yield* Fx.promise(() =>\n      redirectAbsoluteUrl(\n        ctx.auth.config,\n        (args.params ?? {}) as { redirectTo: unknown },\n      ),\n    );\n    const verificationArgs = {\n      identifier,\n      url: setURLSearchParam(destination, \"code\", code),\n      token: code,\n      expires: new Date(expirationTime),\n    };\n    yield* Fx.match(provider).on(\"type\", {\n      email: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              {\n                ...verificationArgs,\n                provider: p,\n                request: new Request(\"http://localhost\"),\n              },\n              ctx,\n            ),\n          err: () =>\n            new AuthError(\"INTERNAL_ERROR\", \"Failed to send email code\"),\n        }),\n      phone: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              { ...verificationArgs, provider: p },\n              ctx,\n            ),\n          err: () =>\n            new AuthError(\"INTERNAL_ERROR\", \"Failed to send phone code\"),\n        }),\n    });\n    return { kind: \"started\" as const, started: true as const };\n  });\n}\n\n// ============================================================================\n// Credentials\n// ============================================================================\n\nfunction handleCredentialsFx(\n  ctx: EnrichedActionCtx,\n  provider: ConvexCredentialsConfig,\n  args: {\n    params?: Record<string, any>;\n  },\n  options: {\n    generateTokens: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"totpRequired\"; verifier: string },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    const result = yield* Fx.promise(() =>\n      provider.authorize(args.params ?? {}, ctx),\n    );\n    if (result === null) {\n      return { kind: \"signedIn\" as const, signedIn: null };\n    }\n\n    // Check if user has TOTP 2FA enrolled before issuing tokens\n    const hasTotpEnrolled = yield* Fx.promise(async () => {\n      const totpDoc = await queryTotpVerifiedByUserId(ctx, result.userId);\n      return totpDoc !== null;\n    });\n    if (hasTotpEnrolled) {\n      // Create session but withhold tokens — TOTP verification needed\n      yield* Fx.promise(() =>\n        callSignIn(ctx, {\n          userId: result.userId,\n          sessionId: result.sessionId,\n          generateTokens: false,\n        }),\n      );\n      // Store userId in verifier so the TOTP verify flow can complete sign-in\n      const verifier = yield* Fx.promise(() => callVerifier(ctx));\n      yield* Fx.promise(() =>\n        callVerifierSignature(ctx, {\n          verifier,\n          signature: JSON.stringify({ userId: result.userId }),\n        }),\n      );\n      return { kind: \"totpRequired\" as const, verifier };\n    }\n\n    const idsAndTokens = yield* Fx.promise(() =>\n      callSignIn(ctx, {\n        userId: result.userId,\n        sessionId: result.sessionId,\n        generateTokens: options.generateTokens,\n      }),\n    );\n    return { kind: \"signedIn\" as const, signedIn: idsAndTokens };\n  });\n}\n\n// ============================================================================\n// OAuth\n// ============================================================================\n\nfunction handleOAuthProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: OAuthMaterializedConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n  options: {\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens | null }\n  | { kind: \"redirect\"; redirect: string; verifier: string },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: result as SessionInfoWithTokens | null,\n      };\n    }\n\n    // --- Build redirect URL ---\n    const redirect = new URL(\n      (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\")) +\n        `/api/auth/signin/${provider.id}`,\n    );\n    const verifier = yield* Fx.promise(() => callVerifier(ctx));\n    redirect.searchParams.set(\"code\", verifier);\n\n    if (args.params?.redirectTo !== undefined) {\n      yield* Fx.guard(\n        typeof args.params.redirectTo !