@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.23

package/src/server/mounts.ts

@@ -1,3 +1,4 @@
+import { Cv } from "@robelest/fx/convex";
 import { actionGeneric, mutationGeneric, queryGeneric } from "convex/server";
 import { ConvexError, v } from "convex/values";
 
@@ -62,11 +63,11 @@ export type EnterpriseAdminAuthorizationInput = {
 /**
  * App-defined authorization hook for mounted enterprise admin APIs.
  *
- * Return `void` (or resolve) to allow the operation, or `{ ok: false }` to deny it.
+ * Return `void` (or resolve) to allow the operation, or throw to deny it.
  *
  * @param ctx - Convex context with `ctx.auth` for identity checks.
  * @param input - The {@link EnterpriseAdminAuthorizationInput} describing who is doing what.
- * @returns `void` to allow, `{ ok: false }` to deny.
+ * @returns `void` to allow; throw to deny.
  *
  * @example
  * ```ts
@@ -74,7 +75,7 @@ export type EnterpriseAdminAuthorizationInput = {
  *
  * const authorized: EnterpriseAuthorizer = async (ctx, input) => {
  *   const identity = await ctx.auth.getUserIdentity();
- *   if (!identity) return { ok: false };
+ *   if (!identity) throw new Error("Forbidden");
  *   // Allow all admin ops for the org owner
  * };
  * ```
@@ -82,7 +83,7 @@ export type EnterpriseAdminAuthorizationInput = {
 export type EnterpriseAuthorizer = (
   ctx: { auth: import("convex/server").Auth },
   input: EnterpriseAdminAuthorizationInput,
-) => Promise<void | { ok: false }>;
+) => Promise<void>;
 
 type RoleRef<TRoleId extends string> = { id: TRoleId };
 
@@ -209,23 +210,26 @@ function createMountedAdminAuthorizer(
   ) => {
     const userId = await requireUserId(ctx);
     if (userId === null) {
-      return { ok: false as const, code: "NOT_SIGNED_IN" as const };
+      throw Cv.error({
+        code: "NOT_SIGNED_IN",
+        message: "You must be signed in to perform this action.",
+      });
     }
     if (!options?.admin?.authorized) {
-      return { ok: false as const, code: "FORBIDDEN" as const };
+      throw Cv.error({
+        code: "FORBIDDEN",
+        message: "Access denied.",
+      });
     }
     const resolved = await resolveMountedEnterpriseTarget(auth, ctx, target);
-    const authResult = await options.admin.authorized(ctx, {
+    await options.admin.authorized(ctx, {
       userId,
       permission,
       enterpriseId: resolved.enterpriseId,
       groupId: resolved.groupId,
       resolvedGroupId: resolved.resolvedGroupId,
     });
-    if (authResult && !authResult.ok) {
-      return { ok: false as const, code: "FORBIDDEN" as const };
-    }
-    return { ok: true as const, userId, ...resolved };
+    return { userId, ...resolved };
   };
 }
 
