@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/server/enterprise/domain.d.ts

@@ -0,0 +1,409 @@
+import { EnterprisePolicyPatch } from "../types.js";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+
+//#region src/server/enterprise/domain.d.ts
+type ComponentCtx = Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">;
+type ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, "runQuery">;
+/**
+ * Build the enterprise and SSO management domain.
+ */
+declare function createEnterpriseDomain(deps: any): {
+  connection: {
+    create: (ctx: ComponentCtx, data: {
+      groupId: string;
+      slug?: string;
+      name?: string;
+      status?: "draft" | "active" | "disabled";
+      policy?: EnterprisePolicyPatch;
+      config?: Record<string, unknown>;
+      extend?: Record<string, unknown>;
+    }) => Promise<{
+      ok: true;
+      enterpriseId: string;
+      groupId: string;
+    }>;
+    get: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<any>;
+    getByGroup: (ctx: ComponentReadCtx, groupId: string) => Promise<any>;
+    getByDomain: (ctx: ComponentReadCtx, domain: string) => Promise<any>;
+    list: (ctx: ComponentReadCtx, opts?: {
+      where?: {
+        groupId?: string;
+        slug?: string;
+        status?: "draft" | "active" | "disabled";
+      };
+      limit?: number;
+      cursor?: string | null;
+      orderBy?: "_creationTime" | "name" | "slug" | "status";
+      order?: "asc" | "desc";
+    }) => Promise<any>;
+    update: (ctx: ComponentCtx, enterpriseId: string, data: Record<string, unknown>) => Promise<{
+      ok: true;
+      enterpriseId: string;
+    }>;
+    delete: (ctx: ComponentCtx, enterpriseId: string) => Promise<{
+      ok: true;
+      enterpriseId: string;
+    }>;
+    /**
+     * Aggregate readiness status across all configured protocols for an
+     * enterprise connection.
+     *
+     * Returns a structured result indicating whether the connection is
+     * ready, with per-protocol checks so callers can surface actionable
+     * diagnostics without running full network validation.
+     */
+    status: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<{
+      enterpriseId: any;
+      status: any;
+      ready: boolean;
+      domainCount: number;
+      protocols: {
+        oidc: {
+          configured: boolean;
+          ready: boolean;
+          clientId: any;
+          issuer: any;
+        };
+        saml: {
+          configured: boolean;
+          ready: boolean;
+          entityId: any;
+        };
+        scim: {
+          configured: boolean;
+          ready: boolean;
+          basePath: any;
+          deprovisionMode: any;
+        };
+      };
+    }>;
+  };
+  domain: {
+    add: (ctx: ComponentCtx, data: {
+      enterpriseId: string;
+      groupId: string;
+      domain: string;
+      isPrimary?: boolean;
+    }) => Promise<string>;
+    list: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<any>;
+    validate: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<{
+      enterpriseId: string;
+      ready: boolean;
+      summary: {
+        domainCount: any;
+        primaryCount: any;
+        verifiedCount: any;
+      };
+      domains: any;
+      warnings: string[];
+    }>;
+    remove: (ctx: ComponentCtx, domainId: string) => Promise<void>;
+    verification: {
+      request: (ctx: ComponentCtx, args: {
+        enterpriseId: string;
+        domain: string;
+      }) => Promise<{
+        ok: true;
+        enterpriseId: any;
+        domain: any;
+        requestedAt: number;
+        expiresAt: number;
+        challenge: {
+          recordType: "TXT";
+          recordName: string;
+          recordValue: any;
+        };
+      }>;
+      confirm: (ctx: ComponentCtx, args: {
+        enterpriseId: string;
+        domain: string;
+      }) => Promise<{
+        ok: boolean;
+        enterpriseId: any;
+        domain: any;
+        verifiedAt: any;
+        checks: {
+          name: string;
+          ok: boolean;
+          message: string;
+        }[];
+      } | {
+        ok: boolean;
+        enterpriseId: any;
+        domain: any;
+        checks: {
+          name: string;
+          ok: boolean;
