@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (328) hide show
  1. package/README.md +140 -9
  2. package/dist/bin.cjs +5957 -5478
  3. package/dist/client/index.d.ts +3 -7
  4. package/dist/client/index.d.ts.map +1 -1
  5. package/dist/client/index.js +27 -26
  6. package/dist/client/index.js.map +1 -1
  7. package/dist/component/_generated/api.d.ts +14 -0
  8. package/dist/component/_generated/api.d.ts.map +1 -1
  9. package/dist/component/_generated/api.js.map +1 -1
  10. package/dist/component/_generated/component.d.ts +1672 -24
  11. package/dist/component/_generated/component.d.ts.map +1 -1
  12. package/dist/component/convex.config.d.ts +2 -2
  13. package/dist/component/convex.config.d.ts.map +1 -1
  14. package/dist/component/index.d.ts +1 -1
  15. package/dist/component/index.js +2 -2
  16. package/dist/component/model.d.ts +153 -0
  17. package/dist/component/model.d.ts.map +1 -0
  18. package/dist/component/model.js +343 -0
  19. package/dist/component/model.js.map +1 -0
  20. package/dist/component/providers/sso.d.ts +1 -1
  21. package/dist/component/public/enterprise.d.ts +54 -0
  22. package/dist/component/public/enterprise.d.ts.map +1 -0
  23. package/dist/component/public/enterprise.js +515 -0
  24. package/dist/component/public/enterprise.js.map +1 -0
  25. package/dist/component/public/factors.d.ts +52 -0
  26. package/dist/component/public/factors.d.ts.map +1 -0
  27. package/dist/component/public/factors.js +285 -0
  28. package/dist/component/public/factors.js.map +1 -0
  29. package/dist/component/public/groups.d.ts +116 -0
  30. package/dist/component/public/groups.d.ts.map +1 -0
  31. package/dist/component/public/groups.js +596 -0
  32. package/dist/component/public/groups.js.map +1 -0
  33. package/dist/component/public/identity.d.ts +93 -0
  34. package/dist/component/public/identity.d.ts.map +1 -0
  35. package/dist/component/public/identity.js +426 -0
  36. package/dist/component/public/identity.js.map +1 -0
  37. package/dist/component/public/keys.d.ts +41 -0
  38. package/dist/component/public/keys.d.ts.map +1 -0
  39. package/dist/component/public/keys.js +157 -0
  40. package/dist/component/public/keys.js.map +1 -0
  41. package/dist/component/public/shared.d.ts +26 -0
  42. package/dist/component/public/shared.d.ts.map +1 -0
  43. package/dist/component/public/shared.js +32 -0
  44. package/dist/component/public/shared.js.map +1 -0
  45. package/dist/component/public.d.ts +9 -321
  46. package/dist/component/public.d.ts.map +1 -1
  47. package/dist/component/public.js +6 -2145
  48. package/dist/component/schema.d.ts +406 -260
  49. package/dist/component/schema.js +37 -32
  50. package/dist/component/schema.js.map +1 -1
  51. package/dist/component/server/auth.d.ts +161 -15
  52. package/dist/component/server/auth.d.ts.map +1 -1
  53. package/dist/component/server/auth.js +100 -7
  54. package/dist/component/server/auth.js.map +1 -1
  55. package/dist/component/server/cookies.js +3 -0
  56. package/dist/component/server/cookies.js.map +1 -1
  57. package/dist/component/server/db.js +1 -0
  58. package/dist/component/server/db.js.map +1 -1
  59. package/dist/component/server/device.js +3 -1
  60. package/dist/component/server/device.js.map +1 -1
  61. package/dist/component/server/domains/core.js +629 -0
  62. package/dist/component/server/domains/core.js.map +1 -0
  63. package/dist/component/server/domains/sso.js +884 -0
  64. package/dist/component/server/domains/sso.js.map +1 -0
  65. package/dist/component/server/factory.d.ts +136 -0
  66. package/dist/component/server/factory.d.ts.map +1 -0
  67. package/dist/component/server/factory.js +1134 -0
  68. package/dist/component/server/factory.js.map +1 -0
  69. package/dist/component/server/fx.js +2 -1
  70. package/dist/component/server/fx.js.map +1 -1
  71. package/dist/component/server/http.js +287 -0
  72. package/dist/component/server/http.js.map +1 -0
  73. package/dist/component/server/identity.js +13 -0
  74. package/dist/component/server/identity.js.map +1 -0
  75. package/dist/component/server/keys.js +4 -0
  76. package/dist/component/server/keys.js.map +1 -1
  77. package/dist/component/server/mutations/account.js +1 -1
  78. package/dist/component/server/mutations/index.js +2 -2
  79. package/dist/component/server/mutations/index.js.map +1 -1
  80. package/dist/component/server/mutations/invalidate.js +1 -1
  81. package/dist/component/server/mutations/oauth.js +10 -7
  82. package/dist/component/server/mutations/oauth.js.map +1 -1
  83. package/dist/component/server/mutations/refresh.js +1 -1
  84. package/dist/component/server/mutations/register.js +1 -1
  85. package/dist/component/server/mutations/retrieve.js +1 -1
  86. package/dist/component/server/mutations/signature.js +1 -1
  87. package/dist/component/server/mutations/store.js +6 -3
  88. package/dist/component/server/mutations/store.js.map +1 -1
  89. package/dist/component/server/mutations/verify.js +1 -1
  90. package/dist/component/server/oauth.js +3 -0
  91. package/dist/component/server/oauth.js.map +1 -1
  92. package/dist/component/server/passkey.js +3 -2
  93. package/dist/component/server/passkey.js.map +1 -1
  94. package/dist/component/server/provider.js +2 -0
  95. package/dist/component/server/provider.js.map +1 -1
  96. package/dist/component/server/providers.js +10 -0
  97. package/dist/component/server/providers.js.map +1 -1
  98. package/dist/component/server/ratelimit.js +3 -0
  99. package/dist/component/server/ratelimit.js.map +1 -1
  100. package/dist/component/server/redirects.js +2 -0
  101. package/dist/component/server/redirects.js.map +1 -1
  102. package/dist/component/server/refresh.js +5 -0
  103. package/dist/component/server/refresh.js.map +1 -1
  104. package/dist/component/server/sessions.js +5 -0
  105. package/dist/component/server/sessions.js.map +1 -1
  106. package/dist/component/server/signin.js +2 -1
  107. package/dist/component/server/signin.js.map +1 -1
  108. package/dist/component/server/sso.js +166 -19
  109. package/dist/component/server/sso.js.map +1 -1
  110. package/dist/component/server/tokens.js +1 -0
  111. package/dist/component/server/tokens.js.map +1 -1
  112. package/dist/component/server/totp.js +4 -2
  113. package/dist/component/server/totp.js.map +1 -1
  114. package/dist/component/server/types.d.ts +106 -38
  115. package/dist/component/server/types.d.ts.map +1 -1
  116. package/dist/component/server/types.js.map +1 -1
  117. package/dist/component/server/users.js +1 -0
  118. package/dist/component/server/users.js.map +1 -1
  119. package/dist/component/server/utils.js +44 -2
  120. package/dist/component/server/utils.js.map +1 -1
  121. package/dist/providers/anonymous.d.ts +1 -1
  122. package/dist/providers/credentials.d.ts +1 -1
  123. package/dist/providers/password.d.ts +1 -1
  124. package/dist/providers/sso.d.ts +1 -1
  125. package/dist/providers/sso.js.map +1 -1
  126. package/dist/server/auth.d.ts +163 -17
  127. package/dist/server/auth.d.ts.map +1 -1
  128. package/dist/server/auth.js +100 -7
  129. package/dist/server/auth.js.map +1 -1
  130. package/dist/server/cookies.d.ts +1 -38
  131. package/dist/server/cookies.js +3 -0
  132. package/dist/server/cookies.js.map +1 -1
  133. package/dist/server/db.d.ts +1 -125
  134. package/dist/server/db.js +1 -0
  135. package/dist/server/db.js.map +1 -1
  136. package/dist/server/device.d.ts +1 -24
  137. package/dist/server/device.js +3 -1
  138. package/dist/server/device.js.map +1 -1
  139. package/dist/server/domains/core.d.ts +434 -0
  140. package/dist/server/domains/core.d.ts.map +1 -0
  141. package/dist/server/domains/core.js +629 -0
  142. package/dist/server/domains/core.js.map +1 -0
  143. package/dist/server/domains/sso.d.ts +409 -0
  144. package/dist/server/domains/sso.d.ts.map +1 -0
  145. package/dist/server/domains/sso.js +884 -0
  146. package/dist/server/domains/sso.js.map +1 -0
  147. package/dist/server/enterpriseValidators.d.ts +1 -0
  148. package/dist/server/enterpriseValidators.js +60 -0
  149. package/dist/server/enterpriseValidators.js.map +1 -0
  150. package/dist/server/factory.d.ts +136 -0
  151. package/dist/server/factory.d.ts.map +1 -0
  152. package/dist/server/factory.js +1134 -0
  153. package/dist/server/factory.js.map +1 -0
  154. package/dist/server/fx.d.ts +1 -16
  155. package/dist/server/fx.d.ts.map +1 -1
  156. package/dist/server/fx.js +1 -0
  157. package/dist/server/fx.js.map +1 -1
  158. package/dist/server/http.d.ts +59 -0
  159. package/dist/server/http.d.ts.map +1 -0
  160. package/dist/server/http.js +287 -0
  161. package/dist/server/http.js.map +1 -0
  162. package/dist/server/identity.d.ts +1 -0
  163. package/dist/server/identity.js +13 -0
  164. package/dist/server/identity.js.map +1 -0
  165. package/dist/server/index.d.ts +468 -1
  166. package/dist/server/index.d.ts.map +1 -1
  167. package/dist/server/index.js +530 -36
  168. package/dist/server/index.js.map +1 -1
  169. package/dist/server/keys.d.ts +1 -57
  170. package/dist/server/keys.js +4 -0
  171. package/dist/server/keys.js.map +1 -1
  172. package/dist/server/mutations/account.d.ts +7 -7
  173. package/dist/server/mutations/account.d.ts.map +1 -1
  174. package/dist/server/mutations/code.d.ts +13 -13
  175. package/dist/server/mutations/code.d.ts.map +1 -1
  176. package/dist/server/mutations/index.d.ts +107 -107
  177. package/dist/server/mutations/index.d.ts.map +1 -1
  178. package/dist/server/mutations/index.js +1 -1
  179. package/dist/server/mutations/index.js.map +1 -1
  180. package/dist/server/mutations/invalidate.d.ts +5 -5
  181. package/dist/server/mutations/invalidate.d.ts.map +1 -1
  182. package/dist/server/mutations/oauth.d.ts +10 -10
  183. package/dist/server/mutations/oauth.d.ts.map +1 -1
  184. package/dist/server/mutations/oauth.js +9 -6
  185. package/dist/server/mutations/oauth.js.map +1 -1
  186. package/dist/server/mutations/refresh.d.ts +4 -4
  187. package/dist/server/mutations/register.d.ts +12 -12
  188. package/dist/server/mutations/register.d.ts.map +1 -1
  189. package/dist/server/mutations/retrieve.d.ts +7 -7
  190. package/dist/server/mutations/signature.d.ts +5 -5
  191. package/dist/server/mutations/signin.d.ts +6 -6
  192. package/dist/server/mutations/signin.d.ts.map +1 -1
  193. package/dist/server/mutations/signout.d.ts +1 -1
  194. package/dist/server/mutations/store.d.ts +3 -2
  195. package/dist/server/mutations/store.d.ts.map +1 -1
  196. package/dist/server/mutations/store.js +6 -3
  197. package/dist/server/mutations/store.js.map +1 -1
  198. package/dist/server/mutations/verifier.d.ts +1 -1
  199. package/dist/server/mutations/verify.d.ts +11 -11
  200. package/dist/server/mutations/verify.d.ts.map +1 -1
  201. package/dist/server/oauth.d.ts +1 -59
  202. package/dist/server/oauth.js +3 -0
  203. package/dist/server/oauth.js.map +1 -1
  204. package/dist/server/passkey.d.ts.map +1 -1
  205. package/dist/server/passkey.js +3 -2
  206. package/dist/server/passkey.js.map +1 -1
  207. package/dist/server/provider.d.ts +1 -14
  208. package/dist/server/provider.d.ts.map +1 -1
  209. package/dist/server/provider.js +2 -0
  210. package/dist/server/provider.js.map +1 -1
  211. package/dist/server/providers.js +10 -0
  212. package/dist/server/providers.js.map +1 -1
  213. package/dist/server/ratelimit.d.ts +1 -22
  214. package/dist/server/ratelimit.js +3 -0
  215. package/dist/server/ratelimit.js.map +1 -1
  216. package/dist/server/redirects.d.ts +1 -10
  217. package/dist/server/redirects.js +2 -0
  218. package/dist/server/redirects.js.map +1 -1
  219. package/dist/server/refresh.d.ts +1 -37
  220. package/dist/server/refresh.js +5 -0
  221. package/dist/server/refresh.js.map +1 -1
  222. package/dist/server/sessions.d.ts +1 -28
  223. package/dist/server/sessions.js +5 -0
  224. package/dist/server/sessions.js.map +1 -1
  225. package/dist/server/signin.d.ts +1 -55
  226. package/dist/server/signin.js +2 -1
  227. package/dist/server/signin.js.map +1 -1
  228. package/dist/server/sso.d.ts +1 -348
  229. package/dist/server/sso.js +165 -18
  230. package/dist/server/sso.js.map +1 -1
  231. package/dist/server/templates.d.ts +1 -21
  232. package/dist/server/templates.js +1 -0
  233. package/dist/server/templates.js.map +1 -1
  234. package/dist/server/tokens.d.ts +1 -11
  235. package/dist/server/tokens.js +1 -0
  236. package/dist/server/tokens.js.map +1 -1
  237. package/dist/server/totp.d.ts +1 -23
  238. package/dist/server/totp.js +4 -2
  239. package/dist/server/totp.js.map +1 -1
  240. package/dist/server/types.d.ts +114 -77
  241. package/dist/server/types.d.ts.map +1 -1
  242. package/dist/server/types.js.map +1 -1
  243. package/dist/server/users.d.ts +1 -31
  244. package/dist/server/users.js +1 -0
  245. package/dist/server/users.js.map +1 -1
  246. package/dist/server/utils.d.ts +1 -27
  247. package/dist/server/utils.js +44 -2
  248. package/dist/server/utils.js.map +1 -1
  249. package/dist/server/version.d.ts +1 -1
  250. package/dist/server/version.js +1 -1
  251. package/dist/server/version.js.map +1 -1
  252. package/package.json +4 -5
  253. package/src/cli/bin.ts +5 -0
  254. package/src/cli/index.ts +22 -9
  255. package/src/cli/keys.ts +3 -0
  256. package/src/client/index.ts +36 -37
  257. package/src/component/_generated/api.ts +14 -0
  258. package/src/component/_generated/component.ts +2106 -9
  259. package/src/component/index.ts +3 -1
  260. package/src/component/model.ts +441 -0
  261. package/src/component/public/enterprise.ts +753 -0
  262. package/src/component/public/factors.ts +332 -0
  263. package/src/component/public/groups.ts +932 -0
  264. package/src/component/public/identity.ts +566 -0
  265. package/src/component/public/keys.ts +209 -0
  266. package/src/component/public/shared.ts +119 -0
  267. package/src/component/public.ts +5 -2965
  268. package/src/component/schema.ts +68 -63
  269. package/src/providers/sso.ts +1 -1
  270. package/src/server/auth.ts +413 -18
  271. package/src/server/cookies.ts +3 -0
  272. package/src/server/db.ts +3 -0
  273. package/src/server/device.ts +3 -1
  274. package/src/server/domains/core.ts +1071 -0
  275. package/src/server/domains/sso.ts +1749 -0
  276. package/src/server/enterpriseValidators.ts +93 -0
  277. package/src/server/factory.ts +2181 -0
  278. package/src/server/fx.ts +1 -0
  279. package/src/server/http.ts +529 -0
  280. package/src/server/identity.ts +18 -0
  281. package/src/server/index.ts +806 -40
  282. package/src/server/keys.ts +4 -0
  283. package/src/server/mutations/index.ts +1 -1
  284. package/src/server/mutations/oauth.ts +36 -8
  285. package/src/server/mutations/store.ts +6 -3
  286. package/src/server/oauth.ts +6 -0
  287. package/src/server/passkey.ts +3 -2
  288. package/src/server/provider.ts +2 -0
  289. package/src/server/providers.ts +20 -0
  290. package/src/server/ratelimit.ts +3 -0
  291. package/src/server/redirects.ts +2 -0
  292. package/src/server/refresh.ts +5 -0
  293. package/src/server/sessions.ts +5 -0
  294. package/src/server/signin.ts +1 -0
  295. package/src/server/sso.ts +259 -17
  296. package/src/server/templates.ts +1 -0
  297. package/src/server/tokens.ts +1 -0
  298. package/src/server/totp.ts +4 -2
  299. package/src/server/types.ts +178 -83
  300. package/src/server/users.ts +1 -0
  301. package/src/server/utils.ts +71 -1
  302. package/src/server/version.ts +1 -1
  303. package/dist/component/public.js.map +0 -1
  304. package/dist/component/server/implementation.d.ts +0 -1264
  305. package/dist/component/server/implementation.d.ts.map +0 -1
  306. package/dist/component/server/implementation.js +0 -2365
  307. package/dist/component/server/implementation.js.map +0 -1
  308. package/dist/server/cookies.d.ts.map +0 -1
  309. package/dist/server/db.d.ts.map +0 -1
  310. package/dist/server/device.d.ts.map +0 -1
  311. package/dist/server/implementation.d.ts +0 -1264
  312. package/dist/server/implementation.d.ts.map +0 -1
  313. package/dist/server/implementation.js +0 -2365
  314. package/dist/server/implementation.js.map +0 -1
  315. package/dist/server/keys.d.ts.map +0 -1
  316. package/dist/server/oauth.d.ts.map +0 -1
  317. package/dist/server/ratelimit.d.ts.map +0 -1
  318. package/dist/server/redirects.d.ts.map +0 -1
  319. package/dist/server/refresh.d.ts.map +0 -1
  320. package/dist/server/sessions.d.ts.map +0 -1
  321. package/dist/server/signin.d.ts.map +0 -1
  322. package/dist/server/sso.d.ts.map +0 -1
  323. package/dist/server/templates.d.ts.map +0 -1
  324. package/dist/server/tokens.d.ts.map +0 -1
  325. package/dist/server/totp.d.ts.map +0 -1
  326. package/dist/server/users.d.ts.map +0 -1
  327. package/dist/server/utils.d.ts.map +0 -1
  328. package/src/server/implementation.ts +0 -5336
package/dist/server/types.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"types.js","names":[],"sources":["../../src/server/types.ts"],"sourcesContent":["import {\n AnyDataModel,\n DataModelFromSchemaDefinition,\n DocumentByName,\n FunctionReference,\n GenericActionCtx,\n GenericDataModel,\n GenericMutationCtx,\n GenericQueryCtx,\n RegisteredAction,\n RegisteredMutation,\n RegisteredQuery,\n TableNamesInDataModel,\n} from \"convex/server\";\nimport { GenericId, Value } from \"convex/values\";\n\nimport schema from \"../component/schema\";\nimport { CredentialsUserConfig } from \"../providers/credentials\";\n\n// ============================================================================\n// Utility types\n// ============================================================================\n\n/** A value that is either `T` or a `PromiseLike<T>`. */\nexport type Awaitable<T> = T | PromiseLike<T>;\n\n/**\n * The config for the Convex Auth library, passed to `createAuth`.\n */\nexport type ConvexAuthConfig = {\n /**\n * A list of authentication provider configs.\n *\n * You can import existing configs from\n * `@robelest/convex-auth/providers/<provider-name>`\n */\n providers: AuthProviderConfig[];\n /**\n * Auth component reference from `components.auth`.\n *\n * Core auth storage operations are executed through\n * the component API boundary.\n */\n component: AuthComponentApi;\n /**\n * Session configuration.\n */\n session?: {\n /**\n * How long can a user session last without the user reauthenticating.\n *\n * Defaults to 30 days.\n */\n totalDurationMs?: number;\n /**\n * How long can a user session last without the user being active.\n *\n * Defaults to 30 days.\n */\n inactiveDurationMs?: number;\n };\n /**\n * JWT configuration.\n */\n jwt?: {\n /**\n * How long is the JWT valid for after it is signed initially.\n *\n * Defaults to 1 hour.\n */\n durationMs?: number;\n };\n /**\n * Sign-in configuration.\n */\n signIn?: {\n /**\n * How many times can the user fail to provide the correct credentials\n * (password, OTP) per hour.\n *\n * Defaults to 10 times per hour (that is 10 failed attempts, and then\n * allow another one every 6 minutes).\n */\n maxFailedAttemptsPerHour?: number;\n };\n /**\n * Lifecycle callbacks for customizing sign-in behavior.\n *\n * Use `redirect` to control post-OAuth redirect URLs, and\n * `createOrUpdateUser` or `afterUserCreatedOrUpdated` to\n * customize account linking and user document creation.\n */\n callbacks?: {\n /**\n * Control which URLs are allowed as a destination after OAuth sign-in\n * and for magic links:\n *\n * ```ts\n * import { createAuth } from \"@robelest/convex-auth/component\";\n * import { components } from \"./_generated/api\";\n *\n * const auth = createAuth(components.auth, {\n * providers: [google],\n * callbacks: {\n * async redirect({ redirectTo }) {\n * // Check that redirectTo is valid\n * // and return the relative or absolute URL\n * // to redirect to.\n * },\n * },\n * });\n * ```\n *\n * Convex Auth performs redirect only during OAuth sign-in. By default,\n * it redirects back to the URL specified via the `SITE_URL` environment\n * variable. Similarly magic links link to `SITE_URL`.\n *\n * You can customize that behavior by providing a `redirectTo` param\n * to the `signIn` function:\n *\n * ```ts\n * signIn(\"google\", { redirectTo: \"/dashboard\" })\n * ```\n *\n * You can even redirect to a different site.\n *\n * This callback, if specified, is then called with the provided\n * `redirectTo` param. Otherwise, only query params, relative paths\n * and URLs starting with `SITE_URL` are allowed.\n */\n redirect?: (params: {\n /**\n * The param value passed to the `signIn` function.\n */\n redirectTo: string;\n }) => Promise<string>;\n /**\n * Completely control account linking via this callback.\n *\n * This callback is called during the sign-in process,\n * before account creation and token generation.\n * If specified, this callback is responsible for creating\n * or updating the user document.\n *\n * For \"credentials\" providers, the callback is only called\n * when `createAccount` is called.\n */\n createOrUpdateUser?: (\n ctx: GenericMutationCtx<AnyDataModel>,\n args: {\n /**\n * If this is a sign-in to an existing account,\n * this is the existing user ID linked to that account.