@@ -286,8 +290,6 @@ export function sso<
             const authResult = await authorize(ctx, "sso.connection.create", {
               groupId: args.groupId,
             });
-            if (!authResult.ok)
-              return { ok: false as const, code: authResult.code };
             const { userId } = authResult;
             const createsGroup = args.groupId === undefined;
             const groupId =
@@ -332,10 +334,9 @@ export function sso<
         get: queryGeneric({
           args: { enterpriseId: v.string() },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.connection.read", {
+            await authorize(ctx, "sso.connection.read", {
               enterpriseId: args.enterpriseId,
             });
-            if (!_auth.ok) return null;
             return await auth.sso.admin.connection.get(
               ctx as never,
               args.enterpriseId,
@@ -345,10 +346,9 @@ export function sso<
         getByGroup: queryGeneric({
           args: { groupId: v.string() },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.connection.read", {
+            await authorize(ctx, "sso.connection.read", {
               groupId: args.groupId,
             });
-            if (!_auth.ok) return null;
             return await auth.sso.admin.connection.getByGroup(
               ctx as never,
               args.groupId,
@@ -358,10 +358,9 @@ export function sso<
         getByDomain: queryGeneric({
           args: { domain: v.string() },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.connection.read", {
+            await authorize(ctx, "sso.connection.read", {
               domain: args.domain,
             });
-            if (!_auth.ok) return null;
             return await auth.sso.admin.connection.getByDomain(
               ctx as never,
               args.domain,
@@ -377,10 +376,9 @@ export function sso<
             order: v.optional(v.union(v.literal("asc"), v.literal("desc"))),
           },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.connection.read", {
+            await authorize(ctx, "sso.connection.read", {
               groupId: args.where?.groupId,
             });
-            if (!_auth.ok) return null;
             return await auth.sso.admin.connection.list(
               ctx as never,
               args as never,
@@ -397,25 +395,23 @@ export function sso<
             }),
           },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.connection.manage", {
+            await authorize(ctx, "sso.connection.manage", {
               enterpriseId: args.enterpriseId,
             });
-            if (!_auth.ok) return { ok: false as const, code: _auth.code };
             await auth.sso.admin.connection.update(
               ctx as never,
               args.enterpriseId,
               args.data,
             );
-            return { ok: true as const, enterpriseId: args.enterpriseId };
+            return { enterpriseId: args.enterpriseId };
           },
         }),
         delete: mutationGeneric({
           args: { enterpriseId: v.string() },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.connection.manage", {
+            await authorize(ctx, "sso.connection.manage", {
               enterpriseId: args.enterpriseId,
             });
-            if (!_auth.ok) return { ok: false as const, code: _auth.code };
             return await auth.sso.admin.connection.delete(
               ctx as never,
               args.enterpriseId,
@@ -425,10 +421,9 @@ export function sso<
         status: queryGeneric({
           args: { enterpriseId: v.string() },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.connection.read", {
+            await authorize(ctx, "sso.connection.read", {
               enterpriseId: args.enterpriseId,
             });
-            if (!_auth.ok) return null;
             return await auth.sso.admin.connection.status(
               ctx as never,
               args.enterpriseId,
@@ -439,10 +434,9 @@ export function sso<
           list: queryGeneric({
             args: { enterpriseId: v.string() },
             handler: async (ctx, args) => {
-              const _auth = await authorize(ctx, "sso.connection.read", {
+              await authorize(ctx, "sso.connection.read", {
                 enterpriseId: args.enterpriseId,
               });
-              if (!_auth.ok) return null;
               return await auth.sso.admin.connection.domain.list(
                 ctx as never,
                 args.enterpriseId,
@@ -452,10 +446,9 @@ export function sso<
           validate: queryGeneric({
             args: { enterpriseId: v.string() },
             handler: async (ctx, args) => {
-              const _auth = await authorize(ctx, "sso.domain.manage", {
+              await authorize(ctx, "sso.domain.manage", {
                 enterpriseId: args.enterpriseId,
               });
-              if (!_auth.ok) return null;
               return await auth.sso.admin.connection.domain.validate(
                 ctx as never,
