@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (798) hide show
  1. package/README.md +67 -26
  2. package/dist/authorization/index.d.ts +63 -0
  3. package/dist/authorization/index.d.ts.map +1 -0
  4. package/dist/authorization/index.js +63 -0
  5. package/dist/authorization/index.js.map +1 -0
  6. package/dist/bin.js +6185 -0
  7. package/dist/client/core/types.d.ts +20 -0
  8. package/dist/client/core/types.d.ts.map +1 -0
  9. package/dist/client/index.d.ts +2 -299
  10. package/dist/client/index.d.ts.map +1 -1
  11. package/dist/client/index.js +407 -534
  12. package/dist/client/index.js.map +1 -1
  13. package/dist/component/_generated/api.d.ts +42 -0
  14. package/dist/component/_generated/api.d.ts.map +1 -1
  15. package/dist/component/_generated/api.js.map +1 -1
  16. package/dist/component/_generated/component.d.ts +2546 -90
  17. package/dist/component/_generated/component.d.ts.map +1 -1
  18. package/dist/component/client/core/types.d.ts +2 -0
  19. package/dist/component/client/index.d.ts +2 -0
  20. package/dist/component/convex.config.d.ts +2 -2
  21. package/dist/component/functions.d.ts +11 -9
  22. package/dist/component/functions.d.ts.map +1 -1
  23. package/dist/component/functions.js.map +1 -1
  24. package/dist/component/index.d.ts +7 -11
  25. package/dist/component/index.js +2 -3
  26. package/dist/component/model.d.ts +153 -0
  27. package/dist/component/model.d.ts.map +1 -0
  28. package/dist/component/model.js +349 -0
  29. package/dist/component/model.js.map +1 -0
  30. package/dist/component/providers/anonymous.d.ts +54 -0
  31. package/dist/component/providers/anonymous.d.ts.map +1 -0
  32. package/dist/component/providers/credentials.d.ts +5 -5
  33. package/dist/component/providers/credentials.d.ts.map +1 -1
  34. package/dist/component/providers/device.d.ts +67 -0
  35. package/dist/component/providers/device.d.ts.map +1 -0
  36. package/dist/component/providers/email.d.ts +62 -0
  37. package/dist/component/providers/email.d.ts.map +1 -0
  38. package/dist/component/providers/oauth.d.ts.map +1 -1
  39. package/dist/component/providers/oauth.js.map +1 -1
  40. package/dist/component/providers/passkey.d.ts +57 -0
  41. package/dist/component/providers/passkey.d.ts.map +1 -0
  42. package/dist/component/providers/password.d.ts +88 -0
  43. package/dist/component/providers/password.d.ts.map +1 -0
  44. package/dist/component/providers/phone.d.ts +48 -0
  45. package/dist/component/providers/phone.d.ts.map +1 -0
  46. package/dist/component/providers/sso.d.ts +50 -0
  47. package/dist/component/providers/sso.d.ts.map +1 -0
  48. package/dist/component/providers/totp.d.ts +45 -0
  49. package/dist/component/providers/totp.d.ts.map +1 -0
  50. package/dist/component/public/enterprise/audit.d.ts +73 -0
  51. package/dist/component/public/enterprise/audit.d.ts.map +1 -0
  52. package/dist/component/public/enterprise/audit.js +108 -0
  53. package/dist/component/public/enterprise/audit.js.map +1 -0
  54. package/dist/component/public/enterprise/core.d.ts +176 -0
  55. package/dist/component/public/enterprise/core.d.ts.map +1 -0
  56. package/dist/component/public/enterprise/core.js +292 -0
  57. package/dist/component/public/enterprise/core.js.map +1 -0
  58. package/dist/component/public/enterprise/domains.d.ts +174 -0
  59. package/dist/component/public/enterprise/domains.d.ts.map +1 -0
  60. package/dist/component/public/enterprise/domains.js +271 -0
  61. package/dist/component/public/enterprise/domains.js.map +1 -0
  62. package/dist/component/public/enterprise/scim.d.ts +245 -0
  63. package/dist/component/public/enterprise/scim.d.ts.map +1 -0
  64. package/dist/component/public/enterprise/scim.js +344 -0
  65. package/dist/component/public/enterprise/scim.js.map +1 -0
  66. package/dist/component/public/enterprise/secrets.d.ts +78 -0
  67. package/dist/component/public/enterprise/secrets.d.ts.map +1 -0
  68. package/dist/component/public/enterprise/secrets.js +118 -0
  69. package/dist/component/public/enterprise/secrets.js.map +1 -0
  70. package/dist/component/public/enterprise/webhooks.d.ts +211 -0
  71. package/dist/component/public/enterprise/webhooks.d.ts.map +1 -0
  72. package/dist/component/public/enterprise/webhooks.js +300 -0
  73. package/dist/component/public/enterprise/webhooks.js.map +1 -0
  74. package/dist/component/public/factors/devices.d.ts +157 -0
  75. package/dist/component/public/factors/devices.d.ts.map +1 -0
  76. package/dist/component/public/factors/devices.js +216 -0
  77. package/dist/component/public/factors/devices.js.map +1 -0
  78. package/dist/component/public/factors/passkeys.d.ts +175 -0
  79. package/dist/component/public/factors/passkeys.d.ts.map +1 -0
  80. package/dist/component/public/factors/passkeys.js +238 -0
  81. package/dist/component/public/factors/passkeys.js.map +1 -0
  82. package/dist/component/public/factors/totp.d.ts +189 -0
  83. package/dist/component/public/factors/totp.d.ts.map +1 -0
  84. package/dist/component/public/factors/totp.js +254 -0
  85. package/dist/component/public/factors/totp.js.map +1 -0
  86. package/dist/component/public/groups/core.d.ts +137 -0
  87. package/dist/component/public/groups/core.d.ts.map +1 -0
  88. package/dist/component/public/groups/core.js +321 -0
  89. package/dist/component/public/groups/core.js.map +1 -0
  90. package/dist/component/public/groups/invites.d.ts +217 -0
  91. package/dist/component/public/groups/invites.d.ts.map +1 -0
  92. package/dist/component/public/groups/invites.js +457 -0
  93. package/dist/component/public/groups/invites.js.map +1 -0
  94. package/dist/component/public/groups/members.d.ts +204 -0
  95. package/dist/component/public/groups/members.d.ts.map +1 -0
  96. package/dist/component/public/groups/members.js +355 -0
  97. package/dist/component/public/groups/members.js.map +1 -0
  98. package/dist/component/public/identity/accounts.d.ts +147 -0
  99. package/dist/component/public/identity/accounts.d.ts.map +1 -0
  100. package/dist/component/public/identity/accounts.js +200 -0
  101. package/dist/component/public/identity/accounts.js.map +1 -0
  102. package/dist/component/public/identity/codes.d.ts +104 -0
  103. package/dist/component/public/identity/codes.d.ts.map +1 -0
  104. package/dist/component/public/identity/codes.js +140 -0
  105. package/dist/component/public/identity/codes.js.map +1 -0
  106. package/dist/component/public/identity/sessions.d.ts +128 -0
  107. package/dist/component/public/identity/sessions.d.ts.map +1 -0
  108. package/dist/component/public/identity/sessions.js +192 -0
  109. package/dist/component/public/identity/sessions.js.map +1 -0
  110. package/dist/component/public/identity/tokens.d.ts +169 -0
  111. package/dist/component/public/identity/tokens.d.ts.map +1 -0
  112. package/dist/component/public/identity/tokens.js +227 -0
  113. package/dist/component/public/identity/tokens.js.map +1 -0
  114. package/dist/component/public/identity/users.d.ts +212 -0
  115. package/dist/component/public/identity/users.d.ts.map +1 -0
  116. package/dist/component/public/identity/users.js +311 -0
  117. package/dist/component/public/identity/users.js.map +1 -0
  118. package/dist/component/public/identity/verifiers.d.ts +116 -0
  119. package/dist/component/public/identity/verifiers.d.ts.map +1 -0
  120. package/dist/component/public/identity/verifiers.js +154 -0
  121. package/dist/component/public/identity/verifiers.js.map +1 -0
  122. package/dist/component/public/security/keys.d.ts +209 -0
  123. package/dist/component/public/security/keys.d.ts.map +1 -0
  124. package/dist/component/public/security/keys.js +319 -0
  125. package/dist/component/public/security/keys.js.map +1 -0
  126. package/dist/component/public/security/limits.d.ts +114 -0
  127. package/dist/component/public/security/limits.d.ts.map +1 -0
  128. package/dist/component/public/security/limits.js +169 -0
  129. package/dist/component/public/security/limits.js.map +1 -0
  130. package/dist/component/public.d.ts +24 -271
  131. package/dist/component/public.d.ts.map +1 -1
  132. package/dist/component/public.js +21 -1229
  133. package/dist/component/schema.d.ts +473 -110
  134. package/dist/component/schema.js +162 -73
  135. package/dist/component/schema.js.map +1 -1
  136. package/dist/component/server/auth.d.ts +318 -373
  137. package/dist/component/server/auth.d.ts.map +1 -1
  138. package/dist/component/server/auth.js +204 -123
  139. package/dist/component/server/auth.js.map +1 -1
  140. package/dist/component/server/authError.js +34 -0
  141. package/dist/component/server/authError.js.map +1 -0
  142. package/dist/component/server/{providers.js → config.js} +43 -12
  143. package/dist/component/server/config.js.map +1 -0
  144. package/dist/component/server/cookies.js +3 -0
  145. package/dist/component/server/cookies.js.map +1 -1
  146. package/dist/component/server/core.js +713 -0
  147. package/dist/component/server/core.js.map +1 -0
  148. package/dist/component/server/crypto.js +38 -0
  149. package/dist/component/server/crypto.js.map +1 -0
  150. package/dist/component/server/{implementation/db.js → db.js} +2 -1
  151. package/dist/component/server/db.js.map +1 -0
  152. package/dist/component/server/device.js +109 -0
  153. package/dist/component/server/device.js.map +1 -0
  154. package/dist/component/server/enterprise/config.js +46 -0
  155. package/dist/component/server/enterprise/config.js.map +1 -0
  156. package/dist/component/server/enterprise/domain.js +885 -0
  157. package/dist/component/server/enterprise/domain.js.map +1 -0
  158. package/dist/component/server/enterprise/http.js +766 -0
  159. package/dist/component/server/enterprise/http.js.map +1 -0
  160. package/dist/component/server/enterprise/oidc.js +248 -0
  161. package/dist/component/server/enterprise/oidc.js.map +1 -0
  162. package/dist/component/server/enterprise/policy.js +85 -0
  163. package/dist/component/server/enterprise/policy.js.map +1 -0
  164. package/dist/component/server/enterprise/saml.js +338 -0
  165. package/dist/component/server/enterprise/saml.js.map +1 -0
  166. package/dist/component/server/enterprise/scim.js +97 -0
  167. package/dist/component/server/enterprise/scim.js.map +1 -0
  168. package/dist/component/server/enterprise/shared.js +51 -0
  169. package/dist/component/server/enterprise/shared.js.map +1 -0
  170. package/dist/component/server/errors.d.ts +1 -0
  171. package/dist/component/server/errors.js +24 -16
  172. package/dist/component/server/errors.js.map +1 -1
  173. package/dist/component/server/http.js +288 -0
