@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/component/server/implementation/mutations/retrieve.js

@@ -1,50 +0,0 @@
-import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
-import { authDb } from "../db.js";
-import { AUTH_STORE_REF } from "./store.js";
-import { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit } from "../ratelimit.js";
-import { verify } from "../provider.js";
-import { v } from "convex/values";
-
-//#region src/server/implementation/mutations/retrieve.ts
-const retrieveAccountWithCredentialsArgs = v.object({
-	provider: v.string(),
-	account: v.object({
-		id: v.string(),
-		secret: v.optional(v.string())
-	})
-});
-async function retrieveAccountWithCredentialsImpl(ctx, args, getProviderOrThrow, config) {
-	const { provider: providerId, account } = args;
-	const db = authDb(ctx, config);
-	logWithLevel(LOG_LEVELS.DEBUG, "retrieveAccountWithCredentialsImpl args:", {
-		provider: providerId,
-		account: {
-			id: account.id,
-			secret: maybeRedact(account.secret ?? "")
-		}
-	});
-	const existingAccount = await db.accounts.get(providerId, account.id);
-	if (existingAccount === null) return "InvalidAccountId";
-	if (account.secret !== void 0) {
-		if (await isSignInRateLimited(ctx, existingAccount._id, config)) return "TooManyFailedAttempts";
-		if (!await verify(getProviderOrThrow(providerId), account.secret, existingAccount.secret ?? "")) {
-			await recordFailedSignIn(ctx, existingAccount._id, config);
-			return "InvalidSecret";
-		}
-		await resetSignInRateLimit(ctx, existingAccount._id, config);
-	}
-	return {
-		account: existingAccount,
-		user: await db.users.getById(existingAccount.userId)
-	};
-}
-const callRetreiveAccountWithCredentials = async (ctx, args) => {
-	return ctx.runMutation(AUTH_STORE_REF, { args: {
-		type: "retrieveAccountWithCredentials",
-		...args
-	} });
-};
-
-//#endregion
-export { callRetreiveAccountWithCredentials, retrieveAccountWithCredentialsArgs, retrieveAccountWithCredentialsImpl };
-//# sourceMappingURL=retrieve.js.map

package/dist/component/server/implementation/mutations/retrieve.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"retrieve.js","names":["Provider.verify"],"sources":["../../../../../src/server/implementation/mutations/retrieve.ts"],"sourcesContent":["import { Infer, v } from \"convex/values\";\nimport { ActionCtx, Doc, MutationCtx } from \"../types\";\nimport {\n  isSignInRateLimited,\n  recordFailedSignIn,\n  resetSignInRateLimit,\n} from \"../ratelimit\";\nimport * as Provider from \"../provider\";\nimport { LOG_LEVELS, logWithLevel, maybeRedact } from \"../utils\";\nimport { authDb } from \"../db\";\nimport { AUTH_STORE_REF } from \"./store\";\n\nexport const retrieveAccountWithCredentialsArgs = v.object({\n  provider: v.string(),\n  account: v.object({ id: v.string(), secret: v.optional(v.string()) }),\n});\n\ntype ReturnType =\n  | \"InvalidAccountId\"\n  | \"TooManyFailedAttempts\"\n  | \"InvalidSecret\"\n  | { account: Doc<\"account\">; user: Doc<\"user\"> };\n\nexport async function retrieveAccountWithCredentialsImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof retrieveAccountWithCredentialsArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  const { provider: providerId, account } = args;\n  const db = authDb(ctx, config);\n  logWithLevel(LOG_LEVELS.DEBUG, \"retrieveAccountWithCredentialsImpl args:\", {\n    provider: providerId,\n    account: {\n      id: account.id,\n      secret: maybeRedact(account.secret ?? \"\"),\n    },\n  });\n  const existingAccount = (await db.accounts.get(\n    providerId,\n    account.id,\n  )) as Doc<\"account\"> | null;\n  if (existingAccount === null) {\n    return \"InvalidAccountId\";\n  }\n  if (account.secret !== undefined) {\n    if (await isSignInRateLimited(ctx, existingAccount._id, config)) {\n      return \"TooManyFailedAttempts\";\n    }\n    if (\n      !(await Provider.verify(\n        getProviderOrThrow(providerId),\n        account.secret,\n        existingAccount.secret ?? \"\",\n      ))\n    ) {\n      await recordFailedSignIn(ctx, existingAccount._id, config);\n      return \"InvalidSecret\";\n    }\n    await resetSignInRateLimit(ctx, existingAccount._id, config);\n  }\n  return {\n    account: existingAccount,\n    // TODO: Ian removed this\n    user: (await db.users.getById(existingAccount.userId)) as unknown as Doc<\"user\">,\n  };\n}\n\nexport const callRetreiveAccountWithCredentials = async (\n  ctx: ActionCtx,\n  args: Infer<typeof retrieveAccountWithCredentialsArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"retrieveAccountWithCredentials\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;AAYA,MAAa,qCAAqC,EAAE,OAAO;CACzD,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,OAAO;EAAE,IAAI,EAAE,QAAQ;EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAAE,CAAC;CACtE,CAAC;AAQF,eAAsB,mCACpB,KACA,MACA,oBACA,QACqB;CACrB,MAAM,EAAE,UAAU,YAAY,YAAY;CAC1C,MAAM,KAAK,OAAO,KAAK,OAAO;AAC9B,cAAa,WAAW,OAAO,4CAA4C;EACzE,UAAU;EACV,SAAS;GACP,IAAI,QAAQ;GACZ,QAAQ,YAAY,QAAQ,UAAU,GAAG;GAC1C;EACF,CAAC;CACF,MAAM,kBAAmB,MAAM,GAAG,SAAS,IACzC,YACA,QAAQ,GACT;AACD,KAAI,oBAAoB,KACtB,QAAO;AAET,KAAI,QAAQ,WAAW,QAAW;AAChC,MAAI,MAAM,oBAAoB,KAAK,gBAAgB,KAAK,OAAO,CAC7D,QAAO;AAET,MACE,CAAE,MAAMA,OACN,mBAAmB,WAAW,EAC9B,QAAQ,QACR,gBAAgB,UAAU,GAC3B,EACD;AACA,SAAM,mBAAmB,KAAK,gBAAgB,KAAK,OAAO;AAC1D,UAAO;;AAET,QAAM,qBAAqB,KAAK,gBAAgB,KAAK,OAAO;;AAE9D,QAAO;EACL,SAAS;EAET,MAAO,MAAM,GAAG,MAAM,QAAQ,gBAAgB,OAAO;EACtD;;AAGH,MAAa,qCAAqC,OAChD,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/component/server/implementation/mutations/signature.js

