npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.16 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1672 -24
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/index.d.ts +1 -1
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +343 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +54 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +515 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +116 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +596 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +406 -260
package/dist/component/schema.js +37 -32
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +161 -15
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -7
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +629 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +884 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1134 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +10 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +106 -38
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +163 -17
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -7
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +434 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +629 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +409 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +884 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +60 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1134 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +468 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +530 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +7 -7
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signin.d.ts +6 -6
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +11 -11
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +10 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +114 -77
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +2106 -9
package/src/component/index.ts +3 -1
package/src/component/model.ts +441 -0
package/src/component/public/enterprise.ts +753 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +932 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +119 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +68 -63
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +413 -18
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +1071 -0
package/src/server/domains/sso.ts +1749 -0
package/src/server/enterpriseValidators.ts +93 -0
package/src/server/factory.ts +2181 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +806 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +20 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +259 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +178 -83
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/src/component/public/identity.ts ADDED Viewed

@@ -0,0 +1,566 @@
+import {
+  mutation,
+  query,
+  v,
+  vAccountDoc,
+  vAuthVerifierDoc,
+  vPaginated,
+  vRefreshTokenDoc,
+  vSessionDoc,
+  vUserDoc,
+  vVerificationCodeDoc,
+} from "./shared";
+// ============================================================================
+// Users
+// ============================================================================
+/**
+ * List users with optional filtering, sorting, and pagination.
+ *
+ * Returns `{ items, nextCursor }` — pass `nextCursor` back as `cursor`
+ * for the next page, or `null` when exhausted.
+ */
+export const userList = query({
+  args: {
+    where: v.optional(
+      v.object({
+        email: v.optional(v.string()),
+        phone: v.optional(v.string()),
+        isAnonymous: v.optional(v.boolean()),
+        name: v.optional(v.string()),
+      }),
+    ),
+    limit: v.optional(v.number()),
+    cursor: v.optional(v.union(v.string(), v.null())),
+    orderBy: v.optional(
+      v.union(
+        v.literal("_creationTime"),
+        v.literal("name"),
+        v.literal("email"),
+        v.literal("phone"),
+      ),
+    ),
+    order: v.optional(v.union(v.literal("asc"), v.literal("desc"))),
+  },
+  returns: vPaginated(vUserDoc),
+  handler: async (ctx, args) => {
+    const where = args.where ?? {};
+    const limit = Math.min(Math.max(args.limit ?? 50, 1), 100);
+    const order = args.order ?? "desc";
+    // Pick index based on where fields
+    let q;
+    if (where.email !== undefined) {
+      q = ctx.db
+        .query("User")
+        .withIndex("email", (idx) => idx.eq("email", where.email!));
+    } else if (where.phone !== undefined) {
+      q = ctx.db
+        .query("User")
+        .withIndex("phone", (idx) => idx.eq("phone", where.phone!));
+    } else {
+      q = ctx.db.query("User");
+    }
+    // Apply remaining filters
+    if (where.isAnonymous !== undefined) {
+      q = q.filter((f) => f.eq(f.field("isAnonymous"), where.isAnonymous!));
+    }
+    if (where.name !== undefined) {
+      q = q.filter((f) => f.eq(f.field("name"), where.name!));
+    }
+    // email/phone filters when not used as index
+    if (where.email !== undefined && where.phone !== undefined) {
+      q = q.filter((f) => f.eq(f.field("phone"), where.phone!));
+    }
+    q = q.order(order);
+    // Cursor-based pagination: skip past the cursor ID
+    const all = await q.collect();
+    let startIdx = 0;
+    if (args.cursor) {
+      const cursorIdx = all.findIndex((doc) => doc._id === args.cursor);
+      if (cursorIdx !== -1) {
+        startIdx = cursorIdx + 1;
+      }
+    }
+    const page = all.slice(startIdx, startIdx + limit + 1);
+    const hasMore = page.length > limit;
+    const items = hasMore ? page.slice(0, limit) : page;
+    const nextCursor = hasMore ? items[items.length - 1]._id : null;
+    return { items, nextCursor };
+  },
+});
+/** Retrieve a user by their document ID. */
+export const userGetById = query({
+  args: { userId: v.id("User") },
+  returns: v.union(vUserDoc, v.null()),
+  handler: async (ctx, { userId }) => {
+    return await ctx.db.get("User", userId);
+  },
+});
+/**
+ * Find a user by their verified email address. Returns `null` if no user
+ * has this email verified, or if multiple users share the same verified email
+ * (ambiguous — should not happen in normal operation).
