npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.2 → 0.0.4-preview.21 - Mend

@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (798) hide show

package/README.md +67 -26
package/dist/authorization/index.d.ts +63 -0
package/dist/authorization/index.d.ts.map +1 -0
package/dist/authorization/index.js +63 -0
package/dist/authorization/index.js.map +1 -0
package/dist/bin.js +6185 -0
package/dist/client/core/types.d.ts +20 -0
package/dist/client/core/types.d.ts.map +1 -0
package/dist/client/index.d.ts +2 -299
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +407 -534
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +42 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +2546 -90
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/client/core/types.d.ts +2 -0
package/dist/component/client/index.d.ts +2 -0
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/functions.d.ts +11 -9
package/dist/component/functions.d.ts.map +1 -1
package/dist/component/functions.js.map +1 -1
package/dist/component/index.d.ts +7 -11
package/dist/component/index.js +2 -3
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +349 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/anonymous.d.ts +54 -0
package/dist/component/providers/anonymous.d.ts.map +1 -0
package/dist/component/providers/credentials.d.ts +5 -5
package/dist/component/providers/credentials.d.ts.map +1 -1
package/dist/component/providers/device.d.ts +67 -0
package/dist/component/providers/device.d.ts.map +1 -0
package/dist/component/providers/email.d.ts +62 -0
package/dist/component/providers/email.d.ts.map +1 -0
package/dist/component/providers/oauth.d.ts.map +1 -1
package/dist/component/providers/oauth.js.map +1 -1
package/dist/component/providers/passkey.d.ts +57 -0
package/dist/component/providers/passkey.d.ts.map +1 -0
package/dist/component/providers/password.d.ts +88 -0
package/dist/component/providers/password.d.ts.map +1 -0
package/dist/component/providers/phone.d.ts +48 -0
package/dist/component/providers/phone.d.ts.map +1 -0
package/dist/component/providers/sso.d.ts +50 -0
package/dist/component/providers/sso.d.ts.map +1 -0
package/dist/component/providers/totp.d.ts +45 -0
package/dist/component/providers/totp.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.d.ts +73 -0
package/dist/component/public/enterprise/audit.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.js +108 -0
package/dist/component/public/enterprise/audit.js.map +1 -0
package/dist/component/public/enterprise/core.d.ts +176 -0
package/dist/component/public/enterprise/core.d.ts.map +1 -0
package/dist/component/public/enterprise/core.js +292 -0
package/dist/component/public/enterprise/core.js.map +1 -0
package/dist/component/public/enterprise/domains.d.ts +174 -0
package/dist/component/public/enterprise/domains.d.ts.map +1 -0
package/dist/component/public/enterprise/domains.js +271 -0
package/dist/component/public/enterprise/domains.js.map +1 -0
package/dist/component/public/enterprise/scim.d.ts +245 -0
package/dist/component/public/enterprise/scim.d.ts.map +1 -0
package/dist/component/public/enterprise/scim.js +344 -0
package/dist/component/public/enterprise/scim.js.map +1 -0
package/dist/component/public/enterprise/secrets.d.ts +78 -0
package/dist/component/public/enterprise/secrets.d.ts.map +1 -0
package/dist/component/public/enterprise/secrets.js +118 -0
package/dist/component/public/enterprise/secrets.js.map +1 -0
package/dist/component/public/enterprise/webhooks.d.ts +211 -0
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -0
package/dist/component/public/enterprise/webhooks.js +300 -0
package/dist/component/public/enterprise/webhooks.js.map +1 -0
package/dist/component/public/factors/devices.d.ts +157 -0
package/dist/component/public/factors/devices.d.ts.map +1 -0
package/dist/component/public/factors/devices.js +216 -0
package/dist/component/public/factors/devices.js.map +1 -0
package/dist/component/public/factors/passkeys.d.ts +175 -0
package/dist/component/public/factors/passkeys.d.ts.map +1 -0
package/dist/component/public/factors/passkeys.js +238 -0
package/dist/component/public/factors/passkeys.js.map +1 -0
package/dist/component/public/factors/totp.d.ts +189 -0
package/dist/component/public/factors/totp.d.ts.map +1 -0
package/dist/component/public/factors/totp.js +254 -0
package/dist/component/public/factors/totp.js.map +1 -0
package/dist/component/public/groups/core.d.ts +137 -0
package/dist/component/public/groups/core.d.ts.map +1 -0
package/dist/component/public/groups/core.js +321 -0
package/dist/component/public/groups/core.js.map +1 -0
package/dist/component/public/groups/invites.d.ts +217 -0
package/dist/component/public/groups/invites.d.ts.map +1 -0
package/dist/component/public/groups/invites.js +457 -0
package/dist/component/public/groups/invites.js.map +1 -0
package/dist/component/public/groups/members.d.ts +204 -0
package/dist/component/public/groups/members.d.ts.map +1 -0
package/dist/component/public/groups/members.js +355 -0
package/dist/component/public/groups/members.js.map +1 -0
package/dist/component/public/identity/accounts.d.ts +147 -0
package/dist/component/public/identity/accounts.d.ts.map +1 -0
package/dist/component/public/identity/accounts.js +200 -0
package/dist/component/public/identity/accounts.js.map +1 -0
package/dist/component/public/identity/codes.d.ts +104 -0
package/dist/component/public/identity/codes.d.ts.map +1 -0
package/dist/component/public/identity/codes.js +140 -0
package/dist/component/public/identity/codes.js.map +1 -0
package/dist/component/public/identity/sessions.d.ts +128 -0
package/dist/component/public/identity/sessions.d.ts.map +1 -0
package/dist/component/public/identity/sessions.js +192 -0
package/dist/component/public/identity/sessions.js.map +1 -0
package/dist/component/public/identity/tokens.d.ts +169 -0
package/dist/component/public/identity/tokens.d.ts.map +1 -0
package/dist/component/public/identity/tokens.js +227 -0
package/dist/component/public/identity/tokens.js.map +1 -0
package/dist/component/public/identity/users.d.ts +212 -0
package/dist/component/public/identity/users.d.ts.map +1 -0
package/dist/component/public/identity/users.js +311 -0
package/dist/component/public/identity/users.js.map +1 -0
package/dist/component/public/identity/verifiers.d.ts +116 -0
package/dist/component/public/identity/verifiers.d.ts.map +1 -0
package/dist/component/public/identity/verifiers.js +154 -0
package/dist/component/public/identity/verifiers.js.map +1 -0
package/dist/component/public/security/keys.d.ts +209 -0
package/dist/component/public/security/keys.d.ts.map +1 -0
package/dist/component/public/security/keys.js +319 -0
package/dist/component/public/security/keys.js.map +1 -0
package/dist/component/public/security/limits.d.ts +114 -0
package/dist/component/public/security/limits.d.ts.map +1 -0
package/dist/component/public/security/limits.js +169 -0
package/dist/component/public/security/limits.js.map +1 -0
package/dist/component/public.d.ts +24 -271
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +21 -1229
package/dist/component/schema.d.ts +473 -110
package/dist/component/schema.js +162 -73
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +318 -373
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +204 -123
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/authError.js +34 -0
package/dist/component/server/authError.js.map +1 -0
package/dist/component/server/{providers.js → config.js} +43 -12
package/dist/component/server/config.js.map +1 -0
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/core.js +713 -0
package/dist/component/server/core.js.map +1 -0
package/dist/component/server/crypto.js +38 -0
package/dist/component/server/crypto.js.map +1 -0
package/dist/component/server/{implementation/db.js → db.js} +2 -1
package/dist/component/server/db.js.map +1 -0
package/dist/component/server/device.js +109 -0
package/dist/component/server/device.js.map +1 -0
package/dist/component/server/enterprise/config.js +46 -0
package/dist/component/server/enterprise/config.js.map +1 -0
package/dist/component/server/enterprise/domain.js +885 -0
package/dist/component/server/enterprise/domain.js.map +1 -0
package/dist/component/server/enterprise/http.js +766 -0
package/dist/component/server/enterprise/http.js.map +1 -0
package/dist/component/server/enterprise/oidc.js +248 -0
package/dist/component/server/enterprise/oidc.js.map +1 -0
package/dist/component/server/enterprise/policy.js +85 -0
package/dist/component/server/enterprise/policy.js.map +1 -0
package/dist/component/server/enterprise/saml.js +338 -0
package/dist/component/server/enterprise/saml.js.map +1 -0
package/dist/component/server/enterprise/scim.js +97 -0
package/dist/component/server/enterprise/scim.js.map +1 -0
package/dist/component/server/enterprise/shared.js +51 -0
package/dist/component/server/enterprise/shared.js.map +1 -0
package/dist/component/server/errors.d.ts +1 -0
package/dist/component/server/errors.js +24 -16
package/dist/component/server/errors.js.map +1 -1
package/dist/component/server/http.js +288 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/{server/implementation → component/server}/keys.js +9 -31
package/dist/component/server/keys.js.map +1 -0
package/dist/component/server/limits.js +61 -0
package/dist/component/server/limits.js.map +1 -0
package/dist/component/server/mutations/account.js +44 -0
package/dist/component/server/mutations/account.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/component/server/mutations/code.js.map +1 -0
package/dist/component/server/mutations/invalidate.js +32 -0
package/dist/component/server/mutations/invalidate.js.map +1 -0
package/dist/component/server/mutations/oauth.js +110 -0
package/dist/component/server/mutations/oauth.js.map +1 -0
package/dist/component/server/mutations/refresh.js +119 -0
package/dist/component/server/mutations/refresh.js.map +1 -0
package/dist/component/server/mutations/register.js +83 -0
package/dist/component/server/mutations/register.js.map +1 -0
package/dist/component/server/mutations/retrieve.js +65 -0
package/dist/component/server/mutations/retrieve.js.map +1 -0
package/dist/component/server/mutations/signature.js +32 -0
package/dist/component/server/mutations/signature.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/component/server/mutations/signin.js.map +1 -0
package/dist/component/server/mutations/signout.js +27 -0
package/dist/component/server/mutations/signout.js.map +1 -0
package/dist/component/server/mutations/store/refs.js +15 -0
package/dist/component/server/mutations/store/refs.js.map +1 -0
package/dist/component/server/mutations/store.js +85 -0
package/dist/component/server/mutations/store.js.map +1 -0
package/dist/component/server/mutations/verifier.js +18 -0
package/dist/component/server/mutations/verifier.js.map +1 -0
package/dist/component/server/mutations/verify.js +98 -0
package/dist/component/server/mutations/verify.js.map +1 -0
package/dist/component/server/oauth.js +106 -60
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +328 -0
package/dist/component/server/passkey.js.map +1 -0
package/dist/{server/implementation → component/server}/redirects.js +13 -11
package/dist/component/server/redirects.js.map +1 -0
package/dist/component/server/refresh.js +96 -0