  174. package/dist/component/server/http.js.map +1 -0
  175. package/dist/component/server/identity.js +13 -0
  176. package/dist/component/server/identity.js.map +1 -0
  177. package/dist/{server/implementation → component/server}/keys.js +9 -31
  178. package/dist/component/server/keys.js.map +1 -0
  179. package/dist/component/server/limits.js +61 -0
  180. package/dist/component/server/limits.js.map +1 -0
  181. package/dist/component/server/mutations/account.js +44 -0
  182. package/dist/component/server/mutations/account.js.map +1 -0
  183. package/dist/component/server/{implementation/mutations → mutations}/code.js +7 -4
  184. package/dist/component/server/mutations/code.js.map +1 -0
  185. package/dist/component/server/mutations/invalidate.js +32 -0
  186. package/dist/component/server/mutations/invalidate.js.map +1 -0
  187. package/dist/component/server/mutations/oauth.js +110 -0
  188. package/dist/component/server/mutations/oauth.js.map +1 -0
  189. package/dist/component/server/mutations/refresh.js +119 -0
  190. package/dist/component/server/mutations/refresh.js.map +1 -0
  191. package/dist/component/server/mutations/register.js +83 -0
  192. package/dist/component/server/mutations/register.js.map +1 -0
  193. package/dist/component/server/mutations/retrieve.js +65 -0
  194. package/dist/component/server/mutations/retrieve.js.map +1 -0
  195. package/dist/component/server/mutations/signature.js +32 -0
  196. package/dist/component/server/mutations/signature.js.map +1 -0
  197. package/dist/component/server/{implementation/mutations → mutations}/signin.js +2 -2
  198. package/dist/component/server/mutations/signin.js.map +1 -0
  199. package/dist/component/server/mutations/signout.js +27 -0
  200. package/dist/component/server/mutations/signout.js.map +1 -0
  201. package/dist/component/server/mutations/store/refs.js +15 -0
  202. package/dist/component/server/mutations/store/refs.js.map +1 -0
  203. package/dist/component/server/mutations/store.js +85 -0
  204. package/dist/component/server/mutations/store.js.map +1 -0
  205. package/dist/component/server/mutations/verifier.js +18 -0
  206. package/dist/component/server/mutations/verifier.js.map +1 -0
  207. package/dist/component/server/mutations/verify.js +98 -0
  208. package/dist/component/server/mutations/verify.js.map +1 -0
  209. package/dist/component/server/oauth.js +106 -60
  210. package/dist/component/server/oauth.js.map +1 -1
  211. package/dist/component/server/passkey.js +328 -0
  212. package/dist/component/server/passkey.js.map +1 -0
  213. package/dist/{server/implementation → component/server}/redirects.js +13 -11
  214. package/dist/component/server/redirects.js.map +1 -0
  215. package/dist/component/server/refresh.js +96 -0
  216. package/dist/component/server/refresh.js.map +1 -0
  217. package/dist/component/server/runtime.d.ts +136 -0
  218. package/dist/component/server/runtime.d.ts.map +1 -0
  219. package/dist/component/server/runtime.js +413 -0
  220. package/dist/component/server/runtime.js.map +1 -0
  221. package/dist/{server/implementation → component/server}/sessions.js +14 -8
  222. package/dist/component/server/sessions.js.map +1 -0
  223. package/dist/component/server/signin.js +201 -0
  224. package/dist/component/server/signin.js.map +1 -0
  225. package/dist/component/server/tokens.js +17 -0
  226. package/dist/component/server/tokens.js.map +1 -0
  227. package/dist/component/server/totp.js +148 -0
  228. package/dist/component/server/totp.js.map +1 -0
  229. package/dist/component/server/types.d.ts +387 -298
  230. package/dist/component/server/types.d.ts.map +1 -1
  231. package/dist/component/server/{implementation/types.js → types.js} +1 -1
  232. package/dist/component/server/types.js.map +1 -0
  233. package/dist/component/server/{implementation/users.js → users.js} +54 -35
  234. package/dist/component/server/users.js.map +1 -0
  235. package/dist/component/server/utils.js +110 -4
  236. package/dist/component/server/utils.js.map +1 -1
  237. package/dist/core/types.d.ts +369 -0
  238. package/dist/core/types.d.ts.map +1 -0
  239. package/dist/factors/device.js +105 -0
  240. package/dist/factors/device.js.map +1 -0
  241. package/dist/factors/passkey.js +181 -0
  242. package/dist/factors/passkey.js.map +1 -0
  243. package/dist/factors/totp.js +122 -0
  244. package/dist/factors/totp.js.map +1 -0
  245. package/dist/providers/anonymous.d.ts +3 -9
  246. package/dist/providers/anonymous.d.ts.map +1 -1
  247. package/dist/providers/anonymous.js +1 -18
  248. package/dist/providers/anonymous.js.map +1 -1
  249. package/dist/providers/credentials.d.ts +8 -10
  250. package/dist/providers/credentials.d.ts.map +1 -1
  251. package/dist/providers/credentials.js +3 -5
  252. package/dist/providers/credentials.js.map +1 -1
  253. package/dist/providers/device.d.ts +18 -10
  254. package/dist/providers/device.d.ts.map +1 -1
  255. package/dist/providers/device.js +4 -8
  256. package/dist/providers/device.js.map +1 -1
  257. package/dist/providers/email.d.ts +50 -23
  258. package/dist/providers/email.d.ts.map +1 -1
  259. package/dist/providers/email.js +58 -34
  260. package/dist/providers/email.js.map +1 -1
  261. package/dist/providers/index.d.ts +7 -3
  262. package/dist/providers/index.js +4 -1
  263. package/dist/providers/oauth.d.ts.map +1 -1
  264. package/dist/providers/oauth.js.map +1 -1
  265. package/dist/providers/passkey.d.ts +12 -9
  266. package/dist/providers/passkey.d.ts.map +1 -1
  267. package/dist/providers/passkey.js +1 -7
  268. package/dist/providers/passkey.js.map +1 -1
  269. package/dist/providers/password.d.ts +6 -12
  270. package/dist/providers/password.d.ts.map +1 -1
  271. package/dist/providers/password.js +189 -89
  272. package/dist/providers/password.js.map +1 -1
  273. package/dist/providers/phone.d.ts +40 -11
  274. package/dist/providers/phone.d.ts.map +1 -1
  275. package/dist/providers/phone.js +52 -21
  276. package/dist/providers/phone.js.map +1 -1
  277. package/dist/providers/sso.d.ts +50 -0
  278. package/dist/providers/sso.d.ts.map +1 -0
  279. package/dist/providers/sso.js +34 -0
  280. package/dist/providers/sso.js.map +1 -0
  281. package/dist/providers/totp.d.ts +12 -9
  282. package/dist/providers/totp.d.ts.map +1 -1
  283. package/dist/providers/totp.js +1 -7
  284. package/dist/providers/totp.js.map +1 -1
  285. package/dist/runtime/browser.js +68 -0
  286. package/dist/runtime/browser.js.map +1 -0
  287. package/dist/runtime/invite.js +51 -0
  288. package/dist/runtime/invite.js.map +1 -0
  289. package/dist/runtime/proxy.js +70 -0
  290. package/dist/runtime/proxy.js.map +1 -0
  291. package/dist/runtime/storage.js +37 -0
  292. package/dist/runtime/storage.js.map +1 -0
  293. package/dist/server/auth.d.ts +335 -370
  294. package/dist/server/auth.d.ts.map +1 -1
  295. package/dist/server/auth.js +204 -123
  296. package/dist/server/auth.js.map +1 -1
  297. package/dist/server/authError.d.ts +46 -0
  298. package/dist/server/authError.d.ts.map +1 -0
  299. package/dist/server/authError.js +34 -0
  300. package/dist/server/authError.js.map +1 -0
  301. package/dist/server/config.d.ts +1 -0
  302. package/dist/server/{providers.js → config.js} +43 -12
  303. package/dist/server/config.js.map +1 -0
  304. package/dist/server/cookies.d.ts +1 -38
  305. package/dist/server/cookies.js +3 -0
  306. package/dist/server/cookies.js.map +1 -1
  307. package/dist/server/core.d.ts +1436 -0
  308. package/dist/server/core.d.ts.map +1 -0
  309. package/dist/server/core.js +713 -0
  310. package/dist/server/core.js.map +1 -0
  311. package/dist/server/crypto.d.ts +8 -0
  312. package/dist/server/crypto.d.ts.map +1 -0
  313. package/dist/server/crypto.js +38 -0
  314. package/dist/server/crypto.js.map +1 -0
  315. package/dist/server/db.d.ts +1 -0
  316. package/dist/server/{implementation/db.js → db.js} +2 -1
  317. package/dist/server/db.js.map +1 -0
  318. package/dist/server/device.d.ts +1 -0
  319. package/dist/server/device.js +109 -0
  320. package/dist/server/device.js.map +1 -0
  321. package/dist/server/enterprise/config.d.ts +1 -0
  322. package/dist/server/enterprise/config.js +46 -0
  323. package/dist/server/enterprise/config.js.map +1 -0
  324. package/dist/server/enterprise/domain.d.ts +409 -0
  325. package/dist/server/enterprise/domain.d.ts.map +1 -0
  326. package/dist/server/enterprise/domain.js +885 -0
  327. package/dist/server/enterprise/domain.js.map +1 -0
  328. package/dist/server/enterprise/http.d.ts +26 -0
  329. package/dist/server/enterprise/http.d.ts.map +1 -0
  330. package/dist/server/enterprise/http.js +766 -0
  331. package/dist/server/enterprise/http.js.map +1 -0
  332. package/dist/server/enterprise/oidc.d.ts +1 -0
  333. package/dist/server/enterprise/oidc.js +248 -0
  334. package/dist/server/enterprise/oidc.js.map +1 -0
  335. package/dist/server/enterprise/policy.d.ts +1 -0
  336. package/dist/server/enterprise/policy.js +85 -0
  337. package/dist/server/enterprise/policy.js.map +1 -0
  338. package/dist/server/enterprise/saml.d.ts +1 -0
  339. package/dist/server/enterprise/saml.js +338 -0
  340. package/dist/server/enterprise/saml.js.map +1 -0
  341. package/dist/server/enterprise/scim.d.ts +1 -0
  342. package/dist/server/enterprise/scim.js +97 -0
  343. package/dist/server/enterprise/scim.js.map +1 -0
  344. package/dist/server/enterprise/shared.d.ts +5 -0
  345. package/dist/server/enterprise/shared.d.ts.map +1 -0
  346. package/dist/server/enterprise/shared.js +51 -0
  347. package/dist/server/enterprise/shared.js.map +1 -0
  348. package/dist/server/enterprise/validators.d.ts +1 -0
  349. package/dist/server/enterprise/validators.js +60 -0
  350. package/dist/server/enterprise/validators.js.map +1 -0
  351. package/dist/server/errors.d.ts +33 -1
  352. package/dist/server/errors.d.ts.map +1 -1
  353. package/dist/server/errors.js +44 -1
  354. package/dist/server/errors.js.map +1 -1
  355. package/dist/server/http.d.ts +59 -0
  356. package/dist/server/http.d.ts.map +1 -0
  357. package/dist/server/http.js +288 -0
  358. package/dist/server/http.js.map +1 -0
  359. package/dist/server/identity.d.ts +1 -0
  360. package/dist/server/identity.js +13 -0
  361. package/dist/server/identity.js.map +1 -0
  362. package/dist/server/index.d.ts +4 -182
  363. package/dist/server/index.js +4 -376
  364. package/dist/server/keys.d.ts +1 -0
  365. package/dist/{component/server/implementation → server}/keys.js +9 -31
  366. package/dist/server/keys.js.map +1 -0
  367. package/dist/server/limits.d.ts +1 -0
  368. package/dist/server/limits.js +61 -0
