npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.2 → 0.0.4-preview.21 - Mend

@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (798) hide show

package/README.md +67 -26
package/dist/authorization/index.d.ts +63 -0
package/dist/authorization/index.d.ts.map +1 -0
package/dist/authorization/index.js +63 -0
package/dist/authorization/index.js.map +1 -0
package/dist/bin.js +6185 -0
package/dist/client/core/types.d.ts +20 -0
package/dist/client/core/types.d.ts.map +1 -0
package/dist/client/index.d.ts +2 -299
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +407 -534
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +42 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +2546 -90
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/client/core/types.d.ts +2 -0
package/dist/component/client/index.d.ts +2 -0
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/functions.d.ts +11 -9
package/dist/component/functions.d.ts.map +1 -1
package/dist/component/functions.js.map +1 -1
package/dist/component/index.d.ts +7 -11
package/dist/component/index.js +2 -3
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +349 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/anonymous.d.ts +54 -0
package/dist/component/providers/anonymous.d.ts.map +1 -0
package/dist/component/providers/credentials.d.ts +5 -5
package/dist/component/providers/credentials.d.ts.map +1 -1
package/dist/component/providers/device.d.ts +67 -0
package/dist/component/providers/device.d.ts.map +1 -0
package/dist/component/providers/email.d.ts +62 -0
package/dist/component/providers/email.d.ts.map +1 -0
package/dist/component/providers/oauth.d.ts.map +1 -1
package/dist/component/providers/oauth.js.map +1 -1
package/dist/component/providers/passkey.d.ts +57 -0
package/dist/component/providers/passkey.d.ts.map +1 -0
package/dist/component/providers/password.d.ts +88 -0
package/dist/component/providers/password.d.ts.map +1 -0
package/dist/component/providers/phone.d.ts +48 -0
package/dist/component/providers/phone.d.ts.map +1 -0
package/dist/component/providers/sso.d.ts +50 -0
package/dist/component/providers/sso.d.ts.map +1 -0
package/dist/component/providers/totp.d.ts +45 -0
package/dist/component/providers/totp.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.d.ts +73 -0
package/dist/component/public/enterprise/audit.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.js +108 -0
package/dist/component/public/enterprise/audit.js.map +1 -0
package/dist/component/public/enterprise/core.d.ts +176 -0
package/dist/component/public/enterprise/core.d.ts.map +1 -0
package/dist/component/public/enterprise/core.js +292 -0
package/dist/component/public/enterprise/core.js.map +1 -0
package/dist/component/public/enterprise/domains.d.ts +174 -0
package/dist/component/public/enterprise/domains.d.ts.map +1 -0
package/dist/component/public/enterprise/domains.js +271 -0
package/dist/component/public/enterprise/domains.js.map +1 -0
package/dist/component/public/enterprise/scim.d.ts +245 -0
package/dist/component/public/enterprise/scim.d.ts.map +1 -0
package/dist/component/public/enterprise/scim.js +344 -0
package/dist/component/public/enterprise/scim.js.map +1 -0
package/dist/component/public/enterprise/secrets.d.ts +78 -0
package/dist/component/public/enterprise/secrets.d.ts.map +1 -0
package/dist/component/public/enterprise/secrets.js +118 -0
package/dist/component/public/enterprise/secrets.js.map +1 -0
package/dist/component/public/enterprise/webhooks.d.ts +211 -0
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -0
package/dist/component/public/enterprise/webhooks.js +300 -0
package/dist/component/public/enterprise/webhooks.js.map +1 -0
package/dist/component/public/factors/devices.d.ts +157 -0
package/dist/component/public/factors/devices.d.ts.map +1 -0
package/dist/component/public/factors/devices.js +216 -0
package/dist/component/public/factors/devices.js.map +1 -0
package/dist/component/public/factors/passkeys.d.ts +175 -0
package/dist/component/public/factors/passkeys.d.ts.map +1 -0
package/dist/component/public/factors/passkeys.js +238 -0
package/dist/component/public/factors/passkeys.js.map +1 -0
package/dist/component/public/factors/totp.d.ts +189 -0
package/dist/component/public/factors/totp.d.ts.map +1 -0
package/dist/component/public/factors/totp.js +254 -0
package/dist/component/public/factors/totp.js.map +1 -0
package/dist/component/public/groups/core.d.ts +137 -0
package/dist/component/public/groups/core.d.ts.map +1 -0
package/dist/component/public/groups/core.js +321 -0
package/dist/component/public/groups/core.js.map +1 -0
package/dist/component/public/groups/invites.d.ts +217 -0
package/dist/component/public/groups/invites.d.ts.map +1 -0
package/dist/component/public/groups/invites.js +457 -0
package/dist/component/public/groups/invites.js.map +1 -0
package/dist/component/public/groups/members.d.ts +204 -0
package/dist/component/public/groups/members.d.ts.map +1 -0
package/dist/component/public/groups/members.js +355 -0
package/dist/component/public/groups/members.js.map +1 -0
package/dist/component/public/identity/accounts.d.ts +147 -0
package/dist/component/public/identity/accounts.d.ts.map +1 -0
package/dist/component/public/identity/accounts.js +200 -0
package/dist/component/public/identity/accounts.js.map +1 -0
package/dist/component/public/identity/codes.d.ts +104 -0
package/dist/component/public/identity/codes.d.ts.map +1 -0
package/dist/component/public/identity/codes.js +140 -0
package/dist/component/public/identity/codes.js.map +1 -0
package/dist/component/public/identity/sessions.d.ts +128 -0
package/dist/component/public/identity/sessions.d.ts.map +1 -0
package/dist/component/public/identity/sessions.js +192 -0
package/dist/component/public/identity/sessions.js.map +1 -0
package/dist/component/public/identity/tokens.d.ts +169 -0
package/dist/component/public/identity/tokens.d.ts.map +1 -0
package/dist/component/public/identity/tokens.js +227 -0
package/dist/component/public/identity/tokens.js.map +1 -0
package/dist/component/public/identity/users.d.ts +212 -0
package/dist/component/public/identity/users.d.ts.map +1 -0
package/dist/component/public/identity/users.js +311 -0
package/dist/component/public/identity/users.js.map +1 -0
package/dist/component/public/identity/verifiers.d.ts +116 -0
package/dist/component/public/identity/verifiers.d.ts.map +1 -0
package/dist/component/public/identity/verifiers.js +154 -0
package/dist/component/public/identity/verifiers.js.map +1 -0
package/dist/component/public/security/keys.d.ts +209 -0
package/dist/component/public/security/keys.d.ts.map +1 -0
package/dist/component/public/security/keys.js +319 -0
package/dist/component/public/security/keys.js.map +1 -0
package/dist/component/public/security/limits.d.ts +114 -0
package/dist/component/public/security/limits.d.ts.map +1 -0
package/dist/component/public/security/limits.js +169 -0
package/dist/component/public/security/limits.js.map +1 -0
package/dist/component/public.d.ts +24 -271
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +21 -1229
package/dist/component/schema.d.ts +473 -110
package/dist/component/schema.js +162 -73
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +318 -373
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +204 -123
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/authError.js +34 -0
package/dist/component/server/authError.js.map +1 -0
package/dist/component/server/{providers.js → config.js} +43 -12
package/dist/component/server/config.js.map +1 -0
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/core.js +713 -0
