@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/server/mutations/refresh.js

@@ -0,0 +1,119 @@
+import { logWithLevel, maybeRedact } from "../utils.js";
+import { authDb } from "../db.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
+import { REFRESH_TOKEN_REUSE_WINDOW_MS, invalidateRefreshTokensInSubtree, parseRefreshToken, refreshTokenIfValid } from "../refresh.js";
+import { generateTokensForSession } from "../sessions.js";
+import { Fx } from "@robelest/fx";
+import { v } from "convex/values";
+
+//#region src/server/mutations/refresh.ts
+const refreshSessionArgs = v.object({ refreshToken: v.string() });
+/** A soft refresh failure — logged and collapsed to null at the boundary. */
+var RefreshFailure = class {
+	_tag = "RefreshFailure";
+	constructor(reason) {
+		this.reason = reason;
+	}
+};
+async function refreshSessionImpl(ctx, args, _getProviderOrThrow, config) {
+	const db = authDb(ctx, config);
+	const { refreshToken } = args;
+	return Fx.run(parseRefreshToken(refreshToken).pipe(Fx.recover((err) => Fx.fail(new RefreshFailure(err.message))), Fx.tap(({ refreshTokenId, sessionId: tokenSessionId }) => Fx.sync(() => logWithLevel("DEBUG", `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(tokenSessionId)}`))), Fx.chain(({ refreshTokenId, sessionId: tokenSessionId }) => refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config).pipe(Fx.chain((validationResult) => validationResult === null ? Fx.gen(function* () {
+		yield* Fx.from({
+			ok: async () => {
+				const session = await db.sessions.getById(tokenSessionId);
+				if (session !== null) await db.sessions.delete(session._id);
+			},
+			err: () => new RefreshFailure("Skipping invalid session id during refresh cleanup")
+		}).pipe(Fx.recover((f) => {
+			logWithLevel("DEBUG", f.reason);
+			return Fx.succeed(void 0);
+		}));
+		yield* Fx.from({
+			ok: () => authDb(ctx, config).refreshTokens.deleteAll(tokenSessionId),
+			err: () => new RefreshFailure("Skipping invalid token session id during refresh token cleanup")
+		}).pipe(Fx.recover((f) => {
+			logWithLevel("DEBUG", f.reason);
+			return Fx.succeed(void 0);
+		}));
+		return null;
+	}) : (() => {
+		const { session } = validationResult;
+		const sessionId = session._id;
+		const userId = session.userId;
+		const tokenFirstUsed = validationResult.refreshTokenDoc.firstUsedTime;
+		return tokenFirstUsed === void 0 ? Fx.from({
+			ok: async () => {
+				await db.refreshTokens.patch(refreshTokenId, { firstUsedTime: Date.now() });
+				const result = await generateTokensForSession(ctx, config, {
+					userId,
+					sessionId,
+					issuedRefreshTokenId: null,
+					parentRefreshTokenId: refreshTokenId
+				});
+				const { refreshTokenId: newRefreshTokenId } = await Fx.run(parseRefreshToken(result.refreshToken));
+				logWithLevel("DEBUG", `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (first use) for new refresh token ${maybeRedact(newRefreshTokenId)}`);
+				return result;
+			},
+			err: () => new RefreshFailure("Failed during first-use token exchange")
+		}) : Fx.from({
+			ok: () => authDb(ctx, config).refreshTokens.getActive(tokenSessionId),
+			err: () => new RefreshFailure("Failed to load active refresh token")
+		}).pipe(Fx.chain((activeRefreshToken) => {
+			logWithLevel("DEBUG", `Active refresh token: ${maybeRedact(activeRefreshToken?._id ?? "(none)")}, parent ${maybeRedact(activeRefreshToken?.parentRefreshTokenId ?? "(none)")}`);
+			const reuseDispatch = activeRefreshToken !== null && activeRefreshToken.parentRefreshTokenId === refreshTokenId ? {
+				tag: "parentOfActive",
+				activeRefreshToken
+			} : tokenFirstUsed + REFRESH_TOKEN_REUSE_WINDOW_MS > Date.now() ? { tag: "withinReuseWindow" } : { tag: "outsideReuseWindow" };
+			if (reuseDispatch.tag === "parentOfActive") return Fx.from({
+				ok: () => generateTokensForSession(ctx, config, {
+					userId,
+					sessionId,
+					issuedRefreshTokenId: reuseDispatch.activeRefreshToken._id,
+					parentRefreshTokenId: refreshTokenId
+				}),
+				err: () => new RefreshFailure("Failed to generate tokens for parent reuse")
+			}).pipe(Fx.tap(() => Fx.sync(() => logWithLevel("DEBUG", `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} is parent of active refresh token ${maybeRedact(reuseDispatch.activeRefreshToken._id)}, so returning that token`))));
+			if (reuseDispatch.tag === "withinReuseWindow") return Fx.from({
+				ok: async () => {
+					const result = await generateTokensForSession(ctx, config, {
+						userId,
+						sessionId,
+						issuedRefreshTokenId: null,
+						parentRefreshTokenId: refreshTokenId
+					});
+					const { refreshTokenId: newRefreshTokenId } = await Fx.run(parseRefreshToken(result.refreshToken));
+					logWithLevel("DEBUG", `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (reuse) for new refresh token ${maybeRedact(newRefreshTokenId)}`);
+					return result;
+				},
+				err: () => new RefreshFailure("Failed to generate tokens for reuse window")
+			});
+			logWithLevel("ERROR", "Refresh token used outside of reuse window");
+			logWithLevel("DEBUG", `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} being used outside of reuse window, so invalidating all refresh tokens in subtree`);
+			return Fx.from({
+				ok: async () => {
+					const tokensToInvalidate = await invalidateRefreshTokensInSubtree(ctx, validationResult.refreshTokenDoc, config);
+					logWithLevel("DEBUG", `Invalidated ${tokensToInvalidate.length} refresh tokens in subtree: ${tokensToInvalidate.map((token) => maybeRedact(token._id)).join(", ")}`);
+					return null;
+				},
+				err: () => new RefreshFailure("Failed to invalidate refresh tokens in subtree")
+			});
+		}));
+	})()))), Fx.fold({
+		ok: (result) => result,
+		err: (failure) => {
+			logWithLevel("DEBUG", failure.reason);
+			return null;
+		}
+	})));
+}
+const callRefreshSession = async (ctx, args) => {
+	return ctx.runMutation(AUTH_STORE_REF, { args: {
+		type: "refreshSession",
+		...args
+	} });
+};
+
+//#endregion
+export { callRefreshSession, refreshSessionArgs, refreshSessionImpl };
+//# sourceMappingURL=refresh.js.map

