npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.16 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1672 -24
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/index.d.ts +1 -1
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +343 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +54 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +515 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +116 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +596 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +406 -260
package/dist/component/schema.js +37 -32
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +161 -15
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -7
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +629 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +884 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1134 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +10 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +106 -38
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +163 -17
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -7
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +434 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +629 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +409 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +884 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +60 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1134 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +468 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +530 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +7 -7
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signin.d.ts +6 -6
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +11 -11
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +10 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +114 -77
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +2106 -9
package/src/component/index.ts +3 -1
package/src/component/model.ts +441 -0
package/src/component/public/enterprise.ts +753 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +932 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +119 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +68 -63
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +413 -18
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +1071 -0
package/src/server/domains/sso.ts +1749 -0
package/src/server/enterpriseValidators.ts +93 -0
package/src/server/factory.ts +2181 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +806 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +20 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +259 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +178 -83
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/src/server/types.ts CHANGED Viewed

@@ -12,8 +12,17 @@ import {
   RegisteredQuery,
   TableNamesInDataModel,
 } from "convex/server";
+import type { Infer } from "convex/values";
 import { GenericId, Value } from "convex/values";
+import {
+  vApiKeyDoc,
+  vAuthVerifierDoc,
+  vDeviceCodeDoc,
+  vPasskeyDoc,
+  vTotpFactorDoc,
+  vUserDoc,
+} from "../component/model";
 import schema from "../component/schema";
 import { CredentialsUserConfig } from "../providers/credentials";
@@ -24,6 +33,30 @@ import { CredentialsUserConfig } from "../providers/credentials";
 /** A value that is either `T` or a `PromiseLike<T>`. */
 export type Awaitable<T> = T | PromiseLike<T>;
+export type AuthRoleDefinition = {
+  id?: string;
+  label?: string;
+  grants: string[];
+};
+export type AuthAuthorizationConfig = {
+  roles: Record<string, AuthRoleDefinition>;
+};
+export type AuthRoleId<
+  TAuthorization extends AuthAuthorizationConfig | undefined,
+> = TAuthorization extends { roles: infer TRoles extends Record<string, any> }
+  ? keyof TRoles & string
+  : string;
+export type AuthGrant<
+  TAuthorization extends AuthAuthorizationConfig | undefined,
+> = TAuthorization extends {
+  roles: infer TRoles extends Record<string, { grants: readonly any[] }>;
+}
+  ? TRoles[keyof TRoles]["grants"][number] & string
+  : string;
 /**
  * The config for the Convex Auth library, passed to `createAuth`.
  */
@@ -238,6 +271,18 @@ export type ConvexAuthConfig = {
       },
     ) => Promise<void>;
   };
+  /**
+   * Application-defined role and grant model used by membership access checks.
+   */
+  authorization?: {
+    roles: Record<
