@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +67 -26
- package/dist/authorization/index.d.ts +63 -0
- package/dist/authorization/index.d.ts.map +1 -0
- package/dist/authorization/index.js +63 -0
- package/dist/authorization/index.js.map +1 -0
- package/dist/bin.js +6185 -0
- package/dist/client/core/types.d.ts +20 -0
- package/dist/client/core/types.d.ts.map +1 -0
- package/dist/client/index.d.ts +2 -299
- package/dist/client/index.d.ts.map +1 -1
- package/dist/client/index.js +407 -534
- package/dist/client/index.js.map +1 -1
- package/dist/component/_generated/api.d.ts +42 -0
- package/dist/component/_generated/api.d.ts.map +1 -1
- package/dist/component/_generated/api.js.map +1 -1
- package/dist/component/_generated/component.d.ts +2546 -90
- package/dist/component/_generated/component.d.ts.map +1 -1
- package/dist/component/client/core/types.d.ts +2 -0
- package/dist/component/client/index.d.ts +2 -0
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/functions.d.ts +11 -9
- package/dist/component/functions.d.ts.map +1 -1
- package/dist/component/functions.js.map +1 -1
- package/dist/component/index.d.ts +7 -11
- package/dist/component/index.js +2 -3
- package/dist/component/model.d.ts +153 -0
- package/dist/component/model.d.ts.map +1 -0
- package/dist/component/model.js +349 -0
- package/dist/component/model.js.map +1 -0
- package/dist/component/providers/anonymous.d.ts +54 -0
- package/dist/component/providers/anonymous.d.ts.map +1 -0
- package/dist/component/providers/credentials.d.ts +5 -5
- package/dist/component/providers/credentials.d.ts.map +1 -1
- package/dist/component/providers/device.d.ts +67 -0
- package/dist/component/providers/device.d.ts.map +1 -0
- package/dist/component/providers/email.d.ts +62 -0
- package/dist/component/providers/email.d.ts.map +1 -0
- package/dist/component/providers/oauth.d.ts.map +1 -1
- package/dist/component/providers/oauth.js.map +1 -1
- package/dist/component/providers/passkey.d.ts +57 -0
- package/dist/component/providers/passkey.d.ts.map +1 -0
- package/dist/component/providers/password.d.ts +88 -0
- package/dist/component/providers/password.d.ts.map +1 -0
- package/dist/component/providers/phone.d.ts +48 -0
- package/dist/component/providers/phone.d.ts.map +1 -0
- package/dist/component/providers/sso.d.ts +50 -0
- package/dist/component/providers/sso.d.ts.map +1 -0
- package/dist/component/providers/totp.d.ts +45 -0
- package/dist/component/providers/totp.d.ts.map +1 -0
- package/dist/component/public/enterprise/audit.d.ts +73 -0
- package/dist/component/public/enterprise/audit.d.ts.map +1 -0
- package/dist/component/public/enterprise/audit.js +108 -0
- package/dist/component/public/enterprise/audit.js.map +1 -0
- package/dist/component/public/enterprise/core.d.ts +176 -0
- package/dist/component/public/enterprise/core.d.ts.map +1 -0
- package/dist/component/public/enterprise/core.js +292 -0
- package/dist/component/public/enterprise/core.js.map +1 -0
- package/dist/component/public/enterprise/domains.d.ts +174 -0
- package/dist/component/public/enterprise/domains.d.ts.map +1 -0
- package/dist/component/public/enterprise/domains.js +271 -0
- package/dist/component/public/enterprise/domains.js.map +1 -0
- package/dist/component/public/enterprise/scim.d.ts +245 -0
- package/dist/component/public/enterprise/scim.d.ts.map +1 -0
- package/dist/component/public/enterprise/scim.js +344 -0
- package/dist/component/public/enterprise/scim.js.map +1 -0
- package/dist/component/public/enterprise/secrets.d.ts +78 -0
- package/dist/component/public/enterprise/secrets.d.ts.map +1 -0
- package/dist/component/public/enterprise/secrets.js +118 -0
- package/dist/component/public/enterprise/secrets.js.map +1 -0
- package/dist/component/public/enterprise/webhooks.d.ts +211 -0
- package/dist/component/public/enterprise/webhooks.d.ts.map +1 -0
- package/dist/component/public/enterprise/webhooks.js +300 -0
- package/dist/component/public/enterprise/webhooks.js.map +1 -0
- package/dist/component/public/factors/devices.d.ts +157 -0
- package/dist/component/public/factors/devices.d.ts.map +1 -0
- package/dist/component/public/factors/devices.js +216 -0
- package/dist/component/public/factors/devices.js.map +1 -0
- package/dist/component/public/factors/passkeys.d.ts +175 -0
- package/dist/component/public/factors/passkeys.d.ts.map +1 -0
- package/dist/component/public/factors/passkeys.js +238 -0
- package/dist/component/public/factors/passkeys.js.map +1 -0
- package/dist/component/public/factors/totp.d.ts +189 -0
- package/dist/component/public/factors/totp.d.ts.map +1 -0
- package/dist/component/public/factors/totp.js +254 -0
- package/dist/component/public/factors/totp.js.map +1 -0
- package/dist/component/public/groups/core.d.ts +137 -0
- package/dist/component/public/groups/core.d.ts.map +1 -0
- package/dist/component/public/groups/core.js +321 -0
- package/dist/component/public/groups/core.js.map +1 -0
- package/dist/component/public/groups/invites.d.ts +217 -0
- package/dist/component/public/groups/invites.d.ts.map +1 -0
- package/dist/component/public/groups/invites.js +457 -0
- package/dist/component/public/groups/invites.js.map +1 -0
- package/dist/component/public/groups/members.d.ts +204 -0
- package/dist/component/public/groups/members.d.ts.map +1 -0
- package/dist/component/public/groups/members.js +355 -0
- package/dist/component/public/groups/members.js.map +1 -0
- package/dist/component/public/identity/accounts.d.ts +147 -0
- package/dist/component/public/identity/accounts.d.ts.map +1 -0
- package/dist/component/public/identity/accounts.js +200 -0
- package/dist/component/public/identity/accounts.js.map +1 -0
- package/dist/component/public/identity/codes.d.ts +104 -0
- package/dist/component/public/identity/codes.d.ts.map +1 -0
- package/dist/component/public/identity/codes.js +140 -0
- package/dist/component/public/identity/codes.js.map +1 -0
- package/dist/component/public/identity/sessions.d.ts +128 -0
- package/dist/component/public/identity/sessions.d.ts.map +1 -0
- package/dist/component/public/identity/sessions.js +192 -0
- package/dist/component/public/identity/sessions.js.map +1 -0
- package/dist/component/public/identity/tokens.d.ts +169 -0
- package/dist/component/public/identity/tokens.d.ts.map +1 -0
- package/dist/component/public/identity/tokens.js +227 -0
- package/dist/component/public/identity/tokens.js.map +1 -0
- package/dist/component/public/identity/users.d.ts +212 -0
- package/dist/component/public/identity/users.d.ts.map +1 -0
- package/dist/component/public/identity/users.js +311 -0
- package/dist/component/public/identity/users.js.map +1 -0
- package/dist/component/public/identity/verifiers.d.ts +116 -0
- package/dist/component/public/identity/verifiers.d.ts.map +1 -0
- package/dist/component/public/identity/verifiers.js +154 -0
- package/dist/component/public/identity/verifiers.js.map +1 -0
- package/dist/component/public/security/keys.d.ts +209 -0
- package/dist/component/public/security/keys.d.ts.map +1 -0
- package/dist/component/public/security/keys.js +319 -0
- package/dist/component/public/security/keys.js.map +1 -0
- package/dist/component/public/security/limits.d.ts +114 -0
- package/dist/component/public/security/limits.d.ts.map +1 -0
- package/dist/component/public/security/limits.js +169 -0
- package/dist/component/public/security/limits.js.map +1 -0
- package/dist/component/public.d.ts +24 -271
- package/dist/component/public.d.ts.map +1 -1
- package/dist/component/public.js +21 -1229
- package/dist/component/schema.d.ts +473 -110
- package/dist/component/schema.js +162 -73
- package/dist/component/schema.js.map +1 -1
- package/dist/component/server/auth.d.ts +318 -373
- package/dist/component/server/auth.d.ts.map +1 -1
- package/dist/component/server/auth.js +204 -123
- package/dist/component/server/auth.js.map +1 -1
- package/dist/component/server/authError.js +34 -0
- package/dist/component/server/authError.js.map +1 -0
- package/dist/component/server/{providers.js → config.js} +43 -12
- package/dist/component/server/config.js.map +1 -0
- package/dist/component/server/cookies.js +3 -0
- package/dist/component/server/cookies.js.map +1 -1
- package/dist/component/server/core.js +713 -0
- package/dist/component/server/core.js.map +1 -0
- package/dist/component/server/crypto.js +38 -0
- package/dist/component/server/crypto.js.map +1 -0
- package/dist/component/server/{implementation/db.js → db.js} +2 -1
- package/dist/component/server/db.js.map +1 -0
- package/dist/component/server/device.js +109 -0
- package/dist/component/server/device.js.map +1 -0
- package/dist/component/server/enterprise/config.js +46 -0
- package/dist/component/server/enterprise/config.js.map +1 -0
- package/dist/component/server/enterprise/domain.js +885 -0
- package/dist/component/server/enterprise/domain.js.map +1 -0
- package/dist/component/server/enterprise/http.js +766 -0
- package/dist/component/server/enterprise/http.js.map +1 -0
- package/dist/component/server/enterprise/oidc.js +248 -0
- package/dist/component/server/enterprise/oidc.js.map +1 -0
- package/dist/component/server/enterprise/policy.js +85 -0
- package/dist/component/server/enterprise/policy.js.map +1 -0
- package/dist/component/server/enterprise/saml.js +338 -0
- package/dist/component/server/enterprise/saml.js.map +1 -0
- package/dist/component/server/enterprise/scim.js +97 -0
- package/dist/component/server/enterprise/scim.js.map +1 -0
- package/dist/component/server/enterprise/shared.js +51 -0
- package/dist/component/server/enterprise/shared.js.map +1 -0
- package/dist/component/server/errors.d.ts +1 -0
- package/dist/component/server/errors.js +24 -16
- package/dist/component/server/errors.js.map +1 -1
- package/dist/component/server/http.js +288 -0
- package/dist/component/server/http.js.map +1 -0
- package/dist/component/server/identity.js +13 -0
- package/dist/component/server/identity.js.map +1 -0
- package/dist/{server/implementation → component/server}/keys.js +9 -31
- package/dist/component/server/keys.js.map +1 -0
- package/dist/component/server/limits.js +61 -0
- package/dist/component/server/limits.js.map +1 -0
- package/dist/component/server/mutations/account.js +44 -0
- package/dist/component/server/mutations/account.js.map +1 -0
- package/dist/component/server/{implementation/mutations → mutations}/code.js +7 -4
- package/dist/component/server/mutations/code.js.map +1 -0
- package/dist/component/server/mutations/invalidate.js +32 -0
- package/dist/component/server/mutations/invalidate.js.map +1 -0
- package/dist/component/server/mutations/oauth.js +110 -0
- package/dist/component/server/mutations/oauth.js.map +1 -0
- package/dist/component/server/mutations/refresh.js +119 -0
- package/dist/component/server/mutations/refresh.js.map +1 -0
- package/dist/component/server/mutations/register.js +83 -0
- package/dist/component/server/mutations/register.js.map +1 -0
- package/dist/component/server/mutations/retrieve.js +65 -0
- package/dist/component/server/mutations/retrieve.js.map +1 -0
- package/dist/component/server/mutations/signature.js +32 -0
- package/dist/component/server/mutations/signature.js.map +1 -0
- package/dist/component/server/{implementation/mutations → mutations}/signin.js +2 -2
- package/dist/component/server/mutations/signin.js.map +1 -0
- package/dist/component/server/mutations/signout.js +27 -0
- package/dist/component/server/mutations/signout.js.map +1 -0
- package/dist/component/server/mutations/store/refs.js +15 -0
- package/dist/component/server/mutations/store/refs.js.map +1 -0
- package/dist/component/server/mutations/store.js +85 -0
- package/dist/component/server/mutations/store.js.map +1 -0
- package/dist/component/server/mutations/verifier.js +18 -0
- package/dist/component/server/mutations/verifier.js.map +1 -0
- package/dist/component/server/mutations/verify.js +98 -0
- package/dist/component/server/mutations/verify.js.map +1 -0
- package/dist/component/server/oauth.js +106 -60
- package/dist/component/server/oauth.js.map +1 -1
- package/dist/component/server/passkey.js +328 -0
- package/dist/component/server/passkey.js.map +1 -0
- package/dist/{server/implementation → component/server}/redirects.js +13 -11
- package/dist/component/server/redirects.js.map +1 -0
- package/dist/component/server/refresh.js +96 -0
- package/dist/component/server/refresh.js.map +1 -0
- package/dist/component/server/runtime.d.ts +136 -0
- package/dist/component/server/runtime.d.ts.map +1 -0
- package/dist/component/server/runtime.js +413 -0
- package/dist/component/server/runtime.js.map +1 -0
- package/dist/{server/implementation → component/server}/sessions.js +14 -8
- package/dist/component/server/sessions.js.map +1 -0
- package/dist/component/server/signin.js +201 -0
- package/dist/component/server/signin.js.map +1 -0
- package/dist/component/server/tokens.js +17 -0
- package/dist/component/server/tokens.js.map +1 -0
- package/dist/component/server/totp.js +148 -0
- package/dist/component/server/totp.js.map +1 -0
- package/dist/component/server/types.d.ts +387 -298
- package/dist/component/server/types.d.ts.map +1 -1
- package/dist/component/server/{implementation/types.js → types.js} +1 -1
- package/dist/component/server/types.js.map +1 -0
- package/dist/component/server/{implementation/users.js → users.js} +54 -35
- package/dist/component/server/users.js.map +1 -0
- package/dist/component/server/utils.js +110 -4
- package/dist/component/server/utils.js.map +1 -1
- package/dist/core/types.d.ts +369 -0
- package/dist/core/types.d.ts.map +1 -0
- package/dist/factors/device.js +105 -0
- package/dist/factors/device.js.map +1 -0
- package/dist/factors/passkey.js +181 -0
- package/dist/factors/passkey.js.map +1 -0
- package/dist/factors/totp.js +122 -0
- package/dist/factors/totp.js.map +1 -0
- package/dist/providers/anonymous.d.ts +3 -9
- package/dist/providers/anonymous.d.ts.map +1 -1
- package/dist/providers/anonymous.js +1 -18
- package/dist/providers/anonymous.js.map +1 -1
- package/dist/providers/credentials.d.ts +8 -10
- package/dist/providers/credentials.d.ts.map +1 -1
- package/dist/providers/credentials.js +3 -5
- package/dist/providers/credentials.js.map +1 -1
- package/dist/providers/device.d.ts +18 -10
- package/dist/providers/device.d.ts.map +1 -1
- package/dist/providers/device.js +4 -8
- package/dist/providers/device.js.map +1 -1
- package/dist/providers/email.d.ts +50 -23
- package/dist/providers/email.d.ts.map +1 -1
- package/dist/providers/email.js +58 -34
- package/dist/providers/email.js.map +1 -1
- package/dist/providers/index.d.ts +7 -3
- package/dist/providers/index.js +4 -1
- package/dist/providers/oauth.d.ts.map +1 -1
- package/dist/providers/oauth.js.map +1 -1
- package/dist/providers/passkey.d.ts +12 -9
- package/dist/providers/passkey.d.ts.map +1 -1
- package/dist/providers/passkey.js +1 -7
- package/dist/providers/passkey.js.map +1 -1
- package/dist/providers/password.d.ts +6 -12
- package/dist/providers/password.d.ts.map +1 -1
- package/dist/providers/password.js +189 -89
- package/dist/providers/password.js.map +1 -1
- package/dist/providers/phone.d.ts +40 -11
- package/dist/providers/phone.d.ts.map +1 -1
- package/dist/providers/phone.js +52 -21
- package/dist/providers/phone.js.map +1 -1
- package/dist/providers/sso.d.ts +50 -0
- package/dist/providers/sso.d.ts.map +1 -0
- package/dist/providers/sso.js +34 -0
- package/dist/providers/sso.js.map +1 -0
- package/dist/providers/totp.d.ts +12 -9
- package/dist/providers/totp.d.ts.map +1 -1
- package/dist/providers/totp.js +1 -7
- package/dist/providers/totp.js.map +1 -1
- package/dist/runtime/browser.js +68 -0
- package/dist/runtime/browser.js.map +1 -0
- package/dist/runtime/invite.js +51 -0
- package/dist/runtime/invite.js.map +1 -0
- package/dist/runtime/proxy.js +70 -0
- package/dist/runtime/proxy.js.map +1 -0
- package/dist/runtime/storage.js +37 -0
- package/dist/runtime/storage.js.map +1 -0
- package/dist/server/auth.d.ts +335 -370
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +204 -123
- package/dist/server/auth.js.map +1 -1
- package/dist/server/authError.d.ts +46 -0
- package/dist/server/authError.d.ts.map +1 -0
- package/dist/server/authError.js +34 -0
- package/dist/server/authError.js.map +1 -0
- package/dist/server/config.d.ts +1 -0
- package/dist/server/{providers.js → config.js} +43 -12
- package/dist/server/config.js.map +1 -0
- package/dist/server/cookies.d.ts +1 -38
- package/dist/server/cookies.js +3 -0
- package/dist/server/cookies.js.map +1 -1
- package/dist/server/core.d.ts +1436 -0
- package/dist/server/core.d.ts.map +1 -0
- package/dist/server/core.js +713 -0
- package/dist/server/core.js.map +1 -0
- package/dist/server/crypto.d.ts +8 -0
- package/dist/server/crypto.d.ts.map +1 -0
- package/dist/server/crypto.js +38 -0
- package/dist/server/crypto.js.map +1 -0
- package/dist/server/db.d.ts +1 -0
- package/dist/server/{implementation/db.js → db.js} +2 -1
- package/dist/server/db.js.map +1 -0
- package/dist/server/device.d.ts +1 -0
- package/dist/server/device.js +109 -0
- package/dist/server/device.js.map +1 -0
- package/dist/server/enterprise/config.d.ts +1 -0
- package/dist/server/enterprise/config.js +46 -0
- package/dist/server/enterprise/config.js.map +1 -0
- package/dist/server/enterprise/domain.d.ts +409 -0
- package/dist/server/enterprise/domain.d.ts.map +1 -0
- package/dist/server/enterprise/domain.js +885 -0
- package/dist/server/enterprise/domain.js.map +1 -0
- package/dist/server/enterprise/http.d.ts +26 -0
- package/dist/server/enterprise/http.d.ts.map +1 -0
- package/dist/server/enterprise/http.js +766 -0
- package/dist/server/enterprise/http.js.map +1 -0
- package/dist/server/enterprise/oidc.d.ts +1 -0
- package/dist/server/enterprise/oidc.js +248 -0
- package/dist/server/enterprise/oidc.js.map +1 -0
- package/dist/server/enterprise/policy.d.ts +1 -0
- package/dist/server/enterprise/policy.js +85 -0
- package/dist/server/enterprise/policy.js.map +1 -0
- package/dist/server/enterprise/saml.d.ts +1 -0
- package/dist/server/enterprise/saml.js +338 -0
- package/dist/server/enterprise/saml.js.map +1 -0
- package/dist/server/enterprise/scim.d.ts +1 -0
- package/dist/server/enterprise/scim.js +97 -0
- package/dist/server/enterprise/scim.js.map +1 -0
- package/dist/server/enterprise/shared.d.ts +5 -0
- package/dist/server/enterprise/shared.d.ts.map +1 -0
- package/dist/server/enterprise/shared.js +51 -0
- package/dist/server/enterprise/shared.js.map +1 -0
- package/dist/server/enterprise/validators.d.ts +1 -0
- package/dist/server/enterprise/validators.js +60 -0
- package/dist/server/enterprise/validators.js.map +1 -0
- package/dist/server/errors.d.ts +33 -1
- package/dist/server/errors.d.ts.map +1 -1
- package/dist/server/errors.js +44 -1
- package/dist/server/errors.js.map +1 -1
- package/dist/server/http.d.ts +59 -0
- package/dist/server/http.d.ts.map +1 -0
- package/dist/server/http.js +288 -0
- package/dist/server/http.js.map +1 -0
- package/dist/server/identity.d.ts +1 -0
- package/dist/server/identity.js +13 -0
- package/dist/server/identity.js.map +1 -0
- package/dist/server/index.d.ts +4 -182
- package/dist/server/index.js +4 -376
- package/dist/server/keys.d.ts +1 -0
- package/dist/{component/server/implementation → server}/keys.js +9 -31
- package/dist/server/keys.js.map +1 -0
- package/dist/server/limits.d.ts +1 -0
- package/dist/server/limits.js +61 -0
- package/dist/server/limits.js.map +1 -0
- package/dist/server/mounts.d.ts +647 -0
- package/dist/server/mounts.d.ts.map +1 -0
- package/dist/server/mounts.js +643 -0
- package/dist/server/mounts.js.map +1 -0
- package/dist/server/mutations/account.d.ts +30 -0
- package/dist/server/mutations/account.d.ts.map +1 -0
- package/dist/server/mutations/account.js +44 -0
- package/dist/server/mutations/account.js.map +1 -0
- package/dist/server/mutations/code.d.ts +30 -0
- package/dist/server/mutations/code.d.ts.map +1 -0
- package/dist/server/{implementation/mutations → mutations}/code.js +7 -4
- package/dist/server/mutations/code.js.map +1 -0
- package/dist/server/mutations/index.d.ts +14 -0
- package/dist/server/mutations/index.js +15 -0
- package/dist/server/mutations/invalidate.d.ts +20 -0
- package/dist/server/mutations/invalidate.d.ts.map +1 -0
- package/dist/server/mutations/invalidate.js +32 -0
- package/dist/server/mutations/invalidate.js.map +1 -0
- package/dist/server/mutations/oauth.d.ts +28 -0
