npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.2 → 0.0.4-preview.21 - Mend

@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (798) hide show

package/README.md +67 -26
package/dist/authorization/index.d.ts +63 -0
package/dist/authorization/index.d.ts.map +1 -0
package/dist/authorization/index.js +63 -0
package/dist/authorization/index.js.map +1 -0
package/dist/bin.js +6185 -0
package/dist/client/core/types.d.ts +20 -0
package/dist/client/core/types.d.ts.map +1 -0
package/dist/client/index.d.ts +2 -299
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +407 -534
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +42 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +2546 -90
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/client/core/types.d.ts +2 -0
package/dist/component/client/index.d.ts +2 -0
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/functions.d.ts +11 -9
package/dist/component/functions.d.ts.map +1 -1
package/dist/component/functions.js.map +1 -1
package/dist/component/index.d.ts +7 -11
package/dist/component/index.js +2 -3
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +349 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/anonymous.d.ts +54 -0
package/dist/component/providers/anonymous.d.ts.map +1 -0
package/dist/component/providers/credentials.d.ts +5 -5
package/dist/component/providers/credentials.d.ts.map +1 -1
package/dist/component/providers/device.d.ts +67 -0
package/dist/component/providers/device.d.ts.map +1 -0
package/dist/component/providers/email.d.ts +62 -0
package/dist/component/providers/email.d.ts.map +1 -0
package/dist/component/providers/oauth.d.ts.map +1 -1
package/dist/component/providers/oauth.js.map +1 -1
package/dist/component/providers/passkey.d.ts +57 -0
package/dist/component/providers/passkey.d.ts.map +1 -0
package/dist/component/providers/password.d.ts +88 -0
package/dist/component/providers/password.d.ts.map +1 -0
package/dist/component/providers/phone.d.ts +48 -0
package/dist/component/providers/phone.d.ts.map +1 -0
package/dist/component/providers/sso.d.ts +50 -0
package/dist/component/providers/sso.d.ts.map +1 -0
package/dist/component/providers/totp.d.ts +45 -0
package/dist/component/providers/totp.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.d.ts +73 -0
package/dist/component/public/enterprise/audit.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.js +108 -0
package/dist/component/public/enterprise/audit.js.map +1 -0
package/dist/component/public/enterprise/core.d.ts +176 -0
package/dist/component/public/enterprise/core.d.ts.map +1 -0
package/dist/component/public/enterprise/core.js +292 -0
package/dist/component/public/enterprise/core.js.map +1 -0
package/dist/component/public/enterprise/domains.d.ts +174 -0
package/dist/component/public/enterprise/domains.d.ts.map +1 -0
package/dist/component/public/enterprise/domains.js +271 -0
package/dist/component/public/enterprise/domains.js.map +1 -0
package/dist/component/public/enterprise/scim.d.ts +245 -0
package/dist/component/public/enterprise/scim.d.ts.map +1 -0
package/dist/component/public/enterprise/scim.js +344 -0
package/dist/component/public/enterprise/scim.js.map +1 -0
package/dist/component/public/enterprise/secrets.d.ts +78 -0
package/dist/component/public/enterprise/secrets.d.ts.map +1 -0
package/dist/component/public/enterprise/secrets.js +118 -0
package/dist/component/public/enterprise/secrets.js.map +1 -0
package/dist/component/public/enterprise/webhooks.d.ts +211 -0
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -0
package/dist/component/public/enterprise/webhooks.js +300 -0
package/dist/component/public/enterprise/webhooks.js.map +1 -0
package/dist/component/public/factors/devices.d.ts +157 -0
package/dist/component/public/factors/devices.d.ts.map +1 -0
package/dist/component/public/factors/devices.js +216 -0
package/dist/component/public/factors/devices.js.map +1 -0
package/dist/component/public/factors/passkeys.d.ts +175 -0
package/dist/component/public/factors/passkeys.d.ts.map +1 -0
package/dist/component/public/factors/passkeys.js +238 -0
package/dist/component/public/factors/passkeys.js.map +1 -0
package/dist/component/public/factors/totp.d.ts +189 -0
package/dist/component/public/factors/totp.d.ts.map +1 -0
package/dist/component/public/factors/totp.js +254 -0
package/dist/component/public/factors/totp.js.map +1 -0
package/dist/component/public/groups/core.d.ts +137 -0
package/dist/component/public/groups/core.d.ts.map +1 -0
package/dist/component/public/groups/core.js +321 -0
package/dist/component/public/groups/core.js.map +1 -0
package/dist/component/public/groups/invites.d.ts +217 -0
package/dist/component/public/groups/invites.d.ts.map +1 -0
package/dist/component/public/groups/invites.js +457 -0
package/dist/component/public/groups/invites.js.map +1 -0
package/dist/component/public/groups/members.d.ts +204 -0
package/dist/component/public/groups/members.d.ts.map +1 -0
package/dist/component/public/groups/members.js +355 -0
package/dist/component/public/groups/members.js.map +1 -0
package/dist/component/public/identity/accounts.d.ts +147 -0
package/dist/component/public/identity/accounts.d.ts.map +1 -0
package/dist/component/public/identity/accounts.js +200 -0
package/dist/component/public/identity/accounts.js.map +1 -0
package/dist/component/public/identity/codes.d.ts +104 -0
package/dist/component/public/identity/codes.d.ts.map +1 -0
package/dist/component/public/identity/codes.js +140 -0
package/dist/component/public/identity/codes.js.map +1 -0
package/dist/component/public/identity/sessions.d.ts +128 -0
package/dist/component/public/identity/sessions.d.ts.map +1 -0
package/dist/component/public/identity/sessions.js +192 -0
package/dist/component/public/identity/sessions.js.map +1 -0
package/dist/component/public/identity/tokens.d.ts +169 -0
package/dist/component/public/identity/tokens.d.ts.map +1 -0
package/dist/component/public/identity/tokens.js +227 -0
package/dist/component/public/identity/tokens.js.map +1 -0
package/dist/component/public/identity/users.d.ts +212 -0
package/dist/component/public/identity/users.d.ts.map +1 -0
package/dist/component/public/identity/users.js +311 -0
package/dist/component/public/identity/users.js.map +1 -0
package/dist/component/public/identity/verifiers.d.ts +116 -0
package/dist/component/public/identity/verifiers.d.ts.map +1 -0
package/dist/component/public/identity/verifiers.js +154 -0
package/dist/component/public/identity/verifiers.js.map +1 -0
package/dist/component/public/security/keys.d.ts +209 -0
package/dist/component/public/security/keys.d.ts.map +1 -0
package/dist/component/public/security/keys.js +319 -0
package/dist/component/public/security/keys.js.map +1 -0
package/dist/component/public/security/limits.d.ts +114 -0
package/dist/component/public/security/limits.d.ts.map +1 -0
package/dist/component/public/security/limits.js +169 -0
package/dist/component/public/security/limits.js.map +1 -0
package/dist/component/public.d.ts +24 -271
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +21 -1229
package/dist/component/schema.d.ts +473 -110
package/dist/component/schema.js +162 -73
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +318 -373
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +204 -123
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/authError.js +34 -0
package/dist/component/server/authError.js.map +1 -0
package/dist/component/server/{providers.js → config.js} +43 -12
package/dist/component/server/config.js.map +1 -0
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/core.js +713 -0
package/dist/component/server/core.js.map +1 -0
package/dist/component/server/crypto.js +38 -0
package/dist/component/server/crypto.js.map +1 -0
package/dist/component/server/{implementation/db.js → db.js} +2 -1
package/dist/component/server/db.js.map +1 -0
package/dist/component/server/device.js +109 -0
package/dist/component/server/device.js.map +1 -0
package/dist/component/server/enterprise/config.js +46 -0
package/dist/component/server/enterprise/config.js.map +1 -0
package/dist/component/server/enterprise/domain.js +885 -0
package/dist/component/server/enterprise/domain.js.map +1 -0
package/dist/component/server/enterprise/http.js +766 -0
