npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.2 → 0.0.4-preview.21 - Mend

@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (798) hide show

package/README.md +67 -26
package/dist/authorization/index.d.ts +63 -0
package/dist/authorization/index.d.ts.map +1 -0
package/dist/authorization/index.js +63 -0
package/dist/authorization/index.js.map +1 -0
package/dist/bin.js +6185 -0
package/dist/client/core/types.d.ts +20 -0
package/dist/client/core/types.d.ts.map +1 -0
package/dist/client/index.d.ts +2 -299
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +407 -534
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +42 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +2546 -90
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/client/core/types.d.ts +2 -0
package/dist/component/client/index.d.ts +2 -0
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/functions.d.ts +11 -9
package/dist/component/functions.d.ts.map +1 -1
package/dist/component/functions.js.map +1 -1
package/dist/component/index.d.ts +7 -11
package/dist/component/index.js +2 -3
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +349 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/anonymous.d.ts +54 -0
package/dist/component/providers/anonymous.d.ts.map +1 -0
package/dist/component/providers/credentials.d.ts +5 -5
package/dist/component/providers/credentials.d.ts.map +1 -1
package/dist/component/providers/device.d.ts +67 -0
package/dist/component/providers/device.d.ts.map +1 -0
package/dist/component/providers/email.d.ts +62 -0
package/dist/component/providers/email.d.ts.map +1 -0
package/dist/component/providers/oauth.d.ts.map +1 -1
package/dist/component/providers/oauth.js.map +1 -1
package/dist/component/providers/passkey.d.ts +57 -0
package/dist/component/providers/passkey.d.ts.map +1 -0
package/dist/component/providers/password.d.ts +88 -0
package/dist/component/providers/password.d.ts.map +1 -0
package/dist/component/providers/phone.d.ts +48 -0
package/dist/component/providers/phone.d.ts.map +1 -0
package/dist/component/providers/sso.d.ts +50 -0
package/dist/component/providers/sso.d.ts.map +1 -0
package/dist/component/providers/totp.d.ts +45 -0
package/dist/component/providers/totp.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.d.ts +73 -0
package/dist/component/public/enterprise/audit.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.js +108 -0
package/dist/component/public/enterprise/audit.js.map +1 -0
package/dist/component/public/enterprise/core.d.ts +176 -0
package/dist/component/public/enterprise/core.d.ts.map +1 -0
package/dist/component/public/enterprise/core.js +292 -0
package/dist/component/public/enterprise/core.js.map +1 -0
package/dist/component/public/enterprise/domains.d.ts +174 -0
package/dist/component/public/enterprise/domains.d.ts.map +1 -0
package/dist/component/public/enterprise/domains.js +271 -0
package/dist/component/public/enterprise/domains.js.map +1 -0
package/dist/component/public/enterprise/scim.d.ts +245 -0
package/dist/component/public/enterprise/scim.d.ts.map +1 -0
package/dist/component/public/enterprise/scim.js +344 -0
package/dist/component/public/enterprise/scim.js.map +1 -0
package/dist/component/public/enterprise/secrets.d.ts +78 -0
package/dist/component/public/enterprise/secrets.d.ts.map +1 -0
package/dist/component/public/enterprise/secrets.js +118 -0
package/dist/component/public/enterprise/secrets.js.map +1 -0
package/dist/component/public/enterprise/webhooks.d.ts +211 -0
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -0
package/dist/component/public/enterprise/webhooks.js +300 -0
package/dist/component/public/enterprise/webhooks.js.map +1 -0
package/dist/component/public/factors/devices.d.ts +157 -0
package/dist/component/public/factors/devices.d.ts.map +1 -0
package/dist/component/public/factors/devices.js +216 -0
package/dist/component/public/factors/devices.js.map +1 -0
package/dist/component/public/factors/passkeys.d.ts +175 -0
package/dist/component/public/factors/passkeys.d.ts.map +1 -0
package/dist/component/public/factors/passkeys.js +238 -0
package/dist/component/public/factors/passkeys.js.map +1 -0
package/dist/component/public/factors/totp.d.ts +189 -0
package/dist/component/public/factors/totp.d.ts.map +1 -0
package/dist/component/public/factors/totp.js +254 -0
package/dist/component/public/factors/totp.js.map +1 -0
package/dist/component/public/groups/core.d.ts +137 -0
package/dist/component/public/groups/core.d.ts.map +1 -0
package/dist/component/public/groups/core.js +321 -0
package/dist/component/public/groups/core.js.map +1 -0
package/dist/component/public/groups/invites.d.ts +217 -0
package/dist/component/public/groups/invites.d.ts.map +1 -0
package/dist/component/public/groups/invites.js +457 -0
package/dist/component/public/groups/invites.js.map +1 -0
package/dist/component/public/groups/members.d.ts +204 -0
package/dist/component/public/groups/members.d.ts.map +1 -0
package/dist/component/public/groups/members.js +355 -0
package/dist/component/public/groups/members.js.map +1 -0
package/dist/component/public/identity/accounts.d.ts +147 -0
package/dist/component/public/identity/accounts.d.ts.map +1 -0
package/dist/component/public/identity/accounts.js +200 -0
package/dist/component/public/identity/accounts.js.map +1 -0
package/dist/component/public/identity/codes.d.ts +104 -0
package/dist/component/public/identity/codes.d.ts.map +1 -0
package/dist/component/public/identity/codes.js +140 -0
package/dist/component/public/identity/codes.js.map +1 -0
package/dist/component/public/identity/sessions.d.ts +128 -0
package/dist/component/public/identity/sessions.d.ts.map +1 -0
package/dist/component/public/identity/sessions.js +192 -0
package/dist/component/public/identity/sessions.js.map +1 -0
package/dist/component/public/identity/tokens.d.ts +169 -0
package/dist/component/public/identity/tokens.d.ts.map +1 -0
package/dist/component/public/identity/tokens.js +227 -0
package/dist/component/public/identity/tokens.js.map +1 -0
package/dist/component/public/identity/users.d.ts +212 -0
package/dist/component/public/identity/users.d.ts.map +1 -0
package/dist/component/public/identity/users.js +311 -0
package/dist/component/public/identity/users.js.map +1 -0
package/dist/component/public/identity/verifiers.d.ts +116 -0
package/dist/component/public/identity/verifiers.d.ts.map +1 -0
package/dist/component/public/identity/verifiers.js +154 -0
package/dist/component/public/identity/verifiers.js.map +1 -0
package/dist/component/public/security/keys.d.ts +209 -0
package/dist/component/public/security/keys.d.ts.map +1 -0
package/dist/component/public/security/keys.js +319 -0
package/dist/component/public/security/keys.js.map +1 -0
package/dist/component/public/security/limits.d.ts +114 -0
package/dist/component/public/security/limits.d.ts.map +1 -0
package/dist/component/public/security/limits.js +169 -0
package/dist/component/public/security/limits.js.map +1 -0
package/dist/component/public.d.ts +24 -271
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +21 -1229
package/dist/component/schema.d.ts +473 -110
package/dist/component/schema.js +162 -73
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +318 -373
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +204 -123
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/authError.js +34 -0
package/dist/component/server/authError.js.map +1 -0
package/dist/component/server/{providers.js → config.js} +43 -12
package/dist/component/server/config.js.map +1 -0
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/core.js +713 -0
package/dist/component/server/core.js.map +1 -0
package/dist/component/server/crypto.js +38 -0
package/dist/component/server/crypto.js.map +1 -0
package/dist/component/server/{implementation/db.js → db.js} +2 -1
package/dist/component/server/db.js.map +1 -0
package/dist/component/server/device.js +109 -0
package/dist/component/server/device.js.map +1 -0
package/dist/component/server/enterprise/config.js +46 -0
package/dist/component/server/enterprise/config.js.map +1 -0
package/dist/component/server/enterprise/domain.js +885 -0
package/dist/component/server/enterprise/domain.js.map +1 -0
