@robelest/convex-auth 0.0.4-preview.22 → 0.0.4-preview.24

package/dist/component/server/http.js.map

@@ -1 +1 @@
-{"version":3,"file":"http.js","names":["result","parseCookies"],"sources":["../../../src/server/http.ts"],"sourcesContent":["import {\n  GenericActionCtx,\n  GenericDataModel,\n  HttpRouter,\n  httpActionGeneric,\n} from \"convex/server\";\nimport { ConvexError } from \"convex/values\";\nimport { parse as parseCookies } from \"cookie\";\n\nimport { isAuthError } from \"./errors\";\nimport { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./authError\";\nimport type { CorsConfig, HttpKeyContext } from \"./types\";\nimport { logError } from \"./utils\";\n\nexport function createHttpAction(auth: {\n  key: { verify: (ctx: GenericActionCtx<any>, rawKey: string) => Promise<any> };\n}) {\n  return (\n    handler: (\n      ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,\n      request: Request,\n    ) => Promise<Response | Record<string, unknown>>,\n    options?: {\n      scope?: { resource: string; action: string };\n      cors?: CorsConfig;\n    },\n  ) => {\n    const corsConfig = options?.cors ?? {};\n    const corsHeaders: Record<string, string> = {\n      \"Access-Control-Allow-Origin\": corsConfig.origin ?? \"*\",\n      \"Access-Control-Allow-Methods\":\n        corsConfig.methods ?? \"GET,POST,PUT,PATCH,DELETE,OPTIONS\",\n      \"Access-Control-Allow-Headers\":\n        corsConfig.headers ?? \"Content-Type,Authorization\",\n    };\n\n    return httpActionGeneric(async (genericCtx, request) => {\n      return Fx.run(\n        Fx.from({\n          ok: async () => {\n            const authHeader = request.headers.get(\"Authorization\");\n            if (!authHeader?.startsWith(\"Bearer \")) {\n              return new Response(\n                JSON.stringify({\n                  error: \"Missing or malformed Authorization: Bearer header.\",\n                  code: \"MISSING_BEARER_TOKEN\",\n                }),\n                {\n                  status: 401,\n                  headers: {\n                    ...corsHeaders,\n                    \"Content-Type\": \"application/json\",\n                  },\n                },\n              );\n            }\n            const rawKey = authHeader.slice(7);\n\n            const keyResult = await Fx.run(\n              Fx.from({\n                ok: () => auth.key.verify(genericCtx, rawKey),\n                err: (error) => error,\n              }).pipe(\n                Fx.fold({\n                  ok: (result) => ({ ok: true, value: result }) as const,\n                  err: (error) => ({ ok: false, error }) as const,\n                }),\n              ),\n            );\n\n            if (!keyResult.ok) {\n              if (isAuthError(keyResult.error)) {\n                const { code, message } = keyResult.error.data as {\n                  code: string;\n                  message: string;\n                };\n                return new Response(JSON.stringify({ error: message, code }), {\n                  status: 403,\n                  headers: {\n                    ...corsHeaders,\n                    \"Content-Type\": \"application/json\",\n                  },\n                });\n              }\n              throw keyResult.error;\n            }\n\n            if (\n              options?.scope &&\n              !keyResult.value.scopes.can(\n                options.scope.resource,\n                options.scope.action,\n              )\n            ) {\n              return new Response(\n                JSON.stringify({\n                  error: \"This API key does not have the required permissions.\",\n                  code: \"SCOPE_CHECK_FAILED\",\n                }),\n                {\n                  status: 403,\n                  headers: {\n                    ...corsHeaders,\n                    \"Content-Type\": \"application/json\",\n                  },\n                },\n              );\n            }\n\n            const enrichedCtx = Object.assign(genericCtx, {\n              key: {\n                userId: keyResult.value.userId,\n                keyId: keyResult.value.keyId,\n                scopes: keyResult.value.scopes,\n              },\n            });\n            const result = await handler(enrichedCtx, request);\n\n            if (result instanceof Response) {\n              const headers = new Headers(result.headers);\n              for (const [k, val] of Object.entries(corsHeaders)) {\n                if (!headers.has(k)) headers.set(k, val);\n              }\n              return new Response(result.body, {\n                status: result.status,\n                statusText: result.statusText,\n                headers,\n              });\n            }\n\n            return new Response(JSON.stringify(result), {\n              status: 200,\n              headers: {\n                ...corsHeaders,\n                \"Content-Type\": \"application/json\",\n              },\n            });\n          },\n          err: (error) => error,\n        }).pipe(\n          Fx.recover((error) => {\n            logError(error);\n            return Fx.succeed(\n              new Response(\n                JSON.stringify({\n                  error: \"An unexpected error occurred.