package/dist/component/server/refresh.js.map +1 -0
package/dist/component/server/runtime.d.ts +136 -0
package/dist/component/server/runtime.d.ts.map +1 -0
package/dist/component/server/runtime.js +413 -0
package/dist/component/server/runtime.js.map +1 -0
package/dist/{server/implementation → component/server}/sessions.js +14 -8
package/dist/component/server/sessions.js.map +1 -0
package/dist/component/server/signin.js +201 -0
package/dist/component/server/signin.js.map +1 -0
package/dist/component/server/tokens.js +17 -0
package/dist/component/server/tokens.js.map +1 -0
package/dist/component/server/totp.js +148 -0
package/dist/component/server/totp.js.map +1 -0
package/dist/component/server/types.d.ts +387 -298
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/{implementation/types.js → types.js} +1 -1
package/dist/component/server/types.js.map +1 -0
package/dist/component/server/{implementation/users.js → users.js} +54 -35
package/dist/component/server/users.js.map +1 -0
package/dist/component/server/utils.js +110 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +369 -0
package/dist/core/types.d.ts.map +1 -0
package/dist/factors/device.js +105 -0
package/dist/factors/device.js.map +1 -0
package/dist/factors/passkey.js +181 -0
package/dist/factors/passkey.js.map +1 -0
package/dist/factors/totp.js +122 -0
package/dist/factors/totp.js.map +1 -0
package/dist/providers/anonymous.d.ts +3 -9
package/dist/providers/anonymous.d.ts.map +1 -1
package/dist/providers/anonymous.js +1 -18
package/dist/providers/anonymous.js.map +1 -1
package/dist/providers/credentials.d.ts +8 -10
package/dist/providers/credentials.d.ts.map +1 -1
package/dist/providers/credentials.js +3 -5
package/dist/providers/credentials.js.map +1 -1
package/dist/providers/device.d.ts +18 -10
package/dist/providers/device.d.ts.map +1 -1
package/dist/providers/device.js +4 -8
package/dist/providers/device.js.map +1 -1
package/dist/providers/email.d.ts +50 -23
package/dist/providers/email.d.ts.map +1 -1
package/dist/providers/email.js +58 -34
package/dist/providers/email.js.map +1 -1
package/dist/providers/index.d.ts +7 -3
package/dist/providers/index.js +4 -1
package/dist/providers/oauth.d.ts.map +1 -1
package/dist/providers/oauth.js.map +1 -1
package/dist/providers/passkey.d.ts +12 -9
package/dist/providers/passkey.d.ts.map +1 -1
package/dist/providers/passkey.js +1 -7
package/dist/providers/passkey.js.map +1 -1
package/dist/providers/password.d.ts +6 -12
package/dist/providers/password.d.ts.map +1 -1
package/dist/providers/password.js +189 -89
package/dist/providers/password.js.map +1 -1
package/dist/providers/phone.d.ts +40 -11
package/dist/providers/phone.d.ts.map +1 -1
package/dist/providers/phone.js +52 -21
package/dist/providers/phone.js.map +1 -1
package/dist/providers/sso.d.ts +50 -0
package/dist/providers/sso.d.ts.map +1 -0
package/dist/providers/sso.js +34 -0
package/dist/providers/sso.js.map +1 -0
package/dist/providers/totp.d.ts +12 -9
package/dist/providers/totp.d.ts.map +1 -1
package/dist/providers/totp.js +1 -7
package/dist/providers/totp.js.map +1 -1
package/dist/runtime/browser.js +68 -0
package/dist/runtime/browser.js.map +1 -0
package/dist/runtime/invite.js +51 -0
package/dist/runtime/invite.js.map +1 -0
package/dist/runtime/proxy.js +70 -0
package/dist/runtime/proxy.js.map +1 -0
package/dist/runtime/storage.js +37 -0
package/dist/runtime/storage.js.map +1 -0
package/dist/server/auth.d.ts +335 -370
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +204 -123
package/dist/server/auth.js.map +1 -1
package/dist/server/authError.d.ts +46 -0
package/dist/server/authError.d.ts.map +1 -0
package/dist/server/authError.js +34 -0
package/dist/server/authError.js.map +1 -0
package/dist/server/config.d.ts +1 -0
package/dist/server/{providers.js → config.js} +43 -12
package/dist/server/config.js.map +1 -0
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/core.d.ts +1436 -0
package/dist/server/core.d.ts.map +1 -0
package/dist/server/core.js +713 -0
package/dist/server/core.js.map +1 -0
package/dist/server/crypto.d.ts +8 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +38 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/db.d.ts +1 -0
package/dist/server/{implementation/db.js → db.js} +2 -1
package/dist/server/db.js.map +1 -0
package/dist/server/device.d.ts +1 -0
package/dist/server/device.js +109 -0
package/dist/server/device.js.map +1 -0
package/dist/server/enterprise/config.d.ts +1 -0
package/dist/server/enterprise/config.js +46 -0
package/dist/server/enterprise/config.js.map +1 -0
package/dist/server/enterprise/domain.d.ts +409 -0
package/dist/server/enterprise/domain.d.ts.map +1 -0
package/dist/server/enterprise/domain.js +885 -0
package/dist/server/enterprise/domain.js.map +1 -0
package/dist/server/enterprise/http.d.ts +26 -0
package/dist/server/enterprise/http.d.ts.map +1 -0
package/dist/server/enterprise/http.js +766 -0
package/dist/server/enterprise/http.js.map +1 -0
package/dist/server/enterprise/oidc.d.ts +1 -0
package/dist/server/enterprise/oidc.js +248 -0
package/dist/server/enterprise/oidc.js.map +1 -0
package/dist/server/enterprise/policy.d.ts +1 -0
package/dist/server/enterprise/policy.js +85 -0
package/dist/server/enterprise/policy.js.map +1 -0
package/dist/server/enterprise/saml.d.ts +1 -0
package/dist/server/enterprise/saml.js +338 -0
package/dist/server/enterprise/saml.js.map +1 -0
package/dist/server/enterprise/scim.d.ts +1 -0
package/dist/server/enterprise/scim.js +97 -0
package/dist/server/enterprise/scim.js.map +1 -0
package/dist/server/enterprise/shared.d.ts +5 -0
package/dist/server/enterprise/shared.d.ts.map +1 -0
package/dist/server/enterprise/shared.js +51 -0
package/dist/server/enterprise/shared.js.map +1 -0
package/dist/server/enterprise/validators.d.ts +1 -0
package/dist/server/enterprise/validators.js +60 -0
package/dist/server/enterprise/validators.js.map +1 -0
package/dist/server/errors.d.ts +33 -1
package/dist/server/errors.d.ts.map +1 -1
package/dist/server/errors.js +44 -1
package/dist/server/errors.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +288 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +4 -182
package/dist/server/index.js +4 -376
package/dist/server/keys.d.ts +1 -0
package/dist/{component/server/implementation → server}/keys.js +9 -31
package/dist/server/keys.js.map +1 -0
package/dist/server/limits.d.ts +1 -0
package/dist/server/limits.js +61 -0
package/dist/server/limits.js.map +1 -0
package/dist/server/mounts.d.ts +647 -0
package/dist/server/mounts.d.ts.map +1 -0
package/dist/server/mounts.js +643 -0
package/dist/server/mounts.js.map +1 -0
package/dist/server/mutations/account.d.ts +30 -0
package/dist/server/mutations/account.d.ts.map +1 -0
package/dist/server/mutations/account.js +44 -0
package/dist/server/mutations/account.js.map +1 -0
package/dist/server/mutations/code.d.ts +30 -0
package/dist/server/mutations/code.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/server/mutations/code.js.map +1 -0
package/dist/server/mutations/index.d.ts +14 -0
package/dist/server/mutations/index.js +15 -0
package/dist/server/mutations/invalidate.d.ts +20 -0
package/dist/server/mutations/invalidate.d.ts.map +1 -0
package/dist/server/mutations/invalidate.js +32 -0
package/dist/server/mutations/invalidate.js.map +1 -0
package/dist/server/mutations/oauth.d.ts +28 -0
package/dist/server/mutations/oauth.d.ts.map +1 -0
package/dist/server/mutations/oauth.js +110 -0
package/dist/server/mutations/oauth.js.map +1 -0
package/dist/server/mutations/refresh.d.ts +21 -0
package/dist/server/mutations/refresh.d.ts.map +1 -0
package/dist/server/mutations/refresh.js +119 -0
package/dist/server/mutations/refresh.js.map +1 -0
package/dist/server/mutations/register.d.ts +38 -0
package/dist/server/mutations/register.d.ts.map +1 -0
package/dist/server/mutations/register.js +83 -0
package/dist/server/mutations/register.js.map +1 -0
package/dist/server/mutations/retrieve.d.ts +33 -0
package/dist/server/mutations/retrieve.d.ts.map +1 -0
package/dist/server/mutations/retrieve.js +65 -0
package/dist/server/mutations/retrieve.js.map +1 -0
package/dist/server/mutations/signature.d.ts +22 -0
package/dist/server/mutations/signature.d.ts.map +1 -0
package/dist/server/mutations/signature.js +32 -0
package/dist/server/mutations/signature.js.map +1 -0
package/dist/server/mutations/signin.d.ts +22 -0
package/dist/server/mutations/signin.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/server/mutations/signin.js.map +1 -0
package/dist/server/mutations/signout.d.ts +16 -0
package/dist/server/mutations/signout.d.ts.map +1 -0
package/dist/server/mutations/signout.js +27 -0
package/dist/server/mutations/signout.js.map +1 -0
package/dist/server/mutations/store/refs.d.ts +12 -0
package/dist/server/mutations/store/refs.d.ts.map +1 -0
package/dist/server/mutations/store/refs.js +15 -0
package/dist/server/mutations/store/refs.js.map +1 -0
package/dist/server/mutations/store.d.ts +306 -0
package/dist/server/mutations/store.d.ts.map +1 -0
package/dist/server/mutations/store.js +85 -0
package/dist/server/mutations/store.js.map +1 -0
package/dist/server/mutations/verifier.d.ts +13 -0
package/dist/server/mutations/verifier.d.ts.map +1 -0
package/dist/server/mutations/verifier.js +18 -0
package/dist/server/mutations/verifier.js.map +1 -0
package/dist/server/mutations/verify.d.ts +26 -0
package/dist/server/mutations/verify.d.ts.map +1 -0
package/dist/server/mutations/verify.js +98 -0
package/dist/server/mutations/verify.js.map +1 -0
package/dist/server/oauth.d.ts +1 -48
package/dist/server/oauth.js +107 -64
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +27 -0
package/dist/server/passkey.d.ts.map +1 -0
package/dist/server/passkey.js +328 -0
package/dist/server/passkey.js.map +1 -0
package/dist/server/redirects.d.ts +1 -0
package/dist/{component/server/implementation → server}/redirects.js +13 -11
package/dist/server/redirects.js.map +1 -0
package/dist/server/refresh.d.ts +1 -0
package/dist/server/refresh.js +96 -0
package/dist/server/refresh.js.map +1 -0
package/dist/server/runtime.d.ts +136 -0
package/dist/server/runtime.d.ts.map +1 -0
package/dist/server/runtime.js +413 -0
package/dist/server/runtime.js.map +1 -0
package/dist/server/sessions.d.ts +1 -0
package/dist/{component/server/implementation → server}/sessions.js +14 -8
package/dist/server/sessions.js.map +1 -0
package/dist/server/signin.d.ts +1 -0
package/dist/server/signin.js +201 -0
package/dist/server/signin.js.map +1 -0
package/dist/server/ssr.d.ts +226 -0
package/dist/server/ssr.d.ts.map +1 -0
package/dist/server/ssr.js +786 -0
package/dist/server/ssr.js.map +1 -0
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +2 -1
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -0
package/dist/server/tokens.js +17 -0
package/dist/server/tokens.js.map +1 -0
package/dist/server/totp.d.ts +1 -0
package/dist/server/totp.js +148 -0
package/dist/server/totp.js.map +1 -0
package/dist/server/types.d.ts +498 -306
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +108 -1
package/dist/server/types.js.map +1 -0
package/dist/server/users.d.ts +1 -0
package/dist/server/{implementation/users.js → users.js} +54 -35
package/dist/server/users.js.map +1 -0
package/dist/server/utils.d.ts +1 -6
package/dist/server/utils.js +110 -4
