@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.23

package/dist/component/server/auth.d.ts

@@ -10,7 +10,9 @@ import { GenericId } from "convex/values";
  * minus `component` (which is passed as the first constructor argument).
  */
 type AuthConfig = Omit<ConvexAuthConfig, "component">;
-type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig | undefined> = Omit<ReturnType<typeof Auth>["auth"]["member"], "create" | "list" | "update" | "resolve"> & {
+/** Canonical user document type exposed by Convex Auth. */
+type UserDoc = Doc<"User">;
+type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig | undefined> = Omit<ReturnType<typeof Auth>["auth"]["member"], "create" | "list" | "update" | "inspect" | "require"> & {
   create: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["create"]>[0], data: {
     groupId: string;
     userId: string;
@@ -18,7 +20,6 @@ type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig |
     status?: string;
     extend?: Record<string, unknown>;
   }) => Promise<{
-    ok: true;
     memberId: string;
   }>;
   list: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["list"]>[0], opts?: {
@@ -36,17 +37,22 @@ type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig |
   update: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["update"]>[0], memberId: string, data: Record<string, unknown> & {
     roleIds?: AuthRoleId<TAuthorization>[];
   }) => Promise<{
-    ok: true;
     memberId: string;
   }>;
-  resolve: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["resolve"]>[0], opts: {
+  inspect: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["inspect"]>[0], opts: {
+    userId: string;
+    groupId: string;
+    ancestry?: boolean;
+    maxDepth?: number;
+  }) => ReturnType<ReturnType<typeof Auth>["auth"]["member"]["inspect"]>;
+  require: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["require"]>[0], opts: {
     userId: string;
     groupId: string;
     ancestry?: boolean;
     roleIds?: AuthRoleId<TAuthorization>[];
     grants?: AuthGrant<TAuthorization>[];
     maxDepth?: number;
-  }) => ReturnType<ReturnType<typeof Auth>["auth"]["member"]["resolve"]>;
+  }) => ReturnType<ReturnType<typeof Auth>["auth"]["member"]["require"]>;
 };
 /**
  * The base auth API surface returned by {@link createAuth}.
@@ -77,30 +83,29 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
   key: ReturnType<typeof Auth>["auth"]["key"];
   http: ReturnType<typeof Auth>["auth"]["http"];
   /**
-   * Resolve the current user's auth context. Framework-agnostic — use
+   * Resolve the current request's auth context. Framework-agnostic — use
    * this in fluent-convex middleware, custom wrappers, or anywhere you
-   * need the resolved `{ userId, user, groupId, role, grants }` object.
+   * need the current `{ userId, user, groupId, role, grants }` object.
    *
-   * Returns `null` when unauthenticated. Does not throw.
+   * Throws a structured `ConvexError` when unauthenticated.
    *
    * @param ctx - Convex query, mutation, or action context.
-   * @returns The resolved auth context, or `null`.
+   * @returns The current auth context.
    *
    * @example fluent-convex middleware
    * ```ts
    * const withAuth = convex.createMiddleware(async (ctx, next) => {
-   *   return next({ ...ctx, auth: await auth.resolve(ctx) });
+   *   return next({ ...ctx, auth: await auth.context(ctx) });
    * });
    * ```
    *
    * @example Direct usage in a handler
    * ```ts
-   * const resolved = await auth.resolve(ctx);
-   * if (!resolved) return { ok: false, code: "NOT_SIGNED_IN" };
-   * const { userId, grants } = resolved;
+   * const authContext = await auth.context(ctx);
+   * const { userId, grants } = authContext;
    * ```
    */
-  resolve: (ctx: any) => Promise<AuthResolvedContext | null>;
+  context: (ctx: any) => Promise<AuthContext>;
   /**
    * Context enrichment for convex-helpers `customQuery` / `customMutation` /
    * `customAction`.
@@ -109,9 +114,9 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
    * and grants, then attaches them to `ctx.auth`. Returns a `Customization`
    * object compatible with convex-helpers' custom function builders.
    *
-   * `ctx.auth` is `{ userId, user, groupId, role, grants }` when
-   * authenticated, `null` when unauthenticated. No throwing — your
-   * handler decides how to respond.
+   * `ctx.auth` is the current request auth context.
+   * By default this throws when unauthenticated so handlers can assume
+   * `ctx.auth.userId` and `ctx.auth.user` exist.
    *
    * @returns A convex-helpers `Customization` object.
    *
@@ -133,7 +138,6 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
    * export const list = authQuery({
    *   args: { workspaceId: v.string() },
    *   handler: async (ctx, args) => {
-   *     if (!ctx.auth) return [];
    *     const { userId, groupId, grants } = ctx.auth;
    *     // business logic
    *   },
@@ -144,26 +148,53 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
     args: Record<string, never>;
     input: (ctx: any) => Promise<{
       ctx: {
-        auth: AuthResolvedContext | null;
+        auth: AuthContext;
       };
       args: Record<string, never>;
     }>;
   };
 };
 /**
- * Resolved auth context injected into `ctx.auth` by `auth.ctx()`.