package/dist/component/server/enterprise/http.js +766 -0
package/dist/component/server/enterprise/http.js.map +1 -0
package/dist/component/server/enterprise/oidc.js +248 -0
package/dist/component/server/enterprise/oidc.js.map +1 -0
package/dist/component/server/enterprise/policy.js +85 -0
package/dist/component/server/enterprise/policy.js.map +1 -0
package/dist/component/server/enterprise/saml.js +338 -0
package/dist/component/server/enterprise/saml.js.map +1 -0
package/dist/component/server/enterprise/scim.js +97 -0
package/dist/component/server/enterprise/scim.js.map +1 -0
package/dist/component/server/enterprise/shared.js +51 -0
package/dist/component/server/enterprise/shared.js.map +1 -0
package/dist/component/server/errors.d.ts +1 -0
package/dist/component/server/errors.js +24 -16
package/dist/component/server/errors.js.map +1 -1
package/dist/component/server/http.js +288 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/{server/implementation → component/server}/keys.js +9 -31
package/dist/component/server/keys.js.map +1 -0
package/dist/component/server/limits.js +61 -0
package/dist/component/server/limits.js.map +1 -0
package/dist/component/server/mutations/account.js +44 -0
package/dist/component/server/mutations/account.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/component/server/mutations/code.js.map +1 -0
package/dist/component/server/mutations/invalidate.js +32 -0
package/dist/component/server/mutations/invalidate.js.map +1 -0
package/dist/component/server/mutations/oauth.js +110 -0
package/dist/component/server/mutations/oauth.js.map +1 -0
package/dist/component/server/mutations/refresh.js +119 -0
package/dist/component/server/mutations/refresh.js.map +1 -0
package/dist/component/server/mutations/register.js +83 -0
package/dist/component/server/mutations/register.js.map +1 -0
package/dist/component/server/mutations/retrieve.js +65 -0
package/dist/component/server/mutations/retrieve.js.map +1 -0
package/dist/component/server/mutations/signature.js +32 -0
package/dist/component/server/mutations/signature.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/component/server/mutations/signin.js.map +1 -0
package/dist/component/server/mutations/signout.js +27 -0
package/dist/component/server/mutations/signout.js.map +1 -0
package/dist/component/server/mutations/store/refs.js +15 -0
package/dist/component/server/mutations/store/refs.js.map +1 -0
package/dist/component/server/mutations/store.js +85 -0
package/dist/component/server/mutations/store.js.map +1 -0
package/dist/component/server/mutations/verifier.js +18 -0
package/dist/component/server/mutations/verifier.js.map +1 -0
package/dist/component/server/mutations/verify.js +98 -0
package/dist/component/server/mutations/verify.js.map +1 -0
package/dist/component/server/oauth.js +106 -60
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +328 -0
package/dist/component/server/passkey.js.map +1 -0
package/dist/{server/implementation → component/server}/redirects.js +13 -11
package/dist/component/server/redirects.js.map +1 -0
package/dist/component/server/refresh.js +96 -0
package/dist/component/server/refresh.js.map +1 -0
package/dist/component/server/runtime.d.ts +136 -0
package/dist/component/server/runtime.d.ts.map +1 -0
package/dist/component/server/runtime.js +413 -0
package/dist/component/server/runtime.js.map +1 -0
package/dist/{server/implementation → component/server}/sessions.js +14 -8
package/dist/component/server/sessions.js.map +1 -0
package/dist/component/server/signin.js +201 -0
package/dist/component/server/signin.js.map +1 -0
package/dist/component/server/tokens.js +17 -0
package/dist/component/server/tokens.js.map +1 -0
package/dist/component/server/totp.js +148 -0
package/dist/component/server/totp.js.map +1 -0
package/dist/component/server/types.d.ts +387 -298
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/{implementation/types.js → types.js} +1 -1
package/dist/component/server/types.js.map +1 -0
package/dist/component/server/{implementation/users.js → users.js} +54 -35
package/dist/component/server/users.js.map +1 -0
package/dist/component/server/utils.js +110 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +369 -0
package/dist/core/types.d.ts.map +1 -0
package/dist/factors/device.js +105 -0
package/dist/factors/device.js.map +1 -0
package/dist/factors/passkey.js +181 -0
package/dist/factors/passkey.js.map +1 -0
package/dist/factors/totp.js +122 -0
package/dist/factors/totp.js.map +1 -0
package/dist/providers/anonymous.d.ts +3 -9
package/dist/providers/anonymous.d.ts.map +1 -1
package/dist/providers/anonymous.js +1 -18
package/dist/providers/anonymous.js.map +1 -1
package/dist/providers/credentials.d.ts +8 -10
package/dist/providers/credentials.d.ts.map +1 -1
package/dist/providers/credentials.js +3 -5
package/dist/providers/credentials.js.map +1 -1
package/dist/providers/device.d.ts +18 -10
package/dist/providers/device.d.ts.map +1 -1
package/dist/providers/device.js +4 -8
package/dist/providers/device.js.map +1 -1
package/dist/providers/email.d.ts +50 -23
package/dist/providers/email.d.ts.map +1 -1
package/dist/providers/email.js +58 -34
package/dist/providers/email.js.map +1 -1
package/dist/providers/index.d.ts +7 -3
package/dist/providers/index.js +4 -1
package/dist/providers/oauth.d.ts.map +1 -1
package/dist/providers/oauth.js.map +1 -1
package/dist/providers/passkey.d.ts +12 -9
package/dist/providers/passkey.d.ts.map +1 -1
package/dist/providers/passkey.js +1 -7
package/dist/providers/passkey.js.map +1 -1
package/dist/providers/password.d.ts +6 -12
package/dist/providers/password.d.ts.map +1 -1
package/dist/providers/password.js +189 -89
package/dist/providers/password.js.map +1 -1
package/dist/providers/phone.d.ts +40 -11
package/dist/providers/phone.d.ts.map +1 -1
package/dist/providers/phone.js +52 -21
package/dist/providers/phone.js.map +1 -1
package/dist/providers/sso.d.ts +50 -0
package/dist/providers/sso.d.ts.map +1 -0
package/dist/providers/sso.js +34 -0
package/dist/providers/sso.js.map +1 -0
package/dist/providers/totp.d.ts +12 -9
package/dist/providers/totp.d.ts.map +1 -1
package/dist/providers/totp.js +1 -7
package/dist/providers/totp.js.map +1 -1
package/dist/runtime/browser.js +68 -0
package/dist/runtime/browser.js.map +1 -0
package/dist/runtime/invite.js +51 -0
package/dist/runtime/invite.js.map +1 -0
package/dist/runtime/proxy.js +70 -0
package/dist/runtime/proxy.js.map +1 -0
package/dist/runtime/storage.js +37 -0
package/dist/runtime/storage.js.map +1 -0
package/dist/server/auth.d.ts +335 -370
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +204 -123
package/dist/server/auth.js.map +1 -1
package/dist/server/authError.d.ts +46 -0
package/dist/server/authError.d.ts.map +1 -0
package/dist/server/authError.js +34 -0
package/dist/server/authError.js.map +1 -0
package/dist/server/config.d.ts +1 -0
package/dist/server/{providers.js → config.js} +43 -12
package/dist/server/config.js.map +1 -0
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/core.d.ts +1436 -0
package/dist/server/core.d.ts.map +1 -0
package/dist/server/core.js +713 -0
package/dist/server/core.js.map +1 -0
package/dist/server/crypto.d.ts +8 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +38 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/db.d.ts +1 -0
package/dist/server/{implementation/db.js → db.js} +2 -1
package/dist/server/db.js.map +1 -0
package/dist/server/device.d.ts +1 -0
package/dist/server/device.js +109 -0
package/dist/server/device.js.map +1 -0
package/dist/server/enterprise/config.d.ts +1 -0
package/dist/server/enterprise/config.js +46 -0
package/dist/server/enterprise/config.js.map +1 -0
package/dist/server/enterprise/domain.d.ts +409 -0
package/dist/server/enterprise/domain.d.ts.map +1 -0
package/dist/server/enterprise/domain.js +885 -0
package/dist/server/enterprise/domain.js.map +1 -0
package/dist/server/enterprise/http.d.ts +26 -0
package/dist/server/enterprise/http.d.ts.map +1 -0
package/dist/server/enterprise/http.js +766 -0
package/dist/server/enterprise/http.js.map +1 -0
package/dist/server/enterprise/oidc.d.ts +1 -0
package/dist/server/enterprise/oidc.js +248 -0
package/dist/server/enterprise/oidc.js.map +1 -0
