@robelest/convex-auth 0.0.4-preview.16 → 0.0.4-preview.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (88) hide show
  1. package/dist/authorization/index.d.ts +17 -0
  2. package/dist/authorization/index.d.ts.map +1 -0
  3. package/dist/authorization/index.js +17 -0
  4. package/dist/authorization/index.js.map +1 -0
  5. package/dist/client/index.js +73 -0
  6. package/dist/client/index.js.map +1 -1
  7. package/dist/component/_generated/component.d.ts +52 -0
  8. package/dist/component/_generated/component.d.ts.map +1 -1
  9. package/dist/component/convex.config.d.ts +2 -2
  10. package/dist/component/convex.config.d.ts.map +1 -1
  11. package/dist/component/index.js +2 -2
  12. package/dist/component/model.d.ts +75 -75
  13. package/dist/component/model.d.ts.map +1 -1
  14. package/dist/component/model.js +2 -0
  15. package/dist/component/model.js.map +1 -1
  16. package/dist/component/public/factors.d.ts.map +1 -1
  17. package/dist/component/public/factors.js +1 -1
  18. package/dist/component/public/factors.js.map +1 -1
  19. package/dist/component/public/groups.d.ts +10 -2
  20. package/dist/component/public/groups.d.ts.map +1 -1
  21. package/dist/component/public/groups.js +92 -8
  22. package/dist/component/public/groups.js.map +1 -1
  23. package/dist/component/public/identity.d.ts.map +1 -1
  24. package/dist/component/public/identity.js +3 -3
  25. package/dist/component/public/identity.js.map +1 -1
  26. package/dist/component/public/shared.d.ts +4 -4
  27. package/dist/component/public/shared.d.ts.map +1 -1
  28. package/dist/component/public.d.ts +3 -3
  29. package/dist/component/public.js +2 -2
  30. package/dist/component/schema.d.ts +13 -2
  31. package/dist/component/schema.js +7 -5
  32. package/dist/component/schema.js.map +1 -1
  33. package/dist/component/server/auth.d.ts +4 -25
  34. package/dist/component/server/auth.d.ts.map +1 -1
  35. package/dist/component/server/auth.js +4 -10
  36. package/dist/component/server/auth.js.map +1 -1
  37. package/dist/component/server/domains/core.js +196 -131
  38. package/dist/component/server/domains/core.js.map +1 -1
  39. package/dist/component/server/factory.d.ts +3 -3
  40. package/dist/component/server/signin.js +20 -1
  41. package/dist/component/server/signin.js.map +1 -1
  42. package/dist/server/auth.d.ts +4 -25
  43. package/dist/server/auth.d.ts.map +1 -1
  44. package/dist/server/auth.js +4 -10
  45. package/dist/server/auth.js.map +1 -1
  46. package/dist/server/domains/core.d.ts +73 -58
  47. package/dist/server/domains/core.d.ts.map +1 -1
  48. package/dist/server/domains/core.js +196 -131
  49. package/dist/server/domains/core.js.map +1 -1
  50. package/dist/server/http.d.ts +2 -2
  51. package/dist/server/http.d.ts.map +1 -1
  52. package/dist/server/index.d.ts +108 -69
  53. package/dist/server/index.d.ts.map +1 -1
  54. package/dist/server/index.js +138 -54
  55. package/dist/server/index.js.map +1 -1
  56. package/dist/server/mutations/code.d.ts +9 -9
  57. package/dist/server/mutations/index.d.ts +69 -69
  58. package/dist/server/mutations/invalidate.d.ts +4 -4
  59. package/dist/server/mutations/invalidate.d.ts.map +1 -1
  60. package/dist/server/mutations/oauth.d.ts +7 -7
  61. package/dist/server/mutations/register.d.ts +9 -9
  62. package/dist/server/mutations/retrieve.d.ts +6 -6
  63. package/dist/server/mutations/retrieve.d.ts.map +1 -1
  64. package/dist/server/mutations/signature.d.ts +4 -4
  65. package/dist/server/mutations/signature.d.ts.map +1 -1
  66. package/dist/server/mutations/signin.d.ts +5 -5
  67. package/dist/server/mutations/signin.d.ts.map +1 -1
  68. package/dist/server/mutations/verify.d.ts +7 -7
  69. package/dist/server/signin.js +20 -1
  70. package/dist/server/signin.js.map +1 -1
  71. package/dist/server/version.d.ts +1 -1
  72. package/dist/server/version.js +1 -1
  73. package/dist/server/version.js.map +1 -1
  74. package/package.json +9 -5
  75. package/src/authorization/index.ts +37 -0
