@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.23

package/dist/server/runtime.js.map

@@ -1 +1 @@
-{"version":3,"file":"runtime.js","names":["serializeCookie"],"sources":["../../src/server/runtime.ts"],"sourcesContent":["import {\n  Auth,\n  GenericActionCtx,\n  GenericDataModel,\n  HttpRouter,\n  actionGeneric,\n  internalMutationGeneric,\n} from \"convex/server\";\nimport { v } from \"convex/values\";\nimport { serialize as serializeCookie } from \"cookie\";\n\nimport { createCoreDomains } from \"./core\";\nimport { redirectToParamCookie, useRedirectToParam } from \"./cookies\";\nimport { createEnterpriseDomain } from \"./enterprise/domain\";\nimport { addEnterpriseHttpRuntime } from \"./enterprise/http\";\nimport {\n  getOidcConfig,\n  getPublicOidcConfig,\n  getSamlConfig,\n  upsertProtocolConfig,\n  withOidcSecretState,\n} from \"./enterprise/config\";\nimport { normalizeEnterprisePolicy, patchEnterprisePolicy } from \"./enterprise/policy\";\nimport {\n  createServiceProviderMetadata,\n  getSamlServiceProviderOptions,\n  parseSamlIdpMetadata,\n} from \"./enterprise/saml\";\nimport {\n  parseScimPath,\n} from \"./enterprise/scim\";\nimport {\n  enterpriseOidcProviderId,\n  getEnterpriseOidcUrls,\n  isEnterpriseSamlSourceActive,\n  normalizeDomain,\n} from \"./enterprise/shared\";\nimport { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./authError\";\nimport {\n  addAuthRoutes,\n  addOpenIdRoutes,\n  convertErrorsToResponse,\n  createHttpAction,\n  createHttpRoute,\n  getCookies,\n} from \"./http\";\nimport {\n  callCreateAccountFromCredentials,\n  callInvalidateSessions,\n  callModifyAccount,\n  callRetrieveAccountWithCredentials,\n  callSignOut,\n  callUserOAuth,\n  callVerifierSignature,\n  storeArgs,\n  storeImpl,\n} from \"./mutations/index\";\nimport { createOAuthAuthorizationURL, handleOAuthCallback } from \"./oauth\";\nimport { GetProviderOrThrowFunc } from \"./crypto\";\nimport { configDefaults, listAvailableProviders } from \"./config\";\nimport { redirectAbsoluteUrl, setURLSearchParam } from \"./redirects\";\nimport { signInImpl } from \"./signin\";\nimport type {\n  ConvexAuthConfig,\n  FunctionReferenceFromExport,\n  OAuthMaterializedConfig,\n  Tokens,\n} from \"./types\";\nimport { MutationCtx } from \"./types\";\nimport {\n  decryptSecret,\n  encryptSecret,\n  generateRandomString,\n  LOG_LEVELS,\n  logError,\n  logWithLevel,\n  sha256,\n} from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\nconst ENTERPRISE_OIDC_CLIENT_SECRET_KIND = \"oidc_client_secret\" as const;\n\n/**\n * The type of the signIn Convex Action returned from the auth() helper.\n *\n * This type is exported for implementors of other client integrations.\n * However it is not stable, and may change until this library reaches 1.0.\n *\n * @internal\n */\nexport type SignInAction = FunctionReferenceFromExport<\n  ReturnType<typeof Auth>[\"signIn\"]\n>;\n\n/** @internal */\nexport type SignInActionResult =\n  | { kind: \"signedIn\"; tokens: Tokens | null }\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n  | { kind: \"started\" }\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n  | { kind: \"totpRequired\"; verifier: string }\n  | {\n      kind: \"totpSetup\";\n      totpSetup: { uri: string; secret: string; totpId: string };\n      verifier: string;\n    }\n  | {\n      kind: \"deviceCode\";\n      deviceCode: {\n        deviceCode: string;\n        userCode: string;\n        verificationUri: string;\n        verificationUriComplete: string;\n        expiresIn: number;\n        interval: number;\n      };\n    };\n/**\n * The type of the signOut Convex Action returned from the auth() helper.\n *\n * This type is exported for implementors of other client integrations.\n * However it is not stable, and may change until this library reaches 1.0.\n *\n * @internal\n */\nexport type SignOutAction = FunctionReferenceFromExport<\n  ReturnType<typeof Auth>[\"signOut\"]\n>;\n\n/**\n * Configure the Convex Auth library. Returns an object with\n * functions and `auth` helper. You must export the functions\n * from `convex/auth.ts` to make them callable:\n *\n * ```ts filename=\"convex/auth.ts\"\n * import { createAuth } from \"@robelest/convex-auth/component\";\n * import { components } from \"./_generated/api\";\n *\n * export const auth = createAuth(components.auth, {\n *   providers: [],\n * });\n * export const { signIn, signOut, store } = auth;\n * ```\n *\n * @returns An object with fields you should reexport from your\n *          `convex/auth.ts` file.\n */\nexport function Auth(config_: ConvexAuthConfig) {\n  const config = configDefaults(config_);\n  const hasOAuth = config.providers.some(\n    (provider) => provider.type === \"oauth\",\n  );\n  const hasSSO = config.providers.some((provider) => provider.type === \"sso\");\n  const getProviderOrThrow: GetProviderOrThrowFunc = (\n    id: string,\n    allowExtraProviders: boolean = false,\n  ) => {\n    const provider =\n      config.providers.find(\n        (configuredProvider) => configuredProvider.id === id,\n      ) ??\n      (allowExtraProviders\n        ? config.extraProviders.find(\n            (configuredProvider) => configuredProvider.id === id,\n          )\n        : undefined);\n    if (provider === undefined) {\n      const detail =\n        `Provider \\`${id}\\` is not configured, ` +\n        `available providers are ${listAvailableProviders(config, allowExtraProviders)}.`;\n      logWithLevel(LOG_LEVELS.ERROR, detail);\n      throw new AuthError(\"PROVIDER_NOT_CONFIGURED\", detail, {\n        provider: id,\n      }).toConvexError();\n    }\n    return provider;\n  };\n  type ComponentCtx = Pick<\n    GenericActionCtx<GenericDataModel>,\n    \"runQuery\" | \"runMutation\"\n  >;\n  type ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, \"runQuery\">;\n  const getEnterpriseSecret = async (\n    ctx: ComponentReadCtx | ComponentCtx,\n    enterpriseId: string,\n    kind: typeof ENTERPRISE_OIDC_CLIENT_SECRET_KIND,\n  ) => {\n    return await ctx.runQuery(config.component.public.enterpriseSecretGet, {\n      enterpriseId,\n      kind,\n    });\n  };\n  const getEnterpriseOidcConfigWithSecret = async (\n    ctx: ComponentReadCtx | ComponentCtx,\n    enterprise: { _id: string; config?: unknown },\n  ): Promise<Record<string, any>> => {\n    const oidc = getOidcConfig(enterprise.config);\n    const secret = await getEnterpriseSecret(\n      ctx,\n      enterprise._id,\n      ENTERPRISE_OIDC_CLIENT_SECRET_KIND,\n    );\n    return {\n      ...oidc,\n      ...(secret\n        ? { clientSecret: await decryptSecret(secret.ciphertext) }\n        : {}),\n    };\n  };\n  const INVITE_TOKEN_ALPHABET =\n    \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\";\n  const INVITE_TOKEN_LENGTH = 48;\n\n  const enterpriseNotFoundError = \"Enterprise not found.\";\n\n  const ENTERPRISE_CONTROL_ROUTE_BASE = \"/api/auth/sso\";\n\n  const getPolicyFromEnterprise = (enterprise: { policy?: unknown }) =>\n    normalizeEnterprisePolicy(enterprise.policy);\n\n  const loadEnterpriseOrThrow = async (\n    ctx: ComponentReadCtx,\n    enterpriseId: string,\n  ) => {\n    const enterprise = await ctx.runQuery(\n      config.component.public.enterpriseGet,\n      {\n        enterpriseId,\n      },\n    );\n    if (!enterprise) {\n      throw new AuthError(\n        \"INVALID_PARAMETERS\",\n        enterpriseNotFoundError,\n      ).toConvexError();\n    }\n    return enterprise;\n  };\n\n  const loadActiveEnterpriseOrThrow = async (\n    ctx: ComponentReadCtx,\n    enterpriseId: string,\n  ) => {\n    const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);\n    if (enterprise.status !== \"active\") {\n      throw new AuthError(\n        \"INVALID_PARAMETERS\",\n        \"Enterprise connection is not active.\",\n      ).toConvexError();\n    }\n    return enterprise;\n  };\n\n  const loadActiveEnterpriseSamlOrThrow = async (\n    ctx: ComponentReadCtx,\n    enterpriseId: string,\n  ) => {\n    const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);\n    const loaded = {\n      source: {\n        kind: \"enterprise\" as const,\n        id: enterpriseId,\n      },\n      config: enterprise.config,\n      status: enterprise.status,\n      enterprise,\n    };\n    if (!isEnterpriseSamlSourceActive(loaded)) {\n      throw new AuthError(\n        \"INVALID_PARAMETERS\",\n        \"Enterprise connection is not active.\",\n      ).toConvexError();\n    }\n    const saml = getSamlConfig(loaded.config);\n    if (!saml.idp?.metadataXml) {\n      throw new AuthError(\n        \"PROVIDER_NOT_CONFIGURED\",\n        \"SAML is not configured for this enterprise.\",\n      ).toConvexError();\n    }\n    return { loaded, enterprise, saml };\n  };\n\n  const loadEnterpriseOidcOrThrow = async (\n    ctx: ComponentReadCtx,\n    enterpriseId: string,\n  ) => {\n    const enterprise = await loadActiveEnterpriseOrThrow(ctx, enterpriseId);\n    const oidc = await getEnterpriseOidcConfigWithSecret(ctx, enterprise);\n    if (oidc.enabled !== true) {\n      throw new AuthError(\n        \"PROVIDER_NOT_CONFIGURED\",\n        \"OIDC is not configured for this enterprise.\",\n      ).toConvexError();\n    }\n    return { enterprise, oidc };\n  };\n\n  const validateEnterprisePolicy = (\n    policy: ReturnType<typeof normalizeEnterprisePolicy>,\n  ) => {\n    const checks: Array<{\n      name: string;\n      ok: boolean;\n      message?: string;\n    }> = [];\n\n    checks.push({ name: \"policy_version\", ok: policy.version === 1 });\n    checks.push({\n      name: \"jit_default_role_ids_present\",\n      ok:\n        policy.provisioning.jit.mode !== \"createUserAndMembership\" ||\n        policy.provisioning.jit.defaultRoleIds.length > 0,\n      message:\n        policy.provisioning.jit.mode === \"createUserAndMembership\" &&\n        policy.provisioning.jit.defaultRoleIds.length === 0\n          ? \"At least one default roleId is required when JIT membership provisioning is enabled.\"\n          : undefined,\n    });\n    checks.push({\n      name: \"jit_default_role_ids_known\",\n      ok: policy.provisioning.jit.defaultRoleIds.every(\n        (roleId) => config.authorization.roles[roleId] !== undefined,\n      ),\n      message: policy.provisioning.jit.defaultRoleIds.every(\n        (roleId) => config.authorization.roles[roleId] !== undefined,\n      )\n        ? undefined\n        : \"JIT defaultRoleIds contains unknown roleIds.\",\n    });\n    checks.push({\n      name: \"scim_reuse_supported\",\n      ok:\n        policy.provisioning.scimReuse.user === \"externalId\" ||\n        policy.provisioning.scimReuse.user === \"none\",\n    });\n\n    return checks;\n  };\n\n  const recordEnterpriseAuditEvent = async (\n    ctx: ComponentCtx,\n    data: {\n      enterpriseId: string;\n      groupId: string;\n      eventType: string;\n      actorType: \"user\" | \"system\" | \"scim\" | \"api_key\" | \"webhook\";\n      actorId?: string;\n      subjectType: string;\n      subjectId?: string;\n      ok: boolean;\n      requestId?: string;\n      ip?: string;\n      metadata?: Record<string, unknown>;\n    },\n  ) => {\n    const { ok, ...rest } = data;\n    return (await ctx.runMutation(\n      config.component.public.enterpriseAuditEventCreate,\n      {\n        ...rest,\n        status: ok ? \"success\" : \"failure\",\n        occurredAt: Date.now(),\n      },\n    )) as string;\n  };\n\n  const emitEnterpriseWebhookDeliveries = async (\n    ctx: ComponentCtx,\n    data: {\n      enterpriseId: string;\n      eventType: string;\n      payload: Record<string, unknown>;\n      auditEventId?: string;\n    },\n  ) => {\n    const endpoints = await ctx.runQuery(\n      config.component.public.enterpriseWebhookEndpointList,\n      { enterpriseId: data.enterpriseId },\n    );\n    for (const endpoint of endpoints) {\n      if (\n        endpoint.status !== \"active\" ||\n        !endpoint.subscriptions.includes(data.eventType)\n      ) {\n        continue;\n      }\n      await ctx.runMutation(\n        config.component.public.enterpriseWebhookDeliveryEnqueue,\n        {\n          enterpriseId: data.enterpriseId,\n          endpointId: endpoint._id,\n          auditEventId: data.auditEventId,\n          eventType: data.eventType,\n          payload: data.payload,\n          nextAttemptAt: Date.now(),\n        },\n      );\n    }\n  };\n\n  const getEnterpriseScimContext = async (\n    ctx: ComponentReadCtx,\n    request: Request,\n  ) => {\n    const authHeader = request.headers.get(\"Authorization\");\n    if (!authHeader?.startsWith(\"Bearer \")) {\n      throw new AuthError(\"MISSING_BEARER_TOKEN\").toConvexError();\n    }\n    const token = authHeader.slice(7);\n    const scimConfig = await ctx.runQuery(\n      config.component.public.enterpriseScimConfigGetByTokenHash,\n      { tokenHash: await sha256(token) },\n    );\n    if (!scimConfig || scimConfig.status !== \"active\") {\n      throw new AuthError(\n        \"INVALID_API_KEY\",\n        \"Invalid SCIM token.\",\n      ).toConvexError();\n    }\n    const parsedPath = parseScimPath(new URL(request.url).pathname);\n    if (parsedPath.enterpriseId !== scimConfig.enterpriseId) {\n      throw new AuthError(\n        \"INVALID_API_KEY\",\n        \"SCIM token/tenant mismatch.\",\n      ).toConvexError();\n    }\n    const enterprise = await ctx.runQuery(\n      config.component.public.enterpriseGet,\n      {\n        enterpriseId: scimConfig.enterpriseId,\n      },\n    );\n    if (enterprise === null) {\n      throw new AuthError(\n        \"INVALID_PARAMETERS\",\n        \"Enterprise not found.\",\n      ).toConvexError();\n    }\n    return { scimConfig, enterprise, parsedPath };\n  };\n\n  let auth: any;\n  auth = {\n    ...createCoreDomains({\n      config,\n      getAuth: () => auth,\n      callInvalidateSessions,\n      callCreateAccountFromCredentials,\n      callRetrieveAccountWithCredentials,\n      callModifyAccount,\n      getEnrichCtx: () => enrichCtx,\n      inviteTokenAlphabet: INVITE_TOKEN_ALPHABET,\n      inviteTokenLength: INVITE_TOKEN_LENGTH,\n    }),\n    /**\n     * SSO namespace — enterprise SSO connection management, domain, OIDC,\n     * SAML, SCIM, audit, and webhook helpers.