@robelest/convex-auth 0.0.4-preview.22 → 0.0.4-preview.23

package/dist/component/public/identity/tokens.js.map

@@ -1 +1 @@
-{"version":3,"file":"tokens.js","names":[],"sources":["../../../../src/component/public/identity/tokens.ts"],"sourcesContent":["import { v } from \"convex/values\";\nimport { mutation, query } from \"../../functions\";\nimport { vRefreshTokenDoc } from \"../../model\";\n\n/**\n * Create a new refresh token for a session.\n *\n * Inserts a document into the `RefreshToken` table. Refresh tokens are used to\n * obtain new access tokens without requiring the user to re-authenticate. When\n * a refresh token is rotated, the new token references the old one via\n * `parentRefreshTokenId` to form a token chain for replay detection.\n *\n * @param args.sessionId - The document ID of the session this refresh token belongs to.\n * @param args.expirationTime - The Unix timestamp (in milliseconds) at which this refresh token expires.\n * @param args.parentRefreshTokenId - The document ID of the parent refresh token that was\n *   exchanged to create this one. Omitted for the initial token in a session.\n * @returns The document ID of the newly created refresh token.\n *\n * @example\n * ```ts\n * const tokenId = await ctx.runMutation(\n *   component.identity.tokens.refreshTokenCreate,\n *   {\n *     sessionId: session._id,\n *     expirationTime: Date.now() + 7 * 24 * 60 * 60 * 1000, // 7 days\n *   },\n * );\n * ```\n */\nexport const refreshTokenCreate = mutation({\n  args: {\n    sessionId: v.id(\"Session\"),\n    expirationTime: v.number(),\n    parentRefreshTokenId: v.optional(v.id(\"RefreshToken\")),\n  },\n  returns: v.id(\"RefreshToken\"),\n  handler: async (ctx, args) => {\n    return await ctx.db.insert(\"RefreshToken\", args as any);\n  },\n});\n\n/**\n * Retrieve a single refresh token by its Convex document ID.\n *\n * Performs a direct point lookup on the `RefreshToken` table. Returns `null` if\n * the token has been deleted or never existed.\n *\n * @param args.refreshTokenId - The Convex document ID (`Id<\"RefreshToken\">`) of the token to retrieve.\n * @returns The refresh token document if it exists, or `null` otherwise.\n *\n * @example\n * ```ts\n * const token = await ctx.runQuery(\n *   component.identity.tokens.refreshTokenGetById,\n *   { refreshTokenId: storedTokenId },\n * );\n * if (token !== null && token.expirationTime > Date.now()) {\n *   console.log(\"Refresh token is still valid\");\n * }\n * ```\n */\nexport const refreshTokenGetById = query({\n  args: { refreshTokenId: v.id(\"RefreshToken\") },\n  returns: v.union(vRefreshTokenDoc, v.null()),\n  handler: async (ctx, { refreshTokenId }) => {\n    return await ctx.db.get(\"RefreshToken\", refreshTokenId);\n  },\n});\n\n/**\n * Patch a refresh token document with partial data.\n *\n * Merges the provided fields into the existing refresh token document. This is\n * primarily used to record `firstUsedTime` when a refresh token is first\n * exchanged, marking it as consumed for replay detection.\n *\n * @param args.refreshTokenId - The document ID of the refresh token to update.\n * @param args.data - A partial object containing the fields to merge (e.g. `{ firstUsedTime: number }`).\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Mark the refresh token as used\n * await ctx.runMutation(\n *   component.identity.tokens.refreshTokenPatch,\n *   {\n *     refreshTokenId: token._id,\n *     data: { firstUsedTime: Date.now() },\n *   },\n * );\n * ```\n */\nexport const refreshTokenPatch = mutation({\n  args: { refreshTokenId: v.id(\"RefreshToken\"), data: v.any() },\n  returns: v.null(),\n  handler: async (ctx, { refreshTokenId, data }) => {\n    await ctx.db.patch(\"RefreshToken\", refreshTokenId, data);\n    return null;\n  },\n});\n\n/**\n * Get child tokens that were created by exchanging a specific parent token.\n *\n * Queries the `RefreshToken` table using the `session_id_parent_refresh_token_id`\n * index to find all tokens whose `parentRefreshTokenId` matches the provided\n * parent. This is used for replay detection: if a parent token has more than\n * one child, it indicates a potential token reuse attack.\n *\n * @param args.sessionId - The document ID of the session the tokens belong to.\n * @param args.parentRefreshTokenId - The document ID of the parent refresh token whose children to retrieve.\n * @returns An array of refresh token documents that were derived from the specified parent token.\n *\n * @example\n * ```ts\n * const children = await ctx.runQuery(\n *   component.identity.tokens.refreshTokenGetChildren,\n *   {\n *     sessionId: session._id,\n *     parentRefreshTokenId: parentToken._id,\n *   },\n * );\n * if (children.length > 1) {\n *   console.warn(\"Possible token reuse detected!\");\n * }\n * ```\n */\nexport const refreshTokenGetChildren = query({\n  args: {\n    sessionId: v.id(\"Session\"),\n    parentRefreshTokenId: v.id(\"RefreshToken\"),\n  },\n  returns: v.array(vRefreshTokenDoc),\n  handler: async (ctx, { sessionId, parentRefreshTokenId }) => {\n    return await ctx.db\n      .query(\"RefreshToken\")\n      .withIndex(\"session_id_parent_refresh_token_id\", (q) =>\n        q\n          .eq(\"sessionId\", sessionId as any)\n          .eq(\"parentRefreshTokenId\", parentRefreshTokenId as any),\n      )\n      .collect();\n  },\n});\n\n/**\n * List all refresh tokens belonging to a specific session.\n *\n * Queries the `RefreshToken` table using the `session_id_parent_refresh_token_id`\n * index to efficiently retrieve every refresh token associated with the given\n * session, including both active and consumed tokens.\n *\n * @param args.sessionId - The document ID of the session whose refresh tokens should be retrieved.\n * @returns An array of all refresh token documents for the specified session.\n *\n * @example\n * ```ts\n * const tokens = await ctx.runQuery(\n *   component.identity.tokens.refreshTokenListBySession,\n *   { sessionId: session._id },\n * );\n * console.log(`Session has ${tokens.length} refresh token(s)`);\n * ```\n */\nexport const refreshTokenListBySession = query({\n  args: { sessionId: v.id(\"Session\") },\n  returns: v.array(vRefreshTokenDoc),\n  handler: async (ctx, { sessionId }) => {\n    return await ctx.db\n      .query(\"RefreshToken\")\n      .withIndex(\"session_id_parent_refresh_token_id\", (q) =>\n        q.eq(\"sessionId\", sessionId as any),\n      )\n      .collect();\n  },\n});\n\n/**\n * Delete all refresh tokens for a session.\n *\n * Queries the `RefreshToken` table for all tokens belonging to the given session\n * and deletes them in parallel. This is typically called when a session is\n * revoked or when token reuse is detected, effectively invalidating the entire\n * token chain for that session.\n *\n * @param args.sessionId - The document ID of the session whose refresh tokens should be deleted.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Invalidate all tokens for a compromised session\n * await ctx.runMutation(\n *   component.identity.tokens.refreshTokenDeleteAll,\n *   { sessionId: session._id },\n * );\n * ```\n */\nexport const refreshTokenDeleteAll = mutation({\n  args: { sessionId: v.id(\"Session\") },\n  returns: v.null(),\n  handler: async (ctx, { sessionId }) => {\n    const tokens = await ctx.db\n      .query(\"RefreshToken\")\n      .withIndex(\"session_id_parent_refresh_token_id\", (q) =>\n        q.eq(\"sessionId\", sessionId as any),\n      )\n      .collect();\n    await Promise.all(\n      tokens.map((token) => ctx.db.delete(\"RefreshToken\", token._id)),\n    );\n    return null;\n  },\n});\n\n/**\n * Get the active (unused) refresh token for a session.\n *\n * Queries the `RefreshToken` table using the `session_id_first_used` index to\n * find the most recently created token for the session that has not yet been\n * exchanged (i.e. `firstUsedTime` is `undefined`). This represents the current\n * valid refresh token the client should be holding.\n *\n * @param args.sessionId - The document ID of the session whose active refresh token should be retrieved.\n * @returns The most recent unused refresh token document, or `null` if no active token exists\n *   (e.g. all tokens have been consumed or the session has no tokens).\n *\n * @example\n * ```ts\n * const activeToken = await ctx.runQuery(\n *   component.identity.tokens.refreshTokenGetActive,\n *   { sessionId: session._id },\n * );\n * if (activeToken !== null) {\n *   console.log(`Active token expires at: ${activeToken.expirationTime}`);\n * }\n * ```\n */\nexport const refreshTokenGetActive = query({\n  args: { sessionId: v.id(\"Session\") },\n  returns: v.union(vRefreshTokenDoc, v.null()),\n  handler: async (ctx, { sessionId }) => {\n    return await ctx.db\n      .query(\"RefreshToken\")\n      .withIndex(\"session_id_first_used\", (q) =>\n        q.eq(\"sessionId\", sessionId as any).eq(\"firstUsedTime\", undefined),\n      )\n      .order(\"desc\")\n      .first();\n  },\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BA,MAAa,qBAAqB,SAAS;CACzC,MAAM;EACJ,WAAW,EAAE,GAAG,UAAU;EAC1B,gBAAgB,EAAE,QAAQ;EAC1B,sBAAsB,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC;EACvD;CACD,SAAS,EAAE,GAAG,eAAe;CAC7B,SAAS,OAAO,KAAK,SAAS;AAC5B,SAAO,MAAM,IAAI,GAAG,OAAO,gBAAgB,KAAY;;CAE1D,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,sBAAsB,MAAM;CACvC,MAAM,EAAE,gBAAgB,EAAE,GAAG,eAAe,EAAE;CAC9C,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,qBAAqB;AAC1C,SAAO,MAAM,IAAI,GAAG,IAAI,gBAAgB,eAAe;;CAE1D,CAAC;;;;;;;;;;;;;;;;;;;;;;;;AAyBF,MAAa,oBAAoB,SAAS;CACxC,MAAM;EAAE,gBAAgB,EAAE,GAAG,eAAe;EAAE,MAAM,EAAE,KAAK;EAAE;CAC7D,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,gBAAgB,WAAW;AAChD,QAAM,IAAI,GAAG,MAAM,gBAAgB,gBAAgB,KAAK;AACxD,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4BF,MAAa,0BAA0B,MAAM;CAC3C,MAAM;EACJ,WAAW,EAAE,GAAG,UAAU;EAC1B,sBAAsB,EAAE,GAAG,eAAe;EAC3C;CACD,SAAS,EAAE,MAAM,iBAAiB;CAClC,SAAS,OAAO,KAAK,EAAE,WAAW,2BAA2B;AAC3D,SAAO,MAAM,IAAI,GACd,MAAM,eAAe,CACrB,UAAU,uCAAuC,MAChD,EACG,GAAG,aAAa,UAAiB,CACjC,GAAG,wBAAwB,qBAA4B,CAC3D,CACA,SAAS;;CAEf,CAAC;;;;;;;;;;;;;;;;;;;;AAqBF,MAAa,4BAA4B,MAAM;CAC7C,MAAM,EAAE,WAAW,EAAE,GAAG,UAAU,EAAE;CACpC,SAAS,EAAE,MAAM,iBAAiB;CAClC,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GACd,MAAM,eAAe,CACrB,UAAU,uCAAuC,MAChD,EAAE,GAAG,aAAa,UAAiB,CACpC,CACA,SAAS;;CAEf,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,wBAAwB,SAAS;CAC5C,MAAM,EAAE,WAAW,EAAE,GAAG,UAAU,EAAE;CACpC,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,gBAAgB;EACrC,MAAM,SAAS,MAAM,IAAI,GACtB,MAAM,eAAe,CACrB,UAAU,uCAAuC,MAChD,EAAE,GAAG,aAAa,UAAiB,CACpC,CACA,SAAS;AACZ,QAAM,QAAQ,IACZ,OAAO,KAAK,UAAU,IAAI,GAAG,OAAO,gBAAgB,MAAM,IAAI,CAAC,CAChE;AACD,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;;;;;AAyBF,MAAa,wBAAwB,MAAM;CACzC,MAAM,EAAE,WAAW,EAAE,GAAG,UAAU,EAAE;CACpC,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GACd,MAAM,eAAe,CACrB,UAAU,0BAA0B,MACnC,EAAE,GAAG,aAAa,UAAiB,CAAC,GAAG,iBAAiB,OAAU,CACnE,CACA,MAAM,OAAO,CACb,OAAO;;CAEb,CAAC"}
+{"version":3,"file":"tokens.js","names":[],"sources":["../../../../src/component/public/identity/tokens.ts"],"sourcesContent":["import { v } from \"convex/values\";\n\nimport { mutation, query } from \"../../functions\";\nimport { vRefreshTokenDoc } from \"../../model\";\n\n/**\n * Create a new refresh token for a session.\n *\n * Inserts a document into the `RefreshToken` table. Refresh tokens are used to\n * obtain new access tokens without requiring the user to re-authenticate. When\n * a refresh token is rotated, the new token references the old one via\n * `parentRefreshTokenId` to form a token chain for replay detection.\n *\n * @param args.sessionId - The document ID of the session this refresh token belongs to.\n * @param args.expirationTime - The Unix timestamp (in milliseconds) at which this refresh token expires.\n * @param args.parentRefreshTokenId - The document ID of the parent refresh token that was\n *   exchanged to create this one. Omitted for the initial token in a session.\n * @returns The document ID of the newly created refresh token.\n *\n * @example\n * ```ts\n * const tokenId = await ctx.runMutation(\n *   component.identity.tokens.refreshTokenCreate,\n *   {\n *     sessionId: session._id,\n *     expirationTime: Date.now() + 7 * 24 * 60 * 60 * 1000, // 7 days\n *   },\n * );\n * ```\n */\nexport const refreshTokenCreate = mutation({\n  args: {\n    sessionId: v.id(\"Session\"),\n    expirationTime: v.number(),\n    parentRefreshTokenId: v.optional(v.id(\"RefreshToken\")),\n  },\n  returns: v.id(\"RefreshToken\"),\n  handler: async (ctx, args) => {\n    return await ctx.db.insert(\"RefreshToken\", args as any);\n  },\n});\n\n/**\n * Retrieve a single refresh token by its Convex document ID.\n *\n * Performs a direct point lookup on the `RefreshToken` table. Returns `null` if\n * the token has been deleted or never existed.\n *\n * @param args.refreshTokenId - The Convex document ID (`Id<\"RefreshToken\">`) of the token to retrieve.\n * @returns The refresh token document if it exists, or `null` otherwise.\n *\n * @example\n * ```ts\n * const token = await ctx.runQuery(\n *   component.identity.tokens.refreshTokenGetById,\n *   { refreshTokenId: storedTokenId },\n * );\n * if (token !== null && token.expirationTime > Date.now()) {\n *   console.log(\"Refresh token is still valid\");\n * }\n * ```\n */\nexport const refreshTokenGetById = query({\n  args: { refreshTokenId: v.id(\"RefreshToken\") },\n  returns: v.union(vRefreshTokenDoc, v.null()),\n  handler: async (ctx, { refreshTokenId }) => {\n    return await ctx.db.get(\"RefreshToken\", refreshTokenId);\n  },\n});\n\n/**\n * Patch a refresh token document with partial data.\n *\n * Merges the provided fields into the existing refresh token document. This is\n * primarily used to record `firstUsedTime` when a refresh token is first\n * exchanged, marking it as consumed for replay detection.\n *\n * @param args.refreshTokenId - The document ID of the refresh token to update.\n * @param args.data - A partial object containing the fields to merge (e.g. `{ firstUsedTime: number }`).\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Mark the refresh token as used\n * await ctx.runMutation(\n *   component.identity.tokens.refreshTokenPatch,\n *   {\n *     refreshTokenId: token._id,\n *     data: { firstUsedTime: Date.now() },\n *   },\n * );\n * ```\n */\nexport const refreshTokenPatch = mutation({\n  args: { refreshTokenId: v.id(\"RefreshToken\"), data: v.any() },\n  returns: v.null(),\n  handler: async (ctx, { refreshTokenId, data }) => {\n    await ctx.db.patch(\"RefreshToken\", refreshTokenId, data);\n    return null;\n  },\n});\n\n/**\n * Get child tokens that were created by exchanging a specific parent token.