@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/server/implementation/totp.js

@@ -1,142 +0,0 @@
-import { throwAuthError } from "../errors.js";
-import { callSignIn } from "./mutations/signin.js";
-import { callVerifierSignature } from "./mutations/signature.js";
-import { callVerifier } from "./mutations/verifier.js";
-import { mutateTotpInsert, mutateTotpMarkVerified, mutateTotpUpdateLastUsed, mutateVerifierDelete, queryTotpById, queryTotpVerifiedByUserId, queryUserById, queryVerifierById } from "./types.js";
-import { encodeBase32LowerCaseNoPadding } from "@oslojs/encoding";
-import { createTOTPKeyURI, verifyTOTPWithGracePeriod } from "@oslojs/otp";
-
-//#region src/server/implementation/totp.ts
-/**
-* Server-side TOTP ceremony logic for two-factor authentication.
-*
-* Handles the three phases of the TOTP flow:
-* 1. setup   — generate a TOTP secret and `otpauth://` URI for enrollment
-* 2. confirm — verify the first code from the authenticator app and mark
-*              the enrollment as verified
-* 3. verify  — verify a TOTP code during sign-in (2FA challenge)
-*
-* Uses `@oslojs/otp` for TOTP generation / verification and
-* `@oslojs/encoding` for base-32 secret encoding.
-*/
-/**
-* Phase 1: Generate a TOTP secret and enrollment URI.
-*
-* Requires an authenticated user — TOTP enrollment always adds a second
-* factor to an existing account.  The userId is taken from the current
-* session identity.
-*/
-async function handleSetup(ctx, provider, params) {
-	const identity = await ctx.auth.getUserIdentity();
-	if (identity === null) throwAuthError("TOTP_AUTH_REQUIRED");
-	const [userId] = identity.subject.split("|");
-	const secret = new Uint8Array(20);
-	crypto.getRandomValues(secret);
-	let accountName = params.accountName;
-	if (!accountName) accountName = (await queryUserById(ctx, userId))?.email ?? "user";
-	const uri = createTOTPKeyURI(provider.options.issuer, accountName, secret, provider.options.period, provider.options.digits);
-	const base32Secret = encodeBase32LowerCaseNoPadding(secret);
-	const verifier = await callVerifier(ctx);
-	await callVerifierSignature(ctx, {
-		verifier,
-		signature: JSON.stringify({
-			secret: Array.from(secret),
-			userId,
-			digits: provider.options.digits,
-			period: provider.options.period
-		})
-	});
-	return {
-		kind: "totpSetup",
-		uri,
-		secret: base32Secret,
-		verifier,
-		totpId: await mutateTotpInsert(ctx, {
-			userId,
-			secret: secret.buffer.slice(secret.byteOffset, secret.byteOffset + secret.byteLength),
-			digits: provider.options.digits,
-			period: provider.options.period,
-			verified: false,
-			name: params.name,
-			createdAt: Date.now()
-		})
-	};
-}
-/**
-* Phase 2: Verify the first code from the authenticator app.
-*
-* Requires an authenticated user.  Marks the TOTP enrollment as verified
-* after confirming the code is correct.
-*/
-async function handleConfirm(ctx, provider, params, verifierValue) {
-	const identity = await ctx.auth.getUserIdentity();
-	if (identity === null) throwAuthError("TOTP_AUTH_REQUIRED");
-	const [userId] = identity.subject.split("|");
-	if (!verifierValue) throwAuthError("TOTP_MISSING_VERIFIER");
-	if (!params.code) throwAuthError("TOTP_MISSING_CODE");
-	if (!params.totpId) throwAuthError("TOTP_MISSING_ID");
-	const totpDoc = await queryTotpById(ctx, params.totpId);
-	if (!totpDoc) throwAuthError("TOTP_NOT_FOUND");
-	if (totpDoc.verified) throwAuthError("TOTP_ALREADY_VERIFIED");
-	if (!verifyTOTPWithGracePeriod(new Uint8Array(totpDoc.secret), provider.options.period, provider.options.digits, params.code, 30)) throwAuthError("TOTP_INVALID_CODE");
-	await mutateTotpMarkVerified(ctx, params.totpId, Date.now());
-	await mutateVerifierDelete(ctx, verifierValue);
-	return {
-		kind: "signedIn",
-		signedIn: await callSignIn(ctx, {
-			userId,
-			generateTokens: true
-		})
-	};
-}
-/**
-* Phase 3: Verify a TOTP code during sign-in.
-*
-* Does NOT require an authenticated user — this runs mid-sign-in as a
-* second-factor challenge.  The userId is retrieved from the stored verifier.
-*/
-async function handleVerify(ctx, provider, params, verifierValue) {
-	if (!verifierValue) throwAuthError("TOTP_MISSING_VERIFIER");
-	if (!params.code) throwAuthError("TOTP_MISSING_CODE");
-	const verifierDoc = await queryVerifierById(ctx, verifierValue);
-	if (!verifierDoc) throwAuthError("TOTP_INVALID_VERIFIER");
-	const userId = JSON.parse(verifierDoc.signature).userId;
-	const totpDoc = await queryTotpVerifiedByUserId(ctx, userId);
-	if (!totpDoc) throwAuthError("TOTP_NO_ENROLLMENT");
-	if (!verifyTOTPWithGracePeriod(new Uint8Array(totpDoc.secret), totpDoc.period, totpDoc.digits, params.code, 30)) throwAuthError("TOTP_INVALID_CODE");
-	await mutateTotpUpdateLastUsed(ctx, totpDoc._id, Date.now());
-	await mutateVerifierDelete(ctx, verifierValue);
-	return {
-		kind: "signedIn",
-		signedIn: await callSignIn(ctx, {
-			userId,
-			generateTokens: true
-		})
-	};
-}
-/**
-* Main TOTP handler dispatched from signIn.ts.
-*
-* Routes to the appropriate phase based on `params.flow`.
-*/
-async function handleTotp(ctx, provider, args) {
-	const flow = args.params?.flow;
-	if (!flow) throwAuthError("TOTP_MISSING_FLOW", "Missing `flow` parameter. Expected one of: setup, confirm, verify");
-	switch (flow) {
-		case "setup": return handleSetup(ctx, provider, args.params ?? {});
-		case "confirm": return handleConfirm(ctx, provider, args.params ?? {}, args.verifier);
-		case "verify": return handleVerify(ctx, provider, args.params ?? {}, args.verifier);
-		default: throwAuthError("TOTP_UNKNOWN_FLOW", `Unknown TOTP flow: ${flow}. Expected one of: setup, confirm, verify`);
-	}
-}
-/**
-* Check if a user has a verified TOTP enrollment.
-* Called after credentials sign-in to determine if 2FA is needed.
-*/
-async function checkTotpRequired(ctx, userId) {
-	return await queryTotpVerifiedByUserId(ctx, userId) !== null;
-}
-
-//#endregion
-export { checkTotpRequired, handleTotp };
-//# sourceMappingURL=totp.js.map

