npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.16 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1672 -24
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/index.d.ts +1 -1
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +343 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +54 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +515 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +116 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +596 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +406 -260
package/dist/component/schema.js +37 -32
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +161 -15
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -7
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +629 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +884 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1134 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +10 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +106 -38
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +163 -17
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -7
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +434 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +629 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +409 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +884 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +60 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1134 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +468 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +530 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +7 -7
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signin.d.ts +6 -6
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +11 -11
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +10 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +114 -77
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +2106 -9
package/src/component/index.ts +3 -1
package/src/component/model.ts +441 -0
package/src/component/public/enterprise.ts +753 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +932 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +119 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +68 -63
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +413 -18
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +1071 -0
package/src/server/domains/sso.ts +1749 -0
package/src/server/enterpriseValidators.ts +93 -0
package/src/server/factory.ts +2181 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +806 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +20 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +259 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +178 -83
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/src/component/public/factors.ts ADDED Viewed

@@ -0,0 +1,332 @@
+import {
+  mutation,
+  query,
+  v,
+  vDeviceCodeDoc,
+  vDeviceStatus,
+  vPasskeyDoc,
+  vRateLimitResult,
+  vTotpFactorDoc,
+} from "./shared";
+// ============================================================================
+// Passkeys
+// ============================================================================
+/** Store a new passkey credential for a user. */
+export const passkeyInsert = mutation({
+  args: {
+    userId: v.id("User"),
+    credentialId: v.string(),
+    publicKey: v.bytes(),
+    algorithm: v.number(),
+    counter: v.number(),
+    transports: v.optional(v.array(v.string())),
+    deviceType: v.string(),
+    backedUp: v.boolean(),
+    name: v.optional(v.string()),
+    createdAt: v.number(),
+  },
+  returns: v.id("Passkey"),
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("Passkey", args);
+  },
+});
+/** Look up a passkey by its credential ID. */
+export const passkeyGetByCredentialId = query({
+  args: { credentialId: v.string() },
+  returns: v.union(vPasskeyDoc, v.null()),
+  handler: async (ctx, { credentialId }) => {
+    return await ctx.db
+      .query("Passkey")
+      .withIndex("credential_id", (q) => q.eq("credentialId", credentialId))
+      .unique();
+  },
+});
+/** List all passkeys for a user. */
+export const passkeyListByUserId = query({
+  args: { userId: v.id("User") },
+  returns: v.array(vPasskeyDoc),
