@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/server/implementation/redirects.d.ts

@@ -1,10 +0,0 @@
-import { ConvexAuthMaterializedConfig } from "../types.js";
-
-//#region src/server/implementation/redirects.d.ts
-declare function redirectAbsoluteUrl(config: ConvexAuthMaterializedConfig, params: {
-  redirectTo: unknown;
-}): Promise<string>;
-declare function setURLSearchParam(absoluteUrl: string, param: string, value: string): string;
-//#endregion
-export { redirectAbsoluteUrl, setURLSearchParam };
-//# sourceMappingURL=redirects.d.ts.map

package/dist/server/implementation/redirects.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"redirects.d.ts","names":[],"sources":["../../../src/server/implementation/redirects.ts"],"mappings":";;;iBAIsB,mBAAA,CACpB,MAAA,EAAQ,4BAAA,EACR,MAAA;EAAU,UAAA;AAAA,IAAqB,OAAA;AAAA,iBAwBjB,iBAAA,CACd,WAAA,UACA,KAAA,UACA,KAAA"}

package/dist/server/implementation/redirects.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"redirects.js","names":[],"sources":["../../../src/server/implementation/redirects.ts"],"sourcesContent":["import { ConvexAuthMaterializedConfig } from \"../types\";\nimport { requireEnv } from \"../utils\";\nimport { throwAuthError } from \"../errors\";\n\nexport async function redirectAbsoluteUrl(\n  config: ConvexAuthMaterializedConfig,\n  params: { redirectTo: unknown },\n) {\n  if (params.redirectTo !== undefined) {\n    if (typeof params.redirectTo !== \"string\") {\n      throwAuthError(\"INVALID_REDIRECT\", `Expected \\`redirectTo\\` to be a string, got ${params.redirectTo as any}`);\n    }\n    const redirectCallback =\n      config.callbacks?.redirect ?? defaultRedirectCallback;\n    return await redirectCallback(params as { redirectTo: string });\n  }\n  return siteUrl();\n}\n\nasync function defaultRedirectCallback({ redirectTo }: { redirectTo: string }) {\n  // Resolve relative paths against SITE_URL; absolute URLs are passed through\n  // as-is. The developer is trusted to provide valid redirect targets.\n  if (redirectTo.startsWith(\"?\") || redirectTo.startsWith(\"/\")) {\n    return `${siteUrl()}${redirectTo}`;\n  }\n  return redirectTo;\n}\n\n// Temporary work-around because Convex doesn't support\n// schemes other than http and https.\nexport function setURLSearchParam(\n  absoluteUrl: string,\n  param: string,\n  value: string,\n) {\n  const pattern = /([^:]+):(.*)/;\n  const [, scheme, rest] = absoluteUrl.match(pattern)!;\n  const hasNoDomain = /^\\/\\/(?:\\/|$|\\?)/.test(rest);\n  const startsWithPath = hasNoDomain && rest.startsWith(\"///\");\n  const url = new URL(\n    `http:${hasNoDomain ? \"//googblibok\" + rest.slice(2) : rest}`,\n  );\n  url.searchParams.set(param, value);\n  const [, , withParam] = url.toString().match(pattern)!;\n  return `${scheme}:${hasNoDomain ? (startsWithPath ? \"/\" : \"\") + \"//\" + withParam.slice(13) : withParam}`;\n}\n\nfunction siteUrl() {\n  return requireEnv(\"SITE_URL\").replace(/\\/$/, \"\");\n}\n"],"mappings":";;;;AAIA,eAAsB,oBACpB,QACA,QACA;AACA,KAAI,OAAO,eAAe,QAAW;AACnC,MAAI,OAAO,OAAO,eAAe,SAC/B,gBAAe,oBAAoB,+CAA+C,OAAO,aAAoB;AAI/G,SAAO,OADL,OAAO,WAAW,YAAY,yBACF,OAAiC;;AAEjE,QAAO,SAAS;;AAGlB,eAAe,wBAAwB,EAAE,cAAsC;AAG7E,KAAI,WAAW,WAAW,IAAI,IAAI,WAAW,WAAW,IAAI,CAC1D,QAAO,GAAG,SAAS,GAAG;AAExB,QAAO;;AAKT,SAAgB,kBACd,aACA,OACA,OACA;CACA,MAAM,UAAU;CAChB,MAAM,GAAG,QAAQ,QAAQ,YAAY,MAAM,QAAQ;CACnD,MAAM,cAAc,mBAAmB,KAAK,KAAK;CACjD,MAAM,iBAAiB,eAAe,KAAK,WAAW,MAAM;CAC5D,MAAM,MAAM,IAAI,IACd,QAAQ,cAAc,iBAAiB,KAAK,MAAM,EAAE,GAAG,OACxD;AACD,KAAI,aAAa,IAAI,OAAO,MAAM;CAClC,MAAM,KAAK,aAAa,IAAI,UAAU,CAAC,MAAM,QAAQ;AACrD,QAAO,GAAG,OAAO,GAAG,eAAe,iBAAiB,MAAM,MAAM,OAAO,UAAU,MAAM,GAAG,GAAG;;AAG/F,SAAS,UAAU;AACjB,QAAO,WAAW,WAAW,CAAC,QAAQ,OAAO,GAAG"}

package/dist/server/implementation/refresh.d.ts

@@ -1,37 +0,0 @@
-import { Doc, MutationCtx } from "./types.js";
-import { ConvexAuthConfig } from "../types.js";
-import { GenericId } from "convex/values";
-
-//#region src/server/implementation/refresh.d.ts
-declare const REFRESH_TOKEN_REUSE_WINDOW_MS: number;
-declare function createRefreshToken(ctx: MutationCtx, config: ConvexAuthConfig, sessionId: GenericId<"session">, parentRefreshTokenId: GenericId<"token"> | null): Promise<GenericId<"token">>;
-declare const formatRefreshToken: (refreshTokenId: GenericId<"token">, sessionId: GenericId<"session">) => string;
-declare const parseRefreshToken: (refreshToken: string) => {
-  refreshTokenId: GenericId<"token">;
-  sessionId: GenericId<"session">;
-};
-/**
- * Mark all refresh tokens descending from the given refresh token as invalid immediately.
- * This is used when we detect an invalid use of a refresh token, and want to revoke
- * the entire tree.
- *
- * @param ctx
- * @param refreshToken
- */
-declare function invalidateRefreshTokensInSubtree(ctx: MutationCtx, refreshToken: Doc<"token">, config: ConvexAuthConfig): Promise<Doc<"token">[]>;
-declare function deleteAllRefreshTokens(ctx: MutationCtx, sessionId: GenericId<"session">, config: ConvexAuthConfig): Promise<void>;
-declare function refreshTokenIfValid(ctx: MutationCtx, refreshTokenId: string, tokenSessionId: string, config: ConvexAuthConfig): Promise<{
-  session: Doc<"session">;
-  refreshTokenDoc: Doc<"token">;
-} | null>;
-/**
- * The active refresh token is the most recently created refresh token that has
- * never been used.
- *
- * @param ctx
- * @param sessionId
- */
-declare function loadActiveRefreshToken(ctx: MutationCtx, sessionId: GenericId<"session">, config: ConvexAuthConfig): Promise<Doc<"token"> | null>;
-//#endregion
-export { REFRESH_TOKEN_REUSE_WINDOW_MS, createRefreshToken, deleteAllRefreshTokens, formatRefreshToken, invalidateRefreshTokensInSubtree, loadActiveRefreshToken, parseRefreshToken, refreshTokenIfValid };
-//# sourceMappingURL=refresh.d.ts.map

