@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/component/server/passkey.js

@@ -0,0 +1,328 @@
+import { AuthError } from "./authError.js";
+import { userIdFromIdentitySubject } from "./identity.js";
+import { authDb } from "./db.js";
+import { callVerifierSignature } from "./mutations/signature.js";
+import { callSignIn } from "./mutations/signin.js";
+import { callVerifier } from "./mutations/verifier.js";
+import { mutatePasskeyInsert, mutatePasskeyUpdateCounter, mutateVerifierDelete, queryPasskeyByCredentialId, queryPasskeysByUserId, queryUserById, queryUserByVerifiedEmail, queryVerifierById } from "./types.js";
+import { sha256 } from "@oslojs/crypto/sha2";
+import { decodeBase64urlIgnorePadding, encodeBase64urlNoPadding } from "@oslojs/encoding";
+import { Fx } from "@robelest/fx";
+import { decodePKIXECDSASignature, decodeSEC1PublicKey, p256, verifyECDSASignature } from "@oslojs/crypto/ecdsa";
+import { RSAPublicKey, decodePKCS1RSAPublicKey, sha256ObjectIdentifier, verifyRSASSAPKCS1v15Signature } from "@oslojs/crypto/rsa";
+import { COSEKeyType, ClientDataType, coseAlgorithmES256, coseAlgorithmRS256, createAssertionSignatureMessage, parseAttestationObject, parseAuthenticatorData, parseClientDataJSON } from "@oslojs/webauthn";
+
+//#region src/server/passkey.ts
+/**
+* Server-side WebAuthn ceremony logic for passkey authentication.
+*
+* Handles the four phases of the WebAuthn flow:
+* 1. registerOptions — generate PublicKeyCredentialCreationOptions
+* 2. registerVerify — verify attestation and store credential
+* 3. authOptions — generate PublicKeyCredentialRequestOptions
+* 4. authVerify — verify assertion signature and sign in
+*
+* Uses `@oslojs/webauthn` for attestation/assertion parsing and
+* `@oslojs/crypto` for signature verification.
+*
+* All functions return `Fx<A, AuthError>` composed via `Fx.chain` pipelines.
+*
+* @module
+*/
+/**
+* Resolve passkey relying party options from provider config and environment.
+*
+* Returns `Fx<RpOptions, AuthError>` — fails if neither SITE_URL nor rpId
+* is configured.
+*/
+const resolveRpOptionsFx = (provider) => {
+	const siteUrl = process.env.SITE_URL;
+	const hasSiteUrl = siteUrl !== void 0 && siteUrl !== "";
+	const hasRpId = provider.options.rpId !== void 0;
+	return Fx.succeed({
+		siteUrl,
+		hasSiteUrl,
+		hasRpId
+	}).pipe(Fx.chain(({ siteUrl: siteUrl$1, hasSiteUrl: hasSiteUrl$1, hasRpId: hasRpId$1 }) => !hasSiteUrl$1 && !hasRpId$1 ? Fx.fail(new AuthError("PASSKEY_MISSING_CONFIG", "Passkey provider requires SITE_URL env var (your frontend URL) or explicit rpId / origin in the provider config. CONVEX_SITE_URL cannot be used because WebAuthn RP ID must match the frontend domain.")) : Fx.succeed(siteUrl$1)), Fx.map((siteUrl$1) => {
+		const siteHostname = siteUrl$1 ? new URL(siteUrl$1).hostname : void 0;
+		return {
+			rpName: provider.options.rpName ?? siteHostname ?? "localhost",
+			rpId: provider.options.rpId ?? siteHostname ?? "localhost",
+			origin: provider.options.origin ?? siteUrl$1 ?? "http://localhost",
+			attestation: provider.options.attestation ?? "none",
+			userVerification: provider.options.userVerification ?? "required",
+			residentKey: provider.options.residentKey ?? "preferred",
+			authenticatorAttachment: provider.options.authenticatorAttachment,
+			algorithms: provider.options.algorithms ?? [coseAlgorithmES256, coseAlgorithmRS256],
+			challengeExpirationMs: provider.options.challengeExpirationMs ?? 3e5
+		};
+	}));
+};
+/** Verify client data type matches expected WebAuthn ceremony type. */
+const verifyClientDataType = (expectedType, label) => (clientData) => clientData.type === expectedType ? Fx.succeed(clientData) : Fx.fail(new AuthError("PASSKEY_INVALID_CLIENT_DATA", `Invalid client data type: expected ${label}`));
+/** Verify origin is in the allowed list. */
+const verifyOrigin = (rp) => (clientData) => {
+	const allowed = Array.isArray(rp.origin) ? rp.origin : [rp.origin];
+	return allowed.includes(clientData.origin) ? Fx.succeed(clientData) : Fx.fail(new AuthError("PASSKEY_INVALID_ORIGIN", `Invalid origin: ${clientData.origin}, expected one of: ${allowed.join(", ")}`));
+};
+/** Verify the challenge hash matches the stored verifier, then delete verifier. */
+const verifyAndConsumeChallenge = (ctx, verifierValue) => (clientData) => {
+	const challengeHash = encodeBase64urlNoPadding(new Uint8Array(sha256(clientData.challenge)));
+	return Fx.from({
+		ok: () => queryVerifierById(ctx, verifierValue),
+		err: () => new AuthError("PASSKEY_INVALID_CHALLENGE")
+	}).pipe(Fx.chain((doc) => !doc || doc.signature !== challengeHash ? Fx.fail(new AuthError("PASSKEY_INVALID_CHALLENGE")) : Fx.succeed(doc)), Fx.chain(() => Fx.from({
+		ok: () => mutateVerifierDelete(ctx, verifierValue),
+		err: () => new AuthError("PASSKEY_INVALID_CHALLENGE")
+	})), Fx.map(() => clientData));
+};
+/** Verify RP ID hash matches. */
+const verifyRpId = (rpId) => (authData) => authData.verifyRelyingPartyIdHash(rpId) ? Fx.succeed(authData) : Fx.fail(new AuthError("PASSKEY_RP_MISMATCH"));
+/** Verify user presence and (optionally) user verification flags. */
+const verifyUserFlags = (rp) => (authData) => !authData.userPresent ? Fx.fail(new AuthError("PASSKEY_USER_PRESENCE")) : rp.userVerification === "required" && !authData.userVerified ? Fx.fail(new AuthError("PASSKEY_USER_VERIFICATION")) : Fx.succeed(authData);
+const PASSKEY_FLOW = {
+	registerOptions: "registerOptions",
+	registerVerify: "registerVerify",
+	authOptions: "authOptions",
+	authVerify: "authVerify"
+};
+const PASSKEY_FLOWS = [
+	PASSKEY_FLOW.registerOptions,
+	PASSKEY_FLOW.registerVerify,
+	PASSKEY_FLOW.authOptions,
+	PASSKEY_FLOW.authVerify
+];
+const resolvePasskeyDispatchFx = (params) => {
+	const flow = params.flow;
+	return typeof flow === "string" && PASSKEY_FLOWS.includes(flow) ? Fx.succeed({ flow }) : Fx.fail(new AuthError("PASSKEY_MISSING_FLOW", "Missing `flow` parameter. Expected one of: registerOptions, registerVerify, authOptions, authVerify"));
+};
+const requirePasskeyVerifierFx = (verifier) => verifier != null ? Fx.succeed(verifier) : Fx.fail(new AuthError("PASSKEY_MISSING_VERIFIER"));
+/**
+* Main passkey handler dispatched from signIn.ts.
+*
+* Routes to the appropriate phase based on `params.flow` via `dispatchFx`.
+*/
+function handlePasskeyFx(ctx, provider, args) {
+	const params = args.params ?? {};
+	return resolvePasskeyDispatchFx(params).pipe(Fx.chain((dispatch) => {
+		return Fx.match(dispatch).on("flow", {
+			registerOptions: (_) => Fx.zip(Fx.from({
+				ok: () => ctx.auth.getUserIdentity(),
+				err: () => new AuthError("PASSKEY_AUTH_REQUIRED")
+			}).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(userIdFromIdentitySubject(id.subject)))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => {
+				const challenge = new Uint8Array(32);
+				crypto.getRandomValues(challenge);
+				const challengeHash = encodeBase64urlNoPadding(new Uint8Array(sha256(challenge)));
+				return Fx.from({
+					ok: async () => {
+						const verifier = await callVerifier(ctx);
+						await callVerifierSignature(ctx, {
+							verifier,
+							signature: challengeHash
+						});
+						const user = await queryUserById(ctx, userId);
+						const userName = params.userName ?? user?.email ?? "user";
+						const userDisplayName = params.userDisplayName ?? user?.name ?? userName;
+						const excludeCredentials = (await queryPasskeysByUserId(ctx, userId)).map((pk) => ({
+							id: pk.credentialId,
+							transports: pk.transports
+						}));
+						const userHandle = encodeBase64urlNoPadding(new TextEncoder().encode(userId));
+						return {
+							kind: "passkeyOptions",
+							options: {
+								rp: {
+									name: rp.rpName,
+									id: rp.rpId
+								},
+								user: {
+									id: userHandle,
+									name: userName,
+									displayName: userDisplayName
+								},
+								challenge: encodeBase64urlNoPadding(challenge),
+								pubKeyCredParams: rp.algorithms.map((alg) => ({
+									type: "public-key",
+									alg
+								})),
+								timeout: rp.challengeExpirationMs,
+								attestation: rp.attestation,
+								authenticatorSelection: {
+									residentKey: rp.residentKey,
+									requireResidentKey: rp.residentKey === "required",
+									userVerification: rp.userVerification,
+									...rp.authenticatorAttachment ? { authenticatorAttachment: rp.authenticatorAttachment } : {}
+								},
+								excludeCredentials
+							},
+							verifier
+						};
+					},
+					err: () => new AuthError("INTERNAL_ERROR")
+				});
+			})),
+			registerVerify: (_) => Fx.zip(Fx.from({
+				ok: () => ctx.auth.getUserIdentity(),
+				err: () => new AuthError("PASSKEY_AUTH_REQUIRED")
+			}).pipe(Fx.chain((id) => id === null ? Fx.fail(new AuthError("PASSKEY_AUTH_REQUIRED")) : Fx.succeed(userIdFromIdentitySubject(id.subject)))), resolveRpOptionsFx(provider)).pipe(Fx.chain(([userId, rp]) => requirePasskeyVerifierFx(args.verifier).pipe(Fx.chain((verifier) => {
+				const clientData = parseClientDataJSON(decodeBase64urlIgnorePadding(params.clientDataJSON));
+				return Fx.succeed(clientData).pipe(Fx.chain(verifyClientDataType(ClientDataType.Create, "webauthn.create")), Fx.chain(verifyOrigin(rp)), Fx.chain(verifyAndConsumeChallenge(ctx, verifier)), Fx.map(() => {
+					return parseAttestationObject(decodeBase64urlIgnorePadding(params.attestationObject)).authenticatorData;
