@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/server/implementation/mutations/verify.js

@@ -1,105 +0,0 @@
-import { LOG_LEVELS, logWithLevel, sha256 } from "../utils.js";
-import { authDb } from "../db.js";
-import { createNewAndDeleteExistingSession, getAuthSessionId, maybeGenerateTokensForSession } from "../sessions.js";
-import { AUTH_STORE_REF } from "./store.js";
-import { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit } from "../ratelimit.js";
-import { upsertUserAndAccount } from "../users.js";
-import { v } from "convex/values";
-
-//#region src/server/implementation/mutations/verify.ts
-const verifyCodeAndSignInArgs = v.object({
-	params: v.any(),
-	provider: v.optional(v.string()),
-	verifier: v.optional(v.string()),
-	generateTokens: v.boolean(),
-	allowExtraProviders: v.boolean()
-});
-async function verifyCodeAndSignInImpl(ctx, args, getProviderOrThrow, config) {
-	logWithLevel(LOG_LEVELS.DEBUG, "verifyCodeAndSignInImpl args:", {
-		params: {
-			email: args.params.email,
-			phone: args.params.phone
-		},
-		provider: args.provider,
-		verifier: args.verifier,
-		generateTokens: args.generateTokens,
-		allowExtraProviders: args.allowExtraProviders
-	});
-	const { generateTokens, provider, allowExtraProviders } = args;
-	const identifier = args.params.email ?? args.params.phone;
-	if (identifier !== void 0) {
-		if (await isSignInRateLimited(ctx, identifier, config)) {
-			logWithLevel(LOG_LEVELS.ERROR, "Too many failed attempts to verify code for this email");
-			return null;
-		}
-	}
-	const verifyResult = await verifyCodeOnly(ctx, args, provider ?? null, getProviderOrThrow, allowExtraProviders, config, await getAuthSessionId(ctx));
-	if (verifyResult === null) {
-		if (identifier !== void 0) await recordFailedSignIn(ctx, identifier, config);
-		return null;
-	}
-	if (identifier !== void 0) await resetSignInRateLimit(ctx, identifier, config);
-	const { userId } = verifyResult;
-	return await maybeGenerateTokensForSession(ctx, config, userId, await createNewAndDeleteExistingSession(ctx, config, userId), generateTokens);
-}
-const callVerifyCodeAndSignIn = async (ctx, args) => {
-	return ctx.runMutation(AUTH_STORE_REF, { args: {
-		type: "verifyCodeAndSignIn",
-		...args
-	} });
-};
-async function verifyCodeOnly(ctx, args, methodProviderId, getProviderOrThrow, allowExtraProviders, config, sessionId) {
-	const db = authDb(ctx, config);
-	const { params, verifier } = args;
-	const codeHash = await sha256(params.code);
-	const verificationCode = await db.verificationCodes.getByCode(codeHash);
-	if (verificationCode === null) {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid verification code");
-		return null;
-	}
-	await db.verificationCodes.delete(verificationCode._id);
-	if (verificationCode.verifier !== verifier) {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid verifier");
-		return null;
-	}
-	if (verificationCode.expirationTime < Date.now()) {
-		logWithLevel(LOG_LEVELS.ERROR, "Expired verification code");
-		return null;
-	}
-	const { accountId, emailVerified, phoneVerified } = verificationCode;
-	const account = await db.accounts.getById(accountId);
-	if (account === null) {
-		logWithLevel(LOG_LEVELS.ERROR, "Account associated with this email has been deleted");
-		return null;
-	}
-	if (methodProviderId !== null && verificationCode.provider !== methodProviderId) {
-		logWithLevel(LOG_LEVELS.ERROR, `Invalid provider "${methodProviderId}" for given \`code\`, which was generated by provider "${verificationCode.provider}"`);
-		return null;
-	}
-	const methodProvider = getProviderOrThrow(verificationCode.provider, allowExtraProviders);
-	if (methodProvider !== null && (methodProvider.type === "email" || methodProvider.type === "phone") && methodProvider.authorize !== void 0) await methodProvider.authorize(args.params, account);
-	let userId = account.userId;
-	const provider = getProviderOrThrow(account.provider);
-	if (provider.type !== "oauth") ({userId} = await upsertUserAndAccount(ctx, sessionId, { existingAccount: account }, {
-		type: "verification",
-		provider,
-		profile: {
-			...emailVerified !== void 0 ? {
-				email: emailVerified,
-				emailVerified: true
-			} : {},
-			...phoneVerified !== void 0 ? {
-				phone: phoneVerified,
-				phoneVerified: true
-			} : {}
-		}
-	}, config));
-	return {
-		providerAccountId: account.providerAccountId,
-		userId
-	};
-}
-
-//#endregion
-export { callVerifyCodeAndSignIn, verifyCodeAndSignInArgs, verifyCodeAndSignInImpl };
-//# sourceMappingURL=verify.js.map

package/dist/server/implementation/mutations/verify.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"verify.js","names":[],"sources":["../../../../src/server/implementation/mutations/verify.ts"],"sourcesContent":["import { GenericId, Infer, v } from \"convex/values\";\nimport { ActionCtx, MutationCtx, SessionInfo } from \"../types\";\nimport {\n  isSignInRateLimited,\n  recordFailedSignIn,\n  resetSignInRateLimit,\n} from \"../ratelimit\";\nimport * as Provider from \"../provider\";\nimport {\n  createNewAndDeleteExistingSession,\n  getAuthSessionId,\n  maybeGenerateTokensForSession,\n} from \"../sessions\";\nimport { ConvexAuthConfig } from \"../../types\";\nimport { LOG_LEVELS, logWithLevel, sha256 } from \"../utils\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { authDb } from \"../db\";\nimport { AUTH_STORE_REF } from \"./store\";\n\nexport const verifyCodeAndSignInArgs = v.object({\n  params: v.any(),\n  provider: v.optional(v.string()),\n  verifier: v.optional(v.string()),\n  generateTokens: v.boolean(),\n  allowExtraProviders: v.boolean(),\n});\n\ntype ReturnType = null | SessionInfo;\n\nexport async function verifyCodeAndSignInImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof verifyCodeAndSignInArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  logWithLevel(LOG_LEVELS.DEBUG, \"verifyCodeAndSignInImpl args:\", {\n    params: { email: args.params.email, phone: args.params.phone },\n    provider: args.provider,\n    verifier: args.verifier,\n    generateTokens: args.generateTokens,\n    allowExtraProviders: args.allowExtraProviders,\n  });\n  const { generateTokens, provider, allowExtraProviders } = args;\n  const identifier = args.params.email ?? args.params.phone;\n  if (identifier !== undefined) {\n    if (await isSignInRateLimited(ctx, identifier, config)) {\n      logWithLevel(\n        LOG_LEVELS.ERROR,\n        \"Too many failed attempts to verify code for this email\",\n      );\n      return null;\n    }\n  }\n  const verifyResult = await verifyCodeOnly(\n    ctx,\n    args,\n    provider ?? null,\n    getProviderOrThrow,\n    allowExtraProviders,\n    config,\n    await getAuthSessionId(ctx),\n  );\n  if (verifyResult === null) {\n    if (identifier !== undefined) {\n      await recordFailedSignIn(ctx, identifier, config);\n    }\n    return null;\n  }\n  if (identifier !== undefined) {\n    await resetSignInRateLimit(ctx, identifier, config);\n  }\n  const { userId } = verifyResult;\n  const sessionId = await createNewAndDeleteExistingSession(\n    ctx,\n    config,\n    userId,\n  );\n  return await maybeGenerateTokensForSession(\n    ctx,\n    config,\n    userId,\n    sessionId,\n    generateTokens,\n  );\n}\n\nexport const callVerifyCodeAndSignIn = async (\n  ctx: ActionCtx,\n  args: Infer<typeof verifyCodeAndSignInArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"verifyCodeAndSignIn\",\n      ...args,\n    },\n  });\n};\n\nasync function verifyCodeOnly(\n  ctx: MutationCtx,\n  args: {\n    params: any;\n    verifier?: string;\n    identifier?: string;\n  },\n  /**\n   * There are two providers at play:\n   * 1. the provider that generated the code\n   * 2. the provider the account is tied to.\n   * This is because we allow signing into an account\n   * via another provider, see {@link signInViaProvider}.\n   * This is the first provider.\n   */\n  methodProviderId: string | null,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  allowExtraProviders: boolean,\n  config: ConvexAuthConfig,\n  sessionId: GenericId<\"session\"> | null,\n) {\n  const db = authDb(ctx, config);\n  const { params, verifier } = args;\n  const codeHash = await sha256(params.code);\n  const verificationCode = await db.verificationCodes.getByCode(codeHash);\n  if (verificationCode === null) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid verification code\");\n    return null;\n  }\n  await db.verificationCodes.delete(verificationCode._id);\n  if (verificationCode.verifier !== verifier) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid verifier\");\n    return null;\n  }\n  if (verificationCode.expirationTime < Date.now()) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Expired verification code\");\n    return null;\n  }\n  const { accountId, emailVerified, phoneVerified } = verificationCode;\n  const account = await db.accounts.getById(accountId);\n  if (account === null) {\n    logWithLevel(\n      LOG_LEVELS.ERROR,\n      \"Account associated with this email has been deleted\",\n    );\n    return null;\n  }\n  if (\n    methodProviderId !== null &&\n    verificationCode.provider !== methodProviderId\n  ) {\n    logWithLevel(\n      LOG_LEVELS.ERROR,\n      `Invalid provider \"${methodProviderId}\" for given \\`code\\`, ` +\n        `which was generated by provider \"${verificationCode.provider}\"`,\n    );\n    return null;\n  }\n  // OTP providers perform an additional check against the provided\n  // params.\n  const methodProvider = getProviderOrThrow(\n    verificationCode.provider,\n    allowExtraProviders,\n  );\n  if (\n    methodProvider !== null &&\n    (methodProvider.type === \"email\" || methodProvider.type === \"phone\") &&\n    methodProvider.authorize !== undefined\n  ) {\n    await methodProvider.authorize(args.params, account);\n  }\n  let userId = account.userId;\n  const provider = getProviderOrThrow(account.provider);\n  if (provider.type !== \"oauth\") {\n    ({ userId } = await upsertUserAndAccount(\n      ctx,\n      sessionId,\n      { existingAccount: account },\n      {\n        type: \"verification\",\n        provider,\n        profile: {\n          ...(emailVerified !== undefined\n            ? { email: emailVerified, emailVerified: true }\n            : {}),\n          ...(phoneVerified !== undefined\n            ? { phone: phoneVerified, phoneVerified: true }\n            : {}),\n        },\n      },\n      config,\n    ));\n  }\n\n  return { providerAccountId: account.providerAccountId, userId };\n}\n"],"mappings":";;;;;;;;;AAmBA,MAAa,0BAA0B,EAAE,OAAO;CAC9C,QAAQ,EAAE,KAAK;CACf,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;CAChC,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;CAChC,gBAAgB,EAAE,SAAS;CAC3B,qBAAqB,EAAE,SAAS;CACjC,CAAC;AAIF,eAAsB,wBACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,iCAAiC;EAC9D,QAAQ;GAAE,OAAO,KAAK,OAAO;GAAO,OAAO,KAAK,OAAO;GAAO;EAC9D,UAAU,KAAK;EACf,UAAU,KAAK;EACf,gBAAgB,KAAK;EACrB,qBAAqB,KAAK;EAC3B,CAAC;CACF,MAAM,EAAE,gBAAgB,UAAU,wBAAwB;CAC1D,MAAM,aAAa,KAAK,OAAO,SAAS,KAAK,OAAO;AACpD,KAAI,eAAe,QACjB;MAAI,MAAM,oBAAoB,KAAK,YAAY,OAAO,EAAE;AACtD,gBACE,WAAW,OACX,yDACD;AACD,UAAO;;;CAGX,MAAM,eAAe,MAAM,eACzB,KACA,MACA,YAAY,MACZ,oBACA,qBACA,QACA,MAAM,iBAAiB,IAAI,CAC5B;AACD,KAAI,iBAAiB,MAAM;AACzB,MAAI,eAAe,OACjB,OAAM,mBAAmB,KAAK,YAAY,OAAO;AAEnD,SAAO;;AAET,KAAI,eAAe,OACjB,OAAM,qBAAqB,KAAK,YAAY,OAAO;CAErD,MAAM,EAAE,WAAW;AAMnB,QAAO,MAAM,8BACX,KACA,QACA,QARgB,MAAM,kCACtB,KACA,QACA,OACD,EAMC,eACD;;AAGH,MAAa,0BAA0B,OACrC,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,eAAe,eACb,KACA,MAaA,kBACA,oBACA,qBACA,QACA,WACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,EAAE,QAAQ,aAAa;CAC7B,MAAM,WAAW,MAAM,OAAO,OAAO,KAAK;CAC1C,MAAM,mBAAmB,MAAM,GAAG,kBAAkB,UAAU,SAAS;AACvE,KAAI,qBAAqB,MAAM;AAC7B,eAAa,WAAW,OAAO,4BAA4B;AAC3D,SAAO;;AAET,OAAM,GAAG,kBAAkB,OAAO,iBAAiB,IAAI;AACvD,KAAI,iBAAiB,aAAa,UAAU;AAC1C,eAAa,WAAW,OAAO,mBAAmB;AAClD,SAAO;;AAET,KAAI,iBAAiB,iBAAiB,KAAK,KAAK,EAAE;AAChD,eAAa,WAAW,OAAO,4BAA4B;AAC3D,SAAO;;CAET,MAAM,EAAE,WAAW,eAAe,kBAAkB;CACpD,MAAM,UAAU,MAAM,GAAG,SAAS,QAAQ,UAAU;AACpD,KAAI,YAAY,MAAM;AACpB,eACE,WAAW,OACX,sDACD;AACD,SAAO;;AAET,KACE,qBAAqB,QACrB,iBAAiB,aAAa,kBAC9B;AACA,eACE,WAAW,OACX,qBAAqB,iBAAiB,yDACA,iBAAiB,SAAS,GACjE;AACD,SAAO;;CAIT,MAAM,iBAAiB,mBACrB,iBAAiB,UACjB,oBACD;AACD,KACE,mBAAmB,SAClB,eAAe,SAAS,WAAW,eAAe,SAAS,YAC5D,eAAe,cAAc,OAE7B,OAAM,eAAe,UAAU,KAAK,QAAQ,QAAQ;CAEtD,IAAI,SAAS,QAAQ;CACrB,MAAM,WAAW,mBAAmB,QAAQ,SAAS;AACrD,KAAI,SAAS,SAAS,QACpB,EAAC,CAAE,UAAW,MAAM,qBAClB,KACA,WACA,EAAE,iBAAiB,SAAS,EAC5B;EACE,MAAM;EACN;EACA,SAAS;GACP,GAAI,kBAAkB,SAClB;IAAE,OAAO;IAAe,eAAe;IAAM,GAC7C,EAAE;GACN,GAAI,kBAAkB,SAClB;IAAE,OAAO;IAAe,eAAe;IAAM,GAC7C,EAAE;GACP;EACF,EACD,OACD;AAGH,QAAO;EAAE,mBAAmB,QAAQ;EAAmB;EAAQ"}