+ */
+export const userFindByVerifiedEmail = query({
+  args: { email: v.string() },
+  returns: v.union(vUserDoc, v.null()),
+  handler: async (ctx, { email }) => {
+    const users = await ctx.db
+      .query("User")
+      .withIndex("email", (q) => q.eq("email", email))
+      .filter((q) => q.neq(q.field("emailVerificationTime"), undefined))
+      .take(2);
+    return users.length === 1 ? users[0] : null;
+  },
+});
+/**
+ * Find a user by their verified phone number. Returns `null` if no user
+ * has this phone verified, or if multiple users share the same verified phone
+ * (ambiguous — should not happen in normal operation).
+ */
+export const userFindByVerifiedPhone = query({
+  args: { phone: v.string() },
+  returns: v.union(vUserDoc, v.null()),
+  handler: async (ctx, { phone }) => {
+    const users = await ctx.db
+      .query("User")
+      .withIndex("phone", (q) => q.eq("phone", phone))
+      .filter((q) => q.neq(q.field("phoneVerificationTime"), undefined))
+      .take(2);
+    return users.length === 1 ? users[0] : null;
+  },
+});
+/** Insert a new user document. */
+export const userInsert = mutation({
+  args: { data: v.any() },
+  returns: v.id("User"),
+  handler: async (ctx, { data }) => {
+    return await ctx.db.insert("User", data);
+  },
+});
+/** Insert a new user or update an existing one. */
+export const userUpsert = mutation({
+  args: { userId: v.optional(v.id("User")), data: v.any() },
+  returns: v.id("User"),
+  handler: async (ctx, { userId, data }) => {
+    if (userId !== undefined) {
+      await ctx.db.patch("User", userId, data);
+      return userId;
+    }
+    return await ctx.db.insert("User", data);
+  },
+});
+/** Patch an existing user document with partial data. */
+export const userPatch = mutation({
+  args: { userId: v.id("User"), data: v.any() },
+  returns: v.null(),
+  handler: async (ctx, { userId, data }) => {
+    await ctx.db.patch("User", userId, data);
+    return null;
+  },
+});
+/** Delete a user document by ID. No-op if the user does not exist. */
+export const userDelete = mutation({
+  args: { userId: v.id("User") },
+  returns: v.null(),
+  handler: async (ctx, { userId }) => {
+    if ((await ctx.db.get("User", userId)) !== null) {
+      await ctx.db.delete("User", userId);
+    }
+    return null;
+  },
+});
+// ============================================================================
+// Accounts
+// ============================================================================
+/** List all accounts for a user. */
+export const accountListByUser = query({
+  args: { userId: v.id("User") },
+  returns: v.array(vAccountDoc),
+  handler: async (ctx, { userId }) => {
+    return await ctx.db
+      .query("Account")
+      .withIndex("user_id_provider", (q) => q.eq("userId", userId as any))
+      .collect();
+  },
+});
+/** Look up an account by provider and provider-specific account ID. */
+export const accountGet = query({
+  args: { provider: v.string(), providerAccountId: v.string() },
+  returns: v.union(vAccountDoc, v.null()),
+  handler: async (ctx, { provider, providerAccountId }) => {
+    return await ctx.db
+      .query("Account")
+      .withIndex("provider_account_id", (q) =>
+        q.eq("provider", provider).eq("providerAccountId", providerAccountId),
+      )
+      .unique();
+  },
+});
+/** Retrieve an account by its document ID. */
+export const accountGetById = query({
+  args: { accountId: v.id("Account") },
+  returns: v.union(vAccountDoc, v.null()),
+  handler: async (ctx, { accountId }) => {
+    return await ctx.db.get("Account", accountId);
