npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.16 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1672 -24
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/index.d.ts +1 -1
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +343 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +54 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +515 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +116 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +596 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +406 -260
package/dist/component/schema.js +37 -32
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +161 -15
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -7
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +629 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +884 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1134 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +10 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +106 -38
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +163 -17
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -7
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +434 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +629 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +409 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +884 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +60 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1134 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +468 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +530 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +7 -7
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signin.d.ts +6 -6
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +11 -11
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +10 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +114 -77
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +2106 -9
package/src/component/index.ts +3 -1
package/src/component/model.ts +441 -0
package/src/component/public/enterprise.ts +753 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +932 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +119 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +68 -63
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +413 -18
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +1071 -0
package/src/server/domains/sso.ts +1749 -0
package/src/server/enterpriseValidators.ts +93 -0
package/src/server/factory.ts +2181 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +806 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +20 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +259 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +178 -83
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/src/server/auth.ts CHANGED Viewed

@@ -8,12 +8,16 @@ import type { UserIdentity } from "convex/server";
 import type { GenericId } from "convex/values";
 import type { AuthApiRefs } from "../client/index";
+import { Auth as AuthFactory } from "./factory";
 import { Fx } from "./fx";
 import { AuthError } from "./fx";
-import { Auth as AuthFactory } from "./implementation";
 import type { Doc } from "./types";
 import type {
+  AuthAuthorizationConfig,
+  AuthGrant,
   AuthProviderConfig,
+  AuthRoleDefinition,
+  AuthRoleId,
   ConvexAuthConfig,
   HasDeviceProvider,
   HasPasskeyProvider,
@@ -31,8 +35,105 @@ import type {
  */
 export type AuthConfig = Omit<ConvexAuthConfig, "component">;
+type MemberApiWithAuthorization<
+  TAuthorization extends AuthAuthorizationConfig | undefined,
+> = Omit<
+  ReturnType<typeof AuthFactory>["auth"]["member"],
+  "create" | "list" | "update" | "inherit" | "require"
+> & {
+  create: (
+    ctx: Parameters<
+      ReturnType<typeof AuthFactory>["auth"]["member"]["create"]
+    >[0],
+    data: {
+      groupId: string;
+      userId: string;
