npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.21 → 0.0.4-preview.23 - Mend

@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (310) hide show

package/dist/authorization/index.d.ts +1 -1
package/dist/authorization/index.js +1 -1
package/dist/authorization/index.js.map +1 -1
package/dist/client/index.d.ts +1 -2
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +36 -39
package/dist/client/index.js.map +1 -1
package/dist/component/client/index.d.ts +1 -2
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/model.d.ts +5 -5
package/dist/component/model.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.js.map +1 -1
package/dist/component/public/enterprise/core.d.ts.map +1 -1
package/dist/component/public/enterprise/core.js.map +1 -1
package/dist/component/public/enterprise/domains.d.ts.map +1 -1
package/dist/component/public/enterprise/domains.js.map +1 -1
package/dist/component/public/enterprise/scim.d.ts.map +1 -1
package/dist/component/public/enterprise/scim.js.map +1 -1
package/dist/component/public/enterprise/secrets.d.ts.map +1 -1
package/dist/component/public/enterprise/secrets.js.map +1 -1
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -1
package/dist/component/public/enterprise/webhooks.js.map +1 -1
package/dist/component/public/factors/devices.d.ts.map +1 -1
package/dist/component/public/factors/devices.js.map +1 -1
package/dist/component/public/factors/passkeys.d.ts.map +1 -1
package/dist/component/public/factors/passkeys.js.map +1 -1
package/dist/component/public/factors/totp.d.ts.map +1 -1
package/dist/component/public/factors/totp.js.map +1 -1
package/dist/component/public/groups/core.js.map +1 -1
package/dist/component/public/groups/invites.d.ts.map +1 -1
package/dist/component/public/groups/invites.js.map +1 -1
package/dist/component/public/groups/members.d.ts.map +1 -1
package/dist/component/public/groups/members.js.map +1 -1
package/dist/component/public/identity/accounts.d.ts.map +1 -1
package/dist/component/public/identity/accounts.js.map +1 -1
package/dist/component/public/identity/codes.d.ts.map +1 -1
package/dist/component/public/identity/codes.js.map +1 -1
package/dist/component/public/identity/sessions.d.ts.map +1 -1
package/dist/component/public/identity/sessions.js.map +1 -1
package/dist/component/public/identity/tokens.d.ts.map +1 -1
package/dist/component/public/identity/tokens.js.map +1 -1
package/dist/component/public/identity/users.d.ts.map +1 -1
package/dist/component/public/identity/users.js.map +1 -1
package/dist/component/public/identity/verifiers.d.ts.map +1 -1
package/dist/component/public/identity/verifiers.js.map +1 -1
package/dist/component/public/security/keys.d.ts.map +1 -1
package/dist/component/public/security/keys.js.map +1 -1
package/dist/component/public/security/limits.d.ts.map +1 -1
package/dist/component/public/security/limits.js.map +1 -1
package/dist/component/schema.d.ts +39 -39
package/dist/component/server/auth.d.ts +95 -52
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +63 -43
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/core.js +116 -235
package/dist/component/server/core.js.map +1 -1
package/dist/component/server/crypto.js +25 -7
package/dist/component/server/crypto.js.map +1 -1
package/dist/component/server/device.js +58 -15
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/enterprise/domain.js +148 -59
package/dist/component/server/enterprise/domain.js.map +1 -1
package/dist/component/server/enterprise/http.js +36 -15
package/dist/component/server/enterprise/http.js.map +1 -1
package/dist/component/server/enterprise/oidc.js +1 -1
package/dist/component/server/http.js +26 -21
package/dist/component/server/http.js.map +1 -1
package/dist/component/server/identity.js +5 -2
package/dist/component/server/identity.js.map +1 -1
package/dist/component/server/limits.js +21 -30
package/dist/component/server/limits.js.map +1 -1
package/dist/component/server/mutations/account.js +12 -10
package/dist/component/server/mutations/account.js.map +1 -1
package/dist/component/server/mutations/code.js +5 -2
package/dist/component/server/mutations/code.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/invalidate.js.map +1 -1
package/dist/component/server/mutations/oauth.js +10 -4
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +2 -2
package/dist/component/server/mutations/refresh.js.map +1 -1
package/dist/component/server/mutations/register.js +46 -42
package/dist/component/server/mutations/register.js.map +1 -1
package/dist/component/server/mutations/retrieve.js +21 -25
package/dist/component/server/mutations/retrieve.js.map +1 -1
package/dist/component/server/mutations/signature.js +10 -4
package/dist/component/server/mutations/signature.js.map +1 -1
package/dist/component/server/mutations/signout.js.map +1 -1
package/dist/component/server/mutations/store.js +9 -24
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verifier.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/mutations/verify.js.map +1 -1
package/dist/component/server/oauth.js +53 -16
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +115 -31
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/redirects.js +9 -3
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +10 -7
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/runtime.d.ts +3 -3
package/dist/component/server/runtime.d.ts.map +1 -1
package/dist/component/server/runtime.js +62 -20
package/dist/component/server/runtime.js.map +1 -1
package/dist/component/server/signin.js +34 -10
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/totp.js +79 -19
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +12 -20
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +6 -3
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +10 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +14 -22
package/dist/core/types.d.ts.map +1 -1
package/dist/factors/device.js +8 -9
package/dist/factors/device.js.map +1 -1
package/dist/factors/passkey.js +18 -21
package/dist/factors/passkey.js.map +1 -1
package/dist/providers/password.js +66 -81
package/dist/providers/password.js.map +1 -1
package/dist/runtime/invite.js +2 -8
package/dist/runtime/invite.js.map +1 -1
package/dist/server/auth.d.ts +95 -52
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +63 -43
package/dist/server/auth.js.map +1 -1
package/dist/server/core.d.ts +71 -159
package/dist/server/core.d.ts.map +1 -1
package/dist/server/core.js +116 -235
package/dist/server/core.js.map +1 -1
package/dist/server/crypto.d.ts.map +1 -1
package/dist/server/crypto.js +25 -7
package/dist/server/crypto.js.map +1 -1
package/dist/server/device.js +58 -15
package/dist/server/device.js.map +1 -1
package/dist/server/enterprise/domain.d.ts +0 -8
package/dist/server/enterprise/domain.d.ts.map +1 -1
package/dist/server/enterprise/domain.js +148 -59
package/dist/server/enterprise/domain.js.map +1 -1
package/dist/server/enterprise/http.d.ts.map +1 -1
package/dist/server/enterprise/http.js +35 -14
package/dist/server/enterprise/http.js.map +1 -1
package/dist/server/http.d.ts +2 -2
package/dist/server/http.d.ts.map +1 -1
package/dist/server/http.js +25 -20
package/dist/server/http.js.map +1 -1
package/dist/server/identity.js +5 -2
package/dist/server/identity.js.map +1 -1
package/dist/server/index.d.ts +2 -2
package/dist/server/limits.js +21 -30
package/dist/server/limits.js.map +1 -1
package/dist/server/mounts.d.ts +26 -64
package/dist/server/mounts.d.ts.map +1 -1
package/dist/server/mounts.js +45 -106
package/dist/server/mounts.js.map +1 -1
package/dist/server/mutations/account.d.ts +8 -9
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/account.js +11 -9
package/dist/server/mutations/account.js.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/code.js +5 -2
package/dist/server/mutations/code.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +4 -4
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/invalidate.js.map +1 -1
package/dist/server/mutations/oauth.d.ts +12 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -3
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +3 -3