+				})).pipe(Fx.chain(verifyRpId(rp.rpId)), Fx.chain(verifyUserFlags(rp)), Fx.chain((authData) => {
+					if (authData.credential == null) return Fx.fail(new AuthError("PASSKEY_NO_CREDENTIAL"));
+					return Fx.succeed({
+						authData,
+						credential: authData.credential
+					});
+				}), Fx.chain(({ authData, credential }) => {
+					const credentialId = encodeBase64urlNoPadding(credential.id);
+					const publicKey = credential.publicKey;
+					let algorithm;
+					if (publicKey.isAlgorithmDefined()) algorithm = publicKey.algorithm();
+					else {
+						const keyType = publicKey.type();
+						algorithm = keyType === COSEKeyType.EC2 ? coseAlgorithmES256 : keyType === COSEKeyType.RSA ? coseAlgorithmRS256 : coseAlgorithmES256;
+					}
+					const handler = {
+						[coseAlgorithmES256]: () => {
+							const ec2 = publicKey.ec2();
+							const xBytes = new Uint8Array(32);
+							let vx = ec2.x;
+							for (let i = 31; i >= 0; i--) {
+								xBytes[i] = Number(vx & 255n);
+								vx >>= 8n;
+							}
+							const yBytes = new Uint8Array(32);
+							let vy = ec2.y;
+							for (let i = 31; i >= 0; i--) {
+								yBytes[i] = Number(vy & 255n);
+								vy >>= 8n;
+							}
+							const bytes = new Uint8Array(65);
+							bytes[0] = 4;
+							bytes.set(xBytes, 1);
+							bytes.set(yBytes, 33);
+							return Fx.succeed(bytes);
+						},
+						[coseAlgorithmRS256]: () => {
+							const rsa = publicKey.rsa();
+							const rsaPubKey = new RSAPublicKey(rsa.n, rsa.e);
+							return Fx.succeed(rsaPubKey.encodePKCS1());
+						}
+					}[algorithm];
+					return (handler ? handler() : Fx.fail(new AuthError("PASSKEY_UNSUPPORTED_ALGORITHM", `Unsupported algorithm: ${algorithm}`))).pipe(Fx.chain((publicKeyBytes) => Fx.from({
+						ok: async () => {
+							const deviceType = params.deviceType ?? "single-device";
+							const backedUp = params.backedUp ?? false;
+							await authDb(ctx, ctx.auth.config).accounts.create({
+								userId,
+								provider: provider.id,
+								providerAccountId: credentialId
+							});
+							await mutatePasskeyInsert(ctx, {
+								userId,
+								credentialId,
+								publicKey: publicKeyBytes.buffer.slice(publicKeyBytes.byteOffset, publicKeyBytes.byteOffset + publicKeyBytes.byteLength),
+								algorithm,
+								counter: authData.signatureCounter,
+								transports: params.transports,
+								deviceType,
+								backedUp,
+								name: params.passkeyName,
+								createdAt: Date.now()
+							});
+							return {
+								kind: "signedIn",
+								signedIn: await callSignIn(ctx, {
+									userId,
+									generateTokens: true
+								})
+							};
+						},
+						err: () => new AuthError("INTERNAL_ERROR")
+					})));
+				}));
+			})))),
+			authOptions: (_) => resolveRpOptionsFx(provider).pipe(Fx.chain((rp) => {
+				const challenge = new Uint8Array(32);
+				crypto.getRandomValues(challenge);
+				const challengeHash = encodeBase64urlNoPadding(new Uint8Array(sha256(challenge)));
+				return Fx.from({
+					ok: async () => {
+						const verifier = await callVerifier(ctx);
+						await callVerifierSignature(ctx, {
+							verifier,
+							signature: challengeHash
+						});
+						let allowCredentials;
+						if (params.email) {
+							const user = await queryUserByVerifiedEmail(ctx, params.email);
+							if (user) {
+								const passkeys = await queryPasskeysByUserId(ctx, user._id);
+								if (passkeys.length > 0) allowCredentials = passkeys.map((pk) => ({
+									type: "public-key",
+									id: pk.credentialId,
+									transports: pk.transports
+								}));
+							}
+						}
+						const options = {
+							challenge: encodeBase64urlNoPadding(challenge),
+							timeout: rp.challengeExpirationMs,
+							rpId: rp.rpId,
+							userVerification: rp.userVerification
+						};
+						if (allowCredentials) options.allowCredentials = allowCredentials;
+						return {
+							kind: "passkeyOptions",
+							options,
+							verifier
+						};
+					},
+					err: () => new AuthError("INTERNAL_ERROR")
+				});
+			})),
+			authVerify: (_) => Fx.zip(resolveRpOptionsFx(provider), requirePasskeyVerifierFx(args.verifier)).pipe(Fx.chain(([rp, verifier]) => {
+				const clientDataJSON = decodeBase64urlIgnorePadding(params.clientDataJSON);
+				const clientData = parseClientDataJSON(clientDataJSON);
+				return Fx.succeed(clientData).pipe(Fx.chain(verifyClientDataType(ClientDataType.Get, "webauthn.get")), Fx.chain(verifyOrigin(rp)), Fx.chain(verifyAndConsumeChallenge(ctx, verifier)), Fx.chain(() => params.credentialId != null ? Fx.succeed(params.credentialId) : Fx.fail(new AuthError("PASSKEY_UNKNOWN_CREDENTIAL", "Missing credential ID")))).pipe(Fx.chain((credentialId) => Fx.from({
+					ok: () => queryPasskeyByCredentialId(ctx, credentialId),
+					err: () => new AuthError("PASSKEY_UNKNOWN_CREDENTIAL")
+				}).pipe(Fx.chain((passkey) => passkey ? Fx.succeed(passkey) : Fx.fail(new AuthError("PASSKEY_UNKNOWN_CREDENTIAL", "Unknown credential"))))), Fx.chain((passkey) => {
+					const authenticatorDataBytes = decodeBase64urlIgnorePadding(params.authenticatorData);
+					const authenticatorData = parseAuthenticatorData(authenticatorDataBytes);
+					const signature = decodeBase64urlIgnorePadding(params.signature);
+					const messageHash = sha256(createAssertionSignatureMessage(authenticatorDataBytes, clientDataJSON));
+					return Fx.succeed(authenticatorData).pipe(Fx.chain(verifyRpId(rp.rpId)), Fx.chain(verifyUserFlags(rp))).pipe(Fx.chain(() => {
+						const storedPublicKeyBytes = new Uint8Array(passkey.publicKey);
+						const handler = {
+							[coseAlgorithmES256]: () => {
+								return verifyECDSASignature(decodeSEC1PublicKey(p256, storedPublicKeyBytes), messageHash, decodePKIXECDSASignature(signature)) ? Fx.succeed(void 0) : Fx.fail(new AuthError("PASSKEY_INVALID_SIGNATURE"));
+							},
+							[coseAlgorithmRS256]: () => {
+								return verifyRSASSAPKCS1v15Signature(decodePKCS1RSAPublicKey(storedPublicKeyBytes), sha256ObjectIdentifier, messageHash, signature) ? Fx.succeed(void 0) : Fx.fail(new AuthError("PASSKEY_INVALID_SIGNATURE"));
+							}
+						}[passkey.algorithm];
+						return handler ? handler() : Fx.fail(new AuthError("PASSKEY_UNSUPPORTED_ALGORITHM", `Unsupported algorithm: ${passkey.algorithm}`));
+					})).pipe(Fx.chain(() => passkey.counter !== 0 && authenticatorData.signatureCounter !== 0 && authenticatorData.signatureCounter <= passkey.counter ? Fx.fail(new AuthError("PASSKEY_COUNTER_ERROR")) : Fx.succeed(authenticatorData))).pipe(Fx.chain(() => Fx.from({
+						ok: async () => {
+							await mutatePasskeyUpdateCounter(ctx, passkey._id, authenticatorData.signatureCounter, Date.now());
+							return {
+								kind: "signedIn",
+								signedIn: await callSignIn(ctx, {
+									userId: passkey.userId,
+									generateTokens: true
+								})
+							};
+						},
+						err: () => new AuthError("INTERNAL_ERROR")
+					})));
+				}));
+			}))
+		});
+	}));
+}
+
+//#endregion
+export { handlePasskeyFx };
+//# sourceMappingURL=passkey.js.map

package/dist/component/server/passkey.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"passkey.js","names":["hasSiteUrl","hasRpId","siteUrl"],"sources":["../../../src/server/passkey.ts"],"sourcesContent":["/**\n * Server-side WebAuthn ceremony logic for passkey authentication.\n *\n * Handles the four phases of the WebAuthn flow:\n * 1. registerOptions — generate PublicKeyCredentialCreationOptions\n * 2. registerVerify — verify attestation and store credential\n * 3. authOptions — generate PublicKeyCredentialRequestOptions\n * 4. authVerify — verify assertion signature and sign in\n *\n * Uses `@oslojs/webauthn` for attestation/assertion parsing and\n * `@oslojs/crypto` for signature verification.\n *\n * All functions return `Fx<A, AuthError>` composed via `Fx.chain` pipelines.\n *\n * @module\n */\n\nimport {\n  p256,\n  verifyECDSASignature,\n  decodeSEC1PublicKey,\n  decodePKIXECDSASignature,\n} from \"@oslojs/crypto/ecdsa\";\nimport {\n  RSAPublicKey,\n  decodePKCS1RSAPublicKey,\n  sha256ObjectIdentifier,\n  verifyRSASSAPKCS1v15Signature,\n} from \"@oslojs/crypto/rsa\";\nimport { sha256 } from \"@oslojs/crypto/sha2\";\nimport {\n  encodeBase64urlNoPadding,\n  decodeBase64urlIgnorePadding,\n} from \"@oslojs/encoding\";\nimport {\n  parseAttestationObject,\n  parseClientDataJSON,\n  parseAuthenticatorData,\n  createAssertionSignatureMessage,\n  ClientDataType,\n  coseAlgorithmES256,\n  coseAlgorithmRS256,\n  COSEKeyType,\n} from \"@oslojs/webauthn\";\nimport type { Fx as FxType } from \"@robelest/fx\";\n\nimport { authDb } from \"./db\";\nimport { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./authError\";\nimport { userIdFromIdentitySubject } from \"./identity\";\nimport { callSignIn, callVerifier } from \"./mutations/index\";\nimport { callVerifierSignature } from \"./mutations/signature\";\nimport { PasskeyProviderConfig, GenericActionCtxWithAuthConfig } from \"./types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  queryUserById,\n  queryUserByVerifiedEmail,\n  queryPasskeysByUserId,\n  queryPasskeyByCredentialId,\n  queryVerifierById,\n  mutatePasskeyInsert,\n  mutatePasskeyUpdateCounter,\n  mutateVerifierDelete,\n} from \"./types\";\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n// ============================================================================\n// Resolve RP options — Fx pipeline with validation\n// ============================================================================\n\n/** Resolved relying party configuration. */\ninterface RpOptions {\n  rpName: string;\n  rpId: string;\n  origin: string | string[];\n  attestation: string;\n  userVerification: string;\n  residentKey: string;\n  authenticatorAttachment?: string;\n  algorithms: number[];\n  challengeExpirationMs: number;\n}\n\n/**\n * Resolve passkey relying party options from provider config and environment.