@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.23

package/src/server/redirects.ts

@@ -1,4 +1,5 @@
-import { AuthError } from "./authError";
+import { Cv } from "@robelest/fx/convex";
+
 import { ConvexAuthMaterializedConfig } from "./types";
 import { requireEnv } from "./utils";
 
@@ -11,17 +12,20 @@ export async function redirectAbsoluteUrl(
     return requireEnv("SITE_URL").replace(/\/$/, "");
   }
   if (typeof params.redirectTo !== "string") {
-    throw new AuthError(
-      "INVALID_REDIRECT",
-      `Expected \`redirectTo\` to be a string, got ${params.redirectTo as any}`,
-    );
+    throw Cv.error({
+      code: "INVALID_REDIRECT",
+      message: `Expected \`redirectTo\` to be a string, got ${params.redirectTo as any}`,
+    });
   }
   const redirectCallback =
     config.callbacks?.redirect ?? defaultRedirectCallback;
   try {
     return await redirectCallback({ redirectTo: params.redirectTo });
   } catch {
-    throw new AuthError("INTERNAL_ERROR");
+    throw Cv.error({
+      code: "INTERNAL_ERROR",
+      message: "An unexpected error occurred.",
+    });
   }
 }
 

package/src/server/refresh.ts

@@ -1,8 +1,8 @@
 import { Fx } from "@robelest/fx";
-import { GenericId } from "convex/values";
+import { Cv } from "@robelest/fx/convex";
+import { ConvexError, GenericId } from "convex/values";
 
 import { authDb } from "./db";
-import { AuthError } from "./authError";
 import { Doc, MutationCtx } from "./types";
 import { ConvexAuthConfig } from "./types";
 import {
@@ -56,21 +56,19 @@ export const parseRefreshToken = (
     refreshTokenId: GenericId<"RefreshToken">;
     sessionId: GenericId<"Session">;
   },
-  AuthError
+  ConvexError<any>
 > => {
   const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);
   const msg = `Can't parse refresh token: ${maybeRedact(refreshToken)}`;
-  const refreshTokenIdFx: Fx<string, AuthError> =
-    refreshTokenId != null
-      ? Fx.succeed(refreshTokenId)
-      : Fx.fail(new AuthError("INVALID_REFRESH_TOKEN", msg));
+  const refreshTokenIdFx: Fx<string, ConvexError<any>> = refreshTokenId != null
+    ? Fx.succeed(refreshTokenId)
+    : Cv.fail({ code: "INVALID_REFRESH_TOKEN", message: msg });
 
   return refreshTokenIdFx.pipe(
     Fx.chain((rtId) => {
-      const sessionIdFx: Fx<string, AuthError> =
-        sessionId != null
-          ? Fx.succeed(sessionId)
-          : Fx.fail(new AuthError("INVALID_REFRESH_TOKEN", msg));
+      const sessionIdFx: Fx<string, ConvexError<any>> = sessionId != null
+        ? Fx.succeed(sessionId)
+        : Cv.fail({ code: "INVALID_REFRESH_TOKEN", message: msg });
       return sessionIdFx.pipe(
         Fx.map((sId) => ({
           refreshTokenId: rtId as GenericId<"RefreshToken">,
@@ -115,13 +113,11 @@ export async function invalidateRefreshTokensInSubtree(
     Fx.each(tokensToInvalidate, (token) =>
       token.firstUsedTime === undefined ||
       token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS
-        ? Fx.from({
-            ok: () =>
-              db.refreshTokens.patch(token._id, {
-                firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,
-              }),
-            err: (e) => e as never,
-          })
+        ? Fx.promise(() =>
+            db.refreshTokens.patch(token._id, {
+              firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS,
+            }),
+          )
         : Fx.unit,
     ),
   );

package/src/server/runtime.ts

@@ -1,5 +1,6 @@
+import { Fx } from "@robelest/fx";
+import { Cv } from "@robelest/fx/convex";
 import {
-  Auth,
   GenericActionCtx,
   GenericDataModel,
   HttpRouter,
@@ -9,10 +10,10 @@ import {
 import { v } from "convex/values";
 import { serialize as serializeCookie } from "cookie";
 
