@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/component/server/implementation/passkey.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"passkey.js","names":[],"sources":["../../../../src/server/implementation/passkey.ts"],"sourcesContent":["/**\n * Server-side WebAuthn ceremony logic for passkey authentication.\n *\n * Handles the four phases of the WebAuthn flow:\n * 1. register-options — generate PublicKeyCredentialCreationOptions\n * 2. register-verify — verify attestation and store credential\n * 3. auth-options — generate PublicKeyCredentialRequestOptions\n * 4. auth-verify — verify assertion signature and sign in\n *\n * Uses `@oslojs/webauthn` for attestation/assertion parsing and\n * `@oslojs/crypto` for signature verification.\n */\n\nimport {\n  parseAttestationObject,\n  parseClientDataJSON,\n  parseAuthenticatorData,\n  createAssertionSignatureMessage,\n  ClientDataType,\n  coseAlgorithmES256,\n  coseAlgorithmRS256,\n  COSEKeyType,\n} from \"@oslojs/webauthn\";\nimport {\n  p256,\n  verifyECDSASignature,\n  decodeSEC1PublicKey,\n  decodePKIXECDSASignature,\n} from \"@oslojs/crypto/ecdsa\";\nimport {\n  RSAPublicKey,\n  decodePKCS1RSAPublicKey,\n  sha256ObjectIdentifier,\n  verifyRSASSAPKCS1v15Signature,\n} from \"@oslojs/crypto/rsa\";\nimport { sha256 } from \"@oslojs/crypto/sha2\";\nimport {\n  encodeBase64urlNoPadding,\n  decodeBase64urlIgnorePadding,\n} from \"@oslojs/encoding\";\nimport {\n  PasskeyProviderConfig,\n  GenericActionCtxWithAuthConfig,\n} from \"../types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  queryUserById,\n  queryUserByVerifiedEmail,\n  queryPasskeysByUserId,\n  queryPasskeyByCredentialId,\n  queryVerifierById,\n  mutatePasskeyInsert,\n  mutatePasskeyUpdateCounter,\n  mutateVerifierDelete,\n} from \"./types\";\nimport { callSignIn, callVerifier } from \"./mutations/index\";\nimport { callVerifierSignature } from \"./mutations/signature\";\nimport { authDb } from \"./db\";\nimport { throwAuthError } from \"../errors\";\n\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n/**\n * Resolve passkey relying party options from provider config and environment.\n */\nfunction resolveRpOptions(provider: PasskeyProviderConfig) {\n  // WebAuthn RP ID and origin must match the *frontend* domain, not the\n  // Convex backend.  SITE_URL is the canonical frontend URL\n  // (e.g. \"http://localhost:3000\" in dev, \"https://myapp.com\" in prod).\n  // CONVEX_SITE_URL points to the Convex cloud HTTP actions endpoint and\n  // must NOT be used here — the browser would reject the credential\n  // because the RP ID wouldn't match the page origin.\n  const siteUrl = process.env.SITE_URL;\n  if (!siteUrl && !provider.options.rpId) {\n    throwAuthError(\n      \"PASSKEY_MISSING_CONFIG\",\n      \"Passkey provider requires SITE_URL env var (your frontend URL) \" +\n      \"or explicit rpId / origin in the provider config. \" +\n      \"CONVEX_SITE_URL cannot be used because WebAuthn RP ID must match the frontend domain.\",\n    );\n  }\n  const siteHostname = siteUrl ? new URL(siteUrl).hostname : undefined;\n\n  return {\n    rpName: provider.options.rpName ?? siteHostname ?? \"localhost\",\n    rpId: provider.options.rpId ?? siteHostname ?? \"localhost\",\n    origin: provider.options.origin ?? siteUrl ?? \"http://localhost\",\n    attestation: provider.options.attestation ?? \"none\",\n    userVerification: provider.options.userVerification ?? \"required\",\n    residentKey: provider.options.residentKey ?? \"preferred\",\n    authenticatorAttachment: provider.options.authenticatorAttachment,\n    algorithms: provider.options.algorithms ?? [coseAlgorithmES256, coseAlgorithmRS256],\n    challengeExpirationMs: provider.options.challengeExpirationMs ?? 300_000,\n  };\n}\n\n/**\n * Generate a cryptographically random challenge.\n */\nfunction generateChallenge(): Uint8Array {\n  const challenge = new Uint8Array(32);\n  crypto.getRandomValues(challenge);\n  return challenge;\n}\n\n/**\n * Hash a challenge for storage in the verifier table's `signature` field.\n */\nfunction hashChallenge(challenge: Uint8Array): string {\n  return encodeBase64urlNoPadding(new Uint8Array(sha256(challenge)));\n}\n\n// ============================================================================\n// Registration flow\n// ============================================================================\n\n/**\n * Phase 1: Generate registration options.\n *\n * Requires an authenticated user — passkey registration always adds a\n * credential to an existing account.  The userId is taken from the\n * current session identity.\n */\nasync function handleRegisterOptions(\n  ctx: EnrichedActionCtx,\n  provider: PasskeyProviderConfig,\n  params: Record<string, any>,\n): Promise<{\n  kind: \"passkeyOptions\";\n  options: Record<string, any>;\n  verifier: string;\n}> {\n  // Passkey registration requires an authenticated user\n  const identity = await ctx.auth.getUserIdentity();\n  if (identity === null) {\n    throwAuthError(\"PASSKEY_AUTH_REQUIRED\");\n  }\n  const [userId] = identity.subject.split(\"|\");\n\n  const rp = resolveRpOptions(provider);\n  const challenge = generateChallenge();\n  const challengeHash = hashChallenge(challenge);\n\n  // Store the challenge hash in the verifier table\n  const verifier = await callVerifier(ctx);\n  await callVerifierSignature(ctx, {\n    verifier,\n    signature: challengeHash,\n  });\n\n  // Get the user's profile for credential metadata\n  const user = await queryUserById(ctx, userId!);\n  const userName = params.userName ?? user?.email ?? \"user\";\n  const userDisplayName = params.userDisplayName ?? user?.name ?? userName;\n\n  // Collect existing credentials to prevent re-registration\n  const existing = await queryPasskeysByUserId(ctx, userId!);\n  const excludeCredentials = existing.map((pk) => ({\n    id: pk.credentialId,\n    transports: pk.transports,\n  }));\n\n  // User handle is derived from the Convex userId\n  const userHandle = encodeBase64urlNoPadding(\n    new TextEncoder().encode(userId!),\n  );\n\n  const options = {\n    rp: {\n      name: rp.rpName,\n      id: rp.rpId,\n    },\n    user: {\n      id: userHandle,\n      name: userName,\n      displayName: userDisplayName,\n    },\n    challenge: encodeBase64urlNoPadding(challenge),\n    pubKeyCredParams: rp.algorithms.map((alg) => ({\n      type: \"public-key\" as const,\n      alg,\n    })),\n    timeout: rp.challengeExpirationMs,\n    attestation: rp.attestation,\n    authenticatorSelection: {\n      residentKey: rp.residentKey,\n      requireResidentKey: rp.residentKey === \"required\",\n      userVerification: rp.userVerification,\n      ...(rp.authenticatorAttachment\n        ? { authenticatorAttachment: rp.authenticatorAttachment }\n        : {}),\n    },\n    excludeCredentials,\n  };\n\n  return { kind: \"passkeyOptions\", options, verifier };\n}\n\n/**\n * Phase 2: Verify registration attestation and store the credential.\n *\n * Requires an authenticated user.  Parses the attestation, verifies the\n * challenge, extracts the public key, creates an account + passkey record\n * linked to the current user, and returns auth tokens.\n */\nasync function handleRegisterVerify(\n  ctx: EnrichedActionCtx,\n  provider: PasskeyProviderConfig,\n  params: Record<string, any>,\n  verifierValue: string | undefined,\n): Promise<{ kind: \"signedIn\"; signedIn: SessionInfo | null }> {\n  // Passkey registration requires an authenticated user\n  const identity = await ctx.auth.getUserIdentity();\n  if (identity === null) {\n    throwAuthError(\"PASSKEY_AUTH_REQUIRED\");\n  }\n  const [userId] = identity.subject.split(\"|\");\n\n  const rp = resolveRpOptions(provider);\n\n  if (!verifierValue) {\n    throwAuthError(\"PASSKEY_MISSING_VERIFIER\");\n  }\n\n  // Decode client data\n  const clientDataJSON = decodeBase64urlIgnorePadding(params.clientDataJSON);\n  const clientData = parseClientDataJSON(clientDataJSON);\n\n  // Verify client data type is \"webauthn.create\"\n  if (clientData.type !== ClientDataType.Create) {\n    throwAuthError(\"PASSKEY_INVALID_CLIENT_DATA\", \"Invalid client data type: expected webauthn.create\");\n  }\n\n  // Verify origin\n  const allowedOrigins = Array.isArray(rp.origin) ? rp.origin : [rp.origin];\n  if (!allowedOrigins.includes(clientData.origin)) {\n    throwAuthError(\n      \"PASSKEY_INVALID_ORIGIN\",\n      `Invalid origin: ${clientData.origin}, expected one of: ${allowedOrigins.join(\", \")}`,\n    );\n  }\n\n  // Verify challenge matches the stored verifier\n  const challengeHash = encodeBase64urlNoPadding(\n    new Uint8Array(sha256(clientData.challenge)),\n  );\n  const verifierDoc = await queryVerifierById(ctx, verifierValue);\n  if (!verifierDoc || verifierDoc.signature !