@robelest/convex-auth 0.0.4-preview.16 → 0.0.4-preview.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/authorization/index.d.ts +17 -0
- package/dist/authorization/index.d.ts.map +1 -0
- package/dist/authorization/index.js +17 -0
- package/dist/authorization/index.js.map +1 -0
- package/dist/client/index.js +73 -0
- package/dist/client/index.js.map +1 -1
- package/dist/component/_generated/component.d.ts +52 -0
- package/dist/component/_generated/component.d.ts.map +1 -1
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/convex.config.d.ts.map +1 -1
- package/dist/component/index.js +2 -2
- package/dist/component/model.d.ts +75 -75
- package/dist/component/model.d.ts.map +1 -1
- package/dist/component/model.js +2 -0
- package/dist/component/model.js.map +1 -1
- package/dist/component/public/factors.d.ts.map +1 -1
- package/dist/component/public/factors.js +1 -1
- package/dist/component/public/factors.js.map +1 -1
- package/dist/component/public/groups.d.ts +10 -2
- package/dist/component/public/groups.d.ts.map +1 -1
- package/dist/component/public/groups.js +92 -8
- package/dist/component/public/groups.js.map +1 -1
- package/dist/component/public/identity.d.ts.map +1 -1
- package/dist/component/public/identity.js +3 -3
- package/dist/component/public/identity.js.map +1 -1
- package/dist/component/public/shared.d.ts +4 -4
- package/dist/component/public/shared.d.ts.map +1 -1
- package/dist/component/public.d.ts +3 -3
- package/dist/component/public.js +2 -2
- package/dist/component/schema.d.ts +13 -2
- package/dist/component/schema.js +7 -5
- package/dist/component/schema.js.map +1 -1
- package/dist/component/server/auth.d.ts +4 -25
- package/dist/component/server/auth.d.ts.map +1 -1
- package/dist/component/server/auth.js +4 -10
- package/dist/component/server/auth.js.map +1 -1
- package/dist/component/server/domains/core.js +196 -131
- package/dist/component/server/domains/core.js.map +1 -1
- package/dist/component/server/factory.d.ts +3 -3
- package/dist/component/server/signin.js +20 -1
- package/dist/component/server/signin.js.map +1 -1
- package/dist/server/auth.d.ts +4 -25
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +4 -10
- package/dist/server/auth.js.map +1 -1
- package/dist/server/domains/core.d.ts +73 -58
- package/dist/server/domains/core.d.ts.map +1 -1
- package/dist/server/domains/core.js +196 -131
- package/dist/server/domains/core.js.map +1 -1
- package/dist/server/http.d.ts +2 -2
- package/dist/server/http.d.ts.map +1 -1
- package/dist/server/index.d.ts +108 -69
- package/dist/server/index.d.ts.map +1 -1
- package/dist/server/index.js +138 -54
- package/dist/server/index.js.map +1 -1
- package/dist/server/mutations/code.d.ts +9 -9
- package/dist/server/mutations/index.d.ts +69 -69
- package/dist/server/mutations/invalidate.d.ts +4 -4
- package/dist/server/mutations/invalidate.d.ts.map +1 -1
- package/dist/server/mutations/oauth.d.ts +7 -7
- package/dist/server/mutations/register.d.ts +9 -9
- package/dist/server/mutations/retrieve.d.ts +6 -6
- package/dist/server/mutations/retrieve.d.ts.map +1 -1
- package/dist/server/mutations/signature.d.ts +4 -4
- package/dist/server/mutations/signature.d.ts.map +1 -1
- package/dist/server/mutations/signin.d.ts +5 -5
- package/dist/server/mutations/signin.d.ts.map +1 -1
- package/dist/server/mutations/verify.d.ts +7 -7
- package/dist/server/signin.js +20 -1
- package/dist/server/signin.js.map +1 -1
- package/dist/server/version.d.ts +1 -1
- package/dist/server/version.js +1 -1
- package/dist/server/version.js.map +1 -1
- package/package.json +9 -5
- package/src/authorization/index.ts +37 -0
- package/src/client/index.ts +122 -0
- package/src/component/_generated/component.ts +64 -0
- package/src/component/index.ts +1 -1
- package/src/component/model.ts +2 -0
- package/src/component/public/factors.ts +3 -2
- package/src/component/public/groups.ts +142 -8
- package/src/component/public/identity.ts +9 -6
- package/src/component/schema.ts +14 -2
- package/src/server/auth.ts +9 -61
- package/src/server/domains/core.ts +235 -210
- package/src/server/index.ts +158 -75
- package/src/server/signin.ts +52 -0
- package/src/server/version.ts +1 -1
package/dist/server/index.js
CHANGED
|
@@ -12,7 +12,7 @@ const signInActionRef = makeFunctionReference("auth:signIn");
|
|
|
12
12
|
const signOutActionRef = makeFunctionReference("auth:signOut");
|
|
13
13
|
function requireSignedInUser(auth) {
|
|
14
14
|
return async (ctx) => {
|
|
15
|
-
return await auth.user.