package/dist/server/mutations/refresh.d.ts.map +1 -1
package/dist/server/mutations/refresh.js +1 -1
package/dist/server/mutations/refresh.js.map +1 -1
package/dist/server/mutations/register.d.ts +11 -11
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/register.js +45 -41
package/dist/server/mutations/register.js.map +1 -1
package/dist/server/mutations/retrieve.d.ts +6 -6
package/dist/server/mutations/retrieve.d.ts.map +1 -1
package/dist/server/mutations/retrieve.js +20 -24
package/dist/server/mutations/retrieve.js.map +1 -1
package/dist/server/mutations/signature.d.ts +6 -7
package/dist/server/mutations/signature.d.ts.map +1 -1
package/dist/server/mutations/signature.js +9 -3
package/dist/server/mutations/signature.js.map +1 -1
package/dist/server/mutations/signin.d.ts +5 -5
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.js.map +1 -1
package/dist/server/mutations/store.d.ts +97 -97
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +8 -23
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.js.map +1 -1
package/dist/server/mutations/verify.d.ts +10 -10
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/mutations/verify.js.map +1 -1
package/dist/server/oauth.js +53 -16
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +2 -2
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +114 -30
package/dist/server/passkey.js.map +1 -1
package/dist/server/redirects.js +9 -3
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.js +10 -7
package/dist/server/refresh.js.map +1 -1
package/dist/server/runtime.d.ts +14 -14
package/dist/server/runtime.d.ts.map +1 -1
package/dist/server/runtime.js +61 -19
package/dist/server/runtime.js.map +1 -1
package/dist/server/signin.js +34 -10
package/dist/server/signin.js.map +1 -1
package/dist/server/ssr.d.ts.map +1 -1
package/dist/server/ssr.js +175 -184
package/dist/server/ssr.js.map +1 -1
package/dist/server/totp.js +78 -18
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +13 -21
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.js +6 -3
package/dist/server/users.js.map +1 -1
package/dist/server/utils.js +10 -4
package/dist/server/utils.js.map +1 -1
package/package.json +2 -6
package/src/authorization/index.ts +1 -1
package/src/cli/index.ts +1 -1
package/src/client/core/types.ts +14 -14
package/src/client/factors/device.ts +10 -12
package/src/client/factors/passkey.ts +23 -26
package/src/client/index.ts +54 -64
package/src/client/runtime/invite.ts +5 -7
package/src/component/index.ts +1 -0
package/src/component/public/enterprise/audit.ts +6 -1
package/src/component/public/enterprise/core.ts +1 -0
package/src/component/public/enterprise/domains.ts +5 -1
package/src/component/public/enterprise/scim.ts +1 -0
package/src/component/public/enterprise/secrets.ts +1 -0
package/src/component/public/enterprise/webhooks.ts +1 -0
package/src/component/public/factors/devices.ts +1 -0
package/src/component/public/factors/passkeys.ts +1 -0
package/src/component/public/factors/totp.ts +1 -0
package/src/component/public/groups/core.ts +1 -1
package/src/component/public/groups/invites.ts +7 -1
package/src/component/public/groups/members.ts +1 -0
package/src/component/public/identity/accounts.ts +1 -0
package/src/component/public/identity/codes.ts +1 -0
package/src/component/public/identity/sessions.ts +1 -0
package/src/component/public/identity/tokens.ts +1 -0
package/src/component/public/identity/users.ts +1 -0
package/src/component/public/identity/verifiers.ts +1 -0
package/src/component/public/security/keys.ts +1 -0
package/src/component/public/security/limits.ts +1 -0
package/src/providers/password.ts +89 -110
package/src/server/auth.ts +177 -111
package/src/server/core.ts +197 -233
package/src/server/crypto.ts +31 -29
package/src/server/device.ts +65 -32
package/src/server/enterprise/domain.ts +158 -170
package/src/server/enterprise/http.ts +46 -39
package/src/server/http.ts +36 -30
package/src/server/identity.ts +5 -5
package/src/server/index.ts +2 -0
package/src/server/limits.ts +53 -80
package/src/server/mounts.ts +47 -74
package/src/server/mutations/account.ts +22 -36
package/src/server/mutations/code.ts +6 -6
package/src/server/mutations/invalidate.ts +1 -1
package/src/server/mutations/oauth.ts +14 -8
package/src/server/mutations/refresh.ts +5 -4
package/src/server/mutations/register.ts +87 -132
package/src/server/mutations/retrieve.ts +44 -44
package/src/server/mutations/signature.ts +13 -6
package/src/server/mutations/signout.ts +1 -1
package/src/server/mutations/store.ts +16 -31
package/src/server/mutations/verifier.ts +1 -1
package/src/server/mutations/verify.ts +3 -5
package/src/server/oauth.ts +60 -69
package/src/server/passkey.ts +567 -517
package/src/server/redirects.ts +10 -6
package/src/server/refresh.ts +14 -18
package/src/server/runtime.ts +70 -55
package/src/server/signin.ts +44 -37
package/src/server/ssr.ts +390 -407
package/src/server/totp.ts +85 -35
package/src/server/types.ts +19 -22
package/src/server/users.ts +7 -6
package/src/server/utils.ts +10 -12
package/dist/component/server/authError.js +0 -34
package/dist/component/server/authError.js.map +0 -1
package/dist/component/server/errors.d.ts +0 -1
package/dist/component/server/errors.js +0 -137
package/dist/component/server/errors.js.map +0 -1
package/dist/server/authError.d.ts +0 -46
package/dist/server/authError.d.ts.map +0 -1
package/dist/server/authError.js +0 -34
package/dist/server/authError.js.map +0 -1
package/dist/server/errors.d.ts +0 -177
package/dist/server/errors.d.ts.map +0 -1
package/dist/server/errors.js +0 -212
package/dist/server/errors.js.map +0 -1
package/src/server/authError.ts +0 -44
package/src/server/errors.ts +0 -290

package/dist/component/server/device.js CHANGED Viewed

@@ -1,9 +1,10 @@
-import { AuthError } from "./authError.js";
 import { generateRandomString, requireEnv, sha256 } from "./utils.js";
 import { userIdFromIdentitySubject } from "./identity.js";
 import { callSignIn } from "./mutations/signin.js";
 import { mutateDeviceAuthorize, mutateDeviceDelete, mutateDeviceInsert, mutateDeviceUpdateLastPolled, queryDeviceByCodeHash, queryDeviceByUserCode } from "./types.js";
+import { Cv } from "@robelest/fx/convex";
 import { Fx } from "@robelest/fx";
+import { ConvexError } from "convex/values";
 //#region src/server/device.ts
 /**
@@ -29,7 +30,10 @@ const handleDevice = (ctx, provider, args) => Fx.from({
 	ok: async () => {
 		const params = args.params ?? {};
 		const flow = typeof params.flow === "string" ? params.flow : "create";
-		if (!DEVICE_FLOWS.some((candidate) => candidate === flow)) throw new AuthError("DEVICE_MISSING_FLOW", "Missing `flow` parameter. Expected one of: create, poll, verify");
+		if (!DEVICE_FLOWS.some((candidate) => candidate === flow)) throw Cv.error({
+			code: "DEVICE_MISSING_FLOW",
+			message: "Missing `flow` parameter. Expected one of: create, poll, verify"
+		});
 		if (flow === "create") {
 			const deviceCode = generateRandomString(DEVICE_CODE_LENGTH, DEVICE_CODE_ALPHABET);
 			const deviceCodeHash = await sha256(deviceCode);
@@ -55,21 +59,42 @@ const handleDevice = (ctx, provider, args) => Fx.from({
 			};
 		}
 		if (flow === "poll") {
-			if (typeof params.deviceCode !== "string") throw new AuthError("DEVICE_MISSING_FLOW", "Missing `deviceCode` parameter for poll flow.");
+			if (typeof params.deviceCode !== "string") throw Cv.error({
+				code: "DEVICE_MISSING_FLOW",
+				message: "Missing `deviceCode` parameter for poll flow."
+			});
 			const doc$1 = await queryDeviceByCodeHash(ctx, await sha256(params.deviceCode));
-			if (doc$1 === null) throw new AuthError("DEVICE_CODE_EXPIRED");
+			if (doc$1 === null) throw Cv.error({
+				code: "DEVICE_CODE_EXPIRED",
+				message: "The device code has expired. Please start a new authorization request."
+			});
 			if (Date.now() > doc$1.expiresAt) {
 				await mutateDeviceDelete(ctx, doc$1._id);
-				throw new AuthError("DEVICE_CODE_EXPIRED");
+				throw Cv.error({
+					code: "DEVICE_CODE_EXPIRED",
+					message: "The device code has expired. Please start a new authorization request."