+      string,
+      {
+        label?: string;
+        grants: string[];
+      }
+    >;
+  };
 };
 /**
@@ -282,6 +327,62 @@ export interface SSOProviderConfig {
   type: "sso";
 }
+export type EnterpriseAccountLinkingPolicy = "verifiedEmail" | "none";
+export type EnterpriseScimReuseUserPolicy = "externalId" | "none";
+export type EnterpriseJitProvisioningMode =
+  | "off"
+  | "createUser"
+  | "createUserAndMembership";
+export type EnterpriseDeprovisionMode = "soft" | "hard";
+export interface EnterprisePolicy {
+  version: 1;
+  identity: {
+    accountLinking: {
+      oidc: EnterpriseAccountLinkingPolicy;
+      saml: EnterpriseAccountLinkingPolicy;
+    };
+  };
+  provisioning: {
+    scimReuse: {
+      user: EnterpriseScimReuseUserPolicy;
+    };
+    jit: {
+      mode: EnterpriseJitProvisioningMode;
+      defaultRoleIds: string[];
+    };
+    deprovision: {
+      mode: EnterpriseDeprovisionMode;
+    };
+  };
+  extend?: Record<string, unknown>;
+}
+export interface EnterprisePolicyPatch {
+  identity?: {
+    accountLinking?: {
+      oidc?: EnterpriseAccountLinkingPolicy;
+      saml?: EnterpriseAccountLinkingPolicy;
+    };
+  };
+  provisioning?: {
+    scimReuse?: {
+      user?: EnterpriseScimReuseUserPolicy;
+    };
+    jit?: {
+      mode?: EnterpriseJitProvisioningMode;
+      defaultRoleIds?: string[];
+    };
+    deprovision?: {
+      mode?: EnterpriseDeprovisionMode;
+    };
+  };
+  extend?: Record<string, unknown>;
+}
 /**
  * Email provider config for magic link / OTP sign-in.
  */
@@ -567,6 +668,7 @@ export type AuthServerHelpers = {
       ctx: GenericActionCtx<any>,
       args: AuthCreateAccountArgs,
     ) => Promise<{
+      ok: true;
       account: GenericDoc<GenericDataModel, "Account">;
       user: GenericDoc<GenericDataModel, "User">;
     }>;
@@ -580,7 +682,7 @@ export type AuthServerHelpers = {
     update: (
       ctx: GenericActionCtx<any>,
       args: AuthUpdateAccountArgs,
-    ) => Promise<void>;
+    ) => Promise<{ ok: true; accountId: GenericId<"Account"> }>;
   };
   session: {
     current: (ctx: {
@@ -589,7 +691,32 @@ export type AuthServerHelpers = {
     invalidate: (
       ctx: GenericActionCtx<any>,
       args: AuthInvalidateSessionsArgs,
-    ) => Promise<void>;
+    ) => Promise<{
+      ok: true;
+      userId: GenericId<"User">;
+      except: GenericId<"Session">[];
+    }>;
+  };
+  access: {
+    check: (
+      ctx: GenericActionCtx<any>,
+      args: {
+        userId: GenericId<"User">;
+        groupId: GenericId<"Group">;
+        grants: string[];
+        maxDepth?: number;
+      },
+    ) => Promise<{
+      ok: boolean;
+      grants: string[];
+      missingGrants: string[];
+      roleIds: string[];
+      matchedGroupId: GenericId<"Group"> | null;
+      membership: GenericDoc<GenericDataModel, "GroupMember"> | null;
+      isDirect: boolean;
+      isInherited: boolean;
+      depth: number | null;
+    }>;
   };
   provider: {
     signIn: (
@@ -621,7 +748,7 @@ export type ConvexAuthMaterializedConfig = {
   providers: AuthProviderMaterializedConfig[];
 } & Pick<
   ConvexAuthConfig,
-  "component" | "session" | "jwt" | "signIn" | "callbacks"
+  "component" | "session" | "jwt" | "signIn" | "callbacks" | "authorization"
 >;
 export interface SAMLAttributeMapping {
@@ -857,12 +984,12 @@ export type GroupOrderBy = "_creationTime" | "name" | "slug" | "type";
 export type MemberWhere = {
   groupId?: string;
   userId?: string;
-  role?: string;
+  roleId?: string;
   status?: string;
 };
 /** Sortable fields for `auth.member.list()`. */
-export type MemberOrderBy = "_creationTime" | "role" | "status";
+export type MemberOrderBy = "_creationTime" | "status";
 /** Filter fields for `auth.invite.list()`. All optional. */
 export type InviteWhere = {
@@ -871,7 +998,7 @@ export type InviteWhere = {
   status?: "pending" | "accepted" | "revoked" | "expired";
   email?: string;
   invitedByUserId?: string;
-  role?: string;
+  roleId?: string;
   acceptedByUserId?: string;
 };
@@ -1055,6 +1182,28 @@ export type AuthComponentApi = {
     enterpriseDomainAdd: FunctionReference<"mutation", "internal", any, any>;
     enterpriseDomainList: FunctionReference<"query", "internal", any, any>;
     enterpriseDomainDelete: FunctionReference<"mutation", "internal", any, any>;
+    enterpriseDomainVerificationGet: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseDomainVerificationUpsert: FunctionReference<