  369. package/dist/server/limits.js.map +1 -0
  370. package/dist/server/mounts.d.ts +647 -0
  371. package/dist/server/mounts.d.ts.map +1 -0
  372. package/dist/server/mounts.js +643 -0
  373. package/dist/server/mounts.js.map +1 -0
  374. package/dist/server/mutations/account.d.ts +30 -0
  375. package/dist/server/mutations/account.d.ts.map +1 -0
  376. package/dist/server/mutations/account.js +44 -0
  377. package/dist/server/mutations/account.js.map +1 -0
  378. package/dist/server/mutations/code.d.ts +30 -0
  379. package/dist/server/mutations/code.d.ts.map +1 -0
  380. package/dist/server/{implementation/mutations → mutations}/code.js +7 -4
  381. package/dist/server/mutations/code.js.map +1 -0
  382. package/dist/server/mutations/index.d.ts +14 -0
  383. package/dist/server/mutations/index.js +15 -0
  384. package/dist/server/mutations/invalidate.d.ts +20 -0
  385. package/dist/server/mutations/invalidate.d.ts.map +1 -0
  386. package/dist/server/mutations/invalidate.js +32 -0
  387. package/dist/server/mutations/invalidate.js.map +1 -0
  388. package/dist/server/mutations/oauth.d.ts +28 -0
  389. package/dist/server/mutations/oauth.d.ts.map +1 -0
  390. package/dist/server/mutations/oauth.js +110 -0
  391. package/dist/server/mutations/oauth.js.map +1 -0
  392. package/dist/server/mutations/refresh.d.ts +21 -0
  393. package/dist/server/mutations/refresh.d.ts.map +1 -0
  394. package/dist/server/mutations/refresh.js +119 -0
  395. package/dist/server/mutations/refresh.js.map +1 -0
  396. package/dist/server/mutations/register.d.ts +38 -0
  397. package/dist/server/mutations/register.d.ts.map +1 -0
  398. package/dist/server/mutations/register.js +83 -0
  399. package/dist/server/mutations/register.js.map +1 -0
  400. package/dist/server/mutations/retrieve.d.ts +33 -0
  401. package/dist/server/mutations/retrieve.d.ts.map +1 -0
  402. package/dist/server/mutations/retrieve.js +65 -0
  403. package/dist/server/mutations/retrieve.js.map +1 -0
  404. package/dist/server/mutations/signature.d.ts +22 -0
  405. package/dist/server/mutations/signature.d.ts.map +1 -0
  406. package/dist/server/mutations/signature.js +32 -0
  407. package/dist/server/mutations/signature.js.map +1 -0
  408. package/dist/server/mutations/signin.d.ts +22 -0
  409. package/dist/server/mutations/signin.d.ts.map +1 -0
  410. package/dist/server/{implementation/mutations → mutations}/signin.js +2 -2
  411. package/dist/server/mutations/signin.js.map +1 -0
  412. package/dist/server/mutations/signout.d.ts +16 -0
  413. package/dist/server/mutations/signout.d.ts.map +1 -0
  414. package/dist/server/mutations/signout.js +27 -0
  415. package/dist/server/mutations/signout.js.map +1 -0
  416. package/dist/server/mutations/store/refs.d.ts +12 -0
  417. package/dist/server/mutations/store/refs.d.ts.map +1 -0
  418. package/dist/server/mutations/store/refs.js +15 -0
  419. package/dist/server/mutations/store/refs.js.map +1 -0
  420. package/dist/server/mutations/store.d.ts +306 -0
  421. package/dist/server/mutations/store.d.ts.map +1 -0
  422. package/dist/server/mutations/store.js +85 -0
  423. package/dist/server/mutations/store.js.map +1 -0
  424. package/dist/server/mutations/verifier.d.ts +13 -0
  425. package/dist/server/mutations/verifier.d.ts.map +1 -0
  426. package/dist/server/mutations/verifier.js +18 -0
  427. package/dist/server/mutations/verifier.js.map +1 -0
  428. package/dist/server/mutations/verify.d.ts +26 -0
  429. package/dist/server/mutations/verify.d.ts.map +1 -0
  430. package/dist/server/mutations/verify.js +98 -0
  431. package/dist/server/mutations/verify.js.map +1 -0
  432. package/dist/server/oauth.d.ts +1 -48
  433. package/dist/server/oauth.js +107 -64
  434. package/dist/server/oauth.js.map +1 -1
  435. package/dist/server/passkey.d.ts +27 -0
  436. package/dist/server/passkey.d.ts.map +1 -0
  437. package/dist/server/passkey.js +328 -0
  438. package/dist/server/passkey.js.map +1 -0
  439. package/dist/server/redirects.d.ts +1 -0
  440. package/dist/{component/server/implementation → server}/redirects.js +13 -11
  441. package/dist/server/redirects.js.map +1 -0
  442. package/dist/server/refresh.d.ts +1 -0
  443. package/dist/server/refresh.js +96 -0
  444. package/dist/server/refresh.js.map +1 -0
  445. package/dist/server/runtime.d.ts +136 -0
  446. package/dist/server/runtime.d.ts.map +1 -0
  447. package/dist/server/runtime.js +413 -0
  448. package/dist/server/runtime.js.map +1 -0
  449. package/dist/server/sessions.d.ts +1 -0
  450. package/dist/{component/server/implementation → server}/sessions.js +14 -8
  451. package/dist/server/sessions.js.map +1 -0
  452. package/dist/server/signin.d.ts +1 -0
  453. package/dist/server/signin.js +201 -0
  454. package/dist/server/signin.js.map +1 -0
  455. package/dist/server/ssr.d.ts +226 -0
  456. package/dist/server/ssr.d.ts.map +1 -0
  457. package/dist/server/ssr.js +786 -0
  458. package/dist/server/ssr.js.map +1 -0
  459. package/dist/server/templates.d.ts +1 -21
  460. package/dist/server/templates.js +2 -1
  461. package/dist/server/templates.js.map +1 -1
  462. package/dist/server/tokens.d.ts +1 -0
  463. package/dist/server/tokens.js +17 -0
  464. package/dist/server/tokens.js.map +1 -0
  465. package/dist/server/totp.d.ts +1 -0
  466. package/dist/server/totp.js +148 -0
  467. package/dist/server/totp.js.map +1 -0
  468. package/dist/server/types.d.ts +498 -306
  469. package/dist/server/types.d.ts.map +1 -1
  470. package/dist/server/types.js +108 -1
  471. package/dist/server/types.js.map +1 -0
  472. package/dist/server/users.d.ts +1 -0
  473. package/dist/server/{implementation/users.js → users.js} +54 -35
  474. package/dist/server/users.js.map +1 -0
  475. package/dist/server/utils.d.ts +1 -6
  476. package/dist/server/utils.js +110 -4
  477. package/dist/server/utils.js.map +1 -1
  478. package/package.json +49 -46
  479. package/src/authorization/index.ts +83 -0
  480. package/src/cli/bin.ts +5 -0
  481. package/src/cli/command.ts +6 -5
  482. package/src/cli/index.ts +456 -248
  483. package/src/cli/keys.ts +3 -0
  484. package/src/client/core/types.ts +437 -0
  485. package/src/client/factors/device.ts +160 -0
  486. package/src/client/factors/passkey.ts +282 -0
  487. package/src/client/factors/totp.ts +150 -0
  488. package/src/client/index.ts +745 -989
  489. package/src/client/runtime/browser.ts +112 -0
  490. package/src/client/runtime/invite.ts +65 -0
  491. package/src/client/runtime/proxy.ts +111 -0
  492. package/src/client/runtime/storage.ts +79 -0
  493. package/src/component/_generated/api.ts +42 -0
  494. package/src/component/_generated/component.ts +3123 -102
  495. package/src/component/functions.ts +38 -22
  496. package/src/component/index.ts +10 -20
  497. package/src/component/model.ts +449 -0
  498. package/src/component/public/enterprise/audit.ts +120 -0
  499. package/src/component/public/enterprise/core.ts +354 -0
  500. package/src/component/public/enterprise/domains.ts +323 -0
  501. package/src/component/public/enterprise/scim.ts +396 -0
  502. package/src/component/public/enterprise/secrets.ts +132 -0
  503. package/src/component/public/enterprise/webhooks.ts +306 -0
  504. package/src/component/public/factors/devices.ts +223 -0
  505. package/src/component/public/factors/passkeys.ts +242 -0
  506. package/src/component/public/factors/totp.ts +258 -0
  507. package/src/component/public/groups/core.ts +481 -0
  508. package/src/component/public/groups/invites.ts +602 -0
  509. package/src/component/public/groups/members.ts +409 -0
  510. package/src/component/public/identity/accounts.ts +206 -0
  511. package/src/component/public/identity/codes.ts +148 -0
  512. package/src/component/public/identity/sessions.ts +209 -0
  513. package/src/component/public/identity/tokens.ts +250 -0
  514. package/src/component/public/identity/users.ts +354 -0
  515. package/src/component/public/identity/verifiers.ts +157 -0
  516. package/src/component/public/security/keys.ts +365 -0
  517. package/src/component/public/security/limits.ts +173 -0
  518. package/src/component/public.ts +26 -1766
  519. package/src/component/schema.ts +273 -100
  520. package/src/providers/anonymous.ts +10 -20
  521. package/src/providers/credentials.ts +14 -22
  522. package/src/providers/device.ts +3 -14
  523. package/src/providers/email.ts +83 -47
  524. package/src/providers/index.ts +7 -0
  525. package/src/providers/oauth.ts +5 -3
  526. package/src/providers/passkey.ts +0 -13
  527. package/src/providers/password.ts +307 -130
  528. package/src/providers/phone.ts +81 -37
  529. package/src/providers/sso.ts +54 -0
  530. package/src/providers/totp.ts +0 -13
  531. package/src/samlify.d.ts +53 -0
  532. package/src/server/auth.ts +701 -247
  533. package/src/server/authError.ts +44 -0
  534. package/src/server/{providers.ts → config.ts} +84 -15
  535. package/src/server/cookies.ts +8 -1
  536. package/src/server/core.ts +2095 -0
  537. package/src/server/crypto.ts +88 -0
  538. package/src/server/{implementation/db.ts → db.ts} +90 -15
  539. package/src/server/device.ts +221 -0
  540. package/src/server/enterprise/config.ts +51 -0
  541. package/src/server/enterprise/domain.ts +1751 -0
  542. package/src/server/enterprise/http.ts +1324 -0
  543. package/src/server/enterprise/oidc.ts +500 -0
  544. package/src/server/enterprise/policy.ts +128 -0
  545. package/src/server/enterprise/saml.ts +578 -0
  546. package/src/server/enterprise/scim.ts +135 -0
  547. package/src/server/enterprise/shared.ts +134 -0
  548. package/src/server/enterprise/validators.ts +93 -0
  549. package/src/server/errors.ts +130 -119
  550. package/src/server/http.ts +531 -0
  551. package/src/server/identity.ts +18 -0
  552. package/src/server/index.ts +32 -650
  553. package/src/server/{implementation/keys.ts → keys.ts} +16 -44
  554. package/src/server/limits.ts +134 -0
  555. package/src/server/mounts.ts +948 -0
  556. package/src/server/mutations/account.ts +76 -0
  557. package/src/server/{implementation/mutations → mutations}/code.ts +22 -11
  558. package/src/server/mutations/index.ts +13 -0
  559. package/src/server/mutations/invalidate.ts +50 -0
  560. package/src/server/mutations/oauth.ts +237 -0
  561. package/src/server/mutations/refresh.ts +298 -0
  562. package/src/server/mutations/register.ts +200 -0
  563. package/src/server/mutations/retrieve.ts +109 -0
  564. package/src/server/mutations/signature.ts +50 -0
  565. package/src/server/{implementation/mutations → mutations}/signin.ts +9 -7
  566. package/src/server/mutations/signout.ts +43 -0
