@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/server/mounts.js

@@ -0,0 +1,643 @@
+import { enterpriseConnectionWhereValidator, enterpriseDomainInputValidator, enterpriseDomainVerificationInputValidator, enterprisePolicyPatchValidator, enterpriseSamlAttributeMappingValidator, enterpriseSamlSpValidator, enterpriseStatusValidator } from "./enterprise/validators.js";
+import { actionGeneric, mutationGeneric, queryGeneric } from "convex/server";
+import { ConvexError, v } from "convex/values";
+
+//#region src/server/mounts.ts
+function requireSignedInUser(auth) {
+	return async (ctx) => {
+		return await auth.user.id(ctx);
+	};
+}
+function normalizeCreatorRoleIds(roles) {
+	return roles?.map((role) => typeof role === "string" ? role : role.id);
+}
+async function resolveMountedEnterpriseTarget(auth, ctx, target) {
+	if (target.groupId !== void 0) return {
+		enterpriseId: target.enterpriseId,
+		groupId: target.groupId,
+		resolvedGroupId: target.groupId
+	};
+	if (target.enterpriseId !== void 0) {
+		const enterprise = await auth.sso.admin.connection.get(ctx, target.enterpriseId);
+		if (enterprise === null) throw new ConvexError({
+			code: "INVALID_PARAMETERS",
+			message: "Enterprise not found."
+		});
+		return {
+			enterpriseId: enterprise._id,
+			groupId: enterprise.groupId,
+			resolvedGroupId: enterprise.groupId
+		};
+	}
+	if (target.domain !== void 0) {
+		const resolved = await auth.sso.admin.connection.getByDomain(ctx, target.domain);
+		if (resolved?.enterprise === void 0) throw new ConvexError({
+			code: "INVALID_PARAMETERS",
+			message: "Enterprise not found."
+		});
+		return {
+			enterpriseId: resolved.enterprise._id,
+			groupId: resolved.enterprise.groupId,
+			resolvedGroupId: resolved.enterprise.groupId
+		};
+	}
+	return {
+		enterpriseId: void 0,
+		groupId: void 0,
+		resolvedGroupId: null
+	};
+}
+function createMountedAdminAuthorizer(auth, options) {
+	const requireUserId = requireSignedInUser(auth);
+	return async (ctx, permission, target = {}) => {
+		const userId = await requireUserId(ctx);
+		if (userId === null) return {
+			ok: false,
+			code: "NOT_SIGNED_IN"
+		};
+		if (!options?.admin?.authorized) return {
+			ok: false,
+			code: "FORBIDDEN"
+		};
+		const resolved = await resolveMountedEnterpriseTarget(auth, ctx, target);
+		const authResult = await options.admin.authorized(ctx, {
+			userId,
+			permission,
+			enterpriseId: resolved.enterpriseId,
+			groupId: resolved.groupId,
+			resolvedGroupId: resolved.resolvedGroupId
+		});
+		if (authResult && !authResult.ok) return {
+			ok: false,
+			code: "FORBIDDEN"
+		};
+		return {
+			ok: true,
+			userId,
+			...resolved
+		};
+	};
+}
+/**
+* Build optional public SSO management actions that apps can mount under
+* `convex/auth/sso/**` when they want client-callable enterprise APIs.
+*
+* `admin` is for tenant-admin control-plane operations and should be mounted
+* with an explicit authorization policy. `client` is for end-user sign-in
+* helpers and does not require tenant-admin authorization.
+*
+* @param auth - Auth API subset providing `group`, `member`, `sso`, and `user` namespaces.
+* @param options - Optional admin authorization config. See {@link EnterpriseMountOptions}.
+* @typeParam TAuthorization - Optional authorization config for typed role IDs.
+* @returns An object with `admin` (connection CRUD, OIDC/SAML protocol config, policy,
+*   audit, webhooks, domain management) and `client` (signIn, metadata) namespaces.