                 args.enterpriseId,
@@ -468,10 +461,9 @@ export function sso<
               domains: v.array(enterpriseDomainInputValidator),
             },
             handler: async (ctx, args) => {
-              const _auth = await authorize(ctx, "sso.domain.manage", {
+              await authorize(ctx, "sso.domain.manage", {
                 enterpriseId: args.enterpriseId,
               });
-              if (!_auth.ok) return { ok: false as const, code: _auth.code };
               return await auth.sso.admin.connection.domain.set(
                 ctx as never,
                 args.enterpriseId,
@@ -483,10 +475,9 @@ export function sso<
             request: mutationGeneric({
               args: enterpriseDomainVerificationInputValidator,
               handler: async (ctx, args) => {
-                const _auth = await authorize(ctx, "sso.domain.manage", {
+                await authorize(ctx, "sso.domain.manage", {
                   enterpriseId: args.enterpriseId,
                 });
-                if (!_auth.ok) return { ok: false as const, code: _auth.code };
                 return await auth.sso.admin.connection.domain.verification.request(
                   ctx as never,
                   args,
@@ -496,10 +487,9 @@ export function sso<
             confirm: actionGeneric({
               args: enterpriseDomainVerificationInputValidator,
               handler: async (ctx, args) => {
-                const _auth = await authorize(ctx, "sso.domain.manage", {
+                await authorize(ctx, "sso.domain.manage", {
                   enterpriseId: args.enterpriseId,
                 });
-                if (!_auth.ok) return { ok: false as const, code: _auth.code };
                 return await auth.sso.admin.connection.domain.verification.confirm(
                   ctx as never,
                   args,
@@ -524,20 +514,18 @@ export function sso<
             extraFields: v.optional(v.record(v.string(), v.string())),
           },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.protocol.manage", {
+            await authorize(ctx, "sso.protocol.manage", {
               enterpriseId: args.enterpriseId,
             });
-            if (!_auth.ok) return { ok: false as const, code: _auth.code };
             return await auth.sso.admin.oidc.configure(ctx as never, args);
           },
         }),
         get: queryGeneric({
           args: { enterpriseId: v.string() },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.connection.read", {
+            await authorize(ctx, "sso.connection.read", {
               enterpriseId: args.enterpriseId,
             });
-            if (!_auth.ok) return null;
             return await auth.sso.admin.oidc.get(
               ctx as never,
               args.enterpriseId,
@@ -547,10 +535,9 @@ export function sso<
         validate: actionGeneric({
           args: { enterpriseId: v.string() },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.protocol.manage", {
+            await authorize(ctx, "sso.protocol.manage", {
               enterpriseId: args.enterpriseId,
             });
-            if (!_auth.ok) return { ok: false as const, code: _auth.code };
             return await auth.sso.admin.oidc.validate(
               ctx as never,
               args.enterpriseId,
@@ -572,20 +559,18 @@ export function sso<
             sp: v.optional(enterpriseSamlSpValidator),
           },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.protocol.manage", {
+            await authorize(ctx, "sso.protocol.manage", {
               enterpriseId: args.enterpriseId,
             });
-            if (!_auth.ok) return { ok: false as const, code: _auth.code };
             return await auth.sso.admin.saml.configure(ctx as never, args);
           },
         }),
         validate: queryGeneric({
           args: { enterpriseId: v.string() },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.protocol.manage", {
+            await authorize(ctx, "sso.protocol.manage", {
               enterpriseId: args.enterpriseId,
             });
-            if (!_auth.ok) return null;
             return await auth.sso.admin.saml.validate(
               ctx as never,
               args.enterpriseId,
@@ -597,10 +582,9 @@ export function sso<
         get: queryGeneric({
           args: { enterpriseId: v.string() },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.connection.read", {
+            await authorize(ctx, "sso.connection.read", {
               enterpriseId: args.enterpriseId,
             });
-            if (!_auth.ok) return null;
             return await auth.sso.admin.policy.get(
               ctx as never,
               args.enterpriseId,
@@ -613,10 +597,9 @@ export function sso<
             patch: enterprisePolicyPatchValidator,
           },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.policy.manage", {
+            await authorize(ctx, "sso.policy.manage", {
               enterpriseId: args.enterpriseId,