\n */\n existingUserId: GenericId<\"User\"> | null;\n /**\n * The provider type or \"verification\" if this callback is called\n * after an email or phone token verification.\n */\n type: \"oauth\" | \"credentials\" | \"email\" | \"phone\" | \"verification\";\n /**\n * The provider used for the sign-in, or the provider\n * tied to the account which is having the email or phone verified.\n */\n provider: AuthProviderMaterializedConfig;\n /**\n * - The profile returned by the OAuth provider's `profile` method.\n * - The profile passed to `createAccount` from a ConvexCredentials\n * config.\n * - The email address to which an email will be sent.\n * - The phone number to which a text will be sent.\n */\n profile: Record<string, unknown> & {\n email?: string;\n phone?: string;\n emailVerified?: boolean;\n phoneVerified?: boolean;\n };\n /**\n * The `shouldLink` argument passed to `createAccount`.\n */\n shouldLink?: boolean;\n },\n ) => Promise<GenericId<\"User\">>;\n /**\n * Perform additional writes after a user is created.\n *\n * This callback is called during the sign-in process,\n * after the user is created or updated,\n * before account creation and token generation.\n *\n * **This callback is only called if `createOrUpdateUser`\n * is not specified.** If `createOrUpdateUser` is specified,\n * you can perform any additional writes in that callback.\n *\n * For \"credentials\" providers, the callback is only called\n * when `createAccount` is called.\n */\n afterUserCreatedOrUpdated?: (\n ctx: GenericMutationCtx<AnyDataModel>,\n args: {\n /**\n * The ID of the user that is being signed in.\n */\n userId: GenericId<\"User\">;\n /**\n * If this is a sign-in to an existing account,\n * this is the existing user ID linked to that account.\n */\n existingUserId: GenericId<\"User\"> | null;\n /**\n * The provider type or \"verification\" if this callback is called\n * after an email or phone token verification.\n */\n type: \"oauth\" | \"credentials\" | \"email\" | \"phone\" | \"verification\";\n /**\n * The provider used for the sign-in, or the provider\n * tied to the account which is having the email or phone verified.\n */\n provider: AuthProviderMaterializedConfig;\n /**\n * - The profile returned by the OAuth provider's `profile` method.\n * - The profile passed to `createAccount` from a ConvexCredentials\n * config.\n * - The email address to which an email will be sent.\n * - The phone number to which a text will be sent.\n */\n profile: Record<string, unknown> & {\n email?: string;\n phone?: string;\n emailVerified?: boolean;\n phoneVerified?: boolean;\n };\n /**\n * The `shouldLink` argument passed to `createAccount`.\n */\n shouldLink?: boolean;\n },\n ) => Promise<void>;\n };\n};\n\n/**\n * Union of all supported auth provider config types.\n *\n * Includes Arctic-based OAuth providers (via the `OAuth()` factory),\n * plus library-native providers: credentials, email, phone, passkey\n * (WebAuthn), and TOTP (2FA). Each can be passed as a config object\n * or a factory function.\n */\nexport type AuthProviderConfig =\n | import(\"../providers/oauth\").OAuthProviderInstance\n | import(\"../providers/password\").Password\n | import(\"../providers/passkey\").Passkey\n | import(\"../providers/totp\").Totp\n | import(\"../providers/anonymous\").Anonymous\n | import(\"../providers/device\").Device\n | import(\"../providers/sso\").SSO\n | import(\"../providers/email\").Email\n | import(\"../providers/phone\").Phone\n | OAuthMaterializedConfig\n | ConvexCredentialsConfig\n | ((...args: any) => ConvexCredentialsConfig)\n | EmailConfig\n | ((...args: any) => EmailConfig)\n | PhoneConfig\n | ((...args: any) => PhoneConfig)\n | PasskeyProviderConfig\n | ((...args: any) => PasskeyProviderConfig)\n | TotpProviderConfig\n | ((...args: any) => TotpProviderConfig)\n | DeviceProviderConfig\n | ((...args: any) => DeviceProviderConfig)\n | SSOProviderConfig;\n\n/**\n * Minimal config stored for the SSO provider at runtime.\n * No options — enterprise configuration is entirely per-tenant runtime state.\n */\nexport interface SSOProviderConfig {\n id: string;\n type: \"sso\";\n}\n\n/**\n * Email provider config for magic link / OTP sign-in.\n */\nexport interface EmailConfig<\n DataModel extends GenericDataModel = GenericDataModel,\n> {\n /** Provider identifier (e.g. `\"email\"`, `\"resend\"`). */\n id: string;\n /** Discriminant for provider type routing. */\n type: \"email\";\n /** Display name for this provider. */\n name?: string;\n /** Sender address (e.g. `\"My App <noreply@example.com>\"`). */\n from?: string;\n /** Token expiration in seconds. Defaults to 86 400 (24 hours). */\n maxAge?: number;\n /**\n * Send the verification token to the user.\n *\n * Accepts an optional Convex action context as the second argument,\n * enabling use with Convex components like `@convex-dev/resend`.\n */\n sendVerificationRequest: (\n params: {\n identifier: string;\n url: string;\n expires: Date;\n provider: EmailConfig;\n token: string;\n request: Request;\n },\n ctx?: GenericActionCtx<AnyDataModel>,\n ) => Awaitable<void>;\n /**\n * Override to generate a custom verification token.\n * Tokens shorter than 24 characters are treated as OTPs and\n * require the original email to be re-submitted for verification.\n */\n generateVerificationToken?: () => Awaitable<string>;\n /**\n * Normalize the email address before storage / lookup.\n * Defaults to lowercasing and trimming whitespace.\n */\n normalizeIdentifier?: (identifier: string) => string;\n /**\n * Before the token is verified, check other\n * provided parameters.\n *\n * Used to make sure that OTPs are accompanied\n * with the correct email address.\n */\n authorize?: (\n /**\n * The values passed to the `signIn` function.\n */\n params: Record<string, Value | undefined>,\n account: GenericDoc<DataModel, \"Account\">,\n ) => Promise<void>;\n /** Raw user options before merging with defaults. */\n options: EmailUserConfig<DataModel>;\n}\n\n/**\n * Configurable options for an email provider config.\n */\nexport type EmailUserConfig<\n DataModel extends GenericDataModel = GenericDataModel,\n> = Omit<Partial<EmailConfig<DataModel>>, \"options\" | \"type\">;\n\n/**\n * Same as email provider config, but verifies\n * phone number instead of the email address.\n */\nexport interface PhoneConfig<\n DataModel extends GenericDataModel = GenericDataModel,\n> {\n id: string;\n type: \"phone\";\n /**\n * Token expiration in seconds.\n */\n maxAge: number;\n /**\n * Send the phone number verification request.\n */\n sendVerificationRequest: (\n params: {\n identifier: string;\n url: string;\n expires: Date;\n provider: PhoneConfig;\n token: string;\n },\n ctx: GenericActionCtxWithAuthConfig<DataModel>,\n ) => Promise<void>;\n /**\n * Defaults to `process.env.AUTH_<PROVIDER_ID>_KEY`.\n */\n apiKey?: string;\n /**\n * Override this to generate a custom token.\n * Note that the tokens are assumed to be cryptographically secure.\n * Any tokens shorter than 24 characters are assumed to not\n * be secure enough on their own, and require providing\n * the original `phone` used in the initial `signIn` call.\n * @returns\n */\n generateVerificationToken?: () => Promise<string>;\n /**\n * Normalize the phone number.\n * @param identifier Passed as `phone` in params of `signIn`.\n * @returns The phone number used in `sendVerificationRequest`.\n */\n normalizeIdentifier?: (identifier: string) => string;\n /**\n * Before the token is verified, check other\n * provided parameters.\n *\n * Used to make sure tha OTPs are accompanied\n * with the correct phone number.\n */\n authorize?: (\n /**\n * The values passed to the `signIn` function.\n */\n params: Record<string, Value | undefined>,\n account: GenericDoc<DataModel, \"Account\">,\n ) => Promise<void>;\n options: PhoneUserConfig<DataModel>;\n}\n\n/**\n * Configurable options for a phone provider config.\n */\nexport type PhoneUserConfig<\n DataModel extends GenericDataModel = GenericDataModel,\n> = Omit<Partial<PhoneConfig<DataModel>>, \"options\" | \"type\">;\n\n/**\n * Credentials provider config used by Convex Auth.\n */\nexport type ConvexCredentialsConfig = CredentialsUserConfig<any> & {\n type: \"credentials\";\n id: string;\n};\n\n/**\n * Configuration for the passkey (WebAuthn) provider.\n */\nexport interface PasskeyProviderConfig {\n id: string;\n type: \"passkey\";\n options: {\n /** Relying Party display name. Defaults to SITE_URL hostname. */\n rpName?: string;\n /** Relying Party ID (hostname). Defaults to SITE_URL hostname. */\n rpId?: string;\n /** Allowed origins for credential verification. Defaults to SITE_URL. */\n origin?: string | string[];\n /** Attestation conveyance preference. Defaults to \"none\". */\n attestation?: \"none\" | \"direct\";\n /** User verification requirement. Defaults to \"required\". */\n userVerification?: \"required\" | \"preferred\" | \"discouraged\";\n /** Resident key (discoverable credential) preference. Defaults to \"preferred\". */\n residentKey?: \"required\" | \"preferred\" | \"discouraged\";\n /** Restrict to platform or cross-platform authenticators. */\n authenticatorAttachment?: \"platform\" | \"cross-platform\";\n /** Supported COSE algorithms. Defaults to [-7 (ES256), -257 (RS256)]. */\n algorithms?: number[];\n /** Challenge expiration in ms. Defaults to 300_000 (5 minutes). */\n challengeExpirationMs?: number;\n };\n}\n\n/**\n * Configuration for the TOTP two-factor authentication provider.\n */\nexport interface TotpProviderConfig {\n id: string;\n type: \"totp\";\n options: {\n /** Issuer name shown in authenticator apps (e.g. \"My App\"). */\n issuer: string;\n /** Number of digits in each code (default: 6). */\n digits: number;\n /** Time period in seconds for code rotation (default: 30). */\n period: number;\n };\n}\n\n// ============================================================================\n// OAuth types (Arctic-based)\n// ============================================================================\n\n/**\n * Normalized user profile returned by an OAuth provider.\n *\n * `id` is the provider-specific account identifier (e.g. GitHub user ID).\n */\nexport interface OAuthProfile {\n id: string;\n name?: string;\n email?: string;\n image?: string;\n /** Additional claims from the ID token or userinfo endpoint. */\n [key: string]: unknown;\n}\n\n/**\n * Internal config shape for an OAuth provider after normalization.\n *\n * This is what the OAuth flow code receives — it maps to the user-facing\n * `OAuthConfig` from `@robelest/convex-auth/providers`.\n *\n * @internal\n */\nexport interface OAuthProviderConfig {\n /** OAuth scopes to request. */\n scopes?: string[];\n /** User-provided profile extraction callback. */\n profile?: (tokens: import(\"arctic\").OAuth2Tokens) => Promise<OAuthProfile>;\n}\n\n/** Credentials identifying a provider account (e.g. email + hashed password). */\nexport type AuthAccountCredentials = {\n /** Provider-specific account identifier (e.g. email address). */\n id: string;\n /** Optional secret (e.g. hashed password). */\n secret?: string;\n};\n\n/** Arguments for `auth.account.create()`. */\nexport type AuthCreateAccountArgs = {\n provider: string;\n account: AuthAccountCredentials;\n profile: Record<string, unknown> & {\n email?: string;\n phone?: string;\n emailVerified?: boolean;\n phoneVerified?: boolean;\n };\n shouldLinkViaEmail?: boolean;\n shouldLinkViaPhone?: boolean;\n};\n\n/** Arguments for `auth.account.get()`. */\nexport type AuthRetrieveAccountArgs = {\n provider: string;\n account: AuthAccountCredentials;\n};\n\n/** Arguments for `auth.account.update()`. */\nexport type AuthUpdateAccountArgs = {\n provider: string;\n account: {\n id: string;\n secret: string;\n };\n};\n\n/** Arguments for `auth.session.invalidate()`. */\nexport type AuthInvalidateSessionsArgs = {\n userId: GenericId<\"User\">;\n except?: GenericId<\"Session\">[];\n};\n\n/** Arguments for `auth.provider.signIn()`. */\nexport type AuthProviderSignInArgs = {\n accountId?: GenericId<\"Account\">;\n params?: Record<string, Value | undefined>;\n};\n\n/** Return type of `auth.provider.signIn()` — user and session IDs, or `null` on failure. */\nexport type AuthProviderSignInResult = {\n userId: GenericId<\"User\">;\n sessionId: GenericId<\"Session\">;\n} | null;\n\n/** Server-side auth helpers available on enriched action contexts. */\nexport type AuthServerHelpers = {\n account: {\n create: (\n ctx: GenericActionCtx<any>,\n args: AuthCreateAccountArgs,\n ) => Promise<{\n account: GenericDoc<GenericDataModel, \"Account\">;\n user: GenericDoc<GenericDataModel, \"User\">;\n }>;\n get: (\n ctx: GenericActionCtx<any>,\n args: AuthRetrieveAccountArgs,\n ) => Promise<{\n account: GenericDoc<GenericDataModel, \"Account\">;\n user: GenericDoc<GenericDataModel, \"User\">;\n }>;\n update: (\n ctx: GenericActionCtx<any>,\n args: AuthUpdateAccountArgs,\n ) => Promise<void>;\n };\n session: {\n current: (ctx: {\n auth: GenericActionCtx<GenericDataModel>[\"auth\"];\n }) => Promise<GenericId<\"Session\"> | null>;\n invalidate: (\n ctx: GenericActionCtx<any>,\n args: AuthInvalidateSessionsArgs,\n ) => Promise<void>;\n };\n provider: {\n signIn: (\n ctx: GenericActionCtx<any>,\n provider: AuthProviderConfig,\n args: AuthProviderSignInArgs,\n ) => Promise<AuthProviderSignInResult>;\n };\n};\n\n/**\n * Your `ActionCtx` enriched with `ctx.auth.config` field with\n * the config passed to `createAuth`.\n */\nexport type GenericActionCtxWithAuthConfig<DataModel extends GenericDataModel> =\n GenericActionCtx<DataModel> & {\n auth: GenericActionCtx<DataModel>[\"auth\"] & {\n config: ConvexAuthMaterializedConfig;\n } & AuthServerHelpers;\n };\n\n/**\n * The config for the Convex Auth library, passed to `createAuth`,\n * with defaults and initialized providers.\n *\n * See {@link ConvexAuthConfig}\n */\nexport type ConvexAuthMaterializedConfig = {\n providers: AuthProviderMaterializedConfig[];\n} & Pick<\n ConvexAuthConfig,\n \"component\" | \"session\" | \"jwt\" | \"signIn\" | \"callbacks\"\n>;\n\nexport interface SAMLAttributeMapping {\n subject?: string;\n email?: string;\n name?: string;\n firstName?: string;\n lastName?: string;\n}\n\n/**\n * Materialized OAuth provider config (Arctic-based).\n *\n * Carries the Arctic provider instance along with scopes and profile config.\n * Produced by materializing an `OAuthProviderInstance` during `configDefaults`.\n */\nexport interface OAuthMaterializedConfig {\n readonly id: string;\n readonly type: \"oauth\";\n /** The Arctic provider instance. */\n readonly provider: any;\n /** OAuth scopes to request. */\n readonly scopes: string[];\n /** User-provided profile extraction callback. */\n readonly profile?: (\n tokens: import(\"arctic\").OAuth2Tokens,\n ) => Promise<OAuthProfile>;\n /** Account-linking policy for OAuth identities. Defaults to verified email linking. */\n readonly accountLinking?: \"verifiedEmail\" | \"none\";\n}\n\n/**\n * Device authorization provider config (RFC 8628).\n *\n * Enables input-constrained devices (CLIs, TVs, IoT) to authenticate\n * by displaying a short code that the user enters on a secondary device.\n */\nexport interface DeviceProviderConfig {\n id: string;\n type: \"device\";\n /** User code character set. Default: `\"BCDFGHJKLMNPQRSTVWXZ\"` (base-20, no vowels). */\n charset: string;\n /** User code length. Default: 8. */\n userCodeLength: number;\n /** Device code + user code lifetime in seconds. Default: 900 (15 min). */\n expiresIn: number;\n /** Minimum polling interval in seconds. Default: 5. */\n interval: number;\n /**\n * Base URL for the verification page (e.g. `\"http://localhost:3000/device\"`).\n *\n * This is where users go to enter the device code. If not provided,\n * falls back to `SITE_URL + \"/device\"`.\n */\n verificationUri?: string;\n}\n\n/**\n * Materialized auth provider config — the fully resolved form stored at runtime.\n */\nexport type AuthProviderMaterializedConfig =\n | OAuthMaterializedConfig\n | EmailConfig\n | PhoneConfig\n | ConvexCredentialsConfig\n | PasskeyProviderConfig\n | TotpProviderConfig\n | DeviceProviderConfig\n | SSOProviderConfig;\n\n/**\n * Resolves to `true` when the providers list includes `SSO`, otherwise `false`.\n *\n * Used to make `auth.sso` conditionally present on the `createAuth`\n * return type — it only appears when `new SSO()` is in the providers array.\n */\nexport type HasSSO<P extends AuthProviderConfig[]> =\n import(\"../providers/sso\").SSO extends P[number] ? true : false;\n\nexport type HasPasskeyProvider<P extends AuthProviderConfig[]> =\n import(\"../providers/passkey\").Passkey extends P[number] ? true : false;\n\nexport type HasTotpProvider<P extends AuthProviderConfig[]> =\n import(\"../providers/totp\").Totp extends P[number] ? true : false;\n\nexport type HasDeviceProvider<P extends AuthProviderConfig[]> =\n import(\"../providers/device\").Device extends P[number] ? true : false;\n\n// ============================================================================\n// API Key types\n// ============================================================================\n\n/**\n * A single scope entry stored per API key.\n * Uses a resource:action pattern for structured permissions.\n *\n * ```ts\n * { resource: \"users\", actions: [\"read\", \"list\"] }\n * ```\n */\nexport interface KeyScope {\n resource: string;\n actions: string[];\n}\n\n/**\n * Result of scope verification. Provides a `.can()` helper\n * for checking if a key has a specific permission.\n *\n * ```ts\n * const result = await auth.key.verify(ctx, rawKey);\n * if (result.scopes.can(\"users\", \"read\")) {\n * // authorized\n * }\n * ```\n */\nexport interface ScopeChecker {\n /** Check if the key has permission for a given resource:action. */\n can(resource: string, action: string): boolean;\n /** The raw scope entries from the key. */\n scopes: KeyScope[];\n}\n\n/**\n * An API key record as returned by `auth.key.list()` and `auth.key.get()`.\n * Never includes the raw key material — only the display prefix.\n */\nexport interface KeyRecord {\n /** Document ID. */\n _id: string;\n /** Owner user ID. */\n userId: string;\n /** Display prefix (e.g. `\"sk_abc1\"`). Safe to show in UIs. */\n prefix: string;\n /** Human-readable name (e.g. \"CI Pipeline\"). */\n name: string;\n /** Resource:action permissions granted to this key. */\n scopes: KeyScope[];\n /** Per-key rate limit, if configured. */\n rateLimit?: { maxRequests: number; windowMs: number };\n /** Expiration timestamp (ms since epoch), or `undefined` for no expiry. */\n expiresAt?: number;\n /** Timestamp of last successful verification, or `undefined` if never used. */\n lastUsedAt?: number;\n /** Creation timestamp (ms since epoch). */\n createdAt: number;\n /** `true` when the key has been revoked (soft-deleted). */\n revoked: boolean;\n /** Arbitrary app-specific metadata attached to the key. */\n metadata?: Record<string, unknown>;\n}\n\n// ============================================================================\n// Unified List API types\n// ============================================================================\n\n/**\n * Options for paginated list queries. Every entity list method uses this\n * same shape with entity-specific `TWhere` and `TOrderBy` type parameters.\n *\n * ```ts\n * const result = await auth.group.list(ctx, {\n * where: { type: \"team\" },\n * limit: 20,\n * orderBy: \"name\",\n * order: \"asc\",\n * });\n * ```\n */\nexport type ListOptions<\n TWhere extends Record<string, unknown>,\n TOrderBy extends string,\n> = {\n /** Serializable filter — only known fields for the entity. */\n where?: TWhere;\n /** Maximum number of items to return. Defaults to 50, max 100. */\n limit?: number;\n /** Opaque cursor from a previous `ListResult.nextCursor`. */\n cursor?: string | null;\n /** Field to sort by. Defaults to `\"_creationTime\"`. */\n orderBy?: TOrderBy;\n /** Sort direction. Defaults to `\"desc\"`. */\n order?: \"asc\" | \"desc\";\n};\n\n/**\n * Paginated list result returned by every entity list method.\n */\nexport type ListResult<T> = {\n /** The page of items. */\n items: T[];\n /** Opaque cursor for the next page, or `null` when exhausted. */\n nextCursor: string | null;\n};\n\n// -- Per-entity Where / OrderBy types --\n\n/**\n * A single key/value tag for group classification.\n *\n * Tags are normalized at write time: both `key` and `value` are\n * trimmed and lowercased. Filtering is strict exact-match only.\n */\nexport type GroupTag = {\n key: string;\n value: string;\n};\n\n/** Filter fields for `auth.group.list()`. All optional. */\nexport type GroupWhere = {\n slug?: string;\n type?: string;\n parentGroupId?: string;\n name?: string;\n /** When `true`, return only root groups (no parent). When `false`, only non-root. */\n isRoot?: boolean;\n /**\n * Return only groups that have **all** of the specified tags.