npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.16 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1672 -24
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/index.d.ts +1 -1
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +343 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +54 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +515 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +116 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +596 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +406 -260
package/dist/component/schema.js +37 -32
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +161 -15
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -7
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +629 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +884 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1134 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +10 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +106 -38
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +163 -17
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -7
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +434 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +629 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +409 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +884 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +60 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1134 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +468 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +530 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +7 -7
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signin.d.ts +6 -6
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +11 -11
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +10 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +114 -77
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +2106 -9
package/src/component/index.ts +3 -1
package/src/component/model.ts +441 -0
package/src/component/public/enterprise.ts +753 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +932 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +119 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +68 -63
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +413 -18
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +1071 -0
package/src/server/domains/sso.ts +1749 -0
package/src/server/enterpriseValidators.ts +93 -0
package/src/server/factory.ts +2181 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +806 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +20 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +259 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +178 -83
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/src/server/sso.ts CHANGED Viewed

@@ -24,14 +24,22 @@ function ensureSamlifyValidator() {
   setSchemaValidator(_samlifyPermissiveValidator);
 }
 import { decodeIdToken } from "arctic";
-import { createRemoteJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
+import {
+  createRemoteJWKSet,
+  customFetch,
+  decodeProtectedHeader,
+  jwtVerify,
+} from "jose";
 import type {
+  EnterprisePolicy,
+  EnterprisePolicyPatch,
   OAuthMaterializedConfig,
   OAuthProfile,
   SAMLAttributeMapping,
 } from "./types";
+/** @internal */
 export type ParsedSamlMetadata = {
   issuer: string;
   sso: {
@@ -48,8 +56,10 @@ export type ParsedSamlMetadata = {
   wantsSignedAuthnRequests: boolean;
 };
+/** @internal */
 export type EnterpriseSamlSource = { kind: "enterprise"; id: string };
+/** @internal */
 export type EnterpriseSamlRelayState = {
   source: EnterpriseSamlSource;
   signature: string;
@@ -58,18 +68,21 @@ export type EnterpriseSamlRelayState = {
   redirectTo?: string;
 };
+/** @internal */
 export type EnterpriseSamlUrls = {
   metadataUrl: string;
   acsUrl: string;
   sloUrl?: string;
 };
+/** @internal */
 export type EnterpriseSamlLoadedSource = {