package/dist/server/mutations/refresh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh.js","names":[],"sources":["../../../src/server/mutations/refresh.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../authError\";\nimport * as Provider from \"../crypto\";\nimport {\n  invalidateRefreshTokensInSubtree,\n  parseRefreshToken,\n  REFRESH_TOKEN_REUSE_WINDOW_MS,\n  refreshTokenIfValid,\n} from \"../refresh\";\nimport { generateTokensForSession } from \"../sessions\";\nimport { MutationCtx } from \"../types\";\nimport { logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const refreshSessionArgs = v.object({\n  refreshToken: v.string(),\n});\n\ntype RefreshResult = null | {\n  token: string;\n  refreshToken: string;\n};\n\n// ============================================================================\n// Small helpers for the refresh pipeline\n// ============================================================================\n\n/** A soft refresh failure — logged and collapsed to null at the boundary. */\nclass RefreshFailure {\n  readonly _tag = \"RefreshFailure\" as const;\n  constructor(readonly reason: string) {}\n}\n\n// ============================================================================\n// Main exported function\n// ============================================================================\n\nexport async function refreshSessionImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof refreshSessionArgs>,\n  _getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Promise<RefreshResult> {\n  const db = authDb(ctx, config);\n  const { refreshToken } = args;\n\n  return Fx.run(\n    parseRefreshToken(refreshToken).pipe(\n      Fx.recover((err: AuthError) => Fx.fail(new RefreshFailure(err.message))),\n      Fx.tap(({ refreshTokenId, sessionId: tokenSessionId }) =>\n        Fx.sync(() =>\n          logWithLevel(\n            \"DEBUG\",\n            `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(tokenSessionId)}`,\n          ),\n        ),\n      ),\n      Fx.chain(({ refreshTokenId, sessionId: tokenSessionId }) =>\n        refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config).pipe(\n          Fx.chain((validationResult) =>\n            validationResult === null\n              ? Fx.gen(function* () {\n                  yield* Fx.from({\n                    ok: async () => {\n                      const session = await (db as any).sessions.getById(\n                        tokenSessionId,\n                      );\n                      if (session !== null) {\n                        await (db as any).sessions.delete(session._id);\n                      }\n                    },\n                    err: () =>\n                      new RefreshFailure(\n                        \"Skipping invalid session id during refresh cleanup\",\n                      ),\n                  }).pipe(\n                    Fx.recover((f) => {\n                      logWithLevel(\"DEBUG\", f.reason);\n                      return Fx.succeed(undefined as void);\n                    }),\n                  );\n\n                  yield* Fx.from({\n                    ok: () =>\n                      authDb(ctx, config).refreshTokens.deleteAll(\n                        tokenSessionId as any,\n                      ),\n                    err: () =>\n                      new RefreshFailure(\n                        \"Skipping invalid token session id during refresh token cleanup\",\n                      ),\n                  }).pipe(\n                    Fx.recover((f) => {\n                      logWithLevel(\"DEBUG\", f.reason);\n                      return Fx.succeed(undefined as void);\n                    }),\n                  );\n\n                  return null;\n                })\n              : (() => {\n                  const { session } = validationResult;\n                  const sessionId = session._id;\n                  const userId = session.userId;\n                  const tokenFirstUsed =\n                    validationResult.refreshTokenDoc.firstUsedTime;\n                  return tokenFirstUsed === undefined\n                    ? Fx.from({\n                        ok: async () => {\n                          await (db as any).refreshTokens.patch(\n                            refreshTokenId,\n                            {\n                              firstUsedTime: Date.now(),\n                            },\n                          );\n                          const result = await generateTokensForSession(\n                            ctx,\n                            config,\n                            {\n                              userId,\n                              sessionId,\n                              issuedRefreshTokenId: null,\n                              parentRefreshTokenId: refreshTokenId as any,\n                            },\n                          );\n                          const { refreshTokenId: newRefreshTokenId } =\n                            await Fx.run(\n                              parseRefreshToken(result.refreshToken),\n                            );\n                          logWithLevel(\n                            \"DEBUG\",\n                            `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (first use) for new refresh token ${maybeRedact(newRefreshTokenId)}`,\n                          );\n                          return result;\n                        },\n                        err: () =>\n                          new RefreshFailure(\n                            \"Failed during first-use token exchange\",\n                          ),\n                      })\n                    : Fx.from({\n                        ok: () =>\n                          authDb(ctx, config).refreshTokens.getActive(\n                            tokenSessionId as any,\n                          ),\n                        err: () =>\n                          new RefreshFailure(\n                            \"Failed to load active refresh token\",\n                          ),\n                      }).pipe(\n                        Fx.chain((activeRefreshToken) => {\n                          logWithLevel(\n                            \"DEBUG\",\n                            `Active refresh token: ${maybeRedact(activeRefreshToken?._id ?? \"(none)\")}, parent ${maybeRedact(activeRefreshToken?.parentRefreshTokenId ?? \"(none)\")}`,\n                          );\n\n                          const reuseDispatch =\n                            activeRefreshToken !== null &&\n                            activeRefreshToken.parentRefreshTokenId ===\n                              refreshTokenId\n                              ? ({\n                                  tag: \"parentOfActive\",\n                                  activeRefreshToken,\n                                } as const)\n                              : tokenFirstUsed + REFRESH_TOKEN_REUSE_WINDOW_MS >\n                                  Date.now()\n                                ? ({ tag: \"withinReuseWindow\" } as const)\n                                : ({ tag: \"outsideReuseWindow\" } as const);\n\n                          if (reuseDispatch.tag === \"parentOfActive\") {\n                            return Fx.from({\n                              ok: () =>\n                                generateTokensForSession(ctx, config, {\n                                  userId,\n                                  sessionId,\n                                  issuedRefreshTokenId:\n                                    reuseDispatch.activeRefreshToken._id,\n                                  parentRefreshTokenId: refreshTokenId as any,\n                                }),\n                              err: () =>\n                                new RefreshFailure(\n                                  \"Failed to generate tokens for parent reuse\",\n                                ),\n                            }).pipe(\n                              Fx.tap(() =>\n                                Fx.sync(() =>\n                                  logWithLevel(\n                                    \"DEBUG\",\n                                    `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} is parent of active refresh token ${maybeRedact(reuseDispatch.activeRefreshToken._id)}, so returning that token`,\n                                  ),\n                                ),\n                              ),\n                            );\n                          }\n\n                          if (reuseDispatch.tag === \"withinReuseWindow\") {\n                            return Fx.from({\n                              ok: async () => {\n                                const result = await generateTokensForSession(\n                                  ctx,\n                                  config,\n                                  {\n                                    userId,\n                                    sessionId,\n                                    issuedRefreshTokenId: null,\n                                    parentRefreshTokenId: refreshTokenId as any,\n                                  },\n                                );\n                                const { refreshTokenId: newRefreshTokenId } =\n                                  await Fx.run(\n                                    parseRefreshToken(result.refreshToken),\n                                  );\n                                logWithLevel(\n                                  \"DEBUG\",\n                                  `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (reuse) for new refresh token ${maybeRedact(newRefreshTokenId)}`,\n                                );\n                                return result;\n                              },\n                              err: () =>\n                                new RefreshFailure(\n                                  \"Failed to generate tokens for reuse window\",\n                                ),\n                            });\n                          }\n\n                          logWithLevel(\n                            \"ERROR\",\n                            \"Refresh token used outside of reuse window\",\n                          );\n                          logWithLevel(\n                            \"DEBUG\",\n                            `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} being used outside of reuse window, so invalidating all refresh tokens in subtree`,\n                          );\n                          return Fx.from({\n                            ok: async () => {\n                              const tokensToInvalidate =\n                                await invalidateRefreshTokensInSubtree(\n                                  ctx,\n                                  validationResult.refreshTokenDoc,\n                                  config,\n                                );\n                              logWithLevel(\n                                \"DEBUG\",\n                                `Invalidated ${tokensToInvalidate.length} refresh tokens in subtree: ${tokensToInvalidate\n                                  .map((token) => maybeRedact(token._id))\n                                  .join(\", \")}`,\n                              );\n                              return null;\n                            },\n                            err: () =>\n                              new RefreshFailure(\n                                \"Failed to invalidate refresh tokens in subtree\",\n                              ),\n                          });\n                        }),\n                      );\n                })(),\n          ),\n        ),\n      ),\n      Fx.fold({\n        ok: (result) => result,\n        err: (failure) => {\n          logWithLevel(\"DEBUG\", failure.reason);\n          return null;\n        },\n      }),\n    ),\n  );\n}\n\n// ============================================================================\n// Invalid token path — cleanup session and refresh tokens\n// ============================================================================\n\n// ============================================================================\n// Valid token path — dispatch on first-use / parent / reuse-window / stale\n// ============================================================================\n\n// ============================================================================\n// Action-level caller (unchanged — just forwards to mutation)\n// ============================================================================\n\nexport const callRefreshSession = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof refreshSessionArgs>,\n): Promise<RefreshResult> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"refreshSession\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;;AAkBA,MAAa,qBAAqB,EAAE,OAAO,EACzC,cAAc,EAAE,QAAQ,EACzB,CAAC;;AAYF,IAAM,iBAAN,MAAqB;CACnB,AAAS,OAAO;CAChB,YAAY,AAAS,QAAgB;EAAhB;;;AAOvB,eAAsB,mBACpB,KACA,MACA,qBACA,QACwB;CACxB,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,EAAE,iBAAiB;AAEzB,QAAO,GAAG,IACR,kBAAkB,aAAa,CAAC,KAC9B,GAAG,SAAS,QAAmB,GAAG,KAAK,IAAI,eAAe,IAAI,QAAQ,CAAC,CAAC,EACxE,GAAG,KAAK,EAAE,gBAAgB,WAAW,qBACnC,GAAG,WACD,aACE,SACA,sCAAsC,YAAY,eAAe,CAAC,eAAe,YAAY,eAAe,GAC7G,CACF,CACF,EACD,GAAG,OAAO,EAAE,gBAAgB,WAAW,qBACrC,oBAAoB,KAAK,gBAAgB,gBAAgB,OAAO,CAAC,KAC/D,GAAG,OAAO,qBACR,qBAAqB,OACjB,GAAG,IAAI,aAAa;AAClB,SAAO,GAAG,KAAK;GACb,IAAI,YAAY;IACd,MAAM,UAAU,MAAO,GAAW,SAAS,QACzC,eACD;AACD,QAAI,YAAY,KACd,OAAO,GAAW,SAAS,OAAO,QAAQ,IAAI;;GAGlD,WACE,IAAI,eACF,qDACD;GACJ,CAAC,CAAC,KACD,GAAG,SAAS,MAAM;AAChB,gBAAa,SAAS,EAAE,OAAO;AAC/B,UAAO,GAAG,QAAQ,OAAkB;IACpC,CACH;AAED,SAAO,GAAG,KAAK;GACb,UACE,OAAO,KAAK,OAAO,CAAC,cAAc,UAChC,eACD;GACH,WACE,IAAI,eACF,iEACD;GACJ,CAAC,CAAC,KACD,GAAG,SAAS,MAAM;AAChB,gBAAa,SAAS,EAAE,OAAO;AAC/B,UAAO,GAAG,QAAQ,OAAkB;IACpC,CACH;AAED,SAAO;GACP,UACK;EACL,MAAM,EAAE,YAAY;EACpB,MAAM,YAAY,QAAQ;EAC1B,MAAM,SAAS,QAAQ;EACvB,MAAM,iBACJ,iBAAiB,gBAAgB;AACnC,SAAO,mBAAmB,SACtB,GAAG,KAAK;GACN,IAAI,YAAY;AACd,UAAO,GAAW,cAAc,MAC9B,gBACA,EACE,eAAe,KAAK,KAAK,EAC1B,CACF;IACD,MAAM,SAAS,MAAM,yBACnB,KACA,QACA;KACE;KACA;KACA,sBAAsB;KACtB,sBAAsB;KACvB,CACF;IACD,MAAM,EAAE,gBAAgB,sBACtB,MAAM,GAAG,IACP,kBAAkB,OAAO,aAAa,CACvC;AACH,iBACE,SACA,aAAa,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,qCAAqC,YAAY,kBAAkB,GACnI;AACD,WAAO;;GAET,WACE,IAAI,eACF,yCACD;GACJ,CAAC,GACF,GAAG,KAAK;GACN,UACE,OAAO,KAAK,OAAO,CAAC,cAAc,UAChC,eACD;GACH,WACE,IAAI,eACF,sCACD;GACJ,CAAC,CAAC,KACD,GAAG,OAAO,uBAAuB;AAC/B,gBACE,SACA,yBAAyB,YAAY,oBAAoB,OAAO,SAAS,CAAC,WAAW,YAAY,oBAAoB,wBAAwB,SAAS,GACvJ;GAED,MAAM,gBACJ,uBAAuB,QACvB,mBAAmB,yBACjB,iBACG;IACC,KAAK;IACL;IACD,GACD,iBAAiB,gCACf,KAAK,KAAK,GACT,EAAE,KAAK,qBAAqB,GAC5B,EAAE,KAAK,sBAAsB;AAEtC,OAAI,cAAc,QAAQ,iBACxB,QAAO,GAAG,KAAK;IACb,UACE,yBAAyB,KAAK,QAAQ;KACpC;KACA;KACA,sBACE,cAAc,mBAAmB;KACnC,sBAAsB;KACvB,CAAC;IACJ,WACE,IAAI,eACF,6CACD;IACJ,CAAC,CAAC,KACD,GAAG,UACD,GAAG,WACD,aACE,SACA,SAAS,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,qCAAqC,YAAY,cAAc,mBAAmB,IAAI,CAAC,2BACnJ,CACF,CACF,CACF;AAGH,OAAI,cAAc,QAAQ,oBACxB,QAAO,GAAG,KAAK;IACb,IAAI,YAAY;KACd,MAAM,SAAS,MAAM,yBACnB,KACA,QACA;MACE;MACA;MACA,sBAAsB;MACtB,sBAAsB;MACvB,CACF;KACD,MAAM,EAAE,gBAAgB,sBACtB,MAAM,GAAG,IACP,kBAAkB,OAAO,aAAa,CACvC;AACH,kBACE,SACA,aAAa,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,iCAAiC,YAAY,kBAAkB,GAC/H;AACD,YAAO;;IAET,WACE,IAAI,eACF,6CACD;IACJ,CAAC;AAGJ,gBACE,SACA,6CACD;AACD,gBACE,SACA,SAAS,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,oFAC5D;AACD,UAAO,GAAG,KAAK;IACb,IAAI,YAAY;KACd,MAAM,qBACJ,MAAM,iCACJ,KACA,iBAAiB,iBACjB,OACD;AACH,kBACE,SACA,eAAe,mBAAmB,OAAO,8BAA8B,mBACpE,KAAK,UAAU,YAAY,MAAM,IAAI,CAAC,CACtC,KAAK,KAAK,GACd;AACD,YAAO;;IAET,WACE,IAAI,eACF,iDACD;IACJ,CAAC;IACF,CACH;KACH,CACT,CACF,CACF,EACD,GAAG,KAAK;EACN,KAAK,WAAW;EAChB,MAAM,YAAY;AAChB,gBAAa,SAAS,QAAQ,OAAO;AACrC,UAAO;;EAEV,CAAC,CACH,CACF;;AAeH,MAAa,qBAAqB,OAChC,KACA,SAC2B;AAC3B,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/server/mutations/register.d.ts