== challengeHash) {\n    throwAuthError(\"PASSKEY_INVALID_CHALLENGE\");\n  }\n\n  // Clean up the verifier\n  await mutateVerifierDelete(ctx, verifierValue);\n\n  // Parse attestation object\n  const attestationObjectBytes = decodeBase64urlIgnorePadding(params.attestationObject);\n  const attestation = parseAttestationObject(attestationObjectBytes);\n  const authenticatorData = attestation.authenticatorData;\n\n  // Verify RP ID hash\n  if (!authenticatorData.verifyRelyingPartyIdHash(rp.rpId)) {\n    throwAuthError(\"PASSKEY_RP_MISMATCH\");\n  }\n\n  // Verify user presence and verification flags\n  if (!authenticatorData.userPresent) {\n    throwAuthError(\"PASSKEY_USER_PRESENCE\");\n  }\n  if (rp.userVerification === \"required\" && !authenticatorData.userVerified) {\n    throwAuthError(\"PASSKEY_USER_VERIFICATION\");\n  }\n\n  // Extract credential\n  const credential = authenticatorData.credential;\n  if (!credential) {\n    throwAuthError(\"PASSKEY_NO_CREDENTIAL\");\n  }\n\n  const credentialId = encodeBase64urlNoPadding(credential.id);\n  const publicKey = credential.publicKey;\n\n  // Determine algorithm and encode the public key for storage\n  let algorithm: number;\n  let publicKeyBytes: Uint8Array;\n\n  if (publicKey.isAlgorithmDefined()) {\n    algorithm = publicKey.algorithm();\n  } else {\n    const keyType = publicKey.type();\n    algorithm =\n      keyType === COSEKeyType.EC2\n        ? coseAlgorithmES256\n        : keyType === COSEKeyType.RSA\n          ? coseAlgorithmRS256\n          : coseAlgorithmES256;\n  }\n\n  if (algorithm === coseAlgorithmES256) {\n    const ec2 = publicKey.ec2();\n    // Encode as SEC1 uncompressed point (0x04 || x || y)\n    const xBytes = bigintToBytes(ec2.x, 32);\n    const yBytes = bigintToBytes(ec2.y, 32);\n    publicKeyBytes = new Uint8Array(65);\n    publicKeyBytes[0] = 0x04;\n    publicKeyBytes.set(xBytes, 1);\n    publicKeyBytes.set(yBytes, 33);\n  } else if (algorithm === coseAlgorithmRS256) {\n    const rsa = publicKey.rsa();\n    const rsaPubKey = new RSAPublicKey(rsa.n, rsa.e);\n    publicKeyBytes = rsaPubKey.encodePKCS1();\n  } else {\n    throwAuthError(\"PASSKEY_UNSUPPORTED_ALGORITHM\", `Unsupported algorithm: ${algorithm}`);\n  }\n\n  const deviceType = params.deviceType ?? \"single-device\";\n  const backedUp = params.backedUp ?? false;\n\n  // Create an account record linking the passkey to the current user.\n  // Unlike unauthenticated flows, we don't create a new user — we\n  // attach the passkey credential to the existing authenticated user.\n  const db = authDb(ctx, ctx.auth.config);\n  await db.accounts.create({\n    userId: userId!,\n    provider: provider.id,\n    providerAccountId: credentialId,\n  });\n\n  // Store the passkey credential\n  await mutatePasskeyInsert(ctx, {\n    userId: userId!,\n    credentialId,\n    publicKey: publicKeyBytes.buffer.slice(\n      publicKeyBytes.byteOffset,\n      publicKeyBytes.byteOffset + publicKeyBytes.byteLength,\n    ),\n    algorithm,\n    counter: authenticatorData.signatureCounter,\n    transports: params.transports,\n    deviceType,\n    backedUp,\n    name: params.passkeyName,\n    createdAt: Date.now(),\n  });\n\n  // Return tokens for the existing session\n  const signInResult = await callSignIn(ctx, {\n    userId: userId!,\n    generateTokens: true,\n  });\n\n  return { kind: \"signedIn\", signedIn: signInResult };\n}\n\n// ============================================================================\n// Authentication flow\n// ============================================================================\n\n/**\n * Phase 3: Generate authentication options.\n *\n * Creates a challenge and returns PublicKeyCredentialRequestOptions.\n * If an email is provided, scopes allowCredentials to that user's passkeys.\n */\nasync function handleAuthOptions(\n  ctx: EnrichedActionCtx,\n  provider: PasskeyProviderConfig,\n  params: Record<string, any>,\n): Promise<{\n  kind: \"passkeyOptions\";\n  options: Record<string, any>;\n  verifier: string;\n}> {\n  const rp = resolveRpOptions(provider);\n  const challenge = generateChallenge();\n  const challengeHash = hashChallenge(challenge);\n\n  // Store the challenge hash in the verifier table\n  const verifier = await callVerifier(ctx);\n  await callVerifierSignature(ctx, {\n    verifier,\n    signature: challengeHash,\n  });\n\n  // Build allowCredentials if email is provided\n  let allowCredentials: Array<{ type: string; id: string; transports?: string[] }> | undefined;\n  if (params.email) {\n    // Look up user by email, then find their passkeys\n    const user = await queryUserByVerifiedEmail(ctx, params.email);\n    if (user) {\n      const passkeys = await queryPasskeysByUserId(ctx, user._id);\n      if (passkeys.length > 0) {\n        allowCredentials = passkeys.map((pk) => ({\n          type: \"public-key\",\n          id: pk.credentialId,\n          transports: pk.transports,\n        }));\n      }\n    }\n  }\n\n  const options: Record<string, any> = {\n    challenge: encodeBase64urlNoPadding(challenge),\n    timeout: rp.challengeExpirationMs,\n    rpId: rp.rpId,\n    userVerification: rp.userVerification,\n  };\n\n  if (allowCredentials) {\n    options.allowCredentials = allowCredentials;\n  }\n\n  return { kind: \"passkeyOptions\", options, verifier };\n}\n\n/**\n * Phase 4: Verify authentication assertion and sign in.\n *\n * Verifies the signature against the stored public key, checks the counter,\n * and creates a session.\n */\nasync function handleAuthVerify(\n  ctx: EnrichedActionCtx,\n  provider: PasskeyProviderConfig,\n  params: Record<string, any>,\n  verifierValue: string | undefined,\n): Promise<{ kind: \"signedIn\"; signedIn: SessionInfo | null }> {\n  const rp = resolveRpOptions(provider);\n\n  if (!verifierValue) {\n    throwAuthError(\"PASSKEY_MISSING_VERIFIER\");\n  }\n\n  // Decode client data\n  const clientDataJSON = decodeBase64urlIgnorePadding(params.clientDataJSON);\n  const clientData = parseClientDataJSON(clientDataJSON);\n\n  // Verify client data type is \"webauthn.get\"\n  if (clientData.type !== ClientDataType.Get) {\n    throwAuthError(\"PASSKEY_INVALID_CLIENT_DATA\", \"Invalid client data type: expected webauthn.get\");\n  }\n\n  // Verify origin\n  const allowedOrigins = Array.isArray(rp.origin) ? rp.origin : [rp.origin];\n  if (!allowedOrigins.includes(clientData.origin)) {\n    throwAuthError(\n      \"PASSKEY_INVALID_ORIGIN\",\n      `Invalid origin: ${clientData.origin}, expected one of: ${allowedOrigins.join(\", \")}`,\n    );\n  }\n\n  // Verify challenge matches the stored verifier\n  const challengeHash = encodeBase64urlNoPadding(\n    new Uint8Array(sha256(clientData.challenge)),\n  );\n  const verifierDoc = await queryVerifierById(ctx, verifierValue);\n  if (!verifierDoc || verifierDoc.signature !== challengeHash) {\n    throwAuthError(\"PASSKEY_INVALID_CHALLENGE\");\n  }\n\n  // Clean up the verifier\n  await mutateVerifierDelete(ctx, verifierValue);\n\n  // Look up the credential\n  const credentialId = params.credentialId;\n  if (!credentialId) {\n    throwAuthError(\"PASSKEY_UNKNOWN_CREDENTIAL\", \"Missing credential ID\");\n  }\n\n  const passkey = await queryPasskeyByCredentialId(ctx, credentialId);\n  if (!passkey) {\n    throwAuthError(\"PASSKEY_UNKNOWN_CREDENTIAL\", \"Unknown credential\");\n  }\n\n  // Parse authenticator data\n  const authenticatorDataBytes = decodeBase64urlIgnorePadding(params.authenticatorData);\n  const authenticatorData = parseAuthenticatorData(authenticatorDataBytes);\n\n  // Verify RP ID hash\n  if (!authenticatorData.verifyRelyingPartyIdHash(rp.rpId)) {\n    throwAuthError(\"PASSKEY_RP_MISMATCH\");\n  }\n\n  // Verify user presence\n  if (!authenticatorData.userPresent) {\n    throwAuthError(\"PASSKEY_USER_PRESENCE\");\n  }\n  if (rp.userVerification === \"required\" && !authenticatorData.userVerified) {\n    throwAuthError(\"PASSKEY_USER_VERIFICATION\");\n  }\n\n  // Verify signature\n  const signature = decodeBase64urlIgnorePadding(params.signature);\n  const signatureMessage = createAssertionSignatureMessage(\n    authenticatorDataBytes,\n    clientDataJSON,\n  );\n  const messageHash = sha256(signatureMessage);\n\n  const storedPublicKeyBytes = new Uint8Array(passkey.publicKey);\n\n  if (passkey.algorithm === coseAlgorithmES256) {\n    // EC P-256 verification\n    const ecPublicKey = decodeSEC1PublicKey(p256, storedPublicKeyBytes);\n    // WebAuthn signatures for EC keys are DER/ASN.1 (PKIX) encoded\n    const ecdsaSignature = decodePKIXECDSASignature(signature);\n    const valid = verifyECDSASignature(\n      ecPublicKey,\n      messageHash,\n      ecdsaSignature,\n    );\n    if (!valid) {\n      throwAuthError(\"PASSKEY_INVALID_SIGNATURE\");\n    }\n  } else if (passkey.algorithm === coseAlgorithmRS256) {\n    // RSA PKCS#1 v1.5 with SHA-256 verification\n    // Decode the stored PKCS#1 public key\n    const rsaPublicKey = decodePKCS1RSAPublicKey(storedPublicKeyBytes);\n    const valid = verifyRSASSAPKCS1v15Signature(\n      rsaPublicKey,\n      sha256ObjectIdentifier,\n      messageHash,\n      signature,\n    );\n    if (!valid) {\n      throwAuthError(\"PASSKEY_INVALID_SIGNATURE\");\n    }\n  } else {\n    throwAuthError(\"PASSKEY_UNSUPPORTED_ALGORITHM\", `Unsupported algorithm: ${passkey.algorithm}`);\n  }\n\n  // Verify counter (clone detection)\n  // Counter of 0 means the authenticator doesn't support counters\n  if (\n    passkey.counter !