-import { createCoreDomains } from "./core";
+import { configDefaults, listAvailableProviders } from "./config";
 import { redirectToParamCookie, useRedirectToParam } from "./cookies";
-import { createEnterpriseDomain } from "./enterprise/domain";
-import { addEnterpriseHttpRuntime } from "./enterprise/http";
+import { createCoreDomains } from "./core";
+import { GetProviderOrThrowFunc } from "./crypto";
 import {
   getOidcConfig,
   getPublicOidcConfig,
@@ -20,24 +21,24 @@ import {
   upsertProtocolConfig,
   withOidcSecretState,
 } from "./enterprise/config";
-import { normalizeEnterprisePolicy, patchEnterprisePolicy } from "./enterprise/policy";
+import { createEnterpriseDomain } from "./enterprise/domain";
+import { addEnterpriseHttpRuntime } from "./enterprise/http";
+import {
+  normalizeEnterprisePolicy,
+  patchEnterprisePolicy,
+} from "./enterprise/policy";
 import {
   createServiceProviderMetadata,
   getSamlServiceProviderOptions,
   parseSamlIdpMetadata,
 } from "./enterprise/saml";
-import {
-  parseScimPath,
-} from "./enterprise/scim";
+import { parseScimPath } from "./enterprise/scim";
 import {
   enterpriseOidcProviderId,
   getEnterpriseOidcUrls,
   isEnterpriseSamlSourceActive,
   normalizeDomain,
 } from "./enterprise/shared";
-import { Fx } from "@robelest/fx";
-
-import { AuthError } from "./authError";
 import {
   addAuthRoutes,
   addOpenIdRoutes,
@@ -58,8 +59,6 @@ import {
   storeImpl,
 } from "./mutations/index";
 import { createOAuthAuthorizationURL, handleOAuthCallback } from "./oauth";
-import { GetProviderOrThrowFunc } from "./crypto";
-import { configDefaults, listAvailableProviders } from "./config";
 import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects";
 import { signInImpl } from "./signin";
 import type {
@@ -171,9 +170,11 @@ export function Auth(config_: ConvexAuthConfig) {
         `Provider \`${id}\` is not configured, ` +
         `available providers are ${listAvailableProviders(config, allowExtraProviders)}.`;
       logWithLevel(LOG_LEVELS.ERROR, detail);
-      throw new AuthError("PROVIDER_NOT_CONFIGURED", detail, {
+      throw Cv.error({
+        code: "PROVIDER_NOT_CONFIGURED",
+        message: detail,
         provider: id,
-      }).toConvexError();
+      });
     }
     return provider;
   };
@@ -231,10 +232,10 @@ export function Auth(config_: ConvexAuthConfig) {
       },
     );
     if (!enterprise) {
-      throw new AuthError(
-        "INVALID_PARAMETERS",
-        enterpriseNotFoundError,
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_PARAMETERS",
+        message: enterpriseNotFoundError,
+      });
     }
     return enterprise;
   };
@@ -245,10 +246,10 @@ export function Auth(config_: ConvexAuthConfig) {
   ) => {
     const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);
     if (enterprise.status !== "active") {
-      throw new AuthError(
-        "INVALID_PARAMETERS",
-        "Enterprise connection is not active.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_PARAMETERS",
+        message: "Enterprise connection is not active.",
+      });
     }
     return enterprise;
   };
@@ -268,17 +269,17 @@ export function Auth(config_: ConvexAuthConfig) {
       enterprise,
     };
     if (!isEnterpriseSamlSourceActive(loaded)) {
-      throw new AuthError(
-        "INVALID_PARAMETERS",
-        "Enterprise connection is not active.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_PARAMETERS",
+        message: "Enterprise connection is not active.",
+      });
     }
     const saml = getSamlConfig(loaded.config);
     if (!saml.idp?.metadataXml) {
-      throw new AuthError(
-        "PROVIDER_NOT_CONFIGURED",
