npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.21 → 0.0.4-preview.23 - Mend

@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (310) hide show

package/dist/authorization/index.d.ts +1 -1
package/dist/authorization/index.js +1 -1
package/dist/authorization/index.js.map +1 -1
package/dist/client/index.d.ts +1 -2
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +36 -39
package/dist/client/index.js.map +1 -1
package/dist/component/client/index.d.ts +1 -2
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/model.d.ts +5 -5
package/dist/component/model.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.js.map +1 -1
package/dist/component/public/enterprise/core.d.ts.map +1 -1
package/dist/component/public/enterprise/core.js.map +1 -1
package/dist/component/public/enterprise/domains.d.ts.map +1 -1
package/dist/component/public/enterprise/domains.js.map +1 -1
package/dist/component/public/enterprise/scim.d.ts.map +1 -1
package/dist/component/public/enterprise/scim.js.map +1 -1
package/dist/component/public/enterprise/secrets.d.ts.map +1 -1
package/dist/component/public/enterprise/secrets.js.map +1 -1
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -1
package/dist/component/public/enterprise/webhooks.js.map +1 -1
package/dist/component/public/factors/devices.d.ts.map +1 -1
package/dist/component/public/factors/devices.js.map +1 -1
package/dist/component/public/factors/passkeys.d.ts.map +1 -1
package/dist/component/public/factors/passkeys.js.map +1 -1
package/dist/component/public/factors/totp.d.ts.map +1 -1
package/dist/component/public/factors/totp.js.map +1 -1
package/dist/component/public/groups/core.js.map +1 -1
package/dist/component/public/groups/invites.d.ts.map +1 -1
package/dist/component/public/groups/invites.js.map +1 -1
package/dist/component/public/groups/members.d.ts.map +1 -1
package/dist/component/public/groups/members.js.map +1 -1
package/dist/component/public/identity/accounts.d.ts.map +1 -1
package/dist/component/public/identity/accounts.js.map +1 -1
package/dist/component/public/identity/codes.d.ts.map +1 -1
package/dist/component/public/identity/codes.js.map +1 -1
package/dist/component/public/identity/sessions.d.ts.map +1 -1
package/dist/component/public/identity/sessions.js.map +1 -1
package/dist/component/public/identity/tokens.d.ts.map +1 -1
package/dist/component/public/identity/tokens.js.map +1 -1
package/dist/component/public/identity/users.d.ts.map +1 -1
package/dist/component/public/identity/users.js.map +1 -1
package/dist/component/public/identity/verifiers.d.ts.map +1 -1
package/dist/component/public/identity/verifiers.js.map +1 -1
package/dist/component/public/security/keys.d.ts.map +1 -1
package/dist/component/public/security/keys.js.map +1 -1
package/dist/component/public/security/limits.d.ts.map +1 -1
package/dist/component/public/security/limits.js.map +1 -1
package/dist/component/schema.d.ts +39 -39
package/dist/component/server/auth.d.ts +95 -52
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +63 -43
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/core.js +116 -235
package/dist/component/server/core.js.map +1 -1
package/dist/component/server/crypto.js +25 -7
package/dist/component/server/crypto.js.map +1 -1
package/dist/component/server/device.js +58 -15
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/enterprise/domain.js +148 -59
package/dist/component/server/enterprise/domain.js.map +1 -1
package/dist/component/server/enterprise/http.js +36 -15
package/dist/component/server/enterprise/http.js.map +1 -1
package/dist/component/server/enterprise/oidc.js +1 -1
package/dist/component/server/http.js +26 -21
package/dist/component/server/http.js.map +1 -1
package/dist/component/server/identity.js +5 -2
package/dist/component/server/identity.js.map +1 -1
package/dist/component/server/limits.js +21 -30
package/dist/component/server/limits.js.map +1 -1
package/dist/component/server/mutations/account.js +12 -10
package/dist/component/server/mutations/account.js.map +1 -1
package/dist/component/server/mutations/code.js +5 -2
package/dist/component/server/mutations/code.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/invalidate.js.map +1 -1
package/dist/component/server/mutations/oauth.js +10 -4
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +2 -2
package/dist/component/server/mutations/refresh.js.map +1 -1
package/dist/component/server/mutations/register.js +46 -42
package/dist/component/server/mutations/register.js.map +1 -1
package/dist/component/server/mutations/retrieve.js +21 -25
package/dist/component/server/mutations/retrieve.js.map +1 -1
package/dist/component/server/mutations/signature.js +10 -4
package/dist/component/server/mutations/signature.js.map +1 -1
package/dist/component/server/mutations/signout.js.map +1 -1
package/dist/component/server/mutations/store.js +9 -24
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verifier.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/mutations/verify.js.map +1 -1
package/dist/component/server/oauth.js +53 -16
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +115 -31
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/redirects.js +9 -3
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +10 -7
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/runtime.d.ts +3 -3
package/dist/component/server/runtime.d.ts.map +1 -1
package/dist/component/server/runtime.js +62 -20
package/dist/component/server/runtime.js.map +1 -1
package/dist/component/server/signin.js +34 -10
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/totp.js +79 -19
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +12 -20
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +6 -3
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +10 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +14 -22
package/dist/core/types.d.ts.map +1 -1
package/dist/factors/device.js +8 -9
package/dist/factors/device.js.map +1 -1
package/dist/factors/passkey.js +18 -21
package/dist/factors/passkey.js.map +1 -1
package/dist/providers/password.js +66 -81
package/dist/providers/password.js.map +1 -1
package/dist/runtime/invite.js +2 -8
package/dist/runtime/invite.js.map +1 -1
package/dist/server/auth.d.ts +95 -52
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +63 -43
package/dist/server/auth.js.map +1 -1
package/dist/server/core.d.ts +71 -159
package/dist/server/core.d.ts.map +1 -1
package/dist/server/core.js +116 -235
package/dist/server/core.js.map +1 -1
package/dist/server/crypto.d.ts.map +1 -1