|
|
15
|
+
return await auth.user.id(ctx);
|
|
16
16
|
};
|
|
17
17
|
}
|
|
18
18
|
function normalizeCreatorRoleIds(roles) {
|
|
@@ -58,19 +58,28 @@ function createMountedAdminAuthorizer(auth, options) {
|
|
|
58
58
|
const requireUserId = requireSignedInUser(auth);
|
|
59
59
|
return async (ctx, permission, target = {}) => {
|
|
60
60
|
const userId = await requireUserId(ctx);
|
|
61
|
-
if (
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
}
|
|
61
|
+
if (userId === null) return {
|
|
62
|
+
ok: false,
|
|
63
|
+
code: "NOT_SIGNED_IN"
|
|
64
|
+
};
|
|
65
|
+
if (!options?.admin?.authorized) return {
|
|
66
|
+
ok: false,
|
|
67
|
+
code: "FORBIDDEN"
|
|
68
|
+
};
|
|
65
69
|
const resolved = await resolveMountedEnterpriseTarget(auth, ctx, target);
|
|
66
|
-
await options.admin.authorized(ctx, {
|
|
70
|
+
const authResult = await options.admin.authorized(ctx, {
|
|
67
71
|
userId,
|
|
68
72
|
permission,
|
|
69
73
|
enterpriseId: resolved.enterpriseId,
|
|
70
74
|
groupId: resolved.groupId,
|
|
71
75
|
resolvedGroupId: resolved.resolvedGroupId
|
|
72
76
|
});
|
|
77
|
+
if (authResult && !authResult.ok) return {
|
|
78
|
+
ok: false,
|
|
79
|
+
code: "FORBIDDEN"
|
|
80
|
+
};
|
|
73
81
|
return {
|
|
82
|
+
ok: true,
|
|
74
83
|
userId,
|
|
75
84
|
...resolved
|
|
76
85
|
};
|
|
@@ -99,7 +108,12 @@ function sso(auth, options) {
|
|
|
99
108
|
domain: v.optional(v.string())
|
|
100
109
|
},
|
|
101
110
|
handler: async (ctx, args) => {
|
|
102
|
-
const
|
|
111
|
+
const authResult = await authorize(ctx, "sso.connection.create", { groupId: args.groupId });
|
|
112
|
+
if (!authResult.ok) return {
|
|
113
|
+
ok: false,
|
|
114
|
+
code: authResult.code
|
|
115
|
+
};
|
|
116
|
+
const { userId } = authResult;
|
|
103
117
|
const createsGroup = args.groupId === void 0;
|
|
104
118
|
const groupId = args.groupId ?? (await auth.group.create(ctx, {
|
|
105
119
|
name: args.name?.trim() || args.slug?.trim() || "Enterprise",
|
|
@@ -131,21 +145,21 @@ function sso(auth, options) {
|
|
|
131
145
|
get: queryGeneric({
|
|
132
146
|
args: { enterpriseId: v.string() },
|
|
133
147
|
handler: async (ctx, args) => {
|
|
134
|
-
await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
|
|
148
|
+
if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
|
|
135
149
|
return await auth.sso.admin.connection.get(ctx, args.enterpriseId);
|
|
136
150
|
}
|
|
137
151
|
}),
|
|
138
152
|
getByGroup: queryGeneric({
|
|
139
153
|
args: { groupId: v.string() },
|
|
140
154
|
handler: async (ctx, args) => {
|
|
141
|
-
await authorize(ctx, "sso.connection.read", { groupId: args.groupId });
|
|
155
|
+
if (!(await authorize(ctx, "sso.connection.read", { groupId: args.groupId })).ok) return null;
|
|
142
156
|
return await auth.sso.admin.connection.getByGroup(ctx, args.groupId);
|
|
143
157
|
}
|
|
144
158
|
}),
|
|
145
159
|
getByDomain: queryGeneric({
|
|
146
160
|
args: { domain: v.string() },
|
|
147
161
|
handler: async (ctx, args) => {