+ * Current request auth context injected into `ctx.auth` by `auth.ctx()` and
+ * {@link AuthCtx}. This is the authenticated auth shape returned by
+ * {@link createAuth().context}. Optional context builders may still surface
+ * nullable fields when `optional: true` is used.
  *
- * - `null` when unauthenticated.
  * - `groupId` is `null` when the user has no active group set.
- * - `role` / `grants` are `null` / `[]` when no active group or no membership.
+ * - `role` is `null` when no active group or no membership is resolved.
+ * - `grants` is `[]` when no active group or no membership is resolved.
+ *
+ * @example
+ * ```ts
+ * import type { AuthContext } from "@robelest/convex-auth/server";
+ *
+ * const mockAuth: AuthContext = {
+ *   userId: "user123" as Id<"User">,
+ *   user: { _id: "user123", email: "test@example.com" },
+ *   groupId: "group456",
+ *   role: "admin",
+ *   grants: ["read", "write"],
+ * };
+ * ```
  */
-type AuthResolvedContext = {
-  /** The authenticated user's document ID. */userId: string; /** The authenticated user's full document. */
-  user: any; /** The user's active group ID, or `null` if none set. */
+type AuthContext = {
+  /** The authenticated user's document ID. */userId: GenericId<"User">; /** The authenticated user's full document. */
+  user: UserDoc; /** The user's active group ID, or `null` if none set. */
   groupId: string | null; /** The user's primary role in the active group, or `null`. */
   role: string | null; /** Resolved grant strings from the user's role definitions. */
   grants: string[];
 };
+type AuthCtxBase = {
+  getUserIdentity: () => Promise<UserIdentity | null>;
+};
+type RequiredAuthCtxState = AuthCtxBase & AuthContext;
+type OptionalAuthCtxState = AuthCtxBase & {
+  userId: GenericId<"User"> | null;
+  user: UserDoc | null;
+  groupId: string | null;
+  role: string | null;
+  grants: string[];
+};
 type InternalSsoApi = ReturnType<typeof Auth>["auth"]["sso"];
 type PublicSsoAdminApi = {
   connection: InternalSsoApi["connection"] & {
@@ -174,7 +205,6 @@ type PublicSsoAdminApi = {
         domain: string;
         isPrimary?: boolean;
       }>) => Promise<{
-        ok: true;
         enterpriseId: string;
         domains: Array<{
           domainId: string;
@@ -189,7 +219,6 @@ type PublicSsoAdminApi = {
           enterpriseId: string;
           domain: string;
         }) => Promise<{
-          ok: true;
           enterpriseId: string;
           domain: string;
           requestedAt: number;
@@ -204,7 +233,6 @@ type PublicSsoAdminApi = {
           enterpriseId: string;
           domain: string;
         }) => Promise<{
-          ok: boolean;
           enterpriseId: string;
           domain: string;
           verifiedAt?: number;
@@ -280,8 +308,6 @@ declare function createAuth<P extends AuthProviderConfig[], TAuthorization exten
   providers: P;
   authorization?: TAuthorization;
 }): ConvexAuthResult<P, TAuthorization>;
-/** Canonical user document type exposed by Convex Auth. */
-type UserDoc = Doc<"User">;
 /**
  * Configuration for {@link AuthCtx} context enrichment.
  *
@@ -291,16 +317,42 @@ type UserDoc = Doc<"User">;
 type AuthCtxConfig<TResolve extends Record<string, unknown> = Record<string, never>> = {
   /** Allow unauthenticated callers and return `userId: null` / `user: null`. */optional?: boolean;
   /**
-   * Attach additional derived fields to the auth context after the user is resolved.
+   * Attach additional derived fields to the auth context after the base auth
+   * context is resolved.
+   */
+  resolve?: (ctx: any, user: UserDoc, auth: AuthContext) => Promise<TResolve> | TResolve;
+  /**
+   * Override or wrap the base auth resolution used by {@link AuthCtx}.
+   *
+   * Return `undefined` to fall back to the built-in resolver,
+   * `null` for an explicit unauthenticated state, or an
+   * {@link AuthContext} object to provide a pre-resolved auth state.
+   * This is useful for tests, proxy auth, impersonation flows, or any
+   * environment that needs to inject auth without depending on the standard
+   * Convex auth tables.
+   *
+   * @param ctx - The Convex function context.
+   * @param fallback - The built-in auth resolver used by {@link AuthCtx}.
+   * @returns Resolved auth state, `null`, or `undefined` to use the fallback.
+   *
+   * @example
+   * ```ts
+   * const authCtx = AuthCtx(auth, {
+   *   authResolve: async (ctx, fallback) => {
+   *     const injected = getInjectedAuth(ctx);
+   *     return injected ?? (await fallback());
+   *   },
+   * });
+   * ```
    */
-  resolve?: (ctx: any, user: UserDoc) => Promise<TResolve> | TResolve;
+  authResolve?: (ctx: any, fallback: () => Promise<AuthContext | null>) => Promise<AuthContext | null | undefined> | AuthContext | null | undefined;
 };
 /**
  * Create a context enrichment for `customQuery` / `customMutation` — optional auth.
