@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/{server/implementation → component/server}/sessions.js

@@ -1,10 +1,11 @@
-import { LOG_LEVELS, TOKEN_SUB_CLAIM_DIVIDER, logWithLevel, maybeRedact, stringToNumber } from "./utils.js";
-import { generateToken } from "./tokens.js";
+import { LOG_LEVELS, REFRESH_TOKEN_DIVIDER, TOKEN_SUB_CLAIM_DIVIDER, logWithLevel, maybeRedact } from "./utils.js";
 import { authDb } from "./db.js";
-import { createRefreshToken, deleteAllRefreshTokens, formatRefreshToken } from "./refresh.js";
+import { createRefreshToken } from "./refresh.js";
+import { generateToken } from "./tokens.js";
 
-//#region src/server/implementation/sessions.ts
+//#region src/server/sessions.ts
 const DEFAULT_SESSION_TOTAL_DURATION_MS = 1e3 * 60 * 60 * 24 * 30;
+/** @internal */
 async function maybeGenerateTokensForSession(ctx, config, userId, sessionId, generateTokens) {
 	return {
 		userId,
@@ -17,6 +18,7 @@ async function maybeGenerateTokensForSession(ctx, config, userId, sessionId, gen
 		}) : null
 	};
 }
+/** @internal */
 async function createNewAndDeleteExistingSession(ctx, config, userId) {
 	const db = authDb(ctx, config);
 	const existingSessionId = await getAuthSessionId(ctx);
@@ -26,6 +28,7 @@ async function createNewAndDeleteExistingSession(ctx, config, userId) {
 	}
 	return await createSession(ctx, userId, config);
 }
+/** @internal */
 async function generateTokensForSession(ctx, config, args) {
 	const ids = {
 		userId: args.userId,
@@ -34,25 +37,28 @@ async function generateTokensForSession(ctx, config, args) {
 	const refreshTokenId = args.issuedRefreshTokenId ?? await createRefreshToken(ctx, config, args.sessionId, args.parentRefreshTokenId);
 	const result = {
 		token: await generateToken(ids, config),
-		refreshToken: formatRefreshToken(refreshTokenId, args.sessionId)
+		refreshToken: `${refreshTokenId}${REFRESH_TOKEN_DIVIDER}${args.sessionId}`
 	};
 	logWithLevel(LOG_LEVELS.DEBUG, `Generated token ${maybeRedact(result.token)} and refresh token ${maybeRedact(refreshTokenId)} for session ${maybeRedact(args.sessionId)}`);
 	return result;
 }
 async function createSession(ctx, userId, config) {
 	const db = authDb(ctx, config);
-	const expirationTime = Date.now() + (config.session?.totalDurationMs ?? stringToNumber(process.env.AUTH_SESSION_TOTAL_DURATION_MS) ?? DEFAULT_SESSION_TOTAL_DURATION_MS);
+	const expirationTime = Date.now() + (config.session?.totalDurationMs ?? (process.env.AUTH_SESSION_TOTAL_DURATION_MS !== void 0 ? Number(process.env.AUTH_SESSION_TOTAL_DURATION_MS) : void 0) ?? DEFAULT_SESSION_TOTAL_DURATION_MS);
 	return await db.sessions.create(userId, expirationTime);
 }
+/** @internal */
 async function deleteSession(ctx, session, config) {
-	await authDb(ctx, config).sessions.delete(session._id);
-	await deleteAllRefreshTokens(ctx, session._id, config);
+	const db = authDb(ctx, config);
+	await db.sessions.delete(session._id);
+	await db.refreshTokens.deleteAll(session._id);
 }
 /**
 * Return the current session ID from the auth identity subject.
 *
 * Internal helper used by auth runtime internals and `auth.session.current`.
 */
+/** @internal */
 async function getAuthSessionId(ctx) {
 	const identity = await ctx.auth.getUserIdentity();
 	if (identity === null) return null;

package/dist/component/server/sessions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.js","names":[],"sources":["../../../src/server/sessions.ts"],"sourcesContent":["import { Auth } from \"convex/server\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { createRefreshToken } from \"./refresh\";\nimport { generateToken } from \"./tokens\";\nimport { Doc, MutationCtx, SessionInfo } from \"./types\";\nimport { ConvexAuthConfig } from \"./types\";\nimport {\n  LOG_LEVELS,\n  TOKEN_SUB_CLAIM_DIVIDER,\n  REFRESH_TOKEN_DIVIDER,\n  logWithLevel,\n  maybeRedact,\n} from \"./utils\";\n\nconst DEFAULT_SESSION_TOTAL_DURATION_MS = 1000 * 60 * 60 * 24 * 30; // 30 days\n\n/** @internal */\nexport async function maybeGenerateTokensForSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  userId: GenericId<\"User\">,\n  sessionId: GenericId<\"Session\">,\n  generateTokens: boolean,\n): Promise<SessionInfo> {\n  return {\n    userId,\n    sessionId,\n    tokens: generateTokens\n      ? await generateTokensForSession(ctx, config, {\n          userId,\n          sessionId,\n          issuedRefreshTokenId: null,\n          parentRefreshTokenId: null,\n        })\n      : null,\n  };\n}\n\n/** @internal */\nexport async function createNewAndDeleteExistingSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  userId: GenericId<\"User\">,\n) {\n  const db = authDb(ctx, config);\n  const existingSessionId = await getAuthSessionId(ctx);\n  if (existingSessionId !== null) {\n    const existingSession = await db.sessions.getById(existingSessionId);\n    if (existingSession !== null) {\n      await deleteSession(ctx, existingSession, config);\n    }\n  }\n  return await createSession(ctx, userId, config);\n}\n\n/** @internal */\nexport async function generateTokensForSession(\n  ctx: MutationCtx,\n  config: ConvexAuthConfig,\n  args: {\n    userId: GenericId<\"User\">;\n    sessionId: GenericId<\"Session\">;\n    issuedRefreshTokenId: GenericId<\"RefreshToken\"> | null;\n    parentRefreshTokenId: GenericId<\"RefreshToken\"> | null;\n  },\n) {\n  const ids = { userId: args.userId, sessionId: args.sessionId };\n  const refreshTokenId =\n    args.issuedRefreshTokenId ??\n    (await createRefreshToken(\n      ctx,\n      config,\n      args.sessionId,\n      args.parentRefreshTokenId,\n    ));\n  const result = {\n    token: await generateToken(ids, config),\n    refreshToken: `${refreshTokenId}${REFRESH_TOKEN_DIVIDER}${args.sessionId}`,\n  };\n  logWithLevel(\n    LOG_LEVELS.DEBUG,\n    `Generated token ${maybeRedact(result.token)} and refresh token ${maybeRedact(refreshTokenId)} for session ${maybeRedact(args.sessionId)}`,\n  );\n  return result;\n}\n\nasync function createSession(\n  ctx: MutationCtx,\n  userId: GenericId<\"User\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const expirationTime =\n    Date.now() +\n    (config.session?.totalDurationMs ??\n      (process.env.AUTH_SESSION_TOTAL_DURATION_MS !== undefined\n        ? Number(process.env.AUTH_SESSION_TOTAL_DURATION_MS)\n        : undefined) ??\n      DEFAULT_SESSION_TOTAL_DURATION_MS);\n  return (await db.sessions.create(\n    userId,\n    expirationTime,\n  )) as GenericId<\"Session\">;\n}\n\n/** @internal */\nexport async function deleteSession(\n  ctx: MutationCtx,\n  session: Doc<\"Session\">,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  await db.sessions.delete(session._id);\n  await db.refreshTokens.deleteAll(session._id);\n}\n\n/**\n * Return the current session ID from the auth identity subject.\n *\n * Internal helper used by auth runtime internals and `auth.session.current`.