package/dist/component/server/enterprise/http.js.map +1 -0
package/dist/component/server/enterprise/oidc.js +248 -0
package/dist/component/server/enterprise/oidc.js.map +1 -0
package/dist/component/server/enterprise/policy.js +85 -0
package/dist/component/server/enterprise/policy.js.map +1 -0
package/dist/component/server/enterprise/saml.js +338 -0
package/dist/component/server/enterprise/saml.js.map +1 -0
package/dist/component/server/enterprise/scim.js +97 -0
package/dist/component/server/enterprise/scim.js.map +1 -0
package/dist/component/server/enterprise/shared.js +51 -0
package/dist/component/server/enterprise/shared.js.map +1 -0
package/dist/component/server/errors.d.ts +1 -0
package/dist/component/server/errors.js +24 -16
package/dist/component/server/errors.js.map +1 -1
package/dist/component/server/http.js +288 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/{server/implementation → component/server}/keys.js +9 -31
package/dist/component/server/keys.js.map +1 -0
package/dist/component/server/limits.js +61 -0
package/dist/component/server/limits.js.map +1 -0
package/dist/component/server/mutations/account.js +44 -0
package/dist/component/server/mutations/account.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/component/server/mutations/code.js.map +1 -0
package/dist/component/server/mutations/invalidate.js +32 -0
package/dist/component/server/mutations/invalidate.js.map +1 -0
package/dist/component/server/mutations/oauth.js +110 -0
package/dist/component/server/mutations/oauth.js.map +1 -0
package/dist/component/server/mutations/refresh.js +119 -0
package/dist/component/server/mutations/refresh.js.map +1 -0
package/dist/component/server/mutations/register.js +83 -0
package/dist/component/server/mutations/register.js.map +1 -0
package/dist/component/server/mutations/retrieve.js +65 -0
package/dist/component/server/mutations/retrieve.js.map +1 -0
package/dist/component/server/mutations/signature.js +32 -0
package/dist/component/server/mutations/signature.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/component/server/mutations/signin.js.map +1 -0
package/dist/component/server/mutations/signout.js +27 -0
package/dist/component/server/mutations/signout.js.map +1 -0
package/dist/component/server/mutations/store/refs.js +15 -0
package/dist/component/server/mutations/store/refs.js.map +1 -0
package/dist/component/server/mutations/store.js +85 -0
package/dist/component/server/mutations/store.js.map +1 -0
package/dist/component/server/mutations/verifier.js +18 -0
package/dist/component/server/mutations/verifier.js.map +1 -0
package/dist/component/server/mutations/verify.js +98 -0
package/dist/component/server/mutations/verify.js.map +1 -0
package/dist/component/server/oauth.js +106 -60
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +328 -0
package/dist/component/server/passkey.js.map +1 -0
package/dist/{server/implementation → component/server}/redirects.js +13 -11
package/dist/component/server/redirects.js.map +1 -0
package/dist/component/server/refresh.js +96 -0
package/dist/component/server/refresh.js.map +1 -0
package/dist/component/server/runtime.d.ts +136 -0
package/dist/component/server/runtime.d.ts.map +1 -0
package/dist/component/server/runtime.js +413 -0
package/dist/component/server/runtime.js.map +1 -0
package/dist/{server/implementation → component/server}/sessions.js +14 -8
package/dist/component/server/sessions.js.map +1 -0
package/dist/component/server/signin.js +201 -0
package/dist/component/server/signin.js.map +1 -0
package/dist/component/server/tokens.js +17 -0
package/dist/component/server/tokens.js.map +1 -0
package/dist/component/server/totp.js +148 -0
package/dist/component/server/totp.js.map +1 -0
package/dist/component/server/types.d.ts +387 -298
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/{implementation/types.js → types.js} +1 -1
package/dist/component/server/types.js.map +1 -0
package/dist/component/server/{implementation/users.js → users.js} +54 -35
package/dist/component/server/users.js.map +1 -0
package/dist/component/server/utils.js +110 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +369 -0
package/dist/core/types.d.ts.map +1 -0
package/dist/factors/device.js +105 -0
package/dist/factors/device.js.map +1 -0
package/dist/factors/passkey.js +181 -0
package/dist/factors/passkey.js.map +1 -0
package/dist/factors/totp.js +122 -0
package/dist/factors/totp.js.map +1 -0
package/dist/providers/anonymous.d.ts +3 -9
package/dist/providers/anonymous.d.ts.map +1 -1
package/dist/providers/anonymous.js +1 -18
package/dist/providers/anonymous.js.map +1 -1
package/dist/providers/credentials.d.ts +8 -10
package/dist/providers/credentials.d.ts.map +1 -1
package/dist/providers/credentials.js +3 -5
package/dist/providers/credentials.js.map +1 -1
package/dist/providers/device.d.ts +18 -10
package/dist/providers/device.d.ts.map +1 -1
package/dist/providers/device.js +4 -8
package/dist/providers/device.js.map +1 -1
package/dist/providers/email.d.ts +50 -23
package/dist/providers/email.d.ts.map +1 -1
package/dist/providers/email.js +58 -34
package/dist/providers/email.js.map +1 -1
package/dist/providers/index.d.ts +7 -3
package/dist/providers/index.js +4 -1
package/dist/providers/oauth.d.ts.map +1 -1
package/dist/providers/oauth.js.map +1 -1
package/dist/providers/passkey.d.ts +12 -9
package/dist/providers/passkey.d.ts.map +1 -1
package/dist/providers/passkey.js +1 -7
package/dist/providers/passkey.js.map +1 -1
package/dist/providers/password.d.ts +6 -12
package/dist/providers/password.d.ts.map +1 -1
package/dist/providers/password.js +189 -89
package/dist/providers/password.js.map +1 -1
package/dist/providers/phone.d.ts +40 -11
package/dist/providers/phone.d.ts.map +1 -1
package/dist/providers/phone.js +52 -21
package/dist/providers/phone.js.map +1 -1
package/dist/providers/sso.d.ts +50 -0
package/dist/providers/sso.d.ts.map +1 -0
package/dist/providers/sso.js +34 -0
package/dist/providers/sso.js.map +1 -0
package/dist/providers/totp.d.ts +12 -9
package/dist/providers/totp.d.ts.map +1 -1
package/dist/providers/totp.js +1 -7
package/dist/providers/totp.js.map +1 -1
package/dist/runtime/browser.js +68 -0
package/dist/runtime/browser.js.map +1 -0
package/dist/runtime/invite.js +51 -0
package/dist/runtime/invite.js.map +1 -0
package/dist/runtime/proxy.js +70 -0
package/dist/runtime/proxy.js.map +1 -0
package/dist/runtime/storage.js +37 -0
package/dist/runtime/storage.js.map +1 -0
package/dist/server/auth.d.ts +335 -370
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +204 -123
package/dist/server/auth.js.map +1 -1
package/dist/server/authError.d.ts +46 -0
package/dist/server/authError.d.ts.map +1 -0
package/dist/server/authError.js +34 -0
package/dist/server/authError.js.map +1 -0
package/dist/server/config.d.ts +1 -0
package/dist/server/{providers.js → config.js} +43 -12
package/dist/server/config.js.map +1 -0
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/core.d.ts +1436 -0
package/dist/server/core.d.ts.map +1 -0
package/dist/server/core.js +713 -0
package/dist/server/core.js.map +1 -0
package/dist/server/crypto.d.ts +8 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +38 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/db.d.ts +1 -0
package/dist/server/{implementation/db.js → db.js} +2 -1
package/dist/server/db.js.map +1 -0
package/dist/server/device.d.ts +1 -0
package/dist/server/device.js +109 -0
package/dist/server/device.js.map +1 -0
package/dist/server/enterprise/config.d.ts +1 -0
package/dist/server/enterprise/config.js +46 -0
package/dist/server/enterprise/config.js.map +1 -0
package/dist/server/enterprise/domain.d.ts +409 -0
package/dist/server/enterprise/domain.d.ts.map +1 -0
package/dist/server/enterprise/domain.js +885 -0
package/dist/server/enterprise/domain.js.map +1 -0
package/dist/server/enterprise/http.d.ts +26 -0
package/dist/server/enterprise/http.d.ts.map +1 -0
package/dist/server/enterprise/http.js +766 -0
package/dist/server/enterprise/http.js.map +1 -0
package/dist/server/enterprise/oidc.d.ts +1 -0
package/dist/server/enterprise/oidc.js +248 -0
package/dist/server/enterprise/oidc.js.map +1 -0
package/dist/server/enterprise/policy.d.ts +1 -0
package/dist/server/enterprise/policy.js +85 -0
package/dist/server/enterprise/policy.js.map +1 -0
