npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.16 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1672 -24
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/index.d.ts +1 -1
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +343 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +54 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +515 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +116 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +596 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +406 -260
package/dist/component/schema.js +37 -32
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +161 -15
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -7
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +629 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +884 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1134 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +10 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +106 -38
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +163 -17
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -7
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +434 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +629 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +409 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +884 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +60 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1134 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +468 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +530 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +7 -7
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signin.d.ts +6 -6
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +11 -11
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +10 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +114 -77
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +2106 -9
package/src/component/index.ts +3 -1
package/src/component/model.ts +441 -0
package/src/component/public/enterprise.ts +753 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +932 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +119 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +68 -63
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +413 -18
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +1071 -0
package/src/server/domains/sso.ts +1749 -0
package/src/server/enterpriseValidators.ts +93 -0
package/src/server/factory.ts +2181 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +806 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +20 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +259 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +178 -83
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/src/server/fx.ts CHANGED Viewed

@@ -100,6 +100,7 @@ function match<T>(
   );
 }
+/** @internal */
 export const Fx = {
   ...BaseFx,
   match,

package/src/server/http.ts ADDED Viewed

@@ -0,0 +1,529 @@
+import {
+  GenericActionCtx,
+  GenericDataModel,
+  HttpRouter,
+  httpActionGeneric,
+} from "convex/server";
+import { ConvexError } from "convex/values";
+import { parse as parseCookies } from "cookie";
+import { isAuthError } from "./errors";
+import { AuthError, Fx } from "./fx";
+import type { CorsConfig, HttpKeyContext } from "./types";
+import { logError } from "./utils";
+export function createHttpAction(auth: {
+  key: { verify: (ctx: GenericActionCtx<any>, rawKey: string) => Promise<any> };
+}) {
+  return (
+    handler: (
+      ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,
+      request: Request,
+    ) => Promise<Response | Record<string, unknown>>,
+    options?: {
+      scope?: { resource: string; action: string };
+      cors?: CorsConfig;
+    },
+  ) => {
+    const corsConfig = options?.cors ?? {};
+    const corsHeaders: Record<string, string> = {
+      "Access-Control-Allow-Origin": corsConfig.origin ?? "*",
+      "Access-Control-Allow-Methods":
+        corsConfig.methods ?? "GET,POST,PUT,PATCH,DELETE,OPTIONS",
+      "Access-Control-Allow-Headers":
+        corsConfig.headers ?? "Content-Type,Authorization",
+    };
+    return httpActionGeneric(async (genericCtx, request) => {
+      return Fx.run(
+        Fx.from({
+          ok: async () => {
+            const authHeader = request.headers.get("Authorization");
+            if (!authHeader?.startsWith("Bearer ")) {
+              return new Response(
+                JSON.stringify({
+                  error: "Missing or malformed Authorization: Bearer header.",
+                  code: "MISSING_BEARER_TOKEN",
+                }),
+                {
+                  status: 401,
+                  headers: {
+                    ...corsHeaders,
+                    "Content-Type": "application/json",
+                  },