  567. package/src/server/mutations/store/refs.ts +10 -0
  568. package/src/server/mutations/store.ts +138 -0
  569. package/src/server/mutations/verifier.ts +34 -0
  570. package/src/server/mutations/verify.ts +202 -0
  571. package/src/server/oauth.ts +243 -131
  572. package/src/server/passkey.ts +784 -0
  573. package/src/server/{implementation/redirects.ts → redirects.ts} +21 -16
  574. package/src/server/refresh.ts +222 -0
  575. package/src/server/runtime.ts +880 -0
  576. package/src/server/{implementation/sessions.ts → sessions.ts} +33 -25
  577. package/src/server/signin.ts +438 -0
  578. package/src/server/ssr.ts +1764 -0
  579. package/src/server/templates.ts +8 -3
  580. package/src/server/{implementation/tokens.ts → tokens.ts} +11 -5
  581. package/src/server/totp.ts +349 -0
  582. package/src/server/types.ts +972 -207
  583. package/src/server/{implementation/users.ts → users.ts} +129 -75
  584. package/src/server/utils.ts +192 -5
  585. package/src/test.ts +28 -4
  586. package/dist/bin.cjs +0 -27757
  587. package/dist/component/providers/email.js +0 -47
  588. package/dist/component/providers/email.js.map +0 -1
  589. package/dist/component/public.js.map +0 -1
  590. package/dist/component/server/implementation/db.js.map +0 -1
  591. package/dist/component/server/implementation/device.js +0 -135
  592. package/dist/component/server/implementation/device.js.map +0 -1
  593. package/dist/component/server/implementation/index.d.ts +0 -870
  594. package/dist/component/server/implementation/index.d.ts.map +0 -1
  595. package/dist/component/server/implementation/index.js +0 -610
  596. package/dist/component/server/implementation/index.js.map +0 -1
  597. package/dist/component/server/implementation/keys.js.map +0 -1
  598. package/dist/component/server/implementation/mutations/account.js +0 -39
  599. package/dist/component/server/implementation/mutations/account.js.map +0 -1
  600. package/dist/component/server/implementation/mutations/code.js.map +0 -1
  601. package/dist/component/server/implementation/mutations/index.js +0 -70
  602. package/dist/component/server/implementation/mutations/index.js.map +0 -1
  603. package/dist/component/server/implementation/mutations/invalidate.js +0 -29
  604. package/dist/component/server/implementation/mutations/invalidate.js.map +0 -1
  605. package/dist/component/server/implementation/mutations/oauth.js +0 -51
  606. package/dist/component/server/implementation/mutations/oauth.js.map +0 -1
  607. package/dist/component/server/implementation/mutations/refresh.js +0 -85
  608. package/dist/component/server/implementation/mutations/refresh.js.map +0 -1
  609. package/dist/component/server/implementation/mutations/register.js +0 -65
  610. package/dist/component/server/implementation/mutations/register.js.map +0 -1
  611. package/dist/component/server/implementation/mutations/retrieve.js +0 -50
  612. package/dist/component/server/implementation/mutations/retrieve.js.map +0 -1
  613. package/dist/component/server/implementation/mutations/signature.js +0 -27
  614. package/dist/component/server/implementation/mutations/signature.js.map +0 -1
  615. package/dist/component/server/implementation/mutations/signin.js.map +0 -1
  616. package/dist/component/server/implementation/mutations/signout.js +0 -27
  617. package/dist/component/server/implementation/mutations/signout.js.map +0 -1
  618. package/dist/component/server/implementation/mutations/store.js +0 -12
  619. package/dist/component/server/implementation/mutations/store.js.map +0 -1
  620. package/dist/component/server/implementation/mutations/verifier.js +0 -16
  621. package/dist/component/server/implementation/mutations/verifier.js.map +0 -1
  622. package/dist/component/server/implementation/mutations/verify.js +0 -105
  623. package/dist/component/server/implementation/mutations/verify.js.map +0 -1
  624. package/dist/component/server/implementation/passkey.js +0 -307
  625. package/dist/component/server/implementation/passkey.js.map +0 -1
  626. package/dist/component/server/implementation/provider.js +0 -19
  627. package/dist/component/server/implementation/provider.js.map +0 -1
  628. package/dist/component/server/implementation/ratelimit.js +0 -48
  629. package/dist/component/server/implementation/ratelimit.js.map +0 -1
  630. package/dist/component/server/implementation/redirects.js.map +0 -1
  631. package/dist/component/server/implementation/refresh.js +0 -109
  632. package/dist/component/server/implementation/refresh.js.map +0 -1
  633. package/dist/component/server/implementation/sessions.js.map +0 -1
  634. package/dist/component/server/implementation/signin.js +0 -148
  635. package/dist/component/server/implementation/signin.js.map +0 -1
  636. package/dist/component/server/implementation/tokens.js +0 -15
  637. package/dist/component/server/implementation/tokens.js.map +0 -1
  638. package/dist/component/server/implementation/totp.js +0 -142
  639. package/dist/component/server/implementation/totp.js.map +0 -1
  640. package/dist/component/server/implementation/types.d.ts +0 -42
  641. package/dist/component/server/implementation/types.d.ts.map +0 -1
  642. package/dist/component/server/implementation/types.js.map +0 -1
  643. package/dist/component/server/implementation/users.js.map +0 -1
  644. package/dist/component/server/implementation/utils.js +0 -56
  645. package/dist/component/server/implementation/utils.js.map +0 -1
  646. package/dist/component/server/providers.js.map +0 -1
  647. package/dist/component/server/templates.js +0 -84
  648. package/dist/component/server/templates.js.map +0 -1
  649. package/dist/server/cookies.d.ts.map +0 -1
  650. package/dist/server/implementation/db.d.ts +0 -86
  651. package/dist/server/implementation/db.d.ts.map +0 -1
  652. package/dist/server/implementation/db.js.map +0 -1
  653. package/dist/server/implementation/device.d.ts +0 -30
  654. package/dist/server/implementation/device.d.ts.map +0 -1
  655. package/dist/server/implementation/device.js +0 -135
  656. package/dist/server/implementation/device.js.map +0 -1
  657. package/dist/server/implementation/index.d.ts +0 -870
  658. package/dist/server/implementation/index.d.ts.map +0 -1
  659. package/dist/server/implementation/index.js +0 -610
  660. package/dist/server/implementation/index.js.map +0 -1
  661. package/dist/server/implementation/keys.d.ts +0 -66
  662. package/dist/server/implementation/keys.d.ts.map +0 -1
  663. package/dist/server/implementation/keys.js.map +0 -1
  664. package/dist/server/implementation/mutations/account.d.ts +0 -27
  665. package/dist/server/implementation/mutations/account.d.ts.map +0 -1
  666. package/dist/server/implementation/mutations/account.js +0 -39
  667. package/dist/server/implementation/mutations/account.js.map +0 -1
  668. package/dist/server/implementation/mutations/code.d.ts +0 -29
  669. package/dist/server/implementation/mutations/code.d.ts.map +0 -1
  670. package/dist/server/implementation/mutations/code.js.map +0 -1
  671. package/dist/server/implementation/mutations/index.d.ts +0 -310
  672. package/dist/server/implementation/mutations/index.d.ts.map +0 -1
  673. package/dist/server/implementation/mutations/index.js +0 -70
  674. package/dist/server/implementation/mutations/index.js.map +0 -1
  675. package/dist/server/implementation/mutations/invalidate.d.ts +0 -18
  676. package/dist/server/implementation/mutations/invalidate.d.ts.map +0 -1
  677. package/dist/server/implementation/mutations/invalidate.js +0 -29
  678. package/dist/server/implementation/mutations/invalidate.js.map +0 -1
  679. package/dist/server/implementation/mutations/oauth.d.ts +0 -23
  680. package/dist/server/implementation/mutations/oauth.d.ts.map +0 -1
  681. package/dist/server/implementation/mutations/oauth.js +0 -51
  682. package/dist/server/implementation/mutations/oauth.js.map +0 -1
  683. package/dist/server/implementation/mutations/refresh.d.ts +0 -20
  684. package/dist/server/implementation/mutations/refresh.d.ts.map +0 -1
  685. package/dist/server/implementation/mutations/refresh.js +0 -85
  686. package/dist/server/implementation/mutations/refresh.js.map +0 -1
  687. package/dist/server/implementation/mutations/register.d.ts +0 -37
  688. package/dist/server/implementation/mutations/register.d.ts.map +0 -1
  689. package/dist/server/implementation/mutations/register.js +0 -65
  690. package/dist/server/implementation/mutations/register.js.map +0 -1
  691. package/dist/server/implementation/mutations/retrieve.d.ts +0 -31
  692. package/dist/server/implementation/mutations/retrieve.d.ts.map +0 -1
  693. package/dist/server/implementation/mutations/retrieve.js +0 -50
  694. package/dist/server/implementation/mutations/retrieve.js.map +0 -1
  695. package/dist/server/implementation/mutations/signature.d.ts +0 -19
  696. package/dist/server/implementation/mutations/signature.d.ts.map +0 -1
  697. package/dist/server/implementation/mutations/signature.js +0 -27
  698. package/dist/server/implementation/mutations/signature.js.map +0 -1
  699. package/dist/server/implementation/mutations/signin.d.ts +0 -21
  700. package/dist/server/implementation/mutations/signin.d.ts.map +0 -1
  701. package/dist/server/implementation/mutations/signin.js.map +0 -1
  702. package/dist/server/implementation/mutations/signout.d.ts +0 -14
  703. package/dist/server/implementation/mutations/signout.d.ts.map +0 -1
  704. package/dist/server/implementation/mutations/signout.js +0 -27
  705. package/dist/server/implementation/mutations/signout.js.map +0 -1
  706. package/dist/server/implementation/mutations/store.d.ts +0 -11
  707. package/dist/server/implementation/mutations/store.d.ts.map +0 -1
  708. package/dist/server/implementation/mutations/store.js +0 -12
  709. package/dist/server/implementation/mutations/store.js.map +0 -1
  710. package/dist/server/implementation/mutations/verifier.d.ts +0 -11
  711. package/dist/server/implementation/mutations/verifier.d.ts.map +0 -1
  712. package/dist/server/implementation/mutations/verifier.js +0 -16
  713. package/dist/server/implementation/mutations/verifier.js.map +0 -1
  714. package/dist/server/implementation/mutations/verify.d.ts +0 -25
  715. package/dist/server/implementation/mutations/verify.d.ts.map +0 -1
  716. package/dist/server/implementation/mutations/verify.js +0 -105
  717. package/dist/server/implementation/mutations/verify.js.map +0 -1
  718. package/dist/server/implementation/passkey.d.ts +0 -24
  719. package/dist/server/implementation/passkey.d.ts.map +0 -1
