npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.21 → 0.0.4-preview.23 - Mend

@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (310) hide show

package/dist/authorization/index.d.ts +1 -1
package/dist/authorization/index.js +1 -1
package/dist/authorization/index.js.map +1 -1
package/dist/client/index.d.ts +1 -2
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +36 -39
package/dist/client/index.js.map +1 -1
package/dist/component/client/index.d.ts +1 -2
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/model.d.ts +5 -5
package/dist/component/model.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.js.map +1 -1
package/dist/component/public/enterprise/core.d.ts.map +1 -1
package/dist/component/public/enterprise/core.js.map +1 -1
package/dist/component/public/enterprise/domains.d.ts.map +1 -1
package/dist/component/public/enterprise/domains.js.map +1 -1
package/dist/component/public/enterprise/scim.d.ts.map +1 -1
package/dist/component/public/enterprise/scim.js.map +1 -1
package/dist/component/public/enterprise/secrets.d.ts.map +1 -1
package/dist/component/public/enterprise/secrets.js.map +1 -1
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -1
package/dist/component/public/enterprise/webhooks.js.map +1 -1
package/dist/component/public/factors/devices.d.ts.map +1 -1
package/dist/component/public/factors/devices.js.map +1 -1
package/dist/component/public/factors/passkeys.d.ts.map +1 -1
package/dist/component/public/factors/passkeys.js.map +1 -1
package/dist/component/public/factors/totp.d.ts.map +1 -1
package/dist/component/public/factors/totp.js.map +1 -1
package/dist/component/public/groups/core.js.map +1 -1
package/dist/component/public/groups/invites.d.ts.map +1 -1
package/dist/component/public/groups/invites.js.map +1 -1
package/dist/component/public/groups/members.d.ts.map +1 -1
package/dist/component/public/groups/members.js.map +1 -1
package/dist/component/public/identity/accounts.d.ts.map +1 -1
package/dist/component/public/identity/accounts.js.map +1 -1
package/dist/component/public/identity/codes.d.ts.map +1 -1
package/dist/component/public/identity/codes.js.map +1 -1
package/dist/component/public/identity/sessions.d.ts.map +1 -1
package/dist/component/public/identity/sessions.js.map +1 -1
package/dist/component/public/identity/tokens.d.ts.map +1 -1
package/dist/component/public/identity/tokens.js.map +1 -1
package/dist/component/public/identity/users.d.ts.map +1 -1
package/dist/component/public/identity/users.js.map +1 -1
package/dist/component/public/identity/verifiers.d.ts.map +1 -1
package/dist/component/public/identity/verifiers.js.map +1 -1
package/dist/component/public/security/keys.d.ts.map +1 -1
package/dist/component/public/security/keys.js.map +1 -1
package/dist/component/public/security/limits.d.ts.map +1 -1
package/dist/component/public/security/limits.js.map +1 -1
package/dist/component/schema.d.ts +39 -39
package/dist/component/server/auth.d.ts +95 -52
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +63 -43
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/core.js +116 -235
package/dist/component/server/core.js.map +1 -1
package/dist/component/server/crypto.js +25 -7
package/dist/component/server/crypto.js.map +1 -1
package/dist/component/server/device.js +58 -15
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/enterprise/domain.js +148 -59
package/dist/component/server/enterprise/domain.js.map +1 -1
package/dist/component/server/enterprise/http.js +36 -15
package/dist/component/server/enterprise/http.js.map +1 -1
package/dist/component/server/enterprise/oidc.js +1 -1
package/dist/component/server/http.js +26 -21
package/dist/component/server/http.js.map +1 -1
package/dist/component/server/identity.js +5 -2
package/dist/component/server/identity.js.map +1 -1
package/dist/component/server/limits.js +21 -30
package/dist/component/server/limits.js.map +1 -1
package/dist/component/server/mutations/account.js +12 -10
package/dist/component/server/mutations/account.js.map +1 -1
package/dist/component/server/mutations/code.js +5 -2
package/dist/component/server/mutations/code.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/invalidate.js.map +1 -1
package/dist/component/server/mutations/oauth.js +10 -4
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +2 -2
package/dist/component/server/mutations/refresh.js.map +1 -1
package/dist/component/server/mutations/register.js +46 -42
package/dist/component/server/mutations/register.js.map +1 -1
package/dist/component/server/mutations/retrieve.js +21 -25
package/dist/component/server/mutations/retrieve.js.map +1 -1
package/dist/component/server/mutations/signature.js +10 -4
package/dist/component/server/mutations/signature.js.map +1 -1
package/dist/component/server/mutations/signout.js.map +1 -1
package/dist/component/server/mutations/store.js +9 -24
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verifier.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/mutations/verify.js.map +1 -1
package/dist/component/server/oauth.js +53 -16
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +115 -31
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/redirects.js +9 -3
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +10 -7
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/runtime.d.ts +3 -3
package/dist/component/server/runtime.d.ts.map +1 -1
package/dist/component/server/runtime.js +62 -20
package/dist/component/server/runtime.js.map +1 -1
package/dist/component/server/signin.js +34 -10
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/totp.js +79 -19
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +12 -20
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +6 -3
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +10 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +14 -22
package/dist/core/types.d.ts.map +1 -1
package/dist/factors/device.js +8 -9
package/dist/factors/device.js.map +1 -1
package/dist/factors/passkey.js +18 -21
package/dist/factors/passkey.js.map +1 -1
package/dist/providers/password.js +66 -81
package/dist/providers/password.js.map +1 -1
package/dist/runtime/invite.js +2 -8
package/dist/runtime/invite.js.map +1 -1
package/dist/server/auth.d.ts +95 -52
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +63 -43
package/dist/server/auth.js.map +1 -1
package/dist/server/core.d.ts +71 -159
package/dist/server/core.d.ts.map +1 -1
package/dist/server/core.js +116 -235
package/dist/server/core.js.map +1 -1
package/dist/server/crypto.d.ts.map +1 -1
package/dist/server/crypto.js +25 -7
package/dist/server/crypto.js.map +1 -1
package/dist/server/device.js +58 -15
package/dist/server/device.js.map +1 -1
package/dist/server/enterprise/domain.d.ts +0 -8
package/dist/server/enterprise/domain.d.ts.map +1 -1
package/dist/server/enterprise/domain.js +148 -59
package/dist/server/enterprise/domain.js.map +1 -1
package/dist/server/enterprise/http.d.ts.map +1 -1
package/dist/server/enterprise/http.js +35 -14
package/dist/server/enterprise/http.js.map +1 -1
package/dist/server/http.d.ts +2 -2
package/dist/server/http.d.ts.map +1 -1
package/dist/server/http.js +25 -20
package/dist/server/http.js.map +1 -1
package/dist/server/identity.js +5 -2
package/dist/server/identity.js.map +1 -1
package/dist/server/index.d.ts +2 -2
package/dist/server/limits.js +21 -30
package/dist/server/limits.js.map +1 -1
package/dist/server/mounts.d.ts +26 -64
package/dist/server/mounts.d.ts.map +1 -1
package/dist/server/mounts.js +45 -106
package/dist/server/mounts.js.map +1 -1
package/dist/server/mutations/account.d.ts +8 -9
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/account.js +11 -9
package/dist/server/mutations/account.js.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/code.js +5 -2
package/dist/server/mutations/code.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +4 -4
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/invalidate.js.map +1 -1
package/dist/server/mutations/oauth.d.ts +12 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -3
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +3 -3
package/dist/server/mutations/refresh.d.ts.map +1 -1
package/dist/server/mutations/refresh.js +1 -1
package/dist/server/mutations/refresh.js.map +1 -1
package/dist/server/mutations/register.d.ts +11 -11
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/register.js +45 -41
package/dist/server/mutations/register.js.map +1 -1
package/dist/server/mutations/retrieve.d.ts +6 -6
package/dist/server/mutations/retrieve.d.ts.map +1 -1
package/dist/server/mutations/retrieve.js +20 -24
package/dist/server/mutations/retrieve.js.map +1 -1
package/dist/server/mutations/signature.d.ts +6 -7
package/dist/server/mutations/signature.d.ts.map +1 -1
package/dist/server/mutations/signature.js +9 -3
package/dist/server/mutations/signature.js.map +1 -1
package/dist/server/mutations/signin.d.ts +5 -5
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.js.map +1 -1
package/dist/server/mutations/store.d.ts +97 -97
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +8 -23
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.js.map +1 -1
package/dist/server/mutations/verify.d.ts +10 -10
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/mutations/verify.js.map +1 -1
package/dist/server/oauth.js +53 -16
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +2 -2
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +114 -30
package/dist/server/passkey.js.map +1 -1
package/dist/server/redirects.js +9 -3
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.js +10 -7
package/dist/server/refresh.js.map +1 -1
package/dist/server/runtime.d.ts +14 -14
package/dist/server/runtime.d.ts.map +1 -1
package/dist/server/runtime.js +61 -19
package/dist/server/runtime.js.map +1 -1
package/dist/server/signin.js +34 -10
package/dist/server/signin.js.map +1 -1
package/dist/server/ssr.d.ts.map +1 -1
package/dist/server/ssr.js +175 -184
package/dist/server/ssr.js.map +1 -1
package/dist/server/totp.js +78 -18
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +13 -21
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.js +6 -3
package/dist/server/users.js.map +1 -1
package/dist/server/utils.js +10 -4
package/dist/server/utils.js.map +1 -1
package/package.json +2 -6
package/src/authorization/index.ts +1 -1
package/src/cli/index.ts +1 -1
package/src/client/core/types.ts +14 -14
package/src/client/factors/device.ts +10 -12
package/src/client/factors/passkey.ts +23 -26
package/src/client/index.ts +54 -64
package/src/client/runtime/invite.ts +5 -7
package/src/component/index.ts +1 -0
package/src/component/public/enterprise/audit.ts +6 -1
package/src/component/public/enterprise/core.ts +1 -0
package/src/component/public/enterprise/domains.ts +5 -1
package/src/component/public/enterprise/scim.ts +1 -0
package/src/component/public/enterprise/secrets.ts +1 -0
package/src/component/public/enterprise/webhooks.ts +1 -0
package/src/component/public/factors/devices.ts +1 -0
package/src/component/public/factors/passkeys.ts +1 -0
package/src/component/public/factors/totp.ts +1 -0
package/src/component/public/groups/core.ts +1 -1
package/src/component/public/groups/invites.ts +7 -1
package/src/component/public/groups/members.ts +1 -0
package/src/component/public/identity/accounts.ts +1 -0
package/src/component/public/identity/codes.ts +1 -0
package/src/component/public/identity/sessions.ts +1 -0
package/src/component/public/identity/tokens.ts +1 -0
package/src/component/public/identity/users.ts +1 -0
package/src/component/public/identity/verifiers.ts +1 -0
package/src/component/public/security/keys.ts +1 -0
package/src/component/public/security/limits.ts +1 -0
package/src/providers/password.ts +89 -110
package/src/server/auth.ts +177 -111
package/src/server/core.ts +197 -233
package/src/server/crypto.ts +31 -29
package/src/server/device.ts +65 -32
package/src/server/enterprise/domain.ts +158 -170
package/src/server/enterprise/http.ts +46 -39
package/src/server/http.ts +36 -30
package/src/server/identity.ts +5 -5
package/src/server/index.ts +2 -0
package/src/server/limits.ts +53 -80
package/src/server/mounts.ts +47 -74
package/src/server/mutations/account.ts +22 -36
package/src/server/mutations/code.ts +6 -6
package/src/server/mutations/invalidate.ts +1 -1
package/src/server/mutations/oauth.ts +14 -8
package/src/server/mutations/refresh.ts +5 -4
package/src/server/mutations/register.ts +87 -132
package/src/server/mutations/retrieve.ts +44 -44
package/src/server/mutations/signature.ts +13 -6
package/src/server/mutations/signout.ts +1 -1
package/src/server/mutations/store.ts +16 -31
package/src/server/mutations/verifier.ts +1 -1
package/src/server/mutations/verify.ts +3 -5
package/src/server/oauth.ts +60 -69
package/src/server/passkey.ts +567 -517
package/src/server/redirects.ts +10 -6
package/src/server/refresh.ts +14 -18
package/src/server/runtime.ts +70 -55
package/src/server/signin.ts +44 -37
package/src/server/ssr.ts +390 -407
package/src/server/totp.ts +85 -35
package/src/server/types.ts +19 -22
package/src/server/users.ts +7 -6
package/src/server/utils.ts +10 -12
package/dist/component/server/authError.js +0 -34
package/dist/component/server/authError.js.map +0 -1
package/dist/component/server/errors.d.ts +0 -1
package/dist/component/server/errors.js +0 -137
package/dist/component/server/errors.js.map +0 -1
package/dist/server/authError.d.ts +0 -46
package/dist/server/authError.d.ts.map +0 -1
package/dist/server/authError.js +0 -34
package/dist/server/authError.js.map +0 -1
package/dist/server/errors.d.ts +0 -177
package/dist/server/errors.d.ts.map +0 -1
package/dist/server/errors.js +0 -212
package/dist/server/errors.js.map +0 -1
package/src/server/authError.ts +0 -44
package/src/server/errors.ts +0 -290

