@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/server/implementation/utils.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"utils.js","names":["rawSha256","osloGenerateRandomString"],"sources":["../../../src/server/implementation/utils.ts"],"sourcesContent":["import { sha256 as rawSha256 } from \"@oslojs/crypto/sha2\";\nimport { encodeHexLowerCase } from \"@oslojs/encoding\";\nimport {\n  RandomReader,\n  generateRandomString as osloGenerateRandomString,\n} from \"@oslojs/crypto/random\";\n\nexport const TOKEN_SUB_CLAIM_DIVIDER = \"|\";\nexport const REFRESH_TOKEN_DIVIDER = \"|\";\n\nexport function stringToNumber(value: string | undefined) {\n  return value !== undefined ? Number(value) : undefined;\n}\n\nexport async function sha256(input: string) {\n  return encodeHexLowerCase(rawSha256(new TextEncoder().encode(input)));\n}\n\nexport function generateRandomString(length: number, alphabet: string) {\n  const random: RandomReader = {\n    read(bytes) {\n      crypto.getRandomValues(bytes);\n    },\n  };\n\n  return osloGenerateRandomString(random, alphabet, length);\n}\n\nexport function logError(error: unknown) {\n  logWithLevel(\n    LOG_LEVELS.ERROR,\n    error instanceof Error\n      ? error.message + \"\\n\" + error.stack?.replace(\"\\\\n\", \"\\n\")\n      : error,\n  );\n}\n\nexport const LOG_LEVELS = {\n  ERROR: \"ERROR\",\n  WARN: \"WARN\",\n  INFO: \"INFO\",\n  DEBUG: \"DEBUG\",\n} as const;\ntype LogLevel = keyof typeof LOG_LEVELS;\n\nexport function logWithLevel(level: LogLevel, ...args: unknown[]) {\n  const configuredLogLevel =\n    LOG_LEVELS[\n      (process.env.AUTH_LOG_LEVEL as LogLevel | undefined) ?? \"INFO\"\n    ] ?? \"INFO\";\n  switch (level) {\n    case \"ERROR\":\n      console.error(...args);\n      break;\n    case \"WARN\":\n      if (configuredLogLevel !== \"ERROR\") {\n        console.warn(...args);\n      }\n      break;\n    case \"INFO\":\n      if (configuredLogLevel === \"INFO\" || configuredLogLevel === \"DEBUG\") {\n        console.info(...args);\n      }\n      break;\n    case \"DEBUG\":\n      if (configuredLogLevel === \"DEBUG\") {\n        console.debug(...args);\n      }\n      break;\n  }\n}\n\nconst UNREDACTED_LENGTH = 5;\nexport function maybeRedact(value: string) {\n  if (value === \"\") {\n    return \"\";\n  }\n  const shouldRedact = process.env.AUTH_LOG_SECRETS !== \"true\";\n  if (shouldRedact) {\n    if (value.length < UNREDACTED_LENGTH * 2) {\n      return \"<redacted>\";\n    }\n    return (\n      value.substring(0, UNREDACTED_LENGTH) +\n      \"<redacted>\" +\n      value.substring(value.length - UNREDACTED_LENGTH)\n    );\n  } else {\n    return value;\n  }\n}\n"],"mappings":";;;;;AAOA,MAAa,0BAA0B;AACvC,MAAa,wBAAwB;AAErC,SAAgB,eAAe,OAA2B;AACxD,QAAO,UAAU,SAAY,OAAO,MAAM,GAAG;;AAG/C,eAAsB,OAAO,OAAe;AAC1C,QAAO,mBAAmBA,SAAU,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,CAAC;;AAGvE,SAAgB,qBAAqB,QAAgB,UAAkB;AAOrE,QAAOC,uBANsB,EAC3B,KAAK,OAAO;AACV,SAAO,gBAAgB,MAAM;IAEhC,EAEuC,UAAU,OAAO;;AAG3D,SAAgB,SAAS,OAAgB;AACvC,cACE,WAAW,OACX,iBAAiB,QACb,MAAM,UAAU,OAAO,MAAM,OAAO,QAAQ,OAAO,KAAK,GACxD,MACL;;AAGH,MAAa,aAAa;CACxB,OAAO;CACP,MAAM;CACN,MAAM;CACN,OAAO;CACR;AAGD,SAAgB,aAAa,OAAiB,GAAG,MAAiB;CAChE,MAAM,qBACJ,WACG,QAAQ,IAAI,kBAA2C,WACrD;AACP,SAAQ,OAAR;EACE,KAAK;AACH,WAAQ,MAAM,GAAG,KAAK;AACtB;EACF,KAAK;AACH,OAAI,uBAAuB,QACzB,SAAQ,KAAK,GAAG,KAAK;AAEvB;EACF,KAAK;AACH,OAAI,uBAAuB,UAAU,uBAAuB,QAC1D,SAAQ,KAAK,GAAG,KAAK;AAEvB;EACF,KAAK;AACH,OAAI,uBAAuB,QACzB,SAAQ,MAAM,GAAG,KAAK;AAExB;;;AAIN,MAAM,oBAAoB;AAC1B,SAAgB,YAAY,OAAe;AACzC,KAAI,UAAU,GACZ,QAAO;AAGT,KADqB,QAAQ,IAAI,qBAAqB,QACpC;AAChB,MAAI,MAAM,SAAS,oBAAoB,EACrC,QAAO;AAET,SACE,MAAM,UAAU,GAAG,kBAAkB,GACrC,eACA,MAAM,UAAU,MAAM,SAAS,kBAAkB;OAGnD,QAAO"}

package/dist/server/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","names":[],"sources":["../../src/server/index.ts"],"mappings":";;KAWY,gBAAA;EAAgB,6DAE1B,MAAA;AAAA;;KAIU,WAAA;EAAW,mDAErB,KAAA,iBAFqB;EAIrB,YAAA;EAEA,QAAA;AAAA;;KAIU,UAAA;EACV,IAAA;EACA,KAAA;EACA,OAAA;IACE,IAAA;IACA,QAAA;IACA,MAAA;IACA,QAAA;IACA,MAAA;IACA,OAAA,GAAU,IAAA;EAAA;AAAA;;;;KAOF,aAAA;EAAA,oEAEV,GAAA;;;;;EAKA,QAAA,WAIA;EAFA,YAAA,kBAU8B;EAR9B,OAAA;EAQoD;;;AAGtD;;;;EAHE,gBAAA,KAAqB,OAAA,EAAS,OAAA,eAAsB,OAAA;AAAA;AAAA,KAG1C,aAAA;EAMV,iDAJA,OAAA,EAAS,UAAA,IAIJ;EAFL,QAAA,WAc6B;EAZ7B,KAAA;AAAA;;;;;;;AA4BF;;;iBAhBgB,eAAA,CAAgB,IAAA;;;;;;AAuChC;;;;;;iBAvBgB,gBAAA,CACd,YAAA,6BACA,IAAA,YACC,WAAA;;;;;AA2DH;;;;;;iBAvCgB,oBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA;;;;;;;iBAoCM,qBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,GACP,UAAA;;;AAmDH;;;;;AA6CA;;;iBA7CgB,qBAAA,CAAsB,QAAA,UAAkB,QAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA6CxC,MAAA,CAAO,OAAA,EAAS,aAAA;;;;;;;iBA4Hb,OAAA;;;;;;;;;;kBAaO,OAAA,GAAU,OAAA;;;;;;;;;;;;iBAuBX,OAAA,GAAU,OAAA,CAAQ,QAAA;;;;;;;;;;;;;;mBAuIhB,OAAA,GAAU,OAAA,CAAQ,aAAA;AAAA"}

