@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/server/enterprise/saml.js

@@ -0,0 +1,338 @@
+import { asRecord, getEnterpriseSamlUrls } from "./shared.js";
+import { getSamlConfig } from "./config.js";
+import { decodeBase64urlIgnorePadding, encodeBase64urlNoPadding } from "@oslojs/encoding";
+import { Constants, IdentityProvider, ServiceProvider, setSchemaValidator } from "@robelest/samlify";
+
+//#region src/server/enterprise/saml.ts
+const _samlifyPermissiveValidator = { validate: (_xml) => Promise.resolve("OK") };
+function ensureSamlifyValidator() {
+	setSchemaValidator(_samlifyPermissiveValidator);
+}
+/** @internal */
+function createSamlPostBindingResponse(opts) {
+	const fields = [`<input type="hidden" name="${opts.parameter}" value="${opts.value.replace(/"/g, "&quot;")}" />`, opts.relayState ? `<input type="hidden" name="RelayState" value="${opts.relayState.replace(/"/g, "&quot;")}" />` : ""].join("");
+	return new Response(`<!doctype html><html><body><form method="POST" action="${opts.endpoint}">${fields}</form><script>document.forms[0].submit();<\/script></body></html>`, {
+		status: 200,
+		headers: { "Content-Type": "text/html; charset=utf-8" }
+	});
+}
+/** @internal */
+function decodeRelayState(value) {
+	if (!value) return {};
+	try {
+		return JSON.parse(new TextDecoder().decode(decodeBase64urlIgnorePadding(value)));
+	} catch {
+		return {};
+	}
+}
+/** @internal */
+function encodeEnterpriseSamlRelayState(value) {
+	return encodeBase64urlNoPadding(new TextEncoder().encode(JSON.stringify({
+		source: `${value.source.kind}:${value.source.id}`,
+		signature: value.signature,
+		requestId: value.requestId,
+		state: value.state,
+		redirectTo: value.redirectTo
+	})));
+}
+/** @internal */
+function decodeEnterpriseSamlRelayStateOrThrow(value) {
+	if (!value) throw new Error("Missing SAML RelayState.");
+	const decoded = decodeRelayState(value);
+	if (typeof decoded.source !== "string" || typeof decoded.signature !== "string" || typeof decoded.requestId !== "string" || typeof decoded.state !== "string") throw new Error("Invalid SAML RelayState.");
+	const [kind, ...rest] = decoded.source.split(":");
+	const id = rest.join(":");
+	if (kind !== "enterprise" || id.length === 0) throw new Error("Invalid enterprise SAML source.");
+	return {
+		source: {
+			kind,
+			id
+		},
+		signature: decoded.signature,
+		requestId: decoded.requestId,
+		state: decoded.state,
+		redirectTo: typeof decoded.redirectTo === "string" ? decoded.redirectTo : void 0
+	};
+}
+/** @internal */
+async function readRequestBody(request) {
+	const contentType = request.headers.get("Content-Type") ?? "";
+	if (contentType.includes("application/x-www-form-urlencoded") || contentType.includes("multipart/form-data")) {
+		const form = await request.formData();
+		const body = {};
+		form.forEach((value, key) => {
+			body[key] = typeof value === "string" ? value : value.name;
+		});
+		return body;
+	}
+	return {};
+}
+/** @internal */
+async function readEnterpriseSamlHttpRequest(request) {
+	const url = new URL(request.url);
+	const body = await readRequestBody(request);
+	return {
+		url,
+		body,
+		query: Object.fromEntries(url.searchParams),
+		binding: request.method === "GET" ? "redirect" : body.SAMLResponse || body.SAMLRequest ? "post" : "redirect",
+		relayState: body.RelayState ?? url.searchParams.get("RelayState") ?? void 0,
+		hasSamlRequest: Boolean(body.SAMLRequest ?? url.searchParams.get("SAMLRequest")),
+		hasSamlResponse: Boolean(body.SAMLResponse ?? url.searchParams.get("SAMLResponse"))
+	};
+}
+/** @internal */
+function parseSamlIdpMetadata(metadata) {
+	const entityMeta = IdentityProvider({ metadata }).entityMeta;
+	const normalizeService = (value) => {
+		return typeof value === "string" && value.length > 0 ? value : void 0;
+	};
+	return {
+		issuer: entityMeta.getEntityID(),
+		sso: {
+			redirect: normalizeService(entityMeta.getSingleSignOnService("redirect")),
+			post: normalizeService(entityMeta.getSingleSignOnService("post"))
+		},
+		slo: {
+			redirect: normalizeService(entityMeta.getSingleLogoutService("redirect")),
+			post: normalizeService(entityMeta.getSingleLogoutService("post"))
+		},
+		signingCert: entityMeta.getX509Certificate("signing"),
+		encryptionCert: entityMeta.getX509Certificate("encrypt"),
+		nameIdFormats: (() => {
+			const nameIdFormat = entityMeta.getNameIDFormat();
+			return Array.isArray(nameIdFormat) ? nameIdFormat : [];
+		})(),
+		wantsSignedAuthnRequests: entityMeta.isWantAuthnRequestsSigned()
+	};
+}
+/** @internal */
+function createServiceProviderMetadata(opts) {
+	const binding = Constants.namespace.binding;
+	return ServiceProvider({
+		entityID: opts.entityId,
+		authnRequestsSigned: opts.authnRequestsSigned ?? false,
+		privateKey: opts.privateKey,
+		privateKeyPass: opts.privateKeyPass,
+		signingCert: opts.signingCert,
+		encryptCert: opts.encryptCert,
+		encPrivateKey: opts.encPrivateKey,
+		encPrivateKeyPass: opts.encPrivateKeyPass,
+		assertionConsumerService: [{
+			Binding: binding.post,
+			Location: opts.acsUrl
+		}],
+		singleLogoutService: opts.sloUrl ? [{
+			Binding: binding.redirect,
+			Location: opts.sloUrl
+		}, {
+			Binding: binding.post,
+			Location: opts.sloUrl
+		}] : void 0
+	}).getMetadata();
+}
+/** @internal */
+function createEnterpriseSamlMetadataXml(opts) {
+	return createServiceProviderMetadata(getSamlServiceProviderOptions({
+		rootUrl: opts.rootUrl,
+		source: opts.source,
+		config: opts.config
+	}));
+}
+/** @internal */
+function getSamlServiceProviderOptions(opts) {
+	const saml = getSamlConfig(opts.config);
+	const sp = asRecord(saml.sp) ?? {};
+	const urls = getEnterpriseSamlUrls({
+		rootUrl: opts.rootUrl,
+		source: opts.source
+	});
+	return {
+		entityId: opts.overrides?.entityId ?? sp.entityId ?? urls.metadataUrl,
+		acsUrl: opts.overrides?.acsUrl ?? sp.acsUrl ?? urls.acsUrl,
+		sloUrl: opts.overrides?.sloUrl ?? sp.sloUrl ?? urls.sloUrl,
+		relayState: opts.relayState,
+		authnRequestsSigned: saml.signAuthnRequests,
+		signingCert: sp.signingCert,
+		encryptCert: sp.encryptCert,
+		privateKey: sp.privateKey,
+		privateKeyPass: sp.privateKeyPass,
+		encPrivateKey: sp.encPrivateKey,
+		encPrivateKeyPass: sp.encPrivateKeyPass
+	};
+}
+/** @internal */
+function createSamlServiceProvider(opts) {
+	const binding = Constants.namespace.binding;
+	return ServiceProvider({
+		entityID: opts.entityId,
+		relayState: opts.relayState ?? "",
+		authnRequestsSigned: opts.authnRequestsSigned ?? false,