\n *\n * Returns `Fx<RpOptions, AuthError>` — fails if neither SITE_URL nor rpId\n * is configured.\n */\nconst resolveRpOptionsFx = (\n  provider: PasskeyProviderConfig,\n): FxType<RpOptions, AuthError> => {\n  const siteUrl = process.env.SITE_URL;\n  const hasSiteUrl = siteUrl !== undefined && siteUrl !== \"\";\n  const hasRpId = provider.options.rpId !== undefined;\n\n  return Fx.succeed({ siteUrl, hasSiteUrl, hasRpId }).pipe(\n    Fx.chain(({ siteUrl, hasSiteUrl, hasRpId }) =>\n      !hasSiteUrl && !hasRpId\n        ? Fx.fail(\n            new AuthError(\n              \"PASSKEY_MISSING_CONFIG\",\n              \"Passkey provider requires SITE_URL env var (your frontend URL) \" +\n                \"or explicit rpId / origin in the provider config. \" +\n                \"CONVEX_SITE_URL cannot be used because WebAuthn RP ID must match the frontend domain.\",\n            ),\n          )\n        : Fx.succeed(siteUrl),\n    ),\n    Fx.map((siteUrl) => {\n      const siteHostname = siteUrl ? new URL(siteUrl).hostname : undefined;\n      return {\n        rpName: provider.options.rpName ?? siteHostname ?? \"localhost\",\n        rpId: provider.options.rpId ?? siteHostname ?? \"localhost\",\n        origin: provider.options.origin ?? siteUrl ?? \"http://localhost\",\n        attestation: provider.options.attestation ?? \"none\",\n        userVerification: provider.options.userVerification ?? \"required\",\n        residentKey: provider.options.residentKey ?? \"preferred\",\n        authenticatorAttachment: provider.options.authenticatorAttachment,\n        algorithms: provider.options.algorithms ?? [\n          coseAlgorithmES256,\n          coseAlgorithmRS256,\n        ],\n        challengeExpirationMs:\n          provider.options.challengeExpirationMs ?? 300_000,\n      };\n    }),\n  );\n};\n\n// ============================================================================\n// Composable validators — small functions (A) => Fx<B, AuthError>\n// ============================================================================\n\n/** Verify client data type matches expected WebAuthn ceremony type. */\nconst verifyClientDataType =\n  <T extends { type: ClientDataType }>(\n    expectedType: ClientDataType,\n    label: string,\n  ) =>\n  (clientData: T): FxType<T, AuthError> =>\n    clientData.type === expectedType\n      ? Fx.succeed(clientData)\n      : Fx.fail(\n          new AuthError(\n            \"PASSKEY_INVALID_CLIENT_DATA\",\n            `Invalid client data type: expected ${label}`,\n          ),\n        );\n\n/** Verify origin is in the allowed list. */\nconst verifyOrigin =\n  (rp: RpOptions) =>\n  <T extends { origin: string }>(clientData: T): FxType<T, AuthError> => {\n    const allowed = Array.isArray(rp.origin) ? rp.origin : [rp.origin];\n    return allowed.includes(clientData.origin)\n      ? Fx.succeed(clientData)\n      : Fx.fail(\n          new AuthError(\n            \"PASSKEY_INVALID_ORIGIN\",\n            `Invalid origin: ${clientData.origin}, expected one of: ${allowed.join(\", \")}`,\n          ),\n        );\n  };\n\n/** Verify the challenge hash matches the stored verifier, then delete verifier. */\nconst verifyAndConsumeChallenge =\n  (ctx: EnrichedActionCtx, verifierValue: string) =>\n  <T extends { challenge: Uint8Array }>(\n    clientData: T,\n  ): FxType<T, AuthError> => {\n    const challengeHash = encodeBase64urlNoPadding(\n      new Uint8Array(sha256(clientData.challenge)),\n    );\n    return Fx.from({\n      ok: () => queryVerifierById(ctx, verifierValue),\n      err: () => new AuthError(\"PASSKEY_INVALID_CHALLENGE\"),\n    }).pipe(\n      Fx.chain((doc) =>\n        !doc || doc.signature !== challengeHash\n          ? Fx.fail(new AuthError(\"PASSKEY_INVALID_CHALLENGE\"))\n          : Fx.succeed(doc),\n      ),\n      Fx.chain(() =>\n        Fx.from({\n          ok: () => mutateVerifierDelete(ctx, verifierValue),\n          err: () => new AuthError(\"PASSKEY_INVALID_CHALLENGE\"),\n        }),\n      ),\n      Fx.map(() => clientData),\n    );\n  };\n\n/** Verify RP ID hash matches. */\nconst verifyRpId =\n  (rpId: string) =>\n  <T extends { verifyRelyingPartyIdHash: (id: string) => boolean }>(\n    authData: T,\n  ): FxType<T, AuthError> =>\n    authData.verifyRelyingPartyIdHash(rpId)\n      ? Fx.succeed(authData)\n      : Fx.fail(new AuthError(\"PASSKEY_RP_MISMATCH\"));\n\n/** Verify user presence and (optionally) user verification flags. */\nconst verifyUserFlags =\n  (rp: RpOptions) =>\n  <T extends { userPresent: boolean; userVerified: boolean }>(\n    authData: T,\n  ): FxType<T, AuthError> =>\n    !authData.userPresent\n      ? Fx.fail(new AuthError(\"PASSKEY_USER_PRESENCE\"))\n      : rp.userVerification === \"required\" && !authData.userVerified\n        ? Fx.fail(new AuthError(\"PASSKEY_USER_VERIFICATION\"))\n        : Fx.succeed(authData);\n\n// ============================================================================\n// Registration flow\n// ============================================================================\n\n// ============================================================================\n// Authentication flow\n// ============================================================================\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\n/** Result type for all passkey flows. */\ntype PasskeyResult =\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string };\n\nconst PASSKEY_FLOW = {\n  registerOptions: \"registerOptions\",\n  registerVerify: \"registerVerify\",\n  authOptions: \"authOptions\",\n  authVerify: \"authVerify\",\n} as const;\n\nconst PASSKEY_FLOWS = [\n  PASSKEY_FLOW.registerOptions,\n  PASSKEY_FLOW.registerVerify,\n  PASSKEY_FLOW.authOptions,\n  PASSKEY_FLOW.authVerify,\n] as const;\n\ntype PasskeyDispatch =\n  | { flow: typeof PASSKEY_FLOW.registerOptions }\n  | { flow: typeof PASSKEY_FLOW.registerVerify }\n  | { flow: typeof PASSKEY_FLOW.authOptions }\n  | { flow: typeof PASSKEY_FLOW.authVerify };\n\nconst resolvePasskeyDispatchFx = (\n  params: Record<string, unknown>,\n): FxType<PasskeyDispatch, AuthError> => {\n  const flow = params.flow;\n  return typeof flow === \"string\" && PASSKEY_FLOWS.includes(flow as never)\n    ? Fx.succeed({ flow: flow as (typeof PASSKEY_FLOWS)[number] })\n    : Fx.fail(\n        new AuthError(\n          \"PASSKEY_MISSING_FLOW\",\n          \"Missing `flow` parameter. Expected one of: registerOptions, registerVerify, authOptions, authVerify\",\n        ),\n      );\n};\n\nconst requirePasskeyVerifierFx = (\n  verifier: string | undefined,\n): FxType<string, AuthError> =>\n  verifier != null\n    ? Fx.succeed(verifier)\n    : Fx.fail(new AuthError(\"PASSKEY_MISSING_VERIFIER\"));\n\n/**\n * Main passkey handler dispatched from signIn.ts.\n *\n * Routes to the appropriate phase based on `params.flow` via `dispatchFx`.\n */\nexport function handlePasskeyFx(\n  ctx: EnrichedActionCtx,\n  provider: PasskeyProviderConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n): FxType<PasskeyResult, AuthError> {\n  const params = (args.params ?? {}) as Record<string, any>;\n\n  return resolvePasskeyDispatchFx(params).pipe(\n    Fx.chain((dispatch) => {\n      const flowFx: FxType<PasskeyResult, AuthError> = Fx.match(dispatch).on(\n        \"flow\",\n        {\n          registerOptions: (_) =>\n            Fx.zip(\n              Fx.from({\n                ok: () => ctx.auth.getUserIdentity(),\n                err: () => new AuthError(\"PASSKEY_AUTH_REQUIRED\"),\n              }).pipe(\n                Fx.chain((id) =>\n                  id === null\n                    ? Fx.fail(new AuthError(\"PASSKEY_AUTH_REQUIRED\"))\n                    : Fx.succeed(userIdFromIdentitySubject(id.subject)),\n                ),\n              ),\n              resolveRpOptionsFx(provider),\n            ).pipe(\n              Fx.chain(([userId, rp]) => {\n                const challenge = new Uint8Array(32);\n                crypto.getRandomValues(challenge);\n                const challengeHash = encodeBase64urlNoPadding(\n                  new Uint8Array(sha256(challenge)),\n                );\n\n                return Fx.from({\n                  ok: async () => {\n                    const verifier = await callVerifier(ctx);\n                    await callVerifierSignature(ctx, {\n                      verifier,\n                      signature: challengeHash,\n                    });\n\n                    const user = await queryUserById(ctx, userId);\n                    const userName = params.userName ?? user?.email ?? \"user\";\n                    const userDisplayName =\n                      params.userDisplayName ?? user?.name ?? userName;\n\n                    const existing = await queryPasskeysByUserId(ctx, userId);\n                    const excludeCredentials = existing.map((pk) => ({\n                      id: pk.credentialId,\n                      transports: pk.transports,\n                    }));\n\n                    const userHandle = encodeBase64urlNoPadding(\n                      new TextEncoder().encode(userId),\n                    );\n\n                    const options = {\n                      rp: { name: rp.rpName, id: rp.rpId },\n                      user: {\n                        id: userHandle,\n                        name: userName,\n                        displayName: userDisplayName,\n                      },\n                      challenge: encodeBase64urlNoPadding(challenge),\n                      pubKeyCredParams: rp.algorithms.map((alg) => ({\n                        type: \"public-key\" as const,\n                        alg,\n                      })),\n                      timeout: rp.challengeExpirationMs,\n                      attestation: rp.attestation,\n                      authenticatorSelection: {\n                        residentKey: rp.residentKey,\n                        requireResidentKey: rp.residentKey === \"required\",\n                        userVerification: rp.userVerification,\n                        ...