package/dist/server/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","names":[],"sources":["../../src/server/index.ts"],"sourcesContent":["import { ConvexHttpClient } from \"convex/browser\";\nimport { ConvexError } from \"convex/values\";\nimport { jwtDecode } from \"jwt-decode\";\nimport { parse, serialize } from \"cookie\";\nimport type {\n  SignInAction,\n  SignOutAction,\n} from \"./implementation/index\";\nimport { isLocalHost } from \"./utils\";\n\n/** Cookie lifetime configuration for auth tokens. */\nexport type AuthCookieConfig = {\n  /** Maximum age in seconds, or `null` for session cookies. */\n  maxAge: number | null;\n};\n\n/** Raw cookie values extracted from a request. */\nexport type AuthCookies = {\n  /** The JWT access token, or `null` when absent. */\n  token: string | null;\n  /** The refresh token, or `null` when absent. */\n  refreshToken: string | null;\n  /** The OAuth PKCE verifier, or `null` when absent. */\n  verifier: string | null;\n};\n\n/** A structured cookie ready to be set via any framework's cookie API. */\nexport type AuthCookie = {\n  name: string;\n  value: string;\n  options: {\n    path: string;\n    httpOnly: boolean;\n    secure: boolean;\n    sameSite: \"lax\" | \"strict\" | \"none\";\n    maxAge?: number;\n    expires?: Date;\n  };\n};\n\n/**\n * Options for the SSR auth helper returned by {@link server}.\n */\nexport type ServerOptions = {\n  /** Convex deployment URL (e.g. `https://your-app.convex.cloud`). */\n  url: string;\n  /**\n   * Path the client POSTs auth actions to. Defaults to `\"/api/auth\"`.\n   * Must match the `proxy` option on the client.\n   */\n  apiRoute?: string;\n  /** Cookie `maxAge` in seconds, or `null` for session cookies. */\n  cookieMaxAge?: number | null;\n  /** Enable verbose debug logging for token refresh and cookie operations. */\n  verbose?: boolean;\n  /**\n   * Control whether `refresh()` handles OAuth `?code=` query parameters.\n   *\n   * - `true` (default): always exchange the code on GET requests with `text/html` accept.\n   * - `false`: never exchange — useful when only the client handles codes.\n   * - A function: called with the `Request` for per-request decisions.\n   */\n  shouldHandleCode?: ((request: Request) => boolean | Promise<boolean>) | boolean;\n};\n\nexport type RefreshResult = {\n  /** Structured cookies to set on the response. */\n  cookies: AuthCookie[];\n  /** URL to redirect to (set after OAuth code exchange). */\n  redirect?: string;\n  /** JWT for SSR hydration, or `null` if not authenticated. */\n  token: string | null;\n};\n\n/**\n * Derive the cookie names used for auth tokens.\n *\n * On localhost the names are unprefixed; on production hosts they\n * use the `__Host-` prefix for tighter security.\n *\n * @param host - The `Host` header value. Omit to use unprefixed names.\n * @returns An object with `token`, `refreshToken`, and `verifier` cookie names.\n */\nexport function authCookieNames(host?: string) {\n  const prefix = isLocalHost(host) ? \"\" : \"__Host-\";\n  return {\n    token: `${prefix}__convexAuthJWT`,\n    refreshToken: `${prefix}__convexAuthRefreshToken`,\n    verifier: `${prefix}__convexAuthOAuthVerifier`,\n  };\n}\n\n/**\n * Parse auth cookie values from a raw `Cookie` header string.\n *\n * @param cookieHeader - The raw `Cookie` header, or `null`/`undefined`.\n * @param host - The `Host` header, used to determine cookie name prefixes.\n * @returns Parsed {@link AuthCookies} with `token`, `refreshToken`, and `verifier`.\n */\nexport function parseAuthCookies(\n  cookieHeader: string | null | undefined,\n  host?: string,\n): AuthCookies {\n  const names = authCookieNames(host);\n  const parsed = parse(cookieHeader ?? \"\");\n  return {\n    token: parsed[names.token] ?? null,\n    refreshToken: parsed[names.refreshToken] ?? null,\n    verifier: parsed[names.verifier] ?? null,\n  };\n}\n\n/**\n * Serialize auth cookies into `Set-Cookie` header strings.\n *\n * Nulled-out values produce deletion cookies (maxAge 0, expired date).\n *\n * @param cookies - The auth cookie values to serialize.\n * @param host - The `Host` header, used for cookie name prefixes and `Secure` flag.\n * @param config - Cookie lifetime config. Defaults to session cookies.\n * @returns An array of three `Set-Cookie` header strings.\n */\nexport function serializeAuthCookies(\n  cookies: AuthCookies,\n  host?: string,\n  config: AuthCookieConfig = { maxAge: null },\n) {\n  const names = authCookieNames(host);\n  const secure = !isLocalHost(host);\n  const base = {\n    path: \"/\",\n    httpOnly: true,\n    sameSite: \"lax\" as const,\n    secure,\n  };\n  const maxAge = config.maxAge ?? undefined;\n  return [\n    serialize(names.token, cookies.token ?? \"\", {\n      ...base,\n      maxAge: cookies.token === null ? 0 : maxAge,\n      expires: cookies.token === null ? new Date(0) : undefined,\n    }),\n    serialize(names.refreshToken, cookies.refreshToken ?? \"\", {\n      ...base,\n      maxAge: cookies.refreshToken === null ? 0 : maxAge,\n      expires: cookies.refreshToken === null ? new Date(0) : undefined,\n    }),\n    serialize(names.verifier, cookies.verifier ?? \"\", {\n      ...base,\n      maxAge: cookies.verifier === null ? 0 : maxAge,\n      expires: cookies.verifier === null ? new Date(0) : undefined,\n    }),\n  ];\n}\n\n/**\n * Build structured cookie objects for any SSR framework.\n *\n * Use with SvelteKit's `event.cookies.set()`, TanStack Start's `setCookie()`,\n * Next.js's `cookies().set()`, or any other framework cookie API.\n */\nexport function structuredAuthCookies(\n  cookies: AuthCookies,\n  host?: string,\n  config: AuthCookieConfig = { maxAge: null },\n): AuthCookie[] {\n  const names = authCookieNames(host);\n  const secure = !isLocalHost(host);\n  const base = {\n    path: \"/\" as const,\n    httpOnly: true as const,\n    secure,\n    sameSite: \"lax\" as const,\n  };\n  const maxAge = config.maxAge ?? undefined;\n  return [\n    {\n      name: names.token,\n      value: cookies.token ?? \"\",\n      options: {\n        ...base,\n        maxAge: cookies.token === null ? 0 : maxAge,\n        expires: cookies.token === null ? new Date(0) : undefined,\n      },\n    },\n    {\n      name: names.refreshToken,\n      value: cookies.refreshToken ?? \"\",\n      options: {\n        ...base,\n        maxAge: cookies.refreshToken === null ? 0 : maxAge,\n        expires: cookies.refreshToken === null ? new Date(0) : undefined,\n      },\n    },\n    {\n      name: names.verifier,\n      value: cookies.verifier ?? \"\",\n      options: {\n        ...base,\n        maxAge: cookies.verifier === null ? 0 : maxAge,\n        expires: cookies.verifier === null ? new Date(0) : undefined,\n      },\n    },\n  ];\n}\n\n/**\n * Check whether a request pathname matches the auth proxy route.\n *\n * Handles trailing-slash ambiguity: both `/api/auth` and `/api/auth/`\n * match regardless of how `apiRoute` is configured.\n *\n * @param pathname - The request URL pathname.\n * @param apiRoute - The configured proxy route (e.g. `\"/api/auth\"`).\n * @returns `true` when the pathname matches the proxy route.\n */\nexport function shouldProxyAuthAction(pathname: string, apiRoute: string) {\n  if (apiRoute.endsWith(\"/\")) {\n    return pathname === apiRoute || pathname === apiRoute.slice(0, -1);\n  }\n  return pathname === apiRoute || pathname === `${apiRoute}/`;\n}\n\nconst REQUIRED_TOKEN_LIFETIME_MS = 60_000;\nconst MINIMUM_REQUIRED_TOKEN_LIFETIME_MS = 10_000;\n\ntype DecodedToken = { exp?: number; iat?: number };\n\n/**\n * Create an SSR auth helper for server-side frameworks.\n *\n * Handles cookie-based token management, OAuth code exchange,\n * and automatic JWT refresh on page loads. Works with any\n * framework that gives you a `Request` object — SvelteKit,\n * TanStack Start, Remix, Next.js, etc.\n *\n * @param options - SSR configuration (Convex URL, proxy route, cookie lifetime).\n * @returns An object with `token`, `verify`, `proxy`, and `refresh` methods.\n *\n * @example SvelteKit hooks\n * ```ts\n * // src/hooks.server.ts\n * import { server } from '@robelest/convex-auth/server';\n *\n * const auth = server({ url: CONVEX_URL });\n *\n * export const handle = async ({ event, resolve }) => {\n *   const { cookies, token } = await auth.refresh(event.request);\n *   for (const c of cookies) event.cookies.set(c.name, c.value, c.options);\n *   event.locals.token = token;\n *   return resolve(event);\n * };\n * ```\n *\n * @example Generic proxy endpoint\n * ```ts\n * if (shouldProxyAuthAction(url.pathname, '/api/auth')) {\n *   return auth.proxy(request);\n * }\n * ```\n */\nexport function server(options: ServerOptions) {\n  const convexUrl = options.url;\n  const apiRoute = options.apiRoute ?? \"/api/auth\";\n  const cookieConfig = { maxAge: options.cookieMaxAge ?? null };\n  const verbose = options.verbose ?? false;\n\n  const logVerbose = (message: string) => {\n    if (!verbose) {\n      return;\n    }\n    console.debug(\n      `${new Date().toISOString()} [convex-auth/server] ${message}`,\n    );\n  };\n\n  const cookieHost = (request: Request) => {\n    return request.headers.get(\"host\") ?? new URL(request.url).host;\n  };\n\n  const parseRequestCookies = (request: Request) => {\n    return parseAuthCookies(request.headers.get(\"cookie\"), cookieHost(request));\n  };\n\n  const attachCookies = (response: Response, cookies: string[]) => {\n    for (const value of cookies) {\n      response.headers.append(\"Set-Cookie\", value);\n    }\n    return response;\n  };\n\n  const jsonResponse = (body: unknown, status = 200) => {\n    return new Response(JSON.stringify(body), {\n      status,\n      headers: {\n        \"Content-Type\": \"application/json\",\n      },\n    });\n  };\n\n  const isCorsRequest = (request: Request) => {\n    const originHeader = request.headers.get(\"origin\");\n    if (originHeader === null) {\n      return false;\n    }\n    const requestUrl = new URL(request.url);\n    const originUrl = new URL(originHeader);\n    return (\n      originUrl.host !