\",\n                  code: \"INTERNAL_ERROR\",\n                }),\n                {\n                  status: 500,\n                  headers: {\n                    ...corsHeaders,\n                    \"Content-Type\": \"application/json\",\n                  },\n                },\n              ),\n            );\n          }),\n        ),\n      );\n    });\n  };\n}\n\nexport function createHttpRoute(\n  wrapAction: ReturnType<typeof createHttpAction>,\n) {\n  return (\n    http: { route: (config: any) => void },\n    routeConfig: {\n      path: string;\n      method: \"GET\" | \"POST\" | \"PUT\" | \"PATCH\" | \"DELETE\";\n      handler: (\n        ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,\n        request: Request,\n      ) => Promise<Response | Record<string, unknown>>;\n      scope?: { resource: string; action: string };\n      cors?: CorsConfig;\n    },\n  ) => {\n    const corsConfig = routeConfig.cors ?? {};\n    const corsHeaders: Record<string, string> = {\n      \"Access-Control-Allow-Origin\": corsConfig.origin ?? \"*\",\n      \"Access-Control-Allow-Methods\":\n        corsConfig.methods ?? \"GET,POST,PUT,PATCH,DELETE,OPTIONS\",\n      \"Access-Control-Allow-Headers\":\n        corsConfig.headers ?? \"Content-Type,Authorization\",\n    };\n\n    http.route({\n      path: routeConfig.path,\n      method: \"OPTIONS\",\n      handler: httpActionGeneric(async () => {\n        return new Response(null, { status: 204, headers: corsHeaders });\n      }),\n    });\n\n    http.route({\n      path: routeConfig.path,\n      method: routeConfig.method,\n      handler: wrapAction(routeConfig.handler, {\n        scope: routeConfig.scope,\n        cors: routeConfig.cors,\n      }),\n    });\n  };\n}\n\nexport function convertErrorsToResponse(\n  errorStatusCode: number,\n  action: (ctx: GenericActionCtx<any>, request: Request) => Promise<Response>,\n) {\n  return async (ctx: GenericActionCtx<any>, request: Request) => {\n    return Fx.run(\n      Fx.from({\n        ok: () => action(ctx, request),\n        err: (error) => error,\n      }).pipe(\n        Fx.recover((error) => {\n          if (isAuthError(error)) {\n            return Fx.succeed(\n              new Response(\n                JSON.stringify({\n                  code: error.data.code,\n                  message: error.data.message,\n                }),\n                {\n                  status: errorStatusCode,\n                  headers: { \"Content-Type\": \"application/json\" },\n                },\n              ),\n            );\n          } else if (error instanceof ConvexError) {\n            return Fx.succeed(\n              new Response(null, {\n                status: errorStatusCode,\n                statusText:\n                  typeof error.data === \"string\" ? error.data : \"Error\",\n              }),\n            );\n          } else {\n            logError(error);\n            return Fx.succeed(\n              new Response(null, {\n                status: 500,\n                statusText: \"Internal Server Error\",\n              }),\n            );\n          }\n        }),\n      ),\n    );\n  };\n}\n\nexport function getCookies(\n  request: Request,\n): Record<string, string | undefined> {\n  return parseCookies(request.headers.get(\"Cookie\") ?? \"\");\n}\n\nexport type SSORuntimeRoute = {\n  pathname?: string;\n  enterpriseId: string;\n  protocol: \"oidc\" | \"saml\" | \"scim\";\n  rest: string[];\n};\n\nfunction parseEnterpriseRuntimeRoute(\n  pathname: string,\n  routeBase: string,\n): SSORuntimeRoute | null {\n  const runtimePrefix = `${routeBase}/`;\n  const runtimeParts = pathname.startsWith(runtimePrefix)\n    ? pathname.slice(runtimePrefix.length).split(\"/\").filter(Boolean)\n    : [];\n  const [runtimeEnterpriseId, protocol, ...rest] = runtimeParts;\n  if (\n    runtimeEnterpriseId === undefined ||\n    (protocol !== \"oidc\" && protocol !== \"saml\" && protocol !== \"scim\") ||\n    rest.length === 0\n  ) {\n    return null;\n  }\n  return {\n    pathname,\n    enterpriseId: runtimeEnterpriseId,\n    protocol,\n    rest,\n  };\n}\n\nexport function addOpenIdRoutes(\n  http: HttpRouter,\n  deps: {\n    getIssuer: () => string;\n    getJwks: () => string;\n  },\n) {\n  const cacheControl =\n    \"public, max-age=15, stale-while-revalidate=15, stale-if-error=86400\";\n\n  http.route({\n    path: \"/.well-known/openid-configuration\",\n    method: \"GET\",\n    handler: httpActionGeneric(async () => {\n      const issuer = deps.getIssuer();\n      return new Response(\n        JSON.stringify({\n          issuer,\n          jwks_uri: `${issuer}/.well-known/jwks.json`,\n        }),\n        {\n          status: 200,\n          headers: {\n            \"Content-Type\": \"application/json\",\n            \"Cache-Control\": cacheControl,\n          },\n        },\n      );\n    }),\n  });\n\n  http.route({\n    path: \"/.well-known/jwks.json\",\n    method: \"GET\",\n    handler: httpActionGeneric(async () => {\n      return new Response(deps.getJwks(), {\n        status: 200,\n        headers: {\n          \"Content-Type\": \"application/json\",\n          \"Cache-Control\": cacheControl,\n        },\n      });\n    }),\n  });\n}\n\nexport function addAuthRoutes(\n  http: HttpRouter,\n  deps: {\n    handleSignIn: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n    ) => Promise<Response>;\n    handleCallback: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n    ) => Promise<Response>;\n  },\n) {\n  http.route({\n    pathPrefix: \"/api/auth/signin/\",\n    method: \"GET\",\n    handler: httpActionGeneric(deps.handleSignIn),\n  });\n\n  const callbackHandler = httpActionGeneric(deps.handleCallback);\n\n  http.route({\n    pathPrefix: \"/api/auth/callback/\",\n    method: \"GET\",\n    handler: callbackHandler,\n  });\n\n  http.route({\n    pathPrefix: \"/api/auth/callback/\",\n    method: \"POST\",\n    handler: callbackHandler,\n  });\n}\n\nexport function addSSORoutes(\n  