- package/dist/server/mutations/oauth.d.ts.map +1 -0
- package/dist/server/mutations/oauth.js +110 -0
- package/dist/server/mutations/oauth.js.map +1 -0
- package/dist/server/mutations/refresh.d.ts +21 -0
- package/dist/server/mutations/refresh.d.ts.map +1 -0
- package/dist/server/mutations/refresh.js +119 -0
- package/dist/server/mutations/refresh.js.map +1 -0
- package/dist/server/mutations/register.d.ts +38 -0
- package/dist/server/mutations/register.d.ts.map +1 -0
- package/dist/server/mutations/register.js +83 -0
- package/dist/server/mutations/register.js.map +1 -0
- package/dist/server/mutations/retrieve.d.ts +33 -0
- package/dist/server/mutations/retrieve.d.ts.map +1 -0
- package/dist/server/mutations/retrieve.js +65 -0
- package/dist/server/mutations/retrieve.js.map +1 -0
- package/dist/server/mutations/signature.d.ts +22 -0
- package/dist/server/mutations/signature.d.ts.map +1 -0
- package/dist/server/mutations/signature.js +32 -0
- package/dist/server/mutations/signature.js.map +1 -0
- package/dist/server/mutations/signin.d.ts +22 -0
- package/dist/server/mutations/signin.d.ts.map +1 -0
- package/dist/server/{implementation/mutations → mutations}/signin.js +2 -2
- package/dist/server/mutations/signin.js.map +1 -0
- package/dist/server/mutations/signout.d.ts +16 -0
- package/dist/server/mutations/signout.d.ts.map +1 -0
- package/dist/server/mutations/signout.js +27 -0
- package/dist/server/mutations/signout.js.map +1 -0
- package/dist/server/mutations/store/refs.d.ts +12 -0
- package/dist/server/mutations/store/refs.d.ts.map +1 -0
- package/dist/server/mutations/store/refs.js +15 -0
- package/dist/server/mutations/store/refs.js.map +1 -0
- package/dist/server/mutations/store.d.ts +306 -0
- package/dist/server/mutations/store.d.ts.map +1 -0
- package/dist/server/mutations/store.js +85 -0
- package/dist/server/mutations/store.js.map +1 -0
- package/dist/server/mutations/verifier.d.ts +13 -0
- package/dist/server/mutations/verifier.d.ts.map +1 -0
- package/dist/server/mutations/verifier.js +18 -0
- package/dist/server/mutations/verifier.js.map +1 -0
- package/dist/server/mutations/verify.d.ts +26 -0
- package/dist/server/mutations/verify.d.ts.map +1 -0
- package/dist/server/mutations/verify.js +98 -0
- package/dist/server/mutations/verify.js.map +1 -0
- package/dist/server/oauth.d.ts +1 -48
- package/dist/server/oauth.js +107 -64
- package/dist/server/oauth.js.map +1 -1
- package/dist/server/passkey.d.ts +27 -0
- package/dist/server/passkey.d.ts.map +1 -0
- package/dist/server/passkey.js +328 -0
- package/dist/server/passkey.js.map +1 -0
- package/dist/server/redirects.d.ts +1 -0
- package/dist/{component/server/implementation → server}/redirects.js +13 -11
- package/dist/server/redirects.js.map +1 -0
- package/dist/server/refresh.d.ts +1 -0
- package/dist/server/refresh.js +96 -0
- package/dist/server/refresh.js.map +1 -0
- package/dist/server/runtime.d.ts +136 -0
- package/dist/server/runtime.d.ts.map +1 -0
- package/dist/server/runtime.js +413 -0
- package/dist/server/runtime.js.map +1 -0
- package/dist/server/sessions.d.ts +1 -0
- package/dist/{component/server/implementation → server}/sessions.js +14 -8
- package/dist/server/sessions.js.map +1 -0
- package/dist/server/signin.d.ts +1 -0
- package/dist/server/signin.js +201 -0
- package/dist/server/signin.js.map +1 -0
- package/dist/server/ssr.d.ts +226 -0
- package/dist/server/ssr.d.ts.map +1 -0
- package/dist/server/ssr.js +786 -0
- package/dist/server/ssr.js.map +1 -0
- package/dist/server/templates.d.ts +1 -21
- package/dist/server/templates.js +2 -1
- package/dist/server/templates.js.map +1 -1
- package/dist/server/tokens.d.ts +1 -0
- package/dist/server/tokens.js +17 -0
- package/dist/server/tokens.js.map +1 -0
- package/dist/server/totp.d.ts +1 -0
- package/dist/server/totp.js +148 -0
- package/dist/server/totp.js.map +1 -0
- package/dist/server/types.d.ts +498 -306
- package/dist/server/types.d.ts.map +1 -1
- package/dist/server/types.js +108 -1
- package/dist/server/types.js.map +1 -0
- package/dist/server/users.d.ts +1 -0
- package/dist/server/{implementation/users.js → users.js} +54 -35
- package/dist/server/users.js.map +1 -0
- package/dist/server/utils.d.ts +1 -6
- package/dist/server/utils.js +110 -4
- package/dist/server/utils.js.map +1 -1
- package/package.json +49 -46
- package/src/authorization/index.ts +83 -0
- package/src/cli/bin.ts +5 -0
- package/src/cli/command.ts +6 -5
- package/src/cli/index.ts +456 -248
- package/src/cli/keys.ts +3 -0
- package/src/client/core/types.ts +437 -0
- package/src/client/factors/device.ts +160 -0
- package/src/client/factors/passkey.ts +282 -0
- package/src/client/factors/totp.ts +150 -0
- package/src/client/index.ts +745 -989
- package/src/client/runtime/browser.ts +112 -0
- package/src/client/runtime/invite.ts +65 -0
- package/src/client/runtime/proxy.ts +111 -0
- package/src/client/runtime/storage.ts +79 -0
- package/src/component/_generated/api.ts +42 -0
- package/src/component/_generated/component.ts +3123 -102
- package/src/component/functions.ts +38 -22
- package/src/component/index.ts +10 -20
- package/src/component/model.ts +449 -0
- package/src/component/public/enterprise/audit.ts +120 -0
- package/src/component/public/enterprise/core.ts +354 -0
- package/src/component/public/enterprise/domains.ts +323 -0
- package/src/component/public/enterprise/scim.ts +396 -0
- package/src/component/public/enterprise/secrets.ts +132 -0
- package/src/component/public/enterprise/webhooks.ts +306 -0
- package/src/component/public/factors/devices.ts +223 -0
- package/src/component/public/factors/passkeys.ts +242 -0
- package/src/component/public/factors/totp.ts +258 -0
- package/src/component/public/groups/core.ts +481 -0
- package/src/component/public/groups/invites.ts +602 -0
- package/src/component/public/groups/members.ts +409 -0
- package/src/component/public/identity/accounts.ts +206 -0
- package/src/component/public/identity/codes.ts +148 -0
- package/src/component/public/identity/sessions.ts +209 -0
- package/src/component/public/identity/tokens.ts +250 -0
- package/src/component/public/identity/users.ts +354 -0
- package/src/component/public/identity/verifiers.ts +157 -0
- package/src/component/public/security/keys.ts +365 -0
- package/src/component/public/security/limits.ts +173 -0
- package/src/component/public.ts +26 -1766
- package/src/component/schema.ts +273 -100
- package/src/providers/anonymous.ts +10 -20
- package/src/providers/credentials.ts +14 -22
- package/src/providers/device.ts +3 -14
- package/src/providers/email.ts +83 -47
- package/src/providers/index.ts +7 -0
- package/src/providers/oauth.ts +5 -3
- package/src/providers/passkey.ts +0 -13
- package/src/providers/password.ts +307 -130
- package/src/providers/phone.ts +81 -37
- package/src/providers/sso.ts +54 -0
- package/src/providers/totp.ts +0 -13
- package/src/samlify.d.ts +53 -0
- package/src/server/auth.ts +701 -247
- package/src/server/authError.ts +44 -0
- package/src/server/{providers.ts → config.ts} +84 -15
- package/src/server/cookies.ts +8 -1
- package/src/server/core.ts +2095 -0
- package/src/server/crypto.ts +88 -0
- package/src/server/{implementation/db.ts → db.ts} +90 -15
- package/src/server/device.ts +221 -0
- package/src/server/enterprise/config.ts +51 -0
- package/src/server/enterprise/domain.ts +1751 -0
- package/src/server/enterprise/http.ts +1324 -0
- package/src/server/enterprise/oidc.ts +500 -0
- package/src/server/enterprise/policy.ts +128 -0
- package/src/server/enterprise/saml.ts +578 -0
- package/src/server/enterprise/scim.ts +135 -0
- package/src/server/enterprise/shared.ts +134 -0
- package/src/server/enterprise/validators.ts +93 -0
- package/src/server/errors.ts +130 -119
- package/src/server/http.ts +531 -0
- package/src/server/identity.ts +18 -0
- package/src/server/index.ts +32 -650
- package/src/server/{implementation/keys.ts → keys.ts} +16 -44
- package/src/server/limits.ts +134 -0
- package/src/server/mounts.ts +948 -0
- package/src/server/mutations/account.ts +76 -0
- package/src/server/{implementation/mutations → mutations}/code.ts +22 -11
- package/src/server/mutations/index.ts +13 -0
- package/src/server/mutations/invalidate.ts +50 -0
- package/src/server/mutations/oauth.ts +237 -0
- package/src/server/mutations/refresh.ts +298 -0
- package/src/server/mutations/register.ts +200 -0
- package/src/server/mutations/retrieve.ts +109 -0
- package/src/server/mutations/signature.ts +50 -0
- package/src/server/{implementation/mutations → mutations}/signin.ts +9 -7
- package/src/server/mutations/signout.ts +43 -0
- package/src/server/mutations/store/refs.ts +10 -0
- package/src/server/mutations/store.ts +138 -0
- package/src/server/mutations/verifier.ts +34 -0
- package/src/server/mutations/verify.ts +202 -0
- package/src/server/oauth.ts +243 -131
- package/src/server/passkey.ts +784 -0
- package/src/server/{implementation/redirects.ts → redirects.ts} +21 -16
- package/src/server/refresh.ts +222 -0
- package/src/server/runtime.ts +880 -0
- package/src/server/{implementation/sessions.ts → sessions.ts} +33 -25
- package/src/server/signin.ts +438 -0
- package/src/server/ssr.ts +1764 -0
- package/src/server/templates.ts +8 -3
- package/src/server/{implementation/tokens.ts → tokens.ts} +11 -5
- package/src/server/totp.ts +349 -0
- package/src/server/types.ts +972 -207
- package/src/server/{implementation/users.ts → users.ts} +129 -75
- package/src/server/utils.ts +192 -5
- package/src/test.ts +28 -4
- package/dist/bin.cjs +0 -27757
- package/dist/component/providers/email.js +0 -47
- package/dist/component/providers/email.js.map +0 -1
- package/dist/component/public.js.map +0 -1
- package/dist/component/server/implementation/db.js.map +0 -1
- package/dist/component/server/implementation/device.js +0 -135
- package/dist/component/server/implementation/device.js.map +0 -1
- package/dist/component/server/implementation/index.d.ts +0 -870
- package/dist/component/server/implementation/index.d.ts.map +0 -1
- package/dist/component/server/implementation/index.js +0 -610
- package/dist/component/server/implementation/index.js.map +0 -1
- package/dist/component/server/implementation/keys.js.map +0 -1
- package/dist/component/server/implementation/mutations/account.js +0 -39
- package/dist/component/server/implementation/mutations/account.js.map +0 -1
- package/dist/component/server/implementation/mutations/code.js.map +0 -1
- package/dist/component/server/implementation/mutations/index.js +0 -70
- package/dist/component/server/implementation/mutations/index.js.map +0 -1
- package/dist/component/server/implementation/mutations/invalidate.js +0 -29
- package/dist/component/server/implementation/mutations/invalidate.js.map +0 -1
- package/dist/component/server/implementation/mutations/oauth.js +0 -51
- package/dist/component/server/implementation/mutations/oauth.js.map +0 -1
- package/dist/component/server/implementation/mutations/refresh.js +0 -85
- package/dist/component/server/implementation/mutations/refresh.js.map +0 -1
- package/dist/component/server/implementation/mutations/register.js +0 -65
- package/dist/component/server/implementation/mutations/register.js.map +0 -1
- package/dist/component/server/implementation/mutations/retrieve.js +0 -50
- package/dist/component/server/implementation/mutations/retrieve.js.map +0 -1
- package/dist/component/server/implementation/mutations/signature.js +0 -27
- package/dist/component/server/implementation/mutations/signature.js.map +0 -1
- package/dist/component/server/implementation/mutations/signin.js.map +0 -1
- package/dist/component/server/implementation/mutations/signout.js +0 -27
- package/dist/component/server/implementation/mutations/signout.js.map +0 -1
- package/dist/component/server/implementation/mutations/store.js +0 -12
- package/dist/component/server/implementation/mutations/store.js.map +0 -1
- package/dist/component/server/implementation/mutations/verifier.js +0 -16
- package/dist/component/server/implementation/mutations/verifier.js.map +0 -1
- package/dist/component/server/implementation/mutations/verify.js +0 -105
- package/dist/component/server/implementation/mutations/verify.js.map +0 -1
- package/dist/component/server/implementation/passkey.js +0 -307
- package/dist/component/server/implementation/passkey.js.map +0 -1
- package/dist/component/server/implementation/provider.js +0 -19
- package/dist/component/server/implementation/provider.js.map +0 -1
- package/dist/component/server/implementation/ratelimit.js +0 -48
- package/dist/component/server/implementation/ratelimit.js.map +0 -1
- package/dist/component/server/implementation/redirects.js.map +0 -1
- package/dist/component/server/implementation/refresh.js +0 -109
- package/dist/component/server/implementation/refresh.js.map +0 -1
- package/dist/component/server/implementation/sessions.js.map +0 -1
- package/dist/component/server/implementation/signin.js +0 -148
- package/dist/component/server/implementation/signin.js.map +0 -1
- package/dist/component/server/implementation/tokens.js +0 -15
- package/dist/component/server/implementation/tokens.js.map +0 -1
- package/dist/component/server/implementation/totp.js +0 -142
- package/dist/component/server/implementation/totp.js.map +0 -1
- package/dist/component/server/implementation/types.d.ts +0 -42
- package/dist/component/server/implementation/types.d.ts.map +0 -1
- package/dist/component/server/implementation/types.js.map +0 -1
- package/dist/component/server/implementation/users.js.map +0 -1
- package/dist/component/server/implementation/utils.js +0 -56
- package/dist/component/server/implementation/utils.js.map +0 -1
- package/dist/component/server/providers.js.map +0 -1
- package/dist/component/server/templates.js +0 -84
- package/dist/component/server/templates.js.map +0 -1
- package/dist/server/cookies.d.ts.map +0 -1
- package/dist/server/implementation/db.d.ts +0 -86
- package/dist/server/implementation/db.d.ts.map +0 -1
- package/dist/server/implementation/db.js.map +0 -1
- package/dist/server/implementation/device.d.ts +0 -30
- package/dist/server/implementation/device.d.ts.map +0 -1
- package/dist/server/implementation/device.js +0 -135
- package/dist/server/implementation/device.js.map +0 -1
- package/dist/server/implementation/index.d.ts +0 -870
- package/dist/server/implementation/index.d.ts.map +0 -1
- package/dist/server/implementation/index.js +0 -610
- package/dist/server/implementation/index.js.map +0 -1
- package/dist/server/implementation/keys.d.ts +0 -66
- package/dist/server/implementation/keys.d.ts.map +0 -1
- package/dist/server/implementation/keys.js.map +0 -1
- package/dist/server/implementation/mutations/account.d.ts +0 -27
- package/dist/server/implementation/mutations/account.d.ts.map +0 -1
- package/dist/server/implementation/mutations/account.js +0 -39
- package/dist/server/implementation/mutations/account.js.map +0 -1
- package/dist/server/implementation/mutations/code.d.ts +0 -29
- package/dist/server/implementation/mutations/code.d.ts.map +0 -1
- package/dist/server/implementation/mutations/code.js.map +0 -1
- package/dist/server/implementation/mutations/index.d.ts +0 -310
- package/dist/server/implementation/mutations/index.d.ts.map +0 -1
- package/dist/server/implementation/mutations/index.js +0 -70
- package/dist/server/implementation/mutations/index.js.map +0 -1
- package/dist/server/implementation/mutations/invalidate.d.ts +0 -18
- package/dist/server/implementation/mutations/invalidate.d.ts.map +0 -1
- package/dist/server/implementation/mutations/invalidate.js +0 -29
- package/dist/server/implementation/mutations/invalidate.js.map +0 -1
- package/dist/server/implementation/mutations/oauth.d.ts +0 -23
- package/dist/server/implementation/mutations/oauth.d.ts.map +0 -1
- package/dist/server/implementation/mutations/oauth.js +0 -51
- package/dist/server/implementation/mutations/oauth.js.map +0 -1
- package/dist/server/implementation/mutations/refresh.d.ts +0 -20
- package/dist/server/implementation/mutations/refresh.d.ts.map +0 -1
- package/dist/server/implementation/mutations/refresh.js +0 -85
- package/dist/server/implementation/mutations/refresh.js.map +0 -1
- package/dist/server/implementation/mutations/register.d.ts +0 -37
- package/dist/server/implementation/mutations/register.d.ts.map +0 -1
- package/dist/server/implementation/mutations/register.js +0 -65
- package/dist/server/implementation/mutations/register.js.map +0 -1
- package/dist/server/implementation/mutations/retrieve.d.ts +0 -31
- package/dist/server/implementation/mutations/retrieve.d.ts.map +0 -1
- package/dist/server/implementation/mutations/retrieve.js +0 -50
- package/dist/server/implementation/mutations/retrieve.js.map +0 -1
- package/dist/server/implementation/mutations/signature.d.ts +0 -19
- package/dist/server/implementation/mutations/signature.d.ts.map +0 -1
- package/dist/server/implementation/mutations/signature.js +0 -27
- package/dist/server/implementation/mutations/signature.js.map +0 -1
- package/dist/server/implementation/mutations/signin.d.ts +0 -21
- package/dist/server/implementation/mutations/signin.d.ts.map +0 -1
- package/dist/server/implementation/mutations/signin.js.map +0 -1
- package/dist/server/implementation/mutations/signout.d.ts +0 -14
- package/dist/server/implementation/mutations/signout.d.ts.map +0 -1
- package/dist/server/implementation/mutations/signout.js +0 -27
- package/dist/server/implementation/mutations/signout.js.map +0 -1
- package/dist/server/implementation/mutations/store.d.ts +0 -11
- package/dist/server/implementation/mutations/store.d.ts.map +0 -1
- package/dist/server/implementation/mutations/store.js +0 -12
- package/dist/server/implementation/mutations/store.js.map +0 -1
- package/dist/server/implementation/mutations/verifier.d.ts +0 -11
- package/dist/server/implementation/mutations/verifier.d.ts.map +0 -1
- package/dist/server/implementation/mutations/verifier.js +0 -16
- package/dist/server/implementation/mutations/verifier.js.map +0 -1
- package/dist/server/implementation/mutations/verify.d.ts +0 -25
- package/dist/server/implementation/mutations/verify.d.ts.map +0 -1
- package/dist/server/implementation/mutations/verify.js +0 -105
- package/dist/server/implementation/mutations/verify.js.map +0 -1
- package/dist/server/implementation/passkey.d.ts +0 -24
- package/dist/server/implementation/passkey.d.ts.map +0 -1
- package/dist/server/implementation/passkey.js +0 -307
- package/dist/server/implementation/passkey.js.map +0 -1
- package/dist/server/implementation/provider.d.ts +0 -10
- package/dist/server/implementation/provider.d.ts.map +0 -1
- package/dist/server/implementation/provider.js +0 -19
- package/dist/server/implementation/provider.js.map +0 -1
- package/dist/server/implementation/ratelimit.d.ts +0 -10
- package/dist/server/implementation/ratelimit.d.ts.map +0 -1
- package/dist/server/implementation/ratelimit.js +0 -48
- package/dist/server/implementation/ratelimit.js.map +0 -1
- package/dist/server/implementation/redirects.d.ts +0 -10
- package/dist/server/implementation/redirects.d.ts.map +0 -1
- package/dist/server/implementation/redirects.js.map +0 -1
- package/dist/server/implementation/refresh.d.ts +0 -37
- package/dist/server/implementation/refresh.d.ts.map +0 -1
- package/dist/server/implementation/refresh.js +0 -109
- package/dist/server/implementation/refresh.js.map +0 -1
- package/dist/server/implementation/sessions.d.ts +0 -29
- package/dist/server/implementation/sessions.d.ts.map +0 -1
- package/dist/server/implementation/sessions.js.map +0 -1
- package/dist/server/implementation/signin.d.ts +0 -55
- package/dist/server/implementation/signin.d.ts.map +0 -1
- package/dist/server/implementation/signin.js +0 -148
- package/dist/server/implementation/signin.js.map +0 -1
- package/dist/server/implementation/tokens.d.ts +0 -11
- package/dist/server/implementation/tokens.d.ts.map +0 -1
- package/dist/server/implementation/tokens.js +0 -15
- package/dist/server/implementation/tokens.js.map +0 -1
- package/dist/server/implementation/totp.d.ts +0 -31
- package/dist/server/implementation/totp.d.ts.map +0 -1
- package/dist/server/implementation/totp.js +0 -142
- package/dist/server/implementation/totp.js.map +0 -1
- package/dist/server/implementation/types.d.ts +0 -189
- package/dist/server/implementation/types.d.ts.map +0 -1
- package/dist/server/implementation/types.js +0 -97
- package/dist/server/implementation/types.js.map +0 -1