== 0 &&\n    authenticatorData.signatureCounter !== 0 &&\n    authenticatorData.signatureCounter <= passkey.counter\n  ) {\n    throwAuthError(\"PASSKEY_COUNTER_ERROR\");\n  }\n\n  // Update counter and last used timestamp\n  await mutatePasskeyUpdateCounter(\n    ctx,\n    passkey._id,\n    authenticatorData.signatureCounter,\n    Date.now(),\n  );\n\n  // Sign in the user\n  const signInResult = await callSignIn(ctx, {\n    userId: passkey.userId,\n    generateTokens: true,\n  });\n\n  return { kind: \"signedIn\", signedIn: signInResult };\n}\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\n/**\n * Main passkey handler dispatched from signIn.ts.\n *\n * Routes to the appropriate phase based on `params.flow`.\n */\nexport async function handlePasskey(\n  ctx: EnrichedActionCtx,\n  provider: PasskeyProviderConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n): Promise<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n> {\n  const flow = args.params?.flow;\n  if (!flow) {\n    throwAuthError(\n      \"PASSKEY_MISSING_FLOW\",\n      \"Missing `flow` parameter. Expected one of: register-options, register-verify, auth-options, auth-verify\",\n    );\n  }\n\n  switch (flow) {\n    case \"register-options\":\n      return handleRegisterOptions(ctx, provider, args.params ?? {});\n    case \"register-verify\":\n      return handleRegisterVerify(ctx, provider, args.params ?? {}, args.verifier);\n    case \"auth-options\":\n      return handleAuthOptions(ctx, provider, args.params ?? {});\n    case \"auth-verify\":\n      return handleAuthVerify(ctx, provider, args.params ?? {}, args.verifier);\n    default:\n      throwAuthError(\n        \"PASSKEY_UNKNOWN_FLOW\",\n        `Unknown passkey flow: ${flow}. Expected one of: register-options, register-verify, auth-options, auth-verify`,\n      );\n  }\n}\n\n// ============================================================================\n// Helpers\n// ============================================================================\n\n/**\n * Convert a bigint to a fixed-size big-endian byte array.\n */\nfunction bigintToBytes(value: bigint, length: number): Uint8Array {\n  const bytes = new Uint8Array(length);\n  let v = value;\n  for (let i = length - 1; i >= 0; i--) {\n    bytes[i] = Number(v & 0xffn);\n    v >>= 8n;\n  }\n  return bytes;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmEA,SAAS,iBAAiB,UAAiC;CAOzD,MAAM,UAAU,QAAQ,IAAI;AAC5B,KAAI,CAAC,WAAW,CAAC,SAAS,QAAQ,KAChC,gBACE,0BACA,yMAGD;CAEH,MAAM,eAAe,UAAU,IAAI,IAAI,QAAQ,CAAC,WAAW;AAE3D,QAAO;EACL,QAAQ,SAAS,QAAQ,UAAU,gBAAgB;EACnD,MAAM,SAAS,QAAQ,QAAQ,gBAAgB;EAC/C,QAAQ,SAAS,QAAQ,UAAU,WAAW;EAC9C,aAAa,SAAS,QAAQ,eAAe;EAC7C,kBAAkB,SAAS,QAAQ,oBAAoB;EACvD,aAAa,SAAS,QAAQ,eAAe;EAC7C,yBAAyB,SAAS,QAAQ;EAC1C,YAAY,SAAS,QAAQ,cAAc,CAAC,oBAAoB,mBAAmB;EACnF,uBAAuB,SAAS,QAAQ,yBAAyB;EAClE;;;;;AAMH,SAAS,oBAAgC;CACvC,MAAM,YAAY,IAAI,WAAW,GAAG;AACpC,QAAO,gBAAgB,UAAU;AACjC,QAAO;;;;;AAMT,SAAS,cAAc,WAA+B;AACpD,QAAO,yBAAyB,IAAI,WAAW,OAAO,UAAU,CAAC,CAAC;;;;;;;;;AAcpE,eAAe,sBACb,KACA,UACA,QAKC;CAED,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,KAAI,aAAa,KACf,gBAAe,wBAAwB;CAEzC,MAAM,CAAC,UAAU,SAAS,QAAQ,MAAM,IAAI;CAE5C,MAAM,KAAK,iBAAiB,SAAS;CACrC,MAAM,YAAY,mBAAmB;CACrC,MAAM,gBAAgB,cAAc,UAAU;CAG9C,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,OAAM,sBAAsB,KAAK;EAC/B;EACA,WAAW;EACZ,CAAC;CAGF,MAAM,OAAO,MAAM,cAAc,KAAK,OAAQ;CAC9C,MAAM,WAAW,OAAO,YAAY,MAAM,SAAS;CACnD,MAAM,kBAAkB,OAAO,mBAAmB,MAAM,QAAQ;CAIhE,MAAM,sBADW,MAAM,sBAAsB,KAAK,OAAQ,EACtB,KAAK,QAAQ;EAC/C,IAAI,GAAG;EACP,YAAY,GAAG;EAChB,EAAE;CAGH,MAAM,aAAa,yBACjB,IAAI,aAAa,CAAC,OAAO,OAAQ,CAClC;AA8BD,QAAO;EAAE,MAAM;EAAkB,SA5BjB;GACd,IAAI;IACF,MAAM,GAAG;IACT,IAAI,GAAG;IACR;GACD,MAAM;IACJ,IAAI;IACJ,MAAM;IACN,aAAa;IACd;GACD,WAAW,yBAAyB,UAAU;GAC9C,kBAAkB,GAAG,WAAW,KAAK,SAAS;IAC5C,MAAM;IACN;IACD,EAAE;GACH,SAAS,GAAG;GACZ,aAAa,GAAG;GAChB,wBAAwB;IACtB,aAAa,GAAG;IAChB,oBAAoB,GAAG,gBAAgB;IACvC,kBAAkB,GAAG;IACrB,GAAI,GAAG,0BACH,EAAE,yBAAyB,GAAG,yBAAyB,GACvD,EAAE;IACP;GACD;GACD;EAEyC;EAAU;;;;;;;;;AAUtD,eAAe,qBACb,KACA,UACA,QACA,eAC6D;CAE7D,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,KAAI,aAAa,KACf,gBAAe,wBAAwB;CAEzC,MAAM,CAAC,UAAU,SAAS,QAAQ,MAAM,IAAI;CAE5C,MAAM,KAAK,iBAAiB,SAAS;AAErC,KAAI,CAAC,cACH,gBAAe,2BAA2B;CAK5C,MAAM,aAAa,oBADI,6BAA6B,OAAO,eAAe,CACpB;AAGtD,KAAI,WAAW,SAAS,eAAe,OACrC,gBAAe,+BAA+B,qDAAqD;CAIrG,MAAM,iBAAiB,MAAM,QAAQ,GAAG,OAAO,GAAG,GAAG,SAAS,CAAC,GAAG,OAAO;AACzE,KAAI,CAAC,eAAe,SAAS,WAAW,OAAO,CAC7C,gBACE,0BACA,mBAAmB,WAAW,OAAO,qBAAqB,eAAe,KAAK,KAAK,GACpF;CAIH,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,WAAW,UAAU,CAAC,CAC7C;CACD,MAAM,cAAc,MAAM,kBAAkB,KAAK,cAAc;AAC/D,KAAI,CAAC,eAAe,YAAY,cAAc,cAC5C,gBAAe,4BAA4B;AAI7C,OAAM,qBAAqB,KAAK,cAAc;CAK9C,MAAM,oBADc,uBADW,6BAA6B,OAAO,kBAAkB,CACnB,CAC5B;AAGtC,KAAI,CAAC,kBAAkB,yBAAyB,GAAG,KAAK,CACtD,gBAAe,sBAAsB;AAIvC,KAAI,CAAC,kBAAkB,YACrB,gBAAe,wBAAwB;AAEzC,KAAI,GAAG,qBAAqB,cAAc,CAAC,kBAAkB,aAC3D,gBAAe,4BAA4B;CAI7C,MAAM,aAAa,kBAAkB;AACrC,KAAI,CAAC,WACH,gBAAe,wBAAwB;CAGzC,MAAM,eAAe,yBAAyB,WAAW,GAAG;CAC5D,MAAM,YAAY,WAAW;CAG7B,IAAI;CACJ,IAAI;AAEJ,KAAI,UAAU,oBAAoB,CAChC,aAAY,UAAU,WAAW;MAC5B;EACL,MAAM,UAAU,UAAU,MAAM;AAChC,cACE,YAAY,YAAY,MACpB,qBACA,YAAY,YAAY,MACtB,qBACA;;AAGV,KAAI,cAAc,oBAAoB;EACpC,MAAM,MAAM,UAAU,KAAK;EAE3B,MAAM,SAAS,cAAc,IAAI,GAAG,GAAG;EACvC,MAAM,SAAS,cAAc,IAAI,GAAG,GAAG;AACvC,mBAAiB,IAAI,WAAW,GAAG;AACnC,iBAAe,KAAK;AACpB,iBAAe,IAAI,QAAQ,EAAE;AAC7B,iBAAe,IAAI,QAAQ,GAAG;YACrB,cAAc,oBAAoB;EAC3C,MAAM,MAAM,UAAU,KAAK;AAE3B,mBADkB,IAAI,aAAa,IAAI,GAAG,IAAI,EAAE,CACrB,aAAa;OAExC,gBAAe,iCAAiC,0BAA0B,YAAY;CAGxF,MAAM,aAAa,OAAO,cAAc;CACxC,MAAM,WAAW,OAAO,YAAY;AAMpC,OADW,OAAO,KAAK,IAAI,KAAK,OAAO,CAC9B,SAAS,OAAO;EACf;EACR,UAAU,SAAS;EACnB,mBAAmB;EACpB,CAAC;AAGF,OAAM,oBAAoB,KAAK;EACrB;EACR;EACA,WAAW,eAAe,OAAO,MAC/B,eAAe,YACf,eAAe,aAAa,eAAe,WAC5C;EACD;EACA,SAAS,kBAAkB;EAC3B,YAAY,OAAO;EACnB;EACA;EACA,MAAM,OAAO;EACb,WAAW,KAAK,KAAK;EACtB,CAAC;AAQF,QAAO;EAAE,MAAM;EAAY,UALN,MAAM,WAAW,KAAK;GACjC;GACR,gBAAgB;GACjB,CAAC;EAEiD;;;;;;;;AAarD,eAAe,kBACb,KACA,UACA,QAKC;CACD,MAAM,KAAK,iBAAiB,SAAS;CACrC,MAAM,YAAY,mBAAmB;CACrC,MAAM,gBAAgB,cAAc,UAAU;CAG9C,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,OAAM,sBAAsB,KAAK;EAC/B;EACA,WAAW;EACZ,CAAC;CAGF,IAAI;AACJ,KAAI,OAAO,OAAO;EAEhB,MAAM,OAAO,MAAM,yBAAyB,KAAK,OAAO,MAAM;AAC9D,MAAI,MAAM;GACR,MAAM,WAAW,MAAM,sBAAsB,KAAK,KAAK,IAAI;AAC3D,OAAI,SAAS,SAAS,EACpB,oBAAmB,SAAS,KAAK,QAAQ;IACvC,MAAM;IACN,IAAI,GAAG;IACP,YAAY,GAAG;IAChB,EAAE;;;CAKT,MAAM,UAA+B;EACnC,WAAW,yBAAyB,UAAU;EAC9C,SAAS,GAAG;EACZ,MAAM,GAAG;EACT,kBAAkB,GAAG;EACtB;AAED,KAAI,iBACF,SAAQ,mBAAmB;AAG7B,QAAO;EAAE,MAAM;EAAkB;EAAS;EAAU;;;;;;;;AAStD,eAAe,iBACb,KACA,UACA,QACA,eAC6D;CAC7D,MAAM,KAAK,iBAAiB,SAAS;AAErC,KAAI,CAAC,cACH,gBAAe,2BAA2B;CAI5C,MAAM,iBAAiB,6BAA6B,OAAO,eAAe;CAC1E,MAAM,aAAa,oBAAoB,eAAe;AAGtD,KAAI,WAAW,SAAS,eAAe,IACrC,gBAAe,+BAA+B,kDAAkD;CAIlG,MAAM,iBAAiB,MAAM,QAAQ,GAAG,OAAO,GAAG,GAAG,SAAS,CAAC,GAAG,OAAO;AACzE,KAAI,CAAC,eAAe,SAAS,WAAW,OAAO,CAC7C,gBACE,0BACA,mBAAmB,WAAW,OAAO,qBAAqB,eAAe,KAAK,KAAK,GACpF;CAIH,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,WAAW,UAAU,CAAC,CAC7C;CACD,MAAM,cAAc,MAAM,kBAAkB,KAAK,cAAc;AAC/D,KAAI,CAAC,eAAe,YAAY,cAAc,cAC5C,gBAAe,4BAA4B;AAI7C,OAAM,qBAAqB,KAAK,cAAc;CAG9C,MAAM,eAAe,OAAO;AAC5B,KAAI,CAAC,aACH,gBAAe,8BAA8B,wBAAwB;CAGvE,MAAM,UAAU,MAAM,2BAA2B,KAAK,aAAa;AACnE,KAAI,CAAC,QACH,gBAAe,8BAA8B,qBAAqB;CAIpE,MAAM,yBAAyB,6BAA6B,OAAO,kBAAkB;CACrF,MAAM,oBAAoB,uBAAuB,uBAAuB;AAGxE,KAAI,CAAC,kBAAkB,yBAAyB,GAAG,KAAK,CACtD,gBAAe,sBAAsB;AAIvC,KAAI,CAAC,kBAAkB,YACrB,gBAAe,wBAAwB;AAEzC,KAAI,GAAG,qBAAqB,cAAc,CAAC,kBAAkB,aAC3D,gBAAe,4BAA4B;CAI7C,MAAM,YAAY,6BAA6B,OAAO,UAAU;CAKhE,MAAM,cAAc,OAJK,gCACvB,wBACA,eACD,CAC2C;CAE5C,MAAM,uBAAuB,IAAI,WAAW,QAAQ,UAAU;AAE9D,KAAI,QAAQ,cAAc,oBAUxB;MAAI,CALU,qBAHM,oBAAoB,MAAM,qBAAqB,EAKjE,aAHqB,yBAAyB,UAAU,CAKzD,CAEC,gBAAe,4BAA4B;YAEpC,QAAQ,cAAc,oBAU/B;MAAI,CANU,8BADO,wBAAwB,qBAAqB,EAGhE,wBACA,aACA,UACD,CAEC,gBAAe,4BAA4B;OAG7C,gBAAe,iCAAiC,0BAA0B,QAAQ,YAAY;AAKhG,KACE,QAAQ,YAAY,KACpB,kBAAkB,qBAAqB,KACvC,kBAAkB,oBAAoB,QAAQ,QAE9C,gBAAe,wBAAwB;AAIzC,OAAM,2BACJ,KACA,QAAQ,KACR,kBAAkB,kBAClB,KAAK,KAAK,CACX;AAQD,QAAO;EAAE,MAAM;EAAY,UALN,MAAM,WAAW,KAAK;GACzC,QAAQ,QAAQ;GAChB,gBAAgB;GACjB,CAAC;EAEiD;;;;;;;AAYrD,eAAsB,cACpB,KACA,UACA,MAOA;CACA,MAAM,OAAO,KAAK,QAAQ;AAC1B,KAAI,CAAC,KACH,gBACE,wBACA,0GACD;AAGH,SAAQ,MAAR;EACE,KAAK,mBACH,QAAO,sBAAsB,KAAK,UAAU,KAAK,UAAU,EAAE,CAAC;EAChE,KAAK,kBACH,QAAO,qBAAqB,KAAK,UAAU,KAAK,UAAU,EAAE,EAAE,KAAK,SAAS;EAC9E,KAAK,eACH,QAAO,kBAAkB,KAAK,UAAU,KAAK,UAAU,EAAE,CAAC;EAC5D,KAAK,cACH,QAAO,iBAAiB,KAAK,UAAU,KAAK,UAAU,EAAE,EAAE,KAAK,SAAS;EAC1E,QACE,gBACE,wBACA,yBAAyB,KAAK,iFAC/B;;;;;;AAWP,SAAS,cAAc,OAAe,QAA4B;CAChE,MAAM,QAAQ,IAAI,WAAW,OAAO;CACpC,IAAI,IAAI;AACR,MAAK,IAAI,IAAI,SAAS,GAAG,KAAK,GAAG,KAAK;AACpC,QAAM,KAAK,OAAO,IAAI,KAAM;AAC5B,QAAM;;AAER,QAAO"}