http: HttpRouter,\n  deps: {\n    routeBase: string;\n    convertErrorsToResponse: typeof convertErrorsToResponse;\n    handleSamlMetadata: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      route: SSORuntimeRoute,\n    ) => Promise<Response>;\n    handleSamlSignIn: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      route: SSORuntimeRoute,\n    ) => Promise<Response>;\n    handleOidcSignIn: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      route: SSORuntimeRoute,\n    ) => Promise<Response>;\n    handleOidcCallback: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      route: SSORuntimeRoute,\n    ) => Promise<Response>;\n    handleSamlAcs: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      route: SSORuntimeRoute,\n    ) => Promise<Response>;\n    handleSamlSlo: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      route: SSORuntimeRoute,\n    ) => Promise<Response>;\n    handleScimRequest: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n    ) => Promise<Response>;\n    scimError: (status: number, scimType: string, detail: string) => Response;\n  },\n) {\n  const routePrefix = `${deps.routeBase}/`;\n\n  http.route({\n    pathPrefix: routePrefix,\n    method: \"GET\",\n    handler: httpActionGeneric(\n      deps.convertErrorsToResponse(400, async (ctx, request) => {\n        const route = parseEnterpriseRuntimeRoute(\n          new URL(request.url).pathname,\n          deps.routeBase,\n        );\n        if (!route) {\n          throw new AuthError(\n            \"INVALID_PARAMETERS\",\n            \"Invalid enterprise runtime path.\",\n          ).toConvexError();\n        }\n        if (route.protocol === \"saml\" && route.rest.length === 1) {\n          if (route.rest[0] === \"metadata\") {\n            return await deps.handleSamlMetadata(ctx, request, route);\n          }\n          if (route.rest[0] === \"signin\") {\n            return await deps.handleSamlSignIn(ctx, request, route);\n          }\n          if (route.rest[0] === \"acs\") {\n            return await deps.handleSamlAcs(ctx, request, route);\n          }\n          if (route.rest[0] === \"slo\") {\n            return await deps.handleSamlSlo(ctx, request, route);\n          }\n        }\n        if (route.protocol === \"oidc\" && route.rest.length === 1) {\n          if (route.rest[0] === \"signin\") {\n            return await deps.handleOidcSignIn(ctx, request, route);\n          }\n          if (route.rest[0] === \"callback\") {\n            return await deps.handleOidcCallback(ctx, request, route);\n          }\n        }\n        if (route.protocol === \"scim\" && route.rest[0] === \"v2\") {\n          return await deps.handleScimRequest(ctx, request);\n        }\n        throw new AuthError(\n          \"INVALID_PARAMETERS\",\n          \"Invalid enterprise runtime path.\",\n        ).toConvexError();\n      }),\n    ),\n  });\n\n  http.route({\n    pathPrefix: routePrefix,\n    method: \"POST\",\n    handler: httpActionGeneric(\n      deps.convertErrorsToResponse(400, async (ctx, request) => {\n        const route = parseEnterpriseRuntimeRoute(\n          new URL(request.url).pathname,\n          deps.routeBase,\n        );\n        if (route?.protocol === \"saml\" && route.rest.length === 1) {\n          if (route.rest[0] === \"acs\") {\n            return await deps.handleSamlAcs(ctx, request, route);\n          }\n          if (route.rest[0] === \"slo\") {\n            return await deps.handleSamlSlo(ctx, request, route);\n          }\n        }\n        if (route?.protocol === \"scim\" && route.rest[0] === \"v2\") {\n          return await deps.handleScimRequest(ctx, request);\n        }\n        throw new AuthError(\n          \"INVALID_PARAMETERS\",\n          \"Invalid enterprise runtime path.\",\n        ).toConvexError();\n      }),\n    ),\n  });\n\n  http.route({\n    pathPrefix: routePrefix,\n    method: \"PUT\",\n    handler: httpActionGeneric(\n      deps.convertErrorsToResponse(400, async (ctx, request) => {\n        const route = parseEnterpriseRuntimeRoute(\n          new URL(request.url).pathname,\n          deps.routeBase,\n        );\n        if (route?.protocol === \"scim\" && route.rest[0] === \"v2\") {\n          return await deps.handleScimRequest(ctx, request);\n        }\n        throw new AuthError(\n          \"INVALID_PARAMETERS\",\n          \"Invalid enterprise runtime path.\",\n        ).toConvexError();\n      }),\n    ),\n  });\n\n  for (const method of [\"PATCH\", \"DELETE\"] as const) {\n    http.route({\n      pathPrefix: routePrefix,\n      method,\n      handler: httpActionGeneric(async (ctx, request) => {\n        const route = parseEnterpriseRuntimeRoute(\n          new URL(request.url).pathname,\n          deps.routeBase,\n        );\n        if (!route || route.protocol !== \"scim\" || route.rest[0] !== \"v2\") {\n          return deps.scimError(404, \"notFound\", \"SCIM resource not found.