\n *\n * Queries the `RefreshToken` table using the `session_id_parent_refresh_token_id`\n * index to find all tokens whose `parentRefreshTokenId` matches the provided\n * parent. This is used for replay detection: if a parent token has more than\n * one child, it indicates a potential token reuse attack.\n *\n * @param args.sessionId - The document ID of the session the tokens belong to.\n * @param args.parentRefreshTokenId - The document ID of the parent refresh token whose children to retrieve.\n * @returns An array of refresh token documents that were derived from the specified parent token.\n *\n * @example\n * ```ts\n * const children = await ctx.runQuery(\n *   component.identity.tokens.refreshTokenGetChildren,\n *   {\n *     sessionId: session._id,\n *     parentRefreshTokenId: parentToken._id,\n *   },\n * );\n * if (children.length > 1) {\n *   console.warn(\"Possible token reuse detected!\");\n * }\n * ```\n */\nexport const refreshTokenGetChildren = query({\n  args: {\n    sessionId: v.id(\"Session\"),\n    parentRefreshTokenId: v.id(\"RefreshToken\"),\n  },\n  returns: v.array(vRefreshTokenDoc),\n  handler: async (ctx, { sessionId, parentRefreshTokenId }) => {\n    return await ctx.db\n      .query(\"RefreshToken\")\n      .withIndex(\"session_id_parent_refresh_token_id\", (q) =>\n        q\n          .eq(\"sessionId\", sessionId as any)\n          .eq(\"parentRefreshTokenId\", parentRefreshTokenId as any),\n      )\n      .collect();\n  },\n});\n\n/**\n * List all refresh tokens belonging to a specific session.\n *\n * Queries the `RefreshToken` table using the `session_id_parent_refresh_token_id`\n * index to efficiently retrieve every refresh token associated with the given\n * session, including both active and consumed tokens.\n *\n * @param args.sessionId - The document ID of the session whose refresh tokens should be retrieved.\n * @returns An array of all refresh token documents for the specified session.\n *\n * @example\n * ```ts\n * const tokens = await ctx.runQuery(\n *   component.identity.tokens.refreshTokenListBySession,\n *   { sessionId: session._id },\n * );\n * console.log(`Session has ${tokens.length} refresh token(s)`);\n * ```\n */\nexport const refreshTokenListBySession = query({\n  args: { sessionId: v.id(\"Session\") },\n  returns: v.array(vRefreshTokenDoc),\n  handler: async (ctx, { sessionId }) => {\n    return await ctx.db\n      .query(\"RefreshToken\")\n      .withIndex(\"session_id_parent_refresh_token_id\", (q) =>\n        q.eq(\"sessionId\", sessionId as any),\n      )\n      .collect();\n  },\n});\n\n/**\n * Delete all refresh tokens for a session.\n *\n * Queries the `RefreshToken` table for all tokens belonging to the given session\n * and deletes them in parallel. This is typically called when a session is\n * revoked or when token reuse is detected, effectively invalidating the entire\n * token chain for that session.\n *\n * @param args.sessionId - The document ID of the session whose refresh tokens should be deleted.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Invalidate all tokens for a compromised session\n * await ctx.runMutation(\n *   component.identity.tokens.refreshTokenDeleteAll,\n *   { sessionId: session._id },\n * );\n * ```\n */\nexport const refreshTokenDeleteAll = mutation({\n  args: { sessionId: v.id(\"Session\") },\n  returns: v.null(),\n  handler: async (ctx, { sessionId }) => {\n    const tokens = await ctx.db\n      .query(\"RefreshToken\")\n      .withIndex(\"session_id_parent_refresh_token_id\", (q) =>\n        q.eq(\"sessionId\", sessionId as any),\n      )\n      .collect();\n    await Promise.all(\n      tokens.map((token) => ctx.db.delete(\"RefreshToken\", token._id)),\n    );\n    return null;\n  },\n});\n\n/**\n * Get the active (unused) refresh token for a session.\n *\n * Queries the `RefreshToken` table using the `session_id_first_used` index to\n * find the most recently created token for the session that has not yet been\n * exchanged (i.e. `firstUsedTime` is `undefined`). This represents the current\n * valid refresh token the client should be holding.\n *\n * @param args.sessionId - The document ID of the session whose active refresh token should be retrieved.\n * @returns The most recent unused refresh token document, or `null` if no active token exists\n *   (e.g. all tokens have been consumed or the session has no tokens).\n *\n * @example\n * ```ts\n * const activeToken = await ctx.runQuery(\n *   component.identity.tokens.refreshTokenGetActive,\n *   { sessionId: session._id },\n * );\n * if (activeToken !== null) {\n *   console.log(`Active token expires at: ${activeToken.expirationTime}`);\n * }\n * ```\n */\nexport const refreshTokenGetActive = query({\n  args: { sessionId: v.id(\"Session\") },\n  returns: v.union(vRefreshTokenDoc, v.null()),\n  handler: async (ctx, { sessionId }) => {\n    return await ctx.db\n      .query(\"RefreshToken\")\n      .withIndex(\"session_id_first_used\", (q) =>\n        q.eq(\"sessionId\", sessionId as any).eq(\"firstUsedTime\", undefined),\n      )\n      .order(\"desc\")\n      .first();\n  },\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BA,MAAa,qBAAqB,SAAS;CACzC,MAAM;EACJ,WAAW,EAAE,GAAG,UAAU;EAC1B,gBAAgB,EAAE,QAAQ;EAC1B,sBAAsB,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC;EACvD;CACD,SAAS,EAAE,GAAG,eAAe;CAC7B,SAAS,OAAO,KAAK,SAAS;AAC5B,SAAO,MAAM,IAAI,GAAG,OAAO,gBAAgB,KAAY;;CAE1D,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,sBAAsB,MAAM;CACvC,MAAM,EAAE,gBAAgB,EAAE,GAAG,eAAe,EAAE;CAC9C,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,qBAAqB;AAC1C,SAAO,MAAM,IAAI,GAAG,IAAI,gBAAgB,eAAe;;CAE1D,CAAC;;;;;;;;;;;;;;;;;;;;;;;;AAyBF,MAAa,oBAAoB,SAAS;CACxC,MAAM;EAAE,gBAAgB,EAAE,GAAG,eAAe;EAAE,MAAM,EAAE,KAAK;EAAE;CAC7D,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,gBAAgB,WAAW;AAChD,QAAM,IAAI,GAAG,MAAM,gBAAgB,gBAAgB,KAAK;AACxD,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4BF,MAAa,0BAA0B,MAAM;CAC3C,MAAM;EACJ,WAAW,EAAE,GAAG,UAAU;EAC1B,sBAAsB,EAAE,GAAG,eAAe;EAC3C;CACD,SAAS,EAAE,MAAM,iBAAiB;CAClC,SAAS,OAAO,KAAK,EAAE,WAAW,2BAA2B;AAC3D,SAAO,MAAM,IAAI,GACd,MAAM,eAAe,CACrB,UAAU,uCAAuC,MAChD,EACG,GAAG,aAAa,UAAiB,CACjC,GAAG,wBAAwB,qBAA4B,CAC3D,CACA,SAAS;;CAEf,CAAC;;;;;;;;;;;;;;;;;;;;AAqBF,MAAa,4BAA4B,MAAM;CAC7C,MAAM,EAAE,WAAW,EAAE,GAAG,UAAU,EAAE;CACpC,SAAS,EAAE,MAAM,iBAAiB;CAClC,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GACd,MAAM,eAAe,CACrB,UAAU,uCAAuC,MAChD,EAAE,GAAG,aAAa,UAAiB,CACpC,CACA,SAAS;;CAEf,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,wBAAwB,SAAS;CAC5C,MAAM,EAAE,WAAW,EAAE,GAAG,UAAU,EAAE;CACpC,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,gBAAgB;EACrC,MAAM,SAAS,MAAM,IAAI,GACtB,MAAM,eAAe,CACrB,UAAU,uCAAuC,MAChD,EAAE,GAAG,aAAa,UAAiB,CACpC,CACA,SAAS;AACZ,QAAM,QAAQ,IACZ,OAAO,KAAK,UAAU,IAAI,GAAG,OAAO,gBAAgB,MAAM,IAAI,CAAC,CAChE;AACD,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;;;;;AAyBF,MAAa,wBAAwB,MAAM;CACzC,MAAM,EAAE,WAAW,EAAE,GAAG,UAAU,EAAE;CACpC,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GACd,MAAM,eAAe,CACrB,UAAU,0BAA0B,MACnC,EAAE,GAAG,aAAa,UAAiB,CAAC,GAAG,iBAAiB,OAAU,CACnE,CACA,MAAM,OAAO,CACb,OAAO;;CAEb,CAAC"}

package/dist/component/public/identity/users.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"users.d.ts","names":[],"sources":["../../../../src/component/public/identity/users.ts"],"mappings":";;;;;;;;;;;;;;;;AA2CA;;;;;AA6FA;;;;;AA+BA;;;;;AAqCA;;;;;AAuCA;;;;;AAmCA;cA3Oa,QAAA;;;;AA8Qb;;;;;AA2BA;;;;;;;;;;;;cA5Ma,WAAA;;;;;;;;;;;;;;;;;;;;;;;;cA+BA,uBAAA;;;;;;;;;;;;;;;;;;;;;;;;cAqCA,uBAAA;;;;;;;;;;;;;;;;;;;;;;;;;;cAuCA,UAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAmCA,UAAA;;;;;;;;;;;;;;;;;;;;;;;;cAmCA,SAAA;;;;;;;;;;;;;;;;;;;cA2BA,UAAA"}
+{"version":3,"file":"users.d.ts","names":[],"sources":["../../../../src/component/public/identity/users.ts"],"mappings":";;;;;;;;;;;;;;;;AA4CA;;;;;AA6FA;;;;;AA+BA;;;;;AAqCA;;;;;AAuCA;;;;;AAmCA;cA3Oa,QAAA;;;;AA8Qb;;;;;AA2BA;;;;;;;;;;;;cA5Ma,WAAA;;;;;;;;;;;;;;;;;;;;;;;;cA+BA,uBAAA;;;;;;;;;;;;;;;;;;;;;;;;cAqCA,uBAAA;;;;;;;;;;;;;;;;;;;;;;;;;;cAuCA,UAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAmCA,UAAA;;;;;;;;;;;;;;;;;;;;;;;;cAmCA,SAAA;;;;;;;;;;;;;;;;;;;cA2BA,UAAA"}

package/dist/component/public/identity/users.js.map

@@ -1 +1 @@
-{"version":3,"file":"users.js","names":[],"sources":["../../../../src/component/public/identity/users.ts"],"sourcesContent":["import { v } from \"convex/values\";\nimport { mutation, query } from \"../../functions\";\nimport { vPaginated, vUserDoc } from \"../../model\";\n\n/**\n * List users with optional filtering, sorting, and cursor-based pagination.\n *\n * Supports filtering by `email`, `phone`, `isAnonymous`, and `name`. When an\n * `email` or `phone` filter is provided, the corresponding database index is\n * used for efficient lookup; other filters are applied in-memory. Results are\n * returned as a paginated response `{ items, nextCursor }` -- pass `nextCursor`\n * back as `cursor` to fetch the next page, or receive `null` when all results\n * have been exhausted.\n *\n * @param args.where - Optional filter object. Fields: `email` (exact match),\n *   `phone` (exact match), `isAnonymous` (boolean), `name` (exact match).\n * @param args.limit - Maximum number of users to return per page (1--100, default 50).\n * @param args.cursor - An opaque cursor string from a previous response's `nextCursor`\n *   to continue pagination, or `null` / omitted to start from the beginning.\n * @param args.orderBy - The field to sort results by. One of `\"_creationTime\"`,\n *   `\"name\"`, `\"email\"`, or `\"phone\"`. Defaults to `\"_creationTime\"`.\n * @param args.order - Sort direction: `\"asc\"` or `\"desc\"` (default `\"desc\"`).\n * @returns An object with `items` (array of user documents) and `nextCursor`\n *   (`string | null`) for fetching subsequent pages.\n *\n * @example\n * ```ts\n * // Fetch the first page of non-anonymous users\n * const page1 = await ctx.runQuery(\n *   component.identity.users.userList,\n *   { where: { isAnonymous: false }, limit: 20 },\n * );\n * console.log(page1.items);\n *\n * // Fetch the next page\n * if (page1.nextCursor !== null) {\n *   const page2 = await ctx.runQuery(\n *     component.identity.users.userList,\n *     { where: { isAnonymous: false }, limit: 20, cursor: page1.nextCursor },\n *   );\n * }\n * ```\n */\nexport const userList = query({\n  args: {\n    where: v.optional(\n      v.object({\n        email: v.optional(v.string()),\n        phone: v.optional(v.string()),\n        isAnonymous: v.optional(v.boolean()),\n        name: v.optional(v.string()),\n      }),\n    ),\n    limit: v.optional(v.number()),\n    cursor: v.optional(v.union(v.string(), v.null())),\n    orderBy: v.optional(\n      v.union(\n        v.literal(\"_creationTime\"),\n        v.literal(\"name\"),\n        v.literal(\"email\"),\n        v.literal(\"phone\"),\n      ),\n    ),\n    order: v.optional(v.union(v.literal(\"asc\"), v.literal(\"desc\"))),\n  },\n  returns: vPaginated(vUserDoc),\n  handler: async (ctx, args) => {\n    const where = args.where ?? {};\n    const limit = Math.min(Math.max(args.limit ?? 50, 1), 100);\n    const order = args.order ?? \"desc\";\n\n    // Pick index based on where fields\n    let q;\n    if (where.email !== undefined) {\n      q = ctx.db\n        .query(\"User\")\n        .withIndex(\"email\", (idx) => idx.eq(\"email\", where.email!));\n    } else if (where.phone !== undefined) {\n      q = ctx.db\n        .query(\"User\")\n        .withIndex(\"phone\", (idx) => idx.eq(\"phone\", where.phone!));\n    } else {\n      q = ctx.db.query(\"User\");\n    }\n\n    // Apply remaining filters\n    if (where.isAnonymous !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"isAnonymous\"), where.isAnonymous!));\n    }\n    if (where.name !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"name\"), where.name!));\n    }\n    // email/phone filters when not used as index\n    if (where.email !== undefined && where.phone !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"phone\"), where.phone!));\n    }\n\n    q = q.order(order);\n\n    // Cursor-based pagination: skip past the cursor ID\n    const all = await q.collect();\n    let startIdx = 0;\n    if (args.cursor) {\n      const cursorIdx = all.findIndex((doc) => doc._id === args.cursor);\n      if (cursorIdx !== -1) {\n        startIdx = cursorIdx + 1;\n      }\n    }\n    const page = all.slice(startIdx, startIdx + limit + 1);\n    const hasMore = page.length > limit;\n    const items = hasMore ? page.slice(0, limit) : page;\n    const nextCursor = hasMore ? items[items.length - 1]._id : null;\n    return { items, nextCursor };\n  },\n});\n\n/**\n * Retrieve a single user by their Convex document ID.\n *\n * Performs a direct point lookup on the `User` table. Returns `null` if the\n * user has been deleted or never existed.\n *\n * @param args.userId - The Convex document ID (`Id<\"User\">`) of the user to retrieve.\n * @returns The user document if it exists, or `null` otherwise.\n *\n * @example\n * ```ts\n * const user = await ctx.runQuery(\n *   component.identity.users.userGetById,\n *   { userId: session.userId },\n * );\n * if (user !== null) {\n *   console.log(`Name: ${user.name}, Email: ${user.email}`);\n * }\n * ```\n */\nexport const userGetById = query({\n  args: { userId: v.id(\"User\") },\n  returns: v.union(vUserDoc, v.null()),\n  handler: async (ctx, { userId }) => {\n    return await ctx.db.get(\"User\", userId);\n  },\n});\n\n/**\n * Find a user by their verified email address.\n *\n * Queries the `User` table using the `email_verified` index to locate users\n * whose `email` matches and whose `emailVerificationTime` is set. If exactly\n * one user is found, that document is returned. Returns `null` if no user has\n * this email verified or if multiple users share the same verified email\n * (an ambiguous state that should not occur in normal operation).\n *\n * @param args.email - The verified email address to search for (case-sensitive, exact match).\n * @returns The matching user document if exactly one verified user is found, or `null` otherwise.\n *\n * @example\n * ```ts\n * const user = await ctx.runQuery(\n *   component.identity.users.userFindByVerifiedEmail,\n *   { email: \"alice@example.com\" },\n * );\n * if (user !== null) {\n *   console.log(`Found verified user: ${user._id}`);\n * }\n * ```\n */\nexport const userFindByVerifiedEmail = query({\n  args: { email: v.string() },\n  returns: v.union(vUserDoc, v.null()),\n  handler: async (ctx, { email }) => {\n    const users = await ctx.db\n      .query(\"User\")\n      .withIndex(\"email_verified\", (q) =>\n        q.eq(\"email\", email).gt(\"emailVerificationTime\", undefined),\n      )\n      .take(2);\n    return users.length === 1 ? users[0] : null;\n  },\n});\n\n/**\n * Find a user by their verified phone number.