@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

Files changed (798)
  1. package/README.md +67 -26
  2. package/dist/authorization/index.d.ts +63 -0
  3. package/dist/authorization/index.d.ts.map +1 -0
  4. package/dist/authorization/index.js +63 -0
  5. package/dist/authorization/index.js.map +1 -0
  6. package/dist/bin.js +6185 -0
  7. package/dist/client/core/types.d.ts +20 -0
  8. package/dist/client/core/types.d.ts.map +1 -0
  9. package/dist/client/index.d.ts +2 -299
  10. package/dist/client/index.d.ts.map +1 -1
  11. package/dist/client/index.js +407 -534
  12. package/dist/client/index.js.map +1 -1
  13. package/dist/component/_generated/api.d.ts +42 -0
  14. package/dist/component/_generated/api.d.ts.map +1 -1
  15. package/dist/component/_generated/api.js.map +1 -1
  16. package/dist/component/_generated/component.d.ts +2546 -90
  17. package/dist/component/_generated/component.d.ts.map +1 -1
  18. package/dist/component/client/core/types.d.ts +2 -0
  19. package/dist/component/client/index.d.ts +2 -0
  20. package/dist/component/convex.config.d.ts +2 -2
  21. package/dist/component/functions.d.ts +11 -9
  22. package/dist/component/functions.d.ts.map +1 -1
  23. package/dist/component/functions.js.map +1 -1
  24. package/dist/component/index.d.ts +7 -11
  25. package/dist/component/index.js +2 -3
  26. package/dist/component/model.d.ts +153 -0
  27. package/dist/component/model.d.ts.map +1 -0
  28. package/dist/component/model.js +349 -0
  29. package/dist/component/model.js.map +1 -0
  30. package/dist/component/providers/anonymous.d.ts +54 -0
  31. package/dist/component/providers/anonymous.d.ts.map +1 -0
  32. package/dist/component/providers/credentials.d.ts +5 -5
  33. package/dist/component/providers/credentials.d.ts.map +1 -1
  34. package/dist/component/providers/device.d.ts +67 -0
  35. package/dist/component/providers/device.d.ts.map +1 -0
  36. package/dist/component/providers/email.d.ts +62 -0
  37. package/dist/component/providers/email.d.ts.map +1 -0
  38. package/dist/component/providers/oauth.d.ts.map +1 -1
  39. package/dist/component/providers/oauth.js.map +1 -1
  40. package/dist/component/providers/passkey.d.ts +57 -0
  41. package/dist/component/providers/passkey.d.ts.map +1 -0
  42. package/dist/component/providers/password.d.ts +88 -0
  43. package/dist/component/providers/password.d.ts.map +1 -0
  44. package/dist/component/providers/phone.d.ts +48 -0
  45. package/dist/component/providers/phone.d.ts.map +1 -0
  46. package/dist/component/providers/sso.d.ts +50 -0
  47. package/dist/component/providers/sso.d.ts.map +1 -0
  48. package/dist/component/providers/totp.d.ts +45 -0
  49. package/dist/component/providers/totp.d.ts.map +1 -0
  50. package/dist/component/public/enterprise/audit.d.ts +73 -0
  51. package/dist/component/public/enterprise/audit.d.ts.map +1 -0
  52. package/dist/component/public/enterprise/audit.js +108 -0
  53. package/dist/component/public/enterprise/audit.js.map +1 -0
  54. package/dist/component/public/enterprise/core.d.ts +176 -0
  55. package/dist/component/public/enterprise/core.d.ts.map +1 -0
  56. package/dist/component/public/enterprise/core.js +292 -0
  57. package/dist/component/public/enterprise/core.js.map +1 -0
  58. package/dist/component/public/enterprise/domains.d.ts +174 -0
  59. package/dist/component/public/enterprise/domains.d.ts.map +1 -0
  60. package/dist/component/public/enterprise/domains.js +271 -0
  61. package/dist/component/public/enterprise/domains.js.map +1 -0
  62. package/dist/component/public/enterprise/scim.d.ts +245 -0
  63. package/dist/component/public/enterprise/scim.d.ts.map +1 -0
  64. package/dist/component/public/enterprise/scim.js +344 -0
  65. package/dist/component/public/enterprise/scim.js.map +1 -0
  66. package/dist/component/public/enterprise/secrets.d.ts +78 -0
  67. package/dist/component/public/enterprise/secrets.d.ts.map +1 -0
  68. package/dist/component/public/enterprise/secrets.js +118 -0
  69. package/dist/component/public/enterprise/secrets.js.map +1 -0
  70. package/dist/component/public/enterprise/webhooks.d.ts +211 -0
  71. package/dist/component/public/enterprise/webhooks.d.ts.map +1 -0
  72. package/dist/component/public/enterprise/webhooks.js +300 -0
  73. package/dist/component/public/enterprise/webhooks.js.map +1 -0
  74. package/dist/component/public/factors/devices.d.ts +157 -0
  75. package/dist/component/public/factors/devices.d.ts.map +1 -0
  76. package/dist/component/public/factors/devices.js +216 -0
  77. package/dist/component/public/factors/devices.js.map +1 -0
  78. package/dist/component/public/factors/passkeys.d.ts +175 -0
  79. package/dist/component/public/factors/passkeys.d.ts.map +1 -0
  80. package/dist/component/public/factors/passkeys.js +238 -0
  81. package/dist/component/public/factors/passkeys.js.map +1 -0
  82. package/dist/component/public/factors/totp.d.ts +189 -0
  83. package/dist/component/public/factors/totp.d.ts.map +1 -0
  84. package/dist/component/public/factors/totp.js +254 -0
  85. package/dist/component/public/factors/totp.js.map +1 -0
  86. package/dist/component/public/groups/core.d.ts +137 -0
  87. package/dist/component/public/groups/core.d.ts.map +1 -0
  88. package/dist/component/public/groups/core.js +321 -0
  89. package/dist/component/public/groups/core.js.map +1 -0
  90. package/dist/component/public/groups/invites.d.ts +217 -0
  91. package/dist/component/public/groups/invites.d.ts.map +1 -0
  92. package/dist/component/public/groups/invites.js +457 -0
  93. package/dist/component/public/groups/invites.js.map +1 -0
  94. package/dist/component/public/groups/members.d.ts +204 -0
  95. package/dist/component/public/groups/members.d.ts.map +1 -0
  96. package/dist/component/public/groups/members.js +355 -0
  97. package/dist/component/public/groups/members.js.map +1 -0
  98. package/dist/component/public/identity/accounts.d.ts +147 -0
  99. package/dist/component/public/identity/accounts.d.ts.map +1 -0
  100. package/dist/component/public/identity/accounts.js +200 -0
  101. package/dist/component/public/identity/accounts.js.map +1 -0
  102. package/dist/component/public/identity/codes.d.ts +104 -0
  103. package/dist/component/public/identity/codes.d.ts.map +1 -0
  104. package/dist/component/public/identity/codes.js +140 -0
  105. package/dist/component/public/identity/codes.js.map +1 -0
  106. package/dist/component/public/identity/sessions.d.ts +128 -0
  107. package/dist/component/public/identity/sessions.d.ts.map +1 -0
  108. package/dist/component/public/identity/sessions.js +192 -0
  109. package/dist/component/public/identity/sessions.js.map +1 -0
  110. package/dist/component/public/identity/tokens.d.ts +169 -0
  111. package/dist/component/public/identity/tokens.d.ts.map +1 -0
  112. package/dist/component/public/identity/tokens.js +227 -0
  113. package/dist/component/public/identity/tokens.js.map +1 -0
  114. package/dist/component/public/identity/users.d.ts +212 -0
  115. package/dist/component/public/identity/users.d.ts.map +1 -0
  116. package/dist/component/public/identity/users.js +311 -0
  117. package/dist/component/public/identity/users.js.map +1 -0
  118. package/dist/component/public/identity/verifiers.d.ts +116 -0
  119. package/dist/component/public/identity/verifiers.d.ts.map +1 -0
  120. package/dist/component/public/identity/verifiers.js +154 -0
  121. package/dist/component/public/identity/verifiers.js.map +1 -0
  122. package/dist/component/public/security/keys.d.ts +209 -0
  123. package/dist/component/public/security/keys.d.ts.map +1 -0
  124. package/dist/component/public/security/keys.js +319 -0
  125. package/dist/component/public/security/keys.js.map +1 -0
  126. package/dist/component/public/security/limits.d.ts +114 -0
  127. package/dist/component/public/security/limits.d.ts.map +1 -0
  128. package/dist/component/public/security/limits.js +169 -0
  129. package/dist/component/public/security/limits.js.map +1 -0
  130. package/dist/component/public.d.ts +24 -271
  131. package/dist/component/public.d.ts.map +1 -1
  132. package/dist/component/public.js +21 -1229
  133. package/dist/component/schema.d.ts +473 -110
  134. package/dist/component/schema.js +162 -73
  135. package/dist/component/schema.js.map +1 -1
  136. package/dist/component/server/auth.d.ts +318 -373
  137. package/dist/component/server/auth.d.ts.map +1 -1
  138. package/dist/component/server/auth.js +204 -123
  139. package/dist/component/server/auth.js.map +1 -1
  140. package/dist/component/server/authError.js +34 -0
  141. package/dist/component/server/authError.js.map +1 -0
  142. package/dist/component/server/{providers.js → config.js} +43 -12
  143. package/dist/component/server/config.js.map +1 -0
  144. package/dist/component/server/cookies.js +3 -0
  145. package/dist/component/server/cookies.js.map +1 -1
  146. package/dist/component/server/core.js +713 -0
  147. package/dist/component/server/core.js.map +1 -0
  148. package/dist/component/server/crypto.js +38 -0
  149. package/dist/component/server/crypto.js.map +1 -0
  150. package/dist/component/server/{implementation/db.js → db.js} +2 -1
  151. package/dist/component/server/db.js.map +1 -0
  152. package/dist/component/server/device.js +109 -0
  153. package/dist/component/server/device.js.map +1 -0
  154. package/dist/component/server/enterprise/config.js +46 -0
  155. package/dist/component/server/enterprise/config.js.map +1 -0
  156. package/dist/component/server/enterprise/domain.js +885 -0
  157. package/dist/component/server/enterprise/domain.js.map +1 -0
  158. package/dist/component/server/enterprise/http.js +766 -0
  159. package/dist/component/server/enterprise/http.js.map +1 -0
  160. package/dist/component/server/enterprise/oidc.js +248 -0
  161. package/dist/component/server/enterprise/oidc.js.map +1 -0
  162. package/dist/component/server/enterprise/policy.js +85 -0
  163. package/dist/component/server/enterprise/policy.js.map +1 -0
  164. package/dist/component/server/enterprise/saml.js +338 -0
  165. package/dist/component/server/enterprise/saml.js.map +1 -0
  166. package/dist/component/server/enterprise/scim.js +97 -0
  167. package/dist/component/server/enterprise/scim.js.map +1 -0
  168. package/dist/component/server/enterprise/shared.js +51 -0
  169. package/dist/component/server/enterprise/shared.js.map +1 -0
  170. package/dist/component/server/errors.d.ts +1 -0
  171. package/dist/component/server/errors.js +24 -16
  172. package/dist/component/server/errors.js.map +1 -1
  173. package/dist/component/server/http.js +288 -0
  174. package/dist/component/server/http.js.map +1 -0
  175. package/dist/component/server/identity.js +13 -0
  176. package/dist/component/server/identity.js.map +1 -0
  177. package/dist/{server/implementation → component/server}/keys.js +9 -31
  178. package/dist/component/server/keys.js.map +1 -0
  179. package/dist/component/server/limits.js +61 -0
  180. package/dist/component/server/limits.js.map +1 -0
  181. package/dist/component/server/mutations/account.js +44 -0
  182. package/dist/component/server/mutations/account.js.map +1 -0
  183. package/dist/component/server/{implementation/mutations → mutations}/code.js +7 -4
  184. package/dist/component/server/mutations/code.js.map +1 -0
  185. package/dist/component/server/mutations/invalidate.js +32 -0
  186. package/dist/component/server/mutations/invalidate.js.map +1 -0
  187. package/dist/component/server/mutations/oauth.js +110 -0
  188. package/dist/component/server/mutations/oauth.js.map +1 -0
  189. package/dist/component/server/mutations/refresh.js +119 -0
  190. package/dist/component/server/mutations/refresh.js.map +1 -0
  191. package/dist/component/server/mutations/register.js +83 -0
  192. package/dist/component/server/mutations/register.js.map +1 -0
  193. package/dist/component/server/mutations/retrieve.js +65 -0
  194. package/dist/component/server/mutations/retrieve.js.map +1 -0
  195. package/dist/component/server/mutations/signature.js +32 -0
  196. package/dist/component/server/mutations/signature.js.map +1 -0
  197. package/dist/component/server/{implementation/mutations → mutations}/signin.js +2 -2
  198. package/dist/component/server/mutations/signin.js.map +1 -0
  199. package/dist/component/server/mutations/signout.js +27 -0
  200. package/dist/component/server/mutations/signout.js.map +1 -0
  201. package/dist/component/server/mutations/store/refs.js +15 -0
  202. package/dist/component/server/mutations/store/refs.js.map +1 -0
  203. package/dist/component/server/mutations/store.js +85 -0
  204. package/dist/component/server/mutations/store.js.map +1 -0
  205. package/dist/component/server/mutations/verifier.js +18 -0
  206. package/dist/component/server/mutations/verifier.js.map +1 -0
  207. package/dist/component/server/mutations/verify.js +98 -0
  208. package/dist/component/server/mutations/verify.js.map +1 -0
  209. package/dist/component/server/oauth.js +106 -60
  210. package/dist/component/server/oauth.js.map +1 -1
  211. package/dist/component/server/passkey.js +328 -0
  212. package/dist/component/server/passkey.js.map +1 -0
  213. package/dist/{server/implementation → component/server}/redirects.js +13 -11
  214. package/dist/component/server/redirects.js.map +1 -0
  215. package/dist/component/server/refresh.js +96 -0
  216. package/dist/component/server/refresh.js.map +1 -0
  217. package/dist/component/server/runtime.d.ts +136 -0
  218. package/dist/component/server/runtime.d.ts.map +1 -0
  219. package/dist/component/server/runtime.js +413 -0
  220. package/dist/component/server/runtime.js.map +1 -0
  221. package/dist/{server/implementation → component/server}/sessions.js +14 -8
  222. package/dist/component/server/sessions.js.map +1 -0
  223. package/dist/component/server/signin.js +201 -0
  224. package/dist/component/server/signin.js.map +1 -0
  225. package/dist/component/server/tokens.js +17 -0
  226. package/dist/component/server/tokens.js.map +1 -0
  227. package/dist/component/server/totp.js +148 -0
  228. package/dist/component/server/totp.js.map +1 -0
  229. package/dist/component/server/types.d.ts +387 -298
  230. package/dist/component/server/types.d.ts.map +1 -1
  231. package/dist/component/server/{implementation/types.js → types.js} +1 -1
  232. package/dist/component/server/types.js.map +1 -0
  233. package/dist/component/server/{implementation/users.js → users.js} +54 -35
  234. package/dist/component/server/users.js.map +1 -0
  235. package/dist/component/server/utils.js +110 -4
  236. package/dist/component/server/utils.js.map +1 -1
  237. package/dist/core/types.d.ts +369 -0
  238. package/dist/core/types.d.ts.map +1 -0
  239. package/dist/factors/device.js +105 -0
  240. package/dist/factors/device.js.map +1 -0
  241. package/dist/factors/passkey.js +181 -0
  242. package/dist/factors/passkey.js.map +1 -0
  243. package/dist/factors/totp.js +122 -0
  244. package/dist/factors/totp.js.map +1 -0
  245. package/dist/providers/anonymous.d.ts +3 -9
  246. package/dist/providers/anonymous.d.ts.map +1 -1
  247. package/dist/providers/anonymous.js +1 -18
  248. package/dist/providers/anonymous.js.map +1 -1
  249. package/dist/providers/credentials.d.ts +8 -10
  250. package/dist/providers/credentials.d.ts.map +1 -1
  251. package/dist/providers/credentials.js +3 -5
  252. package/dist/providers/credentials.js.map +1 -1
  253. package/dist/providers/device.d.ts +18 -10
  254. package/dist/providers/device.d.ts.map +1 -1
  255. package/dist/providers/device.js +4 -8
  256. package/dist/providers/device.js.map +1 -1
  257. package/dist/providers/email.d.ts +50 -23
  258. package/dist/providers/email.d.ts.map +1 -1
  259. package/dist/providers/email.js +58 -34
  260. package/dist/providers/email.js.map +1 -1
  261. package/dist/providers/index.d.ts +7 -3
  262. package/dist/providers/index.js +4 -1
  263. package/dist/providers/oauth.d.ts.map +1 -1
  264. package/dist/providers/oauth.js.map +1 -1
  265. package/dist/providers/passkey.d.ts +12 -9
  266. package/dist/providers/passkey.d.ts.map +1 -1
  267. package/dist/providers/passkey.js +1 -7
  268. package/dist/providers/passkey.js.map +1 -1
  269. package/dist/providers/password.d.ts +6 -12
  270. package/dist/providers/password.d.ts.map +1 -1
  271. package/dist/providers/password.js +189 -89
  272. package/dist/providers/password.js.map +1 -1
  273. package/dist/providers/phone.d.ts +40 -11
  274. package/dist/providers/phone.d.ts.map +1 -1
  275. package/dist/providers/phone.js +52 -21
  276. package/dist/providers/phone.js.map +1 -1
  277. package/dist/providers/sso.d.ts +50 -0
  278. package/dist/providers/sso.d.ts.map +1 -0
  279. package/dist/providers/sso.js +34 -0
  280. package/dist/providers/sso.js.map +1 -0
  281. package/dist/providers/totp.d.ts +12 -9
  282. package/dist/providers/totp.d.ts.map +1 -1
  283. package/dist/providers/totp.js +1 -7
  284. package/dist/providers/totp.js.map +1 -1
  285. package/dist/runtime/browser.js +68 -0
  286. package/dist/runtime/browser.js.map +1 -0
  287. package/dist/runtime/invite.js +51 -0
  288. package/dist/runtime/invite.js.map +1 -0
  289. package/dist/runtime/proxy.js +70 -0
  290. package/dist/runtime/proxy.js.map +1 -0
  291. package/dist/runtime/storage.js +37 -0
  292. package/dist/runtime/storage.js.map +1 -0
  293. package/dist/server/auth.d.ts +335 -370
  294. package/dist/server/auth.d.ts.map +1 -1
  295. package/dist/server/auth.js +204 -123
  296. package/dist/server/auth.js.map +1 -1
  297. package/dist/server/authError.d.ts +46 -0
  298. package/dist/server/authError.d.ts.map +1 -0
  299. package/dist/server/authError.js +34 -0
  300. package/dist/server/authError.js.map +1 -0
  301. package/dist/server/config.d.ts +1 -0
  302. package/dist/server/{providers.js → config.js} +43 -12
  303. package/dist/server/config.js.map +1 -0
  304. package/dist/server/cookies.d.ts +1 -38
  305. package/dist/server/cookies.js +3 -0
  306. package/dist/server/cookies.js.map +1 -1
  307. package/dist/server/core.d.ts +1436 -0
  308. package/dist/server/core.d.ts.map +1 -0
  309. package/dist/server/core.js +713 -0
  310. package/dist/server/core.js.map +1 -0
  311. package/dist/server/crypto.d.ts +8 -0
  312. package/dist/server/crypto.d.ts.map +1 -0
  313. package/dist/server/crypto.js +38 -0
  314. package/dist/server/crypto.js.map +1 -0
  315. package/dist/server/db.d.ts +1 -0
  316. package/dist/server/{implementation/db.js → db.js} +2 -1
  317. package/dist/server/db.js.map +1 -0
  318. package/dist/server/device.d.ts +1 -0
  319. package/dist/server/device.js +109 -0
  320. package/dist/server/device.js.map +1 -0
  321. package/dist/server/enterprise/config.d.ts +1 -0
  322. package/dist/server/enterprise/config.js +46 -0
  323. package/dist/server/enterprise/config.js.map +1 -0
  324. package/dist/server/enterprise/domain.d.ts +409 -0
  325. package/dist/server/enterprise/domain.d.ts.map +1 -0
  326. package/dist/server/enterprise/domain.js +885 -0
  327. package/dist/server/enterprise/domain.js.map +1 -0
  328. package/dist/server/enterprise/http.d.ts +26 -0
  329. package/dist/server/enterprise/http.d.ts.map +1 -0
  330. package/dist/server/enterprise/http.js +766 -0
  331. package/dist/server/enterprise/http.js.map +1 -0
  332. package/dist/server/enterprise/oidc.d.ts +1 -0
  333. package/dist/server/enterprise/oidc.js +248 -0
  334. package/dist/server/enterprise/oidc.js.map +1 -0
  335. package/dist/server/enterprise/policy.d.ts +1 -0
  336. package/dist/server/enterprise/policy.js +85 -0
  337. package/dist/server/enterprise/policy.js.map +1 -0
  338. package/dist/server/enterprise/saml.d.ts +1 -0
  339. package/dist/server/enterprise/saml.js +338 -0
  340. package/dist/server/enterprise/saml.js.map +1 -0
  341. package/dist/server/enterprise/scim.d.ts +1 -0
  342. package/dist/server/enterprise/scim.js +97 -0
  343. package/dist/server/enterprise/scim.js.map +1 -0
  344. package/dist/server/enterprise/shared.d.ts +5 -0
  345. package/dist/server/enterprise/shared.d.ts.map +1 -0
  346. package/dist/server/enterprise/shared.js +51 -0
  347. package/dist/server/enterprise/shared.js.map +1 -0
  348. package/dist/server/enterprise/validators.d.ts +1 -0
  349. package/dist/server/enterprise/validators.js +60 -0
  350. package/dist/server/enterprise/validators.js.map +1 -0
  351. package/dist/server/errors.d.ts +33 -1
  352. package/dist/server/errors.d.ts.map +1 -1
  353. package/dist/server/errors.js +44 -1
  354. package/dist/server/errors.js.map +1 -1
  355. package/dist/server/http.d.ts +59 -0
  356. package/dist/server/http.d.ts.map +1 -0
  357. package/dist/server/http.js +288 -0
  358. package/dist/server/http.js.map +1 -0
  359. package/dist/server/identity.d.ts +1 -0
  360. package/dist/server/identity.js +13 -0
  361. package/dist/server/identity.js.map +1 -0
  362. package/dist/server/index.d.ts +4 -182
  363. package/dist/server/index.js +4 -376
  364. package/dist/server/keys.d.ts +1 -0
  365. package/dist/{component/server/implementation → server}/keys.js +9 -31
  366. package/dist/server/keys.js.map +1 -0
  367. package/dist/server/limits.d.ts +1 -0
  368. package/dist/server/limits.js +61 -0
  369. package/dist/server/limits.js.map +1 -0
  370. package/dist/server/mounts.d.ts +647 -0
  371. package/dist/server/mounts.d.ts.map +1 -0
  372. package/dist/server/mounts.js +643 -0
  373. package/dist/server/mounts.js.map +1 -0
  374. package/dist/server/mutations/account.d.ts +30 -0
  375. package/dist/server/mutations/account.d.ts.map +1 -0
  376. package/dist/server/mutations/account.js +44 -0
  377. package/dist/server/mutations/account.js.map +1 -0
  378. package/dist/server/mutations/code.d.ts +30 -0
  379. package/dist/server/mutations/code.d.ts.map +1 -0
  380. package/dist/server/{implementation/mutations → mutations}/code.js +7 -4
  381. package/dist/server/mutations/code.js.map +1 -0
  382. package/dist/server/mutations/index.d.ts +14 -0
  383. package/dist/server/mutations/index.js +15 -0