package/dist/component/server/core.js.map +1 -0
package/dist/component/server/crypto.js +38 -0
package/dist/component/server/crypto.js.map +1 -0
package/dist/component/server/{implementation/db.js → db.js} +2 -1
package/dist/component/server/db.js.map +1 -0
package/dist/component/server/device.js +109 -0
package/dist/component/server/device.js.map +1 -0
package/dist/component/server/enterprise/config.js +46 -0
package/dist/component/server/enterprise/config.js.map +1 -0
package/dist/component/server/enterprise/domain.js +885 -0
package/dist/component/server/enterprise/domain.js.map +1 -0
package/dist/component/server/enterprise/http.js +766 -0
package/dist/component/server/enterprise/http.js.map +1 -0
package/dist/component/server/enterprise/oidc.js +248 -0
package/dist/component/server/enterprise/oidc.js.map +1 -0
package/dist/component/server/enterprise/policy.js +85 -0
package/dist/component/server/enterprise/policy.js.map +1 -0
package/dist/component/server/enterprise/saml.js +338 -0
package/dist/component/server/enterprise/saml.js.map +1 -0
package/dist/component/server/enterprise/scim.js +97 -0
package/dist/component/server/enterprise/scim.js.map +1 -0
package/dist/component/server/enterprise/shared.js +51 -0
package/dist/component/server/enterprise/shared.js.map +1 -0
package/dist/component/server/errors.d.ts +1 -0
package/dist/component/server/errors.js +24 -16
package/dist/component/server/errors.js.map +1 -1
package/dist/component/server/http.js +288 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/{server/implementation → component/server}/keys.js +9 -31
package/dist/component/server/keys.js.map +1 -0
package/dist/component/server/limits.js +61 -0
package/dist/component/server/limits.js.map +1 -0
package/dist/component/server/mutations/account.js +44 -0
package/dist/component/server/mutations/account.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/component/server/mutations/code.js.map +1 -0
package/dist/component/server/mutations/invalidate.js +32 -0
package/dist/component/server/mutations/invalidate.js.map +1 -0
package/dist/component/server/mutations/oauth.js +110 -0
package/dist/component/server/mutations/oauth.js.map +1 -0
package/dist/component/server/mutations/refresh.js +119 -0
package/dist/component/server/mutations/refresh.js.map +1 -0
package/dist/component/server/mutations/register.js +83 -0
package/dist/component/server/mutations/register.js.map +1 -0
package/dist/component/server/mutations/retrieve.js +65 -0
package/dist/component/server/mutations/retrieve.js.map +1 -0
package/dist/component/server/mutations/signature.js +32 -0
package/dist/component/server/mutations/signature.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/component/server/mutations/signin.js.map +1 -0
package/dist/component/server/mutations/signout.js +27 -0
package/dist/component/server/mutations/signout.js.map +1 -0
package/dist/component/server/mutations/store/refs.js +15 -0
package/dist/component/server/mutations/store/refs.js.map +1 -0
package/dist/component/server/mutations/store.js +85 -0
package/dist/component/server/mutations/store.js.map +1 -0
package/dist/component/server/mutations/verifier.js +18 -0
package/dist/component/server/mutations/verifier.js.map +1 -0
package/dist/component/server/mutations/verify.js +98 -0
package/dist/component/server/mutations/verify.js.map +1 -0
package/dist/component/server/oauth.js +106 -60
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +328 -0
package/dist/component/server/passkey.js.map +1 -0
package/dist/{server/implementation → component/server}/redirects.js +13 -11
package/dist/component/server/redirects.js.map +1 -0
package/dist/component/server/refresh.js +96 -0
package/dist/component/server/refresh.js.map +1 -0
package/dist/component/server/runtime.d.ts +136 -0
package/dist/component/server/runtime.d.ts.map +1 -0
package/dist/component/server/runtime.js +413 -0
package/dist/component/server/runtime.js.map +1 -0
package/dist/{server/implementation → component/server}/sessions.js +14 -8
package/dist/component/server/sessions.js.map +1 -0
package/dist/component/server/signin.js +201 -0
package/dist/component/server/signin.js.map +1 -0
package/dist/component/server/tokens.js +17 -0
package/dist/component/server/tokens.js.map +1 -0
package/dist/component/server/totp.js +148 -0
package/dist/component/server/totp.js.map +1 -0
package/dist/component/server/types.d.ts +387 -298
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/{implementation/types.js → types.js} +1 -1
package/dist/component/server/types.js.map +1 -0
package/dist/component/server/{implementation/users.js → users.js} +54 -35
package/dist/component/server/users.js.map +1 -0
package/dist/component/server/utils.js +110 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +369 -0
package/dist/core/types.d.ts.map +1 -0
package/dist/factors/device.js +105 -0
package/dist/factors/device.js.map +1 -0
package/dist/factors/passkey.js +181 -0
package/dist/factors/passkey.js.map +1 -0
package/dist/factors/totp.js +122 -0
package/dist/factors/totp.js.map +1 -0
package/dist/providers/anonymous.d.ts +3 -9
package/dist/providers/anonymous.d.ts.map +1 -1
package/dist/providers/anonymous.js +1 -18
package/dist/providers/anonymous.js.map +1 -1
package/dist/providers/credentials.d.ts +8 -10
package/dist/providers/credentials.d.ts.map +1 -1
package/dist/providers/credentials.js +3 -5
package/dist/providers/credentials.js.map +1 -1
package/dist/providers/device.d.ts +18 -10
package/dist/providers/device.d.ts.map +1 -1
package/dist/providers/device.js +4 -8
package/dist/providers/device.js.map +1 -1
package/dist/providers/email.d.ts +50 -23
package/dist/providers/email.d.ts.map +1 -1
package/dist/providers/email.js +58 -34
package/dist/providers/email.js.map +1 -1
package/dist/providers/index.d.ts +7 -3
package/dist/providers/index.js +4 -1
package/dist/providers/oauth.d.ts.map +1 -1
package/dist/providers/oauth.js.map +1 -1
package/dist/providers/passkey.d.ts +12 -9
package/dist/providers/passkey.d.ts.map +1 -1
package/dist/providers/passkey.js +1 -7
package/dist/providers/passkey.js.map +1 -1
package/dist/providers/password.d.ts +6 -12
package/dist/providers/password.d.ts.map +1 -1
package/dist/providers/password.js +189 -89
package/dist/providers/password.js.map +1 -1
package/dist/providers/phone.d.ts +40 -11
package/dist/providers/phone.d.ts.map +1 -1
package/dist/providers/phone.js +52 -21
package/dist/providers/phone.js.map +1 -1
package/dist/providers/sso.d.ts +50 -0
package/dist/providers/sso.d.ts.map +1 -0
package/dist/providers/sso.js +34 -0
package/dist/providers/sso.js.map +1 -0
package/dist/providers/totp.d.ts +12 -9
package/dist/providers/totp.d.ts.map +1 -1
package/dist/providers/totp.js +1 -7
package/dist/providers/totp.js.map +1 -1
package/dist/runtime/browser.js +68 -0
package/dist/runtime/browser.js.map +1 -0
package/dist/runtime/invite.js +51 -0
package/dist/runtime/invite.js.map +1 -0
package/dist/runtime/proxy.js +70 -0
package/dist/runtime/proxy.js.map +1 -0
package/dist/runtime/storage.js +37 -0
package/dist/runtime/storage.js.map +1 -0
package/dist/server/auth.d.ts +335 -370
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +204 -123
package/dist/server/auth.js.map +1 -1
package/dist/server/authError.d.ts +46 -0
package/dist/server/authError.d.ts.map +1 -0
package/dist/server/authError.js +34 -0
package/dist/server/authError.js.map +1 -0
package/dist/server/config.d.ts +1 -0
package/dist/server/{providers.js → config.js} +43 -12
package/dist/server/config.js.map +1 -0