-        "SAML is not configured for this enterprise.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "PROVIDER_NOT_CONFIGURED",
+        message: "SAML is not configured for this enterprise.",
+      });
     }
     return { loaded, enterprise, saml };
   };
@@ -290,10 +291,10 @@ export function Auth(config_: ConvexAuthConfig) {
     const enterprise = await loadActiveEnterpriseOrThrow(ctx, enterpriseId);
     const oidc = await getEnterpriseOidcConfigWithSecret(ctx, enterprise);
     if (oidc.enabled !== true) {
-      throw new AuthError(
-        "PROVIDER_NOT_CONFIGURED",
-        "OIDC is not configured for this enterprise.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "PROVIDER_NOT_CONFIGURED",
+        message: "OIDC is not configured for this enterprise.",
+      });
     }
     return { enterprise, oidc };
   };
@@ -407,7 +408,10 @@ export function Auth(config_: ConvexAuthConfig) {
   ) => {
     const authHeader = request.headers.get("Authorization");
     if (!authHeader?.startsWith("Bearer ")) {
-      throw new AuthError("MISSING_BEARER_TOKEN").toConvexError();
+      throw Cv.error({
+        code: "MISSING_BEARER_TOKEN",
+        message: "Missing or malformed Authorization: Bearer header.",
+      });
     }
     const token = authHeader.slice(7);
     const scimConfig = await ctx.runQuery(
@@ -415,17 +419,17 @@ export function Auth(config_: ConvexAuthConfig) {
       { tokenHash: await sha256(token) },
     );
     if (!scimConfig || scimConfig.status !== "active") {
-      throw new AuthError(
-        "INVALID_API_KEY",
-        "Invalid SCIM token.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_API_KEY",
+        message: "Invalid SCIM token.",
+      });
     }
     const parsedPath = parseScimPath(new URL(request.url).pathname);
     if (parsedPath.enterpriseId !== scimConfig.enterpriseId) {
-      throw new AuthError(
-        "INVALID_API_KEY",
-        "SCIM token/tenant mismatch.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_API_KEY",
+        message: "SCIM token/tenant mismatch.",
+      });
     }
     const enterprise = await ctx.runQuery(
       config.component.public.enterpriseGet,
@@ -434,10 +438,10 @@ export function Auth(config_: ConvexAuthConfig) {
       },
     );
     if (enterprise === null) {
-      throw new AuthError(
-        "INVALID_PARAMETERS",
-        "Enterprise not found.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_PARAMETERS",
+        message: "Enterprise not found.",
+      });
     }
     return { scimConfig, enterprise, parsedPath };
   };
@@ -548,13 +552,19 @@ export function Auth(config_: ConvexAuthConfig) {
             handleSignIn: convertErrorsToResponse(400, async (ctx, request) => {
               const url = new URL(request.url);
               const pathParts = url.pathname.split("/");
-              const providerId = pathParts.at(-1)!;
+              const providerId = pathParts[pathParts.length - 1]!;
               if (providerId === null) {
-                throw new AuthError("OAUTH_MISSING_PROVIDER").toConvexError();
+                throw Cv.error({
+                  code: "OAUTH_MISSING_PROVIDER",
+                  message: "Missing OAuth provider ID.",
+                });
               }
               const verifier = url.searchParams.get("code");
               if (verifier === null) {
-                throw new AuthError("OAUTH_MISSING_VERIFIER").toConvexError();
+                throw Cv.error({
+                  code: "OAUTH_MISSING_VERIFIER",
+                  message: "Missing sign-in verifier.",
+                });
               }
               const provider = getProviderOrThrow(providerId);
 