|
|
148
|
-
await authorize(ctx, "sso.connection.read", { domain: args.domain });
|
|
162
|
+
if (!(await authorize(ctx, "sso.connection.read", { domain: args.domain })).ok) return null;
|
|
149
163
|
return await auth.sso.admin.connection.getByDomain(ctx, args.domain);
|
|
150
164
|
}
|
|
151
165
|
}),
|
|
@@ -158,7 +172,7 @@ function sso(auth, options) {
|
|
|
158
172
|
order: v.optional(v.union(v.literal("asc"), v.literal("desc")))
|
|
159
173
|
},
|
|
160
174
|
handler: async (ctx, args) => {
|
|
161
|
-
await authorize(ctx, "sso.connection.read", { groupId: args.where?.groupId });
|
|
175
|
+
if (!(await authorize(ctx, "sso.connection.read", { groupId: args.where?.groupId })).ok) return null;
|
|
162
176
|
return await auth.sso.admin.connection.list(ctx, args);
|
|
163
177
|
}
|
|
164
178
|
}),
|
|
@@ -172,7 +186,11 @@ function sso(auth, options) {
|
|
|
172
186
|
})
|
|
173
187
|
},
|
|
174
188
|
handler: async (ctx, args) => {
|
|
175
|
-
await authorize(ctx, "sso.connection.manage", { enterpriseId: args.enterpriseId });
|
|
189
|
+
const _auth = await authorize(ctx, "sso.connection.manage", { enterpriseId: args.enterpriseId });
|
|
190
|
+
if (!_auth.ok) return {
|
|
191
|
+
ok: false,
|
|
192
|
+
code: _auth.code
|
|
193
|
+
};
|
|
176
194
|
await auth.sso.admin.connection.update(ctx, args.enterpriseId, args.data);
|
|
177
195
|
return {
|
|
178
196
|
ok: true,
|
|
@@ -183,14 +201,18 @@ function sso(auth, options) {
|
|
|
183
201
|
delete: mutationGeneric({
|
|
184
202
|
args: { enterpriseId: v.string() },
|
|
185
203
|
handler: async (ctx, args) => {
|
|
186
|
-
await authorize(ctx, "sso.connection.manage", { enterpriseId: args.enterpriseId });
|
|
204
|
+
const _auth = await authorize(ctx, "sso.connection.manage", { enterpriseId: args.enterpriseId });
|
|
205
|
+
if (!_auth.ok) return {
|
|
206
|
+
ok: false,
|
|
207
|
+
code: _auth.code
|
|
208
|
+
};
|
|
187
209
|
return await auth.sso.admin.connection.delete(ctx, args.enterpriseId);
|
|
188
210
|
}
|
|
189
211
|
}),
|
|
190
212
|
status: queryGeneric({
|
|
191
213
|
args: { enterpriseId: v.string() },
|
|
192
214
|
handler: async (ctx, args) => {
|
|
193
|
-
await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
|
|
215
|
+
if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
|
|
194
216
|
return await auth.sso.admin.connection.status(ctx, args.enterpriseId);
|
|
195
217
|
}
|
|
196
218
|
}),
|
|
@@ -198,14 +220,14 @@ function sso(auth, options) {
|
|
|
198
220
|
list: queryGeneric({
|
|
199
221
|
args: { enterpriseId: v.string() },
|
|
200
222
|
handler: async (ctx, args) => {
|
|
201
|
-
await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
|
|
223
|
+
if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
|
|
202
224
|
return await auth.sso.admin.connection.domain.list(ctx, args.enterpriseId);
|
|
203
225
|
}
|
|
204
226
|
}),
|
|
205
227
|
validate: queryGeneric({
|
|
206
228
|
args: { enterpriseId: v.string() },
|
|
207
229
|
