@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.23

package/dist/server/users.js.map

@@ -1 +1 @@
-{"version":3,"file":"users.js","names":[],"sources":["../../src/server/users.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { AuthError } from \"./authError\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { AuthProviderMaterializedConfig, ConvexAuthConfig } from \"./types\";\nimport { LOG_LEVELS, logWithLevel } from \"./utils\";\n\ntype CreateOrUpdateUserArgs = {\n  type: \"oauth\" | \"credentials\" | \"email\" | \"phone\" | \"verification\";\n  provider: AuthProviderMaterializedConfig;\n  profile: Record<string, unknown> & {\n    email?: string;\n    phone?: string;\n    emailVerified?: boolean;\n    phoneVerified?: boolean;\n  };\n  accountExtend?: Record<string, unknown>;\n  shouldLinkViaEmail?: boolean;\n  shouldLinkViaPhone?: boolean;\n};\n\nfunction mergeExtend(\n  existing: unknown,\n  incoming: Record<string, unknown> | undefined,\n) {\n  if (!incoming) {\n    return undefined;\n  }\n  const existingRecord =\n    typeof existing === \"object\" &&\n    existing !== null &&\n    !Array.isArray(existing)\n      ? (existing as Record<string, unknown>)\n      : undefined;\n  return existingRecord ? { ...existingRecord, ...incoming } : incoming;\n}\n\n/** @internal */\nexport async function upsertUserAndAccount(\n  ctx: MutationCtx,\n  sessionId: GenericId<\"Session\"> | null,\n  account:\n    | { existingAccount: Doc<\"Account\"> }\n    | {\n        providerAccountId: string;\n        secret?: string;\n      },\n  args: CreateOrUpdateUserArgs,\n  config: ConvexAuthConfig,\n  opts?: { existingUserId?: GenericId<\"User\"> },\n): Promise<{\n  userId: GenericId<\"User\">;\n  accountId: GenericId<\"Account\">;\n}> {\n  const userId = await defaultCreateOrUpdateUser(\n    ctx,\n    sessionId,\n    \"existingAccount\" in account ? account.existingAccount : null,\n    args,\n    config,\n    opts?.existingUserId ?? null,\n  );\n  const accountId = await createOrUpdateAccount(\n    ctx,\n    userId,\n    account,\n    args,\n    config,\n  );\n  return { userId, accountId };\n}\n\nasync function defaultCreateOrUpdateUser(\n  ctx: MutationCtx,\n  existingSessionId: GenericId<\"Session\"> | null,\n  existingAccount: Doc<\"Account\"> | null,\n  args: CreateOrUpdateUserArgs,\n  config: ConvexAuthConfig,\n  existingUserIdOverride: GenericId<\"User\"> | null,\n) {\n  logWithLevel(LOG_LEVELS.DEBUG, \"defaultCreateOrUpdateUser args:\", {\n    existingAccountId: existingAccount?._id,\n    existingSessionId,\n    args,\n  });\n  const existingUserId = existingAccount?.userId ?? null;\n  const db = authDb(ctx, config);\n  if (config.callbacks?.createOrUpdateUser !== undefined) {\n    logWithLevel(LOG_LEVELS.DEBUG, \"Using custom createOrUpdateUser callback\");\n    return await config.callbacks.createOrUpdateUser(ctx, {\n      existingUserId,\n      ...args,\n    });\n  }\n\n  const {\n    provider,\n    profile: {\n      id: _profileId,\n      emailVerified: profileEmailVerified,\n      phoneVerified: profilePhoneVerified,\n      ...profile\n    },\n  } = args;\n  const emailVerified =\n    profileEmailVerified ??\n    (provider.type === \"oauth\" && provider.accountLinking !== \"none\");\n  const phoneVerified = profilePhoneVerified ?? false;\n  const shouldLinkViaEmail =\n    args.shouldLinkViaEmail || emailVerified || provider.type === \"email\";\n  const shouldLinkViaPhone =\n    args.shouldLinkViaPhone || phoneVerified || provider.type === \"phone\";\n\n  let userId = existingUserId ?? existingUserIdOverride;\n  if (existingUserId === null) {\n    const existingUserWithVerifiedEmailId =\n      typeof profile.email === \"string\" && shouldLinkViaEmail\n        ? ((await uniqueUserWithVerifiedEmail(ctx, profile.email, config))\n            ?._id ?? null)\n        : null;\n\n    const existingUserWithVerifiedPhoneId =\n      typeof profile.phone === \"string\" && shouldLinkViaPhone\n        ? ((await uniqueUserWithVerifiedPhone(ctx, profile.phone, config))\n            ?._id ?? null)\n        : null;\n    const linkDispatch = {\n      tag:\n        existingUserWithVerifiedEmailId !== null &&\n        existingUserWithVerifiedPhoneId !== null\n          ? \"both\"\n          : existingUserWithVerifiedEmailId !== null\n            ? \"email\"\n            : existingUserWithVerifiedPhoneId !== null\n              ? \"phone\"\n              : \"none\",\n      existingUserWithVerifiedEmailId,\n      existingUserWithVerifiedPhoneId,\n    } as const;\n\n    const linkHandlers = {\n      both: () =>\n        Fx.sync(() => {\n          logWithLevel(\n            LOG_LEVELS.DEBUG,\n            `Found existing email and phone verified users, so not linking: email: ${linkDispatch.existingUserWithVerifiedEmailId}, phone: ${linkDispatch.existingUserWithVerifiedPhoneId}`,\n          );\n          return null;\n        }),\n      email: () =>\n        Fx.sync(() => {\n          logWithLevel(\n            LOG_LEVELS.DEBUG,\n            `Found existing email verified user, linking: ${linkDispatch.existingUserWithVerifiedEmailId}`,\n          );\n          return linkDispatch.existingUserWithVerifiedEmailId;\n        }),\n      phone: () =>\n        Fx.sync(() => {\n          logWithLevel(\n            LOG_LEVELS.DEBUG,\n            `Found existing phone verified user, linking: ${linkDispatch.existingUserWithVerifiedPhoneId}`,\n          );\n          return linkDispatch.existingUserWithVerifiedPhoneId;\n        }),\n      none: () =>\n        Fx.sync(() => {\n          logWithLevel(\n            LOG_LEVELS.DEBUG,\n            \"No existing verified users found, creating new user\",\n          );\n          return null;\n        }),\n    } as const;\n\n    userId = await Fx.run(linkHandlers[linkDispatch.tag]());\n  }\n  const userData = {\n    ...(emailVerified ? { emailVerificationTime: Date.now() } : null),\n    ...(phoneVerified ? { phoneVerificationTime: Date.now() } : null),\n    ...profile,\n  };\n  const existingOrLinkedUserId = userId;\n  if (userId !== null) {\n    await Fx.run(\n      Fx.from({\n        ok: () => db.users.patch(userId!, userData),\n        err: (error) =>\n          new AuthError(\n            \"USER_UPDATE_FAILED\",\n            `Could not update user document with ID \\`${userId}\\`, ` +\n              `either the user has been deleted but their account has not, ` +\n              `or the profile data doesn't match the \\`users\\` table schema: ` +\n              `${(error as Error).message}`,\n          ),\n      }).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))),\n    );\n  } else {\n    userId = (await db.users.insert(userData)) as GenericId<\"User\">;\n  }\n  const afterUserCreatedOrUpdated = config.callbacks?.afterUserCreatedOrUpdated;\n  if (afterUserCreatedOrUpdated !== undefined) {\n    logWithLevel(\n      LOG_LEVELS.DEBUG,\n      \"Calling custom afterUserCreatedOrUpdated callback\",\n    );\n    await afterUserCreatedOrUpdated(ctx, {\n      userId,\n      existingUserId: existingOrLinkedUserId,\n      ...args,\n    });\n  } else {\n    logWithLevel(\n      LOG_LEVELS.DEBUG,\n      \"No custom afterUserCreatedOrUpdated callback, skipping\",\n    );\n  }\n  return userId;\n}\n\nasync function uniqueUserWithVerifiedEmail(\n  ctx: MutationCtx,\n  email: string,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  return (await db.users.findByVerifiedEmail(email)) as Doc<\"User\"> | null;\n}\n\nasync function uniqueUserWithVerifiedPhone(\n  ctx: MutationCtx,\n  phone: string,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  return (await db.users.findByVerifiedPhone(phone)) as Doc<\"User\"> | null;\n}\n\nasync function createOrUpdateAccount(\n  ctx: MutationCtx,\n  userId: GenericId<\"User\">,\n  account:\n    | { existingAccount: Doc<\"Account\"> }\n    | {\n        providerAccountId: string;\n        secret?: string;\n      },\n  args: CreateOrUpdateUserArgs,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const mergedExtend =\n    \"existingAccount\" in account\n      ? mergeExtend(account.existingAccount.extend, args.accountExtend)\n      : args.accountExtend;\n  const accountId =\n    \"existingAccount\" in account\n      ? account.existingAccount._id\n      : ((await db.accounts.create({\n          userId,\n          provider: args.provider.id,\n          providerAccountId: account.providerAccountId,\n          secret: account.secret,\n          extend: mergedExtend,\n        })) as GenericId<\"Account\">);\n  // This is never used with the default `createOrUpdateUser` implementation,\n  // but it is used for manual linking via custom `createOrUpdateUser`:\n  if (\n    \"existingAccount\" in account &&\n    account.existingAccount.userId !