package/dist/server/crypto.js +25 -7
package/dist/server/crypto.js.map +1 -1
package/dist/server/device.js +58 -15
package/dist/server/device.js.map +1 -1
package/dist/server/enterprise/domain.d.ts +0 -8
package/dist/server/enterprise/domain.d.ts.map +1 -1
package/dist/server/enterprise/domain.js +148 -59
package/dist/server/enterprise/domain.js.map +1 -1
package/dist/server/enterprise/http.d.ts.map +1 -1
package/dist/server/enterprise/http.js +35 -14
package/dist/server/enterprise/http.js.map +1 -1
package/dist/server/http.d.ts +2 -2
package/dist/server/http.d.ts.map +1 -1
package/dist/server/http.js +25 -20
package/dist/server/http.js.map +1 -1
package/dist/server/identity.js +5 -2
package/dist/server/identity.js.map +1 -1
package/dist/server/index.d.ts +2 -2
package/dist/server/limits.js +21 -30
package/dist/server/limits.js.map +1 -1
package/dist/server/mounts.d.ts +26 -64
package/dist/server/mounts.d.ts.map +1 -1
package/dist/server/mounts.js +45 -106
package/dist/server/mounts.js.map +1 -1
package/dist/server/mutations/account.d.ts +8 -9
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/account.js +11 -9
package/dist/server/mutations/account.js.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/code.js +5 -2
package/dist/server/mutations/code.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +4 -4
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/invalidate.js.map +1 -1
package/dist/server/mutations/oauth.d.ts +12 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -3
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +3 -3
package/dist/server/mutations/refresh.d.ts.map +1 -1
package/dist/server/mutations/refresh.js +1 -1
package/dist/server/mutations/refresh.js.map +1 -1
package/dist/server/mutations/register.d.ts +11 -11
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/register.js +45 -41
package/dist/server/mutations/register.js.map +1 -1
package/dist/server/mutations/retrieve.d.ts +6 -6
package/dist/server/mutations/retrieve.d.ts.map +1 -1
package/dist/server/mutations/retrieve.js +20 -24
package/dist/server/mutations/retrieve.js.map +1 -1
package/dist/server/mutations/signature.d.ts +6 -7
package/dist/server/mutations/signature.d.ts.map +1 -1
package/dist/server/mutations/signature.js +9 -3
package/dist/server/mutations/signature.js.map +1 -1
package/dist/server/mutations/signin.d.ts +5 -5
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.js.map +1 -1
package/dist/server/mutations/store.d.ts +97 -97
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +8 -23
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.js.map +1 -1
package/dist/server/mutations/verify.d.ts +10 -10
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/mutations/verify.js.map +1 -1
package/dist/server/oauth.js +53 -16
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +2 -2
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +114 -30
package/dist/server/passkey.js.map +1 -1
package/dist/server/redirects.js +9 -3
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.js +10 -7
package/dist/server/refresh.js.map +1 -1
package/dist/server/runtime.d.ts +14 -14
package/dist/server/runtime.d.ts.map +1 -1
package/dist/server/runtime.js +61 -19
package/dist/server/runtime.js.map +1 -1
package/dist/server/signin.js +34 -10
package/dist/server/signin.js.map +1 -1
package/dist/server/ssr.d.ts.map +1 -1
package/dist/server/ssr.js +175 -184
package/dist/server/ssr.js.map +1 -1
package/dist/server/totp.js +78 -18
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +13 -21
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.js +6 -3
package/dist/server/users.js.map +1 -1
package/dist/server/utils.js +10 -4
package/dist/server/utils.js.map +1 -1
package/package.json +2 -6
package/src/authorization/index.ts +1 -1
package/src/cli/index.ts +1 -1
package/src/client/core/types.ts +14 -14
package/src/client/factors/device.ts +10 -12
package/src/client/factors/passkey.ts +23 -26
package/src/client/index.ts +54 -64
package/src/client/runtime/invite.ts +5 -7
package/src/component/index.ts +1 -0
package/src/component/public/enterprise/audit.ts +6 -1
package/src/component/public/enterprise/core.ts +1 -0
package/src/component/public/enterprise/domains.ts +5 -1
package/src/component/public/enterprise/scim.ts +1 -0
package/src/component/public/enterprise/secrets.ts +1 -0
package/src/component/public/enterprise/webhooks.ts +1 -0
package/src/component/public/factors/devices.ts +1 -0
package/src/component/public/factors/passkeys.ts +1 -0
package/src/component/public/factors/totp.ts +1 -0
package/src/component/public/groups/core.ts +1 -1
package/src/component/public/groups/invites.ts +7 -1
package/src/component/public/groups/members.ts +1 -0
package/src/component/public/identity/accounts.ts +1 -0
package/src/component/public/identity/codes.ts +1 -0
package/src/component/public/identity/sessions.ts +1 -0
package/src/component/public/identity/tokens.ts +1 -0
package/src/component/public/identity/users.ts +1 -0
package/src/component/public/identity/verifiers.ts +1 -0
package/src/component/public/security/keys.ts +1 -0
package/src/component/public/security/limits.ts +1 -0
package/src/providers/password.ts +89 -110
package/src/server/auth.ts +177 -111
package/src/server/core.ts +197 -233
package/src/server/crypto.ts +31 -29
package/src/server/device.ts +65 -32
package/src/server/enterprise/domain.ts +158 -170
package/src/server/enterprise/http.ts +46 -39
package/src/server/http.ts +36 -30
package/src/server/identity.ts +5 -5
package/src/server/index.ts +2 -0
package/src/server/limits.ts +53 -80
package/src/server/mounts.ts +47 -74
package/src/server/mutations/account.ts +22 -36
package/src/server/mutations/code.ts +6 -6
package/src/server/mutations/invalidate.ts +1 -1
package/src/server/mutations/oauth.ts +14 -8
package/src/server/mutations/refresh.ts +5 -4
package/src/server/mutations/register.ts +87 -132
package/src/server/mutations/retrieve.ts +44 -44
package/src/server/mutations/signature.ts +13 -6
package/src/server/mutations/signout.ts +1 -1
package/src/server/mutations/store.ts +16 -31
package/src/server/mutations/verifier.ts +1 -1
package/src/server/mutations/verify.ts +3 -5
package/src/server/oauth.ts +60 -69
package/src/server/passkey.ts +567 -517
package/src/server/redirects.ts +10 -6
package/src/server/refresh.ts +14 -18
package/src/server/runtime.ts +70 -55
package/src/server/signin.ts +44 -37
package/src/server/ssr.ts +390 -407
package/src/server/totp.ts +85 -35
package/src/server/types.ts +19 -22