- package/dist/server/implementation/users.d.ts +0 -30
- package/dist/server/implementation/users.d.ts.map +0 -1
- package/dist/server/implementation/users.js.map +0 -1
- package/dist/server/implementation/utils.d.ts +0 -19
- package/dist/server/implementation/utils.d.ts.map +0 -1
- package/dist/server/implementation/utils.js +0 -56
- package/dist/server/implementation/utils.js.map +0 -1
- package/dist/server/index.d.ts.map +0 -1
- package/dist/server/index.js.map +0 -1
- package/dist/server/oauth.d.ts.map +0 -1
- package/dist/server/providers.d.ts +0 -72
- package/dist/server/providers.d.ts.map +0 -1
- package/dist/server/providers.js.map +0 -1
- package/dist/server/templates.d.ts.map +0 -1
- package/dist/server/utils.d.ts.map +0 -1
- package/dist/server/version.d.ts +0 -5
- package/dist/server/version.d.ts.map +0 -1
- package/dist/server/version.js +0 -6
- package/dist/server/version.js.map +0 -1
- package/src/cli/utils.ts +0 -248
- package/src/server/implementation/device.ts +0 -307
- package/src/server/implementation/index.ts +0 -1583
- package/src/server/implementation/mutations/account.ts +0 -50
- package/src/server/implementation/mutations/index.ts +0 -157
- package/src/server/implementation/mutations/invalidate.ts +0 -42
- package/src/server/implementation/mutations/oauth.ts +0 -73
- package/src/server/implementation/mutations/refresh.ts +0 -175
- package/src/server/implementation/mutations/register.ts +0 -100
- package/src/server/implementation/mutations/retrieve.ts +0 -79
- package/src/server/implementation/mutations/signature.ts +0 -39
- package/src/server/implementation/mutations/signout.ts +0 -35
- package/src/server/implementation/mutations/store.ts +0 -7
- package/src/server/implementation/mutations/verifier.ts +0 -24
- package/src/server/implementation/mutations/verify.ts +0 -194
- package/src/server/implementation/passkey.ts +0 -620
- package/src/server/implementation/provider.ts +0 -36
- package/src/server/implementation/ratelimit.ts +0 -79
- package/src/server/implementation/refresh.ts +0 -172
- package/src/server/implementation/signin.ts +0 -296
- package/src/server/implementation/totp.ts +0 -342
- package/src/server/implementation/types.ts +0 -444
- package/src/server/implementation/utils.ts +0 -91
- package/src/server/version.ts +0 -2
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"core.js","names":[],"sources":["../../../src/server/core.ts"],"sourcesContent":["import { Auth, GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId } from \"convex/values\";\n\nimport {\n buildScopeChecker,\n checkKeyRateLimit,\n generateApiKey,\n hashApiKey,\n} from \"./keys\";\nimport { materializeProvider } from \"./config\";\nimport { signInImpl } from \"./signin\";\nimport type {\n AuthProviderConfig,\n KeyDoc,\n KeyScope,\n ScopeChecker,\n UserOrderBy,\n UserWhere,\n} from \"./types\";\nimport {\n generateRandomString,\n sha256,\n TOKEN_SUB_CLAIM_DIVIDER,\n} from \"./utils\";\n\ntype ComponentCtx = Pick<\n GenericActionCtx<GenericDataModel>,\n \"runQuery\" | \"runMutation\"\n>;\ntype ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, \"runQuery\">;\ntype ComponentAuthReadCtx = ComponentReadCtx & { auth: Auth };\ntype AccountCredentials = { id: string; secret?: string };\ntype CreateAccountArgs = {\n provider: string;\n account: AccountCredentials;\n profile: Record<string, unknown>;\n shouldLinkViaEmail?: boolean;\n shouldLinkViaPhone?: boolean;\n};\ntype RetrieveAccountArgs = { provider: string; account: AccountCredentials };\ntype UpdateAccountCredentialsArgs = {\n provider: string;\n account: { id: string; secret: string };\n};\n\ntype CoreDeps = {\n config: any;\n getAuth: () => any;\n callInvalidateSessions: <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: { userId: GenericId<\"User\">; except?: GenericId<\"Session\">[] },\n ) => Promise<void>;\n callCreateAccountFromCredentials: <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: CreateAccountArgs,\n ) => Promise<any>;\n callRetrieveAccountWithCredentials: <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: RetrieveAccountArgs,\n ) => Promise<any>;\n callModifyAccount: <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: UpdateAccountCredentialsArgs,\n ) => Promise<void>;\n getEnrichCtx: () => <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n ) => any;\n inviteTokenAlphabet: string;\n inviteTokenLength: number;\n};\n\n/**\n * Build the core auth domains that back the canonical app API surface.\n *\n * Creates the grouped `user`, `session`, `account`, `provider`, `group`,\n * `member`, `invite`, and `key` APIs used by the higher-level auth\n * factory. Each namespace wraps the underlying Convex component functions with\n * application-friendly helpers, result shaping, and documentation-friendly\n * method names.\n *\n * @param deps - Internal component wiring, provider config, and helper\n * functions needed to construct the domain API surface.\n * @returns The core domain namespaces consumed by the auth factory.\n */\nexport function createCoreDomains(deps: CoreDeps) {\n const {\n config,\n getAuth,\n callInvalidateSessions,\n callCreateAccountFromCredentials,\n callRetrieveAccountWithCredentials,\n callModifyAccount,\n getEnrichCtx,\n inviteTokenAlphabet,\n inviteTokenLength,\n } = deps;\n\n const roleDefinitions = config.authorization.roles as Record<\n string,\n { label?: string; grants: string[] }\n >;\n\n const getRoleDefinition = (roleId: string) => {\n return roleDefinitions[roleId] ?? null;\n };\n\n const normalizeRoleIds = (\n roleIds?: string[],\n ):\n | { ok: true; roleIds: string[] }\n | { ok: false; invalidRoleIds: string[] } => {\n const normalized = Array.from(new Set(roleIds ?? []));\n const invalid = normalized.filter((id) => getRoleDefinition(id) === null);\n if (invalid.length > 0) {\n return { ok: false, invalidRoleIds: invalid };\n }\n return { ok: true, roleIds: normalized };\n };\n\n const listAllKeysByUser = async (ctx: ComponentCtx, userId: string) => {\n const items: Array<{ _id: string }> = [];\n let cursor: string | null = null;\n do {\n const page = (await ctx.runQuery(config.component.public.keyList, {\n where: { userId },\n limit: 100,\n cursor,\n })) as {\n items: Array<{ _id: string }>;\n nextCursor: string | null;\n };\n items.push(...page.items);\n cursor = page.nextCursor;\n } while (cursor !== null);\n return items;\n };\n\n const listAllMembersByUser = async (ctx: ComponentCtx, userId: string) => {\n const items: Array<{ _id: string }> = [];\n let cursor: string | null = null;\n do {\n const page = (await ctx.runQuery(config.component.public.memberList, {\n where: { userId },\n limit: 100,\n cursor,\n })) as {\n items: Array<{ _id: string }>;\n nextCursor: string | null;\n };\n items.push(...page.items);\n cursor = page.nextCursor;\n } while (cursor !== null);\n return items;\n };\n\n const resolveGrantedPermissions = (roleIds?: string[]) => {\n const grants = new Set<string>();\n for (const roleId of roleIds ?? []) {\n const role = getRoleDefinition(roleId);\n if (role === null) continue;\n for (const grant of role.grants) {\n grants.add(grant);\n }\n }\n return Array.from(grants).sort();\n };\n\n // Per-execution cache — attached to ctx so each function invocation has its own.\n // Eliminates redundant cross-component RPCs for the same entity within a handler.\n type CtxCache = {\n users: Map<string, any>;\n groups: Map<string, any>;\n };\n const AUTH_CACHE = Symbol(\"__convexAuthCache\");\n function cache(ctx: any): CtxCache {\n if (!ctx[AUTH_CACHE]) {\n ctx[AUTH_CACHE] = {\n users: new Map(),\n groups: new Map(),\n } satisfies CtxCache;\n }\n return ctx[AUTH_CACHE];\n }\n\n const user = {\n /**\n * Resolve the current user's ID.\n *\n * Checks two sources in order:\n *\n * 1. **Session JWT** — extracts the `userId` from `ctx.auth.getUserIdentity()`.\n * This is the standard path for browser sessions and costs zero DB reads.\n * 2. **API key** — if a `request` is provided and contains a\n * `Bearer sk_*` Authorization header, the key is verified against the\n * database and the owning `userId` is returned.\n *\n * Returns `null` when neither source produces a valid identity.\n *\n * @param ctx - Convex query, mutation, or action context.\n * @param request - Optional incoming `Request` to check for API key auth.\n * Only needed in HTTP actions or server-side handlers.\n * @returns The user's document ID, or `null` if unauthenticated.\n *\n * @example Session auth (queries, mutations)\n * ```ts\n * const userId = await auth.user.id(ctx);\n * if (!userId) return { ok: false, code: \"NOT_SIGNED_IN\" };\n * ```\n *\n * @example API key auth (HTTP actions)\n * ```ts\n * const userId = await auth.user.id(ctx, request);\n * ```\n */\n id: async (\n ctx: { auth: Auth } & Partial<ComponentCtx>,\n request?: Request,\n ): Promise<string | null> => {\n const identity = await ctx.auth.getUserIdentity();\n if (identity !== null) {\n const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n return userId;\n }\n if (request !== undefined && \"runMutation\" in ctx && ctx.runMutation) {\n const authHeader = request.headers.get(\"Authorization\");\n if (authHeader?.startsWith(\"Bearer sk_\")) {\n const rawKey = authHeader.slice(7);\n const result = await getAuth().key.verify(\n ctx as ComponentCtx,\n rawKey,\n );\n if (result.ok) {\n return result.userId;\n }\n return null;\n }\n }\n return null;\n },\n /**\n * Fetch a user document by ID.\n *\n * Results are **cached per-execution** — calling `auth.user.get(ctx, id)`\n * multiple times within the same query or mutation handler for the same\n * `userId` returns the cached result without an additional component read.\n *\n * @param ctx - Convex query or mutation context.\n * @param userId - The user's document ID.\n * @returns The user document, or `null` if not found.\n *\n * @example\n * ```ts\n * const user = await auth.user.get(ctx, userId);\n * const name = user?.name ?? user?.email ?? \"Unknown\";\n * ```\n */\n get: async (ctx: ComponentReadCtx, userId: string) => {\n const c = cache(ctx);\n if (c.users.has(userId)) return c.users.get(userId);\n const result = await ctx.runQuery(config.component.public.userGetById, {\n userId,\n });\n c.users.set(userId, result);\n return result;\n },\n /**\n * List users with optional filtering, pagination, and ordering.\n *\n * Supports filtering by `email`, `phone`, `name`, and `isAnonymous`.\n * Results are paginated — pass `cursor` from a previous response to\n * load the next page.\n *\n * @param ctx - Convex query or mutation context.\n * @param opts.where - Filter criteria (all optional, combined with AND).\n * @param opts.limit - Max items per page (default 50, max 100).\n * @param opts.cursor - Cursor from a previous `nextCursor` for pagination.\n * @param opts.orderBy - Sort field: `\"_creationTime\"` (default), `\"email\"`, etc.\n * @param opts.order - Sort direction: `\"asc\"` or `\"desc\"` (default `\"desc\"`).\n * @returns `{ items, nextCursor }` — `nextCursor` is `null` when no more pages.\n *\n * @example\n * ```ts\n * const { items, nextCursor } = await auth.user.list(ctx, {\n * where: { email: \"alice@example.com\" },\n * limit: 10,\n * });\n * ```\n */\n list: async (\n ctx: ComponentReadCtx,\n opts: {\n where?: UserWhere;\n limit?: number;\n cursor?: string | null;\n orderBy?: UserOrderBy;\n order?: \"asc\" | \"desc\";\n } = {},\n ) => {\n return await ctx.runQuery(config.component.public.userList, opts);\n },\n /**\n * Convenience method: resolve the current user ID from the session\n * and fetch their full document in one call. Returns `null` if\n * unauthenticated. Equivalent to `auth.user.id(ctx)` then `auth.user.get(ctx, id)`.\n *\n * @param ctx - Convex query or mutation context with `auth` for session lookup.\n * @returns The authenticated user's document, or `null` if unauthenticated.\n *\n * @example\n * ```ts\n * const viewer = await auth.user.viewer(ctx);\n * if (!viewer) throw new Error(\"Not signed in\");\n * console.log(viewer.name, viewer.email);\n * ```\n */\n viewer: async (ctx: ComponentAuthReadCtx) => {\n const userId = await user.id(ctx);\n if (userId === null) return null;\n return await user.get(ctx, userId);\n },\n /**\n * Patch a user document. Accepts any fields defined on the User schema\n * (e.g. `name`, `image`, `email`, `extend`).\n *\n * @param ctx - Convex mutation context.\n * @param userId - The user's document ID.\n * @param data - Fields to merge into the user document.\n * @returns `{ ok: true, userId }`.\n *\n * @example\n * ```ts\n * await auth.user.update(ctx, userId, {\n * name: \"Alice Smith\",\n * image: \"https://example.com/avatar.png\",\n * });\n * ```\n */\n update: async (\n ctx: ComponentCtx,\n userId: string,\n data: Record<string, unknown>,\n ) => {\n await ctx.runMutation(config.component.public.userPatch, {\n userId,\n data,\n });\n return { ok: true as const, userId };\n },\n /**\n * Set the user's active group. Stored in `user.extend.lastActiveGroup`.\n * Pass `groupId: null` to clear. Useful for multi-workspace apps\n * where the UI needs to remember which workspace is selected.\n *\n * @param ctx - Convex mutation context.\n * @param opts.userId - The user's document ID.\n * @param opts.groupId - Group ID to set as active, or `null` to clear.\n * @returns `{ ok: true, userId, groupId }` confirming the active group was set (or cleared).\n *\n * @example\n * ```ts\n * // Switch to a workspace\n * await auth.user.setActiveGroup(ctx, { userId, groupId: workspaceId });\n *\n * // Clear the active workspace\n * await auth.user.setActiveGroup(ctx, { userId, groupId: null });\n * ```\n */\n setActiveGroup: async (\n ctx: ComponentCtx,\n opts: { userId: string; groupId: string | null },\n ) => {\n const doc = await user.get(ctx, opts.userId);\n const existingExtend =\n doc !== null &&\n doc.extend !== null &&\n typeof doc.extend === \"object\" &&\n !Array.isArray(doc.extend)\n ? { ...(doc.extend as Record<string, unknown>) }\n : {};\n if (opts.groupId === null) {\n const { lastActiveGroup: _omit, ...rest } = existingExtend;\n await user.update(ctx, opts.userId, { extend: rest });\n return { ok: true as const, userId: opts.userId, groupId: null };\n }\n await user.update(ctx, opts.userId, {\n extend: { ...existingExtend, lastActiveGroup: opts.groupId },\n });\n return { ok: true as const, userId: opts.userId, groupId: opts.groupId };\n },\n /**\n * Read the user's active group ID from `user.extend.lastActiveGroup`.\n * Returns `null` if no active group is set.\n *\n * @param ctx - Convex query or mutation context.\n * @param opts.userId - The user's document ID.\n * @returns The active group's document ID, or `null` if none is set.\n *\n * @example\n * ```ts\n * const activeGroupId = await auth.user.getActiveGroup(ctx, { userId });\n * if (activeGroupId) {\n * const group = await auth.group.get(ctx, activeGroupId);\n * }\n * ```\n */\n getActiveGroup: async (\n ctx: ComponentReadCtx,\n opts: { userId: string },\n ): Promise<string | null> => {\n const doc = await user.get(ctx, opts.userId);\n if (\n doc !== null &&\n doc.extend !== null &&\n typeof doc.extend === \"object\" &&\n !Array.isArray(doc.extend)\n ) {\n const val = (doc.extend as Record<string, unknown>).lastActiveGroup;\n if (typeof val === \"string\") return val;\n }\n return null;\n },\n /**\n * Delete a user and all associated data.\n *\n * By default (`cascade: true`) deletes the user's sessions, accounts,\n * API keys, group memberships, passkey credentials, and TOTP factors.\n * Pass `{ cascade: false }` to delete only the user document itself.\n *\n * @param ctx - Convex mutation context.\n * @param userId - The user's document ID.\n * @param opts.cascade - Whether to delete related records (default `true`).\n * @returns `{ ok: true, userId }`.\n */\n delete: async (\n ctx: ComponentCtx,\n userId: string,\n opts?: { cascade?: boolean },\n ) => {\n const cascade = opts?.cascade !== false;\n const [sessions, accounts, keys, members, passkeys, totps] =\n await Promise.all([\n ctx.runQuery(config.component.public.sessionListByUser, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ctx.runQuery(config.component.public.accountListByUser, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n listAllKeysByUser(ctx, userId),\n listAllMembersByUser(ctx, userId),\n ctx.runQuery(config.component.public.passkeyListByUserId, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ctx.runQuery(config.component.public.totpListByUserId, {\n userId,\n }) as Promise<Array<{ _id: string }>>,\n ]);\n const totalLinked =\n sessions.length +\n accounts.length +\n keys.length +\n members.length +\n passkeys.length +\n totps.length;\n if (!cascade && totalLinked > 0) {\n return { ok: false as const, code: \"INVALID_PARAMETERS\" as const };\n }\n const deletions: Promise<unknown>[] = [];\n for (const s of sessions)\n deletions.push(\n ctx.runMutation(config.component.public.sessionDelete, {\n sessionId: s._id,\n }),\n );\n for (const a of accounts)\n deletions.push(\n ctx.runMutation(config.component.public.accountDelete, {\n accountId: a._id,\n }),\n );\n for (const k of keys)\n deletions.push(\n ctx.runMutation(config.component.public.keyDelete, { keyId: k._id }),\n );\n for (const m of members)\n deletions.push(\n ctx.runMutation(config.component.public.memberRemove, {\n memberId: m._id,\n }),\n );\n for (const p of passkeys)\n deletions.push(\n ctx.runMutation(config.component.public.passkeyDelete, {\n passkeyId: p._id,\n }),\n );\n for (const t of totps)\n deletions.push(\n ctx.runMutation(config.component.public.totpDelete, {\n totpId: t._id,\n }),\n );\n await Promise.all(deletions);\n await ctx.runMutation(config.component.public.userDelete, { userId });\n return { ok: true as const, userId };\n },\n };\n\n const session = {\n /**\n * Resolve the current session's ID from the JWT.\n *\n * Extracts the `sessionId` portion of the `subject` claim in the\n * identity token returned by `ctx.auth.getUserIdentity()`. The subject\n * is encoded as `userId<divider>sessionId`, so this splits on the\n * divider and returns the second segment.\n *\n * Returns `null` when there is no authenticated identity (i.e. no\n * valid session JWT).\n *\n * @param ctx - Convex query, mutation, or action context (must include `auth`).\n * @returns The current session's document ID, or `null` if unauthenticated.\n *\n * @example\n * ```ts\n * const sessionId = await auth.session.current(ctx);\n * if (!sessionId) throw new Error(\"Not signed in\");\n * ```\n */\n current: async (ctx: { auth: Auth }) => {\n const identity = await ctx.auth.getUserIdentity();\n if (identity === null) return null;\n const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n return sessionId as GenericId<\"Session\">;\n },\n /**\n * Invalidate (sign out) all sessions for a given user.\n *\n * Marks every session belonging to `userId` as invalid so that\n * subsequent requests using those session JWTs will fail authentication.\n * Optionally, one or more sessions can be excluded — this is useful\n * when you want to sign out all *other* devices while keeping the\n * current session alive.\n *\n * This method delegates to the component's internal session\n * invalidation RPC.\n *\n * @param ctx - Convex action context.\n * @param args.userId - The user whose sessions should be invalidated.\n * @param args.except - Optional array of session IDs to keep valid.\n * @returns `{ ok: true, userId, except }` confirming the operation.\n *\n * @example Sign out everywhere except the current session\n * ```ts\n * const sessionId = await auth.session.current(ctx);\n * await auth.session.invalidate(ctx, {\n * userId,\n * except: sessionId ? [sessionId] : [],\n * });\n * ```\n */\n invalidate: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: { userId: GenericId<\"User\">; except?: GenericId<\"Session\">[] },\n ) => {\n await callInvalidateSessions(ctx, args);\n return {\n ok: true as const,\n userId: args.userId,\n except: args.except ?? [],\n };\n },\n /**\n * Fetch a session document by ID.\n *\n * Returns the full session document from the component database, or\n * `null` if no session with the given ID exists. Useful for inspecting\n * session metadata such as creation time or associated device info.\n *\n * @param ctx - Convex query or mutation context.\n * @param sessionId - The session's document ID.\n * @returns The session document, or `null` if not found.