   source: EnterpriseSamlSource;
   config: unknown;
   status?: string;
 };
+/** @internal */
 export type EnterpriseSamlHttpRequest = {
   url: URL;
   body: Record<string, string>;
@@ -80,35 +93,44 @@ export type EnterpriseSamlHttpRequest = {
   hasSamlResponse: boolean;
 };
+/** @internal */
 export type ScimListRequest = {
   startIndex: number;
   count: number;
   filter?: { attribute: string; value: string };
 };
+/** @internal */
 export const SCIM_USER_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:User";
+/** @internal */
 export const SCIM_GROUP_SCHEMA_ID =
   "urn:ietf:params:scim:schemas:core:2.0:Group";
+/** @internal */
 export const ENTERPRISE_OIDC_PROVIDER_PREFIX = "enterprise:oidc:";
+/** @internal */
 export const ENTERPRISE_SAML_PROVIDER_PREFIX = "enterprise:saml:";
 const OIDC_JWKS_CACHE = new Map<
   string,
   ReturnType<typeof createRemoteJWKSet>
 >();
+/** @internal */
 export function normalizeDomain(domain: string): string {
   return domain.trim().toLowerCase().replace(/^@+/, "");
 }
+/** @internal */
 export function enterpriseOidcProviderId(enterpriseId: string): string {
   return `${ENTERPRISE_OIDC_PROVIDER_PREFIX}${enterpriseId}`;
 }
+/** @internal */
 export function enterpriseSamlProviderId(enterpriseId: string): string {
   return `${ENTERPRISE_SAML_PROVIDER_PREFIX}${enterpriseId}`;
 }
+/** @internal */
 export function getEnterpriseSamlUrls(opts: {
   rootUrl: string;
   source: EnterpriseSamlSource;
@@ -124,6 +146,7 @@ export function getEnterpriseSamlUrls(opts: {
   };
 }
+/** @internal */
 export function getEnterpriseOidcUrls(opts: {
   rootUrl: string;
   enterpriseId: string;
@@ -135,12 +158,14 @@ export function getEnterpriseOidcUrls(opts: {
   };
 }
+/** @internal */
 export function isEnterpriseSamlSourceActive(
   source: EnterpriseSamlLoadedSource,
 ) {
   return source.status === "active";
 }
+/** @internal */
 export function isEnterpriseProviderId(providerId: string): boolean {
   return (
     providerId.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX) ||
@@ -153,6 +178,132 @@ const asRecord = (value: unknown) =>
     ? (value as Record<string, any>)
     : null;
+/** @internal */
+export const DEFAULT_ENTERPRISE_POLICY: EnterprisePolicy = {
+  version: 1,
+  identity: {
+    accountLinking: {
+      oidc: "verifiedEmail",
+      saml: "verifiedEmail",
+    },
+  },
+  provisioning: {
+    scimReuse: {
+      user: "externalId",
+    },
+    jit: {
+      mode: "createUserAndMembership",
+      defaultRoleIds: [],
+    },
+    deprovision: {
+      mode: "soft",
+    },
+  },
+};
+/** @internal */
+export function normalizeEnterprisePolicy(policy: unknown): EnterprisePolicy {
+  const input = asRecord(policy) ?? {};
+  const identity = asRecord(input.identity) ?? {};
+  const accountLinking = asRecord(identity.accountLinking) ?? {};
+  const provisioning = asRecord(input.provisioning) ?? {};
+  const scimReuse = asRecord(provisioning.scimReuse) ?? {};
+  const jit = asRecord(provisioning.jit) ?? {};
+  const deprovision = asRecord(provisioning.deprovision) ?? {};
+  const extend = asRecord(input.extend) ?? undefined;
+  return {
+    version: 1,
+    identity: {
+      accountLinking: {
+        oidc:
+          accountLinking.oidc === "none"
+            ? "none"
+            : DEFAULT_ENTERPRISE_POLICY.identity.accountLinking.oidc,
+        saml:
+          accountLinking.saml === "none"
+            ? "none"
+            : DEFAULT_ENTERPRISE_POLICY.identity.accountLinking.saml,
+      },
+    },
+    provisioning: {
+      scimReuse: {
+        user:
+          scimReuse.user === "none"
+            ? "none"
+            : DEFAULT_ENTERPRISE_POLICY.provisioning.scimReuse.user,
+      },
+      jit: {
+        mode:
+          jit.mode === "off" ||
+          jit.mode === "createUser" ||
+          jit.mode === "createUserAndMembership"
+            ? jit.mode
+            : DEFAULT_ENTERPRISE_POLICY.provisioning.jit.mode,
