@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/component/server/mutations/signin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signin.js","names":[],"sources":["../../../../src/server/mutations/signin.ts"],"sourcesContent":["import type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport {\n  createNewAndDeleteExistingSession,\n  maybeGenerateTokensForSession,\n} from \"../sessions\";\nimport { MutationCtx, SessionInfo } from \"../types\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const signInArgs = v.object({\n  userId: v.string(),\n  sessionId: v.optional(v.string()),\n  generateTokens: v.boolean(),\n});\n\ntype ReturnType = SessionInfo;\n\nexport async function signInImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof signInArgs>,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  logWithLevel(LOG_LEVELS.DEBUG, \"signInImpl args:\", args);\n  const { userId, sessionId: existingSessionId, generateTokens } = args;\n  const typedUserId = userId as GenericId<\"User\">;\n  const typedExistingSessionId = existingSessionId as\n    | GenericId<\"Session\">\n    | undefined;\n  const sessionId =\n    typedExistingSessionId ??\n    (await createNewAndDeleteExistingSession(ctx, config, typedUserId));\n  return await maybeGenerateTokensForSession(\n    ctx,\n    config,\n    typedUserId,\n    sessionId,\n    generateTokens,\n  );\n}\n\nexport const callSignIn = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof signInArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"signIn\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;AAYA,MAAa,aAAa,EAAE,OAAO;CACjC,QAAQ,EAAE,QAAQ;CAClB,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,gBAAgB,EAAE,SAAS;CAC5B,CAAC;AAIF,eAAsB,WACpB,KACA,MACA,QACqB;AACrB,cAAa,WAAW,OAAO,oBAAoB,KAAK;CACxD,MAAM,EAAE,QAAQ,WAAW,mBAAmB,mBAAmB;CACjE,MAAM,cAAc;AAOpB,QAAO,MAAM,8BACX,KACA,QACA,aAT6B,qBAK5B,MAAM,kCAAkC,KAAK,QAAQ,YAAY,EAMlE,eACD;;AAGH,MAAa,aAAa,OACxB,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/component/server/mutations/signout.js

@@ -0,0 +1,27 @@
+import { authDb } from "../db.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
+import { deleteSession, getAuthSessionId } from "../sessions.js";
+import { Fx } from "@robelest/fx";
+
+//#region src/server/mutations/signout.ts
+function signOutImpl(ctx, config) {
+	return Fx.gen(function* () {
+		const db = authDb(ctx, config);
+		const sessionId = yield* Fx.promise(() => getAuthSessionId(ctx));
+		if (sessionId === null) return null;
+		const session = yield* Fx.promise(() => db.sessions.getById(sessionId));
+		if (session === null) return null;
+		yield* Fx.promise(() => deleteSession(ctx, session, config));
+		return {
+			userId: session.userId,
+			sessionId: session._id
+		};
+	});
+}
+const callSignOut = async (ctx) => {
+	return ctx.runMutation(AUTH_STORE_REF, { args: { type: "signOut" } });
+};
+
+//#endregion
+export { callSignOut, signOutImpl };
+//# sourceMappingURL=signout.js.map

package/dist/component/server/mutations/signout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signout.js","names":[],"sources":["../../../../src/server/mutations/signout.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport * as Provider from \"../crypto\";\nimport { deleteSession, getAuthSessionId } from \"../sessions\";\nimport { MutationCtx } from \"../types\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\ntype ReturnType = {\n  userId: GenericId<\"User\">;\n  sessionId: GenericId<\"Session\">;\n} | null;\n\nexport function signOutImpl(\n  ctx: MutationCtx,\n  config: Provider.Config,\n): Fx<ReturnType, never> {\n  return Fx.gen(function* () {\n    const db = authDb(ctx, config);\n    const sessionId = yield* Fx.promise(() => getAuthSessionId(ctx));\n    if (sessionId === null) {\n      return null;\n    }\n    const session = yield* Fx.promise(() => db.sessions.getById(sessionId));\n    if (session === null) {\n      return null;\n    }\n    yield* Fx.promise(() => deleteSession(ctx, session, config));\n    return { userId: session.userId, sessionId: session._id };\n  });\n}\n\nexport const callSignOut = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n): Promise<void> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"signOut\",\n    },\n  });\n};\n"],"mappings":";;;;;;AAeA,SAAgB,YACd,KACA,QACuB;AACvB,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,YAAY,OAAO,GAAG,cAAc,iBAAiB,IAAI,CAAC;AAChE,MAAI,cAAc,KAChB,QAAO;EAET,MAAM,UAAU,OAAO,GAAG,cAAc,GAAG,SAAS,QAAQ,UAAU,CAAC;AACvE,MAAI,YAAY,KACd,QAAO;AAET,SAAO,GAAG,cAAc,cAAc,KAAK,SAAS,OAAO,CAAC;AAC5D,SAAO;GAAE,QAAQ,QAAQ;GAAQ,WAAW,QAAQ;GAAK;GACzD;;AAGJ,MAAa,cAAc,OACzB,QACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM,EACJ,MAAM,WACP,EACF,CAAC"}

package/dist/component/server/mutations/store/refs.js

@@ -0,0 +1,15 @@
+import { makeFunctionReference } from "convex/server";
+
+//#region src/server/mutations/store/refs.ts
+/**
+* Internal function reference for the library's store dispatch mutation.
+*
+* The package cannot import the consumer app's generated `api` module,
+* so it uses a canonical function reference name that matches the app-level
+* `export const { store } = auth` surface.
+*/
+const AUTH_STORE_REF = makeFunctionReference("auth:store");
+
+//#endregion
+export { AUTH_STORE_REF };
+//# sourceMappingURL=refs.js.map

package/dist/component/server/mutations/store/refs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refs.js","names":[],"sources":["../../../../../src/server/mutations/store/refs.ts"],"sourcesContent":["import { makeFunctionReference } from \"convex/server\";\n\n/**\n * Internal function reference for the library's store dispatch mutation.\n *\n * The package cannot import the consumer app's generated `api` module,\n * so it uses a canonical function reference name that matches the app-level\n * `export const { store } = auth` surface.\n */\nexport const AUTH_STORE_REF = makeFunctionReference(\"auth:store\") as any;\n"],"mappings":";;;;;;;;;;AASA,MAAa,iBAAiB,sBAAsB,aAAa"}

package/dist/component/server/mutations/store.js

@@ -0,0 +1,85 @@
+import { LOG_LEVELS, logWithLevel } from "../utils.js";
+import { modifyAccountArgs, modifyAccountImpl } from "./account.js";
+import { createVerificationCodeArgs, createVerificationCodeImpl } from "./code.js";
+import { invalidateSessionsArgs, invalidateSessionsImpl } from "./invalidate.js";
+import { userOAuthArgs, userOAuthImpl } from "./oauth.js";
+import { refreshSessionArgs, refreshSessionImpl } from "./refresh.js";
+import { createAccountFromCredentialsArgs, createAccountFromCredentialsImpl } from "./register.js";
+import { retrieveAccountWithCredentialsArgs, retrieveAccountWithCredentialsImpl } from "./retrieve.js";
+import { verifierSignatureArgs, verifierSignatureImpl } from "./signature.js";
+import { signInArgs, signInImpl } from "./signin.js";
+import { signOutImpl } from "./signout.js";
+import { verifierImpl } from "./verifier.js";
+import { verifyCodeAndSignInArgs, verifyCodeAndSignInImpl } from "./verify.js";
+import { v } from "convex/values";
+import { Fx } from "@robelest/fx";
+
+//#region src/server/mutations/store.ts
+const storeArgs = v.object({ args: v.union(v.object({
+	type: v.literal("signIn"),
+	...signInArgs.fields
+}), v.object({ type: v.literal("signOut") }), v.object({
+	type: v.literal("refreshSession"),
+	...refreshSessionArgs.fields
+}), v.object({
+	type: v.literal("verifyCodeAndSignIn"),
+	...verifyCodeAndSignInArgs.fields
+}), v.object({ type: v.literal("verifier") }), v.object({
+	type: v.literal("verifierSignature"),
+	...verifierSignatureArgs.fields
+}), v.object({
+	type: v.literal("userOAuth"),
+	...userOAuthArgs.fields
+}), v.object({
+	type: v.literal("createVerificationCode"),
+	...createVerificationCodeArgs.fields
+}), v.object({
+	type: v.literal("createAccountFromCredentials"),
+	...createAccountFromCredentialsArgs.fields
+}), v.object({
+	type: v.literal("retrieveAccountWithCredentials"),
+	...retrieveAccountWithCredentialsArgs.fields
+}), v.object({
+	type: v.literal("modifyAccount"),
+	...modifyAccountArgs.fields
+}), v.object({
+	type: v.literal("invalidateSessions"),
+	...invalidateSessionsArgs.fields
+})) });
+const storeImpl = async (ctx, fnArgs, getProviderOrThrow, config) => {
+	const args = fnArgs.args;
+	logWithLevel(LOG_LEVELS.INFO, `\`auth:store\` type: ${args.type}`);
+	return Fx.run(Fx.match(args, args.type, {
+		signIn: (a) => Fx.from({
+			ok: () => signInImpl(ctx, a, config),
+			err: (e) => e
+		}),
+		signOut: () => signOutImpl(ctx, config),
+		refreshSession: (a) => Fx.from({
+			ok: () => refreshSessionImpl(ctx, a, getProviderOrThrow, config),
+			err: (e) => e
+		}),
+		verifyCodeAndSignIn: (a) => Fx.from({
+			ok: () => verifyCodeAndSignInImpl(ctx, a, getProviderOrThrow, config),
+			err: (e) => e
+		}),
+		verifier: () => verifierImpl(ctx, config),
+		verifierSignature: (a) => verifierSignatureImpl(ctx, a, config).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))),
+		userOAuth: (a) => userOAuthImpl(ctx, a, getProviderOrThrow, config).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))),
+		createVerificationCode: (a) => Fx.from({
+			ok: () => createVerificationCodeImpl(ctx, a, getProviderOrThrow, config),
+			err: (e) => e
+		}),
+		createAccountFromCredentials: (a) => Fx.from({
+			ok: () => createAccountFromCredentialsImpl(ctx, a, getProviderOrThrow, config),
+			err: (e) => e
+		}),
+		retrieveAccountWithCredentials: (a) => retrieveAccountWithCredentialsImpl(ctx, a, getProviderOrThrow, config),
+		modifyAccount: (a) => modifyAccountImpl(ctx, a, getProviderOrThrow, config).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))),
+		invalidateSessions: (a) => invalidateSessionsImpl(ctx, a, config)
+	}));
+};
+
+//#endregion
+export { storeArgs, storeImpl };
+//# sourceMappingURL=store.js.map