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/core.d.ts +1436 -0
package/dist/server/core.d.ts.map +1 -0
package/dist/server/core.js +713 -0
package/dist/server/core.js.map +1 -0
package/dist/server/crypto.d.ts +8 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +38 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/db.d.ts +1 -0
package/dist/server/{implementation/db.js → db.js} +2 -1
package/dist/server/db.js.map +1 -0
package/dist/server/device.d.ts +1 -0
package/dist/server/device.js +109 -0
package/dist/server/device.js.map +1 -0
package/dist/server/enterprise/config.d.ts +1 -0
package/dist/server/enterprise/config.js +46 -0
package/dist/server/enterprise/config.js.map +1 -0
package/dist/server/enterprise/domain.d.ts +409 -0
package/dist/server/enterprise/domain.d.ts.map +1 -0
package/dist/server/enterprise/domain.js +885 -0
package/dist/server/enterprise/domain.js.map +1 -0
package/dist/server/enterprise/http.d.ts +26 -0
package/dist/server/enterprise/http.d.ts.map +1 -0
package/dist/server/enterprise/http.js +766 -0
package/dist/server/enterprise/http.js.map +1 -0
package/dist/server/enterprise/oidc.d.ts +1 -0
package/dist/server/enterprise/oidc.js +248 -0
package/dist/server/enterprise/oidc.js.map +1 -0
package/dist/server/enterprise/policy.d.ts +1 -0
package/dist/server/enterprise/policy.js +85 -0
package/dist/server/enterprise/policy.js.map +1 -0
package/dist/server/enterprise/saml.d.ts +1 -0
package/dist/server/enterprise/saml.js +338 -0
package/dist/server/enterprise/saml.js.map +1 -0
package/dist/server/enterprise/scim.d.ts +1 -0
package/dist/server/enterprise/scim.js +97 -0
package/dist/server/enterprise/scim.js.map +1 -0
package/dist/server/enterprise/shared.d.ts +5 -0
package/dist/server/enterprise/shared.d.ts.map +1 -0
package/dist/server/enterprise/shared.js +51 -0
package/dist/server/enterprise/shared.js.map +1 -0
package/dist/server/enterprise/validators.d.ts +1 -0
package/dist/server/enterprise/validators.js +60 -0
package/dist/server/enterprise/validators.js.map +1 -0
package/dist/server/errors.d.ts +33 -1
package/dist/server/errors.d.ts.map +1 -1
package/dist/server/errors.js +44 -1
package/dist/server/errors.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +288 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +4 -182
package/dist/server/index.js +4 -376
package/dist/server/keys.d.ts +1 -0
package/dist/{component/server/implementation → server}/keys.js +9 -31
package/dist/server/keys.js.map +1 -0
package/dist/server/limits.d.ts +1 -0
package/dist/server/limits.js +61 -0
package/dist/server/limits.js.map +1 -0
package/dist/server/mounts.d.ts +647 -0
package/dist/server/mounts.d.ts.map +1 -0
package/dist/server/mounts.js +643 -0
package/dist/server/mounts.js.map +1 -0
package/dist/server/mutations/account.d.ts +30 -0
package/dist/server/mutations/account.d.ts.map +1 -0
package/dist/server/mutations/account.js +44 -0
package/dist/server/mutations/account.js.map +1 -0
package/dist/server/mutations/code.d.ts +30 -0
package/dist/server/mutations/code.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/server/mutations/code.js.map +1 -0
package/dist/server/mutations/index.d.ts +14 -0
package/dist/server/mutations/index.js +15 -0
package/dist/server/mutations/invalidate.d.ts +20 -0
package/dist/server/mutations/invalidate.d.ts.map +1 -0
package/dist/server/mutations/invalidate.js +32 -0
package/dist/server/mutations/invalidate.js.map +1 -0
package/dist/server/mutations/oauth.d.ts +28 -0
package/dist/server/mutations/oauth.d.ts.map +1 -0
package/dist/server/mutations/oauth.js +110 -0
package/dist/server/mutations/oauth.js.map +1 -0
package/dist/server/mutations/refresh.d.ts +21 -0
package/dist/server/mutations/refresh.d.ts.map +1 -0
package/dist/server/mutations/refresh.js +119 -0
package/dist/server/mutations/refresh.js.map +1 -0
package/dist/server/mutations/register.d.ts +38 -0
package/dist/server/mutations/register.d.ts.map +1 -0
package/dist/server/mutations/register.js +83 -0
package/dist/server/mutations/register.js.map +1 -0
package/dist/server/mutations/retrieve.d.ts +33 -0
package/dist/server/mutations/retrieve.d.ts.map +1 -0
package/dist/server/mutations/retrieve.js +65 -0
package/dist/server/mutations/retrieve.js.map +1 -0
package/dist/server/mutations/signature.d.ts +22 -0
package/dist/server/mutations/signature.d.ts.map +1 -0
package/dist/server/mutations/signature.js +32 -0
package/dist/server/mutations/signature.js.map +1 -0
package/dist/server/mutations/signin.d.ts +22 -0
package/dist/server/mutations/signin.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/server/mutations/signin.js.map +1 -0
package/dist/server/mutations/signout.d.ts +16 -0
package/dist/server/mutations/signout.d.ts.map +1 -0
package/dist/server/mutations/signout.js +27 -0
package/dist/server/mutations/signout.js.map +1 -0
package/dist/server/mutations/store/refs.d.ts +12 -0
package/dist/server/mutations/store/refs.d.ts.map +1 -0
package/dist/server/mutations/store/refs.js +15 -0
package/dist/server/mutations/store/refs.js.map +1 -0
package/dist/server/mutations/store.d.ts +306 -0
package/dist/server/mutations/store.d.ts.map +1 -0
package/dist/server/mutations/store.js +85 -0
package/dist/server/mutations/store.js.map +1 -0
package/dist/server/mutations/verifier.d.ts +13 -0
package/dist/server/mutations/verifier.d.ts.map +1 -0
package/dist/server/mutations/verifier.js +18 -0
package/dist/server/mutations/verifier.js.map +1 -0
package/dist/server/mutations/verify.d.ts +26 -0
package/dist/server/mutations/verify.d.ts.map +1 -0
package/dist/server/mutations/verify.js +98 -0
package/dist/server/mutations/verify.js.map +1 -0
package/dist/server/oauth.d.ts +1 -48
package/dist/server/oauth.js +107 -64
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +27 -0
package/dist/server/passkey.d.ts.map +1 -0
package/dist/server/passkey.js +328 -0
package/dist/server/passkey.js.map +1 -0
package/dist/server/redirects.d.ts +1 -0
package/dist/{component/server/implementation → server}/redirects.js +13 -11
package/dist/server/redirects.js.map +1 -0
package/dist/server/refresh.d.ts +1 -0
package/dist/server/refresh.js +96 -0
package/dist/server/refresh.js.map +1 -0
package/dist/server/runtime.d.ts +136 -0
package/dist/server/runtime.d.ts.map +1 -0
package/dist/server/runtime.js +413 -0
package/dist/server/runtime.js.map +1 -0
package/dist/server/sessions.d.ts +1 -0
package/dist/{component/server/implementation → server}/sessions.js +14 -8
package/dist/server/sessions.js.map +1 -0
package/dist/server/signin.d.ts +1 -0
package/dist/server/signin.js +201 -0
package/dist/server/signin.js.map +1 -0
package/dist/server/ssr.d.ts +226 -0
package/dist/server/ssr.d.ts.map +1 -0
package/dist/server/ssr.js +786 -0
package/dist/server/ssr.js.map +1 -0
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +2 -1
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -0
package/dist/server/tokens.js +17 -0
package/dist/server/tokens.js.map +1 -0
package/dist/server/totp.d.ts +1 -0
package/dist/server/totp.js +148 -0
package/dist/server/totp.js.map +1 -0
package/dist/server/types.d.ts +498 -306
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +108 -1
package/dist/server/types.js.map +1 -0
package/dist/server/users.d.ts +1 -0
package/dist/server/{implementation/users.js → users.js} +54 -35
package/dist/server/users.js.map +1 -0
package/dist/server/utils.d.ts +1 -6
package/dist/server/utils.js +110 -4
package/dist/server/utils.js.map +1 -1
package/package.json +49 -46
package/src/authorization/index.ts +83 -0
package/src/cli/bin.ts +5 -0