@@ -1,27 +0,0 @@
-import { throwAuthError } from "../../errors.js";
-import { authDb } from "../db.js";
-import { AUTH_STORE_REF } from "./store.js";
-import { v } from "convex/values";
-
-//#region src/server/implementation/mutations/signature.ts
-const verifierSignatureArgs = v.object({
-	verifier: v.string(),
-	signature: v.string()
-});
-async function verifierSignatureImpl(ctx, args, config) {
-	const { verifier, signature } = args;
-	const db = authDb(ctx, config);
-	const verifierDoc = await db.verifiers.getById(verifier);
-	if (verifierDoc === null) throwAuthError("INVALID_VERIFIER");
-	return await db.verifiers.patch(verifierDoc._id, { signature });
-}
-const callVerifierSignature = async (ctx, args) => {
-	return ctx.runMutation(AUTH_STORE_REF, { args: {
-		type: "verifierSignature",
-		...args
-	} });
-};
-
-//#endregion
-export { callVerifierSignature, verifierSignatureArgs, verifierSignatureImpl };
-//# sourceMappingURL=signature.js.map

package/dist/component/server/implementation/mutations/signature.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"signature.js","names":[],"sources":["../../../../../src/server/implementation/mutations/signature.ts"],"sourcesContent":["import { GenericId, Infer, v } from \"convex/values\";\nimport { ActionCtx, MutationCtx } from \"../types\";\nimport * as Provider from \"../provider\";\nimport { authDb } from \"../db\";\nimport { AUTH_STORE_REF } from \"./store\";\nimport { throwAuthError } from \"../../errors\";\n\nexport const verifierSignatureArgs = v.object({\n  verifier: v.string(),\n  signature: v.string(),\n});\n\ntype ReturnType = void;\n\nexport async function verifierSignatureImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof verifierSignatureArgs>,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  const { verifier, signature } = args;\n  const db = authDb(ctx, config);\n  const verifierDoc = await db.verifiers.getById(verifier as GenericId<\"verifier\">);\n  if (verifierDoc === null) {\n    throwAuthError(\"INVALID_VERIFIER\");\n  }\n  return await db.verifiers.patch(verifierDoc._id, { signature });\n}\n\nexport const callVerifierSignature = async (\n  ctx: ActionCtx,\n  args: Infer<typeof verifierSignatureArgs>,\n): Promise<void> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"verifierSignature\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;AAOA,MAAa,wBAAwB,EAAE,OAAO;CAC5C,UAAU,EAAE,QAAQ;CACpB,WAAW,EAAE,QAAQ;CACtB,CAAC;AAIF,eAAsB,sBACpB,KACA,MACA,QACqB;CACrB,MAAM,EAAE,UAAU,cAAc;CAChC,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,cAAc,MAAM,GAAG,UAAU,QAAQ,SAAkC;AACjF,KAAI,gBAAgB,KAClB,gBAAe,mBAAmB;AAEpC,QAAO,MAAM,GAAG,UAAU,MAAM,YAAY,KAAK,EAAE,WAAW,CAAC;;AAGjE,MAAa,wBAAwB,OACnC,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/component/server/implementation/mutations/signin.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"signin.js","names":[],"sources":["../../../../../src/server/implementation/mutations/signin.ts"],"sourcesContent":["import { GenericId, Infer, v } from \"convex/values\";\nimport { ActionCtx, MutationCtx, SessionInfo } from \"../types\";\nimport * as Provider from \"../provider\";\nimport {\n  createNewAndDeleteExistingSession,\n  maybeGenerateTokensForSession,\n} from \"../sessions\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store\";\n\nexport const signInArgs = v.object({\n  userId: v.string(),\n  sessionId: v.optional(v.string()),\n  generateTokens: v.boolean(),\n});\n\ntype ReturnType = SessionInfo;\n\nexport async function signInImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof signInArgs>,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  logWithLevel(LOG_LEVELS.DEBUG, \"signInImpl args:\", args);\n  const { userId, sessionId: existingSessionId, generateTokens } = args;\n  const typedUserId = userId as GenericId<\"user\">;\n  const typedExistingSessionId = existingSessionId as\n    | GenericId<\"session\">\n    | undefined;\n  const sessionId =\n    typedExistingSessionId ??\n    (await createNewAndDeleteExistingSession(ctx, config, typedUserId));\n  return await maybeGenerateTokensForSession(\n    ctx,\n    config,\n    typedUserId,\n    sessionId,\n    generateTokens,\n  );\n}\n\nexport const callSignIn = async (\n  ctx: ActionCtx,\n  args: Infer<typeof signInArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"signIn\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;AAUA,MAAa,aAAa,EAAE,OAAO;CACjC,QAAQ,EAAE,QAAQ;CAClB,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,gBAAgB,EAAE,SAAS;CAC5B,CAAC;AAIF,eAAsB,WACpB,KACA,MACA,QACqB;AACrB,cAAa,WAAW,OAAO,oBAAoB,KAAK;CACxD,MAAM,EAAE,QAAQ,WAAW,mBAAmB,mBAAmB;CACjE,MAAM,cAAc;AAOpB,QAAO,MAAM,8BACX,KACA,QACA,aAT6B,qBAK5B,MAAM,kCAAkC,KAAK,QAAQ,YAAY,EAMlE,eACD;;AAGH,MAAa,aAAa,OACxB,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/component/server/implementation/mutations/signout.js