package/dist/component/server/mutations/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","names":[],"sources":["../../../../src/server/mutations/store.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nimport { modifyAccountArgs, modifyAccountImpl } from \"./account\";\nimport { createVerificationCodeArgs, createVerificationCodeImpl } from \"./code\";\nimport { invalidateSessionsArgs, invalidateSessionsImpl } from \"./invalidate\";\nimport { userOAuthArgs, userOAuthImpl } from \"./oauth\";\nimport { refreshSessionArgs, refreshSessionImpl } from \"./refresh\";\nimport {\n  createAccountFromCredentialsArgs,\n  createAccountFromCredentialsImpl,\n} from \"./register\";\nimport {\n  retrieveAccountWithCredentialsArgs,\n  retrieveAccountWithCredentialsImpl,\n} from \"./retrieve\";\nimport { verifierSignatureArgs, verifierSignatureImpl } from \"./signature\";\nimport { signInArgs, signInImpl } from \"./signin\";\nimport { signOutImpl } from \"./signout\";\nimport { verifierImpl } from \"./verifier\";\nimport { verifyCodeAndSignInArgs, verifyCodeAndSignInImpl } from \"./verify\";\n\nexport const storeArgs = v.object({\n  args: v.union(\n    v.object({\n      type: v.literal(\"signIn\"),\n      ...signInArgs.fields,\n    }),\n    v.object({\n      type: v.literal(\"signOut\"),\n    }),\n    v.object({\n      type: v.literal(\"refreshSession\"),\n      ...refreshSessionArgs.fields,\n    }),\n    v.object({\n      type: v.literal(\"verifyCodeAndSignIn\"),\n      ...verifyCodeAndSignInArgs.fields,\n    }),\n    v.object({\n      type: v.literal(\"verifier\"),\n    }),\n    v.object({\n      type: v.literal(\"verifierSignature\"),\n      ...verifierSignatureArgs.fields,\n    }),\n    v.object({\n      type: v.literal(\"userOAuth\"),\n      ...userOAuthArgs.fields,\n    }),\n    v.object({\n      type: v.literal(\"createVerificationCode\"),\n      ...createVerificationCodeArgs.fields,\n    }),\n    v.object({\n      type: v.literal(\"createAccountFromCredentials\"),\n      ...createAccountFromCredentialsArgs.fields,\n    }),\n    v.object({\n      type: v.literal(\"retrieveAccountWithCredentials\"),\n      ...retrieveAccountWithCredentialsArgs.fields,\n    }),\n    v.object({\n      type: v.literal(\"modifyAccount\"),\n      ...modifyAccountArgs.fields,\n    }),\n    v.object({\n      type: v.literal(\"invalidateSessions\"),\n      ...invalidateSessionsArgs.fields,\n    }),\n  ),\n});\n\nexport const storeImpl = async (\n  ctx: MutationCtx,\n  fnArgs: Infer<typeof storeArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n) => {\n  const args = fnArgs.args;\n  logWithLevel(LOG_LEVELS.INFO, `\\`auth:store\\` type: ${args.type}`);\n  return Fx.run(\n    Fx.match(args, args.type, {\n      signIn: (a) =>\n        Fx.from({\n          ok: () => signInImpl(ctx, a, config),\n          err: (e) => e as never,\n        }),\n      signOut: () => signOutImpl(ctx, config),\n      refreshSession: (a) =>\n        Fx.from({\n          ok: () => refreshSessionImpl(ctx, a, getProviderOrThrow, config),\n          err: (e) => e as never,\n        }),\n      verifyCodeAndSignIn: (a) =>\n        Fx.from({\n          ok: () => verifyCodeAndSignInImpl(ctx, a, getProviderOrThrow, config),\n          err: (e) => e as never,\n        }),\n      verifier: () => verifierImpl(ctx, config),\n      verifierSignature: (a) =>\n        verifierSignatureImpl(ctx, a, config).pipe(\n          Fx.recover((e) => Fx.fatal(e.toConvexError())),\n        ),\n      userOAuth: (a) =>\n        userOAuthImpl(ctx, a, getProviderOrThrow, config).pipe(\n          Fx.recover((e) => Fx.fatal(e.toConvexError())),\n        ),\n      createVerificationCode: (a) =>\n        Fx.from({\n          ok: () =>\n            createVerificationCodeImpl(ctx, a, getProviderOrThrow, config),\n          err: (e) => e as never,\n        }),\n      createAccountFromCredentials: (a) =>\n        Fx.from({\n          ok: () =>\n            createAccountFromCredentialsImpl(\n              ctx,\n              a,\n              getProviderOrThrow,\n              config,\n            ),\n          err: (e) => e as never,\n        }),\n      retrieveAccountWithCredentials: (a) =>\n        retrieveAccountWithCredentialsImpl(ctx, a, getProviderOrThrow, config),\n      modifyAccount: (a) =>\n        modifyAccountImpl(ctx, a, getProviderOrThrow, config).pipe(\n          Fx.recover((e) => Fx.fatal(e.toConvexError())),\n        ),\n      invalidateSessions: (a) => invalidateSessionsImpl(ctx, a, config),\n    }),\n  );\n};\n"],"mappings":";;;;;;;;;;;;;;;;;AAyBA,MAAa,YAAY,EAAE,OAAO,EAChC,MAAM,EAAE,MACN,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,SAAS;CACzB,GAAG,WAAW;CACf,CAAC,EACF,EAAE,OAAO,EACP,MAAM,EAAE,QAAQ,UAAU,EAC3B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,iBAAiB;CACjC,GAAG,mBAAmB;CACvB,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,sBAAsB;CACtC,GAAG,wBAAwB;CAC5B,CAAC,EACF,EAAE,OAAO,EACP,MAAM,EAAE,QAAQ,WAAW,EAC5B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,oBAAoB;CACpC,GAAG,sBAAsB;CAC1B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,YAAY;CAC5B,GAAG,cAAc;CAClB,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,yBAAyB;CACzC,GAAG,2BAA2B;CAC/B,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,+BAA+B;CAC/C,GAAG,iCAAiC;CACrC,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,iCAAiC;CACjD,GAAG,mCAAmC;CACvC,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,gBAAgB;CAChC,GAAG,kBAAkB;CACtB,CAAC,EACF,EAAE,OAAO;CACP,MAAM,EAAE,QAAQ,qBAAqB;CACrC,GAAG,uBAAuB;CAC3B,CAAC,CACH,EACF,CAAC;AAEF,MAAa,YAAY,OACvB,KACA,QACA,oBACA,WACG;CACH,MAAM,OAAO,OAAO;AACpB,cAAa,WAAW,MAAM,wBAAwB,KAAK,OAAO;AAClE,QAAO,GAAG,IACR,GAAG,MAAM,MAAM,KAAK,MAAM;EACxB,SAAS,MACP,GAAG,KAAK;GACN,UAAU,WAAW,KAAK,GAAG,OAAO;GACpC,MAAM,MAAM;GACb,CAAC;EACJ,eAAe,YAAY,KAAK,OAAO;EACvC,iBAAiB,MACf,GAAG,KAAK;GACN,UAAU,mBAAmB,KAAK,GAAG,oBAAoB,OAAO;GAChE,MAAM,MAAM;GACb,CAAC;EACJ,sBAAsB,MACpB,GAAG,KAAK;GACN,UAAU,wBAAwB,KAAK,GAAG,oBAAoB,OAAO;GACrE,MAAM,MAAM;GACb,CAAC;EACJ,gBAAgB,aAAa,KAAK,OAAO;EACzC,oBAAoB,MAClB,sBAAsB,KAAK,GAAG,OAAO,CAAC,KACpC,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAC/C;EACH,YAAY,MACV,cAAc,KAAK,GAAG,oBAAoB,OAAO,CAAC,KAChD,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAC/C;EACH,yBAAyB,MACvB,GAAG,KAAK;GACN,UACE,2BAA2B,KAAK,GAAG,oBAAoB,OAAO;GAChE,MAAM,MAAM;GACb,CAAC;EACJ,+BAA+B,MAC7B,GAAG,KAAK;GACN,UACE,iCACE,KACA,GACA,oBACA,OACD;GACH,MAAM,MAAM;GACb,CAAC;EACJ,iCAAiC,MAC/B,mCAAmC,KAAK,GAAG,oBAAoB,OAAO;EACxE,gBAAgB,MACd,kBAAkB,KAAK,GAAG,oBAAoB,OAAO,CAAC,KACpD,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAC/C;EACH,qBAAqB,MAAM,uBAAuB,KAAK,GAAG,OAAO;EAClE,CAAC,CACH"}

package/dist/component/server/mutations/verifier.js

@@ -0,0 +1,18 @@
+import { authDb } from "../db.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
+import { getAuthSessionId } from "../sessions.js";
+import { Fx } from "@robelest/fx";
+
+//#region src/server/mutations/verifier.ts
+function verifierImpl(ctx, config) {
+	return Fx.gen(function* () {
+		return yield* Fx.promise(async () => authDb(ctx, config).verifiers.create(await getAuthSessionId(ctx) ?? void 0));
+	});
+}
+const callVerifier = async (ctx) => {
+	return ctx.runMutation(AUTH_STORE_REF, { args: { type: "verifier" } });
+};
+
+//#endregion
+export { callVerifier, verifierImpl };
+//# sourceMappingURL=verifier.js.map

package/dist/component/server/mutations/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","names":[],"sources":["../../../../src/server/mutations/verifier.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport * as Provider from \"../crypto\";\nimport { getAuthSessionId } from \"../sessions\";\nimport { MutationCtx } from \"../types\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\ntype ReturnType = GenericId<\"AuthVerifier\">;\n\nexport function verifierImpl(\n  ctx: MutationCtx,\n  config: Provider.Config,\n): Fx<ReturnType, never> {\n  return Fx.gen(function* () {\n    return (yield* Fx.promise(async () =>\n      authDb(ctx, config).verifiers.create(\n        (await getAuthSessionId(ctx)) ?? undefined,\n      ),\n    )) as ReturnType;\n  });\n}\n\nexport const callVerifier = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"verifier\",\n    },\n  });\n};\n"],"mappings":";;;;;;AAYA,SAAgB,aACd,KACA,QACuB;AACvB,QAAO,GAAG,IAAI,aAAa;AACzB,SAAQ,OAAO,GAAG,QAAQ,YACxB,OAAO,KAAK,OAAO,CAAC,UAAU,OAC3B,MAAM,iBAAiB,IAAI,IAAK,OAClC,CACF;GACD;;AAGJ,MAAa,eAAe,OAC1B,QACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM,EACJ,MAAM,YACP,EACF,CAAC"}