@@ -0,0 +1,38 @@
+import { Doc, MutationCtx } from "../types.js";
+import { Config, GetProviderOrThrowFunc } from "../crypto.js";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+import * as convex_values101 from "convex/values";
+import { Infer } from "convex/values";
+
+//#region src/server/mutations/register.d.ts
+declare const createAccountFromCredentialsArgs: convex_values101.VObject<{
+  shouldLinkViaEmail?: boolean | undefined;
+  shouldLinkViaPhone?: boolean | undefined;
+  provider: string;
+  account: {
+    secret?: string | undefined;
+    id: string;
+  };
+  profile: any;
+}, {
+  provider: convex_values101.VString<string, "required">;
+  account: convex_values101.VObject<{
+    secret?: string | undefined;
+    id: string;
+  }, {
+    id: convex_values101.VString<string, "required">;
+    secret: convex_values101.VString<string | undefined, "optional">;
+  }, "required", "id" | "secret">;
+  profile: convex_values101.VAny<any, "required", string>;
+  shouldLinkViaEmail: convex_values101.VBoolean<boolean | undefined, "optional">;
+  shouldLinkViaPhone: convex_values101.VBoolean<boolean | undefined, "optional">;
+}, "required", "provider" | "account" | "account.id" | "account.secret" | "profile" | `profile.${string}` | "shouldLinkViaEmail" | "shouldLinkViaPhone">;
+type ReturnType = {
+  account: Doc<"Account">;
+  user: Doc<"User">;
+};
+declare function createAccountFromCredentialsImpl(ctx: MutationCtx, args: Infer<typeof createAccountFromCredentialsArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Promise<ReturnType>;
+declare const callCreateAccountFromCredentials: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof createAccountFromCredentialsArgs>) => Promise<ReturnType>;
+//#endregion
+export { callCreateAccountFromCredentials, createAccountFromCredentialsArgs, createAccountFromCredentialsImpl };
+//# sourceMappingURL=register.d.ts.map