\n *\n * Queries the `User` table using the `phone_verified` index to locate users\n * whose `phone` matches and whose `phoneVerificationTime` is set. If exactly\n * one user is found, that document is returned. Returns `null` if no user has\n * this phone verified or if multiple users share the same verified phone\n * (an ambiguous state that should not occur in normal operation).\n *\n * @param args.phone - The verified phone number to search for (exact match, e.g. `\"+15551234567\"`).\n * @returns The matching user document if exactly one verified user is found, or `null` otherwise.\n *\n * @example\n * ```ts\n * const user = await ctx.runQuery(\n *   component.identity.users.userFindByVerifiedPhone,\n *   { phone: \"+15551234567\" },\n * );\n * if (user !== null) {\n *   console.log(`Found verified user: ${user._id}`);\n * }\n * ```\n */\nexport const userFindByVerifiedPhone = query({\n  args: { phone: v.string() },\n  returns: v.union(vUserDoc, v.null()),\n  handler: async (ctx, { phone }) => {\n    const users = await ctx.db\n      .query(\"User\")\n      .withIndex(\"phone_verified\", (q) =>\n        q.eq(\"phone\", phone).gt(\"phoneVerificationTime\", undefined),\n      )\n      .take(2);\n    return users.length === 1 ? users[0] : null;\n  },\n});\n\n/**\n * Insert a new user document into the `User` table.\n *\n * Creates a brand-new user record. The `data` argument should conform to the\n * User table schema (e.g. `name`, `email`, `phone`, `isAnonymous`, `image`,\n * `extend`), but is typed as `any` to allow flexible extension.\n *\n * @param args.data - The user document fields to insert. Typically includes `name`,\n *   `email`, `isAnonymous`, and any custom fields under `extend`.\n * @returns The document ID of the newly created user.\n *\n * @example\n * ```ts\n * const userId = await ctx.runMutation(\n *   component.identity.users.userInsert,\n *   {\n *     data: {\n *       name: \"Alice\",\n *       email: \"alice@example.com\",\n *       isAnonymous: false,\n *     },\n *   },\n * );\n * ```\n */\nexport const userInsert = mutation({\n  args: { data: v.any() },\n  returns: v.id(\"User\"),\n  handler: async (ctx, { data }) => {\n    return await ctx.db.insert(\"User\", data);\n  },\n});\n\n/**\n * Insert a new user or update an existing one (upsert).\n *\n * When `userId` is provided and refers to an existing user, the document is\n * patched with the supplied `data` and the same `userId` is returned. When\n * `userId` is omitted or `undefined`, a new user document is inserted and its\n * generated ID is returned. This is the primary mechanism used during sign-in\n * flows to either create or refresh user profile data.\n *\n * @param args.userId - The document ID of an existing user to update. If `undefined`,\n *   a new user is created instead.\n * @param args.data - The user document fields to insert or merge. Accepts the same\n *   shape as the User table schema.\n * @returns The document ID of the created or updated user.\n *\n * @example\n * ```ts\n * // Create a new user if none exists, or update the existing one\n * const userId = await ctx.runMutation(\n *   component.identity.users.userUpsert,\n *   {\n *     userId: existingUserId ?? undefined,\n *     data: { name: \"Alice\", email: \"alice@example.com\" },\n *   },\n * );\n * ```\n */\nexport const userUpsert = mutation({\n  args: { userId: v.optional(v.id(\"User\")), data: v.any() },\n  returns: v.id(\"User\"),\n  handler: async (ctx, { userId, data }) => {\n    if (userId !== undefined) {\n      await ctx.db.patch(\"User\", userId, data);\n      return userId;\n    }\n    return await ctx.db.insert(\"User\", data);\n  },\n});\n\n/**\n * Patch an existing user document with partial data.\n *\n * Merges the provided fields into the existing user document. Fields not\n * included in `data` are left unchanged. Useful for updating profile\n * information such as `name`, `email`, or custom `extend` fields without\n * overwriting the entire document.\n *\n * @param args.userId - The document ID of the user to update.\n * @param args.data - A partial object containing the fields to merge into the user document.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * await ctx.runMutation(\n *   component.identity.users.userPatch,\n *   {\n *     userId: user._id,\n *     data: { name: \"Alice Smith\", image: \"https://example.com/avatar.png\" },\n *   },\n * );\n * ```\n */\nexport const userPatch = mutation({\n  args: { userId: v.id(\"User\"), data: v.any() },\n  returns: v.null(),\n  handler: async (ctx, { userId, data }) => {\n    await ctx.db.patch(\"User\", userId, data);\n    return null;\n  },\n});\n\n/**\n * Delete a user document by ID.\n *\n * Removes the user from the `User` table. This is a no-op if the user does not\n * exist (i.e. was already deleted). Callers should ensure that related resources\n * such as accounts, sessions, and refresh tokens are cleaned up separately.\n *\n * @param args.userId - The document ID of the user to delete.\n * @returns `null` on success (including when the user was already absent).\n *\n * @example\n * ```ts\n * await ctx.runMutation(\n *   component.identity.users.userDelete,\n *   { userId: user._id },\n * );\n * ```\n */\nexport const userDelete = mutation({\n  args: { userId: v.id(\"User\") },\n  returns: v.null(),\n  handler: async (ctx, { userId }) => {\n    if ((await ctx.db.get(\"User\", userId)) !== null) {\n      await ctx.db.delete(\"User\", userId);\n    }\n    return null;\n  },\n});\n\n// ============================================================================\n// Accounts\n// ============================================================================\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2CA,MAAa,WAAW,MAAM;CAC5B,MAAM;EACJ,OAAO,EAAE,SACP,EAAE,OAAO;GACP,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC7B,aAAa,EAAE,SAAS,EAAE,SAAS,CAAC;GACpC,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC7B,CAAC,CACH;EACD,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,CAAC;EACjD,SAAS,EAAE,SACT,EAAE,MACA,EAAE,QAAQ,gBAAgB,EAC1B,EAAE,QAAQ,OAAO,EACjB,EAAE,QAAQ,QAAQ,EAClB,EAAE,QAAQ,QAAQ,CACnB,CACF;EACD,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC;EAChE;CACD,SAAS,WAAW,SAAS;CAC7B,SAAS,OAAO,KAAK,SAAS;EAC5B,MAAM,QAAQ,KAAK,SAAS,EAAE;EAC9B,MAAM,QAAQ,KAAK,IAAI,KAAK,IAAI,KAAK,SAAS,IAAI,EAAE,EAAE,IAAI;EAC1D,MAAM,QAAQ,KAAK,SAAS;EAG5B,IAAI;AACJ,MAAI,MAAM,UAAU,OAClB,KAAI,IAAI,GACL,MAAM,OAAO,CACb,UAAU,UAAU,QAAQ,IAAI,GAAG,SAAS,MAAM,MAAO,CAAC;WACpD,MAAM,UAAU,OACzB,KAAI,IAAI,GACL,MAAM,OAAO,CACb,UAAU,UAAU,QAAQ,IAAI,GAAG,SAAS,MAAM,MAAO,CAAC;MAE7D,KAAI,IAAI,GAAG,MAAM,OAAO;AAI1B,MAAI,MAAM,gBAAgB,OACxB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,cAAc,EAAE,MAAM,YAAa,CAAC;AAEvE,MAAI,MAAM,SAAS,OACjB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,OAAO,EAAE,MAAM,KAAM,CAAC;AAGzD,MAAI,MAAM,UAAU,UAAa,MAAM,UAAU,OAC/C,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,QAAQ,EAAE,MAAM,MAAO,CAAC;AAG3D,MAAI,EAAE,MAAM,MAAM;EAGlB,MAAM,MAAM,MAAM,EAAE,SAAS;EAC7B,IAAI,WAAW;AACf,MAAI,KAAK,QAAQ;GACf,MAAM,YAAY,IAAI,WAAW,QAAQ,IAAI,QAAQ,KAAK,OAAO;AACjE,OAAI,cAAc,GAChB,YAAW,YAAY;;EAG3B,MAAM,OAAO,IAAI,MAAM,UAAU,WAAW,QAAQ,EAAE;EACtD,MAAM,UAAU,KAAK,SAAS;EAC9B,MAAM,QAAQ,UAAU,KAAK,MAAM,GAAG,MAAM,GAAG;AAE/C,SAAO;GAAE;GAAO,YADG,UAAU,MAAM,MAAM,SAAS,GAAG,MAAM;GAC/B;;CAE/B,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,cAAc,MAAM;CAC/B,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,EAAE;CAC9B,SAAS,EAAE,MAAM,UAAU,EAAE,MAAM,CAAC;CACpC,SAAS,OAAO,KAAK,EAAE,aAAa;AAClC,SAAO,MAAM,IAAI,GAAG,IAAI,QAAQ,OAAO;;CAE1C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;AAyBF,MAAa,0BAA0B,MAAM;CAC3C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE;CAC3B,SAAS,EAAE,MAAM,UAAU,EAAE,MAAM,CAAC;CACpC,SAAS,OAAO,KAAK,EAAE,YAAY;EACjC,MAAM,QAAQ,MAAM,IAAI,GACrB,MAAM,OAAO,CACb,UAAU,mBAAmB,MAC5B,EAAE,GAAG,SAAS,MAAM,CAAC,GAAG,yBAAyB,OAAU,CAC5D,CACA,KAAK,EAAE;AACV,SAAO,MAAM,WAAW,IAAI,MAAM,KAAK;;CAE1C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;AAyBF,MAAa,0BAA0B,MAAM;CAC3C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE;CAC3B,SAAS,EAAE,MAAM,UAAU,EAAE,MAAM,CAAC;CACpC,SAAS,OAAO,KAAK,EAAE,YAAY;EACjC,MAAM,QAAQ,MAAM,IAAI,GACrB,MAAM,OAAO,CACb,UAAU,mBAAmB,MAC5B,EAAE,GAAG,SAAS,MAAM,CAAC,GAAG,yBAAyB,OAAU,CAC5D,CACA,KAAK,EAAE;AACV,SAAO,MAAM,WAAW,IAAI,MAAM,KAAK;;CAE1C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BF,MAAa,aAAa,SAAS;CACjC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;CACvB,SAAS,EAAE,GAAG,OAAO;CACrB,SAAS,OAAO,KAAK,EAAE,WAAW;AAChC,SAAO,MAAM,IAAI,GAAG,OAAO,QAAQ,KAAK;;CAE3C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BF,MAAa,aAAa,SAAS;CACjC,MAAM;EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAAE,MAAM,EAAE,KAAK;EAAE;CACzD,SAAS,EAAE,GAAG,OAAO;CACrB,SAAS,OAAO,KAAK,EAAE,QAAQ,WAAW;AACxC,MAAI,WAAW,QAAW;AACxB,SAAM,IAAI,GAAG,MAAM,QAAQ,QAAQ,KAAK;AACxC,UAAO;;AAET,SAAO,MAAM,IAAI,GAAG,OAAO,QAAQ,KAAK;;CAE3C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;AAyBF,MAAa,YAAY,SAAS;CAChC,MAAM;EAAE,QAAQ,EAAE,GAAG,OAAO;EAAE,MAAM,EAAE,KAAK;EAAE;CAC7C,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,QAAQ,WAAW;AACxC,QAAM,IAAI,GAAG,MAAM,QAAQ,QAAQ,KAAK;AACxC,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;AAoBF,MAAa,aAAa,SAAS;CACjC,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,EAAE;CAC9B,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,aAAa;AAClC,MAAK,MAAM,IAAI,GAAG,IAAI,QAAQ,OAAO,KAAM,KACzC,OAAM,IAAI,GAAG,OAAO,QAAQ,OAAO;AAErC,SAAO;;CAEV,CAAC"}
+{"version":3,"file":"users.js","names":[],"sources":["../../../../src/component/public/identity/users.ts"],"sourcesContent":["import { v } from \"convex/values\";\n\nimport { mutation, query } from \"../../functions\";\nimport { vPaginated, vUserDoc } from \"../../model\";\n\n/**\n * List users with optional filtering, sorting, and cursor-based pagination.\n *\n * Supports filtering by `email`, `phone`, `isAnonymous`, and `name`. When an\n * `email` or `phone` filter is provided, the corresponding database index is\n * used for efficient lookup; other filters are applied in-memory. Results are\n * returned as a paginated response `{ items, nextCursor }` -- pass `nextCursor`\n * back as `cursor` to fetch the next page, or receive `null` when all results\n * have been exhausted.\n *\n * @param args.where - Optional filter object. Fields: `email` (exact match),\n *   `phone` (exact match), `isAnonymous` (boolean), `name` (exact match).\n * @param args.limit - Maximum number of users to return per page (1--100, default 50).\n * @param args.cursor - An opaque cursor string from a previous response's `nextCursor`\n *   to continue pagination, or `null` / omitted to start from the beginning.\n * @param args.orderBy - The field to sort results by. One of `\"_creationTime\"`,\n *   `\"name\"`, `\"email\"`, or `\"phone\"`. Defaults to `\"_creationTime\"`.\n * @param args.order - Sort direction: `\"asc\"` or `\"desc\"` (default `\"desc\"`).\n * @returns An object with `items` (array of user documents) and `nextCursor`\n *   (`string | null`) for fetching subsequent pages.\n *\n * @example\n * ```ts\n * // Fetch the first page of non-anonymous users\n * const page1 = await ctx.runQuery(\n *   component.identity.users.userList,\n *   { where: { isAnonymous: false }, limit: 20 },\n * );\n * console.log(page1.items);\n *\n * // Fetch the next page\n * if (page1.nextCursor !== null) {\n *   const page2 = await ctx.runQuery(\n *     component.identity.users.userList,\n *     { where: { isAnonymous: false }, limit: 20, cursor: page1.nextCursor },\n *   );\n * }\n * ```\n */\nexport const userList = query({\n  args: {\n    where: v.optional(\n      v.object({\n        email: v.optional(v.string()),\n        phone: v.optional(v.string()),\n        isAnonymous: v.optional(v.boolean()),\n        name: v.optional(v.string()),\n      }),\n    ),\n    limit: v.optional(v.number()),\n    cursor: v.optional(v.union(v.string(), v.null())),\n    orderBy: v.optional(\n      v.union(\n        v.literal(\"_creationTime\"),\n        v.literal(\"name\"),\n        v.literal(\"email\"),\n        v.literal(\"phone\"),\n      ),\n    ),\n    order: v.optional(v.union(v.literal(\"asc\"), v.literal(\"desc\"))),\n  },\n  returns: vPaginated(vUserDoc),\n  handler: async (ctx, args) => {\n    const where = args.where ?? {};\n    const limit = Math.min(Math.max(args.limit ?? 50, 1), 100);\n    const order = args.order ?? \"desc\";\n\n    // Pick index based on where fields\n    let q;\n    if (where.email !== undefined) {\n      q = ctx.db\n        .query(\"User\")\n        .withIndex(\"email\", (idx) => idx.eq(\"email\", where.email!));\n    } else if (where.phone !== undefined) {\n      q = ctx.db\n        .query(\"User\")\n        .withIndex(\"phone\", (idx) => idx.eq(\"phone\", where.phone!));\n    } else {\n      q = ctx.db.query(\"User\");\n    }\n\n    // Apply remaining filters\n    if (where.isAnonymous !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"isAnonymous\"), where.isAnonymous!));\n    }\n    if (where.name !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"name\"), where.name!));\n    }\n    // email/phone filters when not used as index\n    if (where.email !== undefined && where.phone !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"phone\"), where.phone!));\n    }\n\n    q = q.order(order);\n\n    // Cursor-based pagination: skip past the cursor ID\n    const all = await q.collect();\n    let startIdx = 0;\n    if (args.cursor) {\n      const cursorIdx = all.findIndex((doc) => doc._id === args.cursor);\n      if (cursorIdx !== -1) {\n        startIdx = cursorIdx + 1;\n      }\n    }\n    const page = all.slice(startIdx, startIdx + limit + 1);\n    const hasMore = page.length > limit;\n    const items = hasMore ? page.slice(0, limit) : page;\n    const nextCursor = hasMore ? items[items.length - 1]._id : null;\n    return { items, nextCursor };\n  },\n});\n\n/**\n * Retrieve a single user by their Convex document ID.\n *\n * Performs a direct point lookup on the `User` table. Returns `null` if the\n * user has been deleted or never existed.\n *\n * @param args.userId - The Convex document ID (`Id<\"User\">`) of the user to retrieve.\n * @returns The user document if it exists, or `null` otherwise.\n *\n * @example\n * ```ts\n * const user = await ctx.runQuery(\n *   component.identity.users.userGetById,\n *   { userId: session.userId },\n * );\n * if (user !== null) {\n *   console.log(`Name: ${user.name}, Email: ${user.email}`);\n * }\n * ```\n */\nexport const userGetById = query({\n  args: { userId: v.id(\"User\") },\n  returns: v.union(vUserDoc, v.null()),\n  handler: async (ctx, { userId }) => {\n    return await ctx.db.get(\"User\", userId);\n  },\n});\n\n/**\n * Find a user by their verified email address.