package/dist/component/server/implementation/provider.js

@@ -1,19 +0,0 @@
-import { throwAuthError } from "../errors.js";
-
-//#region src/server/implementation/provider.ts
-async function hash(provider, secret) {
-	if (provider.type !== "credentials") throwAuthError("INVALID_CREDENTIALS_PROVIDER", `Provider ${provider.id} is not a credentials provider`, { provider: provider.id });
-	const hashSecretFn = provider.crypto?.hashSecret;
-	if (hashSecretFn === void 0) throwAuthError("MISSING_CRYPTO_FUNCTION", `Provider ${provider.id} does not have a \`crypto.hashSecret\` function`, { provider: provider.id });
-	return await hashSecretFn(secret);
-}
-async function verify(provider, secret, hash) {
-	if (provider.type !== "credentials") throwAuthError("INVALID_CREDENTIALS_PROVIDER", `Provider ${provider.id} is not a credentials provider`, { provider: provider.id });
-	const verifySecretFn = provider.crypto?.verifySecret;
-	if (verifySecretFn === void 0) throwAuthError("MISSING_CRYPTO_FUNCTION", `Provider ${provider.id} does not have a \`crypto.verifySecret\` function`, { provider: provider.id });
-	return await verifySecretFn(secret, hash);
-}
-
-//#endregion
-export { hash, verify };
-//# sourceMappingURL=provider.js.map

package/dist/component/server/implementation/provider.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"provider.js","names":[],"sources":["../../../../src/server/implementation/provider.ts"],"sourcesContent":["import { AuthProviderMaterializedConfig } from \"../types\";\nimport { ConvexAuthMaterializedConfig } from \"../types\";\nimport { throwAuthError } from \"../errors\";\n\nexport async function hash(provider: any, secret: string) {\n  if (provider.type !== \"credentials\") {\n    throwAuthError(\"INVALID_CREDENTIALS_PROVIDER\", `Provider ${provider.id} is not a credentials provider`, { provider: provider.id });\n  }\n  const hashSecretFn = provider.crypto?.hashSecret;\n  if (hashSecretFn === undefined) {\n    throwAuthError(\"MISSING_CRYPTO_FUNCTION\", `Provider ${provider.id} does not have a \\`crypto.hashSecret\\` function`, { provider: provider.id });\n  }\n  return await hashSecretFn(secret);\n}\n\nexport async function verify(\n  provider: AuthProviderMaterializedConfig,\n  secret: string,\n  hash: string,\n) {\n  if (provider.type !== \"credentials\") {\n    throwAuthError(\"INVALID_CREDENTIALS_PROVIDER\", `Provider ${provider.id} is not a credentials provider`, { provider: provider.id });\n  }\n  const verifySecretFn = provider.crypto?.verifySecret;\n  if (verifySecretFn === undefined) {\n    throwAuthError(\"MISSING_CRYPTO_FUNCTION\", `Provider ${provider.id} does not have a \\`crypto.verifySecret\\` function`, { provider: provider.id });\n  }\n  return await verifySecretFn(secret, hash);\n}\n\nexport type GetProviderOrThrowFunc = (\n  provider: string,\n  allowExtraProviders?: boolean,\n) => AuthProviderMaterializedConfig;\n\nexport type Config = ConvexAuthMaterializedConfig;\n"],"mappings":";;;AAIA,eAAsB,KAAK,UAAe,QAAgB;AACxD,KAAI,SAAS,SAAS,cACpB,gBAAe,gCAAgC,YAAY,SAAS,GAAG,iCAAiC,EAAE,UAAU,SAAS,IAAI,CAAC;CAEpI,MAAM,eAAe,SAAS,QAAQ;AACtC,KAAI,iBAAiB,OACnB,gBAAe,2BAA2B,YAAY,SAAS,GAAG,kDAAkD,EAAE,UAAU,SAAS,IAAI,CAAC;AAEhJ,QAAO,MAAM,aAAa,OAAO;;AAGnC,eAAsB,OACpB,UACA,QACA,MACA;AACA,KAAI,SAAS,SAAS,cACpB,gBAAe,gCAAgC,YAAY,SAAS,GAAG,iCAAiC,EAAE,UAAU,SAAS,IAAI,CAAC;CAEpI,MAAM,iBAAiB,SAAS,QAAQ;AACxC,KAAI,mBAAmB,OACrB,gBAAe,2BAA2B,YAAY,SAAS,GAAG,oDAAoD,EAAE,UAAU,SAAS,IAAI,CAAC;AAElJ,QAAO,MAAM,eAAe,QAAQ,KAAK"}

package/dist/component/server/implementation/ratelimit.js

@@ -1,48 +0,0 @@
-import { authDb } from "./db.js";
-
-//#region src/server/implementation/ratelimit.ts
-const DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;
-async function isSignInRateLimited(ctx, identifier, config) {
-	const state = await getRateLimitState(ctx, identifier, config);
-	if (state === null) return false;
-	return state.attempsLeft < 1;
-}
-async function recordFailedSignIn(ctx, identifier, config) {
-	const db = authDb(ctx, config);
-	const state = await getRateLimitState(ctx, identifier, config);
-	if (state !== null) await db.rateLimits.patch(state.limit._id, {
-		attemptsLeft: state.attempsLeft - 1,
-		lastAttemptTime: Date.now()
-	});
-	else {
-		const maxAttempsPerHour = configuredMaxAttempsPerHour(config);
-		await db.rateLimits.create({
-			identifier,
-			attemptsLeft: maxAttempsPerHour - 1,
-			lastAttemptTime: Date.now()
-		});
-	}
-}
-async function resetSignInRateLimit(ctx, identifier, config) {
-	const existingState = await getRateLimitState(ctx, identifier, config);
-	if (existingState !== null) await authDb(ctx, config).rateLimits.delete(existingState.limit._id);
-}
-async function getRateLimitState(ctx, identifier, config) {
-	const now = Date.now();
-	const maxAttempsPerHour = configuredMaxAttempsPerHour(config);
-	const limit = await authDb(ctx, config).rateLimits.get(identifier);
-	if (limit === null) return null;
-	const elapsed = now - limit.lastAttemptTime;
-	const maxAttempsPerMs = maxAttempsPerHour / (3600 * 1e3);
-	return {
-		limit,
-		attempsLeft: Math.min(maxAttempsPerHour, limit.attemptsLeft + elapsed * maxAttempsPerMs)
-	};
-}
-function configuredMaxAttempsPerHour(config) {
-	return config.signIn?.maxFailedAttempsPerHour ?? DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR;
-}
-
-//#endregion
-export { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit };
-//# sourceMappingURL=ratelimit.js.map

package/dist/component/server/implementation/ratelimit.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"ratelimit.js","names":[],"sources":["../../../../src/server/implementation/ratelimit.ts"],"sourcesContent":["import { ConvexAuthConfig } from \"../types\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { authDb } from \"./db\";\n\nconst DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;\n\nexport async function isSignInRateLimited(\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n) {\n  const state = await getRateLimitState(ctx, identifier, config);\n  if (state === null) {\n    return false;\n  }\n  return state.attempsLeft < 1;\n}\n\nexport async function recordFailedSignIn(\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const state = await getRateLimitState(ctx, identifier, config);\n  if (state !== null) {\n    await db.rateLimits.patch(state.limit._id, {\n      attemptsLeft: state.attempsLeft - 1,\n      lastAttemptTime: Date.now(),\n    });\n  } else {\n    const maxAttempsPerHour = configuredMaxAttempsPerHour(config);\n    await db.rateLimits.create({\n      identifier,\n      attemptsLeft: maxAttempsPerHour - 1,\n      lastAttemptTime: Date.now(),\n    });\n  }\n}\n\nexport async function resetSignInRateLimit(\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n) {\n  const existingState = await getRateLimitState(ctx, identifier, config);\n  if (existingState !== null) {\n    await authDb(ctx, config).rateLimits.delete(existingState.limit._id);\n  }\n}\n\nasync function getRateLimitState(\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n) {\n  const now = Date.now();\n  const maxAttempsPerHour = configuredMaxAttempsPerHour(config);\n  const limit = (await authDb(ctx, config).rateLimits.get(identifier)) as\n    | Doc<\"limit\">\n    | null;\n  if (limit === null) {\n    return null;\n  }\n  const elapsed = now - limit.lastAttemptTime;\n  const maxAttempsPerMs = maxAttempsPerHour / (60 * 60 * 1000);\n  const attempsLeft = Math.min(\n    maxAttempsPerHour,\n    limit.attemptsLeft + elapsed * maxAttempsPerMs,\n  );\n  return { limit, attempsLeft };\n}\n\nfunction configuredMaxAttempsPerHour(config: ConvexAuthConfig) {\n  return (\n    config.signIn?.maxFailedAttempsPerHour ??\n    DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR\n  );\n}\n"],"mappings":";;;AAIA,MAAM,wCAAwC;AAE9C,eAAsB,oBACpB,KACA,YACA,QACA;CACA,MAAM,QAAQ,MAAM,kBAAkB,KAAK,YAAY,OAAO;AAC9D,KAAI,UAAU,KACZ,QAAO;AAET,QAAO,MAAM,cAAc;;AAG7B,eAAsB,mBACpB,KACA,YACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,QAAQ,MAAM,kBAAkB,KAAK,YAAY,OAAO;AAC9D,KAAI,UAAU,KACZ,OAAM,GAAG,WAAW,MAAM,MAAM,MAAM,KAAK;EACzC,cAAc,MAAM,cAAc;EAClC,iBAAiB,KAAK,KAAK;EAC5B,CAAC;MACG;EACL,MAAM,oBAAoB,4BAA4B,OAAO;AAC7D,QAAM,GAAG,WAAW,OAAO;GACzB;GACA,cAAc,oBAAoB;GAClC,iBAAiB,KAAK,KAAK;GAC5B,CAAC;;;AAIN,eAAsB,qBACpB,KACA,YACA,QACA;CACA,MAAM,gBAAgB,MAAM,kBAAkB,KAAK,YAAY,OAAO;AACtE,KAAI,kBAAkB,KACpB,OAAM,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO,cAAc,MAAM,IAAI;;AAIxE,eAAe,kBACb,KACA,YACA,QACA;CACA,MAAM,MAAM,KAAK,KAAK;CACtB,MAAM,oBAAoB,4BAA4B,OAAO;CAC7D,MAAM,QAAS,MAAM,OAAO,KAAK,OAAO,CAAC,WAAW,IAAI,WAAW;AAGnE,KAAI,UAAU,KACZ,QAAO;CAET,MAAM,UAAU,MAAM,MAAM;CAC5B,MAAM,kBAAkB,qBAAqB,OAAU;AAKvD,QAAO;EAAE;EAAO,aAJI,KAAK,IACvB,mBACA,MAAM,eAAe,UAAU,gBAChC;EAC4B;;AAG/B,SAAS,4BAA4B,QAA0B;AAC7D,QACE,OAAO,QAAQ,2BACf"}