package/dist/server/mutations/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","names":[],"sources":["../../../src/server/mutations/register.ts"],"mappings":";;;;;;;cAca,gCAAA,mBAAgC,OAAA;;;;;;;;;;YAM3C,gBAAA,CAAA,OAAA;;;;;;;;;;;;KAEG,UAAA;EAAe,OAAA,EAAS,GAAA;EAAgB,IAAA,EAAM,GAAA;AAAA;AAAA,iBAE7B,gCAAA,CACpB,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,gCAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,OAAA,CAAQ,UAAA;AAAA,cA8JE,gCAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,gCAAA,MAClB,OAAA,CAAQ,UAAA"}

package/dist/server/mutations/register.js

@@ -0,0 +1,83 @@
+import { AuthError } from "../authError.js";
+import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
+import { authDb } from "../db.js";
+import { hash, verify } from "../crypto.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
+import { getAuthSessionId } from "../sessions.js";
+import { upsertUserAndAccount } from "../users.js";
+import { Fx } from "@robelest/fx";
+import { v } from "convex/values";
+
+//#region src/server/mutations/register.ts
+const createAccountFromCredentialsArgs = v.object({
+	provider: v.string(),
+	account: v.object({
+		id: v.string(),
+		secret: v.optional(v.string())
+	}),
+	profile: v.any(),
+	shouldLinkViaEmail: v.optional(v.boolean()),
+	shouldLinkViaPhone: v.optional(v.boolean())
+});
+async function createAccountFromCredentialsImpl(ctx, args, getProviderOrThrow, config) {
+	logWithLevel(LOG_LEVELS.DEBUG, "createAccountFromCredentialsImpl args:", {
+		provider: args.provider,
+		account: {
+			id: args.account.id,
+			secret: maybeRedact(args.account.secret ?? "")
+		}
+	});
+	const { provider: providerId, account, profile, shouldLinkViaEmail, shouldLinkViaPhone } = args;
+	const db = authDb(ctx, config);
+	const provider = getProviderOrThrow(providerId);
+	return Fx.run(Fx.from({
+		ok: () => db.accounts.get(provider.id, account.id),
+		err: () => new AuthError("INTERNAL_ERROR", "Failed to look up account")
+	}).pipe(Fx.chain((existingAccount) => {
+		if (existingAccount !== null) return (account.secret !== void 0 ? verify(provider, account.secret, existingAccount.secret ?? "").pipe(Fx.chain((valid) => valid ? Fx.succeed(void 0) : Fx.fail(new AuthError("ACCOUNT_ALREADY_EXISTS", `Account ${account.id} already exists`)))) : Fx.succeed(void 0)).pipe(Fx.chain(() => Fx.from({
+			ok: () => db.users.getById(existingAccount.userId),
+			err: () => new AuthError("ACCOUNT_NOT_FOUND", `Linked user for account ${account.id} was not found.`)
+		}).pipe(Fx.chain((doc) => doc === null ? Fx.fail(new AuthError("ACCOUNT_NOT_FOUND", `Linked user for account ${account.id} was not found.`)) : Fx.succeed(doc)))), Fx.map((user) => ({
+			account: existingAccount,
+			user
+		})));
+		return (account.secret !== void 0 ? hash(provider, account.secret) : Fx.succeed(void 0)).pipe(Fx.chain((secret) => Fx.from({
+			ok: async () => upsertUserAndAccount(ctx, await getAuthSessionId(ctx), {
+				providerAccountId: account.id,
+				secret
+			}, {
+				type: "credentials",
+				provider,
+				profile,
+				shouldLinkViaEmail,
+				shouldLinkViaPhone
+			}, config),
+			err: () => new AuthError("INTERNAL_ERROR")
+		})), Fx.chain((result) => {
+			const { userId, accountId } = result;
+			return Fx.zip(Fx.from({
+				ok: () => db.accounts.getById(accountId),
+				err: () => new AuthError("INTERNAL_ERROR")
+			}), Fx.from({
+				ok: () => db.users.getById(userId),
+				err: () => new AuthError("INTERNAL_ERROR")
+			}));
+		}), Fx.chain((pair) => {
+			const [createdAccount, createdUser] = pair;
+			return createdAccount === null ? Fx.fail(new AuthError("ACCOUNT_NOT_FOUND", `Created account was not found.`)) : createdUser === null ? Fx.fail(new AuthError("USER_UPDATE_FAILED", `Created user was not found.`)) : Fx.succeed({
+				account: createdAccount,
+				user: createdUser
+			});
+		}));
+	}), Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+}
+const callCreateAccountFromCredentials = async (ctx, args) => {
+	return ctx.runMutation(AUTH_STORE_REF, { args: {
+		type: "createAccountFromCredentials",
+		...args
+	} });
+};
+
+//#endregion
+export { callCreateAccountFromCredentials, createAccountFromCredentialsArgs, createAccountFromCredentialsImpl };
+//# sourceMappingURL=register.js.map