  720. package/dist/server/implementation/passkey.js +0 -307
  721. package/dist/server/implementation/passkey.js.map +0 -1
  722. package/dist/server/implementation/provider.d.ts +0 -10
  723. package/dist/server/implementation/provider.d.ts.map +0 -1
  724. package/dist/server/implementation/provider.js +0 -19
  725. package/dist/server/implementation/provider.js.map +0 -1
  726. package/dist/server/implementation/ratelimit.d.ts +0 -10
  727. package/dist/server/implementation/ratelimit.d.ts.map +0 -1
  728. package/dist/server/implementation/ratelimit.js +0 -48
  729. package/dist/server/implementation/ratelimit.js.map +0 -1
  730. package/dist/server/implementation/redirects.d.ts +0 -10
  731. package/dist/server/implementation/redirects.d.ts.map +0 -1
  732. package/dist/server/implementation/redirects.js.map +0 -1
  733. package/dist/server/implementation/refresh.d.ts +0 -37
  734. package/dist/server/implementation/refresh.d.ts.map +0 -1
  735. package/dist/server/implementation/refresh.js +0 -109
  736. package/dist/server/implementation/refresh.js.map +0 -1
  737. package/dist/server/implementation/sessions.d.ts +0 -29
  738. package/dist/server/implementation/sessions.d.ts.map +0 -1
  739. package/dist/server/implementation/sessions.js.map +0 -1
  740. package/dist/server/implementation/signin.d.ts +0 -55
  741. package/dist/server/implementation/signin.d.ts.map +0 -1
  742. package/dist/server/implementation/signin.js +0 -148
  743. package/dist/server/implementation/signin.js.map +0 -1
  744. package/dist/server/implementation/tokens.d.ts +0 -11
  745. package/dist/server/implementation/tokens.d.ts.map +0 -1
  746. package/dist/server/implementation/tokens.js +0 -15
  747. package/dist/server/implementation/tokens.js.map +0 -1
  748. package/dist/server/implementation/totp.d.ts +0 -31
  749. package/dist/server/implementation/totp.d.ts.map +0 -1
  750. package/dist/server/implementation/totp.js +0 -142
  751. package/dist/server/implementation/totp.js.map +0 -1
  752. package/dist/server/implementation/types.d.ts +0 -189
  753. package/dist/server/implementation/types.d.ts.map +0 -1
  754. package/dist/server/implementation/types.js +0 -97
  755. package/dist/server/implementation/types.js.map +0 -1
  756. package/dist/server/implementation/users.d.ts +0 -30
  757. package/dist/server/implementation/users.d.ts.map +0 -1
  758. package/dist/server/implementation/users.js.map +0 -1
  759. package/dist/server/implementation/utils.d.ts +0 -19
  760. package/dist/server/implementation/utils.d.ts.map +0 -1
  761. package/dist/server/implementation/utils.js +0 -56
  762. package/dist/server/implementation/utils.js.map +0 -1
  763. package/dist/server/index.d.ts.map +0 -1
  764. package/dist/server/index.js.map +0 -1
  765. package/dist/server/oauth.d.ts.map +0 -1
  766. package/dist/server/providers.d.ts +0 -72
  767. package/dist/server/providers.d.ts.map +0 -1
  768. package/dist/server/providers.js.map +0 -1
  769. package/dist/server/templates.d.ts.map +0 -1
  770. package/dist/server/utils.d.ts.map +0 -1
  771. package/dist/server/version.d.ts +0 -5
  772. package/dist/server/version.d.ts.map +0 -1
  773. package/dist/server/version.js +0 -6
  774. package/dist/server/version.js.map +0 -1
  775. package/src/cli/utils.ts +0 -248
  776. package/src/server/implementation/device.ts +0 -307
  777. package/src/server/implementation/index.ts +0 -1583
  778. package/src/server/implementation/mutations/account.ts +0 -50
  779. package/src/server/implementation/mutations/index.ts +0 -157
  780. package/src/server/implementation/mutations/invalidate.ts +0 -42
  781. package/src/server/implementation/mutations/oauth.ts +0 -73
  782. package/src/server/implementation/mutations/refresh.ts +0 -175
  783. package/src/server/implementation/mutations/register.ts +0 -100
  784. package/src/server/implementation/mutations/retrieve.ts +0 -79
  785. package/src/server/implementation/mutations/signature.ts +0 -39
  786. package/src/server/implementation/mutations/signout.ts +0 -35
  787. package/src/server/implementation/mutations/store.ts +0 -7
  788. package/src/server/implementation/mutations/verifier.ts +0 -24
  789. package/src/server/implementation/mutations/verify.ts +0 -194
  790. package/src/server/implementation/passkey.ts +0 -620
  791. package/src/server/implementation/provider.ts +0 -36
  792. package/src/server/implementation/ratelimit.ts +0 -79
  793. package/src/server/implementation/refresh.ts +0 -172
  794. package/src/server/implementation/signin.ts +0 -296
  795. package/src/server/implementation/totp.ts +0 -342
  796. package/src/server/implementation/types.ts +0 -444
  797. package/src/server/implementation/utils.ts +0 -91
  798. package/src/server/version.ts +0 -2
package/dist/server/ssr.js ADDED
@@ -0,0 +1,786 @@
1
+ import { isLocalHost } from "./utils.js";
2
+ import { Fx } from "@robelest/fx";
3
+ import { makeFunctionReference } from "convex/server";
4
+ import { ConvexError } from "convex/values";
5
+ import { parse, serialize } from "cookie";
6
+ import { ConvexHttpClient } from "convex/browser";
7
+ import { jwtDecode } from "jwt-decode";
8
+
9
+ //#region src/server/ssr.ts
10
+ const signInActionRef = makeFunctionReference("auth:signIn");
11
+ const signOutActionRef = makeFunctionReference("auth:signOut");
12
+ const TOKEN_COOKIE_BASE_NAME = "__convexAuthJWT";
13
+ const REFRESH_COOKIE_BASE_NAME = "__convexAuthRefreshToken";
14
+ const VERIFIER_COOKIE_BASE_NAME = "__convexAuthOAuthVerifier";
15
+ const DERIVED_COOKIE_NAMESPACE_FALLBACK = "convexauth";
16
+ /**
17
+ * Derive the cookie names used for auth tokens.
18
+ *
19
+ * On localhost the names are unprefixed; on production hosts they
20
+ * use the `__Host-` prefix for tighter security.
21
+ *
22
+ * @param host - The `Host` header value. Omit to use unprefixed names.
23
+ * @param cookieNamespace - Optional namespace suffix for cookie isolation.
24
+ * @returns An object with `token`, `refreshToken`, and `verifier` cookie names.
25
+ */
26
+ function authCookieNames(host, cookieNamespace) {
27
+ const prefix = isLocalHost(host) ? "" : "__Host-";
28
+ const namespace = normalizeCookieNamespace(cookieNamespace);
29
+ const suffix = namespace === null ? "" : `_${namespace}`;
30
+ return {
31
+ token: `${prefix}${TOKEN_COOKIE_BASE_NAME}${suffix}`,
32
+ refreshToken: `${prefix}${REFRESH_COOKIE_BASE_NAME}${suffix}`,
33
+ verifier: `${prefix}${VERIFIER_COOKIE_BASE_NAME}${suffix}`
34
+ };
35
+ }
36
+ /**
37
+ * Parse auth cookie values from a raw `Cookie` header string.
38
+ *
39
+ * @param cookieHeader - The raw `Cookie` header, or `null`/`undefined`.
40
+ * @param host - The `Host` header, used to determine cookie name prefixes.
41
+ * @param cookieNamespace - Optional namespace suffix for cookie isolation.
42
+ * @returns Parsed {@link AuthCookies} with `token`, `refreshToken`, and `verifier`.
43
+ */
44
+ function parseAuthCookies(cookieHeader, host, cookieNamespace) {
45
+ const names = authCookieNames(host, cookieNamespace);
46
+ const parsed = parse(cookieHeader ?? "");
47
+ return {
48
+ token: parsed[names.token] ?? null,
49
+ refreshToken: parsed[names.refreshToken] ?? null,
50
+ verifier: parsed[names.verifier] ?? null
51
+ };
52
+ }
53
+ /**
54
+ * Serialize auth cookies into `Set-Cookie` header strings.
55
+ *
56
+ * Nulled-out values produce deletion cookies (maxAge 0, expired date).
57
+ *
58
+ * @param cookies - The auth cookie values to serialize.
59
+ * @param host - The `Host` header, used for cookie name prefixes and `Secure` flag.
60
+ * @param config - Cookie lifetime config. Defaults to session cookies.
61
+ * @param cookieNamespace - Optional namespace suffix for cookie isolation.
62
+ * @returns An array of three `Set-Cookie` header strings.
63
+ */
64
+ function serializeAuthCookies(cookies, host, config = { maxAge: null }, cookieNamespace) {
65
+ const names = authCookieNames(host, cookieNamespace);
66
+ const base = {
67
+ path: "/",
68
+ httpOnly: true,
69
+ sameSite: "lax",
70
+ secure: !isLocalHost(host)
71
+ };
72
+ const maxAge = config.maxAge ?? void 0;
73
+ return [
74
+ serialize(names.token, cookies.token ?? "", {
75
+ ...base,
76
+ maxAge: cookies.token === null ? 0 : maxAge,
77
+ expires: cookies.token === null ? /* @__PURE__ */ new Date(0) : void 0
78
+ }),
79
+ serialize(names.refreshToken, cookies.refreshToken ?? "", {
80
+ ...base,
81
+ maxAge: cookies.refreshToken === null ? 0 : maxAge,
82
+ expires: cookies.refreshToken === null ? /* @__PURE__ */ new Date(0) : void 0
83
+ }),
84
+ serialize(names.verifier, cookies.verifier ?? "", {
85
+ ...base,
86
+ maxAge: cookies.verifier === null ? 0 : maxAge,
87
+ expires: cookies.verifier === null ? /* @__PURE__ */ new Date(0) : void 0
88
+ })
89
+ ];
90
+ }
91
+ /**
92
+ * Build structured cookie objects for any SSR framework.
93
+ *
94
+ * Use with SvelteKit's `event.cookies.set()`, TanStack Start's `setCookie()`,
95
+ * Next.js's `cookies().set()`, or any other framework cookie API.
96
+ *
97
+ * @param cookies - The auth cookie values to convert.
98
+ * @param host - The `Host` header, used for cookie name prefixes and `Secure`.
99
+ * @param config - Cookie lifetime config. Defaults to session cookies.
100
+ * @param cookieNamespace - Optional namespace suffix for cookie isolation.
101
+ * @returns Structured cookie descriptors ready for framework cookie APIs.
102
+ */
103
+ function structuredAuthCookies(cookies, host, config = { maxAge: null }, cookieNamespace) {
104
+ const names = authCookieNames(host, cookieNamespace);
105
+ const base = {
106
+ path: "/",
107
+ httpOnly: true,
108
+ secure: !isLocalHost(host),
109
+ sameSite: "lax"
110
+ };
111
+ const maxAge = config.maxAge ?? void 0;
112
+ return [
113
+ {
114
+ name: names.token,
115
+ value: cookies.token ?? "",
116
+ options: {
117
+ ...base,
118
+ maxAge: cookies.token === null ? 0 : maxAge,
119
+ expires: cookies.token === null ? /* @__PURE__ */ new Date(0) : void 0
120
+ }
121
+ },
122
+ {
123
+ name: names.refreshToken,
124
+ value: cookies.refreshToken ?? "",
125
+ options: {
126
+ ...base,
127
+ maxAge: cookies.refreshToken === null ? 0 : maxAge,
128
+ expires: cookies.refreshToken === null ? /* @__PURE__ */ new Date(0) : void 0
129
+ }
130
+ },
131
+ {
132
+ name: names.verifier,
133
+ value: cookies.verifier ?? "",
134
+ options: {
135
+ ...base,
136
+ maxAge: cookies.verifier === null ? 0 : maxAge,
137
+ expires: cookies.verifier === null ? /* @__PURE__ */ new Date(0) : void 0
138
+ }
139
+ }
140
+ ];
141
+ }
142
+ /**
143
+ * Check whether a request pathname matches the auth proxy route.