  *
  * When `optional: true` is set, unauthenticated requests are allowed.
- * The enriched `ctx.auth` will have `userId: null` and `user: null`
- * for unauthenticated callers.
+ * The enriched `ctx.auth` will have `userId: null`, `user: null`,
+ * `groupId: null`, `role: null`, and `grants: []` for unauthenticated callers.
  *
  * @param auth - The auth API object returned by {@link createAuth}.
  * @param config - Configuration with `optional: true` and an optional
@@ -324,11 +376,7 @@ declare function AuthCtx<TResolve extends Record<string, unknown> = Record<strin
   args: {};
   input: (ctx: any, _args: any, _extra?: any) => Promise<{
     ctx: {
-      auth: {
-        getUserIdentity: () => Promise<UserIdentity | null>;
-        userId: GenericId<"User"> | null;
-        user: UserDoc | null;
-      } & TResolve;
+      auth: OptionalAuthCtxState & TResolve;
     };
     args: {};
   }>;
@@ -336,10 +384,8 @@ declare function AuthCtx<TResolve extends Record<string, unknown> = Record<strin
 /**
  * Create a context enrichment for `customQuery` / `customMutation` — required auth (default).
  *
- * When `optional` is omitted or `false`, the inferred type is the authenticated
- * auth shape. At runtime this helper still resolves instead of throwing, so if
- * no user is signed in the returned `ctx.auth.userId` and `ctx.auth.user` are
- * `null`.
+ * When `optional` is omitted or `false`, unauthenticated requests throw a
+ * structured `ConvexError` before your handler runs.
  *
  * @param auth - The auth API object returned by {@link createAuth}.
  * @param config - Optional configuration with a `resolve` callback
@@ -360,11 +406,7 @@ declare function AuthCtx<TResolve extends Record<string, unknown> = Record<strin
   args: {};
   input: (ctx: any, _args: any, _extra?: any) => Promise<{
     ctx: {
-      auth: {
-        getUserIdentity: () => Promise<UserIdentity | null>;
-        userId: GenericId<"User">;
-        user: UserDoc;
-      } & TResolve;
+      auth: RequiredAuthCtxState & TResolve;
     };
     args: {};
   }>;
@@ -374,9 +416,10 @@ declare function AuthCtx<TResolve extends Record<string, unknown> = Record<strin
  *
  * Use this to type function parameters or variables that receive the
  * enriched auth context produced by `AuthCtx`. The inferred type includes
- * `userId`, `user`, `getUserIdentity`, and any additional fields added
- * by the `resolve` callback. This is the generic utility for reusing the
- * enriched auth shape without manually duplicating conditional auth types.
+ * `userId`, `user`, `groupId`, `role`, `grants`, `getUserIdentity`, and any
+ * additional fields added by the `resolve` callback. This is the generic
+ * utility for reusing the enriched auth shape without manually duplicating
+ * conditional auth types.
  *
  * @typeParam T - An `AuthCtx` return value (must have an `input` method