\n     */\n    sso: createEnterpriseDomain({\n      config,\n      getAuth: () => auth,\n      normalizeEnterprisePolicy,\n      normalizeDomain,\n      getEnterpriseSecret,\n      loadEnterpriseOrThrow,\n      validateEnterprisePolicy,\n      recordEnterpriseAuditEvent,\n      emitEnterpriseWebhookDeliveries,\n      enterpriseNotFoundError,\n      ENTERPRISE_OIDC_CLIENT_SECRET_KIND,\n      requireEnv,\n      generateRandomString,\n      INVITE_TOKEN_ALPHABET,\n      sha256,\n      encryptSecret,\n      upsertProtocolConfig,\n      parseSamlIdpMetadata,\n      createServiceProviderMetadata,\n      getSamlServiceProviderOptions,\n      getPublicOidcConfig,\n      withOidcSecretState,\n      getOidcConfig,\n      getEnterpriseOidcUrls,\n      enterpriseOidcProviderId,\n      getPolicyFromEnterprise,\n      patchEnterprisePolicy,\n    }),\n    // HTTP wiring stays local to the factory because it still depends on a\n    // dense mix of OAuth, SAML, SCIM, cookie, and response helpers.\n    http: {\n      /**\n       * Register core HTTP routes for JWT verification and OAuth sign-in.\n       *\n       * ```ts\n       * import { httpRouter } from \"convex/server\";\n       * import { auth } from \"./auth\";\n       *\n       * const http = httpRouter();\n       *\n       * auth.http.add(http);\n       *\n       * export default http;\n       * ```\n       *\n       * The following routes are handled always:\n       *\n       * - `/.well-known/openid-configuration`\n       * - `/.well-known/jwks.json`\n       *\n       * The following routes are handled if OAuth is configured:\n       *\n       * - `/api/auth/signin/*`\n       * - `/api/auth/callback/*`\n       *\n       * @param http your HTTP router\n       */\n      add: (http: HttpRouter) => {\n        addOpenIdRoutes(http, {\n          getIssuer: () => requireEnv(\"CONVEX_SITE_URL\"),\n          getJwks: () => requireEnv(\"JWKS\"),\n        });\n\n        addEnterpriseHttpRuntime({\n          http,\n          hasSSO,\n          auth,\n          config,\n          routeBase: ENTERPRISE_CONTROL_ROUTE_BASE,\n          requireEnv,\n          loadActiveEnterpriseSamlOrThrow,\n          loadEnterpriseOidcOrThrow,\n          getEnterpriseScimContext,\n          getPolicyFromEnterprise,\n          normalizeEnterprisePolicy,\n          recordEnterpriseAuditEvent,\n          emitEnterpriseWebhookDeliveries,\n          generateRandomString,\n          inviteTokenAlphabet: INVITE_TOKEN_ALPHABET,\n          callUserOAuth,\n          callVerifierSignature,\n        });\n\n        if (hasOAuth) {\n          addAuthRoutes(http, {\n            handleSignIn: convertErrorsToResponse(400, async (ctx, request) => {\n              const url = new URL(request.url);\n              const pathParts = url.pathname.split(\"/\");\n              const providerId = pathParts.at(-1)!;\n              if (providerId === null) {\n                throw new AuthError(\"OAUTH_MISSING_PROVIDER\").toConvexError();\n              }\n              const verifier = url.searchParams.get(\"code\");\n              if (verifier === null) {\n                throw new AuthError(\"OAUTH_MISSING_VERIFIER\").toConvexError();\n              }\n              const provider = getProviderOrThrow(providerId);\n\n              const oauthConfig = provider as OAuthMaterializedConfig;\n              const { redirect, cookies, signature } =\n                await createOAuthAuthorizationURL(\n                  providerId,\n                  oauthConfig.provider,\n                  oauthConfig,\n                );\n\n              await callVerifierSignature(ctx, {\n                verifier,\n                signature,\n              });\n\n              const redirectTo = url.searchParams.get(\"redirectTo\");\n              if (redirectTo !== null) {\n                cookies.push(redirectToParamCookie(providerId, redirectTo));\n              }\n\n              const headers = new Headers({ Location: redirect });\n              for (const { name, value, options } of cookies) {\n                headers.append(\n                  \"Set-Cookie\",\n                  serializeCookie(name, value, options as any),\n                );\n              }\n\n              return new Response(null, { status: 302, headers });\n            }),\n            handleCallback: async (ctx, request) => {\n              const url = new URL(request.url);\n              const providerId = new URL(request.url).pathname\n                .split(\"/\")\n                .at(-1);\n              if (!providerId) {\n                throw new AuthError(\"OAUTH_MISSING_PROVIDER\").toConvexError();\n              }\n              logWithLevel(\n                LOG_LEVELS.DEBUG,\n                \"Handling OAuth callback for provider:\",\n                providerId,\n              );\n              const provider = getProviderOrThrow(providerId);\n\n              const cookies = getCookies(request);\n\n              const maybeRedirectTo = useRedirectToParam(provider.id, cookies);\n\n              const destinationUrl = await redirectAbsoluteUrl(config, {\n                redirectTo: maybeRedirectTo?.redirectTo,\n              });\n\n              const params = url.searchParams;\n\n              if (\n                request.headers.get(\"Content-Type\") ===\n                \"application/x-www-form-urlencoded\"\n              ) {\n                const formData = await request.formData();\n                formData.forEach((value, key) => {\n                  if (typeof value === \"string\") {\n                    params.append(key, value);\n                  }\n                });\n              }\n\n              return Fx.run(\n                Fx.from({\n                  ok: async () => {\n                    const oauthConfig = provider as OAuthMaterializedConfig;\n                    const result = await Fx.run(\n                      handleOAuthCallback(\n                        providerId,\n                        oauthConfig.provider,\n                        oauthConfig,\n                        Object.fromEntries(params.entries()),\n                        cookies,\n                      ),\n                    );\n                    const oauthCookies = result.cookies;\n                    const { id: profileId, ...profileData } = result.profile;\n                    const { signature } = result;\n\n                    const verificationCode = await callUserOAuth(ctx, {\n                      provider: providerId,\n                      providerAccountId: profileId,\n                      profile: profileData,\n                      signature,\n                    });\n\n                    const redirUrl = setURLSearchParam(\n                      destinationUrl,\n                      \"code\",\n                      verificationCode,\n                    );\n                    const redirHeaders = new Headers({ Location: redirUrl });\n                    redirHeaders.set(\"Cache-Control\", \"must-revalidate\");\n                    for (const { name, value, options } of [\n                      ...oauthCookies,\n                      ...(maybeRedirectTo !== null\n                        ? [maybeRedirectTo.updatedCookie]\n                        : []),\n                    ] as any) {\n                      redirHeaders.append(\n                        \"Set-Cookie\",\n                        serializeCookie(name, value, options),\n                      );\n                    }\n                    return new Response(null, {\n                      status: 302,\n                      headers: redirHeaders,\n                    });\n                  },\n                  err: (error) => error,\n                }).pipe(\n                  Fx.recover((error) => {\n                    logError(error);\n                    const respHeaders = new Headers({\n                      Location: destinationUrl,\n                    });\n                    for (const { name, value, options } of maybeRedirectTo !==\n                    null\n                      ? [maybeRedirectTo.updatedCookie]\n                      : []) {\n                      respHeaders.append(\n                        \"Set-Cookie\",\n                        serializeCookie(name, value, options),\n                      );\n                    }\n                    return Fx.succeed(\n                      new Response(null, {\n                        status: 302,\n                        headers: respHeaders,\n                      }),\n                    );\n                  }),\n                ),\n              );\n            },\n          });\n        }\n      },\n\n      /**\n       * Wrap an HTTP action handler with Bearer token authentication.\n       *\n       * Extracts the `Authorization: Bearer <key>` header, verifies the\n       * API key via `auth.key.verify()`, and injects `ctx.key` with the\n       * verified key info. Returns structured JSON error responses for\n       * missing/invalid/revoked/expired/rate-limited keys.\n       *\n       * If the handler returns a plain object, it is auto-wrapped in a\n       * `200 JSON` response. If it returns a `Response`, CORS headers\n       * are merged and the response is passed through.\n       *\n       * ```ts\n       * const handler = auth.http.action(async (ctx, request) => {\n       *   const data = await ctx.runQuery(api.data.get, { userId: ctx.key.userId });\n       *   return { data };\n       * });\n       * http.route({ path: \"/api/data\", method: \"GET\", handler });\n       * ```\n       *\n       * @param handler - Receives enriched `ctx` (with `ctx.key`) and the raw `Request`.\n       * @param options.scope - Optional scope check; returns 403 if the key lacks permission.\n       * @param options.cors - CORS config; defaults to permissive (`*`).\n       */\n      action: createHttpAction(auth),\n\n      /**\n       * Register a Bearer-authenticated route **and** its OPTIONS preflight\n       * in a single call.\n       *\n       * ```ts\n       * auth.http.route(http, {\n       *   path: \"/api/messages\",\n       *   method: \"POST\",\n       *   handler: async (ctx, request) => {\n       *     const { body } = await request.json();\n       *     await ctx.runMutation(internal.messages.sendAsUser, {\n       *       userId: ctx.key.userId,\n       *       body,\n       *     });\n       *     return { success: true };\n       *   },\n       * });\n       * ```\n       *\n       * @param http - The Convex HTTP router.\n       * @param routeConfig.path - The URL path to match.\n       * @param routeConfig.method - HTTP method (GET, POST, PUT, PATCH, DELETE).\n       * @param routeConfig.handler - Receives enriched `ctx` (with `ctx.key`) and the raw `Request`.\n       * @param routeConfig.scope - Optional scope check; returns 403 if the key lacks permission.\n       * @param routeConfig.cors - CORS config; defaults to permissive (`*`).\n       */\n      route: createHttpRoute(createHttpAction(auth)),\n    },\n  };\n\n  const enrichCtx = <DataModel extends GenericDataModel>(\n    ctx: GenericActionCtx<DataModel>,\n  ) => ({\n    ...ctx,\n    auth: {\n      ...ctx.auth,\n      config,\n      account: auth.account,\n      session: auth.session,\n      member: auth.member,\n      provider: auth.provider,\n    },\n  });\n\n  return {\n    /**\n     * Helper for configuring HTTP actions.\n     */\n    auth,\n    /**\n     * Action called by the client to sign the user in.\n     *\n     * Also used for refreshing the session.\n     */\n    signIn: actionGeneric({\n      args: {\n        provider: v.optional(v.string()),\n        params: v.optional(v.any()),\n        verifier: v.optional(v.string()),\n        refreshToken: v.optional(v.string()),\n        calledBy: v.optional(v.string()),\n      },\n      handler: async (ctx, args): Promise<SignInActionResult> => {\n        if (args.calledBy !== undefined) {\n          logWithLevel(\"INFO\", `\\`auth:signIn\\` called by ${args.calledBy}`);\n        }\n        const provider =\n          args.provider !== undefined\n            ? getProviderOrThrow(args.provider)\n            : null;\n        const result = await signInImpl(enrichCtx(ctx), provider, args, {\n          generateTokens: true,\n          allowExtraProviders: false,\n        });\n        return Fx.run(\n          Fx.match(result, result.kind, {\n            redirect: (r) =>\n              Fx.succeed({\n                kind: \"redirect\" as const,\n                redirect: r.redirect,\n                verifier: r.verifier,\n              }),\n            signedIn: (r) =>\n              Fx.succeed({\n                kind: \"signedIn\" as const,\n                tokens: r.signedIn?.tokens ?? null,\n              }),\n            refreshTokens: (r) =>\n              Fx.succeed({\n                kind: \"signedIn\" as const,\n                tokens: r.signedIn?.tokens ?? null,\n              }),\n            started: () => Fx.succeed({ kind: \"started\" as const }),\n            passkeyOptions: (r) =>\n              Fx.succeed({\n                kind: \"passkeyOptions\" as const,\n                options: r.options,\n                verifier: r.verifier,\n              }),\n            totpRequired: (r) =>\n              Fx.succeed({\n                kind: \"totpRequired\" as const,\n                verifier: r.verifier,\n              }),\n            totpSetup: (r) =>\n              Fx.succeed({\n                kind: \"totpSetup\" as const,\n                totpSetup: {\n                  uri: r.uri,\n                  secret: r.secret,\n                  totpId: r.totpId,\n                },\n                verifier: r.verifier,\n              }),\n            deviceCode: (r) =>\n              Fx.succeed({\n                kind: \"deviceCode\" as const,\n                deviceCode: {\n                  deviceCode: r.deviceCode,\n                  userCode: r.userCode,\n                  verificationUri: r.verificationUri,\n                  verificationUriComplete: r.verificationUriComplete,\n                  expiresIn: r.expiresIn,\n                  interval: r.interval,\n                },\n              }),\n          }),\n        );\n      },\n    }),\n    /**\n     * Action called by the client to invalidate the current session.\n     */\n    signOut: actionGeneric({\n      args: {},\n      handler: async (ctx) => {\n        await callSignOut(ctx);\n      },\n    }),\n\n    /**\n     * Internal mutation used by the library to read and write\n     * to the database during signin and signout.