package/src/server/users.ts +7 -6
package/src/server/utils.ts +10 -12
package/dist/component/server/authError.js +0 -34
package/dist/component/server/authError.js.map +0 -1
package/dist/component/server/errors.d.ts +0 -1
package/dist/component/server/errors.js +0 -137
package/dist/component/server/errors.js.map +0 -1
package/dist/server/authError.d.ts +0 -46
package/dist/server/authError.d.ts.map +0 -1
package/dist/server/authError.js +0 -34
package/dist/server/authError.js.map +0 -1
package/dist/server/errors.d.ts +0 -177
package/dist/server/errors.d.ts.map +0 -1
package/dist/server/errors.js +0 -212
package/dist/server/errors.js.map +0 -1
package/src/server/authError.ts +0 -44
package/src/server/errors.ts +0 -290

package/src/server/ssr.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { Fx } from "@robelest/fx";
 import { ConvexHttpClient } from "convex/browser";
 import { makeFunctionReference } from "convex/server";
 import { ConvexError } from "convex/values";
@@ -9,7 +10,6 @@ import type {
   SignInActionResult,
   SignOutAction,
 } from "./runtime";
-import { Fx } from "@robelest/fx";
 import { isLocalHost } from "./utils";
 const signInActionRef: SignInAction = makeFunctionReference("auth:signIn");
@@ -598,60 +598,158 @@ export function server(options: ServerOptions) {
       return Fx.run(
         Fx.match(actionDispatch, actionDispatch.action, {
           sessionStart: (_) =>
-            Fx.from({
-              ok: async () => {
-                const refreshDispatch =
-                  args.refreshToken === undefined
-                    ? { kind: "passthrough" as const }
-                    : currentCookies.refreshToken === null
-                      ? { kind: "refreshRequestedWithoutCookie" as const }
-                      : {
-                          kind: "hydrateRefreshFromCookie" as const,
-                          refreshToken: currentCookies.refreshToken,
-                        };
+            Fx.promise(async () => {
+              const refreshDispatch =
+                args.refreshToken === undefined
+                  ? { kind: "passthrough" as const }
+                  : currentCookies.refreshToken === null
+                    ? { kind: "refreshRequestedWithoutCookie" as const }
+                    : {
+                        kind: "hydrateRefreshFromCookie" as const,
+                        refreshToken: currentCookies.refreshToken,
+                      };
-                const refreshResponse = await Fx.run(
-                  Fx.match(refreshDispatch, refreshDispatch.kind, {
-                    passthrough: async () => null,
-                    hydrateRefreshFromCookie: async ({ refreshToken }) => {
-                      args.refreshToken = refreshToken;
-                      return null;
-                    },
-                    refreshRequestedWithoutCookie: async () => {
-                      const currentToken = currentCookies.token;
-                      const decodedToken =
-                        currentToken === null
-                          ? null
-                          : await Fx.run(
-                              Fx.attempt(
-                                async () =>
-                                  jwtDecode<DecodedToken>(currentToken),
-                                (decoded) => decoded,
-                                () => null,
-                              ),
+              const refreshResponse = await Fx.run(
+                Fx.match(refreshDispatch, refreshDispatch.kind, {
+                  passthrough: async () => null,
+                  hydrateRefreshFromCookie: async ({ refreshToken }) => {
+                    args.refreshToken = refreshToken;
+                    return null;
+                  },
+                  refreshRequestedWithoutCookie: async () => {
+                    const currentToken = currentCookies.token;
+                    const decodedToken =
+                      currentToken === null
+                        ? null
+                        : await Fx.run(
+                            Fx.attempt(
+                              async () => jwtDecode<DecodedToken>(currentToken),
+                              (decoded) => decoded,
+                              () => null,
+                            ),
+                          );
+                    const tokenDispatch =
+                      currentToken !== null &&
+                      decodedToken?.exp !== undefined &&
+                      decodedToken.iss !== undefined &&
+                      acceptedIssuers.has(normalizeIssuer(decodedToken.iss)) &&
+                      decodedToken.exp * 1000 > Date.now()
+                        ? {
+                            kind: "validToken" as const,
+                            token: currentToken,
+                          }
+                        : { kind: "missingToken" as const };
+                    return await Fx.run(
+                      Fx.match(tokenDispatch, tokenDispatch.kind, {
+                        validToken: ({ token }) =>
+                          new Response(
+                            JSON.stringify({
+                              tokens: {
+                                token,
+                                refreshToken: "dummy",
+                              },
+                            }),
+                            {
+                              status: 200,
+                              headers: {
+                                "Content-Type": "application/json",
+                              },
+                            },
+                          ),
+                        missingToken: () =>
+                          new Response(JSON.stringify({ tokens: null }), {
+                            status: 200,
+                            headers: {
+                              "Content-Type": "application/json",
+                            },
+                          }),
+                      }),
+                    );
+                  },
+                }),
+              );
+              const refreshDecision =
+                refreshResponse !== null
+                  ? {
+                      kind: "shortCircuit" as const,
+                      response: refreshResponse,
+                    }
+                  : { kind: "continue" as const };
+              const maybeShortCircuitResponse = await Fx.run(
+                Fx.match(refreshDecision, refreshDecision.kind, {