+        defaultRoleIds: Array.isArray(jit.defaultRoleIds)
+          ? Array.from(
+              new Set(
+                jit.defaultRoleIds.filter(
+                  (value): value is string =>
+                    typeof value === "string" && value.length > 0,
+                ),
+              ),
+            )
+          : typeof jit.defaultRole === "string" && jit.defaultRole.length > 0
+            ? [jit.defaultRole]
+            : DEFAULT_ENTERPRISE_POLICY.provisioning.jit.defaultRoleIds,
+      },
+      deprovision: {
+        mode:
+          deprovision.mode === "hard"
+            ? "hard"
+            : DEFAULT_ENTERPRISE_POLICY.provisioning.deprovision.mode,
+      },
+    },
+    ...(extend ? { extend } : {}),
+  };
+}
+/** @internal */
+export function patchEnterprisePolicy(
+  current: unknown,
+  patch: EnterprisePolicyPatch,
+): EnterprisePolicy {
+  const base = normalizeEnterprisePolicy(current);
+  return normalizeEnterprisePolicy({
+    ...base,
+    ...patch,
+    identity: {
+      ...base.identity,
+      ...patch.identity,
+      accountLinking: {
+        ...base.identity.accountLinking,
+        ...patch.identity?.accountLinking,
+      },
+    },
+    provisioning: {
+      ...base.provisioning,
+      ...patch.provisioning,
+      scimReuse: {
+        ...base.provisioning.scimReuse,
+        ...patch.provisioning?.scimReuse,
+      },
+      jit: {
+        ...base.provisioning.jit,
+        ...patch.provisioning?.jit,
+      },
+      deprovision: {
+        ...base.provisioning.deprovision,
+        ...patch.provisioning?.deprovision,
+      },
+    },
+    extend:
+      patch.extend === undefined
+        ? base.extend
+        : { ...base.extend, ...patch.extend },
+  });
+}
 const getProtocolConfig = (config: unknown, protocol: "oidc" | "saml") => {
   const base = asRecord(config);
   const direct = base?.[protocol];
@@ -160,14 +311,35 @@ const getProtocolConfig = (config: unknown, protocol: "oidc" | "saml") => {
   return asRecord(direct) ?? asRecord(viaProtocols) ?? {};
 };
+/** @internal */
 export function getOidcConfig(config: unknown): Record<string, any> {
   return getProtocolConfig(config, "oidc");
 }
+/** @internal */
+export function getPublicOidcConfig(config: unknown): Record<string, any> {
+  const oidc = getOidcConfig(config);
+  const { clientSecret: _clientSecret, ...publicOidc } = oidc;
+  return publicOidc;
+}
+/** @internal */
+export function withOidcSecretState(
+  config: Record<string, any>,
+  hasClientSecret: boolean,
+) {
+  return {
+    ...config,
+    hasClientSecret,
+  };
+}
+/** @internal */
 export function getSamlConfig(config: unknown): Record<string, any> {
   return getProtocolConfig(config, "saml");
 }
+/** @internal */
 export function upsertProtocolConfig(
   config: unknown,
   protocol: "oidc" | "saml",
@@ -182,6 +354,7 @@ export function upsertProtocolConfig(
   return { ...base, protocols };
 }
+/** @internal */
 export function createSamlPostBindingResponse(opts: {
   endpoint: string;
   parameter: "SAMLRequest" | "SAMLResponse";
@@ -200,6 +373,7 @@ export function createSamlPostBindingResponse(opts: {
   );
 }
+/** @internal */
 export function decodeRelayState(
   value: string | null,
 ): Record<string, unknown> {
@@ -215,6 +389,7 @@ export function decodeRelayState(
   }
 }
+/** @internal */
 export function encodeEnterpriseSamlRelayState(
   value: EnterpriseSamlRelayState,
 ) {
@@ -231,6 +406,7 @@ export function encodeEnterpriseSamlRelayState(
   );
 }
+/** @internal */
 export function decodeEnterpriseSamlRelayStateOrThrow(
   value: string | null,
 ): EnterpriseSamlRelayState {
@@ -261,6 +437,7 @@ export function decodeEnterpriseSamlRelayStateOrThrow(
   };
 }
+/** @internal */
 export async function readRequestBody(
   request: Request,
 ): Promise<Record<string, string>> {
@@ -279,6 +456,7 @@ export async function readRequestBody(
   return {};
 }
+/** @internal */
 export async function readEnterpriseSamlHttpRequest(