+      roleIds?: AuthRoleId<TAuthorization>[];
+      status?: string;
+      extend?: Record<string, unknown>;
+    },
+  ) => Promise<{ ok: true; memberId: string }>;
+  list: (
+    ctx: Parameters<
+      ReturnType<typeof AuthFactory>["auth"]["member"]["list"]
+    >[0],
+    opts?: {
+      where?: {
+        groupId?: string;
+        userId?: string;
+        roleId?: AuthRoleId<TAuthorization>;
+        status?: string;
+      };
+      limit?: number;
+      cursor?: string | null;
+      orderBy?: "_creationTime" | "status";
+      order?: "asc" | "desc";
+    },
+  ) => ReturnType<ReturnType<typeof AuthFactory>["auth"]["member"]["list"]>;
+  update: (
+    ctx: Parameters<
+      ReturnType<typeof AuthFactory>["auth"]["member"]["update"]
+    >[0],
+    memberId: string,
+    data: Record<string, unknown> & { roleIds?: AuthRoleId<TAuthorization>[] },
+  ) => Promise<{ ok: true; memberId: string }>;
+  inherit: (
+    ctx: Parameters<
+      ReturnType<typeof AuthFactory>["auth"]["member"]["inherit"]
+    >[0],
+    opts: {
+      userId: string;
+      groupId: string;
+      roleIds?: AuthRoleId<TAuthorization>[];
+      grants?: AuthGrant<TAuthorization>[];
+      maxDepth?: number;
+    },
+  ) => ReturnType<ReturnType<typeof AuthFactory>["auth"]["member"]["inherit"]>;
+  require: (
+    ctx: Parameters<
+      ReturnType<typeof AuthFactory>["auth"]["member"]["require"]
+    >[0],
+    opts: {
+      userId: string;
+      groupId: string;
+      roleIds?: AuthRoleId<TAuthorization>[];
+      grants?: AuthGrant<TAuthorization>[];
+      maxDepth?: number;
+    },
+  ) => ReturnType<ReturnType<typeof AuthFactory>["auth"]["member"]["require"]>;
+};
+type AccessApiWithAuthorization<
+  TAuthorization extends AuthAuthorizationConfig | undefined,
+> = {
+  check: (
+    ctx: Parameters<
+      ReturnType<typeof AuthFactory>["auth"]["access"]["check"]
+    >[0],
+    opts: {
+      userId: string;
+      groupId: string;
+      grants: AuthGrant<TAuthorization>[];
+      maxDepth?: number;
+    },
+  ) => ReturnType<ReturnType<typeof AuthFactory>["auth"]["access"]["check"]>;
+  require: (
+    ctx: Parameters<
+      ReturnType<typeof AuthFactory>["auth"]["access"]["require"]
+    >[0],
+    opts: {
+      userId: string;
+      groupId: string;
+      grants: AuthGrant<TAuthorization>[];
+      maxDepth?: number;
+    },
+  ) => ReturnType<ReturnType<typeof AuthFactory>["auth"]["access"]["require"]>;
+};
 /** The base auth API surface, without conditional namespaces. */
-export type AuthApiBase = {
+export type AuthApiBase<
+  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
+> = {
   signIn: ReturnType<typeof AuthFactory>["signIn"];
   signOut: ReturnType<typeof AuthFactory>["signOut"];
   store: ReturnType<typeof AuthFactory>["store"];
@@ -41,24 +142,115 @@ export type AuthApiBase = {
   provider: ReturnType<typeof AuthFactory>["auth"]["provider"];
   account: ReturnType<typeof AuthFactory>["auth"]["account"];
   group: ReturnType<typeof AuthFactory>["auth"]["group"];
-  member: ReturnType<typeof AuthFactory>["auth"]["member"];
+  member: MemberApiWithAuthorization<TAuthorization>;
+  access: AccessApiWithAuthorization<TAuthorization>;
   invite: ReturnType<typeof AuthFactory>["auth"]["invite"];
   key: ReturnType<typeof AuthFactory>["auth"]["key"];
   http: ReturnType<typeof AuthFactory>["auth"]["http"];
 };
-/** Auth API with SSO namespace — present only when `new SSO()` is in providers. */
-export type AuthApi = AuthApiBase & {
-  sso: ReturnType<typeof AuthFactory>["auth"]["sso"];
+type InternalSsoApi = ReturnType<typeof AuthFactory>["auth"]["sso"];
+type PublicSsoAdminApi = {
+  connection: InternalSsoApi["connection"] & {
+    domain: {
+      list: InternalSsoApi["domain"]["list"];
+      validate: InternalSsoApi["domain"]["validate"];
+      set: (
+        ctx: Parameters<InternalSsoApi["connection"]["create"]>[0],