+                  shortCircuit: ({ response }) => response,
+                  continue: () => null,
+                }),
+              );
+              if (maybeShortCircuitResponse !== null) {
+                return maybeShortCircuitResponse;
+              }
+              const client = new ConvexHttpClient(convexUrl);
+              const authDispatch =
+                args.refreshToken === undefined &&
+                args.params?.code === undefined &&
+                currentCookies.token !== null
+                  ? {
+                      kind: "attachAuth" as const,
+                      token: currentCookies.token,
+                    }
+                  : { kind: "skipAuth" as const };
+              await Fx.run(
+                Fx.match(authDispatch, authDispatch.kind, {
+                  attachAuth: ({ token }) => {
+                    client.setAuth(token);
+                  },
+                  skipAuth: () => undefined,
+                }),
+              );
+              return Fx.run(
+                Fx.from({
+                  ok: () => client.action(signInActionRef, args),
+                  err: (error) => error,
+                }).pipe(
+                  Fx.fold({
+                    ok: (result: SignInActionResult) =>
+                      Fx.run(
+                        Fx.match(result, result.kind, {
+                          redirect: (redirectResult) => {
+                            const response = new Response(
+                              JSON.stringify({
+                                kind: "redirect",
+                                redirect: redirectResult.redirect,
+                                verifier: redirectResult.verifier,
+                              }),
+                              {
+                                status: 200,
+                                headers: {
+                                  "Content-Type": "application/json",
+                                },
+                              },
                             );
-                      const tokenDispatch =
-                        currentToken !== null &&
-                        decodedToken?.exp !== undefined &&
-                        decodedToken.iss !== undefined &&
-                        acceptedIssuers.has(
-                          normalizeIssuer(decodedToken.iss),
-                        ) &&
-                        decodedToken.exp * 1000 > Date.now()
-                          ? {
-                              kind: "validToken" as const,
-                              token: currentToken,
+                            for (const value of serializeAuthCookies(
+                              {
+                                ...currentCookies,
+                                verifier: redirectResult.verifier,
+                              },
+                              host,
+                              cookieConfig,
+                              cookieNamespace,
+                            )) {
+                              response.headers.append("Set-Cookie", value);
                             }
-                          : { kind: "missingToken" as const };
-                      return await Fx.run(
-                        Fx.match(tokenDispatch, tokenDispatch.kind, {
-                          validToken: ({ token }) =>
-                            new Response(
+                            return Fx.succeed(response);
+                          },
+                          signedIn: (signedInResult) => {
+                            const response = new Response(
                               JSON.stringify({
-                                tokens: {
-                                  token,
-                                  refreshToken: "dummy",
-                                },
+                                kind: "signedIn",
+                                tokens:
+                                  signedInResult.tokens === null
+                                    ? null
+                                    : {
+                                        token: signedInResult.tokens.token,
+                                        refreshToken: "dummy",
+                                      },
                               }),
                               {
                                 status: 200,
@@ -659,380 +757,265 @@ export function server(options: ServerOptions) {
                                   "Content-Type": "application/json",
                                 },
                               },
-                            ),
-                          missingToken: () =>
-                            new Response(JSON.stringify({ tokens: null }), {
-                              status: 200,
-                              headers: {
-                                "Content-Type": "application/json",
+                            );
+                            for (const value of serializeAuthCookies(
+                              {
+                                token: signedInResult.tokens?.token ?? null,
+                                refreshToken:
+                                  signedInResult.tokens?.refreshToken ?? null,
+                                verifier: null,
                               },
-                            }),
-                        }),
-                      );
-                    },
-                  }),
-                );
-                const refreshDecision =
-                  refreshResponse !== null
-                    ? {
-                        kind: "shortCircuit" as const,
-                        response: refreshResponse,
-                      }
-                    : { kind: "continue" as const };
-                const maybeShortCircuitResponse = await Fx.run(
-                  Fx.match(refreshDecision, refreshDecision.kind, {
-                    shortCircuit: ({ response }) => response,
-                    continue: () => null,
-                  }),
-                );
-                if (maybeShortCircuitResponse !== null) {
-                  return maybeShortCircuitResponse;
-                }
-                const client = new ConvexHttpClient(convexUrl);
-                const authDispatch =
-                  args.refreshToken === undefined &&
-                  args.params?.code === undefined &&
-                  currentCookies.token !== null
-                    ? {