+      "mutation",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseDomainVerificationDelete: FunctionReference<
+      "mutation",
+      "internal",
+      any,
+      any
+    >;
+    enterpriseDomainVerify: FunctionReference<"mutation", "internal", any, any>;
+    enterpriseSecretUpsert: FunctionReference<"mutation", "internal", any, any>;
+    enterpriseSecretGet: FunctionReference<"query", "internal", any, any>;
+    enterpriseSecretDelete: FunctionReference<"mutation", "internal", any, any>;
     enterpriseScimConfigUpsert: FunctionReference<
       "mutation",
       "internal",
@@ -1080,6 +1229,12 @@ export type AuthComponentApi = {
       any,
       any
     >;
+    enterpriseScimIdentityGetByEnterpriseAndUser: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
     enterpriseScimIdentityGetByMappedGroup: FunctionReference<
       "query",
       "internal",
@@ -1123,6 +1278,12 @@ export type AuthComponentApi = {
       any,
       any
     >;
+    enterpriseWebhookEndpointGet: FunctionReference<
+      "query",
+      "internal",
+      any,
+      any
+    >;
     enterpriseWebhookEndpointUpdate: FunctionReference<
       "mutation",
       "internal",
@@ -1243,80 +1404,25 @@ export type SessionInfoWithTokens = {
 // code can work with typed results from cross-component queries/mutations
 // instead of casting to `any` at every field access.
-export interface TotpDoc {
-  _id: string;
-  _creationTime: number;
-  userId: string;
-  secret: ArrayBuffer;
-  digits: number;
-  period: number;
-  verified: boolean;
-  name?: string;
-  createdAt: number;
-  lastUsedAt?: number;
-}
+export type TotpDoc = Infer<typeof vTotpFactorDoc>;
-export interface PasskeyDoc {
-  _id: string;
-  _creationTime: number;
-  userId: string;
-  credentialId: string;
-  publicKey: ArrayBuffer;
-  algorithm: number;
-  counter: number;
-  transports?: string[];
-  deviceType: string;
-  backedUp: boolean;
-  name?: string;
-  createdAt: number;
-  lastUsedAt?: number;
-}
+export type PasskeyDoc = Infer<typeof vPasskeyDoc>;
-export interface VerifierDoc {
-  _id: string;
-  _creationTime: number;
-  signature?: string;
-  sessionId?: string;
-}
+export type VerifierDoc = Infer<typeof vAuthVerifierDoc>;
 /**
- * Plain cross-component user document shape with `string` IDs.
+ * Cross-component user document shape inferred from the component validator.
  *
- * Used by internal typed wrappers (`queryUserById`, etc.) that operate
- * across the component boundary where Convex `Id<"User">` is erased
- * to a plain string. Not intended for consumer use — consumers should
- * use `UserDoc` (exported from `@robelest/convex-auth/component`)
- * which preserves typed `Id<"User">`.
+ * Used by internal typed wrappers (`queryUserById`, etc.) so server code stays
+ * aligned with the component runtime contract. Not intended for consumer use —
+ * consumers should use `UserDoc` (exported from
+ * `@robelest/convex-auth/component`).
  *
  * @internal
  */
-export interface CrossComponentUserDoc {
-  _id: string;
-  _creationTime: number;
-  email?: string;
-  emailVerificationTime?: number;
-  phone?: string;
-  phoneVerificationTime?: number;
-  name?: string;
-  image?: string;
-  isAnonymous?: boolean;
-}
+export type CrossComponentUserDoc = Infer<typeof vUserDoc>;
-export interface KeyDoc {
-  _id: string;
-  _creationTime: number;
-  userId: string;
-  prefix: string;
-  hashedKey: string;
-  name: string;
-  scopes: Array<{ resource: string; actions: string[] }>;
-  rateLimit?: { maxRequests: number; windowMs: number };
-  rateLimitState?: { attemptsLeft: number; lastAttemptTime: number };
-  expiresAt?: number;
-  lastUsedAt?: number;
-  createdAt: number;
-  revoked: boolean;
-}
+export type KeyDoc = Infer<typeof vApiKeyDoc>;
 // ---------------------------------------------------------------------------
 // Cross-component wrapper context
@@ -1555,18 +1661,7 @@ export async function mutateKeyDelete(
 // -- Device authorization queries / mutations --
-export interface DeviceDoc {
-  _id: string;
-  _creationTime: number;
-  deviceCodeHash: string;
-  userCode: string;
-  expiresAt: number;
-  interval: number;
-  status: "pending" | "authorized" | "denied";
-  userId?: string;
-  sessionId?: string;
-  lastPolledAt?: number;
-}
+export type DeviceDoc = Infer<typeof vDeviceCodeDoc>;
 export async function mutateDeviceInsert(
   ctx: ComponentCallCtx,