+				});
 			}
-			if (doc$1.lastPolledAt !== void 0 && (Date.now() - doc$1.lastPolledAt) / 1e3 < doc$1.interval) throw new AuthError("DEVICE_SLOW_DOWN");
+			if (doc$1.lastPolledAt !== void 0 && (Date.now() - doc$1.lastPolledAt) / 1e3 < doc$1.interval) throw Cv.error({
+				code: "DEVICE_SLOW_DOWN",
+				message: "Polling too frequently. Increase the interval between requests."
+			});
 			await mutateDeviceUpdateLastPolled(ctx, doc$1._id, Date.now());
-			if (doc$1.status === "pending") throw new AuthError("DEVICE_AUTHORIZATION_PENDING");
+			if (doc$1.status === "pending") throw Cv.error({
+				code: "DEVICE_AUTHORIZATION_PENDING",
+				message: "The user has not yet authorized this device."
+			});
 			if (doc$1.status === "denied") {
 				await mutateDeviceDelete(ctx, doc$1._id);
-				throw new AuthError("DEVICE_CODE_DENIED");
+				throw Cv.error({
+					code: "DEVICE_CODE_DENIED",
+					message: "The authorization request was denied."
+				});
 			}
-			if (!doc$1.userId || !doc$1.sessionId) throw new AuthError("INTERNAL_ERROR", "Authorized device code missing userId or sessionId");
+			if (!doc$1.userId || !doc$1.sessionId) throw Cv.error({
+				code: "INTERNAL_ERROR",
+				message: "Authorized device code missing userId or sessionId"
+			});
 			await mutateDeviceDelete(ctx, doc$1._id);
 			return {
 				kind: "signedIn",
@@ -80,17 +105,32 @@ const handleDevice = (ctx, provider, args) => Fx.from({
 				})
 			};
 		}
-		if (typeof params.userCode !== "string") throw new AuthError("DEVICE_INVALID_USER_CODE", "Missing `userCode` parameter for verify flow.");
+		if (typeof params.userCode !== "string") throw Cv.error({
+			code: "DEVICE_INVALID_USER_CODE",
+			message: "Missing `userCode` parameter for verify flow."
+		});
 		const identity = await ctx.auth.getUserIdentity();
-		if (identity === null) throw new AuthError("NOT_SIGNED_IN", "You must be signed in to authorize a device.");
+		if (identity === null) throw Cv.error({
+			code: "NOT_SIGNED_IN",
+			message: "You must be signed in to authorize a device."
+		});
 		const userId = userIdFromIdentitySubject(identity.subject);
 		const doc = await queryDeviceByUserCode(ctx, params.userCode);
-		if (doc === null) throw new AuthError("DEVICE_INVALID_USER_CODE");
+		if (doc === null) throw Cv.error({
+			code: "DEVICE_INVALID_USER_CODE",
+			message: "Invalid or expired user code."
+		});
 		if (Date.now() > doc.expiresAt) {
 			await mutateDeviceDelete(ctx, doc._id);
-			throw new AuthError("DEVICE_CODE_EXPIRED");
+			throw Cv.error({
+				code: "DEVICE_CODE_EXPIRED",
+				message: "The device code has expired. Please start a new authorization request."
+			});
 		}
-		if (doc.status !== "pending") throw new AuthError("DEVICE_ALREADY_AUTHORIZED");
+		if (doc.status !== "pending") throw Cv.error({
+			code: "DEVICE_ALREADY_AUTHORIZED",
+			message: "This device code has already been authorized."
+		});
 		const signInResult = await callSignIn(ctx, {
 			userId,
 			generateTokens: false
@@ -101,7 +141,10 @@ const handleDevice = (ctx, provider, args) => Fx.from({
 			signedIn: null
 		};
 	},
-	err: (e) => e instanceof AuthError ? e : new AuthError("INTERNAL_ERROR", `Device flow failed: ${String(e)}`)
+	err: (e) => e instanceof ConvexError ? e : Cv.error({
+		code: "INTERNAL_ERROR",
+		message: `Device flow failed: ${String(e)}`
+	})
 });
 //#endregion

package/dist/component/server/device.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"device.js","names":["doc"],"sources":["../../../src/server/device.ts"],"sourcesContent":["/*\n Server-side device authorization flow logic (RFC 8628).\n \n Handles the three phases of the device flow:\n * 1. (default) — Generate a device code + user code pair\n * 2. poll — Device checks whether the user has authorized yet\n * 3. verify — Authenticated user links a user code to their session\n \n Uses `@oslojs/crypto/random` for code generation and\n * `@oslojs/crypto/sha2` for hashing device codes before storage.\n /\n\nimport { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./authError\";\nimport { userIdFromIdentitySubject } from \"./identity\";\nimport { callSignIn } from \"./mutations/index\";\nimport { DeviceProviderConfig, GenericActionCtxWithAuthConfig } from \"./types\";\nimport {\n AuthDataModel,\n SessionInfo,\n mutateDeviceInsert,\n queryDeviceByCodeHash,\n queryDeviceByUserCode,\n mutateDeviceAuthorize,\n mutateDeviceUpdateLastPolled,\n mutateDeviceDelete,\n} from \"./types\";\nimport { generateRandomString, sha256 } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n// ============================================================================\n// Constants\n// ============================================================================\n\nconst DEVICE_CODE_ALPHABET =\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\";\nconst DEVICE_CODE_LENGTH = 40;\nconst DEVICE_FLOWS = [\"create\", \"poll\", \"verify\"] as const;\n\n// ============================================================================\n// Create flow\n// ============================================================================\n\n// ============================================================================\n// Poll flow — pipeline of validations + status dispatch\n// ============================================================================\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\ntype DeviceResult =\n \| {\n kind: \"deviceCode\";\n deviceCode: string;\n userCode: string;\n verificationUri: string;\n verificationUriComplete: string;\n expiresIn: number;\n interval: number;\n }\n \| { kind: \"signedIn\"; signedIn: SessionInfo \| null };\n\n/* @internal /\nexport const handleDevice = (\n ctx: EnrichedActionCtx,\n provider: DeviceProviderConfig,\n args: { params?: Record<string, any> },\n): Fx<DeviceResult, AuthError> =>\n Fx.from({\n ok: async () => {\n const params = (args.params ?? {}) as Record<string, unknown>;\n const flow = (typeof params.flow === \"string\" ? params.flow : \"create\") as\n \| \"create\"\n \| \"poll\"\n \| \"verify\";\n\n if (!DEVICE_FLOWS.some((candidate) => candidate === flow)) {\n throw new AuthError(\n \"DEVICE_MISSING_FLOW\",\n \"Missing `flow` parameter. Expected one of: create, poll, verify\",\n );\n }\n\n if (flow === \"create\") {\n const deviceCode = generateRandomString(\n DEVICE_CODE_LENGTH,\n DEVICE_CODE_ALPHABET,\n );\n const deviceCodeHash = await sha256(deviceCode);\n\n const rawUserCode = generateRandomString(\n provider.userCodeLength,\n provider.charset,\n );\n const mid = Math.floor(rawUserCode.length / 2);\n const userCode =\n rawUserCode.slice(0, mid) + \"-\" + rawUserCode.slice(mid);\n\n const expiresAt = Date.now() + provider.expiresIn 1000;\n await mutateDeviceInsert(ctx, {\n deviceCodeHash,\n userCode,\n expiresAt,\n interval: provider.interval,\n status: \"pending\",\n });\n\n const verificationUri =\n provider.verificationUri ??