package/dist/server/enterprise/saml.d.ts +1 -0
package/dist/server/enterprise/saml.js +338 -0
package/dist/server/enterprise/saml.js.map +1 -0
package/dist/server/enterprise/scim.d.ts +1 -0
package/dist/server/enterprise/scim.js +97 -0
package/dist/server/enterprise/scim.js.map +1 -0
package/dist/server/enterprise/shared.d.ts +5 -0
package/dist/server/enterprise/shared.d.ts.map +1 -0
package/dist/server/enterprise/shared.js +51 -0
package/dist/server/enterprise/shared.js.map +1 -0
package/dist/server/enterprise/validators.d.ts +1 -0
package/dist/server/enterprise/validators.js +60 -0
package/dist/server/enterprise/validators.js.map +1 -0
package/dist/server/errors.d.ts +33 -1
package/dist/server/errors.d.ts.map +1 -1
package/dist/server/errors.js +44 -1
package/dist/server/errors.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +288 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +4 -182
package/dist/server/index.js +4 -376
package/dist/server/keys.d.ts +1 -0
package/dist/{component/server/implementation → server}/keys.js +9 -31
package/dist/server/keys.js.map +1 -0
package/dist/server/limits.d.ts +1 -0
package/dist/server/limits.js +61 -0
package/dist/server/limits.js.map +1 -0
package/dist/server/mounts.d.ts +647 -0
package/dist/server/mounts.d.ts.map +1 -0
package/dist/server/mounts.js +643 -0
package/dist/server/mounts.js.map +1 -0
package/dist/server/mutations/account.d.ts +30 -0
package/dist/server/mutations/account.d.ts.map +1 -0
package/dist/server/mutations/account.js +44 -0
package/dist/server/mutations/account.js.map +1 -0
package/dist/server/mutations/code.d.ts +30 -0
package/dist/server/mutations/code.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/server/mutations/code.js.map +1 -0
package/dist/server/mutations/index.d.ts +14 -0
package/dist/server/mutations/index.js +15 -0
package/dist/server/mutations/invalidate.d.ts +20 -0
package/dist/server/mutations/invalidate.d.ts.map +1 -0
package/dist/server/mutations/invalidate.js +32 -0
package/dist/server/mutations/invalidate.js.map +1 -0
package/dist/server/mutations/oauth.d.ts +28 -0
package/dist/server/mutations/oauth.d.ts.map +1 -0
package/dist/server/mutations/oauth.js +110 -0
package/dist/server/mutations/oauth.js.map +1 -0
package/dist/server/mutations/refresh.d.ts +21 -0
package/dist/server/mutations/refresh.d.ts.map +1 -0
package/dist/server/mutations/refresh.js +119 -0
package/dist/server/mutations/refresh.js.map +1 -0
package/dist/server/mutations/register.d.ts +38 -0
package/dist/server/mutations/register.d.ts.map +1 -0
package/dist/server/mutations/register.js +83 -0
package/dist/server/mutations/register.js.map +1 -0
package/dist/server/mutations/retrieve.d.ts +33 -0
package/dist/server/mutations/retrieve.d.ts.map +1 -0
package/dist/server/mutations/retrieve.js +65 -0
package/dist/server/mutations/retrieve.js.map +1 -0
package/dist/server/mutations/signature.d.ts +22 -0
package/dist/server/mutations/signature.d.ts.map +1 -0
package/dist/server/mutations/signature.js +32 -0
package/dist/server/mutations/signature.js.map +1 -0
package/dist/server/mutations/signin.d.ts +22 -0
package/dist/server/mutations/signin.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/server/mutations/signin.js.map +1 -0
package/dist/server/mutations/signout.d.ts +16 -0
package/dist/server/mutations/signout.d.ts.map +1 -0
package/dist/server/mutations/signout.js +27 -0
package/dist/server/mutations/signout.js.map +1 -0
package/dist/server/mutations/store/refs.d.ts +12 -0
package/dist/server/mutations/store/refs.d.ts.map +1 -0
package/dist/server/mutations/store/refs.js +15 -0
package/dist/server/mutations/store/refs.js.map +1 -0
package/dist/server/mutations/store.d.ts +306 -0
package/dist/server/mutations/store.d.ts.map +1 -0
package/dist/server/mutations/store.js +85 -0
package/dist/server/mutations/store.js.map +1 -0
package/dist/server/mutations/verifier.d.ts +13 -0
package/dist/server/mutations/verifier.d.ts.map +1 -0
package/dist/server/mutations/verifier.js +18 -0
package/dist/server/mutations/verifier.js.map +1 -0
package/dist/server/mutations/verify.d.ts +26 -0
package/dist/server/mutations/verify.d.ts.map +1 -0
package/dist/server/mutations/verify.js +98 -0
package/dist/server/mutations/verify.js.map +1 -0
package/dist/server/oauth.d.ts +1 -48
package/dist/server/oauth.js +107 -64
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +27 -0
package/dist/server/passkey.d.ts.map +1 -0
package/dist/server/passkey.js +328 -0
package/dist/server/passkey.js.map +1 -0
package/dist/server/redirects.d.ts +1 -0
package/dist/{component/server/implementation → server}/redirects.js +13 -11
package/dist/server/redirects.js.map +1 -0
package/dist/server/refresh.d.ts +1 -0
package/dist/server/refresh.js +96 -0
package/dist/server/refresh.js.map +1 -0
package/dist/server/runtime.d.ts +136 -0
package/dist/server/runtime.d.ts.map +1 -0
package/dist/server/runtime.js +413 -0
package/dist/server/runtime.js.map +1 -0
package/dist/server/sessions.d.ts +1 -0
package/dist/{component/server/implementation → server}/sessions.js +14 -8
package/dist/server/sessions.js.map +1 -0
package/dist/server/signin.d.ts +1 -0
package/dist/server/signin.js +201 -0
package/dist/server/signin.js.map +1 -0
package/dist/server/ssr.d.ts +226 -0
package/dist/server/ssr.d.ts.map +1 -0
package/dist/server/ssr.js +786 -0
package/dist/server/ssr.js.map +1 -0
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +2 -1
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -0
package/dist/server/tokens.js +17 -0
package/dist/server/tokens.js.map +1 -0
package/dist/server/totp.d.ts +1 -0
package/dist/server/totp.js +148 -0
package/dist/server/totp.js.map +1 -0
package/dist/server/types.d.ts +498 -306
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +108 -1
package/dist/server/types.js.map +1 -0
package/dist/server/users.d.ts +1 -0
package/dist/server/{implementation/users.js → users.js} +54 -35
package/dist/server/users.js.map +1 -0
package/dist/server/utils.d.ts +1 -6
package/dist/server/utils.js +110 -4
package/dist/server/utils.js.map +1 -1
package/package.json +49 -46
package/src/authorization/index.ts +83 -0
package/src/cli/bin.ts +5 -0
package/src/cli/command.ts +6 -5
package/src/cli/index.ts +456 -248
package/src/cli/keys.ts +3 -0
package/src/client/core/types.ts +437 -0
package/src/client/factors/device.ts +160 -0
package/src/client/factors/passkey.ts +282 -0
package/src/client/factors/totp.ts +150 -0
package/src/client/index.ts +745 -989
package/src/client/runtime/browser.ts +112 -0
package/src/client/runtime/invite.ts +65 -0
package/src/client/runtime/proxy.ts +111 -0
package/src/client/runtime/storage.ts +79 -0
package/src/component/_generated/api.ts +42 -0
package/src/component/_generated/component.ts +3123 -102
package/src/component/functions.ts +38 -22
package/src/component/index.ts +10 -20
package/src/component/model.ts +449 -0
package/src/component/public/enterprise/audit.ts +120 -0
package/src/component/public/enterprise/core.ts +354 -0
package/src/component/public/enterprise/domains.ts +323 -0
package/src/component/public/enterprise/scim.ts +396 -0
package/src/component/public/enterprise/secrets.ts +132 -0
package/src/component/public/enterprise/webhooks.ts +306 -0
package/src/component/public/factors/devices.ts +223 -0
package/src/component/public/factors/passkeys.ts +242 -0
package/src/component/public/factors/totp.ts +258 -0
package/src/component/public/groups/core.ts +481 -0
package/src/component/public/groups/invites.ts +602 -0
package/src/component/public/groups/members.ts +409 -0
package/src/component/public/identity/accounts.ts +206 -0
package/src/component/public/identity/codes.ts +148 -0
package/src/component/public/identity/sessions.ts +209 -0
package/src/component/public/identity/tokens.ts +250 -0
package/src/component/public/identity/users.ts +354 -0
package/src/component/public/identity/verifiers.ts +157 -0
package/src/component/public/security/keys.ts +365 -0
package/src/component/public/security/limits.ts +173 -0
package/src/component/public.ts +26 -1766
package/src/component/schema.ts +273 -100
package/src/providers/anonymous.ts +10 -20
package/src/providers/credentials.ts +14 -22
package/src/providers/device.ts +3 -14