package/dist/server/implementation/passkey.d.ts

@@ -1,24 +0,0 @@
-import { AuthDataModel, SessionInfo } from "./types.js";
-import { GenericActionCtxWithAuthConfig, PasskeyProviderConfig } from "../types.js";
-
-//#region src/server/implementation/passkey.d.ts
-type EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;
-/**
- * Main passkey handler dispatched from signIn.ts.
- *
- * Routes to the appropriate phase based on `params.flow`.
- */
-declare function handlePasskey(ctx: EnrichedActionCtx, provider: PasskeyProviderConfig, args: {
-  params?: Record<string, any>;
-  verifier?: string;
-}): Promise<{
-  kind: "signedIn";
-  signedIn: SessionInfo | null;
-} | {
-  kind: "passkeyOptions";
-  options: Record<string, any>;
-  verifier: string;
-}>;
-//#endregion
-export { handlePasskey };
-//# sourceMappingURL=passkey.d.ts.map

package/dist/server/implementation/passkey.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"passkey.d.ts","names":[],"sources":["../../../src/server/implementation/passkey.ts"],"mappings":";;;;KA8DK,iBAAA,GAAoB,8BAAA,CAA+B,aAAA;;;;;;iBA0flC,aAAA,CACpB,GAAA,EAAK,iBAAA,EACL,QAAA,EAAU,qBAAA,EACV,IAAA;EACE,MAAA,GAAS,MAAA;EACT,QAAA;AAAA,IAED,OAAA;EACG,IAAA;EAAkB,QAAA,EAAU,WAAA;AAAA;EAC5B,IAAA;EAAwB,OAAA,EAAS,MAAA;EAAqB,QAAA;AAAA"}