package/dist/server/mutations/register.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.js","names":["Provider.verify","Provider.hash"],"sources":["../../../src/server/mutations/register.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../authError\";\nimport * as Provider from \"../crypto\";\nimport { getAuthSessionId } from \"../sessions\";\nimport { Doc, MutationCtx } from \"../types\";\nimport { ConvexCredentialsConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { LOG_LEVELS, logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const createAccountFromCredentialsArgs = v.object({\n  provider: v.string(),\n  account: v.object({ id: v.string(), secret: v.optional(v.string()) }),\n  profile: v.any(),\n  shouldLinkViaEmail: v.optional(v.boolean()),\n  shouldLinkViaPhone: v.optional(v.boolean()),\n});\n\ntype ReturnType = { account: Doc<\"Account\">; user: Doc<\"User\"> };\n\nexport async function createAccountFromCredentialsImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof createAccountFromCredentialsArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  logWithLevel(LOG_LEVELS.DEBUG, \"createAccountFromCredentialsImpl args:\", {\n    provider: args.provider,\n    account: {\n      id: args.account.id,\n      secret: maybeRedact(args.account.secret ?? \"\"),\n    },\n  });\n\n  const {\n    provider: providerId,\n    account,\n    profile,\n    shouldLinkViaEmail,\n    shouldLinkViaPhone,\n  } = args;\n  const db = authDb(ctx, config);\n  const provider = getProviderOrThrow(providerId) as ConvexCredentialsConfig;\n\n  return Fx.run(\n    Fx.from({\n      ok: () =>\n        db.accounts.get(\n          provider.id,\n          account.id,\n        ) as Promise<Doc<\"Account\"> | null>,\n      err: () => new AuthError(\"INTERNAL_ERROR\", \"Failed to look up account\"),\n    }).pipe(\n      Fx.chain((existingAccount) => {\n        if (existingAccount !== null) {\n          const verifyExistingAccountFx =\n            account.secret !== undefined\n              ? Provider.verify(\n                  provider,\n                  account.secret,\n                  existingAccount.secret ?? \"\",\n                ).pipe(\n                  Fx.chain((valid) =>\n                    valid\n                      ? Fx.succeed(undefined)\n                      : Fx.fail(\n                          new AuthError(\n                            \"ACCOUNT_ALREADY_EXISTS\",\n                            `Account ${account.id} already exists`,\n                          ),\n                        ),\n                  ),\n                )\n              : Fx.succeed(undefined);\n\n          return verifyExistingAccountFx.pipe(\n            Fx.chain(() =>\n              Fx.from({\n                ok: () =>\n                  db.users.getById(\n                    existingAccount.userId,\n                  ) as Promise<Doc<\"User\"> | null>,\n                err: () =>\n                  new AuthError(\n                    \"ACCOUNT_NOT_FOUND\",\n                    `Linked user for account ${account.id} was not found.`,\n                  ),\n              }).pipe(\n                Fx.chain((doc) =>\n                  doc === null\n                    ? Fx.fail(\n                        new AuthError(\n                          \"ACCOUNT_NOT_FOUND\",\n                          `Linked user for account ${account.id} was not found.`,\n                        ),\n                      )\n                    : Fx.succeed(doc),\n                ),\n              ),\n            ),\n            Fx.map((user) => ({\n              account: existingAccount,\n              user,\n            })),\n          );\n        }\n\n        const secretFx: Fx<string | undefined, AuthError> =\n          account.secret !== undefined\n            ? Provider.hash(provider, account.secret)\n            : Fx.succeed<string | undefined>(undefined);\n\n        return secretFx.pipe(\n          Fx.chain((secret) =>\n            Fx.from({\n              ok: async () =>\n                upsertUserAndAccount(\n                  ctx,\n                  await getAuthSessionId(ctx),\n                  { providerAccountId: account.id, secret },\n                  {\n                    type: \"credentials\",\n                    provider,\n                    profile,\n                    shouldLinkViaEmail,\n                    shouldLinkViaPhone,\n                  },\n                  config,\n                ),\n              err: () => new AuthError(\"INTERNAL_ERROR\"),\n            }),\n          ),\n          Fx.chain((result) => {\n            const { userId, accountId } = result as {\n              userId: string;\n              accountId: string;\n            };\n            return Fx.zip(\n              Fx.from({\n                ok: () =>\n                  db.accounts.getById(\n                    accountId,\n                  ) as Promise<Doc<\"Account\"> | null>,\n                err: () => new AuthError(\"INTERNAL_ERROR\"),\n              }),\n              Fx.from({\n                ok: () =>\n                  db.users.getById(userId) as Promise<Doc<\"User\"> | null>,\n                err: () => new AuthError(\"INTERNAL_ERROR\"),\n              }),\n            );\n          }),\n          Fx.chain((pair) => {\n            const [createdAccount, createdUser] = pair as [\n              Doc<\"Account\"> | null,\n              Doc<\"User\"> | null,\n            ];\n            return createdAccount === null\n              ? Fx.fail(\n                  new AuthError(\n                    \"ACCOUNT_NOT_FOUND\",\n                    `Created account was not found.`,\n                  ),\n                )\n              : createdUser === null\n                ? Fx.fail(\n                    new AuthError(\n                      \"USER_UPDATE_FAILED\",\n                      `Created user was not found.`,\n                    ),\n                  )\n                : Fx.succeed({\n                    account: createdAccount,\n                    user: createdUser,\n                  });\n          }),\n        );\n      }),\n      Fx.recover((e) => Fx.fatal((e as AuthError).toConvexError())),\n    ),\n  ) as Promise<ReturnType>;\n}\n\nexport const callCreateAccountFromCredentials = async <\n  DataModel extends GenericDataModel,\n>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof createAccountFromCredentialsArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"createAccountFromCredentials\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;;;;AAcA,MAAa,mCAAmC,EAAE,OAAO;CACvD,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,OAAO;EAAE,IAAI,EAAE,QAAQ;EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAAE,CAAC;CACrE,SAAS,EAAE,KAAK;CAChB,oBAAoB,EAAE,SAAS,EAAE,SAAS,CAAC;CAC3C,oBAAoB,EAAE,SAAS,EAAE,SAAS,CAAC;CAC5C,CAAC;AAIF,eAAsB,iCACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,0CAA0C;EACvE,UAAU,KAAK;EACf,SAAS;GACP,IAAI,KAAK,QAAQ;GACjB,QAAQ,YAAY,KAAK,QAAQ,UAAU,GAAG;GAC/C;EACF,CAAC;CAEF,MAAM,EACJ,UAAU,YACV,SACA,SACA,oBACA,uBACE;CACJ,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,WAAW,mBAAmB,WAAW;AAE/C,QAAO,GAAG,IACR,GAAG,KAAK;EACN,UACE,GAAG,SAAS,IACV,SAAS,IACT,QAAQ,GACT;EACH,WAAW,IAAI,UAAU,kBAAkB,4BAA4B;EACxE,CAAC,CAAC,KACD,GAAG,OAAO,oBAAoB;AAC5B,MAAI,oBAAoB,KAqBtB,SAnBE,QAAQ,WAAW,SACfA,OACE,UACA,QAAQ,QACR,gBAAgB,UAAU,GAC3B,CAAC,KACA,GAAG,OAAO,UACR,QACI,GAAG,QAAQ,OAAU,GACrB,GAAG,KACD,IAAI,UACF,0BACA,WAAW,QAAQ,GAAG,iBACvB,CACF,CACN,CACF,GACD,GAAG,QAAQ,OAAU,EAEI,KAC7B,GAAG,YACD,GAAG,KAAK;GACN,UACE,GAAG,MAAM,QACP,gBAAgB,OACjB;GACH,WACE,IAAI,UACF,qBACA,2BAA2B,QAAQ,GAAG,iBACvC;GACJ,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KACD,IAAI,UACF,qBACA,2BAA2B,QAAQ,GAAG,iBACvC,CACF,GACD,GAAG,QAAQ,IAAI,CACpB,CACF,CACF,EACD,GAAG,KAAK,UAAU;GAChB,SAAS;GACT;GACD,EAAE,CACJ;AAQH,UAJE,QAAQ,WAAW,SACfC,KAAc,UAAU,QAAQ,OAAO,GACvC,GAAG,QAA4B,OAAU,EAE/B,KACd,GAAG,OAAO,WACR,GAAG,KAAK;GACN,IAAI,YACF,qBACE,KACA,MAAM,iBAAiB,IAAI,EAC3B;IAAE,mBAAmB,QAAQ;IAAI;IAAQ,EACzC;IACE,MAAM;IACN;IACA;IACA;IACA;IACD,EACD,OACD;GACH,WAAW,IAAI,UAAU,iBAAiB;GAC3C,CAAC,CACH,EACD,GAAG,OAAO,WAAW;GACnB,MAAM,EAAE,QAAQ,cAAc;AAI9B,UAAO,GAAG,IACR,GAAG,KAAK;IACN,UACE,GAAG,SAAS,QACV,UACD;IACH,WAAW,IAAI,UAAU,iBAAiB;IAC3C,CAAC,EACF,GAAG,KAAK;IACN,UACE,GAAG,MAAM,QAAQ,OAAO;IAC1B,WAAW,IAAI,UAAU,iBAAiB;IAC3C,CAAC,CACH;IACD,EACF,GAAG,OAAO,SAAS;GACjB,MAAM,CAAC,gBAAgB,eAAe;AAItC,UAAO,mBAAmB,OACtB,GAAG,KACD,IAAI,UACF,qBACA,iCACD,CACF,GACD,gBAAgB,OACd,GAAG,KACD,IAAI,UACF,sBACA,8BACD,CACF,GACD,GAAG,QAAQ;IACT,SAAS;IACT,MAAM;IACP,CAAC;IACR,CACH;GACD,EACF,GAAG,SAAS,MAAM,GAAG,MAAO,EAAgB,eAAe,CAAC,CAAC,CAC9D,CACF;;AAGH,MAAa,mCAAmC,OAG9C,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/server/mutations/retrieve.d.ts

@@ -0,0 +1,33 @@
+import { Doc, MutationCtx } from "../types.js";
+import { Config, GetProviderOrThrowFunc } from "../crypto.js";
+import { Fx } from "@robelest/fx";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+import * as convex_values116 from "convex/values";
+import { Infer } from "convex/values";
+
+//#region src/server/mutations/retrieve.d.ts
+declare const retrieveAccountWithCredentialsArgs: convex_values116.VObject<{
+  provider: string;
+  account: {
+    secret?: string | undefined;
+    id: string;
+  };
+}, {
+  provider: convex_values116.VString<string, "required">;
+  account: convex_values116.VObject<{
+    secret?: string | undefined;
+    id: string;
+  }, {
+    id: convex_values116.VString<string, "required">;
+    secret: convex_values116.VString<string | undefined, "optional">;
+  }, "required", "id" | "secret">;
+}, "required", "provider" | "account" | "account.id" | "account.secret">;
+type ReturnType = "InvalidAccountId" | "TooManyFailedAttempts" | "InvalidSecret" | {
+  account: Doc<"Account">;
+  user: Doc<"User">;
+};
+declare function retrieveAccountWithCredentialsImpl(ctx: MutationCtx, args: Infer<typeof retrieveAccountWithCredentialsArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Fx<ReturnType>;
+declare const callRetrieveAccountWithCredentials: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof retrieveAccountWithCredentialsArgs>) => Promise<ReturnType>;
+//#endregion
+export { callRetrieveAccountWithCredentials, retrieveAccountWithCredentialsArgs, retrieveAccountWithCredentialsImpl };
+//# sourceMappingURL=retrieve.d.ts.map