+  handler: async (ctx, { userId }) => {
+    return await ctx.db
+      .query("Passkey")
+      .withIndex("user_id", (q) => q.eq("userId", userId))
+      .collect();
+  },
+});
+/** Update a passkey's counter and last used timestamp after authentication. */
+export const passkeyUpdateCounter = mutation({
+  args: {
+    passkeyId: v.id("Passkey"),
+    counter: v.number(),
+    lastUsedAt: v.number(),
+  },
+  returns: v.null(),
+  handler: async (ctx, { passkeyId, counter, lastUsedAt }) => {
+    await ctx.db.patch("Passkey", passkeyId, { counter, lastUsedAt });
+    return null;
+  },
+});
+/** Update a passkey's metadata (name). */
+export const passkeyUpdateMeta = mutation({
+  args: { passkeyId: v.id("Passkey"), data: v.any() },
+  returns: v.null(),
+  handler: async (ctx, { passkeyId, data }) => {
+    await ctx.db.patch("Passkey", passkeyId, data);
+    return null;
+  },
+});
+/** Delete a passkey credential. */
+export const passkeyDelete = mutation({
+  args: { passkeyId: v.id("Passkey") },
+  returns: v.null(),
+  handler: async (ctx, { passkeyId }) => {
+    await ctx.db.delete("Passkey", passkeyId);
+    return null;
+  },
+});
+// ============================================================================
+// TOTP Two-Factor Authentication
+// ============================================================================
+/** Store a new TOTP enrollment for a user. */
+export const totpInsert = mutation({
+  args: {
+    userId: v.id("User"),
+    secret: v.bytes(),
+    digits: v.number(),
+    period: v.number(),
+    verified: v.boolean(),
+    name: v.optional(v.string()),
+    createdAt: v.number(),
+  },
+  returns: v.id("TotpFactor"),
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("TotpFactor", args);
+  },
+});
+/** Get a verified TOTP enrollment for a user (returns first match). */
+export const totpGetVerifiedByUserId = query({
+  args: { userId: v.id("User") },
+  returns: v.union(vTotpFactorDoc, v.null()),
+  handler: async (ctx, { userId }) => {
+    return await ctx.db
+      .query("TotpFactor")
+      .withIndex("user_id", (q) => q.eq("userId", userId))
+      .filter((q) => q.eq(q.field("verified"), true))
+      .first();
+  },
+});
+/** List all TOTP enrollments for a user. */
+export const totpListByUserId = query({
+  args: { userId: v.id("User") },
+  returns: v.array(vTotpFactorDoc),
+  handler: async (ctx, { userId }) => {
+    return await ctx.db
+      .query("TotpFactor")
+      .withIndex("user_id", (q) => q.eq("userId", userId))
+      .collect();
+  },
+});
+/** Get a TOTP enrollment by its ID. */
+export const totpGetById = query({
+  args: { totpId: v.id("TotpFactor") },
+  returns: v.union(vTotpFactorDoc, v.null()),
+  handler: async (ctx, { totpId }) => {
+    return await ctx.db.get("TotpFactor", totpId);
+  },
+});
+/** Mark a TOTP enrollment as verified (setup complete). */
+export const totpMarkVerified = mutation({
+  args: { totpId: v.id("TotpFactor"), lastUsedAt: v.number() },
+  returns: v.null(),
+  handler: async (ctx, { totpId, lastUsedAt }) => {
+    await ctx.db.patch("TotpFactor", totpId, { verified: true, lastUsedAt });
+    return null;
+  },
+});
+/** Update a TOTP enrollment's last used timestamp. */
+export const totpUpdateLastUsed = mutation({
+  args: { totpId: v.id("TotpFactor"), lastUsedAt: v.number() },
+  returns: v.null(),
+  handler: async (ctx, { totpId, lastUsedAt }) => {
+    await ctx.db.patch("TotpFactor", totpId, { lastUsedAt });
+    return null;
+  },
+});
+/** Delete a TOTP enrollment. */
+export const totpDelete = mutation({
+  args: { totpId: v.id("TotpFactor") },
+  returns: v.null(),
+  handler: async (ctx, { totpId }) => {
+    await ctx.db.delete("TotpFactor", totpId);
+    return null;
+  },
+});
+// ============================================================================
+// Rate Limits
+// ============================================================================
+/** Look up a rate limit entry by its identifier. */
+export const rateLimitGet = query({
+  args: { identifier: v.string() },
+  returns: v.union(vRateLimitResult, v.null()),
+  handler: async (ctx, { identifier }) => {
+    const row = await ctx.db
+      .query("RateLimit")