\n *\n * @example\n * ```ts\n * const session = await auth.session.get(ctx, sessionId);\n * if (!session) throw new Error(\"Session not found\");\n * ```\n */\n get: async (ctx: ComponentReadCtx, sessionId: string) => {\n return await ctx.runQuery(config.component.public.sessionGetById, {\n sessionId,\n });\n },\n /**\n * List all sessions belonging to a user.\n *\n * Returns every session document associated with the given `userId`,\n * including both active and expired sessions. This is useful for\n * building \"active sessions\" UIs or auditing sign-in history.\n *\n * @param ctx - Convex query or mutation context.\n * @param opts.userId - The user whose sessions to list.\n * @returns An array of session documents.\n *\n * @example\n * ```ts\n * const sessions = await auth.session.list(ctx, { userId });\n * console.log(`User has ${sessions.length} sessions`);\n * ```\n */\n list: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n return await ctx.runQuery(config.component.public.sessionListByUser, {\n userId: opts.userId,\n });\n },\n };\n\n const account = {\n /**\n * Create a new auth account linked to a user.\n *\n * Creates a credentials-based account record for a given provider. If\n * the user does not yet exist, one is created from the supplied\n * `profile`. If `shouldLinkViaEmail` or `shouldLinkViaPhone` is set,\n * the account may be linked to an existing user whose email or phone\n * matches the profile.\n *\n * The `account.secret` (e.g. a hashed password) is optional and\n * depends on the provider type.\n *\n * @param ctx - Convex action context.\n * @param args.provider - The provider ID (e.g. `\"password\"`, `\"credentials\"`).\n * @param args.account.id - Provider-specific account identifier (e.g. email address).\n * @param args.account.secret - Optional credential secret (e.g. hashed password).\n * @param args.profile - Profile data used to create or update the user document.\n * @param args.shouldLinkViaEmail - If `true`, link to an existing user by email match.\n * @param args.shouldLinkViaPhone - If `true`, link to an existing user by phone match.\n * @returns `{ ok: true, ...created }` with the created account and user information.\n *\n * @example\n * ```ts\n * const result = await auth.account.create(ctx, {\n * provider: \"password\",\n * account: { id: \"alice@example.com\", secret: hashedPassword },\n * profile: { email: \"alice@example.com\", name: \"Alice\" },\n * });\n * ```\n */\n create: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: CreateAccountArgs,\n ) => {\n const created = await callCreateAccountFromCredentials(ctx, args);\n return { ok: true as const, ...created };\n },\n /**\n * Retrieve an auth account by provider and credentials.\n *\n * Looks up an account matching the given provider and account ID,\n * optionally verifying the secret (e.g. password). If the account\n * exists and the credentials are valid, the full account document is\n * returned. Returns `null` if no matching account is found or if the\n * credential verification fails (indicated by a string error from the\n * underlying RPC).\n *\n * @param ctx - Convex action context.\n * @param args.provider - The provider ID (e.g. `\"password\"`).\n * @param args.account.id - Provider-specific account identifier.\n * @param args.account.secret - Optional credential secret to verify.\n * @returns The account document, or `null` if not found or verification failed.\n *\n * @example\n * ```ts\n * const acct = await auth.account.get(ctx, {\n * provider: \"password\",\n * account: { id: \"alice@example.com\", secret: plainTextPassword },\n * });\n * if (!acct) throw new Error(\"Invalid credentials\");\n * ```\n */\n get: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: RetrieveAccountArgs,\n ) => {\n const result = await callRetrieveAccountWithCredentials(ctx, args);\n if (typeof result === \"string\") {\n return null;\n }\n return result;\n },\n /**\n * Update the credentials (secret) for an existing auth account.\n *\n * Replaces the stored secret for the account identified by `provider`\n * and `account.id`. This is the standard path for password changes\n * and password resets — the new secret is typically a freshly hashed\n * password.\n *\n * @param ctx - Convex action context.\n * @param args.provider - The provider ID (e.g. `\"password\"`).\n * @param args.account.id - Provider-specific account identifier.\n * @param args.account.secret - The new credential secret to store.\n * @returns `{ ok: true, accountId }` confirming the update.\n *\n * @example Password reset\n * ```ts\n * await auth.account.update(ctx, {\n * provider: \"password\",\n * account: { id: \"alice@example.com\", secret: newHashedPassword },\n * });\n * ```\n */\n update: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: UpdateAccountCredentialsArgs,\n ) => {\n await callModifyAccount(ctx, args);\n return { ok: true as const, accountId: args.account.id };\n },\n /**\n * Delete an auth account by ID.\n *\n * Removes the account record from the database. As a safety measure,\n * deletion is **refused** if this is the user's only remaining account\n * — the user must always have at least one linked account. If the\n * account is not found, returns an error result instead of throwing.\n *\n * @param ctx - Convex mutation context.\n * @param accountId - The account's document ID.\n * @returns `{ ok: true, accountId }` on success, or\n * `{ ok: false, code: \"ACCOUNT_NOT_FOUND\" }` if the account does not exist, or\n * `{ ok: false, code: \"INVALID_PARAMETERS\" }` if it is the user's last account.\n *\n * @example\n * ```ts\n * const result = await auth.account.delete(ctx, accountId);\n * if (!result.ok) {\n * console.error(\"Cannot delete account:\", result.code);\n * }\n * ```\n */\n delete: async (ctx: ComponentCtx, accountId: string) => {\n const doc = await ctx.runQuery(config.component.public.accountGetById, {\n accountId,\n });\n if (doc === null) {\n return { ok: false as const, code: \"ACCOUNT_NOT_FOUND\" as const };\n }\n const allAccounts = (await ctx.runQuery(\n config.component.public.accountListByUser,\n { userId: (doc as any).userId },\n )) as Array<{ _id: string }>;\n if (allAccounts.length <= 1) {\n return { ok: false as const, code: \"INVALID_PARAMETERS\" as const };\n }\n await ctx.runMutation(config.component.public.accountDelete, {\n accountId,\n });\n return { ok: true as const, accountId };\n },\n /**\n * List all passkey credentials registered for a user.\n *\n * Returns every WebAuthn passkey credential associated with the given\n * `userId`. Each document includes the credential's public key,\n * metadata (such as a human-readable name), and counters used for\n * replay protection.\n *\n * @param ctx - Convex query or mutation context.\n * @param opts.userId - The user whose passkeys to list.\n * @returns An array of passkey credential documents.\n *\n * @example\n * ```ts\n * const passkeys = await auth.account.listPasskeys(ctx, { userId });\n * for (const pk of passkeys) {\n * console.log(pk.name ?? \"Unnamed passkey\", pk._id);\n * }\n * ```\n */\n listPasskeys: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n return await ctx.runQuery(\n config.component.public.passkeyListByUserId,\n opts,\n );\n },\n /**\n * Rename a passkey credential.\n *\n * Updates the human-readable `name` metadata on a passkey document.\n * Useful for letting users label their passkeys (e.g. \"MacBook Pro\",\n * \"YubiKey 5\").\n *\n * @param ctx - Convex mutation context.\n * @param passkeyId - The passkey credential's document ID.\n * @param name - The new display name for the passkey.\n * @returns `{ ok: true, passkeyId }` confirming the rename.\n *\n * @example\n * ```ts\n * await auth.account.renamePasskey(ctx, passkeyId, \"Work laptop\");\n * ```\n */\n renamePasskey: async (\n ctx: ComponentCtx,\n passkeyId: string,\n name: string,\n ) => {\n await ctx.runMutation(config.component.public.passkeyUpdateMeta, {\n passkeyId,\n data: { name },\n });\n return { ok: true as const, passkeyId };\n },\n /**\n * Delete a passkey credential.\n *\n * Permanently removes a WebAuthn passkey credential from the database.\n * After deletion, the physical authenticator associated with this\n * credential can no longer be used to sign in.\n *\n * @param ctx - Convex mutation context.\n * @param passkeyId - The passkey credential's document ID.\n * @returns `{ ok: true, passkeyId }` confirming the deletion.\n *\n * @example\n * ```ts\n * await auth.account.deletePasskey(ctx, passkeyId);\n * ```\n */\n deletePasskey: async (ctx: ComponentCtx, passkeyId: string) => {\n await ctx.runMutation(config.component.public.passkeyDelete, {\n passkeyId,\n });\n return { ok: true as const, passkeyId };\n },\n /**\n * List all TOTP (time-based one-time password) factors for a user.\n *\n * Returns every TOTP authenticator factor registered for the given\n * `userId`. Each document includes the secret, issuer, and verification\n * metadata needed for two-factor authentication management UIs.\n *\n * @param ctx - Convex query or mutation context.\n * @param opts.userId - The user whose TOTP factors to list.\n * @returns An array of TOTP factor documents.\n *\n * @example\n * ```ts\n * const totps = await auth.account.listTotps(ctx, { userId });\n * const has2FA = totps.length > 0;\n * ```\n */\n listTotps: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n return await ctx.runQuery(config.component.public.totpListByUserId, opts);\n },\n /**\n * Delete a TOTP factor.\n *\n * Permanently removes a TOTP authenticator factor from the database.\n * After deletion, codes generated by the corresponding authenticator\n * app will no longer be accepted for two-factor authentication.\n *\n * @param ctx - Convex mutation context.\n * @param totpId - The TOTP factor's document ID.\n * @returns `{ ok: true, totpId }` confirming the deletion.\n *\n * @example\n * ```ts\n * await auth.account.deleteTotp(ctx, totpId);\n * ```\n */\n deleteTotp: async (ctx: ComponentCtx, totpId: string) => {\n await ctx.runMutation(config.component.public.totpDelete, { totpId });\n return { ok: true as const, totpId };\n },\n };\n\n const provider = {\n /**\n * Sign in through a specific provider from server-side code.\n *\n * Materializes the supplied provider config, runs the standard sign-in\n * flow, and returns the resulting `userId` and `sessionId` when the\n * provider completes authentication immediately. Returns `null` for\n * providers that require additional client-side steps (for example\n * redirects, email verification, or other non-immediate flows).\n *\n * This helper is useful for trusted server flows where you already know\n * which provider should handle the sign-in and want the same behavior as\n * the public auth API without generating tokens for the client.\n *\n * @param ctx - Convex action context.\n * @param providerConfig - Provider configuration object to materialize and use.\n * @param args.accountId - Optional account document ID to sign in with directly.\n * @param args.params - Optional provider-specific parameters forwarded to the sign-in flow.\n * @returns `{ userId, sessionId }` when sign-in succeeds immediately, or `null`\n * when the provider does not produce an immediate signed-in result.\n *\n * @example\n * ```ts\n * const signedIn = await auth.provider.signIn(ctx, passwordProvider, {\n * params: { email: \"alice@example.com\", password: \"secret\" },\n * });\n *\n * if (!signedIn) {\n * throw new Error(\"Provider requires another auth step\");\n * }\n * ```\n */\n signIn: async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n providerConfig: AuthProviderConfig,\n args: {\n accountId?: GenericId<\"Account\">;\n params?: Record<string, unknown>;\n },\n ) => {\n const result = await signInImpl(\n getEnrichCtx()(ctx),\n materializeProvider(providerConfig),\n args as {\n accountId?: GenericId<\"Account\">;\n params?: Record<string, any>;\n },\n { generateTokens: false, allowExtraProviders: true },\n );\n return result.kind === \"signedIn\"\n ? result.signedIn !== null\n ? {\n userId: result.signedIn.userId,\n sessionId: result.signedIn.sessionId,\n }\n : null\n : null;\n },\n };\n\n const group = {\n /**\n * Create a new group (organization, workspace, team, etc.).\n *\n * Groups are hierarchical — set `parentGroupId` to nest under an existing\n * group, or omit it to create a root-level group. Two denormalized fields\n * are maintained automatically:\n *\n * - `rootGroupId` — the root ancestor (self-referencing for root groups).\n * - `isRoot` — `true` when the group has no parent.\n *\n * @param ctx - Convex mutation context.\n * @param data.name - Display name for the group.\n * @param data.slug - URL-safe slug (optional).\n * @param data.type - App-defined type string (e.g. `\"workspace\"`, `\"team\"`).\n * @param data.parentGroupId - Nest under this group. Omit for a root group.\n * @param data.tags - Faceted classification tags (normalized at write time).\n * @param data.extend - Arbitrary app-specific metadata.\n * @returns `{ ok: true, groupId }`.\n *\n * @example Root group\n * ```ts\n * const { groupId } = await auth.group.create(ctx, {\n * name: \"Acme Corp\", type: \"workspace\",\n * });\n * ```\n *\n * @example Nested team\n * ```ts\n * const { groupId } = await auth.group.create(ctx, {\n * name: \"Engineering\", parentGroupId: orgId, type: \"team\",\n * });\n * ```\n */\n create: async (\n ctx: ComponentCtx,\n data: {\n name: string;\n slug?: string;\n type?: string;\n parentGroupId?: string;\n tags?: Array<{ key: string; value: string }>;\n extend?: Record<string, unknown>;\n },\n ): Promise<{ ok: true; groupId: string }> => {\n const groupId = (await ctx.runMutation(\n config.component.public.groupCreate,\n data,\n )) as string;\n return { ok: true, groupId };\n },\n /**\n * Fetch a group document by ID.\n *\n * Results are **cached per-execution** — calling `auth.group.get(ctx, id)`\n * multiple times within the same handler for the same `groupId` returns\n * the cached result without an additional component read.\n *\n * @param ctx - Convex query or mutation context.\n * @param groupId - The group's document ID.\n * @returns The group document (including `rootGroupId`, `isRoot`), or `null`.\n */\n get: async (ctx: ComponentReadCtx, groupId: string) => {\n const c = cache(ctx);\n if (c.groups.has(groupId)) return c.groups.get(groupId);\n const result = await ctx.runQuery(config.component.public.groupGet, {\n groupId,\n });\n c.groups.set(groupId, result);\n return result;\n },\n /**\n * List groups with optional filtering, pagination, and ordering.\n *\n * Supports filtering by `slug`, `type`, `parentGroupId`, `name`,\n * `isRoot`, and tags (`tagsAll`, `tagsAny`). The `isRoot` and\n * `parentGroupId` filters use dedicated indexes for efficient queries.\n *\n * @param ctx - Convex query or mutation context.\n * @param opts.where - Filter criteria (all optional, combined with AND).\n * @param opts.where.isRoot - `true` to find root groups, `false` for nested.\n * @param opts.where.parentGroupId - List direct children of this group.\n * @param opts.limit - Max items per page (default 50, max 100).\n * @param opts.cursor - Cursor from a previous `nextCursor`.\n * @param opts.orderBy - Sort field: `\"_creationTime\"`, `\"name\"`, `\"slug\"`, `\"type\"`.\n * @param opts.order - Sort direction: `\"asc\"` or `\"desc\"`.\n * @returns `{ items, nextCursor }`.\n *\n * @example List root workspaces\n * ```ts\n * const { items } = await auth.group.list(ctx, {\n * where: { isRoot: true },\n * orderBy: \"name\", order: \"asc\",\n * });\n * ```\n *\n * @example List children of a group\n * ```ts\n * const { items } = await auth.group.list(ctx, {\n * where: { parentGroupId: orgId },\n * });\n * ```\n */\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n slug?: string;\n type?: string;\n parentGroupId?: string;\n name?: string;\n isRoot?: boolean;\n tagsAll?: Array<{ key: string; value: string }>;\n tagsAny?: Array<{ key: string; value: string }>;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?: \"_creationTime\" | \"name\" | \"slug\" | \"type\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.groupList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n /**\n * Patch a group document.\n *\n * If `parentGroupId` is changed, the group's `rootGroupId` and `isRoot`\n * fields are recomputed automatically and cascaded to all descendants.\n *\n * @param ctx - Convex mutation context.\n * @param groupId - The group's document ID.\n * @param data - Fields to merge (e.g. `name`, `slug`, `tags`, `parentGroupId`).\n * @returns `{ ok: true, groupId }`.\n *\n * @example\n * ```ts\n * await auth.group.update(ctx, groupId, {\n * name: \"Acme Corp (renamed)\",\n * slug: \"acme-corp\",\n * });\n * ```\n */\n update: async (\n ctx: ComponentCtx,\n groupId: string,\n data: Record<string, unknown>,\n ) => {\n await ctx.runMutation(config.component.public.groupUpdate, {\n groupId,\n data,\n });\n return { ok: true as const, groupId };\n },\n /**\n * Delete a group and recursively cascade to all descendant groups,\n * their members, invites, and tags.\n *\n * @param ctx - Convex mutation context.\n * @param groupId - The group's document ID.\n * @returns `{ ok: true, groupId }`.\n *\n * @example\n * ```ts\n * await auth.group.delete(ctx, groupId);\n * ```\n */\n delete: async (ctx: ComponentCtx, groupId: string) => {\n await ctx.runMutation(config.component.public.groupDelete, { groupId });\n return { ok: true as const, groupId };\n },\n /**\n * Walk up the group hierarchy from `groupId` and return all ancestor\n * groups in order from immediate parent to root. Detects cycles and\n * respects `maxDepth` (default 32).\n *\n * @param ctx - Convex query or mutation context.\n * @param opts.groupId - Starting group ID.\n * @param opts.maxDepth - Max levels to traverse (default 32).\n * @param opts.includeSelf - Include the starting group in the result.\n * @returns `{ ancestors, cycleDetected, maxDepthReached }`.\n *\n * @example\n * ```ts\n * const { ancestors } = await auth.group.ancestors(ctx, {\n * groupId: teamId,\n * includeSelf: true,\n * });\n * const rootOrg = ancestors[ancestors.length - 1];\n * ```\n */\n ancestors: async (\n ctx: ComponentReadCtx,\n opts: { groupId: string; maxDepth?: number; includeSelf?: boolean },\n ) => {\n const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));\n const visited = new Set<string>();\n const ancestors: any[] = [];\n let cycleDetected = false;\n let maxDepthReached = false;\n let currentGroupId: string | undefined = opts.groupId;\n let depth = 0;\n let isFirst = true;\n while (currentGroupId !== undefined) {\n if (depth > maxDepth) {\n maxDepthReached = true;\n break;\n }\n if (visited.has(currentGroupId)) {\n cycleDetected = true;\n break;\n }\n visited.add(currentGroupId);\n const doc = await group.get(ctx, currentGroupId);\n if (doc === null) break;\n if (isFirst) {\n isFirst = false;\n if (opts.includeSelf) ancestors.push(doc);\n currentGroupId = doc.parentGroupId;\n depth += 1;\n continue;\n }\n ancestors.push(doc);\n currentGroupId = doc.parentGroupId;\n depth += 1;\n }\n return { ancestors, cycleDetected, maxDepthReached };\n },\n };\n\n const member = {\n /**\n * Add a user to a group with optional role IDs.\n *\n * Role IDs are validated against the roles defined in `defineRoles()` —\n * invalid IDs return `{ ok: false, code: \"INVALID_ROLE_IDS\" }`.\n * Throws `DUPLICATE_MEMBERSHIP` if the user is already a member.\n *\n * @param ctx - Convex mutation context.\n * @param data.groupId - The group to add the user to.\n * @param data.userId - The user's document ID.\n * @param data.roleIds - Role IDs from `defineRoles()` (optional).\n * @param data.status - Membership status string (optional, app-defined).\n * @param data.extend - Arbitrary app-specific metadata.\n * @returns `{ ok: true, memberId }` or `{ ok: false, code, invalidRoleIds }`.\n *\n * @example\n * ```ts\n * const { memberId } = await auth.member.create(ctx, {\n * groupId: orgId,\n * userId,\n * roleIds: [roles.orgAdmin.id],\n * });\n * ```\n */\n create: async (\n ctx: ComponentCtx,\n data: {\n groupId: string;\n userId: string;\n roleIds?: string[];\n status?: string;\n extend?: Record<string, unknown>;\n },\n ) => {\n const normalized = normalizeRoleIds(data.roleIds);\n if (!normalized.ok)\n return {\n ok: false as const,\n code: \"INVALID_ROLE_IDS\" as const,\n invalidRoleIds: normalized.invalidRoleIds,\n };\n const memberId = (await ctx.runMutation(\n config.component.public.memberAdd,\n { ...data, roleIds: normalized.roleIds },\n )) as string;\n return { ok: true as const, memberId };\n },\n /**\n * Fetch a membership document by its document ID.