package/dist/server/authError.d.ts DELETED Viewed

@@ -1,46 +0,0 @@
-import { AuthErrorCode } from "./errors.js";
-import { ConvexError } from "convex/values";
-//#region src/server/authError.d.ts
-/**
- * Typed error for the Fx error channel.
- *
- * Use with `Fx.fail(new AuthError("CODE"))` in pipelines.
- * At Convex boundaries, {@link toConvexError} converts these to `ConvexError`.
- */
-declare class AuthError extends Error {
-  /**
-   * Machine-readable error code.
-   * @readonly
-   */
-  readonly code: AuthErrorCode;
-  /**
-   * Optional structured context for diagnostics.
-   * @readonly
-   */
-  readonly context?: Record<string, unknown> | undefined;
-  /**
-   * Discriminant tag for error channel matching.
-   * @readonly
-   */
-  readonly _tag: "AuthError";
-  constructor(
-  /**
-   * Machine-readable error code.
-   * @readonly
-   */
-  code: AuthErrorCode, message?: string,
-  /**
-   * Optional structured context for diagnostics.
-   * @readonly
-   */
-  context?: Record<string, unknown> | undefined);
-  /** Convert to the `ConvexError` shape the Convex runtime expects. */
-  toConvexError(): ConvexError<{
-    code: AuthErrorCode;
-    message: string;
-  }>;
-}
-//#endregion
-export { AuthError };
-//# sourceMappingURL=authError.d.ts.map