+*
+* @example
+* ```ts
+* // convex/auth/sso.ts
+* import { sso } from "@robelest/convex-auth/server";
+* import { auth } from "../auth";
+*
+* const mounted = sso(auth, {
+*   admin: {
+*     authorized: async (ctx, input) => { /* check permissions *\/ },
+*   },
+* });
+*
+* export const createConnection = mounted.admin.connection.create;
+* export const signIn = mounted.client.signIn;
+* ```
+*
+* @see {@link scim}
+* @see {@link enterprise}
+*/
+function sso(auth, options) {
+	const authorize = createMountedAdminAuthorizer(auth, options);
+	const adminRoleIds = normalizeCreatorRoleIds(options?.admin?.roles);
+	return {
+		admin: {
+			connection: {
+				create: mutationGeneric({
+					args: {
+						groupId: v.optional(v.string()),
+						name: v.optional(v.string()),
+						slug: v.optional(v.string()),
+						status: v.optional(enterpriseStatusValidator),
+						domain: v.optional(v.string())
+					},
+					handler: async (ctx, args) => {
+						const authResult = await authorize(ctx, "sso.connection.create", { groupId: args.groupId });
+						if (!authResult.ok) return {
+							ok: false,
+							code: authResult.code
+						};
+						const { userId } = authResult;
+						const createsGroup = args.groupId === void 0;
+						const groupId = args.groupId ?? (await auth.group.create(ctx, {
+							name: args.name?.trim() || args.slug?.trim() || "Enterprise",
+							slug: args.slug,
+							type: "enterprise"
+						})).groupId;
+						if (createsGroup) await auth.member.create(ctx, {
+							groupId,
+							userId,
+							roleIds: adminRoleIds
+						});
+						const created = await auth.sso.admin.connection.create(ctx, {
+							groupId,
+							name: args.name,
+							slug: args.slug,
+							status: args.status
+						});
+						if (args.domain) await auth.sso.admin.connection.domain.set(ctx, created.enterpriseId, [{
+							domain: args.domain,
+							isPrimary: true
+						}]);
+						return {
+							...created,
+							groupId,
+							createdGroup: createsGroup
+						};
+					}
+				}),
+				get: queryGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
+						return await auth.sso.admin.connection.get(ctx, args.enterpriseId);
+					}
+				}),
+				getByGroup: queryGeneric({
+					args: { groupId: v.string() },
+					handler: async (ctx, args) => {
+						if (!(await authorize(ctx, "sso.connection.read", { groupId: args.groupId })).ok) return null;
+						return await auth.sso.admin.connection.getByGroup(ctx, args.groupId);
+					}
+				}),
+				getByDomain: queryGeneric({
+					args: { domain: v.string() },
+					handler: async (ctx, args) => {
+						if (!(await authorize(ctx, "sso.connection.read", { domain: args.domain })).ok) return null;
+						return await auth.sso.admin.connection.getByDomain(ctx, args.domain);
+					}
+				}),
+				list: queryGeneric({
+					args: {
+						where: v.optional(enterpriseConnectionWhereValidator),
+						limit: v.optional(v.number()),
+						cursor: v.optional(v.union(v.string(), v.null())),
+						orderBy: v.optional(v.string()),
+						order: v.optional(v.union(v.literal("asc"), v.literal("desc")))
+					},
+					handler: async (ctx, args) => {
+						if (!(await authorize(ctx, "sso.connection.read", { groupId: args.where?.groupId })).ok) return null;
+						return await auth.sso.admin.connection.list(ctx, args);
+					}
+				}),
+				update: mutationGeneric({
+					args: {
+						enterpriseId: v.string(),
+						data: v.object({
+							name: v.optional(v.string()),
+							slug: v.optional(v.string()),
+							status: v.optional(enterpriseStatusValidator)
+						})
+					},
+					handler: async (ctx, args) => {
+						const _auth = await authorize(ctx, "sso.connection.manage", { enterpriseId: args.enterpriseId });
+						if (!_auth.ok) return {
+							ok: false,
+							code: _auth.code
+						};
+						await auth.sso.admin.connection.update(ctx, args.enterpriseId, args.data);