package/dist/server/implementation/refresh.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"refresh.d.ts","names":[],"sources":["../../../src/server/implementation/refresh.ts"],"mappings":";;;;;cAca,6BAAA;AAAA,iBACS,kBAAA,CACpB,GAAA,EAAK,WAAA,EACL,MAAA,EAAQ,gBAAA,EACR,SAAA,EAAW,SAAA,aACX,oBAAA,EAAsB,SAAA,mBACrB,OAAA,CAAQ,SAAA;AAAA,cAeE,kBAAA,GACX,cAAA,EAAgB,SAAA,WAChB,SAAA,EAAW,SAAA;AAAA,cAKA,iBAAA,GACX,YAAA;EAEA,cAAA,EAAgB,SAAA;EAChB,SAAA,EAAW,SAAA;AAAA;AA/Bb;;;;;;;;AAAA,iBAmDsB,gCAAA,CACpB,GAAA,EAAK,WAAA,EACL,YAAA,EAAc,GAAA,WACd,MAAA,EAAQ,gBAAA,GAAgB,OAAA,CAAA,GAAA;AAAA,iBA+BJ,sBAAA,CACpB,GAAA,EAAK,WAAA,EACL,SAAA,EAAW,SAAA,aACX,MAAA,EAAQ,gBAAA,GAAgB,OAAA;AAAA,iBAKJ,mBAAA,CACpB,GAAA,EAAK,WAAA,EACL,cAAA,UACA,cAAA,UACA,MAAA,EAAQ,gBAAA,GAAgB,OAAA;;;;;;;;;;;iBAmDJ,sBAAA,CACpB,GAAA,EAAK,WAAA,EACL,SAAA,EAAW,SAAA,aACX,MAAA,EAAQ,gBAAA,GAAgB,OAAA,CAAA,GAAA"}

package/dist/server/implementation/refresh.js

@@ -1,109 +0,0 @@
-import { throwAuthError } from "../errors.js";
-import { LOG_LEVELS, REFRESH_TOKEN_DIVIDER, logWithLevel, maybeRedact, stringToNumber } from "./utils.js";
-import { authDb } from "./db.js";
-
-//#region src/server/implementation/refresh.ts
-const DEFAULT_SESSION_INACTIVE_DURATION_MS = 1e3 * 60 * 60 * 24 * 30;
-const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1e3;
-async function createRefreshToken(ctx, config, sessionId, parentRefreshTokenId) {
-	const db = authDb(ctx, config);
-	const expirationTime = Date.now() + (config.session?.inactiveDurationMs ?? stringToNumber(process.env.AUTH_SESSION_INACTIVE_DURATION_MS) ?? DEFAULT_SESSION_INACTIVE_DURATION_MS);
-	return await db.refreshTokens.create({
-		sessionId,
-		expirationTime,
-		parentRefreshTokenId: parentRefreshTokenId ?? void 0
-	});
-}
-const formatRefreshToken = (refreshTokenId, sessionId) => {
-	return `${refreshTokenId}${REFRESH_TOKEN_DIVIDER}${sessionId}`;
-};
-const parseRefreshToken = (refreshToken) => {
-	const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);
-	if (!refreshTokenId || !sessionId) throwAuthError("INVALID_REFRESH_TOKEN", `Can't parse refresh token: ${maybeRedact(refreshToken)}`);
-	return {
-		refreshTokenId,
-		sessionId
-	};
-};
-/**
-* Mark all refresh tokens descending from the given refresh token as invalid immediately.
-* This is used when we detect an invalid use of a refresh token, and want to revoke
-* the entire tree.
-*
-* @param ctx
-* @param refreshToken
-*/
-async function invalidateRefreshTokensInSubtree(ctx, refreshToken, config) {
-	const db = authDb(ctx, config);
-	const tokensToInvalidate = [refreshToken];
-	let frontier = [refreshToken._id];
-	while (frontier.length > 0) {
-		const nextFrontier = [];
-		for (const currentTokenId of frontier) {
-			const children = await db.refreshTokens.getChildren(refreshToken.sessionId, currentTokenId);
-			tokensToInvalidate.push(...children);
-			nextFrontier.push(...children.map((child) => child._id));
-		}
-		frontier = nextFrontier;
-	}
-	for (const token of tokensToInvalidate) if (token.firstUsedTime === void 0 || token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS) await db.refreshTokens.patch(token._id, { firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS });
-	return tokensToInvalidate;
-}
-async function deleteAllRefreshTokens(ctx, sessionId, config) {
-	await authDb(ctx, config).refreshTokens.deleteAll(sessionId);
-}
-async function refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config) {
-	const db = authDb(ctx, config);
-	let refreshTokenDoc;
-	try {
-		refreshTokenDoc = await db.refreshTokens.getById(refreshTokenId);
-	} catch {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token format");
-		return null;
-	}
-	if (refreshTokenDoc === null) {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token");
-		return null;
-	}
-	if (refreshTokenDoc.expirationTime < Date.now()) {
-		logWithLevel(LOG_LEVELS.ERROR, "Expired refresh token");
-		return null;
-	}
-	if (refreshTokenDoc.sessionId !== tokenSessionId) {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session ID");
-		return null;
-	}
-	let session;
-	try {
-		session = await db.sessions.getById(refreshTokenDoc.sessionId);
-	} catch {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session format");
-		return null;
-	}
-	if (session === null) {
-		logWithLevel(LOG_LEVELS.ERROR, "Invalid refresh token session");
-		return null;
-	}
-	if (session.expirationTime < Date.now()) {
-		logWithLevel(LOG_LEVELS.ERROR, "Expired refresh token session");
-		return null;
-	}
-	return {
-		session,
-		refreshTokenDoc
-	};
-}
-/**
-* The active refresh token is the most recently created refresh token that has
-* never been used.
-*
-* @param ctx
-* @param sessionId
-*/
-async function loadActiveRefreshToken(ctx, sessionId, config) {
-	return await authDb(ctx, config).refreshTokens.getActive(sessionId);
-}
-
-//#endregion
-export { REFRESH_TOKEN_REUSE_WINDOW_MS, createRefreshToken, deleteAllRefreshTokens, formatRefreshToken, invalidateRefreshTokensInSubtree, loadActiveRefreshToken, parseRefreshToken, refreshTokenIfValid };
-//# sourceMappingURL=refresh.js.map

