@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/server/mounts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mounts.js","names":[],"sources":["../../src/server/mounts.ts"],"sourcesContent":["import { actionGeneric, mutationGeneric, queryGeneric } from \"convex/server\";\nimport { ConvexError, v } from \"convex/values\";\n\nimport type { AuthApi } from \"./auth\";\nimport {\n  enterpriseConnectionWhereValidator,\n  enterpriseDomainInputValidator,\n  enterpriseDomainVerificationInputValidator,\n  enterprisePolicyPatchValidator,\n  enterpriseSamlAttributeMappingValidator,\n  enterpriseSamlSpValidator,\n  enterpriseStatusValidator,\n} from \"./enterprise/validators\";\nimport type { AuthAuthorizationConfig, AuthRoleId } from \"./types\";\n\n/**\n * Permission identifiers used by mounted enterprise admin APIs.\n *\n * These permission strings are passed to your {@link EnterpriseAuthorizer}\n * callback so app code can decide whether the current user may perform a\n * specific SSO or SCIM management operation.\n *\n * @example\n * ```ts\n * const authorized: EnterpriseAuthorizer = async (ctx, input) => {\n *   if (input.permission === \"sso.connection.create\") {\n *     // Only org admins may create SSO connections\n *   }\n * };\n * ```\n */\nexport type EnterpriseAdminPermission =\n  | \"sso.connection.create\"\n  | \"sso.connection.read\"\n  | \"sso.connection.manage\"\n  | \"sso.domain.manage\"\n  | \"sso.protocol.manage\"\n  | \"sso.policy.manage\"\n  | \"sso.audit.read\"\n  | \"sso.webhook.manage\"\n  | \"scim.manage\";\n\n/**\n * Input passed to an {@link EnterpriseAuthorizer}.\n *\n * Contains the acting user, the requested permission, and the resolved\n * enterprise/group scope for the operation being authorized.\n */\nexport type EnterpriseAdminAuthorizationInput = {\n  /** The signed-in user's ID performing the admin action. */\n  userId: string;\n  /** The {@link EnterpriseAdminPermission} being requested. */\n  permission: EnterpriseAdminPermission;\n  /** Enterprise document ID, if the operation targets a specific enterprise. */\n  enterpriseId?: string;\n  /** Group document ID, if explicitly provided by the caller. */\n  groupId?: string;\n  /** Resolved group ID from the enterprise record, or `null` when no enterprise context. */\n  resolvedGroupId: string | null;\n};\n\n/**\n * App-defined authorization hook for mounted enterprise admin APIs.\n *\n * Return `void` (or resolve) to allow the operation, or `{ ok: false }` to deny it.\n *\n * @param ctx - Convex context with `ctx.auth` for identity checks.\n * @param input - The {@link EnterpriseAdminAuthorizationInput} describing who is doing what.\n * @returns `void` to allow, `{ ok: false }` to deny.\n *\n * @example\n * ```ts\n * import { EnterpriseAuthorizer } from \"@robelest/convex-auth/server\";\n *\n * const authorized: EnterpriseAuthorizer = async (ctx, input) => {\n *   const identity = await ctx.auth.getUserIdentity();\n *   if (!identity) return { ok: false };\n *   // Allow all admin ops for the org owner\n * };\n * ```\n */\nexport type EnterpriseAuthorizer = (\n  ctx: { auth: import(\"convex/server\").Auth },\n  input: EnterpriseAdminAuthorizationInput,\n) => Promise<void | { ok: false }>;\n\ntype RoleRef<TRoleId extends string> = { id: TRoleId };\n\ntype MountedEnterpriseOptions<TRoleId extends string = string> = {\n  admin?: {\n    authorized?: EnterpriseAuthorizer;\n    roles?: Array<TRoleId | RoleRef<TRoleId>>;\n  };\n};\n\n/**\n * Configuration for {@link enterprise}, {@link sso}, and {@link scim}\n * mounted admin APIs.\n *\n * @typeParam TRoleId - Role IDs that may be assigned to enterprise creators.\n *\n * @example\n * ```ts\n * import { enterprise, EnterpriseMountOptions } from \"@robelest/convex-auth/server\";\n *\n * const options: EnterpriseMountOptions = {\n *   admin: {\n *     authorized: async (ctx, input) => {\n *       // Verify the user has permission for `input.permission`\n *     },\n *     roles: [\"admin\", \"owner\"],\n *   },\n * };\n * ```\n */\nexport type EnterpriseMountOptions<TRoleId extends string = string> = {\n  admin: {\n    authorized: EnterpriseAuthorizer;\n    roles?: Array<TRoleId | RoleRef<TRoleId>>;\n  };\n};\n\ntype MountedEnterpriseTarget = {\n  enterpriseId?: string;\n  groupId?: string;\n  domain?: string;\n};\n\nfunction requireSignedInUser(auth: Pick<AuthApi, \"user\">) {\n  return async (ctx: {\n    auth: import(\"convex/server\").Auth;\n  }): Promise<string | null> => {\n    return await auth.user.id(ctx as never);\n  };\n}\n\nfunction normalizeCreatorRoleIds<TRoleId extends string>(\n  roles?: Array<TRoleId | RoleRef<TRoleId>>,\n) {\n  return roles?.map((role) => (typeof role === \"string\" ? role : role.id));\n}\n\nasync function resolveMountedEnterpriseTarget(\n  auth: Pick<AuthApi, \"sso\">,\n  ctx: { auth: import(\"convex/server\").Auth },\n  target: MountedEnterpriseTarget,\n) {\n  if (target.groupId !== undefined) {\n    return {\n      enterpriseId: target.enterpriseId,\n      groupId: target.groupId,\n      resolvedGroupId: target.groupId,\n    };\n  }\n\n  if (target.enterpriseId !== undefined) {\n    const enterprise = await auth.sso.admin.connection.get(\n      ctx as never,\n      target.enterpriseId,\n    );\n    if (enterprise === null) {\n      throw new ConvexError({\n        code: \"INVALID_PARAMETERS\",\n        message: \"Enterprise not found.\",\n      });\n    }\n    return {\n      enterpriseId: enterprise._id,\n      groupId: enterprise.groupId,\n      resolvedGroupId: enterprise.groupId,\n    };\n  }\n\n  if (target.domain !== undefined) {\n    const resolved = await auth.sso.admin.connection.getByDomain(\n      ctx as never,\n      target.domain,\n    );\n    if (resolved?.enterprise === undefined) {\n      throw new ConvexError({\n        code: \"INVALID_PARAMETERS\",\n        message: \"Enterprise not found.\",\n      });\n    }\n    return {\n      enterpriseId: resolved.enterprise._id,\n      groupId: resolved.enterprise.groupId,\n      resolvedGroupId: resolved.enterprise.groupId,\n    };\n  }\n\n  return {\n    enterpriseId: undefined,\n    groupId: undefined,\n    resolvedGroupId: null,\n  };\n}\n\nfunction createMountedAdminAuthorizer(\n  auth: Pick<AuthApi, \"sso\" | \"user\">,\n  options?: MountedEnterpriseOptions,\n) {\n  const requireUserId = requireSignedInUser(auth);\n\n  return async (\n    ctx: { auth: import(\"convex/server\").Auth },\n    permission: EnterpriseAdminPermission,\n    target: MountedEnterpriseTarget = {},\n  ) => {\n    const userId = await requireUserId(ctx);\n    if (userId === null) {\n      return { ok: false as const, code: \"NOT_SIGNED_IN\" as const };\n    }\n    if (!options?.admin?.authorized) {\n      return { ok: false as const, code: \"FORBIDDEN\" as const };\n    }\n    const resolved = await resolveMountedEnterpriseTarget(auth, ctx, target);\n    const authResult = await options.admin.authorized(ctx, {\n      userId,\n      permission,\n      enterpriseId: resolved.enterpriseId,\n      groupId: resolved.groupId,\n      resolvedGroupId: resolved.resolvedGroupId,\n    });\n    if (authResult && !authResult.ok) {\n      return { ok: false as const, code: \"FORBIDDEN\" as const };\n    }\n    return { ok: true as const, userId, ...resolved };\n  };\n}\n\n/**\n * Build optional public SSO management actions that apps can mount under\n * `convex/auth/sso/**` when they want client-callable enterprise APIs.\n *\n * `admin` is for tenant-admin control-plane operations and should be mounted\n * with an explicit authorization policy. `client` is for end-user sign-in\n * helpers and does not require tenant-admin authorization.\n *\n * @param auth - Auth API subset providing `group`, `member`, `sso`, and `user` namespaces.\n * @param options - Optional admin authorization config. See {@link EnterpriseMountOptions}.\n * @typeParam TAuthorization - Optional authorization config for typed role IDs.\n * @returns An object with `admin` (connection CRUD, OIDC/SAML protocol config, policy,\n *   audit, webhooks, domain management) and `client` (signIn, metadata) namespaces.\n *\n * @example\n * ```ts\n * // convex/auth/sso.ts\n * import { sso } from \"@robelest/convex-auth/server\";\n * import { auth } from \"../auth\";\n *\n * const mounted = sso(auth, {\n *   admin: {\n *     authorized: async (ctx, input) => { /* check permissions *\\/ },\n *   },\n * });\n *\n * export const createConnection = mounted.admin.connection.create;\n * export const signIn = mounted.client.signIn;\n * ```\n *\n * @see {@link scim}\n * @see {@link enterprise}\n */\nexport function sso<\n  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n>(\n  auth: Pick<AuthApi<TAuthorization>, \"group\" | \"member\" | \"sso\" | \"user\">,\n  options?: MountedEnterpriseOptions<AuthRoleId<TAuthorization>>,\n) {\n  const authorize = createMountedAdminAuthorizer(auth, options);\n  const adminRoleIds = normalizeCreatorRoleIds(options?.admin?.roles);\n\n  return {\n    admin: {\n      connection: {\n        create: mutationGeneric({\n          args: {\n            groupId: v.optional(v.string()),\n            name: v.optional(v.string()),\n            slug: v.optional(v.string()),\n            status: v.optional(enterpriseStatusValidator),\n            domain: v.optional(v.string()),\n          },\n          handler: async (ctx, args) => {\n            const authResult = await authorize(ctx, \"sso.connection.create\", {\n              groupId: args.groupId,\n            });\n            if (!authResult.ok)\n              return { ok: false as const, code: authResult.code };\n            const { userId } = authResult;\n            const createsGroup = args.groupId === undefined;\n            const groupId =\n              args.groupId ??\n              (\n                await auth.group.create(ctx as never, {\n                  name: args.name?.trim() || args.slug?.trim() || \"Enterprise\",\n                  slug: args.slug,\n                  type: \"enterprise\",\n                })\n              ).groupId;\n            if (createsGroup) {\n              await auth.member.create(ctx as never, {\n                groupId,\n                userId,\n                roleIds: adminRoleIds,\n              });\n            }\n            const created = await auth.sso.admin.connection.create(\n              ctx as never,\n              {\n                groupId,\n                name: args.name,\n                slug: args.slug,\n                status: args.status,\n              },\n            );\n            if (args.domain) {\n              await auth.sso.admin.connection.domain.set(\n                ctx as never,\n                created.enterpriseId,\n                [{ domain: args.domain, isPrimary: true }],\n              );\n            }\n            return {\n              ...created,\n              groupId,\n              createdGroup: createsGroup,\n            };\n          },\n        }),\n        get: queryGeneric({\n          args: { enterpriseId: v.string() },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.connection.read\", {\n              enterpriseId: args.enterpriseId,\n            });\n            if (!_auth.ok) return null;\n            return await auth.sso.admin.connection.get(\n              ctx as never,\n              args.enterpriseId,\n            );\n          },\n        }),\n        getByGroup: queryGeneric({\n          args: { groupId: v.string() },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.connection.read\", {\n              groupId: args.groupId,\n            });\n            if (!