@@ -1,27 +0,0 @@
-import { authDb } from "../db.js";
-import { deleteSession, getAuthSessionId } from "../sessions.js";
-import { AUTH_STORE_REF } from "./store.js";
-
-//#region src/server/implementation/mutations/signout.ts
-async function signOutImpl(ctx, config) {
-	const db = authDb(ctx, config);
-	const sessionId = await getAuthSessionId(ctx);
-	if (sessionId !== null) {
-		const session = await db.sessions.getById(sessionId);
-		if (session !== null) {
-			await deleteSession(ctx, session, config);
-			return {
-				userId: session.userId,
-				sessionId: session._id
-			};
-		}
-	}
-	return null;
-}
-const callSignOut = async (ctx) => {
-	return ctx.runMutation(AUTH_STORE_REF, { args: { type: "signOut" } });
-};
-
-//#endregion
-export { callSignOut, signOutImpl };
-//# sourceMappingURL=signout.js.map

package/dist/component/server/implementation/mutations/signout.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"signout.js","names":[],"sources":["../../../../../src/server/implementation/mutations/signout.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport { ActionCtx, MutationCtx } from \"../types\";\nimport { deleteSession, getAuthSessionId } from \"../sessions\";\nimport * as Provider from \"../provider\";\nimport { authDb } from \"../db\";\nimport { AUTH_STORE_REF } from \"./store\";\n\ntype ReturnType = {\n  userId: GenericId<\"user\">;\n  sessionId: GenericId<\"session\">;\n} | null;\n\nexport async function signOutImpl(\n  ctx: MutationCtx,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  const db = authDb(ctx, config);\n  const sessionId = await getAuthSessionId(ctx);\n  if (sessionId !== null) {\n    const session = await db.sessions.getById(sessionId);\n    if (session !== null) {\n      await deleteSession(ctx, session, config);\n      return { userId: session.userId, sessionId: session._id };\n    }\n  }\n  return null;\n}\n\nexport const callSignOut = async (ctx: ActionCtx): Promise<void> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"signOut\",\n    },\n  });\n};\n"],"mappings":";;;;;AAYA,eAAsB,YACpB,KACA,QACqB;CACrB,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,YAAY,MAAM,iBAAiB,IAAI;AAC7C,KAAI,cAAc,MAAM;EACtB,MAAM,UAAU,MAAM,GAAG,SAAS,QAAQ,UAAU;AACpD,MAAI,YAAY,MAAM;AACpB,SAAM,cAAc,KAAK,SAAS,OAAO;AACzC,UAAO;IAAE,QAAQ,QAAQ;IAAQ,WAAW,QAAQ;IAAK;;;AAG7D,QAAO;;AAGT,MAAa,cAAc,OAAO,QAAkC;AAClE,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM,EACJ,MAAM,WACP,EACF,CAAC"}

package/dist/component/server/implementation/mutations/store.js

@@ -1,12 +0,0 @@
-//#region src/server/implementation/mutations/store.ts
-/**
-* Internal function reference for the library's store dispatch mutation.
-*
-* This remains string-based because the library code cannot import the
-* consumer app's generated `internal` API module.
-*/
-const AUTH_STORE_REF = "auth:store";
-
-//#endregion
-export { AUTH_STORE_REF };
-//# sourceMappingURL=store.js.map

package/dist/component/server/implementation/mutations/store.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"store.js","names":[],"sources":["../../../../../src/server/implementation/mutations/store.ts"],"sourcesContent":["/**\n * Internal function reference for the library's store dispatch mutation.\n *\n * This remains string-based because the library code cannot import the\n * consumer app's generated `internal` API module.\n */\nexport const AUTH_STORE_REF = \"auth:store\" as any;\n"],"mappings":";;;;;;;AAMA,MAAa,iBAAiB"}

package/dist/component/server/implementation/mutations/verifier.js

@@ -1,16 +0,0 @@
-import { authDb } from "../db.js";
-import { getAuthSessionId } from "../sessions.js";
-import { AUTH_STORE_REF } from "./store.js";
-
-//#region src/server/implementation/mutations/verifier.ts
-async function verifierImpl(ctx, config) {
-	const sessionId = await getAuthSessionId(ctx) ?? void 0;
-	return await authDb(ctx, config).verifiers.create(sessionId);
-}
-const callVerifier = async (ctx) => {
-	return ctx.runMutation(AUTH_STORE_REF, { args: { type: "verifier" } });
-};
-
-//#endregion
-export { callVerifier, verifierImpl };
-//# sourceMappingURL=verifier.js.map

package/dist/component/server/implementation/mutations/verifier.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"verifier.js","names":[],"sources":["../../../../../src/server/implementation/mutations/verifier.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport { ActionCtx, MutationCtx } from \"../types\";\nimport { getAuthSessionId } from \"../sessions\";\nimport * as Provider from \"../provider\";\nimport { authDb } from \"../db\";\nimport { AUTH_STORE_REF } from \"./store\";\n\ntype ReturnType = GenericId<\"verifier\">;\n\nexport async function verifierImpl(\n  ctx: MutationCtx,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  const sessionId = (await getAuthSessionId(ctx)) ?? undefined;\n  return (await authDb(ctx, config).verifiers.create(sessionId)) as ReturnType;\n}\n\nexport const callVerifier = async (ctx: ActionCtx): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"verifier\",\n    },\n  });\n};\n"],"mappings":";;;;;AASA,eAAsB,aACpB,KACA,QACqB;CACrB,MAAM,YAAa,MAAM,iBAAiB,IAAI,IAAK;AACnD,QAAQ,MAAM,OAAO,KAAK,OAAO,CAAC,UAAU,OAAO,UAAU;;AAG/D,MAAa,eAAe,OAAO,QAAwC;AACzE,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM,EACJ,MAAM,YACP,EACF,CAAC"}