package/dist/component/server/implementation/redirects.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"redirects.js","names":[],"sources":["../../../../src/server/implementation/redirects.ts"],"sourcesContent":["import { ConvexAuthMaterializedConfig } from \"../types\";\nimport { requireEnv } from \"../utils\";\nimport { throwAuthError } from \"../errors\";\n\nexport async function redirectAbsoluteUrl(\n  config: ConvexAuthMaterializedConfig,\n  params: { redirectTo: unknown },\n) {\n  if (params.redirectTo !== undefined) {\n    if (typeof params.redirectTo !== \"string\") {\n      throwAuthError(\"INVALID_REDIRECT\", `Expected \\`redirectTo\\` to be a string, got ${params.redirectTo as any}`);\n    }\n    const redirectCallback =\n      config.callbacks?.redirect ?? defaultRedirectCallback;\n    return await redirectCallback(params as { redirectTo: string });\n  }\n  return siteUrl();\n}\n\nasync function defaultRedirectCallback({ redirectTo }: { redirectTo: string }) {\n  // Resolve relative paths against SITE_URL; absolute URLs are passed through\n  // as-is. The developer is trusted to provide valid redirect targets.\n  if (redirectTo.startsWith(\"?\") || redirectTo.startsWith(\"/\")) {\n    return `${siteUrl()}${redirectTo}`;\n  }\n  return redirectTo;\n}\n\n// Temporary work-around because Convex doesn't support\n// schemes other than http and https.\nexport function setURLSearchParam(\n  absoluteUrl: string,\n  param: string,\n  value: string,\n) {\n  const pattern = /([^:]+):(.*)/;\n  const [, scheme, rest] = absoluteUrl.match(pattern)!;\n  const hasNoDomain = /^\\/\\/(?:\\/|$|\\?)/.test(rest);\n  const startsWithPath = hasNoDomain && rest.startsWith(\"///\");\n  const url = new URL(\n    `http:${hasNoDomain ? \"//googblibok\" + rest.slice(2) : rest}`,\n  );\n  url.searchParams.set(param, value);\n  const [, , withParam] = url.toString().match(pattern)!;\n  return `${scheme}:${hasNoDomain ? (startsWithPath ? \"/\" : \"\") + \"//\" + withParam.slice(13) : withParam}`;\n}\n\nfunction siteUrl() {\n  return requireEnv(\"SITE_URL\").replace(/\\/$/, \"\");\n}\n"],"mappings":";;;;AAIA,eAAsB,oBACpB,QACA,QACA;AACA,KAAI,OAAO,eAAe,QAAW;AACnC,MAAI,OAAO,OAAO,eAAe,SAC/B,gBAAe,oBAAoB,+CAA+C,OAAO,aAAoB;AAI/G,SAAO,OADL,OAAO,WAAW,YAAY,yBACF,OAAiC;;AAEjE,QAAO,SAAS;;AAGlB,eAAe,wBAAwB,EAAE,cAAsC;AAG7E,KAAI,WAAW,WAAW,IAAI,IAAI,WAAW,WAAW,IAAI,CAC1D,QAAO,GAAG,SAAS,GAAG;AAExB,QAAO;;AAKT,SAAgB,kBACd,aACA,OACA,OACA;CACA,MAAM,UAAU;CAChB,MAAM,GAAG,QAAQ,QAAQ,YAAY,MAAM,QAAQ;CACnD,MAAM,cAAc,mBAAmB,KAAK,KAAK;CACjD,MAAM,iBAAiB,eAAe,KAAK,WAAW,MAAM;CAC5D,MAAM,MAAM,IAAI,IACd,QAAQ,cAAc,iBAAiB,KAAK,MAAM,EAAE,GAAG,OACxD;AACD,KAAI,aAAa,IAAI,OAAO,MAAM;CAClC,MAAM,KAAK,aAAa,IAAI,UAAU,CAAC,MAAM,QAAQ;AACrD,QAAO,GAAG,OAAO,GAAG,eAAe,iBAAiB,MAAM,MAAM,OAAO,UAAU,MAAM,GAAG,GAAG;;AAG/F,SAAS,UAAU;AACjB,QAAO,WAAW,WAAW,CAAC,QAAQ,OAAO,GAAG"}

package/dist/component/server/implementation/refresh.js

@@ -1,109 +0,0 @@
-import { throwAuthError } from "../errors.js";
-import { LOG_LEVELS, REFRESH_TOKEN_DIVIDER, logWithLevel, maybeRedact, stringToNumber } from "./utils.js";
-import { authDb } from "./db.js";
-
-//#region src/server/implementation/refresh.ts
-const DEFAULT_SESSION_INACTIVE_DURATION_MS = 1e3 * 60 * 60 * 24 * 30;
-const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1e3;
-async function createRefreshToken(ctx, config, sessionId, parentRefreshTokenId) {
-	const db = authDb(ctx, config);
-	const expirationTime = Date.now() + (config.session?.inactiveDurationMs ?? stringToNumber(process.env.AUTH_SESSION_INACTIVE_DURATION_MS) ?? DEFAULT_SESSION_INACTIVE_DURATION_MS);
-	return await db.refreshTokens.create({
-		sessionId,
-		expirationTime,
-		parentRefreshTokenId: parentRefreshTokenId ?? void 0
-	});
-}
-const formatRefreshToken = (refreshTokenId, sessionId) => {
-	return `${refreshTokenId}${REFRESH_TOKEN_DIVIDER}${sessionId}`;
-};
-const parseRefreshToken = (refreshToken) => {
-	const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);
-	if (!refreshTokenId || !sessionId) throwAuthError("INVALID_REFRESH_TOKEN", `Can't parse refresh token: ${maybeRedact(refreshToken)}`);
-	return {
-		refreshTokenId,
-		sessionId
-	};
-};
-/**
-* Mark all refresh tokens descending from the given refresh token as invalid immediately.
-* This is used when we detect an invalid use of a refresh token, and want to revoke
-* the entire tree.
-*
-* @param ctx
-* @param refreshToken
-*/
-async function invalidateRefreshTokensInSubtree(ctx, refreshToken, config) {
-	const db = authDb(ctx, config);
-	const tokensToInvalidate = [refreshToken];
-	let frontier = [refreshToken._id];
-	while (frontier.length > 0) {
-		const nextFrontier = [];
-		for (const currentTokenId of frontier) {
-			const children = await db.refreshTokens.getChildren(refreshToken.sessionId, currentTokenId);
-			tokensToInvalidate.push(...children);
-			nextFrontier.push(...children.map((child) => child._id));
-		}
-		frontier = nextFrontier;
-	}
-	for (const token of tokensToInvalidate) if (token.firstUsedTime === void 0 || token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS) await db.refreshTokens.patch(token._id, { firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS });
-	return tokensToInvalidate;
-}
-async function deleteAllRefreshTokens(ctx, sessionId, config) {
-	await authDb(ctx, config).refreshTokens.deleteAll(sessionId);
-}
-async function refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config) {
-	const db = authDb(ctx, config);
-	let refreshTokenDoc;
-	try {
-		refreshTokenDoc = await db.refreshTokens.getById(refreshTokenId);
-	} catch {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token format");
-		return null;
-	}
-	if (refreshTokenDoc === null) {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token");
-		return null;
-	}
-	if (refreshTokenDoc.expirationTime < Date.now()) {
-		logWithLevel(LOG_LEVELS.ERROR, "Expired refresh token");
-		return null;
-	}
-	if (refreshTokenDoc.sessionId !== tokenSessionId) {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session ID");
-		return null;
-	}
-	let session;
-	try {
-		session = await db.sessions.getById(refreshTokenDoc.sessionId);
-	} catch {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session format");
-		return null;
-	}
-	if (session === null) {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session");
-		return null;
-	}
-	if (session.expirationTime < Date.now()) {
-		logWithLevel(LOG_LEVELS.ERROR, "Expired refresh token session");
-		return null;
-	}
-	return {
-		session,
-		refreshTokenDoc
-	};
-}
-/**
-* The active refresh token is the most recently created refresh token that has
-* never been used.
-*
-* @param ctx
-* @param sessionId
-*/
-async function loadActiveRefreshToken(ctx, sessionId, config) {
-	return await authDb(ctx, config).refreshTokens.getActive(sessionId);
-}
-
-//#endregion
-export { REFRESH_TOKEN_REUSE_WINDOW_MS, createRefreshToken, deleteAllRefreshTokens, formatRefreshToken, invalidateRefreshTokensInSubtree, loadActiveRefreshToken, parseRefreshToken, refreshTokenIfValid };
-//# sourceMappingURL=refresh.js.map