_auth.ok) return null;\n            return await auth.sso.admin.connection.getByGroup(\n              ctx as never,\n              args.groupId,\n            );\n          },\n        }),\n        getByDomain: queryGeneric({\n          args: { domain: v.string() },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.connection.read\", {\n              domain: args.domain,\n            });\n            if (!_auth.ok) return null;\n            return await auth.sso.admin.connection.getByDomain(\n              ctx as never,\n              args.domain,\n            );\n          },\n        }),\n        list: queryGeneric({\n          args: {\n            where: v.optional(enterpriseConnectionWhereValidator),\n            limit: v.optional(v.number()),\n            cursor: v.optional(v.union(v.string(), v.null())),\n            orderBy: v.optional(v.string()),\n            order: v.optional(v.union(v.literal(\"asc\"), v.literal(\"desc\"))),\n          },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.connection.read\", {\n              groupId: args.where?.groupId,\n            });\n            if (!_auth.ok) return null;\n            return await auth.sso.admin.connection.list(\n              ctx as never,\n              args as never,\n            );\n          },\n        }),\n        update: mutationGeneric({\n          args: {\n            enterpriseId: v.string(),\n            data: v.object({\n              name: v.optional(v.string()),\n              slug: v.optional(v.string()),\n              status: v.optional(enterpriseStatusValidator),\n            }),\n          },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.connection.manage\", {\n              enterpriseId: args.enterpriseId,\n            });\n            if (!_auth.ok) return { ok: false as const, code: _auth.code };\n            await auth.sso.admin.connection.update(\n              ctx as never,\n              args.enterpriseId,\n              args.data,\n            );\n            return { ok: true as const, enterpriseId: args.enterpriseId };\n          },\n        }),\n        delete: mutationGeneric({\n          args: { enterpriseId: v.string() },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.connection.manage\", {\n              enterpriseId: args.enterpriseId,\n            });\n            if (!_auth.ok) return { ok: false as const, code: _auth.code };\n            return await auth.sso.admin.connection.delete(\n              ctx as never,\n              args.enterpriseId,\n            );\n          },\n        }),\n        status: queryGeneric({\n          args: { enterpriseId: v.string() },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.connection.read\", {\n              enterpriseId: args.enterpriseId,\n            });\n            if (!_auth.ok) return null;\n            return await auth.sso.admin.connection.status(\n              ctx as never,\n              args.enterpriseId,\n            );\n          },\n        }),\n        domain: {\n          list: queryGeneric({\n            args: { enterpriseId: v.string() },\n            handler: async (ctx, args) => {\n              const _auth = await authorize(ctx, \"sso.connection.read\", {\n                enterpriseId: args.enterpriseId,\n              });\n              if (!_auth.ok) return null;\n              return await auth.sso.admin.connection.domain.list(\n                ctx as never,\n                args.enterpriseId,\n              );\n            },\n          }),\n          validate: queryGeneric({\n            args: { enterpriseId: v.string() },\n            handler: async (ctx, args) => {\n              const _auth = await authorize(ctx, \"sso.domain.manage\", {\n                enterpriseId: args.enterpriseId,\n              });\n              if (!_auth.ok) return null;\n              return await auth.sso.admin.connection.domain.validate(\n                ctx as never,\n                args.enterpriseId,\n              );\n            },\n          }),\n          set: mutationGeneric({\n            args: {\n              enterpriseId: v.string(),\n              domains: v.array(enterpriseDomainInputValidator),\n            },\n            handler: async (ctx, args) => {\n              const _auth = await authorize(ctx, \"sso.domain.manage\", {\n                enterpriseId: args.enterpriseId,\n              });\n              if (!_auth.ok) return { ok: false as const, code: _auth.code };\n              return await auth.sso.admin.connection.domain.set(\n                ctx as never,\n                args.enterpriseId,\n                args.domains,\n              );\n            },\n          }),\n          verification: {\n            request: mutationGeneric({\n              args: enterpriseDomainVerificationInputValidator,\n              handler: async (ctx, args) => {\n                const _auth = await authorize(ctx, \"sso.domain.manage\", {\n                  enterpriseId: args.enterpriseId,\n                });\n                if (!_auth.ok) return { ok: false as const, code: _auth.code };\n                return await auth.sso.admin.connection.domain.verification.request(\n                  ctx as never,\n                  args,\n                );\n              },\n            }),\n            confirm: actionGeneric({\n              args: enterpriseDomainVerificationInputValidator,\n              handler: async (ctx, args) => {\n                const _auth = await authorize(ctx, \"sso.domain.manage\", {\n                  enterpriseId: args.enterpriseId,\n                });\n                if (!_auth.ok) return { ok: false as const, code: _auth.code };\n                return await auth.sso.admin.connection.domain.verification.confirm(\n                  ctx as never,\n                  args,\n                );\n              },\n            }),\n          },\n        },\n      },\n      oidc: {\n        configure: mutationGeneric({\n          args: {\n            enterpriseId: v.string(),\n            issuer: v.optional(v.string()),\n            discoveryUrl: v.optional(v.string()),\n            clientId: v.string(),\n            clientSecret: v.optional(v.string()),\n            scopes: v.optional(v.array(v.string())),\n            authorizationParams: v.optional(v.record(v.string(), v.string())),\n            clockToleranceSeconds: v.optional(v.number()),\n            strictIssuer: v.optional(v.boolean()),\n            extraFields: v.optional(v.record(v.string(), v.string())),\n          },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.protocol.manage\", {\n              enterpriseId: args.enterpriseId,\n            });\n            if (!_auth.ok) return { ok: false as const, code: _auth.code };\n            return await auth.sso.admin.oidc.configure(ctx as never, args);\n          },\n        }),\n        get: queryGeneric({\n          args: { enterpriseId: v.string() },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.connection.read\", {\n              enterpriseId: args.enterpriseId,\n            });\n            if (!_auth.ok) return null;\n            return await auth.sso.admin.oidc.get(\n              ctx as never,\n              args.enterpriseId,\n            );\n          },\n        }),\n        validate: actionGeneric({\n          args: { enterpriseId: v.string() },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.protocol.manage\", {\n              enterpriseId: args.enterpriseId,\n            });\n            if (!_auth.ok) return { ok: false as const, code: _auth.code };\n            return await auth.sso.admin.oidc.validate(\n              ctx as never,\n              args.enterpriseId,\n            );\n          },\n        }),\n      },\n      saml: {\n        configure: actionGeneric({\n          args: {\n            enterpriseId: v.string(),\n            metadataXml: v.optional(v.string()),\n            metadataUrl: v.optional(v.string()),\n            domains: v.optional(v.array(v.string())),\n            signAuthnRequests: v.optional(v.boolean()),\n            attributeMapping: v.optional(\n              enterpriseSamlAttributeMappingValidator,\n            ),\n            sp: v.optional(enterpriseSamlSpValidator),\n          },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.protocol.manage\", {\n              enterpriseId: args.enterpriseId,\n            });\n            if (!_auth.ok) return { ok: false as const, code: _auth.code };\n            return await auth.sso.admin.saml.configure(ctx as never, args);\n          },\n        }),\n        validate: queryGeneric({\n          args: { enterpriseId: v.string() },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.protocol.manage\", {\n              enterpriseId: args.enterpriseId,\n            });\n            if (!_auth.ok) return null;\n            return await auth.sso.admin.saml.validate(\n              ctx as never,\n              args.enterpriseId,\n            );\n          },\n        }),\n      },\n      policy: {\n        get: queryGeneric({\n          args: { enterpriseId: v.string() },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.connection.read\", {\n              enterpriseId: args.enterpriseId,\n            });\n            if (!_auth.ok) return null;\n            return await auth.sso.admin.policy.get(\n              ctx as never,\n              args.enterpriseId,\n            );\n          },\n        }),\n        update: mutationGeneric({\n          args: {\n            enterpriseId: v.string(),\n            patch: enterprisePolicyPatchValidator,\n          },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.policy.manage\", {\n              enterpriseId: args.enterpriseId,\n            });\n            if (!_auth.ok) return { ok: false as const, code: _auth.code };\n            return await auth.sso.admin.policy.update(\n              ctx as never,\n              args.enterpriseId,\n              args.patch,\n            );\n          },\n        }),\n        validate: queryGeneric({\n          args: { enterpriseId: v.string() },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.policy.manage\", {\n              enterpriseId: args.enterpriseId,\n            });\n            if (!_auth.ok) return null;\n            return await auth.sso.admin.policy.validate(\n              ctx as never,\n              args.enterpriseId,\n            );\n          },\n        }),\n      },\n      audit: {\n        list: queryGeneric({\n          args: {\n            enterpriseId: v.optional(v.string()),\n            groupId: v.optional(v.string()),\n            limit: v.optional(v.number()),\n          },\n          handler: async (ctx, args) => {\n            const _auth = await authorize(ctx, \"sso.audit.read\", {\n              enterpriseId: args.enterpriseId,\n              groupId: args.groupId,\n            });\n            if (!_auth.ok) return null;\n            return await auth.sso.admin.audit.list(ctx as never, args);\n          },\n        }),\n      },\n      webhook: {\n        delivery: {\n          list: queryGeneric({\n            args: {\n              enterpriseId: v.string(),\n              limit: v.optional(v.number()),\n            },\n            handler: async (ctx, args) => {\n              const _auth = await authorize(ctx, \"sso.webhook.manage\", {\n                enterpriseId: args.enterpriseId,\n              });\n              if (!