\n     */\n    store: internalMutationGeneric({\n      args: storeArgs,\n      handler: async (ctx: MutationCtx, args) => {\n        return storeImpl(ctx, args, getProviderOrThrow, config);\n      },\n    }),\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkFA,MAAM,qCAAqC;;;;;;;;;;;;;;;;;;;AAmE3C,SAAgB,KAAK,SAA2B;CAC9C,MAAM,SAAS,eAAe,QAAQ;CACtC,MAAM,WAAW,OAAO,UAAU,MAC/B,aAAa,SAAS,SAAS,QACjC;CACD,MAAM,SAAS,OAAO,UAAU,MAAM,aAAa,SAAS,SAAS,MAAM;CAC3E,MAAM,sBACJ,IACA,sBAA+B,UAC5B;EACH,MAAM,WACJ,OAAO,UAAU,MACd,uBAAuB,mBAAmB,OAAO,GACnD,KACA,sBACG,OAAO,eAAe,MACnB,uBAAuB,mBAAmB,OAAO,GACnD,GACD;AACN,MAAI,aAAa,QAAW;GAC1B,MAAM,SACJ,cAAc,GAAG,gDACU,uBAAuB,QAAQ,oBAAoB,CAAC;AACjF,gBAAa,WAAW,OAAO,OAAO;AACtC,SAAM,IAAI,UAAU,2BAA2B,QAAQ,EACrD,UAAU,IACX,CAAC,CAAC,eAAe;;AAEpB,SAAO;;CAOT,MAAM,sBAAsB,OAC1B,KACA,cACA,SACG;AACH,SAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,qBAAqB;GACrE;GACA;GACD,CAAC;;CAEJ,MAAM,oCAAoC,OACxC,KACA,eACiC;EACjC,MAAM,OAAO,cAAc,WAAW,OAAO;EAC7C,MAAM,SAAS,MAAM,oBACnB,KACA,WAAW,KACX,mCACD;AACD,SAAO;GACL,GAAG;GACH,GAAI,SACA,EAAE,cAAc,MAAM,cAAc,OAAO,WAAW,EAAE,GACxD,EAAE;GACP;;CAEH,MAAM,wBACJ;CACF,MAAM,sBAAsB;CAE5B,MAAM,0BAA0B;CAEhC,MAAM,gCAAgC;CAEtC,MAAM,2BAA2B,eAC/B,0BAA0B,WAAW,OAAO;CAE9C,MAAM,wBAAwB,OAC5B,KACA,iBACG;EACH,MAAM,aAAa,MAAM,IAAI,SAC3B,OAAO,UAAU,OAAO,eACxB,EACE,cACD,CACF;AACD,MAAI,CAAC,WACH,OAAM,IAAI,UACR,sBACA,wBACD,CAAC,eAAe;AAEnB,SAAO;;CAGT,MAAM,8BAA8B,OAClC,KACA,iBACG;EACH,MAAM,aAAa,MAAM,sBAAsB,KAAK,aAAa;AACjE,MAAI,WAAW,WAAW,SACxB,OAAM,IAAI,UACR,sBACA,uCACD,CAAC,eAAe;AAEnB,SAAO;;CAGT,MAAM,kCAAkC,OACtC,KACA,iBACG;EACH,MAAM,aAAa,MAAM,sBAAsB,KAAK,aAAa;EACjE,MAAM,SAAS;GACb,QAAQ;IACN,MAAM;IACN,IAAI;IACL;GACD,QAAQ,WAAW;GACnB,QAAQ,WAAW;GACnB;GACD;AACD,MAAI,CAAC,6BAA6B,OAAO,CACvC,OAAM,IAAI,UACR,sBACA,uCACD,CAAC,eAAe;EAEnB,MAAM,OAAO,cAAc,OAAO,OAAO;AACzC,MAAI,CAAC,KAAK,KAAK,YACb,OAAM,IAAI,UACR,2BACA,8CACD,CAAC,eAAe;AAEnB,SAAO;GAAE;GAAQ;GAAY;GAAM;;CAGrC,MAAM,4BAA4B,OAChC,KACA,iBACG;EACH,MAAM,aAAa,MAAM,4BAA4B,KAAK,aAAa;EACvE,MAAM,OAAO,MAAM,kCAAkC,KAAK,WAAW;AACrE,MAAI,KAAK,YAAY,KACnB,OAAM,IAAI,UACR,2BACA,8CACD,CAAC,eAAe;AAEnB,SAAO;GAAE;GAAY;GAAM;;CAG7B,MAAM,4BACJ,WACG;EACH,MAAM,SAID,EAAE;AAEP,SAAO,KAAK;GAAE,MAAM;GAAkB,IAAI,OAAO,YAAY;GAAG,CAAC;AACjE,SAAO,KAAK;GACV,MAAM;GACN,IACE,OAAO,aAAa,IAAI,SAAS,6BACjC,OAAO,aAAa,IAAI,eAAe,SAAS;GAClD,SACE,OAAO,aAAa,IAAI,SAAS,6BACjC,OAAO,aAAa,IAAI,eAAe,WAAW,IAC9C,yFACA;GACP,CAAC;AACF,SAAO,KAAK;GACV,MAAM;GACN,IAAI,OAAO,aAAa,IAAI,eAAe,OACxC,WAAW,OAAO,cAAc,MAAM,YAAY,OACpD;GACD,SAAS,OAAO,aAAa,IAAI,eAAe,OAC7C,WAAW,OAAO,cAAc,MAAM,YAAY,OACpD,GACG,SACA;GACL,CAAC;AACF,SAAO,KAAK;GACV,MAAM;GACN,IACE,OAAO,aAAa,UAAU,SAAS,gBACvC,OAAO,aAAa,UAAU,SAAS;GAC1C,CAAC;AAEF,SAAO;;CAGT,MAAM,6BAA6B,OACjC,KACA,SAaG;EACH,MAAM,EAAE,IAAI,GAAG,SAAS;AACxB,SAAQ,MAAM,IAAI,YAChB,OAAO,UAAU,OAAO,4BACxB;GACE,GAAG;GACH,QAAQ,KAAK,YAAY;GACzB,YAAY,KAAK,KAAK;GACvB,CACF;;CAGH,MAAM,kCAAkC,OACtC,KACA,SAMG;EACH,MAAM,YAAY,MAAM,IAAI,SAC1B,OAAO,UAAU,OAAO,+BACxB,EAAE,cAAc,KAAK,cAAc,CACpC;AACD,OAAK,MAAM,YAAY,WAAW;AAChC,OACE,SAAS,WAAW,YACpB,CAAC,SAAS,cAAc,SAAS,KAAK,UAAU,CAEhD;AAEF,SAAM,IAAI,YACR,OAAO,UAAU,OAAO,kCACxB;IACE,cAAc,KAAK;IACnB,YAAY,SAAS;IACrB,cAAc,KAAK;IACnB,WAAW,KAAK;IAChB,SAAS,KAAK;IACd,eAAe,KAAK,KAAK;IAC1B,CACF;;;CAIL,MAAM,2BAA2B,OAC/B,KACA,YACG;EACH,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,MAAI,CAAC,YAAY,WAAW,UAAU,CACpC,OAAM,IAAI,UAAU,uBAAuB,CAAC,eAAe;EAE7D,MAAM,QAAQ,WAAW,MAAM,EAAE;EACjC,MAAM,aAAa,MAAM,IAAI,SAC3B,OAAO,UAAU,OAAO,oCACxB,EAAE,WAAW,MAAM,OAAO,MAAM,EAAE,CACnC;AACD,MAAI,CAAC,cAAc,WAAW,WAAW,SACvC,OAAM,IAAI,UACR,mBACA,sBACD,CAAC,eAAe;EAEnB,MAAM,aAAa,cAAc,IAAI,IAAI,QAAQ,IAAI,CAAC,SAAS;AAC/D,MAAI,WAAW,iBAAiB,WAAW,aACzC,OAAM,IAAI,UACR,mBACA,8BACD,CAAC,eAAe;EAEnB,MAAM,aAAa,MAAM,IAAI,SAC3B,OAAO,UAAU,OAAO,eACxB,EACE,cAAc,WAAW,cAC1B,CACF;AACD,MAAI,eAAe,KACjB,OAAM,IAAI,UACR,sBACA,wBACD,CAAC,eAAe;AAEnB,SAAO;GAAE;GAAY;GAAY;GAAY;;CAG/C,IAAI;AACJ,QAAO;EACL,GAAG,kBAAkB;GACnB;GACA,eAAe;GACf;GACA;GACA;GACA;GACA,oBAAoB;GACpB,qBAAqB;GACrB,mBAAmB;GACpB,CAAC;EAKF,KAAK,uBAAuB;GAC1B;GACA,eAAe;GACf;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACD,CAAC;EAGF,MAAM;GA2BJ,MAAM,SAAqB;AACzB,oBAAgB,MAAM;KACpB,iBAAiB,WAAW,kBAAkB;KAC9C,eAAe,WAAW,OAAO;KAClC,CAAC;AAEF,6BAAyB;KACvB;KACA;KACA;KACA;KACA,WAAW;KACX;KACA;KACA;KACA;KACA;KACA;KACA;KACA;KACA;KACA,qBAAqB;KACrB;KACA;KACD,CAAC;AAEF,QAAI,SACF,eAAc,MAAM;KAClB,cAAc,wBAAwB,KAAK,OAAO,KAAK,YAAY;MACjE,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;MAEhC,MAAM,aADY,IAAI,SAAS,MAAM,IAAI,CACZ,GAAG,GAAG;AACnC,UAAI,eAAe,KACjB,OAAM,IAAI,UAAU,yBAAyB,CAAC,eAAe;MAE/D,MAAM,WAAW,IAAI,aAAa,IAAI,OAAO;AAC7C,UAAI,aAAa,KACf,OAAM,IAAI,UAAU,yBAAyB,CAAC,eAAe;MAI/D,MAAM,cAFW,mBAAmB,WAAW;MAG/C,MAAM,EAAE,UAAU,SAAS,cACzB,MAAM,4BACJ,YACA,YAAY,UACZ,YACD;AAEH,YAAM,sBAAsB,KAAK;OAC/B;OACA;OACD,CAAC;MAEF,MAAM,aAAa,IAAI,aAAa,IAAI,aAAa;AACrD,UAAI,eAAe,KACjB,SAAQ,KAAK,sBAAsB,YAAY,WAAW,CAAC;MAG7D,MAAM,UAAU,IAAI,QAAQ,EAAE,UAAU,UAAU,CAAC;AACnD,WAAK,MAAM,EAAE,MAAM,OAAO,aAAa,QACrC,SAAQ,OACN,cACAA,UAAgB,MAAM,OAAO,QAAe,CAC7C;AAGH,aAAO,IAAI,SAAS,MAAM;OAAE,QAAQ;OAAK;OAAS,CAAC;OACnD;KACF,gBAAgB,OAAO,KAAK,YAAY;MACtC,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;MAChC,MAAM,aAAa,IAAI,IAAI,QAAQ,IAAI,CAAC,SACrC,MAAM,IAAI,CACV,GAAG,GAAG;AACT,UAAI,CAAC,WACH,OAAM,IAAI,UAAU,yBAAyB,CAAC,eAAe;AAE/D,mBACE,WAAW,OACX,yCACA,WACD;MACD,MAAM,WAAW,mBAAmB,WAAW;MAE/C,MAAM,UAAU,WAAW,QAAQ;MAEnC,MAAM,kBAAkB,mBAAmB,SAAS,IAAI,QAAQ;MAEhE,MAAM,iBAAiB,MAAM,oBAAoB,QAAQ,EACvD,YAAY,iBAAiB,YAC9B,CAAC;MAEF,MAAM,SAAS,IAAI;AAEnB,UACE,QAAQ,QAAQ,IAAI,eAAe,KACnC,oCAGA,EADiB,MAAM,QAAQ,UAAU,EAChC,SAAS,OAAO,QAAQ;AAC/B,WAAI,OAAO,UAAU,SACnB,QAAO,OAAO,KAAK,MAAM;QAE3B;AAGJ,aAAO,GAAG,IACR,GAAG,KAAK;OACN,IAAI,YAAY;QACd,MAAM,cAAc;QACpB,MAAM,SAAS,MAAM,GAAG,IACtB,oBACE,YACA,YAAY,UACZ,aACA,OAAO,YAAY,OAAO,SAAS,CAAC,EACpC,QACD,CACF;QACD,MAAM,eAAe,OAAO;QAC5B,MAAM,EAAE,IAAI,WAAW,GAAG,gBAAgB,OAAO;QACjD,MAAM,EAAE,cAAc;QAStB,MAAM,WAAW,kBACf,gBACA,QATuB,MAAM,cAAc,KAAK;SAChD,UAAU;SACV,mBAAmB;SACnB,SAAS;SACT;SACD,CAAC,CAMD;QACD,MAAM,eAAe,IAAI,QAAQ,EAAE,UAAU,UAAU,CAAC;AACxD,qBAAa,IAAI,iBAAiB,kBAAkB;AACpD,aAAK,MAAM,EAAE,MAAM,OAAO,aAAa,CACrC,GAAG,cACH,GAAI,oBAAoB,OACpB,CAAC,gBAAgB,cAAc,GAC/B,EAAE,CACP,CACC,cAAa,OACX,cACAA,UAAgB,MAAM,OAAO,QAAQ,CACtC;AAEH,eAAO,IAAI,SAAS,MAAM;SACxB,QAAQ;SACR,SAAS;SACV,CAAC;;OAEJ,MAAM,UAAU;OACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAU;AACpB,gBAAS,MAAM;OACf,MAAM,cAAc,IAAI,QAAQ,EAC9B,UAAU,gBACX,CAAC;AACF,YAAK,MAAM,EAAE,MAAM,OAAO,aAAa,oBACvC,OACI,CAAC,gBAAgB,cAAc,GAC/B,EAAE,CACJ,aAAY,OACV,cACAA,UAAgB,MAAM,OAAO,QAAQ,CACtC;AAEH,cAAO,GAAG,QACR,IAAI,SAAS,MAAM;QACjB,QAAQ;QACR,SAAS;QACV,CAAC,CACH;QACD,CACH,CACF;;KAEJ,CAAC;;GA4BN,QAAQ,iBAAiB,KAAK;GA4B9B,OAAO,gBAAgB,iBAAiB,KAAK,CAAC;GAC/C;EACF;CAED,MAAM,aACJ,SACI;EACJ,GAAG;EACH,MAAM;GACJ,GAAG,IAAI;GACP;GACA,SAAS,KAAK;GACd,SAAS,KAAK;GACd,QAAQ,KAAK;GACb,UAAU,KAAK;GAChB;EACF;AAED,QAAO;EAIL;EAMA,QAAQ,cAAc;GACpB,MAAM;IACJ,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;IAChC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;IAC3B,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;IAChC,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;IACpC,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;IACjC;GACD,SAAS,OAAO,KAAK,SAAsC;AACzD,QAAI,KAAK,aAAa,OACpB,cAAa,QAAQ,6BAA6B,KAAK,WAAW;IAEpE,MAAM,WACJ,KAAK,aAAa,SACd,mBAAmB,KAAK,SAAS,GACjC;IACN,MAAM,SAAS,MAAM,WAAW,UAAU,IAAI,EAAE,UAAU,MAAM;KAC9D,gBAAgB;KAChB,qBAAqB;KACtB,CAAC;AACF,WAAO,GAAG,IACR,GAAG,MAAM,QAAQ,OAAO,MAAM;KAC5B,WAAW,MACT,GAAG,QAAQ;MACT,MAAM;MACN,UAAU,EAAE;MACZ,UAAU,EAAE;MACb,CAAC;KACJ,WAAW,MACT,GAAG,QAAQ;MACT,MAAM;MACN,QAAQ,EAAE,UAAU,UAAU;MAC/B,CAAC;KACJ,gBAAgB,MACd,GAAG,QAAQ;MACT,MAAM;MACN,QAAQ,EAAE,UAAU,UAAU;MAC/B,CAAC;KACJ,eAAe,GAAG,QAAQ,EAAE,MAAM,WAAoB,CAAC;KACvD,iBAAiB,MACf,GAAG,QAAQ;MACT,MAAM;MACN,SAAS,EAAE;MACX,UAAU,EAAE;MACb,CAAC;KACJ,eAAe,MACb,GAAG,QAAQ;MACT,MAAM;MACN,UAAU,EAAE;MACb,CAAC;KACJ,YAAY,MACV,GAAG,QAAQ;MACT,MAAM;MACN,WAAW;OACT,KAAK,EAAE;OACP,QAAQ,EAAE;OACV,QAAQ,EAAE;OACX;MACD,UAAU,EAAE;MACb,CAAC;KACJ,aAAa,MACX,GAAG,QAAQ;MACT,MAAM;MACN,YAAY;OACV,YAAY,EAAE;OACd,UAAU,EAAE;OACZ,iBAAiB,EAAE;OACnB,yBAAyB,EAAE;OAC3B,WAAW,EAAE;OACb,UAAU,EAAE;OACb;MACF,CAAC;KACL,CAAC,CACH;;GAEJ,CAAC;EAIF,SAAS,cAAc;GACrB,MAAM,EAAE;GACR,SAAS,OAAO,QAAQ;AACtB,UAAM,YAAY,IAAI;;GAEzB,CAAC;EAMF,OAAO,wBAAwB;GAC7B,MAAM;GACN,SAAS,OAAO,KAAkB,SAAS;AACzC,WAAO,UAAU,KAAK,MAAM,oBAAoB,OAAO;;GAE1D,CAAC;EACH"}
+{"version":3,"file":"runtime.js","names":["serializeCookie"],"sources":["../../src/server/runtime.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport {\n  GenericActionCtx,\n  GenericDataModel,\n  HttpRouter,\n  actionGeneric,\n  internalMutationGeneric,\n} from \"convex/server\";\nimport { v } from \"convex/values\";\nimport { serialize as serializeCookie } from \"cookie\";\n\nimport { configDefaults, listAvailableProviders } from \"./config\";\nimport { redirectToParamCookie, useRedirectToParam } from \"./cookies\";\nimport { createCoreDomains } from \"./core\";\nimport { GetProviderOrThrowFunc } from \"./crypto\";\nimport {\n  getOidcConfig,\n  getPublicOidcConfig,\n  getSamlConfig,\n  upsertProtocolConfig,\n  withOidcSecretState,\n} from \"./enterprise/config\";\nimport { createEnterpriseDomain } from \"./enterprise/domain\";\nimport { addEnterpriseHttpRuntime } from \"./enterprise/http\";\nimport {\n  normalizeEnterprisePolicy,\n  patchEnterprisePolicy,\n} from \"./enterprise/policy\";\nimport {\n  createServiceProviderMetadata,\n  getSamlServiceProviderOptions,\n  parseSamlIdpMetadata,\n} from \"./enterprise/saml\";\nimport { parseScimPath } from \"./enterprise/scim\";\nimport {\n  enterpriseOidcProviderId,\n  getEnterpriseOidcUrls,\n  isEnterpriseSamlSourceActive,\n  normalizeDomain,\n} from \"./enterprise/shared\";\nimport {\n  addAuthRoutes,\n  addOpenIdRoutes,\n  convertErrorsToResponse,\n  createHttpAction,\n  createHttpRoute,\n  getCookies,\n} from \"./http\";\nimport {\n  callCreateAccountFromCredentials,\n  callInvalidateSessions,\n  callModifyAccount,\n  callRetrieveAccountWithCredentials,\n  callSignOut,\n  callUserOAuth,\n  callVerifierSignature,\n  storeArgs,\n  storeImpl,\n} from \"./mutations/index\";\nimport { createOAuthAuthorizationURL, handleOAuthCallback } from \"./oauth\";\nimport { redirectAbsoluteUrl, setURLSearchParam } from \"./redirects\";\nimport { signInImpl } from \"./signin\";\nimport type {\n  ConvexAuthConfig,\n  FunctionReferenceFromExport,\n  OAuthMaterializedConfig,\n  Tokens,\n} from \"./types\";\nimport { MutationCtx } from \"./types\";\nimport {\n  decryptSecret,\n  encryptSecret,\n  generateRandomString,\n  LOG_LEVELS,\n  logError,\n  logWithLevel,\n  sha256,\n} from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\nconst ENTERPRISE_OIDC_CLIENT_SECRET_KIND = \"oidc_client_secret\" as const;\n\n/**\n * The type of the signIn Convex Action returned from the auth() helper.\n *\n * This type is exported for implementors of other client integrations.\n * However it is not stable, and may change until this library reaches 1.0.\n *\n * @internal\n */\nexport type SignInAction = FunctionReferenceFromExport<\n  ReturnType<typeof Auth>[\"signIn\"]\n>;\n\n/** @internal */\nexport type SignInActionResult =\n  | { kind: \"signedIn\"; tokens: Tokens | null }\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n  | { kind: \"started\" }\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n  | { kind: \"totpRequired\"; verifier: string }\n  | {\n      kind: \"totpSetup\";\n      totpSetup: { uri: string; secret: string; totpId: string };\n      verifier: string;\n    }\n  | {\n      kind: \"deviceCode\";\n      deviceCode: {\n        deviceCode: string;\n        userCode: string;\n        verificationUri: string;\n        verificationUriComplete: string;\n        expiresIn: number;\n        interval: number;\n      };\n    };\n/**\n * The type of the signOut Convex Action returned from the auth() helper.\n *\n * This type is exported for implementors of other client integrations.\n * However it is not stable, and may change until this library reaches 1.0.\n *\n * @internal\n */\nexport type SignOutAction = FunctionReferenceFromExport<\n  ReturnType<typeof Auth>[\"signOut\"]\n>;\n\n/**\n * Configure the Convex Auth library. Returns an object with\n * functions and `auth` helper. You must export the functions\n * from `convex/auth.ts` to make them callable:\n *\n * ```ts filename=\"convex/auth.ts\"\n * import { createAuth } from \"@robelest/convex-auth/component\";\n * import { components } from \"./_generated/api\";\n *\n * export const auth = createAuth(components.auth, {\n *   providers: [],\n * });\n * export const { signIn, signOut, store } = auth;\n * ```\n *\n * @returns An object with fields you should reexport from your\n *          `convex/auth.ts` file.\n */\nexport function Auth(config_: ConvexAuthConfig) {\n  const config = configDefaults(config_);\n  const hasOAuth = config.providers.some(\n    (provider) => provider.type === \"oauth\",\n  );\n  const hasSSO = config.providers.some((provider) => provider.type === \"sso\");\n  const getProviderOrThrow: GetProviderOrThrowFunc = (\n    id: string,\n    allowExtraProviders: boolean = false,\n  ) => {\n    const provider =\n      config.providers.find(\n        (configuredProvider) => configuredProvider.id === id,\n      ) ??\n      (allowExtraProviders\n        ? config.extraProviders.find(\n            (configuredProvider) => configuredProvider.id === id,\n          )\n        : undefined);\n    if (provider === undefined) {\n      const detail =\n        `Provider \\`${id}\\` is not configured, ` +\n        `available providers are ${listAvailableProviders(config, allowExtraProviders)}.`;\n      logWithLevel(LOG_LEVELS.ERROR, detail);\n      throw Cv.error({\n        code: \"PROVIDER_NOT_CONFIGURED\",\n        message: detail,\n        provider: id,\n      });\n    }\n    return provider;\n  };\n  type ComponentCtx = Pick<\n    GenericActionCtx<GenericDataModel>,\n    \"runQuery\" | \"runMutation\"\n  >;\n  type ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, \"runQuery\">;\n  const getEnterpriseSecret = async (\n    ctx: ComponentReadCtx | ComponentCtx,\n    enterpriseId: string,\n    kind: typeof ENTERPRISE_OIDC_CLIENT_SECRET_KIND,\n  ) => {\n    return await ctx.runQuery(config.component.public.enterpriseSecretGet, {\n      enterpriseId,\n      kind,\n    });\n  };\n  const getEnterpriseOidcConfigWithSecret = async (\n    ctx: ComponentReadCtx | ComponentCtx,\n    enterprise: { _id: string; config?: unknown },\n  ): Promise<Record<string, any>> => {\n    const oidc = getOidcConfig(enterprise.config);\n    const secret = await getEnterpriseSecret(\n      ctx,\n      enterprise._id,\n      ENTERPRISE_OIDC_CLIENT_SECRET_KIND,\n    );\n    return {\n      ...oidc,\n      ...