@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.23
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/authorization/index.d.ts +1 -1
- package/dist/authorization/index.js +1 -1
- package/dist/authorization/index.js.map +1 -1
- package/dist/client/index.d.ts +1 -2
- package/dist/client/index.d.ts.map +1 -1
- package/dist/client/index.js +36 -39
- package/dist/client/index.js.map +1 -1
- package/dist/component/client/index.d.ts +1 -2
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/convex.config.d.ts.map +1 -1
- package/dist/component/model.d.ts +5 -5
- package/dist/component/model.d.ts.map +1 -1
- package/dist/component/public/enterprise/audit.d.ts.map +1 -1
- package/dist/component/public/enterprise/audit.js.map +1 -1
- package/dist/component/public/enterprise/core.d.ts.map +1 -1
- package/dist/component/public/enterprise/core.js.map +1 -1
- package/dist/component/public/enterprise/domains.d.ts.map +1 -1
- package/dist/component/public/enterprise/domains.js.map +1 -1
- package/dist/component/public/enterprise/scim.d.ts.map +1 -1
- package/dist/component/public/enterprise/scim.js.map +1 -1
- package/dist/component/public/enterprise/secrets.d.ts.map +1 -1
- package/dist/component/public/enterprise/secrets.js.map +1 -1
- package/dist/component/public/enterprise/webhooks.d.ts.map +1 -1
- package/dist/component/public/enterprise/webhooks.js.map +1 -1
- package/dist/component/public/factors/devices.d.ts.map +1 -1
- package/dist/component/public/factors/devices.js.map +1 -1
- package/dist/component/public/factors/passkeys.d.ts.map +1 -1
- package/dist/component/public/factors/passkeys.js.map +1 -1
- package/dist/component/public/factors/totp.d.ts.map +1 -1
- package/dist/component/public/factors/totp.js.map +1 -1
- package/dist/component/public/groups/core.js.map +1 -1
- package/dist/component/public/groups/invites.d.ts.map +1 -1
- package/dist/component/public/groups/invites.js.map +1 -1
- package/dist/component/public/groups/members.d.ts.map +1 -1
- package/dist/component/public/groups/members.js.map +1 -1
- package/dist/component/public/identity/accounts.d.ts.map +1 -1
- package/dist/component/public/identity/accounts.js.map +1 -1
- package/dist/component/public/identity/codes.d.ts.map +1 -1
- package/dist/component/public/identity/codes.js.map +1 -1
- package/dist/component/public/identity/sessions.d.ts.map +1 -1
- package/dist/component/public/identity/sessions.js.map +1 -1
- package/dist/component/public/identity/tokens.d.ts.map +1 -1
- package/dist/component/public/identity/tokens.js.map +1 -1
- package/dist/component/public/identity/users.d.ts.map +1 -1
- package/dist/component/public/identity/users.js.map +1 -1
- package/dist/component/public/identity/verifiers.d.ts.map +1 -1
- package/dist/component/public/identity/verifiers.js.map +1 -1
- package/dist/component/public/security/keys.d.ts.map +1 -1
- package/dist/component/public/security/keys.js.map +1 -1
- package/dist/component/public/security/limits.d.ts.map +1 -1
- package/dist/component/public/security/limits.js.map +1 -1
- package/dist/component/schema.d.ts +39 -39
- package/dist/component/server/auth.d.ts +95 -52
- package/dist/component/server/auth.d.ts.map +1 -1
- package/dist/component/server/auth.js +63 -43
- package/dist/component/server/auth.js.map +1 -1
- package/dist/component/server/core.js +116 -235
- package/dist/component/server/core.js.map +1 -1
- package/dist/component/server/crypto.js +25 -7
- package/dist/component/server/crypto.js.map +1 -1
- package/dist/component/server/device.js +58 -15
- package/dist/component/server/device.js.map +1 -1
- package/dist/component/server/enterprise/domain.js +148 -59
- package/dist/component/server/enterprise/domain.js.map +1 -1
- package/dist/component/server/enterprise/http.js +36 -15
- package/dist/component/server/enterprise/http.js.map +1 -1
- package/dist/component/server/enterprise/oidc.js +1 -1
- package/dist/component/server/http.js +26 -21
- package/dist/component/server/http.js.map +1 -1
- package/dist/component/server/identity.js +5 -2
- package/dist/component/server/identity.js.map +1 -1
- package/dist/component/server/limits.js +21 -30
- package/dist/component/server/limits.js.map +1 -1
- package/dist/component/server/mutations/account.js +12 -10
- package/dist/component/server/mutations/account.js.map +1 -1
- package/dist/component/server/mutations/code.js +5 -2
- package/dist/component/server/mutations/code.js.map +1 -1
- package/dist/component/server/mutations/invalidate.js +1 -1
- package/dist/component/server/mutations/invalidate.js.map +1 -1
- package/dist/component/server/mutations/oauth.js +10 -4
- package/dist/component/server/mutations/oauth.js.map +1 -1
- package/dist/component/server/mutations/refresh.js +2 -2
- package/dist/component/server/mutations/refresh.js.map +1 -1
- package/dist/component/server/mutations/register.js +46 -42
- package/dist/component/server/mutations/register.js.map +1 -1
- package/dist/component/server/mutations/retrieve.js +21 -25
- package/dist/component/server/mutations/retrieve.js.map +1 -1
- package/dist/component/server/mutations/signature.js +10 -4
- package/dist/component/server/mutations/signature.js.map +1 -1
- package/dist/component/server/mutations/signout.js.map +1 -1
- package/dist/component/server/mutations/store.js +9 -24
- package/dist/component/server/mutations/store.js.map +1 -1
- package/dist/component/server/mutations/verifier.js.map +1 -1
- package/dist/component/server/mutations/verify.js +1 -1
- package/dist/component/server/mutations/verify.js.map +1 -1
- package/dist/component/server/oauth.js +53 -16
- package/dist/component/server/oauth.js.map +1 -1
- package/dist/component/server/passkey.js +115 -31
- package/dist/component/server/passkey.js.map +1 -1
- package/dist/component/server/redirects.js +9 -3
- package/dist/component/server/redirects.js.map +1 -1
- package/dist/component/server/refresh.js +10 -7
- package/dist/component/server/refresh.js.map +1 -1
- package/dist/component/server/runtime.d.ts +3 -3
- package/dist/component/server/runtime.d.ts.map +1 -1
- package/dist/component/server/runtime.js +62 -20
- package/dist/component/server/runtime.js.map +1 -1
- package/dist/component/server/signin.js +34 -10
- package/dist/component/server/signin.js.map +1 -1
- package/dist/component/server/totp.js +79 -19
- package/dist/component/server/totp.js.map +1 -1
- package/dist/component/server/types.d.ts +12 -20
- package/dist/component/server/types.d.ts.map +1 -1
- package/dist/component/server/types.js.map +1 -1
- package/dist/component/server/users.js +6 -3
- package/dist/component/server/users.js.map +1 -1
- package/dist/component/server/utils.js +10 -4
- package/dist/component/server/utils.js.map +1 -1
- package/dist/core/types.d.ts +14 -22
- package/dist/core/types.d.ts.map +1 -1
- package/dist/factors/device.js +8 -9
- package/dist/factors/device.js.map +1 -1
- package/dist/factors/passkey.js +18 -21
- package/dist/factors/passkey.js.map +1 -1
- package/dist/providers/password.js +66 -81
- package/dist/providers/password.js.map +1 -1
- package/dist/runtime/invite.js +2 -8
- package/dist/runtime/invite.js.map +1 -1
- package/dist/server/auth.d.ts +95 -52
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +63 -43
- package/dist/server/auth.js.map +1 -1
- package/dist/server/core.d.ts +71 -159
- package/dist/server/core.d.ts.map +1 -1
- package/dist/server/core.js +116 -235
- package/dist/server/core.js.map +1 -1
- package/dist/server/crypto.d.ts.map +1 -1
- package/dist/server/crypto.js +25 -7
- package/dist/server/crypto.js.map +1 -1
- package/dist/server/device.js +58 -15
- package/dist/server/device.js.map +1 -1
- package/dist/server/enterprise/domain.d.ts +0 -8
- package/dist/server/enterprise/domain.d.ts.map +1 -1
- package/dist/server/enterprise/domain.js +148 -59
- package/dist/server/enterprise/domain.js.map +1 -1
- package/dist/server/enterprise/http.d.ts.map +1 -1
- package/dist/server/enterprise/http.js +35 -14
- package/dist/server/enterprise/http.js.map +1 -1
- package/dist/server/http.d.ts +2 -2
- package/dist/server/http.d.ts.map +1 -1
- package/dist/server/http.js +25 -20
- package/dist/server/http.js.map +1 -1
- package/dist/server/identity.js +5 -2
- package/dist/server/identity.js.map +1 -1
- package/dist/server/index.d.ts +2 -2
- package/dist/server/limits.js +21 -30
- package/dist/server/limits.js.map +1 -1
- package/dist/server/mounts.d.ts +26 -64
- package/dist/server/mounts.d.ts.map +1 -1
- package/dist/server/mounts.js +45 -106
- package/dist/server/mounts.js.map +1 -1
- package/dist/server/mutations/account.d.ts +8 -9
- package/dist/server/mutations/account.d.ts.map +1 -1
- package/dist/server/mutations/account.js +11 -9
- package/dist/server/mutations/account.js.map +1 -1
- package/dist/server/mutations/code.d.ts +13 -13
- package/dist/server/mutations/code.d.ts.map +1 -1
- package/dist/server/mutations/code.js +5 -2
- package/dist/server/mutations/code.js.map +1 -1
- package/dist/server/mutations/invalidate.d.ts +4 -4
- package/dist/server/mutations/invalidate.d.ts.map +1 -1
- package/dist/server/mutations/invalidate.js.map +1 -1
- package/dist/server/mutations/oauth.d.ts +12 -10
- package/dist/server/mutations/oauth.d.ts.map +1 -1
- package/dist/server/mutations/oauth.js +9 -3
- package/dist/server/mutations/oauth.js.map +1 -1
- package/dist/server/mutations/refresh.d.ts +3 -3
- package/dist/server/mutations/refresh.d.ts.map +1 -1
- package/dist/server/mutations/refresh.js +1 -1
- package/dist/server/mutations/refresh.js.map +1 -1
- package/dist/server/mutations/register.d.ts +11 -11
- package/dist/server/mutations/register.d.ts.map +1 -1
- package/dist/server/mutations/register.js +45 -41
- package/dist/server/mutations/register.js.map +1 -1
- package/dist/server/mutations/retrieve.d.ts +6 -6
- package/dist/server/mutations/retrieve.d.ts.map +1 -1
- package/dist/server/mutations/retrieve.js +20 -24
- package/dist/server/mutations/retrieve.js.map +1 -1
- package/dist/server/mutations/signature.d.ts +6 -7
- package/dist/server/mutations/signature.d.ts.map +1 -1
- package/dist/server/mutations/signature.js +9 -3
- package/dist/server/mutations/signature.js.map +1 -1
- package/dist/server/mutations/signin.d.ts +5 -5
- package/dist/server/mutations/signin.d.ts.map +1 -1
- package/dist/server/mutations/signout.js.map +1 -1
- package/dist/server/mutations/store.d.ts +97 -97
- package/dist/server/mutations/store.d.ts.map +1 -1
- package/dist/server/mutations/store.js +8 -23
- package/dist/server/mutations/store.js.map +1 -1
- package/dist/server/mutations/verifier.js.map +1 -1
- package/dist/server/mutations/verify.d.ts +10 -10
- package/dist/server/mutations/verify.d.ts.map +1 -1
- package/dist/server/mutations/verify.js.map +1 -1
- package/dist/server/oauth.js +53 -16
- package/dist/server/oauth.js.map +1 -1
- package/dist/server/passkey.d.ts +2 -2
- package/dist/server/passkey.d.ts.map +1 -1
- package/dist/server/passkey.js +114 -30
- package/dist/server/passkey.js.map +1 -1
- package/dist/server/redirects.js +9 -3
- package/dist/server/redirects.js.map +1 -1
- package/dist/server/refresh.js +10 -7
- package/dist/server/refresh.js.map +1 -1
- package/dist/server/runtime.d.ts +14 -14
- package/dist/server/runtime.d.ts.map +1 -1
- package/dist/server/runtime.js +61 -19
- package/dist/server/runtime.js.map +1 -1
- package/dist/server/signin.js +34 -10
- package/dist/server/signin.js.map +1 -1
- package/dist/server/ssr.d.ts.map +1 -1
- package/dist/server/ssr.js +175 -184
- package/dist/server/ssr.js.map +1 -1
- package/dist/server/totp.js +78 -18
- package/dist/server/totp.js.map +1 -1
- package/dist/server/types.d.ts +13 -21
- package/dist/server/types.d.ts.map +1 -1
- package/dist/server/types.js.map +1 -1
- package/dist/server/users.js +6 -3
- package/dist/server/users.js.map +1 -1
- package/dist/server/utils.js +10 -4
- package/dist/server/utils.js.map +1 -1
- package/package.json +2 -6
- package/src/authorization/index.ts +1 -1
- package/src/cli/index.ts +1 -1
- package/src/client/core/types.ts +14 -14
- package/src/client/factors/device.ts +10 -12
- package/src/client/factors/passkey.ts +23 -26
- package/src/client/index.ts +54 -64
- package/src/client/runtime/invite.ts +5 -7
- package/src/component/index.ts +1 -0
- package/src/component/public/enterprise/audit.ts +6 -1
- package/src/component/public/enterprise/core.ts +1 -0
- package/src/component/public/enterprise/domains.ts +5 -1
- package/src/component/public/enterprise/scim.ts +1 -0
- package/src/component/public/enterprise/secrets.ts +1 -0
- package/src/component/public/enterprise/webhooks.ts +1 -0
- package/src/component/public/factors/devices.ts +1 -0
- package/src/component/public/factors/passkeys.ts +1 -0
- package/src/component/public/factors/totp.ts +1 -0
- package/src/component/public/groups/core.ts +1 -1
- package/src/component/public/groups/invites.ts +7 -1
- package/src/component/public/groups/members.ts +1 -0
- package/src/component/public/identity/accounts.ts +1 -0
- package/src/component/public/identity/codes.ts +1 -0
- package/src/component/public/identity/sessions.ts +1 -0
- package/src/component/public/identity/tokens.ts +1 -0
- package/src/component/public/identity/users.ts +1 -0
- package/src/component/public/identity/verifiers.ts +1 -0
- package/src/component/public/security/keys.ts +1 -0
- package/src/component/public/security/limits.ts +1 -0
- package/src/providers/password.ts +89 -110
- package/src/server/auth.ts +177 -111
- package/src/server/core.ts +197 -233
- package/src/server/crypto.ts +31 -29
- package/src/server/device.ts +65 -32
- package/src/server/enterprise/domain.ts +158 -170
- package/src/server/enterprise/http.ts +46 -39
- package/src/server/http.ts +36 -30
- package/src/server/identity.ts +5 -5
- package/src/server/index.ts +2 -0
- package/src/server/limits.ts +53 -80
- package/src/server/mounts.ts +47 -74
- package/src/server/mutations/account.ts +22 -36
- package/src/server/mutations/code.ts +6 -6
- package/src/server/mutations/invalidate.ts +1 -1
- package/src/server/mutations/oauth.ts +14 -8
- package/src/server/mutations/refresh.ts +5 -4
- package/src/server/mutations/register.ts +87 -132
- package/src/server/mutations/retrieve.ts +44 -44
- package/src/server/mutations/signature.ts +13 -6
- package/src/server/mutations/signout.ts +1 -1
- package/src/server/mutations/store.ts +16 -31
- package/src/server/mutations/verifier.ts +1 -1
- package/src/server/mutations/verify.ts +3 -5
- package/src/server/oauth.ts +60 -69
- package/src/server/passkey.ts +567 -517
- package/src/server/redirects.ts +10 -6
- package/src/server/refresh.ts +14 -18
- package/src/server/runtime.ts +70 -55
- package/src/server/signin.ts +44 -37
- package/src/server/ssr.ts +390 -407
- package/src/server/totp.ts +85 -35
- package/src/server/types.ts +19 -22
- package/src/server/users.ts +7 -6
- package/src/server/utils.ts +10 -12
- package/dist/component/server/authError.js +0 -34
- package/dist/component/server/authError.js.map +0 -1
- package/dist/component/server/errors.d.ts +0 -1
- package/dist/component/server/errors.js +0 -137
- package/dist/component/server/errors.js.map +0 -1
- package/dist/server/authError.d.ts +0 -46
- package/dist/server/authError.d.ts.map +0 -1
- package/dist/server/authError.js +0 -34
- package/dist/server/authError.js.map +0 -1
- package/dist/server/errors.d.ts +0 -177
- package/dist/server/errors.d.ts.map +0 -1
- package/dist/server/errors.js +0 -212
- package/dist/server/errors.js.map +0 -1
- package/src/server/authError.ts +0 -44
- package/src/server/errors.ts +0 -290
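--- a/package/src/server/oauth.ts
+++ b/package/src/server/oauth.ts
@@ -3,17 +3,18 @@
 *
 * Uses Arctic for OAuth provider integration.
 *
-* All functions return `Fx<A,
+* All functions return `Fx<A, ConvexError<any>>` composed via `Fx.gen` pipelines.
 *
 * @internal
 * @module
 */
 
 import { Fx } from "@robelest/fx";
+import { Cv } from "@robelest/fx/convex";
 import * as arctic from "arctic";
+import type { ConvexError } from "convex/values";
 
 import { SHARED_COOKIE_OPTIONS } from "./cookies";
-import { AuthError } from "./authError";
 import type { OAuthProfile } from "./types";
 import { logWithLevel } from "./utils";
 import { isLocalHost } from "./utils";
@@ -134,13 +135,13 @@ function isPKCEProvider(provider: any): boolean {
 
 /**
 * Exchange the authorization code for tokens via Arctic.
-* Maps Arctic-specific errors to typed `
+* Maps Arctic-specific errors to typed `ConvexError<any>` failures.
 */
 function exchangeCode(
 arcticProvider: any,
 code: string,
 codeVerifier: string | undefined,
-): Fx<arctic.OAuth2Tokens,
+): Fx<arctic.OAuth2Tokens, ConvexError<any>> {
 return Fx.from({
 ok: () =>
 isPKCEProvider(arcticProvider)
@@ -148,24 +149,24 @@ function exchangeCode(
 : arcticProvider.validateAuthorizationCode(code),
 err: (e) => {
 if (e instanceof arctic.OAuth2RequestError) {
-return
-"OAUTH_PROVIDER_ERROR",
-`Token exchange failed: ${e.code}`,
-);
+return Cv.error({
+code: "OAUTH_PROVIDER_ERROR",
+message: `Token exchange failed: ${e.code}`,
+});
 }
 if (e instanceof arctic.ArcticFetchError) {
-return
-"OAUTH_PROVIDER_ERROR",
-`Network error during token exchange: ${e.message}`,
-);
+return Cv.error({
+code: "OAUTH_PROVIDER_ERROR",
+message: `Network error during token exchange: ${e.message}`,
+});
 }
 // Unknown error — treat as unrecoverable defect; we surface it as
-// an
+// an ConvexError<any> here so the pipeline type stays Fx<_, ConvexError<any>>.
 // The original `throw e` re-throw is replicated via Fx.fatal below.
-return
-"OAUTH_PROVIDER_ERROR",
-`Unexpected error during token exchange: ${e instanceof Error ? e.message : String(e)}`,
-);
+return Cv.error({
+code: "OAUTH_PROVIDER_ERROR",
+message: `Unexpected error during token exchange: ${e instanceof Error ? e.message : String(e)}`,
+});
 },
 }).pipe(
 Fx.chain((tokens) => {
@@ -186,7 +187,7 @@ function extractProfile(
 providerId: string,
 oauthConfig: OAuthProviderConfigLike,
 tokens: arctic.OAuth2Tokens,
-): Fx<OAuthProfile,
+): Fx<OAuthProfile, ConvexError<any>> {
 const hasIdToken =
 "id_token" in tokens.data &&
 typeof (tokens.data as any).id_token === "string";
@@ -201,10 +202,10 @@ function extractProfile(
 Fx.from({
 ok: () => oauthConfig.profile!(tokens),
 err: (e) =>
-
-"OAUTH_INVALID_PROFILE",
-`Profile callback threw: ${e instanceof Error ? e.message : String(e)}`,
-),
+Cv.error({
+code: "OAUTH_INVALID_PROFILE",
+message: `Profile callback threw: ${e instanceof Error ? e.message : String(e)}`,
+}),
 }),
 idToken: (_profileSource) => {
 const claims = arctic.decodeIdToken(tokens.idToken()) as Record<
@@ -219,13 +220,12 @@ function extractProfile(
 });
 },
 missing: (_profileSource) =>
-
-
-
+Cv.fail({
+code: "OAUTH_INVALID_PROFILE",
+message:
 `Provider "${providerId}" does not return an ID token. ` +
-
-
-),
+`Add a \`profile\` callback in the OAuth() config to extract user info from the access token.`,
+}),
 });
 }
 
@@ -235,15 +235,13 @@ function extractProfile(
 function validateProfileId(
 providerId: string,
 profile: OAuthProfile,
-): Fx<OAuthProfile,
+): Fx<OAuthProfile, ConvexError<any>> {
 return typeof profile.id === "string" && profile.id
 ? Fx.succeed(profile)
-:
-
-
-
-),
-);
+: Cv.fail({
+code: "OAUTH_INVALID_PROFILE",
+message: `The profile callback for "${providerId}" must return an object with a string \`id\` field.`,
+});
 }
 
 // ============================================================================
@@ -308,7 +306,7 @@ export async function createOAuthAuthorizationURL(
 * Handle the OAuth callback: validate state, exchange code for tokens,
 * extract profile.
 *
-* Returns `Fx<CallbackResult,
+* Returns `Fx<CallbackResult, ConvexError<any>>` composed via `Fx.gen`.
 */
 /** @internal */
 export function handleOAuthCallback(
@@ -317,7 +315,7 @@ export function handleOAuthCallback(
 oauthConfig: OAuthProviderConfigLike,
 params: Record<string, string>,
 cookies: Record<string, string | undefined>,
-): Fx<CallbackResult,
+): Fx<CallbackResult, ConvexError<any>> {
 return Fx.gen(function* () {
 const resCookies: OAuthCookie[] = [];
 
@@ -328,7 +326,10 @@ export function handleOAuthCallback(
 
 yield* Fx.guard(
 !storedState || !returnedState || storedState !== returnedState,
-
+Cv.fail({
+code: "OAUTH_INVALID_STATE",
+message: "Invalid OAuth state. Please try signing in again.",
+}),
 );
 resCookies.push(clearCookie("state", providerId));
 
@@ -340,26 +341,20 @@ export function handleOAuthCallback(
 error_description: params.error_description,
 };
 logWithLevel("DEBUG", "OAuthCallbackError", cause);
-yield*
-
-
-
-
-cause: JSON.stringify(cause),
-},
-),
-);
+yield* Cv.fail({
+code: "OAUTH_PROVIDER_ERROR",
+message: "OAuth provider returned an error",
+cause: JSON.stringify(cause),
+});
 }
 
 // 2. Get code
 const code = yield* params.code != null
 ? Fx.succeed(params.code)
-:
-
-
-
-),
-);
+: Cv.fail({
+code: "OAUTH_PROVIDER_ERROR",
+message: "Missing authorization code in callback",
+});
 
 // 3. Read PKCE verifier from cookie if applicable
 let codeVerifier: string | undefined;
@@ -367,12 +362,10 @@ export function handleOAuthCallback(
 const pkceCookieName = oauthCookieName("pkce", providerId);
 codeVerifier = yield* cookies[pkceCookieName] != null
 ? Fx.succeed(cookies[pkceCookieName]!)
-:
-
-
-
-),
-);
+: Cv.fail({
+code: "OAUTH_MISSING_VERIFIER",
+message: "Missing PKCE verifier cookie for OAuth callback",
+});
 resCookies.push(clearCookie("pkce", providerId));
 }
 
@@ -381,12 +374,10 @@ export function handleOAuthCallback(
 const nonceCookieName = oauthCookieName("nonce", providerId);
 nonce = yield* cookies[nonceCookieName] != null
 ? Fx.succeed(cookies[nonceCookieName]!)
-:
-
-
-
-),
-);
+: Cv.fail({
+code: "OAUTH_PROVIDER_ERROR",
+message: "Missing nonce cookie for OAuth callback",
+});
 resCookies.push(clearCookie("nonce", providerId));
 }
 
@@ -397,10 +388,10 @@ export function handleOAuthCallback(
 yield* Fx.from({
 ok: () => oauthConfig.validateTokens!(tokens, { nonce }),
 err: (e) =>
-
-"OAUTH_PROVIDER_ERROR",
-`Token validation failed: ${e instanceof Error ? e.message : String(e)}`,
-),
+Cv.error({
+code: "OAUTH_PROVIDER_ERROR",
+message: `Token validation failed: ${e instanceof Error ? e.message : String(e)}`,
+}),
 });
 }
 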
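Review bot: The catch-all branch of `exchangeCode` (new line 168), the profile-callback wrapper (new line 207) and the `validateTokens` wrapper (new line 393) now copy an arbitrary exception's `e.message` into the `message` of a `ConvexError`, and the provider-error branch (new line 347) embeds the provider's `error_description` via `cause: JSON.stringify(cause)`; since `ConvexError` data is the part of an error Convex forwards to the caller, these strings are likely to travel further than the former `AuthError` did, so unless the HTTP layer outside this hunk redacts them, log the detail with `logWithLevel` (as line 343 already does) and return a fixed message such as `message: "Unexpected error during token exchange"`. The comment at new line 164 also no longer matches the code beneath it: it says the re-throw "is replicated via Fx.fatal below" while the branch now returns `Cv.error`, and it should read "a ConvexError" rather than "an ConvexError". Typing the whole error channel as `ConvexError<any>` discards the error codes that were previously typed; a union such as `ConvexError<{ code: "OAUTH_PROVIDER_ERROR" | "OAUTH_INVALID_PROFILE" | "OAUTH_INVALID_STATE" | "OAUTH_MISSING_VERIFIER"; message: string; cause?: string }>` would keep them checkable. A missing nonce cookie is the same client-state condition as a missing PKCE cookie, yet it is coded `OAUTH_PROVIDER_ERROR` (new line 378) while the PKCE case gets `OAUTH_MISSING_VERIFIER` (new line 366); a dedicated code for both would let the caller distinguish a stale browser session from a real provider failure. `handleOAuthCallback` continues past the end of this hunk.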