package/dist/server/implementation/passkey.js

@@ -1,307 +0,0 @@
-import { throwAuthError } from "../errors.js";
-import { authDb } from "./db.js";
-import { callSignIn } from "./mutations/signin.js";
-import { callVerifierSignature } from "./mutations/signature.js";
-import { callVerifier } from "./mutations/verifier.js";
-import { mutatePasskeyInsert, mutatePasskeyUpdateCounter, mutateVerifierDelete, queryPasskeyByCredentialId, queryPasskeysByUserId, queryUserById, queryUserByVerifiedEmail, queryVerifierById } from "./types.js";
-import { sha256 } from "@oslojs/crypto/sha2";
-import { decodeBase64urlIgnorePadding, encodeBase64urlNoPadding } from "@oslojs/encoding";
-import { COSEKeyType, ClientDataType, coseAlgorithmES256, coseAlgorithmRS256, createAssertionSignatureMessage, parseAttestationObject, parseAuthenticatorData, parseClientDataJSON } from "@oslojs/webauthn";
-import { decodePKIXECDSASignature, decodeSEC1PublicKey, p256, verifyECDSASignature } from "@oslojs/crypto/ecdsa";
-import { RSAPublicKey, decodePKCS1RSAPublicKey, sha256ObjectIdentifier, verifyRSASSAPKCS1v15Signature } from "@oslojs/crypto/rsa";
-
-//#region src/server/implementation/passkey.ts
-/**
-* Server-side WebAuthn ceremony logic for passkey authentication.
-*
-* Handles the four phases of the WebAuthn flow:
-* 1. register-options — generate PublicKeyCredentialCreationOptions
-* 2. register-verify — verify attestation and store credential
-* 3. auth-options — generate PublicKeyCredentialRequestOptions
-* 4. auth-verify — verify assertion signature and sign in
-*
-* Uses `@oslojs/webauthn` for attestation/assertion parsing and
-* `@oslojs/crypto` for signature verification.
-*/
-/**
-* Resolve passkey relying party options from provider config and environment.
-*/
-function resolveRpOptions(provider) {
-	const siteUrl = process.env.SITE_URL;
-	if (!siteUrl && !provider.options.rpId) throwAuthError("PASSKEY_MISSING_CONFIG", "Passkey provider requires SITE_URL env var (your frontend URL) or explicit rpId / origin in the provider config. CONVEX_SITE_URL cannot be used because WebAuthn RP ID must match the frontend domain.");
-	const siteHostname = siteUrl ? new URL(siteUrl).hostname : void 0;
-	return {
-		rpName: provider.options.rpName ?? siteHostname ?? "localhost",
-		rpId: provider.options.rpId ?? siteHostname ?? "localhost",
-		origin: provider.options.origin ?? siteUrl ?? "http://localhost",
-		attestation: provider.options.attestation ?? "none",
-		userVerification: provider.options.userVerification ?? "required",
-		residentKey: provider.options.residentKey ?? "preferred",
-		authenticatorAttachment: provider.options.authenticatorAttachment,
-		algorithms: provider.options.algorithms ?? [coseAlgorithmES256, coseAlgorithmRS256],
-		challengeExpirationMs: provider.options.challengeExpirationMs ?? 3e5
-	};
-}
-/**
-* Generate a cryptographically random challenge.
-*/
-function generateChallenge() {
-	const challenge = new Uint8Array(32);
-	crypto.getRandomValues(challenge);
-	return challenge;
-}
-/**
-* Hash a challenge for storage in the verifier table's `signature` field.
-*/
-function hashChallenge(challenge) {
-	return encodeBase64urlNoPadding(new Uint8Array(sha256(challenge)));
-}
-/**
-* Phase 1: Generate registration options.
-*
-* Requires an authenticated user — passkey registration always adds a
-* credential to an existing account.  The userId is taken from the
-* current session identity.
-*/
-async function handleRegisterOptions(ctx, provider, params) {
-	const identity = await ctx.auth.getUserIdentity();
-	if (identity === null) throwAuthError("PASSKEY_AUTH_REQUIRED");
-	const [userId] = identity.subject.split("|");
-	const rp = resolveRpOptions(provider);
-	const challenge = generateChallenge();
-	const challengeHash = hashChallenge(challenge);
-	const verifier = await callVerifier(ctx);
-	await callVerifierSignature(ctx, {
-		verifier,
-		signature: challengeHash
-	});
-	const user = await queryUserById(ctx, userId);
-	const userName = params.userName ?? user?.email ?? "user";
-	const userDisplayName = params.userDisplayName ?? user?.name ?? userName;
-	const excludeCredentials = (await queryPasskeysByUserId(ctx, userId)).map((pk) => ({
-		id: pk.credentialId,
-		transports: pk.transports
-	}));
-	const userHandle = encodeBase64urlNoPadding(new TextEncoder().encode(userId));
-	return {
-		kind: "passkeyOptions",
-		options: {
-			rp: {
-				name: rp.rpName,
-				id: rp.rpId
-			},
-			user: {
-				id: userHandle,
-				name: userName,
-				displayName: userDisplayName
-			},
-			challenge: encodeBase64urlNoPadding(challenge),
-			pubKeyCredParams: rp.algorithms.map((alg) => ({
-				type: "public-key",
-				alg
-			})),
-			timeout: rp.challengeExpirationMs,
-			attestation: rp.attestation,
-			authenticatorSelection: {
-				residentKey: rp.residentKey,
-				requireResidentKey: rp.residentKey === "required",
-				userVerification: rp.userVerification,
-				...rp.authenticatorAttachment ? { authenticatorAttachment: rp.authenticatorAttachment } : {}
-			},
-			excludeCredentials
-		},
-		verifier
-	};
-}
-/**
-* Phase 2: Verify registration attestation and store the credential.
-*
-* Requires an authenticated user.  Parses the attestation, verifies the
-* challenge, extracts the public key, creates an account + passkey record
-* linked to the current user, and returns auth tokens.
-*/
-async function handleRegisterVerify(ctx, provider, params, verifierValue) {
-	const identity = await ctx.auth.getUserIdentity();
-	if (identity === null) throwAuthError("PASSKEY_AUTH_REQUIRED");
-	const [userId] = identity.subject.split("|");
-	const rp = resolveRpOptions(provider);
-	if (!verifierValue) throwAuthError("PASSKEY_MISSING_VERIFIER");
-	const clientData = parseClientDataJSON(decodeBase64urlIgnorePadding(params.clientDataJSON));
-	if (clientData.type !== ClientDataType.Create) throwAuthError("PASSKEY_INVALID_CLIENT_DATA", "Invalid client data type: expected webauthn.create");
-	const allowedOrigins = Array.isArray(rp.origin) ? rp.origin : [rp.origin];
-	if (!allowedOrigins.includes(clientData.origin)) throwAuthError("PASSKEY_INVALID_ORIGIN", `Invalid origin: ${clientData.origin}, expected one of: ${allowedOrigins.join(", ")}`);
-	const challengeHash = encodeBase64urlNoPadding(new Uint8Array(sha256(clientData.challenge)));
-	const verifierDoc = await queryVerifierById(ctx, verifierValue);
-	if (!verifierDoc || verifierDoc.signature !== challengeHash) throwAuthError("PASSKEY_INVALID_CHALLENGE");
-	await mutateVerifierDelete(ctx, verifierValue);
-	const authenticatorData = parseAttestationObject(decodeBase64urlIgnorePadding(params.attestationObject)).authenticatorData;
-	if (!authenticatorData.verifyRelyingPartyIdHash(rp.rpId)) throwAuthError("PASSKEY_RP_MISMATCH");
-	if (!authenticatorData.userPresent) throwAuthError("PASSKEY_USER_PRESENCE");
-	if (rp.userVerification === "required" && !authenticatorData.userVerified) throwAuthError("PASSKEY_USER_VERIFICATION");
-	const credential = authenticatorData.credential;
-	if (!credential) throwAuthError("PASSKEY_NO_CREDENTIAL");
-	const credentialId = encodeBase64urlNoPadding(credential.id);
-	const publicKey = credential.publicKey;
-	let algorithm;
-	let publicKeyBytes;
-	if (publicKey.isAlgorithmDefined()) algorithm = publicKey.algorithm();
-	else {
-		const keyType = publicKey.type();
-		algorithm = keyType === COSEKeyType.EC2 ? coseAlgorithmES256 : keyType === COSEKeyType.RSA ? coseAlgorithmRS256 : coseAlgorithmES256;
-	}
-	if (algorithm === coseAlgorithmES256) {
-		const ec2 = publicKey.ec2();
-		const xBytes = bigintToBytes(ec2.x, 32);
-		const yBytes = bigintToBytes(ec2.y, 32);
-		publicKeyBytes = new Uint8Array(65);
-		publicKeyBytes[0] = 4;
-		publicKeyBytes.set(xBytes, 1);
-		publicKeyBytes.set(yBytes, 33);
-	} else if (algorithm === coseAlgorithmRS256) {
-		const rsa = publicKey.rsa();
-		publicKeyBytes = new RSAPublicKey(rsa.n, rsa.e).encodePKCS1();
-	} else throwAuthError("PASSKEY_UNSUPPORTED_ALGORITHM", `Unsupported algorithm: ${algorithm}`);
-	const deviceType = params.deviceType ?? "single-device";
-	const backedUp = params.backedUp ?? false;
-	await authDb(ctx, ctx.auth.config).accounts.create({
-		userId,
-		provider: provider.id,
-		providerAccountId: credentialId
-	});
-	await mutatePasskeyInsert(ctx, {
-		userId,
-		credentialId,
-		publicKey: publicKeyBytes.buffer.slice(publicKeyBytes.byteOffset, publicKeyBytes.byteOffset + publicKeyBytes.byteLength),
-		algorithm,
-		counter: authenticatorData.signatureCounter,
-		transports: params.transports,
-		deviceType,
-		backedUp,
-		name: params.passkeyName,
-		createdAt: Date.now()
-	});
-	return {
-		kind: "signedIn",
-		signedIn: await callSignIn(ctx, {
-			userId,
-			generateTokens: true
-		})
-	};
-}
-/**
-* Phase 3: Generate authentication options.
-*
-* Creates a challenge and returns PublicKeyCredentialRequestOptions.
-* If an email is provided, scopes allowCredentials to that user's passkeys.
-*/
-async function handleAuthOptions(ctx, provider, params) {
-	const rp = resolveRpOptions(provider);
-	const challenge = generateChallenge();
-	const challengeHash = hashChallenge(challenge);
-	const verifier = await callVerifier(ctx);
-	await callVerifierSignature(ctx, {
-		verifier,
-		signature: challengeHash
-	});
-	let allowCredentials;
-	if (params.email) {
-		const user = await queryUserByVerifiedEmail(ctx, params.email);
-		if (user) {
-			const passkeys = await queryPasskeysByUserId(ctx, user._id);
-			if (passkeys.length > 0) allowCredentials = passkeys.map((pk) => ({
-				type: "public-key",
-				id: pk.credentialId,
-				transports: pk.transports
-			}));
-		}
-	}
-	const options = {
-		challenge: encodeBase64urlNoPadding(challenge),
-		timeout: rp.challengeExpirationMs,
-		rpId: rp.rpId,
-		userVerification: rp.userVerification
-	};
-	if (allowCredentials) options.allowCredentials = allowCredentials;
-	return {
-		kind: "passkeyOptions",
-		options,
-		verifier
-	};
-}
-/**
-* Phase 4: Verify authentication assertion and sign in.
-*
-* Verifies the signature against the stored public key, checks the counter,
-* and creates a session.
-*/
-async function handleAuthVerify(ctx, provider, params, verifierValue) {
-	const rp = resolveRpOptions(provider);
-	if (!verifierValue) throwAuthError("PASSKEY_MISSING_VERIFIER");
-	const clientDataJSON = decodeBase64urlIgnorePadding(params.clientDataJSON);
-	const clientData = parseClientDataJSON(clientDataJSON);
-	if (clientData.type !== ClientDataType.Get) throwAuthError("PASSKEY_INVALID_CLIENT_DATA", "Invalid client data type: expected webauthn.get");
-	const allowedOrigins = Array.isArray(rp.origin) ? rp.origin : [rp.origin];
-	if (!allowedOrigins.includes(clientData.origin)) throwAuthError("PASSKEY_INVALID_ORIGIN", `Invalid origin: ${clientData.origin}, expected one of: ${allowedOrigins.join(", ")}`);
-	const challengeHash = encodeBase64urlNoPadding(new Uint8Array(sha256(clientData.challenge)));
-	const verifierDoc = await queryVerifierById(ctx, verifierValue);
-	if (!verifierDoc || verifierDoc.signature !== challengeHash) throwAuthError("PASSKEY_INVALID_CHALLENGE");
-	await mutateVerifierDelete(ctx, verifierValue);
-	const credentialId = params.credentialId;
-	if (!credentialId) throwAuthError("PASSKEY_UNKNOWN_CREDENTIAL", "Missing credential ID");
-	const passkey = await queryPasskeyByCredentialId(ctx, credentialId);
-	if (!passkey) throwAuthError("PASSKEY_UNKNOWN_CREDENTIAL", "Unknown credential");
-	const authenticatorDataBytes = decodeBase64urlIgnorePadding(params.authenticatorData);
-	const authenticatorData = parseAuthenticatorData(authenticatorDataBytes);
-	if (!authenticatorData.verifyRelyingPartyIdHash(rp.rpId)) throwAuthError("PASSKEY_RP_MISMATCH");
-	if (!authenticatorData.userPresent) throwAuthError("PASSKEY_USER_PRESENCE");
-	if (rp.userVerification === "required" && !authenticatorData.userVerified) throwAuthError("PASSKEY_USER_VERIFICATION");
-	const signature = decodeBase64urlIgnorePadding(params.signature);
-	const messageHash = sha256(createAssertionSignatureMessage(authenticatorDataBytes, clientDataJSON));
-	const storedPublicKeyBytes = new Uint8Array(passkey.publicKey);
-	if (passkey.algorithm === coseAlgorithmES256) {
-		if (!verifyECDSASignature(decodeSEC1PublicKey(p256, storedPublicKeyBytes), messageHash, decodePKIXECDSASignature(signature))) throwAuthError("PASSKEY_INVALID_SIGNATURE");
-	} else if (passkey.algorithm === coseAlgorithmRS256) {
-		if (!verifyRSASSAPKCS1v15Signature(decodePKCS1RSAPublicKey(storedPublicKeyBytes), sha256ObjectIdentifier, messageHash, signature)) throwAuthError("PASSKEY_INVALID_SIGNATURE");
-	} else throwAuthError("PASSKEY_UNSUPPORTED_ALGORITHM", `Unsupported algorithm: ${passkey.algorithm}`);
-	if (passkey.counter !== 0 && authenticatorData.signatureCounter !== 0 && authenticatorData.signatureCounter <= passkey.counter) throwAuthError("PASSKEY_COUNTER_ERROR");
-	await mutatePasskeyUpdateCounter(ctx, passkey._id, authenticatorData.signatureCounter, Date.now());
-	return {
-		kind: "signedIn",
-		signedIn: await callSignIn(ctx, {
-			userId: passkey.userId,
-			generateTokens: true
-		})
-	};
-}
-/**
-* Main passkey handler dispatched from signIn.ts.
-*
-* Routes to the appropriate phase based on `params.flow`.
-*/
-async function handlePasskey(ctx, provider, args) {
-	const flow = args.params?.flow;
-	if (!flow) throwAuthError("PASSKEY_MISSING_FLOW", "Missing `flow` parameter. Expected one of: register-options, register-verify, auth-options, auth-verify");
-	switch (flow) {
-		case "register-options": return handleRegisterOptions(ctx, provider, args.params ?? {});
-		case "register-verify": return handleRegisterVerify(ctx, provider, args.params ?? {}, args.verifier);
-		case "auth-options": return handleAuthOptions(ctx, provider, args.params ?? {});
-		case "auth-verify": return handleAuthVerify(ctx, provider, args.params ?? {}, args.verifier);
-		default: throwAuthError("PASSKEY_UNKNOWN_FLOW", `Unknown passkey flow: ${flow}. Expected one of: register-options, register-verify, auth-options, auth-verify`);
-	}
-}
-/**
-* Convert a bigint to a fixed-size big-endian byte array.
-*/
-function bigintToBytes(value, length) {
-	const bytes = new Uint8Array(length);
-	let v = value;
-	for (let i = length - 1; i >= 0; i--) {
-		bytes[i] = Number(v & 255n);
-		v >>= 8n;
-	}
-	return bytes;
-}
-
-//#endregion
-export { handlePasskey };
-//# sourceMappingURL=passkey.js.map