(secret\n        ? { clientSecret: await decryptSecret(secret.ciphertext) }\n        : {}),\n    };\n  };\n  const INVITE_TOKEN_ALPHABET =\n    \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\";\n  const INVITE_TOKEN_LENGTH = 48;\n\n  const enterpriseNotFoundError = \"Enterprise not found.\";\n\n  const ENTERPRISE_CONTROL_ROUTE_BASE = \"/api/auth/sso\";\n\n  const getPolicyFromEnterprise = (enterprise: { policy?: unknown }) =>\n    normalizeEnterprisePolicy(enterprise.policy);\n\n  const loadEnterpriseOrThrow = async (\n    ctx: ComponentReadCtx,\n    enterpriseId: string,\n  ) => {\n    const enterprise = await ctx.runQuery(\n      config.component.public.enterpriseGet,\n      {\n        enterpriseId,\n      },\n    );\n    if (!enterprise) {\n      throw Cv.error({\n        code: \"INVALID_PARAMETERS\",\n        message: enterpriseNotFoundError,\n      });\n    }\n    return enterprise;\n  };\n\n  const loadActiveEnterpriseOrThrow = async (\n    ctx: ComponentReadCtx,\n    enterpriseId: string,\n  ) => {\n    const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);\n    if (enterprise.status !== \"active\") {\n      throw Cv.error({\n        code: \"INVALID_PARAMETERS\",\n        message: \"Enterprise connection is not active.\",\n      });\n    }\n    return enterprise;\n  };\n\n  const loadActiveEnterpriseSamlOrThrow = async (\n    ctx: ComponentReadCtx,\n    enterpriseId: string,\n  ) => {\n    const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);\n    const loaded = {\n      source: {\n        kind: \"enterprise\" as const,\n        id: enterpriseId,\n      },\n      config: enterprise.config,\n      status: enterprise.status,\n      enterprise,\n    };\n    if (!isEnterpriseSamlSourceActive(loaded)) {\n      throw Cv.error({\n        code: \"INVALID_PARAMETERS\",\n        message: \"Enterprise connection is not active.\",\n      });\n    }\n    const saml = getSamlConfig(loaded.config);\n    if (!saml.idp?.metadataXml) {\n      throw Cv.error({\n        code: \"PROVIDER_NOT_CONFIGURED\",\n        message: \"SAML is not configured for this enterprise.\",\n      });\n    }\n    return { loaded, enterprise, saml };\n  };\n\n  const loadEnterpriseOidcOrThrow = async (\n    ctx: ComponentReadCtx,\n    enterpriseId: string,\n  ) => {\n    const enterprise = await loadActiveEnterpriseOrThrow(ctx, enterpriseId);\n    const oidc = await getEnterpriseOidcConfigWithSecret(ctx, enterprise);\n    if (oidc.enabled !== true) {\n      throw Cv.error({\n        code: \"PROVIDER_NOT_CONFIGURED\",\n        message: \"OIDC is not configured for this enterprise.\",\n      });\n    }\n    return { enterprise, oidc };\n  };\n\n  const validateEnterprisePolicy = (\n    policy: ReturnType<typeof normalizeEnterprisePolicy>,\n  ) => {\n    const checks: Array<{\n      name: string;\n      ok: boolean;\n      message?: string;\n    }> = [];\n\n    checks.push({ name: \"policy_version\", ok: policy.version === 1 });\n    checks.push({\n      name: \"jit_default_role_ids_present\",\n      ok:\n        policy.provisioning.jit.mode !== \"createUserAndMembership\" ||\n        policy.provisioning.jit.defaultRoleIds.length > 0,\n      message:\n        policy.provisioning.jit.mode === \"createUserAndMembership\" &&\n        policy.provisioning.jit.defaultRoleIds.length === 0\n          ? \"At least one default roleId is required when JIT membership provisioning is enabled.\"\n          : undefined,\n    });\n    checks.push({\n      name: \"jit_default_role_ids_known\",\n      ok: policy.provisioning.jit.defaultRoleIds.every(\n        (roleId) => config.authorization.roles[roleId] !== undefined,\n      ),\n      message: policy.provisioning.jit.defaultRoleIds.every(\n        (roleId) => config.authorization.roles[roleId] !== undefined,\n      )\n        ? undefined\n        : \"JIT defaultRoleIds contains unknown roleIds.\",\n    });\n    checks.push({\n      name: \"scim_reuse_supported\",\n      ok:\n        policy.provisioning.scimReuse.user === \"externalId\" ||\n        policy.provisioning.scimReuse.user === \"none\",\n    });\n\n    return checks;\n  };\n\n  const recordEnterpriseAuditEvent = async (\n    ctx: ComponentCtx,\n    data: {\n      enterpriseId: string;\n      groupId: string;\n      eventType: string;\n      actorType: \"user\" | \"system\" | \"scim\" | \"api_key\" | \"webhook\";\n      actorId?: string;\n      subjectType: string;\n      subjectId?: string;\n      ok: boolean;\n      requestId?: string;\n      ip?: string;\n      metadata?: Record<string, unknown>;\n    },\n  ) => {\n    const { ok, ...rest } = data;\n    return (await ctx.runMutation(\n      config.component.public.enterpriseAuditEventCreate,\n      {\n        ...rest,\n        status: ok ? \"success\" : \"failure\",\n        occurredAt: Date.now(),\n      },\n    )) as string;\n  };\n\n  const emitEnterpriseWebhookDeliveries = async (\n    ctx: ComponentCtx,\n    data: {\n      enterpriseId: string;\n      eventType: string;\n      payload: Record<string, unknown>;\n      auditEventId?: string;\n    },\n  ) => {\n    const endpoints = await ctx.runQuery(\n      config.component.public.enterpriseWebhookEndpointList,\n      { enterpriseId: data.enterpriseId },\n    );\n    for (const endpoint of endpoints) {\n      if (\n        endpoint.status !== \"active\" ||\n        !endpoint.subscriptions.includes(data.eventType)\n      ) {\n        continue;\n      }\n      await ctx.runMutation(\n        config.component.public.enterpriseWebhookDeliveryEnqueue,\n        {\n          enterpriseId: data.enterpriseId,\n          endpointId: endpoint._id,\n          auditEventId: data.auditEventId,\n          eventType: data.eventType,\n          payload: data.payload,\n          nextAttemptAt: Date.now(),\n        },\n      );\n    }\n  };\n\n  const getEnterpriseScimContext = async (\n    ctx: ComponentReadCtx,\n    request: Request,\n  ) => {\n    const authHeader = request.headers.get(\"Authorization\");\n    if (!authHeader?.startsWith(\"Bearer \")) {\n      throw Cv.error({\n        code: \"MISSING_BEARER_TOKEN\",\n        message: \"Missing or malformed Authorization: Bearer header.\",\n      });\n    }\n    const token = authHeader.slice(7);\n    const scimConfig = await ctx.runQuery(\n      config.component.public.enterpriseScimConfigGetByTokenHash,\n      { tokenHash: await sha256(token) },\n    );\n    if (!scimConfig || scimConfig.status !== \"active\") {\n      throw Cv.error({\n        code: \"INVALID_API_KEY\",\n        message: \"Invalid SCIM token.\",\n      });\n    }\n    const parsedPath = parseScimPath(new URL(request.url).pathname);\n    if (parsedPath.enterpriseId !== scimConfig.enterpriseId) {\n      throw Cv.error({\n        code: \"INVALID_API_KEY\",\n        message: \"SCIM token/tenant mismatch.\",\n      });\n    }\n    const enterprise = await ctx.runQuery(\n      config.component.public.enterpriseGet,\n      {\n        enterpriseId: scimConfig.enterpriseId,\n      },\n    );\n    if (enterprise === null) {\n      throw Cv.error({\n        code: \"INVALID_PARAMETERS\",\n        message: \"Enterprise not found.\",\n      });\n    }\n    return { scimConfig, enterprise, parsedPath };\n  };\n\n  let auth: any;\n  auth = {\n    ...createCoreDomains({\n      config,\n      getAuth: () => auth,\n      callInvalidateSessions,\n      callCreateAccountFromCredentials,\n      callRetrieveAccountWithCredentials,\n      callModifyAccount,\n      getEnrichCtx: () => enrichCtx,\n      inviteTokenAlphabet: INVITE_TOKEN_ALPHABET,\n      inviteTokenLength: INVITE_TOKEN_LENGTH,\n    }),\n    /**\n     * SSO namespace — enterprise SSO connection management, domain, OIDC,\n     * SAML, SCIM, audit, and webhook helpers.\n     */\n    sso: createEnterpriseDomain({\n      config,\n      getAuth: () => auth,\n      normalizeEnterprisePolicy,\n      normalizeDomain,\n      getEnterpriseSecret,\n      loadEnterpriseOrThrow,\n      validateEnterprisePolicy,\n      recordEnterpriseAuditEvent,\n      emitEnterpriseWebhookDeliveries,\n      enterpriseNotFoundError,\n      ENTERPRISE_OIDC_CLIENT_SECRET_KIND,\n      requireEnv,\n      generateRandomString,\n      INVITE_TOKEN_ALPHABET,\n      sha256,\n      encryptSecret,\n      upsertProtocolConfig,\n      parseSamlIdpMetadata,\n      createServiceProviderMetadata,\n      getSamlServiceProviderOptions,\n      getPublicOidcConfig,\n      withOidcSecretState,\n      getOidcConfig,\n      getEnterpriseOidcUrls,\n      enterpriseOidcProviderId,\n      getPolicyFromEnterprise,\n      patchEnterprisePolicy,\n    }),\n    // HTTP wiring stays local to the factory because it still depends on a\n    // dense mix of OAuth, SAML, SCIM, cookie, and response helpers.\n    http: {\n      /**\n       * Register core HTTP routes for JWT verification and OAuth sign-in.\n       *\n       * ```ts\n       * import { httpRouter } from \"convex/server\";\n       * import { auth } from \"./auth\";\n       *\n       * const http = httpRouter();\n       *\n       * auth.http.add(http);\n       *\n       * export default http;\n       * ```\n       *\n       * The following routes are handled always:\n       *\n       * - `/.well-known/openid-configuration`\n       * - `/.well-known/jwks.json`\n       *\n       * The following routes are handled if OAuth is configured:\n       *\n       * - `/api/auth/signin/*`\n       * - `/api/auth/callback/*`\n       *\n       * @param http your HTTP router\n       */\n      add: (http: HttpRouter) => {\n        addOpenIdRoutes(http, {\n          getIssuer: () => requireEnv(\"CONVEX_SITE_URL\"),\n          getJwks: () => requireEnv(\"JWKS\"),\n        });\n\n        addEnterpriseHttpRuntime({\n          http,\n          hasSSO,\n          auth,\n          config,\n          routeBase: ENTERPRISE_CONTROL_ROUTE_BASE,\n          requireEnv,\n          loadActiveEnterpriseSamlOrThrow,\n          loadEnterpriseOidcOrThrow,\n          getEnterpriseScimContext,\n          getPolicyFromEnterprise,\n          normalizeEnterprisePolicy,\n          recordEnterpriseAuditEvent,\n          emitEnterpriseWebhookDeliveries,\n          generateRandomString,\n          inviteTokenAlphabet: INVITE_TOKEN_ALPHABET,\n          callUserOAuth,\n          callVerifierSignature,\n        });\n\n        if (hasOAuth) {\n          addAuthRoutes(http, {\n            handleSignIn: convertErrorsToResponse(400, async (ctx, request) => {\n              const url = new URL(request.url);\n              const pathParts = url.pathname.split(\"/\");\n              const providerId = pathParts[pathParts.length - 1]!;\n              if (providerId === null) {\n                throw Cv.error({\n                  code: \"OAUTH_MISSING_PROVIDER\",\n                  message: \"Missing OAuth provider ID.\",\n                });\n              }\n              const verifier = url.searchParams.get(\"code\");\n              if (verifier === null) {\n                throw Cv.error({\n                  code: \"OAUTH_MISSING_VERIFIER\",\n                  message: \"Missing sign-in verifier.\",\n                });\n              }\n              const provider = getProviderOrThrow(providerId);\n\n              const oauthConfig = provider as OAuthMaterializedConfig;\n              const { redirect, cookies, signature } =\n                await createOAuthAuthorizationURL(\n                  providerId,\n                  oauthConfig.provider,\n                  oauthConfig,\n                );\n\n              await callVerifierSignature(ctx, {\n                verifier,\n                signature,\n              });\n\n              const redirectTo = url.searchParams.get(\"redirectTo\");\n              if (redirectTo !== null) {\n                cookies.push(redirectToParamCookie(providerId, redirectTo));\n              }\n\n              const headers = new Headers({ Location: redirect });\n              for (const { name, value, options } of cookies) {\n                headers.append(\n                  \"Set-Cookie\",\n                  serializeCookie(name, value, options as any),\n                );\n              }\n\n              return new Response(null, { status: 302, headers });\n            }),\n            handleCallback: async (ctx, request) => {\n              const url = new URL(request.url);\n              const callbackPathParts = new URL(request.url).pathname.split(\n                \"/\",\n              );\n              const providerId =\n                callbackPathParts[callbackPathParts.length - 1];\n              if (!providerId) {\n                throw Cv.error({\n                  code: \"OAUTH_MISSING_PROVIDER\",\n                  message: \"Missing OAuth provider ID.\",\n                });\n              }\n              logWithLevel(\n                LOG_LEVELS.DEBUG,\n                \"Handling OAuth callback for provider:\",\n                providerId,\n              );\n              const provider = getProviderOrThrow(providerId);\n\n              const cookies = getCookies(request);\n\n              const maybeRedirectTo = useRedirectToParam(provider.id, cookies);\n\n              const destinationUrl = await redirectAbsoluteUrl(config, {\n                redirectTo: maybeRedirectTo?.redirectTo,\n              });\n\n              const params = url.searchParams;\n\n              if (\n                request.headers.get(\"Content-Type\") ===\n                \"application/x-www-form-urlencoded\"\n              ) {\n                const formData = await request.formData();\n                formData.forEach((value, key) => {\n                  if (typeof value === \"string\") {\n                    params.append(key, value);\n                  }\n                });\n              }\n\n              return Fx.run(\n                Fx.from({\n                  ok: async () => {\n                    const oauthConfig = provider as OAuthMaterializedConfig;\n                    const result = await Fx.run(\n                      handleOAuthCallback(\n                        providerId,\n                        oauthConfig.provider,\n                        oauthConfig,\n                        Object.fromEntries(params.entries()),\n                        cookies,\n                      ),\n                    );\n                    const oauthCookies = result.cookies;\n                    const { id: profileId, ...profileData } = result.profile;\n                    const { signature } = result;\n\n                    const verificationCode = await callUserOAuth(ctx, {\n                      provider: providerId,\n                      providerAccountId: profileId,\n                      profile: profileData,\n                      signature,\n                    });\n\n                    const redirUrl = setURLSearchParam(\n                      destinationUrl,\n                      \"code\",\n                      verificationCode,\n                    );\n                    const redirHeaders = new Headers({ Location: redirUrl });\n                    redirHeaders.set(\"Cache-Control\", \"must-revalidate\");\n                    for (const { name, value, options } of [\n                      ...oauthCookies,\n                      ...