\");\n        }\n        return await deps.handleScimRequest(ctx, request);\n      }),\n    });\n  }\n}\n"],"mappings":";;;;;;;;;AAgBA,SAAgB,iBAAiB,MAE9B;AACD,SACE,SAIA,YAIG;EACH,MAAM,aAAa,SAAS,QAAQ,EAAE;EACtC,MAAM,cAAsC;GAC1C,+BAA+B,WAAW,UAAU;GACpD,gCACE,WAAW,WAAW;GACxB,gCACE,WAAW,WAAW;GACzB;AAED,SAAO,kBAAkB,OAAO,YAAY,YAAY;AACtD,UAAO,GAAG,IACR,GAAG,KAAK;IACN,IAAI,YAAY;KACd,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,SAAI,CAAC,YAAY,WAAW,UAAU,CACpC,QAAO,IAAI,SACT,KAAK,UAAU;MACb,OAAO;MACP,MAAM;MACP,CAAC,EACF;MACE,QAAQ;MACR,SAAS;OACP,GAAG;OACH,gBAAgB;OACjB;MACF,CACF;KAEH,MAAM,SAAS,WAAW,MAAM,EAAE;KAElC,MAAM,YAAY,MAAM,GAAG,IACzB,GAAG,KAAK;MACN,UAAU,KAAK,IAAI,OAAO,YAAY,OAAO;MAC7C,MAAM,UAAU;MACjB,CAAC,CAAC,KACD,GAAG,KAAK;MACN,KAAK,cAAY;OAAE,IAAI;OAAM,OAAOA;OAAQ;MAC5C,MAAM,WAAW;OAAE,IAAI;OAAO;OAAO;MACtC,CAAC,CACH,CACF;AAED,SAAI,CAAC,UAAU,IAAI;AACjB,UAAI,YAAY,UAAU,MAAM,EAAE;OAChC,MAAM,EAAE,MAAM,YAAY,UAAU,MAAM;AAI1C,cAAO,IAAI,SAAS,KAAK,UAAU;QAAE,OAAO;QAAS;QAAM,CAAC,EAAE;QAC5D,QAAQ;QACR,SAAS;SACP,GAAG;SACH,gBAAgB;SACjB;QACF,CAAC;;AAEJ,YAAM,UAAU;;AAGlB,SACE,SAAS,SACT,CAAC,UAAU,MAAM,OAAO,IACtB,QAAQ,MAAM,UACd,QAAQ,MAAM,OACf,CAED,QAAO,IAAI,SACT,KAAK,UAAU;MACb,OAAO;MACP,MAAM;MACP,CAAC,EACF;MACE,QAAQ;MACR,SAAS;OACP,GAAG;OACH,gBAAgB;OACjB;MACF,CACF;KAUH,MAAM,SAAS,MAAM,QAPD,OAAO,OAAO,YAAY,EAC5C,KAAK;MACH,QAAQ,UAAU,MAAM;MACxB,OAAO,UAAU,MAAM;MACvB,QAAQ,UAAU,MAAM;MACzB,EACF,CAAC,EACwC,QAAQ;AAElD,SAAI,kBAAkB,UAAU;MAC9B,MAAM,UAAU,IAAI,QAAQ,OAAO,QAAQ;AAC3C,WAAK,MAAM,CAAC,GAAG,QAAQ,OAAO,QAAQ,YAAY,CAChD,KAAI,CAAC,QAAQ,IAAI,EAAE,CAAE,SAAQ,IAAI,GAAG,IAAI;AAE1C,aAAO,IAAI,SAAS,OAAO,MAAM;OAC/B,QAAQ,OAAO;OACf,YAAY,OAAO;OACnB;OACD,CAAC;;AAGJ,YAAO,IAAI,SAAS,KAAK,UAAU,OAAO,EAAE;MAC1C,QAAQ;MACR,SAAS;OACP,GAAG;OACH,gBAAgB;OACjB;MACF,CAAC;;IAEJ,MAAM,UAAU;IACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAU;AACpB,aAAS,MAAM;AACf,WAAO,GAAG,QACR,IAAI,SACF,KAAK,UAAU;KACb,OAAO;KACP,MAAM;KACP,CAAC,EACF;KACE,QAAQ;KACR,SAAS;MACP,GAAG;MACH,gBAAgB;MACjB;KACF,CACF,CACF;KACD,CACH,CACF;IACD;;;AAIN,SAAgB,gBACd,YACA;AACA,SACE,MACA,gBAUG;EACH,MAAM,aAAa,YAAY,QAAQ,EAAE;EACzC,MAAM,cAAsC;GAC1C,+BAA+B,WAAW,UAAU;GACpD,gCACE,WAAW,WAAW;GACxB,gCACE,WAAW,WAAW;GACzB;AAED,OAAK,MAAM;GACT,MAAM,YAAY;GAClB,QAAQ;GACR,SAAS,kBAAkB,YAAY;AACrC,WAAO,IAAI,SAAS,MAAM;KAAE,QAAQ;KAAK,SAAS;KAAa,CAAC;KAChE;GACH,CAAC;AAEF,OAAK,MAAM;GACT,MAAM,YAAY;GAClB,QAAQ,YAAY;GACpB,SAAS,WAAW,YAAY,SAAS;IACvC,OAAO,YAAY;IACnB,MAAM,YAAY;IACnB,CAAC;GACH,CAAC;;;AAIN,SAAgB,wBACd,iBACA,QACA;AACA,QAAO,OAAO,KAA4B,YAAqB;AAC7D,SAAO,GAAG,IACR,GAAG,KAAK;GACN,UAAU,OAAO,KAAK,QAAQ;GAC9B,MAAM,UAAU;GACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAU;AACpB,OAAI,YAAY,MAAM,CACpB,QAAO,GAAG,QACR,IAAI,SACF,KAAK,UAAU;IACb,MAAM,MAAM,KAAK;IACjB,SAAS,MAAM,KAAK;IACrB,CAAC,EACF;IACE,QAAQ;IACR,SAAS,EAAE,gBAAgB,oBAAoB;IAChD,CACF,CACF;YACQ,iBAAiB,YAC1B,QAAO,GAAG,QACR,IAAI,SAAS,MAAM;IACjB,QAAQ;IACR,YACE,OAAO,MAAM,SAAS,WAAW,MAAM,OAAO;IACjD,CAAC,CACH;QACI;AACL,aAAS,MAAM;AACf,WAAO,GAAG,QACR,IAAI,SAAS,MAAM;KACjB,QAAQ;KACR,YAAY;KACb,CAAC,CACH;;IAEH,CACH,CACF;;;AAIL,SAAgB,WACd,SACoC;AACpC,QAAOC,MAAa,QAAQ,QAAQ,IAAI,SAAS,IAAI,GAAG;;AAU1D,SAAS,4BACP,UACA,WACwB;CACxB,MAAM,gBAAgB,GAAG,UAAU;CAInC,MAAM,CAAC,qBAAqB,UAAU,GAAG,QAHpB,SAAS,WAAW,cAAc,GACnD,SAAS,MAAM,cAAc,OAAO,CAAC,MAAM,IAAI,CAAC,OAAO,QAAQ,GAC/D,EAAE;AAEN,KACE,wBAAwB,UACvB,aAAa,UAAU,aAAa,UAAU,aAAa,UAC5D,KAAK,WAAW,EAEhB,QAAO;AAET,QAAO;EACL;EACA,cAAc;EACd;EACA;EACD;;AAGH,SAAgB,gBACd,MACA,MAIA;CACA,MAAM,eACJ;AAEF,MAAK,MAAM;EACT,MAAM;EACN,QAAQ;EACR,SAAS,kBAAkB,YAAY;GACrC,MAAM,SAAS,KAAK,WAAW;AAC/B,UAAO,IAAI,SACT,KAAK,UAAU;IACb;IACA,UAAU,GAAG,OAAO;IACrB,CAAC,EACF;IACE,QAAQ;IACR,SAAS;KACP,gBAAgB;KAChB,iBAAiB;KAClB;IACF,CACF;IACD;EACH,CAAC;AAEF,MAAK,MAAM;EACT,MAAM;EACN,QAAQ;EACR,SAAS,kBAAkB,YAAY;AACrC,UAAO,IAAI,SAAS,KAAK,SAAS,EAAE;IAClC,QAAQ;IACR,SAAS;KACP,gBAAgB;KAChB,iBAAiB;KAClB;IACF,CAAC;IACF;EACH,CAAC;;AAGJ,SAAgB,cACd,MACA,MAUA;AACA,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBAAkB,KAAK,aAAa;EAC9C,CAAC;CAEF,MAAM,kBAAkB,kBAAkB,KAAK,eAAe;AAE9D,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS;EACV,CAAC;AAEF,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS;EACV,CAAC;;AAGJ,SAAgB,aACd,MACA,MAuCA;CACA,MAAM,cAAc,GAAG,KAAK,UAAU;AAEtC,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBACP,KAAK,wBAAwB,KAAK,OAAO,KAAK,YAAY;GACxD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,CAAC,MACH,OAAM,IAAI,UACR,sBACA,mCACD,CAAC,eAAe;AAEnB,OAAI,MAAM,aAAa,UAAU,MAAM,KAAK,WAAW,GAAG;AACxD,QAAI,MAAM,KAAK,OAAO,WACpB,QAAO,MAAM,KAAK,mBAAmB,KAAK,SAAS,MAAM;AAE3D,QAAI,MAAM,KAAK,OAAO,SACpB,QAAO,MAAM,KAAK,iBAAiB,KAAK,SAAS,MAAM;AAEzD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;AAEtD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;;AAGxD,OAAI,MAAM,aAAa,UAAU,MAAM,KAAK,WAAW,GAAG;AACxD,QAAI,MAAM,KAAK,OAAO,SACpB,QAAO,MAAM,KAAK,iBAAiB,KAAK,SAAS,MAAM;AAEzD,QAAI,MAAM,KAAK,OAAO,WACpB,QAAO,MAAM,KAAK,mBAAmB,KAAK,SAAS,MAAM;;AAG7D,OAAI,MAAM,aAAa,UAAU,MAAM,KAAK,OAAO,KACjD,QAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;AAEnD,SAAM,IAAI,UACR,sBACA,mCACD,CAAC,eAAe;IACjB,CACH;EACF,CAAC;AAEF,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBACP,KAAK,wBAAwB,KAAK,OAAO,KAAK,YAAY;GACxD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,OAAO,aAAa,UAAU,MAAM,KAAK,WAAW,GAAG;AACzD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;AAEtD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;;AAGxD,OAAI,OAAO,aAAa,UAAU,MAAM,KAAK,OAAO,KAClD,QAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;AAEnD,SAAM,IAAI,UACR,sBACA,mCACD,CAAC,eAAe;IACjB,CACH;EACF,CAAC;AAEF,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBACP,KAAK,wBAAwB,KAAK,OAAO,KAAK,YAAY;GACxD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,OAAO,aAAa,UAAU,MAAM,KAAK,OAAO,KAClD,QAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;AAEnD,SAAM,IAAI,UACR,sBACA,mCACD,CAAC,eAAe;IACjB,CACH;EACF,CAAC;AAEF,MAAK,MAAM,UAAU,CAAC,SAAS,SAAS,CACtC,MAAK,MAAM;EACT,YAAY;EACZ;EACA,SAAS,kBAAkB,OAAO,KAAK,YAAY;GACjD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,CAAC,SAAS,MAAM,aAAa,UAAU,MAAM,KAAK,OAAO,KAC3D,QAAO,KAAK,UAAU,KAAK,YAAY,2BAA2B;AAEpE,UAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;IACjD;EACH,CAAC"}