\n */\n/** @internal */\nexport async function getAuthSessionId(ctx: { auth: Auth }) {\n  const identity = await ctx.auth.getUserIdentity();\n  if (identity === null) {\n    return null;\n  }\n  const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n  return sessionId as GenericId<\"Session\">;\n}\n"],"mappings":";;;;;;AAgBA,MAAM,oCAAoC,MAAO,KAAK,KAAK,KAAK;;AAGhE,eAAsB,8BACpB,KACA,QACA,QACA,WACA,gBACsB;AACtB,QAAO;EACL;EACA;EACA,QAAQ,iBACJ,MAAM,yBAAyB,KAAK,QAAQ;GAC1C;GACA;GACA,sBAAsB;GACtB,sBAAsB;GACvB,CAAC,GACF;EACL;;;AAIH,eAAsB,kCACpB,KACA,QACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,oBAAoB,MAAM,iBAAiB,IAAI;AACrD,KAAI,sBAAsB,MAAM;EAC9B,MAAM,kBAAkB,MAAM,GAAG,SAAS,QAAQ,kBAAkB;AACpE,MAAI,oBAAoB,KACtB,OAAM,cAAc,KAAK,iBAAiB,OAAO;;AAGrD,QAAO,MAAM,cAAc,KAAK,QAAQ,OAAO;;;AAIjD,eAAsB,yBACpB,KACA,QACA,MAMA;CACA,MAAM,MAAM;EAAE,QAAQ,KAAK;EAAQ,WAAW,KAAK;EAAW;CAC9D,MAAM,iBACJ,KAAK,wBACJ,MAAM,mBACL,KACA,QACA,KAAK,WACL,KAAK,qBACN;CACH,MAAM,SAAS;EACb,OAAO,MAAM,cAAc,KAAK,OAAO;EACvC,cAAc,GAAG,iBAAiB,wBAAwB,KAAK;EAChE;AACD,cACE,WAAW,OACX,mBAAmB,YAAY,OAAO,MAAM,CAAC,qBAAqB,YAAY,eAAe,CAAC,eAAe,YAAY,KAAK,UAAU,GACzI;AACD,QAAO;;AAGT,eAAe,cACb,KACA,QACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,iBACJ,KAAK,KAAK,IACT,OAAO,SAAS,oBACd,QAAQ,IAAI,mCAAmC,SAC5C,OAAO,QAAQ,IAAI,+BAA+B,GAClD,WACJ;AACJ,QAAQ,MAAM,GAAG,SAAS,OACxB,QACA,eACD;;;AAIH,eAAsB,cACpB,KACA,SACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;AAC9B,OAAM,GAAG,SAAS,OAAO,QAAQ,IAAI;AACrC,OAAM,GAAG,cAAc,UAAU,QAAQ,IAAI;;;;;;;;AAS/C,eAAsB,iBAAiB,KAAqB;CAC1D,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,KAAI,aAAa,KACf,QAAO;CAET,MAAM,GAAG,aAAa,SAAS,QAAQ,MAAM,wBAAwB;AACrE,QAAO"}

package/dist/component/server/signin.js

@@ -0,0 +1,201 @@
+import { AuthError } from "./authError.js";
+import { generateRandomString, requireEnv } from "./utils.js";
+import { callCreateVerificationCode } from "./mutations/code.js";
+import { callRefreshSession } from "./mutations/refresh.js";
+import { callVerifierSignature } from "./mutations/signature.js";
+import { callSignIn } from "./mutations/signin.js";
+import { callVerifier } from "./mutations/verifier.js";
+import { callVerifyCodeAndSignIn } from "./mutations/verify.js";
+import { queryTotpVerifiedByUserId } from "./types.js";
+import { handleDevice } from "./device.js";
+import { handlePasskeyFx } from "./passkey.js";
+import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
+import { handleTotp } from "./totp.js";
+import { Fx } from "@robelest/fx";
+
+//#region src/server/signin.ts
+const DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 3600 * 24;
+/** @internal */
+async function signInImpl(ctx, provider, args, options) {
+	const fx = signInFx(ctx, provider, args, options);
+	return Fx.run(fx.pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+}
+/**
+* Core sign-in pipeline as an Fx generator.
+*
+* Handles: refresh tokens, verification codes, then dispatches by
+* provider type using a dispatch map (no if-chain).
+*/
+function signInFx(ctx, provider, args, options) {
+	return Fx.gen(function* () {
+		if (provider === null && args.refreshToken) {
+			const tokens = yield* Fx.promise(() => callRefreshSession(ctx, { refreshToken: args.refreshToken }));
+			if (tokens === null) return {
+				kind: "signedIn",
+				signedIn: null
+			};
+			return {
+				kind: "refreshTokens",
+				signedIn: { tokens }
+			};
+		}
+		if (provider === null && args.params?.code !== void 0) return {
+			kind: "signedIn",
+			signedIn: yield* Fx.promise(() => callVerifyCodeAndSignIn(ctx, {
+				params: args.params,
+				verifier: args.verifier,
+				generateTokens: true,
+				allowExtraProviders: options.allowExtraProviders
+			}))
+		};
+		const resolvedProvider = yield* provider != null ? Fx.succeed(provider) : Fx.fail(new AuthError("SIGN_IN_MISSING_PARAMS"));
+		return yield* Fx.match(resolvedProvider).on("type", {
+			email: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),
+			phone: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),
+			credentials: (p) => handleCredentialsFx(ctx, p, args, options),
+			oauth: (p) => handleOAuthProviderFx(ctx, p, args, options),
+			passkey: (p) => handlePasskeyFx(ctx, p, args),
+			totp: (p) => handleTotp(ctx, p, args),
+			device: (p) => handleDevice(ctx, p, args),
+			sso: (_p) => handleSsoProviderFx(ctx, args)
+		});
+	});
+}
+function handleEmailAndPhoneProviderFx(ctx, provider, args, options) {
+	return Fx.gen(function* () {
+		if (args.params?.code !== void 0) {
+			const result = yield* Fx.promise(() => callVerifyCodeAndSignIn(ctx, {
+				params: args.params,
+				provider: provider.id,
+				generateTokens: options.generateTokens,
+				allowExtraProviders: options.allowExtraProviders
+			}));
+			return {
+				kind: "signedIn",
+				signedIn: yield* result != null ? Fx.succeed(result) : Fx.fail(new AuthError("INVALID_VERIFICATION_CODE"))
+			};
+		}
+		const code = provider.generateVerificationToken ? yield* Fx.from({
+			ok: async () => provider.generateVerificationToken(),
+			err: () => new AuthError("INTERNAL_ERROR", "Failed to generate verification token")
+		}) : generateRandomString(32, "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
+		const expirationTime = Date.now() + (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1e3;
+		const verificationArgs = {
+			identifier: yield* Fx.promise(() => callCreateVerificationCode(ctx, {
+				provider: provider.id,
+				accountId: args.accountId,
+				email: args.params?.email,
+				phone: args.params?.phone,
+				code,
+				expirationTime,
+				allowExtraProviders: options.allowExtraProviders
+			})),
+			url: setURLSearchParam(yield* Fx.promise(() => redirectAbsoluteUrl(ctx.auth.config, args.params ?? {})), "code", code),
+			token: code,
+			expires: new Date(expirationTime)
+		};
+		yield* Fx.match(provider).on("type", {
+			email: (p) => Fx.from({
+				ok: async () => p.sendVerificationRequest({
+					...verificationArgs,
+					provider: p,
+					request: new Request("http://localhost")
+				}, ctx),
+				err: () => new AuthError("INTERNAL_ERROR", "Failed to send email code")
+			}),
+			phone: (p) => Fx.from({
+				ok: async () => p.sendVerificationRequest({
+					...verificationArgs,
+					provider: p
+				}, ctx),
+				err: () => new AuthError("INTERNAL_ERROR", "Failed to send phone code")
+			})
+		});
+		return {
+			kind: "started",
+			started: true
+		};
+	});
+}
+function handleCredentialsFx(ctx, provider, args, options) {
+	return Fx.gen(function* () {
+		const result = yield* Fx.promise(() => provider.authorize(args.params ?? {}, ctx));
+		if (result === null) return {
+			kind: "signedIn",
+			signedIn: null
+		};
+		if (yield* Fx.promise(async () => {
+			return await queryTotpVerifiedByUserId(ctx, result.userId) !== null;
+		})) {
+			yield* Fx.promise(() => callSignIn(ctx, {
+				userId: result.userId,
+				sessionId: result.sessionId,
+				generateTokens: false
+			}));
+			const verifier = yield* Fx.promise(() => callVerifier(ctx));
+			yield* Fx.promise(() => callVerifierSignature(ctx, {
+				verifier,
+				signature: JSON.stringify({ userId: result.userId })
+			}));
+			return {
+				kind: "totpRequired",
+				verifier
+			};
+		}
+		return {
+			kind: "signedIn",
+			signedIn: yield* Fx.promise(() => callSignIn(ctx, {
+				userId: result.userId,
+				sessionId: result.sessionId,
+				generateTokens: options.generateTokens
+			}))
+		};
+	});
+}
+function handleOAuthProviderFx(ctx, provider, args, options) {
+	return Fx.gen(function* () {
+		if (args.params?.code !== void 0) return {
+			kind: "signedIn",
+			signedIn: yield* Fx.promise(() => callVerifyCodeAndSignIn(ctx, {
+				params: args.params,
+				verifier: args.verifier,
+				generateTokens: true,