-                        kind: "attachAuth" as const,
-                        token: currentCookies.token,
-                      }
-                    : { kind: "skipAuth" as const };
-                await Fx.run(
-                  Fx.match(authDispatch, authDispatch.kind, {
-                    attachAuth: ({ token }) => {
-                      client.setAuth(token);
-                    },
-                    skipAuth: () => undefined,
-                  }),
-                );
-                return Fx.run(
-                  Fx.from({
-                    ok: () => client.action(signInActionRef, args),
-                    err: (error) => error,
-                  }).pipe(
-                    Fx.fold({
-                      ok: (result: SignInActionResult) =>
-                        Fx.run(
-                          Fx.match(result, result.kind, {
-                            redirect: (redirectResult) => {
-                              const response = new Response(
-                                JSON.stringify({
-                                  kind: "redirect",
-                                  redirect: redirectResult.redirect,
-                                  verifier: redirectResult.verifier,
-                                }),
+                              host,
+                              cookieConfig,
+                              cookieNamespace,
+                            )) {
+                              response.headers.append("Set-Cookie", value);
+                            }
+                            return Fx.succeed(response);
+                          },
+                          started: (startedResult) =>
+                            Fx.succeed(
+                              new Response(JSON.stringify(startedResult), {
+                                status: 200,
+                                headers: {
+                                  "Content-Type": "application/json",
+                                },
+                              }),
+                            ),
+                          passkeyOptions: (passkeyOptionsResult) =>
+                            Fx.succeed(
+                              new Response(
+                                JSON.stringify(passkeyOptionsResult),
                                 {
                                   status: 200,
                                   headers: {
                                     "Content-Type": "application/json",
                                   },
                                 },
-                              );
-                              for (const value of serializeAuthCookies(
-                                {
-                                  ...currentCookies,
-                                  verifier: redirectResult.verifier,
+                              ),
+                            ),
+                          totpRequired: (totpRequiredResult) =>
+                            Fx.succeed(
+                              new Response(JSON.stringify(totpRequiredResult), {
+                                status: 200,
+                                headers: {
+                                  "Content-Type": "application/json",
                                 },
-                                host,
-                                cookieConfig,
-                                cookieNamespace,
-                              )) {
-                                response.headers.append("Set-Cookie", value);
-                              }
-                              return Fx.succeed(response);
-                            },
-                            signedIn: (signedInResult) => {
-                              const response = new Response(
-                                JSON.stringify({
-                                  kind: "signedIn",
-                                  tokens:
-                                    signedInResult.tokens === null
-                                      ? null
-                                      : {
-                                          token: signedInResult.tokens.token,
-                                          refreshToken: "dummy",
-                                        },
-                                }),
-                                {
-                                  status: 200,
-                                  headers: {
-                                    "Content-Type": "application/json",
-                                  },
+                              }),
+                            ),
+                          totpSetup: (totpSetupResult) =>
+                            Fx.succeed(
+                              new Response(JSON.stringify(totpSetupResult), {
+                                status: 200,
+                                headers: {
+                                  "Content-Type": "application/json",
                                 },
-                              );
-                              for (const value of serializeAuthCookies(
-                                {
-                                  token: signedInResult.tokens?.token ?? null,
-                                  refreshToken:
-                                    signedInResult.tokens?.refreshToken ?? null,
-                                  verifier: null,
+                              }),
+                            ),
+                          deviceCode: (deviceCodeResult) =>
+                            Fx.succeed(
+                              new Response(JSON.stringify(deviceCodeResult), {
+                                status: 200,
+                                headers: {
+                                  "Content-Type": "application/json",
                                 },
-                                host,
-                                cookieConfig,
-                                cookieNamespace,
-                              )) {
-                                response.headers.append("Set-Cookie", value);
-                              }
-                              return Fx.succeed(response);
-                            },
-                            started: (startedResult) =>
-                              Fx.succeed(
-                                new Response(JSON.stringify(startedResult), {
-                                  status: 200,
-                                  headers: {