package/dist/component/server/implementation/mutations/verify.js

@@ -1,105 +0,0 @@
-import { LOG_LEVELS, logWithLevel, sha256 } from "../utils.js";
-import { authDb } from "../db.js";
-import { createNewAndDeleteExistingSession, getAuthSessionId, maybeGenerateTokensForSession } from "../sessions.js";
-import { AUTH_STORE_REF } from "./store.js";
-import { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit } from "../ratelimit.js";
-import { upsertUserAndAccount } from "../users.js";
-import { v } from "convex/values";
-
-//#region src/server/implementation/mutations/verify.ts
-const verifyCodeAndSignInArgs = v.object({
-	params: v.any(),
-	provider: v.optional(v.string()),
-	verifier: v.optional(v.string()),
-	generateTokens: v.boolean(),
-	allowExtraProviders: v.boolean()
-});
-async function verifyCodeAndSignInImpl(ctx, args, getProviderOrThrow, config) {
-	logWithLevel(LOG_LEVELS.DEBUG, "verifyCodeAndSignInImpl args:", {
-		params: {
-			email: args.params.email,
-			phone: args.params.phone
-		},
-		provider: args.provider,
-		verifier: args.verifier,
-		generateTokens: args.generateTokens,
-		allowExtraProviders: args.allowExtraProviders
-	});
-	const { generateTokens, provider, allowExtraProviders } = args;
-	const identifier = args.params.email ?? args.params.phone;
-	if (identifier !== void 0) {
-		if (await isSignInRateLimited(ctx, identifier, config)) {
-			logWithLevel(LOG_LEVELS.ERROR, "Too many failed attempts to verify code for this email");
-			return null;
-		}
-	}
-	const verifyResult = await verifyCodeOnly(ctx, args, provider ?? null, getProviderOrThrow, allowExtraProviders, config, await getAuthSessionId(ctx));
-	if (verifyResult === null) {
-		if (identifier !== void 0) await recordFailedSignIn(ctx, identifier, config);
-		return null;
-	}
-	if (identifier !== void 0) await resetSignInRateLimit(ctx, identifier, config);
-	const { userId } = verifyResult;
-	return await maybeGenerateTokensForSession(ctx, config, userId, await createNewAndDeleteExistingSession(ctx, config, userId), generateTokens);
-}
-const callVerifyCodeAndSignIn = async (ctx, args) => {
-	return ctx.runMutation(AUTH_STORE_REF, { args: {
-		type: "verifyCodeAndSignIn",
-		...args
-	} });
-};
-async function verifyCodeOnly(ctx, args, methodProviderId, getProviderOrThrow, allowExtraProviders, config, sessionId) {
-	const db = authDb(ctx, config);
-	const { params, verifier } = args;
-	const codeHash = await sha256(params.code);
-	const verificationCode = await db.verificationCodes.getByCode(codeHash);
-	if (verificationCode === null) {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid verification code");
-		return null;
-	}
-	await db.verificationCodes.delete(verificationCode._id);
-	if (verificationCode.verifier !== verifier) {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid verifier");
-		return null;
-	}
-	if (verificationCode.expirationTime < Date.now()) {
-		logWithLevel(LOG_LEVELS.ERROR, "Expired verification code");
-		return null;
-	}
-	const { accountId, emailVerified, phoneVerified } = verificationCode;
-	const account = await db.accounts.getById(accountId);
-	if (account === null) {
-		logWithLevel(LOG_LEVELS.ERROR, "Account associated with this email has been deleted");
-		return null;
-	}
-	if (methodProviderId !== null && verificationCode.provider !== methodProviderId) {
-		logWithLevel(LOG_LEVELS.ERROR, `Invalid provider "${methodProviderId}" for given \`code\`, which was generated by provider "${verificationCode.provider}"`);
-		return null;
-	}
-	const methodProvider = getProviderOrThrow(verificationCode.provider, allowExtraProviders);
-	if (methodProvider !== null && (methodProvider.type === "email" || methodProvider.type === "phone") && methodProvider.authorize !== void 0) await methodProvider.authorize(args.params, account);
-	let userId = account.userId;
-	const provider = getProviderOrThrow(account.provider);
-	if (provider.type !== "oauth") ({userId} = await upsertUserAndAccount(ctx, sessionId, { existingAccount: account }, {
-		type: "verification",
-		provider,
-		profile: {
-			...emailVerified !== void 0 ? {
-				email: emailVerified,
-				emailVerified: true
-			} : {},
-			...phoneVerified !== void 0 ? {
-				phone: phoneVerified,
-				phoneVerified: true
-			} : {}
-		}
-	}, config));
-	return {
-		providerAccountId: account.providerAccountId,
-		userId
-	};
-}
-
-//#endregion
-export { callVerifyCodeAndSignIn, verifyCodeAndSignInArgs, verifyCodeAndSignInImpl };
-//# sourceMappingURL=verify.js.map