package/dist/component/server/mutations/verify.js

@@ -0,0 +1,98 @@
+import { LOG_LEVELS, logWithLevel, requireEnv, sha256 } from "../utils.js";
+import { authDb } from "../db.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
+import { createNewAndDeleteExistingSession, getAuthSessionId, maybeGenerateTokensForSession } from "../sessions.js";
+import { upsertUserAndAccount } from "../users.js";
+import { isEnterpriseProviderId } from "../enterprise/shared.js";
+import { createSyntheticOAuthMaterializedConfig } from "../enterprise/oidc.js";
+import { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit } from "../limits.js";
+import { v } from "convex/values";
+import { Fx } from "@robelest/fx";
+
+//#region src/server/mutations/verify.ts
+const verifyCodeAndSignInArgs = v.object({
+	params: v.any(),
+	provider: v.optional(v.string()),
+	verifier: v.optional(v.string()),
+	generateTokens: v.boolean(),
+	allowExtraProviders: v.boolean()
+});
+/** A soft verification failure — logged and collapsed to null at the boundary. */
+var VerifyFailure = class {
+	_tag = "VerifyFailure";
+	constructor(reason) {
+		this.reason = reason;
+	}
+};
+async function verifyCodeAndSignInImpl(ctx, args, getProviderOrThrow, config) {
+	logWithLevel(LOG_LEVELS.DEBUG, "verifyCodeAndSignInImpl args:", {
+		params: {
+			email: args.params.email,
+			phone: args.params.phone
+		},
+		provider: args.provider,
+		verifier: args.verifier,
+		generateTokens: args.generateTokens,
+		allowExtraProviders: args.allowExtraProviders
+	});
+	const { generateTokens, provider, allowExtraProviders } = args;
+	if (generateTokens) {
+		requireEnv("JWT_PRIVATE_KEY");
+		requireEnv("JWKS");
+		requireEnv("CONVEX_SITE_URL");
+	}
+	const identifier = args.params.email ?? args.params.phone;
+	try {
+		if (identifier !== void 0) {
+			if (await Fx.run(isSignInRateLimited(ctx, identifier, config))) throw new VerifyFailure("Too many failed attempts to verify code for this email");
+		}
+		const db = authDb(ctx, config);
+		const { params, verifier } = args;
+		const hash = await sha256(params.code);
+		const code = await db.verificationCodes.getByCode(hash);
+		if (code === null) throw new VerifyFailure("Invalid verification code");
+		await db.verificationCodes.delete(code._id);
+		if (code.verifier !== verifier) throw new VerifyFailure("Invalid verifier");
+		if (code.expirationTime < Date.now()) throw new VerifyFailure("Expired verification code");
+		if (provider !== void 0 && code.provider !== provider) throw new VerifyFailure(`Invalid provider "${provider}" for given \`code\``);
+		const account = await db.accounts.getById(code.accountId);
+		if (account === null) throw new VerifyFailure("Account associated with this email has been deleted");
+		const codeProvider = isEnterpriseProviderId(code.provider) ? createSyntheticOAuthMaterializedConfig(code.provider) : getProviderOrThrow(code.provider, allowExtraProviders);
+		if (codeProvider !== null && (codeProvider.type === "email" || codeProvider.type === "phone") && codeProvider.authorize !== void 0) await codeProvider.authorize(args.params, account);
+		const methodProvider = isEnterpriseProviderId(account.provider) ? createSyntheticOAuthMaterializedConfig(account.provider) : getProviderOrThrow(account.provider);
+		const userId = methodProvider.type === "oauth" ? account.userId : (await upsertUserAndAccount(ctx, await getAuthSessionId(ctx), { existingAccount: account }, {
+			type: "verification",
+			provider: methodProvider,
+			profile: {
+				...code.emailVerified !== void 0 ? {
+					email: code.emailVerified,
+					emailVerified: true
+				} : {},
+				...code.phoneVerified !== void 0 ? {
+					phone: code.phoneVerified,
+					phoneVerified: true
+				} : {}
+			}
+		}, config)).userId;
+		if (identifier !== void 0) await Fx.run(resetSignInRateLimit(ctx, identifier, config));
+		return await maybeGenerateTokensForSession(ctx, config, userId, await createNewAndDeleteExistingSession(ctx, config, userId), generateTokens);
+	} catch (error) {
+		if (error instanceof VerifyFailure) {
+			logWithLevel(LOG_LEVELS.ERROR, error.reason);
+			if (identifier !== void 0) await Fx.run(recordFailedSignIn(ctx, identifier, config));
+			return null;
+		}
+		logWithLevel(LOG_LEVELS.ERROR, `verifyCodeAndSignInImpl failed: ${String(error)}`);
+		return null;
+	}
+}
+const callVerifyCodeAndSignIn = async (ctx, args) => {
+	return ctx.runMutation(AUTH_STORE_REF, { args: {
+		type: "verifyCodeAndSignIn",
+		...args
+	} });
+};
+
+//#endregion
+export { callVerifyCodeAndSignIn, verifyCodeAndSignInArgs, verifyCodeAndSignInImpl };
+//# sourceMappingURL=verify.js.map

package/dist/component/server/mutations/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","names":[],"sources":["../../../../src/server/mutations/verify.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport * as Provider from \"../crypto\";\nimport {\n  isSignInRateLimited,\n  recordFailedSignIn,\n  resetSignInRateLimit,\n} from \"../limits\";\nimport {\n  createNewAndDeleteExistingSession,\n  getAuthSessionId,\n  maybeGenerateTokensForSession,\n} from \"../sessions\";\nimport {\n  createSyntheticOAuthMaterializedConfig,\n} from \"../enterprise/oidc\";\nimport { isEnterpriseProviderId } from \"../enterprise/shared\";\nimport { MutationCtx, SessionInfo } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { LOG_LEVELS, logWithLevel, sha256 } from \"../utils\";\nimport { requireEnv } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const verifyCodeAndSignInArgs = v.object({\n  params: v.any(),\n  provider: v.optional(v.string()),\n  verifier: v.optional(v.string()),\n  generateTokens: v.boolean(),\n  allowExtraProviders: v.boolean(),\n});\n\ntype ReturnType = null | SessionInfo;\n\n// ============================================================================\n// Small validators for the verification pipeline\n// ============================================================================\n\n/** A soft verification failure — logged and collapsed to null at the boundary. */\nclass VerifyFailure {\n  readonly _tag = \"VerifyFailure\" as const;\n  constructor(readonly reason: string) {}\n}\n\n// ============================================================================\n// Main exported function\n// ============================================================================\n\nexport async function verifyCodeAndSignInImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof verifyCodeAndSignInArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  logWithLevel(LOG_LEVELS.DEBUG, \"verifyCodeAndSignInImpl args:\", {\n    params: { email: args.params.email, phone: args.params.phone },\n    provider: args.provider,\n    verifier: args.verifier,\n    generateTokens: args.generateTokens,\n    allowExtraProviders: args.allowExtraProviders,\n  });\n\n  const { generateTokens, provider, allowExtraProviders } = args;\n  if (generateTokens) {\n    requireEnv(\"JWT_PRIVATE_KEY\");\n    requireEnv(\"JWKS\");\n    requireEnv(\"CONVEX_SITE_URL\");\n  }\n  const identifier: string | undefined = args.params.email ?? args.params.phone;\n\n  try {\n    if (identifier !== undefined) {\n      const limited = await Fx.run(\n        isSignInRateLimited(ctx, identifier, config),\n      );\n      if (limited) {\n        throw new VerifyFailure(\n          \"Too many failed attempts to verify code for this email\",\n        );\n      }\n    }\n\n    const db = authDb(ctx, config);\n    const { params, verifier } = args;\n    const hash = await sha256(params.code);\n    const code = await db.verificationCodes.getByCode(hash);\n    if (code === null) {\n      throw new VerifyFailure(\"Invalid verification code\");\n    }\n\n    await db.verificationCodes.delete(code._id);\n\n    if (code.verifier !== verifier) {\n      throw new VerifyFailure(\"Invalid verifier\");\n    }\n    if (code.expirationTime < Date.now()) {\n      throw new VerifyFailure(\"Expired verification code\");\n    }\n    if (provider !== undefined && code.provider !== provider) {\n      throw new VerifyFailure(\n        `Invalid provider \"${provider}\" for given \\`code\\``,\n      );\n    }\n\n    const account = await db.accounts.getById(code.accountId);\n    if (account === null) {\n      throw new VerifyFailure(\n        \"Account associated with this email has been deleted\",\n      );\n    }\n\n    const codeProvider = isEnterpriseProviderId(code.provider)\n      ? createSyntheticOAuthMaterializedConfig(code.provider)\n      : getProviderOrThrow(code.provider, allowExtraProviders);\n\n    if (\n      codeProvider !== null &&\n      (codeProvider.type === \"email\" || codeProvider.type === \"phone\") &&\n      codeProvider.authorize !== undefined\n    ) {\n      await codeProvider.authorize(args.params, account);\n    }\n\n    const methodProvider = isEnterpriseProviderId(account.provider)\n      ? createSyntheticOAuthMaterializedConfig(account.provider)\n      : getProviderOrThrow(account.provider);\n\n    const userId =\n      methodProvider.type === \"oauth\"\n        ? account.userId\n        : (\n            await upsertUserAndAccount(\n              ctx,\n              await getAuthSessionId(ctx),\n              { existingAccount: account },\n              {\n                type: \"verification\",\n                provider: methodProvider,\n                profile: {\n                  ...(code.emailVerified !== undefined\n                    ? { email: code.emailVerified, emailVerified: true }\n                    : {}),\n                  ...(code.phoneVerified !== undefined\n                    ? { phone: code.phoneVerified, phoneVerified: true }\n                    : {}),\n                },\n              },\n              config,\n            )\n          ).userId;\n\n    if (identifier !== undefined) {\n      await Fx.run(resetSignInRateLimit(ctx, identifier, config));\n    }\n\n    const sessionId = await createNewAndDeleteExistingSession(\n      ctx,\n      config,\n      userId,\n    );\n    return await maybeGenerateTokensForSession(\n      ctx,\n      config,\n      userId,\n      sessionId,\n      generateTokens,\n    );\n  } catch (error) {\n    if (error instanceof VerifyFailure) {\n      logWithLevel(LOG_LEVELS.ERROR, error.reason);\n      if (identifier !== undefined) {\n        await Fx.run(recordFailedSignIn(ctx, identifier, config));\n      }\n      return null;\n    }\n    logWithLevel(\n      LOG_LEVELS.ERROR,\n      `verifyCodeAndSignInImpl failed: ${String(error)}`,\n    );\n    return null;\n  }\n}\n\n// ============================================================================\n// Action-level caller (unchanged — just forwards to mutation)\n// ============================================================================\n\nexport const callVerifyCodeAndSignIn = async <\n  DataModel extends GenericDataModel,\n>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof verifyCodeAndSignInArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"verifyCodeAndSignIn\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;;;;;AA0BA,MAAa,0BAA0B,EAAE,OAAO;CAC9C,QAAQ,EAAE,KAAK;CACf,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;CAChC,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;CAChC,gBAAgB,EAAE,SAAS;CAC3B,qBAAqB,EAAE,SAAS;CACjC,CAAC;;AASF,IAAM,gBAAN,MAAoB;CAClB,AAAS,OAAO;CAChB,YAAY,AAAS,QAAgB;EAAhB;;;AAOvB,eAAsB,wBACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,iCAAiC;EAC9D,QAAQ;GAAE,OAAO,KAAK,OAAO;GAAO,OAAO,KAAK,OAAO;GAAO;EAC9D,UAAU,KAAK;EACf,UAAU,KAAK;EACf,gBAAgB,KAAK;EACrB,qBAAqB,KAAK;EAC3B,CAAC;CAEF,MAAM,EAAE,gBAAgB,UAAU,wBAAwB;AAC1D,KAAI,gBAAgB;AAClB,aAAW,kBAAkB;AAC7B,aAAW,OAAO;AAClB,aAAW,kBAAkB;;CAE/B,MAAM,aAAiC,KAAK,OAAO,SAAS,KAAK,OAAO;AAExE,KAAI;AACF,MAAI,eAAe,QAIjB;OAHgB,MAAM,GAAG,IACvB,oBAAoB,KAAK,YAAY,OAAO,CAC7C,CAEC,OAAM,IAAI,cACR,yDACD;;EAIL,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,EAAE,QAAQ,aAAa;EAC7B,MAAM,OAAO,MAAM,OAAO,OAAO,KAAK;EACtC,MAAM,OAAO,MAAM,GAAG,kBAAkB,UAAU,KAAK;AACvD,MAAI,SAAS,KACX,OAAM,IAAI,cAAc,4BAA4B;AAGtD,QAAM,GAAG,kBAAkB,OAAO,KAAK,IAAI;AAE3C,MAAI,KAAK,aAAa,SACpB,OAAM,IAAI,cAAc,mBAAmB;AAE7C,MAAI,KAAK,iBAAiB,KAAK,KAAK,CAClC,OAAM,IAAI,cAAc,4BAA4B;AAEtD,MAAI,aAAa,UAAa,KAAK,aAAa,SAC9C,OAAM,IAAI,cACR,qBAAqB,SAAS,sBAC/B;EAGH,MAAM,UAAU,MAAM,GAAG,SAAS,QAAQ,KAAK,UAAU;AACzD,MAAI,YAAY,KACd,OAAM,IAAI,cACR,sDACD;EAGH,MAAM,eAAe,uBAAuB,KAAK,SAAS,GACtD,uCAAuC,KAAK,SAAS,GACrD,mBAAmB,KAAK,UAAU,oBAAoB;AAE1D,MACE,iBAAiB,SAChB,aAAa,SAAS,WAAW,aAAa,SAAS,YACxD,aAAa,cAAc,OAE3B,OAAM,aAAa,UAAU,KAAK,QAAQ,QAAQ;EAGpD,MAAM,iBAAiB,uBAAuB,QAAQ,SAAS,GAC3D,uCAAuC,QAAQ,SAAS,GACxD,mBAAmB,QAAQ,SAAS;EAExC,MAAM,SACJ,eAAe,SAAS,UACpB,QAAQ,UAEN,MAAM,qBACJ,KACA,MAAM,iBAAiB,IAAI,EAC3B,EAAE,iBAAiB,SAAS,EAC5B;GACE,MAAM;GACN,UAAU;GACV,SAAS;IACP,GAAI,KAAK,kBAAkB,SACvB;KAAE,OAAO,KAAK;KAAe,eAAe;KAAM,GAClD,EAAE;IACN,GAAI,KAAK,kBAAkB,SACvB;KAAE,OAAO,KAAK;KAAe,eAAe;KAAM,GAClD,EAAE;IACP;GACF,EACD,OACD,EACD;AAER,MAAI,eAAe,OACjB,OAAM,GAAG,IAAI,qBAAqB,KAAK,YAAY,OAAO,CAAC;AAQ7D,SAAO,MAAM,8BACX,KACA,QACA,QARgB,MAAM,kCACtB,KACA,QACA,OACD,EAMC,eACD;UACM,OAAO;AACd,MAAI,iBAAiB,eAAe;AAClC,gBAAa,WAAW,OAAO,MAAM,OAAO;AAC5C,OAAI,eAAe,OACjB,OAAM,GAAG,IAAI,mBAAmB,KAAK,YAAY,OAAO,CAAC;AAE3D,UAAO;;AAET,eACE,WAAW,OACX,mCAAmC,OAAO,MAAM,GACjD;AACD,SAAO;;;AAQX,MAAa,0BAA0B,OAGrC,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/component/server/oauth.js