== \"string\",\n        Fx.fail(\n          new AuthError(\n            \"INVALID_REDIRECT\",\n            `Expected \\`redirectTo\\` to be a string, got ${args.params.redirectTo}`,\n          ),\n        ),\n      );\n      redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n    }\n\n    return {\n      kind: \"redirect\" as const,\n      redirect: redirect.toString(),\n      verifier,\n    };\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;AAkCA,MAAM,6CAA6C,OAAU;AA4B7D,eAAsB,WACpB,KACA,UACA,MAOA,SAIuB;CACvB,MAAM,KAAK,SAAS,KAAK,UAAU,MAAM,QAAQ;AACjD,QAAO,GAAG,IACR,GAAG,KAAK,GAAG,SAAS,MAAM,GAAG,MAAO,EAAgB,eAAe,CAAC,CAAC,CAAC,CACvE;;;;;;;;AASH,SAAS,SACP,KACA,UACA,MAOA,SAIiC;AACjC,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,aAAa,QAAQ,KAAK,cAAc;GAC1C,MAAM,SAAS,OAAO,GAAG,cACvB,mBAAmB,KAAK,EAAE,cAAc,KAAK,cAAe,CAAC,CAC9D;AACD,OAAI,WAAW,KACb,QAAO;IAAE,MAAM;IAAqB,UAAU;IAAM;AAEtD,UAAO;IAAE,MAAM;IAA0B,UAAU,EAAE,QAAQ;IAAE;;AAIjE,MAAI,aAAa,QAAQ,KAAK,QAAQ,SAAS,OAS7C,QAAO;GAAE,MAAM;GAAqB,UARrB,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GACqD;EAIxD,MAAM,mBAAmB,OAAO,YAAY,OACxC,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK,IAAI,UAAU,yBAAyB,CAAC;AAGpD,SAAO,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,QAAQ;GAClD,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,cAAc,MAAM,oBAAoB,KAAK,GAAG,MAAM,QAAQ;GAC9D,QAAQ,MAAM,sBAAsB,KAAK,GAAG,MAAM,QAAQ;GAC1D,UAAU,MAAM,gBAAgB,KAAK,GAAG,KAAK;GAC7C,OAAO,MAAM,WAAW,KAAK,GAAG,KAAK;GACrC,SAAS,MAAM,aAAa,KAAK,GAAG,KAAK;GAC1C,CAAC;GACF;;AAOJ,SAAS,8BACP,KACA,UACA,MAIA,SAQA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,QAAW;GACnC,MAAM,SAAS,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,SAAS;IACnB,gBAAgB,QAAQ;IACxB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;AAID,UAAO;IACL,MAAM;IACN,UALe,OAAO,UAAU,OAC9B,GAAG,QAAQ,OAAO,GAClB,GAAG,KAAK,IAAI,UAAU,4BAA4B,CAAC;IAItD;;EAMH,MAAM,OAAO,SAAS,4BAClB,OAAO,GAAG,KAAK;GACb,IAAI,YAAY,SAAS,2BAA4B;GACrD,WACE,IAAI,UACF,kBACA,wCACD;GACJ,CAAC,GACF,qBAAqB,IAVvB,iEAUoC;EACtC,MAAM,iBACJ,KAAK,KAAK,IACT,SAAS,UAAU,8CAA8C;EAmBpE,MAAM,mBAAmB;GACvB,YAlBiB,OAAO,GAAG,cAC3B,2BAA2B,KAAK;IAC9B,UAAU,SAAS;IACnB,WAAW,KAAK;IAChB,OAAO,KAAK,QAAQ;IACpB,OAAO,KAAK,QAAQ;IACpB;IACA;IACA,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GASC,KAAK,kBARa,OAAO,GAAG,cAC5B,oBACE,IAAI,KAAK,QACR,KAAK,UAAU,EAAE,CACnB,CACF,EAGqC,QAAQ,KAAK;GACjD,OAAO;GACP,SAAS,IAAI,KAAK,eAAe;GAClC;AACD,SAAO,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ;GACnC,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KACE,GAAG;KACH,UAAU;KACV,SAAS,IAAI,QAAQ,mBAAmB;KACzC,EACD,IACD;IACH,WACE,IAAI,UAAU,kBAAkB,4BAA4B;IAC/D,CAAC;GACJ,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KAAE,GAAG;KAAkB,UAAU;KAAG,EACpC,IACD;IACH,WACE,IAAI,UAAU,kBAAkB,4BAA4B;IAC/D,CAAC;GACL,CAAC;AACF,SAAO;GAAE,MAAM;GAAoB,SAAS;GAAe;GAC3D;;AAOJ,SAAS,oBACP,KACA,UACA,MAGA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,SAAS,OAAO,GAAG,cACvB,SAAS,UAAU,KAAK,UAAU,EAAE,EAAE,IAAI,CAC3C;AACD,MAAI,WAAW,KACb,QAAO;GAAE,MAAM;GAAqB,UAAU;GAAM;AAQtD,MAJwB,OAAO,GAAG,QAAQ,YAAY;AAEpD,UADgB,MAAM,0BAA0B,KAAK,OAAO,OAAO,KAChD;IACnB,EACmB;AAEnB,UAAO,GAAG,cACR,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB;IACjB,CAAC,CACH;GAED,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,UAAO,GAAG,cACR,sBAAsB,KAAK;IACzB;IACA,WAAW,KAAK,UAAU,EAAE,QAAQ,OAAO,QAAQ,CAAC;IACrD,CAAC,CACH;AACD,UAAO;IAAE,MAAM;IAAyB;IAAU;;AAUpD,SAAO;GAAE,MAAM;GAAqB,UAPf,OAAO,GAAG,cAC7B,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB,QAAQ;IACzB,CAAC,CACH;GAC2D;GAC5D;;AAOJ,SAAS,sBACP,KACA,UACA,MAIA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,OASxB,QAAO;GACL,MAAM;GACN,UAVa,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GAIA;EAIH,MAAM,WAAW,IAAI,KAClB,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB,IAChE,oBAAoB,SAAS,KAChC;EACD,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,WAAS,aAAa,IAAI,QAAQ,SAAS;AAE3C,MAAI,KAAK,QAAQ,eAAe,QAAW;AACzC,UAAO,GAAG,MACR,OAAO,KAAK,OAAO,eAAe,UAClC,GAAG,KACD,IAAI,UACF,oBACA,+CAA+C,KAAK,OAAO,aAC5D,CACF,CACF;AACD,YAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;;AAGjE,SAAO;GACL,MAAM;GACN,UAAU,SAAS,UAAU;GAC7B;GACD;GACD"}