== requestUrl.host ||\n      originUrl.protocol !== requestUrl.protocol\n    );\n  };\n\n  const decodeToken = (token: string): DecodedToken | null => {\n    try {\n      return jwtDecode<DecodedToken>(token);\n    } catch {\n      return null;\n    }\n  };\n\n  const convexClient = (token?: string | null) => {\n    const client = new ConvexHttpClient(convexUrl);\n    if (token !== undefined && token !== null) {\n      client.setAuth(token);\n    }\n    return client;\n  };\n\n  const refreshTokens = async (\n    request: Request,\n  ): Promise<{ token: string; refreshToken: string } | null | undefined> => {\n    const cookies = parseRequestCookies(request);\n    const { token, refreshToken } = cookies;\n    if (refreshToken === null && token === null) {\n      logVerbose(\"No auth cookies found, skipping refresh\");\n      return undefined;\n    }\n    if (refreshToken === null || token === null) {\n      logVerbose(\"Only one auth cookie present, clearing auth cookies\");\n      return null;\n    }\n    const decodedToken = decodeToken(token);\n    if (decodedToken?.exp === undefined || decodedToken.iat === undefined) {\n      logVerbose(\"Failed to decode token, clearing auth cookies\");\n      return null;\n    }\n    const totalTokenLifetimeMs = decodedToken.exp * 1000 - decodedToken.iat * 1000;\n    const minimumExpiration =\n      Date.now() +\n      Math.min(\n        REQUIRED_TOKEN_LIFETIME_MS,\n        Math.max(MINIMUM_REQUIRED_TOKEN_LIFETIME_MS, totalTokenLifetimeMs / 10),\n      );\n    if (decodedToken.exp * 1000 > minimumExpiration) {\n      logVerbose(\"Token valid long enough, skipping refresh\");\n      return undefined;\n    }\n\n    try {\n      const result = await convexClient().action(\n        \"auth:signIn\" as unknown as SignInAction,\n        {\n          refreshToken,\n        },\n      );\n      if (result.tokens === undefined) {\n        throw new Error(\"Invalid `auth:signIn` result for token refresh\");\n      }\n      logVerbose(`Refreshed tokens, null=${result.tokens === null}`);\n      return result.tokens;\n    } catch (error) {\n      console.error(error);\n      logVerbose(\"Token refresh failed, clearing auth cookies\");\n      return null;\n    }\n  };\n\n  return {\n    /**\n     * Read the JWT from the request cookies without any validation.\n     *\n     * @param request - The incoming HTTP request.\n     * @returns The raw JWT string, or `null` when no token cookie exists.\n     */\n    token(request: Request): string | null {\n      return parseRequestCookies(request).token;\n    },\n\n    /**\n     * Check whether the request carries a non-expired JWT.\n     *\n     * Performs local expiration checking only (no network call).\n     * Use for lightweight auth guards in middleware.\n     *\n     * @param request - The incoming HTTP request.\n     * @returns `true` when a valid, non-expired JWT exists in the cookies.\n     */\n    async verify(request: Request): Promise<boolean> {\n      const token = parseRequestCookies(request).token;\n      if (token === null) {\n        return false;\n      }\n      const decodedToken = decodeToken(token);\n      if (decodedToken?.exp === undefined) {\n        return false;\n      }\n      return decodedToken.exp * 1000 > Date.now();\n    },\n\n    /**\n     * Handle a proxied `signIn` or `signOut` POST from the client.\n     *\n     * Validates the route, method, and origin, then forwards the\n     * action to Convex and returns a `Response` with updated\n     * `Set-Cookie` headers. The client never sees the real\n     * refresh token — it stays in httpOnly cookies.\n     *\n     * @param request - The incoming POST request from the client.\n     * @returns A JSON `Response` with auth result and cookie headers.\n     */\n    async proxy(request: Request): Promise<Response> {\n      const requestUrl = new URL(request.url);\n      if (!shouldProxyAuthAction(requestUrl.pathname, apiRoute)) {\n        return new Response(\"Invalid route\", { status: 404 });\n      }\n      if (request.method !== \"POST\") {\n        return new Response(\"Invalid method\", { status: 405 });\n      }\n      if (isCorsRequest(request)) {\n        return new Response(\"Invalid origin\", { status: 403 });\n      }\n\n      const body = await request.json();\n      const action = body.action as string;\n      const args = (body.args ?? {}) as Record<string, any>;\n\n      if (action !== \"auth:signIn\" && action !== \"auth:signOut\") {\n        return new Response(\"Invalid action\", { status: 400 });\n      }\n\n      const currentCookies = parseRequestCookies(request);\n      const host = cookieHost(request);\n\n      if (action === \"auth:signIn\") {\n        if (args.refreshToken !== undefined) {\n          if (currentCookies.refreshToken === null) {\n            return jsonResponse({ tokens: null });\n          }\n          args.refreshToken = currentCookies.refreshToken;\n        }\n        const client = convexClient(\n          args.refreshToken !== undefined || args.params?.code !== undefined\n            ? null\n            : currentCookies.token,\n        );\n\n        try {\n          const result = await client.action(\n            \"auth:signIn\" as unknown as SignInAction,\n            args,\n          );\n          if (result.redirect !== undefined) {\n            const response = jsonResponse({ redirect: result.redirect });\n            return attachCookies(\n              response,\n              serializeAuthCookies(\n                {\n                  ...currentCookies,\n                  verifier: result.verifier ?? null,\n                },\n                host,\n                cookieConfig,\n              ),\n            );\n          }\n          if (result.tokens !== undefined) {\n            const response = jsonResponse({\n              tokens:\n                result.tokens === null\n                  ? null\n                  : { token: result.tokens.token, refreshToken: \"dummy\" },\n            });\n            return attachCookies(\n              response,\n              serializeAuthCookies(\n                {\n                  token: result.tokens?.token ?? null,\n                  refreshToken: result.tokens?.refreshToken ?? null,\n                  verifier: null,\n                },\n                host,\n                cookieConfig,\n              ),\n            );\n          }\n          return jsonResponse(result);\n        } catch (error: unknown) {\n          // Forward structured error data when available (ConvexError with { code, message }).\n          const errorBody =\n            error instanceof ConvexError &&\n            typeof error.data === \"object\" &&\n            error.data !== null &&\n            \"code\" in error.data\n              ? { error: (error.data as { message?: string }).message ?? String(error), authError: error.data }\n              : { error: error instanceof Error ? error.message : String(error) };\n          const response = jsonResponse(errorBody, 400);\n          return attachCookies(\n            response,\n            serializeAuthCookies(\n              {\n                token: null,\n                refreshToken: null,\n                verifier: null,\n              },\n              host,\n              cookieConfig,\n            ),\n          );\n        }\n      }\n\n      try {\n        await convexClient(currentCookies.token).action(\n          \"auth:signOut\" as unknown as SignOutAction,\n        );\n      } catch (error) {\n        console.error(error);\n      }\n      return attachCookies(\n        jsonResponse(null),\n        serializeAuthCookies(\n          {\n            token: null,\n            refreshToken: null,\n            verifier: null,\n          },\n          host,\n          cookieConfig,\n        ),\n      );\n    },\n\n    /**\n     * Refresh auth tokens on page load.\n     *\n     * Call this in your server hooks/middleware on every request.\n     * It handles three scenarios:\n     *\n     * 1. **OAuth code exchange** — exchanges a `?code=` query param for tokens and returns a redirect URL.\n     * 2. **Token refresh** — refreshes the JWT if it's close to expiry.\n     * 3. **No-op** — returns the existing token when no refresh is needed.\n     *\n     * @param request - The incoming HTTP request.\n     * @returns Structured cookies to set on the response, an optional redirect URL, and the current JWT.\n     */\n    async refresh(request: Request): Promise<RefreshResult> {\n      const host = cookieHost(request);\n      const currentToken = parseRequestCookies(request).token;\n\n      // CORS request — clear all auth cookies.