  *   that returns `{ ctx: { auth: ... } }`).
@@ -400,5 +443,5 @@ type InferAuth<T extends {
   }>;
 }> = Awaited<ReturnType<T["input"]>>["ctx"]["auth"];
 //#endregion
-export { AuthApi, AuthConfig, AuthCtx, AuthCtxConfig, InferAuth, UserDoc, createAuth };
+export { AuthApi, AuthConfig, AuthContext, AuthCtx, AuthCtxConfig, InferAuth, UserDoc, createAuth };
 //# sourceMappingURL=auth.d.ts.map

package/dist/component/server/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","names":[],"sources":["../../../src/server/auth.ts"],"mappings":";;;;;;;;AAmC6D;;;KAAjD,UAAA,GAAa,IAAA,CAAK,gBAAA;AAAA,KAEzB,0BAAA,wBACoB,uBAAA,gBACrB,IAAA,CACF,UAAA,QAAkB,IAAA;EAGlB,MAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,mCAEpB,IAAA;IACE,OAAA;IACA,MAAA;IACA,OAAA,GAAU,UAAA,CAAW,cAAA;IACrB,MAAA;IACA,MAAA,GAAS,MAAA;EAAA,MAER,OAAA;IAAU,EAAA;IAAU,QAAA;EAAA;EACzB,IAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,iCAEpB,IAAA;IACE,KAAA;MACE,OAAA;MACA,MAAA;MACA,MAAA,GAAS,UAAA,CAAW,cAAA;MACpB,MAAA;IAAA;IAEF,KAAA;IACA,MAAA;IACA,OAAA;IACA,KAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,IAAA;EAClC,MAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,mCAEpB,QAAA,UACA,IAAA,EAAM,MAAA;IAA4B,OAAA,GAAU,UAAA,CAAW,cAAA;EAAA,MACpD,OAAA;IAAU,EAAA;IAAU,QAAA;EAAA;EACzB,OAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,oCAEpB,IAAA;IACE,MAAA;IACA,OAAA;IACA,QAAA;IACA,OAAA,GAAU,UAAA,CAAW,cAAA;IACrB,MAAA,GAAS,SAAA,CAAU,cAAA;IACnB,QAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,IAAA;AAAA;;;;;;;;;;;;;;;;KAmBxB,WAAA,wBACa,uBAAA;EAEvB,MAAA,EAAQ,UAAA,QAAkB,IAAA;EAC1B,OAAA,EAAS,UAAA,QAAkB,IAAA;EAC3B,KAAA,EAAO,UAAA,QAAkB,IAAA;EACzB,IAAA,EAAM,UAAA,QAAkB,IAAA;EACxB,OAAA,EAAS,UAAA,QAAkB,IAAA;EAC3B,QAAA,EAAU,UAAA,QAAkB,IAAA;EAC5B,OAAA,EAAS,UAAA,QAAkB,IAAA;EAC3B,KAAA,EAAO,UAAA,QAAkB,IAAA;EACzB,MAAA,EAAQ,0BAAA,CAA2B,cAAA;EACnC,MAAA,EAAQ,UAAA,QAAkB,IAAA;EAC1B,GAAA,EAAK,UAAA,QAAkB,IAAA;EACvB,IAAA,EAAM,UAAA,QAAkB,IAAA;EA9DlB;;;;;;;;;;;;;;;;;;;;;;;;EAuFN,OAAA,GAAU,GAAA,UAAa,OAAA,CAAQ,mBAAA;EAvEhB;;;;;;;;;;;;;;;;;;;;;;;AAgCjB;;;;;;;;;;;;;;;;EA+EE,GAAA;IACE,IAAA,EAAM,MAAA;IACN,KAAA,GAAQ,GAAA,UAAa,OAAA;MACnB,GAAA;QAAO,IAAA,EAAM,mBAAA;MAAA;MACb,IAAA,EAAM,MAAA;IAAA;EAAA;AAAA;;;;;;;;KAYA,mBAAA;EAdoB,4CAgB9B,MAAA,UAhGA;EAkGA,IAAA,OAhGA;EAkGA,OAAA,iBAlG0B;EAoG1B,IAAA,iBAnGS;EAqGT,MAAA;AAAA;AAAA,KAGG,cAAA,GAAiB,UAAA,QAAkB,IAAA;AAAA,KAEnC,iBAAA;EACH,UAAA,EAAY,cAAA;IACV,MAAA;MACE,IAAA,EAAM,cAAA;MACN,QAAA,EAAU,cAAA;MACV,GAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,YAAA,UACA,OAAA,EAAS,KAAA;QACP,MAAA;QACA,SAAA;MAAA,OAEC,OAAA;QACH,EAAA;QACA,YAAA;QACA,OAAA,EAAS,KAAA;UACP,QAAA;UACA,MAAA;UACA,SAAA;UACA,QAAA;UACA,UAAA;QAAA;MAAA;MAGJ,YAAA;QACE,OAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,IAAA;UAAQ,YAAA;UAAsB,MAAA;QAAA,MAC3B,OAAA;UACH,EAAA;UACA,YAAA;UACA,MAAA;UACA,WAAA;UACA,SAAA;UACA,SAAA;YACE,UAAA;YACA,UAAA;YACA,WAAA;UAAA;QAAA;QAGJ,OAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,IAAA;UAAQ,YAAA;UAAsB,MAAA;QAAA,MAC3B,OAAA;UACH,EAAA;UACA,YAAA;UACA,MAAA;UACA,UAAA;UACA,MAAA,EAAQ,KAAA;YAAQ,IAAA;YAAc,EAAA;YAAa,OAAA;UAAA;QAAA;MAAA;IAAA;EAAA;EAKnD,IAAA,EAAM,IAAA,CAAK,cAAA;EACX,IAAA,EAAM,IAAA,CAAK,cAAA;EACX,MAAA,EAAQ,cAAA;EACR,KAAA;IACE,IAAA,EAAM,cAAA;EAAA;EAER,OAAA;IACE,QAAA,EAAU,cAAA;IACV,QAAA;MACE,IAAA,EAAM,cAAA;IAAA;EAAA;AAAA;AAAA,KAKP,kBAAA;EACH,MAAA,EAAQ,cAAA;EACR,QAAA,EAAU,cAAA;AAAA;AAAA,KAGP,YAAA;EACH,KAAA,EAAO,iBAAA;EACP,MAAA,EAAQ,kBAAA;AAAA;AAAA,KAGL,aAAA;EACH,KAAA,EAAO,IAAA,CAAK,cAAA;AAAA;;;;;;;;;;;;;;;;KAkBF,OAAA,wBACa,uBAAA,4BACrB,WAAA,CAAY,cAAA;EACd,GAAA,EAAK,YAAA;EACL,IAAA,EAAM,aAAA;AAAA;;;;;;;;;;;;;;;;KAkBI,gBAAA,WACA,kBAAA,2BACa,uBAAA,4BAEvB,MAAA,CAAO,CAAA,iBACH,OAAA,CAAQ,cAAA,IACR,WAAA,CAAY,cAAA;AAAA,iBA6FF,UAAA,WACJ,kBAAA,2BACa,uBAAA,yBAAA,CAEvB,SAAA,EAAW,gBAAA,eACX,MAAA,EAAQ,IAAA,CAAK,UAAA;EACX,SAAA,EAAW,CAAA;EACX,aAAA,GAAgB,cAAA;AAAA,IAEjB,gBAAA,CAAiB,CAAA,EAAG,cAAA;;KA2MX,OAAA,GAAU,GAAA;;;;;;;KAQV,aAAA,kBACO,MAAA,oBAA0B,MAAA;EAzYnC,8EA4YR,QAAA;EA1YQ;;;EA8YR,OAAA,IAAW,GAAA,OAAU,IAAA,EAAM,OAAA,KAAY,OAAA,CAAQ,QAAA,IAAY,QAAA;AAAA;;;;;;;;;;;;;;;;;;;;;AA/XnC;;;iBAyZV,OAAA,kBACG,MAAA,oBAA0B,MAAA,gBAAA,CAE3C,IAAA,EAAM,QAAA,EACN,MAAA,EAAQ,aAAA,CAAc,QAAA;EAAc,QAAA;AAAA;EAEpC,IAAA;EACA,KAAA,GACE,GAAA,OACA,KAAA,OACA,MAAA,WACG,OAAA;IACH,GAAA;MACE,IAAA;QACE,eAAA,QAAuB,OAAA,CAAQ,YAAA;QAC/B,MAAA,EAAQ,SAAA;QACR,IAAA,EAAM,OAAA;MAAA,IACJ,QAAA;IAAA;IAEN,IAAA;EAAA;AAAA;;;AAhawB;;;;;;;;;AAsB5B;;;;;;;;;;;;iBAoagB,OAAA,kBACG,MAAA,oBAA0B,MAAA,gBAAA,CAE3C,IAAA,EAAM,QAAA,EACN,MAAA,GAAS,aAAA,CAAc,QAAA;EAEvB,IAAA;EACA,KAAA,GACE,GAAA,OACA,KAAA,OACA,MAAA,WACG,OAAA;IACH,GAAA;MACE,IAAA;QACE,eAAA,QAAuB,OAAA,CAAQ,YAAA;QAC/B,MAAA,EAAQ,SAAA;QACR,IAAA,EAAM,OAAA;MAAA,IACJ,QAAA;IAAA;IAEN,IAAA;EAAA;AAAA;;;;;;;;;;;;;;;;;;;;;AA9TJ;;;KAwZY,SAAA;EACE,KAAA,MAAW,IAAA,YAAgB,OAAA;IAAU,GAAA;MAAO,IAAA;IAAA;EAAA;AAAA,KACtD,OAAA,CAAQ,UAAA,CAAW,CAAA"}
+{"version":3,"file":"auth.d.ts","names":[],"sources":["../../../src/server/auth.ts"],"mappings":";;;;;;;;AAqCA;;;KAHY,UAAA,GAAa,IAAA,CAAK,gBAAA;;KAGlB,OAAA,GAAU,GAAA;AAAA,KAEjB,0BAAA,wBACoB,uBAAA,gBACrB,IAAA,CACF,UAAA,QAAkB,IAAA;EAGlB,MAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,mCAEpB,IAAA;IACE,OAAA;IACA,MAAA;IACA,OAAA,GAAU,UAAA,CAAW,cAAA;IACrB,MAAA;IACA,MAAA,GAAS,MAAA;EAAA,MAER,OAAA;IAAU,QAAA;EAAA;EACf,IAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,iCAEpB,IAAA;IACE,KAAA;MACE,OAAA;MACA,MAAA;MACA,MAAA,GAAS,UAAA,CAAW,cAAA;MACpB,MAAA;IAAA;IAEF,KAAA;IACA,MAAA;IACA,OAAA;IACA,KAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,IAAA;EAClC,MAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,mCAEpB,QAAA,UACA,IAAA,EAAM,MAAA;IAA4B,OAAA,GAAU,UAAA,CAAW,cAAA;EAAA,MACpD,OAAA;IAAU,QAAA;EAAA;EACf,OAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,oCAEpB,IAAA;