+  },
+});
+/** Create a new account linking a user to an auth provider. */
+export const accountInsert = mutation({
+  args: {
+    userId: v.id("User"),
+    provider: v.string(),
+    providerAccountId: v.string(),
+    secret: v.optional(v.string()),
+    extend: v.optional(v.any()),
+  },
+  returns: v.id("Account"),
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("Account", args as any);
+  },
+});
+/** Patch an existing account document with partial data. */
+export const accountPatch = mutation({
+  args: { accountId: v.id("Account"), data: v.any() },
+  returns: v.null(),
+  handler: async (ctx, { accountId, data }) => {
+    await ctx.db.patch("Account", accountId, data);
+    return null;
+  },
+});
+/** Delete an account document. */
+export const accountDelete = mutation({
+  args: { accountId: v.id("Account") },
+  returns: v.null(),
+  handler: async (ctx, { accountId }) => {
+    await ctx.db.delete("Account", accountId);
+    return null;
+  },
+});
+// ============================================================================
+// Sessions
+// ============================================================================
+/**
+ * List sessions with optional filtering and pagination.
+ *
+ * Returns `{ items, nextCursor }`.
+ */
+export const sessionList = query({
+  args: {
+    where: v.optional(
+      v.object({
+        userId: v.optional(v.id("User")),
+      }),
+    ),
+    limit: v.optional(v.number()),
+    cursor: v.optional(v.union(v.string(), v.null())),
+    order: v.optional(v.union(v.literal("asc"), v.literal("desc"))),
+  },
+  returns: vPaginated(vSessionDoc),
+  handler: async (ctx, args) => {
+    const where = args.where ?? {};
+    const limit = Math.min(Math.max(args.limit ?? 50, 1), 100);
+    const order = args.order ?? "desc";
+    let q;
+    if (where.userId !== undefined) {
+      q = ctx.db
+        .query("Session")
+        .withIndex("user_id", (idx) => idx.eq("userId", where.userId!));
+    } else {
+      q = ctx.db.query("Session");
+    }
+    q = q.order(order);
+    const all = await q.collect();
+    let startIdx = 0;
+    if (args.cursor) {
+      const cursorIdx = all.findIndex((doc) => doc._id === args.cursor);
+      if (cursorIdx !== -1) {
+        startIdx = cursorIdx + 1;
+      }
+    }
+    const page = all.slice(startIdx, startIdx + limit + 1);
+    const hasMore = page.length > limit;
+    const items = hasMore ? page.slice(0, limit) : page;
+    const nextCursor = hasMore ? items[items.length - 1]._id : null;
+    return { items, nextCursor };
+  },
+});
+/** Create a new session for a user with an expiration time. */
+export const sessionCreate = mutation({
+  args: { userId: v.id("User"), expirationTime: v.number() },
+  returns: v.id("Session"),
+  handler: async (ctx, { userId, expirationTime }) => {
+    return await ctx.db.insert("Session", {
+      userId: userId as any,
+      expirationTime,
+    });
+  },
+});
+/** Retrieve a session by its document ID. */
+export const sessionGetById = query({
+  args: { sessionId: v.id("Session") },
+  returns: v.union(vSessionDoc, v.null()),
+  handler: async (ctx, { sessionId }) => {
+    return await ctx.db.get("Session", sessionId);
+  },
+});
+/** Delete a session. No-op if the session does not exist. */
+export const sessionDelete = mutation({
+  args: { sessionId: v.id("Session") },
+  returns: v.null(),
+  handler: async (ctx, { sessionId }) => {
+    if ((await ctx.db.get("Session", sessionId)) !== null) {
+      await ctx.db.delete("Session", sessionId);
+    }
+    return null;
+  },
+});