package/src/providers/email.ts +83 -47
package/src/providers/index.ts +7 -0
package/src/providers/oauth.ts +5 -3
package/src/providers/passkey.ts +0 -13
package/src/providers/password.ts +307 -130
package/src/providers/phone.ts +81 -37
package/src/providers/sso.ts +54 -0
package/src/providers/totp.ts +0 -13
package/src/samlify.d.ts +53 -0
package/src/server/auth.ts +701 -247
package/src/server/authError.ts +44 -0
package/src/server/{providers.ts → config.ts} +84 -15
package/src/server/cookies.ts +8 -1
package/src/server/core.ts +2095 -0
package/src/server/crypto.ts +88 -0
package/src/server/{implementation/db.ts → db.ts} +90 -15
package/src/server/device.ts +221 -0
package/src/server/enterprise/config.ts +51 -0
package/src/server/enterprise/domain.ts +1751 -0
package/src/server/enterprise/http.ts +1324 -0
package/src/server/enterprise/oidc.ts +500 -0
package/src/server/enterprise/policy.ts +128 -0
package/src/server/enterprise/saml.ts +578 -0
package/src/server/enterprise/scim.ts +135 -0
package/src/server/enterprise/shared.ts +134 -0
package/src/server/enterprise/validators.ts +93 -0
package/src/server/errors.ts +130 -119
package/src/server/http.ts +531 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +32 -650
package/src/server/{implementation/keys.ts → keys.ts} +16 -44
package/src/server/limits.ts +134 -0
package/src/server/mounts.ts +948 -0
package/src/server/mutations/account.ts +76 -0
package/src/server/{implementation/mutations → mutations}/code.ts +22 -11
package/src/server/mutations/index.ts +13 -0
package/src/server/mutations/invalidate.ts +50 -0
package/src/server/mutations/oauth.ts +237 -0
package/src/server/mutations/refresh.ts +298 -0
package/src/server/mutations/register.ts +200 -0
package/src/server/mutations/retrieve.ts +109 -0
package/src/server/mutations/signature.ts +50 -0
package/src/server/{implementation/mutations → mutations}/signin.ts +9 -7
package/src/server/mutations/signout.ts +43 -0
package/src/server/mutations/store/refs.ts +10 -0
package/src/server/mutations/store.ts +138 -0
package/src/server/mutations/verifier.ts +34 -0
package/src/server/mutations/verify.ts +202 -0
package/src/server/oauth.ts +243 -131
package/src/server/passkey.ts +784 -0
package/src/server/{implementation/redirects.ts → redirects.ts} +21 -16
package/src/server/refresh.ts +222 -0
package/src/server/runtime.ts +880 -0
package/src/server/{implementation/sessions.ts → sessions.ts} +33 -25
package/src/server/signin.ts +438 -0
package/src/server/ssr.ts +1764 -0
package/src/server/templates.ts +8 -3
package/src/server/{implementation/tokens.ts → tokens.ts} +11 -5
package/src/server/totp.ts +349 -0
package/src/server/types.ts +972 -207
package/src/server/{implementation/users.ts → users.ts} +129 -75
package/src/server/utils.ts +192 -5
package/src/test.ts +28 -4
package/dist/bin.cjs +0 -27757
package/dist/component/providers/email.js +0 -47
package/dist/component/providers/email.js.map +0 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation/db.js.map +0 -1
package/dist/component/server/implementation/device.js +0 -135
package/dist/component/server/implementation/device.js.map +0 -1
package/dist/component/server/implementation/index.d.ts +0 -870
package/dist/component/server/implementation/index.d.ts.map +0 -1
package/dist/component/server/implementation/index.js +0 -610
package/dist/component/server/implementation/index.js.map +0 -1
package/dist/component/server/implementation/keys.js.map +0 -1
package/dist/component/server/implementation/mutations/account.js +0 -39
package/dist/component/server/implementation/mutations/account.js.map +0 -1
package/dist/component/server/implementation/mutations/code.js.map +0 -1
package/dist/component/server/implementation/mutations/index.js +0 -70
package/dist/component/server/implementation/mutations/index.js.map +0 -1
package/dist/component/server/implementation/mutations/invalidate.js +0 -29
package/dist/component/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/component/server/implementation/mutations/oauth.js +0 -51
package/dist/component/server/implementation/mutations/oauth.js.map +0 -1
package/dist/component/server/implementation/mutations/refresh.js +0 -85
package/dist/component/server/implementation/mutations/refresh.js.map +0 -1
package/dist/component/server/implementation/mutations/register.js +0 -65
package/dist/component/server/implementation/mutations/register.js.map +0 -1
package/dist/component/server/implementation/mutations/retrieve.js +0 -50
package/dist/component/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/component/server/implementation/mutations/signature.js +0 -27
package/dist/component/server/implementation/mutations/signature.js.map +0 -1
package/dist/component/server/implementation/mutations/signin.js.map +0 -1
package/dist/component/server/implementation/mutations/signout.js +0 -27
package/dist/component/server/implementation/mutations/signout.js.map +0 -1
package/dist/component/server/implementation/mutations/store.js +0 -12
package/dist/component/server/implementation/mutations/store.js.map +0 -1
package/dist/component/server/implementation/mutations/verifier.js +0 -16
package/dist/component/server/implementation/mutations/verifier.js.map +0 -1
package/dist/component/server/implementation/mutations/verify.js +0 -105
package/dist/component/server/implementation/mutations/verify.js.map +0 -1
package/dist/component/server/implementation/passkey.js +0 -307
package/dist/component/server/implementation/passkey.js.map +0 -1
package/dist/component/server/implementation/provider.js +0 -19
package/dist/component/server/implementation/provider.js.map +0 -1
package/dist/component/server/implementation/ratelimit.js +0 -48
package/dist/component/server/implementation/ratelimit.js.map +0 -1
package/dist/component/server/implementation/redirects.js.map +0 -1
package/dist/component/server/implementation/refresh.js +0 -109
package/dist/component/server/implementation/refresh.js.map +0 -1
package/dist/component/server/implementation/sessions.js.map +0 -1
package/dist/component/server/implementation/signin.js +0 -148
package/dist/component/server/implementation/signin.js.map +0 -1
package/dist/component/server/implementation/tokens.js +0 -15
package/dist/component/server/implementation/tokens.js.map +0 -1
package/dist/component/server/implementation/totp.js +0 -142
package/dist/component/server/implementation/totp.js.map +0 -1
package/dist/component/server/implementation/types.d.ts +0 -42
package/dist/component/server/implementation/types.d.ts.map +0 -1
package/dist/component/server/implementation/types.js.map +0 -1
package/dist/component/server/implementation/users.js.map +0 -1
package/dist/component/server/implementation/utils.js +0 -56
package/dist/component/server/implementation/utils.js.map +0 -1
package/dist/component/server/providers.js.map +0 -1
package/dist/component/server/templates.js +0 -84
package/dist/component/server/templates.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/implementation/db.d.ts +0 -86
package/dist/server/implementation/db.d.ts.map +0 -1
package/dist/server/implementation/db.js.map +0 -1
package/dist/server/implementation/device.d.ts +0 -30
package/dist/server/implementation/device.d.ts.map +0 -1
package/dist/server/implementation/device.js +0 -135
package/dist/server/implementation/device.js.map +0 -1
package/dist/server/implementation/index.d.ts +0 -870
package/dist/server/implementation/index.d.ts.map +0 -1
package/dist/server/implementation/index.js +0 -610
package/dist/server/implementation/index.js.map +0 -1
package/dist/server/implementation/keys.d.ts +0 -66
package/dist/server/implementation/keys.d.ts.map +0 -1
package/dist/server/implementation/keys.js.map +0 -1
package/dist/server/implementation/mutations/account.d.ts +0 -27
package/dist/server/implementation/mutations/account.d.ts.map +0 -1
package/dist/server/implementation/mutations/account.js +0 -39
package/dist/server/implementation/mutations/account.js.map +0 -1
package/dist/server/implementation/mutations/code.d.ts +0 -29
package/dist/server/implementation/mutations/code.d.ts.map +0 -1
package/dist/server/implementation/mutations/code.js.map +0 -1
package/dist/server/implementation/mutations/index.d.ts +0 -310