+{"version":3,"file":"http.js","names":["result","parseCookies"],"sources":["../../../src/server/http.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport {\n  GenericActionCtx,\n  GenericDataModel,\n  HttpRouter,\n  httpActionGeneric,\n} from \"convex/server\";\nimport { ConvexError } from \"convex/values\";\nimport { parse as parseCookies } from \"cookie\";\n\nimport type {\n  AuthContext,\n  OptionalAuthContext,\n  UserDoc,\n} from \"./auth\";\nimport {\n  createUnauthenticatedAuthContext,\n  getAuthContextForUser,\n  getSessionUserId,\n} from \"./context\";\nimport type { CorsConfig, HttpKeyContext } from \"./types\";\nimport { logError } from \"./utils\";\n\ntype HttpContextAuthLike = {\n  user: {\n    get: (ctx: any, userId: string) => Promise<UserDoc>;\n    getActiveGroup: (\n      ctx: any,\n      args: { userId: string },\n    ) => Promise<string | null>;\n  };\n  member: {\n    inspect: (\n      ctx: any,\n      args: { userId: string; groupId: string },\n    ) => Promise<{\n      membership: unknown;\n      roleIds: string[];\n      grants: string[];\n    }>;\n  };\n  key: {\n    verify: (ctx: GenericActionCtx<any>, rawKey: string) => Promise<{\n      userId: string;\n      keyId: string;\n      scopes: HttpKeyContext[\"key\"][\"scopes\"];\n    }>;\n  };\n};\n\n/**\n * Auth context returned by `auth.http.context(ctx, request)`.\n *\n * This resolves raw HTTP authentication in two steps:\n * 1. session auth from `ctx.auth.getUserIdentity()`\n * 2. API key auth from `Authorization: Bearer sk_*`\n *\n * The `source` field tells you which authentication path succeeded.\n * When `source === \"key\"`, the verified API key metadata is available on\n * `key`.\n *\n * @example\n * ```ts\n * const authContext = await auth.http.context(ctx, request);\n * if (authContext.source === \"key\") {\n *   console.log(authContext.key.keyId);\n * }\n * ```\n */\nexport type HttpAuthContext =\n  | (AuthContext & {\n      /** The request authenticated through a browser or session token. */\n      source: \"session\";\n      /** No API key was used for this request. */\n      key: null;\n    })\n  | (AuthContext & {\n      /** The request authenticated through an API key. */\n      source: \"key\";\n      /** Verified API key metadata for the request. */\n      key: HttpKeyContext[\"key\"];\n    });\n\n/**\n * Nullable HTTP auth context returned by\n * `auth.http.context(ctx, request, { optional: true })`.\n *\n * This preserves a stable auth-shaped object for raw `httpAction` handlers\n * that allow anonymous callers.\n */\nexport type OptionalHttpAuthContext =\n  | (OptionalAuthContext & {\n      /** No authentication source was resolved. */\n      source: null;\n      /** No API key metadata is available. */\n      key: null;\n    })\n  | HttpAuthContext;\n\n/**\n * Configuration for {@link createAuth().http.context}.\n *\n * This mirrors {@link AuthContextConfig} for raw HTTP handlers and adds support\n * for enriching mixed session/API-key auth results.\n *\n * @typeParam TResolve - Extra fields returned from `resolve()` and merged into\n *   the resolved HTTP auth context.\n *\n * @example\n * ```ts\n * const authContext = await auth.http.context(ctx, request, {\n *   resolve: async (_ctx, user, authState) => ({\n *     email: user.email,\n *     isMachineRequest: authState.source === \"key\",\n *   }),\n * });\n * ```\n */\nexport type HttpAuthContextConfig<\n  TResolve extends Record<string, unknown> = Record<string, never>,\n> = {\n  /**\n   * Allow unauthenticated callers and return a null-shaped auth object instead\n   * of throwing `NOT_SIGNED_IN`.\n   */\n  optional?: boolean;\n  /**\n   * Attach additional derived fields to the resolved HTTP auth context.\n   *\n   * This callback runs only when authentication succeeds.\n   */\n  resolve?: (\n    ctx: GenericActionCtx<any>,\n    user: UserDoc,\n    auth: HttpAuthContext,\n  ) => Promise<TResolve> | TResolve;\n  /**\n   * Override or wrap HTTP auth resolution.\n   *\n   * Return `undefined` to use the built-in session-or-key resolver, `null` for\n   * an explicit unauthenticated state, or a fully resolved\n   * {@link HttpAuthContext}.\n   */\n  authResolve?: (\n    ctx: GenericActionCtx<any>,\n    fallback: () => Promise<HttpAuthContext | null>,\n  ) =>\n    | Promise<HttpAuthContext | null | undefined>\n    | HttpAuthContext\n    | null\n    | undefined;\n};\n\nfunction createNotSignedInError() {\n  return Cv.error({\n    code: \"NOT_SIGNED_IN\",\n    message: \"Authentication required.\",\n  });\n}\n\nasync function getHttpKeyContext(\n  auth: HttpContextAuthLike,\n  ctx: GenericActionCtx<any>,\n  request: Request,\n): Promise<HttpAuthContext | null> {\n  const authHeader = request.headers.get(\"Authorization\");\n  if (!authHeader?.startsWith(\"Bearer sk_\")) {\n    return null;\n  }\n\n  try {\n    const verified = await auth.key.verify(ctx, authHeader.slice(7));\n    const authContext = await getAuthContextForUser(auth, ctx, verified.userId);\n    return {\n      ...authContext,\n      source: \"key\",\n      key: {\n        userId: verified.userId,\n        keyId: verified.keyId,\n        scopes: verified.scopes,\n      },\n    };\n  } catch {\n    return null;\n  }\n}\n\nasync function resolveHttpAuthContext(\n  auth: HttpContextAuthLike,\n  ctx: GenericActionCtx<any>,\n  request: Request,\n): Promise<HttpAuthContext | null> {\n  const sessionUserId = await getSessionUserId(ctx);\n  if (sessionUserId !== null) {\n    const authContext = await getAuthContextForUser(auth, ctx, sessionUserId);\n    return {\n      ...authContext,\n      source: \"session\",\n      key: null,\n    };\n  }\n\n  return await getHttpKeyContext(auth, ctx, request);\n}\n\n/**\n * @internal\n * Create the implementation behind `auth.http.context(...)`.