+/** List all sessions for a user. */
+export const sessionListByUser = query({
+  args: { userId: v.id("User") },
+  returns: v.array(vSessionDoc),
+  handler: async (ctx, { userId }) => {
+    return await ctx.db
+      .query("Session")
+      .withIndex("user_id", (q) => q.eq("userId", userId as any))
+      .collect();
+  },
+});
+// ============================================================================
+// Verifiers
+// ============================================================================
+/** Create a new PKCE verifier, optionally linked to a session. */
+export const verifierCreate = mutation({
+  args: { sessionId: v.optional(v.id("Session")) },
+  returns: v.id("AuthVerifier"),
+  handler: async (ctx, { sessionId }) => {
+    return await ctx.db.insert("AuthVerifier", { sessionId: sessionId as any });
+  },
+});
+/** Retrieve a verifier by its document ID. */
+export const verifierGetById = query({
+  args: { verifierId: v.id("AuthVerifier") },
+  returns: v.union(vAuthVerifierDoc, v.null()),
+  handler: async (ctx, { verifierId }) => {
+    return await ctx.db.get("AuthVerifier", verifierId);
+  },
+});
+/** Look up a verifier by its cryptographic signature. */
+export const verifierGetBySignature = query({
+  args: { signature: v.string() },
+  returns: v.union(vAuthVerifierDoc, v.null()),
+  handler: async (ctx, { signature }) => {
+    return await ctx.db
+      .query("AuthVerifier")
+      .withIndex("signature", (q) => q.eq("signature", signature))
+      .unique();
+  },
+});
+/** Patch a verifier document with partial data. */
+export const verifierPatch = mutation({
+  args: { verifierId: v.id("AuthVerifier"), data: v.any() },
+  returns: v.null(),
+  handler: async (ctx, { verifierId, data }) => {
+    await ctx.db.patch("AuthVerifier", verifierId, data);
+    return null;
+  },
+});
+/** Delete a verifier document. */
+export const verifierDelete = mutation({
+  args: { verifierId: v.id("AuthVerifier") },
+  returns: v.null(),
+  handler: async (ctx, { verifierId }) => {
+    await ctx.db.delete("AuthVerifier", verifierId);
+    return null;
+  },
+});
+// ============================================================================
+// Verification Codes
+// ============================================================================
+/** Find a verification code by its associated account ID. */
+export const verificationCodeGetByAccountId = query({
+  args: { accountId: v.id("Account") },
+  returns: v.union(vVerificationCodeDoc, v.null()),
+  handler: async (ctx, { accountId }) => {
+    return await ctx.db
+      .query("VerificationCode")
+      .withIndex("account_id", (q) => q.eq("accountId", accountId as any))
+      .unique();
+  },
+});
+/** Find a verification code by its code string. */
+export const verificationCodeGetByCode = query({
+  args: { code: v.string() },
+  returns: v.union(vVerificationCodeDoc, v.null()),
+  handler: async (ctx, { code }) => {
+    return await ctx.db
+      .query("VerificationCode")
+      .withIndex("code", (q) => q.eq("code", code))
+      .unique();
+  },
+});
+/** Create a new verification code for OTP, magic link, or OAuth flows. */
+export const verificationCodeCreate = mutation({
+  args: {
+    accountId: v.id("Account"),
+    provider: v.string(),
+    code: v.string(),
+    expirationTime: v.number(),
+    verifier: v.optional(v.string()),
+    emailVerified: v.optional(v.string()),
+    phoneVerified: v.optional(v.string()),
+  },
+  returns: v.id("VerificationCode"),
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("VerificationCode", args as any);
+  },