+						return {
+							ok: true,
+							enterpriseId: args.enterpriseId
+						};
+					}
+				}),
+				delete: mutationGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						const _auth = await authorize(ctx, "sso.connection.manage", { enterpriseId: args.enterpriseId });
+						if (!_auth.ok) return {
+							ok: false,
+							code: _auth.code
+						};
+						return await auth.sso.admin.connection.delete(ctx, args.enterpriseId);
+					}
+				}),
+				status: queryGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
+						return await auth.sso.admin.connection.status(ctx, args.enterpriseId);
+					}
+				}),
+				domain: {
+					list: queryGeneric({
+						args: { enterpriseId: v.string() },
+						handler: async (ctx, args) => {
+							if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
+							return await auth.sso.admin.connection.domain.list(ctx, args.enterpriseId);
+						}
+					}),
+					validate: queryGeneric({
+						args: { enterpriseId: v.string() },
+						handler: async (ctx, args) => {
+							if (!(await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId })).ok) return null;
+							return await auth.sso.admin.connection.domain.validate(ctx, args.enterpriseId);
+						}
+					}),
+					set: mutationGeneric({
+						args: {
+							enterpriseId: v.string(),
+							domains: v.array(enterpriseDomainInputValidator)
+						},
+						handler: async (ctx, args) => {
+							const _auth = await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
+							if (!_auth.ok) return {
+								ok: false,
+								code: _auth.code
+							};
+							return await auth.sso.admin.connection.domain.set(ctx, args.enterpriseId, args.domains);
+						}
+					}),
+					verification: {
+						request: mutationGeneric({
+							args: enterpriseDomainVerificationInputValidator,
+							handler: async (ctx, args) => {
+								const _auth = await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
+								if (!_auth.ok) return {
+									ok: false,
+									code: _auth.code
+								};
+								return await auth.sso.admin.connection.domain.verification.request(ctx, args);
+							}
+						}),
+						confirm: actionGeneric({
+							args: enterpriseDomainVerificationInputValidator,
+							handler: async (ctx, args) => {
+								const _auth = await authorize(ctx, "sso.domain.manage", { enterpriseId: args.enterpriseId });
+								if (!_auth.ok) return {
+									ok: false,
+									code: _auth.code
+								};
+								return await auth.sso.admin.connection.domain.verification.confirm(ctx, args);
+							}
+						})
+					}
+				}
+			},
+			oidc: {
+				configure: mutationGeneric({
+					args: {
+						enterpriseId: v.string(),
+						issuer: v.optional(v.string()),
+						discoveryUrl: v.optional(v.string()),
+						clientId: v.string(),
+						clientSecret: v.optional(v.string()),
+						scopes: v.optional(v.array(v.string())),
+						authorizationParams: v.optional(v.record(v.string(), v.string())),
+						clockToleranceSeconds: v.optional(v.number()),
+						strictIssuer: v.optional(v.boolean()),
+						extraFields: v.optional(v.record(v.string(), v.string()))
+					},
+					handler: async (ctx, args) => {
+						const _auth = await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
+						if (!_auth.ok) return {
+							ok: false,
+							code: _auth.code
+						};
+						return await auth.sso.admin.oidc.configure(ctx, args);
+					}
+				}),
+				get: queryGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
+						return await auth.sso.admin.oidc.get(ctx, args.enterpriseId);
+					}
+				}),
+				validate: actionGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						const _auth = await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
+						if (!_auth.ok) return {
+							ok: false,
+							code: _auth.code
+						};
+						return await auth.sso.admin.oidc.validate(ctx, args.enterpriseId);