\n * Each tag is matched exactly on normalized `(key, value)`.\n */\n tagsAll?: GroupTag[];\n /**\n * Return only groups that have **at least one** of the specified tags.\n * Each tag is matched exactly on normalized `(key, value)`.\n */\n tagsAny?: GroupTag[];\n};\n\n/** Sortable fields for `auth.group.list()`. */\nexport type GroupOrderBy = \"_creationTime\" | \"name\" | \"slug\" | \"type\";\n\n/** Filter fields for `auth.member.list()`. All optional. */\nexport type MemberWhere = {\n groupId?: string;\n userId?: string;\n role?: string;\n status?: string;\n};\n\n/** Sortable fields for `auth.member.list()`. */\nexport type MemberOrderBy = \"_creationTime\" | \"role\" | \"status\";\n\n/** Filter fields for `auth.invite.list()`. All optional. */\nexport type InviteWhere = {\n tokenHash?: string;\n groupId?: string;\n status?: \"pending\" | \"accepted\" | \"revoked\" | \"expired\";\n email?: string;\n invitedByUserId?: string;\n role?: string;\n acceptedByUserId?: string;\n};\n\n/** Sortable fields for `auth.invite.list()`. */\nexport type InviteOrderBy =\n | \"_creationTime\"\n | \"status\"\n | \"email\"\n | \"expiresTime\"\n | \"acceptedTime\";\n\n/** Filter fields for `auth.key.list()`. All optional. */\nexport type KeyWhere = {\n userId?: string;\n revoked?: boolean;\n name?: string;\n prefix?: string;\n};\n\n/** Sortable fields for `auth.key.list()`. */\nexport type KeyOrderBy =\n | \"_creationTime\"\n | \"name\"\n | \"lastUsedAt\"\n | \"expiresAt\"\n | \"revoked\";\n\n/** Filter fields for `auth.user.list()`. All optional. */\nexport type UserWhere = {\n email?: string;\n phone?: string;\n isAnonymous?: boolean;\n name?: string;\n};\n\n/** Sortable fields for `auth.user.list()`. */\nexport type UserOrderBy = \"_creationTime\" | \"name\" | \"email\" | \"phone\";\n\n// ============================================================================\n// HTTP Bearer Auth types\n// ============================================================================\n\n/**\n * Context injected into `auth.http.action()` and `auth.http.route()` handlers.\n *\n * The handler's `ctx` receives these fields after Bearer token verification:\n *\n * ```ts\n * auth.http.route(http, {\n * path: \"/api/data\",\n * method: \"GET\",\n * handler: async (ctx, request) => {\n * ctx.key.userId; // owner of the API key\n * ctx.key.keyId; // the key document ID\n * ctx.key.scopes.can(\"data\", \"read\"); // scope check\n * },\n * });\n * ```\n */\nexport interface HttpKeyContext {\n key: {\n /** The user ID that owns the verified API key. */\n userId: string;\n /** The API key document ID. */\n keyId: string;\n /** Scope checker for the verified key's permissions. */\n scopes: ScopeChecker;\n };\n}\n\n/**\n * CORS configuration for Bearer-authenticated HTTP endpoints.\n */\nexport interface CorsConfig {\n /** Allowed origin(s). Defaults to `\"*\"`. */\n origin?: string;\n /** Allowed HTTP methods. Defaults to `\"GET,POST,PUT,PATCH,DELETE,OPTIONS\"`. */\n methods?: string;\n /** Allowed request headers. Defaults to `\"Content-Type,Authorization\"`. */\n headers?: string;\n}\n\n/**\n * Component function references required by core auth runtime.\n *\n * @internal Consumers should not depend on this shape — it may change\n * between minor versions. Pass `components.auth` directly to `createAuth`.\n */\nexport type AuthComponentApi = {\n public: {\n userGetById: FunctionReference<\"query\", \"internal\">;\n userList: FunctionReference<\"query\", \"internal\">;\n userFindByVerifiedEmail: FunctionReference<\"query\", \"internal\">;\n userFindByVerifiedPhone: FunctionReference<\"query\", \"internal\">;\n userInsert: FunctionReference<\"mutation\", \"internal\">;\n userUpsert: FunctionReference<\"mutation\", \"internal\">;\n userPatch: FunctionReference<\"mutation\", \"internal\">;\n userDelete: FunctionReference<\"mutation\", \"internal\">;\n accountGet: FunctionReference<\"query\", \"internal\">;\n accountGetById: FunctionReference<\"query\", \"internal\">;\n accountInsert: FunctionReference<\"mutation\", \"internal\">;\n accountListByUser: FunctionReference<\"query\", \"internal\">;\n accountPatch: FunctionReference<\"mutation\", \"internal\">;\n accountDelete: FunctionReference<\"mutation\", \"internal\">;\n sessionCreate: FunctionReference<\"mutation\", \"internal\">;\n sessionGetById: FunctionReference<\"query\", \"internal\">;\n sessionDelete: FunctionReference<\"mutation\", \"internal\">;\n sessionListByUser: FunctionReference<\"query\", \"internal\">;\n verifierCreate: FunctionReference<\"mutation\", \"internal\">;\n verifierGetById: FunctionReference<\"query\", \"internal\">;\n verifierGetBySignature: FunctionReference<\"query\", \"internal\">;\n verifierPatch: FunctionReference<\"mutation\", \"internal\">;\n verifierDelete: FunctionReference<\"mutation\", \"internal\">;\n verificationCodeGetByAccountId: FunctionReference<\"query\", \"internal\">;\n verificationCodeGetByCode: FunctionReference<\"query\", \"internal\">;\n verificationCodeCreate: FunctionReference<\"mutation\", \"internal\">;\n verificationCodeDelete: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenCreate: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenGetById: FunctionReference<\"query\", \"internal\">;\n refreshTokenPatch: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenGetChildren: FunctionReference<\"query\", \"internal\">;\n refreshTokenListBySession: FunctionReference<\"query\", \"internal\">;\n refreshTokenDeleteAll: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenGetActive: FunctionReference<\"query\", \"internal\">;\n rateLimitGet: FunctionReference<\"query\", \"internal\">;\n rateLimitCreate: FunctionReference<\"mutation\", \"internal\">;\n rateLimitPatch: FunctionReference<\"mutation\", \"internal\">;\n rateLimitDelete: FunctionReference<\"mutation\", \"internal\">;\n groupCreate: FunctionReference<\"mutation\", \"internal\">;\n groupGet: FunctionReference<\"query\", \"internal\">;\n groupList: FunctionReference<\"query\", \"internal\">;\n groupUpdate: FunctionReference<\"mutation\", \"internal\">;\n groupDelete: FunctionReference<\"mutation\", \"internal\">;\n memberAdd: FunctionReference<\"mutation\", \"internal\">;\n memberGet: FunctionReference<\"query\", \"internal\">;\n memberList: FunctionReference<\"query\", \"internal\">;\n memberListByUser: FunctionReference<\"query\", \"internal\">;\n memberGetByGroupAndUser: FunctionReference<\"query\", \"internal\">;\n memberRemove: FunctionReference<\"mutation\", \"internal\">;\n memberUpdate: FunctionReference<\"mutation\", \"internal\">;\n inviteCreate: FunctionReference<\"mutation\", \"internal\">;\n inviteGet: FunctionReference<\"query\", \"internal\">;\n inviteGetByTokenHash: FunctionReference<\"query\", \"internal\">;\n inviteList: FunctionReference<\"query\", \"internal\">;\n inviteAccept: FunctionReference<\"mutation\", \"internal\">;\n inviteAcceptByToken: FunctionReference<\"mutation\", \"internal\">;\n inviteRevoke: FunctionReference<\"mutation\", \"internal\">;\n keyInsert: FunctionReference<\"mutation\", \"internal\">;\n keyGetByHashedKey: FunctionReference<\"query\", \"internal\">;\n keyGetById: FunctionReference<\"query\", \"internal\">;\n keyList: FunctionReference<\"query\", \"internal\">;\n keyListByUserId: FunctionReference<\"query\", \"internal\">;\n keyPatch: FunctionReference<\"mutation\", \"internal\">;\n keyDelete: FunctionReference<\"mutation\", \"internal\">;\n passkeyInsert: FunctionReference<\"mutation\", \"internal\">;\n passkeyGetByCredentialId: FunctionReference<\"query\", \"internal\">;\n passkeyListByUserId: FunctionReference<\"query\", \"internal\">;\n passkeyUpdateCounter: FunctionReference<\"mutation\", \"internal\">;\n passkeyUpdateMeta: FunctionReference<\"mutation\", \"internal\">;\n passkeyDelete: FunctionReference<\"mutation\", \"internal\">;\n totpInsert: FunctionReference<\"mutation\", \"internal\", any, any>;\n totpGetVerifiedByUserId: FunctionReference<\"query\", \"internal\", any, any>;\n totpListByUserId: FunctionReference<\"query\", \"internal\", any, any>;\n totpGetById: FunctionReference<\"query\", \"internal\", any, any>;\n totpMarkVerified: FunctionReference<\"mutation\", \"internal\", any, any>;\n totpUpdateLastUsed: FunctionReference<\"mutation\", \"internal\", any, any>;\n totpDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n deviceInsert: FunctionReference<\"mutation\", \"internal\", any, any>;\n deviceGetByCodeHash: FunctionReference<\"query\", \"internal\", any, any>;\n deviceGetByUserCode: FunctionReference<\"query\", \"internal\", any, any>;\n deviceAuthorize: FunctionReference<\"mutation\", \"internal\", any, any>;\n deviceUpdateLastPolled: FunctionReference<\"mutation\", \"internal\", any, any>;\n deviceDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseCreate: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseGet: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseGetByGroup: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseGetByDomain: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseList: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseUpdate: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseDomainAdd: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseDomainList: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseDomainDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseScimConfigUpsert: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimConfigGetByEnterprise: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimConfigGetByTokenHash: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityGet: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseScimIdentityGetByUser: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityGetByMappedGroup: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityListByEnterprise: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityUpsert: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityDelete: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseAuditEventCreate: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseAuditEventList: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseWebhookEndpointCreate: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookEndpointList: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookEndpointUpdate: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookDeliveryEnqueue: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookDeliveryListReady: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookDeliveryPatch: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n };\n};\n\n// ============================================================================\n// Convex document types (merged from convex_types)\n// ============================================================================\n\n/**\n * Convex document from a given table.\n */\nexport type GenericDoc<\n DataModel extends GenericDataModel,\n TableName extends TableNamesInDataModel<DataModel>,\n> = DocumentByName<DataModel, TableName> & {\n _id: GenericId<TableName>;\n _creationTime: number;\n};\n\n/**\n * @internal\n */\nexport type FunctionReferenceFromExport<Export> =\n Export extends RegisteredQuery<infer Visibility, infer Args, infer Output>\n ? FunctionReference<\"query\", Visibility, Args, ConvertReturnType<Output>>\n : Export extends RegisteredMutation<\n infer Visibility,\n infer Args,\n infer Output\n >\n ? FunctionReference<\n \"mutation\",\n Visibility,\n Args,\n ConvertReturnType<Output>\n >\n : Export extends RegisteredAction<\n infer Visibility,\n infer Args,\n infer Output\n >\n ? FunctionReference<\n \"action\",\n Visibility,\n Args,\n ConvertReturnType<Output>\n >\n : never;\n\ntype ConvertReturnType<T> = UndefinedToNull<Awaited<T>>;\n\ntype UndefinedToNull<T> = T extends void ? null : T;\n\n// Internal server data-model types (merged from former internalTypes.ts)\n\n/** Data model derived from the component schema. */\nexport type AuthDataModel = DataModelFromSchemaDefinition<typeof schema>;\n\n/** Action context typed to the auth component's data model. */\nexport type ActionCtx = GenericActionCtx<AuthDataModel>;\n\n/** Mutation context typed to the auth component's data model. */\nexport type MutationCtx = GenericMutationCtx<AuthDataModel>;\n\n/** Query context typed to the auth component's data model. */\nexport type QueryCtx = GenericQueryCtx<AuthDataModel>;\n\n/** A document from any table in the auth component schema. */\nexport type Doc<T extends TableNamesInDataModel<AuthDataModel>> = GenericDoc<\n AuthDataModel,\n T\n>;\n\n/** A pair of JWT access token and refresh token. */\nexport type Tokens = { token: string; refreshToken: string };\n\n/** Session information returned after authentication. */\nexport type SessionInfo = {\n userId: GenericId<\"User\">;\n sessionId: GenericId<\"Session\">;\n tokens: Tokens | null;\n};\n\n/** Session information with guaranteed non-null tokens. */\nexport type SessionInfoWithTokens = {\n userId: GenericId<\"User\">;\n sessionId: GenericId<\"Session\">;\n tokens: Tokens;\n};\n\n// ---------------------------------------------------------------------------\n// Cross-component document shapes\n// ---------------------------------------------------------------------------\n// These mirror the component schema tables. They exist so that server-side\n// code can work with typed results from cross-component queries/mutations\n// instead of casting to `any` at every field access.\n\nexport interface TotpDoc {\n _id: string;\n _creationTime: number;\n userId: string;\n secret: ArrayBuffer;\n digits: number;\n period: number;\n verified: boolean;\n name?: string;\n createdAt: number;\n lastUsedAt?: number;\n}\n\nexport interface PasskeyDoc {\n _id: string;\n _creationTime: number;\n userId: string;\n credentialId: string;\n publicKey: ArrayBuffer;\n algorithm: number;\n counter: number;\n transports?: string[];\n deviceType: string;\n backedUp: boolean;\n name?: string;\n createdAt: number;\n lastUsedAt?: number;\n}\n\nexport interface VerifierDoc {\n _id: string;\n _creationTime: number;\n signature?: string;\n sessionId?: string;\n}\n\n/**\n * Plain cross-component user document shape with `string` IDs.\n *\n * Used by internal typed wrappers (`queryUserById`, etc.) that operate\n * across the component boundary where Convex `Id<\"User\">` is erased\n * to a plain string. Not intended for consumer use — consumers should\n * use `UserDoc` (exported from `@robelest/convex-auth/component`)\n * which preserves typed `Id<\"User\">`.\n *\n * @internal\n */\nexport interface CrossComponentUserDoc {\n _id: string;\n _creationTime: number;\n email?: string;\n emailVerificationTime?: number;\n phone?: string;\n phoneVerificationTime?: number;\n name?: string;\n image?: string;\n isAnonymous?: boolean;\n}\n\nexport interface KeyDoc {\n _id: string;\n _creationTime: number;\n userId: string;\n prefix: string;\n hashedKey: string;\n name: string;\n scopes: Array<{ resource: string; actions: string[] }>;\n rateLimit?: { maxRequests: number; windowMs: number };\n rateLimitState?: { attemptsLeft: number; lastAttemptTime: number };\n expiresAt?: number;\n lastUsedAt?: number;\n createdAt: number;\n revoked: boolean;\n}\n\n// ---------------------------------------------------------------------------\n// Cross-component wrapper context\n// ---------------------------------------------------------------------------\n// Structural type accepted by all wrappers below. Works for both action and\n// mutation contexts — the only capabilities we need are runQuery / runMutation\n// and access to the component API via `auth.config.component`.\n\n/** @internal */\nexport type ComponentCallCtx = {\n runQuery: GenericActionCtx<AuthDataModel>[\"runQuery\"];\n runMutation: GenericActionCtx<AuthDataModel>[\"runMutation\"];\n auth: { config: { component: AuthComponentApi } };\n};\n\n// ---------------------------------------------------------------------------\n// Typed wrappers for cross-component calls\n// ---------------------------------------------------------------------------\n// Each wrapper encapsulates the single `as any` cast at the component\n// boundary so that callers get full type safety on both args and return\n// values.\n\n// -- User queries --\n\nexport async function queryUserById(\n ctx: ComponentCallCtx,\n userId: string,\n): Promise<CrossComponentUserDoc | null> {\n return (await ctx.runQuery(ctx.auth.config.component.public.userGetById, {\n userId,\n })) as CrossComponentUserDoc | null;\n}\n\nexport async function queryUserByVerifiedEmail(\n ctx: ComponentCallCtx,\n email: string,\n): Promise<CrossComponentUserDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.userFindByVerifiedEmail,\n { email },\n )) as CrossComponentUserDoc | null;\n}\n\n// -- Verifier queries / mutations --\n\nexport async function queryVerifierById(\n ctx: ComponentCallCtx,\n verifierId: string,\n): Promise<VerifierDoc | null> {\n return (await ctx.runQuery(ctx.auth.config.component.public.verifierGetById, {\n verifierId,\n })) as VerifierDoc | null;\n}\n\nexport async function mutateVerifierDelete(\n ctx: ComponentCallCtx,\n verifierId: string,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.verifierDelete, {\n verifierId,\n });\n}\n\n// -- TOTP queries / mutations --\n\nexport async function queryTotpById(\n ctx: ComponentCallCtx,\n totpId: string,\n): Promise<TotpDoc | null> {\n return (await ctx.runQuery(ctx.auth.config.component.public.totpGetById, {\n totpId,\n })) as TotpDoc | null;\n}\n\nexport async function queryTotpVerifiedByUserId(\n ctx: ComponentCallCtx,\n userId: string,\n): Promise<TotpDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.totpGetVerifiedByUserId,\n { userId },\n )) as TotpDoc | null;\n}\n\nexport async function mutateTotpInsert(\n ctx: ComponentCallCtx,\n args: {\n userId: string;\n secret: ArrayBuffer;\n digits: number;\n period: number;\n verified: boolean;\n name?: string;\n createdAt: number;\n },\n): Promise<string> {\n return (await ctx.runMutation(\n ctx.auth.config.component.public.totpInsert,\n args,\n )) as string;\n}\n\nexport async function mutateTotpMarkVerified(\n ctx: ComponentCallCtx,\n totpId: string,\n lastUsedAt: number,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.totpMarkVerified, {\n totpId,\n lastUsedAt,\n });\n}\n\nexport async function mutateTotpUpdateLastUsed(\n ctx: ComponentCallCtx,\n totpId: string,\n lastUsedAt: number,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.totpUpdateLastUsed, {\n totpId,\n lastUsedAt,\n });\n}\n\n// -- Passkey queries / mutations --\n\nexport async function queryPasskeysByUserId(\n ctx: ComponentCallCtx,\n userId: string,\n): Promise<PasskeyDoc[]> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.passkeyListByUserId,\n { userId },\n )) as PasskeyDoc[];\n}\n\nexport async function queryPasskeyByCredentialId(\n ctx: ComponentCallCtx,\n credentialId: string,\n): Promise<PasskeyDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.passkeyGetByCredentialId,\n { credentialId },\n )) as PasskeyDoc | null;\n}\n\nexport async function mutatePasskeyInsert(\n ctx: ComponentCallCtx,\n args: {\n userId: string;\n credentialId: string;\n publicKey: ArrayBuffer | ArrayBufferLike;\n algorithm: number;\n counter: number;\n transports?: string[];\n deviceType: string;\n backedUp: boolean;\n name?: string;\n createdAt: number;\n },\n): Promise<string> {\n return (await ctx.runMutation(\n ctx.auth.config.component.public.passkeyInsert,\n args,\n )) as string;\n}\n\nexport async function mutatePasskeyUpdateCounter(\n ctx: ComponentCallCtx,\n passkeyId: string,\n counter: number,\n lastUsedAt: number,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.passkeyUpdateCounter, {\n passkeyId,\n counter,\n lastUsedAt,\n });\n}\n\n// -- Key queries / mutations --\n\nexport async function mutateKeyInsert(\n ctx: ComponentCallCtx,\n args: {\n userId: string;\n prefix: string;\n hashedKey: string;\n name: string;\n scopes: Array<{ resource: string; actions: string[] }>;\n rateLimit?: { maxRequests: number; windowMs: number };\n expiresAt?: number;\n },\n): Promise<string> {\n return (await ctx.runMutation(\n ctx.auth.config.component.public.keyInsert,\n args,\n )) as string;\n}\n\nexport async function queryKeysByUserId(\n ctx: ComponentCallCtx,\n userId: string,\n): Promise<KeyDoc[]> {\n return (await ctx.runQuery(ctx.auth.config.component.public.keyListByUserId, {\n userId,\n })) as KeyDoc[];\n}\n\nexport async function queryKeyById(\n ctx: ComponentCallCtx,\n keyId: string,\n): Promise<KeyDoc | null> {\n return (await ctx.runQuery(ctx.auth.config.component.public.keyGetById, {\n keyId,\n })) as KeyDoc | null;\n}\n\nexport async function mutateKeyPatch(\n ctx: ComponentCallCtx,\n keyId: string,\n data: Record<string, unknown>,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.keyPatch, {\n keyId,\n data,\n });\n}\n\nexport async function mutateKeyDelete(\n ctx: ComponentCallCtx,\n keyId: string,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.keyDelete, { keyId });\n}\n\n// -- Device authorization