  76. package/src/client/index.ts +122 -0
  77. package/src/component/_generated/component.ts +64 -0
  78. package/src/component/index.ts +1 -1
  79. package/src/component/model.ts +2 -0
  80. package/src/component/public/factors.ts +3 -2
  81. package/src/component/public/groups.ts +142 -8
  82. package/src/component/public/identity.ts +9 -6
  83. package/src/component/schema.ts +14 -2
  84. package/src/server/auth.ts +9 -61
  85. package/src/server/domains/core.ts +235 -210
  86. package/src/server/index.ts +158 -75
  87. package/src/server/signin.ts +52 -0
  88. package/src/server/version.ts +1 -1
@@ -12,7 +12,7 @@ const signInActionRef = makeFunctionReference("auth:signIn");
12
12
  const signOutActionRef = makeFunctionReference("auth:signOut");
13
13
  function requireSignedInUser(auth) {
14
14
  return async (ctx) => {
15
- return await auth.user.require(ctx);
15
+ return await auth.user.id(ctx);
16
16
  };
17
17
  }
18
18
  function normalizeCreatorRoleIds(roles) {
@@ -58,19 +58,28 @@ function createMountedAdminAuthorizer(auth, options) {
58
58
  const requireUserId = requireSignedInUser(auth);
59
59
  return async (ctx, permission, target = {}) => {
60
60
  const userId = await requireUserId(ctx);
61
- if (!options?.admin?.authorized) throw new ConvexError({
62
- code: "FORBIDDEN",
63
- message: "Mounted enterprise admin APIs require an authorized callback."
64
- });
61
+ if (userId === null) return {
62
+ ok: false,
63
+ code: "NOT_SIGNED_IN"
64
+ };
65
+ if (!options?.admin?.authorized) return {
66
+ ok: false,
67
+ code: "FORBIDDEN"
68
+ };
65
69
  const resolved = await resolveMountedEnterpriseTarget(auth, ctx, target);
66
- await options.admin.authorized(ctx, {
70
+ const authResult = await options.admin.authorized(ctx, {
67
71
  userId,
68
72
  permission,
69
73
  enterpriseId: resolved.enterpriseId,
70
74
  groupId: resolved.groupId,
71
75
  resolvedGroupId: resolved.resolvedGroupId
72
76
  });
77
+ if (authResult && !authResult.ok) return {
78
+ ok: false,
79
+ code: "FORBIDDEN"
80
+ };
73
81
  return {
82
+ ok: true,
74
83
  userId,
75
84
  ...resolved
76
85
  };
@@ -99,7 +108,12 @@ function sso(auth, options) {
99
108
  domain: v.optional(v.string())
100
109
  },
101
110
  handler: async (ctx, args) => {
102
- const { userId } = await authorize(ctx, "sso.connection.create", { groupId: args.groupId });
111
+ const authResult = await authorize(ctx, "sso.connection.create", { groupId: args.groupId });
112
+ if (!authResult.ok) return {
113
+ ok: false,
114
+ code: authResult.code
115
+ };
116
+ const { userId } = authResult;
103
117
  const createsGroup = args.groupId === void 0;
104
118
  const groupId = args.groupId ?? (await auth.group.create(ctx, {
105
119
  name: args.name?.trim() || args.slug?.trim() || "Enterprise",
@@ -131,21 +145,21 @@ function sso(auth, options) {
131
145
  get: queryGeneric({
132
146
  args: { enterpriseId: v.string() },
133
147
  handler: async (ctx, args) => {
134
- await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
148
+ if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
135
149
  return await auth.sso.admin.connection.get(ctx, args.enterpriseId);
136
150
  }
137
151
  }),
138
152
  getByGroup: queryGeneric({
139
153
  args: { groupId: v.string() },
140
154
  handler: async (ctx, args) => {
141
- await authorize(ctx, "sso.connection.read", { groupId: args.groupId });
155
+ if (!(await authorize(ctx, "sso.connection.read", { groupId: args.groupId })).ok) return null;
142
156
  return await auth.sso.admin.connection.getByGroup(ctx, args.groupId);
143
157
  }
144
158
  }),
145
159
  getByDomain: queryGeneric({
146
160
  args: { domain: v.string() },
147
161
  handler: async (ctx, args) => {
148
- await authorize(ctx, "sso.connection.read", { domain: args.domain });
162
+ if (!(await authorize(ctx, "sso.connection.read", { domain: args.domain })).ok) return null;
149
163
  return await auth.sso.admin.connection.getByDomain(ctx, args.domain);
150
164
  }
151
165
  }),