+          message?: string;
+        }[];
+        verifiedAt?: undefined;
+      } | {
+        ok: boolean;
+        enterpriseId: any;
+        domain: any;
+        verifiedAt: number;
+        checks: {
+          name: string;
+          ok: boolean;
+          message?: string;
+        }[];
+      }>;
+    };
+  };
+  saml: {
+    configure: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, data: {
+      enterpriseId: string;
+      metadataXml?: string;
+      metadataUrl?: string;
+      domains?: string[];
+      signAuthnRequests?: boolean;
+      attributeMapping?: {
+        subject?: string;
+        email?: string;
+        name?: string;
+        firstName?: string;
+        lastName?: string;
+      };
+      sp?: {
+        entityId?: string;
+        acsUrl?: string;
+        sloUrl?: string;
+        signingCert?: string | string[];
+        encryptCert?: string | string[];
+        privateKey?: string;
+        privateKeyPass?: string;
+        encPrivateKey?: string;
+        encPrivateKeyPass?: string;
+      };
+    }) => Promise<{
+      ok: true;
+      enterpriseId: any;
+      groupId: any;
+    }>;
+    metadata: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, opts: {
+      enterpriseId: string;
+      entityId?: string;
+      acsUrl?: string;
+      sloUrl?: string;
+    }) => Promise<any>;
+    /**
+     * Validate the stored SAML config for an enterprise connection.
+     *
+     * Re-parses IdP metadata, checks signing cert presence, and verifies
+     * SP metadata can be generated. Returns a structured result with
+     * per-check details rather than throwing on first failure.
+     */
+    validate: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, enterpriseId: string) => Promise<{
+      ok: boolean;
+      enterpriseId: any;
+      checks: {
+        name: string;
+        ok: boolean;
+        message?: string;
+      }[];
+    }>;
+  };
+  policy: {
+    get: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<any>;
+    update: (ctx: ComponentCtx, enterpriseId: string, patch: EnterprisePolicyPatch) => Promise<any>;
+    validate: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<{
+      ok: boolean;
+      enterpriseId: string;
+      checks: {
+        name: string;
+        ok: boolean;
+        message: any;
+      }[];
+      policy?: undefined;
+    } | {
+      ok: any;
+      enterpriseId: string;
+      policy: any;
+      checks: any;
+    }>;
+  };
+  oidc: {
+    /**
+     * Register or update enterprise OIDC connection settings.
+     *
+     * Persists protocol config under `enterprise.config.protocols.oidc` and
+     * records an `enterprise.oidc.registered` audit event.
+     */
+    configure: (ctx: ComponentCtx, data: {
+      enterpriseId: string;
+      issuer?: string;
+      discoveryUrl?: string;
+      clientId: string;
+      clientSecret?: string;
+      scopes?: string[];
+      authorizationParams?: Record<string, string>;
+      clockToleranceSeconds?: number;
+      strictIssuer?: boolean;
+      /**
+       * Map OIDC claim names to `user.extend` field names.
+       * Example: `{ department: "department", role: "job_title" }` means
+       * the OIDC `department` claim is stored as `user.extend.department`.
+       */
+      extraFields?: Record<string, string>;
+    }) => Promise<any>;
+    /**
+     * Fetch the stored OIDC config for an enterprise.
+     */
+    get: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<any>;
+    /**
+     * Resolve enterprise OIDC sign-in route from enterprise id, domain, or
+     * user email domain.
+     */
+    signIn: (ctx: ComponentReadCtx, data: {
+      enterpriseId?: string;
+      email?: string;
+      domain?: string;
+      redirectTo?: string;
+    }) => Promise<{
+      enterpriseId: any;
+      providerId: any;
+      signInPath: any;
+      callbackPath: any;
+      redirectTo: string | undefined;
+    }>;
+    /**
+     * Validate the stored OIDC config for an enterprise connection.
+     *
+     * Fetches the OIDC discovery document from the configured issuer or
+     * discoveryUrl, verifies required fields are present, and checks that
+     * clientId is set. Returns a structured result with per-check details.