queries / mutations --\n\nexport interface DeviceDoc {\n _id: string;\n _creationTime: number;\n deviceCodeHash: string;\n userCode: string;\n expiresAt: number;\n interval: number;\n status: \"pending\" | \"authorized\" | \"denied\";\n userId?: string;\n sessionId?: string;\n lastPolledAt?: number;\n}\n\nexport async function mutateDeviceInsert(\n ctx: ComponentCallCtx,\n args: {\n deviceCodeHash: string;\n userCode: string;\n expiresAt: number;\n interval: number;\n status: \"pending\" | \"authorized\" | \"denied\";\n },\n): Promise<string> {\n return (await ctx.runMutation(\n ctx.auth.config.component.public.deviceInsert,\n args,\n )) as string;\n}\n\nexport async function queryDeviceByCodeHash(\n ctx: ComponentCallCtx,\n deviceCodeHash: string,\n): Promise<DeviceDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.deviceGetByCodeHash,\n { deviceCodeHash },\n )) as DeviceDoc | null;\n}\n\nexport async function queryDeviceByUserCode(\n ctx: ComponentCallCtx,\n userCode: string,\n): Promise<DeviceDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.deviceGetByUserCode,\n { userCode },\n )) as DeviceDoc | null;\n}\n\nexport async function mutateDeviceAuthorize(\n ctx: ComponentCallCtx,\n deviceId: string,\n userId: string,\n sessionId: string,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.deviceAuthorize, {\n deviceId,\n userId,\n sessionId,\n });\n}\n\nexport async function mutateDeviceUpdateLastPolled(\n ctx: ComponentCallCtx,\n deviceId: string,\n lastPolledAt: number,\n): Promise<void> {\n await ctx.runMutation(\n ctx.auth.config.component.public.deviceUpdateLastPolled,\n { deviceId, lastPolledAt },\n );\n}\n\nexport async function mutateDeviceDelete(\n ctx: ComponentCallCtx,\n deviceId: string,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.deviceDelete, {\n deviceId,\n });\n}\n"],"mappings":";AA+zCA,eAAsB,cACpB,KACA,QACuC;AACvC,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,aAAa,EACvE,QACD,CAAC;;AAGJ,eAAsB,yBACpB,KACA,OACuC;AACvC,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,yBACjC,EAAE,OAAO,CACV;;AAKH,eAAsB,kBACpB,KACA,YAC6B;AAC7B,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,iBAAiB,EAC3E,YACD,CAAC;;AAGJ,eAAsB,qBACpB,KACA,YACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,gBAAgB,EACrE,YACD,CAAC;;AAKJ,eAAsB,cACpB,KACA,QACyB;AACzB,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,aAAa,EACvE,QACD,CAAC;;AAGJ,eAAsB,0BACpB,KACA,QACyB;AACzB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,yBACjC,EAAE,QAAQ,CACX;;AAGH,eAAsB,iBACpB,KACA,MASiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,YACjC,KACD;;AAGH,eAAsB,uBACpB,KACA,QACA,YACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,kBAAkB;EACvE;EACA;EACD,CAAC;;AAGJ,eAAsB,yBACpB,KACA,QACA,YACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,oBAAoB;EACzE;EACA;EACD,CAAC;;AAKJ,eAAsB,sBACpB,KACA,QACuB;AACvB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,qBACjC,EAAE,QAAQ,CACX;;AAGH,eAAsB,2BACpB,KACA,cAC4B;AAC5B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,0BACjC,EAAE,cAAc,CACjB;;AAGH,eAAsB,oBACpB,KACA,MAYiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,eACjC,KACD;;AAGH,eAAsB,2BACpB,KACA,WACA,SACA,YACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,sBAAsB;EAC3E;EACA;EACA;EACD,CAAC;;AAKJ,eAAsB,gBACpB,KACA,MASiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,WACjC,KACD;;AAGH,eAAsB,kBACpB,KACA,QACmB;AACnB,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,iBAAiB,EAC3E,QACD,CAAC;;AAGJ,eAAsB,aACpB,KACA,OACwB;AACxB,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,YAAY,EACtE,OACD,CAAC;;AAGJ,eAAsB,eACpB,KACA,OACA,MACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,UAAU;EAC/D;EACA;EACD,CAAC;;AAGJ,eAAsB,gBACpB,KACA,OACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,WAAW,EAAE,OAAO,CAAC;;AAkB9E,eAAsB,mBACpB,KACA,MAOiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,cACjC,KACD;;AAGH,eAAsB,sBACpB,KACA,gBAC2B;AAC3B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,qBACjC,EAAE,gBAAgB,CACnB;;AAGH,eAAsB,sBACpB,KACA,UAC2B;AAC3B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,qBACjC,EAAE,UAAU,CACb;;AAGH,eAAsB,sBACpB,KACA,UACA,QACA,WACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,iBAAiB;EACtE;EACA;EACA;EACD,CAAC;;AAGJ,eAAsB,6BACpB,KACA,UACA,cACe;AACf,OAAM,IAAI,YACR,IAAI,KAAK,OAAO,UAAU,OAAO,wBACjC;EAAE;EAAU;EAAc,CAC3B;;AAGH,eAAsB,mBACpB,KACA,UACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,cAAc,EACnE,UACD,CAAC"}
1
+ {"version":3,"file":"types.js","names":[],"sources":["../../src/server/types.ts"],"sourcesContent":["import {\n AnyDataModel,\n DataModelFromSchemaDefinition,\n DocumentByName,\n FunctionReference,\n GenericActionCtx,\n GenericDataModel,\n GenericMutationCtx,\n GenericQueryCtx,\n RegisteredAction,\n RegisteredMutation,\n RegisteredQuery,\n TableNamesInDataModel,\n} from \"convex/server\";\nimport type { Infer } from \"convex/values\";\nimport { GenericId, Value } from \"convex/values\";\n\nimport {\n vApiKeyDoc,\n vAuthVerifierDoc,\n vDeviceCodeDoc,\n vPasskeyDoc,\n vTotpFactorDoc,\n vUserDoc,\n} from \"../component/model\";\nimport schema from \"../component/schema\";\nimport { CredentialsUserConfig } from \"../providers/credentials\";\n\n// ============================================================================\n// Utility types\n// ============================================================================\n\n/** A value that is either `T` or a `PromiseLike<T>`. */\nexport type Awaitable<T> = T | PromiseLike<T>;\n\nexport type AuthRoleDefinition = {\n id?: string;\n label?: string;\n grants: string[];\n};\n\nexport type AuthAuthorizationConfig = {\n roles: Record<string, AuthRoleDefinition>;\n};\n\nexport type AuthRoleId<\n TAuthorization extends AuthAuthorizationConfig | undefined,\n> = TAuthorization extends { roles: infer TRoles extends Record<string, any> }\n ? keyof TRoles & string\n : string;\n\nexport type AuthGrant<\n TAuthorization extends AuthAuthorizationConfig | undefined,\n> = TAuthorization extends {\n roles: infer TRoles extends Record<string, { grants: readonly any[] }>;\n}\n ? TRoles[keyof TRoles][\"grants\"][number] & string\n : string;\n\n/**\n * The config for the Convex Auth library, passed to `createAuth`.\n */\nexport type ConvexAuthConfig = {\n /**\n * A list of authentication provider configs.\n *\n * You can import existing configs from\n * `@robelest/convex-auth/providers/<provider-name>`\n */\n providers: AuthProviderConfig[];\n /**\n * Auth component reference from `components.auth`.\n *\n * Core auth storage operations are executed through\n * the component API boundary.\n */\n component: AuthComponentApi;\n /**\n * Session configuration.\n */\n session?: {\n /**\n * How long can a user session last without the user reauthenticating.\n *\n * Defaults to 30 days.\n */\n totalDurationMs?: number;\n /**\n * How long can a user session last without the user being active.\n *\n * Defaults to 30 days.\n */\n inactiveDurationMs?: number;\n };\n /**\n * JWT configuration.\n */\n jwt?: {\n /**\n * How long is the JWT valid for after it is signed initially.\n *\n * Defaults to 1 hour.\n */\n durationMs?: number;\n };\n /**\n * Sign-in configuration.\n */\n signIn?: {\n /**\n * How many times can the user fail to provide the correct credentials\n * (password, OTP) per hour.\n *\n * Defaults to 10 times per hour (that is 10 failed attempts, and then\n * allow another one every 6 minutes).\n */\n maxFailedAttemptsPerHour?: number;\n };\n /**\n * Lifecycle callbacks for customizing sign-in behavior.\n *\n * Use `redirect` to control post-OAuth redirect URLs, and\n * `createOrUpdateUser` or `afterUserCreatedOrUpdated` to\n * customize account linking and user document creation.\n */\n callbacks?: {\n /**\n * Control which URLs are allowed as a destination after OAuth sign-in\n * and for magic links:\n *\n * ```ts\n * import { createAuth } from \"@robelest/convex-auth/component\";\n * import { components } from \"./_generated/api\";\n *\n * const auth = createAuth(components.auth, {\n * providers: [google],\n * callbacks: {\n * async redirect({ redirectTo }) {\n * // Check that redirectTo is valid\n * // and return the relative or absolute URL\n * // to redirect to.\n * },\n * },\n * });\n * ```\n *\n * Convex Auth performs redirect only during OAuth sign-in. By default,\n * it redirects back to the URL specified via the `SITE_URL` environment\n * variable. Similarly magic links link to `SITE_URL`.\n *\n * You can customize that behavior by providing a `redirectTo` param\n * to the `signIn` function:\n *\n * ```ts\n * signIn(\"google\", { redirectTo: \"/dashboard\" })\n * ```\n *\n * You can even redirect to a different site.\n *\n * This callback, if specified, is then called with the provided\n * `redirectTo` param. Otherwise, only query params, relative paths\n * and URLs starting with `SITE_URL` are allowed.\n */\n redirect?: (params: {\n /**\n * The param value passed to the `signIn` function.\n */\n redirectTo: string;\n }) => Promise<string>;\n /**\n * Completely control account linking via this callback.\n *\n * This callback is called during the sign-in process,\n * before account creation and token generation.\n * If specified, this callback is responsible for creating\n * or updating the user document.\n *\n * For \"credentials\" providers, the callback is only called\n * when `createAccount` is called.\n */\n createOrUpdateUser?: (\n ctx: GenericMutationCtx<AnyDataModel>,\n args: {\n /**\n * If this is a sign-in to an existing account,\n * this is the existing user ID linked to that account.\n */\n existingUserId: GenericId<\"User\"> | null;\n /**\n * The provider type or \"verification\" if this callback is called\n * after an email or phone token verification.\n */\n type: \"oauth\" | \"credentials\" | \"email\" | \"phone\" | \"verification\";\n /**\n * The provider used for the sign-in, or the provider\n * tied to the account which is having the email or phone verified.\n */\n provider: AuthProviderMaterializedConfig;\n /**\n * - The profile returned by the OAuth provider's `profile` method.\n * - The profile passed to `createAccount` from a ConvexCredentials\n * config.\n * - The email address to which an email will be sent.\n * - The phone number to which a text will be sent.\n */\n profile: Record<string, unknown> & {\n email?: string;\n phone?: string;\n emailVerified?: boolean;\n phoneVerified?: boolean;\n };\n /**\n * The `shouldLink` argument passed to `createAccount`.\n */\n shouldLink?: boolean;\n },\n ) => Promise<GenericId<\"User\">>;\n /**\n * Perform additional writes after a user is created.\n *\n * This callback is called during the sign-in process,\n * after the user is created or updated,\n * before account creation and token generation.\n *\n * **This callback is only called if `createOrUpdateUser`\n * is not specified.** If `createOrUpdateUser` is specified,\n * you can perform any additional writes in that callback.\n *\n * For \"credentials\" providers, the callback is only called\n * when `createAccount` is called.\n */\n afterUserCreatedOrUpdated?: (\n ctx: GenericMutationCtx<AnyDataModel>,\n args: {\n /**\n * The ID of the user that is being signed in.\n */\n userId: GenericId<\"User\">;\n /**\n * If this is a sign-in to an existing account,\n * this is the existing user ID linked to that account.\n */\n existingUserId: GenericId<\"User\"> | null;\n /**\n * The provider type or \"verification\" if this callback is called\n * after an email or phone token verification.\n */\n type: \"oauth\" | \"credentials\" | \"email\" | \"phone\" | \"verification\";\n /**\n * The provider used for the sign-in, or the provider\n * tied to the account which is having the email or phone verified.\n */\n provider: AuthProviderMaterializedConfig;\n /**\n * - The profile returned by the OAuth provider's `profile` method.\n * - The profile passed to `createAccount` from a ConvexCredentials\n * config.\n * - The email address to which an email will be sent.\n * - The phone number to which a text will be sent.\n */\n profile: Record<string, unknown> & {\n email?: string;\n phone?: string;\n emailVerified?: boolean;\n phoneVerified?: boolean;\n };\n /**\n * The `shouldLink` argument passed to `createAccount`.\n */\n shouldLink?: boolean;\n },\n ) => Promise<void>;\n };\n /**\n * Application-defined role and grant model used by membership access checks.\n */\n authorization?: {\n roles: Record<\n string,\n {\n label?: string;\n grants: string[];\n }\n >;\n };\n};\n\n/**\n * Union of all supported auth provider config types.\n *\n * Includes Arctic-based OAuth providers (via the `OAuth()` factory),\n * plus library-native providers: credentials, email, phone, passkey\n * (WebAuthn), and TOTP (2FA). Each can be passed as a config object\n * or a factory function.\n */\nexport type AuthProviderConfig =\n | import(\"../providers/oauth\").OAuthProviderInstance\n | import(\"../providers/password\").Password\n | import(\"../providers/passkey\").Passkey\n | import(\"../providers/totp\").Totp\n | import(\"../providers/anonymous\").Anonymous\n | import(\"../providers/device\").Device\n | import(\"../providers/sso\").SSO\n | import(\"../providers/email\").Email\n | import(\"../providers/phone\").Phone\n | OAuthMaterializedConfig\n | ConvexCredentialsConfig\n | ((...args: any) => ConvexCredentialsConfig)\n | EmailConfig\n | ((...args: any) => EmailConfig)\n | PhoneConfig\n | ((...args: any) => PhoneConfig)\n | PasskeyProviderConfig\n | ((...args: any) => PasskeyProviderConfig)\n | TotpProviderConfig\n | ((...args: any) => TotpProviderConfig)\n | DeviceProviderConfig\n | ((...args: any) => DeviceProviderConfig)\n | SSOProviderConfig;\n\n/**\n * Minimal config stored for the SSO provider at runtime.\n * No options — enterprise configuration is entirely per-tenant runtime state.\n */\nexport interface SSOProviderConfig {\n id: string;\n type: \"sso\";\n}\n\nexport type EnterpriseAccountLinkingPolicy = \"verifiedEmail\" | \"none\";\n\nexport type EnterpriseScimReuseUserPolicy = \"externalId\" | \"none\";\n\nexport type EnterpriseJitProvisioningMode =\n | \"off\"\n | \"createUser\"\n | \"createUserAndMembership\";\n\nexport type EnterpriseDeprovisionMode = \"soft\" | \"hard\";\n\nexport interface EnterprisePolicy {\n version: 1;\n identity: {\n accountLinking: {\n oidc: EnterpriseAccountLinkingPolicy;\n saml: EnterpriseAccountLinkingPolicy;\n };\n };\n provisioning: {\n scimReuse: {\n user: EnterpriseScimReuseUserPolicy;\n };\n jit: {\n mode: EnterpriseJitProvisioningMode;\n defaultRoleIds: string[];\n };\n deprovision: {\n mode: EnterpriseDeprovisionMode;\n };\n };\n extend?: Record<string, unknown>;\n}\n\nexport interface EnterprisePolicyPatch {\n identity?: {\n accountLinking?: {\n oidc?: EnterpriseAccountLinkingPolicy;\n saml?: EnterpriseAccountLinkingPolicy;\n };\n };\n provisioning?: {\n scimReuse?: {\n user?: EnterpriseScimReuseUserPolicy;\n };\n jit?: {\n mode?: EnterpriseJitProvisioningMode;\n defaultRoleIds?: string[];\n };\n deprovision?: {\n mode?: EnterpriseDeprovisionMode;\n };\n };\n extend?: Record<string, unknown>;\n}\n\n/**\n * Email provider config for magic link / OTP sign-in.\n */\nexport interface EmailConfig<\n DataModel extends GenericDataModel = GenericDataModel,\n> {\n /** Provider identifier (e.g. `\"email\"`, `\"resend\"`). */\n id: string;\n /** Discriminant for provider type routing. */\n type: \"email\";\n /** Display name for this provider. */\n name?: string;\n /** Sender address (e.g. `\"My App <noreply@example.com>\"`). */\n from?: string;\n /** Token expiration in seconds. Defaults to 86 400 (24 hours). */\n maxAge?: number;\n /**\n * Send the verification token to the user.\n *\n * Accepts an optional Convex action context as the second argument,\n * enabling use with Convex components like `@convex-dev/resend`.\n */\n sendVerificationRequest: (\n params: {\n identifier: string;\n url: string;\n expires: Date;\n provider: EmailConfig;\n token: string;\n request: Request;\n },\n ctx?: GenericActionCtx<AnyDataModel>,\n ) => Awaitable<void>;\n /**\n * Override to generate a custom verification token.\n * Tokens shorter than 24 characters are treated as OTPs and\n * require the original email to be re-submitted for verification.\n */\n generateVerificationToken?: () => Awaitable<string>;\n /**\n * Normalize the email address before storage / lookup.\n * Defaults to lowercasing and trimming whitespace.\n */\n normalizeIdentifier?: (identifier: string) => string;\n /**\n * Before the token is verified, check other\n * provided parameters.\n *\n * Used to make sure that OTPs are accompanied\n * with the correct email address.\n */\n authorize?: (\n /**\n * The values passed to the `signIn` function.\n */\n params: Record<string, Value | undefined>,\n account: GenericDoc<DataModel, \"Account\">,\n ) => Promise<void>;\n /** Raw user options before merging with defaults. */\n options: EmailUserConfig<DataModel>;\n}\n\n/**\n * Configurable options for an email provider config.\n */\nexport type EmailUserConfig<\n DataModel extends GenericDataModel = GenericDataModel,\n> = Omit<Partial<EmailConfig<DataModel>>, \"options\" | \"type\">;\n\n/**\n * Same as email provider config, but verifies\n * phone number instead of the email address.\n */\nexport interface PhoneConfig<\n DataModel extends GenericDataModel = GenericDataModel,\n> {\n id: string;\n type: \"phone\";\n /**\n * Token expiration in seconds.\n */\n maxAge: number;\n /**\n * Send the phone number verification request.\n */\n sendVerificationRequest: (\n params: {\n identifier: string;\n url: string;\n expires: Date;\n provider: PhoneConfig;\n token: string;\n },\n ctx: GenericActionCtxWithAuthConfig<DataModel>,\n ) => Promise<void>;\n /**\n * Defaults to `process.env.AUTH_<PROVIDER_ID>_KEY`.\n */\n apiKey?: string;\n /**\n * Override this to generate a custom token.\n * Note that the tokens are assumed to be cryptographically secure.\n * Any tokens shorter than 24 characters are assumed to not\n * be secure enough on their own, and require providing\n * the original `phone` used in the initial `signIn` call.\n * @returns\n */\n generateVerificationToken?: () => Promise<string>;\n /**\n * Normalize the phone number.\n * @param identifier Passed as `phone` in params of `signIn`.\n * @returns The phone number used in `sendVerificationRequest`.\n */\n normalizeIdentifier?: (identifier: string) => string;\n /**\n * Before the token is verified, check other\n * provided parameters.\n *\n * Used to make sure tha OTPs are accompanied\n * with the correct phone number.\n */\n authorize?: (\n /**\n * The values passed to the `signIn` function.\n */\n params: Record<string, Value | undefined>,\n account: GenericDoc<DataModel, \"Account\">,\n ) => Promise<void>;\n options: PhoneUserConfig<DataModel>;\n}\n\n/**\n * Configurable options for a phone provider config.\n */\nexport type PhoneUserConfig<\n DataModel extends GenericDataModel = GenericDataModel,\n> = Omit<Partial<PhoneConfig<DataModel>>, \"options\" | \"type\">;\n\n/**\n * Credentials provider config used by Convex Auth.\n */\nexport type ConvexCredentialsConfig = CredentialsUserConfig<any> & {\n type: \"credentials\";\n id: string;\n};\n\n/**\n * Configuration for the passkey (WebAuthn) provider.\n */\nexport interface PasskeyProviderConfig {\n id: string;\n type: \"passkey\";\n options: {\n /** Relying Party display name. Defaults to SITE_URL hostname. */\n rpName?: string;\n /** Relying Party ID (hostname). Defaults to SITE_URL hostname. */\n rpId?: string;\n /** Allowed origins for credential verification. Defaults to SITE_URL. */\n origin?: string | string[];\n /** Attestation conveyance preference. Defaults to \"none\". */\n attestation?: \"none\" | \"direct\";\n /** User verification requirement. Defaults to \"required\". */\n userVerification?: \"required\" | \"preferred\" | \"discouraged\";\n /** Resident key (discoverable credential) preference. Defaults to \"preferred\". */\n residentKey?: \"required\" | \"preferred\" | \"discouraged\";\n /** Restrict to platform or cross-platform authenticators. */\n authenticatorAttachment?: \"platform\" | \"cross-platform\";\n /** Supported COSE algorithms. Defaults to [-7 (ES256), -257 (RS256)]. */\n algorithms?: number[];\n /** Challenge expiration in ms. Defaults to 300_000 (5 minutes). */\n challengeExpirationMs?: number;\n };\n}\n\n/**\n * Configuration for the TOTP two-factor authentication provider.\n */\nexport interface TotpProviderConfig {\n id: string;\n type: \"totp\";\n options: {\n /** Issuer name shown in authenticator apps (e.g. \"My App\"). */\n issuer: string;\n /** Number of digits in each code (default: 6). */\n digits: number;\n /** Time period in seconds for code rotation (default: 30). */\n period: number;\n };\n}\n\n// ============================================================================\n// OAuth types (Arctic-based)\n// ============================================================================\n\n/**\n * Normalized user profile returned by an OAuth provider.