handler: async (ctx, args) => {
|
|
208
|
-
await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
|
|
230
|
+
if (!(await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId })).ok) return null;
|
|
209
231
|
return await auth.sso.admin.connection.domain.validate(ctx, args.enterpriseId);
|
|
210
232
|
}
|
|
211
233
|
}),
|
|
@@ -215,7 +237,11 @@ function sso(auth, options) {
|
|
|
215
237
|
domains: v.array(enterpriseDomainInputValidator)
|
|
216
238
|
},
|
|
217
239
|
handler: async (ctx, args) => {
|
|
218
|
-
await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
|
|
240
|
+
const _auth = await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
|
|
241
|
+
if (!_auth.ok) return {
|
|
242
|
+
ok: false,
|
|
243
|
+
code: _auth.code
|
|
244
|
+
};
|
|
219
245
|
return await auth.sso.admin.connection.domain.set(ctx, args.enterpriseId, args.domains);
|
|
220
246
|
}
|
|
221
247
|
}),
|
|
@@ -223,14 +249,22 @@ function sso(auth, options) {
|
|
|
223
249
|
request: mutationGeneric({
|
|
224
250
|
args: enterpriseDomainVerificationInputValidator,
|
|
225
251
|
handler: async (ctx, args) => {
|
|
226
|
-
await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
|
|
252
|
+
const _auth = await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
|
|
253
|
+
if (!_auth.ok) return {
|
|
254
|
+
ok: false,
|
|
255
|
+
code: _auth.code
|
|
256
|
+
};
|
|
227
257
|
return await auth.sso.admin.connection.domain.verification.request(ctx, args);
|
|
228
258
|
}
|
|
229
259
|
}),
|
|
230
260
|
confirm: actionGeneric({
|
|
231
261
|
args: enterpriseDomainVerificationInputValidator,
|
|
232
262
|
handler: async (ctx, args) => {
|
|
233
|
-
await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
|
|
263
|
+
const _auth = await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
|
|
264
|
+
if (!_auth.ok) return {
|
|
265
|
+
ok: false,
|
|
266
|
+
code: _auth.code
|
|
267
|
+
};
|
|
234
268
|
return await auth.sso.admin.connection.domain.verification.confirm(ctx, args);
|
|
235
269
|
}
|
|
236
270
|
})
|
|
@@ -252,21 +286,29 @@ function sso(auth, options) {
|
|
|
252
286
|
extraFields: v.optional(v.record(v.string(), v.string()))
|
|
253
287
|
},
|
|
254
288
|
handler: async (ctx, args) => {
|
|
255
|
-
await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
|
|
289
|
+
const _auth = await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
|
|
290
|
+
if (!_auth.ok) return {
|
|
291
|
+
ok: false,
|
|
292
|
+
code: _auth.code
|
|
293
|
+
};
|
|
256
294
|
return await auth.sso.admin.oidc.configure(ctx, args);
|
|
257
295
|
}
|
|
258
296
|
}),
|
|
259
297
|
get: queryGeneric({
|
|
260
298
|
args: { enterpriseId: v.string() },
|
|
261
299
|
handler: async (ctx, args) => {
|
|
262
|
-
await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
|
|
300
|
+
if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
|
|
263
301
|
return await auth.sso.admin.oidc.get(ctx, args.enterpriseId);
|
|
264
302
|
}
|
|
265
303
|
}),
|
|
266
304
|