\n */\nexport function createHttpContext(auth: HttpContextAuthLike): {\n  <TResolve extends Record<string, unknown> = Record<string, never>>(\n    ctx: GenericActionCtx<any>,\n    request: Request,\n    config: HttpAuthContextConfig<TResolve> & { optional: true },\n  ): Promise<OptionalHttpAuthContext & TResolve>;\n  <TResolve extends Record<string, unknown> = Record<string, never>>(\n    ctx: GenericActionCtx<any>,\n    request: Request,\n    config?: HttpAuthContextConfig<TResolve>,\n  ): Promise<HttpAuthContext & TResolve>;\n} {\n  return (async (\n    ctx: GenericActionCtx<any>,\n    request: Request,\n    config?: HttpAuthContextConfig<any>,\n  ) => {\n    const fallback = () => resolveHttpAuthContext(auth, ctx, request);\n    const authOverride = config?.authResolve\n      ? await config.authResolve(ctx, fallback)\n      : undefined;\n    const resolved =\n      authOverride === undefined ? await fallback() : authOverride;\n\n    if (resolved === null) {\n      if (config?.optional !== true) {\n        throw createNotSignedInError();\n      }\n      return {\n        ...createUnauthenticatedAuthContext(),\n        source: null,\n        key: null,\n      };\n    }\n\n    const extra = config?.resolve\n      ? await config.resolve(ctx, resolved.user, resolved)\n      : {};\n\n    return {\n      ...resolved,\n      ...extra,\n    };\n  }) as {\n    <TResolve extends Record<string, unknown> = Record<string, never>>(\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      config: HttpAuthContextConfig<TResolve> & { optional: true },\n    ): Promise<OptionalHttpAuthContext & TResolve>;\n    <TResolve extends Record<string, unknown> = Record<string, never>>(\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      config?: HttpAuthContextConfig<TResolve>,\n    ): Promise<HttpAuthContext & TResolve>;\n  };\n}\n\nexport function createHttpAction(auth: {\n  key: { verify: (ctx: GenericActionCtx<any>, rawKey: string) => Promise<any> };\n}) {\n  return (\n    handler: (\n      ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,\n      request: Request,\n    ) => Promise<Response | Record<string, unknown>>,\n    options?: {\n      scope?: { resource: string; action: string };\n      cors?: CorsConfig;\n    },\n  ) => {\n    const corsConfig = options?.cors ?? {};\n    const corsHeaders: Record<string, string> = {\n      \"Access-Control-Allow-Origin\": corsConfig.origin ?? \"*\",\n      \"Access-Control-Allow-Methods\":\n        corsConfig.methods ?? \"GET,POST,PUT,PATCH,DELETE,OPTIONS\",\n      \"Access-Control-Allow-Headers\":\n        corsConfig.headers ?? \"Content-Type,Authorization\",\n    };\n\n    return httpActionGeneric(async (genericCtx, request) => {\n      return Fx.run(\n        Fx.from({\n          ok: async () => {\n            const authHeader = request.headers.get(\"Authorization\");\n            if (!authHeader?.startsWith(\"Bearer \")) {\n              return new Response(\n                JSON.stringify({\n                  error: \"Missing or malformed Authorization: Bearer header.\",\n                  code: \"MISSING_BEARER_TOKEN\",\n                }),\n                {\n                  status: 401,\n                  headers: {\n                    ...corsHeaders,\n                    \"Content-Type\": \"application/json\",\n                  },\n                },\n              );\n            }\n            const rawKey = authHeader.slice(7);\n\n            const keyResult = await Fx.run(\n              Fx.attempt(\n                () => auth.key.verify(genericCtx, rawKey),\n                (result) => ({ ok: true, value: result }) as const,\n                (error) => ({ ok: false, error }) as const,\n              ),\n            );\n\n            if (!keyResult.ok) {\n              if (\n                keyResult.error instanceof ConvexError &&\n                typeof keyResult.error.data === \"object\" &&\n                keyResult.error.data !== null &&\n                \"code\" in keyResult.error.data &&\n                \"message\" in keyResult.error.data\n              ) {\n                const { code, message } = keyResult.error.data as {\n                  code: string;\n                  message: string;\n                };\n                return new Response(JSON.stringify({ error: message, code }), {\n                  status: 403,\n                  headers: {\n                    ...corsHeaders,\n                    \"Content-Type\": \"application/json\",\n                  },\n                });\n              }\n              throw keyResult.error;\n            }\n\n            if (\n              options?.scope &&\n              !keyResult.value.scopes.can(\n                options.scope.resource,\n                options.scope.action,\n              )\n            ) {\n              return new Response(\n                JSON.stringify({\n                  error: \"This API key does not have the required permissions.