\n *\n * `id` is the provider-specific account identifier (e.g. GitHub user ID).\n */\nexport interface OAuthProfile {\n id: string;\n name?: string;\n email?: string;\n image?: string;\n /** Additional claims from the ID token or userinfo endpoint. */\n [key: string]: unknown;\n}\n\n/**\n * Internal config shape for an OAuth provider after normalization.\n *\n * This is what the OAuth flow code receives — it maps to the user-facing\n * `OAuthConfig` from `@robelest/convex-auth/providers`.\n *\n * @internal\n */\nexport interface OAuthProviderConfig {\n /** OAuth scopes to request. */\n scopes?: string[];\n /** User-provided profile extraction callback. */\n profile?: (tokens: import(\"arctic\").OAuth2Tokens) => Promise<OAuthProfile>;\n}\n\n/** Credentials identifying a provider account (e.g. email + hashed password). */\nexport type AuthAccountCredentials = {\n /** Provider-specific account identifier (e.g. email address). */\n id: string;\n /** Optional secret (e.g. hashed password). */\n secret?: string;\n};\n\n/** Arguments for `auth.account.create()`. */\nexport type AuthCreateAccountArgs = {\n provider: string;\n account: AuthAccountCredentials;\n profile: Record<string, unknown> & {\n email?: string;\n phone?: string;\n emailVerified?: boolean;\n phoneVerified?: boolean;\n };\n shouldLinkViaEmail?: boolean;\n shouldLinkViaPhone?: boolean;\n};\n\n/** Arguments for `auth.account.get()`. */\nexport type AuthRetrieveAccountArgs = {\n provider: string;\n account: AuthAccountCredentials;\n};\n\n/** Arguments for `auth.account.update()`. */\nexport type AuthUpdateAccountArgs = {\n provider: string;\n account: {\n id: string;\n secret: string;\n };\n};\n\n/** Arguments for `auth.session.invalidate()`. */\nexport type AuthInvalidateSessionsArgs = {\n userId: GenericId<\"User\">;\n except?: GenericId<\"Session\">[];\n};\n\n/** Arguments for `auth.provider.signIn()`. */\nexport type AuthProviderSignInArgs = {\n accountId?: GenericId<\"Account\">;\n params?: Record<string, Value | undefined>;\n};\n\n/** Return type of `auth.provider.signIn()` — user and session IDs, or `null` on failure. */\nexport type AuthProviderSignInResult = {\n userId: GenericId<\"User\">;\n sessionId: GenericId<\"Session\">;\n} | null;\n\n/** Server-side auth helpers available on enriched action contexts. */\nexport type AuthServerHelpers = {\n account: {\n create: (\n ctx: GenericActionCtx<any>,\n args: AuthCreateAccountArgs,\n ) => Promise<{\n ok: true;\n account: GenericDoc<GenericDataModel, \"Account\">;\n user: GenericDoc<GenericDataModel, \"User\">;\n }>;\n get: (\n ctx: GenericActionCtx<any>,\n args: AuthRetrieveAccountArgs,\n ) => Promise<{\n account: GenericDoc<GenericDataModel, \"Account\">;\n user: GenericDoc<GenericDataModel, \"User\">;\n }>;\n update: (\n ctx: GenericActionCtx<any>,\n args: AuthUpdateAccountArgs,\n ) => Promise<{ ok: true; accountId: GenericId<\"Account\"> }>;\n };\n session: {\n current: (ctx: {\n auth: GenericActionCtx<GenericDataModel>[\"auth\"];\n }) => Promise<GenericId<\"Session\"> | null>;\n invalidate: (\n ctx: GenericActionCtx<any>,\n args: AuthInvalidateSessionsArgs,\n ) => Promise<{\n ok: true;\n userId: GenericId<\"User\">;\n except: GenericId<\"Session\">[];\n }>;\n };\n access: {\n check: (\n ctx: GenericActionCtx<any>,\n args: {\n userId: GenericId<\"User\">;\n groupId: GenericId<\"Group\">;\n grants: string[];\n maxDepth?: number;\n },\n ) => Promise<{\n ok: boolean;\n grants: string[];\n missingGrants: string[];\n roleIds: string[];\n matchedGroupId: GenericId<\"Group\"> | null;\n membership: GenericDoc<GenericDataModel, \"GroupMember\"> | null;\n isDirect: boolean;\n isInherited: boolean;\n depth: number | null;\n }>;\n };\n provider: {\n signIn: (\n ctx: GenericActionCtx<any>,\n provider: AuthProviderConfig,\n args: AuthProviderSignInArgs,\n ) => Promise<AuthProviderSignInResult>;\n };\n};\n\n/**\n * Your `ActionCtx` enriched with `ctx.auth.config` field with\n * the config passed to `createAuth`.\n */\nexport type GenericActionCtxWithAuthConfig<DataModel extends GenericDataModel> =\n GenericActionCtx<DataModel> & {\n auth: GenericActionCtx<DataModel>[\"auth\"] & {\n config: ConvexAuthMaterializedConfig;\n } & AuthServerHelpers;\n };\n\n/**\n * The config for the Convex Auth library, passed to `createAuth`,\n * with defaults and initialized providers.\n *\n * See {@link ConvexAuthConfig}\n */\nexport type ConvexAuthMaterializedConfig = {\n providers: AuthProviderMaterializedConfig[];\n} & Pick<\n ConvexAuthConfig,\n \"component\" | \"session\" | \"jwt\" | \"signIn\" | \"callbacks\" | \"authorization\"\n>;\n\nexport interface SAMLAttributeMapping {\n subject?: string;\n email?: string;\n name?: string;\n firstName?: string;\n lastName?: string;\n}\n\n/**\n * Materialized OAuth provider config (Arctic-based).\n *\n * Carries the Arctic provider instance along with scopes and profile config.\n * Produced by materializing an `OAuthProviderInstance` during `configDefaults`.\n */\nexport interface OAuthMaterializedConfig {\n readonly id: string;\n readonly type: \"oauth\";\n /** The Arctic provider instance. */\n readonly provider: any;\n /** OAuth scopes to request. */\n readonly scopes: string[];\n /** User-provided profile extraction callback. */\n readonly profile?: (\n tokens: import(\"arctic\").OAuth2Tokens,\n ) => Promise<OAuthProfile>;\n /** Account-linking policy for OAuth identities. Defaults to verified email linking. */\n readonly accountLinking?: \"verifiedEmail\" | \"none\";\n}\n\n/**\n * Device authorization provider config (RFC 8628).\n *\n * Enables input-constrained devices (CLIs, TVs, IoT) to authenticate\n * by displaying a short code that the user enters on a secondary device.\n */\nexport interface DeviceProviderConfig {\n id: string;\n type: \"device\";\n /** User code character set. Default: `\"BCDFGHJKLMNPQRSTVWXZ\"` (base-20, no vowels). */\n charset: string;\n /** User code length. Default: 8. */\n userCodeLength: number;\n /** Device code + user code lifetime in seconds. Default: 900 (15 min). */\n expiresIn: number;\n /** Minimum polling interval in seconds. Default: 5. */\n interval: number;\n /**\n * Base URL for the verification page (e.g. `\"http://localhost:3000/device\"`).\n *\n * This is where users go to enter the device code. If not provided,\n * falls back to `SITE_URL + \"/device\"`.\n */\n verificationUri?: string;\n}\n\n/**\n * Materialized auth provider config — the fully resolved form stored at runtime.\n */\nexport type AuthProviderMaterializedConfig =\n | OAuthMaterializedConfig\n | EmailConfig\n | PhoneConfig\n | ConvexCredentialsConfig\n | PasskeyProviderConfig\n | TotpProviderConfig\n | DeviceProviderConfig\n | SSOProviderConfig;\n\n/**\n * Resolves to `true` when the providers list includes `SSO`, otherwise `false`.\n *\n * Used to make `auth.sso` conditionally present on the `createAuth`\n * return type — it only appears when `new SSO()` is in the providers array.\n */\nexport type HasSSO<P extends AuthProviderConfig[]> =\n import(\"../providers/sso\").SSO extends P[number] ? true : false;\n\nexport type HasPasskeyProvider<P extends AuthProviderConfig[]> =\n import(\"../providers/passkey\").Passkey extends P[number] ? true : false;\n\nexport type HasTotpProvider<P extends AuthProviderConfig[]> =\n import(\"../providers/totp\").Totp extends P[number] ? true : false;\n\nexport type HasDeviceProvider<P extends AuthProviderConfig[]> =\n import(\"../providers/device\").Device extends P[number] ? true : false;\n\n// ============================================================================\n// API Key types\n// ============================================================================\n\n/**\n * A single scope entry stored per API key.\n * Uses a resource:action pattern for structured permissions.\n *\n * ```ts\n * { resource: \"users\", actions: [\"read\", \"list\"] }\n * ```\n */\nexport interface KeyScope {\n resource: string;\n actions: string[];\n}\n\n/**\n * Result of scope verification. Provides a `.can()` helper\n * for checking if a key has a specific permission.\n *\n * ```ts\n * const result = await auth.key.verify(ctx, rawKey);\n * if (result.scopes.can(\"users\", \"read\")) {\n * // authorized\n * }\n * ```\n */\nexport interface ScopeChecker {\n /** Check if the key has permission for a given resource:action. */\n can(resource: string, action: string): boolean;\n /** The raw scope entries from the key. */\n scopes: KeyScope[];\n}\n\n/**\n * An API key record as returned by `auth.key.list()` and `auth.key.get()`.\n * Never includes the raw key material — only the display prefix.\n */\nexport interface KeyRecord {\n /** Document ID. */\n _id: string;\n /** Owner user ID. */\n userId: string;\n /** Display prefix (e.g. `\"sk_abc1\"`). Safe to show in UIs. */\n prefix: string;\n /** Human-readable name (e.g. \"CI Pipeline\"). */\n name: string;\n /** Resource:action permissions granted to this key. */\n scopes: KeyScope[];\n /** Per-key rate limit, if configured. */\n rateLimit?: { maxRequests: number; windowMs: number };\n /** Expiration timestamp (ms since epoch), or `undefined` for no expiry. */\n expiresAt?: number;\n /** Timestamp of last successful verification, or `undefined` if never used. */\n lastUsedAt?: number;\n /** Creation timestamp (ms since epoch). */\n createdAt: number;\n /** `true` when the key has been revoked (soft-deleted). */\n revoked: boolean;\n /** Arbitrary app-specific metadata attached to the key. */\n metadata?: Record<string, unknown>;\n}\n\n// ============================================================================\n// Unified List API types\n// ============================================================================\n\n/**\n * Options for paginated list queries. Every entity list method uses this\n * same shape with entity-specific `TWhere` and `TOrderBy` type parameters.\n *\n * ```ts\n * const result = await auth.group.list(ctx, {\n * where: { type: \"team\" },\n * limit: 20,\n * orderBy: \"name\",\n * order: \"asc\",\n * });\n * ```\n */\nexport type ListOptions<\n TWhere extends Record<string, unknown>,\n TOrderBy extends string,\n> = {\n /** Serializable filter — only known fields for the entity. */\n where?: TWhere;\n /** Maximum number of items to return. Defaults to 50, max 100. */\n limit?: number;\n /** Opaque cursor from a previous `ListResult.nextCursor`. */\n cursor?: string | null;\n /** Field to sort by. Defaults to `\"_creationTime\"`. */\n orderBy?: TOrderBy;\n /** Sort direction. Defaults to `\"desc\"`. */\n order?: \"asc\" | \"desc\";\n};\n\n/**\n * Paginated list result returned by every entity list method.\n */\nexport type ListResult<T> = {\n /** The page of items. */\n items: T[];\n /** Opaque cursor for the next page, or `null` when exhausted. */\n nextCursor: string | null;\n};\n\n// -- Per-entity Where / OrderBy types --\n\n/**\n * A single key/value tag for group classification.\n *\n * Tags are normalized at write time: both `key` and `value` are\n * trimmed and lowercased. Filtering is strict exact-match only.\n */\nexport type GroupTag = {\n key: string;\n value: string;\n};\n\n/** Filter fields for `auth.group.list()`. All optional. */\nexport type GroupWhere = {\n slug?: string;\n type?: string;\n parentGroupId?: string;\n name?: string;\n /** When `true`, return only root groups (no parent). When `false`, only non-root. */\n isRoot?: boolean;\n /**\n * Return only groups that have **all** of the specified tags.\n * Each tag is matched exactly on normalized `(key, value)`.\n */\n tagsAll?: GroupTag[];\n /**\n * Return only groups that have **at least one** of the specified tags.\n * Each tag is matched exactly on normalized `(key, value)`.\n */\n tagsAny?: GroupTag[];\n};\n\n/** Sortable fields for `auth.group.list()`. */\nexport type GroupOrderBy = \"_creationTime\" | \"name\" | \"slug\" | \"type\";\n\n/** Filter fields for `auth.member.list()`. All optional. */\nexport type MemberWhere = {\n groupId?: string;\n userId?: string;\n roleId?: string;\n status?: string;\n};\n\n/** Sortable fields for `auth.member.list()`. */\nexport type MemberOrderBy = \"_creationTime\" | \"status\";\n\n/** Filter fields for `auth.invite.list()`. All optional. */\nexport type InviteWhere = {\n tokenHash?: string;\n groupId?: string;\n status?: \"pending\" | \"accepted\" | \"revoked\" | \"expired\";\n email?: string;\n invitedByUserId?: string;\n roleId?: string;\n acceptedByUserId?: string;\n};\n\n/** Sortable fields for `auth.invite.list()`. */\nexport type InviteOrderBy =\n | \"_creationTime\"\n | \"status\"\n | \"email\"\n | \"expiresTime\"\n | \"acceptedTime\";\n\n/** Filter fields for `auth.key.list()`. All optional. */\nexport type KeyWhere = {\n userId?: string;\n revoked?: boolean;\n name?: string;\n prefix?: string;\n};\n\n/** Sortable fields for `auth.key.list()`. */\nexport type KeyOrderBy =\n | \"_creationTime\"\n | \"name\"\n | \"lastUsedAt\"\n | \"expiresAt\"\n | \"revoked\";\n\n/** Filter fields for `auth.user.list()`. All optional. */\nexport type UserWhere = {\n email?: string;\n phone?: string;\n isAnonymous?: boolean;\n name?: string;\n};\n\n/** Sortable fields for `auth.user.list()`. */\nexport type UserOrderBy = \"_creationTime\" | \"name\" | \"email\" | \"phone\";\n\n// ============================================================================\n// HTTP Bearer Auth types\n// ============================================================================\n\n/**\n * Context injected into `auth.http.action()` and `auth.http.route()` handlers.\n *\n * The handler's `ctx` receives these fields after Bearer token verification:\n *\n * ```ts\n * auth.http.route(http, {\n * path: \"/api/data\",\n * method: \"GET\",\n * handler: async (ctx, request) => {\n * ctx.key.userId; // owner of the API key\n * ctx.key.keyId; // the key document ID\n * ctx.key.scopes.can(\"data\", \"read\"); // scope check\n * },\n * });\n * ```\n */\nexport interface HttpKeyContext {\n key: {\n /** The user ID that owns the verified API key. */\n userId: string;\n /** The API key document ID. */\n keyId: string;\n /** Scope checker for the verified key's permissions. */\n scopes: ScopeChecker;\n };\n}\n\n/**\n * CORS configuration for Bearer-authenticated HTTP endpoints.\n */\nexport interface CorsConfig {\n /** Allowed origin(s). Defaults to `\"*\"`. */\n origin?: string;\n /** Allowed HTTP methods. Defaults to `\"GET,POST,PUT,PATCH,DELETE,OPTIONS\"`. */\n methods?: string;\n /** Allowed request headers. Defaults to `\"Content-Type,Authorization\"`. */\n headers?: string;\n}\n\n/**\n * Component function references required by core auth runtime.\n *\n * @internal Consumers should not depend on this shape — it may change\n * between minor versions. Pass `components.auth` directly to `createAuth`.\n */\nexport type AuthComponentApi = {\n public: {\n userGetById: FunctionReference<\"query\", \"internal\">;\n userList: FunctionReference<\"query\", \"internal\">;\n userFindByVerifiedEmail: FunctionReference<\"query\", \"internal\">;\n userFindByVerifiedPhone: FunctionReference<\"query\", \"internal\">;\n userInsert: FunctionReference<\"mutation\", \"internal\">;\n userUpsert: FunctionReference<\"mutation\", \"internal\">;\n userPatch: FunctionReference<\"mutation\", \"internal\">;\n userDelete: FunctionReference<\"mutation\", \"internal\">;\n accountGet: FunctionReference<\"query\", \"internal\">;\n accountGetById: FunctionReference<\"query\", \"internal\">;\n accountInsert: FunctionReference<\"mutation\", \"internal\">;\n accountListByUser: FunctionReference<\"query\", \"internal\">;\n accountPatch: FunctionReference<\"mutation\", \"internal\">;\n accountDelete: FunctionReference<\"mutation\", \"internal\">;\n sessionCreate: FunctionReference<\"mutation\", \"internal\">;\n sessionGetById: FunctionReference<\"query\", \"internal\">;\n sessionDelete: FunctionReference<\"mutation\", \"internal\">;\n sessionListByUser: FunctionReference<\"query\", \"internal\">;\n verifierCreate: FunctionReference<\"mutation\", \"internal\">;\n verifierGetById: FunctionReference<\"query\", \"internal\">;\n verifierGetBySignature: FunctionReference<\"query\", \"internal\">;\n verifierPatch: FunctionReference<\"mutation\", \"internal\">;\n verifierDelete: FunctionReference<\"mutation\", \"internal\">;\n verificationCodeGetByAccountId: FunctionReference<\"query\", \"internal\">;\n verificationCodeGetByCode: FunctionReference<\"query\", \"internal\">;\n verificationCodeCreate: FunctionReference<\"mutation\", \"internal\">;\n verificationCodeDelete: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenCreate: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenGetById: FunctionReference<\"query\", \"internal\">;\n refreshTokenPatch: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenGetChildren: FunctionReference<\"query\", \"internal\">;\n refreshTokenListBySession: FunctionReference<\"query\", \"internal\">;\n refreshTokenDeleteAll: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenGetActive: FunctionReference<\"query\", \"internal\">;\n rateLimitGet: FunctionReference<\"query\", \"internal\">;\n rateLimitCreate: FunctionReference<\"mutation\", \"internal\">;\n rateLimitPatch: FunctionReference<\"mutation\", \"internal\">;\n rateLimitDelete: FunctionReference<\"mutation\", \"internal\">;\n groupCreate: FunctionReference<\"mutation\", \"internal\">;\n groupGet: FunctionReference<\"query\", \"internal\">;\n groupList: FunctionReference<\"query\", \"internal\">;\n groupUpdate: FunctionReference<\"mutation\", \"internal\">;\n groupDelete: FunctionReference<\"mutation\", \"internal\">;\n memberAdd: FunctionReference<\"mutation\", \"internal\">;\n memberGet: FunctionReference<\"query\", \"internal\">;\n memberList: FunctionReference<\"query\", \"internal\">;\n memberListByUser: FunctionReference<\"query\", \"internal\">;\n memberGetByGroupAndUser: FunctionReference<\"query\", \"internal\">;\n memberRemove: FunctionReference<\"mutation\", \"internal\">;\n memberUpdate: FunctionReference<\"mutation\", \"internal\">;\n inviteCreate: FunctionReference<\"mutation\", \"internal\">;\n inviteGet: FunctionReference<\"query\", \"internal\">;\n inviteGetByTokenHash: FunctionReference<\"query\", \"internal\">;\n inviteList: FunctionReference<\"query\", \"internal\">;\n inviteAccept: FunctionReference<\"mutation\", \"internal\">;\n inviteAcceptByToken: FunctionReference<\"mutation\", \"internal\">;\n inviteRevoke: FunctionReference<\"mutation\", \"internal\">;\n keyInsert: FunctionReference<\"mutation\", \"internal\">;\n keyGetByHashedKey: FunctionReference<\"query\", \"internal\">;\n keyGetById: FunctionReference<\"query\", \"internal\">;\n keyList: FunctionReference<\"query\", \"internal\">;\n keyListByUserId: FunctionReference<\"query\", \"internal\">;\n keyPatch: FunctionReference<\"mutation\", \"internal\">;\n keyDelete: FunctionReference<\"mutation\", \"internal\">;\n passkeyInsert: FunctionReference<\"mutation\", \"internal\">;\n passkeyGetByCredentialId: FunctionReference<\"query\", \"internal\">;\n passkeyListByUserId: FunctionReference<\"query\", \"internal\">;\n passkeyUpdateCounter: FunctionReference<\"mutation\", \"internal\">;\n passkeyUpdateMeta: FunctionReference<\"mutation\", \"internal\">;\n passkeyDelete: FunctionReference<\"mutation\", \"internal\">;\n totpInsert: FunctionReference<\"mutation\", \"internal\", any, any>;\n totpGetVerifiedByUserId: FunctionReference<\"query\", \"internal\", any, any>;\n totpListByUserId: FunctionReference<\"query\", \"internal\", any, any>;\n totpGetById: FunctionReference<\"query\", \"internal\", any, any>;\n totpMarkVerified: FunctionReference<\"mutation\", \"internal\", any, any>;\n totpUpdateLastUsed: FunctionReference<\"mutation\", \"internal\", any, any>;\n totpDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n deviceInsert: FunctionReference<\"mutation\", \"internal\", any, any>;\n deviceGetByCodeHash: FunctionReference<\"query\", \"internal\", any, any>;\n deviceGetByUserCode: FunctionReference<\"query\", \"internal\", any, any>;\n deviceAuthorize: FunctionReference<\"mutation\", \"internal\", any, any>;\n deviceUpdateLastPolled: FunctionReference<\"mutation\", \"internal\", any, any>;\n deviceDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseCreate: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseGet: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseGetByGroup: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseGetByDomain: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseList: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseUpdate: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseDomainAdd: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseDomainList: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseDomainDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseDomainVerificationGet: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseDomainVerificationUpsert: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseDomainVerificationDelete: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseDomainVerify: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseSecretUpsert: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseSecretGet: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseSecretDelete: FunctionReference<\"mutation\", \"internal\", any, any>;\n enterpriseScimConfigUpsert: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimConfigGetByEnterprise: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimConfigGetByTokenHash: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityGet: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseScimIdentityGetByUser: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityGetByEnterpriseAndUser: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityGetByMappedGroup: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityListByEnterprise: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityUpsert: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseScimIdentityDelete: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseAuditEventCreate: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseAuditEventList: FunctionReference<\"query\", \"internal\", any, any>;\n enterpriseWebhookEndpointCreate: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookEndpointList: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookEndpointGet: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookEndpointUpdate: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookDeliveryEnqueue: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookDeliveryListReady: FunctionReference<\n \"query\",\n \"internal\",\n any,\n any\n >;\n enterpriseWebhookDeliveryPatch: FunctionReference<\n \"mutation\",\n \"internal\",\n any,\n any\n >;\n };\n};\n\n// ============================================================================\n// Convex document types (merged from convex_types)\n// ============================================================================\n\n/**\n * Convex document from a given table.