package/dist/server/enterprise/policy.d.ts +1 -0
package/dist/server/enterprise/policy.js +85 -0
package/dist/server/enterprise/policy.js.map +1 -0
package/dist/server/enterprise/saml.d.ts +1 -0
package/dist/server/enterprise/saml.js +338 -0
package/dist/server/enterprise/saml.js.map +1 -0
package/dist/server/enterprise/scim.d.ts +1 -0
package/dist/server/enterprise/scim.js +97 -0
package/dist/server/enterprise/scim.js.map +1 -0
package/dist/server/enterprise/shared.d.ts +5 -0
package/dist/server/enterprise/shared.d.ts.map +1 -0
package/dist/server/enterprise/shared.js +51 -0
package/dist/server/enterprise/shared.js.map +1 -0
package/dist/server/enterprise/validators.d.ts +1 -0
package/dist/server/enterprise/validators.js +60 -0
package/dist/server/enterprise/validators.js.map +1 -0
package/dist/server/errors.d.ts +33 -1
package/dist/server/errors.d.ts.map +1 -1
package/dist/server/errors.js +44 -1
package/dist/server/errors.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +288 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +4 -182
package/dist/server/index.js +4 -376
package/dist/server/keys.d.ts +1 -0
package/dist/{component/server/implementation → server}/keys.js +9 -31
package/dist/server/keys.js.map +1 -0
package/dist/server/limits.d.ts +1 -0
package/dist/server/limits.js +61 -0
package/dist/server/limits.js.map +1 -0
package/dist/server/mounts.d.ts +647 -0
package/dist/server/mounts.d.ts.map +1 -0
package/dist/server/mounts.js +643 -0
package/dist/server/mounts.js.map +1 -0
package/dist/server/mutations/account.d.ts +30 -0
package/dist/server/mutations/account.d.ts.map +1 -0
package/dist/server/mutations/account.js +44 -0
package/dist/server/mutations/account.js.map +1 -0
package/dist/server/mutations/code.d.ts +30 -0
package/dist/server/mutations/code.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/server/mutations/code.js.map +1 -0
package/dist/server/mutations/index.d.ts +14 -0
package/dist/server/mutations/index.js +15 -0
package/dist/server/mutations/invalidate.d.ts +20 -0
package/dist/server/mutations/invalidate.d.ts.map +1 -0
package/dist/server/mutations/invalidate.js +32 -0
package/dist/server/mutations/invalidate.js.map +1 -0
package/dist/server/mutations/oauth.d.ts +28 -0
package/dist/server/mutations/oauth.d.ts.map +1 -0
package/dist/server/mutations/oauth.js +110 -0
package/dist/server/mutations/oauth.js.map +1 -0
package/dist/server/mutations/refresh.d.ts +21 -0
package/dist/server/mutations/refresh.d.ts.map +1 -0
package/dist/server/mutations/refresh.js +119 -0
package/dist/server/mutations/refresh.js.map +1 -0
package/dist/server/mutations/register.d.ts +38 -0
package/dist/server/mutations/register.d.ts.map +1 -0
package/dist/server/mutations/register.js +83 -0
package/dist/server/mutations/register.js.map +1 -0
package/dist/server/mutations/retrieve.d.ts +33 -0
package/dist/server/mutations/retrieve.d.ts.map +1 -0
package/dist/server/mutations/retrieve.js +65 -0
package/dist/server/mutations/retrieve.js.map +1 -0
package/dist/server/mutations/signature.d.ts +22 -0
package/dist/server/mutations/signature.d.ts.map +1 -0
package/dist/server/mutations/signature.js +32 -0
package/dist/server/mutations/signature.js.map +1 -0
package/dist/server/mutations/signin.d.ts +22 -0
package/dist/server/mutations/signin.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/server/mutations/signin.js.map +1 -0
package/dist/server/mutations/signout.d.ts +16 -0
package/dist/server/mutations/signout.d.ts.map +1 -0
package/dist/server/mutations/signout.js +27 -0
package/dist/server/mutations/signout.js.map +1 -0
package/dist/server/mutations/store/refs.d.ts +12 -0
package/dist/server/mutations/store/refs.d.ts.map +1 -0
package/dist/server/mutations/store/refs.js +15 -0
package/dist/server/mutations/store/refs.js.map +1 -0
package/dist/server/mutations/store.d.ts +306 -0
package/dist/server/mutations/store.d.ts.map +1 -0
package/dist/server/mutations/store.js +85 -0
package/dist/server/mutations/store.js.map +1 -0
package/dist/server/mutations/verifier.d.ts +13 -0
package/dist/server/mutations/verifier.d.ts.map +1 -0
package/dist/server/mutations/verifier.js +18 -0
package/dist/server/mutations/verifier.js.map +1 -0
package/dist/server/mutations/verify.d.ts +26 -0
package/dist/server/mutations/verify.d.ts.map +1 -0
package/dist/server/mutations/verify.js +98 -0
package/dist/server/mutations/verify.js.map +1 -0
package/dist/server/oauth.d.ts +1 -48
package/dist/server/oauth.js +107 -64
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +27 -0
package/dist/server/passkey.d.ts.map +1 -0
package/dist/server/passkey.js +328 -0
package/dist/server/passkey.js.map +1 -0
package/dist/server/redirects.d.ts +1 -0
package/dist/{component/server/implementation → server}/redirects.js +13 -11
package/dist/server/redirects.js.map +1 -0
package/dist/server/refresh.d.ts +1 -0
package/dist/server/refresh.js +96 -0
package/dist/server/refresh.js.map +1 -0
package/dist/server/runtime.d.ts +136 -0
package/dist/server/runtime.d.ts.map +1 -0
package/dist/server/runtime.js +413 -0
package/dist/server/runtime.js.map +1 -0
package/dist/server/sessions.d.ts +1 -0
package/dist/{component/server/implementation → server}/sessions.js +14 -8
package/dist/server/sessions.js.map +1 -0
package/dist/server/signin.d.ts +1 -0
package/dist/server/signin.js +201 -0
package/dist/server/signin.js.map +1 -0
package/dist/server/ssr.d.ts +226 -0
package/dist/server/ssr.d.ts.map +1 -0
package/dist/server/ssr.js +786 -0
package/dist/server/ssr.js.map +1 -0
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +2 -1
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -0
package/dist/server/tokens.js +17 -0
package/dist/server/tokens.js.map +1 -0
package/dist/server/totp.d.ts +1 -0
package/dist/server/totp.js +148 -0
package/dist/server/totp.js.map +1 -0
package/dist/server/types.d.ts +498 -306
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +108 -1
package/dist/server/types.js.map +1 -0
package/dist/server/users.d.ts +1 -0
package/dist/server/{implementation/users.js → users.js} +54 -35
package/dist/server/users.js.map +1 -0
package/dist/server/utils.d.ts +1 -6
package/dist/server/utils.js +110 -4
package/dist/server/utils.js.map +1 -1
package/package.json +49 -46
package/src/authorization/index.ts +83 -0
package/src/cli/bin.ts +5 -0
package/src/cli/command.ts +6 -5
package/src/cli/index.ts +456 -248
package/src/cli/keys.ts +3 -0
package/src/client/core/types.ts +437 -0
package/src/client/factors/device.ts +160 -0
package/src/client/factors/passkey.ts +282 -0
package/src/client/factors/totp.ts +150 -0
package/src/client/index.ts +745 -989
package/src/client/runtime/browser.ts +112 -0
package/src/client/runtime/invite.ts +65 -0
package/src/client/runtime/proxy.ts +111 -0
package/src/client/runtime/storage.ts +79 -0
package/src/component/_generated/api.ts +42 -0
package/src/component/_generated/component.ts +3123 -102
package/src/component/functions.ts +38 -22
package/src/component/index.ts +10 -20
package/src/component/model.ts +449 -0
package/src/component/public/enterprise/audit.ts +120 -0
package/src/component/public/enterprise/core.ts +354 -0
package/src/component/public/enterprise/domains.ts +323 -0
package/src/component/public/enterprise/scim.ts +396 -0
package/src/component/public/enterprise/secrets.ts +132 -0
package/src/component/public/enterprise/webhooks.ts +306 -0
package/src/component/public/factors/devices.ts +223 -0
package/src/component/public/factors/passkeys.ts +242 -0
package/src/component/public/factors/totp.ts +258 -0
package/src/component/public/groups/core.ts +481 -0
package/src/component/public/groups/invites.ts +602 -0
package/src/component/public/groups/members.ts +409 -0
package/src/component/public/identity/accounts.ts +206 -0
package/src/component/public/identity/codes.ts +148 -0
package/src/component/public/identity/sessions.ts +209 -0
package/src/component/public/identity/tokens.ts +250 -0
package/src/component/public/identity/users.ts +354 -0
package/src/component/public/identity/verifiers.ts +157 -0
package/src/component/public/security/keys.ts +365 -0
package/src/component/public/security/limits.ts +173 -0