+                },
+              );
+            }
+            const rawKey = authHeader.slice(7);
+            const keyResult = await Fx.run(
+              Fx.from({
+                ok: () => auth.key.verify(genericCtx, rawKey),
+                err: (error) => error,
+              }).pipe(
+                Fx.fold({
+                  ok: (result) => ({ ok: true, value: result }) as const,
+                  err: (error) => ({ ok: false, error }) as const,
+                }),
+              ),
+            );
+            if (!keyResult.ok) {
+              if (isAuthError(keyResult.error)) {
+                const { code, message } = keyResult.error.data as {
+                  code: string;
+                  message: string;
+                };
+                return new Response(JSON.stringify({ error: message, code }), {
+                  status: 403,
+                  headers: {
+                    ...corsHeaders,
+                    "Content-Type": "application/json",
+                  },
+                });
+              }
+              throw keyResult.error;
+            }
+            if (
+              options?.scope &&
+              !keyResult.value.scopes.can(
+                options.scope.resource,
+                options.scope.action,
+              )
+            ) {
+              return new Response(
+                JSON.stringify({
+                  error: "This API key does not have the required permissions.",
+                  code: "SCOPE_CHECK_FAILED",
+                }),
+                {
+                  status: 403,
+                  headers: {
+                    ...corsHeaders,
+                    "Content-Type": "application/json",
+                  },
+                },
+              );
+            }
+            const enrichedCtx = Object.assign(genericCtx, {
+              key: {
+                userId: keyResult.value.userId,
+                keyId: keyResult.value.keyId,
+                scopes: keyResult.value.scopes,
+              },
+            });
+            const result = await handler(enrichedCtx, request);
+            if (result instanceof Response) {
+              const headers = new Headers(result.headers);
+              for (const [k, val] of Object.entries(corsHeaders)) {
+                if (!headers.has(k)) headers.set(k, val);
+              }
+              return new Response(result.body, {
+                status: result.status,
+                statusText: result.statusText,
+                headers,
+              });
+            }
+            return new Response(JSON.stringify(result), {
+              status: 200,
+              headers: {
+                ...corsHeaders,
+                "Content-Type": "application/json",
+              },
+            });
+          },
+          err: (error) => error,
+        }).pipe(
+          Fx.recover((error) => {
+            logError(error);
+            return Fx.succeed(
+              new Response(
+                JSON.stringify({
+                  error: "An unexpected error occurred.",
+                  code: "INTERNAL_ERROR",
+                }),
+                {
+                  status: 500,
+                  headers: {
+                    ...corsHeaders,
+                    "Content-Type": "application/json",
+                  },
+                },
+              ),
+            );
+          }),
+        ),
+      );
+    });
+  };
+}
+export function createHttpRoute(
+  wrapAction: ReturnType<typeof createHttpAction>,
+) {
+  return (
+    http: { route: (config: any) => void },
+    routeConfig: {
+      path: string;
+      method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
+      handler: (
+        ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,
+        request: Request,
+      ) => Promise<Response | Record<string, unknown>>;
+      scope?: { resource: string; action: string };
+      cors?: CorsConfig;
+    },
+  ) => {
+    const corsConfig = routeConfig.cors ?? {};
+    const corsHeaders: Record<string, string> = {
+      "Access-Control-Allow-Origin": corsConfig.origin ?? "*",
+      "Access-Control-Allow-Methods":
+        corsConfig.methods ?? "GET,POST,PUT,PATCH,DELETE,OPTIONS",
+      "Access-Control-Allow-Headers":
+        corsConfig.headers ?? "Content-Type,Authorization",
+    };
+    http.route({
+      path: routeConfig.path,
+      method: "OPTIONS",
+      handler: httpActionGeneric(async () => {
+        return new Response(null, { status: 204, headers: corsHeaders });
+      }),
+    });
+    http.route({
+      path: routeConfig.path,
+      method: routeConfig.method,
+      handler: wrapAction(routeConfig.handler, {
+        scope: routeConfig.scope,
+        cors: routeConfig.cors,
+      }),
+    });
+  };
+}
+export function convertErrorsToResponse(