\n */\nexport type GenericDoc<\n DataModel extends GenericDataModel,\n TableName extends TableNamesInDataModel<DataModel>,\n> = DocumentByName<DataModel, TableName> & {\n _id: GenericId<TableName>;\n _creationTime: number;\n};\n\n/**\n * @internal\n */\nexport type FunctionReferenceFromExport<Export> =\n Export extends RegisteredQuery<infer Visibility, infer Args, infer Output>\n ? FunctionReference<\"query\", Visibility, Args, ConvertReturnType<Output>>\n : Export extends RegisteredMutation<\n infer Visibility,\n infer Args,\n infer Output\n >\n ? FunctionReference<\n \"mutation\",\n Visibility,\n Args,\n ConvertReturnType<Output>\n >\n : Export extends RegisteredAction<\n infer Visibility,\n infer Args,\n infer Output\n >\n ? FunctionReference<\n \"action\",\n Visibility,\n Args,\n ConvertReturnType<Output>\n >\n : never;\n\ntype ConvertReturnType<T> = UndefinedToNull<Awaited<T>>;\n\ntype UndefinedToNull<T> = T extends void ? null : T;\n\n// Internal server data-model types (merged from former internalTypes.ts)\n\n/** Data model derived from the component schema. */\nexport type AuthDataModel = DataModelFromSchemaDefinition<typeof schema>;\n\n/** Action context typed to the auth component's data model. */\nexport type ActionCtx = GenericActionCtx<AuthDataModel>;\n\n/** Mutation context typed to the auth component's data model. */\nexport type MutationCtx = GenericMutationCtx<AuthDataModel>;\n\n/** Query context typed to the auth component's data model. */\nexport type QueryCtx = GenericQueryCtx<AuthDataModel>;\n\n/** A document from any table in the auth component schema. */\nexport type Doc<T extends TableNamesInDataModel<AuthDataModel>> = GenericDoc<\n AuthDataModel,\n T\n>;\n\n/** A pair of JWT access token and refresh token. */\nexport type Tokens = { token: string; refreshToken: string };\n\n/** Session information returned after authentication. */\nexport type SessionInfo = {\n userId: GenericId<\"User\">;\n sessionId: GenericId<\"Session\">;\n tokens: Tokens | null;\n};\n\n/** Session information with guaranteed non-null tokens. */\nexport type SessionInfoWithTokens = {\n userId: GenericId<\"User\">;\n sessionId: GenericId<\"Session\">;\n tokens: Tokens;\n};\n\n// ---------------------------------------------------------------------------\n// Cross-component document shapes\n// ---------------------------------------------------------------------------\n// These mirror the component schema tables. They exist so that server-side\n// code can work with typed results from cross-component queries/mutations\n// instead of casting to `any` at every field access.\n\nexport type TotpDoc = Infer<typeof vTotpFactorDoc>;\n\nexport type PasskeyDoc = Infer<typeof vPasskeyDoc>;\n\nexport type VerifierDoc = Infer<typeof vAuthVerifierDoc>;\n\n/**\n * Cross-component user document shape inferred from the component validator.\n *\n * Used by internal typed wrappers (`queryUserById`, etc.) so server code stays\n * aligned with the component runtime contract. Not intended for consumer use —\n * consumers should use `UserDoc` (exported from\n * `@robelest/convex-auth/component`).\n *\n * @internal\n */\nexport type CrossComponentUserDoc = Infer<typeof vUserDoc>;\n\nexport type KeyDoc = Infer<typeof vApiKeyDoc>;\n\n// ---------------------------------------------------------------------------\n// Cross-component wrapper context\n// ---------------------------------------------------------------------------\n// Structural type accepted by all wrappers below. Works for both action and\n// mutation contexts — the only capabilities we need are runQuery / runMutation\n// and access to the component API via `auth.config.component`.\n\n/** @internal */\nexport type ComponentCallCtx = {\n runQuery: GenericActionCtx<AuthDataModel>[\"runQuery\"];\n runMutation: GenericActionCtx<AuthDataModel>[\"runMutation\"];\n auth: { config: { component: AuthComponentApi } };\n};\n\n// ---------------------------------------------------------------------------\n// Typed wrappers for cross-component calls\n// ---------------------------------------------------------------------------\n// Each wrapper encapsulates the single `as any` cast at the component\n// boundary so that callers get full type safety on both args and return\n// values.\n\n// -- User queries --\n\nexport async function queryUserById(\n ctx: ComponentCallCtx,\n userId: string,\n): Promise<CrossComponentUserDoc | null> {\n return (await ctx.runQuery(ctx.auth.config.component.public.userGetById, {\n userId,\n })) as CrossComponentUserDoc | null;\n}\n\nexport async function queryUserByVerifiedEmail(\n ctx: ComponentCallCtx,\n email: string,\n): Promise<CrossComponentUserDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.userFindByVerifiedEmail,\n { email },\n )) as CrossComponentUserDoc | null;\n}\n\n// -- Verifier queries / mutations --\n\nexport async function queryVerifierById(\n ctx: ComponentCallCtx,\n verifierId: string,\n): Promise<VerifierDoc | null> {\n return (await ctx.runQuery(ctx.auth.config.component.public.verifierGetById, {\n verifierId,\n })) as VerifierDoc | null;\n}\n\nexport async function mutateVerifierDelete(\n ctx: ComponentCallCtx,\n verifierId: string,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.verifierDelete, {\n verifierId,\n });\n}\n\n// -- TOTP queries / mutations --\n\nexport async function queryTotpById(\n ctx: ComponentCallCtx,\n totpId: string,\n): Promise<TotpDoc | null> {\n return (await ctx.runQuery(ctx.auth.config.component.public.totpGetById, {\n totpId,\n })) as TotpDoc | null;\n}\n\nexport async function queryTotpVerifiedByUserId(\n ctx: ComponentCallCtx,\n userId: string,\n): Promise<TotpDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.totpGetVerifiedByUserId,\n { userId },\n )) as TotpDoc | null;\n}\n\nexport async function mutateTotpInsert(\n ctx: ComponentCallCtx,\n args: {\n userId: string;\n secret: ArrayBuffer;\n digits: number;\n period: number;\n verified: boolean;\n name?: string;\n createdAt: number;\n },\n): Promise<string> {\n return (await ctx.runMutation(\n ctx.auth.config.component.public.totpInsert,\n args,\n )) as string;\n}\n\nexport async function mutateTotpMarkVerified(\n ctx: ComponentCallCtx,\n totpId: string,\n lastUsedAt: number,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.totpMarkVerified, {\n totpId,\n lastUsedAt,\n });\n}\n\nexport async function mutateTotpUpdateLastUsed(\n ctx: ComponentCallCtx,\n totpId: string,\n lastUsedAt: number,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.totpUpdateLastUsed, {\n totpId,\n lastUsedAt,\n });\n}\n\n// -- Passkey queries / mutations --\n\nexport async function queryPasskeysByUserId(\n ctx: ComponentCallCtx,\n userId: string,\n): Promise<PasskeyDoc[]> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.passkeyListByUserId,\n { userId },\n )) as PasskeyDoc[];\n}\n\nexport async function queryPasskeyByCredentialId(\n ctx: ComponentCallCtx,\n credentialId: string,\n): Promise<PasskeyDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.passkeyGetByCredentialId,\n { credentialId },\n )) as PasskeyDoc | null;\n}\n\nexport async function mutatePasskeyInsert(\n ctx: ComponentCallCtx,\n args: {\n userId: string;\n credentialId: string;\n publicKey: ArrayBuffer | ArrayBufferLike;\n algorithm: number;\n counter: number;\n transports?: string[];\n deviceType: string;\n backedUp: boolean;\n name?: string;\n createdAt: number;\n },\n): Promise<string> {\n return (await ctx.runMutation(\n ctx.auth.config.component.public.passkeyInsert,\n args,\n )) as string;\n}\n\nexport async function mutatePasskeyUpdateCounter(\n ctx: ComponentCallCtx,\n passkeyId: string,\n counter: number,\n lastUsedAt: number,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.passkeyUpdateCounter, {\n passkeyId,\n counter,\n lastUsedAt,\n });\n}\n\n// -- Key queries / mutations --\n\nexport async function mutateKeyInsert(\n ctx: ComponentCallCtx,\n args: {\n userId: string;\n prefix: string;\n hashedKey: string;\n name: string;\n scopes: Array<{ resource: string; actions: string[] }>;\n rateLimit?: { maxRequests: number; windowMs: number };\n expiresAt?: number;\n },\n): Promise<string> {\n return (await ctx.runMutation(\n ctx.auth.config.component.public.keyInsert,\n args,\n )) as string;\n}\n\nexport async function queryKeysByUserId(\n ctx: ComponentCallCtx,\n userId: string,\n): Promise<KeyDoc[]> {\n return (await ctx.runQuery(ctx.auth.config.component.public.keyListByUserId, {\n userId,\n })) as KeyDoc[];\n}\n\nexport async function queryKeyById(\n ctx: ComponentCallCtx,\n keyId: string,\n): Promise<KeyDoc | null> {\n return (await ctx.runQuery(ctx.auth.config.component.public.keyGetById, {\n keyId,\n })) as KeyDoc | null;\n}\n\nexport async function mutateKeyPatch(\n ctx: ComponentCallCtx,\n keyId: string,\n data: Record<string, unknown>,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.keyPatch, {\n keyId,\n data,\n });\n}\n\nexport async function mutateKeyDelete(\n ctx: ComponentCallCtx,\n keyId: string,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.keyDelete, { keyId });\n}\n\n// -- Device authorization queries / mutations --\n\nexport type DeviceDoc = Infer<typeof vDeviceCodeDoc>;\n\nexport async function mutateDeviceInsert(\n ctx: ComponentCallCtx,\n args: {\n deviceCodeHash: string;\n userCode: string;\n expiresAt: number;\n interval: number;\n status: \"pending\" | \"authorized\" | \"denied\";\n },\n): Promise<string> {\n return (await ctx.runMutation(\n ctx.auth.config.component.public.deviceInsert,\n args,\n )) as string;\n}\n\nexport async function queryDeviceByCodeHash(\n ctx: ComponentCallCtx,\n deviceCodeHash: string,\n): Promise<DeviceDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.deviceGetByCodeHash,\n { deviceCodeHash },\n )) as DeviceDoc | null;\n}\n\nexport async function queryDeviceByUserCode(\n ctx: ComponentCallCtx,\n userCode: string,\n): Promise<DeviceDoc | null> {\n return (await ctx.runQuery(\n ctx.auth.config.component.public.deviceGetByUserCode,\n { userCode },\n )) as DeviceDoc | null;\n}\n\nexport async function mutateDeviceAuthorize(\n ctx: ComponentCallCtx,\n deviceId: string,\n userId: string,\n sessionId: string,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.deviceAuthorize, {\n deviceId,\n userId,\n sessionId,\n });\n}\n\nexport async function mutateDeviceUpdateLastPolled(\n ctx: ComponentCallCtx,\n deviceId: string,\n lastPolledAt: number,\n): Promise<void> {\n await ctx.runMutation(\n ctx.auth.config.component.public.deviceUpdateLastPolled,\n { deviceId, lastPolledAt },\n );\n}\n\nexport async function mutateDeviceDelete(\n ctx: ComponentCallCtx,\n deviceId: string,\n): Promise<void> {\n await ctx.runMutation(ctx.auth.config.component.public.deviceDelete, {\n deviceId,\n });\n}\n"],"mappings":";AAy6CA,eAAsB,cACpB,KACA,QACuC;AACvC,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,aAAa,EACvE,QACD,CAAC;;AAGJ,eAAsB,yBACpB,KACA,OACuC;AACvC,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,yBACjC,EAAE,OAAO,CACV;;AAKH,eAAsB,kBACpB,KACA,YAC6B;AAC7B,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,iBAAiB,EAC3E,YACD,CAAC;;AAGJ,eAAsB,qBACpB,KACA,YACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,gBAAgB,EACrE,YACD,CAAC;;AAKJ,eAAsB,cACpB,KACA,QACyB;AACzB,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,aAAa,EACvE,QACD,CAAC;;AAGJ,eAAsB,0BACpB,KACA,QACyB;AACzB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,yBACjC,EAAE,QAAQ,CACX;;AAGH,eAAsB,iBACpB,KACA,MASiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,YACjC,KACD;;AAGH,eAAsB,uBACpB,KACA,QACA,YACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,kBAAkB;EACvE;EACA;EACD,CAAC;;AAGJ,eAAsB,yBACpB,KACA,QACA,YACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,oBAAoB;EACzE;EACA;EACD,CAAC;;AAKJ,eAAsB,sBACpB,KACA,QACuB;AACvB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,qBACjC,EAAE,QAAQ,CACX;;AAGH,eAAsB,2BACpB,KACA,cAC4B;AAC5B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,0BACjC,EAAE,cAAc,CACjB;;AAGH,eAAsB,oBACpB,KACA,MAYiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,eACjC,KACD;;AAGH,eAAsB,2BACpB,KACA,WACA,SACA,YACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,sBAAsB;EAC3E;EACA;EACA;EACD,CAAC;;AAKJ,eAAsB,gBACpB,KACA,MASiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,WACjC,KACD;;AAGH,eAAsB,kBACpB,KACA,QACmB;AACnB,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,iBAAiB,EAC3E,QACD,CAAC;;AAGJ,eAAsB,aACpB,KACA,OACwB;AACxB,QAAQ,MAAM,IAAI,SAAS,IAAI,KAAK,OAAO,UAAU,OAAO,YAAY,EACtE,OACD,CAAC;;AAGJ,eAAsB,eACpB,KACA,OACA,MACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,UAAU;EAC/D;EACA;EACD,CAAC;;AAGJ,eAAsB,gBACpB,KACA,OACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,WAAW,EAAE,OAAO,CAAC;;AAO9E,eAAsB,mBACpB,KACA,MAOiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,cACjC,KACD;;AAGH,eAAsB,sBACpB,KACA,gBAC2B;AAC3B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,qBACjC,EAAE,gBAAgB,CACnB;;AAGH,eAAsB,sBACpB,KACA,UAC2B;AAC3B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,qBACjC,EAAE,UAAU,CACb;;AAGH,eAAsB,sBACpB,KACA,UACA,QACA,WACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,iBAAiB;EACtE;EACA;EACA;EACD,CAAC;;AAGJ,eAAsB,6BACpB,KACA,UACA,cACe;AACf,OAAM,IAAI,YACR,IAAI,KAAK,OAAO,UAAU,OAAO,wBACjC;EAAE;EAAU;EAAc,CAC3B;;AAGH,eAAsB,mBACpB,KACA,UACe;AACf,OAAM,IAAI,YAAY,IAAI,KAAK,OAAO,UAAU,OAAO,cAAc,EACnE,UACD,CAAC"}
package/dist/server/users.d.ts CHANGED
@@ -1,31 +1 @@
1
- import { AuthProviderMaterializedConfig, ConvexAuthConfig, Doc, MutationCtx } from "./types.js";
2
- import { GenericId } from "convex/values";
3
-
4
- //#region src/server/users.d.ts
5
- type CreateOrUpdateUserArgs = {
6
- type: "oauth" | "credentials" | "email" | "phone" | "verification";
7
- provider: AuthProviderMaterializedConfig;
8
- profile: Record<string, unknown> & {
9
- email?: string;
10
- phone?: string;
11
- emailVerified?: boolean;
12
- phoneVerified?: boolean;
13
- };
14
- accountExtend?: Record<string, unknown>;
15
- shouldLinkViaEmail?: boolean;
16
- shouldLinkViaPhone?: boolean;
17
- };
18
- declare function upsertUserAndAccount(ctx: MutationCtx, sessionId: GenericId<"Session"> | null, account: {
19
- existingAccount: Doc<"Account">;
20
- } | {
21
- providerAccountId: string;
22
- secret?: string;
23
- }, args: CreateOrUpdateUserArgs, config: ConvexAuthConfig, opts?: {
24
- existingUserId?: GenericId<"User">;
25
- }): Promise<{
26
- userId: GenericId<"User">;
27
- accountId: GenericId<"Account">;
28
- }>;
29
- //#endregion
30
- export { upsertUserAndAccount };
31
- //# sourceMappingURL=users.d.ts.map
1
+ export { };
package/dist/server/users.js CHANGED
@@ -12,6 +12,7 @@ function mergeExtend(existing, incoming) {
12
12
  ...incoming
13
13
  } : incoming;
14
14
  }
15
+ /** @internal */
15
16
  async function upsertUserAndAccount(ctx, sessionId, account, args, config, opts) {
16
17
  const userId = await defaultCreateOrUpdateUser(ctx, sessionId, "existingAccount" in account ? account.existingAccount : null, args, config, opts?.existingUserId ?? null);
17
18
  return {
package/dist/server/users.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"users.js","names":[],"sources":["../../src/server/users.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { AuthError } from \"./fx\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { AuthProviderMaterializedConfig, ConvexAuthConfig } from \"./types\";\nimport { LOG_LEVELS, logWithLevel } from \"./utils\";\n\ntype CreateOrUpdateUserArgs = {\n type: \"oauth\" | \"credentials\" | \"email\" | \"phone\" | \"verification\";\n provider: AuthProviderMaterializedConfig;\n profile: Record<string, unknown> & {\n email?: string;\n phone?: string;\n emailVerified?: boolean;\n phoneVerified?: boolean;\n };\n accountExtend?: Record<string, unknown>;\n shouldLinkViaEmail?: boolean;\n shouldLinkViaPhone?: boolean;\n};\n\nfunction mergeExtend(\n existing: unknown,\n incoming: Record<string, unknown> | undefined,\n) {\n if (!incoming) {\n return undefined;\n }\n const existingRecord =\n typeof existing === \"object\" &&\n existing !== null &&\n !Array.isArray(existing)\n ? (existing as Record<string, unknown>)\n : undefined;\n return existingRecord ? { ...existingRecord, ...incoming } : incoming;\n}\n\nexport async function upsertUserAndAccount(\n ctx: MutationCtx,\n sessionId: GenericId<\"Session\"> | null,\n account:\n | { existingAccount: Doc<\"Account\"> }\n | {\n providerAccountId: string;\n secret?: string;\n },\n args: CreateOrUpdateUserArgs,\n config: ConvexAuthConfig,\n opts?: { existingUserId?: GenericId<\"User\"> },\n): Promise<{\n userId: GenericId<\"User\">;\n accountId: GenericId<\"Account\">;\n}> {\n const userId = await defaultCreateOrUpdateUser(\n ctx,\n sessionId,\n \"existingAccount\" in account ? account.existingAccount : null,\n args,\n config,\n opts?.existingUserId ?? null,\n );\n const accountId = await createOrUpdateAccount(\n ctx,\n userId,\n account,\n args,\n config,\n );\n return { userId, accountId };\n}\n\nasync function defaultCreateOrUpdateUser(\n ctx: MutationCtx,\n existingSessionId: GenericId<\"Session\"> | null,\n existingAccount: Doc<\"Account\"> | null,\n args: CreateOrUpdateUserArgs,\n config: ConvexAuthConfig,\n existingUserIdOverride: GenericId<\"User\"> | null,\n) {\n logWithLevel(LOG_LEVELS.DEBUG, \"defaultCreateOrUpdateUser args:\", {\n existingAccountId: existingAccount?._id,\n existingSessionId,\n args,\n });\n const existingUserId = existingAccount?.userId ?? null;\n const db = authDb(ctx, config);\n if (config.callbacks?.createOrUpdateUser !== undefined) {\n logWithLevel(LOG_LEVELS.DEBUG, \"Using custom createOrUpdateUser callback\");\n return await config.callbacks.createOrUpdateUser(ctx, {\n existingUserId,\n ...args,\n });\n }\n\n const {\n provider,\n profile: {\n id: _profileId,\n emailVerified: profileEmailVerified,\n phoneVerified: profilePhoneVerified,\n ...profile\n },\n } = args;\n const emailVerified =\n profileEmailVerified ??\n (provider.type === \"oauth\" && provider.accountLinking !== \"none\");\n const phoneVerified = profilePhoneVerified ?? false;\n const shouldLinkViaEmail =\n args.shouldLinkViaEmail || emailVerified || provider.type === \"email\";\n const shouldLinkViaPhone =\n args.shouldLinkViaPhone || phoneVerified || provider.type === \"phone\";\n\n let userId = existingUserId ?? existingUserIdOverride;\n if (existingUserId === null) {\n const existingUserWithVerifiedEmailId =\n typeof profile.email === \"string\" && shouldLinkViaEmail\n ? ((await uniqueUserWithVerifiedEmail(ctx, profile.email, config))\n ?._id ?? null)\n : null;\n\n const existingUserWithVerifiedPhoneId =\n typeof profile.phone === \"string\" && shouldLinkViaPhone\n ? ((await uniqueUserWithVerifiedPhone(ctx, profile.phone, config))\n ?._id ?? null)\n : null;\n const linkDispatch = {\n tag:\n existingUserWithVerifiedEmailId !== null &&\n existingUserWithVerifiedPhoneId !== null\n ? \"both\"\n : existingUserWithVerifiedEmailId !== null\n ? \"email\"\n : existingUserWithVerifiedPhoneId !