   request: Request,
 ): Promise<EnterpriseSamlHttpRequest> {
@@ -319,11 +497,13 @@ async function discoverOidcConfiguration(config: Record<string, any>) {
     throw new Error("Enterprise OIDC requires an issuer or discoveryUrl.");
   }
+  const oidcFetch = createEnterpriseOidcFetch(config, config.issuer);
   return await Fx.run(
     Fx.defer(() =>
       Fx.from({
         ok: async () => {
-          const response = await fetch(discoveryUrl);
+          const response = await oidcFetch(discoveryUrl);
           if (!response.ok) {
             throw new Error(
               `Failed to discover OIDC configuration: ${response.status}`,
@@ -360,11 +540,46 @@ async function discoverOidcConfiguration(config: Record<string, any>) {
   );
 }
-function getOidcJwks(url: string) {
-  let jwks = OIDC_JWKS_CACHE.get(url);
+function createEnterpriseOidcFetch(
+  config: Record<string, any>,
+  discoveredIssuer?: string,
+) {
+  const runtimeOrigin =
+    typeof config.discoveryUrl === "string"
+      ? new URL(config.discoveryUrl).origin
+      : undefined;
+  const externalHost =
+    typeof config.issuer === "string"
+      ? new URL(config.issuer).host
+      : typeof discoveredIssuer === "string"
+        ? new URL(discoveredIssuer).host
+        : undefined;
+  return async (input: string | URL, init?: RequestInit) => {
+    const url = new URL(typeof input === "string" ? input : input.toString());
+    const rewrittenUrl =
+      runtimeOrigin !== undefined && url.origin !== runtimeOrigin
+        ? new URL(`${runtimeOrigin}${url.pathname}${url.search}`)
+        : url;
+    const headers = new Headers(init?.headers);
+    if (runtimeOrigin !== undefined && externalHost !== undefined) {
+      headers.set("host", externalHost);
+    }
+    return await fetch(rewrittenUrl, { ...init, headers });
+  };
+}
+function getOidcJwks(
+  url: string,
+  fetchImpl?: ReturnType<typeof createEnterpriseOidcFetch>,
+) {
+  const cacheKey = fetchImpl ? `${url}::custom` : url;
+  let jwks = OIDC_JWKS_CACHE.get(cacheKey);
   if (!jwks) {
-    jwks = createRemoteJWKSet(new URL(url));
-    OIDC_JWKS_CACHE.set(url, jwks);
+    jwks = fetchImpl
+      ? createRemoteJWKSet(new URL(url), { [customFetch]: fetchImpl })
+      : createRemoteJWKSet(new URL(url));
+    OIDC_JWKS_CACHE.set(cacheKey, jwks);
   }
   return jwks;
 }
@@ -378,10 +593,11 @@ function userInfoProfileFx(opts: {
   accessToken: string;
   verifiedClaims: Record<string, unknown>;
   verifiedProfile: OAuthProfile & { emailVerified?: boolean };
+  fetchImpl?: ReturnType<typeof createEnterpriseOidcFetch>;
 }) {
   return Fx.from({
     ok: async () => {
-      const response = await fetch(opts.endpoint, {
+      const response = await (opts.fetchImpl ?? fetch)(opts.endpoint, {
         headers: { Authorization: `Bearer ${opts.accessToken}` },
       });
       if (!response.ok) {
@@ -438,6 +654,7 @@ function userInfoProfileFx(opts: {
   );
 }
+/** @internal */
 export async function createEnterpriseOidcProvider(
   config: Record<string, any>,
   redirectUri: string,
@@ -478,6 +695,10 @@ export async function createEnterpriseOidcProvider(
     : [];
   const userinfoEndpoint =
     (discovery.userinfo_endpoint as string | undefined) ?? undefined;
+  const oidcFetch = createEnterpriseOidcFetch(
+    config,
+    discovery.issuer as string,
+  );
   const scopes = Array.isArray(config.scopes)
     ? config.scopes.filter(
         (value: unknown): value is string => typeof value === "string",
@@ -501,7 +722,7 @@ export async function createEnterpriseOidcProvider(
           ...getIssuerCandidates(discoveredIssuer),
         ]),
       );
-  const jwks = getOidcJwks(jwksUri);
+  const jwks = getOidcJwks(jwksUri, oidcFetch);
   let verifiedClaims: Record<string, unknown> | null = null;
   let verifiedProfile: (OAuthProfile & { emailVerified?: boolean }) | null =
     null;
@@ -563,7 +784,7 @@ export async function createEnterpriseOidcProvider(