+  errorStatusCode: number,
+  action: (ctx: GenericActionCtx<any>, request: Request) => Promise<Response>,
+) {
+  return async (ctx: GenericActionCtx<any>, request: Request) => {
+    return Fx.run(
+      Fx.from({
+        ok: () => action(ctx, request),
+        err: (error) => error,
+      }).pipe(
+        Fx.recover((error) => {
+          if (isAuthError(error)) {
+            return Fx.succeed(
+              new Response(
+                JSON.stringify({
+                  code: error.data.code,
+                  message: error.data.message,
+                }),
+                {
+                  status: errorStatusCode,
+                  headers: { "Content-Type": "application/json" },
+                },
+              ),
+            );
+          } else if (error instanceof ConvexError) {
+            return Fx.succeed(
+              new Response(null, {
+                status: errorStatusCode,
+                statusText:
+                  typeof error.data === "string" ? error.data : "Error",
+              }),
+            );
+          } else {
+            logError(error);
+            return Fx.succeed(
+              new Response(null, {
+                status: 500,
+                statusText: "Internal Server Error",
+              }),
+            );
+          }
+        }),
+      ),
+    );
+  };
+}
+export function getCookies(
+  request: Request,
+): Record<string, string | undefined> {
+  return parseCookies(request.headers.get("Cookie") ?? "");
+}
+export type SSORuntimeRoute = {
+  pathname?: string;
+  enterpriseId: string;
+  protocol: "oidc" | "saml" | "scim";
+  rest: string[];
+};
+function parseEnterpriseRuntimeRoute(
+  pathname: string,
+  routeBase: string,
+): SSORuntimeRoute | null {
+  const runtimePrefix = `${routeBase}/`;
+  const runtimeParts = pathname.startsWith(runtimePrefix)
+    ? pathname.slice(runtimePrefix.length).split("/").filter(Boolean)
+    : [];
+  const [runtimeEnterpriseId, protocol, ...rest] = runtimeParts;
+  if (
+    runtimeEnterpriseId === undefined ||
+    (protocol !== "oidc" && protocol !== "saml" && protocol !== "scim") ||
+    rest.length === 0
+  ) {
+    return null;
+  }
+  return {
+    pathname,
+    enterpriseId: runtimeEnterpriseId,
+    protocol,
+    rest,
+  };
+}
+export function addOpenIdRoutes(
+  http: HttpRouter,
+  deps: {
+    getIssuer: () => string;
+    getJwks: () => string;
+  },
+) {
+  const cacheControl =
+    "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400";
+  http.route({
+    path: "/.well-known/openid-configuration",
+    method: "GET",
+    handler: httpActionGeneric(async () => {
+      const issuer = deps.getIssuer();
+      return new Response(
+        JSON.stringify({
+          issuer,
+          jwks_uri: `${issuer}/.well-known/jwks.json`,
+        }),
+        {
+          status: 200,
+          headers: {
+            "Content-Type": "application/json",
+            "Cache-Control": cacheControl,
+          },
+        },
+      );
+    }),
+  });
+  http.route({
+    path: "/.well-known/jwks.json",
+    method: "GET",
+    handler: httpActionGeneric(async () => {
+      return new Response(deps.getJwks(), {
+        status: 200,
+        headers: {
+          "Content-Type": "application/json",
+          "Cache-Control": cacheControl,
+        },
+      });
+    }),
+  });
+}
+export function addAuthRoutes(
+  http: HttpRouter,
+  deps: {
+    handleSignIn: (
+      ctx: GenericActionCtx<any>,
+      request: Request,
+    ) => Promise<Response>;
+    handleCallback: (
+      ctx: GenericActionCtx<any>,
+      request: Request,
+    ) => Promise<Response>;
+  },
+) {
+  http.route({
+    pathPrefix: "/api/auth/signin/",
+    method: "GET",
+    handler: httpActionGeneric(deps.handleSignIn),
+  });
+  const callbackHandler = httpActionGeneric(deps.handleCallback);
+  http.route({
+    pathPrefix: "/api/auth/callback/",
+    method: "GET",
+    handler: callbackHandler,
+  });
+  http.route({
+    pathPrefix: "/api/auth/callback/",
+    method: "POST",
+    handler: callbackHandler,
+  });
+}
+export function addSSORoutes(
+  http: HttpRouter,
+  deps: {
+    routeBase: string;
+    convertErrorsToResponse: typeof convertErrorsToResponse;
+    handleSamlMetadata: (
+      ctx: GenericActionCtx<any>,
+      request: Request,
+      route: SSORuntimeRoute,
+    ) => Promise<Response>;
+    handleSamlSignIn: (
+      ctx: GenericActionCtx<any>,
+      request: Request,
+      route: SSORuntimeRoute,
+    ) => Promise<Response>;
+    handleOidcSignIn: (
+      ctx: GenericActionCtx<any>,
+      request: Request,
+      route: SSORuntimeRoute,
+    ) => Promise<Response>;
+    handleOidcCallback: (
+      ctx: GenericActionCtx<any>,
+      request: Request,
+      route: SSORuntimeRoute,
+    ) => Promise<Response>;
+    handleSamlAcs: (