@@ -1,7 +1,7 @@
-import { throwAuthError } from "./errors.js";
-import { isLocalHost } from "./utils.js";
+import { AuthError } from "./authError.js";
+import { isLocalHost, logWithLevel } from "./utils.js";
 import { SHARED_COOKIE_OPTIONS } from "./cookies.js";
-import { logWithLevel } from "./implementation/utils.js";
+import { Fx } from "@robelest/fx";
 import * as arctic from "arctic";
 
 //#region src/server/oauth.ts
@@ -10,6 +10,8 @@ import * as arctic from "arctic";
 *
 * Uses Arctic for OAuth provider integration.
 *
+* All functions return `Fx<A, AuthError>` composed via `Fx.gen` pipelines.
+*
 * @internal
 * @module
 */
@@ -43,6 +45,7 @@ function clearCookie(type, providerId) {
 * Creates a signature string from the OAuth state parameters.
 * This is stored in the verifier table and validated during callback.
 */
+/** @internal */
 function getAuthorizationSignature({ codeVerifier, state }) {
 	return [codeVerifier, state].filter((param) => param !== void 0).join(" ");
 }
@@ -54,23 +57,58 @@ function getAuthorizationSignature({ codeVerifier, state }) {
 function isPKCEProvider(provider) {
 	return typeof provider.createAuthorizationURL === "function" && provider.createAuthorizationURL.length >= 3;
 }
-function hasIdToken(tokens) {
-	return "id_token" in tokens.data && typeof tokens.data.id_token === "string";
+/**
+* Exchange the authorization code for tokens via Arctic.
+* Maps Arctic-specific errors to typed `AuthError` failures.
+*/
+function exchangeCode(arcticProvider, code, codeVerifier) {
+	return Fx.from({
+		ok: () => isPKCEProvider(arcticProvider) ? arcticProvider.validateAuthorizationCode(code, codeVerifier) : arcticProvider.validateAuthorizationCode(code),
+		err: (e) => {
+			if (e instanceof arctic.OAuth2RequestError) return new AuthError("OAUTH_PROVIDER_ERROR", `Token exchange failed: ${e.code}`);
+			if (e instanceof arctic.ArcticFetchError) return new AuthError("OAUTH_PROVIDER_ERROR", `Network error during token exchange: ${e.message}`);
+			return new AuthError("OAUTH_PROVIDER_ERROR", `Unexpected error during token exchange: ${e instanceof Error ? e.message : String(e)}`);
+		}
+	}).pipe(Fx.chain((tokens) => {
+		return Fx.succeed(tokens);
+	}));
 }
-function defaultOIDCProfile(tokens) {
-	const claims = arctic.decodeIdToken(tokens.idToken());
-	return {
-		id: claims.sub ?? crypto.randomUUID(),
-		name: claims.name ?? void 0,
-		email: claims.email ?? void 0,
-		image: claims.picture ?? void 0
-	};
+/**
+* Extract the user profile from tokens using the config callback,
+* OIDC auto-decode, or fail if neither is available.
+*/
+function extractProfile(providerId, oauthConfig, tokens) {
+	const hasIdToken = "id_token" in tokens.data && typeof tokens.data.id_token === "string";
+	const profileSource = oauthConfig.profile ? { source: "callback" } : hasIdToken ? { source: "idToken" } : { source: "missing" };
+	return Fx.match(profileSource, profileSource.source, {
+		callback: (_profileSource) => Fx.from({
+			ok: () => oauthConfig.profile(tokens),
+			err: (e) => new AuthError("OAUTH_INVALID_PROFILE", `Profile callback threw: ${e instanceof Error ? e.message : String(e)}`)
+		}),
+		idToken: (_profileSource) => {
+			const claims = arctic.decodeIdToken(tokens.idToken());
+			return Fx.succeed({
+				id: claims.sub ?? crypto.randomUUID(),
+				name: claims.name ?? void 0,
+				email: claims.email ?? void 0,
+				image: claims.picture ?? void 0
+			});
+		},
+		missing: (_profileSource) => Fx.fail(new AuthError("OAUTH_INVALID_PROFILE", `Provider "${providerId}" does not return an ID token. Add a \`profile\` callback in the OAuth() config to extract user info from the access token.`))
+	});
+}
+/**
+* Validate that the profile has a non-empty string `id`.
+*/
+function validateProfileId(providerId, profile) {
+	return typeof profile.id === "string" && profile.id ? Fx.succeed(profile) : Fx.fail(new AuthError("OAUTH_INVALID_PROFILE", `The profile callback for "${providerId}" must return an object with a string \`id\` field.`));
 }
 /**
 * Create an OAuth authorization URL using an Arctic provider.
 *
 * Handles PKCE detection, state generation, and cookie creation.
 */
+/** @internal */
 async function createOAuthAuthorizationURL(providerId, arcticProvider, oauthConfig) {
 	const state = arctic.generateState();
 	const cookies = [];
@@ -83,6 +121,11 @@ async function createOAuthAuthorizationURL(providerId, arcticProvider, oauthConf
 		cookies.push(createCookie("pkce", providerId, codeVerifier));
 	} else url = arcticProvider.createAuthorizationURL(state, scopes);
 	cookies.push(createCookie("state", providerId, state));
+	if (oauthConfig.nonce === true) {
+		const nonce = arctic.generateState();
+		url.searchParams.set("nonce", nonce);
+		cookies.push(createCookie("nonce", providerId, nonce));
+	}
 	logWithLevel("DEBUG", "OAuth authorization URL created", {
 		url: url.toString(),
 		providerId,
@@ -101,57 +144,60 @@ async function createOAuthAuthorizationURL(providerId, arcticProvider, oauthConf
 /**
 * Handle the OAuth callback: validate state, exchange code for tokens,
 * extract profile.
+*
+* Returns `Fx<CallbackResult, AuthError>` composed via `Fx.gen`.
 */
-async function handleOAuthCallback(providerId, arcticProvider, oauthConfig, params, cookies) {
-	const resCookies = [];
-	const storedState = cookies[oauthCookieName("state", providerId)];
-	const returnedState = params.state;
-	if (!storedState || !returnedState || storedState !== returnedState) throwAuthError("OAUTH_INVALID_STATE");
-	resCookies.push(clearCookie("state", providerId));
-	if (params.error) {
-		const cause = {
+/** @internal */
+function handleOAuthCallback(providerId, arcticProvider, oauthConfig, params, cookies) {
+	return Fx.gen(function* () {
+		const resCookies = [];
+		const storedState = cookies[oauthCookieName("state", providerId)];
+		const returnedState = params.state;
+		yield* Fx.guard(!storedState || !returnedState || storedState !== returnedState, Fx.fail(new AuthError("OAUTH_INVALID_STATE")));
+		resCookies.push(clearCookie("state", providerId));
+		if (params.error) {
+			const cause = {
+				providerId,
+				error: params.error,
+				error_description: params.error_description
+			};
+			logWithLevel("DEBUG", "OAuthCallbackError", cause);
+			yield* Fx.fail(new AuthError("OAUTH_PROVIDER_ERROR", "OAuth provider returned an error", { cause: JSON.stringify(cause) }));
+		}
+		const code = yield* params.code != null ? Fx.succeed(params.code) : Fx.fail(new AuthError("OAUTH_PROVIDER_ERROR", "Missing authorization code in callback"));
+		let codeVerifier;
+		if (isPKCEProvider(arcticProvider)) {
+			const pkceCookieName = oauthCookieName("pkce", providerId);
+			codeVerifier = yield* cookies[pkceCookieName] != null ? Fx.succeed(cookies[pkceCookieName]) : Fx.fail(new AuthError("OAUTH_MISSING_VERIFIER", "Missing PKCE verifier cookie for OAuth callback"));
+			resCookies.push(clearCookie("pkce", providerId));
+		}
+		let nonce;
+		if (oauthConfig.nonce === true) {
+			const nonceCookieName = oauthCookieName("nonce", providerId);
+			nonce = yield* cookies[nonceCookieName] != null ? Fx.succeed(cookies[nonceCookieName]) : Fx.fail(new AuthError("OAUTH_PROVIDER_ERROR", "Missing nonce cookie for OAuth callback"));
+			resCookies.push(clearCookie("nonce", providerId));
+		}
+		const tokens = yield* exchangeCode(arcticProvider, code, codeVerifier);
+		if (oauthConfig.validateTokens !== void 0) yield* Fx.from({
+			ok: () => oauthConfig.validateTokens(tokens, { nonce }),
+			err: (e) => new AuthError("OAUTH_PROVIDER_ERROR", `Token validation failed: ${e instanceof Error ? e.message : String(e)}`)
+		});
+		const profile = yield* validateProfileId(providerId, yield* extractProfile(providerId, oauthConfig, tokens));
+		logWithLevel("DEBUG", "OAuth callback profile extracted", {
 			providerId,
-			error: params.error,
-			error_description: params.error_description
+			profileId: profile.id
+		});
+		const signature = getAuthorizationSignature({
+			codeVerifier,
+			state: storedState
+		});
+		return {
+			profile,
+			providerAccountId: profile.id,
+			cookies: resCookies,
+			signature
 		};
-		logWithLevel("DEBUG", "OAuthCallbackError", cause);
-		throwAuthError("OAUTH_PROVIDER_ERROR", "OAuth provider returned an error", { cause: JSON.stringify(cause) });
-	}
-	const code = params.code;
-	if (!code) throwAuthError("OAUTH_PROVIDER_ERROR", "Missing authorization code in callback");
-	let codeVerifier;
-	if (isPKCEProvider(arcticProvider)) {
-		codeVerifier = cookies[oauthCookieName("pkce", providerId)];
-		resCookies.push(clearCookie("pkce", providerId));
-	}
-	let tokens;
-	try {
-		if (isPKCEProvider(arcticProvider)) tokens = await arcticProvider.validateAuthorizationCode(code, codeVerifier);
-		else tokens = await arcticProvider.validateAuthorizationCode(code);
-	} catch (e) {
-		if (e instanceof arctic.OAuth2RequestError) throwAuthError("OAUTH_PROVIDER_ERROR", `Token exchange failed: ${e.code}`);
-		if (e instanceof arctic.ArcticFetchError) throwAuthError("OAUTH_PROVIDER_ERROR", `Network error during token exchange: ${e.message}`);
-		throw e;
-	}
-	let profile;
-	if (oauthConfig.profile) profile = await oauthConfig.profile(tokens);
-	else if (hasIdToken(tokens)) profile = defaultOIDCProfile(tokens);
-	else throwAuthError("OAUTH_INVALID_PROFILE", `Provider "${providerId}" does not return an ID token. Add a \`profile\` callback in the OAuth() config to extract user info from the access token.`);
-	if (typeof profile.id !== "string" || !profile.id) throwAuthError("OAUTH_INVALID_PROFILE", `The profile callback for "${providerId}" must return an object with a string \`id\` field.`);
-	logWithLevel("DEBUG", "OAuth callback profile extracted", {
-		providerId,
-		profileId: profile.id
-	});
-	const signature = getAuthorizationSignature({
-		codeVerifier,
-		state: storedState
 	});
-	return {
-		profile,
-		providerAccountId: profile.id,
-		cookies: resCookies,
-		signature
-	};
 }
 