package/dist/server/implementation/totp.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"totp.js","names":[],"sources":["../../../src/server/implementation/totp.ts"],"sourcesContent":["/**\n * Server-side TOTP ceremony logic for two-factor authentication.\n *\n * Handles the three phases of the TOTP flow:\n * 1. setup   — generate a TOTP secret and `otpauth://` URI for enrollment\n * 2. confirm — verify the first code from the authenticator app and mark\n *              the enrollment as verified\n * 3. verify  — verify a TOTP code during sign-in (2FA challenge)\n *\n * Uses `@oslojs/otp` for TOTP generation / verification and\n * `@oslojs/encoding` for base-32 secret encoding.\n */\n\nimport {\n  verifyTOTPWithGracePeriod,\n  createTOTPKeyURI,\n} from \"@oslojs/otp\";\nimport { encodeBase32LowerCaseNoPadding } from \"@oslojs/encoding\";\nimport {\n  TotpProviderConfig,\n  GenericActionCtxWithAuthConfig,\n} from \"../types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  queryUserById,\n  queryTotpById,\n  queryTotpVerifiedByUserId,\n  queryVerifierById,\n  mutateTotpInsert,\n  mutateTotpMarkVerified,\n  mutateTotpUpdateLastUsed,\n  mutateVerifierDelete,\n} from \"./types\";\nimport { callSignIn, callVerifier } from \"./mutations/index\";\nimport { callVerifierSignature } from \"./mutations/signature\";\nimport { throwAuthError } from \"../errors\";\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n// ============================================================================\n// Setup flow\n// ============================================================================\n\n/**\n * Phase 1: Generate a TOTP secret and enrollment URI.\n *\n * Requires an authenticated user — TOTP enrollment always adds a second\n * factor to an existing account.  The userId is taken from the current\n * session identity.\n */\nasync function handleSetup(\n  ctx: EnrichedActionCtx,\n  provider: TotpProviderConfig,\n  params: Record<string, any>,\n): Promise<{\n  kind: \"totpSetup\";\n  uri: string;\n  secret: string;\n  verifier: string;\n  totpId: string;\n}> {\n  // TOTP enrollment requires an authenticated user\n  const identity = await ctx.auth.getUserIdentity();\n  if (identity === null) {\n    throwAuthError(\"TOTP_AUTH_REQUIRED\");\n  }\n  const [userId] = identity.subject.split(\"|\");\n\n  // Generate a 20-byte random secret (160 bits, per RFC 4226 recommendation)\n  const secret = new Uint8Array(20);\n  crypto.getRandomValues(secret);\n\n  // Resolve the account name for the otpauth:// URI\n  let accountName: string = params.accountName as string;\n  if (!accountName) {\n    const user = await queryUserById(ctx, userId!);\n    accountName = user?.email ?? \"user\";\n  }\n\n  // Build the otpauth:// URI for QR code scanning\n  const uri = createTOTPKeyURI(\n    provider.options.issuer,\n    accountName,\n    secret,\n    provider.options.period,\n    provider.options.digits,\n  );\n\n  // Encode the secret as base-32 for manual entry\n  const base32Secret = encodeBase32LowerCaseNoPadding(secret);\n\n  // Store enrolment metadata in a verifier so we can correlate the confirm step\n  const verifier = await callVerifier(ctx);\n  await callVerifierSignature(ctx, {\n    verifier,\n    signature: JSON.stringify({\n      secret: Array.from(secret),\n      userId,\n      digits: provider.options.digits,\n      period: provider.options.period,\n    }),\n  });\n\n  // Insert an UNVERIFIED TOTP record in the DB\n  const totpId = await mutateTotpInsert(ctx, {\n    userId: userId!,\n    secret: secret.buffer.slice(\n      secret.byteOffset,\n      secret.byteOffset + secret.byteLength,\n    ),\n    digits: provider.options.digits,\n    period: provider.options.period,\n    verified: false,\n    name: params.name,\n    createdAt: Date.now(),\n  });\n\n  return {\n    kind: \"totpSetup\" as const,\n    uri,\n    secret: base32Secret,\n    verifier,\n    totpId,\n  };\n}\n\n// ============================================================================\n// Confirm flow\n// ============================================================================\n\n/**\n * Phase 2: Verify the first code from the authenticator app.\n *\n * Requires an authenticated user.  Marks the TOTP enrollment as verified\n * after confirming the code is correct.\n */\nasync function handleConfirm(\n  ctx: EnrichedActionCtx,\n  provider: TotpProviderConfig,\n  params: Record<string, any>,\n  verifierValue: string | undefined,\n): Promise<{ kind: \"signedIn\"; signedIn: SessionInfo | null }> {\n  // TOTP confirmation requires an authenticated user\n  const identity = await ctx.auth.getUserIdentity();\n  if (identity === null) {\n    throwAuthError(\"TOTP_AUTH_REQUIRED\");\n  }\n  const [userId] = identity.subject.split(\"|\");\n\n  if (!verifierValue) {\n    throwAuthError(\"TOTP_MISSING_VERIFIER\");\n  }\n  if (!params.code) {\n    throwAuthError(\"TOTP_MISSING_CODE\");\n  }\n  if (!params.totpId) {\n    throwAuthError(\"TOTP_MISSING_ID\");\n  }\n\n  // Look up the TOTP record\n  const totpDoc = await queryTotpById(ctx, params.totpId);\n  if (!totpDoc) {\n    throwAuthError(\"TOTP_NOT_FOUND\");\n  }\n  if (totpDoc.verified) {\n    throwAuthError(\"TOTP_ALREADY_VERIFIED\");\n  }\n\n  // Extract the secret from the TOTP record\n  const secret = new Uint8Array(totpDoc.secret);\n\n  // Verify the code with a 30-second grace period\n  const valid = verifyTOTPWithGracePeriod(\n    secret,\n    provider.options.period,\n    provider.options.digits,\n    params.code,\n    30,\n  );\n  if (!valid) {\n    throwAuthError(\"TOTP_INVALID_CODE\");\n  }\n\n  // Mark the enrollment as verified\n  await mutateTotpMarkVerified(ctx, params.totpId, Date.now());\n\n  // Clean up the verifier\n  await mutateVerifierDelete(ctx, verifierValue);\n\n  // Return tokens for the existing session\n  const signInResult = await callSignIn(ctx, {\n    userId: userId!,\n    generateTokens: true,\n  });\n\n  return { kind: \"signedIn\", signedIn: signInResult };\n}\n\n// ============================================================================\n// Verify flow (2FA during sign-in)\n// ============================================================================\n\n/**\n * Phase 3: Verify a TOTP code during sign-in.\n *\n * Does NOT require an authenticated user — this runs mid-sign-in as a\n * second-factor challenge.  The userId is retrieved from the stored verifier.\n */\nasync function handleVerify(\n  ctx: EnrichedActionCtx,\n  provider: TotpProviderConfig,\n  params: Record<string, any>,\n  verifierValue: string | undefined,\n): Promise<{ kind: \"signedIn\"; signedIn: SessionInfo | null }> {\n  if (!verifierValue) {\n    throwAuthError(\"TOTP_MISSING_VERIFIER\");\n  }\n  if (!params.code) {\n    throwAuthError(\"TOTP_MISSING_CODE\");\n  }\n\n  // Look up the verifier to retrieve the stored userId\n  const verifierDoc = await queryVerifierById(ctx, verifierValue);\n  if (!verifierDoc) {\n    throwAuthError(\"TOTP_INVALID_VERIFIER\");\n  }\n\n  // Parse the signature to extract userId\n  const signatureData = JSON.parse(verifierDoc.signature!);\n  const userId = signatureData.userId as string;\n\n  // Look up the user's verified TOTP enrollment\n  const totpDoc = await queryTotpVerifiedByUserId(ctx, userId);\n  if (!totpDoc) {\n    throwAuthError(\"TOTP_NO_ENROLLMENT\");\n  }\n\n  // Extract the secret from the TOTP record\n  const secret = new Uint8Array(totpDoc.secret);\n\n  // Verify the code with a 30-second grace period\n  const valid = verifyTOTPWithGracePeriod(\n    secret,\n    totpDoc.period,\n    totpDoc.digits,\n    params.code,\n    30,\n  );\n  if (!valid) {\n    throwAuthError(\"TOTP_INVALID_CODE\");\n  }\n\n  // Update last used timestamp\n  await mutateTotpUpdateLastUsed(ctx, totpDoc._id, Date.now());\n\n  // Clean up the verifier\n  await mutateVerifierDelete(ctx, verifierValue);\n\n  // Sign in the user with tokens\n  const signInResult = await callSignIn(ctx, {\n    userId,\n    generateTokens: true,\n  });\n\n  return { kind: \"signedIn\", signedIn: signInResult };\n}\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\n/**\n * Main TOTP handler dispatched from signIn.ts.\n *\n * Routes to the appropriate phase based on `params.flow`.\n */\nexport async function handleTotp(\n  ctx: EnrichedActionCtx,\n  provider: TotpProviderConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n): Promise<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | {\n      kind: \"totpSetup\";\n      uri: string;\n      secret: string;\n      verifier: string;\n      totpId: string;\n    }\n> {\n  const flow = args.params?.flow;\n  if (!flow) {\n    throwAuthError(\n      \"TOTP_MISSING_FLOW\",\n      \"Missing `flow` parameter. Expected one of: setup, confirm, verify\",\n    );\n  }\n\n  switch (flow) {\n    case \"setup\":\n      return handleSetup(ctx, provider, args.params ?? {});\n    case \"confirm\":\n      return handleConfirm(\n        ctx,\n        provider,\n        args.params ?? {},\n        args.verifier,\n      );\n    case \"verify\":\n      return handleVerify(\n        ctx,\n        provider,\n        args.params ?? {},\n        args.verifier,\n      );\n    default:\n      throwAuthError(\n        \"TOTP_UNKNOWN_FLOW\",\n        `Unknown TOTP flow: ${flow}. Expected one of: setup, confirm, verify`,\n      );\n  }\n}\n\n// ============================================================================\n// Helpers\n// ============================================================================\n\n/**\n * Check if a user has a verified TOTP enrollment.\n * Called after credentials sign-in to determine if 2FA is needed.\n */\nexport async function checkTotpRequired(\n  ctx: EnrichedActionCtx,\n  userId: string,\n): Promise<boolean> {\n  const totpDoc = await queryTotpVerifiedByUserId(ctx, userId);\n  return totpDoc !== null;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmDA,eAAe,YACb,KACA,UACA,QAOC;CAED,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,KAAI,aAAa,KACf,gBAAe,qBAAqB;CAEtC,MAAM,CAAC,UAAU,SAAS,QAAQ,MAAM,IAAI;CAG5C,MAAM,SAAS,IAAI,WAAW,GAAG;AACjC,QAAO,gBAAgB,OAAO;CAG9B,IAAI,cAAsB,OAAO;AACjC,KAAI,CAAC,YAEH,gBADa,MAAM,cAAc,KAAK,OAAQ,GAC1B,SAAS;CAI/B,MAAM,MAAM,iBACV,SAAS,QAAQ,QACjB,aACA,QACA,SAAS,QAAQ,QACjB,SAAS,QAAQ,OAClB;CAGD,MAAM,eAAe,+BAA+B,OAAO;CAG3D,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,OAAM,sBAAsB,KAAK;EAC/B;EACA,WAAW,KAAK,UAAU;GACxB,QAAQ,MAAM,KAAK,OAAO;GAC1B;GACA,QAAQ,SAAS,QAAQ;GACzB,QAAQ,SAAS,QAAQ;GAC1B,CAAC;EACH,CAAC;AAgBF,QAAO;EACL,MAAM;EACN;EACA,QAAQ;EACR;EACA,QAlBa,MAAM,iBAAiB,KAAK;GACjC;GACR,QAAQ,OAAO,OAAO,MACpB,OAAO,YACP,OAAO,aAAa,OAAO,WAC5B;GACD,QAAQ,SAAS,QAAQ;GACzB,QAAQ,SAAS,QAAQ;GACzB,UAAU;GACV,MAAM,OAAO;GACb,WAAW,KAAK,KAAK;GACtB,CAAC;EAQD;;;;;;;;AAaH,eAAe,cACb,KACA,UACA,QACA,eAC6D;CAE7D,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,KAAI,aAAa,KACf,gBAAe,qBAAqB;CAEtC,MAAM,CAAC,UAAU,SAAS,QAAQ,MAAM,IAAI;AAE5C,KAAI,CAAC,cACH,gBAAe,wBAAwB;AAEzC,KAAI,CAAC,OAAO,KACV,gBAAe,oBAAoB;AAErC,KAAI,CAAC,OAAO,OACV,gBAAe,kBAAkB;CAInC,MAAM,UAAU,MAAM,cAAc,KAAK,OAAO,OAAO;AACvD,KAAI,CAAC,QACH,gBAAe,iBAAiB;AAElC,KAAI,QAAQ,SACV,gBAAe,wBAAwB;AAczC,KAAI,CAPU,0BAHC,IAAI,WAAW,QAAQ,OAAO,EAK3C,SAAS,QAAQ,QACjB,SAAS,QAAQ,QACjB,OAAO,MACP,GACD,CAEC,gBAAe,oBAAoB;AAIrC,OAAM,uBAAuB,KAAK,OAAO,QAAQ,KAAK,KAAK,CAAC;AAG5D,OAAM,qBAAqB,KAAK,cAAc;AAQ9C,QAAO;EAAE,MAAM;EAAY,UALN,MAAM,WAAW,KAAK;GACjC;GACR,gBAAgB;GACjB,CAAC;EAEiD;;;;;;;;AAarD,eAAe,aACb,KACA,UACA,QACA,eAC6D;AAC7D,KAAI,CAAC,cACH,gBAAe,wBAAwB;AAEzC,KAAI,CAAC,OAAO,KACV,gBAAe,oBAAoB;CAIrC,MAAM,cAAc,MAAM,kBAAkB,KAAK,cAAc;AAC/D,KAAI,CAAC,YACH,gBAAe,wBAAwB;CAKzC,MAAM,SADgB,KAAK,MAAM,YAAY,UAAW,CAC3B;CAG7B,MAAM,UAAU,MAAM,0BAA0B,KAAK,OAAO;AAC5D,KAAI,CAAC,QACH,gBAAe,qBAAqB;AActC,KAAI,CAPU,0BAHC,IAAI,WAAW,QAAQ,OAAO,EAK3C,QAAQ,QACR,QAAQ,QACR,OAAO,MACP,GACD,CAEC,gBAAe,oBAAoB;AAIrC,OAAM,yBAAyB,KAAK,QAAQ,KAAK,KAAK,KAAK,CAAC;AAG5D,OAAM,qBAAqB,KAAK,cAAc;AAQ9C,QAAO;EAAE,MAAM;EAAY,UALN,MAAM,WAAW,KAAK;GACzC;GACA,gBAAgB;GACjB,CAAC;EAEiD;;;;;;;AAYrD,eAAsB,WACpB,KACA,UACA,MAaA;CACA,MAAM,OAAO,KAAK,QAAQ;AAC1B,KAAI,CAAC,KACH,gBACE,qBACA,oEACD;AAGH,SAAQ,MAAR;EACE,KAAK,QACH,QAAO,YAAY,KAAK,UAAU,KAAK,UAAU,EAAE,CAAC;EACtD,KAAK,UACH,QAAO,cACL,KACA,UACA,KAAK,UAAU,EAAE,EACjB,KAAK,SACN;EACH,KAAK,SACH,QAAO,aACL,KACA,UACA,KAAK,UAAU,EAAE,EACjB,KAAK,SACN;EACH,QACE,gBACE,qBACA,sBAAsB,KAAK,2CAC5B;;;;;;;AAYP,eAAsB,kBACpB,KACA,QACkB;AAElB,QADgB,MAAM,0BAA0B,KAAK,OAAO,KACzC"}