validate: actionGeneric({
|
|
267
305
|
args: { enterpriseId: v.string() },
|
|
268
306
|
handler: async (ctx, args) => {
|
|
269
|
-
await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
|
|
307
|
+
const _auth = await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
|
|
308
|
+
if (!_auth.ok) return {
|
|
309
|
+
ok: false,
|
|
310
|
+
code: _auth.code
|
|
311
|
+
};
|
|
270
312
|
return await auth.sso.admin.oidc.validate(ctx, args.enterpriseId);
|
|
271
313
|
}
|
|
272
314
|
})
|
|
@@ -283,14 +325,18 @@ function sso(auth, options) {
|
|
|
283
325
|
sp: v.optional(enterpriseSamlSpValidator)
|
|
284
326
|
},
|
|
285
327
|
handler: async (ctx, args) => {
|
|
286
|
-
await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
|
|
328
|
+
const _auth = await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
|
|
329
|
+
if (!_auth.ok) return {
|
|
330
|
+
ok: false,
|
|
331
|
+
code: _auth.code
|
|
332
|
+
};
|
|
287
333
|
return await auth.sso.admin.saml.configure(ctx, args);
|
|
288
334
|
}
|
|
289
335
|
}),
|
|
290
336
|
validate: queryGeneric({
|
|
291
337
|
args: { enterpriseId: v.string() },
|
|
292
338
|
handler: async (ctx, args) => {
|
|
293
|
-
await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
|
|
339
|
+
if (!(await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId })).ok) return null;
|
|
294
340
|
return await auth.sso.admin.saml.validate(ctx, args.enterpriseId);
|
|
295
341
|
}
|
|
296
342
|
})
|
|
@@ -299,7 +345,7 @@ function sso(auth, options) {
|
|
|
299
345
|
get: queryGeneric({
|
|
300
346
|
args: { enterpriseId: v.string() },
|
|
301
347
|
handler: async (ctx, args) => {
|
|
302
|
-
await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId });
|
|
348
|
+
if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
|
|
303
349
|
return await auth.sso.admin.policy.get(ctx, args.enterpriseId);
|
|
304
350
|
}
|
|
305
351
|
}),
|
|
@@ -309,14 +355,18 @@ function sso(auth, options) {
|
|
|
309
355
|
patch: enterprisePolicyPatchValidator
|
|
310
356
|
},
|
|
311
357
|
handler: async (ctx, args) => {
|
|
312
|
-
await authorize(ctx, "sso.policy.manage", { enterpriseId: args.enterpriseId });
|
|
358
|
+
const _auth = await authorize(ctx, "sso.policy.manage", { enterpriseId: args.enterpriseId });
|
|
359
|
+
if (!_auth.ok) return {
|
|
360
|
+
ok: false,
|
|
361
|
+
code: _auth.code
|
|
362
|
+
};
|
|
313
363
|
return await auth.sso.admin.policy.update(ctx, args.enterpriseId, args.patch);
|
|
314
364
|
}
|
|
315
365
|
}),
|
|
316
366
|
validate: queryGeneric({
|
|
317
367
|
args: { enterpriseId: v.string() },
|
|
318
368
|
handler: async (ctx, args) => {
|
|
319
|
-
await authorize(ctx, "sso.policy.manage", { enterpriseId: args.enterpriseId });
|
|
369
|
+
if (!(await authorize(ctx, "sso.policy.manage", { enterpriseId: args.enterpriseId })).ok) return null;
|
|
320
370
|
return await auth.sso.admin.policy.validate(ctx, args.enterpriseId);
|
|
321
371
|
}
|
|
322
372
|
})
|
|