\n `${process.env.SITE_URL ?? requireEnv(\"SITE_URL\")}/device`;\n\n return {\n kind: \"deviceCode\" as const,\n deviceCode,\n userCode,\n verificationUri,\n verificationUriComplete: `${verificationUri}?user_code=${encodeURIComponent(userCode)}`,\n expiresIn: provider.expiresIn,\n interval: provider.interval,\n };\n }\n\n if (flow === \"poll\") {\n if (typeof params.deviceCode !== \"string\") {\n throw new AuthError(\n \"DEVICE_MISSING_FLOW\",\n \"Missing `deviceCode` parameter for poll flow.\",\n );\n }\n\n const hash = await sha256(params.deviceCode);\n const doc = await queryDeviceByCodeHash(ctx, hash);\n if (doc === null) {\n throw new AuthError(\"DEVICE_CODE_EXPIRED\");\n }\n if (Date.now() > doc.expiresAt) {\n await mutateDeviceDelete(ctx, doc._id);\n throw new AuthError(\"DEVICE_CODE_EXPIRED\");\n }\n if (\n doc.lastPolledAt !== undefined &&\n (Date.now() - doc.lastPolledAt) / 1000 < doc.interval\n ) {\n throw new AuthError(\"DEVICE_SLOW_DOWN\");\n }\n\n await mutateDeviceUpdateLastPolled(ctx, doc._id, Date.now());\n\n if (doc.status === \"pending\") {\n throw new AuthError(\"DEVICE_AUTHORIZATION_PENDING\");\n }\n if (doc.status === \"denied\") {\n await mutateDeviceDelete(ctx, doc._id);\n throw new AuthError(\"DEVICE_CODE_DENIED\");\n }\n\n if (!doc.userId \|\| !doc.sessionId) {\n throw new AuthError(\n \"INTERNAL_ERROR\",\n \"Authorized device code missing userId or sessionId\",\n );\n }\n\n await mutateDeviceDelete(ctx, doc._id);\n const signInResult = await callSignIn(ctx, {\n userId: doc.userId,\n sessionId: doc.sessionId,\n generateTokens: true,\n });\n return { kind: \"signedIn\" as const, signedIn: signInResult };\n }\n\n if (typeof params.userCode !== \"string\") {\n throw new AuthError(\n \"DEVICE_INVALID_USER_CODE\",\n \"Missing `userCode` parameter for verify flow.\",\n );\n }\n\n const identity = await ctx.auth.getUserIdentity();\n if (identity === null) {\n throw new AuthError(\n \"NOT_SIGNED_IN\",\n \"You must be signed in to authorize a device.\",\n );\n }\n\n const userId = userIdFromIdentitySubject(identity.subject);\n const doc = await queryDeviceByUserCode(ctx, params.userCode);\n if (doc === null) {\n throw new AuthError(\"DEVICE_INVALID_USER_CODE\");\n }\n if (Date.now() > doc.expiresAt) {\n await mutateDeviceDelete(ctx, doc._id);\n throw new AuthError(\"DEVICE_CODE_EXPIRED\");\n }\n if (doc.status !== \"pending\") {\n throw new AuthError(\"DEVICE_ALREADY_AUTHORIZED\");\n }\n\n const signInResult = await callSignIn(ctx, {\n userId,\n generateTokens: false,\n });\n await mutateDeviceAuthorize(\n ctx,\n doc._id,\n signInResult.userId,\n signInResult.sessionId,\n );\n return { kind: \"signedIn\" as const, signedIn: null };\n },\n err: (e) =>\n e instanceof AuthError\n ? e\n : new AuthError(\"INTERNAL_ERROR\", `Device flow failed: ${String(e)}`),\n });\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAqCA,MAAM,uBACJ;AACF,MAAM,qBAAqB;AAC3B,MAAM,eAAe;CAAC;CAAU;CAAQ;CAAS;;AA2BjD,MAAa,gBACX,KACA,UACA,SAEA,GAAG,KAAK;CACN,IAAI,YAAY;EACd,MAAM,SAAU,KAAK,UAAU,EAAE;EACjC,MAAM,OAAQ,OAAO,OAAO,SAAS,WAAW,OAAO,OAAO;AAK9D,MAAI,CAAC,aAAa,MAAM,cAAc,cAAc,KAAK,CACvD,OAAM,IAAI,UACR,uBACA,kEACD;AAGH,MAAI,SAAS,UAAU;GACrB,MAAM,aAAa,qBACjB,oBACA,qBACD;GACD,MAAM,iBAAiB,MAAM,OAAO,WAAW;GAE/C,MAAM,cAAc,qBAClB,SAAS,gBACT,SAAS,QACV;GACD,MAAM,MAAM,KAAK,MAAM,YAAY,SAAS,EAAE;GAC9C,MAAM,WACJ,YAAY,MAAM,GAAG,IAAI,GAAG,MAAM,YAAY,MAAM,IAAI;AAG1D,SAAM,mBAAmB,KAAK;IAC5B;IACA;IACA,WAJgB,KAAK,KAAK,GAAG,SAAS,YAAY;IAKlD,UAAU,SAAS;IACnB,QAAQ;IACT,CAAC;GAEF,MAAM,kBACJ,SAAS,mBACT,GAAG,QAAQ,IAAI,YAAY,WAAW,WAAW,CAAC;AAEpD,UAAO;IACL,MAAM;IACN;IACA;IACA;IACA,yBAAyB,GAAG,gBAAgB,aAAa,mBAAmB,SAAS;IACrF,WAAW,SAAS;IACpB,UAAU,SAAS;IACpB;;AAGH,MAAI,SAAS,QAAQ;AACnB,OAAI,OAAO,OAAO,eAAe,SAC/B,OAAM,IAAI,UACR,uBACA,gDACD;GAIH,MAAMA,QAAM,MAAM,sBAAsB,KAD3B,MAAM,OAAO,OAAO,WAAW,CACM;AAClD,OAAIA,UAAQ,KACV,OAAM,IAAI,UAAU,sBAAsB;AAE5C,OAAI,KAAK,KAAK,GAAGA,MAAI,WAAW;AAC9B,UAAM,mBAAmB,KAAKA,MAAI,IAAI;AACtC,UAAM,IAAI,UAAU,sBAAsB;;AAE5C,OACEA,MAAI,iBAAiB,WACpB,KAAK,KAAK,GAAGA,MAAI,gBAAgB,MAAOA,MAAI,SAE7C,OAAM,IAAI,UAAU,mBAAmB;AAGzC,SAAM,6BAA6B,KAAKA,MAAI,KAAK,KAAK,KAAK,CAAC;AAE5D,OAAIA,MAAI,WAAW,UACjB,OAAM,IAAI,UAAU,+BAA+B;AAErD,OAAIA,MAAI,WAAW,UAAU;AAC3B,UAAM,mBAAmB,KAAKA,MAAI,IAAI;AACtC,UAAM,IAAI,UAAU,qBAAqB;;AAG3C,OAAI,CAACA,MAAI,UAAU,CAACA,MAAI,UACtB,OAAM,IAAI,UACR,kBACA,qDACD;AAGH,SAAM,mBAAmB,KAAKA,MAAI,IAAI;AAMtC,UAAO;IAAE,MAAM;IAAqB,UALf,MAAM,WAAW,KAAK;KACzC,QAAQA,MAAI;KACZ,WAAWA,MAAI;KACf,gBAAgB;KACjB,CAAC;IAC0D;;AAG9D,MAAI,OAAO,OAAO,aAAa,SAC7B,OAAM,IAAI,UACR,4BACA,gDACD;EAGH,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,MAAI,aAAa,KACf,OAAM,IAAI,UACR,iBACA,+CACD;EAGH,MAAM,SAAS,0BAA0B,SAAS,QAAQ;EAC1D,MAAM,MAAM,MAAM,sBAAsB,KAAK,OAAO,SAAS;AAC7D,MAAI,QAAQ,KACV,OAAM,IAAI,UAAU,2BAA2B;AAEjD,MAAI,KAAK,KAAK,GAAG,IAAI,WAAW;AAC9B,SAAM,mBAAmB,KAAK,IAAI,IAAI;AACtC,SAAM,IAAI,UAAU,sBAAsB;;AAE5C,MAAI,IAAI,WAAW,UACjB,OAAM,IAAI,UAAU,4BAA4B;EAGlD,MAAM,eAAe,MAAM,WAAW,KAAK;GACzC;GACA,gBAAgB;GACjB,CAAC;AACF,QAAM,sBACJ,KACA,IAAI,KACJ,aAAa,QACb,aAAa,UACd;AACD,SAAO;GAAE,MAAM;GAAqB,UAAU;GAAM;;CAEtD,MAAM,MACJ,aAAa,YACT,IACA,IAAI,UAAU,kBAAkB,uBAAuB,OAAO,EAAE,GAAG;CAC1E,CAAC"}