       if (codeVerifier) {
         body.set("code_verifier", codeVerifier);
       }
-      const response = await fetch(tokenEndpoint, {
+      const response = await oidcFetch(tokenEndpoint, {
         method: "POST",
         headers: { "Content-Type": "application/x-www-form-urlencoded" },
         body,
@@ -692,6 +913,7 @@ export async function createEnterpriseOidcProvider(
             accessToken: tokens.accessToken(),
             verifiedClaims,
             verifiedProfile,
+            fetchImpl: oidcFetch,
           }),
         );
         if (userInfoProfile !== null) {
@@ -705,18 +927,23 @@ export async function createEnterpriseOidcProvider(
   return { provider, oauthConfig };
 }
+/** @internal */
 export function createSyntheticOAuthMaterializedConfig(
   providerId: string,
+  options?: {
+    accountLinking?: OAuthMaterializedConfig["accountLinking"];
+  },
 ): OAuthMaterializedConfig {
   return {
     id: providerId,
     type: "oauth",
     provider: null,
     scopes: [],
-    accountLinking: "verifiedEmail",
+    accountLinking: options?.accountLinking ?? "verifiedEmail",
   };
 }
+/** @internal */
 export function parseSamlIdpMetadata(metadata: string): ParsedSamlMetadata {
   const idp = IdentityProvider({ metadata });
   const entityMeta = idp.entityMeta;
@@ -745,6 +972,7 @@ export function parseSamlIdpMetadata(metadata: string): ParsedSamlMetadata {
   };
 }
+/** @internal */
 export function createServiceProviderMetadata(opts: {
   entityId: string;
   acsUrl: string;
@@ -789,6 +1017,7 @@ export function createServiceProviderMetadata(opts: {
   return sp.getMetadata();
 }
+/** @internal */
 export function createEnterpriseSamlMetadataXml(opts: {
   rootUrl: string;
   source: EnterpriseSamlSource;
@@ -803,6 +1032,7 @@ export function createEnterpriseSamlMetadataXml(opts: {
   );
 }
+/** @internal */
 export function getSamlServiceProviderOptions(opts: {
   rootUrl: string;
   source: EnterpriseSamlSource;
@@ -835,6 +1065,7 @@ export function getSamlServiceProviderOptions(opts: {
   };
 }
+/** @internal */
 export function createSamlServiceProvider(opts: {
   entityId: string;
   acsUrl: string;
@@ -874,6 +1105,7 @@ export function createSamlServiceProvider(opts: {
   });
 }
+/** @internal */
 export function createEnterpriseSamlRuntime(opts: {
   rootUrl: string;
   source: EnterpriseSamlSource;
@@ -904,6 +1136,7 @@ export function createEnterpriseSamlRuntime(opts: {
   };
 }
+/** @internal */
 export function createEnterpriseSamlSignInRequest(opts: {
   rootUrl: string;
   source: EnterpriseSamlSource;
@@ -951,6 +1184,7 @@ export function createEnterpriseSamlSignInRequest(opts: {
   };
 }
+/** @internal */
 export async function parseEnterpriseSamlLoginResponse(opts: {
   request: Request;
   rootUrl: string;
@@ -1026,6 +1260,7 @@ function warnDeprecatedSamlAlgorithms(parsed: any) {
   }
 }
+/** @internal */
 export function validateEnterpriseSamlLoginRelayState(opts: {
   relayState: EnterpriseSamlRelayState;
   source: EnterpriseSamlSource;
@@ -1040,6 +1275,7 @@ export function validateEnterpriseSamlLoginRelayState(opts: {
   }
 }
+/** @internal */
 export async function parseEnterpriseSamlLogoutMessage(opts: {
   request: Request;
   rootUrl: string;
@@ -1071,23 +1307,23 @@ export async function parseEnterpriseSamlLogoutMessage(opts: {
   };
 }
+/** @internal */
 export async function createEnterpriseOidcRuntime(opts: {
   rootUrl: string;
   enterpriseId: string;
-  config: unknown;
+  oidc: Record<string, any>;
 }) {
-  const oidc = getOidcConfig(opts.config);
   const providerId = enterpriseOidcProviderId(opts.enterpriseId);
   const urls = getEnterpriseOidcUrls({
     rootUrl: opts.rootUrl,
     enterpriseId: opts.enterpriseId,
   });
   const { provider, oauthConfig } = await createEnterpriseOidcProvider(
-    oidc,
+    opts.oidc,
     urls.callbackUrl,
   );
   return {
-    oidc,
+    oidc: opts.oidc,
     providerId,
     provider,
     oauthConfig,