IACE,MAAA;IACA,OAAA;IACA,QAAA;IACA,QAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,IAAA;EAClC,OAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,oCAEpB,IAAA;IACE,MAAA;IACA,OAAA;IACA,QAAA;IACA,OAAA,GAAU,UAAA,CAAW,cAAA;IACrB,MAAA,GAAS,SAAA,CAAU,cAAA;IACnB,QAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,IAAA;AAAA;;;;;;;;;;;;;;;;KAkBxB,WAAA,wBACa,uBAAA;EAEvB,MAAA,EAAQ,UAAA,QAAkB,IAAA;EAC1B,OAAA,EAAS,UAAA,QAAkB,IAAA;EAC3B,KAAA,EAAO,UAAA,QAAkB,IAAA;EACzB,IAAA,EAAM,UAAA,QAAkB,IAAA;EACxB,OAAA,EAAS,UAAA,QAAkB,IAAA;EAC3B,QAAA,EAAU,UAAA,QAAkB,IAAA;EAC5B,OAAA,EAAS,UAAA,QAAkB,IAAA;EAC3B,KAAA,EAAO,UAAA,QAAkB,IAAA;EACzB,MAAA,EAAQ,0BAAA,CAA2B,cAAA;EACnC,MAAA,EAAQ,UAAA,QAAkB,IAAA;EAC1B,GAAA,EAAK,UAAA,QAAkB,IAAA;EACvB,IAAA,EAAM,UAAA,QAAkB,IAAA;EA7EF;;;;;;;;;;;;;;;;;;;;;;;EAqGtB,OAAA,GAAU,GAAA,UAAa,OAAA,CAAQ,WAAA;EAjFK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAwHpC,GAAA;IACE,IAAA,EAAM,MAAA;IACN,KAAA,GAAQ,GAAA,UAAa,OAAA;MACnB,GAAA;QAAO,IAAA,EAAM,WAAA;MAAA;MACb,IAAA,EAAM,MAAA;IAAA;EAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;KA4BA,WAAA;EA5BA,4CA8BV,MAAA,EAAQ,SAAA,UAhCsB;EAkC9B,IAAA,EAAM,OAAA,EAhHN;EAkHA,OAAA,iBAhHA;EAkHA,IAAA,iBAlH0B;EAoH1B,MAAA;AAAA;AAAA,KAGG,WAAA;EACH,eAAA,QAAuB,OAAA,CAAQ,YAAA;AAAA;AAAA,KAG5B,oBAAA,GAAuB,WAAA,GAAc,WAAA;AAAA,KAErC,oBAAA,GAAuB,WAAA;EAC1B,MAAA,EAAQ,SAAA;EACR,IAAA,EAAM,OAAA;EACN,OAAA;EACA,IAAA;EACA,MAAA;AAAA;AAAA,KAGG,cAAA,GAAiB,UAAA,QAAkB,IAAA;AAAA,KAEnC,iBAAA;EACH,UAAA,EAAY,cAAA;IACV,MAAA;MACE,IAAA,EAAM,cAAA;MACN,QAAA,EAAU,cAAA;MACV,GAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,YAAA,UACA,OAAA,EAAS,KAAA;QACP,MAAA;QACA,SAAA;MAAA,OAEC,OAAA;QACH,YAAA;QACA,OAAA,EAAS,KAAA;UACP,QAAA;UACA,MAAA;UACA,SAAA;UACA,QAAA;UACA,UAAA;QAAA;MAAA;MAGJ,YAAA;QACE,OAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,IAAA;UAAQ,YAAA;UAAsB,MAAA;QAAA,MAC3B,OAAA;UACH,YAAA;UACA,MAAA;UACA,WAAA;UACA,SAAA;UACA,SAAA;YACE,UAAA;YACA,UAAA;YACA,WAAA;UAAA;QAAA;QAGJ,OAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,IAAA;UAAQ,YAAA;UAAsB,MAAA;QAAA,MAC3B,OAAA;UACH,YAAA;UACA,MAAA;UACA,UAAA;UACA,MAAA,EAAQ,KAAA;YAAQ,IAAA;YAAc,EAAA;YAAa,OAAA;UAAA;QAAA;MAAA;IAAA;EAAA;EAKnD,IAAA,EAAM,IAAA,CAAK,cAAA;EACX,IAAA,EAAM,IAAA,CAAK,cAAA;EACX,MAAA,EAAQ,cAAA;EACR,KAAA;IACE,IAAA,EAAM,cAAA;EAAA;EAER,OAAA;IACE,QAAA,EAAU,cAAA;IACV,QAAA;MACE,IAAA,EAAM,cAAA;IAAA;EAAA;AAAA;AAAA,KAKP,kBAAA;EACH,MAAA,EAAQ,cAAA;EACR,QAAA,EAAU,cAAA;AAAA;AAAA,KAGP,YAAA;EACH,KAAA,EAAO,iBAAA;EACP,MAAA,EAAQ,kBAAA;AAAA;AAAA,KAGL,aAAA;EACH,KAAA,EAAO,IAAA,CAAK,cAAA;AAAA;;;;;;;;;AA/EN;;;;;AAG2C;;KA8FvC,OAAA,wBACa,uBAAA,4BACrB,WAAA,CAAY,cAAA;EACd,GAAA,EAAK,YAAA;EACL,IAAA,EAAM,aAAA;AAAA;;;;;;;;;;;;;;;;KAkBI,gBAAA,WACA,kBAAA,2BACa,uBAAA,4BAEvB,MAAA,CAAO,CAAA,iBACH,OAAA,CAAQ,cAAA,IACR,WAAA,CAAY,cAAA;AAAA,iBAgGF,UAAA,WACJ,kBAAA,2BACa,uBAAA,yBAAA,CAEvB,SAAA,EAAW,gBAAA,eACX,MAAA,EAAQ,IAAA,CAAK,UAAA;EACX,SAAA,EAAW,CAAA;EACX,aAAA