\n *\n * Queries the `User` table using the `email_verified` index to locate users\n * whose `email` matches and whose `emailVerificationTime` is set. If exactly\n * one user is found, that document is returned. Returns `null` if no user has\n * this email verified or if multiple users share the same verified email\n * (an ambiguous state that should not occur in normal operation).\n *\n * @param args.email - The verified email address to search for (case-sensitive, exact match).\n * @returns The matching user document if exactly one verified user is found, or `null` otherwise.\n *\n * @example\n * ```ts\n * const user = await ctx.runQuery(\n *   component.identity.users.userFindByVerifiedEmail,\n *   { email: \"alice@example.com\" },\n * );\n * if (user !== null) {\n *   console.log(`Found verified user: ${user._id}`);\n * }\n * ```\n */\nexport const userFindByVerifiedEmail = query({\n  args: { email: v.string() },\n  returns: v.union(vUserDoc, v.null()),\n  handler: async (ctx, { email }) => {\n    const users = await ctx.db\n      .query(\"User\")\n      .withIndex(\"email_verified\", (q) =>\n        q.eq(\"email\", email).gt(\"emailVerificationTime\", undefined),\n      )\n      .take(2);\n    return users.length === 1 ? users[0] : null;\n  },\n});\n\n/**\n * Find a user by their verified phone number.\n *\n * Queries the `User` table using the `phone_verified` index to locate users\n * whose `phone` matches and whose `phoneVerificationTime` is set. If exactly\n * one user is found, that document is returned. Returns `null` if no user has\n * this phone verified or if multiple users share the same verified phone\n * (an ambiguous state that should not occur in normal operation).\n *\n * @param args.phone - The verified phone number to search for (exact match, e.g. `\"+15551234567\"`).\n * @returns The matching user document if exactly one verified user is found, or `null` otherwise.\n *\n * @example\n * ```ts\n * const user = await ctx.runQuery(\n *   component.identity.users.userFindByVerifiedPhone,\n *   { phone: \"+15551234567\" },\n * );\n * if (user !== null) {\n *   console.log(`Found verified user: ${user._id}`);\n * }\n * ```\n */\nexport const userFindByVerifiedPhone = query({\n  args: { phone: v.string() },\n  returns: v.union(vUserDoc, v.null()),\n  handler: async (ctx, { phone }) => {\n    const users = await ctx.db\n      .query(\"User\")\n      .withIndex(\"phone_verified\", (q) =>\n        q.eq(\"phone\", phone).gt(\"phoneVerificationTime\", undefined),\n      )\n      .take(2);\n    return users.length === 1 ? users[0] : null;\n  },\n});\n\n/**\n * Insert a new user document into the `User` table.\n *\n * Creates a brand-new user record. The `data` argument should conform to the\n * User table schema (e.g. `name`, `email`, `phone`, `isAnonymous`, `image`,\n * `extend`), but is typed as `any` to allow flexible extension.\n *\n * @param args.data - The user document fields to insert. Typically includes `name`,\n *   `email`, `isAnonymous`, and any custom fields under `extend`.\n * @returns The document ID of the newly created user.\n *\n * @example\n * ```ts\n * const userId = await ctx.runMutation(\n *   component.identity.users.userInsert,\n *   {\n *     data: {\n *       name: \"Alice\",\n *       email: \"alice@example.com\",\n *       isAnonymous: false,\n *     },\n *   },\n * );\n * ```\n */\nexport const userInsert = mutation({\n  args: { data: v.any() },\n  returns: v.id(\"User\"),\n  handler: async (ctx, { data }) => {\n    return await ctx.db.insert(\"User\", data);\n  },\n});\n\n/**\n * Insert a new user or update an existing one (upsert).\n *\n * When `userId` is provided and refers to an existing user, the document is\n * patched with the supplied `data` and the same `userId` is returned. When\n * `userId` is omitted or `undefined`, a new user document is inserted and its\n * generated ID is returned. This is the primary mechanism used during sign-in\n * flows to either create or refresh user profile data.\n *\n * @param args.userId - The document ID of an existing user to update. If `undefined`,\n *   a new user is created instead.\n * @param args.data - The user document fields to insert or merge. Accepts the same\n *   shape as the User table schema.\n * @returns The document ID of the created or updated user.\n *\n * @example\n * ```ts\n * // Create a new user if none exists, or update the existing one\n * const userId = await ctx.runMutation(\n *   component.identity.users.userUpsert,\n *   {\n *     userId: existingUserId ?? undefined,\n *     data: { name: \"Alice\", email: \"alice@example.com\" },\n *   },\n * );\n * ```\n */\nexport const userUpsert = mutation({\n  args: { userId: v.optional(v.id(\"User\")), data: v.any() },\n  returns: v.id(\"User\"),\n  handler: async (ctx, { userId, data }) => {\n    if (userId !== undefined) {\n      await ctx.db.patch(\"User\", userId, data);\n      return userId;\n    }\n    return await ctx.db.insert(\"User\", data);\n  },\n});\n\n/**\n * Patch an existing user document with partial data.\n *\n * Merges the provided fields into the existing user document. Fields not\n * included in `data` are left unchanged. Useful for updating profile\n * information such as `name`, `email`, or custom `extend` fields without\n * overwriting the entire document.\n *\n * @param args.userId - The document ID of the user to update.\n * @param args.data - A partial object containing the fields to merge into the user document.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * await ctx.runMutation(\n *   component.identity.users.userPatch,\n *   {\n *     userId: user._id,\n *     data: { name: \"Alice Smith\", image: \"https://example.com/avatar.png\" },\n *   },\n * );\n * ```\n */\nexport const userPatch = mutation({\n  args: { userId: v.id(\"User\"), data: v.any() },\n  returns: v.null(),\n  handler: async (ctx, { userId, data }) => {\n    await ctx.db.patch(\"User\", userId, data);\n    return null;\n  },\n});\n\n/**\n * Delete a user document by ID.\n *\n * Removes the user from the `User` table. This is a no-op if the user does not\n * exist (i.e. was already deleted). Callers should ensure that related resources\n * such as accounts, sessions, and refresh tokens are cleaned up separately.\n *\n * @param args.userId - The document ID of the user to delete.\n * @returns `null` on success (including when the user was already absent).\n *\n * @example\n * ```ts\n * await ctx.runMutation(\n *   component.identity.users.userDelete,\n *   { userId: user._id },\n * );\n * ```\n */\nexport const userDelete = mutation({\n  args: { userId: v.id(\"User\") },\n  returns: v.null(),\n  handler: async (ctx, { userId }) => {\n    if ((await ctx.db.get(\"User\", userId)) !== null) {\n      await ctx.db.delete(\"User\", userId);\n    }\n    return null;\n  },\n});\n\n// ============================================================================\n// Accounts\n// ============================================================================\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4CA,MAAa,WAAW,MAAM;CAC5B,MAAM;EACJ,OAAO,EAAE,SACP,EAAE,OAAO;GACP,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC7B,aAAa,EAAE,SAAS,EAAE,SAAS,CAAC;GACpC,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC7B,CAAC,CACH;EACD,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,CAAC;EACjD,SAAS,EAAE,SACT,EAAE,MACA,EAAE,QAAQ,gBAAgB,EAC1B,EAAE,QAAQ,OAAO,EACjB,EAAE,QAAQ,QAAQ,EAClB,EAAE,QAAQ,QAAQ,CACnB,CACF;EACD,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC;EAChE;CACD,SAAS,WAAW,SAAS;CAC7B,SAAS,OAAO,KAAK,SAAS;EAC5B,MAAM,QAAQ,KAAK,SAAS,EAAE;EAC9B,MAAM,QAAQ,KAAK,IAAI,KAAK,IAAI,KAAK,SAAS,IAAI,EAAE,EAAE,IAAI;EAC1D,MAAM,QAAQ,KAAK,SAAS;EAG5B,IAAI;AACJ,MAAI,MAAM,UAAU,OAClB,KAAI,IAAI,GACL,MAAM,OAAO,CACb,UAAU,UAAU,QAAQ,IAAI,GAAG,SAAS,MAAM,MAAO,CAAC;WACpD,MAAM,UAAU,OACzB,KAAI,IAAI,GACL,MAAM,OAAO,CACb,UAAU,UAAU,QAAQ,IAAI,GAAG,SAAS,MAAM,MAAO,CAAC;MAE7D,KAAI,IAAI,GAAG,MAAM,OAAO;AAI1B,MAAI,MAAM,gBAAgB,OACxB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,cAAc,EAAE,MAAM,YAAa,CAAC;AAEvE,MAAI,MAAM,SAAS,OACjB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,OAAO,EAAE,MAAM,KAAM,CAAC;AAGzD,MAAI,MAAM,UAAU,UAAa,MAAM,UAAU,OAC/C,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,QAAQ,EAAE,MAAM,MAAO,CAAC;AAG3D,MAAI,EAAE,MAAM,MAAM;EAGlB,MAAM,MAAM,MAAM,EAAE,SAAS;EAC7B,IAAI,WAAW;AACf,MAAI,KAAK,QAAQ;GACf,MAAM,YAAY,IAAI,WAAW,QAAQ,IAAI,QAAQ,KAAK,OAAO;AACjE,OAAI,cAAc,GAChB,YAAW,YAAY;;EAG3B,MAAM,OAAO,IAAI,MAAM,UAAU,WAAW,QAAQ,EAAE;EACtD,MAAM,UAAU,KAAK,SAAS;EAC9B,MAAM,QAAQ,UAAU,KAAK,MAAM,GAAG,MAAM,GAAG;AAE/C,SAAO;GAAE;GAAO,YADG,UAAU,MAAM,MAAM,SAAS,GAAG,MAAM;GAC/B;;CAE/B,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,cAAc,MAAM;CAC/B,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,EAAE;CAC9B,SAAS,EAAE,MAAM,UAAU,EAAE,MAAM,CAAC;CACpC,SAAS,OAAO,KAAK,EAAE,aAAa;AAClC,SAAO,MAAM,IAAI,GAAG,IAAI,QAAQ,OAAO;;CAE1C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;AAyBF,MAAa,0BAA0B,MAAM;CAC3C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE;CAC3B,SAAS,EAAE,MAAM,UAAU,EAAE,MAAM,CAAC;CACpC,SAAS,OAAO,KAAK,EAAE,YAAY;EACjC,MAAM,QAAQ,MAAM,IAAI,GACrB,MAAM,OAAO,CACb,UAAU,mBAAmB,MAC5B,EAAE,GAAG,SAAS,MAAM,CAAC,GAAG,yBAAyB,OAAU,CAC5D,CACA,KAAK,EAAE;AACV,SAAO,MAAM,WAAW,IAAI,MAAM,KAAK;;CAE1C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;AAyBF,MAAa,0BAA0B,MAAM;CAC3C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE;CAC3B,SAAS,EAAE,MAAM,UAAU,EAAE,MAAM,CAAC;CACpC,SAAS,OAAO,KAAK,EAAE,YAAY;EACjC,MAAM,QAAQ,MAAM,IAAI,GACrB,MAAM,OAAO,CACb,UAAU,mBAAmB,MAC5B,EAAE,GAAG,SAAS,MAAM,CAAC,GAAG,yBAAyB,OAAU,CAC5D,CACA,KAAK,EAAE;AACV,SAAO,MAAM,WAAW,IAAI,MAAM,KAAK;;CAE1C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BF,MAAa,aAAa,SAAS;CACjC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;CACvB,SAAS,EAAE,GAAG,OAAO;CACrB,SAAS,OAAO,KAAK,EAAE,WAAW;AAChC,SAAO,MAAM,IAAI,GAAG,OAAO,QAAQ,KAAK;;CAE3C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BF,MAAa,aAAa,SAAS;CACjC,MAAM;EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAAE,MAAM,EAAE,KAAK;EAAE;CACzD,SAAS,EAAE,GAAG,OAAO;CACrB,SAAS,OAAO,KAAK,EAAE,QAAQ,WAAW;AACxC,MAAI,WAAW,QAAW;AACxB,SAAM,IAAI,GAAG,MAAM,QAAQ,QAAQ,KAAK;AACxC,UAAO;;AAET,SAAO,MAAM,IAAI,GAAG,OAAO,QAAQ,KAAK;;CAE3C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;AAyBF,MAAa,YAAY,SAAS;CAChC,MAAM;EAAE,QAAQ,EAAE,GAAG,OAAO;EAAE,MAAM,EAAE,KAAK;EAAE;CAC7C,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,QAAQ,WAAW;AACxC,QAAM,IAAI,GAAG,MAAM,QAAQ,QAAQ,KAAK;AACxC,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;AAoBF,MAAa,aAAa,SAAS;CACjC,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,EAAE;CAC9B,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,aAAa;AAClC,MAAK,MAAM,IAAI,GAAG,IAAI,QAAQ,OAAO,KAAM,KACzC,OAAM,IAAI,GAAG,OAAO,QAAQ,OAAO;AAErC,SAAO;;CAEV,CAAC"}

package/dist/component/public/identity/verifiers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifiers.d.ts","names":[],"sources":["../../../../src/component/public/identity/verifiers.ts"],"mappings":";;;;;;;;;;;;;AAwBA;;;;;AA4BA;;;;;cA5Ba,cAAA;;;;;AA6Fb;;;;;AA4BA;;;;;;;;;;;cA7Fa,eAAA;;;;;;;;;;;;;;;;;;;;;;;cA8BA,sBAAA;;;;;;;;;;;;;;;;;;;;;;;;;cAmCA,aAAA;;;;;;;;;;;;;;;;;;;;cA4BA,cAAA"}
+{"version":3,"file":"verifiers.d.ts","names":[],"sources":["../../../../src/component/public/identity/verifiers.ts"],"mappings":";;;;;;;;;;;;;AAyBA;;;;;AA4BA;;;;;cA5Ba,cAAA;;;;;AA6Fb;;;;;AA4BA;;;;;;;;;;;cA7Fa,eAAA;;;;;;;;;;;;;;;;;;;;;;;cA8BA,sBAAA;;;;;;;;;;;;;;;;;;;;;;;;;cAmCA,aAAA;;;;;;;;;;;;;;;;;;;;cA4BA,cAAA"}

package/dist/component/public/identity/verifiers.js.map

@@ -1 +1 @@
-{"version":3,"file":"verifiers.js","names":[],"sources":["../../../../src/component/public/identity/verifiers.ts"],"sourcesContent":["import { v } from \"convex/values\";\nimport { mutation, query } from \"../../functions\";\nimport { vAuthVerifierDoc } from \"../../model\";\n\n/**\n * Create a new PKCE verifier, optionally linked to a session.\n *\n * Inserts a document into the `AuthVerifier` table. Verifiers are used during\n * OAuth/OIDC flows to implement the PKCE (Proof Key for Code Exchange) pattern,\n * preventing authorization code interception attacks. The verifier can optionally\n * be linked to an existing session for session-aware flows.\n *\n * @param args.sessionId - An optional session document ID to associate with the verifier.\n *   When provided, the verifier is scoped to the given session.\n * @returns The document ID of the newly created verifier.\n *\n * @example\n * ```ts\n * const verifierId = await ctx.runMutation(\n *   component.identity.verifiers.verifierCreate,\n *   { sessionId: session._id },\n * );\n * ```\n */\nexport const verifierCreate = mutation({\n  args: { sessionId: v.optional(v.id(\"Session\")) },\n  returns: v.id(\"AuthVerifier\"),\n  handler: async (ctx, { sessionId }) => {\n    return await ctx.db.insert(\"AuthVerifier\", { sessionId: sessionId as any });\n  },\n});\n\n/**\n * Retrieve a single verifier by its Convex document ID.\n *\n * Performs a direct point lookup on the `AuthVerifier` table. Returns `null` if\n * the verifier has been deleted or never existed.\n *\n * @param args.verifierId - The Convex document ID (`Id<\"AuthVerifier\">`) of the verifier to retrieve.\n * @returns The verifier document if it exists, or `null` otherwise.\n *\n * @example\n * ```ts\n * const verifier = await ctx.runQuery(\n *   component.identity.verifiers.verifierGetById,\n *   { verifierId: storedVerifierId },\n * );\n * if (verifier !== null) {\n *   console.log(`Verifier signature: ${verifier.signature}`);\n * }\n * ```\n */\nexport const verifierGetById = query({\n  args: { verifierId: v.id(\"AuthVerifier\") },\n  returns: v.union(vAuthVerifierDoc, v.null()),\n  handler: async (ctx, { verifierId }) => {\n    return await ctx.db.get(\"AuthVerifier\", verifierId);\n  },\n});\n\n/**\n * Look up a verifier by its cryptographic signature.\n *\n * Queries the `AuthVerifier` table using the `signature` index to find the\n * unique verifier matching the given signature string. This is the primary\n * lookup used during the OAuth callback phase to correlate the incoming\n * authorization response with the original PKCE challenge.\n *\n * @param args.signature - The cryptographic signature string to search for (exact match).\n * @returns The matching verifier document, or `null` if no verifier has the given signature.