== null\n ? \"phone\"\n : \"none\",\n existingUserWithVerifiedEmailId,\n existingUserWithVerifiedPhoneId,\n } as const;\n\n const linkHandlers = {\n both: () =>\n Fx.sync(() => {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n `Found existing email and phone verified users, so not linking: email: ${linkDispatch.existingUserWithVerifiedEmailId}, phone: ${linkDispatch.existingUserWithVerifiedPhoneId}`,\n );\n return null;\n }),\n email: () =>\n Fx.sync(() => {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n `Found existing email verified user, linking: ${linkDispatch.existingUserWithVerifiedEmailId}`,\n );\n return linkDispatch.existingUserWithVerifiedEmailId;\n }),\n phone: () =>\n Fx.sync(() => {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n `Found existing phone verified user, linking: ${linkDispatch.existingUserWithVerifiedPhoneId}`,\n );\n return linkDispatch.existingUserWithVerifiedPhoneId;\n }),\n none: () =>\n Fx.sync(() => {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n \"No existing verified users found, creating new user\",\n );\n return null;\n }),\n } as const;\n\n userId = await Fx.run(linkHandlers[linkDispatch.tag]());\n }\n const userData = {\n ...(emailVerified ? { emailVerificationTime: Date.now() } : null),\n ...(phoneVerified ? { phoneVerificationTime: Date.now() } : null),\n ...profile,\n };\n const existingOrLinkedUserId = userId;\n if (userId !== null) {\n await Fx.run(\n Fx.from({\n ok: () => db.users.patch(userId!, userData),\n err: (error) =>\n new AuthError(\n \"USER_UPDATE_FAILED\",\n `Could not update user document with ID \\`${userId}\\`, ` +\n `either the user has been deleted but their account has not, ` +\n `or the profile data doesn't match the \\`users\\` table schema: ` +\n `${(error as Error).message}`,\n ),\n }).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))),\n );\n } else {\n userId = (await db.users.insert(userData)) as GenericId<\"User\">;\n }\n const afterUserCreatedOrUpdated = config.callbacks?.afterUserCreatedOrUpdated;\n if (afterUserCreatedOrUpdated !== undefined) {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n \"Calling custom afterUserCreatedOrUpdated callback\",\n );\n await afterUserCreatedOrUpdated(ctx, {\n userId,\n existingUserId: existingOrLinkedUserId,\n ...args,\n });\n } else {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n \"No custom afterUserCreatedOrUpdated callback, skipping\",\n );\n }\n return userId;\n}\n\nasync function uniqueUserWithVerifiedEmail(\n ctx: MutationCtx,\n email: string,\n config: ConvexAuthConfig,\n) {\n const db = authDb(ctx, config);\n return (await db.users.findByVerifiedEmail(email)) as Doc<\"User\"> | null;\n}\n\nasync function uniqueUserWithVerifiedPhone(\n ctx: MutationCtx,\n phone: string,\n config: ConvexAuthConfig,\n) {\n const db = authDb(ctx, config);\n return (await db.users.findByVerifiedPhone(phone)) as Doc<\"User\"> | null;\n}\n\nasync function createOrUpdateAccount(\n ctx: MutationCtx,\n userId: GenericId<\"User\">,\n account:\n | { existingAccount: Doc<\"Account\"> }\n | {\n providerAccountId: string;\n secret?: string;\n },\n args: CreateOrUpdateUserArgs,\n config: ConvexAuthConfig,\n) {\n const db = authDb(ctx, config);\n const mergedExtend =\n \"existingAccount\" in account\n ? mergeExtend(account.existingAccount.extend, args.accountExtend)\n : args.accountExtend;\n const accountId =\n \"existingAccount\" in account\n ? account.existingAccount._id\n : ((await db.accounts.create({\n userId,\n provider: args.provider.id,\n providerAccountId: account.providerAccountId,\n secret: account.secret,\n extend: mergedExtend,\n })) as GenericId<\"Account\">);\n // This is never used with the default `createOrUpdateUser` implementation,\n // but it is used for manual linking via custom `createOrUpdateUser`:\n if (\n \"existingAccount\" in account &&\n account.existingAccount.userId !== userId\n ) {\n await db.accounts.patch(accountId, { userId });\n }\n const accountPatchData: Record<string, unknown> = {};\n if (mergedExtend) {\n accountPatchData.extend = mergedExtend;\n }\n if (args.profile.emailVerified) {\n accountPatchData.emailVerified = args.profile.email;\n }\n if (args.profile.phoneVerified) {\n accountPatchData.phoneVerified = args.profile.phone;\n }\n if (Object.keys(accountPatchData).length > 0) {\n await db.accounts.patch(accountId, accountPatchData);\n }\n return accountId;\n}\n"],"mappings":";;;;;;AAuBA,SAAS,YACP,UACA,UACA;AACA,KAAI,CAAC,SACH;CAEF,MAAM,iBACJ,OAAO,aAAa,YACpB,aAAa,QACb,CAAC,MAAM,QAAQ,SAAS,GACnB,WACD;AACN,QAAO,iBAAiB;EAAE,GAAG;EAAgB,GAAG;EAAU,GAAG;;AAG/D,eAAsB,qBACpB,KACA,WACA,SAMA,MACA,QACA,MAIC;CACD,MAAM,SAAS,MAAM,0BACnB,KACA,WACA,qBAAqB,UAAU,QAAQ,kBAAkB,MACzD,MACA,QACA,MAAM,kBAAkB,KACzB;AAQD,QAAO;EAAE;EAAQ,WAPC,MAAM,sBACtB,KACA,QACA,SACA,MACA,OACD;EAC2B;;AAG9B,eAAe,0BACb,KACA,mBACA,iBACA,MACA,QACA,wBACA;AACA,cAAa,WAAW,OAAO,mCAAmC;EAChE,mBAAmB,iBAAiB;EACpC;EACA;EACD,CAAC;CACF,MAAM,iBAAiB,iBAAiB,UAAU;CAClD,MAAM,KAAK,OAAO,KAAK,OAAO;AAC9B,KAAI,OAAO,WAAW,uBAAuB,QAAW;AACtD,eAAa,WAAW,OAAO,2CAA2C;AAC1E,SAAO,MAAM,OAAO,UAAU,mBAAmB,KAAK;GACpD;GACA,GAAG;GACJ,CAAC;;CAGJ,MAAM,EACJ,UACA,SAAS,EACP,IAAI,YACJ,eAAe,sBACf,eAAe,sBACf,GAAG,cAEH;CACJ,MAAM,gBACJ,yBACC,SAAS,SAAS,WAAW,SAAS,mBAAmB;CAC5D,MAAM,gBAAgB,wBAAwB;CAC9C,MAAM,qBACJ,KAAK,sBAAsB,iBAAiB,SAAS,SAAS;CAChE,MAAM,qBACJ,KAAK,sBAAsB,iBAAiB,SAAS,SAAS;CAEhE,IAAI,SAAS,kBAAkB;AAC/B,KAAI,mBAAmB,MAAM;EAC3B,MAAM,kCACJ,OAAO,QAAQ,UAAU,YAAY,sBAC/B,MAAM,4BAA4B,KAAK,QAAQ,OAAO,OAAO,GAC3D,OAAO,OACX;EAEN,MAAM,kCACJ,OAAO,QAAQ,UAAU,YAAY,sBAC/B,MAAM,4BAA4B,KAAK,QAAQ,OAAO,OAAO,GAC3D,OAAO,OACX;EACN,MAAM,eAAe;GACnB,KACE,oCAAoC,QACpC,oCAAoC,OAChC,SACA,oCAAoC,OAClC,UACA,oCAAoC,OAClC,UACA;GACV;GACA;GACD;AAqCD,WAAS,MAAM,GAAG,IAnCG;GACnB,YACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,yEAAyE,aAAa,gCAAgC,WAAW,aAAa,kCAC/I;AACD,WAAO;KACP;GACJ,aACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,gDAAgD,aAAa,kCAC9D;AACD,WAAO,aAAa;KACpB;GACJ,aACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,gDAAgD,aAAa,kCAC9D;AACD,WAAO,aAAa;KACpB;GACJ,YACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,sDACD;AACD,WAAO;KACP;GACL,CAEkC,aAAa,MAAM,CAAC;;CAEzD,MAAM,WAAW;EACf,GAAI,gBAAgB,EAAE,uBAAuB,KAAK,KAAK,EAAE,GAAG;EAC5D,GAAI,gBAAgB,EAAE,uBAAuB,KAAK,KAAK,EAAE,GAAG;EAC5D,GAAG;EACJ;CACD,MAAM,yBAAyB;AAC/B,KAAI,WAAW,KACb,OAAM,GAAG,IACP,GAAG,KAAK;EACN,UAAU,GAAG,MAAM,MAAM,QAAS,SAAS;EAC3C,MAAM,UACJ,IAAI,UACF,sBACA,4CAA4C,OAAO,gIAG7C,MAAgB,UACvB;EACJ,CAAC,CAAC,KAAK,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CACxD;KAED,UAAU,MAAM,GAAG,MAAM,OAAO,SAAS;CAE3C,MAAM,4BAA4B,OAAO,WAAW;AACpD,KAAI,8BAA8B,QAAW;AAC3C,eACE,WAAW,OACX,oDACD;AACD,QAAM,0BAA0B,KAAK;GACnC;GACA,gBAAgB;GAChB,GAAG;GACJ,CAAC;OAEF,cACE,WAAW,OACX,yDACD;AAEH,QAAO;;AAGT,eAAe,4BACb,KACA,OACA,QACA;AAEA,QAAQ,MADG,OAAO,KAAK,OAAO,CACb,MAAM,oBAAoB,MAAM;;AAGnD,eAAe,4BACb,KACA,OACA,QACA;AAEA,QAAQ,MADG,OAAO,KAAK,OAAO,CACb,MAAM,oBAAoB,MAAM;;AAGnD,eAAe,sBACb,KACA,QACA,SAMA,MACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,eACJ,qBAAqB,UACjB,YAAY,QAAQ,gBAAgB,QAAQ,KAAK,cAAc,GAC/D,KAAK;CACX,MAAM,YACJ,qBAAqB,UACjB,QAAQ,gBAAgB,MACtB,MAAM,GAAG,SAAS,OAAO;EACzB;EACA,UAAU,KAAK,SAAS;EACxB,mBAAmB,QAAQ;EAC3B,QAAQ,QAAQ;EAChB,QAAQ;EACT,CAAC;AAGR,KACE,qBAAqB,WACrB,QAAQ,gBAAgB,WAAW,OAEnC,OAAM,GAAG,SAAS,MAAM,WAAW,EAAE,QAAQ,CAAC;CAEhD,MAAM,mBAA4C,EAAE;AACpD,KAAI,aACF,kBAAiB,SAAS;AAE5B,KAAI,KAAK,QAAQ,cACf,kBAAiB,gBAAgB,KAAK,QAAQ;AAEhD,KAAI,KAAK,QAAQ,cACf,kBAAiB,gBAAgB,KAAK,QAAQ;AAEhD,KAAI,OAAO,KAAK,iBAAiB,CAAC,SAAS,EACzC,OAAM,GAAG,SAAS,MAAM,WAAW,iBAAiB;AAEtD,QAAO"}
1
+ {"version":3,"file":"users.js","names":[],"sources":["../../src/server/users.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { AuthError } from \"./fx\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { AuthProviderMaterializedConfig, ConvexAuthConfig } from \"./types\";\nimport { LOG_LEVELS, logWithLevel } from \"./utils\";\n\ntype CreateOrUpdateUserArgs = {\n type: \"oauth\" | \"credentials\" | \"email\" | \"phone\" | \"verification\";\n provider: AuthProviderMaterializedConfig;\n profile: Record<string, unknown> & {\n email?: string;\n phone?: string;\n emailVerified?: boolean;\n phoneVerified?: boolean;\n };\n accountExtend?: Record<string, unknown>;\n shouldLinkViaEmail?: boolean;\n shouldLinkViaPhone?: boolean;\n};\n\nfunction mergeExtend(\n existing: unknown,\n incoming: Record<string, unknown> | undefined,\n) {\n if (!incoming) {\n return undefined;\n }\n const existingRecord =\n typeof existing === \"object\" &&\n existing !== null &&\n !Array.isArray(existing)\n ? (existing as Record<string, unknown>)\n : undefined;\n return existingRecord ? { ...existingRecord, ...incoming } : incoming;\n}\n\n/** @internal */\nexport async function upsertUserAndAccount(\n ctx: MutationCtx,\n sessionId: GenericId<\"Session\"> | null,\n account:\n | { existingAccount: Doc<\"Account\"> }\n | {\n providerAccountId: string;\n secret?: string;\n },\n args: CreateOrUpdateUserArgs,\n config: ConvexAuthConfig,\n opts?: { existingUserId?: GenericId<\"User\"> },\n): Promise<{\n userId: GenericId<\"User\">;\n accountId: GenericId<\"Account\">;\n}> {\n const userId = await defaultCreateOrUpdateUser(\n ctx,\n sessionId,\n \"existingAccount\" in account ? account.existingAccount : null,\n args,\n config,\n opts?.existingUserId ?? null,\n );\n const accountId = await createOrUpdateAccount(\n ctx,\n userId,\n account,\n args,\n config,\n );\n return { userId, accountId };\n}\n\nasync function defaultCreateOrUpdateUser(\n ctx: MutationCtx,\n existingSessionId: GenericId<\"Session\"> | null,\n existingAccount: Doc<\"Account\"> | null,\n args: CreateOrUpdateUserArgs,\n config: ConvexAuthConfig,\n existingUserIdOverride: GenericId<\"User\"> | null,\n) {\n logWithLevel(LOG_LEVELS.DEBUG, \"defaultCreateOrUpdateUser args:\", {\n existingAccountId: existingAccount?._id,\n existingSessionId,\n args,\n });\n const existingUserId = existingAccount?.userId ?? null;\n const db = authDb(ctx, config);\n if (config.callbacks?.createOrUpdateUser !== undefined) {\n logWithLevel(LOG_LEVELS.DEBUG, \"Using custom createOrUpdateUser callback\");\n return await config.callbacks.createOrUpdateUser(ctx, {\n existingUserId,\n ...args,\n });\n }\n\n const {\n provider,\n profile: {\n id: _profileId,\n emailVerified: profileEmailVerified,\n phoneVerified: profilePhoneVerified,\n ...profile\n },\n } = args;\n const emailVerified =\n profileEmailVerified ??\n (provider.type === \"oauth\" && provider.accountLinking !== \"none\");\n const phoneVerified = profilePhoneVerified ?? false;\n const shouldLinkViaEmail =\n args.shouldLinkViaEmail || emailVerified || provider.type === \"email\";\n const shouldLinkViaPhone =\n args.shouldLinkViaPhone || phoneVerified || provider.type === \"phone\";\n\n let userId = existingUserId ?? existingUserIdOverride;\n if (existingUserId === null) {\n const existingUserWithVerifiedEmailId =\n typeof profile.email === \"string\" && shouldLinkViaEmail\n ? ((await uniqueUserWithVerifiedEmail(ctx, profile.email, config))\n ?._id ?? null)\n : null;\n\n const existingUserWithVerifiedPhoneId =\n typeof profile.phone === \"string\" && shouldLinkViaPhone\n ? ((await uniqueUserWithVerifiedPhone(ctx, profile.phone, config))\n ?._id ?? null)\n : null;\n const linkDispatch = {\n tag:\n existingUserWithVerifiedEmailId !== null &&\n existingUserWithVerifiedPhoneId !== null\n ? \"both\"\n : existingUserWithVerifiedEmailId !== null\n ? \"email\"\n : existingUserWithVerifiedPhoneId !== null\n ? \"phone\"\n : \"none\",\n existingUserWithVerifiedEmailId,\n existingUserWithVerifiedPhoneId,\n } as const;\n\n const linkHandlers = {\n both: () =>\n Fx.sync(() => {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n `Found existing email and phone verified users, so not linking: email: ${linkDispatch.existingUserWithVerifiedEmailId}, phone: ${linkDispatch.existingUserWithVerifiedPhoneId}`,\n );\n return null;\n }),\n email: () =>\n Fx.sync(() => {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n `Found existing email verified user, linking: ${linkDispatch.existingUserWithVerifiedEmailId}`,\n );\n return linkDispatch.existingUserWithVerifiedEmailId;\n }),\n phone: () =>\n Fx.sync(() => {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n `Found existing phone verified user, linking: ${linkDispatch.existingUserWithVerifiedPhoneId}`,\n );\n return linkDispatch.existingUserWithVerifiedPhoneId;\n }),\n none: () =>\n Fx.sync(() => {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n \"No existing verified users found, creating new user\",\n );\n return null;\n }),\n } as const;\n\n userId = await Fx.run(linkHandlers[linkDispatch.tag]());\n }\n const userData = {\n ...(emailVerified ? { emailVerificationTime: Date.now() } : null),\n ...(phoneVerified ? { phoneVerificationTime: Date.now() } : null),\n ...profile,\n };\n const existingOrLinkedUserId = userId;\n if (userId !== null) {\n await Fx.run(\n Fx.from({\n ok: () => db.users.patch(userId!, userData),\n err: (error) =>\n new AuthError(\n \"USER_UPDATE_FAILED\",\n `Could not update user document with ID \\`${userId}\\`, ` +\n `either the user has been deleted but their account has not, ` +\n `or the profile data doesn't match the \\`users\\` table schema: ` +\n `${(error as Error).message}`,\n ),\n }).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))),\n );\n } else {\n userId = (await db.users.insert(userData)) as GenericId<\"User\">;\n }\n const afterUserCreatedOrUpdated = config.callbacks?.afterUserCreatedOrUpdated;\n if (afterUserCreatedOrUpdated !== undefined) {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n \"Calling custom afterUserCreatedOrUpdated callback\",\n );\n await afterUserCreatedOrUpdated(ctx, {\n userId,\n existingUserId: existingOrLinkedUserId,\n ...args,\n });\n } else {\n logWithLevel(\n LOG_LEVELS.DEBUG,\n \"No custom afterUserCreatedOrUpdated callback, skipping\",\n );\n }\n return userId;\n}\n\nasync function uniqueUserWithVerifiedEmail(\n ctx: MutationCtx,\n email: string,\n config: ConvexAuthConfig,\n) {\n const db = authDb(ctx, config);\n return (await db.users.findByVerifiedEmail(email)) as Doc<\"User\"> | null;\n}\n\nasync function uniqueUserWithVerifiedPhone(\n ctx: MutationCtx,\n phone: string,\n config: ConvexAuthConfig,\n) {\n const db = authDb(ctx, config);\n return (await db.users.findByVerifiedPhone(phone)) as Doc<\"User\"> | null;\n}\n\nasync function createOrUpdateAccount(\n ctx: MutationCtx,\n userId: GenericId<\"User\">,\n account:\n | { existingAccount: Doc<\"Account\"> }\n | {\n providerAccountId: string;\n secret?: string;\n },\n args: CreateOrUpdateUserArgs,\n config: ConvexAuthConfig,\n) {\n const db = authDb(ctx, config);\n const mergedExtend =\n \"existingAccount\" in account\n ? mergeExtend(account.existingAccount.extend, args.accountExtend)\n : args.accountExtend;\n const accountId =\n \"existingAccount\" in account\n ? account.existingAccount._id\n : ((await db.accounts.create({\n userId,\n provider: args.provider.id,\n providerAccountId: account.providerAccountId,\n secret: account.secret,\n extend: mergedExtend,\n })) as GenericId<\"Account\">);\n // This is never used with the default `createOrUpdateUser` implementation,\n // but it is used for manual linking via custom `createOrUpdateUser`:\n if (\n \"existingAccount\" in account &&\n account.existingAccount.userId !== userId\n ) {\n await db.accounts.patch(accountId, { userId });\n }\n const accountPatchData: Record<string, unknown> = {};\n if (mergedExtend) {\n accountPatchData.extend = mergedExtend;\n }\n if (args.profile.emailVerified) {\n accountPatchData.emailVerified = args.profile.email;\n }\n if (args.profile.phoneVerified) {\n accountPatchData.phoneVerified = args.profile.phone;\n }\n if (Object.keys(accountPatchData).length > 0) {\n await db.accounts.patch(accountId, accountPatchData);\n }\n return accountId;\n}\n"],"mappings":";;;;;;AAuBA,SAAS,YACP,UACA,UACA;AACA,KAAI,CAAC,SACH;CAEF,MAAM,iBACJ,OAAO,aAAa,YACpB,aAAa,QACb,CAAC,MAAM,QAAQ,SAAS,GACnB,WACD;AACN,QAAO,iBAAiB;EAAE,GAAG;EAAgB,GAAG;EAAU,GAAG;;;AAI/D,eAAsB,qBACpB,KACA,WACA,SAMA,MACA,QACA,MAIC;CACD,MAAM,SAAS,MAAM,0BACnB,KACA,WACA,qBAAqB,UAAU,QAAQ,kBAAkB,MACzD,MACA,QACA,MAAM,kBAAkB,KACzB;AAQD,QAAO;EAAE;EAAQ,WAPC,MAAM,sBACtB,KACA,QACA,SACA,MACA,OACD;EAC2B;;AAG9B,eAAe,0BACb,KACA,mBACA,iBACA,MACA,QACA,wBACA;AACA,cAAa,WAAW,OAAO,mCAAmC;EAChE,mBAAmB,iBAAiB;EACpC;EACA;EACD,CAAC;CACF,MAAM,iBAAiB,iBAAiB,UAAU;CAClD,MAAM,KAAK,OAAO,KAAK,OAAO;AAC9B,KAAI,OAAO,WAAW,uBAAuB,QAAW;AACtD,eAAa,WAAW,OAAO,2CAA2C;AAC1E,SAAO,MAAM,OAAO,UAAU,mBAAmB,KAAK;GACpD;GACA,GAAG;GACJ,CAAC;;CAGJ,MAAM,EACJ,UACA,SAAS,EACP,IAAI,YACJ,eAAe,sBACf,eAAe,sBACf,GAAG,cAEH;CACJ,MAAM,gBACJ,yBACC,SAAS,SAAS,WAAW,SAAS,mBAAmB;CAC5D,MAAM,gBAAgB,wBAAwB;CAC9C,MAAM,qBACJ,KAAK,sBAAsB,iBAAiB,SAAS,SAAS;CAChE,MAAM,qBACJ,KAAK,sBAAsB,iBAAiB,SAAS,SAAS;CAEhE,IAAI,SAAS,kBAAkB;AAC/B,KAAI,mBAAmB,MAAM;EAC3B,MAAM,kCACJ,OAAO,QAAQ,UAAU,YAAY,sBAC/B,MAAM,4BAA4B,KAAK,QAAQ,OAAO,OAAO,GAC3D,OAAO,OACX;EAEN,MAAM,kCACJ,OAAO,QAAQ,UAAU,YAAY,sBAC/B,MAAM,4BAA4B,KAAK,QAAQ,OAAO,OAAO,GAC3D,OAAO,OACX;EACN,MAAM,eAAe;GACnB,KACE,oCAAoC,QACpC,oCAAoC,OAChC,SACA,oCAAoC,OAClC,UACA,oCAAoC,OAClC,UACA;GACV;GACA;GACD;AAqCD,WAAS,MAAM,GAAG,IAnCG;GACnB,YACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,yEAAyE,aAAa,gCAAgC,WAAW,aAAa,kCAC/I;AACD,WAAO;KACP;GACJ,aACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,gDAAgD,aAAa,kCAC9D;AACD,WAAO,aAAa;KACpB;GACJ,aACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,gDAAgD,aAAa,kCAC9D;AACD,WAAO,aAAa;KACpB;GACJ,YACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,sDACD;AACD,WAAO;KACP;GACL,CAEkC,aAAa,MAAM,CAAC;;CAEzD,MAAM,WAAW;EACf,GAAI,gBAAgB,EAAE,uBAAuB,KAAK,KAAK,EAAE,GAAG;EAC5D,GAAI,gBAAgB,EAAE,uBAAuB,KAAK,KAAK,EAAE,GAAG;EAC5D,GAAG;EACJ;CACD,MAAM,yBAAyB;AAC/B,KAAI,WAAW,KACb,OAAM,GAAG,IACP,GAAG,KAAK;EACN,UAAU,GAAG,MAAM,MAAM,QAAS,SAAS;EAC3C,MAAM,UACJ,IAAI,UACF,sBACA,4CAA4C,OAAO,gIAG7C,MAAgB,UACvB;EACJ,CAAC,CAAC,KAAK,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CACxD;KAED,UAAU,MAAM,GAAG,MAAM,OAAO,SAAS;CAE3C,MAAM,4BAA4B,OAAO,WAAW;AACpD,KAAI,8BAA8B,QAAW;AAC3C,eACE,WAAW,OACX,oDACD;AACD,QAAM,0BAA0B,KAAK;GACnC;GACA,gBAAgB;GAChB,GAAG;GACJ,CAAC;OAEF,cACE,WAAW,OACX,yDACD;AAEH,QAAO;;AAGT,eAAe,4BACb,KACA,OACA,QACA;AAEA,QAAQ,MADG,OAAO,KAAK,OAAO,CACb,MAAM,oBAAoB,MAAM;;AAGnD,eAAe,4BACb,KACA,OACA,QACA;AAEA,QAAQ,MADG,OAAO,KAAK,OAAO,CACb,MAAM,oBAAoB,MAAM;;AAGnD,eAAe,sBACb,KACA,QACA,SAMA,MACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,eACJ,qBAAqB,UACjB,YAAY,QAAQ,gBAAgB,QAAQ,KAAK,cAAc,GAC/D,KAAK;CACX,MAAM,YACJ,qBAAqB,UACjB,QAAQ,gBAAgB,MACtB,MAAM,GAAG,SAAS,OAAO;EACzB;EACA,UAAU,KAAK,SAAS;EACxB,mBAAmB,QAAQ;EAC3B,QAAQ,QAAQ;EAChB,QAAQ;EACT,CAAC;AAGR,KACE,qBAAqB,WACrB,QAAQ,gBAAgB,WAAW,OAEnC,OAAM,GAAG,SAAS,MAAM,WAAW,EAAE,QAAQ,CAAC;CAEhD,MAAM,mBAA4C,EAAE;AACpD,KAAI,aACF,kBAAiB,SAAS;AAE5B,KAAI,KAAK,QAAQ,cACf,kBAAiB,gBAAgB,KAAK,QAAQ;AAEhD,KAAI,KAAK,QAAQ,cACf,kBAAiB,gBAAgB,KAAK,QAAQ;AAEhD,KAAI,OAAO,KAAK,iBAAiB,CAAC,SAAS,EACzC,OAAM,GAAG,SAAS,MAAM,WAAW,iBAAiB;AAEtD,QAAO"}
package/dist/server/utils.d.ts CHANGED
@@ -1,27 +1 @@
1
- //#region src/server/utils.d.ts
2
- /**
3
- * Require an environment variable to be set, throwing at config time if missing.
4
- *
5
- * Uses `AuthError.toConvexError()` directly since this is a synchronous guard
6
- * called inline in many expressions — not suitable for Fx pipeline wrapping.
7
- */
8
- declare function requireEnv(name: string): string;
9
- declare function isLocalHost(host?: string): boolean;
10
- declare const TOKEN_SUB_CLAIM_DIVIDER = "|";
11
- declare const REFRESH_TOKEN_DIVIDER = "|";
12
- declare function sha256(input: string): Promise<string>;
13
- declare function generateRandomString(length: number, alphabet: string): string;
14
- declare function errorMessage(error: unknown): string;
15
- declare function logError(error: unknown): void;
16
- declare const LOG_LEVELS: {
17
- readonly ERROR: "ERROR";
18
- readonly WARN: "WARN";
19
- readonly INFO: "INFO";
20
- readonly DEBUG: "DEBUG";
21
- };
22
- type LogLevel = keyof typeof LOG_LEVELS;
23
- declare function logWithLevel(level: LogLevel, ...args: unknown[]): void;
24
- declare function maybeRedact(value: string): string;
25
- //#endregion
26
- export { LOG_LEVELS, REFRESH_TOKEN_DIVIDER, TOKEN_SUB_CLAIM_DIVIDER, errorMessage, generateRandomString, isLocalHost, logError, logWithLevel, maybeRedact, requireEnv, sha256 };
27
- //# sourceMappingURL=utils.d.ts.map
1
+ export { };
package/dist/server/utils.js CHANGED
@@ -1,7 +1,7 @@
1
1
  import { AuthError } from "./fx.js";
2
2
  import { generateRandomString as generateRandomString$1 } from "@oslojs/crypto/random";
3
3
  import { sha256 as sha256$1 } from "@oslojs/crypto/sha2";
4
- import { encodeHexLowerCase } from "@oslojs/encoding";
4
+ import { decodeBase64urlIgnorePadding, encodeBase64urlNoPadding, encodeHexLowerCase } from "@oslojs/encoding";
5
5
 
6
6
  //#region src/server/utils.ts
7
7
  /**
@@ -10,11 +10,13 @@ import { encodeHexLowerCase } from "@oslojs/encoding";
10
10
  * Uses `AuthError.toConvexError()` directly since this is a synchronous guard
11
11
  * called inline in many expressions — not suitable for Fx pipeline wrapping.