+        enterpriseId: string,
+        domains: Array<{
+          domain: string;
+          isPrimary?: boolean;
+        }>,
+      ) => Promise<{
+        ok: true;
+        enterpriseId: string;
+        domains: Array<{
+          domainId: string;
+          domain: string;
+          isPrimary: boolean;
+          verified: boolean;
+          verifiedAt: number | null;
+        }>;
+      }>;
+      verification: {
+        request: (
+          ctx: Parameters<InternalSsoApi["connection"]["create"]>[0],
+          args: { enterpriseId: string; domain: string },
+        ) => Promise<{
+          ok: true;
+          enterpriseId: string;
+          domain: string;
+          requestedAt: number;
+          expiresAt: number;
+          challenge: {
+            recordType: "TXT";
+            recordName: string;
+            recordValue: string;
+          };
+        }>;
+        confirm: (
+          ctx: Parameters<InternalSsoApi["connection"]["create"]>[0],
+          args: { enterpriseId: string; domain: string },
+        ) => Promise<{
+          ok: boolean;
+          enterpriseId: string;
+          domain: string;
+          verifiedAt?: number;
+          checks: Array<{ name: string; ok: boolean; message?: string }>;
+        }>;
+      };
+    };
+  };
+  oidc: Omit<InternalSsoApi["oidc"], "signIn">;
+  saml: Omit<InternalSsoApi["saml"], "metadata">;
+  policy: InternalSsoApi["policy"];
+  audit: {
+    list: InternalSsoApi["audit"]["list"];
+  };
+  webhook: {
+    endpoint: InternalSsoApi["webhook"]["endpoint"];
+    delivery: {
+      list: InternalSsoApi["webhook"]["delivery"]["list"];
+    };
+  };
+};
+type PublicSsoClientApi = {
+  signIn: InternalSsoApi["oidc"]["signIn"];
+  metadata: InternalSsoApi["saml"]["metadata"];
+};
+type PublicSsoApi = {
+  admin: PublicSsoAdminApi;
+  client: PublicSsoClientApi;
+};
+type PublicScimApi = {
+  admin: Omit<InternalSsoApi["scim"], "getConfigByToken" | "identity">;
+};
+/** Auth API with enterprise namespaces — present only when `new SSO()` is in providers. */
+export type AuthApi<
+  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
+> = AuthApiBase<TAuthorization> & {
+  sso: PublicSsoApi;
+  scim: PublicScimApi;
 };
 /**
  * The return type of `createAuth`. Conditional namespaces:
- * - `auth.sso` — only when `new SSO()` is in providers
+ * - `auth.sso` and `auth.scim` — only when `new SSO()` is in providers
  * - `auth.clientApi` — typed API refs for the client SDK with capabilities
  */
-export type ConvexAuthResult<P extends AuthProviderConfig[]> =
-  HasSSO<P> extends true ? AuthApi : AuthApiBase;
+export type ConvexAuthResult<
+  P extends AuthProviderConfig[],
+  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
+> =
+  HasSSO<P> extends true
+    ? AuthApi<TAuthorization>
+    : AuthApiBase<TAuthorization>;
 /**
  * Infer the typed `AuthApiRefs` for the client SDK from a `createAuth` call.
@@ -72,7 +264,7 @@ export type ConvexAuthResult<P extends AuthProviderConfig[]> =
  * // Frontend
  * import type { auth } from "../convex/auth";
  * import type { InferClientApi } from "@robelest/convex-auth/component";
- * const c = client<InferClientApi<typeof auth>>({ convex, api: { ... } });
+ * const c = client<InferClientApi<typeof auth>>({ convex, api: api.auth });
  * ```
  */
 export type InferClientApi<T> =
@@ -94,19 +286,182 @@ export type AuthLike = Pick<AuthApiBase, "user">;
 /**
  * Create an auth API object.
  *
- * When `new SSO()` is included in providers, `auth.sso` is available
- * on the returned object. Without it, `auth.sso` is absent and
- * accessing it is a TypeScript compile error.
+ * When `new SSO()` is included in providers, `auth.sso` and `auth.scim`
+ * are available on the returned object. Without it, those namespaces are
+ * absent and accessing them is a TypeScript compile error.