             });
-            if (!_auth.ok) return { ok: false as const, code: _auth.code };
             return await auth.sso.admin.policy.update(
               ctx as never,
               args.enterpriseId,
@@ -627,10 +610,9 @@ export function sso<
         validate: queryGeneric({
           args: { enterpriseId: v.string() },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.policy.manage", {
+            await authorize(ctx, "sso.policy.manage", {
               enterpriseId: args.enterpriseId,
             });
-            if (!_auth.ok) return null;
             return await auth.sso.admin.policy.validate(
               ctx as never,
               args.enterpriseId,
@@ -646,11 +628,10 @@ export function sso<
             limit: v.optional(v.number()),
           },
           handler: async (ctx, args) => {
-            const _auth = await authorize(ctx, "sso.audit.read", {
+            await authorize(ctx, "sso.audit.read", {
               enterpriseId: args.enterpriseId,
               groupId: args.groupId,
             });
-            if (!_auth.ok) return null;
             return await auth.sso.admin.audit.list(ctx as never, args);
           },
         }),
@@ -663,10 +644,9 @@ export function sso<
               limit: v.optional(v.number()),
             },
             handler: async (ctx, args) => {
-              const _auth = await authorize(ctx, "sso.webhook.manage", {
+              await authorize(ctx, "sso.webhook.manage", {
                 enterpriseId: args.enterpriseId,
               });
-              if (!_auth.ok) return null;
               return await (auth.sso.admin.webhook as any).delivery.list(
                 ctx as never,
                 args,
@@ -687,8 +667,6 @@ export function sso<
               const authResult = await authorize(ctx, "sso.webhook.manage", {
                 enterpriseId: args.enterpriseId,
               });
-              if (!authResult.ok)
-                return { ok: false as const, code: authResult.code };
               const { userId } = authResult;
               const result = await auth.sso.admin.webhook.endpoint.create(
                 ctx as never,
@@ -711,10 +689,9 @@ export function sso<
           list: queryGeneric({
             args: { enterpriseId: v.string() },
             handler: async (ctx, args) => {
-              const _auth = await authorize(ctx, "sso.webhook.manage", {
+              await authorize(ctx, "sso.webhook.manage", {
                 enterpriseId: args.enterpriseId,
               });
-              if (!_auth.ok) return null;
               const endpoints = await auth.sso.admin.webhook.endpoint.list(
                 ctx as never,
                 args.enterpriseId,
@@ -733,16 +710,15 @@ export function sso<
                 args.endpointId,
               );
               if (!endpoint) {
-                return {
-                  ok: false as const,
-                  code: "INVALID_PARAMETERS" as const,
-                };
+                throw Cv.error({
+                  code: "INVALID_PARAMETERS",
+                  message: "Webhook endpoint not found.",
+                });
               }
-              const _auth = await authorize(ctx, "sso.webhook.manage", {
+              await authorize(ctx, "sso.webhook.manage", {
                 enterpriseId: endpoint.enterpriseId,
                 groupId: endpoint.groupId,
               });
-              if (!_auth.ok) return { ok: false as const, code: _auth.code };
               return await auth.sso.admin.webhook.endpoint.disable(
                 ctx as never,
                 args.endpointId,
@@ -825,30 +801,27 @@ export function scim<
           status: v.optional(enterpriseStatusValidator),
         },
         handler: async (ctx, args) => {
-          const _auth = await authorize(ctx, "scim.manage", {
+          await authorize(ctx, "scim.manage", {
             enterpriseId: args.enterpriseId,
           });
-          if (!_auth.ok) return { ok: false as const, code: _auth.code };
           return await auth.scim.admin.configure(ctx as never, args);
         },
       }),
       get: queryGeneric({
         args: { enterpriseId: v.string() },
         handler: async (ctx, args) => {
-          const _auth = await authorize(ctx, "scim.manage", {
+          await authorize(ctx, "scim.manage", {
             enterpriseId: args.enterpriseId,
           });
-          if (!_auth.ok) return null;
           return await auth.scim.admin.get(ctx as never, args.enterpriseId);
         },
       }),
       validate: queryGeneric({
         args: { enterpriseId: v.string() },
         handler: async (ctx, args) => {
-          const _auth = await authorize(ctx, "scim.manage", {
+          await authorize(ctx, "scim.manage", {
             enterpriseId: args.enterpriseId,
           });
-          if (!_auth.ok) return null;
           return await auth.scim.admin.validate(
             ctx as never,
             args.enterpriseId,