package/dist/component/server/implementation/mutations/verify.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"verify.js","names":[],"sources":["../../../../../src/server/implementation/mutations/verify.ts"],"sourcesContent":["import { GenericId, Infer, v } from \"convex/values\";\nimport { ActionCtx, MutationCtx, SessionInfo } from \"../types\";\nimport {\n  isSignInRateLimited,\n  recordFailedSignIn,\n  resetSignInRateLimit,\n} from \"../ratelimit\";\nimport * as Provider from \"../provider\";\nimport {\n  createNewAndDeleteExistingSession,\n  getAuthSessionId,\n  maybeGenerateTokensForSession,\n} from \"../sessions\";\nimport { ConvexAuthConfig } from \"../../types\";\nimport { LOG_LEVELS, logWithLevel, sha256 } from \"../utils\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { authDb } from \"../db\";\nimport { AUTH_STORE_REF } from \"./store\";\n\nexport const verifyCodeAndSignInArgs = v.object({\n  params: v.any(),\n  provider: v.optional(v.string()),\n  verifier: v.optional(v.string()),\n  generateTokens: v.boolean(),\n  allowExtraProviders: v.boolean(),\n});\n\ntype ReturnType = null | SessionInfo;\n\nexport async function verifyCodeAndSignInImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof verifyCodeAndSignInArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  logWithLevel(LOG_LEVELS.DEBUG, \"verifyCodeAndSignInImpl args:\", {\n    params: { email: args.params.email, phone: args.params.phone },\n    provider: args.provider,\n    verifier: args.verifier,\n    generateTokens: args.generateTokens,\n    allowExtraProviders: args.allowExtraProviders,\n  });\n  const { generateTokens, provider, allowExtraProviders } = args;\n  const identifier = args.params.email ?? args.params.phone;\n  if (identifier !== undefined) {\n    if (await isSignInRateLimited(ctx, identifier, config)) {\n      logWithLevel(\n        LOG_LEVELS.ERROR,\n        \"Too many failed attempts to verify code for this email\",\n      );\n      return null;\n    }\n  }\n  const verifyResult = await verifyCodeOnly(\n    ctx,\n    args,\n    provider ?? null,\n    getProviderOrThrow,\n    allowExtraProviders,\n    config,\n    await getAuthSessionId(ctx),\n  );\n  if (verifyResult === null) {\n    if (identifier !== undefined) {\n      await recordFailedSignIn(ctx, identifier, config);\n    }\n    return null;\n  }\n  if (identifier !== undefined) {\n    await resetSignInRateLimit(ctx, identifier, config);\n  }\n  const { userId } = verifyResult;\n  const sessionId = await createNewAndDeleteExistingSession(\n    ctx,\n    config,\n    userId,\n  );\n  return await maybeGenerateTokensForSession(\n    ctx,\n    config,\n    userId,\n    sessionId,\n    generateTokens,\n  );\n}\n\nexport const callVerifyCodeAndSignIn = async (\n  ctx: ActionCtx,\n  args: Infer<typeof verifyCodeAndSignInArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"verifyCodeAndSignIn\",\n      ...args,\n    },\n  });\n};\n\nasync function verifyCodeOnly(\n  ctx: MutationCtx,\n  args: {\n    params: any;\n    verifier?: string;\n    identifier?: string;\n  },\n  /**\n   * There are two providers at play:\n   * 1. the provider that generated the code\n   * 2. the provider the account is tied to.\n   * This is because we allow signing into an account\n   * via another provider, see {@link signInViaProvider}.\n   * This is the first provider.\n   */\n  methodProviderId: string | null,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  allowExtraProviders: boolean,\n  config: ConvexAuthConfig,\n  sessionId: GenericId<\"session\"> | null,\n) {\n  const db = authDb(ctx, config);\n  const { params, verifier } = args;\n  const codeHash = await sha256(params.code);\n  const verificationCode = await db.verificationCodes.getByCode(codeHash);\n  if (verificationCode === null) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid verification code\");\n    return null;\n  }\n  await db.verificationCodes.delete(verificationCode._id);\n  if (verificationCode.verifier !== verifier) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid verifier\");\n    return null;\n  }\n  if (verificationCode.expirationTime < Date.now()) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Expired verification code\");\n    return null;\n  }\n  const { accountId, emailVerified, phoneVerified } = verificationCode;\n  const account = await db.accounts.getById(accountId);\n  if (account === null) {\n    logWithLevel(\n      LOG_LEVELS.ERROR,\n      \"Account associated with this email has been deleted\",\n    );\n    return null;\n  }\n  if (\n    methodProviderId !== null &&\n    verificationCode.provider !== methodProviderId\n  ) {\n    logWithLevel(\n      LOG_LEVELS.ERROR,\n      `Invalid provider \"${methodProviderId}\" for given \\`code\\`, ` +\n        `which was generated by provider \"${verificationCode.provider}\"`,\n    );\n    return null;\n  }\n  // OTP providers perform an additional check against the provided\n  // params.\n  const methodProvider = getProviderOrThrow(\n    verificationCode.provider,\n    allowExtraProviders,\n  );\n  if (\n    methodProvider !== null &&\n    (methodProvider.type === \"email\" || methodProvider.type === \"phone\") &&\n    methodProvider.authorize !== undefined\n  ) {\n    await methodProvider.authorize(args.params, account);\n  }\n  let userId = account.userId;\n  const provider = getProviderOrThrow(account.provider);\n  if (provider.type !== \"oauth\") {\n    ({ userId } = await upsertUserAndAccount(\n      ctx,\n      sessionId,\n      { existingAccount: account },\n      {\n        type: \"verification\",\n        provider,\n        profile: {\n          ...(emailVerified !== undefined\n            ? { email: emailVerified, emailVerified: true }\n            : {}),\n          ...(phoneVerified !== undefined\n            ? { phone: phoneVerified, phoneVerified: true }\n            : {}),\n        },\n      },\n      config,\n    ));\n  }\n\n  return { providerAccountId: account.providerAccountId, userId };\n}\n"],"mappings":";;;;;;;;;AAmBA,MAAa,0BAA0B,EAAE,OAAO;CAC9C,QAAQ,EAAE,KAAK;CACf,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;CAChC,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;CAChC,gBAAgB,EAAE,SAAS;CAC3B,qBAAqB,EAAE,SAAS;CACjC,CAAC;AAIF,eAAsB,wBACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,iCAAiC;EAC9D,QAAQ;GAAE,OAAO,KAAK,OAAO;GAAO,OAAO,KAAK,OAAO;GAAO;EAC9D,UAAU,KAAK;EACf,UAAU,KAAK;EACf,gBAAgB,KAAK;EACrB,qBAAqB,KAAK;EAC3B,CAAC;CACF,MAAM,EAAE,gBAAgB,UAAU,wBAAwB;CAC1D,MAAM,aAAa,KAAK,OAAO,SAAS,KAAK,OAAO;AACpD,KAAI,eAAe,QACjB;MAAI,MAAM,oBAAoB,KAAK,YAAY,OAAO,EAAE;AACtD,gBACE,WAAW,OACX,yDACD;AACD,UAAO;;;CAGX,MAAM,eAAe,MAAM,eACzB,KACA,MACA,YAAY,MACZ,oBACA,qBACA,QACA,MAAM,iBAAiB,IAAI,CAC5B;AACD,KAAI,iBAAiB,MAAM;AACzB,MAAI,eAAe,OACjB,OAAM,mBAAmB,KAAK,YAAY,OAAO;AAEnD,SAAO;;AAET,KAAI,eAAe,OACjB,OAAM,qBAAqB,KAAK,YAAY,OAAO;CAErD,MAAM,EAAE,WAAW;AAMnB,QAAO,MAAM,8BACX,KACA,QACA,QARgB,MAAM,kCACtB,KACA,QACA,OACD,EAMC,eACD;;AAGH,MAAa,0BAA0B,OACrC,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,eAAe,eACb,KACA,MAaA,kBACA,oBACA,qBACA,QACA,WACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,EAAE,QAAQ,aAAa;CAC7B,MAAM,WAAW,MAAM,OAAO,OAAO,KAAK;CAC1C,MAAM,mBAAmB,MAAM,GAAG,kBAAkB,UAAU,SAAS;AACvE,KAAI,qBAAqB,MAAM;AAC7B,eAAa,WAAW,OAAO,4BAA4B;AAC3D,SAAO;;AAET,OAAM,GAAG,kBAAkB,OAAO,iBAAiB,IAAI;AACvD,KAAI,iBAAiB,aAAa,UAAU;AAC1C,eAAa,WAAW,OAAO,mBAAmB;AAClD,SAAO;;AAET,KAAI,iBAAiB,iBAAiB,KAAK,KAAK,EAAE;AAChD,eAAa,WAAW,OAAO,4BAA4B;AAC3D,SAAO;;CAET,MAAM,EAAE,WAAW,eAAe,kBAAkB;CACpD,MAAM,UAAU,MAAM,GAAG,SAAS,QAAQ,UAAU;AACpD,KAAI,YAAY,MAAM;AACpB,eACE,WAAW,OACX,sDACD;AACD,SAAO;;AAET,KACE,qBAAqB,QACrB,iBAAiB,aAAa,kBAC9B;AACA,eACE,WAAW,OACX,qBAAqB,iBAAiB,yDACA,iBAAiB,SAAS,GACjE;AACD,SAAO;;CAIT,MAAM,iBAAiB,mBACrB,iBAAiB,UACjB,oBACD;AACD,KACE,mBAAmB,SAClB,eAAe,SAAS,WAAW,eAAe,SAAS,YAC5D,eAAe,cAAc,OAE7B,OAAM,eAAe,UAAU,KAAK,QAAQ,QAAQ;CAEtD,IAAI,SAAS,QAAQ;CACrB,MAAM,WAAW,mBAAmB,QAAQ,SAAS;AACrD,KAAI,SAAS,SAAS,QACpB,EAAC,CAAE,UAAW,MAAM,qBAClB,KACA,WACA,EAAE,iBAAiB,SAAS,EAC5B;EACE,MAAM;EACN;EACA,SAAS;GACP,GAAI,kBAAkB,SAClB;IAAE,OAAO;IAAe,eAAe;IAAM,GAC7C,EAAE;GACN,GAAI,kBAAkB,SAClB;IAAE,OAAO;IAAe,eAAe;IAAM,GAC7C,EAAE;GACP;EACF,EACD,OACD;AAGH,QAAO;EAAE,mBAAmB,QAAQ;EAAmB;EAAQ"}