package/src/cli/command.ts +6 -5
package/src/cli/index.ts +456 -248
package/src/cli/keys.ts +3 -0
package/src/client/core/types.ts +437 -0
package/src/client/factors/device.ts +160 -0
package/src/client/factors/passkey.ts +282 -0
package/src/client/factors/totp.ts +150 -0
package/src/client/index.ts +745 -989
package/src/client/runtime/browser.ts +112 -0
package/src/client/runtime/invite.ts +65 -0
package/src/client/runtime/proxy.ts +111 -0
package/src/client/runtime/storage.ts +79 -0
package/src/component/_generated/api.ts +42 -0
package/src/component/_generated/component.ts +3123 -102
package/src/component/functions.ts +38 -22
package/src/component/index.ts +10 -20
package/src/component/model.ts +449 -0
package/src/component/public/enterprise/audit.ts +120 -0
package/src/component/public/enterprise/core.ts +354 -0
package/src/component/public/enterprise/domains.ts +323 -0
package/src/component/public/enterprise/scim.ts +396 -0
package/src/component/public/enterprise/secrets.ts +132 -0
package/src/component/public/enterprise/webhooks.ts +306 -0
package/src/component/public/factors/devices.ts +223 -0
package/src/component/public/factors/passkeys.ts +242 -0
package/src/component/public/factors/totp.ts +258 -0
package/src/component/public/groups/core.ts +481 -0
package/src/component/public/groups/invites.ts +602 -0
package/src/component/public/groups/members.ts +409 -0
package/src/component/public/identity/accounts.ts +206 -0
package/src/component/public/identity/codes.ts +148 -0
package/src/component/public/identity/sessions.ts +209 -0
package/src/component/public/identity/tokens.ts +250 -0
package/src/component/public/identity/users.ts +354 -0
package/src/component/public/identity/verifiers.ts +157 -0
package/src/component/public/security/keys.ts +365 -0
package/src/component/public/security/limits.ts +173 -0
package/src/component/public.ts +26 -1766
package/src/component/schema.ts +273 -100
package/src/providers/anonymous.ts +10 -20
package/src/providers/credentials.ts +14 -22
package/src/providers/device.ts +3 -14
package/src/providers/email.ts +83 -47
package/src/providers/index.ts +7 -0
package/src/providers/oauth.ts +5 -3
package/src/providers/passkey.ts +0 -13
package/src/providers/password.ts +307 -130
package/src/providers/phone.ts +81 -37
package/src/providers/sso.ts +54 -0
package/src/providers/totp.ts +0 -13
package/src/samlify.d.ts +53 -0
package/src/server/auth.ts +701 -247
package/src/server/authError.ts +44 -0
package/src/server/{providers.ts → config.ts} +84 -15
package/src/server/cookies.ts +8 -1
package/src/server/core.ts +2095 -0
package/src/server/crypto.ts +88 -0
package/src/server/{implementation/db.ts → db.ts} +90 -15
package/src/server/device.ts +221 -0
package/src/server/enterprise/config.ts +51 -0
package/src/server/enterprise/domain.ts +1751 -0
package/src/server/enterprise/http.ts +1324 -0
package/src/server/enterprise/oidc.ts +500 -0
package/src/server/enterprise/policy.ts +128 -0
package/src/server/enterprise/saml.ts +578 -0
package/src/server/enterprise/scim.ts +135 -0
package/src/server/enterprise/shared.ts +134 -0
package/src/server/enterprise/validators.ts +93 -0
package/src/server/errors.ts +130 -119
package/src/server/http.ts +531 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +32 -650
package/src/server/{implementation/keys.ts → keys.ts} +16 -44
package/src/server/limits.ts +134 -0
package/src/server/mounts.ts +948 -0
package/src/server/mutations/account.ts +76 -0
package/src/server/{implementation/mutations → mutations}/code.ts +22 -11
package/src/server/mutations/index.ts +13 -0
package/src/server/mutations/invalidate.ts +50 -0
package/src/server/mutations/oauth.ts +237 -0
package/src/server/mutations/refresh.ts +298 -0
package/src/server/mutations/register.ts +200 -0
package/src/server/mutations/retrieve.ts +109 -0
package/src/server/mutations/signature.ts +50 -0
package/src/server/{implementation/mutations → mutations}/signin.ts +9 -7
package/src/server/mutations/signout.ts +43 -0
package/src/server/mutations/store/refs.ts +10 -0
package/src/server/mutations/store.ts +138 -0
package/src/server/mutations/verifier.ts +34 -0
package/src/server/mutations/verify.ts +202 -0
package/src/server/oauth.ts +243 -131
package/src/server/passkey.ts +784 -0
package/src/server/{implementation/redirects.ts → redirects.ts} +21 -16
package/src/server/refresh.ts +222 -0
package/src/server/runtime.ts +880 -0
package/src/server/{implementation/sessions.ts → sessions.ts} +33 -25
package/src/server/signin.ts +438 -0
package/src/server/ssr.ts +1764 -0
package/src/server/templates.ts +8 -3
package/src/server/{implementation/tokens.ts → tokens.ts} +11 -5
package/src/server/totp.ts +349 -0
package/src/server/types.ts +972 -207
package/src/server/{implementation/users.ts → users.ts} +129 -75
package/src/server/utils.ts +192 -5
package/src/test.ts +28 -4
package/dist/bin.cjs +0 -27757
package/dist/component/providers/email.js +0 -47
package/dist/component/providers/email.js.map +0 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation/db.js.map +0 -1
package/dist/component/server/implementation/device.js +0 -135
package/dist/component/server/implementation/device.js.map +0 -1
package/dist/component/server/implementation/index.d.ts +0 -870
package/dist/component/server/implementation/index.d.ts.map +0 -1
package/dist/component/server/implementation/index.js +0 -610
package/dist/component/server/implementation/index.js.map +0 -1
package/dist/component/server/implementation/keys.js.map +0 -1
package/dist/component/server/implementation/mutations/account.js +0 -39
package/dist/component/server/implementation/mutations/account.js.map +0 -1
package/dist/component/server/implementation/mutations/code.js.map +0 -1
package/dist/component/server/implementation/mutations/index.js +0 -70
package/dist/component/server/implementation/mutations/index.js.map +0 -1
package/dist/component/server/implementation/mutations/invalidate.js +0 -29
package/dist/component/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/component/server/implementation/mutations/oauth.js +0 -51
package/dist/component/server/implementation/mutations/oauth.js.map +0 -1
package/dist/component/server/implementation/mutations/refresh.js +0 -85
package/dist/component/server/implementation/mutations/refresh.js.map +0 -1
package/dist/component/server/implementation/mutations/register.js +0 -65
package/dist/component/server/implementation/mutations/register.js.map +0 -1
package/dist/component/server/implementation/mutations/retrieve.js +0 -50
package/dist/component/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/component/server/implementation/mutations/signature.js +0 -27
package/dist/component/server/implementation/mutations/signature.js.map +0 -1
package/dist/component/server/implementation/mutations/signin.js.map +0 -1
package/dist/component/server/implementation/mutations/signout.js +0 -27
package/dist/component/server/implementation/mutations/signout.js.map +0 -1
package/dist/component/server/implementation/mutations/store.js +0 -12
package/dist/component/server/implementation/mutations/store.js.map +0 -1
package/dist/component/server/implementation/mutations/verifier.js +0 -16
package/dist/component/server/implementation/mutations/verifier.js.map +0 -1
package/dist/component/server/implementation/mutations/verify.js +0 -105
package/dist/component/server/implementation/mutations/verify.js.map +0 -1
package/dist/component/server/implementation/passkey.js +0 -307
package/dist/component/server/implementation/passkey.js.map +0 -1
