@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.23
- package/dist/authorization/index.d.ts +1 -1
- package/dist/authorization/index.js +1 -1
- package/dist/authorization/index.js.map +1 -1
- package/dist/client/index.d.ts +1 -2
- package/dist/client/index.d.ts.map +1 -1
- package/dist/client/index.js +36 -39
- package/dist/client/index.js.map +1 -1
- package/dist/component/client/index.d.ts +1 -2
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/convex.config.d.ts.map +1 -1
- package/dist/component/model.d.ts +5 -5
- package/dist/component/model.d.ts.map +1 -1
- package/dist/component/public/enterprise/audit.d.ts.map +1 -1
- package/dist/component/public/enterprise/audit.js.map +1 -1
- package/dist/component/public/enterprise/core.d.ts.map +1 -1
- package/dist/component/public/enterprise/core.js.map +1 -1
- package/dist/component/public/enterprise/domains.d.ts.map +1 -1
- package/dist/component/public/enterprise/domains.js.map +1 -1
- package/dist/component/public/enterprise/scim.d.ts.map +1 -1
- package/dist/component/public/enterprise/scim.js.map +1 -1
- package/dist/component/public/enterprise/secrets.d.ts.map +1 -1
- package/dist/component/public/enterprise/secrets.js.map +1 -1
- package/dist/component/public/enterprise/webhooks.d.ts.map +1 -1
- package/dist/component/public/enterprise/webhooks.js.map +1 -1
- package/dist/component/public/factors/devices.d.ts.map +1 -1
- package/dist/component/public/factors/devices.js.map +1 -1
- package/dist/component/public/factors/passkeys.d.ts.map +1 -1
- package/dist/component/public/factors/passkeys.js.map +1 -1
- package/dist/component/public/factors/totp.d.ts.map +1 -1
- package/dist/component/public/factors/totp.js.map +1 -1
- package/dist/component/public/groups/core.js.map +1 -1
- package/dist/component/public/groups/invites.d.ts.map +1 -1
- package/dist/component/public/groups/invites.js.map +1 -1
- package/dist/component/public/groups/members.d.ts.map +1 -1
- package/dist/component/public/groups/members.js.map +1 -1
- package/dist/component/public/identity/accounts.d.ts.map +1 -1
- package/dist/component/public/identity/accounts.js.map +1 -1
- package/dist/component/public/identity/codes.d.ts.map +1 -1
- package/dist/component/public/identity/codes.js.map +1 -1
- package/dist/component/public/identity/sessions.d.ts.map +1 -1
- package/dist/component/public/identity/sessions.js.map +1 -1
- package/dist/component/public/identity/tokens.d.ts.map +1 -1
- package/dist/component/public/identity/tokens.js.map +1 -1
- package/dist/component/public/identity/users.d.ts.map +1 -1
- package/dist/component/public/identity/users.js.map +1 -1
- package/dist/component/public/identity/verifiers.d.ts.map +1 -1
- package/dist/component/public/identity/verifiers.js.map +1 -1
- package/dist/component/public/security/keys.d.ts.map +1 -1
- package/dist/component/public/security/keys.js.map +1 -1
- package/dist/component/public/security/limits.d.ts.map +1 -1
- package/dist/component/public/security/limits.js.map +1 -1
- package/dist/component/schema.d.ts +39 -39
- package/dist/component/server/auth.d.ts +95 -52
- package/dist/component/server/auth.d.ts.map +1 -1
- package/dist/component/server/auth.js +63 -43
- package/dist/component/server/auth.js.map +1 -1
- package/dist/component/server/core.js +116 -235
- package/dist/component/server/core.js.map +1 -1
- package/dist/component/server/crypto.js +25 -7
- package/dist/component/server/crypto.js.map +1 -1
- package/dist/component/server/device.js +58 -15
- package/dist/component/server/device.js.map +1 -1
- package/dist/component/server/enterprise/domain.js +148 -59
- package/dist/component/server/enterprise/domain.js.map +1 -1
- package/dist/component/server/enterprise/http.js +36 -15
- package/dist/component/server/enterprise/http.js.map +1 -1
- package/dist/component/server/enterprise/oidc.js +1 -1
- package/dist/component/server/http.js +26 -21
- package/dist/component/server/http.js.map +1 -1
- package/dist/component/server/identity.js +5 -2
- package/dist/component/server/identity.js.map +1 -1
- package/dist/component/server/limits.js +21 -30
- package/dist/component/server/limits.js.map +1 -1
- package/dist/component/server/mutations/account.js +12 -10
- package/dist/component/server/mutations/account.js.map +1 -1
- package/dist/component/server/mutations/code.js +5 -2
- package/dist/component/server/mutations/code.js.map +1 -1
- package/dist/component/server/mutations/invalidate.js +1 -1
- package/dist/component/server/mutations/invalidate.js.map +1 -1
- package/dist/component/server/mutations/oauth.js +10 -4
- package/dist/component/server/mutations/oauth.js.map +1 -1
- package/dist/component/server/mutations/refresh.js +2 -2
- package/dist/component/server/mutations/refresh.js.map +1 -1
- package/dist/component/server/mutations/register.js +46 -42
- package/dist/component/server/mutations/register.js.map +1 -1
- package/dist/component/server/mutations/retrieve.js +21 -25
- package/dist/component/server/mutations/retrieve.js.map +1 -1
- package/dist/component/server/mutations/signature.js +10 -4
- package/dist/component/server/mutations/signature.js.map +1 -1
- package/dist/component/server/mutations/signout.js.map +1 -1
- package/dist/component/server/mutations/store.js +9 -24
- package/dist/component/server/mutations/store.js.map +1 -1
- package/dist/component/server/mutations/verifier.js.map +1 -1
- package/dist/component/server/mutations/verify.js +1 -1
- package/dist/component/server/mutations/verify.js.map +1 -1
- package/dist/component/server/oauth.js +53 -16
- package/dist/component/server/oauth.js.map +1 -1
- package/dist/component/server/passkey.js +115 -31
- package/dist/component/server/passkey.js.map +1 -1
- package/dist/component/server/redirects.js +9 -3
- package/dist/component/server/redirects.js.map +1 -1
- package/dist/component/server/refresh.js +10 -7
- package/dist/component/server/refresh.js.map +1 -1
- package/dist/component/server/runtime.d.ts +3 -3
- package/dist/component/server/runtime.d.ts.map +1 -1
- package/dist/component/server/runtime.js +62 -20
- package/dist/component/server/runtime.js.map +1 -1
- package/dist/component/server/signin.js +34 -10
- package/dist/component/server/signin.js.map +1 -1
- package/dist/component/server/totp.js +79 -19
- package/dist/component/server/totp.js.map +1 -1
- package/dist/component/server/types.d.ts +12 -20
- package/dist/component/server/types.d.ts.map +1 -1
- package/dist/component/server/types.js.map +1 -1
- package/dist/component/server/users.js +6 -3
- package/dist/component/server/users.js.map +1 -1
- package/dist/component/server/utils.js +10 -4
- package/dist/component/server/utils.js.map +1 -1
- package/dist/core/types.d.ts +14 -22
- package/dist/core/types.d.ts.map +1 -1
- package/dist/factors/device.js +8 -9
- package/dist/factors/device.js.map +1 -1
- package/dist/factors/passkey.js +18 -21
- package/dist/factors/passkey.js.map +1 -1
- package/dist/providers/password.js +66 -81
- package/dist/providers/password.js.map +1 -1
- package/dist/runtime/invite.js +2 -8
- package/dist/runtime/invite.js.map +1 -1
- package/dist/server/auth.d.ts +95 -52
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +63 -43
- package/dist/server/auth.js.map +1 -1
- package/dist/server/core.d.ts +71 -159
- package/dist/server/core.d.ts.map +1 -1
- package/dist/server/core.js +116 -235
- package/dist/server/core.js.map +1 -1
- package/dist/server/crypto.d.ts.map +1 -1
- package/dist/server/crypto.js +25 -7
- package/dist/server/crypto.js.map +1 -1
- package/dist/server/device.js +58 -15
- package/dist/server/device.js.map +1 -1
- package/dist/server/enterprise/domain.d.ts +0 -8
- package/dist/server/enterprise/domain.d.ts.map +1 -1
- package/dist/server/enterprise/domain.js +148 -59
- package/dist/server/enterprise/domain.js.map +1 -1
- package/dist/server/enterprise/http.d.ts.map +1 -1
- package/dist/server/enterprise/http.js +35 -14
- package/dist/server/enterprise/http.js.map +1 -1
- package/dist/server/http.d.ts +2 -2
- package/dist/server/http.d.ts.map +1 -1
- package/dist/server/http.js +25 -20
- package/dist/server/http.js.map +1 -1
- package/dist/server/identity.js +5 -2
- package/dist/server/identity.js.map +1 -1
- package/dist/server/index.d.ts +2 -2
- package/dist/server/limits.js +21 -30
- package/dist/server/limits.js.map +1 -1
- package/dist/server/mounts.d.ts +26 -64
- package/dist/server/mounts.d.ts.map +1 -1
- package/dist/server/mounts.js +45 -106
- package/dist/server/mounts.js.map +1 -1
- package/dist/server/mutations/account.d.ts +8 -9
- package/dist/server/mutations/account.d.ts.map +1 -1
- package/dist/server/mutations/account.js +11 -9
- package/dist/server/mutations/account.js.map +1 -1
- package/dist/server/mutations/code.d.ts +13 -13
- package/dist/server/mutations/code.d.ts.map +1 -1
- package/dist/server/mutations/code.js +5 -2
- package/dist/server/mutations/code.js.map +1 -1
- package/dist/server/mutations/invalidate.d.ts +4 -4
- package/dist/server/mutations/invalidate.d.ts.map +1 -1
- package/dist/server/mutations/invalidate.js.map +1 -1
- package/dist/server/mutations/oauth.d.ts +12 -10
- package/dist/server/mutations/oauth.d.ts.map +1 -1
- package/dist/server/mutations/oauth.js +9 -3
- package/dist/server/mutations/oauth.js.map +1 -1
- package/dist/server/mutations/refresh.d.ts +3 -3
- package/dist/server/mutations/refresh.d.ts.map +1 -1
- package/dist/server/mutations/refresh.js +1 -1
- package/dist/server/mutations/refresh.js.map +1 -1
- package/dist/server/mutations/register.d.ts +11 -11
- package/dist/server/mutations/register.d.ts.map +1 -1
- package/dist/server/mutations/register.js +45 -41
- package/dist/server/mutations/register.js.map +1 -1
- package/dist/server/mutations/retrieve.d.ts +6 -6
- package/dist/server/mutations/retrieve.d.ts.map +1 -1
- package/dist/server/mutations/retrieve.js +20 -24
- package/dist/server/mutations/retrieve.js.map +1 -1
- package/dist/server/mutations/signature.d.ts +6 -7
- package/dist/server/mutations/signature.d.ts.map +1 -1
- package/dist/server/mutations/signature.js +9 -3
- package/dist/server/mutations/signature.js.map +1 -1
- package/dist/server/mutations/signin.d.ts +5 -5
- package/dist/server/mutations/signin.d.ts.map +1 -1
- package/dist/server/mutations/signout.js.map +1 -1
- package/dist/server/mutations/store.d.ts +97 -97
- package/dist/server/mutations/store.d.ts.map +1 -1
- package/dist/server/mutations/store.js +8 -23
- package/dist/server/mutations/store.js.map +1 -1
- package/dist/server/mutations/verifier.js.map +1 -1
- package/dist/server/mutations/verify.d.ts +10 -10
- package/dist/server/mutations/verify.d.ts.map +1 -1
- package/dist/server/mutations/verify.js.map +1 -1
- package/dist/server/oauth.js +53 -16
- package/dist/server/oauth.js.map +1 -1
- package/dist/server/passkey.d.ts +2 -2
- package/dist/server/passkey.d.ts.map +1 -1
- package/dist/server/passkey.js +114 -30
- package/dist/server/passkey.js.map +1 -1
- package/dist/server/redirects.js +9 -3
- package/dist/server/redirects.js.map +1 -1
- package/dist/server/refresh.js +10 -7
- package/dist/server/refresh.js.map +1 -1
- package/dist/server/runtime.d.ts +14 -14
- package/dist/server/runtime.d.ts.map +1 -1
- package/dist/server/runtime.js +61 -19
- package/dist/server/runtime.js.map +1 -1
- package/dist/server/signin.js +34 -10
- package/dist/server/signin.js.map +1 -1
- package/dist/server/ssr.d.ts.map +1 -1
- package/dist/server/ssr.js +175 -184
- package/dist/server/ssr.js.map +1 -1
- package/dist/server/totp.js +78 -18
- package/dist/server/totp.js.map +1 -1
- package/dist/server/types.d.ts +13 -21
- package/dist/server/types.d.ts.map +1 -1
- package/dist/server/types.js.map +1 -1
- package/dist/server/users.js +6 -3
- package/dist/server/users.js.map +1 -1
- package/dist/server/utils.js +10 -4
- package/dist/server/utils.js.map +1 -1
- package/package.json +2 -6
- package/src/authorization/index.ts +1 -1
- package/src/cli/index.ts +1 -1
- package/src/client/core/types.ts +14 -14
- package/src/client/factors/device.ts +10 -12
- package/src/client/factors/passkey.ts +23 -26
- package/src/client/index.ts +54 -64
- package/src/client/runtime/invite.ts +5 -7
- package/src/component/index.ts +1 -0
- package/src/component/public/enterprise/audit.ts +6 -1
- package/src/component/public/enterprise/core.ts +1 -0
- package/src/component/public/enterprise/domains.ts +5 -1
- package/src/component/public/enterprise/scim.ts +1 -0
- package/src/component/public/enterprise/secrets.ts +1 -0
- package/src/component/public/enterprise/webhooks.ts +1 -0
- package/src/component/public/factors/devices.ts +1 -0
- package/src/component/public/factors/passkeys.ts +1 -0
- package/src/component/public/factors/totp.ts +1 -0
- package/src/component/public/groups/core.ts +1 -1
- package/src/component/public/groups/invites.ts +7 -1
- package/src/component/public/groups/members.ts +1 -0
- package/src/component/public/identity/accounts.ts +1 -0
- package/src/component/public/identity/codes.ts +1 -0
- package/src/component/public/identity/sessions.ts +1 -0
- package/src/component/public/identity/tokens.ts +1 -0
- package/src/component/public/identity/users.ts +1 -0
- package/src/component/public/identity/verifiers.ts +1 -0
- package/src/component/public/security/keys.ts +1 -0
- package/src/component/public/security/limits.ts +1 -0
- package/src/providers/password.ts +89 -110
- package/src/server/auth.ts +177 -111
- package/src/server/core.ts +197 -233
- package/src/server/crypto.ts +31 -29
- package/src/server/device.ts +65 -32
- package/src/server/enterprise/domain.ts +158 -170
- package/src/server/enterprise/http.ts +46 -39
- package/src/server/http.ts +36 -30
- package/src/server/identity.ts +5 -5
- package/src/server/index.ts +2 -0
- package/src/server/limits.ts +53 -80
- package/src/server/mounts.ts +47 -74
- package/src/server/mutations/account.ts +22 -36
- package/src/server/mutations/code.ts +6 -6
- package/src/server/mutations/invalidate.ts +1 -1
- package/src/server/mutations/oauth.ts +14 -8
- package/src/server/mutations/refresh.ts +5 -4
- package/src/server/mutations/register.ts +87 -132
- package/src/server/mutations/retrieve.ts +44 -44
- package/src/server/mutations/signature.ts +13 -6
- package/src/server/mutations/signout.ts +1 -1
- package/src/server/mutations/store.ts +16 -31
- package/src/server/mutations/verifier.ts +1 -1
- package/src/server/mutations/verify.ts +3 -5
- package/src/server/oauth.ts +60 -69
- package/src/server/passkey.ts +567 -517
- package/src/server/redirects.ts +10 -6
- package/src/server/refresh.ts +14 -18
- package/src/server/runtime.ts +70 -55
- package/src/server/signin.ts +44 -37
- package/src/server/ssr.ts +390 -407
- package/src/server/totp.ts +85 -35
- package/src/server/types.ts +19 -22
- package/src/server/users.ts +7 -6
- package/src/server/utils.ts +10 -12
- package/dist/component/server/authError.js +0 -34
- package/dist/component/server/authError.js.map +0 -1
- package/dist/component/server/errors.d.ts +0 -1
- package/dist/component/server/errors.js +0 -137
- package/dist/component/server/errors.js.map +0 -1
- package/dist/server/authError.d.ts +0 -46
- package/dist/server/authError.d.ts.map +0 -1
- package/dist/server/authError.js +0 -34
- package/dist/server/authError.js.map +0 -1
- package/dist/server/errors.d.ts +0 -177
- package/dist/server/errors.d.ts.map +0 -1
- package/dist/server/errors.js +0 -212
- package/dist/server/errors.js.map +0 -1
- package/src/server/authError.ts +0 -44
- package/src/server/errors.ts +0 -290
|
@@ -1,5 +1,3 @@
|
|
|
1
|
-
import { AuthError } from "./authError.js";
|
|
2
|
-
import { errorMessage } from "./utils.js";
|
|
3
1
|
import { authDb } from "./db.js";
|
|
4
2
|
import { Fx } from "@robelest/fx";
|
|
5
3
|
|
|
@@ -16,45 +14,38 @@ const isSignInRateLimited = (ctx, identifier, config) => getRateLimitState(ctx,
|
|
|
16
14
|
* If a record exists, decrement; otherwise create.
|
|
17
15
|
*/
|
|
18
16
|
/** @internal */
|
|
19
|
-
const recordFailedSignIn = (ctx, identifier, config) =>
|
|
20
|
-
|
|
17
|
+
const recordFailedSignIn = (ctx, identifier, config) => Fx.gen(function* () {
|
|
18
|
+
const state = yield* getRateLimitState(ctx, identifier, config);
|
|
19
|
+
if (state !== null) yield* Fx.promise(() => authDb(ctx, config).rateLimits.patch(state.limit._id, {
|
|
21
20
|
attemptsLeft: state.attemptsLeft - 1,
|
|
22
21
|
lastAttemptTime: Date.now()
|
|
23
|
-
})
|
|
24
|
-
|
|
25
|
-
}) : Fx.from({
|
|
26
|
-
ok: () => authDb(ctx, config).rateLimits.create({
|
|
22
|
+
}));
|
|
23
|
+
else yield* Fx.promise(() => authDb(ctx, config).rateLimits.create({
|
|
27
24
|
identifier,
|
|
28
25
|
attemptsLeft: (config.signIn?.maxFailedAttemptsPerHour ?? DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR) - 1,
|
|
29
26
|
lastAttemptTime: Date.now()
|
|
30
|
-
})
|
|
31
|
-
|
|
32
|
-
})), Fx.map(() => void 0));
|
|
27
|
+
}));
|
|
28
|
+
});
|
|
33
29
|
/**
|
|
34
30
|
* Reset the rate limit for the given identifier (e.g. after successful sign-in).
|
|
35
31
|
*/
|
|
36
32
|
/** @internal */
|
|
37
|
-
const resetSignInRateLimit = (ctx, identifier, config) =>
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
})
|
|
41
|
-
const getRateLimitState = (ctx, identifier, config) => {
|
|
33
|
+
const resetSignInRateLimit = (ctx, identifier, config) => Fx.gen(function* () {
|
|
34
|
+
const state = yield* getRateLimitState(ctx, identifier, config);
|
|
35
|
+
if (state !== null) yield* Fx.promise(() => authDb(ctx, config).rateLimits.delete(state.limit._id));
|
|
36
|
+
});
|
|
37
|
+
const getRateLimitState = (ctx, identifier, config) => Fx.gen(function* () {
|
|
42
38
|
const now = Date.now();
|
|
43
39
|
const maxAttemptsPerHour = config.signIn?.maxFailedAttemptsPerHour ?? DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR;
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
limit,
|
|
54
|
-
attemptsLeft: Math.min(maxAttemptsPerHour, limit.attemptsLeft + elapsed * maxAttemptsPerMs)
|
|
55
|
-
};
|
|
56
|
-
}));
|
|
57
|
-
};
|
|
40
|
+
const limit = yield* Fx.promise(() => authDb(ctx, config).rateLimits.get(identifier));
|
|
41
|
+
if (limit === null) return null;
|
|
42
|
+
const elapsed = now - limit.lastAttemptTime;
|
|
43
|
+
const maxAttemptsPerMs = maxAttemptsPerHour / (3600 * 1e3);
|
|
44
|
+
return {
|
|
45
|
+
limit,
|
|
46
|
+
attemptsLeft: Math.min(maxAttemptsPerHour, limit.attemptsLeft + elapsed * maxAttemptsPerMs)
|
|
47
|
+
};
|
|
48
|
+
});
|
|
58
49
|
|
|
59
50
|
//#endregion
|
|
60
51
|
export { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit };
|
|
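Review bot: getRateLimitState (new lines 40–47) derives `elapsed` and `attemptsLeft` directly from `limit.lastAttemptTime` and `limit.attemptsLeft` without checking that either is a number; the TypeScript source embedded in the adjacent source map reaches those fields through an `as Doc<"RateLimit"> & { attemptsLeft: number; lastAttemptTime: number }` cast, which suggests the stored document type does not guarantee them. If either field is missing, `elapsed` and the `Math.min` result become NaN, `NaN < 1` is false in isSignInRateLimited, and recordFailedSignIn then patches `attemptsLeft: NaN - 1`, so the limiter is disabled for that identifier (fail open) until resetSignInRateLimit deletes the record after a successful sign-in. Normalizing a malformed record right after the null check, `if (typeof limit.attemptsLeft !== "number" || typeof limit.lastAttemptTime !== "number") return { limit, attemptsLeft: maxAttemptsPerHour };`, bounds the attempts and lets the next patch repair both fields. Whether such records can actually occur depends on the schema, which is not in this hunk.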
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"limits.js","names":[],"sources":["../../../src/server/limits.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\
|
|
1
|
+
{"version":3,"file":"limits.js","names":[],"sources":["../../../src/server/limits.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { ConvexError } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { ConvexAuthConfig } from \"./types\";\n\nconst DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;\n\n/**\n * Check whether the given identifier is currently rate-limited.\n */\n/** @internal */\nexport const isSignInRateLimited = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<boolean, ConvexError<any>> =>\n getRateLimitState(ctx, identifier, config).pipe(\n Fx.map((state) => state !== null && state.attemptsLeft < 1),\n );\n\n/**\n * Record a failed sign-in attempt for the given identifier.\n *\n * If a record exists, decrement; otherwise create.\n */\n/** @internal */\nexport const recordFailedSignIn = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<void, ConvexError<any>> =>\n Fx.gen(function* () {\n const state = yield* getRateLimitState(ctx, identifier, config);\n if (state !== null) {\n yield* Fx.promise(() =>\n authDb(ctx, config).rateLimits.patch(state.limit._id, {\n attemptsLeft: state.attemptsLeft - 1,\n lastAttemptTime: Date.now(),\n }),\n );\n } else {\n yield* Fx.promise(() =>\n authDb(ctx, config).rateLimits.create({\n identifier,\n attemptsLeft:\n (config.signIn?.maxFailedAttemptsPerHour ??\n DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR) - 1,\n lastAttemptTime: Date.now(),\n }),\n );\n }\n });\n\n/**\n * Reset the rate limit for the given identifier (e.g. 
after successful sign-in).\n */\n/** @internal */\nexport const resetSignInRateLimit = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<void, ConvexError<any>> =>\n Fx.gen(function* () {\n const state = yield* getRateLimitState(ctx, identifier, config);\n if (state !== null) {\n yield* Fx.promise(() =>\n authDb(ctx, config).rateLimits.delete(state.limit._id),\n );\n }\n });\n\n// ---------------------------------------------------------------------------\n// Internal\n// ---------------------------------------------------------------------------\n\ntype RateLimitState = {\n limit: Doc<\"RateLimit\"> & { attemptsLeft: number; lastAttemptTime: number };\n attemptsLeft: number;\n} | null;\n\nconst getRateLimitState = (\n ctx: MutationCtx,\n identifier: string,\n config: ConvexAuthConfig,\n): Fx<RateLimitState, ConvexError<any>> =>\n Fx.gen(function* () {\n const now = Date.now();\n const maxAttemptsPerHour =\n config.signIn?.maxFailedAttemptsPerHour ??\n DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR;\n\n const limit = (yield* Fx.promise(() =>\n authDb(ctx, config).rateLimits.get(identifier),\n )) as\n | (Doc<\"RateLimit\"> & { attemptsLeft: number; lastAttemptTime: number })\n | null;\n if (limit === null) return null;\n const elapsed = now - limit.lastAttemptTime;\n const maxAttemptsPerMs = maxAttemptsPerHour / (60 * 60 * 1000);\n const attemptsLeft = Math.min(\n maxAttemptsPerHour,\n limit.attemptsLeft + elapsed * maxAttemptsPerMs,\n );\n return { limit, attemptsLeft };\n 
});\n"],"mappings":";;;;AAOA,MAAM,wCAAwC;;;;;AAM9C,MAAa,uBACX,KACA,YACA,WAEA,kBAAkB,KAAK,YAAY,OAAO,CAAC,KACzC,GAAG,KAAK,UAAU,UAAU,QAAQ,MAAM,eAAe,EAAE,CAC5D;;;;;;;AAQH,MAAa,sBACX,KACA,YACA,WAEA,GAAG,IAAI,aAAa;CAClB,MAAM,QAAQ,OAAO,kBAAkB,KAAK,YAAY,OAAO;AAC/D,KAAI,UAAU,KACZ,QAAO,GAAG,cACR,OAAO,KAAK,OAAO,CAAC,WAAW,MAAM,MAAM,MAAM,KAAK;EACpD,cAAc,MAAM,eAAe;EACnC,iBAAiB,KAAK,KAAK;EAC5B,CAAC,CACH;KAED,QAAO,GAAG,cACR,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO;EACpC;EACA,eACG,OAAO,QAAQ,4BACd,yCAAyC;EAC7C,iBAAiB,KAAK,KAAK;EAC5B,CAAC,CACH;EAEH;;;;;AAMJ,MAAa,wBACX,KACA,YACA,WAEA,GAAG,IAAI,aAAa;CAClB,MAAM,QAAQ,OAAO,kBAAkB,KAAK,YAAY,OAAO;AAC/D,KAAI,UAAU,KACZ,QAAO,GAAG,cACR,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO,MAAM,MAAM,IAAI,CACvD;EAEH;AAWJ,MAAM,qBACJ,KACA,YACA,WAEA,GAAG,IAAI,aAAa;CAClB,MAAM,MAAM,KAAK,KAAK;CACtB,MAAM,qBACJ,OAAO,QAAQ,4BACf;CAEF,MAAM,QAAS,OAAO,GAAG,cACvB,OAAO,KAAK,OAAO,CAAC,WAAW,IAAI,WAAW,CAC/C;AAGD,KAAI,UAAU,KAAM,QAAO;CAC3B,MAAM,UAAU,MAAM,MAAM;CAC5B,MAAM,mBAAmB,sBAAsB,OAAU;AAKzD,QAAO;EAAE;EAAO,cAJK,KAAK,IACxB,oBACA,MAAM,eAAe,UAAU,iBAChC;EAC6B;EAC9B"}
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
import { AuthError } from "../authError.js";
|
|
2
1
|
import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
|
|
3
|
-
import { authDb } from "../db.js";
|
|
4
2
|
import { hash } from "../crypto.js";
|
|
3
|
+
import { authDb } from "../db.js";
|
|
5
4
|
import { AUTH_STORE_REF } from "./store/refs.js";
|
|
6
|
-
import {
|
|
5
|
+
import { Cv } from "@robelest/fx/convex";
|
|
7
6
|
import { Fx } from "@robelest/fx";
|
|
7
|
+
import { v } from "convex/values";
|
|
8
8
|
|
|
9
9
|
//#region src/server/mutations/account.ts
|
|
10
10
|
const modifyAccountArgs = v.object({
|
|
@@ -24,13 +24,15 @@ function modifyAccountImpl(ctx, args, getProviderOrThrow, config) {
|
|
|
24
24
|
secret: maybeRedact(account.secret ?? "")
|
|
25
25
|
}
|
|
26
26
|
});
|
|
27
|
-
return Fx.
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
27
|
+
return Fx.gen(function* () {
|
|
28
|
+
const existingAccount = yield* Fx.promise(() => db.accounts.get(provider, account.id));
|
|
29
|
+
if (existingAccount === null) return yield* Cv.fail({
|
|
30
|
+
code: "ACCOUNT_NOT_FOUND",
|
|
31
|
+
message: `Cannot modify account with ID ${account.id} because it does not exist`
|
|
32
|
+
});
|
|
33
|
+
const hashedSecret = yield* hash(getProviderOrThrow(provider), account.secret);
|
|
34
|
+
yield* Fx.promise(() => db.accounts.patch(existingAccount._id, { secret: hashedSecret }));
|
|
35
|
+
});
|
|
34
36
|
}
|
|
35
37
|
const callModifyAccount = async (ctx, args) => {
|
|
36
38
|
return ctx.runMutation(AUTH_STORE_REF, { args: {
|
|
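Review bot: The `Cv.fail` branch on new lines 29–32 of modifyAccountImpl embeds the caller-supplied `account.id` (for a password provider presumably the e-mail address) in the error message alongside the `ACCOUNT_NOT_FOUND` code; if `Cv.fail` maps to a ConvexError and callModifyAccount's rejection is ever forwarded to a client, the response distinguishes existing from non-existing accounts. Keeping the identifier out of the message, `message: "Cannot modify account because it does not exist"`, and leaving the code as the machine-readable signal avoids that without changing control flow. Also, `getProviderOrThrow(provider)` on line 33 now runs inside the generator body, so a synchronous throw there is handled however Fx.gen treats thrown exceptions, which is not visible here; a one-line comment on that line stating the intended semantics would help the next reader. The enclosing function modifyAccountImpl starts before this hunk.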
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"account.js","names":[],"sources":["../../../../src/server/mutations/account.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport {
|
|
1
|
+
{"version":3,"file":"account.js","names":[],"sources":["../../../../src/server/mutations/account.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { ConvexError, Infer, v } from \"convex/values\";\n\nimport { GetProviderOrThrowFunc, hash } from \"../crypto\";\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const modifyAccountArgs = v.object({\n provider: v.string(),\n account: v.object({ id: v.string(), secret: v.string() }),\n});\n\nexport function modifyAccountImpl(\n ctx: MutationCtx,\n args: Infer<typeof modifyAccountArgs>,\n getProviderOrThrow: GetProviderOrThrowFunc,\n config: Provider.Config,\n): Fx<void, ConvexError<any>> {\n const { provider, account } = args;\n const db = authDb(ctx, config);\n\n logWithLevel(LOG_LEVELS.DEBUG, \"modifyAccountImpl args:\", {\n provider,\n account: { id: account.id, secret: maybeRedact(account.secret ?? 
\"\") },\n });\n\n return Fx.gen(function* () {\n const existingAccount = yield* Fx.promise(() =>\n db.accounts.get(provider, account.id),\n );\n if (existingAccount === null) {\n return yield* Cv.fail({\n code: \"ACCOUNT_NOT_FOUND\",\n message: `Cannot modify account with ID ${account.id} because it does not exist`,\n });\n }\n const hashedSecret = yield* hash(\n getProviderOrThrow(provider),\n account.secret,\n );\n yield* Fx.promise(() =>\n db.accounts.patch(existingAccount._id, { secret: hashedSecret }),\n );\n });\n}\n\nexport const callModifyAccount = async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof modifyAccountArgs>,\n): Promise<void> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"modifyAccount\",\n ...args,\n },\n });\n};\n"],"mappings":";;;;;;;;;AAYA,MAAa,oBAAoB,EAAE,OAAO;CACxC,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,OAAO;EAAE,IAAI,EAAE,QAAQ;EAAE,QAAQ,EAAE,QAAQ;EAAE,CAAC;CAC1D,CAAC;AAEF,SAAgB,kBACd,KACA,MACA,oBACA,QAC4B;CAC5B,MAAM,EAAE,UAAU,YAAY;CAC9B,MAAM,KAAK,OAAO,KAAK,OAAO;AAE9B,cAAa,WAAW,OAAO,2BAA2B;EACxD;EACA,SAAS;GAAE,IAAI,QAAQ;GAAI,QAAQ,YAAY,QAAQ,UAAU,GAAG;GAAE;EACvE,CAAC;AAEF,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,QAAQ,GAAG,CACtC;AACD,MAAI,oBAAoB,KACtB,QAAO,OAAO,GAAG,KAAK;GACpB,MAAM;GACN,SAAS,iCAAiC,QAAQ,GAAG;GACtD,CAAC;EAEJ,MAAM,eAAe,OAAO,KAC1B,mBAAmB,SAAS,EAC5B,QAAQ,OACT;AACD,SAAO,GAAG,cACR,GAAG,SAAS,MAAM,gBAAgB,KAAK,EAAE,QAAQ,cAAc,CAAC,CACjE;GACD;;AAGJ,MAAa,oBAAoB,OAC/B,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
|
|
@@ -1,9 +1,9 @@
|
|
|
1
|
-
import { AuthError } from "../authError.js";
|
|
2
1
|
import { LOG_LEVELS, logWithLevel, sha256 } from "../utils.js";
|
|
3
2
|
import { authDb } from "../db.js";
|
|
4
3
|
import { AUTH_STORE_REF } from "./store/refs.js";
|
|
5
4
|
import { getAuthSessionId } from "../sessions.js";
|
|
6
5
|
import { upsertUserAndAccount } from "../users.js";
|
|
6
|
+
import { Cv } from "@robelest/fx/convex";
|
|
7
7
|
import { v } from "convex/values";
|
|
8
8
|
|
|
9
9
|
//#region src/server/mutations/code.ts
|
|
@@ -22,7 +22,10 @@ async function createVerificationCodeImpl(ctx, args, getProviderOrThrow, config)
|
|
|
22
22
|
const db = authDb(ctx, config);
|
|
23
23
|
const typedExistingAccountId = existingAccountId;
|
|
24
24
|
const existingAccount = typedExistingAccountId !== void 0 ? await db.accounts.getById(typedExistingAccountId) ?? (() => {
|
|
25
|
-
throw
|
|
25
|
+
throw Cv.error({
|
|
26
|
+
code: "ACCOUNT_NOT_FOUND",
|
|
27
|
+
message: `Expected an account to exist for ID "${typedExistingAccountId}"`
|
|
28
|
+
});
|
|
26
29
|
})() : await db.accounts.get(providerId, email ?? phone);
|
|
27
30
|
const provider = getProviderOrThrow(providerId, allowExtraProviders);
|
|
28
31
|
const { accountId } = await upsertUserAndAccount(ctx, await getAuthSessionId(ctx), existingAccount !== null ? { existingAccount } : { providerAccountId: email ?? phone }, provider.type === "email" ? {
|
|
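Review bot: The rewritten branch on new lines 24–29 still falls through to `await db.accounts.get(providerId, email ?? phone)` when args carry neither `email` nor `phone`; both are `v.optional(v.string())` in the args validator shown in the source text embedded in the adjacent map, so the lookup can run with an undefined account id and, per that source, the function later returns `email ?? phone` as undefined. The callers are presumably the library's own actions, but a guard at the top of the function keeps the invariant explicit: `if (email === undefined && phone === undefined) throw Cv.error({ code: "<PLACEHOLDER_ERROR_CODE>", message: "Expected an email or phone identifier" });`. Separately, the `?? (() => { throw … })()` idiom wrapping the new `Cv.error` call reads awkwardly; a plain `await` into a local followed by `if (existingAccount === null) throw Cv.error({ … })` says the same thing more directly. createVerificationCodeImpl starts before this hunk and its body continues after it.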
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"code.js","names":[],"sources":["../../../../src/server/mutations/code.ts"],"sourcesContent":["import type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport
|
|
1
|
+
{"version":3,"file":"code.js","names":[],"sources":["../../../../src/server/mutations/code.ts"],"sourcesContent":["import { Cv } from \"@robelest/fx/convex\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { getAuthSessionId } from \"../sessions\";\nimport { MutationCtx } from \"../types\";\nimport { EmailConfig, PhoneConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { LOG_LEVELS, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const createVerificationCodeArgs = v.object({\n accountId: v.optional(v.string()),\n provider: v.string(),\n email: v.optional(v.string()),\n phone: v.optional(v.string()),\n code: v.string(),\n expirationTime: v.number(),\n allowExtraProviders: v.boolean(),\n});\n\ntype ReturnType = string;\n\nexport async function createVerificationCodeImpl(\n ctx: MutationCtx,\n args: Infer<typeof createVerificationCodeArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Promise<ReturnType> {\n logWithLevel(LOG_LEVELS.DEBUG, \"createVerificationCodeImpl args:\", args);\n const {\n email,\n phone,\n code,\n expirationTime,\n provider: providerId,\n accountId: existingAccountId,\n allowExtraProviders,\n } = args;\n const db = authDb(ctx, config);\n const typedExistingAccountId = existingAccountId as\n | GenericId<\"Account\">\n | undefined;\n const existingAccount =\n typedExistingAccountId !== undefined\n ? ((await db.accounts.getById(typedExistingAccountId)) ??\n (() => {\n throw Cv.error({\n code: \"ACCOUNT_NOT_FOUND\",\n message: `Expected an account to exist for ID \"${typedExistingAccountId}\"`,\n });\n })())\n : await db.accounts.get(providerId, email ?? 
phone!);\n\n const provider = getProviderOrThrow(providerId, allowExtraProviders) as\n | EmailConfig\n | PhoneConfig;\n const { accountId } = await upsertUserAndAccount(\n ctx,\n await getAuthSessionId(ctx),\n existingAccount !== null\n ? { existingAccount }\n : { providerAccountId: email ?? phone! },\n provider.type === \"email\"\n ? { type: \"email\", provider, profile: { email: email! } }\n : { type: \"phone\", provider, profile: { phone: phone! } },\n config,\n );\n await generateUniqueVerificationCode(\n ctx,\n accountId,\n providerId,\n code,\n expirationTime,\n { email, phone },\n config,\n );\n return email ?? phone!;\n}\n\nexport const callCreateVerificationCode = async <\n DataModel extends GenericDataModel,\n>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof createVerificationCodeArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"createVerificationCode\",\n ...args,\n },\n });\n};\n\nasync function generateUniqueVerificationCode(\n ctx: MutationCtx,\n accountId: GenericId<\"Account\">,\n provider: string,\n code: string,\n expirationTime: number,\n { email, phone }: { email?: string; phone?: string },\n config: Provider.Config,\n) {\n const db = authDb(ctx, config);\n const existingCode = await db.verificationCodes.getByAccountId(accountId);\n if (existingCode !== null) {\n await db.verificationCodes.delete(existingCode._id);\n }\n await db.verificationCodes.create({\n accountId,\n provider,\n code: await sha256(code),\n expirationTime,\n emailVerified: email,\n phoneVerified: phone,\n 
});\n}\n"],"mappings":";;;;;;;;;AAaA,MAAa,6BAA6B,EAAE,OAAO;CACjD,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,UAAU,EAAE,QAAQ;CACpB,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,MAAM,EAAE,QAAQ;CAChB,gBAAgB,EAAE,QAAQ;CAC1B,qBAAqB,EAAE,SAAS;CACjC,CAAC;AAIF,eAAsB,2BACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,oCAAoC,KAAK;CACxE,MAAM,EACJ,OACA,OACA,MACA,gBACA,UAAU,YACV,WAAW,mBACX,wBACE;CACJ,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,yBAAyB;CAG/B,MAAM,kBACJ,2BAA2B,SACrB,MAAM,GAAG,SAAS,QAAQ,uBAAuB,WAC5C;AACL,QAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS,wCAAwC,uBAAuB;GACzE,CAAC;KACA,GACJ,MAAM,GAAG,SAAS,IAAI,YAAY,SAAS,MAAO;CAExD,MAAM,WAAW,mBAAmB,YAAY,oBAAoB;CAGpE,MAAM,EAAE,cAAc,MAAM,qBAC1B,KACA,MAAM,iBAAiB,IAAI,EAC3B,oBAAoB,OAChB,EAAE,iBAAiB,GACnB,EAAE,mBAAmB,SAAS,OAAQ,EAC1C,SAAS,SAAS,UACd;EAAE,MAAM;EAAS;EAAU,SAAS,EAAS,OAAQ;EAAE,GACvD;EAAE,MAAM;EAAS;EAAU,SAAS,EAAS,OAAQ;EAAE,EAC3D,OACD;AACD,OAAM,+BACJ,KACA,WACA,YACA,MACA,gBACA;EAAE;EAAO;EAAO,EAChB,OACD;AACD,QAAO,SAAS;;AAGlB,MAAa,6BAA6B,OAGxC,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,eAAe,+BACb,KACA,WACA,UACA,MACA,gBACA,EAAE,OAAO,SACT,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,eAAe,MAAM,GAAG,kBAAkB,eAAe,UAAU;AACzE,KAAI,iBAAiB,KACnB,OAAM,GAAG,kBAAkB,OAAO,aAAa,IAAI;AAErD,OAAM,GAAG,kBAAkB,OAAO;EAChC;EACA;EACA,MAAM,MAAM,OAAO,KAAK;EACxB;EACA,eAAe;EACf,eAAe;EAChB,CAAC"}
|
|
@@ -2,8 +2,8 @@ import { LOG_LEVELS, logWithLevel } from "../utils.js";
|
|
|
2
2
|
import { authDb } from "../db.js";
|
|
3
3
|
import { AUTH_STORE_REF } from "./store/refs.js";
|
|
4
4
|
import { deleteSession } from "../sessions.js";
|
|
5
|
-
import { v } from "convex/values";
|
|
6
5
|
import { Fx } from "@robelest/fx";
|
|
6
|
+
import { v } from "convex/values";
|
|
7
7
|
|
|
8
8
|
//#region src/server/mutations/invalidate.ts
|
|
9
9
|
const invalidateSessionsArgs = v.object({
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"invalidate.js","names":[],"sources":["../../../../src/server/mutations/invalidate.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport
|
|
1
|
+
{"version":3,"file":"invalidate.js","names":[],"sources":["../../../../src/server/mutations/invalidate.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { deleteSession } from \"../sessions\";\nimport { Doc, MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const invalidateSessionsArgs = v.object({\n userId: v.string(),\n except: v.optional(v.array(v.string())),\n});\n\nexport const callInvalidateSessions = async <\n DataModel extends GenericDataModel,\n>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof invalidateSessionsArgs>,\n): Promise<void> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"invalidateSessions\",\n ...args,\n },\n });\n};\n\nexport function invalidateSessionsImpl(\n ctx: MutationCtx,\n args: Infer<typeof invalidateSessionsArgs>,\n config: Provider.Config,\n): Fx<void, never> {\n return Fx.gen(function* () {\n logWithLevel(LOG_LEVELS.DEBUG, \"invalidateSessionsImpl args:\", args);\n const { userId, except } = args;\n const exceptSet = new Set(except ?? []);\n const typedUserId = userId as GenericId<\"User\">;\n const sessions = (yield* Fx.promise(() =>\n authDb(ctx, config).sessions.listByUser(typedUserId),\n )) as Doc<\"Session\">[];\n yield* Fx.each(sessions, (session: Doc<\"Session\">) =>\n exceptSet.has(session._id)\n ? 
Fx.unit\n : Fx.promise(() => deleteSession(ctx, session, config)),\n );\n });\n}\n"],"mappings":";;;;;;;;AAWA,MAAa,yBAAyB,EAAE,OAAO;CAC7C,QAAQ,EAAE,QAAQ;CAClB,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CACxC,CAAC;AAEF,MAAa,yBAAyB,OAGpC,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,SAAgB,uBACd,KACA,MACA,QACiB;AACjB,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,WAAW,OAAO,gCAAgC,KAAK;EACpE,MAAM,EAAE,QAAQ,WAAW;EAC3B,MAAM,YAAY,IAAI,IAAI,UAAU,EAAE,CAAC;EACvC,MAAM,cAAc;EACpB,MAAM,WAAY,OAAO,GAAG,cAC1B,OAAO,KAAK,OAAO,CAAC,SAAS,WAAW,YAAY,CACrD;AACD,SAAO,GAAG,KAAK,WAAW,YACxB,UAAU,IAAI,QAAQ,IAAI,GACtB,GAAG,OACH,GAAG,cAAc,cAAc,KAAK,SAAS,OAAO,CAAC,CAC1D;GACD"}
|
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
import { AuthError } from "../authError.js";
|
|
2
1
|
import { generateRandomString, logWithLevel, sha256 } from "../utils.js";
|
|
3
2
|
import { authDb } from "../db.js";
|
|
4
3
|
import { AUTH_STORE_REF } from "./store/refs.js";
|
|
@@ -6,8 +5,9 @@ import { upsertUserAndAccount } from "../users.js";
|
|
|
6
5
|
import { ENTERPRISE_OIDC_PROVIDER_PREFIX, ENTERPRISE_SAML_PROVIDER_PREFIX, isEnterpriseProviderId } from "../enterprise/shared.js";
|
|
7
6
|
import { createSyntheticOAuthMaterializedConfig } from "../enterprise/oidc.js";
|
|
8
7
|
import { normalizeEnterprisePolicy } from "../enterprise/policy.js";
|
|
9
|
-
import {
|
|
8
|
+
import { Cv } from "@robelest/fx/convex";
|
|
10
9
|
import { Fx } from "@robelest/fx";
|
|
10
|
+
import { v } from "convex/values";
|
|
11
11
|
|
|
12
12
|
//#region src/server/mutations/oauth.ts
|
|
13
13
|
const OAUTH_SIGN_IN_EXPIRATION_MS = 1e3 * 60 * 2;
|
|
@@ -59,8 +59,14 @@ function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
|
|
|
59
59
|
})) : null;
|
|
60
60
|
const verifier = yield* Fx.from({
|
|
61
61
|
ok: () => db.verifiers.getBySignature(signature),
|
|
62
|
-
err: () =>
|
|
63
|
-
|
|
62
|
+
err: () => Cv.error({
|
|
63
|
+
code: "OAUTH_INVALID_STATE",
|
|
64
|
+
message: "Invalid OAuth state. Please try signing in again."
|
|
65
|
+
})
|
|
66
|
+
}).pipe(Fx.chain((doc) => doc === null ? Cv.fail({
|
|
67
|
+
code: "OAUTH_INVALID_STATE",
|
|
68
|
+
message: "Invalid OAuth state. Please try signing in again."
|
|
69
|
+
}) : Fx.succeed(doc)));
|
|
64
70
|
const { accountId } = yield* Fx.promise(() => upsertUserAndAccount(ctx, verifier.sessionId ?? null, existingAccount !== null ? { existingAccount } : { providerAccountId }, {
|
|
65
71
|
type: "oauth",
|
|
66
72
|
provider: isEnterpriseProviderId(provider) ? createSyntheticOAuthMaterializedConfig(provider, { accountLinking: enterpriseProtocol === "oidc" ? enterprisePolicy?.identity.accountLinking.oidc : enterpriseProtocol === "saml" ? enterprisePolicy?.identity.accountLinking.saml : void 0 }) : getProviderOrThrow(provider),
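Review bot: The `{ code: "OAUTH_INVALID_STATE", message: "Invalid OAuth state. Please try signing in again." }` literal is written out twice in this hunk, once in the `err` branch of `Fx.from` and again in the `Cv.fail` inside `Fx.chain`, so the two paths can drift apart the next time the code or message is edited. Hoist it once next to `OAUTH_SIGN_IN_EXPIRATION_MS`, e.g. `const OAUTH_INVALID_STATE = { code: "OAUTH_INVALID_STATE", message: "Invalid OAuth state. Please try signing in again." };`, and use `err: () => Cv.error(OAUTH_INVALID_STATE)` and `Cv.fail(OAUTH_INVALID_STATE)`. The new `err` callback still takes no argument, so a thrown failure from `db.verifiers.getBySignature(signature)` (a lookup or database error rather than a missing verifier) reaches the caller as "invalid OAuth state" with the cause discarded; consider logging the caught error with `logWithLevel` before mapping it so operators can distinguish a storage outage from a genuinely stale or tampered state parameter. This is bundler output (`//#region src/server/mutations/oauth.ts`), so the change belongs in the source file; `userOAuthImpl` starts and ends outside the hunk.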
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"oauth.js","names":[],"sources":["../../../../src/server/mutations/oauth.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../authError\";\nimport * as Provider from \"../crypto\";\nimport {\n createSyntheticOAuthMaterializedConfig,\n} from \"../enterprise/oidc\";\nimport { normalizeEnterprisePolicy } from \"../enterprise/policy\";\nimport {\n ENTERPRISE_OIDC_PROVIDER_PREFIX,\n ENTERPRISE_SAML_PROVIDER_PREFIX,\n isEnterpriseProviderId,\n} from \"../enterprise/shared\";\nimport { MutationCtx } from \"../types\";\nimport type { AuthProviderMaterializedConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { generateRandomString, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nconst OAUTH_SIGN_IN_EXPIRATION_MS = 1000 * 60 * 2; // 2 minutes\n\nexport const userOAuthArgs = v.object({\n provider: v.string(),\n providerAccountId: v.string(),\n profile: v.any(),\n signature: v.string(),\n accountExtend: v.optional(v.any()),\n});\n\nfunction normalizeAccountExtend(\n provider: string,\n providerAccountId: string,\n accountExtend: unknown,\n) {\n const baseIdentity: Record<string, unknown> = {\n type: \"oauth\",\n provider,\n providerAccountId,\n };\n if (provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)) {\n baseIdentity.type = \"enterprise-oidc\";\n baseIdentity.enterpriseId = provider.slice(\n ENTERPRISE_OIDC_PROVIDER_PREFIX.length,\n );\n }\n if (provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)) {\n baseIdentity.type = \"enterprise-saml\";\n baseIdentity.enterpriseId = provider.slice(\n ENTERPRISE_SAML_PROVIDER_PREFIX.length,\n );\n }\n const provided =\n typeof accountExtend === \"object\" &&\n accountExtend !== null &&\n !Array.isArray(accountExtend)\n ? 
(accountExtend as Record<string, unknown>)\n : undefined;\n const providedIdentity =\n provided &&\n typeof provided.identity === \"object\" &&\n provided.identity !== null &&\n !Array.isArray(provided.identity)\n ? (provided.identity as Record<string, unknown>)\n : undefined;\n return {\n ...provided,\n identity: {\n ...baseIdentity,\n ...providedIdentity,\n },\n };\n}\n\ntype ReturnType = string;\n\nexport function userOAuthImpl(\n ctx: MutationCtx,\n args: Infer<typeof userOAuthArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Fx<ReturnType, AuthError> {\n return Fx.gen(function* () {\n logWithLevel(\"DEBUG\", \"userOAuthImpl args:\", args);\n const { profile, provider, providerAccountId, signature, accountExtend } =\n args;\n const db = authDb(ctx, config);\n const existingAccount = yield* Fx.promise(() =>\n db.accounts.get(provider, providerAccountId),\n );\n const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)\n ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length)\n : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length)\n : null;\n const enterprise =\n enterpriseId !== null\n ? yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.enterpriseGet, {\n enterpriseId,\n }),\n )\n : null;\n const enterprisePolicy = enterprise\n ? normalizeEnterprisePolicy(enterprise.policy)\n : null;\n const enterpriseProtocol = provider.startsWith(\n ENTERPRISE_OIDC_PROVIDER_PREFIX,\n )\n ? \"oidc\"\n : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n ? \"saml\"\n : null;\n\n const existingScimIdentity =\n enterpriseId !== null &&\n existingAccount === null &&\n enterprisePolicy?.provisioning.scimReuse.user === \"externalId\"\n ? 
yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {\n enterpriseId,\n resourceType: \"user\",\n externalId: providerAccountId,\n }),\n )\n : null;\n\n const verifier = yield* Fx.from({\n ok: () => db.verifiers.getBySignature(signature),\n err: () => new AuthError(\"OAUTH_INVALID_STATE\"),\n }).pipe(\n Fx.chain((doc) =>\n doc === null\n ? Fx.fail(new AuthError(\"OAUTH_INVALID_STATE\"))\n : Fx.succeed(doc),\n ),\n );\n\n const { accountId } = yield* Fx.promise(() =>\n upsertUserAndAccount(\n ctx,\n verifier.sessionId ?? null,\n existingAccount !== null ? { existingAccount } : { providerAccountId },\n {\n type: \"oauth\",\n provider: (isEnterpriseProviderId(provider)\n ? createSyntheticOAuthMaterializedConfig(provider, {\n accountLinking:\n enterpriseProtocol === \"oidc\"\n ? enterprisePolicy?.identity.accountLinking.oidc\n : enterpriseProtocol === \"saml\"\n ? enterprisePolicy?.identity.accountLinking.saml\n : undefined,\n })\n : getProviderOrThrow(provider)) as AuthProviderMaterializedConfig,\n profile,\n accountExtend: normalizeAccountExtend(\n provider,\n providerAccountId,\n accountExtend,\n ),\n },\n config,\n existingScimIdentity?.userId\n ? 
{ existingUserId: existingScimIdentity.userId }\n : undefined,\n ),\n );\n\n // JIT group provisioning: if this is an enterprise SSO sign-in and the\n // enterprise connection has a groupId, auto-add the user as a member of\n // that group if they aren't already a member.\n if (\n enterpriseId !== null &&\n enterprisePolicy?.provisioning.jit.mode === \"createUserAndMembership\"\n ) {\n const account = yield* Fx.promise(() => db.accounts.getById(accountId));\n const userId = account?.userId;\n if (userId) {\n const groupId = (enterprise as any)?.groupId as string | undefined;\n if (groupId) {\n const existingMembership = yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.memberGetByGroupAndUser, {\n userId,\n groupId,\n }),\n );\n if (existingMembership === null) {\n yield* Fx.promise(() =>\n ctx.runMutation(config.component.public.memberAdd, {\n groupId,\n userId,\n roleIds: enterprisePolicy.provisioning.jit.defaultRoleIds,\n status: \"active\",\n }),\n );\n }\n }\n }\n }\n\n const code = generateRandomString(8, \"0123456789\");\n yield* Fx.promise(() => db.verifiers.delete(verifier._id));\n const existingVerificationCode = yield* Fx.promise(() =>\n db.verificationCodes.getByAccountId(accountId),\n );\n if (existingVerificationCode !== null) {\n yield* Fx.promise(() =>\n db.verificationCodes.delete(existingVerificationCode._id),\n );\n }\n yield* Fx.promise(async () =>\n db.verificationCodes.create({\n code: await sha256(code),\n accountId,\n provider,\n expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,\n verifier: verifier._id,\n }),\n );\n return code;\n });\n}\n\nexport const callUserOAuth = async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof userOAuthArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"userOAuth\",\n ...args,\n },\n 
});\n};\n"],"mappings":";;;;;;;;;;;;AAsBA,MAAM,8BAA8B,MAAO,KAAK;AAEhD,MAAa,gBAAgB,EAAE,OAAO;CACpC,UAAU,EAAE,QAAQ;CACpB,mBAAmB,EAAE,QAAQ;CAC7B,SAAS,EAAE,KAAK;CAChB,WAAW,EAAE,QAAQ;CACrB,eAAe,EAAE,SAAS,EAAE,KAAK,CAAC;CACnC,CAAC;AAEF,SAAS,uBACP,UACA,mBACA,eACA;CACA,MAAM,eAAwC;EAC5C,MAAM;EACN;EACA;EACD;AACD,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;AAEH,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;CAEH,MAAM,WACJ,OAAO,kBAAkB,YACzB,kBAAkB,QAClB,CAAC,MAAM,QAAQ,cAAc,GACxB,gBACD;CACN,MAAM,mBACJ,YACA,OAAO,SAAS,aAAa,YAC7B,SAAS,aAAa,QACtB,CAAC,MAAM,QAAQ,SAAS,SAAS,GAC5B,SAAS,WACV;AACN,QAAO;EACL,GAAG;EACH,UAAU;GACR,GAAG;GACH,GAAG;GACJ;EACF;;AAKH,SAAgB,cACd,KACA,MACA,oBACA,QAC2B;AAC3B,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,SAAS,uBAAuB,KAAK;EAClD,MAAM,EAAE,SAAS,UAAU,mBAAmB,WAAW,kBACvD;EACF,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,kBAAkB,CAC7C;EACD,MAAM,eAAe,SAAS,WAAW,gCAAgC,GACrE,SAAS,MAAM,gCAAgC,OAAO,GACtD,SAAS,WAAW,gCAAgC,GAClD,SAAS,MAAM,gCAAgC,OAAO,GACtD;EACN,MAAM,aACJ,iBAAiB,OACb,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,eAAe,EAClD,cACD,CAAC,CACH,GACD;EACN,MAAM,mBAAmB,aACrB,0BAA0B,WAAW,OAAO,GAC5C;EACJ,MAAM,qBAAqB,SAAS,WAClC,gCACD,GACG,SACA,SAAS,WAAW,gCAAgC,GAClD,SACA;EAEN,MAAM,uBACJ,iBAAiB,QACjB,oBAAoB,QACpB,kBAAkB,aAAa,UAAU,SAAS,eAC9C,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,2BAA2B;GAC9D;GACA,cAAc;GACd,YAAY;GACb,CAAC,CACH,GACD;EAEN,MAAM,WAAW,OAAO,GAAG,KAAK;GAC9B,UAAU,GAAG,UAAU,eAAe,UAAU;GAChD,WAAW,IAAI,UAAU,sBAAsB;GAChD,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC,GAC7C,GAAG,QAAQ,IAAI,CACpB,CACF;EAED,MAAM,EAAE,cAAc,OAAO,GAAG,cAC9B,qBACE,KACA,SAAS,aAAa,MACtB,oBAAoB,OAAO,EAAE,iBAAiB,GAAG,EAAE,mBAAmB,EACtE;GACE,MAAM;GACN,UAAW,uBAAuB,SAAS,GACvC,uCAAuC,UAAU,EAC/C,gBACE,uBAAuB,SACnB,kBAAkB,SAAS,eAAe,OAC1C,uBAAuB,SACrB,kBAAkB,SAAS,eAAe,OAC1C,QACT,CAAC,GACF,mBAAmB,SAAS;GAChC;GACA,eAAe,uBACb,UACA,mBACA,cACD;GACF,EACD,QACA,sBAAsB,SAClB,EAAE,gBAAgB,qBAAqB,
QAAQ,GAC/C,OACL,CACF;AAKD,MACE,iBAAiB,QACjB,kBAAkB,aAAa,IAAI,SAAS,2BAC5C;GAEA,MAAM,UADU,OAAO,GAAG,cAAc,GAAG,SAAS,QAAQ,UAAU,CAAC,GAC/C;AACxB,OAAI,QAAQ;IACV,MAAM,UAAW,YAAoB;AACrC,QAAI,SAOF;UAN2B,OAAO,GAAG,cACnC,IAAI,SAAS,OAAO,UAAU,OAAO,yBAAyB;MAC5D;MACA;MACD,CAAC,CACH,MAC0B,KACzB,QAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;MACjD;MACA;MACA,SAAS,iBAAiB,aAAa,IAAI;MAC3C,QAAQ;MACT,CAAC,CACH;;;;EAMT,MAAM,OAAO,qBAAqB,GAAG,aAAa;AAClD,SAAO,GAAG,cAAc,GAAG,UAAU,OAAO,SAAS,IAAI,CAAC;EAC1D,MAAM,2BAA2B,OAAO,GAAG,cACzC,GAAG,kBAAkB,eAAe,UAAU,CAC/C;AACD,MAAI,6BAA6B,KAC/B,QAAO,GAAG,cACR,GAAG,kBAAkB,OAAO,yBAAyB,IAAI,CAC1D;AAEH,SAAO,GAAG,QAAQ,YAChB,GAAG,kBAAkB,OAAO;GAC1B,MAAM,MAAM,OAAO,KAAK;GACxB;GACA;GACA,gBAAgB,KAAK,KAAK,GAAG;GAC7B,UAAU,SAAS;GACpB,CAAC,CACH;AACD,SAAO;GACP;;AAGJ,MAAa,gBAAgB,OAC3B,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
|
|
1
|
+
{"version":3,"file":"oauth.js","names":[],"sources":["../../../../src/server/mutations/oauth.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport type { ConvexError } from \"convex/values\";\nimport { Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { createSyntheticOAuthMaterializedConfig } from \"../enterprise/oidc\";\nimport { normalizeEnterprisePolicy } from \"../enterprise/policy\";\nimport {\n ENTERPRISE_OIDC_PROVIDER_PREFIX,\n ENTERPRISE_SAML_PROVIDER_PREFIX,\n isEnterpriseProviderId,\n} from \"../enterprise/shared\";\nimport { MutationCtx } from \"../types\";\nimport type { AuthProviderMaterializedConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { generateRandomString, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nconst OAUTH_SIGN_IN_EXPIRATION_MS = 1000 * 60 * 2; // 2 minutes\n\nexport const userOAuthArgs = v.object({\n provider: v.string(),\n providerAccountId: v.string(),\n profile: v.any(),\n signature: v.string(),\n accountExtend: v.optional(v.any()),\n});\n\nfunction normalizeAccountExtend(\n provider: string,\n providerAccountId: string,\n accountExtend: unknown,\n) {\n const baseIdentity: Record<string, unknown> = {\n type: \"oauth\",\n provider,\n providerAccountId,\n };\n if (provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)) {\n baseIdentity.type = \"enterprise-oidc\";\n baseIdentity.enterpriseId = provider.slice(\n ENTERPRISE_OIDC_PROVIDER_PREFIX.length,\n );\n }\n if (provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)) {\n baseIdentity.type = \"enterprise-saml\";\n baseIdentity.enterpriseId = provider.slice(\n ENTERPRISE_SAML_PROVIDER_PREFIX.length,\n );\n }\n const provided =\n typeof accountExtend === \"object\" &&\n accountExtend !== null &&\n 
!Array.isArray(accountExtend)\n ? (accountExtend as Record<string, unknown>)\n : undefined;\n const providedIdentity =\n provided &&\n typeof provided.identity === \"object\" &&\n provided.identity !== null &&\n !Array.isArray(provided.identity)\n ? (provided.identity as Record<string, unknown>)\n : undefined;\n return {\n ...provided,\n identity: {\n ...baseIdentity,\n ...providedIdentity,\n },\n };\n}\n\ntype ReturnType = string;\n\nexport function userOAuthImpl(\n ctx: MutationCtx,\n args: Infer<typeof userOAuthArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Fx<ReturnType, ConvexError<{ code: string; message: string }>> {\n return Fx.gen(function* () {\n logWithLevel(\"DEBUG\", \"userOAuthImpl args:\", args);\n const { profile, provider, providerAccountId, signature, accountExtend } =\n args;\n const db = authDb(ctx, config);\n const existingAccount = yield* Fx.promise(() =>\n db.accounts.get(provider, providerAccountId),\n );\n const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)\n ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length)\n : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length)\n : null;\n const enterprise =\n enterpriseId !== null\n ? yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.enterpriseGet, {\n enterpriseId,\n }),\n )\n : null;\n const enterprisePolicy = enterprise\n ? normalizeEnterprisePolicy(enterprise.policy)\n : null;\n const enterpriseProtocol = provider.startsWith(\n ENTERPRISE_OIDC_PROVIDER_PREFIX,\n )\n ? \"oidc\"\n : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n ? \"saml\"\n : null;\n\n const existingScimIdentity =\n enterpriseId !== null &&\n existingAccount === null &&\n enterprisePolicy?.provisioning.scimReuse.user === \"externalId\"\n ? 
yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {\n enterpriseId,\n resourceType: \"user\",\n externalId: providerAccountId,\n }),\n )\n : null;\n\n const verifier = yield* Fx.from({\n ok: () => db.verifiers.getBySignature(signature),\n err: () =>\n Cv.error({\n code: \"OAUTH_INVALID_STATE\",\n message: \"Invalid OAuth state. Please try signing in again.\",\n }),\n }).pipe(\n Fx.chain((doc) =>\n doc === null\n ? Cv.fail({\n code: \"OAUTH_INVALID_STATE\",\n message: \"Invalid OAuth state. Please try signing in again.\",\n })\n : Fx.succeed(doc),\n ),\n );\n\n const { accountId } = yield* Fx.promise(() =>\n upsertUserAndAccount(\n ctx,\n verifier.sessionId ?? null,\n existingAccount !== null ? { existingAccount } : { providerAccountId },\n {\n type: \"oauth\",\n provider: (isEnterpriseProviderId(provider)\n ? createSyntheticOAuthMaterializedConfig(provider, {\n accountLinking:\n enterpriseProtocol === \"oidc\"\n ? enterprisePolicy?.identity.accountLinking.oidc\n : enterpriseProtocol === \"saml\"\n ? enterprisePolicy?.identity.accountLinking.saml\n : undefined,\n })\n : getProviderOrThrow(provider)) as AuthProviderMaterializedConfig,\n profile,\n accountExtend: normalizeAccountExtend(\n provider,\n providerAccountId,\n accountExtend,\n ),\n },\n config,\n existingScimIdentity?.userId\n ? 
{ existingUserId: existingScimIdentity.userId }\n : undefined,\n ),\n );\n\n // JIT group provisioning: if this is an enterprise SSO sign-in and the\n // enterprise connection has a groupId, auto-add the user as a member of\n // that group if they aren't already a member.\n if (\n enterpriseId !== null &&\n enterprisePolicy?.provisioning.jit.mode === \"createUserAndMembership\"\n ) {\n const account = yield* Fx.promise(() => db.accounts.getById(accountId));\n const userId = account?.userId;\n if (userId) {\n const groupId = (enterprise as any)?.groupId as string | undefined;\n if (groupId) {\n const existingMembership = yield* Fx.promise(() =>\n ctx.runQuery(config.component.public.memberGetByGroupAndUser, {\n userId,\n groupId,\n }),\n );\n if (existingMembership === null) {\n yield* Fx.promise(() =>\n ctx.runMutation(config.component.public.memberAdd, {\n groupId,\n userId,\n roleIds: enterprisePolicy.provisioning.jit.defaultRoleIds,\n status: \"active\",\n }),\n );\n }\n }\n }\n }\n\n const code = generateRandomString(8, \"0123456789\");\n yield* Fx.promise(() => db.verifiers.delete(verifier._id));\n const existingVerificationCode = yield* Fx.promise(() =>\n db.verificationCodes.getByAccountId(accountId),\n );\n if (existingVerificationCode !== null) {\n yield* Fx.promise(() =>\n db.verificationCodes.delete(existingVerificationCode._id),\n );\n }\n yield* Fx.promise(async () =>\n db.verificationCodes.create({\n code: await sha256(code),\n accountId,\n provider,\n expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,\n verifier: verifier._id,\n }),\n );\n return code;\n });\n}\n\nexport const callUserOAuth = async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof userOAuthArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"userOAuth\",\n ...args,\n },\n 
});\n};\n"],"mappings":";;;;;;;;;;;;AAqBA,MAAM,8BAA8B,MAAO,KAAK;AAEhD,MAAa,gBAAgB,EAAE,OAAO;CACpC,UAAU,EAAE,QAAQ;CACpB,mBAAmB,EAAE,QAAQ;CAC7B,SAAS,EAAE,KAAK;CAChB,WAAW,EAAE,QAAQ;CACrB,eAAe,EAAE,SAAS,EAAE,KAAK,CAAC;CACnC,CAAC;AAEF,SAAS,uBACP,UACA,mBACA,eACA;CACA,MAAM,eAAwC;EAC5C,MAAM;EACN;EACA;EACD;AACD,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;AAEH,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;CAEH,MAAM,WACJ,OAAO,kBAAkB,YACzB,kBAAkB,QAClB,CAAC,MAAM,QAAQ,cAAc,GACxB,gBACD;CACN,MAAM,mBACJ,YACA,OAAO,SAAS,aAAa,YAC7B,SAAS,aAAa,QACtB,CAAC,MAAM,QAAQ,SAAS,SAAS,GAC5B,SAAS,WACV;AACN,QAAO;EACL,GAAG;EACH,UAAU;GACR,GAAG;GACH,GAAG;GACJ;EACF;;AAKH,SAAgB,cACd,KACA,MACA,oBACA,QACgE;AAChE,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,SAAS,uBAAuB,KAAK;EAClD,MAAM,EAAE,SAAS,UAAU,mBAAmB,WAAW,kBACvD;EACF,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,kBAAkB,CAC7C;EACD,MAAM,eAAe,SAAS,WAAW,gCAAgC,GACrE,SAAS,MAAM,gCAAgC,OAAO,GACtD,SAAS,WAAW,gCAAgC,GAClD,SAAS,MAAM,gCAAgC,OAAO,GACtD;EACN,MAAM,aACJ,iBAAiB,OACb,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,eAAe,EAClD,cACD,CAAC,CACH,GACD;EACN,MAAM,mBAAmB,aACrB,0BAA0B,WAAW,OAAO,GAC5C;EACJ,MAAM,qBAAqB,SAAS,WAClC,gCACD,GACG,SACA,SAAS,WAAW,gCAAgC,GAClD,SACA;EAEN,MAAM,uBACJ,iBAAiB,QACjB,oBAAoB,QACpB,kBAAkB,aAAa,UAAU,SAAS,eAC9C,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,2BAA2B;GAC9D;GACA,cAAc;GACd,YAAY;GACb,CAAC,CACH,GACD;EAEN,MAAM,WAAW,OAAO,GAAG,KAAK;GAC9B,UAAU,GAAG,UAAU,eAAe,UAAU;GAChD,WACE,GAAG,MAAM;IACP,MAAM;IACN,SAAS;IACV,CAAC;GACL,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK;GACN,MAAM;GACN,SAAS;GACV,CAAC,GACF,GAAG,QAAQ,IAAI,CACpB,CACF;EAED,MAAM,EAAE,cAAc,OAAO,GAAG,cAC9B,qBACE,KACA,SAAS,aAAa,MACtB,oBAAoB,OAAO,EAAE,iBAAiB,GAAG,EAAE,mBAAmB,EACtE;GACE,MAAM;GACN,UAAW,uBAAuB,SAAS,GACvC,uCAAuC,UAAU,EAC/C,gBACE,uBAAuB,SACnB,kBAAkB,SAAS,eAAe,OAC1C,uBAAuB,SACrB,kBAAkB,SAAS,eAAe,OAC1C,QACT,CAAC,GACF,mBAAmB,SAAS;GAChC;GACA,eAAe,uBACb,UACA,mBACA,cACD;GACF,EACD,QACA,sBA
AsB,SAClB,EAAE,gBAAgB,qBAAqB,QAAQ,GAC/C,OACL,CACF;AAKD,MACE,iBAAiB,QACjB,kBAAkB,aAAa,IAAI,SAAS,2BAC5C;GAEA,MAAM,UADU,OAAO,GAAG,cAAc,GAAG,SAAS,QAAQ,UAAU,CAAC,GAC/C;AACxB,OAAI,QAAQ;IACV,MAAM,UAAW,YAAoB;AACrC,QAAI,SAOF;UAN2B,OAAO,GAAG,cACnC,IAAI,SAAS,OAAO,UAAU,OAAO,yBAAyB;MAC5D;MACA;MACD,CAAC,CACH,MAC0B,KACzB,QAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;MACjD;MACA;MACA,SAAS,iBAAiB,aAAa,IAAI;MAC3C,QAAQ;MACT,CAAC,CACH;;;;EAMT,MAAM,OAAO,qBAAqB,GAAG,aAAa;AAClD,SAAO,GAAG,cAAc,GAAG,UAAU,OAAO,SAAS,IAAI,CAAC;EAC1D,MAAM,2BAA2B,OAAO,GAAG,cACzC,GAAG,kBAAkB,eAAe,UAAU,CAC/C;AACD,MAAI,6BAA6B,KAC/B,QAAO,GAAG,cACR,GAAG,kBAAkB,OAAO,yBAAyB,IAAI,CAC1D;AAEH,SAAO,GAAG,QAAQ,YAChB,GAAG,kBAAkB,OAAO;GAC1B,MAAM,MAAM,OAAO,KAAK;GACxB;GACA;GACA,gBAAgB,KAAK,KAAK,GAAG;GAC7B,UAAU,SAAS;GACpB,CAAC,CACH;AACD,SAAO;GACP;;AAGJ,MAAa,gBAAgB,OAC3B,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
|
|
@@ -3,8 +3,8 @@ import { authDb } from "../db.js";
|
|
|
3
3
|
import { AUTH_STORE_REF } from "./store/refs.js";
|
|
4
4
|
import { REFRESH_TOKEN_REUSE_WINDOW_MS, invalidateRefreshTokensInSubtree, parseRefreshToken, refreshTokenIfValid } from "../refresh.js";
|
|
5
5
|
import { generateTokensForSession } from "../sessions.js";
|
|
6
|
-
import { v } from "convex/values";
|
|
7
6
|
import { Fx } from "@robelest/fx";
|
|
7
|
+
import { v } from "convex/values";
|
|
8
8
|
|
|
9
9
|
//#region src/server/mutations/refresh.ts
|
|
10
10
|
const refreshSessionArgs = v.object({ refreshToken: v.string() });
|
|
@@ -18,7 +18,7 @@ var RefreshFailure = class {
|
|
|
18
18
|
async function refreshSessionImpl(ctx, args, _getProviderOrThrow, config) {
|
|
19
19
|
const db = authDb(ctx, config);
|
|
20
20
|
const { refreshToken } = args;
|
|
21
|
-
return Fx.run(parseRefreshToken(refreshToken).pipe(Fx.recover((err) => Fx.fail(new RefreshFailure(err.message))), Fx.tap(({ refreshTokenId, sessionId: tokenSessionId }) => Fx.sync(() => logWithLevel("DEBUG", `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(tokenSessionId)}`))), Fx.chain(({ refreshTokenId, sessionId: tokenSessionId }) => refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config).pipe(Fx.chain((validationResult) => validationResult === null ? Fx.gen(function* () {
|
|
21
|
+
return Fx.run(parseRefreshToken(refreshToken).pipe(Fx.recover((err) => Fx.fail(new RefreshFailure(err.data.message))), Fx.tap(({ refreshTokenId, sessionId: tokenSessionId }) => Fx.sync(() => logWithLevel("DEBUG", `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(tokenSessionId)}`))), Fx.chain(({ refreshTokenId, sessionId: tokenSessionId }) => refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config).pipe(Fx.chain((validationResult) => validationResult === null ? Fx.gen(function* () {
|
|
22
22
|
yield* Fx.from({
|
|
23
23
|
ok: async () => {
|
|
24
24
|
const session = await db.sessions.getById(tokenSessionId);
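Review bot: `err.data.message` on the new line 21 assumes every failure out of `parseRefreshToken` carries a `data` object; if it ever fails with a plain `Error` or with a payload lacking `message`, `err.data` is undefined and the recover handler itself throws a TypeError, turning what `RefreshFailure` is meant to collapse into a soft null result into an unhandled rejection of the whole refresh mutation. Guard the access, e.g. `Fx.recover((err) => Fx.fail(new RefreshFailure(err?.data?.message ?? err?.message ?? String(err))))`. Whether `parseRefreshToken` can still reject with a non-ConvexError is not visible here, so confirm against `../refresh.js` before deciding whether the fallback is needed. The pipeline in `refreshSessionImpl` continues past the end of the hunk.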
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"refresh.js","names":[],"sources":["../../../../src/server/mutations/refresh.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../authError\";\nimport * as Provider from \"../crypto\";\nimport {\n invalidateRefreshTokensInSubtree,\n parseRefreshToken,\n REFRESH_TOKEN_REUSE_WINDOW_MS,\n refreshTokenIfValid,\n} from \"../refresh\";\nimport { generateTokensForSession } from \"../sessions\";\nimport { MutationCtx } from \"../types\";\nimport { logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const refreshSessionArgs = v.object({\n refreshToken: v.string(),\n});\n\ntype RefreshResult = null | {\n token: string;\n refreshToken: string;\n};\n\n// ============================================================================\n// Small helpers for the refresh pipeline\n// ============================================================================\n\n/** A soft refresh failure — logged and collapsed to null at the boundary. 
*/\nclass RefreshFailure {\n readonly _tag = \"RefreshFailure\" as const;\n constructor(readonly reason: string) {}\n}\n\n// ============================================================================\n// Main exported function\n// ============================================================================\n\nexport async function refreshSessionImpl(\n ctx: MutationCtx,\n args: Infer<typeof refreshSessionArgs>,\n _getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Promise<RefreshResult> {\n const db = authDb(ctx, config);\n const { refreshToken } = args;\n\n return Fx.run(\n parseRefreshToken(refreshToken).pipe(\n Fx.recover((err: AuthError) => Fx.fail(new RefreshFailure(err.message))),\n Fx.tap(({ refreshTokenId, sessionId: tokenSessionId }) =>\n Fx.sync(() =>\n logWithLevel(\n \"DEBUG\",\n `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(tokenSessionId)}`,\n ),\n ),\n ),\n Fx.chain(({ refreshTokenId, sessionId: tokenSessionId }) =>\n refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config).pipe(\n Fx.chain((validationResult) =>\n validationResult === null\n ? 
Fx.gen(function* () {\n yield* Fx.from({\n ok: async () => {\n const session = await (db as any).sessions.getById(\n tokenSessionId,\n );\n if (session !== null) {\n await (db as any).sessions.delete(session._id);\n }\n },\n err: () =>\n new RefreshFailure(\n \"Skipping invalid session id during refresh cleanup\",\n ),\n }).pipe(\n Fx.recover((f) => {\n logWithLevel(\"DEBUG\", f.reason);\n return Fx.succeed(undefined as void);\n }),\n );\n\n yield* Fx.from({\n ok: () =>\n authDb(ctx, config).refreshTokens.deleteAll(\n tokenSessionId as any,\n ),\n err: () =>\n new RefreshFailure(\n \"Skipping invalid token session id during refresh token cleanup\",\n ),\n }).pipe(\n Fx.recover((f) => {\n logWithLevel(\"DEBUG\", f.reason);\n return Fx.succeed(undefined as void);\n }),\n );\n\n return null;\n })\n : (() => {\n const { session } = validationResult;\n const sessionId = session._id;\n const userId = session.userId;\n const tokenFirstUsed =\n validationResult.refreshTokenDoc.firstUsedTime;\n return tokenFirstUsed === undefined\n ? 
Fx.from({\n ok: async () => {\n await (db as any).refreshTokens.patch(\n refreshTokenId,\n {\n firstUsedTime: Date.now(),\n },\n );\n const result = await generateTokensForSession(\n ctx,\n config,\n {\n userId,\n sessionId,\n issuedRefreshTokenId: null,\n parentRefreshTokenId: refreshTokenId as any,\n },\n );\n const { refreshTokenId: newRefreshTokenId } =\n await Fx.run(\n parseRefreshToken(result.refreshToken),\n );\n logWithLevel(\n \"DEBUG\",\n `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (first use) for new refresh token ${maybeRedact(newRefreshTokenId)}`,\n );\n return result;\n },\n err: () =>\n new RefreshFailure(\n \"Failed during first-use token exchange\",\n ),\n })\n : Fx.from({\n ok: () =>\n authDb(ctx, config).refreshTokens.getActive(\n tokenSessionId as any,\n ),\n err: () =>\n new RefreshFailure(\n \"Failed to load active refresh token\",\n ),\n }).pipe(\n Fx.chain((activeRefreshToken) => {\n logWithLevel(\n \"DEBUG\",\n `Active refresh token: ${maybeRedact(activeRefreshToken?._id ?? \"(none)\")}, parent ${maybeRedact(activeRefreshToken?.parentRefreshTokenId ?? \"(none)\")}`,\n );\n\n const reuseDispatch =\n activeRefreshToken !== null &&\n activeRefreshToken.parentRefreshTokenId ===\n refreshTokenId\n ? ({\n tag: \"parentOfActive\",\n activeRefreshToken,\n } as const)\n : tokenFirstUsed + REFRESH_TOKEN_REUSE_WINDOW_MS >\n Date.now()\n ? 
({ tag: \"withinReuseWindow\" } as const)\n : ({ tag: \"outsideReuseWindow\" } as const);\n\n if (reuseDispatch.tag === \"parentOfActive\") {\n return Fx.from({\n ok: () =>\n generateTokensForSession(ctx, config, {\n userId,\n sessionId,\n issuedRefreshTokenId:\n reuseDispatch.activeRefreshToken._id,\n parentRefreshTokenId: refreshTokenId as any,\n }),\n err: () =>\n new RefreshFailure(\n \"Failed to generate tokens for parent reuse\",\n ),\n }).pipe(\n Fx.tap(() =>\n Fx.sync(() =>\n logWithLevel(\n \"DEBUG\",\n `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} is parent of active refresh token ${maybeRedact(reuseDispatch.activeRefreshToken._id)}, so returning that token`,\n ),\n ),\n ),\n );\n }\n\n if (reuseDispatch.tag === \"withinReuseWindow\") {\n return Fx.from({\n ok: async () => {\n const result = await generateTokensForSession(\n ctx,\n config,\n {\n userId,\n sessionId,\n issuedRefreshTokenId: null,\n parentRefreshTokenId: refreshTokenId as any,\n },\n );\n const { refreshTokenId: newRefreshTokenId } =\n await Fx.run(\n parseRefreshToken(result.refreshToken),\n );\n logWithLevel(\n \"DEBUG\",\n `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (reuse) for new refresh token ${maybeRedact(newRefreshTokenId)}`,\n );\n return result;\n },\n err: () =>\n new RefreshFailure(\n \"Failed to generate tokens for reuse window\",\n ),\n });\n }\n\n logWithLevel(\n \"ERROR\",\n \"Refresh token used outside of reuse window\",\n );\n logWithLevel(\n \"DEBUG\",\n `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} being used outside of reuse window, so invalidating all refresh tokens in subtree`,\n );\n return Fx.from({\n ok: async () => {\n const tokensToInvalidate =\n await invalidateRefreshTokensInSubtree(\n ctx,\n validationResult.refreshTokenDoc,\n config,\n );\n logWithLevel(\n \"DEBUG\",\n `Invalidated ${tokensToInvalidate.length} refresh tokens in subtree: ${tokensToInvalidate\n .map((token) => maybeRedact(token._id))\n .join(\", 
\")}`,\n );\n return null;\n },\n err: () =>\n new RefreshFailure(\n \"Failed to invalidate refresh tokens in subtree\",\n ),\n });\n }),\n );\n })(),\n ),\n ),\n ),\n Fx.fold({\n ok: (result) => result,\n err: (failure) => {\n logWithLevel(\"DEBUG\", failure.reason);\n return null;\n },\n }),\n ),\n );\n}\n\n// ============================================================================\n// Invalid token path — cleanup session and refresh tokens\n// ============================================================================\n\n// ============================================================================\n// Valid token path — dispatch on first-use / parent / reuse-window / stale\n// ============================================================================\n\n// ============================================================================\n// Action-level caller (unchanged — just forwards to mutation)\n// ============================================================================\n\nexport const callRefreshSession = async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof refreshSessionArgs>,\n): Promise<RefreshResult> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"refreshSession\",\n ...args,\n },\n 
});\n};\n"],"mappings":";;;;;;;;;AAkBA,MAAa,qBAAqB,EAAE,OAAO,EACzC,cAAc,EAAE,QAAQ,EACzB,CAAC;;AAYF,IAAM,iBAAN,MAAqB;CACnB,AAAS,OAAO;CAChB,YAAY,AAAS,QAAgB;EAAhB;;;AAOvB,eAAsB,mBACpB,KACA,MACA,qBACA,QACwB;CACxB,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,EAAE,iBAAiB;AAEzB,QAAO,GAAG,IACR,kBAAkB,aAAa,CAAC,KAC9B,GAAG,SAAS,QAAmB,GAAG,KAAK,IAAI,eAAe,IAAI,QAAQ,CAAC,CAAC,EACxE,GAAG,KAAK,EAAE,gBAAgB,WAAW,qBACnC,GAAG,WACD,aACE,SACA,sCAAsC,YAAY,eAAe,CAAC,eAAe,YAAY,eAAe,GAC7G,CACF,CACF,EACD,GAAG,OAAO,EAAE,gBAAgB,WAAW,qBACrC,oBAAoB,KAAK,gBAAgB,gBAAgB,OAAO,CAAC,KAC/D,GAAG,OAAO,qBACR,qBAAqB,OACjB,GAAG,IAAI,aAAa;AAClB,SAAO,GAAG,KAAK;GACb,IAAI,YAAY;IACd,MAAM,UAAU,MAAO,GAAW,SAAS,QACzC,eACD;AACD,QAAI,YAAY,KACd,OAAO,GAAW,SAAS,OAAO,QAAQ,IAAI;;GAGlD,WACE,IAAI,eACF,qDACD;GACJ,CAAC,CAAC,KACD,GAAG,SAAS,MAAM;AAChB,gBAAa,SAAS,EAAE,OAAO;AAC/B,UAAO,GAAG,QAAQ,OAAkB;IACpC,CACH;AAED,SAAO,GAAG,KAAK;GACb,UACE,OAAO,KAAK,OAAO,CAAC,cAAc,UAChC,eACD;GACH,WACE,IAAI,eACF,iEACD;GACJ,CAAC,CAAC,KACD,GAAG,SAAS,MAAM;AAChB,gBAAa,SAAS,EAAE,OAAO;AAC/B,UAAO,GAAG,QAAQ,OAAkB;IACpC,CACH;AAED,SAAO;GACP,UACK;EACL,MAAM,EAAE,YAAY;EACpB,MAAM,YAAY,QAAQ;EAC1B,MAAM,SAAS,QAAQ;EACvB,MAAM,iBACJ,iBAAiB,gBAAgB;AACnC,SAAO,mBAAmB,SACtB,GAAG,KAAK;GACN,IAAI,YAAY;AACd,UAAO,GAAW,cAAc,MAC9B,gBACA,EACE,eAAe,KAAK,KAAK,EAC1B,CACF;IACD,MAAM,SAAS,MAAM,yBACnB,KACA,QACA;KACE;KACA;KACA,sBAAsB;KACtB,sBAAsB;KACvB,CACF;IACD,MAAM,EAAE,gBAAgB,sBACtB,MAAM,GAAG,IACP,kBAAkB,OAAO,aAAa,CACvC;AACH,iBACE,SACA,aAAa,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,qCAAqC,YAAY,kBAAkB,GACnI;AACD,WAAO;;GAET,WACE,IAAI,eACF,yCACD;GACJ,CAAC,GACF,GAAG,KAAK;GACN,UACE,OAAO,KAAK,OAAO,CAAC,cAAc,UAChC,eACD;GACH,WACE,IAAI,eACF,sCACD;GACJ,CAAC,CAAC,KACD,GAAG,OAAO,uBAAuB;AAC/B,gBACE,SACA,yBAAyB,YAAY,oBAAoB,OAAO,SAAS,CAAC,WAAW,YAAY,oBAAoB,wBAAwB,SAAS,GACvJ;GAED,MAAM,gBACJ,uBAAuB,QACvB,mBAAmB,yBACjB,iBACG;IACC,KAAK;IACL;IACD,GACD,iBAAiB,gCACf,KAAK,KAAK,GACT,EAAE,KAAK,qBAAqB,GAC5B,EAAE,KAAK,sBAAsB;AAEtC,OAAI,cAAc,QAAQ,iBACxB,QAAO,GAAG,KAAK;IACb,UACE,yBAAyB,KAAK,QAAQ;KACpC;KACA;KACA,sBACE,cAAc,mBAAmB;KACnC
,sBAAsB;KACvB,CAAC;IACJ,WACE,IAAI,eACF,6CACD;IACJ,CAAC,CAAC,KACD,GAAG,UACD,GAAG,WACD,aACE,SACA,SAAS,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,qCAAqC,YAAY,cAAc,mBAAmB,IAAI,CAAC,2BACnJ,CACF,CACF,CACF;AAGH,OAAI,cAAc,QAAQ,oBACxB,QAAO,GAAG,KAAK;IACb,IAAI,YAAY;KACd,MAAM,SAAS,MAAM,yBACnB,KACA,QACA;MACE;MACA;MACA,sBAAsB;MACtB,sBAAsB;MACvB,CACF;KACD,MAAM,EAAE,gBAAgB,sBACtB,MAAM,GAAG,IACP,kBAAkB,OAAO,aAAa,CACvC;AACH,kBACE,SACA,aAAa,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,iCAAiC,YAAY,kBAAkB,GAC/H;AACD,YAAO;;IAET,WACE,IAAI,eACF,6CACD;IACJ,CAAC;AAGJ,gBACE,SACA,6CACD;AACD,gBACE,SACA,SAAS,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,oFAC5D;AACD,UAAO,GAAG,KAAK;IACb,IAAI,YAAY;KACd,MAAM,qBACJ,MAAM,iCACJ,KACA,iBAAiB,iBACjB,OACD;AACH,kBACE,SACA,eAAe,mBAAmB,OAAO,8BAA8B,mBACpE,KAAK,UAAU,YAAY,MAAM,IAAI,CAAC,CACtC,KAAK,KAAK,GACd;AACD,YAAO;;IAET,WACE,IAAI,eACF,iDACD;IACJ,CAAC;IACF,CACH;KACH,CACT,CACF,CACF,EACD,GAAG,KAAK;EACN,KAAK,WAAW;EAChB,MAAM,YAAY;AAChB,gBAAa,SAAS,QAAQ,OAAO;AACrC,UAAO;;EAEV,CAAC,CACH,CACF;;AAeH,MAAa,qBAAqB,OAChC,KACA,SAC2B;AAC3B,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
|
|
1
|
+
{"version":3,"file":"refresh.js","names":[],"sources":["../../../../src/server/mutations/refresh.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { ConvexError, Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport {\n invalidateRefreshTokensInSubtree,\n parseRefreshToken,\n REFRESH_TOKEN_REUSE_WINDOW_MS,\n refreshTokenIfValid,\n} from \"../refresh\";\nimport { generateTokensForSession } from \"../sessions\";\nimport { MutationCtx } from \"../types\";\nimport { logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const refreshSessionArgs = v.object({\n refreshToken: v.string(),\n});\n\ntype RefreshResult = null | {\n token: string;\n refreshToken: string;\n};\n\n// ============================================================================\n// Small helpers for the refresh pipeline\n// ============================================================================\n\n/** A soft refresh failure — logged and collapsed to null at the boundary. 
*/\nclass RefreshFailure {\n readonly _tag = \"RefreshFailure\" as const;\n constructor(readonly reason: string) {}\n}\n\n// ============================================================================\n// Main exported function\n// ============================================================================\n\nexport async function refreshSessionImpl(\n ctx: MutationCtx,\n args: Infer<typeof refreshSessionArgs>,\n _getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Promise<RefreshResult> {\n const db = authDb(ctx, config);\n const { refreshToken } = args;\n\n return Fx.run(\n parseRefreshToken(refreshToken).pipe(\n Fx.recover((err: ConvexError<any>) =>\n Fx.fail(new RefreshFailure(err.data.message)),\n ),\n Fx.tap(({ refreshTokenId, sessionId: tokenSessionId }) =>\n Fx.sync(() =>\n logWithLevel(\n \"DEBUG\",\n `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(tokenSessionId)}`,\n ),\n ),\n ),\n Fx.chain(({ refreshTokenId, sessionId: tokenSessionId }) =>\n refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config).pipe(\n Fx.chain((validationResult) =>\n validationResult === null\n ? 
Fx.gen(function* () {\n yield* Fx.from({\n ok: async () => {\n const session = await (db as any).sessions.getById(\n tokenSessionId,\n );\n if (session !== null) {\n await (db as any).sessions.delete(session._id);\n }\n },\n err: () =>\n new RefreshFailure(\n \"Skipping invalid session id during refresh cleanup\",\n ),\n }).pipe(\n Fx.recover((f) => {\n logWithLevel(\"DEBUG\", f.reason);\n return Fx.succeed(undefined as void);\n }),\n );\n\n yield* Fx.from({\n ok: () =>\n authDb(ctx, config).refreshTokens.deleteAll(\n tokenSessionId as any,\n ),\n err: () =>\n new RefreshFailure(\n \"Skipping invalid token session id during refresh token cleanup\",\n ),\n }).pipe(\n Fx.recover((f) => {\n logWithLevel(\"DEBUG\", f.reason);\n return Fx.succeed(undefined as void);\n }),\n );\n\n return null;\n })\n : (() => {\n const { session } = validationResult;\n const sessionId = session._id;\n const userId = session.userId;\n const tokenFirstUsed =\n validationResult.refreshTokenDoc.firstUsedTime;\n return tokenFirstUsed === undefined\n ? 
Fx.from({\n ok: async () => {\n await (db as any).refreshTokens.patch(\n refreshTokenId,\n {\n firstUsedTime: Date.now(),\n },\n );\n const result = await generateTokensForSession(\n ctx,\n config,\n {\n userId,\n sessionId,\n issuedRefreshTokenId: null,\n parentRefreshTokenId: refreshTokenId as any,\n },\n );\n const { refreshTokenId: newRefreshTokenId } =\n await Fx.run(\n parseRefreshToken(result.refreshToken),\n );\n logWithLevel(\n \"DEBUG\",\n `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (first use) for new refresh token ${maybeRedact(newRefreshTokenId)}`,\n );\n return result;\n },\n err: () =>\n new RefreshFailure(\n \"Failed during first-use token exchange\",\n ),\n })\n : Fx.from({\n ok: () =>\n authDb(ctx, config).refreshTokens.getActive(\n tokenSessionId as any,\n ),\n err: () =>\n new RefreshFailure(\n \"Failed to load active refresh token\",\n ),\n }).pipe(\n Fx.chain((activeRefreshToken) => {\n logWithLevel(\n \"DEBUG\",\n `Active refresh token: ${maybeRedact(activeRefreshToken?._id ?? \"(none)\")}, parent ${maybeRedact(activeRefreshToken?.parentRefreshTokenId ?? \"(none)\")}`,\n );\n\n const reuseDispatch =\n activeRefreshToken !== null &&\n activeRefreshToken.parentRefreshTokenId ===\n refreshTokenId\n ? ({\n tag: \"parentOfActive\",\n activeRefreshToken,\n } as const)\n : tokenFirstUsed + REFRESH_TOKEN_REUSE_WINDOW_MS >\n Date.now()\n ? 
({ tag: \"withinReuseWindow\" } as const)\n : ({ tag: \"outsideReuseWindow\" } as const);\n\n if (reuseDispatch.tag === \"parentOfActive\") {\n return Fx.from({\n ok: () =>\n generateTokensForSession(ctx, config, {\n userId,\n sessionId,\n issuedRefreshTokenId:\n reuseDispatch.activeRefreshToken._id,\n parentRefreshTokenId: refreshTokenId as any,\n }),\n err: () =>\n new RefreshFailure(\n \"Failed to generate tokens for parent reuse\",\n ),\n }).pipe(\n Fx.tap(() =>\n Fx.sync(() =>\n logWithLevel(\n \"DEBUG\",\n `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} is parent of active refresh token ${maybeRedact(reuseDispatch.activeRefreshToken._id)}, so returning that token`,\n ),\n ),\n ),\n );\n }\n\n if (reuseDispatch.tag === \"withinReuseWindow\") {\n return Fx.from({\n ok: async () => {\n const result = await generateTokensForSession(\n ctx,\n config,\n {\n userId,\n sessionId,\n issuedRefreshTokenId: null,\n parentRefreshTokenId: refreshTokenId as any,\n },\n );\n const { refreshTokenId: newRefreshTokenId } =\n await Fx.run(\n parseRefreshToken(result.refreshToken),\n );\n logWithLevel(\n \"DEBUG\",\n `Exchanged ${maybeRedact(validationResult.refreshTokenDoc._id)} (reuse) for new refresh token ${maybeRedact(newRefreshTokenId)}`,\n );\n return result;\n },\n err: () =>\n new RefreshFailure(\n \"Failed to generate tokens for reuse window\",\n ),\n });\n }\n\n logWithLevel(\n \"ERROR\",\n \"Refresh token used outside of reuse window\",\n );\n logWithLevel(\n \"DEBUG\",\n `Token ${maybeRedact(validationResult.refreshTokenDoc._id)} being used outside of reuse window, so invalidating all refresh tokens in subtree`,\n );\n return Fx.from({\n ok: async () => {\n const tokensToInvalidate =\n await invalidateRefreshTokensInSubtree(\n ctx,\n validationResult.refreshTokenDoc,\n config,\n );\n logWithLevel(\n \"DEBUG\",\n `Invalidated ${tokensToInvalidate.length} refresh tokens in subtree: ${tokensToInvalidate\n .map((token) => maybeRedact(token._id))\n .join(\", 
\")}`,\n );\n return null;\n },\n err: () =>\n new RefreshFailure(\n \"Failed to invalidate refresh tokens in subtree\",\n ),\n });\n }),\n );\n })(),\n ),\n ),\n ),\n Fx.fold({\n ok: (result) => result,\n err: (failure) => {\n logWithLevel(\"DEBUG\", failure.reason);\n return null;\n },\n }),\n ),\n );\n}\n\n// ============================================================================\n// Invalid token path — cleanup session and refresh tokens\n// ============================================================================\n\n// ============================================================================\n// Valid token path — dispatch on first-use / parent / reuse-window / stale\n// ============================================================================\n\n// ============================================================================\n// Action-level caller (unchanged — just forwards to mutation)\n// ============================================================================\n\nexport const callRefreshSession = async <DataModel extends GenericDataModel>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof refreshSessionArgs>,\n): Promise<RefreshResult> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"refreshSession\",\n ...args,\n },\n 
});\n};\n"],"mappings":";;;;;;;;;AAiBA,MAAa,qBAAqB,EAAE,OAAO,EACzC,cAAc,EAAE,QAAQ,EACzB,CAAC;;AAYF,IAAM,iBAAN,MAAqB;CACnB,AAAS,OAAO;CAChB,YAAY,AAAS,QAAgB;EAAhB;;;AAOvB,eAAsB,mBACpB,KACA,MACA,qBACA,QACwB;CACxB,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,EAAE,iBAAiB;AAEzB,QAAO,GAAG,IACR,kBAAkB,aAAa,CAAC,KAC9B,GAAG,SAAS,QACV,GAAG,KAAK,IAAI,eAAe,IAAI,KAAK,QAAQ,CAAC,CAC9C,EACD,GAAG,KAAK,EAAE,gBAAgB,WAAW,qBACnC,GAAG,WACD,aACE,SACA,sCAAsC,YAAY,eAAe,CAAC,eAAe,YAAY,eAAe,GAC7G,CACF,CACF,EACD,GAAG,OAAO,EAAE,gBAAgB,WAAW,qBACrC,oBAAoB,KAAK,gBAAgB,gBAAgB,OAAO,CAAC,KAC/D,GAAG,OAAO,qBACR,qBAAqB,OACjB,GAAG,IAAI,aAAa;AAClB,SAAO,GAAG,KAAK;GACb,IAAI,YAAY;IACd,MAAM,UAAU,MAAO,GAAW,SAAS,QACzC,eACD;AACD,QAAI,YAAY,KACd,OAAO,GAAW,SAAS,OAAO,QAAQ,IAAI;;GAGlD,WACE,IAAI,eACF,qDACD;GACJ,CAAC,CAAC,KACD,GAAG,SAAS,MAAM;AAChB,gBAAa,SAAS,EAAE,OAAO;AAC/B,UAAO,GAAG,QAAQ,OAAkB;IACpC,CACH;AAED,SAAO,GAAG,KAAK;GACb,UACE,OAAO,KAAK,OAAO,CAAC,cAAc,UAChC,eACD;GACH,WACE,IAAI,eACF,iEACD;GACJ,CAAC,CAAC,KACD,GAAG,SAAS,MAAM;AAChB,gBAAa,SAAS,EAAE,OAAO;AAC/B,UAAO,GAAG,QAAQ,OAAkB;IACpC,CACH;AAED,SAAO;GACP,UACK;EACL,MAAM,EAAE,YAAY;EACpB,MAAM,YAAY,QAAQ;EAC1B,MAAM,SAAS,QAAQ;EACvB,MAAM,iBACJ,iBAAiB,gBAAgB;AACnC,SAAO,mBAAmB,SACtB,GAAG,KAAK;GACN,IAAI,YAAY;AACd,UAAO,GAAW,cAAc,MAC9B,gBACA,EACE,eAAe,KAAK,KAAK,EAC1B,CACF;IACD,MAAM,SAAS,MAAM,yBACnB,KACA,QACA;KACE;KACA;KACA,sBAAsB;KACtB,sBAAsB;KACvB,CACF;IACD,MAAM,EAAE,gBAAgB,sBACtB,MAAM,GAAG,IACP,kBAAkB,OAAO,aAAa,CACvC;AACH,iBACE,SACA,aAAa,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,qCAAqC,YAAY,kBAAkB,GACnI;AACD,WAAO;;GAET,WACE,IAAI,eACF,yCACD;GACJ,CAAC,GACF,GAAG,KAAK;GACN,UACE,OAAO,KAAK,OAAO,CAAC,cAAc,UAChC,eACD;GACH,WACE,IAAI,eACF,sCACD;GACJ,CAAC,CAAC,KACD,GAAG,OAAO,uBAAuB;AAC/B,gBACE,SACA,yBAAyB,YAAY,oBAAoB,OAAO,SAAS,CAAC,WAAW,YAAY,oBAAoB,wBAAwB,SAAS,GACvJ;GAED,MAAM,gBACJ,uBAAuB,QACvB,mBAAmB,yBACjB,iBACG;IACC,KAAK;IACL;IACD,GACD,iBAAiB,gCACf,KAAK,KAAK,GACT,EAAE,KAAK,qBAAqB,GAC5B,EAAE,KAAK,sBAAsB;AAEtC,OAAI,cAAc,QAAQ,iBACxB,QAAO,GAAG,KAAK;IACb,UACE,yBAAyB,KAAK,QAAQ;KACpC;KACA;KACA,sBACE,cAAc,mBAAmB;K
ACnC,sBAAsB;KACvB,CAAC;IACJ,WACE,IAAI,eACF,6CACD;IACJ,CAAC,CAAC,KACD,GAAG,UACD,GAAG,WACD,aACE,SACA,SAAS,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,qCAAqC,YAAY,cAAc,mBAAmB,IAAI,CAAC,2BACnJ,CACF,CACF,CACF;AAGH,OAAI,cAAc,QAAQ,oBACxB,QAAO,GAAG,KAAK;IACb,IAAI,YAAY;KACd,MAAM,SAAS,MAAM,yBACnB,KACA,QACA;MACE;MACA;MACA,sBAAsB;MACtB,sBAAsB;MACvB,CACF;KACD,MAAM,EAAE,gBAAgB,sBACtB,MAAM,GAAG,IACP,kBAAkB,OAAO,aAAa,CACvC;AACH,kBACE,SACA,aAAa,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,iCAAiC,YAAY,kBAAkB,GAC/H;AACD,YAAO;;IAET,WACE,IAAI,eACF,6CACD;IACJ,CAAC;AAGJ,gBACE,SACA,6CACD;AACD,gBACE,SACA,SAAS,YAAY,iBAAiB,gBAAgB,IAAI,CAAC,oFAC5D;AACD,UAAO,GAAG,KAAK;IACb,IAAI,YAAY;KACd,MAAM,qBACJ,MAAM,iCACJ,KACA,iBAAiB,iBACjB,OACD;AACH,kBACE,SACA,eAAe,mBAAmB,OAAO,8BAA8B,mBACpE,KAAK,UAAU,YAAY,MAAM,IAAI,CAAC,CACtC,KAAK,KAAK,GACd;AACD,YAAO;;IAET,WACE,IAAI,eACF,iDACD;IACJ,CAAC;IACF,CACH;KACH,CACT,CACF,CACF,EACD,GAAG,KAAK;EACN,KAAK,WAAW;EAChB,MAAM,YAAY;AAChB,gBAAa,SAAS,QAAQ,OAAO;AACrC,UAAO;;EAEV,CAAC,CACH,CACF;;AAeH,MAAa,qBAAqB,OAChC,KACA,SAC2B;AAC3B,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
|
|
@@ -1,12 +1,12 @@
|
|
|
1
|
-
import { AuthError } from "../authError.js";
|
|
2
1
|
import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
|
|
3
|
-
import { authDb } from "../db.js";
|
|
4
2
|
import { hash, verify } from "../crypto.js";
|
|
3
|
+
import { authDb } from "../db.js";
|
|
5
4
|
import { AUTH_STORE_REF } from "./store/refs.js";
|
|
6
5
|
import { getAuthSessionId } from "../sessions.js";
|
|
7
6
|
import { upsertUserAndAccount } from "../users.js";
|
|
8
|
-
import {
|
|
7
|
+
import { Cv } from "@robelest/fx/convex";
|
|
9
8
|
import { Fx } from "@robelest/fx";
|
|
9
|
+
import { v } from "convex/values";
|
|
10
10
|
|
|
11
11
|
//#region src/server/mutations/register.ts
|
|
12
12
|
const createAccountFromCredentialsArgs = v.object({
|
|
@@ -30,46 +30,50 @@ async function createAccountFromCredentialsImpl(ctx, args, getProviderOrThrow, c
|
|
|
30
30
|
const { provider: providerId, account, profile, shouldLinkViaEmail, shouldLinkViaPhone } = args;
|
|
31
31
|
const db = authDb(ctx, config);
|
|
32
32
|
const provider = getProviderOrThrow(providerId);
|
|
33
|
-
return Fx.run(Fx.
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
user
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
providerAccountId: account.id,
|
|
47
|
-
secret
|
|
48
|
-
}, {
|
|
49
|
-
type: "credentials",
|
|
50
|
-
provider,
|
|
51
|
-
profile,
|
|
52
|
-
shouldLinkViaEmail,
|
|
53
|
-
shouldLinkViaPhone
|
|
54
|
-
}, config),
|
|
55
|
-
err: () => new AuthError("INTERNAL_ERROR")
|
|
56
|
-
})), Fx.chain((result) => {
|
|
57
|
-
const { userId, accountId } = result;
|
|
58
|
-
return Fx.zip(Fx.from({
|
|
59
|
-
ok: () => db.accounts.getById(accountId),
|
|
60
|
-
err: () => new AuthError("INTERNAL_ERROR")
|
|
61
|
-
}), Fx.from({
|
|
62
|
-
ok: () => db.users.getById(userId),
|
|
63
|
-
err: () => new AuthError("INTERNAL_ERROR")
|
|
64
|
-
}));
|
|
65
|
-
}), Fx.chain((pair) => {
|
|
66
|
-
const [createdAccount, createdUser] = pair;
|
|
67
|
-
return createdAccount === null ? Fx.fail(new AuthError("ACCOUNT_NOT_FOUND", `Created account was not found.`)) : createdUser === null ? Fx.fail(new AuthError("USER_UPDATE_FAILED", `Created user was not found.`)) : Fx.succeed({
|
|
68
|
-
account: createdAccount,
|
|
69
|
-
user: createdUser
|
|
33
|
+
return Fx.run(Fx.gen(function* () {
|
|
34
|
+
const existingAccount = yield* Fx.promise(() => db.accounts.get(provider.id, account.id));
|
|
35
|
+
if (existingAccount !== null) {
|
|
36
|
+
if (account.secret !== void 0) {
|
|
37
|
+
if (!(yield* verify(provider, account.secret, existingAccount.secret ?? ""))) return yield* Cv.fail({
|
|
38
|
+
code: "ACCOUNT_ALREADY_EXISTS",
|
|
39
|
+
message: `Account ${account.id} already exists`
|
|
40
|
+
});
|
|
41
|
+
}
|
|
42
|
+
const user = yield* Fx.promise(() => db.users.getById(existingAccount.userId));
|
|
43
|
+
if (user === null) return yield* Cv.fail({
|
|
44
|
+
code: "ACCOUNT_NOT_FOUND",
|
|
45
|
+
message: `Linked user for account ${account.id} was not found.`
|
|
70
46
|
});
|
|
71
|
-
|
|
72
|
-
|
|
47
|
+
return {
|
|
48
|
+
account: existingAccount,
|
|
49
|
+
user
|
|
50
|
+
};
|
|
51
|
+
}
|
|
52
|
+
const secret = account.secret !== void 0 ? yield* hash(provider, account.secret) : void 0;
|
|
53
|
+
const { userId, accountId } = yield* Fx.promise(async () => upsertUserAndAccount(ctx, await getAuthSessionId(ctx), {
|
|
54
|
+
providerAccountId: account.id,
|
|
55
|
+
secret
|
|
56
|
+
}, {
|
|
57
|
+
type: "credentials",
|
|
58
|
+
provider,
|
|
59
|
+
profile,
|
|
60
|
+
shouldLinkViaEmail,
|
|
61
|
+
shouldLinkViaPhone
|
|
62
|
+
}, config));
|
|
63
|
+
const [createdAccount, createdUser] = yield* Fx.zip(Fx.promise(() => db.accounts.getById(accountId)), Fx.promise(() => db.users.getById(userId)));
|
|
64
|
+
if (createdAccount === null) return yield* Cv.fail({
|
|
65
|
+
code: "ACCOUNT_NOT_FOUND",
|
|
66
|
+
message: `Created account was not found.`
|
|
67
|
+
});
|
|
68
|
+
if (createdUser === null) return yield* Cv.fail({
|
|
69
|
+
code: "USER_UPDATE_FAILED",
|
|
70
|
+
message: `Created user was not found.`
|
|
71
|
+
});
|
|
72
|
+
return {
|
|
73
|
+
account: createdAccount,
|
|
74
|
+
user: createdUser
|
|
75
|
+
};
|
|
76
|
+
}));
|
|
73
77
|
}
|
|
74
78
|
const callCreateAccountFromCredentials = async (ctx, args) => {
|
|
75
79
|
return ctx.runMutation(AUTH_STORE_REF, { args: {
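Review bot: In the existing-account branch (new lines 35–51) the `verify` call runs only when `account.secret` is supplied, so a request that omits the secret for an account id that already exists is handed back that account and its user without any proof of ownership; createAccountFromCredentialsImpl's signature sits above this hunk, so whether every caller always passes a secret is not visible here. If secret-less credential providers are meant to take this path, a comment such as `// No secret supplied: caller must already have authenticated account.id by other means` at line 36 would make the invariant explicit; if they are not, failing closed with `if (account.secret === void 0) return yield* Cv.fail({ code: "ACCOUNT_ALREADY_EXISTS", message: \`Account ${account.id} already exists\` });` ahead of the verify step is the safer default. The same branch verifies against `existingAccount.secret ?? ""`, so a stored account with no secret is compared against an empty hash and the outcome rests entirely on how `verify` treats that input — a preceding `if (existingAccount.secret === void 0)` failure would avoid depending on it. The `ACCOUNT_ALREADY_EXISTS` failure is also distinguishable from the success result, so if `Cv.fail` reaches clients as a ConvexError (the refresh.js hunk above reads `err.data.message` from one), any caller that surfaces it lets an unauthenticated party confirm which account ids exist. callCreateAccountFromCredentials at the bottom of the hunk runs past its end.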
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"register.js","names":["Provider.verify","Provider.hash"],"sources":["../../../../src/server/mutations/register.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport
|
|
1
|
+
{"version":3,"file":"register.js","names":["Provider.verify","Provider.hash"],"sources":["../../../../src/server/mutations/register.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { getAuthSessionId } from \"../sessions\";\nimport { Doc, MutationCtx } from \"../types\";\nimport { ConvexCredentialsConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { LOG_LEVELS, logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const createAccountFromCredentialsArgs = v.object({\n provider: v.string(),\n account: v.object({ id: v.string(), secret: v.optional(v.string()) }),\n profile: v.any(),\n shouldLinkViaEmail: v.optional(v.boolean()),\n shouldLinkViaPhone: v.optional(v.boolean()),\n});\n\ntype ReturnType = { account: Doc<\"Account\">; user: Doc<\"User\"> };\n\nexport async function createAccountFromCredentialsImpl(\n ctx: MutationCtx,\n args: Infer<typeof createAccountFromCredentialsArgs>,\n getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n config: Provider.Config,\n): Promise<ReturnType> {\n logWithLevel(LOG_LEVELS.DEBUG, \"createAccountFromCredentialsImpl args:\", {\n provider: args.provider,\n account: {\n id: args.account.id,\n secret: maybeRedact(args.account.secret ?? 
\"\"),\n },\n });\n\n const {\n provider: providerId,\n account,\n profile,\n shouldLinkViaEmail,\n shouldLinkViaPhone,\n } = args;\n const db = authDb(ctx, config);\n const provider = getProviderOrThrow(providerId) as ConvexCredentialsConfig;\n\n return Fx.run(\n Fx.gen(function* () {\n const existingAccount = yield* Fx.promise(\n () =>\n db.accounts.get(\n provider.id,\n account.id,\n ) as Promise<Doc<\"Account\"> | null>,\n );\n\n if (existingAccount !== null) {\n if (account.secret !== undefined) {\n const valid = yield* Provider.verify(\n provider,\n account.secret,\n existingAccount.secret ?? \"\",\n );\n if (!valid) {\n return yield* Cv.fail({\n code: \"ACCOUNT_ALREADY_EXISTS\",\n message: `Account ${account.id} already exists`,\n });\n }\n }\n\n const user = yield* Fx.promise(\n () =>\n db.users.getById(\n existingAccount.userId,\n ) as Promise<Doc<\"User\"> | null>,\n );\n if (user === null) {\n return yield* Cv.fail({\n code: \"ACCOUNT_NOT_FOUND\",\n message: `Linked user for account ${account.id} was not found.`,\n });\n }\n\n return { account: existingAccount, user };\n }\n\n const secret =\n account.secret !== undefined\n ? 
yield* Provider.hash(provider, account.secret)\n : undefined;\n\n const result = yield* Fx.promise(async () =>\n upsertUserAndAccount(\n ctx,\n await getAuthSessionId(ctx),\n { providerAccountId: account.id, secret },\n {\n type: \"credentials\",\n provider,\n profile,\n shouldLinkViaEmail,\n shouldLinkViaPhone,\n },\n config,\n ),\n );\n\n const { userId, accountId } = result as {\n userId: string;\n accountId: string;\n };\n const [createdAccount, createdUser] = yield* Fx.zip(\n Fx.promise(\n () =>\n db.accounts.getById(accountId) as Promise<Doc<\"Account\"> | null>,\n ),\n Fx.promise(\n () => db.users.getById(userId) as Promise<Doc<\"User\"> | null>,\n ),\n );\n\n if (createdAccount === null) {\n return yield* Cv.fail({\n code: \"ACCOUNT_NOT_FOUND\",\n message: `Created account was not found.`,\n });\n }\n if (createdUser === null) {\n return yield* Cv.fail({\n code: \"USER_UPDATE_FAILED\",\n message: `Created user was not found.`,\n });\n }\n\n return { account: createdAccount, user: createdUser };\n }),\n ) as Promise<ReturnType>;\n}\n\nexport const callCreateAccountFromCredentials = async <\n DataModel extends GenericDataModel,\n>(\n ctx: GenericActionCtx<DataModel>,\n args: Infer<typeof createAccountFromCredentialsArgs>,\n): Promise<ReturnType> => {\n return ctx.runMutation(AUTH_STORE_REF, {\n args: {\n type: \"createAccountFromCredentials\",\n ...args,\n },\n 
});\n};\n"],"mappings":";;;;;;;;;;;AAcA,MAAa,mCAAmC,EAAE,OAAO;CACvD,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,OAAO;EAAE,IAAI,EAAE,QAAQ;EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAAE,CAAC;CACrE,SAAS,EAAE,KAAK;CAChB,oBAAoB,EAAE,SAAS,EAAE,SAAS,CAAC;CAC3C,oBAAoB,EAAE,SAAS,EAAE,SAAS,CAAC;CAC5C,CAAC;AAIF,eAAsB,iCACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,0CAA0C;EACvE,UAAU,KAAK;EACf,SAAS;GACP,IAAI,KAAK,QAAQ;GACjB,QAAQ,YAAY,KAAK,QAAQ,UAAU,GAAG;GAC/C;EACF,CAAC;CAEF,MAAM,EACJ,UAAU,YACV,SACA,SACA,oBACA,uBACE;CACJ,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,WAAW,mBAAmB,WAAW;AAE/C,QAAO,GAAG,IACR,GAAG,IAAI,aAAa;EAClB,MAAM,kBAAkB,OAAO,GAAG,cAE9B,GAAG,SAAS,IACV,SAAS,IACT,QAAQ,GACT,CACJ;AAED,MAAI,oBAAoB,MAAM;AAC5B,OAAI,QAAQ,WAAW,QAMrB;QAAI,EALU,OAAOA,OACnB,UACA,QAAQ,QACR,gBAAgB,UAAU,GAC3B,EAEC,QAAO,OAAO,GAAG,KAAK;KACpB,MAAM;KACN,SAAS,WAAW,QAAQ,GAAG;KAChC,CAAC;;GAIN,MAAM,OAAO,OAAO,GAAG,cAEnB,GAAG,MAAM,QACP,gBAAgB,OACjB,CACJ;AACD,OAAI,SAAS,KACX,QAAO,OAAO,GAAG,KAAK;IACpB,MAAM;IACN,SAAS,2BAA2B,QAAQ,GAAG;IAChD,CAAC;AAGJ,UAAO;IAAE,SAAS;IAAiB;IAAM;;EAG3C,MAAM,SACJ,QAAQ,WAAW,SACf,OAAOC,KAAc,UAAU,QAAQ,OAAO,GAC9C;EAkBN,MAAM,EAAE,QAAQ,cAhBD,OAAO,GAAG,QAAQ,YAC/B,qBACE,KACA,MAAM,iBAAiB,IAAI,EAC3B;GAAE,mBAAmB,QAAQ;GAAI;GAAQ,EACzC;GACE,MAAM;GACN;GACA;GACA;GACA;GACD,EACD,OACD,CACF;EAMD,MAAM,CAAC,gBAAgB,eAAe,OAAO,GAAG,IAC9C,GAAG,cAEC,GAAG,SAAS,QAAQ,UAAU,CACjC,EACD,GAAG,cACK,GAAG,MAAM,QAAQ,OAAO,CAC/B,CACF;AAED,MAAI,mBAAmB,KACrB,QAAO,OAAO,GAAG,KAAK;GACpB,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,MAAI,gBAAgB,KAClB,QAAO,OAAO,GAAG,KAAK;GACpB,MAAM;GACN,SAAS;GACV,CAAC;AAGJ,SAAO;GAAE,SAAS;GAAgB,MAAM;GAAa;GACrD,CACH;;AAGH,MAAa,mCAAmC,OAG9C,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
|