package/src/component/public.ts +26 -1766
package/src/component/schema.ts +273 -100
package/src/providers/anonymous.ts +10 -20
package/src/providers/credentials.ts +14 -22
package/src/providers/device.ts +3 -14
package/src/providers/email.ts +83 -47
package/src/providers/index.ts +7 -0
package/src/providers/oauth.ts +5 -3
package/src/providers/passkey.ts +0 -13
package/src/providers/password.ts +307 -130
package/src/providers/phone.ts +81 -37
package/src/providers/sso.ts +54 -0
package/src/providers/totp.ts +0 -13
package/src/samlify.d.ts +53 -0
package/src/server/auth.ts +701 -247
package/src/server/authError.ts +44 -0
package/src/server/{providers.ts → config.ts} +84 -15
package/src/server/cookies.ts +8 -1
package/src/server/core.ts +2095 -0
package/src/server/crypto.ts +88 -0
package/src/server/{implementation/db.ts → db.ts} +90 -15
package/src/server/device.ts +221 -0
package/src/server/enterprise/config.ts +51 -0
package/src/server/enterprise/domain.ts +1751 -0
package/src/server/enterprise/http.ts +1324 -0
package/src/server/enterprise/oidc.ts +500 -0
package/src/server/enterprise/policy.ts +128 -0
package/src/server/enterprise/saml.ts +578 -0
package/src/server/enterprise/scim.ts +135 -0
package/src/server/enterprise/shared.ts +134 -0
package/src/server/enterprise/validators.ts +93 -0
package/src/server/errors.ts +130 -119
package/src/server/http.ts +531 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +32 -650
package/src/server/{implementation/keys.ts → keys.ts} +16 -44
package/src/server/limits.ts +134 -0
package/src/server/mounts.ts +948 -0
package/src/server/mutations/account.ts +76 -0
package/src/server/{implementation/mutations → mutations}/code.ts +22 -11
package/src/server/mutations/index.ts +13 -0
package/src/server/mutations/invalidate.ts +50 -0
package/src/server/mutations/oauth.ts +237 -0
package/src/server/mutations/refresh.ts +298 -0
package/src/server/mutations/register.ts +200 -0
package/src/server/mutations/retrieve.ts +109 -0
package/src/server/mutations/signature.ts +50 -0
package/src/server/{implementation/mutations → mutations}/signin.ts +9 -7
package/src/server/mutations/signout.ts +43 -0
package/src/server/mutations/store/refs.ts +10 -0
package/src/server/mutations/store.ts +138 -0
package/src/server/mutations/verifier.ts +34 -0
package/src/server/mutations/verify.ts +202 -0
package/src/server/oauth.ts +243 -131
package/src/server/passkey.ts +784 -0
package/src/server/{implementation/redirects.ts → redirects.ts} +21 -16
package/src/server/refresh.ts +222 -0
package/src/server/runtime.ts +880 -0
package/src/server/{implementation/sessions.ts → sessions.ts} +33 -25
package/src/server/signin.ts +438 -0
package/src/server/ssr.ts +1764 -0
package/src/server/templates.ts +8 -3
package/src/server/{implementation/tokens.ts → tokens.ts} +11 -5
package/src/server/totp.ts +349 -0
package/src/server/types.ts +972 -207
package/src/server/{implementation/users.ts → users.ts} +129 -75
package/src/server/utils.ts +192 -5
package/src/test.ts +28 -4
package/dist/bin.cjs +0 -27757
package/dist/component/providers/email.js +0 -47
package/dist/component/providers/email.js.map +0 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation/db.js.map +0 -1
package/dist/component/server/implementation/device.js +0 -135
package/dist/component/server/implementation/device.js.map +0 -1
package/dist/component/server/implementation/index.d.ts +0 -870
package/dist/component/server/implementation/index.d.ts.map +0 -1
package/dist/component/server/implementation/index.js +0 -610
package/dist/component/server/implementation/index.js.map +0 -1
package/dist/component/server/implementation/keys.js.map +0 -1
package/dist/component/server/implementation/mutations/account.js +0 -39
package/dist/component/server/implementation/mutations/account.js.map +0 -1
package/dist/component/server/implementation/mutations/code.js.map +0 -1
package/dist/component/server/implementation/mutations/index.js +0 -70
package/dist/component/server/implementation/mutations/index.js.map +0 -1
package/dist/component/server/implementation/mutations/invalidate.js +0 -29
package/dist/component/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/component/server/implementation/mutations/oauth.js +0 -51
package/dist/component/server/implementation/mutations/oauth.js.map +0 -1
package/dist/component/server/implementation/mutations/refresh.js +0 -85
package/dist/component/server/implementation/mutations/refresh.js.map +0 -1
package/dist/component/server/implementation/mutations/register.js +0 -65
package/dist/component/server/implementation/mutations/register.js.map +0 -1
package/dist/component/server/implementation/mutations/retrieve.js +0 -50
package/dist/component/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/component/server/implementation/mutations/signature.js +0 -27
package/dist/component/server/implementation/mutations/signature.js.map +0 -1
package/dist/component/server/implementation/mutations/signin.js.map +0 -1
package/dist/component/server/implementation/mutations/signout.js +0 -27
package/dist/component/server/implementation/mutations/signout.js.map +0 -1
package/dist/component/server/implementation/mutations/store.js +0 -12
package/dist/component/server/implementation/mutations/store.js.map +0 -1
package/dist/component/server/implementation/mutations/verifier.js +0 -16
package/dist/component/server/implementation/mutations/verifier.js.map +0 -1
package/dist/component/server/implementation/mutations/verify.js +0 -105
package/dist/component/server/implementation/mutations/verify.js.map +0 -1
package/dist/component/server/implementation/passkey.js +0 -307
package/dist/component/server/implementation/passkey.js.map +0 -1
package/dist/component/server/implementation/provider.js +0 -19
package/dist/component/server/implementation/provider.js.map +0 -1
package/dist/component/server/implementation/ratelimit.js +0 -48
package/dist/component/server/implementation/ratelimit.js.map +0 -1
package/dist/component/server/implementation/redirects.js.map +0 -1
package/dist/component/server/implementation/refresh.js +0 -109
package/dist/component/server/implementation/refresh.js.map +0 -1
package/dist/component/server/implementation/sessions.js.map +0 -1
package/dist/component/server/implementation/signin.js +0 -148
package/dist/component/server/implementation/signin.js.map +0 -1
package/dist/component/server/implementation/tokens.js +0 -15
package/dist/component/server/implementation/tokens.js.map +0 -1
package/dist/component/server/implementation/totp.js +0 -142
package/dist/component/server/implementation/totp.js.map +0 -1
package/dist/component/server/implementation/types.d.ts +0 -42
package/dist/component/server/implementation/types.d.ts.map +0 -1
package/dist/component/server/implementation/types.js.map +0 -1
package/dist/component/server/implementation/users.js.map +0 -1
package/dist/component/server/implementation/utils.js +0 -56
package/dist/component/server/implementation/utils.js.map +0 -1
package/dist/component/server/providers.js.map +0 -1
package/dist/component/server/templates.js +0 -84
package/dist/component/server/templates.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/implementation/db.d.ts +0 -86
package/dist/server/implementation/db.d.ts.map +0 -1
package/dist/server/implementation/db.js.map +0 -1
package/dist/server/implementation/device.d.ts +0 -30
package/dist/server/implementation/device.d.ts.map +0 -1
package/dist/server/implementation/device.js +0 -135
package/dist/server/implementation/device.js.map +0 -1
package/dist/server/implementation/index.d.ts +0 -870
package/dist/server/implementation/index.d.ts.map +0 -1
package/dist/server/implementation/index.js +0 -610
package/dist/server/implementation/index.js.map +0 -1
package/dist/server/implementation/keys.d.ts +0 -66
package/dist/server/implementation/keys.d.ts.map +0 -1
package/dist/server/implementation/keys.js.map +0 -1
package/dist/server/implementation/mutations/account.d.ts +0 -27
package/dist/server/implementation/mutations/account.d.ts.map +0 -1
package/dist/server/implementation/mutations/account.js +0 -39
package/dist/server/implementation/mutations/account.js.map +0 -1