package/dist/component/server/implementation/provider.js +0 -19
package/dist/component/server/implementation/provider.js.map +0 -1
package/dist/component/server/implementation/ratelimit.js +0 -48
package/dist/component/server/implementation/ratelimit.js.map +0 -1
package/dist/component/server/implementation/redirects.js.map +0 -1
package/dist/component/server/implementation/refresh.js +0 -109
package/dist/component/server/implementation/refresh.js.map +0 -1
package/dist/component/server/implementation/sessions.js.map +0 -1
package/dist/component/server/implementation/signin.js +0 -148
package/dist/component/server/implementation/signin.js.map +0 -1
package/dist/component/server/implementation/tokens.js +0 -15
package/dist/component/server/implementation/tokens.js.map +0 -1
package/dist/component/server/implementation/totp.js +0 -142
package/dist/component/server/implementation/totp.js.map +0 -1
package/dist/component/server/implementation/types.d.ts +0 -42
package/dist/component/server/implementation/types.d.ts.map +0 -1
package/dist/component/server/implementation/types.js.map +0 -1
package/dist/component/server/implementation/users.js.map +0 -1
package/dist/component/server/implementation/utils.js +0 -56
package/dist/component/server/implementation/utils.js.map +0 -1
package/dist/component/server/providers.js.map +0 -1
package/dist/component/server/templates.js +0 -84
package/dist/component/server/templates.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/implementation/db.d.ts +0 -86
package/dist/server/implementation/db.d.ts.map +0 -1
package/dist/server/implementation/db.js.map +0 -1
package/dist/server/implementation/device.d.ts +0 -30
package/dist/server/implementation/device.d.ts.map +0 -1
package/dist/server/implementation/device.js +0 -135
package/dist/server/implementation/device.js.map +0 -1
package/dist/server/implementation/index.d.ts +0 -870
package/dist/server/implementation/index.d.ts.map +0 -1
package/dist/server/implementation/index.js +0 -610
package/dist/server/implementation/index.js.map +0 -1
package/dist/server/implementation/keys.d.ts +0 -66
package/dist/server/implementation/keys.d.ts.map +0 -1
package/dist/server/implementation/keys.js.map +0 -1
package/dist/server/implementation/mutations/account.d.ts +0 -27
package/dist/server/implementation/mutations/account.d.ts.map +0 -1
package/dist/server/implementation/mutations/account.js +0 -39
package/dist/server/implementation/mutations/account.js.map +0 -1
package/dist/server/implementation/mutations/code.d.ts +0 -29
package/dist/server/implementation/mutations/code.d.ts.map +0 -1
package/dist/server/implementation/mutations/code.js.map +0 -1
package/dist/server/implementation/mutations/index.d.ts +0 -310
package/dist/server/implementation/mutations/index.d.ts.map +0 -1
package/dist/server/implementation/mutations/index.js +0 -70
package/dist/server/implementation/mutations/index.js.map +0 -1
package/dist/server/implementation/mutations/invalidate.d.ts +0 -18
package/dist/server/implementation/mutations/invalidate.d.ts.map +0 -1
package/dist/server/implementation/mutations/invalidate.js +0 -29
package/dist/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/server/implementation/mutations/oauth.d.ts +0 -23
package/dist/server/implementation/mutations/oauth.d.ts.map +0 -1
package/dist/server/implementation/mutations/oauth.js +0 -51
package/dist/server/implementation/mutations/oauth.js.map +0 -1
package/dist/server/implementation/mutations/refresh.d.ts +0 -20
package/dist/server/implementation/mutations/refresh.d.ts.map +0 -1
package/dist/server/implementation/mutations/refresh.js +0 -85
package/dist/server/implementation/mutations/refresh.js.map +0 -1
package/dist/server/implementation/mutations/register.d.ts +0 -37
package/dist/server/implementation/mutations/register.d.ts.map +0 -1
package/dist/server/implementation/mutations/register.js +0 -65
package/dist/server/implementation/mutations/register.js.map +0 -1
package/dist/server/implementation/mutations/retrieve.d.ts +0 -31
package/dist/server/implementation/mutations/retrieve.d.ts.map +0 -1
package/dist/server/implementation/mutations/retrieve.js +0 -50
package/dist/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/server/implementation/mutations/signature.d.ts +0 -19
package/dist/server/implementation/mutations/signature.d.ts.map +0 -1
package/dist/server/implementation/mutations/signature.js +0 -27
package/dist/server/implementation/mutations/signature.js.map +0 -1
package/dist/server/implementation/mutations/signin.d.ts +0 -21
package/dist/server/implementation/mutations/signin.d.ts.map +0 -1
package/dist/server/implementation/mutations/signin.js.map +0 -1
package/dist/server/implementation/mutations/signout.d.ts +0 -14
package/dist/server/implementation/mutations/signout.d.ts.map +0 -1
package/dist/server/implementation/mutations/signout.js +0 -27
package/dist/server/implementation/mutations/signout.js.map +0 -1
package/dist/server/implementation/mutations/store.d.ts +0 -11
package/dist/server/implementation/mutations/store.d.ts.map +0 -1
package/dist/server/implementation/mutations/store.js +0 -12
package/dist/server/implementation/mutations/store.js.map +0 -1
package/dist/server/implementation/mutations/verifier.d.ts +0 -11
package/dist/server/implementation/mutations/verifier.d.ts.map +0 -1
package/dist/server/implementation/mutations/verifier.js +0 -16
package/dist/server/implementation/mutations/verifier.js.map +0 -1
package/dist/server/implementation/mutations/verify.d.ts +0 -25
package/dist/server/implementation/mutations/verify.d.ts.map +0 -1
package/dist/server/implementation/mutations/verify.js +0 -105
package/dist/server/implementation/mutations/verify.js.map +0 -1
package/dist/server/implementation/passkey.d.ts +0 -24
package/dist/server/implementation/passkey.d.ts.map +0 -1
package/dist/server/implementation/passkey.js +0 -307
package/dist/server/implementation/passkey.js.map +0 -1
package/dist/server/implementation/provider.d.ts +0 -10
package/dist/server/implementation/provider.d.ts.map +0 -1
package/dist/server/implementation/provider.js +0 -19
package/dist/server/implementation/provider.js.map +0 -1
package/dist/server/implementation/ratelimit.d.ts +0 -10
package/dist/server/implementation/ratelimit.d.ts.map +0 -1
package/dist/server/implementation/ratelimit.js +0 -48
package/dist/server/implementation/ratelimit.js.map +0 -1
package/dist/server/implementation/redirects.d.ts +0 -10
package/dist/server/implementation/redirects.d.ts.map +0 -1
package/dist/server/implementation/redirects.js.map +0 -1
package/dist/server/implementation/refresh.d.ts +0 -37
package/dist/server/implementation/refresh.d.ts.map +0 -1
package/dist/server/implementation/refresh.js +0 -109
package/dist/server/implementation/refresh.js.map +0 -1
package/dist/server/implementation/sessions.d.ts +0 -29
package/dist/server/implementation/sessions.d.ts.map +0 -1
package/dist/server/implementation/sessions.js.map +0 -1
package/dist/server/implementation/signin.d.ts +0 -55
package/dist/server/implementation/signin.d.ts.map +0 -1
package/dist/server/implementation/signin.js +0 -148
package/dist/server/implementation/signin.js.map +0 -1
package/dist/server/implementation/tokens.d.ts +0 -11
package/dist/server/implementation/tokens.d.ts.map +0 -1
package/dist/server/implementation/tokens.js +0 -15
package/dist/server/implementation/tokens.js.map +0 -1
package/dist/server/implementation/totp.d.ts +0 -31
package/dist/server/implementation/totp.d.ts.map +0 -1
package/dist/server/implementation/totp.js +0 -142