package/dist/server/implementation/refresh.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"refresh.js","names":[],"sources":["../../../src/server/implementation/refresh.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport { ConvexAuthConfig } from \"../types\";\nimport { throwAuthError } from \"../errors\";\nimport { Doc, MutationCtx } from \"./types\";\nimport {\n  LOG_LEVELS,\n  REFRESH_TOKEN_DIVIDER,\n  logWithLevel,\n  maybeRedact,\n  stringToNumber,\n} from \"./utils\";\nimport { authDb } from \"./db\";\n\nconst DEFAULT_SESSION_INACTIVE_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days\nexport const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1000; // 10 seconds\nexport async function createRefreshToken(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  sessionId: GenericId<\"session\">,\n  parentRefreshTokenId: GenericId<\"token\"> | null,\n): Promise<GenericId<\"token\">> {\n  const db = authDb(ctx, config);\n  const expirationTime =\n    Date.now() +\n    (config.session?.inactiveDurationMs ??\n      stringToNumber(process.env.AUTH_SESSION_INACTIVE_DURATION_MS) ??\n      DEFAULT_SESSION_INACTIVE_DURATION_MS);\n  const newRefreshTokenId = (await db.refreshTokens.create({\n    sessionId,\n    expirationTime,\n    parentRefreshTokenId: parentRefreshTokenId ?? undefined,\n  })) as GenericId<\"token\">;\n  return newRefreshTokenId;\n}\n\nexport const formatRefreshToken = (\n  refreshTokenId: GenericId<\"token\">,\n  sessionId: GenericId<\"session\">,\n) => {\n  return `${refreshTokenId}${REFRESH_TOKEN_DIVIDER}${sessionId}`;\n};\n\nexport const parseRefreshToken = (\n  refreshToken: string,\n): {\n  refreshTokenId: GenericId<\"token\">;\n  sessionId: GenericId<\"session\">;\n} => {\n  const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);\n  if (!refreshTokenId || !sessionId) {\n    throwAuthError(\"INVALID_REFRESH_TOKEN\", `Can't parse refresh token: ${maybeRedact(refreshToken)}`);\n  }\n  return {\n    refreshTokenId: refreshTokenId as GenericId<\"token\">,\n    sessionId: sessionId as GenericId<\"session\">,\n  };\n};\n\n/**\n * Mark all refresh tokens descending from the given refresh token as invalid immediately.\n * This is used when we detect an invalid use of a refresh token, and want to revoke\n * the entire tree.\n *\n * @param ctx\n * @param refreshToken\n */\nexport async function invalidateRefreshTokensInSubtree(\n  ctx: MutationCtx,\n  refreshToken: Doc<\"token\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const tokensToInvalidate = [refreshToken];\n  let frontier: GenericId<\"token\">[] = [refreshToken._id];\n  while (frontier.length > 0) {\n    const nextFrontier: GenericId<\"token\">[] = [];\n    for (const currentTokenId of frontier) {\n      const children = (await db.refreshTokens.getChildren(\n        refreshToken.sessionId,\n        currentTokenId,\n      )) as Doc<\"token\">[];\n      tokensToInvalidate.push(...children);\n      nextFrontier.push(...children.map((child) => child._id));\n    }\n    frontier = nextFrontier;\n  }\n  for (const token of tokensToInvalidate) {\n    // Mark these as used so they can't be used again (even within the reuse window)\n    if (\n      token.firstUsedTime === undefined ||\n      token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS\n    ) {\n      await db.refreshTokens.patch(token._id, {\n        firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,\n      });\n    }\n  }\n  return tokensToInvalidate;\n}\n\nexport async function deleteAllRefreshTokens(\n  ctx: MutationCtx,\n  sessionId: GenericId<\"session\">,\n  config: ConvexAuthConfig,\n) {\n  await authDb(ctx, config).refreshTokens.deleteAll(sessionId);\n}\n\nexport async function refreshTokenIfValid(\n  ctx: MutationCtx,\n  refreshTokenId: string,\n  tokenSessionId: string,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  let refreshTokenDoc: Doc<\"token\"> | null;\n  try {\n    refreshTokenDoc = (await db.refreshTokens.getById(\n      refreshTokenId as GenericId<\"token\">,\n    )) as Doc<\"token\"> | null;\n  } catch {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid refresh token format\");\n    return null;\n  }\n\n  if (refreshTokenDoc === null) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid refresh token\");\n    return null;\n  }\n  if (refreshTokenDoc.expirationTime < Date.now()) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Expired refresh token\");\n    return null;\n  }\n  if (refreshTokenDoc.sessionId !== tokenSessionId) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid refresh token session ID\");\n    return null;\n  }\n  let session: Doc<\"session\"> | null;\n  try {\n    session = (await db.sessions.getById(refreshTokenDoc.sessionId)) as\n      | Doc<\"session\">\n      | null;\n  } catch {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid refresh token session format\");\n    return null;\n  }\n  if (session === null) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Invalid refresh token session\");\n    return null;\n  }\n  if (session.expirationTime < Date.now()) {\n    logWithLevel(LOG_LEVELS.ERROR, \"Expired refresh token session\");\n    return null;\n  }\n  return { session, refreshTokenDoc };\n}\n/**\n * The active refresh token is the most recently created refresh token that has\n * never been used.\n *\n * @param ctx\n * @param sessionId\n */\nexport async function loadActiveRefreshToken(\n  ctx: MutationCtx,\n  sessionId: GenericId<\"session\">,\n  config: ConvexAuthConfig,\n) {\n  return (await authDb(ctx, config).refreshTokens.getActive(sessionId)) as\n    | Doc<\"token\">\n    | null;\n}\n"],"mappings":";;;;;AAaA,MAAM,uCAAuC,MAAO,KAAK,KAAK,KAAK;AACnE,MAAa,gCAAgC,KAAK;AAClD,eAAsB,mBACpB,KACA,QACA,WACA,sBAC6B;CAC7B,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,iBACJ,KAAK,KAAK,IACT,OAAO,SAAS,sBACf,eAAe,QAAQ,IAAI,kCAAkC,IAC7D;AAMJ,QAL2B,MAAM,GAAG,cAAc,OAAO;EACvD;EACA;EACA,sBAAsB,wBAAwB;EAC/C,CAAC;;AAIJ,MAAa,sBACX,gBACA,cACG;AACH,QAAO,GAAG,iBAAiB,wBAAwB;;AAGrD,MAAa,qBACX,iBAIG;CACH,MAAM,CAAC,gBAAgB,aAAa,aAAa,MAAM,sBAAsB;AAC7E,KAAI,CAAC,kBAAkB,CAAC,UACtB,gBAAe,yBAAyB,8BAA8B,YAAY,aAAa,GAAG;AAEpG,QAAO;EACW;EACL;EACZ;;;;;;;;;;AAWH,eAAsB,iCACpB,KACA,cACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,qBAAqB,CAAC,aAAa;CACzC,IAAI,WAAiC,CAAC,aAAa,IAAI;AACvD,QAAO,SAAS,SAAS,GAAG;EAC1B,MAAM,eAAqC,EAAE;AAC7C,OAAK,MAAM,kBAAkB,UAAU;GACrC,MAAM,WAAY,MAAM,GAAG,cAAc,YACvC,aAAa,WACb,eACD;AACD,sBAAmB,KAAK,GAAG,SAAS;AACpC,gBAAa,KAAK,GAAG,SAAS,KAAK,UAAU,MAAM,IAAI,CAAC;;AAE1D,aAAW;;AAEb,MAAK,MAAM,SAAS,mBAElB,KACE,MAAM,kBAAkB,UACxB,MAAM,gBAAgB,KAAK,KAAK,GAAG,8BAEnC,OAAM,GAAG,cAAc,MAAM,MAAM,KAAK,EACtC,eAAe,KAAK,KAAK,GAAG,+BAC7B,CAAC;AAGN,QAAO;;AAGT,eAAsB,uBACpB,KACA,WACA,QACA;AACA,OAAM,OAAO,KAAK,OAAO,CAAC,cAAc,UAAU,UAAU;;AAG9D,eAAsB,oBACpB,KACA,gBACA,gBACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,IAAI;AACJ,KAAI;AACF,oBAAmB,MAAM,GAAG,cAAc,QACxC,eACD;SACK;AACN,eAAa,WAAW,OAAO,+BAA+B;AAC9D,SAAO;;AAGT,KAAI,oBAAoB,MAAM;AAC5B,eAAa,WAAW,OAAO,wBAAwB;AACvD,SAAO;;AAET,KAAI,gBAAgB,iBAAiB,KAAK,KAAK,EAAE;AAC/C,eAAa,WAAW,OAAO,wBAAwB;AACvD,SAAO;;AAET,KAAI,gBAAgB,cAAc,gBAAgB;AAChD,eAAa,WAAW,OAAO,mCAAmC;AAClE,SAAO;;CAET,IAAI;AACJ,KAAI;AACF,YAAW,MAAM,GAAG,SAAS,QAAQ,gBAAgB,UAAU;SAGzD;AACN,eAAa,WAAW,OAAO,uCAAuC;AACtE,SAAO;;AAET,KAAI,YAAY,MAAM;AACpB,eAAa,WAAW,OAAO,gCAAgC;AAC/D,SAAO;;AAET,KAAI,QAAQ,iBAAiB,KAAK,KAAK,EAAE;AACvC,eAAa,WAAW,OAAO,gCAAgC;AAC/D,SAAO;;AAET,QAAO;EAAE;EAAS;EAAiB;;;;;;;;;AASrC,eAAsB,uBACpB,KACA,WACA,QACA;AACA,QAAQ,MAAM,OAAO,KAAK,OAAO,CAAC,cAAc,UAAU,UAAU"}