@@ -158,7 +172,7 @@ function sso(auth, options) {
158
172
  order: v.optional(v.union(v.literal("asc"), v.literal("desc")))
159
173
  },
160
174
  handler: async (ctx, args) => {
161
- await authorize(ctx, "sso.connection.read", { groupId: args.where?.groupId });
175
+ if (!(await authorize(ctx, "sso.connection.read", { groupId: args.where?.groupId })).ok) return null;
162
176
  return await auth.sso.admin.connection.list(ctx, args);
163
177
  }
164
178
  }),
@@ -172,7 +186,11 @@ function sso(auth, options) {
172
186
  })
173
187
  },
174
188
  handler: async (ctx, args) => {
175
- await authorize(ctx, "sso.connection.manage", { enterpriseId: args.enterpriseId });
189
+ const _auth = await authorize(ctx, "sso.connection.manage", { enterpriseId: args.enterpriseId });
190
+ if (!_auth.ok) return {
191
+ ok: false,
192
+ code: _auth.code
193
+ };
176
194
  await auth.sso.admin.connection.update(ctx, args.enterpriseId, args.data);
177
195
  return {
178
196
  ok: true,
@@ -183,14 +201,18 @@ function sso(auth, options) {
183
201
  delete: mutationGeneric({
184
202
  args: { enterpriseId: v.string() },
185
203
  handler: async (ctx, args) => {
186
- await authorize(ctx, "sso.connection.manage", { enterpriseId: args.enterpriseId });
204
+ const _auth = await authorize(ctx, "sso.connection.manage", { enterpriseId: args.enterpriseId });
205
+ if (!_auth.ok) return {
206
+ ok: false,
207
+ code: _auth.code
208
+ };
187
209
  return await auth.sso.admin.connection.delete(ctx, args.enterpriseId);
188
210
  }
189
211
  }),
190
212
  status: queryGeneric({
191
213
  args: { enterpriseId: v.string() },
192
214
  handler: async (ctx, args) => {
193
- await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
215
+ if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
194
216
  return await auth.sso.admin.connection.status(ctx, args.enterpriseId);
195
217
  }
196
218
  }),
@@ -198,14 +220,14 @@ function sso(auth, options) {
198
220
  list: queryGeneric({
199
221
  args: { enterpriseId: v.string() },
200
222
  handler: async (ctx, args) => {
201
- await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
223
+ if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
202
224
  return await auth.sso.admin.connection.domain.list(ctx, args.enterpriseId);
203
225
  }
204
226
  }),
205
227
  validate: queryGeneric({
206
228
  args: { enterpriseId: v.string() },
207
229
  handler: async (ctx, args) => {
208
- await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
230
+ if (!(await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId })).ok) return null;
209
231
  return await auth.sso.admin.connection.domain.validate(ctx, args.enterpriseId);
210
232
  }
211
233
  }),
@@ -215,7 +237,11 @@ function sso(auth, options) {
215
237
  domains: v.array(enterpriseDomainInputValidator)
216
238
  },
217
239
  handler: async (ctx, args) => {
218
- await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
240
+ const _auth = await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
241
+ if (!_auth.ok) return {
242
+ ok: false,
243
+ code: _auth.code
244
+ };
219
245
  return await auth.sso.admin.connection.domain.set(ctx, args.enterpriseId, args.domains);
220
246
  }
221
247
  }),
@@ -223,14 +249,22 @@ function sso(auth, options) {
223
249
  request: mutationGeneric({
224
250
  args: enterpriseDomainVerificationInputValidator,
225
251
  handler: async (ctx, args) => {
226
- await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
252
+ const _auth = await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
253
+ if (!_auth.ok) return {
254
+ ok: false,
255
+ code: _auth.code
256
+ };
227
257
  return await auth.sso.admin.connection.domain.verification.request(ctx, args);
228
258
  }
229
259
  }),
230
260
  confirm: actionGeneric({
231
261
  args: enterpriseDomainVerificationInputValidator,
232
262
  handler: async (ctx, args) => {
233
- await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
263
+ const _auth = await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