+{"version":3,"file":"signin.js","names":[],"sources":["../../src/server/signin.ts"],"sourcesContent":["import type { Fx as FxType } from \"@robelest/fx\";\nimport { GenericId } from \"convex/values\";\n\nimport { handleDevice } from \"./device\";\nimport { AuthError, Fx } from \"./fx\";\nimport {\n  callCreateVerificationCode,\n  callRefreshSession,\n  callSignIn,\n  callVerifier,\n  callVerifierSignature,\n  callVerifyCodeAndSignIn,\n} from \"./mutations/index\";\nimport { handlePasskeyFx } from \"./passkey\";\nimport { redirectAbsoluteUrl, setURLSearchParam } from \"./redirects\";\nimport { handleTotp } from \"./totp\";\nimport {\n  AuthProviderMaterializedConfig,\n  ConvexCredentialsConfig,\n  EmailConfig,\n  GenericActionCtxWithAuthConfig,\n  PhoneConfig,\n} from \"./types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  SessionInfoWithTokens,\n  Tokens,\n  queryTotpVerifiedByUserId,\n} from \"./types\";\nimport type { OAuthMaterializedConfig } from \"./types\";\nimport { generateRandomString } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\nconst DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 60 * 60 * 24; // 24 hours\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\ntype SignInResult =\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"refreshTokens\"; signedIn: { tokens: Tokens } }\n  | { kind: \"started\"; started: true }\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n  | { kind: \"totpRequired\"; verifier: string }\n  | {\n      kind: \"totpSetup\";\n      uri: string;\n      secret: string;\n      verifier: string;\n      totpId: string;\n    }\n  | {\n      kind: \"deviceCode\";\n      deviceCode: string;\n      userCode: string;\n      verificationUri: string;\n      verificationUriComplete: string;\n      expiresIn: number;\n      interval: number;\n    };\n\n/** @internal */\nexport async function signInImpl(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): Promise<SignInResult> {\n  const fx = signInFx(ctx, provider, args, options);\n  return Fx.run(\n    fx.pipe(Fx.recover((e) => Fx.fatal((e as AuthError).toConvexError()))),\n  );\n}\n\n/**\n * Core sign-in pipeline as an Fx generator.\n *\n * Handles: refresh tokens, verification codes, then dispatches by\n * provider type using a dispatch map (no if-chain).\n */\nfunction signInFx(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<SignInResult, AuthError> {\n  return Fx.gen(function* () {\n    // --- Refresh token (no provider) ---\n    if (provider === null && args.refreshToken) {\n      const tokens = yield* Fx.promise(() =>\n        callRefreshSession(ctx, { refreshToken: args.refreshToken! }),\n      );\n      if (tokens === null) {\n        return { kind: \"signedIn\" as const, signedIn: null };\n      }\n      return { kind: \"refreshTokens\" as const, signedIn: { tokens } };\n    }\n\n    // --- Verify code (no provider, code present) ---\n    if (provider === null && args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return { kind: \"signedIn\" as const, signedIn: result };\n    }\n\n    // --- Provider is required past this point ---\n    const resolvedProvider = yield* provider != null\n      ? Fx.succeed(provider)\n      : Fx.fail(new AuthError(\"SIGN_IN_MISSING_PARAMS\"));\n\n    // --- Dispatch by provider type ---\n    return yield* Fx.match(resolvedProvider).on(\"type\", {\n      email: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      phone: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      credentials: (p) => handleCredentialsFx(ctx, p, args, options),\n      oauth: (p) => handleOAuthProviderFx(ctx, p, args, options),\n      passkey: (p) => handlePasskeyFx(ctx, p, args),\n      totp: (p) => handleTotp(ctx, p, args),\n      device: (p) => handleDevice(ctx, p, args),\n    });\n  });\n}\n\n// ============================================================================\n// Email / Phone\n// ============================================================================\n\nfunction handleEmailAndPhoneProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: EmailConfig | PhoneConfig,\n  args: {\n    params?: Record<string, any>;\n    accountId?: GenericId<\"Account\">;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"started\"; started: true }\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          provider: provider.id,\n          generateTokens: options.generateTokens,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      const verified = yield* result != null\n        ? Fx.succeed(result)\n        : Fx.fail(new AuthError(\"INVALID_VERIFICATION_CODE\"));\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: verified as SessionInfoWithTokens,\n      };\n    }\n\n    // --- Send verification code path ---\n    const alphabet =\n      \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\";\n    const code = provider.generateVerificationToken\n      ? yield* Fx.from({\n          ok: async () => provider.generateVerificationToken!(),\n          err: () =>\n            new AuthError(\n              \"INTERNAL_ERROR\",\n              \"Failed to generate verification token\",\n            ),\n        })\n      : generateRandomString(32, alphabet);\n    const expirationTime =\n      Date.now() +\n      (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1000;\n\n    const identifier = yield* Fx.promise(() =>\n      callCreateVerificationCode(ctx, {\n        provider: provider.id,\n        accountId: args.accountId,\n        email: args.params?.email,\n        phone: args.params?.phone,\n        code,\n        expirationTime,\n        allowExtraProviders: options.allowExtraProviders,\n      }),\n    );\n    const destination = yield* Fx.promise(() =>\n      redirectAbsoluteUrl(\n        ctx.auth.config,\n        (args.params ?? {}) as { redirectTo: unknown },\n      ),\n    );\n    const verificationArgs = {\n      identifier,\n      url: setURLSearchParam(destination, \"code\", code),\n      token: code,\n      expires: new Date(expirationTime),\n    };\n    yield* Fx.match(provider).on(\"type\", {\n      email: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              {\n                ...verificationArgs,\n                provider: p,\n                request: new Request(\"http://localhost\"),\n              },\n              ctx,\n            ),\n          err: () =>\n            new AuthError(\"INTERNAL_ERROR\", \"Failed to send email code\"),\n        }),\n      phone: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              { ...verificationArgs, provider: p },\n              ctx,\n            ),\n          err: () =>\n            new AuthError(\"INTERNAL_ERROR\", \"Failed to send phone code\"),\n        }),\n    });\n    return { kind: \"started\" as const, started: true as const };\n  });\n}\n\n// ============================================================================\n// Credentials\n// ============================================================================\n\nfunction handleCredentialsFx(\n  ctx: EnrichedActionCtx,\n  provider: ConvexCredentialsConfig,\n  args: {\n    params?: Record<string, any>;\n  },\n  options: {\n    generateTokens: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"totpRequired\"; verifier: string },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    const result = yield* Fx.promise(() =>\n      provider.authorize(args.params ?? {}, ctx),\n    );\n    if (result === null) {\n      return { kind: \"signedIn\" as const, signedIn: null };\n    }\n\n    // Check if user has TOTP 2FA enrolled before issuing tokens\n    const hasTotpEnrolled = yield* Fx.promise(async () => {\n      const totpDoc = await queryTotpVerifiedByUserId(ctx, result.userId);\n      return totpDoc !== null;\n    });\n    if (hasTotpEnrolled) {\n      // Create session but withhold tokens — TOTP verification needed\n      yield* Fx.promise(() =>\n        callSignIn(ctx, {\n          userId: result.userId,\n          sessionId: result.sessionId,\n          generateTokens: false,\n        }),\n      );\n      // Store userId in verifier so the TOTP verify flow can complete sign-in\n      const verifier = yield* Fx.promise(() => callVerifier(ctx));\n      yield* Fx.promise(() =>\n        callVerifierSignature(ctx, {\n          verifier,\n          signature: JSON.stringify({ userId: result.userId }),\n        }),\n      );\n      return { kind: \"totpRequired\" as const, verifier };\n    }\n\n    const idsAndTokens = yield* Fx.promise(() =>\n      callSignIn(ctx, {\n        userId: result.userId,\n        sessionId: result.sessionId,\n        generateTokens: options.generateTokens,\n      }),\n    );\n    return { kind: \"signedIn\" as const, signedIn: idsAndTokens };\n  });\n}\n\n// ============================================================================\n// OAuth\n// ============================================================================\n\nfunction handleOAuthProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: OAuthMaterializedConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n  options: {\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens | null }\n  | { kind: \"redirect\"; redirect: string; verifier: string },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: result as SessionInfoWithTokens | null,\n      };\n    }\n\n    // --- Build redirect URL ---\n    const redirect = new URL(\n      (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\")) +\n        `/api/auth/signin/${provider.id}`,\n    );\n    const verifier = yield* Fx.promise(() => callVerifier(ctx));\n    redirect.searchParams.set(\"code\", verifier);\n\n    if (args.params?.redirectTo !== undefined) {\n      yield* Fx.guard(\n        typeof args.params.redirectTo !== \"string\",\n        Fx.fail(\n          new AuthError(\n            \"INVALID_REDIRECT\",\n            `Expected \\`redirectTo\\` to be a string, got ${args.params.redirectTo}`,\n          ),\n        ),\n      );\n      redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n    }\n\n    return {\n      kind: \"redirect\" as const,\n      redirect: redirect.toString(),\n      verifier,\n    };\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;AAkCA,MAAM,6CAA6C,OAAU;;AA6B7D,eAAsB,WACpB,KACA,UACA,MAOA,SAIuB;CACvB,MAAM,KAAK,SAAS,KAAK,UAAU,MAAM,QAAQ;AACjD,QAAO,GAAG,IACR,GAAG,KAAK,GAAG,SAAS,MAAM,GAAG,MAAO,EAAgB,eAAe,CAAC,CAAC,CAAC,CACvE;;;;;;;;AASH,SAAS,SACP,KACA,UACA,MAOA,SAIiC;AACjC,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,aAAa,QAAQ,KAAK,cAAc;GAC1C,MAAM,SAAS,OAAO,GAAG,cACvB,mBAAmB,KAAK,EAAE,cAAc,KAAK,cAAe,CAAC,CAC9D;AACD,OAAI,WAAW,KACb,QAAO;IAAE,MAAM;IAAqB,UAAU;IAAM;AAEtD,UAAO;IAAE,MAAM;IAA0B,UAAU,EAAE,QAAQ;IAAE;;AAIjE,MAAI,aAAa,QAAQ,KAAK,QAAQ,SAAS,OAS7C,QAAO;GAAE,MAAM;GAAqB,UARrB,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GACqD;EAIxD,MAAM,mBAAmB,OAAO,YAAY,OACxC,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK,IAAI,UAAU,yBAAyB,CAAC;AAGpD,SAAO,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,QAAQ;GAClD,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,cAAc,MAAM,oBAAoB,KAAK,GAAG,MAAM,QAAQ;GAC9D,QAAQ,MAAM,sBAAsB,KAAK,GAAG,MAAM,QAAQ;GAC1D,UAAU,MAAM,gBAAgB,KAAK,GAAG,KAAK;GAC7C,OAAO,MAAM,WAAW,KAAK,GAAG,KAAK;GACrC,SAAS,MAAM,aAAa,KAAK,GAAG,KAAK;GAC1C,CAAC;GACF;;AAOJ,SAAS,8BACP,KACA,UACA,MAIA,SAQA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,QAAW;GACnC,MAAM,SAAS,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,SAAS;IACnB,gBAAgB,QAAQ;IACxB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;AAID,UAAO;IACL,MAAM;IACN,UALe,OAAO,UAAU,OAC9B,GAAG,QAAQ,OAAO,GAClB,GAAG,KAAK,IAAI,UAAU,4BAA4B,CAAC;IAItD;;EAMH,MAAM,OAAO,SAAS,4BAClB,OAAO,GAAG,KAAK;GACb,IAAI,YAAY,SAAS,2BAA4B;GACrD,WACE,IAAI,UACF,kBACA,wCACD;GACJ,CAAC,GACF,qBAAqB,IAVvB,iEAUoC;EACtC,MAAM,iBACJ,KAAK,KAAK,IACT,SAAS,UAAU,8CAA8C;EAmBpE,MAAM,mBAAmB;GACvB,YAlBiB,OAAO,GAAG,cAC3B,2BAA2B,KAAK;IAC9B,UAAU,SAAS;IACnB,WAAW,KAAK;IAChB,OAAO,KAAK,QAAQ;IACpB,OAAO,KAAK,QAAQ;IACpB;IACA;IACA,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GASC,KAAK,kBARa,OAAO,GAAG,cAC5B,oBACE,IAAI,KAAK,QACR,KAAK,UAAU,EAAE,CACnB,CACF,EAGqC,QAAQ,KAAK;GACjD,OAAO;GACP,SAAS,IAAI,KAAK,eAAe;GAClC;AACD,SAAO,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ;GACnC,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KACE,GAAG;KACH,UAAU;KACV,SAAS,IAAI,QAAQ,mBAAmB;KACzC,EACD,IACD;IACH,WACE,IAAI,UAAU,kBAAkB,4BAA4B;IAC/D,CAAC;GACJ,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KAAE,GAAG;KAAkB,UAAU;KAAG,EACpC,IACD;IACH,WACE,IAAI,UAAU,kBAAkB,4BAA4B;IAC/D,CAAC;GACL,CAAC;AACF,SAAO;GAAE,MAAM;GAAoB,SAAS;GAAe;GAC3D;;AAOJ,SAAS,oBACP,KACA,UACA,MAGA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