_auth.ok) return null;\n              return await (auth.sso.admin.webhook as any).delivery.list(\n                ctx as never,\n                args,\n              );\n            },\n          }),\n        },\n        endpoint: {\n          create: mutationGeneric({\n            args: {\n              enterpriseId: v.string(),\n              url: v.string(),\n              secret: v.string(),\n              subscriptions: v.array(v.string()),\n              createdByUserId: v.optional(v.string()),\n            },\n            handler: async (ctx, args) => {\n              const authResult = await authorize(ctx, \"sso.webhook.manage\", {\n                enterpriseId: args.enterpriseId,\n              });\n              if (!authResult.ok)\n                return { ok: false as const, code: authResult.code };\n              const { userId } = authResult;\n              const result = await auth.sso.admin.webhook.endpoint.create(\n                ctx as never,\n                {\n                  ...args,\n                  createdByUserId: args.createdByUserId ?? userId,\n                },\n              );\n              return {\n                _id: result.endpointId,\n                enterpriseId: args.enterpriseId,\n                url: args.url,\n                subscriptions: args.subscriptions,\n                createdByUserId: args.createdByUserId ?? userId,\n                status: \"active\",\n                failureCount: 0,\n              };\n            },\n          }),\n          list: queryGeneric({\n            args: { enterpriseId: v.string() },\n            handler: async (ctx, args) => {\n              const _auth = await authorize(ctx, \"sso.webhook.manage\", {\n                enterpriseId: args.enterpriseId,\n              });\n              if (!_auth.ok) return null;\n              const endpoints = await auth.sso.admin.webhook.endpoint.list(\n                ctx as never,\n                args.enterpriseId,\n              );\n              return endpoints.map((endpoint: Record<string, unknown>) => {\n                const { secretHash: _secretHash, ...rest } = endpoint;\n                return rest;\n              });\n            },\n          }),\n          disable: mutationGeneric({\n            args: { endpointId: v.string() },\n            handler: async (ctx, args) => {\n              const endpoint = await auth.sso.admin.webhook.endpoint.get(\n                ctx as never,\n                args.endpointId,\n              );\n              if (!endpoint) {\n                return {\n                  ok: false as const,\n                  code: \"INVALID_PARAMETERS\" as const,\n                };\n              }\n              const _auth = await authorize(ctx, \"sso.webhook.manage\", {\n                enterpriseId: endpoint.enterpriseId,\n                groupId: endpoint.groupId,\n              });\n              if (!_auth.ok) return { ok: false as const, code: _auth.code };\n              return await auth.sso.admin.webhook.endpoint.disable(\n                ctx as never,\n                args.endpointId,\n              );\n            },\n          }),\n        },\n      },\n    },\n    client: {\n      signIn: queryGeneric({\n        args: {\n          enterpriseId: v.optional(v.string()),\n          email: v.optional(v.string()),\n          domain: v.optional(v.string()),\n          redirectTo: v.optional(v.string()),\n        },\n        handler: async (ctx, args) => {\n          return await auth.sso.client.signIn(ctx as never, args);\n        },\n      }),\n      metadata: queryGeneric({\n        args: {\n          enterpriseId: v.string(),\n          entityId: v.optional(v.string()),\n          acsUrl: v.optional(v.string()),\n          sloUrl: v.optional(v.string()),\n        },\n        handler: async (ctx, args) => {\n          return await auth.sso.client.metadata(ctx as never, args);\n        },\n      }),\n    },\n  };\n}\n\n/**\n * Build optional public SCIM management actions that apps can mount under\n * `convex/auth/scim/**` when they want client-callable enterprise admin APIs.\n *\n * @param auth - Auth API subset providing `scim`, `sso`, and `user` namespaces.\n * @param options - Optional admin authorization config. See {@link EnterpriseMountOptions}.\n * @typeParam TAuthorization - Optional authorization config for typed role IDs.\n * @returns An object with `admin.configure`, `admin.get`, and `admin.validate` actions.\n *\n * @example\n * ```ts\n * // convex/auth/scim.ts\n * import { scim } from \"@robelest/convex-auth/server\";\n * import { auth } from \"../auth\";\n *\n * const mounted = scim(auth, {\n *   admin: {\n *     authorized: async (ctx, input) => { /* check permissions *\\/ },\n *   },\n * });\n *\n * export const configure = mounted.admin.configure;\n * export const get = mounted.admin.get;\n * export const validate = mounted.admin.validate;\n * ```\n *\n * @see {@link sso}\n * @see {@link enterprise}\n */\nexport function scim<\n  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n>(\n  auth: Pick<AuthApi<TAuthorization>, \"scim\" | \"sso\" | \"user\">,\n  options?: MountedEnterpriseOptions<AuthRoleId<TAuthorization>>,\n) {\n  const authorize = createMountedAdminAuthorizer(auth, options);\n\n  return {\n    admin: {\n      configure: mutationGeneric({\n        args: {\n          enterpriseId: v.string(),\n          basePath: v.optional(v.string()),\n          status: v.optional(enterpriseStatusValidator),\n        },\n        handler: async (ctx, args) => {\n          const _auth = await authorize(ctx, \"scim.manage\", {\n            enterpriseId: args.enterpriseId,\n          });\n          if (!_auth.ok) return { ok: false as const, code: _auth.code };\n          return await auth.scim.admin.configure(ctx as never, args);\n        },\n      }),\n      get: queryGeneric({\n        args: { enterpriseId: v.string() },\n        handler: async (ctx, args) => {\n          const _auth = await authorize(ctx, \"scim.manage\", {\n            enterpriseId: args.enterpriseId,\n          });\n          if (!_auth.ok) return null;\n          return await auth.scim.admin.get(ctx as never, args.enterpriseId);\n        },\n      }),\n      validate: queryGeneric({\n        args: { enterpriseId: v.string() },\n        handler: async (ctx, args) => {\n          const _auth = await authorize(ctx, \"scim.manage\", {\n            enterpriseId: args.enterpriseId,\n          });\n          if (!_auth.ok) return null;\n          return await auth.scim.admin.validate(\n            ctx as never,\n            args.enterpriseId,\n          );\n        },\n      }),\n    },\n  };\n}\n\n/**\n * Build a flat mounted enterprise API surface for app-owned Convex exports.\n *\n * Combines {@link sso} and {@link scim} into a single flat object with\n * all SSO connection, protocol, policy, audit, webhook, and SCIM\n * management functions plus end-user sign-in helpers. The `authorized`\n * callback is required for all admin operations.\n *\n * @param auth - Auth API subset providing `group`, `member`, `scim`, `sso`, and `user` namespaces.\n * @param options - Required {@link EnterpriseMountOptions} with an `admin.authorized` callback.\n * @typeParam TAuthorization - Optional authorization config for typed role IDs.\n * @returns A flat object with all enterprise management functions (e.g. `createConnection`,\n *   `configureOidc`, `configureScim`, `signIn`, etc.).\n *\n * @example\n * ```ts\n * // convex/auth/enterprise.ts\n * import { enterprise } from \"@robelest/convex-auth/server\";\n * import { auth } from \"../auth\";\n *\n * const api = enterprise(auth, {\n *   admin: {\n *     authorized: async (ctx, input) => { /* check permissions *\\/ },\n *     roles: [\"admin\"],\n *   },\n * });\n *\n * export const createConnection = api.createConnection;\n * export const configureOidc = api.configureOidc;\n * export const signIn = api.signIn;\n * ```\n *\n * @see {@link sso}\n * @see {@link scim}\n */\nexport function enterprise<\n  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n>(\n  auth: Pick<\n    AuthApi<TAuthorization>,\n    \"group\" | \"member\" | \"scim\" | \"sso\" | \"user\"\n  >,\n  options: EnterpriseMountOptions<AuthRoleId<TAuthorization>>,\n) {\n  const mountedSso = sso(auth, {\n    admin: options.admin,\n  });\n  const mountedScim = scim(auth, {\n    admin: { authorized: options.admin.authorized },\n  });\n\n  return {\n    createConnection: mountedSso.admin.connection.create,\n    getConnection: mountedSso.admin.connection.get,\n    getConnectionByGroup: mountedSso.admin.connection.getByGroup,\n    getConnectionByDomain: mountedSso.admin.connection.getByDomain,\n    listConnections: mountedSso.admin.connection.list,\n    updateConnection: mountedSso.admin.connection.update,\n    deleteConnection: mountedSso.admin.connection.delete,\n    getConnectionStatus: mountedSso.admin.connection.status,\n    listDomains: mountedSso.admin.connection.domain.list,\n    validateDomains: mountedSso.admin.connection.domain.validate,\n    setDomains: mountedSso.admin.connection.domain.set,\n    requestDomainVerification:\n      mountedSso.admin.connection.domain.verification.request,\n    confirmDomainVerification:\n      mountedSso.admin.connection.domain.verification.confirm,\n    configureOidc: mountedSso.admin.oidc.configure,\n    getOidc: mountedSso.admin.oidc.get,\n    validateOidc: mountedSso.admin.oidc.validate,\n    configureSaml: mountedSso.admin.saml.configure,\n    validateSaml: mountedSso.admin.saml.validate,\n    getPolicy: mountedSso.admin.policy.get,\n    updatePolicy: mountedSso.admin.policy.update,\n    validatePolicy: mountedSso.admin.policy.validate,\n    listAudit: mountedSso.admin.audit.list,\n    createWebhookEndpoint: mountedSso.admin.webhook.endpoint.create,\n    listWebhookEndpoints: mountedSso.admin.webhook.endpoint.list,\n    listWebhookDeliveries: mountedSso.admin.webhook.delivery.list,\n    disableWebhookEndpoint: mountedSso.admin.webhook.endpoint.disable,\n    configureScim: mountedScim.admin.configure,\n    getScim: mountedScim.admin.get,\n    validateScim: mountedScim.admin.validate,\n    signIn: mountedSso.client.signIn,\n    metadata: mountedSso.client.metadata,\n  };\n}\n"],"mappings":";;;;;AAgIA,SAAS,oBAAoB,MAA6B;AACxD,QAAO,OAAO,QAEgB;AAC5B,SAAO,MAAM,KAAK,KAAK,GAAG,IAAa;;;AAI3C,SAAS,wBACP,OACA;AACA,QAAO,OAAO,KAAK,SAAU,OAAO,SAAS,WAAW,OAAO,KAAK,GAAI;;AAG1E,eAAe,+BACb,MACA,KACA,QACA;AACA,KAAI,OAAO,YAAY,OACrB,QAAO;EACL,cAAc,OAAO;EACrB,SAAS,OAAO;EAChB,iBAAiB,OAAO;EACzB;AAGH,KAAI,OAAO,iBAAiB,QAAW;EACrC,MAAM,aAAa,MAAM,KAAK,IAAI,MAAM,WAAW,IACjD,KACA,OAAO,aACR;AACD,MAAI,eAAe,KACjB,OAAM,IAAI,YAAY;GACpB,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,SAAO;GACL,cAAc,WAAW;GACzB,SAAS,WAAW;GACpB,iBAAiB,WAAW;GAC7B;;AAGH,KAAI,OAAO,WAAW,QAAW;EAC/B,MAAM,WAAW,MAAM,KAAK,IAAI,MAAM,WAAW,YAC/C,KACA,OAAO,OACR;AACD,MAAI,UAAU,eAAe,OAC3B,OAAM,IAAI,YAAY;GACpB,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,SAAO;GACL,cAAc,SAAS,WAAW;GAClC,SAAS,SAAS,WAAW;GAC7B,iBAAiB,SAAS,WAAW;GACtC;;AAGH,QAAO;EACL,cAAc;EACd,SAAS;EACT,iBAAiB;EAClB;;AAGH,SAAS,6BACP,MACA,SACA;CACA,MAAM,gBAAgB,oBAAoB,KAAK;AAE/C,QAAO,OACL,KACA,YACA,SAAkC,EAAE,KACjC;EACH,MAAM,SAAS,MAAM,cAAc,IAAI;AACvC,MAAI,WAAW,KACb,QAAO;GAAE,IAAI;GAAgB,MAAM;GAA0B;AAE/D,MAAI,CAAC,SAAS,OAAO,WACnB,QAAO;GAAE,IAAI;GAAgB,MAAM;GAAsB;EAE3D,MAAM,WAAW,MAAM,+BAA+B,MAAM,KAAK,OAAO;EACxE,MAAM,aAAa,MAAM,QAAQ,MAAM,WAAW,KAAK;GACrD;GACA;GACA,cAAc,SAAS;GACvB,SAAS,SAAS;GAClB,iBAAiB,SAAS;GAC3B,CAAC;AACF,MAAI,cAAc,CAAC,WAAW,GAC5B,QAAO;GAAE,IAAI;GAAgB,MAAM;GAAsB;AAE3D,SAAO;GAAE,IAAI;GAAe;GAAQ,GAAG;GAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqCrD,SAAgB,IAGd,MACA,SACA;CACA,MAAM,YAAY,6BAA6B,MAAM,QAAQ;CAC7D,MAAM,eAAe,wBAAwB,SAAS,OAAO,MAAM;AAEnE,QAAO;EACL,OAAO;GACL,YAAY;IACV,QAAQ,gBAAgB;KACtB,MAAM;MACJ,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC/B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC5B,QAAQ,EAAE,SAAS,0BAA0B;MAC7C,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC/B;KACD,SAAS,OAAO,KAAK,SAAS;MAC5B,MAAM,aAAa,MAAM,UAAU,KAAK,yBAAyB,EAC/D,SAAS,KAAK,SACf,CAAC;AACF,UAAI,CAAC,WAAW,GACd,QAAO;OAAE,IAAI;OAAgB,MAAM,WAAW;OAAM;MACtD,MAAM,EAAE,WAAW;MACnB,MAAM,eAAe,KAAK,YAAY;MACtC,MAAM,UACJ,KAAK,YAEH,MAAM,KAAK,MAAM,OAAO,KAAc;OACpC,MAAM,KAAK,MAAM,MAAM,IAAI,KAAK,MAAM,MAAM,IAAI;OAChD,MAAM,KAAK;OACX,MAAM;OACP,CAAC,EACF;AACJ,UAAI,aACF,OAAM,KAAK,OAAO,OAAO,KAAc;OACrC;OACA;OACA,SAAS;OACV,CAAC;MAEJ,MAAM,UAAU,MAAM,KAAK,IAAI,MAAM,WAAW,OAC9C,KACA;OACE;OACA,MAAM,KAAK;OACX,MAAM,KAAK;OACX,QAAQ,KAAK;OACd,CACF;AACD,UAAI,KAAK,OACP,OAAM,KAAK,IAAI,MAAM,WAAW,OAAO,IACrC,KACA,QAAQ,cACR,CAAC;OAAE,QAAQ,KAAK;OAAQ,WAAW;OAAM,CAAC,CAC3C;AAEH,aAAO;OACL,GAAG;OACH;OACA,cAAc;OACf;;KAEJ,CAAC;IACF,KAAK,aAAa;KAChB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAI5B,UAAI,EAHU,MAAM,UAAU,KAAK,uBAAuB,EACxD,cAAc,KAAK,cACpB,CAAC,EACS,GAAI,QAAO;AACtB,aAAO,MAAM,KAAK,IAAI,MAAM,WAAW,IACrC,KACA,KAAK,aACN;;KAEJ,CAAC;IACF,YAAY,aAAa;KACvB,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE;KAC7B,SAAS,OAAO,KAAK,SAAS;AAI5B,UAAI,EAHU,MAAM,UAAU,KAAK,uBAAuB,EACxD,SAAS,KAAK,SACf,CAAC,EACS,GAAI,QAAO;AACtB,aAAO,MAAM,KAAK,IAAI,MAAM,WAAW,WACrC,KACA,KAAK,QACN;;KAEJ,CAAC;IACF,aAAa,aAAa;KACxB,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE;KAC5B,SAAS,OAAO,KAAK,SAAS;AAI5B,UAAI,EAHU,MAAM,UAAU,KAAK,uBAAuB,EACxD,QAAQ,KAAK,QACd,CAAC,EACS,GAAI,QAAO;AACtB,aAAO,MAAM,KAAK,IAAI,MAAM,WAAW,YACrC,KACA,KAAK,OACN;;KAEJ,CAAC;IACF,MAAM,aAAa;KACjB,MAAM;MACJ,OAAO,EAAE,SAAS,mCAAmC;MACrD,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC7B,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,CAAC;MACjD,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC/B,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC;MAChE;KACD,SAAS,OAAO,KAAK,SAAS;AAI5B,UAAI,EAHU,MAAM,UAAU,KAAK,uBAAuB,EACxD,SAAS,KAAK,OAAO,SACtB,CAAC,EACS,GAAI,QAAO;AACtB,aAAO,MAAM,KAAK,IAAI,MAAM,WAAW,KACrC,KACA,KACD;;KAEJ,CAAC;IACF,QAAQ,gBAAgB;KACtB,MAAM;MACJ,cAAc,EAAE,QAAQ;MACxB,MAAM,EAAE,OAAO;OACb,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;OAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;OAC5B,QAAQ,EAAE,SAAS,0BAA0B;OAC9C,CAAC;MACH;KACD,SAAS,OAAO,KAAK,SAAS;MAC5B,MAAM,QAAQ,MAAM,UAAU,KAAK,yBAAyB,EAC1D,cAAc,KAAK,cACpB,CAAC;AACF,UAAI,CAAC,MAAM,GAAI,QAAO;OAAE,IAAI;OAAgB,MAAM,MAAM;OAAM;AAC9D,YAAM,KAAK,IAAI,MAAM,WAAW,OAC9B,KACA,KAAK,cACL,KAAK,KACN;AACD,aAAO;OAAE,IAAI;OAAe,cAAc,KAAK;OAAc;;KAEhE,CAAC;IACF,QAAQ,gBAAgB;KACtB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;MAC5B,MAAM,QAAQ,MAAM,UAAU,KAAK,yBAAyB,EAC1D,cAAc,KAAK,cACpB,CAAC;AACF,UAAI,CAAC,MAAM,GAAI,QAAO;OAAE,IAAI;OAAgB,MAAM,MAAM;OAAM;AAC9D,aAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OACrC,KACA,KAAK,aACN;;KAEJ,CAAC;IACF,QAAQ,aAAa;KACnB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAI5B,UAAI,EAHU,MAAM,UAAU,KAAK,uBAAuB,EACxD,cAAc,KAAK,cACpB,CAAC,EACS,GAAI,QAAO;AACtB,aAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OACrC,KACA,KAAK,aACN;;KAEJ,CAAC;IACF,QAAQ;KACN,MAAM,aAAa;MACjB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;MAClC,SAAS,OAAO,KAAK,SAAS;AAI5B,WAAI,EAHU,MAAM,UAAU,KAAK,uBAAuB,EACxD,cAAc,KAAK,cACpB,CAAC,EACS,GAAI,QAAO;AACtB,cAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OAAO,KAC5C,KACA,KAAK,aACN;;MAEJ,CAAC;KACF,UAAU,aAAa;MACrB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;MAClC,SAAS,OAAO,KAAK,SAAS;AAI5B,WAAI,EAHU,MAAM,UAAU,KAAK,qBAAqB,EACtD,cAAc,KAAK,cACpB,CAAC,EACS,GAAI,QAAO;AACtB,cAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OAAO,SAC5C,KACA,KAAK,aACN;;MAEJ,CAAC;KACF,KAAK,gBAAgB;MACnB,MAAM;OACJ,cAAc,EAAE,QAAQ;OACxB,SAAS,EAAE,MAAM,+BAA+B;OACjD;MACD,SAAS,OAAO,KAAK,SAAS;OAC5B,MAAM,QAAQ,MAAM,UAAU,KAAK,qBAAqB,EACtD,cAAc,KAAK,cACpB,CAAC;AACF,WAAI,CAAC,MAAM,GAAI,QAAO;QAAE,IAAI;QAAgB,MAAM,MAAM;QAAM;AAC9D,cAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OAAO,IAC5C,KACA,KAAK,cACL,KAAK,QACN;;MAEJ,CAAC;KACF,cAAc;MACZ,SAAS,gBAAgB;OACvB,MAAM;OACN,SAAS,OAAO,KAAK,SAAS;QAC5B,MAAM,QAAQ,MAAM,UAAU,KAAK,qBAAqB,EACtD,cAAc,KAAK,cACpB,CAAC;AACF,YAAI,CAAC,MAAM,GAAI,QAAO;SAAE,IAAI;SAAgB,MAAM,MAAM;SAAM;AAC9D,eAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OAAO,aAAa,QACzD,KACA,KACD;;OAEJ,CAAC;MACF,SAAS,cAAc;OACrB,MAAM;OACN,SAAS,OAAO,KAAK,SAAS;QAC5B,MAAM,QAAQ,MAAM,UAAU,KAAK,qBAAqB,EACtD,cAAc,KAAK,cACpB,CAAC;AACF,YAAI,CAAC,MAAM,GAAI,QAAO;SAAE,IAAI;SAAgB,MAAM,MAAM;SAAM;AAC9D,eAAO,MAAM,KAAK,IAAI,MAAM,WAAW,OAAO,aAAa,QACzD,KACA,KACD;;OAEJ,CAAC;MACH;KACF;IACF;GACD,MAAM;IACJ,WAAW,gBAAgB;KACzB,MAAM;MACJ,cAAc,EAAE,QAAQ;MACxB,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC9B,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;MACpC,UAAU,EAAE,QAAQ;MACpB,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;MACpC,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;MACvC,qBAAqB,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC;MACjE,uBAAuB,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC7C,cAAc,EAAE,SAAS,EAAE,SAAS,CAAC;MACrC,aAAa,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC;MAC1D;KACD,SAAS,OAAO,KAAK,SAAS;MAC5B,MAAM,QAAQ,MAAM,UAAU,KAAK,uBAAuB,EACxD,cAAc,KAAK,cACpB,CAAC;AACF,UAAI,CAAC,MAAM,GAAI,QAAO;OAAE,IAAI;OAAgB,MAAM,MAAM;OAAM;AAC9D,aAAO,MAAM,KAAK,IAAI,MAAM,KAAK,UAAU,KAAc,KAAK;;KAEjE,CAAC;IACF,KAAK,aAAa;KAChB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAI5B,UAAI,EAHU,MAAM,UAAU,KAAK,uBAAuB,EACxD,cAAc,KAAK,cACpB,CAAC,EACS,GAAI,QAAO;AACtB,aAAO,MAAM,KAAK,IAAI,MAAM,KAAK,IAC/B,KACA,KAAK,aACN;;KAEJ,CAAC;IACF,UAAU,cAAc;KACtB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;MAC5B,MAAM,QAAQ,MAAM,UAAU,KAAK,uBAAuB,EACxD,cAAc,KAAK,cACpB,CAAC;AACF,UAAI,CAAC,MAAM,GAAI,QAAO;OAAE,IAAI;OAAgB,MAAM,MAAM;OAAM;AAC9D,aAAO,MAAM,KAAK,IAAI,MAAM,KAAK,SAC/B,KACA,KAAK,aACN;;KAEJ,CAAC;IACH;GACD,MAAM;IACJ,WAAW,cAAc;KACvB,MAAM;MACJ,cAAc,EAAE,QAAQ;MACxB,aAAa,EAAE,SAAS,EAAE,QAAQ,CAAC;MACnC,aAAa,EAAE,SAAS,EAAE,QAAQ,CAAC;MACnC,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;MACxC,mBAAmB,EAAE,SAAS,EAAE,SAAS,CAAC;MAC1C,kBAAkB,EAAE,SAClB,wCACD;MACD,IAAI,EAAE,SAAS,0BAA0B;MAC1C;KACD,SAAS,OAAO,KAAK,SAAS;MAC5B,MAAM,QAAQ,MAAM,UAAU,KAAK,uBAAuB,EACxD,cAAc,KAAK,cACpB,CAAC;AACF,UAAI,CAAC,MAAM,GAAI,QAAO;OAAE,IAAI;OAAgB,MAAM,MAAM;OAAM;AAC9D,aAAO,MAAM,KAAK,IAAI,MAAM,KAAK,UAAU,KAAc,KAAK;;KAEjE,CAAC;IACF,UAAU,aAAa;KACrB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAI5B,UAAI,EAHU,MAAM,UAAU,KAAK,uBAAuB,EACxD,cAAc,KAAK,cACpB,CAAC,EACS,GAAI,QAAO;AACtB,aAAO,MAAM,KAAK,IAAI,MAAM,KAAK,SAC/B,KACA,KAAK,aACN;;KAEJ,CAAC;IACH;GACD,QAAQ;IACN,KAAK,aAAa;KAChB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAI5B,UAAI,EAHU,MAAM,UAAU,KAAK,uBAAuB,EACxD,cAAc,KAAK,cACpB,CAAC,EACS,GAAI,QAAO;AACtB,aAAO,MAAM,KAAK,IAAI,MAAM,OAAO,IACjC,KACA,KAAK,aACN;;KAEJ,CAAC;IACF,QAAQ,gBAAgB;KACtB,MAAM;MACJ,cAAc,EAAE,QAAQ;MACxB,OAAO;MACR;KACD,SAAS,OAAO,KAAK,SAAS;MAC5B,MAAM,QAAQ,MAAM,UAAU,KAAK,qBAAqB,EACtD,cAAc,KAAK,cACpB,CAAC;AACF,UAAI,CAAC,MAAM,GAAI,QAAO;OAAE,IAAI;OAAgB,MAAM,MAAM;OAAM;AAC9D,aAAO,MAAM,KAAK,IAAI,MAAM,OAAO,OACjC,KACA,KAAK,cACL,KAAK,MACN;;KAEJ,CAAC;IACF,UAAU,aAAa;KACrB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;KAClC,SAAS,OAAO,KAAK,SAAS;AAI5B,UAAI,EAHU,MAAM,UAAU,KAAK,qBAAqB,EACtD,cAAc,KAAK,cACpB,CAAC,EACS,GAAI,QAAO;AACtB,aAAO,MAAM,KAAK,IAAI,MAAM,OAAO,SACjC,KACA,KAAK,aACN;;KAEJ,CAAC;IACH;GACD,OAAO,EACL,MAAM,aAAa;IACjB,MAAM;KACJ,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;KACpC,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;KAC/B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;KAC9B;IACD,SAAS,OAAO,KAAK,SAAS;AAK5B,SAAI,EAJU,MAAM,UAAU,KAAK,kBAAkB;MACnD,cAAc,KAAK;MACnB,SAAS,KAAK;MACf,CAAC,EACS,GAAI,QAAO;AACtB,YAAO,MAAM,KAAK,IAAI,MAAM,MAAM,KAAK,KAAc,KAAK;;IAE7D,CAAC,EACH;GACD,SAAS;IACP,UAAU,EACR,MAAM,aAAa;KACjB,MAAM;MACJ,cAAc,EAAE,QAAQ;MACxB,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;MAC9B;KACD,SAAS,OAAO,KAAK,SAAS;AAI5B,UAAI,EAHU,MAAM,UAAU,KAAK,sBAAsB,EACvD,cAAc,KAAK,cACpB,CAAC,EACS,GAAI,QAAO;AACtB,aAAO,MAAO,KAAK,IAAI,MAAM,QAAgB,SAAS,KACpD,KACA,KACD;;KAEJ,CAAC,EACH;IACD,UAAU;KACR,QAAQ,gBAAgB;MACtB,MAAM;OACJ,cAAc,EAAE,QAAQ;OACxB,KAAK,EAAE,QAAQ;OACf,QAAQ,EAAE,QAAQ;OAClB,eAAe,EAAE,MAAM,EAAE,QAAQ,CAAC;OAClC,iBAAiB,EAAE,SAAS,EAAE,QAAQ,CAAC;OACxC;MACD,SAAS,OAAO,KAAK,SAAS;OAC5B,MAAM,aAAa,MAAM,UAAU,KAAK,sBAAsB,EAC5D,cAAc,KAAK,cACpB,CAAC;AACF,WAAI,CAAC,WAAW,GACd,QAAO;QAAE,IAAI;QAAgB,MAAM,WAAW;QAAM;OACtD,MAAM,EAAE,WAAW;AAQnB,cAAO;QACL,MARa,MAAM,KAAK,IAAI,MAAM,QAAQ,SAAS,OACnD,KACA;SACE,GAAG;SACH,iBAAiB,KAAK,mBAAmB;SAC1C,CACF,EAEa;QACZ,cAAc,KAAK;QACnB,KAAK,KAAK;QACV,eAAe,KAAK;QACpB,iBAAiB,KAAK,mBAAmB;QACzC,QAAQ;QACR,cAAc;QACf;;MAEJ,CAAC;KACF,MAAM,aAAa;MACjB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;MAClC,SAAS,OAAO,KAAK,SAAS;AAI5B,WAAI,EAHU,MAAM,UAAU,KAAK,sBAAsB,EACvD,cAAc,KAAK,cACpB,CAAC,EACS,GAAI,QAAO;AAKtB,eAJkB,MAAM,KAAK,IAAI,MAAM,QAAQ,SAAS,KACtD,KACA,KAAK,aACN,EACgB,KAAK,aAAsC;QAC1D,MAAM,EAAE,YAAY,aAAa,GAAG,SAAS;AAC7C,eAAO;SACP;;MAEL,CAAC;KACF,SAAS,gBAAgB;MACvB,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE;MAChC,SAAS,OAAO,KAAK,SAAS;OAC5B,MAAM,WAAW,MAAM,KAAK,IAAI,MAAM,QAAQ,SAAS,IACrD,KACA,KAAK,WACN;AACD,WAAI,CAAC,SACH,QAAO;QACL,IAAI;QACJ,MAAM;QACP;OAEH,MAAM,QAAQ,MAAM,UAAU,KAAK,sBAAsB;QACvD,cAAc,SAAS;QACvB,SAAS,SAAS;QACnB,CAAC;AACF,WAAI,CAAC,MAAM,GAAI,QAAO;QAAE,IAAI;QAAgB,MAAM,MAAM;QAAM;AAC9D,cAAO,MAAM,KAAK,IAAI,MAAM,QAAQ,SAAS,QAC3C,KACA,KAAK,WACN;;MAEJ,CAAC;KACH;IACF;GACF;EACD,QAAQ;GACN,QAAQ,aAAa;IACnB,MAAM;KACJ,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;KACpC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;KAC7B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;KAC9B,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;KACnC;IACD,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAO,MAAM,KAAK,IAAI,OAAO,OAAO,KAAc,KAAK;;IAE1D,CAAC;GACF,UAAU,aAAa;IACrB,MAAM;KACJ,cAAc,EAAE,QAAQ;KACxB,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;KAChC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;KAC9B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;KAC/B;IACD,SAAS,OAAO,KAAK,SAAS;AAC5B,YAAO,MAAM,KAAK,IAAI,OAAO,SAAS,KAAc,KAAK;;IAE5D,CAAC;GACH;EACF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCH,SAAgB,KAGd,MACA,SACA;CACA,MAAM,YAAY,6BAA6B,MAAM,QAAQ;AAE7D,QAAO,EACL,OAAO;EACL,WAAW,gBAAgB;GACzB,MAAM;IACJ,cAAc,EAAE,QAAQ;IACxB,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;IAChC,QAAQ,EAAE,SAAS,0BAA0B;IAC9C;GACD,SAAS,OAAO,KAAK,SAAS;IAC5B,MAAM,QAAQ,MAAM,UAAU,KAAK,eAAe,EAChD,cAAc,KAAK,cACpB,CAAC;AACF,QAAI,CAAC,MAAM,GAAI,QAAO;KAAE,IAAI;KAAgB,MAAM,MAAM;KAAM;AAC9D,WAAO,MAAM,KAAK,KAAK,MAAM,UAAU,KAAc,KAAK;;GAE7D,CAAC;EACF,KAAK,aAAa;GAChB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;GAClC,SAAS,OAAO,KAAK,SAAS;AAI5B,QAAI,EAHU,MAAM,UAAU,KAAK,eAAe,EAChD,cAAc,KAAK,cACpB,CAAC,EACS,GAAI,QAAO;AACtB,WAAO,MAAM,KAAK,KAAK,MAAM,IAAI,KAAc,KAAK,aAAa;;GAEpE,CAAC;EACF,UAAU,aAAa;GACrB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE;GAClC,SAAS,OAAO,KAAK,SAAS;AAI5B,QAAI,EAHU,MAAM,UAAU,KAAK,eAAe,EAChD,cAAc,KAAK,cACpB,CAAC,EACS,GAAI,QAAO;AACtB,WAAO,MAAM,KAAK,KAAK,MAAM,SAC3B,KACA,KAAK,aACN;;GAEJ,CAAC;EACH,EACF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCH,SAAgB,WAGd,MAIA,SACA;CACA,MAAM,aAAa,IAAI,MAAM,EAC3B,OAAO,QAAQ,OAChB,CAAC;CACF,MAAM,cAAc,KAAK,MAAM,EAC7B,OAAO,EAAE,YAAY,QAAQ,MAAM,YAAY,EAChD,CAAC;AAEF,QAAO;EACL,kBAAkB,WAAW,MAAM,WAAW;EAC9C,eAAe,WAAW,MAAM,WAAW;EAC3C,sBAAsB,WAAW,MAAM,WAAW;EAClD,uBAAuB,WAAW,MAAM,WAAW;EACnD,iBAAiB,WAAW,MAAM,WAAW;EAC7C,kBAAkB,WAAW,MAAM,WAAW;EAC9C,kBAAkB,WAAW,MAAM,WAAW;EAC9C,qBAAqB,WAAW,MAAM,WAAW;EACjD,aAAa,WAAW,MAAM,WAAW,OAAO;EAChD,iBAAiB,WAAW,MAAM,WAAW,OAAO;EACpD,YAAY,WAAW,MAAM,WAAW,OAAO;EAC/C,2BACE,WAAW,MAAM,WAAW,OAAO,aAAa;EAClD,2BACE,WAAW,MAAM,WAAW,OAAO,aAAa;EAClD,eAAe,WAAW,MAAM,KAAK;EACrC,SAAS,WAAW,MAAM,KAAK;EAC/B,cAAc,WAAW,MAAM,KAAK;EACpC,eAAe,WAAW,MAAM,KAAK;EACrC,cAAc,WAAW,MAAM,KAAK;EACpC,WAAW,WAAW,MAAM,OAAO;EACnC,cAAc,WAAW,MAAM,OAAO;EACtC,gBAAgB,WAAW,MAAM,OAAO;EACxC,WAAW,WAAW,MAAM,MAAM;EAClC,uBAAuB,WAAW,MAAM,QAAQ,SAAS;EACzD,sBAAsB,WAAW,MAAM,QAAQ,SAAS;EACxD,uBAAuB,WAAW,MAAM,QAAQ,SAAS;EACzD,wBAAwB,WAAW,MAAM,QAAQ,SAAS;EAC1D,eAAe,YAAY,MAAM;EACjC,SAAS,YAAY,MAAM;EAC3B,cAAc,YAAY,MAAM;EAChC,QAAQ,WAAW,OAAO;EAC1B,UAAU,WAAW,OAAO;EAC7B"}