@@ -588,11 +598,16 @@ export function Auth(config_: ConvexAuthConfig) {
             }),
             handleCallback: async (ctx, request) => {
               const url = new URL(request.url);
-              const providerId = new URL(request.url).pathname
-                .split("/")
-                .at(-1);
+              const callbackPathParts = new URL(request.url).pathname.split(
+                "/",
+              );
+              const providerId =
+                callbackPathParts[callbackPathParts.length - 1];
               if (!providerId) {
-                throw new AuthError("OAUTH_MISSING_PROVIDER").toConvexError();
+                throw Cv.error({
+                  code: "OAUTH_MISSING_PROVIDER",
+                  message: "Missing OAuth provider ID.",
+                });
               }
               logWithLevel(
                 LOG_LEVELS.DEBUG,

package/src/server/signin.ts

@@ -1,10 +1,10 @@
 import type { Fx as FxType } from "@robelest/fx";
+import { Fx } from "@robelest/fx";
+import { Cv } from "@robelest/fx/convex";
 import { GenericId } from "convex/values";
+import { ConvexError } from "convex/values";
 
 import { handleDevice } from "./device";
-import { Fx } from "@robelest/fx";
-
-import { AuthError } from "./authError";
 import {
   callCreateVerificationCode,
   callRefreshSession,
@@ -79,9 +79,7 @@ export async function signInImpl(
   },
 ): Promise<SignInResult> {
   const fx = signInFx(ctx, provider, args, options);
-  return Fx.run(
-    fx.pipe(Fx.recover((e) => Fx.fatal((e as AuthError).toConvexError()))),
-  );
+  return Fx.run(fx.pipe(Fx.recover((e) => Fx.fatal(e))));
 }
 
 /**
@@ -104,7 +102,7 @@ function signInFx(
     generateTokens: boolean;
     allowExtraProviders: boolean;
   },
-): FxType<SignInResult, AuthError> {
+): FxType<SignInResult, ConvexError<any>> {
   return Fx.gen(function* () {
     // --- Refresh token (no provider) ---
     if (provider === null && args.refreshToken) {
@@ -133,7 +131,10 @@ function signInFx(
     // --- Provider is required past this point ---
     const resolvedProvider = yield* provider != null
       ? Fx.succeed(provider)
-      : Fx.fail(new AuthError("SIGN_IN_MISSING_PARAMS"));
+      : Cv.fail({
+          code: "SIGN_IN_MISSING_PARAMS",
+          message: "Cannot sign in: missing provider, code, or refresh token.",
+        });
 