,SAAS,OAAO,GAAG,cACvB,SAAS,UAAU,KAAK,UAAU,EAAE,EAAE,IAAI,CAC3C;AACD,MAAI,WAAW,KACb,QAAO;GAAE,MAAM;GAAqB,UAAU;GAAM;AAQtD,MAJwB,OAAO,GAAG,QAAQ,YAAY;AAEpD,UADgB,MAAM,0BAA0B,KAAK,OAAO,OAAO,KAChD;IACnB,EACmB;AAEnB,UAAO,GAAG,cACR,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB;IACjB,CAAC,CACH;GAED,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,UAAO,GAAG,cACR,sBAAsB,KAAK;IACzB;IACA,WAAW,KAAK,UAAU,EAAE,QAAQ,OAAO,QAAQ,CAAC;IACrD,CAAC,CACH;AACD,UAAO;IAAE,MAAM;IAAyB;IAAU;;AAUpD,SAAO;GAAE,MAAM;GAAqB,UAPf,OAAO,GAAG,cAC7B,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB,QAAQ;IACzB,CAAC,CACH;GAC2D;GAC5D;;AAOJ,SAAS,sBACP,KACA,UACA,MAIA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,OASxB,QAAO;GACL,MAAM;GACN,UAVa,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GAIA;EAIH,MAAM,WAAW,IAAI,KAClB,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB,IAChE,oBAAoB,SAAS,KAChC;EACD,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,WAAS,aAAa,IAAI,QAAQ,SAAS;AAE3C,MAAI,KAAK,QAAQ,eAAe,QAAW;AACzC,UAAO,GAAG,MACR,OAAO,KAAK,OAAO,eAAe,UAClC,GAAG,KACD,IAAI,UACF,oBACA,+CAA+C,KAAK,OAAO,aAC5D,CACF,CACF;AACD,YAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;;AAGjE,SAAO;GACL,MAAM;GACN,UAAU,SAAS,UAAU;GAC7B;GACD;GACD"}

package/dist/server/sso.d.ts

@@ -1,348 +1 @@
-import { OAuthMaterializedConfig, OAuthProfile, SAMLAttributeMapping } from "./types.js";
-
-//#region src/server/sso.d.ts
-type ParsedSamlMetadata = {
-  issuer: string;
-  sso: {
-    redirect?: string;
-    post?: string;
-  };
-  slo: {
-    redirect?: string;
-    post?: string;
-  };
-  signingCert: string | string[] | null;
-  encryptionCert: string | string[] | null;
-  nameIdFormats: string[];
-  wantsSignedAuthnRequests: boolean;
-};
-type EnterpriseSamlSource = {
-  kind: "enterprise";
-  id: string;
-};
-type EnterpriseSamlRelayState = {
-  source: EnterpriseSamlSource;
-  signature: string;
-  requestId: string;
-  state: string;
-  redirectTo?: string;
-};
-type EnterpriseSamlUrls = {
-  metadataUrl: string;
-  acsUrl: string;
-  sloUrl?: string;
-};
-type EnterpriseSamlLoadedSource = {
-  source: EnterpriseSamlSource;
-  config: unknown;
-  status?: string;
-};
-type EnterpriseSamlHttpRequest = {
-  url: URL;
-  body: Record<string, string>;
-  query: Record<string, string>;
-  binding: "redirect" | "post";
-  relayState?: string;
-  hasSamlRequest: boolean;
-  hasSamlResponse: boolean;
-};
-type ScimListRequest = {
-  startIndex: number;
-  count: number;
-  filter?: {
-    attribute: string;
-    value: string;
-  };
-};
-declare const SCIM_USER_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:User";
-declare const SCIM_GROUP_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:Group";
-declare const ENTERPRISE_OIDC_PROVIDER_PREFIX = "enterprise:oidc:";
-declare const ENTERPRISE_SAML_PROVIDER_PREFIX = "enterprise:saml:";
-declare function normalizeDomain(domain: string): string;
-declare function enterpriseOidcProviderId(enterpriseId: string): string;
-declare function enterpriseSamlProviderId(enterpriseId: string): string;
-declare function getEnterpriseSamlUrls(opts: {
-  rootUrl: string;
-  source: EnterpriseSamlSource;
-}): EnterpriseSamlUrls;
-declare function getEnterpriseOidcUrls(opts: {
-  rootUrl: string;
-  enterpriseId: string;
-}): {
-  signInUrl: string;
-  callbackUrl: string;
-};
-declare function isEnterpriseSamlSourceActive(source: EnterpriseSamlLoadedSource): boolean;
-declare function isEnterpriseProviderId(providerId: string): boolean;
-declare function getOidcConfig(config: unknown): Record<string, any>;
-declare function getSamlConfig(config: unknown): Record<string, any>;
-declare function upsertProtocolConfig(config: unknown, protocol: "oidc" | "saml", protocolConfig: Record<string, unknown>): {
-  protocols: Record<string, any>;
-};
-declare function createSamlPostBindingResponse(opts: {
-  endpoint: string;
-  parameter: "SAMLRequest" | "SAMLResponse";
-  value: string;
-  relayState?: string;
-}): Response;
-declare function decodeRelayState(value: string | null): Record<string, unknown>;
-declare function encodeEnterpriseSamlRelayState(value: EnterpriseSamlRelayState): string;