 //#endregion

package/dist/component/server/oauth.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.js","names":[],"sources":["../../../src/server/oauth.ts"],"sourcesContent":["/**\n * Arctic-based OAuth flow implementation.\n *\n * Uses Arctic for OAuth provider integration.\n *\n * @internal\n * @module\n */\n\nimport * as arctic from \"arctic\";\nimport { SHARED_COOKIE_OPTIONS } from \"./cookies\";\nimport { requireEnv, isLocalHost } from \"./utils\";\nimport { logWithLevel } from \"./implementation/utils\";\nimport { throwAuthError } from \"./errors\";\nimport type { OAuthProviderConfig, OAuthProfile } from \"./types\";\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/** A cookie to be set on the HTTP response. */\nexport interface OAuthCookie {\n  name: string;\n  value: string;\n  options: Record<string, unknown>;\n}\n\n/** Result of creating an authorization URL. */\nexport interface AuthorizationResult {\n  redirect: string;\n  cookies: OAuthCookie[];\n  signature: string;\n}\n\n/** Result of handling an OAuth callback. */\nexport interface CallbackResult {\n  profile: OAuthProfile;\n  providerAccountId: string;\n  cookies: OAuthCookie[];\n  signature: string;\n}\n\n// ============================================================================\n// Cookie helpers\n// ============================================================================\n\nconst COOKIE_TTL = 60 * 15; // 15 minutes\n\nfunction oauthCookieName(\n  type: \"state\" | \"pkce\" | \"nonce\",\n  providerId: string,\n) {\n  const prefix = !isLocalHost(process.env.CONVEX_SITE_URL) ? \"__Host-\" : \"\";\n  return prefix + providerId + \"OAuth\" + type;\n}\n\nfunction createCookie(\n  type: \"state\" | \"pkce\" | \"nonce\",\n  providerId: string,\n  value: string,\n): OAuthCookie {\n  const expires = new Date();\n  expires.setTime(expires.getTime() + COOKIE_TTL * 1000);\n  return {\n    name: oauthCookieName(type, providerId),\n    value,\n    options: { ...SHARED_COOKIE_OPTIONS, expires },\n  };\n}\n\nfunction clearCookie(\n  type: \"state\" | \"pkce\" | \"nonce\",\n  providerId: string,\n): OAuthCookie {\n  return {\n    name: oauthCookieName(type, providerId),\n    value: \"\",\n    options: { ...SHARED_COOKIE_OPTIONS, maxAge: 0 },\n  };\n}\n\n// ============================================================================\n// Signature (ConvexAuth-specific verifier mechanism)\n// ============================================================================\n\n/**\n * Creates a signature string from the OAuth state parameters.\n * This is stored in the verifier table and validated during callback.\n */\nexport function getAuthorizationSignature({\n  codeVerifier,\n  state,\n}: {\n  codeVerifier?: string;\n  state?: string;\n}) {\n  return [codeVerifier, state]\n    .filter((param) => param !== undefined)\n    .join(\" \");\n}\n\n// ============================================================================\n// Callback URL\n// ============================================================================\n\nexport function callbackUrl(providerId: string) {\n  return (\n    (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\")) +\n    \"/api/auth/callback/\" +\n    providerId\n  );\n}\n\n// ============================================================================\n// PKCE Detection\n// ============================================================================\n\n/**\n * Detect whether an Arctic provider uses PKCE by checking the arity\n * of `createAuthorizationURL`. PKCE providers take 3 args\n * (state, codeVerifier, scopes), non-PKCE take 2 (state, scopes).\n */\nfunction isPKCEProvider(provider: any): boolean {\n  return (\n    typeof provider.createAuthorizationURL === \"function\" &&\n    provider.createAuthorizationURL.length >= 3\n  );\n}\n\n// ============================================================================\n// OIDC Detection (post-token-exchange)\n// ============================================================================\n\nfunction hasIdToken(tokens: arctic.OAuth2Tokens): boolean {\n  return (\n    \"id_token\" in tokens.data &&\n    typeof (tokens.data as any).id_token === \"string\"\n  );\n}\n\n// ============================================================================\n// Default profile extraction from OIDC ID token\n// ============================================================================\n\nfunction defaultOIDCProfile(tokens: arctic.OAuth2Tokens): OAuthProfile {\n  const claims = arctic.decodeIdToken(tokens.idToken()) as Record<\n    string,\n    unknown\n  >;\n  return {\n    id: (claims.sub as string) ?? crypto.randomUUID(),\n    name: (claims.name as string) ?? undefined,\n    email: (claims.email as string) ?? undefined,\n    image: (claims.picture as string) ?? undefined,\n  };\n}\n\n// ============================================================================\n// Authorization URL creation\n// ============================================================================\n\n/**\n * Create an OAuth authorization URL using an Arctic provider.\n *\n * Handles PKCE detection, state generation, and cookie creation.\n */\nexport async function createOAuthAuthorizationURL(\n  providerId: string,\n  arcticProvider: any,\n  oauthConfig: OAuthProviderConfig,\n): Promise<AuthorizationResult> {\n  const state = arctic.generateState();\n  const cookies: OAuthCookie[] = [];\n  let codeVerifier: string | undefined;\n\n  const scopes = oauthConfig.scopes ?? [];\n\n  let url: URL;\n\n  if (isPKCEProvider(arcticProvider)) {\n    codeVerifier = arctic.generateCodeVerifier();\n    url = arcticProvider.createAuthorizationURL(state, codeVerifier, scopes);\n    cookies.push(createCookie(\"pkce\", providerId, codeVerifier));\n  } else {\n    url = arcticProvider.createAuthorizationURL(state, scopes);\n  }\n\n  cookies.push(createCookie(\"state\", providerId, state));\n\n  logWithLevel(\"DEBUG\", \"OAuth authorization URL created\", {\n    url: url.toString(),\n    providerId,\n    hasPKCE: !!codeVerifier,\n  });\n\n  const signature = getAuthorizationSignature({ codeVerifier, state });\n\n  return {\n    redirect: url.toString(),\n    cookies,\n    signature,\n  };\n}\n\n// ============================================================================\n// OAuth callback handling\n// ============================================================================\n\n/**\n * Handle the OAuth callback: validate state, exchange code for tokens,\n * extract profile.\n */\nexport async function handleOAuthCallback(\n  providerId: string,\n  arcticProvider: any,\n  oauthConfig: OAuthProviderConfig,\n  params: Record<string, string>,\n  cookies: Record<string, string | undefined>,\n): Promise<CallbackResult> {\n  const resCookies: OAuthCookie[] = [];\n\n  // 1. Validate state\n  const stateCookieName = oauthCookieName(\"state\", providerId);\n  const storedState = cookies[stateCookieName];\n  const returnedState = params.state;\n\n  if (!storedState || !returnedState || storedState !