package/dist/server/implementation/mutations/code.d.ts +0 -29
package/dist/server/implementation/mutations/code.d.ts.map +0 -1
package/dist/server/implementation/mutations/code.js.map +0 -1
package/dist/server/implementation/mutations/index.d.ts +0 -310
package/dist/server/implementation/mutations/index.d.ts.map +0 -1
package/dist/server/implementation/mutations/index.js +0 -70
package/dist/server/implementation/mutations/index.js.map +0 -1
package/dist/server/implementation/mutations/invalidate.d.ts +0 -18
package/dist/server/implementation/mutations/invalidate.d.ts.map +0 -1
package/dist/server/implementation/mutations/invalidate.js +0 -29
package/dist/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/server/implementation/mutations/oauth.d.ts +0 -23
package/dist/server/implementation/mutations/oauth.d.ts.map +0 -1
package/dist/server/implementation/mutations/oauth.js +0 -51
package/dist/server/implementation/mutations/oauth.js.map +0 -1
package/dist/server/implementation/mutations/refresh.d.ts +0 -20
package/dist/server/implementation/mutations/refresh.d.ts.map +0 -1
package/dist/server/implementation/mutations/refresh.js +0 -85
package/dist/server/implementation/mutations/refresh.js.map +0 -1
package/dist/server/implementation/mutations/register.d.ts +0 -37
package/dist/server/implementation/mutations/register.d.ts.map +0 -1
package/dist/server/implementation/mutations/register.js +0 -65
package/dist/server/implementation/mutations/register.js.map +0 -1
package/dist/server/implementation/mutations/retrieve.d.ts +0 -31
package/dist/server/implementation/mutations/retrieve.d.ts.map +0 -1
package/dist/server/implementation/mutations/retrieve.js +0 -50
package/dist/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/server/implementation/mutations/signature.d.ts +0 -19
package/dist/server/implementation/mutations/signature.d.ts.map +0 -1
package/dist/server/implementation/mutations/signature.js +0 -27
package/dist/server/implementation/mutations/signature.js.map +0 -1
package/dist/server/implementation/mutations/signin.d.ts +0 -21
package/dist/server/implementation/mutations/signin.d.ts.map +0 -1
package/dist/server/implementation/mutations/signin.js.map +0 -1
package/dist/server/implementation/mutations/signout.d.ts +0 -14
package/dist/server/implementation/mutations/signout.d.ts.map +0 -1
package/dist/server/implementation/mutations/signout.js +0 -27
package/dist/server/implementation/mutations/signout.js.map +0 -1
package/dist/server/implementation/mutations/store.d.ts +0 -11
package/dist/server/implementation/mutations/store.d.ts.map +0 -1
package/dist/server/implementation/mutations/store.js +0 -12
package/dist/server/implementation/mutations/store.js.map +0 -1
package/dist/server/implementation/mutations/verifier.d.ts +0 -11
package/dist/server/implementation/mutations/verifier.d.ts.map +0 -1
package/dist/server/implementation/mutations/verifier.js +0 -16
package/dist/server/implementation/mutations/verifier.js.map +0 -1
package/dist/server/implementation/mutations/verify.d.ts +0 -25
package/dist/server/implementation/mutations/verify.d.ts.map +0 -1
package/dist/server/implementation/mutations/verify.js +0 -105
package/dist/server/implementation/mutations/verify.js.map +0 -1
package/dist/server/implementation/passkey.d.ts +0 -24
package/dist/server/implementation/passkey.d.ts.map +0 -1
package/dist/server/implementation/passkey.js +0 -307
package/dist/server/implementation/passkey.js.map +0 -1
package/dist/server/implementation/provider.d.ts +0 -10
package/dist/server/implementation/provider.d.ts.map +0 -1
package/dist/server/implementation/provider.js +0 -19
package/dist/server/implementation/provider.js.map +0 -1
package/dist/server/implementation/ratelimit.d.ts +0 -10
package/dist/server/implementation/ratelimit.d.ts.map +0 -1
package/dist/server/implementation/ratelimit.js +0 -48
package/dist/server/implementation/ratelimit.js.map +0 -1
package/dist/server/implementation/redirects.d.ts +0 -10
package/dist/server/implementation/redirects.d.ts.map +0 -1
package/dist/server/implementation/redirects.js.map +0 -1
package/dist/server/implementation/refresh.d.ts +0 -37
package/dist/server/implementation/refresh.d.ts.map +0 -1
package/dist/server/implementation/refresh.js +0 -109
package/dist/server/implementation/refresh.js.map +0 -1
package/dist/server/implementation/sessions.d.ts +0 -29
package/dist/server/implementation/sessions.d.ts.map +0 -1
package/dist/server/implementation/sessions.js.map +0 -1
package/dist/server/implementation/signin.d.ts +0 -55
package/dist/server/implementation/signin.d.ts.map +0 -1
package/dist/server/implementation/signin.js +0 -148
package/dist/server/implementation/signin.js.map +0 -1
package/dist/server/implementation/tokens.d.ts +0 -11
package/dist/server/implementation/tokens.d.ts.map +0 -1
package/dist/server/implementation/tokens.js +0 -15
package/dist/server/implementation/tokens.js.map +0 -1
package/dist/server/implementation/totp.d.ts +0 -31
package/dist/server/implementation/totp.d.ts.map +0 -1
package/dist/server/implementation/totp.js +0 -142
package/dist/server/implementation/totp.js.map +0 -1
package/dist/server/implementation/types.d.ts +0 -189
package/dist/server/implementation/types.d.ts.map +0 -1
package/dist/server/implementation/types.js +0 -97
package/dist/server/implementation/types.js.map +0 -1
package/dist/server/implementation/users.d.ts +0 -30
package/dist/server/implementation/users.d.ts.map +0 -1
package/dist/server/implementation/users.js.map +0 -1
package/dist/server/implementation/utils.d.ts +0 -19
package/dist/server/implementation/utils.d.ts.map +0 -1
package/dist/server/implementation/utils.js +0 -56
package/dist/server/implementation/utils.js.map +0 -1
package/dist/server/index.d.ts.map +0 -1
package/dist/server/index.js.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/providers.d.ts +0 -72
package/dist/server/providers.d.ts.map +0 -1
package/dist/server/providers.js.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/dist/server/version.d.ts +0 -5
package/dist/server/version.d.ts.map +0 -1
package/dist/server/version.js +0 -6
package/dist/server/version.js.map +0 -1
package/src/cli/utils.ts +0 -248
package/src/server/implementation/device.ts +0 -307
package/src/server/implementation/index.ts +0 -1583
package/src/server/implementation/mutations/account.ts +0 -50
package/src/server/implementation/mutations/index.ts +0 -157
package/src/server/implementation/mutations/invalidate.ts +0 -42
package/src/server/implementation/mutations/oauth.ts +0 -73
package/src/server/implementation/mutations/refresh.ts +0 -175
package/src/server/implementation/mutations/register.ts +0 -100
package/src/server/implementation/mutations/retrieve.ts +0 -79
package/src/server/implementation/mutations/signature.ts +0 -39
package/src/server/implementation/mutations/signout.ts +0 -35
package/src/server/implementation/mutations/store.ts +0 -7
package/src/server/implementation/mutations/verifier.ts +0 -24
package/src/server/implementation/mutations/verify.ts +0 -194
package/src/server/implementation/passkey.ts +0 -620
package/src/server/implementation/provider.ts +0 -36
package/src/server/implementation/ratelimit.ts +0 -79
package/src/server/implementation/refresh.ts +0 -172
package/src/server/implementation/signin.ts +0 -296
package/src/server/implementation/totp.ts +0 -342
package/src/server/implementation/types.ts +0 -444
package/src/server/implementation/utils.ts +0 -91
package/src/server/version.ts +0 -2

package/src/server/passkey.ts ADDED Viewed

@@ -0,0 +1,784 @@
+/**
+ * Server-side WebAuthn ceremony logic for passkey authentication.
+ *
+ * Handles the four phases of the WebAuthn flow:
+ * 1. registerOptions — generate PublicKeyCredentialCreationOptions
+ * 2. registerVerify — verify attestation and store credential
+ * 3. authOptions — generate PublicKeyCredentialRequestOptions
+ * 4. authVerify — verify assertion signature and sign in
+ *
+ * Uses `@oslojs/webauthn` for attestation/assertion parsing and
+ * `@oslojs/crypto` for signature verification.
+ *
+ * All functions return `Fx<A, AuthError>` composed via `Fx.chain` pipelines.