package/dist/server/authError.d.ts.map DELETED Viewed

	@@ -1 +0,0 @@
1	- {"version":3,"file":"authError.d.ts","names":[],"sources":["../../src/server/authError.ts"],"mappings":";;;;;;AAYA;;;;cAAa,SAAA,SAAkB,KAAA;EAYZ;;;;EAAA,SAAN,IAAA,EAAM,aAAA;EAZiB;;;;EAAA,SAkBvB,OAAA,GAAU,MAAA;EAAV;;;;EAAA,SAbF,IAAA;;EAQP;;;;EADS,IAAA,EAAM,aAAA,EACf,OAAA;EAW6B;;;;EANpB,OAAA,GAAU,MAAA;;EAMrB,aAAA,CAAA,GAAiB,WAAA;IAAc,IAAA,EAAM,aAAA;IAAe,OAAA;EAAA;AAAA"}

package/dist/server/authError.js DELETED Viewed

@@ -1,34 +0,0 @@
-import { AUTH_ERRORS } from "./errors.js";
-import { Cv } from "@robelest/fx/convex";
-//#region src/server/authError.ts
-/**
-* Typed error for the Fx error channel.
-*
-* Use with `Fx.fail(new AuthError("CODE"))` in pipelines.
-* At Convex boundaries, {@link toConvexError} converts these to `ConvexError`.
-*/
-var AuthError = class extends Error {
-	/**
-	* Discriminant tag for error channel matching.
-	* @readonly
-	*/
-	_tag = "AuthError";
-	constructor(code, message, context) {
-		super(message ?? AUTH_ERRORS[code]);
-		this.code = code;
-		this.context = context;
-	}
-	/** Convert to the `ConvexError` shape the Convex runtime expects. */
-	toConvexError() {
-		return Cv.error({
-			code: this.code,
-			message: this.message,
-			...this.context
-		});
-	}
-};
-//#endregion
-export { AuthError };
-//# sourceMappingURL=authError.js.map

package/dist/server/authError.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"authError.js","names":[],"sources":["../../src/server/authError.ts"],"sourcesContent":["import { Cv } from \"@robelest/fx/convex\";\nimport type { ConvexError } from \"convex/values\";\n\nimport { AUTH_ERRORS } from \"./errors\";\nimport type { AuthErrorCode } from \"./errors\";\n\n/**\n * Typed error for the Fx error channel.\n *\n * Use with `Fx.fail(new AuthError(\"CODE\"))` in pipelines.\n * At Convex boundaries, {@link toConvexError} converts these to `ConvexError`.\n */\nexport class AuthError extends Error {\n /**\n * Discriminant tag for error channel matching.\n * @readonly\n */\n readonly _tag = \"AuthError\" as const;\n\n constructor(\n /**\n * Machine-readable error code.\n * @readonly\n */\n readonly code: AuthErrorCode,\n message?: string,\n /**\n * Optional structured context for diagnostics.\n * @readonly\n */\n readonly context?: Record<string, unknown>,\n ) {\n super(message ?? AUTH_ERRORS[code]);\n }\n\n /** Convert to the `ConvexError` shape the Convex runtime expects. */\n toConvexError(): ConvexError<{ code: AuthErrorCode; message: string }> {\n return Cv.error({\n code: this.code,\n message: this.message,\n ...this.context,\n });\n }\n}\n"],"mappings":";;;;;;;;;;AAYA,IAAa,YAAb,cAA+B,MAAM;;;;;CAKnC,AAAS,OAAO;CAEhB,YAKE,AAAS,MACT,SAKA,AAAS,SACT;AACA,QAAM,WAAW,YAAY,MAAM;EAR1B;EAMA;;;CAMX,gBAAuE;AACrE,SAAO,GAAG,MAAM;GACd,MAAM,KAAK;GACX,SAAS,KAAK;GACd,GAAG,KAAK;GACT,CAAC"}