package/dist/server/implementation/passkey.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"passkey.js","names":[],"sources":["../../../src/server/implementation/passkey.ts"],"sourcesContent":["/**\n * Server-side WebAuthn ceremony logic for passkey authentication.\n *\n * Handles the four phases of the WebAuthn flow:\n * 1. register-options — generate PublicKeyCredentialCreationOptions\n * 2. register-verify — verify attestation and store credential\n * 3. auth-options — generate PublicKeyCredentialRequestOptions\n * 4. auth-verify — verify assertion signature and sign in\n *\n * Uses `@oslojs/webauthn` for attestation/assertion parsing and\n * `@oslojs/crypto` for signature verification.\n */\n\nimport {\n  parseAttestationObject,\n  parseClientDataJSON,\n  parseAuthenticatorData,\n  createAssertionSignatureMessage,\n  ClientDataType,\n  coseAlgorithmES256,\n  coseAlgorithmRS256,\n  COSEKeyType,\n} from \"@oslojs/webauthn\";\nimport {\n  p256,\n  verifyECDSASignature,\n  decodeSEC1PublicKey,\n  decodePKIXECDSASignature,\n} from \"@oslojs/crypto/ecdsa\";\nimport {\n  RSAPublicKey,\n  decodePKCS1RSAPublicKey,\n  sha256ObjectIdentifier,\n  verifyRSASSAPKCS1v15Signature,\n} from \"@oslojs/crypto/rsa\";\nimport { sha256 } from \"@oslojs/crypto/sha2\";\nimport {\n  encodeBase64urlNoPadding,\n  decodeBase64urlIgnorePadding,\n} from \"@oslojs/encoding\";\nimport {\n  PasskeyProviderConfig,\n  GenericActionCtxWithAuthConfig,\n} from \"../types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  queryUserById,\n  queryUserByVerifiedEmail,\n  queryPasskeysByUserId,\n  queryPasskeyByCredentialId,\n  queryVerifierById,\n  mutatePasskeyInsert,\n  mutatePasskeyUpdateCounter,\n  mutateVerifierDelete,\n} from \"./types\";\nimport { callSignIn, callVerifier } from \"./mutations/index\";\nimport { callVerifierSignature } from \"./mutations/signature\";\nimport { authDb } from \"./db\";\nimport { throwAuthError } from \"../errors\";\n\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n/**\n * Resolve passkey relying party options from provider config and environment.\n */\nfunction resolveRpOptions(provider: PasskeyProviderConfig) {\n  // WebAuthn RP ID and origin must match the *frontend* domain, not the\n  // Convex backend.  SITE_URL is the canonical frontend URL\n  // (e.g. \"http://localhost:3000\" in dev, \"https://myapp.com\" in prod).\n  // CONVEX_SITE_URL points to the Convex cloud HTTP actions endpoint and\n  // must NOT be used here — the browser would reject the credential\n  // because the RP ID wouldn't match the page origin.\n  const siteUrl = process.env.SITE_URL;\n  if (!siteUrl && !provider.options.rpId) {\n    throwAuthError(\n      \"PASSKEY_MISSING_CONFIG\",\n      \"Passkey provider requires SITE_URL env var (your frontend URL) \" +\n      \"or explicit rpId / origin in the provider config. \" +\n      \"CONVEX_SITE_URL cannot be used because WebAuthn RP ID must match the frontend domain.\",\n    );\n  }\n  const siteHostname = siteUrl ? new URL(siteUrl).hostname : undefined;\n\n  return {\n    rpName: provider.options.rpName ?? siteHostname ?? \"localhost\",\n    rpId: provider.options.rpId ?? siteHostname ?? \"localhost\",\n    origin: provider.options.origin ?? siteUrl ?? \"http://localhost\",\n    attestation: provider.options.attestation ?? \"none\",\n    userVerification: provider.options.userVerification ?? \"required\",\n    residentKey: provider.options.residentKey ?? \"preferred\",\n    authenticatorAttachment: provider.options.authenticatorAttachment,\n    algorithms: provider.options.algorithms ?? [coseAlgorithmES256, coseAlgorithmRS256],\n    challengeExpirationMs: provider.options.challengeExpirationMs ?? 300_000,\n  };\n}\n\n/**\n * Generate a cryptographically random challenge.\n */\nfunction generateChallenge(): Uint8Array {\n  const challenge = new Uint8Array(32);\n  crypto.getRandomValues(challenge);\n  return challenge;\n}\n\n/**\n * Hash a challenge for storage in the verifier table's `signature` field.\n */\nfunction hashChallenge(challenge: Uint8Array): string {\n  return encodeBase64urlNoPadding(new Uint8Array(sha256(challenge)));\n}\n\n// ============================================================================\n// Registration flow\n// ============================================================================\n\n/**\n * Phase 1: Generate registration options.\n *\n * Requires an authenticated user — passkey registration always adds a\n * credential to an existing account.  The userId is taken from the\n * current session identity.\n */\nasync function handleRegisterOptions(\n  ctx: EnrichedActionCtx,\n  provider: PasskeyProviderConfig,\n  params: Record<string, any>,\n): Promise<{\n  kind: \"passkeyOptions\";\n  options: Record<string, any>;\n  verifier: string;\n}> {\n  // Passkey registration requires an authenticated user\n  const identity = await ctx.auth.getUserIdentity();\n  if (identity === null) {\n    throwAuthError(\"PASSKEY_AUTH_REQUIRED\");\n  }\n  const [userId] = identity.subject.split(\"|\");\n\n  const rp = resolveRpOptions(provider);\n  const challenge = generateChallenge();\n  const challengeHash = hashChallenge(challenge);\n\n  // Store the challenge hash in the verifier table\n  const verifier = await callVerifier(ctx);\n  await callVerifierSignature(ctx, {\n    verifier,\n    signature: challengeHash,\n  });\n\n  // Get the user's profile for credential metadata\n  const user = await queryUserById(ctx, userId!);\n  const userName = params.userName ?? user?.email ?? \"user\";\n  const userDisplayName = params.userDisplayName ?? user?.name ?? userName;\n\n  // Collect existing credentials to prevent re-registration\n  const existing = await queryPasskeysByUserId(ctx, userId!);\n  const excludeCredentials = existing.map((pk) => ({\n    id: pk.credentialId,\n    transports: pk.transports,\n  }));\n\n  // User handle is derived from the Convex userId\n  const userHandle = encodeBase64urlNoPadding(\n    new TextEncoder().encode(userId!),\n  );\n\n  const options = {\n    rp: {\n      name: rp.rpName,\n      id: rp.rpId,\n    },\n    user: {\n      id: userHandle,\n      name: userName,\n      displayName: userDisplayName,\n    },\n    challenge: encodeBase64urlNoPadding(challenge),\n    pubKeyCredParams: rp.algorithms.map((alg) => ({\n      type: \"public-key\" as const,\n      alg,\n    })),\n    timeout: rp.challengeExpirationMs,\n    attestation: rp.attestation,\n    authenticatorSelection: {\n      residentKey: rp.residentKey,\n      requireResidentKey: rp.residentKey === \"required\",\n      userVerification: rp.userVerification,\n      ...(rp.authenticatorAttachment\n        ? { authenticatorAttachment: rp.authenticatorAttachment }\n        : {}),\n    },\n    excludeCredentials,\n  };\n\n  return { kind: \"passkeyOptions\", options, verifier };\n}\n\n/**\n * Phase 2: Verify registration attestation and store the credential.\n *\n * Requires an authenticated user.  Parses the attestation, verifies the\n * challenge, extracts the public key, creates an account + passkey record\n * linked to the current user, and returns auth tokens.\n */\nasync function handleRegisterVerify(\n  ctx: EnrichedActionCtx,\n  provider: PasskeyProviderConfig,\n  params: Record<string, any>,\n  verifierValue: string | undefined,\n): Promise<{ kind: \"signedIn\"; signedIn: SessionInfo | null }> {\n  // Passkey registration requires an authenticated user\n  const identity = await ctx.auth.getUserIdentity();\n  if (identity === null) {\n    throwAuthError(\"PASSKEY_AUTH_REQUIRED\");\n  }\n  const [userId] = identity.subject.split(\"|\");\n\n  const rp = resolveRpOptions(provider);\n\n  if (!verifierValue) {\n    throwAuthError(\"PASSKEY_MISSING_VERIFIER\");\n  }\n\n  // Decode client data\n  const clientDataJSON = decodeBase64urlIgnorePadding(params.clientDataJSON);\n  const clientData = parseClientDataJSON(clientDataJSON);\n\n  // Verify client data type is \"webauthn.create\"\n  if (clientData.type !== ClientDataType.Create) {\n    throwAuthError(\"PASSKEY_INVALID_CLIENT_DATA\", \"Invalid client data type: expected webauthn.create\");\n  }\n\n  // Verify origin\n  const allowedOrigins = Array.isArray(rp.origin) ? rp.origin : [rp.origin];\n  if (!allowedOrigins.includes(clientData.origin)) {\n    throwAuthError(\n      \"PASSKEY_INVALID_ORIGIN\",\n      `Invalid origin: ${clientData.origin}, expected one of: ${allowedOrigins.join(\", \")}`,\n    );\n  }\n\n  // Verify challenge matches the stored verifier\n  const challengeHash = encodeBase64urlNoPadding(\n    new Uint8Array(sha256(clientData.challenge)),\n  );\n  const verifierDoc = await queryVerifierById(ctx, verifierValue);\n  if (!verifierDoc || verifierDoc.signature !