+				allowExtraProviders: options.allowExtraProviders
+			}))
+		};
+		const redirect = new URL((process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv("CONVEX_SITE_URL")) + `/api/auth/signin/${provider.id}`);
+		const verifier = yield* Fx.promise(() => callVerifier(ctx));
+		redirect.searchParams.set("code", verifier);
+		if (args.params?.redirectTo !== void 0) {
+			yield* Fx.guard(typeof args.params.redirectTo !== "string", Fx.fail(new AuthError("INVALID_REDIRECT", `Expected \`redirectTo\` to be a string, got ${args.params.redirectTo}`)));
+			redirect.searchParams.set("redirectTo", args.params.redirectTo);
+		}
+		return {
+			kind: "redirect",
+			redirect: redirect.toString(),
+			verifier
+		};
+	});
+}
+function handleSsoProviderFx(ctx, args) {
+	return Fx.gen(function* () {
+		const enterpriseId = args.params?.enterpriseId;
+		if (!enterpriseId || typeof enterpriseId !== "string") return yield* Fx.fail(new AuthError("SIGN_IN_MISSING_PARAMS", "enterpriseId is required for SSO sign-in."));
+		const protocol = args.params?.protocol ?? "oidc";
+		if (protocol !== "oidc" && protocol !== "saml") return yield* Fx.fail(new AuthError("SIGN_IN_MISSING_PARAMS", `Invalid SSO protocol: ${protocol}. Expected "oidc" or "saml".`));
+		const verifier = yield* Fx.promise(() => callVerifier(ctx));
+		const siteUrl = process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv("CONVEX_SITE_URL");
+		const redirect = new URL(`${siteUrl}/api/auth/sso/${enterpriseId}/${protocol}/signin`);
+		redirect.searchParams.set("code", verifier);
+		if (typeof args.params?.redirectTo === "string") redirect.searchParams.set("redirectTo", args.params.redirectTo);
+		return {
+			kind: "redirect",
+			redirect: redirect.toString(),
+			verifier
+		};
+	});
+}
+
+//#endregion
+export { signInImpl };
+//# sourceMappingURL=signin.js.map

package/dist/component/server/signin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signin.js","names":[],"sources":["../../../src/server/signin.ts"],"sourcesContent":["import type { Fx as FxType } from \"@robelest/fx\";\nimport { GenericId } from \"convex/values\";\n\nimport { handleDevice } from \"./device\";\nimport { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./authError\";\nimport {\n  callCreateVerificationCode,\n  callRefreshSession,\n  callSignIn,\n  callVerifier,\n  callVerifierSignature,\n  callVerifyCodeAndSignIn,\n} from \"./mutations/index\";\nimport { handlePasskeyFx } from \"./passkey\";\nimport { redirectAbsoluteUrl, setURLSearchParam } from \"./redirects\";\nimport { handleTotp } from \"./totp\";\nimport {\n  AuthProviderMaterializedConfig,\n  ConvexCredentialsConfig,\n  EmailConfig,\n  GenericActionCtxWithAuthConfig,\n  PhoneConfig,\n} from \"./types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  SessionInfoWithTokens,\n  Tokens,\n  queryTotpVerifiedByUserId,\n} from \"./types\";\nimport type { OAuthMaterializedConfig } from \"./types\";\nimport { generateRandomString } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\nconst DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 60 * 60 * 24; // 24 hours\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\ntype SignInResult =\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"refreshTokens\"; signedIn: { tokens: Tokens } }\n  | { kind: \"started\"; started: true }\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n  | { kind: \"totpRequired\"; verifier: string }\n  | {\n      kind: \"totpSetup\";\n      uri: string;\n      secret: string;\n      verifier: string;\n      totpId: string;\n    }\n  | {\n      kind: \"deviceCode\";\n      deviceCode: string;\n      userCode: string;\n      verificationUri: string;\n      verificationUriComplete: string;\n      expiresIn: number;\n      interval: number;\n    };\n\n/** @internal */\nexport async function signInImpl(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): Promise<SignInResult> {\n  const fx = signInFx(ctx, provider, args, options);\n  return Fx.run(\n    fx.pipe(Fx.recover((e) => Fx.fatal((e as AuthError).toConvexError()))),\n  );\n}\n\n/**\n * Core sign-in pipeline as an Fx generator.\n *\n * Handles: refresh tokens, verification codes, then dispatches by\n * provider type using a dispatch map (no if-chain).\n */\nfunction signInFx(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<SignInResult, AuthError> {\n  return Fx.gen(function* () {\n    // --- Refresh token (no provider) ---\n    if (provider === null && args.refreshToken) {\n      const tokens = yield* Fx.promise(() =>\n        callRefreshSession(ctx, { refreshToken: args.refreshToken! }),\n      );\n      if (tokens === null) {\n        return { kind: \"signedIn\" as const, signedIn: null };\n      }\n      return { kind: \"refreshTokens\" as const, signedIn: { tokens } };\n    }\n\n    // --- Verify code (no provider, code present) ---\n    if (provider === null && args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return { kind: \"signedIn\" as const, signedIn: result };\n    }\n\n    // --- Provider is required past this point ---\n    const resolvedProvider = yield* provider != null\n      ? Fx.succeed(provider)\n      : Fx.fail(new AuthError(\"SIGN_IN_MISSING_PARAMS\"));\n\n    // --- Dispatch by provider type ---\n    return yield* Fx.match(resolvedProvider).on(\"type\", {\n      email: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      phone: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      credentials: (p) => handleCredentialsFx(ctx, p, args, options),\n      oauth: (p) => handleOAuthProviderFx(ctx, p, args, options),\n      passkey: (p) => handlePasskeyFx(ctx, p, args),\n      totp: (p) => handleTotp(ctx, p, args),\n      device: (p) => handleDevice(ctx, p, args),\n      sso: (_p) => handleSsoProviderFx(ctx, args),\n    });\n  });\n}\n\n// ============================================================================\n// Email / Phone\n// ============================================================================\n\nfunction handleEmailAndPhoneProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: EmailConfig | PhoneConfig,\n  args: {\n    params?: Record<string, any>;\n    accountId?: GenericId<\"Account\">;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"started\"; started: true }\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          provider: provider.id,\n          generateTokens: options.generateTokens,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      const verified = yield* result != null\n        ? Fx.succeed(result)\n        : Fx.fail(new AuthError(\"INVALID_VERIFICATION_CODE\"));\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: verified as SessionInfoWithTokens,\n      };\n    }\n\n    // --- Send verification code path ---\n    const alphabet =\n      \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\";\n    const code = provider.generateVerificationToken\n      ? yield* Fx.from({\n          ok: async () => provider.generateVerificationToken!