package/dist/server/errors.d.ts DELETED Viewed

@@ -1,177 +0,0 @@
-import { ConvexError } from "convex/values";
-//#region src/server/errors.d.ts
-/**
- * Map of every auth error code to its default human-readable message.
- *
- * Use the keys as the `code` argument to {@link throwAuthError}.
- * Clients can match on these codes for conditional error handling.
- *
- * @example
- * ```ts
- * throwAuthError("NOT_SIGNED_IN");
- * // ConvexError { data: { code: "NOT_SIGNED_IN", message: "You must be signed in..." } }
- * ```
- */
-declare const AUTH_ERRORS: {
-  readonly PROVIDER_NOT_CONFIGURED: "This sign-in method is not available.";
-  readonly EMAIL_CONFIG_REQUIRED: "Email transport is not configured. Configure email in createAuth(...).";
-  readonly MISSING_ENV_VAR: "A required server environment variable is missing.";
-  readonly MISSING_ACTION_CONTEXT: "Action context is required for this operation.";
-  readonly INVALID_PARAMETERS: "The provided parameters are invalid.";
-  readonly NOT_SIGNED_IN: "You must be signed in to perform this action.";
-  readonly INVALID_VERIFICATION_CODE: "Invalid or expired verification code.";
-  readonly INVALID_REFRESH_TOKEN: "Your session has expired. Please sign in again.";
-  readonly AUTH_HANDSHAKE_TIMEOUT: "Sign-in succeeded but authentication confirmation timed out.";
-  readonly AUTH_HANDSHAKE_REJECTED: "Authentication was rejected while confirming the session.";
-  readonly SIGN_IN_MISSING_PARAMS: "Cannot sign in: missing provider, code, or refresh token.";
-  readonly UNSUPPORTED_PROVIDER_TYPE: "This provider type is not supported.";
-  readonly INVALID_REDIRECT: "Invalid redirect URL.";
-  readonly EMAIL_SEND_FAILED: "Failed to send verification email. Please try again.";
-  readonly INVALID_API_KEY: "Invalid API key.";
-  readonly API_KEY_REVOKED: "This API key has been revoked.";
-  readonly API_KEY_EXPIRED: "This API key has expired.";
-  readonly API_KEY_RATE_LIMITED: "API key rate limit exceeded. Please try again later.";
-  readonly API_KEY_INVALID_SCOPE: "Invalid scope requested for API key.";
-  readonly KEY_NOT_FOUND: "API key not found.";
-  readonly MISSING_BEARER_TOKEN: "Missing or malformed Authorization: Bearer header.";
-  readonly SCOPE_CHECK_FAILED: "This API key does not have the required permissions.";
-  readonly OAUTH_MISSING_PROVIDER: "Missing OAuth provider ID.";
-  readonly OAUTH_MISSING_VERIFIER: "Missing sign-in verifier.";
-  readonly OAUTH_INVALID_STATE: "Invalid OAuth state. Please try signing in again.";
-  readonly OAUTH_PROVIDER_ERROR: "The sign-in provider returned an error.";
-  readonly OAUTH_MISSING_ID_TOKEN: "ID token claims are missing from the provider response.";
-  readonly OAUTH_INVALID_PROFILE: "The sign-in provider returned an invalid profile.";
-  readonly OAUTH_UNSUPPORTED_AUTH_METHOD: "Unsupported OAuth client authentication method.";
-  readonly OAUTH_NO_USERINFO: "No userinfo endpoint configured for this provider.";
-  readonly ACCOUNT_ALREADY_EXISTS: "An account with these credentials already exists.";
-  readonly ACCOUNT_NOT_FOUND: "Account not found.";
-  readonly INVALID_CREDENTIALS_PROVIDER: "This provider does not support credential operations.";
-  readonly MISSING_CRYPTO_FUNCTION: "This provider is missing a required cryptographic function.";
-  readonly USER_UPDATE_FAILED: "Could not update the user record.";
-  readonly INVALID_VERIFIER: "Invalid or expired verifier.";
-  readonly PASSKEY_MISSING_CONFIG: "Passkey provider requires SITE_URL or explicit rpId configuration.";
-  readonly PASSKEY_AUTH_REQUIRED: "Sign in first, then add a passkey to your account.";
-  readonly PASSKEY_MISSING_VERIFIER: "Missing verifier for passkey operation.";
-  readonly PASSKEY_INVALID_CLIENT_DATA: "Invalid passkey client data.";
-  readonly PASSKEY_INVALID_ORIGIN: "Passkey origin does not match the expected value.";
-  readonly PASSKEY_INVALID_CHALLENGE: "Invalid or expired passkey challenge.";
-  readonly PASSKEY_RP_MISMATCH: "Relying party ID mismatch.";
-  readonly PASSKEY_USER_PRESENCE: "User presence flag not set.";
-  readonly PASSKEY_USER_VERIFICATION: "User verification required but not performed.";
-  readonly PASSKEY_NO_CREDENTIAL: "No credential in attestation.";
-  readonly PASSKEY_UNSUPPORTED_ALGORITHM: "Unsupported passkey algorithm.";
-  readonly PASSKEY_INVALID_SIGNATURE: "Invalid passkey signature.";
-  readonly PASSKEY_UNKNOWN_CREDENTIAL: "Unknown passkey credential.";
-  readonly PASSKEY_COUNTER_ERROR: "Authenticator counter did not increase — possible credential cloning detected.";
-  readonly PASSKEY_MISSING_FLOW: "Missing passkey flow parameter.";
-  readonly PASSKEY_UNKNOWN_FLOW: "Unknown passkey flow.";
-  readonly TOTP_AUTH_REQUIRED: "Sign in first, then set up two-factor authentication.";
-  readonly TOTP_MISSING_VERIFIER: "Missing verifier for TOTP operation.";
-  readonly TOTP_MISSING_CODE: "Missing TOTP code.";
-  readonly TOTP_MISSING_ID: "Missing TOTP enrollment ID.";
-  readonly TOTP_NOT_FOUND: "TOTP enrollment not found.";
-  readonly TOTP_ALREADY_VERIFIED: "TOTP enrollment is already verified.";
-  readonly TOTP_INVALID_CODE: "Invalid TOTP code.";
-  readonly TOTP_INVALID_VERIFIER: "Invalid or expired TOTP verifier.";
-  readonly TOTP_NO_ENROLLMENT: "No verified TOTP enrollment found.";
-  readonly TOTP_MISSING_FLOW: "Missing TOTP flow parameter.";
-  readonly TOTP_UNKNOWN_FLOW: "Unknown TOTP flow.";
-  readonly DEVICE_CODE_EXPIRED: "The device code has expired. Please start a new authorization request.";
-  readonly DEVICE_CODE_DENIED: "The authorization request was denied.";
-  readonly DEVICE_AUTHORIZATION_PENDING: "The user has not yet authorized this device.";
-  readonly DEVICE_SLOW_DOWN: "Polling too frequently. Increase the interval between requests.";
-  readonly DEVICE_INVALID_USER_CODE: "Invalid or expired user code.";
-  readonly DEVICE_ALREADY_AUTHORIZED: "This device code has already been authorized.";
-  readonly DEVICE_MISSING_FLOW: "Missing device flow parameter.";
-  readonly DEVICE_UNKNOWN_FLOW: "Unknown device flow.";
-  readonly INVITE_EXPIRED: "This invitation has expired.";
-  readonly INVITE_EMAIL_MISMATCH: "This invitation is for a different email.";
-  readonly INVITE_ALREADY_ACCEPTED: "This invitation has already been accepted.";
-  readonly DUPLICATE_INVITE: "A pending invite already exists for this email in this group.";
-  readonly INVITE_NOT_FOUND: "Invite not found.";
-  readonly INVITE_NOT_PENDING: "Cannot accept or revoke invite that is not pending.";
-  readonly FORBIDDEN: "Access denied.";
-  readonly NO_ACTIVE_GROUP: "User has no active group set.";
-  readonly DUPLICATE_MEMBERSHIP: "User is already a member of this group.";
-  readonly ENTERPRISE_ALREADY_EXISTS: "An enterprise record already exists for this group.";
-  readonly ENTERPRISE_DOMAIN_TAKEN: "That domain is already attached to another enterprise.";
-  readonly INTERNAL_ERROR: "An unexpected error occurred.";
-};
-/** Union of all recognized auth error code strings (keys of {@link AUTH_ERRORS}). */
-type AuthErrorCode = keyof typeof AUTH_ERRORS;
-/**
- * Throw a structured `ConvexError` with `{ code, message }`.
- *
- * Use this in your own Convex functions (queries, mutations, actions)
- * to throw auth-domain errors that clients can match on by `code`.
- * The library itself uses `AuthError` internally, but consumers
- * should prefer this helper for simplicity.
- *
- * @param code    Machine-readable error code from `AUTH_ERRORS`.
- * @param message Optional override for the default human-readable message.
- * @param context Optional extra fields merged into the error payload.
- *
- * @example
- * ```ts
- * import { throwAuthError } from "@robelest/convex-auth/server";
- *
- * // In a custom mutation:
- * if (!isAdmin) {
- *   throwAuthError("FORBIDDEN");
- * }
- * ```
- *
- * @throws {ConvexError} Always — throws a `ConvexError` with `{ code, message }` payload.
- */
-declare function throwAuthError(code: AuthErrorCode, message?: string, context?: Record<string, unknown>): never;
-/**
- * Type guard: check whether a caught value is a structured auth `ConvexError`.
- *
- * @param error - The caught value (typically from a `catch` block).
- * @returns `true` when `error` is a `ConvexError` with `{ code, message }` data.
- *
- * @example
- * ```ts
- * try { await auth.signIn('email', { email }); }
- * catch (e) {
- *   if (isAuthError(e)) console.log(e.data.code); // "EMAIL_SEND_FAILED"
- * }
- * ```
- */
-declare function isAuthError(error: unknown): error is ConvexError<{
-  code: AuthErrorCode;
-  message: string;
-}>;
-/**
- * Extract `{ code, message }` from a caught error.
- *
- * Works for `ConvexError` (from Convex actions), plain `Error`
- * instances, and structured auth errors. Returns `null` when the
- * value is not an error object.
- *
- * @param error - The caught value to parse.
- * @returns `{ code, message }` when extractable, or `null`.
- *   When `code` is `null`, the error is not a structured auth error
- *   but `message` still contains the error text.
- *
- * @example
- * ```ts
- * try {
- *   await auth.signIn("email", { email });
- * } catch (e) {
- *   const err = parseAuthError(e);
- *   if (err?.code === "EMAIL_SEND_FAILED") { ... }
- * }
- * ```
- */
-declare function parseAuthError(error: unknown): {
-  code: AuthErrorCode;
-  message: string;
-} | {
-  code: null;
-  message: string;
-} | null;
-//#endregion
-export { AUTH_ERRORS, AuthErrorCode, isAuthError, parseAuthError, throwAuthError };
-//# sourceMappingURL=errors.d.ts.map