== challengeHash) {\n    throwAuthError(\"PASSKEY_INVALID_CHALLENGE\");\n  }\n\n  // Clean up the verifier\n  await mutateVerifierDelete(ctx, verifierValue);\n\n  // Parse attestation object\n  const attestationObjectBytes = decodeBase64urlIgnorePadding(params.attestationObject);\n  const attestation = parseAttestationObject(attestationObjectBytes);\n  const authenticatorData = attestation.authenticatorData;\n\n  // Verify RP ID hash\n  if (!authenticatorData.verifyRelyingPartyIdHash(rp.rpId)) {\n    throwAuthError(\"PASSKEY_RP_MISMATCH\");\n  }\n\n  // Verify user presence and verification flags\n  if (!authenticatorData.userPresent) {\n    throwAuthError(\"PASSKEY_USER_PRESENCE\");\n  }\n  if (rp.userVerification === \"required\" && !authenticatorData.userVerified) {\n    throwAuthError(\"PASSKEY_USER_VERIFICATION\");\n  }\n\n  // Extract credential\n  const credential = authenticatorData.credential;\n  if (!credential) {\n    throwAuthError(\"PASSKEY_NO_CREDENTIAL\");\n  }\n\n  const credentialId = encodeBase64urlNoPadding(credential.id);\n  const publicKey = credential.publicKey;\n\n  // Determine algorithm and encode the public key for storage\n  let algorithm: number;\n  let publicKeyBytes: Uint8Array;\n\n  if (publicKey.isAlgorithmDefined()) {\n    algorithm = publicKey.algorithm();\n  } else {\n    const keyType = publicKey.type();\n    algorithm =\n      keyType === COSEKeyType.EC2\n        ? coseAlgorithmES256\n        : keyType === COSEKeyType.RSA\n          ? coseAlgorithmRS256\n          : coseAlgorithmES256;\n  }\n\n  if (algorithm === coseAlgorithmES256) {\n    const ec2 = publicKey.ec2();\n    // Encode as SEC1 uncompressed point (0x04 || x || y)\n    const xBytes = bigintToBytes(ec2.x, 32);\n    const yBytes = bigintToBytes(ec2.y, 32);\n    publicKeyBytes = new Uint8Array(65);\n    publicKeyBytes[0] = 0x04;\n    publicKeyBytes.set(xBytes, 1);\n    publicKeyBytes.set(yBytes, 33);\n  } else if (algorithm === coseAlgorithmRS256) {\n    const rsa = publicKey.rsa();\n    const rsaPubKey = new RSAPublicKey(rsa.n, rsa.e);\n    publicKeyBytes = rsaPubKey.encodePKCS1();\n  } else {\n    throwAuthError(\"PASSKEY_UNSUPPORTED_ALGORITHM\", `Unsupported algorithm: ${algorithm}`);\n  }\n\n  const deviceType = params.deviceType ?? \"single-device\";\n  const backedUp = params.backedUp ?? false;\n\n  // Create an account record linking the passkey to the current user.\n  // Unlike unauthenticated flows, we don't create a new user — we\n  // attach the passkey credential to the existing authenticated user.\n  const db = authDb(ctx, ctx.auth.config);\n  await db.accounts.create({\n    userId: userId!,\n    provider: provider.id,\n    providerAccountId: credentialId,\n  });\n\n  // Store the passkey credential\n  await mutatePasskeyInsert(ctx, {\n    userId: userId!,\n    credentialId,\n    publicKey: publicKeyBytes.buffer.slice(\n      publicKeyBytes.byteOffset,\n      publicKeyBytes.byteOffset + publicKeyBytes.byteLength,\n    ),\n    algorithm,\n    counter: authenticatorData.signatureCounter,\n    transports: params.transports,\n    deviceType,\n    backedUp,\n    name: params.passkeyName,\n    createdAt: Date.now(),\n  });\n\n  // Return tokens for the existing session\n  const signInResult = await callSignIn(ctx, {\n    userId: userId!,\n    generateTokens: true,\n  });\n\n  return { kind: \"signedIn\", signedIn: signInResult };\n}\n\n// ============================================================================\n// Authentication flow\n// ============================================================================\n\n/**\n * Phase 3: Generate authentication options.\n *\n * Creates a challenge and returns PublicKeyCredentialRequestOptions.\n * If an email is provided, scopes allowCredentials to that user's passkeys.\n */\nasync function handleAuthOptions(\n  ctx: EnrichedActionCtx,\n  provider: PasskeyProviderConfig,\n  params: Record<string, any>,\n): Promise<{\n  kind: \"passkeyOptions\";\n  options: Record<string, any>;\n  verifier: string;\n}> {\n  const rp = resolveRpOptions(provider);\n  const challenge = generateChallenge();\n  const challengeHash = hashChallenge(challenge);\n\n  // Store the challenge hash in the verifier table\n  const verifier = await callVerifier(ctx);\n  await callVerifierSignature(ctx, {\n    verifier,\n    signature: challengeHash,\n  });\n\n  // Build allowCredentials if email is provided\n  let allowCredentials: Array<{ type: string; id: string; transports?: string[] }> | undefined;\n  if (params.email) {\n    // Look up user by email, then find their passkeys\n    const user = await queryUserByVerifiedEmail(ctx, params.email);\n    if (user) {\n      const passkeys = await queryPasskeysByUserId(ctx, user._id);\n      if (passkeys.length > 0) {\n        allowCredentials = passkeys.map((pk) => ({\n          type: \"public-key\",\n          id: pk.credentialId,\n          transports: pk.transports,\n        }));\n      }\n    }\n  }\n\n  const options: Record<string, any> = {\n    challenge: encodeBase64urlNoPadding(challenge),\n    timeout: rp.challengeExpirationMs,\n    rpId: rp.rpId,\n    userVerification: rp.userVerification,\n  };\n\n  if (allowCredentials) {\n    options.allowCredentials = allowCredentials;\n  }\n\n  return { kind: \"passkeyOptions\", options, verifier };\n}\n\n/**\n * Phase 4: Verify authentication assertion and sign in.\n *\n * Verifies the signature against the stored public key, checks the counter,\n * and creates a session.\n */\nasync function handleAuthVerify(\n  ctx: EnrichedActionCtx,\n  provider: PasskeyProviderConfig,\n  params: Record<string, any>,\n  verifierValue: string | undefined,\n): Promise<{ kind: \"signedIn\"; signedIn: SessionInfo | null }> {\n  const rp = resolveRpOptions(provider);\n\n  if (!verifierValue) {\n    throwAuthError(\"PASSKEY_MISSING_VERIFIER\");\n  }\n\n  // Decode client data\n  const clientDataJSON = decodeBase64urlIgnorePadding(params.clientDataJSON);\n  const clientData = parseClientDataJSON(clientDataJSON);\n\n  // Verify client data type is \"webauthn.get\"\n  if (clientData.type !== ClientDataType.Get) {\n    throwAuthError(\"PASSKEY_INVALID_CLIENT_DATA\", \"Invalid client data type: expected webauthn.get\");\n  }\n\n  // Verify origin\n  const allowedOrigins = Array.isArray(rp.origin) ? rp.origin : [rp.origin];\n  if (!allowedOrigins.includes(clientData.origin)) {\n    throwAuthError(\n      \"PASSKEY_INVALID_ORIGIN\",\n      `Invalid origin: ${clientData.origin}, expected one of: ${allowedOrigins.join(\", \")}`,\n    );\n  }\n\n  // Verify challenge matches the stored verifier\n  const challengeHash = encodeBase64urlNoPadding(\n    new Uint8Array(sha256(clientData.challenge)),\n  );\n  const verifierDoc = await queryVerifierById(ctx, verifierValue);\n  if (!verifierDoc || verifierDoc.signature !== challengeHash) {\n    throwAuthError(\"PASSKEY_INVALID_CHALLENGE\");\n  }\n\n  // Clean up the verifier\n  await mutateVerifierDelete(ctx, verifierValue);\n\n  // Look up the credential\n  const credentialId = params.credentialId;\n  if (!credentialId) {\n    throwAuthError(\"PASSKEY_UNKNOWN_CREDENTIAL\", \"Missing credential ID\");\n  }\n\n  const passkey = await queryPasskeyByCredentialId(ctx, credentialId);\n  if (!passkey) {\n    throwAuthError(\"PASSKEY_UNKNOWN_CREDENTIAL\", \"Unknown credential\");\n  }\n\n  // Parse authenticator data\n  const authenticatorDataBytes = decodeBase64urlIgnorePadding(params.authenticatorData);\n  const authenticatorData = parseAuthenticatorData(authenticatorDataBytes);\n\n  // Verify RP ID hash\n  if (!authenticatorData.verifyRelyingPartyIdHash(rp.rpId)) {\n    throwAuthError(\"PASSKEY_RP_MISMATCH\");\n  }\n\n  // Verify user presence\n  if (!authenticatorData.userPresent) {\n    throwAuthError(\"PASSKEY_USER_PRESENCE\");\n  }\n  if (rp.userVerification === \"required\" && !authenticatorData.userVerified) {\n    throwAuthError(\"PASSKEY_USER_VERIFICATION\");\n  }\n\n  // Verify signature\n  const signature = decodeBase64urlIgnorePadding(params.signature);\n  const signatureMessage = createAssertionSignatureMessage(\n    authenticatorDataBytes,\n    clientDataJSON,\n  );\n  const messageHash = sha256(signatureMessage);\n\n  const storedPublicKeyBytes = new Uint8Array(passkey.publicKey);\n\n  if (passkey.algorithm === coseAlgorithmES256) {\n    // EC P-256 verification\n    const ecPublicKey = decodeSEC1PublicKey(p256, storedPublicKeyBytes);\n    // WebAuthn signatures for EC keys are DER/ASN.1 (PKIX) encoded\n    const ecdsaSignature = decodePKIXECDSASignature(signature);\n    const valid = verifyECDSASignature(\n      ecPublicKey,\n      messageHash,\n      ecdsaSignature,\n    );\n    if (!valid) {\n      throwAuthError(\"PASSKEY_INVALID_SIGNATURE\");\n    }\n  } else if (passkey.algorithm === coseAlgorithmRS256) {\n    // RSA PKCS#1 v1.5 with SHA-256 verification\n    // Decode the stored PKCS#1 public key\n    const rsaPublicKey = decodePKCS1RSAPublicKey(storedPublicKeyBytes);\n    const valid = verifyRSASSAPKCS1v15Signature(\n      rsaPublicKey,\n      sha256ObjectIdentifier,\n      messageHash,\n      signature,\n    );\n    if (!valid) {\n      throwAuthError(\"PASSKEY_INVALID_SIGNATURE\");\n    }\n  } else {\n    throwAuthError(\"PASSKEY_UNSUPPORTED_ALGORITHM\", `Unsupported algorithm: ${passkey.algorithm}`);\n  }\n\n  // Verify counter (clone detection)\n  // Counter of 0 means the authenticator doesn't support counters\n  if (\n    passkey.counter !