\n      if (isCorsRequest(request)) {\n        return {\n          cookies: structuredAuthCookies(\n            { token: null, refreshToken: null, verifier: null },\n            host,\n            cookieConfig,\n          ),\n          token: null,\n        };\n      }\n\n      // OAuth code exchange — exchange code for tokens and redirect.\n      const requestUrl = new URL(request.url);\n      const code = requestUrl.searchParams.get(\"code\");\n      const shouldHandleCode =\n        options.shouldHandleCode === undefined\n          ? true\n          : typeof options.shouldHandleCode === \"function\"\n            ? await options.shouldHandleCode(request)\n            : options.shouldHandleCode;\n\n      if (\n        code !== null &&\n        request.method === \"GET\" &&\n        request.headers.get(\"accept\")?.includes(\"text/html\") &&\n        shouldHandleCode\n      ) {\n        const requestCookies = parseRequestCookies(request);\n        const redirectUrl = new URL(requestUrl);\n        redirectUrl.searchParams.delete(\"code\");\n        try {\n          const result = await convexClient().action(\n            \"auth:signIn\" as unknown as SignInAction,\n            {\n              params: { code },\n              verifier: requestCookies.verifier ?? undefined,\n            },\n          );\n          if (result.tokens === undefined) {\n            throw new Error(\"Invalid `auth:signIn` result for code exchange\");\n          }\n          return {\n            cookies: structuredAuthCookies(\n              {\n                token: result.tokens?.token ?? null,\n                refreshToken: result.tokens?.refreshToken ?? null,\n                verifier: null,\n              },\n              host,\n              cookieConfig,\n            ),\n            redirect: redirectUrl.toString(),\n            token: result.tokens?.token ?? null,\n          };\n        } catch (error) {\n          console.error(error);\n          return {\n            cookies: structuredAuthCookies(\n              { token: null, refreshToken: null, verifier: null },\n              host,\n              cookieConfig,\n            ),\n            redirect: redirectUrl.toString(),\n            token: null,\n          };\n        }\n      }\n\n      // Normal page load — refresh tokens if needed.\n      const tokens = await refreshTokens(request);\n      if (tokens === undefined) {\n        // No refresh needed — return current token for hydration.\n        return { cookies: [], token: currentToken };\n      }\n      return {\n        cookies: structuredAuthCookies(\n          {\n            token: tokens?.token ?? null,\n            refreshToken: tokens?.refreshToken ?? null,\n            verifier: null,\n          },\n          host,\n          cookieConfig,\n        ),\n        token: tokens?.token ?? null,\n      };\n    },\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAmFA,SAAgB,gBAAgB,MAAe;CAC7C,MAAM,SAAS,YAAY,KAAK,GAAG,KAAK;AACxC,QAAO;EACL,OAAO,GAAG,OAAO;EACjB,cAAc,GAAG,OAAO;EACxB,UAAU,GAAG,OAAO;EACrB;;;;;;;;;AAUH,SAAgB,iBACd,cACA,MACa;CACb,MAAM,QAAQ,gBAAgB,KAAK;CACnC,MAAM,SAAS,MAAM,gBAAgB,GAAG;AACxC,QAAO;EACL,OAAO,OAAO,MAAM,UAAU;EAC9B,cAAc,OAAO,MAAM,iBAAiB;EAC5C,UAAU,OAAO,MAAM,aAAa;EACrC;;;;;;;;;;;;AAaH,SAAgB,qBACd,SACA,MACA,SAA2B,EAAE,QAAQ,MAAM,EAC3C;CACA,MAAM,QAAQ,gBAAgB,KAAK;CAEnC,MAAM,OAAO;EACX,MAAM;EACN,UAAU;EACV,UAAU;EACV,QALa,CAAC,YAAY,KAAK;EAMhC;CACD,MAAM,SAAS,OAAO,UAAU;AAChC,QAAO;EACL,UAAU,MAAM,OAAO,QAAQ,SAAS,IAAI;GAC1C,GAAG;GACH,QAAQ,QAAQ,UAAU,OAAO,IAAI;GACrC,SAAS,QAAQ,UAAU,uBAAO,IAAI,KAAK,EAAE,GAAG;GACjD,CAAC;EACF,UAAU,MAAM,cAAc,QAAQ,gBAAgB,IAAI;GACxD,GAAG;GACH,QAAQ,QAAQ,iBAAiB,OAAO,IAAI;GAC5C,SAAS,QAAQ,iBAAiB,uBAAO,IAAI,KAAK,EAAE,GAAG;GACxD,CAAC;EACF,UAAU,MAAM,UAAU,QAAQ,YAAY,IAAI;GAChD,GAAG;GACH,QAAQ,QAAQ,aAAa,OAAO,IAAI;GACxC,SAAS,QAAQ,aAAa,uBAAO,IAAI,KAAK,EAAE,GAAG;GACpD,CAAC;EACH;;;;;;;;AASH,SAAgB,sBACd,SACA,MACA,SAA2B,EAAE,QAAQ,MAAM,EAC7B;CACd,MAAM,QAAQ,gBAAgB,KAAK;CAEnC,MAAM,OAAO;EACX,MAAM;EACN,UAAU;EACV,QAJa,CAAC,YAAY,KAAK;EAK/B,UAAU;EACX;CACD,MAAM,SAAS,OAAO,UAAU;AAChC,QAAO;EACL;GACE,MAAM,MAAM;GACZ,OAAO,QAAQ,SAAS;GACxB,SAAS;IACP,GAAG;IACH,QAAQ,QAAQ,UAAU,OAAO,IAAI;IACrC,SAAS,QAAQ,UAAU,uBAAO,IAAI,KAAK,EAAE,GAAG;IACjD;GACF;EACD;GACE,MAAM,MAAM;GACZ,OAAO,QAAQ,gBAAgB;GAC/B,SAAS;IACP,GAAG;IACH,QAAQ,QAAQ,iBAAiB,OAAO,IAAI;IAC5C,SAAS,QAAQ,iBAAiB,uBAAO,IAAI,KAAK,EAAE,GAAG;IACxD;GACF;EACD;GACE,MAAM,MAAM;GACZ,OAAO,QAAQ,YAAY;GAC3B,SAAS;IACP,GAAG;IACH,QAAQ,QAAQ,aAAa,OAAO,IAAI;IACxC,SAAS,QAAQ,aAAa,uBAAO,IAAI,KAAK,EAAE,GAAG;IACpD;GACF;EACF;;;;;;;;;;;;AAaH,SAAgB,sBAAsB,UAAkB,UAAkB;AACxE,KAAI,SAAS,SAAS,IAAI,CACxB,QAAO,aAAa,YAAY,aAAa,SAAS,MAAM,GAAG,GAAG;AAEpE,QAAO,aAAa,YAAY,aAAa,GAAG,SAAS;;AAG3D,MAAM,6BAA6B;AACnC,MAAM,qCAAqC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqC3C,SAAgB,OAAO,SAAwB;CAC7C,MAAM,YAAY,QAAQ;CAC1B,MAAM,WAAW,QAAQ,YAAY;CACrC,MAAM,eAAe,EAAE,QAAQ,QAAQ,gBAAgB,MAAM;CAC7D,MAAM,UAAU,QAAQ,WAAW;CAEnC,MAAM,cAAc,YAAoB;AACtC,MAAI,CAAC,QACH;AAEF,UAAQ,MACN,oBAAG,IAAI,MAAM,EAAC,aAAa,CAAC,wBAAwB,UACrD;;CAGH,MAAM,cAAc,YAAqB;AACvC,SAAO,QAAQ,QAAQ,IAAI,OAAO,IAAI,IAAI,IAAI,QAAQ,IAAI,CAAC;;CAG7D,MAAM,uBAAuB,YAAqB;AAChD,SAAO,iBAAiB,QAAQ,QAAQ,IAAI,SAAS,EAAE,WAAW,QAAQ,CAAC;;CAG7E,MAAM,iBAAiB,UAAoB,YAAsB;AAC/D,OAAK,MAAM,SAAS,QAClB,UAAS,QAAQ,OAAO,cAAc,MAAM;AAE9C,SAAO;;CAGT,MAAM,gBAAgB,MAAe,SAAS,QAAQ;AACpD,SAAO,IAAI,SAAS,KAAK,UAAU,KAAK,EAAE;GACxC;GACA,SAAS,EACP,gBAAgB,oBACjB;GACF,CAAC;;CAGJ,MAAM,iBAAiB,YAAqB;EAC1C,MAAM,eAAe,QAAQ,QAAQ,IAAI,SAAS;AAClD,MAAI,iBAAiB,KACnB,QAAO;EAET,MAAM,aAAa,IAAI,IAAI,QAAQ,IAAI;EACvC,MAAM,YAAY,IAAI,IAAI,aAAa;AACvC,SACE,UAAU,SAAS,WAAW,QAC9B,UAAU,aAAa,WAAW;;CAItC,MAAM,eAAe,UAAuC;AAC1D,MAAI;AACF,UAAO,UAAwB,MAAM;UAC/B;AACN,UAAO;;;CAIX,MAAM,gBAAgB,UAA0B;EAC9C,MAAM,SAAS,IAAI,iBAAiB,UAAU;AAC9C,MAAI,UAAU,UAAa,UAAU,KACnC,QAAO,QAAQ,MAAM;AAEvB,SAAO;;CAGT,MAAM,gBAAgB,OACpB,YACwE;EAExE,MAAM,EAAE,OAAO,iBADC,oBAAoB,QAAQ;AAE5C,MAAI,iBAAiB,QAAQ,UAAU,MAAM;AAC3C,cAAW,0CAA0C;AACrD;;AAEF,MAAI,iBAAiB,QAAQ,UAAU,MAAM;AAC3C,cAAW,sDAAsD;AACjE,UAAO;;EAET,MAAM,eAAe,YAAY,MAAM;AACvC,MAAI,cAAc,QAAQ,UAAa,aAAa,QAAQ,QAAW;AACrE,cAAW,gDAAgD;AAC3D,UAAO;;EAET,MAAM,uBAAuB,aAAa,MAAM,MAAO,aAAa,MAAM;EAC1E,MAAM,oBACJ,KAAK,KAAK,GACV,KAAK,IACH,4BACA,KAAK,IAAI,oCAAoC,uBAAuB,GAAG,CACxE;AACH,MAAI,aAAa,MAAM,MAAO,mBAAmB;AAC/C,cAAW,4CAA4C;AACvD;;AAGF,MAAI;GACF,MAAM,SAAS,MAAM,cAAc,CAAC,OAClC,eACA,EACE,cACD,CACF;AACD,OAAI,OAAO,WAAW,OACpB,OAAM,IAAI,MAAM,iDAAiD;AAEnE,cAAW,0BAA0B,OAAO,WAAW,OAAO;AAC9D,UAAO,OAAO;WACP,OAAO;AACd,WAAQ,MAAM,MAAM;AACpB,cAAW,8CAA8C;AACzD,UAAO;;;AAIX,QAAO;EAOL,MAAM,SAAiC;AACrC,UAAO,oBAAoB,QAAQ,CAAC;;EAYtC,MAAM,OAAO,SAAoC;GAC/C,MAAM,QAAQ,oBAAoB,QAAQ,CAAC;AAC3C,OAAI,UAAU,KACZ,QAAO;GAET,MAAM,eAAe,YAAY,MAAM;AACvC,OAAI,cAAc,QAAQ,OACxB,QAAO;AAET,UAAO,aAAa,MAAM,MAAO,KAAK,KAAK;;EAc7C,MAAM,MAAM,SAAqC;AAE/C,OAAI,CAAC,sBADc,IAAI,IAAI,QAAQ,IAAI,CACD,UAAU,SAAS,CACvD,QAAO,IAAI,SAAS,iBAAiB,EAAE,QAAQ,KAAK,CAAC;AAEvD,OAAI,QAAQ,WAAW,OACrB,QAAO,IAAI,SAAS,kBAAkB,EAAE,QAAQ,KAAK,CAAC;AAExD,OAAI,cAAc,QAAQ,CACxB,QAAO,IAAI,SAAS,kBAAkB,EAAE,QAAQ,KAAK,CAAC;GAGxD,MAAM,OAAO,MAAM,QAAQ,MAAM;GACjC,MAAM,SAAS,KAAK;GACpB,MAAM,OAAQ,KAAK,QAAQ,EAAE;AAE7B,OAAI,WAAW,iBAAiB,WAAW,eACzC,QAAO,IAAI,SAAS,kBAAkB,EAAE,QAAQ,KAAK,CAAC;GAGxD,MAAM,iBAAiB,oBAAoB,QAAQ;GACnD,MAAM,OAAO,WAAW,QAAQ;AAEhC,OAAI,WAAW,eAAe;AAC5B,QAAI,KAAK,iBAAiB,QAAW;AACnC,SAAI,eAAe,iBAAiB,KAClC,QAAO,aAAa,EAAE,QAAQ,MAAM,CAAC;AAEvC,UAAK,eAAe,eAAe;;IAErC,MAAM,SAAS,aACb,KAAK,iBAAiB,UAAa,KAAK,QAAQ,SAAS,SACrD,OACA,eAAe,MACpB;AAED,QAAI;KACF,MAAM,SAAS,MAAM,OAAO,OAC1B,eACA,KACD;AACD,SAAI,OAAO,aAAa,OAEtB,QAAO,cADU,aAAa,EAAE,UAAU,OAAO,UAAU,CAAC,EAG1D,qBACE;MACE,GAAG;MACH,UAAU,OAAO,YAAY;MAC9B,EACD,MACA,aACD,CACF;AAEH,SAAI,OAAO,WAAW,OAOpB,QAAO,cANU,aAAa,EAC5B,QACE,OAAO,WAAW,OACd,OACA;MAAE,OAAO,OAAO,OAAO;MAAO,cAAc;MAAS,EAC5D,CAAC,EAGA,qBACE;MACE,OAAO,OAAO,QAAQ,SAAS;MAC/B,cAAc,OAAO,QAAQ,gBAAgB;MAC7C,UAAU;MACX,EACD,MACA,aACD,CACF;AAEH,YAAO,aAAa,OAAO;aACpB,OAAgB;AAUvB,YAAO,cADU,aANf,iBAAiB,eACjB,OAAO,MAAM,SAAS,YACtB,MAAM,SAAS,QACf,UAAU,MAAM,OACZ;MAAE,OAAQ,MAAM,KAA8B,WAAW,OAAO,MAAM;MAAE,WAAW,MAAM;MAAM,GAC/F,EAAE,OAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,EAAE,EAC9B,IAAI,EAG3C,qBACE;MACE,OAAO;MACP,cAAc;MACd,UAAU;MACX,EACD,MACA,aACD,CACF;;;AAIL,OAAI;AACF,UAAM,aAAa,eAAe,MAAM,CAAC,OACvC,eACD;YACM,OAAO;AACd,YAAQ,MAAM,MAAM;;AAEtB,UAAO,cACL,aAAa,KAAK,EAClB,qBACE;IACE,OAAO;IACP,cAAc;IACd,UAAU;IACX,EACD,MACA,aACD,CACF;;EAgBH,MAAM,QAAQ,SAA0C;GACtD,MAAM,OAAO,WAAW,QAAQ;GAChC,MAAM,eAAe,oBAAoB,QAAQ,CAAC;AAGlD,OAAI,cAAc,QAAQ,CACxB,QAAO;IACL,SAAS,sBACP;KAAE,OAAO;KAAM,cAAc;KAAM,UAAU;KAAM,EACnD,MACA,aACD;IACD,OAAO;IACR;GAIH,MAAM,aAAa,IAAI,IAAI,QAAQ,IAAI;GACvC,MAAM,OAAO,WAAW,aAAa,IAAI,OAAO;GAChD,MAAM,mBACJ,QAAQ,qBAAqB,SACzB,OACA,OAAO,QAAQ,qBAAqB,aAClC,MAAM,QAAQ,iBAAiB,QAAQ,GACvC,QAAQ;AAEhB,OACE,SAAS,QACT,QAAQ,WAAW,SACnB,QAAQ,QAAQ,IAAI,SAAS,EAAE,SAAS,YAAY,IACpD,kBACA;IACA,MAAM,iBAAiB,oBAAoB,QAAQ;IACnD,MAAM,cAAc,IAAI,IAAI,WAAW;AACvC,gBAAY,aAAa,OAAO,OAAO;AACvC,QAAI;KACF,MAAM,SAAS,MAAM,cAAc,CAAC,OAClC,eACA;MACE,QAAQ,EAAE,MAAM;MAChB,UAAU,eAAe,YAAY;MACtC,CACF;AACD,SAAI,OAAO,WAAW,OACpB,OAAM,IAAI,MAAM,iDAAiD;AAEnE,YAAO;MACL,SAAS,sBACP;OACE,OAAO,OAAO,QAAQ,SAAS;OAC/B,cAAc,OAAO,QAAQ,gBAAgB;OAC7C,UAAU;OACX,EACD,MACA,aACD;MACD,UAAU,YAAY,UAAU;MAChC,OAAO,OAAO,QAAQ,SAAS;MAChC;aACM,OAAO;AACd,aAAQ,MAAM,MAAM;AACpB,YAAO;MACL,SAAS,sBACP;OAAE,OAAO;OAAM,cAAc;OAAM,UAAU;OAAM,EACnD,MACA,aACD;MACD,UAAU,YAAY,UAAU;MAChC,OAAO;MACR;;;GAKL,MAAM,SAAS,MAAM,cAAc,QAAQ;AAC3C,OAAI,WAAW,OAEb,QAAO;IAAE,SAAS,EAAE;IAAE,OAAO;IAAc;AAE7C,UAAO;IACL,SAAS,sBACP;KACE,OAAO,QAAQ,SAAS;KACxB,cAAc,QAAQ,gBAAgB;KACtC,UAAU;KACX,EACD,MACA,aACD;IACD,OAAO,QAAQ,SAAS;IACzB;;EAEJ"}