package/dist/server/errors.d.ts.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"errors.d.ts","names":[],"sources":["../../src/server/errors.ts"],"mappings":";;;;;;;;;;;;;;;cAmCa,WAAA;EAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAmID,aAAA,gBAA6B,WAAA;;;;;AA0FzC;;;;;;;;;;;;;;;;;;;;iBA5DgB,cAAA,CACd,IAAA,EAAM,aAAA,EACN,OAAA,WACA,OAAA,GAAU,MAAA;;;;;;;;;;;;;;;iBAuBI,WAAA,CACd,KAAA,YACC,KAAA,IAAS,WAAA;EAAc,IAAA,EAAM,aAAA;EAAe,OAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;iBAgC/B,cAAA,CACd,KAAA;EAEI,IAAA,EAAM,aAAA;EAAe,OAAA;AAAA;EACrB,IAAA;EAAY,OAAA;AAAA"}

package/dist/server/errors.js DELETED Viewed

@@ -1,212 +0,0 @@
-import { ConvexError } from "convex/values";
-//#region src/server/errors.ts
-/**
-* Structured error handling for Convex Auth.
-*
-* Every error thrown by the auth system uses `ConvexError` with a
-* `{ code, message }` payload so clients can distinguish error types
-* and display user-friendly messages.
-*
-* **Consumer API:** Use {@link throwAuthError} to throw structured errors
-* from your own Convex functions (e.g. custom authorization checks).
-*
-* **Internal pattern:** The library itself uses `new AuthError(code)` with
-* the `@robelest/fx` effect system (`Fx.fail(new AuthError(code))`).
-* You do not need to use `AuthError` directly — it is an implementation detail.
-*
-* @module
-*/
-/**
-* Map of every auth error code to its default human-readable message.
-*
-* Use the keys as the `code` argument to {@link throwAuthError}.
-* Clients can match on these codes for conditional error handling.
-*
-* @example
-* ```ts
-* throwAuthError("NOT_SIGNED_IN");
-* // ConvexError { data: { code: "NOT_SIGNED_IN", message: "You must be signed in..." } }
-* ```
-*/
-const AUTH_ERRORS = {
-	PROVIDER_NOT_CONFIGURED: "This sign-in method is not available.",
-	EMAIL_CONFIG_REQUIRED: "Email transport is not configured. Configure email in createAuth(...).",
-	MISSING_ENV_VAR: "A required server environment variable is missing.",
-	MISSING_ACTION_CONTEXT: "Action context is required for this operation.",
-	INVALID_PARAMETERS: "The provided parameters are invalid.",
-	NOT_SIGNED_IN: "You must be signed in to perform this action.",
-	INVALID_VERIFICATION_CODE: "Invalid or expired verification code.",
-	INVALID_REFRESH_TOKEN: "Your session has expired. Please sign in again.",
-	AUTH_HANDSHAKE_TIMEOUT: "Sign-in succeeded but authentication confirmation timed out.",
-	AUTH_HANDSHAKE_REJECTED: "Authentication was rejected while confirming the session.",
-	SIGN_IN_MISSING_PARAMS: "Cannot sign in: missing provider, code, or refresh token.",
-	UNSUPPORTED_PROVIDER_TYPE: "This provider type is not supported.",
-	INVALID_REDIRECT: "Invalid redirect URL.",
-	EMAIL_SEND_FAILED: "Failed to send verification email. Please try again.",
-	INVALID_API_KEY: "Invalid API key.",
-	API_KEY_REVOKED: "This API key has been revoked.",
-	API_KEY_EXPIRED: "This API key has expired.",
-	API_KEY_RATE_LIMITED: "API key rate limit exceeded. Please try again later.",
-	API_KEY_INVALID_SCOPE: "Invalid scope requested for API key.",
-	KEY_NOT_FOUND: "API key not found.",
-	MISSING_BEARER_TOKEN: "Missing or malformed Authorization: Bearer header.",
-	SCOPE_CHECK_FAILED: "This API key does not have the required permissions.",
-	OAUTH_MISSING_PROVIDER: "Missing OAuth provider ID.",
-	OAUTH_MISSING_VERIFIER: "Missing sign-in verifier.",
-	OAUTH_INVALID_STATE: "Invalid OAuth state. Please try signing in again.",
-	OAUTH_PROVIDER_ERROR: "The sign-in provider returned an error.",
-	OAUTH_MISSING_ID_TOKEN: "ID token claims are missing from the provider response.",
-	OAUTH_INVALID_PROFILE: "The sign-in provider returned an invalid profile.",
-	OAUTH_UNSUPPORTED_AUTH_METHOD: "Unsupported OAuth client authentication method.",
-	OAUTH_NO_USERINFO: "No userinfo endpoint configured for this provider.",
-	ACCOUNT_ALREADY_EXISTS: "An account with these credentials already exists.",
-	ACCOUNT_NOT_FOUND: "Account not found.",
-	INVALID_CREDENTIALS_PROVIDER: "This provider does not support credential operations.",
-	MISSING_CRYPTO_FUNCTION: "This provider is missing a required cryptographic function.",
-	USER_UPDATE_FAILED: "Could not update the user record.",
-	INVALID_VERIFIER: "Invalid or expired verifier.",
-	PASSKEY_MISSING_CONFIG: "Passkey provider requires SITE_URL or explicit rpId configuration.",
-	PASSKEY_AUTH_REQUIRED: "Sign in first, then add a passkey to your account.",
-	PASSKEY_MISSING_VERIFIER: "Missing verifier for passkey operation.",
-	PASSKEY_INVALID_CLIENT_DATA: "Invalid passkey client data.",
-	PASSKEY_INVALID_ORIGIN: "Passkey origin does not match the expected value.",
-	PASSKEY_INVALID_CHALLENGE: "Invalid or expired passkey challenge.",
-	PASSKEY_RP_MISMATCH: "Relying party ID mismatch.",
-	PASSKEY_USER_PRESENCE: "User presence flag not set.",
-	PASSKEY_USER_VERIFICATION: "User verification required but not performed.",
-	PASSKEY_NO_CREDENTIAL: "No credential in attestation.",
-	PASSKEY_UNSUPPORTED_ALGORITHM: "Unsupported passkey algorithm.",
-	PASSKEY_INVALID_SIGNATURE: "Invalid passkey signature.",
-	PASSKEY_UNKNOWN_CREDENTIAL: "Unknown passkey credential.",
-	PASSKEY_COUNTER_ERROR: "Authenticator counter did not increase — possible credential cloning detected.",
-	PASSKEY_MISSING_FLOW: "Missing passkey flow parameter.",
-	PASSKEY_UNKNOWN_FLOW: "Unknown passkey flow.",
-	TOTP_AUTH_REQUIRED: "Sign in first, then set up two-factor authentication.",
-	TOTP_MISSING_VERIFIER: "Missing verifier for TOTP operation.",
-	TOTP_MISSING_CODE: "Missing TOTP code.",
-	TOTP_MISSING_ID: "Missing TOTP enrollment ID.",
-	TOTP_NOT_FOUND: "TOTP enrollment not found.",
-	TOTP_ALREADY_VERIFIED: "TOTP enrollment is already verified.",
-	TOTP_INVALID_CODE: "Invalid TOTP code.",
-	TOTP_INVALID_VERIFIER: "Invalid or expired TOTP verifier.",
-	TOTP_NO_ENROLLMENT: "No verified TOTP enrollment found.",
-	TOTP_MISSING_FLOW: "Missing TOTP flow parameter.",
-	TOTP_UNKNOWN_FLOW: "Unknown TOTP flow.",
-	DEVICE_CODE_EXPIRED: "The device code has expired. Please start a new authorization request.",
-	DEVICE_CODE_DENIED: "The authorization request was denied.",
-	DEVICE_AUTHORIZATION_PENDING: "The user has not yet authorized this device.",
-	DEVICE_SLOW_DOWN: "Polling too frequently. Increase the interval between requests.",
-	DEVICE_INVALID_USER_CODE: "Invalid or expired user code.",
-	DEVICE_ALREADY_AUTHORIZED: "This device code has already been authorized.",
-	DEVICE_MISSING_FLOW: "Missing device flow parameter.",
-	DEVICE_UNKNOWN_FLOW: "Unknown device flow.",
-	INVITE_EXPIRED: "This invitation has expired.",
-	INVITE_EMAIL_MISMATCH: "This invitation is for a different email.",
-	INVITE_ALREADY_ACCEPTED: "This invitation has already been accepted.",
-	DUPLICATE_INVITE: "A pending invite already exists for this email in this group.",
-	INVITE_NOT_FOUND: "Invite not found.",
-	INVITE_NOT_PENDING: "Cannot accept or revoke invite that is not pending.",
-	FORBIDDEN: "Access denied.",
-	NO_ACTIVE_GROUP: "User has no active group set.",
-	DUPLICATE_MEMBERSHIP: "User is already a member of this group.",
-	ENTERPRISE_ALREADY_EXISTS: "An enterprise record already exists for this group.",
-	ENTERPRISE_DOMAIN_TAKEN: "That domain is already attached to another enterprise.",
-	INTERNAL_ERROR: "An unexpected error occurred."
-};
-/**
-* Throw a structured `ConvexError` with `{ code, message }`.
-*
-* Use this in your own Convex functions (queries, mutations, actions)
-* to throw auth-domain errors that clients can match on by `code`.
-* The library itself uses `AuthError` internally, but consumers
-* should prefer this helper for simplicity.
-*
-* @param code    Machine-readable error code from `AUTH_ERRORS`.
-* @param message Optional override for the default human-readable message.
-* @param context Optional extra fields merged into the error payload.
-*
-* @example
-* ```ts
-* import { throwAuthError } from "@robelest/convex-auth/server";
-*
-* // In a custom mutation:
-* if (!isAdmin) {
-*   throwAuthError("FORBIDDEN");
-* }
-* ```
-*
-* @throws {ConvexError} Always — throws a `ConvexError` with `{ code, message }` payload.
-*/
-function throwAuthError(code, message, context) {
-	throw new ConvexError({
-		code,
-		message: message ?? AUTH_ERRORS[code],
-		...context
-	});
-}
-/**
-* Type guard: check whether a caught value is a structured auth `ConvexError`.
-*
-* @param error - The caught value (typically from a `catch` block).
-* @returns `true` when `error` is a `ConvexError` with `{ code, message }` data.
-*
-* @example
-* ```ts
-* try { await auth.signIn('email', { email }); }
-* catch (e) {
-*   if (isAuthError(e)) console.log(e.data.code); // "EMAIL_SEND_FAILED"
-* }
-* ```
-*/
-function isAuthError(error) {
-	return error instanceof ConvexError && typeof error.data === "object" && error.data !== null && "code" in error.data && "message" in error.data;
-}
-/**
-* Extract `{ code, message }` from a caught error.
-*
-* Works for `ConvexError` (from Convex actions), plain `Error`
-* instances, and structured auth errors. Returns `null` when the
-* value is not an error object.
-*
-* @param error - The caught value to parse.
-* @returns `{ code, message }` when extractable, or `null`.
-*   When `code` is `null`, the error is not a structured auth error
-*   but `message` still contains the error text.
-*
-* @example
-* ```ts
-* try {
-*   await auth.signIn("email", { email });
-* } catch (e) {
-*   const err = parseAuthError(e);
-*   if (err?.code === "EMAIL_SEND_FAILED") { ... }
-* }
-* ```
-*/
-function parseAuthError(error) {
-	if (isAuthError(error)) {
-		const { code, message } = error.data;
-		return {
-			code,
-			message
-		};
-	}
-	if (error instanceof Error && "_tag" in error && error._tag === "AuthError" && "code" in error && typeof error.code === "string") return {
-		code: error.code,
-		message: error.message
-	};
-	if (error instanceof ConvexError && typeof error.data === "string") return {
-		code: null,
-		message: error.data
-	};
-	if (error instanceof Error) return {
-		code: null,
-		message: error.message
-	};
-	return null;
-}
-//#endregion
-export { AUTH_ERRORS, isAuthError, parseAuthError, throwAuthError };
-//# sourceMappingURL=errors.js.map