     // --- Dispatch by provider type ---
     return yield* Fx.match(resolvedProvider).on("type", {
@@ -167,7 +168,7 @@ function handleEmailAndPhoneProviderFx(
 ): FxType<
   | { kind: "started"; started: true }
   | { kind: "signedIn"; signedIn: SessionInfoWithTokens },
-  AuthError
+  ConvexError<any>
 > {
   return Fx.gen(function* () {
     // --- Code verification path ---
@@ -182,7 +183,10 @@ function handleEmailAndPhoneProviderFx(
       );
       const verified = yield* result != null
         ? Fx.succeed(result)
-        : Fx.fail(new AuthError("INVALID_VERIFICATION_CODE"));
+        : Cv.fail({
+            code: "INVALID_VERIFICATION_CODE",
+            message: "Invalid or expired verification code.",
+          });
       return {
         kind: "signedIn" as const,
         signedIn: verified as SessionInfoWithTokens,
@@ -196,10 +200,10 @@ function handleEmailAndPhoneProviderFx(
       ? yield* Fx.from({
           ok: async () => provider.generateVerificationToken!(),
           err: () =>
-            new AuthError(
-              "INTERNAL_ERROR",
-              "Failed to generate verification token",
-            ),
+            Cv.error({
+              code: "INTERNAL_ERROR",
+              message: "Failed to generate verification token",
+            }),
         })
       : generateRandomString(32, alphabet);
     const expirationTime =
@@ -242,7 +246,10 @@ function handleEmailAndPhoneProviderFx(
               ctx,
             ),
           err: () =>
-            new AuthError("INTERNAL_ERROR", "Failed to send email code"),
+            Cv.error({
+              code: "INTERNAL_ERROR",
+              message: "Failed to send email code",
+            }),
         }),
       phone: (p) =>
         Fx.from({
@@ -252,7 +259,10 @@ function handleEmailAndPhoneProviderFx(
               ctx,
             ),
           err: () =>
-            new AuthError("INTERNAL_ERROR", "Failed to send phone code"),
+            Cv.error({
+              code: "INTERNAL_ERROR",
+              message: "Failed to send phone code",
+            }),
         }),
     });
     return { kind: "started" as const, started: true as const };
@@ -275,7 +285,7 @@ function handleCredentialsFx(
 ): FxType<
   | { kind: "signedIn"; signedIn: SessionInfo | null }
   | { kind: "totpRequired"; verifier: string },
-  AuthError
+  ConvexError<any>
 > {
   return Fx.gen(function* () {
     const result = yield* Fx.promise(() =>
@@ -338,7 +348,7 @@ function handleOAuthProviderFx(
 ): FxType<
   | { kind: "signedIn"; signedIn: SessionInfoWithTokens | null }
   | { kind: "redirect"; redirect: string; verifier: string },
-  AuthError
+  ConvexError<any>
 > {
   return Fx.gen(function* () {
     // --- Code verification path ---
@@ -368,12 +378,10 @@ function handleOAuthProviderFx(
     if (args.params?.redirectTo !== undefined) {
       yield* Fx.guard(
         typeof args.params.redirectTo !== "string",
-        Fx.fail(
-          new AuthError(
-            "INVALID_REDIRECT",
-            `Expected \`redirectTo\` to be a string, got ${args.params.redirectTo}`,
-          ),
-        ),
+        Cv.fail({
+          code: "INVALID_REDIRECT",
+          message: `Expected \`redirectTo\` to be a string, got ${args.params.redirectTo}`,
+        }),
       );
       redirect.searchParams.set("redirectTo", args.params.redirectTo);
     }
@@ -395,26 +403,25 @@ function handleSsoProviderFx(
   args: {
     params?: Record<string, any>;
   },
-): FxType<{ kind: "redirect"; redirect: string; verifier: string }, AuthError> {
+): FxType<
+  { kind: "redirect"; redirect: string; verifier: string },
+  ConvexError<any>
+> {
   return Fx.gen(function* () {
     const enterpriseId = args.params?.enterpriseId;
     if (!enterpriseId || typeof enterpriseId !== "string") {
-      return yield* Fx.fail(
-        new AuthError(
-          "SIGN_IN_MISSING_PARAMS",
-          "enterpriseId is required for SSO sign-in.",
-        ),
-      );
+      return yield* Cv.fail({
+        code: "SIGN_IN_MISSING_PARAMS",
+        message: "enterpriseId is required for SSO sign-in.",
+      });
     }
 
     const protocol: "oidc" | "saml" = args.params?.protocol ?? "oidc";
     if (protocol !== "oidc" && protocol !== "saml") {
-      return yield* Fx.fail(
-        new AuthError(
-          "SIGN_IN_MISSING_PARAMS",
-          `Invalid SSO protocol: ${protocol as string}. Expected "oidc" or "saml".`,
-        ),
-      );
+      return yield* Cv.fail({
+        code: "SIGN_IN_MISSING_PARAMS",
+        message: `Invalid SSO protocol: ${protocol as string}. Expected "oidc" or "saml".`,
+      });
     }
 
     const verifier = yield* Fx.promise(() => callVerifier(ctx));