264
+ if (!_auth.ok) return {
265
+ ok: false,
266
+ code: _auth.code
267
+ };
234
268
  return await auth.sso.admin.connection.domain.verification.confirm(ctx, args);
235
269
  }
236
270
  })
@@ -252,21 +286,29 @@ function sso(auth, options) {
252
286
  extraFields: v.optional(v.record(v.string(), v.string()))
253
287
  },
254
288
  handler: async (ctx, args) => {
255
- await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
289
+ const _auth = await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
290
+ if (!_auth.ok) return {
291
+ ok: false,
292
+ code: _auth.code
293
+ };
256
294
  return await auth.sso.admin.oidc.configure(ctx, args);
257
295
  }
258
296
  }),
259
297
  get: queryGeneric({
260
298
  args: { enterpriseId: v.string() },
261
299
  handler: async (ctx, args) => {
262
- await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
300
+ if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
263
301
  return await auth.sso.admin.oidc.get(ctx, args.enterpriseId);
264
302
  }
265
303
  }),
266
304
  validate: actionGeneric({
267
305
  args: { enterpriseId: v.string() },
268
306
  handler: async (ctx, args) => {
269
- await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
307
+ const _auth = await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
308
+ if (!_auth.ok) return {
309
+ ok: false,
310
+ code: _auth.code
311
+ };
270
312
  return await auth.sso.admin.oidc.validate(ctx, args.enterpriseId);
271
313
  }
272
314
  })
@@ -283,14 +325,18 @@ function sso(auth, options) {
283
325
  sp: v.optional(enterpriseSamlSpValidator)
284
326
  },
285
327
  handler: async (ctx, args) => {
286
- await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
328
+ const _auth = await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
329
+ if (!_auth.ok) return {
330
+ ok: false,
331
+ code: _auth.code
332
+ };
287
333
  return await auth.sso.admin.saml.configure(ctx, args);
288
334
  }
289
335
  }),
290
336
  validate: queryGeneric({
291
337
  args: { enterpriseId: v.string() },
292
338
  handler: async (ctx, args) => {
293
- await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
339
+ if (!(await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId })).ok) return null;
294
340
  return await auth.sso.admin.saml.validate(ctx, args.enterpriseId);
295
341
  }
296
342
  })
@@ -299,7 +345,7 @@ function sso(auth, options) {
299
345
  get: queryGeneric({
300
346
  args: { enterpriseId: v.string() },
301
347
  handler: async (ctx, args) => {
302
- await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
348
+ if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
303
349
  return await auth.sso.admin.policy.get(ctx, args.enterpriseId);
304
350
  }
305
351
  }),
@@ -309,14 +355,18 @@ function sso(auth, options) {
309
355
  patch: enterprisePolicyPatchValidator
310
356
  },
311
357
  handler: async (ctx, args) => {
312
- await authorize(ctx, "sso.policy.manage", { enterpriseId: args.enterpriseId });
358
+ const _auth = await authorize(ctx, "sso.policy.manage", { enterpriseId: args.enterpriseId });
359
+ if (!_auth.ok) return {
360
+ ok: false,
361
+ code: _auth.code
362
+ };
313
363
  return await auth.sso.admin.policy.update(ctx, args.enterpriseId, args.patch);
314
364
  }
315
365
  }),
316
366
  validate: queryGeneric({
317
367
  args: { enterpriseId: v.string() },
318
368
  handler: async (ctx, args) => {
319
- await authorize(ctx, "sso.policy.manage", { enterpriseId: args.enterpriseId });
369
+ if (!(await authorize(ctx, "sso.policy.manage", { enterpriseId: args.enterpriseId })).ok) return null;
320
370
  return await auth.sso.admin.policy.validate(ctx, args.enterpriseId);
321
371
  }
322
372
  })
@@ -328,10 +378,10 @@ function sso(auth, options) {
328
378
  limit: v.optional(v.number())
329
379
  },
330
380
  handler: async (ctx, args) => {
331
- await authorize(ctx, "sso.audit.read", {
381
+ if (!(await authorize(ctx, "sso.audit.read", {
332
382
  enterpriseId: args.enterpriseId,
333