package/dist/server/mutations/retrieve.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"retrieve.d.ts","names":[],"sources":["../../../src/server/mutations/retrieve.ts"],"mappings":";;;;;;;;cAgBa,kCAAA,mBAAkC,OAAA;;;;;;;YAG7C,gBAAA,CAAA,OAAA;;;;;;;;;KAEG,UAAA;EAIC,OAAA,EAAS,GAAA;EAAgB,IAAA,EAAM,GAAA;AAAA;AAAA,iBAErB,kCAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,kCAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA;AAAA,cAgEO,kCAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,kCAAA,MAClB,OAAA,CAAQ,UAAA"}

package/dist/server/mutations/retrieve.js

@@ -0,0 +1,65 @@
+import { AuthError } from "../authError.js";
+import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
+import { authDb } from "../db.js";
+import { verify } from "../crypto.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
+import { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit } from "../limits.js";
+import { Fx } from "@robelest/fx";
+import { v } from "convex/values";
+
+//#region src/server/mutations/retrieve.ts
+const retrieveAccountWithCredentialsArgs = v.object({
+	provider: v.string(),
+	account: v.object({
+		id: v.string(),
+		secret: v.optional(v.string())
+	})
+});
+function retrieveAccountWithCredentialsImpl(ctx, args, getProviderOrThrow, config) {
+	const { provider: providerId, account } = args;
+	const db = authDb(ctx, config);
+	logWithLevel(LOG_LEVELS.DEBUG, "retrieveAccountWithCredentialsImpl args:", {
+		provider: providerId,
+		account: {
+			id: account.id,
+			secret: maybeRedact(account.secret ?? "")
+		}
+	});
+	return Fx.from({
+		ok: async () => {
+			const existingAccount = await db.accounts.get(providerId, account.id);
+			if (existingAccount === null) return "InvalidAccountId";
+			if (account.secret !== void 0) {
+				if (await Fx.run(isSignInRateLimited(ctx, existingAccount._id, config))) return "TooManyFailedAttempts";
+				if (!await Fx.run(verify(getProviderOrThrow(providerId), account.secret, existingAccount.secret ?? ""))) {
+					await Fx.run(recordFailedSignIn(ctx, existingAccount._id, config));
+					return "InvalidSecret";
+				}
+				await Fx.run(resetSignInRateLimit(ctx, existingAccount._id, config));
+			}
+			const user = await db.users.getById(existingAccount.userId);
+			if (user === null) {
+				logWithLevel(LOG_LEVELS.ERROR, `Account ${existingAccount._id} is linked to missing user ${existingAccount.userId}`);
+				return "InvalidAccountId";
+			}
+			return {
+				account: existingAccount,
+				user
+			};
+		},
+		err: () => new AuthError("INTERNAL_ERROR", "Failed to look up account")
+	}).pipe(Fx.fold({
+		ok: (v$1) => v$1,
+		err: () => "InvalidAccountId"
+	}));
+}
+const callRetrieveAccountWithCredentials = async (ctx, args) => {
+	return ctx.runMutation(AUTH_STORE_REF, { args: {
+		type: "retrieveAccountWithCredentials",
+		...args
+	} });
+};
+
+//#endregion
+export { callRetrieveAccountWithCredentials, retrieveAccountWithCredentialsArgs, retrieveAccountWithCredentialsImpl };
+//# sourceMappingURL=retrieve.js.map

package/dist/server/mutations/retrieve.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"retrieve.js","names":["Provider.verify","v"],"sources":["../../../src/server/mutations/retrieve.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../authError\";\nimport * as Provider from \"../crypto\";\nimport {\n  isSignInRateLimited,\n  recordFailedSignIn,\n  resetSignInRateLimit,\n} from \"../limits\";\nimport { Doc, MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const retrieveAccountWithCredentialsArgs = v.object({\n  provider: v.string(),\n  account: v.object({ id: v.string(), secret: v.optional(v.string()) }),\n});\n\ntype ReturnType =\n  | \"InvalidAccountId\"\n  | \"TooManyFailedAttempts\"\n  | \"InvalidSecret\"\n  | { account: Doc<\"Account\">; user: Doc<\"User\"> };\n\nexport function retrieveAccountWithCredentialsImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof retrieveAccountWithCredentialsArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Fx<ReturnType> {\n  const { provider: providerId, account } = args;\n  const db = authDb(ctx, config);\n\n  logWithLevel(LOG_LEVELS.DEBUG, \"retrieveAccountWithCredentialsImpl args:\", {\n    provider: providerId,\n    account: { id: account.id, secret: maybeRedact(account.secret ?? \"\") },\n  });\n\n  return Fx.from({\n    ok: async () => {\n      const existingAccount = (await db.accounts.get(\n        providerId,\n        account.id,\n      )) as Doc<\"Account\"> | null;\n      if (existingAccount === null) {\n        return \"InvalidAccountId\" as const;\n      }\n\n      if (account.secret !== undefined) {\n        const limited = await Fx.run(\n          isSignInRateLimited(ctx, existingAccount._id, config),\n        );\n        if (limited) {\n          return \"TooManyFailedAttempts\" as const;\n        }\n\n        const valid = await Fx.run(\n          Provider.verify(\n            getProviderOrThrow(providerId),\n            account.secret,\n            existingAccount.secret ?? \"\",\n          ),\n        );\n        if (!valid) {\n          await Fx.run(recordFailedSignIn(ctx, existingAccount._id, config));\n          return \"InvalidSecret\" as const;\n        }\n\n        await Fx.run(resetSignInRateLimit(ctx, existingAccount._id, config));\n      }\n\n      const user = (await db.users.getById(\n        existingAccount.userId,\n      )) as Doc<\"User\"> | null;\n      if (user === null) {\n        logWithLevel(\n          LOG_LEVELS.ERROR,\n          `Account ${existingAccount._id} is linked to missing user ${existingAccount.userId}`,\n        );\n        return \"InvalidAccountId\" as const;\n      }\n\n      return { account: existingAccount, user } as const;\n    },\n    err: () => new AuthError(\"INTERNAL_ERROR\", \"Failed to look up account\"),\n  }).pipe(\n    Fx.fold({\n      ok: (v) => v as ReturnType,\n      err: () => \"InvalidAccountId\" as ReturnType,\n    }),\n  );\n}\n\nexport const callRetrieveAccountWithCredentials = async <\n  DataModel extends GenericDataModel,\n>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof retrieveAccountWithCredentialsArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"retrieveAccountWithCredentials\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;;;AAgBA,MAAa,qCAAqC,EAAE,OAAO;CACzD,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,OAAO;EAAE,IAAI,EAAE,QAAQ;EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAAE,CAAC;CACtE,CAAC;AAQF,SAAgB,mCACd,KACA,MACA,oBACA,QACgB;CAChB,MAAM,EAAE,UAAU,YAAY,YAAY;CAC1C,MAAM,KAAK,OAAO,KAAK,OAAO;AAE9B,cAAa,WAAW,OAAO,4CAA4C;EACzE,UAAU;EACV,SAAS;GAAE,IAAI,QAAQ;GAAI,QAAQ,YAAY,QAAQ,UAAU,GAAG;GAAE;EACvE,CAAC;AAEF,QAAO,GAAG,KAAK;EACb,IAAI,YAAY;GACd,MAAM,kBAAmB,MAAM,GAAG,SAAS,IACzC,YACA,QAAQ,GACT;AACD,OAAI,oBAAoB,KACtB,QAAO;AAGT,OAAI,QAAQ,WAAW,QAAW;AAIhC,QAHgB,MAAM,GAAG,IACvB,oBAAoB,KAAK,gBAAgB,KAAK,OAAO,CACtD,CAEC,QAAO;AAUT,QAAI,CAPU,MAAM,GAAG,IACrBA,OACE,mBAAmB,WAAW,EAC9B,QAAQ,QACR,gBAAgB,UAAU,GAC3B,CACF,EACW;AACV,WAAM,GAAG,IAAI,mBAAmB,KAAK,gBAAgB,KAAK,OAAO,CAAC;AAClE,YAAO;;AAGT,UAAM,GAAG,IAAI,qBAAqB,KAAK,gBAAgB,KAAK,OAAO,CAAC;;GAGtE,MAAM,OAAQ,MAAM,GAAG,MAAM,QAC3B,gBAAgB,OACjB;AACD,OAAI,SAAS,MAAM;AACjB,iBACE,WAAW,OACX,WAAW,gBAAgB,IAAI,6BAA6B,gBAAgB,SAC7E;AACD,WAAO;;AAGT,UAAO;IAAE,SAAS;IAAiB;IAAM;;EAE3C,WAAW,IAAI,UAAU,kBAAkB,4BAA4B;EACxE,CAAC,CAAC,KACD,GAAG,KAAK;EACN,KAAK,QAAMC;EACX,WAAW;EACZ,CAAC,CACH;;AAGH,MAAa,qCAAqC,OAGhD,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/server/mutations/signature.d.ts