package/dist/component/server/implementation/refresh.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"refresh.js","names":[],"sources":["../../../../src/server/implementation/refresh.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport { ConvexAuthConfig } from \"../types\";\nimport { throwAuthError } from \"../errors\";\nimport { Doc, MutationCtx } from \"./types\";\nimport {\n  LOG_LEVELS,\n  REFRESH_TOKEN_DIVIDER,\n  logWithLevel,\n  maybeRedact,\n  stringToNumber,\n} from \"./utils\";\nimport { authDb } from \"./db\";\n\nconst DEFAULT_SESSION_INACTIVE_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days\nexport const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1000; // 10 seconds\nexport async function createRefreshToken(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  sessionId: GenericId<\"session\">,\n  parentRefreshTokenId: GenericId<\"token\"> | null,\n): Promise<GenericId<\"token\">> {\n  const db = authDb(ctx, config);\n  const expirationTime =\n    Date.now() +\n    (config.session?.inactiveDurationMs ??\n      stringToNumber(process.env.AUTH_SESSION_INACTIVE_DURATION_MS) ??\n      DEFAULT_SESSION_INACTIVE_DURATION_MS);\n  const newRefreshTokenId = (await db.refreshTokens.create({\n    sessionId,\n    expirationTime,\n    parentRefreshTokenId: parentRefreshTokenId ?? undefined,\n  })) as GenericId<\"token\">;\n  return newRefreshTokenId;\n}\n\nexport const formatRefreshToken = (\n  refreshTokenId: GenericId<\"token\">,\n  sessionId: GenericId<\"session\">,\n) => {\n  return `${refreshTokenId}${REFRESH_TOKEN_DIVIDER}${sessionId}`;\n};\n\nexport const parseRefreshToken = (\n  refreshToken: string,\n): {\n  refreshTokenId: GenericId<\"token\">;\n  sessionId: GenericId<\"session\">;\n} => {\n  const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);\n  if (!refreshTokenId || !sessionId) {\n    throwAuthError(\"INVALID_REFRESH_TOKEN\", `Can't parse refresh token: ${maybeRedact(refreshToken)}`);\n  }\n  return {\n    refreshTokenId: refreshTokenId as GenericId<\"token\">,\n    sessionId: sessionId as GenericId<\"session\">,\n  };\n};\n\n/**\n * Mark all refresh tokens descending from the given refresh token as invalid immediately.\n * This is used when we detect an invalid use of a refresh token, and want to revoke\n * the entire tree.\n *\n * @param ctx\n * @param refreshToken\n */\nexport async function invalidateRefreshTokensInSubtree(\n  ctx: MutationCtx,\n  refreshToken: Doc<\"token\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const tokensToInvalidate = [refreshToken];\n  let frontier: GenericId<\"token\">[] = [refreshToken._id];\n  while (frontier.length > 0) {\n    const nextFrontier: GenericId<\"token\">[] = [];\n    for (const currentTokenId of frontier) {\n      const children = (await db.refreshTokens.getChildren(\n        refreshToken.sessionId,\n        currentTokenId,\n      )) as Doc<\"token\">[];\n      tokensToInvalidate.push(...children);\n      nextFrontier.push(...children.map((child) => child._id));\n    }\n    frontier = nextFrontier;\n  }\n  for (const token of tokensToInvalidate) {\n    // Mark these as used so they can't be used again (even within the reuse window)\n    if (\n      token.firstUsedTime === undefined ||\n      token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS\n    ) {\n      await db.refreshTokens.patch(token._id, {\n        firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,\n      });\n    }\n  }\n  return tokensToInvalidate;\n}\n\nexport async function deleteAllRefreshTokens(\n  ctx: MutationCtx,\n  sessionId: GenericId<\"session\">,\n  config: ConvexAuthConfig,\n) {\n  await authDb(ctx, config).refreshTokens.deleteAll(sessionId);\n}\n\nexport async function refreshTokenIfValid(\n  ctx: MutationCtx,\n  refreshTokenId: string,\n  tokenSessionId: string,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  let refreshTokenDoc: Doc<\"token\"> | null;\n  try {\n    refreshTokenDoc = (await db.refreshTokens.getById(\n      refreshTokenId as GenericId<\"token\">,\n    )) as Doc<\"token\"> | null;\n  } catch {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid refresh token format\");\n    return null;\n  }\n\n  if (refreshTokenDoc === null) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid refresh token\");\n    return null;\n  }\n  if (refreshTokenDoc.expirationTime < Date.now()) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Expired refresh token\");\n    return null;\n  }\n  if (refreshTokenDoc.sessionId !== tokenSessionId) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid refresh token session ID\");\n    return null;\n  }\n  let session: Doc<\"session\"> | null;\n  try {\n    session = (await db.sessions.getById(refreshTokenDoc.sessionId)) as\n      | Doc<\"session\">\n      | null;\n  } catch {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid refresh token session format\");\n    return null;\n  }\n  if (session === null) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid refresh token session\");\n    return null;\n  }\n  if (session.expirationTime < Date.now()) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Expired refresh token session\");\n    return null;\n  }\n  return { session, refreshTokenDoc };\n}\n/**\n * The active refresh token is the most recently created refresh token that has\n * never been used.\n *\n * @param ctx\n * @param sessionId\n */\nexport async function loadActiveRefreshToken(\n  ctx: MutationCtx,\n  sessionId: GenericId<\"session\">,\n  config: ConvexAuthConfig,\n) {\n  return (await authDb(ctx, config).refreshTokens.getActive(sessionId)) as\n    | Doc<\"token\">\n    | null;\n}\n"],"mappings":";;;;;AAaA,MAAM,uCAAuC,MAAO,KAAK,KAAK,KAAK;AACnE,MAAa,gCAAgC,KAAK;AAClD,eAAsB,mBACpB,KACA,QACA,WACA,sBAC6B;CAC7B,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,iBACJ,KAAK,KAAK,IACT,OAAO,SAAS,sBACf,eAAe,QAAQ,IAAI,kCAAkC,IAC7D;AAMJ,QAL2B,MAAM,GAAG,cAAc,OAAO;EACvD;EACA;EACA,sBAAsB,wBAAwB;EAC/C,CAAC;;AAIJ,MAAa,sBACX,gBACA,cACG;AACH,QAAO,GAAG,iBAAiB,wBAAwB;;AAGrD,MAAa,qBACX,iBAIG;CACH,MAAM,CAAC,gBAAgB,aAAa,aAAa,MAAM,sBAAsB;AAC7E,KAAI,CAAC,kBAAkB,CAAC,UACtB,gBAAe,yBAAyB,8BAA8B,YAAY,aAAa,GAAG;AAEpG,QAAO;EACW;EACL;EACZ;;;;;;;;;;AAWH,eAAsB,iCACpB,KACA,cACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,qBAAqB,CAAC,aAAa;CACzC,IAAI,WAAiC,CAAC,aAAa,IAAI;AACvD,QAAO,SAAS,SAAS,GAAG;EAC1B,MAAM,eAAqC,EAAE;AAC7C,OAAK,MAAM,kBAAkB,UAAU;GACrC,MAAM,WAAY,MAAM,GAAG,cAAc,YACvC,aAAa,WACb,eACD;AACD,sBAAmB,KAAK,GAAG,SAAS;AACpC,gBAAa,KAAK,GAAG,SAAS,KAAK,UAAU,MAAM,IAAI,CAAC;;AAE1D,aAAW;;AAEb,MAAK,MAAM,SAAS,mBAElB,KACE,MAAM,kBAAkB,UACxB,MAAM,gBAAgB,KAAK,KAAK,GAAG,8BAEnC,OAAM,GAAG,cAAc,MAAM,MAAM,KAAK,EACtC,eAAe,KAAK,KAAK,GAAG,+BAC7B,CAAC;AAGN,QAAO;;AAGT,eAAsB,uBACpB,KACA,WACA,QACA;AACA,OAAM,OAAO,KAAK,OAAO,CAAC,cAAc,UAAU,UAAU;;AAG9D,eAAsB,oBACpB,KACA,gBACA,gBACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,IAAI;AACJ,KAAI;AACF,oBAAmB,MAAM,GAAG,cAAc,QACxC,eACD;SACK;AACN,eAAa,WAAW,OAAO,+BAA+B;AAC9D,SAAO;;AAGT,KAAI,oBAAoB,MAAM;AAC5B,eAAa,WAAW,OAAO,wBAAwB;AACvD,SAAO;;AAET,KAAI,gBAAgB,iBAAiB,KAAK,KAAK,EAAE;AAC/C,eAAa,WAAW,OAAO,wBAAwB;AACvD,SAAO;;AAET,KAAI,gBAAgB,cAAc,gBAAgB;AAChD,eAAa,WAAW,OAAO,mCAAmC;AAClE,SAAO;;CAET,IAAI;AACJ,KAAI;AACF,YAAW,MAAM,GAAG,SAAS,QAAQ,gBAAgB,UAAU;SAGzD;AACN,eAAa,WAAW,OAAO,uCAAuC;AACtE,SAAO;;AAET,KAAI,YAAY,MAAM;AACpB,eAAa,WAAW,OAAO,gCAAgC;AAC/D,SAAO;;AAET,KAAI,QAAQ,iBAAiB,KAAK,KAAK,EAAE;AACvC,eAAa,WAAW,OAAO,gCAAgC;AAC/D,SAAO;;AAET,QAAO;EAAE;EAAS;EAAiB;;;;;;;;;AASrC,eAAsB,uBACpB,KACA,WACA,QACA;AACA,QAAQ,MAAM,OAAO,KAAK,OAAO,CAAC,cAAc,UAAU,UAAU"}

package/dist/component/server/implementation/sessions.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"sessions.js","names":[],"sources":["../../../../src/server/implementation/sessions.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport { ConvexAuthConfig } from \"../types\";\nimport { Doc, MutationCtx, SessionInfo } from \"./types\";\nimport { Auth } from \"convex/server\";\nimport {\n  LOG_LEVELS,\n  TOKEN_SUB_CLAIM_DIVIDER,\n  logWithLevel,\n  maybeRedact,\n  stringToNumber,\n} from \"./utils\";\nimport { generateToken } from \"./tokens\";\nimport {\n  createRefreshToken,\n  formatRefreshToken,\n  deleteAllRefreshTokens,\n} from \"./refresh\";\nimport { authDb } from \"./db\";\n\nconst DEFAULT_SESSION_TOTAL_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days\n\nexport async function maybeGenerateTokensForSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  userId: GenericId<\"user\">,\n  sessionId: GenericId<\"session\">,\n  generateTokens: boolean,\n): Promise<SessionInfo> {\n  return {\n    userId,\n    sessionId,\n    tokens: generateTokens\n      ? await generateTokensForSession(ctx, config, {\n          userId,\n          sessionId,\n          issuedRefreshTokenId: null,\n          parentRefreshTokenId: null,\n        })\n      : null,\n  };\n}\n\nexport async function createNewAndDeleteExistingSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  userId: GenericId<\"user\">,\n) {\n  const db = authDb(ctx, config);\n  const existingSessionId = await getAuthSessionId(ctx);\n  if (existingSessionId !== null) {\n    const existingSession = await db.sessions.getById(existingSessionId);\n    if (existingSession !== null) {\n      await deleteSession(ctx, existingSession, config);\n    }\n  }\n  return await createSession(ctx, userId, config);\n}\n\nexport async function generateTokensForSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  args: {\n    userId: GenericId<\"user\">;\n    sessionId: GenericId<\"session\">;\n    issuedRefreshTokenId: GenericId<\"token\"> | null;\n    parentRefreshTokenId: GenericId<\"token\"> | null;\n  },\n) {\n  const ids = { userId: args.userId, sessionId: args.sessionId };\n  const refreshTokenId =\n    args.issuedRefreshTokenId ??\n    (await createRefreshToken(\n      ctx,\n      config,\n      args.sessionId,\n      args.parentRefreshTokenId,\n    ));\n  const result = {\n    token: await generateToken(ids, config),\n    refreshToken: formatRefreshToken(refreshTokenId, args.sessionId),\n  };\n  logWithLevel(\n    LOG_LEVELS.DEBUG,\n    `Generated token ${maybeRedact(result.token)} and refresh token ${maybeRedact(refreshTokenId)} for session ${maybeRedact(args.sessionId)}`,\n  );\n  return result;\n}\n\nasync function createSession(\n  ctx: MutationCtx,\n  userId: GenericId<\"user\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const expirationTime =\n    Date.now() +\n    (config.session?.totalDurationMs ??\n      stringToNumber(process.env.AUTH_SESSION_TOTAL_DURATION_MS) ??\n      DEFAULT_SESSION_TOTAL_DURATION_MS);\n  return (await db.sessions.create(userId, expirationTime)) as GenericId<\"session\">;\n}\n\nexport async function deleteSession(\n  ctx: MutationCtx,\n  session: Doc<\"session\">,\n  config: ConvexAuthConfig,\n) {\n  await authDb(ctx, config).sessions.delete(session._id);\n  await deleteAllRefreshTokens(ctx, session._id, config);\n}\n\n/**\n * Return the current session ID from the auth identity subject.\n *\n * Internal helper used by auth runtime internals and `auth.session.current`.\n */\nexport async function getAuthSessionId(ctx: { auth: Auth }) {\n  const identity = await ctx.auth.getUserIdentity();\n  if (identity === null) {\n    return null;\n  }\n  const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n  return sessionId as GenericId<\"session\">;\n}\n"],"mappings":";;;;;;AAmBA,MAAM,oCAAoC,MAAO,KAAK,KAAK,KAAK;AAEhE,eAAsB,8BACpB,KACA,QACA,QACA,WACA,gBACsB;AACtB,QAAO;EACL;EACA;EACA,QAAQ,iBACJ,MAAM,yBAAyB,KAAK,QAAQ;GAC1C;GACA;GACA,sBAAsB;GACtB,sBAAsB;GACvB,CAAC,GACF;EACL;;AAGH,eAAsB,kCACpB,KACA,QACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,oBAAoB,MAAM,iBAAiB,IAAI;AACrD,KAAI,sBAAsB,MAAM;EAC9B,MAAM,kBAAkB,MAAM,GAAG,SAAS,QAAQ,kBAAkB;AACpE,MAAI,oBAAoB,KACtB,OAAM,cAAc,KAAK,iBAAiB,OAAO;;AAGrD,QAAO,MAAM,cAAc,KAAK,QAAQ,OAAO;;AAGjD,eAAsB,yBACpB,KACA,QACA,MAMA;CACA,MAAM,MAAM;EAAE,QAAQ,KAAK;EAAQ,WAAW,KAAK;EAAW;CAC9D,MAAM,iBACJ,KAAK,wBACJ,MAAM,mBACL,KACA,QACA,KAAK,WACL,KAAK,qBACN;CACH,MAAM,SAAS;EACb,OAAO,MAAM,cAAc,KAAK,OAAO;EACvC,cAAc,mBAAmB,gBAAgB,KAAK,UAAU;EACjE;AACD,cACE,WAAW,OACX,mBAAmB,YAAY,OAAO,MAAM,CAAC,qBAAqB,YAAY,eAAe,CAAC,eAAe,YAAY,KAAK,UAAU,GACzI;AACD,QAAO;;AAGT,eAAe,cACb,KACA,QACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,iBACJ,KAAK,KAAK,IACT,OAAO,SAAS,mBACf,eAAe,QAAQ,IAAI,+BAA+B,IAC1D;AACJ,QAAQ,MAAM,GAAG,SAAS,OAAO,QAAQ,eAAe;;AAG1D,eAAsB,cACpB,KACA,SACA,QACA;AACA,OAAM,OAAO,KAAK,OAAO,CAAC,SAAS,OAAO,QAAQ,IAAI;AACtD,OAAM,uBAAuB,KAAK,QAAQ,KAAK,OAAO;;;;;;;AAQxD,eAAsB,iBAAiB,KAAqB;CAC1D,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,KAAI,aAAa,KACf,QAAO;CAET,MAAM,GAAG,aAAa,SAAS,QAAQ,MAAM,wBAAwB;AACrE,QAAO"}