package/dist/server/utils.js.map +1 -1
package/package.json +49 -46
package/src/authorization/index.ts +83 -0
package/src/cli/bin.ts +5 -0
package/src/cli/command.ts +6 -5
package/src/cli/index.ts +456 -248
package/src/cli/keys.ts +3 -0
package/src/client/core/types.ts +437 -0
package/src/client/factors/device.ts +160 -0
package/src/client/factors/passkey.ts +282 -0
package/src/client/factors/totp.ts +150 -0
package/src/client/index.ts +745 -989
package/src/client/runtime/browser.ts +112 -0
package/src/client/runtime/invite.ts +65 -0
package/src/client/runtime/proxy.ts +111 -0
package/src/client/runtime/storage.ts +79 -0
package/src/component/_generated/api.ts +42 -0
package/src/component/_generated/component.ts +3123 -102
package/src/component/functions.ts +38 -22
package/src/component/index.ts +10 -20
package/src/component/model.ts +449 -0
package/src/component/public/enterprise/audit.ts +120 -0
package/src/component/public/enterprise/core.ts +354 -0
package/src/component/public/enterprise/domains.ts +323 -0
package/src/component/public/enterprise/scim.ts +396 -0
package/src/component/public/enterprise/secrets.ts +132 -0
package/src/component/public/enterprise/webhooks.ts +306 -0
package/src/component/public/factors/devices.ts +223 -0
package/src/component/public/factors/passkeys.ts +242 -0
package/src/component/public/factors/totp.ts +258 -0
package/src/component/public/groups/core.ts +481 -0
package/src/component/public/groups/invites.ts +602 -0
package/src/component/public/groups/members.ts +409 -0
package/src/component/public/identity/accounts.ts +206 -0
package/src/component/public/identity/codes.ts +148 -0
package/src/component/public/identity/sessions.ts +209 -0
package/src/component/public/identity/tokens.ts +250 -0
package/src/component/public/identity/users.ts +354 -0
package/src/component/public/identity/verifiers.ts +157 -0
package/src/component/public/security/keys.ts +365 -0
package/src/component/public/security/limits.ts +173 -0
package/src/component/public.ts +26 -1766
package/src/component/schema.ts +273 -100
package/src/providers/anonymous.ts +10 -20
package/src/providers/credentials.ts +14 -22
package/src/providers/device.ts +3 -14
package/src/providers/email.ts +83 -47
package/src/providers/index.ts +7 -0
package/src/providers/oauth.ts +5 -3
package/src/providers/passkey.ts +0 -13
package/src/providers/password.ts +307 -130
package/src/providers/phone.ts +81 -37
package/src/providers/sso.ts +54 -0
package/src/providers/totp.ts +0 -13
package/src/samlify.d.ts +53 -0
package/src/server/auth.ts +701 -247
package/src/server/authError.ts +44 -0
package/src/server/{providers.ts → config.ts} +84 -15
package/src/server/cookies.ts +8 -1
package/src/server/core.ts +2095 -0
package/src/server/crypto.ts +88 -0
package/src/server/{implementation/db.ts → db.ts} +90 -15
package/src/server/device.ts +221 -0
package/src/server/enterprise/config.ts +51 -0
package/src/server/enterprise/domain.ts +1751 -0
package/src/server/enterprise/http.ts +1324 -0
package/src/server/enterprise/oidc.ts +500 -0
package/src/server/enterprise/policy.ts +128 -0
package/src/server/enterprise/saml.ts +578 -0
package/src/server/enterprise/scim.ts +135 -0
package/src/server/enterprise/shared.ts +134 -0
package/src/server/enterprise/validators.ts +93 -0
package/src/server/errors.ts +130 -119
package/src/server/http.ts +531 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +32 -650
package/src/server/{implementation/keys.ts → keys.ts} +16 -44
package/src/server/limits.ts +134 -0
package/src/server/mounts.ts +948 -0
package/src/server/mutations/account.ts +76 -0
package/src/server/{implementation/mutations → mutations}/code.ts +22 -11
package/src/server/mutations/index.ts +13 -0
package/src/server/mutations/invalidate.ts +50 -0
package/src/server/mutations/oauth.ts +237 -0
package/src/server/mutations/refresh.ts +298 -0
package/src/server/mutations/register.ts +200 -0
package/src/server/mutations/retrieve.ts +109 -0
package/src/server/mutations/signature.ts +50 -0
package/src/server/{implementation/mutations → mutations}/signin.ts +9 -7
package/src/server/mutations/signout.ts +43 -0
package/src/server/mutations/store/refs.ts +10 -0
package/src/server/mutations/store.ts +138 -0
package/src/server/mutations/verifier.ts +34 -0
package/src/server/mutations/verify.ts +202 -0
package/src/server/oauth.ts +243 -131
package/src/server/passkey.ts +784 -0
package/src/server/{implementation/redirects.ts → redirects.ts} +21 -16
package/src/server/refresh.ts +222 -0
package/src/server/runtime.ts +880 -0
package/src/server/{implementation/sessions.ts → sessions.ts} +33 -25
package/src/server/signin.ts +438 -0
package/src/server/ssr.ts +1764 -0
package/src/server/templates.ts +8 -3
package/src/server/{implementation/tokens.ts → tokens.ts} +11 -5
package/src/server/totp.ts +349 -0
package/src/server/types.ts +972 -207
package/src/server/{implementation/users.ts → users.ts} +129 -75
package/src/server/utils.ts +192 -5
package/src/test.ts +28 -4
package/dist/bin.cjs +0 -27757
package/dist/component/providers/email.js +0 -47
package/dist/component/providers/email.js.map +0 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation/db.js.map +0 -1
package/dist/component/server/implementation/device.js +0 -135
package/dist/component/server/implementation/device.js.map +0 -1
package/dist/component/server/implementation/index.d.ts +0 -870
package/dist/component/server/implementation/index.d.ts.map +0 -1
package/dist/component/server/implementation/index.js +0 -610
package/dist/component/server/implementation/index.js.map +0 -1
package/dist/component/server/implementation/keys.js.map +0 -1
package/dist/component/server/implementation/mutations/account.js +0 -39
package/dist/component/server/implementation/mutations/account.js.map +0 -1
package/dist/component/server/implementation/mutations/code.js.map +0 -1
package/dist/component/server/implementation/mutations/index.js +0 -70
package/dist/component/server/implementation/mutations/index.js.map +0 -1
package/dist/component/server/implementation/mutations/invalidate.js +0 -29
package/dist/component/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/component/server/implementation/mutations/oauth.js +0 -51
package/dist/component/server/implementation/mutations/oauth.js.map +0 -1
package/dist/component/server/implementation/mutations/refresh.js +0 -85
package/dist/component/server/implementation/mutations/refresh.js.map +0 -1
package/dist/component/server/implementation/mutations/register.js +0 -65
package/dist/component/server/implementation/mutations/register.js.map +0 -1
package/dist/component/server/implementation/mutations/retrieve.js +0 -50
package/dist/component/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/component/server/implementation/mutations/signature.js +0 -27
package/dist/component/server/implementation/mutations/signature.js.map +0 -1
package/dist/component/server/implementation/mutations/signin.js.map +0 -1
package/dist/component/server/implementation/mutations/signout.js +0 -27
package/dist/component/server/implementation/mutations/signout.js.map +0 -1
package/dist/component/server/implementation/mutations/store.js +0 -12
package/dist/component/server/implementation/mutations/store.js.map +0 -1
package/dist/component/server/implementation/mutations/verifier.js +0 -16
package/dist/component/server/implementation/mutations/verifier.js.map +0 -1
package/dist/component/server/implementation/mutations/verify.js +0 -105
package/dist/component/server/implementation/mutations/verify.js.map +0 -1
package/dist/component/server/implementation/passkey.js +0 -307
package/dist/component/server/implementation/passkey.js.map +0 -1
package/dist/component/server/implementation/provider.js +0 -19
package/dist/component/server/implementation/provider.js.map +0 -1
package/dist/component/server/implementation/ratelimit.js +0 -48
package/dist/component/server/implementation/ratelimit.js.map +0 -1
package/dist/component/server/implementation/redirects.js.map +0 -1
package/dist/component/server/implementation/refresh.js +0 -109
package/dist/component/server/implementation/refresh.js.map +0 -1
package/dist/component/server/implementation/sessions.js.map +0 -1
package/dist/component/server/implementation/signin.js +0 -148
package/dist/component/server/implementation/signin.js.map +0 -1
package/dist/component/server/implementation/tokens.js +0 -15
package/dist/component/server/implementation/tokens.js.map +0 -1
package/dist/component/server/implementation/totp.js +0 -142
package/dist/component/server/implementation/totp.js.map +0 -1
package/dist/component/server/implementation/types.d.ts +0 -42
package/dist/component/server/implementation/types.d.ts.map +0 -1
package/dist/component/server/implementation/types.js.map +0 -1
package/dist/component/server/implementation/users.js.map +0 -1
package/dist/component/server/implementation/utils.js +0 -56
package/dist/component/server/implementation/utils.js.map +0 -1
package/dist/component/server/providers.js.map +0 -1
package/dist/component/server/templates.js +0 -84
package/dist/component/server/templates.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/implementation/db.d.ts +0 -86
package/dist/server/implementation/db.d.ts.map +0 -1
package/dist/server/implementation/db.js.map +0 -1
package/dist/server/implementation/device.d.ts +0 -30
package/dist/server/implementation/device.d.ts.map +0 -1
package/dist/server/implementation/device.js +0 -135
package/dist/server/implementation/device.js.map +0 -1
package/dist/server/implementation/index.d.ts +0 -870
package/dist/server/implementation/index.d.ts.map +0 -1
package/dist/server/implementation/index.js +0 -610
package/dist/server/implementation/index.js.map +0 -1
package/dist/server/implementation/keys.d.ts +0 -66
package/dist/server/implementation/keys.d.ts.map +0 -1
package/dist/server/implementation/keys.js.map +0 -1
package/dist/server/implementation/mutations/account.d.ts +0 -27
package/dist/server/implementation/mutations/account.d.ts.map +0 -1
package/dist/server/implementation/mutations/account.js +0 -39
package/dist/server/implementation/mutations/account.js.map +0 -1
package/dist/server/implementation/mutations/code.d.ts +0 -29
package/dist/server/implementation/mutations/code.d.ts.map +0 -1
package/dist/server/implementation/mutations/code.js.map +0 -1
package/dist/server/implementation/mutations/index.d.ts +0 -310
package/dist/server/implementation/mutations/index.d.ts.map +0 -1
package/dist/server/implementation/mutations/index.js +0 -70
package/dist/server/implementation/mutations/index.js.map +0 -1
package/dist/server/implementation/mutations/invalidate.d.ts +0 -18
package/dist/server/implementation/mutations/invalidate.d.ts.map +0 -1
package/dist/server/implementation/mutations/invalidate.js +0 -29
package/dist/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/server/implementation/mutations/oauth.d.ts +0 -23
package/dist/server/implementation/mutations/oauth.d.ts.map +0 -1
package/dist/server/implementation/mutations/oauth.js +0 -51
package/dist/server/implementation/mutations/oauth.js.map +0 -1
package/dist/server/implementation/mutations/refresh.d.ts +0 -20
package/dist/server/implementation/mutations/refresh.d.ts.map +0 -1
package/dist/server/implementation/mutations/refresh.js +0 -85