1	+ {"version":3,"file":"device.js","names":["doc"],"sources":["../../../src/server/device.ts"],"sourcesContent":["/*\n Server-side device authorization flow logic (RFC 8628).\n \n Handles the three phases of the device flow:\n * 1. (default) — Generate a device code + user code pair\n * 2. poll — Device checks whether the user has authorized yet\n * 3. verify — Authenticated user links a user code to their session\n \n Uses `@oslojs/crypto/random` for code generation and\n * `@oslojs/crypto/sha2` for hashing device codes before storage.\n /\n\nimport { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport { ConvexError } from \"convex/values\";\n\nimport { userIdFromIdentitySubject } from \"./identity\";\nimport { callSignIn } from \"./mutations/index\";\nimport { DeviceProviderConfig, GenericActionCtxWithAuthConfig } from \"./types\";\nimport {\n AuthDataModel,\n SessionInfo,\n mutateDeviceInsert,\n queryDeviceByCodeHash,\n queryDeviceByUserCode,\n mutateDeviceAuthorize,\n mutateDeviceUpdateLastPolled,\n mutateDeviceDelete,\n} from \"./types\";\nimport { generateRandomString, sha256 } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\n// ============================================================================\n// Constants\n// ============================================================================\n\nconst DEVICE_CODE_ALPHABET =\n \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\";\nconst DEVICE_CODE_LENGTH = 40;\nconst DEVICE_FLOWS = [\"create\", \"poll\", \"verify\"] as const;\n\n// ============================================================================\n// Create flow\n// ============================================================================\n\n// ============================================================================\n// Poll flow — pipeline of validations + status dispatch\n// ============================================================================\n\n// ============================================================================\n// Main dispatch\n// ============================================================================\n\ntype DeviceResult =\n \| {\n kind: \"deviceCode\";\n deviceCode: string;\n userCode: string;\n verificationUri: string;\n verificationUriComplete: string;\n expiresIn: number;\n interval: number;\n }\n \| { kind: \"signedIn\"; signedIn: SessionInfo \| null };\n\n/* @internal /\nexport const handleDevice = (\n ctx: EnrichedActionCtx,\n provider: DeviceProviderConfig,\n args: { params?: Record<string, any> },\n): Fx<DeviceResult, ConvexError<any>> =>\n Fx.from({\n ok: async () => {\n const params = (args.params ?? {}) as Record<string, unknown>;\n const flow = (typeof params.flow === \"string\" ? params.flow : \"create\") as\n \| \"create\"\n \| \"poll\"\n \| \"verify\";\n\n if (!DEVICE_FLOWS.some((candidate) => candidate === flow)) {\n throw Cv.error({\n code: \"DEVICE_MISSING_FLOW\",\n message:\n \"Missing `flow` parameter. Expected one of: create, poll, verify\",\n });\n }\n\n if (flow === \"create\") {\n const deviceCode = generateRandomString(\n DEVICE_CODE_LENGTH,\n DEVICE_CODE_ALPHABET,\n );\n const deviceCodeHash = await sha256(deviceCode);\n\n const rawUserCode = generateRandomString(\n provider.userCodeLength,\n provider.charset,\n );\n const mid = Math.floor(rawUserCode.length / 2);\n const userCode =\n rawUserCode.slice(0, mid) + \"-\" + rawUserCode.slice(mid);\n\n const expiresAt = Date.now() + provider.expiresIn 1000;\n await mutateDeviceInsert(ctx, {\n deviceCodeHash,\n userCode,\n expiresAt,\n interval: provider.interval,\n status: \"pending\",\n });\n\n const verificationUri =\n provider.verificationUri ??\n `${process.env.SITE_URL ?? requireEnv(\"SITE_URL\")}/device`;\n\n return {\n kind: \"deviceCode\" as const,\n deviceCode,\n userCode,\n verificationUri,\n verificationUriComplete: `${verificationUri}?user_code=${encodeURIComponent(userCode)}`,\n expiresIn: provider.expiresIn,\n interval: provider.interval,\n };\n }\n\n if (flow === \"poll\") {\n if (typeof params.deviceCode !== \"string\") {\n throw Cv.error({\n code: \"DEVICE_MISSING_FLOW\",\n message: \"Missing `deviceCode` parameter for poll flow.\",\n });\n }\n\n const hash = await sha256(params.deviceCode);\n const doc = await queryDeviceByCodeHash(ctx, hash);\n if (doc === null) {\n throw Cv.error({\n code: \"DEVICE_CODE_EXPIRED\",\n message:\n \"The device code has expired. Please start a new authorization request.\",\n });\n }\n if (Date.now() > doc.expiresAt) {\n await mutateDeviceDelete(ctx, doc._id);\n throw Cv.error({\n code: \"DEVICE_CODE_EXPIRED\",\n message:\n \"The device code has expired. Please start a new authorization request.\",\n });\n }\n if (\n doc.lastPolledAt !== undefined &&\n (Date.now() - doc.lastPolledAt) / 1000 < doc.interval\n ) {\n throw Cv.error({\n code: \"DEVICE_SLOW_DOWN\",\n message:\n \"Polling too frequently. Increase the interval between requests.\",\n });\n }\n\n await mutateDeviceUpdateLastPolled(ctx, doc._id, Date.now());\n\n if (doc.status === \"pending\") {\n throw Cv.error({\n code: \"DEVICE_AUTHORIZATION_PENDING\",\n message: \"The user has not yet authorized this device.\",\n });\n }\n if (doc.status === \"denied\") {\n await mutateDeviceDelete(ctx, doc._id);\n throw Cv.error({\n code: \"DEVICE_CODE_DENIED\",\n message: \"The authorization request was denied.\",\n });\n }\n\n if (!doc.userId \|\| !doc.sessionId) {\n throw Cv.error({\n code: \"INTERNAL_ERROR\",\n message: \"Authorized device code missing userId or sessionId\",\n });\n }\n\n await mutateDeviceDelete(ctx, doc._id);\n const signInResult = await callSignIn(ctx, {\n userId: doc.userId,\n sessionId: doc.sessionId,\n generateTokens: true,\n });\n return { kind: \"signedIn\" as const, signedIn: signInResult };\n }\n\n if (typeof params.userCode !== \"string\") {\n throw Cv.error({\n code: \"DEVICE_INVALID_USER_CODE\",\n message: \"Missing `userCode` parameter for verify flow.\",\n });\n }\n\n const identity = await ctx.auth.getUserIdentity();\n if (identity === null) {\n throw Cv.error({\n code: \"NOT_SIGNED_IN\",\n message: \"You must be signed in to authorize a device.\",\n });\n }\n\n const userId = userIdFromIdentitySubject(identity.subject);\n const doc = await queryDeviceByUserCode(ctx, params.userCode);\n if (doc === null) {\n throw Cv.error({\n code: \"DEVICE_INVALID_USER_CODE\",\n message: \"Invalid or expired user code.