+ *
+ * @module
+ */
+import {
+  p256,
+  verifyECDSASignature,
+  decodeSEC1PublicKey,
+  decodePKIXECDSASignature,
+} from "@oslojs/crypto/ecdsa";
+import {
+  RSAPublicKey,
+  decodePKCS1RSAPublicKey,
+  sha256ObjectIdentifier,
+  verifyRSASSAPKCS1v15Signature,
+} from "@oslojs/crypto/rsa";
+import { sha256 } from "@oslojs/crypto/sha2";
+import {
+  encodeBase64urlNoPadding,
+  decodeBase64urlIgnorePadding,
+} from "@oslojs/encoding";
+import {
+  parseAttestationObject,
+  parseClientDataJSON,
+  parseAuthenticatorData,
+  createAssertionSignatureMessage,
+  ClientDataType,
+  coseAlgorithmES256,
+  coseAlgorithmRS256,
+  COSEKeyType,
+} from "@oslojs/webauthn";
+import type { Fx as FxType } from "@robelest/fx";
+import { authDb } from "./db";
+import { Fx } from "@robelest/fx";
+import { AuthError } from "./authError";
+import { userIdFromIdentitySubject } from "./identity";
+import { callSignIn, callVerifier } from "./mutations/index";
+import { callVerifierSignature } from "./mutations/signature";
+import { PasskeyProviderConfig, GenericActionCtxWithAuthConfig } from "./types";
+import {
+  AuthDataModel,
+  SessionInfo,
+  queryUserById,
+  queryUserByVerifiedEmail,
+  queryPasskeysByUserId,
+  queryPasskeyByCredentialId,
+  queryVerifierById,
+  mutatePasskeyInsert,
+  mutatePasskeyUpdateCounter,
+  mutateVerifierDelete,
+} from "./types";
+type EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;
+// ============================================================================
+// Resolve RP options — Fx pipeline with validation
+// ============================================================================
+/** Resolved relying party configuration. */
+interface RpOptions {
+  rpName: string;
+  rpId: string;
+  origin: string | string[];
+  attestation: string;
+  userVerification: string;
+  residentKey: string;
+  authenticatorAttachment?: string;
+  algorithms: number[];
+  challengeExpirationMs: number;
+}
+/**
+ * Resolve passkey relying party options from provider config and environment.
+ *
+ * Returns `Fx<RpOptions, AuthError>` — fails if neither SITE_URL nor rpId
+ * is configured.
+ */
+const resolveRpOptionsFx = (
+  provider: PasskeyProviderConfig,
+): FxType<RpOptions, AuthError> => {
+  const siteUrl = process.env.SITE_URL;
+  const hasSiteUrl = siteUrl !== undefined && siteUrl !== "";
+  const hasRpId = provider.options.rpId !== undefined;
+  return Fx.succeed({ siteUrl, hasSiteUrl, hasRpId }).pipe(
+    Fx.chain(({ siteUrl, hasSiteUrl, hasRpId }) =>
+      !hasSiteUrl && !hasRpId
+        ? Fx.fail(
+            new AuthError(
+              "PASSKEY_MISSING_CONFIG",
+              "Passkey provider requires SITE_URL env var (your frontend URL) " +
+                "or explicit rpId / origin in the provider config. " +
+                "CONVEX_SITE_URL cannot be used because WebAuthn RP ID must match the frontend domain.",
+            ),
+          )
+        : Fx.succeed(siteUrl),
+    ),
+    Fx.map((siteUrl) => {
+      const siteHostname = siteUrl ? new URL(siteUrl).hostname : undefined;
+      return {
+        rpName: provider.options.rpName ?? siteHostname ?? "localhost",
+        rpId: provider.options.rpId ?? siteHostname ?? "localhost",
+        origin: provider.options.origin ?? siteUrl ?? "http://localhost",
+        attestation: provider.options.attestation ?? "none",
+        userVerification: provider.options.userVerification ?? "required",
+        residentKey: provider.options.residentKey ?? "preferred",
+        authenticatorAttachment: provider.options.authenticatorAttachment,
+        algorithms: provider.options.algorithms ?? [
+          coseAlgorithmES256,
+          coseAlgorithmRS256,
+        ],
+        challengeExpirationMs:
+          provider.options.challengeExpirationMs ?? 300_000,
+      };
+    }),
+  );
+};
+// ============================================================================
+// Composable validators — small functions (A) => Fx<B, AuthError>
+// ============================================================================
+/** Verify client data type matches expected WebAuthn ceremony type. */
+const verifyClientDataType =
+  <T extends { type: ClientDataType }>(
+    expectedType: ClientDataType,
+    label: string,
+  ) =>
+  (clientData: T): FxType<T, AuthError> =>
+    clientData.type === expectedType
+      ? Fx.succeed(clientData)
+      : Fx.fail(
+          new AuthError(
+            "PASSKEY_INVALID_CLIENT_DATA",
+            `Invalid client data type: expected ${label}`,
+          ),
+        );
+/** Verify origin is in the allowed list. */
+const verifyOrigin =
+  (rp: RpOptions) =>
+  <T extends { origin: string }>(clientData: T): FxType<T, AuthError> => {
+    const allowed = Array.isArray(rp.origin) ? rp.origin : [rp.origin];
+    return allowed.includes(clientData.origin)
+      ? Fx.succeed(clientData)
+      : Fx.fail(
+          new AuthError(
+            "PASSKEY_INVALID_ORIGIN",
+            `Invalid origin: ${clientData.origin}, expected one of: ${allowed.join(", ")}`,
+          ),
+        );
+  };
+/** Verify the challenge hash matches the stored verifier, then delete verifier. */
+const verifyAndConsumeChallenge =
+  (ctx: EnrichedActionCtx, verifierValue: string) =>
+  <T extends { challenge: Uint8Array }>(
+    clientData: T,
+  ): FxType<T, AuthError> => {
+    const challengeHash = encodeBase64urlNoPadding(
+      new Uint8Array(sha256(clientData.challenge)),
+    );
+    return Fx.from({
+      ok: () => queryVerifierById(ctx, verifierValue),
+      err: () => new AuthError("PASSKEY_INVALID_CHALLENGE"),
+    }).pipe(
+      Fx.chain((doc) =>
+        !doc || doc.signature !== challengeHash
+          ? Fx.fail(new AuthError("PASSKEY_INVALID_CHALLENGE"))
+          : Fx.succeed(doc),
+      ),
+      Fx.chain(() =>
+        Fx.from({
+          ok: () => mutateVerifierDelete(ctx, verifierValue),
+          err: () => new AuthError("PASSKEY_INVALID_CHALLENGE"),
+        }),
+      ),
+      Fx.map(() => clientData),
+    );
+  };
+/** Verify RP ID hash matches. */
+const verifyRpId =
+  (rpId: string) =>
+  <T extends { verifyRelyingPartyIdHash: (id: string) => boolean }>(
+    authData: T,
+  ): FxType<T, AuthError> =>
+    authData.verifyRelyingPartyIdHash(rpId)
+      ? Fx.succeed(authData)
+      : Fx.fail(new AuthError("PASSKEY_RP_MISMATCH"));
+/** Verify user presence and (optionally) user verification flags. */
+const verifyUserFlags =
+  (rp: RpOptions) =>
+  <T extends { userPresent: boolean; userVerified: boolean }>(
+    authData: T,
+  ): FxType<T, AuthError> =>
+    !authData.userPresent
+      ? Fx.fail(new AuthError("PASSKEY_USER_PRESENCE"))
+      : rp.userVerification === "required" && !authData.userVerified
+        ? Fx.fail(new AuthError("PASSKEY_USER_VERIFICATION"))
+        : Fx.succeed(authData);
+// ============================================================================
+// Registration flow
+// ============================================================================
+// ============================================================================
+// Authentication flow
+// ============================================================================
+// ============================================================================
+// Main dispatch
+// ============================================================================
+/** Result type for all passkey flows. */
+type PasskeyResult =
+  | { kind: "signedIn"; signedIn: SessionInfo | null }
+  | { kind: "passkeyOptions"; options: Record<string, any>; verifier: string };
+const PASSKEY_FLOW = {
+  registerOptions: "registerOptions",
+  registerVerify: "registerVerify",
+  authOptions: "authOptions",
+  authVerify: "authVerify",
+} as const;
+const PASSKEY_FLOWS = [
+  PASSKEY_FLOW.registerOptions,
+  PASSKEY_FLOW.registerVerify,
+  PASSKEY_FLOW.authOptions,
+  PASSKEY_FLOW.authVerify,
+] as const;
+type PasskeyDispatch =
+  | { flow: typeof PASSKEY_FLOW.registerOptions }
+  | { flow: typeof PASSKEY_FLOW.registerVerify }
+  | { flow: typeof PASSKEY_FLOW.authOptions }
+  | { flow: typeof PASSKEY_FLOW.authVerify };
+const resolvePasskeyDispatchFx = (
+  params: Record<string, unknown>,
+): FxType<PasskeyDispatch, AuthError> => {
+  const flow = params.flow;
+  return typeof flow === "string" && PASSKEY_FLOWS.includes(flow as never)
+    ? Fx.succeed({ flow: flow as (typeof PASSKEY_FLOWS)[number] })
+    : Fx.fail(
+        new AuthError(
+          "PASSKEY_MISSING_FLOW",
+          "Missing `flow` parameter. Expected one of: registerOptions, registerVerify, authOptions, authVerify",
+        ),
+      );
+};
+const requirePasskeyVerifierFx = (
+  verifier: string | undefined,
+): FxType<string, AuthError> =>
+  verifier != null
+    ? Fx.succeed(verifier)
+    : Fx.fail(new AuthError("PASSKEY_MISSING_VERIFIER"));
+/**
+ * Main passkey handler dispatched from signIn.ts.