(maybeRedirectTo !== null\n                        ? [maybeRedirectTo.updatedCookie]\n                        : []),\n                    ] as any) {\n                      redirHeaders.append(\n                        \"Set-Cookie\",\n                        serializeCookie(name, value, options),\n                      );\n                    }\n                    return new Response(null, {\n                      status: 302,\n                      headers: redirHeaders,\n                    });\n                  },\n                  err: (error) => error,\n                }).pipe(\n                  Fx.recover((error) => {\n                    logError(error);\n                    const respHeaders = new Headers({\n                      Location: destinationUrl,\n                    });\n                    for (const { name, value, options } of maybeRedirectTo !==\n                    null\n                      ? [maybeRedirectTo.updatedCookie]\n                      : []) {\n                      respHeaders.append(\n                        \"Set-Cookie\",\n                        serializeCookie(name, value, options),\n                      );\n                    }\n                    return Fx.succeed(\n                      new Response(null, {\n                        status: 302,\n                        headers: respHeaders,\n                      }),\n                    );\n                  }),\n                ),\n              );\n            },\n          });\n        }\n      },\n\n      /**\n       * Wrap an HTTP action handler with Bearer token authentication.\n       *\n       * Extracts the `Authorization: Bearer <key>` header, verifies the\n       * API key via `auth.key.verify()`, and injects `ctx.key` with the\n       * verified key info. Returns structured JSON error responses for\n       * missing/invalid/revoked/expired/rate-limited keys.\n       *\n       * If the handler returns a plain object, it is auto-wrapped in a\n       * `200 JSON` response. If it returns a `Response`, CORS headers\n       * are merged and the response is passed through.\n       *\n       * ```ts\n       * const handler = auth.http.action(async (ctx, request) => {\n       *   const data = await ctx.runQuery(api.data.get, { userId: ctx.key.userId });\n       *   return { data };\n       * });\n       * http.route({ path: \"/api/data\", method: \"GET\", handler });\n       * ```\n       *\n       * @param handler - Receives enriched `ctx` (with `ctx.key`) and the raw `Request`.\n       * @param options.scope - Optional scope check; returns 403 if the key lacks permission.\n       * @param options.cors - CORS config; defaults to permissive (`*`).\n       */\n      action: createHttpAction(auth),\n\n      /**\n       * Register a Bearer-authenticated route **and** its OPTIONS preflight\n       * in a single call.\n       *\n       * ```ts\n       * auth.http.route(http, {\n       *   path: \"/api/messages\",\n       *   method: \"POST\",\n       *   handler: async (ctx, request) => {\n       *     const { body } = await request.json();\n       *     await ctx.runMutation(internal.messages.sendAsUser, {\n       *       userId: ctx.key.userId,\n       *       body,\n       *     });\n       *     return { success: true };\n       *   },\n       * });\n       * ```\n       *\n       * @param http - The Convex HTTP router.\n       * @param routeConfig.path - The URL path to match.\n       * @param routeConfig.method - HTTP method (GET, POST, PUT, PATCH, DELETE).\n       * @param routeConfig.handler - Receives enriched `ctx` (with `ctx.key`) and the raw `Request`.\n       * @param routeConfig.scope - Optional scope check; returns 403 if the key lacks permission.\n       * @param routeConfig.cors - CORS config; defaults to permissive (`*`).\n       */\n      route: createHttpRoute(createHttpAction(auth)),\n    },\n  };\n\n  const enrichCtx = <DataModel extends GenericDataModel>(\n    ctx: GenericActionCtx<DataModel>,\n  ) => ({\n    ...ctx,\n    auth: {\n      ...ctx.auth,\n      config,\n      account: auth.account,\n      session: auth.session,\n      member: auth.member,\n      provider: auth.provider,\n    },\n  });\n\n  return {\n    /**\n     * Helper for configuring HTTP actions.\n     */\n    auth,\n    /**\n     * Action called by the client to sign the user in.\n     *\n     * Also used for refreshing the session.\n     */\n    signIn: actionGeneric({\n      args: {\n        provider: v.optional(v.string()),\n        params: v.optional(v.any()),\n        verifier: v.optional(v.string()),\n        refreshToken: v.optional(v.string()),\n        calledBy: v.optional(v.string()),\n      },\n      handler: async (ctx, args): Promise<SignInActionResult> => {\n        if (args.calledBy !== undefined) {\n          logWithLevel(\"INFO\", `\\`auth:signIn\\` called by ${args.calledBy}`);\n        }\n        const provider =\n          args.provider !== undefined\n            ? getProviderOrThrow(args.provider)\n            : null;\n        const result = await signInImpl(enrichCtx(ctx), provider, args, {\n          generateTokens: true,\n          allowExtraProviders: false,\n        });\n        return Fx.run(\n          Fx.match(result, result.kind, {\n            redirect: (r) =>\n              Fx.succeed({\n                kind: \"redirect\" as const,\n                redirect: r.redirect,\n                verifier: r.verifier,\n              }),\n            signedIn: (r) =>\n              Fx.succeed({\n                kind: \"signedIn\" as const,\n                tokens: r.signedIn?.tokens ?? null,\n              }),\n            refreshTokens: (r) =>\n              Fx.succeed({\n                kind: \"signedIn\" as const,\n                tokens: r.signedIn?.tokens ?? null,\n              }),\n            started: () => Fx.succeed({ kind: \"started\" as const }),\n            passkeyOptions: (r) =>\n              Fx.succeed({\n                kind: \"passkeyOptions\" as const,\n                options: r.options,\n                verifier: r.verifier,\n              }),\n            totpRequired: (r) =>\n              Fx.succeed({\n                kind: \"totpRequired\" as const,\n                verifier: r.verifier,\n              }),\n            totpSetup: (r) =>\n              Fx.succeed({\n                kind: \"totpSetup\" as const,\n                totpSetup: {\n                  uri: r.uri,\n                  secret: r.secret,\n                  totpId: r.totpId,\n                },\n                verifier: r.verifier,\n              }),\n            deviceCode: (r) =>\n              Fx.succeed({\n                kind: \"deviceCode\" as const,\n                deviceCode: {\n                  deviceCode: r.deviceCode,\n                  userCode: r.userCode,\n                  verificationUri: r.verificationUri,\n                  verificationUriComplete: r.verificationUriComplete,\n                  expiresIn: r.expiresIn,\n                  interval: r.interval,\n                },\n              }),\n          }),\n        );\n      },\n    }),\n    /**\n     * Action called by the client to invalidate the current session.\n     */\n    signOut: actionGeneric({\n      args: {},\n      handler: async (ctx) => {\n        await callSignOut(ctx);\n      },\n    }),\n\n    /**\n     * Internal mutation used by the library to read and write\n     * to the database during signin and signout.\n     */\n    store: internalMutationGeneric({\n      args: storeArgs,\n      handler: async (ctx: MutationCtx, args) => {\n        return storeImpl(ctx, args, getProviderOrThrow, config);\n      },\n    }),\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiFA,MAAM,qCAAqC;;;;;;;;;;;;;;;;;;;AAmE3C,SAAgB,KAAK,SAA2B;CAC9C,MAAM,SAAS,eAAe,QAAQ;CACtC,MAAM,WAAW,OAAO,UAAU,MAC/B,aAAa,SAAS,SAAS,QACjC;CACD,MAAM,SAAS,OAAO,UAAU,MAAM,aAAa,SAAS,SAAS,MAAM;CAC3E,MAAM,sBACJ,IACA,sBAA+B,UAC5B;EACH,MAAM,WACJ,OAAO,UAAU,MACd,uBAAuB,mBAAmB,OAAO,GACnD,KACA,sBACG,OAAO,eAAe,MACnB,uBAAuB,mBAAmB,OAAO,GACnD,GACD;AACN,MAAI,aAAa,QAAW;GAC1B,MAAM,SACJ,cAAc,GAAG,gDACU,uBAAuB,QAAQ,oBAAoB,CAAC;AACjF,gBAAa,WAAW,OAAO,OAAO;AACtC,SAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACT,UAAU;IACX,CAAC;;AAEJ,SAAO;;CAOT,MAAM,sBAAsB,OAC1B,KACA,cACA,SACG;AACH,SAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,qBAAqB;GACrE;GACA;GACD,CAAC;;CAEJ,MAAM,oCAAoC,OACxC,KACA,eACiC;EACjC,MAAM,OAAO,cAAc,WAAW,OAAO;EAC7C,MAAM,SAAS,MAAM,oBACnB,KACA,WAAW,KACX,mCACD;AACD,SAAO;GACL,GAAG;GACH,GAAI,SACA,EAAE,cAAc,MAAM,cAAc,OAAO,WAAW,EAAE,GACxD,EAAE;GACP;;CAEH,MAAM,wBACJ;CACF,MAAM,sBAAsB;CAE5B,MAAM,0BAA0B;CAEhC,MAAM,gCAAgC;CAEtC,MAAM,2BAA2B,eAC/B,0BAA0B,WAAW,OAAO;CAE9C,MAAM,wBAAwB,OAC5B,KACA,iBACG;EACH,MAAM,aAAa,MAAM,IAAI,SAC3B,OAAO,UAAU,OAAO,eACxB,EACE,cACD,CACF;AACD,MAAI,CAAC,WACH,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,SAAO;;CAGT,MAAM,8BAA8B,OAClC,KACA,iBACG;EACH,MAAM,aAAa,MAAM,sBAAsB,KAAK,aAAa;AACjE,MAAI,WAAW,WAAW,SACxB,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,SAAO;;CAGT,MAAM,kCAAkC,OACtC,KACA,iBACG;EACH,MAAM,aAAa,MAAM,sBAAsB,KAAK,aAAa;EACjE,MAAM,SAAS;GACb,QAAQ;IACN,MAAM;IACN,IAAI;IACL;GACD,QAAQ,WAAW;GACnB,QAAQ,WAAW;GACnB;GACD;AACD,MAAI,CAAC,6BAA6B,OAAO,CACvC,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;EAEJ,MAAM,OAAO,cAAc,OAAO,OAAO;AACzC,MAAI,CAAC,KAAK,KAAK,YACb,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,SAAO;GAAE;GAAQ;GAAY;GAAM;;CAGrC,MAAM,4BAA4B,OAChC,KACA,iBACG;EACH,MAAM,aAAa,MAAM,4BAA4B,KAAK,aAAa;EACvE,MAAM,OAAO,MAAM,kCAAkC,KAAK,WAAW;AACrE,MAAI,KAAK,YAAY,KACnB,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,SAAO;GAAE;GAAY;GAAM;;CAG7B,MAAM,4BACJ,WACG;EACH,MAAM,SAID,EAAE;AAEP,SAAO,KAAK;GAAE,MAAM;GAAkB,IAAI,OAAO,YAAY;GAAG,CAAC;AACjE,SAAO,KAAK;GACV,MAAM;GACN,IACE,OAAO,aAAa,IAAI,SAAS,6BACjC,OAAO,aAAa,IAAI,eAAe,SAAS;GAClD,SACE,OAAO,aAAa,IAAI,SAAS,6BACjC,OAAO,aAAa,IAAI,eAAe,WAAW,IAC9C,yFACA;GACP,CAAC;AACF,SAAO,KAAK;GACV,MAAM;GACN,IAAI,OAAO,aAAa,IAAI,eAAe,OACxC,WAAW,OAAO,cAAc,MAAM,YAAY,OACpD;GACD,SAAS,OAAO,aAAa,IAAI,eAAe,OAC7C,WAAW,OAAO,cAAc,MAAM,YAAY,OACpD,GACG,SACA;GACL,CAAC;AACF,SAAO,KAAK;GACV,MAAM;GACN,IACE,OAAO,aAAa,UAAU,SAAS,gBACvC,OAAO,aAAa,UAAU,SAAS;GAC1C,CAAC;AAEF,SAAO;;CAGT,MAAM,6BAA6B,OACjC,KACA,SAaG;EACH,MAAM,EAAE,IAAI,GAAG,SAAS;AACxB,SAAQ,MAAM,IAAI,YAChB,OAAO,UAAU,OAAO,4BACxB;GACE,GAAG;GACH,QAAQ,KAAK,YAAY;GACzB,YAAY,KAAK,KAAK;GACvB,CACF;;CAGH,MAAM,kCAAkC,OACtC,KACA,SAMG;EACH,MAAM,YAAY,MAAM,IAAI,SAC1B,OAAO,UAAU,OAAO,+BACxB,EAAE,cAAc,KAAK,cAAc,CACpC;AACD,OAAK,MAAM,YAAY,WAAW;AAChC,OACE,SAAS,WAAW,YACpB,CAAC,SAAS,cAAc,SAAS,KAAK,UAAU,CAEhD;AAEF,SAAM,IAAI,YACR,OAAO,UAAU,OAAO,kCACxB;IACE,cAAc,KAAK;IACnB,YAAY,SAAS;IACrB,cAAc,KAAK;IACnB,WAAW,KAAK;IAChB,SAAS,KAAK;IACd,eAAe,KAAK,KAAK;IAC1B,CACF;;;CAIL,MAAM,2BAA2B,OAC/B,KACA,YACG;EACH,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,MAAI,CAAC,YAAY,WAAW,UAAU,CACpC,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;EAEJ,MAAM,QAAQ,WAAW,MAAM,EAAE;EACjC,MAAM,aAAa,MAAM,IAAI,SAC3B,OAAO,UAAU,OAAO,oCACxB,EAAE,WAAW,MAAM,OAAO,MAAM,EAAE,CACnC;AACD,MAAI,CAAC,cAAc,WAAW,WAAW,SACvC,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;EAEJ,MAAM,aAAa,cAAc,IAAI,IAAI,QAAQ,IAAI,CAAC,SAAS;AAC/D,MAAI,WAAW,iBAAiB,WAAW,aACzC,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;EAEJ,MAAM,aAAa,MAAM,IAAI,SAC3B,OAAO,UAAU,OAAO,eACxB,EACE,cAAc,WAAW,cAC1B,CACF;AACD,MAAI,eAAe,KACjB,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,SAAO;GAAE;GAAY;GAAY;GAAY;;CAG/C,IAAI;AACJ,QAAO;EACL,GAAG,kBAAkB;GACnB;GACA,eAAe;GACf;GACA;GACA;GACA;GACA,oBAAoB;GACpB,qBAAqB;GACrB,mBAAmB;GACpB,CAAC;EAKF,KAAK,uBAAuB;GAC1B;GACA,eAAe;GACf;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACD,CAAC;EAGF,MAAM;GA2BJ,MAAM,SAAqB;AACzB,oBAAgB,MAAM;KACpB,iBAAiB,WAAW,kBAAkB;KAC9C,eAAe,WAAW,OAAO;KAClC,CAAC;AAEF,6BAAyB;KACvB;KACA;KACA;KACA;KACA,WAAW;KACX;KACA;KACA;KACA;KACA;KACA;KACA;KACA;KACA;KACA,qBAAqB;KACrB;KACA;KACD,CAAC;AAEF,QAAI,SACF,eAAc,MAAM;KAClB,cAAc,wBAAwB,KAAK,OAAO,KAAK,YAAY;MACjE,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;MAChC,MAAM,YAAY,IAAI,SAAS,MAAM,IAAI;MACzC,MAAM,aAAa,UAAU,UAAU,SAAS;AAChD,UAAI,eAAe,KACjB,OAAM,GAAG,MAAM;OACb,MAAM;OACN,SAAS;OACV,CAAC;MAEJ,MAAM,WAAW,IAAI,aAAa,IAAI,OAAO;AAC7C,UAAI,aAAa,KACf,OAAM,GAAG,MAAM;OACb,MAAM;OACN,SAAS;OACV,CAAC;MAIJ,MAAM,cAFW,mBAAmB,WAAW;MAG/C,MAAM,EAAE,UAAU,SAAS,cACzB,MAAM,4BACJ,YACA,YAAY,UACZ,YACD;AAEH,YAAM,sBAAsB,KAAK;OAC/B;OACA;OACD,CAAC;MAEF,MAAM,aAAa,IAAI,aAAa,IAAI,aAAa;AACrD,UAAI,eAAe,KACjB,SAAQ,KAAK,sBAAsB,YAAY,WAAW,CAAC;MAG7D,MAAM,UAAU,IAAI,QAAQ,EAAE,UAAU,UAAU,CAAC;AACnD,WAAK,MAAM,EAAE,MAAM,OAAO,aAAa,QACrC,SAAQ,OACN,cACAA,UAAgB,MAAM,OAAO,QAAe,CAC7C;AAGH,aAAO,IAAI,SAAS,MAAM;OAAE,QAAQ;OAAK;OAAS,CAAC;OACnD;KACF,gBAAgB,OAAO,KAAK,YAAY;MACtC,MAAM,MAAM,IAAI,IAAI,QAAQ,IAAI;MAChC,MAAM,oBAAoB,IAAI,IAAI,QAAQ,IAAI,CAAC,SAAS,MACtD,IACD;MACD,MAAM,aACJ,kBAAkB,kBAAkB,SAAS;AAC/C,UAAI,CAAC,WACH,OAAM,GAAG,MAAM;OACb,MAAM;OACN,SAAS;OACV,CAAC;AAEJ,mBACE,WAAW,OACX,yCACA,WACD;MACD,MAAM,WAAW,mBAAmB,WAAW;MAE/C,MAAM,UAAU,WAAW,QAAQ;MAEnC,MAAM,kBAAkB,mBAAmB,SAAS,IAAI,QAAQ;MAEhE,MAAM,iBAAiB,MAAM,oBAAoB,QAAQ,EACvD,YAAY,iBAAiB,YAC9B,CAAC;MAEF,MAAM,SAAS,IAAI;AAEnB,UACE,QAAQ,QAAQ,IAAI,eAAe,KACnC,oCAGA,EADiB,MAAM,QAAQ,UAAU,EAChC,SAAS,OAAO,QAAQ;AAC/B,WAAI,OAAO,UAAU,SACnB,QAAO,OAAO,KAAK,MAAM;QAE3B;AAGJ,aAAO,GAAG,IACR,GAAG,KAAK;OACN,IAAI,YAAY;QACd,MAAM,cAAc;QACpB,MAAM,SAAS,MAAM,GAAG,IACtB,oBACE,YACA,YAAY,UACZ,aACA,OAAO,YAAY,OAAO,SAAS,CAAC,EACpC,QACD,CACF;QACD,MAAM,eAAe,OAAO;QAC5B,MAAM,EAAE,IAAI,WAAW,GAAG,gBAAgB,OAAO;QACjD,MAAM,EAAE,cAAc;QAStB,MAAM,WAAW,kBACf,gBACA,QATuB,MAAM,cAAc,KAAK;SAChD,UAAU;SACV,mBAAmB;SACnB,SAAS;SACT;SACD,CAAC,CAMD;QACD,MAAM,eAAe,IAAI,QAAQ,EAAE,UAAU,UAAU,CAAC;AACxD,qBAAa,IAAI,iBAAiB,kBAAkB;AACpD,aAAK,MAAM,EAAE,MAAM,OAAO,aAAa,CACrC,GAAG,cACH,GAAI,oBAAoB,OACpB,CAAC,gBAAgB,cAAc,GAC/B,EAAE,CACP,CACC,cAAa,OACX,cACAA,UAAgB,MAAM,OAAO,QAAQ,CACtC;AAEH,eAAO,IAAI,SAAS,MAAM;SACxB,QAAQ;SACR,SAAS;SACV,CAAC;;OAEJ,MAAM,UAAU;OACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAU;AACpB,gBAAS,MAAM;OACf,MAAM,cAAc,IAAI,QAAQ,EAC9B,UAAU,gBACX,CAAC;AACF,YAAK,MAAM,EAAE,MAAM,OAAO,aAAa,oBACvC,OACI,CAAC,gBAAgB,cAAc,GAC/B,EAAE,CACJ,aAAY,OACV,cACAA,UAAgB,MAAM,OAAO,QAAQ,CACtC;AAEH,cAAO,GAAG,QACR,IAAI,SAAS,MAAM;QACjB,QAAQ;QACR,SAAS;QACV,CAAC,CACH;QACD,CACH,CACF;;KAEJ,CAAC;;GA4BN,QAAQ,iBAAiB,KAAK;GA4B9B,OAAO,gBAAgB,iBAAiB,KAAK,CAAC;GAC/C;EACF;CAED,MAAM,aACJ,SACI;EACJ,GAAG;EACH,MAAM;GACJ,GAAG,IAAI;GACP;GACA,SAAS,KAAK;GACd,SAAS,KAAK;GACd,QAAQ,KAAK;GACb,UAAU,KAAK;GAChB;EACF;AAED,QAAO;EAIL;EAMA,QAAQ,cAAc;GACpB,MAAM;IACJ,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;IAChC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;IAC3B,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;IAChC,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;IACpC,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;IACjC;GACD,SAAS,OAAO,KAAK,SAAsC;AACzD,QAAI,KAAK,aAAa,OACpB,cAAa,QAAQ,6BAA6B,KAAK,WAAW;IAEpE,MAAM,WACJ,KAAK,aAAa,SACd,mBAAmB,KAAK,SAAS,GACjC;IACN,MAAM,SAAS,MAAM,WAAW,UAAU,IAAI,EAAE,UAAU,MAAM;KAC9D,gBAAgB;KAChB,qBAAqB;KACtB,CAAC;AACF,WAAO,GAAG,IACR,GAAG,MAAM,QAAQ,OAAO,MAAM;KAC5B,WAAW,MACT,GAAG,QAAQ;MACT,MAAM;MACN,UAAU,EAAE;MACZ,UAAU,EAAE;MACb,CAAC;KACJ,WAAW,MACT,GAAG,QAAQ;MACT,MAAM;MACN,QAAQ,EAAE,UAAU,UAAU;MAC/B,CAAC;KACJ,gBAAgB,MACd,GAAG,QAAQ;MACT,MAAM;MACN,QAAQ,EAAE,UAAU,UAAU;MAC/B,CAAC;KACJ,eAAe,GAAG,QAAQ,EAAE,MAAM,WAAoB,CAAC;KACvD,iBAAiB,MACf,GAAG,QAAQ;MACT,MAAM;MACN,SAAS,EAAE;MACX,UAAU,EAAE;MACb,CAAC;KACJ,eAAe,MACb,GAAG,QAAQ;MACT,MAAM;MACN,UAAU,EAAE;MACb,CAAC;KACJ,YAAY,MACV,GAAG,QAAQ;MACT,MAAM;MACN,WAAW;OACT,KAAK,EAAE;OACP,QAAQ,EAAE;OACV,QAAQ,EAAE;OACX;MACD,UAAU,EAAE;MACb,CAAC;KACJ,aAAa,MACX,GAAG,QAAQ;MACT,MAAM;MACN,YAAY;OACV,YAAY,EAAE;OACd,UAAU,EAAE;OACZ,iBAAiB,EAAE;OACnB,yBAAyB,EAAE;OAC3B,WAAW,EAAE;OACb,UAAU,EAAE;OACb;MACF,CAAC;KACL,CAAC,CACH;;GAEJ,CAAC;EAIF,SAAS,cAAc;GACrB,MAAM,EAAE;GACR,SAAS,OAAO,QAAQ;AACtB,UAAM,YAAY,IAAI;;GAEzB,CAAC;EAMF,OAAO,wBAAwB;GAC7B,MAAM;GACN,SAAS,OAAO,KAAkB,SAAS;AACzC,WAAO,UAAU,KAAK,MAAM,oBAAoB,OAAO;;GAE1D,CAAC;EACH"}

package/dist/server/signin.js

@@ -1,4 +1,3 @@
-import { AuthError } from "./authError.js";
 import { generateRandomString, requireEnv } from "./utils.js";
 import { callCreateVerificationCode } from "./mutations/code.js";
 import { callRefreshSession } from "./mutations/refresh.js";
@@ -12,13 +11,14 @@ import { handlePasskeyFx } from "./passkey.js";
 import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
 import { handleTotp } from "./totp.js";
 import { Fx } from "@robelest/fx";
+import { Cv } from "@robelest/fx/convex";
 
 //#region src/server/signin.ts
 const DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 3600 * 24;
 /** @internal */
 async function signInImpl(ctx, provider, args, options) {
 	const fx = signInFx(ctx, provider, args, options);
-	return Fx.run(fx.pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+	return Fx.run(fx.pipe(Fx.recover((e) => Fx.fatal(e))));
 }
 /**
 * Core sign-in pipeline as an Fx generator.
@@ -48,7 +48,10 @@ function signInFx(ctx, provider, args, options) {
 				allowExtraProviders: options.allowExtraProviders
 			}))
 		};
-		const resolvedProvider = yield* provider != null ? Fx.succeed(provider) : Fx.fail(new AuthError("SIGN_IN_MISSING_PARAMS"));
+		const resolvedProvider = yield* provider != null ? Fx.succeed(provider) : Cv.fail({
+			code: "SIGN_IN_MISSING_PARAMS",
+			message: "Cannot sign in: missing provider, code, or refresh token."
+		});
 		return yield* Fx.match(resolvedProvider).on("type", {
 			email: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),
 			phone: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),
@@ -72,12 +75,18 @@ function handleEmailAndPhoneProviderFx(ctx, provider, args, options) {
 			}));
 			return {
 				kind: "signedIn",
-				signedIn: yield* result != null ? Fx.succeed(result) : Fx.fail(new AuthError("INVALID_VERIFICATION_CODE"))
+				signedIn: yield* result != null ? Fx.succeed(result) : Cv.fail({
+					code: "INVALID_VERIFICATION_CODE",
+					message: "Invalid or expired verification code."
+				})
 			};
 		}
 		const code = provider.generateVerificationToken ? yield* Fx.from({
 			ok: async () => provider.generateVerificationToken(),
-			err: () => new AuthError("INTERNAL_ERROR", "Failed to generate verification token")
+			err: () => Cv.error({
+				code: "INTERNAL_ERROR",
+				message: "Failed to generate verification token"
+			})
 		}) : generateRandomString(32, "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
 		const expirationTime = Date.now() + (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1e3;
 		const verificationArgs = {
@@ -101,14 +110,20 @@ function handleEmailAndPhoneProviderFx(ctx, provider, args, options) {
 					provider: p,
 					request: new Request("http://localhost")
 				}, ctx),
-				err: () => new AuthError("INTERNAL_ERROR", "Failed to send email code")
+				err: () => Cv.error({
+					code: "INTERNAL_ERROR",
+					message: "Failed to send email code"
+				})
 			}),
 			phone: (p) => Fx.from({
 				ok: async () => p.sendVerificationRequest({
 					...verificationArgs,
 					provider: p
 				}, ctx),
-				err: () => new AuthError("INTERNAL_ERROR", "Failed to send phone code")
+				err: () => Cv.error({
+					code: "INTERNAL_ERROR",
+					message: "Failed to send phone code"
+				})
 			})
 		});
 		return {
@@ -167,7 +182,10 @@ function handleOAuthProviderFx(ctx, provider, args, options) {
 		const verifier = yield* Fx.promise(() => callVerifier(ctx));
 		redirect.searchParams.set("code", verifier);
 		if (args.params?.redirectTo !== void 0) {
-			yield* Fx.guard(typeof args.params.redirectTo !== "string", Fx.fail(new AuthError("INVALID_REDIRECT", `Expected \`redirectTo\` to be a string, got ${args.params.redirectTo}`)));
+			yield* Fx.guard(typeof args.params.redirectTo !== "string", Cv.fail({
+				code: "INVALID_REDIRECT",
+				message: `Expected \`redirectTo\` to be a string, got ${args.params.redirectTo}`
+			}));
 			redirect.searchParams.set("redirectTo", args.params.redirectTo);
 		}
 		return {
@@ -180,9 +198,15 @@ function handleOAuthProviderFx(ctx, provider, args, options) {
 function handleSsoProviderFx(ctx, args) {
 	return Fx.gen(function* () {
 		const enterpriseId = args.params?.enterpriseId;
-		if (!enterpriseId || typeof enterpriseId !== "string") return yield* Fx.fail(new AuthError("SIGN_IN_MISSING_PARAMS", "enterpriseId is required for SSO sign-in."));
+		if (!enterpriseId || typeof enterpriseId !== "string") return yield* Cv.fail({
+			code: "SIGN_IN_MISSING_PARAMS",
+			message: "enterpriseId is required for SSO sign-in."
+		});
 		const protocol = args.params?.protocol ?? "oidc";
-		if (protocol !== "oidc" && protocol !== "saml") return yield* Fx.fail(new AuthError("SIGN_IN_MISSING_PARAMS", `Invalid SSO protocol: ${protocol}. Expected "oidc" or "saml".`));
+		if (protocol !== "oidc" && protocol !== "saml") return yield* Cv.fail({
+			code: "SIGN_IN_MISSING_PARAMS",
+			message: `Invalid SSO protocol: ${protocol}. Expected "oidc" or "saml".`
+		});
 		const verifier = yield* Fx.promise(() => callVerifier(ctx));
 		const siteUrl = process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv("CONVEX_SITE_URL");
 		const redirect = new URL(`${siteUrl}/api/auth/sso/${enterpriseId}/${protocol}/signin`);

package/dist/server/signin.js.map

@@ -1 +1 @@
-{"version":3,"file":"signin.js","names":[],"sources":["../../src/server/signin.ts"],"sourcesContent":["import type { Fx as FxType } from \"@robelest/fx\";\nimport { GenericId } from \"convex/values\";\n\nimport { handleDevice } from \"./device\";\nimport { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./authError\";\nimport {\n  callCreateVerificationCode,\n  callRefreshSession,\n  callSignIn,\n  callVerifier,\n  callVerifierSignature,\n  callVerifyCodeAndSignIn,\n} from \"./mutations/index\";\nimport { handlePasskeyFx } from \"./passkey\";\nimport { redirectAbsoluteUrl, setURLSearchParam } from \"./redirects\";\nimport { handleTotp } from \"./totp\";\nimport {\n  AuthProviderMaterializedConfig,\n  ConvexCredentialsConfig,\n  EmailConfig,\n  GenericActionCtxWithAuthConfig,\n  PhoneConfig,\n} from \"./types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  SessionInfoWithTokens,\n  Tokens,\n  queryTotpVerifiedByUserId,\n} from \"./types\";\nimport type { OAuthMaterializedConfig } from \"./types\";\nimport { generateRandomString } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\nconst DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 60 * 60 * 24; // 24 hours\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\ntype SignInResult =\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"refreshTokens\"; signedIn: { tokens: Tokens } }\n  | { kind: \"started\"; started: true }\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n  | { kind: \"totpRequired\"; verifier: string }\n  | {\n      kind: \"totpSetup\";\n      uri: string;\n      secret: string;\n      verifier: string;\n      totpId: string;\n    }\n  | {\n      kind: \"deviceCode\";\n      deviceCode: string;\n      userCode: string;\n      verificationUri: string;\n      verificationUriComplete: string;\n      expiresIn: number;\n      interval: number;\n    };\n\n/** @internal */\nexport async function signInImpl(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): Promise<SignInResult> {\n  const fx = signInFx(ctx, provider, args, options);\n  return Fx.run(\n    fx.pipe(Fx.recover((e) => Fx.fatal((e as AuthError).toConvexError()))),\n  );\n}\n\n/**\n * Core sign-in pipeline as an Fx generator.\n *\n * Handles: refresh tokens, verification codes, then dispatches by\n * provider type using a dispatch map (no if-chain).\n */\nfunction signInFx(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<SignInResult, AuthError> {\n  return Fx.gen(function* () {\n    // --- Refresh token (no provider) ---\n    if (provider === null && args.refreshToken) {\n      const tokens = yield* Fx.promise(() =>\n        callRefreshSession(ctx, { refreshToken: args.refreshToken! }),\n      );\n      if (tokens === null) {\n        return { kind: \"signedIn\" as const, signedIn: null };\n      }\n      return { kind: \"refreshTokens\" as const, signedIn: { tokens } };\n    }\n\n    // --- Verify code (no provider, code present) ---\n    if (provider === null && args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return { kind: \"signedIn\" as const, signedIn: result };\n    }\n\n    // --- Provider is required past this point ---\n    const resolvedProvider = yield* provider != null\n      ? Fx.succeed(provider)\n      : Fx.fail(new AuthError(\"SIGN_IN_MISSING_PARAMS\"));\n\n    // --- Dispatch by provider type ---\n    return yield* Fx.match(resolvedProvider).on(\"type\", {\n      email: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      phone: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      credentials: (p) => handleCredentialsFx(ctx, p, args, options),\n      oauth: (p) => handleOAuthProviderFx(ctx, p, args, options),\n      passkey: (p) => handlePasskeyFx(ctx, p, args),\n      totp: (p) => handleTotp(ctx, p, args),\n      device: (p) => handleDevice(ctx, p, args),\n      sso: (_p) => handleSsoProviderFx(ctx, args),\n    });\n  });\n}\n\n// ============================================================================\n// Email / Phone\n// ============================================================================\n\nfunction handleEmailAndPhoneProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: EmailConfig | PhoneConfig,\n  args: {\n    params?: Record<string, any>;\n    accountId?: GenericId<\"Account\">;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"started\"; started: true }\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          provider: provider.id,\n          generateTokens: options.generateTokens,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      const verified = yield* result != null\n        ? Fx.succeed(result)\n        : Fx.fail(new AuthError(\"INVALID_VERIFICATION_CODE\"));\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: verified as SessionInfoWithTokens,\n      };\n    }\n\n    // --- Send verification code path ---\n    const alphabet =\n      \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\";\n    const code = provider.generateVerificationToken\n      ? yield* Fx.from({\n          ok: async () => provider.generateVerificationToken!(),\n          err: () =>\n            new AuthError(\n              \"INTERNAL_ERROR\",\n              \"Failed to generate verification token\",\n            ),\n        })\n      : generateRandomString(32, alphabet);\n    const expirationTime =\n      Date.now() +\n      (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1000;\n\n    const identifier = yield* Fx.promise(() =>\n      callCreateVerificationCode(ctx, {\n        provider: provider.id,\n        accountId: args.accountId,\n        email: args.params?.email,\n        phone: args.params?.phone,\n        code,\n        expirationTime,\n        allowExtraProviders: options.allowExtraProviders,\n      }),\n    );\n    const destination = yield* Fx.promise(() =>\n      redirectAbsoluteUrl(\n        ctx.auth.config,\n        (args.params ?? {}) as { redirectTo: unknown },\n      ),\n    );\n    const verificationArgs = {\n      identifier,\n      url: setURLSearchParam(destination, \"code\", code),\n      token: code,\n      expires: new Date(expirationTime),\n    };\n    yield* Fx.match(provider).on(\"type\", {\n      email: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              {\n                ...verificationArgs,\n                provider: p,\n                request: new Request(\"http://localhost\"),\n              },\n              ctx,\n            ),\n          err: () =>\n            new AuthError(\"INTERNAL_ERROR\", \"Failed to send email code\"),\n        }),\n      phone: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              { ...verificationArgs, provider: p },\n              ctx,\n            ),\n          err: () =>\n            new AuthError(\"INTERNAL_ERROR\", \"Failed to send phone code\"),\n        }),\n    });\n    return { kind: \"started\" as const, started: true as const };\n  });\n}\n\n// ============================================================================\n// Credentials\n// ============================================================================\n\nfunction handleCredentialsFx(\n  ctx: EnrichedActionCtx,\n  provider: ConvexCredentialsConfig,\n  args: {\n    params?: Record<string, any>;\n  },\n  options: {\n    generateTokens: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"totpRequired\"; verifier: string },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    const result = yield* Fx.promise(() =>\n      provider.authorize(args.params ?? {}, ctx),\n    );\n    if (result === null) {\n      return { kind: \"signedIn\" as const, signedIn: null };\n    }\n\n    // Check if user has TOTP 2FA enrolled before issuing tokens\n    const hasTotpEnrolled = yield* Fx.promise(async () => {\n      const totpDoc = await queryTotpVerifiedByUserId(ctx, result.userId);\n      return totpDoc !