package/dist/server/implementation/mutations/index.d.ts.map +0 -1
package/dist/server/implementation/mutations/index.js +0 -70
package/dist/server/implementation/mutations/index.js.map +0 -1
package/dist/server/implementation/mutations/invalidate.d.ts +0 -18
package/dist/server/implementation/mutations/invalidate.d.ts.map +0 -1
package/dist/server/implementation/mutations/invalidate.js +0 -29
package/dist/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/server/implementation/mutations/oauth.d.ts +0 -23
package/dist/server/implementation/mutations/oauth.d.ts.map +0 -1
package/dist/server/implementation/mutations/oauth.js +0 -51
package/dist/server/implementation/mutations/oauth.js.map +0 -1
package/dist/server/implementation/mutations/refresh.d.ts +0 -20
package/dist/server/implementation/mutations/refresh.d.ts.map +0 -1
package/dist/server/implementation/mutations/refresh.js +0 -85
package/dist/server/implementation/mutations/refresh.js.map +0 -1
package/dist/server/implementation/mutations/register.d.ts +0 -37
package/dist/server/implementation/mutations/register.d.ts.map +0 -1
package/dist/server/implementation/mutations/register.js +0 -65
package/dist/server/implementation/mutations/register.js.map +0 -1
package/dist/server/implementation/mutations/retrieve.d.ts +0 -31
package/dist/server/implementation/mutations/retrieve.d.ts.map +0 -1
package/dist/server/implementation/mutations/retrieve.js +0 -50
package/dist/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/server/implementation/mutations/signature.d.ts +0 -19
package/dist/server/implementation/mutations/signature.d.ts.map +0 -1
package/dist/server/implementation/mutations/signature.js +0 -27
package/dist/server/implementation/mutations/signature.js.map +0 -1
package/dist/server/implementation/mutations/signin.d.ts +0 -21
package/dist/server/implementation/mutations/signin.d.ts.map +0 -1
package/dist/server/implementation/mutations/signin.js.map +0 -1
package/dist/server/implementation/mutations/signout.d.ts +0 -14
package/dist/server/implementation/mutations/signout.d.ts.map +0 -1
package/dist/server/implementation/mutations/signout.js +0 -27
package/dist/server/implementation/mutations/signout.js.map +0 -1
package/dist/server/implementation/mutations/store.d.ts +0 -11
package/dist/server/implementation/mutations/store.d.ts.map +0 -1
package/dist/server/implementation/mutations/store.js +0 -12
package/dist/server/implementation/mutations/store.js.map +0 -1
package/dist/server/implementation/mutations/verifier.d.ts +0 -11
package/dist/server/implementation/mutations/verifier.d.ts.map +0 -1
package/dist/server/implementation/mutations/verifier.js +0 -16
package/dist/server/implementation/mutations/verifier.js.map +0 -1
package/dist/server/implementation/mutations/verify.d.ts +0 -25
package/dist/server/implementation/mutations/verify.d.ts.map +0 -1
package/dist/server/implementation/mutations/verify.js +0 -105
package/dist/server/implementation/mutations/verify.js.map +0 -1
package/dist/server/implementation/passkey.d.ts +0 -24
package/dist/server/implementation/passkey.d.ts.map +0 -1
package/dist/server/implementation/passkey.js +0 -307
package/dist/server/implementation/passkey.js.map +0 -1
package/dist/server/implementation/provider.d.ts +0 -10
package/dist/server/implementation/provider.d.ts.map +0 -1
package/dist/server/implementation/provider.js +0 -19
package/dist/server/implementation/provider.js.map +0 -1
package/dist/server/implementation/ratelimit.d.ts +0 -10
package/dist/server/implementation/ratelimit.d.ts.map +0 -1
package/dist/server/implementation/ratelimit.js +0 -48
package/dist/server/implementation/ratelimit.js.map +0 -1
package/dist/server/implementation/redirects.d.ts +0 -10
package/dist/server/implementation/redirects.d.ts.map +0 -1
package/dist/server/implementation/redirects.js.map +0 -1
package/dist/server/implementation/refresh.d.ts +0 -37
package/dist/server/implementation/refresh.d.ts.map +0 -1
package/dist/server/implementation/refresh.js +0 -109
package/dist/server/implementation/refresh.js.map +0 -1
package/dist/server/implementation/sessions.d.ts +0 -29
package/dist/server/implementation/sessions.d.ts.map +0 -1
package/dist/server/implementation/sessions.js.map +0 -1
package/dist/server/implementation/signin.d.ts +0 -55
package/dist/server/implementation/signin.d.ts.map +0 -1
package/dist/server/implementation/signin.js +0 -148
package/dist/server/implementation/signin.js.map +0 -1
package/dist/server/implementation/tokens.d.ts +0 -11
package/dist/server/implementation/tokens.d.ts.map +0 -1
package/dist/server/implementation/tokens.js +0 -15
package/dist/server/implementation/tokens.js.map +0 -1
package/dist/server/implementation/totp.d.ts +0 -31
package/dist/server/implementation/totp.d.ts.map +0 -1
package/dist/server/implementation/totp.js +0 -142
package/dist/server/implementation/totp.js.map +0 -1
package/dist/server/implementation/types.d.ts +0 -189
package/dist/server/implementation/types.d.ts.map +0 -1
package/dist/server/implementation/types.js +0 -97
package/dist/server/implementation/types.js.map +0 -1
package/dist/server/implementation/users.d.ts +0 -30
package/dist/server/implementation/users.d.ts.map +0 -1
package/dist/server/implementation/users.js.map +0 -1
package/dist/server/implementation/utils.d.ts +0 -19
package/dist/server/implementation/utils.d.ts.map +0 -1
package/dist/server/implementation/utils.js +0 -56
package/dist/server/implementation/utils.js.map +0 -1
package/dist/server/index.d.ts.map +0 -1
package/dist/server/index.js.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/providers.d.ts +0 -72
package/dist/server/providers.d.ts.map +0 -1
package/dist/server/providers.js.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/dist/server/version.d.ts +0 -5
package/dist/server/version.d.ts.map +0 -1
package/dist/server/version.js +0 -6
package/dist/server/version.js.map +0 -1
package/src/cli/utils.ts +0 -248
package/src/server/implementation/device.ts +0 -307
package/src/server/implementation/index.ts +0 -1583
package/src/server/implementation/mutations/account.ts +0 -50
package/src/server/implementation/mutations/index.ts +0 -157
package/src/server/implementation/mutations/invalidate.ts +0 -42
package/src/server/implementation/mutations/oauth.ts +0 -73
package/src/server/implementation/mutations/refresh.ts +0 -175
package/src/server/implementation/mutations/register.ts +0 -100
package/src/server/implementation/mutations/retrieve.ts +0 -79
package/src/server/implementation/mutations/signature.ts +0 -39
package/src/server/implementation/mutations/signout.ts +0 -35
package/src/server/implementation/mutations/store.ts +0 -7
package/src/server/implementation/mutations/verifier.ts +0 -24
package/src/server/implementation/mutations/verify.ts +0 -194
package/src/server/implementation/passkey.ts +0 -620
package/src/server/implementation/provider.ts +0 -36
package/src/server/implementation/ratelimit.ts +0 -79
package/src/server/implementation/refresh.ts +0 -172
package/src/server/implementation/signin.ts +0 -296
package/src/server/implementation/totp.ts +0 -342
package/src/server/implementation/types.ts +0 -444
package/src/server/implementation/utils.ts +0 -91
package/src/server/version.ts +0 -2

package/src/server/enterprise/saml.ts ADDED Viewed

@@ -0,0 +1,578 @@
+import {
+  decodeBase64urlIgnorePadding,
+  encodeBase64urlNoPadding,
+} from "@oslojs/encoding";
+import {
+  Constants,
+  IdentityProvider,
+  ServiceProvider,
+  setSchemaValidator,
+} from "@robelest/samlify";
+import type { SAMLAttributeMapping } from "../types";
+import { getSamlConfig } from "./config";
+import type {
+  EnterpriseSamlHttpRequest,
+  EnterpriseSamlRelayState,
+  EnterpriseSamlSource,
+  ParsedSamlMetadata,
+} from "./shared";
+import { asRecord, getEnterpriseSamlUrls } from "./shared";
+// Samlify requires a schema validator to be registered before parsing any SAML
+// response. We use a permissive validator that always resolves because Convex's
+// edge runtime has no file-system access for XML schema files, and structural
+// correctness is already ensured by the XML parser. This is called directly
+// before each parse operation since Convex can restart the V8 isolate between
+// requests, resetting module-level state.