  384. package/dist/server/mutations/invalidate.d.ts +20 -0
  385. package/dist/server/mutations/invalidate.d.ts.map +1 -0
  386. package/dist/server/mutations/invalidate.js +32 -0
  387. package/dist/server/mutations/invalidate.js.map +1 -0
  388. package/dist/server/mutations/oauth.d.ts +28 -0
  389. package/dist/server/mutations/oauth.d.ts.map +1 -0
  390. package/dist/server/mutations/oauth.js +110 -0
  391. package/dist/server/mutations/oauth.js.map +1 -0
  392. package/dist/server/mutations/refresh.d.ts +21 -0
  393. package/dist/server/mutations/refresh.d.ts.map +1 -0
  394. package/dist/server/mutations/refresh.js +119 -0
  395. package/dist/server/mutations/refresh.js.map +1 -0
  396. package/dist/server/mutations/register.d.ts +38 -0
  397. package/dist/server/mutations/register.d.ts.map +1 -0
  398. package/dist/server/mutations/register.js +83 -0
  399. package/dist/server/mutations/register.js.map +1 -0
  400. package/dist/server/mutations/retrieve.d.ts +33 -0
  401. package/dist/server/mutations/retrieve.d.ts.map +1 -0
  402. package/dist/server/mutations/retrieve.js +65 -0
  403. package/dist/server/mutations/retrieve.js.map +1 -0
  404. package/dist/server/mutations/signature.d.ts +22 -0
  405. package/dist/server/mutations/signature.d.ts.map +1 -0
  406. package/dist/server/mutations/signature.js +32 -0
  407. package/dist/server/mutations/signature.js.map +1 -0
  408. package/dist/server/mutations/signin.d.ts +22 -0
  409. package/dist/server/mutations/signin.d.ts.map +1 -0
  410. package/dist/server/{implementation/mutations → mutations}/signin.js +2 -2
  411. package/dist/server/mutations/signin.js.map +1 -0
  412. package/dist/server/mutations/signout.d.ts +16 -0
  413. package/dist/server/mutations/signout.d.ts.map +1 -0
  414. package/dist/server/mutations/signout.js +27 -0
  415. package/dist/server/mutations/signout.js.map +1 -0
  416. package/dist/server/mutations/store/refs.d.ts +12 -0
  417. package/dist/server/mutations/store/refs.d.ts.map +1 -0
  418. package/dist/server/mutations/store/refs.js +15 -0
  419. package/dist/server/mutations/store/refs.js.map +1 -0
  420. package/dist/server/mutations/store.d.ts +306 -0
  421. package/dist/server/mutations/store.d.ts.map +1 -0
  422. package/dist/server/mutations/store.js +85 -0
  423. package/dist/server/mutations/store.js.map +1 -0
  424. package/dist/server/mutations/verifier.d.ts +13 -0
  425. package/dist/server/mutations/verifier.d.ts.map +1 -0
  426. package/dist/server/mutations/verifier.js +18 -0
  427. package/dist/server/mutations/verifier.js.map +1 -0
  428. package/dist/server/mutations/verify.d.ts +26 -0
  429. package/dist/server/mutations/verify.d.ts.map +1 -0
  430. package/dist/server/mutations/verify.js +98 -0
  431. package/dist/server/mutations/verify.js.map +1 -0
  432. package/dist/server/oauth.d.ts +1 -48
  433. package/dist/server/oauth.js +107 -64
  434. package/dist/server/oauth.js.map +1 -1
  435. package/dist/server/passkey.d.ts +27 -0
  436. package/dist/server/passkey.d.ts.map +1 -0
  437. package/dist/server/passkey.js +328 -0
  438. package/dist/server/passkey.js.map +1 -0
  439. package/dist/server/redirects.d.ts +1 -0
  440. package/dist/{component/server/implementation → server}/redirects.js +13 -11
  441. package/dist/server/redirects.js.map +1 -0
  442. package/dist/server/refresh.d.ts +1 -0
  443. package/dist/server/refresh.js +96 -0
  444. package/dist/server/refresh.js.map +1 -0
  445. package/dist/server/runtime.d.ts +136 -0
  446. package/dist/server/runtime.d.ts.map +1 -0
  447. package/dist/server/runtime.js +413 -0
  448. package/dist/server/runtime.js.map +1 -0
  449. package/dist/server/sessions.d.ts +1 -0
  450. package/dist/{component/server/implementation → server}/sessions.js +14 -8
  451. package/dist/server/sessions.js.map +1 -0
  452. package/dist/server/signin.d.ts +1 -0
  453. package/dist/server/signin.js +201 -0
  454. package/dist/server/signin.js.map +1 -0
  455. package/dist/server/ssr.d.ts +226 -0
  456. package/dist/server/ssr.d.ts.map +1 -0
  457. package/dist/server/ssr.js +786 -0
  458. package/dist/server/ssr.js.map +1 -0
  459. package/dist/server/templates.d.ts +1 -21
  460. package/dist/server/templates.js +2 -1
  461. package/dist/server/templates.js.map +1 -1
  462. package/dist/server/tokens.d.ts +1 -0
  463. package/dist/server/tokens.js +17 -0
  464. package/dist/server/tokens.js.map +1 -0
  465. package/dist/server/totp.d.ts +1 -0
  466. package/dist/server/totp.js +148 -0
  467. package/dist/server/totp.js.map +1 -0
  468. package/dist/server/types.d.ts +498 -306
  469. package/dist/server/types.d.ts.map +1 -1
  470. package/dist/server/types.js +108 -1
  471. package/dist/server/types.js.map +1 -0
  472. package/dist/server/users.d.ts +1 -0
  473. package/dist/server/{implementation/users.js → users.js} +54 -35
  474. package/dist/server/users.js.map +1 -0
  475. package/dist/server/utils.d.ts +1 -6
  476. package/dist/server/utils.js +110 -4
  477. package/dist/server/utils.js.map +1 -1
  478. package/package.json +49 -46
  479. package/src/authorization/index.ts +83 -0
  480. package/src/cli/bin.ts +5 -0
  481. package/src/cli/command.ts +6 -5
  482. package/src/cli/index.ts +456 -248
  483. package/src/cli/keys.ts +3 -0
  484. package/src/client/core/types.ts +437 -0
  485. package/src/client/factors/device.ts +160 -0
  486. package/src/client/factors/passkey.ts +282 -0
  487. package/src/client/factors/totp.ts +150 -0
  488. package/src/client/index.ts +745 -989
  489. package/src/client/runtime/browser.ts +112 -0
  490. package/src/client/runtime/invite.ts +65 -0
  491. package/src/client/runtime/proxy.ts +111 -0
  492. package/src/client/runtime/storage.ts +79 -0
  493. package/src/component/_generated/api.ts +42 -0
  494. package/src/component/_generated/component.ts +3123 -102
  495. package/src/component/functions.ts +38 -22
  496. package/src/component/index.ts +10 -20
  497. package/src/component/model.ts +449 -0
  498. package/src/component/public/enterprise/audit.ts +120 -0
  499. package/src/component/public/enterprise/core.ts +354 -0
  500. package/src/component/public/enterprise/domains.ts +323 -0
  501. package/src/component/public/enterprise/scim.ts +396 -0
  502. package/src/component/public/enterprise/secrets.ts +132 -0
  503. package/src/component/public/enterprise/webhooks.ts +306 -0
  504. package/src/component/public/factors/devices.ts +223 -0
  505. package/src/component/public/factors/passkeys.ts +242 -0
  506. package/src/component/public/factors/totp.ts +258 -0
  507. package/src/component/public/groups/core.ts +481 -0
  508. package/src/component/public/groups/invites.ts +602 -0
  509. package/src/component/public/groups/members.ts +409 -0
  510. package/src/component/public/identity/accounts.ts +206 -0
  511. package/src/component/public/identity/codes.ts +148 -0
  512. package/src/component/public/identity/sessions.ts +209 -0
  513. package/src/component/public/identity/tokens.ts +250 -0
  514. package/src/component/public/identity/users.ts +354 -0
  515. package/src/component/public/identity/verifiers.ts +157 -0
  516. package/src/component/public/security/keys.ts +365 -0
  517. package/src/component/public/security/limits.ts +173 -0
  518. package/src/component/public.ts +26 -1766
  519. package/src/component/schema.ts +273 -100
  520. package/src/providers/anonymous.ts +10 -20
  521. package/src/providers/credentials.ts +14 -22
  522. package/src/providers/device.ts +3 -14
  523. package/src/providers/email.ts +83 -47
  524. package/src/providers/index.ts +7 -0
  525. package/src/providers/oauth.ts +5 -3
  526. package/src/providers/passkey.ts +0 -13
  527. package/src/providers/password.ts +307 -130
  528. package/src/providers/phone.ts +81 -37
  529. package/src/providers/sso.ts +54 -0
  530. package/src/providers/totp.ts +0 -13
  531. package/src/samlify.d.ts +53 -0
  532. package/src/server/auth.ts +701 -247
  533. package/src/server/authError.ts +44 -0
  534. package/src/server/{providers.ts → config.ts} +84 -15
  535. package/src/server/cookies.ts +8 -1
  536. package/src/server/core.ts +2095 -0
  537. package/src/server/crypto.ts +88 -0
  538. package/src/server/{implementation/db.ts → db.ts} +90 -15
  539. package/src/server/device.ts +221 -0
  540. package/src/server/enterprise/config.ts +51 -0
  541. package/src/server/enterprise/domain.ts +1751 -0
  542. package/src/server/enterprise/http.ts +1324 -0
  543. package/src/server/enterprise/oidc.ts +500 -0
  544. package/src/server/enterprise/policy.ts +128 -0
  545. package/src/server/enterprise/saml.ts +578 -0
  546. package/src/server/enterprise/scim.ts +135 -0
  547. package/src/server/enterprise/shared.ts +134 -0
  548. package/src/server/enterprise/validators.ts +93 -0
  549. package/src/server/errors.ts +130 -119
  550. package/src/server/http.ts +531 -0
  551. package/src/server/identity.ts +18 -0
  552. package/src/server/index.ts +32 -650
  553. package/src/server/{implementation/keys.ts → keys.ts} +16 -44
  554. package/src/server/limits.ts +134 -0
  555. package/src/server/mounts.ts +948 -0
  556. package/src/server/mutations/account.ts +76 -0
  557. package/src/server/{implementation/mutations → mutations}/code.ts +22 -11
  558. package/src/server/mutations/index.ts +13 -0
  559. package/src/server/mutations/invalidate.ts +50 -0
  560. package/src/server/mutations/oauth.ts +237 -0
  561. package/src/server/mutations/refresh.ts +298 -0
  562. package/src/server/mutations/register.ts +200 -0
  563. package/src/server/mutations/retrieve.ts +109 -0
  564. package/src/server/mutations/signature.ts +50 -0
  565. package/src/server/{implementation/mutations → mutations}/signin.ts +9 -7
  566. package/src/server/mutations/signout.ts +43 -0
  567. package/src/server/mutations/store/refs.ts +10 -0
  568. package/src/server/mutations/store.ts +138 -0
  569. package/src/server/mutations/verifier.ts +34 -0
  570. package/src/server/mutations/verify.ts +202 -0
  571. package/src/server/oauth.ts +243 -131
  572. package/src/server/passkey.ts +784 -0
  573. package/src/server/{implementation/redirects.ts → redirects.ts} +21 -16
  574. package/src/server/refresh.ts +222 -0
  575. package/src/server/runtime.ts +880 -0
  576. package/src/server/{implementation/sessions.ts → sessions.ts} +33 -25
  577. package/src/server/signin.ts +438 -0
  578. package/src/server/ssr.ts +1764 -0
  579. package/src/server/templates.ts +8 -3
  580. package/src/server/{implementation/tokens.ts → tokens.ts} +11 -5
  581. package/src/server/totp.ts +349 -0
  582. package/src/server/types.ts +972 -207
  583. package/src/server/{implementation/users.ts → users.ts} +129 -75
  584. package/src/server/utils.ts +192 -5
  585. package/src/test.ts +28 -4
  586. package/dist/bin.cjs +0 -27757
  587. package/dist/component/providers/email.js +0 -47
  588. package/dist/component/providers/email.js.map +0 -1
  589. package/dist/component/public.js.map +0 -1
  590. package/dist/component/server/implementation/db.js.map +0 -1
  591. package/dist/component/server/implementation/device.js +0 -135
  592. package/dist/component/server/implementation/device.js.map +0 -1
  593. package/dist/component/server/implementation/index.d.ts +0 -870
  594. package/dist/component/server/implementation/index.d.ts.map +0 -1
  595. package/dist/component/server/implementation/index.js +0 -610
  596. package/dist/component/server/implementation/index.js.map +0 -1
  597. package/dist/component/server/implementation/keys.js.map +0 -1
  598. package/dist/component/server/implementation/mutations/account.js +0 -39
  599. package/dist/component/server/implementation/mutations/account.js.map +0 -1
  600. package/dist/component/server/implementation/mutations/code.js.map +0 -1
  601. package/dist/component/server/implementation/mutations/index.js +0 -70
  602. package/dist/component/server/implementation/mutations/index.js.map +0 -1
  603. package/dist/component/server/implementation/mutations/invalidate.js +0 -29
  604. package/dist/component/server/implementation/mutations/invalidate.js.map +0 -1
  605. package/dist/component/server/implementation/mutations/oauth.js +0 -51
  606. package/dist/component/server/implementation/mutations/oauth.js.map +0 -1
  607. package/dist/component/server/implementation/mutations/refresh.js +0 -85
  608. package/dist/component/server/implementation/mutations/refresh.js.map +0 -1
  609. package/dist/component/server/implementation/mutations/register.js +0 -65
  610. package/dist/component/server/implementation/mutations/register.js.map +0 -1
  611. package/dist/component/server/implementation/mutations/retrieve.js +0 -50
  612. package/dist/component/server/implementation/mutations/retrieve.js.map +0 -1
  613. package/dist/component/server/implementation/mutations/signature.js +0 -27
  614. package/dist/component/server/implementation/mutations/signature.js.map +0 -1
  615. package/dist/component/server/implementation/mutations/signin.js.map +0 -1
  616. package/dist/component/server/implementation/mutations/signout.js +0 -27
  617. package/dist/component/server/implementation/mutations/signout.js.map +0 -1
  618. package/dist/component/server/implementation/mutations/store.js +0 -12
  619. package/dist/component/server/implementation/mutations/store.js.map +0 -1
  620. package/dist/component/server/implementation/mutations/verifier.js +0 -16
  621. package/dist/component/server/implementation/mutations/verifier.js.map +0 -1
  622. package/dist/component/server/implementation/mutations/verify.js +0 -105
  623. package/dist/component/server/implementation/mutations/verify.js.map +0 -1
  624. package/dist/component/server/implementation/passkey.js +0 -307
  625. package/dist/component/server/implementation/passkey.js.map +0 -1
  626. package/dist/component/server/implementation/provider.js +0 -19
  627. package/dist/component/server/implementation/provider.js.map +0 -1
  628. package/dist/component/server/implementation/ratelimit.js +0 -48
  629. package/dist/component/server/implementation/ratelimit.js.map +0 -1
  630. package/dist/component/server/implementation/redirects.js.map +0 -1
  631. package/dist/component/server/implementation/refresh.js +0 -109
  632. package/dist/component/server/implementation/refresh.js.map +0 -1
  633. package/dist/component/server/implementation/sessions.js.map +0 -1
  634. package/dist/component/server/implementation/signin.js +0 -148
  635. package/dist/component/server/implementation/signin.js.map +0 -1
  636. package/dist/component/server/implementation/tokens.js +0 -15
  637. package/dist/component/server/implementation/tokens.js.map +0 -1
  638. package/dist/component/server/implementation/totp.js +0 -142
  639. package/dist/component/server/implementation/totp.js.map +0 -1
  640. package/dist/component/server/implementation/types.d.ts +0 -42
  641. package/dist/component/server/implementation/types.d.ts.map +0 -1
  642. package/dist/component/server/implementation/types.js.map +0 -1
  643. package/dist/component/server/implementation/users.js.map +0 -1
  644. package/dist/component/server/implementation/utils.js +0 -56
  645. package/dist/component/server/implementation/utils.js.map +0 -1
  646. package/dist/component/server/providers.js.map +0 -1
  647. package/dist/component/server/templates.js +0 -84
  648. package/dist/component/server/templates.js.map +0 -1
  649. package/dist/server/cookies.d.ts.map +0 -1
  650. package/dist/server/implementation/db.d.ts +0 -86
  651. package/dist/server/implementation/db.d.ts.map +0 -1
  652. package/dist/server/implementation/db.js.map +0 -1
  653. package/dist/server/implementation/device.d.ts +0 -30
  654. package/dist/server/implementation/device.d.ts.map +0 -1
  655. package/dist/server/implementation/device.js +0 -135
  656. package/dist/server/implementation/device.js.map +0 -1
  657. package/dist/server/implementation/index.d.ts +0 -870
  658. package/dist/server/implementation/index.d.ts.map +0 -1
  659. package/dist/server/implementation/index.js +0 -610
  660. package/dist/server/implementation/index.js.map +0 -1
  661. package/dist/server/implementation/keys.d.ts +0 -66
  662. package/dist/server/implementation/keys.d.ts.map +0 -1
  663. package/dist/server/implementation/keys.js.map +0 -1
  664. package/dist/server/implementation/mutations/account.d.ts +0 -27
  665. package/dist/server/implementation/mutations/account.d.ts.map +0 -1
  666. package/dist/server/implementation/mutations/account.js +0 -39
  667. package/dist/server/implementation/mutations/account.js.map +0 -1
  668. package/dist/server/implementation/mutations/code.d.ts +0 -29
  669. package/dist/server/implementation/mutations/code.d.ts.map +0 -1
  670. package/dist/server/implementation/mutations/code.js.map +0 -1
  671. package/dist/server/implementation/mutations/index.d.ts +0 -310
  672. package/dist/server/implementation/mutations/index.d.ts.map +0 -1
  673. package/dist/server/implementation/mutations/index.js +0 -70
  674. package/dist/server/implementation/mutations/index.js.map +0 -1
  675. package/dist/server/implementation/mutations/invalidate.d.ts +0 -18
  676. package/dist/server/implementation/mutations/invalidate.d.ts.map +0 -1
  677. package/dist/server/implementation/mutations/invalidate.js +0 -29
  678. package/dist/server/implementation/mutations/invalidate.js.map +0 -1
  679. package/dist/server/implementation/mutations/oauth.d.ts +0 -23
  680. package/dist/server/implementation/mutations/oauth.d.ts.map +0 -1
  681. package/dist/server/implementation/mutations/oauth.js +0 -51
  682. package/dist/server/implementation/mutations/oauth.js.map +0 -1
  683. package/dist/server/implementation/mutations/refresh.d.ts +0 -20
  684. package/dist/server/implementation/mutations/refresh.d.ts.map +0 -1
  685. package/dist/server/implementation/mutations/refresh.js +0 -85
  686. package/dist/server/implementation/mutations/refresh.js.map +0 -1
  687. package/dist/server/implementation/mutations/register.d.ts +0 -37
  688. package/dist/server/implementation/mutations/register.d.ts.map +0 -1
  689. package/dist/server/implementation/mutations/register.js +0 -65
  690. package/dist/server/implementation/mutations/register.js.map +0 -1
  691. package/dist/server/implementation/mutations/retrieve.d.ts +0 -31
  692. package/dist/server/implementation/mutations/retrieve.d.ts.map +0 -1
  693. package/dist/server/implementation/mutations/retrieve.js +0 -50
  694. package/dist/server/implementation/mutations/retrieve.js.map +0 -1
  695. package/dist/server/implementation/mutations/signature.d.ts +0 -19
  696. package/dist/server/implementation/mutations/signature.d.ts.map +0 -1
  697. package/dist/server/implementation/mutations/signature.js +0 -27
  698. package/dist/server/implementation/mutations/signature.js.map +0 -1
  699. package/dist/server/implementation/mutations/signin.d.ts +0 -21
  700. package/dist/server/implementation/mutations/signin.d.ts.map +0 -1
  701. package/dist/server/implementation/mutations/signin.js.map +0 -1
  702. package/dist/server/implementation/mutations/signout.d.ts +0 -14
  703. package/dist/server/implementation/mutations/signout.d.ts.map +0 -1
  704. package/dist/server/implementation/mutations/signout.js +0 -27
  705. package/dist/server/implementation/mutations/signout.js.map +0 -1
  706. package/dist/server/implementation/mutations/store.d.ts +0 -11
  707. package/dist/server/implementation/mutations/store.d.ts.map +0 -1
  708. package/dist/server/implementation/mutations/store.js +0 -12
  709. package/dist/server/implementation/mutations/store.js.map +0 -1
  710. package/dist/server/implementation/mutations/verifier.d.ts +0 -11
  711. package/dist/server/implementation/mutations/verifier.d.ts.map +0 -1
  712. package/dist/server/implementation/mutations/verifier.js +0 -16
  713. package/dist/server/implementation/mutations/verifier.js.map +0 -1
  714. package/dist/server/implementation/mutations/verify.d.ts +0 -25
  715. package/dist/server/implementation/mutations/verify.d.ts.map +0 -1
  716. package/dist/server/implementation/mutations/verify.js +0 -105
  717. package/dist/server/implementation/mutations/verify.js.map +0 -1
  718. package/dist/server/implementation/passkey.d.ts +0 -24
  719. package/dist/server/implementation/passkey.d.ts.map +0 -1
  720. package/dist/server/implementation/passkey.js +0 -307
  721. package/dist/server/implementation/passkey.js.map +0 -1
  722. package/dist/server/implementation/provider.d.ts +0 -10
  723. package/dist/server/implementation/provider.d.ts.map +0 -1
  724. package/dist/server/implementation/provider.js +0 -19
  725. package/dist/server/implementation/provider.js.map +0 -1
  726. package/dist/server/implementation/ratelimit.d.ts +0 -10
  727. package/dist/server/implementation/ratelimit.d.ts.map +0 -1
  728. package/dist/server/implementation/ratelimit.js +0 -48
  729. package/dist/server/implementation/ratelimit.js.map +0 -1
  730. package/dist/server/implementation/redirects.d.ts +0 -10
  731. package/dist/server/implementation/redirects.d.ts.map +0 -1
  732. package/dist/server/implementation/redirects.js.map +0 -1
  733. package/dist/server/implementation/refresh.d.ts +0 -37
  734. package/dist/server/implementation/refresh.d.ts.map +0 -1
  735. package/dist/server/implementation/refresh.js +0 -109
  736. package/dist/server/implementation/refresh.js.map +0 -1
  737. package/dist/server/implementation/sessions.d.ts +0 -29
  738. package/dist/server/implementation/sessions.d.ts.map +0 -1
  739. package/dist/server/implementation/sessions.js.map +0 -1
  740. package/dist/server/implementation/signin.d.ts +0 -55
  741. package/dist/server/implementation/signin.d.ts.map +0 -1
  742. package/dist/server/implementation/signin.js +0 -148
  743. package/dist/server/implementation/signin.js.map +0 -1
  744. package/dist/server/implementation/tokens.d.ts +0 -11
  745. package/dist/server/implementation/tokens.d.ts.map +0 -1
  746. package/dist/server/implementation/tokens.js +0 -15