@@ -328,10 +378,10 @@ function sso(auth, options) {
|
|
|
328
378
|
limit: v.optional(v.number())
|
|
329
379
|
},
|
|
330
380
|
handler: async (ctx, args) => {
|
|
331
|
-
await authorize(ctx, "sso.audit.read", {
|
|
381
|
+
if (!(await authorize(ctx, "sso.audit.read", {
|
|
332
382
|
enterpriseId: args.enterpriseId,
|
|
333
383
|
groupId: args.groupId
|
|
334
|
-
});
|
|
384
|
+
})).ok) return null;
|
|
335
385
|
return await auth.sso.admin.audit.list(ctx, args);
|
|
336
386
|
}
|
|
337
387
|
}) },
|
|
@@ -342,7 +392,7 @@ function sso(auth, options) {
|
|
|
342
392
|
limit: v.optional(v.number())
|
|
343
393
|
},
|
|
344
394
|
handler: async (ctx, args) => {
|
|
345
|
-
await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId });
|
|
395
|
+
if (!(await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId })).ok) return null;
|
|
346
396
|
return await auth.sso.admin.webhook.delivery.list(ctx, args);
|
|
347
397
|
}
|
|
348
398
|
}) },
|
|
@@ -356,7 +406,12 @@ function sso(auth, options) {
|
|
|
356
406
|
createdByUserId: v.optional(v.string())
|
|
357
407
|
},
|
|
358
408
|
handler: async (ctx, args) => {
|
|
359
|
-
const
|
|
409
|
+
const authResult = await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId });
|
|
410
|
+
if (!authResult.ok) return {
|
|
411
|
+
ok: false,
|
|
412
|
+
code: authResult.code
|
|
413
|
+
};
|
|
414
|
+
const { userId } = authResult;
|
|
360
415
|
return {
|
|
361
416
|
_id: (await auth.sso.admin.webhook.endpoint.create(ctx, {
|
|
362
417
|
...args,
|
|
@@ -374,7 +429,7 @@ function sso(auth, options) {
|
|
|
374
429
|
list: queryGeneric({
|
|
375
430
|
args: { enterpriseId: v.string() },
|
|
376
431
|
handler: async (ctx, args) => {
|
|
377
|
-
await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId });
|
|
432
|
+
if (!(await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId })).ok) return null;
|
|
378
433
|
return (await auth.sso.admin.webhook.endpoint.list(ctx, args.enterpriseId)).map((endpoint) => {
|
|
379
434
|
const { secretHash: _secretHash, ...rest } = endpoint;
|
|
380
435
|
return rest;
|
|
@@ -385,14 +440,18 @@ function sso(auth, options) {
|
|
|
385
440
|
args: { endpointId: v.string() },
|
|
386
441
|
handler: async (ctx, args) => {
|
|
387
442
|
const endpoint = await auth.sso.admin.webhook.endpoint.get(ctx, args.endpointId);
|
|
388
|
-
if (!endpoint)
|
|
389
|
-
|
|
390
|
-
|
|
391
|
-
}
|
|
392
|
-
await authorize(ctx, "sso.webhook.manage", {
|
|
443
|
+
if (!endpoint) return {
|
|
444
|
+
ok: false,
|
|
445
|
+
code: "INVALID_PARAMETERS"
|
|
446
|
+
};
|
|
447
|
+
const _auth = await authorize(ctx, "sso.webhook.manage", {
|
|
393
448
|
enterpriseId: endpoint.enterpriseId,
|
|
394
449
|
groupId: endpoint.groupId
|
|
395
450
|
});
|
|
451
|
+
if (!_auth.ok) return {
|
|
452
|
+
ok: false,
|
|
453
|
+
code: _auth.code
|
|
454
|
+
};
|
|
396
455
|
return await auth.sso.admin.webhook.endpoint.disable(ctx, args.endpointId);
|
|
397
456
|
}
|
|
398
457
|
})
|
|