+const _samlifyPermissiveValidator = {
+  validate: (_xml: string) => Promise.resolve("OK"),
+};
+function ensureSamlifyValidator() {
+  setSchemaValidator(_samlifyPermissiveValidator);
+}
+/** @internal */
+export function createSamlPostBindingResponse(opts: {
+  endpoint: string;
+  parameter: "SAMLRequest" | "SAMLResponse";
+  value: string;
+  relayState?: string;
+}) {
+  const fields = [
+    `<input type="hidden" name="${opts.parameter}" value="${opts.value.replace(/"/g, "&quot;")}" />`,
+    opts.relayState
+      ? `<input type="hidden" name="RelayState" value="${opts.relayState.replace(/"/g, "&quot;")}" />`
+      : "",
+  ].join("");
+  return new Response(
+    `<!doctype html><html><body><form method="POST" action="${opts.endpoint}">${fields}</form><script>document.forms[0].submit();</script></body></html>`,
+    { status: 200, headers: { "Content-Type": "text/html; charset=utf-8" } },
+  );
+}
+/** @internal */
+export function decodeRelayState(
+  value: string | null,
+): Record<string, unknown> {
+  if (!value) {
+    return {};
+  }
+  try {
+    return JSON.parse(
+      new TextDecoder().decode(decodeBase64urlIgnorePadding(value)),
+    );
+  } catch {
+    return {};
+  }
+}
+/** @internal */
+export function encodeEnterpriseSamlRelayState(
+  value: EnterpriseSamlRelayState,
+) {
+  return encodeBase64urlNoPadding(
+    new TextEncoder().encode(
+      JSON.stringify({
+        source: `${value.source.kind}:${value.source.id}`,
+        signature: value.signature,
+        requestId: value.requestId,
+        state: value.state,
+        redirectTo: value.redirectTo,
+      }),
+    ),
+  );
+}
+/** @internal */
+export function decodeEnterpriseSamlRelayStateOrThrow(
+  value: string | null,
+): EnterpriseSamlRelayState {
+  if (!value) {
+    throw new Error("Missing SAML RelayState.");
+  }
+  const decoded = decodeRelayState(value);
+  if (
+    typeof decoded.source !== "string" ||
+    typeof decoded.signature !== "string" ||
+    typeof decoded.requestId !== "string" ||
+    typeof decoded.state !== "string"
+  ) {
+    throw new Error("Invalid SAML RelayState.");
+  }
+  const [kind, ...rest] = decoded.source.split(":");
+  const id = rest.join(":");
+  if (kind !== "enterprise" || id.length === 0) {
+    throw new Error("Invalid enterprise SAML source.");
+  }
+  return {
+    source: { kind, id } as EnterpriseSamlSource,
+    signature: decoded.signature,
+    requestId: decoded.requestId,
+    state: decoded.state,
+    redirectTo:
+      typeof decoded.redirectTo === "string" ? decoded.redirectTo : undefined,
+  };
+}
+/** @internal */
+export async function readRequestBody(
+  request: Request,
+): Promise<Record<string, string>> {
+  const contentType = request.headers.get("Content-Type") ?? "";
+  if (
+    contentType.includes("application/x-www-form-urlencoded") ||
+    contentType.includes("multipart/form-data")
+  ) {
+    const form = await request.formData();
+    const body: Record<string, string> = {};
+    form.forEach((value, key) => {
+      body[key] = typeof value === "string" ? value : value.name;
+    });
+    return body;
+  }
+  return {};
+}
+/** @internal */
+export async function readEnterpriseSamlHttpRequest(
+  request: Request,
+): Promise<EnterpriseSamlHttpRequest> {
+  const url = new URL(request.url);
+  const body = await readRequestBody(request);
+  const query = Object.fromEntries(url.searchParams);
+  const binding =
+    request.method === "GET"
+      ? "redirect"
+      : body.SAMLResponse || body.SAMLRequest
+        ? "post"
+        : "redirect";
+  return {
+    url,
+    body,
+    query,
+    binding,
+    relayState:
+      body.RelayState ?? url.searchParams.get("RelayState") ?? undefined,
+    hasSamlRequest: Boolean(
+      body.SAMLRequest ?? url.searchParams.get("SAMLRequest"),
+    ),
+    hasSamlResponse: Boolean(
+      body.SAMLResponse ?? url.searchParams.get("SAMLResponse"),
+    ),
+  };
+}
+/** @internal */
+export function parseSamlIdpMetadata(metadata: string): ParsedSamlMetadata {
+  const idp = IdentityProvider({ metadata });
+  const entityMeta = idp.entityMeta;
+  const normalizeService = (value: unknown): string | undefined => {
+    return typeof value === "string" && value.length > 0 ? value : undefined;
+  };
+  return {
+    issuer: entityMeta.getEntityID(),
+    sso: {
+      redirect: normalizeService(entityMeta.getSingleSignOnService("redirect")),
+      post: normalizeService(entityMeta.getSingleSignOnService("post")),
+    },
+    slo: {
+      redirect: normalizeService(entityMeta.getSingleLogoutService("redirect")),
+      post: normalizeService(entityMeta.getSingleLogoutService("post")),
+    },
+    signingCert: entityMeta.getX509Certificate("signing"),
+    encryptionCert: entityMeta.getX509Certificate("encrypt"),
+    nameIdFormats: (() => {
+      const nameIdFormat = entityMeta.getNameIDFormat();
+      return Array.isArray(nameIdFormat) ? nameIdFormat : [];
+    })(),
+    wantsSignedAuthnRequests: entityMeta.isWantAuthnRequestsSigned(),
+  };
+}
+/** @internal */
+export function createServiceProviderMetadata(opts: {
+  entityId: string;
+  acsUrl: string;
+  sloUrl?: string;
+  authnRequestsSigned?: boolean;
+  signingCert?: string | string[];
+  encryptCert?: string | string[];
+  privateKey?: string;
+  privateKeyPass?: string;
+  encPrivateKey?: string;
+  encPrivateKeyPass?: string;
+}) {
+  const binding = Constants.namespace.binding;
+  const sp = ServiceProvider({
+    entityID: opts.entityId,
+    authnRequestsSigned: opts.authnRequestsSigned ?? false,
+    privateKey: opts.privateKey,
+    privateKeyPass: opts.privateKeyPass,
+    signingCert: opts.signingCert,
+    encryptCert: opts.encryptCert,
+    encPrivateKey: opts.encPrivateKey,
+    encPrivateKeyPass: opts.encPrivateKeyPass,
+    assertionConsumerService: [
+      {
+        Binding: binding.post,
+        Location: opts.acsUrl,
+      },
+    ],
+    singleLogoutService: opts.sloUrl
+      ? [
+          {
+            Binding: binding.redirect,
+            Location: opts.sloUrl,
+          },
+          {
+            Binding: binding.post,