package/dist/server/oauth.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"oauth.d.ts","names":[],"sources":["../../src/server/oauth.ts"],"mappings":";;;;UAqBiB,WAAA;EACf,IAAA;EACA,KAAA;EACA,OAAA,EAAS,MAAA;AAAA;;UAIM,mBAAA;EACf,QAAA;EACA,OAAA,EAAS,WAAA;EACT,SAAA;AAAA;;UAIe,cAAA;EACf,OAAA,EAAS,YAAA;EACT,iBAAA;EACA,OAAA,EAAS,WAAA;EACT,SAAA;AAAA;;;;;iBAkDc,yBAAA,CAAA;EACd,YAAA;EACA;AAAA;EAEA,YAAA;EACA,KAAA;AAAA;AAAA,iBAWc,WAAA,CAAY,UAAA;;;;;;iBA6DN,2BAAA,CACpB,UAAA,UACA,cAAA,OACA,WAAA,EAAa,mBAAA,GACZ,OAAA,CAAQ,mBAAA;;;;;iBA0CW,mBAAA,CACpB,UAAA,UACA,cAAA,OACA,WAAA,EAAa,mBAAA,EACb,MAAA,EAAQ,MAAA,kBACR,OAAA,EAAS,MAAA,+BACR,OAAA,CAAQ,cAAA"}