package/dist/server/implementation/sessions.d.ts

@@ -1,29 +0,0 @@
-import { Doc, MutationCtx, SessionInfo } from "./types.js";
-import { ConvexAuthConfig } from "../types.js";
-import { Auth } from "convex/server";
-import { GenericId } from "convex/values";
-
-//#region src/server/implementation/sessions.d.ts
-declare function maybeGenerateTokensForSession(ctx: MutationCtx, config: ConvexAuthConfig, userId: GenericId<"user">, sessionId: GenericId<"session">, generateTokens: boolean): Promise<SessionInfo>;
-declare function createNewAndDeleteExistingSession(ctx: MutationCtx, config: ConvexAuthConfig, userId: GenericId<"user">): Promise<GenericId<"session">>;
-declare function generateTokensForSession(ctx: MutationCtx, config: ConvexAuthConfig, args: {
-  userId: GenericId<"user">;
-  sessionId: GenericId<"session">;
-  issuedRefreshTokenId: GenericId<"token"> | null;
-  parentRefreshTokenId: GenericId<"token"> | null;
-}): Promise<{
-  token: string;
-  refreshToken: string;
-}>;
-declare function deleteSession(ctx: MutationCtx, session: Doc<"session">, config: ConvexAuthConfig): Promise<void>;
-/**
- * Return the current session ID from the auth identity subject.
- *
- * Internal helper used by auth runtime internals and `auth.session.current`.
- */
-declare function getAuthSessionId(ctx: {
-  auth: Auth;
-}): Promise<GenericId<"session"> | null>;
-//#endregion
-export { createNewAndDeleteExistingSession, deleteSession, generateTokensForSession, getAuthSessionId, maybeGenerateTokensForSession };
-//# sourceMappingURL=sessions.d.ts.map

package/dist/server/implementation/sessions.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"sessions.d.ts","names":[],"sources":["../../../src/server/implementation/sessions.ts"],"mappings":";;;;;;iBAqBsB,6BAAA,CACpB,GAAA,EAAK,WAAA,EACL,MAAA,EAAQ,gBAAA,EACR,MAAA,EAAQ,SAAA,UACR,SAAA,EAAW,SAAA,aACX,cAAA,YACC,OAAA,CAAQ,WAAA;AAAA,iBAeW,iCAAA,CACpB,GAAA,EAAK,WAAA,EACL,MAAA,EAAQ,gBAAA,EACR,MAAA,EAAQ,SAAA,WAAiB,OAAA,CAAA,SAAA;AAAA,iBAaL,wBAAA,CACpB,GAAA,EAAK,WAAA,EACL,MAAA,EAAQ,gBAAA,EACR,IAAA;EACE,MAAA,EAAQ,SAAA;EACR,SAAA,EAAW,SAAA;EACX,oBAAA,EAAsB,SAAA;EACtB,oBAAA,EAAsB,SAAA;AAAA,IACvB,OAAA;;;;iBAoCmB,aAAA,CACpB,GAAA,EAAK,WAAA,EACL,OAAA,EAAS,GAAA,aACT,MAAA,EAAQ,gBAAA,GAAgB,OAAA;;;;;;iBAWJ,gBAAA,CAAiB,GAAA;EAAO,IAAA,EAAM,IAAA;AAAA,IAAM,OAAA,CAAA,SAAA"}

package/dist/server/implementation/sessions.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"sessions.js","names":[],"sources":["../../../src/server/implementation/sessions.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport { ConvexAuthConfig } from \"../types\";\nimport { Doc, MutationCtx, SessionInfo } from \"./types\";\nimport { Auth } from \"convex/server\";\nimport {\n  LOG_LEVELS,\n  TOKEN_SUB_CLAIM_DIVIDER,\n  logWithLevel,\n  maybeRedact,\n  stringToNumber,\n} from \"./utils\";\nimport { generateToken } from \"./tokens\";\nimport {\n  createRefreshToken,\n  formatRefreshToken,\n  deleteAllRefreshTokens,\n} from \"./refresh\";\nimport { authDb } from \"./db\";\n\nconst DEFAULT_SESSION_TOTAL_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days\n\nexport async function maybeGenerateTokensForSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  userId: GenericId<\"user\">,\n  sessionId: GenericId<\"session\">,\n  generateTokens: boolean,\n): Promise<SessionInfo> {\n  return {\n    userId,\n    sessionId,\n    tokens: generateTokens\n      ? await generateTokensForSession(ctx, config, {\n          userId,\n          sessionId,\n          issuedRefreshTokenId: null,\n          parentRefreshTokenId: null,\n        })\n      : null,\n  };\n}\n\nexport async function createNewAndDeleteExistingSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  userId: GenericId<\"user\">,\n) {\n  const db = authDb(ctx, config);\n  const existingSessionId = await getAuthSessionId(ctx);\n  if (existingSessionId !== null) {\n    const existingSession = await db.sessions.getById(existingSessionId);\n    if (existingSession !== null) {\n      await deleteSession(ctx, existingSession, config);\n    }\n  }\n  return await createSession(ctx, userId, config);\n}\n\nexport async function generateTokensForSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  args: {\n    userId: GenericId<\"user\">;\n    sessionId: GenericId<\"session\">;\n    issuedRefreshTokenId: GenericId<\"token\"> | null;\n    parentRefreshTokenId: GenericId<\"token\"> | null;\n  },\n) {\n  const ids = { userId: args.userId, sessionId: args.sessionId };\n  const refreshTokenId =\n    args.issuedRefreshTokenId ??\n    (await createRefreshToken(\n      ctx,\n      config,\n      args.sessionId,\n      args.parentRefreshTokenId,\n    ));\n  const result = {\n    token: await generateToken(ids, config),\n    refreshToken: formatRefreshToken(refreshTokenId, args.sessionId),\n  };\n  logWithLevel(\n    LOG_LEVELS.DEBUG,\n    `Generated token ${maybeRedact(result.token)} and refresh token ${maybeRedact(refreshTokenId)} for session ${maybeRedact(args.sessionId)}`,\n  );\n  return result;\n}\n\nasync function createSession(\n  ctx: MutationCtx,\n  userId: GenericId<\"user\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const expirationTime =\n    Date.now() +\n    (config.session?.totalDurationMs ??\n      stringToNumber(process.env.AUTH_SESSION_TOTAL_DURATION_MS) ??\n      DEFAULT_SESSION_TOTAL_DURATION_MS);\n  return (await db.sessions.create(userId, expirationTime)) as GenericId<\"session\">;\n}\n\nexport async function deleteSession(\n  ctx: MutationCtx,\n  session: Doc<\"session\">,\n  config: ConvexAuthConfig,\n) {\n  await authDb(ctx, config).sessions.delete(session._id);\n  await deleteAllRefreshTokens(ctx, session._id, config);\n}\n\n/**\n * Return the current session ID from the auth identity subject.\n *\n * Internal helper used by auth runtime internals and `auth.session.current`.\n */\nexport async function getAuthSessionId(ctx: { auth: Auth }) {\n  const identity = await ctx.auth.getUserIdentity();\n  if (identity === null) {\n    return null;\n  }\n  const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n  return sessionId as GenericId<\"session\">;\n}\n"],"mappings":";;;;;;AAmBA,MAAM,oCAAoC,MAAO,KAAK,KAAK,KAAK;AAEhE,eAAsB,8BACpB,KACA,QACA,QACA,WACA,gBACsB;AACtB,QAAO;EACL;EACA;EACA,QAAQ,iBACJ,MAAM,yBAAyB,KAAK,QAAQ;GAC1C;GACA;GACA,sBAAsB;GACtB,sBAAsB;GACvB,CAAC,GACF;EACL;;AAGH,eAAsB,kCACpB,KACA,QACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,oBAAoB,MAAM,iBAAiB,IAAI;AACrD,KAAI,sBAAsB,MAAM;EAC9B,MAAM,kBAAkB,MAAM,GAAG,SAAS,QAAQ,kBAAkB;AACpE,MAAI,oBAAoB,KACtB,OAAM,cAAc,KAAK,iBAAiB,OAAO;;AAGrD,QAAO,MAAM,cAAc,KAAK,QAAQ,OAAO;;AAGjD,eAAsB,yBACpB,KACA,QACA,MAMA;CACA,MAAM,MAAM;EAAE,QAAQ,KAAK;EAAQ,WAAW,KAAK;EAAW;CAC9D,MAAM,iBACJ,KAAK,wBACJ,MAAM,mBACL,KACA,QACA,KAAK,WACL,KAAK,qBACN;CACH,MAAM,SAAS;EACb,OAAO,MAAM,cAAc,KAAK,OAAO;EACvC,cAAc,mBAAmB,gBAAgB,KAAK,UAAU;EACjE;AACD,cACE,WAAW,OACX,mBAAmB,YAAY,OAAO,MAAM,CAAC,qBAAqB,YAAY,eAAe,CAAC,eAAe,YAAY,KAAK,UAAU,GACzI;AACD,QAAO;;AAGT,eAAe,cACb,KACA,QACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,iBACJ,KAAK,KAAK,IACT,OAAO,SAAS,mBACf,eAAe,QAAQ,IAAI,+BAA+B,IAC1D;AACJ,QAAQ,MAAM,GAAG,SAAS,OAAO,QAAQ,eAAe;;AAG1D,eAAsB,cACpB,KACA,SACA,QACA;AACA,OAAM,OAAO,KAAK,OAAO,CAAC,SAAS,OAAO,QAAQ,IAAI;AACtD,OAAM,uBAAuB,KAAK,QAAQ,KAAK,OAAO;;;;;;;AAQxD,eAAsB,iBAAiB,KAAqB;CAC1D,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,KAAI,aAAa,KACf,QAAO;CAET,MAAM,GAAG,aAAa,SAAS,QAAQ,MAAM,wBAAwB;AACrE,QAAO"}