@@ -0,0 +1,22 @@
+import { MutationCtx } from "../types.js";
+import { AuthError } from "../authError.js";
+import { Config } from "../crypto.js";
+import { Fx } from "@robelest/fx";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+import * as convex_values111 from "convex/values";
+import { Infer } from "convex/values";
+
+//#region src/server/mutations/signature.d.ts
+declare const verifierSignatureArgs: convex_values111.VObject<{
+  verifier: string;
+  signature: string;
+}, {
+  verifier: convex_values111.VString<string, "required">;
+  signature: convex_values111.VString<string, "required">;
+}, "required", "verifier" | "signature">;
+type ReturnType = void;
+declare function verifierSignatureImpl(ctx: MutationCtx, args: Infer<typeof verifierSignatureArgs>, config: Config): Fx<ReturnType, AuthError>;
+declare const callVerifierSignature: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof verifierSignatureArgs>) => Promise<void>;
+//#endregion
+export { callVerifierSignature, verifierSignatureArgs, verifierSignatureImpl };
+//# sourceMappingURL=signature.d.ts.map

package/dist/server/mutations/signature.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signature.d.ts","names":[],"sources":["../../../src/server/mutations/signature.ts"],"mappings":";;;;;;;;;cAUa,qBAAA,mBAAqB,OAAA;;;;YAGhC,gBAAA,CAAA,OAAA;;;KAEG,UAAA;AAAA,iBAEW,qBAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,qBAAA,GACnB,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA,EAAY,SAAA;AAAA,cAkBL,qBAAA,qBAAiD,gBAAA,EAC5D,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,qBAAA,MAClB,OAAA"}

package/dist/server/mutations/signature.js

@@ -0,0 +1,32 @@
+import { AuthError } from "../authError.js";
+import { authDb } from "../db.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
+import { Fx } from "@robelest/fx";
+import { v } from "convex/values";
+
+//#region src/server/mutations/signature.ts
+const verifierSignatureArgs = v.object({
+	verifier: v.string(),
+	signature: v.string()
+});
+function verifierSignatureImpl(ctx, args, config) {
+	return Fx.gen(function* () {
+		const { verifier, signature } = args;
+		const db = authDb(ctx, config);
+		const verifierDoc = yield* Fx.from({
+			ok: () => db.verifiers.getById(verifier),
+			err: () => new AuthError("INVALID_VERIFIER")
+		}).pipe(Fx.chain((doc) => doc === null ? Fx.fail(new AuthError("INVALID_VERIFIER")) : Fx.succeed(doc)));
+		yield* Fx.promise(() => db.verifiers.patch(verifierDoc._id, { signature }));
+	});
+}
+const callVerifierSignature = async (ctx, args) => {
+	return ctx.runMutation(AUTH_STORE_REF, { args: {
+		type: "verifierSignature",
+		...args
+	} });
+};
+
+//#endregion
+export { callVerifierSignature, verifierSignatureArgs, verifierSignatureImpl };
+//# sourceMappingURL=signature.js.map

package/dist/server/mutations/signature.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signature.js","names":[],"sources":["../../../src/server/mutations/signature.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../authError\";\nimport * as Provider from \"../crypto\";\nimport { MutationCtx } from \"../types\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const verifierSignatureArgs = v.object({\n  verifier: v.string(),\n  signature: v.string(),\n});\n\ntype ReturnType = void;\n\nexport function verifierSignatureImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof verifierSignatureArgs>,\n  config: Provider.Config,\n): Fx<ReturnType, AuthError> {\n  return Fx.gen(function* () {\n    const { verifier, signature } = args;\n    const db = authDb(ctx, config);\n    const verifierDoc = yield* Fx.from({\n      ok: () => db.verifiers.getById(verifier as GenericId<\"AuthVerifier\">),\n      err: () => new AuthError(\"INVALID_VERIFIER\"),\n    }).pipe(\n      Fx.chain((doc) =>\n        doc === null\n          ? Fx.fail(new AuthError(\"INVALID_VERIFIER\"))\n          : Fx.succeed(doc),\n      ),\n    );\n    yield* Fx.promise(() => db.verifiers.patch(verifierDoc._id, { signature }));\n  });\n}\n\nexport const callVerifierSignature = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof verifierSignatureArgs>,\n): Promise<void> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"verifierSignature\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;AAUA,MAAa,wBAAwB,EAAE,OAAO;CAC5C,UAAU,EAAE,QAAQ;CACpB,WAAW,EAAE,QAAQ;CACtB,CAAC;AAIF,SAAgB,sBACd,KACA,MACA,QAC2B;AAC3B,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,EAAE,UAAU,cAAc;EAChC,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,cAAc,OAAO,GAAG,KAAK;GACjC,UAAU,GAAG,UAAU,QAAQ,SAAsC;GACrE,WAAW,IAAI,UAAU,mBAAmB;GAC7C,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK,IAAI,UAAU,mBAAmB,CAAC,GAC1C,GAAG,QAAQ,IAAI,CACpB,CACF;AACD,SAAO,GAAG,cAAc,GAAG,UAAU,MAAM,YAAY,KAAK,EAAE,WAAW,CAAC,CAAC;GAC3E;;AAGJ,MAAa,wBAAwB,OACnC,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/server/mutations/signin.d.ts

@@ -0,0 +1,22 @@
+import { MutationCtx, SessionInfo } from "../types.js";
+import { Config } from "../crypto.js";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+import * as convex_values16 from "convex/values";
+import { Infer } from "convex/values";
+
+//#region src/server/mutations/signin.d.ts
+declare const signInArgs: convex_values16.VObject<{
+  sessionId?: string | undefined;
+  userId: string;
+  generateTokens: boolean;
+}, {
+  userId: convex_values16.VString<string, "required">;
+  sessionId: convex_values16.VString<string | undefined, "optional">;
+  generateTokens: convex_values16.VBoolean<boolean, "required">;
+}, "required", "userId" | "sessionId" | "generateTokens">;
+type ReturnType = SessionInfo;
+declare function signInImpl(ctx: MutationCtx, args: Infer<typeof signInArgs>, config: Config): Promise<ReturnType>;
+declare const callSignIn: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof signInArgs>) => Promise<ReturnType>;
+//#endregion
+export { callSignIn, signInArgs, signInImpl };
+//# sourceMappingURL=signin.d.ts.map

package/dist/server/mutations/signin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signin.d.ts","names":[],"sources":["../../../src/server/mutations/signin.ts"],"mappings":";;;;;;;cAYa,UAAA,kBAAU,OAAA;;;;;UAIrB,eAAA,CAAA,OAAA;;;;KAEG,UAAA,GAAa,WAAA;AAAA,iBAEI,UAAA,CACpB,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,UAAA,GACnB,MAAA,EAAQ,MAAA,GACP,OAAA,CAAQ,UAAA;AAAA,cAmBE,UAAA,qBAAsC,gBAAA,EACjD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,UAAA,MAClB,OAAA,CAAQ,UAAA"}

package/dist/server/{implementation/mutations → mutations}/signin.js

@@ -1,9 +1,9 @@
 import { LOG_LEVELS, logWithLevel } from "../utils.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
 import { createNewAndDeleteExistingSession, maybeGenerateTokensForSession } from "../sessions.js";
-import { AUTH_STORE_REF } from "./store.js";
 import { v } from "convex/values";
 