== 0 &&\n    authenticatorData.signatureCounter !== 0 &&\n    authenticatorData.signatureCounter <= passkey.counter\n  ) {\n    throwAuthError(\"PASSKEY_COUNTER_ERROR\");\n  }\n\n  // Update counter and last used timestamp\n  await mutatePasskeyUpdateCounter(\n    ctx,\n    passkey._id,\n    authenticatorData.signatureCounter,\n    Date.now(),\n  );\n\n  // Sign in the user\n  const signInResult = await callSignIn(ctx, {\n    userId: passkey.userId,\n    generateTokens: true,\n  });\n\n  return { kind: \"signedIn\", signedIn: signInResult };\n}\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\n/**\n * Main passkey handler dispatched from signIn.ts.\n *\n * Routes to the appropriate phase based on `params.flow`.\n */\nexport async function handlePasskey(\n  ctx: EnrichedActionCtx,\n  provider: PasskeyProviderConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n): Promise<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n> {\n  const flow = args.params?.flow;\n  if (!flow) {\n    throwAuthError(\n      \"PASSKEY_MISSING_FLOW\",\n      \"Missing `flow` parameter. Expected one of: register-options, register-verify, auth-options, auth-verify\",\n    );\n  }\n\n  switch (flow) {\n    case \"register-options\":\n      return handleRegisterOptions(ctx, provider, args.params ?? {});\n    case \"register-verify\":\n      return handleRegisterVerify(ctx, provider, args.params ?? {}, args.verifier);\n    case \"auth-options\":\n      return handleAuthOptions(ctx, provider, args.params ?? {});\n    case \"auth-verify\":\n      return handleAuthVerify(ctx, provider, args.params ?? {}, args.verifier);\n    default:\n      throwAuthError(\n        \"PASSKEY_UNKNOWN_FLOW\",\n        `Unknown passkey flow: ${flow}. Expected one of: register-options, register-verify, auth-options, auth-verify`,\n      );\n  }\n}\n\n// ============================================================================\n// Helpers\n// ============================================================================\n\n/**\n * Convert a bigint to a fixed-size big-endian byte array.\n */\nfunction bigintToBytes(value: bigint, length: number): Uint8Array {\n  const bytes = new Uint8Array(length);\n  let v = value;\n  for (let i = length - 1; i >= 0; i--) {\n    bytes[i] = Number(v & 0xffn);\n    v >>= 8n;\n  }\n  return bytes;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmEA,SAAS,iBAAiB,UAAiC;CAOzD,MAAM,UAAU,QAAQ,IAAI;AAC5B,KAAI,CAAC,WAAW,CAAC,SAAS,QAAQ,KAChC,gBACE,0BACA,yMAGD;CAEH,MAAM,eAAe,UAAU,IAAI,IAAI,QAAQ,CAAC,WAAW;AAE3D,QAAO;EACL,QAAQ,SAAS,QAAQ,UAAU,gBAAgB;EACnD,MAAM,SAAS,QAAQ,QAAQ,gBAAgB;EAC/C,QAAQ,SAAS,QAAQ,UAAU,WAAW;EAC9C,aAAa,SAAS,QAAQ,eAAe;EAC7C,kBAAkB,SAAS,QAAQ,oBAAoB;EACvD,aAAa,SAAS,QAAQ,eAAe;EAC7C,yBAAyB,SAAS,QAAQ;EAC1C,YAAY,SAAS,QAAQ,cAAc,CAAC,oBAAoB,mBAAmB;EACnF,uBAAuB,SAAS,QAAQ,yBAAyB;EAClE;;;;;AAMH,SAAS,oBAAgC;CACvC,MAAM,YAAY,IAAI,WAAW,GAAG;AACpC,QAAO,gBAAgB,UAAU;AACjC,QAAO;;;;;AAMT,SAAS,cAAc,WAA+B;AACpD,QAAO,yBAAyB,IAAI,WAAW,OAAO,UAAU,CAAC,CAAC;;;;;;;;;AAcpE,eAAe,sBACb,KACA,UACA,QAKC;CAED,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,KAAI,aAAa,KACf,gBAAe,wBAAwB;CAEzC,MAAM,CAAC,UAAU,SAAS,QAAQ,MAAM,IAAI;CAE5C,MAAM,KAAK,iBAAiB,SAAS;CACrC,MAAM,YAAY,mBAAmB;CACrC,MAAM,gBAAgB,cAAc,UAAU;CAG9C,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,OAAM,sBAAsB,KAAK;EAC/B;EACA,WAAW;EACZ,CAAC;CAGF,MAAM,OAAO,MAAM,cAAc,KAAK,OAAQ;CAC9C,MAAM,WAAW,OAAO,YAAY,MAAM,SAAS;CACnD,MAAM,kBAAkB,OAAO,mBAAmB,MAAM,QAAQ;CAIhE,MAAM,sBADW,MAAM,sBAAsB,KAAK,OAAQ,EACtB,KAAK,QAAQ;EAC/C,IAAI,GAAG;EACP,YAAY,GAAG;EAChB,EAAE;CAGH,MAAM,aAAa,yBACjB,IAAI,aAAa,CAAC,OAAO,OAAQ,CAClC;AA8BD,QAAO;EAAE,MAAM;EAAkB,SA5BjB;GACd,IAAI;IACF,MAAM,GAAG;IACT,IAAI,GAAG;IACR;GACD,MAAM;IACJ,IAAI;IACJ,MAAM;IACN,aAAa;IACd;GACD,WAAW,yBAAyB,UAAU;GAC9C,kBAAkB,GAAG,WAAW,KAAK,SAAS;IAC5C,MAAM;IACN;IACD,EAAE;GACH,SAAS,GAAG;GACZ,aAAa,GAAG;GAChB,wBAAwB;IACtB,aAAa,GAAG;IAChB,oBAAoB,GAAG,gBAAgB;IACvC,kBAAkB,GAAG;IACrB,GAAI,GAAG,0BACH,EAAE,yBAAyB,GAAG,yBAAyB,GACvD,EAAE;IACP;GACD;GACD;EAEyC;EAAU;;;;;;;;;AAUtD,eAAe,qBACb,KACA,UACA,QACA,eAC6D;CAE7D,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,KAAI,aAAa,KACf,gBAAe,wBAAwB;CAEzC,MAAM,CAAC,UAAU,SAAS,QAAQ,MAAM,IAAI;CAE5C,MAAM,KAAK,iBAAiB,SAAS;AAErC,KAAI,CAAC,cACH,gBAAe,2BAA2B;CAK5C,MAAM,aAAa,oBADI,6BAA6B,OAAO,eAAe,CACpB;AAGtD,KAAI,WAAW,SAAS,eAAe,OACrC,gBAAe,+BAA+B,qDAAqD;CAIrG,MAAM,iBAAiB,MAAM,QAAQ,GAAG,OAAO,GAAG,GAAG,SAAS,CAAC,GAAG,OAAO;AACzE,KAAI,CAAC,eAAe,SAAS,WAAW,OAAO,CAC7C,gBACE,0BACA,mBAAmB,WAAW,OAAO,qBAAqB,eAAe,KAAK,KAAK,GACpF;CAIH,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,WAAW,UAAU,CAAC,CAC7C;CACD,MAAM,cAAc,MAAM,kBAAkB,KAAK,cAAc;AAC/D,KAAI,CAAC,eAAe,YAAY,cAAc,cAC5C,gBAAe,4BAA4B;AAI7C,OAAM,qBAAqB,KAAK,cAAc;CAK9C,MAAM,oBADc,uBADW,6BAA6B,OAAO,kBAAkB,CACnB,CAC5B;AAGtC,KAAI,CAAC,kBAAkB,yBAAyB,GAAG,KAAK,CACtD,gBAAe,sBAAsB;AAIvC,KAAI,CAAC,kBAAkB,YACrB,gBAAe,wBAAwB;AAEzC,KAAI,GAAG,qBAAqB,cAAc,CAAC,kBAAkB,aAC3D,gBAAe,4BAA4B;CAI7C,MAAM,aAAa,kBAAkB;AACrC,KAAI,CAAC,WACH,gBAAe,wBAAwB;CAGzC,MAAM,eAAe,yBAAyB,WAAW,GAAG;CAC5D,MAAM,YAAY,WAAW;CAG7B,IAAI;CACJ,IAAI;AAEJ,KAAI,UAAU,oBAAoB,CAChC,aAAY,UAAU,WAAW;MAC5B;EACL,MAAM,UAAU,UAAU,MAAM;AAChC,cACE,YAAY,YAAY,MACpB,qBACA,YAAY,YAAY,MACtB,qBACA;;AAGV,KAAI,cAAc,oBAAoB;EACpC,MAAM,MAAM,UAAU,KAAK;EAE3B,MAAM,SAAS,cAAc,IAAI,GAAG,GAAG;EACvC,MAAM,SAAS,cAAc,IAAI,GAAG,GAAG;AACvC,mBAAiB,IAAI,WAAW,GAAG;AACnC,iBAAe,KAAK;AACpB,iBAAe,IAAI,QAAQ,EAAE;AAC7B,iBAAe,IAAI,QAAQ,GAAG;YACrB,cAAc,oBAAoB;EAC3C,MAAM,MAAM,UAAU,KAAK;AAE3B,mBADkB,IAAI,aAAa,IAAI,GAAG,IAAI,EAAE,CACrB,aAAa;OAExC,gBAAe,iCAAiC,0BAA0B,YAAY;CAGxF,MAAM,aAAa,OAAO,cAAc;CACxC,MAAM,WAAW,OAAO,YAAY;AAMpC,OADW,OAAO,KAAK,IAAI,KAAK,OAAO,CAC9B,SAAS,OAAO;EACf;EACR,UAAU,SAAS;EACnB,mBAAmB;EACpB,CAAC;AAGF,OAAM,oBAAoB,KAAK;EACrB;EACR;EACA,WAAW,eAAe,OAAO,MAC/B,eAAe,YACf,eAAe,aAAa,eAAe,WAC5C;EACD;EACA,SAAS,kBAAkB;EAC3B,YAAY,OAAO;EACnB;EACA;EACA,MAAM,OAAO;EACb,WAAW,KAAK,KAAK;EACtB,CAAC;AAQF,QAAO;EAAE,MAAM;EAAY,UALN,MAAM,WAAW,KAAK;GACjC;GACR,gBAAgB;GACjB,CAAC;EAEiD;;;;;;;;AAarD,eAAe,kBACb,KACA,UACA,QAKC;CACD,MAAM,KAAK,iBAAiB,SAAS;CACrC,MAAM,YAAY,mBAAmB;CACrC,MAAM,gBAAgB,cAAc,UAAU;CAG9C,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,OAAM,sBAAsB,KAAK;EAC/B;EACA,WAAW;EACZ,CAAC;CAGF,IAAI;AACJ,KAAI,OAAO,OAAO;EAEhB,MAAM,OAAO,MAAM,yBAAyB,KAAK,OAAO,MAAM;AAC9D,MAAI,MAAM;GACR,MAAM,WAAW,MAAM,sBAAsB,KAAK,KAAK,IAAI;AAC3D,OAAI,SAAS,SAAS,EACpB,oBAAmB,SAAS,KAAK,QAAQ;IACvC,MAAM;IACN,IAAI,GAAG;IACP,YAAY,GAAG;IAChB,EAAE;;;CAKT,MAAM,UAA+B;EACnC,WAAW,yBAAyB,UAAU;EAC9C,SAAS,GAAG;EACZ,MAAM,GAAG;EACT,kBAAkB,GAAG;EACtB;AAED,KAAI,iBACF,SAAQ,mBAAmB;AAG7B,QAAO;EAAE,MAAM;EAAkB;EAAS;EAAU;;;;;;;;AAStD,eAAe,iBACb,KACA,UACA,QACA,eAC6D;CAC7D,MAAM,KAAK,iBAAiB,SAAS;AAErC,KAAI,CAAC,cACH,gBAAe,2BAA2B;CAI5C,MAAM,iBAAiB,6BAA6B,OAAO,eAAe;CAC1E,MAAM,aAAa,oBAAoB,eAAe;AAGtD,KAAI,WAAW,SAAS,eAAe,IACrC,gBAAe,+BAA+B,kDAAkD;CAIlG,MAAM,iBAAiB,MAAM,QAAQ,GAAG,OAAO,GAAG,GAAG,SAAS,CAAC,GAAG,OAAO;AACzE,KAAI,CAAC,eAAe,SAAS,WAAW,OAAO,CAC7C,gBACE,0BACA,mBAAmB,WAAW,OAAO,qBAAqB,eAAe,KAAK,KAAK,GACpF;CAIH,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,WAAW,UAAU,CAAC,CAC7C;CACD,MAAM,cAAc,MAAM,kBAAkB,KAAK,cAAc;AAC/D,KAAI,CAAC,eAAe,YAAY,cAAc,cAC5C,gBAAe,4BAA4B;AAI7C,OAAM,qBAAqB,KAAK,cAAc;CAG9C,MAAM,eAAe,OAAO;AAC5B,KAAI,CAAC,aACH,gBAAe,8BAA8B,wBAAwB;CAGvE,MAAM,UAAU,MAAM,2BAA2B,KAAK,aAAa;AACnE,KAAI,CAAC,QACH,gBAAe,8BAA8B,qBAAqB;CAIpE,MAAM,yBAAyB,6BAA6B,OAAO,kBAAkB;CACrF,MAAM,oBAAoB,uBAAuB,uBAAuB;AAGxE,KAAI,CAAC,kBAAkB,yBAAyB,GAAG,KAAK,CACtD,gBAAe,sBAAsB;AAIvC,KAAI,CAAC,kBAAkB,YACrB,gBAAe,wBAAwB;AAEzC,KAAI,GAAG,qBAAqB,cAAc,CAAC,kBAAkB,aAC3D,gBAAe,4BAA4B;CAI7C,MAAM,YAAY,6BAA6B,OAAO,UAAU;CAKhE,MAAM,cAAc,OAJK,gCACvB,wBACA,eACD,CAC2C;CAE5C,MAAM,uBAAuB,IAAI,WAAW,QAAQ,UAAU;AAE9D,KAAI,QAAQ,cAAc,oBAUxB;MAAI,CALU,qBAHM,oBAAoB,MAAM,qBAAqB,EAKjE,aAHqB,yBAAyB,UAAU,CAKzD,CAEC,gBAAe,4BAA4B;YAEpC,QAAQ,cAAc,oBAU/B;MAAI,CANU,8BADO,wBAAwB,qBAAqB,EAGhE,wBACA,aACA,UACD,CAEC,gBAAe,4BAA4B;OAG7C,gBAAe,iCAAiC,0BAA0B,QAAQ,YAAY;AAKhG,KACE,QAAQ,YAAY,KACpB,kBAAkB,qBAAqB,KACvC,kBAAkB,oBAAoB,QAAQ,QAE9C,gBAAe,wBAAwB;AAIzC,OAAM,2BACJ,KACA,QAAQ,KACR,kBAAkB,kBAClB,KAAK,KAAK,CACX;AAQD,QAAO;EAAE,MAAM;EAAY,UALN,MAAM,WAAW,KAAK;GACzC,QAAQ,QAAQ;GAChB,gBAAgB;GACjB,CAAC;EAEiD;;;;;;;AAYrD,eAAsB,cACpB,KACA,UACA,MAOA;CACA,MAAM,OAAO,KAAK,QAAQ;AAC1B,KAAI,CAAC,KACH,gBACE,wBACA,0GACD;AAGH,SAAQ,MAAR;EACE,KAAK,mBACH,QAAO,sBAAsB,KAAK,UAAU,KAAK,UAAU,EAAE,CAAC;EAChE,KAAK,kBACH,QAAO,qBAAqB,KAAK,UAAU,KAAK,UAAU,EAAE,EAAE,KAAK,SAAS;EAC9E,KAAK,eACH,QAAO,kBAAkB,KAAK,UAAU,KAAK,UAAU,EAAE,CAAC;EAC5D,KAAK,cACH,QAAO,iBAAiB,KAAK,UAAU,KAAK,UAAU,EAAE,EAAE,KAAK,SAAS;EAC1E,QACE,gBACE,wBACA,yBAAyB,KAAK,iFAC/B;;;;;;AAWP,SAAS,cAAc,OAAe,QAA4B;CAChE,MAAM,QAAQ,IAAI,WAAW,OAAO;CACpC,IAAI,IAAI;AACR,MAAK,IAAI,IAAI,SAAS,GAAG,KAAK,GAAG,KAAK;AACpC,QAAM,KAAK,OAAO,IAAI,KAAM;AAC5B,QAAM;;AAER,QAAO"}