+					}
+				})
+			},
+			saml: {
+				configure: actionGeneric({
+					args: {
+						enterpriseId: v.string(),
+						metadataXml: v.optional(v.string()),
+						metadataUrl: v.optional(v.string()),
+						domains: v.optional(v.array(v.string())),
+						signAuthnRequests: v.optional(v.boolean()),
+						attributeMapping: v.optional(enterpriseSamlAttributeMappingValidator),
+						sp: v.optional(enterpriseSamlSpValidator)
+					},
+					handler: async (ctx, args) => {
+						const _auth = await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId });
+						if (!_auth.ok) return {
+							ok: false,
+							code: _auth.code
+						};
+						return await auth.sso.admin.saml.configure(ctx, args);
+					}
+				}),
+				validate: queryGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						if (!(await authorize(ctx, "sso.protocol.manage", { enterpriseId: args.enterpriseId })).ok) return null;
+						return await auth.sso.admin.saml.validate(ctx, args.enterpriseId);
+					}
+				})
+			},
+			policy: {
+				get: queryGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						if (!(await authorize(ctx, "sso.connection.read", { enterpriseId: args.enterpriseId })).ok) return null;
+						return await auth.sso.admin.policy.get(ctx, args.enterpriseId);
+					}
+				}),
+				update: mutationGeneric({
+					args: {
+						enterpriseId: v.string(),
+						patch: enterprisePolicyPatchValidator
+					},
+					handler: async (ctx, args) => {
+						const _auth = await authorize(ctx, "sso.policy.manage", { enterpriseId: args.enterpriseId });
+						if (!_auth.ok) return {
+							ok: false,
+							code: _auth.code
+						};
+						return await auth.sso.admin.policy.update(ctx, args.enterpriseId, args.patch);
+					}
+				}),
+				validate: queryGeneric({
+					args: { enterpriseId: v.string() },
+					handler: async (ctx, args) => {
+						if (!(await authorize(ctx, "sso.policy.manage", { enterpriseId: args.enterpriseId })).ok) return null;
+						return await auth.sso.admin.policy.validate(ctx, args.enterpriseId);
+					}
+				})
+			},
+			audit: { list: queryGeneric({
+				args: {
+					enterpriseId: v.optional(v.string()),
+					groupId: v.optional(v.string()),
+					limit: v.optional(v.number())
+				},
+				handler: async (ctx, args) => {
+					if (!(await authorize(ctx, "sso.audit.read", {
+						enterpriseId: args.enterpriseId,
+						groupId: args.groupId
+					})).ok) return null;
+					return await auth.sso.admin.audit.list(ctx, args);
+				}
+			}) },
+			webhook: {
+				delivery: { list: queryGeneric({
+					args: {
+						enterpriseId: v.string(),
+						limit: v.optional(v.number())
+					},
+					handler: async (ctx, args) => {
+						if (!(await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId })).ok) return null;
+						return await auth.sso.admin.webhook.delivery.list(ctx, args);
+					}
+				}) },
+				endpoint: {
+					create: mutationGeneric({
+						args: {
+							enterpriseId: v.string(),
+							url: v.string(),
+							secret: v.string(),
+							subscriptions: v.array(v.string()),
+							createdByUserId: v.optional(v.string())
+						},
+						handler: async (ctx, args) => {
+							const authResult = await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId });
+							if (!authResult.ok) return {
+								ok: false,
+								code: authResult.code
+							};
+							const { userId } = authResult;
+							return {
+								_id: (await auth.sso.admin.webhook.endpoint.create(ctx, {
+									...args,
+									createdByUserId: args.createdByUserId ?? userId
+								})).endpointId,
+								enterpriseId: args.enterpriseId,
+								url: args.url,
+								subscriptions: args.subscriptions,
+								createdByUserId: args.createdByUserId ?? userId,
+								status: "active",
+								failureCount: 0
+							};
+						}
+					}),
+					list: queryGeneric({
+						args: { enterpriseId: v.string() },