(),\n          err: () =>\n            new AuthError(\n              \"INTERNAL_ERROR\",\n              \"Failed to generate verification token\",\n            ),\n        })\n      : generateRandomString(32, alphabet);\n    const expirationTime =\n      Date.now() +\n      (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1000;\n\n    const identifier = yield* Fx.promise(() =>\n      callCreateVerificationCode(ctx, {\n        provider: provider.id,\n        accountId: args.accountId,\n        email: args.params?.email,\n        phone: args.params?.phone,\n        code,\n        expirationTime,\n        allowExtraProviders: options.allowExtraProviders,\n      }),\n    );\n    const destination = yield* Fx.promise(() =>\n      redirectAbsoluteUrl(\n        ctx.auth.config,\n        (args.params ?? {}) as { redirectTo: unknown },\n      ),\n    );\n    const verificationArgs = {\n      identifier,\n      url: setURLSearchParam(destination, \"code\", code),\n      token: code,\n      expires: new Date(expirationTime),\n    };\n    yield* Fx.match(provider).on(\"type\", {\n      email: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              {\n                ...verificationArgs,\n                provider: p,\n                request: new Request(\"http://localhost\"),\n              },\n              ctx,\n            ),\n          err: () =>\n            new AuthError(\"INTERNAL_ERROR\", \"Failed to send email code\"),\n        }),\n      phone: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              { ...verificationArgs, provider: p },\n              ctx,\n            ),\n          err: () =>\n            new AuthError(\"INTERNAL_ERROR\", \"Failed to send phone code\"),\n        }),\n    });\n    return { kind: \"started\" as const, started: true as const };\n  });\n}\n\n// ============================================================================\n// Credentials\n// ============================================================================\n\nfunction handleCredentialsFx(\n  ctx: EnrichedActionCtx,\n  provider: ConvexCredentialsConfig,\n  args: {\n    params?: Record<string, any>;\n  },\n  options: {\n    generateTokens: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"totpRequired\"; verifier: string },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    const result = yield* Fx.promise(() =>\n      provider.authorize(args.params ?? {}, ctx),\n    );\n    if (result === null) {\n      return { kind: \"signedIn\" as const, signedIn: null };\n    }\n\n    // Check if user has TOTP 2FA enrolled before issuing tokens\n    const hasTotpEnrolled = yield* Fx.promise(async () => {\n      const totpDoc = await queryTotpVerifiedByUserId(ctx, result.userId);\n      return totpDoc !== null;\n    });\n    if (hasTotpEnrolled) {\n      // Create session but withhold tokens — TOTP verification needed\n      yield* Fx.promise(() =>\n        callSignIn(ctx, {\n          userId: result.userId,\n          sessionId: result.sessionId,\n          generateTokens: false,\n        }),\n      );\n      // Store userId in verifier so the TOTP verify flow can complete sign-in\n      const verifier = yield* Fx.promise(() => callVerifier(ctx));\n      yield* Fx.promise(() =>\n        callVerifierSignature(ctx, {\n          verifier,\n          signature: JSON.stringify({ userId: result.userId }),\n        }),\n      );\n      return { kind: \"totpRequired\" as const, verifier };\n    }\n\n    const idsAndTokens = yield* Fx.promise(() =>\n      callSignIn(ctx, {\n        userId: result.userId,\n        sessionId: result.sessionId,\n        generateTokens: options.generateTokens,\n      }),\n    );\n    return { kind: \"signedIn\" as const, signedIn: idsAndTokens };\n  });\n}\n\n// ============================================================================\n// OAuth\n// ============================================================================\n\nfunction handleOAuthProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: OAuthMaterializedConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n  options: {\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens | null }\n  | { kind: \"redirect\"; redirect: string; verifier: string },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: result as SessionInfoWithTokens | null,\n      };\n    }\n\n    // --- Build redirect URL ---\n    const redirect = new URL(\n      (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\")) +\n        `/api/auth/signin/${provider.id}`,\n    );\n    const verifier = yield* Fx.promise(() => callVerifier(ctx));\n    redirect.searchParams.set(\"code\", verifier);\n\n    if (args.params?.redirectTo !== undefined) {\n      yield* Fx.guard(\n        typeof args.params.redirectTo !== \"string\",\n        Fx.fail(\n          new AuthError(\n            \"INVALID_REDIRECT\",\n            `Expected \\`redirectTo\\` to be a string, got ${args.params.redirectTo}`,\n          ),\n        ),\n      );\n      redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n    }\n\n    return {\n      kind: \"redirect\" as const,\n      redirect: redirect.toString(),\n      verifier,\n    };\n  });\n}\n\n// ============================================================================\n// SSO (Enterprise OIDC / SAML)\n// ============================================================================\n\nfunction handleSsoProviderFx(\n  ctx: EnrichedActionCtx,\n  args: {\n    params?: Record<string, any>;\n  },\n): FxType<{ kind: \"redirect\"; redirect: string; verifier: string }, AuthError> {\n  return Fx.gen(function* () {\n    const enterpriseId = args.params?.enterpriseId;\n    if (!enterpriseId || typeof enterpriseId !== \"string\") {\n      return yield* Fx.fail(\n        new AuthError(\n          \"SIGN_IN_MISSING_PARAMS\",\n          \"enterpriseId is required for SSO sign-in.\",\n        ),\n      );\n    }\n\n    const protocol: \"oidc\" | \"saml\" = args.params?.protocol ?? \"oidc\";\n    if (protocol !== \"oidc\" && protocol !== \"saml\") {\n      return yield* Fx.fail(\n        new AuthError(\n          \"SIGN_IN_MISSING_PARAMS\",\n          `Invalid SSO protocol: ${protocol as string}. Expected \"oidc\" or \"saml\".`,\n        ),\n      );\n    }\n\n    const verifier = yield* Fx.promise(() => callVerifier(ctx));\n    const siteUrl =\n      process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\");\n    const redirect = new URL(\n      `${siteUrl}/api/auth/sso/${enterpriseId}/${protocol}/signin`,\n    );\n    redirect.searchParams.set(\"code\", verifier);\n\n    if (typeof args.params?.redirectTo === \"string\") {\n      redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n    }\n\n    return {\n      kind: \"redirect\" as const,\n      redirect: redirect.toString(),\n      verifier,\n    };\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAoCA,MAAM,6CAA6C,OAAU;;AA6B7D,eAAsB,WACpB,KACA,UACA,MAOA,SAIuB;CACvB,MAAM,KAAK,SAAS,KAAK,UAAU,MAAM,QAAQ;AACjD,QAAO,GAAG,IACR,GAAG,KAAK,GAAG,SAAS,MAAM,GAAG,MAAO,EAAgB,eAAe,CAAC,CAAC,CAAC,CACvE;;;;;;;;AASH,SAAS,SACP,KACA,UACA,MAOA,SAIiC;AACjC,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,aAAa,QAAQ,KAAK,cAAc;GAC1C,MAAM,SAAS,OAAO,GAAG,cACvB,mBAAmB,KAAK,EAAE,cAAc,KAAK,cAAe,CAAC,CAC9D;AACD,OAAI,WAAW,KACb,QAAO;IAAE,MAAM;IAAqB,UAAU;IAAM;AAEtD,UAAO;IAAE,MAAM;IAA0B,UAAU,EAAE,QAAQ;IAAE;;AAIjE,MAAI,aAAa,QAAQ,KAAK,QAAQ,SAAS,OAS7C,QAAO;GAAE,MAAM;GAAqB,UARrB,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GACqD;EAIxD,MAAM,mBAAmB,OAAO,YAAY,OACxC,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK,IAAI,UAAU,yBAAyB,CAAC;AAGpD,SAAO,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,QAAQ;GAClD,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,cAAc,MAAM,oBAAoB,KAAK,GAAG,MAAM,QAAQ;GAC9D,QAAQ,MAAM,sBAAsB,KAAK,GAAG,MAAM,QAAQ;GAC1D,UAAU,MAAM,gBAAgB,KAAK,GAAG,KAAK;GAC7C,OAAO,MAAM,WAAW,KAAK,GAAG,KAAK;GACrC,SAAS,MAAM,aAAa,KAAK,GAAG,KAAK;GACzC,MAAM,OAAO,oBAAoB,KAAK,KAAK;GAC5C,CAAC;GACF;;AAOJ,SAAS,8BACP,KACA,UACA,MAIA,SAQA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,QAAW;GACnC,MAAM,SAAS,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,SAAS;IACnB,gBAAgB,QAAQ;IACxB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;AAID,UAAO;IACL,MAAM;IACN,UALe,OAAO,UAAU,OAC9B,GAAG,QAAQ,OAAO,GAClB,GAAG,KAAK,IAAI,UAAU,4BAA4B,CAAC;IAItD;;EAMH,MAAM,OAAO,SAAS,4BAClB,OAAO,GAAG,KAAK;GACb,IAAI,YAAY,SAAS,2BAA4B;GACrD,WACE,IAAI,UACF,kBACA,wCACD;GACJ,CAAC,GACF,qBAAqB,IAVvB,iEAUoC;EACtC,MAAM,iBACJ,KAAK,KAAK,IACT,SAAS,UAAU,8CAA8C;EAmBpE,MAAM,mBAAmB;GACvB,YAlBiB,OAAO,GAAG,cAC3B,2BAA2B,KAAK;IAC9B,UAAU,SAAS;IACnB,WAAW,KAAK;IAChB,OAAO,KAAK,QAAQ;IACpB,OAAO,KAAK,QAAQ;IACpB;IACA;IACA,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GASC,KAAK,kBARa,OAAO,GAAG,cAC5B,oBACE,IAAI,KAAK,QACR,KAAK,UAAU,EAAE,CACnB,CACF,EAGqC,QAAQ,KAAK;GACjD,OAAO;GACP,SAAS,IAAI,KAAK,eAAe;GAClC;AACD,SAAO,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ;GACnC,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KACE,GAAG;KACH,UAAU;KACV,SAAS,IAAI,QAAQ,mBAAmB;KACzC,EACD,IACD;IACH,WACE,IAAI,UAAU,kBAAkB,4BAA4B;IAC/D,CAAC;GACJ,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KAAE,GAAG;KAAkB,UAAU;KAAG,EACpC,IACD;IACH,WACE,IAAI,UAAU,kBAAkB,4BAA4B;IAC/D,CAAC;GACL,CAAC;AACF,SAAO;GAAE,MAAM;GAAoB,SAAS;GAAe;GAC3D;;AAOJ,SAAS,oBACP,KACA,UACA,MAGA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,SAAS,OAAO,GAAG,cACvB,SAAS,UAAU,KAAK,UAAU,EAAE,EAAE,IAAI,CAC3C;AACD,MAAI,WAAW,KACb,QAAO;GAAE,MAAM;GAAqB,UAAU;GAAM;AAQtD,MAJwB,OAAO,GAAG,QAAQ,YAAY;AAEpD,UADgB,MAAM,0BAA0B,KAAK,OAAO,OAAO,KAChD;IACnB,EACmB;AAEnB,UAAO,GAAG,cACR,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB;IACjB,CAAC,CACH;GAED,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,UAAO,GAAG,cACR,sBAAsB,KAAK;IACzB;IACA,WAAW,KAAK,UAAU,EAAE,QAAQ,OAAO,QAAQ,CAAC;IACrD,CAAC,CACH;AACD,UAAO;IAAE,MAAM;IAAyB;IAAU;;AAUpD,SAAO;GAAE,MAAM;GAAqB,UAPf,OAAO,GAAG,cAC7B,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB,QAAQ;IACzB,CAAC,CACH;GAC2D;GAC5D;;AAOJ,SAAS,sBACP,KACA,UACA,MAIA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,OASxB,QAAO;GACL,MAAM;GACN,UAVa,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GAIA;EAIH,MAAM,WAAW,IAAI,KAClB,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB,IAChE,oBAAoB,SAAS,KAChC;EACD,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,WAAS,aAAa,IAAI,QAAQ,SAAS;AAE3C,MAAI,KAAK,QAAQ,eAAe,QAAW;AACzC,UAAO,GAAG,MACR,OAAO,KAAK,OAAO,eAAe,UAClC,GAAG,KACD,IAAI,UACF,oBACA,+CAA+C,KAAK,OAAO,aAC5D,CACF,CACF;AACD,YAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;;AAGjE,SAAO;GACL,MAAM;GACN,UAAU,SAAS,UAAU;GAC7B;GACD;GACD;;AAOJ,SAAS,oBACP,KACA,MAG6E;AAC7E,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,eAAe,KAAK,QAAQ;AAClC,MAAI,CAAC,gBAAgB,OAAO,iBAAiB,SAC3C,QAAO,OAAO,GAAG,KACf,IAAI,UACF,0BACA,4CACD,CACF;EAGH,MAAM,WAA4B,KAAK,QAAQ,YAAY;AAC3D,MAAI,aAAa,UAAU,aAAa,OACtC,QAAO,OAAO,GAAG,KACf,IAAI,UACF,0BACA,yBAAyB,SAAmB,8BAC7C,CACF;EAGH,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;EAC3D,MAAM,UACJ,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB;EACnE,MAAM,WAAW,IAAI,IACnB,GAAG,QAAQ,gBAAgB,aAAa,GAAG,SAAS,SACrD;AACD,WAAS,aAAa,IAAI,QAAQ,SAAS;AAE3C,MAAI,OAAO,KAAK,QAAQ,eAAe,SACrC,UAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;AAGjE,SAAO;GACL,MAAM;GACN,UAAU,SAAS,UAAU;GAC7B;GACD;GACD"}

package/dist/component/server/tokens.js

@@ -0,0 +1,17 @@
+import { TOKEN_SUB_CLAIM_DIVIDER, generateRandomString, requireEnv } from "./utils.js";
+import { SignJWT, importPKCS8 } from "jose";
+
+//#region src/server/tokens.ts
+const DEFAULT_JWT_DURATION_MS = 1e3 * 60 * 60;
+const TOKEN_JTI_LENGTH = 24;
+const TOKEN_JTI_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+/** @internal */
+async function generateToken(args, config) {
+	const privateKey = await importPKCS8(requireEnv("JWT_PRIVATE_KEY"), "RS256");
+	const expirationTime = new Date(Date.now() + (config.jwt?.durationMs ?? DEFAULT_JWT_DURATION_MS));
+	return await new SignJWT({ sub: args.userId + TOKEN_SUB_CLAIM_DIVIDER + args.sessionId }).setProtectedHeader({ alg: "RS256" }).setIssuedAt().setJti(generateRandomString(TOKEN_JTI_LENGTH, TOKEN_JTI_ALPHABET)).setIssuer(requireEnv("CONVEX_SITE_URL")).setAudience("convex").setExpirationTime(expirationTime).sign(privateKey);
+}
+
+//#endregion
+export { generateToken };
+//# sourceMappingURL=tokens.js.map

package/dist/component/server/tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.js","names":[],"sources":["../../../src/server/tokens.ts"],"sourcesContent":["import { GenericId } from \"convex/values\";\nimport { SignJWT, importPKCS8 } from \"jose\";\n\nimport { ConvexAuthConfig } from \"./types\";\nimport { generateRandomString, TOKEN_SUB_CLAIM_DIVIDER } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\nconst DEFAULT_JWT_DURATION_MS = 1000 * 60 * 60; // 1 hour\nconst TOKEN_JTI_LENGTH = 24;\nconst TOKEN_JTI_ALPHABET =\n  \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\";\n\n/** @internal */\nexport async function generateToken(\n  args: {\n    userId: GenericId<\"User\">;\n    sessionId: GenericId<\"Session\">;\n  },\n  config: ConvexAuthConfig,\n) {\n  const privateKey = await importPKCS8(requireEnv(\"JWT_PRIVATE_KEY\"), \"RS256\");\n  const expirationTime = new Date(\n    Date.now() + (config.jwt?.durationMs ?? DEFAULT_JWT_DURATION_MS),\n  );\n  return await new SignJWT({\n    sub: args.userId + TOKEN_SUB_CLAIM_DIVIDER + args.sessionId,\n  })\n    .setProtectedHeader({ alg: \"RS256\" })\n    .setIssuedAt()\n    .setJti(generateRandomString(TOKEN_JTI_LENGTH, TOKEN_JTI_ALPHABET))\n    .setIssuer(requireEnv(\"CONVEX_SITE_URL\"))\n    .setAudience(\"convex\")\n    .setExpirationTime(expirationTime)\n    .sign(privateKey);\n}\n"],"mappings":";;;;AAOA,MAAM,0BAA0B,MAAO,KAAK;AAC5C,MAAM,mBAAmB;AACzB,MAAM,qBACJ;;AAGF,eAAsB,cACpB,MAIA,QACA;CACA,MAAM,aAAa,MAAM,YAAY,WAAW,kBAAkB,EAAE,QAAQ;CAC5E,MAAM,iBAAiB,IAAI,KACzB,KAAK,KAAK,IAAI,OAAO,KAAK,cAAc,yBACzC;AACD,QAAO,MAAM,IAAI,QAAQ,EACvB,KAAK,KAAK,SAAS,0BAA0B,KAAK,WACnD,CAAC,CACC,mBAAmB,EAAE,KAAK,SAAS,CAAC,CACpC,aAAa,CACb,OAAO,qBAAqB,kBAAkB,mBAAmB,CAAC,CAClE,UAAU,WAAW,kBAAkB,CAAC,CACxC,YAAY,SAAS,CACrB,kBAAkB,eAAe,CACjC,KAAK,WAAW"}

package/dist/component/server/totp.js

@@ -0,0 +1,148 @@
+import { AuthError } from "./authError.js";
+import { userIdFromIdentitySubject } from "./identity.js";
+import { callVerifierSignature } from "./mutations/signature.js";
+import { callSignIn } from "./mutations/signin.js";
+import { callVerifier } from "./mutations/verifier.js";
+import { mutateTotpInsert, mutateTotpMarkVerified, mutateTotpUpdateLastUsed, mutateVerifierDelete, queryTotpById, queryTotpVerifiedByUserId, queryUserById, queryVerifierById } from "./types.js";
+import { encodeBase32LowerCaseNoPadding } from "@oslojs/encoding";
+import { Fx } from "@robelest/fx";
+import { createTOTPKeyURI, verifyTOTPWithGracePeriod } from "@oslojs/otp";
+
+//#region src/server/totp.ts
+/**
+* Server-side TOTP ceremony logic for two-factor authentication.