-//#region src/server/implementation/mutations/signin.ts
+//#region src/server/mutations/signin.ts
 const signInArgs = v.object({
 	userId: v.string(),
 	sessionId: v.optional(v.string()),

package/dist/server/mutations/signin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signin.js","names":[],"sources":["../../../src/server/mutations/signin.ts"],"sourcesContent":["import type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport {\n  createNewAndDeleteExistingSession,\n  maybeGenerateTokensForSession,\n} from \"../sessions\";\nimport { MutationCtx, SessionInfo } from \"../types\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const signInArgs = v.object({\n  userId: v.string(),\n  sessionId: v.optional(v.string()),\n  generateTokens: v.boolean(),\n});\n\ntype ReturnType = SessionInfo;\n\nexport async function signInImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof signInArgs>,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  logWithLevel(LOG_LEVELS.DEBUG, \"signInImpl args:\", args);\n  const { userId, sessionId: existingSessionId, generateTokens } = args;\n  const typedUserId = userId as GenericId<\"User\">;\n  const typedExistingSessionId = existingSessionId as\n    | GenericId<\"Session\">\n    | undefined;\n  const sessionId =\n    typedExistingSessionId ??\n    (await createNewAndDeleteExistingSession(ctx, config, typedUserId));\n  return await maybeGenerateTokensForSession(\n    ctx,\n    config,\n    typedUserId,\n    sessionId,\n    generateTokens,\n  );\n}\n\nexport const callSignIn = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof signInArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"signIn\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;AAYA,MAAa,aAAa,EAAE,OAAO;CACjC,QAAQ,EAAE,QAAQ;CAClB,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,gBAAgB,EAAE,SAAS;CAC5B,CAAC;AAIF,eAAsB,WACpB,KACA,MACA,QACqB;AACrB,cAAa,WAAW,OAAO,oBAAoB,KAAK;CACxD,MAAM,EAAE,QAAQ,WAAW,mBAAmB,mBAAmB;CACjE,MAAM,cAAc;AAOpB,QAAO,MAAM,8BACX,KACA,QACA,aAT6B,qBAK5B,MAAM,kCAAkC,KAAK,QAAQ,YAAY,EAMlE,eACD;;AAGH,MAAa,aAAa,OACxB,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/server/mutations/signout.d.ts

@@ -0,0 +1,16 @@
+import { MutationCtx } from "../types.js";
+import { Config } from "../crypto.js";
+import { Fx } from "@robelest/fx";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+import { GenericId } from "convex/values";
+
+//#region src/server/mutations/signout.d.ts
+type ReturnType = {
+  userId: GenericId<"User">;
+  sessionId: GenericId<"Session">;
+} | null;
+declare function signOutImpl(ctx: MutationCtx, config: Config): Fx<ReturnType, never>;
+declare const callSignOut: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>) => Promise<void>;
+//#endregion
+export { callSignOut, signOutImpl };
+//# sourceMappingURL=signout.d.ts.map

package/dist/server/mutations/signout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signout.d.ts","names":[],"sources":["../../../src/server/mutations/signout.ts"],"mappings":";;;;;;;KAUK,UAAA;EACH,MAAA,EAAQ,SAAA;EACR,SAAA,EAAW,SAAA;AAAA;AAAA,iBAGG,WAAA,CACd,GAAA,EAAK,WAAA,EACL,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA;AAAA,cAgBO,WAAA,qBAAuC,gBAAA,EAClD,GAAA,EAAK,gBAAA,CAAiB,SAAA,MACrB,OAAA"}

package/dist/server/mutations/signout.js

@@ -0,0 +1,27 @@
+import { authDb } from "../db.js";
+import { AUTH_STORE_REF } from "./store/refs.js";
+import { deleteSession, getAuthSessionId } from "../sessions.js";
+import { Fx } from "@robelest/fx";
+
+//#region src/server/mutations/signout.ts
+function signOutImpl(ctx, config) {
+	return Fx.gen(function* () {
+		const db = authDb(ctx, config);
+		const sessionId = yield* Fx.promise(() => getAuthSessionId(ctx));
+		if (sessionId === null) return null;
+		const session = yield* Fx.promise(() => db.sessions.getById(sessionId));
+		if (session === null) return null;
+		yield* Fx.promise(() => deleteSession(ctx, session, config));
+		return {
+			userId: session.userId,
+			sessionId: session._id
+		};
+	});
+}
+const callSignOut = async (ctx) => {
+	return ctx.runMutation(AUTH_STORE_REF, { args: { type: "signOut" } });
+};
+
+//#endregion
+export { callSignOut, signOutImpl };
+//# sourceMappingURL=signout.js.map

package/dist/server/mutations/signout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signout.js","names":[],"sources":["../../../src/server/mutations/signout.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport * as Provider from \"../crypto\";\nimport { deleteSession, getAuthSessionId } from \"../sessions\";\nimport { MutationCtx } from \"../types\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\ntype ReturnType = {\n  userId: GenericId<\"User\">;\n  sessionId: GenericId<\"Session\">;\n} | null;\n\nexport function signOutImpl(\n  ctx: MutationCtx,\n  config: Provider.Config,\n): Fx<ReturnType, never> {\n  return Fx.gen(function* () {\n    const db = authDb(ctx, config);\n    const sessionId = yield* Fx.promise(() => getAuthSessionId(ctx));\n    if (sessionId === null) {\n      return null;\n    }\n    const session = yield* Fx.promise(() => db.sessions.getById(sessionId));\n    if (session === null) {\n      return null;\n    }\n    yield* Fx.promise(() => deleteSession(ctx, session, config));\n    return { userId: session.userId, sessionId: session._id };\n  });\n}\n\nexport const callSignOut = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n): Promise<void> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"signOut\",\n    },\n  });\n};\n"],"mappings":";;;;;;AAeA,SAAgB,YACd,KACA,QACuB;AACvB,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,YAAY,OAAO,GAAG,cAAc,iBAAiB,IAAI,CAAC;AAChE,MAAI,cAAc,KAChB,QAAO;EAET,MAAM,UAAU,OAAO,GAAG,cAAc,GAAG,SAAS,QAAQ,UAAU,CAAC;AACvE,MAAI,YAAY,KACd,QAAO;AAET,SAAO,GAAG,cAAc,cAAc,KAAK,SAAS,OAAO,CAAC;AAC5D,SAAO;GAAE,QAAQ,QAAQ;GAAQ,WAAW,QAAQ;GAAK;GACzD;;AAGJ,MAAa,cAAc,OACzB,QACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM,EACJ,MAAM,WACP,EACF,CAAC"}

package/dist/server/mutations/store/refs.d.ts

@@ -0,0 +1,12 @@
+//#region src/server/mutations/store/refs.d.ts
+/**
+ * Internal function reference for the library's store dispatch mutation.
+ *
+ * The package cannot import the consumer app's generated `api` module,
+ * so it uses a canonical function reference name that matches the app-level
+ * `export const { store } = auth` surface.
+ */
+declare const AUTH_STORE_REF: any;
+//#endregion
+export { AUTH_STORE_REF };
+//# sourceMappingURL=refs.d.ts.map

package/dist/server/mutations/store/refs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refs.d.ts","names":[],"sources":["../../../../src/server/mutations/store/refs.ts"],"mappings":";;AASA;;;;;;cAAa,cAAA"}

package/dist/server/mutations/store/refs.js

@@ -0,0 +1,15 @@
+import { makeFunctionReference } from "convex/server";
+
+//#region src/server/mutations/store/refs.ts
+/**
+* Internal function reference for the library's store dispatch mutation.
+*
+* The package cannot import the consumer app's generated `api` module,
+* so it uses a canonical function reference name that matches the app-level
+* `export const { store } = auth` surface.
+*/
+const AUTH_STORE_REF = makeFunctionReference("auth:store");
+
+//#endregion
+export { AUTH_STORE_REF };
+//# sourceMappingURL=refs.js.map