\n *\n * @example\n * ```ts\n * const verifier = await ctx.runQuery(\n *   component.identity.verifiers.verifierGetBySignature,\n *   { signature: incomingStateParam },\n * );\n * if (verifier === null) {\n *   throw new Error(\"Invalid or expired OAuth state\");\n * }\n * ```\n */\nexport const verifierGetBySignature = query({\n  args: { signature: v.string() },\n  returns: v.union(vAuthVerifierDoc, v.null()),\n  handler: async (ctx, { signature }) => {\n    return await ctx.db\n      .query(\"AuthVerifier\")\n      .withIndex(\"signature\", (q) => q.eq(\"signature\", signature))\n      .unique();\n  },\n});\n\n/**\n * Patch a verifier document with partial data.\n *\n * Merges the provided fields into the existing verifier document. This is\n * typically used to set the `signature` field after the verifier is initially\n * created, or to associate a `sessionId` with an existing verifier.\n *\n * @param args.verifierId - The document ID of the verifier to update.\n * @param args.data - A partial object containing the fields to merge into the verifier document\n *   (e.g. `{ signature: string }` or `{ sessionId: Id<\"Session\"> }`).\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Set the PKCE signature on the verifier\n * await ctx.runMutation(\n *   component.identity.verifiers.verifierPatch,\n *   {\n *     verifierId: verifier._id,\n *     data: { signature: generatedSignature },\n *   },\n * );\n * ```\n */\nexport const verifierPatch = mutation({\n  args: { verifierId: v.id(\"AuthVerifier\"), data: v.any() },\n  returns: v.null(),\n  handler: async (ctx, { verifierId, data }) => {\n    await ctx.db.patch(\"AuthVerifier\", verifierId, data);\n    return null;\n  },\n});\n\n/**\n * Delete a verifier document permanently.\n *\n * Removes the verifier from the `AuthVerifier` table. This is typically called\n * after a successful OAuth callback to clean up the consumed PKCE state, or\n * to expire stale verifiers that were never completed.\n *\n * @param args.verifierId - The document ID of the verifier to delete.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Clean up the verifier after a successful OAuth exchange\n * await ctx.runMutation(\n *   component.identity.verifiers.verifierDelete,\n *   { verifierId: verifier._id },\n * );\n * ```\n */\nexport const verifierDelete = mutation({\n  args: { verifierId: v.id(\"AuthVerifier\") },\n  returns: v.null(),\n  handler: async (ctx, { verifierId }) => {\n    await ctx.db.delete(\"AuthVerifier\", verifierId);\n    return null;\n  },\n});\n\n// ============================================================================\n// Verification Codes\n// ============================================================================\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAwBA,MAAa,iBAAiB,SAAS;CACrC,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC,EAAE;CAChD,SAAS,EAAE,GAAG,eAAe;CAC7B,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GAAG,OAAO,gBAAgB,EAAa,WAAkB,CAAC;;CAE9E,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,kBAAkB,MAAM;CACnC,MAAM,EAAE,YAAY,EAAE,GAAG,eAAe,EAAE;CAC1C,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,iBAAiB;AACtC,SAAO,MAAM,IAAI,GAAG,IAAI,gBAAgB,WAAW;;CAEtD,CAAC;;;;;;;;;;;;;;;;;;;;;;;AAwBF,MAAa,yBAAyB,MAAM;CAC1C,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE;CAC/B,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GACd,MAAM,eAAe,CACrB,UAAU,cAAc,MAAM,EAAE,GAAG,aAAa,UAAU,CAAC,CAC3D,QAAQ;;CAEd,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;AA0BF,MAAa,gBAAgB,SAAS;CACpC,MAAM;EAAE,YAAY,EAAE,GAAG,eAAe;EAAE,MAAM,EAAE,KAAK;EAAE;CACzD,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,YAAY,WAAW;AAC5C,QAAM,IAAI,GAAG,MAAM,gBAAgB,YAAY,KAAK;AACpD,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;AAqBF,MAAa,iBAAiB,SAAS;CACrC,MAAM,EAAE,YAAY,EAAE,GAAG,eAAe,EAAE;CAC1C,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,iBAAiB;AACtC,QAAM,IAAI,GAAG,OAAO,gBAAgB,WAAW;AAC/C,SAAO;;CAEV,CAAC"}
+{"version":3,"file":"verifiers.js","names":[],"sources":["../../../../src/component/public/identity/verifiers.ts"],"sourcesContent":["import { v } from \"convex/values\";\n\nimport { mutation, query } from \"../../functions\";\nimport { vAuthVerifierDoc } from \"../../model\";\n\n/**\n * Create a new PKCE verifier, optionally linked to a session.\n *\n * Inserts a document into the `AuthVerifier` table. Verifiers are used during\n * OAuth/OIDC flows to implement the PKCE (Proof Key for Code Exchange) pattern,\n * preventing authorization code interception attacks. The verifier can optionally\n * be linked to an existing session for session-aware flows.\n *\n * @param args.sessionId - An optional session document ID to associate with the verifier.\n *   When provided, the verifier is scoped to the given session.\n * @returns The document ID of the newly created verifier.\n *\n * @example\n * ```ts\n * const verifierId = await ctx.runMutation(\n *   component.identity.verifiers.verifierCreate,\n *   { sessionId: session._id },\n * );\n * ```\n */\nexport const verifierCreate = mutation({\n  args: { sessionId: v.optional(v.id(\"Session\")) },\n  returns: v.id(\"AuthVerifier\"),\n  handler: async (ctx, { sessionId }) => {\n    return await ctx.db.insert(\"AuthVerifier\", { sessionId: sessionId as any });\n  },\n});\n\n/**\n * Retrieve a single verifier by its Convex document ID.\n *\n * Performs a direct point lookup on the `AuthVerifier` table. Returns `null` if\n * the verifier has been deleted or never existed.\n *\n * @param args.verifierId - The Convex document ID (`Id<\"AuthVerifier\">`) of the verifier to retrieve.\n * @returns The verifier document if it exists, or `null` otherwise.\n *\n * @example\n * ```ts\n * const verifier = await ctx.runQuery(\n *   component.identity.verifiers.verifierGetById,\n *   { verifierId: storedVerifierId },\n * );\n * if (verifier !== null) {\n *   console.log(`Verifier signature: ${verifier.signature}`);\n * }\n * ```\n */\nexport const verifierGetById = query({\n  args: { verifierId: v.id(\"AuthVerifier\") },\n  returns: v.union(vAuthVerifierDoc, v.null()),\n  handler: async (ctx, { verifierId }) => {\n    return await ctx.db.get(\"AuthVerifier\", verifierId);\n  },\n});\n\n/**\n * Look up a verifier by its cryptographic signature.\n *\n * Queries the `AuthVerifier` table using the `signature` index to find the\n * unique verifier matching the given signature string. This is the primary\n * lookup used during the OAuth callback phase to correlate the incoming\n * authorization response with the original PKCE challenge.\n *\n * @param args.signature - The cryptographic signature string to search for (exact match).\n * @returns The matching verifier document, or `null` if no verifier has the given signature.\n *\n * @example\n * ```ts\n * const verifier = await ctx.runQuery(\n *   component.identity.verifiers.verifierGetBySignature,\n *   { signature: incomingStateParam },\n * );\n * if (verifier === null) {\n *   throw new Error(\"Invalid or expired OAuth state\");\n * }\n * ```\n */\nexport const verifierGetBySignature = query({\n  args: { signature: v.string() },\n  returns: v.union(vAuthVerifierDoc, v.null()),\n  handler: async (ctx, { signature }) => {\n    return await ctx.db\n      .query(\"AuthVerifier\")\n      .withIndex(\"signature\", (q) => q.eq(\"signature\", signature))\n      .unique();\n  },\n});\n\n/**\n * Patch a verifier document with partial data.\n *\n * Merges the provided fields into the existing verifier document. This is\n * typically used to set the `signature` field after the verifier is initially\n * created, or to associate a `sessionId` with an existing verifier.\n *\n * @param args.verifierId - The document ID of the verifier to update.\n * @param args.data - A partial object containing the fields to merge into the verifier document\n *   (e.g. `{ signature: string }` or `{ sessionId: Id<\"Session\"> }`).\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Set the PKCE signature on the verifier\n * await ctx.runMutation(\n *   component.identity.verifiers.verifierPatch,\n *   {\n *     verifierId: verifier._id,\n *     data: { signature: generatedSignature },\n *   },\n * );\n * ```\n */\nexport const verifierPatch = mutation({\n  args: { verifierId: v.id(\"AuthVerifier\"), data: v.any() },\n  returns: v.null(),\n  handler: async (ctx, { verifierId, data }) => {\n    await ctx.db.patch(\"AuthVerifier\", verifierId, data);\n    return null;\n  },\n});\n\n/**\n * Delete a verifier document permanently.\n *\n * Removes the verifier from the `AuthVerifier` table. This is typically called\n * after a successful OAuth callback to clean up the consumed PKCE state, or\n * to expire stale verifiers that were never completed.\n *\n * @param args.verifierId - The document ID of the verifier to delete.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Clean up the verifier after a successful OAuth exchange\n * await ctx.runMutation(\n *   component.identity.verifiers.verifierDelete,\n *   { verifierId: verifier._id },\n * );\n * ```\n */\nexport const verifierDelete = mutation({\n  args: { verifierId: v.id(\"AuthVerifier\") },\n  returns: v.null(),\n  handler: async (ctx, { verifierId }) => {\n    await ctx.db.delete(\"AuthVerifier\", verifierId);\n    return null;\n  },\n});\n\n// ============================================================================\n// Verification Codes\n// ============================================================================\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAyBA,MAAa,iBAAiB,SAAS;CACrC,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC,EAAE;CAChD,SAAS,EAAE,GAAG,eAAe;CAC7B,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GAAG,OAAO,gBAAgB,EAAa,WAAkB,CAAC;;CAE9E,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,kBAAkB,MAAM;CACnC,MAAM,EAAE,YAAY,EAAE,GAAG,eAAe,EAAE;CAC1C,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,iBAAiB;AACtC,SAAO,MAAM,IAAI,GAAG,IAAI,gBAAgB,WAAW;;CAEtD,CAAC;;;;;;;;;;;;;;;;;;;;;;;AAwBF,MAAa,yBAAyB,MAAM;CAC1C,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE;CAC/B,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GACd,MAAM,eAAe,CACrB,UAAU,cAAc,MAAM,EAAE,GAAG,aAAa,UAAU,CAAC,CAC3D,QAAQ;;CAEd,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;AA0BF,MAAa,gBAAgB,SAAS;CACpC,MAAM;EAAE,YAAY,EAAE,GAAG,eAAe;EAAE,MAAM,EAAE,KAAK;EAAE;CACzD,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,YAAY,WAAW;AAC5C,QAAM,IAAI,GAAG,MAAM,gBAAgB,YAAY,KAAK;AACpD,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;AAqBF,MAAa,iBAAiB,SAAS;CACrC,MAAM,EAAE,YAAY,EAAE,GAAG,eAAe,EAAE;CAC1C,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,iBAAiB;AACtC,QAAM,IAAI,GAAG,OAAO,gBAAgB,WAAW;AAC/C,SAAO;;CAEV,CAAC"}

package/dist/component/public/security/keys.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"keys.d.ts","names":[],"sources":["../../../../src/component/public/security/keys.ts"],"mappings":";;;;;;;;;;;;;;AAqDA;;;;;AAmDA;;;;;AAyDA;;;;;AAwFA;;;;;AAsDA;;;;;AA8CA;;;cAxSa,SAAA;;;;;;;;;;;;;;;;;;;;;;;;;;cAmDA,iBAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAyDA,OAAA;;;;;;;;;;;;;;;;;;;;;;;cAwFA,UAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAsDA,QAAA;;;;;;;;;;;;;;;;;;;;cA8CA,SAAA"}
+{"version":3,"file":"keys.d.ts","names":[],"sources":["../../../../src/component/public/security/keys.ts"],"mappings":";;;;;;;;;;;;;;AAsDA;;;;;AAmDA;;;;;AAyDA;;;;;AAwFA;;;;;AAsDA;;;;;AA8CA;;;cAxSa,SAAA;;;;;;;;;;;;;;;;;;;;;;;;;;cAmDA,iBAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAyDA,OAAA;;;;;;;;;;;;;;;;;;;;;;;cAwFA,UAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAsDA,QAAA;;;;;;;;;;;;;;;;;;;;cA8CA,SAAA"}

package/dist/component/public/security/keys.js.map

@@ -1 +1 @@
-{"version":3,"file":"keys.js","names":[],"sources":["../../../../src/component/public/security/keys.ts"],"sourcesContent":["import { ConvexError, v } from \"convex/values\";\nimport { mutation, query } from \"../../functions\";\nimport {\n  vApiKeyDoc,\n  vApiKeyRateLimit,\n  vApiKeyRateLimitState,\n  vApiKeyScope,\n  vPaginated,\n} from \"../../model\";\n\n// ============================================================================\n// API Keys\n// ============================================================================\n\n/**\n * Insert a new API key record into the `ApiKey` table.\n *\n * Creates an API key entry with the given metadata and scopes. The caller\n * is responsible for generating and hashing the raw key before passing it\n * here -- this function only stores the hash, never the plaintext key.\n * The `createdAt` timestamp and `revoked: false` flag are set automatically.\n *\n * @param userId - The `_id` of the `User` who owns this API key.\n * @param prefix - A short, visible prefix for the key (e.g. `\"sk_live_\"`)\n *   that helps users identify which key was used without exposing the secret.\n * @param hashedKey - SHA-256 hash of the full API key string. Used for\n *   constant-time lookup during Bearer token verification.\n * @param name - Human-readable name for the key (e.g. `\"Production Backend\"`).\n * @param scopes - Array of permission scopes, each containing a `resource`\n *   name and an array of allowed `actions` (e.g.\n *   `[{ resource: \"messages\", actions: [\"read\", \"write\"] }]`).\n * @param rateLimit - Optional rate limit configuration to apply per-key\n *   (e.g. max requests per window).\n * @param expiresAt - Optional Unix timestamp (in milliseconds) after which\n *   the key is no longer valid. Omit for non-expiring keys.\n * @param metadata - Optional arbitrary metadata to attach to the key record.\n * @returns The `_id` of the newly created `ApiKey` document.\n *\n * @example\n * ```ts\n * const keyId = await ctx.runMutation(\n *   components.auth.security.keys.keyInsert,\n *   {\n *     userId: user._id,\n *     prefix: \"sk_live_\",\n *     hashedKey: await sha256(rawKey),\n *     name: \"Production Backend\",\n *     scopes: [{ resource: \"messages\", actions: [\"read\", \"write\"] }],\n *     expiresAt: Date.now() + 90 * 24 * 60 * 60 * 1000,\n *   },\n * );\n * ```\n */\nexport const keyInsert = mutation({\n  args: {\n    userId: v.id(\"User\"),\n    prefix: v.string(),\n    hashedKey: v.string(),\n    name: v.string(),\n    scopes: v.array(\n      v.object({\n        resource: v.string(),\n        actions: v.array(v.string()),\n      }),\n    ),\n    rateLimit: v.optional(vApiKeyRateLimit),\n    expiresAt: v.optional(v.number()),\n    metadata: v.optional(v.any()),\n  },\n  returns: v.id(\"ApiKey\"),\n  handler: async (ctx, args) => {\n    return await ctx.db.insert(\"ApiKey\", {\n      ...args,\n      createdAt: Date.now(),\n      revoked: false,\n    });\n  },\n});\n\n/**\n * Look up an API key by its SHA-256 hash.\n *\n * Queries the `ApiKey` table using the `hashed_key` index. This is the\n * primary lookup path during Bearer token verification: the incoming\n * token is hashed and matched against stored hashes in constant time.