\n *\n * @param ctx - Convex query or mutation context.\n * @param memberId - The membership document ID.\n * @returns The membership document, or `null` if not found.\n *\n * @example\n * ```ts\n * const membership = await auth.member.get(ctx, memberId);\n * if (!membership) throw new Error(\"Membership not found\");\n * console.log(membership.roleIds, membership.groupId);\n * ```\n */\n get: async (ctx: ComponentReadCtx, memberId: string) => {\n return await ctx.runQuery(config.component.public.memberGet, {\n memberId,\n });\n },\n /**\n * List memberships with optional filtering and pagination.\n *\n * Supports filtering by `groupId`, `userId`, `roleId`, and `status`.\n * When `groupId` and `status` are both provided, a compound index\n * is used for efficient queries.\n *\n * @param ctx - Convex query or mutation context.\n * @param opts.where - Filter criteria (all optional).\n * @param opts.limit - Max items per page (default 50, max 100).\n * @param opts.cursor - Cursor for pagination.\n * @param opts.orderBy - Sort field: `\"_creationTime\"` or `\"status\"`.\n * @param opts.order - Sort direction: `\"asc\"` or `\"desc\"`.\n * @returns `{ items, nextCursor }`.\n *\n * @example\n * ```ts\n * const { items } = await auth.member.list(ctx, {\n * where: { groupId: orgId },\n * limit: 20,\n * orderBy: \"_creationTime\",\n * order: \"asc\",\n * });\n * ```\n */\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n groupId?: string;\n userId?: string;\n roleId?: string;\n status?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?: \"_creationTime\" | \"status\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.memberList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n /**\n * Remove a membership by its document ID.\n *\n * @param ctx - Convex mutation context.\n * @param memberId - The membership document ID.\n * @returns `{ ok: true, memberId }`.\n *\n * @example\n * ```ts\n * await auth.member.delete(ctx, memberId);\n * ```\n */\n delete: async (ctx: ComponentCtx, memberId: string) => {\n await ctx.runMutation(config.component.public.memberRemove, { memberId });\n return { ok: true as const, memberId };\n },\n /**\n * Patch a membership's `roleIds`, `status`, or `extend` fields.\n * Role IDs are validated against `defineRoles()`.\n *\n * @param ctx - Convex mutation context.\n * @param memberId - The membership document ID.\n * @param data - Fields to merge. `roleIds` are validated.\n * @returns `{ ok: true, memberId }` or `{ ok: false, code: \"INVALID_ROLE_IDS\" }`.\n *\n * @example\n * ```ts\n * await auth.member.update(ctx, memberId, {\n * roleIds: [roles.orgAdmin.id],\n * status: \"active\",\n * });\n * ```\n */\n update: async (\n ctx: ComponentCtx,\n memberId: string,\n data: Record<string, unknown>,\n ) => {\n const nextData = { ...data };\n if (\"roleIds\" in nextData) {\n const normalized = normalizeRoleIds(\n Array.isArray(nextData.roleIds)\n ? (nextData.roleIds as string[])\n : undefined,\n );\n if (!normalized.ok)\n return {\n ok: false as const,\n code: \"INVALID_ROLE_IDS\" as const,\n invalidRoleIds: normalized.invalidRoleIds,\n };\n nextData.roleIds = normalized.roleIds;\n }\n await ctx.runMutation(config.component.public.memberUpdate, {\n memberId,\n data: nextData,\n });\n return { ok: true as const, memberId };\n },\n /**\n * Resolve a user's membership in a group, optionally walking the\n * hierarchy and checking grants.\n *\n * **Default (no flags):** Direct lookup at `groupId` only — fast,\n * 1 component read. Replaces the old `getByUserAndGroup`.\n *\n * **`ancestry: true`:** Walk the group hierarchy from `groupId` up\n * to root, returning the first matching membership. Includes\n * `traversedGroupIds` in the result. Expensive (N reads).\n *\n * **`grants: [...]`:** Check if the user has all specified grants.\n * Works at the direct level by default. Combine with\n * `ancestry: true` to check inherited grants.\n *\n * @param ctx - Convex query or mutation context.\n * @param opts.userId - The user's document ID.\n * @param opts.groupId - The group to check membership in.\n * @param opts.ancestry - Walk the hierarchy (default `false`).\n * @param opts.grants - Grant strings to check (optional).\n * @param opts.roleIds - Role IDs to filter by (optional).\n * @param opts.maxDepth - Max hierarchy levels (default 32, only with ancestry).\n * @returns `{ ok, membership, roleIds, grants, missingGrants, ... }`.\n * `ok` is `true` when membership exists and all requested grants are satisfied.\n *\n * @example Direct lookup\n * ```ts\n * const result = await auth.member.resolve(ctx, { userId, groupId });\n * if (!result.membership) return { ok: false, code: \"NOT_A_MEMBER\" };\n * ```\n *\n * @example Check grants (no hierarchy walk)\n * ```ts\n * const result = await auth.member.resolve(ctx, {\n * userId, groupId, grants: [\"issues.create\"],\n * });\n * if (!result.ok) return { ok: false, code: \"FORBIDDEN\" };\n * ```\n *\n * @example Walk hierarchy + check grants\n * ```ts\n * const result = await auth.member.resolve(ctx, {\n * userId, groupId: teamId, ancestry: true, grants: [\"issues.create\"],\n * });\n * ```\n */\n resolve: async (\n ctx: ComponentReadCtx,\n opts: {\n userId: string;\n groupId: string;\n ancestry?: boolean;\n roleIds?: string[];\n grants?: string[];\n maxDepth?: number;\n },\n ) => {\n const normalized = normalizeRoleIds(opts.roleIds);\n if (!normalized.ok)\n return {\n ok: false as const,\n membership: null,\n matchedGroupId: null,\n roleIds: [] as string[],\n grants: [] as string[],\n missingGrants: Array.from(new Set(opts.grants ?? [])),\n depth: null,\n isDirect: false,\n isInherited: false,\n traversedGroupIds: [] as string[],\n code: \"INVALID_ROLE_IDS\" as const,\n invalidRoleIds: normalized.invalidRoleIds,\n };\n const requestedRoleIds = normalized.roleIds;\n const roleFilter =\n requestedRoleIds.length > 0 ? new Set(requestedRoleIds) : null;\n const requiredGrants = Array.from(new Set(opts.grants ?? []));\n const useAncestry = opts.ancestry === true;\n\n let membership: any = null;\n let matchedGroupId: string | null = null;\n let depth: number | null = null;\n let isDirect = false;\n let isInherited = false;\n let traversedGroupIds: string[] = [];\n\n if (useAncestry) {\n // Hierarchy walk — single component RPC\n const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));\n const result = await ctx.runQuery(\n config.component.public.memberResolve,\n {\n userId: opts.userId,\n groupId: opts.groupId,\n maxDepth,\n ancestry: true,\n },\n );\n membership = result.membership;\n matchedGroupId = result.matchedGroupId;\n depth = result.depth;\n isDirect = result.isDirect;\n isInherited = result.isInherited;\n traversedGroupIds = result.traversedGroupIds ?? [];\n } else {\n // Fast path — direct lookup, 1 read\n const doc = await ctx.runQuery(\n config.component.public.memberGetByGroupAndUser,\n { userId: opts.userId, groupId: opts.groupId },\n );\n membership = doc;\n matchedGroupId = doc ? opts.groupId : null;\n depth = doc ? 0 : null;\n isDirect = doc !== null;\n }\n\n if (membership === null) {\n return {\n ok: false as const,\n membership: null,\n matchedGroupId: null,\n roleIds: [] as string[],\n grants: [] as string[],\n missingGrants: requiredGrants,\n depth: null,\n isDirect: false,\n isInherited: false,\n traversedGroupIds,\n };\n }\n\n const membershipRoleIds = membership.roleIds ?? [];\n const membershipGrants = resolveGrantedPermissions(membershipRoleIds);\n\n // Check role filter\n if (\n roleFilter !== null &&\n !membershipRoleIds.some((roleId: string) => roleFilter.has(roleId))\n ) {\n return {\n ok: false as const,\n membership: null,\n matchedGroupId: null,\n roleIds: [] as string[],\n grants: [] as string[],\n missingGrants: requiredGrants,\n depth: null,\n isDirect: false,\n isInherited: false,\n traversedGroupIds,\n };\n }\n\n const missingGrants = requiredGrants.filter(\n (grant) => !membershipGrants.includes(grant),\n );\n\n return {\n ok: missingGrants.length === 0,\n membership,\n matchedGroupId,\n roleIds: membershipRoleIds,\n grants: membershipGrants,\n missingGrants,\n depth,\n isDirect,\n isInherited,\n traversedGroupIds,\n };\n },\n };\n\n const invite = {\n /**\n * Create a pending invite. Returns a one-time `token` the recipient\n * uses to accept. Optionally scoped to a group with role IDs.\n *\n * @param ctx - Convex mutation context.\n * @param data.groupId - The group to invite the user to (optional).\n * @param data.invitedByUserId - The user who created this invite (optional).\n * @param data.email - The invitee's email address (optional).\n * @param data.roleIds - Role IDs from `defineRoles()` to assign on acceptance (optional).\n * @param data.expiresTime - Expiration timestamp in ms since epoch (optional).\n * @param data.extend - Arbitrary app-specific metadata (optional).\n * @returns `{ ok: true, inviteId, token }` or `{ ok: false, code: \"INVALID_ROLE_IDS\" }`.\n *\n * @example\n * ```ts\n * const { token } = await auth.invite.create(ctx, {\n * groupId, email: \"alice@example.com\", roleIds: [roles.member.id],\n * });\n * ```\n */\n create: async (\n ctx: ComponentCtx,\n data: {\n groupId?: string;\n invitedByUserId?: string;\n email?: string;\n roleIds?: string[];\n expiresTime?: number;\n extend?: Record<string, unknown>;\n },\n ) => {\n const normalized = normalizeRoleIds(data.roleIds);\n if (!normalized.ok)\n return {\n ok: false as const,\n code: \"INVALID_ROLE_IDS\" as const,\n invalidRoleIds: normalized.invalidRoleIds,\n };\n const token = generateRandomString(\n inviteTokenLength,\n inviteTokenAlphabet,\n );\n const tokenHash = await sha256(token);\n const inviteId = (await ctx.runMutation(\n config.component.public.inviteCreate,\n { ...data, roleIds: normalized.roleIds, tokenHash, status: \"pending\" },\n )) as string;\n return { ok: true as const, inviteId, token };\n },\n /**\n * Fetch an invite document by ID.\n *\n * Returns the full invite document including its status, email,\n * group, role IDs, and token hash. Useful for displaying invite\n * details or checking status before performing actions.\n *\n * @param ctx - Convex query or mutation context.\n * @param inviteId - The invite's document ID.\n * @returns The invite document, or `null` if not found.\n *\n * @example\n * ```ts\n * const invite = await auth.invite.get(ctx, inviteId);\n * if (invite?.status === \"pending\") {\n * // show invite details\n * }\n * ```\n */\n get: async (ctx: ComponentReadCtx, inviteId: string) => {\n return await ctx.runQuery(config.component.public.inviteGet, {\n inviteId,\n });\n },\n token: {\n /**\n * Look up an invite by its raw token string.\n *\n * Hashes the raw token and queries the database for a matching\n * invite. This is the standard path for invite-link landing pages\n * where the token is extracted from the URL.\n *\n * @param ctx - Convex query or mutation context.\n * @param token - The raw invite token string from the invite link.\n * @returns The invite document, or `null` if no matching invite exists.\n *\n * @example\n * ```ts\n * const invite = await auth.invite.token.get(ctx, tokenFromUrl);\n * if (!invite || invite.status !== \"pending\") {\n * throw new Error(\"Invalid or expired invite\");\n * }\n * ```\n */\n get: async (ctx: ComponentReadCtx, token: string) => {\n const tokenHash = await sha256(token);\n return await ctx.runQuery(\n config.component.public.inviteGetByTokenHash,\n { tokenHash },\n );\n },\n /**\n * Accept an invite by token. Creates a membership and marks the invite as accepted.\n *\n * Hashes the raw token, finds the matching invite, creates a group\n * membership with the invite's role IDs, and transitions the invite\n * status to `\"accepted\"`.\n *\n * @param ctx - Convex mutation context.\n * @param args.token - The raw invite token string.\n * @param args.acceptedByUserId - The user accepting the invite.\n * @returns `{ ok: true, ...result }` with the created membership details.\n *\n * @example\n * ```ts\n * const result = await auth.invite.token.accept(ctx, {\n * token: tokenFromUrl,\n * acceptedByUserId: userId,\n * });\n * ```\n */\n accept: async (\n ctx: ComponentCtx,\n args: { token: string; acceptedByUserId: string },\n ) => {\n const tokenHash = await sha256(args.token);\n const result = await ctx.runMutation(\n config.component.public.inviteAcceptByToken,\n { tokenHash, acceptedByUserId: args.acceptedByUserId },\n );\n return { ok: true as const, ...result };\n },\n },\n /**\n * List invites with optional filtering by group, status, email, etc.\n * Results are paginated.\n *\n * @param ctx - Convex query or mutation context.\n * @param opts.where - Filter criteria (all optional).\n * @param opts.where.status - `\"pending\"`, `\"accepted\"`, `\"revoked\"`, or `\"expired\"`.\n * @param opts.limit - Max items per page (default 50, max 100).\n * @param opts.cursor - Cursor from a previous `nextCursor` for pagination.\n * @param opts.orderBy - Sort field: `\"_creationTime\"`, `\"status\"`, `\"email\"`,\n * `\"expiresTime\"`, or `\"acceptedTime\"`.\n * @param opts.order - Sort direction: `\"asc\"` or `\"desc\"`.\n * @returns `{ items, nextCursor }` — `nextCursor` is `null` when there are no more pages.\n *\n * @example\n * ```ts\n * const { items } = await auth.invite.list(ctx, {\n * where: { groupId, status: \"pending\" },\n * orderBy: \"_creationTime\",\n * order: \"desc\",\n * });\n * ```\n */\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n tokenHash?: string;\n groupId?: string;\n status?: \"pending\" | \"accepted\" | \"revoked\" | \"expired\";\n email?: string;\n invitedByUserId?: string;\n roleId?: string;\n acceptedByUserId?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?:\n | \"_creationTime\"\n | \"status\"\n | \"email\"\n | \"expiresTime\"\n | \"acceptedTime\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.inviteList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n /**\n * Accept an invite by ID. Optionally specify who accepted it.\n *\n * Transitions the invite's status to `\"accepted\"` and optionally\n * records the accepting user. Unlike `invite.token.accept`, this\n * method does not automatically create a group membership — use it\n * for admin-driven invite acceptance flows.\n *\n * @param ctx - Convex mutation context.\n * @param inviteId - The invite's document ID.\n * @param acceptedByUserId - The user who accepted the invite (optional).\n * @returns `{ ok: true, inviteId, acceptedByUserId }`.\n *\n * @example\n * ```ts\n * await auth.invite.accept(ctx, inviteId, userId);\n * ```\n */\n accept: async (\n ctx: ComponentCtx,\n inviteId: string,\n acceptedByUserId?: string,\n ) => {\n await ctx.runMutation(config.component.public.inviteAccept, {\n inviteId,\n ...(acceptedByUserId ? { acceptedByUserId } : {}),\n });\n return {\n ok: true as const,\n inviteId,\n acceptedByUserId: acceptedByUserId ?? null,\n };\n },\n /**\n * Revoke a pending invite. Sets its status to `\"revoked\"`.\n *\n * Once revoked, the invite's token can no longer be used to accept\n * the invitation. This is a permanent status change.\n *\n * @param ctx - Convex mutation context.\n * @param inviteId - The invite's document ID.\n * @returns `{ ok: true, inviteId }`.\n *\n * @example\n * ```ts\n * await auth.invite.revoke(ctx, inviteId);\n * ```\n */\n revoke: async (ctx: ComponentCtx, inviteId: string) => {\n await ctx.runMutation(config.component.public.inviteRevoke, { inviteId });\n return { ok: true as const, inviteId };\n },\n };\n\n const key = {\n /**\n * Create an API key for programmatic access. The returned `secret`\n * (prefixed `sk_`) is shown only once — it is stored as a hash.\n *\n * @param ctx - Convex mutation context.\n * @param opts.userId - Owner of the key.\n * @param opts.name - Human-readable name (e.g. `\"CI Pipeline\"`).\n * @param opts.scopes - Array of `{ resource, actions }` permission scopes.\n * @param opts.rateLimit - Optional per-key rate limit `{ maxRequests, windowMs }`.\n * @param opts.expiresAt - Optional expiration timestamp (ms since epoch).\n * @param opts.metadata - Arbitrary app-specific metadata.\n * @returns `{ ok: true, keyId, secret }`. Store `secret` securely — it cannot be retrieved later.\n *\n * @example\n * ```ts\n * const { secret } = await auth.key.create(ctx, {\n * userId,\n * name: \"CI Pipeline\",\n * scopes: [{ resource: \"data\", actions: [\"read\"] }],\n * });\n * ```\n */\n create: async (\n ctx: ComponentCtx,\n opts: {\n userId: string;\n name: string;\n scopes: KeyScope[];\n rateLimit?: { maxRequests: number; windowMs: number };\n expiresAt?: number;\n metadata?: Record<string, unknown>;\n },\n ): Promise<{ ok: true; keyId: string; secret: string }> => {\n const { raw, hashedKey, displayPrefix } = await generateApiKey(\"sk_\");\n const keyId = (await ctx.runMutation(config.component.public.keyInsert, {\n userId: opts.userId,\n prefix: displayPrefix,\n hashedKey,\n name: opts.name,\n scopes: opts.scopes,\n rateLimit: opts.rateLimit,\n expiresAt: opts.expiresAt,\n metadata: opts.metadata,\n })) as string;\n return { ok: true, keyId, secret: raw };\n },\n /**\n * Verify an API key and return the owner's identity and scopes.\n *\n * Checks the key against the database, enforces expiration and rate\n * limits, and returns a `ScopeChecker` for permission evaluation.\n *\n * @param ctx - Convex mutation context (updates `lastUsedAt` and rate limit state).\n * @param rawKey - The raw `sk_*` key string.\n * @returns On success: `{ ok: true, userId, keyId, scopes }` where `scopes.can(resource, action)` checks permissions.\n * On failure: `{ ok: false, code }` with one of:\n * - `\"INVALID_API_KEY\"` — key not found.\n * - `\"API_KEY_REVOKED\"` — key was revoked.\n * - `\"API_KEY_EXPIRED\"` — key past its `expiresAt`.\n * - `\"API_KEY_RATE_LIMITED\"` — rate limit exceeded.\n *\n * @example\n * ```ts\n * const result = await auth.key.verify(ctx, rawKey);\n * if (!result.ok) return { ok: false, code: result.code };\n * const canRead = result.scopes.can(\"data\", \"read\");\n * ```\n */\n verify: async (\n ctx: ComponentCtx,\n rawKey: string,\n ): Promise<\n | { ok: true; userId: string; keyId: string; scopes: ScopeChecker }\n | {\n ok: false;\n code:\n | \"INVALID_API_KEY\"\n | \"API_KEY_REVOKED\"\n | \"API_KEY_EXPIRED\"\n | \"API_KEY_RATE_LIMITED\";\n }\n > => {\n const hashedKey = await hashApiKey(rawKey);\n const doc = (await ctx.runQuery(\n config.component.public.keyGetByHashedKey,\n { hashedKey },\n )) as KeyDoc | null;\n if (!doc) {\n return { ok: false as const, code: \"INVALID_API_KEY\" as const };\n }\n const k = doc;\n if (k.revoked) {\n return { ok: false as const, code: \"API_KEY_REVOKED\" as const };\n }\n if (k.expiresAt && k.expiresAt < Date.now()) {\n return { ok: false as const, code: \"API_KEY_EXPIRED\" as const };\n }\n const patchData: Record<string, unknown> = { lastUsedAt: Date.now() };\n if (k.rateLimit) {\n const { limited, newState } = checkKeyRateLimit(\n k.rateLimit,\n k.rateLimitState ?? undefined,\n );\n if (limited) {\n return { ok: false as const, code: \"API_KEY_RATE_LIMITED\" as const };\n }\n patchData.rateLimitState = newState;\n }\n await ctx.runMutation(config.component.public.keyPatch, {\n keyId: k._id,\n data: patchData,\n });\n return {\n ok: true as const,\n userId: k.userId,\n keyId: k._id,\n scopes: buildScopeChecker(k.scopes),\n };\n },\n /**\n * List API keys with optional filtering by user, revocation status, name,\n * or prefix. Results are paginated. Does not expose raw key secrets.\n *\n * @param ctx - Convex query or mutation context.\n * @param opts.where - Filter criteria (all optional, combined with AND).\n * @param opts.limit - Max items per page (default 50, max 100).\n * @param opts.cursor - Cursor from a previous `nextCursor` for pagination.\n * @param opts.orderBy - Sort field: `\"_creationTime\"`, `\"name\"`, `\"lastUsedAt\"`, `\"expiresAt\"`, or `\"revoked\"`.\n * @param opts.order - Sort direction: `\"asc\"` or `\"desc\"`.\n * @returns `{ items, nextCursor }` — `nextCursor` is `null` when no more pages.