,GAAgB,cAAA;AAAA,IAEjB,gBAAA,CAAiB,CAAA,EAAG,cAAA;;;;;;;KA8NX,aAAA,kBACO,MAAA,oBAA0B,MAAA;EA9anC,8EAibR,QAAA;EA7aI;;;;EAkbJ,OAAA,IACE,GAAA,OACA,IAAA,EAAM,OAAA,EACN,IAAA,EAAM,WAAA,KACH,OAAA,CAAQ,QAAA,IAAY,QAAA;EAnbT;;;;;;;;;;;;;;;;;;;;;;;;EA4chB,WAAA,IACE,GAAA,OACA,QAAA,QAAgB,OAAA,CAAQ,WAAA,aACrB,OAAA,CAAQ,WAAA,uBAAkC,WAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;AA9avB;;iBAwcV,OAAA,kBACG,MAAA,oBAA0B,MAAA,gBAAA,CAE3C,IAAA,EAAM,QAAA,EACN,MAAA,EAAQ,aAAA,CAAc,QAAA;EAAc,QAAA;AAAA;EAEpC,IAAA;EACA,KAAA,GACE,GAAA,OACA,KAAA,OACA,MAAA,WACG,OAAA;IACH,GAAA;MACE,IAAA,EAAM,oBAAA,GAAuB,QAAA;IAAA;IAE/B,IAAA;EAAA;AAAA;;;;;;;;AA3cwB;;;;;;;;;AAsB5B;;;;;iBA6cgB,OAAA,kBACG,MAAA,oBAA0B,MAAA,gBAAA,CAE3C,IAAA,EAAM,QAAA,EACN,MAAA,GAAS,aAAA,CAAc,QAAA;EAEvB,IAAA;EACA,KAAA,GACE,GAAA,OACA,KAAA,OACA,MAAA,WACG,OAAA;IACH,GAAA;MACE,IAAA,EAAM,oBAAA,GAAuB,QAAA;IAAA;IAE/B,IAAA;EAAA;AAAA;;;;;;;AAtcJ;;;;;;;;;;;;;;;;;;KAwhBY,SAAA;EACE,KAAA,MAAW,IAAA,YAAgB,OAAA;IAAU,GAAA;MAAO,IAAA;IAAA;EAAA;AAAA,KACtD,OAAA,CAAQ,UAAA,CAAW,CAAA"}

package/dist/component/server/auth.js

@@ -1,9 +1,13 @@
-import { AuthError } from "./authError.js";
 import { Auth } from "./runtime.js";
-import { Fx } from "@robelest/fx";
+import { Cv } from "@robelest/fx/convex";
 
 //#region src/server/auth.ts
 /**
+* Auth configuration helpers for Convex Auth.
+*
+* @module
+*/
+/**
 * Create an auth API object.
 *
 * When `new SSO()` is included in providers, `auth.sso` and `auth.scim`
@@ -37,9 +41,9 @@ import { Fx } from "@robelest/fx";
 * 1. `user.id(ctx)` → userId or null (exit early)
 * 2. `user.get(ctx, userId)` → user doc (cached per-execution)
 * 3. `user.getActiveGroup(ctx, { userId })` → groupId or null
-* 4. If groupId → `member.resolve(ctx, { userId, groupId })` → role + grants
+* 4. If groupId → `member.inspect(ctx, { userId, groupId })` → role + grants
 */
-async function resolveAuthContext(auth, ctx) {
+async function getAuthContext(auth, ctx) {
 	const userId = await auth.user.id(ctx);
 	if (!userId) return null;
 	const user = await auth.user.get(ctx, userId);
@@ -47,7 +51,7 @@ async function resolveAuthContext(auth, ctx) {
 	let role = null;
 	let grants = [];
 	if (groupId) {
-		const resolved = await auth.member.resolve(ctx, {
+		const resolved = await auth.member.inspect(ctx, {
 			userId,
 			groupId
 		});
@@ -73,20 +77,32 @@ function createAuth(component, config) {
 	const { domain: domainApi, scim: scimApi, connection: connectionApi, audit: auditApi, webhook: webhookApi, oidc: oidcApi, saml: samlApi, ...restSso } = authResult.auth.sso;
 	const setEnterpriseDomains = async (ctx, enterpriseId, domains) => {
 		const enterprise = await connectionApi.get(ctx, enterpriseId);
-		if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
+		if (enterprise === null) throw Cv.error({
+			code: "INVALID_PARAMETERS",
+			message: "Enterprise not found."