\n * Returns the full key record including scopes, rate limit state, and\n * revocation status so the caller can perform authorization checks.\n *\n * @param hashedKey - SHA-256 hash of the API key string extracted from\n *   the `Authorization: Bearer <token>` header.\n * @returns The matching `ApiKey` document (including rate limit state),\n *   or `null` if no key matches the given hash.\n *\n * @example\n * ```ts\n * const apiKey = await ctx.runQuery(\n *   components.auth.security.keys.keyGetByHashedKey,\n *   { hashedKey: await sha256(bearerToken) },\n * );\n * if (apiKey === null || apiKey.revoked) {\n *   throw new Error(\"Invalid or revoked API key\");\n * }\n * ```\n */\nexport const keyGetByHashedKey = query({\n  args: { hashedKey: v.string() },\n  returns: v.union(vApiKeyDoc, v.null()),\n  handler: async (ctx, { hashedKey }) => {\n    return await ctx.db\n      .query(\"ApiKey\")\n      .withIndex(\"hashed_key\", (q) => q.eq(\"hashedKey\", hashedKey))\n      .first();\n  },\n});\n\n/**\n * List API keys with optional filtering, sorting, and cursor-based pagination.\n *\n * Returns a paginated result `{ items, nextCursor }` from the `ApiKey`\n * table. Supports filtering by `userId`, `revoked` status, `name`, and\n * `prefix`. The page size is clamped between 1 and 100 (default 50).\n * Pass the returned `nextCursor` as `cursor` in a subsequent call to\n * fetch the next page.\n *\n * @param where - Optional filter object. All specified fields are\n *   combined with AND logic:\n *   - `userId` -- restrict to keys owned by this user.\n *   - `revoked` -- `true` for revoked keys, `false` for active keys.\n *   - `name` -- exact match on the key's human-readable name.\n *   - `prefix` -- exact match on the key prefix string.\n * @param limit - Maximum number of items to return per page (1--100,\n *   default `50`).\n * @param cursor - Opaque cursor string (an `ApiKey` document `_id`)\n *   returned from a previous call. Pass `null` or omit for the first page.\n * @param orderBy - Field to sort by. One of `\"_creationTime\"`, `\"name\"`,\n *   `\"lastUsedAt\"`, `\"expiresAt\"`, or `\"revoked\"`. Defaults to\n *   `\"_creationTime\"`.\n * @param order - Sort direction, `\"asc\"` or `\"desc\"` (default `\"desc\"`).\n * @returns An object with `items` (array of `ApiKey` documents) and\n *   `nextCursor` (string ID of the last item, or `null` if no more pages).\n *\n * @example\n * ```ts\n * // Fetch the first page of active keys for a user\n * const page = await ctx.runQuery(\n *   components.auth.security.keys.keyList,\n *   {\n *     where: { userId: user._id, revoked: false },\n *     limit: 20,\n *     order: \"desc\",\n *   },\n * );\n * // Fetch the next page\n * if (page.nextCursor) {\n *   const page2 = await ctx.runQuery(\n *     components.auth.security.keys.keyList,\n *     { where: { userId: user._id, revoked: false }, cursor: page.nextCursor },\n *   );\n * }\n * ```\n */\nexport const keyList = query({\n  args: {\n    where: v.optional(\n      v.object({\n        userId: v.optional(v.id(\"User\")),\n        revoked: v.optional(v.boolean()),\n        name: v.optional(v.string()),\n        prefix: v.optional(v.string()),\n      }),\n    ),\n    limit: v.optional(v.number()),\n    cursor: v.optional(v.union(v.string(), v.null())),\n    orderBy: v.optional(\n      v.union(\n        v.literal(\"_creationTime\"),\n        v.literal(\"name\"),\n        v.literal(\"lastUsedAt\"),\n        v.literal(\"expiresAt\"),\n        v.literal(\"revoked\"),\n      ),\n    ),\n    order: v.optional(v.union(v.literal(\"asc\"), v.literal(\"desc\"))),\n  },\n  returns: vPaginated(vApiKeyDoc),\n  handler: async (ctx, args) => {\n    const where = args.where ?? {};\n    const limit = Math.min(Math.max(args.limit ?? 50, 1), 100);\n    const order = args.order ?? \"desc\";\n\n    let q;\n    if (where.userId !== undefined) {\n      q = ctx.db\n        .query(\"ApiKey\")\n        .withIndex(\"user_id\", (idx) => idx.eq(\"userId\", where.userId!));\n    } else {\n      q = ctx.db.query(\"ApiKey\");\n    }\n\n    if (where.revoked !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"revoked\"), where.revoked!));\n    }\n    if (where.name !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"name\"), where.name!));\n    }\n    if (where.prefix !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"prefix\"), where.prefix!));\n    }\n\n    q = q.order(order);\n\n    const all = await q.collect();\n    let startIdx = 0;\n    if (args.cursor) {\n      const cursorIdx = all.findIndex((doc) => doc._id === args.cursor);\n      if (cursorIdx !== -1) {\n        startIdx = cursorIdx + 1;\n      }\n    }\n    const page = all.slice(startIdx, startIdx + limit + 1);\n    const hasMore = page.length > limit;\n    const items = hasMore ? page.slice(0, limit) : page;\n    const nextCursor = hasMore ? items[items.length - 1]._id : null;\n    return { items, nextCursor };\n  },\n});\n\n/**\n * Get a single API key by its document ID.\n *\n * Performs a direct document lookup on the `ApiKey` table. Useful when\n * you already have the key's `_id` (e.g. from a list query or a stored\n * reference) and need to retrieve its full details.\n *\n * @param keyId - The `_id` of the `ApiKey` document to retrieve.\n * @returns The `ApiKey` document, or `null` if no key exists with the\n *   given ID.\n *\n * @example\n * ```ts\n * const apiKey = await ctx.runQuery(\n *   components.auth.security.keys.keyGetById,\n *   { keyId: storedKeyId },\n * );\n * if (apiKey !== null) {\n *   console.log(apiKey.name, apiKey.scopes);\n * }\n * ```\n */\nexport const keyGetById = query({\n  args: { keyId: v.id(\"ApiKey\") },\n  returns: v.union(vApiKeyDoc, v.null()),\n  handler: async (ctx, { keyId }) => {\n    return await ctx.db.get(\"ApiKey\", keyId);\n  },\n});\n\n/**\n * Patch an API key record with partial updates.\n *\n * Performs a partial update on the `ApiKey` document. Supports modifying\n * the key's name, scopes, rate limit configuration, rate limit state,\n * revocation flag, and last-used timestamp. Throws a `ConvexError` with\n * code `\"KEY_NOT_FOUND\"` if the key does not exist.\n *\n * @param keyId - The `_id` of the `ApiKey` document to update.\n * @param data - An object containing the fields to patch. All fields are\n *   optional:\n *   - `name` -- Updated human-readable name.\n *   - `scopes` -- Replacement array of permission scopes.\n *   - `rateLimit` -- Updated rate limit configuration.\n *   - `rateLimitState` -- Updated rate limit tracking state (token\n *     count, last refill time).\n *   - `revoked` -- Set to `true` to revoke the key, `false` to\n *     reinstate it.\n *   - `lastUsedAt` -- Unix timestamp (in milliseconds) of the most\n *     recent API call using this key.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Revoke an API key\n * await ctx.runMutation(\n *   components.auth.security.keys.keyPatch,\n *   {\n *     keyId: apiKey._id,\n *     data: { revoked: true },\n *   },\n * );\n *\n * // Rename and update scopes\n * await ctx.runMutation(\n *   components.auth.security.keys.keyPatch,\n *   {\n *     keyId: apiKey._id,\n *     data: {\n *       name: \"Read-Only Key\",\n *       scopes: [{ resource: \"messages\", actions: [\"read\"] }],\n *     },\n *   },\n * );\n * ```\n */\nexport const keyPatch = mutation({\n  args: {\n    keyId: v.id(\"ApiKey\"),\n    data: v.object({\n      name: v.optional(v.string()),\n      scopes: v.optional(v.array(vApiKeyScope)),\n      rateLimit: v.optional(vApiKeyRateLimit),\n      rateLimitState: v.optional(vApiKeyRateLimitState),\n      revoked: v.optional(v.boolean()),\n      lastUsedAt: v.optional(v.number()),\n    }),\n  },\n  returns: v.null(),\n  handler: async (ctx, { keyId, data }) => {\n    const key = await ctx.db.get(\"ApiKey\", keyId);\n    if (key === null) {\n      throw new ConvexError({\n        code: \"KEY_NOT_FOUND\",\n        message: \"API key not found\",\n        keyId,\n      });\n    }\n    await ctx.db.patch(\"ApiKey\", keyId, data);\n    return null;\n  },\n});\n\n/**\n * Hard-delete an API key record from the `ApiKey` table.\n *\n * Permanently removes the API key document. Unlike revocation (which\n * keeps the record for audit purposes), this is an irreversible\n * deletion. Throws a `ConvexError` with code `\"KEY_NOT_FOUND\"` if the\n * key does not exist.\n *\n * @param keyId - The `_id` of the `ApiKey` document to delete.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * await ctx.runMutation(\n *   components.auth.security.keys.keyDelete,\n *   { keyId: apiKey._id },\n * );\n * ```\n */\nexport const keyDelete = mutation({\n  args: { keyId: v.id(\"ApiKey\") },\n  returns: v.null(),\n  handler: async (ctx, { keyId }) => {\n    const key = await ctx.db.get(\"ApiKey\", keyId);\n    if (key === null) {\n      throw new ConvexError({\n        code: \"KEY_NOT_FOUND\",\n        message: \"API key not found\",\n        keyId,\n      });\n    }\n    await ctx.db.delete(\"ApiKey\", keyId);\n    return null;\n  },\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqDA,MAAa,YAAY,SAAS;CAChC,MAAM;EACJ,QAAQ,EAAE,GAAG,OAAO;EACpB,QAAQ,EAAE,QAAQ;EAClB,WAAW,EAAE,QAAQ;EACrB,MAAM,EAAE,QAAQ;EAChB,QAAQ,EAAE,MACR,EAAE,OAAO;GACP,UAAU,EAAE,QAAQ;GACpB,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC;GAC7B,CAAC,CACH;EACD,WAAW,EAAE,SAAS,iBAAiB;EACvC,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;EAC9B;CACD,SAAS,EAAE,GAAG,SAAS;CACvB,SAAS,OAAO,KAAK,SAAS;AAC5B,SAAO,MAAM,IAAI,GAAG,OAAO,UAAU;GACnC,GAAG;GACH,WAAW,KAAK,KAAK;GACrB,SAAS;GACV,CAAC;;CAEL,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BF,MAAa,oBAAoB,MAAM;CACrC,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE;CAC/B,SAAS,EAAE,MAAM,YAAY,EAAE,MAAM,CAAC;CACtC,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GACd,MAAM,SAAS,CACf,UAAU,eAAe,MAAM,EAAE,GAAG,aAAa,UAAU,CAAC,CAC5D,OAAO;;CAEb,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgDF,MAAa,UAAU,MAAM;CAC3B,MAAM;EACJ,OAAO,EAAE,SACP,EAAE,OAAO;GACP,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;GAChC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;GAChC,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC5B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC/B,CAAC,CACH;EACD,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,CAAC;EACjD,SAAS,EAAE,SACT,EAAE,MACA,EAAE,QAAQ,gBAAgB,EAC1B,EAAE,QAAQ,OAAO,EACjB,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,YAAY,EACtB,EAAE,QAAQ,UAAU,CACrB,CACF;EACD,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC;EAChE;CACD,SAAS,WAAW,WAAW;CAC/B,SAAS,OAAO,KAAK,SAAS;EAC5B,MAAM,QAAQ,KAAK,SAAS,EAAE;EAC9B,MAAM,QAAQ,KAAK,IAAI,KAAK,IAAI,KAAK,SAAS,IAAI,EAAE,EAAE,IAAI;EAC1D,MAAM,QAAQ,KAAK,SAAS;EAE5B,IAAI;AACJ,MAAI,MAAM,WAAW,OACnB,KAAI,IAAI,GACL,MAAM,SAAS,CACf,UAAU,YAAY,QAAQ,IAAI,GAAG,UAAU,MAAM,OAAQ,CAAC;MAEjE,KAAI,IAAI,GAAG,MAAM,SAAS;AAG5B,MAAI,MAAM,YAAY,OACpB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,UAAU,EAAE,MAAM,QAAS,CAAC;AAE/D,MAAI,MAAM,SAAS,OACjB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,OAAO,EAAE,MAAM,KAAM,CAAC;AAEzD,MAAI,MAAM,WAAW,OACnB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,SAAS,EAAE,MAAM,OAAQ,CAAC;AAG7D,MAAI,EAAE,MAAM,MAAM;EAElB,MAAM,MAAM,MAAM,EAAE,SAAS;EAC7B,IAAI,WAAW;AACf,MAAI,KAAK,QAAQ;GACf,MAAM,YAAY,IAAI,WAAW,QAAQ,IAAI,QAAQ,KAAK,OAAO;AACjE,OAAI,cAAc,GAChB,YAAW,YAAY;;EAG3B,MAAM,OAAO,IAAI,MAAM,UAAU,WAAW,QAAQ,EAAE;EACtD,MAAM,UAAU,KAAK,SAAS;EAC9B,MAAM,QAAQ,UAAU,KAAK,MAAM,GAAG,MAAM,GAAG;AAE/C,SAAO;GAAE;GAAO,YADG,UAAU,MAAM,MAAM,SAAS,GAAG,MAAM;GAC/B;;CAE/B,CAAC;;;;;;;;;;;;;;;;;;;;;;;AAwBF,MAAa,aAAa,MAAM;CAC9B,MAAM,EAAE,OAAO,EAAE,GAAG,SAAS,EAAE;CAC/B,SAAS,EAAE,MAAM,YAAY,EAAE,MAAM,CAAC;CACtC,SAAS,OAAO,KAAK,EAAE,YAAY;AACjC,SAAO,MAAM,IAAI,GAAG,IAAI,UAAU,MAAM;;CAE3C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgDF,MAAa,WAAW,SAAS;CAC/B,MAAM;EACJ,OAAO,EAAE,GAAG,SAAS;EACrB,MAAM,EAAE,OAAO;GACb,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC5B,QAAQ,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;GACzC,WAAW,EAAE,SAAS,iBAAiB;GACvC,gBAAgB,EAAE,SAAS,sBAAsB;GACjD,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;GAChC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;GACnC,CAAC;EACH;CACD,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,OAAO,WAAW;AAEvC,MADY,MAAM,IAAI,GAAG,IAAI,UAAU,MAAM,KACjC,KACV,OAAM,IAAI,YAAY;GACpB,MAAM;GACN,SAAS;GACT;GACD,CAAC;AAEJ,QAAM,IAAI,GAAG,MAAM,UAAU,OAAO,KAAK;AACzC,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;AAqBF,MAAa,YAAY,SAAS;CAChC,MAAM,EAAE,OAAO,EAAE,GAAG,SAAS,EAAE;CAC/B,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,YAAY;AAEjC,MADY,MAAM,IAAI,GAAG,IAAI,UAAU,MAAM,KACjC,KACV,OAAM,IAAI,YAAY;GACpB,MAAM;GACN,SAAS;GACT;GACD,CAAC;AAEJ,QAAM,IAAI,GAAG,OAAO,UAAU,MAAM;AACpC,SAAO;;CAEV,CAAC"}