-declare function decodeEnterpriseSamlRelayStateOrThrow(value: string | null): EnterpriseSamlRelayState;
-declare function readRequestBody(request: Request): Promise<Record<string, string>>;
-declare function readEnterpriseSamlHttpRequest(request: Request): Promise<EnterpriseSamlHttpRequest>;
-declare function createEnterpriseOidcProvider(config: Record<string, any>, redirectUri: string): Promise<{
-  provider: {
-    createAuthorizationURL(state: string, codeVerifier: string, requestedScopes: string[]): URL;
-    validateAuthorizationCode(code: string, codeVerifier?: string): Promise<{
-      data: Record<string, any>;
-      idToken(): string;
-      accessToken(): string;
-    }>;
-  };
-  oauthConfig: {
-    readonly scopes: string[];
-    readonly nonce: true;
-    readonly validateTokens: (tokens: any, ctx: {
-      nonce?: string;
-    }) => Promise<void>;
-    readonly accountLinking: any;
-    readonly profile: (tokens: any) => Promise<OAuthProfile>;
-  };
-}>;
-declare function createSyntheticOAuthMaterializedConfig(providerId: string): OAuthMaterializedConfig;
-declare function parseSamlIdpMetadata(metadata: string): ParsedSamlMetadata;
-declare function createServiceProviderMetadata(opts: {
-  entityId: string;
-  acsUrl: string;
-  sloUrl?: string;
-  authnRequestsSigned?: boolean;
-  signingCert?: string | string[];
-  encryptCert?: string | string[];
-  privateKey?: string;
-  privateKeyPass?: string;
-  encPrivateKey?: string;
-  encPrivateKeyPass?: string;
-}): any;
-declare function createEnterpriseSamlMetadataXml(opts: {
-  rootUrl: string;
-  source: EnterpriseSamlSource;
-  config: unknown;
-}): any;
-declare function getSamlServiceProviderOptions(opts: {
-  rootUrl: string;
-  source: EnterpriseSamlSource;
-  config: unknown;
-  overrides?: {
-    entityId?: string;
-    acsUrl?: string;
-    sloUrl?: string;
-  };
-  relayState?: string;
-}): {
-  entityId: any;
-  acsUrl: any;
-  sloUrl: any;
-  relayState: string | undefined;
-  authnRequestsSigned: any;
-  signingCert: any;
-  encryptCert: any;
-  privateKey: any;
-  privateKeyPass: any;
-  encPrivateKey: any;
-  encPrivateKeyPass: any;
-};
-declare function createSamlServiceProvider(opts: {
-  entityId: string;
-  acsUrl: string;
-  sloUrl?: string;
-  relayState?: string;
-  authnRequestsSigned?: boolean;
-  signingCert?: string | string[];
-  encryptCert?: string | string[];
-  privateKey?: string;
-  privateKeyPass?: string;
-  encPrivateKey?: string;
-  encPrivateKeyPass?: string;
-}): any;
-declare function createEnterpriseSamlRuntime(opts: {
-  rootUrl: string;
-  source: EnterpriseSamlSource;
-  config: unknown;
-  relayState?: string;
-  overrides?: {
-    entityId?: string;
-    acsUrl?: string;
-    sloUrl?: string;
-  };
-}): {
-  saml: Record<string, any>;
-  sp: any;
-  idp: any;
-  urls: EnterpriseSamlUrls;
-};
-declare function createEnterpriseSamlSignInRequest(opts: {
-  rootUrl: string;
-  source: EnterpriseSamlSource;
-  config: unknown;
-  state: string;
-  signature: string;
-  redirectTo?: string;
-}): {
-  requestId: string;
-  binding: string;
-  relayState: string;
-  redirectUrl: string | undefined;
-  post: {
-    endpoint: string;
-    value: string;
-  } | undefined;
-};
-declare function parseEnterpriseSamlLoginResponse(opts: {
-  request: Request;
-  rootUrl: string;
-  source: EnterpriseSamlSource;
-  config: unknown;
-}): Promise<{
-  runtime: {
-    saml: Record<string, any>;
-    sp: any;
-    idp: any;
-    urls: EnterpriseSamlUrls;
-  };
-  parsed: any;
-  relayState: EnterpriseSamlRelayState;
-  url: URL;
-  body: Record<string, string>;
-  query: Record<string, string>;
-  binding: "redirect" | "post";
-  hasSamlRequest: boolean;
-  hasSamlResponse: boolean;
-}>;
-declare function validateEnterpriseSamlLoginRelayState(opts: {
-  relayState: EnterpriseSamlRelayState;
-  source: EnterpriseSamlSource;
-  inResponseTo?: string;
-}): void;
-declare function parseEnterpriseSamlLogoutMessage(opts: {
-  request: Request;
-  rootUrl: string;
-  source: EnterpriseSamlSource;
-  config: unknown;
-}): Promise<{
-  runtime: {
-    saml: Record<string, any>;
-    sp: any;