package/dist/server/implementation/totp.js.map +0 -1
package/dist/server/implementation/types.d.ts +0 -189
package/dist/server/implementation/types.d.ts.map +0 -1
package/dist/server/implementation/types.js +0 -97
package/dist/server/implementation/types.js.map +0 -1
package/dist/server/implementation/users.d.ts +0 -30
package/dist/server/implementation/users.d.ts.map +0 -1
package/dist/server/implementation/users.js.map +0 -1
package/dist/server/implementation/utils.d.ts +0 -19
package/dist/server/implementation/utils.d.ts.map +0 -1
package/dist/server/implementation/utils.js +0 -56
package/dist/server/implementation/utils.js.map +0 -1
package/dist/server/index.d.ts.map +0 -1
package/dist/server/index.js.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/providers.d.ts +0 -72
package/dist/server/providers.d.ts.map +0 -1
package/dist/server/providers.js.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/dist/server/version.d.ts +0 -5
package/dist/server/version.d.ts.map +0 -1
package/dist/server/version.js +0 -6
package/dist/server/version.js.map +0 -1
package/src/cli/utils.ts +0 -248
package/src/server/implementation/device.ts +0 -307
package/src/server/implementation/index.ts +0 -1583
package/src/server/implementation/mutations/account.ts +0 -50
package/src/server/implementation/mutations/index.ts +0 -157
package/src/server/implementation/mutations/invalidate.ts +0 -42
package/src/server/implementation/mutations/oauth.ts +0 -73
package/src/server/implementation/mutations/refresh.ts +0 -175
package/src/server/implementation/mutations/register.ts +0 -100
package/src/server/implementation/mutations/retrieve.ts +0 -79
package/src/server/implementation/mutations/signature.ts +0 -39
package/src/server/implementation/mutations/signout.ts +0 -35
package/src/server/implementation/mutations/store.ts +0 -7
package/src/server/implementation/mutations/verifier.ts +0 -24
package/src/server/implementation/mutations/verify.ts +0 -194
package/src/server/implementation/passkey.ts +0 -620
package/src/server/implementation/provider.ts +0 -36
package/src/server/implementation/ratelimit.ts +0 -79
package/src/server/implementation/refresh.ts +0 -172
package/src/server/implementation/signin.ts +0 -296
package/src/server/implementation/totp.ts +0 -342
package/src/server/implementation/types.ts +0 -444
package/src/server/implementation/utils.ts +0 -91
package/src/server/version.ts +0 -2

package/src/server/enterprise/oidc.ts ADDED Viewed

@@ -0,0 +1,500 @@
+import { sha256 } from "@oslojs/crypto/sha2";
+import { encodeBase64urlNoPadding } from "@oslojs/encoding";
+import { Fx } from "@robelest/fx";
+import { decodeIdToken } from "arctic";
+import {
+  createRemoteJWKSet,
+  customFetch,
+  decodeProtectedHeader,
+  jwtVerify,
+} from "jose";
+import type { OAuthMaterializedConfig, OAuthProfile } from "../types";
+import { enterpriseOidcProviderId, getEnterpriseOidcUrls } from "./shared";
+const OIDC_JWKS_CACHE = new Map<
+  string,
+  ReturnType<typeof createRemoteJWKSet>
+>();
+async function discoverOidcConfiguration(config: Record<string, any>) {
+  const discoveryUrl =
+    typeof config.discoveryUrl === "string"
+      ? config.discoveryUrl
+      : typeof config.issuer === "string"
+        ? `${config.issuer.replace(/\/$/, "")}/.well-known/openid-configuration`
+        : null;
+  if (!discoveryUrl) {
+    throw new Error("Enterprise OIDC requires an issuer or discoveryUrl.");
+  }
+  const oidcFetch = createEnterpriseOidcFetch(config, config.issuer);
+  return await Fx.run(
+    Fx.defer(() =>
+      Fx.from({
+        ok: async () => {
+          const response = await oidcFetch(discoveryUrl);
+          if (!response.ok) {
+            throw new Error(
+              `Failed to discover OIDC configuration: ${response.status}`,
+            );
+          }
+          const discovery = (await response.json()) as Record<string, any>;
+          if (
+            typeof discovery.issuer !== "string" ||
+            typeof discovery.authorization_endpoint !== "string" ||
+            typeof discovery.token_endpoint !== "string" ||
+            typeof discovery.jwks_uri !== "string"
+          ) {
+            throw new Error(
+              "OIDC discovery document is missing required fields.",
+            );
+          }
+          return discovery;
+        },
+        err: (error) =>
+          error instanceof Error ? error : new Error(String(error)),
+      }),
+    ).pipe(
+      Fx.timeout(10_000),
+      Fx.retry(
+        Fx.retry.compose(
+          Fx.retry.jittered(Fx.retry.exponential(200)),
+          Fx.retry.recurs(2),
+        ),
+      ),
+      Fx.recover((error) =>
+        Fx.fail(error instanceof Error ? error : new Error(String(error))),
+      ),
+    ),
+  );
+}
+function createEnterpriseOidcFetch(
+  config: Record<string, any>,
+  discoveredIssuer?: string,
+) {
+  const runtimeOrigin =
+    typeof config.discoveryUrl === "string"
+      ? new URL(config.discoveryUrl).origin
+      : undefined;
+  const externalHost =
+    typeof config.issuer === "string"
+      ? new URL(config.issuer).host
+      : typeof discoveredIssuer === "string"
+        ? new URL(discoveredIssuer).host
+        : undefined;
+  return async (input: string | URL, init?: RequestInit) => {
+    const url = new URL(typeof input === "string" ? input : input.toString());
+    const rewrittenUrl =
+      runtimeOrigin !== undefined && url.origin !== runtimeOrigin
+        ? new URL(`${runtimeOrigin}${url.pathname}${url.search}`)
+        : url;
+    const headers = new Headers(init?.headers);
+    if (runtimeOrigin !== undefined && externalHost !== undefined) {
+      headers.set("host", externalHost);
+    }
+    return await fetch(rewrittenUrl, { ...init, headers });
+  };
+}
+function getOidcJwks(
+  url: string,
+  fetchImpl?: ReturnType<typeof createEnterpriseOidcFetch>,
+) {
+  const cacheKey = fetchImpl ? `${url}::custom` : url;
+  let jwks = OIDC_JWKS_CACHE.get(cacheKey);
+  if (!jwks) {
+    jwks = fetchImpl
+      ? createRemoteJWKSet(new URL(url), { [customFetch]: fetchImpl })
+      : createRemoteJWKSet(new URL(url));
+    OIDC_JWKS_CACHE.set(cacheKey, jwks);
+  }
+  return jwks;
+}
+type UserInfoFetchFailure =
+  | { kind: "transport"; error: unknown }
+  | { kind: "subject-mismatch" };
+function userInfoProfileFx(opts: {
+  endpoint: string;
+  accessToken: string;
+  verifiedClaims: Record<string, unknown>;
+  verifiedProfile: OAuthProfile & { emailVerified?: boolean };
+  fetchImpl?: ReturnType<typeof createEnterpriseOidcFetch>;
+}) {
+  return Fx.from({
+    ok: async () => {
+      const response = await (opts.fetchImpl ?? fetch)(opts.endpoint, {
+        headers: { Authorization: `Bearer ${opts.accessToken}` },
+      });
+      if (!response.ok) {
+        throw new Error(`OIDC userinfo request failed: ${response.status}`);
+      }
+      return (await response.json()) as Record<string, unknown>;
+    },
+    err: (error): UserInfoFetchFailure => ({ kind: "transport", error }),
+  }).pipe(
+    Fx.chain((userInfo) => {
+      const userInfoSubject =
+        typeof userInfo.sub === "string" ? userInfo.sub : undefined;
+      const tokenSubject =
+        typeof opts.verifiedClaims.sub === "string"
+          ? opts.verifiedClaims.sub
+          : undefined;
+      return userInfoSubject !== undefined &&
+        tokenSubject !== undefined &&
+        userInfoSubject !== tokenSubject
+        ? Fx.fail({ kind: "subject-mismatch" } as const)
+        : Fx.succeed({
+            id:
+              userInfoSubject ??