  */
-export function createAuth<P extends AuthProviderConfig[]>(
+export function createAuth<
+  P extends AuthProviderConfig[],
+  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
+>(
   component: ConvexAuthConfig["component"],
-  config: Omit<AuthConfig, "providers"> & { providers: P },
-): ConvexAuthResult<P> {
+  config: Omit<AuthConfig, "providers" | "authorization"> & {
+    providers: P;
+    authorization?: TAuthorization;
+  },
+): ConvexAuthResult<P, TAuthorization> {
   const authResult = AuthFactory({
     ...config,
     component,
     providers: [...config.providers],
   });
+  const {
+    domain: domainApi,
+    scim: scimApi,
+    connection: connectionApi,
+    audit: auditApi,
+    webhook: webhookApi,
+    oidc: oidcApi,
+    saml: samlApi,
+    ...restSso
+  } = authResult.auth.sso as InternalSsoApi;
+  type SetEnterpriseDomains = PublicSsoAdminApi["connection"]["domain"]["set"];
+  type EnterpriseDomainInput = Array<{
+    domain: string;
+    isPrimary?: boolean;
+  }>;
+  const setEnterpriseDomains: PublicSsoAdminApi["connection"]["domain"]["set"] =
+    async (
+      ctx: Parameters<SetEnterpriseDomains>[0],
+      enterpriseId: Parameters<SetEnterpriseDomains>[1],
+      domains: EnterpriseDomainInput,
+    ) => {
+      const enterprise = await connectionApi.get(ctx, enterpriseId);
+      if (enterprise === null) {
+        throw new AuthError(
+          "INVALID_PARAMETERS",
+          "Enterprise not found.",
+        ).toConvexError();
+      }
+      const normalized = domains.map((entry: (typeof domains)[number]) => ({
+        ...entry,
+        domain: entry.domain.trim().toLowerCase(),
+      }));
+      const deduped = new Map<string, (typeof normalized)[number]>();
+      for (const entry of normalized) {
+        if (entry.domain.length === 0) {
+          throw new AuthError(
+            "INVALID_PARAMETERS",
+            "Domain must not be empty.",
+          ).toConvexError();
+        }
+        if (deduped.has(entry.domain)) {
+          throw new AuthError(
+            "INVALID_PARAMETERS",
+            `Duplicate domain: ${entry.domain}`,
+          ).toConvexError();
+        }
+        deduped.set(entry.domain, entry);
+      }
+      const nextDomains = [...deduped.values()];
+      const primaryCount = nextDomains.filter(
+        (entry) => entry.isPrimary,
+      ).length;
+      if (primaryCount > 1) {
+        throw new AuthError(
+          "INVALID_PARAMETERS",
+          "Only one primary domain may be set.",
+        ).toConvexError();
+      }
+      if (nextDomains.length > 0 && primaryCount === 0) {
+        nextDomains[0] = { ...nextDomains[0], isPrimary: true };
+      }
+      const currentDomains = await domainApi.list(ctx, enterpriseId);
+      const currentByDomain = new Map<string, (typeof currentDomains)[number]>(
+        currentDomains.map((entry: (typeof currentDomains)[number]) => [
+          entry.domain.toLowerCase(),
+          entry,
+        ]),
+      );
+      for (const existing of currentDomains) {
+        if (!deduped.has(existing.domain.toLowerCase())) {
+          await domainApi.remove(ctx, existing._id);
+        }
+      }
+      for (const nextDomain of nextDomains) {
+        const current = currentByDomain.get(nextDomain.domain);
+        if (current && current.isPrimary === Boolean(nextDomain.isPrimary)) {
+          continue;
+        }
+        if (current) {
+          await domainApi.remove(ctx, current._id);
+        }
+        const domainId = await domainApi.add(ctx, {
+          enterpriseId: enterprise._id,
+          groupId: enterprise.groupId,
+          domain: nextDomain.domain,
+          isPrimary: nextDomain.isPrimary,
+        });
+        if (current?.verifiedAt !== undefined) {
+          await (ctx as any).runMutation(
+            component.public.enterpriseDomainVerify,
+            {
+              domainId,
+              verifiedAt: current.verifiedAt,
+            },
+          );
+        }
+      }
+      const updatedDomains = await domainApi.list(ctx, enterpriseId);
+      return {
+        ok: true as const,
+        enterpriseId,
+        domains: updatedDomains.map(
+          (domain: (typeof updatedDomains)[number]) => ({
+            domainId: domain._id,
+            domain: domain.domain,
+            isPrimary: domain.isPrimary,
+            verified: domain.verifiedAt !== undefined,