== userId\n  ) {\n    await db.accounts.patch(accountId, { userId });\n  }\n  const accountPatchData: Record<string, unknown> = {};\n  if (mergedExtend) {\n    accountPatchData.extend = mergedExtend;\n  }\n  if (args.profile.emailVerified) {\n    accountPatchData.emailVerified = args.profile.email;\n  }\n  if (args.profile.phoneVerified) {\n    accountPatchData.phoneVerified = args.profile.phone;\n  }\n  if (Object.keys(accountPatchData).length > 0) {\n    await db.accounts.patch(accountId, accountPatchData);\n  }\n  return accountId;\n}\n"],"mappings":";;;;;;AAuBA,SAAS,YACP,UACA,UACA;AACA,KAAI,CAAC,SACH;CAEF,MAAM,iBACJ,OAAO,aAAa,YACpB,aAAa,QACb,CAAC,MAAM,QAAQ,SAAS,GACnB,WACD;AACN,QAAO,iBAAiB;EAAE,GAAG;EAAgB,GAAG;EAAU,GAAG;;;AAI/D,eAAsB,qBACpB,KACA,WACA,SAMA,MACA,QACA,MAIC;CACD,MAAM,SAAS,MAAM,0BACnB,KACA,WACA,qBAAqB,UAAU,QAAQ,kBAAkB,MACzD,MACA,QACA,MAAM,kBAAkB,KACzB;AAQD,QAAO;EAAE;EAAQ,WAPC,MAAM,sBACtB,KACA,QACA,SACA,MACA,OACD;EAC2B;;AAG9B,eAAe,0BACb,KACA,mBACA,iBACA,MACA,QACA,wBACA;AACA,cAAa,WAAW,OAAO,mCAAmC;EAChE,mBAAmB,iBAAiB;EACpC;EACA;EACD,CAAC;CACF,MAAM,iBAAiB,iBAAiB,UAAU;CAClD,MAAM,KAAK,OAAO,KAAK,OAAO;AAC9B,KAAI,OAAO,WAAW,uBAAuB,QAAW;AACtD,eAAa,WAAW,OAAO,2CAA2C;AAC1E,SAAO,MAAM,OAAO,UAAU,mBAAmB,KAAK;GACpD;GACA,GAAG;GACJ,CAAC;;CAGJ,MAAM,EACJ,UACA,SAAS,EACP,IAAI,YACJ,eAAe,sBACf,eAAe,sBACf,GAAG,cAEH;CACJ,MAAM,gBACJ,yBACC,SAAS,SAAS,WAAW,SAAS,mBAAmB;CAC5D,MAAM,gBAAgB,wBAAwB;CAC9C,MAAM,qBACJ,KAAK,sBAAsB,iBAAiB,SAAS,SAAS;CAChE,MAAM,qBACJ,KAAK,sBAAsB,iBAAiB,SAAS,SAAS;CAEhE,IAAI,SAAS,kBAAkB;AAC/B,KAAI,mBAAmB,MAAM;EAC3B,MAAM,kCACJ,OAAO,QAAQ,UAAU,YAAY,sBAC/B,MAAM,4BAA4B,KAAK,QAAQ,OAAO,OAAO,GAC3D,OAAO,OACX;EAEN,MAAM,kCACJ,OAAO,QAAQ,UAAU,YAAY,sBAC/B,MAAM,4BAA4B,KAAK,QAAQ,OAAO,OAAO,GAC3D,OAAO,OACX;EACN,MAAM,eAAe;GACnB,KACE,oCAAoC,QACpC,oCAAoC,OAChC,SACA,oCAAoC,OAClC,UACA,oCAAoC,OAClC,UACA;GACV;GACA;GACD;AAqCD,WAAS,MAAM,GAAG,IAnCG;GACnB,YACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,yEAAyE,aAAa,gCAAgC,WAAW,aAAa,kCAC/I;AACD,WAAO;KACP;GACJ,aACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,gDAAgD,aAAa,kCAC9D;AACD,WAAO,aAAa;KACpB;GACJ,aACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,gDAAgD,aAAa,kCAC9D;AACD,WAAO,aAAa;KACpB;GACJ,YACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,sDACD;AACD,WAAO;KACP;GACL,CAEkC,aAAa,MAAM,CAAC;;CAEzD,MAAM,WAAW;EACf,GAAI,gBAAgB,EAAE,uBAAuB,KAAK,KAAK,EAAE,GAAG;EAC5D,GAAI,gBAAgB,EAAE,uBAAuB,KAAK,KAAK,EAAE,GAAG;EAC5D,GAAG;EACJ;CACD,MAAM,yBAAyB;AAC/B,KAAI,WAAW,KACb,OAAM,GAAG,IACP,GAAG,KAAK;EACN,UAAU,GAAG,MAAM,MAAM,QAAS,SAAS;EAC3C,MAAM,UACJ,IAAI,UACF,sBACA,4CAA4C,OAAO,gIAG7C,MAAgB,UACvB;EACJ,CAAC,CAAC,KAAK,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CACxD;KAED,UAAU,MAAM,GAAG,MAAM,OAAO,SAAS;CAE3C,MAAM,4BAA4B,OAAO,WAAW;AACpD,KAAI,8BAA8B,QAAW;AAC3C,eACE,WAAW,OACX,oDACD;AACD,QAAM,0BAA0B,KAAK;GACnC;GACA,gBAAgB;GAChB,GAAG;GACJ,CAAC;OAEF,cACE,WAAW,OACX,yDACD;AAEH,QAAO;;AAGT,eAAe,4BACb,KACA,OACA,QACA;AAEA,QAAQ,MADG,OAAO,KAAK,OAAO,CACb,MAAM,oBAAoB,MAAM;;AAGnD,eAAe,4BACb,KACA,OACA,QACA;AAEA,QAAQ,MADG,OAAO,KAAK,OAAO,CACb,MAAM,oBAAoB,MAAM;;AAGnD,eAAe,sBACb,KACA,QACA,SAMA,MACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,eACJ,qBAAqB,UACjB,YAAY,QAAQ,gBAAgB,QAAQ,KAAK,cAAc,GAC/D,KAAK;CACX,MAAM,YACJ,qBAAqB,UACjB,QAAQ,gBAAgB,MACtB,MAAM,GAAG,SAAS,OAAO;EACzB;EACA,UAAU,KAAK,SAAS;EACxB,mBAAmB,QAAQ;EAC3B,QAAQ,QAAQ;EAChB,QAAQ;EACT,CAAC;AAGR,KACE,qBAAqB,WACrB,QAAQ,gBAAgB,WAAW,OAEnC,OAAM,GAAG,SAAS,MAAM,WAAW,EAAE,QAAQ,CAAC;CAEhD,MAAM,mBAA4C,EAAE;AACpD,KAAI,aACF,kBAAiB,SAAS;AAE5B,KAAI,KAAK,QAAQ,cACf,kBAAiB,gBAAgB,KAAK,QAAQ;AAEhD,KAAI,KAAK,QAAQ,cACf,kBAAiB,gBAAgB,KAAK,QAAQ;AAEhD,KAAI,OAAO,KAAK,iBAAiB,CAAC,SAAS,EACzC,OAAM,GAAG,SAAS,MAAM,WAAW,iBAAiB;AAEtD,QAAO"}
+{"version":3,"file":"users.js","names":[],"sources":["../../src/server/users.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport { GenericId } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { AuthProviderMaterializedConfig, ConvexAuthConfig } from \"./types\";\nimport { LOG_LEVELS, logWithLevel } from \"./utils\";\n\ntype CreateOrUpdateUserArgs = {\n  type: \"oauth\" | \"credentials\" | \"email\" | \"phone\" | \"verification\";\n  provider: AuthProviderMaterializedConfig;\n  profile: Record<string, unknown> & {\n    email?: string;\n    phone?: string;\n    emailVerified?: boolean;\n    phoneVerified?: boolean;\n  };\n  accountExtend?: Record<string, unknown>;\n  shouldLinkViaEmail?: boolean;\n  shouldLinkViaPhone?: boolean;\n};\n\nfunction mergeExtend(\n  existing: unknown,\n  incoming: Record<string, unknown> | undefined,\n) {\n  if (!incoming) {\n    return undefined;\n  }\n  const existingRecord =\n    typeof existing === \"object\" &&\n    existing !== null &&\n    !Array.isArray(existing)\n      ? (existing as Record<string, unknown>)\n      : undefined;\n  return existingRecord ? { ...existingRecord, ...incoming } : incoming;\n}\n\n/** @internal */\nexport async function upsertUserAndAccount(\n  ctx: MutationCtx,\n  sessionId: GenericId<\"Session\"> | null,\n  account:\n    | { existingAccount: Doc<\"Account\"> }\n    | {\n        providerAccountId: string;\n        secret?: string;\n      },\n  args: CreateOrUpdateUserArgs,\n  config: ConvexAuthConfig,\n  opts?: { existingUserId?: GenericId<\"User\"> },\n): Promise<{\n  userId: GenericId<\"User\">;\n  accountId: GenericId<\"Account\">;\n}> {\n  const userId = await defaultCreateOrUpdateUser(\n    ctx,\n    sessionId,\n    \"existingAccount\" in account ? account.existingAccount : null,\n    args,\n    config,\n    opts?.existingUserId ?? null,\n  );\n  const accountId = await createOrUpdateAccount(\n    ctx,\n    userId,\n    account,\n    args,\n    config,\n  );\n  return { userId, accountId };\n}\n\nasync function defaultCreateOrUpdateUser(\n  ctx: MutationCtx,\n  existingSessionId: GenericId<\"Session\"> | null,\n  existingAccount: Doc<\"Account\"> | null,\n  args: CreateOrUpdateUserArgs,\n  config: ConvexAuthConfig,\n  existingUserIdOverride: GenericId<\"User\"> | null,\n) {\n  logWithLevel(LOG_LEVELS.DEBUG, \"defaultCreateOrUpdateUser args:\", {\n    existingAccountId: existingAccount?._id,\n    existingSessionId,\n    args,\n  });\n  const existingUserId = existingAccount?.userId ?? null;\n  const db = authDb(ctx, config);\n  if (config.callbacks?.createOrUpdateUser !== undefined) {\n    logWithLevel(LOG_LEVELS.DEBUG, \"Using custom createOrUpdateUser callback\");\n    return await config.callbacks.createOrUpdateUser(ctx, {\n      existingUserId,\n      ...args,\n    });\n  }\n\n  const {\n    provider,\n    profile: {\n      id: _profileId,\n      emailVerified: profileEmailVerified,\n      phoneVerified: profilePhoneVerified,\n      ...profile\n    },\n  } = args;\n  const emailVerified =\n    profileEmailVerified ??\n    (provider.type === \"oauth\" && provider.accountLinking !== \"none\");\n  const phoneVerified = profilePhoneVerified ?? false;\n  const shouldLinkViaEmail =\n    args.shouldLinkViaEmail || emailVerified || provider.type === \"email\";\n  const shouldLinkViaPhone =\n    args.shouldLinkViaPhone || phoneVerified || provider.type === \"phone\";\n\n  let userId = existingUserId ?? existingUserIdOverride;\n  if (existingUserId === null) {\n    const existingUserWithVerifiedEmailId =\n      typeof profile.email === \"string\" && shouldLinkViaEmail\n        ? ((await uniqueUserWithVerifiedEmail(ctx, profile.email, config))\n            ?._id ?? null)\n        : null;\n\n    const existingUserWithVerifiedPhoneId =\n      typeof profile.phone === \"string\" && shouldLinkViaPhone\n        ? ((await uniqueUserWithVerifiedPhone(ctx, profile.phone, config))\n            ?._id ?? null)\n        : null;\n    const linkDispatch = {\n      tag:\n        existingUserWithVerifiedEmailId !== null &&\n        existingUserWithVerifiedPhoneId !