package/dist/component/server/implementation/passkey.js

@@ -1,307 +0,0 @@
-import { throwAuthError } from "../errors.js";
-import { authDb } from "./db.js";
-import { callSignIn } from "./mutations/signin.js";
-import { callVerifierSignature } from "./mutations/signature.js";
-import { callVerifier } from "./mutations/verifier.js";
-import { mutatePasskeyInsert, mutatePasskeyUpdateCounter, mutateVerifierDelete, queryPasskeyByCredentialId, queryPasskeysByUserId, queryUserById, queryUserByVerifiedEmail, queryVerifierById } from "./types.js";
-import { sha256 } from "@oslojs/crypto/sha2";
-import { decodeBase64urlIgnorePadding, encodeBase64urlNoPadding } from "@oslojs/encoding";
-import { COSEKeyType, ClientDataType, coseAlgorithmES256, coseAlgorithmRS256, createAssertionSignatureMessage, parseAttestationObject, parseAuthenticatorData, parseClientDataJSON } from "@oslojs/webauthn";
-import { decodePKIXECDSASignature, decodeSEC1PublicKey, p256, verifyECDSASignature } from "@oslojs/crypto/ecdsa";
-import { RSAPublicKey, decodePKCS1RSAPublicKey, sha256ObjectIdentifier, verifyRSASSAPKCS1v15Signature } from "@oslojs/crypto/rsa";
-
-//#region src/server/implementation/passkey.ts
-/**
-* Server-side WebAuthn ceremony logic for passkey authentication.
-*
-* Handles the four phases of the WebAuthn flow:
-* 1. register-options — generate PublicKeyCredentialCreationOptions
-* 2. register-verify — verify attestation and store credential
-* 3. auth-options — generate PublicKeyCredentialRequestOptions
-* 4. auth-verify — verify assertion signature and sign in
-*
-* Uses `@oslojs/webauthn` for attestation/assertion parsing and
-* `@oslojs/crypto` for signature verification.
-*/
-/**
-* Resolve passkey relying party options from provider config and environment.
-*/
-function resolveRpOptions(provider) {
-	const siteUrl = process.env.SITE_URL;
-	if (!siteUrl && !provider.options.rpId) throwAuthError("PASSKEY_MISSING_CONFIG", "Passkey provider requires SITE_URL env var (your frontend URL) or explicit rpId / origin in the provider config. CONVEX_SITE_URL cannot be used because WebAuthn RP ID must match the frontend domain.");
-	const siteHostname = siteUrl ? new URL(siteUrl).hostname : void 0;
-	return {
-		rpName: provider.options.rpName ?? siteHostname ?? "localhost",
-		rpId: provider.options.rpId ?? siteHostname ?? "localhost",
-		origin: provider.options.origin ?? siteUrl ?? "http://localhost",
-		attestation: provider.options.attestation ?? "none",
-		userVerification: provider.options.userVerification ?? "required",
-		residentKey: provider.options.residentKey ?? "preferred",
-		authenticatorAttachment: provider.options.authenticatorAttachment,
-		algorithms: provider.options.algorithms ?? [coseAlgorithmES256, coseAlgorithmRS256],
-		challengeExpirationMs: provider.options.challengeExpirationMs ?? 3e5
-	};
-}
-/**
-* Generate a cryptographically random challenge.
-*/
-function generateChallenge() {
-	const challenge = new Uint8Array(32);
-	crypto.getRandomValues(challenge);
-	return challenge;
-}
-/**
-* Hash a challenge for storage in the verifier table's `signature` field.
-*/
-function hashChallenge(challenge) {
-	return encodeBase64urlNoPadding(new Uint8Array(sha256(challenge)));
-}
-/**
-* Phase 1: Generate registration options.
-*
-* Requires an authenticated user — passkey registration always adds a
-* credential to an existing account.  The userId is taken from the
-* current session identity.
-*/
-async function handleRegisterOptions(ctx, provider, params) {
-	const identity = await ctx.auth.getUserIdentity();
-	if (identity === null) throwAuthError("PASSKEY_AUTH_REQUIRED");
-	const [userId] = identity.subject.split("|");
-	const rp = resolveRpOptions(provider);
-	const challenge = generateChallenge();
-	const challengeHash = hashChallenge(challenge);
-	const verifier = await callVerifier(ctx);
-	await callVerifierSignature(ctx, {
-		verifier,
-		signature: challengeHash
-	});
-	const user = await queryUserById(ctx, userId);
-	const userName = params.userName ?? user?.email ?? "user";
-	const userDisplayName = params.userDisplayName ?? user?.name ?? userName;
-	const excludeCredentials = (await queryPasskeysByUserId(ctx, userId)).map((pk) => ({
-		id: pk.credentialId,
-		transports: pk.transports
-	}));
-	const userHandle = encodeBase64urlNoPadding(new TextEncoder().encode(userId));
-	return {
-		kind: "passkeyOptions",
-		options: {
-			rp: {
-				name: rp.rpName,
-				id: rp.rpId
-			},
-			user: {
-				id: userHandle,
-				name: userName,
-				displayName: userDisplayName
-			},
-			challenge: encodeBase64urlNoPadding(challenge),
-			pubKeyCredParams: rp.algorithms.map((alg) => ({
-				type: "public-key",
-				alg
-			})),
-			timeout: rp.challengeExpirationMs,
-			attestation: rp.attestation,
-			authenticatorSelection: {