package/dist/server/implementation/mutations/refresh.js.map +0 -1
package/dist/server/implementation/mutations/register.d.ts +0 -37
package/dist/server/implementation/mutations/register.d.ts.map +0 -1
package/dist/server/implementation/mutations/register.js +0 -65
package/dist/server/implementation/mutations/register.js.map +0 -1
package/dist/server/implementation/mutations/retrieve.d.ts +0 -31
package/dist/server/implementation/mutations/retrieve.d.ts.map +0 -1
package/dist/server/implementation/mutations/retrieve.js +0 -50
package/dist/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/server/implementation/mutations/signature.d.ts +0 -19
package/dist/server/implementation/mutations/signature.d.ts.map +0 -1
package/dist/server/implementation/mutations/signature.js +0 -27
package/dist/server/implementation/mutations/signature.js.map +0 -1
package/dist/server/implementation/mutations/signin.d.ts +0 -21
package/dist/server/implementation/mutations/signin.d.ts.map +0 -1
package/dist/server/implementation/mutations/signin.js.map +0 -1
package/dist/server/implementation/mutations/signout.d.ts +0 -14
package/dist/server/implementation/mutations/signout.d.ts.map +0 -1
package/dist/server/implementation/mutations/signout.js +0 -27
package/dist/server/implementation/mutations/signout.js.map +0 -1
package/dist/server/implementation/mutations/store.d.ts +0 -11
package/dist/server/implementation/mutations/store.d.ts.map +0 -1
package/dist/server/implementation/mutations/store.js +0 -12
package/dist/server/implementation/mutations/store.js.map +0 -1
package/dist/server/implementation/mutations/verifier.d.ts +0 -11
package/dist/server/implementation/mutations/verifier.d.ts.map +0 -1
package/dist/server/implementation/mutations/verifier.js +0 -16
package/dist/server/implementation/mutations/verifier.js.map +0 -1
package/dist/server/implementation/mutations/verify.d.ts +0 -25
package/dist/server/implementation/mutations/verify.d.ts.map +0 -1
package/dist/server/implementation/mutations/verify.js +0 -105
package/dist/server/implementation/mutations/verify.js.map +0 -1
package/dist/server/implementation/passkey.d.ts +0 -24
package/dist/server/implementation/passkey.d.ts.map +0 -1
package/dist/server/implementation/passkey.js +0 -307
package/dist/server/implementation/passkey.js.map +0 -1
package/dist/server/implementation/provider.d.ts +0 -10
package/dist/server/implementation/provider.d.ts.map +0 -1
package/dist/server/implementation/provider.js +0 -19
package/dist/server/implementation/provider.js.map +0 -1
package/dist/server/implementation/ratelimit.d.ts +0 -10
package/dist/server/implementation/ratelimit.d.ts.map +0 -1
package/dist/server/implementation/ratelimit.js +0 -48
package/dist/server/implementation/ratelimit.js.map +0 -1
package/dist/server/implementation/redirects.d.ts +0 -10
package/dist/server/implementation/redirects.d.ts.map +0 -1
package/dist/server/implementation/redirects.js.map +0 -1
package/dist/server/implementation/refresh.d.ts +0 -37
package/dist/server/implementation/refresh.d.ts.map +0 -1
package/dist/server/implementation/refresh.js +0 -109
package/dist/server/implementation/refresh.js.map +0 -1
package/dist/server/implementation/sessions.d.ts +0 -29
package/dist/server/implementation/sessions.d.ts.map +0 -1
package/dist/server/implementation/sessions.js.map +0 -1
package/dist/server/implementation/signin.d.ts +0 -55
package/dist/server/implementation/signin.d.ts.map +0 -1
package/dist/server/implementation/signin.js +0 -148
package/dist/server/implementation/signin.js.map +0 -1
package/dist/server/implementation/tokens.d.ts +0 -11
package/dist/server/implementation/tokens.d.ts.map +0 -1
package/dist/server/implementation/tokens.js +0 -15
package/dist/server/implementation/tokens.js.map +0 -1
package/dist/server/implementation/totp.d.ts +0 -31
package/dist/server/implementation/totp.d.ts.map +0 -1
package/dist/server/implementation/totp.js +0 -142
package/dist/server/implementation/totp.js.map +0 -1
package/dist/server/implementation/types.d.ts +0 -189
package/dist/server/implementation/types.d.ts.map +0 -1
package/dist/server/implementation/types.js +0 -97
package/dist/server/implementation/types.js.map +0 -1
package/dist/server/implementation/users.d.ts +0 -30
package/dist/server/implementation/users.d.ts.map +0 -1
package/dist/server/implementation/users.js.map +0 -1
package/dist/server/implementation/utils.d.ts +0 -19
package/dist/server/implementation/utils.d.ts.map +0 -1
package/dist/server/implementation/utils.js +0 -56
package/dist/server/implementation/utils.js.map +0 -1
package/dist/server/index.d.ts.map +0 -1
package/dist/server/index.js.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/providers.d.ts +0 -72
package/dist/server/providers.d.ts.map +0 -1
package/dist/server/providers.js.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/dist/server/version.d.ts +0 -5
package/dist/server/version.d.ts.map +0 -1
package/dist/server/version.js +0 -6
package/dist/server/version.js.map +0 -1
package/src/cli/utils.ts +0 -248
package/src/server/implementation/device.ts +0 -307
package/src/server/implementation/index.ts +0 -1583
package/src/server/implementation/mutations/account.ts +0 -50
package/src/server/implementation/mutations/index.ts +0 -157
package/src/server/implementation/mutations/invalidate.ts +0 -42
package/src/server/implementation/mutations/oauth.ts +0 -73
package/src/server/implementation/mutations/refresh.ts +0 -175
package/src/server/implementation/mutations/register.ts +0 -100
package/src/server/implementation/mutations/retrieve.ts +0 -79
package/src/server/implementation/mutations/signature.ts +0 -39
package/src/server/implementation/mutations/signout.ts +0 -35
package/src/server/implementation/mutations/store.ts +0 -7
package/src/server/implementation/mutations/verifier.ts +0 -24
package/src/server/implementation/mutations/verify.ts +0 -194
package/src/server/implementation/passkey.ts +0 -620
package/src/server/implementation/provider.ts +0 -36
package/src/server/implementation/ratelimit.ts +0 -79
package/src/server/implementation/refresh.ts +0 -172
package/src/server/implementation/signin.ts +0 -296
package/src/server/implementation/totp.ts +0 -342
package/src/server/implementation/types.ts +0 -444
package/src/server/implementation/utils.ts +0 -91
package/src/server/version.ts +0 -2

package/src/server/implementation/index.ts DELETED Viewed

@@ -1,1583 +0,0 @@
-import {
-  Auth,
-  GenericActionCtx,
-  GenericDataModel,
-  HttpRouter,
-  actionGeneric,
-  httpActionGeneric,
-  internalMutationGeneric,
-} from "convex/server";
-import { ConvexError, GenericId, v } from "convex/values";
-import { throwAuthError, isAuthError } from "../errors";
-import { parse as parseCookies, serialize as serializeCookie } from "cookie";
-import { redirectToParamCookie, useRedirectToParam } from "../cookies";
-import type { FunctionReferenceFromExport } from "../types";
-import {
-  configDefaults,
-  listAvailableProviders,
-  materializeProvider,
-} from "../providers";
-import {
-  AuthProviderConfig,
-  ConvexAuthConfig,
-  CorsConfig,
-  HttpKeyContext,
-  UserOrderBy,
-  UserWhere,
-} from "../types";
-import { requireEnv } from "../utils";
-import {
-  ActionCtx,
-  MutationCtx,
-  KeyDoc,
-} from "./types";
-import type { Tokens } from "./types";
-export type { Doc, Tokens } from "./types";
-import {
-  LOG_LEVELS,
-  TOKEN_SUB_CLAIM_DIVIDER,
-  logError,
-  logWithLevel,
-} from "./utils";
-import { GetProviderOrThrowFunc } from "./provider";
-import {
-  callCreateAccountFromCredentials,
-  callInvalidateSessions,
-  callModifyAccount,
-  callRetreiveAccountWithCredentials,
-  callSignOut,
-  callUserOAuth,
-  callVerifierSignature,
-  storeArgs,
-  storeImpl,
-} from "./mutations/index";
-import { signInImpl } from "./signin";
-import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects";
-import {
-  generateApiKey,
-  hashApiKey,
-  buildScopeChecker,
-  validateScopes,
-  checkKeyRateLimit,
-} from "./keys";
-import {
-  createOAuthAuthorizationURL,
-  handleOAuthCallback,
-} from "../oauth";
-import type { OAuthMaterializedConfig } from "../types";
-/**
- * The type of the signIn Convex Action returned from the auth() helper.
- *
- * This type is exported for implementors of other client integrations.
- * However it is not stable, and may change until this library reaches 1.0.
- */
-export type SignInAction = FunctionReferenceFromExport<
-  ReturnType<typeof Auth>["signIn"]
->;
-/**
- * The type of the signOut Convex Action returned from the auth() helper.
- *
- * This type is exported for implementors of other client integrations.
- * However it is not stable, and may change until this library reaches 1.0.
- */
-export type SignOutAction = FunctionReferenceFromExport<
-  ReturnType<typeof Auth>["signOut"]
->;
-/**
- * Configure the Convex Auth library. Returns an object with
- * functions and `auth` helper. You must export the functions
- * from `convex/auth.ts` to make them callable:
- *
- * ```ts filename="convex/auth.ts"
- * import { Auth } from "@robelest/convex-auth/component";
- * import { components } from "./_generated/api";
- *
- * export const { auth, signIn, signOut, store } = Auth({
- *   component: components.auth,
- *   providers: [],
- * });
- * ```
- *
- * @returns An object with fields you should reexport from your
- *          `convex/auth.ts` file.
- */
-export function Auth(config_: ConvexAuthConfig) {
-  const config = configDefaults(config_);
-  const hasOAuth = config.providers.some(
-    (provider) => provider.type === "oauth",
-  );
-  const getProvider = (id: string, allowExtraProviders: boolean = false) => {
-    return (
-      config.providers.find((provider) => provider.id === id) ??
-      (allowExtraProviders
-        ? config.extraProviders.find((provider) => provider.id === id)
-        : undefined)
-    );
-  };
-  const getProviderOrThrow: GetProviderOrThrowFunc = (
-    id: string,
-    allowExtraProviders: boolean = false,
-  ) => {
-    const provider = getProvider(id, allowExtraProviders);
-    if (provider === undefined) {
-      const detail =
-        `Provider \`${id}\` is not configured, ` +
-        `available providers are ${listAvailableProviders(config, allowExtraProviders)}.`;
-      logWithLevel(LOG_LEVELS.ERROR, detail);
-      throwAuthError("PROVIDER_NOT_CONFIGURED", detail, { provider: id });
-    }
-    return provider;
-  };
-  type ComponentCtx = Pick<
-    GenericActionCtx<GenericDataModel>,
-    "runQuery" | "runMutation"
-  >;
-  type ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, "runQuery">;
-  type ComponentAuthReadCtx = ComponentReadCtx & { auth: Auth };
-  type AccountCredentials = { id: string; secret?: string };
-  type CreateAccountArgs = {
-    provider: string;
-    account: AccountCredentials;
-    profile: Record<string, unknown>;
-    shouldLinkViaEmail?: boolean;
-    shouldLinkViaPhone?: boolean;
-  };
-  type RetrieveAccountArgs = { provider: string; account: AccountCredentials };
-  type UpdateAccountCredentialsArgs = {
-    provider: string;
-    account: { id: string; secret: string };
-  };
-  const auth = {
-    user: {
-      /**
-       * Get the current user's ID from the auth context, or `null` if
-       * not signed in.