+{"version":3,"file":"keys.js","names":[],"sources":["../../../../src/component/public/security/keys.ts"],"sourcesContent":["import { ConvexError, v } from \"convex/values\";\n\nimport { mutation, query } from \"../../functions\";\nimport {\n  vApiKeyDoc,\n  vApiKeyRateLimit,\n  vApiKeyRateLimitState,\n  vApiKeyScope,\n  vPaginated,\n} from \"../../model\";\n\n// ============================================================================\n// API Keys\n// ============================================================================\n\n/**\n * Insert a new API key record into the `ApiKey` table.\n *\n * Creates an API key entry with the given metadata and scopes. The caller\n * is responsible for generating and hashing the raw key before passing it\n * here -- this function only stores the hash, never the plaintext key.\n * The `createdAt` timestamp and `revoked: false` flag are set automatically.\n *\n * @param userId - The `_id` of the `User` who owns this API key.\n * @param prefix - A short, visible prefix for the key (e.g. `\"sk_live_\"`)\n *   that helps users identify which key was used without exposing the secret.\n * @param hashedKey - SHA-256 hash of the full API key string. Used for\n *   constant-time lookup during Bearer token verification.\n * @param name - Human-readable name for the key (e.g. `\"Production Backend\"`).\n * @param scopes - Array of permission scopes, each containing a `resource`\n *   name and an array of allowed `actions` (e.g.\n *   `[{ resource: \"messages\", actions: [\"read\", \"write\"] }]`).\n * @param rateLimit - Optional rate limit configuration to apply per-key\n *   (e.g. max requests per window).\n * @param expiresAt - Optional Unix timestamp (in milliseconds) after which\n *   the key is no longer valid. Omit for non-expiring keys.\n * @param metadata - Optional arbitrary metadata to attach to the key record.\n * @returns The `_id` of the newly created `ApiKey` document.\n *\n * @example\n * ```ts\n * const keyId = await ctx.runMutation(\n *   components.auth.security.keys.keyInsert,\n *   {\n *     userId: user._id,\n *     prefix: \"sk_live_\",\n *     hashedKey: await sha256(rawKey),\n *     name: \"Production Backend\",\n *     scopes: [{ resource: \"messages\", actions: [\"read\", \"write\"] }],\n *     expiresAt: Date.now() + 90 * 24 * 60 * 60 * 1000,\n *   },\n * );\n * ```\n */\nexport const keyInsert = mutation({\n  args: {\n    userId: v.id(\"User\"),\n    prefix: v.string(),\n    hashedKey: v.string(),\n    name: v.string(),\n    scopes: v.array(\n      v.object({\n        resource: v.string(),\n        actions: v.array(v.string()),\n      }),\n    ),\n    rateLimit: v.optional(vApiKeyRateLimit),\n    expiresAt: v.optional(v.number()),\n    metadata: v.optional(v.any()),\n  },\n  returns: v.id(\"ApiKey\"),\n  handler: async (ctx, args) => {\n    return await ctx.db.insert(\"ApiKey\", {\n      ...args,\n      createdAt: Date.now(),\n      revoked: false,\n    });\n  },\n});\n\n/**\n * Look up an API key by its SHA-256 hash.\n *\n * Queries the `ApiKey` table using the `hashed_key` index. This is the\n * primary lookup path during Bearer token verification: the incoming\n * token is hashed and matched against stored hashes in constant time.\n * Returns the full key record including scopes, rate limit state, and\n * revocation status so the caller can perform authorization checks.\n *\n * @param hashedKey - SHA-256 hash of the API key string extracted from\n *   the `Authorization: Bearer <token>` header.\n * @returns The matching `ApiKey` document (including rate limit state),\n *   or `null` if no key matches the given hash.\n *\n * @example\n * ```ts\n * const apiKey = await ctx.runQuery(\n *   components.auth.security.keys.keyGetByHashedKey,\n *   { hashedKey: await sha256(bearerToken) },\n * );\n * if (apiKey === null || apiKey.revoked) {\n *   throw new Error(\"Invalid or revoked API key\");\n * }\n * ```\n */\nexport const keyGetByHashedKey = query({\n  args: { hashedKey: v.string() },\n  returns: v.union(vApiKeyDoc, v.null()),\n  handler: async (ctx, { hashedKey }) => {\n    return await ctx.db\n      .query(\"ApiKey\")\n      .withIndex(\"hashed_key\", (q) => q.eq(\"hashedKey\", hashedKey))\n      .first();\n  },\n});\n\n/**\n * List API keys with optional filtering, sorting, and cursor-based pagination.\n *\n * Returns a paginated result `{ items, nextCursor }` from the `ApiKey`\n * table. Supports filtering by `userId`, `revoked` status, `name`, and\n * `prefix`. The page size is clamped between 1 and 100 (default 50).\n * Pass the returned `nextCursor` as `cursor` in a subsequent call to\n * fetch the next page.\n *\n * @param where - Optional filter object. All specified fields are\n *   combined with AND logic:\n *   - `userId` -- restrict to keys owned by this user.\n *   - `revoked` -- `true` for revoked keys, `false` for active keys.\n *   - `name` -- exact match on the key's human-readable name.\n *   - `prefix` -- exact match on the key prefix string.\n * @param limit - Maximum number of items to return per page (1--100,\n *   default `50`).\n * @param cursor - Opaque cursor string (an `ApiKey` document `_id`)\n *   returned from a previous call. Pass `null` or omit for the first page.\n * @param orderBy - Field to sort by. One of `\"_creationTime\"`, `\"name\"`,\n *   `\"lastUsedAt\"`, `\"expiresAt\"`, or `\"revoked\"`. Defaults to\n *   `\"_creationTime\"`.\n * @param order - Sort direction, `\"asc\"` or `\"desc\"` (default `\"desc\"`).\n * @returns An object with `items` (array of `ApiKey` documents) and\n *   `nextCursor` (string ID of the last item, or `null` if no more pages).\n *\n * @example\n * ```ts\n * // Fetch the first page of active keys for a user\n * const page = await ctx.runQuery(\n *   components.auth.security.keys.keyList,\n *   {\n *     where: { userId: user._id, revoked: false },\n *     limit: 20,\n *     order: \"desc\",\n *   },\n * );\n * // Fetch the next page\n * if (page.nextCursor) {\n *   const page2 = await ctx.runQuery(\n *     components.auth.security.keys.keyList,\n *     { where: { userId: user._id, revoked: false }, cursor: page.nextCursor },\n *   );\n * }\n * ```\n */\nexport const keyList = query({\n  args: {\n    where: v.optional(\n      v.object({\n        userId: v.optional(v.id(\"User\")),\n        revoked: v.optional(v.boolean()),\n        name: v.optional(v.string()),\n        prefix: v.optional(v.string()),\n      }),\n    ),\n    limit: v.optional(v.number()),\n    cursor: v.optional(v.union(v.string(), v.null())),\n    orderBy: v.optional(\n      v.union(\n        v.literal(\"_creationTime\"),\n        v.literal(\"name\"),\n        v.literal(\"lastUsedAt\"),\n        v.literal(\"expiresAt\"),\n        v.literal(\"revoked\"),\n      ),\n    ),\n    order: v.optional(v.union(v.literal(\"asc\"), v.literal(\"desc\"))),\n  },\n  returns: vPaginated(vApiKeyDoc),\n  handler: async (ctx, args) => {\n    const where = args.where ?? {};\n    const limit = Math.min(Math.max(args.limit ?? 50, 1), 100);\n    const order = args.order ?? \"desc\";\n\n    let q;\n    if (where.userId !== undefined) {\n      q = ctx.db\n        .query(\"ApiKey\")\n        .withIndex(\"user_id\", (idx) => idx.eq(\"userId\", where.userId!));\n    } else {\n      q = ctx.db.query(\"ApiKey\");\n    }\n\n    if (where.revoked !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"revoked\"), where.revoked!));\n    }\n    if (where.name !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"name\"), where.name!));\n    }\n    if (where.prefix !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"prefix\"), where.prefix!));\n    }\n\n    q = q.order(order);\n\n    const all = await q.collect();\n    let startIdx = 0;\n    if (args.cursor) {\n      const cursorIdx = all.findIndex((doc) => doc._id === args.cursor);\n      if (cursorIdx !== -1) {\n        startIdx = cursorIdx + 1;\n      }\n    }\n    const page = all.slice(startIdx, startIdx + limit + 1);\n    const hasMore = page.length > limit;\n    const items = hasMore ? page.slice(0, limit) : page;\n    const nextCursor = hasMore ? items[items.length - 1]._id : null;\n    return { items, nextCursor };\n  },\n});\n\n/**\n * Get a single API key by its document ID.\n *\n * Performs a direct document lookup on the `ApiKey` table. Useful when\n * you already have the key's `_id` (e.g. from a list query or a stored\n * reference) and need to retrieve its full details.\n *\n * @param keyId - The `_id` of the `ApiKey` document to retrieve.\n * @returns The `ApiKey` document, or `null` if no key exists with the\n *   given ID.\n *\n * @example\n * ```ts\n * const apiKey = await ctx.runQuery(\n *   components.auth.security.keys.keyGetById,\n *   { keyId: storedKeyId },\n * );\n * if (apiKey !== null) {\n *   console.log(apiKey.name, apiKey.scopes);\n * }\n * ```\n */\nexport const keyGetById = query({\n  args: { keyId: v.id(\"ApiKey\") },\n  returns: v.union(vApiKeyDoc, v.null()),\n  handler: async (ctx, { keyId }) => {\n    return await ctx.db.get(\"ApiKey\", keyId);\n  },\n});\n\n/**\n * Patch an API key record with partial updates.\n *\n * Performs a partial update on the `ApiKey` document. Supports modifying\n * the key's name, scopes, rate limit configuration, rate limit state,\n * revocation flag, and last-used timestamp. Throws a `ConvexError` with\n * code `\"KEY_NOT_FOUND\"` if the key does not exist.\n *\n * @param keyId - The `_id` of the `ApiKey` document to update.\n * @param data - An object containing the fields to patch. All fields are\n *   optional:\n *   - `name` -- Updated human-readable name.\n *   - `scopes` -- Replacement array of permission scopes.\n *   - `rateLimit` -- Updated rate limit configuration.\n *   - `rateLimitState` -- Updated rate limit tracking state (token\n *     count, last refill time).\n *   - `revoked` -- Set to `true` to revoke the key, `false` to\n *     reinstate it.\n *   - `lastUsedAt` -- Unix timestamp (in milliseconds) of the most\n *     recent API call using this key.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Revoke an API key\n * await ctx.runMutation(\n *   components.auth.security.keys.keyPatch,\n *   {\n *     keyId: apiKey._id,\n *     data: { revoked: true },\n *   },\n * );\n *\n * // Rename and update scopes\n * await ctx.runMutation(\n *   components.auth.security.keys.keyPatch,\n *   {\n *     keyId: apiKey._id,\n *     data: {\n *       name: \"Read-Only Key\",\n *       scopes: [{ resource: \"messages\", actions: [\"read\"] }],\n *     },\n *   },\n * );\n * ```\n */\nexport const keyPatch = mutation({\n  args: {\n    keyId: v.id(\"ApiKey\"),\n    data: v.object({\n      name: v.optional(v.string()),\n      scopes: v.optional(v.array(vApiKeyScope)),\n      rateLimit: v.optional(vApiKeyRateLimit),\n      rateLimitState: v.optional(vApiKeyRateLimitState),\n      revoked: v.optional(v.boolean()),\n      lastUsedAt: v.optional(v.number()),\n    }),\n  },\n  returns: v.null(),\n  handler: async (ctx, { keyId, data }) => {\n    const key = await ctx.db.get(\"ApiKey\", keyId);\n    if (key === null) {\n      throw new ConvexError({\n        code: \"KEY_NOT_FOUND\",\n        message: \"API key not found\",\n        keyId,\n      });\n    }\n    await ctx.db.patch(\"ApiKey\", keyId, data);\n    return null;\n  },\n});\n\n/**\n * Hard-delete an API key record from the `ApiKey` table.\n *\n * Permanently removes the API key document. Unlike revocation (which\n * keeps the record for audit purposes), this is an irreversible\n * deletion. Throws a `ConvexError` with code `\"KEY_NOT_FOUND\"` if the\n * key does not exist.\n *\n * @param keyId - The `_id` of the `ApiKey` document to delete.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * await ctx.runMutation(\n *   components.auth.security.keys.keyDelete,\n *   { keyId: apiKey._id },\n * );\n * ```\n */\nexport const keyDelete = mutation({\n  args: { keyId: v.id(\"ApiKey\") },\n  returns: v.null(),\n  handler: async (ctx, { keyId }) => {\n    const key = await ctx.db.get(\"ApiKey\", keyId);\n    if (key === null) {\n      throw new ConvexError({\n        code: \"KEY_NOT_FOUND\",\n        message: \"API key not found\",\n        keyId,\n      });\n    }\n    await ctx.db.delete(\"ApiKey\", keyId);\n    return null;\n  },\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsDA,MAAa,YAAY,SAAS;CAChC,MAAM;EACJ,QAAQ,EAAE,GAAG,OAAO;EACpB,QAAQ,EAAE,QAAQ;EAClB,WAAW,EAAE,QAAQ;EACrB,MAAM,EAAE,QAAQ;EAChB,QAAQ,EAAE,MACR,EAAE,OAAO;GACP,UAAU,EAAE,QAAQ;GACpB,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC;GAC7B,CAAC,CACH;EACD,WAAW,EAAE,SAAS,iBAAiB;EACvC,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;EAC9B;CACD,SAAS,EAAE,GAAG,SAAS;CACvB,SAAS,OAAO,KAAK,SAAS;AAC5B,SAAO,MAAM,IAAI,GAAG,OAAO,UAAU;GACnC,GAAG;GACH,WAAW,KAAK,KAAK;GACrB,SAAS;GACV,CAAC;;CAEL,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BF,MAAa,oBAAoB,MAAM;CACrC,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE;CAC/B,SAAS,EAAE,MAAM,YAAY,EAAE,MAAM,CAAC;CACtC,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GACd,MAAM,SAAS,CACf,UAAU,eAAe,MAAM,EAAE,GAAG,aAAa,UAAU,CAAC,CAC5D,OAAO;;CAEb,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgDF,MAAa,UAAU,MAAM;CAC3B,MAAM;EACJ,OAAO,EAAE,SACP,EAAE,OAAO;GACP,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;GAChC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;GAChC,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC5B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC/B,CAAC,CACH;EACD,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,CAAC;EACjD,SAAS,EAAE,SACT,EAAE,MACA,EAAE,QAAQ,gBAAgB,EAC1B,EAAE,QAAQ,OAAO,EACjB,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,YAAY,EACtB,EAAE,QAAQ,UAAU,CACrB,CACF;EACD,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC;EAChE;CACD,SAAS,WAAW,WAAW;CAC/B,SAAS,OAAO,KAAK,SAAS;EAC5B,MAAM,QAAQ,KAAK,SAAS,EAAE;EAC9B,MAAM,QAAQ,KAAK,IAAI,KAAK,IAAI,KAAK,SAAS,IAAI,EAAE,EAAE,IAAI;EAC1D,MAAM,QAAQ,KAAK,SAAS;EAE5B,IAAI;AACJ,MAAI,MAAM,WAAW,OACnB,KAAI,IAAI,GACL,MAAM,SAAS,CACf,UAAU,YAAY,QAAQ,IAAI,GAAG,UAAU,MAAM,OAAQ,CAAC;MAEjE,KAAI,IAAI,GAAG,MAAM,SAAS;AAG5B,MAAI,MAAM,YAAY,OACpB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,UAAU,EAAE,MAAM,QAAS,CAAC;AAE/D,MAAI,MAAM,SAAS,OACjB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,OAAO,EAAE,MAAM,KAAM,CAAC;AAEzD,MAAI,MAAM,WAAW,OACnB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,SAAS,EAAE,MAAM,OAAQ,CAAC;AAG7D,MAAI,EAAE,MAAM,MAAM;EAElB,MAAM,MAAM,MAAM,EAAE,SAAS;EAC7B,IAAI,WAAW;AACf,MAAI,KAAK,QAAQ;GACf,MAAM,YAAY,IAAI,WAAW,QAAQ,IAAI,QAAQ,KAAK,OAAO;AACjE,OAAI,cAAc,GAChB,YAAW,YAAY;;EAG3B,MAAM,OAAO,IAAI,MAAM,UAAU,WAAW,QAAQ,EAAE;EACtD,MAAM,UAAU,KAAK,SAAS;EAC9B,MAAM,QAAQ,UAAU,KAAK,MAAM,GAAG,MAAM,GAAG;AAE/C,SAAO;GAAE;GAAO,YADG,UAAU,MAAM,MAAM,SAAS,GAAG,MAAM;GAC/B;;CAE/B,CAAC;;;;;;;;;;;;;;;;;;;;;;;AAwBF,MAAa,aAAa,MAAM;CAC9B,MAAM,EAAE,OAAO,EAAE,GAAG,SAAS,EAAE;CAC/B,SAAS,EAAE,MAAM,YAAY,EAAE,MAAM,CAAC;CACtC,SAAS,OAAO,KAAK,EAAE,YAAY;AACjC,SAAO,MAAM,IAAI,GAAG,IAAI,UAAU,MAAM;;CAE3C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgDF,MAAa,WAAW,SAAS;CAC/B,MAAM;EACJ,OAAO,EAAE,GAAG,SAAS;EACrB,MAAM,EAAE,OAAO;GACb,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC5B,QAAQ,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;GACzC,WAAW,EAAE,SAAS,iBAAiB;GACvC,gBAAgB,EAAE,SAAS,sBAAsB;GACjD,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;GAChC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;GACnC,CAAC;EACH;CACD,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,OAAO,WAAW;AAEvC,MADY,MAAM,IAAI,GAAG,IAAI,UAAU,MAAM,KACjC,KACV,OAAM,IAAI,YAAY;GACpB,MAAM;GACN,SAAS;GACT;GACD,CAAC;AAEJ,QAAM,IAAI,GAAG,MAAM,UAAU,OAAO,KAAK;AACzC,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;AAqBF,MAAa,YAAY,SAAS;CAChC,MAAM,EAAE,OAAO,EAAE,GAAG,SAAS,EAAE;CAC/B,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,YAAY;AAEjC,MADY,MAAM,IAAI,GAAG,IAAI,UAAU,MAAM,KACjC,KACV,OAAM,IAAI,YAAY;GACpB,MAAM;GACN,SAAS;GACT;GACD,CAAC;AAEJ,QAAM,IAAI,GAAG,OAAO,UAAU,MAAM;AACpC,SAAO;;CAEV,CAAC"}

package/dist/component/public/security/limits.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"limits.d.ts","names":[],"sources":["../../../../src/component/public/security/limits.ts"],"mappings":";;;;;;;;;;;;AA4BA;;;;;AAgDA;;;;;AA+CA;;;;;cA/Fa,YAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAgDA,eAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cA+CA,cAAA;;;;;;;;;;;;;;;;;;;;;cAsCA,eAAA"}
+{"version":3,"file":"limits.d.ts","names":[],"sources":["../../../../src/component/public/security/limits.ts"],"mappings":";;;;;;;;;;;;AA6BA;;;;;AAgDA;;;;;AA+CA;;;;;cA/Fa,YAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAgDA,eAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cA+CA,cAAA;;;;;;;;;;;;;;;;;;;;;cAsCA,eAAA"}