-				residentKey: rp.residentKey,
-				requireResidentKey: rp.residentKey === "required",
-				userVerification: rp.userVerification,
-				...rp.authenticatorAttachment ? { authenticatorAttachment: rp.authenticatorAttachment } : {}
-			},
-			excludeCredentials
-		},
-		verifier
-	};
-}
-/**
-* Phase 2: Verify registration attestation and store the credential.
-*
-* Requires an authenticated user.  Parses the attestation, verifies the
-* challenge, extracts the public key, creates an account + passkey record
-* linked to the current user, and returns auth tokens.
-*/
-async function handleRegisterVerify(ctx, provider, params, verifierValue) {
-	const identity = await ctx.auth.getUserIdentity();
-	if (identity === null) throwAuthError("PASSKEY_AUTH_REQUIRED");
-	const [userId] = identity.subject.split("|");
-	const rp = resolveRpOptions(provider);
-	if (!verifierValue) throwAuthError("PASSKEY_MISSING_VERIFIER");
-	const clientData = parseClientDataJSON(decodeBase64urlIgnorePadding(params.clientDataJSON));
-	if (clientData.type !== ClientDataType.Create) throwAuthError("PASSKEY_INVALID_CLIENT_DATA", "Invalid client data type: expected webauthn.create");
-	const allowedOrigins = Array.isArray(rp.origin) ? rp.origin : [rp.origin];
-	if (!allowedOrigins.includes(clientData.origin)) throwAuthError("PASSKEY_INVALID_ORIGIN", `Invalid origin: ${clientData.origin}, expected one of: ${allowedOrigins.join(", ")}`);
-	const challengeHash = encodeBase64urlNoPadding(new Uint8Array(sha256(clientData.challenge)));
-	const verifierDoc = await queryVerifierById(ctx, verifierValue);
-	if (!verifierDoc || verifierDoc.signature !== challengeHash) throwAuthError("PASSKEY_INVALID_CHALLENGE");
-	await mutateVerifierDelete(ctx, verifierValue);
-	const authenticatorData = parseAttestationObject(decodeBase64urlIgnorePadding(params.attestationObject)).authenticatorData;
-	if (!authenticatorData.verifyRelyingPartyIdHash(rp.rpId)) throwAuthError("PASSKEY_RP_MISMATCH");
-	if (!authenticatorData.userPresent) throwAuthError("PASSKEY_USER_PRESENCE");
-	if (rp.userVerification === "required" && !authenticatorData.userVerified) throwAuthError("PASSKEY_USER_VERIFICATION");
-	const credential = authenticatorData.credential;
-	if (!credential) throwAuthError("PASSKEY_NO_CREDENTIAL");
-	const credentialId = encodeBase64urlNoPadding(credential.id);
-	const publicKey = credential.publicKey;
-	let algorithm;
-	let publicKeyBytes;
-	if (publicKey.isAlgorithmDefined()) algorithm = publicKey.algorithm();
-	else {
-		const keyType = publicKey.type();
-		algorithm = keyType === COSEKeyType.EC2 ? coseAlgorithmES256 : keyType === COSEKeyType.RSA ? coseAlgorithmRS256 : coseAlgorithmES256;
-	}
-	if (algorithm === coseAlgorithmES256) {
-		const ec2 = publicKey.ec2();
-		const xBytes = bigintToBytes(ec2.x, 32);
-		const yBytes = bigintToBytes(ec2.y, 32);
-		publicKeyBytes = new Uint8Array(65);
-		publicKeyBytes[0] = 4;
-		publicKeyBytes.set(xBytes, 1);
-		publicKeyBytes.set(yBytes, 33);
-	} else if (algorithm === coseAlgorithmRS256) {
-		const rsa = publicKey.rsa();
-		publicKeyBytes = new RSAPublicKey(rsa.n, rsa.e).encodePKCS1();
-	} else throwAuthError("PASSKEY_UNSUPPORTED_ALGORITHM", `Unsupported algorithm: ${algorithm}`);
-	const deviceType = params.deviceType ?? "single-device";
-	const backedUp = params.backedUp ?? false;
-	await authDb(ctx, ctx.auth.config).accounts.create({
-		userId,
-		provider: provider.id,
-		providerAccountId: credentialId
-	});
-	await mutatePasskeyInsert(ctx, {
-		userId,
-		credentialId,
-		publicKey: publicKeyBytes.buffer.slice(publicKeyBytes.byteOffset, publicKeyBytes.byteOffset + publicKeyBytes.byteLength),
-		algorithm,
-		counter: authenticatorData.signatureCounter,
-		transports: params.transports,
-		deviceType,
-		backedUp,
-		name: params.passkeyName,
-		createdAt: Date.now()
-	});
-	return {
-		kind: "signedIn",
-		signedIn: await callSignIn(ctx, {
-			userId,
-			generateTokens: true
-		})
-	};
-}
-/**
-* Phase 3: Generate authentication options.
-*
-* Creates a challenge and returns PublicKeyCredentialRequestOptions.
-* If an email is provided, scopes allowCredentials to that user's passkeys.
-*/
-async function handleAuthOptions(ctx, provider, params) {
-	const rp = resolveRpOptions(provider);
-	const challenge = generateChallenge();
-	const challengeHash = hashChallenge(challenge);
-	const verifier = await callVerifier(ctx);
-	await callVerifierSignature(ctx, {
-		verifier,
-		signature: challengeHash
-	});
-	let allowCredentials;
-	if (params.email) {
-		const user = await queryUserByVerifiedEmail(ctx, params.email);
-		if (user) {
-			const passkeys = await queryPasskeysByUserId(ctx, user._id);
-			if (passkeys.length > 0) allowCredentials = passkeys.map((pk) => ({
-				type: "public-key",
-				id: pk.credentialId,
-				transports: pk.transports