package/dist/server/mutations/account.d.ts

@@ -0,0 +1,30 @@
+import { MutationCtx } from "../types.js";
+import { AuthError } from "../authError.js";
+import { Config, GetProviderOrThrowFunc } from "../crypto.js";
+import { Fx } from "@robelest/fx";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+import * as convex_values3 from "convex/values";
+import { Infer } from "convex/values";
+
+//#region src/server/mutations/account.d.ts
+declare const modifyAccountArgs: convex_values3.VObject<{
+  provider: string;
+  account: {
+    id: string;
+    secret: string;
+  };
+}, {
+  provider: convex_values3.VString<string, "required">;
+  account: convex_values3.VObject<{
+    id: string;
+    secret: string;
+  }, {
+    id: convex_values3.VString<string, "required">;
+    secret: convex_values3.VString<string, "required">;
+  }, "required", "id" | "secret">;
+}, "required", "provider" | "account" | "account.id" | "account.secret">;
+declare function modifyAccountImpl(ctx: MutationCtx, args: Infer<typeof modifyAccountArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Fx<void, AuthError>;
+declare const callModifyAccount: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof modifyAccountArgs>) => Promise<void>;
+//#endregion
+export { callModifyAccount, modifyAccountArgs, modifyAccountImpl };
+//# sourceMappingURL=account.d.ts.map

package/dist/server/mutations/account.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"account.d.ts","names":[],"sources":["../../../src/server/mutations/account.ts"],"mappings":";;;;;;;;;cAYa,iBAAA,iBAAiB,OAAA;;;;;;;YAG5B,cAAA,CAAA,OAAA;;;;;;;;;iBAEc,iBAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,iBAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,OAAS,SAAA;AAAA,cA2CC,iBAAA,qBAA6C,gBAAA,EACxD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,iBAAA,MAClB,OAAA"}

package/dist/server/mutations/account.js

@@ -0,0 +1,44 @@
+import { AuthError } from "../authError.js";
+import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
+import { authDb } from "../db.js";
+import { hash } from "../crypto.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
+import { Fx } from "@robelest/fx";
+import { v } from "convex/values";
+
+//#region src/server/mutations/account.ts
+const modifyAccountArgs = v.object({
+	provider: v.string(),
+	account: v.object({
+		id: v.string(),
+		secret: v.string()
+	})
+});
+function modifyAccountImpl(ctx, args, getProviderOrThrow, config) {
+	const { provider, account } = args;
+	const db = authDb(ctx, config);
+	logWithLevel(LOG_LEVELS.DEBUG, "modifyAccountImpl args:", {
+		provider,
+		account: {
+			id: account.id,
+			secret: maybeRedact(account.secret ?? "")
+		}
+	});
+	return Fx.from({
+		ok: () => db.accounts.get(provider, account.id),
+		err: () => new AuthError("ACCOUNT_NOT_FOUND", `Cannot modify account with ID ${account.id} because it does not exist`)
+	}).pipe(Fx.chain((doc) => doc === null ? Fx.fail(new AuthError("ACCOUNT_NOT_FOUND", `Cannot modify account with ID ${account.id} because it does not exist`)) : Fx.succeed(doc)), Fx.chain((existingAccount) => hash(getProviderOrThrow(provider), account.secret).pipe(Fx.chain((hashedSecret) => Fx.from({
+		ok: () => db.accounts.patch(existingAccount._id, { secret: hashedSecret }),
+		err: () => new AuthError("INTERNAL_ERROR", "Failed to patch account")
+	})))), Fx.map(() => void 0));
+}
+const callModifyAccount = async (ctx, args) => {
+	return ctx.runMutation(AUTH_STORE_REF, { args: {
+		type: "modifyAccount",
+		...args
+	} });
+};
+
+//#endregion
+export { callModifyAccount, modifyAccountArgs, modifyAccountImpl };
+//# sourceMappingURL=account.js.map

package/dist/server/mutations/account.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"account.js","names":[],"sources":["../../../src/server/mutations/account.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../authError\";\nimport { GetProviderOrThrowFunc, hash } from \"../crypto\";\nimport * as Provider from \"../crypto\";\nimport { MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const modifyAccountArgs = v.object({\n  provider: v.string(),\n  account: v.object({ id: v.string(), secret: v.string() }),\n});\n\nexport function modifyAccountImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof modifyAccountArgs>,\n  getProviderOrThrow: GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Fx<void, AuthError> {\n  const { provider, account } = args;\n  const db = authDb(ctx, config);\n\n  logWithLevel(LOG_LEVELS.DEBUG, \"modifyAccountImpl args:\", {\n    provider,\n    account: { id: account.id, secret: maybeRedact(account.secret ?? \"\") },\n  });\n\n  return Fx.from({\n    ok: () => db.accounts.get(provider, account.id),\n    err: () =>\n      new AuthError(\n        \"ACCOUNT_NOT_FOUND\",\n        `Cannot modify account with ID ${account.id} because it does not exist`,\n      ),\n  }).pipe(\n    Fx.chain((doc) =>\n      doc === null\n        ? Fx.fail(\n            new AuthError(\n              \"ACCOUNT_NOT_FOUND\",\n              `Cannot modify account with ID ${account.id} because it does not exist`,\n            ),\n          )\n        : Fx.succeed(doc),\n    ),\n    Fx.chain((existingAccount) =>\n      hash(getProviderOrThrow(provider), account.secret).pipe(\n        Fx.chain((hashedSecret) =>\n          Fx.from({\n            ok: () =>\n              db.accounts.patch(existingAccount._id, { secret: hashedSecret }),\n            err: () =>\n              new AuthError(\"INTERNAL_ERROR\", \"Failed to patch account\"),\n          }),\n        ),\n      ),\n    ),\n    Fx.map(() => undefined),\n  );\n}\n\nexport const callModifyAccount = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof modifyAccountArgs>,\n): Promise<void> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"modifyAccount\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;;AAYA,MAAa,oBAAoB,EAAE,OAAO;CACxC,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,OAAO;EAAE,IAAI,EAAE,QAAQ;EAAE,QAAQ,EAAE,QAAQ;EAAE,CAAC;CAC1D,CAAC;AAEF,SAAgB,kBACd,KACA,MACA,oBACA,QACqB;CACrB,MAAM,EAAE,UAAU,YAAY;CAC9B,MAAM,KAAK,OAAO,KAAK,OAAO;AAE9B,cAAa,WAAW,OAAO,2BAA2B;EACxD;EACA,SAAS;GAAE,IAAI,QAAQ;GAAI,QAAQ,YAAY,QAAQ,UAAU,GAAG;GAAE;EACvE,CAAC;AAEF,QAAO,GAAG,KAAK;EACb,UAAU,GAAG,SAAS,IAAI,UAAU,QAAQ,GAAG;EAC/C,WACE,IAAI,UACF,qBACA,iCAAiC,QAAQ,GAAG,4BAC7C;EACJ,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KACD,IAAI,UACF,qBACA,iCAAiC,QAAQ,GAAG,4BAC7C,CACF,GACD,GAAG,QAAQ,IAAI,CACpB,EACD,GAAG,OAAO,oBACR,KAAK,mBAAmB,SAAS,EAAE,QAAQ,OAAO,CAAC,KACjD,GAAG,OAAO,iBACR,GAAG,KAAK;EACN,UACE,GAAG,SAAS,MAAM,gBAAgB,KAAK,EAAE,QAAQ,cAAc,CAAC;EAClE,WACE,IAAI,UAAU,kBAAkB,0BAA0B;EAC7D,CAAC,CACH,CACF,CACF,EACD,GAAG,UAAU,OAAU,CACxB;;AAGH,MAAa,oBAAoB,OAC/B,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/server/mutations/code.d.ts