  747. package/dist/server/implementation/tokens.js.map +0 -1
  748. package/dist/server/implementation/totp.d.ts +0 -31
  749. package/dist/server/implementation/totp.d.ts.map +0 -1
  750. package/dist/server/implementation/totp.js +0 -142
  751. package/dist/server/implementation/totp.js.map +0 -1
  752. package/dist/server/implementation/types.d.ts +0 -189
  753. package/dist/server/implementation/types.d.ts.map +0 -1
  754. package/dist/server/implementation/types.js +0 -97
  755. package/dist/server/implementation/types.js.map +0 -1
  756. package/dist/server/implementation/users.d.ts +0 -30
  757. package/dist/server/implementation/users.d.ts.map +0 -1
  758. package/dist/server/implementation/users.js.map +0 -1
  759. package/dist/server/implementation/utils.d.ts +0 -19
  760. package/dist/server/implementation/utils.d.ts.map +0 -1
  761. package/dist/server/implementation/utils.js +0 -56
  762. package/dist/server/implementation/utils.js.map +0 -1
  763. package/dist/server/index.d.ts.map +0 -1
  764. package/dist/server/index.js.map +0 -1
  765. package/dist/server/oauth.d.ts.map +0 -1
  766. package/dist/server/providers.d.ts +0 -72
  767. package/dist/server/providers.d.ts.map +0 -1
  768. package/dist/server/providers.js.map +0 -1
  769. package/dist/server/templates.d.ts.map +0 -1
  770. package/dist/server/utils.d.ts.map +0 -1
  771. package/dist/server/version.d.ts +0 -5
  772. package/dist/server/version.d.ts.map +0 -1
  773. package/dist/server/version.js +0 -6
  774. package/dist/server/version.js.map +0 -1
  775. package/src/cli/utils.ts +0 -248
  776. package/src/server/implementation/device.ts +0 -307
  777. package/src/server/implementation/index.ts +0 -1583
  778. package/src/server/implementation/mutations/account.ts +0 -50
  779. package/src/server/implementation/mutations/index.ts +0 -157
  780. package/src/server/implementation/mutations/invalidate.ts +0 -42
  781. package/src/server/implementation/mutations/oauth.ts +0 -73
  782. package/src/server/implementation/mutations/refresh.ts +0 -175
  783. package/src/server/implementation/mutations/register.ts +0 -100
  784. package/src/server/implementation/mutations/retrieve.ts +0 -79
  785. package/src/server/implementation/mutations/signature.ts +0 -39
  786. package/src/server/implementation/mutations/signout.ts +0 -35
  787. package/src/server/implementation/mutations/store.ts +0 -7
  788. package/src/server/implementation/mutations/verifier.ts +0 -24
  789. package/src/server/implementation/mutations/verify.ts +0 -194
  790. package/src/server/implementation/passkey.ts +0 -620
  791. package/src/server/implementation/provider.ts +0 -36
  792. package/src/server/implementation/ratelimit.ts +0 -79
  793. package/src/server/implementation/refresh.ts +0 -172
  794. package/src/server/implementation/signin.ts +0 -296
  795. package/src/server/implementation/totp.ts +0 -342
  796. package/src/server/implementation/types.ts +0 -444
  797. package/src/server/implementation/utils.ts +0 -91
  798. package/src/server/version.ts +0 -2
@@ -1 +0,0 @@
1
- {"version":3,"file":"index.js","names":["serializeCookie","parseCookies"],"sources":["../../../../src/server/implementation/index.ts"],"sourcesContent":["import {\n Auth,\n GenericActionCtx,\n GenericDataModel,\n HttpRouter,\n actionGeneric,\n httpActionGeneric,\n internalMutationGeneric,\n} from \"convex/server\";\nimport { ConvexError, GenericId, v } from \"convex/values\";\nimport { throwAuthError, isAuthError } from \"../errors\";\nimport { parse as parseCookies, serialize as serializeCookie } from \"cookie\";\nimport { redirectToParamCookie, useRedirectToParam } from \"../cookies\";\nimport type { FunctionReferenceFromExport } from \"../types\";\nimport {\n configDefaults,\n listAvailableProviders,\n materializeProvider,\n} from \"../providers\";\nimport {\n AuthProviderConfig,\n ConvexAuthConfig,\n CorsConfig,\n HttpKeyContext,\n UserOrderBy,\n UserWhere,\n} from \"../types\";\nimport { requireEnv } from \"../utils\";\nimport {\n ActionCtx,\n MutationCtx,\n KeyDoc,\n} from \"./types\";\nimport type { Tokens } from \"./types\";\nexport type { Doc, Tokens } from \"./types\";\nimport {\n LOG_LEVELS,\n TOKEN_SUB_CLAIM_DIVIDER,\n logError,\n logWithLevel,\n} from \"./utils\";\nimport { GetProviderOrThrowFunc } from \"./provider\";\nimport {\n callCreateAccountFromCredentials,\n callInvalidateSessions,\n callModifyAccount,\n callRetreiveAccountWithCredentials,\n callSignOut,\n callUserOAuth,\n callVerifierSignature,\n storeArgs,\n storeImpl,\n} from \"./mutations/index\";\nimport { signInImpl } from \"./signin\";\nimport { redirectAbsoluteUrl, setURLSearchParam } from \"./redirects\";\nimport {\n generateApiKey,\n hashApiKey,\n buildScopeChecker,\n validateScopes,\n checkKeyRateLimit,\n} from \"./keys\";\nimport {\n createOAuthAuthorizationURL,\n handleOAuthCallback,\n} from \"../oauth\";\nimport type { OAuthMaterializedConfig } from \"../types\";\n\n/**\n * The type of the signIn Convex Action returned from the auth() helper.\n *\n * This type is exported for 
implementors of other client integrations.\n * However it is not stable, and may change until this library reaches 1.0.\n */\nexport type SignInAction = FunctionReferenceFromExport<\n ReturnType<typeof Auth>[\"signIn\"]\n>;\n/**\n * The type of the signOut Convex Action returned from the auth() helper.\n *\n * This type is exported for implementors of other client integrations.\n * However it is not stable, and may change until this library reaches 1.0.\n */\nexport type SignOutAction = FunctionReferenceFromExport<\n ReturnType<typeof Auth>[\"signOut\"]\n>;\n/**\n * Configure the Convex Auth library. Returns an object with\n * functions and `auth` helper. You must export the functions\n * from `convex/auth.ts` to make them callable:\n *\n * ```ts filename=\"convex/auth.ts\"\n * import { Auth } from \"@robelest/convex-auth/component\";\n * import { components } from \"./_generated/api\";\n *\n * export const { auth, signIn, signOut, store } = Auth({\n * component: components.auth,\n * providers: [],\n * });\n * ```\n *\n * @returns An object with fields you should reexport from your\n * `convex/auth.ts` file.\n */\nexport function Auth(config_: ConvexAuthConfig) {\n const config = configDefaults(config_);\n const hasOAuth = config.providers.some(\n (provider) => provider.type === \"oauth\",\n );\n const getProvider = (id: string, allowExtraProviders: boolean = false) => {\n return (\n config.providers.find((provider) => provider.id === id) ??\n (allowExtraProviders\n ? 
config.extraProviders.find((provider) => provider.id === id)\n : undefined)\n );\n };\n const getProviderOrThrow: GetProviderOrThrowFunc = (\n id: string,\n allowExtraProviders: boolean = false,\n ) => {\n const provider = getProvider(id, allowExtraProviders);\n if (provider === undefined) {\n const detail =\n `Provider \\`${id}\\` is not configured, ` +\n `available providers are ${listAvailableProviders(config, allowExtraProviders)}.`;\n logWithLevel(LOG_LEVELS.ERROR, detail);\n throwAuthError(\"PROVIDER_NOT_CONFIGURED\", detail, { provider: id });\n }\n return provider;\n };\n type ComponentCtx = Pick<\n GenericActionCtx<GenericDataModel>,\n \"runQuery\" | \"runMutation\"\n >;\n type ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, \"runQuery\">;\n type ComponentAuthReadCtx = ComponentReadCtx & { auth: Auth };\n type AccountCredentials = { id: string; secret?: string };\n type CreateAccountArgs = {\n provider: string;\n account: AccountCredentials;\n profile: Record<string, unknown>;\n shouldLinkViaEmail?: boolean;\n shouldLinkViaPhone?: boolean;\n };\n type RetrieveAccountArgs = { provider: string; account: AccountCredentials };\n type UpdateAccountCredentialsArgs = {\n provider: string;\n account: { id: string; secret: string };\n };\n\n const auth = {\n user: {\n /**\n * Get the current user's ID from the auth context, or `null` if\n * not signed in.\n *\n * @param ctx - Any Convex context with an `auth` field (query, mutation, or action).\n * @returns The user's `Id<\"user\">`, or `null` when unauthenticated.\n */\n current: async (ctx: { auth: Auth }) => {\n const identity = await ctx.auth.getUserIdentity();\n if (identity === null) {\n return null;\n }\n const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n return userId as GenericId<\"user\">;\n },\n /**\n * Get the current user's ID, or throw if not signed in.\n * Use this when authentication is required.\n *\n * @param ctx - Any Convex context with an `auth` field.\n * @returns 
The user's `Id<\"user\">`.\n * @throws `ConvexError` with code `NOT_SIGNED_IN` when unauthenticated.\n */\n require: async (ctx: { auth: Auth }) => {\n const identity = await ctx.auth.getUserIdentity();\n if (identity === null) {\n throwAuthError(\"NOT_SIGNED_IN\");\n }\n const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n return userId as GenericId<\"user\">;\n },\n /**\n * Retrieve a user document by their ID.\n *\n * @param ctx - Convex context with `runQuery`.\n * @param userId - The user document ID.\n * @returns The user document, or `null` if not found.\n */\n get: async (ctx: ComponentReadCtx, userId: string) => {\n return await ctx.runQuery(config.component.public.userGetById, { userId });\n },\n /**\n * List users with optional filters, sorting, and pagination.\n *\n * @param opts.where - Optional filters (email, phone, name, anonymous).\n * @param opts.limit - Max users to return (default 50).\n * @param opts.cursor - Pagination cursor from a previous page.\n * @param opts.orderBy - Sort field.\n * @param opts.order - Sort direction.\n * @returns `{ items, nextCursor }`.\n */\n list: async (\n ctx: ComponentReadCtx,\n opts: {\n where?: UserWhere;\n limit?: number;\n cursor?: string | null;\n orderBy?: UserOrderBy;\n order?: \"asc\" | \"desc\";\n } = {},\n ) => {\n return await ctx.runQuery(config.component.public.userList, opts);\n },\n /**\n * Get the currently signed-in user's document, or `null` if not\n * signed in. 
Convenience combining `current()` + `get()`.\n *\n * @param ctx - Convex context with `auth` and `runQuery`.\n * @returns The user document, or `null` when unauthenticated.\n */\n viewer: async (ctx: ComponentAuthReadCtx) => {\n const userId = await auth.user.current(ctx);\n if (userId === null) {\n return null;\n }\n return await ctx.runQuery(config.component.public.userGetById, { userId });\n },\n /**\n * Update a user document with partial data.\n *\n * @param ctx - Convex context with `runMutation`.\n * @param userId - The user document ID.\n * @param data - Partial data to merge into the user document.\n */\n patch: async (\n ctx: ComponentCtx,\n userId: string,\n data: Record<string, unknown>,\n ) => {\n await ctx.runMutation(config.component.public.userPatch, {\n userId,\n data,\n });\n },\n /**\n * Query a user's group memberships.\n */\n group: {\n /**\n * List all groups a user belongs to. Returns member records which\n * include the `groupId`, `role`, `status`, and `extend` for each.\n *\n * This is a convenience wrapper around `auth.group.member.list`\n * with `where: { userId }`.\n */\n list: async (\n ctx: ComponentReadCtx,\n opts: {\n userId: string;\n limit?: number;\n cursor?: string | null;\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.memberList, {\n where: { userId: opts.userId },\n limit: opts.limit,\n cursor: opts.cursor,\n order: opts.order,\n });\n },\n /**\n * Look up a user's membership in a specific group. 
Returns the member\n * record (with role, status, extend) or `null` if the user is not\n * a member.\n */\n get: async (\n ctx: ComponentReadCtx,\n opts: { userId: string; groupId: string },\n ) => {\n return await ctx.runQuery(\n config.component.public.memberGetByGroupAndUser,\n opts,\n );\n },\n },\n },\n session: {\n /**\n * Get the current session ID from the auth context, or `null` if\n * not signed in.\n *\n * @param ctx - Any Convex context with an `auth` field.\n * @returns The session's `Id<\"session\">`, or `null` when unauthenticated.\n */\n current: async (ctx: { auth: Auth }) => {\n const identity = await ctx.auth.getUserIdentity();\n if (identity === null) {\n return null;\n }\n const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n return sessionId as GenericId<\"session\">;\n },\n /**\n * Invalidate sessions for a user, optionally preserving specific sessions.\n *\n * @param ctx - Convex action context.\n * @param args.userId - The user whose sessions to invalidate.\n * @param args.except - Session IDs to preserve (e.g. 
the current session).\n */\n invalidate: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: {\n userId: GenericId<\"user\">;\n except?: GenericId<\"session\">[];\n },\n ): Promise<void> => {\n const actionCtx = ctx as unknown as ActionCtx;\n return await callInvalidateSessions(actionCtx, args);\n },\n },\n account: {\n /**\n * Create an account and user for a credentials provider.\n *\n * @param ctx - Convex action context.\n * @param args - Provider ID, account credentials, profile data, and link flags.\n * @returns `{ account, user }` — the created account and user documents.\n */\n create: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: CreateAccountArgs,\n ) => {\n const actionCtx = ctx as unknown as ActionCtx;\n return await callCreateAccountFromCredentials(actionCtx, args);\n },\n /**\n * Retrieve an account and user for a credentials provider.\n *\n * @param ctx - Convex action context.\n * @param args - Provider ID and account credentials (id, optional secret).\n * @returns `{ account, user }` — the matched account and user documents.\n * @throws `ConvexError` with code `ACCOUNT_NOT_FOUND` when no match exists.\n */\n get: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: RetrieveAccountArgs,\n ) => {\n const actionCtx = ctx as unknown as ActionCtx;\n const result = await callRetreiveAccountWithCredentials(actionCtx, args);\n if (typeof result === \"string\") {\n throwAuthError(\"ACCOUNT_NOT_FOUND\", result);\n }\n return result;\n },\n /**\n * Update account credentials (secret) for an existing account.\n *\n * @param ctx - Convex action context.\n * @param args - Provider ID and new account credentials (id + secret).\n */\n update: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: UpdateAccountCredentialsArgs,\n ): Promise<void> => {\n const actionCtx = ctx as unknown as ActionCtx;\n return await 
callModifyAccount(actionCtx, args);\n },\n },\n provider: {\n /**\n * Sign in via another provider, typically from a credentials flow.\n *\n * @param ctx - Convex action context.\n * @param provider - The provider config to sign in with.\n * @param args - Optional account ID and params.\n * @returns `{ userId, sessionId }` on success, or `null`.\n */\n signIn: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n provider: AuthProviderConfig,\n args: {\n accountId?: GenericId<\"account\">;\n params?: Record<string, unknown>;\n },\n ) => {\n const result = await signInImpl(\n enrichCtx(ctx),\n materializeProvider(provider),\n // params type widened: Record<string, unknown> → Record<string, any>\n args as { accountId?: GenericId<\"account\">; params?: Record<string, any> },\n {\n generateTokens: false,\n allowExtraProviders: true,\n },\n );\n return result.kind === \"signedIn\"\n ? result.signedIn !== null\n ? { userId: result.signedIn.userId, sessionId: result.signedIn.sessionId }\n : null\n : null;\n },\n },\n /**\n * Hierarchical group management. Groups can nest arbitrarily deep\n * via `parentGroupId`. A root group has no parent.\n *\n * ```ts\n * const groupId = await auth.group.create(ctx, { name: \"Acme Corp\" });\n * const subGroupId = await auth.group.create(ctx, {\n * name: \"Engineering\",\n * parentGroupId: groupId,\n * });\n * ```\n */\n group: {\n /**\n * Create a new group. Omit `parentGroupId` for a root-level group,\n * or provide it to create a nested group.\n *\n * @returns The ID of the newly created group.\n */\n create: async (\n ctx: ComponentCtx,\n data: {\n name: string;\n slug?: string;\n type?: string;\n parentGroupId?: string;\n tags?: Array<{ key: string; value: string }>;\n extend?: Record<string, unknown>;\n },\n ): Promise<string> => {\n return (await ctx.runMutation(\n config.component.public.groupCreate,\n data,\n )) as string;\n },\n /**\n * Retrieve a group by its ID. 
Returns `null` if not found.\n */\n get: async (ctx: ComponentReadCtx, groupId: string) => {\n return await ctx.runQuery(config.component.public.groupGet, { groupId });\n },\n /**\n * List groups with optional filtering, sorting, and pagination.\n *\n * Empty `where` returns **all** groups.\n *\n * ```ts\n * // All groups of type \"team\"\n * await auth.group.list(ctx, { where: { type: \"team\" } });\n *\n * // Paginated\n * const page1 = await auth.group.list(ctx, { limit: 10 });\n * const page2 = await auth.group.list(ctx, { limit: 10, cursor: page1.nextCursor });\n * ```\n */\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n slug?: string;\n type?: string;\n parentGroupId?: string;\n name?: string;\n isRoot?: boolean;\n tagsAll?: Array<{ key: string; value: string }>;\n tagsAny?: Array<{ key: string; value: string }>;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?: \"_creationTime\" | \"name\" | \"slug\" | \"type\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.groupList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n /**\n * Update a group's fields (name, slug, tags, extend, parentGroupId).\n */\n update: async (\n ctx: ComponentCtx,\n groupId: string,\n data: Record<string, unknown>,\n ) => {\n await ctx.runMutation(config.component.public.groupUpdate, { groupId, data });\n },\n /**\n * Delete a group and cascade to all descendants. Deletes child groups\n * (recursively), all members, and all invites for this group and its\n * descendants.\n */\n delete: async (ctx: ComponentCtx, groupId: string) => {\n await ctx.runMutation(config.component.public.groupDelete, { groupId });\n },\n\n /**\n * Manage group membership. A member links a user to a group with an\n * application-defined role string (e.g. 
\"owner\", \"admin\", \"member\").\n *\n * The auth component stores roles but does not enforce access control.\n * Your application defines what each role means.\n */\n member: {\n /**\n * Add a user as a member of a group.\n *\n * @param data.groupId - The group to add the member to.\n * @param data.userId - The user to add.\n * @param data.role - Application-defined role (e.g. \"owner\", \"admin\", \"member\").\n * @param data.status - Optional membership status (e.g. \"active\", \"suspended\").\n * @param data.extend - Optional arbitrary JSON extension data.\n * @throws ConvexError with code `DUPLICATE_MEMBERSHIP` if the user is\n * already a member of the target group.\n * @returns The ID of the new member record.\n */\n add: async (\n ctx: ComponentCtx,\n data: {\n groupId: string;\n userId: string;\n role?: string;\n status?: string;\n extend?: Record<string, unknown>;\n },\n ): Promise<string> => {\n return (await ctx.runMutation(\n config.component.public.memberAdd,\n data,\n )) as string;\n },\n /**\n * Retrieve a member record by its ID. 
Returns `null` if not found.\n */\n get: async (ctx: ComponentReadCtx, memberId: string) => {\n return await ctx.runQuery(config.component.public.memberGet, { memberId });\n },\n /**\n * List members with optional filtering, sorting, and pagination.\n *\n * ```ts\n * // All members of a group\n * await auth.group.member.list(ctx, { where: { groupId } });\n *\n * // Admins only\n * await auth.group.member.list(ctx, { where: { groupId, role: \"admin\" } });\n * ```\n */\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n groupId?: string;\n userId?: string;\n role?: string;\n status?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?: \"_creationTime\" | \"role\" | \"status\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.memberList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n /**\n * Remove a member from a group by deleting the member record.\n */\n remove: async (ctx: ComponentCtx, memberId: string) => {\n await ctx.runMutation(config.component.public.memberRemove, { memberId });\n },\n /**\n * Update a member's fields (role, status, extend).\n *\n * ```ts\n * await auth.group.member.update(ctx, memberId, { role: \"admin\" });\n * ```\n */\n update: async (\n ctx: ComponentCtx,\n memberId: string,\n data: Record<string, unknown>,\n ) => {\n await ctx.runMutation(config.component.public.memberUpdate, {\n memberId,\n data,\n });\n },\n },\n\n },\n /**\n * Manage platform-level invitations.\n *\n * Invites can optionally target a group by setting `groupId`, but they do\n * not require groups and can be used in apps with user-only collaboration.\n */\n invite: {\n /**\n * Create a new invitation.\n *\n * @param data.groupId - Optional group to invite the user into.\n * @param data.invitedByUserId - Optional user sending the invitation\n * (omit for CLI-generated invites).\n * @param data.email - 
Optional email of the invitee (omit for\n * CLI-generated invite links where the email is unknown upfront).\n * @param data.tokenHash - Hashed token for secure acceptance.\n * @param data.role - Optional role to assign on acceptance.\n * @param data.status - Initial status (typically \"pending\").\n * @param data.expiresTime - Optional expiration timestamp (omit for\n * single-use, non-expiring invites).\n * @param data.extend - Optional arbitrary JSON extension data.\n * @throws ConvexError with code `DUPLICATE_INVITE` if a pending invite\n * already exists for this email and scope.\n * @returns The ID of the new invite record.\n */\n create: async (\n ctx: ComponentCtx,\n data: {\n groupId?: string;\n invitedByUserId?: string;\n email?: string;\n tokenHash: string;\n role?: string;\n status: \"pending\" | \"accepted\" | \"revoked\" | \"expired\";\n expiresTime?: number;\n extend?: Record<string, unknown>;\n },\n ): Promise<string> => {\n return (await ctx.runMutation(config.component.public.inviteCreate, data)) as string;\n },\n /**\n * Retrieve an invite by its ID. 