== null;\n    });\n    if (hasTotpEnrolled) {\n      // Create session but withhold tokens — TOTP verification needed\n      yield* Fx.promise(() =>\n        callSignIn(ctx, {\n          userId: result.userId,\n          sessionId: result.sessionId,\n          generateTokens: false,\n        }),\n      );\n      // Store userId in verifier so the TOTP verify flow can complete sign-in\n      const verifier = yield* Fx.promise(() => callVerifier(ctx));\n      yield* Fx.promise(() =>\n        callVerifierSignature(ctx, {\n          verifier,\n          signature: JSON.stringify({ userId: result.userId }),\n        }),\n      );\n      return { kind: \"totpRequired\" as const, verifier };\n    }\n\n    const idsAndTokens = yield* Fx.promise(() =>\n      callSignIn(ctx, {\n        userId: result.userId,\n        sessionId: result.sessionId,\n        generateTokens: options.generateTokens,\n      }),\n    );\n    return { kind: \"signedIn\" as const, signedIn: idsAndTokens };\n  });\n}\n\n// ============================================================================\n// OAuth\n// ============================================================================\n\nfunction handleOAuthProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: OAuthMaterializedConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n  options: {\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens | null }\n  | { kind: \"redirect\"; redirect: string; verifier: string },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: result as SessionInfoWithTokens | null,\n      };\n    }\n\n    // --- Build redirect URL ---\n    const redirect = new URL(\n      (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\")) +\n        `/api/auth/signin/${provider.id}`,\n    );\n    const verifier = yield* Fx.promise(() => callVerifier(ctx));\n    redirect.searchParams.set(\"code\", verifier);\n\n    if (args.params?.redirectTo !== undefined) {\n      yield* Fx.guard(\n        typeof args.params.redirectTo !== \"string\",\n        Fx.fail(\n          new AuthError(\n            \"INVALID_REDIRECT\",\n            `Expected \\`redirectTo\\` to be a string, got ${args.params.redirectTo}`,\n          ),\n        ),\n      );\n      redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n    }\n\n    return {\n      kind: \"redirect\" as const,\n      redirect: redirect.toString(),\n      verifier,\n    };\n  });\n}\n\n// ============================================================================\n// SSO (Enterprise OIDC / SAML)\n// ============================================================================\n\nfunction handleSsoProviderFx(\n  ctx: EnrichedActionCtx,\n  args: {\n    params?: Record<string, any>;\n  },\n): FxType<{ kind: \"redirect\"; redirect: string; verifier: string }, AuthError> {\n  return Fx.gen(function* () {\n    const enterpriseId = args.params?.enterpriseId;\n    if (!enterpriseId || typeof enterpriseId !== \"string\") {\n      return yield* Fx.fail(\n        new AuthError(\n          \"SIGN_IN_MISSING_PARAMS\",\n          \"enterpriseId is required for SSO sign-in.\",\n        ),\n      );\n    }\n\n    const protocol: \"oidc\" | \"saml\" = args.params?.protocol ?? \"oidc\";\n    if (protocol !== \"oidc\" && protocol !== \"saml\") {\n      return yield* Fx.fail(\n        new AuthError(\n          \"SIGN_IN_MISSING_PARAMS\",\n          `Invalid SSO protocol: ${protocol as string}. Expected \"oidc\" or \"saml\".`,\n        ),\n      );\n    }\n\n    const verifier = yield* Fx.promise(() => callVerifier(ctx));\n    const siteUrl =\n      process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\");\n    const redirect = new URL(\n      `${siteUrl}/api/auth/sso/${enterpriseId}/${protocol}/signin`,\n    );\n    redirect.searchParams.set(\"code\", verifier);\n\n    if (typeof args.params?.redirectTo === \"string\") {\n      redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n    }\n\n    return {\n      kind: \"redirect\" as const,\n      redirect: redirect.toString(),\n      verifier,\n    };\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAoCA,MAAM,6CAA6C,OAAU;;AA6B7D,eAAsB,WACpB,KACA,UACA,MAOA,SAIuB;CACvB,MAAM,KAAK,SAAS,KAAK,UAAU,MAAM,QAAQ;AACjD,QAAO,GAAG,IACR,GAAG,KAAK,GAAG,SAAS,MAAM,GAAG,MAAO,EAAgB,eAAe,CAAC,CAAC,CAAC,CACvE;;;;;;;;AASH,SAAS,SACP,KACA,UACA,MAOA,SAIiC;AACjC,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,aAAa,QAAQ,KAAK,cAAc;GAC1C,MAAM,SAAS,OAAO,GAAG,cACvB,mBAAmB,KAAK,EAAE,cAAc,KAAK,cAAe,CAAC,CAC9D;AACD,OAAI,WAAW,KACb,QAAO;IAAE,MAAM;IAAqB,UAAU;IAAM;AAEtD,UAAO;IAAE,MAAM;IAA0B,UAAU,EAAE,QAAQ;IAAE;;AAIjE,MAAI,aAAa,QAAQ,KAAK,QAAQ,SAAS,OAS7C,QAAO;GAAE,MAAM;GAAqB,UARrB,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GACqD;EAIxD,MAAM,mBAAmB,OAAO,YAAY,OACxC,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK,IAAI,UAAU,yBAAyB,CAAC;AAGpD,SAAO,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,QAAQ;GAClD,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,cAAc,MAAM,oBAAoB,KAAK,GAAG,MAAM,QAAQ;GAC9D,QAAQ,MAAM,sBAAsB,KAAK,GAAG,MAAM,QAAQ;GAC1D,UAAU,MAAM,gBAAgB,KAAK,GAAG,KAAK;GAC7C,OAAO,MAAM,WAAW,KAAK,GAAG,KAAK;GACrC,SAAS,MAAM,aAAa,KAAK,GAAG,KAAK;GACzC,MAAM,OAAO,oBAAoB,KAAK,KAAK;GAC5C,CAAC;GACF;;AAOJ,SAAS,8BACP,KACA,UACA,MAIA,SAQA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,QAAW;GACnC,MAAM,SAAS,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,SAAS;IACnB,gBAAgB,QAAQ;IACxB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;AAID,UAAO;IACL,MAAM;IACN,UALe,OAAO,UAAU,OAC9B,GAAG,QAAQ,OAAO,GAClB,GAAG,KAAK,IAAI,UAAU,4BAA4B,CAAC;IAItD;;EAMH,MAAM,OAAO,SAAS,4BAClB,OAAO,GAAG,KAAK;GACb,IAAI,YAAY,SAAS,2BAA4B;GACrD,WACE,IAAI,UACF,kBACA,wCACD;GACJ,CAAC,GACF,qBAAqB,IAVvB,iEAUoC;EACtC,MAAM,iBACJ,KAAK,KAAK,IACT,SAAS,UAAU,8CAA8C;EAmBpE,MAAM,mBAAmB;GACvB,YAlBiB,OAAO,GAAG,cAC3B,2BAA2B,KAAK;IAC9B,UAAU,SAAS;IACnB,WAAW,KAAK;IAChB,OAAO,KAAK,QAAQ;IACpB,OAAO,KAAK,QAAQ;IACpB;IACA;IACA,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GASC,KAAK,kBARa,OAAO,GAAG,cAC5B,oBACE,IAAI,KAAK,QACR,KAAK,UAAU,EAAE,CACnB,CACF,EAGqC,QAAQ,KAAK;GACjD,OAAO;GACP,SAAS,IAAI,KAAK,eAAe;GAClC;AACD,SAAO,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ;GACnC,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KACE,GAAG;KACH,UAAU;KACV,SAAS,IAAI,QAAQ,mBAAmB;KACzC,EACD,IACD;IACH,WACE,IAAI,UAAU,kBAAkB,4BAA4B;IAC/D,CAAC;GACJ,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KAAE,GAAG;KAAkB,UAAU;KAAG,EACpC,IACD;IACH,WACE,IAAI,UAAU,kBAAkB,4BAA4B;IAC/D,CAAC;GACL,CAAC;AACF,SAAO;GAAE,MAAM;GAAoB,SAAS;GAAe;GAC3D;;AAOJ,SAAS,oBACP,KACA,UACA,MAGA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,SAAS,OAAO,GAAG,cACvB,SAAS,UAAU,KAAK,UAAU,EAAE,EAAE,IAAI,CAC3C;AACD,MAAI,WAAW,KACb,QAAO;GAAE,MAAM;GAAqB,UAAU;GAAM;AAQtD,MAJwB,OAAO,GAAG,QAAQ,YAAY;AAEpD,UADgB,MAAM,0BAA0B,KAAK,OAAO,OAAO,KAChD;IACnB,EACmB;AAEnB,UAAO,GAAG,cACR,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB;IACjB,CAAC,CACH;GAED,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,UAAO,GAAG,cACR,sBAAsB,KAAK;IACzB;IACA,WAAW,KAAK,UAAU,EAAE,QAAQ,OAAO,QAAQ,CAAC;IACrD,CAAC,CACH;AACD,UAAO;IAAE,MAAM;IAAyB;IAAU;;AAUpD,SAAO;GAAE,MAAM;GAAqB,UAPf,OAAO,GAAG,cAC7B,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB,QAAQ;IACzB,CAAC,CACH;GAC2D;GAC5D;;AAOJ,SAAS,sBACP,KACA,UACA,MAIA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,OASxB,QAAO;GACL,MAAM;GACN,UAVa,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GAIA;EAIH,MAAM,WAAW,IAAI,KAClB,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB,IAChE,oBAAoB,SAAS,KAChC;EACD,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,WAAS,aAAa,IAAI,QAAQ,SAAS;AAE3C,MAAI,KAAK,QAAQ,eAAe,QAAW;AACzC,UAAO,GAAG,MACR,OAAO,KAAK,OAAO,eAAe,UAClC,GAAG,KACD,IAAI,UACF,oBACA,+CAA+C,KAAK,OAAO,aAC5D,CACF,CACF;AACD,YAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;;AAGjE,SAAO;GACL,MAAM;GACN,UAAU,SAAS,UAAU;GAC7B;GACD;GACD;;AAOJ,SAAS,oBACP,KACA,MAG6E;AAC7E,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,eAAe,KAAK,QAAQ;AAClC,MAAI,CAAC,gBAAgB,OAAO,iBAAiB,SAC3C,QAAO,OAAO,GAAG,KACf,IAAI,UACF,0BACA,4CACD,CACF;EAGH,MAAM,WAA4B,KAAK,QAAQ,YAAY;AAC3D,MAAI,aAAa,UAAU,aAAa,OACtC,QAAO,OAAO,GAAG,KACf,IAAI,UACF,0BACA,yBAAyB,SAAmB,8BAC7C,CACF;EAGH,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;EAC3D,MAAM,UACJ,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB;EACnE,MAAM,WAAW,IAAI,IACnB,GAAG,QAAQ,gBAAgB,aAAa,GAAG,SAAS,SACrD;AACD,WAAS,aAAa,IAAI,QAAQ,SAAS;AAE3C,MAAI,OAAO,KAAK,QAAQ,eAAe,SACrC,UAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;AAGjE,SAAO;GACL,MAAM;GACN,UAAU,SAAS,UAAU;GAC7B;GACD;GACD"}
+{"version":3,"file":"signin.js","names":[],"sources":["../../src/server/signin.ts"],"sourcesContent":["import type { Fx as FxType } from \"@robelest/fx\";\nimport { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport { GenericId } from \"convex/values\";\nimport { ConvexError } from \"convex/values\";\n\nimport { handleDevice } from \"./device\";\nimport {\n  callCreateVerificationCode,\n  callRefreshSession,\n  callSignIn,\n  callVerifier,\n  callVerifierSignature,\n  callVerifyCodeAndSignIn,\n} from \"./mutations/index\";\nimport { handlePasskeyFx } from \"./passkey\";\nimport { redirectAbsoluteUrl, setURLSearchParam } from \"./redirects\";\nimport { handleTotp } from \"./totp\";\nimport {\n  AuthProviderMaterializedConfig,\n  ConvexCredentialsConfig,\n  EmailConfig,\n  GenericActionCtxWithAuthConfig,\n  PhoneConfig,\n} from \"./types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  SessionInfoWithTokens,\n  Tokens,\n  queryTotpVerifiedByUserId,\n} from \"./types\";\nimport type { OAuthMaterializedConfig } from \"./types\";\nimport { generateRandomString } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\nconst DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 60 * 60 * 24; // 24 hours\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\ntype SignInResult =\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"refreshTokens\"; signedIn: { tokens: Tokens } }\n  | { kind: \"started\"; started: true }\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n  | { kind: \"totpRequired\"; verifier: string }\n  | {\n      kind: \"totpSetup\";\n      uri: string;\n      secret: string;\n      verifier: string;\n      totpId: string;\n    }\n  | {\n      kind: \"deviceCode\";\n      deviceCode: string;\n      userCode: string;\n      verificationUri: string;\n      verificationUriComplete: string;\n      expiresIn: number;\n      interval: number;\n    };\n\n/** @internal */\nexport async function signInImpl(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): Promise<SignInResult> {\n  const fx = signInFx(ctx, provider, args, options);\n  return Fx.run(fx.pipe(Fx.recover((e) => Fx.fatal(e))));\n}\n\n/**\n * Core sign-in pipeline as an Fx generator.\n *\n * Handles: refresh tokens, verification codes, then dispatches by\n * provider type using a dispatch map (no if-chain).\n */\nfunction signInFx(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<SignInResult, ConvexError<any>> {\n  return Fx.gen(function* () {\n    // --- Refresh token (no provider) ---\n    if (provider === null && args.refreshToken) {\n      const tokens = yield* Fx.promise(() =>\n        callRefreshSession(ctx, { refreshToken: args.refreshToken! }),\n      );\n      if (tokens === null) {\n        return { kind: \"signedIn\" as const, signedIn: null };\n      }\n      return { kind: \"refreshTokens\" as const, signedIn: { tokens } };\n    }\n\n    // --- Verify code (no provider, code present) ---\n    if (provider === null && args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return { kind: \"signedIn\" as const, signedIn: result };\n    }\n\n    // --- Provider is required past this point ---\n    const resolvedProvider = yield* provider != null\n      ? Fx.succeed(provider)\n      : Cv.fail({\n          code: \"SIGN_IN_MISSING_PARAMS\",\n          message: \"Cannot sign in: missing provider, code, or refresh token.\",\n        });\n\n    // --- Dispatch by provider type ---\n    return yield* Fx.match(resolvedProvider).on(\"type\", {\n      email: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      phone: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      credentials: (p) => handleCredentialsFx(ctx, p, args, options),\n      oauth: (p) => handleOAuthProviderFx(ctx, p, args, options),\n      passkey: (p) => handlePasskeyFx(ctx, p, args),\n      totp: (p) => handleTotp(ctx, p, args),\n      device: (p) => handleDevice(ctx, p, args),\n      sso: (_p) => handleSsoProviderFx(ctx, args),\n    });\n  });\n}\n\n// ============================================================================\n// Email / Phone\n// ============================================================================\n\nfunction handleEmailAndPhoneProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: EmailConfig | PhoneConfig,\n  args: {\n    params?: Record<string, any>;\n    accountId?: GenericId<\"Account\">;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"started\"; started: true }\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens },\n  ConvexError<any>\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          provider: provider.id,\n          generateTokens: options.generateTokens,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      const verified = yield* result != null\n        ? Fx.succeed(result)\n        : Cv.fail({\n            code: \"INVALID_VERIFICATION_CODE\",\n            message: \"Invalid or expired verification code.