+		privateKey: opts.privateKey,
+		privateKeyPass: opts.privateKeyPass,
+		signingCert: opts.signingCert,
+		encryptCert: opts.encryptCert,
+		encPrivateKey: opts.encPrivateKey,
+		encPrivateKeyPass: opts.encPrivateKeyPass,
+		assertionConsumerService: [{
+			Binding: binding.post,
+			Location: opts.acsUrl
+		}],
+		singleLogoutService: opts.sloUrl ? [{
+			Binding: binding.redirect,
+			Location: opts.sloUrl
+		}, {
+			Binding: binding.post,
+			Location: opts.sloUrl
+		}] : void 0
+	});
+}
+/** @internal */
+function createEnterpriseSamlRuntime(opts) {
+	const saml = getSamlConfig(opts.config);
+	const spOptions = getSamlServiceProviderOptions({
+		rootUrl: opts.rootUrl,
+		source: opts.source,
+		config: opts.config,
+		relayState: opts.relayState,
+		overrides: opts.overrides
+	});
+	if (typeof saml.idp?.metadataXml !== "string") throw new Error("SAML IdP metadata is missing.");
+	return {
+		saml,
+		sp: createSamlServiceProvider(spOptions),
+		idp: IdentityProvider({ metadata: saml.idp.metadataXml }),
+		urls: getEnterpriseSamlUrls({
+			rootUrl: opts.rootUrl,
+			source: opts.source
+		})
+	};
+}
+/** @internal */
+function createEnterpriseSamlSignInRequest(opts) {
+	const runtime = createEnterpriseSamlRuntime({
+		rootUrl: opts.rootUrl,
+		source: opts.source,
+		config: opts.config
+	});
+	const binding = runtime.saml.idp.sso?.redirect ? "redirect" : "post";
+	const loginRequest = runtime.sp.createLoginRequest(runtime.idp, binding);
+	const relayState = encodeEnterpriseSamlRelayState({
+		source: opts.source,
+		signature: opts.signature,
+		requestId: loginRequest.id,
+		state: opts.state,
+		redirectTo: opts.redirectTo
+	});
+	return {
+		requestId: loginRequest.id,
+		binding,
+		relayState,
+		redirectUrl: binding === "redirect" ? (() => {
+			const redirectUrl = new URL(loginRequest.context);
+			redirectUrl.searchParams.set("RelayState", relayState);
+			return redirectUrl.toString();
+		})() : void 0,
+		post: binding === "post" ? {
+			endpoint: loginRequest.entityEndpoint,
+			value: loginRequest.context
+		} : void 0
+	};
+}
+/** @internal */
+async function parseEnterpriseSamlLoginResponse(opts) {
+	ensureSamlifyValidator();
+	const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);
+	const runtime = createEnterpriseSamlRuntime({
+		rootUrl: opts.rootUrl,
+		source: opts.source,
+		config: opts.config
+	});
+	const parsed = await runtime.sp.parseLoginResponse(runtime.idp, httpRequest.binding, {
+		query: httpRequest.query,
+		body: httpRequest.body
+	});
+	warnWeakSamlAlgorithms(parsed);
+	return {
+		...httpRequest,
+		runtime,
+		parsed,
+		relayState: decodeEnterpriseSamlRelayStateOrThrow(httpRequest.relayState ?? null)
+	};
+}
+const WEAK_SAML_ALGORITHMS = new Set([
+	"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+	"http://www.w3.org/2000/09/xmldsig#dsa-sha1",
+	"http://www.w3.org/2000/09/xmldsig#sha1",
+	"http://www.w3.org/2001/04/xmlenc#rsa-1_5",
+	"http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
+]);
+/**
+* Warn when the SAML response uses weak cryptographic algorithms
+* such as SHA-1, RSA 1.5, or 3DES.
+*/
+function warnWeakSamlAlgorithms(parsed) {
+	try {
+		const sigAlg = parsed?.extract?.signature?.signatureAlgorithm ?? parsed?.extract?.response?.signatureAlgorithm;
+		const digestAlg = parsed?.extract?.signature?.digestAlgorithm;
+		if (sigAlg && WEAK_SAML_ALGORITHMS.has(sigAlg)) console.warn(`[convex-auth] SAML response uses weak signature algorithm: ${sigAlg}. Consider upgrading your IdP to use RSA-SHA256 or stronger.`);
+		if (digestAlg && WEAK_SAML_ALGORITHMS.has(digestAlg)) console.warn(`[convex-auth] SAML response uses weak digest algorithm: ${digestAlg}. Consider upgrading your IdP to use SHA-256 or stronger.`);
+	} catch {}
+}
+/** @internal */
+function validateEnterpriseSamlLoginRelayState(opts) {
+	if (opts.relayState.source.kind !== opts.source.kind || opts.relayState.source.id !== opts.source.id || opts.relayState.requestId !== opts.inResponseTo) throw new Error("SAML RelayState did not match the pending login request.");
+}
+/** @internal */
+async function parseEnterpriseSamlLogoutMessage(opts) {
+	ensureSamlifyValidator();
+	const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);
+	const runtime = createEnterpriseSamlRuntime({
+		rootUrl: opts.rootUrl,
+		source: opts.source,
+		config: opts.config,
+		relayState: httpRequest.relayState
+	});
+	const parsedRequest = httpRequest.hasSamlRequest ? await runtime.sp.parseLogoutRequest(runtime.idp, httpRequest.binding, {
+		query: httpRequest.query,
+		body: httpRequest.body
+	}) : void 0;
+	return {
+		...httpRequest,
+		runtime,
+		parsedRequest
+	};
+}
+/** @internal */
+function profileFromSamlExtract(extract, mapping) {
+	const attributes = typeof extract?.attributes === "object" && extract.attributes !== null ? extract.attributes : {};
+	const resolveFirst = (...keys) => {
+		for (const key of keys) {
+			if (!key) continue;
+			const attribute = attributes[key];
+			const value = Array.isArray(attribute) ? attribute[0] : attribute;
+			if (value !== void 0) return value;
+		}
+	};
+	const fieldResolvers = {
+		email: () => resolveFirst(mapping?.email),
+		name: () => resolveFirst(mapping?.name) ?? ([resolveFirst(mapping?.firstName), resolveFirst(mapping?.lastName)].filter(Boolean).join(" ") || void 0),
+		subject: () => resolveFirst(mapping?.subject) ?? extract?.nameID
+	};
+	const subject = fieldResolvers.subject();
+	if (subject === void 0) throw new Error("SAML profile is missing a subject. Configure `attributeMapping.subject` or ensure the assertion includes a NameID.");
+	const email = fieldResolvers.email();
+	const name = fieldResolvers.name();
+	return {
+		id: subject,
+		email,
+		emailVerified: typeof email === "string" ? true : void 0,
+		name,
+		samlAttributes: attributes,
+		samlSessionIndex: extract?.sessionIndex?.SessionIndex
+	};
+}
+
+//#endregion
+export { createEnterpriseSamlMetadataXml, createEnterpriseSamlRuntime, createEnterpriseSamlSignInRequest, createSamlPostBindingResponse, createSamlServiceProvider, createServiceProviderMetadata, decodeEnterpriseSamlRelayStateOrThrow, decodeRelayState, encodeEnterpriseSamlRelayState, getSamlServiceProviderOptions, parseEnterpriseSamlLoginResponse, parseEnterpriseSamlLogoutMessage, parseSamlIdpMetadata, profileFromSamlExtract, readEnterpriseSamlHttpRequest, readRequestBody, validateEnterpriseSamlLoginRelayState };
+//# sourceMappingURL=saml.js.map