Returns `null` if not found.\n */\n get: async (ctx: ComponentReadCtx, inviteId: string) => {\n return await ctx.runQuery(config.component.public.inviteGet, { inviteId });\n },\n /**\n * List invites with optional filtering, sorting, and pagination.\n *\n * ```ts\n * // Pending invites for a group\n * await auth.invite.list(ctx, { where: { groupId, status: \"pending\" } });\n * ```\n */\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n tokenHash?: string;\n groupId?: string;\n status?: \"pending\" | \"accepted\" | \"revoked\" | \"expired\";\n email?: string;\n invitedByUserId?: string;\n role?: string;\n acceptedByUserId?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?: \"_creationTime\" | \"status\" | \"email\" | \"expiresTime\" | \"acceptedTime\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.inviteList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n /**\n * Accept an invitation. Marks the invite as \"accepted\" and records\n * the timestamp. 
If the invite has a group, the caller is responsible\n * for creating the member record via `auth.group.member.add` in the\n * same Convex mutation for transactional safety.\n *\n * @param ctx - Convex context with `runMutation`.\n * @param inviteId - The invite document ID.\n * @param acceptedByUserId - User accepting the invite (recorded for audit).\n * @throws `ConvexError` with code `INVITE_NOT_FOUND` when the invite does not exist.\n * @throws `ConvexError` with code `INVITE_NOT_PENDING` when the invite is not in `pending` status.\n *\n * @example\n * ```ts\n * export const acceptInvite = mutation({\n * args: { inviteId: v.string() },\n * handler: async (ctx, { inviteId }) => {\n * const userId = await auth.user.require(ctx);\n * const invite = await auth.invite.get(ctx, inviteId);\n * if (!invite) throw new Error(\"Invite not found\");\n *\n * await auth.invite.accept(ctx, inviteId);\n * if (invite.groupId) {\n * await auth.group.member.add(ctx, {\n * groupId: invite.groupId,\n * userId,\n * role: invite.role,\n * });\n * }\n * },\n * });\n * ```\n */\n accept: async (ctx: ComponentCtx, inviteId: string, acceptedByUserId?: string) => {\n await ctx.runMutation(config.component.public.inviteAccept, {\n inviteId,\n ...(acceptedByUserId ? 
{ acceptedByUserId } : {}),\n });\n },\n /**\n * Revoke a pending invitation.\n *\n * @param ctx - Convex context with `runMutation`.\n * @param inviteId - The invite document ID.\n * @throws `ConvexError` with code `INVITE_NOT_FOUND` when the invite does not exist.\n * @throws `ConvexError` with code `INVITE_NOT_PENDING` when the invite is not in `pending` status.\n */\n revoke: async (ctx: ComponentCtx, inviteId: string) => {\n await ctx.runMutation(config.component.public.inviteRevoke, { inviteId });\n },\n },\n /**\n * Manage passkey credentials for users.\n *\n * ```ts\n * const passkeys = await auth.passkey.list(ctx, { userId });\n * await auth.passkey.rename(ctx, passkeyId, \"MacBook Touch ID\");\n * await auth.passkey.remove(ctx, passkeyId);\n * ```\n */\n passkey: {\n /**\n * List all passkeys for a user.\n *\n * @param opts.userId - The user whose passkeys to list.\n * @returns Array of passkey records with credentialId, name, deviceType,\n * backedUp, createdAt, and lastUsedAt.\n */\n list: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n return await ctx.runQuery(\n config.component.public.passkeyListByUserId,\n opts,\n );\n },\n /**\n * Rename a passkey (set a user-friendly display name).\n *\n * @param passkeyId - The passkey document ID.\n * @param name - New display name (e.g. 
\"MacBook Touch ID\").\n */\n rename: async (ctx: ComponentCtx, passkeyId: string, name: string) => {\n await ctx.runMutation(\n config.component.public.passkeyUpdateMeta,\n { passkeyId, data: { name } },\n );\n },\n /**\n * Delete a passkey credential.\n *\n * @param passkeyId - The passkey document ID to remove.\n */\n remove: async (ctx: ComponentCtx, passkeyId: string) => {\n await ctx.runMutation(\n config.component.public.passkeyDelete,\n { passkeyId },\n );\n },\n },\n /**\n * Manage TOTP two-factor authentication enrollments for users.\n *\n * ```ts\n * const enrollments = await auth.totp.list(ctx, { userId });\n * await auth.totp.remove(ctx, totpId);\n * ```\n */\n totp: {\n /**\n * List all TOTP enrollments for a user.\n *\n * @param opts.userId - The user whose enrollments to list.\n * @returns Array of TOTP enrollment records.\n */\n list: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n return await ctx.runQuery(\n config.component.public.totpListByUserId,\n opts,\n );\n },\n /**\n * Delete a TOTP enrollment.\n *\n * @param totpId - The TOTP document ID to remove.\n */\n remove: async (ctx: ComponentCtx, totpId: string) => {\n await ctx.runMutation(\n config.component.public.totpDelete,\n { totpId },\n );\n },\n },\n /**\n * Manage API keys for programmatic access.\n *\n * Keys use SHA-256 hashing (via `@oslojs/crypto`) and support\n * scoped resource:action permissions with optional per-key rate limiting.\n *\n * ```ts\n * const { keyId, raw } = await auth.key.create(ctx, {\n * userId,\n * name: \"CI Pipeline\",\n * scopes: [{ resource: \"users\", actions: [\"read\", \"list\"] }],\n * });\n * // raw = \"sk_live_abc123...\" — show once, never stored\n *\n * const result = await auth.key.verify(ctx, rawKey);\n * result.scopes.can(\"users\", \"read\"); // true\n * ```\n */\n key: {\n /**\n * Create a new API key. 
Returns the raw key **once** — it cannot\n * be retrieved again after creation.\n *\n * @param opts.userId - The user this key belongs to.\n * @param opts.name - Human-readable name (e.g. \"CI Pipeline\").\n * @param opts.scopes - Resource:action permissions for this key.\n * @param opts.rateLimit - Optional per-key rate limit override.\n * @param opts.expiresAt - Optional expiration timestamp.\n * @returns `{ keyId, raw }` where `raw` is the full key string.\n */\n create: async (\n ctx: ComponentCtx,\n opts: {\n userId: string;\n name: string;\n scopes: import(\"../types.js\").KeyScope[];\n rateLimit?: { maxRequests: number; windowMs: number };\n expiresAt?: number;\n },\n ): Promise<{ keyId: string; raw: string }> => {\n const prefix = config.apiKeys?.prefix ?? \"sk_live_\";\n\n // Validate scopes against config if defined\n validateScopes(opts.scopes, config.apiKeys?.scopes);\n\n const { raw, hashedKey, displayPrefix } = await generateApiKey(prefix);\n\n const keyId = (await ctx.runMutation(\n config.component.public.keyInsert,\n {\n userId: opts.userId,\n prefix: displayPrefix,\n hashedKey,\n name: opts.name,\n scopes: opts.scopes,\n rateLimit: opts.rateLimit ?? config.apiKeys?.defaultRateLimit,\n expiresAt: opts.expiresAt,\n },\n )) as string;\n\n return { keyId, raw };\n },\n\n /**\n * Verify a raw API key string. 
Returns the userId and a scope checker\n * if the key is valid, not revoked, not expired, and not rate-limited.\n *\n * Also updates `lastUsedAt` and rate limit state as a side effect.\n *\n * @throws Error if the key is invalid, revoked, expired, or rate-limited.\n */\n verify: async (\n ctx: ComponentCtx,\n rawKey: string,\n ): Promise<{\n userId: string;\n keyId: string;\n scopes: import(\"../types.js\").ScopeChecker;\n }> => {\n const hashedKey = await hashApiKey(rawKey);\n\n const key = (await ctx.runQuery(\n config.component.public.keyGetByHashedKey,\n { hashedKey },\n )) as KeyDoc | null;\n if (!key) {\n throwAuthError(\"INVALID_API_KEY\");\n }\n if (key.revoked) {\n throwAuthError(\"API_KEY_REVOKED\");\n }\n if (key.expiresAt && key.expiresAt < Date.now()) {\n throwAuthError(\"API_KEY_EXPIRED\");\n }\n\n // Check per-key rate limit\n const patchData: Record<string, unknown> = { lastUsedAt: Date.now() };\n\n if (key.rateLimit) {\n const { limited, newState } = checkKeyRateLimit(\n key.rateLimit,\n key.rateLimitState ?? 
undefined,\n );\n if (limited) {\n throwAuthError(\"API_KEY_RATE_LIMITED\");\n }\n patchData.rateLimitState = newState;\n }\n\n // Update lastUsedAt (and rate limit state if applicable)\n await ctx.runMutation(config.component.public.keyPatch, {\n keyId: key._id,\n data: patchData,\n });\n\n return {\n userId: key.userId,\n keyId: key._id,\n scopes: buildScopeChecker(key.scopes),\n };\n },\n\n /**\n * List API keys with optional filtering, sorting, and pagination.\n * Never includes the raw key — only the display prefix.\n *\n * ```ts\n * // All keys for a user\n * await auth.key.list(ctx, { where: { userId } });\n *\n * // Only active (non-revoked)\n * await auth.key.list(ctx, { where: { userId, revoked: false } });\n * ```\n */\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n userId?: string;\n revoked?: boolean;\n name?: string;\n prefix?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?: \"_creationTime\" | \"name\" | \"lastUsedAt\" | \"expiresAt\" | \"revoked\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.keyList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n\n /**\n * Get a single API key by its document ID.\n * Returns `null` if not found.\n */\n get: async (ctx: ComponentReadCtx, keyId: string): Promise<KeyDoc | null> => {\n return (await ctx.runQuery(\n config.component.public.keyGetById,\n { keyId },\n )) as KeyDoc | null;\n },\n\n /**\n * Update an API key's metadata (name, scopes, rate limit).\n */\n update: async (\n ctx: ComponentCtx,\n keyId: string,\n data: {\n name?: string;\n scopes?: import(\"../types.js\").KeyScope[];\n rateLimit?: { maxRequests: number; windowMs: number };\n },\n ) => {\n if (data.scopes) {\n validateScopes(data.scopes, config.apiKeys?.scopes);\n }\n await ctx.runMutation(config.component.public.keyPatch, {\n keyId,\n data,\n });\n },\n\n /**\n * Revoke an 
API key (soft delete). The key record is preserved\n * for audit purposes but can no longer be used for authentication.\n */\n revoke: async (ctx: ComponentCtx, keyId: string) => {\n await ctx.runMutation(config.component.public.keyPatch, {\n keyId,\n data: { revoked: true },\n });\n },\n\n /**\n * Hard delete an API key record.\n */\n remove: async (ctx: ComponentCtx, keyId: string) => {\n await ctx.runMutation(config.component.public.keyDelete, {\n keyId,\n });\n },\n },\n /**\n * HTTP namespace — route registration and Bearer-authenticated endpoints.\n */\n http: {\n /**\n * Register core HTTP routes for JWT verification and OAuth sign-in.\n *\n * ```ts\n * import { httpRouter } from \"convex/server\";\n * import { auth } from \"./auth\";\n *\n * const http = httpRouter();\n *\n * auth.http.add(http);\n *\n * export default http;\n * ```\n *\n * The following routes are handled always:\n *\n * - `/.well-known/openid-configuration`\n * - `/.well-known/jwks.json`\n *\n * The following routes are handled if OAuth is configured:\n *\n * - `/api/auth/signin/*`\n * - `/api/auth/callback/*`\n *\n * @param http your HTTP router\n */\n add: (http: HttpRouter) => {\n http.route({\n path: \"/.well-known/openid-configuration\",\n method: \"GET\",\n handler: httpActionGeneric(async () => {\n return new Response(\n JSON.stringify({\n issuer: requireEnv(\"CONVEX_SITE_URL\"),\n jwks_uri:\n requireEnv(\"CONVEX_SITE_URL\") + \"/.well-known/jwks.json\",\n authorization_endpoint:\n requireEnv(\"CONVEX_SITE_URL\") + \"/oauth/authorize\",\n }),\n {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n \"Cache-Control\":\n \"public, max-age=15, stale-while-revalidate=15, stale-if-error=86400\",\n },\n },\n );\n }),\n });\n\n http.route({\n path: \"/.well-known/jwks.json\",\n method: \"GET\",\n handler: httpActionGeneric(async () => {\n return new Response(requireEnv(\"JWKS\"), {\n status: 200,\n headers: {\n \"Content-Type\": \"application/json\",\n 
\"Cache-Control\":\n \"public, max-age=15, stale-while-revalidate=15, stale-if-error=86400\",\n },\n });\n }),\n });\n\n if (hasOAuth) {\n http.route({\n pathPrefix: \"/api/auth/signin/\",\n method: \"GET\",\n handler: httpActionGeneric(\n convertErrorsToResponse(400, async (ctx, request) => {\n const url = new URL(request.url);\n const pathParts = url.pathname.split(\"/\");\n const providerId = pathParts.at(-1)!;\n if (providerId === null) {\n throwAuthError(\"OAUTH_MISSING_PROVIDER\");\n }\n const verifier = url.searchParams.get(\"code\");\n if (verifier === null) {\n throwAuthError(\"OAUTH_MISSING_VERIFIER\");\n }\n const provider = getProviderOrThrow(providerId);\n\n const oauthConfig = provider as OAuthMaterializedConfig;\n const { redirect, cookies, signature } =\n await createOAuthAuthorizationURL(\n providerId,\n oauthConfig.provider,\n oauthConfig,\n );\n\n await callVerifierSignature(ctx, {\n verifier,\n signature,\n });\n\n const redirectTo = url.searchParams.get(\"redirectTo\");\n if (redirectTo !== null) {\n cookies.push(redirectToParamCookie(providerId, redirectTo));\n }\n\n const headers = new Headers({ Location: redirect });\n for (const { name, value, options } of cookies) {\n headers.append(\n \"Set-Cookie\",\n serializeCookie(name, value, options as any),\n );\n }\n\n return new Response(null, { status: 302, headers });\n }),\n ),\n });\n\n const callbackAction = httpActionGeneric(\n async (genericCtx, request) => {\n const ctx = genericCtx as unknown as ActionCtx;\n const url = new URL(request.url);\n const pathParts = url.pathname.split(\"/\");\n const providerId = pathParts.at(-1)!;\n logWithLevel(\n LOG_LEVELS.DEBUG,\n \"Handling OAuth callback for provider:\",\n providerId,\n );\n const provider = getProviderOrThrow(providerId);\n\n const cookies = getCookies(request);\n\n const maybeRedirectTo = useRedirectToParam(provider.id, cookies);\n\n const destinationUrl = await redirectAbsoluteUrl(config, {\n redirectTo: 
maybeRedirectTo?.redirectTo,\n });\n\n const params = url.searchParams;\n\n // Handle OAuth providers that use formData (such as Apple)\n if (\n request.headers.get(\"Content-Type\") ===\n \"application/x-www-form-urlencoded\"\n ) {\n const formData = await request.formData();\n for (const [key, value] of formData.entries()) {\n if (typeof value === \"string\") {\n params.append(key, value);\n }\n }\n }\n\n try {\n const oauthConfig = provider as OAuthMaterializedConfig;\n const result = await handleOAuthCallback(\n providerId,\n oauthConfig.provider,\n oauthConfig,\n Object.fromEntries(params.entries()),\n cookies,\n );\n const { id: profileId, ...profileData } = result.profile;\n const { signature } = result;\n\n const verificationCode = await callUserOAuth(ctx, {\n provider: providerId,\n providerAccountId: profileId,\n profile: profileData,\n signature,\n });\n\n return new Response(null, {\n status: 302,\n headers: {\n Location: setURLSearchParam(\n destinationUrl,\n \"code\",\n verificationCode,\n ),\n \"Cache-Control\": \"must-revalidate\",\n },\n });\n } catch (error) {\n logError(error);\n return Response.redirect(destinationUrl);\n }\n },\n );\n\n http.route({\n pathPrefix: \"/api/auth/callback/\",\n method: \"GET\",\n handler: callbackAction,\n });\n\n http.route({\n pathPrefix: \"/api/auth/callback/\",\n method: \"POST\",\n handler: callbackAction,\n });\n }\n },\n\n /**\n * Wrap an HTTP action handler with Bearer token authentication.\n *\n * Extracts the `Authorization: Bearer <key>` header, verifies the\n * API key via `auth.key.verify()`, and injects `ctx.key` with the\n * verified key info. Returns structured JSON error responses for\n * missing/invalid/revoked/expired/rate-limited keys.\n *\n * If the handler returns a plain object, it is auto-wrapped in a\n * `200 JSON` response. 
If it returns a `Response`, CORS headers\n * are merged and the response is passed through.\n *\n * ```ts\n * const handler = auth.http.action(async (ctx, request) => {\n * const data = await ctx.runQuery(api.data.get, { userId: ctx.key.userId });\n * return { data };\n * });\n * http.route({ path: \"/api/data\", method: \"GET\", handler });\n * ```\n *\n * @param handler - Receives enriched `ctx` (with `ctx.key`) and the raw `Request`.\n * @param options.scope - Optional scope check; returns 403 if the key lacks permission.\n * @param options.cors - CORS config; defaults to permissive (`*`).\n */\n action: (\n handler: (\n ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,\n request: Request,\n ) => Promise<Response | Record<string, unknown>>,\n options?: {\n scope?: { resource: string; action: string };\n cors?: CorsConfig;\n },\n ) => {\n const corsConfig = options?.cors ?? {};\n const corsHeaders: Record<string, string> = {\n \"Access-Control-Allow-Origin\": corsConfig.origin ?? \"*\",\n \"Access-Control-Allow-Methods\":\n corsConfig.methods ?? \"GET,POST,PUT,PATCH,DELETE,OPTIONS\",\n \"Access-Control-Allow-Headers\":\n corsConfig.headers ?? \"Content-Type,Authorization\",\n };\n\n const jsonError = (\n status: number,\n code: string,\n message: string,\n ) =>\n new Response(JSON.stringify({ error: message, code }), {\n status,\n headers: { ...corsHeaders, \"Content-Type\": \"application/json\" },\n });\n\n return httpActionGeneric(async (genericCtx, request) => {\n const ctx = genericCtx as unknown as GenericActionCtx<GenericDataModel>;\n\n try {\n // 1. Extract Bearer token\n const authHeader = request.headers.get(\"Authorization\");\n if (!authHeader?.startsWith(\"Bearer \")) {\n return jsonError(\n 401,\n \"MISSING_BEARER_TOKEN\",\n \"Missing or malformed Authorization: Bearer header.\",\n );\n }\n const rawKey = authHeader.slice(7);\n\n // 2. 
Verify API key\n let keyResult: { userId: string; keyId: string; scopes: import(\"../types.js\").ScopeChecker };\n try {\n keyResult = await auth.key.verify(ctx, rawKey);\n } catch (error: unknown) {\n if (isAuthError(error)) {\n const { code, message } = error.data as { code: string; message: string };\n return jsonError(403, code, message);\n }\n throw error;\n }\n\n // 3. Optional scope check\n if (options?.scope) {\n if (!keyResult.scopes.can(options.scope.resource, options.scope.action)) {\n return jsonError(\n 403,\n \"SCOPE_CHECK_FAILED\",\n \"This API key does not have the required permissions.\",\n );\n }\n }\n\n // 4. Enrich context with key info\n const enrichedCtx = Object.assign(ctx, {\n key: {\n userId: keyResult.userId,\n keyId: keyResult.keyId,\n scopes: keyResult.scopes,\n },\n });\n\n // 5. Call handler\n const result = await handler(enrichedCtx, request);\n\n // 6. Auto-wrap plain objects as JSON responses\n if (result instanceof Response) {\n // Merge CORS headers into existing response\n const headers = new Headers(result.headers);\n for (const [k, val] of Object.entries(corsHeaders)) {\n if (!headers.has(k)) headers.set(k, val);\n }\n return new Response(result.body, {\n status: result.status,\n statusText: result.statusText,\n headers,\n });\n }\n\n return new Response(JSON.stringify(result), {\n status: 200,\n headers: { ...corsHeaders, \"Content-Type\": \"application/json\" },\n });\n } catch (error: unknown) {\n logError(error);\n return jsonError(500, \"INTERNAL_ERROR\", \"An unexpected error occurred.\");\n }\n });\n },\n\n /**\n * Register a Bearer-authenticated route **and** its OPTIONS preflight\n * in a single call.\n *\n * ```ts\n * auth.http.route(http, {\n * path: \"/api/messages\",\n * method: \"POST\",\n * handler: async (ctx, request) => {\n * const { body } = await request.json();\n * await ctx.runMutation(internal.messages.sendAsUser, {\n * userId: ctx.key.userId,\n * body,\n * });\n * return { success: true };\n * },\n * 
});\n * ```\n *\n * @param http - The Convex HTTP router.\n * @param routeConfig.path - The URL path to match.\n * @param routeConfig.method - HTTP method (GET, POST, PUT, PATCH, DELETE).\n * @param routeConfig.handler - Receives enriched `ctx` (with `ctx.key`) and the raw `Request`.\n * @param routeConfig.scope - Optional scope check; returns 403 if the key lacks permission.\n * @param routeConfig.cors - CORS config; defaults to permissive (`*`).\n */\n route: (\n http: HttpRouter,\n routeConfig: {\n path: string;\n method: \"GET\" | \"POST\" | \"PUT\" | \"PATCH\" | \"DELETE\";\n handler: (\n ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,\n request: Request,\n ) => Promise<Response | Record<string, unknown>>;\n scope?: { resource: string; action: string };\n cors?: CorsConfig;\n },\n ) => {\n const corsConfig = routeConfig.cors ?? {};\n const corsHeaders: Record<string, string> = {\n \"Access-Control-Allow-Origin\": corsConfig.origin ?? \"*\",\n \"Access-Control-Allow-Methods\":\n corsConfig.methods ?? \"GET,POST,PUT,PATCH,DELETE,OPTIONS\",\n \"Access-Control-Allow-Headers\":\n corsConfig.headers ?? 