+*
+* Handles the three phases of the TOTP flow:
+* 1. setup   — generate a TOTP secret and `otpauth://` URI for enrollment
+* 2. confirm — verify the first code from the authenticator app
+* 3. verify  — verify a TOTP code during sign-in (2FA challenge)
+*/
+const TOTP_FLOWS = [
+	"setup",
+	"confirm",
+	"verify"
+];
+const resolveTotpFlowFx = (params) => {
+	const flow = params.flow;
+	return typeof flow === "string" && TOTP_FLOWS.includes(flow) ? Fx.succeed(flow) : Fx.fail(new AuthError("TOTP_MISSING_FLOW", "Missing `flow` parameter. Expected one of: setup, confirm, verify"));
+};
+const requireTotpVerifierFx = (verifier) => verifier != null ? Fx.succeed(verifier) : Fx.fail(new AuthError("TOTP_MISSING_VERIFIER"));
+const requireTotpCodeFx = (params) => typeof params.code === "string" ? Fx.succeed(params.code) : Fx.fail(new AuthError("TOTP_MISSING_CODE"));
+const requireTotpIdFx = (params) => typeof params.totpId === "string" ? Fx.succeed(params.totpId) : Fx.fail(new AuthError("TOTP_MISSING_ID"));
+const resolveTotpDispatchFx = (params, verifier) => resolveTotpFlowFx(params).pipe(Fx.chain((flow) => Fx.match({ flow }).on("flow", {
+	setup: () => Fx.succeed({
+		flow: "setup",
+		params
+	}),
+	confirm: () => Fx.gen(function* () {
+		const resolvedVerifier = yield* requireTotpVerifierFx(verifier);
+		return {
+			flow: "confirm",
+			code: yield* requireTotpCodeFx(params),
+			totpId: yield* requireTotpIdFx(params),
+			verifier: resolvedVerifier
+		};
+	}),
+	verify: () => Fx.gen(function* () {
+		const resolvedVerifier = yield* requireTotpVerifierFx(verifier);
+		return {
+			flow: "verify",
+			code: yield* requireTotpCodeFx(params),
+			verifier: resolvedVerifier
+		};
+	})
+})));
+/** @internal */
+const handleTotp = (ctx, provider, args) => {
+	return resolveTotpDispatchFx(args.params ?? {}, args.verifier).pipe(Fx.chain((dispatch) => Fx.match(dispatch).on("flow", {
+		setup: ({ params }) => Fx.from({
+			ok: () => ctx.auth.getUserIdentity(),
+			err: (e) => new AuthError("INTERNAL_ERROR", String(e))
+		}).pipe(Fx.chain((identity) => identity === null ? Fx.fail(new AuthError("TOTP_AUTH_REQUIRED")) : Fx.succeed(userIdFromIdentitySubject(identity.subject))), Fx.chain((userId) => Fx.from({
+			ok: async () => {
+				const secret = new Uint8Array(20);
+				crypto.getRandomValues(secret);
+				let accountName = params.accountName;
+				if (!accountName) accountName = (await queryUserById(ctx, userId))?.email ?? "user";
+				const uri = createTOTPKeyURI(provider.options.issuer, accountName, secret, provider.options.period, provider.options.digits);
+				const base32Secret = encodeBase32LowerCaseNoPadding(secret);
+				const verifier = await callVerifier(ctx);
+				await callVerifierSignature(ctx, {
+					verifier,
+					signature: JSON.stringify({
+						secret: Array.from(secret),
+						userId,
+						digits: provider.options.digits,
+						period: provider.options.period
+					})
+				});
+				return {
+					kind: "totpSetup",
+					uri,
+					secret: base32Secret,
+					verifier,
+					totpId: await mutateTotpInsert(ctx, {
+						userId,
+						secret: secret.buffer.slice(secret.byteOffset, secret.byteOffset + secret.byteLength),
+						digits: provider.options.digits,
+						period: provider.options.period,
+						verified: false,
+						name: typeof params.name === "string" ? params.name : void 0,
+						createdAt: Date.now()
+					})
+				};
+			},
+			err: (e) => new AuthError("INTERNAL_ERROR", `TOTP setup failed: ${String(e)}`)
+		}))),
+		confirm: ({ code, totpId, verifier }) => Fx.from({
+			ok: () => ctx.auth.getUserIdentity(),
+			err: (e) => new AuthError("INTERNAL_ERROR", String(e))
+		}).pipe(Fx.chain((identity) => identity === null ? Fx.fail(new AuthError("TOTP_AUTH_REQUIRED")) : Fx.succeed(userIdFromIdentitySubject(identity.subject))), Fx.chain((userId) => Fx.from({
+			ok: () => queryTotpById(ctx, totpId),
+			err: () => new AuthError("TOTP_NOT_FOUND")
+		}).pipe(Fx.chain((doc) => doc === null ? Fx.fail(new AuthError("TOTP_NOT_FOUND")) : Fx.succeed(doc)), Fx.chain((totpDoc) => totpDoc.verified ? Fx.fail(new AuthError("TOTP_ALREADY_VERIFIED")) : Fx.succeed(totpDoc))).pipe(Fx.chain((totpDoc) => verifyTOTPWithGracePeriod(new Uint8Array(totpDoc.secret), provider.options.period, provider.options.digits, code, 30) ? Fx.succeed(totpDoc) : Fx.fail(new AuthError("TOTP_INVALID_CODE")))).pipe(Fx.chain((_totpDoc) => Fx.from({
+			ok: async () => {
+				await mutateTotpMarkVerified(ctx, totpId, Date.now());
+				await mutateVerifierDelete(ctx, verifier);
+				return callSignIn(ctx, {
+					userId,
+					generateTokens: true
+				});
+			},
+			err: (e) => new AuthError("INTERNAL_ERROR", String(e))
+		}))).pipe(Fx.map((signInResult) => ({
+			kind: "signedIn",
+			signedIn: signInResult
+		}))))),
+		verify: ({ code, verifier }) => Fx.from({
+			ok: () => queryVerifierById(ctx, verifier),
+			err: () => new AuthError("TOTP_INVALID_VERIFIER")
+		}).pipe(Fx.chain((doc) => doc === null ? Fx.fail(new AuthError("TOTP_INVALID_VERIFIER")) : Fx.succeed(doc)), Fx.map((doc) => {
+			return {
+				userId: JSON.parse(doc.signature).userId,
+				code,
+				verifier
+			};
+		}), Fx.chain(({ userId, code: code$1, verifier: verifier$1 }) => Fx.from({
+			ok: () => queryTotpVerifiedByUserId(ctx, userId),
+			err: () => new AuthError("TOTP_NO_ENROLLMENT")
+		}).pipe(Fx.chain((totpDoc) => totpDoc === null ? Fx.fail(new AuthError("TOTP_NO_ENROLLMENT")) : Fx.succeed(totpDoc)), Fx.chain((totpDoc) => verifyTOTPWithGracePeriod(new Uint8Array(totpDoc.secret), totpDoc.period, totpDoc.digits, code$1, 30) ? Fx.succeed(totpDoc) : Fx.fail(new AuthError("TOTP_INVALID_CODE"))), Fx.chain((totpDoc) => Fx.from({
+			ok: async () => {
+				await mutateTotpUpdateLastUsed(ctx, totpDoc._id, Date.now());
+				await mutateVerifierDelete(ctx, verifier$1);
+				return callSignIn(ctx, {
+					userId,
+					generateTokens: true
+				});
+			},
+			err: (e) => new AuthError("INTERNAL_ERROR", String(e))
+		})), Fx.map((signInResult) => ({
+			kind: "signedIn",
+			signedIn: signInResult
+		})))))
+	})));
+};
+
+//#endregion
+export { handleTotp };
+//# sourceMappingURL=totp.js.map

package/dist/component/server/totp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp.js","names":["code","verifier"],"sources":["../../../src/server/totp.ts"],"sourcesContent":["/**\n * Server-side TOTP ceremony logic for two-factor authentication.\n *\n * Handles the three phases of the TOTP flow:\n * 1. setup   — generate a TOTP secret and `otpauth://` URI for enrollment\n * 2. confirm — verify the first code from the authenticator app\n * 3. verify  — verify a TOTP code during sign-in (2FA challenge)\n */\n\nimport { encodeBase32LowerCaseNoPadding } from \"@oslojs/encoding\";\nimport { verifyTOTPWithGracePeriod, createTOTPKeyURI } from \"@oslojs/otp\";\nimport type { Fx as FxType } from \"@robelest/fx\";\n\nimport { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./authError\";\nimport { userIdFromIdentitySubject } from \"./identity\";\nimport { callSignIn, callVerifier } from \"./mutations/index\";\nimport { callVerifierSignature } from \"./mutations/signature\";\nimport { TotpProviderConfig, GenericActionCtxWithAuthConfig } from \"./types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  queryUserById,\n  queryTotpById,\n  queryTotpVerifiedByUserId,\n  queryVerifierById,\n  mutateTotpInsert,\n  mutateTotpMarkVerified,\n  mutateTotpUpdateLastUsed,\n  mutateVerifierDelete,\n} from \"./types\";\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n// ============================================================================\n// Setup