@@ -0,0 +1,30 @@
+import { MutationCtx } from "../types.js";
+import { Config, GetProviderOrThrowFunc } from "../crypto.js";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+import * as convex_values8 from "convex/values";
+import { Infer } from "convex/values";
+
+//#region src/server/mutations/code.d.ts
+declare const createVerificationCodeArgs: convex_values8.VObject<{
+  email?: string | undefined;
+  accountId?: string | undefined;
+  phone?: string | undefined;
+  provider: string;
+  code: string;
+  expirationTime: number;
+  allowExtraProviders: boolean;
+}, {
+  accountId: convex_values8.VString<string | undefined, "optional">;
+  provider: convex_values8.VString<string, "required">;
+  email: convex_values8.VString<string | undefined, "optional">;
+  phone: convex_values8.VString<string | undefined, "optional">;
+  code: convex_values8.VString<string, "required">;
+  expirationTime: convex_values8.VFloat64<number, "required">;
+  allowExtraProviders: convex_values8.VBoolean<boolean, "required">;
+}, "required", "email" | "provider" | "code" | "accountId" | "phone" | "expirationTime" | "allowExtraProviders">;
+type ReturnType = string;
+declare function createVerificationCodeImpl(ctx: MutationCtx, args: Infer<typeof createVerificationCodeArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Promise<ReturnType>;
+declare const callCreateVerificationCode: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof createVerificationCodeArgs>) => Promise<ReturnType>;
+//#endregion
+export { callCreateVerificationCode, createVerificationCodeArgs, createVerificationCodeImpl };
+//# sourceMappingURL=code.d.ts.map

package/dist/server/mutations/code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"code.d.ts","names":[],"sources":["../../../src/server/mutations/code.ts"],"mappings":";;;;;;;cAaa,0BAAA,iBAA0B,OAAA;;;;;;;;;aAQrC,cAAA,CAAA,OAAA;;;;;;;;KAEG,UAAA;AAAA,iBAEiB,0BAAA,CACpB,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,0BAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,OAAA,CAAQ,UAAA;AAAA,cAoDE,0BAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,0BAAA,MAClB,OAAA,CAAQ,UAAA"}

package/dist/server/{implementation/mutations → mutations}/code.js

@@ -1,11 +1,12 @@
+import { AuthError } from "../authError.js";
 import { LOG_LEVELS, logWithLevel, sha256 } from "../utils.js";
 import { authDb } from "../db.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
 import { getAuthSessionId } from "../sessions.js";
-import { AUTH_STORE_REF } from "./store.js";
-import { getAccountOrThrow, upsertUserAndAccount } from "../users.js";
+import { upsertUserAndAccount } from "../users.js";
 import { v } from "convex/values";
 
-//#region src/server/implementation/mutations/code.ts
+//#region src/server/mutations/code.ts
 const createVerificationCodeArgs = v.object({
 	accountId: v.optional(v.string()),
 	provider: v.string(),
@@ -20,7 +21,9 @@ async function createVerificationCodeImpl(ctx, args, getProviderOrThrow, config)
 	const { email, phone, code, expirationTime, provider: providerId, accountId: existingAccountId, allowExtraProviders } = args;
 	const db = authDb(ctx, config);
 	const typedExistingAccountId = existingAccountId;
-	const existingAccount = typedExistingAccountId !== void 0 ? await getAccountOrThrow(ctx, typedExistingAccountId, config) : await db.accounts.get(providerId, email ?? phone);
+	const existingAccount = typedExistingAccountId !== void 0 ? await db.accounts.getById(typedExistingAccountId) ?? (() => {
+		throw new AuthError("ACCOUNT_NOT_FOUND", `Expected an account to exist for ID "${typedExistingAccountId}"`).toConvexError();
+	})() : await db.accounts.get(providerId, email ?? phone);
 	const provider = getProviderOrThrow(providerId, allowExtraProviders);
 	const { accountId } = await upsertUserAndAccount(ctx, await getAuthSessionId(ctx), existingAccount !== null ? { existingAccount } : { providerAccountId: email ?? phone }, provider.type === "email" ? {
 		type: "email",

package/dist/server/mutations/code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"code.js","names":[],"sources":["../../../src/server/mutations/code.ts"],"sourcesContent":["import type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../authError\";\nimport * as Provider from \"../crypto\";\nimport { getAuthSessionId } from \"../sessions\";\nimport { MutationCtx } from \"../types\";\nimport { EmailConfig, PhoneConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { LOG_LEVELS, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const createVerificationCodeArgs = v.object({\n  accountId: v.optional(v.string()),\n  provider: v.string(),\n  email: v.optional(v.string()),\n  phone: v.optional(v.string()),\n  code: v.string(),\n  expirationTime: v.number(),\n  allowExtraProviders: v.boolean(),\n});\n\ntype ReturnType = string;\n\nexport async function createVerificationCodeImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof createVerificationCodeArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  logWithLevel(LOG_LEVELS.DEBUG, \"createVerificationCodeImpl args:\", args);\n  const {\n    email,\n    phone,\n    code,\n    expirationTime,\n    provider: providerId,\n    accountId: existingAccountId,\n    allowExtraProviders,\n  } = args;\n  const db = authDb(ctx, config);\n  const typedExistingAccountId = existingAccountId as\n    | GenericId<\"Account\">\n    | undefined;\n  const existingAccount =\n    typedExistingAccountId !== undefined\n      ? ((await db.accounts.getById(typedExistingAccountId)) ??\n        (() => {\n          throw new AuthError(\n            \"ACCOUNT_NOT_FOUND\",\n            `Expected an account to exist for ID \"${typedExistingAccountId}\"`,\n          ).toConvexError();\n        })())\n      : await db.accounts.get(providerId, email ?? phone!);\n\n  const provider = getProviderOrThrow(providerId, allowExtraProviders) as\n    | EmailConfig\n    | PhoneConfig;\n  const { accountId } = await upsertUserAndAccount(\n    ctx,\n    await getAuthSessionId(ctx),\n    existingAccount !== null\n      ? { existingAccount }\n      : { providerAccountId: email ?? phone! },\n    provider.type === \"email\"\n      ? { type: \"email\", provider, profile: { email: email! } }\n      : { type: \"phone\", provider, profile: { phone: phone! } },\n    config,\n  );\n  await generateUniqueVerificationCode(\n    ctx,\n    accountId,\n    providerId,\n    code,\n    expirationTime,\n    { email, phone },\n    config,\n  );\n  return email ?? phone!;\n}\n\nexport const callCreateVerificationCode = async <\n  DataModel extends GenericDataModel,\n>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof createVerificationCodeArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"createVerificationCode\",\n      ...args,\n    },\n  });\n};\n\nasync function generateUniqueVerificationCode(\n  ctx: MutationCtx,\n  accountId: GenericId<\"Account\">,\n  provider: string,\n  code: string,\n  expirationTime: number,\n  { email, phone }: { email?: string; phone?: string },\n  config: Provider.Config,\n) {\n  const db = authDb(ctx, config);\n  const existingCode = await db.verificationCodes.getByAccountId(accountId);\n  if (existingCode !== null) {\n    await db.verificationCodes.delete(existingCode._id);\n  }\n  await db.verificationCodes.create({\n    accountId,\n    provider,\n    code: await sha256(code),\n    expirationTime,\n    emailVerified: email,\n    phoneVerified: phone,\n  });\n}\n"],"mappings":";;;;;;;;;AAaA,MAAa,6BAA6B,EAAE,OAAO;CACjD,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,UAAU,EAAE,QAAQ;CACpB,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,MAAM,EAAE,QAAQ;CAChB,gBAAgB,EAAE,QAAQ;CAC1B,qBAAqB,EAAE,SAAS;CACjC,CAAC;AAIF,eAAsB,2BACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,oCAAoC,KAAK;CACxE,MAAM,EACJ,OACA,OACA,MACA,gBACA,UAAU,YACV,WAAW,mBACX,wBACE;CACJ,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,yBAAyB;CAG/B,MAAM,kBACJ,2BAA2B,SACrB,MAAM,GAAG,SAAS,QAAQ,uBAAuB,WAC5C;AACL,QAAM,IAAI,UACR,qBACA,wCAAwC,uBAAuB,GAChE,CAAC,eAAe;KACf,GACJ,MAAM,GAAG,SAAS,IAAI,YAAY,SAAS,MAAO;CAExD,MAAM,WAAW,mBAAmB,YAAY,oBAAoB;CAGpE,MAAM,EAAE,cAAc,MAAM,qBAC1B,KACA,MAAM,iBAAiB,IAAI,EAC3B,oBAAoB,OAChB,EAAE,iBAAiB,GACnB,EAAE,mBAAmB,SAAS,OAAQ,EAC1C,SAAS,SAAS,UACd;EAAE,MAAM;EAAS;EAAU,SAAS,EAAS,OAAQ;EAAE,GACvD;EAAE,MAAM;EAAS;EAAU,SAAS,EAAS,OAAQ;EAAE,EAC3D,OACD;AACD,OAAM,+BACJ,KACA,WACA,YACA,MACA,gBACA;EAAE;EAAO;EAAO,EAChB,OACD;AACD,QAAO,SAAS;;AAGlB,MAAa,6BAA6B,OAGxC,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,eAAe,+BACb,KACA,WACA,UACA,MACA,gBACA,EAAE,OAAO,SACT,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,eAAe,MAAM,GAAG,kBAAkB,eAAe,UAAU;AACzE,KAAI,iBAAiB,KACnB,OAAM,GAAG,kBAAkB,OAAO,aAAa,IAAI;AAErD,OAAM,GAAG,kBAAkB,OAAO;EAChC;EACA;EACA,MAAM,MAAM,OAAO,KAAK;EACxB;EACA,eAAe;EACf,eAAe;EAChB,CAAC"}

package/dist/server/mutations/index.d.ts

@@ -0,0 +1,14 @@
+import { callModifyAccount } from "./account.js";
+import { callCreateVerificationCode } from "./code.js";
+import { callInvalidateSessions } from "./invalidate.js";
+import { callUserOAuth } from "./oauth.js";
+import { callRefreshSession } from "./refresh.js";
+import { callCreateAccountFromCredentials } from "./register.js";
+import { callRetrieveAccountWithCredentials } from "./retrieve.js";
+import { callVerifierSignature } from "./signature.js";
+import { callSignIn } from "./signin.js";
+import { callSignOut } from "./signout.js";
+import { storeArgs, storeImpl } from "./store.js";
+import { callVerifier } from "./verifier.js";
+import { callVerifyCodeAndSignIn } from "./verify.js";
+export { callCreateAccountFromCredentials, callCreateVerificationCode, callInvalidateSessions, callModifyAccount, callRefreshSession, callRetrieveAccountWithCredentials, callSignIn, callSignOut, callUserOAuth, callVerifier, callVerifierSignature, callVerifyCodeAndSignIn, storeArgs, storeImpl };

package/dist/server/mutations/index.js

@@ -0,0 +1,15 @@
+import { callModifyAccount } from "./account.js";
+import { callCreateVerificationCode } from "./code.js";
+import { callInvalidateSessions } from "./invalidate.js";
+import { callUserOAuth } from "./oauth.js";
+import { callRefreshSession } from "./refresh.js";
+import { callCreateAccountFromCredentials } from "./register.js";
+import { callRetrieveAccountWithCredentials } from "./retrieve.js";
+import { callVerifierSignature } from "./signature.js";
+import { callSignIn } from "./signin.js";
+import { callSignOut } from "./signout.js";
+import { callVerifier } from "./verifier.js";
+import { callVerifyCodeAndSignIn } from "./verify.js";
+import { storeArgs, storeImpl } from "./store.js";
+
+export { callCreateAccountFromCredentials, callCreateVerificationCode, callInvalidateSessions, callModifyAccount, callRefreshSession, callRetrieveAccountWithCredentials, callSignIn, callSignOut, callUserOAuth, callVerifier, callVerifierSignature, callVerifyCodeAndSignIn, storeArgs, storeImpl };

package/dist/server/mutations/invalidate.d.ts

@@ -0,0 +1,20 @@
+import { MutationCtx } from "../types.js";
+import { Config } from "../crypto.js";
+import { Fx } from "@robelest/fx";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+import * as convex_values0 from "convex/values";
+import { Infer } from "convex/values";
+
+//#region src/server/mutations/invalidate.d.ts
+declare const invalidateSessionsArgs: convex_values0.VObject<{
+  except?: string[] | undefined;
+  userId: string;
+}, {
+  userId: convex_values0.VString<string, "required">;
+  except: convex_values0.VArray<string[] | undefined, convex_values0.VString<string, "required">, "optional">;
+}, "required", "userId" | "except">;
+declare const callInvalidateSessions: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof invalidateSessionsArgs>) => Promise<void>;
+declare function invalidateSessionsImpl(ctx: MutationCtx, args: Infer<typeof invalidateSessionsArgs>, config: Config): Fx<void, never>;
+//#endregion
+export { callInvalidateSessions, invalidateSessionsArgs, invalidateSessionsImpl };
+//# sourceMappingURL=invalidate.d.ts.map

package/dist/server/mutations/invalidate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"invalidate.d.ts","names":[],"sources":["../../../src/server/mutations/invalidate.ts"],"mappings":";;;;;;;;cAWa,sBAAA,iBAAsB,OAAA;;;;UAGjC,cAAA,CAAA,OAAA;;;cAEW,sBAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,sBAAA,MAClB,OAAA;AAAA,iBASa,sBAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,sBAAA,GACnB,MAAA,EAAQ,MAAA,GACP,EAAA"}