144
+ *
145
+ * Handles trailing-slash ambiguity: both `/api/auth` and `/api/auth/`
146
+ * match regardless of how `apiRoute` is configured.
147
+ *
148
+ * @param pathname - The request URL pathname.
149
+ * @param apiRoute - The configured proxy route (e.g. `"/api/auth"`).
150
+ * @returns `true` when the pathname matches the proxy route.
151
+ *
152
+ * @see {@link server}
153
+ */
154
+ function shouldProxyAuthAction(pathname, apiRoute) {
155
+ if (apiRoute.endsWith("/")) return pathname === apiRoute || pathname === apiRoute.slice(0, -1);
156
+ return pathname === apiRoute || pathname === `${apiRoute}/`;
157
+ }
158
+ const REQUIRED_TOKEN_LIFETIME_MS = 6e4;
159
+ const MINIMUM_REQUIRED_TOKEN_LIFETIME_MS = 1e4;
160
+ function normalizeCookieNamespace(cookieNamespace) {
161
+ if (cookieNamespace === void 0 || cookieNamespace === null) return null;
162
+ const normalized = cookieNamespace.trim().replace(/[^a-zA-Z0-9]+/g, "_").replace(/^_+|_+$/g, "").toLowerCase();
163
+ return normalized.length > 0 ? normalized : null;
164
+ }
165
+ /**
166
+ * Safely check if a string is a valid URL without throwing.
167
+ */
168
+ function canParseUrl(value) {
169
+ try {
170
+ new URL(value);
171
+ return true;
172
+ } catch {
173
+ return false;
174
+ }
175
+ }
176
+ function serializeAuthCookie(cookie) {
177
+ const parts = [`${cookie.name}=${cookie.value}`, `Path=${cookie.options.path}`];
178
+ if (cookie.options.httpOnly) parts.push("HttpOnly");
179
+ if (cookie.options.secure) parts.push("Secure");
180
+ if (cookie.options.sameSite) parts.push(`SameSite=${cookie.options.sameSite}`);
181
+ if (cookie.options.maxAge !== void 0) parts.push(`Max-Age=${cookie.options.maxAge}`);
182
+ if (cookie.options.expires) parts.push(`Expires=${cookie.options.expires.toUTCString()}`);
183
+ return parts.join("; ");
184
+ }
185
+ function buildRedirectResponse(location, cookies) {
186
+ const headers = new Headers({ Location: location });
187
+ for (const cookie of cookies) headers.append("Set-Cookie", serializeAuthCookie(cookie));
188
+ return new Response(null, {
189
+ status: 302,
190
+ headers
191
+ });
192
+ }
193
+ function deriveCookieNamespaceFromUrl(url) {
194
+ if (!canParseUrl(url)) return DERIVED_COOKIE_NAMESPACE_FALLBACK;
195
+ const parsed = new URL(url);
196
+ return normalizeCookieNamespace(`${parsed.hostname}${parsed.pathname}`) ?? DERIVED_COOKIE_NAMESPACE_FALLBACK;
197
+ }
198
+ function normalizeIssuer(value) {
199
+ if (!canParseUrl(value)) return value.replace(/\/+$/, "");
200
+ const parsed = new URL(value);
201
+ const pathname = parsed.pathname === "/" ? "" : parsed.pathname.replace(/\/+$/, "");
202
+ return `${parsed.protocol}//${parsed.host}${pathname}`;
203
+ }
204
+ function convexSiteIssuerFromCloudUrl(value) {
205
+ if (!canParseUrl(value)) return null;
206
+ const parsed = new URL(value);
207
+ if (!parsed.hostname.endsWith(".convex.cloud")) return null;
208
+ parsed.hostname = parsed.hostname.slice(0, -13) + ".convex.site";
209
+ return normalizeIssuer(parsed.toString());
210
+ }
211
+ function defaultAcceptedIssuersForUrl(value) {
212
+ const issuers = [normalizeIssuer(value)];
213
+ const siteIssuer = convexSiteIssuerFromCloudUrl(value);
214
+ if (siteIssuer !== null) issuers.push(siteIssuer);
215
+ return issuers;
216
+ }
217
+ /**
218
+ * Create an SSR auth helper for server-side frameworks.
219
+ *
220
+ * Handles cookie-based token management, OAuth code exchange,
221
+ * and automatic JWT refresh on page loads. Works with any
222
+ * framework that gives you a `Request` object — SvelteKit,
223
+ * TanStack Start, Remix, Next.js, etc.
224
+ *
225
+ * @param options - SSR configuration (Convex API URL, issuer rules, proxy route, cookie lifetime).
226
+ * @returns An object with `token`, `verify`, `proxy`, and `refresh` methods.
227
+ *
228
+ * @example SvelteKit hooks
229
+ * ```ts
230
+ * // src/hooks.server.ts
231
+ * import { server } from '@robelest/convex-auth/server';
232
+ *
233
+ * const auth = server({ url: CONVEX_URL });
234
+ *
235
+ * export const handle = async ({ event, resolve }) => {
236
+ * const { cookies, token } = await auth.refresh(event.request);
237
+ * for (const c of cookies) event.cookies.set(c.name, c.value, c.options);
238
+ * event.locals.token = token;
239
+ * return resolve(event);
240
+ * };
241
+ * ```
242
+ *
243
+ * @example Generic proxy endpoint
244
+ * ```ts
245
+ * if (shouldProxyAuthAction(url.pathname, '/api/auth')) {
246
+ * return auth.proxy(request);
247
+ * }
248
+ * ```
249
+ *
250
+ * @param options - Server-side auth configuration including Convex URL,
251
+ * accepted issuers, proxy route, and cookie behavior.
252
+ * @returns SSR helpers for reading tokens, refreshing cookies, and proxying
253
+ * auth actions through an httpOnly-cookie layer.
254
+ *
255
+ * @see {@link shouldProxyAuthAction}
256
+ */
257
+ function server(options) {
258
+ const convexUrl = options.url;
259
+ const apiRoute = options.apiRoute ?? "/api/auth";
260
+ const cookieConfig = { maxAge: options.cookieMaxAge ?? null };
261
+ const verbose = options.verbose ?? false;
262
+ const cookieNamespace = normalizeCookieNamespace(options.cookieNamespace) ?? deriveCookieNamespaceFromUrl(convexUrl);
263
+ const acceptedIssuers = new Set((options.acceptedIssuers ?? defaultAcceptedIssuersForUrl(convexUrl)).map(normalizeIssuer).filter((issuer) => issuer.length > 0));
264
+ return {
265
+ token(request) {
266
+ return parseAuthCookies(request.headers.get("cookie"), request.headers.get("host") ?? new URL(request.url).host, cookieNamespace).token;
267
+ },
268
+ async verify(request) {
269
+ const token = parseAuthCookies(request.headers.get("cookie"), request.headers.get("host") ?? new URL(request.url).host, cookieNamespace).token;
270
+ if (token === null) return false;
271
+ const decodedToken = await Fx.run(Fx.attempt(async () => jwtDecode(token), (decoded) => decoded, () => null));
272
+ if (decodedToken?.exp === void 0 || decodedToken.iss === void 0) return false;
273
+ if (!acceptedIssuers.has(normalizeIssuer(decodedToken.iss))) return false;
274
+ return decodedToken.exp * 1e3 > Date.now();
275
+ },
276
+ async proxy(request) {
277
+ const requestDispatch = !shouldProxyAuthAction(new URL(request.url).pathname, apiRoute) ? { kind: "invalidRoute" } : request.method !== "POST" ? { kind: "invalidMethod" } : (() => {
278
+ const originHeader = request.headers.get("origin");
279
+ if (originHeader === null) return false;
280
+ const forwardedProtoHeader = request.headers.get("x-forwarded-proto");
281
+ const protocol = forwardedProtoHeader !== null ? (() => {
282
+ const forwardedProto = forwardedProtoHeader.split(",")[0]?.trim();
283
+ if (forwardedProto !== void 0 && forwardedProto.length > 0) return forwardedProto.endsWith(":") ? forwardedProto : `${forwardedProto}:`;
284
+ return new URL(request.url).protocol;
285
+ })() : new URL(request.url).protocol;
286
+ const requestHost = request.headers.get("host") ?? new URL(request.url).host;
287
+ const hostCandidate = `${protocol}//${requestHost}`;
288
+ const host$1 = canParseUrl(hostCandidate) ? new URL(hostCandidate).host : requestHost;
289
+ if (!canParseUrl(originHeader)) return true;
290
+ const originUrl = new URL(originHeader);
291
+ return originUrl.host !== host$1 || originUrl.protocol !== protocol;
292
+ })() ? { kind: "invalidOrigin" } : { kind: "valid" };
293
+ const validationErrorResponse = await Fx.run(Fx.match(requestDispatch, requestDispatch.kind, {
294
+ invalidRoute: () => new Response("Invalid route", { status: 404 }),
295
+ invalidMethod: () => new Response("Invalid method", { status: 405 }),
296
+ invalidOrigin: () => new Response("Invalid origin", { status: 403 }),
297
+ valid: () => null
298
+ }));
299
+ if (validationErrorResponse !== null) return validationErrorResponse;
300
+ const body = await Fx.run(Fx.attempt(async () => {
301
+ const parsed = await request.json();
302
+ if (typeof parsed !== "object" || parsed === null) return null;
303
+ return parsed;
304
+ }, (parsed) => parsed, () => null));
305
+ if (body === null) return new Response("Invalid request body", { status: 400 });
306
+ const action = body.action;
307
+ const args = typeof body.args === "object" && body.args !== null ? body.args : {};
308
+ const actionDispatch = action === "auth:signIn" ? { action: "sessionStart" } : action === "auth:signOut" ? { action: "sessionStop" } : null;
309
+ if (actionDispatch === null) return new Response("Invalid action", { status: 400 });
310
+ const host = request.headers.get("host") ?? new URL(request.url).host;
311
+ const currentCookies = parseAuthCookies(request.headers.get("cookie"), host, cookieNamespace);
312
+ return Fx.run(Fx.match(actionDispatch, actionDispatch.action, {
313
+ sessionStart: (_) => Fx.from({
314
+ ok: async () => {
315
+ const refreshDispatch = args.refreshToken === void 0 ? { kind: "passthrough" } : currentCookies.refreshToken === null ? { kind: "refreshRequestedWithoutCookie" } : {
316
+ kind: "hydrateRefreshFromCookie",
317
+ refreshToken: currentCookies.refreshToken
318
+ };
319
+ const refreshResponse = await Fx.run(Fx.match(refreshDispatch, refreshDispatch.kind, {
320
+ passthrough: async () => null,
321
+ hydrateRefreshFromCookie: async ({ refreshToken }) => {
322
+ args.refreshToken = refreshToken;
323
+ return null;
324
+ },
325
+ refreshRequestedWithoutCookie: async () => {
326
+ const currentToken = currentCookies.token;
327
+ const decodedToken = currentToken === null ? null : await Fx.run(Fx.attempt(async () => jwtDecode(currentToken), (decoded) => decoded, () => null));
328
+ const tokenDispatch = currentToken !== null && decodedToken?.exp !== void 0 && decodedToken.iss !== void 0 && acceptedIssuers.has(normalizeIssuer(decodedToken.iss)) && decodedToken.exp * 1e3 > Date.now() ? {
329
+ kind: "validToken",
330
+ token: currentToken
331
+ } : { kind: "missingToken" };
332
+ return await Fx.run(Fx.match(tokenDispatch, tokenDispatch.kind, {
333
+ validToken: ({ token }) => new Response(JSON.stringify({ tokens: {
334
+ token,
335
+ refreshToken: "dummy"
336
+ } }), {
337
+ status: 200,
338
+ headers: { "Content-Type": "application/json" }
339
+ }),
340
+ missingToken: () => new Response(JSON.stringify({ tokens: null }), {
341
+ status: 200,
342
+ headers: { "Content-Type": "application/json" }
343
+ })
344
+ }));
345
+ }
346
+ }));
347
+ const refreshDecision = refreshResponse !== null ? {
348
+ kind: "shortCircuit",
349
+ response: refreshResponse
350
+ } : { kind: "continue" };
351
+ const maybeShortCircuitResponse = await Fx.run(Fx.match(refreshDecision, refreshDecision.kind, {