package/dist/server/errors.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"errors.js","names":[],"sources":["../../src/server/errors.ts"],"sourcesContent":["/**\n * Structured error handling for Convex Auth.\n *\n * Every error thrown by the auth system uses `ConvexError` with a\n * `{ code, message }` payload so clients can distinguish error types\n * and display user-friendly messages.\n *\n * **Consumer API:** Use {@link throwAuthError} to throw structured errors\n * from your own Convex functions (e.g. custom authorization checks).\n *\n * **Internal pattern:** The library itself uses `new AuthError(code)` with\n * the `@robelest/fx` effect system (`Fx.fail(new AuthError(code))`).\n * You do not need to use `AuthError` directly — it is an implementation detail.\n *\n * @module\n */\n\nimport { ConvexError } from \"convex/values\";\n\n// ============================================================================\n// Error code → default message map (single source of truth)\n// ============================================================================\n\n/**\n * Map of every auth error code to its default human-readable message.\n *\n * Use the keys as the `code` argument to {@link throwAuthError}.\n * Clients can match on these codes for conditional error handling.\n *\n * @example\n * ```ts\n * throwAuthError(\"NOT_SIGNED_IN\");\n * // ConvexError { data: { code: \"NOT_SIGNED_IN\", message: \"You must be signed in...\" } }\n * ```\n */\nexport const AUTH_ERRORS = {\n // ---- Configuration ----\n PROVIDER_NOT_CONFIGURED: \"This sign-in method is not available.\",\n EMAIL_CONFIG_REQUIRED:\n \"Email transport is not configured. Configure email in createAuth(...).\",\n MISSING_ENV_VAR: \"A required server environment variable is missing.\",\n MISSING_ACTION_CONTEXT: \"Action context is required for this operation.\",\n INVALID_PARAMETERS: \"The provided parameters are invalid.\",\n\n // ---- Authentication ----\n NOT_SIGNED_IN: \"You must be signed in to perform this action.\",\n INVALID_VERIFICATION_CODE: \"Invalid or expired verification code.\",\n INVALID_REFRESH_TOKEN: \"Your session has expired. Please sign in again.\",\n AUTH_HANDSHAKE_TIMEOUT:\n \"Sign-in succeeded but authentication confirmation timed out.\",\n AUTH_HANDSHAKE_REJECTED:\n \"Authentication was rejected while confirming the session.\",\n SIGN_IN_MISSING_PARAMS:\n \"Cannot sign in: missing provider, code, or refresh token.\",\n UNSUPPORTED_PROVIDER_TYPE: \"This provider type is not supported.\",\n INVALID_REDIRECT: \"Invalid redirect URL.\",\n\n // ---- Email / Phone ----\n EMAIL_SEND_FAILED: \"Failed to send verification email. Please try again.\",\n\n // ---- API Keys ----\n INVALID_API_KEY: \"Invalid API key.\",\n API_KEY_REVOKED: \"This API key has been revoked.\",\n API_KEY_EXPIRED: \"This API key has expired.\",\n API_KEY_RATE_LIMITED: \"API key rate limit exceeded. Please try again later.\",\n API_KEY_INVALID_SCOPE: \"Invalid scope requested for API key.\",\n KEY_NOT_FOUND: \"API key not found.\",\n\n // ---- HTTP Bearer Auth ----\n MISSING_BEARER_TOKEN: \"Missing or malformed Authorization: Bearer header.\",\n SCOPE_CHECK_FAILED: \"This API key does not have the required permissions.\",\n\n // ---- OAuth ----\n OAUTH_MISSING_PROVIDER: \"Missing OAuth provider ID.\",\n OAUTH_MISSING_VERIFIER: \"Missing sign-in verifier.\",\n OAUTH_INVALID_STATE: \"Invalid OAuth state. Please try signing in again.\",\n OAUTH_PROVIDER_ERROR: \"The sign-in provider returned an error.\",\n OAUTH_MISSING_ID_TOKEN:\n \"ID token claims are missing from the provider response.\",\n OAUTH_INVALID_PROFILE: \"The sign-in provider returned an invalid profile.\",\n OAUTH_UNSUPPORTED_AUTH_METHOD:\n \"Unsupported OAuth client authentication method.\",\n OAUTH_NO_USERINFO: \"No userinfo endpoint configured for this provider.\",\n\n // ---- Credentials ----\n ACCOUNT_ALREADY_EXISTS: \"An account with these credentials already exists.\",\n ACCOUNT_NOT_FOUND: \"Account not found.\",\n INVALID_CREDENTIALS_PROVIDER:\n \"This provider does not support credential operations.\",\n MISSING_CRYPTO_FUNCTION:\n \"This provider is missing a required cryptographic function.\",\n USER_UPDATE_FAILED: \"Could not update the user record.\",\n\n // ---- Verifier ----\n INVALID_VERIFIER: \"Invalid or expired verifier.\",\n\n // ---- Passkey ----\n PASSKEY_MISSING_CONFIG:\n \"Passkey provider requires SITE_URL or explicit rpId configuration.\",\n PASSKEY_AUTH_REQUIRED: \"Sign in first, then add a passkey to your account.\",\n PASSKEY_MISSING_VERIFIER: \"Missing verifier for passkey operation.\",\n PASSKEY_INVALID_CLIENT_DATA: \"Invalid passkey client data.\",\n PASSKEY_INVALID_ORIGIN: \"Passkey origin does not match the expected value.\",\n PASSKEY_INVALID_CHALLENGE: \"Invalid or expired passkey challenge.\",\n PASSKEY_RP_MISMATCH: \"Relying party ID mismatch.\",\n PASSKEY_USER_PRESENCE: \"User presence flag not set.\",\n PASSKEY_USER_VERIFICATION: \"User verification required but not performed.\",\n PASSKEY_NO_CREDENTIAL: \"No credential in attestation.\",\n PASSKEY_UNSUPPORTED_ALGORITHM: \"Unsupported passkey algorithm.\",\n PASSKEY_INVALID_SIGNATURE: \"Invalid passkey signature.\",\n PASSKEY_UNKNOWN_CREDENTIAL: \"Unknown passkey credential.\",\n PASSKEY_COUNTER_ERROR:\n \"Authenticator counter did not increase — possible credential cloning detected.\",\n PASSKEY_MISSING_FLOW: \"Missing passkey flow parameter.\",\n PASSKEY_UNKNOWN_FLOW: \"Unknown passkey flow.\",\n\n // ---- TOTP ----\n TOTP_AUTH_REQUIRED: \"Sign in first, then set up two-factor authentication.\",\n TOTP_MISSING_VERIFIER: \"Missing verifier for TOTP operation.\",\n TOTP_MISSING_CODE: \"Missing TOTP code.\",\n TOTP_MISSING_ID: \"Missing TOTP enrollment ID.\",\n TOTP_NOT_FOUND: \"TOTP enrollment not found.\",\n TOTP_ALREADY_VERIFIED: \"TOTP enrollment is already verified.\",\n TOTP_INVALID_CODE: \"Invalid TOTP code.\",\n TOTP_INVALID_VERIFIER: \"Invalid or expired TOTP verifier.\",\n TOTP_NO_ENROLLMENT: \"No verified TOTP enrollment found.\",\n TOTP_MISSING_FLOW: \"Missing TOTP flow parameter.\",\n TOTP_UNKNOWN_FLOW: \"Unknown TOTP flow.\",\n\n // ---- Device Authorization (RFC 8628) ----\n DEVICE_CODE_EXPIRED:\n \"The device code has expired. Please start a new authorization request.\",\n DEVICE_CODE_DENIED: \"The authorization request was denied.\",\n DEVICE_AUTHORIZATION_PENDING: \"The user has not yet authorized this device.\",\n DEVICE_SLOW_DOWN:\n \"Polling too frequently. Increase the interval between requests.\",\n DEVICE_INVALID_USER_CODE: \"Invalid or expired user code.