package/src/server/mutations/account.ts

@@ -1,11 +1,11 @@
 import { Fx } from "@robelest/fx";
+import { Cv } from "@robelest/fx/convex";
 import type { GenericActionCtx, GenericDataModel } from "convex/server";
-import { Infer, v } from "convex/values";
+import { ConvexError, Infer, v } from "convex/values";
 
-import { authDb } from "../db";
-import { AuthError } from "../authError";
 import { GetProviderOrThrowFunc, hash } from "../crypto";
 import * as Provider from "../crypto";
+import { authDb } from "../db";
 import { MutationCtx } from "../types";
 import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils";
 import { AUTH_STORE_REF } from "./store/refs";
@@ -20,7 +20,7 @@ export function modifyAccountImpl(
   args: Infer<typeof modifyAccountArgs>,
   getProviderOrThrow: GetProviderOrThrowFunc,
   config: Provider.Config,
-): Fx<void, AuthError> {
+): Fx<void, ConvexError<any>> {
   const { provider, account } = args;
   const db = authDb(ctx, config);
 
@@ -29,38 +29,24 @@ export function modifyAccountImpl(
     account: { id: account.id, secret: maybeRedact(account.secret ?? "") },
   });
 
-  return Fx.from({
-    ok: () => db.accounts.get(provider, account.id),
-    err: () =>
-      new AuthError(
-        "ACCOUNT_NOT_FOUND",
-        `Cannot modify account with ID ${account.id} because it does not exist`,
-      ),
-  }).pipe(
-    Fx.chain((doc) =>
-      doc === null
-        ? Fx.fail(
-            new AuthError(
-              "ACCOUNT_NOT_FOUND",
-              `Cannot modify account with ID ${account.id} because it does not exist`,
-            ),
-          )
-        : Fx.succeed(doc),
-    ),
-    Fx.chain((existingAccount) =>
-      hash(getProviderOrThrow(provider), account.secret).pipe(
-        Fx.chain((hashedSecret) =>
-          Fx.from({
-            ok: () =>
-              db.accounts.patch(existingAccount._id, { secret: hashedSecret }),
-            err: () =>
-              new AuthError("INTERNAL_ERROR", "Failed to patch account"),
-          }),
-        ),
-      ),
-    ),
-    Fx.map(() => undefined),
-  );
+  return Fx.gen(function* () {
+    const existingAccount = yield* Fx.promise(() =>
+      db.accounts.get(provider, account.id),
+    );
+    if (existingAccount === null) {
+      return yield* Cv.fail({
+        code: "ACCOUNT_NOT_FOUND",
+        message: `Cannot modify account with ID ${account.id} because it does not exist`,
+      });
+    }
+    const hashedSecret = yield* hash(
+      getProviderOrThrow(provider),
+      account.secret,
+    );
+    yield* Fx.promise(() =>
+      db.accounts.patch(existingAccount._id, { secret: hashedSecret }),
+    );
+  });
 }
 
 export const callModifyAccount = async <DataModel extends GenericDataModel>(

package/src/server/mutations/code.ts

@@ -1,9 +1,9 @@
+import { Cv } from "@robelest/fx/convex";
 import type { GenericActionCtx, GenericDataModel } from "convex/server";
 import { GenericId, Infer, v } from "convex/values";
 
-import { authDb } from "../db";
-import { AuthError } from "../authError";
 import * as Provider from "../crypto";
+import { authDb } from "../db";
 import { getAuthSessionId } from "../sessions";
 import { MutationCtx } from "../types";
 import { EmailConfig, PhoneConfig } from "../types";
@@ -47,10 +47,10 @@ export async function createVerificationCodeImpl(
     typedExistingAccountId !== undefined
       ? ((await db.accounts.getById(typedExistingAccountId)) ??
         (() => {
-          throw new AuthError(
-            "ACCOUNT_NOT_FOUND",
-            `Expected an account to exist for ID "${typedExistingAccountId}"`,
-          ).toConvexError();
+          throw Cv.error({
+            code: "ACCOUNT_NOT_FOUND",
+            message: `Expected an account to exist for ID "${typedExistingAccountId}"`,
+          });
         })())
       : await db.accounts.get(providerId, email ?? phone!);
 

package/src/server/mutations/invalidate.ts

@@ -2,8 +2,8 @@ import { Fx } from "@robelest/fx";
 import type { GenericActionCtx, GenericDataModel } from "convex/server";
 import { GenericId, Infer, v } from "convex/values";
 