352
+ shortCircuit: ({ response }) => response,
353
+ continue: () => null
354
+ }));
355
+ if (maybeShortCircuitResponse !== null) return maybeShortCircuitResponse;
356
+ const client = new ConvexHttpClient(convexUrl);
357
+ const authDispatch = args.refreshToken === void 0 && args.params?.code === void 0 && currentCookies.token !== null ? {
358
+ kind: "attachAuth",
359
+ token: currentCookies.token
360
+ } : { kind: "skipAuth" };
361
+ await Fx.run(Fx.match(authDispatch, authDispatch.kind, {
362
+ attachAuth: ({ token }) => {
363
+ client.setAuth(token);
364
+ },
365
+ skipAuth: () => void 0
366
+ }));
367
+ return Fx.run(Fx.from({
368
+ ok: () => client.action(signInActionRef, args),
369
+ err: (error) => error
370
+ }).pipe(Fx.fold({
371
+ ok: (result) => Fx.run(Fx.match(result, result.kind, {
372
+ redirect: (redirectResult) => {
373
+ const response = new Response(JSON.stringify({
374
+ kind: "redirect",
375
+ redirect: redirectResult.redirect,
376
+ verifier: redirectResult.verifier
377
+ }), {
378
+ status: 200,
379
+ headers: { "Content-Type": "application/json" }
380
+ });
381
+ for (const value of serializeAuthCookies({
382
+ ...currentCookies,
383
+ verifier: redirectResult.verifier
384
+ }, host, cookieConfig, cookieNamespace)) response.headers.append("Set-Cookie", value);
385
+ return Fx.succeed(response);
386
+ },
387
+ signedIn: (signedInResult) => {
388
+ const response = new Response(JSON.stringify({
389
+ kind: "signedIn",
390
+ tokens: signedInResult.tokens === null ? null : {
391
+ token: signedInResult.tokens.token,
392
+ refreshToken: "dummy"
393
+ }
394
+ }), {
395
+ status: 200,
396
+ headers: { "Content-Type": "application/json" }
397
+ });
398
+ for (const value of serializeAuthCookies({
399
+ token: signedInResult.tokens?.token ?? null,
400
+ refreshToken: signedInResult.tokens?.refreshToken ?? null,
401
+ verifier: null
402
+ }, host, cookieConfig, cookieNamespace)) response.headers.append("Set-Cookie", value);
403
+ return Fx.succeed(response);
404
+ },
405
+ started: (startedResult) => Fx.succeed(new Response(JSON.stringify(startedResult), {
406
+ status: 200,
407
+ headers: { "Content-Type": "application/json" }
408
+ })),
409
+ passkeyOptions: (passkeyOptionsResult) => Fx.succeed(new Response(JSON.stringify(passkeyOptionsResult), {
410
+ status: 200,
411
+ headers: { "Content-Type": "application/json" }
412
+ })),
413
+ totpRequired: (totpRequiredResult) => Fx.succeed(new Response(JSON.stringify(totpRequiredResult), {
414
+ status: 200,
415
+ headers: { "Content-Type": "application/json" }
416
+ })),
417
+ totpSetup: (totpSetupResult) => Fx.succeed(new Response(JSON.stringify(totpSetupResult), {
418
+ status: 200,
419
+ headers: { "Content-Type": "application/json" }
420
+ })),
421
+ deviceCode: (deviceCodeResult) => Fx.succeed(new Response(JSON.stringify(deviceCodeResult), {
422
+ status: 200,
423
+ headers: { "Content-Type": "application/json" }
424
+ }))
425
+ })),
426
+ err: (error) => {
427
+ const errorBody = error instanceof ConvexError && typeof error.data === "object" && error.data !== null && "code" in error.data ? {
428
+ error: error.data.message ?? String(error),
429
+ authError: error.data
430
+ } : { error: error instanceof Error ? error.message : String(error) };
431
+ const response = new Response(JSON.stringify(errorBody), {
432
+ status: 400,
433
+ headers: { "Content-Type": "application/json" }
434
+ });
435
+ const clearSession = args.refreshToken !== void 0 && error instanceof ConvexError && typeof error.data === "object" && error.data !== null && error.data.code === "INVALID_REFRESH_TOKEN";
436
+ for (const value of serializeAuthCookies({
437
+ token: clearSession ? null : currentCookies.token,
438
+ refreshToken: clearSession ? null : currentCookies.refreshToken,
439
+ verifier: null
440
+ }, host, cookieConfig, cookieNamespace)) response.headers.append("Set-Cookie", value);
441
+ return response;
442
+ }
443
+ })));
444
+ },
445
+ err: (e) => e
446
+ }),
447
+ sessionStop: (_) => Fx.from({
448
+ ok: async () => {
449
+ await Fx.run(Fx.from({
450
+ ok: () => (() => {
451
+ const client = new ConvexHttpClient(convexUrl);
452
+ if (currentCookies.token !== null) client.setAuth(currentCookies.token);
453
+ return client.action(signOutActionRef);
454
+ })(),
455
+ err: (error) => error
456
+ }).pipe(Fx.recover((error) => {
457
+ console.error("[convex-auth/server] proxy sign-out failed", error);
458
+ const fallbackDispatch = currentCookies.refreshToken !== null ? {
459
+ kind: "attemptFallback",
460
+ refreshToken: currentCookies.refreshToken
461
+ } : { kind: "skipFallback" };
462
+ return Fx.match(fallbackDispatch, fallbackDispatch.kind, {
463
+ attemptFallback: ({ refreshToken }) => Fx.from({
464
+ ok: async () => {
465
+ const refreshed = await new ConvexHttpClient(convexUrl).action(signInActionRef, { refreshToken });
466
+ const refreshedTokens = await Fx.run(Fx.match(refreshed, refreshed.kind, {
467
+ signedIn: (signedInResult) => Fx.succeed(signedInResult.tokens),
468
+ redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
469
+ started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
470
+ passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
471
+ totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
472
+ totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
473
+ deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh"))
474
+ }));
475
+ const fallbackSignOutDispatch = refreshedTokens !== null ? {
476
+ kind: "signOutWithRefreshed",
477
+ token: refreshedTokens.token
478
+ } : { kind: "skipRefreshedSignOut" };
479
+ await Fx.run(Fx.match(fallbackSignOutDispatch, fallbackSignOutDispatch.kind, {
480
+ signOutWithRefreshed: ({ token }) => Fx.from({
481
+ ok: async () => {
482
+ const client = new ConvexHttpClient(convexUrl);
483
+ client.setAuth(token);
484
+ await client.action(signOutActionRef);
485
+ },
486
+ err: (error$1) => error$1
487
+ }),
488
+ skipRefreshedSignOut: () => Fx.succeed(void 0)
489
+ }));
490
+ },
491
+ err: (fallbackError) => fallbackError
492
+ }).pipe(Fx.recover((fallbackError) => {
493
+ console.error("[convex-auth/server] proxy sign-out fallback failed", fallbackError);
494
+ return Fx.succeed(void 0);
495
+ })),
496
+ skipFallback: () => Fx.succeed(void 0)
497
+ });
498
+ }), Fx.map(() => void 0)));
499
+ const response = new Response(JSON.stringify(null), {
500
+ status: 200,
501
+ headers: { "Content-Type": "application/json" }
502
+ });
503
+ for (const value of serializeAuthCookies({
504
+ token: null,
505
+ refreshToken: null,
506
+ verifier: null
507
+ }, host, cookieConfig, cookieNamespace)) response.headers.append("Set-Cookie", value);
508
+ return response;
509
+ },
510
+ err: (e) => e
511
+ })
512
+ }));
513
+ },
514
+ async refresh(request) {
515
+ const host = request.headers.get("host") ?? new URL(request.url).host;
516
+ const currentCookies = parseAuthCookies(request.headers.get("cookie"), host, cookieNamespace);
517
+ const currentToken = currentCookies.token;
518
+ const originHeader = request.headers.get("origin");
519
+ const forwardedProtoHeader = request.headers.get("x-forwarded-proto");
520
+ const protocol = forwardedProtoHeader !== null ? (() => {
521
+ const forwardedProto = forwardedProtoHeader.split(",")[0]?.trim();
522
+ if (forwardedProto !== void 0 && forwardedProto.length > 0) return forwardedProto.endsWith(":") ? forwardedProto : `${forwardedProto}:`;
523
+ return new URL(request.url).protocol;
524
+ })() : new URL(request.url).protocol;
525
+ const requestHost = request.headers.get("host") ?? new URL(request.url).host;
526
+ const hostCandidate = `${protocol}//${requestHost}`;
527
+ const normalizedHost = canParseUrl(hostCandidate) ? new URL(hostCandidate).host : requestHost;
528
+ const originUrl = originHeader !== null && canParseUrl(originHeader) ? new URL(originHeader) : null;
529
+ const corsDispatch = originHeader !== null && (originUrl === null || originUrl.host !== normalizedHost || originUrl.protocol !== protocol) ? { kind: "crossOrigin" } : { kind: "sameOrigin" };
530
+ const corsRefreshResult = await Fx.run(Fx.match(corsDispatch, corsDispatch.kind, {
531
+ crossOrigin: () => ({
532
+ redirect: false,
533
+ cookies: [],
534
+ token: null
535
+ }),
536
+ sameOrigin: () => null
537
+ }));
538
+ if (corsRefreshResult !== null) return corsRefreshResult;
539
+ const requestUrl = new URL(request.url);
540
+ const code = requestUrl.searchParams.get("code");
541
+ const shouldHandleCode = options.shouldHandleCode === void 0 ? true : typeof options.shouldHandleCode === "function" ? await options.shouldHandleCode(request) : options.shouldHandleCode;
542
+ const codeExchangeDispatch = code !== null && request.method === "GET" && request.headers.get("accept")?.includes("text/html") && shouldHandleCode ? {
543
+ kind: "exchange",
544
+ code
545
+ } : { kind: "skip" };
546
+ const codeExchangeResult = await Fx.run(Fx.match(codeExchangeDispatch, codeExchangeDispatch.kind, {
547
+ exchange: async ({ code: verificationCode }) => {
548
+ const redirectUrl = new URL(requestUrl.toString());
549
+ return Fx.run(Fx.from({
550
+ ok: async () => {
551
+ const result = await new ConvexHttpClient(convexUrl).action(signInActionRef, {
552
+ params: { code: verificationCode },
553
+ verifier: currentCookies.verifier ?? void 0
554
+ });
555
+ return {
556
+ kind: "signedIn",
557
+ tokens: await Fx.run(Fx.match(result, result.kind, {
558
+ signedIn: (signedInResult) => Fx.succeed(signedInResult.tokens),
559
+ redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for code exchange")),
560
+ started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for code exchange")),
561
+ passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for code exchange")),
562
+ totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for code exchange")),
563
+ totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for code exchange")),
564
+ deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for code exchange"))
565
+ }))
566
+ };
567
+ },
568
+ err: (error) => error
569
+ }).pipe(Fx.fold({
570
+ ok: (result) => {
571
+ redirectUrl.searchParams.delete("code");
572
+ const cookies = structuredAuthCookies({
573
+ token: result.tokens?.token ?? null,
574
+ refreshToken: result.tokens?.refreshToken ?? null,
575
+ verifier: null
576
+ }, host, cookieConfig, cookieNamespace);
577
+ return {
578
+ redirect: true,
579
+ response: buildRedirectResponse(redirectUrl.toString(), cookies)
580
+ };
581
+ },
582
+ err: (error) => {
583