package/dist/server/enterprise/saml.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"saml.js","names":[],"sources":["../../../src/server/enterprise/saml.ts"],"sourcesContent":["import {\n  decodeBase64urlIgnorePadding,\n  encodeBase64urlNoPadding,\n} from \"@oslojs/encoding\";\nimport {\n  Constants,\n  IdentityProvider,\n  ServiceProvider,\n  setSchemaValidator,\n} from \"@robelest/samlify\";\n\nimport type { SAMLAttributeMapping } from \"../types\";\nimport { getSamlConfig } from \"./config\";\nimport type {\n  EnterpriseSamlHttpRequest,\n  EnterpriseSamlRelayState,\n  EnterpriseSamlSource,\n  ParsedSamlMetadata,\n} from \"./shared\";\nimport { asRecord, getEnterpriseSamlUrls } from \"./shared\";\n\n// Samlify requires a schema validator to be registered before parsing any SAML\n// response. We use a permissive validator that always resolves because Convex's\n// edge runtime has no file-system access for XML schema files, and structural\n// correctness is already ensured by the XML parser. This is called directly\n// before each parse operation since Convex can restart the V8 isolate between\n// requests, resetting module-level state.\nconst _samlifyPermissiveValidator = {\n  validate: (_xml: string) => Promise.resolve(\"OK\"),\n};\nfunction ensureSamlifyValidator() {\n  setSchemaValidator(_samlifyPermissiveValidator);\n}\n\n/** @internal */\nexport function createSamlPostBindingResponse(opts: {\n  endpoint: string;\n  parameter: \"SAMLRequest\" | \"SAMLResponse\";\n  value: string;\n  relayState?: string;\n}) {\n  const fields = [\n    `<input type=\"hidden\" name=\"${opts.parameter}\" value=\"${opts.value.replace(/\"/g, \"&quot;\")}\" />`,\n    opts.relayState\n      ? `<input type=\"hidden\" name=\"RelayState\" value=\"${opts.relayState.replace(/\"/g, \"&quot;\")}\" />`\n      : \"\",\n  ].join(\"\");\n  return new Response(\n    `<!doctype html><html><body><form method=\"POST\" action=\"${opts.endpoint}\">${fields}</form><script>document.forms[0].submit();</script></body></html>`,\n    { status: 200, headers: { \"Content-Type\": \"text/html; charset=utf-8\" } },\n  );\n}\n\n/** @internal */\nexport function decodeRelayState(\n  value: string | null,\n): Record<string, unknown> {\n  if (!value) {\n    return {};\n  }\n  try {\n    return JSON.parse(\n      new TextDecoder().decode(decodeBase64urlIgnorePadding(value)),\n    );\n  } catch {\n    return {};\n  }\n}\n\n/** @internal */\nexport function encodeEnterpriseSamlRelayState(\n  value: EnterpriseSamlRelayState,\n) {\n  return encodeBase64urlNoPadding(\n    new TextEncoder().encode(\n      JSON.stringify({\n        source: `${value.source.kind}:${value.source.id}`,\n        signature: value.signature,\n        requestId: value.requestId,\n        state: value.state,\n        redirectTo: value.redirectTo,\n      }),\n    ),\n  );\n}\n\n/** @internal */\nexport function decodeEnterpriseSamlRelayStateOrThrow(\n  value: string | null,\n): EnterpriseSamlRelayState {\n  if (!value) {\n    throw new Error(\"Missing SAML RelayState.\");\n  }\n  const decoded = decodeRelayState(value);\n  if (\n    typeof decoded.source !== \"string\" ||\n    typeof decoded.signature !== \"string\" ||\n    typeof decoded.requestId !== \"string\" ||\n    typeof decoded.state !== \"string\"\n  ) {\n    throw new Error(\"Invalid SAML RelayState.\");\n  }\n  const [kind, ...rest] = decoded.source.split(\":\");\n  const id = rest.join(\":\");\n  if (kind !== \"enterprise\" || id.length === 0) {\n    throw new Error(\"Invalid enterprise SAML source.\");\n  }\n  return {\n    source: { kind, id } as EnterpriseSamlSource,\n    signature: decoded.signature,\n    requestId: decoded.requestId,\n    state: decoded.state,\n    redirectTo:\n      typeof decoded.redirectTo === \"string\" ? decoded.redirectTo : undefined,\n  };\n}\n\n/** @internal */\nexport async function readRequestBody(\n  request: Request,\n): Promise<Record<string, string>> {\n  const contentType = request.headers.get(\"Content-Type\") ?? \"\";\n  if (\n    contentType.includes(\"application/x-www-form-urlencoded\") ||\n    contentType.includes(\"multipart/form-data\")\n  ) {\n    const form = await request.formData();\n    const body: Record<string, string> = {};\n    form.forEach((value, key) => {\n      body[key] = typeof value === \"string\" ? value : value.name;\n    });\n    return body;\n  }\n  return {};\n}\n\n/** @internal */\nexport async function readEnterpriseSamlHttpRequest(\n  request: Request,\n): Promise<EnterpriseSamlHttpRequest> {\n  const url = new URL(request.url);\n  const body = await readRequestBody(request);\n  const query = Object.fromEntries(url.searchParams);\n  const binding =\n    request.method === \"GET\"\n      ? \"redirect\"\n      : body.SAMLResponse || body.SAMLRequest\n        ? \"post\"\n        : \"redirect\";\n  return {\n    url,\n    body,\n    query,\n    binding,\n    relayState:\n      body.RelayState ?? url.searchParams.get(\"RelayState\") ?? undefined,\n    hasSamlRequest: Boolean(\n      body.SAMLRequest ?? url.searchParams.get(\"SAMLRequest\"),\n    ),\n    hasSamlResponse: Boolean(\n      body.SAMLResponse ?? url.searchParams.get(\"SAMLResponse\"),\n    ),\n  };\n}\n\n/** @internal */\nexport function parseSamlIdpMetadata(metadata: string): ParsedSamlMetadata {\n  const idp = IdentityProvider({ metadata });\n  const entityMeta = idp.entityMeta;\n\n  const normalizeService = (value: unknown): string | undefined => {\n    return typeof value === \"string\" && value.length > 0 ? value : undefined;\n  };\n\n  return {\n    issuer: entityMeta.getEntityID(),\n    sso: {\n      redirect: normalizeService(entityMeta.getSingleSignOnService(\"redirect\")),\n      post: normalizeService(entityMeta.getSingleSignOnService(\"post\")),\n    },\n    slo: {\n      redirect: normalizeService(entityMeta.getSingleLogoutService(\"redirect\")),\n      post: normalizeService(entityMeta.getSingleLogoutService(\"post\")),\n    },\n    signingCert: entityMeta.getX509Certificate(\"signing\"),\n    encryptionCert: entityMeta.getX509Certificate(\"encrypt\"),\n    nameIdFormats: (() => {\n      const nameIdFormat = entityMeta.getNameIDFormat();\n      return Array.isArray(nameIdFormat) ? nameIdFormat : [];\n    })(),\n    wantsSignedAuthnRequests: entityMeta.isWantAuthnRequestsSigned(),\n  };\n}\n\n/** @internal */\nexport function createServiceProviderMetadata(opts: {\n  entityId: string;\n  acsUrl: string;\n  sloUrl?: string;\n  authnRequestsSigned?: boolean;\n  signingCert?: string | string[];\n  encryptCert?: string | string[];\n  privateKey?: string;\n  privateKeyPass?: string;\n  encPrivateKey?: string;\n  encPrivateKeyPass?: string;\n}) {\n  const binding = Constants.namespace.binding;\n  const sp = ServiceProvider({\n    entityID: opts.entityId,\n    authnRequestsSigned: opts.authnRequestsSigned ?? false,\n    privateKey: opts.privateKey,\n    privateKeyPass: opts.privateKeyPass,\n    signingCert: opts.signingCert,\n    encryptCert: opts.encryptCert,\n    encPrivateKey: opts.encPrivateKey,\n    encPrivateKeyPass: opts.encPrivateKeyPass,\n    assertionConsumerService: [\n      {\n        Binding: binding.post,\n        Location: opts.acsUrl,\n      },\n    ],\n    singleLogoutService: opts.sloUrl\n      ? [\n          {\n            Binding: binding.redirect,\n            Location: opts.sloUrl,\n          },\n          {\n            Binding: binding.post,\n            Location: opts.sloUrl,\n          },\n        ]\n      : undefined,\n  });\n  return sp.getMetadata();\n}\n\n/** @internal */\nexport function createEnterpriseSamlMetadataXml(opts: {\n  rootUrl: string;\n  source: EnterpriseSamlSource;\n  config: unknown;\n}) {\n  return createServiceProviderMetadata(\n    getSamlServiceProviderOptions({\n      rootUrl: opts.rootUrl,\n      source: opts.source,\n      config: opts.config,\n    }),\n  );\n}\n\n/** @internal */\nexport function getSamlServiceProviderOptions(opts: {\n  rootUrl: string;\n  source: EnterpriseSamlSource;\n  config: unknown;\n  overrides?: {\n    entityId?: string;\n    acsUrl?: string;\n    sloUrl?: string;\n  };\n  relayState?: string;\n}) {\n  const saml = getSamlConfig(opts.config);\n  const sp = asRecord(saml.sp) ?? {};\n  const urls = getEnterpriseSamlUrls({\n    rootUrl: opts.rootUrl,\n    source: opts.source,\n  });\n  return {\n    entityId: opts.overrides?.entityId ?? sp.entityId ?? urls.metadataUrl,\n    acsUrl: opts.overrides?.acsUrl ?? sp.acsUrl ?? urls.acsUrl,\n    sloUrl: opts.overrides?.sloUrl ?? sp.sloUrl ?? urls.sloUrl,\n    relayState: opts.relayState,\n    authnRequestsSigned: saml.signAuthnRequests,\n    signingCert: sp.signingCert,\n    encryptCert: sp.encryptCert,\n    privateKey: sp.privateKey,\n    privateKeyPass: sp.privateKeyPass,\n    encPrivateKey: sp.encPrivateKey,\n    encPrivateKeyPass: sp.encPrivateKeyPass,\n  };\n}\n\n/** @internal */\nexport function createSamlServiceProvider(opts: {\n  entityId: string;\n  acsUrl: string;\n  sloUrl?: string;\n  relayState?: string;\n  authnRequestsSigned?: boolean;\n  signingCert?: string | string[];\n  encryptCert?: string | string[];\n  privateKey?: string;\n  privateKeyPass?: string;\n  encPrivateKey?: string;\n  encPrivateKeyPass?: string;\n}) {\n  const binding = Constants.namespace.binding;\n  return ServiceProvider({\n    entityID: opts.entityId,\n    relayState: opts.relayState ?? \"\",\n    authnRequestsSigned: opts.authnRequestsSigned ?? false,\n    privateKey: opts.privateKey,\n    privateKeyPass: opts.privateKeyPass,\n    signingCert: opts.signingCert,\n    encryptCert: opts.encryptCert,\n    encPrivateKey: opts.encPrivateKey,\n    encPrivateKeyPass: opts.encPrivateKeyPass,\n    assertionConsumerService: [\n      {\n        Binding: binding.post,\n        Location: opts.acsUrl,\n      },\n    ],\n    singleLogoutService: opts.sloUrl\n      ? [\n          { Binding: binding.redirect, Location: opts.sloUrl },\n          { Binding: binding.post, Location: opts.sloUrl },\n        ]\n      : undefined,\n  });\n}\n\n/** @internal */\nexport function createEnterpriseSamlRuntime(opts: {\n  rootUrl: string;\n  source: EnterpriseSamlSource;\n  config: unknown;\n  relayState?: string;\n  overrides?: {\n    entityId?: string;\n    acsUrl?: string;\n    sloUrl?: string;\n  };\n}) {\n  const saml = getSamlConfig(opts.config);\n  const spOptions = getSamlServiceProviderOptions({\n    rootUrl: opts.rootUrl,\n    source: opts.source,\n    config: opts.config,\n    relayState: opts.relayState,\n    overrides: opts.overrides,\n  });\n  if (typeof saml.idp?.metadataXml !== \"string\") {\n    throw new Error(\"SAML IdP metadata is missing.\");\n  }\n  return {\n    saml,\n    sp: createSamlServiceProvider(spOptions),\n    idp: IdentityProvider({ metadata: saml.idp.metadataXml }),\n    urls: getEnterpriseSamlUrls({ rootUrl: opts.rootUrl, source: opts.source }),\n  };\n}\n\n/** @internal */\nexport function createEnterpriseSamlSignInRequest(opts: {\n  rootUrl: string;\n  source: EnterpriseSamlSource;\n  config: unknown;\n  state: string;\n  signature: string;\n  redirectTo?: string;\n}) {\n  const runtime = createEnterpriseSamlRuntime({\n    rootUrl: opts.rootUrl,\n    source: opts.source,\n    config: opts.config,\n  });\n  const binding = runtime.saml.idp.sso?.redirect ? \"redirect\" : \"post\";\n  const loginRequest = runtime.sp.createLoginRequest(\n    runtime.idp,\n    binding as any,\n  ) as any;\n  const relayState = encodeEnterpriseSamlRelayState({\n    source: opts.source,\n    signature: opts.signature,\n    requestId: loginRequest.id,\n    state: opts.state,\n    redirectTo: opts.redirectTo,\n  });\n  return {\n    requestId: loginRequest.id as string,\n    binding,\n    relayState,\n    redirectUrl:\n      binding === \"redirect\"\n        ? (() => {\n            const redirectUrl = new URL(loginRequest.context);\n            redirectUrl.searchParams.set(\"RelayState\", relayState);\n            return redirectUrl.toString();\n          })()\n        : undefined,\n    post:\n      binding === \"post\"\n        ? {\n            endpoint: loginRequest.entityEndpoint as string,\n            value: loginRequest.context as string,\n          }\n        : undefined,\n  };\n}\n\n/** @internal */\nexport async function parseEnterpriseSamlLoginResponse(opts: {\n  request: Request;\n  rootUrl: string;\n  source: EnterpriseSamlSource;\n  config: unknown;\n}) {\n  ensureSamlifyValidator();\n  const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);\n  const runtime = createEnterpriseSamlRuntime({\n    rootUrl: opts.rootUrl,\n    source: opts.source,\n    config: opts.config,\n  });\n  const parsed = (await runtime.sp.parseLoginResponse(\n    runtime.idp as any,\n    httpRequest.binding as any,\n    {\n      query: httpRequest.query,\n      body: httpRequest.body,\n    },\n  )) as any;\n  // Check for weak SAML algorithms and warn.\n  warnWeakSamlAlgorithms(parsed);\n\n  return {\n    ...httpRequest,\n    runtime,\n    parsed,\n    relayState: decodeEnterpriseSamlRelayStateOrThrow(\n      httpRequest.relayState ?? null,\n    ),\n  };\n}\n\nconst WEAK_SAML_ALGORITHMS = new Set([\n  // Signature algorithms\n  \"http://www.w3.org/2000/09/xmldsig#rsa-sha1\",\n  \"http://www.w3.org/2000/09/xmldsig#dsa-sha1\",\n  // Digest algorithms\n  \"http://www.w3.org/2000/09/xmldsig#sha1\",\n  // Key encryption\n  \"http://www.w3.org/2001/04/xmlenc#rsa-1_5\",\n  // Data encryption\n  \"http://www.w3.org/2001/04/xmlenc#tripledes-cbc\",\n]);\n\n/**\n * Warn when the SAML response uses weak cryptographic algorithms\n * such as SHA-1, RSA 1.5, or 3DES.\n */\nfunction warnWeakSamlAlgorithms(parsed: any) {\n  try {\n    const sigAlg =\n      parsed?.extract?.signature?.signatureAlgorithm ??\n      parsed?.extract?.response?.signatureAlgorithm;\n    const digestAlg = parsed?.extract?.signature?.digestAlgorithm;\n\n    if (sigAlg && WEAK_SAML_ALGORITHMS.has(sigAlg)) {\n      console.warn(\n        `[convex-auth] SAML response uses weak signature algorithm: ${sigAlg}. ` +\n          `Consider upgrading your IdP to use RSA-SHA256 or stronger.`,\n      );\n    }\n    if (digestAlg && WEAK_SAML_ALGORITHMS.has(digestAlg)) {\n      console.warn(\n        `[convex-auth] SAML response uses weak digest algorithm: ${digestAlg}. ` +\n          `Consider upgrading your IdP to use SHA-256 or stronger.`,\n      );\n    }\n  } catch {\n    // Non-critical — don't break auth flow for algorithm check failures\n  }\n}\n\n/** @internal */\nexport function validateEnterpriseSamlLoginRelayState(opts: {\n  relayState: EnterpriseSamlRelayState;\n  source: EnterpriseSamlSource;\n  inResponseTo?: string;\n}) {\n  if (\n    opts.relayState.source.kind !== opts.source.kind ||\n    opts.relayState.source.id !== opts.source.id ||\n    opts.relayState.requestId !== opts.inResponseTo\n  ) {\n    throw new Error(\"SAML RelayState did not match the pending login request.\");\n  }\n}\n\n/** @internal */\nexport async function parseEnterpriseSamlLogoutMessage(opts: {\n  request: Request;\n  rootUrl: string;\n  source: EnterpriseSamlSource;\n  config: unknown;\n}) {\n  ensureSamlifyValidator();\n  const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);\n  const runtime = createEnterpriseSamlRuntime({\n    rootUrl: opts.rootUrl,\n    source: opts.source,\n    config: opts.config,\n    relayState: httpRequest.relayState,\n  });\n  const parsedRequest = httpRequest.hasSamlRequest\n    ? ((await runtime.sp.parseLogoutRequest(\n        runtime.idp as any,\n        httpRequest.binding as any,\n        {\n          query: httpRequest.query,\n          body: httpRequest.body,\n        },\n      )) as any)\n    : undefined;\n  return {\n    ...httpRequest,\n    runtime,\n    parsedRequest,\n  };\n}\n\n/** @internal */\nexport function profileFromSamlExtract(\n  extract: any,\n  mapping?: SAMLAttributeMapping,\n) {\n  const attributes =\n    typeof extract?.attributes === \"object\" && extract.attributes !