\",\n });\n }\n if (Date.now() > doc.expiresAt) {\n await mutateDeviceDelete(ctx, doc._id);\n throw Cv.error({\n code: \"DEVICE_CODE_EXPIRED\",\n message:\n \"The device code has expired. Please start a new authorization request.\",\n });\n }\n if (doc.status !== \"pending\") {\n throw Cv.error({\n code: \"DEVICE_ALREADY_AUTHORIZED\",\n message: \"This device code has already been authorized.\",\n });\n }\n\n const signInResult = await callSignIn(ctx, {\n userId,\n generateTokens: false,\n });\n await mutateDeviceAuthorize(\n ctx,\n doc._id,\n signInResult.userId,\n signInResult.sessionId,\n );\n return { kind: \"signedIn\" as const, signedIn: null };\n },\n err: (e) =>\n e instanceof ConvexError\n ? e\n : Cv.error({\n code: \"INTERNAL_ERROR\",\n message: `Device flow failed: ${String(e)}`,\n }),\n });\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAsCA,MAAM,uBACJ;AACF,MAAM,qBAAqB;AAC3B,MAAM,eAAe;CAAC;CAAU;CAAQ;CAAS;;AA2BjD,MAAa,gBACX,KACA,UACA,SAEA,GAAG,KAAK;CACN,IAAI,YAAY;EACd,MAAM,SAAU,KAAK,UAAU,EAAE;EACjC,MAAM,OAAQ,OAAO,OAAO,SAAS,WAAW,OAAO,OAAO;AAK9D,MAAI,CAAC,aAAa,MAAM,cAAc,cAAc,KAAK,CACvD,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SACE;GACH,CAAC;AAGJ,MAAI,SAAS,UAAU;GACrB,MAAM,aAAa,qBACjB,oBACA,qBACD;GACD,MAAM,iBAAiB,MAAM,OAAO,WAAW;GAE/C,MAAM,cAAc,qBAClB,SAAS,gBACT,SAAS,QACV;GACD,MAAM,MAAM,KAAK,MAAM,YAAY,SAAS,EAAE;GAC9C,MAAM,WACJ,YAAY,MAAM,GAAG,IAAI,GAAG,MAAM,YAAY,MAAM,IAAI;AAG1D,SAAM,mBAAmB,KAAK;IAC5B;IACA;IACA,WAJgB,KAAK,KAAK,GAAG,SAAS,YAAY;IAKlD,UAAU,SAAS;IACnB,QAAQ;IACT,CAAC;GAEF,MAAM,kBACJ,SAAS,mBACT,GAAG,QAAQ,IAAI,YAAY,WAAW,WAAW,CAAC;AAEpD,UAAO;IACL,MAAM;IACN;IACA;IACA;IACA,yBAAyB,GAAG,gBAAgB,aAAa,mBAAmB,SAAS;IACrF,WAAW,SAAS;IACpB,UAAU,SAAS;IACpB;;AAGH,MAAI,SAAS,QAAQ;AACnB,OAAI,OAAO,OAAO,eAAe,SAC/B,OAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACV,CAAC;GAIJ,MAAMA,QAAM,MAAM,sBAAsB,KAD3B,MAAM,OAAO,OAAO,WAAW,CACM;AAClD,OAAIA,UAAQ,KACV,OAAM,GAAG,MAAM;IACb,MAAM;IACN,SACE;IACH,CAAC;AAEJ,OAAI,KAAK,KAAK,GAAGA,MAAI,WAAW;AAC9B,UAAM,mBAAmB,KAAKA,MAAI,IAAI;AACtC,UAAM,GAAG,MAAM;KACb,MAAM;KACN,SACE;KACH,CAAC;;AAEJ,OACEA,MAAI,iBAAiB,WACpB,KAAK,KAAK,GAAGA,MAAI,gBAAgB,MAAOA,MAAI,SAE7C,OAAM,GAAG,MAAM;IACb,MAAM;IACN,SACE;IACH,CAAC;AAGJ,SAAM,6BAA6B,KAAKA,MAAI,KAAK,KAAK,KAAK,CAAC;AAE5D,OAAIA,MAAI,WAAW,UACjB,OAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACV,CAAC;AAEJ,OAAIA,MAAI,WAAW,UAAU;AAC3B,UAAM,mBAAmB,KAAKA,MAAI,IAAI;AACtC,UAAM,GAAG,MAAM;KACb,MAAM;KACN,SAAS;KACV,CAAC;;AAGJ,OAAI,CAACA,MAAI,UAAU,CAACA,MAAI,UACtB,OAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACV,CAAC;AAGJ,SAAM,mBAAmB,KAAKA,MAAI,IAAI;AAMtC,UAAO;IAAE,MAAM;IAAqB,UALf,MAAM,WAAW,KAAK;KACzC,QAAQA,MAAI;KACZ,WAAWA,MAAI;KACf,gBAAgB;KACjB,CAAC;IAC0D;;AAG9D,MAAI,OAAO,OAAO,aAAa,SAC7B,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;EAGJ,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,MAAI,aAAa,KACf,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;EAGJ,MAAM,SAAS,0BAA0B,SAAS,QAAQ;EAC1D,MAAM,MAAM,MAAM,sBAAsB,KAAK,OAAO,SAAS;AAC7D,MAAI,QAAQ,KACV,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;AAEJ,MAAI,KAAK,KAAK,GAAG,IAAI,WAAW;AAC9B,SAAM,mBAAmB,KAAK,IAAI,IAAI;AACtC,SAAM,GAAG,MAAM;IACb,MAAM;IACN,SACE;IACH,CAAC;;AAEJ,MAAI,IAAI,WAAW,UACjB,OAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS;GACV,CAAC;EAGJ,MAAM,eAAe,MAAM,WAAW,KAAK;GACzC;GACA,gBAAgB;GACjB,CAAC;AACF,QAAM,sBACJ,KACA,IAAI,KACJ,aAAa,QACb,aAAa,UACd;AACD,SAAO;GAAE,MAAM;GAAqB,UAAU;GAAM;;CAEtD,MAAM,MACJ,aAAa,cACT,IACA,GAAG,MAAM;EACP,MAAM;EACN,SAAS,uBAAuB,OAAO,EAAE;EAC1C,CAAC;CACT,CAAC"}

package/dist/component/server/enterprise/domain.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { AuthError } from "../authError.js";
+import { Cv } from "@robelest/fx/convex";
 import { Fx } from "@robelest/fx";
 //#region src/server/enterprise/domain.ts
@@ -34,7 +34,6 @@ function createEnterpriseDomain(deps) {
 		connection: {
 			create: async (ctx, data) => {
 				return {
-					ok: true,
 					enterpriseId: await ctx.runMutation(config.component.public.enterpriseCreate, {
 						...data,
 						policy: normalizeEnterprisePolicy(data.policy)
@@ -65,21 +64,18 @@ function createEnterpriseDomain(deps) {
 					enterpriseId,
 					data
 				});
-				return {
-					ok: true,
-					enterpriseId
-				};
+				return { enterpriseId };
 			},
 			delete: async (ctx, enterpriseId) => {
 				await ctx.runMutation(config.component.public.enterpriseDelete, { enterpriseId });
-				return {
-					ok: true,
-					enterpriseId
-				};
+				return { enterpriseId };
 			},
 			status: async (ctx, enterpriseId) => {
 				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
-				if (!enterprise) throw new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError).toConvexError();
+				if (!enterprise) throw Cv.error({
+					code: "INVALID_PARAMETERS",
+					message: enterpriseNotFoundError
+				});
 				const policy = getPolicyFromEnterprise(enterprise);
 				const protocols = enterprise.config?.protocols ?? {};
 				const oidcConfig = protocols.oidc;
@@ -130,7 +126,10 @@ function createEnterpriseDomain(deps) {
 			},
 			validate: async (ctx, enterpriseId) => {
 				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
-				if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError).toConvexError();
+				if (enterprise === null) throw Cv.error({
+					code: "INVALID_PARAMETERS",
+					message: enterpriseNotFoundError
+				});
 				const domains = await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId });
 				const primaryDomains = domains.filter((domain) => domain.isPrimary);
 				const verifiedDomains = domains.filter((domain) => domain.verifiedAt !== void 0);
@@ -159,7 +158,10 @@ function createEnterpriseDomain(deps) {
 					const enterprise = await loadEnterpriseOrThrow(ctx, args.enterpriseId);
 					const normalizedDomain = normalizeDomain(args.domain);
 					const domain = (await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId: enterprise._id })).find((entry) => entry.domain === normalizedDomain);
-					if (!domain) throw new AuthError("INVALID_PARAMETERS", "Domain is not attached to this enterprise.").toConvexError();
+					if (!domain) throw Cv.error({
+						code: "INVALID_PARAMETERS",
+						message: "Domain is not attached to this enterprise."