package/dist/server/implementation/provider.d.ts

@@ -1,10 +0,0 @@
-import { AuthProviderMaterializedConfig, ConvexAuthMaterializedConfig } from "../types.js";
-
-//#region src/server/implementation/provider.d.ts
-declare function hash(provider: any, secret: string): Promise<any>;
-declare function verify(provider: AuthProviderMaterializedConfig, secret: string, hash: string): Promise<boolean>;
-type GetProviderOrThrowFunc = (provider: string, allowExtraProviders?: boolean) => AuthProviderMaterializedConfig;
-type Config = ConvexAuthMaterializedConfig;
-//#endregion
-export { Config, GetProviderOrThrowFunc, hash, verify };
-//# sourceMappingURL=provider.d.ts.map

package/dist/server/implementation/provider.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"provider.d.ts","names":[],"sources":["../../../src/server/implementation/provider.ts"],"mappings":";;;iBAIsB,IAAA,CAAK,QAAA,OAAe,MAAA,WAAc,OAAA;AAAA,iBAWlC,MAAA,CACpB,QAAA,EAAU,8BAAA,EACV,MAAA,UACA,IAAA,WAAY,OAAA;AAAA,KAYF,sBAAA,IACV,QAAA,UACA,mBAAA,eACG,8BAAA;AAAA,KAEO,MAAA,GAAS,4BAAA"}

package/dist/server/implementation/provider.js

@@ -1,19 +0,0 @@
-import { throwAuthError } from "../errors.js";
-
-//#region src/server/implementation/provider.ts
-async function hash(provider, secret) {
-	if (provider.type !== "credentials") throwAuthError("INVALID_CREDENTIALS_PROVIDER", `Provider ${provider.id} is not a credentials provider`, { provider: provider.id });
-	const hashSecretFn = provider.crypto?.hashSecret;
-	if (hashSecretFn === void 0) throwAuthError("MISSING_CRYPTO_FUNCTION", `Provider ${provider.id} does not have a \`crypto.hashSecret\` function`, { provider: provider.id });
-	return await hashSecretFn(secret);
-}
-async function verify(provider, secret, hash) {
-	if (provider.type !== "credentials") throwAuthError("INVALID_CREDENTIALS_PROVIDER", `Provider ${provider.id} is not a credentials provider`, { provider: provider.id });
-	const verifySecretFn = provider.crypto?.verifySecret;
-	if (verifySecretFn === void 0) throwAuthError("MISSING_CRYPTO_FUNCTION", `Provider ${provider.id} does not have a \`crypto.verifySecret\` function`, { provider: provider.id });
-	return await verifySecretFn(secret, hash);
-}
-
-//#endregion
-export { hash, verify };
-//# sourceMappingURL=provider.js.map