(rp.authenticatorAttachment\n                          ? {\n                              authenticatorAttachment:\n                                rp.authenticatorAttachment,\n                            }\n                          : {}),\n                      },\n                      excludeCredentials,\n                    };\n\n                    return {\n                      kind: \"passkeyOptions\" as const,\n                      options,\n                      verifier,\n                    };\n                  },\n                  err: () => new AuthError(\"INTERNAL_ERROR\"),\n                });\n              }),\n            ),\n          registerVerify: (_) =>\n            Fx.zip(\n              Fx.from({\n                ok: () => ctx.auth.getUserIdentity(),\n                err: () => new AuthError(\"PASSKEY_AUTH_REQUIRED\"),\n              }).pipe(\n                Fx.chain((id) =>\n                  id === null\n                    ? Fx.fail(new AuthError(\"PASSKEY_AUTH_REQUIRED\"))\n                    : Fx.succeed(userIdFromIdentitySubject(id.subject)),\n                ),\n              ),\n              resolveRpOptionsFx(provider),\n            ).pipe(\n              Fx.chain(([userId, rp]) =>\n                requirePasskeyVerifierFx(args.verifier).pipe(\n                  Fx.chain((verifier) => {\n                    const clientDataJSON = decodeBase64urlIgnorePadding(\n                      params.clientDataJSON,\n                    );\n                    const clientData = parseClientDataJSON(clientDataJSON);\n\n                    const verifiedClientDataFx = Fx.succeed(clientData).pipe(\n                      Fx.chain(\n                        verifyClientDataType(\n                          ClientDataType.Create,\n                          \"webauthn.create\",\n                        ),\n                      ),\n                      Fx.chain(verifyOrigin(rp)),\n                      Fx.chain(verifyAndConsumeChallenge(ctx, verifier)),\n                      Fx.map(() => {\n                        const attestationObjectBytes =\n                          decodeBase64urlIgnorePadding(\n                            params.attestationObject,\n                          );\n                        const attestation = parseAttestationObject(\n                          attestationObjectBytes,\n                        );\n                        return attestation.authenticatorData;\n                      }),\n                    );\n\n                    return verifiedClientDataFx.pipe(\n                      Fx.chain(verifyRpId(rp.rpId)),\n                      Fx.chain(verifyUserFlags(rp)),\n                      Fx.chain((authData) => {\n                        if (authData.credential == null) {\n                          return Fx.fail(\n                            new AuthError(\"PASSKEY_NO_CREDENTIAL\"),\n                          );\n                        }\n                        return Fx.succeed({\n                          authData,\n                          credential: authData.credential,\n                        });\n                      }),\n                      Fx.chain(({ authData, credential }) => {\n                        const credentialId = encodeBase64urlNoPadding(\n                          credential.id,\n                        );\n                        const publicKey = credential.publicKey;\n\n                        let algorithm: number;\n                        if (publicKey.isAlgorithmDefined()) {\n                          algorithm = publicKey.algorithm();\n                        } else {\n                          const keyType = publicKey.type();\n                          algorithm =\n                            keyType === COSEKeyType.EC2\n                              ? coseAlgorithmES256\n                              : keyType === COSEKeyType.RSA\n                                ? coseAlgorithmRS256\n                                : coseAlgorithmES256;\n                        }\n\n                        const handlers: Record<\n                          number,\n                          (() => FxType<Uint8Array, AuthError>) | undefined\n                        > = {\n                          [coseAlgorithmES256]: () => {\n                            const ec2 = publicKey.ec2();\n                            const xBytes = new Uint8Array(32);\n                            let vx = ec2.x;\n                            for (let i = 31; i >= 0; i--) {\n                              xBytes[i] = Number(vx & 0xffn);\n                              vx >>= 8n;\n                            }\n                            const yBytes = new Uint8Array(32);\n                            let vy = ec2.y;\n                            for (let i = 31; i >= 0; i--) {\n                              yBytes[i] = Number(vy & 0xffn);\n                              vy >>= 8n;\n                            }\n                            const bytes = new Uint8Array(65);\n                            bytes[0] = 0x04;\n                            bytes.set(xBytes, 1);\n                            bytes.set(yBytes, 33);\n                            return Fx.succeed(bytes);\n                          },\n                          [coseAlgorithmRS256]: () => {\n                            const rsa = publicKey.rsa();\n                            const rsaPubKey = new RSAPublicKey(rsa.n, rsa.e);\n                            return Fx.succeed(rsaPubKey.encodePKCS1());\n                          },\n                        };\n\n                        const handler = handlers[algorithm];\n                        return (\n                          handler\n                            ? handler()\n                            : Fx.fail(\n                                new AuthError(\n                                  \"PASSKEY_UNSUPPORTED_ALGORITHM\",\n                                  `Unsupported algorithm: ${algorithm}`,\n                                ),\n                              )\n                        ).pipe(\n                          Fx.chain((publicKeyBytes) =>\n                            Fx.from({\n                              ok: async () => {\n                                const deviceType =\n                                  params.deviceType ?? \"single-device\";\n                                const backedUp = params.backedUp ?? false;\n\n                                const db = authDb(ctx, ctx.auth.config);\n                                await db.accounts.create({\n                                  userId,\n                                  provider: provider.id,\n                                  providerAccountId: credentialId,\n                                });\n\n                                await mutatePasskeyInsert(ctx, {\n                                  userId,\n                                  credentialId,\n                                  publicKey: publicKeyBytes.buffer.slice(\n                                    publicKeyBytes.byteOffset,\n                                    publicKeyBytes.byteOffset +\n                                      publicKeyBytes.byteLength,\n                                  ),\n                                  algorithm,\n                                  counter: authData.signatureCounter,\n                                  transports: params.transports,\n                                  deviceType,\n                                  backedUp,\n                                  name: params.passkeyName,\n                                  createdAt: Date.now(),\n                                });\n\n                                const signInResult = await callSignIn(ctx, {\n                                  userId,\n                                  generateTokens: true,\n                                });\n\n                                return {\n                                  kind: \"signedIn\" as const,\n                                  signedIn: signInResult,\n                                };\n                              },\n                              err: () => new AuthError(\"INTERNAL_ERROR\"),\n                            }),\n                          ),\n                        );\n                      }),\n                    );\n                  }),\n                ),\n              ),\n            ),\n          authOptions: (_) =>\n            resolveRpOptionsFx(provider).pipe(\n              Fx.chain((rp) => {\n                const challenge = new Uint8Array(32);\n                crypto.getRandomValues(challenge);\n                const challengeHash = encodeBase64urlNoPadding(\n                  new Uint8Array(sha256(challenge)),\n                );\n\n                return Fx.from({\n                  ok: async () => {\n                    const verifier = await callVerifier(ctx);\n                    await callVerifierSignature(ctx, {\n                      verifier,\n                      signature: challengeHash,\n                    });\n\n                    let allowCredentials:\n                      | Array<{\n                          type: string;\n                          id: string;\n                          transports?: string[];\n                        }>\n                      | undefined;\n                    if (params.email) {\n                      const user = await queryUserByVerifiedEmail(\n                        ctx,\n                        params.email,\n                      );\n                      if (user) {\n                        const passkeys = await queryPasskeysByUserId(\n                          ctx,\n                          user._id,\n                        );\n                        if (passkeys.length > 0) {\n                          allowCredentials = passkeys.map((pk) => ({\n                            type: \"public-key\",\n                            id: pk.credentialId,\n                            transports: pk.transports,\n                          }));\n                        }\n                      }\n                    }\n\n                    const options: Record<string, any> = {\n                      challenge: encodeBase64urlNoPadding(challenge),\n                      timeout: rp.challengeExpirationMs,\n                      rpId: rp.rpId,\n                      userVerification: rp.userVerification,\n                    };\n\n                    if (allowCredentials) {\n                      options.allowCredentials = allowCredentials;\n                    }\n\n                    return {\n                      kind: \"passkeyOptions\" as const,\n                      options,\n                      verifier,\n                    };\n                  },\n                  err: () => new AuthError(\"INTERNAL_ERROR\"),\n                });\n              }),\n            ),\n          authVerify: (_) =>\n            Fx.zip(\n              resolveRpOptionsFx(provider),\n              requirePasskeyVerifierFx(args.verifier),\n            ).pipe(\n              Fx.chain(([rp, verifier]) => {\n                const clientDataJSON = decodeBase64urlIgnorePadding(\n                  params.clientDataJSON,\n                );\n                const clientData = parseClientDataJSON(clientDataJSON);\n\n                const verifiedClientDataFx = Fx.succeed(clientData).pipe(\n                  Fx.chain(\n                    verifyClientDataType(ClientDataType.Get, \"webauthn.get\"),\n                  ),\n                  Fx.chain(verifyOrigin(rp)),\n                  Fx.chain(verifyAndConsumeChallenge(ctx, verifier)),\n                  Fx.chain(() =>\n                    params.credentialId != null\n                      ? Fx.succeed(params.credentialId as string)\n                      : Fx.fail(\n                          new AuthError(\n                            \"PASSKEY_UNKNOWN_CREDENTIAL\",\n                            \"Missing credential ID\",\n                          ),\n                        ),\n                  ),\n                );\n\n                return verifiedClientDataFx.pipe(\n                  Fx.chain((credentialId) =>\n                    Fx.from({\n                      ok: () => queryPasskeyByCredentialId(ctx, credentialId),\n                      err: () => new AuthError(\"PASSKEY_UNKNOWN_CREDENTIAL\"),\n                    }).pipe(\n                      Fx.chain((passkey) =>\n                        passkey\n                          ? Fx.succeed(passkey)\n                          : Fx.fail(\n                              new AuthError(\n                                \"PASSKEY_UNKNOWN_CREDENTIAL\",\n                                \"Unknown credential\",\n                              ),\n                            ),\n                      ),\n                    ),\n                  ),\n                  Fx.chain((passkey) => {\n                    const authenticatorDataBytes = decodeBase64urlIgnorePadding(\n                      params.authenticatorData,\n                    );\n                    const authenticatorData = parseAuthenticatorData(\n                      authenticatorDataBytes,\n                    );\n\n                    const signature = decodeBase64urlIgnorePadding(\n                      params.signature,\n                    );\n                    const signatureMessage = createAssertionSignatureMessage(\n                      authenticatorDataBytes,\n                      clientDataJSON,\n                    );\n                    const messageHash = sha256(signatureMessage);\n\n                    const checkedAuthenticatorFx = Fx.succeed(\n                      authenticatorData,\n                    ).pipe(\n                      Fx.chain(verifyRpId(rp.rpId)),\n                      Fx.chain(verifyUserFlags(rp)),\n                    );\n\n                    const signatureVerifiedFx = checkedAuthenticatorFx.pipe(\n                      Fx.chain(() => {\n                        const storedPublicKeyBytes = new Uint8Array(\n                          passkey.publicKey,\n                        );\n                        const algorithmHandlers: Record<\n                          number,\n                          (() => FxType<void, AuthError>) | undefined\n                        > = {\n                          [coseAlgorithmES256]: () => {\n                            const ecPublicKey = decodeSEC1PublicKey(\n                              p256,\n                              storedPublicKeyBytes,\n                            );\n                            const ecdsaSignature =\n                              decodePKIXECDSASignature(signature);\n                            const valid = verifyECDSASignature(\n                              ecPublicKey,\n                              messageHash,\n                              ecdsaSignature,\n                            );\n                            return valid\n                              ? Fx.succeed(undefined as void)\n                              : Fx.fail(\n                                  new AuthError(\"PASSKEY_INVALID_SIGNATURE\"),\n                                );\n                          },\n                          [coseAlgorithmRS256]: () => {\n                            const rsaPublicKey =\n                              decodePKCS1RSAPublicKey(storedPublicKeyBytes);\n                            const valid = verifyRSASSAPKCS1v15Signature(\n                              rsaPublicKey,\n                              sha256ObjectIdentifier,\n                              messageHash,\n                              signature,\n                            );\n                            return valid\n                              ? Fx.succeed(undefined as void)\n                              : Fx.fail(\n                                  new AuthError(\"PASSKEY_INVALID_SIGNATURE\"),\n                                );\n                          },\n                        };\n\n                        const handler = algorithmHandlers[passkey.algorithm];\n                        return handler\n                          ? handler()\n                          : Fx.fail(\n                              new AuthError(\n                                \"PASSKEY_UNSUPPORTED_ALGORITHM\",\n                                `Unsupported algorithm: ${passkey.algorithm}`,\n                              ),\n                            );\n                      }),\n                    );\n\n                    const counterValidatedFx = signatureVerifiedFx.pipe(\n                      Fx.chain(() =>\n                        passkey.counter !== 0 &&\n                        authenticatorData.signatureCounter !