\",\n DEVICE_ALREADY_AUTHORIZED: \"This device code has already been authorized.\",\n DEVICE_MISSING_FLOW: \"Missing device flow parameter.\",\n DEVICE_UNKNOWN_FLOW: \"Unknown device flow.\",\n\n // ---- Invites ----\n INVITE_EXPIRED: \"This invitation has expired.\",\n INVITE_EMAIL_MISMATCH: \"This invitation is for a different email.\",\n INVITE_ALREADY_ACCEPTED: \"This invitation has already been accepted.\",\n DUPLICATE_INVITE:\n \"A pending invite already exists for this email in this group.\",\n INVITE_NOT_FOUND: \"Invite not found.\",\n INVITE_NOT_PENDING: \"Cannot accept or revoke invite that is not pending.\",\n\n // ---- Groups / Members ----\n FORBIDDEN: \"Access denied.\",\n NO_ACTIVE_GROUP: \"User has no active group set.\",\n DUPLICATE_MEMBERSHIP: \"User is already a member of this group.\",\n\n // ---- Enterprise ----\n ENTERPRISE_ALREADY_EXISTS:\n \"An enterprise record already exists for this group.\",\n ENTERPRISE_DOMAIN_TAKEN:\n \"That domain is already attached to another enterprise.\",\n\n // ---- Internal (should never reach user) ----\n INTERNAL_ERROR: \"An unexpected error occurred.\",\n} as const satisfies Record<string, string>;\n\n/** Union of all recognized auth error code strings (keys of {@link AUTH_ERRORS}). */\nexport type AuthErrorCode = keyof typeof AUTH_ERRORS;\n\n// ============================================================================\n// Error helpers\n// ============================================================================\n\n/**\n * Throw a structured `ConvexError` with `{ code, message }`.\n *\n * Use this in your own Convex functions (queries, mutations, actions)\n * to throw auth-domain errors that clients can match on by `code`.\n * The library itself uses `AuthError` internally, but consumers\n * should prefer this helper for simplicity.\n *\n * @param code Machine-readable error code from `AUTH_ERRORS`.\n * @param message Optional override for the default human-readable message.\n * @param context Optional extra fields merged into the error payload.\n *\n * @example\n * ```ts\n * import { throwAuthError } from \"@robelest/convex-auth/server\";\n *\n * // In a custom mutation:\n * if (!isAdmin) {\n * throwAuthError(\"FORBIDDEN\");\n * }\n * ```\n *\n * @throws {ConvexError} Always — throws a `ConvexError` with `{ code, message }` payload.\n */\nexport function throwAuthError(\n code: AuthErrorCode,\n message?: string,\n context?: Record<string, unknown>,\n): never {\n throw new ConvexError({\n code,\n message: message ?? AUTH_ERRORS[code],\n ...context,\n });\n}\n\n/**\n * Type guard: check whether a caught value is a structured auth `ConvexError`.\n *\n * @param error - The caught value (typically from a `catch` block).\n * @returns `true` when `error` is a `ConvexError` with `{ code, message }` data.\n *\n * @example\n * ```ts\n * try { await auth.signIn('email', { email }); }\n * catch (e) {\n * if (isAuthError(e)) console.log(e.data.code); // \"EMAIL_SEND_FAILED\"\n * }\n * ```\n */\nexport function isAuthError(\n error: unknown,\n): error is ConvexError<{ code: AuthErrorCode; message: string }> {\n return (\n error instanceof ConvexError &&\n typeof error.data === \"object\" &&\n error.data !== null &&\n \"code\" in error.data &&\n \"message\" in error.data\n );\n}\n\n/**\n * Extract `{ code, message }` from a caught error.\n *\n * Works for `ConvexError` (from Convex actions), plain `Error`\n * instances, and structured auth errors. Returns `null` when the\n * value is not an error object.\n *\n * @param error - The caught value to parse.\n * @returns `{ code, message }` when extractable, or `null`.\n * When `code` is `null`, the error is not a structured auth error\n * but `message` still contains the error text.\n *\n * @example\n * ```ts\n * try {\n * await auth.signIn(\"email\", { email });\n * } catch (e) {\n * const err = parseAuthError(e);\n * if (err?.code === \"EMAIL_SEND_FAILED\") { ... }\n * }\n * ```\n */\nexport function parseAuthError(\n error: unknown,\n):\n | { code: AuthErrorCode; message: string }\n | { code: null; message: string }\n | null {\n if (isAuthError(error)) {\n const { code, message } = error.data as {\n code: AuthErrorCode;\n message: string;\n };\n return { code, message };\n }\n // Recognize the Fx-native AuthError class (has _tag + code)\n if (\n error instanceof Error &&\n \"_tag\" in error &&\n (error as any)._tag === \"AuthError\" &&\n \"code\" in error &&\n typeof (error as any).code === \"string\"\n ) {\n return {\n code: (error as any).code as AuthErrorCode,\n message: error.message,\n };\n }\n if (error instanceof ConvexError && typeof error.data === \"string\") {\n return { code: null, message: error.data };\n }\n if (error instanceof Error) {\n return { code: null, message: error.message };\n }\n return null;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmCA,MAAa,cAAc;CAEzB,yBAAyB;CACzB,uBACE;CACF,iBAAiB;CACjB,wBAAwB;CACxB,oBAAoB;CAGpB,eAAe;CACf,2BAA2B;CAC3B,uBAAuB;CACvB,wBACE;CACF,yBACE;CACF,wBACE;CACF,2BAA2B;CAC3B,kBAAkB;CAGlB,mBAAmB;CAGnB,iBAAiB;CACjB,iBAAiB;CACjB,iBAAiB;CACjB,sBAAsB;CACtB,uBAAuB;CACvB,eAAe;CAGf,sBAAsB;CACtB,oBAAoB;CAGpB,wBAAwB;CACxB,wBAAwB;CACxB,qBAAqB;CACrB,sBAAsB;CACtB,wBACE;CACF,uBAAuB;CACvB,+BACE;CACF,mBAAmB;CAGnB,wBAAwB;CACxB,mBAAmB;CACnB,8BACE;CACF,yBACE;CACF,oBAAoB;CAGpB,kBAAkB;CAGlB,wBACE;CACF,uBAAuB;CACvB,0BAA0B;CAC1B,6BAA6B;CAC7B,wBAAwB;CACxB,2BAA2B;CAC3B,qBAAqB;CACrB,uBAAuB;CACvB,2BAA2B;CAC3B,uBAAuB;CACvB,+BAA+B;CAC/B,2BAA2B;CAC3B,4BAA4B;CAC5B,uBACE;CACF,sBAAsB;CACtB,sBAAsB;CAGtB,oBAAoB;CACpB,uBAAuB;CACvB,mBAAmB;CACnB,iBAAiB;CACjB,gBAAgB;CAChB,uBAAuB;CACvB,mBAAmB;CACnB,uBAAuB;CACvB,oBAAoB;CACpB,mBAAmB;CACnB,mBAAmB;CAGnB,qBACE;CACF,oBAAoB;CACpB,8BAA8B;CAC9B,kBACE;CACF,0BAA0B;CAC1B,2BAA2B;CAC3B,qBAAqB;CACrB,qBAAqB;CAGrB,gBAAgB;CAChB,uBAAuB;CACvB,yBAAyB;CACzB,kBACE;CACF,kBAAkB;CAClB,oBAAoB;CAGpB,WAAW;CACX,iBAAiB;CACjB,sBAAsB;CAGtB,2BACE;CACF,yBACE;CAGF,gBAAgB;CACjB;;;;;;;;;;;;;;;;;;;;;;;;;AAiCD,SAAgB,eACd,MACA,SACA,SACO;AACP,OAAM,IAAI,YAAY;EACpB;EACA,SAAS,WAAW,YAAY;EAChC,GAAG;EACJ,CAAC;;;;;;;;;;;;;;;;AAiBJ,SAAgB,YACd,OACgE;AAChE,QACE,iBAAiB,eACjB,OAAO,MAAM,SAAS,YACtB,MAAM,SAAS,QACf,UAAU,MAAM,QAChB,aAAa,MAAM;;;;;;;;;;;;;;;;;;;;;;;;AA0BvB,SAAgB,eACd,OAIO;AACP,KAAI,YAAY,MAAM,EAAE;EACtB,MAAM,EAAE,MAAM,YAAY,MAAM;AAIhC,SAAO;GAAE;GAAM;GAAS;;AAG1B,KACE,iBAAiB,SACjB,UAAU,SACT,MAAc,SAAS,eACxB,UAAU,SACV,OAAQ,MAAc,SAAS,SAE/B,QAAO;EACL,MAAO,MAAc;EACrB,SAAS,MAAM;EAChB;AAEH,KAAI,iBAAiB,eAAe,OAAO,MAAM,SAAS,SACxD,QAAO;EAAE,MAAM;EAAM,SAAS,MAAM;EAAM;AAE5C,KAAI,iBAAiB,MACnB,QAAO;EAAE,MAAM;EAAM,SAAS,MAAM;EAAS;AAE/C,QAAO"}