-       *
-       * @param ctx - Any Convex context with an `auth` field (query, mutation, or action).
-       * @returns The user's `Id<"user">`, or `null` when unauthenticated.
-       */
-      current: async (ctx: { auth: Auth }) => {
-        const identity = await ctx.auth.getUserIdentity();
-        if (identity === null) {
-          return null;
-        }
-        const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
-        return userId as GenericId<"user">;
-      },
-      /**
-       * Get the current user's ID, or throw if not signed in.
-       * Use this when authentication is required.
-       *
-       * @param ctx - Any Convex context with an `auth` field.
-       * @returns The user's `Id<"user">`.
-       * @throws `ConvexError` with code `NOT_SIGNED_IN` when unauthenticated.
-       */
-      require: async (ctx: { auth: Auth }) => {
-        const identity = await ctx.auth.getUserIdentity();
-        if (identity === null) {
-          throwAuthError("NOT_SIGNED_IN");
-        }
-        const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
-        return userId as GenericId<"user">;
-      },
-      /**
-       * Retrieve a user document by their ID.
-       *
-       * @param ctx - Convex context with `runQuery`.
-       * @param userId - The user document ID.
-       * @returns The user document, or `null` if not found.
-       */
-      get: async (ctx: ComponentReadCtx, userId: string) => {
-        return await ctx.runQuery(config.component.public.userGetById, { userId });
-      },
-      /**
-       * List users with optional filters, sorting, and pagination.
-       *
-       * @param opts.where - Optional filters (email, phone, name, anonymous).
-       * @param opts.limit - Max users to return (default 50).
-       * @param opts.cursor - Pagination cursor from a previous page.
-       * @param opts.orderBy - Sort field.
-       * @param opts.order - Sort direction.
-       * @returns `{ items, nextCursor }`.
-       */
-      list: async (
-        ctx: ComponentReadCtx,
-        opts: {
-          where?: UserWhere;
-          limit?: number;
-          cursor?: string | null;
-          orderBy?: UserOrderBy;
-          order?: "asc" | "desc";
-        } = {},
-      ) => {
-        return await ctx.runQuery(config.component.public.userList, opts);
-      },
-      /**
-       * Get the currently signed-in user's document, or `null` if not
-       * signed in. Convenience combining `current()` + `get()`.
-       *
-       * @param ctx - Convex context with `auth` and `runQuery`.
-       * @returns The user document, or `null` when unauthenticated.
-       */
-      viewer: async (ctx: ComponentAuthReadCtx) => {
-        const userId = await auth.user.current(ctx);
-        if (userId === null) {
-          return null;
-        }
-        return await ctx.runQuery(config.component.public.userGetById, { userId });
-      },
-      /**
-       * Update a user document with partial data.
-       *
-       * @param ctx - Convex context with `runMutation`.
-       * @param userId - The user document ID.
-       * @param data - Partial data to merge into the user document.
-       */
-      patch: async (
-        ctx: ComponentCtx,
-        userId: string,
-        data: Record<string, unknown>,
-      ) => {
-        await ctx.runMutation(config.component.public.userPatch, {
-          userId,
-          data,
-        });
-      },
-      /**
-       * Query a user's group memberships.
-       */
-      group: {
-        /**
-         * List all groups a user belongs to. Returns member records which
-         * include the `groupId`, `role`, `status`, and `extend` for each.
-         *
-         * This is a convenience wrapper around `auth.group.member.list`
-         * with `where: { userId }`.
-         */
-        list: async (
-          ctx: ComponentReadCtx,
-          opts: {
-            userId: string;
-            limit?: number;
-            cursor?: string | null;
-            order?: "asc" | "desc";
-          },
-        ) => {
-          return await ctx.runQuery(config.component.public.memberList, {
-            where: { userId: opts.userId },
-            limit: opts.limit,
-            cursor: opts.cursor,
-            order: opts.order,
-          });
-        },
-        /**
-         * Look up a user's membership in a specific group. Returns the member
-         * record (with role, status, extend) or `null` if the user is not
-         * a member.
-         */
-        get: async (
-          ctx: ComponentReadCtx,
-          opts: { userId: string; groupId: string },
-        ) => {
-          return await ctx.runQuery(
-            config.component.public.memberGetByGroupAndUser,
-            opts,
-          );
-        },
-      },
-    },
-    session: {
-      /**
-       * Get the current session ID from the auth context, or `null` if
-       * not signed in.
-       *
-       * @param ctx - Any Convex context with an `auth` field.
-       * @returns The session's `Id<"session">`, or `null` when unauthenticated.
-       */
-      current: async (ctx: { auth: Auth }) => {
-        const identity = await ctx.auth.getUserIdentity();
-        if (identity === null) {
-          return null;
-        }
-        const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
-        return sessionId as GenericId<"session">;
-      },
-      /**
-       * Invalidate sessions for a user, optionally preserving specific sessions.
-       *
-       * @param ctx - Convex action context.
-       * @param args.userId - The user whose sessions to invalidate.
-       * @param args.except - Session IDs to preserve (e.g. the current session).
-       */
-      invalidate: async <DataModel extends GenericDataModel>(
-        ctx: GenericActionCtx<DataModel>,
-        args: {
-          userId: GenericId<"user">;
-          except?: GenericId<"session">[];
-        },
-      ): Promise<void> => {
-        const actionCtx = ctx as unknown as ActionCtx;
-        return await callInvalidateSessions(actionCtx, args);
-      },
-    },
-    account: {
-      /**
-       * Create an account and user for a credentials provider.
-       *
-       * @param ctx - Convex action context.
-       * @param args - Provider ID, account credentials, profile data, and link flags.
-       * @returns `{ account, user }` — the created account and user documents.
-       */
-      create: async <DataModel extends GenericDataModel>(
-        ctx: GenericActionCtx<DataModel>,
-        args: CreateAccountArgs,
-      ) => {
-        const actionCtx = ctx as unknown as ActionCtx;
-        return await callCreateAccountFromCredentials(actionCtx, args);
-      },
-      /**
-       * Retrieve an account and user for a credentials provider.
-       *
-       * @param ctx - Convex action context.
-       * @param args - Provider ID and account credentials (id, optional secret).
-       * @returns `{ account, user }` — the matched account and user documents.
-       * @throws `ConvexError` with code `ACCOUNT_NOT_FOUND` when no match exists.
-       */
-      get: async <DataModel extends GenericDataModel>(
-        ctx: GenericActionCtx<DataModel>,
-        args: RetrieveAccountArgs,
-      ) => {
-        const actionCtx = ctx as unknown as ActionCtx;
-        const result = await callRetreiveAccountWithCredentials(actionCtx, args);
-        if (typeof result === "string") {
-          throwAuthError("ACCOUNT_NOT_FOUND", result);
-        }
-        return result;
-      },
-      /**
-       * Update account credentials (secret) for an existing account.
-       *
-       * @param ctx - Convex action context.
-       * @param args - Provider ID and new account credentials (id + secret).
-       */
-      update: async <DataModel extends GenericDataModel>(
-        ctx: GenericActionCtx<DataModel>,
-        args: UpdateAccountCredentialsArgs,
-      ): Promise<void> => {
-        const actionCtx = ctx as unknown as ActionCtx;
-        return await callModifyAccount(actionCtx, args);
-      },
-    },
-    provider: {
-      /**
-       * Sign in via another provider, typically from a credentials flow.
-       *
-       * @param ctx - Convex action context.
-       * @param provider - The provider config to sign in with.
-       * @param args - Optional account ID and params.
-       * @returns `{ userId, sessionId }` on success, or `null`.
-       */
-      signIn: async <DataModel extends GenericDataModel>(
-        ctx: GenericActionCtx<DataModel>,
-        provider: AuthProviderConfig,
-        args: {
-          accountId?: GenericId<"account">;
-          params?: Record<string, unknown>;
-        },
-      ) => {
-        const result = await signInImpl(
-          enrichCtx(ctx),
-          materializeProvider(provider),
-          // params type widened: Record<string, unknown> → Record<string, any>
-          args as { accountId?: GenericId<"account">; params?: Record<string, any> },
-          {
-            generateTokens: false,
-            allowExtraProviders: true,
-          },
-        );
-        return result.kind === "signedIn"
-          ? result.signedIn !== null
-            ? { userId: result.signedIn.userId, sessionId: result.signedIn.sessionId }
-            : null
-          : null;
-      },
-    },
-    /**
-     * Hierarchical group management. Groups can nest arbitrarily deep
-     * via `parentGroupId`. A root group has no parent.
-     *
-     * ```ts
-     * const groupId = await auth.group.create(ctx, { name: "Acme Corp" });
-     * const subGroupId = await auth.group.create(ctx, {
-     *   name: "Engineering",
-     *   parentGroupId: groupId,
-     * });
-     * ```
-     */
-    group: {
-      /**
-       * Create a new group. Omit `parentGroupId` for a root-level group,
-       * or provide it to create a nested group.
-       *
-       * @returns The ID of the newly created group.
-       */
-      create: async (
-        ctx: ComponentCtx,
-        data: {
-          name: string;
-          slug?: string;
-          type?: string;
-          parentGroupId?: string;
-          tags?: Array<{ key: string; value: string }>;
-          extend?: Record<string, unknown>;
-        },
-      ): Promise<string> => {
-        return (await ctx.runMutation(
-          config.component.public.groupCreate,
-          data,
-        )) as string;
-      },
-      /**
-       * Retrieve a group by its ID. Returns `null` if not found.
-       */
-      get: async (ctx: ComponentReadCtx, groupId: string) => {
-        return await ctx.runQuery(config.component.public.groupGet, { groupId });
-      },
-      /**
-       * List groups with optional filtering, sorting, and pagination.
-       *
-       * Empty `where` returns **all** groups.
-       *
-       * ```ts
-       * // All groups of type "team"
-       * await auth.group.list(ctx, { where: { type: "team" } });
-       *
-       * // Paginated
-       * const page1 = await auth.group.list(ctx, { limit: 10 });
-       * const page2 = await auth.group.list(ctx, { limit: 10, cursor: page1.nextCursor });
-       * ```
-       */
-      list: async (
-        ctx: ComponentReadCtx,
-        opts?: {
-          where?: {
-            slug?: string;
-            type?: string;
-            parentGroupId?: string;
-            name?: string;
-            isRoot?: boolean;
-            tagsAll?: Array<{ key: string; value: string }>;
-            tagsAny?: Array<{ key: string; value: string }>;
-          };
-          limit?: number;
-          cursor?: string | null;
-          orderBy?: "_creationTime" | "name" | "slug" | "type";
-          order?: "asc" | "desc";
-        },
-      ) => {
-        return await ctx.runQuery(config.component.public.groupList, {
-          where: opts?.where,
-          limit: opts?.limit,
-          cursor: opts?.cursor,
-          orderBy: opts?.orderBy,
-          order: opts?.order,
-        });
-      },
-      /**
-       * Update a group's fields (name, slug, tags, extend, parentGroupId).