== null\n          ? \"both\"\n          : existingUserWithVerifiedEmailId !== null\n            ? \"email\"\n            : existingUserWithVerifiedPhoneId !== null\n              ? \"phone\"\n              : \"none\",\n      existingUserWithVerifiedEmailId,\n      existingUserWithVerifiedPhoneId,\n    } as const;\n\n    const linkHandlers = {\n      both: () =>\n        Fx.sync(() => {\n          logWithLevel(\n            LOG_LEVELS.DEBUG,\n            `Found existing email and phone verified users, so not linking: email: ${linkDispatch.existingUserWithVerifiedEmailId}, phone: ${linkDispatch.existingUserWithVerifiedPhoneId}`,\n          );\n          return null;\n        }),\n      email: () =>\n        Fx.sync(() => {\n          logWithLevel(\n            LOG_LEVELS.DEBUG,\n            `Found existing email verified user, linking: ${linkDispatch.existingUserWithVerifiedEmailId}`,\n          );\n          return linkDispatch.existingUserWithVerifiedEmailId;\n        }),\n      phone: () =>\n        Fx.sync(() => {\n          logWithLevel(\n            LOG_LEVELS.DEBUG,\n            `Found existing phone verified user, linking: ${linkDispatch.existingUserWithVerifiedPhoneId}`,\n          );\n          return linkDispatch.existingUserWithVerifiedPhoneId;\n        }),\n      none: () =>\n        Fx.sync(() => {\n          logWithLevel(\n            LOG_LEVELS.DEBUG,\n            \"No existing verified users found, creating new user\",\n          );\n          return null;\n        }),\n    } as const;\n\n    userId = await Fx.run(linkHandlers[linkDispatch.tag]());\n  }\n  const userData = {\n    ...(emailVerified ? { emailVerificationTime: Date.now() } : null),\n    ...(phoneVerified ? { phoneVerificationTime: Date.now() } : null),\n    ...profile,\n  };\n  const existingOrLinkedUserId = userId;\n  if (userId !== null) {\n    await Fx.run(\n      Fx.from({\n        ok: () => db.users.patch(userId!, userData),\n        err: (error) =>\n          Cv.error({\n            code: \"USER_UPDATE_FAILED\",\n            message:\n              `Could not update user document with ID \\`${userId}\\`, ` +\n              `either the user has been deleted but their account has not, ` +\n              `or the profile data doesn't match the \\`users\\` table schema: ` +\n              `${(error as Error).message}`,\n          }),\n      }).pipe(Fx.recover((e) => Fx.fatal(e))),\n    );\n  } else {\n    userId = (await db.users.insert(userData)) as GenericId<\"User\">;\n  }\n  const afterUserCreatedOrUpdated = config.callbacks?.afterUserCreatedOrUpdated;\n  if (afterUserCreatedOrUpdated !== undefined) {\n    logWithLevel(\n      LOG_LEVELS.DEBUG,\n      \"Calling custom afterUserCreatedOrUpdated callback\",\n    );\n    await afterUserCreatedOrUpdated(ctx, {\n      userId,\n      existingUserId: existingOrLinkedUserId,\n      ...args,\n    });\n  } else {\n    logWithLevel(\n      LOG_LEVELS.DEBUG,\n      \"No custom afterUserCreatedOrUpdated callback, skipping\",\n    );\n  }\n  return userId;\n}\n\nasync function uniqueUserWithVerifiedEmail(\n  ctx: MutationCtx,\n  email: string,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  return (await db.users.findByVerifiedEmail(email)) as Doc<\"User\"> | null;\n}\n\nasync function uniqueUserWithVerifiedPhone(\n  ctx: MutationCtx,\n  phone: string,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  return (await db.users.findByVerifiedPhone(phone)) as Doc<\"User\"> | null;\n}\n\nasync function createOrUpdateAccount(\n  ctx: MutationCtx,\n  userId: GenericId<\"User\">,\n  account:\n    | { existingAccount: Doc<\"Account\"> }\n    | {\n        providerAccountId: string;\n        secret?: string;\n      },\n  args: CreateOrUpdateUserArgs,\n  config: ConvexAuthConfig,\n) {\n  const db = authDb(ctx, config);\n  const mergedExtend =\n    \"existingAccount\" in account\n      ? mergeExtend(account.existingAccount.extend, args.accountExtend)\n      : args.accountExtend;\n  const accountId =\n    \"existingAccount\" in account\n      ? account.existingAccount._id\n      : ((await db.accounts.create({\n          userId,\n          provider: args.provider.id,\n          providerAccountId: account.providerAccountId,\n          secret: account.secret,\n          extend: mergedExtend,\n        })) as GenericId<\"Account\">);\n  // This is never used with the default `createOrUpdateUser` implementation,\n  // but it is used for manual linking via custom `createOrUpdateUser`:\n  if (\n    \"existingAccount\" in account &&\n    account.existingAccount.userId !== userId\n  ) {\n    await db.accounts.patch(accountId, { userId });\n  }\n  const accountPatchData: Record<string, unknown> = {};\n  if (mergedExtend) {\n    accountPatchData.extend = mergedExtend;\n  }\n  if (args.profile.emailVerified) {\n    accountPatchData.emailVerified = args.profile.email;\n  }\n  if (args.profile.phoneVerified) {\n    accountPatchData.phoneVerified = args.profile.phone;\n  }\n  if (Object.keys(accountPatchData).length > 0) {\n    await db.accounts.patch(accountId, accountPatchData);\n  }\n  return accountId;\n}\n"],"mappings":";;;;;;AAuBA,SAAS,YACP,UACA,UACA;AACA,KAAI,CAAC,SACH;CAEF,MAAM,iBACJ,OAAO,aAAa,YACpB,aAAa,QACb,CAAC,MAAM,QAAQ,SAAS,GACnB,WACD;AACN,QAAO,iBAAiB;EAAE,GAAG;EAAgB,GAAG;EAAU,GAAG;;;AAI/D,eAAsB,qBACpB,KACA,WACA,SAMA,MACA,QACA,MAIC;CACD,MAAM,SAAS,MAAM,0BACnB,KACA,WACA,qBAAqB,UAAU,QAAQ,kBAAkB,MACzD,MACA,QACA,MAAM,kBAAkB,KACzB;AAQD,QAAO;EAAE;EAAQ,WAPC,MAAM,sBACtB,KACA,QACA,SACA,MACA,OACD;EAC2B;;AAG9B,eAAe,0BACb,KACA,mBACA,iBACA,MACA,QACA,wBACA;AACA,cAAa,WAAW,OAAO,mCAAmC;EAChE,mBAAmB,iBAAiB;EACpC;EACA;EACD,CAAC;CACF,MAAM,iBAAiB,iBAAiB,UAAU;CAClD,MAAM,KAAK,OAAO,KAAK,OAAO;AAC9B,KAAI,OAAO,WAAW,uBAAuB,QAAW;AACtD,eAAa,WAAW,OAAO,2CAA2C;AAC1E,SAAO,MAAM,OAAO,UAAU,mBAAmB,KAAK;GACpD;GACA,GAAG;GACJ,CAAC;;CAGJ,MAAM,EACJ,UACA,SAAS,EACP,IAAI,YACJ,eAAe,sBACf,eAAe,sBACf,GAAG,cAEH;CACJ,MAAM,gBACJ,yBACC,SAAS,SAAS,WAAW,SAAS,mBAAmB;CAC5D,MAAM,gBAAgB,wBAAwB;CAC9C,MAAM,qBACJ,KAAK,sBAAsB,iBAAiB,SAAS,SAAS;CAChE,MAAM,qBACJ,KAAK,sBAAsB,iBAAiB,SAAS,SAAS;CAEhE,IAAI,SAAS,kBAAkB;AAC/B,KAAI,mBAAmB,MAAM;EAC3B,MAAM,kCACJ,OAAO,QAAQ,UAAU,YAAY,sBAC/B,MAAM,4BAA4B,KAAK,QAAQ,OAAO,OAAO,GAC3D,OAAO,OACX;EAEN,MAAM,kCACJ,OAAO,QAAQ,UAAU,YAAY,sBAC/B,MAAM,4BAA4B,KAAK,QAAQ,OAAO,OAAO,GAC3D,OAAO,OACX;EACN,MAAM,eAAe;GACnB,KACE,oCAAoC,QACpC,oCAAoC,OAChC,SACA,oCAAoC,OAClC,UACA,oCAAoC,OAClC,UACA;GACV;GACA;GACD;AAqCD,WAAS,MAAM,GAAG,IAnCG;GACnB,YACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,yEAAyE,aAAa,gCAAgC,WAAW,aAAa,kCAC/I;AACD,WAAO;KACP;GACJ,aACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,gDAAgD,aAAa,kCAC9D;AACD,WAAO,aAAa;KACpB;GACJ,aACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,gDAAgD,aAAa,kCAC9D;AACD,WAAO,aAAa;KACpB;GACJ,YACE,GAAG,WAAW;AACZ,iBACE,WAAW,OACX,sDACD;AACD,WAAO;KACP;GACL,CAEkC,aAAa,MAAM,CAAC;;CAEzD,MAAM,WAAW;EACf,GAAI,gBAAgB,EAAE,uBAAuB,KAAK,KAAK,EAAE,GAAG;EAC5D,GAAI,gBAAgB,EAAE,uBAAuB,KAAK,KAAK,EAAE,GAAG;EAC5D,GAAG;EACJ;CACD,MAAM,yBAAyB;AAC/B,KAAI,WAAW,KACb,OAAM,GAAG,IACP,GAAG,KAAK;EACN,UAAU,GAAG,MAAM,MAAM,QAAS,SAAS;EAC3C,MAAM,UACJ,GAAG,MAAM;GACP,MAAM;GACN,SACE,4CAA4C,OAAO,gIAG/C,MAAgB;GACvB,CAAC;EACL,CAAC,CAAC,KAAK,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CACxC;KAED,UAAU,MAAM,GAAG,MAAM,OAAO,SAAS;CAE3C,MAAM,4BAA4B,OAAO,WAAW;AACpD,KAAI,8BAA8B,QAAW;AAC3C,eACE,WAAW,OACX,oDACD;AACD,QAAM,0BAA0B,KAAK;GACnC;GACA,gBAAgB;GAChB,GAAG;GACJ,CAAC;OAEF,cACE,WAAW,OACX,yDACD;AAEH,QAAO;;AAGT,eAAe,4BACb,KACA,OACA,QACA;AAEA,QAAQ,MADG,OAAO,KAAK,OAAO,CACb,MAAM,oBAAoB,MAAM;;AAGnD,eAAe,4BACb,KACA,OACA,QACA;AAEA,QAAQ,MADG,OAAO,KAAK,OAAO,CACb,MAAM,oBAAoB,MAAM;;AAGnD,eAAe,sBACb,KACA,QACA,SAMA,MACA,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,eACJ,qBAAqB,UACjB,YAAY,QAAQ,gBAAgB,QAAQ,KAAK,cAAc,GAC/D,KAAK;CACX,MAAM,YACJ,qBAAqB,UACjB,QAAQ,gBAAgB,MACtB,MAAM,GAAG,SAAS,OAAO;EACzB;EACA,UAAU,KAAK,SAAS;EACxB,mBAAmB,QAAQ;EAC3B,QAAQ,QAAQ;EAChB,QAAQ;EACT,CAAC;AAGR,KACE,qBAAqB,WACrB,QAAQ,gBAAgB,WAAW,OAEnC,OAAM,GAAG,SAAS,MAAM,WAAW,EAAE,QAAQ,CAAC;CAEhD,MAAM,mBAA4C,EAAE;AACpD,KAAI,aACF,kBAAiB,SAAS;AAE5B,KAAI,KAAK,QAAQ,cACf,kBAAiB,gBAAgB,KAAK,QAAQ;AAEhD,KAAI,KAAK,QAAQ,cACf,kBAAiB,gBAAgB,KAAK,QAAQ;AAEhD,KAAI,OAAO,KAAK,iBAAiB,CAAC,SAAS,EACzC,OAAM,GAAG,SAAS,MAAM,WAAW,iBAAiB;AAEtD,QAAO"}