package/dist/server/implementation/types.d.ts

@@ -1,189 +0,0 @@
-import { _default } from "../../component/schema.js";
-import { AuthComponentApi, GenericDoc } from "../types.js";
-import { DataModelFromSchemaDefinition, GenericActionCtx, GenericMutationCtx, GenericQueryCtx, TableNamesInDataModel } from "convex/server";
-import { GenericId } from "convex/values";
-
-//#region src/server/implementation/types.d.ts
-/** Data model derived from the component schema. */
-type AuthDataModel = DataModelFromSchemaDefinition<typeof _default>;
-/** Action context typed to the auth component's data model. */
-type ActionCtx = GenericActionCtx<AuthDataModel>;
-/** Mutation context typed to the auth component's data model. */
-type MutationCtx = GenericMutationCtx<AuthDataModel>;
-/** Query context typed to the auth component's data model. */
-type QueryCtx = GenericQueryCtx<AuthDataModel>;
-/** A document from any table in the auth component schema. */
-type Doc<T extends TableNamesInDataModel<AuthDataModel>> = GenericDoc<AuthDataModel, T>;
-/** A pair of JWT access token and refresh token. */
-type Tokens = {
-  token: string;
-  refreshToken: string;
-};
-/** Session information returned after authentication. */
-type SessionInfo = {
-  userId: GenericId<"user">;
-  sessionId: GenericId<"session">;
-  tokens: Tokens | null;
-};
-/** Session information with guaranteed non-null tokens. */
-type SessionInfoWithTokens = {
-  userId: GenericId<"user">;
-  sessionId: GenericId<"session">;
-  tokens: Tokens;
-};
-interface TotpDoc {
-  _id: string;
-  _creationTime: number;
-  userId: string;
-  secret: ArrayBuffer;
-  digits: number;
-  period: number;
-  verified: boolean;
-  name?: string;
-  createdAt: number;
-  lastUsedAt?: number;
-}
-interface PasskeyDoc {
-  _id: string;
-  _creationTime: number;
-  userId: string;
-  credentialId: string;
-  publicKey: ArrayBuffer;
-  algorithm: number;
-  counter: number;
-  transports?: string[];
-  deviceType: string;
-  backedUp: boolean;
-  name?: string;
-  createdAt: number;
-  lastUsedAt?: number;
-}
-interface VerifierDoc {
-  _id: string;
-  _creationTime: number;
-  signature?: string;
-  sessionId?: string;
-}
-interface UserDoc {
-  _id: string;
-  _creationTime: number;
-  email?: string;
-  emailVerificationTime?: number;
-  phone?: string;
-  phoneVerificationTime?: number;
-  name?: string;
-  image?: string;
-  isAnonymous?: boolean;
-}
-interface KeyDoc {
-  _id: string;
-  _creationTime: number;
-  userId: string;
-  prefix: string;
-  hashedKey: string;
-  name: string;
-  scopes: Array<{
-    resource: string;
-    actions: string[];
-  }>;
-  rateLimit?: {
-    maxRequests: number;
-    windowMs: number;
-  };
-  rateLimitState?: {
-    attemptsLeft: number;
-    lastAttemptTime: number;
-  };
-  expiresAt?: number;
-  lastUsedAt?: number;
-  createdAt: number;
-  revoked: boolean;
-}
-/** @internal */
-type ComponentCallCtx = {
-  runQuery: GenericActionCtx<AuthDataModel>["runQuery"];
-  runMutation: GenericActionCtx<AuthDataModel>["runMutation"];
-  auth: {
-    config: {
-      component: AuthComponentApi;
-    };
-  };
-};
-declare function queryUserById(ctx: ComponentCallCtx, userId: string): Promise<UserDoc | null>;
-declare function queryUserByVerifiedEmail(ctx: ComponentCallCtx, email: string): Promise<UserDoc | null>;
-declare function queryVerifierById(ctx: ComponentCallCtx, verifierId: string): Promise<VerifierDoc | null>;
-declare function mutateVerifierDelete(ctx: ComponentCallCtx, verifierId: string): Promise<void>;
-declare function queryTotpById(ctx: ComponentCallCtx, totpId: string): Promise<TotpDoc | null>;
-declare function queryTotpVerifiedByUserId(ctx: ComponentCallCtx, userId: string): Promise<TotpDoc | null>;
-declare function mutateTotpInsert(ctx: ComponentCallCtx, args: {
-  userId: string;
-  secret: ArrayBuffer;
-  digits: number;
-  period: number;
-  verified: boolean;
-  name?: string;
-  createdAt: number;
-}): Promise<string>;
-declare function mutateTotpMarkVerified(ctx: ComponentCallCtx, totpId: string, lastUsedAt: number): Promise<void>;
-declare function mutateTotpUpdateLastUsed(ctx: ComponentCallCtx, totpId: string, lastUsedAt: number): Promise<void>;
-declare function queryPasskeysByUserId(ctx: ComponentCallCtx, userId: string): Promise<PasskeyDoc[]>;
-declare function queryPasskeyByCredentialId(ctx: ComponentCallCtx, credentialId: string): Promise<PasskeyDoc | null>;
-declare function mutatePasskeyInsert(ctx: ComponentCallCtx, args: {
-  userId: string;
-  credentialId: string;
-  publicKey: ArrayBuffer | ArrayBufferLike;
-  algorithm: number;
-  counter: number;
-  transports?: string[];
-  deviceType: string;
-  backedUp: boolean;
-  name?: string;
-  createdAt: number;
-}): Promise<string>;
-declare function mutatePasskeyUpdateCounter(ctx: ComponentCallCtx, passkeyId: string, counter: number, lastUsedAt: number): Promise<void>;
-declare function mutateKeyInsert(ctx: ComponentCallCtx, args: {
-  userId: string;
-  prefix: string;
-  hashedKey: string;
-  name: string;
-  scopes: Array<{
-    resource: string;
-    actions: string[];
-  }>;
-  rateLimit?: {
-    maxRequests: number;
-    windowMs: number;
-  };
-  expiresAt?: number;
-}): Promise<string>;
-declare function queryKeysByUserId(ctx: ComponentCallCtx, userId: string): Promise<KeyDoc[]>;
-declare function queryKeyById(ctx: ComponentCallCtx, keyId: string): Promise<KeyDoc | null>;
-declare function mutateKeyPatch(ctx: ComponentCallCtx, keyId: string, data: Record<string, unknown>): Promise<void>;
-declare function mutateKeyDelete(ctx: ComponentCallCtx, keyId: string): Promise<void>;
-interface DeviceDoc {
-  _id: string;
-  _creationTime: number;
-  deviceCodeHash: string;
-  userCode: string;
-  expiresAt: number;
-  interval: number;
-  status: "pending" | "authorized" | "denied";
-  userId?: string;
-  sessionId?: string;
-  lastPolledAt?: number;
-}
-declare function mutateDeviceInsert(ctx: ComponentCallCtx, args: {
-  deviceCodeHash: string;
-  userCode: string;
-  expiresAt: number;
-  interval: number;
-  status: "pending" | "authorized" | "denied";
-}): Promise<string>;
-declare function queryDeviceByCodeHash(ctx: ComponentCallCtx, deviceCodeHash: string): Promise<DeviceDoc | null>;
-declare function queryDeviceByUserCode(ctx: ComponentCallCtx, userCode: string): Promise<DeviceDoc | null>;
-declare function mutateDeviceAuthorize(ctx: ComponentCallCtx, deviceId: string, userId: string, sessionId: string): Promise<void>;
-declare function mutateDeviceUpdateLastPolled(ctx: ComponentCallCtx, deviceId: string, lastPolledAt: number): Promise<void>;
-declare function mutateDeviceDelete(ctx: ComponentCallCtx, deviceId: string): Promise<void>;
-//#endregion
-export { ActionCtx, AuthDataModel, ComponentCallCtx, DeviceDoc, Doc, KeyDoc, MutationCtx, PasskeyDoc, QueryCtx, SessionInfo, SessionInfoWithTokens, Tokens, TotpDoc, UserDoc, VerifierDoc, mutateDeviceAuthorize, mutateDeviceDelete, mutateDeviceInsert, mutateDeviceUpdateLastPolled, mutateKeyDelete, mutateKeyInsert, mutateKeyPatch, mutatePasskeyInsert, mutatePasskeyUpdateCounter, mutateTotpInsert, mutateTotpMarkVerified, mutateTotpUpdateLastUsed, mutateVerifierDelete, queryDeviceByCodeHash, queryDeviceByUserCode, queryKeyById, queryKeysByUserId, queryPasskeyByCredentialId, queryPasskeysByUserId, queryTotpById, queryTotpVerifiedByUserId, queryUserById, queryUserByVerifiedEmail, queryVerifierById };
-//# sourceMappingURL=types.d.ts.map