package/dist/server/implementation/signin.d.ts

@@ -1,55 +0,0 @@
-import { AuthDataModel, SessionInfo, Tokens } from "./types.js";
-import { AuthProviderMaterializedConfig, GenericActionCtxWithAuthConfig } from "../types.js";
-import { GenericId } from "convex/values";
-
-//#region src/server/implementation/signin.d.ts
-type EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;
-declare function signInImpl(ctx: EnrichedActionCtx, provider: AuthProviderMaterializedConfig | null, args: {
-  accountId?: GenericId<"account">;
-  params?: Record<string, any>;
-  verifier?: string;
-  refreshToken?: string;
-  calledBy?: string;
-}, options: {
-  generateTokens: boolean;
-  allowExtraProviders: boolean;
-}): Promise<{
-  kind: "signedIn";
-  signedIn: SessionInfo | null;
-} | {
-  kind: "refreshTokens";
-  signedIn: {
-    tokens: Tokens;
-  };
-} | {
-  kind: "started";
-  started: true;
-} | {
-  kind: "redirect";
-  redirect: string;
-  verifier: string;
-} | {
-  kind: "passkeyOptions";
-  options: Record<string, any>;
-  verifier: string;
-} | {
-  kind: "totpRequired";
-  verifier: string;
-} | {
-  kind: "totpSetup";
-  uri: string;
-  secret: string;
-  verifier: string;
-  totpId: string;
-} | {
-  kind: "deviceCode";
-  deviceCode: string;
-  userCode: string;
-  verificationUri: string;
-  verificationUriComplete: string;
-  expiresIn: number;
-  interval: number;
-}>;
-//#endregion
-export { signInImpl };
-//# sourceMappingURL=signin.d.ts.map

package/dist/server/implementation/signin.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"signin.d.ts","names":[],"sources":["../../../src/server/implementation/signin.ts"],"mappings":";;;;;KAiCK,iBAAA,GAAoB,8BAAA,CAA+B,aAAA;AAAA,iBAElC,UAAA,CACpB,GAAA,EAAK,iBAAA,EACL,QAAA,EAAU,8BAAA,SACV,IAAA;EACE,SAAA,GAAY,SAAA;EACZ,MAAA,GAAS,MAAA;EACT,QAAA;EACA,YAAA;EACA,QAAA;AAAA,GAEF,OAAA;EACE,cAAA;EACA,mBAAA;AAAA,IAED,OAAA;EACG,IAAA;EAAkB,QAAA,EAAU,WAAA;AAAA;EAE5B,IAAA;EAAuB,QAAA;IAAY,MAAA,EAAQ,MAAA;EAAA;AAAA;EAE3C,IAAA;EAAiB,OAAA;AAAA;EAEjB,IAAA;EAAkB,QAAA;EAAkB,QAAA;AAAA;EAEpC,IAAA;EAAwB,OAAA,EAAS,MAAA;EAAqB,QAAA;AAAA;EAEtD,IAAA;EAAsB,QAAA;AAAA;EAEtB,IAAA;EAAmB,GAAA;EAAa,MAAA;EAAgB,QAAA;EAAkB,MAAA;AAAA;EAGlE,IAAA;EACA,UAAA;EACA,QAAA;EACA,eAAA;EACA,uBAAA;EACA,SAAA;EACA,QAAA;AAAA"}

package/dist/server/implementation/signin.js

@@ -1,148 +0,0 @@
-import { throwAuthError } from "../errors.js";
-import { requireEnv } from "../utils.js";
-import { generateRandomString } from "./utils.js";
-import { callSignIn } from "./mutations/signin.js";
-import { callRefreshSession } from "./mutations/refresh.js";
-import { callVerifyCodeAndSignIn } from "./mutations/verify.js";
-import { callVerifierSignature } from "./mutations/signature.js";
-import { callCreateVerificationCode } from "./mutations/code.js";
-import { callVerifier } from "./mutations/verifier.js";
-import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
-import { handlePasskey } from "./passkey.js";
-import { checkTotpRequired, handleTotp } from "./totp.js";
-import { handleDevice } from "./device.js";
-
-//#region src/server/implementation/signin.ts
-const DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 3600 * 24;
-async function signInImpl(ctx, provider, args, options) {
-	if (provider === null && args.refreshToken) {
-		const tokens = await callRefreshSession(ctx, { refreshToken: args.refreshToken });
-		if (tokens === null) return {
-			kind: "signedIn",
-			signedIn: null
-		};
-		return {
-			kind: "refreshTokens",
-			signedIn: { tokens }
-		};
-	}
-	if (provider === null && args.params?.code !== void 0) return {
-		kind: "signedIn",
-		signedIn: await callVerifyCodeAndSignIn(ctx, {
-			params: args.params,
-			verifier: args.verifier,
-			generateTokens: true,
-			allowExtraProviders: options.allowExtraProviders
-		})
-	};
-	if (provider === null) throwAuthError("SIGN_IN_MISSING_PARAMS");
-	if (provider.type === "email" || provider.type === "phone") return handleEmailAndPhoneProvider(ctx, provider, args, options);
-	if (provider.type === "credentials") return handleCredentials(ctx, provider, args, options);
-	if (provider.type === "oauth") return handleOAuthProvider(ctx, provider, args, options);
-	if (provider.type === "passkey") return handlePasskey(ctx, provider, args);
-	if (provider.type === "totp") return handleTotp(ctx, provider, args);
-	if (provider.type === "device") return handleDevice(ctx, provider, args);
-	throwAuthError("UNSUPPORTED_PROVIDER_TYPE", `Provider type ${provider.type} is not supported yet`);
-}
-async function handleEmailAndPhoneProvider(ctx, provider, args, options) {
-	if (args.params?.code !== void 0) {
-		const result = await callVerifyCodeAndSignIn(ctx, {
-			params: args.params,
-			provider: provider.id,
-			generateTokens: options.generateTokens,
-			allowExtraProviders: options.allowExtraProviders
-		});
-		if (result === null) throwAuthError("INVALID_VERIFICATION_CODE");
-		return {
-			kind: "signedIn",
-			signedIn: result
-		};
-	}
-	const code = provider.generateVerificationToken ? await provider.generateVerificationToken() : generateRandomString(32, "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
-	const expirationTime = Date.now() + (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1e3;
-	const verificationArgs = {
-		identifier: await callCreateVerificationCode(ctx, {
-			provider: provider.id,
-			accountId: args.accountId,
-			email: args.params?.email,
-			phone: args.params?.phone,
-			code,
-			expirationTime,
-			allowExtraProviders: options.allowExtraProviders
-		}),
-		url: setURLSearchParam(await redirectAbsoluteUrl(ctx.auth.config, args.params ?? {}), "code", code),
-		token: code,
-		expires: new Date(expirationTime)
-	};
-	if (provider.type === "email") await provider.sendVerificationRequest({
-		...verificationArgs,
-		provider,
-		request: new Request("http://localhost")
-	}, ctx);
-	else if (provider.type === "phone") await provider.sendVerificationRequest({
-		...verificationArgs,
-		provider
-	}, ctx);
-	return {
-		kind: "started",
-		started: true
-	};
-}
-async function handleCredentials(ctx, provider, args, options) {
-	const result = await provider.authorize(args.params ?? {}, ctx);
-	if (result === null) return {
-		kind: "signedIn",
-		signedIn: null
-	};
-	if (await checkTotpRequired(ctx, result.userId)) {
-		await callSignIn(ctx, {
-			userId: result.userId,
-			sessionId: result.sessionId,
-			generateTokens: false
-		});
-		const verifier = await callVerifier(ctx);
-		await callVerifierSignature(ctx, {
-			verifier,
-			signature: JSON.stringify({ userId: result.userId })
-		});
-		return {
-			kind: "totpRequired",
-			verifier
-		};
-	}
-	return {
-		kind: "signedIn",
-		signedIn: await callSignIn(ctx, {
-			userId: result.userId,
-			sessionId: result.sessionId,
-			generateTokens: options.generateTokens
-		})
-	};
-}
-async function handleOAuthProvider(ctx, provider, args, options) {
-	if (args.params?.code !== void 0) return {
-		kind: "signedIn",
-		signedIn: await callVerifyCodeAndSignIn(ctx, {
-			params: args.params,
-			verifier: args.verifier,
-			generateTokens: true,
-			allowExtraProviders: options.allowExtraProviders
-		})
-	};
-	const redirect = new URL((process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv("CONVEX_SITE_URL")) + `/api/auth/signin/${provider.id}`);
-	const verifier = await callVerifier(ctx);
-	redirect.searchParams.set("code", verifier);
-	if (args.params?.redirectTo !== void 0) {
-		if (typeof args.params.redirectTo !== "string") throwAuthError("INVALID_REDIRECT", `Expected \`redirectTo\` to be a string, got ${args.params.redirectTo}`);
-		redirect.searchParams.set("redirectTo", args.params.redirectTo);
-	}
-	return {
-		kind: "redirect",
-		redirect: redirect.toString(),
-		verifier
-	};
-}
-
-//#endregion
-export { signInImpl };
-//# sourceMappingURL=signin.js.map