package/dist/server/utils.js

@@ -1,4 +1,4 @@
-import { AuthError } from "./authError.js";
+import { Cv } from "@robelest/fx/convex";
 import { generateRandomString as generateRandomString$1 } from "@oslojs/crypto/random";
 import { sha256 as sha256$1 } from "@oslojs/crypto/sha2";
 import { decodeBase64urlIgnorePadding, encodeBase64urlNoPadding, encodeHexLowerCase } from "@oslojs/encoding";
@@ -7,13 +7,16 @@ import { decodeBase64urlIgnorePadding, encodeBase64urlNoPadding, encodeHexLowerC
 /**
 * Require an environment variable to be set, throwing at config time if missing.
 *
-* Uses `AuthError.toConvexError()` directly since this is a synchronous guard
+* Uses `Cv.error()` directly since this is a synchronous guard
 * called inline in many expressions — not suitable for Fx pipeline wrapping.
 */
 /** @internal */
 function requireEnv(name) {
 	const value = process.env[name];
-	if (value === void 0) throw new AuthError("MISSING_ENV_VAR", `Missing environment variable \`${name}\``, { variable: name }).toConvexError();
+	if (value === void 0) throw Cv.error({
+		code: "MISSING_ENV_VAR",
+		message: `Missing environment variable \`${name}\``
+	});
 	return value;
 }
 /** @internal */
@@ -107,7 +110,10 @@ async function encryptSecret(value) {
 /** @internal */
 async function decryptSecret(ciphertext) {
 	const [ivEncoded, payloadEncoded] = ciphertext.split(".");
-	if (!ivEncoded || !payloadEncoded) throw new AuthError("INVALID_PARAMETERS", "Stored enterprise secret is malformed.").toConvexError();
+	if (!ivEncoded || !payloadEncoded) throw Cv.error({
+		code: "INVALID_PARAMETERS",
+		message: "Stored enterprise secret is malformed."
+	});
 	const key = await getSecretCryptoKey();
 	const decrypted = await crypto.subtle.decrypt({
 		name: "AES-GCM",