+     */
+    validate: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<{
+      ok: boolean;
+      enterpriseId: any;
+      checks: {
+        name: string;
+        ok: boolean;
+        message?: string;
+      }[];
+    }>;
+  };
+  scim: {
+    configure: (ctx: ComponentCtx, data: {
+      enterpriseId: string;
+      basePath?: string;
+      status?: "draft" | "active" | "disabled";
+    }) => Promise<{
+      ok: true;
+      enterpriseId: any;
+      configId: string;
+      basePath: string;
+      token: any;
+    }>;
+    get: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<any>;
+    getConfigByToken: (ctx: ComponentReadCtx, token: string) => Promise<any>;
+    /**
+     * Validate the stored SCIM config for an enterprise connection.
+     *
+     * Checks that a SCIM config record exists, is active, has a token
+     * hash set, and has a non-empty basePath. Returns a structured result
+     * with per-check details.
+     */
+    validate: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<{
+      ok: boolean;
+      enterpriseId: string;
+      checks: {
+        name: string;
+        ok: boolean;
+        message: string;
+      }[];
+      basePath?: undefined;
+      deprovisionMode?: undefined;
+    } | {
+      ok: boolean;
+      enterpriseId: any;
+      basePath: any;
+      deprovisionMode: any;
+      checks: {
+        name: string;
+        ok: boolean;
+        message?: string;
+      }[];
+    }>;
+    identity: {
+      get: (ctx: ComponentReadCtx, data: {
+        enterpriseId: string;
+        resourceType: "user" | "group";
+        externalId: string;
+      }) => Promise<any>;
+      upsert: (ctx: ComponentCtx, data: {
+        enterpriseId: string;
+        groupId: string;
+        resourceType: "user" | "group";
+        externalId: string;
+        userId?: string;
+        mappedGroupId?: string;
+        active?: boolean;
+        raw?: Record<string, unknown>;
+      }) => Promise<string>;
+    };
+  };
+  audit: {
+    record: (ctx: ComponentCtx, data: {
+      enterpriseId: string;
+      groupId: string;
+      eventType: string;
+      actorType: "user" | "system" | "scim" | "api_key" | "webhook";
+      actorId?: string;
+      subjectType: string;
+      subjectId?: string;
+      ok: boolean;
+      requestId?: string;
+      ip?: string;
+      metadata?: Record<string, unknown>;
+    }) => Promise<any>;
+    list: (ctx: ComponentReadCtx, data: {
+      enterpriseId?: string;