package/dist/server/implementation/types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.d.ts","names":[],"sources":["../../../src/server/implementation/types.ts"],"mappings":";;;;;;;KAaY,aAAA,GAAgB,6BAAA,QAAqC,QAAA;;KAGrD,SAAA,GAAY,gBAAA,CAAiB,aAAA;;KAG7B,WAAA,GAAc,kBAAA,CAAmB,aAAA;AAH7C;AAAA,KAMY,QAAA,GAAW,eAAA,CAAgB,aAAA;;KAG3B,GAAA,WAAc,qBAAA,CAAsB,aAAA,KAAkB,UAAA,CAChE,aAAA,EACA,CAAA;;KAIU,MAAA;EAAW,KAAA;EAAe,YAAA;AAAA;;KAG1B,WAAA;EACV,MAAA,EAAQ,SAAA;EACR,SAAA,EAAW,SAAA;EACX,MAAA,EAAQ,MAAA;AAAA;AAZV;AAAA,KAgBY,qBAAA;EACV,MAAA,EAAQ,SAAA;EACR,SAAA,EAAW,SAAA;EACX,MAAA,EAAQ,MAAA;AAAA;AAAA,UAUO,OAAA;EACf,GAAA;EACA,aAAA;EACA,MAAA;EACA,MAAA,EAAQ,WAAA;EACR,MAAA;EACA,MAAA;EACA,QAAA;EACA,IAAA;EACA,SAAA;EACA,UAAA;AAAA;AAAA,UAGe,UAAA;EACf,GAAA;EACA,aAAA;EACA,MAAA;EACA,YAAA;EACA,SAAA,EAAW,WAAA;EACX,SAAA;EACA,OAAA;EACA,UAAA;EACA,UAAA;EACA,QAAA;EACA,IAAA;EACA,SAAA;EACA,UAAA;AAAA;AAAA,UAGe,WAAA;EACf,GAAA;EACA,aAAA;EACA,SAAA;EACA,SAAA;AAAA;AAAA,UAGe,OAAA;EACf,GAAA;EACA,aAAA;EACA,KAAA;EACA,qBAAA;EACA,KAAA;EACA,qBAAA;EACA,IAAA;EACA,KAAA;EACA,WAAA;AAAA;AAAA,UAGe,MAAA;EACf,GAAA;EACA,aAAA;EACA,MAAA;EACA,MAAA;EACA,SAAA;EACA,IAAA;EACA,MAAA,EAAQ,KAAA;IAAQ,QAAA;IAAkB,OAAA;EAAA;EAClC,SAAA;IAAc,WAAA;IAAqB,QAAA;EAAA;EACnC,cAAA;IAAmB,YAAA;IAAsB,eAAA;EAAA;EACzC,SAAA;EACA,UAAA;EACA,SAAA;EACA,OAAA;AAAA;;KAWU,gBAAA;EACV,QAAA,EAAU,gBAAA,CAAiB,aAAA;EAC3B,WAAA,EAAa,gBAAA,CAAiB,aAAA;EAC9B,IAAA;IAAQ,MAAA;MAAU,SAAA,EAAW,gBAAA;IAAA;EAAA;AAAA;AAAA,iBAYT,aAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,WACC,OAAA,CAAQ,OAAA;AAAA,iBAOW,wBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,KAAA,WACC,OAAA,CAAQ,OAAA;AAAA,iBASW,iBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,UAAA,WACC,OAAA,CAAQ,WAAA;AAAA,iBAOW,oBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,UAAA,WACC,OAAA;AAAA,iBASmB,aAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,WACC,OAAA,CAAQ,OAAA;AAAA,iBAOW,yBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,WACC,OAAA,CAAQ,OAAA;AAAA,iBAOW,gBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,IAAA;EACE,MAAA;EACA,MAAA,EAAQ,WAAA;EACR,MAAA;EACA,MAAA;EACA,QAAA;EACA,IAAA;EACA,SAAA;AAAA,IAED,OAAA;AAAA,iBAOmB,sBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,UACA,UAAA,WACC,OAAA;AAAA,iBAOmB,wBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,UACA,UAAA,WACC,OAAA;AAAA,iBASmB,qBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,WACC,OAAA,CAAQ,UAAA;AAAA,iBAOW,0BAAA,CACpB,GAAA,EAAK,gBAAA,EACL,YAAA,WACC,OAAA,CAAQ,UAAA;AAAA,iBAOW,mBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,IAAA;EACE,MAAA;EACA,YAAA;EACA,SAAA,EAAW,WAAA,GAAc,eAAA;EACzB,SAAA;EACA,OAAA;EACA,UAAA;EACA,UAAA;EACA,QAAA;EACA,IAAA;EACA,SAAA;AAAA,IAED,OAAA;AAAA,iBAOmB,0BAAA,CACpB,GAAA,EAAK,gBAAA,EACL,SAAA,UACA,OAAA,UACA,UAAA,WACC,OAAA;AAAA,iBASmB,eAAA,CACpB,GAAA,EAAK,gBAAA,EACL,IAAA;EACE,MAAA;EACA,MAAA;EACA,SAAA;EACA,IAAA;EACA,MAAA,EAAQ,KAAA;IAAQ,QAAA;IAAkB,OAAA;EAAA;EAClC,SAAA;IAAc,WAAA;IAAqB,QAAA;EAAA;EACnC,SAAA;AAAA,IAED,OAAA;AAAA,iBAOmB,iBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,MAAA,WACC,OAAA,CAAQ,MAAA;AAAA,iBAOW,YAAA,CACpB,GAAA,EAAK,gBAAA,EACL,KAAA,WACC,OAAA,CAAQ,MAAA;AAAA,iBAOW,cAAA,CACpB,GAAA,EAAK,gBAAA,EACL,KAAA,UACA,IAAA,EAAM,MAAA,oBACL,OAAA;AAAA,iBAOmB,eAAA,CACpB,GAAA,EAAK,gBAAA,EACL,KAAA,WACC,OAAA;AAAA,UASc,SAAA;EACf,GAAA;EACA,aAAA;EACA,cAAA;EACA,QAAA;EACA,SAAA;EACA,QAAA;EACA,MAAA;EACA,MAAA;EACA,SAAA;EACA,YAAA;AAAA;AAAA,iBAGoB,kBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,IAAA;EACE,cAAA;EACA,QAAA;EACA,SAAA;EACA,QAAA;EACA,MAAA;AAAA,IAED,OAAA;AAAA,iBAOmB,qBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,cAAA,WACC,OAAA,CAAQ,SAAA;AAAA,iBAOW,qBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,QAAA,WACC,OAAA,CAAQ,SAAA;AAAA,iBAOW,qBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,QAAA,UACA,MAAA,UACA,SAAA,WACC,OAAA;AAAA,iBAOmB,4BAAA,CACpB,GAAA,EAAK,gBAAA,EACL,QAAA,UACA,YAAA,WACC,OAAA;AAAA,iBAOmB,kBAAA,CACpB,GAAA,EAAK,gBAAA,EACL,QAAA,WACC,OAAA"}

package/dist/server/implementation/types.js

@@ -1,97 +0,0 @@
-//#region src/server/implementation/types.ts
-async function queryUserById(ctx, userId) {
-	return await ctx.runQuery(ctx.auth.config.component.public.userGetById, { userId });
-}
-async function queryUserByVerifiedEmail(ctx, email) {
-	return await ctx.runQuery(ctx.auth.config.component.public.userFindByVerifiedEmail, { email });
-}
-async function queryVerifierById(ctx, verifierId) {
-	return await ctx.runQuery(ctx.auth.config.component.public.verifierGetById, { verifierId });
-}
-async function mutateVerifierDelete(ctx, verifierId) {
-	await ctx.runMutation(ctx.auth.config.component.public.verifierDelete, { verifierId });
-}
-async function queryTotpById(ctx, totpId) {
-	return await ctx.runQuery(ctx.auth.config.component.public.totpGetById, { totpId });
-}
-async function queryTotpVerifiedByUserId(ctx, userId) {
-	return await ctx.runQuery(ctx.auth.config.component.public.totpGetVerifiedByUserId, { userId });
-}
-async function mutateTotpInsert(ctx, args) {
-	return await ctx.runMutation(ctx.auth.config.component.public.totpInsert, args);
-}
-async function mutateTotpMarkVerified(ctx, totpId, lastUsedAt) {
-	await ctx.runMutation(ctx.auth.config.component.public.totpMarkVerified, {
-		totpId,
-		lastUsedAt
-	});
-}
-async function mutateTotpUpdateLastUsed(ctx, totpId, lastUsedAt) {
-	await ctx.runMutation(ctx.auth.config.component.public.totpUpdateLastUsed, {
-		totpId,
-		lastUsedAt
-	});
-}
-async function queryPasskeysByUserId(ctx, userId) {
-	return await ctx.runQuery(ctx.auth.config.component.public.passkeyListByUserId, { userId });
-}
-async function queryPasskeyByCredentialId(ctx, credentialId) {
-	return await ctx.runQuery(ctx.auth.config.component.public.passkeyGetByCredentialId, { credentialId });
-}
-async function mutatePasskeyInsert(ctx, args) {
-	return await ctx.runMutation(ctx.auth.config.component.public.passkeyInsert, args);
-}
-async function mutatePasskeyUpdateCounter(ctx, passkeyId, counter, lastUsedAt) {
-	await ctx.runMutation(ctx.auth.config.component.public.passkeyUpdateCounter, {
-		passkeyId,
-		counter,
-		lastUsedAt
-	});
-}
-async function mutateKeyInsert(ctx, args) {
-	return await ctx.runMutation(ctx.auth.config.component.public.keyInsert, args);
-}
-async function queryKeysByUserId(ctx, userId) {
-	return await ctx.runQuery(ctx.auth.config.component.public.keyListByUserId, { userId });
-}
-async function queryKeyById(ctx, keyId) {
-	return await ctx.runQuery(ctx.auth.config.component.public.keyGetById, { keyId });
-}
-async function mutateKeyPatch(ctx, keyId, data) {
-	await ctx.runMutation(ctx.auth.config.component.public.keyPatch, {
-		keyId,
-		data
-	});
-}
-async function mutateKeyDelete(ctx, keyId) {
-	await ctx.runMutation(ctx.auth.config.component.public.keyDelete, { keyId });
-}
-async function mutateDeviceInsert(ctx, args) {
-	return await ctx.runMutation(ctx.auth.config.component.public.deviceInsert, args);
-}
-async function queryDeviceByCodeHash(ctx, deviceCodeHash) {
-	return await ctx.runQuery(ctx.auth.config.component.public.deviceGetByCodeHash, { deviceCodeHash });
-}
-async function queryDeviceByUserCode(ctx, userCode) {
-	return await ctx.runQuery(ctx.auth.config.component.public.deviceGetByUserCode, { userCode });
-}
-async function mutateDeviceAuthorize(ctx, deviceId, userId, sessionId) {
-	await ctx.runMutation(ctx.auth.config.component.public.deviceAuthorize, {
-		deviceId,
-		userId,
-		sessionId
-	});
-}
-async function mutateDeviceUpdateLastPolled(ctx, deviceId, lastPolledAt) {
-	await ctx.runMutation(ctx.auth.config.component.public.deviceUpdateLastPolled, {
-		deviceId,
-		lastPolledAt
-	});
-}
-async function mutateDeviceDelete(ctx, deviceId) {
-	await ctx.runMutation(ctx.auth.config.component.public.deviceDelete, { deviceId });
-}
-
-//#endregion
-export { mutateDeviceAuthorize, mutateDeviceDelete, mutateDeviceInsert, mutateDeviceUpdateLastPolled, mutateKeyDelete, mutateKeyInsert, mutateKeyPatch, mutatePasskeyInsert, mutatePasskeyUpdateCounter, mutateTotpInsert, mutateTotpMarkVerified, mutateTotpUpdateLastUsed, mutateVerifierDelete, queryDeviceByCodeHash, queryDeviceByUserCode, queryKeyById, queryKeysByUserId, queryPasskeyByCredentialId, queryPasskeysByUserId, queryTotpById, queryTotpVerifiedByUserId, queryUserById, queryUserByVerifiedEmail, queryVerifierById };
-//# sourceMappingURL=types.js.map