+              (typeof opts.verifiedClaims.sub === "string"
+                ? opts.verifiedClaims.sub
+                : undefined) ??
+              crypto.randomUUID(),
+            email:
+              typeof userInfo.email === "string"
+                ? userInfo.email
+                : opts.verifiedProfile.email,
+            emailVerified:
+              typeof userInfo.email_verified === "boolean"
+                ? userInfo.email_verified
+                : opts.verifiedProfile.emailVerified,
+            name:
+              typeof userInfo.name === "string"
+                ? userInfo.name
+                : opts.verifiedProfile.name,
+            image:
+              typeof userInfo.picture === "string"
+                ? userInfo.picture
+                : opts.verifiedProfile.image,
+          } as OAuthProfile & { emailVerified?: boolean });
+    }),
+    Fx.recover((failure) => {
+      if (failure.kind === "transport") {
+        return Fx.succeed(null);
+      }
+      return Fx.fail(
+        new Error("OIDC userinfo subject does not match ID token subject."),
+      );
+    }),
+  );
+}
+/** @internal */
+export async function createEnterpriseOidcProvider(
+  config: Record<string, any>,
+  redirectUri: string,
+) {
+  const discovery = await discoverOidcConfiguration(config);
+  const expectedIssuer = String(config.issuer ?? discovery.issuer).replace(
+    /\/$/,
+    "",
+  );
+  const discoveredIssuer = String(discovery.issuer).replace(/\/$/, "");
+  const strictIssuer = config.strictIssuer === true;
+  if (
+    typeof config.issuer === "string" &&
+    expectedIssuer !== discoveredIssuer
+  ) {
+    if (strictIssuer) {
+      throw new Error(
+        `Configured OIDC issuer mismatch. configured=${expectedIssuer} discovery=${discoveredIssuer}`,
+      );
+    }
+    console.warn(
+      "Configured OIDC issuer differs from discovery issuer; accepting both for token verification.",
+      {
+        configuredIssuer: expectedIssuer,
+        discoveryIssuer: discoveredIssuer,
+      },
+    );
+  }
+  const authorizationEndpoint = discovery.authorization_endpoint as string;
+  const tokenEndpoint = discovery.token_endpoint as string;
+  const jwksUri = String(config.jwksUri ?? discovery.jwks_uri);
+  const supportedIdTokenSigningAlgs = Array.isArray(
+    discovery.id_token_signing_alg_values_supported,
+  )
+    ? discovery.id_token_signing_alg_values_supported.filter(
+        (value: unknown): value is string => typeof value === "string",
+      )
+    : [];
+  const userinfoEndpoint =
+    (discovery.userinfo_endpoint as string | undefined) ?? undefined;
+  const oidcFetch = createEnterpriseOidcFetch(
+    config,
+    discovery.issuer as string,
+  );
+  const scopes = Array.isArray(config.scopes)
+    ? config.scopes.filter(
+        (value: unknown): value is string => typeof value === "string",
+      )
+    : ["openid", "profile", "email"];
+  const expectedAudience = config.audience ?? String(config.clientId);
+  const getIssuerCandidates = (issuer: string) => {
+    const candidates = [issuer];
+    if (issuer.startsWith("https://")) {
+      candidates.push(`http://${issuer.slice("https://".length)}`);
+    } else if (issuer.startsWith("http://")) {
+      candidates.push(`https://${issuer.slice("http://".length)}`);
+    }
+    return candidates;
+  };
+  const expectedIssuers = strictIssuer
+    ? [expectedIssuer]
+    : Array.from(
+        new Set([
+          ...getIssuerCandidates(expectedIssuer),
+          ...getIssuerCandidates(discoveredIssuer),
+        ]),
+      );
+  const jwks = getOidcJwks(jwksUri, oidcFetch);
+  let verifiedClaims: Record<string, unknown> | null = null;
+  let verifiedProfile: (OAuthProfile & { emailVerified?: boolean }) | null =
+    null;
+  const normalizeProfile = (claims: Record<string, unknown>) => ({
+    id: typeof claims.sub === "string" ? claims.sub : crypto.randomUUID(),
+    email: typeof claims.email === "string" ? claims.email : undefined,
+    emailVerified:
+      typeof claims.email_verified === "boolean"
+        ? claims.email_verified
+        : undefined,
+    name: typeof claims.name === "string" ? claims.name : undefined,
+    image: typeof claims.picture === "string" ? claims.picture : undefined,
+  });
+  const provider = {
+    createAuthorizationURL(
+      state: string,
+      codeVerifier: string,
+      requestedScopes: string[],
+    ) {
+      const url = new URL(authorizationEndpoint);
+      url.searchParams.set("response_type", "code");
+      url.searchParams.set("client_id", String(config.clientId));
+      url.searchParams.set("redirect_uri", redirectUri);
+      url.searchParams.set(
+        "scope",
+        (requestedScopes.length > 0 ? requestedScopes : scopes).join(" "),
+      );
+      url.searchParams.set("state", state);
+      url.searchParams.set("code_challenge_method", "S256");
+      url.searchParams.set(
+        "code_challenge",
+        encodeBase64urlNoPadding(
+          sha256(new TextEncoder().encode(codeVerifier)),
+        ),
+      );
+      const authorizationParams =
+        typeof config.authorizationParams === "object" &&
+        config.authorizationParams !== null
+          ? (config.authorizationParams as Record<string, unknown>)
+          : {};
+      for (const [key, value] of Object.entries(authorizationParams)) {
+        if (typeof value === "string") {
+          url.searchParams.set(key, value);
+        }
+      }
+      return url;
+    },
+    async validateAuthorizationCode(code: string, codeVerifier?: string) {
+      const body = new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: redirectUri,
+        client_id: String(config.clientId),
+      });
+      if (typeof config.clientSecret === "string") {
+        body.set("client_secret", config.clientSecret);
+      }
+      if (codeVerifier) {
+        body.set("code_verifier", codeVerifier);
+      }
+      const response = await oidcFetch(tokenEndpoint, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body,
+      });
+      if (!response.ok) {
+        throw new Error(`OIDC token exchange failed: ${response.status}`);
+      }
+      const data = (await response.json()) as Record<string, any>;
+      return {
+        data,
+        idToken() {
+          if (typeof data.id_token !== "string") {
+            throw new Error("OIDC response is missing id_token.");
+          }
+          return data.id_token;
+        },
+        accessToken() {
+          if (typeof data.access_token !== "string") {
+            throw new Error("OIDC response is missing access_token.");
+          }
+          return data.access_token;
+        },
+      };
+    },
+  };
+  const oauthConfig = {
+    scopes,
+    nonce: true,
+    validateTokens: async (tokens: any, ctx: { nonce?: string }) => {
+      const verified = await Fx.run(
+        Fx.gen(function* () {
+          yield* Fx.guard(
+            ctx.nonce === undefined,
+            Fx.fail(new Error("OIDC nonce is required.")),
+          );
+          const idToken = tokens.idToken();
+          const protectedHeader = decodeProtectedHeader(idToken);
+          const tokenAlg = protectedHeader.alg;
+          const useSymmetricValidation =
+            typeof tokenAlg === "string" &&
+            (tokenAlg === "HS256" ||
+              tokenAlg === "HS384" ||
+              tokenAlg === "HS512") &&
+            supportedIdTokenSigningAlgs.includes(tokenAlg);
+          const verificationOptions = {
+            audience: expectedAudience,
+            requiredClaims: ["iss", "sub", "aud", "exp", "iat"],
+            clockTolerance: config.clockToleranceSeconds ?? 10,
+          } as const;