@@ -439,21 +498,25 @@ function scim(auth, options) {
|
|
|
439
498
|
status: v.optional(enterpriseStatusValidator)
|
|
440
499
|
},
|
|
441
500
|
handler: async (ctx, args) => {
|
|
442
|
-
await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId });
|
|
501
|
+
const _auth = await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId });
|
|
502
|
+
if (!_auth.ok) return {
|
|
503
|
+
ok: false,
|
|
504
|
+
code: _auth.code
|
|
505
|
+
};
|
|
443
506
|
return await auth.scim.admin.configure(ctx, args);
|
|
444
507
|
}
|
|
445
508
|
}),
|
|
446
509
|
get: queryGeneric({
|
|
447
510
|
args: { enterpriseId: v.string() },
|
|
448
511
|
handler: async (ctx, args) => {
|
|
449
|
-
await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId });
|
|
512
|
+
if (!(await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId })).ok) return null;
|
|
450
513
|
return await auth.scim.admin.get(ctx, args.enterpriseId);
|
|
451
514
|
}
|
|
452
515
|
}),
|
|
453
516
|
validate: queryGeneric({
|
|
454
517
|
args: { enterpriseId: v.string() },
|
|
455
518
|
handler: async (ctx, args) => {
|
|
456
|
-
await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId });
|
|
519
|
+
if (!(await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId })).ok) return null;
|
|
457
520
|
return await auth.scim.admin.validate(ctx, args.enterpriseId);
|
|
458
521
|
}
|
|
459
522
|
})
|
|
@@ -702,6 +765,23 @@ function canParseUrl(value) {
|
|
|
702
765
|
return false;
|
|
703
766
|
}
|
|
704
767
|
}
|
|
768
|
+
function serializeAuthCookie(cookie) {
|
|
769
|
+
const parts = [`${cookie.name}=${cookie.value}`, `Path=${cookie.options.path}`];
|
|
770
|
+
if (cookie.options.httpOnly) parts.push("HttpOnly");
|
|
771
|
+
if (cookie.options.secure) parts.push("Secure");
|
|
772
|
+
if (cookie.options.sameSite) parts.push(`SameSite=${cookie.options.sameSite}`);
|
|
773
|
+
if (cookie.options.maxAge !== void 0) parts.push(`Max-Age=${cookie.options.maxAge}`);
|
|
774
|
+
if (cookie.options.expires) parts.push(`Expires=${cookie.options.expires.toUTCString()}`);
|
|
775
|
+
return parts.join("; ");
|
|
776
|
+
}
|
|
777
|
+
function buildRedirectResponse(location, cookies) {
|
|
778
|
+
const headers = new Headers({ Location: location });
|
|
779
|
+
for (const cookie of cookies) headers.append("Set-Cookie", serializeAuthCookie(cookie));
|
|
780
|
+
return new Response(null, {
|
|
781
|
+
status: 302,
|
|
782
|
+
headers
|
|
783
|
+
});
|
|
784
|
+
}
|
|
705
785
|
function deriveCookieNamespaceFromUrl(url) {
|
|
706
786
|
if (!canParseUrl(url)) return DERIVED_COOKIE_NAMESPACE_FALLBACK;
|
|
707
787
|
const parsed = new URL(url);
|
|
@@ -1031,6 +1111,7 @@ function server(options) {
|
|
|
1031
1111
|
const corsDispatch = originHeader !== null && (originUrl === null || originUrl.host !== normalizedHost || originUrl.protocol !== protocol) ? { kind: "crossOrigin" } : { kind: "sameOrigin" };
|
|
1032
1112
|
const corsRefreshResult = await Fx.run(Fx.match(corsDispatch, corsDispatch.kind, {