383
  groupId: args.groupId
334
- });
384
+ })).ok) return null;
335
385
  return await auth.sso.admin.audit.list(ctx, args);
336
386
  }
337
387
  }) },
@@ -342,7 +392,7 @@ function sso(auth, options) {
342
392
  limit: v.optional(v.number())
343
393
  },
344
394
  handler: async (ctx, args) => {
345
- await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId });
395
+ if (!(await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId })).ok) return null;
346
396
  return await auth.sso.admin.webhook.delivery.list(ctx, args);
347
397
  }
348
398
  }) },
@@ -356,7 +406,12 @@ function sso(auth, options) {
356
406
  createdByUserId: v.optional(v.string())
357
407
  },
358
408
  handler: async (ctx, args) => {
359
- const { userId } = await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId });
409
+ const authResult = await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId });
410
+ if (!authResult.ok) return {
411
+ ok: false,
412
+ code: authResult.code
413
+ };
414
+ const { userId } = authResult;
360
415
  return {
361
416
  _id: (await auth.sso.admin.webhook.endpoint.create(ctx, {
362
417
  ...args,
@@ -374,7 +429,7 @@ function sso(auth, options) {
374
429
  list: queryGeneric({
375
430
  args: { enterpriseId: v.string() },
376
431
  handler: async (ctx, args) => {
377
- await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId });
432
+ if (!(await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId })).ok) return null;
378
433
  return (await auth.sso.admin.webhook.endpoint.list(ctx, args.enterpriseId)).map((endpoint) => {
379
434
  const { secretHash: _secretHash, ...rest } = endpoint;
380
435
  return rest;
@@ -385,14 +440,18 @@ function sso(auth, options) {
385
440
  args: { endpointId: v.string() },
386
441
  handler: async (ctx, args) => {
387
442
  const endpoint = await auth.sso.admin.webhook.endpoint.get(ctx, args.endpointId);
388
- if (!endpoint) throw new ConvexError({
389
- code: "INVALID_PARAMETERS",
390
- message: "Webhook endpoint not found."
391
- });
392
- await authorize(ctx, "sso.webhook.manage", {
443
+ if (!endpoint) return {
444
+ ok: false,
445
+ code: "INVALID_PARAMETERS"
446
+ };
447
+ const _auth = await authorize(ctx, "sso.webhook.manage", {
393
448
  enterpriseId: endpoint.enterpriseId,
394
449
  groupId: endpoint.groupId
395
450
  });
451
+ if (!_auth.ok) return {
452
+ ok: false,
453
+ code: _auth.code
454
+ };
396
455
  return await auth.sso.admin.webhook.endpoint.disable(ctx, args.endpointId);
397
456
  }
398
457
  })
@@ -439,21 +498,25 @@ function scim(auth, options) {
439
498
  status: v.optional(enterpriseStatusValidator)
440
499
  },
441
500
  handler: async (ctx, args) => {
442
- await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId });
501
+ const _auth = await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId });
502
+ if (!_auth.ok) return {
503
+ ok: false,
504
+ code: _auth.code
505
+ };
443
506
  return await auth.scim.admin.configure(ctx, args);
444
507
  }
445
508
  }),
446
509
  get: queryGeneric({
447
510
  args: { enterpriseId: v.string() },
448
511
  handler: async (ctx, args) => {
449
- await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId });
512
+ if (!(await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId })).ok) return null;
450
513
  return await auth.scim.admin.get(ctx, args.enterpriseId);
451
514
  }
452
515
  }),
453
516
  validate: queryGeneric({
454
517
  args: { enterpriseId: v.string() },
455
518
  handler: async (ctx, args) => {
456
- await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId });
519
+ if (!(await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId })).ok) return null;
457
520
  return await auth.scim.admin.validate(ctx, args.enterpriseId);
458
521
  }
459
522
  })
@@ -702,6 +765,23 @@ function canParseUrl(value) {
702
765
  return false;
703
766
  }
704
767
  }
768
+ function serializeAuthCookie(cookie) {
769
+ const parts = [`${cookie.name}=${cookie.value}`, `Path=${cookie.options.path}`];