+            Location: opts.sloUrl,
+          },
+        ]
+      : undefined,
+  });
+  return sp.getMetadata();
+}
+/** @internal */
+export function createEnterpriseSamlMetadataXml(opts: {
+  rootUrl: string;
+  source: EnterpriseSamlSource;
+  config: unknown;
+}) {
+  return createServiceProviderMetadata(
+    getSamlServiceProviderOptions({
+      rootUrl: opts.rootUrl,
+      source: opts.source,
+      config: opts.config,
+    }),
+  );
+}
+/** @internal */
+export function getSamlServiceProviderOptions(opts: {
+  rootUrl: string;
+  source: EnterpriseSamlSource;
+  config: unknown;
+  overrides?: {
+    entityId?: string;
+    acsUrl?: string;
+    sloUrl?: string;
+  };
+  relayState?: string;
+}) {
+  const saml = getSamlConfig(opts.config);
+  const sp = asRecord(saml.sp) ?? {};
+  const urls = getEnterpriseSamlUrls({
+    rootUrl: opts.rootUrl,
+    source: opts.source,
+  });
+  return {
+    entityId: opts.overrides?.entityId ?? sp.entityId ?? urls.metadataUrl,
+    acsUrl: opts.overrides?.acsUrl ?? sp.acsUrl ?? urls.acsUrl,
+    sloUrl: opts.overrides?.sloUrl ?? sp.sloUrl ?? urls.sloUrl,
+    relayState: opts.relayState,
+    authnRequestsSigned: saml.signAuthnRequests,
+    signingCert: sp.signingCert,
+    encryptCert: sp.encryptCert,
+    privateKey: sp.privateKey,
+    privateKeyPass: sp.privateKeyPass,
+    encPrivateKey: sp.encPrivateKey,
+    encPrivateKeyPass: sp.encPrivateKeyPass,
+  };
+}
+/** @internal */
+export function createSamlServiceProvider(opts: {
+  entityId: string;
+  acsUrl: string;
+  sloUrl?: string;
+  relayState?: string;
+  authnRequestsSigned?: boolean;
+  signingCert?: string | string[];
+  encryptCert?: string | string[];
+  privateKey?: string;
+  privateKeyPass?: string;
+  encPrivateKey?: string;
+  encPrivateKeyPass?: string;
+}) {
+  const binding = Constants.namespace.binding;
+  return ServiceProvider({
+    entityID: opts.entityId,
+    relayState: opts.relayState ?? "",
+    authnRequestsSigned: opts.authnRequestsSigned ?? false,
+    privateKey: opts.privateKey,
+    privateKeyPass: opts.privateKeyPass,
+    signingCert: opts.signingCert,
+    encryptCert: opts.encryptCert,
+    encPrivateKey: opts.encPrivateKey,
+    encPrivateKeyPass: opts.encPrivateKeyPass,
+    assertionConsumerService: [
+      {
+        Binding: binding.post,
+        Location: opts.acsUrl,
+      },
+    ],
+    singleLogoutService: opts.sloUrl
+      ? [
+          { Binding: binding.redirect, Location: opts.sloUrl },
+          { Binding: binding.post, Location: opts.sloUrl },
+        ]
+      : undefined,
+  });
+}
+/** @internal */
+export function createEnterpriseSamlRuntime(opts: {
+  rootUrl: string;
+  source: EnterpriseSamlSource;
+  config: unknown;
+  relayState?: string;
+  overrides?: {
+    entityId?: string;
+    acsUrl?: string;
+    sloUrl?: string;
+  };
+}) {
+  const saml = getSamlConfig(opts.config);
+  const spOptions = getSamlServiceProviderOptions({
+    rootUrl: opts.rootUrl,
+    source: opts.source,
+    config: opts.config,
+    relayState: opts.relayState,
+    overrides: opts.overrides,
+  });
+  if (typeof saml.idp?.metadataXml !== "string") {
+    throw new Error("SAML IdP metadata is missing.");
+  }
+  return {
+    saml,
+    sp: createSamlServiceProvider(spOptions),
+    idp: IdentityProvider({ metadata: saml.idp.metadataXml }),
+    urls: getEnterpriseSamlUrls({ rootUrl: opts.rootUrl, source: opts.source }),
+  };
+}
+/** @internal */
+export function createEnterpriseSamlSignInRequest(opts: {
+  rootUrl: string;
+  source: EnterpriseSamlSource;
+  config: unknown;
+  state: string;
+  signature: string;
+  redirectTo?: string;
+}) {
+  const runtime = createEnterpriseSamlRuntime({
+    rootUrl: opts.rootUrl,
+    source: opts.source,
+    config: opts.config,
+  });
+  const binding = runtime.saml.idp.sso?.redirect ? "redirect" : "post";
+  const loginRequest = runtime.sp.createLoginRequest(
+    runtime.idp,
+    binding as any,
+  ) as any;
+  const relayState = encodeEnterpriseSamlRelayState({
+    source: opts.source,
+    signature: opts.signature,
+    requestId: loginRequest.id,
+    state: opts.state,
+    redirectTo: opts.redirectTo,
+  });
+  return {
+    requestId: loginRequest.id as string,
+    binding,
+    relayState,
+    redirectUrl:
+      binding === "redirect"
+        ? (() => {
+            const redirectUrl = new URL(loginRequest.context);
+            redirectUrl.searchParams.set("RelayState", relayState);
+            return redirectUrl.toString();
+          })()
+        : undefined,
+    post:
+      binding === "post"
+        ? {
+            endpoint: loginRequest.entityEndpoint as string,
+            value: loginRequest.context as string,
+          }
+        : undefined,
+  };
+}
+/** @internal */
+export async function parseEnterpriseSamlLoginResponse(opts: {
+  request: Request;
+  rootUrl: string;
+  source: EnterpriseSamlSource;
+  config: unknown;
+}) {
+  ensureSamlifyValidator();
+  const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);
+  const runtime = createEnterpriseSamlRuntime({
+    rootUrl: opts.rootUrl,
+    source: opts.source,
+    config: opts.config,
+  });
+  const parsed = (await runtime.sp.parseLoginResponse(
+    runtime.idp as any,
+    httpRequest.binding as any,
+    {
+      query: httpRequest.query,
+      body: httpRequest.body,
+    },
+  )) as any;
+  // Check for weak SAML algorithms and warn.
+  warnWeakSamlAlgorithms(parsed);
+  return {
+    ...httpRequest,
+    runtime,
+    parsed,
+    relayState: decodeEnterpriseSamlRelayStateOrThrow(
+      httpRequest.relayState ?? null,
+    ),
+  };
+}
+const WEAK_SAML_ALGORITHMS = new Set([
+  // Signature algorithms
+  "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+  "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
+  // Digest algorithms
+  "http://www.w3.org/2000/09/xmldsig#sha1",
+  // Key encryption
+  "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
+  // Data encryption
+  "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
+]);
+/**
+ * Warn when the SAML response uses weak cryptographic algorithms
+ * such as SHA-1, RSA 1.5, or 3DES.