|
|
1033
1113
|
crossOrigin: () => ({
|
|
1114
|
+
redirect: false,
|
|
1034
1115
|
cookies: [],
|
|
1035
1116
|
token: null
|
|
1036
1117
|
}),
|
|
@@ -1070,32 +1151,33 @@ function server(options) {
|
|
|
1070
1151
|
}).pipe(Fx.fold({
|
|
1071
1152
|
ok: (result) => {
|
|
1072
1153
|
redirectUrl.searchParams.delete("code");
|
|
1154
|
+
const cookies = structuredAuthCookies({
|
|
1155
|
+
token: result.tokens?.token ?? null,
|
|
1156
|
+
refreshToken: result.tokens?.refreshToken ?? null,
|
|
1157
|
+
verifier: null
|
|
1158
|
+
}, host, cookieConfig, cookieNamespace);
|
|
1073
1159
|
return {
|
|
1074
|
-
|
|
1075
|
-
|
|
1076
|
-
refreshToken: result.tokens?.refreshToken ?? null,
|
|
1077
|
-
verifier: null
|
|
1078
|
-
}, host, cookieConfig, cookieNamespace),
|
|
1079
|
-
redirect: redirectUrl.toString(),
|
|
1080
|
-
token: result.tokens?.token ?? null
|
|
1160
|
+
redirect: true,
|
|
1161
|
+
response: buildRedirectResponse(redirectUrl.toString(), cookies)
|
|
1081
1162
|
};
|
|
1082
1163
|
},
|
|
1083
1164
|
err: (error) => {
|
|
1084
1165
|
console.error("[convex-auth/server] code exchange failed", error);
|
|
1085
1166
|
const errorCode = error instanceof ConvexError && typeof error.data === "object" && error.data !== null && typeof error.data.code === "string" ? error.data.code : null;
|
|
1086
1167
|
if (!(errorCode === "OAUTH_INVALID_STATE" || errorCode === "OAUTH_PROVIDER_ERROR" || errorCode === "OAUTH_MISSING_ID_TOKEN" || errorCode === "OAUTH_INVALID_PROFILE" || errorCode === "OAUTH_MISSING_VERIFIER" || errorCode === "INVALID_VERIFIER" || errorCode === "INVALID_VERIFICATION_CODE")) return {
|
|
1168
|
+
redirect: false,
|
|
1087
1169
|
cookies: [],
|
|
1088
1170
|
token: currentCookies.token
|
|
1089
1171
|
};
|
|
1090
1172
|
redirectUrl.searchParams.delete("code");
|
|
1173
|
+
const cookies = structuredAuthCookies({
|
|
1174
|
+
token: currentCookies.token,
|
|
1175
|
+
refreshToken: currentCookies.refreshToken,
|
|
1176
|
+
verifier: null
|
|
1177
|
+
}, host, cookieConfig, cookieNamespace);
|
|
1091
1178
|
return {
|
|
1092
|
-
|
|
1093
|
-
|
|
1094
|
-
refreshToken: currentCookies.refreshToken,
|
|
1095
|
-
verifier: null
|
|
1096
|
-
}, host, cookieConfig, cookieNamespace),
|
|
1097
|
-
redirect: redirectUrl.toString(),
|
|
1098
|
-
token: currentCookies.token
|
|
1179
|
+
redirect: true,
|
|
1180
|
+
response: buildRedirectResponse(redirectUrl.toString(), cookies)
|
|
1099
1181
|
};
|
|
1100
1182
|
}
|
|
1101
1183
|
})));
|
|
@@ -1264,10 +1346,12 @@ function server(options) {
|
|
|
1264
1346
|
});
|
|
1265
1347
|
}));
|
|
1266
1348
|
if (tokens === void 0) return {
|
|
1349
|
+
redirect: false,
|
|
1267
1350
|
cookies: [],
|
|
1268
1351
|
token: currentToken
|
|
1269
1352
|
};
|
|
1270
1353
|
return {
|
|
1354
|
+
redirect: false,
|
|
1271
1355
|
cookies: structuredAuthCookies({
|
|
1272
1356
|
token: tokens?.token ?? null,
|
|
1273
1357
|
refreshToken: tokens?.refreshToken ?? null,
|