package/dist/server/implementation/signin.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"signin.js","names":[],"sources":["../../../src/server/implementation/signin.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport {\n  AuthProviderMaterializedConfig,\n  ConvexCredentialsConfig,\n  EmailConfig,\n  GenericActionCtxWithAuthConfig,\n  PhoneConfig,\n} from \"../types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  SessionInfoWithTokens,\n  Tokens,\n} from \"./types\";\nimport {\n  callCreateVerificationCode,\n  callRefreshSession,\n  callSignIn,\n  callVerifier,\n  callVerifierSignature,\n  callVerifyCodeAndSignIn,\n} from \"./mutations/index\";\nimport { redirectAbsoluteUrl, setURLSearchParam } from \"./redirects\";\nimport { requireEnv } from \"../utils\";\nimport type { OAuthMaterializedConfig } from \"../types\";\nimport { generateRandomString } from \"./utils\";\nimport { handlePasskey } from \"./passkey\";\nimport { handleTotp, checkTotpRequired } from \"./totp\";\nimport { handleDevice } from \"./device\";\nimport { throwAuthError } from \"../errors\";\n\nconst DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 60 * 60 * 24; // 24 hours\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\nexport async function signInImpl(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): Promise<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  // refresh tokens\n  | { kind: \"refreshTokens\"; signedIn: { tokens: Tokens } }\n  // Multi-step flows like magic link + OTP\n  | { kind: \"started\"; started: true }\n  // OAuth flows\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n  // Passkey options (challenge + credential options)\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n  // TOTP 2FA required after credentials sign-in\n  | { kind: \"totpRequired\"; verifier: string }\n  // TOTP setup response (enrollment)\n  | { kind: \"totpSetup\"; uri: string; secret: string; verifier: string; totpId: string }\n  // Device authorization (RFC 8628) — codes for the device to display\n  | {\n      kind: \"deviceCode\";\n      deviceCode: string;\n      userCode: string;\n      verificationUri: string;\n      verificationUriComplete: string;\n      expiresIn: number;\n      interval: number;\n    }\n> {\n  if (provider === null && args.refreshToken) {\n    const tokens = await callRefreshSession(ctx, {\n      refreshToken: args.refreshToken,\n    });\n    if (tokens === null) {\n      return { kind: \"signedIn\", signedIn: null };\n    }\n    return { kind: \"refreshTokens\", signedIn: { tokens } };\n  }\n  if (provider === null && args.params?.code !== undefined) {\n    const result = await callVerifyCodeAndSignIn(ctx, {\n      params: args.params,\n      verifier: args.verifier,\n      generateTokens: true,\n      allowExtraProviders: options.allowExtraProviders,\n    });\n    return {\n      kind: \"signedIn\",\n      signedIn: result,\n    };\n  }\n\n  if (provider === null) {\n    throwAuthError(\"SIGN_IN_MISSING_PARAMS\");\n  }\n  if (provider.type === \"email\" || provider.type === \"phone\") {\n    return handleEmailAndPhoneProvider(ctx, provider, args, options);\n  }\n  if (provider.type === \"credentials\") {\n    return handleCredentials(ctx, provider, args, options);\n  }\n  if (provider.type === \"oauth\") {\n    return handleOAuthProvider(ctx, provider, args, options);\n  }\n  if (provider.type === \"passkey\") {\n    return handlePasskey(ctx, provider, args);\n  }\n  if (provider.type === \"totp\") {\n    return handleTotp(ctx, provider, args);\n  }\n  if (provider.type === \"device\") {\n    return handleDevice(ctx, provider, args);\n  }\n  const _typecheck: never = provider;\n  throwAuthError(\n    \"UNSUPPORTED_PROVIDER_TYPE\",\n    `Provider type ${(provider as any).type} is not supported yet`,\n  );\n}\n\nasync function handleEmailAndPhoneProvider(\n  ctx: EnrichedActionCtx,\n  provider: EmailConfig | PhoneConfig,\n  args: {\n    params?: Record<string, any>;\n    accountId?: GenericId<\"account\">;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): Promise<\n  | { kind: \"started\"; started: true }\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens }\n> {\n  if (args.params?.code !== undefined) {\n    const result = await callVerifyCodeAndSignIn(ctx, {\n      params: args.params,\n      provider: provider.id,\n      generateTokens: options.generateTokens,\n      allowExtraProviders: options.allowExtraProviders,\n    });\n    if (result === null) {\n      throwAuthError(\"INVALID_VERIFICATION_CODE\");\n    }\n    return {\n      kind: \"signedIn\",\n      signedIn: result as SessionInfoWithTokens,\n    };\n  }\n\n  const alphabet =\n    \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\";\n  const code = provider.generateVerificationToken\n    ? await provider.generateVerificationToken()\n    : generateRandomString(32, alphabet);\n  const expirationTime =\n    Date.now() +\n    (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1000;\n\n  const identifier = await callCreateVerificationCode(ctx, {\n    provider: provider.id,\n    accountId: args.accountId,\n    email: args.params?.email,\n    phone: args.params?.phone,\n    code,\n    expirationTime,\n    allowExtraProviders: options.allowExtraProviders,\n  });\n  const destination = await redirectAbsoluteUrl(\n    ctx.auth.config,\n    (args.params ?? {}) as { redirectTo: unknown },\n  );\n  const verificationArgs = {\n    identifier,\n    url: setURLSearchParam(destination, \"code\", code),\n    token: code,\n    expires: new Date(expirationTime),\n  };\n  if (provider.type === \"email\") {\n    await provider.sendVerificationRequest(\n      {\n        ...verificationArgs,\n        provider,\n        request: new Request(\"http://localhost\"),\n      },\n      ctx,\n    );\n  } else if (provider.type === \"phone\") {\n    await provider.sendVerificationRequest(\n      { ...verificationArgs, provider },\n      ctx,\n    );\n  }\n  return { kind: \"started\", started: true };\n}\n\nasync