+});
+/** Delete a verification code document. */
+export const verificationCodeDelete = mutation({
+  args: { verificationCodeId: v.id("VerificationCode") },
+  returns: v.null(),
+  handler: async (ctx, { verificationCodeId }) => {
+    await ctx.db.delete("VerificationCode", verificationCodeId);
+    return null;
+  },
+});
+// ============================================================================
+// Refresh Tokens
+// ============================================================================
+/** Create a new refresh token for a session. */
+export const refreshTokenCreate = mutation({
+  args: {
+    sessionId: v.id("Session"),
+    expirationTime: v.number(),
+    parentRefreshTokenId: v.optional(v.id("RefreshToken")),
+  },
+  returns: v.id("RefreshToken"),
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("RefreshToken", args as any);
+  },
+});
+/** Retrieve a refresh token by its document ID. */
+export const refreshTokenGetById = query({
+  args: { refreshTokenId: v.id("RefreshToken") },
+  returns: v.union(vRefreshTokenDoc, v.null()),
+  handler: async (ctx, { refreshTokenId }) => {
+    return await ctx.db.get("RefreshToken", refreshTokenId);
+  },
+});
+/** Patch a refresh token document with partial data. */
+export const refreshTokenPatch = mutation({
+  args: { refreshTokenId: v.id("RefreshToken"), data: v.any() },
+  returns: v.null(),
+  handler: async (ctx, { refreshTokenId, data }) => {
+    await ctx.db.patch("RefreshToken", refreshTokenId, data);
+    return null;
+  },
+});
+/** Get child tokens that were created by exchanging a specific parent token. */
+export const refreshTokenGetChildren = query({
+  args: {
+    sessionId: v.id("Session"),
+    parentRefreshTokenId: v.id("RefreshToken"),
+  },
+  returns: v.array(vRefreshTokenDoc),
+  handler: async (ctx, { sessionId, parentRefreshTokenId }) => {
+    return await ctx.db
+      .query("RefreshToken")
+      .withIndex("session_id_parent_refresh_token_id", (q) =>
+        q
+          .eq("sessionId", sessionId as any)
+          .eq("parentRefreshTokenId", parentRefreshTokenId as any),
+      )
+      .collect();
+  },
+});
+/** List all refresh tokens for a session. */
+export const refreshTokenListBySession = query({
+  args: { sessionId: v.id("Session") },
+  returns: v.array(vRefreshTokenDoc),
+  handler: async (ctx, { sessionId }) => {
+    return await ctx.db
+      .query("RefreshToken")
+      .withIndex("session_id_parent_refresh_token_id", (q) =>
+        q.eq("sessionId", sessionId as any),
+      )
+      .collect();
+  },
+});
+/** Delete all refresh tokens for a session. */
+export const refreshTokenDeleteAll = mutation({
+  args: { sessionId: v.id("Session") },
+  returns: v.null(),
+  handler: async (ctx, { sessionId }) => {
+    const tokens = await ctx.db
+      .query("RefreshToken")
+      .withIndex("session_id_parent_refresh_token_id", (q) =>
+        q.eq("sessionId", sessionId as any),
+      )
+      .collect();
+    await Promise.all(
+      tokens.map((token) => ctx.db.delete("RefreshToken", token._id)),
+    );
+    return null;
+  },
+});
+/** Get the active (unused) refresh token for a session. */
+export const refreshTokenGetActive = query({
+  args: { sessionId: v.id("Session") },
+  returns: v.union(vRefreshTokenDoc, v.null()),
+  handler: async (ctx, { sessionId }) => {
+    return await ctx.db
+      .query("RefreshToken")
+      .withIndex("session_id", (q) => q.eq("sessionId", sessionId as any))
+      .filter((q) => q.eq(q.field("firstUsedTime"), undefined))
+      .order("desc")
+      .first();
+  },
+});