package/dist/server/providers.d.ts

@@ -1,72 +0,0 @@
-import { ApiKeyConfig, AuthComponentApi, AuthProviderConfig, AuthProviderMaterializedConfig, ConvexAuthConfig, EmailTransport } from "./types.js";
-import * as convex_server86 from "convex/server";
-import * as convex_values0 from "convex/values";
-
-//#region src/server/providers.d.ts
-/**
- * Resolve raw provider configs into materialized form and apply defaults.
- *
- * @internal
- */
-declare function configDefaults(config_: ConvexAuthConfig): {
-  extraProviders: AuthProviderMaterializedConfig[];
-  providers: AuthProviderMaterializedConfig[];
-  component: AuthComponentApi;
-  session?: {
-    totalDurationMs?: number;
-    inactiveDurationMs?: number;
-  };
-  jwt?: {
-    durationMs?: number;
-  };
-  signIn?: {
-    maxFailedAttempsPerHour?: number;
-  };
-  apiKeys?: ApiKeyConfig;
-  email?: EmailTransport;
-  callbacks?: {
-    redirect?: (params: {
-      redirectTo: string;
-    }) => Promise<string>;
-    createOrUpdateUser?: (ctx: convex_server86.GenericMutationCtx<convex_server86.AnyDataModel>, args: {
-      existingUserId: convex_values0.GenericId<"user"> | null;
-      type: "oauth" | "credentials" | "email" | "phone" | "verification";
-      provider: AuthProviderMaterializedConfig;
-      profile: Record<string, unknown> & {
-        email?: string;
-        phone?: string;
-        emailVerified?: boolean;
-        phoneVerified?: boolean;
-      };
-      shouldLink?: boolean;
-    }) => Promise<convex_values0.GenericId<"user">>;
-    afterUserCreatedOrUpdated?: (ctx: convex_server86.GenericMutationCtx<convex_server86.AnyDataModel>, args: {
-      userId: convex_values0.GenericId<"user">;
-      existingUserId: convex_values0.GenericId<"user"> | null;
-      type: "oauth" | "credentials" | "email" | "phone" | "verification";
-      provider: AuthProviderMaterializedConfig;
-      profile: Record<string, unknown> & {
-        email?: string;
-        phone?: string;
-        emailVerified?: boolean;
-        phoneVerified?: boolean;
-      };
-      shouldLink?: boolean;
-    }) => Promise<void>;
-  };
-};
-/**
- * Materialize a single provider config into its runtime form.
- *
- * @internal
- */
-declare function materializeProvider(provider: AuthProviderConfig): AuthProviderMaterializedConfig;
-/**
- * List available provider IDs for error messages.
- *
- * @internal
- */
-declare function listAvailableProviders(config: ReturnType<typeof configDefaults>, allowExtraProviders: boolean): string;
-//#endregion
-export { configDefaults, listAvailableProviders, materializeProvider };
-//# sourceMappingURL=providers.d.ts.map

package/dist/server/providers.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"providers.d.ts","names":[],"sources":["../../src/server/providers.ts"],"mappings":";;;;;;;;;AAgCA;iBAAgB,cAAA,CAAe,OAAA,EAAS,gBAAA;;;;;;;;;;;;;;;;;gBAmG6hC,MAAA;;;0BAA8jB,GAAA,EAAA,eAAA,CAAA,kBAAA,iBAAA,YAAA,GAAA,IAAA;sBAAA,cAAA,CAAA,SAAA;;;;;;;;;;;iCAA64D,GAAA,EAAA,eAAA,CAAA,kBAAA,iBAAA,YAAA,GAAA,IAAA;cAAA,cAAA,CAAA,SAAA;;;;;;;;;;;;;;;;;;;iBAhFhgH,mBAAA,CAAoB,QAAA,EAAU,kBAAA,GAGd,8BAAA;;;;;;iBAQhB,sBAAA,CACd,MAAA,EAAQ,UAAA,QAAkB,cAAA,GAC1B,mBAAA"}