package/dist/server/utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"utils.js","names":["rawSha256","osloGenerateRandomString"],"sources":["../../src/server/utils.ts"],"sourcesContent":["import {\n  RandomReader,\n  generateRandomString as osloGenerateRandomString,\n} from \"@oslojs/crypto/random\";\nimport { sha256 as rawSha256 } from \"@oslojs/crypto/sha2\";\nimport {\n  decodeBase64urlIgnorePadding,\n  encodeBase64urlNoPadding,\n  encodeHexLowerCase,\n} from \"@oslojs/encoding\";\n\nimport { AuthError } from \"./authError\";\n\n/**\n * Require an environment variable to be set, throwing at config time if missing.\n *\n * Uses `AuthError.toConvexError()` directly since this is a synchronous guard\n * called inline in many expressions — not suitable for Fx pipeline wrapping.\n */\n/** @internal */\nexport function requireEnv(name: string) {\n  const value = process.env[name];\n  if (value === undefined) {\n    throw new AuthError(\n      \"MISSING_ENV_VAR\",\n      `Missing environment variable \\`${name}\\``,\n      { variable: name },\n    ).toConvexError();\n  }\n  return value;\n}\n\n/** @internal */\nexport function isLocalHost(host?: string) {\n  if (host === undefined) {\n    return false;\n  }\n  const raw = host.includes(\"://\") ? host : `http://${host}`;\n  let url: URL;\n  try {\n    url = new URL(raw);\n  } catch {\n    return false;\n  }\n  return (\n    url.hostname === \"localhost\" ||\n    url.hostname === \"127.0.0.1\" ||\n    url.hostname === \"::1\"\n  );\n}\n\n// Internal server utilities (merged from former internalUtils.ts)\n\n/** @internal */\nexport const TOKEN_SUB_CLAIM_DIVIDER = \"|\";\n/** @internal */\nexport const REFRESH_TOKEN_DIVIDER = \"|\";\n\n/** @internal */\nexport async function sha256(input: string) {\n  return encodeHexLowerCase(rawSha256(new TextEncoder().encode(input)));\n}\n\n/** @internal */\nexport function generateRandomString(length: number, alphabet: string) {\n  const random: RandomReader = {\n    read(bytes) {\n      crypto.getRandomValues(bytes as Uint8Array<ArrayBuffer>);\n    },\n  };\n\n  return osloGenerateRandomString(random, alphabet, length);\n}\n\n/** @internal */\nexport function errorMessage(error: unknown) {\n  return error instanceof Error ? error.message : String(error);\n}\n\n/** @internal */\nexport function logError(error: unknown) {\n  logWithLevel(\n    LOG_LEVELS.ERROR,\n    error instanceof Error\n      ? error.message + \"\\n\" + error.stack?.replace(\"\\\\n\", \"\\n\")\n      : error,\n  );\n}\n\n/** @internal */\nexport const LOG_LEVELS = {\n  ERROR: \"ERROR\",\n  WARN: \"WARN\",\n  INFO: \"INFO\",\n  DEBUG: \"DEBUG\",\n} as const;\ntype LogLevel = keyof typeof LOG_LEVELS;\n\n/** @internal */\nexport function logWithLevel(level: LogLevel, ...args: unknown[]) {\n  const configuredLogLevel =\n    LOG_LEVELS[\n      (process.env.AUTH_LOG_LEVEL as LogLevel | undefined) ?? \"INFO\"\n    ] ?? \"INFO\";\n  switch (level) {\n    case \"ERROR\":\n      console.error(...args);\n      break;\n    case \"WARN\":\n      if (configuredLogLevel !== \"ERROR\") {\n        console.warn(...args);\n      }\n      break;\n    case \"INFO\":\n      if (configuredLogLevel === \"INFO\" || configuredLogLevel === \"DEBUG\") {\n        console.info(...args);\n      }\n      break;\n    case \"DEBUG\":\n      if (configuredLogLevel === \"DEBUG\") {\n        console.debug(...args);\n      }\n      break;\n  }\n}\n\nconst UNREDACTED_LENGTH = 5;\n/** @internal */\nexport function maybeRedact(value: string) {\n  if (value === \"\") {\n    return \"\";\n  }\n  const shouldRedact = process.env.AUTH_LOG_SECRETS !== \"true\";\n  if (shouldRedact) {\n    if (value.length < UNREDACTED_LENGTH * 2) {\n      return \"<redacted>\";\n    }\n    return (\n      value.substring(0, UNREDACTED_LENGTH) +\n      \"<redacted>\" +\n      value.substring(value.length - UNREDACTED_LENGTH)\n    );\n  } else {\n    return value;\n  }\n}\n\nconst SECRET_KEY_ENV = \"AUTH_SECRET_ENCRYPTION_KEY\";\nconst SECRET_IV_LENGTH = 12;\n\nfunction toArrayBuffer(bytes: Uint8Array) {\n  return bytes.buffer.slice(\n    bytes.byteOffset,\n    bytes.byteOffset + bytes.byteLength,\n  ) as ArrayBuffer;\n}\n\nasync function getSecretCryptoKey() {\n  const material = requireEnv(SECRET_KEY_ENV);\n  const rawKey = rawSha256(new TextEncoder().encode(material));\n  return await crypto.subtle.importKey(\n    \"raw\",\n    toArrayBuffer(rawKey),\n    { name: \"AES-GCM\" },\n    false,\n    [\"encrypt\", \"decrypt\"],\n  );\n}\n\n/** @internal */\nexport async function encryptSecret(value: string) {\n  const key = await getSecretCryptoKey();\n  const iv = crypto.getRandomValues(new Uint8Array(SECRET_IV_LENGTH));\n  const encrypted = await crypto.subtle.encrypt(\n    { name: \"AES-GCM\", iv: toArrayBuffer(iv) },\n    key,\n    toArrayBuffer(new TextEncoder().encode(value)),\n  );\n  return `${encodeBase64urlNoPadding(iv)}.${encodeBase64urlNoPadding(new Uint8Array(encrypted))}`;\n}\n\n/** @internal */\nexport async function decryptSecret(ciphertext: string) {\n  const [ivEncoded, payloadEncoded] = ciphertext.split(\".\");\n  if (!ivEncoded || !payloadEncoded) {\n    throw new AuthError(\n      \"INVALID_PARAMETERS\",\n      \"Stored enterprise secret is malformed.\",\n    ).toConvexError();\n  }\n  const key = await getSecretCryptoKey();\n  const decrypted = await crypto.subtle.decrypt(\n    {\n      name: \"AES-GCM\",\n      iv: toArrayBuffer(decodeBase64urlIgnorePadding(ivEncoded)),\n    },\n    key,\n    toArrayBuffer(decodeBase64urlIgnorePadding(payloadEncoded)),\n  );\n  return new TextDecoder().decode(decrypted);\n}\n"],"mappings":";;;;;;;;;;;;;AAoBA,SAAgB,WAAW,MAAc;CACvC,MAAM,QAAQ,QAAQ,IAAI;AAC1B,KAAI,UAAU,OACZ,OAAM,IAAI,UACR,mBACA,kCAAkC,KAAK,KACvC,EAAE,UAAU,MAAM,CACnB,CAAC,eAAe;AAEnB,QAAO;;;AAIT,SAAgB,YAAY,MAAe;AACzC,KAAI,SAAS,OACX,QAAO;CAET,MAAM,MAAM,KAAK,SAAS,MAAM,GAAG,OAAO,UAAU;CACpD,IAAI;AACJ,KAAI;AACF,QAAM,IAAI,IAAI,IAAI;SACZ;AACN,SAAO;;AAET,QACE,IAAI,aAAa,eACjB,IAAI,aAAa,eACjB,IAAI,aAAa;;;AAOrB,MAAa,0BAA0B;;AAEvC,MAAa,wBAAwB;;AAGrC,eAAsB,OAAO,OAAe;AAC1C,QAAO,mBAAmBA,SAAU,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,CAAC;;;AAIvE,SAAgB,qBAAqB,QAAgB,UAAkB;AAOrE,QAAOC,uBANsB,EAC3B,KAAK,OAAO;AACV,SAAO,gBAAgB,MAAiC;IAE3D,EAEuC,UAAU,OAAO;;;AAI3D,SAAgB,aAAa,OAAgB;AAC3C,QAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;;;AAI/D,SAAgB,SAAS,OAAgB;AACvC,cACE,WAAW,OACX,iBAAiB,QACb,MAAM,UAAU,OAAO,MAAM,OAAO,QAAQ,OAAO,KAAK,GACxD,MACL;;;AAIH,MAAa,aAAa;CACxB,OAAO;CACP,MAAM;CACN,MAAM;CACN,OAAO;CACR;;AAID,SAAgB,aAAa,OAAiB,GAAG,MAAiB;CAChE,MAAM,qBACJ,WACG,QAAQ,IAAI,kBAA2C,WACrD;AACP,SAAQ,OAAR;EACE,KAAK;AACH,WAAQ,MAAM,GAAG,KAAK;AACtB;EACF,KAAK;AACH,OAAI,uBAAuB,QACzB,SAAQ,KAAK,GAAG,KAAK;AAEvB;EACF,KAAK;AACH,OAAI,uBAAuB,UAAU,uBAAuB,QAC1D,SAAQ,KAAK,GAAG,KAAK;AAEvB;EACF,KAAK;AACH,OAAI,uBAAuB,QACzB,SAAQ,MAAM,GAAG,KAAK;AAExB;;;AAIN,MAAM,oBAAoB;;AAE1B,SAAgB,YAAY,OAAe;AACzC,KAAI,UAAU,GACZ,QAAO;AAGT,KADqB,QAAQ,IAAI,qBAAqB,QACpC;AAChB,MAAI,MAAM,SAAS,oBAAoB,EACrC,QAAO;AAET,SACE,MAAM,UAAU,GAAG,kBAAkB,GACrC,eACA,MAAM,UAAU,MAAM,SAAS,kBAAkB;OAGnD,QAAO;;AAIX,MAAM,iBAAiB;AACvB,MAAM,mBAAmB;AAEzB,SAAS,cAAc,OAAmB;AACxC,QAAO,MAAM,OAAO,MAClB,MAAM,YACN,MAAM,aAAa,MAAM,WAC1B;;AAGH,eAAe,qBAAqB;CAClC,MAAM,WAAW,WAAW,eAAe;CAC3C,MAAM,SAASD,SAAU,IAAI,aAAa,CAAC,OAAO,SAAS,CAAC;AAC5D,QAAO,MAAM,OAAO,OAAO,UACzB,OACA,cAAc,OAAO,EACrB,EAAE,MAAM,WAAW,EACnB,OACA,CAAC,WAAW,UAAU,CACvB;;;AAIH,eAAsB,cAAc,OAAe;CACjD,MAAM,MAAM,MAAM,oBAAoB;CACtC,MAAM,KAAK,OAAO,gBAAgB,IAAI,WAAW,iBAAiB,CAAC;CACnE,MAAM,YAAY,MAAM,OAAO,OAAO,QACpC;EAAE,MAAM;EAAW,IAAI,cAAc,GAAG;EAAE,EAC1C,KACA,cAAc,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,CAC/C;AACD,QAAO,GAAG,yBAAyB,GAAG,CAAC,GAAG,yBAAyB,IAAI,WAAW,UAAU,CAAC;;;AAI/F,eAAsB,cAAc,YAAoB;CACtD,MAAM,CAAC,WAAW,kBAAkB,WAAW,MAAM,IAAI;AACzD,KAAI,CAAC,aAAa,CAAC,eACjB,OAAM,IAAI,UACR,sBACA,yCACD,CAAC,eAAe;CAEnB,MAAM,MAAM,MAAM,oBAAoB;CACtC,MAAM,YAAY,MAAM,OAAO,OAAO,QACpC;EACE,MAAM;EACN,IAAI,cAAc,6BAA6B,UAAU,CAAC;EAC3D,EACD,KACA,cAAc,6BAA6B,eAAe,CAAC,CAC5D;AACD,QAAO,IAAI,aAAa,CAAC,OAAO,UAAU"}