\"Content-Type,Authorization\",\n };\n\n // Register OPTIONS preflight\n http.route({\n path: routeConfig.path,\n method: \"OPTIONS\",\n handler: httpActionGeneric(async () => {\n return new Response(null, { status: 204, headers: corsHeaders });\n }),\n });\n\n // Register the main route with Bearer auth wrapping\n http.route({\n path: routeConfig.path,\n method: routeConfig.method,\n handler: auth.http.action(routeConfig.handler, {\n scope: routeConfig.scope,\n cors: routeConfig.cors,\n }),\n });\n },\n },\n };\n const enrichCtx = <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n ) => ({\n ...ctx,\n auth: {\n ...ctx.auth,\n config,\n account: auth.account,\n session: auth.session,\n provider: auth.provider,\n },\n });\n\n return {\n /**\n * Helper for configuring HTTP actions.\n */\n auth,\n /**\n * Action called by the client to sign the user in.\n *\n * Also used for refreshing the session.\n */\n signIn: actionGeneric({\n args: {\n provider: v.optional(v.string()),\n params: v.optional(v.any()),\n verifier: v.optional(v.string()),\n refreshToken: v.optional(v.string()),\n calledBy: v.optional(v.string()),\n },\n handler: async (\n ctx,\n args,\n ): Promise<{\n redirect?: string;\n verifier?: string;\n tokens?: Tokens | null;\n started?: boolean;\n options?: Record<string, any>;\n totpRequired?: boolean;\n totpSetup?: { uri: string; secret: string; totpId: string };\n deviceCode?: {\n deviceCode: string;\n userCode: string;\n verificationUri: string;\n verificationUriComplete: string;\n expiresIn: number;\n interval: number;\n };\n }> => {\n if (args.calledBy !== undefined) {\n logWithLevel(\"INFO\", `\\`auth:signIn\\` called by ${args.calledBy}`);\n }\n const provider =\n args.provider !== undefined\n ? 
getProviderOrThrow(args.provider)\n : null;\n const result = await signInImpl(enrichCtx(ctx), provider, args, {\n generateTokens: true,\n allowExtraProviders: false,\n });\n switch (result.kind) {\n case \"redirect\":\n return { redirect: result.redirect, verifier: result.verifier };\n case \"signedIn\":\n case \"refreshTokens\":\n return { tokens: result.signedIn?.tokens ?? null };\n case \"started\":\n return { started: true };\n case \"passkeyOptions\":\n return { options: result.options, verifier: result.verifier };\n case \"totpRequired\":\n return { totpRequired: true, verifier: result.verifier };\n case \"totpSetup\":\n return { totpSetup: { uri: result.uri, secret: result.secret, totpId: result.totpId }, verifier: result.verifier };\n case \"deviceCode\":\n return {\n deviceCode: {\n deviceCode: result.deviceCode,\n userCode: result.userCode,\n verificationUri: result.verificationUri,\n verificationUriComplete: result.verificationUriComplete,\n expiresIn: result.expiresIn,\n interval: result.interval,\n },\n };\n default: {\n const _typecheck: never = result;\n throwAuthError(\"INTERNAL_ERROR\", `Unexpected result from signIn, ${String(result)}`);\n }\n }\n },\n }),\n /**\n * Action called by the client to invalidate the current session.\n */\n signOut: actionGeneric({\n args: {},\n handler: async (ctx) => {\n await callSignOut(ctx);\n },\n }),\n\n /**\n * Internal mutation used by the library to read and write\n * to the database during signin and signout.\n */\n store: internalMutationGeneric({\n args: storeArgs,\n handler: async (ctx: MutationCtx, args) => {\n return storeImpl(ctx, args, getProviderOrThrow, config);\n },\n }),\n\n };\n}\n\nfunction convertErrorsToResponse(\n errorStatusCode: number,\n action: (ctx: GenericActionCtx<any>, request: Request) => Promise<Response>,\n) {\n return async (ctx: GenericActionCtx<any>, request: Request) => {\n try {\n return await action(ctx, request);\n } catch (error) {\n if (isAuthError(error)) {\n return new 
Response(\n JSON.stringify({ code: error.data.code, message: error.data.message }),\n {\n status: errorStatusCode,\n headers: { \"Content-Type\": \"application/json\" },\n },\n );\n } else if (error instanceof ConvexError) {\n return new Response(null, {\n status: errorStatusCode,\n statusText: typeof error.data === \"string\" ? error.data : \"Error\",\n });\n } else {\n logError(error);\n return new Response(null, {\n status: 500,\n statusText: \"Internal Server Error\",\n });\n }\n }\n };\n}\nfunction getCookies(request: Request): Record<string, string | undefined> {\n return parseCookies(request.headers.get(\"Cookie\") ?? \"\");\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwGA,SAAgB,KAAK,SAA2B;CAC9C,MAAM,SAAS,eAAe,QAAQ;CACtC,MAAM,WAAW,OAAO,UAAU,MAC/B,aAAa,SAAS,SAAS,QACjC;CACD,MAAM,eAAe,IAAY,sBAA+B,UAAU;AACxE,SACE,OAAO,UAAU,MAAM,aAAa,SAAS,OAAO,GAAG,KACtD,sBACG,OAAO,eAAe,MAAM,aAAa,SAAS,OAAO,GAAG,GAC5D;;CAGR,MAAM,sBACJ,IACA,sBAA+B,UAC5B;EACH,MAAM,WAAW,YAAY,IAAI,oBAAoB;AACrD,MAAI,aAAa,QAAW;GAC1B,MAAM,SACJ,cAAc,GAAG,gDACU,uBAAuB,QAAQ,oBAAoB,CAAC;AACjF,gBAAa,WAAW,OAAO,OAAO;AACtC,kBAAe,2BAA2B,QAAQ,EAAE,UAAU,IAAI,CAAC;;AAErE,SAAO;;CAsBT,MAAM,OAAO;EACX,MAAM;GAQJ,SAAS,OAAO,QAAwB;IACtC,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,QAAI,aAAa,KACf,QAAO;IAET,MAAM,CAAC,UAAU,SAAS,QAAQ,MAAM,wBAAwB;AAChE,WAAO;;GAUT,SAAS,OAAO,QAAwB;IACtC,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,QAAI,aAAa,KACf,gBAAe,gBAAgB;IAEjC,MAAM,CAAC,UAAU,SAAS,QAAQ,MAAM,wBAAwB;AAChE,WAAO;;GAST,KAAK,OAAO,KAAuB,WAAmB;AACpD,WAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,aAAa,EAAE,QAAQ,CAAC;;GAY5E,MAAM,OACJ,KACA,OAMI,EAAE,KACH;AACH,WAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,UAAU,KAAK;;GASnE,QAAQ,OAAO,QAA8B;IAC3C,MAAM,SAAS,MAAM,KAAK,KAAK,QAAQ,IAAI;AAC3C,QAAI,WAAW,KACb,QAAO;AAET,WAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,aAAa,EAAE,QAAQ,CAAC;;GAS5E,OAAO,OACL,KACA,QACA,SACG;AACH,UAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;KACvD;KACA;KACD,CAAC;;GAKJ,OAAO;IAQL,MAAM,OACJ,KACA,SAMG;AACH,YAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY;MAC5D,OAAO,EAAE,QAAQ,KAAK,QA
AQ;MAC9B,OAAO,KAAK;MACZ,QAAQ,KAAK;MACb,OAAO,KAAK;MACb,CAAC;;IAOJ,KAAK,OACH,KACA,SACG;AACH,YAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,yBACxB,KACD;;IAEJ;GACF;EACD,SAAS;GAQP,SAAS,OAAO,QAAwB;IACtC,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,QAAI,aAAa,KACf,QAAO;IAET,MAAM,GAAG,aAAa,SAAS,QAAQ,MAAM,wBAAwB;AACrE,WAAO;;GAST,YAAY,OACV,KACA,SAIkB;AAElB,WAAO,MAAM,uBADK,KAC6B,KAAK;;GAEvD;EACD,SAAS;GAQP,QAAQ,OACN,KACA,SACG;AAEH,WAAO,MAAM,iCADK,KACuC,KAAK;;GAUhE,KAAK,OACH,KACA,SACG;IAEH,MAAM,SAAS,MAAM,mCADH,KACiD,KAAK;AACxE,QAAI,OAAO,WAAW,SACpB,gBAAe,qBAAqB,OAAO;AAE7C,WAAO;;GAQT,QAAQ,OACN,KACA,SACkB;AAElB,WAAO,MAAM,kBADK,KACwB,KAAK;;GAElD;EACD,UAAU,EASR,QAAQ,OACN,KACA,UACA,SAIG;GACH,MAAM,SAAS,MAAM,WACnB,UAAU,IAAI,EACd,oBAAoB,SAAS,EAE7B,MACA;IACE,gBAAgB;IAChB,qBAAqB;IACtB,CACF;AACD,UAAO,OAAO,SAAS,aACnB,OAAO,aAAa,OAClB;IAAE,QAAQ,OAAO,SAAS;IAAQ,WAAW,OAAO,SAAS;IAAW,GACxE,OACF;KAEP;EAaD,OAAO;GAOL,QAAQ,OACN,KACA,SAQoB;AACpB,WAAQ,MAAM,IAAI,YAChB,OAAO,UAAU,OAAO,aACxB,KACD;;GAKH,KAAK,OAAO,KAAuB,YAAoB;AACrD,WAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,UAAU,EAAE,SAAS,CAAC;;GAgB1E,MAAM,OACJ,KACA,SAeG;AACH,WAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW;KAC3D,OAAO,MAAM;KACb,OAAO,MAAM;KACb,QAAQ,MAAM;KACd,SAAS,MAAM;KACf,OAAO,MAAM;KACd,CAAC;;GAKJ,QAAQ,OACN,KACA,SACA,SACG;AACH,UAAM,IAAI,YAAY,OAAO,UAAU,OAAO,aAAa;KAAE;KAAS;KAAM,CAAC;;GAO/E,QAAQ,OAAO,KAAmB,YAAoB;AACpD,UAAM,IAAI,YAAY,OAAO,UAAU,OAAO,aAAa,EAAE,SAAS,CAAC;;GAUzE,QAAQ;IAaN,KAAK,OACH,KACA,SAOoB;AACpB,YAAQ,MAAM,IAAI,YAChB,OAAO,UAAU,OAAO,WACxB,KACD;;IAKH,KAAK,OAAO,KAAuB,aAAqB;AACtD,YAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW,EAAE,UAAU,CAAC;;IAa5E,MAAM,OACJ,KACA,SAYG;AACH,YAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY;MAC5D,OAAO,MAAM;MACb,OAAO,MAAM;MACb,QAAQ,MAAM;MACd,SAAS,MAAM;MACf,OAAO,MAAM;MACd,CAAC;;IAKJ,QAAQ,OAAO,KAAmB,aAAqB;AACrD,WAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EAAE,UAAU,CAAC;;IAS3E,QAAQ,OACN,KACA,UACA,SACG;AACH,WAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc;MAC1D;MACA;MACD,CAAC;;IAEL;GAEF;EAOD,QAAQ;GAmBN,QAAQ,OACN,KACA,SAUoB;AACpB,WAAQ,MAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,KAAK;;GAK3E,KAAK,O
AAO,KAAuB,aAAqB;AACtD,WAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW,EAAE,UAAU,CAAC;;GAU5E,MAAM,OACJ,KACA,SAeG;AACH,WAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY;KAC5D,OAAO,MAAM;KACb,OAAO,MAAM;KACb,QAAQ,MAAM;KACd,SAAS,MAAM;KACf,OAAO,MAAM;KACd,CAAC;;GAmCJ,QAAQ,OAAO,KAAmB,UAAkB,qBAA8B;AAChF,UAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc;KAC1D;KACA,GAAI,mBAAmB,EAAE,kBAAkB,GAAG,EAAE;KACjD,CAAC;;GAUJ,QAAQ,OAAO,KAAmB,aAAqB;AACrD,UAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EAAE,UAAU,CAAC;;GAE5E;EAUD,SAAS;GAQP,MAAM,OAAO,KAAuB,SAA6B;AAC/D,WAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,qBACxB,KACD;;GAQH,QAAQ,OAAO,KAAmB,WAAmB,SAAiB;AACpE,UAAM,IAAI,YACR,OAAO,UAAU,OAAO,mBACxB;KAAE;KAAW,MAAM,EAAE,MAAM;KAAE,CAC9B;;GAOH,QAAQ,OAAO,KAAmB,cAAsB;AACtD,UAAM,IAAI,YACR,OAAO,UAAU,OAAO,eACxB,EAAE,WAAW,CACd;;GAEJ;EASD,MAAM;GAOJ,MAAM,OAAO,KAAuB,SAA6B;AAC/D,WAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,kBACxB,KACD;;GAOH,QAAQ,OAAO,KAAmB,WAAmB;AACnD,UAAM,IAAI,YACR,OAAO,UAAU,OAAO,YACxB,EAAE,QAAQ,CACX;;GAEJ;EAmBD,KAAK;GAYH,QAAQ,OACN,KACA,SAO4C;IAC5C,MAAM,SAAS,OAAO,SAAS,UAAU;AAGzC,mBAAe,KAAK,QAAQ,OAAO,SAAS,OAAO;IAEnD,MAAM,EAAE,KAAK,WAAW,kBAAkB,MAAM,eAAe,OAAO;AAetE,WAAO;KAAE,OAbM,MAAM,IAAI,YACvB,OAAO,UAAU,OAAO,WACxB;MACE,QAAQ,KAAK;MACb,QAAQ;MACR;MACA,MAAM,KAAK;MACX,QAAQ,KAAK;MACb,WAAW,KAAK,aAAa,OAAO,SAAS;MAC7C,WAAW,KAAK;MACjB,CACF;KAEe;KAAK;;GAWvB,QAAQ,OACN,KACA,WAKI;IACJ,MAAM,YAAY,MAAM,WAAW,OAAO;IAE1C,MAAM,MAAO,MAAM,IAAI,SACrB,OAAO,UAAU,OAAO,mBACxB,EAAE,WAAW,CACd;AACD,QAAI,CAAC,IACH,gBAAe,kBAAkB;AAEnC,QAAI,IAAI,QACN,gBAAe,kBAAkB;AAEnC,QAAI,IAAI,aAAa,IAAI,YAAY,KAAK,KAAK,CAC7C,gBAAe,kBAAkB;IAInC,MAAM,YAAqC,EAAE,YAAY,KAAK,KAAK,EAAE;AAErE,QAAI,IAAI,WAAW;KACjB,MAAM,EAAE,SAAS,aAAa,kBAC5B,IAAI,WACJ,IAAI,kBAAkB,OACvB;AACD,SAAI,QACF,gBAAe,uBAAuB;AAExC,eAAU,iBAAiB;;AAI7B,UAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;KACtD,OAAO,IAAI;KACX,MAAM;KACP,CAAC;AAEF,WAAO;KACL,QAAQ,IAAI;KACZ,OAAO,IAAI;KACX,QAAQ,kBAAkB,IAAI,OAAO;KACtC;;GAeH,MAAM,OACJ,KACA,SAYG;AACH,WAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,SAAS;KACzD,OAAO,MAAM;KACb,OAAO,MAAM;KACb,QAAQ,MAAM;KACd,SAAS,MAAM;KACf,OAAO,MAAM;KACd,CA
AC;;GAOJ,KAAK,OAAO,KAAuB,UAA0C;AAC3E,WAAQ,MAAM,IAAI,SAChB,OAAO,UAAU,OAAO,YACxB,EAAE,OAAO,CACV;;GAMH,QAAQ,OACN,KACA,OACA,SAKG;AACH,QAAI,KAAK,OACP,gBAAe,KAAK,QAAQ,OAAO,SAAS,OAAO;AAErD,UAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;KACtD;KACA;KACD,CAAC;;GAOJ,QAAQ,OAAO,KAAmB,UAAkB;AAClD,UAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;KACtD;KACA,MAAM,EAAE,SAAS,MAAM;KACxB,CAAC;;GAMJ,QAAQ,OAAO,KAAmB,UAAkB;AAClD,UAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW,EACvD,OACD,CAAC;;GAEL;EAID,MAAM;GA2BJ,MAAM,SAAqB;AAC3B,SAAK,MAAM;KACT,MAAM;KACN,QAAQ;KACR,SAAS,kBAAkB,YAAY;AACrC,aAAO,IAAI,SACT,KAAK,UAAU;OACb,QAAQ,WAAW,kBAAkB;OACrC,UACE,WAAW,kBAAkB,GAAG;OAClC,wBACE,WAAW,kBAAkB,GAAG;OACnC,CAAC,EACF;OACE,QAAQ;OACR,SAAS;QACP,gBAAgB;QAChB,iBACE;QACH;OACF,CACF;OACD;KACH,CAAC;AAEF,SAAK,MAAM;KACT,MAAM;KACN,QAAQ;KACR,SAAS,kBAAkB,YAAY;AACrC,aAAO,IAAI,SAAS,WAAW,OAAO,EAAE;OACtC,QAAQ;OACR,SAAS;QACP,gBAAgB;QAChB,iBACE;QACH;OACF,CAAC;OACF;KACH,CAAC;AAEF,QAAI,UAAU;AACZ,UAAK,MAAM;MACT,YAAY;MACZ,QAAQ;MACR,SAAS,kBACP,wBAAwB,KAAK,OAAO,KAAK,YAAY;OACnD,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;OAEhC,MAAM,aADY,IAAI,SAAS,MAAM,IAAI,CACZ,GAAG,GAAG;AACnC,WAAI,eAAe,KACjB,gBAAe,yBAAyB;OAE1C,MAAM,WAAW,IAAI,aAAa,IAAI,OAAO;AAC7C,WAAI,aAAa,KACf,gBAAe,yBAAyB;OAI1C,MAAM,cAFW,mBAAmB,WAAW;OAG/C,MAAM,EAAE,UAAU,SAAS,cACzB,MAAM,4BACJ,YACA,YAAY,UACZ,YACD;AAEH,aAAM,sBAAsB,KAAK;QAC/B;QACA;QACD,CAAC;OAEF,MAAM,aAAa,IAAI,aAAa,IAAI,aAAa;AACrD,WAAI,eAAe,KACjB,SAAQ,KAAK,sBAAsB,YAAY,WAAW,CAAC;OAG7D,MAAM,UAAU,IAAI,QAAQ,EAAE,UAAU,UAAU,CAAC;AACnD,YAAK,MAAM,EAAE,MAAM,OAAO,aAAa,QACrC,SAAQ,OACN,cACAA,UAAgB,MAAM,OAAO,QAAe,CAC7C;AAGH,cAAO,IAAI,SAAS,MAAM;QAAE,QAAQ;QAAK;QAAS,CAAC;QACnD,CACH;MACF,CAAC;KAEF,MAAM,iBAAiB,kBACrB,OAAO,YAAY,YAAY;MAC7B,MAAM,MAAM;MACZ,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;MAEhC,MAAM,aADY,IAAI,SAAS,MAAM,IAAI,CACZ,GAAG,GAAG;AACnC,mBACE,WAAW,OACX,yCACA,WACD;MACD,MAAM,WAAW,mBAAmB,WAAW;MAE/C,MAAM,UAAU,WAAW,QAAQ;MAInC,MAAM,iBAAiB,MAAM,oBAAoB,QAAQ,EACvD,YAHsB,mBAAmB,SAAS,IAAI,QAAQ,EAGjC,YAC9B,CAAC;MAEF,MAAM,SAAS,IAAI;AAGnB,UACE,QAAQ,QAAQ,IAAI,eAAe,KACnC,qCACA;OACA,MAAM,WAAW,MAAM,Q
AAQ,UAAU;AACzC,YAAK,MAAM,CAAC,KAAK,UAAU,SAAS,SAAS,CAC3C,KAAI,OAAO,UAAU,SACnB,QAAO,OAAO,KAAK,MAAM;;AAK/B,UAAI;OACF,MAAM,cAAc;OACpB,MAAM,SAAS,MAAM,oBACnB,YACA,YAAY,UACZ,aACA,OAAO,YAAY,OAAO,SAAS,CAAC,EACpC,QACD;OACD,MAAM,EAAE,IAAI,WAAW,GAAG,gBAAgB,OAAO;OACjD,MAAM,EAAE,cAAc;OAEtB,MAAM,mBAAmB,MAAM,cAAc,KAAK;QAChD,UAAU;QACV,mBAAmB;QACnB,SAAS;QACT;QACD,CAAC;AAEF,cAAO,IAAI,SAAS,MAAM;QACxB,QAAQ;QACR,SAAS;SACP,UAAU,kBACR,gBACA,QACA,iBACD;SACD,iBAAiB;SAClB;QACF,CAAC;eACK,OAAO;AACd,gBAAS,MAAM;AACf,cAAO,SAAS,SAAS,eAAe;;OAG7C;AAED,UAAK,MAAM;MACT,YAAY;MACZ,QAAQ;MACR,SAAS;MACV,CAAC;AAEF,UAAK,MAAM;MACT,YAAY;MACZ,QAAQ;MACR,SAAS;MACV,CAAC;;;GA4BJ,SACE,SAIA,YAIG;IACH,MAAM,aAAa,SAAS,QAAQ,EAAE;IACtC,MAAM,cAAsC;KAC1C,+BAA+B,WAAW,UAAU;KACpD,gCACE,WAAW,WAAW;KACxB,gCACE,WAAW,WAAW;KACzB;IAED,MAAM,aACJ,QACA,MACA,YAEA,IAAI,SAAS,KAAK,UAAU;KAAE,OAAO;KAAS;KAAM,CAAC,EAAE;KACrD;KACA,SAAS;MAAE,GAAG;MAAa,gBAAgB;MAAoB;KAChE,CAAC;AAEJ,WAAO,kBAAkB,OAAO,YAAY,YAAY;KACtD,MAAM,MAAM;AAEZ,SAAI;MAEF,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,UAAI,CAAC,YAAY,WAAW,UAAU,CACpC,QAAO,UACL,KACA,wBACA,qDACD;MAEH,MAAM,SAAS,WAAW,MAAM,EAAE;MAGlC,IAAI;AACJ,UAAI;AACF,mBAAY,MAAM,KAAK,IAAI,OAAO,KAAK,OAAO;eACvC,OAAgB;AACvB,WAAI,YAAY,MAAM,EAAE;QACtB,MAAM,EAAE,MAAM,YAAY,MAAM;AAChC,eAAO,UAAU,KAAK,MAAM,QAAQ;;AAEtC,aAAM;;AAIR,UAAI,SAAS,OACX;WAAI,CAAC,UAAU,OAAO,IAAI,QAAQ,MAAM,UAAU,QAAQ,MAAM,OAAO,CACrE,QAAO,UACL,KACA,sBACA,uDACD;;MAcL,MAAM,SAAS,MAAM,QATD,OAAO,OAAO,KAAK,EACrC,KAAK;OACH,QAAQ,UAAU;OAClB,OAAO,UAAU;OACjB,QAAQ,UAAU;OACnB,EACF,CAAC,EAGwC,QAAQ;AAGlD,UAAI,kBAAkB,UAAU;OAE9B,MAAM,UAAU,IAAI,QAAQ,OAAO,QAAQ;AAC3C,YAAK,MAAM,CAAC,GAAG,QAAQ,OAAO,QAAQ,YAAY,CAChD,KAAI,CAAC,QAAQ,IAAI,EAAE,CAAE,SAAQ,IAAI,GAAG,IAAI;AAE1C,cAAO,IAAI,SAAS,OAAO,MAAM;QAC/B,QAAQ,OAAO;QACf,YAAY,OAAO;QACnB;QACD,CAAC;;AAGJ,aAAO,IAAI,SAAS,KAAK,UAAU,OAAO,EAAE;OAC1C,QAAQ;OACR,SAAS;QAAE,GAAG;QAAa,gBAAgB;QAAoB;OAChE,CAAC;cACK,OAAgB;AACvB,eAAS,MAAM;AACf,aAAO,UAAU,KAAK,kBAAkB,gCAAgC;;MAE1E;;GA6BJ,QACE,MACA,gBAUG;IACH,MAAM,aAAa,YAAY,QAAQ,EAAE;IACzC,MAAM,cAAsC;KAC1C,+BAA+B,WAAW,
UAAU;KACpD,gCACE,WAAW,WAAW;KACxB,gCACE,WAAW,WAAW;KACzB;AAGD,SAAK,MAAM;KACT,MAAM,YAAY;KAClB,QAAQ;KACR,SAAS,kBAAkB,YAAY;AACrC,aAAO,IAAI,SAAS,MAAM;OAAE,QAAQ;OAAK,SAAS;OAAa,CAAC;OAChE;KACH,CAAC;AAGF,SAAK,MAAM;KACT,MAAM,YAAY;KAClB,QAAQ,YAAY;KACpB,SAAS,KAAK,KAAK,OAAO,YAAY,SAAS;MAC7C,OAAO,YAAY;MACnB,MAAM,YAAY;MACnB,CAAC;KACH,CAAC;;GAEL;EACF;CACD,MAAM,aACJ,SACI;EACJ,GAAG;EACH,MAAM;GACJ,GAAG,IAAI;GACP;GACA,SAAS,KAAK;GACd,SAAS,KAAK;GACd,UAAU,KAAK;GAChB;EACF;AAED,QAAO;EAIL;EAMA,QAAQ,cAAc;GACpB,MAAM;IACJ,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;IAChC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;IAC3B,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;IAChC,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;IACpC,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;IACjC;GACD,SAAS,OACP,KACA,SAiBI;AACJ,QAAI,KAAK,aAAa,OACpB,cAAa,QAAQ,6BAA6B,KAAK,WAAW;IAEpE,MAAM,WACJ,KAAK,aAAa,SACd,mBAAmB,KAAK,SAAS,GACjC;IACN,MAAM,SAAS,MAAM,WAAW,UAAU,IAAI,EAAE,UAAU,MAAM;KAC9D,gBAAgB;KAChB,qBAAqB;KACtB,CAAC;AACF,YAAQ,OAAO,MAAf;KACE,KAAK,WACH,QAAO;MAAE,UAAU,OAAO;MAAU,UAAU,OAAO;MAAU;KACjE,KAAK;KACL,KAAK,gBACH,QAAO,EAAE,QAAQ,OAAO,UAAU,UAAU,MAAM;KACpD,KAAK,UACH,QAAO,EAAE,SAAS,MAAM;KAC1B,KAAK,iBACH,QAAO;MAAE,SAAS,OAAO;MAAS,UAAU,OAAO;MAAU;KAC/D,KAAK,eACH,QAAO;MAAE,cAAc;MAAM,UAAU,OAAO;MAAU;KAC1D,KAAK,YACH,QAAO;MAAE,WAAW;OAAE,KAAK,OAAO;OAAK,QAAQ,OAAO;OAAQ,QAAQ,OAAO;OAAQ;MAAE,UAAU,OAAO;MAAU;KACpH,KAAK,aACH,QAAO,EACL,YAAY;MACV,YAAY,OAAO;MACnB,UAAU,OAAO;MACjB,iBAAiB,OAAO;MACxB,yBAAyB,OAAO;MAChC,WAAW,OAAO;MAClB,UAAU,OAAO;MAClB,EACF;KACH,QAEE,gBAAe,kBAAkB,kCAAkC,OAAO,OAAO,GAAG;;;GAI3F,CAAC;EAIF,SAAS,cAAc;GACrB,MAAM,EAAE;GACR,SAAS,OAAO,QAAQ;AACtB,UAAM,YAAY,IAAI;;GAEzB,CAAC;EAMF,OAAO,wBAAwB;GAC7B,MAAM;GACN,SAAS,OAAO,KAAkB,SAAS;AACzC,WAAO,UAAU,KAAK,MAAM,oBAAoB,OAAO;;GAE1D,CAAC;EAEH;;AAGH,SAAS,wBACP,iBACA,QACA;AACA,QAAO,OAAO,KAA4B,YAAqB;AAC7D,MAAI;AACF,UAAO,MAAM,OAAO,KAAK,QAAQ;WAC1B,OAAO;AACd,OAAI,YAAY,MAAM,CACpB,QAAO,IAAI,SACT,KAAK,UAAU;IAAE,MAAM,MAAM,KAAK;IAAM,SAAS,MAAM,KAAK;IAAS,CAAC,EACtE;IACE,QAAQ;IACR,SAAS,EAAE,gBAAgB,oBAAoB;IAChD,CACF;YACQ,iBAAiB,YAC1B,QAAO,IAAI,SAAS,MAAM;IACxB,QAAQ;IACR,YAAY,OAAO,
MAAM,SAAS,WAAW,MAAM,OAAO;IAC3D,CAAC;QACG;AACL,aAAS,MAAM;AACf,WAAO,IAAI,SAAS,MAAM;KACxB,QAAQ;KACR,YAAY;KACb,CAAC;;;;;AAKV,SAAS,WAAW,SAAsD;AACxE,QAAOC,MAAa,QAAQ,QAAQ,IAAI,SAAS,IAAI,GAAG"}
@@ -1 +0,0 @@
1
- {"version":3,"file":"keys.js","names":[],"sources":["../../../../src/server/implementation/keys.ts"],"sourcesContent":["/**\n * API Key crypto utilities.\n *\n * Uses `@oslojs/crypto` primitives for key generation and hashing:\n * - SHA-256 for hashing keys (API keys have high entropy, no need for bcrypt)\n * - Cryptographically secure random generation for key material\n *\n * @module\n */\n\nimport { sha256, generateRandomString } from \"./utils\";\nimport type { KeyScope, ScopeChecker } from \"../types\";\nimport { throwAuthError } from \"../errors\";\n\n// ============================================================================\n// Constants\n// ============================================================================\n\nconst DEFAULT_KEY_PREFIX = \"sk_live_\";\nconst KEY_RANDOM_LENGTH = 32;\nconst KEY_RANDOM_ALPHABET =\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\";\n\n/**\n * How many characters of the full key to store as the visible prefix.\n * Includes the prefix string (e.g. \"sk_live_\") plus a few random chars.\n */\nconst VISIBLE_PREFIX_EXTRA_CHARS = 4;\n\n// ============================================================================\n// Key generation\n// ============================================================================\n\n/**\n * Generate a new API key.\n *\n * Returns the raw key (to be shown once to the user) and metadata for storage.\n * The raw key is `{prefix}{32 random alphanumeric chars}`.\n *\n * @param prefix - Key prefix, defaults to \"sk_live_\"\n * @returns `{ raw, hashedKey, displayPrefix }`\n */\nexport async function generateApiKey(prefix: string = DEFAULT_KEY_PREFIX): Promise<{\n /** The full raw key — show to user once, never store. */\n raw: string;\n /** SHA-256 hex hash of the raw key — store this. */\n hashedKey: string;\n /** Truncated prefix for display (e.g. \"sk_live_aBc1...\"). 