package/dist/server/providers.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"providers.js","names":[],"sources":["../../src/server/providers.ts"],"sourcesContent":["import {\n  AuthProviderConfig,\n  AuthProviderMaterializedConfig,\n  ConvexAuthConfig,\n  OAuthMaterializedConfig,\n} from \"./types\";\nimport { isOAuthProvider, type OAuthProviderInstance } from \"../providers/oauth\";\n\n// ============================================================================\n// Provider class detection\n// ============================================================================\n\n/** Check if something is a new-style class provider with `_toMaterialized()`. */\nfunction isClassProvider(\n  provider: any,\n): provider is { _toMaterialized(): AuthProviderMaterializedConfig } {\n  return (\n    typeof provider === \"object\" &&\n    provider !== null &&\n    typeof provider._toMaterialized === \"function\"\n  );\n}\n\n// ============================================================================\n// Public API\n// ============================================================================\n\n/**\n * Resolve raw provider configs into materialized form and apply defaults.\n *\n * @internal\n */\nexport function configDefaults(config_: ConvexAuthConfig) {\n  const config = materializeAndDefaultProviders(config_);\n  // Collect extra providers from credentials providers\n  const extraProviders = config.providers\n    .filter((p) => p.type === \"credentials\")\n    .map((p) => p.extraProviders)\n    .flat()\n    .filter((p) => p !== undefined);\n  return {\n    ...config,\n    extraProviders: materializeProviders(extraProviders),\n  };\n}\n\n/**\n * Materialize a single provider config into its runtime form.\n *\n * @internal\n */\nexport function materializeProvider(provider: AuthProviderConfig) {\n  const config = { providers: [provider], component: {} as any };\n  materializeAndDefaultProviders(config);\n  return config.providers[0] as AuthProviderMaterializedConfig;\n}\n\n/**\n * List available provider IDs for error messages.\n *\n * @internal\n */\nexport function listAvailableProviders(\n  config: ReturnType<typeof configDefaults>,\n  allowExtraProviders: boolean,\n) {\n  const availableProviders = config.providers\n    .concat(allowExtraProviders ? config.extraProviders : [])\n    .map((provider) => `\\`${provider.id}\\``);\n  return availableProviders.length > 0\n    ? availableProviders.join(\", \")\n    : \"no providers have been configured\";\n}\n\n// ============================================================================\n// Internal helpers\n// ============================================================================\n\nfunction materializeProviders(providers: AuthProviderConfig[]) {\n  const config = { providers, component: {} as any };\n  materializeAndDefaultProviders(config);\n  return config.providers as AuthProviderMaterializedConfig[];\n}\n\nfunction materializeAndDefaultProviders(config_: ConvexAuthConfig) {\n  const allProviders: AuthProviderMaterializedConfig[] = [];\n\n  for (const raw of config_.providers) {\n    if (isOAuthProvider(raw)) {\n      allProviders.push(materializeOAuthProvider(raw));\n    } else if (isClassProvider(raw)) {\n      allProviders.push(raw._toMaterialized());\n    } else {\n      // Factory function or plain config object\n      const resolved = typeof raw === \"function\" ? raw() : (raw as any);\n      // Merge `options` into the provider (backward compat with factory-style\n      // providers that store user overrides in an `options` field).\n      const merged = resolved.options\n        ? { ...resolved, ...resolved.options }\n        : resolved;\n      allProviders.push(merged as AuthProviderMaterializedConfig);\n    }\n  }\n\n  const config = { ...config_, providers: allProviders };\n\n  // Set phone provider API key from env\n  config.providers.forEach((provider) => {\n    if (provider.type === \"phone\") {\n      const ID = provider.id.toUpperCase().replace(/-/g, \"_\");\n      provider.apiKey ??= process.env[`AUTH_${ID}_KEY`];\n    }\n  });\n\n  return config;\n}\n\n/**\n * Materialize an Arctic-based `OAuthProviderInstance` into the runtime config.\n */\nfunction materializeOAuthProvider(\n  instance: OAuthProviderInstance,\n): OAuthMaterializedConfig {\n  return {\n    id: instance.id,\n    type: \"oauth\",\n    provider: instance.provider,\n    scopes: instance.scopes,\n    profile: instance.profile,\n  };\n}\n"],"mappings":";;;;AAaA,SAAS,gBACP,UACmE;AACnE,QACE,OAAO,aAAa,YACpB,aAAa,QACb,OAAO,SAAS,oBAAoB;;;;;;;AAaxC,SAAgB,eAAe,SAA2B;CACxD,MAAM,SAAS,+BAA+B,QAAQ;CAEtD,MAAM,iBAAiB,OAAO,UAC3B,QAAQ,MAAM,EAAE,SAAS,cAAc,CACvC,KAAK,MAAM,EAAE,eAAe,CAC5B,MAAM,CACN,QAAQ,MAAM,MAAM,OAAU;AACjC,QAAO;EACL,GAAG;EACH,gBAAgB,qBAAqB,eAAe;EACrD;;;;;;;AAQH,SAAgB,oBAAoB,UAA8B;CAChE,MAAM,SAAS;EAAE,WAAW,CAAC,SAAS;EAAE,WAAW,EAAE;EAAS;AAC9D,gCAA+B,OAAO;AACtC,QAAO,OAAO,UAAU;;;;;;;AAQ1B,SAAgB,uBACd,QACA,qBACA;CACA,MAAM,qBAAqB,OAAO,UAC/B,OAAO,sBAAsB,OAAO,iBAAiB,EAAE,CAAC,CACxD,KAAK,aAAa,KAAK,SAAS,GAAG,IAAI;AAC1C,QAAO,mBAAmB,SAAS,IAC/B,mBAAmB,KAAK,KAAK,GAC7B;;AAON,SAAS,qBAAqB,WAAiC;CAC7D,MAAM,SAAS;EAAE;EAAW,WAAW,EAAE;EAAS;AAClD,gCAA+B,OAAO;AACtC,QAAO,OAAO;;AAGhB,SAAS,+BAA+B,SAA2B;CACjE,MAAM,eAAiD,EAAE;AAEzD,MAAK,MAAM,OAAO,QAAQ,UACxB,KAAI,gBAAgB,IAAI,CACtB,cAAa,KAAK,yBAAyB,IAAI,CAAC;UACvC,gBAAgB,IAAI,CAC7B,cAAa,KAAK,IAAI,iBAAiB,CAAC;MACnC;EAEL,MAAM,WAAW,OAAO,QAAQ,aAAa,KAAK,GAAI;EAGtD,MAAM,SAAS,SAAS,UACpB;GAAE,GAAG;GAAU,GAAG,SAAS;GAAS,GACpC;AACJ,eAAa,KAAK,OAAyC;;CAI/D,MAAM,SAAS;EAAE,GAAG;EAAS,WAAW;EAAc;AAGtD,QAAO,UAAU,SAAS,aAAa;AACrC,MAAI,SAAS,SAAS,SAAS;GAC7B,MAAM,KAAK,SAAS,GAAG,aAAa,CAAC,QAAQ,MAAM,IAAI;AACvD,YAAS,WAAW,QAAQ,IAAI,QAAQ,GAAG;;GAE7C;AAEF,QAAO;;;;;AAMT,SAAS,yBACP,UACyB;AACzB,QAAO;EACL,IAAI,SAAS;EACb,MAAM;EACN,UAAU,SAAS;EACnB,QAAQ,SAAS;EACjB,SAAS,SAAS;EACnB"}

package/dist/server/templates.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"templates.d.ts","names":[],"sources":["../../src/server/templates.ts"],"mappings":";;AAiBA;;;;;;;;;;;;;;;iBAAgB,qBAAA,CAAsB,GAAA,UAAa,IAAA"}

package/dist/server/utils.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"utils.d.ts","names":[],"sources":["../../src/server/utils.ts"],"mappings":";iBAEgB,UAAA,CAAW,IAAA;AAAA,iBAQX,WAAA,CAAY,IAAA"}

package/dist/server/version.d.ts

@@ -1,5 +0,0 @@
-//#region src/server/version.d.ts
-declare const AUTH_VERSION = "0.0.4-preview.2";
-//#endregion
-export { AUTH_VERSION };
-//# sourceMappingURL=version.d.ts.map

package/dist/server/version.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"version.d.ts","names":[],"sources":["../../src/server/version.ts"],"mappings":";cACa,YAAA"}

package/dist/server/version.js

@@ -1,6 +0,0 @@
-//#region src/server/version.ts
-const AUTH_VERSION = "0.0.4-preview.2";
-
-//#endregion
-export { AUTH_VERSION };
-//# sourceMappingURL=version.js.map

package/dist/server/version.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"version.js","names":[],"sources":["../../src/server/version.ts"],"sourcesContent":["// Auto-generated by scripts/generate-version.js — do not edit.\nexport const AUTH_VERSION = \"0.0.4-preview.2\";\n"],"mappings":";AACA,MAAa,eAAe"}