+      groupId?: string;
+      limit?: number;
+    }) => Promise<any>;
+  };
+  webhook: {
+    endpoint: {
+      get: (ctx: ComponentReadCtx, endpointId: string) => Promise<any>;
+      create: (ctx: ComponentCtx, data: {
+        enterpriseId: string;
+        url: string;
+        secret: string;
+        subscriptions: string[];
+        createdByUserId?: string;
+      }) => Promise<{
+        ok: true;
+        endpointId: string;
+      }>;
+      list: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<any>;
+      disable: (ctx: ComponentCtx, endpointId: string) => Promise<{
+        ok: true;
+        endpointId: string;
+      }>;
+    };
+    emit: (ctx: ComponentCtx, data: {
+      enterpriseId: string;
+      eventType: string;
+      payload: Record<string, unknown>;
+      auditEventId?: string;
+    }) => Promise<void>;
+    delivery: {
+      list: (ctx: ComponentReadCtx, data: {
+        enterpriseId: string;
+        limit?: number;
+      }) => Promise<any>;
+      listReady: (ctx: ComponentReadCtx, limit?: number) => Promise<any>;
+      markDelivered: (ctx: ComponentCtx, deliveryId: string, responseStatus?: number) => Promise<void>;
+      markFailed: (ctx: ComponentCtx, deliveryId: string, data: {
+        attemptCount: number;
+        responseStatus?: number;
+        error?: string;
+        retryAt?: number;
+      }) => Promise<void>;
+    };
+  };
+};
+//#endregion
+export { createEnterpriseDomain };
+//# sourceMappingURL=domain.d.ts.map

package/dist/server/enterprise/domain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"domain.d.ts","names":[],"sources":["../../../src/server/enterprise/domain.ts"],"mappings":";;;;KAOK,YAAA,GAAe,IAAA,CAClB,gBAAA,CAAiB,gBAAA;AAAA,KAGd,gBAAA,GAAmB,IAAA,CAAK,gBAAA,CAAiB,gBAAA;AANQ;;;AAAA,iBAWtC,sBAAA,CAAuB,IAAA;;kBAiF1B,YAAA,EAAY,IAAA;MAEf,OAAA;MACA,IAAA;MACA,IAAA;MACA,MAAA;MACA,MAAA,GAAS,qBAAA;MACT,MAAA,GAAS,MAAA;MACT,MAAA,GAAS,MAAA;IAAA,MAEV,OAAA;MAAU,EAAA;MAAU,YAAA;MAAsB,OAAA;IAAA;eAc5B,gBAAA,EAAgB,YAAA,aAAsB,OAAA;sBAK/B,gBAAA,EAAgB,OAAA,aAAiB,OAAA;uBAQhC,gBAAA,EAAgB,MAAA,aAAgB,OAAA;gBASlD,gBAAA,EAAgB,IAAA;MAEnB,KAAA;QACE,OAAA;QACA,IAAA;QACA,MAAA;MAAA;MAEF,KAAA;MACA,MAAA;MACA,OAAA;MACA,KAAA;IAAA,MACD,OAAA;kBAWI,YAAA,EAAY,YAAA,UACG,IAAA,EACd,MAAA,sBAAuB,OAAA;;;;kBAQX,YAAA,EAAY,YAAA,aAAsB,OAAA;;;;IAhC/C;;;;;;;;kBA8Ca,gBAAA,EAAgB,YAAA,aAAsB,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;eA4EnD,YAAA,EAAY,IAAA;MAEf,YAAA;MACA,OAAA;MACA,MAAA;MACA,SAAA;IAAA,MAED,OAAA;gBASe,gBAAA,EAAgB,YAAA,aAAsB,OAAA;oBAQlC,gBAAA,EAAgB,YAAA,aAAsB,OAAA;;;;;;;;;;;kBAuDxC,YAAA,EAAY,QAAA,aAAkB,OAAA;;qBAOzC,YAAA,EAAY,IAAA;QACT,YAAA;QAAsB,MAAA;MAAA,MAAgB,OAAA;;;;;;;;;;;;qBAoEzC,YAAA,EAAY,IAAA;QACT,YAAA;QAAsB,MAAA;MAAA,MAAgB,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAsJd,gBAAA,EAAgB,GAAA,EAC7C,gBAAA,CAAiB,SAAA,GAAU,IAAA;MAE9B,YAAA;MACA,WAAA;MACA,WAAA;MACA,OAAA;MACA,iBAAA;MACA,gBAAA;QACE,OAAA;QACA,KAAA;QACA,IAAA;QACA,SAAA;QACA,QAAA;MAAA;MAEF,EAAA;QACE,QAAA;QACA,MAAA;QACA,MAAA;QACA,WAAA;QACA,WAAA;QACA,UAAA;QACA,cAAA;QACA,aAAA;QACA,iBAAA;MAAA;IAAA,MAEH,OAAA;;;;;iCAoKgC,gBAAA,EAAgB,GAAA,EAC5C,gBAAA,CAAiB,SAAA,GAAU,IAAA;MAE9B,YAAA;MACA,QAAA;MACA,MAAA;MACA,MAAA;IAAA,MACD,OAAA;IA1lBmB;;;;;;;iCA6nBa,gBAAA,EAAgB,GAAA,EAC5C,gBAAA,CAAiB,SAAA,GAAU,YAAA,aACZ,OAAA;;;;;;;;;;;eA4FL,gBAAA,EAAgB,YAAA,aAAsB,OAAA;kBAKhD,YAAA,EAAY,YAAA,UACG,KAAA,EACb,qBAAA,KAAqB,OAAA;oBAoBR,gBAAA,EAAgB,YAAA,aAAsB,OAAA;;;;;;;;;;;;;;;;;IAnpBrD;;;;;;qBAurBA,YAAA,EAAY,IAAA;MAEf,YAAA;MACA,MAAA;MACA,YAAA;MACA,QAAA;MACA,YAAA;MACA,MAAA;MACA,mBAAA,GAAsB,MAAA;MACtB,qBAAA;MACA,YAAA;MAzqBkC;;;;;MA+qBlC,WAAA,GAAc,MAAA;IAAA,MACf,OAAA;;;;eAqIc,gBAAA,EAAgB,YAAA,aAAsB,OAAA;IA9vBnC;;;;kBA+yBb,gBAAA,EAAgB,IAAA;MAEnB,YAAA;MACA,KAAA;MACA,MAAA;MACA,UAAA;IAAA,MACD,OAAA;;;;;;;;;;;;;;oBA4GmB,gBAAA,EAAgB,YAAA,aAAsB,OAAA;;;;;;;;;;;qBAsHrD,YAAA,EAAY,IAAA;MAEf,YAAA;MACA,QAAA;MACA,MAAA;IAAA,MACD,OAAA;;;;;;;eAsDc,gBAAA,EAAgB,YAAA,aAAsB,OAAA;4BAMzB,gBAAA,EAAgB,KAAA,aAAe,OAAA;;;;;;;;oBAavC,gBAAA,EAAgB,YAAA,aAAsB,OAAA;;;;;;;;;;;;;;;;;;;;;;iBA+EnD,gBAAA,EAAgB,IAAA;QAEnB,YAAA;QACA,YAAA;QACA,UAAA;MAAA,MACD,OAAA;oBAQI,YAAA,EAAY,IAAA;QAEf,YAAA;QACA,OAAA;QACA,YAAA;QACA,UAAA;QACA,MAAA;QACA,aAAA;QACA,MAAA;QACA,GAAA,GAAM,MAAA;MAAA,MACP,OAAA;IAAA;EAAA;;kBAWE,YAAA,EAAY,IAAA;MAEf,YAAA;MACA,OAAA;MACA,SAAA;MACA,SAAA;MACA,OAAA;MACA,WAAA;MACA,SAAA;MACA,EAAA;MACA,SAAA;MACA,EAAA;MACA,QAAA,GAAW,MAAA;IAAA,MACZ,OAAA;gBAKI,gBAAA,EAAgB,IAAA;MACb,YAAA;MAAuB,OAAA;MAAkB,KAAA;IAAA,MAAgB,OAAA;EAAA;;;iBAUhD,gBAAA,EAAgB,UAAA,aAAoB,OAAA;oBAO9C,YAAA,EAAY,IAAA;QAEf,YAAA;QACA,GAAA;QACA,MAAA;QACA,aAAA;QACA,eAAA;MAAA,MACD,OAAA;;;;kBAsCe,gBAAA,EAAgB,YAAA,aAAsB,OAAA;qBAMnC,YAAA,EAAY,UAAA,aAAoB,OAAA;;;;;gBAShD,YAAA,EAAY,IAAA;MAEf,YAAA;MACA,SAAA;MACA,OAAA,EAAS,MAAA;MACT,YAAA;IAAA,MACD,OAAA;;kBAMM,gBAAA,EAAgB,IAAA;QACb,YAAA;QAAsB,KAAA;MAAA,MAAgB,OAAA;uBAOzB,gBAAA,EAAgB,KAAA,cAAgB,OAAA;2BAOhD,YAAA,EAAY,UAAA,UACC,cAAA,cACK,OAAA;wBAgBlB,YAAA,EAAY,UAAA,UACC,IAAA;QAEhB,YAAA;QACA,cAAA;QACA,KAAA;QACA,OAAA;MAAA,MACD,OAAA;IAAA;EAAA;AAAA"}