\",\n                  code: \"SCOPE_CHECK_FAILED\",\n                }),\n                {\n                  status: 403,\n                  headers: {\n                    ...corsHeaders,\n                    \"Content-Type\": \"application/json\",\n                  },\n                },\n              );\n            }\n\n            const enrichedCtx = Object.assign(genericCtx, {\n              key: {\n                userId: keyResult.value.userId,\n                keyId: keyResult.value.keyId,\n                scopes: keyResult.value.scopes,\n              },\n            });\n            const result = await handler(enrichedCtx, request);\n\n            if (result instanceof Response) {\n              const headers = new Headers(result.headers);\n              for (const [k, val] of Object.entries(corsHeaders)) {\n                if (!headers.has(k)) headers.set(k, val);\n              }\n              return new Response(result.body, {\n                status: result.status,\n                statusText: result.statusText,\n                headers,\n              });\n            }\n\n            return new Response(JSON.stringify(result), {\n              status: 200,\n              headers: {\n                ...corsHeaders,\n                \"Content-Type\": \"application/json\",\n              },\n            });\n          },\n          err: (error) => error,\n        }).pipe(\n          Fx.recover((error) => {\n            logError(error);\n            return Fx.succeed(\n              new Response(\n                JSON.stringify({\n                  error: \"An unexpected error occurred.\",\n                  code: \"INTERNAL_ERROR\",\n                }),\n                {\n                  status: 500,\n                  headers: {\n                    ...corsHeaders,\n                    \"Content-Type\": \"application/json\",\n                  },\n                },\n              ),\n            );\n          }),\n        ),\n      );\n    });\n  };\n}\n\nexport function createHttpRoute(\n  wrapAction: ReturnType<typeof createHttpAction>,\n) {\n  return (\n    http: { route: (config: any) => void },\n    routeConfig: {\n      path: string;\n      method: \"GET\" | \"POST\" | \"PUT\" | \"PATCH\" | \"DELETE\";\n      handler: (\n        ctx: GenericActionCtx<GenericDataModel> & HttpKeyContext,\n        request: Request,\n      ) => Promise<Response | Record<string, unknown>>;\n      scope?: { resource: string; action: string };\n      cors?: CorsConfig;\n    },\n  ) => {\n    const corsConfig = routeConfig.cors ?? {};\n    const corsHeaders: Record<string, string> = {\n      \"Access-Control-Allow-Origin\": corsConfig.origin ?? \"*\",\n      \"Access-Control-Allow-Methods\":\n        corsConfig.methods ?? \"GET,POST,PUT,PATCH,DELETE,OPTIONS\",\n      \"Access-Control-Allow-Headers\":\n        corsConfig.headers ?? \"Content-Type,Authorization\",\n    };\n\n    http.route({\n      path: routeConfig.path,\n      method: \"OPTIONS\",\n      handler: httpActionGeneric(async () => {\n        return new Response(null, { status: 204, headers: corsHeaders });\n      }),\n    });\n\n    http.route({\n      path: routeConfig.path,\n      method: routeConfig.method,\n      handler: wrapAction(routeConfig.handler, {\n        scope: routeConfig.scope,\n        cors: routeConfig.cors,\n      }),\n    });\n  };\n}\n\nexport function convertErrorsToResponse(\n  errorStatusCode: number,\n  action: (ctx: GenericActionCtx<any>, request: Request) => Promise<Response>,\n) {\n  return async (ctx: GenericActionCtx<any>, request: Request) => {\n    return Fx.run(\n      Fx.from({\n        ok: () => action(ctx, request),\n        err: (error) => error,\n      }).pipe(\n        Fx.recover((error) => {\n          if (\n            error instanceof ConvexError &&\n            typeof error.data === \"object\" &&\n            error.data !== null &&\n            \"code\" in error.data &&\n            \"message\" in error.data\n          ) {\n            return Fx.succeed(\n              new Response(\n                JSON.stringify({\n                  code: error.data.code,\n                  message: error.data.message,\n                }),\n                {\n                  status: errorStatusCode,\n                  headers: { \"Content-Type\": \"application/json\" },\n                },\n              ),\n            );\n          } else if (error instanceof ConvexError) {\n            return Fx.succeed(\n              new Response(null, {\n                status: errorStatusCode,\n                statusText:\n                  typeof error.data === \"string\" ? error.data : \"Error\",\n              }),\n            );\n          } else {\n            logError(error);\n            return Fx.succeed(\n              new Response(null, {\n                status: 500,\n                statusText: \"Internal Server Error\",\n              }),\n            );\n          }\n        }),\n      ),\n    );\n  };\n}\n\nexport function getCookies(\n  request: Request,\n): Record<string, string | undefined> {\n  return parseCookies(request.headers.get(\"Cookie\") ?? \"\");\n}\n\nexport type SSORuntimeRoute = {\n  pathname?: string;\n  enterpriseId: string;\n  protocol: \"oidc\" | \"saml\" | \"scim\";\n  rest: string[];\n};\n\nfunction parseEnterpriseRuntimeRoute(\n  pathname: string,\n  routeBase: string,\n): SSORuntimeRoute | null {\n  const runtimePrefix = `${routeBase}/`;\n  const runtimeParts = pathname.startsWith(runtimePrefix)\n    ? pathname.slice(runtimePrefix.length).split(\"/\").filter(Boolean)\n    : [];\n  const [runtimeEnterpriseId, protocol, ...rest] = runtimeParts;\n  if (\n    runtimeEnterpriseId === undefined ||\n    (protocol !== \"oidc\" && protocol !== \"saml\" && protocol !