+ *
+ * Routes to the appropriate phase based on `params.flow` via `dispatchFx`.
+ */
+export function handlePasskeyFx(
+  ctx: EnrichedActionCtx,
+  provider: PasskeyProviderConfig,
+  args: {
+    params?: Record<string, any>;
+    verifier?: string;
+  },
+): FxType<PasskeyResult, AuthError> {
+  const params = (args.params ?? {}) as Record<string, any>;
+  return resolvePasskeyDispatchFx(params).pipe(
+    Fx.chain((dispatch) => {
+      const flowFx: FxType<PasskeyResult, AuthError> = Fx.match(dispatch).on(
+        "flow",
+        {
+          registerOptions: (_) =>
+            Fx.zip(
+              Fx.from({
+                ok: () => ctx.auth.getUserIdentity(),
+                err: () => new AuthError("PASSKEY_AUTH_REQUIRED"),
+              }).pipe(
+                Fx.chain((id) =>
+                  id === null
+                    ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED"))
+                    : Fx.succeed(userIdFromIdentitySubject(id.subject)),
+                ),
+              ),
+              resolveRpOptionsFx(provider),
+            ).pipe(
+              Fx.chain(([userId, rp]) => {
+                const challenge = new Uint8Array(32);
+                crypto.getRandomValues(challenge);
+                const challengeHash = encodeBase64urlNoPadding(
+                  new Uint8Array(sha256(challenge)),
+                );
+                return Fx.from({
+                  ok: async () => {
+                    const verifier = await callVerifier(ctx);
+                    await callVerifierSignature(ctx, {
+                      verifier,
+                      signature: challengeHash,
+                    });
+                    const user = await queryUserById(ctx, userId);
+                    const userName = params.userName ?? user?.email ?? "user";
+                    const userDisplayName =
+                      params.userDisplayName ?? user?.name ?? userName;
+                    const existing = await queryPasskeysByUserId(ctx, userId);
+                    const excludeCredentials = existing.map((pk) => ({
+                      id: pk.credentialId,
+                      transports: pk.transports,
+                    }));
+                    const userHandle = encodeBase64urlNoPadding(
+                      new TextEncoder().encode(userId),
+                    );
+                    const options = {
+                      rp: { name: rp.rpName, id: rp.rpId },
+                      user: {
+                        id: userHandle,
+                        name: userName,
+                        displayName: userDisplayName,
+                      },
+                      challenge: encodeBase64urlNoPadding(challenge),
+                      pubKeyCredParams: rp.algorithms.map((alg) => ({
+                        type: "public-key" as const,
+                        alg,
+                      })),
+                      timeout: rp.challengeExpirationMs,
+                      attestation: rp.attestation,
+                      authenticatorSelection: {
+                        residentKey: rp.residentKey,
+                        requireResidentKey: rp.residentKey === "required",
+                        userVerification: rp.userVerification,
+                        ...(rp.authenticatorAttachment
+                          ? {
+                              authenticatorAttachment:
+                                rp.authenticatorAttachment,
+                            }
+                          : {}),
+                      },
+                      excludeCredentials,
+                    };
+                    return {
+                      kind: "passkeyOptions" as const,
+                      options,
+                      verifier,
+                    };
+                  },
+                  err: () => new AuthError("INTERNAL_ERROR"),
+                });
+              }),
+            ),
+          registerVerify: (_) =>
+            Fx.zip(
+              Fx.from({
+                ok: () => ctx.auth.getUserIdentity(),
+                err: () => new AuthError("PASSKEY_AUTH_REQUIRED"),
+              }).pipe(
+                Fx.chain((id) =>
+                  id === null
+                    ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED"))
+                    : Fx.succeed(userIdFromIdentitySubject(id.subject)),
+                ),
+              ),
+              resolveRpOptionsFx(provider),
+            ).pipe(
+              Fx.chain(([userId, rp]) =>
+                requirePasskeyVerifierFx(args.verifier).pipe(
+                  Fx.chain((verifier) => {
+                    const clientDataJSON = decodeBase64urlIgnorePadding(
+                      params.clientDataJSON,
+                    );
+                    const clientData = parseClientDataJSON(clientDataJSON);
+                    const verifiedClientDataFx = Fx.succeed(clientData).pipe(
+                      Fx.chain(
+                        verifyClientDataType(
+                          ClientDataType.Create,
+                          "webauthn.create",
+                        ),
+                      ),
+                      Fx.chain(verifyOrigin(rp)),
+                      Fx.chain(verifyAndConsumeChallenge(ctx, verifier)),
+                      Fx.map(() => {
+                        const attestationObjectBytes =
+                          decodeBase64urlIgnorePadding(
+                            params.attestationObject,
+                          );
+                        const attestation = parseAttestationObject(
+                          attestationObjectBytes,
+                        );
+                        return attestation.authenticatorData;
+                      }),
+                    );
+                    return verifiedClientDataFx.pipe(
+                      Fx.chain(verifyRpId(rp.rpId)),
+                      Fx.chain(verifyUserFlags(rp)),
+                      Fx.chain((authData) => {
+                        if (authData.credential == null) {
+                          return Fx.fail(
+                            new AuthError("PASSKEY_NO_CREDENTIAL"),
+                          );
+                        }
+                        return Fx.succeed({
+                          authData,
+                          credential: authData.credential,
+                        });
+                      }),
+                      Fx.chain(({ authData, credential }) => {
+                        const credentialId = encodeBase64urlNoPadding(
+                          credential.id,
+                        );
+                        const publicKey = credential.publicKey;
+                        let algorithm: number;
+                        if (publicKey.isAlgorithmDefined()) {
+                          algorithm = publicKey.algorithm();
+                        } else {
+                          const keyType = publicKey.type();
+                          algorithm =
+                            keyType === COSEKeyType.EC2
+                              ? coseAlgorithmES256
+                              : keyType === COSEKeyType.RSA
+                                ? coseAlgorithmRS256
+                                : coseAlgorithmES256;
+                        }
+                        const handlers: Record<
+                          number,
+                          (() => FxType<Uint8Array, AuthError>) | undefined
+                        > = {
+                          [coseAlgorithmES256]: () => {
+                            const ec2 = publicKey.ec2();
+                            const xBytes = new Uint8Array(32);
+                            let vx = ec2.x;
+                            for (let i = 31; i >= 0; i--) {
+                              xBytes[i] = Number(vx & 0xffn);
+                              vx >>= 8n;
+                            }
+                            const yBytes = new Uint8Array(32);
+                            let vy = ec2.y;
+                            for (let i = 31; i >= 0; i--) {
+                              yBytes[i] = Number(vy & 0xffn);
+                              vy >>= 8n;
+                            }
+                            const bytes = new Uint8Array(65);
+                            bytes[0] = 0x04;
+                            bytes.set(xBytes, 1);
+                            bytes.set(yBytes, 33);
+                            return Fx.succeed(bytes);
+                          },
+                          [coseAlgorithmRS256]: () => {
+                            const rsa = publicKey.rsa();
+                            const rsaPubKey = new RSAPublicKey(rsa.n, rsa.e);
+                            return Fx.succeed(rsaPubKey.encodePKCS1());
+                          },
+                        };
+                        const handler = handlers[algorithm];
+                        return (
+                          handler
+                            ? handler()
+                            : Fx.fail(
+                                new AuthError(
+                                  "PASSKEY_UNSUPPORTED_ALGORITHM",
+                                  `Unsupported algorithm: ${algorithm}`,
+                                ),
+                              )
+                        ).pipe(
+                          Fx.chain((publicKeyBytes) =>
+                            Fx.from({
+                              ok: async () => {
+                                const deviceType =
+                                  params.deviceType ?? "single-device";
+                                const backedUp = params.backedUp ?? false;
+                                const db = authDb(ctx, ctx.auth.config);
+                                await db.accounts.create({
+                                  userId,
+                                  provider: provider.id,
+                                  providerAccountId: credentialId,
+                                });
+                                await mutatePasskeyInsert(ctx, {
+                                  userId,
+                                  credentialId,
+                                  publicKey: publicKeyBytes.buffer.slice(
+                                    publicKeyBytes.byteOffset,
+                                    publicKeyBytes.byteOffset +
+                                      publicKeyBytes.byteLength,
+                                  ),
+                                  algorithm,
+                                  counter: authData.signatureCounter,
+                                  transports: params.transports,
+                                  deviceType,
