@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.23
- package/dist/authorization/index.d.ts +1 -1
- package/dist/authorization/index.js +1 -1
- package/dist/authorization/index.js.map +1 -1
- package/dist/client/index.d.ts +1 -2
- package/dist/client/index.d.ts.map +1 -1
- package/dist/client/index.js +36 -39
- package/dist/client/index.js.map +1 -1
- package/dist/component/client/index.d.ts +1 -2
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/convex.config.d.ts.map +1 -1
- package/dist/component/model.d.ts +5 -5
- package/dist/component/model.d.ts.map +1 -1
- package/dist/component/public/enterprise/audit.d.ts.map +1 -1
- package/dist/component/public/enterprise/audit.js.map +1 -1
- package/dist/component/public/enterprise/core.d.ts.map +1 -1
- package/dist/component/public/enterprise/core.js.map +1 -1
- package/dist/component/public/enterprise/domains.d.ts.map +1 -1
- package/dist/component/public/enterprise/domains.js.map +1 -1
- package/dist/component/public/enterprise/scim.d.ts.map +1 -1
- package/dist/component/public/enterprise/scim.js.map +1 -1
- package/dist/component/public/enterprise/secrets.d.ts.map +1 -1
- package/dist/component/public/enterprise/secrets.js.map +1 -1
- package/dist/component/public/enterprise/webhooks.d.ts.map +1 -1
- package/dist/component/public/enterprise/webhooks.js.map +1 -1
- package/dist/component/public/factors/devices.d.ts.map +1 -1
- package/dist/component/public/factors/devices.js.map +1 -1
- package/dist/component/public/factors/passkeys.d.ts.map +1 -1
- package/dist/component/public/factors/passkeys.js.map +1 -1
- package/dist/component/public/factors/totp.d.ts.map +1 -1
- package/dist/component/public/factors/totp.js.map +1 -1
- package/dist/component/public/groups/core.js.map +1 -1
- package/dist/component/public/groups/invites.d.ts.map +1 -1
- package/dist/component/public/groups/invites.js.map +1 -1
- package/dist/component/public/groups/members.d.ts.map +1 -1
- package/dist/component/public/groups/members.js.map +1 -1
- package/dist/component/public/identity/accounts.d.ts.map +1 -1
- package/dist/component/public/identity/accounts.js.map +1 -1
- package/dist/component/public/identity/codes.d.ts.map +1 -1
- package/dist/component/public/identity/codes.js.map +1 -1
- package/dist/component/public/identity/sessions.d.ts.map +1 -1
- package/dist/component/public/identity/sessions.js.map +1 -1
- package/dist/component/public/identity/tokens.d.ts.map +1 -1
- package/dist/component/public/identity/tokens.js.map +1 -1
- package/dist/component/public/identity/users.d.ts.map +1 -1
- package/dist/component/public/identity/users.js.map +1 -1
- package/dist/component/public/identity/verifiers.d.ts.map +1 -1
- package/dist/component/public/identity/verifiers.js.map +1 -1
- package/dist/component/public/security/keys.d.ts.map +1 -1
- package/dist/component/public/security/keys.js.map +1 -1
- package/dist/component/public/security/limits.d.ts.map +1 -1
- package/dist/component/public/security/limits.js.map +1 -1
- package/dist/component/schema.d.ts +39 -39
- package/dist/component/server/auth.d.ts +95 -52
- package/dist/component/server/auth.d.ts.map +1 -1
- package/dist/component/server/auth.js +63 -43
- package/dist/component/server/auth.js.map +1 -1
- package/dist/component/server/core.js +116 -235
- package/dist/component/server/core.js.map +1 -1
- package/dist/component/server/crypto.js +25 -7
- package/dist/component/server/crypto.js.map +1 -1
- package/dist/component/server/device.js +58 -15
- package/dist/component/server/device.js.map +1 -1
- package/dist/component/server/enterprise/domain.js +148 -59
- package/dist/component/server/enterprise/domain.js.map +1 -1
- package/dist/component/server/enterprise/http.js +36 -15
- package/dist/component/server/enterprise/http.js.map +1 -1
- package/dist/component/server/enterprise/oidc.js +1 -1
- package/dist/component/server/http.js +26 -21
- package/dist/component/server/http.js.map +1 -1
- package/dist/component/server/identity.js +5 -2
- package/dist/component/server/identity.js.map +1 -1
- package/dist/component/server/limits.js +21 -30
- package/dist/component/server/limits.js.map +1 -1
- package/dist/component/server/mutations/account.js +12 -10
- package/dist/component/server/mutations/account.js.map +1 -1
- package/dist/component/server/mutations/code.js +5 -2
- package/dist/component/server/mutations/code.js.map +1 -1
- package/dist/component/server/mutations/invalidate.js +1 -1
- package/dist/component/server/mutations/invalidate.js.map +1 -1
- package/dist/component/server/mutations/oauth.js +10 -4
- package/dist/component/server/mutations/oauth.js.map +1 -1
- package/dist/component/server/mutations/refresh.js +2 -2
- package/dist/component/server/mutations/refresh.js.map +1 -1
- package/dist/component/server/mutations/register.js +46 -42
- package/dist/component/server/mutations/register.js.map +1 -1
- package/dist/component/server/mutations/retrieve.js +21 -25
- package/dist/component/server/mutations/retrieve.js.map +1 -1
- package/dist/component/server/mutations/signature.js +10 -4
- package/dist/component/server/mutations/signature.js.map +1 -1
- package/dist/component/server/mutations/signout.js.map +1 -1
- package/dist/component/server/mutations/store.js +9 -24
- package/dist/component/server/mutations/store.js.map +1 -1
- package/dist/component/server/mutations/verifier.js.map +1 -1
- package/dist/component/server/mutations/verify.js +1 -1
- package/dist/component/server/mutations/verify.js.map +1 -1
- package/dist/component/server/oauth.js +53 -16
- package/dist/component/server/oauth.js.map +1 -1
- package/dist/component/server/passkey.js +115 -31
- package/dist/component/server/passkey.js.map +1 -1
- package/dist/component/server/redirects.js +9 -3
- package/dist/component/server/redirects.js.map +1 -1
- package/dist/component/server/refresh.js +10 -7
- package/dist/component/server/refresh.js.map +1 -1
- package/dist/component/server/runtime.d.ts +3 -3
- package/dist/component/server/runtime.d.ts.map +1 -1
- package/dist/component/server/runtime.js +62 -20
- package/dist/component/server/runtime.js.map +1 -1
- package/dist/component/server/signin.js +34 -10
- package/dist/component/server/signin.js.map +1 -1
- package/dist/component/server/totp.js +79 -19
- package/dist/component/server/totp.js.map +1 -1
- package/dist/component/server/types.d.ts +12 -20
- package/dist/component/server/types.d.ts.map +1 -1
- package/dist/component/server/types.js.map +1 -1
- package/dist/component/server/users.js +6 -3
- package/dist/component/server/users.js.map +1 -1
- package/dist/component/server/utils.js +10 -4
- package/dist/component/server/utils.js.map +1 -1
- package/dist/core/types.d.ts +14 -22
- package/dist/core/types.d.ts.map +1 -1
- package/dist/factors/device.js +8 -9
- package/dist/factors/device.js.map +1 -1
- package/dist/factors/passkey.js +18 -21
- package/dist/factors/passkey.js.map +1 -1
- package/dist/providers/password.js +66 -81
- package/dist/providers/password.js.map +1 -1
- package/dist/runtime/invite.js +2 -8
- package/dist/runtime/invite.js.map +1 -1
- package/dist/server/auth.d.ts +95 -52
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +63 -43
- package/dist/server/auth.js.map +1 -1
- package/dist/server/core.d.ts +71 -159
- package/dist/server/core.d.ts.map +1 -1
- package/dist/server/core.js +116 -235
- package/dist/server/core.js.map +1 -1
- package/dist/server/crypto.d.ts.map +1 -1
- package/dist/server/crypto.js +25 -7
- package/dist/server/crypto.js.map +1 -1
- package/dist/server/device.js +58 -15
- package/dist/server/device.js.map +1 -1
- package/dist/server/enterprise/domain.d.ts +0 -8
- package/dist/server/enterprise/domain.d.ts.map +1 -1
- package/dist/server/enterprise/domain.js +148 -59
- package/dist/server/enterprise/domain.js.map +1 -1
- package/dist/server/enterprise/http.d.ts.map +1 -1
- package/dist/server/enterprise/http.js +35 -14
- package/dist/server/enterprise/http.js.map +1 -1
- package/dist/server/http.d.ts +2 -2
- package/dist/server/http.d.ts.map +1 -1
- package/dist/server/http.js +25 -20
- package/dist/server/http.js.map +1 -1
- package/dist/server/identity.js +5 -2
- package/dist/server/identity.js.map +1 -1
- package/dist/server/index.d.ts +2 -2
- package/dist/server/limits.js +21 -30
- package/dist/server/limits.js.map +1 -1
- package/dist/server/mounts.d.ts +26 -64
- package/dist/server/mounts.d.ts.map +1 -1
- package/dist/server/mounts.js +45 -106
- package/dist/server/mounts.js.map +1 -1
- package/dist/server/mutations/account.d.ts +8 -9
- package/dist/server/mutations/account.d.ts.map +1 -1
- package/dist/server/mutations/account.js +11 -9
- package/dist/server/mutations/account.js.map +1 -1
- package/dist/server/mutations/code.d.ts +13 -13
- package/dist/server/mutations/code.d.ts.map +1 -1
- package/dist/server/mutations/code.js +5 -2
- package/dist/server/mutations/code.js.map +1 -1
- package/dist/server/mutations/invalidate.d.ts +4 -4
- package/dist/server/mutations/invalidate.d.ts.map +1 -1
- package/dist/server/mutations/invalidate.js.map +1 -1
- package/dist/server/mutations/oauth.d.ts +12 -10
- package/dist/server/mutations/oauth.d.ts.map +1 -1
- package/dist/server/mutations/oauth.js +9 -3
- package/dist/server/mutations/oauth.js.map +1 -1
- package/dist/server/mutations/refresh.d.ts +3 -3
- package/dist/server/mutations/refresh.d.ts.map +1 -1
- package/dist/server/mutations/refresh.js +1 -1
- package/dist/server/mutations/refresh.js.map +1 -1
- package/dist/server/mutations/register.d.ts +11 -11
- package/dist/server/mutations/register.d.ts.map +1 -1
- package/dist/server/mutations/register.js +45 -41
- package/dist/server/mutations/register.js.map +1 -1
- package/dist/server/mutations/retrieve.d.ts +6 -6
- package/dist/server/mutations/retrieve.d.ts.map +1 -1
- package/dist/server/mutations/retrieve.js +20 -24
- package/dist/server/mutations/retrieve.js.map +1 -1
- package/dist/server/mutations/signature.d.ts +6 -7
- package/dist/server/mutations/signature.d.ts.map +1 -1
- package/dist/server/mutations/signature.js +9 -3
- package/dist/server/mutations/signature.js.map +1 -1
- package/dist/server/mutations/signin.d.ts +5 -5
- package/dist/server/mutations/signin.d.ts.map +1 -1
- package/dist/server/mutations/signout.js.map +1 -1
- package/dist/server/mutations/store.d.ts +97 -97
- package/dist/server/mutations/store.d.ts.map +1 -1
- package/dist/server/mutations/store.js +8 -23
- package/dist/server/mutations/store.js.map +1 -1
- package/dist/server/mutations/verifier.js.map +1 -1
- package/dist/server/mutations/verify.d.ts +10 -10
- package/dist/server/mutations/verify.d.ts.map +1 -1
- package/dist/server/mutations/verify.js.map +1 -1
- package/dist/server/oauth.js +53 -16
- package/dist/server/oauth.js.map +1 -1
- package/dist/server/passkey.d.ts +2 -2
- package/dist/server/passkey.d.ts.map +1 -1
- package/dist/server/passkey.js +114 -30
- package/dist/server/passkey.js.map +1 -1
- package/dist/server/redirects.js +9 -3
- package/dist/server/redirects.js.map +1 -1
- package/dist/server/refresh.js +10 -7
- package/dist/server/refresh.js.map +1 -1
- package/dist/server/runtime.d.ts +14 -14
- package/dist/server/runtime.d.ts.map +1 -1
- package/dist/server/runtime.js +61 -19
- package/dist/server/runtime.js.map +1 -1
- package/dist/server/signin.js +34 -10
- package/dist/server/signin.js.map +1 -1
- package/dist/server/ssr.d.ts.map +1 -1
- package/dist/server/ssr.js +175 -184
- package/dist/server/ssr.js.map +1 -1
- package/dist/server/totp.js +78 -18
- package/dist/server/totp.js.map +1 -1
- package/dist/server/types.d.ts +13 -21
- package/dist/server/types.d.ts.map +1 -1
- package/dist/server/types.js.map +1 -1
- package/dist/server/users.js +6 -3
- package/dist/server/users.js.map +1 -1
- package/dist/server/utils.js +10 -4
- package/dist/server/utils.js.map +1 -1
- package/package.json +2 -6
- package/src/authorization/index.ts +1 -1
- package/src/cli/index.ts +1 -1
- package/src/client/core/types.ts +14 -14
- package/src/client/factors/device.ts +10 -12
- package/src/client/factors/passkey.ts +23 -26
- package/src/client/index.ts +54 -64
- package/src/client/runtime/invite.ts +5 -7
- package/src/component/index.ts +1 -0
- package/src/component/public/enterprise/audit.ts +6 -1
- package/src/component/public/enterprise/core.ts +1 -0
- package/src/component/public/enterprise/domains.ts +5 -1
- package/src/component/public/enterprise/scim.ts +1 -0
- package/src/component/public/enterprise/secrets.ts +1 -0
- package/src/component/public/enterprise/webhooks.ts +1 -0
- package/src/component/public/factors/devices.ts +1 -0
- package/src/component/public/factors/passkeys.ts +1 -0
- package/src/component/public/factors/totp.ts +1 -0
- package/src/component/public/groups/core.ts +1 -1
- package/src/component/public/groups/invites.ts +7 -1
- package/src/component/public/groups/members.ts +1 -0
- package/src/component/public/identity/accounts.ts +1 -0
- package/src/component/public/identity/codes.ts +1 -0
- package/src/component/public/identity/sessions.ts +1 -0
- package/src/component/public/identity/tokens.ts +1 -0
- package/src/component/public/identity/users.ts +1 -0
- package/src/component/public/identity/verifiers.ts +1 -0
- package/src/component/public/security/keys.ts +1 -0
- package/src/component/public/security/limits.ts +1 -0
- package/src/providers/password.ts +89 -110
- package/src/server/auth.ts +177 -111
- package/src/server/core.ts +197 -233
- package/src/server/crypto.ts +31 -29
- package/src/server/device.ts +65 -32
- package/src/server/enterprise/domain.ts +158 -170
- package/src/server/enterprise/http.ts +46 -39
- package/src/server/http.ts +36 -30
- package/src/server/identity.ts +5 -5
- package/src/server/index.ts +2 -0
- package/src/server/limits.ts +53 -80
- package/src/server/mounts.ts +47 -74
- package/src/server/mutations/account.ts +22 -36
- package/src/server/mutations/code.ts +6 -6
- package/src/server/mutations/invalidate.ts +1 -1
- package/src/server/mutations/oauth.ts +14 -8
- package/src/server/mutations/refresh.ts +5 -4
- package/src/server/mutations/register.ts +87 -132
- package/src/server/mutations/retrieve.ts +44 -44
- package/src/server/mutations/signature.ts +13 -6
- package/src/server/mutations/signout.ts +1 -1
- package/src/server/mutations/store.ts +16 -31
- package/src/server/mutations/verifier.ts +1 -1
- package/src/server/mutations/verify.ts +3 -5
- package/src/server/oauth.ts +60 -69
- package/src/server/passkey.ts +567 -517
- package/src/server/redirects.ts +10 -6
- package/src/server/refresh.ts +14 -18
- package/src/server/runtime.ts +70 -55
- package/src/server/signin.ts +44 -37
- package/src/server/ssr.ts +390 -407
- package/src/server/totp.ts +85 -35
- package/src/server/types.ts +19 -22
- package/src/server/users.ts +7 -6
- package/src/server/utils.ts +10 -12
- package/dist/component/server/authError.js +0 -34
- package/dist/component/server/authError.js.map +0 -1
- package/dist/component/server/errors.d.ts +0 -1
- package/dist/component/server/errors.js +0 -137
- package/dist/component/server/errors.js.map +0 -1
- package/dist/server/authError.d.ts +0 -46
- package/dist/server/authError.d.ts.map +0 -1
- package/dist/server/authError.js +0 -34
- package/dist/server/authError.js.map +0 -1
- package/dist/server/errors.d.ts +0 -177
- package/dist/server/errors.d.ts.map +0 -1
- package/dist/server/errors.js +0 -212
- package/dist/server/errors.js.map +0 -1
- package/src/server/authError.ts +0 -44
- package/src/server/errors.ts +0 -290
|
@@ -1,7 +1,8 @@
|
|
|
1
|
+
import { materializeProvider } from "./config.js";
|
|
1
2
|
import { TOKEN_SUB_CLAIM_DIVIDER, generateRandomString, sha256 } from "./utils.js";
|
|
2
3
|
import { buildScopeChecker, checkKeyRateLimit, generateApiKey, hashApiKey } from "./keys.js";
|
|
3
|
-
import { materializeProvider } from "./config.js";
|
|
4
4
|
import { signInImpl } from "./signin.js";
|
|
5
|
+
import { Cv } from "@robelest/fx/convex";
|
|
5
6
|
|
|
6
7
|
//#region src/server/core.ts
|
|
7
8
|
/**
|
|
@@ -26,14 +27,12 @@ function createCoreDomains(deps) {
|
|
|
26
27
|
const normalizeRoleIds = (roleIds) => {
|
|
27
28
|
const normalized = Array.from(new Set(roleIds ?? []));
|
|
28
29
|
const invalid = normalized.filter((id) => getRoleDefinition(id) === null);
|
|
29
|
-
if (invalid.length > 0)
|
|
30
|
-
|
|
30
|
+
if (invalid.length > 0) throw Cv.error({
|
|
31
|
+
code: "INVALID_ROLE_IDS",
|
|
32
|
+
message: "One or more role IDs are invalid.",
|
|
31
33
|
invalidRoleIds: invalid
|
|
32
|
-
};
|
|
33
|
-
return
|
|
34
|
-
ok: true,
|
|
35
|
-
roleIds: normalized
|
|
36
|
-
};
|
|
34
|
+
});
|
|
35
|
+
return normalized;
|
|
37
36
|
};
|
|
38
37
|
const listAllKeysByUser = async (ctx, userId) => {
|
|
39
38
|
const items = [];
|
|
@@ -91,9 +90,11 @@ function createCoreDomains(deps) {
|
|
|
91
90
|
const authHeader = request.headers.get("Authorization");
|
|
92
91
|
if (authHeader?.startsWith("Bearer sk_")) {
|
|
93
92
|
const rawKey = authHeader.slice(7);
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
93
|
+
try {
|
|
94
|
+
return (await getAuth().key.verify(ctx, rawKey)).userId;
|
|
95
|
+
} catch {
|
|
96
|
+
return null;
|
|
97
|
+
}
|
|
97
98
|
}
|
|
98
99
|
}
|
|
99
100
|
return null;
|
|
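Review bot: The bare `catch { return null; }` added around `getAuth().key.verify(ctx, rawKey)` maps every failure to "no user", so a rejected key, a rate-limit hit and an unexpected backend fault all look the same to the caller and none of them is recorded. Failing closed is right for a bad key, but swallowing everything else removes the signal a defender needs to notice key guessing or an outage in the verification path. If the errors thrown by `key.verify` carry a `code` (the `Cv.error({ code, ... })` calls elsewhere in this file suggest they do, but `verify`'s body is not visible in this hunk), bind the error and rethrow anything that is not an expected key rejection, e.g. `} catch (err) { if (!isExpectedKeyRejection(err)) throw err; return null; }`, where `isExpectedKeyRejection` is a helper still to be written. The enclosing function starts outside the hunk.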
@@ -118,10 +119,7 @@ function createCoreDomains(deps) {
|
|
|
118
119
|
userId,
|
|
119
120
|
data
|
|
120
121
|
});
|
|
121
|
-
return {
|
|
122
|
-
ok: true,
|
|
123
|
-
userId
|
|
124
|
-
};
|
|
122
|
+
return { userId };
|
|
125
123
|
},
|
|
126
124
|
setActiveGroup: async (ctx, opts) => {
|
|
127
125
|
const doc = await user.get(ctx, opts.userId);
|
|
@@ -130,7 +128,6 @@ function createCoreDomains(deps) {
|
|
|
130
128
|
const { lastActiveGroup: _omit, ...rest } = existingExtend;
|
|
131
129
|
await user.update(ctx, opts.userId, { extend: rest });
|
|
132
130
|
return {
|
|
133
|
-
ok: true,
|
|
134
131
|
userId: opts.userId,
|
|
135
132
|
groupId: null
|
|
136
133
|
};
|
|
@@ -140,7 +137,6 @@ function createCoreDomains(deps) {
|
|
|
140
137
|
lastActiveGroup: opts.groupId
|
|
141
138
|
} });
|
|
142
139
|
return {
|
|
143
|
-
ok: true,
|
|
144
140
|
userId: opts.userId,
|
|
145
141
|
groupId: opts.groupId
|
|
146
142
|
};
|
|
@@ -164,10 +160,10 @@ function createCoreDomains(deps) {
|
|
|
164
160
|
ctx.runQuery(config.component.public.totpListByUserId, { userId })
|
|
165
161
|
]);
|
|
166
162
|
const totalLinked = sessions.length + accounts.length + keys.length + members.length + passkeys.length + totps.length;
|
|
167
|
-
if (!cascade && totalLinked > 0)
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
};
|
|
163
|
+
if (!cascade && totalLinked > 0) throw Cv.error({
|
|
164
|
+
code: "INVALID_PARAMETERS",
|
|
165
|
+
message: "The provided parameters are invalid."
|
|
166
|
+
});
|
|
171
167
|
const deletions = [];
|
|
172
168
|
for (const s of sessions) deletions.push(ctx.runMutation(config.component.public.sessionDelete, { sessionId: s._id }));
|
|
173
169
|
for (const a of accounts) deletions.push(ctx.runMutation(config.component.public.accountDelete, { accountId: a._id }));
|
|
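Review bot: The guard `if (!cascade && totalLinked > 0)` now throws the generic `INVALID_PARAMETERS` / "The provided parameters are invalid.", which tells neither the caller nor an audit log that the delete was refused because the user still has linked sessions, accounts, keys, memberships, passkeys or TOTP factors. The last-account guard in `account.delete` (hunk `@@ -219,26 +208,20 @@`, the `accountListByUser(...).length <= 1` check) throws the same generic code. Give each refusal its own code and message so handlers can branch on it, for example `code: "USER_HAS_LINKED_RECORDS"` here and `code: "LAST_ACCOUNT"` there (proposed names, not codes that exist on this page), or at least add a comment above each throw stating the rule it enforces. The enclosing delete function starts outside this hunk.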
@@ -177,10 +173,7 @@ function createCoreDomains(deps) {
|
|
|
177
173
|
for (const t of totps) deletions.push(ctx.runMutation(config.component.public.totpDelete, { totpId: t._id }));
|
|
178
174
|
await Promise.all(deletions);
|
|
179
175
|
await ctx.runMutation(config.component.public.userDelete, { userId });
|
|
180
|
-
return {
|
|
181
|
-
ok: true,
|
|
182
|
-
userId
|
|
183
|
-
};
|
|
176
|
+
return { userId };
|
|
184
177
|
}
|
|
185
178
|
};
|
|
186
179
|
const session = {
|
|
@@ -193,7 +186,6 @@ function createCoreDomains(deps) {
|
|
|
193
186
|
invalidate: async (ctx, args) => {
|
|
194
187
|
await callInvalidateSessions(ctx, args);
|
|
195
188
|
return {
|
|
196
|
-
ok: true,
|
|
197
189
|
userId: args.userId,
|
|
198
190
|
except: args.except ?? []
|
|
199
191
|
};
|
|
@@ -207,10 +199,7 @@ function createCoreDomains(deps) {
|
|
|
207
199
|
};
|
|
208
200
|
const account = {
|
|
209
201
|
create: async (ctx, args) => {
|
|
210
|
-
return {
|
|
211
|
-
ok: true,
|
|
212
|
-
...await callCreateAccountFromCredentials(ctx, args)
|
|
213
|
-
};
|
|
202
|
+
return { ...await callCreateAccountFromCredentials(ctx, args) };
|
|
214
203
|
},
|
|
215
204
|
get: async (ctx, args) => {
|
|
216
205
|
const result = await callRetrieveAccountWithCredentials(ctx, args);
|
|
@@ -219,26 +208,20 @@ function createCoreDomains(deps) {
|
|
|
219
208
|
},
|
|
220
209
|
update: async (ctx, args) => {
|
|
221
210
|
await callModifyAccount(ctx, args);
|
|
222
|
-
return {
|
|
223
|
-
ok: true,
|
|
224
|
-
accountId: args.account.id
|
|
225
|
-
};
|
|
211
|
+
return { accountId: args.account.id };
|
|
226
212
|
},
|
|
227
213
|
delete: async (ctx, accountId) => {
|
|
228
214
|
const doc = await ctx.runQuery(config.component.public.accountGetById, { accountId });
|
|
229
|
-
if (doc === null)
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
};
|
|
233
|
-
if ((await ctx.runQuery(config.component.public.accountListByUser, { userId: doc.userId })).length <= 1)
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
};
|
|
215
|
+
if (doc === null) throw Cv.error({
|
|
216
|
+
code: "ACCOUNT_NOT_FOUND",
|
|
217
|
+
message: "Account not found."
|
|
218
|
+
});
|
|
219
|
+
if ((await ctx.runQuery(config.component.public.accountListByUser, { userId: doc.userId })).length <= 1) throw Cv.error({
|
|
220
|
+
code: "INVALID_PARAMETERS",
|
|
221
|
+
message: "The provided parameters are invalid."
|
|
222
|
+
});
|
|
237
223
|
await ctx.runMutation(config.component.public.accountDelete, { accountId });
|
|
238
|
-
return {
|
|
239
|
-
ok: true,
|
|
240
|
-
accountId
|
|
241
|
-
};
|
|
224
|
+
return { accountId };
|
|
242
225
|
},
|
|
243
226
|
listPasskeys: async (ctx, opts) => {
|
|
244
227
|
return await ctx.runQuery(config.component.public.passkeyListByUserId, opts);
|
|
@@ -248,27 +231,18 @@ function createCoreDomains(deps) {
|
|
|
248
231
|
passkeyId,
|
|
249
232
|
data: { name }
|
|
250
233
|
});
|
|
251
|
-
return {
|
|
252
|
-
ok: true,
|
|
253
|
-
passkeyId
|
|
254
|
-
};
|
|
234
|
+
return { passkeyId };
|
|
255
235
|
},
|
|
256
236
|
deletePasskey: async (ctx, passkeyId) => {
|
|
257
237
|
await ctx.runMutation(config.component.public.passkeyDelete, { passkeyId });
|
|
258
|
-
return {
|
|
259
|
-
ok: true,
|
|
260
|
-
passkeyId
|
|
261
|
-
};
|
|
238
|
+
return { passkeyId };
|
|
262
239
|
},
|
|
263
240
|
listTotps: async (ctx, opts) => {
|
|
264
241
|
return await ctx.runQuery(config.component.public.totpListByUserId, opts);
|
|
265
242
|
},
|
|
266
243
|
deleteTotp: async (ctx, totpId) => {
|
|
267
244
|
await ctx.runMutation(config.component.public.totpDelete, { totpId });
|
|
268
|
-
return {
|
|
269
|
-
ok: true,
|
|
270
|
-
totpId
|
|
271
|
-
};
|
|
245
|
+
return { totpId };
|
|
272
246
|
}
|
|
273
247
|
};
|
|
274
248
|
const provider = { signIn: async (ctx, providerConfig, args) => {
|
|
@@ -283,10 +257,7 @@ function createCoreDomains(deps) {
|
|
|
283
257
|
} };
|
|
284
258
|
const group = {
|
|
285
259
|
create: async (ctx, data) => {
|
|
286
|
-
return {
|
|
287
|
-
ok: true,
|
|
288
|
-
groupId: await ctx.runMutation(config.component.public.groupCreate, data)
|
|
289
|
-
};
|
|
260
|
+
return { groupId: await ctx.runMutation(config.component.public.groupCreate, data) };
|
|
290
261
|
},
|
|
291
262
|
get: async (ctx, groupId) => {
|
|
292
263
|
const c = cache(ctx);
|
|
@@ -309,17 +280,11 @@ function createCoreDomains(deps) {
|
|
|
309
280
|
groupId,
|
|
310
281
|
data
|
|
311
282
|
});
|
|
312
|
-
return {
|
|
313
|
-
ok: true,
|
|
314
|
-
groupId
|
|
315
|
-
};
|
|
283
|
+
return { groupId };
|
|
316
284
|
},
|
|
317
285
|
delete: async (ctx, groupId) => {
|
|
318
286
|
await ctx.runMutation(config.component.public.groupDelete, { groupId });
|
|
319
|
-
return {
|
|
320
|
-
ok: true,
|
|
321
|
-
groupId
|
|
322
|
-
};
|
|
287
|
+
return { groupId };
|
|
323
288
|
},
|
|
324
289
|
ancestors: async (ctx, opts) => {
|
|
325
290
|
const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
|
|
@@ -362,19 +327,11 @@ function createCoreDomains(deps) {
|
|
|
362
327
|
};
|
|
363
328
|
const member = {
|
|
364
329
|
create: async (ctx, data) => {
|
|
365
|
-
const
|
|
366
|
-
|
|
367
|
-
|
|
368
|
-
|
|
369
|
-
|
|
370
|
-
};
|
|
371
|
-
return {
|
|
372
|
-
ok: true,
|
|
373
|
-
memberId: await ctx.runMutation(config.component.public.memberAdd, {
|
|
374
|
-
...data,
|
|
375
|
-
roleIds: normalized.roleIds
|
|
376
|
-
})
|
|
377
|
-
};
|
|
330
|
+
const roleIds = normalizeRoleIds(data.roleIds);
|
|
331
|
+
return { memberId: await ctx.runMutation(config.component.public.memberAdd, {
|
|
332
|
+
...data,
|
|
333
|
+
roleIds
|
|
334
|
+
}) };
|
|
378
335
|
},
|
|
379
336
|
get: async (ctx, memberId) => {
|
|
380
337
|
return await ctx.runQuery(config.component.public.memberGet, { memberId });
|
|
@@ -390,137 +347,84 @@ function createCoreDomains(deps) {
|
|
|
390
347
|
},
|
|
391
348
|
delete: async (ctx, memberId) => {
|
|
392
349
|
await ctx.runMutation(config.component.public.memberRemove, { memberId });
|
|
393
|
-
return {
|
|
394
|
-
ok: true,
|
|
395
|
-
memberId
|
|
396
|
-
};
|
|
350
|
+
return { memberId };
|
|
397
351
|
},
|
|
398
352
|
update: async (ctx, memberId, data) => {
|
|
399
353
|
const nextData = { ...data };
|
|
400
|
-
if ("roleIds" in nextData)
|
|
401
|
-
const normalized = normalizeRoleIds(Array.isArray(nextData.roleIds) ? nextData.roleIds : void 0);
|
|
402
|
-
if (!normalized.ok) return {
|
|
403
|
-
ok: false,
|
|
404
|
-
code: "INVALID_ROLE_IDS",
|
|
405
|
-
invalidRoleIds: normalized.invalidRoleIds
|
|
406
|
-
};
|
|
407
|
-
nextData.roleIds = normalized.roleIds;
|
|
408
|
-
}
|
|
354
|
+
if ("roleIds" in nextData) nextData.roleIds = normalizeRoleIds(Array.isArray(nextData.roleIds) ? nextData.roleIds : void 0);
|
|
409
355
|
await ctx.runMutation(config.component.public.memberUpdate, {
|
|
410
356
|
memberId,
|
|
411
357
|
data: nextData
|
|
412
358
|
});
|
|
413
|
-
return {
|
|
414
|
-
ok: true,
|
|
415
|
-
memberId
|
|
416
|
-
};
|
|
359
|
+
return { memberId };
|
|
417
360
|
},
|
|
418
|
-
|
|
419
|
-
const normalized = normalizeRoleIds(opts.roleIds);
|
|
420
|
-
if (!normalized.ok) return {
|
|
421
|
-
ok: false,
|
|
422
|
-
membership: null,
|
|
423
|
-
matchedGroupId: null,
|
|
424
|
-
roleIds: [],
|
|
425
|
-
grants: [],
|
|
426
|
-
missingGrants: Array.from(new Set(opts.grants ?? [])),
|
|
427
|
-
depth: null,
|
|
428
|
-
isDirect: false,
|
|
429
|
-
isInherited: false,
|
|
430
|
-
traversedGroupIds: [],
|
|
431
|
-
code: "INVALID_ROLE_IDS",
|
|
432
|
-
invalidRoleIds: normalized.invalidRoleIds
|
|
433
|
-
};
|
|
434
|
-
const requestedRoleIds = normalized.roleIds;
|
|
435
|
-
const roleFilter = requestedRoleIds.length > 0 ? new Set(requestedRoleIds) : null;
|
|
436
|
-
const requiredGrants = Array.from(new Set(opts.grants ?? []));
|
|
361
|
+
inspect: async (ctx, opts) => {
|
|
437
362
|
const useAncestry = opts.ancestry === true;
|
|
438
363
|
let membership = null;
|
|
439
|
-
let matchedGroupId = null;
|
|
440
|
-
let depth = null;
|
|
441
|
-
let isDirect = false;
|
|
442
|
-
let isInherited = false;
|
|
443
|
-
let traversedGroupIds = [];
|
|
444
364
|
if (useAncestry) {
|
|
445
365
|
const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
|
|
446
|
-
|
|
366
|
+
membership = (await ctx.runQuery(config.component.public.memberResolve, {
|
|
447
367
|
userId: opts.userId,
|
|
448
368
|
groupId: opts.groupId,
|
|
449
369
|
maxDepth,
|
|
450
370
|
ancestry: true
|
|
451
|
-
});
|
|
452
|
-
|
|
453
|
-
|
|
454
|
-
|
|
455
|
-
|
|
456
|
-
isInherited = result.isInherited;
|
|
457
|
-
traversedGroupIds = result.traversedGroupIds ?? [];
|
|
458
|
-
} else {
|
|
459
|
-
const doc = await ctx.runQuery(config.component.public.memberGetByGroupAndUser, {
|
|
460
|
-
userId: opts.userId,
|
|
461
|
-
groupId: opts.groupId
|
|
462
|
-
});
|
|
463
|
-
membership = doc;
|
|
464
|
-
matchedGroupId = doc ? opts.groupId : null;
|
|
465
|
-
depth = doc ? 0 : null;
|
|
466
|
-
isDirect = doc !== null;
|
|
467
|
-
}
|
|
371
|
+
})).membership;
|
|
372
|
+
} else membership = await ctx.runQuery(config.component.public.memberGetByGroupAndUser, {
|
|
373
|
+
userId: opts.userId,
|
|
374
|
+
groupId: opts.groupId
|
|
375
|
+
});
|
|
468
376
|
if (membership === null) return {
|
|
469
|
-
ok: false,
|
|
470
377
|
membership: null,
|
|
471
|
-
matchedGroupId: null,
|
|
472
378
|
roleIds: [],
|
|
473
|
-
grants: []
|
|
474
|
-
missingGrants: requiredGrants,
|
|
475
|
-
depth: null,
|
|
476
|
-
isDirect: false,
|
|
477
|
-
isInherited: false,
|
|
478
|
-
traversedGroupIds
|
|
379
|
+
grants: []
|
|
479
380
|
};
|
|
480
381
|
const membershipRoleIds = membership.roleIds ?? [];
|
|
481
382
|
const membershipGrants = resolveGrantedPermissions(membershipRoleIds);
|
|
482
|
-
if (roleFilter !== null && !membershipRoleIds.some((roleId) => roleFilter.has(roleId))) return {
|
|
483
|
-
ok: false,
|
|
484
|
-
membership: null,
|
|
485
|
-
matchedGroupId: null,
|
|
486
|
-
roleIds: [],
|
|
487
|
-
grants: [],
|
|
488
|
-
missingGrants: requiredGrants,
|
|
489
|
-
depth: null,
|
|
490
|
-
isDirect: false,
|
|
491
|
-
isInherited: false,
|
|
492
|
-
traversedGroupIds
|
|
493
|
-
};
|
|
494
|
-
const missingGrants = requiredGrants.filter((grant) => !membershipGrants.includes(grant));
|
|
495
383
|
return {
|
|
496
|
-
ok: missingGrants.length === 0,
|
|
497
384
|
membership,
|
|
498
|
-
matchedGroupId,
|
|
499
385
|
roleIds: membershipRoleIds,
|
|
500
|
-
grants: membershipGrants
|
|
501
|
-
missingGrants,
|
|
502
|
-
depth,
|
|
503
|
-
isDirect,
|
|
504
|
-
isInherited,
|
|
505
|
-
traversedGroupIds
|
|
386
|
+
grants: membershipGrants
|
|
506
387
|
};
|
|
388
|
+
},
|
|
389
|
+
require: async (ctx, opts) => {
|
|
390
|
+
const validatedRoleIds = normalizeRoleIds(opts.roleIds);
|
|
391
|
+
const requiredGrants = Array.from(new Set(opts.grants ?? []));
|
|
392
|
+
const roleFilter = validatedRoleIds.length > 0 ? new Set(validatedRoleIds) : null;
|
|
393
|
+
const result = await member.inspect(ctx, {
|
|
394
|
+
userId: opts.userId,
|
|
395
|
+
groupId: opts.groupId,
|
|
396
|
+
ancestry: opts.ancestry,
|
|
397
|
+
maxDepth: opts.maxDepth
|
|
398
|
+
});
|
|
399
|
+
if (result.membership === null) throw Cv.error({
|
|
400
|
+
code: "NOT_A_MEMBER",
|
|
401
|
+
message: "User is not a member of this group.",
|
|
402
|
+
groupId: opts.groupId
|
|
403
|
+
});
|
|
404
|
+
if (roleFilter !== null && !result.roleIds.some((roleId) => roleFilter.has(roleId))) throw Cv.error({
|
|
405
|
+
code: "NOT_A_MEMBER",
|
|
406
|
+
message: "User is not a member of this group.",
|
|
407
|
+
groupId: opts.groupId
|
|
408
|
+
});
|
|
409
|
+
const missingGrants = requiredGrants.filter((grant) => !result.grants.includes(grant));
|
|
410
|
+
if (missingGrants.length > 0) throw Cv.error({
|
|
411
|
+
code: "MISSING_GRANTS",
|
|
412
|
+
message: "User is missing required grants.",
|
|
413
|
+
groupId: opts.groupId,
|
|
414
|
+
missingGrants
|
|
415
|
+
});
|
|
416
|
+
return result;
|
|
507
417
|
}
|
|
508
418
|
};
|
|
509
419
|
const invite = {
|
|
510
420
|
create: async (ctx, data) => {
|
|
511
|
-
const
|
|
512
|
-
if (!normalized.ok) return {
|
|
513
|
-
ok: false,
|
|
514
|
-
code: "INVALID_ROLE_IDS",
|
|
515
|
-
invalidRoleIds: normalized.invalidRoleIds
|
|
516
|
-
};
|
|
421
|
+
const roleIds = normalizeRoleIds(data.roleIds);
|
|
517
422
|
const token = generateRandomString(inviteTokenLength, inviteTokenAlphabet);
|
|
518
423
|
const tokenHash = await sha256(token);
|
|
519
424
|
return {
|
|
520
|
-
ok: true,
|
|
521
425
|
inviteId: await ctx.runMutation(config.component.public.inviteCreate, {
|
|
522
426
|
...data,
|
|
523
|
-
roleIds
|
|
427
|
+
roleIds,
|
|
524
428
|
tokenHash,
|
|
525
429
|
status: "pending"
|
|
526
430
|
}),
|
|
@@ -537,13 +441,10 @@ function createCoreDomains(deps) {
|
|
|
537
441
|
},
|
|
538
442
|
accept: async (ctx, args) => {
|
|
539
443
|
const tokenHash = await sha256(args.token);
|
|
540
|
-
return {
|
|
541
|
-
|
|
542
|
-
|
|
543
|
-
|
|
544
|
-
acceptedByUserId: args.acceptedByUserId
|
|
545
|
-
})
|
|
546
|
-
};
|
|
444
|
+
return { ...await ctx.runMutation(config.component.public.inviteAcceptByToken, {
|
|
445
|
+
tokenHash,
|
|
446
|
+
acceptedByUserId: args.acceptedByUserId
|
|
447
|
+
}) };
|
|
547
448
|
}
|
|
548
449
|
},
|
|
549
450
|
list: async (ctx, opts) => {
|
|
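Review bot: The new return at line 444, `return { ...await ctx.runMutation(config.component.public.inviteAcceptByToken, { … }) };`, turns a `null` or `undefined` mutation result into an empty object, which is truthy. The neighbouring hunks drop the `ok` flag from these return values, so a caller could not tell that empty object from a successful accept. This only holds up if `inviteAcceptByToken` throws on an unknown, revoked or expired token, and that mutation is not visible here. If it can return nothing, check before returning: `const res = await ctx.runMutation(…); if (res == null) throw Cv.error({ code: "INVALID_PARAMETERS", message: "The provided parameters are invalid." }); return res;`.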
@@ -561,24 +462,19 @@ function createCoreDomains(deps) {
|
|
|
561
462
|
...acceptedByUserId ? { acceptedByUserId } : {}
|
|
562
463
|
});
|
|
563
464
|
return {
|
|
564
|
-
ok: true,
|
|
565
465
|
inviteId,
|
|
566
466
|
acceptedByUserId: acceptedByUserId ?? null
|
|
567
467
|
};
|
|
568
468
|
},
|
|
569
469
|
revoke: async (ctx, inviteId) => {
|
|
570
470
|
await ctx.runMutation(config.component.public.inviteRevoke, { inviteId });
|
|
571
|
-
return {
|
|
572
|
-
ok: true,
|
|
573
|
-
inviteId
|
|
574
|
-
};
|
|
471
|
+
return { inviteId };
|
|
575
472
|
}
|
|
576
473
|
};
|
|
577
474
|
const key = {
|
|
578
475
|
create: async (ctx, opts) => {
|
|
579
476
|
const { raw, hashedKey, displayPrefix } = await generateApiKey("sk_");
|
|
580
477
|
return {
|
|
581
|
-
ok: true,
|
|
582
478
|
keyId: await ctx.runMutation(config.component.public.keyInsert, {
|
|
583
479
|
userId: opts.userId,
|
|
584
480
|
prefix: displayPrefix,
|
|
@@ -595,26 +491,26 @@ function createCoreDomains(deps) {
|
|
|
595
491
|
verify: async (ctx, rawKey) => {
|
|
596
492
|
const hashedKey = await hashApiKey(rawKey);
|
|
597
493
|
const doc = await ctx.runQuery(config.component.public.keyGetByHashedKey, { hashedKey });
|
|
598
|
-
if (!doc)
|
|
599
|
-
|
|
600
|
-
|
|
601
|
-
};
|
|
494
|
+
if (!doc) throw Cv.error({
|
|
495
|
+
code: "INVALID_API_KEY",
|
|
496
|
+
message: "Invalid API key."
|
|
497
|
+
});
|
|
602
498
|
const k = doc;
|
|
603
|
-
if (k.revoked)
|
|
604
|
-
|
|
605
|
-
|
|
606
|
-
};
|
|
607
|
-
if (k.expiresAt && k.expiresAt < Date.now())
|
|
608
|
-
|
|
609
|
-
|
|
610
|
-
};
|
|
499
|
+
if (k.revoked) throw Cv.error({
|
|
500
|
+
code: "API_KEY_REVOKED",
|
|
501
|
+
message: "This API key has been revoked."
|
|
502
|
+
});
|
|
503
|
+
if (k.expiresAt && k.expiresAt < Date.now()) throw Cv.error({
|
|
504
|
+
code: "API_KEY_EXPIRED",
|
|
505
|
+
message: "This API key has expired."
|
|
506
|
+
});
|
|
611
507
|
const patchData = { lastUsedAt: Date.now() };
|
|
612
508
|
if (k.rateLimit) {
|
|
613
509
|
const { limited, newState } = checkKeyRateLimit(k.rateLimit, k.rateLimitState ?? void 0);
|
|
614
|
-
if (limited)
|
|
615
|
-
|
|
616
|
-
|
|
617
|
-
};
|
|
510
|
+
if (limited) throw Cv.error({
|
|
511
|
+
code: "API_KEY_RATE_LIMITED",
|
|
512
|
+
message: "API key rate limit exceeded. Please try again later."
|
|
513
|
+
});
|
|
618
514
|
patchData.rateLimitState = newState;
|
|
619
515
|
}
|
|
620
516
|
await ctx.runMutation(config.component.public.keyPatch, {
|
|
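Review bot: `verify` now signals its four failure cases by throwing `Cv.error` with distinct codes (`INVALID_API_KEY`, `API_KEY_REVOKED`, `API_KEY_EXPIRED`, `API_KEY_RATE_LIMITED`), so a caller that does not catch them passes the code and message to whatever generic error path it has. If that path reaches the HTTP client, the revoked and expired codes confirm that a presented key was once valid, which `INVALID_API_KEY` alone would not. I would document the thrown codes on `verify` and have the request boundary answer the first three with one generic unauthorized error, keeping the specific code for server-side logs. Separately, at new line 503, `k.expiresAt && k.expiresAt < Date.now()` treats an `expiresAt` of `0` as no expiry; `k.expiresAt != null && k.expiresAt < Date.now()` avoids that. The body of `verify` continues past this hunk.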
@@ -622,7 +518,6 @@ function createCoreDomains(deps) {
|
|
|
622
518
|
data: patchData
|
|
623
519
|
});
|
|
624
520
|
return {
|
|
625
|
-
ok: true,
|
|
626
521
|
userId: k.userId,
|
|
627
522
|
keyId: k._id,
|
|
628
523
|
scopes: buildScopeChecker(k.scopes)
|
|
@@ -638,50 +533,36 @@ function createCoreDomains(deps) {
|
|
|
638
533
|
});
|
|
639
534
|
},
|
|
640
535
|
get: async (ctx, keyId) => {
|
|
641
|
-
|
|
642
|
-
if (!doc) return { ok: false };
|
|
643
|
-
return {
|
|
644
|
-
ok: true,
|
|
645
|
-
key: doc
|
|
646
|
-
};
|
|
536
|
+
return await ctx.runQuery(config.component.public.keyGetById, { keyId }) ?? null;
|
|
647
537
|
},
|
|
648
538
|
update: async (ctx, keyId, data) => {
|
|
649
539
|
await ctx.runMutation(config.component.public.keyPatch, {
|
|
650
540
|
keyId,
|
|
651
541
|
data
|
|
652
542
|
});
|
|
653
|
-
return {
|
|
654
|
-
ok: true,
|
|
655
|
-
keyId
|
|
656
|
-
};
|
|
543
|
+
return { keyId };
|
|
657
544
|
},
|
|
658
545
|
revoke: async (ctx, keyId) => {
|
|
659
546
|
await ctx.runMutation(config.component.public.keyPatch, {
|
|
660
547
|
keyId,
|
|
661
548
|
data: { revoked: true }
|
|
662
549
|
});
|
|
663
|
-
return {
|
|
664
|
-
ok: true,
|
|
665
|
-
keyId
|
|
666
|
-
};
|
|
550
|
+
return { keyId };
|
|
667
551
|
},
|
|
668
552
|
delete: async (ctx, keyId) => {
|
|
669
553
|
await ctx.runMutation(config.component.public.keyDelete, { keyId });
|
|
670
|
-
return {
|
|
671
|
-
ok: true,
|
|
672
|
-
keyId
|
|
673
|
-
};
|
|
554
|
+
return { keyId };
|
|
674
555
|
},
|
|
675
556
|
rotate: async (ctx, keyId, opts) => {
|
|
676
557
|
const existing = await ctx.runQuery(config.component.public.keyGetById, { keyId });
|
|
677
|
-
if (!existing)
|
|
678
|
-
|
|
679
|
-
|
|
680
|
-
};
|
|
681
|
-
if (existing.revoked === true)
|
|
682
|
-
|
|
683
|
-
|
|
684
|
-
};
|
|
558
|
+
if (!existing) throw Cv.error({
|
|
559
|
+
code: "INVALID_PARAMETERS",
|
|
560
|
+
message: "The provided parameters are invalid."
|
|
561
|
+
});
|
|
562
|
+
if (existing.revoked === true) throw Cv.error({
|
|
563
|
+
code: "API_KEY_REVOKED",
|
|
564
|
+
message: "This API key has been revoked."
|
|
565
|
+
});
|
|
685
566
|
await ctx.runMutation(config.component.public.keyPatch, {
|
|
686
567
|
keyId,
|
|
687
568
|
data: { revoked: true }
|