+					});
 					const requestedAt = Date.now();
 					const expiresAt = requestedAt + ENTERPRISE_DOMAIN_VERIFICATION_TTL_MS;
 					const token = generateRandomString(32, INVITE_TOKEN_ALPHABET);
@@ -191,7 +193,6 @@ function createEnterpriseDomain(deps) {
 						}
 					});
 					return {
-						ok: true,
 						enterpriseId: enterprise._id,
 						domain: normalizedDomain,
 						requestedAt,
@@ -207,7 +208,10 @@ function createEnterpriseDomain(deps) {
 					const enterprise = await loadEnterpriseOrThrow(ctx, args.enterpriseId);
 					const normalizedDomain = normalizeDomain(args.domain);
 					const domain = (await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId: enterprise._id })).find((entry) => entry.domain === normalizedDomain);
-					if (!domain) throw new AuthError("INVALID_PARAMETERS", "Domain is not attached to this enterprise.").toConvexError();
+					if (!domain) throw Cv.error({
+						code: "INVALID_PARAMETERS",
+						message: "Domain is not attached to this enterprise."
+					});
 					if (domain.verifiedAt !== void 0) return {
 						ok: true,
 						enterpriseId: enterprise._id,
@@ -260,7 +264,10 @@ function createEnterpriseDomain(deps) {
 					try {
 						txtValues = await resolveTxtValues(verification.recordName);
 					} catch (error) {
-						throw new AuthError("INTERNAL_ERROR", error instanceof Error ? error.message : "Failed to resolve DNS TXT records.").toConvexError();
+						throw Cv.error({
+							code: "INTERNAL_ERROR",
+							message: error instanceof Error ? error.message : "Failed to resolve DNS TXT records."
+						});
 					}
 					checks.push({
 						name: "dns_record_present",
@@ -312,19 +319,37 @@ function createEnterpriseDomain(deps) {
 				return await Fx.run(Fx.gen(function* () {
 					const enterprise = yield* Fx.from({
 						ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
-						err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
-					}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent)));
+						err: () => Cv.error({
+							code: "INTERNAL_ERROR",
+							message: "Failed to load enterprise."
+						})
+					}).pipe(Fx.chain((ent) => ent === null ? Cv.fail({
+						code: "INVALID_PARAMETERS",
+						message: enterpriseNotFoundError
+					}) : Fx.succeed(ent)));
 					const metadataXml = yield* data.metadataXml ? Fx.succeed(data.metadataXml) : data.metadataUrl ? Fx.defer(() => Fx.from({
 						ok: async () => {
 							const response = await fetch(data.metadataUrl);
 							if (!response.ok) throw new Error(`Failed to fetch SAML metadata: ${response.status}`);
 							return await response.text();
 						},
-						err: (error) => new AuthError("INVALID_PARAMETERS", error instanceof Error ? error.message : "Failed to fetch SAML metadata")
-					})).pipe(Fx.timeout(1e4), Fx.retry(Fx.retry.compose(Fx.retry.jittered(Fx.retry.exponential(200)), Fx.retry.recurs(2))), Fx.recover((error) => Fx.fail(new AuthError("INVALID_PARAMETERS", error instanceof Error ? error.message : "Failed to fetch SAML metadata")))) : Fx.fail(new AuthError("INVALID_PARAMETERS", "SAML registration requires metadataXml or metadataUrl."));
+						err: (error) => Cv.error({
+							code: "INVALID_PARAMETERS",
+							message: error instanceof Error ? error.message : "Failed to fetch SAML metadata"
+						})
+					})).pipe(Fx.timeout(1e4), Fx.retry(Fx.retry.compose(Fx.retry.jittered(Fx.retry.exponential(200)), Fx.retry.recurs(2))), Fx.recover((error) => Cv.fail({
+						code: "INVALID_PARAMETERS",
+						message: error instanceof Error ? error.message : "Failed to fetch SAML metadata"
+					}))) : Cv.fail({
+						code: "INVALID_PARAMETERS",
+						message: "SAML registration requires metadataXml or metadataUrl."
+					});
 					const parsed = yield* Fx.from({
 						ok: () => parseSamlIdpMetadata(metadataXml),
-						err: () => new AuthError("INVALID_PARAMETERS", "Failed to parse SAML metadata.")
+						err: () => Cv.error({
+							code: "INVALID_PARAMETERS",
+							message: "Failed to parse SAML metadata."
+						})
 					});
 					const baseConfig = upsertProtocolConfig(enterprise.config, "saml", {
 						enabled: true,
@@ -349,7 +374,10 @@ function createEnterpriseDomain(deps) {
 								config: nextConfig
 							}
 						}),
-						err: () => new AuthError("INTERNAL_ERROR", "Failed to persist SAML registration.")
+						err: () => Cv.error({
+							code: "INTERNAL_ERROR",
+							message: "Failed to persist SAML registration."
+						})
 					});
 					if (normalizedDomains) for (const [index, domain] of normalizedDomains.entries()) yield* Fx.from({
 						ok: () => ctx.runMutation(config.component.public.enterpriseDomainAdd, {
@@ -358,7 +386,10 @@ function createEnterpriseDomain(deps) {
 							domain,
 							isPrimary: index === 0
 						}),
-						err: () => new AuthError("INTERNAL_ERROR", "Failed to persist enterprise domain.")
+						err: () => Cv.error({
+							code: "INTERNAL_ERROR",
+							message: "Failed to persist enterprise domain."
+						})
 					});
 					yield* Fx.from({
 						ok: () => recordEnterpriseAuditEvent(ctx, {
@@ -374,18 +405,23 @@ function createEnterpriseDomain(deps) {
 								domains: normalizedDomains
 							}
 						}),
-						err: () => new AuthError("INTERNAL_ERROR", "Failed to record SAML registration audit event.")
+						err: () => Cv.error({
+							code: "INTERNAL_ERROR",
+							message: "Failed to record SAML registration audit event."
+						})
 					});
 					return {
-						ok: true,
 						enterpriseId: enterprise._id,
 						groupId: enterprise.groupId
 					};
-				}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+				}).pipe(Fx.recover((e) => Fx.fatal(e))));
 			},
 			metadata: async (ctx, opts) => {
 				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: opts.enterpriseId });
-				if (!enterprise) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
+				if (!enterprise) throw Cv.error({
+					code: "INVALID_PARAMETERS",
+					message: "Enterprise not found."
+				});
 				return createServiceProviderMetadata(getSamlServiceProviderOptions({
 					rootUrl: requireEnv("CONVEX_SITE_URL"),
 					source: {
@@ -507,11 +543,20 @@ function createEnterpriseDomain(deps) {
 		oidc: {
 			configure: async (ctx, data) => {
 				return await Fx.run(Fx.gen(function* () {
-					yield* Fx.guard(data.issuer === void 0 && data.discoveryUrl === void 0, Fx.fail(new AuthError("INVALID_PARAMETERS", "OIDC registration requires issuer or discoveryUrl.")));
+					yield* Fx.guard(data.issuer === void 0 && data.discoveryUrl === void 0, Cv.fail({
+						code: "INVALID_PARAMETERS",
+						message: "OIDC registration requires issuer or discoveryUrl."
+					}));
 					const enterprise = yield* Fx.from({
 						ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
-						err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
-					}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent)));
+						err: () => Cv.error({
+							code: "INTERNAL_ERROR",
+							message: "Failed to load enterprise."
+						})
+					}).pipe(Fx.chain((ent) => ent === null ? Cv.fail({
+						code: "INVALID_PARAMETERS",
+						message: enterpriseNotFoundError
+					}) : Fx.succeed(ent)));
 					const nextConfig = upsertProtocolConfig(enterprise.config, "oidc", {
 						enabled: true,
 						issuer: data.issuer,
@@ -532,12 +577,18 @@ function createEnterpriseDomain(deps) {
 							enterpriseId: data.enterpriseId,
 							data: { config: nextConfig }
 						}),
-						err: () => new AuthError("INTERNAL_ERROR", "Failed to persist OIDC registration.")
+						err: () => Cv.error({
+							code: "INTERNAL_ERROR",
+							message: "Failed to persist OIDC registration."
+						})
 					});
 					if (data.clientSecret !== void 0) {
 						const ciphertext = yield* Fx.from({
 							ok: () => encryptSecret(data.clientSecret),
-							err: () => new AuthError("INTERNAL_ERROR", "Failed to encrypt OIDC client secret.")
+							err: () => Cv.error({
+								code: "INTERNAL_ERROR",
+								message: "Failed to encrypt OIDC client secret."