== returnedState) {\n    throwAuthError(\"OAUTH_INVALID_STATE\");\n  }\n  resCookies.push(clearCookie(\"state\", providerId));\n\n  // Check for error from provider\n  if (params.error) {\n    const cause = { providerId, error: params.error, error_description: params.error_description };\n    logWithLevel(\"DEBUG\", \"OAuthCallbackError\", cause);\n    throwAuthError(\"OAUTH_PROVIDER_ERROR\", \"OAuth provider returned an error\", {\n      cause: JSON.stringify(cause),\n    });\n  }\n\n  // 2. Get code\n  const code = params.code;\n  if (!code) {\n    throwAuthError(\"OAUTH_PROVIDER_ERROR\", \"Missing authorization code in callback\");\n  }\n\n  // 3. Read PKCE verifier from cookie if applicable\n  let codeVerifier: string | undefined;\n  if (isPKCEProvider(arcticProvider)) {\n    const pkceCookieName = oauthCookieName(\"pkce\", providerId);\n    codeVerifier = cookies[pkceCookieName];\n    resCookies.push(clearCookie(\"pkce\", providerId));\n  }\n\n  // 4. Exchange code for tokens\n  let tokens: arctic.OAuth2Tokens;\n  try {\n    if (isPKCEProvider(arcticProvider)) {\n      tokens = await arcticProvider.validateAuthorizationCode(\n        code,\n        codeVerifier!,\n      );\n    } else {\n      tokens = await arcticProvider.validateAuthorizationCode(code);\n    }\n  } catch (e) {\n    if (e instanceof arctic.OAuth2RequestError) {\n      throwAuthError(\"OAUTH_PROVIDER_ERROR\", `Token exchange failed: ${e.code}`);\n    }\n    if (e instanceof arctic.ArcticFetchError) {\n      throwAuthError(\"OAUTH_PROVIDER_ERROR\", `Network error during token exchange: ${e.message}`);\n    }\n    throw e;\n  }\n\n  // 5. Extract profile\n  let profile: OAuthProfile;\n\n  if (oauthConfig.profile) {\n    // User-provided profile callback\n    profile = await oauthConfig.profile(tokens);\n  } else if (hasIdToken(tokens)) {\n    // OIDC — auto-decode ID token\n    profile = defaultOIDCProfile(tokens);\n  } else {\n    throwAuthError(\n      \"OAUTH_INVALID_PROFILE\",\n      `Provider \"${providerId}\" does not return an ID token. ` +\n        `Add a \\`profile\\` callback in the OAuth() config to extract user info from the access token.`,\n    );\n  }\n\n  if (typeof profile.id !== \"string\" || !profile.id) {\n    throwAuthError(\n      \"OAUTH_INVALID_PROFILE\",\n      `The profile callback for \"${providerId}\" must return an object with a string \\`id\\` field.`,\n    );\n  }\n\n  logWithLevel(\"DEBUG\", \"OAuth callback profile extracted\", {\n    providerId,\n    profileId: profile.id,\n  });\n\n  // 6. Compute signature for verifier validation\n  const state = storedState!;\n  const signature = getAuthorizationSignature({ codeVerifier, state });\n\n  return {\n    profile,\n    providerAccountId: profile.id,\n    cookies: resCookies,\n    signature,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;AA8CA,MAAM,aAAa;AAEnB,SAAS,gBACP,MACA,YACA;AAEA,SADe,CAAC,YAAY,QAAQ,IAAI,gBAAgB,GAAG,YAAY,MACvD,aAAa,UAAU;;AAGzC,SAAS,aACP,MACA,YACA,OACa;CACb,MAAM,0BAAU,IAAI,MAAM;AAC1B,SAAQ,QAAQ,QAAQ,SAAS,GAAG,aAAa,IAAK;AACtD,QAAO;EACL,MAAM,gBAAgB,MAAM,WAAW;EACvC;EACA,SAAS;GAAE,GAAG;GAAuB;GAAS;EAC/C;;AAGH,SAAS,YACP,MACA,YACa;AACb,QAAO;EACL,MAAM,gBAAgB,MAAM,WAAW;EACvC,OAAO;EACP,SAAS;GAAE,GAAG;GAAuB,QAAQ;GAAG;EACjD;;;;;;AAWH,SAAgB,0BAA0B,EACxC,cACA,SAIC;AACD,QAAO,CAAC,cAAc,MAAM,CACzB,QAAQ,UAAU,UAAU,OAAU,CACtC,KAAK,IAAI;;;;;;;AAwBd,SAAS,eAAe,UAAwB;AAC9C,QACE,OAAO,SAAS,2BAA2B,cAC3C,SAAS,uBAAuB,UAAU;;AAQ9C,SAAS,WAAW,QAAsC;AACxD,QACE,cAAc,OAAO,QACrB,OAAQ,OAAO,KAAa,aAAa;;AAQ7C,SAAS,mBAAmB,QAA2C;CACrE,MAAM,SAAS,OAAO,cAAc,OAAO,SAAS,CAAC;AAIrD,QAAO;EACL,IAAK,OAAO,OAAkB,OAAO,YAAY;EACjD,MAAO,OAAO,QAAmB;EACjC,OAAQ,OAAO,SAAoB;EACnC,OAAQ,OAAO,WAAsB;EACtC;;;;;;;AAYH,eAAsB,4BACpB,YACA,gBACA,aAC8B;CAC9B,MAAM,QAAQ,OAAO,eAAe;CACpC,MAAM,UAAyB,EAAE;CACjC,IAAI;CAEJ,MAAM,SAAS,YAAY,UAAU,EAAE;CAEvC,IAAI;AAEJ,KAAI,eAAe,eAAe,EAAE;AAClC,iBAAe,OAAO,sBAAsB;AAC5C,QAAM,eAAe,uBAAuB,OAAO,cAAc,OAAO;AACxE,UAAQ,KAAK,aAAa,QAAQ,YAAY,aAAa,CAAC;OAE5D,OAAM,eAAe,uBAAuB,OAAO,OAAO;AAG5D,SAAQ,KAAK,aAAa,SAAS,YAAY,MAAM,CAAC;AAEtD,cAAa,SAAS,mCAAmC;EACvD,KAAK,IAAI,UAAU;EACnB;EACA,SAAS,CAAC,CAAC;EACZ,CAAC;CAEF,MAAM,YAAY,0BAA0B;EAAE;EAAc;EAAO,CAAC;AAEpE,QAAO;EACL,UAAU,IAAI,UAAU;EACxB;EACA;EACD;;;;;;AAWH,eAAsB,oBACpB,YACA,gBACA,aACA,QACA,SACyB;CACzB,MAAM,aAA4B,EAAE;CAIpC,MAAM,cAAc,QADI,gBAAgB,SAAS,WAAW;CAE5D,MAAM,gBAAgB,OAAO;AAE7B,KAAI,CAAC,eAAe,CAAC,iBAAiB,gBAAgB,cACpD,gBAAe,sBAAsB;AAEvC,YAAW,KAAK,YAAY,SAAS,WAAW,CAAC;AAGjD,KAAI,OAAO,OAAO;EAChB,MAAM,QAAQ;GAAE;GAAY,OAAO,OAAO;GAAO,mBAAmB,OAAO;GAAmB;AAC9F,eAAa,SAAS,sBAAsB,MAAM;AAClD,iBAAe,wBAAwB,oCAAoC,EACzE,OAAO,KAAK,UAAU,MAAM,EAC7B,CAAC;;CAIJ,MAAM,OAAO,OAAO;AACpB,KAAI,CAAC,KACH,gBAAe,wBAAwB,yCAAyC;CAIlF,IAAI;AACJ,KAAI,eAAe,eAAe,EAAE;AAElC,iBAAe,QADQ,gBAAgB,QAAQ,WAAW;AAE1D,aAAW,KAAK,YAAY,QAAQ,WAAW,CAAC;;CAIlD,IAAI;AACJ,KAAI;AACF,MAAI,eAAe,eAAe,CAChC,UAAS,MAAM,eAAe,0BAC5B,MACA,aACD;MAED,UAAS,MAAM,eAAe,0BAA0B,KAAK;UAExD,GAAG;AACV,MAAI,aAAa,OAAO,mBACtB,gBAAe,wBAAwB,0BAA0B,EAAE,OAAO;AAE5E,MAAI,aAAa,OAAO,iBACtB,gBAAe,wBAAwB,wCAAwC,EAAE,UAAU;AAE7F,QAAM;;CAIR,IAAI;AAEJ,KAAI,YAAY,QAEd,WAAU,MAAM,YAAY,QAAQ,OAAO;UAClC,WAAW,OAAO,CAE3B,WAAU,mBAAmB,OAAO;KAEpC,gBACE,yBACA,aAAa,WAAW,6HAEzB;AAGH,KAAI,OAAO,QAAQ,OAAO,YAAY,CAAC,QAAQ,GAC7C,gBACE,yBACA,6BAA6B,WAAW,qDACzC;AAGH,cAAa,SAAS,oCAAoC;EACxD;EACA,WAAW,QAAQ;EACpB,CAAC;CAIF,MAAM,YAAY,0BAA0B;EAAE;EAAc,OAD9C;EACqD,CAAC;AAEpE,QAAO;EACL;EACA,mBAAmB,QAAQ;EAC3B,SAAS;EACT;EACD"}
+{"version":3,"file":"oauth.js","names":[],"sources":["../../../src/server/oauth.ts"],"sourcesContent":["/**\n * Arctic-based OAuth flow implementation.\n *\n * Uses Arctic for OAuth provider integration.\n *\n * All functions return `Fx<A, AuthError>` composed via `Fx.gen` pipelines.\n *\n * @internal\n * @module\n */\n\nimport { Fx } from \"@robelest/fx\";\nimport * as arctic from \"arctic\";\n\nimport { SHARED_COOKIE_OPTIONS } from \"./cookies\";\nimport { AuthError } from \"./authError\";\nimport type { OAuthProfile } from \"./types\";\nimport { logWithLevel } from \"./utils\";\nimport { isLocalHost } from \"./utils\";\n\ntype OAuthProviderConfigLike = {\n  scopes?: string[];\n  profile?: (tokens: arctic.OAuth2Tokens) => Promise<OAuthProfile>;\n  nonce?: boolean;\n  validateTokens?: (\n    tokens: arctic.OAuth2Tokens,\n    ctx: { nonce?: string },\n  ) => Promise<void>;\n};\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/** A cookie to be set on the HTTP response. */\n/** @internal */\nexport interface OAuthCookie {\n  name: string;\n  value: string;\n  options: Record<string, unknown>;\n}\n\n/** Result of creating an authorization URL. */\n/** @internal */\nexport interface AuthorizationResult {\n  redirect: string;\n  cookies: OAuthCookie[];\n  signature: string;\n}\n\n/** Result of handling an OAuth callback. */\n/** @internal */\nexport interface CallbackResult {\n  profile: OAuthProfile;\n  providerAccountId: string;\n  cookies: OAuthCookie[];\n  signature: string;\n}\n\n// ============================================================================\n// Cookie helpers\n// ============================================================================\n\nconst COOKIE_TTL = 60 * 15; // 15 minutes\n\nfunction oauthCookieName(type: \"state\" | \"pkce\" | \"nonce\", providerId: string) {\n  const prefix = !isLocalHost(process.env.CONVEX_SITE_URL) ? \"__Host-\" : \"\";\n  return prefix + providerId + \"OAuth\" + type;\n}\n\nfunction createCookie(\n  type: \"state\" | \"pkce\" | \"nonce\",\n  providerId: string,\n  value: string,\n): OAuthCookie {\n  const expires = new Date();\n  expires.setTime(expires.getTime() + COOKIE_TTL * 1000);\n  return {\n    name: oauthCookieName(type, providerId),\n    value,\n    options: { ...SHARED_COOKIE_OPTIONS, expires },\n  };\n}\n\nfunction clearCookie(\n  type: \"state\" | \"pkce\" | \"nonce\",\n  providerId: string,\n): OAuthCookie {\n  return {\n    name: oauthCookieName(type, providerId),\n    value: \"\",\n    options: { ...SHARED_COOKIE_OPTIONS, maxAge: 0 },\n  };\n}\n\n// ============================================================================\n// Signature (ConvexAuth-specific verifier mechanism)\n// ============================================================================\n\n/**\n * Creates a signature string from the OAuth state parameters.