-			}));
-		}
-	}
-	const options = {
-		challenge: encodeBase64urlNoPadding(challenge),
-		timeout: rp.challengeExpirationMs,
-		rpId: rp.rpId,
-		userVerification: rp.userVerification
-	};
-	if (allowCredentials) options.allowCredentials = allowCredentials;
-	return {
-		kind: "passkeyOptions",
-		options,
-		verifier
-	};
-}
-/**
-* Phase 4: Verify authentication assertion and sign in.
-*
-* Verifies the signature against the stored public key, checks the counter,
-* and creates a session.
-*/
-async function handleAuthVerify(ctx, provider, params, verifierValue) {
-	const rp = resolveRpOptions(provider);
-	if (!verifierValue) throwAuthError("PASSKEY_MISSING_VERIFIER");
-	const clientDataJSON = decodeBase64urlIgnorePadding(params.clientDataJSON);
-	const clientData = parseClientDataJSON(clientDataJSON);
-	if (clientData.type !== ClientDataType.Get) throwAuthError("PASSKEY_INVALID_CLIENT_DATA", "Invalid client data type: expected webauthn.get");
-	const allowedOrigins = Array.isArray(rp.origin) ? rp.origin : [rp.origin];
-	if (!allowedOrigins.includes(clientData.origin)) throwAuthError("PASSKEY_INVALID_ORIGIN", `Invalid origin: ${clientData.origin}, expected one of: ${allowedOrigins.join(", ")}`);
-	const challengeHash = encodeBase64urlNoPadding(new Uint8Array(sha256(clientData.challenge)));
-	const verifierDoc = await queryVerifierById(ctx, verifierValue);
-	if (!verifierDoc || verifierDoc.signature !== challengeHash) throwAuthError("PASSKEY_INVALID_CHALLENGE");
-	await mutateVerifierDelete(ctx, verifierValue);
-	const credentialId = params.credentialId;
-	if (!credentialId) throwAuthError("PASSKEY_UNKNOWN_CREDENTIAL", "Missing credential ID");
-	const passkey = await queryPasskeyByCredentialId(ctx, credentialId);
-	if (!passkey) throwAuthError("PASSKEY_UNKNOWN_CREDENTIAL", "Unknown credential");
-	const authenticatorDataBytes = decodeBase64urlIgnorePadding(params.authenticatorData);
-	const authenticatorData = parseAuthenticatorData(authenticatorDataBytes);
-	if (!authenticatorData.verifyRelyingPartyIdHash(rp.rpId)) throwAuthError("PASSKEY_RP_MISMATCH");
-	if (!authenticatorData.userPresent) throwAuthError("PASSKEY_USER_PRESENCE");
-	if (rp.userVerification === "required" && !authenticatorData.userVerified) throwAuthError("PASSKEY_USER_VERIFICATION");
-	const signature = decodeBase64urlIgnorePadding(params.signature);
-	const messageHash = sha256(createAssertionSignatureMessage(authenticatorDataBytes, clientDataJSON));
-	const storedPublicKeyBytes = new Uint8Array(passkey.publicKey);
-	if (passkey.algorithm === coseAlgorithmES256) {
-		if (!verifyECDSASignature(decodeSEC1PublicKey(p256, storedPublicKeyBytes), messageHash, decodePKIXECDSASignature(signature))) throwAuthError("PASSKEY_INVALID_SIGNATURE");
-	} else if (passkey.algorithm === coseAlgorithmRS256) {
-		if (!verifyRSASSAPKCS1v15Signature(decodePKCS1RSAPublicKey(storedPublicKeyBytes), sha256ObjectIdentifier, messageHash, signature)) throwAuthError("PASSKEY_INVALID_SIGNATURE");
-	} else throwAuthError("PASSKEY_UNSUPPORTED_ALGORITHM", `Unsupported algorithm: ${passkey.algorithm}`);
-	if (passkey.counter !== 0 && authenticatorData.signatureCounter !== 0 && authenticatorData.signatureCounter <= passkey.counter) throwAuthError("PASSKEY_COUNTER_ERROR");
-	await mutatePasskeyUpdateCounter(ctx, passkey._id, authenticatorData.signatureCounter, Date.now());
-	return {
-		kind: "signedIn",
-		signedIn: await callSignIn(ctx, {
-			userId: passkey.userId,
-			generateTokens: true
-		})
-	};
-}
-/**
-* Main passkey handler dispatched from signIn.ts.
-*
-* Routes to the appropriate phase based on `params.flow`.
-*/
-async function handlePasskey(ctx, provider, args) {
-	const flow = args.params?.flow;
-	if (!flow) throwAuthError("PASSKEY_MISSING_FLOW", "Missing `flow` parameter. Expected one of: register-options, register-verify, auth-options, auth-verify");
-	switch (flow) {
-		case "register-options": return handleRegisterOptions(ctx, provider, args.params ?? {});
-		case "register-verify": return handleRegisterVerify(ctx, provider, args.params ?? {}, args.verifier);
-		case "auth-options": return handleAuthOptions(ctx, provider, args.params ?? {});
-		case "auth-verify": return handleAuthVerify(ctx, provider, args.params ?? {}, args.verifier);
-		default: throwAuthError("PASSKEY_UNKNOWN_FLOW", `Unknown passkey flow: ${flow}. Expected one of: register-options, register-verify, auth-options, auth-verify`);
-	}
-}
-/**
-* Convert a bigint to a fixed-size big-endian byte array.
-*/
-function bigintToBytes(value, length) {
-	const bytes = new Uint8Array(length);
-	let v = value;
-	for (let i = length - 1; i >= 0; i--) {
-		bytes[i] = Number(v & 255n);
-		v >>= 8n;
-	}
-	return bytes;
-}
-
-//#endregion
-export { handlePasskey };
-//# sourceMappingURL=passkey.js.map