function handleCredentials(\n  ctx: EnrichedActionCtx,\n  provider: ConvexCredentialsConfig,\n  args: {\n    params?: Record<string, any>;\n  },\n  options: {\n    generateTokens: boolean;\n  },\n): Promise<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"totpRequired\"; verifier: string }\n> {\n  const result = await provider.authorize(args.params ?? {}, ctx);\n  if (result === null) {\n    return { kind: \"signedIn\", signedIn: null };\n  }\n  // Check if user has TOTP 2FA enrolled before issuing tokens\n  const hasTotpEnrolled = await checkTotpRequired(ctx, result.userId);\n  if (hasTotpEnrolled) {\n    // Create session but withhold tokens — TOTP verification needed\n    await callSignIn(ctx, {\n      userId: result.userId,\n      sessionId: result.sessionId,\n      generateTokens: false,\n    });\n    // Store userId in verifier so the TOTP verify flow can complete sign-in\n    const verifier = await callVerifier(ctx);\n    await callVerifierSignature(ctx, {\n      verifier,\n      signature: JSON.stringify({ userId: result.userId }),\n    });\n    return { kind: \"totpRequired\", verifier };\n  }\n\n  const idsAndTokens = await callSignIn(ctx, {\n    userId: result.userId,\n    sessionId: result.sessionId,\n    generateTokens: options.generateTokens,\n  });\n  return {\n    kind: \"signedIn\",\n    signedIn: idsAndTokens,\n  };\n}\n\nasync function handleOAuthProvider(\n  ctx: EnrichedActionCtx,\n  provider: OAuthMaterializedConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n  options: {\n    allowExtraProviders: boolean;\n  },\n): Promise<\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens | null }\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n> {\n  // We have this action because:\n  // 1. We remember the current sessionId if any, so we can link accounts\n  // 2. The client doesn't need to know the HTTP Actions URL\n  //    of the backend (this simplifies using local backend)\n  // 3. The client doesn't need to know which provider is of which type,\n  //    and hence which provider requires client-side redirect\n  // 4. On mobile the client can complete the flow manually\n  if (args.params?.code !== undefined) {\n    const result = await callVerifyCodeAndSignIn(ctx, {\n      params: args.params,\n      verifier: args.verifier,\n      generateTokens: true,\n      allowExtraProviders: options.allowExtraProviders,\n    });\n    return {\n      kind: \"signedIn\",\n      signedIn: result as SessionInfoWithTokens | null,\n    };\n  }\n  const redirect = new URL(\n    (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\")) + `/api/auth/signin/${provider.id}`,\n  );\n  const verifier = await callVerifier(ctx);\n  redirect.searchParams.set(\"code\", verifier);\n  if (args.params?.redirectTo !== undefined) {\n    if (typeof args.params.redirectTo !== \"string\") {\n      throwAuthError(\n        \"INVALID_REDIRECT\",\n        `Expected \\`redirectTo\\` to be a string, got ${args.params.redirectTo}`,\n      );\n    }\n    redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n  }\n  return { kind: \"redirect\", redirect: redirect.toString(), verifier };\n}\n"],"mappings":";;;;;;;;;;;;;;;AA+BA,MAAM,6CAA6C,OAAU;AAI7D,eAAsB,WACpB,KACA,UACA,MAOA,SA4BA;AACA,KAAI,aAAa,QAAQ,KAAK,cAAc;EAC1C,MAAM,SAAS,MAAM,mBAAmB,KAAK,EAC3C,cAAc,KAAK,cACpB,CAAC;AACF,MAAI,WAAW,KACb,QAAO;GAAE,MAAM;GAAY,UAAU;GAAM;AAE7C,SAAO;GAAE,MAAM;GAAiB,UAAU,EAAE,QAAQ;GAAE;;AAExD,KAAI,aAAa,QAAQ,KAAK,QAAQ,SAAS,OAO7C,QAAO;EACL,MAAM;EACN,UARa,MAAM,wBAAwB,KAAK;GAChD,QAAQ,KAAK;GACb,UAAU,KAAK;GACf,gBAAgB;GAChB,qBAAqB,QAAQ;GAC9B,CAAC;EAID;AAGH,KAAI,aAAa,KACf,gBAAe,yBAAyB;AAE1C,KAAI,SAAS,SAAS,WAAW,SAAS,SAAS,QACjD,QAAO,4BAA4B,KAAK,UAAU,MAAM,QAAQ;AAElE,KAAI,SAAS,SAAS,cACpB,QAAO,kBAAkB,KAAK,UAAU,MAAM,QAAQ;AAExD,KAAI,SAAS,SAAS,QACpB,QAAO,oBAAoB,KAAK,UAAU,MAAM,QAAQ;AAE1D,KAAI,SAAS,SAAS,UACpB,QAAO,cAAc,KAAK,UAAU,KAAK;AAE3C,KAAI,SAAS,SAAS,OACpB,QAAO,WAAW,KAAK,UAAU,KAAK;AAExC,KAAI,SAAS,SAAS,SACpB,QAAO,aAAa,KAAK,UAAU,KAAK;AAG1C,gBACE,6BACA,iBAAkB,SAAiB,KAAK,uBACzC;;AAGH,eAAe,4BACb,KACA,UACA,MAIA,SAOA;AACA,KAAI,KAAK,QAAQ,SAAS,QAAW;EACnC,MAAM,SAAS,MAAM,wBAAwB,KAAK;GAChD,QAAQ,KAAK;GACb,UAAU,SAAS;GACnB,gBAAgB,QAAQ;GACxB,qBAAqB,QAAQ;GAC9B,CAAC;AACF,MAAI,WAAW,KACb,gBAAe,4BAA4B;AAE7C,SAAO;GACL,MAAM;GACN,UAAU;GACX;;CAKH,MAAM,OAAO,SAAS,4BAClB,MAAM,SAAS,2BAA2B,GAC1C,qBAAqB,IAHvB,iEAGoC;CACtC,MAAM,iBACJ,KAAK,KAAK,IACT,SAAS,UAAU,8CAA8C;CAepE,MAAM,mBAAmB;EACvB,YAdiB,MAAM,2BAA2B,KAAK;GACvD,UAAU,SAAS;GACnB,WAAW,KAAK;GAChB,OAAO,KAAK,QAAQ;GACpB,OAAO,KAAK,QAAQ;GACpB;GACA;GACA,qBAAqB,QAAQ;GAC9B,CAAC;EAOA,KAAK,kBANa,MAAM,oBACxB,IAAI,KAAK,QACR,KAAK,UAAU,EAAE,CACnB,EAGqC,QAAQ,KAAK;EACjD,OAAO;EACP,SAAS,IAAI,KAAK,eAAe;EAClC;AACD,KAAI,SAAS,SAAS,QACpB,OAAM,SAAS,wBACb;EACE,GAAG;EACH;EACA,SAAS,IAAI,QAAQ,mBAAmB;EACzC,EACD,IACD;UACQ,SAAS,SAAS,QAC3B,OAAM,SAAS,wBACb;EAAE,GAAG;EAAkB;EAAU,EACjC,IACD;AAEH,QAAO;EAAE,MAAM;EAAW,SAAS;EAAM;;AAG3C,eAAe,kBACb,KACA,UACA,MAGA,SAMA;CACA,MAAM,SAAS,MAAM,SAAS,UAAU,KAAK,UAAU,EAAE,EAAE,IAAI;AAC/D,KAAI,WAAW,KACb,QAAO;EAAE,MAAM;EAAY,UAAU;EAAM;AAI7C,KADwB,MAAM,kBAAkB,KAAK,OAAO,OAAO,EAC9C;AAEnB,QAAM,WAAW,KAAK;GACpB,QAAQ,OAAO;GACf,WAAW,OAAO;GAClB,gBAAgB;GACjB,CAAC;EAEF,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,QAAM,sBAAsB,KAAK;GAC/B;GACA,WAAW,KAAK,UAAU,EAAE,QAAQ,OAAO,QAAQ,CAAC;GACrD,CAAC;AACF,SAAO;GAAE,MAAM;GAAgB;GAAU;;AAQ3C,QAAO;EACL,MAAM;EACN,UAPmB,MAAM,WAAW,KAAK;GACzC,QAAQ,OAAO;GACf,WAAW,OAAO;GAClB,gBAAgB,QAAQ;GACzB,CAAC;EAID;;AAGH,eAAe,oBACb,KACA,UACA,MAIA,SAMA;AAQA,KAAI,KAAK,QAAQ,SAAS,OAOxB,QAAO;EACL,MAAM;EACN,UARa,MAAM,wBAAwB,KAAK;GAChD,QAAQ,KAAK;GACb,UAAU,KAAK;GACf,gBAAgB;GAChB,qBAAqB,QAAQ;GAC9B,CAAC;EAID;CAEH,MAAM,WAAW,IAAI,KAClB,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB,IAAI,oBAAoB,SAAS,KACpG;CACD,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,UAAS,aAAa,IAAI,QAAQ,SAAS;AAC3C,KAAI,KAAK,QAAQ,eAAe,QAAW;AACzC,MAAI,OAAO,KAAK,OAAO,eAAe,SACpC,gBACE,oBACA,+CAA+C,KAAK,OAAO,aAC5D;AAEH,WAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;;AAEjE,QAAO;EAAE,MAAM;EAAY,UAAU,SAAS,UAAU;EAAE;EAAU"}