+                                  backedUp,
+                                  name: params.passkeyName,
+                                  createdAt: Date.now(),
+                                });
+                                const signInResult = await callSignIn(ctx, {
+                                  userId,
+                                  generateTokens: true,
+                                });
+                                return {
+                                  kind: "signedIn" as const,
+                                  signedIn: signInResult,
+                                };
+                              },
+                              err: () => new AuthError("INTERNAL_ERROR"),
+                            }),
+                          ),
+                        );
+                      }),
+                    );
+                  }),
+                ),
+              ),
+            ),
+          authOptions: (_) =>
+            resolveRpOptionsFx(provider).pipe(
+              Fx.chain((rp) => {
+                const challenge = new Uint8Array(32);
+                crypto.getRandomValues(challenge);
+                const challengeHash = encodeBase64urlNoPadding(
+                  new Uint8Array(sha256(challenge)),
+                );
+                return Fx.from({
+                  ok: async () => {
+                    const verifier = await callVerifier(ctx);
+                    await callVerifierSignature(ctx, {
+                      verifier,
+                      signature: challengeHash,
+                    });
+                    let allowCredentials:
+                      | Array<{
+                          type: string;
+                          id: string;
+                          transports?: string[];
+                        }>
+                      | undefined;
+                    if (params.email) {
+                      const user = await queryUserByVerifiedEmail(
+                        ctx,
+                        params.email,
+                      );
+                      if (user) {
+                        const passkeys = await queryPasskeysByUserId(
+                          ctx,
+                          user._id,
+                        );
+                        if (passkeys.length > 0) {
+                          allowCredentials = passkeys.map((pk) => ({
+                            type: "public-key",
+                            id: pk.credentialId,
+                            transports: pk.transports,
+                          }));
+                        }
+                      }
+                    }
+                    const options: Record<string, any> = {
+                      challenge: encodeBase64urlNoPadding(challenge),
+                      timeout: rp.challengeExpirationMs,
+                      rpId: rp.rpId,
+                      userVerification: rp.userVerification,
+                    };
+                    if (allowCredentials) {
+                      options.allowCredentials = allowCredentials;
+                    }
+                    return {
+                      kind: "passkeyOptions" as const,
+                      options,
+                      verifier,
+                    };
+                  },
+                  err: () => new AuthError("INTERNAL_ERROR"),
+                });
+              }),
+            ),
+          authVerify: (_) =>
+            Fx.zip(
+              resolveRpOptionsFx(provider),
+              requirePasskeyVerifierFx(args.verifier),
+            ).pipe(
+              Fx.chain(([rp, verifier]) => {
+                const clientDataJSON = decodeBase64urlIgnorePadding(
+                  params.clientDataJSON,
+                );
+                const clientData = parseClientDataJSON(clientDataJSON);
+                const verifiedClientDataFx = Fx.succeed(clientData).pipe(
+                  Fx.chain(
+                    verifyClientDataType(ClientDataType.Get, "webauthn.get"),
+                  ),
+                  Fx.chain(verifyOrigin(rp)),
+                  Fx.chain(verifyAndConsumeChallenge(ctx, verifier)),
+                  Fx.chain(() =>
+                    params.credentialId != null
+                      ? Fx.succeed(params.credentialId as string)
+                      : Fx.fail(
+                          new AuthError(
+                            "PASSKEY_UNKNOWN_CREDENTIAL",
+                            "Missing credential ID",
+                          ),
+                        ),
+                  ),
+                );
+                return verifiedClientDataFx.pipe(
+                  Fx.chain((credentialId) =>
+                    Fx.from({
+                      ok: () => queryPasskeyByCredentialId(ctx, credentialId),
+                      err: () => new AuthError("PASSKEY_UNKNOWN_CREDENTIAL"),
+                    }).pipe(
+                      Fx.chain((passkey) =>
+                        passkey
+                          ? Fx.succeed(passkey)
+                          : Fx.fail(
+                              new AuthError(
+                                "PASSKEY_UNKNOWN_CREDENTIAL",
+                                "Unknown credential",
+                              ),
+                            ),
+                      ),
+                    ),
+                  ),
+                  Fx.chain((passkey) => {
+                    const authenticatorDataBytes = decodeBase64urlIgnorePadding(
+                      params.authenticatorData,
+                    );
+                    const authenticatorData = parseAuthenticatorData(
+                      authenticatorDataBytes,
+                    );
+                    const signature = decodeBase64urlIgnorePadding(
+                      params.signature,
+                    );
+                    const signatureMessage = createAssertionSignatureMessage(
+                      authenticatorDataBytes,
+                      clientDataJSON,
+                    );
+                    const messageHash = sha256(signatureMessage);
+                    const checkedAuthenticatorFx = Fx.succeed(
+                      authenticatorData,
+                    ).pipe(
+                      Fx.chain(verifyRpId(rp.rpId)),
+                      Fx.chain(verifyUserFlags(rp)),
+                    );
+                    const signatureVerifiedFx = checkedAuthenticatorFx.pipe(
+                      Fx.chain(() => {
+                        const storedPublicKeyBytes = new Uint8Array(
+                          passkey.publicKey,
+                        );
+                        const algorithmHandlers: Record<
+                          number,
+                          (() => FxType<void, AuthError>) | undefined
+                        > = {
+                          [coseAlgorithmES256]: () => {
+                            const ecPublicKey = decodeSEC1PublicKey(
+                              p256,
+                              storedPublicKeyBytes,
+                            );
+                            const ecdsaSignature =
+                              decodePKIXECDSASignature(signature);
+                            const valid = verifyECDSASignature(
+                              ecPublicKey,
+                              messageHash,
+                              ecdsaSignature,
+                            );
+                            return valid
+                              ? Fx.succeed(undefined as void)
+                              : Fx.fail(
+                                  new AuthError("PASSKEY_INVALID_SIGNATURE"),
+                                );
+                          },
+                          [coseAlgorithmRS256]: () => {
+                            const rsaPublicKey =
+                              decodePKCS1RSAPublicKey(storedPublicKeyBytes);
+                            const valid = verifyRSASSAPKCS1v15Signature(
+                              rsaPublicKey,
+                              sha256ObjectIdentifier,
+                              messageHash,
+                              signature,
+                            );
+                            return valid
+                              ? Fx.succeed(undefined as void)
+                              : Fx.fail(
+                                  new AuthError("PASSKEY_INVALID_SIGNATURE"),
+                                );
+                          },
+                        };
+                        const handler = algorithmHandlers[passkey.algorithm];
+                        return handler
+                          ? handler()
+                          : Fx.fail(
+                              new AuthError(
+                                "PASSKEY_UNSUPPORTED_ALGORITHM",
+                                `Unsupported algorithm: ${passkey.algorithm}`,
+                              ),
+                            );
+                      }),
+                    );
+                    const counterValidatedFx = signatureVerifiedFx.pipe(
+                      Fx.chain(() =>
+                        passkey.counter !== 0 &&
+                        authenticatorData.signatureCounter !== 0 &&
+                        authenticatorData.signatureCounter <= passkey.counter
+                          ? Fx.fail(new AuthError("PASSKEY_COUNTER_ERROR"))
+                          : Fx.succeed(authenticatorData),
+                      ),
+                    );
+                    return counterValidatedFx.pipe(
+                      Fx.chain(() =>
+                        Fx.from({
+                          ok: async () => {
+                            await mutatePasskeyUpdateCounter(
+                              ctx,
+                              passkey._id,
+                              authenticatorData.signatureCounter,
+                              Date.now(),
+                            );
+                            const signInResult = await callSignIn(ctx, {
+                              userId: passkey.userId,
+                              generateTokens: true,
+                            });
+                            return {
+                              kind: "signedIn" as const,
+                              signedIn: signInResult,
+                            };
+                          },
+                          err: () => new AuthError("INTERNAL_ERROR"),
+                        }),
+                      ),
+                    );
+                  }),
+                );
+              }),
+            ),
+        },
+      );
+      return flowFx;
+    }),
+  );
+}