package/dist/server/implementation/provider.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"provider.js","names":[],"sources":["../../../src/server/implementation/provider.ts"],"sourcesContent":["import { AuthProviderMaterializedConfig } from \"../types\";\nimport { ConvexAuthMaterializedConfig } from \"../types\";\nimport { throwAuthError } from \"../errors\";\n\nexport async function hash(provider: any, secret: string) {\n  if (provider.type !== \"credentials\") {\n    throwAuthError(\"INVALID_CREDENTIALS_PROVIDER\", `Provider ${provider.id} is not a credentials provider`, { provider: provider.id });\n  }\n  const hashSecretFn = provider.crypto?.hashSecret;\n  if (hashSecretFn === undefined) {\n    throwAuthError(\"MISSING_CRYPTO_FUNCTION\", `Provider ${provider.id} does not have a \\`crypto.hashSecret\\` function`, { provider: provider.id });\n  }\n  return await hashSecretFn(secret);\n}\n\nexport async function verify(\n  provider: AuthProviderMaterializedConfig,\n  secret: string,\n  hash: string,\n) {\n  if (provider.type !== \"credentials\") {\n    throwAuthError(\"INVALID_CREDENTIALS_PROVIDER\", `Provider ${provider.id} is not a credentials provider`, { provider: provider.id });\n  }\n  const verifySecretFn = provider.crypto?.verifySecret;\n  if (verifySecretFn === undefined) {\n    throwAuthError(\"MISSING_CRYPTO_FUNCTION\", `Provider ${provider.id} does not have a \\`crypto.verifySecret\\` function`, { provider: provider.id });\n  }\n  return await verifySecretFn(secret, hash);\n}\n\nexport type GetProviderOrThrowFunc = (\n  provider: string,\n  allowExtraProviders?: boolean,\n) => AuthProviderMaterializedConfig;\n\nexport type Config = ConvexAuthMaterializedConfig;\n"],"mappings":";;;AAIA,eAAsB,KAAK,UAAe,QAAgB;AACxD,KAAI,SAAS,SAAS,cACpB,gBAAe,gCAAgC,YAAY,SAAS,GAAG,iCAAiC,EAAE,UAAU,SAAS,IAAI,CAAC;CAEpI,MAAM,eAAe,SAAS,QAAQ;AACtC,KAAI,iBAAiB,OACnB,gBAAe,2BAA2B,YAAY,SAAS,GAAG,kDAAkD,EAAE,UAAU,SAAS,IAAI,CAAC;AAEhJ,QAAO,MAAM,aAAa,OAAO;;AAGnC,eAAsB,OACpB,UACA,QACA,MACA;AACA,KAAI,SAAS,SAAS,cACpB,gBAAe,gCAAgC,YAAY,SAAS,GAAG,iCAAiC,EAAE,UAAU,SAAS,IAAI,CAAC;CAEpI,MAAM,iBAAiB,SAAS,QAAQ;AACxC,KAAI,mBAAmB,OACrB,gBAAe,2BAA2B,YAAY,SAAS,GAAG,oDAAoD,EAAE,UAAU,SAAS,IAAI,CAAC;AAElJ,QAAO,MAAM,eAAe,QAAQ,KAAK"}

package/dist/server/implementation/ratelimit.d.ts

@@ -1,10 +0,0 @@
-import { MutationCtx } from "./types.js";
-import { ConvexAuthConfig } from "../types.js";
-
-//#region src/server/implementation/ratelimit.d.ts
-declare function isSignInRateLimited(ctx: MutationCtx, identifier: string, config: ConvexAuthConfig): Promise<boolean>;
-declare function recordFailedSignIn(ctx: MutationCtx, identifier: string, config: ConvexAuthConfig): Promise<void>;
-declare function resetSignInRateLimit(ctx: MutationCtx, identifier: string, config: ConvexAuthConfig): Promise<void>;
-//#endregion
-export { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit };
-//# sourceMappingURL=ratelimit.d.ts.map

package/dist/server/implementation/ratelimit.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"ratelimit.d.ts","names":[],"sources":["../../../src/server/implementation/ratelimit.ts"],"mappings":";;;;iBAMsB,mBAAA,CACpB,GAAA,EAAK,WAAA,EACL,UAAA,UACA,MAAA,EAAQ,gBAAA,GAAgB,OAAA;AAAA,iBASJ,kBAAA,CACpB,GAAA,EAAK,WAAA,EACL,UAAA,UACA,MAAA,EAAQ,gBAAA,GAAgB,OAAA;AAAA,iBAmBJ,oBAAA,CACpB,GAAA,EAAK,WAAA,EACL,UAAA,UACA,MAAA,EAAQ,gBAAA,GAAgB,OAAA"}

package/dist/server/implementation/ratelimit.js

@@ -1,48 +0,0 @@
-import { authDb } from "./db.js";
-
-//#region src/server/implementation/ratelimit.ts
-const DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;
-async function isSignInRateLimited(ctx, identifier, config) {
-	const state = await getRateLimitState(ctx, identifier, config);
-	if (state === null) return false;
-	return state.attempsLeft < 1;
-}
-async function recordFailedSignIn(ctx, identifier, config) {
-	const db = authDb(ctx, config);
-	const state = await getRateLimitState(ctx, identifier, config);
-	if (state !== null) await db.rateLimits.patch(state.limit._id, {
-		attemptsLeft: state.attempsLeft - 1,
-		lastAttemptTime: Date.now()
-	});
-	else {
-		const maxAttempsPerHour = configuredMaxAttempsPerHour(config);
-		await db.rateLimits.create({
-			identifier,
-			attemptsLeft: maxAttempsPerHour - 1,
-			lastAttemptTime: Date.now()
-		});
-	}
-}
-async function resetSignInRateLimit(ctx, identifier, config) {
-	const existingState = await getRateLimitState(ctx, identifier, config);
-	if (existingState !== null) await authDb(ctx, config).rateLimits.delete(existingState.limit._id);
-}
-async function getRateLimitState(ctx, identifier, config) {
-	const now = Date.now();
-	const maxAttempsPerHour = configuredMaxAttempsPerHour(config);
-	const limit = await authDb(ctx, config).rateLimits.get(identifier);
-	if (limit === null) return null;
-	const elapsed = now - limit.lastAttemptTime;
-	const maxAttempsPerMs = maxAttempsPerHour / (3600 * 1e3);
-	return {
-		limit,
-		attempsLeft: Math.min(maxAttempsPerHour, limit.attemptsLeft + elapsed * maxAttempsPerMs)
-	};
-}
-function configuredMaxAttempsPerHour(config) {
-	return config.signIn?.maxFailedAttempsPerHour ?? DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR;
-}
-
-//#endregion
-export { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit };
-//# sourceMappingURL=ratelimit.js.map

package/dist/server/implementation/ratelimit.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"ratelimit.js","names":[],"sources":["../../../src/server/implementation/ratelimit.ts"],"sourcesContent":["import { ConvexAuthConfig } from \"../types\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { authDb } from \"./db\";\n\nconst DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;\n\nexport async function isSignInRateLimited(\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n) {\n  const state = await getRateLimitState(ctx, identifier, config);\n  if (state === null) {\n    return false;\n  }\n  return state.attempsLeft < 1;\n}\n\nexport async function recordFailedSignIn(\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const state = await getRateLimitState(ctx, identifier, config);\n  if (state !== null) {\n    await db.rateLimits.patch(state.limit._id, {\n      attemptsLeft: state.attempsLeft - 1,\n      lastAttemptTime: Date.now(),\n    });\n  } else {\n    const maxAttempsPerHour = configuredMaxAttempsPerHour(config);\n    await db.rateLimits.create({\n      identifier,\n      attemptsLeft: maxAttempsPerHour - 1,\n      lastAttemptTime: Date.now(),\n    });\n  }\n}\n\nexport async function resetSignInRateLimit(\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n) {\n  const existingState = await getRateLimitState(ctx, identifier, config);\n  if (existingState !== null) {\n    await authDb(ctx, config).rateLimits.delete(existingState.limit._id);\n  }\n}\n\nasync function getRateLimitState(\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n) {\n  const now = Date.now();\n  const maxAttempsPerHour = configuredMaxAttempsPerHour(config);\n  const limit = (await authDb(ctx, config).rateLimits.get(identifier)) as\n    | Doc<\"limit\">\n    | null;\n  if (limit === null) {\n    return null;\n  }\n  const elapsed = now - limit.lastAttemptTime;\n  const maxAttempsPerMs = maxAttempsPerHour / (60 * 60 * 1000);\n  const attempsLeft = Math.min(\n    maxAttempsPerHour,\n    limit.attemptsLeft + elapsed * maxAttempsPerMs,\n  );\n  return { limit, attempsLeft };\n}\n\nfunction configuredMaxAttempsPerHour(config: ConvexAuthConfig) {\n  return (\n    config.signIn?.maxFailedAttempsPerHour ??\n    DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR\n  );\n}\n"],"mappings":";;;AAIA,MAAM,wCAAwC;AAE9C,eAAsB,oBACpB,KACA,YACA,QACA;CACA,MAAM,QAAQ,MAAM,kBAAkB,KAAK,YAAY,OAAO;AAC9D,KAAI,UAAU,KACZ,QAAO;AAET,QAAO,MAAM,cAAc;;AAG7B,eAAsB,mBACpB,KACA,YACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,QAAQ,MAAM,kBAAkB,KAAK,YAAY,OAAO;AAC9D,KAAI,UAAU,KACZ,OAAM,GAAG,WAAW,MAAM,MAAM,MAAM,KAAK;EACzC,cAAc,MAAM,cAAc;EAClC,iBAAiB,KAAK,KAAK;EAC5B,CAAC;MACG;EACL,MAAM,oBAAoB,4BAA4B,OAAO;AAC7D,QAAM,GAAG,WAAW,OAAO;GACzB;GACA,cAAc,oBAAoB;GAClC,iBAAiB,KAAK,KAAK;GAC5B,CAAC;;;AAIN,eAAsB,qBACpB,KACA,YACA,QACA;CACA,MAAM,gBAAgB,MAAM,kBAAkB,KAAK,YAAY,OAAO;AACtE,KAAI,kBAAkB,KACpB,OAAM,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO,cAAc,MAAM,IAAI;;AAIxE,eAAe,kBACb,KACA,YACA,QACA;CACA,MAAM,MAAM,KAAK,KAAK;CACtB,MAAM,oBAAoB,4BAA4B,OAAO;CAC7D,MAAM,QAAS,MAAM,OAAO,KAAK,OAAO,CAAC,WAAW,IAAI,WAAW;AAGnE,KAAI,UAAU,KACZ,QAAO;CAET,MAAM,UAAU,MAAM,MAAM;CAC5B,MAAM,kBAAkB,qBAAqB,OAAU;AAKvD,QAAO;EAAE;EAAO,aAJI,KAAK,IACvB,mBACA,MAAM,eAAe,UAAU,gBAChC;EAC4B;;AAG/B,SAAS,4BAA4B,QAA0B;AAC7D,QACE,OAAO,QAAQ,2BACf"}