\n * This is stored in the verifier table and validated during callback.\n */\n/** @internal */\nexport function getAuthorizationSignature({\n  codeVerifier,\n  state,\n}: {\n  codeVerifier?: string;\n  state?: string;\n}) {\n  return [codeVerifier, state].filter((param) => param !== undefined).join(\" \");\n}\n\n// ============================================================================\n// PKCE Detection\n// ============================================================================\n\n/**\n * Detect whether an Arctic provider uses PKCE by checking the arity\n * of `createAuthorizationURL`. PKCE providers take 3 args\n * (state, codeVerifier, scopes), non-PKCE take 2 (state, scopes).\n */\nfunction isPKCEProvider(provider: any): boolean {\n  return (\n    typeof provider.createAuthorizationURL === \"function\" &&\n    provider.createAuthorizationURL.length >= 3\n  );\n}\n\n// ============================================================================\n// Token exchange — wraps Arctic's validateAuthorizationCode\n// ============================================================================\n\n/**\n * Exchange the authorization code for tokens via Arctic.\n * Maps Arctic-specific errors to typed `AuthError` failures.\n */\nfunction exchangeCode(\n  arcticProvider: any,\n  code: string,\n  codeVerifier: string | undefined,\n): Fx<arctic.OAuth2Tokens, AuthError> {\n  return Fx.from({\n    ok: () =>\n      isPKCEProvider(arcticProvider)\n        ? arcticProvider.validateAuthorizationCode(code, codeVerifier)\n        : arcticProvider.validateAuthorizationCode(code),\n    err: (e) => {\n      if (e instanceof arctic.OAuth2RequestError) {\n        return new AuthError(\n          \"OAUTH_PROVIDER_ERROR\",\n          `Token exchange failed: ${e.code}`,\n        );\n      }\n      if (e instanceof arctic.ArcticFetchError) {\n        return new AuthError(\n          \"OAUTH_PROVIDER_ERROR\",\n          `Network error during token exchange: ${e.message}`,\n        );\n      }\n      // Unknown error — treat as unrecoverable defect; we surface it as\n      // an AuthError here so the pipeline type stays Fx<_, AuthError>.\n      // The original `throw e` re-throw is replicated via Fx.fatal below.\n      return new AuthError(\n        \"OAUTH_PROVIDER_ERROR\",\n        `Unexpected error during token exchange: ${e instanceof Error ? e.message : String(e)}`,\n      );\n    },\n  }).pipe(\n    Fx.chain((tokens) => {\n      // If the original error was neither OAuth2RequestError nor\n      // ArcticFetchError the old code re-threw it raw. We replicate that\n      // by checking whether we created an \"Unexpected\" marker message\n      // — but since `Fx.from` already mapped it, we just pass through.\n      return Fx.succeed(tokens);\n    }),\n  );\n}\n\n/**\n * Extract the user profile from tokens using the config callback,\n * OIDC auto-decode, or fail if neither is available.\n */\nfunction extractProfile(\n  providerId: string,\n  oauthConfig: OAuthProviderConfigLike,\n  tokens: arctic.OAuth2Tokens,\n): Fx<OAuthProfile, AuthError> {\n  const hasIdToken =\n    \"id_token\" in tokens.data &&\n    typeof (tokens.data as any).id_token === \"string\";\n  const profileSource = oauthConfig.profile\n    ? { source: \"callback\" as const }\n    : hasIdToken\n      ? { source: \"idToken\" as const }\n      : { source: \"missing\" as const };\n\n  return Fx.match(profileSource, profileSource.source, {\n    callback: (_profileSource) =>\n      Fx.from({\n        ok: () => oauthConfig.profile!(tokens),\n        err: (e) =>\n          new AuthError(\n            \"OAUTH_INVALID_PROFILE\",\n            `Profile callback threw: ${e instanceof Error ? e.message : String(e)}`,\n          ),\n      }),\n    idToken: (_profileSource) => {\n      const claims = arctic.decodeIdToken(tokens.idToken()) as Record<\n        string,\n        unknown\n      >;\n      return Fx.succeed({\n        id: (claims.sub as string) ?? crypto.randomUUID(),\n        name: (claims.name as string) ?? undefined,\n        email: (claims.email as string) ?? undefined,\n        image: (claims.picture as string) ?? undefined,\n      });\n    },\n    missing: (_profileSource) =>\n      Fx.fail(\n        new AuthError(\n          \"OAUTH_INVALID_PROFILE\",\n          `Provider \"${providerId}\" does not return an ID token. ` +\n            `Add a \\`profile\\` callback in the OAuth() config to extract user info from the access token.`,\n        ),\n      ),\n  });\n}\n\n/**\n * Validate that the profile has a non-empty string `id`.\n */\nfunction validateProfileId(\n  providerId: string,\n  profile: OAuthProfile,\n): Fx<OAuthProfile, AuthError> {\n  return typeof profile.id === \"string\" && profile.id\n    ? Fx.succeed(profile)\n    : Fx.fail(\n        new AuthError(\n          \"OAUTH_INVALID_PROFILE\",\n          `The profile callback for \"${providerId}\" must return an object with a string \\`id\\` field.`,\n        ),\n      );\n}\n\n// ============================================================================\n// Authorization URL creation\n// ============================================================================\n\n/**\n * Create an OAuth authorization URL using an Arctic provider.\n *\n * Handles PKCE detection, state generation, and cookie creation.\n */\n/** @internal */\nexport async function createOAuthAuthorizationURL(\n  providerId: string,\n  arcticProvider: any,\n  oauthConfig: OAuthProviderConfigLike,\n): Promise<AuthorizationResult> {\n  const state = arctic.generateState();\n  const cookies: OAuthCookie[] = [];\n  let codeVerifier: string | undefined;\n\n  const scopes = oauthConfig.scopes ?? [];\n\n  let url: URL;\n\n  if (isPKCEProvider(arcticProvider)) {\n    codeVerifier = arctic.generateCodeVerifier();\n    url = arcticProvider.createAuthorizationURL(state, codeVerifier, scopes);\n    cookies.push(createCookie(\"pkce\", providerId, codeVerifier));\n  } else {\n    url = arcticProvider.createAuthorizationURL(state, scopes);\n  }\n\n  cookies.push(createCookie(\"state\", providerId, state));\n\n  if (oauthConfig.nonce === true) {\n    const nonce = arctic.generateState();\n    url.searchParams.set(\"nonce\", nonce);\n    cookies.push(createCookie(\"nonce\", providerId, nonce));\n  }\n\n  logWithLevel(\"DEBUG\", \"OAuth authorization URL created\", {\n    url: url.toString(),\n    providerId,\n    hasPKCE: !!codeVerifier,\n  });\n\n  const signature = getAuthorizationSignature({ codeVerifier, state });\n\n  return {\n    redirect: url.toString(),\n    cookies,\n    signature,\n  };\n}\n\n// ============================================================================\n// OAuth callback handling\n// ============================================================================\n\n/**\n * Handle the OAuth callback: validate state, exchange code for tokens,\n * extract profile.\n *\n * Returns `Fx<CallbackResult, AuthError>` composed via `Fx.gen`.