package/dist/component/public/security/limits.js.map

@@ -1 +1 @@
-{"version":3,"file":"limits.js","names":[],"sources":["../../../../src/component/public/security/limits.ts"],"sourcesContent":["import { v } from \"convex/values\";\nimport { mutation, query } from \"../../functions\";\nimport { vRateLimitResult } from \"../../model\";\n\n/**\n * Look up a rate limit entry by its string identifier.\n *\n * Queries the `RateLimit` table using the `by_identifier` unique index.\n * Returns the rate limit state with camelCase field names (`attemptsLeft`,\n * `lastAttemptTime`) mapped from the snake_case storage format. Used to\n * check whether an action should be allowed or throttled.\n *\n * @param identifier - Unique string identifying the rate limit bucket\n *   (e.g. `\"login:user@example.com\"` or `\"api:sk_live_abc123\"`).\n * @returns The rate limit state object (including `attemptsLeft` and\n *   `lastAttemptTime`), or `null` if no entry exists for the identifier.\n *\n * @example\n * ```ts\n * const limit = await ctx.runQuery(\n *   components.auth.security.limits.rateLimitGet,\n *   { identifier: `login:${email}` },\n * );\n * if (limit !== null && limit.attemptsLeft <= 0) {\n *   throw new Error(\"Too many login attempts. Please try again later.\");\n * }\n * ```\n */\nexport const rateLimitGet = query({\n  args: { identifier: v.string() },\n  returns: v.union(vRateLimitResult, v.null()),\n  handler: async (ctx, { identifier }) => {\n    const row = await ctx.db\n      .query(\"RateLimit\")\n      .withIndex(\"by_identifier\", (q) => q.eq(\"identifier\", identifier))\n      .unique();\n    if (row === null) {\n      return null;\n    }\n    return {\n      ...row,\n      attemptsLeft: row.attempts_left,\n      lastAttemptTime: row.last_attempt_time,\n    };\n  },\n});\n\n/**\n * Create a new rate limit entry in the `RateLimit` table.\n *\n * Initializes a rate limit bucket for a given identifier. The entry\n * tracks remaining attempts and the timestamp of the last attempt,\n * storing them in snake_case format internally. Call this when the\n * first rate-limited action occurs for an identifier that does not\n * yet have an entry.\n *\n * @param identifier - Unique string identifying the rate limit bucket\n *   (e.g. `\"login:user@example.com\"` or `\"otp:+15551234567\"`).\n * @param attemptsLeft - Number of remaining attempts before the action\n *   is throttled.\n * @param lastAttemptTime - Unix timestamp (in milliseconds) of the\n *   initial attempt.\n * @returns The `_id` of the newly created `RateLimit` document.\n *\n * @example\n * ```ts\n * const rateLimitId = await ctx.runMutation(\n *   components.auth.security.limits.rateLimitCreate,\n *   {\n *     identifier: `login:${email}`,\n *     attemptsLeft: 4, // 5 max minus this attempt\n *     lastAttemptTime: Date.now(),\n *   },\n * );\n * ```\n */\nexport const rateLimitCreate = mutation({\n  args: {\n    identifier: v.string(),\n    attemptsLeft: v.number(),\n    lastAttemptTime: v.number(),\n  },\n  returns: v.id(\"RateLimit\"),\n  handler: async (ctx, { identifier, attemptsLeft, lastAttemptTime }) => {\n    return await ctx.db.insert(\"RateLimit\", {\n      identifier,\n      attempts_left: attemptsLeft,\n      last_attempt_time: lastAttemptTime,\n    });\n  },\n});\n\n/**\n * Patch a rate limit entry with partial data.\n *\n * Updates an existing `RateLimit` document with the provided fields.\n * Automatically maps camelCase field names (`attemptsLeft`,\n * `lastAttemptTime`) to the snake_case storage format before writing.\n * Typically called to decrement remaining attempts or to reset the\n * bucket after a cooldown window has elapsed.\n *\n * @param rateLimitId - The `_id` of the `RateLimit` document to update.\n * @param data - An object containing the fields to patch. Supports\n *   camelCase names which are transparently converted:\n *   - `attemptsLeft` -- Updated number of remaining attempts.\n *   - `lastAttemptTime` -- Updated timestamp of the most recent attempt.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Decrement attempts after a failed login\n * await ctx.runMutation(\n *   components.auth.security.limits.rateLimitPatch,\n *   {\n *     rateLimitId: limit._id,\n *     data: {\n *       attemptsLeft: limit.attemptsLeft - 1,\n *       lastAttemptTime: Date.now(),\n *     },\n *   },\n * );\n * ```\n */\nexport const rateLimitPatch = mutation({\n  args: { rateLimitId: v.id(\"RateLimit\"), data: v.any() },\n  returns: v.null(),\n  handler: async (ctx, { rateLimitId, data }) => {\n    const nextData: Record<string, unknown> = { ...data };\n    if (nextData.attemptsLeft !== undefined) {\n      nextData.attempts_left = nextData.attemptsLeft;\n      delete nextData.attemptsLeft;\n    }\n    if (nextData.lastAttemptTime !== undefined) {\n      nextData.last_attempt_time = nextData.lastAttemptTime;\n      delete nextData.lastAttemptTime;\n    }\n    await ctx.db.patch(\"RateLimit\", rateLimitId, nextData);\n    return null;\n  },\n});\n\n/**\n * Delete a rate limit entry from the `RateLimit` table.\n *\n * Permanently removes the rate limit bucket. This effectively resets\n * rate limiting for the associated identifier, allowing the next\n * action to proceed without throttling. Useful for administrative\n * resets or cleanup of expired buckets.\n *\n * @param rateLimitId - The `_id` of the `RateLimit` document to delete.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Admin resets a user's login rate limit\n * await ctx.runMutation(\n *   components.auth.security.limits.rateLimitDelete,\n *   { rateLimitId: limit._id },\n * );\n * ```\n */\nexport const rateLimitDelete = mutation({\n  args: { rateLimitId: v.id(\"RateLimit\") },\n  returns: v.null(),\n  handler: async (ctx, { rateLimitId }) => {\n    await ctx.db.delete(\"RateLimit\", rateLimitId);\n    return null;\n  },\n});\n\n// ============================================================================\n// Device Authorization (RFC 8628)\n// ============================================================================\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4BA,MAAa,eAAe,MAAM;CAChC,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE;CAChC,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,iBAAiB;EACtC,MAAM,MAAM,MAAM,IAAI,GACnB,MAAM,YAAY,CAClB,UAAU,kBAAkB,MAAM,EAAE,GAAG,cAAc,WAAW,CAAC,CACjE,QAAQ;AACX,MAAI,QAAQ,KACV,QAAO;AAET,SAAO;GACL,GAAG;GACH,cAAc,IAAI;GAClB,iBAAiB,IAAI;GACtB;;CAEJ,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BF,MAAa,kBAAkB,SAAS;CACtC,MAAM;EACJ,YAAY,EAAE,QAAQ;EACtB,cAAc,EAAE,QAAQ;EACxB,iBAAiB,EAAE,QAAQ;EAC5B;CACD,SAAS,EAAE,GAAG,YAAY;CAC1B,SAAS,OAAO,KAAK,EAAE,YAAY,cAAc,sBAAsB;AACrE,SAAO,MAAM,IAAI,GAAG,OAAO,aAAa;GACtC;GACA,eAAe;GACf,mBAAmB;GACpB,CAAC;;CAEL,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiCF,MAAa,iBAAiB,SAAS;CACrC,MAAM;EAAE,aAAa,EAAE,GAAG,YAAY;EAAE,MAAM,EAAE,KAAK;EAAE;CACvD,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,aAAa,WAAW;EAC7C,MAAM,WAAoC,EAAE,GAAG,MAAM;AACrD,MAAI,SAAS,iBAAiB,QAAW;AACvC,YAAS,gBAAgB,SAAS;AAClC,UAAO,SAAS;;AAElB,MAAI,SAAS,oBAAoB,QAAW;AAC1C,YAAS,oBAAoB,SAAS;AACtC,UAAO,SAAS;;AAElB,QAAM,IAAI,GAAG,MAAM,aAAa,aAAa,SAAS;AACtD,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,kBAAkB,SAAS;CACtC,MAAM,EAAE,aAAa,EAAE,GAAG,YAAY,EAAE;CACxC,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,kBAAkB;AACvC,QAAM,IAAI,GAAG,OAAO,aAAa,YAAY;AAC7C,SAAO;;CAEV,CAAC"}
+{"version":3,"file":"limits.js","names":[],"sources":["../../../../src/component/public/security/limits.ts"],"sourcesContent":["import { v } from \"convex/values\";\n\nimport { mutation, query } from \"../../functions\";\nimport { vRateLimitResult } from \"../../model\";\n\n/**\n * Look up a rate limit entry by its string identifier.\n *\n * Queries the `RateLimit` table using the `by_identifier` unique index.\n * Returns the rate limit state with camelCase field names (`attemptsLeft`,\n * `lastAttemptTime`) mapped from the snake_case storage format. Used to\n * check whether an action should be allowed or throttled.\n *\n * @param identifier - Unique string identifying the rate limit bucket\n *   (e.g. `\"login:user@example.com\"` or `\"api:sk_live_abc123\"`).\n * @returns The rate limit state object (including `attemptsLeft` and\n *   `lastAttemptTime`), or `null` if no entry exists for the identifier.\n *\n * @example\n * ```ts\n * const limit = await ctx.runQuery(\n *   components.auth.security.limits.rateLimitGet,\n *   { identifier: `login:${email}` },\n * );\n * if (limit !== null && limit.attemptsLeft <= 0) {\n *   throw new Error(\"Too many login attempts. Please try again later.\");\n * }\n * ```\n */\nexport const rateLimitGet = query({\n  args: { identifier: v.string() },\n  returns: v.union(vRateLimitResult, v.null()),\n  handler: async (ctx, { identifier }) => {\n    const row = await ctx.db\n      .query(\"RateLimit\")\n      .withIndex(\"by_identifier\", (q) => q.eq(\"identifier\", identifier))\n      .unique();\n    if (row === null) {\n      return null;\n    }\n    return {\n      ...row,\n      attemptsLeft: row.attempts_left,\n      lastAttemptTime: row.last_attempt_time,\n    };\n  },\n});\n\n/**\n * Create a new rate limit entry in the `RateLimit` table.\n *\n * Initializes a rate limit bucket for a given identifier. The entry\n * tracks remaining attempts and the timestamp of the last attempt,\n * storing them in snake_case format internally. Call this when the\n * first rate-limited action occurs for an identifier that does not\n * yet have an entry.\n *\n * @param identifier - Unique string identifying the rate limit bucket\n *   (e.g. `\"login:user@example.com\"` or `\"otp:+15551234567\"`).\n * @param attemptsLeft - Number of remaining attempts before the action\n *   is throttled.\n * @param lastAttemptTime - Unix timestamp (in milliseconds) of the\n *   initial attempt.\n * @returns The `_id` of the newly created `RateLimit` document.\n *\n * @example\n * ```ts\n * const rateLimitId = await ctx.runMutation(\n *   components.auth.security.limits.rateLimitCreate,\n *   {\n *     identifier: `login:${email}`,\n *     attemptsLeft: 4, // 5 max minus this attempt\n *     lastAttemptTime: Date.now(),\n *   },\n * );\n * ```\n */\nexport const rateLimitCreate = mutation({\n  args: {\n    identifier: v.string(),\n    attemptsLeft: v.number(),\n    lastAttemptTime: v.number(),\n  },\n  returns: v.id(\"RateLimit\"),\n  handler: async (ctx, { identifier, attemptsLeft, lastAttemptTime }) => {\n    return await ctx.db.insert(\"RateLimit\", {\n      identifier,\n      attempts_left: attemptsLeft,\n      last_attempt_time: lastAttemptTime,\n    });\n  },\n});\n\n/**\n * Patch a rate limit entry with partial data.\n *\n * Updates an existing `RateLimit` document with the provided fields.\n * Automatically maps camelCase field names (`attemptsLeft`,\n * `lastAttemptTime`) to the snake_case storage format before writing.\n * Typically called to decrement remaining attempts or to reset the\n * bucket after a cooldown window has elapsed.\n *\n * @param rateLimitId - The `_id` of the `RateLimit` document to update.\n * @param data - An object containing the fields to patch. Supports\n *   camelCase names which are transparently converted:\n *   - `attemptsLeft` -- Updated number of remaining attempts.\n *   - `lastAttemptTime` -- Updated timestamp of the most recent attempt.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Decrement attempts after a failed login\n * await ctx.runMutation(\n *   components.auth.security.limits.rateLimitPatch,\n *   {\n *     rateLimitId: limit._id,\n *     data: {\n *       attemptsLeft: limit.attemptsLeft - 1,\n *       lastAttemptTime: Date.now(),\n *     },\n *   },\n * );\n * ```\n */\nexport const rateLimitPatch = mutation({\n  args: { rateLimitId: v.id(\"RateLimit\"), data: v.any() },\n  returns: v.null(),\n  handler: async (ctx, { rateLimitId, data }) => {\n    const nextData: Record<string, unknown> = { ...data };\n    if (nextData.attemptsLeft !== undefined) {\n      nextData.attempts_left = nextData.attemptsLeft;\n      delete nextData.attemptsLeft;\n    }\n    if (nextData.lastAttemptTime !== undefined) {\n      nextData.last_attempt_time = nextData.lastAttemptTime;\n      delete nextData.lastAttemptTime;\n    }\n    await ctx.db.patch(\"RateLimit\", rateLimitId, nextData);\n    return null;\n  },\n});\n\n/**\n * Delete a rate limit entry from the `RateLimit` table.\n *\n * Permanently removes the rate limit bucket. This effectively resets\n * rate limiting for the associated identifier, allowing the next\n * action to proceed without throttling. Useful for administrative\n * resets or cleanup of expired buckets.\n *\n * @param rateLimitId - The `_id` of the `RateLimit` document to delete.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Admin resets a user's login rate limit\n * await ctx.runMutation(\n *   components.auth.security.limits.rateLimitDelete,\n *   { rateLimitId: limit._id },\n * );\n * ```\n */\nexport const rateLimitDelete = mutation({\n  args: { rateLimitId: v.id(\"RateLimit\") },\n  returns: v.null(),\n  handler: async (ctx, { rateLimitId }) => {\n    await ctx.db.delete(\"RateLimit\", rateLimitId);\n    return null;\n  },\n});\n\n// ============================================================================\n// Device Authorization (RFC 8628)\n// ============================================================================\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BA,MAAa,eAAe,MAAM;CAChC,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE;CAChC,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,iBAAiB;EACtC,MAAM,MAAM,MAAM,IAAI,GACnB,MAAM,YAAY,CAClB,UAAU,kBAAkB,MAAM,EAAE,GAAG,cAAc,WAAW,CAAC,CACjE,QAAQ;AACX,MAAI,QAAQ,KACV,QAAO;AAET,SAAO;GACL,GAAG;GACH,cAAc,IAAI;GAClB,iBAAiB,IAAI;GACtB;;CAEJ,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BF,MAAa,kBAAkB,SAAS;CACtC,MAAM;EACJ,YAAY,EAAE,QAAQ;EACtB,cAAc,EAAE,QAAQ;EACxB,iBAAiB,EAAE,QAAQ;EAC5B;CACD,SAAS,EAAE,GAAG,YAAY;CAC1B,SAAS,OAAO,KAAK,EAAE,YAAY,cAAc,sBAAsB;AACrE,SAAO,MAAM,IAAI,GAAG,OAAO,aAAa;GACtC;GACA,eAAe;GACf,mBAAmB;GACpB,CAAC;;CAEL,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiCF,MAAa,iBAAiB,SAAS;CACrC,MAAM;EAAE,aAAa,EAAE,GAAG,YAAY;EAAE,MAAM,EAAE,KAAK;EAAE;CACvD,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,aAAa,WAAW;EAC7C,MAAM,WAAoC,EAAE,GAAG,MAAM;AACrD,MAAI,SAAS,iBAAiB,QAAW;AACvC,YAAS,gBAAgB,SAAS;AAClC,UAAO,SAAS;;AAElB,MAAI,SAAS,oBAAoB,QAAW;AAC1C,YAAS,oBAAoB,SAAS;AACtC,UAAO,SAAS;;AAElB,QAAM,IAAI,GAAG,MAAM,aAAa,aAAa,SAAS;AACtD,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,kBAAkB,SAAS;CACtC,MAAM,EAAE,aAAa,EAAE,GAAG,YAAY,EAAE;CACxC,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,kBAAkB;AACvC,QAAM,IAAI,GAAG,OAAO,aAAa,YAAY;AAC7C,SAAO;;CAEV,CAAC"}