+          const verification = yield* Fx.from({
+            ok: () =>
+              useSymmetricValidation
+                ? jwtVerify(
+                    idToken,
+                    (() => {
+                      if (typeof config.clientSecret !== "string") {
+                        throw new Error(
+                          "OIDC provider uses symmetric ID token signatures but clientSecret is missing.",
+                        );
+                      }
+                      return new TextEncoder().encode(config.clientSecret);
+                    })(),
+                    verificationOptions as any,
+                  )
+                : jwtVerify(idToken, jwks as any, verificationOptions as any),
+            err: (error) =>
+              error instanceof Error ? error : new Error(String(error)),
+          });
+          const payload = verification.payload as Record<string, unknown>;
+          const tokenIssuerRaw =
+            typeof payload.iss === "string" ? payload.iss : undefined;
+          const tokenIssuer =
+            typeof tokenIssuerRaw === "string"
+              ? tokenIssuerRaw.replace(/\/$/, "")
+              : undefined;
+          yield* Fx.guard(
+            !tokenIssuer || !expectedIssuers.includes(tokenIssuer),
+            Fx.fail(
+              new Error(
+                `OIDC token issuer mismatch. Received: ${tokenIssuer ?? "<missing>"}. Expected one of: ${expectedIssuers.join(", ")}`,
+              ),
+            ),
+          );
+          yield* Fx.guard(
+            payload.nonce !== ctx.nonce,
+            Fx.fail(new Error("OIDC nonce mismatch.")),
+          );
+          yield* Fx.guard(
+            Array.isArray(payload.aud) &&
+              payload.aud.length > 1 &&
+              payload.azp !== String(config.clientId),
+            Fx.fail(
+              new Error("OIDC authorized party does not match client ID."),
+            ),
+          );
+          return payload;
+        }),
+      );
+      verifiedClaims = verified;
+      verifiedProfile = normalizeProfile(verified);
+    },
+    accountLinking: config.accountLinking,
+    profile: async (tokens: any): Promise<OAuthProfile> => {
+      if (verifiedProfile === null || verifiedClaims === null) {
+        const claims = decodeIdToken(tokens.idToken()) as Record<
+          string,
+          unknown
+        >;
+        verifiedClaims = claims;
+        verifiedProfile = normalizeProfile(claims);
+      }
+      if (userinfoEndpoint && typeof tokens.accessToken === "function") {
+        const userInfoProfile = await Fx.run(
+          userInfoProfileFx({
+            endpoint: userinfoEndpoint,
+            accessToken: tokens.accessToken(),
+            verifiedClaims,
+            verifiedProfile,
+            fetchImpl: oidcFetch,
+          }),
+        );
+        if (userInfoProfile !== null) {
+          return userInfoProfile;
+        }
+      }
+      return verifiedProfile;
+    },
+  } as const;
+  return { provider, oauthConfig };
+}
+/** @internal */
+export function createSyntheticOAuthMaterializedConfig(
+  providerId: string,
+  options?: {
+    accountLinking?: OAuthMaterializedConfig["accountLinking"];
+  },
+): OAuthMaterializedConfig {
+  return {
+    id: providerId,
+    type: "oauth",
+    provider: null,
+    scopes: [],
+    accountLinking: options?.accountLinking ?? "verifiedEmail",
+  };
+}
+/** @internal */
+export async function createEnterpriseOidcRuntime(opts: {
+  rootUrl: string;
+  enterpriseId: string;
+  oidc: Record<string, any>;
+}) {
+  const providerId = enterpriseOidcProviderId(opts.enterpriseId);
+  const urls = getEnterpriseOidcUrls({
+    rootUrl: opts.rootUrl,
+    enterpriseId: opts.enterpriseId,
+  });
+  const { provider, oauthConfig } = await createEnterpriseOidcProvider(
+    opts.oidc,
+    urls.callbackUrl,
+  );
+  return {
+    oidc: opts.oidc,
+    providerId,
+    provider,
+    oauthConfig,
+    ...urls,
+  };
+}

package/src/server/enterprise/policy.ts ADDED Viewed

@@ -0,0 +1,128 @@
+import type { EnterprisePolicy, EnterprisePolicyPatch } from "../types";
+import { asRecord } from "./shared";
+/** @internal */
+export const DEFAULT_ENTERPRISE_POLICY: EnterprisePolicy = {
+  version: 1,
+  identity: {
+    accountLinking: {
+      oidc: "verifiedEmail",
+      saml: "verifiedEmail",
+    },
+  },
+  provisioning: {
+    scimReuse: {
+      user: "externalId",
+    },
+    jit: {
+      mode: "createUserAndMembership",
+      defaultRoleIds: [],
+    },
+    deprovision: {
+      mode: "soft",
+    },
+  },
+};
+/** @internal */
+export function normalizeEnterprisePolicy(policy: unknown): EnterprisePolicy {
+  const input = asRecord(policy) ?? {};
+  const identity = asRecord(input.identity) ?? {};
+  const accountLinking = asRecord(identity.accountLinking) ?? {};
+  const provisioning = asRecord(input.provisioning) ?? {};
+  const scimReuse = asRecord(provisioning.scimReuse) ?? {};
+  const jit = asRecord(provisioning.jit) ?? {};
+  const deprovision = asRecord(provisioning.deprovision) ?? {};
+  const extend = asRecord(input.extend) ?? undefined;
+  return {
+    version: 1,
+    identity: {
+      accountLinking: {
+        oidc:
+          accountLinking.oidc === "none"
+            ? "none"
+            : DEFAULT_ENTERPRISE_POLICY.identity.accountLinking.oidc,
+        saml:
+          accountLinking.saml === "none"
+            ? "none"
+            : DEFAULT_ENTERPRISE_POLICY.identity.accountLinking.saml,
+      },
+    },
+    provisioning: {
+      scimReuse: {
+        user:
+          scimReuse.user === "none"
+            ? "none"
+            : DEFAULT_ENTERPRISE_POLICY.provisioning.scimReuse.user,
+      },
+      jit: {
+        mode:
+          jit.mode === "off" ||
+          jit.mode === "createUser" ||
+          jit.mode === "createUserAndMembership"
+            ? jit.mode
+            : DEFAULT_ENTERPRISE_POLICY.provisioning.jit.mode,
+        defaultRoleIds: Array.isArray(jit.defaultRoleIds)
+          ? Array.from(
+              new Set(
+                jit.defaultRoleIds.filter(
+                  (value): value is string =>
+                    typeof value === "string" && value.length > 0,
+                ),
+              ),
+            )
+          : typeof jit.defaultRole === "string" && jit.defaultRole.length > 0
+            ? [jit.defaultRole]
+            : DEFAULT_ENTERPRISE_POLICY.provisioning.jit.defaultRoleIds,
+      },
+      deprovision: {
+        mode:
+          deprovision.mode === "hard"
+            ? "hard"
+            : DEFAULT_ENTERPRISE_POLICY.provisioning.deprovision.mode,
+      },
+    },
+    ...(extend ? { extend } : {}),
+  };
+}
+/** @internal */
+export function patchEnterprisePolicy(
+  current: unknown,
+  patch: EnterprisePolicyPatch,
+): EnterprisePolicy {
+  const base = normalizeEnterprisePolicy(current);
+  return normalizeEnterprisePolicy({
+    ...base,
+    ...patch,
+    identity: {
+      ...base.identity,
+      ...patch.identity,
+      accountLinking: {
+        ...base.identity.accountLinking,
+        ...patch.identity?.accountLinking,
+      },
+    },
+    provisioning: {
+      ...base.provisioning,
+      ...patch.provisioning,
+      scimReuse: {
+        ...base.provisioning.scimReuse,
+        ...patch.provisioning?.scimReuse,
+      },
+      jit: {
+        ...base.provisioning.jit,
+        ...patch.provisioning?.jit,
+      },
+      deprovision: {
+        ...base.provisioning.deprovision,
+        ...patch.provisioning?.deprovision,
+      },
+    },
+    extend:
+      patch.extend === undefined
+        ? base.extend
+        : { ...base.extend, ...patch.extend },
+  });
+}