package/dist/server/implementation/types.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.js","names":[],"sources":["../../../src/server/implementation/types.ts"],"sourcesContent":["import {\n  DataModelFromSchemaDefinition,\n  GenericActionCtx,\n  GenericMutationCtx,\n  GenericQueryCtx,\n  TableNamesInDataModel,\n} from \"convex/server\";\nimport { GenericId } from \"convex/values\";\nimport { GenericDoc } from \"../types\";\nimport schema from \"../../component/schema\";\nimport { AuthComponentApi } from \"../types\";\n\n/** Data model derived from the component schema. */\nexport type AuthDataModel = DataModelFromSchemaDefinition<typeof schema>;\n\n/** Action context typed to the auth component's data model. */\nexport type ActionCtx = GenericActionCtx<AuthDataModel>;\n\n/** Mutation context typed to the auth component's data model. */\nexport type MutationCtx = GenericMutationCtx<AuthDataModel>;\n\n/** Query context typed to the auth component's data model. */\nexport type QueryCtx = GenericQueryCtx<AuthDataModel>;\n\n/** A document from any table in the auth component schema. */\nexport type Doc<T extends TableNamesInDataModel<AuthDataModel>> = GenericDoc<\n  AuthDataModel,\n  T\n>;\n\n/** A pair of JWT access token and refresh token. */\nexport type Tokens = { token: string; refreshToken: string };\n\n/** Session information returned after authentication. */\nexport type SessionInfo = {\n  userId: GenericId<\"user\">;\n  sessionId: GenericId<\"session\">;\n  tokens: Tokens | null;\n};\n\n/** Session information with guaranteed non-null tokens. */\nexport type SessionInfoWithTokens = {\n  userId: GenericId<\"user\">;\n  sessionId: GenericId<\"session\">;\n  tokens: Tokens;\n};\n\n// ---------------------------------------------------------------------------\n// Cross-component document shapes\n// ---------------------------------------------------------------------------\n// These mirror the component schema tables. They exist so that server-side\n// code can work with typed results from cross-component queries/mutations\n// instead of casting to `any` at every field access.\n\nexport interface TotpDoc {\n  _id: string;\n  _creationTime: number;\n  userId: string;\n  secret: ArrayBuffer;\n  digits: number;\n  period: number;\n  verified: boolean;\n  name?: string;\n  createdAt: number;\n  lastUsedAt?: number;\n}\n\nexport interface PasskeyDoc {\n  _id: string;\n  _creationTime: number;\n  userId: string;\n  credentialId: string;\n  publicKey: ArrayBuffer;\n  algorithm: number;\n  counter: number;\n  transports?: string[];\n  deviceType: string;\n  backedUp: boolean;\n  name?: string;\n  createdAt: number;\n  lastUsedAt?: number;\n}\n\nexport interface VerifierDoc {\n  _id: string;\n  _creationTime: number;\n  signature?: string;\n  sessionId?: string;\n}\n\nexport interface UserDoc {\n  _id: string;\n  _creationTime: number;\n  email?: string;\n  emailVerificationTime?: number;\n  phone?: string;\n  phoneVerificationTime?: number;\n  name?: string;\n  image?: string;\n  isAnonymous?: boolean;\n}\n\nexport interface KeyDoc {\n  _id: string;\n  _creationTime: number;\n  userId: string;\n  prefix: string;\n  hashedKey: string;\n  name: string;\n  scopes: Array<{ resource: string; actions: string[] }>;\n  rateLimit?: { maxRequests: number; windowMs: number };\n  rateLimitState?: { attemptsLeft: number; lastAttemptTime: number };\n  expiresAt?: number;\n  lastUsedAt?: number;\n  createdAt: number;\n  revoked: boolean;\n}\n\n// ---------------------------------------------------------------------------\n// Cross-component wrapper context\n// ---------------------------------------------------------------------------\n// Structural type accepted by all wrappers below.  Works for both action and\n// mutation contexts — the only capabilities we need are runQuery / runMutation\n// and access to the component API via `auth.config.component`.\n\n/** @internal */\nexport type ComponentCallCtx = {\n  runQuery: GenericActionCtx<AuthDataModel>[\"runQuery\"];\n  runMutation: GenericActionCtx<AuthDataModel>[\"runMutation\"];\n  auth: { config: { component: AuthComponentApi } };\n};\n\n// ---------------------------------------------------------------------------\n// Typed wrappers for cross-component calls\n// ---------------------------------------------------------------------------\n// Each wrapper encapsulates the single `as any` cast at the component\n// boundary so that callers get full type safety on both args and return\n// values.\n\n// -- User queries --\n\nexport async function queryUserById(\n  ctx: ComponentCallCtx,\n  userId: string,\n): Promise<UserDoc | null> {\n  return (await ctx.runQuery(\n    ctx.auth.config.component.public.userGetById,\n    { userId },\n  )) as UserDoc | null;\n}\n\nexport async function queryUserByVerifiedEmail(\n  ctx: ComponentCallCtx,\n  email: string,\n): Promise<UserDoc | null> {\n  return (await ctx.runQuery(\n    ctx.auth.config.component.public.userFindByVerifiedEmail,\n    { email },\n  )) as UserDoc | null;\n}\n\n// -- Verifier queries / mutations --\n\nexport async function queryVerifierById(\n  ctx: ComponentCallCtx,\n  verifierId: string,\n): Promise<VerifierDoc | null> {\n  return (await ctx.runQuery(\n    ctx.auth.config.component.public.verifierGetById,\n    { verifierId },\n  )) as VerifierDoc | null;\n}\n\nexport async function mutateVerifierDelete(\n  ctx: ComponentCallCtx,\n  verifierId: string,\n): Promise<void> {\n  await ctx.runMutation(\n    ctx.auth.config.component.public.verifierDelete,\n    { verifierId },\n  );\n}\n\n// -- TOTP queries / mutations --\n\nexport async function queryTotpById(\n  ctx: ComponentCallCtx,\n  totpId: string,\n): Promise<TotpDoc | null> {\n  return (await ctx.runQuery(\n    ctx.auth.config.component.public.totpGetById,\n    { totpId },\n  )) as TotpDoc | null;\n}\n\nexport async function queryTotpVerifiedByUserId(\n  ctx: ComponentCallCtx,\n  userId: string,\n): Promise<TotpDoc | null> {\n  return (await ctx.runQuery(\n    ctx.auth.config.component.public.totpGetVerifiedByUserId,\n    { userId },\n  )) as TotpDoc | null;\n}\n\nexport async function mutateTotpInsert(\n  ctx: ComponentCallCtx,\n  args: {\n    userId: string;\n    secret: ArrayBuffer;\n    digits: number;\n    period: number;\n    verified: boolean;\n    name?: string;\n    createdAt: number;\n  },\n): Promise<string> {\n  return (await ctx.runMutation(\n    ctx.auth.config.component.public.totpInsert,\n    args,\n  )) as string;\n}\n\nexport async function mutateTotpMarkVerified(\n  ctx: ComponentCallCtx,\n  totpId: string,\n  lastUsedAt: number,\n): Promise<void> {\n  await ctx.runMutation(\n    ctx.auth.config.component.public.totpMarkVerified,\n    { totpId, lastUsedAt },\n  );\n}\n\nexport async function mutateTotpUpdateLastUsed(\n  ctx: ComponentCallCtx,\n  totpId: string,\n  lastUsedAt: number,\n): Promise<void> {\n  await ctx.runMutation(\n    ctx.auth.config.component.public.totpUpdateLastUsed,\n    { totpId, lastUsedAt },\n  );\n}\n\n// -- Passkey queries / mutations --\n\nexport async function queryPasskeysByUserId(\n  ctx: ComponentCallCtx,\n  userId: string,\n): Promise<PasskeyDoc[]> {\n  return (await ctx.runQuery(\n    ctx.auth.config.component.public.passkeyListByUserId,\n    { userId },\n  )) as PasskeyDoc[];\n}\n\nexport async function queryPasskeyByCredentialId(\n  ctx: ComponentCallCtx,\n  credentialId: string,\n): Promise<PasskeyDoc | null> {\n  return (await ctx.runQuery(\n    ctx.auth.config.component.public.passkeyGetByCredentialId,\n    { credentialId },\n  )) as PasskeyDoc | null;\n}\n\nexport async function mutatePasskeyInsert(\n  ctx: ComponentCallCtx,\n  args: {\n    userId: string;\n    credentialId: string;\n    publicKey: ArrayBuffer | ArrayBufferLike;\n    algorithm: number;\n    counter: number;\n    transports?: string[];\n    deviceType: string;\n    backedUp: boolean;\n    name?: string;\n    createdAt: number;\n  },\n): Promise<string> {\n  return (await ctx.runMutation(\n    ctx.auth.config.component.public.passkeyInsert,\n    args,\n  )) as string;\n}\n\nexport async function mutatePasskeyUpdateCounter(\n  ctx: ComponentCallCtx,\n  passkeyId: string,\n  counter: number,\n  lastUsedAt: number,\n): Promise<void> {\n  await ctx.runMutation(\n    ctx.auth.config.component.public.passkeyUpdateCounter,\n    { passkeyId, counter, lastUsedAt },\n  );\n}\n\n// -- Key queries / mutations --\n\nexport async function mutateKeyInsert(\n  ctx: ComponentCallCtx,\n  args: {\n    userId: string;\n    prefix: string;\n    hashedKey: string;\n    name: string;\n    scopes: Array<{ resource: string; actions: string[] }>;\n    rateLimit?: { maxRequests: number; windowMs: number };\n    expiresAt?: number;\n  },\n): Promise<string> {\n  return (await ctx.runMutation(\n    ctx.auth.config.component.public.keyInsert,\n    args,\n  )) as string;\n}\n\nexport async function queryKeysByUserId(\n  ctx: ComponentCallCtx,\n  userId: string,\n): Promise<KeyDoc[]> {\n  return (await ctx.runQuery(\n    ctx.auth.config.component.public.keyListByUserId,\n    { userId },\n  )) as KeyDoc[];\n}\n\nexport async function queryKeyById(\n  ctx: ComponentCallCtx,\n  keyId: string,\n): Promise<KeyDoc | null> {\n  return (await ctx.runQuery(\n    ctx.auth.config.component.public.keyGetById,\n    { keyId },\n  )) as KeyDoc | null;\n}\n\nexport async function mutateKeyPatch(\n  ctx: ComponentCallCtx,\n  keyId: string,\n  data: Record<string, unknown>,\n): Promise<void> {\n  await ctx.runMutation(\n    ctx.auth.config.component.public.keyPatch,\n    { keyId, data },\n  );\n}\n\nexport async function mutateKeyDelete(\n  ctx: ComponentCallCtx,\n  keyId: string,\n): Promise<void> {\n  await ctx.runMutation(\n    ctx.auth.config.component.public.keyDelete,\n    { keyId },\n  );\n}\n\n// -- Device authorization queries / mutations --\n\nexport interface DeviceDoc {\n  _id: string;\n  _creationTime: number;\n  deviceCodeHash: string;\n  userCode: string;\n  expiresAt: number;\n  interval: number;\n  status: \"pending\" | \"authorized\" | \"denied\";\n  userId?: string;\n  sessionId?: string;\n  lastPolledAt?: number;\n}\n\nexport async function mutateDeviceInsert(\n  ctx: ComponentCallCtx,\n  args: {\n    deviceCodeHash: string;\n    userCode: string;\n    expiresAt: number;\n    interval: number;\n    status: \"pending\" | \"authorized\" | \"denied\";\n  },\n): Promise<string> {\n  return (await ctx.runMutation(\n    ctx.auth.config.component.public.deviceInsert,\n    args,\n  )) as string;\n}\n\nexport async function queryDeviceByCodeHash(\n  ctx: ComponentCallCtx,\n  deviceCodeHash: string,\n): Promise<DeviceDoc | null> {\n  return (await ctx.runQuery(\n    ctx.auth.config.component.public.deviceGetByCodeHash,\n    { deviceCodeHash },\n  )) as DeviceDoc | null;\n}\n\nexport async function queryDeviceByUserCode(\n  ctx: ComponentCallCtx,\n  userCode: string,\n): Promise<DeviceDoc | null> {\n  return (await ctx.runQuery(\n    ctx.auth.config.component.public.deviceGetByUserCode,\n    { userCode },\n  )) as DeviceDoc | null;\n}\n\nexport async function mutateDeviceAuthorize(\n  ctx: ComponentCallCtx,\n  deviceId: string,\n  userId: string,\n  sessionId: string,\n): Promise<void> {\n  await ctx.runMutation(\n    ctx.auth.config.component.public.deviceAuthorize,\n    { deviceId, userId, sessionId },\n  );\n}\n\nexport async function mutateDeviceUpdateLastPolled(\n  ctx: ComponentCallCtx,\n  deviceId: string,\n  lastPolledAt: number,\n): Promise<void> {\n  await ctx.runMutation(\n    ctx.auth.config.component.public.deviceUpdateLastPolled,\n    { deviceId, lastPolledAt },\n  );\n}\n\nexport async function mutateDeviceDelete(\n  ctx: ComponentCallCtx,\n  deviceId: string,\n): Promise<void> {\n  await ctx.runMutation(\n    ctx.auth.config.component.public.deviceDelete,\n    { deviceId },\n  );\n}\n"],"mappings":";AA6IA,eAAsB,cACpB,KACA,QACyB;AACzB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,aACjC,EAAE,QAAQ,CACX;;AAGH,eAAsB,yBACpB,KACA,OACyB;AACzB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,yBACjC,EAAE,OAAO,CACV;;AAKH,eAAsB,kBACpB,KACA,YAC6B;AAC7B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,iBACjC,EAAE,YAAY,CACf;;AAGH,eAAsB,qBACpB,KACA,YACe;AACf,OAAM,IAAI,YACR,IAAI,KAAK,OAAO,UAAU,OAAO,gBACjC,EAAE,YAAY,CACf;;AAKH,eAAsB,cACpB,KACA,QACyB;AACzB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,aACjC,EAAE,QAAQ,CACX;;AAGH,eAAsB,0BACpB,KACA,QACyB;AACzB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,yBACjC,EAAE,QAAQ,CACX;;AAGH,eAAsB,iBACpB,KACA,MASiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,YACjC,KACD;;AAGH,eAAsB,uBACpB,KACA,QACA,YACe;AACf,OAAM,IAAI,YACR,IAAI,KAAK,OAAO,UAAU,OAAO,kBACjC;EAAE;EAAQ;EAAY,CACvB;;AAGH,eAAsB,yBACpB,KACA,QACA,YACe;AACf,OAAM,IAAI,YACR,IAAI,KAAK,OAAO,UAAU,OAAO,oBACjC;EAAE;EAAQ;EAAY,CACvB;;AAKH,eAAsB,sBACpB,KACA,QACuB;AACvB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,qBACjC,EAAE,QAAQ,CACX;;AAGH,eAAsB,2BACpB,KACA,cAC4B;AAC5B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,0BACjC,EAAE,cAAc,CACjB;;AAGH,eAAsB,oBACpB,KACA,MAYiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,eACjC,KACD;;AAGH,eAAsB,2BACpB,KACA,WACA,SACA,YACe;AACf,OAAM,IAAI,YACR,IAAI,KAAK,OAAO,UAAU,OAAO,sBACjC;EAAE;EAAW;EAAS;EAAY,CACnC;;AAKH,eAAsB,gBACpB,KACA,MASiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,WACjC,KACD;;AAGH,eAAsB,kBACpB,KACA,QACmB;AACnB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,iBACjC,EAAE,QAAQ,CACX;;AAGH,eAAsB,aACpB,KACA,OACwB;AACxB,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,YACjC,EAAE,OAAO,CACV;;AAGH,eAAsB,eACpB,KACA,OACA,MACe;AACf,OAAM,IAAI,YACR,IAAI,KAAK,OAAO,UAAU,OAAO,UACjC;EAAE;EAAO;EAAM,CAChB;;AAGH,eAAsB,gBACpB,KACA,OACe;AACf,OAAM,IAAI,YACR,IAAI,KAAK,OAAO,UAAU,OAAO,WACjC,EAAE,OAAO,CACV;;AAkBH,eAAsB,mBACpB,KACA,MAOiB;AACjB,QAAQ,MAAM,IAAI,YAChB,IAAI,KAAK,OAAO,UAAU,OAAO,cACjC,KACD;;AAGH,eAAsB,sBACpB,KACA,gBAC2B;AAC3B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,qBACjC,EAAE,gBAAgB,CACnB;;AAGH,eAAsB,sBACpB,KACA,UAC2B;AAC3B,QAAQ,MAAM,IAAI,SAChB,IAAI,KAAK,OAAO,UAAU,OAAO,qBACjC,EAAE,UAAU,CACb;;AAGH,eAAsB,sBACpB,KACA,UACA,QACA,WACe;AACf,OAAM,IAAI,YACR,IAAI,KAAK,OAAO,UAAU,OAAO,iBACjC;EAAE;EAAU;EAAQ;EAAW,CAChC;;AAGH,eAAsB,6BACpB,KACA,UACA,cACe;AACf,OAAM,IAAI,YACR,IAAI,KAAK,OAAO,UAAU,OAAO,wBACjC;EAAE;EAAU;EAAc,CAC3B;;AAGH,eAAsB,mBACpB,KACA,UACe;AACf,OAAM,IAAI,YACR,IAAI,KAAK,OAAO,UAAU,OAAO,cACjC,EAAE,UAAU,CACb"}