\n *\n * @example\n * ```ts\n * const { items } = await auth.key.list(ctx, {\n * where: { userId, revoked: false },\n * orderBy: \"lastUsedAt\",\n * order: \"desc\",\n * });\n * ```\n */\n list: async (\n ctx: ComponentReadCtx,\n opts?: {\n where?: {\n userId?: string;\n revoked?: boolean;\n name?: string;\n prefix?: string;\n };\n limit?: number;\n cursor?: string | null;\n orderBy?:\n | \"_creationTime\"\n | \"name\"\n | \"lastUsedAt\"\n | \"expiresAt\"\n | \"revoked\";\n order?: \"asc\" | \"desc\";\n },\n ) => {\n return await ctx.runQuery(config.component.public.keyList, {\n where: opts?.where,\n limit: opts?.limit,\n cursor: opts?.cursor,\n orderBy: opts?.orderBy,\n order: opts?.order,\n });\n },\n /**\n * Fetch an API key record by ID. Does not expose the raw key secret.\n *\n * Returns the key document including metadata, scopes, rate limit\n * configuration, and revocation status. The raw secret is never\n * stored or returned — only the hashed key and display prefix.\n *\n * @param ctx - Convex query or mutation context.\n * @param keyId - The API key's document ID.\n * @returns `{ ok: true, key }` with the key document, or `{ ok: false }` if not found.\n *\n * @example\n * ```ts\n * const result = await auth.key.get(ctx, keyId);\n * if (!result.ok) throw new Error(\"Key not found\");\n * console.log(result.key.name, result.key.prefix);\n * ```\n */\n get: async (\n ctx: ComponentReadCtx,\n keyId: string,\n ): Promise<{ ok: true; key: KeyDoc } | { ok: false }> => {\n const doc = (await ctx.runQuery(config.component.public.keyGetById, {\n keyId,\n })) as KeyDoc | null;\n if (!doc) return { ok: false as const };\n return { ok: true as const, key: doc };\n },\n /**\n * Update a key's name, scopes, or rate limit.\n *\n * Patches the specified fields on the API key document. Only the\n * provided fields are changed — omitted fields remain unchanged.\n *\n * @param ctx - Convex mutation context.\n * @param keyId - The API key's document ID.\n * @param data - Fields to merge into the key document.\n * @returns `{ ok: true, keyId }`.\n *\n * @example\n * ```ts\n * await auth.key.update(ctx, keyId, {\n * name: \"CI Pipeline (updated)\",\n * scopes: [{ resource: \"data\", actions: [\"read\", \"write\"] }],\n * });\n * ```\n */\n update: async (\n ctx: ComponentCtx,\n keyId: string,\n data: {\n name?: string;\n scopes?: KeyScope[];\n rateLimit?: { maxRequests: number; windowMs: number };\n },\n ) => {\n await ctx.runMutation(config.component.public.keyPatch, { keyId, data });\n return { ok: true as const, keyId };\n },\n /**\n * Soft-delete: set `revoked: true`. The key can no longer be verified.\n *\n * After revocation, any subsequent calls to `auth.key.verify` with\n * this key will return `{ ok: false, code: \"API_KEY_REVOKED\" }`.\n * The key record is preserved for audit purposes.\n *\n * @param ctx - Convex mutation context.\n * @param keyId - The API key's document ID.\n * @returns `{ ok: true, keyId }`.\n *\n * @example\n * ```ts\n * await auth.key.revoke(ctx, keyId);\n * ```\n */\n revoke: async (ctx: ComponentCtx, keyId: string) => {\n await ctx.runMutation(config.component.public.keyPatch, {\n keyId,\n data: { revoked: true },\n });\n return { ok: true as const, keyId };\n },\n /**\n * Hard-delete: permanently remove the key record.\n *\n * Unlike `revoke`, this permanently removes the key document from\n * the database. Use this when you need to fully clean up a key\n * rather than preserving it for audit history.\n *\n * @param ctx - Convex mutation context.\n * @param keyId - The API key's document ID.\n * @returns `{ ok: true, keyId }`.\n *\n * @example\n * ```ts\n * await auth.key.delete(ctx, keyId);\n * ```\n */\n delete: async (ctx: ComponentCtx, keyId: string) => {\n await ctx.runMutation(config.component.public.keyDelete, { keyId });\n return { ok: true as const, keyId };\n },\n /**\n * Rotate a key: revokes the old key and creates a new one with the\n * same user, scopes, and rate limit. Returns the new `keyId` and `secret`.\n * Fails with `{ ok: false }` if the key is already revoked.\n *\n * @param ctx - Convex mutation context.\n * @param keyId - The existing API key's document ID to rotate.\n * @param opts.name - Optional new name for the rotated key (defaults to the old name).\n * @param opts.expiresAt - Optional new expiration timestamp in ms since epoch.\n * @returns `{ ok: true, keyId, secret }` with the new key, or `{ ok: false, code }` on failure.\n *\n * @example\n * ```ts\n * const result = await auth.key.rotate(ctx, oldKeyId, {\n * expiresAt: Date.now() + 30 * 24 * 60 * 60 * 1000, // 30 days\n * });\n * if (result.ok) {\n * // Store result.secret securely — shown only once\n * }\n * ```\n */\n rotate: async (\n ctx: ComponentCtx,\n keyId: string,\n opts?: { name?: string; expiresAt?: number },\n ): Promise<\n | { ok: true; keyId: string; secret: string }\n | { ok: false; code: \"INVALID_PARAMETERS\" | \"API_KEY_REVOKED\" }\n > => {\n const existing = await ctx.runQuery(config.component.public.keyGetById, {\n keyId,\n });\n if (!existing) {\n return { ok: false as const, code: \"INVALID_PARAMETERS\" as const };\n }\n if ((existing as any).revoked === true) {\n return { ok: false as const, code: \"API_KEY_REVOKED\" as const };\n }\n await ctx.runMutation(config.component.public.keyPatch, {\n keyId,\n data: { revoked: true },\n });\n return await key.create(ctx, {\n userId: (existing as any).userId,\n name: opts?.name ?? (existing as any).name,\n scopes: (existing as any).scopes ?? [],\n rateLimit: (existing as any).rateLimit,\n expiresAt: opts?.expiresAt,\n metadata: (existing as any).metadata,\n });\n },\n };\n\n return {\n user,\n session,\n account,\n provider,\n group,\n member,\n invite,\n key,\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAoFA,SAAgB,kBAAkB,MAAgB;CAChD,MAAM,EACJ,QACA,SACA,wBACA,kCACA,oCACA,mBACA,cACA,qBACA,sBACE;CAEJ,MAAM,kBAAkB,OAAO,cAAc;CAK7C,MAAM,qBAAqB,WAAmB;AAC5C,SAAO,gBAAgB,WAAW;;CAGpC,MAAM,oBACJ,YAG6C;EAC7C,MAAM,aAAa,MAAM,KAAK,IAAI,IAAI,WAAW,EAAE,CAAC,CAAC;EACrD,MAAM,UAAU,WAAW,QAAQ,OAAO,kBAAkB,GAAG,KAAK,KAAK;AACzE,MAAI,QAAQ,SAAS,EACnB,QAAO;GAAE,IAAI;GAAO,gBAAgB;GAAS;AAE/C,SAAO;GAAE,IAAI;GAAM,SAAS;GAAY;;CAG1C,MAAM,oBAAoB,OAAO,KAAmB,WAAmB;EACrE,MAAM,QAAgC,EAAE;EACxC,IAAI,SAAwB;AAC5B,KAAG;GACD,MAAM,OAAQ,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,SAAS;IAChE,OAAO,EAAE,QAAQ;IACjB,OAAO;IACP;IACD,CAAC;AAIF,SAAM,KAAK,GAAG,KAAK,MAAM;AACzB,YAAS,KAAK;WACP,WAAW;AACpB,SAAO;;CAGT,MAAM,uBAAuB,OAAO,KAAmB,WAAmB;EACxE,MAAM,QAAgC,EAAE;EACxC,IAAI,SAAwB;AAC5B,KAAG;GACD,MAAM,OAAQ,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY;IACnE,OAAO,EAAE,QAAQ;IACjB,OAAO;IACP;IACD,CAAC;AAIF,SAAM,KAAK,GAAG,KAAK,MAAM;AACzB,YAAS,KAAK;WACP,WAAW;AACpB,SAAO;;CAGT,MAAM,6BAA6B,YAAuB;EACxD,MAAM,yBAAS,IAAI,KAAa;AAChC,OAAK,MAAM,UAAU,WAAW,EAAE,EAAE;GAClC,MAAM,OAAO,kBAAkB,OAAO;AACtC,OAAI,SAAS,KAAM;AACnB,QAAK,MAAM,SAAS,KAAK,OACvB,QAAO,IAAI,MAAM;;AAGrB,SAAO,MAAM,KAAK,OAAO,CAAC,MAAM;;CASlC,MAAM,aAAa,OAAO,oBAAoB;CAC9C,SAAS,MAAM,KAAoB;AACjC,MAAI,CAAC,IAAI,YACP,KAAI,cAAc;GAChB,uBAAO,IAAI,KAAK;GAChB,wBAAQ,IAAI,KAAK;GAClB;AAEH,SAAO,IAAI;;CAGb,MAAM,OAAO;EA8BX,IAAI,OACF,KACA,YAC2B;GAC3B,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,OAAI,aAAa,MAAM;IACrB,MAAM,CAAC,UAAU,SAAS,QAAQ,MAAM,wBAAwB;AAChE,WAAO;;AAET,OAAI,YAAY,UAAa,iBAAiB,OAAO,IAAI,aAAa;IACpE,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,QAAI,YAAY,WAAW,aAAa,EAAE;KACxC,MAAM,SAAS,WAAW,MAAM,EAAE;KAClC,MAAM,SAAS,MAAM,SAAS,CAAC,IAAI,OACjC,KACA,OACD;AACD,SAAI,OAAO,GACT,QAAO,OAAO;AAEhB,YAAO;;;AAGX,UAAO;;EAmBT,KAAK,OAAO,KAAuB,WAAmB;GACpD,MAAM,IAAI,MAAM,IAAI;AACpB,OAAI,EAAE,MAAM,IAAI,OAAO,CAAE,QAAO,EAAE,MAAM,IAAI,OAAO;GACnD,MAAM,SAAS,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,aAAa,EACrE,QACD,CAAC;AACF,KAAE,MAAM,IAAI,QAAQ,OAAO;AAC3B,UAAO;;EAyBT,MAAM,OACJ,KACA,OAMI,EAAE,KACH;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,UAAU,KAAK;;EAiBnE,QAAQ,OAAO,QAA8B;GAC3C,MAAM,SAAS,MAAM,KAAK,GAAG,IAAI;AACjC,OAAI,WAAW,KAAM,QAAO;AAC5B,UAAO,MAAM,KAAK,IAAI,KAAK,OAAO;;EAmBpC,QAAQ,OACN,KACA,QACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;IACvD;IACA;IACD,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAQ;;EAqBtC,gBAAgB,OACd,KACA,SACG;GACH,MAAM,MAAM,MAAM,KAAK,IAAI,KAAK,KAAK,OAAO;GAC5C,MAAM,iBACJ,QAAQ,QACR,IAAI,WAAW,QACf,OAAO,IAAI,WAAW,YACtB,CAAC,MAAM,QAAQ,IAAI,OAAO,GACtB,EAAE,GAAI,IAAI,QAAoC,GAC9C,EAAE;AACR,OAAI,KAAK,YAAY,MAAM;IACzB,MAAM,EAAE,iBAAiB,OAAO,GAAG,SAAS;AAC5C,UAAM,KAAK,OAAO,KAAK,KAAK,QAAQ,EAAE,QAAQ,MAAM,CAAC;AACrD,WAAO;KAAE,IAAI;KAAe,QAAQ,KAAK;KAAQ,SAAS;KAAM;;AAElE,SAAM,KAAK,OAAO,KAAK,KAAK,QAAQ,EAClC,QAAQ;IAAE,GAAG;IAAgB,iBAAiB,KAAK;IAAS,EAC7D,CAAC;AACF,UAAO;IAAE,IAAI;IAAe,QAAQ,KAAK;IAAQ,SAAS,KAAK;IAAS;;EAkB1E,gBAAgB,OACd,KACA,SAC2B;GAC3B,MAAM,MAAM,MAAM,KAAK,IAAI,KAAK,KAAK,OAAO;AAC5C,OACE,QAAQ,QACR,IAAI,WAAW,QACf,OAAO,IAAI,WAAW,YACtB,CAAC,MAAM,QAAQ,IAAI,OAAO,EAC1B;IACA,MAAM,MAAO,IAAI,OAAmC;AACpD,QAAI,OAAO,QAAQ,SAAU,QAAO;;AAEtC,UAAO;;EAcT,QAAQ,OACN,KACA,QACA,SACG;GACH,MAAM,UAAU,MAAM,YAAY;GAClC,MAAM,CAAC,UAAU,UAAU,MAAM,SAAS,UAAU,SAClD,MAAM,QAAQ,IAAI;IAChB,IAAI,SAAS,OAAO,UAAU,OAAO,mBAAmB,EACtD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,mBAAmB,EACtD,QACD,CAAC;IACF,kBAAkB,KAAK,OAAO;IAC9B,qBAAqB,KAAK,OAAO;IACjC,IAAI,SAAS,OAAO,UAAU,OAAO,qBAAqB,EACxD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,kBAAkB,EACrD,QACD,CAAC;IACH,CAAC;GACJ,MAAM,cACJ,SAAS,SACT,SAAS,SACT,KAAK,SACL,QAAQ,SACR,SAAS,SACT,MAAM;AACR,OAAI,CAAC,WAAW,cAAc,EAC5B,QAAO;IAAE,IAAI;IAAgB,MAAM;IAA+B;GAEpE,MAAM,YAAgC,EAAE;AACxC,QAAK,MAAM,KAAK,SACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EACrD,WAAW,EAAE,KACd,CAAC,CACH;AACH,QAAK,MAAM,KAAK,SACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EACrD,WAAW,EAAE,KACd,CAAC,CACH;AACH,QAAK,MAAM,KAAK,KACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW,EAAE,OAAO,EAAE,KAAK,CAAC,CACrE;AACH,QAAK,MAAM,KAAK,QACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EACpD,UAAU,EAAE,KACb,CAAC,CACH;AACH,QAAK,MAAM,KAAK,SACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EACrD,WAAW,EAAE,KACd,CAAC,CACH;AACH,QAAK,MAAM,KAAK,MACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,YAAY,EAClD,QAAQ,EAAE,KACX,CAAC,CACH;AACH,SAAM,QAAQ,IAAI,UAAU;AAC5B,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,YAAY,EAAE,QAAQ,CAAC;AACrE,UAAO;IAAE,IAAI;IAAe;IAAQ;;EAEvC;CAED,MAAM,UAAU;EAqBd,SAAS,OAAO,QAAwB;GACtC,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,OAAI,aAAa,KAAM,QAAO;GAC9B,MAAM,GAAG,aAAa,SAAS,QAAQ,MAAM,wBAAwB;AACrE,UAAO;;EA4BT,YAAY,OACV,KACA,SACG;AACH,SAAM,uBAAuB,KAAK,KAAK;AACvC,UAAO;IACL,IAAI;IACJ,QAAQ,KAAK;IACb,QAAQ,KAAK,UAAU,EAAE;IAC1B;;EAmBH,KAAK,OAAO,KAAuB,cAAsB;AACvD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,gBAAgB,EAChE,WACD,CAAC;;EAmBJ,MAAM,OAAO,KAAuB,SAA6B;AAC/D,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,mBAAmB,EACnE,QAAQ,KAAK,QACd,CAAC;;EAEL;CAED,MAAM,UAAU;EA+Bd,QAAQ,OACN,KACA,SACG;AAEH,UAAO;IAAE,IAAI;IAAe,GADZ,MAAM,iCAAiC,KAAK,KAAK;IACzB;;EA2B1C,KAAK,OACH,KACA,SACG;GACH,MAAM,SAAS,MAAM,mCAAmC,KAAK,KAAK;AAClE,OAAI,OAAO,WAAW,SACpB,QAAO;AAET,UAAO;;EAwBT,QAAQ,OACN,KACA,SACG;AACH,SAAM,kBAAkB,KAAK,KAAK;AAClC,UAAO;IAAE,IAAI;IAAe,WAAW,KAAK,QAAQ;IAAI;;EAwB1D,QAAQ,OAAO,KAAmB,cAAsB;GACtD,MAAM,MAAM,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,gBAAgB,EACrE,WACD,CAAC;AACF,OAAI,QAAQ,KACV,QAAO;IAAE,IAAI;IAAgB,MAAM;IAA8B;AAMnE,QAJqB,MAAM,IAAI,SAC7B,OAAO,UAAU,OAAO,mBACxB,EAAE,QAAS,IAAY,QAAQ,CAChC,EACe,UAAU,EACxB,QAAO;IAAE,IAAI;IAAgB,MAAM;IAA+B;AAEpE,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EAC3D,WACD,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAW;;EAsBzC,cAAc,OAAO,KAAuB,SAA6B;AACvE,UAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,qBACxB,KACD;;EAmBH,eAAe,OACb,KACA,WACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,mBAAmB;IAC/D;IACA,MAAM,EAAE,MAAM;IACf,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAW;;EAkBzC,eAAe,OAAO,KAAmB,cAAsB;AAC7D,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EAC3D,WACD,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAW;;EAmBzC,WAAW,OAAO,KAAuB,SAA6B;AACpE,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,kBAAkB,KAAK;;EAkB3E,YAAY,OAAO,KAAmB,WAAmB;AACvD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,YAAY,EAAE,QAAQ,CAAC;AACrE,UAAO;IAAE,IAAI;IAAe;IAAQ;;EAEvC;CAED,MAAM,WAAW,EAgCf,QAAQ,OACN,KACA,gBACA,SAIG;EACH,MAAM,SAAS,MAAM,WACnB,cAAc,CAAC,IAAI,EACnB,oBAAoB,eAAe,EACnC,MAIA;GAAE,gBAAgB;GAAO,qBAAqB;GAAM,CACrD;AACD,SAAO,OAAO,SAAS,aACnB,OAAO,aAAa,OAClB;GACE,QAAQ,OAAO,SAAS;GACxB,WAAW,OAAO,SAAS;GAC5B,GACD,OACF;IAEP;CAED,MAAM,QAAQ;EAkCZ,QAAQ,OACN,KACA,SAQ2C;AAK3C,UAAO;IAAE,IAAI;IAAM,SAJF,MAAM,IAAI,YACzB,OAAO,UAAU,OAAO,aACxB,KACD;IAC2B;;EAa9B,KAAK,OAAO,KAAuB,YAAoB;GACrD,MAAM,IAAI,MAAM,IAAI;AACpB,OAAI,EAAE,OAAO,IAAI,QAAQ,CAAE,QAAO,EAAE,OAAO,IAAI,QAAQ;GACvD,MAAM,SAAS,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,UAAU,EAClE,SACD,CAAC;AACF,KAAE,OAAO,IAAI,SAAS,OAAO;AAC7B,UAAO;;EAkCT,MAAM,OACJ,KACA,SAeG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW;IAC3D,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAqBJ,QAAQ,OACN,KACA,SACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,aAAa;IACzD;IACA;IACD,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAS;;EAevC,QAAQ,OAAO,KAAmB,YAAoB;AACpD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,aAAa,EAAE,SAAS,CAAC;AACvE,UAAO;IAAE,IAAI;IAAe;IAAS;;EAsBvC,WAAW,OACT,KACA,SACG;GACH,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,YAAY,GAAG,CAAC;GAC7D,MAAM,0BAAU,IAAI,KAAa;GACjC,MAAM,YAAmB,EAAE;GAC3B,IAAI,gBAAgB;GACpB,IAAI,kBAAkB;GACtB,IAAI,iBAAqC,KAAK;GAC9C,IAAI,QAAQ;GACZ,IAAI,UAAU;AACd,UAAO,mBAAmB,QAAW;AACnC,QAAI,QAAQ,UAAU;AACpB,uBAAkB;AAClB;;AAEF,QAAI,QAAQ,IAAI,eAAe,EAAE;AAC/B,qBAAgB;AAChB;;AAEF,YAAQ,IAAI,eAAe;IAC3B,MAAM,MAAM,MAAM,MAAM,IAAI,KAAK,eAAe;AAChD,QAAI,QAAQ,KAAM;AAClB,QAAI,SAAS;AACX,eAAU;AACV,SAAI,KAAK,YAAa,WAAU,KAAK,IAAI;AACzC,sBAAiB,IAAI;AACrB,cAAS;AACT;;AAEF,cAAU,KAAK,IAAI;AACnB,qBAAiB,IAAI;AACrB,aAAS;;AAEX,UAAO;IAAE;IAAW;IAAe;IAAiB;;EAEvD;CAED,MAAM,SAAS;EAyBb,QAAQ,OACN,KACA,SAOG;GACH,MAAM,aAAa,iBAAiB,KAAK,QAAQ;AACjD,OAAI,CAAC,WAAW,GACd,QAAO;IACL,IAAI;IACJ,MAAM;IACN,gBAAgB,WAAW;IAC5B;AAKH,UAAO;IAAE,IAAI;IAAe,UAJV,MAAM,IAAI,YAC1B,OAAO,UAAU,OAAO,WACxB;KAAE,GAAG;KAAM,SAAS,WAAW;KAAS,CACzC;IACqC;;EAgBxC,KAAK,OAAO,KAAuB,aAAqB;AACtD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW,EAC3D,UACD,CAAC;;EA2BJ,MAAM,OACJ,KACA,SAYG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY;IAC5D,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAcJ,QAAQ,OAAO,KAAmB,aAAqB;AACrD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EAAE,UAAU,CAAC;AACzE,UAAO;IAAE,IAAI;IAAe;IAAU;;EAmBxC,QAAQ,OACN,KACA,UACA,SACG;GACH,MAAM,WAAW,EAAE,GAAG,MAAM;AAC5B,OAAI,aAAa,UAAU;IACzB,MAAM,aAAa,iBACjB,MAAM,QAAQ,SAAS,QAAQ,GAC1B,SAAS,UACV,OACL;AACD,QAAI,CAAC,WAAW,GACd,QAAO;KACL,IAAI;KACJ,MAAM;KACN,gBAAgB,WAAW;KAC5B;AACH,aAAS,UAAU,WAAW;;AAEhC,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc;IAC1D;IACA,MAAM;IACP,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAU;;EAgDxC,SAAS,OACP,KACA,SAQG;GACH,MAAM,aAAa,iBAAiB,KAAK,QAAQ;AACjD,OAAI,CAAC,WAAW,GACd,QAAO;IACL,IAAI;IACJ,YAAY;IACZ,gBAAgB;IAChB,SAAS,EAAE;IACX,QAAQ,EAAE;IACV,eAAe,MAAM,KAAK,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC,CAAC;IACrD,OAAO;IACP,UAAU;IACV,aAAa;IACb,mBAAmB,EAAE;IACrB,MAAM;IACN,gBAAgB,WAAW;IAC5B;GACH,MAAM,mBAAmB,WAAW;GACpC,MAAM,aACJ,iBAAiB,SAAS,IAAI,IAAI,IAAI,iBAAiB,GAAG;GAC5D,MAAM,iBAAiB,MAAM,KAAK,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC,CAAC;GAC7D,MAAM,cAAc,KAAK,aAAa;GAEtC,IAAI,aAAkB;GACtB,IAAI,iBAAgC;GACpC,IAAI,QAAuB;GAC3B,IAAI,WAAW;GACf,IAAI,cAAc;GAClB,IAAI,oBAA8B,EAAE;AAEpC,OAAI,aAAa;IAEf,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,YAAY,GAAG,CAAC;IAC7D,MAAM,SAAS,MAAM,IAAI,SACvB,OAAO,UAAU,OAAO,eACxB;KACE,QAAQ,KAAK;KACb,SAAS,KAAK;KACd;KACA,UAAU;KACX,CACF;AACD,iBAAa,OAAO;AACpB,qBAAiB,OAAO;AACxB,YAAQ,OAAO;AACf,eAAW,OAAO;AAClB,kBAAc,OAAO;AACrB,wBAAoB,OAAO,qBAAqB,EAAE;UAC7C;IAEL,MAAM,MAAM,MAAM,IAAI,SACpB,OAAO,UAAU,OAAO,yBACxB;KAAE,QAAQ,KAAK;KAAQ,SAAS,KAAK;KAAS,CAC/C;AACD,iBAAa;AACb,qBAAiB,MAAM,KAAK,UAAU;AACtC,YAAQ,MAAM,IAAI;AAClB,eAAW,QAAQ;;AAGrB,OAAI,eAAe,KACjB,QAAO;IACL,IAAI;IACJ,YAAY;IACZ,gBAAgB;IAChB,SAAS,EAAE;IACX,QAAQ,EAAE;IACV,eAAe;IACf,OAAO;IACP,UAAU;IACV,aAAa;IACb;IACD;GAGH,MAAM,oBAAoB,WAAW,WAAW,EAAE;GAClD,MAAM,mBAAmB,0BAA0B,kBAAkB;AAGrE,OACE,eAAe,QACf,CAAC,kBAAkB,MAAM,WAAmB,WAAW,IAAI,OAAO,CAAC,CAEnE,QAAO;IACL,IAAI;IACJ,YAAY;IACZ,gBAAgB;IAChB,SAAS,EAAE;IACX,QAAQ,EAAE;IACV,eAAe;IACf,OAAO;IACP,UAAU;IACV,aAAa;IACb;IACD;GAGH,MAAM,gBAAgB,eAAe,QAClC,UAAU,CAAC,iBAAiB,SAAS,MAAM,CAC7C;AAED,UAAO;IACL,IAAI,cAAc,WAAW;IAC7B;IACA;IACA,SAAS;IACT,QAAQ;IACR;IACA;IACA;IACA;IACA;IACD;;EAEJ;CAED,MAAM,SAAS;EAqBb,QAAQ,OACN,KACA,SAQG;GACH,MAAM,aAAa,iBAAiB,KAAK,QAAQ;AACjD,OAAI,CAAC,WAAW,GACd,QAAO;IACL,IAAI;IACJ,MAAM;IACN,gBAAgB,WAAW;IAC5B;GACH,MAAM,QAAQ,qBACZ,mBACA,oBACD;GACD,MAAM,YAAY,MAAM,OAAO,MAAM;AAKrC,UAAO;IAAE,IAAI;IAAe,UAJV,MAAM,IAAI,YAC1B,OAAO,UAAU,OAAO,cACxB;KAAE,GAAG;KAAM,SAAS,WAAW;KAAS;KAAW,QAAQ;KAAW,CACvE;IACqC;IAAO;;EAqB/C,KAAK,OAAO,KAAuB,aAAqB;AACtD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW,EAC3D,UACD,CAAC;;EAEJ,OAAO;GAoBL,KAAK,OAAO,KAAuB,UAAkB;IACnD,MAAM,YAAY,MAAM,OAAO,MAAM;AACrC,WAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,sBACxB,EAAE,WAAW,CACd;;GAsBH,QAAQ,OACN,KACA,SACG;IACH,MAAM,YAAY,MAAM,OAAO,KAAK,MAAM;AAK1C,WAAO;KAAE,IAAI;KAAe,GAJb,MAAM,IAAI,YACvB,OAAO,UAAU,OAAO,qBACxB;MAAE;MAAW,kBAAkB,KAAK;MAAkB,CACvD;KACsC;;GAE1C;EAwBD,MAAM,OACJ,KACA,SAoBG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY;IAC5D,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAoBJ,QAAQ,OACN,KACA,UACA,qBACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc;IAC1D;IACA,GAAI,mBAAmB,EAAE,kBAAkB,GAAG,EAAE;IACjD,CAAC;AACF,UAAO;IACL,IAAI;IACJ;IACA,kBAAkB,oBAAoB;IACvC;;EAiBH,QAAQ,OAAO,KAAmB,aAAqB;AACrD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EAAE,UAAU,CAAC;AACzE,UAAO;IAAE,IAAI;IAAe;IAAU;;EAEzC;CAED,MAAM,MAAM;EAuBV,QAAQ,OACN,KACA,SAQyD;GACzD,MAAM,EAAE,KAAK,WAAW,kBAAkB,MAAM,eAAe,MAAM;AAWrE,UAAO;IAAE,IAAI;IAAM,OAVJ,MAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;KACtE,QAAQ,KAAK;KACb,QAAQ;KACR;KACA,MAAM,KAAK;KACX,QAAQ,KAAK;KACb,WAAW,KAAK;KAChB,WAAW,KAAK;KAChB,UAAU,KAAK;KAChB,CAAC;IACwB,QAAQ;IAAK;;EAwBzC,QAAQ,OACN,KACA,WAWG;GACH,MAAM,YAAY,MAAM,WAAW,OAAO;GAC1C,MAAM,MAAO,MAAM,IAAI,SACrB,OAAO,UAAU,OAAO,mBACxB,EAAE,WAAW,CACd;AACD,OAAI,CAAC,IACH,QAAO;IAAE,IAAI;IAAgB,MAAM;IAA4B;GAEjE,MAAM,IAAI;AACV,OAAI,EAAE,QACJ,QAAO;IAAE,IAAI;IAAgB,MAAM;IAA4B;AAEjE,OAAI,EAAE,aAAa,EAAE,YAAY,KAAK,KAAK,CACzC,QAAO;IAAE,IAAI;IAAgB,MAAM;IAA4B;GAEjE,MAAM,YAAqC,EAAE,YAAY,KAAK,KAAK,EAAE;AACrE,OAAI,EAAE,WAAW;IACf,MAAM,EAAE,SAAS,aAAa,kBAC5B,EAAE,WACF,EAAE,kBAAkB,OACrB;AACD,QAAI,QACF,QAAO;KAAE,IAAI;KAAgB,MAAM;KAAiC;AAEtE,cAAU,iBAAiB;;AAE7B,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IACtD,OAAO,EAAE;IACT,MAAM;IACP,CAAC;AACF,UAAO;IACL,IAAI;IACJ,QAAQ,EAAE;IACV,OAAO,EAAE;IACT,QAAQ,kBAAkB,EAAE,OAAO;IACpC;;EAuBH,MAAM,OACJ,KACA,SAiBG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,SAAS;IACzD,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAoBJ,KAAK,OACH,KACA,UACuD;GACvD,MAAM,MAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY,EAClE,OACD,CAAC;AACF,OAAI,CAAC,IAAK,QAAO,EAAE,IAAI,OAAgB;AACvC,UAAO;IAAE,IAAI;IAAe,KAAK;IAAK;;EAqBxC,QAAQ,OACN,KACA,OACA,SAKG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IAAE;IAAO;IAAM,CAAC;AACxE,UAAO;IAAE,IAAI;IAAe;IAAO;;EAkBrC,QAAQ,OAAO,KAAmB,UAAkB;AAClD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IACtD;IACA,MAAM,EAAE,SAAS,MAAM;IACxB,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAO;;EAkBrC,QAAQ,OAAO,KAAmB,UAAkB;AAClD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW,EAAE,OAAO,CAAC;AACnE,UAAO;IAAE,IAAI;IAAe;IAAO;;EAuBrC,QAAQ,OACN,KACA,OACA,SAIG;GACH,MAAM,WAAW,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY,EACtE,OACD,CAAC;AACF,OAAI,CAAC,SACH,QAAO;IAAE,IAAI;IAAgB,MAAM;IAA+B;AAEpE,OAAK,SAAiB,YAAY,KAChC,QAAO;IAAE,IAAI;IAAgB,MAAM;IAA4B;AAEjE,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IACtD;IACA,MAAM,EAAE,SAAS,MAAM;IACxB,CAAC;AACF,UAAO,MAAM,IAAI,OAAO,KAAK;IAC3B,QAAS,SAAiB;IAC1B,MAAM,MAAM,QAAS,SAAiB;IACtC,QAAS,SAAiB,UAAU,EAAE;IACtC,WAAY,SAAiB;IAC7B,WAAW,MAAM;IACjB,UAAW,SAAiB;IAC7B,CAAC;;EAEL;AAED,QAAO;EACL;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACD"}
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
import { AuthError } from "./authError.js";
|
|
2
|
+
import { errorMessage } from "./utils.js";
|
|
3
|
+
import { Fx } from "@robelest/fx";
|
|
4
|
+
|
|
5
|
+
//#region src/server/crypto.ts
|
|
6
|
+
/**
|
|
7
|
+
* Hash a secret using the provider's `crypto.hashSecret` function.