-       */
-      update: async (
-        ctx: ComponentCtx,
-        groupId: string,
-        data: Record<string, unknown>,
-      ) => {
-        await ctx.runMutation(config.component.public.groupUpdate, { groupId, data });
-      },
-      /**
-       * Delete a group and cascade to all descendants. Deletes child groups
-       * (recursively), all members, and all invites for this group and its
-       * descendants.
-       */
-      delete: async (ctx: ComponentCtx, groupId: string) => {
-        await ctx.runMutation(config.component.public.groupDelete, { groupId });
-      },
-      /**
-       * Manage group membership. A member links a user to a group with an
-       * application-defined role string (e.g. "owner", "admin", "member").
-       *
-       * The auth component stores roles but does not enforce access control.
-       * Your application defines what each role means.
-       */
-      member: {
-        /**
-         * Add a user as a member of a group.
-         *
-         * @param data.groupId - The group to add the member to.
-         * @param data.userId - The user to add.
-         * @param data.role - Application-defined role (e.g. "owner", "admin", "member").
-         * @param data.status - Optional membership status (e.g. "active", "suspended").
-         * @param data.extend - Optional arbitrary JSON extension data.
-         * @throws ConvexError with code `DUPLICATE_MEMBERSHIP` if the user is
-         * already a member of the target group.
-         * @returns The ID of the new member record.
-         */
-        add: async (
-          ctx: ComponentCtx,
-          data: {
-            groupId: string;
-            userId: string;
-            role?: string;
-            status?: string;
-            extend?: Record<string, unknown>;
-          },
-        ): Promise<string> => {
-          return (await ctx.runMutation(
-            config.component.public.memberAdd,
-            data,
-          )) as string;
-        },
-        /**
-         * Retrieve a member record by its ID. Returns `null` if not found.
-         */
-        get: async (ctx: ComponentReadCtx, memberId: string) => {
-          return await ctx.runQuery(config.component.public.memberGet, { memberId });
-        },
-        /**
-         * List members with optional filtering, sorting, and pagination.
-         *
-         * ```ts
-         * // All members of a group
-         * await auth.group.member.list(ctx, { where: { groupId } });
-         *
-         * // Admins only
-         * await auth.group.member.list(ctx, { where: { groupId, role: "admin" } });
-         * ```
-         */
-        list: async (
-          ctx: ComponentReadCtx,
-          opts?: {
-            where?: {
-              groupId?: string;
-              userId?: string;
-              role?: string;
-              status?: string;
-            };
-            limit?: number;
-            cursor?: string | null;
-            orderBy?: "_creationTime" | "role" | "status";
-            order?: "asc" | "desc";
-          },
-        ) => {
-          return await ctx.runQuery(config.component.public.memberList, {
-            where: opts?.where,
-            limit: opts?.limit,
-            cursor: opts?.cursor,
-            orderBy: opts?.orderBy,
-            order: opts?.order,
-          });
-        },
-        /**
-         * Remove a member from a group by deleting the member record.
-         */
-        remove: async (ctx: ComponentCtx, memberId: string) => {
-          await ctx.runMutation(config.component.public.memberRemove, { memberId });
-        },
-        /**
-         * Update a member's fields (role, status, extend).
-         *
-         * ```ts
-         * await auth.group.member.update(ctx, memberId, { role: "admin" });
-         * ```
-         */
-        update: async (
-          ctx: ComponentCtx,
-          memberId: string,
-          data: Record<string, unknown>,
-        ) => {
-          await ctx.runMutation(config.component.public.memberUpdate, {
-            memberId,
-            data,
-          });
-        },
-      },
-    },
-    /**
-     * Manage platform-level invitations.
-     *
-     * Invites can optionally target a group by setting `groupId`, but they do
-     * not require groups and can be used in apps with user-only collaboration.
-     */
-    invite: {
-      /**
-       * Create a new invitation.
-       *
-       * @param data.groupId - Optional group to invite the user into.
-       * @param data.invitedByUserId - Optional user sending the invitation
-       *   (omit for CLI-generated invites).
-       * @param data.email - Optional email of the invitee (omit for
-       *   CLI-generated invite links where the email is unknown upfront).
-       * @param data.tokenHash - Hashed token for secure acceptance.
-       * @param data.role - Optional role to assign on acceptance.
-       * @param data.status - Initial status (typically "pending").
-       * @param data.expiresTime - Optional expiration timestamp (omit for
-       *   single-use, non-expiring invites).
-       * @param data.extend - Optional arbitrary JSON extension data.
-       * @throws ConvexError with code `DUPLICATE_INVITE` if a pending invite
-       * already exists for this email and scope.
-       * @returns The ID of the new invite record.
-       */
-      create: async (
-        ctx: ComponentCtx,
-        data: {
-          groupId?: string;
-          invitedByUserId?: string;
-          email?: string;
-          tokenHash: string;
-          role?: string;
-          status: "pending" | "accepted" | "revoked" | "expired";
-          expiresTime?: number;
-          extend?: Record<string, unknown>;
-        },
-      ): Promise<string> => {
-        return (await ctx.runMutation(config.component.public.inviteCreate, data)) as string;
-      },
-      /**
-       * Retrieve an invite by its ID. Returns `null` if not found.
-       */
-      get: async (ctx: ComponentReadCtx, inviteId: string) => {
-        return await ctx.runQuery(config.component.public.inviteGet, { inviteId });
-      },
-      /**
-       * List invites with optional filtering, sorting, and pagination.
-       *
-       * ```ts
-       * // Pending invites for a group
-       * await auth.invite.list(ctx, { where: { groupId, status: "pending" } });
-       * ```
-       */
-      list: async (
-        ctx: ComponentReadCtx,
-        opts?: {
-          where?: {
-            tokenHash?: string;
-            groupId?: string;
-            status?: "pending" | "accepted" | "revoked" | "expired";
-            email?: string;
-            invitedByUserId?: string;
-            role?: string;
-            acceptedByUserId?: string;
-          };
-          limit?: number;
-          cursor?: string | null;
-          orderBy?: "_creationTime" | "status" | "email" | "expiresTime" | "acceptedTime";
-          order?: "asc" | "desc";
-        },
-      ) => {
-        return await ctx.runQuery(config.component.public.inviteList, {
-          where: opts?.where,
-          limit: opts?.limit,
-          cursor: opts?.cursor,
-          orderBy: opts?.orderBy,
-          order: opts?.order,
-        });
-      },
-      /**
-       * Accept an invitation. Marks the invite as "accepted" and records
-       * the timestamp. If the invite has a group, the caller is responsible
-       * for creating the member record via `auth.group.member.add` in the
-       * same Convex mutation for transactional safety.
-       *
-       * @param ctx - Convex context with `runMutation`.
-       * @param inviteId - The invite document ID.
-       * @param acceptedByUserId - User accepting the invite (recorded for audit).
-       * @throws `ConvexError` with code `INVITE_NOT_FOUND` when the invite does not exist.
-       * @throws `ConvexError` with code `INVITE_NOT_PENDING` when the invite is not in `pending` status.
-       *
-       * @example
-       * ```ts
-       * export const acceptInvite = mutation({
-       *   args: { inviteId: v.string() },
-       *   handler: async (ctx, { inviteId }) => {
-       *     const userId = await auth.user.require(ctx);
-       *     const invite = await auth.invite.get(ctx, inviteId);
-       *     if (!invite) throw new Error("Invite not found");
-       *
-       *     await auth.invite.accept(ctx, inviteId);
-       *     if (invite.groupId) {
-       *       await auth.group.member.add(ctx, {
-       *         groupId: invite.groupId,
-       *         userId,
-       *         role: invite.role,
-       *       });
-       *     }
-       *   },
-       * });
-       * ```
-       */
-      accept: async (ctx: ComponentCtx, inviteId: string, acceptedByUserId?: string) => {
-        await ctx.runMutation(config.component.public.inviteAccept, {
-          inviteId,
-          ...(acceptedByUserId ? { acceptedByUserId } : {}),
-        });
-      },
-      /**
-       * Revoke a pending invitation.
-       *
-       * @param ctx - Convex context with `runMutation`.
-       * @param inviteId - The invite document ID.
-       * @throws `ConvexError` with code `INVITE_NOT_FOUND` when the invite does not exist.
-       * @throws `ConvexError` with code `INVITE_NOT_PENDING` when the invite is not in `pending` status.
-       */
-      revoke: async (ctx: ComponentCtx, inviteId: string) => {
-        await ctx.runMutation(config.component.public.inviteRevoke, { inviteId });
-      },
-    },
-    /**
-     * Manage passkey credentials for users.
-     *
-     * ```ts
-     * const passkeys = await auth.passkey.list(ctx, { userId });
-     * await auth.passkey.rename(ctx, passkeyId, "MacBook Touch ID");
-     * await auth.passkey.remove(ctx, passkeyId);
-     * ```
-     */
-    passkey: {
-      /**
-       * List all passkeys for a user.
-       *
-       * @param opts.userId - The user whose passkeys to list.
-       * @returns Array of passkey records with credentialId, name, deviceType,
-       * backedUp, createdAt, and lastUsedAt.
-       */
-      list: async (ctx: ComponentReadCtx, opts: { userId: string }) => {
-        return await ctx.runQuery(
-          config.component.public.passkeyListByUserId,
-          opts,
-        );
-      },
-      /**
-       * Rename a passkey (set a user-friendly display name).
-       *
-       * @param passkeyId - The passkey document ID.
-       * @param name - New display name (e.g. "MacBook Touch ID").
-       */
-      rename: async (ctx: ComponentCtx, passkeyId: string, name: string) => {
-        await ctx.runMutation(
-          config.component.public.passkeyUpdateMeta,
-          { passkeyId, data: { name } },
-        );
-      },
-      /**
-       * Delete a passkey credential.
-       *
-       * @param passkeyId - The passkey document ID to remove.
-       */
-      remove: async (ctx: ComponentCtx, passkeyId: string) => {
-        await ctx.runMutation(
-          config.component.public.passkeyDelete,
-          { passkeyId },
-        );
-      },
-    },
-    /**
-     * Manage TOTP two-factor authentication enrollments for users.
-     *
-     * ```ts
-     * const enrollments = await auth.totp.list(ctx, { userId });
-     * await auth.totp.remove(ctx, totpId);
-     * ```
-     */
-    totp: {
-      /**
-       * List all TOTP enrollments for a user.
-       *
-       * @param opts.userId - The user whose enrollments to list.
-       * @returns Array of TOTP enrollment records.
-       */
-      list: async (ctx: ComponentReadCtx, opts: { userId: string }) => {
-        return await ctx.runQuery(
-          config.component.public.totpListByUserId,
-          opts,
-        );
-      },
-      /**
-       * Delete a TOTP enrollment.
-       *
-       * @param totpId - The TOTP document ID to remove.
-       */
-      remove: async (ctx: ComponentCtx, totpId: string) => {
-        await ctx.runMutation(
-          config.component.public.totpDelete,
-          { totpId },
-        );
-      },
-    },
-    /**
-     * Manage API keys for programmatic access.
-     *
-     * Keys use SHA-256 hashing (via `@oslojs/crypto`) and support
-     * scoped resource:action permissions with optional per-key rate limiting.