12
12
  */
13
+ /** @internal */
13
14
  function requireEnv(name) {
14
15
  const value = process.env[name];
15
16
  if (value === void 0) throw new AuthError("MISSING_ENV_VAR", `Missing environment variable \`${name}\``, { variable: name }).toConvexError();
16
17
  return value;
17
18
  }
19
+ /** @internal */
18
20
  function isLocalHost(host) {
19
21
  if (host === void 0) return false;
20
22
  const raw = host.includes("://") ? host : `http://${host}`;
@@ -26,28 +28,36 @@ function isLocalHost(host) {
26
28
  }
27
29
  return url.hostname === "localhost" || url.hostname === "127.0.0.1" || url.hostname === "::1";
28
30
  }
31
+ /** @internal */
29
32
  const TOKEN_SUB_CLAIM_DIVIDER = "|";
33
+ /** @internal */
30
34
  const REFRESH_TOKEN_DIVIDER = "|";
35
+ /** @internal */
31
36
  async function sha256(input) {
32
37
  return encodeHexLowerCase(sha256$1(new TextEncoder().encode(input)));
33
38
  }
39
+ /** @internal */
34
40
  function generateRandomString(length, alphabet) {
35
41
  return generateRandomString$1({ read(bytes) {
36
42
  crypto.getRandomValues(bytes);
37
43
  } }, alphabet, length);
38
44
  }
45
+ /** @internal */
39
46
  function errorMessage(error) {
40
47
  return error instanceof Error ? error.message : String(error);
41
48
  }
49
+ /** @internal */
42
50
  function logError(error) {
43
51
  logWithLevel(LOG_LEVELS.ERROR, error instanceof Error ? error.message + "\n" + error.stack?.replace("\\n", "\n") : error);
44
52
  }
53
+ /** @internal */
45
54
  const LOG_LEVELS = {
46
55
  ERROR: "ERROR",
47
56
  WARN: "WARN",
48
57
  INFO: "INFO",
49
58
  DEBUG: "DEBUG"
50
59
  };
60
+ /** @internal */
51
61
  function logWithLevel(level, ...args) {
52
62
  const configuredLogLevel = LOG_LEVELS[process.env.AUTH_LOG_LEVEL ?? "INFO"] ?? "INFO";
53
63
  switch (level) {
@@ -66,6 +76,7 @@ function logWithLevel(level, ...args) {
66
76
  }
67
77
  }
68
78
  const UNREDACTED_LENGTH = 5;
79
+ /** @internal */
69
80
  function maybeRedact(value) {
70
81
  if (value === "") return "";
71
82
  if (process.env.AUTH_LOG_SECRETS !== "true") {
@@ -73,7 +84,38 @@ function maybeRedact(value) {
73
84
  return value.substring(0, UNREDACTED_LENGTH) + "<redacted>" + value.substring(value.length - UNREDACTED_LENGTH);
74
85
  } else return value;
75
86
  }
87
+ const SECRET_KEY_ENV = "AUTH_SECRET_ENCRYPTION_KEY";
88
+ const SECRET_IV_LENGTH = 12;
89
+ function toArrayBuffer(bytes) {
90
+ return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
91
+ }
92
+ async function getSecretCryptoKey() {
93
+ const material = requireEnv(SECRET_KEY_ENV);
94
+ const rawKey = sha256$1(new TextEncoder().encode(material));
95
+ return await crypto.subtle.importKey("raw", toArrayBuffer(rawKey), { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
96
+ }
97
+ /** @internal */
98
+ async function encryptSecret(value) {
99
+ const key = await getSecretCryptoKey();
100
+ const iv = crypto.getRandomValues(new Uint8Array(SECRET_IV_LENGTH));
101
+ const encrypted = await crypto.subtle.encrypt({
102
+ name: "AES-GCM",
103
+ iv: toArrayBuffer(iv)
104
+ }, key, toArrayBuffer(new TextEncoder().encode(value)));
105
+ return `${encodeBase64urlNoPadding(iv)}.${encodeBase64urlNoPadding(new Uint8Array(encrypted))}`;
106
+ }
107
+ /** @internal */
108
+ async function decryptSecret(ciphertext) {
109
+ const [ivEncoded, payloadEncoded] = ciphertext.split(".");
110
+ if (!ivEncoded || !payloadEncoded) throw new AuthError("INVALID_PARAMETERS", "Stored enterprise secret is malformed.").toConvexError();
111
+ const key = await getSecretCryptoKey();
112
+ const decrypted = await crypto.subtle.decrypt({
113
+ name: "AES-GCM",
114
+ iv: toArrayBuffer(decodeBase64urlIgnorePadding(ivEncoded))
115
+ }, key, toArrayBuffer(decodeBase64urlIgnorePadding(payloadEncoded)));
116
+ return new TextDecoder().decode(decrypted);
117
+ }
76
118
 
77
119
  //#endregion
78
- export { LOG_LEVELS, REFRESH_TOKEN_DIVIDER, TOKEN_SUB_CLAIM_DIVIDER, errorMessage, generateRandomString, isLocalHost, logError, logWithLevel, maybeRedact, requireEnv, sha256 };
120
+ export { LOG_LEVELS, REFRESH_TOKEN_DIVIDER, TOKEN_SUB_CLAIM_DIVIDER, decryptSecret, encryptSecret, errorMessage, generateRandomString, isLocalHost, logError, logWithLevel, maybeRedact, requireEnv, sha256 };
79
121
  //# sourceMappingURL=utils.js.map
package/dist/server/utils.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"utils.js","names":["rawSha256","osloGenerateRandomString"],"sources":["../../src/server/utils.ts"],"sourcesContent":["import {\n RandomReader,\n generateRandomString as osloGenerateRandomString,\n} from \"@oslojs/crypto/random\";\nimport { sha256 as rawSha256 } from \"@oslojs/crypto/sha2\";\nimport { encodeHexLowerCase } from \"@oslojs/encoding\";\n\nimport { AuthError } from \"./fx\";\n\n/**\n * Require an environment variable to be set, throwing at config time if missing.\n *\n * Uses `AuthError.toConvexError()` directly since this is a synchronous guard\n * called inline in many expressions — not suitable for Fx pipeline wrapping.\n */\nexport function requireEnv(name: string) {\n const value = process.env[name];\n if (value === undefined) {\n throw new AuthError(\n \"MISSING_ENV_VAR\",\n `Missing environment variable \\`${name}\\``,\n { variable: name },\n ).toConvexError();\n }\n return value;\n}\n\nexport function isLocalHost(host?: string) {\n if (host === undefined) {\n return false;\n }\n const raw = host.includes(\"://\") ? host : `http://${host}`;\n let url: URL;\n try {\n url = new URL(raw);\n } catch {\n return false;\n }\n return (\n url.hostname === \"localhost\" ||\n url.hostname === \"127.0.0.1\" ||\n url.hostname === \"::1\"\n );\n}\n\n// Internal server utilities (merged from former internalUtils.ts)\n\nexport const TOKEN_SUB_CLAIM_DIVIDER = \"|\";\nexport const REFRESH_TOKEN_DIVIDER = \"|\";\n\nexport async function sha256(input: string) {\n return encodeHexLowerCase(rawSha256(new TextEncoder().encode(input)));\n}\n\nexport function generateRandomString(length: number, alphabet: string) {\n const random: RandomReader = {\n read(bytes) {\n crypto.getRandomValues(bytes as Uint8Array<ArrayBuffer>);\n },\n };\n\n return osloGenerateRandomString(random, alphabet, length);\n}\n\nexport function errorMessage(error: unknown) {\n return error instanceof Error ? error.message : String(error);\n}\n\nexport function logError(error: unknown) {\n logWithLevel(\n LOG_LEVELS.ERROR,\n error instanceof Error\n ? error.message + \"\\n\" + error.stack?.replace(\"\\\\n\", \"\\n\")\n : error,\n );\n}\n\nexport const LOG_LEVELS = {\n ERROR: \"ERROR\",\n WARN: \"WARN\",\n INFO: \"INFO\",\n DEBUG: \"DEBUG\",\n} as const;\ntype LogLevel = keyof typeof LOG_LEVELS;\n\nexport function logWithLevel(level: LogLevel, ...args: unknown[]) {\n const configuredLogLevel =\n LOG_LEVELS[\n (process.env.AUTH_LOG_LEVEL as LogLevel | undefined) ?? \"INFO\"\n ] ?? \"INFO\";\n switch (level) {\n case \"ERROR\":\n console.error(...args);\n break;\n case \"WARN\":\n if (configuredLogLevel !== \"ERROR\") {\n console.warn(...args);\n }\n break;\n case \"INFO\":\n if (configuredLogLevel === \"INFO\" || configuredLogLevel === \"DEBUG\") {\n console.info(...args);\n }\n break;\n case \"DEBUG\":\n if (configuredLogLevel === \"DEBUG\") {\n console.debug(...args);\n }\n break;\n }\n}\n\nconst UNREDACTED_LENGTH = 5;\nexport function maybeRedact(value: string) {\n if (value === \"\") {\n return \"\";\n }\n const shouldRedact = process.env.AUTH_LOG_SECRETS !== \"true\";\n if (shouldRedact) {\n if (value.length < UNREDACTED_LENGTH * 2) {\n return \"<redacted>\";\n }\n return (\n value.substring(0, UNREDACTED_LENGTH) +\n \"<redacted>\" +\n value.substring(value.length - UNREDACTED_LENGTH)\n );\n } else {\n return value;\n }\n}\n"],"mappings":";;;;;;;;;;;;AAeA,SAAgB,WAAW,MAAc;CACvC,MAAM,QAAQ,QAAQ,IAAI;AAC1B,KAAI,UAAU,OACZ,OAAM,IAAI,UACR,mBACA,kCAAkC,KAAK,KACvC,EAAE,UAAU,MAAM,CACnB,CAAC,eAAe;AAEnB,QAAO;;AAGT,SAAgB,YAAY,MAAe;AACzC,KAAI,SAAS,OACX,QAAO;CAET,MAAM,MAAM,KAAK,SAAS,MAAM,GAAG,OAAO,UAAU;CACpD,IAAI;AACJ,KAAI;AACF,QAAM,IAAI,IAAI,IAAI;SACZ;AACN,SAAO;;AAET,QACE,IAAI,aAAa,eACjB,IAAI,aAAa,eACjB,IAAI,aAAa;;AAMrB,MAAa,0BAA0B;AACvC,MAAa,wBAAwB;AAErC,eAAsB,OAAO,OAAe;AAC1C,QAAO,mBAAmBA,SAAU,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,CAAC;;AAGvE,SAAgB,qBAAqB,QAAgB,UAAkB;AAOrE,QAAOC,uBANsB,EAC3B,KAAK,OAAO;AACV,SAAO,gBAAgB,MAAiC;IAE3D,EAEuC,UAAU,OAAO;;AAG3D,SAAgB,aAAa,OAAgB;AAC3C,QAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;;AAG/D,SAAgB,SAAS,OAAgB;AACvC,cACE,WAAW,OACX,iBAAiB,QACb,MAAM,UAAU,OAAO,MAAM,OAAO,QAAQ,OAAO,KAAK,GACxD,MACL;;AAGH,MAAa,aAAa;CACxB,OAAO;CACP,MAAM;CACN,MAAM;CACN,OAAO;CACR;AAGD,SAAgB,aAAa,OAAiB,GAAG,MAAiB;CAChE,MAAM,qBACJ,WACG,QAAQ,IAAI,kBAA2C,WACrD;AACP,SAAQ,OAAR;EACE,KAAK;AACH,WAAQ,MAAM,GAAG,KAAK;AACtB;EACF,KAAK;AACH,OAAI,uBAAuB,QACzB,SAAQ,KAAK,GAAG,KAAK;AAEvB;EACF,KAAK;AACH,OAAI,uBAAuB,UAAU,uBAAuB,QAC1D,SAAQ,KAAK,GAAG,KAAK;AAEvB;EACF,KAAK;AACH,OAAI,uBAAuB,QACzB,SAAQ,MAAM,GAAG,KAAK;AAExB;;;AAIN,MAAM,oBAAoB;AAC1B,SAAgB,YAAY,OAAe;AACzC,KAAI,UAAU,GACZ,QAAO;AAGT,KADqB,QAAQ,IAAI,qBAAqB,QACpC;AAChB,MAAI,MAAM,SAAS,oBAAoB,EACrC,QAAO;AAET,SACE,MAAM,UAAU,GAAG,kBAAkB,GACrC,eACA,MAAM,UAAU,MAAM,SAAS,kBAAkB;OAGnD,QAAO"}
1
+ {"version":3,"file":"utils.js","names":["rawSha256","osloGenerateRandomString"],"sources":["../../src/server/utils.ts"],"sourcesContent":["import {\n RandomReader,\n generateRandomString as osloGenerateRandomString,\n} from \"@oslojs/crypto/random\";\nimport { sha256 as rawSha256 } from \"@oslojs/crypto/sha2\";\nimport {\n decodeBase64urlIgnorePadding,\n encodeBase64urlNoPadding,\n encodeHexLowerCase,\n} from \"@oslojs/encoding\";\n\nimport { AuthError } from \"./fx\";\n\n/**\n * Require an environment variable to be set, throwing at config time if missing.\n *\n * Uses `AuthError.toConvexError()` directly since this is a synchronous guard\n * called inline in many expressions — not suitable for Fx pipeline wrapping.\n */\n/** @internal */\nexport function requireEnv(name: string) {\n const value = process.env[name];\n if (value === undefined) {\n throw new AuthError(\n \"MISSING_ENV_VAR\",\n `Missing environment variable \\`${name}\\``,\n { variable: name },\n ).toConvexError();\n }\n return value;\n}\n\n/** @internal */\nexport function isLocalHost(host?: string) {\n if (host === undefined) {\n return false;\n }\n const raw = host.includes(\"://\") ? host : `http://${host}`;\n let url: URL;\n try {\n url = new URL(raw);\n } catch {\n return false;\n }\n return (\n url.hostname === \"localhost\" ||\n url.hostname === \"127.0.0.1\" ||\n url.hostname === \"::1\"\n );\n}\n\n// Internal server utilities (merged from former internalUtils.ts)\n\n/** @internal */\nexport const TOKEN_SUB_CLAIM_DIVIDER = \"|\";\n/** @internal */\nexport const REFRESH_TOKEN_DIVIDER = \"|\";\n\n/** @internal */\nexport async function sha256(input: string) {\n return encodeHexLowerCase(rawSha256(new TextEncoder().encode(input)));\n}\n\n/** @internal */\nexport function generateRandomString(length: number, alphabet: string) {\n const random: RandomReader = {\n read(bytes) {\n crypto.getRandomValues(bytes as Uint8Array<ArrayBuffer>);\n },\n };\n\n return osloGenerateRandomString(random, alphabet, length);\n}\n\n/** @internal */\nexport function errorMessage(error: unknown) {\n return error instanceof Error ? error.message : String(error);\n}\n\n/** @internal */\nexport function logError(error: unknown) {\n logWithLevel(\n LOG_LEVELS.ERROR,\n error instanceof Error\n ? error.message + \"\\n\" + error.stack?.replace(\"\\\\n\", \"\\n\")\n : error,\n );\n}\n\n/** @internal */\nexport const LOG_LEVELS = {\n ERROR: \"ERROR\",\n WARN: \"WARN\",\n INFO: \"INFO\",\n DEBUG: \"DEBUG\",\n} as const;\ntype LogLevel = keyof typeof LOG_LEVELS;\n\n/** @internal */\nexport function logWithLevel(level: LogLevel, ...args: unknown[]) {\n const configuredLogLevel =\n LOG_LEVELS[\n (process.env.AUTH_LOG_LEVEL as LogLevel | undefined) ?? \"INFO\"\n ] ?? \"INFO\";\n switch (level) {\n case \"ERROR\":\n console.error(...args);\n break;\n case \"WARN\":\n if (configuredLogLevel !== \"ERROR\") {\n console.warn(...args);\n }\n break;\n case \"INFO\":\n if (configuredLogLevel === \"INFO\" || configuredLogLevel === \"DEBUG\") {\n console.info(...args);\n }\n break;\n case \"DEBUG\":\n if (configuredLogLevel === \"DEBUG\") {\n console.debug(...args);\n }\n break;\n }\n}\n\nconst UNREDACTED_LENGTH = 5;\n/** @internal */\nexport function maybeRedact(value: string) {\n if (value === \"\") {\n return \"\";\n }\n const shouldRedact = process.env.AUTH_LOG_SECRETS !== \"true\";\n if (shouldRedact) {\n if (value.length < UNREDACTED_LENGTH * 2) {\n return \"<redacted>\";\n }\n return (\n value.substring(0, UNREDACTED_LENGTH) +\n \"<redacted>\" +\n value.substring(value.length - UNREDACTED_LENGTH)\n );\n } else {\n return value;\n }\n}\n\nconst SECRET_KEY_ENV = \"AUTH_SECRET_ENCRYPTION_KEY\";\nconst SECRET_IV_LENGTH = 12;\n\nfunction toArrayBuffer(bytes: Uint8Array) {\n return bytes.buffer.slice(\n bytes.byteOffset,\n bytes.byteOffset + bytes.byteLength,\n ) as ArrayBuffer;\n}\n\nasync function getSecretCryptoKey() {\n const material = requireEnv(SECRET_KEY_ENV);\n const rawKey = rawSha256(new TextEncoder().encode(material));\n return await crypto.subtle.importKey(\n \"raw\",\n toArrayBuffer(rawKey),\n { name: \"AES-GCM\" },\n false,\n [\"encrypt\", \"decrypt\"],\n );\n}\n\n/** @internal */\nexport async function encryptSecret(value: string) {\n const key = await getSecretCryptoKey();\n const iv = crypto.getRandomValues(new Uint8Array(SECRET_IV_LENGTH));\n const encrypted = await crypto.subtle.encrypt(\n { name: \"AES-GCM\", iv: toArrayBuffer(iv) },\n key,\n toArrayBuffer(new TextEncoder().encode(value)),\n );\n return `${encodeBase64urlNoPadding(iv)}.${encodeBase64urlNoPadding(new Uint8Array(encrypted))}`;\n}\n\n/** @internal */\nexport async function decryptSecret(ciphertext: string) {\n const [ivEncoded, payloadEncoded] = ciphertext.split(\".\");\n if (!ivEncoded || !payloadEncoded) {\n throw new AuthError(\n \"INVALID_PARAMETERS\",\n \"Stored enterprise secret is malformed.\",\n ).toConvexError();\n }\n const key = await getSecretCryptoKey();\n const decrypted = await crypto.subtle.decrypt(\n {\n name: \"AES-GCM\",\n iv: toArrayBuffer(decodeBase64urlIgnorePadding(ivEncoded)),\n },\n key,\n toArrayBuffer(decodeBase64urlIgnorePadding(payloadEncoded)),\n );\n return new TextDecoder().decode(decrypted);\n}\n"],"mappings":";;;;;;;;;;;;;AAoBA,SAAgB,WAAW,MAAc;CACvC,MAAM,QAAQ,QAAQ,IAAI;AAC1B,KAAI,UAAU,OACZ,OAAM,IAAI,UACR,mBACA,kCAAkC,KAAK,KACvC,EAAE,UAAU,MAAM,CACnB,CAAC,eAAe;AAEnB,QAAO;;;AAIT,SAAgB,YAAY,MAAe;AACzC,KAAI,SAAS,OACX,QAAO;CAET,MAAM,MAAM,KAAK,SAAS,MAAM,GAAG,OAAO,UAAU;CACpD,IAAI;AACJ,KAAI;AACF,QAAM,IAAI,IAAI,IAAI;SACZ;AACN,SAAO;;AAET,QACE,IAAI,aAAa,eACjB,IAAI,aAAa,eACjB,IAAI,aAAa;;;AAOrB,MAAa,0BAA0B;;AAEvC,MAAa,wBAAwB;;AAGrC,eAAsB,OAAO,OAAe;AAC1C,QAAO,mBAAmBA,SAAU,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,CAAC;;;AAIvE,SAAgB,qBAAqB,QAAgB,UAAkB;AAOrE,QAAOC,uBANsB,EAC3B,KAAK,OAAO;AACV,SAAO,gBAAgB,MAAiC;IAE3D,EAEuC,UAAU,OAAO;;;AAI3D,SAAgB,aAAa,OAAgB;AAC3C,QAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;;;AAI/D,SAAgB,SAAS,OAAgB;AACvC,cACE,WAAW,OACX,iBAAiB,QACb,MAAM,UAAU,OAAO,MAAM,OAAO,QAAQ,OAAO,KAAK,GACxD,MACL;;;AAIH,MAAa,aAAa;CACxB,OAAO;CACP,MAAM;CACN,MAAM;CACN,OAAO;CACR;;AAID,SAAgB,aAAa,OAAiB,GAAG,MAAiB;CAChE,MAAM,qBACJ,WACG,QAAQ,IAAI,kBAA2C,WACrD;AACP,SAAQ,OAAR;EACE,KAAK;AACH,WAAQ,MAAM,GAAG,KAAK;AACtB;EACF,KAAK;AACH,OAAI,uBAAuB,QACzB,SAAQ,KAAK,GAAG,KAAK;AAEvB;EACF,KAAK;AACH,OAAI,uBAAuB,UAAU,uBAAuB,QAC1D,SAAQ,KAAK,GAAG,KAAK;AAEvB;EACF,KAAK;AACH,OAAI,uBAAuB,QACzB,SAAQ,MAAM,GAAG,KAAK;AAExB;;;AAIN,MAAM,oBAAoB;;AAE1B,SAAgB,YAAY,OAAe;AACzC,KAAI,UAAU,GACZ,QAAO;AAGT,KADqB,QAAQ,IAAI,qBAAqB,QACpC;AAChB,MAAI,MAAM,SAAS,oBAAoB,EACrC,QAAO;AAET,SACE,MAAM,UAAU,GAAG,kBAAkB,GACrC,eACA,MAAM,UAAU,MAAM,SAAS,kBAAkB;OAGnD,QAAO;;AAIX,MAAM,iBAAiB;AACvB,MAAM,mBAAmB;AAEzB,SAAS,cAAc,OAAmB;AACxC,QAAO,MAAM,OAAO,MAClB,MAAM,YACN,MAAM,aAAa,MAAM,WAC1B;;AAGH,eAAe,qBAAqB;CAClC,MAAM,WAAW,WAAW,eAAe;CAC3C,MAAM,SAASD,SAAU,IAAI,aAAa,CAAC,OAAO,SAAS,CAAC;AAC5D,QAAO,MAAM,OAAO,OAAO,UACzB,OACA,cAAc,OAAO,EACrB,EAAE,MAAM,WAAW,EACnB,OACA,CAAC,WAAW,UAAU,CACvB;;;AAIH,eAAsB,cAAc,OAAe;CACjD,MAAM,MAAM,MAAM,oBAAoB;CACtC,MAAM,KAAK,OAAO,gBAAgB,IAAI,WAAW,iBAAiB,CAAC;CACnE,MAAM,YAAY,MAAM,OAAO,OAAO,QACpC;EAAE,MAAM;EAAW,IAAI,cAAc,GAAG;EAAE,EAC1C,KACA,cAAc,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,CAC/C;AACD,QAAO,GAAG,yBAAyB,GAAG,CAAC,GAAG,yBAAyB,IAAI,WAAW,UAAU,CAAC;;;AAI/F,eAAsB,cAAc,YAAoB;CACtD,MAAM,CAAC,WAAW,kBAAkB,WAAW,MAAM,IAAI;AACzD,KAAI,CAAC,aAAa,CAAC,eACjB,OAAM,IAAI,UACR,sBACA,yCACD,CAAC,eAAe;CAEnB,MAAM,MAAM,MAAM,oBAAoB;CACtC,MAAM,YAAY,MAAM,OAAO,OAAO,QACpC;EACE,MAAM;EACN,IAAI,cAAc,6BAA6B,UAAU,CAAC;EAC3D,EACD,KACA,cAAc,6BAA6B,eAAe,CAAC,CAC5D;AACD,QAAO,IAAI,aAAa,CAAC,OAAO,UAAU"}
package/dist/server/version.d.ts CHANGED
@@ -1,5 +1,5 @@
1
1
  //#region src/server/version.d.ts
2
- declare const AUTH_VERSION = "0.0.4-preview.13";
2
+ declare const AUTH_VERSION = "0.0.4-preview.16";
3
3
  //#endregion
4
4
  export { AUTH_VERSION };
5
5
  //# sourceMappingURL=version.d.ts.map
package/dist/server/version.js CHANGED
@@ -1,5 +1,5 @@
1
1
  //#region src/server/version.ts
2
- const AUTH_VERSION = "0.0.4-preview.13";
2
+ const AUTH_VERSION = "0.0.4-preview.16";
3
3
 
4
4
  //#endregion
5
5
  export { AUTH_VERSION };
package/dist/server/version.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"version.js","names":[],"sources":["../../src/server/version.ts"],"sourcesContent":["// Auto-generated by scripts/generate-version.js — do not edit.\nexport const AUTH_VERSION = \"0.0.4-preview.13\";\n"],"mappings":";AACA,MAAa,eAAe"}
1
+ {"version":3,"file":"version.js","names":[],"sources":["../../src/server/version.ts"],"sourcesContent":["// Auto-generated by scripts/generate-version.js — do not edit.\nexport const AUTH_VERSION = \"0.0.4-preview.16\";\n"],"mappings":";AACA,MAAa,eAAe"}