-                                    "Content-Type": "application/json",
-                                  },
-                                }),
-                              ),
-                            passkeyOptions: (passkeyOptionsResult) =>
-                              Fx.succeed(
-                                new Response(
-                                  JSON.stringify(passkeyOptionsResult),
-                                  {
-                                    status: 200,
-                                    headers: {
-                                      "Content-Type": "application/json",
-                                    },
-                                  },
-                                ),
-                              ),
-                            totpRequired: (totpRequiredResult) =>
-                              Fx.succeed(
-                                new Response(
-                                  JSON.stringify(totpRequiredResult),
-                                  {
-                                    status: 200,
-                                    headers: {
-                                      "Content-Type": "application/json",
-                                    },
-                                  },
-                                ),
-                              ),
-                            totpSetup: (totpSetupResult) =>
-                              Fx.succeed(
-                                new Response(JSON.stringify(totpSetupResult), {
-                                  status: 200,
-                                  headers: {
-                                    "Content-Type": "application/json",
-                                  },
-                                }),
-                              ),
-                            deviceCode: (deviceCodeResult) =>
-                              Fx.succeed(
-                                new Response(JSON.stringify(deviceCodeResult), {
-                                  status: 200,
-                                  headers: {
-                                    "Content-Type": "application/json",
-                                  },
-                                }),
-                              ),
-                          }),
-                        ),
-                      err: (error: unknown) => {
-                        const errorBody =
-                          error instanceof ConvexError &&
-                          typeof error.data === "object" &&
-                          error.data !== null &&
-                          "code" in error.data
-                            ? {
-                                error:
-                                  (error.data as { message?: string })
-                                    .message ?? String(error),
-                                authError: error.data,
-                              }
-                            : {
-                                error:
-                                  error instanceof Error
-                                    ? error.message
-                                    : String(error),
-                              };
-                        const response = new Response(
-                          JSON.stringify(errorBody),
-                          {
-                            status: 400,
-                            headers: {
-                              "Content-Type": "application/json",
-                            },
-                          },
-                        );
-                        const clearSession =
-                          args.refreshToken !== undefined &&
-                          error instanceof ConvexError &&
-                          typeof error.data === "object" &&
-                          error.data !== null &&
-                          (error.data as Record<string, unknown>).code ===
-                            "INVALID_REFRESH_TOKEN";
-                        for (const value of serializeAuthCookies(
-                          {
-                            token: clearSession ? null : currentCookies.token,
-                            refreshToken: clearSession
-                              ? null
-                              : currentCookies.refreshToken,
-                            verifier: null,
-                          },
-                          host,
-                          cookieConfig,
-                          cookieNamespace,
-                        )) {
-                          response.headers.append("Set-Cookie", value);
-                        }
-                        return response;
-                      },
-                    }),
-                  ),
-                );
-              },
-              err: (e) => e as never,
-            }),
-          sessionStop: (_) =>
-            Fx.from({
-              ok: async () => {
-                await Fx.run(
-                  Fx.from({
-                    ok: () =>
-                      (() => {
-                        const client = new ConvexHttpClient(convexUrl);
-                        if (currentCookies.token !== null) {
-                          client.setAuth(currentCookies.token);
-                        }
-                        return client.action(signOutActionRef);
-                      })(),
-                    err: (error) => error,
-                  }).pipe(
-                    Fx.recover((error: unknown) => {
-                      console.error(
-                        "[convex-auth/server] proxy sign-out failed",
-                        error,
-                      );
-                      const fallbackDispatch =
-                        currentCookies.refreshToken !== null
+                              }),
+                            ),
+                        }),
+                      ),
+                    err: (error: unknown) => {
+                      const errorBody =
+                        error instanceof ConvexError &&
+                        typeof error.data === "object" &&
+                        error.data !== null &&
+                        "code" in error.data
                           ? {
-                              kind: "attemptFallback" as const,
-                              refreshToken: currentCookies.refreshToken,
+                              error:
+                                (error.data as { message?: string }).message ??