*/\n displayPrefix: string;\n}> {\n const randomPart = generateRandomString(KEY_RANDOM_LENGTH, KEY_RANDOM_ALPHABET);\n const raw = `${prefix}${randomPart}`;\n const hashedKey = await sha256(raw);\n const displayPrefix = `${raw.substring(0, prefix.length + VISIBLE_PREFIX_EXTRA_CHARS)}...`;\n\n return { raw, hashedKey, displayPrefix };\n}\n\n/**\n * Hash a raw API key for lookup.\n *\n * Used during Bearer token verification to find the stored key record.\n */\nexport async function hashApiKey(rawKey: string): Promise<string> {\n return sha256(rawKey);\n}\n\n// ============================================================================\n// Scope checker\n// ============================================================================\n\n/**\n * Build a `ScopeChecker` from an array of `KeyScope` entries.\n *\n * The checker provides a `.can(resource, action)` method that returns `true`\n * if any scope entry grants the requested permission.\n *\n * A wildcard action `\"*\"` grants all actions on that resource.\n * A wildcard resource `\"*\"` grants the action on all resources.\n */\nexport function buildScopeChecker(scopes: KeyScope[]): ScopeChecker {\n return {\n scopes,\n can(resource: string, action: string): boolean {\n return scopes.some(\n (scope) =>\n (scope.resource === resource || scope.resource === \"*\") &&\n (scope.actions.includes(action) || scope.actions.includes(\"*\")),\n );\n },\n };\n}\n\n/**\n * Validate that requested scopes are a subset of the allowed scopes\n * defined in the API key config.\n *\n * @param requested - Scopes the user wants on the new key.\n * @param allowed - The scope definition from `apiKeys.scopes` config.\n * @throws Error if any requested scope is not in the allowed set.\n */\nexport function validateScopes(\n requested: KeyScope[],\n allowed: Record<string, string[]> | undefined,\n): void {\n if (!allowed) {\n // No scope restrictions configured — allow anything.\n return;\n }\n\n for (const scope of requested) {\n const 
allowedActions = allowed[scope.resource];\n if (!allowedActions) {\n throwAuthError(\n \"API_KEY_INVALID_SCOPE\",\n `Unknown resource \"${scope.resource}\" in API key scopes. Allowed resources: ${Object.keys(allowed).join(\", \")}`,\n );\n }\n for (const action of scope.actions) {\n if (action !== \"*\" && !allowedActions.includes(action)) {\n throwAuthError(\n \"API_KEY_INVALID_SCOPE\",\n `Unknown action \"${action}\" for resource \"${scope.resource}\". Allowed actions: ${allowedActions.join(\", \")}`,\n );\n }\n }\n }\n}\n\n// ============================================================================\n// Per-key rate limiting (token-bucket)\n// ============================================================================\n\n/**\n * Check whether a key is rate-limited based on its stored state.\n *\n * Uses the same token-bucket algorithm as sign-in rate limiting:\n * tokens refill linearly over the configured window.\n *\n * @returns `{ limited: boolean; newState: { attemptsLeft, lastAttemptTime } }`\n */\nexport function checkKeyRateLimit(\n rateLimit: { maxRequests: number; windowMs: number },\n state: { attemptsLeft: number; lastAttemptTime: number } | undefined,\n): {\n limited: boolean;\n newState: { attemptsLeft: number; lastAttemptTime: number };\n} {\n const now = Date.now();\n\n if (!state) {\n // First request — create initial state with one token consumed.\n return {\n limited: false,\n newState: {\n attemptsLeft: rateLimit.maxRequests - 1,\n lastAttemptTime: now,\n },\n };\n }\n\n const elapsed = now - state.lastAttemptTime;\n const refillRate = rateLimit.maxRequests / rateLimit.windowMs;\n const refilled = Math.min(\n rateLimit.maxRequests,\n state.attemptsLeft + elapsed * refillRate,\n );\n\n if (refilled < 1) {\n return {\n limited: true,\n newState: {\n attemptsLeft: refilled,\n lastAttemptTime: now,\n },\n };\n }\n\n return {\n limited: false,\n newState: {\n attemptsLeft: refilled - 1,\n lastAttemptTime: now,\n },\n 
};\n}\n"],"mappings":";;;;;;;;;;;;;AAkBA,MAAM,qBAAqB;AAC3B,MAAM,oBAAoB;AAC1B,MAAM,sBACJ;;;;;AAMF,MAAM,6BAA6B;;;;;;;;;;AAenC,eAAsB,eAAe,SAAiB,oBAOnD;CAED,MAAM,MAAM,GAAG,SADI,qBAAqB,mBAAmB,oBAAoB;AAK/E,QAAO;EAAE;EAAK,WAHI,MAAM,OAAO,IAAI;EAGV,eAFH,GAAG,IAAI,UAAU,GAAG,OAAO,SAAS,2BAA2B,CAAC;EAE9C;;;;;;;AAQ1C,eAAsB,WAAW,QAAiC;AAChE,QAAO,OAAO,OAAO;;;;;;;;;;;AAgBvB,SAAgB,kBAAkB,QAAkC;AAClE,QAAO;EACL;EACA,IAAI,UAAkB,QAAyB;AAC7C,UAAO,OAAO,MACX,WACE,MAAM,aAAa,YAAY,MAAM,aAAa,SAClD,MAAM,QAAQ,SAAS,OAAO,IAAI,MAAM,QAAQ,SAAS,IAAI,EACjE;;EAEJ;;;;;;;;;;AAWH,SAAgB,eACd,WACA,SACM;AACN,KAAI,CAAC,QAEH;AAGF,MAAK,MAAM,SAAS,WAAW;EAC7B,MAAM,iBAAiB,QAAQ,MAAM;AACrC,MAAI,CAAC,eACH,gBACE,yBACA,qBAAqB,MAAM,SAAS,0CAA0C,OAAO,KAAK,QAAQ,CAAC,KAAK,KAAK,GAC9G;AAEH,OAAK,MAAM,UAAU,MAAM,QACzB,KAAI,WAAW,OAAO,CAAC,eAAe,SAAS,OAAO,CACpD,gBACE,yBACA,mBAAmB,OAAO,kBAAkB,MAAM,SAAS,sBAAsB,eAAe,KAAK,KAAK,GAC3G;;;;;;;;;;;AAkBT,SAAgB,kBACd,WACA,OAIA;CACA,MAAM,MAAM,KAAK,KAAK;AAEtB,KAAI,CAAC,MAEH,QAAO;EACL,SAAS;EACT,UAAU;GACR,cAAc,UAAU,cAAc;GACtC,iBAAiB;GAClB;EACF;CAGH,MAAM,UAAU,MAAM,MAAM;CAC5B,MAAM,aAAa,UAAU,cAAc,UAAU;CACrD,MAAM,WAAW,KAAK,IACpB,UAAU,aACV,MAAM,eAAe,UAAU,WAChC;AAED,KAAI,WAAW,EACb,QAAO;EACL,SAAS;EACT,UAAU;GACR,cAAc;GACd,iBAAiB;GAClB;EACF;AAGH,QAAO;EACL,SAAS;EACT,UAAU;GACR,cAAc,WAAW;GACzB,iBAAiB;GAClB;EACF"}
@@ -1,39 +0,0 @@
1
- import { throwAuthError } from "../../errors.js";
2
- import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
3
- import { authDb } from "../db.js";
4
- import { AUTH_STORE_REF } from "./store.js";
5
- import { hash } from "../provider.js";
6
- import { v } from "convex/values";
7
-
8
- //#region src/server/implementation/mutations/account.ts
9
- const modifyAccountArgs = v.object({
10
- provider: v.string(),
11
- account: v.object({
12
- id: v.string(),
13
- secret: v.string()
14
- })
15
- });
16
- async function modifyAccountImpl(ctx, args, getProviderOrThrow, config) {
17
- const { provider, account } = args;
18
- const db = authDb(ctx, config);
19
- logWithLevel(LOG_LEVELS.DEBUG, "retrieveAccountWithCredentialsImpl args:", {
20
- provider,
21
- account: {
22
- id: account.id,
23
- secret: maybeRedact(account.secret ?? "")
24
- }
25
- });
26
- const existingAccount = await db.accounts.get(provider, account.id);
27
- if (existingAccount === null) throwAuthError("ACCOUNT_NOT_FOUND", `Cannot modify account with ID ${account.id} because it does not exist`);
28
- await db.accounts.patch(existingAccount._id, { secret: await hash(getProviderOrThrow(provider), account.secret) });
29
- }
30
- const callModifyAccount = async (ctx, args) => {
31
- return ctx.runMutation(AUTH_STORE_REF, { args: {
32
- type: "modifyAccount",
33
- ...args
34
- } });
35
- };
36
-
37
- //#endregion
38
- export { callModifyAccount, modifyAccountArgs, modifyAccountImpl };
39
- //# sourceMappingURL=account.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"account.js","names":[],"sources":["../../../../../src/server/implementation/mutations/account.ts"],"sourcesContent":["import { Infer, v } from \"convex/values\";\nimport { ActionCtx, MutationCtx } from \"../types\";\nimport { GetProviderOrThrowFunc, hash } from \"../provider\";\nimport { LOG_LEVELS, logWithLevel, maybeRedact } from \"../utils\";\nimport * as Provider from \"../provider\";\nimport { authDb } from \"../db\";\nimport { AUTH_STORE_REF } from \"./store\";\nimport { throwAuthError } from \"../../errors\";\n\nexport const modifyAccountArgs = v.object({\n provider: v.string(),\n account: v.object({ id: v.string(), secret: v.string() }),\n});\n\nexport async function modifyAccountImpl(\n ctx: MutationCtx,\n args: Infer<typeof modifyAccountArgs>,\n getProviderOrThrow: GetProviderOrThrowFunc,\n config: Provider.Config,\n): Promise<void> {\n const { provider, account } = args;\n const db = authDb(ctx, config);\n logWithLevel(LOG_LEVELS.DEBUG, \"retrieveAccountWithCredentialsImpl args:\", {\n provider: provider,\n account: {\n id: account.id,\n secret: maybeRedact(account.secret ?? 
\"\"),\n },\n });\n const existingAccount = await db.accounts.get(provider, account.id);\n if (existingAccount === null) {\n throwAuthError(\"ACCOUNT_NOT_FOUND\", `Cannot modify account with ID ${account.id} because it does not exist`);\n }\n await db.accounts.patch(existingAccount._id, {\n secret: await hash(getProviderOrThrow(provider), account.secret),\n });\n return;\n}\n\nexport const callModifyAccount = async (\n ctx: ActionCtx,\n args: Infer<typeof modifyAccountArgs>,\n): Promise<void> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"modifyAccount\",\n ...args,\n },\n });\n};\n"],"mappings":";;;;;;;;AASA,MAAa,oBAAoB,EAAE,OAAO;CACxC,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,OAAO;EAAE,IAAI,EAAE,QAAQ;EAAE,QAAQ,EAAE,QAAQ;EAAE,CAAC;CAC1D,CAAC;AAEF,eAAsB,kBACpB,KACA,MACA,oBACA,QACe;CACf,MAAM,EAAE,UAAU,YAAY;CAC9B,MAAM,KAAK,OAAO,KAAK,OAAO;AAC9B,cAAa,WAAW,OAAO,4CAA4C;EAC/D;EACV,SAAS;GACP,IAAI,QAAQ;GACZ,QAAQ,YAAY,QAAQ,UAAU,GAAG;GAC1C;EACF,CAAC;CACF,MAAM,kBAAkB,MAAM,GAAG,SAAS,IAAI,UAAU,QAAQ,GAAG;AACnE,KAAI,oBAAoB,KACtB,gBAAe,qBAAqB,iCAAiC,QAAQ,GAAG,4BAA4B;AAE9G,OAAM,GAAG,SAAS,MAAM,gBAAgB,KAAK,EAC3C,QAAQ,MAAM,KAAK,mBAAmB,SAAS,EAAE,QAAQ,OAAO,EACjE,CAAC;;AAIJ,MAAa,oBAAoB,OAC/B,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
@@ -1 +0,0 @@
1
- {"version":3,"file":"code.js","names":[],"sources":["../../../../../src/server/implementation/mutations/code.ts"],"sourcesContent":["import { GenericId, Infer, v } from \"convex/values\";\nimport { ActionCtx, MutationCtx } from \"../types\";\nimport * as Provider from \"../provider\";\nimport { EmailConfig, PhoneConfig } from \"../../types\";\nimport { getAccountOrThrow, upsertUserAndAccount } from \"../users\";\nimport { getAuthSessionId } from \"../sessions\";\nimport { LOG_LEVELS, logWithLevel, sha256 } from \"../utils\";\nimport { authDb } from \"../db\";\nimport { AUTH_STORE_REF } from \"./store\";\n\nexport const createVerificationCodeArgs = v.object({\n accountId: v.optional(v.string()),\n provider: v.string(),\n email: v.optional(v.string()),\n phone: v.optional(v.string()),\n code: v.string(),\n expirationTime: v.number(),\n allowExtraProviders: v.boolean(),\n});\n\ntype ReturnType = string;\n\nexport async function createVerificationCodeImpl(\n ctx: MutationCtx,\n args: Infer<typeof createVerificationCodeArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Promise<ReturnType> {\n logWithLevel(LOG_LEVELS.DEBUG, \"createVerificationCodeImpl args:\", args);\n const {\n email,\n phone,\n code,\n expirationTime,\n provider: providerId,\n accountId: existingAccountId,\n allowExtraProviders,\n } = args;\n const db = authDb(ctx, config);\n const typedExistingAccountId = existingAccountId as\n | GenericId<\"account\">\n | undefined;\n const existingAccount =\n typedExistingAccountId !== undefined\n ? await getAccountOrThrow(ctx, typedExistingAccountId, config)\n : await db.accounts.get(providerId, email ?? phone!);\n\n const provider = getProviderOrThrow(providerId, allowExtraProviders) as\n | EmailConfig\n | PhoneConfig;\n const { accountId } = await upsertUserAndAccount(\n ctx,\n await getAuthSessionId(ctx),\n existingAccount !== null\n ? { existingAccount }\n : { providerAccountId: email ?? phone! 