package/dist/server/implementation/users.d.ts

@@ -1,30 +0,0 @@
-import { Doc, MutationCtx } from "./types.js";
-import { AuthProviderMaterializedConfig, ConvexAuthConfig } from "../types.js";
-import { GenericId } from "convex/values";
-
-//#region src/server/implementation/users.d.ts
-type CreateOrUpdateUserArgs = {
-  type: "oauth" | "credentials" | "email" | "phone" | "verification";
-  provider: AuthProviderMaterializedConfig;
-  profile: Record<string, unknown> & {
-    email?: string;
-    phone?: string;
-    emailVerified?: boolean;
-    phoneVerified?: boolean;
-  };
-  shouldLinkViaEmail?: boolean;
-  shouldLinkViaPhone?: boolean;
-};
-declare function upsertUserAndAccount(ctx: MutationCtx, sessionId: GenericId<"session"> | null, account: {
-  existingAccount: Doc<"account">;
-} | {
-  providerAccountId: string;
-  secret?: string;
-}, args: CreateOrUpdateUserArgs, config: ConvexAuthConfig): Promise<{
-  userId: GenericId<"user">;
-  accountId: GenericId<"account">;
-}>;
-declare function getAccountOrThrow(ctx: MutationCtx, existingAccountId: GenericId<"account">, config: ConvexAuthConfig): Promise<any>;
-//#endregion
-export { getAccountOrThrow, upsertUserAndAccount };
-//# sourceMappingURL=users.d.ts.map