package/src/server/authError.ts DELETED Viewed

@@ -1,44 +0,0 @@
-import { Cv } from "@robelest/fx/convex";
-import type { ConvexError } from "convex/values";
-import { AUTH_ERRORS } from "./errors";
-import type { AuthErrorCode } from "./errors";
-/**
- * Typed error for the Fx error channel.
- *
- * Use with `Fx.fail(new AuthError("CODE"))` in pipelines.
- * At Convex boundaries, {@link toConvexError} converts these to `ConvexError`.
- */
-export class AuthError extends Error {
-  /**
-   * Discriminant tag for error channel matching.
-   * @readonly
-   */
-  readonly _tag = "AuthError" as const;
-  constructor(
-    /**
-     * Machine-readable error code.
-     * @readonly
-     */
-    readonly code: AuthErrorCode,
-    message?: string,
-    /**
-     * Optional structured context for diagnostics.
-     * @readonly
-     */
-    readonly context?: Record<string, unknown>,
-  ) {
-    super(message ?? AUTH_ERRORS[code]);
-  }
-  /** Convert to the `ConvexError` shape the Convex runtime expects. */
-  toConvexError(): ConvexError<{ code: AuthErrorCode; message: string }> {
-    return Cv.error({
-      code: this.code,
-      message: this.message,
-      ...this.context,
-    });
-  }
-}