-import { authDb } from "../db";
 import * as Provider from "../crypto";
+import { authDb } from "../db";
 import { deleteSession } from "../sessions";
 import { Doc, MutationCtx } from "../types";
 import { LOG_LEVELS, logWithLevel } from "../utils";

package/src/server/mutations/oauth.ts

@@ -1,13 +1,12 @@
 import { Fx } from "@robelest/fx";
+import { Cv } from "@robelest/fx/convex";
 import type { GenericActionCtx, GenericDataModel } from "convex/server";
+import type { ConvexError } from "convex/values";
 import { Infer, v } from "convex/values";
 
-import { authDb } from "../db";
-import { AuthError } from "../authError";
 import * as Provider from "../crypto";
-import {
-  createSyntheticOAuthMaterializedConfig,
-} from "../enterprise/oidc";
+import { authDb } from "../db";
+import { createSyntheticOAuthMaterializedConfig } from "../enterprise/oidc";
 import { normalizeEnterprisePolicy } from "../enterprise/policy";
 import {
   ENTERPRISE_OIDC_PROVIDER_PREFIX,
@@ -81,7 +80,7 @@ export function userOAuthImpl(
   args: Infer<typeof userOAuthArgs>,
   getProviderOrThrow: Provider.GetProviderOrThrowFunc,
   config: Provider.Config,
-): Fx<ReturnType, AuthError> {
+): Fx<ReturnType, ConvexError<{ code: string; message: string }>> {
   return Fx.gen(function* () {
     logWithLevel("DEBUG", "userOAuthImpl args:", args);
     const { profile, provider, providerAccountId, signature, accountExtend } =
@@ -129,11 +128,18 @@ export function userOAuthImpl(
 
     const verifier = yield* Fx.from({
       ok: () => db.verifiers.getBySignature(signature),
-      err: () => new AuthError("OAUTH_INVALID_STATE"),
+      err: () =>
+        Cv.error({
+          code: "OAUTH_INVALID_STATE",
+          message: "Invalid OAuth state. Please try signing in again.",
+        }),
     }).pipe(
       Fx.chain((doc) =>
         doc === null
-          ? Fx.fail(new AuthError("OAUTH_INVALID_STATE"))
+          ? Cv.fail({
+              code: "OAUTH_INVALID_STATE",
+              message: "Invalid OAuth state. Please try signing in again.",
+            })
           : Fx.succeed(doc),
       ),
     );

package/src/server/mutations/refresh.ts

@@ -1,10 +1,9 @@
 import { Fx } from "@robelest/fx";
 import type { GenericActionCtx, GenericDataModel } from "convex/server";
-import { Infer, v } from "convex/values";
+import { ConvexError, Infer, v } from "convex/values";
 
-import { authDb } from "../db";
-import { AuthError } from "../authError";
 import * as Provider from "../crypto";
+import { authDb } from "../db";
 import {
   invalidateRefreshTokensInSubtree,
   parseRefreshToken,
@@ -50,7 +49,9 @@ export async function refreshSessionImpl(
 
   return Fx.run(
     parseRefreshToken(refreshToken).pipe(
-      Fx.recover((err: AuthError) => Fx.fail(new RefreshFailure(err.message))),
+      Fx.recover((err: ConvexError<any>) =>
+        Fx.fail(new RefreshFailure(err.data.message)),
+      ),
       Fx.tap(({ refreshTokenId, sessionId: tokenSessionId }) =>
         Fx.sync(() =>
           logWithLevel(