package/dist/component/server/implementation/signin.js

@@ -1,148 +0,0 @@
-import { throwAuthError } from "../errors.js";
-import { requireEnv } from "../utils.js";
-import { generateRandomString } from "./utils.js";
-import { callSignIn } from "./mutations/signin.js";
-import { callRefreshSession } from "./mutations/refresh.js";
-import { callVerifyCodeAndSignIn } from "./mutations/verify.js";
-import { callVerifierSignature } from "./mutations/signature.js";
-import { callCreateVerificationCode } from "./mutations/code.js";
-import { callVerifier } from "./mutations/verifier.js";
-import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
-import { handlePasskey } from "./passkey.js";
-import { checkTotpRequired, handleTotp } from "./totp.js";
-import { handleDevice } from "./device.js";
-
-//#region src/server/implementation/signin.ts
-const DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 3600 * 24;
-async function signInImpl(ctx, provider, args, options) {
-	if (provider === null && args.refreshToken) {
-		const tokens = await callRefreshSession(ctx, { refreshToken: args.refreshToken });
-		if (tokens === null) return {
-			kind: "signedIn",
-			signedIn: null
-		};
-		return {
-			kind: "refreshTokens",
-			signedIn: { tokens }
-		};
-	}
-	if (provider === null && args.params?.code !== void 0) return {
-		kind: "signedIn",
-		signedIn: await callVerifyCodeAndSignIn(ctx, {
-			params: args.params,
-			verifier: args.verifier,
-			generateTokens: true,
-			allowExtraProviders: options.allowExtraProviders
-		})
-	};
-	if (provider === null) throwAuthError("SIGN_IN_MISSING_PARAMS");
-	if (provider.type === "email" || provider.type === "phone") return handleEmailAndPhoneProvider(ctx, provider, args, options);
-	if (provider.type === "credentials") return handleCredentials(ctx, provider, args, options);
-	if (provider.type === "oauth") return handleOAuthProvider(ctx, provider, args, options);
-	if (provider.type === "passkey") return handlePasskey(ctx, provider, args);
-	if (provider.type === "totp") return handleTotp(ctx, provider, args);
-	if (provider.type === "device") return handleDevice(ctx, provider, args);
-	throwAuthError("UNSUPPORTED_PROVIDER_TYPE", `Provider type ${provider.type} is not supported yet`);
-}
-async function handleEmailAndPhoneProvider(ctx, provider, args, options) {
-	if (args.params?.code !== void 0) {
-		const result = await callVerifyCodeAndSignIn(ctx, {
-			params: args.params,
-			provider: provider.id,
-			generateTokens: options.generateTokens,
-			allowExtraProviders: options.allowExtraProviders
-		});
-		if (result === null) throwAuthError("INVALID_VERIFICATION_CODE");
-		return {
-			kind: "signedIn",
-			signedIn: result
-		};
-	}
-	const code = provider.generateVerificationToken ? await provider.generateVerificationToken() : generateRandomString(32, "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
-	const expirationTime = Date.now() + (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1e3;
-	const verificationArgs = {
-		identifier: await callCreateVerificationCode(ctx, {
-			provider: provider.id,
-			accountId: args.accountId,
-			email: args.params?.email,
-			phone: args.params?.phone,
-			code,
-			expirationTime,
-			allowExtraProviders: options.allowExtraProviders
-		}),
-		url: setURLSearchParam(await redirectAbsoluteUrl(ctx.auth.config, args.params ?? {}), "code", code),
-		token: code,
-		expires: new Date(expirationTime)
-	};
-	if (provider.type === "email") await provider.sendVerificationRequest({
-		...verificationArgs,
-		provider,
-		request: new Request("http://localhost")
-	}, ctx);
-	else if (provider.type === "phone") await provider.sendVerificationRequest({
-		...verificationArgs,
-		provider
-	}, ctx);
-	return {
-		kind: "started",
-		started: true
-	};
-}
-async function handleCredentials(ctx, provider, args, options) {
-	const result = await provider.authorize(args.params ?? {}, ctx);
-	if (result === null) return {
-		kind: "signedIn",
-		signedIn: null
-	};
-	if (await checkTotpRequired(ctx, result.userId)) {
-		await callSignIn(ctx, {
-			userId: result.userId,
-			sessionId: result.sessionId,
-			generateTokens: false
-		});
-		const verifier = await callVerifier(ctx);
-		await callVerifierSignature(ctx, {
-			verifier,
-			signature: JSON.stringify({ userId: result.userId })
-		});
-		return {
-			kind: "totpRequired",
-			verifier
-		};
-	}
-	return {
-		kind: "signedIn",
-		signedIn: await callSignIn(ctx, {
-			userId: result.userId,
-			sessionId: result.sessionId,
-			generateTokens: options.generateTokens
-		})
-	};
-}
-async function handleOAuthProvider(ctx, provider, args, options) {
-	if (args.params?.code !== void 0) return {
-		kind: "signedIn",
-		signedIn: await callVerifyCodeAndSignIn(ctx, {
-			params: args.params,
-			verifier: args.verifier,
-			generateTokens: true,
-			allowExtraProviders: options.allowExtraProviders
-		})
-	};
-	const redirect = new URL((process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv("CONVEX_SITE_URL")) + `/api/auth/signin/${provider.id}`);
-	const verifier = await callVerifier(ctx);
-	redirect.searchParams.set("code", verifier);
-	if (args.params?.redirectTo !== void 0) {
-		if (typeof args.params.redirectTo !== "string") throwAuthError("INVALID_REDIRECT", `Expected \`redirectTo\` to be a string, got ${args.params.redirectTo}`);
-		redirect.searchParams.set("redirectTo", args.params.redirectTo);
-	}
-	return {
-		kind: "redirect",
-		redirect: redirect.toString(),
-		verifier
-	};
-}
-
-//#endregion
-export { signInImpl };
-//# sourceMappingURL=signin.js.map