== null\n      ? (extract.attributes as Record<string, unknown>)\n      : {};\n  const resolveFirst = (...keys: Array<string | undefined>) => {\n    for (const key of keys) {\n      if (!key) {\n        continue;\n      }\n      const attribute = attributes[key];\n      const value = Array.isArray(attribute) ? attribute[0] : attribute;\n      if (value !== undefined) {\n        return value;\n      }\n    }\n    return undefined;\n  };\n  const fieldResolvers = {\n    email: () => resolveFirst(mapping?.email),\n    name: () =>\n      resolveFirst(mapping?.name) ??\n      ([resolveFirst(mapping?.firstName), resolveFirst(mapping?.lastName)]\n        .filter(Boolean)\n        .join(\" \") ||\n        undefined),\n    subject: () =>\n      resolveFirst(mapping?.subject) ?? (extract?.nameID as string | undefined),\n  } as const;\n  const subject = fieldResolvers.subject() as string | undefined;\n  if (subject === undefined) {\n    throw new Error(\n      \"SAML profile is missing a subject. Configure `attributeMapping.subject` or ensure the assertion includes a NameID.\",\n    );\n  }\n  const email = fieldResolvers.email() as string | undefined;\n  const name = fieldResolvers.name() as string | undefined;\n  return {\n    id: subject,\n    email,\n    emailVerified: typeof email === \"string\" ? true : undefined,\n    name,\n    samlAttributes: attributes,\n    samlSessionIndex: extract?.sessionIndex?.SessionIndex as string | undefined,\n  };\n}\n"],"mappings":";;;;;;AA2BA,MAAM,8BAA8B,EAClC,WAAW,SAAiB,QAAQ,QAAQ,KAAK,EAClD;AACD,SAAS,yBAAyB;AAChC,oBAAmB,4BAA4B;;;AAIjD,SAAgB,8BAA8B,MAK3C;CACD,MAAM,SAAS,CACb,8BAA8B,KAAK,UAAU,WAAW,KAAK,MAAM,QAAQ,MAAM,SAAS,CAAC,OAC3F,KAAK,aACD,iDAAiD,KAAK,WAAW,QAAQ,MAAM,SAAS,CAAC,QACzF,GACL,CAAC,KAAK,GAAG;AACV,QAAO,IAAI,SACT,0DAA0D,KAAK,SAAS,IAAI,OAAO,qEACnF;EAAE,QAAQ;EAAK,SAAS,EAAE,gBAAgB,4BAA4B;EAAE,CACzE;;;AAIH,SAAgB,iBACd,OACyB;AACzB,KAAI,CAAC,MACH,QAAO,EAAE;AAEX,KAAI;AACF,SAAO,KAAK,MACV,IAAI,aAAa,CAAC,OAAO,6BAA6B,MAAM,CAAC,CAC9D;SACK;AACN,SAAO,EAAE;;;;AAKb,SAAgB,+BACd,OACA;AACA,QAAO,yBACL,IAAI,aAAa,CAAC,OAChB,KAAK,UAAU;EACb,QAAQ,GAAG,MAAM,OAAO,KAAK,GAAG,MAAM,OAAO;EAC7C,WAAW,MAAM;EACjB,WAAW,MAAM;EACjB,OAAO,MAAM;EACb,YAAY,MAAM;EACnB,CAAC,CACH,CACF;;;AAIH,SAAgB,sCACd,OAC0B;AAC1B,KAAI,CAAC,MACH,OAAM,IAAI,MAAM,2BAA2B;CAE7C,MAAM,UAAU,iBAAiB,MAAM;AACvC,KACE,OAAO,QAAQ,WAAW,YAC1B,OAAO,QAAQ,cAAc,YAC7B,OAAO,QAAQ,cAAc,YAC7B,OAAO,QAAQ,UAAU,SAEzB,OAAM,IAAI,MAAM,2BAA2B;CAE7C,MAAM,CAAC,MAAM,GAAG,QAAQ,QAAQ,OAAO,MAAM,IAAI;CACjD,MAAM,KAAK,KAAK,KAAK,IAAI;AACzB,KAAI,SAAS,gBAAgB,GAAG,WAAW,EACzC,OAAM,IAAI,MAAM,kCAAkC;AAEpD,QAAO;EACL,QAAQ;GAAE;GAAM;GAAI;EACpB,WAAW,QAAQ;EACnB,WAAW,QAAQ;EACnB,OAAO,QAAQ;EACf,YACE,OAAO,QAAQ,eAAe,WAAW,QAAQ,aAAa;EACjE;;;AAIH,eAAsB,gBACpB,SACiC;CACjC,MAAM,cAAc,QAAQ,QAAQ,IAAI,eAAe,IAAI;AAC3D,KACE,YAAY,SAAS,oCAAoC,IACzD,YAAY,SAAS,sBAAsB,EAC3C;EACA,MAAM,OAAO,MAAM,QAAQ,UAAU;EACrC,MAAM,OAA+B,EAAE;AACvC,OAAK,SAAS,OAAO,QAAQ;AAC3B,QAAK,OAAO,OAAO,UAAU,WAAW,QAAQ,MAAM;IACtD;AACF,SAAO;;AAET,QAAO,EAAE;;;AAIX,eAAsB,8BACpB,SACoC;CACpC,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;CAChC,MAAM,OAAO,MAAM,gBAAgB,QAAQ;AAQ3C,QAAO;EACL;EACA;EACA,OAVY,OAAO,YAAY,IAAI,aAAa;EAWhD,SATA,QAAQ,WAAW,QACf,aACA,KAAK,gBAAgB,KAAK,cACxB,SACA;EAMN,YACE,KAAK,cAAc,IAAI,aAAa,IAAI,aAAa,IAAI;EAC3D,gBAAgB,QACd,KAAK,eAAe,IAAI,aAAa,IAAI,cAAc,CACxD;EACD,iBAAiB,QACf,KAAK,gBAAgB,IAAI,aAAa,IAAI,eAAe,CAC1D;EACF;;;AAIH,SAAgB,qBAAqB,UAAsC;CAEzE,MAAM,aADM,iBAAiB,EAAE,UAAU,CAAC,CACnB;CAEvB,MAAM,oBAAoB,UAAuC;AAC/D,SAAO,OAAO,UAAU,YAAY,MAAM,SAAS,IAAI,QAAQ;;AAGjE,QAAO;EACL,QAAQ,WAAW,aAAa;EAChC,KAAK;GACH,UAAU,iBAAiB,WAAW,uBAAuB,WAAW,CAAC;GACzE,MAAM,iBAAiB,WAAW,uBAAuB,OAAO,CAAC;GAClE;EACD,KAAK;GACH,UAAU,iBAAiB,WAAW,uBAAuB,WAAW,CAAC;GACzE,MAAM,iBAAiB,WAAW,uBAAuB,OAAO,CAAC;GAClE;EACD,aAAa,WAAW,mBAAmB,UAAU;EACrD,gBAAgB,WAAW,mBAAmB,UAAU;EACxD,sBAAsB;GACpB,MAAM,eAAe,WAAW,iBAAiB;AACjD,UAAO,MAAM,QAAQ,aAAa,GAAG,eAAe,EAAE;MACpD;EACJ,0BAA0B,WAAW,2BAA2B;EACjE;;;AAIH,SAAgB,8BAA8B,MAW3C;CACD,MAAM,UAAU,UAAU,UAAU;AA6BpC,QA5BW,gBAAgB;EACzB,UAAU,KAAK;EACf,qBAAqB,KAAK,uBAAuB;EACjD,YAAY,KAAK;EACjB,gBAAgB,KAAK;EACrB,aAAa,KAAK;EAClB,aAAa,KAAK;EAClB,eAAe,KAAK;EACpB,mBAAmB,KAAK;EACxB,0BAA0B,CACxB;GACE,SAAS,QAAQ;GACjB,UAAU,KAAK;GAChB,CACF;EACD,qBAAqB,KAAK,SACtB,CACE;GACE,SAAS,QAAQ;GACjB,UAAU,KAAK;GAChB,EACD;GACE,SAAS,QAAQ;GACjB,UAAU,KAAK;GAChB,CACF,GACD;EACL,CAAC,CACQ,aAAa;;;AAIzB,SAAgB,gCAAgC,MAI7C;AACD,QAAO,8BACL,8BAA8B;EAC5B,SAAS,KAAK;EACd,QAAQ,KAAK;EACb,QAAQ,KAAK;EACd,CAAC,CACH;;;AAIH,SAAgB,8BAA8B,MAU3C;CACD,MAAM,OAAO,cAAc,KAAK,OAAO;CACvC,MAAM,KAAK,SAAS,KAAK,GAAG,IAAI,EAAE;CAClC,MAAM,OAAO,sBAAsB;EACjC,SAAS,KAAK;EACd,QAAQ,KAAK;EACd,CAAC;AACF,QAAO;EACL,UAAU,KAAK,WAAW,YAAY,GAAG,YAAY,KAAK;EAC1D,QAAQ,KAAK,WAAW,UAAU,GAAG,UAAU,KAAK;EACpD,QAAQ,KAAK,WAAW,UAAU,GAAG,UAAU,KAAK;EACpD,YAAY,KAAK;EACjB,qBAAqB,KAAK;EAC1B,aAAa,GAAG;EAChB,aAAa,GAAG;EAChB,YAAY,GAAG;EACf,gBAAgB,GAAG;EACnB,eAAe,GAAG;EAClB,mBAAmB,GAAG;EACvB;;;AAIH,SAAgB,0BAA0B,MAYvC;CACD,MAAM,UAAU,UAAU,UAAU;AACpC,QAAO,gBAAgB;EACrB,UAAU,KAAK;EACf,YAAY,KAAK,cAAc;EAC/B,qBAAqB,KAAK,uBAAuB;EACjD,YAAY,KAAK;EACjB,gBAAgB,KAAK;EACrB,aAAa,KAAK;EAClB,aAAa,KAAK;EAClB,eAAe,KAAK;EACpB,mBAAmB,KAAK;EACxB,0BAA0B,CACxB;GACE,SAAS,QAAQ;GACjB,UAAU,KAAK;GAChB,CACF;EACD,qBAAqB,KAAK,SACtB,CACE;GAAE,SAAS,QAAQ;GAAU,UAAU,KAAK;GAAQ,EACpD;GAAE,SAAS,QAAQ;GAAM,UAAU,KAAK;GAAQ,CACjD,GACD;EACL,CAAC;;;AAIJ,SAAgB,4BAA4B,MAUzC;CACD,MAAM,OAAO,cAAc,KAAK,OAAO;CACvC,MAAM,YAAY,8BAA8B;EAC9C,SAAS,KAAK;EACd,QAAQ,KAAK;EACb,QAAQ,KAAK;EACb,YAAY,KAAK;EACjB,WAAW,KAAK;EACjB,CAAC;AACF,KAAI,OAAO,KAAK,KAAK,gBAAgB,SACnC,OAAM,IAAI,MAAM,gCAAgC;AAElD,QAAO;EACL;EACA,IAAI,0BAA0B,UAAU;EACxC,KAAK,iBAAiB,EAAE,UAAU,KAAK,IAAI,aAAa,CAAC;EACzD,MAAM,sBAAsB;GAAE,SAAS,KAAK;GAAS,QAAQ,KAAK;GAAQ,CAAC;EAC5E;;;AAIH,SAAgB,kCAAkC,MAO/C;CACD,MAAM,UAAU,4BAA4B;EAC1C,SAAS,KAAK;EACd,QAAQ,KAAK;EACb,QAAQ,KAAK;EACd,CAAC;CACF,MAAM,UAAU,QAAQ,KAAK,IAAI,KAAK,WAAW,aAAa;CAC9D,MAAM,eAAe,QAAQ,GAAG,mBAC9B,QAAQ,KACR,QACD;CACD,MAAM,aAAa,+BAA+B;EAChD,QAAQ,KAAK;EACb,WAAW,KAAK;EAChB,WAAW,aAAa;EACxB,OAAO,KAAK;EACZ,YAAY,KAAK;EAClB,CAAC;AACF,QAAO;EACL,WAAW,aAAa;EACxB;EACA;EACA,aACE,YAAY,oBACD;GACL,MAAM,cAAc,IAAI,IAAI,aAAa,QAAQ;AACjD,eAAY,aAAa,IAAI,cAAc,WAAW;AACtD,UAAO,YAAY,UAAU;MAC3B,GACJ;EACN,MACE,YAAY,SACR;GACE,UAAU,aAAa;GACvB,OAAO,aAAa;GACrB,GACD;EACP;;;AAIH,eAAsB,iCAAiC,MAKpD;AACD,yBAAwB;CACxB,MAAM,cAAc,MAAM,8BAA8B,KAAK,QAAQ;CACrE,MAAM,UAAU,4BAA4B;EAC1C,SAAS,KAAK;EACd,QAAQ,KAAK;EACb,QAAQ,KAAK;EACd,CAAC;CACF,MAAM,SAAU,MAAM,QAAQ,GAAG,mBAC/B,QAAQ,KACR,YAAY,SACZ;EACE,OAAO,YAAY;EACnB,MAAM,YAAY;EACnB,CACF;AAED,wBAAuB,OAAO;AAE9B,QAAO;EACL,GAAG;EACH;EACA;EACA,YAAY,sCACV,YAAY,cAAc,KAC3B;EACF;;AAGH,MAAM,uBAAuB,IAAI,IAAI;CAEnC;CACA;CAEA;CAEA;CAEA;CACD,CAAC;;;;;AAMF,SAAS,uBAAuB,QAAa;AAC3C,KAAI;EACF,MAAM,SACJ,QAAQ,SAAS,WAAW,sBAC5B,QAAQ,SAAS,UAAU;EAC7B,MAAM,YAAY,QAAQ,SAAS,WAAW;AAE9C,MAAI,UAAU,qBAAqB,IAAI,OAAO,CAC5C,SAAQ,KACN,8DAA8D,OAAO,8DAEtE;AAEH,MAAI,aAAa,qBAAqB,IAAI,UAAU,CAClD,SAAQ,KACN,2DAA2D,UAAU,2DAEtE;SAEG;;;AAMV,SAAgB,sCAAsC,MAInD;AACD,KACE,KAAK,WAAW,OAAO,SAAS,KAAK,OAAO,QAC5C,KAAK,WAAW,OAAO,OAAO,KAAK,OAAO,MAC1C,KAAK,WAAW,cAAc,KAAK,aAEnC,OAAM,IAAI,MAAM,2DAA2D;;;AAK/E,eAAsB,iCAAiC,MAKpD;AACD,yBAAwB;CACxB,MAAM,cAAc,MAAM,8BAA8B,KAAK,QAAQ;CACrE,MAAM,UAAU,4BAA4B;EAC1C,SAAS,KAAK;EACd,QAAQ,KAAK;EACb,QAAQ,KAAK;EACb,YAAY,YAAY;EACzB,CAAC;CACF,MAAM,gBAAgB,YAAY,iBAC5B,MAAM,QAAQ,GAAG,mBACjB,QAAQ,KACR,YAAY,SACZ;EACE,OAAO,YAAY;EACnB,MAAM,YAAY;EACnB,CACF,GACD;AACJ,QAAO;EACL,GAAG;EACH;EACA;EACD;;;AAIH,SAAgB,uBACd,SACA,SACA;CACA,MAAM,aACJ,OAAO,SAAS,eAAe,YAAY,QAAQ,eAAe,OAC7D,QAAQ,aACT,EAAE;CACR,MAAM,gBAAgB,GAAG,SAAoC;AAC3D,OAAK,MAAM,OAAO,MAAM;AACtB,OAAI,CAAC,IACH;GAEF,MAAM,YAAY,WAAW;GAC7B,MAAM,QAAQ,MAAM,QAAQ,UAAU,GAAG,UAAU,KAAK;AACxD,OAAI,UAAU,OACZ,QAAO;;;CAKb,MAAM,iBAAiB;EACrB,aAAa,aAAa,SAAS,MAAM;EACzC,YACE,aAAa,SAAS,KAAK,KAC1B,CAAC,aAAa,SAAS,UAAU,EAAE,aAAa,SAAS,SAAS,CAAC,CACjE,OAAO,QAAQ,CACf,KAAK,IAAI,IACV;EACJ,eACE,aAAa,SAAS,QAAQ,IAAK,SAAS;EAC/C;CACD,MAAM,UAAU,eAAe,SAAS;AACxC,KAAI,YAAY,OACd,OAAM,IAAI,MACR,qHACD;CAEH,MAAM,QAAQ,eAAe,OAAO;CACpC,MAAM,OAAO,eAAe,MAAM;AAClC,QAAO;EACL,IAAI;EACJ;EACA,eAAe,OAAO,UAAU,WAAW,OAAO;EAClD;EACA,gBAAgB;EAChB,kBAAkB,SAAS,cAAc;EAC1C"}