|
|
8
|
+
*
|
|
9
|
+
* Validates that the provider is a credentials provider and has the
|
|
10
|
+
* required crypto function, returning typed errors through the Fx channel.
|
|
11
|
+
*/
|
|
12
|
+
/** @internal */
|
|
13
|
+
const hash = (provider, secret) => Fx.gen(function* () {
|
|
14
|
+
if (provider.type !== "credentials") return yield* Fx.fail(new AuthError("INVALID_CREDENTIALS_PROVIDER", `Provider ${provider.id} is not a credentials provider`));
|
|
15
|
+
const hashSecretFn = provider.crypto?.hashSecret;
|
|
16
|
+
if (!hashSecretFn) return yield* Fx.fail(new AuthError("MISSING_CRYPTO_FUNCTION", `Provider ${provider.id} does not have a \`crypto.hashSecret\` function`));
|
|
17
|
+
return yield* Fx.from({
|
|
18
|
+
ok: () => hashSecretFn(secret),
|
|
19
|
+
err: (e) => new AuthError("INTERNAL_ERROR", `Hash failed: ${errorMessage(e)}`)
|
|
20
|
+
});
|
|
21
|
+
});
|
|
22
|
+
/**
|
|
23
|
+
* Verify a secret against a hash using the provider's `crypto.verifySecret` function.
|
|
24
|
+
*/
|
|
25
|
+
/** @internal */
|
|
26
|
+
const verify = (provider, secret, hashValue) => Fx.gen(function* () {
|
|
27
|
+
if (provider.type !== "credentials") return yield* Fx.fail(new AuthError("INVALID_CREDENTIALS_PROVIDER", `Provider ${provider.id} is not a credentials provider`));
|
|
28
|
+
const verifySecretFn = provider.crypto?.verifySecret;
|
|
29
|
+
if (!verifySecretFn) return yield* Fx.fail(new AuthError("MISSING_CRYPTO_FUNCTION", `Provider ${provider.id} does not have a \`crypto.verifySecret\` function`));
|
|
30
|
+
return yield* Fx.from({
|
|
31
|
+
ok: () => verifySecretFn(secret, hashValue),
|
|
32
|
+
err: (e) => new AuthError("INTERNAL_ERROR", `Verify failed: ${errorMessage(e)}`)
|
|
33
|
+
});
|
|
34
|
+
});
|
|
35
|
+
|
|
36
|
+
//#endregion
|
|
37
|
+
export { hash, verify };
|
|
38
|
+
//# sourceMappingURL=crypto.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"crypto.js","names":[],"sources":["../../../src/server/crypto.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./authError\";\nimport { AuthProviderMaterializedConfig } from \"./types\";\nimport { ConvexAuthMaterializedConfig } from \"./types\";\nimport { errorMessage } from \"./utils\";\n\n/**\n * Hash a secret using the provider's `crypto.hashSecret` function.\n *\n * Validates that the provider is a credentials provider and has the\n * required crypto function, returning typed errors through the Fx channel.\n */\n/** @internal */\nexport const hash = (provider: any, secret: string): Fx<string, AuthError> =>\n Fx.gen(function* () {\n if (provider.type !== \"credentials\") {\n return yield* Fx.fail(\n new AuthError(\n \"INVALID_CREDENTIALS_PROVIDER\",\n `Provider ${provider.id} is not a credentials provider`,\n ),\n );\n }\n\n const hashSecretFn = provider.crypto?.hashSecret as\n | ((s: string) => Promise<string>)\n | undefined;\n if (!hashSecretFn) {\n return yield* Fx.fail(\n new AuthError(\n \"MISSING_CRYPTO_FUNCTION\",\n `Provider ${provider.id} does not have a \\`crypto.hashSecret\\` function`,\n ),\n );\n }\n\n return yield* Fx.from({\n ok: () => hashSecretFn(secret),\n err: (e) =>\n new AuthError(\"INTERNAL_ERROR\", `Hash failed: ${errorMessage(e)}`),\n });\n });\n\n/**\n * Verify a secret against a hash using the provider's `crypto.verifySecret` function.\n */\n/** @internal */\nexport const verify = (\n provider: AuthProviderMaterializedConfig,\n secret: string,\n hashValue: string,\n): Fx<boolean, AuthError> =>\n Fx.gen(function* () {\n if (provider.type !== \"credentials\") {\n return yield* Fx.fail(\n new AuthError(\n \"INVALID_CREDENTIALS_PROVIDER\",\n `Provider ${provider.id} is not a credentials provider`,\n ),\n );\n }\n\n const verifySecretFn = (provider as any).crypto?.verifySecret as\n | ((s: string, h: string) => Promise<boolean>)\n | undefined;\n if (!verifySecretFn) {\n return yield* Fx.fail(\n new AuthError(\n \"MISSING_CRYPTO_FUNCTION\",\n `Provider ${provider.id} does not have a \\`crypto.verifySecret\\` function`,\n ),\n );\n }\n\n return yield* Fx.from({\n ok: () => verifySecretFn(secret, hashValue),\n err: (e) =>\n new AuthError(\"INTERNAL_ERROR\", `Verify failed: ${errorMessage(e)}`),\n });\n });\n\nexport type GetProviderOrThrowFunc = (\n provider: string,\n allowExtraProviders?: boolean,\n) => AuthProviderMaterializedConfig;\n\nexport type Config = ConvexAuthMaterializedConfig;\n"],"mappings":";;;;;;;;;;;;AAcA,MAAa,QAAQ,UAAe,WAClC,GAAG,IAAI,aAAa;AAClB,KAAI,SAAS,SAAS,cACpB,QAAO,OAAO,GAAG,KACf,IAAI,UACF,gCACA,YAAY,SAAS,GAAG,gCACzB,CACF;CAGH,MAAM,eAAe,SAAS,QAAQ;AAGtC,KAAI,CAAC,aACH,QAAO,OAAO,GAAG,KACf,IAAI,UACF,2BACA,YAAY,SAAS,GAAG,iDACzB,CACF;AAGH,QAAO,OAAO,GAAG,KAAK;EACpB,UAAU,aAAa,OAAO;EAC9B,MAAM,MACJ,IAAI,UAAU,kBAAkB,gBAAgB,aAAa,EAAE,GAAG;EACrE,CAAC;EACF;;;;;AAMJ,MAAa,UACX,UACA,QACA,cAEA,GAAG,IAAI,aAAa;AAClB,KAAI,SAAS,SAAS,cACpB,QAAO,OAAO,GAAG,KACf,IAAI,UACF,gCACA,YAAY,SAAS,GAAG,gCACzB,CACF;CAGH,MAAM,iBAAkB,SAAiB,QAAQ;AAGjD,KAAI,CAAC,eACH,QAAO,OAAO,GAAG,KACf,IAAI,UACF,2BACA,YAAY,SAAS,GAAG,mDACzB,CACF;AAGH,QAAO,OAAO,GAAG,KAAK;EACpB,UAAU,eAAe,QAAQ,UAAU;EAC3C,MAAM,MACJ,IAAI,UAAU,kBAAkB,kBAAkB,aAAa,EAAE,GAAG;EACvE,CAAC;EACF"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"db.js","names":[],"sources":["../../../src/server/db.ts"],"sourcesContent":["import {\n GenericActionCtx,\n GenericDataModel,\n GenericMutationCtx,\n FunctionReference,\n} from \"convex/server\";\n\ntype MutationCtxLike = Pick<\n GenericMutationCtx<GenericDataModel>,\n \"runQuery\" | \"runMutation\"\n>;\ntype ActionCtxLike = Pick<\n GenericActionCtx<GenericDataModel>,\n \"runQuery\" | \"runMutation\" | \"runAction\"\n>;\n\ntype CtxLike = MutationCtxLike | ActionCtxLike;\n\ntype AuthComponentApiLike = {\n public: {\n userGetById: FunctionReference<\"query\", \"internal\">;\n userFindByVerifiedEmail: FunctionReference<\"query\", \"internal\">;\n userFindByVerifiedPhone: FunctionReference<\"query\", \"internal\">;\n userInsert: FunctionReference<\"mutation\", \"internal\">;\n userPatch: FunctionReference<\"mutation\", \"internal\">;\n userUpsert: FunctionReference<\"mutation\", \"internal\">;\n accountGet: FunctionReference<\"query\", \"internal\">;\n accountGetById: FunctionReference<\"query\", \"internal\">;\n accountInsert: FunctionReference<\"mutation\", \"internal\">;\n accountPatch: FunctionReference<\"mutation\", \"internal\">;\n accountDelete: FunctionReference<\"mutation\", \"internal\">;\n sessionCreate: FunctionReference<\"mutation\", \"internal\">;\n sessionGetById: FunctionReference<\"query\", \"internal\">;\n sessionDelete: FunctionReference<\"mutation\", \"internal\">;\n sessionListByUser: FunctionReference<\"query\", \"internal\">;\n verifierCreate: FunctionReference<\"mutation\", \"internal\">;\n verifierGetById: FunctionReference<\"query\", \"internal\">;\n verifierGetBySignature: FunctionReference<\"query\", \"internal\">;\n verifierPatch: FunctionReference<\"mutation\", \"internal\">;\n verifierDelete: FunctionReference<\"mutation\", \"internal\">;\n verificationCodeGetByAccountId: FunctionReference<\"query\", \"internal\">;\n verificationCodeGetByCode: FunctionReference<\"query\", \"internal\">;\n verificationCodeCreate: FunctionReference<\"mutation\", \"internal\">;\n verificationCodeDelete: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenCreate: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenGetById: FunctionReference<\"query\", \"internal\">;\n refreshTokenPatch: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenGetChildren: FunctionReference<\"query\", \"internal\">;\n refreshTokenListBySession: FunctionReference<\"query\", \"internal\">;\n refreshTokenDeleteAll: FunctionReference<\"mutation\", \"internal\">;\n refreshTokenGetActive: FunctionReference<\"query\", \"internal\">;\n rateLimitGet: FunctionReference<\"query\", \"internal\">;\n rateLimitCreate: FunctionReference<\"mutation\", \"internal\">;\n rateLimitPatch: FunctionReference<\"mutation\", \"internal\">;\n rateLimitDelete: FunctionReference<\"mutation\", \"internal\">;\n };\n};\n\n/** @internal */\nexport type AuthDbConfig = { component: AuthComponentApiLike };\n\n/** @internal */\nexport type AuthDb = ReturnType<typeof authDb>;\n\n/** @internal */\nexport function authDb(ctx: CtxLike, config: AuthDbConfig) {\n const component = config.component;\n return {\n users: {\n getById: (userId: string) =>\n ctx.runQuery(component.public.userGetById, { userId }),\n findByVerifiedEmail: (email: string) =>\n ctx.runQuery(component.public.userFindByVerifiedEmail, { email }),\n findByVerifiedPhone: (phone: string) =>\n ctx.runQuery(component.public.userFindByVerifiedPhone, { phone }),\n insert: (data: Record<string, unknown>) =>\n ctx.runMutation(component.public.userInsert, {\n data,\n }) as Promise<string>,\n patch: (userId: string, data: Record<string, unknown>) =>\n ctx.runMutation(component.public.userPatch, { userId, data }),\n upsert: (userId: string | undefined, data: Record<string, unknown>) =>\n ctx.runMutation(component.public.userUpsert, {\n userId,\n data,\n }) as Promise<string>,\n },\n accounts: {\n get: (provider: string, providerAccountId: string) =>\n ctx.runQuery(component.public.accountGet, {\n provider,\n providerAccountId,\n }),\n getById: (accountId: string) =>\n ctx.runQuery(component.public.accountGetById, { accountId }),\n create: (args: {\n userId: string;\n provider: string;\n providerAccountId: string;\n secret?: string;\n extend?: Record<string, unknown>;\n }) =>\n ctx.runMutation(\n component.public.accountInsert,\n args,\n ) as Promise<string>,\n patch: (accountId: string, data: Record<string, unknown>) =>\n ctx.runMutation(component.public.accountPatch, { accountId, data }),\n delete: (accountId: string) =>\n ctx.runMutation(component.public.accountDelete, { accountId }),\n },\n sessions: {\n create: (userId: string, expirationTime: number) =>\n ctx.runMutation(component.public.sessionCreate, {\n userId,\n expirationTime,\n }) as Promise<string>,\n getById: (sessionId: string) =>\n ctx.runQuery(component.public.sessionGetById, { sessionId }),\n delete: (sessionId: string) =>\n ctx.runMutation(component.public.sessionDelete, { sessionId }),\n listByUser: (userId: string) =>\n ctx.runQuery(component.public.sessionListByUser, { userId }),\n },\n verifiers: {\n create: (sessionId?: string) =>\n ctx.runMutation(component.public.verifierCreate, {\n sessionId,\n }) as Promise<string>,\n getById: (verifierId: string) =>\n ctx.runQuery(component.public.verifierGetById, { verifierId }),\n getBySignature: (signature: string) =>\n ctx.runQuery(component.public.verifierGetBySignature, { signature }),\n patch: (verifierId: string, data: Record<string, unknown>) =>\n ctx.runMutation(component.public.verifierPatch, { verifierId, data }),\n delete: (verifierId: string) =>\n ctx.runMutation(component.public.verifierDelete, { verifierId }),\n },\n verificationCodes: {\n getByAccountId: (accountId: string) =>\n ctx.runQuery(component.public.verificationCodeGetByAccountId, {\n accountId,\n }),\n getByCode: (code: string) =>\n ctx.runQuery(component.public.verificationCodeGetByCode, { code }),\n create: (args: {\n accountId: string;\n provider: string;\n code: string;\n expirationTime: number;\n verifier?: string;\n emailVerified?: string;\n phoneVerified?: string;\n }) => ctx.runMutation(component.public.verificationCodeCreate, args),\n delete: (verificationCodeId: string) =>\n ctx.runMutation(component.public.verificationCodeDelete, {\n verificationCodeId,\n }),\n },\n refreshTokens: {\n create: (args: {\n sessionId: string;\n expirationTime: number;\n parentRefreshTokenId?: string;\n }) =>\n ctx.runMutation(\n component.public.refreshTokenCreate,\n args,\n ) as Promise<string>,\n getById: (refreshTokenId: string) =>\n ctx.runQuery(component.public.refreshTokenGetById, { refreshTokenId }),\n patch: (refreshTokenId: string, data: Record<string, unknown>) =>\n ctx.runMutation(component.public.refreshTokenPatch, {\n refreshTokenId,\n data,\n }),\n getChildren: (sessionId: string, parentRefreshTokenId: string) =>\n ctx.runQuery(component.public.refreshTokenGetChildren, {\n sessionId,\n parentRefreshTokenId,\n }),\n listBySession: (sessionId: string) =>\n ctx.runQuery(component.public.refreshTokenListBySession, { sessionId }),\n deleteAll: (sessionId: string) =>\n ctx.runMutation(component.public.refreshTokenDeleteAll, { sessionId }),\n getActive: (sessionId: string) =>\n ctx.runQuery(component.public.refreshTokenGetActive, { sessionId }),\n },\n rateLimits: {\n get: (identifier: string) =>\n ctx.runQuery(component.public.rateLimitGet, { identifier }),\n create: (args: {\n identifier: string;\n attemptsLeft: number;\n lastAttemptTime: number;\n }) => ctx.runMutation(component.public.rateLimitCreate, args),\n patch: (rateLimitId: string, data: Record<string, unknown>) =>\n ctx.runMutation(component.public.rateLimitPatch, { rateLimitId, data }),\n delete: (rateLimitId: string) =>\n ctx.runMutation(component.public.rateLimitDelete, { rateLimitId }),\n },\n };\n}\n"],"mappings":";;AAiEA,SAAgB,OAAO,KAAc,QAAsB;CACzD,MAAM,YAAY,OAAO;AACzB,QAAO;EACL,OAAO;GACL,UAAU,WACR,IAAI,SAAS,UAAU,OAAO,aAAa,EAAE,QAAQ,CAAC;GACxD,sBAAsB,UACpB,IAAI,SAAS,UAAU,OAAO,yBAAyB,EAAE,OAAO,CAAC;GACnE,sBAAsB,UACpB,IAAI,SAAS,UAAU,OAAO,yBAAyB,EAAE,OAAO,CAAC;GACnE,SAAS,SACP,IAAI,YAAY,UAAU,OAAO,YAAY,EAC3C,MACD,CAAC;GACJ,QAAQ,QAAgB,SACtB,IAAI,YAAY,UAAU,OAAO,WAAW;IAAE;IAAQ;IAAM,CAAC;GAC/D,SAAS,QAA4B,SACnC,IAAI,YAAY,UAAU,OAAO,YAAY;IAC3C;IACA;IACD,CAAC;GACL;EACD,UAAU;GACR,MAAM,UAAkB,sBACtB,IAAI,SAAS,UAAU,OAAO,YAAY;IACxC;IACA;IACD,CAAC;GACJ,UAAU,cACR,IAAI,SAAS,UAAU,OAAO,gBAAgB,EAAE,WAAW,CAAC;GAC9D,SAAS,SAOP,IAAI,YACF,UAAU,OAAO,eACjB,KACD;GACH,QAAQ,WAAmB,SACzB,IAAI,YAAY,UAAU,OAAO,cAAc;IAAE;IAAW;IAAM,CAAC;GACrE,SAAS,cACP,IAAI,YAAY,UAAU,OAAO,eAAe,EAAE,WAAW,CAAC;GACjE;EACD,UAAU;GACR,SAAS,QAAgB,mBACvB,IAAI,YAAY,UAAU,OAAO,eAAe;IAC9C;IACA;IACD,CAAC;GACJ,UAAU,cACR,IAAI,SAAS,UAAU,OAAO,gBAAgB,EAAE,WAAW,CAAC;GAC9D,SAAS,cACP,IAAI,YAAY,UAAU,OAAO,eAAe,EAAE,WAAW,CAAC;GAChE,aAAa,WACX,IAAI,SAAS,UAAU,OAAO,mBAAmB,EAAE,QAAQ,CAAC;GAC/D;EACD,WAAW;GACT,SAAS,cACP,IAAI,YAAY,UAAU,OAAO,gBAAgB,EAC/C,WACD,CAAC;GACJ,UAAU,eACR,IAAI,SAAS,UAAU,OAAO,iBAAiB,EAAE,YAAY,CAAC;GAChE,iBAAiB,cACf,IAAI,SAAS,UAAU,OAAO,wBAAwB,EAAE,WAAW,CAAC;GACtE,QAAQ,YAAoB,SAC1B,IAAI,YAAY,UAAU,OAAO,eAAe;IAAE;IAAY;IAAM,CAAC;GACvE,SAAS,eACP,IAAI,YAAY,UAAU,OAAO,gBAAgB,EAAE,YAAY,CAAC;GACnE;EACD,mBAAmB;GACjB,iBAAiB,cACf,IAAI,SAAS,UAAU,OAAO,gCAAgC,EAC5D,WACD,CAAC;GACJ,YAAY,SACV,IAAI,SAAS,UAAU,OAAO,2BAA2B,EAAE,MAAM,CAAC;GACpE,SAAS,SAQH,IAAI,YAAY,UAAU,OAAO,wBAAwB,KAAK;GACpE,SAAS,uBACP,IAAI,YAAY,UAAU,OAAO,wBAAwB,EACvD,oBACD,CAAC;GACL;EACD,eAAe;GACb,SAAS,SAKP,IAAI,YACF,UAAU,OAAO,oBACjB,KACD;GACH,UAAU,mBACR,IAAI,SAAS,UAAU,OAAO,qBAAqB,EAAE,gBAAgB,CAAC;GACxE,QAAQ,gBAAwB,SAC9B,IAAI,YAAY,UAAU,OAAO,mBAAmB;IAClD;IACA;IACD,CAAC;GACJ,cAAc,WAAmB,yBAC/B,IAAI,SAAS,UAAU,OAAO,yBAAyB;IACrD;IACA;IACD,CAAC;GACJ,gBAAgB,cACd,IAAI,SAAS,UAAU,OAAO,2BAA2B,EAAE,WAAW,CAAC;GACzE,YAAY,cACV,IAAI,YAAY,UAAU,OAAO,uBAAuB,EAAE,WAAW,CAAC;GACxE,YAAY,cACV,IAAI,SAAS,UAAU,OAAO,uBAAuB,EAAE,WAAW,CAAC;GACtE;EACD,YAAY;GACV,MAAM,eACJ,IAAI,SAAS,UAAU,OAAO,cAAc,EAAE,YAAY,CAAC;GAC7D,SAAS,SAIH,IAAI,YAAY,UAAU,OAAO,iBAAiB,KAAK;GAC7D,QAAQ,aAAqB,SAC3B,IAAI,YAAY,UAAU,OAAO,gBAAgB;IAAE;IAAa;IAAM,CAAC;GACzE,SAAS,gBACP,IAAI,YAAY,UAAU,OAAO,iBAAiB,EAAE,aAAa,CAAC;GACrE;EACF"}
|
|
@@ -0,0 +1,109 @@
|
|
|
1
|
+
import { AuthError } from "./authError.js";
|
|
2
|
+
import { generateRandomString, requireEnv, sha256 } from "./utils.js";
|
|
3
|
+
import { userIdFromIdentitySubject } from "./identity.js";
|
|
4
|
+
import { callSignIn } from "./mutations/signin.js";
|
|
5
|
+
import { mutateDeviceAuthorize, mutateDeviceDelete, mutateDeviceInsert, mutateDeviceUpdateLastPolled, queryDeviceByCodeHash, queryDeviceByUserCode } from "./types.js";
|
|
6
|
+
import { Fx } from "@robelest/fx";
|
|
7
|
+
|
|
8
|
+
//#region src/server/device.ts
|
|
9
|
+
/**
|
|
10
|
+
* Server-side device authorization flow logic (RFC 8628).
|
|
11
|
+
*
|
|
12
|
+
* Handles the three phases of the device flow:
|
|
13
|
+
* 1. (default) — Generate a device code + user code pair
|
|
14
|
+
* 2. poll — Device checks whether the user has authorized yet
|
|
15
|
+
* 3. verify — Authenticated user links a user code to their session
|
|
16
|
+
*
|
|
17
|
+
* Uses `@oslojs/crypto/random` for code generation and
|
|
18
|
+
* `@oslojs/crypto/sha2` for hashing device codes before storage.