package/dist/server/mutations/invalidate.js

@@ -0,0 +1,32 @@
+import { LOG_LEVELS, logWithLevel } from "../utils.js";
+import { authDb } from "../db.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
+import { deleteSession } from "../sessions.js";
+import { Fx } from "@robelest/fx";
+import { v } from "convex/values";
+
+//#region src/server/mutations/invalidate.ts
+const invalidateSessionsArgs = v.object({
+	userId: v.string(),
+	except: v.optional(v.array(v.string()))
+});
+const callInvalidateSessions = async (ctx, args) => {
+	return ctx.runMutation(AUTH_STORE_REF, { args: {
+		type: "invalidateSessions",
+		...args
+	} });
+};
+function invalidateSessionsImpl(ctx, args, config) {
+	return Fx.gen(function* () {
+		logWithLevel(LOG_LEVELS.DEBUG, "invalidateSessionsImpl args:", args);
+		const { userId, except } = args;
+		const exceptSet = new Set(except ?? []);
+		const typedUserId = userId;
+		const sessions = yield* Fx.promise(() => authDb(ctx, config).sessions.listByUser(typedUserId));
+		yield* Fx.each(sessions, (session) => exceptSet.has(session._id) ? Fx.unit : Fx.promise(() => deleteSession(ctx, session, config)));
+	});
+}
+
+//#endregion
+export { callInvalidateSessions, invalidateSessionsArgs, invalidateSessionsImpl };
+//# sourceMappingURL=invalidate.js.map

package/dist/server/mutations/invalidate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"invalidate.js","names":[],"sources":["../../../src/server/mutations/invalidate.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport * as Provider from \"../crypto\";\nimport { deleteSession } from \"../sessions\";\nimport { Doc, MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const invalidateSessionsArgs = v.object({\n  userId: v.string(),\n  except: v.optional(v.array(v.string())),\n});\n\nexport const callInvalidateSessions = async <\n  DataModel extends GenericDataModel,\n>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof invalidateSessionsArgs>,\n): Promise<void> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"invalidateSessions\",\n      ...args,\n    },\n  });\n};\n\nexport function invalidateSessionsImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof invalidateSessionsArgs>,\n  config: Provider.Config,\n): Fx<void, never> {\n  return Fx.gen(function* () {\n    logWithLevel(LOG_LEVELS.DEBUG, \"invalidateSessionsImpl args:\", args);\n    const { userId, except } = args;\n    const exceptSet = new Set(except ?? []);\n    const typedUserId = userId as GenericId<\"User\">;\n    const sessions = (yield* Fx.promise(() =>\n      authDb(ctx, config).sessions.listByUser(typedUserId),\n    )) as Doc<\"Session\">[];\n    yield* Fx.each(sessions, (session: Doc<\"Session\">) =>\n      exceptSet.has(session._id)\n        ? Fx.unit\n        : Fx.promise(() => deleteSession(ctx, session, config)),\n    );\n  });\n}\n"],"mappings":";;;;;;;;AAWA,MAAa,yBAAyB,EAAE,OAAO;CAC7C,QAAQ,EAAE,QAAQ;CAClB,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CACxC,CAAC;AAEF,MAAa,yBAAyB,OAGpC,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,SAAgB,uBACd,KACA,MACA,QACiB;AACjB,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,WAAW,OAAO,gCAAgC,KAAK;EACpE,MAAM,EAAE,QAAQ,WAAW;EAC3B,MAAM,YAAY,IAAI,IAAI,UAAU,EAAE,CAAC;EACvC,MAAM,cAAc;EACpB,MAAM,WAAY,OAAO,GAAG,cAC1B,OAAO,KAAK,OAAO,CAAC,SAAS,WAAW,YAAY,CACrD;AACD,SAAO,GAAG,KAAK,WAAW,YACxB,UAAU,IAAI,QAAQ,IAAI,GACtB,GAAG,OACH,GAAG,cAAc,cAAc,KAAK,SAAS,OAAO,CAAC,CAC1D;GACD"}

package/dist/server/mutations/oauth.d.ts

@@ -0,0 +1,28 @@
+import { MutationCtx } from "../types.js";
+import { AuthError } from "../authError.js";
+import { Config, GetProviderOrThrowFunc } from "../crypto.js";
+import { Fx } from "@robelest/fx";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+import * as convex_values89 from "convex/values";
+import { Infer } from "convex/values";
+
+//#region src/server/mutations/oauth.d.ts
+declare const userOAuthArgs: convex_values89.VObject<{
+  accountExtend?: any;
+  provider: string;
+  signature: string;
+  providerAccountId: string;
+  profile: any;
+}, {
+  provider: convex_values89.VString<string, "required">;
+  providerAccountId: convex_values89.VString<string, "required">;
+  profile: convex_values89.VAny<any, "required", string>;
+  signature: convex_values89.VString<string, "required">;
+  accountExtend: convex_values89.VAny<any, "optional", string>;
+}, "required", "provider" | "signature" | "providerAccountId" | "profile" | "accountExtend" | `profile.${string}` | `accountExtend.${string}`>;
+type ReturnType = string;
+declare function userOAuthImpl(ctx: MutationCtx, args: Infer<typeof userOAuthArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Fx<ReturnType, AuthError>;
+declare const callUserOAuth: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof userOAuthArgs>) => Promise<ReturnType>;
+//#endregion
+export { callUserOAuth, userOAuthArgs, userOAuthImpl };
+//# sourceMappingURL=oauth.d.ts.map

package/dist/server/mutations/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","names":[],"sources":["../../../src/server/mutations/oauth.ts"],"mappings":";;;;;;;;;cAwBa,aAAA,kBAAa,OAAA;;;;;;;YAMxB,eAAA,CAAA,OAAA;;;;;;KA8CG,UAAA;AAAA,iBAEW,aAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,aAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA,EAAY,SAAA;AAAA,cA+IL,aAAA,qBAAyC,gBAAA,EACpD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,aAAA,MAClB,OAAA,CAAQ,UAAA"}

package/dist/server/mutations/oauth.js

@@ -0,0 +1,110 @@
+import { AuthError } from "../authError.js";
+import { generateRandomString, logWithLevel, sha256 } from "../utils.js";
+import { authDb } from "../db.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
+import { upsertUserAndAccount } from "../users.js";
+import { ENTERPRISE_OIDC_PROVIDER_PREFIX, ENTERPRISE_SAML_PROVIDER_PREFIX, isEnterpriseProviderId } from "../enterprise/shared.js";
+import { createSyntheticOAuthMaterializedConfig } from "../enterprise/oidc.js";
+import { normalizeEnterprisePolicy } from "../enterprise/policy.js";
+import { Fx } from "@robelest/fx";
+import { v } from "convex/values";
+
+//#region src/server/mutations/oauth.ts
+const OAUTH_SIGN_IN_EXPIRATION_MS = 1e3 * 60 * 2;
+const userOAuthArgs = v.object({
+	provider: v.string(),
+	providerAccountId: v.string(),
+	profile: v.any(),
+	signature: v.string(),
+	accountExtend: v.optional(v.any())
+});
+function normalizeAccountExtend(provider, providerAccountId, accountExtend) {
+	const baseIdentity = {
+		type: "oauth",
+		provider,
+		providerAccountId
+	};
+	if (provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)) {
+		baseIdentity.type = "enterprise-oidc";
+		baseIdentity.enterpriseId = provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length);
+	}
+	if (provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)) {
+		baseIdentity.type = "enterprise-saml";
+		baseIdentity.enterpriseId = provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length);
+	}
+	const provided = typeof accountExtend === "object" && accountExtend !== null && !Array.isArray(accountExtend) ? accountExtend : void 0;
+	const providedIdentity = provided && typeof provided.identity === "object" && provided.identity !== null && !Array.isArray(provided.identity) ? provided.identity : void 0;
+	return {
+		...provided,
+		identity: {
+			...baseIdentity,
+			...providedIdentity
+		}
+	};
+}
+function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
+	return Fx.gen(function* () {
+		logWithLevel("DEBUG", "userOAuthImpl args:", args);
+		const { profile, provider, providerAccountId, signature, accountExtend } = args;
+		const db = authDb(ctx, config);
+		const existingAccount = yield* Fx.promise(() => db.accounts.get(provider, providerAccountId));
+		const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX) ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length) : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX) ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length) : null;
+		const enterprise = enterpriseId !== null ? yield* Fx.promise(() => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId })) : null;
+		const enterprisePolicy = enterprise ? normalizeEnterprisePolicy(enterprise.policy) : null;
+		const enterpriseProtocol = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX) ? "oidc" : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX) ? "saml" : null;
+		const existingScimIdentity = enterpriseId !== null && existingAccount === null && enterprisePolicy?.provisioning.scimReuse.user === "externalId" ? yield* Fx.promise(() => ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {
+			enterpriseId,
+			resourceType: "user",
+			externalId: providerAccountId
+		})) : null;
+		const verifier = yield* Fx.from({
+			ok: () => db.verifiers.getBySignature(signature),
+			err: () => new AuthError("OAUTH_INVALID_STATE")
+		}).pipe(Fx.chain((doc) => doc === null ? Fx.fail(new AuthError("OAUTH_INVALID_STATE")) : Fx.succeed(doc)));
+		const { accountId } = yield* Fx.promise(() => upsertUserAndAccount(ctx, verifier.sessionId ?? null, existingAccount !== null ? { existingAccount } : { providerAccountId }, {
+			type: "oauth",
+			provider: isEnterpriseProviderId(provider) ? createSyntheticOAuthMaterializedConfig(provider, { accountLinking: enterpriseProtocol === "oidc" ? enterprisePolicy?.identity.accountLinking.oidc : enterpriseProtocol === "saml" ? enterprisePolicy?.identity.accountLinking.saml : void 0 }) : getProviderOrThrow(provider),
+			profile,
+			accountExtend: normalizeAccountExtend(provider, providerAccountId, accountExtend)
+		}, config, existingScimIdentity?.userId ? { existingUserId: existingScimIdentity.userId } : void 0));
+		if (enterpriseId !== null && enterprisePolicy?.provisioning.jit.mode === "createUserAndMembership") {
+			const userId = (yield* Fx.promise(() => db.accounts.getById(accountId)))?.userId;
+			if (userId) {
+				const groupId = enterprise?.groupId;
+				if (groupId) {
+					if ((yield* Fx.promise(() => ctx.runQuery(config.component.public.memberGetByGroupAndUser, {
+						userId,
+						groupId
+					}))) === null) yield* Fx.promise(() => ctx.runMutation(config.component.public.memberAdd, {
+						groupId,
+						userId,
+						roleIds: enterprisePolicy.provisioning.jit.defaultRoleIds,
+						status: "active"
+					}));
+				}
+			}
+		}
+		const code = generateRandomString(8, "0123456789");
+		yield* Fx.promise(() => db.verifiers.delete(verifier._id));
+		const existingVerificationCode = yield* Fx.promise(() => db.verificationCodes.getByAccountId(accountId));
+		if (existingVerificationCode !== null) yield* Fx.promise(() => db.verificationCodes.delete(existingVerificationCode._id));
+		yield* Fx.promise(async () => db.verificationCodes.create({
+			code: await sha256(code),
+			accountId,
+			provider,
+			expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,
+			verifier: verifier._id
+		}));
+		return code;
+	});
+}
+const callUserOAuth = async (ctx, args) => {
+	return ctx.runMutation(AUTH_STORE_REF, { args: {
+		type: "userOAuth",
+		...args
+	} });
+};
+
+//#endregion
+export { callUserOAuth, userOAuthArgs, userOAuthImpl };
+//# sourceMappingURL=oauth.js.map