+                                String(error),
+                              authError: error.data,
                             }
-                          : { kind: "skipFallback" as const };
-                      return Fx.match(fallbackDispatch, fallbackDispatch.kind, {
-                        attemptFallback: ({ refreshToken }) =>
-                          Fx.from({
-                            ok: async () => {
-                              const refreshClient = new ConvexHttpClient(
-                                convexUrl,
-                              );
-                              const refreshed = (await refreshClient.action(
-                                signInActionRef,
-                                {
-                                  refreshToken,
-                                },
-                              )) as SignInActionResult;
-                              const refreshedTokens = await Fx.run(
-                                Fx.match(refreshed, refreshed.kind, {
-                                  signedIn: (signedInResult) =>
-                                    Fx.succeed(signedInResult.tokens),
-                                  redirect: () =>
-                                    Fx.fatal(
-                                      new Error(
-                                        "Invalid `auth:signIn` result for sign-out fallback refresh",
-                                      ),
+                          : {
+                              error:
+                                error instanceof Error
+                                  ? error.message
+                                  : String(error),
+                            };
+                      const response = new Response(JSON.stringify(errorBody), {
+                        status: 400,
+                        headers: {
+                          "Content-Type": "application/json",
+                        },
+                      });
+                      const clearSession =
+                        args.refreshToken !== undefined &&
+                        error instanceof ConvexError &&
+                        typeof error.data === "object" &&
+                        error.data !== null &&
+                        (error.data as Record<string, unknown>).code ===
+                          "INVALID_REFRESH_TOKEN";
+                      for (const value of serializeAuthCookies(
+                        {
+                          token: clearSession ? null : currentCookies.token,
+                          refreshToken: clearSession
+                            ? null
+                            : currentCookies.refreshToken,
+                          verifier: null,
+                        },
+                        host,
+                        cookieConfig,
+                        cookieNamespace,
+                      )) {
+                        response.headers.append("Set-Cookie", value);
+                      }
+                      return response;
+                    },
+                  }),
+                ),
+              );
+            }),
+          sessionStop: (_) =>
+            Fx.promise(async () => {
+              await Fx.run(
+                Fx.from({
+                  ok: () =>
+                    (() => {
+                      const client = new ConvexHttpClient(convexUrl);
+                      if (currentCookies.token !== null) {
+                        client.setAuth(currentCookies.token);
+                      }
+                      return client.action(signOutActionRef);
+                    })(),
+                  err: (error) => error,
+                }).pipe(
+                  Fx.recover((error: unknown) => {
+                    console.error(
+                      "[convex-auth/server] proxy sign-out failed",
+                      error,
+                    );
+                    const fallbackDispatch =
+                      currentCookies.refreshToken !== null
+                        ? {
+                            kind: "attemptFallback" as const,
+                            refreshToken: currentCookies.refreshToken,
+                          }
+                        : { kind: "skipFallback" as const };
+                    return Fx.match(fallbackDispatch, fallbackDispatch.kind, {
+                      attemptFallback: ({ refreshToken }) =>
+                        Fx.from({
+                          ok: async () => {
+                            const refreshClient = new ConvexHttpClient(
+                              convexUrl,
+                            );
+                            const refreshed = (await refreshClient.action(
+                              signInActionRef,
+                              {
+                                refreshToken,
+                              },
+                            )) as SignInActionResult;
+                            const refreshedTokens = await Fx.run(
+                              Fx.match(refreshed, refreshed.kind, {
+                                signedIn: (signedInResult) =>
+                                  Fx.succeed(signedInResult.tokens),
+                                redirect: () =>
+                                  Fx.fatal(
+                                    new Error(
+                                      "Invalid `auth:signIn` result for sign-out fallback refresh",
                                     ),
-                                  started: () =>
-                                    Fx.fatal(
-                                      new Error(
-                                        "Invalid `auth:signIn` result for sign-out fallback refresh",
-                                      ),
+                                  ),
+                                started: () =>
+                                  Fx.fatal(
+                                    new Error(
+                                      "Invalid `auth:signIn` result for sign-out fallback refresh",
                                     ),
-                                  passkeyOptions: () =>
-                                    Fx.fatal(
-                                      new Error(
-                                        "Invalid `auth:signIn` result for sign-out fallback refresh",
-                                      ),
+                                  ),
+                                passkeyOptions: () =>
+                                  Fx.fatal(
+                                    new Error(
+                                      "Invalid `auth:signIn` result for sign-out fallback refresh",
                                     ),
-                                  totpRequired: () =>
-                                    Fx.fatal(
-                                      new Error(
-                                        "Invalid `auth:signIn` result for sign-out fallback refresh",
-                                      ),
+                                  ),
+                                totpRequired: () =>
+                                  Fx.fatal(
+                                    new Error(
+                                      "Invalid `auth:signIn` result for sign-out fallback refresh",