package/dist/server/enterprise/scim.d.ts

@@ -0,0 +1 @@
+export { };

package/dist/server/enterprise/scim.js

@@ -0,0 +1,97 @@
+import { SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID } from "./shared.js";
+
+//#region src/server/enterprise/scim.ts
+/** @internal */
+function parseScimPath(pathname) {
+	const [api, auth, sso, enterpriseId, protocol, version, ...rest] = pathname.split("/").filter(Boolean);
+	if (api !== "api" || auth !== "auth" || sso !== "sso" || !enterpriseId || enterpriseId === "setup" || protocol !== "scim" || version !== "v2") return {
+		enterpriseId: "",
+		resource: "",
+		resourceId: void 0
+	};
+	return {
+		enterpriseId,
+		resource: rest[0] ?? "",
+		resourceId: rest[1]
+	};
+}
+/** @internal */
+function parseScimListRequest(url) {
+	const startIndex = Math.max(1, Number(url.searchParams.get("startIndex") ?? "1"));
+	const count = Math.min(100, Math.max(1, Number(url.searchParams.get("count") ?? "100")));
+	const filterParam = url.searchParams.get("filter");
+	return {
+		startIndex,
+		count,
+		filter: filterParam ? (() => {
+			const match = filterParam.match(/^([A-Za-z0-9_.]+)\s+eq\s+"([^"]+)"$/);
+			if (!match) throw new Error("Unsupported SCIM filter.");
+			return {
+				attribute: match[1],
+				value: match[2]
+			};
+		})() : void 0
+	};
+}
+/** @internal */
+function scimJson(data, status = 200, headers) {
+	const responseHeaders = new Headers({ "Content-Type": "application/scim+json" });
+	if (headers) new Headers(headers).forEach((value, key) => {
+		responseHeaders.set(key, value);
+	});
+	return new Response(JSON.stringify(data), {
+		status,
+		headers: responseHeaders
+	});
+}
+/** @internal */
+function scimError(status, scimType, detail) {
+	return scimJson({
+		schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+		status: String(status),
+		scimType,
+		detail
+	}, status);
+}
+/** @internal */
+function serializeScimUser(args) {
+	return {
+		schemas: [SCIM_USER_SCHEMA_ID],
+		id: args.id,
+		externalId: args.externalId,
+		meta: {
+			resourceType: "User",
+			location: args.location
+		},
+		userName: args.user.email ?? args.user.phone ?? args.user.name ?? args.id,
+		active: args.active ?? true,
+		name: args.user.name !== void 0 ? { formatted: args.user.name } : void 0,
+		emails: typeof args.user.email === "string" ? [{
+			value: args.user.email,
+			primary: true
+		}] : void 0,
+		phoneNumbers: typeof args.user.phone === "string" ? [{
+			value: args.user.phone,
+			primary: true
+		}] : void 0,
+		displayName: args.user.name
+	};
+}
+/** @internal */
+function serializeScimGroup(args) {
+	return {
+		schemas: [SCIM_GROUP_SCHEMA_ID],
+		id: args.id,
+		externalId: args.externalId,
+		meta: {
+			resourceType: "Group",
+			location: args.location
+		},
+		displayName: args.group.name ?? args.id,
+		members: args.members ?? []
+	};
+}
+
+//#endregion
+export { parseScimListRequest, parseScimPath, scimError, scimJson, serializeScimGroup, serializeScimUser };
+//# sourceMappingURL=scim.js.map

package/dist/server/enterprise/scim.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scim.js","names":[],"sources":["../../../src/server/enterprise/scim.ts"],"sourcesContent":["import type { ScimListRequest } from \"./shared\";\nimport { SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID } from \"./shared\";\n\n/** @internal */\nexport function parseScimPath(pathname: string) {\n  const parts = pathname.split(\"/\").filter(Boolean);\n  const [api, auth, sso, enterpriseId, protocol, version, ...rest] = parts;\n\n  if (\n    api !== \"api\" ||\n    auth !== \"auth\" ||\n    sso !== \"sso\" ||\n    !enterpriseId ||\n    enterpriseId === \"setup\" ||\n    protocol !== \"scim\" ||\n    version !== \"v2\"\n  ) {\n    return {\n      enterpriseId: \"\",\n      resource: \"\",\n      resourceId: undefined,\n    };\n  }\n\n  return {\n    enterpriseId,\n    resource: rest[0] ?? \"\",\n    resourceId: rest[1],\n  };\n}\n\n/** @internal */\nexport function parseScimListRequest(url: URL): ScimListRequest {\n  const startIndex = Math.max(\n    1,\n    Number(url.searchParams.get(\"startIndex\") ?? \"1\"),\n  );\n  const count = Math.min(\n    100,\n    Math.max(1, Number(url.searchParams.get(\"count\") ?? \"100\")),\n  );\n  const filterParam = url.searchParams.get(\"filter\");\n  const filter = filterParam\n    ? (() => {\n        const match = filterParam.match(/^([A-Za-z0-9_.]+)\\s+eq\\s+\"([^\"]+)\"$/);\n        if (!match) {\n          throw new Error(\"Unsupported SCIM filter.\");\n        }\n        return { attribute: match[1]!, value: match[2]! };\n      })()\n    : undefined;\n  return { startIndex, count, filter };\n}\n\n/** @internal */\nexport function scimJson(data: unknown, status = 200, headers?: HeadersInit) {\n  const responseHeaders = new Headers({\n    \"Content-Type\": \"application/scim+json\",\n  });\n  if (headers) {\n    new Headers(headers).forEach((value, key) => {\n      responseHeaders.set(key, value);\n    });\n  }\n  return new Response(JSON.stringify(data), {\n    status,\n    headers: responseHeaders,\n  });\n}\n\n/** @internal */\nexport function scimError(status: number, scimType: string, detail: string) {\n  return scimJson(\n    {\n      schemas: [\"urn:ietf:params:scim:api:messages:2.0:Error\"],\n      status: String(status),\n      scimType,\n      detail,\n    },\n    status,\n  );\n}\n\n/** @internal */\nexport function serializeScimUser(args: {\n  id: string;\n  user: Record<string, any>;\n  externalId?: string;\n  active?: boolean;\n  location?: string;\n}) {\n  return {\n    schemas: [SCIM_USER_SCHEMA_ID],\n    id: args.id,\n    externalId: args.externalId,\n    meta: {\n      resourceType: \"User\",\n      location: args.location,\n    },\n    userName: args.user.email ?? args.user.phone ?? args.user.name ?? args.id,\n    active: args.active ?? true,\n    name:\n      args.user.name !== undefined ? { formatted: args.user.name } : undefined,\n    emails:\n      typeof args.user.email === \"string\"\n        ? [{ value: args.user.email, primary: true }]\n        : undefined,\n    phoneNumbers:\n      typeof args.user.phone === \"string\"\n        ? [{ value: args.user.phone, primary: true }]\n        : undefined,\n    displayName: args.user.name,\n  };\n}\n\n/** @internal */\nexport function serializeScimGroup(args: {\n  id: string;\n  group: Record<string, any>;\n  externalId?: string;\n  members?: Array<{ value: string; display?: string }>;\n  location?: string;\n}) {\n  return {\n    schemas: [SCIM_GROUP_SCHEMA_ID],\n    id: args.id,\n    externalId: args.externalId,\n    meta: {\n      resourceType: \"Group\",\n      location: args.location,\n    },\n    displayName: args.group.name ?? args.id,\n    members: args.members ?? [],\n  };\n}\n"],"mappings":";;;;AAIA,SAAgB,cAAc,UAAkB;CAE9C,MAAM,CAAC,KAAK,MAAM,KAAK,cAAc,UAAU,SAAS,GAAG,QAD7C,SAAS,MAAM,IAAI,CAAC,OAAO,QAAQ;AAGjD,KACE,QAAQ,SACR,SAAS,UACT,QAAQ,SACR,CAAC,gBACD,iBAAiB,WACjB,aAAa,UACb,YAAY,KAEZ,QAAO;EACL,cAAc;EACd,UAAU;EACV,YAAY;EACb;AAGH,QAAO;EACL;EACA,UAAU,KAAK,MAAM;EACrB,YAAY,KAAK;EAClB;;;AAIH,SAAgB,qBAAqB,KAA2B;CAC9D,MAAM,aAAa,KAAK,IACtB,GACA,OAAO,IAAI,aAAa,IAAI,aAAa,IAAI,IAAI,CAClD;CACD,MAAM,QAAQ,KAAK,IACjB,KACA,KAAK,IAAI,GAAG,OAAO,IAAI,aAAa,IAAI,QAAQ,IAAI,MAAM,CAAC,CAC5D;CACD,MAAM,cAAc,IAAI,aAAa,IAAI,SAAS;AAUlD,QAAO;EAAE;EAAY;EAAO,QATb,qBACJ;GACL,MAAM,QAAQ,YAAY,MAAM,sCAAsC;AACtE,OAAI,CAAC,MACH,OAAM,IAAI,MAAM,2BAA2B;AAE7C,UAAO;IAAE,WAAW,MAAM;IAAK,OAAO,MAAM;IAAK;MAC/C,GACJ;EACgC;;;AAItC,SAAgB,SAAS,MAAe,SAAS,KAAK,SAAuB;CAC3E,MAAM,kBAAkB,IAAI,QAAQ,EAClC,gBAAgB,yBACjB,CAAC;AACF,KAAI,QACF,KAAI,QAAQ,QAAQ,CAAC,SAAS,OAAO,QAAQ;AAC3C,kBAAgB,IAAI,KAAK,MAAM;GAC/B;AAEJ,QAAO,IAAI,SAAS,KAAK,UAAU,KAAK,EAAE;EACxC;EACA,SAAS;EACV,CAAC;;;AAIJ,SAAgB,UAAU,QAAgB,UAAkB,QAAgB;AAC1E,QAAO,SACL;EACE,SAAS,CAAC,8CAA8C;EACxD,QAAQ,OAAO,OAAO;EACtB;EACA;EACD,EACD,OACD;;;AAIH,SAAgB,kBAAkB,MAM/B;AACD,QAAO;EACL,SAAS,CAAC,oBAAoB;EAC9B,IAAI,KAAK;EACT,YAAY,KAAK;EACjB,MAAM;GACJ,cAAc;GACd,UAAU,KAAK;GAChB;EACD,UAAU,KAAK,KAAK,SAAS,KAAK,KAAK,SAAS,KAAK,KAAK,QAAQ,KAAK;EACvE,QAAQ,KAAK,UAAU;EACvB,MACE,KAAK,KAAK,SAAS,SAAY,EAAE,WAAW,KAAK,KAAK,MAAM,GAAG;EACjE,QACE,OAAO,KAAK,KAAK,UAAU,WACvB,CAAC;GAAE,OAAO,KAAK,KAAK;GAAO,SAAS;GAAM,CAAC,GAC3C;EACN,cACE,OAAO,KAAK,KAAK,UAAU,WACvB,CAAC;GAAE,OAAO,KAAK,KAAK;GAAO,SAAS;GAAM,CAAC,GAC3C;EACN,aAAa,KAAK,KAAK;EACxB;;;AAIH,SAAgB,mBAAmB,MAMhC;AACD,QAAO;EACL,SAAS,CAAC,qBAAqB;EAC/B,IAAI,KAAK;EACT,YAAY,KAAK;EACjB,MAAM;GACJ,cAAc;GACd,UAAU,KAAK;GAChB;EACD,aAAa,KAAK,MAAM,QAAQ,KAAK;EACrC,SAAS,KAAK,WAAW,EAAE;EAC5B"}