+		});
 		const normalized = domains.map((entry) => ({
 			...entry,
 			domain: entry.domain.trim().toLowerCase()
 		}));
 		const deduped = /* @__PURE__ */ new Map();
 		for (const entry of normalized) {
-			if (entry.domain.length === 0) throw new AuthError("INVALID_PARAMETERS", "Domain must not be empty.").toConvexError();
-			if (deduped.has(entry.domain)) throw new AuthError("INVALID_PARAMETERS", `Duplicate domain: ${entry.domain}`).toConvexError();
+			if (entry.domain.length === 0) throw Cv.error({
+				code: "INVALID_PARAMETERS",
+				message: "Domain must not be empty."
+			});
+			if (deduped.has(entry.domain)) throw Cv.error({
+				code: "INVALID_PARAMETERS",
+				message: `Duplicate domain: ${entry.domain}`
+			});
 			deduped.set(entry.domain, entry);
 		}
 		const nextDomains = [...deduped.values()];
 		const primaryCount = nextDomains.filter((entry) => entry.isPrimary).length;
-		if (primaryCount > 1) throw new AuthError("INVALID_PARAMETERS", "Only one primary domain may be set.").toConvexError();
+		if (primaryCount > 1) throw Cv.error({
+			code: "INVALID_PARAMETERS",
+			message: "Only one primary domain may be set."
+		});
 		if (nextDomains.length > 0 && primaryCount === 0) nextDomains[0] = {
 			...nextDomains[0],
 			isPrimary: true
@@ -110,7 +126,6 @@ function createAuth(component, config) {
 			});
 		}
 		return {
-			ok: true,
 			enterpriseId,
 			domains: (await domainApi.list(ctx, enterpriseId)).map((domain) => ({
 				domainId: domain._id,
@@ -169,12 +184,24 @@ function createAuth(component, config) {
 			validate: scimApi.validate
 		} },
 		http: authResult.auth.http,
-		resolve: (ctx) => resolveAuthContext(authResult.auth, ctx),
+		context: async (ctx) => {
+			const authContext = await getAuthContext(authResult.auth, ctx);
+			if (authContext === null) throw Cv.error({
+				code: "NOT_SIGNED_IN",
+				message: "Authentication required."
+			});
+			return authContext;
+		},
 		ctx: () => ({
 			args: {},
 			input: async (ctx) => {
+				const authCtx = await getAuthContext(authResult.auth, ctx);
+				if (authCtx === null) throw Cv.error({
+					code: "NOT_SIGNED_IN",
+					message: "Authentication required."
+				});
 				return {
-					ctx: { auth: await resolveAuthContext(authResult.auth, ctx) },
+					ctx: { auth: authCtx },
 					args: {}
 				};
 			}
@@ -186,39 +213,32 @@ function AuthCtx(auth, config) {
 		args: {},
 		input: async (ctx, _args, _extra) => {
 			const nativeAuth = ctx.auth;
-			const modeDispatch = config?.optional === true ? { mode: "optional" } : { mode: "required" };
-			const userContext = await Fx.run(Fx.match(modeDispatch, modeDispatch.mode, {
-				optional: async () => {
-					const userId = await auth.user.id(ctx);
-					if (!userId) return null;
-					return {
-						userId,
-						user: await auth.user.get(ctx, userId)
-					};
-				},
-				required: async () => {
-					const userId = await auth.user.id(ctx);
-					if (!userId) return null;
-					return {
-						userId,
-						user: await auth.user.get(ctx, userId)
-					};
-				}
-			}));
-			if (userContext === null) return {
-				ctx: { auth: {
-					getUserIdentity: nativeAuth.getUserIdentity.bind(nativeAuth),
-					userId: null,
-					user: null
-				} },
-				args: {}
-			};
-			const extra = config?.resolve ? await config.resolve(ctx, userContext.user) : {};
+			const getUserIdentity = nativeAuth.getUserIdentity.bind(nativeAuth);
+			const fallback = () => getAuthContext(auth, ctx);
+			const authOverride = config?.authResolve ? await config.authResolve(ctx, fallback) : void 0;
+			const resolved = authOverride === void 0 ? await fallback() : authOverride;
+			if (resolved === null) {
+				if (config?.optional !== true) throw Cv.error({
+					code: "NOT_SIGNED_IN",
+					message: "Authentication required."
+				});
+				return {
+					ctx: { auth: {
+						getUserIdentity,
+						userId: null,
+						user: null,
+						groupId: null,
+						role: null,
+						grants: []
+					} },
+					args: {}
+				};
+			}
+			const extra = config?.resolve ? await config.resolve(ctx, resolved.user, resolved) : {};
 			return {
 				ctx: { auth: {
-					getUserIdentity: nativeAuth.getUserIdentity.bind(nativeAuth),
-					userId: userContext.userId,
-					user: userContext.user,
+					getUserIdentity,
+					...resolved,
 					...extra
 				} },
 				args: {}