+{"version":3,"file":"utils.js","names":["rawSha256","osloGenerateRandomString"],"sources":["../../src/server/utils.ts"],"sourcesContent":["import {\n  RandomReader,\n  generateRandomString as osloGenerateRandomString,\n} from \"@oslojs/crypto/random\";\nimport { sha256 as rawSha256 } from \"@oslojs/crypto/sha2\";\nimport {\n  decodeBase64urlIgnorePadding,\n  encodeBase64urlNoPadding,\n  encodeHexLowerCase,\n} from \"@oslojs/encoding\";\nimport { Cv } from \"@robelest/fx/convex\";\n\n/**\n * Require an environment variable to be set, throwing at config time if missing.\n *\n * Uses `Cv.error()` directly since this is a synchronous guard\n * called inline in many expressions — not suitable for Fx pipeline wrapping.\n */\n/** @internal */\nexport function requireEnv(name: string) {\n  const value = process.env[name];\n  if (value === undefined) {\n    throw Cv.error({\n      code: \"MISSING_ENV_VAR\",\n      message: `Missing environment variable \\`${name}\\``,\n    });\n  }\n  return value;\n}\n\n/** @internal */\nexport function isLocalHost(host?: string) {\n  if (host === undefined) {\n    return false;\n  }\n  const raw = host.includes(\"://\") ? host : `http://${host}`;\n  let url: URL;\n  try {\n    url = new URL(raw);\n  } catch {\n    return false;\n  }\n  return (\n    url.hostname === \"localhost\" ||\n    url.hostname === \"127.0.0.1\" ||\n    url.hostname === \"::1\"\n  );\n}\n\n// Internal server utilities (merged from former internalUtils.ts)\n\n/** @internal */\nexport const TOKEN_SUB_CLAIM_DIVIDER = \"|\";\n/** @internal */\nexport const REFRESH_TOKEN_DIVIDER = \"|\";\n\n/** @internal */\nexport async function sha256(input: string) {\n  return encodeHexLowerCase(rawSha256(new TextEncoder().encode(input)));\n}\n\n/** @internal */\nexport function generateRandomString(length: number, alphabet: string) {\n  const random: RandomReader = {\n    read(bytes) {\n      crypto.getRandomValues(bytes as Uint8Array<ArrayBuffer>);\n    },\n  };\n\n  return osloGenerateRandomString(random, alphabet, length);\n}\n\n/** @internal */\nexport function errorMessage(error: unknown) {\n  return error instanceof Error ? error.message : String(error);\n}\n\n/** @internal */\nexport function logError(error: unknown) {\n  logWithLevel(\n    LOG_LEVELS.ERROR,\n    error instanceof Error\n      ? error.message + \"\\n\" + error.stack?.replace(\"\\\\n\", \"\\n\")\n      : error,\n  );\n}\n\n/** @internal */\nexport const LOG_LEVELS = {\n  ERROR: \"ERROR\",\n  WARN: \"WARN\",\n  INFO: \"INFO\",\n  DEBUG: \"DEBUG\",\n} as const;\ntype LogLevel = keyof typeof LOG_LEVELS;\n\n/** @internal */\nexport function logWithLevel(level: LogLevel, ...args: unknown[]) {\n  const configuredLogLevel =\n    LOG_LEVELS[\n      (process.env.AUTH_LOG_LEVEL as LogLevel | undefined) ?? \"INFO\"\n    ] ?? \"INFO\";\n  switch (level) {\n    case \"ERROR\":\n      console.error(...args);\n      break;\n    case \"WARN\":\n      if (configuredLogLevel !== \"ERROR\") {\n        console.warn(...args);\n      }\n      break;\n    case \"INFO\":\n      if (configuredLogLevel === \"INFO\" || configuredLogLevel === \"DEBUG\") {\n        console.info(...args);\n      }\n      break;\n    case \"DEBUG\":\n      if (configuredLogLevel === \"DEBUG\") {\n        console.debug(...args);\n      }\n      break;\n  }\n}\n\nconst UNREDACTED_LENGTH = 5;\n/** @internal */\nexport function maybeRedact(value: string) {\n  if (value === \"\") {\n    return \"\";\n  }\n  const shouldRedact = process.env.AUTH_LOG_SECRETS !== \"true\";\n  if (shouldRedact) {\n    if (value.length < UNREDACTED_LENGTH * 2) {\n      return \"<redacted>\";\n    }\n    return (\n      value.substring(0, UNREDACTED_LENGTH) +\n      \"<redacted>\" +\n      value.substring(value.length - UNREDACTED_LENGTH)\n    );\n  } else {\n    return value;\n  }\n}\n\nconst SECRET_KEY_ENV = \"AUTH_SECRET_ENCRYPTION_KEY\";\nconst SECRET_IV_LENGTH = 12;\n\nfunction toArrayBuffer(bytes: Uint8Array) {\n  return bytes.buffer.slice(\n    bytes.byteOffset,\n    bytes.byteOffset + bytes.byteLength,\n  ) as ArrayBuffer;\n}\n\nasync function getSecretCryptoKey() {\n  const material = requireEnv(SECRET_KEY_ENV);\n  const rawKey = rawSha256(new TextEncoder().encode(material));\n  return await crypto.subtle.importKey(\n    \"raw\",\n    toArrayBuffer(rawKey),\n    { name: \"AES-GCM\" },\n    false,\n    [\"encrypt\", \"decrypt\"],\n  );\n}\n\n/** @internal */\nexport async function encryptSecret(value: string) {\n  const key = await getSecretCryptoKey();\n  const iv = crypto.getRandomValues(new Uint8Array(SECRET_IV_LENGTH));\n  const encrypted = await crypto.subtle.encrypt(\n    { name: \"AES-GCM\", iv: toArrayBuffer(iv) },\n    key,\n    toArrayBuffer(new TextEncoder().encode(value)),\n  );\n  return `${encodeBase64urlNoPadding(iv)}.${encodeBase64urlNoPadding(new Uint8Array(encrypted))}`;\n}\n\n/** @internal */\nexport async function decryptSecret(ciphertext: string) {\n  const [ivEncoded, payloadEncoded] = ciphertext.split(\".\");\n  if (!ivEncoded || !payloadEncoded) {\n    throw Cv.error({\n      code: \"INVALID_PARAMETERS\",\n      message: \"Stored enterprise secret is malformed.\",\n    });\n  }\n  const key = await getSecretCryptoKey();\n  const decrypted = await crypto.subtle.decrypt(\n    {\n      name: \"AES-GCM\",\n      iv: toArrayBuffer(decodeBase64urlIgnorePadding(ivEncoded)),\n    },\n    key,\n    toArrayBuffer(decodeBase64urlIgnorePadding(payloadEncoded)),\n  );\n  return new TextDecoder().decode(decrypted);\n}\n"],"mappings":";;;;;;;;;;;;;AAmBA,SAAgB,WAAW,MAAc;CACvC,MAAM,QAAQ,QAAQ,IAAI;AAC1B,KAAI,UAAU,OACZ,OAAM,GAAG,MAAM;EACb,MAAM;EACN,SAAS,kCAAkC,KAAK;EACjD,CAAC;AAEJ,QAAO;;;AAIT,SAAgB,YAAY,MAAe;AACzC,KAAI,SAAS,OACX,QAAO;CAET,MAAM,MAAM,KAAK,SAAS,MAAM,GAAG,OAAO,UAAU;CACpD,IAAI;AACJ,KAAI;AACF,QAAM,IAAI,IAAI,IAAI;SACZ;AACN,SAAO;;AAET,QACE,IAAI,aAAa,eACjB,IAAI,aAAa,eACjB,IAAI,aAAa;;;AAOrB,MAAa,0BAA0B;;AAEvC,MAAa,wBAAwB;;AAGrC,eAAsB,OAAO,OAAe;AAC1C,QAAO,mBAAmBA,SAAU,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,CAAC;;;AAIvE,SAAgB,qBAAqB,QAAgB,UAAkB;AAOrE,QAAOC,uBANsB,EAC3B,KAAK,OAAO;AACV,SAAO,gBAAgB,MAAiC;IAE3D,EAEuC,UAAU,OAAO;;;AAI3D,SAAgB,aAAa,OAAgB;AAC3C,QAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;;;AAI/D,SAAgB,SAAS,OAAgB;AACvC,cACE,WAAW,OACX,iBAAiB,QACb,MAAM,UAAU,OAAO,MAAM,OAAO,QAAQ,OAAO,KAAK,GACxD,MACL;;;AAIH,MAAa,aAAa;CACxB,OAAO;CACP,MAAM;CACN,MAAM;CACN,OAAO;CACR;;AAID,SAAgB,aAAa,OAAiB,GAAG,MAAiB;CAChE,MAAM,qBACJ,WACG,QAAQ,IAAI,kBAA2C,WACrD;AACP,SAAQ,OAAR;EACE,KAAK;AACH,WAAQ,MAAM,GAAG,KAAK;AACtB;EACF,KAAK;AACH,OAAI,uBAAuB,QACzB,SAAQ,KAAK,GAAG,KAAK;AAEvB;EACF,KAAK;AACH,OAAI,uBAAuB,UAAU,uBAAuB,QAC1D,SAAQ,KAAK,GAAG,KAAK;AAEvB;EACF,KAAK;AACH,OAAI,uBAAuB,QACzB,SAAQ,MAAM,GAAG,KAAK;AAExB;;;AAIN,MAAM,oBAAoB;;AAE1B,SAAgB,YAAY,OAAe;AACzC,KAAI,UAAU,GACZ,QAAO;AAGT,KADqB,QAAQ,IAAI,qBAAqB,QACpC;AAChB,MAAI,MAAM,SAAS,oBAAoB,EACrC,QAAO;AAET,SACE,MAAM,UAAU,GAAG,kBAAkB,GACrC,eACA,MAAM,UAAU,MAAM,SAAS,kBAAkB;OAGnD,QAAO;;AAIX,MAAM,iBAAiB;AACvB,MAAM,mBAAmB;AAEzB,SAAS,cAAc,OAAmB;AACxC,QAAO,MAAM,OAAO,MAClB,MAAM,YACN,MAAM,aAAa,MAAM,WAC1B;;AAGH,eAAe,qBAAqB;CAClC,MAAM,WAAW,WAAW,eAAe;CAC3C,MAAM,SAASD,SAAU,IAAI,aAAa,CAAC,OAAO,SAAS,CAAC;AAC5D,QAAO,MAAM,OAAO,OAAO,UACzB,OACA,cAAc,OAAO,EACrB,EAAE,MAAM,WAAW,EACnB,OACA,CAAC,WAAW,UAAU,CACvB;;;AAIH,eAAsB,cAAc,OAAe;CACjD,MAAM,MAAM,MAAM,oBAAoB;CACtC,MAAM,KAAK,OAAO,gBAAgB,IAAI,WAAW,iBAAiB,CAAC;CACnE,MAAM,YAAY,MAAM,OAAO,OAAO,QACpC;EAAE,MAAM;EAAW,IAAI,cAAc,GAAG;EAAE,EAC1C,KACA,cAAc,IAAI,aAAa,CAAC,OAAO,MAAM,CAAC,CAC/C;AACD,QAAO,GAAG,yBAAyB,GAAG,CAAC,GAAG,yBAAyB,IAAI,WAAW,UAAU,CAAC;;;AAI/F,eAAsB,cAAc,YAAoB;CACtD,MAAM,CAAC,WAAW,kBAAkB,WAAW,MAAM,IAAI;AACzD,KAAI,CAAC,aAAa,CAAC,eACjB,OAAM,GAAG,MAAM;EACb,MAAM;EACN,SAAS;EACV,CAAC;CAEJ,MAAM,MAAM,MAAM,oBAAoB;CACtC,MAAM,YAAY,MAAM,OAAO,OAAO,QACpC;EACE,MAAM;EACN,IAAI,cAAc,6BAA6B,UAAU,CAAC;EAC3D,EACD,KACA,cAAc,6BAA6B,eAAe,CAAC,CAC5D;AACD,QAAO,IAAI,aAAa,CAAC,OAAO,UAAU"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@robelest/convex-auth",
-  "version": "0.0.4-preview.21",
+  "version": "0.0.4-preview.23",
   "description": "Authentication for Convex",
   "keywords": [
     "auth",
@@ -54,10 +54,6 @@
       "types": "./dist/component/convex.config.d.ts",
       "default": "./dist/component/convex.config.js"
     },
-    "./errors": {
-      "types": "./dist/server/errors.d.ts",
-      "import": "./dist/server/errors.js"
-    },
     "./providers": {
       "types": "./dist/providers/index.d.ts",
       "import": "./dist/providers/index.js"
@@ -103,7 +99,7 @@
   },
   "@comment devDependencies": [
     "The CLI deps (@clack/prompts, @commander-js/extra-typings, dotenv,",
-    "valibot) are devDependencies because they are bundled into dist/bin.cjs",
+    "valibot) are devDependencies because they are bundled into dist/bin.js",
     "via esbuild."
   ],
   "scripts": {