\",\n          });\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: verified as SessionInfoWithTokens,\n      };\n    }\n\n    // --- Send verification code path ---\n    const alphabet =\n      \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\";\n    const code = provider.generateVerificationToken\n      ? yield* Fx.from({\n          ok: async () => provider.generateVerificationToken!(),\n          err: () =>\n            Cv.error({\n              code: \"INTERNAL_ERROR\",\n              message: \"Failed to generate verification token\",\n            }),\n        })\n      : generateRandomString(32, alphabet);\n    const expirationTime =\n      Date.now() +\n      (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1000;\n\n    const identifier = yield* Fx.promise(() =>\n      callCreateVerificationCode(ctx, {\n        provider: provider.id,\n        accountId: args.accountId,\n        email: args.params?.email,\n        phone: args.params?.phone,\n        code,\n        expirationTime,\n        allowExtraProviders: options.allowExtraProviders,\n      }),\n    );\n    const destination = yield* Fx.promise(() =>\n      redirectAbsoluteUrl(\n        ctx.auth.config,\n        (args.params ?? {}) as { redirectTo: unknown },\n      ),\n    );\n    const verificationArgs = {\n      identifier,\n      url: setURLSearchParam(destination, \"code\", code),\n      token: code,\n      expires: new Date(expirationTime),\n    };\n    yield* Fx.match(provider).on(\"type\", {\n      email: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              {\n                ...verificationArgs,\n                provider: p,\n                request: new Request(\"http://localhost\"),\n              },\n              ctx,\n            ),\n          err: () =>\n            Cv.error({\n              code: \"INTERNAL_ERROR\",\n              message: \"Failed to send email code\",\n            }),\n        }),\n      phone: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              { ...verificationArgs, provider: p },\n              ctx,\n            ),\n          err: () =>\n            Cv.error({\n              code: \"INTERNAL_ERROR\",\n              message: \"Failed to send phone code\",\n            }),\n        }),\n    });\n    return { kind: \"started\" as const, started: true as const };\n  });\n}\n\n// ============================================================================\n// Credentials\n// ============================================================================\n\nfunction handleCredentialsFx(\n  ctx: EnrichedActionCtx,\n  provider: ConvexCredentialsConfig,\n  args: {\n    params?: Record<string, any>;\n  },\n  options: {\n    generateTokens: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"totpRequired\"; verifier: string },\n  ConvexError<any>\n> {\n  return Fx.gen(function* () {\n    const result = yield* Fx.promise(() =>\n      provider.authorize(args.params ?? {}, ctx),\n    );\n    if (result === null) {\n      return { kind: \"signedIn\" as const, signedIn: null };\n    }\n\n    // Check if user has TOTP 2FA enrolled before issuing tokens\n    const hasTotpEnrolled = yield* Fx.promise(async () => {\n      const totpDoc = await queryTotpVerifiedByUserId(ctx, result.userId);\n      return totpDoc !== null;\n    });\n    if (hasTotpEnrolled) {\n      // Create session but withhold tokens — TOTP verification needed\n      yield* Fx.promise(() =>\n        callSignIn(ctx, {\n          userId: result.userId,\n          sessionId: result.sessionId,\n          generateTokens: false,\n        }),\n      );\n      // Store userId in verifier so the TOTP verify flow can complete sign-in\n      const verifier = yield* Fx.promise(() => callVerifier(ctx));\n      yield* Fx.promise(() =>\n        callVerifierSignature(ctx, {\n          verifier,\n          signature: JSON.stringify({ userId: result.userId }),\n        }),\n      );\n      return { kind: \"totpRequired\" as const, verifier };\n    }\n\n    const idsAndTokens = yield* Fx.promise(() =>\n      callSignIn(ctx, {\n        userId: result.userId,\n        sessionId: result.sessionId,\n        generateTokens: options.generateTokens,\n      }),\n    );\n    return { kind: \"signedIn\" as const, signedIn: idsAndTokens };\n  });\n}\n\n// ============================================================================\n// OAuth\n// ============================================================================\n\nfunction handleOAuthProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: OAuthMaterializedConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n  options: {\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens | null }\n  | { kind: \"redirect\"; redirect: string; verifier: string },\n  ConvexError<any>\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: result as SessionInfoWithTokens | null,\n      };\n    }\n\n    // --- Build redirect URL ---\n    const redirect = new URL(\n      (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\")) +\n        `/api/auth/signin/${provider.id}`,\n    );\n    const verifier = yield* Fx.promise(() => callVerifier(ctx));\n    redirect.searchParams.set(\"code\", verifier);\n\n    if (args.params?.redirectTo !== undefined) {\n      yield* Fx.guard(\n        typeof args.params.redirectTo !== \"string\",\n        Cv.fail({\n          code: \"INVALID_REDIRECT\",\n          message: `Expected \\`redirectTo\\` to be a string, got ${args.params.redirectTo}`,\n        }),\n      );\n      redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n    }\n\n    return {\n      kind: \"redirect\" as const,\n      redirect: redirect.toString(),\n      verifier,\n    };\n  });\n}\n\n// ============================================================================\n// SSO (Enterprise OIDC / SAML)\n// ============================================================================\n\nfunction handleSsoProviderFx(\n  ctx: EnrichedActionCtx,\n  args: {\n    params?: Record<string, any>;\n  },\n): FxType<\n  { kind: \"redirect\"; redirect: string; verifier: string },\n  ConvexError<any>\n> {\n  return Fx.gen(function* () {\n    const enterpriseId = args.params?.enterpriseId;\n    if (!enterpriseId || typeof enterpriseId !== \"string\") {\n      return yield* Cv.fail({\n        code: \"SIGN_IN_MISSING_PARAMS\",\n        message: \"enterpriseId is required for SSO sign-in.\",\n      });\n    }\n\n    const protocol: \"oidc\" | \"saml\" = args.params?.protocol ?? \"oidc\";\n    if (protocol !== \"oidc\" && protocol !== \"saml\") {\n      return yield* Cv.fail({\n        code: \"SIGN_IN_MISSING_PARAMS\",\n        message: `Invalid SSO protocol: ${protocol as string}. Expected \"oidc\" or \"saml\".`,\n      });\n    }\n\n    const verifier = yield* Fx.promise(() => callVerifier(ctx));\n    const siteUrl =\n      process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\");\n    const redirect = new URL(\n      `${siteUrl}/api/auth/sso/${enterpriseId}/${protocol}/signin`,\n    );\n    redirect.searchParams.set(\"code\", verifier);\n\n    if (typeof args.params?.redirectTo === \"string\") {\n      redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n    }\n\n    return {\n      kind: \"redirect\" as const,\n      redirect: redirect.toString(),\n      verifier,\n    };\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAoCA,MAAM,6CAA6C,OAAU;;AA6B7D,eAAsB,WACpB,KACA,UACA,MAOA,SAIuB;CACvB,MAAM,KAAK,SAAS,KAAK,UAAU,MAAM,QAAQ;AACjD,QAAO,GAAG,IAAI,GAAG,KAAK,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC;;;;;;;;AASxD,SAAS,SACP,KACA,UACA,MAOA,SAIwC;AACxC,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,aAAa,QAAQ,KAAK,cAAc;GAC1C,MAAM,SAAS,OAAO,GAAG,cACvB,mBAAmB,KAAK,EAAE,cAAc,KAAK,cAAe,CAAC,CAC9D;AACD,OAAI,WAAW,KACb,QAAO;IAAE,MAAM;IAAqB,UAAU;IAAM;AAEtD,UAAO;IAAE,MAAM;IAA0B,UAAU,EAAE,QAAQ;IAAE;;AAIjE,MAAI,aAAa,QAAQ,KAAK,QAAQ,SAAS,OAS7C,QAAO;GAAE,MAAM;GAAqB,UARrB,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GACqD;EAIxD,MAAM,mBAAmB,OAAO,YAAY,OACxC,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK;GACN,MAAM;GACN,SAAS;GACV,CAAC;AAGN,SAAO,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,QAAQ;GAClD,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,cAAc,MAAM,oBAAoB,KAAK,GAAG,MAAM,QAAQ;GAC9D,QAAQ,MAAM,sBAAsB,KAAK,GAAG,MAAM,QAAQ;GAC1D,UAAU,MAAM,gBAAgB,KAAK,GAAG,KAAK;GAC7C,OAAO,MAAM,WAAW,KAAK,GAAG,KAAK;GACrC,SAAS,MAAM,aAAa,KAAK,GAAG,KAAK;GACzC,MAAM,OAAO,oBAAoB,KAAK,KAAK;GAC5C,CAAC;GACF;;AAOJ,SAAS,8BACP,KACA,UACA,MAIA,SAQA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,QAAW;GACnC,MAAM,SAAS,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,SAAS;IACnB,gBAAgB,QAAQ;IACxB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;AAOD,UAAO;IACL,MAAM;IACN,UARe,OAAO,UAAU,OAC9B,GAAG,QAAQ,OAAO,GAClB,GAAG,KAAK;KACN,MAAM;KACN,SAAS;KACV,CAAC;IAIL;;EAMH,MAAM,OAAO,SAAS,4BAClB,OAAO,GAAG,KAAK;GACb,IAAI,YAAY,SAAS,2BAA4B;GACrD,WACE,GAAG,MAAM;IACP,MAAM;IACN,SAAS;IACV,CAAC;GACL,CAAC,GACF,qBAAqB,IAVvB,iEAUoC;EACtC,MAAM,iBACJ,KAAK,KAAK,IACT,SAAS,UAAU,8CAA8C;EAmBpE,MAAM,mBAAmB;GACvB,YAlBiB,OAAO,GAAG,cAC3B,2BAA2B,KAAK;IAC9B,UAAU,SAAS;IACnB,WAAW,KAAK;IAChB,OAAO,KAAK,QAAQ;IACpB,OAAO,KAAK,QAAQ;IACpB;IACA;IACA,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GASC,KAAK,kBARa,OAAO,GAAG,cAC5B,oBACE,IAAI,KAAK,QACR,KAAK,UAAU,EAAE,CACnB,CACF,EAGqC,QAAQ,KAAK;GACjD,OAAO;GACP,SAAS,IAAI,KAAK,eAAe;GAClC;AACD,SAAO,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ;GACnC,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KACE,GAAG;KACH,UAAU;KACV,SAAS,IAAI,QAAQ,mBAAmB;KACzC,EACD,IACD;IACH,WACE,GAAG,MAAM;KACP,MAAM;KACN,SAAS;KACV,CAAC;IACL,CAAC;GACJ,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KAAE,GAAG;KAAkB,UAAU;KAAG,EACpC,IACD;IACH,WACE,GAAG,MAAM;KACP,MAAM;KACN,SAAS;KACV,CAAC;IACL,CAAC;GACL,CAAC;AACF,SAAO;GAAE,MAAM;GAAoB,SAAS;GAAe;GAC3D;;AAOJ,SAAS,oBACP,KACA,UACA,MAGA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,SAAS,OAAO,GAAG,cACvB,SAAS,UAAU,KAAK,UAAU,EAAE,EAAE,IAAI,CAC3C;AACD,MAAI,WAAW,KACb,QAAO;GAAE,MAAM;GAAqB,UAAU;GAAM;AAQtD,MAJwB,OAAO,GAAG,QAAQ,YAAY;AAEpD,UADgB,MAAM,0BAA0B,KAAK,OAAO,OAAO,KAChD;IACnB,EACmB;AAEnB,UAAO,GAAG,cACR,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB;IACjB,CAAC,CACH;GAED,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,UAAO,GAAG,cACR,sBAAsB,KAAK;IACzB;IACA,WAAW,KAAK,UAAU,EAAE,QAAQ,OAAO,QAAQ,CAAC;IACrD,CAAC,CACH;AACD,UAAO;IAAE,MAAM;IAAyB;IAAU;;AAUpD,SAAO;GAAE,MAAM;GAAqB,UAPf,OAAO,GAAG,cAC7B,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB,QAAQ;IACzB,CAAC,CACH;GAC2D;GAC5D;;AAOJ,SAAS,sBACP,KACA,UACA,MAIA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,OASxB,QAAO;GACL,MAAM;GACN,UAVa,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GAIA;EAIH,MAAM,WAAW,IAAI,KAClB,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB,IAChE,oBAAoB,SAAS,KAChC;EACD,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,WAAS,aAAa,IAAI,QAAQ,SAAS;AAE3C,MAAI,KAAK,QAAQ,eAAe,QAAW;AACzC,UAAO,GAAG,MACR,OAAO,KAAK,OAAO,eAAe,UAClC,GAAG,KAAK;IACN,MAAM;IACN,SAAS,+CAA+C,KAAK,OAAO;IACrE,CAAC,CACH;AACD,YAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;;AAGjE,SAAO;GACL,MAAM;GACN,UAAU,SAAS,UAAU;GAC7B;GACD;GACD;;AAOJ,SAAS,oBACP,KACA,MAMA;AACA,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,eAAe,KAAK,QAAQ;AAClC,MAAI,CAAC,gBAAgB,OAAO,iBAAiB,SAC3C,QAAO,OAAO,GAAG,KAAK;GACpB,MAAM;GACN,SAAS;GACV,CAAC;EAGJ,MAAM,WAA4B,KAAK,QAAQ,YAAY;AAC3D,MAAI,aAAa,UAAU,aAAa,OACtC,QAAO,OAAO,GAAG,KAAK;GACpB,MAAM;GACN,SAAS,yBAAyB,SAAmB;GACtD,CAAC;EAGJ,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;EAC3D,MAAM,UACJ,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB;EACnE,MAAM,WAAW,IAAI,IACnB,GAAG,QAAQ,gBAAgB,aAAa,GAAG,SAAS,SACrD;AACD,WAAS,aAAa,IAAI,QAAQ,SAAS;AAE3C,MAAI,OAAO,KAAK,QAAQ,eAAe,SACrC,UAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;AAGjE,SAAO;GACL,MAAM;GACN,UAAU,SAAS,UAAU;GAC7B;GACD;GACD"}

package/dist/server/ssr.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ssr.d.ts","names":[],"sources":["../../src/server/ssr.ts"],"mappings":";;KAkBY,gBAAA;EAAgB,6DAE1B,MAAA;AAAA;;KAIU,WAAA;EAAW,mDAErB,KAAA,iBAFqB;EAIrB,YAAA;EAEA,QAAA;AAAA;;KAIU,UAAA;EACV,IAAA;EACA,KAAA;EACA,OAAA;IACE,IAAA;IACA,QAAA;IACA,MAAA;IACA,QAAA;IACA,MAAA;IACA,OAAA,GAAU,IAAA;EAAA;AAAA;;;;KAOF,aAAA;EAAA,wEAEV,GAAA;;;;;;;EAOA,eAAA;EAkBA;;;;;;EAXA,QAAA,WA+BU;EA7BV,YAAA;EAEA,OAAA;EA8BI;;;;;;EAvBJ,eAAA;EAiCS;;AAkBX;;;;;;;EAzCE,gBAAA,KACM,OAAA,EAAS,OAAA,eAAsB,OAAA;AAAA;;;AA8DvC;;;KArDY,aAAA;EAsDV,yEAnDI,QAAA,QAqDJ;EAnDI,QAAA,EAAU,QAAA;AAAA;EAoDF,sDAhDR,QAAA,SAqE8B;EAnE9B,OAAA,EAAS,UAAA,IAsE8B;EApEvC,KAAA;AAAA;;;;;;;AAgHN;;;;iBA9FgB,eAAA,CACd,IAAA,WACA,eAAA;;;;;;;;;;;;;iBAoBc,gBAAA,CACd,YAAA,6BACA,IAAA,WACA,eAAA,mBACC,WAAA;;;;;AA0QH;;;;;;;iBArPgB,oBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,EACR,eAAA;;;;;;;;;;;;;iBA2Cc,qBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,EACR,eAAA,mBACC,UAAA;;;;;;;;;;;;;iBAuDa,qBAAA,CAAsB,QAAA,UAAkB,QAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA0IxC,MAAA,CAAO,OAAA,EAAS,aAAA;;;;;;;iBAqBb,OAAA;;;;;;;;;;kBAiBO,OAAA,GAAU,OAAA;;;;;;;;;;;;iBAoCX,OAAA,GAAU,OAAA,CAAQ,QAAA;;;;;;;;;;;;;;mBA+iBhB,OAAA,GAAU,OAAA,CAAQ,aAAA;AAAA"}
+{"version":3,"file":"ssr.d.ts","names":[],"sources":["../../src/server/ssr.ts"],"mappings":";;KAkBY,gBAAA;EAAgB,6DAE1B,MAAA;AAAA;;KAIU,WAAA;EAAW,mDAErB,KAAA,iBAFqB;EAIrB,YAAA;EAEA,QAAA;AAAA;;KAIU,UAAA;EACV,IAAA;EACA,KAAA;EACA,OAAA;IACE,IAAA;IACA,QAAA;IACA,MAAA;IACA,QAAA;IACA,MAAA;IACA,OAAA,GAAU,IAAA;EAAA;AAAA;;;;KAOF,aAAA;EAAA,wEAEV,GAAA;;;;;;;EAOA,eAAA;EAkBA;;;;;;EAXA,QAAA,WA+BU;EA7BV,YAAA;EAEA,OAAA;EA8BI;;;;;;EAvBJ,eAAA;EAiCS;;AAkBX;;;;;;;EAzCE,gBAAA,KACM,OAAA,EAAS,OAAA,eAAsB,OAAA;AAAA;;;AA8DvC;;;KArDY,aAAA;EAsDV,yEAnDI,QAAA,QAqDJ;EAnDI,QAAA,EAAU,QAAA;AAAA;EAoDF,sDAhDR,QAAA,SAqE8B;EAnE9B,OAAA,EAAS,UAAA,IAsE8B;EApEvC,KAAA;AAAA;;;;;;;AAgHN;;;;iBA9FgB,eAAA,CACd,IAAA,WACA,eAAA;;;;;;;;;;;;;iBAoBc,gBAAA,CACd,YAAA,6BACA,IAAA,WACA,eAAA,mBACC,WAAA;;;;;AA0QH;;;;;;;iBArPgB,oBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,EACR,eAAA;;;;;;;;;;;;;iBA2Cc,qBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,EACR,eAAA,mBACC,UAAA;;;;;;;;;;;;;iBAuDa,qBAAA,CAAsB,QAAA,UAAkB,QAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA0IxC,MAAA,CAAO,OAAA,EAAS,aAAA;;;;;;;iBAqBb,OAAA;;;;;;;;;;kBAiBO,OAAA,GAAU,OAAA;;;;;;;;;;;;iBAoCX,OAAA,GAAU,OAAA,CAAQ,QAAA;;;;;;;;;;;;;;mBA8hBhB,OAAA,GAAU,OAAA,CAAQ,aAAA;AAAA"}