@@ -1095,6 +1331,7 @@ export async function createEnterpriseOidcRuntime(opts: {
   };
 }
+/** @internal */
 export function profileFromSamlExtract(
   extract: any,
   mapping?: SAMLAttributeMapping,
@@ -1145,15 +1382,15 @@ export function profileFromSamlExtract(
   };
 }
+/** @internal */
 export function parseScimPath(pathname: string) {
   const parts = pathname.split("/").filter(Boolean);
-  const [api, auth, enterprise, enterpriseId, protocol, version, ...rest] =
-    parts;
+  const [api, auth, sso, enterpriseId, protocol, version, ...rest] = parts;
   if (
     api !== "api" ||
     auth !== "auth" ||
-    enterprise !== "enterprise" ||
+    sso !== "sso" ||
     !enterpriseId ||
     enterpriseId === "setup" ||
     protocol !== "scim" ||
@@ -1173,6 +1410,7 @@ export function parseScimPath(pathname: string) {
   };
 }
+/** @internal */
 export function parseScimListRequest(url: URL): ScimListRequest {
   const startIndex = Math.max(
     1,
@@ -1195,6 +1433,7 @@ export function parseScimListRequest(url: URL): ScimListRequest {
   return { startIndex, count, filter };
 }
+/** @internal */
 export function scimJson(data: unknown, status = 200, headers?: HeadersInit) {
   const responseHeaders = new Headers({
     "Content-Type": "application/scim+json",
@@ -1210,6 +1449,7 @@ export function scimJson(data: unknown, status = 200, headers?: HeadersInit) {
   });
 }
+/** @internal */
 export function scimError(status: number, scimType: string, detail: string) {
   return scimJson(
     {
@@ -1222,6 +1462,7 @@ export function scimError(status: number, scimType: string, detail: string) {
   );
 }
+/** @internal */
 export function serializeScimUser(args: {
   id: string;
   user: Record<string, any>;
@@ -1253,6 +1494,7 @@ export function serializeScimUser(args: {
   };
 }
+/** @internal */
 export function serializeScimGroup(args: {
   id: string;
   group: Record<string, any>;

package/src/server/templates.ts CHANGED Viewed

@@ -15,6 +15,7 @@
  * Used by the auto-registered `email` provider when `email` is
  * configured in `createAuth(...)`.
  */
+/** @internal */
 export function defaultMagicLinkEmail(url: string, host: string): string {
   const escapedHost = host.replace(
     /[&<>"']/g,

package/src/server/tokens.ts CHANGED Viewed

@@ -10,6 +10,7 @@ const TOKEN_JTI_LENGTH = 24;
 const TOKEN_JTI_ALPHABET =
   "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+/** @internal */
 export async function generateToken(
   args: {
     userId: GenericId<"User">;

package/src/server/totp.ts CHANGED Viewed

@@ -12,6 +12,7 @@ import { verifyTOTPWithGracePeriod, createTOTPKeyURI } from "@oslojs/otp";
 import type { Fx as FxType } from "@robelest/fx";
 import { AuthError, Fx } from "./fx";
+import { userIdFromIdentitySubject } from "./identity";
 import { callSignIn, callVerifier } from "./mutations/index";
 import { callVerifierSignature } from "./mutations/signature";
 import { TotpProviderConfig, GenericActionCtxWithAuthConfig } from "./types";
@@ -134,6 +135,7 @@ const resolveTotpDispatchFx = (
     ),
   );
+/** @internal */
 export const handleTotp = (
   ctx: EnrichedActionCtx,
   provider: TotpProviderConfig,
@@ -152,7 +154,7 @@ export const handleTotp = (
             Fx.chain((identity) =>
               identity === null
                 ? Fx.fail(new AuthError("TOTP_AUTH_REQUIRED"))
-                : Fx.succeed(identity.subject.split("|")[0]!),
+                : Fx.succeed(userIdFromIdentitySubject(identity.subject)),
             ),
             Fx.chain((userId) =>
               Fx.from({
@@ -224,7 +226,7 @@ export const handleTotp = (
             Fx.chain((identity) =>
               identity === null
                 ? Fx.fail(new AuthError("TOTP_AUTH_REQUIRED"))
-                : Fx.succeed(identity.subject.split("|")[0]!),
+                : Fx.succeed(userIdFromIdentitySubject(identity.subject)),
             ),
             Fx.chain((userId) =>
               Fx.from({