+            verifiedAt: domain.verifiedAt ?? null,
+          }),
+        ),
+      };
+    };
+  const publicSso: PublicSsoApi = {
+    admin: {
+      ...restSso,
+      oidc: {
+        ...oidcApi,
+      },
+      saml: {
+        ...samlApi,
+      },
+      connection: {
+        ...connectionApi,
+        domain: {
+          list: domainApi.list,
+          validate: domainApi.validate,
+          set: setEnterpriseDomains,
+          verification: {
+            request: domainApi.verification.request,
+            confirm: domainApi.verification.confirm,
+          },
+        },
+      },
+      policy: restSso.policy,
+      audit: {
+        list: auditApi.list,
+      },
+      webhook: {
+        endpoint: webhookApi.endpoint,
+        delivery: {
+          list: webhookApi.delivery.list,
+        },
+      },
+    },
+    client: {
+      signIn: oidcApi.signIn,
+      metadata: samlApi.metadata,
+    },
+  };
   return {
     signIn: authResult.signIn,
@@ -118,11 +473,51 @@ export function createAuth<P extends AuthProviderConfig[]>(
     account: authResult.auth.account,
     group: authResult.auth.group,
     member: authResult.auth.member,
+    access: authResult.auth.access,
     invite: authResult.auth.invite,
     key: authResult.auth.key,
-    sso: authResult.auth.sso,
+    sso: publicSso,
+    scim: {
+      admin: {
+        configure: scimApi.configure,
+        get: scimApi.get,
+        validate: scimApi.validate,
+      },
+    },
     http: authResult.auth.http,
-  } as ConvexAuthResult<P>;
+  } as unknown as ConvexAuthResult<P, TAuthorization>;
+}
+export function defineRoles<
+  const TRoles extends Record<
+    string,
+    { label?: string; grants: readonly string[] }
+  >,
+>(
+  roles: TRoles,
+): {
+  [K in keyof TRoles]: {
+    id: K & string;
+    label?: TRoles[K]["label"];
+    grants: Array<TRoles[K]["grants"][number] & string>;
+  };
+} {
+  return Object.fromEntries(
+    Object.entries(roles).map(([id, role]) => [
+      id,
+      {
+        id,
+        ...(role.label ? { label: role.label } : {}),
+        grants: [...role.grants],
+      },
+    ]),
+  ) as {
+    [K in keyof TRoles]: {
+      id: K & string;
+      label?: TRoles[K]["label"];
+      grants: Array<TRoles[K]["grants"][number] & string>;
+    };
+  };
 }
 // ============================================================================

package/src/server/cookies.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { isLocalHost } from "./utils";
+/** @internal */
 export const SHARED_COOKIE_OPTIONS = {
   httpOnly: true,
   sameSite: "none" as const,
@@ -9,6 +10,7 @@ export const SHARED_COOKIE_OPTIONS = {
 };
 const REDIRECT_MAX_AGE = 60 * 15; // 15 minutes in seconds
+/** @internal */
 export function redirectToParamCookie(providerId: string, redirectTo: string) {
   return {
     name: redirectToParamCookieName(providerId),
@@ -17,6 +19,7 @@ export function redirectToParamCookie(providerId: string, redirectTo: string) {
   };
 }
+/** @internal */
 export function useRedirectToParam(
   providerId: string,
   cookies: Record<string, string | undefined>,

package/src/server/db.ts CHANGED Viewed

@@ -56,10 +56,13 @@ type AuthComponentApiLike = {
   };
 };
+/** @internal */
 export type AuthDbConfig = { component: AuthComponentApiLike };
+/** @internal */
 export type AuthDb = ReturnType<typeof authDb>;
+/** @internal */
 export function authDb(ctx: CtxLike, config: AuthDbConfig) {
   const component = config.component;
   return {

package/src/server/device.ts CHANGED Viewed

@@ -13,6 +13,7 @@
 import { Fx } from "@robelest/fx";
 import { AuthError } from "./fx";
+import { userIdFromIdentitySubject } from "./identity";
 import { callSignIn } from "./mutations/index";
 import { DeviceProviderConfig, GenericActionCtxWithAuthConfig } from "./types";
 import {
@@ -63,6 +64,7 @@ type DeviceResult =
     }
   | { kind: "signedIn"; signedIn: SessionInfo | null };
+/** @internal */
 export const handleDevice = (
   ctx: EnrichedActionCtx,
   provider: DeviceProviderConfig,
@@ -187,7 +189,7 @@ export const handleDevice = (
         );
       }
-      const userId = identity.subject.split("|")[0]!;
+      const userId = userIdFromIdentitySubject(identity.subject);
       const doc = await queryDeviceByUserCode(ctx, params.userCode);
       if (doc === null) {
         throw new AuthError("DEVICE_INVALID_USER_CODE");