package/src/server/users.ts CHANGED Viewed

@@ -37,6 +37,7 @@ function mergeExtend(
   return existingRecord ? { ...existingRecord, ...incoming } : incoming;
 }
+/** @internal */
 export async function upsertUserAndAccount(
   ctx: MutationCtx,
   sessionId: GenericId<"Session"> | null,

package/src/server/utils.ts CHANGED Viewed

@@ -3,7 +3,11 @@ import {
   generateRandomString as osloGenerateRandomString,
 } from "@oslojs/crypto/random";
 import { sha256 as rawSha256 } from "@oslojs/crypto/sha2";
-import { encodeHexLowerCase } from "@oslojs/encoding";
+import {
+  decodeBase64urlIgnorePadding,
+  encodeBase64urlNoPadding,
+  encodeHexLowerCase,
+} from "@oslojs/encoding";
 import { AuthError } from "./fx";
@@ -13,6 +17,7 @@ import { AuthError } from "./fx";
  * Uses `AuthError.toConvexError()` directly since this is a synchronous guard
  * called inline in many expressions — not suitable for Fx pipeline wrapping.
  */
+/** @internal */
 export function requireEnv(name: string) {
   const value = process.env[name];
   if (value === undefined) {
@@ -25,6 +30,7 @@ export function requireEnv(name: string) {
   return value;
 }
+/** @internal */
 export function isLocalHost(host?: string) {
   if (host === undefined) {
     return false;
@@ -45,13 +51,17 @@ export function isLocalHost(host?: string) {
 // Internal server utilities (merged from former internalUtils.ts)
+/** @internal */
 export const TOKEN_SUB_CLAIM_DIVIDER = "|";
+/** @internal */
 export const REFRESH_TOKEN_DIVIDER = "|";
+/** @internal */
 export async function sha256(input: string) {
   return encodeHexLowerCase(rawSha256(new TextEncoder().encode(input)));
 }
+/** @internal */
 export function generateRandomString(length: number, alphabet: string) {
   const random: RandomReader = {
     read(bytes) {
@@ -62,10 +72,12 @@ export function generateRandomString(length: number, alphabet: string) {
   return osloGenerateRandomString(random, alphabet, length);
 }
+/** @internal */
 export function errorMessage(error: unknown) {
   return error instanceof Error ? error.message : String(error);
 }
+/** @internal */
 export function logError(error: unknown) {
   logWithLevel(
     LOG_LEVELS.ERROR,
@@ -75,6 +87,7 @@ export function logError(error: unknown) {
   );
 }
+/** @internal */
 export const LOG_LEVELS = {
   ERROR: "ERROR",
   WARN: "WARN",
@@ -83,6 +96,7 @@ export const LOG_LEVELS = {
 } as const;
 type LogLevel = keyof typeof LOG_LEVELS;
+/** @internal */
 export function logWithLevel(level: LogLevel, ...args: unknown[]) {
   const configuredLogLevel =
     LOG_LEVELS[
@@ -111,6 +125,7 @@ export function logWithLevel(level: LogLevel, ...args: unknown[]) {
 }
 const UNREDACTED_LENGTH = 5;
+/** @internal */
 export function maybeRedact(value: string) {
   if (value === "") {
     return "";
@@ -129,3 +144,58 @@ export function maybeRedact(value: string) {
     return value;
   }
 }
+const SECRET_KEY_ENV = "AUTH_SECRET_ENCRYPTION_KEY";
+const SECRET_IV_LENGTH = 12;
+function toArrayBuffer(bytes: Uint8Array) {
+  return bytes.buffer.slice(
+    bytes.byteOffset,
+    bytes.byteOffset + bytes.byteLength,
+  ) as ArrayBuffer;
+}
+async function getSecretCryptoKey() {
+  const material = requireEnv(SECRET_KEY_ENV);
+  const rawKey = rawSha256(new TextEncoder().encode(material));
+  return await crypto.subtle.importKey(
+    "raw",
+    toArrayBuffer(rawKey),
+    { name: "AES-GCM" },
+    false,
+    ["encrypt", "decrypt"],
+  );
+}
+/** @internal */
+export async function encryptSecret(value: string) {
+  const key = await getSecretCryptoKey();
+  const iv = crypto.getRandomValues(new Uint8Array(SECRET_IV_LENGTH));
+  const encrypted = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv: toArrayBuffer(iv) },
+    key,
+    toArrayBuffer(new TextEncoder().encode(value)),
+  );
+  return `${encodeBase64urlNoPadding(iv)}.${encodeBase64urlNoPadding(new Uint8Array(encrypted))}`;
+}
+/** @internal */
+export async function decryptSecret(ciphertext: string) {
+  const [ivEncoded, payloadEncoded] = ciphertext.split(".");
+  if (!ivEncoded || !payloadEncoded) {
+    throw new AuthError(
+      "INVALID_PARAMETERS",
+      "Stored enterprise secret is malformed.",
+    ).toConvexError();
+  }
+  const key = await getSecretCryptoKey();
+  const decrypted = await crypto.subtle.decrypt(
+    {
+      name: "AES-GCM",
+      iv: toArrayBuffer(decodeBase64urlIgnorePadding(ivEncoded)),
+    },
+    key,
+    toArrayBuffer(decodeBase64urlIgnorePadding(payloadEncoded)),
+  );
+  return new TextDecoder().decode(decrypted);
+}

package/src/server/version.ts CHANGED Viewed

@@ -1,2 +1,2 @@
 // Auto-generated by scripts/generate-version.js — do not edit.
-export const AUTH_VERSION = "0.0.4-preview.13";
+export const AUTH_VERSION = "0.0.4-preview.16";