},\n provider.type === \"email\"\n ? { type: \"email\", provider, profile: { email: email! } }\n : { type: \"phone\", provider, profile: { phone: phone! } },\n config,\n );\n await generateUniqueVerificationCode(\n ctx,\n accountId,\n providerId,\n code,\n expirationTime,\n { email, phone },\n config,\n );\n return email ?? phone!;\n}\n\nexport const callCreateVerificationCode = async (\n ctx: ActionCtx,\n args: Infer<typeof createVerificationCodeArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"createVerificationCode\",\n ...args,\n },\n });\n};\n\nasync function generateUniqueVerificationCode(\n ctx: MutationCtx,\n accountId: GenericId<\"account\">,\n provider: string,\n code: string,\n expirationTime: number,\n { email, phone }: { email?: string; phone?: string },\n config: Provider.Config,\n) {\n const db = authDb(ctx, config);\n const existingCode = await db.verificationCodes.getByAccountId(accountId);\n if (existingCode !== null) {\n await db.verificationCodes.delete(existingCode._id);\n }\n await db.verificationCodes.create({\n accountId,\n provider,\n code: await sha256(code),\n expirationTime,\n emailVerified: email,\n phoneVerified: phone,\n 
});\n}\n"],"mappings":";;;;;;;;AAUA,MAAa,6BAA6B,EAAE,OAAO;CACjD,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,UAAU,EAAE,QAAQ;CACpB,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,MAAM,EAAE,QAAQ;CAChB,gBAAgB,EAAE,QAAQ;CAC1B,qBAAqB,EAAE,SAAS;CACjC,CAAC;AAIF,eAAsB,2BACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,oCAAoC,KAAK;CACxE,MAAM,EACJ,OACA,OACA,MACA,gBACA,UAAU,YACV,WAAW,mBACX,wBACE;CACJ,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,yBAAyB;CAG/B,MAAM,kBACJ,2BAA2B,SACvB,MAAM,kBAAkB,KAAK,wBAAwB,OAAO,GAC5D,MAAM,GAAG,SAAS,IAAI,YAAY,SAAS,MAAO;CAExD,MAAM,WAAW,mBAAmB,YAAY,oBAAoB;CAGpE,MAAM,EAAE,cAAc,MAAM,qBAC1B,KACA,MAAM,iBAAiB,IAAI,EAC3B,oBAAoB,OAChB,EAAE,iBAAiB,GACnB,EAAE,mBAAmB,SAAS,OAAQ,EAC1C,SAAS,SAAS,UACd;EAAE,MAAM;EAAS;EAAU,SAAS,EAAS,OAAQ;EAAE,GACvD;EAAE,MAAM;EAAS;EAAU,SAAS,EAAS,OAAQ;EAAE,EAC3D,OACD;AACD,OAAM,+BACJ,KACA,WACA,YACA,MACA,gBACA;EAAE;EAAO;EAAO,EAChB,OACD;AACD,QAAO,SAAS;;AAGlB,MAAa,6BAA6B,OACxC,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,eAAe,+BACb,KACA,WACA,UACA,MACA,gBACA,EAAE,OAAO,SACT,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,eAAe,MAAM,GAAG,kBAAkB,eAAe,UAAU;AACzE,KAAI,iBAAiB,KACnB,OAAM,GAAG,kBAAkB,OAAO,aAAa,IAAI;AAErD,OAAM,GAAG,kBAAkB,OAAO;EAChC;EACA;EACA,MAAM,MAAM,OAAO,KAAK;EACxB;EACA,eAAe;EACf,eAAe;EAChB,CAAC"}
@@ -1,70 +0,0 @@
1
- import { LOG_LEVELS, logWithLevel } from "../utils.js";
2
- import { callSignIn, signInArgs, signInImpl } from "./signin.js";
3
- import { callSignOut, signOutImpl } from "./signout.js";
4
- import { callRefreshSession, refreshSessionArgs, refreshSessionImpl } from "./refresh.js";
5
- import { callVerifyCodeAndSignIn, verifyCodeAndSignInArgs, verifyCodeAndSignInImpl } from "./verify.js";
6
- import { callVerifierSignature, verifierSignatureArgs, verifierSignatureImpl } from "./signature.js";
7
- import { callUserOAuth, userOAuthArgs, userOAuthImpl } from "./oauth.js";
8
- import { callCreateVerificationCode, createVerificationCodeArgs, createVerificationCodeImpl } from "./code.js";
9
- import { callCreateAccountFromCredentials, createAccountFromCredentialsArgs, createAccountFromCredentialsImpl } from "./register.js";
10
- import { callRetreiveAccountWithCredentials, retrieveAccountWithCredentialsArgs, retrieveAccountWithCredentialsImpl } from "./retrieve.js";
11
- import { callModifyAccount, modifyAccountArgs, modifyAccountImpl } from "./account.js";
12
- import { callInvalidateSessions, invalidateSessionsArgs, invalidateSessionsImpl } from "./invalidate.js";
13
- import { callVerifier, verifierImpl } from "./verifier.js";
14
- import { v } from "convex/values";
15
-
16
- //#region src/server/implementation/mutations/index.ts
17
- const storeArgs = v.object({ args: v.union(v.object({
18
- type: v.literal("signIn"),
19
- ...signInArgs.fields
20
- }), v.object({ type: v.literal("signOut") }), v.object({
21
- type: v.literal("refreshSession"),
22
- ...refreshSessionArgs.fields
23
- }), v.object({
24
- type: v.literal("verifyCodeAndSignIn"),
25
- ...verifyCodeAndSignInArgs.fields
26
- }), v.object({ type: v.literal("verifier") }), v.object({
27
- type: v.literal("verifierSignature"),
28
- ...verifierSignatureArgs.fields
29
- }), v.object({
30
- type: v.literal("userOAuth"),
31
- ...userOAuthArgs.fields
32
- }), v.object({
33
- type: v.literal("createVerificationCode"),
34
- ...createVerificationCodeArgs.fields
35
- }), v.object({
36
- type: v.literal("createAccountFromCredentials"),
37
- ...createAccountFromCredentialsArgs.fields
38
- }), v.object({
39
- type: v.literal("retrieveAccountWithCredentials"),
40
- ...retrieveAccountWithCredentialsArgs.fields
41
- }), v.object({
42
- type: v.literal("modifyAccount"),
43
- ...modifyAccountArgs.fields
44
- }), v.object({
45
- type: v.literal("invalidateSessions"),
46
- ...invalidateSessionsArgs.fields
47
- })) });
48
- const storeImpl = async (ctx, fnArgs, getProviderOrThrow, config) => {
49
- const args = fnArgs.args;
50
- logWithLevel(LOG_LEVELS.INFO, `\`auth:store\` type: ${args.type}`);
51
- switch (args.type) {
52
- case "signIn": return signInImpl(ctx, args, config);
53
- case "signOut": return signOutImpl(ctx, config);
54
- case "refreshSession": return refreshSessionImpl(ctx, args, getProviderOrThrow, config);
55
- case "verifyCodeAndSignIn": return verifyCodeAndSignInImpl(ctx, args, getProviderOrThrow, config);
56
- case "verifier": return verifierImpl(ctx, config);
57
- case "verifierSignature": return verifierSignatureImpl(ctx, args, config);
58
- case "userOAuth": return userOAuthImpl(ctx, args, getProviderOrThrow, config);
59
- case "createVerificationCode": return createVerificationCodeImpl(ctx, args, getProviderOrThrow, config);
60
- case "createAccountFromCredentials": return createAccountFromCredentialsImpl(ctx, args, getProviderOrThrow, config);
61
- case "retrieveAccountWithCredentials": return retrieveAccountWithCredentialsImpl(ctx, args, getProviderOrThrow, config);
62
- case "modifyAccount": return modifyAccountImpl(ctx, args, getProviderOrThrow, config);
63
- case "invalidateSessions": return invalidateSessionsImpl(ctx, args, config);
64
- default:
65
- }
66
- };
67
-
68
- //#endregion
69
- export { storeArgs, storeImpl };
70
- //# sourceMappingURL=index.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"index.js","names":[],"sources":["../../../../../src/server/implementation/mutations/index.ts"],"sourcesContent":["import { Infer, v } from \"convex/values\";\nimport { MutationCtx } from \"../types\";\nimport { signInArgs, signInImpl } from \"./signin\";\nimport { signOutImpl } from \"./signout\";\nimport { refreshSessionArgs, refreshSessionImpl } from \"./refresh\";\nimport {\n verifyCodeAndSignInArgs,\n verifyCodeAndSignInImpl,\n} from \"./verify\";\nimport {\n verifierSignatureArgs,\n verifierSignatureImpl,\n} from \"./signature\";\nimport { userOAuthArgs, userOAuthImpl } from \"./oauth\";\nimport {\n createVerificationCodeArgs,\n createVerificationCodeImpl,\n} from \"./code\";\nimport {\n createAccountFromCredentialsArgs,\n createAccountFromCredentialsImpl,\n} from \"./register\";\nimport {\n retrieveAccountWithCredentialsArgs,\n retrieveAccountWithCredentialsImpl,\n} from \"./retrieve\";\nimport { modifyAccountArgs, modifyAccountImpl } from \"./account\";\nimport {\n invalidateSessionsArgs,\n invalidateSessionsImpl,\n} from \"./invalidate\";\nimport * as Provider from \"../provider\";\nimport { verifierImpl } from \"./verifier\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nexport { callInvalidateSessions } from \"./invalidate\";\nexport { callModifyAccount } from \"./account\";\nexport { callRetreiveAccountWithCredentials } from \"./retrieve\";\nexport { callCreateAccountFromCredentials } from \"./register\";\nexport { callCreateVerificationCode } from \"./code\";\nexport { callUserOAuth } from \"./oauth\";\nexport { callVerifierSignature } from \"./signature\";\nexport { callVerifyCodeAndSignIn } from \"./verify\";\nexport { callVerifier } from \"./verifier\";\nexport { callRefreshSession } from \"./refresh\";\nexport { callSignOut } from \"./signout\";\nexport { callSignIn } from \"./signin\";\n\nexport const storeArgs = v.object({\n args: v.union(\n v.object({\n type: v.literal(\"signIn\"),\n ...signInArgs.fields,\n }),\n 
v.object({\n type: v.literal(\"signOut\"),\n }),\n v.object({\n type: v.literal(\"refreshSession\"),\n ...refreshSessionArgs.fields,\n }),\n v.object({\n type: v.literal(\"verifyCodeAndSignIn\"),\n ...verifyCodeAndSignInArgs.fields,\n }),\n v.object({\n type: v.literal(\"verifier\"),\n }),\n v.object({\n type: v.literal(\"verifierSignature\"),\n ...verifierSignatureArgs.fields,\n }),\n v.object({\n type: v.literal(\"userOAuth\"),\n ...userOAuthArgs.fields,\n }),\n v.object({\n type: v.literal(\"createVerificationCode\"),\n ...createVerificationCodeArgs.fields,\n }),\n v.object({\n type: v.literal(\"createAccountFromCredentials\"),\n ...createAccountFromCredentialsArgs.fields,\n }),\n v.object({\n type: v.literal(\"retrieveAccountWithCredentials\"),\n ...retrieveAccountWithCredentialsArgs.fields,\n }),\n v.object({\n type: v.literal(\"modifyAccount\"),\n ...modifyAccountArgs.fields,\n }),\n v.object({\n type: v.literal(\"invalidateSessions\"),\n ...invalidateSessionsArgs.fields,\n }),\n ),\n});\n\nexport const storeImpl = async (\n ctx: MutationCtx,\n fnArgs: Infer<typeof storeArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n) => {\n const args = fnArgs.args;\n logWithLevel(LOG_LEVELS.INFO, `\\`auth:store\\` type: ${args.type}`);\n switch (args.type) {\n case \"signIn\": {\n return signInImpl(ctx, args, config);\n }\n case \"signOut\": {\n return signOutImpl(ctx, config);\n }\n case \"refreshSession\": {\n return refreshSessionImpl(ctx, args, getProviderOrThrow, config);\n }\n case \"verifyCodeAndSignIn\": {\n return verifyCodeAndSignInImpl(ctx, args, getProviderOrThrow, config);\n }\n case \"verifier\": {\n return verifierImpl(ctx, config);\n }\n case \"verifierSignature\": {\n return verifierSignatureImpl(ctx, args, config);\n }\n case \"userOAuth\": {\n return userOAuthImpl(ctx, args, getProviderOrThrow, config);\n }\n case \"createVerificationCode\": {\n return createVerificationCodeImpl(ctx, args, getProviderOrThrow, 
config);\n }\n case \"createAccountFromCredentials\": {\n return createAccountFromCredentialsImpl(\n ctx,\n args,\n getProviderOrThrow,\n config,\n );\n }\n case \"retrieveAccountWithCredentials\": {\n return retrieveAccountWithCredentialsImpl(\n ctx,\n args,\n getProviderOrThrow,\n config,\n );\n }\n case \"modifyAccount\": {\n return modifyAccountImpl(ctx, args, getProviderOrThrow, config);\n }\n case \"invalidateSessions\": {\n return invalidateSessionsImpl(ctx, args, config);\n }\n default:\n args satisfies never;\n }\n};\n"],"mappings":";;;;;;;;;;;;;;;;AA+CA,MAAa,YAAY,EAAE,OAAO,EAChC,MAAM,EAAE,MACN,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,SAAS;CACzB,GAAG,WAAW;CACf,CAAC,EACF,EAAE,OAAO,EACP,MAAM,EAAE,QAAQ,UAAU,EAC3B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,iBAAiB;CACjC,GAAG,mBAAmB;CACvB,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,sBAAsB;CACtC,GAAG,wBAAwB;CAC5B,CAAC,EACF,EAAE,OAAO,EACP,MAAM,EAAE,QAAQ,WAAW,EAC5B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,oBAAoB;CACpC,GAAG,sBAAsB;CAC1B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,YAAY;CAC5B,GAAG,cAAc;CAClB,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,yBAAyB;CACzC,GAAG,2BAA2B;CAC/B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,+BAA+B;CAC/C,GAAG,iCAAiC;CACrC,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,iCAAiC;CACjD,GAAG,mCAAmC;CACvC,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,gBAAgB;CAChC,GAAG,kBAAkB;CACtB,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,qBAAqB;CACrC,GAAG,uBAAuB;CAC3B,CAAC,CACH,EACF,CAAC;AAEF,MAAa,YAAY,OACvB,KACA,QACA,oBACA,WACG;CACH,MAAM,OAAO,OAAO;AACpB,cAAa,WAAW,MAAM,wBAAwB,KAAK,OAAO;AAClE,SAAQ,KAAK,MAAb;EACE,KAAK,SACH,QAAO,WAAW,KAAK,MAAM,OAAO;EAEtC,KAAK,UACH,QAAO,YAAY,KAAK,OAAO;EAEjC,KAAK,iBACH,QAAO,mBAAmB,KAAK,MAAM,oBAAoB,OAAO;EAElE,KAAK,sBACH,QAAO,wBAAwB,KAAK,MAAM,oBAAoB,OAAO;EAEvE,KAAK,WACH,QAAO,aAAa,KAAK,OAAO;EAElC,KAAK,oBACH,QAAO,sBAAsB,KAAK,MAAM,OAAO;EAEjD,KAAK,YACH,QAAO,cAAc,KAAK,MAAM,oBAAoB,OAAO;EAE7D,KAAK,yBACH,QAAO,2BAA2B,KAAK,MAAM,oBAAoB,OAAO;EAE1E,KAAK,+BACH,QAAO,iCACL,KACA,MACA,oBACA,OACD;EAEH,KAAK,iCACH,QAAO,mCACL,KACA,MACA,oBACA,OACD;E
AEH,KAAK,gBACH,QAAO,kBAAkB,KAAK,MAAM,oBAAoB,OAAO;EAEjE,KAAK,qBACH,QAAO,uBAAuB,KAAK,MAAM,OAAO;EAElD"}
@@ -1,29 +0,0 @@
1
- import { LOG_LEVELS, logWithLevel } from "../utils.js";
2
- import { authDb } from "../db.js";
3
- import { deleteSession } from "../sessions.js";
4
- import { AUTH_STORE_REF } from "./store.js";
5
- import { v } from "convex/values";
6
-
7
- //#region src/server/implementation/mutations/invalidate.ts
8
- const invalidateSessionsArgs = v.object({
9
- userId: v.string(),
10
- except: v.optional(v.array(v.string()))
11
- });
12
- const callInvalidateSessions = async (ctx, args) => {
13
- return ctx.runMutation(AUTH_STORE_REF, { args: {
14
- type: "invalidateSessions",
15
- ...args
16
- } });
17
- };
18
- const invalidateSessionsImpl = async (ctx, args, config) => {
19
- logWithLevel(LOG_LEVELS.DEBUG, "invalidateSessionsImpl args:", args);
20
- const { userId, except } = args;
21
- const exceptSet = new Set(except ?? []);
22
- const typedUserId = userId;
23
- const sessions = await authDb(ctx, config).sessions.listByUser(typedUserId);
24
- for (const session of sessions) if (!exceptSet.has(session._id)) await deleteSession(ctx, session, config);
25
- };
26
-
27
- //#endregion
28
- export { callInvalidateSessions, invalidateSessionsArgs, invalidateSessionsImpl };
29
- //# sourceMappingURL=invalidate.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"invalidate.js","names":[],"sources":["../../../../../src/server/implementation/mutations/invalidate.ts"],"sourcesContent":["import { GenericId, Infer, v } from \"convex/values\";\nimport { deleteSession } from \"../sessions\";\nimport { ActionCtx, MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nimport * as Provider from \"../provider\";\nimport { authDb } from \"../db\";\nimport { AUTH_STORE_REF } from \"./store\";\n\nexport const invalidateSessionsArgs = v.object({\n userId: v.string(),\n except: v.optional(v.array(v.string())),\n});\n\nexport const callInvalidateSessions = async (\n ctx: ActionCtx,\n args: Infer<typeof invalidateSessionsArgs>,\n): Promise<void> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"invalidateSessions\",\n ...args,\n },\n });\n};\n\nexport const invalidateSessionsImpl = async (\n ctx: MutationCtx,\n args: Infer<typeof invalidateSessionsArgs>,\n config: Provider.Config,\n): Promise<void> => {\n logWithLevel(LOG_LEVELS.DEBUG, \"invalidateSessionsImpl args:\", args);\n const { userId, except } = args;\n const exceptSet = new Set(except ?? []);\n const typedUserId = userId as GenericId<\"user\">;\n const sessions = await authDb(ctx, config).sessions.listByUser(typedUserId);\n for (const session of sessions) {\n if (!exceptSet.has(session._id)) {\n await deleteSession(ctx, session, config);\n }\n }\n return;\n};\n"],"mappings":";;;;;;;AAQA,MAAa,yBAAyB,EAAE,OAAO;CAC7C,QAAQ,EAAE,QAAQ;CAClB,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CACxC,CAAC;AAEF,MAAa,yBAAyB,OACpC,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,MAAa,yBAAyB,OACpC,KACA,MACA,WACkB;AAClB,cAAa,WAAW,OAAO,gCAAgC,KAAK;CACpE,MAAM,EAAE,QAAQ,WAAW;CAC3B,MAAM,YAAY,IAAI,IAAI,UAAU,EAAE,CAAC;CACvC,MAAM,cAAc;CACpB,MAAM,WAAW,MAAM,OAAO,KAAK,OAAO,CAAC,SAAS,WAAW,YAAY;AAC3E,MAAK,MAAM,WAAW,SACpB,KAAI,CAAC,UAAU,IAAI,QAAQ,IAAI,CAC7B,OAAM,cAAc,KAAK,SAAS,OAAO"}
@@ -1,51 +0,0 @@
1
- import { throwAuthError } from "../../errors.js";
2
- import { generateRandomString, logWithLevel, sha256 } from "../utils.js";
3
- import { authDb } from "../db.js";
4
- import { AUTH_STORE_REF } from "./store.js";
5
- import { upsertUserAndAccount } from "../users.js";
6
- import { v } from "convex/values";
7
-
8
- //#region src/server/implementation/mutations/oauth.ts
9
- const OAUTH_SIGN_IN_EXPIRATION_MS = 1e3 * 60 * 2;
10
- const userOAuthArgs = v.object({
11
- provider: v.string(),
12
- providerAccountId: v.string(),
13
- profile: v.any(),
14
- signature: v.string()
15
- });
16
- async function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
17
- logWithLevel("DEBUG", "userOAuthImpl args:", args);
18
- const { profile, provider, providerAccountId, signature } = args;
19
- const db = authDb(ctx, config);
20
- const providerConfig = getProviderOrThrow(provider);
21
- const existingAccount = await db.accounts.get(provider, providerAccountId);
22
- const verifier = await db.verifiers.getBySignature(signature);
23
- if (verifier === null) throwAuthError("OAUTH_INVALID_STATE");
24
- const { accountId } = await upsertUserAndAccount(ctx, verifier.sessionId ?? null, existingAccount !== null ? { existingAccount } : { providerAccountId }, {
25
- type: "oauth",
26
- provider: providerConfig,
27
- profile
28
- }, config);
29
- const code = generateRandomString(8, "0123456789");
30
- await db.verifiers.delete(verifier._id);
31
- const existingVerificationCode = await db.verificationCodes.getByAccountId(accountId);
32
- if (existingVerificationCode !== null) await db.verificationCodes.delete(existingVerificationCode._id);
33
- await db.verificationCodes.create({
34
- code: await sha256(code),
35
- accountId,
36
- provider,
37
- expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,
38
- verifier: verifier._id
39
- });
40
- return code;
41
- }
42
- const callUserOAuth = async (ctx, args) => {
43
- return ctx.runMutation(AUTH_STORE_REF, { args: {
44
- type: "userOAuth",
45
- ...args
46
- } });
47
- };
48
-
49
- //#endregion
50
- export { callUserOAuth, userOAuthArgs, userOAuthImpl };
51
- //# sourceMappingURL=oauth.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"oauth.js","names":[],"sources":["../../../../../src/server/implementation/mutations/oauth.ts"],"sourcesContent":["import { Infer, v } from \"convex/values\";\nimport { ActionCtx, MutationCtx } from \"../types\";\nimport * as Provider from \"../provider\";\nimport type { AuthProviderMaterializedConfig } from \"../../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { generateRandomString, logWithLevel, sha256 } from \"../utils\";\nimport { authDb } from \"../db\";\nimport { AUTH_STORE_REF } from \"./store\";\nimport { throwAuthError } from \"../../errors\";\n\nconst OAUTH_SIGN_IN_EXPIRATION_MS = 1000 * 60 * 2; // 2 minutes\n\nexport const userOAuthArgs = v.object({\n provider: v.string(),\n providerAccountId: v.string(),\n profile: v.any(),\n signature: v.string(),\n});\n\ntype ReturnType = string;\n\nexport async function userOAuthImpl(\n ctx: MutationCtx,\n args: Infer<typeof userOAuthArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Promise<ReturnType> {\n logWithLevel(\"DEBUG\", \"userOAuthImpl args:\", args);\n const { profile, provider, providerAccountId, signature } = args;\n const db = authDb(ctx, config);\n const providerConfig = getProviderOrThrow(provider) as AuthProviderMaterializedConfig;\n const existingAccount = await db.accounts.get(provider, providerAccountId);\n\n const verifier = await db.verifiers.getBySignature(signature);\n if (verifier === null) {\n throwAuthError(\"OAUTH_INVALID_STATE\");\n }\n\n const { accountId } = await upsertUserAndAccount(\n ctx,\n verifier.sessionId ?? null,\n existingAccount !== null ? 