package/dist/server/mutations/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","names":[],"sources":["../../../src/server/mutations/oauth.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../authError\";\nimport * as Provider from \"../crypto\";\nimport {\n  createSyntheticOAuthMaterializedConfig,\n} from \"../enterprise/oidc\";\nimport { normalizeEnterprisePolicy } from \"../enterprise/policy\";\nimport {\n  ENTERPRISE_OIDC_PROVIDER_PREFIX,\n  ENTERPRISE_SAML_PROVIDER_PREFIX,\n  isEnterpriseProviderId,\n} from \"../enterprise/shared\";\nimport { MutationCtx } from \"../types\";\nimport type { AuthProviderMaterializedConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { generateRandomString, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nconst OAUTH_SIGN_IN_EXPIRATION_MS = 1000 * 60 * 2; // 2 minutes\n\nexport const userOAuthArgs = v.object({\n  provider: v.string(),\n  providerAccountId: v.string(),\n  profile: v.any(),\n  signature: v.string(),\n  accountExtend: v.optional(v.any()),\n});\n\nfunction normalizeAccountExtend(\n  provider: string,\n  providerAccountId: string,\n  accountExtend: unknown,\n) {\n  const baseIdentity: Record<string, unknown> = {\n    type: \"oauth\",\n    provider,\n    providerAccountId,\n  };\n  if (provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)) {\n    baseIdentity.type = \"enterprise-oidc\";\n    baseIdentity.enterpriseId = provider.slice(\n      ENTERPRISE_OIDC_PROVIDER_PREFIX.length,\n    );\n  }\n  if (provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)) {\n    baseIdentity.type = \"enterprise-saml\";\n    baseIdentity.enterpriseId = provider.slice(\n      ENTERPRISE_SAML_PROVIDER_PREFIX.length,\n    );\n  }\n  const provided =\n    typeof accountExtend === \"object\" &&\n    accountExtend !== null &&\n    !Array.isArray(accountExtend)\n      ? (accountExtend as Record<string, unknown>)\n      : undefined;\n  const providedIdentity =\n    provided &&\n    typeof provided.identity === \"object\" &&\n    provided.identity !== null &&\n    !Array.isArray(provided.identity)\n      ? (provided.identity as Record<string, unknown>)\n      : undefined;\n  return {\n    ...provided,\n    identity: {\n      ...baseIdentity,\n      ...providedIdentity,\n    },\n  };\n}\n\ntype ReturnType = string;\n\nexport function userOAuthImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof userOAuthArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Fx<ReturnType, AuthError> {\n  return Fx.gen(function* () {\n    logWithLevel(\"DEBUG\", \"userOAuthImpl args:\", args);\n    const { profile, provider, providerAccountId, signature, accountExtend } =\n      args;\n    const db = authDb(ctx, config);\n    const existingAccount = yield* Fx.promise(() =>\n      db.accounts.get(provider, providerAccountId),\n    );\n    const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)\n      ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length)\n      : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n        ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length)\n        : null;\n    const enterprise =\n      enterpriseId !== null\n        ? yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.enterpriseGet, {\n              enterpriseId,\n            }),\n          )\n        : null;\n    const enterprisePolicy = enterprise\n      ? normalizeEnterprisePolicy(enterprise.policy)\n      : null;\n    const enterpriseProtocol = provider.startsWith(\n      ENTERPRISE_OIDC_PROVIDER_PREFIX,\n    )\n      ? \"oidc\"\n      : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n        ? \"saml\"\n        : null;\n\n    const existingScimIdentity =\n      enterpriseId !== null &&\n      existingAccount === null &&\n      enterprisePolicy?.provisioning.scimReuse.user === \"externalId\"\n        ? yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {\n              enterpriseId,\n              resourceType: \"user\",\n              externalId: providerAccountId,\n            }),\n          )\n        : null;\n\n    const verifier = yield* Fx.from({\n      ok: () => db.verifiers.getBySignature(signature),\n      err: () => new AuthError(\"OAUTH_INVALID_STATE\"),\n    }).pipe(\n      Fx.chain((doc) =>\n        doc === null\n          ? Fx.fail(new AuthError(\"OAUTH_INVALID_STATE\"))\n          : Fx.succeed(doc),\n      ),\n    );\n\n    const { accountId } = yield* Fx.promise(() =>\n      upsertUserAndAccount(\n        ctx,\n        verifier.sessionId ?? null,\n        existingAccount !== null ? { existingAccount } : { providerAccountId },\n        {\n          type: \"oauth\",\n          provider: (isEnterpriseProviderId(provider)\n            ? createSyntheticOAuthMaterializedConfig(provider, {\n                accountLinking:\n                  enterpriseProtocol === \"oidc\"\n                    ? enterprisePolicy?.identity.accountLinking.oidc\n                    : enterpriseProtocol === \"saml\"\n                      ? enterprisePolicy?.identity.accountLinking.saml\n                      : undefined,\n              })\n            : getProviderOrThrow(provider)) as AuthProviderMaterializedConfig,\n          profile,\n          accountExtend: normalizeAccountExtend(\n            provider,\n            providerAccountId,\n            accountExtend,\n          ),\n        },\n        config,\n        existingScimIdentity?.userId\n          ? { existingUserId: existingScimIdentity.userId }\n          : undefined,\n      ),\n    );\n\n    // JIT group provisioning: if this is an enterprise SSO sign-in and the\n    // enterprise connection has a groupId, auto-add the user as a member of\n    // that group if they aren't already a member.\n    if (\n      enterpriseId !== null &&\n      enterprisePolicy?.provisioning.jit.mode === \"createUserAndMembership\"\n    ) {\n      const account = yield* Fx.promise(() => db.accounts.getById(accountId));\n      const userId = account?.userId;\n      if (userId) {\n        const groupId = (enterprise as any)?.groupId as string | undefined;\n        if (groupId) {\n          const existingMembership = yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.memberGetByGroupAndUser, {\n              userId,\n              groupId,\n            }),\n          );\n          if (existingMembership === null) {\n            yield* Fx.promise(() =>\n              ctx.runMutation(config.component.public.memberAdd, {\n                groupId,\n                userId,\n                roleIds: enterprisePolicy.provisioning.jit.defaultRoleIds,\n                status: \"active\",\n              }),\n            );\n          }\n        }\n      }\n    }\n\n    const code = generateRandomString(8, \"0123456789\");\n    yield* Fx.promise(() => db.verifiers.delete(verifier._id));\n    const existingVerificationCode = yield* Fx.promise(() =>\n      db.verificationCodes.getByAccountId(accountId),\n    );\n    if (existingVerificationCode !== null) {\n      yield* Fx.promise(() =>\n        db.verificationCodes.delete(existingVerificationCode._id),\n      );\n    }\n    yield* Fx.promise(async () =>\n      db.verificationCodes.create({\n        code: await sha256(code),\n        accountId,\n        provider,\n        expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,\n        verifier: verifier._id,\n      }),\n    );\n    return code;\n  });\n}\n\nexport const callUserOAuth = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof userOAuthArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"userOAuth\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;;;;;AAsBA,MAAM,8BAA8B,MAAO,KAAK;AAEhD,MAAa,gBAAgB,EAAE,OAAO;CACpC,UAAU,EAAE,QAAQ;CACpB,mBAAmB,EAAE,QAAQ;CAC7B,SAAS,EAAE,KAAK;CAChB,WAAW,EAAE,QAAQ;CACrB,eAAe,EAAE,SAAS,EAAE,KAAK,CAAC;CACnC,CAAC;AAEF,SAAS,uBACP,UACA,mBACA,eACA;CACA,MAAM,eAAwC;EAC5C,MAAM;EACN;EACA;EACD;AACD,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;AAEH,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;CAEH,MAAM,WACJ,OAAO,kBAAkB,YACzB,kBAAkB,QAClB,CAAC,MAAM,QAAQ,cAAc,GACxB,gBACD;CACN,MAAM,mBACJ,YACA,OAAO,SAAS,aAAa,YAC7B,SAAS,aAAa,QACtB,CAAC,MAAM,QAAQ,SAAS,SAAS,GAC5B,SAAS,WACV;AACN,QAAO;EACL,GAAG;EACH,UAAU;GACR,GAAG;GACH,GAAG;GACJ;EACF;;AAKH,SAAgB,cACd,KACA,MACA,oBACA,QAC2B;AAC3B,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,SAAS,uBAAuB,KAAK;EAClD,MAAM,EAAE,SAAS,UAAU,mBAAmB,WAAW,kBACvD;EACF,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,kBAAkB,CAC7C;EACD,MAAM,eAAe,SAAS,WAAW,gCAAgC,GACrE,SAAS,MAAM,gCAAgC,OAAO,GACtD,SAAS,WAAW,gCAAgC,GAClD,SAAS,MAAM,gCAAgC,OAAO,GACtD;EACN,MAAM,aACJ,iBAAiB,OACb,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,eAAe,EAClD,cACD,CAAC,CACH,GACD;EACN,MAAM,mBAAmB,aACrB,0BAA0B,WAAW,OAAO,GAC5C;EACJ,MAAM,qBAAqB,SAAS,WAClC,gCACD,GACG,SACA,SAAS,WAAW,gCAAgC,GAClD,SACA;EAEN,MAAM,uBACJ,iBAAiB,QACjB,oBAAoB,QACpB,kBAAkB,aAAa,UAAU,SAAS,eAC9C,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,2BAA2B;GAC9D;GACA,cAAc;GACd,YAAY;GACb,CAAC,CACH,GACD;EAEN,MAAM,WAAW,OAAO,GAAG,KAAK;GAC9B,UAAU,GAAG,UAAU,eAAe,UAAU;GAChD,WAAW,IAAI,UAAU,sBAAsB;GAChD,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC,GAC7C,GAAG,QAAQ,IAAI,CACpB,CACF;EAED,MAAM,EAAE,cAAc,OAAO,GAAG,cAC9B,qBACE,KACA,SAAS,aAAa,MACtB,oBAAoB,OAAO,EAAE,iBAAiB,GAAG,EAAE,mBAAmB,EACtE;GACE,MAAM;GACN,UAAW,uBAAuB,SAAS,GACvC,uCAAuC,UAAU,EAC/C,gBACE,uBAAuB,SACnB,kBAAkB,SAAS,eAAe,OAC1C,uBAAuB,SACrB,kBAAkB,SAAS,eAAe,OAC1C,QACT,CAAC,GACF,mBAAmB,SAAS;GAChC;GACA,eAAe,uBACb,UACA,mBACA,cACD;GACF,EACD,QACA,sBAAsB,SAClB,EAAE,gBAAgB,qBAAqB,QAAQ,GAC/C,OACL,CACF;AAKD,MACE,iBAAiB,QACjB,kBAAkB,aAAa,IAAI,SAAS,2BAC5C;GAEA,MAAM,UADU,OAAO,GAAG,cAAc,GAAG,SAAS,QAAQ,UAAU,CAAC,GAC/C;AACxB,OAAI,QAAQ;IACV,MAAM,UAAW,YAAoB;AACrC,QAAI,SAOF;UAN2B,OAAO,GAAG,cACnC,IAAI,SAAS,OAAO,UAAU,OAAO,yBAAyB;MAC5D;MACA;MACD,CAAC,CACH,MAC0B,KACzB,QAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;MACjD;MACA;MACA,SAAS,iBAAiB,aAAa,IAAI;MAC3C,QAAQ;MACT,CAAC,CACH;;;;EAMT,MAAM,OAAO,qBAAqB,GAAG,aAAa;AAClD,SAAO,GAAG,cAAc,GAAG,UAAU,OAAO,SAAS,IAAI,CAAC;EAC1D,MAAM,2BAA2B,OAAO,GAAG,cACzC,GAAG,kBAAkB,eAAe,UAAU,CAC/C;AACD,MAAI,6BAA6B,KAC/B,QAAO,GAAG,cACR,GAAG,kBAAkB,OAAO,yBAAyB,IAAI,CAC1D;AAEH,SAAO,GAAG,QAAQ,YAChB,GAAG,kBAAkB,OAAO;GAC1B,MAAM,MAAM,OAAO,KAAK;GACxB;GACA;GACA,gBAAgB,KAAK,KAAK,GAAG;GAC7B,UAAU,SAAS;GACpB,CAAC,CACH;AACD,SAAO;GACP;;AAGJ,MAAa,gBAAgB,OAC3B,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/server/mutations/refresh.d.ts

@@ -0,0 +1,21 @@
+import { MutationCtx } from "../types.js";
+import { Config, GetProviderOrThrowFunc } from "../crypto.js";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+import * as convex_values109 from "convex/values";
+import { Infer } from "convex/values";
+
+//#region src/server/mutations/refresh.d.ts
+declare const refreshSessionArgs: convex_values109.VObject<{
+  refreshToken: string;
+}, {
+  refreshToken: convex_values109.VString<string, "required">;
+}, "required", "refreshToken">;
+type RefreshResult = null | {
+  token: string;
+  refreshToken: string;
+};
+declare function refreshSessionImpl(ctx: MutationCtx, args: Infer<typeof refreshSessionArgs>, _getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Promise<RefreshResult>;
+declare const callRefreshSession: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof refreshSessionArgs>) => Promise<RefreshResult>;
+//#endregion
+export { callRefreshSession, refreshSessionArgs, refreshSessionImpl };
+//# sourceMappingURL=refresh.d.ts.map

package/dist/server/mutations/refresh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.d.ts","names":[],"sources":["../../../src/server/mutations/refresh.ts"],"mappings":";;;;;;;cAkBa,kBAAA,EAEX,gBAAA,CAF6B,OAAA;;;gBAE7B,gBAAA,CAAA,OAAA;AAAA;AAAA,KAEG,aAAA;EACH,KAAA;EACA,YAAA;AAAA;AAAA,iBAiBoB,kBAAA,CACpB,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,kBAAA,GACnB,mBAAA,EAAqB,sBAAA,EACrB,MAAA,EAAQ,MAAA,GACP,OAAA,CAAQ,aAAA;AAAA,cAiPE,kBAAA,qBAA8C,gBAAA,EACzD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,kBAAA,MAClB,OAAA,CAAQ,aAAA"}