770
+ if (cookie.options.httpOnly) parts.push("HttpOnly");
771
+ if (cookie.options.secure) parts.push("Secure");
772
+ if (cookie.options.sameSite) parts.push(`SameSite=${cookie.options.sameSite}`);
773
+ if (cookie.options.maxAge !== void 0) parts.push(`Max-Age=${cookie.options.maxAge}`);
774
+ if (cookie.options.expires) parts.push(`Expires=${cookie.options.expires.toUTCString()}`);
775
+ return parts.join("; ");
776
+ }
777
+ function buildRedirectResponse(location, cookies) {
778
+ const headers = new Headers({ Location: location });
779
+ for (const cookie of cookies) headers.append("Set-Cookie", serializeAuthCookie(cookie));
780
+ return new Response(null, {
781
+ status: 302,
782
+ headers
783
+ });
784
+ }
705
785
  function deriveCookieNamespaceFromUrl(url) {
706
786
  if (!canParseUrl(url)) return DERIVED_COOKIE_NAMESPACE_FALLBACK;
707
787
  const parsed = new URL(url);
@@ -1031,6 +1111,7 @@ function server(options) {
1031
1111
  const corsDispatch = originHeader !== null && (originUrl === null || originUrl.host !== normalizedHost || originUrl.protocol !== protocol) ? { kind: "crossOrigin" } : { kind: "sameOrigin" };
1032
1112
  const corsRefreshResult = await Fx.run(Fx.match(corsDispatch, corsDispatch.kind, {
1033
1113
  crossOrigin: () => ({
1114
+ redirect: false,
1034
1115
  cookies: [],
1035
1116
  token: null
1036
1117
  }),
@@ -1070,32 +1151,33 @@ function server(options) {
1070
1151
  }).pipe(Fx.fold({
1071
1152
  ok: (result) => {
1072
1153
  redirectUrl.searchParams.delete("code");
1154
+ const cookies = structuredAuthCookies({
1155
+ token: result.tokens?.token ?? null,
1156
+ refreshToken: result.tokens?.refreshToken ?? null,
1157
+ verifier: null
1158
+ }, host, cookieConfig, cookieNamespace);
1073
1159
  return {
1074
- cookies: structuredAuthCookies({
1075
- token: result.tokens?.token ?? null,
1076
- refreshToken: result.tokens?.refreshToken ?? null,
1077
- verifier: null
1078
- }, host, cookieConfig, cookieNamespace),
1079
- redirect: redirectUrl.toString(),
1080
- token: result.tokens?.token ?? null
1160
+ redirect: true,
1161
+ response: buildRedirectResponse(redirectUrl.toString(), cookies)
1081
1162
  };
1082
1163
  },
1083
1164
  err: (error) => {
1084
1165
  console.error("[convex-auth/server] code exchange failed", error);
1085
1166
  const errorCode = error instanceof ConvexError && typeof error.data === "object" && error.data !== null && typeof error.data.code === "string" ? error.data.code : null;
1086
1167
  if (!(errorCode === "OAUTH_INVALID_STATE" || errorCode === "OAUTH_PROVIDER_ERROR" || errorCode === "OAUTH_MISSING_ID_TOKEN" || errorCode === "OAUTH_INVALID_PROFILE" || errorCode === "OAUTH_MISSING_VERIFIER" || errorCode === "INVALID_VERIFIER" || errorCode === "INVALID_VERIFICATION_CODE")) return {
1168
+ redirect: false,
1087
1169
  cookies: [],
1088
1170
  token: currentCookies.token
1089
1171
  };
1090
1172
  redirectUrl.searchParams.delete("code");
1173
+ const cookies = structuredAuthCookies({
1174
+ token: currentCookies.token,
1175
+ refreshToken: currentCookies.refreshToken,
1176
+ verifier: null
1177
+ }, host, cookieConfig, cookieNamespace);
1091
1178
  return {
1092
- cookies: structuredAuthCookies({
1093
- token: currentCookies.token,
1094
- refreshToken: currentCookies.refreshToken,
1095
- verifier: null
1096
- }, host, cookieConfig, cookieNamespace),
1097
- redirect: redirectUrl.toString(),
1098
- token: currentCookies.token
1179
+ redirect: true,
1180
+ response: buildRedirectResponse(redirectUrl.toString(), cookies)
1099
1181
  };
1100
1182
  }
1101
1183
  })));
@@ -1264,10 +1346,12 @@ function server(options) {
1264
1346
  });
1265
1347
  }));
1266
1348
  if (tokens === void 0) return {
1349
+ redirect: false,
1267
1350
  cookies: [],
1268
1351
  token: currentToken
1269
1352
  };
1270
1353
  return {
1354
+ redirect: false,
1271
1355
  cookies: structuredAuthCookies({
1272
1356
  token: tokens?.token ?? null,
1273
1357
  refreshToken: tokens?.refreshToken ?? null,