|
|
19
|
+
*/
|
|
20
|
+
const DEVICE_CODE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
|
|
21
|
+
const DEVICE_CODE_LENGTH = 40;
|
|
22
|
+
const DEVICE_FLOWS = [
|
|
23
|
+
"create",
|
|
24
|
+
"poll",
|
|
25
|
+
"verify"
|
|
26
|
+
];
|
|
27
|
+
/** @internal */
|
|
28
|
+
const handleDevice = (ctx, provider, args) => Fx.from({
|
|
29
|
+
ok: async () => {
|
|
30
|
+
const params = args.params ?? {};
|
|
31
|
+
const flow = typeof params.flow === "string" ? params.flow : "create";
|
|
32
|
+
if (!DEVICE_FLOWS.some((candidate) => candidate === flow)) throw new AuthError("DEVICE_MISSING_FLOW", "Missing `flow` parameter. Expected one of: create, poll, verify");
|
|
33
|
+
if (flow === "create") {
|
|
34
|
+
const deviceCode = generateRandomString(DEVICE_CODE_LENGTH, DEVICE_CODE_ALPHABET);
|
|
35
|
+
const deviceCodeHash = await sha256(deviceCode);
|
|
36
|
+
const rawUserCode = generateRandomString(provider.userCodeLength, provider.charset);
|
|
37
|
+
const mid = Math.floor(rawUserCode.length / 2);
|
|
38
|
+
const userCode = rawUserCode.slice(0, mid) + "-" + rawUserCode.slice(mid);
|
|
39
|
+
await mutateDeviceInsert(ctx, {
|
|
40
|
+
deviceCodeHash,
|
|
41
|
+
userCode,
|
|
42
|
+
expiresAt: Date.now() + provider.expiresIn * 1e3,
|
|
43
|
+
interval: provider.interval,
|
|
44
|
+
status: "pending"
|
|
45
|
+
});
|
|
46
|
+
const verificationUri = provider.verificationUri ?? `${process.env.SITE_URL ?? requireEnv("SITE_URL")}/device`;
|
|
47
|
+
return {
|
|
48
|
+
kind: "deviceCode",
|
|
49
|
+
deviceCode,
|
|
50
|
+
userCode,
|
|
51
|
+
verificationUri,
|
|
52
|
+
verificationUriComplete: `${verificationUri}?user_code=${encodeURIComponent(userCode)}`,
|
|
53
|
+
expiresIn: provider.expiresIn,
|
|
54
|
+
interval: provider.interval
|
|
55
|
+
};
|
|
56
|
+
}
|
|
57
|
+
if (flow === "poll") {
|
|
58
|
+
if (typeof params.deviceCode !== "string") throw new AuthError("DEVICE_MISSING_FLOW", "Missing `deviceCode` parameter for poll flow.");
|
|
59
|
+
const doc$1 = await queryDeviceByCodeHash(ctx, await sha256(params.deviceCode));
|
|
60
|
+
if (doc$1 === null) throw new AuthError("DEVICE_CODE_EXPIRED");
|
|
61
|
+
if (Date.now() > doc$1.expiresAt) {
|
|
62
|
+
await mutateDeviceDelete(ctx, doc$1._id);
|
|
63
|
+
throw new AuthError("DEVICE_CODE_EXPIRED");
|
|
64
|
+
}
|
|
65
|
+
if (doc$1.lastPolledAt !== void 0 && (Date.now() - doc$1.lastPolledAt) / 1e3 < doc$1.interval) throw new AuthError("DEVICE_SLOW_DOWN");
|
|
66
|
+
await mutateDeviceUpdateLastPolled(ctx, doc$1._id, Date.now());
|
|
67
|
+
if (doc$1.status === "pending") throw new AuthError("DEVICE_AUTHORIZATION_PENDING");
|
|
68
|
+
if (doc$1.status === "denied") {
|
|
69
|
+
await mutateDeviceDelete(ctx, doc$1._id);
|
|
70
|
+
throw new AuthError("DEVICE_CODE_DENIED");
|
|
71
|
+
}
|
|
72
|
+
if (!doc$1.userId || !doc$1.sessionId) throw new AuthError("INTERNAL_ERROR", "Authorized device code missing userId or sessionId");
|
|
73
|
+
await mutateDeviceDelete(ctx, doc$1._id);
|
|
74
|
+
return {
|
|
75
|
+
kind: "signedIn",
|
|
76
|
+
signedIn: await callSignIn(ctx, {
|
|
77
|
+
userId: doc$1.userId,
|
|
78
|
+
sessionId: doc$1.sessionId,
|
|
79
|
+
generateTokens: true
|
|
80
|
+
})
|
|
81
|
+
};
|
|
82
|
+
}
|
|
83
|
+
if (typeof params.userCode !== "string") throw new AuthError("DEVICE_INVALID_USER_CODE", "Missing `userCode` parameter for verify flow.");
|
|
84
|
+
const identity = await ctx.auth.getUserIdentity();
|
|
85
|
+
if (identity === null) throw new AuthError("NOT_SIGNED_IN", "You must be signed in to authorize a device.");
|
|
86
|
+
const userId = userIdFromIdentitySubject(identity.subject);
|
|
87
|
+
const doc = await queryDeviceByUserCode(ctx, params.userCode);
|
|
88
|
+
if (doc === null) throw new AuthError("DEVICE_INVALID_USER_CODE");
|
|
89
|
+
if (Date.now() > doc.expiresAt) {
|
|
90
|
+
await mutateDeviceDelete(ctx, doc._id);
|
|
91
|
+
throw new AuthError("DEVICE_CODE_EXPIRED");
|
|
92
|
+
}
|
|
93
|
+
if (doc.status !== "pending") throw new AuthError("DEVICE_ALREADY_AUTHORIZED");
|
|
94
|
+
const signInResult = await callSignIn(ctx, {
|
|
95
|
+
userId,
|
|
96
|
+
generateTokens: false
|
|
97
|
+
});
|
|
98
|
+
await mutateDeviceAuthorize(ctx, doc._id, signInResult.userId, signInResult.sessionId);
|
|
99
|
+
return {
|
|
100
|
+
kind: "signedIn",
|
|
101
|
+
signedIn: null
|
|
102
|
+
};
|
|
103
|
+
},
|
|
104
|
+
err: (e) => e instanceof AuthError ? e : new AuthError("INTERNAL_ERROR", `Device flow failed: ${String(e)}`)
|
|
105
|
+
});
|
|
106
|
+
|
|
107
|
+
//#endregion
|
|
108
|
+
export { handleDevice };
|
|
109
|
+
//# sourceMappingURL=device.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"device.js","names":["doc"],"sources":["../../../src/server/device.ts"],"sourcesContent":["/**\n * Server-side device authorization flow logic (RFC 8628).\n *\n * Handles the three phases of the device flow:\n * 1. (default) — Generate a device code + user code pair\n * 2. poll — Device checks whether the user has authorized yet\n * 3. verify — Authenticated user links a user code to their session\n *\n * Uses `@oslojs/crypto/random` for code generation and\n * `@oslojs/crypto/sha2` for hashing device codes before storage.\n */\n\nimport { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./authError\";\nimport { userIdFromIdentitySubject } from \"./identity\";\nimport { callSignIn } from \"./mutations/index\";\nimport { DeviceProviderConfig, GenericActionCtxWithAuthConfig } from \"./types\";\nimport {\n AuthDataModel,\n SessionInfo,\n mutateDeviceInsert,\n queryDeviceByCodeHash,\n queryDeviceByUserCode,\n mutateDeviceAuthorize,\n mutateDeviceUpdateLastPolled,\n mutateDeviceDelete,\n} from \"./types\";\nimport { generateRandomString, sha256 } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n// ============================================================================\n// Constants\n// ============================================================================\n\nconst DEVICE_CODE_ALPHABET =\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\";\nconst DEVICE_CODE_LENGTH = 40;\nconst DEVICE_FLOWS = [\"create\", \"poll\", \"verify\"] as const;\n\n// ============================================================================\n// Create flow\n// ============================================================================\n\n// ============================================================================\n// Poll flow — pipeline of validations + status dispatch\n// ============================================================================\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\ntype DeviceResult =\n | {\n kind: \"deviceCode\";\n deviceCode: string;\n userCode: string;\n verificationUri: string;\n verificationUriComplete: string;\n expiresIn: number;\n interval: number;\n }\n | { kind: \"signedIn\"; signedIn: SessionInfo | null };\n\n/** @internal */\nexport const handleDevice = (\n ctx: EnrichedActionCtx,\n provider: DeviceProviderConfig,\n args: { params?: Record<string, any> },\n): Fx<DeviceResult, AuthError> =>\n Fx.from({\n ok: async () => {\n const params = (args.params ?? {}) as Record<string, unknown>;\n const flow = (typeof params.flow === \"string\" ? params.flow : \"create\") as\n | \"create\"\n | \"poll\"\n | \"verify\";\n\n if (!DEVICE_FLOWS.some((candidate) => candidate === flow)) {\n throw new AuthError(\n \"DEVICE_MISSING_FLOW\",\n \"Missing `flow` parameter. Expected one of: create, poll, verify\",\n );\n }\n\n if (flow === \"create\") {\n const deviceCode = generateRandomString(\n DEVICE_CODE_LENGTH,\n DEVICE_CODE_ALPHABET,\n );\n const deviceCodeHash = await sha256(deviceCode);\n\n const rawUserCode = generateRandomString(\n provider.userCodeLength,\n provider.charset,\n );\n const mid = Math.floor(rawUserCode.length / 2);\n const userCode =\n rawUserCode.slice(0, mid) + \"-\" + rawUserCode.slice(mid);\n\n const expiresAt = Date.now() + provider.expiresIn * 1000;\n await mutateDeviceInsert(ctx, {\n deviceCodeHash,\n userCode,\n expiresAt,\n interval: provider.interval,\n status: \"pending\",\n });\n\n const verificationUri =\n provider.verificationUri ??\n `${process.env.SITE_URL ?? requireEnv(\"SITE_URL\")}/device`;\n\n return {\n kind: \"deviceCode\" as const,\n deviceCode,\n userCode,\n verificationUri,\n verificationUriComplete: `${verificationUri}?user_code=${encodeURIComponent(userCode)}`,\n expiresIn: provider.expiresIn,\n interval: provider.interval,\n };\n }\n\n if (flow === \"poll\") {\n if (typeof params.deviceCode !== \"string\") {\n throw new AuthError(\n \"DEVICE_MISSING_FLOW\",\n \"Missing `deviceCode` parameter for poll flow.\",\n );\n }\n\n const hash = await sha256(params.deviceCode);\n const doc = await queryDeviceByCodeHash(ctx, hash);\n if (doc === null) {\n throw new AuthError(\"DEVICE_CODE_EXPIRED\");\n }\n if (Date.now() > doc.expiresAt) {\n await mutateDeviceDelete(ctx, doc._id);\n throw new AuthError(\"DEVICE_CODE_EXPIRED\");\n }\n if (\n doc.lastPolledAt !== undefined &&\n (Date.now() - doc.lastPolledAt) / 1000 < doc.interval\n ) {\n throw new AuthError(\"DEVICE_SLOW_DOWN\");\n }\n\n await mutateDeviceUpdateLastPolled(ctx, doc._id, Date.now());\n\n if (doc.status === \"pending\") {\n throw new AuthError(\"DEVICE_AUTHORIZATION_PENDING\");\n }\n if (doc.status === \"denied\") {\n await mutateDeviceDelete(ctx, doc._id);\n throw new AuthError(\"DEVICE_CODE_DENIED\");\n }\n\n if (!doc.userId || !doc.sessionId) {\n throw new AuthError(\n \"INTERNAL_ERROR\",\n \"Authorized device code missing userId or sessionId\",\n );\n }\n\n await mutateDeviceDelete(ctx, doc._id);\n const signInResult = await callSignIn(ctx, {\n userId: doc.userId,\n sessionId: doc.sessionId,\n generateTokens: true,\n });\n return { kind: \"signedIn\" as const, signedIn: signInResult };\n }\n\n if (typeof params.userCode !== \"string\") {\n throw new AuthError(\n \"DEVICE_INVALID_USER_CODE\",\n \"Missing `userCode` parameter for verify flow.\",\n );\n }\n\n const identity = await ctx.auth.getUserIdentity();\n if (identity === null) {\n throw new AuthError(\n \"NOT_SIGNED_IN\",\n \"You must be signed in to authorize a device.\",\n );\n }\n\n const userId = userIdFromIdentitySubject(identity.subject);\n const doc = await queryDeviceByUserCode(ctx, params.userCode);\n if (doc === null) {\n throw new AuthError(\"DEVICE_INVALID_USER_CODE\");\n }\n if (Date.now() > doc.expiresAt) {\n await mutateDeviceDelete(ctx, doc._id);\n throw new AuthError(\"DEVICE_CODE_EXPIRED\");\n }\n if (doc.status !== \"pending\") {\n throw new AuthError(\"DEVICE_ALREADY_AUTHORIZED\");\n }\n\n const signInResult = await callSignIn(ctx, {\n userId,\n generateTokens: false,\n });\n await mutateDeviceAuthorize(\n ctx,\n doc._id,\n signInResult.userId,\n signInResult.sessionId,\n );\n return { kind: \"signedIn\" as const, signedIn: null };\n },\n err: (e) =>\n e instanceof AuthError\n ? e\n : new AuthError(\"INTERNAL_ERROR\", `Device flow failed: ${String(e)}`),\n });\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAqCA,MAAM,uBACJ;AACF,MAAM,qBAAqB;AAC3B,MAAM,eAAe;CAAC;CAAU;CAAQ;CAAS;;AA2BjD,MAAa,gBACX,KACA,UACA,SAEA,GAAG,KAAK;CACN,IAAI,YAAY;EACd,MAAM,SAAU,KAAK,UAAU,EAAE;EACjC,MAAM,OAAQ,OAAO,OAAO,SAAS,WAAW,OAAO,OAAO;AAK9D,MAAI,CAAC,aAAa,MAAM,cAAc,cAAc,KAAK,CACvD,OAAM,IAAI,UACR,uBACA,kEACD;AAGH,MAAI,SAAS,UAAU;GACrB,MAAM,aAAa,qBACjB,oBACA,qBACD;GACD,MAAM,iBAAiB,MAAM,OAAO,WAAW;GAE/C,MAAM,cAAc,qBAClB,SAAS,gBACT,SAAS,QACV;GACD,MAAM,MAAM,KAAK,MAAM,YAAY,SAAS,EAAE;GAC9C,MAAM,WACJ,YAAY,MAAM,GAAG,IAAI,GAAG,MAAM,YAAY,MAAM,IAAI;AAG1D,SAAM,mBAAmB,KAAK;IAC5B;IACA;IACA,WAJgB,KAAK,KAAK,GAAG,SAAS,YAAY;IAKlD,UAAU,SAAS;IACnB,QAAQ;IACT,CAAC;GAEF,MAAM,kBACJ,SAAS,mBACT,GAAG,QAAQ,IAAI,YAAY,WAAW,WAAW,CAAC;AAEpD,UAAO;IACL,MAAM;IACN;IACA;IACA;IACA,yBAAyB,GAAG,gBAAgB,aAAa,mBAAmB,SAAS;IACrF,WAAW,SAAS;IACpB,UAAU,SAAS;IACpB;;AAGH,MAAI,SAAS,QAAQ;AACnB,OAAI,OAAO,OAAO,eAAe,SAC/B,OAAM,IAAI,UACR,uBACA,gDACD;GAIH,MAAMA,QAAM,MAAM,sBAAsB,KAD3B,MAAM,OAAO,OAAO,WAAW,CACM;AAClD,OAAIA,UAAQ,KACV,OAAM,IAAI,UAAU,sBAAsB;AAE5C,OAAI,KAAK,KAAK,GAAGA,MAAI,WAAW;AAC9B,UAAM,mBAAmB,KAAKA,MAAI,IAAI;AACtC,UAAM,IAAI,UAAU,sBAAsB;;AAE5C,OACEA,MAAI,iBAAiB,WACpB,KAAK,KAAK,GAAGA,MAAI,gBAAgB,MAAOA,MAAI,SAE7C,OAAM,IAAI,UAAU,mBAAmB;AAGzC,SAAM,6BAA6B,KAAKA,MAAI,KAAK,KAAK,KAAK,CAAC;AAE5D,OAAIA,MAAI,WAAW,UACjB,OAAM,IAAI,UAAU,+BAA+B;AAErD,OAAIA,MAAI,WAAW,UAAU;AAC3B,UAAM,mBAAmB,KAAKA,MAAI,IAAI;AACtC,UAAM,IAAI,UAAU,qBAAqB;;AAG3C,OAAI,CAACA,MAAI,UAAU,CAACA,MAAI,UACtB,OAAM,IAAI,UACR,kBACA,qDACD;AAGH,SAAM,mBAAmB,KAAKA,MAAI,IAAI;AAMtC,UAAO;IAAE,MAAM;IAAqB,UALf,MAAM,WAAW,KAAK;KACzC,QAAQA,MAAI;KACZ,WAAWA,MAAI;KACf,gBAAgB;KACjB,CAAC;IAC0D;;AAG9D,MAAI,OAAO,OAAO,aAAa,SAC7B,OAAM,IAAI,UACR,4BACA,gDACD;EAGH,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,MAAI,aAAa,KACf,OAAM,IAAI,UACR,iBACA,+CACD;EAGH,MAAM,SAAS,0BAA0B,SAAS,QAAQ;EAC1D,MAAM,MAAM,MAAM,sBAAsB,KAAK,OAAO,SAAS;AAC7D,MAAI,QAAQ,KACV,OAAM,IAAI,UAAU,2BAA2B;AAEjD,MAAI,KAAK,KAAK,GAAG,IAAI,WAAW;AAC9B,SAAM,mBAAmB,KAAK,IAAI,IAAI;AACtC,SAAM,IAAI,UAAU,sBAAsB;;AAE5C,MAAI,IAAI,WAAW,UACjB,OAAM,IAAI,UAAU,4BAA4B;EAGlD,MAAM,eAAe,MAAM,WAAW,KAAK;GACzC;GACA,gBAAgB;GACjB,CAAC;AACF,QAAM,sBACJ,KACA,IAAI,KACJ,aAAa,QACb,aAAa,UACd;AACD,SAAO;GAAE,MAAM;GAAqB,UAAU;GAAM;;CAEtD,MAAM,MACJ,aAAa,YACT,IACA,IAAI,UAAU,kBAAkB,uBAAuB,OAAO,EAAE,GAAG;CAC1E,CAAC"}
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
import { asRecord } from "./shared.js";
|
|
2
|
+
|
|
3
|
+
//#region src/server/enterprise/config.ts
|
|
4
|
+
const getProtocolConfig = (config, protocol) => {
|
|
5
|
+
const base = asRecord(config);
|
|
6
|
+
const direct = base?.[protocol];
|
|
7
|
+
const viaProtocols = asRecord(base?.protocols)?.[protocol];
|
|
8
|
+
return asRecord(direct) ?? asRecord(viaProtocols) ?? {};
|
|
9
|
+
};
|
|
10
|
+
/** @internal */
|
|
11
|
+
function getOidcConfig(config) {
|
|
12
|
+
return getProtocolConfig(config, "oidc");
|
|
13
|
+
}
|
|
14
|
+
/** @internal */
|
|
15
|
+
function getPublicOidcConfig(config) {
|
|
16
|
+
const { clientSecret: _clientSecret, ...publicOidc } = getOidcConfig(config);
|
|
17
|
+
return publicOidc;
|
|
18
|
+
}
|
|
19
|
+
/** @internal */
|
|
20
|
+
function withOidcSecretState(config, hasClientSecret) {
|
|
21
|
+
return {
|
|
22
|
+
...config,
|
|
23
|
+
hasClientSecret
|
|
24
|
+
};
|
|
25
|
+
}
|
|
26
|
+
/** @internal */
|
|
27
|
+
function getSamlConfig(config) {
|
|
28
|
+
return getProtocolConfig(config, "saml");
|
|
29
|
+
}
|
|
30
|
+
/** @internal */
|
|
31
|
+
function upsertProtocolConfig(config, protocol, protocolConfig) {
|
|
32
|
+
const base = asRecord(config) ?? {};
|
|
33
|
+
const protocols = asRecord(base.protocols) ?? {};
|
|
34
|
+
protocols[protocol] = {
|
|
35
|
+
...asRecord(protocols[protocol]),
|
|
36
|
+
...protocolConfig
|
|
37
|
+
};
|
|
38
|
+
return {
|
|
39
|
+
...base,
|
|
40
|
+
protocols
|
|
41
|
+
};
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
//#endregion
|
|
45
|
+
export { getOidcConfig, getPublicOidcConfig, getSamlConfig, upsertProtocolConfig, withOidcSecretState };
|
|
46
|
+
//# sourceMappingURL=config.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"config.js","names":[],"sources":["../../../../src/server/enterprise/config.ts"],"sourcesContent":["import { asRecord } from \"./shared\";\n\nconst getProtocolConfig = (config: unknown, protocol: \"oidc\" | \"saml\") => {\n const base = asRecord(config);\n const direct = base?.[protocol];\n const viaProtocols = asRecord(base?.protocols)?.[protocol];\n return asRecord(direct) ?? asRecord(viaProtocols) ?? {};\n};\n\n/** @internal */\nexport function getOidcConfig(config: unknown): Record<string, any> {\n return getProtocolConfig(config, \"oidc\");\n}\n\n/** @internal */\nexport function getPublicOidcConfig(config: unknown): Record<string, any> {\n const oidc = getOidcConfig(config);\n const { clientSecret: _clientSecret, ...publicOidc } = oidc;\n return publicOidc;\n}\n\n/** @internal */\nexport function withOidcSecretState(\n config: Record<string, any>,\n hasClientSecret: boolean,\n) {\n return {\n ...config,\n hasClientSecret,\n };\n}\n\n/** @internal */\nexport function getSamlConfig(config: unknown): Record<string, any> {\n return getProtocolConfig(config, \"saml\");\n}\n\n/** @internal */\nexport function upsertProtocolConfig(\n config: unknown,\n protocol: \"oidc\" | \"saml\",\n protocolConfig: Record<string, unknown>,\n) {\n const base = asRecord(config) ?? {};\n const protocols = asRecord(base.protocols) ?? {};\n protocols[protocol] = {\n ...asRecord(protocols[protocol]),\n ...protocolConfig,\n };\n return { ...base, protocols };\n}\n"],"mappings":";;;AAEA,MAAM,qBAAqB,QAAiB,aAA8B;CACxE,MAAM,OAAO,SAAS,OAAO;CAC7B,MAAM,SAAS,OAAO;CACtB,MAAM,eAAe,SAAS,MAAM,UAAU,GAAG;AACjD,QAAO,SAAS,OAAO,IAAI,SAAS,aAAa,IAAI,EAAE;;;AAIzD,SAAgB,cAAc,QAAsC;AAClE,QAAO,kBAAkB,QAAQ,OAAO;;;AAI1C,SAAgB,oBAAoB,QAAsC;CAExE,MAAM,EAAE,cAAc,eAAe,GAAG,eAD3B,cAAc,OAAO;AAElC,QAAO;;;AAIT,SAAgB,oBACd,QACA,iBACA;AACA,QAAO;EACL,GAAG;EACH;EACD;;;AAIH,SAAgB,cAAc,QAAsC;AAClE,QAAO,kBAAkB,QAAQ,OAAO;;;AAI1C,SAAgB,qBACd,QACA,UACA,gBACA;CACA,MAAM,OAAO,SAAS,OAAO,IAAI,EAAE;CACnC,MAAM,YAAY,SAAS,KAAK,UAAU,IAAI,EAAE;AAChD,WAAU,YAAY;EACpB,GAAG,SAAS,UAAU,UAAU;EAChC,GAAG;EACJ;AACD,QAAO;EAAE,GAAG;EAAM;EAAW"}
|