== 0 &&\n                        authenticatorData.signatureCounter <= passkey.counter\n                          ? Fx.fail(new AuthError(\"PASSKEY_COUNTER_ERROR\"))\n                          : Fx.succeed(authenticatorData),\n                      ),\n                    );\n\n                    return counterValidatedFx.pipe(\n                      Fx.chain(() =>\n                        Fx.from({\n                          ok: async () => {\n                            await mutatePasskeyUpdateCounter(\n                              ctx,\n                              passkey._id,\n                              authenticatorData.signatureCounter,\n                              Date.now(),\n                            );\n\n                            const signInResult = await callSignIn(ctx, {\n                              userId: passkey.userId,\n                              generateTokens: true,\n                            });\n\n                            return {\n                              kind: \"signedIn\" as const,\n                              signedIn: signInResult,\n                            };\n                          },\n                          err: () => new AuthError(\"INTERNAL_ERROR\"),\n                        }),\n                      ),\n                    );\n                  }),\n                );\n              }),\n            ),\n        },\n      );\n      return flowFx;\n    }),\n  );\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4FA,MAAM,sBACJ,aACiC;CACjC,MAAM,UAAU,QAAQ,IAAI;CAC5B,MAAM,aAAa,YAAY,UAAa,YAAY;CACxD,MAAM,UAAU,SAAS,QAAQ,SAAS;AAE1C,QAAO,GAAG,QAAQ;EAAE;EAAS;EAAY;EAAS,CAAC,CAAC,KAClD,GAAG,OAAO,EAAE,oBAAS,0BAAY,yBAC/B,CAACA,gBAAc,CAACC,YACZ,GAAG,KACD,IAAI,UACF,0BACA,yMAGD,CACF,GACD,GAAG,QAAQC,UAAQ,CACxB,EACD,GAAG,KAAK,cAAY;EAClB,MAAM,eAAeA,YAAU,IAAI,IAAIA,UAAQ,CAAC,WAAW;AAC3D,SAAO;GACL,QAAQ,SAAS,QAAQ,UAAU,gBAAgB;GACnD,MAAM,SAAS,QAAQ,QAAQ,gBAAgB;GAC/C,QAAQ,SAAS,QAAQ,UAAUA,aAAW;GAC9C,aAAa,SAAS,QAAQ,eAAe;GAC7C,kBAAkB,SAAS,QAAQ,oBAAoB;GACvD,aAAa,SAAS,QAAQ,eAAe;GAC7C,yBAAyB,SAAS,QAAQ;GAC1C,YAAY,SAAS,QAAQ,cAAc,CACzC,oBACA,mBACD;GACD,uBACE,SAAS,QAAQ,yBAAyB;GAC7C;GACD,CACH;;;AAQH,MAAM,wBAEF,cACA,WAED,eACC,WAAW,SAAS,eAChB,GAAG,QAAQ,WAAW,GACtB,GAAG,KACD,IAAI,UACF,+BACA,sCAAsC,QACvC,CACF;;AAGT,MAAM,gBACH,QAC8B,eAAwC;CACrE,MAAM,UAAU,MAAM,QAAQ,GAAG,OAAO,GAAG,GAAG,SAAS,CAAC,GAAG,OAAO;AAClE,QAAO,QAAQ,SAAS,WAAW,OAAO,GACtC,GAAG,QAAQ,WAAW,GACtB,GAAG,KACD,IAAI,UACF,0BACA,mBAAmB,WAAW,OAAO,qBAAqB,QAAQ,KAAK,KAAK,GAC7E,CACF;;;AAIT,MAAM,6BACH,KAAwB,mBAEvB,eACyB;CACzB,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,WAAW,UAAU,CAAC,CAC7C;AACD,QAAO,GAAG,KAAK;EACb,UAAU,kBAAkB,KAAK,cAAc;EAC/C,WAAW,IAAI,UAAU,4BAA4B;EACtD,CAAC,CAAC,KACD,GAAG,OAAO,QACR,CAAC,OAAO,IAAI,cAAc,gBACtB,GAAG,KAAK,IAAI,UAAU,4BAA4B,CAAC,GACnD,GAAG,QAAQ,IAAI,CACpB,EACD,GAAG,YACD,GAAG,KAAK;EACN,UAAU,qBAAqB,KAAK,cAAc;EAClD,WAAW,IAAI,UAAU,4BAA4B;EACtD,CAAC,CACH,EACD,GAAG,UAAU,WAAW,CACzB;;;AAIL,MAAM,cACH,UAEC,aAEA,SAAS,yBAAyB,KAAK,GACnC,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC;;AAGrD,MAAM,mBACH,QAEC,aAEA,CAAC,SAAS,cACN,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,qBAAqB,cAAc,CAAC,SAAS,eAC9C,GAAG,KAAK,IAAI,UAAU,4BAA4B,CAAC,GACnD,GAAG,QAAQ,SAAS;AAmB9B,MAAM,eAAe;CACnB,iBAAiB;CACjB,gBAAgB;CAChB,aAAa;CACb,YAAY;CACb;AAED,MAAM,gBAAgB;CACpB,aAAa;CACb,aAAa;CACb,aAAa;CACb,aAAa;CACd;AAQD,MAAM,4BACJ,WACuC;CACvC,MAAM,OAAO,OAAO;AACpB,QAAO,OAAO,SAAS,YAAY,cAAc,SAAS,KAAc,GACpE,GAAG,QAAQ,EAAQ,MAAwC,CAAC,GAC5D,GAAG,KACD,IAAI,UACF,wBACA,sGACD,CACF;;AAGP,MAAM,4BACJ,aAEA,YAAY,OACR,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK,IAAI,UAAU,2BAA2B,CAAC;;;;;;AAOxD,SAAgB,gBACd,KACA,UACA,MAIkC;CAClC,MAAM,SAAU,KAAK,UAAU,EAAE;AAEjC,QAAO,yBAAyB,OAAO,CAAC,KACtC,GAAG,OAAO,aAAa;AAwerB,SAveiD,GAAG,MAAM,SAAS,CAAC,GAClE,QACA;GACE,kBAAkB,MAChB,GAAG,IACD,GAAG,KAAK;IACN,UAAU,IAAI,KAAK,iBAAiB;IACpC,WAAW,IAAI,UAAU,wBAAwB;IAClD,CAAC,CAAC,KACD,GAAG,OAAO,OACR,OAAO,OACH,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,QAAQ,0BAA0B,GAAG,QAAQ,CAAC,CACtD,CACF,EACD,mBAAmB,SAAS,CAC7B,CAAC,KACA,GAAG,OAAO,CAAC,QAAQ,QAAQ;IACzB,MAAM,YAAY,IAAI,WAAW,GAAG;AACpC,WAAO,gBAAgB,UAAU;IACjC,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,UAAU,CAAC,CAClC;AAED,WAAO,GAAG,KAAK;KACb,IAAI,YAAY;MACd,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,YAAM,sBAAsB,KAAK;OAC/B;OACA,WAAW;OACZ,CAAC;MAEF,MAAM,OAAO,MAAM,cAAc,KAAK,OAAO;MAC7C,MAAM,WAAW,OAAO,YAAY,MAAM,SAAS;MACnD,MAAM,kBACJ,OAAO,mBAAmB,MAAM,QAAQ;MAG1C,MAAM,sBADW,MAAM,sBAAsB,KAAK,OAAO,EACrB,KAAK,QAAQ;OAC/C,IAAI,GAAG;OACP,YAAY,GAAG;OAChB,EAAE;MAEH,MAAM,aAAa,yBACjB,IAAI,aAAa,CAAC,OAAO,OAAO,CACjC;AA8BD,aAAO;OACL,MAAM;OACN,SA9Bc;QACd,IAAI;SAAE,MAAM,GAAG;SAAQ,IAAI,GAAG;SAAM;QACpC,MAAM;SACJ,IAAI;SACJ,MAAM;SACN,aAAa;SACd;QACD,WAAW,yBAAyB,UAAU;QAC9C,kBAAkB,GAAG,WAAW,KAAK,SAAS;SAC5C,MAAM;SACN;SACD,EAAE;QACH,SAAS,GAAG;QACZ,aAAa,GAAG;QAChB,wBAAwB;SACtB,aAAa,GAAG;SAChB,oBAAoB,GAAG,gBAAgB;SACvC,kBAAkB,GAAG;SACrB,GAAI,GAAG,0BACH,EACE,yBACE,GAAG,yBACN,GACD,EAAE;SACP;QACD;QACD;OAKC;OACD;;KAEH,WAAW,IAAI,UAAU,iBAAiB;KAC3C,CAAC;KACF,CACH;GACH,iBAAiB,MACf,GAAG,IACD,GAAG,KAAK;IACN,UAAU,IAAI,KAAK,iBAAiB;IACpC,WAAW,IAAI,UAAU,wBAAwB;IAClD,CAAC,CAAC,KACD,GAAG,OAAO,OACR,OAAO,OACH,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,QAAQ,0BAA0B,GAAG,QAAQ,CAAC,CACtD,CACF,EACD,mBAAmB,SAAS,CAC7B,CAAC,KACA,GAAG,OAAO,CAAC,QAAQ,QACjB,yBAAyB,KAAK,SAAS,CAAC,KACtC,GAAG,OAAO,aAAa;IAIrB,MAAM,aAAa,oBAHI,6BACrB,OAAO,eACR,CACqD;AAuBtD,WArB6B,GAAG,QAAQ,WAAW,CAAC,KAClD,GAAG,MACD,qBACE,eAAe,QACf,kBACD,CACF,EACD,GAAG,MAAM,aAAa,GAAG,CAAC,EAC1B,GAAG,MAAM,0BAA0B,KAAK,SAAS,CAAC,EAClD,GAAG,UAAU;AAQX,YAHoB,uBAHlB,6BACE,OAAO,kBACR,CAGF,CACkB;MACnB,CACH,CAE2B,KAC1B,GAAG,MAAM,WAAW,GAAG,KAAK,CAAC,EAC7B,GAAG,MAAM,gBAAgB,GAAG,CAAC,EAC7B,GAAG,OAAO,aAAa;AACrB,SAAI,SAAS,cAAc,KACzB,QAAO,GAAG,KACR,IAAI,UAAU,wBAAwB,CACvC;AAEH,YAAO,GAAG,QAAQ;MAChB;MACA,YAAY,SAAS;MACtB,CAAC;MACF,EACF,GAAG,OAAO,EAAE,UAAU,iBAAiB;KACrC,MAAM,eAAe,yBACnB,WAAW,GACZ;KACD,MAAM,YAAY,WAAW;KAE7B,IAAI;AACJ,SAAI,UAAU,oBAAoB,CAChC,aAAY,UAAU,WAAW;UAC5B;MACL,MAAM,UAAU,UAAU,MAAM;AAChC,kBACE,YAAY,YAAY,MACpB,qBACA,YAAY,YAAY,MACtB,qBACA;;KAkCV,MAAM,UA5BF;OACD,2BAA2B;OAC1B,MAAM,MAAM,UAAU,KAAK;OAC3B,MAAM,SAAS,IAAI,WAAW,GAAG;OACjC,IAAI,KAAK,IAAI;AACb,YAAK,IAAI,IAAI,IAAI,KAAK,GAAG,KAAK;AAC5B,eAAO,KAAK,OAAO,KAAK,KAAM;AAC9B,eAAO;;OAET,MAAM,SAAS,IAAI,WAAW,GAAG;OACjC,IAAI,KAAK,IAAI;AACb,YAAK,IAAI,IAAI,IAAI,KAAK,GAAG,KAAK;AAC5B,eAAO,KAAK,OAAO,KAAK,KAAM;AAC9B,eAAO;;OAET,MAAM,QAAQ,IAAI,WAAW,GAAG;AAChC,aAAM,KAAK;AACX,aAAM,IAAI,QAAQ,EAAE;AACpB,aAAM,IAAI,QAAQ,GAAG;AACrB,cAAO,GAAG,QAAQ,MAAM;;OAEzB,2BAA2B;OAC1B,MAAM,MAAM,UAAU,KAAK;OAC3B,MAAM,YAAY,IAAI,aAAa,IAAI,GAAG,IAAI,EAAE;AAChD,cAAO,GAAG,QAAQ,UAAU,aAAa,CAAC;;MAE7C,CAEwB;AACzB,aACE,UACI,SAAS,GACT,GAAG,KACD,IAAI,UACF,iCACA,0BAA0B,YAC3B,CACF,EACL,KACA,GAAG,OAAO,mBACR,GAAG,KAAK;MACN,IAAI,YAAY;OACd,MAAM,aACJ,OAAO,cAAc;OACvB,MAAM,WAAW,OAAO,YAAY;AAGpC,aADW,OAAO,KAAK,IAAI,KAAK,OAAO,CAC9B,SAAS,OAAO;QACvB;QACA,UAAU,SAAS;QACnB,mBAAmB;QACpB,CAAC;AAEF,aAAM,oBAAoB,KAAK;QAC7B;QACA;QACA,WAAW,eAAe,OAAO,MAC/B,eAAe,YACf,eAAe,aACb,eAAe,WAClB;QACD;QACA,SAAS,SAAS;QAClB,YAAY,OAAO;QACnB;QACA;QACA,MAAM,OAAO;QACb,WAAW,KAAK,KAAK;QACtB,CAAC;AAOF,cAAO;QACL,MAAM;QACN,UAPmB,MAAM,WAAW,KAAK;SACzC;SACA,gBAAgB;SACjB,CAAC;QAKD;;MAEH,WAAW,IAAI,UAAU,iBAAiB;MAC3C,CAAC,CACH,CACF;MACD,CACH;KACD,CACH,CACF,CACF;GACH,cAAc,MACZ,mBAAmB,SAAS,CAAC,KAC3B,GAAG,OAAO,OAAO;IACf,MAAM,YAAY,IAAI,WAAW,GAAG;AACpC,WAAO,gBAAgB,UAAU;IACjC,MAAM,gBAAgB,yBACpB,IAAI,WAAW,OAAO,UAAU,CAAC,CAClC;AAED,WAAO,GAAG,KAAK;KACb,IAAI,YAAY;MACd,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,YAAM,sBAAsB,KAAK;OAC/B;OACA,WAAW;OACZ,CAAC;MAEF,IAAI;AAOJ,UAAI,OAAO,OAAO;OAChB,MAAM,OAAO,MAAM,yBACjB,KACA,OAAO,MACR;AACD,WAAI,MAAM;QACR,MAAM,WAAW,MAAM,sBACrB,KACA,KAAK,IACN;AACD,YAAI,SAAS,SAAS,EACpB,oBAAmB,SAAS,KAAK,QAAQ;SACvC,MAAM;SACN,IAAI,GAAG;SACP,YAAY,GAAG;SAChB,EAAE;;;MAKT,MAAM,UAA+B;OACnC,WAAW,yBAAyB,UAAU;OAC9C,SAAS,GAAG;OACZ,MAAM,GAAG;OACT,kBAAkB,GAAG;OACtB;AAED,UAAI,iBACF,SAAQ,mBAAmB;AAG7B,aAAO;OACL,MAAM;OACN;OACA;OACD;;KAEH,WAAW,IAAI,UAAU,iBAAiB;KAC3C,CAAC;KACF,CACH;GACH,aAAa,MACX,GAAG,IACD,mBAAmB,SAAS,EAC5B,yBAAyB,KAAK,SAAS,CACxC,CAAC,KACA,GAAG,OAAO,CAAC,IAAI,cAAc;IAC3B,MAAM,iBAAiB,6BACrB,OAAO,eACR;IACD,MAAM,aAAa,oBAAoB,eAAe;AAoBtD,WAlB6B,GAAG,QAAQ,WAAW,CAAC,KAClD,GAAG,MACD,qBAAqB,eAAe,KAAK,eAAe,CACzD,EACD,GAAG,MAAM,aAAa,GAAG,CAAC,EAC1B,GAAG,MAAM,0BAA0B,KAAK,SAAS,CAAC,EAClD,GAAG,YACD,OAAO,gBAAgB,OACnB,GAAG,QAAQ,OAAO,aAAuB,GACzC,GAAG,KACD,IAAI,UACF,8BACA,wBACD,CACF,CACN,CACF,CAE2B,KAC1B,GAAG,OAAO,iBACR,GAAG,KAAK;KACN,UAAU,2BAA2B,KAAK,aAAa;KACvD,WAAW,IAAI,UAAU,6BAA6B;KACvD,CAAC,CAAC,KACD,GAAG,OAAO,YACR,UACI,GAAG,QAAQ,QAAQ,GACnB,GAAG,KACD,IAAI,UACF,8BACA,qBACD,CACF,CACN,CACF,CACF,EACD,GAAG,OAAO,YAAY;KACpB,MAAM,yBAAyB,6BAC7B,OAAO,kBACR;KACD,MAAM,oBAAoB,uBACxB,uBACD;KAED,MAAM,YAAY,6BAChB,OAAO,UACR;KAKD,MAAM,cAAc,OAJK,gCACvB,wBACA,eACD,CAC2C;AA2E5C,YAzE+B,GAAG,QAChC,kBACD,CAAC,KACA,GAAG,MAAM,WAAW,GAAG,KAAK,CAAC,EAC7B,GAAG,MAAM,gBAAgB,GAAG,CAAC,CAC9B,CAEkD,KACjD,GAAG,YAAY;MACb,MAAM,uBAAuB,IAAI,WAC/B,QAAQ,UACT;MAwCD,MAAM,UApCF;QACD,2BAA2B;AAY1B,eALc,qBANM,oBAClB,MACA,qBACD,EAKC,aAHA,yBAAyB,UAAU,CAKpC,GAEG,GAAG,QAAQ,OAAkB,GAC7B,GAAG,KACD,IAAI,UAAU,4BAA4B,CAC3C;;QAEN,2BAA2B;AAS1B,eANc,8BADZ,wBAAwB,qBAAqB,EAG7C,wBACA,aACA,UACD,GAEG,GAAG,QAAQ,OAAkB,GAC7B,GAAG,KACD,IAAI,UAAU,4BAA4B,CAC3C;;OAER,CAEiC,QAAQ;AAC1C,aAAO,UACH,SAAS,GACT,GAAG,KACD,IAAI,UACF,iCACA,0BAA0B,QAAQ,YACnC,CACF;OACL,CACH,CAE8C,KAC7C,GAAG,YACD,QAAQ,YAAY,KACpB,kBAAkB,qBAAqB,KACvC,kBAAkB,oBAAoB,QAAQ,UAC1C,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,QAAQ,kBAAkB,CAClC,CACF,CAEyB,KACxB,GAAG,YACD,GAAG,KAAK;MACN,IAAI,YAAY;AACd,aAAM,2BACJ,KACA,QAAQ,KACR,kBAAkB,kBAClB,KAAK,KAAK,CACX;AAOD,cAAO;QACL,MAAM;QACN,UAPmB,MAAM,WAAW,KAAK;SACzC,QAAQ,QAAQ;SAChB,gBAAgB;SACjB,CAAC;QAKD;;MAEH,WAAW,IAAI,UAAU,iBAAiB;MAC3C,CAAC,CACH,CACF;MACD,CACH;KACD,CACH;GACJ,CACF;GAED,CACH"}

package/dist/{server/implementation → component/server}/redirects.js

@@ -1,18 +1,23 @@
-import { throwAuthError } from "../errors.js";
-import { requireEnv } from "../utils.js";
+import { AuthError } from "./authError.js";
+import { requireEnv } from "./utils.js";
 
-//#region src/server/implementation/redirects.ts
+//#region src/server/redirects.ts