-     *
-     * ```ts
-     * const { keyId, raw } = await auth.key.create(ctx, {
-     *   userId,
-     *   name: "CI Pipeline",
-     *   scopes: [{ resource: "users", actions: ["read", "list"] }],
-     * });
-     * // raw = "sk_live_abc123..." — show once, never stored
-     *
-     * const result = await auth.key.verify(ctx, rawKey);
-     * result.scopes.can("users", "read"); // true
-     * ```
-     */
-    key: {
-      /**
-       * Create a new API key. Returns the raw key **once** — it cannot
-       * be retrieved again after creation.
-       *
-       * @param opts.userId - The user this key belongs to.
-       * @param opts.name - Human-readable name (e.g. "CI Pipeline").
-       * @param opts.scopes - Resource:action permissions for this key.
-       * @param opts.rateLimit - Optional per-key rate limit override.
-       * @param opts.expiresAt - Optional expiration timestamp.
-       * @returns `{ keyId, raw }` where `raw` is the full key string.
-       */
-      create: async (
-        ctx: ComponentCtx,
-        opts: {
-          userId: string;
-          name: string;
-          scopes: import("../types.js").KeyScope[];
-          rateLimit?: { maxRequests: number; windowMs: number };
-          expiresAt?: number;
-        },
-      ): Promise<{ keyId: string; raw: string }> => {
-        const prefix = config.apiKeys?.prefix ?? "sk_live_";
-        // Validate scopes against config if defined
-        validateScopes(opts.scopes, config.apiKeys?.scopes);
-        const { raw, hashedKey, displayPrefix } = await generateApiKey(prefix);
-        const keyId = (await ctx.runMutation(
-          config.component.public.keyInsert,
-          {
-            userId: opts.userId,
-            prefix: displayPrefix,
-            hashedKey,
-            name: opts.name,
-            scopes: opts.scopes,
-            rateLimit: opts.rateLimit ?? config.apiKeys?.defaultRateLimit,
-            expiresAt: opts.expiresAt,
-          },
-        )) as string;
-        return { keyId, raw };
-      },
-      /**
-       * Verify a raw API key string. Returns the userId and a scope checker
-       * if the key is valid, not revoked, not expired, and not rate-limited.
-       *
-       * Also updates `lastUsedAt` and rate limit state as a side effect.
-       *
-       * @throws Error if the key is invalid, revoked, expired, or rate-limited.
-       */
-      verify: async (
-        ctx: ComponentCtx,
-        rawKey: string,
-      ): Promise<{
-        userId: string;
-        keyId: string;
-        scopes: import("../types.js").ScopeChecker;
-      }> => {
-        const hashedKey = await hashApiKey(rawKey);
-        const key = (await ctx.runQuery(
-          config.component.public.keyGetByHashedKey,
-          { hashedKey },
-        )) as KeyDoc | null;
-        if (!key) {
-          throwAuthError("INVALID_API_KEY");
-        }
-        if (key.revoked) {
-          throwAuthError("API_KEY_REVOKED");
-        }
-        if (key.expiresAt && key.expiresAt < Date.now()) {
-          throwAuthError("API_KEY_EXPIRED");
-        }
-        // Check per-key rate limit
-        const patchData: Record<string, unknown> = { lastUsedAt: Date.now() };
-        if (key.rateLimit) {
-          const { limited, newState } = checkKeyRateLimit(
-            key.rateLimit,
-            key.rateLimitState ?? undefined,
-          );
-          if (limited) {
-            throwAuthError("API_KEY_RATE_LIMITED");
-          }
-          patchData.rateLimitState = newState;
-        }
-        // Update lastUsedAt (and rate limit state if applicable)
-        await ctx.runMutation(config.component.public.keyPatch, {
-          keyId: key._id,
-          data: patchData,
-        });
-        return {
-          userId: key.userId,
-          keyId: key._id,
-          scopes: buildScopeChecker(key.scopes),
-        };
-      },
-      /**
-       * List API keys with optional filtering, sorting, and pagination.
-       * Never includes the raw key — only the display prefix.
-       *
-       * ```ts
-       * // All keys for a user
-       * await auth.key.list(ctx, { where: { userId } });
-       *
-       * // Only active (non-revoked)
-       * await auth.key.list(ctx, { where: { userId, revoked: false } });
-       * ```
-       */
-      list: async (
-        ctx: ComponentReadCtx,
-        opts?: {
-          where?: {
-            userId?: string;
-            revoked?: boolean;
-            name?: string;
-            prefix?: string;
-          };
-          limit?: number;
-          cursor?: string | null;
-          orderBy?: "_creationTime" | "name" | "lastUsedAt" | "expiresAt" | "revoked";
-          order?: "asc" | "desc";
-        },
-      ) => {
-        return await ctx.runQuery(config.component.public.keyList, {
-          where: opts?.where,
-          limit: opts?.limit,
-          cursor: opts?.cursor,
-          orderBy: opts?.orderBy,
-          order: opts?.order,
-        });
-      },
-      /**
-       * Get a single API key by its document ID.
-       * Returns `null` if not found.
-       */
-      get: async (ctx: ComponentReadCtx, keyId: string): Promise<KeyDoc | null> => {
-        return (await ctx.runQuery(
-          config.component.public.keyGetById,
-          { keyId },
-        )) as KeyDoc | null;
-      },
-      /**
-       * Update an API key's metadata (name, scopes, rate limit).
-       */
-      update: async (
-        ctx: ComponentCtx,
-        keyId: string,
-        data: {
-          name?: string;
-          scopes?: import("../types.js").KeyScope[];
-          rateLimit?: { maxRequests: number; windowMs: number };
-        },
-      ) => {
-        if (data.scopes) {
-          validateScopes(data.scopes, config.apiKeys?.scopes);
-        }
-        await ctx.runMutation(config.component.public.keyPatch, {
-          keyId,
-          data,
-        });
-      },
-      /**
-       * Revoke an API key (soft delete). The key record is preserved
-       * for audit purposes but can no longer be used for authentication.
-       */
-      revoke: async (ctx: ComponentCtx, keyId: string) => {
-        await ctx.runMutation(config.component.public.keyPatch, {
-          keyId,
-          data: { revoked: true },
-        });
-      },
-      /**
-       * Hard delete an API key record.
-       */
-      remove: async (ctx: ComponentCtx, keyId: string) => {
-        await ctx.runMutation(config.component.public.keyDelete, {
-          keyId,
-        });
-      },
-    },
-    /**
-     * HTTP namespace — route registration and Bearer-authenticated endpoints.
-     */
-    http: {
-      /**
-       * Register core HTTP routes for JWT verification and OAuth sign-in.
-       *
-       * ```ts
-       * import { httpRouter } from "convex/server";
-       * import { auth } from "./auth";
-       *
-       * const http = httpRouter();
-       *
-       * auth.http.add(http);
-       *
-       * export default http;
-       * ```
-       *
-       * The following routes are handled always:
-       *
-       * - `/.well-known/openid-configuration`
-       * - `/.well-known/jwks.json`
-       *
-       * The following routes are handled if OAuth is configured:
-       *
-       * - `/api/auth/signin/*`
-       * - `/api/auth/callback/*`
-       *
-       * @param http your HTTP router
-       */
-      add: (http: HttpRouter) => {
-      http.route({
-        path: "/.well-known/openid-configuration",
-        method: "GET",
-        handler: httpActionGeneric(async () => {
-          return new Response(
-            JSON.stringify({
-              issuer: requireEnv("CONVEX_SITE_URL"),
-              jwks_uri:
-                requireEnv("CONVEX_SITE_URL") + "/.well-known/jwks.json",
-              authorization_endpoint:
-                requireEnv("CONVEX_SITE_URL") + "/oauth/authorize",
-            }),
-            {
-              status: 200,
-              headers: {
-                "Content-Type": "application/json",
-                "Cache-Control":
-                  "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
-              },
-            },
-          );
-        }),
-      });
-      http.route({
-        path: "/.well-known/jwks.json",
-        method: "GET",
-        handler: httpActionGeneric(async () => {
-          return new Response(requireEnv("JWKS"), {
-            status: 200,
-            headers: {
-              "Content-Type": "application/json",
-              "Cache-Control":
-                "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
-            },
-          });
-        }),
-      });
-      if (hasOAuth) {
-        http.route({
-          pathPrefix: "/api/auth/signin/",
-          method: "GET",
-          handler: httpActionGeneric(
-            convertErrorsToResponse(400, async (ctx, request) => {
-              const url = new URL(request.url);
-              const pathParts = url.pathname.split("/");
-              const providerId = pathParts.at(-1)!;
-              if (providerId === null) {
-                throwAuthError("OAUTH_MISSING_PROVIDER");
-              }
-              const verifier = url.searchParams.get("code");
-              if (verifier === null) {
-                throwAuthError("OAUTH_MISSING_VERIFIER");
-              }
-              const provider = getProviderOrThrow(providerId);
-              const oauthConfig = provider as OAuthMaterializedConfig;
-              const { redirect, cookies, signature } =
-                await createOAuthAuthorizationURL(
-                  providerId,
-                  oauthConfig.provider,
-                  oauthConfig,
-                );
-              await callVerifierSignature(ctx, {
-                verifier,
-                signature,
-              });
-              const redirectTo = url.searchParams.get("redirectTo");
-              if (redirectTo !== null) {
-                cookies.push(redirectToParamCookie(providerId, redirectTo));
-              }
-              const headers = new Headers({ Location: redirect });
-              for (const { name, value, options } of cookies) {
-                headers.append(
-                  "Set-Cookie",
-                  serializeCookie(name, value, options as any),
-                );
-              }
-              return new Response(null, { status: 302, headers });
-            }),
-          ),
-        });
-        const callbackAction = httpActionGeneric(
-          async (genericCtx, request) => {
-            const ctx = genericCtx as unknown as ActionCtx;
-            const url = new URL(request.url);
-            const pathParts = url.pathname.split("/");
-            const providerId = pathParts.at(-1)!;
-            logWithLevel(
-              LOG_LEVELS.DEBUG,
-              "Handling OAuth callback for provider:",
-              providerId,
-            );
-            const provider = getProviderOrThrow(providerId);
-            const cookies = getCookies(request);
-            const maybeRedirectTo = useRedirectToParam(provider.id, cookies);
-            const destinationUrl = await redirectAbsoluteUrl(config, {
-              redirectTo: maybeRedirectTo?.redirectTo,
-            });
-            const params = url.searchParams;
-            // Handle OAuth providers that use formData (such as Apple)
-            if (
-              request.headers.get("Content-Type") ===
-              "application/x-www-form-urlencoded"
-            ) {
-              const formData = await request.formData();
-              for (const [key, value] of formData.entries()) {
-                if (typeof value === "string") {
-                  params.append(key, value);
-                }
-              }
-            }
-            try {
-              const oauthConfig = provider as OAuthMaterializedConfig;
-              const result = await handleOAuthCallback(
-                providerId,
-                oauthConfig.provider,
-                oauthConfig,
-                Object.fromEntries(params.entries()),
-                cookies,
-              );
-              const { id: profileId, ...profileData } = result.profile;
-              const { signature } = result;
-              const verificationCode = await callUserOAuth(ctx, {
-                provider: providerId,
-                providerAccountId: profileId,
-                profile: profileData,
-                signature,
-              });
-              return new Response(null, {
-                status: 302,
-                headers: {
-                  Location: setURLSearchParam(
-                    destinationUrl,
-                    "code",
-                    verificationCode,
-                  ),
-                  "Cache-Control": "must-revalidate",
-                },
-              });
-            } catch (error) {
-              logError(error);
-              return Response.redirect(destinationUrl);
-            }
-          },
-        );
-        http.route({
-          pathPrefix: "/api/auth/callback/",
-          method: "GET",
-          handler: callbackAction,
-        });
-        http.route({
-          pathPrefix: "/api/auth/callback/",
-          method: "POST",
-          handler: callbackAction,
-        });
-      }
-    },
-      /**
-       * Wrap an HTTP action handler with Bearer token authentication.