+ */
+function warnWeakSamlAlgorithms(parsed: any) {
+  try {
+    const sigAlg =
+      parsed?.extract?.signature?.signatureAlgorithm ??
+      parsed?.extract?.response?.signatureAlgorithm;
+    const digestAlg = parsed?.extract?.signature?.digestAlgorithm;
+    if (sigAlg && WEAK_SAML_ALGORITHMS.has(sigAlg)) {
+      console.warn(
+        `[convex-auth] SAML response uses weak signature algorithm: ${sigAlg}. ` +
+          `Consider upgrading your IdP to use RSA-SHA256 or stronger.`,
+      );
+    }
+    if (digestAlg && WEAK_SAML_ALGORITHMS.has(digestAlg)) {
+      console.warn(
+        `[convex-auth] SAML response uses weak digest algorithm: ${digestAlg}. ` +
+          `Consider upgrading your IdP to use SHA-256 or stronger.`,
+      );
+    }
+  } catch {
+    // Non-critical — don't break auth flow for algorithm check failures
+  }
+}
+/** @internal */
+export function validateEnterpriseSamlLoginRelayState(opts: {
+  relayState: EnterpriseSamlRelayState;
+  source: EnterpriseSamlSource;
+  inResponseTo?: string;
+}) {
+  if (
+    opts.relayState.source.kind !== opts.source.kind ||
+    opts.relayState.source.id !== opts.source.id ||
+    opts.relayState.requestId !== opts.inResponseTo
+  ) {
+    throw new Error("SAML RelayState did not match the pending login request.");
+  }
+}
+/** @internal */
+export async function parseEnterpriseSamlLogoutMessage(opts: {
+  request: Request;
+  rootUrl: string;
+  source: EnterpriseSamlSource;
+  config: unknown;
+}) {
+  ensureSamlifyValidator();
+  const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);
+  const runtime = createEnterpriseSamlRuntime({
+    rootUrl: opts.rootUrl,
+    source: opts.source,
+    config: opts.config,
+    relayState: httpRequest.relayState,
+  });
+  const parsedRequest = httpRequest.hasSamlRequest
+    ? ((await runtime.sp.parseLogoutRequest(
+        runtime.idp as any,
+        httpRequest.binding as any,
+        {
+          query: httpRequest.query,
+          body: httpRequest.body,
+        },
+      )) as any)
+    : undefined;
+  return {
+    ...httpRequest,
+    runtime,
+    parsedRequest,
+  };
+}
+/** @internal */
+export function profileFromSamlExtract(
+  extract: any,
+  mapping?: SAMLAttributeMapping,
+) {
+  const attributes =
+    typeof extract?.attributes === "object" && extract.attributes !== null
+      ? (extract.attributes as Record<string, unknown>)
+      : {};
+  const resolveFirst = (...keys: Array<string | undefined>) => {
+    for (const key of keys) {
+      if (!key) {
+        continue;
+      }
+      const attribute = attributes[key];
+      const value = Array.isArray(attribute) ? attribute[0] : attribute;
+      if (value !== undefined) {
+        return value;
+      }
+    }
+    return undefined;
+  };
+  const fieldResolvers = {
+    email: () => resolveFirst(mapping?.email),
+    name: () =>
+      resolveFirst(mapping?.name) ??
+      ([resolveFirst(mapping?.firstName), resolveFirst(mapping?.lastName)]
+        .filter(Boolean)
+        .join(" ") ||
+        undefined),
+    subject: () =>
+      resolveFirst(mapping?.subject) ?? (extract?.nameID as string | undefined),
+  } as const;
+  const subject = fieldResolvers.subject() as string | undefined;
+  if (subject === undefined) {
+    throw new Error(
+      "SAML profile is missing a subject. Configure `attributeMapping.subject` or ensure the assertion includes a NameID.",
+    );
+  }
+  const email = fieldResolvers.email() as string | undefined;
+  const name = fieldResolvers.name() as string | undefined;
+  return {
+    id: subject,
+    email,
+    emailVerified: typeof email === "string" ? true : undefined,
+    name,
+    samlAttributes: attributes,
+    samlSessionIndex: extract?.sessionIndex?.SessionIndex as string | undefined,
+  };
+}

package/src/server/enterprise/scim.ts ADDED Viewed

@@ -0,0 +1,135 @@
+import type { ScimListRequest } from "./shared";
+import { SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID } from "./shared";
+/** @internal */
+export function parseScimPath(pathname: string) {
+  const parts = pathname.split("/").filter(Boolean);
+  const [api, auth, sso, enterpriseId, protocol, version, ...rest] = parts;
+  if (
+    api !== "api" ||
+    auth !== "auth" ||
+    sso !== "sso" ||
+    !enterpriseId ||
+    enterpriseId === "setup" ||
+    protocol !== "scim" ||
+    version !== "v2"
+  ) {
+    return {
+      enterpriseId: "",
+      resource: "",
+      resourceId: undefined,
+    };
+  }
+  return {
+    enterpriseId,
+    resource: rest[0] ?? "",
+    resourceId: rest[1],
+  };
+}
+/** @internal */
+export function parseScimListRequest(url: URL): ScimListRequest {
+  const startIndex = Math.max(
+    1,
+    Number(url.searchParams.get("startIndex") ?? "1"),
+  );
+  const count = Math.min(
+    100,
+    Math.max(1, Number(url.searchParams.get("count") ?? "100")),
+  );
+  const filterParam = url.searchParams.get("filter");
+  const filter = filterParam
+    ? (() => {
+        const match = filterParam.match(/^([A-Za-z0-9_.]+)\s+eq\s+"([^"]+)"$/);
+        if (!match) {
+          throw new Error("Unsupported SCIM filter.");
+        }
+        return { attribute: match[1]!, value: match[2]! };
+      })()
+    : undefined;
+  return { startIndex, count, filter };
+}
+/** @internal */
+export function scimJson(data: unknown, status = 200, headers?: HeadersInit) {
+  const responseHeaders = new Headers({
+    "Content-Type": "application/scim+json",
+  });
+  if (headers) {
+    new Headers(headers).forEach((value, key) => {
+      responseHeaders.set(key, value);
+    });
+  }
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: responseHeaders,
+  });
+}
+/** @internal */
+export function scimError(status: number, scimType: string, detail: string) {
+  return scimJson(
+    {
+      schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+      status: String(status),
+      scimType,
+      detail,
+    },
+    status,
+  );
+}
+/** @internal */
+export function serializeScimUser(args: {
+  id: string;
+  user: Record<string, any>;
+  externalId?: string;
+  active?: boolean;
+  location?: string;
+}) {
+  return {
+    schemas: [SCIM_USER_SCHEMA_ID],
+    id: args.id,
+    externalId: args.externalId,
+    meta: {
+      resourceType: "User",
+      location: args.location,
+    },
+    userName: args.user.email ?? args.user.phone ?? args.user.name ?? args.id,
+    active: args.active ?? true,
+    name:
+      args.user.name !== undefined ? { formatted: args.user.name } : undefined,
+    emails:
+      typeof args.user.email === "string"
+        ? [{ value: args.user.email, primary: true }]
+        : undefined,
+    phoneNumbers:
+      typeof args.user.phone === "string"
+        ? [{ value: args.user.phone, primary: true }]
+        : undefined,
+    displayName: args.user.name,
+  };
+}
+/** @internal */
+export function serializeScimGroup(args: {
+  id: string;
+  group: Record<string, any>;
+  externalId?: string;
+  members?: Array<{ value: string; display?: string }>;
+  location?: string;
+}) {
+  return {
+    schemas: [SCIM_GROUP_SCHEMA_ID],
+    id: args.id,
+    externalId: args.externalId,
+    meta: {
+      resourceType: "Group",
+      location: args.location,
+    },
+    displayName: args.group.name ?? args.id,
+    members: args.members ?? [],
+  };
+}