package/dist/server/enterprise/shared.d.ts

@@ -0,0 +1,5 @@
+//#region src/server/enterprise/shared.d.ts
+declare const asRecord: (value: unknown) => Record<string, any> | null;
+//#endregion
+export { asRecord };
+//# sourceMappingURL=shared.d.ts.map

package/dist/server/enterprise/shared.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shared.d.ts","names":[],"sources":["../../../src/server/enterprise/shared.ts"],"mappings":";cAkIa,QAAA,GAAY,KAAA,cAAc,MAAA"}

package/dist/server/enterprise/shared.js

@@ -0,0 +1,51 @@
+//#region src/server/enterprise/shared.ts
+/** @internal */
+const SCIM_USER_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:User";
+/** @internal */
+const SCIM_GROUP_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:Group";
+/** @internal */
+const ENTERPRISE_OIDC_PROVIDER_PREFIX = "enterprise:oidc:";
+/** @internal */
+const ENTERPRISE_SAML_PROVIDER_PREFIX = "enterprise:saml:";
+/** @internal */
+function normalizeDomain(domain) {
+	return domain.trim().toLowerCase().replace(/^@+/, "");
+}
+/** @internal */
+function enterpriseOidcProviderId(enterpriseId) {
+	return `${ENTERPRISE_OIDC_PROVIDER_PREFIX}${enterpriseId}`;
+}
+/** @internal */
+function enterpriseSamlProviderId(enterpriseId) {
+	return `${ENTERPRISE_SAML_PROVIDER_PREFIX}${enterpriseId}`;
+}
+/** @internal */
+function getEnterpriseSamlUrls(opts) {
+	const root = opts.rootUrl.replace(/\/$/, "");
+	return {
+		metadataUrl: `${root}/api/auth/sso/${opts.source.id}/saml/metadata`,
+		acsUrl: `${root}/api/auth/sso/${opts.source.id}/saml/acs`,
+		sloUrl: `${root}/api/auth/sso/${opts.source.id}/saml/slo`
+	};
+}
+/** @internal */
+function getEnterpriseOidcUrls(opts) {
+	const root = opts.rootUrl.replace(/\/$/, "");
+	return {
+		signInUrl: `${root}/api/auth/sso/${opts.enterpriseId}/oidc/signin`,
+		callbackUrl: `${root}/api/auth/sso/${opts.enterpriseId}/oidc/callback`
+	};
+}
+/** @internal */
+function isEnterpriseSamlSourceActive(source) {
+	return source.status === "active";
+}
+/** @internal */
+function isEnterpriseProviderId(providerId) {
+	return providerId.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX) || providerId.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX);
+}
+const asRecord = (value) => typeof value === "object" && value !== null ? value : null;
+
+//#endregion
+export { ENTERPRISE_OIDC_PROVIDER_PREFIX, ENTERPRISE_SAML_PROVIDER_PREFIX, SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID, asRecord, enterpriseOidcProviderId, enterpriseSamlProviderId, getEnterpriseOidcUrls, getEnterpriseSamlUrls, isEnterpriseProviderId, isEnterpriseSamlSourceActive, normalizeDomain };
+//# sourceMappingURL=shared.js.map

package/dist/server/enterprise/shared.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shared.js","names":[],"sources":["../../../src/server/enterprise/shared.ts"],"sourcesContent":["/** @internal */\nexport type ParsedSamlMetadata = {\n  issuer: string;\n  sso: {\n    redirect?: string;\n    post?: string;\n  };\n  slo: {\n    redirect?: string;\n    post?: string;\n  };\n  signingCert: string | string[] | null;\n  encryptionCert: string | string[] | null;\n  nameIdFormats: string[];\n  wantsSignedAuthnRequests: boolean;\n};\n\n/** @internal */\nexport type EnterpriseSamlSource = { kind: \"enterprise\"; id: string };\n\n/** @internal */\nexport type EnterpriseSamlRelayState = {\n  source: EnterpriseSamlSource;\n  signature: string;\n  requestId: string;\n  state: string;\n  redirectTo?: string;\n};\n\n/** @internal */\nexport type EnterpriseSamlUrls = {\n  metadataUrl: string;\n  acsUrl: string;\n  sloUrl?: string;\n};\n\n/** @internal */\nexport type EnterpriseSamlLoadedSource = {\n  source: EnterpriseSamlSource;\n  config: unknown;\n  status?: string;\n};\n\n/** @internal */\nexport type EnterpriseSamlHttpRequest = {\n  url: URL;\n  body: Record<string, string>;\n  query: Record<string, string>;\n  binding: \"redirect\" | \"post\";\n  relayState?: string;\n  hasSamlRequest: boolean;\n  hasSamlResponse: boolean;\n};\n\n/** @internal */\nexport type ScimListRequest = {\n  startIndex: number;\n  count: number;\n  filter?: { attribute: string; value: string };\n};\n\n/** @internal */\nexport const SCIM_USER_SCHEMA_ID = \"urn:ietf:params:scim:schemas:core:2.0:User\";\n/** @internal */\nexport const SCIM_GROUP_SCHEMA_ID =\n  \"urn:ietf:params:scim:schemas:core:2.0:Group\";\n\n/** @internal */\nexport const ENTERPRISE_OIDC_PROVIDER_PREFIX = \"enterprise:oidc:\";\n/** @internal */\nexport const ENTERPRISE_SAML_PROVIDER_PREFIX = \"enterprise:saml:\";\n\n/** @internal */\nexport function normalizeDomain(domain: string): string {\n  return domain.trim().toLowerCase().replace(/^@+/, \"\");\n}\n\n/** @internal */\nexport function enterpriseOidcProviderId(enterpriseId: string): string {\n  return `${ENTERPRISE_OIDC_PROVIDER_PREFIX}${enterpriseId}`;\n}\n\n/** @internal */\nexport function enterpriseSamlProviderId(enterpriseId: string): string {\n  return `${ENTERPRISE_SAML_PROVIDER_PREFIX}${enterpriseId}`;\n}\n\n/** @internal */\nexport function getEnterpriseSamlUrls(opts: {\n  rootUrl: string;\n  source: EnterpriseSamlSource;\n}): EnterpriseSamlUrls {\n  const root = opts.rootUrl.replace(/\\/$/, \"\");\n  const metadataBase = `${root}/api/auth/sso/${opts.source.id}/saml/metadata`;\n  const acsBase = `${root}/api/auth/sso/${opts.source.id}/saml/acs`;\n  const sloBase = `${root}/api/auth/sso/${opts.source.id}/saml/slo`;\n  return {\n    metadataUrl: metadataBase,\n    acsUrl: acsBase,\n    sloUrl: sloBase,\n  };\n}\n\n/** @internal */\nexport function getEnterpriseOidcUrls(opts: {\n  rootUrl: string;\n  enterpriseId: string;\n}) {\n  const root = opts.rootUrl.replace(/\\/$/, \"\");\n  return {\n    signInUrl: `${root}/api/auth/sso/${opts.enterpriseId}/oidc/signin`,\n    callbackUrl: `${root}/api/auth/sso/${opts.enterpriseId}/oidc/callback`,\n  };\n}\n\n/** @internal */\nexport function isEnterpriseSamlSourceActive(\n  source: EnterpriseSamlLoadedSource,\n) {\n  return source.status === \"active\";\n}\n\n/** @internal */\nexport function isEnterpriseProviderId(providerId: string): boolean {\n  return (\n    providerId.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX) ||\n    providerId.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n  );\n}\n\nexport const asRecord = (value: unknown) =>\n  typeof value === \"object\" && value !== null\n    ? (value as Record<string, any>)\n    : null;\n"],"mappings":";;AA8DA,MAAa,sBAAsB;;AAEnC,MAAa,uBACX;;AAGF,MAAa,kCAAkC;;AAE/C,MAAa,kCAAkC;;AAG/C,SAAgB,gBAAgB,QAAwB;AACtD,QAAO,OAAO,MAAM,CAAC,aAAa,CAAC,QAAQ,OAAO,GAAG;;;AAIvD,SAAgB,yBAAyB,cAA8B;AACrE,QAAO,GAAG,kCAAkC;;;AAI9C,SAAgB,yBAAyB,cAA8B;AACrE,QAAO,GAAG,kCAAkC;;;AAI9C,SAAgB,sBAAsB,MAGf;CACrB,MAAM,OAAO,KAAK,QAAQ,QAAQ,OAAO,GAAG;AAI5C,QAAO;EACL,aAJmB,GAAG,KAAK,gBAAgB,KAAK,OAAO,GAAG;EAK1D,QAJc,GAAG,KAAK,gBAAgB,KAAK,OAAO,GAAG;EAKrD,QAJc,GAAG,KAAK,gBAAgB,KAAK,OAAO,GAAG;EAKtD;;;AAIH,SAAgB,sBAAsB,MAGnC;CACD,MAAM,OAAO,KAAK,QAAQ,QAAQ,OAAO,GAAG;AAC5C,QAAO;EACL,WAAW,GAAG,KAAK,gBAAgB,KAAK,aAAa;EACrD,aAAa,GAAG,KAAK,gBAAgB,KAAK,aAAa;EACxD;;;AAIH,SAAgB,6BACd,QACA;AACA,QAAO,OAAO,WAAW;;;AAI3B,SAAgB,uBAAuB,YAA6B;AAClE,QACE,WAAW,WAAW,gCAAgC,IACtD,WAAW,WAAW,gCAAgC;;AAI1D,MAAa,YAAY,UACvB,OAAO,UAAU,YAAY,UAAU,OAClC,QACD"}