+ console.error("[convex-auth/server] code exchange failed", error);
584
+ const errorCode = error instanceof ConvexError && typeof error.data === "object" && error.data !== null && typeof error.data.code === "string" ? error.data.code : null;
585
+ if (!(errorCode === "OAUTH_INVALID_STATE" || errorCode === "OAUTH_PROVIDER_ERROR" || errorCode === "OAUTH_MISSING_ID_TOKEN" || errorCode === "OAUTH_INVALID_PROFILE" || errorCode === "OAUTH_MISSING_VERIFIER" || errorCode === "INVALID_VERIFIER" || errorCode === "INVALID_VERIFICATION_CODE")) return {
586
+ redirect: false,
587
+ cookies: [],
588
+ token: currentCookies.token
589
+ };
590
+ redirectUrl.searchParams.delete("code");
591
+ const cookies = structuredAuthCookies({
592
+ token: currentCookies.token,
593
+ refreshToken: currentCookies.refreshToken,
594
+ verifier: null
595
+ }, host, cookieConfig, cookieNamespace);
596
+ return {
597
+ redirect: true,
598
+ response: buildRedirectResponse(redirectUrl.toString(), cookies)
599
+ };
600
+ }
601
+ })));
602
+ },
603
+ skip: async () => null
604
+ }));
605
+ const codeExchangeDecision = codeExchangeResult !== null ? {
606
+ kind: "done",
607
+ result: codeExchangeResult
608
+ } : { kind: "continue" };
609
+ const maybeCodeExchangeResult = await Fx.run(Fx.match(codeExchangeDecision, codeExchangeDecision.kind, {
610
+ done: ({ result }) => result,
611
+ continue: () => null
612
+ }));
613
+ if (maybeCodeExchangeResult !== null) return maybeCodeExchangeResult;
614
+ const tokens = await Fx.run(Fx.gen(function* () {
615
+ const { token, refreshToken } = currentCookies;
616
+ const malformedRefreshTokenDispatch = refreshToken !== null && (refreshToken.trim().length === 0 || refreshToken === "dummy") ? { kind: "malformed" } : { kind: "ok" };
617
+ const malformedRefreshTokenResult = yield* Fx.match(malformedRefreshTokenDispatch, malformedRefreshTokenDispatch.kind, {
618
+ malformed: () => {
619
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Refresh token cookie malformed, clearing auth cookies`);
620
+ return null;
621
+ },
622
+ ok: () => void 0
623
+ });
624
+ if (malformedRefreshTokenResult !== void 0) return malformedRefreshTokenResult;
625
+ const decodedToken = token === null ? null : yield* Fx.attempt(async () => jwtDecode(token), (decoded) => decoded, () => null);
626
+ const issuerDispatch = decodedToken?.iss !== void 0 && !acceptedIssuers.has(normalizeIssuer(decodedToken.iss)) ? { kind: "issuerMismatch" } : { kind: "issuerOk" };
627
+ const issuerResult = yield* Fx.match(issuerDispatch, issuerDispatch.kind, {
628
+ issuerMismatch: () => {
629
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Access token issuer mismatch, clearing auth cookies`);
630
+ return null;
631
+ },
632
+ issuerOk: () => void 0
633
+ });
634
+ if (issuerResult !== void 0) return issuerResult;
635
+ const tokenState = token === null ? refreshToken === null ? { kind: "none" } : {
636
+ kind: "refreshOnly",
637
+ refreshToken
638
+ } : refreshToken === null ? {
639
+ kind: "accessOnly",
640
+ token
641
+ } : {
642
+ kind: "both",
643
+ token,
644
+ refreshToken
645
+ };
646
+ return yield* Fx.match(tokenState, tokenState.kind, {
647
+ none: () => {
648
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] No auth cookies found, skipping refresh`);
649
+ return Fx.succeed(void 0);
650
+ },
651
+ refreshOnly: ({ refreshToken: refreshTokenValue }) => {
652
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Access token cookie missing, attempting refresh-token recovery`);
653
+ return Fx.from({
654
+ ok: async () => {
655
+ const result = await new ConvexHttpClient(convexUrl).action(signInActionRef, { refreshToken: refreshTokenValue });
656
+ const tokens$1 = await Fx.run(Fx.match(result, result.kind, {
657
+ signedIn: (signedInResult) => Fx.succeed(signedInResult.tokens),
658
+ redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
659
+ started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
660
+ passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
661
+ totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
662
+ totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
663
+ deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh"))
664
+ }));
665
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Refreshed tokens, null=${tokens$1 === null}`);
666
+ return tokens$1;
667
+ },
668
+ err: (error) => error
669
+ }).pipe(Fx.recover((error) => {
670
+ console.error("[convex-auth/server] refresh-token exchange failed", error);
671
+ if ((error instanceof ConvexError && typeof error.data === "object" && error.data !== null && typeof error.data.code === "string" ? error.data.code : null) === "INVALID_REFRESH_TOKEN") {
672
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Refresh token rejected, clearing auth cookies`);
673
+ return Fx.succeed(null);
674
+ }
675
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Token refresh failed transiently, keeping current cookies`);
676
+ return Fx.succeed(void 0);
677
+ }));
678
+ },
679
+ accessOnly: () => {
680
+ const accessOnlyDispatch = decodedToken?.exp !== void 0 && decodedToken.iss !== void 0 && acceptedIssuers.has(normalizeIssuer(decodedToken.iss)) && decodedToken.exp * 1e3 > Date.now() ? { kind: "accessValid" } : { kind: "accessInvalid" };
681
+ return Fx.match(accessOnlyDispatch, accessOnlyDispatch.kind, {
682
+ accessValid: () => {
683
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Refresh token cookie missing but access token still valid`);
684
+ return Fx.succeed(void 0);
685
+ },
686
+ accessInvalid: () => {
687
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Refresh token cookie missing and access token invalid, clearing`);
688
+ return Fx.succeed(null);
689
+ }
690
+ });
691
+ },
692
+ both: ({ refreshToken: refreshTokenValue }) => {
693
+ const bothDecodeDispatch = decodedToken?.exp === void 0 || decodedToken.iat === void 0 ? { kind: "undecodable" } : {
694
+ kind: "decoded",
695
+ decodedToken
696
+ };
697
+ return Fx.match(bothDecodeDispatch, bothDecodeDispatch.kind, {
698
+ undecodable: () => {
699
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Failed to decode access token, attempting refresh-token recovery`);
700
+ return Fx.from({
701
+ ok: async () => {
702
+ const result = await new ConvexHttpClient(convexUrl).action(signInActionRef, { refreshToken: refreshTokenValue });
703
+ const tokens$1 = await Fx.run(Fx.match(result, result.kind, {
704
+ signedIn: (signedInResult) => Fx.succeed(signedInResult.tokens),
705
+ redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
706
+ started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
707
+ passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
708
+ totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
709
+ totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
710
+ deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh"))
711
+ }));
712
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Refreshed tokens, null=${tokens$1 === null}`);
713
+ return tokens$1;
714
+ },
715
+ err: (error) => error
716
+ }).pipe(Fx.recover((error) => {
717
+ console.error("[convex-auth/server] refresh-token exchange failed", error);
718
+ if ((error instanceof ConvexError && typeof error.data === "object" && error.data !== null && typeof error.data.code === "string" ? error.data.code : null) === "INVALID_REFRESH_TOKEN") {
719
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Refresh token rejected, clearing auth cookies`);
720
+ return Fx.succeed(null);
721
+ }
722
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Token refresh failed transiently, keeping current cookies`);
723
+ return Fx.succeed(void 0);
724
+ }));
725
+ },
726
+ decoded: ({ decodedToken: decodedAccessToken }) => {
727
+ const totalTokenLifetimeMs = decodedAccessToken.exp * 1e3 - decodedAccessToken.iat * 1e3;
728
+ const minimumExpiration = Date.now() + Math.min(REQUIRED_TOKEN_LIFETIME_MS, Math.max(MINIMUM_REQUIRED_TOKEN_LIFETIME_MS, totalTokenLifetimeMs / 10));
729
+ const expirationDispatch = decodedAccessToken.exp * 1e3 > minimumExpiration ? { kind: "skipRefresh" } : { kind: "refresh" };
730
+ return Fx.match(expirationDispatch, expirationDispatch.kind, {
731
+ skipRefresh: () => {
732
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Token valid long enough, skipping refresh`);
733
+ return Fx.succeed(void 0);
734
+ },
735
+ refresh: () => Fx.from({
736
+ ok: async () => {
737
+ const result = await new ConvexHttpClient(convexUrl).action(signInActionRef, { refreshToken: refreshTokenValue });
738
+ const tokens$1 = await Fx.run(Fx.match(result, result.kind, {
739
+ signedIn: (signedInResult) => Fx.succeed(signedInResult.tokens),
740
+ redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
741
+ started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
742
+ passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
743
+ totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
744
+ totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh")),
745
+ deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for token refresh"))
746
+ }));
747
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Refreshed tokens, null=${tokens$1 === null}`);
748
+ return tokens$1;
749
+ },
750
+ err: (error) => error
751
+ }).pipe(Fx.recover((error) => {
752
+ console.error("[convex-auth/server] refresh-token exchange failed", error);
753
+ if ((error instanceof ConvexError && typeof error.data === "object" && error.data !== null && typeof error.data.code === "string" ? error.data.code : null) === "INVALID_REFRESH_TOKEN") {
754
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Refresh token rejected, clearing auth cookies`);
755
+ return Fx.succeed(null);
756
+ }
757
+ if (verbose) console.debug(`${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] Token refresh failed transiently, keeping current cookies`);
758
+ return Fx.succeed(void 0);
759
+ }))
760
+ });
761
+ }
762
+ });
763
+ }
764
+ });
765
+ }));
766
+ if (tokens === void 0) return {
767
+ redirect: false,
768
+ cookies: [],
769
+ token: currentToken
770
+ };
771
+ return {
772
+ redirect: false,
773
+ cookies: structuredAuthCookies({
774
+ token: tokens?.token ?? null,
775
+ refreshToken: tokens?.refreshToken ?? null,
776
+ verifier: null
777
+ }, host, cookieConfig, cookieNamespace),
778
+ token: tokens?.token ?? null
779
+ };
780
+ }
781
+ };
782
+ }
783
+
784
+ //#endregion
785
+ export { authCookieNames, parseAuthCookies, serializeAuthCookies, server, shouldProxyAuthAction, structuredAuthCookies };
786
+ //# sourceMappingURL=ssr.js.map