-    idp: any;
-    urls: EnterpriseSamlUrls;
-  };
-  parsedRequest: any;
-  url: URL;
-  body: Record<string, string>;
-  query: Record<string, string>;
-  binding: "redirect" | "post";
-  relayState?: string;
-  hasSamlRequest: boolean;
-  hasSamlResponse: boolean;
-}>;
-declare function createEnterpriseOidcRuntime(opts: {
-  rootUrl: string;
-  enterpriseId: string;
-  config: unknown;
-}): Promise<{
-  signInUrl: string;
-  callbackUrl: string;
-  oidc: Record<string, any>;
-  providerId: string;
-  provider: {
-    createAuthorizationURL(state: string, codeVerifier: string, requestedScopes: string[]): URL;
-    validateAuthorizationCode(code: string, codeVerifier?: string): Promise<{
-      data: Record<string, any>;
-      idToken(): string;
-      accessToken(): string;
-    }>;
-  };
-  oauthConfig: {
-    readonly scopes: string[];
-    readonly nonce: true;
-    readonly validateTokens: (tokens: any, ctx: {
-      nonce?: string;
-    }) => Promise<void>;
-    readonly accountLinking: any;
-    readonly profile: (tokens: any) => Promise<OAuthProfile>;
-  };
-}>;
-declare function profileFromSamlExtract(extract: any, mapping?: SAMLAttributeMapping): {
-  id: string;
-  email: string | undefined;
-  emailVerified: boolean | undefined;
-  name: string | undefined;
-  samlAttributes: Record<string, unknown>;
-  samlSessionIndex: string | undefined;
-};
-declare function parseScimPath(pathname: string): {
-  enterpriseId: string;
-  resource: string;
-  resourceId: undefined;
-} | {
-  enterpriseId: string;
-  resource: string;
-  resourceId: string;
-};
-declare function parseScimListRequest(url: URL): ScimListRequest;
-declare function scimJson(data: unknown, status?: number, headers?: HeadersInit): Response;
-declare function scimError(status: number, scimType: string, detail: string): Response;
-declare function serializeScimUser(args: {
-  id: string;
-  user: Record<string, any>;
-  externalId?: string;
-  active?: boolean;
-  location?: string;
-}): {
-  schemas: string[];
-  id: string;
-  externalId: string | undefined;
-  meta: {
-    resourceType: string;
-    location: string | undefined;
-  };
-  userName: any;
-  active: boolean;
-  name: {
-    formatted: any;
-  } | undefined;
-  emails: {
-    value: string;
-    primary: boolean;
-  }[] | undefined;
-  phoneNumbers: {
-    value: string;
-    primary: boolean;
-  }[] | undefined;
-  displayName: any;
-};
-declare function serializeScimGroup(args: {
-  id: string;
-  group: Record<string, any>;
-  externalId?: string;
-  members?: Array<{
-    value: string;
-    display?: string;
-  }>;
-  location?: string;
-}): {
-  schemas: string[];
-  id: string;
-  externalId: string | undefined;
-  meta: {
-    resourceType: string;
-    location: string | undefined;
-  };
-  displayName: any;
-  members: {
-    value: string;
-    display?: string;
-  }[];
-};
-//#endregion
-export { ENTERPRISE_OIDC_PROVIDER_PREFIX, ENTERPRISE_SAML_PROVIDER_PREFIX, EnterpriseSamlHttpRequest, EnterpriseSamlLoadedSource, EnterpriseSamlRelayState, EnterpriseSamlSource, EnterpriseSamlUrls, ParsedSamlMetadata, SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID, ScimListRequest, createEnterpriseOidcProvider, createEnterpriseOidcRuntime, createEnterpriseSamlMetadataXml, createEnterpriseSamlRuntime, createEnterpriseSamlSignInRequest, createSamlPostBindingResponse, createSamlServiceProvider, createServiceProviderMetadata, createSyntheticOAuthMaterializedConfig, decodeEnterpriseSamlRelayStateOrThrow, decodeRelayState, encodeEnterpriseSamlRelayState, enterpriseOidcProviderId, enterpriseSamlProviderId, getEnterpriseOidcUrls, getEnterpriseSamlUrls, getOidcConfig, getSamlConfig, getSamlServiceProviderOptions, isEnterpriseProviderId, isEnterpriseSamlSourceActive, normalizeDomain, parseEnterpriseSamlLoginResponse, parseEnterpriseSamlLogoutMessage, parseSamlIdpMetadata, parseScimListRequest, parseScimPath, profileFromSamlExtract, readEnterpriseSamlHttpRequest, readRequestBody, scimError, scimJson, serializeScimGroup, serializeScimUser, upsertProtocolConfig, validateEnterpriseSamlLoginRelayState };
-//# sourceMappingURL=sso.d.ts.map
+export { };