+      ctx: GenericActionCtx<any>,
+      request: Request,
+      route: SSORuntimeRoute,
+    ) => Promise<Response>;
+    handleSamlSlo: (
+      ctx: GenericActionCtx<any>,
+      request: Request,
+      route: SSORuntimeRoute,
+    ) => Promise<Response>;
+    handleScimRequest: (
+      ctx: GenericActionCtx<any>,
+      request: Request,
+    ) => Promise<Response>;
+    scimError: (status: number, scimType: string, detail: string) => Response;
+  },
+) {
+  const routePrefix = `${deps.routeBase}/`;
+  http.route({
+    pathPrefix: routePrefix,
+    method: "GET",
+    handler: httpActionGeneric(
+      deps.convertErrorsToResponse(400, async (ctx, request) => {
+        const route = parseEnterpriseRuntimeRoute(
+          new URL(request.url).pathname,
+          deps.routeBase,
+        );
+        if (!route) {
+          throw new AuthError(
+            "INVALID_PARAMETERS",
+            "Invalid enterprise runtime path.",
+          ).toConvexError();
+        }
+        if (route.protocol === "saml" && route.rest.length === 1) {
+          if (route.rest[0] === "metadata") {
+            return await deps.handleSamlMetadata(ctx, request, route);
+          }
+          if (route.rest[0] === "signin") {
+            return await deps.handleSamlSignIn(ctx, request, route);
+          }
+          if (route.rest[0] === "acs") {
+            return await deps.handleSamlAcs(ctx, request, route);
+          }
+          if (route.rest[0] === "slo") {
+            return await deps.handleSamlSlo(ctx, request, route);
+          }
+        }
+        if (route.protocol === "oidc" && route.rest.length === 1) {
+          if (route.rest[0] === "signin") {
+            return await deps.handleOidcSignIn(ctx, request, route);
+          }
+          if (route.rest[0] === "callback") {
+            return await deps.handleOidcCallback(ctx, request, route);
+          }
+        }
+        if (route.protocol === "scim" && route.rest[0] === "v2") {
+          return await deps.handleScimRequest(ctx, request);
+        }
+        throw new AuthError(
+          "INVALID_PARAMETERS",
+          "Invalid enterprise runtime path.",
+        ).toConvexError();
+      }),
+    ),
+  });
+  http.route({
+    pathPrefix: routePrefix,
+    method: "POST",
+    handler: httpActionGeneric(
+      deps.convertErrorsToResponse(400, async (ctx, request) => {
+        const route = parseEnterpriseRuntimeRoute(
+          new URL(request.url).pathname,
+          deps.routeBase,
+        );
+        if (route?.protocol === "saml" && route.rest.length === 1) {
+          if (route.rest[0] === "acs") {
+            return await deps.handleSamlAcs(ctx, request, route);
+          }
+          if (route.rest[0] === "slo") {
+            return await deps.handleSamlSlo(ctx, request, route);
+          }
+        }
+        if (route?.protocol === "scim" && route.rest[0] === "v2") {
+          return await deps.handleScimRequest(ctx, request);
+        }
+        throw new AuthError(
+          "INVALID_PARAMETERS",
+          "Invalid enterprise runtime path.",
+        ).toConvexError();
+      }),
+    ),
+  });
+  http.route({
+    pathPrefix: routePrefix,
+    method: "PUT",
+    handler: httpActionGeneric(
+      deps.convertErrorsToResponse(400, async (ctx, request) => {
+        const route = parseEnterpriseRuntimeRoute(
+          new URL(request.url).pathname,
+          deps.routeBase,
+        );
+        if (route?.protocol === "scim" && route.rest[0] === "v2") {
+          return await deps.handleScimRequest(ctx, request);
+        }
+        throw new AuthError(
+          "INVALID_PARAMETERS",
+          "Invalid enterprise runtime path.",
+        ).toConvexError();
+      }),
+    ),
+  });
+  for (const method of ["PATCH", "DELETE"] as const) {
+    http.route({
+      pathPrefix: routePrefix,
+      method,
+      handler: httpActionGeneric(async (ctx, request) => {
+        const route = parseEnterpriseRuntimeRoute(
+          new URL(request.url).pathname,
+          deps.routeBase,
+        );
+        if (!route || route.protocol !== "scim" || route.rest[0] !== "v2") {
+          return deps.scimError(404, "notFound", "SCIM resource not found.");
+        }
+        return await deps.handleScimRequest(ctx, request);
+      }),
+    });
+  }
+}

package/src/server/identity.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { AuthError } from "./fx";
+/** @internal */
+export function userIdFromIdentitySubject(subject: string): string {
+  const [userId, ...rest] = subject.split("|");
+  if (
+    typeof userId !== "string" ||
+    userId.length === 0 ||
+    rest.length === 0 ||
+    rest.some((segment) => segment.length === 0)
+  ) {
+    throw new AuthError(
+      "INTERNAL_ERROR",
+      "Authenticated identity subject is malformed.",
+    );
+  }
+  return userId;
+}