flow\n// ============================================================================\n\n// ============================================================================\n// Confirm flow\n// ============================================================================\n\n// ============================================================================\n// Verify flow (2FA during sign-in)\n// ============================================================================\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\ntype TotpResult =\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | {\n      kind: \"totpSetup\";\n      uri: string;\n      secret: string;\n      verifier: string;\n      totpId: string;\n    };\n\nconst TOTP_FLOWS = [\"setup\", \"confirm\", \"verify\"] as const;\n\ntype TotpFlow = (typeof TOTP_FLOWS)[number];\n\ntype TotpDispatch =\n  | { flow: \"setup\"; params: Record<string, unknown> }\n  | { flow: \"confirm\"; code: string; totpId: string; verifier: string }\n  | { flow: \"verify\"; code: string; verifier: string };\n\nconst resolveTotpFlowFx = (\n  params: Record<string, unknown>,\n): FxType<TotpFlow, AuthError> => {\n  const flow = params.flow;\n  return typeof flow === \"string\" && TOTP_FLOWS.includes(flow as never)\n    ? Fx.succeed(flow as TotpFlow)\n    : Fx.fail(\n        new AuthError(\n          \"TOTP_MISSING_FLOW\",\n          \"Missing `flow` parameter. Expected one of: setup, confirm, verify\",\n        ),\n      );\n};\n\nconst requireTotpVerifierFx = (\n  verifier: string | undefined,\n): FxType<string, AuthError> =>\n  verifier != null\n    ? Fx.succeed(verifier)\n    : Fx.fail(new AuthError(\"TOTP_MISSING_VERIFIER\"));\n\nconst requireTotpCodeFx = (\n  params: Record<string, unknown>,\n): FxType<string, AuthError> =>\n  typeof params.code === \"string\"\n    ? Fx.succeed(params.code)\n    : Fx.fail(new AuthError(\"TOTP_MISSING_CODE\"));\n\nconst requireTotpIdFx = (\n  params: Record<string, unknown>,\n): FxType<string, AuthError> =>\n  typeof params.totpId === \"string\"\n    ? Fx.succeed(params.totpId)\n    : Fx.fail(new AuthError(\"TOTP_MISSING_ID\"));\n\nconst resolveTotpDispatchFx = (\n  params: Record<string, unknown>,\n  verifier: string | undefined,\n): FxType<TotpDispatch, AuthError> =>\n  resolveTotpFlowFx(params).pipe(\n    Fx.chain((flow) =>\n      Fx.match({ flow }).on(\"flow\", {\n        setup: () => Fx.succeed({ flow: \"setup\" as const, params }),\n        confirm: () =>\n          Fx.gen(function* () {\n            const resolvedVerifier = yield* requireTotpVerifierFx(verifier);\n            const code = yield* requireTotpCodeFx(params);\n            const totpId = yield* requireTotpIdFx(params);\n            return {\n              flow: \"confirm\" as const,\n              code,\n              totpId,\n              verifier: resolvedVerifier,\n            };\n          }),\n        verify: () =>\n          Fx.gen(function* () {\n            const resolvedVerifier = yield* requireTotpVerifierFx(verifier);\n            const code = yield* requireTotpCodeFx(params);\n            return {\n              flow: \"verify\" as const,\n              code,\n              verifier: resolvedVerifier,\n            };\n          }),\n      }),\n    ),\n  );\n\n/** @internal */\nexport const handleTotp = (\n  ctx: EnrichedActionCtx,\n  provider: TotpProviderConfig,\n  args: { params?: Record<string, any>; verifier?: string },\n): FxType<TotpResult, AuthError> => {\n  const params = (args.params ?? {}) as Record<string, unknown>;\n\n  return resolveTotpDispatchFx(params, args.verifier).pipe(\n    Fx.chain((dispatch) =>\n      Fx.match(dispatch).on(\"flow\", {\n        setup: ({ params }) =>\n          Fx.from({\n            ok: () => ctx.auth.getUserIdentity(),\n            err: (e) => new AuthError(\"INTERNAL_ERROR\", String(e)),\n          }).pipe(\n            Fx.chain((identity) =>\n              identity === null\n                ? Fx.fail(new AuthError(\"TOTP_AUTH_REQUIRED\"))\n                : Fx.succeed(userIdFromIdentitySubject(identity.subject)),\n            ),\n            Fx.chain((userId) =>\n              Fx.from({\n                ok: async () => {\n                  const secret = new Uint8Array(20);\n                  crypto.getRandomValues(secret);\n\n                  let accountName: string = params.accountName as string;\n                  if (!accountName) {\n                    const user = await queryUserById(ctx, userId);\n                    accountName = user?.email ?? \"user\";\n                  }\n\n                  const uri = createTOTPKeyURI(\n                    provider.options.issuer,\n                    accountName,\n                    secret,\n                    provider.options.period,\n                    provider.options.digits,\n                  );\n                  const base32Secret = encodeBase32LowerCaseNoPadding(secret);\n\n                  const verifier = await callVerifier(ctx);\n                  await callVerifierSignature(ctx, {\n                    verifier,\n                    signature: JSON.stringify({\n                      secret: Array.from(secret),\n                      userId,\n                      digits: provider.options.digits,\n                      period: provider.options.period,\n                    }),\n                  });\n\n                  const totpId = await mutateTotpInsert(ctx, {\n                    userId,\n                    secret: secret.buffer.slice(\n                      secret.byteOffset,\n                      secret.byteOffset + secret.byteLength,\n                    ),\n                    digits: provider.options.digits,\n                    period: provider.options.period,\n                    verified: false,\n                    name:\n                      typeof params.name === \"string\" ? params.name : undefined,\n                    createdAt: Date.now(),\n                  });\n\n                  return {\n                    kind: \"totpSetup\" as const,\n                    uri,\n                    secret: base32Secret,\n                    verifier,\n                    totpId,\n                  };\n                },\n                err: (e) =>\n                  new AuthError(\n                    \"INTERNAL_ERROR\",\n                    `TOTP setup failed: ${String(e)}`,\n                  ),\n              }),\n            ),\n          ),\n        confirm: ({ code, totpId, verifier }) =>\n          Fx.from({\n            ok: () => ctx.auth.getUserIdentity(),\n            err: (e) => new AuthError(\"INTERNAL_ERROR\", String(e)),\n          }).pipe(\n            Fx.chain((identity) =>\n              identity === null\n                ? Fx.fail(new AuthError(\"TOTP_AUTH_REQUIRED\"))\n                : Fx.succeed(userIdFromIdentitySubject(identity.subject)),\n            ),\n            Fx.chain((userId) =>\n              Fx.from({\n                ok: () => queryTotpById(ctx, totpId),\n                err: () => new AuthError(\"TOTP_NOT_FOUND\"),\n              })\n                .pipe(\n                  Fx.chain((doc) =>\n                    doc === null\n                      ? Fx.fail(new AuthError(\"TOTP_NOT_FOUND\"))\n                      : Fx.succeed(doc),\n                  ),\n                  Fx.chain((totpDoc) =>\n                    totpDoc.verified\n                      ? Fx.fail(new AuthError(\"TOTP_ALREADY_VERIFIED\"))\n                      : Fx.succeed(totpDoc),\n                  ),\n                )\n                .pipe(\n                  Fx.chain((totpDoc) =>\n                    verifyTOTPWithGracePeriod(\n                      new Uint8Array(totpDoc.secret),\n                      provider.options.period,\n                      