-       *
-       * Extracts the `Authorization: Bearer <key>` header, verifies the
-       * API key via `auth.key.verify()`, and injects `ctx.key` with the
-       * verified key info. Returns structured JSON error responses for
-       * missing/invalid/revoked/expired/rate-limited keys.
-       *
-       * If the handler returns a plain object, it is auto-wrapped in a
-       * `200 JSON` response. If it returns a `Response`, CORS headers
-       * are merged and the response is passed through.
-       *
-       * ```ts
-       * const handler = auth.http.action(async (ctx, request) => {
-       *   const data = await ctx.runQuery(api.data.get, { userId: ctx.key.userId });
-       *   return { data };
-       * });
-       * http.route({ path: "/api/data", method: "GET", handler });
-       * ```
-       *
-       * @param handler - Receives enriched `ctx` (with `ctx.key`) and the raw `Request`.
-       * @param options.scope - Optional scope check; returns 403 if the key lacks permission.
-       * @param options.cors - CORS config; defaults to permissive (`*`).
-       */
-      action: (
-        handler: (
-          ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,
-          request: Request,
-        ) => Promise<Response | Record<string, unknown>>,
-        options?: {
-          scope?: { resource: string; action: string };
-          cors?: CorsConfig;
-        },
-      ) => {
-        const corsConfig = options?.cors ?? {};
-        const corsHeaders: Record<string, string> = {
-          "Access-Control-Allow-Origin": corsConfig.origin ?? "*",
-          "Access-Control-Allow-Methods":
-            corsConfig.methods ?? "GET,POST,PUT,PATCH,DELETE,OPTIONS",
-          "Access-Control-Allow-Headers":
-            corsConfig.headers ?? "Content-Type,Authorization",
-        };
-        const jsonError = (
-          status: number,
-          code: string,
-          message: string,
-        ) =>
-          new Response(JSON.stringify({ error: message, code }), {
-            status,
-            headers: { ...corsHeaders, "Content-Type": "application/json" },
-          });
-        return httpActionGeneric(async (genericCtx, request) => {
-          const ctx = genericCtx as unknown as GenericActionCtx<GenericDataModel>;
-          try {
-            // 1. Extract Bearer token
-            const authHeader = request.headers.get("Authorization");
-            if (!authHeader?.startsWith("Bearer ")) {
-              return jsonError(
-                401,
-                "MISSING_BEARER_TOKEN",
-                "Missing or malformed Authorization: Bearer header.",
-              );
-            }
-            const rawKey = authHeader.slice(7);
-            // 2. Verify API key
-            let keyResult: { userId: string; keyId: string; scopes: import("../types.js").ScopeChecker };
-            try {
-              keyResult = await auth.key.verify(ctx, rawKey);
-            } catch (error: unknown) {
-              if (isAuthError(error)) {
-                const { code, message } = error.data as { code: string; message: string };
-                return jsonError(403, code, message);
-              }
-              throw error;
-            }
-            // 3. Optional scope check
-            if (options?.scope) {
-              if (!keyResult.scopes.can(options.scope.resource, options.scope.action)) {
-                return jsonError(
-                  403,
-                  "SCOPE_CHECK_FAILED",
-                  "This API key does not have the required permissions.",
-                );
-              }
-            }
-            // 4. Enrich context with key info
-            const enrichedCtx = Object.assign(ctx, {
-              key: {
-                userId: keyResult.userId,
-                keyId: keyResult.keyId,
-                scopes: keyResult.scopes,
-              },
-            });
-            // 5. Call handler
-            const result = await handler(enrichedCtx, request);
-            // 6. Auto-wrap plain objects as JSON responses
-            if (result instanceof Response) {
-              // Merge CORS headers into existing response
-              const headers = new Headers(result.headers);
-              for (const [k, val] of Object.entries(corsHeaders)) {
-                if (!headers.has(k)) headers.set(k, val);
-              }
-              return new Response(result.body, {
-                status: result.status,
-                statusText: result.statusText,
-                headers,
-              });
-            }
-            return new Response(JSON.stringify(result), {
-              status: 200,
-              headers: { ...corsHeaders, "Content-Type": "application/json" },
-            });
-          } catch (error: unknown) {
-            logError(error);
-            return jsonError(500, "INTERNAL_ERROR", "An unexpected error occurred.");
-          }
-        });
-      },
-      /**
-       * Register a Bearer-authenticated route **and** its OPTIONS preflight
-       * in a single call.
-       *
-       * ```ts
-       * auth.http.route(http, {
-       *   path: "/api/messages",
-       *   method: "POST",
-       *   handler: async (ctx, request) => {
-       *     const { body } = await request.json();
-       *     await ctx.runMutation(internal.messages.sendAsUser, {
-       *       userId: ctx.key.userId,
-       *       body,
-       *     });
-       *     return { success: true };
-       *   },
-       * });
-       * ```
-       *
-       * @param http - The Convex HTTP router.
-       * @param routeConfig.path - The URL path to match.
-       * @param routeConfig.method - HTTP method (GET, POST, PUT, PATCH, DELETE).
-       * @param routeConfig.handler - Receives enriched `ctx` (with `ctx.key`) and the raw `Request`.
-       * @param routeConfig.scope - Optional scope check; returns 403 if the key lacks permission.
-       * @param routeConfig.cors - CORS config; defaults to permissive (`*`).
-       */
-      route: (
-        http: HttpRouter,
-        routeConfig: {
-          path: string;
-          method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
-          handler: (
-            ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,
-            request: Request,
-          ) => Promise<Response | Record<string, unknown>>;
-          scope?: { resource: string; action: string };
-          cors?: CorsConfig;
-        },
-      ) => {
-        const corsConfig = routeConfig.cors ?? {};
-        const corsHeaders: Record<string, string> = {
-          "Access-Control-Allow-Origin": corsConfig.origin ?? "*",
-          "Access-Control-Allow-Methods":
-            corsConfig.methods ?? "GET,POST,PUT,PATCH,DELETE,OPTIONS",
-          "Access-Control-Allow-Headers":
-            corsConfig.headers ?? "Content-Type,Authorization",
-        };
-        // Register OPTIONS preflight
-        http.route({
-          path: routeConfig.path,
-          method: "OPTIONS",
-          handler: httpActionGeneric(async () => {
-            return new Response(null, { status: 204, headers: corsHeaders });
-          }),
-        });
-        // Register the main route with Bearer auth wrapping
-        http.route({
-          path: routeConfig.path,
-          method: routeConfig.method,
-          handler: auth.http.action(routeConfig.handler, {
-            scope: routeConfig.scope,
-            cors: routeConfig.cors,
-          }),
-        });
-      },
-    },
-  };
-  const enrichCtx = <DataModel extends GenericDataModel>(
-    ctx: GenericActionCtx<DataModel>,
-  ) => ({
-    ...ctx,
-    auth: {
-      ...ctx.auth,
-      config,
-      account: auth.account,
-      session: auth.session,
-      provider: auth.provider,
-    },
-  });
-  return {
-    /**
-     * Helper for configuring HTTP actions.
-     */
-    auth,
-    /**
-     * Action called by the client to sign the user in.
-     *
-     * Also used for refreshing the session.
-     */
-    signIn: actionGeneric({
-      args: {
-        provider: v.optional(v.string()),
-        params: v.optional(v.any()),
-        verifier: v.optional(v.string()),
-        refreshToken: v.optional(v.string()),
-        calledBy: v.optional(v.string()),
-      },
-      handler: async (
-        ctx,
-        args,
-      ): Promise<{
-        redirect?: string;
-        verifier?: string;
-        tokens?: Tokens | null;
-        started?: boolean;
-        options?: Record<string, any>;
-        totpRequired?: boolean;
-        totpSetup?: { uri: string; secret: string; totpId: string };
-        deviceCode?: {
-          deviceCode: string;
-          userCode: string;
-          verificationUri: string;
-          verificationUriComplete: string;
-          expiresIn: number;
-          interval: number;
-        };
-      }> => {
-        if (args.calledBy !== undefined) {
-          logWithLevel("INFO", `\`auth:signIn\` called by ${args.calledBy}`);
-        }
-        const provider =
-          args.provider !== undefined
-            ? getProviderOrThrow(args.provider)
-            : null;
-        const result = await signInImpl(enrichCtx(ctx), provider, args, {
-          generateTokens: true,
-          allowExtraProviders: false,
-        });
-        switch (result.kind) {
-          case "redirect":
-            return { redirect: result.redirect, verifier: result.verifier };
-          case "signedIn":
-          case "refreshTokens":
-            return { tokens: result.signedIn?.tokens ?? null };
-          case "started":
-            return { started: true };
-          case "passkeyOptions":
-            return { options: result.options, verifier: result.verifier };
-          case "totpRequired":
-            return { totpRequired: true, verifier: result.verifier };
-          case "totpSetup":
-            return { totpSetup: { uri: result.uri, secret: result.secret, totpId: result.totpId }, verifier: result.verifier };
-          case "deviceCode":
-            return {
-              deviceCode: {
-                deviceCode: result.deviceCode,
-                userCode: result.userCode,
-                verificationUri: result.verificationUri,
-                verificationUriComplete: result.verificationUriComplete,
-                expiresIn: result.expiresIn,
-                interval: result.interval,
-              },
-            };
-          default: {
-            const _typecheck: never = result;
-            throwAuthError("INTERNAL_ERROR", `Unexpected result from signIn, ${String(result)}`);
-          }
-        }
-      },
-    }),
-    /**
-     * Action called by the client to invalidate the current session.
-     */
-    signOut: actionGeneric({
-      args: {},
-      handler: async (ctx) => {
-        await callSignOut(ctx);
-      },
-    }),
-    /**
-     * Internal mutation used by the library to read and write
-     * to the database during signin and signout.
-     */
-    store: internalMutationGeneric({
-      args: storeArgs,
-      handler: async (ctx: MutationCtx, args) => {
-        return storeImpl(ctx, args, getProviderOrThrow, config);
-      },
-    }),
-  };
-}
-function convertErrorsToResponse(
-  errorStatusCode: number,
-  action: (ctx: GenericActionCtx<any>, request: Request) => Promise<Response>,
-) {
-  return async (ctx: GenericActionCtx<any>, request: Request) => {
-    try {
-      return await action(ctx, request);
-    } catch (error) {
-      if (isAuthError(error)) {
-        return new Response(
-          JSON.stringify({ code: error.data.code, message: error.data.message }),
-          {
-            status: errorStatusCode,
-            headers: { "Content-Type": "application/json" },
-          },
-        );
-      } else if (error instanceof ConvexError) {
-        return new Response(null, {
-          status: errorStatusCode,
-          statusText: typeof error.data === "string" ? error.data : "Error",
-        });
-      } else {
-        logError(error);
-        return new Response(null, {
-          status: 500,
-          statusText: "Internal Server Error",
-        });
-      }
-    }
-  };
-}
-function getCookies(request: Request): Record<string, string | undefined> {
-  return parseCookies(request.headers.get("Cookie") ?? "");
-}