                                     ),
-                                  totpSetup: () =>
-                                    Fx.fatal(
-                                      new Error(
-                                        "Invalid `auth:signIn` result for sign-out fallback refresh",
-                                      ),
+                                  ),
+                                totpSetup: () =>
+                                  Fx.fatal(
+                                    new Error(
+                                      "Invalid `auth:signIn` result for sign-out fallback refresh",
                                     ),
-                                  deviceCode: () =>
-                                    Fx.fatal(
-                                      new Error(
-                                        "Invalid `auth:signIn` result for sign-out fallback refresh",
-                                      ),
+                                  ),
+                                deviceCode: () =>
+                                  Fx.fatal(
+                                    new Error(
+                                      "Invalid `auth:signIn` result for sign-out fallback refresh",
                                     ),
-                                }),
-                              );
-                              const fallbackSignOutDispatch =
-                                refreshedTokens !== null
-                                  ? {
-                                      kind: "signOutWithRefreshed" as const,
-                                      token: refreshedTokens.token,
-                                    }
-                                  : { kind: "skipRefreshedSignOut" as const };
-                              await Fx.run(
-                                Fx.match(
-                                  fallbackSignOutDispatch,
-                                  fallbackSignOutDispatch.kind,
-                                  {
-                                    signOutWithRefreshed: ({ token }) =>
-                                      Fx.from({
-                                        ok: async () => {
-                                          const client = new ConvexHttpClient(
-                                            convexUrl,
-                                          );
-                                          client.setAuth(token);
-                                          await client.action(signOutActionRef);
-                                        },
-                                        err: (error) => error,
-                                      }),
-                                    skipRefreshedSignOut: () => Fx.succeed(undefined),
-                                  },
-                                ),
-                              );
-                            },
-                            err: (fallbackError) => fallbackError,
-                          }).pipe(
-                            Fx.recover((fallbackError: unknown) => {
-                              console.error(
-                                "[convex-auth/server] proxy sign-out fallback failed",
-                                fallbackError,
-                              );
-                              return Fx.succeed(undefined);
-                            }),
-                          ),
-                        skipFallback: () => Fx.succeed(undefined),
-                      });
-                    }),
-                    Fx.map(() => undefined),
-                  ),
-                );
-                const response = new Response(JSON.stringify(null), {
-                  status: 200,
-                  headers: {
-                    "Content-Type": "application/json",
-                  },
-                });
-                for (const value of serializeAuthCookies(
-                  {
-                    token: null,
-                    refreshToken: null,
-                    verifier: null,
-                  },
-                  host,
-                  cookieConfig,
-                  cookieNamespace,
-                )) {
-                  response.headers.append("Set-Cookie", value);
-                }
-                return response;
-              },
-              err: (e) => e as never,
+                                  ),
+                              }),
+                            );
+                            const fallbackSignOutDispatch =
+                              refreshedTokens !== null
+                                ? {
+                                    kind: "signOutWithRefreshed" as const,
+                                    token: refreshedTokens.token,
+                                  }
+                                : { kind: "skipRefreshedSignOut" as const };
+                            await Fx.run(
+                              Fx.match(
+                                fallbackSignOutDispatch,
+                                fallbackSignOutDispatch.kind,
+                                {
+                                  signOutWithRefreshed: ({ token }) =>
+                                    Fx.promise(async () => {
+                                      const client = new ConvexHttpClient(
+                                        convexUrl,
+                                      );
+                                      client.setAuth(token);
+                                      await client.action(signOutActionRef);
+                                    }),
+                                  skipRefreshedSignOut: () =>
+                                    Fx.succeed(undefined),
+                                },
+                              ),
+                            );
+                          },
+                          err: (error) => error,
+                        }).pipe(
+                          Fx.recover((fallbackError: unknown) => {
+                            console.error(
+                              "[convex-auth/server] proxy sign-out fallback failed",
+                              fallbackError,
+                            );
+                            return Fx.succeed(undefined);
+                          }),
+                        ),
+                      skipFallback: () => Fx.succeed(undefined),
+                    });
+                  }),
+                  Fx.map(() => undefined),
+                ),
+              );
+              const response = new Response(JSON.stringify(null), {
+                status: 200,
+                headers: {
+                  "Content-Type": "application/json",
+                },
+              });
+              for (const value of serializeAuthCookies(
+                {
+                  token: null,
+                  refreshToken: null,
+                  verifier: null,
+                },
+                host,
+                cookieConfig,
+                cookieNamespace,
+              )) {
+                response.headers.append("Set-Cookie", value);
+              }
+              return response;
             }),
         }),
       );