package/src/cli/utils.ts

@@ -1,248 +0,0 @@
-/**
- * Shared CLI utilities — logging, subprocess execution, file helpers.
- *
- * Eliminates duplication across index.ts, upload.ts, link.ts.
- * All output goes to stderr so stdout can be piped cleanly.
- */
-
-import chalk from "chalk";
-import { execFileSync } from "child_process";
-import { existsSync, readFileSync, writeFileSync } from "fs";
-import { extname } from "path";
-
-// ---------------------------------------------------------------------------
-// Logging — unified output to stderr with chalk prefixes
-// ---------------------------------------------------------------------------
-
-const write = (msg: string) => process.stderr.write(msg + "\n");
-
-export const log = {
-  step:    (n: number, msg: string) => write(`${chalk.blue.bold(`[${n}]`)} ${chalk.bold(msg)}`),
-  success: (msg: string) => write(`${chalk.green("✔")} ${msg}`),
-  warn:    (msg: string) => write(`${chalk.yellow.bold("!")} ${msg}`),
-  error:   (msg: string, detail?: string) =>
-    write(`${chalk.red("✖")} ${msg}${detail ? `\n  ${chalk.grey(`Error: ${detail}`)}` : ""}`),
-  info:    (msg: string) => write(`${chalk.blue.bold("i")} ${msg}`),
-  blank:   () => write(""),
-  raw:     (msg: string) => write(msg),
-  indent:  (msg: string) => write(`  ${msg}`),
-} as const;
-
-// ---------------------------------------------------------------------------
-// Subprocess — safe execFile with argument arrays (no shell injection)
-// ---------------------------------------------------------------------------
-
-export type DeploymentOptions = {
-  prod?: boolean;
-  adminKey?: string;
-  url?: string;
-  previewName?: string;
-  deploymentName?: string;
-};
-
-/** Build CLI args array for Convex deployment selection. */
-export const deploymentArgs = (opts: DeploymentOptions): string[] => {
-  const args: string[] = [];
-  if (opts.adminKey)       args.push("--admin-key", opts.adminKey);
-  if (opts.url)            args.push("--url", opts.url);
-  else if (opts.prod)      args.push("--prod");
-  else if (opts.previewName)     args.push("--preview-name", opts.previewName);
-  else if (opts.deploymentName)  args.push("--deployment-name", opts.deploymentName);
-  return args;
-};
-
-/** Run `npx convex env get <name>` and return the value. */
-export const envGet = (name: string, opts: DeploymentOptions): string =>
-  execFileSync("npx", ["convex", "env", "get", ...deploymentArgs(opts), name], {
-    encoding: "utf-8",
-    stdio: ["pipe", "pipe", "pipe"],
-  }).slice(0, -1); // strip trailing newline
-
-/** Run `npx convex env set <name> <value>`. */
-export const envSet = (
-  name: string,
-  value: string,
-  opts: DeploymentOptions & { hideValue?: boolean },
-): void => {
-  execFileSync(
-    "npx",
-    ["convex", "env", "set", ...deploymentArgs(opts), "--", name, value],
-    { stdio: opts.hideValue ? "ignore" : "inherit" },
-  );
-};
-
-/**
- * Run a Convex function via `npx convex run` and return parsed JSON output.
- * Uses execFile with argument arrays — no shell injection.
- */
-export const convexRun = <T = unknown>(
-  functionPath: string,
-  args: Record<string, unknown>,
-  opts: { prod?: boolean } = {},
-): Promise<T> =>
-  new Promise((resolve, reject) => {
-    const { execFile } = require("child_process");
-    const cmdArgs = [
-      "convex", "run", functionPath,
-      JSON.stringify(args),
-      "--typecheck=disable",
-      "--codegen=disable",
-      ...(opts.prod ? ["--prod"] : []),
-    ];
-    execFile("npx", cmdArgs, { encoding: "utf-8" }, (error: any, stdout: string, stderr: string) => {
-      if (error) {
-        reject(new Error(`convex run ${functionPath} failed: ${stderr || stdout}`));
-        return;
-      }
-      try {
-        resolve(JSON.parse(stdout.trim()) as T);
-      } catch {
-        // If output is not JSON, return raw string as-is
-        resolve(stdout.trim() as T);
-      }
-    });
-  });
-
-// ---------------------------------------------------------------------------
-// MIME types
-// ---------------------------------------------------------------------------
-
-const MIME_TYPES: Record<string, string> = {
-  ".html": "text/html; charset=utf-8",
-  ".js":   "application/javascript; charset=utf-8",
-  ".mjs":  "application/javascript; charset=utf-8",
-  ".css":  "text/css; charset=utf-8",
-  ".json": "application/json; charset=utf-8",
-  ".png":  "image/png",
-  ".jpg":  "image/jpeg",
-  ".jpeg": "image/jpeg",
-  ".gif":  "image/gif",
-  ".svg":  "image/svg+xml",
-  ".ico":  "image/x-icon",
-  ".webp": "image/webp",
-  ".woff": "font/woff",
-  ".woff2":"font/woff2",
-  ".ttf":  "font/ttf",
-  ".txt":  "text/plain; charset=utf-8",
-  ".map":  "application/json",
-  ".webmanifest": "application/manifest+json",
-  ".xml":  "application/xml",
-  ".br":   "application/octet-stream",
-  ".gz":   "application/gzip",
-};
-
-export const getMimeType = (path: string): string =>
-  MIME_TYPES[extname(path).toLowerCase()] ?? "application/octet-stream";
-
-// ---------------------------------------------------------------------------
-// File helpers
-// ---------------------------------------------------------------------------
-
-/**
- * Check for an existing non-empty source file (.ts or .js) at the given
- * base path (without extension). Returns the path if found, null otherwise.
- */
-export const findExistingSource = (basePath: string): string | null =>
-  [".ts", ".js"]
-    .map((ext) => basePath + ext)
-    .find((p) => existsSync(p) && readFileSync(p, "utf-8").trim() !== "")
-    ?? null;
-
-/**
- * Test whether an existing file already matches a template.
- * Templates use `$$` as wildcards and `;` followed by newline as flexible separators.
- */
-export const matchesTemplate = (existing: string, template: string): boolean =>
-  new RegExp(
-    template
-      .replace(/[.*+?^${}()|[\]\\]/g, "\\$&")
-      .replace(/\\\$\\\$/g, ".*")
-      .replace(/;\n/g, ";.*"),
-    "s",
-  ).test(existing);
-
-/** Strip template markers from a source template. */
-export const stripMarkers = (template: string): string =>
-  template.replace(/\$\$/g, "");
-
-/**
- * Higher-order function: ensure a file matches a template.
- *
- * - If the file doesn't exist → create it
- * - If it already matches → log success
- * - If it exists but doesn't match → show instructions and prompt
- *
- * Returns a configured function bound to the convex folder path + TS preference.
- */
-export const createFileEnsurer = (
-  convexFolderPath: string,
-  usesTypeScript: boolean,
-  promptFn: (message: string) => Promise<void>,
-) => {
-  const path = require("path");
-
-  return async (
-    baseName: string,
-    template: string,
-    description: string,
-  ): Promise<void> => {
-    const source = stripMarkers(template);
-    const filePath = path.join(convexFolderPath, baseName);
-    const existing = findExistingSource(filePath);
-
-    if (existing) {
-      const content = readFileSync(existing, "utf-8");
-      if (matchesTemplate(content, template)) {
-        log.success(`${chalk.bold(existing)} already configured.`);
-        return;
-      }
-      log.info(`${chalk.bold(existing)} needs ${description}:`);
-      log.raw(`\n${indentBlock(source)}\n`);
-      await promptFn("Ready to continue?");
-      return;
-    }
-
-    const ext = usesTypeScript ? ".ts" : ".js";
-    const newPath = filePath + ext;
-    writeFileSync(newPath, source);
-    log.success(`Created ${chalk.bold(newPath)}`);
-  };
-};
-
-/** Indent a multiline string (2 spaces, first line not indented). */
-export const indentBlock = (s: string): string =>
-  s.replace(/^/gm, "  ").slice(2);
-
-// ---------------------------------------------------------------------------
-// Crypto helpers
-// ---------------------------------------------------------------------------
-
-export { randomBytes, createHash } from "crypto";
-
-/** Generate a URL-safe random token (32 bytes → 43 chars base64url). */
-export const generateToken = (): string =>
-  require("crypto").randomBytes(32).toString("base64url");
-
-/** SHA-256 hash a string and return the hex digest. */
-export const hashToken = (token: string): string =>
-  require("crypto").createHash("sha256").update(token).digest("hex");
-
-// ---------------------------------------------------------------------------
-// Package version
-// ---------------------------------------------------------------------------
-
-/** Read the auth package version from its own package.json. */
-export const getPackageVersion = (): string => {
-  try {
-    const pkgPath = require("path").resolve(__dirname, "..", "package.json");
-    return JSON.parse(readFileSync(pkgPath, "utf-8")).version;
-  } catch {
-    // Fallback: if running from dist/bin.cjs, package.json is two levels up
-    try {
-      const pkgPath = require("path").resolve(__dirname, "..", "..", "package.json");
-      return JSON.parse(readFileSync(pkgPath, "utf-8")).version;
-    } catch {
-      return "unknown";
-    }
-  }
-};