{ existingAccount } : { providerAccountId },\n { type: \"oauth\", provider: providerConfig, profile },\n config,\n );\n\n const code = generateRandomString(8, \"0123456789\");\n await db.verifiers.delete(verifier._id);\n const existingVerificationCode = await db.verificationCodes.getByAccountId(accountId);\n if (existingVerificationCode !== null) {\n await db.verificationCodes.delete(existingVerificationCode._id);\n }\n await db.verificationCodes.create({\n code: await sha256(code),\n accountId,\n provider,\n expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,\n verifier: verifier._id,\n });\n return code;\n}\n\nexport const callUserOAuth = async (\n ctx: ActionCtx,\n args: Infer<typeof userOAuthArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"userOAuth\",\n ...args,\n },\n });\n};\n"],"mappings":";;;;;;;;AAUA,MAAM,8BAA8B,MAAO,KAAK;AAEhD,MAAa,gBAAgB,EAAE,OAAO;CACpC,UAAU,EAAE,QAAQ;CACpB,mBAAmB,EAAE,QAAQ;CAC7B,SAAS,EAAE,KAAK;CAChB,WAAW,EAAE,QAAQ;CACtB,CAAC;AAIF,eAAsB,cACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,SAAS,uBAAuB,KAAK;CAClD,MAAM,EAAE,SAAS,UAAU,mBAAmB,cAAc;CAC5D,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,iBAAiB,mBAAmB,SAAS;CACnD,MAAM,kBAAkB,MAAM,GAAG,SAAS,IAAI,UAAU,kBAAkB;CAE1E,MAAM,WAAW,MAAM,GAAG,UAAU,eAAe,UAAU;AAC7D,KAAI,aAAa,KACf,gBAAe,sBAAsB;CAGvC,MAAM,EAAE,cAAc,MAAM,qBAC1B,KACA,SAAS,aAAa,MACtB,oBAAoB,OAAO,EAAE,iBAAiB,GAAG,EAAE,mBAAmB,EACtE;EAAE,MAAM;EAAS,UAAU;EAAgB;EAAS,EACpD,OACD;CAED,MAAM,OAAO,qBAAqB,GAAG,aAAa;AAClD,OAAM,GAAG,UAAU,OAAO,SAAS,IAAI;CACvC,MAAM,2BAA2B,MAAM,GAAG,kBAAkB,eAAe,UAAU;AACrF,KAAI,6BAA6B,KAC/B,OAAM,GAAG,kBAAkB,OAAO,yBAAyB,IAAI;AAEjE,OAAM,GAAG,kBAAkB,OAAO;EAC9B,MAAM,MAAM,OAAO,KAAK;EACxB;EACA;EACA,gBAAgB,KAAK,KAAK,GAAG;EAC7B,UAAU,SAAS;EACpB,CAAC;AACJ,QAAO;;AAGT,MAAa,gBAAgB,OAC3B,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
@@ -1,85 +0,0 @@
1
- import { logWithLevel, maybeRedact } from "../utils.js";
2
- import { authDb } from "../db.js";
3
- import { REFRESH_TOKEN_REUSE_WINDOW_MS, deleteAllRefreshTokens, invalidateRefreshTokensInSubtree, loadActiveRefreshToken, parseRefreshToken, refreshTokenIfValid } from "../refresh.js";
4
- import { generateTokensForSession } from "../sessions.js";
5
- import { AUTH_STORE_REF } from "./store.js";
6
- import { v } from "convex/values";
7
-
8
- //#region src/server/implementation/mutations/refresh.ts
9
- const refreshSessionArgs = v.object({ refreshToken: v.string() });
10
- async function refreshSessionImpl(ctx, args, getProviderOrThrow, config) {
11
- const db = authDb(ctx, config);
12
- const { refreshToken } = args;
13
- const { refreshTokenId, sessionId: tokenSessionId } = parseRefreshToken(refreshToken);
14
- logWithLevel("DEBUG", `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(tokenSessionId)}`);
15
- const validationResult = await refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config);
16
- if (validationResult === null) {
17
- let session$1 = null;
18
- try {
19
- session$1 = await db.sessions.getById(tokenSessionId);
20
- } catch {
21
- logWithLevel("DEBUG", "Skipping invalid session id during refresh cleanup");
22
- }
23
- if (session$1 !== null) await db.sessions.delete(session$1._id);
24
- try {
25
- await deleteAllRefreshTokens(ctx, tokenSessionId, config);
26
- } catch {
27
- logWithLevel("DEBUG", "Skipping invalid token session id during refresh token cleanup");
28
- }
29
- return null;
30
- }
31
- const { session } = validationResult;
32
- const sessionId = session._id;
33
- const userId = session.userId;
34
- const tokenFirstUsed = validationResult.refreshTokenDoc.firstUsedTime;
35
- if (tokenFirstUsed === void 0) {
36
- await db.refreshTokens.patch(refreshTokenId, { firstUsedTime: Date.now() });
37
- const result = await generateTokensForSession(ctx, config, {
38
- userId,
39
- sessionId,
40
- issuedRefreshTokenId: null,
41
- parentRefreshTokenId: refreshTokenId
42
- });
43
- const { refreshTokenId: newRefreshTokenId } = parseRefreshToken(result.refreshToken);
44
- logWithLevel("DEBUG", `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (first use) for new refresh token ${maybeRedact(newRefreshTokenId)}`);
45
- return result;
46
- }
47
- const activeRefreshToken = await loadActiveRefreshToken(ctx, tokenSessionId, config);
48
- logWithLevel("DEBUG", `Active refresh token: ${maybeRedact(activeRefreshToken?._id ?? "(none)")}, parent ${maybeRedact(activeRefreshToken?.parentRefreshTokenId ?? "(none)")}`);
49
- if (activeRefreshToken !== null && activeRefreshToken.parentRefreshTokenId === refreshTokenId) {
50
- logWithLevel("DEBUG", `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} is parent of active refresh token ${maybeRedact(activeRefreshToken._id)}, so returning that token`);
51
- return await generateTokensForSession(ctx, config, {
52
- userId,
53
- sessionId,
54
- issuedRefreshTokenId: activeRefreshToken._id,
55
- parentRefreshTokenId: refreshTokenId
56
- });
57
- }
58
- if (tokenFirstUsed + REFRESH_TOKEN_REUSE_WINDOW_MS > Date.now()) {
59
- const result = await generateTokensForSession(ctx, config, {
60
- userId,
61
- sessionId,
62
- issuedRefreshTokenId: null,
63
- parentRefreshTokenId: refreshTokenId
64
- });
65
- const { refreshTokenId: newRefreshTokenId } = parseRefreshToken(result.refreshToken);
66
- logWithLevel("DEBUG", `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (reuse) for new refresh token ${maybeRedact(newRefreshTokenId)}`);
67
- return result;
68
- } else {
69
- logWithLevel("ERROR", "Refresh token used outside of reuse window");
70
- logWithLevel("DEBUG", `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} being used outside of reuse window, so invalidating all refresh tokens in subtree`);
71
- const tokensToInvalidate = await invalidateRefreshTokensInSubtree(ctx, validationResult.refreshTokenDoc, config);
72
- logWithLevel("DEBUG", `Invalidated ${tokensToInvalidate.length} refresh tokens in subtree: ${tokensToInvalidate.map((token) => maybeRedact(token._id)).join(", ")}`);
73
- return null;
74
- }
75
- }
76
- const callRefreshSession = async (ctx, args) => {
77
- return ctx.runMutation(AUTH_STORE_REF, { args: {
78
- type: "refreshSession",
79
- ...args
80
- } });
81
- };
82
-
83
- //#endregion
84
- export { callRefreshSession, refreshSessionArgs, refreshSessionImpl };
85
- //# sourceMappingURL=refresh.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"refresh.js","names":["session"],"sources":["../../../../../src/server/implementation/mutations/refresh.ts"],"sourcesContent":["import { Infer, v } from \"convex/values\";\nimport { ActionCtx, Doc, MutationCtx } from \"../types\";\nimport * as Provider from \"../provider\";\nimport { logWithLevel, maybeRedact } from \"../utils\";\nimport {\n deleteAllRefreshTokens,\n invalidateRefreshTokensInSubtree,\n loadActiveRefreshToken,\n parseRefreshToken,\n REFRESH_TOKEN_REUSE_WINDOW_MS,\n refreshTokenIfValid,\n} from \"../refresh\";\nimport { generateTokensForSession } from \"../sessions\";\nimport { authDb } from \"../db\";\nimport { AUTH_STORE_REF } from \"./store\";\n\nexport const refreshSessionArgs = v.object({\n refreshToken: v.string(),\n});\n\ntype ReturnType = null | {\n token: string;\n refreshToken: string;\n};\n\nexport async function refreshSessionImpl(\n ctx: MutationCtx,\n args: Infer<typeof refreshSessionArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Promise<ReturnType> {\n const db = authDb(ctx, config);\n const { refreshToken } = args;\n const { refreshTokenId, sessionId: tokenSessionId } =\n parseRefreshToken(refreshToken);\n logWithLevel(\n \"DEBUG\",\n `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(\n tokenSessionId,\n )}`,\n );\n const validationResult = await refreshTokenIfValid(\n ctx,\n refreshTokenId,\n tokenSessionId,\n config,\n );\n\n if (validationResult === null) {\n // Replicating `deleteSession` but ensuring that we delete both the session\n // and the refresh token, even if one of them is missing.\n let session: Doc<\"session\"> | null = null;\n try {\n session = await db.sessions.getById(tokenSessionId);\n } catch {\n logWithLevel(\"DEBUG\", \"Skipping invalid session id during refresh cleanup\");\n }\n if (session !== null) {\n await db.sessions.delete(session._id);\n }\n try {\n await deleteAllRefreshTokens(ctx, 
tokenSessionId, config);\n } catch {\n logWithLevel(\n \"DEBUG\",\n \"Skipping invalid token session id during refresh token cleanup\",\n );\n }\n return null;\n }\n const { session } = validationResult;\n const sessionId = session._id;\n const userId = session.userId;\n\n const tokenFirstUsed = validationResult.refreshTokenDoc.firstUsedTime;\n\n // First use -- mark as used and generate new refresh token\n if (tokenFirstUsed === undefined) {\n await db.refreshTokens.patch(refreshTokenId, {\n firstUsedTime: Date.now(),\n });\n const result = await generateTokensForSession(ctx, config, {\n userId,\n sessionId,\n issuedRefreshTokenId: null,\n parentRefreshTokenId: refreshTokenId,\n });\n const { refreshTokenId: newRefreshTokenId } = parseRefreshToken(\n result.refreshToken,\n );\n logWithLevel(\n \"DEBUG\",\n `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (first use) for new refresh token ${maybeRedact(newRefreshTokenId)}`,\n );\n return result;\n }\n\n // Token has been used before\n // Check if parent of active refresh token\n const activeRefreshToken = await loadActiveRefreshToken(\n ctx,\n tokenSessionId,\n config,\n );\n logWithLevel(\n \"DEBUG\",\n `Active refresh token: ${maybeRedact(activeRefreshToken?._id ?? \"(none)\")}, parent ${maybeRedact(activeRefreshToken?.parentRefreshTokenId ?? 
\"(none)\")}`,\n );\n if (\n activeRefreshToken !== null &&\n activeRefreshToken.parentRefreshTokenId === refreshTokenId\n ) {\n logWithLevel(\n \"DEBUG\",\n `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} is parent of active refresh token ${maybeRedact(activeRefreshToken._id)}, so returning that token`,\n );\n\n const result = await generateTokensForSession(ctx, config, {\n userId,\n sessionId,\n issuedRefreshTokenId: activeRefreshToken._id,\n parentRefreshTokenId: refreshTokenId,\n });\n return result;\n }\n\n // Check if within reuse window\n if (tokenFirstUsed + REFRESH_TOKEN_REUSE_WINDOW_MS > Date.now()) {\n const result = await generateTokensForSession(ctx, config, {\n userId,\n sessionId,\n issuedRefreshTokenId: null,\n parentRefreshTokenId: refreshTokenId,\n });\n const { refreshTokenId: newRefreshTokenId } = parseRefreshToken(\n result.refreshToken,\n );\n logWithLevel(\n \"DEBUG\",\n `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (reuse) for new refresh token ${maybeRedact(newRefreshTokenId)}`,\n );\n return result;\n } else {\n // Outside of reuse window -- invalidate all refresh tokens in subtree\n logWithLevel(\"ERROR\", \"Refresh token used outside of reuse window\");\n logWithLevel(\n \"DEBUG\",\n `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} being used outside of reuse window, so invalidating all refresh tokens in subtree`,\n );\n const tokensToInvalidate = await invalidateRefreshTokensInSubtree(\n ctx,\n validationResult.refreshTokenDoc,\n config,\n );\n logWithLevel(\n \"DEBUG\",\n `Invalidated ${tokensToInvalidate.length} refresh tokens in subtree: ${tokensToInvalidate\n .map((token) => maybeRedact(token._id))\n .join(\", \")}`,\n );\n return null;\n }\n}\n\nexport const callRefreshSession = async (\n ctx: ActionCtx,\n args: Infer<typeof refreshSessionArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"refreshSession\",\n ...args,\n },\n 
});\n};\n"],"mappings":";;;;;;;;AAgBA,MAAa,qBAAqB,EAAE,OAAO,EACzC,cAAc,EAAE,QAAQ,EACzB,CAAC;AAOF,eAAsB,mBACpB,KACA,MACA,oBACA,QACqB;CACrB,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,EAAE,iBAAiB;CACzB,MAAM,EAAE,gBAAgB,WAAW,mBACjC,kBAAkB,aAAa;AACjC,cACE,SACA,sCAAsC,YAAY,eAAe,CAAC,eAAe,YAC/E,eACD,GACF;CACD,MAAM,mBAAmB,MAAM,oBAC7B,KACA,gBACA,gBACA,OACD;AAED,KAAI,qBAAqB,MAAM;EAG7B,IAAIA,YAAiC;AACrC,MAAI;AACF,eAAU,MAAM,GAAG,SAAS,QAAQ,eAAe;UAC7C;AACN,gBAAa,SAAS,qDAAqD;;AAE7E,MAAIA,cAAY,KACd,OAAM,GAAG,SAAS,OAAOA,UAAQ,IAAI;AAEvC,MAAI;AACF,SAAM,uBAAuB,KAAK,gBAAgB,OAAO;UACnD;AACN,gBACE,SACA,iEACD;;AAEH,SAAO;;CAET,MAAM,EAAE,YAAY;CACpB,MAAM,YAAY,QAAQ;CAC1B,MAAM,SAAS,QAAQ;CAEvB,MAAM,iBAAiB,iBAAiB,gBAAgB;AAGxD,KAAI,mBAAmB,QAAW;AAChC,QAAM,GAAG,cAAc,MAAM,gBAAgB,EAC3C,eAAe,KAAK,KAAK,EAC1B,CAAC;EACF,MAAM,SAAS,MAAM,yBAAyB,KAAK,QAAQ;GACzD;GACA;GACA,sBAAsB;GACtB,sBAAsB;GACvB,CAAC;EACF,MAAM,EAAE,gBAAgB,sBAAsB,kBAC5C,OAAO,aACR;AACD,eACE,SACA,aAAa,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,qCAAqC,YAAY,kBAAkB,GACnI;AACD,SAAO;;CAKT,MAAM,qBAAqB,MAAM,uBAC/B,KACA,gBACA,OACD;AACD,cACE,SACA,yBAAyB,YAAY,oBAAoB,OAAO,SAAS,CAAC,WAAW,YAAY,oBAAoB,wBAAwB,SAAS,GACvJ;AACD,KACE,uBAAuB,QACvB,mBAAmB,yBAAyB,gBAC5C;AACA,eACE,SACA,SAAS,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,qCAAqC,YAAY,mBAAmB,IAAI,CAAC,2BACrI;AAQD,SANe,MAAM,yBAAyB,KAAK,QAAQ;GACzD;GACA;GACA,sBAAsB,mBAAmB;GACzC,sBAAsB;GACvB,CAAC;;AAKJ,KAAI,iBAAiB,gCAAgC,KAAK,KAAK,EAAE;EAC/D,MAAM,SAAS,MAAM,yBAAyB,KAAK,QAAQ;GACzD;GACA;GACA,sBAAsB;GACtB,sBAAsB;GACvB,CAAC;EACF,MAAM,EAAE,gBAAgB,sBAAsB,kBAC5C,OAAO,aACR;AACD,eACE,SACA,aAAa,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,iCAAiC,YAAY,kBAAkB,GAC/H;AACD,SAAO;QACF;AAEL,eAAa,SAAS,6CAA6C;AACnE,eACE,SACA,SAAS,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,oFAC5D;EACD,MAAM,qBAAqB,MAAM,iCAC/B,KACA,iBAAiB,iBACjB,OACD;AACD,eACE,SACA,eAAe,mBAAmB,OAAO,8BAA8B,mBACpE,KAAK,UAAU,YAAY,MAAM,IAAI,CAAC,CACtC,KAAK,KAAK,GACd;AACD,SAAO;;;AAIX,MAAa,qBAAqB,OAChC,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
@@ -1,65 +0,0 @@
1
- import { throwAuthError } from "../../errors.js";
2
- import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
3
- import { authDb } from "../db.js";
4
- import { getAuthSessionId } from "../sessions.js";
5
- import { AUTH_STORE_REF } from "./store.js";
6
- import { upsertUserAndAccount } from "../users.js";
7
- import { hash, verify } from "../provider.js";
8
- import { v } from "convex/values";
9
-
10
- //#region src/server/implementation/mutations/register.ts
11
- const createAccountFromCredentialsArgs = v.object({
12
- provider: v.string(),
13
- account: v.object({
14
- id: v.string(),
15
- secret: v.optional(v.string())
16
- }),
17
- profile: v.any(),
18
- shouldLinkViaEmail: v.optional(v.boolean()),
19
- shouldLinkViaPhone: v.optional(v.boolean())
20
- });
21
- async function createAccountFromCredentialsImpl(ctx, args, getProviderOrThrow, config) {
22
- logWithLevel(LOG_LEVELS.DEBUG, "createAccountFromCredentialsImpl args:", {
23
- provider: args.provider,
24
- account: {
25
- id: args.account.id,
26
- secret: maybeRedact(args.account.secret ?? "")
27
- }
28
- });
29
- const { provider: providerId, account, profile, shouldLinkViaEmail, shouldLinkViaPhone } = args;
30
- const db = authDb(ctx, config);
31
- const provider = getProviderOrThrow(providerId);
32
- const existingAccount = await db.accounts.get(provider.id, account.id);
33
- if (existingAccount !== null) {
34
- if (account.secret !== void 0 && !await verify(provider, account.secret, existingAccount.secret ?? "")) throwAuthError("ACCOUNT_ALREADY_EXISTS", `Account ${account.id} already exists`);
35
- return {
36
- account: existingAccount,
37
- user: await db.users.getById(existingAccount.userId)
38
- };
39
- }
40
- const secret = account.secret !== void 0 ? await hash(provider, account.secret) : void 0;
41
- const { userId, accountId } = await upsertUserAndAccount(ctx, await getAuthSessionId(ctx), {
42
- providerAccountId: account.id,
43
- secret
44
- }, {
45
- type: "credentials",
46
- provider,
47
- profile,
48
- shouldLinkViaEmail,
49
- shouldLinkViaPhone
50
- }, config);
51
- return {
52
- account: await db.accounts.getById(accountId),
53
- user: await db.users.getById(userId)
54
- };
55
- }
56
- const callCreateAccountFromCredentials = async (ctx, args) => {
57
- return ctx.runMutation(AUTH_STORE_REF, { args: {
58
- type: "createAccountFromCredentials",
59
- ...args
60
- } });
61
- };
62
-
63
- //#endregion
64
- export { callCreateAccountFromCredentials, createAccountFromCredentialsArgs, createAccountFromCredentialsImpl };
65
- //# sourceMappingURL=register.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"register.js","names":["Provider.verify","Provider.hash"],"sources":["../../../../../src/server/implementation/mutations/register.ts"],"sourcesContent":["import { Infer, v } from \"convex/values\";\nimport { ActionCtx, Doc, MutationCtx } from \"../types\";\nimport * as Provider from \"../provider\";\nimport { ConvexCredentialsConfig } from \"../../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { getAuthSessionId } from \"../sessions\";\nimport { LOG_LEVELS, logWithLevel, maybeRedact } from \"../utils\";\nimport { authDb } from \"../db\";\nimport { AUTH_STORE_REF } from \"./store\";\nimport { throwAuthError } from \"../../errors\";\n\nexport const createAccountFromCredentialsArgs = v.object({\n provider: v.string(),\n account: v.object({ id: v.string(), secret: v.optional(v.string()) }),\n profile: v.any(),\n shouldLinkViaEmail: v.optional(v.boolean()),\n shouldLinkViaPhone: v.optional(v.boolean()),\n});\n\ntype ReturnType = { account: Doc<\"account\">; user: Doc<\"user\"> };\n\nexport async function createAccountFromCredentialsImpl(\n ctx: MutationCtx,\n args: Infer<typeof createAccountFromCredentialsArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Promise<ReturnType> {\n logWithLevel(LOG_LEVELS.DEBUG, \"createAccountFromCredentialsImpl args:\", {\n provider: args.provider,\n account: {\n id: args.account.id,\n secret: maybeRedact(args.account.secret ?? \"\"),\n },\n });\n const {\n provider: providerId,\n account,\n profile,\n shouldLinkViaEmail,\n shouldLinkViaPhone,\n } = args;\n const db = authDb(ctx, config);\n const provider = getProviderOrThrow(providerId) as ConvexCredentialsConfig;\n const existingAccount = (await db.accounts.get(\n provider.id,\n account.id,\n )) as Doc<\"account\"> | null;\n if (existingAccount !== null) {\n if (\n account.secret !== undefined &&\n !(await Provider.verify(\n provider,\n account.secret,\n existingAccount.secret ?? 
\"\",\n ))\n ) {\n throwAuthError(\"ACCOUNT_ALREADY_EXISTS\", `Account ${account.id} already exists`);\n }\n return {\n account: existingAccount,\n // TODO: Ian removed this,\n user: (await db.users.getById(existingAccount.userId)) as unknown as Doc<\"user\">,\n };\n }\n\n const secret =\n account.secret !== undefined\n ? await Provider.hash(provider, account.secret)\n : undefined;\n const { userId, accountId } = await upsertUserAndAccount(\n ctx,\n await getAuthSessionId(ctx),\n { providerAccountId: account.id, secret },\n {\n type: \"credentials\",\n provider,\n profile,\n shouldLinkViaEmail,\n shouldLinkViaPhone,\n },\n config,\n );\n\n return {\n account: (await db.accounts.getById(accountId)) as Doc<\"account\">,\n user: (await db.users.getById(userId)) as unknown as Doc<\"user\">,\n };\n}\n\nexport const callCreateAccountFromCredentials = async (\n ctx: ActionCtx,\n args: Infer<typeof createAccountFromCredentialsArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"createAccountFromCredentials\",\n ...args,\n },\n 
});\n};\n"],"mappings":";;;;;;;;;;AAWA,MAAa,mCAAmC,EAAE,OAAO;CACvD,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,OAAO;EAAE,IAAI,EAAE,QAAQ;EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAAE,CAAC;CACrE,SAAS,EAAE,KAAK;CAChB,oBAAoB,EAAE,SAAS,EAAE,SAAS,CAAC;CAC3C,oBAAoB,EAAE,SAAS,EAAE,SAAS,CAAC;CAC5C,CAAC;AAIF,eAAsB,iCACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,0CAA0C;EACvE,UAAU,KAAK;EACf,SAAS;GACP,IAAI,KAAK,QAAQ;GACjB,QAAQ,YAAY,KAAK,QAAQ,UAAU,GAAG;GAC/C;EACF,CAAC;CACF,MAAM,EACJ,UAAU,YACV,SACA,SACA,oBACA,uBACE;CACJ,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,WAAW,mBAAmB,WAAW;CAC/C,MAAM,kBAAmB,MAAM,GAAG,SAAS,IACzC,SAAS,IACT,QAAQ,GACT;AACD,KAAI,oBAAoB,MAAM;AAC5B,MACE,QAAQ,WAAW,UACnB,CAAE,MAAMA,OACN,UACA,QAAQ,QACR,gBAAgB,UAAU,GAC3B,CAED,gBAAe,0BAA0B,WAAW,QAAQ,GAAG,iBAAiB;AAElF,SAAO;GACL,SAAS;GAET,MAAO,MAAM,GAAG,MAAM,QAAQ,gBAAgB,OAAO;GACtD;;CAGH,MAAM,SACJ,QAAQ,WAAW,SACf,MAAMC,KAAc,UAAU,QAAQ,OAAO,GAC7C;CACN,MAAM,EAAE,QAAQ,cAAc,MAAM,qBAClC,KACA,MAAM,iBAAiB,IAAI,EAC3B;EAAE,mBAAmB,QAAQ;EAAI;EAAQ,EACzC;EACE,MAAM;EACN;EACA;EACA;EACA;EACD,EACD,OACD;AAED,QAAO;EACL,SAAU,MAAM,GAAG,SAAS,QAAQ,UAAU;EAC9C,MAAO,MAAM,GAAG,MAAM,QAAQ,OAAO;EACtC;;AAGH,MAAa,mCAAmC,OAC9C,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}