package/dist/server/implementation/users.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"users.d.ts","names":[],"sources":["../../../src/server/implementation/users.ts"],"mappings":";;;;;KAOK,sBAAA;EACH,IAAA;EACA,QAAA,EAAU,8BAAA;EACV,OAAA,EAAS,MAAA;IACP,KAAA;IACA,KAAA;IACA,aAAA;IACA,aAAA;EAAA;EAEF,kBAAA;EACA,kBAAA;AAAA;AAAA,iBAGoB,oBAAA,CACpB,GAAA,EAAK,WAAA,EACL,SAAA,EAAW,SAAA,oBACX,OAAA;EACM,eAAA,EAAiB,GAAA;AAAA;EAEjB,iBAAA;EACA,MAAA;AAAA,GAEN,IAAA,EAAM,sBAAA,EACN,MAAA,EAAQ,gBAAA,GACP,OAAA;EACD,MAAA,EAAQ,SAAA;EACR,SAAA,EAAW,SAAA;AAAA;AAAA,iBAgMS,iBAAA,CACpB,GAAA,EAAK,WAAA,EACL,iBAAA,EAAmB,SAAA,aACnB,MAAA,EAAQ,gBAAA,GAAgB,OAAA"}

package/dist/server/implementation/users.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"users.js","names":[],"sources":["../../../src/server/implementation/users.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { AuthProviderMaterializedConfig, ConvexAuthConfig } from \"../types\";\nimport { LOG_LEVELS, logWithLevel } from \"./utils\";\nimport { authDb } from \"./db\";\nimport { throwAuthError } from \"../errors\";\n\ntype CreateOrUpdateUserArgs = {\n  type: \"oauth\" | \"credentials\" | \"email\" | \"phone\" | \"verification\";\n  provider: AuthProviderMaterializedConfig;\n  profile: Record<string, unknown> & {\n    email?: string;\n    phone?: string;\n    emailVerified?: boolean;\n    phoneVerified?: boolean;\n  };\n  shouldLinkViaEmail?: boolean;\n  shouldLinkViaPhone?: boolean;\n};\n\nexport async function upsertUserAndAccount(\n  ctx: MutationCtx,\n  sessionId: GenericId<\"session\"> | null,\n  account:\n    | { existingAccount: Doc<\"account\"> }\n    | {\n        providerAccountId: string;\n        secret?: string;\n      },\n  args: CreateOrUpdateUserArgs,\n  config: ConvexAuthConfig,\n): Promise<{\n  userId: GenericId<\"user\">;\n  accountId: GenericId<\"account\">;\n}> {\n  const userId = await defaultCreateOrUpdateUser(\n    ctx,\n    sessionId,\n    \"existingAccount\" in account ? account.existingAccount : null,\n    args,\n    config,\n  );\n  const accountId = await createOrUpdateAccount(ctx, userId, account, args, config);\n  return { userId, accountId };\n}\n\nasync function defaultCreateOrUpdateUser(\n  ctx: MutationCtx,\n  existingSessionId: GenericId<\"session\"> | null,\n  existingAccount: Doc<\"account\"> | null,\n  args: CreateOrUpdateUserArgs,\n  config: ConvexAuthConfig,\n) {\n  logWithLevel(LOG_LEVELS.DEBUG, \"defaultCreateOrUpdateUser args:\", {\n    existingAccountId: existingAccount?._id,\n    existingSessionId,\n    args,\n  });\n  const existingUserId = existingAccount?.userId ?? null;\n  const db = authDb(ctx, config);\n  if (config.callbacks?.createOrUpdateUser !== undefined) {\n    logWithLevel(LOG_LEVELS.DEBUG, \"Using custom createOrUpdateUser callback\");\n    return await config.callbacks.createOrUpdateUser(ctx, {\n      existingUserId,\n      ...args,\n    });\n  }\n\n  const {\n    provider,\n    profile: {\n      emailVerified: profileEmailVerified,\n      phoneVerified: profilePhoneVerified,\n      ...profile\n    },\n  } = args;\n  const emailVerified =\n    profileEmailVerified ??\n    (provider.type === \"oauth\" &&\n      provider.allowDangerousEmailAccountLinking !== false);\n  const phoneVerified = profilePhoneVerified ?? false;\n  const shouldLinkViaEmail =\n    args.shouldLinkViaEmail || emailVerified || provider.type === \"email\";\n  const shouldLinkViaPhone =\n    args.shouldLinkViaPhone || phoneVerified || provider.type === \"phone\";\n\n  let userId = existingUserId;\n  if (existingUserId === null) {\n    const existingUserWithVerifiedEmailId =\n      typeof profile.email === \"string\" && shouldLinkViaEmail\n        ? (await uniqueUserWithVerifiedEmail(ctx, profile.email, config))?._id ??\n          null\n        : null;\n\n    const existingUserWithVerifiedPhoneId =\n      typeof profile.phone === \"string\" && shouldLinkViaPhone\n        ? (await uniqueUserWithVerifiedPhone(ctx, profile.phone, config))?._id ??\n          null\n        : null;\n    // If there is both email and phone verified user\n    // already we can't link.\n    if (\n      existingUserWithVerifiedEmailId !== null &&\n      existingUserWithVerifiedPhoneId !== null\n    ) {\n      logWithLevel(\n        LOG_LEVELS.DEBUG,\n        `Found existing email and phone verified users, so not linking: email: ${existingUserWithVerifiedEmailId}, phone: ${existingUserWithVerifiedPhoneId}`,\n      );\n      userId = null;\n    } else if (existingUserWithVerifiedEmailId !== null) {\n      logWithLevel(\n        LOG_LEVELS.DEBUG,\n        `Found existing email verified user, linking: ${existingUserWithVerifiedEmailId}`,\n      );\n      userId = existingUserWithVerifiedEmailId;\n    } else if (existingUserWithVerifiedPhoneId !== null) {\n      logWithLevel(\n        LOG_LEVELS.DEBUG,\n        `Found existing phone verified user, linking: ${existingUserWithVerifiedPhoneId}`,\n      );\n      userId = existingUserWithVerifiedPhoneId;\n    } else {\n      logWithLevel(\n        LOG_LEVELS.DEBUG,\n        \"No existing verified users found, creating new user\",\n      );\n      userId = null;\n    }\n  }\n  const userData = {\n    ...(emailVerified ? { emailVerificationTime: Date.now() } : null),\n    ...(phoneVerified ? { phoneVerificationTime: Date.now() } : null),\n    ...profile,\n  };\n  const existingOrLinkedUserId = userId;\n  if (userId !== null) {\n    try {\n      await db.users.patch(userId, userData);\n    } catch (error) {\n      throwAuthError(\"USER_UPDATE_FAILED\", `Could not update user document with ID \\`${userId}\\`, ` +\n          `either the user has been deleted but their account has not, ` +\n          `or the profile data doesn't match the \\`users\\` table schema: ` +\n          `${(error as Error).message}`);\n    }\n  } else {\n    userId = (await db.users.insert(userData)) as GenericId<\"user\">;\n  }\n  const afterUserCreatedOrUpdated = config.callbacks?.afterUserCreatedOrUpdated;\n  if (afterUserCreatedOrUpdated !== undefined) {\n    logWithLevel(\n      LOG_LEVELS.DEBUG,\n      \"Calling custom afterUserCreatedOrUpdated callback\",\n    );\n    await afterUserCreatedOrUpdated(ctx, {\n      userId,\n      existingUserId: existingOrLinkedUserId,\n      ...args,\n    });\n  } else {\n    logWithLevel(\n      LOG_LEVELS.DEBUG,\n      \"No custom afterUserCreatedOrUpdated callback, skipping\",\n    );\n  }\n  return userId;\n}\n\nasync function uniqueUserWithVerifiedEmail(\n  ctx: MutationCtx,\n  email: string,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  return (await db.users.findByVerifiedEmail(email)) as Doc<\"user\"> | null;\n}\n\nasync function uniqueUserWithVerifiedPhone(\n  ctx: MutationCtx,\n  phone: string,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  return (await db.users.findByVerifiedPhone(phone)) as Doc<\"user\"> | null;\n}\n\nasync function createOrUpdateAccount(\n  ctx: MutationCtx,\n  userId: GenericId<\"user\">,\n  account:\n    | { existingAccount: Doc<\"account\"> }\n    | {\n        providerAccountId: string;\n        secret?: string;\n      },\n  args: CreateOrUpdateUserArgs,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const accountId =\n    \"existingAccount\" in account\n      ? account.existingAccount._id\n      : ((await db.accounts.create({\n          userId,\n          provider: args.provider.id,\n          providerAccountId: account.providerAccountId,\n          secret: account.secret,\n        })) as GenericId<\"account\">);\n  // This is never used with the default `createOrUpdateUser` implementation,\n  // but it is used for manual linking via custom `createOrUpdateUser`:\n  if (\n    \"existingAccount\" in account &&\n    account.existingAccount.userId !== userId\n  ) {\n    await db.accounts.patch(accountId, { userId });\n  }\n  if (args.profile.emailVerified) {\n    await db.accounts.patch(accountId, { emailVerified: args.profile.email });\n  }\n  if (args.profile.phoneVerified) {\n    await db.accounts.patch(accountId, { phoneVerified: args.profile.phone });\n  }\n  return accountId;\n}\n\nexport async function getAccountOrThrow(\n  ctx: MutationCtx,\n  existingAccountId: GenericId<\"account\">,\n  config: ConvexAuthConfig,\n) {\n  const existingAccount = await authDb(ctx, config).accounts.getById(existingAccountId);\n  if (existingAccount === null) {\n    throwAuthError(\"ACCOUNT_NOT_FOUND\", `Expected an account to exist for ID \"${existingAccountId}\"`);\n  }\n  return existingAccount;\n}\n"],"mappings":";;;;;AAoBA,eAAsB,qBACpB,KACA,WACA,SAMA,MACA,QAIC;CACD,MAAM,SAAS,MAAM,0BACnB,KACA,WACA,qBAAqB,UAAU,QAAQ,kBAAkB,MACzD,MACA,OACD;AAED,QAAO;EAAE;EAAQ,WADC,MAAM,sBAAsB,KAAK,QAAQ,SAAS,MAAM,OAAO;EACrD;;AAG9B,eAAe,0BACb,KACA,mBACA,iBACA,MACA,QACA;AACA,cAAa,WAAW,OAAO,mCAAmC;EAChE,mBAAmB,iBAAiB;EACpC;EACA;EACD,CAAC;CACF,MAAM,iBAAiB,iBAAiB,UAAU;CAClD,MAAM,KAAK,OAAO,KAAK,OAAO;AAC9B,KAAI,OAAO,WAAW,uBAAuB,QAAW;AACtD,eAAa,WAAW,OAAO,2CAA2C;AAC1E,SAAO,MAAM,OAAO,UAAU,mBAAmB,KAAK;GACpD;GACA,GAAG;GACJ,CAAC;;CAGJ,MAAM,EACJ,UACA,SAAS,EACP,eAAe,sBACf,eAAe,sBACf,GAAG,cAEH;CACJ,MAAM,gBACJ,yBACC,SAAS,SAAS,WACjB,SAAS,sCAAsC;CACnD,MAAM,gBAAgB,wBAAwB;CAC9C,MAAM,qBACJ,KAAK,sBAAsB,iBAAiB,SAAS,SAAS;CAChE,MAAM,qBACJ,KAAK,sBAAsB,iBAAiB,SAAS,SAAS;CAEhE,IAAI,SAAS;AACb,KAAI,mBAAmB,MAAM;EAC3B,MAAM,kCACJ,OAAO,QAAQ,UAAU,YAAY,sBAChC,MAAM,4BAA4B,KAAK,QAAQ,OAAO,OAAO,GAAG,OACjE,OACA;EAEN,MAAM,kCACJ,OAAO,QAAQ,UAAU,YAAY,sBAChC,MAAM,4BAA4B,KAAK,QAAQ,OAAO,OAAO,GAAG,OACjE,OACA;AAGN,MACE,oCAAoC,QACpC,oCAAoC,MACpC;AACA,gBACE,WAAW,OACX,yEAAyE,gCAAgC,WAAW,kCACrH;AACD,YAAS;aACA,oCAAoC,MAAM;AACnD,gBACE,WAAW,OACX,gDAAgD,kCACjD;AACD,YAAS;aACA,oCAAoC,MAAM;AACnD,gBACE,WAAW,OACX,gDAAgD,kCACjD;AACD,YAAS;SACJ;AACL,gBACE,WAAW,OACX,sDACD;AACD,YAAS;;;CAGb,MAAM,WAAW;EACf,GAAI,gBAAgB,EAAE,uBAAuB,KAAK,KAAK,EAAE,GAAG;EAC5D,GAAI,gBAAgB,EAAE,uBAAuB,KAAK,KAAK,EAAE,GAAG;EAC5D,GAAG;EACJ;CACD,MAAM,yBAAyB;AAC/B,KAAI,WAAW,KACb,KAAI;AACF,QAAM,GAAG,MAAM,MAAM,QAAQ,SAAS;UAC/B,OAAO;AACd,iBAAe,sBAAsB,4CAA4C,OAAO,gIAGhF,MAAgB,UAAU;;KAGpC,UAAU,MAAM,GAAG,MAAM,OAAO,SAAS;CAE3C,MAAM,4BAA4B,OAAO,WAAW;AACpD,KAAI,8BAA8B,QAAW;AAC3C,eACE,WAAW,OACX,oDACD;AACD,QAAM,0BAA0B,KAAK;GACnC;GACA,gBAAgB;GAChB,GAAG;GACJ,CAAC;OAEF,cACE,WAAW,OACX,yDACD;AAEH,QAAO;;AAGT,eAAe,4BACb,KACA,OACA,QACA;AAEA,QAAQ,MADG,OAAO,KAAK,OAAO,CACb,MAAM,oBAAoB,MAAM;;AAGnD,eAAe,4BACb,KACA,OACA,QACA;AAEA,QAAQ,MADG,OAAO,KAAK,OAAO,CACb,MAAM,oBAAoB,MAAM;;AAGnD,eAAe,sBACb,KACA,QACA,SAMA,MACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,YACJ,qBAAqB,UACjB,QAAQ,gBAAgB,MACtB,MAAM,GAAG,SAAS,OAAO;EACzB;EACA,UAAU,KAAK,SAAS;EACxB,mBAAmB,QAAQ;EAC3B,QAAQ,QAAQ;EACjB,CAAC;AAGR,KACE,qBAAqB,WACrB,QAAQ,gBAAgB,WAAW,OAEnC,OAAM,GAAG,SAAS,MAAM,WAAW,EAAE,QAAQ,CAAC;AAEhD,KAAI,KAAK,QAAQ,cACf,OAAM,GAAG,SAAS,MAAM,WAAW,EAAE,eAAe,KAAK,QAAQ,OAAO,CAAC;AAE3E,KAAI,KAAK,QAAQ,cACf,OAAM,GAAG,SAAS,MAAM,WAAW,EAAE,eAAe,KAAK,QAAQ,OAAO,CAAC;AAE3E,QAAO;;AAGT,eAAsB,kBACpB,KACA,mBACA,QACA;CACA,MAAM,kBAAkB,MAAM,OAAO,KAAK,OAAO,CAAC,SAAS,QAAQ,kBAAkB;AACrF,KAAI,oBAAoB,KACtB,gBAAe,qBAAqB,wCAAwC,kBAAkB,GAAG;AAEnG,QAAO"}