package/src/authorization/index.ts

@@ -11,7 +11,7 @@
  * map where each role has an `id` (matching its key), an optional `label`,
  * and a typed `grants` array. The returned object is fully type-safe:
  * role IDs and grant strings are narrowed to their literal types, so
- * `member.resolve()` and `member.create()` calls are checked at compile time.
+ * `member.inspect()` / `member.require()` and `member.create()` calls are checked at compile time.
  * This is the canonical way to define role metadata for the auth library.
  *
  * @param roles - An object mapping role IDs to their configuration.

package/src/cli/index.ts

@@ -22,7 +22,7 @@ import { generateKeys } from "./keys";
 // ---------------------------------------------------------------------------
 
 function getPackageVersion(): string {
-  // When bundled to dist/bin.cjs the package.json is one level up
+  // When bundled to dist/bin.js the package.json is one level up
   for (const relative of ["..", "../.."]) {
     try {
       const pkgPath = path.resolve(__dirname, relative, "package.json");

package/src/client/core/types.ts

@@ -286,21 +286,19 @@ export interface DeviceClient {
    *
    * @param opts - Poll options.
    * @param opts.code - The {@link DeviceCodeResult} returned from `signIn("device")`.
-   * @returns `{ ok: true }` when authorized, or `{ ok: false, expired }` on failure.
+   * @throws `ConvexError({ code: "DEVICE_CODE_EXPIRED" })` when the code expires before authorization.
    *
    * @example
    * ```ts
    * const result = await auth.signIn("device");
    * if (result.kind === "deviceCode") {
    *   // Display result.deviceCode.userCode to the user
-   *   const poll = await auth.device.poll({ code: result.deviceCode });
-   *   if (poll.ok) console.log("Device authorized!");
+   *   await auth.device.poll({ code: result.deviceCode });
+   *   console.log("Device authorized!");
    * }
    * ```
    */
-  poll(opts: {
-    code: DeviceCodeResult;
-  }): Promise<{ ok: true } | { ok: false; expired: boolean }>;
+  poll(opts: { code: DeviceCodeResult }): Promise<void>;
 
   /**
    * Approve a device flow from the verification page using the displayed user code.
@@ -310,17 +308,14 @@ export interface DeviceClient {
    *
    * @param opts - Verification options.
    * @param opts.code - The user code string (e.g. `"WDJB-MJHT"`).
-   * @returns `{ ok: true }` on success, or `{ ok: false, message }` on failure.
+   * @throws `ConvexError({ code: "DEVICE_AUTHORIZATION_FAILED" })` when verification fails.
    *
    * @example
    * ```ts
-   * const result = await auth.device.verify({ code: "WDJB-MJHT" });
-   * if (!result.ok) console.error(result.message);
+   * await auth.device.verify({ code: "WDJB-MJHT" });
    * ```
    */
-  verify(opts: {
-    code: string;
-  }): Promise<{ ok: true } | { ok: false; message: string }>;
+  verify(opts: { code: string }): Promise<void>;
 }
 
 /**
@@ -345,8 +340,13 @@ export interface PendingInvite {
    * @readonly
    */
   readonly email: string | null;
-  /** Consume the invite: clears storage/URL params and returns the token. */
-  accept(): Promise<{ ok: boolean; token?: string; message?: string }>;
+  /**
+   * Consume the invite: clears storage/URL params and returns the token.
+   *
+   * @returns The invite token.
+   * @throws When there is no pending invite to accept.
+   */
+  accept(): Promise<{ token: string }>;
 }
 
 /** Base auth client — always present. */

package/src/client/factors/device.ts

@@ -36,9 +36,7 @@ export function createDeviceClient(deps: DeviceDeps): DeviceClient {
     deps;
 
   return {
-    poll: async (opts: {
-      code: DeviceCodeResult;
-    }): Promise<{ ok: true } | { ok: false; expired: boolean }> => {
+    poll: async (opts: { code: DeviceCodeResult }): Promise<void> => {
       const { code } = opts;
       const intervalMs = code.interval * 1000;
       const expiresAt = Date.now() + code.expiresIn * 1000;
@@ -121,16 +119,17 @@ export function createDeviceClient(deps: DeviceDeps): DeviceClient {
               context: { provider: "device", flow: "poll" },
             });
           }
-          return { ok: true as const };
+          return;
         }
       }
 
-      return { ok: false as const, expired: true };
+      throw new ConvexError({
+        code: "DEVICE_CODE_EXPIRED",
+        message: "Device code expired before authorization was completed.",
+      });
     },
 
-    verify: async (opts: {
-      code: string;
-    }): Promise<{ ok: true } | { ok: false; message: string }> => {
+    verify: async (opts: { code: string }): Promise<void> => {
       const params: Record<string, any> = {
         flow: "verify",
         userCode: opts.code,
@@ -148,12 +147,11 @@ export function createDeviceClient(deps: DeviceDeps): DeviceClient {
             params,
           });
         }
-        return { ok: true as const };
       } catch (e: unknown) {
-        return {
-          ok: false as const,
+        throw new ConvexError({
+          code: "DEVICE_AUTHORIZATION_FAILED",
           message: e instanceof Error ? e.message : "Invalid or expired code.",
-        };
+        });
       }
     },
   };

package/src/client/factors/passkey.ts

@@ -1,6 +1,5 @@
 import { Fx } from "@robelest/fx";
 
-import { base64urlDecode, base64urlEncode } from "../runtime/browser";
 import type {
   AuthSession,
   ConvexTransport,
@@ -8,6 +7,7 @@ import type {
   SignInActionResult,
   SignInResult,
 } from "../core/types";
+import { base64urlDecode, base64urlEncode } from "../runtime/browser";
 
 type PasskeyDeps = {
   proxy: string | undefined;
@@ -43,31 +43,28 @@ export function createPasskeyClient(deps: PasskeyDeps): PasskeyClient {
     return Fx.run(
       Fx.match(result, result.kind, {
         signedIn: (signedInResult) =>
-          Fx.from({
-            ok: async () => {
-              const signingIn = await setTokenAndMaybeWait(
-                proxy
-                  ? {
-                      shouldStore: false as const,
-                      tokens:
-                        signedInResult.tokens === null
-                          ? null
-                          : { token: signedInResult.tokens.token },
-                      waitForHandshake: true,
-                      context: { provider: "passkey", flow },
-                    }
-                  : {
-                      shouldStore: true as const,
-                      tokens: signedInResult.tokens,
-                      waitForHandshake: true,
-                      context: { provider: "passkey", flow },
-                    },
-              );
-              return signingIn
-                ? ({ kind: "signedIn" as const } as SignInResult)
-                : ({ kind: "started" as const } as SignInResult);
-            },
-            err: (e) => e as never,
+          Fx.promise(async () => {
+            const signingIn = await setTokenAndMaybeWait(
+              proxy
+                ? {
+                    shouldStore: false as const,
+                    tokens:
+                      signedInResult.tokens === null
+                        ? null
+                        : { token: signedInResult.tokens.token },
+                    waitForHandshake: true,
+                    context: { provider: "passkey", flow },
+                  }
+                : {
+                    shouldStore: true as const,
+                    tokens: signedInResult.tokens,
+                    waitForHandshake: true,
+                    context: { provider: "passkey", flow },
+                  },
+            );
+            return signingIn
+              ? ({ kind: "signedIn" as const } as SignInResult)
+              : ({ kind: "started" as const } as SignInResult);
           }),
         redirect: () => Fx.succeed({ kind: "started" as const }),
         started: () => Fx.succeed({ kind: "started" as const }),

package/src/client/index.ts

@@ -2,18 +2,6 @@ import { Fx } from "@robelest/fx";
 import { ConvexHttpClient } from "convex/browser";
 import { ConvexError, Value } from "convex/values";
 