+/** @internal */
 async function redirectAbsoluteUrl(config, params) {
-	if (params.redirectTo !== void 0) {
-		if (typeof params.redirectTo !== "string") throwAuthError("INVALID_REDIRECT", `Expected \`redirectTo\` to be a string, got ${params.redirectTo}`);
-		return await (config.callbacks?.redirect ?? defaultRedirectCallback)(params);
+	if (params.redirectTo === void 0) return requireEnv("SITE_URL").replace(/\/$/, "");
+	if (typeof params.redirectTo !== "string") throw new AuthError("INVALID_REDIRECT", `Expected \`redirectTo\` to be a string, got ${params.redirectTo}`);
+	const redirectCallback = config.callbacks?.redirect ?? defaultRedirectCallback;
+	try {
+		return await redirectCallback({ redirectTo: params.redirectTo });
+	} catch {
+		throw new AuthError("INTERNAL_ERROR");
 	}
-	return siteUrl();
 }
 async function defaultRedirectCallback({ redirectTo }) {
-	if (redirectTo.startsWith("?") || redirectTo.startsWith("/")) return `${siteUrl()}${redirectTo}`;
+	if (redirectTo.startsWith("?") || redirectTo.startsWith("/")) return `${requireEnv("SITE_URL").replace(/\/$/, "")}${redirectTo}`;
 	return redirectTo;
 }
+/** @internal */
 function setURLSearchParam(absoluteUrl, param, value) {
 	const pattern = /([^:]+):(.*)/;
 	const [, scheme, rest] = absoluteUrl.match(pattern);
@@ -23,9 +28,6 @@ function setURLSearchParam(absoluteUrl, param, value) {
 	const [, , withParam] = url.toString().match(pattern);
 	return `${scheme}:${hasNoDomain ? (startsWithPath ? "/" : "") + "//" + withParam.slice(13) : withParam}`;
 }
-function siteUrl() {
-	return requireEnv("SITE_URL").replace(/\/$/, "");
-}
 
 //#endregion
 export { redirectAbsoluteUrl, setURLSearchParam };

package/dist/component/server/redirects.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redirects.js","names":[],"sources":["../../../src/server/redirects.ts"],"sourcesContent":["import { AuthError } from \"./authError\";\nimport { ConvexAuthMaterializedConfig } from \"./types\";\nimport { requireEnv } from \"./utils\";\n\n/** @internal */\nexport async function redirectAbsoluteUrl(\n  config: ConvexAuthMaterializedConfig,\n  params: { redirectTo: unknown },\n) {\n  if (params.redirectTo === undefined) {\n    return requireEnv(\"SITE_URL\").replace(/\\/$/, \"\");\n  }\n  if (typeof params.redirectTo !== \"string\") {\n    throw new AuthError(\n      \"INVALID_REDIRECT\",\n      `Expected \\`redirectTo\\` to be a string, got ${params.redirectTo as any}`,\n    );\n  }\n  const redirectCallback =\n    config.callbacks?.redirect ?? defaultRedirectCallback;\n  try {\n    return await redirectCallback({ redirectTo: params.redirectTo });\n  } catch {\n    throw new AuthError(\"INTERNAL_ERROR\");\n  }\n}\n\nasync function defaultRedirectCallback({ redirectTo }: { redirectTo: string }) {\n  // Resolve relative paths against SITE_URL; absolute URLs are passed through\n  // as-is. The developer is trusted to provide valid redirect targets.\n  if (redirectTo.startsWith(\"?\") || redirectTo.startsWith(\"/\")) {\n    return `${requireEnv(\"SITE_URL\").replace(/\\/$/, \"\")}${redirectTo}`;\n  }\n  return redirectTo;\n}\n\n// Temporary work-around because Convex doesn't support\n// schemes other than http and https.\n/** @internal */\nexport function setURLSearchParam(\n  absoluteUrl: string,\n  param: string,\n  value: string,\n) {\n  const pattern = /([^:]+):(.*)/;\n  const [, scheme, rest] = absoluteUrl.match(pattern)!;\n  const hasNoDomain = /^\\/\\/(?:\\/|$|\\?)/.test(rest);\n  const startsWithPath = hasNoDomain && rest.startsWith(\"///\");\n  const url = new URL(\n    `http:${hasNoDomain ? \"//googblibok\" + rest.slice(2) : rest}`,\n  );\n  url.searchParams.set(param, value);\n  const [, , withParam] = url.toString().match(pattern)!;\n  return `${scheme}:${hasNoDomain ? (startsWithPath ? \"/\" : \"\") + \"//\" + withParam.slice(13) : withParam}`;\n}\n"],"mappings":";;;;;AAKA,eAAsB,oBACpB,QACA,QACA;AACA,KAAI,OAAO,eAAe,OACxB,QAAO,WAAW,WAAW,CAAC,QAAQ,OAAO,GAAG;AAElD,KAAI,OAAO,OAAO,eAAe,SAC/B,OAAM,IAAI,UACR,oBACA,+CAA+C,OAAO,aACvD;CAEH,MAAM,mBACJ,OAAO,WAAW,YAAY;AAChC,KAAI;AACF,SAAO,MAAM,iBAAiB,EAAE,YAAY,OAAO,YAAY,CAAC;SAC1D;AACN,QAAM,IAAI,UAAU,iBAAiB;;;AAIzC,eAAe,wBAAwB,EAAE,cAAsC;AAG7E,KAAI,WAAW,WAAW,IAAI,IAAI,WAAW,WAAW,IAAI,CAC1D,QAAO,GAAG,WAAW,WAAW,CAAC,QAAQ,OAAO,GAAG,GAAG;AAExD,QAAO;;;AAMT,SAAgB,kBACd,aACA,OACA,OACA;CACA,MAAM,UAAU;CAChB,MAAM,GAAG,QAAQ,QAAQ,YAAY,MAAM,QAAQ;CACnD,MAAM,cAAc,mBAAmB,KAAK,KAAK;CACjD,MAAM,iBAAiB,eAAe,KAAK,WAAW,MAAM;CAC5D,MAAM,MAAM,IAAI,IACd,QAAQ,cAAc,iBAAiB,KAAK,MAAM,EAAE,GAAG,OACxD;AACD,KAAI,aAAa,IAAI,OAAO,MAAM;CAClC,MAAM,KAAK,aAAa,IAAI,UAAU,CAAC,MAAM,QAAQ;AACrD,QAAO,GAAG,OAAO,GAAG,eAAe,iBAAiB,MAAM,MAAM,OAAO,UAAU,MAAM,GAAG,GAAG"}

package/dist/component/server/refresh.js

@@ -0,0 +1,96 @@
+import { AuthError } from "./authError.js";
+import { LOG_LEVELS, REFRESH_TOKEN_DIVIDER, logWithLevel, maybeRedact } from "./utils.js";
+import { authDb } from "./db.js";
+import { Fx } from "@robelest/fx";
+
+//#region src/server/refresh.ts
+const DEFAULT_SESSION_INACTIVE_DURATION_MS = 1e3 * 60 * 60 * 24 * 30;
+/** @internal */
+const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1e3;
+/**
+* Create a new refresh token for the given session.
+*/
+/** @internal */
+async function createRefreshToken(ctx, config, sessionId, parentRefreshTokenId) {
+	const expirationTime = Date.now() + (config.session?.inactiveDurationMs ?? (process.env.AUTH_SESSION_INACTIVE_DURATION_MS !== void 0 ? Number(process.env.AUTH_SESSION_INACTIVE_DURATION_MS) : void 0) ?? DEFAULT_SESSION_INACTIVE_DURATION_MS);
+	return authDb(ctx, config).refreshTokens.create({
+		sessionId,
+		expirationTime,
+		parentRefreshTokenId: parentRefreshTokenId ?? void 0
+	});
+}
+/**
+* Parse a compound refresh token string into its constituent IDs.
+*/
+/** @internal */
+const parseRefreshToken = (refreshToken) => {
+	const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);
+	const msg = `Can't parse refresh token: ${maybeRedact(refreshToken)}`;
+	return (refreshTokenId != null ? Fx.succeed(refreshTokenId) : Fx.fail(new AuthError("INVALID_REFRESH_TOKEN", msg))).pipe(Fx.chain((rtId) => {
+		return (sessionId != null ? Fx.succeed(sessionId) : Fx.fail(new AuthError("INVALID_REFRESH_TOKEN", msg))).pipe(Fx.map((sId) => ({
+			refreshTokenId: rtId,
+			sessionId: sId
+		})));
+	}));
+};
+/**
+* Mark all refresh tokens descending from the given refresh token as invalid
+* immediately. Used when we detect token reuse — revoke the entire tree.
+*/
+/** @internal */
+async function invalidateRefreshTokensInSubtree(ctx, refreshToken, config) {
+	const db = authDb(ctx, config);
+	const tokensToInvalidate = [refreshToken];
+	const visited = new Set([refreshToken._id]);
+	let frontier = [refreshToken._id];
+	while (frontier.length > 0) {
+		const nextFrontier = [];
+		for (const currentTokenId of frontier) {
+			const children = await db.refreshTokens.getChildren(refreshToken.sessionId, currentTokenId);
+			for (const child of children) {
+				if (visited.has(child._id)) continue;
+				visited.add(child._id);
+				tokensToInvalidate.push(child);
+				nextFrontier.push(child._id);
+			}
+		}
+		frontier = nextFrontier;
+	}
+	await Fx.run(Fx.each(tokensToInvalidate, (token) => token.firstUsedTime === void 0 || token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS ? Fx.from({
+		ok: () => db.refreshTokens.patch(token._id, { firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS }),
+		err: (e) => e
+	}) : Fx.unit));
+	return tokensToInvalidate;
+}
+/**
+* Validate a refresh token and its associated session.
+*
+* Returns `null` on any validation failure (matching original semantics).
+* Each validation step is a small composable function chained with `Fx.chain`.
+* On failure, the error message is logged and the pipeline folds to `null`.
+*/
+/** @internal */
+const refreshTokenIfValid = (ctx, refreshTokenId, tokenSessionId, config) => {
+	const db = authDb(ctx, config);
+	const fetchDoc = (promise, failMsg) => Fx.from({
+		ok: promise,
+		err: () => failMsg
+	}).pipe(Fx.recover((msg) => {
+		logWithLevel(LOG_LEVELS.ERROR, msg);
+		return Fx.succeed(null);
+	}));
+	return fetchDoc(() => db.refreshTokens.getById(refreshTokenId), "Invalid refresh token format").pipe(Fx.chain((doc) => doc !== null ? Fx.succeed(doc) : Fx.fail("Invalid refresh token")), Fx.chain((doc) => doc.expirationTime >= Date.now() ? Fx.succeed(doc) : Fx.fail("Expired refresh token")), Fx.chain((doc) => doc.sessionId === tokenSessionId ? Fx.succeed(doc) : Fx.fail("Invalid refresh token session ID"))).pipe(Fx.chain((doc) => fetchDoc(() => db.sessions.getById(doc.sessionId), "Invalid refresh token session format").pipe(Fx.chain((session) => session !== null ? Fx.succeed(session) : Fx.fail("Invalid refresh token session")), Fx.chain((session) => session.expirationTime >= Date.now() ? Fx.succeed(session) : Fx.fail("Expired refresh token session")), Fx.map((session) => ({
+		session,
+		refreshTokenDoc: doc
+	})))), Fx.fold({
+		ok: (result) => result,
+		err: (msg) => {
+			logWithLevel(LOG_LEVELS.ERROR, msg);
+			return null;
+		}
+	}));
+};
+
+//#endregion
+export { REFRESH_TOKEN_REUSE_WINDOW_MS, createRefreshToken, invalidateRefreshTokensInSubtree, parseRefreshToken, refreshTokenIfValid };
+//# sourceMappingURL=refresh.js.map