package/dist/server/implementation/utils.d.ts

@@ -1,19 +0,0 @@
-//#region src/server/implementation/utils.d.ts
-declare const TOKEN_SUB_CLAIM_DIVIDER = "|";
-declare const REFRESH_TOKEN_DIVIDER = "|";
-declare function stringToNumber(value: string | undefined): number | undefined;
-declare function sha256(input: string): Promise<string>;
-declare function generateRandomString(length: number, alphabet: string): string;
-declare function logError(error: unknown): void;
-declare const LOG_LEVELS: {
-  readonly ERROR: "ERROR";
-  readonly WARN: "WARN";
-  readonly INFO: "INFO";
-  readonly DEBUG: "DEBUG";
-};
-type LogLevel = keyof typeof LOG_LEVELS;
-declare function logWithLevel(level: LogLevel, ...args: unknown[]): void;
-declare function maybeRedact(value: string): string;
-//#endregion
-export { LOG_LEVELS, REFRESH_TOKEN_DIVIDER, TOKEN_SUB_CLAIM_DIVIDER, generateRandomString, logError, logWithLevel, maybeRedact, sha256, stringToNumber };
-//# sourceMappingURL=utils.d.ts.map

package/dist/server/implementation/utils.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"utils.d.ts","names":[],"sources":["../../../src/server/implementation/utils.ts"],"mappings":";cAOa,uBAAA;AAAA,cACA,qBAAA;AAAA,iBAEG,cAAA,CAAe,KAAA;AAAA,iBAIT,MAAA,CAAO,KAAA,WAAa,OAAA;AAAA,iBAI1B,oBAAA,CAAqB,MAAA,UAAgB,QAAA;AAAA,iBAUrC,QAAA,CAAS,KAAA;AAAA,cASZ,UAAA;EAAA;;;;;KAMR,QAAA,gBAAwB,UAAA;AAAA,iBAEb,YAAA,CAAa,KAAA,EAAO,QAAA,KAAa,IAAA;AAAA,iBA4BjC,WAAA,CAAY,KAAA"}

package/dist/server/implementation/utils.js

@@ -1,56 +0,0 @@
-import { sha256 as sha256$1 } from "@oslojs/crypto/sha2";
-import { encodeHexLowerCase } from "@oslojs/encoding";
-import { generateRandomString as generateRandomString$1 } from "@oslojs/crypto/random";
-
-//#region src/server/implementation/utils.ts
-const TOKEN_SUB_CLAIM_DIVIDER = "|";
-const REFRESH_TOKEN_DIVIDER = "|";
-function stringToNumber(value) {
-	return value !== void 0 ? Number(value) : void 0;
-}
-async function sha256(input) {
-	return encodeHexLowerCase(sha256$1(new TextEncoder().encode(input)));
-}
-function generateRandomString(length, alphabet) {
-	return generateRandomString$1({ read(bytes) {
-		crypto.getRandomValues(bytes);
-	} }, alphabet, length);
-}
-function logError(error) {
-	logWithLevel(LOG_LEVELS.ERROR, error instanceof Error ? error.message + "\n" + error.stack?.replace("\\n", "\n") : error);
-}
-const LOG_LEVELS = {
-	ERROR: "ERROR",
-	WARN: "WARN",
-	INFO: "INFO",
-	DEBUG: "DEBUG"
-};
-function logWithLevel(level, ...args) {
-	const configuredLogLevel = LOG_LEVELS[process.env.AUTH_LOG_LEVEL ?? "INFO"] ?? "INFO";
-	switch (level) {
-		case "ERROR":
-			console.error(...args);
-			break;
-		case "WARN":
-			if (configuredLogLevel !== "ERROR") console.warn(...args);
-			break;
-		case "INFO":
-			if (configuredLogLevel === "INFO" || configuredLogLevel === "DEBUG") console.info(...args);
-			break;
-		case "DEBUG":
-			if (configuredLogLevel === "DEBUG") console.debug(...args);
-			break;
-	}
-}
-const UNREDACTED_LENGTH = 5;
-function maybeRedact(value) {
-	if (value === "") return "";
-	if (process.env.AUTH_LOG_SECRETS !== "true") {
-		if (value.length < UNREDACTED_LENGTH * 2) return "<redacted>";
-		return value.substring(0, UNREDACTED_LENGTH) + "<redacted>" + value.substring(value.length - UNREDACTED_LENGTH);
-	} else return value;
-}
-
-//#endregion
-export { LOG_LEVELS, REFRESH_TOKEN_DIVIDER, TOKEN_SUB_CLAIM_DIVIDER, generateRandomString, logError, logWithLevel, maybeRedact, sha256, stringToNumber };
-//# sourceMappingURL=utils.js.map