+      .withIndex("by_identifier", (q) => q.eq("identifier", identifier))
+      .unique();
+    if (row === null) {
+      return null;
+    }
+    return {
+      ...row,
+      attemptsLeft: row.attempts_left,
+      lastAttemptTime: row.last_attempt_time,
+    };
+  },
+});
+/** Create a new rate limit entry. */
+export const rateLimitCreate = mutation({
+  args: {
+    identifier: v.string(),
+    attemptsLeft: v.number(),
+    lastAttemptTime: v.number(),
+  },
+  returns: v.id("RateLimit"),
+  handler: async (ctx, { identifier, attemptsLeft, lastAttemptTime }) => {
+    return await ctx.db.insert("RateLimit", {
+      identifier,
+      attempts_left: attemptsLeft,
+      last_attempt_time: lastAttemptTime,
+    });
+  },
+});
+/** Patch a rate limit entry with partial data. */
+export const rateLimitPatch = mutation({
+  args: { rateLimitId: v.id("RateLimit"), data: v.any() },
+  returns: v.null(),
+  handler: async (ctx, { rateLimitId, data }) => {
+    const nextData: Record<string, unknown> = { ...data };
+    if (nextData.attemptsLeft !== undefined) {
+      nextData.attempts_left = nextData.attemptsLeft;
+      delete nextData.attemptsLeft;
+    }
+    if (nextData.lastAttemptTime !== undefined) {
+      nextData.last_attempt_time = nextData.lastAttemptTime;
+      delete nextData.lastAttemptTime;
+    }
+    await ctx.db.patch("RateLimit", rateLimitId, nextData);
+    return null;
+  },
+});
+/** Delete a rate limit entry. */
+export const rateLimitDelete = mutation({
+  args: { rateLimitId: v.id("RateLimit") },
+  returns: v.null(),
+  handler: async (ctx, { rateLimitId }) => {
+    await ctx.db.delete("RateLimit", rateLimitId);
+    return null;
+  },
+});
+// ============================================================================
+// Device Authorization (RFC 8628)
+// ============================================================================
+/** Insert a new device authorization record. */
+export const deviceInsert = mutation({
+  args: {
+    deviceCodeHash: v.string(),
+    userCode: v.string(),
+    expiresAt: v.number(),
+    interval: v.number(),
+    status: vDeviceStatus,
+  },
+  returns: v.id("DeviceCode"),
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("DeviceCode", args);
+  },
+});
+/** Look up a device authorization by its hashed device code. */
+export const deviceGetByCodeHash = query({
+  args: { deviceCodeHash: v.string() },
+  returns: v.union(vDeviceCodeDoc, v.null()),
+  handler: async (ctx, { deviceCodeHash }) => {
+    return await ctx.db
+      .query("DeviceCode")
+      .withIndex("device_code_hash", (q) =>
+        q.eq("deviceCodeHash", deviceCodeHash),
+      )
+      .first();
+  },
+});
+/** Look up a pending device authorization by its user code. */
+export const deviceGetByUserCode = query({
+  args: { userCode: v.string() },
+  returns: v.union(vDeviceCodeDoc, v.null()),
+  handler: async (ctx, { userCode }) => {
+    return await ctx.db
+      .query("DeviceCode")
+      .withIndex("user_code_status", (q) =>
+        q.eq("userCode", userCode).eq("status", "pending"),
+      )
+      .first();
+  },
+});
+/** Authorize a device code — link it to a user and session. */
+export const deviceAuthorize = mutation({
+  args: {
+    deviceId: v.id("DeviceCode"),
+    userId: v.id("User"),
+    sessionId: v.id("Session"),
+  },
+  returns: v.null(),
+  handler: async (ctx, { deviceId, userId, sessionId }) => {
+    await ctx.db.patch("DeviceCode", deviceId, {
+      status: "authorized",
+      userId,
+      sessionId,
+    });
+    return null;
+  },
+});
+/** Update the last-polled timestamp on a device authorization record. */
+export const deviceUpdateLastPolled = mutation({
+  args: { deviceId: v.id("DeviceCode"), lastPolledAt: v.number() },
+  returns: v.null(),
+  handler: async (ctx, { deviceId, lastPolledAt }) => {
+    await ctx.db.patch("DeviceCode", deviceId, { lastPolledAt });
+    return null;
+  },
+});
+/** Delete a device authorization record (cleanup after use or expiry). */
+export const deviceDelete = mutation({
+  args: { deviceId: v.id("DeviceCode") },
+  returns: v.null(),
+  handler: async (ctx, { deviceId }) => {
+    await ctx.db.delete("DeviceCode", deviceId);
+    return null;
+  },
+});