provider.options.digits,\n                      code,\n                      30,\n                    )\n                      ? Fx.succeed(totpDoc)\n                      : Fx.fail(new AuthError(\"TOTP_INVALID_CODE\")),\n                  ),\n                )\n                .pipe(\n                  Fx.chain((_totpDoc) =>\n                    Fx.from({\n                      ok: async () => {\n                        await mutateTotpMarkVerified(ctx, totpId, Date.now());\n                        await mutateVerifierDelete(ctx, verifier);\n                        return callSignIn(ctx, {\n                          userId,\n                          generateTokens: true,\n                        });\n                      },\n                      err: (e) => new AuthError(\"INTERNAL_ERROR\", String(e)),\n                    }),\n                  ),\n                )\n                .pipe(\n                  Fx.map((signInResult) => ({\n                    kind: \"signedIn\" as const,\n                    signedIn: signInResult,\n                  })),\n                ),\n            ),\n          ),\n        verify: ({ code, verifier }) =>\n          Fx.from({\n            ok: () => queryVerifierById(ctx, verifier),\n            err: () => new AuthError(\"TOTP_INVALID_VERIFIER\"),\n          }).pipe(\n            Fx.chain((doc) =>\n              doc === null\n                ? Fx.fail(new AuthError(\"TOTP_INVALID_VERIFIER\"))\n                : Fx.succeed(doc),\n            ),\n            Fx.map((doc) => {\n              const data = JSON.parse(doc.signature!);\n              return { userId: data.userId as string, code, verifier };\n            }),\n            Fx.chain(({ userId, code, verifier }) =>\n              Fx.from({\n                ok: () => queryTotpVerifiedByUserId(ctx, userId),\n                err: () => new AuthError(\"TOTP_NO_ENROLLMENT\"),\n              }).pipe(\n                Fx.chain((totpDoc) =>\n                  totpDoc === null\n                    ? Fx.fail(new AuthError(\"TOTP_NO_ENROLLMENT\"))\n                    : Fx.succeed(totpDoc),\n                ),\n                Fx.chain((totpDoc) =>\n                  verifyTOTPWithGracePeriod(\n                    new Uint8Array(totpDoc.secret),\n                    totpDoc.period,\n                    totpDoc.digits,\n                    code,\n                    30,\n                  )\n                    ? Fx.succeed(totpDoc)\n                    : Fx.fail(new AuthError(\"TOTP_INVALID_CODE\")),\n                ),\n                Fx.chain((totpDoc) =>\n                  Fx.from({\n                    ok: async () => {\n                      await mutateTotpUpdateLastUsed(\n                        ctx,\n                        totpDoc._id,\n                        Date.now(),\n                      );\n                      await mutateVerifierDelete(ctx, verifier);\n                      return callSignIn(ctx, { userId, generateTokens: true });\n                    },\n                    err: (e) => new AuthError(\"INTERNAL_ERROR\", String(e)),\n                  }),\n                ),\n                Fx.map((signInResult) => ({\n                  kind: \"signedIn\" as const,\n                  signedIn: signInResult,\n                })),\n              ),\n            ),\n          ),\n      }),\n    ),\n  );\n};\n\n// ============================================================================\n// Helpers\n// ============================================================================\n"],"mappings":";;;;;;;;;;;;;;;;;;;AA6DA,MAAM,aAAa;CAAC;CAAS;CAAW;CAAS;AASjD,MAAM,qBACJ,WACgC;CAChC,MAAM,OAAO,OAAO;AACpB,QAAO,OAAO,SAAS,YAAY,WAAW,SAAS,KAAc,GACjE,GAAG,QAAQ,KAAiB,GAC5B,GAAG,KACD,IAAI,UACF,qBACA,oEACD,CACF;;AAGP,MAAM,yBACJ,aAEA,YAAY,OACR,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC;AAErD,MAAM,qBACJ,WAEA,OAAO,OAAO,SAAS,WACnB,GAAG,QAAQ,OAAO,KAAK,GACvB,GAAG,KAAK,IAAI,UAAU,oBAAoB,CAAC;AAEjD,MAAM,mBACJ,WAEA,OAAO,OAAO,WAAW,WACrB,GAAG,QAAQ,OAAO,OAAO,GACzB,GAAG,KAAK,IAAI,UAAU,kBAAkB,CAAC;AAE/C,MAAM,yBACJ,QACA,aAEA,kBAAkB,OAAO,CAAC,KACxB,GAAG,OAAO,SACR,GAAG,MAAM,EAAE,MAAM,CAAC,CAAC,GAAG,QAAQ;CAC5B,aAAa,GAAG,QAAQ;EAAE,MAAM;EAAkB;EAAQ,CAAC;CAC3D,eACE,GAAG,IAAI,aAAa;EAClB,MAAM,mBAAmB,OAAO,sBAAsB,SAAS;AAG/D,SAAO;GACL,MAAM;GACN,MAJW,OAAO,kBAAkB,OAAO;GAK3C,QAJa,OAAO,gBAAgB,OAAO;GAK3C,UAAU;GACX;GACD;CACJ,cACE,GAAG,IAAI,aAAa;EAClB,MAAM,mBAAmB,OAAO,sBAAsB,SAAS;AAE/D,SAAO;GACL,MAAM;GACN,MAHW,OAAO,kBAAkB,OAAO;GAI3C,UAAU;GACX;GACD;CACL,CAAC,CACH,CACF;;AAGH,MAAa,cACX,KACA,UACA,SACkC;AAGlC,QAAO,sBAFS,KAAK,UAAU,EAAE,EAEI,KAAK,SAAS,CAAC,KAClD,GAAG,OAAO,aACR,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ;EAC5B,QAAQ,EAAE,aACR,GAAG,KAAK;GACN,UAAU,IAAI,KAAK,iBAAiB;GACpC,MAAM,MAAM,IAAI,UAAU,kBAAkB,OAAO,EAAE,CAAC;GACvD,CAAC,CAAC,KACD,GAAG,OAAO,aACR,aAAa,OACT,GAAG,KAAK,IAAI,UAAU,qBAAqB,CAAC,GAC5C,GAAG,QAAQ,0BAA0B,SAAS,QAAQ,CAAC,CAC5D,EACD,GAAG,OAAO,WACR,GAAG,KAAK;GACN,IAAI,YAAY;IACd,MAAM,SAAS,IAAI,WAAW,GAAG;AACjC,WAAO,gBAAgB,OAAO;IAE9B,IAAI,cAAsB,OAAO;AACjC,QAAI,CAAC,YAEH,gBADa,MAAM,cAAc,KAAK,OAAO,GACzB,SAAS;IAG/B,MAAM,MAAM,iBACV,SAAS,QAAQ,QACjB,aACA,QACA,SAAS,QAAQ,QACjB,SAAS,QAAQ,OAClB;IACD,MAAM,eAAe,+BAA+B,OAAO;IAE3D,MAAM,WAAW,MAAM,aAAa,IAAI;AACxC,UAAM,sBAAsB,KAAK;KAC/B;KACA,WAAW,KAAK,UAAU;MACxB,QAAQ,MAAM,KAAK,OAAO;MAC1B;MACA,QAAQ,SAAS,QAAQ;MACzB,QAAQ,SAAS,QAAQ;MAC1B,CAAC;KACH,CAAC;AAgBF,WAAO;KACL,MAAM;KACN;KACA,QAAQ;KACR;KACA,QAnBa,MAAM,iBAAiB,KAAK;MACzC;MACA,QAAQ,OAAO,OAAO,MACpB,OAAO,YACP,OAAO,aAAa,OAAO,WAC5B;MACD,QAAQ,SAAS,QAAQ;MACzB,QAAQ,SAAS,QAAQ;MACzB,UAAU;MACV,MACE,OAAO,OAAO,SAAS,WAAW,OAAO,OAAO;MAClD,WAAW,KAAK,KAAK;MACtB,CAAC;KAQD;;GAEH,MAAM,MACJ,IAAI,UACF,kBACA,sBAAsB,OAAO,EAAE,GAChC;GACJ,CAAC,CACH,CACF;EACH,UAAU,EAAE,MAAM,QAAQ,eACxB,GAAG,KAAK;GACN,UAAU,IAAI,KAAK,iBAAiB;GACpC,MAAM,MAAM,IAAI,UAAU,kBAAkB,OAAO,EAAE,CAAC;GACvD,CAAC,CAAC,KACD,GAAG,OAAO,aACR,aAAa,OACT,GAAG,KAAK,IAAI,UAAU,qBAAqB,CAAC,GAC5C,GAAG,QAAQ,0BAA0B,SAAS,QAAQ,CAAC,CAC5D,EACD,GAAG,OAAO,WACR,GAAG,KAAK;GACN,UAAU,cAAc,KAAK,OAAO;GACpC,WAAW,IAAI,UAAU,iBAAiB;GAC3C,CAAC,CACC,KACC,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK,IAAI,UAAU,iBAAiB,CAAC,GACxC,GAAG,QAAQ,IAAI,CACpB,EACD,GAAG,OAAO,YACR,QAAQ,WACJ,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,QAAQ,QAAQ,CACxB,CACF,CACA,KACC,GAAG,OAAO,YACR,0BACE,IAAI,WAAW,QAAQ,OAAO,EAC9B,SAAS,QAAQ,QACjB,SAAS,QAAQ,QACjB,MACA,GACD,GACG,GAAG,QAAQ,QAAQ,GACnB,GAAG,KAAK,IAAI,UAAU,oBAAoB,CAAC,CAChD,CACF,CACA,KACC,GAAG,OAAO,aACR,GAAG,KAAK;GACN,IAAI,YAAY;AACd,UAAM,uBAAuB,KAAK,QAAQ,KAAK,KAAK,CAAC;AACrD,UAAM,qBAAqB,KAAK,SAAS;AACzC,WAAO,WAAW,KAAK;KACrB;KACA,gBAAgB;KACjB,CAAC;;GAEJ,MAAM,MAAM,IAAI,UAAU,kBAAkB,OAAO,EAAE,CAAC;GACvD,CAAC,CACH,CACF,CACA,KACC,GAAG,KAAK,kBAAkB;GACxB,MAAM;GACN,UAAU;GACX,EAAE,CACJ,CACJ,CACF;EACH,SAAS,EAAE,MAAM,eACf,GAAG,KAAK;GACN,UAAU,kBAAkB,KAAK,SAAS;GAC1C,WAAW,IAAI,UAAU,wBAAwB;GAClD,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK,IAAI,UAAU,wBAAwB,CAAC,GAC/C,GAAG,QAAQ,IAAI,CACpB,EACD,GAAG,KAAK,QAAQ;AAEd,UAAO;IAAE,QADI,KAAK,MAAM,IAAI,UAAW,CACjB;IAAkB;IAAM;IAAU;IACxD,EACF,GAAG,OAAO,EAAE,QAAQ,cAAM,2BACxB,GAAG,KAAK;GACN,UAAU,0BAA0B,KAAK,OAAO;GAChD,WAAW,IAAI,UAAU,qBAAqB;GAC/C,CAAC,CAAC,KACD,GAAG,OAAO,YACR,YAAY,OACR,GAAG,KAAK,IAAI,UAAU,qBAAqB,CAAC,GAC5C,GAAG,QAAQ,QAAQ,CACxB,EACD,GAAG,OAAO,YACR,0BACE,IAAI,WAAW,QAAQ,OAAO,EAC9B,QAAQ,QACR,QAAQ,QACRA,QACA,GACD,GACG,GAAG,QAAQ,QAAQ,GACnB,GAAG,KAAK,IAAI,UAAU,oBAAoB,CAAC,CAChD,EACD,GAAG,OAAO,YACR,GAAG,KAAK;GACN,IAAI,YAAY;AACd,UAAM,yBACJ,KACA,QAAQ,KACR,KAAK,KAAK,CACX;AACD,UAAM,qBAAqB,KAAKC,WAAS;AACzC,WAAO,WAAW,KAAK;KAAE;KAAQ,gBAAgB;KAAM,CAAC;;GAE1D,MAAM,MAAM,IAAI,UAAU,kBAAkB,OAAO,EAAE,CAAC;GACvD,CAAC,CACH,EACD,GAAG,KAAK,kBAAkB;GACxB,MAAM;GACN,UAAU;GACX,EAAE,CACJ,CACF,CACF;EACJ,CAAC,CACH,CACF"}