+						handler: async (ctx, args) => {
+							if (!(await authorize(ctx, "sso.webhook.manage", { enterpriseId: args.enterpriseId })).ok) return null;
+							return (await auth.sso.admin.webhook.endpoint.list(ctx, args.enterpriseId)).map((endpoint) => {
+								const { secretHash: _secretHash, ...rest } = endpoint;
+								return rest;
+							});
+						}
+					}),
+					disable: mutationGeneric({
+						args: { endpointId: v.string() },
+						handler: async (ctx, args) => {
+							const endpoint = await auth.sso.admin.webhook.endpoint.get(ctx, args.endpointId);
+							if (!endpoint) return {
+								ok: false,
+								code: "INVALID_PARAMETERS"
+							};
+							const _auth = await authorize(ctx, "sso.webhook.manage", {
+								enterpriseId: endpoint.enterpriseId,
+								groupId: endpoint.groupId
+							});
+							if (!_auth.ok) return {
+								ok: false,
+								code: _auth.code
+							};
+							return await auth.sso.admin.webhook.endpoint.disable(ctx, args.endpointId);
+						}
+					})
+				}
+			}
+		},
+		client: {
+			signIn: queryGeneric({
+				args: {
+					enterpriseId: v.optional(v.string()),
+					email: v.optional(v.string()),
+					domain: v.optional(v.string()),
+					redirectTo: v.optional(v.string())
+				},
+				handler: async (ctx, args) => {
+					return await auth.sso.client.signIn(ctx, args);
+				}
+			}),
+			metadata: queryGeneric({
+				args: {
+					enterpriseId: v.string(),
+					entityId: v.optional(v.string()),
+					acsUrl: v.optional(v.string()),
+					sloUrl: v.optional(v.string())
+				},
+				handler: async (ctx, args) => {
+					return await auth.sso.client.metadata(ctx, args);
+				}
+			})
+		}
+	};
+}
+/**
+* Build optional public SCIM management actions that apps can mount under
+* `convex/auth/scim/**` when they want client-callable enterprise admin APIs.
+*
+* @param auth - Auth API subset providing `scim`, `sso`, and `user` namespaces.
+* @param options - Optional admin authorization config. See {@link EnterpriseMountOptions}.
+* @typeParam TAuthorization - Optional authorization config for typed role IDs.
+* @returns An object with `admin.configure`, `admin.get`, and `admin.validate` actions.
+*
+* @example
+* ```ts
+* // convex/auth/scim.ts
+* import { scim } from "@robelest/convex-auth/server";
+* import { auth } from "../auth";
+*
+* const mounted = scim(auth, {
+*   admin: {
+*     authorized: async (ctx, input) => { /* check permissions *\/ },
+*   },
+* });
+*
+* export const configure = mounted.admin.configure;
+* export const get = mounted.admin.get;
+* export const validate = mounted.admin.validate;
+* ```
+*
+* @see {@link sso}
+* @see {@link enterprise}
+*/
+function scim(auth, options) {
+	const authorize = createMountedAdminAuthorizer(auth, options);
+	return { admin: {
+		configure: mutationGeneric({
+			args: {
+				enterpriseId: v.string(),
+				basePath: v.optional(v.string()),
+				status: v.optional(enterpriseStatusValidator)
+			},
+			handler: async (ctx, args) => {
+				const _auth = await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId });
+				if (!_auth.ok) return {
+					ok: false,
+					code: _auth.code
+				};
+				return await auth.scim.admin.configure(ctx, args);
+			}
+		}),
+		get: queryGeneric({
+			args: { enterpriseId: v.string() },
+			handler: async (ctx, args) => {
+				if (!(await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId })).ok) return null;
+				return await auth.scim.admin.get(ctx, args.enterpriseId);
+			}
+		}),
+		validate: queryGeneric({
+			args: { enterpriseId: v.string() },
+			handler: async (ctx, args) => {
+				if (!(await authorize(ctx, "scim.manage", { enterpriseId: args.enterpriseId })).ok) return null;
+				return await auth.scim.admin.validate(ctx, args.enterpriseId);
+			}
+		})
+	} };
+}
+/**
+* Build a flat mounted enterprise API surface for app-owned Convex exports.