+							})
 						});
 						yield* Fx.from({
 							ok: () => ctx.runMutation(config.component.public.enterpriseSecretUpsert, {
@@ -547,7 +598,10 @@ function createEnterpriseDomain(deps) {
 								ciphertext,
 								updatedAt: Date.now()
 							}),
-							err: () => new AuthError("INTERNAL_ERROR", "Failed to persist OIDC client secret.")
+							err: () => Cv.error({
+								code: "INTERNAL_ERROR",
+								message: "Failed to persist OIDC client secret."
+							})
 						});
 					}
 					yield* Fx.from({
@@ -564,39 +618,75 @@ function createEnterpriseDomain(deps) {
 								discoveryUrl: data.discoveryUrl
 							}
 						}),
-						err: () => new AuthError("INTERNAL_ERROR", "Failed to record OIDC registration audit event.")
+						err: () => Cv.error({
+							code: "INTERNAL_ERROR",
+							message: "Failed to record OIDC registration audit event."
+						})
 					});
 					const secret = yield* Fx.from({
 						ok: () => getEnterpriseSecret(ctx, data.enterpriseId, ENTERPRISE_OIDC_CLIENT_SECRET_KIND),
-						err: () => new AuthError("INTERNAL_ERROR", "Failed to load OIDC secret metadata.")
+						err: () => Cv.error({
+							code: "INTERNAL_ERROR",
+							message: "Failed to load OIDC secret metadata."
+						})
 					});
 					return withOidcSecretState(getPublicOidcConfig(nextConfig), secret !== null);
-				}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+				}).pipe(Fx.recover((e) => Fx.fatal(e))));
 			},
 			get: async (ctx, enterpriseId) => {
 				return await Fx.run(Fx.from({
 					ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId }),
-					err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
-				}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent)), Fx.chain((enterprise) => Fx.from({
+					err: () => Cv.error({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load enterprise."
+					})
+				}).pipe(Fx.chain((ent) => ent === null ? Cv.fail({
+					code: "INVALID_PARAMETERS",
+					message: enterpriseNotFoundError
+				}) : Fx.succeed(ent)), Fx.chain((enterprise) => Fx.from({
 					ok: async () => {
 						const secret = await getEnterpriseSecret(ctx, enterprise._id, ENTERPRISE_OIDC_CLIENT_SECRET_KIND);
 						return withOidcSecretState(getPublicOidcConfig(enterprise.config), secret !== null);
 					},
-					err: () => new AuthError("INTERNAL_ERROR", "Failed to load OIDC secret metadata.")
-				})), Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+					err: () => Cv.error({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load OIDC secret metadata."
+					})
+				})), Fx.recover((e) => Fx.fatal(e))));
 			},
 			signIn: async (ctx, data) => {
 				return await Fx.run(Fx.gen(function* () {
 					const enterprise = data.enterpriseId !== void 0 ? yield* Fx.from({
 						ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
-						err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
-					}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent))) : data.domain !== void 0 || data.email !== void 0 ? yield* Fx.from({
-						ok: () => ctx.runQuery(config.component.public.enterpriseGetByDomain, { domain: normalizeDomain(data.domain ?? String(data.email).split("@").at(-1) ?? "") }),
-						err: () => new AuthError("INTERNAL_ERROR", "Failed to resolve enterprise by domain.")
-					}).pipe(Fx.chain((result) => result?.enterprise && result.domain?.verifiedAt !== void 0 ? Fx.succeed(result.enterprise) : Fx.fail(new AuthError("INVALID_PARAMETERS", "No enterprise OIDC connection matched the provided input.")))) : yield* Fx.fail(new AuthError("INVALID_PARAMETERS", "No enterprise OIDC connection matched the provided input."));
-					yield* Fx.guard(enterprise.status !== "active", Fx.fail(new AuthError("INVALID_PARAMETERS", "Enterprise connection is not active.")));
+						err: () => Cv.error({
+							code: "INTERNAL_ERROR",
+							message: "Failed to load enterprise."
+						})
+					}).pipe(Fx.chain((ent) => ent === null ? Cv.fail({
+						code: "INVALID_PARAMETERS",
+						message: enterpriseNotFoundError
+					}) : Fx.succeed(ent))) : data.domain !== void 0 || data.email !== void 0 ? yield* Fx.from({
+						ok: () => ctx.runQuery(config.component.public.enterpriseGetByDomain, { domain: normalizeDomain(data.domain ?? String(data.email).split("@").pop() ?? "") }),
+						err: () => Cv.error({
+							code: "INTERNAL_ERROR",
+							message: "Failed to resolve enterprise by domain."
+						})
+					}).pipe(Fx.chain((result) => result?.enterprise && result.domain?.verifiedAt !== void 0 ? Fx.succeed(result.enterprise) : Cv.fail({
+						code: "INVALID_PARAMETERS",
+						message: "No enterprise OIDC connection matched the provided input."
+					}))) : yield* Cv.fail({
+						code: "INVALID_PARAMETERS",
+						message: "No enterprise OIDC connection matched the provided input."
+					});
+					yield* Fx.guard(enterprise.status !== "active", Cv.fail({
+						code: "INVALID_PARAMETERS",
+						message: "Enterprise connection is not active."
+					}));
 					const oidc = getOidcConfig(enterprise.config);
-					yield* Fx.guard(oidc.enabled !== true, Fx.fail(new AuthError("PROVIDER_NOT_CONFIGURED", "OIDC is not configured for this enterprise.")));
+					yield* Fx.guard(oidc.enabled !== true, Cv.fail({
+						code: "PROVIDER_NOT_CONFIGURED",
+						message: "OIDC is not configured for this enterprise."
+					}));
 					const urls = getEnterpriseOidcUrls({
 						rootUrl: requireEnv("CONVEX_SITE_URL"),
 						enterpriseId: enterprise._id
@@ -608,7 +698,7 @@ function createEnterpriseDomain(deps) {
 						callbackPath: urls.callbackUrl,
 						redirectTo: data.redirectTo
 					};
-				}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+				}).pipe(Fx.recover((e) => Fx.fatal(e))));
 			},
 			validate: async (ctx, enterpriseId) => {
 				const checks = [];
@@ -683,7 +773,10 @@ function createEnterpriseDomain(deps) {
 		scim: {
 			configure: async (ctx, data) => {
 				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId });
-				if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
+				if (enterprise === null) throw Cv.error({
+					code: "INVALID_PARAMETERS",
+					message: "Enterprise not found."
+				});
 				const rawToken = generateRandomString(48, INVITE_TOKEN_ALPHABET);
 				const tokenHash = await sha256(rawToken);
 				const configId = await ctx.runMutation(config.component.public.enterpriseScimConfigUpsert, {
@@ -713,7 +806,6 @@ function createEnterpriseDomain(deps) {
 					}
 				});
 				return {
-					ok: true,
 					enterpriseId: enterprise._id,
 					configId,
 					basePath: data.basePath ?? `${requireEnv("CONVEX_SITE_URL")}/api/auth/sso/${enterprise._id}/scim/v2`,
@@ -799,7 +891,10 @@ function createEnterpriseDomain(deps) {
 				},
 				create: async (ctx, data) => {
 					const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId });
-					if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
+					if (enterprise === null) throw Cv.error({
+						code: "INVALID_PARAMETERS",
+						message: "Enterprise not found."
+					});
 					const secretHash = await sha256(data.secret);
 					const endpointId = await ctx.runMutation(config.component.public.enterpriseWebhookEndpointCreate, {
 						enterpriseId: enterprise._id,
@@ -819,10 +914,7 @@ function createEnterpriseDomain(deps) {
 						subjectId: endpointId,
 						ok: true
 					});
-					return {
-						ok: true,
-						endpointId
-					};
+					return { endpointId };
 				},
 				list: async (ctx, enterpriseId) => {
 					return await ctx.runQuery(config.component.public.enterpriseWebhookEndpointList, { enterpriseId });
@@ -832,10 +924,7 @@ function createEnterpriseDomain(deps) {
 						endpointId,
 						data: { status: "disabled" }
 					});
-					return {
-						ok: true,
-						endpointId
-					};
+					return { endpointId };
 				}
 			},
 			emit: async (ctx, data) => {