package/dist/server/enterprise/validators.d.ts

@@ -0,0 +1 @@
+export { };

package/dist/server/enterprise/validators.js

@@ -0,0 +1,60 @@
+import { v } from "convex/values";
+
+//#region src/server/enterprise/validators.ts
+/** @internal Shared validator for mounted enterprise connection status fields. */
+const enterpriseStatusValidator = v.union(v.literal("draft"), v.literal("active"), v.literal("disabled"));
+/** @internal Structured validator for mounted enterprise policy patch payloads. */
+const enterprisePolicyPatchValidator = v.object({
+	identity: v.optional(v.object({ accountLinking: v.optional(v.object({
+		oidc: v.optional(v.union(v.literal("verifiedEmail"), v.literal("none"))),
+		saml: v.optional(v.union(v.literal("verifiedEmail"), v.literal("none")))
+	})) })),
+	provisioning: v.optional(v.object({
+		scimReuse: v.optional(v.object({ user: v.optional(v.union(v.literal("externalId"), v.literal("none"))) })),
+		jit: v.optional(v.object({
+			mode: v.optional(v.union(v.literal("off"), v.literal("createUser"), v.literal("createUserAndMembership"))),
+			defaultRoleIds: v.optional(v.array(v.string()))
+		})),
+		deprovision: v.optional(v.object({ mode: v.optional(v.union(v.literal("soft"), v.literal("hard"))) }))
+	}))
+});
+/** @internal Filter validator for mounted enterprise connection list queries. */
+const enterpriseConnectionWhereValidator = v.object({
+	groupId: v.optional(v.string()),
+	slug: v.optional(v.string()),
+	status: v.optional(enterpriseStatusValidator)
+});
+/** @internal Domain replacement input validator for mounted enterprise APIs. */
+const enterpriseDomainInputValidator = v.object({
+	domain: v.string(),
+	isPrimary: v.optional(v.boolean())
+});
+/** @internal Input validator for enterprise domain verification actions. */
+const enterpriseDomainVerificationInputValidator = v.object({
+	enterpriseId: v.string(),
+	domain: v.string()
+});
+/** @internal SAML attribute mapping validator for mounted SSO admin APIs. */
+const enterpriseSamlAttributeMappingValidator = v.object({
+	subject: v.optional(v.string()),
+	email: v.optional(v.string()),
+	name: v.optional(v.string()),
+	firstName: v.optional(v.string()),
+	lastName: v.optional(v.string())
+});
+/** @internal SAML service-provider override validator for mounted admin APIs. */
+const enterpriseSamlSpValidator = v.object({
+	entityId: v.optional(v.string()),
+	acsUrl: v.optional(v.string()),
+	sloUrl: v.optional(v.string()),
+	signingCert: v.optional(v.union(v.string(), v.array(v.string()))),
+	encryptCert: v.optional(v.union(v.string(), v.array(v.string()))),
+	privateKey: v.optional(v.string()),
+	privateKeyPass: v.optional(v.string()),
+	encPrivateKey: v.optional(v.string()),
+	encPrivateKeyPass: v.optional(v.string())
+});
+
+//#endregion
+export { enterpriseConnectionWhereValidator, enterpriseDomainInputValidator, enterpriseDomainVerificationInputValidator, enterprisePolicyPatchValidator, enterpriseSamlAttributeMappingValidator, enterpriseSamlSpValidator, enterpriseStatusValidator };
+//# sourceMappingURL=validators.js.map

package/dist/server/enterprise/validators.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validators.js","names":[],"sources":["../../../src/server/enterprise/validators.ts"],"sourcesContent":["import { v } from \"convex/values\";\n\n/** @internal Shared validator for mounted enterprise connection status fields. */\nexport const enterpriseStatusValidator = v.union(\n  v.literal(\"draft\"),\n  v.literal(\"active\"),\n  v.literal(\"disabled\"),\n);\n\n/** @internal Structured validator for mounted enterprise policy patch payloads. */\nexport const enterprisePolicyPatchValidator = v.object({\n  identity: v.optional(\n    v.object({\n      accountLinking: v.optional(\n        v.object({\n          oidc: v.optional(\n            v.union(v.literal(\"verifiedEmail\"), v.literal(\"none\")),\n          ),\n          saml: v.optional(\n            v.union(v.literal(\"verifiedEmail\"), v.literal(\"none\")),\n          ),\n        }),\n      ),\n    }),\n  ),\n  provisioning: v.optional(\n    v.object({\n      scimReuse: v.optional(\n        v.object({\n          user: v.optional(v.union(v.literal(\"externalId\"), v.literal(\"none\"))),\n        }),\n      ),\n      jit: v.optional(\n        v.object({\n          mode: v.optional(\n            v.union(\n              v.literal(\"off\"),\n              v.literal(\"createUser\"),\n              v.literal(\"createUserAndMembership\"),\n            ),\n          ),\n          defaultRoleIds: v.optional(v.array(v.string())),\n        }),\n      ),\n      deprovision: v.optional(\n        v.object({\n          mode: v.optional(v.union(v.literal(\"soft\"), v.literal(\"hard\"))),\n        }),\n      ),\n    }),\n  ),\n});\n\n/** @internal Filter validator for mounted enterprise connection list queries. */\nexport const enterpriseConnectionWhereValidator = v.object({\n  groupId: v.optional(v.string()),\n  slug: v.optional(v.string()),\n  status: v.optional(enterpriseStatusValidator),\n});\n\n/** @internal Domain replacement input validator for mounted enterprise APIs. */\nexport const enterpriseDomainInputValidator = v.object({\n  domain: v.string(),\n  isPrimary: v.optional(v.boolean()),\n});\n\n/** @internal Input validator for enterprise domain verification actions. */\nexport const enterpriseDomainVerificationInputValidator = v.object({\n  enterpriseId: v.string(),\n  domain: v.string(),\n});\n\n/** @internal SAML attribute mapping validator for mounted SSO admin APIs. */\nexport const enterpriseSamlAttributeMappingValidator = v.object({\n  subject: v.optional(v.string()),\n  email: v.optional(v.string()),\n  name: v.optional(v.string()),\n  firstName: v.optional(v.string()),\n  lastName: v.optional(v.string()),\n});\n\n/** @internal SAML service-provider override validator for mounted admin APIs. */\nexport const enterpriseSamlSpValidator = v.object({\n  entityId: v.optional(v.string()),\n  acsUrl: v.optional(v.string()),\n  sloUrl: v.optional(v.string()),\n  signingCert: v.optional(v.union(v.string(), v.array(v.string()))),\n  encryptCert: v.optional(v.union(v.string(), v.array(v.string()))),\n  privateKey: v.optional(v.string()),\n  privateKeyPass: v.optional(v.string()),\n  encPrivateKey: v.optional(v.string()),\n  encPrivateKeyPass: v.optional(v.string()),\n});\n"],"mappings":";;;;AAGA,MAAa,4BAA4B,EAAE,MACzC,EAAE,QAAQ,QAAQ,EAClB,EAAE,QAAQ,SAAS,EACnB,EAAE,QAAQ,WAAW,CACtB;;AAGD,MAAa,iCAAiC,EAAE,OAAO;CACrD,UAAU,EAAE,SACV,EAAE,OAAO,EACP,gBAAgB,EAAE,SAChB,EAAE,OAAO;EACP,MAAM,EAAE,SACN,EAAE,MAAM,EAAE,QAAQ,gBAAgB,EAAE,EAAE,QAAQ,OAAO,CAAC,CACvD;EACD,MAAM,EAAE,SACN,EAAE,MAAM,EAAE,QAAQ,gBAAgB,EAAE,EAAE,QAAQ,OAAO,CAAC,CACvD;EACF,CAAC,CACH,EACF,CAAC,CACH;CACD,cAAc,EAAE,SACd,EAAE,OAAO;EACP,WAAW,EAAE,SACX,EAAE,OAAO,EACP,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,aAAa,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC,EACtE,CAAC,CACH;EACD,KAAK,EAAE,SACL,EAAE,OAAO;GACP,MAAM,EAAE,SACN,EAAE,MACA,EAAE,QAAQ,MAAM,EAChB,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,0BAA0B,CACrC,CACF;GACD,gBAAgB,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;GAChD,CAAC,CACH;EACD,aAAa,EAAE,SACb,EAAE,OAAO,EACP,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,OAAO,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC,EAChE,CAAC,CACH;EACF,CAAC,CACH;CACF,CAAC;;AAGF,MAAa,qCAAqC,EAAE,OAAO;CACzD,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC/B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,QAAQ,EAAE,SAAS,0BAA0B;CAC9C,CAAC;;AAGF,MAAa,iCAAiC,EAAE,OAAO;CACrD,QAAQ,EAAE,QAAQ;CAClB,WAAW,EAAE,SAAS,EAAE,SAAS,CAAC;CACnC,CAAC;;AAGF,MAAa,6CAA6C,EAAE,OAAO;CACjE,cAAc,EAAE,QAAQ;CACxB,QAAQ,EAAE,QAAQ;CACnB,CAAC;;AAGF,MAAa,0CAA0C,EAAE,OAAO;CAC9D,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC/B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,CAAC;;AAGF,MAAa,4BAA4B,EAAE,OAAO;CAChD,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;CAChC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC9B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC9B,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;CACjE,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;CACjE,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;CAClC,gBAAgB,EAAE,SAAS,EAAE,QAAQ,CAAC;CACtC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;CACrC,mBAAmB,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC1C,CAAC"}