package/dist/component/server/refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.js","names":[],"sources":["../../../src/server/refresh.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { AuthError } from \"./authError\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { ConvexAuthConfig } from \"./types\";\nimport {\n  LOG_LEVELS,\n  REFRESH_TOKEN_DIVIDER,\n  logWithLevel,\n  maybeRedact,\n} from \"./utils\";\n\nconst DEFAULT_SESSION_INACTIVE_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days\n/** @internal */\nexport const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1000; // 10 seconds\n\n// ---------------------------------------------------------------------------\n// Refresh token CRUD\n// ---------------------------------------------------------------------------\n\n/**\n * Create a new refresh token for the given session.\n */\n/** @internal */\nexport async function createRefreshToken(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  sessionId: GenericId<\"Session\">,\n  parentRefreshTokenId: GenericId<\"RefreshToken\"> | null,\n): Promise<GenericId<\"RefreshToken\">> {\n  const expirationTime =\n    Date.now() +\n    (config.session?.inactiveDurationMs ??\n      (process.env.AUTH_SESSION_INACTIVE_DURATION_MS !== undefined\n        ? Number(process.env.AUTH_SESSION_INACTIVE_DURATION_MS)\n        : undefined) ??\n      DEFAULT_SESSION_INACTIVE_DURATION_MS);\n\n  return authDb(ctx, config).refreshTokens.create({\n    sessionId,\n    expirationTime,\n    parentRefreshTokenId: parentRefreshTokenId ?? undefined,\n  }) as Promise<GenericId<\"RefreshToken\">>;\n}\n\n/**\n * Parse a compound refresh token string into its constituent IDs.\n */\n/** @internal */\nexport const parseRefreshToken = (\n  refreshToken: string,\n): Fx<\n  {\n    refreshTokenId: GenericId<\"RefreshToken\">;\n    sessionId: GenericId<\"Session\">;\n  },\n  AuthError\n> => {\n  const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);\n  const msg = `Can't parse refresh token: ${maybeRedact(refreshToken)}`;\n  const refreshTokenIdFx: Fx<string, AuthError> =\n    refreshTokenId != null\n      ? Fx.succeed(refreshTokenId)\n      : Fx.fail(new AuthError(\"INVALID_REFRESH_TOKEN\", msg));\n\n  return refreshTokenIdFx.pipe(\n    Fx.chain((rtId) => {\n      const sessionIdFx: Fx<string, AuthError> =\n        sessionId != null\n          ? Fx.succeed(sessionId)\n          : Fx.fail(new AuthError(\"INVALID_REFRESH_TOKEN\", msg));\n      return sessionIdFx.pipe(\n        Fx.map((sId) => ({\n          refreshTokenId: rtId as GenericId<\"RefreshToken\">,\n          sessionId: sId as GenericId<\"Session\">,\n        })),\n      );\n    }),\n  );\n};\n\n/**\n * Mark all refresh tokens descending from the given refresh token as invalid\n * immediately. Used when we detect token reuse — revoke the entire tree.\n */\n/** @internal */\nexport async function invalidateRefreshTokensInSubtree(\n  ctx: MutationCtx,\n  refreshToken: Doc<\"RefreshToken\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const tokensToInvalidate = [refreshToken];\n  const visited = new Set<GenericId<\"RefreshToken\">>([refreshToken._id]);\n  let frontier: GenericId<\"RefreshToken\">[] = [refreshToken._id];\n  while (frontier.length > 0) {\n    const nextFrontier: GenericId<\"RefreshToken\">[] = [];\n    for (const currentTokenId of frontier) {\n      const children = (await db.refreshTokens.getChildren(\n        refreshToken.sessionId,\n        currentTokenId,\n      )) as Doc<\"RefreshToken\">[];\n      for (const child of children) {\n        if (visited.has(child._id)) continue;\n        visited.add(child._id);\n        tokensToInvalidate.push(child);\n        nextFrontier.push(child._id);\n      }\n    }\n    frontier = nextFrontier;\n  }\n  await Fx.run(\n    Fx.each(tokensToInvalidate, (token) =>\n      token.firstUsedTime === undefined ||\n      token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS\n        ? Fx.from({\n            ok: () =>\n              db.refreshTokens.patch(token._id, {\n                firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,\n              }),\n            err: (e) => e as never,\n          })\n        : Fx.unit,\n    ),\n  );\n  return tokensToInvalidate;\n}\n\n// ---------------------------------------------------------------------------\n// Validation pipeline — the core of refresh token handling\n// ---------------------------------------------------------------------------\n\n/**\n * Validate a refresh token and its associated session.\n *\n * Returns `null` on any validation failure (matching original semantics).\n * Each validation step is a small composable function chained with `Fx.chain`.\n * On failure, the error message is logged and the pipeline folds to `null`.\n */\n/** @internal */\nexport const refreshTokenIfValid = (\n  ctx: MutationCtx,\n  refreshTokenId: string,\n  tokenSessionId: string,\n  config: ConvexAuthConfig,\n): Fx<\n  { session: Doc<\"Session\">; refreshTokenDoc: Doc<\"RefreshToken\"> } | null,\n  never\n> => {\n  const db = authDb(ctx, config);\n\n  const fetchDoc = <T>(\n    promise: () => Promise<T | null>,\n    failMsg: string,\n  ): Fx<T | null, never> =>\n    Fx.from({ ok: promise, err: () => failMsg }).pipe(\n      Fx.recover((msg) => {\n        logWithLevel(LOG_LEVELS.ERROR, msg);\n        return Fx.succeed(null as T | null);\n      }),\n    );\n\n  // The entire validation is a single pipeline:\n  // fetch token → not null → not expired → session matches → fetch session → not null → not expired → combine\n  return fetchDoc(\n    () =>\n      db.refreshTokens.getById(\n        refreshTokenId as GenericId<\"RefreshToken\">,\n      ) as Promise<Doc<\"RefreshToken\"> | null>,\n    \"Invalid refresh token format\",\n  )\n    .pipe(\n      Fx.chain((doc) =>\n        doc !== null ? Fx.succeed(doc) : Fx.fail(\"Invalid refresh token\"),\n      ),\n      Fx.chain((doc) =>\n        doc.expirationTime >= Date.now()\n          ? Fx.succeed(doc)\n          : Fx.fail(\"Expired refresh token\"),\n      ),\n      Fx.chain((doc) =>\n        doc.sessionId === tokenSessionId\n          ? Fx.succeed(doc)\n          : Fx.fail(\"Invalid refresh token session ID\"),\n      ),\n    )\n    .pipe(\n      Fx.chain((doc: Doc<\"RefreshToken\">) =>\n        fetchDoc(\n          () =>\n            db.sessions.getById(\n              doc.sessionId,\n            ) as Promise<Doc<\"Session\"> | null>,\n          \"Invalid refresh token session format\",\n        ).pipe(\n          Fx.chain((session) =>\n            session !== null\n              ? Fx.succeed(session)\n              : Fx.fail(\"Invalid refresh token session\"),\n          ),\n          Fx.chain((session) =>\n            session.expirationTime >= Date.now()\n              ? Fx.succeed(session)\n              : Fx.fail(\"Expired refresh token session\"),\n          ),\n          Fx.map((session) => ({\n            session,\n            refreshTokenDoc: doc,\n          })),\n        ),\n      ),\n      Fx.fold({\n        ok: (result) => result,\n        err: (msg) => {\n          logWithLevel(LOG_LEVELS.ERROR, msg);\n          return null;\n        },\n      }),\n    );\n};\n"],"mappings":";;;;;;AAcA,MAAM,uCAAuC,MAAO,KAAK,KAAK,KAAK;;AAEnE,MAAa,gCAAgC,KAAK;;;;;AAUlD,eAAsB,mBACpB,KACA,QACA,WACA,sBACoC;CACpC,MAAM,iBACJ,KAAK,KAAK,IACT,OAAO,SAAS,uBACd,QAAQ,IAAI,sCAAsC,SAC/C,OAAO,QAAQ,IAAI,kCAAkC,GACrD,WACJ;AAEJ,QAAO,OAAO,KAAK,OAAO,CAAC,cAAc,OAAO;EAC9C;EACA;EACA,sBAAsB,wBAAwB;EAC/C,CAAC;;;;;;AAOJ,MAAa,qBACX,iBAOG;CACH,MAAM,CAAC,gBAAgB,aAAa,aAAa,MAAM,sBAAsB;CAC7E,MAAM,MAAM,8BAA8B,YAAY,aAAa;AAMnE,SAJE,kBAAkB,OACd,GAAG,QAAQ,eAAe,GAC1B,GAAG,KAAK,IAAI,UAAU,yBAAyB,IAAI,CAAC,EAElC,KACtB,GAAG,OAAO,SAAS;AAKjB,UAHE,aAAa,OACT,GAAG,QAAQ,UAAU,GACrB,GAAG,KAAK,IAAI,UAAU,yBAAyB,IAAI,CAAC,EACvC,KACjB,GAAG,KAAK,SAAS;GACf,gBAAgB;GAChB,WAAW;GACZ,EAAE,CACJ;GACD,CACH;;;;;;;AAQH,eAAsB,iCACpB,KACA,cACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,qBAAqB,CAAC,aAAa;CACzC,MAAM,UAAU,IAAI,IAA+B,CAAC,aAAa,IAAI,CAAC;CACtE,IAAI,WAAwC,CAAC,aAAa,IAAI;AAC9D,QAAO,SAAS,SAAS,GAAG;EAC1B,MAAM,eAA4C,EAAE;AACpD,OAAK,MAAM,kBAAkB,UAAU;GACrC,MAAM,WAAY,MAAM,GAAG,cAAc,YACvC,aAAa,WACb,eACD;AACD,QAAK,MAAM,SAAS,UAAU;AAC5B,QAAI,QAAQ,IAAI,MAAM,IAAI,CAAE;AAC5B,YAAQ,IAAI,MAAM,IAAI;AACtB,uBAAmB,KAAK,MAAM;AAC9B,iBAAa,KAAK,MAAM,IAAI;;;AAGhC,aAAW;;AAEb,OAAM,GAAG,IACP,GAAG,KAAK,qBAAqB,UAC3B,MAAM,kBAAkB,UACxB,MAAM,gBAAgB,KAAK,KAAK,GAAG,gCAC/B,GAAG,KAAK;EACN,UACE,GAAG,cAAc,MAAM,MAAM,KAAK,EAChC,eAAe,KAAK,KAAK,GAAG,+BAC7B,CAAC;EACJ,MAAM,MAAM;EACb,CAAC,GACF,GAAG,KACR,CACF;AACD,QAAO;;;;;;;;;;AAeT,MAAa,uBACX,KACA,gBACA,gBACA,WAIG;CACH,MAAM,KAAK,OAAO,KAAK,OAAO;CAE9B,MAAM,YACJ,SACA,YAEA,GAAG,KAAK;EAAE,IAAI;EAAS,WAAW;EAAS,CAAC,CAAC,KAC3C,GAAG,SAAS,QAAQ;AAClB,eAAa,WAAW,OAAO,IAAI;AACnC,SAAO,GAAG,QAAQ,KAAiB;GACnC,CACH;AAIH,QAAO,eAEH,GAAG,cAAc,QACf,eACD,EACH,+BACD,CACE,KACC,GAAG,OAAO,QACR,QAAQ,OAAO,GAAG,QAAQ,IAAI,GAAG,GAAG,KAAK,wBAAwB,CAClE,EACD,GAAG,OAAO,QACR,IAAI,kBAAkB,KAAK,KAAK,GAC5B,GAAG,QAAQ,IAAI,GACf,GAAG,KAAK,wBAAwB,CACrC,EACD,GAAG,OAAO,QACR,IAAI,cAAc,iBACd,GAAG,QAAQ,IAAI,GACf,GAAG,KAAK,mCAAmC,CAChD,CACF,CACA,KACC,GAAG,OAAO,QACR,eAEI,GAAG,SAAS,QACV,IAAI,UACL,EACH,uCACD,CAAC,KACA,GAAG,OAAO,YACR,YAAY,OACR,GAAG,QAAQ,QAAQ,GACnB,GAAG,KAAK,gCAAgC,CAC7C,EACD,GAAG,OAAO,YACR,QAAQ,kBAAkB,KAAK,KAAK,GAChC,GAAG,QAAQ,QAAQ,GACnB,GAAG,KAAK,gCAAgC,CAC7C,EACD,GAAG,KAAK,aAAa;EACnB;EACA,iBAAiB;EAClB,EAAE,CACJ,CACF,EACD,GAAG,KAAK;EACN,KAAK,WAAW;EAChB,MAAM,QAAQ;AACZ,gBAAa,WAAW,OAAO,IAAI;AACnC,UAAO;;EAEV,CAAC,CACH"}