package/dist/component/server/implementation/signin.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"signin.js","names":[],"sources":["../../../../src/server/implementation/signin.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport {\n  AuthProviderMaterializedConfig,\n  ConvexCredentialsConfig,\n  EmailConfig,\n  GenericActionCtxWithAuthConfig,\n  PhoneConfig,\n} from \"../types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  SessionInfoWithTokens,\n  Tokens,\n} from \"./types\";\nimport {\n  callCreateVerificationCode,\n  callRefreshSession,\n  callSignIn,\n  callVerifier,\n  callVerifierSignature,\n  callVerifyCodeAndSignIn,\n} from \"./mutations/index\";\nimport { redirectAbsoluteUrl, setURLSearchParam } from \"./redirects\";\nimport { requireEnv } from \"../utils\";\nimport type { OAuthMaterializedConfig } from \"../types\";\nimport { generateRandomString } from \"./utils\";\nimport { handlePasskey } from \"./passkey\";\nimport { handleTotp, checkTotpRequired } from \"./totp\";\nimport { handleDevice } from \"./device\";\nimport { throwAuthError } from \"../errors\";\n\nconst DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 60 * 60 * 24; // 24 hours\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\nexport async function signInImpl(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): Promise<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  // refresh tokens\n  | { kind: \"refreshTokens\"; signedIn: { tokens: Tokens } }\n  // Multi-step flows like magic link + OTP\n  | { kind: \"started\"; started: true }\n  // OAuth flows\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n  // Passkey options (challenge + credential options)\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n  // TOTP 2FA required after credentials sign-in\n  | { kind: \"totpRequired\"; verifier: string }\n  // TOTP setup response (enrollment)\n  | { kind: \"totpSetup\"; uri: string; secret: string; verifier: string; totpId: string }\n  // Device authorization (RFC 8628) — codes for the device to display\n  | {\n      kind: \"deviceCode\";\n      deviceCode: string;\n      userCode: string;\n      verificationUri: string;\n      verificationUriComplete: string;\n      expiresIn: number;\n      interval: number;\n    }\n> {\n  if (provider === null && args.refreshToken) {\n    const tokens = await callRefreshSession(ctx, {\n      refreshToken: args.refreshToken,\n    });\n    if (tokens === null) {\n      return { kind: \"signedIn\", signedIn: null };\n    }\n    return { kind: \"refreshTokens\", signedIn: { tokens } };\n  }\n  if (provider === null && args.params?.code !== undefined) {\n    const result = await callVerifyCodeAndSignIn(ctx, {\n      params: args.params,\n      verifier: args.verifier,\n      generateTokens: true,\n      allowExtraProviders: options.allowExtraProviders,\n    });\n    return {\n      kind: \"signedIn\",\n      signedIn: result,\n    };\n  }\n\n  if (provider === null) {\n    throwAuthError(\"SIGN_IN_MISSING_PARAMS\");\n  }\n  if (provider.type === \"email\" || provider.type === \"phone\") {\n    return handleEmailAndPhoneProvider(ctx, provider, args, options);\n  }\n  if (provider.type === \"credentials\") {\n    return handleCredentials(ctx, provider, args, options);\n  }\n  if (provider.type === \"oauth\") {\n    return handleOAuthProvider(ctx, provider, args, options);\n  }\n  if (provider.type === \"passkey\") {\n    return handlePasskey(ctx, provider, args);\n  }\n  if (provider.type === \"totp\") {\n    return handleTotp(ctx, provider, args);\n  }\n  if (provider.type === \"device\") {\n    return handleDevice(ctx, provider, args);\n  }\n  const _typecheck: never = provider;\n  throwAuthError(\n    \"UNSUPPORTED_PROVIDER_TYPE\",\n    `Provider type ${(provider as any).type} is not supported yet`,\n  );\n}\n\nasync function handleEmailAndPhoneProvider(\n  ctx: EnrichedActionCtx,\n  provider: EmailConfig | PhoneConfig,\n  args: {\n    params?: Record<string, any>;\n    accountId?: GenericId<\"account\">;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): Promise<\n  | { kind: \"started\"; started: true }\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens }\n> {\n  if (args.params?.code !== undefined) {\n    const result = await callVerifyCodeAndSignIn(ctx, {\n      params: args.params,\n      provider: provider.id,\n      generateTokens: options.generateTokens,\n      allowExtraProviders: options.allowExtraProviders,\n    });\n    if (result === null) {\n      throwAuthError(\"INVALID_VERIFICATION_CODE\");\n    }\n    return {\n      kind: \"signedIn\",\n      signedIn: result as SessionInfoWithTokens,\n    };\n  }\n\n  const alphabet =\n    \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\";\n  const code = provider.generateVerificationToken\n    ? await provider.generateVerificationToken()\n    : generateRandomString(32, alphabet);\n  const expirationTime =\n    Date.now() +\n    (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1000;\n\n  const identifier = await callCreateVerificationCode(ctx, {\n    provider: provider.id,\n    accountId: args.accountId,\n    email: args.params?.email,\n    phone: args.params?.phone,\n    code,\n    expirationTime,\n    allowExtraProviders: options.allowExtraProviders,\n  });\n  const destination = await redirectAbsoluteUrl(\n    ctx.auth.config,\n    (args.params ?? {}) as { redirectTo: unknown },\n  );\n  const verificationArgs = {\n    identifier,\n    url: setURLSearchParam(destination, \"code\", code),\n    token: code,\n    expires: new Date(expirationTime),\n  };\n  if (provider.type === \"email\") {\n    await provider.sendVerificationRequest(\n      {\n        ...verificationArgs,\n        provider,\n        request: new Request(\"http://localhost\"),\n      },\n      ctx,\n    );\n  } else if (provider.type === \"phone\") {\n    await provider.sendVerificationRequest(\n      { ...verificationArgs, provider },\n      ctx,\n    );\n  }\n  return { kind: \"started\", started: true };\n}\n\nasync function handleCredentials(\n  ctx: EnrichedActionCtx,\n  provider: ConvexCredentialsConfig,\n  args: {\n    params?: Record<string, any>;\n  },\n  options: {\n    generateTokens: boolean;\n  },\n): Promise<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"totpRequired\"; verifier: string }\n> {\n  const result = await provider.authorize(args.params ?? {}, ctx);\n  if (result === null) {\n    return { kind: \"signedIn\", signedIn: null };\n  }\n  // Check if user has TOTP 2FA enrolled before issuing tokens\n  const hasTotpEnrolled = await checkTotpRequired(ctx, result.userId);\n  if (hasTotpEnrolled) {\n    // Create session but withhold tokens — TOTP verification needed\n    await callSignIn(ctx, {\n      userId: result.userId,\n      sessionId: result.sessionId,\n      generateTokens: false,\n    });\n    // Store userId in verifier so the TOTP verify flow can complete sign-in\n    const verifier = await callVerifier(ctx);\n    await callVerifierSignature(ctx, {\n      verifier,\n      signature: JSON.stringify({ userId: result.userId }),\n    });\n    return { kind: \"totpRequired\", verifier };\n  }\n\n  const idsAndTokens = await callSignIn(ctx, {\n    userId: result.userId,\n    sessionId: result.sessionId,\n    generateTokens: options.generateTokens,\n  });\n  return {\n    kind: \"signedIn\",\n    signedIn: idsAndTokens,\n  };\n}\n\nasync function handleOAuthProvider(\n  ctx: EnrichedActionCtx,\n  provider: OAuthMaterializedConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n  options: {\n    allowExtraProviders: boolean;\n  },\n): Promise<\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens | null }\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n> {\n  // We have this action because:\n  // 1. We remember the current sessionId if any, so we can link accounts\n  // 2. The client doesn't need to know the HTTP Actions URL\n  //    of the backend (this simplifies using local backend)\n  // 3. The client doesn't need to know which provider is of which type,\n  //    and hence which provider requires client-side redirect\n  // 4. On mobile the client can complete the flow manually\n  if (args.params?.code !== undefined) {\n    const result = await callVerifyCodeAndSignIn(ctx, {\n      params: args.params,\n      verifier: args.verifier,\n      generateTokens: true,\n      allowExtraProviders: options.allowExtraProviders,\n    });\n    return {\n      kind: \"signedIn\",\n      signedIn: result as SessionInfoWithTokens | null,\n    };\n  }\n  const redirect = new URL(\n    (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\")) + `/api/auth/signin/${provider.id}`,\n  );\n  const verifier = await callVerifier(ctx);\n  redirect.searchParams.set(\"code\", verifier);\n  if (args.params?.redirectTo !== undefined) {\n    if (typeof args.params.redirectTo !== \"string\") {\n      throwAuthError(\n        \"INVALID_REDIRECT\",\n        `Expected \\`redirectTo\\` to be a string, got ${args.params.redirectTo}`,\n      );\n    }\n    redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n  }\n  return { kind: \"redirect\", redirect: redirect.toString(), verifier };\n}\n"],"mappings":";;;;;;;;;;;;;;;AA+BA,MAAM,6CAA6C,OAAU;AAI7D,eAAsB,WACpB,KACA,UACA,MAOA,SA4BA;AACA,KAAI,aAAa,QAAQ,KAAK,cAAc;EAC1C,MAAM,SAAS,MAAM,mBAAmB,KAAK,EAC3C,cAAc,KAAK,cACpB,CAAC;AACF,MAAI,WAAW,KACb,QAAO;GAAE,MAAM;GAAY,UAAU;GAAM;AAE7C,SAAO;GAAE,MAAM;GAAiB,UAAU,EAAE,QAAQ;GAAE;;AAExD,KAAI,aAAa,QAAQ,KAAK,QAAQ,SAAS,OAO7C,QAAO;EACL,MAAM;EACN,UARa,MAAM,wBAAwB,KAAK;GAChD,QAAQ,KAAK;GACb,UAAU,KAAK;GACf,gBAAgB;GAChB,qBAAqB,QAAQ;GAC9B,CAAC;EAID;AAGH,KAAI,aAAa,KACf,gBAAe,yBAAyB;AAE1C,KAAI,SAAS,SAAS,WAAW,SAAS,SAAS,QACjD,QAAO,4BAA4B,KAAK,UAAU,MAAM,QAAQ;AAElE,KAAI,SAAS,SAAS,cACpB,QAAO,kBAAkB,KAAK,UAAU,MAAM,QAAQ;AAExD,KAAI,SAAS,SAAS,QACpB,QAAO,oBAAoB,KAAK,UAAU,MAAM,QAAQ;AAE1D,KAAI,SAAS,SAAS,UACpB,QAAO,cAAc,KAAK,UAAU,KAAK;AAE3C,KAAI,SAAS,SAAS,OACpB,QAAO,WAAW,KAAK,UAAU,KAAK;AAExC,KAAI,SAAS,SAAS,SACpB,QAAO,aAAa,KAAK,UAAU,KAAK;AAG1C,gBACE,6BACA,iBAAkB,SAAiB,KAAK,uBACzC;;AAGH,eAAe,4BACb,KACA,UACA,MAIA,SAOA;AACA,KAAI,KAAK,QAAQ,SAAS,QAAW;EACnC,MAAM,SAAS,MAAM,wBAAwB,KAAK;GAChD,QAAQ,KAAK;GACb,UAAU,SAAS;GACnB,gBAAgB,QAAQ;GACxB,qBAAqB,QAAQ;GAC9B,CAAC;AACF,MAAI,WAAW,KACb,gBAAe,4BAA4B;AAE7C,SAAO;GACL,MAAM;GACN,UAAU;GACX;;CAKH,MAAM,OAAO,SAAS,4BAClB,MAAM,SAAS,2BAA2B,GAC1C,qBAAqB,IAHvB,iEAGoC;CACtC,MAAM,iBACJ,KAAK,KAAK,IACT,SAAS,UAAU,8CAA8C;CAepE,MAAM,mBAAmB;EACvB,YAdiB,MAAM,2BAA2B,KAAK;GACvD,UAAU,SAAS;GACnB,WAAW,KAAK;GAChB,OAAO,KAAK,QAAQ;GACpB,OAAO,KAAK,QAAQ;GACpB;GACA;GACA,qBAAqB,QAAQ;GAC9B,CAAC;EAOA,KAAK,kBANa,MAAM,oBACxB,IAAI,KAAK,QACR,KAAK,UAAU,EAAE,CACnB,EAGqC,QAAQ,KAAK;EACjD,OAAO;EACP,SAAS,IAAI,KAAK,eAAe;EAClC;AACD,KAAI,SAAS,SAAS,QACpB,OAAM,SAAS,wBACb;EACE,GAAG;EACH;EACA,SAAS,IAAI,QAAQ,mBAAmB;EACzC,EACD,IACD;UACQ,SAAS,SAAS,QAC3B,OAAM,SAAS,wBACb;EAAE,GAAG;EAAkB;EAAU,EACjC,IACD;AAEH,QAAO;EAAE,MAAM;EAAW,SAAS;EAAM;;AAG3C,eAAe,kBACb,KACA,UACA,MAGA,SAMA;CACA,MAAM,SAAS,MAAM,SAAS,UAAU,KAAK,UAAU,EAAE,EAAE,IAAI;AAC/D,KAAI,WAAW,KACb,QAAO;EAAE,MAAM;EAAY,UAAU;EAAM;AAI7C,KADwB,MAAM,kBAAkB,KAAK,OAAO,OAAO,EAC9C;AAEnB,QAAM,WAAW,KAAK;GACpB,QAAQ,OAAO;GACf,WAAW,OAAO;GAClB,gBAAgB;GACjB,CAAC;EAEF,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,QAAM,sBAAsB,KAAK;GAC/B;GACA,WAAW,KAAK,UAAU,EAAE,QAAQ,OAAO,QAAQ,CAAC;GACrD,CAAC;AACF,SAAO;GAAE,MAAM;GAAgB;GAAU;;AAQ3C,QAAO;EACL,MAAM;EACN,UAPmB,MAAM,WAAW,KAAK;GACzC,QAAQ,OAAO;GACf,WAAW,OAAO;GAClB,gBAAgB,QAAQ;GACzB,CAAC;EAID;;AAGH,eAAe,oBACb,KACA,UACA,MAIA,SAMA;AAQA,KAAI,KAAK,QAAQ,SAAS,OAOxB,QAAO;EACL,MAAM;EACN,UARa,MAAM,wBAAwB,KAAK;GAChD,QAAQ,KAAK;GACb,UAAU,KAAK;GACf,gBAAgB;GAChB,qBAAqB,QAAQ;GAC9B,CAAC;EAID;CAEH,MAAM,WAAW,IAAI,KAClB,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB,IAAI,oBAAoB,SAAS,KACpG;CACD,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,UAAS,aAAa,IAAI,QAAQ,SAAS;AAC3C,KAAI,KAAK,QAAQ,eAAe,QAAW;AACzC,MAAI,OAAO,KAAK,OAAO,eAAe,SACpC,gBACE,oBACA,+CAA+C,KAAK,OAAO,aAC5D;AAEH,WAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;;AAEjE,QAAO;EAAE,MAAM;EAAY,UAAU,SAAS,UAAU;EAAE;EAAU"}

package/dist/component/server/implementation/tokens.js

@@ -1,15 +0,0 @@
-import { requireEnv } from "../utils.js";
-import { TOKEN_SUB_CLAIM_DIVIDER } from "./utils.js";
-import { SignJWT, importPKCS8 } from "jose";
-
-//#region src/server/implementation/tokens.ts
-const DEFAULT_JWT_DURATION_MS = 1e3 * 60 * 60;
-async function generateToken(args, config) {
-	const privateKey = await importPKCS8(requireEnv("JWT_PRIVATE_KEY"), "RS256");
-	const expirationTime = new Date(Date.now() + (config.jwt?.durationMs ?? DEFAULT_JWT_DURATION_MS));
-	return await new SignJWT({ sub: args.userId + TOKEN_SUB_CLAIM_DIVIDER + args.sessionId }).setProtectedHeader({ alg: "RS256" }).setIssuedAt().setIssuer(requireEnv("CONVEX_SITE_URL")).setAudience("convex").setExpirationTime(expirationTime).sign(privateKey);
-}
-
-//#endregion
-export { generateToken };
-//# sourceMappingURL=tokens.js.map

package/dist/component/server/implementation/tokens.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"tokens.js","names":[],"sources":["../../../../src/server/implementation/tokens.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport { ConvexAuthConfig } from \"../types\";\nimport { SignJWT, importPKCS8 } from \"jose\";\nimport { requireEnv } from \"../utils\";\nimport { TOKEN_SUB_CLAIM_DIVIDER } from \"./utils\";\n\nconst DEFAULT_JWT_DURATION_MS = 1000 * 60 * 60; // 1 hour\n\nexport async function generateToken(\n  args: {\n    userId: GenericId<\"user\">;\n    sessionId: GenericId<\"session\">;\n  },\n  config: ConvexAuthConfig,\n) {\n  const privateKey = await importPKCS8(requireEnv(\"JWT_PRIVATE_KEY\"), \"RS256\");\n  const expirationTime = new Date(\n    Date.now() + (config.jwt?.durationMs ?? DEFAULT_JWT_DURATION_MS),\n  );\n  return await new SignJWT({\n    sub: args.userId + TOKEN_SUB_CLAIM_DIVIDER + args.sessionId,\n  })\n    .setProtectedHeader({ alg: \"RS256\" })\n    .setIssuedAt()\n    .setIssuer(requireEnv(\"CONVEX_SITE_URL\"))\n    .setAudience(\"convex\")\n    .setExpirationTime(expirationTime)\n    .sign(privateKey);\n}\n"],"mappings":";;;;;AAMA,MAAM,0BAA0B,MAAO,KAAK;AAE5C,eAAsB,cACpB,MAIA,QACA;CACA,MAAM,aAAa,MAAM,YAAY,WAAW,kBAAkB,EAAE,QAAQ;CAC5E,MAAM,iBAAiB,IAAI,KACzB,KAAK,KAAK,IAAI,OAAO,KAAK,cAAc,yBACzC;AACD,QAAO,MAAM,IAAI,QAAQ,EACvB,KAAK,KAAK,SAAS,0BAA0B,KAAK,WACnD,CAAC,CACC,mBAAmB,EAAE,KAAK,SAAS,CAAC,CACpC,aAAa,CACb,UAAU,WAAW,kBAAkB,CAAC,CACxC,YAAY,SAAS,CACrB,kBAAkB,eAAe,CACjC,KAAK,WAAW"}