+*
+* Combines {@link sso} and {@link scim} into a single flat object with
+* all SSO connection, protocol, policy, audit, webhook, and SCIM
+* management functions plus end-user sign-in helpers. The `authorized`
+* callback is required for all admin operations.
+*
+* @param auth - Auth API subset providing `group`, `member`, `scim`, `sso`, and `user` namespaces.
+* @param options - Required {@link EnterpriseMountOptions} with an `admin.authorized` callback.
+* @typeParam TAuthorization - Optional authorization config for typed role IDs.
+* @returns A flat object with all enterprise management functions (e.g. `createConnection`,
+*   `configureOidc`, `configureScim`, `signIn`, etc.).
+*
+* @example
+* ```ts
+* // convex/auth/enterprise.ts
+* import { enterprise } from "@robelest/convex-auth/server";
+* import { auth } from "../auth";
+*
+* const api = enterprise(auth, {
+*   admin: {
+*     authorized: async (ctx, input) => { /* check permissions *\/ },
+*     roles: ["admin"],
+*   },
+* });
+*
+* export const createConnection = api.createConnection;
+* export const configureOidc = api.configureOidc;
+* export const signIn = api.signIn;
+* ```
+*
+* @see {@link sso}
+* @see {@link scim}
+*/
+function enterprise(auth, options) {
+	const mountedSso = sso(auth, { admin: options.admin });
+	const mountedScim = scim(auth, { admin: { authorized: options.admin.authorized } });
+	return {
+		createConnection: mountedSso.admin.connection.create,
+		getConnection: mountedSso.admin.connection.get,
+		getConnectionByGroup: mountedSso.admin.connection.getByGroup,
+		getConnectionByDomain: mountedSso.admin.connection.getByDomain,
+		listConnections: mountedSso.admin.connection.list,
+		updateConnection: mountedSso.admin.connection.update,
+		deleteConnection: mountedSso.admin.connection.delete,
+		getConnectionStatus: mountedSso.admin.connection.status,
+		listDomains: mountedSso.admin.connection.domain.list,
+		validateDomains: mountedSso.admin.connection.domain.validate,
+		setDomains: mountedSso.admin.connection.domain.set,
+		requestDomainVerification: mountedSso.admin.connection.domain.verification.request,
+		confirmDomainVerification: mountedSso.admin.connection.domain.verification.confirm,
+		configureOidc: mountedSso.admin.oidc.configure,
+		getOidc: mountedSso.admin.oidc.get,
+		validateOidc: mountedSso.admin.oidc.validate,
+		configureSaml: mountedSso.admin.saml.configure,
+		validateSaml: mountedSso.admin.saml.validate,
+		getPolicy: mountedSso.admin.policy.get,
+		updatePolicy: mountedSso.admin.policy.update,
+		validatePolicy: mountedSso.admin.policy.validate,
+		listAudit: mountedSso.admin.audit.list,
+		createWebhookEndpoint: mountedSso.admin.webhook.endpoint.create,
+		listWebhookEndpoints: mountedSso.admin.webhook.endpoint.list,
+		listWebhookDeliveries: mountedSso.admin.webhook.delivery.list,
+		disableWebhookEndpoint: mountedSso.admin.webhook.endpoint.disable,
+		configureScim: mountedScim.admin.configure,
+		getScim: mountedScim.admin.get,
+		validateScim: mountedScim.admin.validate,
+		signIn: mountedSso.client.signIn,
+		metadata: mountedSso.client.metadata
+	};
+}
+
+//#endregion
+export { enterprise, scim, sso };
+//# sourceMappingURL=mounts.js.map