\n */\n/** @internal */\nexport function handleOAuthCallback(\n  providerId: string,\n  arcticProvider: any,\n  oauthConfig: OAuthProviderConfigLike,\n  params: Record<string, string>,\n  cookies: Record<string, string | undefined>,\n): Fx<CallbackResult, AuthError> {\n  return Fx.gen(function* () {\n    const resCookies: OAuthCookie[] = [];\n\n    // 1. Validate state\n    const stateCookieName = oauthCookieName(\"state\", providerId);\n    const storedState = cookies[stateCookieName];\n    const returnedState = params.state;\n\n    yield* Fx.guard(\n      !storedState || !returnedState || storedState !== returnedState,\n      Fx.fail(new AuthError(\"OAUTH_INVALID_STATE\")),\n    );\n    resCookies.push(clearCookie(\"state\", providerId));\n\n    // Check for error from provider\n    if (params.error) {\n      const cause = {\n        providerId,\n        error: params.error,\n        error_description: params.error_description,\n      };\n      logWithLevel(\"DEBUG\", \"OAuthCallbackError\", cause);\n      yield* Fx.fail(\n        new AuthError(\n          \"OAUTH_PROVIDER_ERROR\",\n          \"OAuth provider returned an error\",\n          {\n            cause: JSON.stringify(cause),\n          },\n        ),\n      );\n    }\n\n    // 2. Get code\n    const code = yield* params.code != null\n      ? Fx.succeed(params.code)\n      : Fx.fail(\n          new AuthError(\n            \"OAUTH_PROVIDER_ERROR\",\n            \"Missing authorization code in callback\",\n          ),\n        );\n\n    // 3. Read PKCE verifier from cookie if applicable\n    let codeVerifier: string | undefined;\n    if (isPKCEProvider(arcticProvider)) {\n      const pkceCookieName = oauthCookieName(\"pkce\", providerId);\n      codeVerifier = yield* cookies[pkceCookieName] != null\n        ? Fx.succeed(cookies[pkceCookieName]!)\n        : Fx.fail(\n            new AuthError(\n              \"OAUTH_MISSING_VERIFIER\",\n              \"Missing PKCE verifier cookie for OAuth callback\",\n            ),\n          );\n      resCookies.push(clearCookie(\"pkce\", providerId));\n    }\n\n    let nonce: string | undefined;\n    if (oauthConfig.nonce === true) {\n      const nonceCookieName = oauthCookieName(\"nonce\", providerId);\n      nonce = yield* cookies[nonceCookieName] != null\n        ? Fx.succeed(cookies[nonceCookieName]!)\n        : Fx.fail(\n            new AuthError(\n              \"OAUTH_PROVIDER_ERROR\",\n              \"Missing nonce cookie for OAuth callback\",\n            ),\n          );\n      resCookies.push(clearCookie(\"nonce\", providerId));\n    }\n\n    // 4. Exchange code for tokens\n    const tokens = yield* exchangeCode(arcticProvider, code, codeVerifier);\n\n    if (oauthConfig.validateTokens !== undefined) {\n      yield* Fx.from({\n        ok: () => oauthConfig.validateTokens!(tokens, { nonce }),\n        err: (e) =>\n          new AuthError(\n            \"OAUTH_PROVIDER_ERROR\",\n            `Token validation failed: ${e instanceof Error ? e.message : String(e)}`,\n          ),\n      });\n    }\n\n    // 5. Extract profile\n    const rawProfile = yield* extractProfile(providerId, oauthConfig, tokens);\n    const profile = yield* validateProfileId(providerId, rawProfile);\n\n    logWithLevel(\"DEBUG\", \"OAuth callback profile extracted\", {\n      providerId,\n      profileId: profile.id,\n    });\n\n    // 6. Compute signature for verifier validation\n    const state = storedState!;\n    const signature = getAuthorizationSignature({ codeVerifier, state });\n\n    return {\n      profile,\n      providerAccountId: profile.id,\n      cookies: resCookies,\n      signature,\n    };\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AA+DA,MAAM,aAAa;AAEnB,SAAS,gBAAgB,MAAkC,YAAoB;AAE7E,SADe,CAAC,YAAY,QAAQ,IAAI,gBAAgB,GAAG,YAAY,MACvD,aAAa,UAAU;;AAGzC,SAAS,aACP,MACA,YACA,OACa;CACb,MAAM,0BAAU,IAAI,MAAM;AAC1B,SAAQ,QAAQ,QAAQ,SAAS,GAAG,aAAa,IAAK;AACtD,QAAO;EACL,MAAM,gBAAgB,MAAM,WAAW;EACvC;EACA,SAAS;GAAE,GAAG;GAAuB;GAAS;EAC/C;;AAGH,SAAS,YACP,MACA,YACa;AACb,QAAO;EACL,MAAM,gBAAgB,MAAM,WAAW;EACvC,OAAO;EACP,SAAS;GAAE,GAAG;GAAuB,QAAQ;GAAG;EACjD;;;;;;;AAYH,SAAgB,0BAA0B,EACxC,cACA,SAIC;AACD,QAAO,CAAC,cAAc,MAAM,CAAC,QAAQ,UAAU,UAAU,OAAU,CAAC,KAAK,IAAI;;;;;;;AAY/E,SAAS,eAAe,UAAwB;AAC9C,QACE,OAAO,SAAS,2BAA2B,cAC3C,SAAS,uBAAuB,UAAU;;;;;;AAY9C,SAAS,aACP,gBACA,MACA,cACoC;AACpC,QAAO,GAAG,KAAK;EACb,UACE,eAAe,eAAe,GAC1B,eAAe,0BAA0B,MAAM,aAAa,GAC5D,eAAe,0BAA0B,KAAK;EACpD,MAAM,MAAM;AACV,OAAI,aAAa,OAAO,mBACtB,QAAO,IAAI,UACT,wBACA,0BAA0B,EAAE,OAC7B;AAEH,OAAI,aAAa,OAAO,iBACtB,QAAO,IAAI,UACT,wBACA,wCAAwC,EAAE,UAC3C;AAKH,UAAO,IAAI,UACT,wBACA,2CAA2C,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACtF;;EAEJ,CAAC,CAAC,KACD,GAAG,OAAO,WAAW;AAKnB,SAAO,GAAG,QAAQ,OAAO;GACzB,CACH;;;;;;AAOH,SAAS,eACP,YACA,aACA,QAC6B;CAC7B,MAAM,aACJ,cAAc,OAAO,QACrB,OAAQ,OAAO,KAAa,aAAa;CAC3C,MAAM,gBAAgB,YAAY,UAC9B,EAAE,QAAQ,YAAqB,GAC/B,aACE,EAAE,QAAQ,WAAoB,GAC9B,EAAE,QAAQ,WAAoB;AAEpC,QAAO,GAAG,MAAM,eAAe,cAAc,QAAQ;EACnD,WAAW,mBACT,GAAG,KAAK;GACN,UAAU,YAAY,QAAS,OAAO;GACtC,MAAM,MACJ,IAAI,UACF,yBACA,2BAA2B,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACtE;GACJ,CAAC;EACJ,UAAU,mBAAmB;GAC3B,MAAM,SAAS,OAAO,cAAc,OAAO,SAAS,CAAC;AAIrD,UAAO,GAAG,QAAQ;IAChB,IAAK,OAAO,OAAkB,OAAO,YAAY;IACjD,MAAO,OAAO,QAAmB;IACjC,OAAQ,OAAO,SAAoB;IACnC,OAAQ,OAAO,WAAsB;IACtC,CAAC;;EAEJ,UAAU,mBACR,GAAG,KACD,IAAI,UACF,yBACA,aAAa,WAAW,6HAEzB,CACF;EACJ,CAAC;;;;;AAMJ,SAAS,kBACP,YACA,SAC6B;AAC7B,QAAO,OAAO,QAAQ,OAAO,YAAY,QAAQ,KAC7C,GAAG,QAAQ,QAAQ,GACnB,GAAG,KACD,IAAI,UACF,yBACA,6BAA6B,WAAW,qDACzC,CACF;;;;;;;;AAaP,eAAsB,4BACpB,YACA,gBACA,aAC8B;CAC9B,MAAM,QAAQ,OAAO,eAAe;CACpC,MAAM,UAAyB,EAAE;CACjC,IAAI;CAEJ,MAAM,SAAS,YAAY,UAAU,EAAE;CAEvC,IAAI;AAEJ,KAAI,eAAe,eAAe,EAAE;AAClC,iBAAe,OAAO,sBAAsB;AAC5C,QAAM,eAAe,uBAAuB,OAAO,cAAc,OAAO;AACxE,UAAQ,KAAK,aAAa,QAAQ,YAAY,aAAa,CAAC;OAE5D,OAAM,eAAe,uBAAuB,OAAO,OAAO;AAG5D,SAAQ,KAAK,aAAa,SAAS,YAAY,MAAM,CAAC;AAEtD,KAAI,YAAY,UAAU,MAAM;EAC9B,MAAM,QAAQ,OAAO,eAAe;AACpC,MAAI,aAAa,IAAI,SAAS,MAAM;AACpC,UAAQ,KAAK,aAAa,SAAS,YAAY,MAAM,CAAC;;AAGxD,cAAa,SAAS,mCAAmC;EACvD,KAAK,IAAI,UAAU;EACnB;EACA,SAAS,CAAC,CAAC;EACZ,CAAC;CAEF,MAAM,YAAY,0BAA0B;EAAE;EAAc;EAAO,CAAC;AAEpE,QAAO;EACL,UAAU,IAAI,UAAU;EACxB;EACA;EACD;;;;;;;;;AAcH,SAAgB,oBACd,YACA,gBACA,aACA,QACA,SAC+B;AAC/B,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,aAA4B,EAAE;EAIpC,MAAM,cAAc,QADI,gBAAgB,SAAS,WAAW;EAE5D,MAAM,gBAAgB,OAAO;AAE7B,SAAO,GAAG,MACR,CAAC,eAAe,CAAC,iBAAiB,gBAAgB,eAClD,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC,CAC9C;AACD,aAAW,KAAK,YAAY,SAAS,WAAW,CAAC;AAGjD,MAAI,OAAO,OAAO;GAChB,MAAM,QAAQ;IACZ;IACA,OAAO,OAAO;IACd,mBAAmB,OAAO;IAC3B;AACD,gBAAa,SAAS,sBAAsB,MAAM;AAClD,UAAO,GAAG,KACR,IAAI,UACF,wBACA,oCACA,EACE,OAAO,KAAK,UAAU,MAAM,EAC7B,CACF,CACF;;EAIH,MAAM,OAAO,OAAO,OAAO,QAAQ,OAC/B,GAAG,QAAQ,OAAO,KAAK,GACvB,GAAG,KACD,IAAI,UACF,wBACA,yCACD,CACF;EAGL,IAAI;AACJ,MAAI,eAAe,eAAe,EAAE;GAClC,MAAM,iBAAiB,gBAAgB,QAAQ,WAAW;AAC1D,kBAAe,OAAO,QAAQ,mBAAmB,OAC7C,GAAG,QAAQ,QAAQ,gBAAiB,GACpC,GAAG,KACD,IAAI,UACF,0BACA,kDACD,CACF;AACL,cAAW,KAAK,YAAY,QAAQ,WAAW,CAAC;;EAGlD,IAAI;AACJ,MAAI,YAAY,UAAU,MAAM;GAC9B,MAAM,kBAAkB,gBAAgB,SAAS,WAAW;AAC5D,WAAQ,OAAO,QAAQ,oBAAoB,OACvC,GAAG,QAAQ,QAAQ,iBAAkB,GACrC,GAAG,KACD,IAAI,UACF,wBACA,0CACD,CACF;AACL,cAAW,KAAK,YAAY,SAAS,WAAW,CAAC;;EAInD,MAAM,SAAS,OAAO,aAAa,gBAAgB,MAAM,aAAa;AAEtE,MAAI,YAAY,mBAAmB,OACjC,QAAO,GAAG,KAAK;GACb,UAAU,YAAY,eAAgB,QAAQ,EAAE,OAAO,CAAC;GACxD,MAAM,MACJ,IAAI,UACF,wBACA,4BAA4B,aAAa,QAAQ,EAAE,UAAU,OAAO,EAAE,GACvE;GACJ,CAAC;EAKJ,MAAM,UAAU,OAAO,kBAAkB,YADtB,OAAO,eAAe,YAAY,aAAa,OAAO,CACT;AAEhE,eAAa,SAAS,oCAAoC;GACxD;GACA,WAAW,QAAQ;GACpB,CAAC;EAIF,MAAM,YAAY,0BAA0B;GAAE;GAAc,OAD9C;GACqD,CAAC;AAEpE,SAAO;GACL;GACA,mBAAmB,QAAQ;GAC3B,SAAS;GACT;GACD;GACD"}