package/dist/server/implementation/tokens.d.ts

@@ -1,11 +0,0 @@
-import { ConvexAuthConfig } from "../types.js";
-import { GenericId } from "convex/values";
-
-//#region src/server/implementation/tokens.d.ts
-declare function generateToken(args: {
-  userId: GenericId<"user">;
-  sessionId: GenericId<"session">;
-}, config: ConvexAuthConfig): Promise<string>;
-//#endregion
-export { generateToken };
-//# sourceMappingURL=tokens.d.ts.map

package/dist/server/implementation/tokens.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"tokens.d.ts","names":[],"sources":["../../../src/server/implementation/tokens.ts"],"mappings":";;;;iBAQsB,aAAA,CACpB,IAAA;EACE,MAAA,EAAQ,SAAA;EACR,SAAA,EAAW,SAAA;AAAA,GAEb,MAAA,EAAQ,gBAAA,GAAgB,OAAA"}

package/dist/server/implementation/tokens.js

@@ -1,15 +0,0 @@
-import { requireEnv } from "../utils.js";
-import { TOKEN_SUB_CLAIM_DIVIDER } from "./utils.js";
-import { SignJWT, importPKCS8 } from "jose";
-
-//#region src/server/implementation/tokens.ts
-const DEFAULT_JWT_DURATION_MS = 1e3 * 60 * 60;
-async function generateToken(args, config) {
-	const privateKey = await importPKCS8(requireEnv("JWT_PRIVATE_KEY"), "RS256");
-	const expirationTime = new Date(Date.now() + (config.jwt?.durationMs ?? DEFAULT_JWT_DURATION_MS));
-	return await new SignJWT({ sub: args.userId + TOKEN_SUB_CLAIM_DIVIDER + args.sessionId }).setProtectedHeader({ alg: "RS256" }).setIssuedAt().setIssuer(requireEnv("CONVEX_SITE_URL")).setAudience("convex").setExpirationTime(expirationTime).sign(privateKey);
-}
-
-//#endregion
-export { generateToken };
-//# sourceMappingURL=tokens.js.map

package/dist/server/implementation/tokens.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"tokens.js","names":[],"sources":["../../../src/server/implementation/tokens.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport { ConvexAuthConfig } from \"../types\";\nimport { SignJWT, importPKCS8 } from \"jose\";\nimport { requireEnv } from \"../utils\";\nimport { TOKEN_SUB_CLAIM_DIVIDER } from \"./utils\";\n\nconst DEFAULT_JWT_DURATION_MS = 1000 * 60 * 60; // 1 hour\n\nexport async function generateToken(\n  args: {\n    userId: GenericId<\"user\">;\n    sessionId: GenericId<\"session\">;\n  },\n  config: ConvexAuthConfig,\n) {\n  const privateKey = await importPKCS8(requireEnv(\"JWT_PRIVATE_KEY\"), \"RS256\");\n  const expirationTime = new Date(\n    Date.now() + (config.jwt?.durationMs ?? DEFAULT_JWT_DURATION_MS),\n  );\n  return await new SignJWT({\n    sub: args.userId + TOKEN_SUB_CLAIM_DIVIDER + args.sessionId,\n  })\n    .setProtectedHeader({ alg: \"RS256\" })\n    .setIssuedAt()\n    .setIssuer(requireEnv(\"CONVEX_SITE_URL\"))\n    .setAudience(\"convex\")\n    .setExpirationTime(expirationTime)\n    .sign(privateKey);\n}\n"],"mappings":";;;;;AAMA,MAAM,0BAA0B,MAAO,KAAK;AAE5C,eAAsB,cACpB,MAIA,QACA;CACA,MAAM,aAAa,MAAM,YAAY,WAAW,kBAAkB,EAAE,QAAQ;CAC5E,MAAM,iBAAiB,IAAI,KACzB,KAAK,KAAK,IAAI,OAAO,KAAK,cAAc,yBACzC;AACD,QAAO,MAAM,IAAI,QAAQ,EACvB,KAAK,KAAK,SAAS,0BAA0B,KAAK,WACnD,CAAC,CACC,mBAAmB,EAAE,KAAK,SAAS,CAAC,CACpC,aAAa,CACb,UAAU,WAAW,kBAAkB,CAAC,CACxC,YAAY,SAAS,CACrB,kBAAkB,eAAe,CACjC,KAAK,WAAW"}

package/dist/server/implementation/totp.d.ts

@@ -1,31 +0,0 @@
-import { AuthDataModel, SessionInfo } from "./types.js";
-import { GenericActionCtxWithAuthConfig, TotpProviderConfig } from "../types.js";
-
-//#region src/server/implementation/totp.d.ts
-type EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;
-/**
- * Main TOTP handler dispatched from signIn.ts.
- *
- * Routes to the appropriate phase based on `params.flow`.
- */
-declare function handleTotp(ctx: EnrichedActionCtx, provider: TotpProviderConfig, args: {
-  params?: Record<string, any>;
-  verifier?: string;
-}): Promise<{
-  kind: "signedIn";
-  signedIn: SessionInfo | null;
-} | {
-  kind: "totpSetup";
-  uri: string;
-  secret: string;
-  verifier: string;
-  totpId: string;
-}>;
-/**
- * Check if a user has a verified TOTP enrollment.
- * Called after credentials sign-in to determine if 2FA is needed.
- */
-declare function checkTotpRequired(ctx: EnrichedActionCtx, userId: string): Promise<boolean>;
-//#endregion
-export { checkTotpRequired, handleTotp };
-//# sourceMappingURL=totp.d.ts.map

package/dist/server/implementation/totp.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"totp.d.ts","names":[],"sources":["../../../src/server/implementation/totp.ts"],"mappings":";;;;KAsCK,iBAAA,GAAoB,8BAAA,CAA+B,aAAA;;;;;;iBA+OlC,UAAA,CACpB,GAAA,EAAK,iBAAA,EACL,QAAA,EAAU,kBAAA,EACV,IAAA;EACE,MAAA,GAAS,MAAA;EACT,QAAA;AAAA,IAED,OAAA;EACG,IAAA;EAAkB,QAAA,EAAU,WAAA;AAAA;EAE5B,IAAA;EACA,GAAA;EACA,MAAA;EACA,QAAA;EACA,MAAA;AAAA;;;;;iBA4CgB,iBAAA,CACpB,GAAA,EAAK,iBAAA,EACL,MAAA,WACC,OAAA"}