-import { AUTH_ERRORS } from "../server/errors";
-import { browserMutex, getStorageListenerRegistry } from "./runtime/browser";
-import { createDeviceClient } from "./factors/device";
-import { createInviteManager } from "./runtime/invite";
-import { createPasskeyClient } from "./factors/passkey";
-import {
-  createProxyHelpers,
-  isRetriableProxyRefreshError,
-  isTransientNetworkError,
-} from "./runtime/proxy";
-import { createStorageHelpers } from "./runtime/storage";
-import { createTotpClient } from "./factors/totp";
 import type {
   AuthApiRefs,
   AuthClient,
@@ -33,14 +21,18 @@ import type {
   Storage,
   TotpClient,
 } from "./core/types";
+import { createDeviceClient } from "./factors/device";
+import { createPasskeyClient } from "./factors/passkey";
+import { createTotpClient } from "./factors/totp";
+import { browserMutex, getStorageListenerRegistry } from "./runtime/browser";
+import { createInviteManager } from "./runtime/invite";
+import {
+  createProxyHelpers,
+  isRetriableProxyRefreshError,
+  isTransientNetworkError,
+} from "./runtime/proxy";
+import { createStorageHelpers } from "./runtime/storage";
 
-// Re-export error utilities so consumers can import from `@robelest/convex-auth/client`.
-export {
-  isAuthError,
-  parseAuthError,
-  AUTH_ERRORS,
-  type AuthErrorCode,
-} from "../server/errors";
 export type {
   AuthApiRefs,
   AuthClient,
@@ -253,13 +245,20 @@ export function client<
   };
   let handlingCodeFlow = false;
 
+  const HANDSHAKE_ERROR_MESSAGES: Record<AuthHandshakeErrorCode, string> = {
+    AUTH_HANDSHAKE_TIMEOUT:
+      "Sign-in succeeded but authentication confirmation timed out.",
+    AUTH_HANDSHAKE_REJECTED:
+      "Authentication was rejected while confirming the session.",
+  };
+
   const createHandshakeError = (
     code: AuthHandshakeErrorCode,
     context: Record<string, unknown>,
   ) => {
     return new ConvexError({
       code,
-      message: AUTH_ERRORS[code],
+      message: HANDSHAKE_ERROR_MESSAGES[code],
       ...context,
     } as Value);
   };
@@ -652,25 +651,19 @@ export function client<
       Fx.run(
         Fx.match(result, result.kind, {
           redirect: (redirectResult) =>
-            Fx.from({
-              ok: async () => {
-                const redirectUrl = new URL(redirectResult.redirect);
-                if (options.persistVerifier) {
-                  await storageSet(
-                    VERIFIER_STORAGE_KEY,
-                    redirectResult.verifier,
-                  );
-                }
-                if (typeof window !== "undefined") {
-                  window.location.href = redirectUrl.toString();
-                }
-                return {
-                  kind: "redirect" as const,
-                  redirect: redirectUrl,
-                  verifier: redirectResult.verifier,
-                };
-              },
-              err: (e) => e as never,
+            Fx.promise(async () => {
+              const redirectUrl = new URL(redirectResult.redirect);
+              if (options.persistVerifier) {
+                await storageSet(VERIFIER_STORAGE_KEY, redirectResult.verifier);
+              }
+              if (typeof window !== "undefined") {
+                window.location.href = redirectUrl.toString();
+              }
+              return {
+                kind: "redirect" as const,
+                redirect: redirectUrl,
+                verifier: redirectResult.verifier,
+              };
             }),
           totpRequired: (totpRequiredResult) =>
             Fx.succeed({
@@ -685,31 +678,28 @@ export function client<
               ),
             }),
           signedIn: (signedInResult) =>
-            Fx.from({
-              ok: async () => {
-                const signingIn = await setTokenAndMaybeWait(
-                  options.shouldStore
-                    ? {
-                        shouldStore: true as const,
-                        tokens: signedInResult.tokens,
-                        waitForHandshake: true,
-                        context: { provider, flow },
-                      }
-                    : {
-                        shouldStore: false as const,
-                        tokens:
-                          signedInResult.tokens === null
-                            ? null
-                            : { token: signedInResult.tokens.token },
-                        waitForHandshake: true,
-                        context: { provider, flow },
-                      },
-                );
-                return signingIn
-                  ? ({ kind: "signedIn" as const } as SignInResult)
-                  : ({ kind: "started" as const } as SignInResult);
-              },
-              err: (e) => e as never,
+            Fx.promise(async () => {
+              const signingIn = await setTokenAndMaybeWait(
+                options.shouldStore
+                  ? {
+                      shouldStore: true as const,
+                      tokens: signedInResult.tokens,
+                      waitForHandshake: true,
+                      context: { provider, flow },
+                    }
+                  : {
+                      shouldStore: false as const,
+                      tokens:
+                        signedInResult.tokens === null
+                          ? null
+                          : { token: signedInResult.tokens.token },
+                      waitForHandshake: true,
+                      context: { provider, flow },
+                    },
+              );
+              return signingIn
+                ? ({ kind: "signedIn" as const } as SignInResult)
+                : ({ kind: "started" as const } as SignInResult);
             }),
           started: (_startedResult) => Fx.succeed({ kind: "started" as const }),
           passkeyOptions: (_passkeyOptionsResult) =>

package/src/client/runtime/invite.ts

@@ -48,18 +48,16 @@ export function createInviteManager(args: {
         await storageSet(emailKey, pendingInvite.email);
       }
     },
-    async acceptInvite(): Promise<{
-      ok: boolean;
-      token?: string;
-      message?: string;
-    }> {
-      if (!pendingInvite) return { ok: false, message: "No pending invite" };
+    async acceptInvite(): Promise<{ token: string }> {
+      if (!pendingInvite) {
+        throw new Error("No pending invite to accept.");
+      }
       const { token } = pendingInvite;
       pendingInvite = null;
       void storageRemove(tokenKey);
       void storageRemove(emailKey);
       cleanUrlParams(["invite", "email"]);
-      return { ok: true, token };
+      return { token };
     },
   };
 }

package/src/component/index.ts

@@ -10,6 +10,7 @@
 export { AuthCtx, createAuth } from "../server/auth";
 export type {
   AuthApi,
+  AuthContext,
   AuthConfig,
   AuthCtxConfig,
   InferAuth,

package/src/component/public/enterprise/audit.ts

@@ -1,6 +1,11 @@
 import { v } from "convex/values";
+
 import { mutation, query } from "../../functions";
-import { vAuditActorType, vAuditStatus, vEnterpriseAuditEventDoc } from "../../model";
+import {
+  vAuditActorType,
+  vAuditStatus,
+  vEnterpriseAuditEventDoc,
+} from "../../model";
 
 /**
  * Record a new audit event for an enterprise.

package/src/component/public/enterprise/core.ts

@@ -1,4 +1,5 @@
 import { ConvexError, v } from "convex/values";
+
 import { mutation, query } from "../../functions";
 import {
   vEnterpriseDoc,

package/src/component/public/enterprise/domains.ts

@@ -1,6 +1,10 @@
 import { ConvexError, v } from "convex/values";
+
 import { mutation, query } from "../../functions";
-import { vEnterpriseDomainDoc, vEnterpriseDomainVerificationDoc } from "../../model";
+import {
+  vEnterpriseDomainDoc,
+  vEnterpriseDomainVerificationDoc,
+} from "../../model";
 
 /**
  * Link a domain to an enterprise record, or update an existing link.

package/src/component/public/enterprise/scim.ts

@@ -1,4 +1,5 @@
 import { v } from "convex/values";
+
 import { mutation, query } from "../../functions";
 import {
   vEnterpriseScimConfigDoc,

package/src/component/public/enterprise/secrets.ts

@@ -1,4 +1,5 @@
 import { v } from "convex/values";
+
 import { mutation, query } from "../../functions";
 import { vEnterpriseSecretDoc, vEnterpriseSecretKind } from "../../model";
 

package/src/component/public/enterprise/webhooks.ts

@@ -1,4 +1,5 @@
 import { v } from "convex/values";
+
 import { mutation, query } from "../../functions";
 import {
   vEnterpriseWebhookDeliveryDoc,

package/src/component/public/factors/devices.ts

@@ -1,4 +1,5 @@
 import { v } from "convex/values";
+
 import { mutation, query } from "../../functions";
 import { vDeviceCodeDoc, vDeviceStatus } from "../../model";
 

package/src/component/public/factors/passkeys.ts

@@ -1,4 +1,5 @@
 import { v } from "convex/values";
+
 import { mutation, query } from "../../functions";
 import { vPasskeyDoc } from "../../model";