== \"scim\") ||\n    rest.length === 0\n  ) {\n    return null;\n  }\n  return {\n    pathname,\n    enterpriseId: runtimeEnterpriseId,\n    protocol,\n    rest,\n  };\n}\n\nexport function addOpenIdRoutes(\n  http: HttpRouter,\n  deps: {\n    getIssuer: () => string;\n    getJwks: () => string;\n  },\n) {\n  const cacheControl =\n    \"public, max-age=15, stale-while-revalidate=15, stale-if-error=86400\";\n\n  http.route({\n    path: \"/.well-known/openid-configuration\",\n    method: \"GET\",\n    handler: httpActionGeneric(async () => {\n      const issuer = deps.getIssuer();\n      return new Response(\n        JSON.stringify({\n          issuer,\n          jwks_uri: `${issuer}/.well-known/jwks.json`,\n        }),\n        {\n          status: 200,\n          headers: {\n            \"Content-Type\": \"application/json\",\n            \"Cache-Control\": cacheControl,\n          },\n        },\n      );\n    }),\n  });\n\n  http.route({\n    path: \"/.well-known/jwks.json\",\n    method: \"GET\",\n    handler: httpActionGeneric(async () => {\n      return new Response(deps.getJwks(), {\n        status: 200,\n        headers: {\n          \"Content-Type\": \"application/json\",\n          \"Cache-Control\": cacheControl,\n        },\n      });\n    }),\n  });\n}\n\nexport function addAuthRoutes(\n  http: HttpRouter,\n  deps: {\n    handleSignIn: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n    ) => Promise<Response>;\n    handleCallback: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n    ) => Promise<Response>;\n  },\n) {\n  http.route({\n    pathPrefix: \"/api/auth/signin/\",\n    method: \"GET\",\n    handler: httpActionGeneric(deps.handleSignIn),\n  });\n\n  const callbackHandler = httpActionGeneric(deps.handleCallback);\n\n  http.route({\n    pathPrefix: \"/api/auth/callback/\",\n    method: \"GET\",\n    handler: callbackHandler,\n  });\n\n  http.route({\n    pathPrefix: \"/api/auth/callback/\",\n    method: \"POST\",\n    handler: callbackHandler,\n  });\n}\n\nexport function addSSORoutes(\n  http: HttpRouter,\n  deps: {\n    routeBase: string;\n    convertErrorsToResponse: typeof convertErrorsToResponse;\n    handleSamlMetadata: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      route: SSORuntimeRoute,\n    ) => Promise<Response>;\n    handleSamlSignIn: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      route: SSORuntimeRoute,\n    ) => Promise<Response>;\n    handleOidcSignIn: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      route: SSORuntimeRoute,\n    ) => Promise<Response>;\n    handleOidcCallback: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      route: SSORuntimeRoute,\n    ) => Promise<Response>;\n    handleSamlAcs: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      route: SSORuntimeRoute,\n    ) => Promise<Response>;\n    handleSamlSlo: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n      route: SSORuntimeRoute,\n    ) => Promise<Response>;\n    handleScimRequest: (\n      ctx: GenericActionCtx<any>,\n      request: Request,\n    ) => Promise<Response>;\n    scimError: (status: number, scimType: string, detail: string) => Response;\n  },\n) {\n  const routePrefix = `${deps.routeBase}/`;\n\n  http.route({\n    pathPrefix: routePrefix,\n    method: \"GET\",\n    handler: httpActionGeneric(\n      deps.convertErrorsToResponse(400, async (ctx, request) => {\n        const route = parseEnterpriseRuntimeRoute(\n          new URL(request.url).pathname,\n          deps.routeBase,\n        );\n        if (!route) {\n          throw Cv.error({\n            code: \"INVALID_PARAMETERS\",\n            message: \"Invalid enterprise runtime path.\",\n          });\n        }\n        if (route.protocol === \"saml\" && route.rest.length === 1) {\n          if (route.rest[0] === \"metadata\") {\n            return await deps.handleSamlMetadata(ctx, request, route);\n          }\n          if (route.rest[0] === \"signin\") {\n            return await deps.handleSamlSignIn(ctx, request, route);\n          }\n          if (route.rest[0] === \"acs\") {\n            return await deps.handleSamlAcs(ctx, request, route);\n          }\n          if (route.rest[0] === \"slo\") {\n            return await deps.handleSamlSlo(ctx, request, route);\n          }\n        }\n        if (route.protocol === \"oidc\" && route.rest.length === 1) {\n          if (route.rest[0] === \"signin\") {\n            return await deps.handleOidcSignIn(ctx, request, route);\n          }\n          if (route.rest[0] === \"callback\") {\n            return await deps.handleOidcCallback(ctx, request, route);\n          }\n        }\n        if (route.protocol === \"scim\" && route.rest[0] === \"v2\") {\n          return await deps.handleScimRequest(ctx, request);\n        }\n        throw Cv.error({\n          code: \"INVALID_PARAMETERS\",\n          message: \"Invalid enterprise runtime path.\",\n        });\n      }),\n    ),\n  });\n\n  http.route({\n    pathPrefix: routePrefix,\n    method: \"POST\",\n    handler: httpActionGeneric(\n      deps.convertErrorsToResponse(400, async (ctx, request) => {\n        const route = parseEnterpriseRuntimeRoute(\n          new URL(request.url).pathname,\n          deps.routeBase,\n        );\n        if (route?.protocol === \"saml\" && route.rest.length === 1) {\n          if (route.rest[0] === \"acs\") {\n            return await deps.handleSamlAcs(ctx, request, route);\n          }\n          if (route.rest[0] === \"slo\") {\n            return await deps.handleSamlSlo(ctx, request, route);\n          }\n        }\n        if (route?.protocol === \"scim\" && route.rest[0] === \"v2\") {\n          return await deps.handleScimRequest(ctx, request);\n        }\n        throw Cv.error({\n          code: \"INVALID_PARAMETERS\",\n          message: \"Invalid enterprise runtime path.\",\n        });\n      }),\n    ),\n  });\n\n  http.route({\n    pathPrefix: routePrefix,\n    method: \"PUT\",\n    handler: httpActionGeneric(\n      deps.convertErrorsToResponse(400, async (ctx, request) => {\n        const route = parseEnterpriseRuntimeRoute(\n          new URL(request.url).pathname,\n          deps.routeBase,\n        );\n        if (route?.protocol === \"scim\" && route.rest[0] === \"v2\") {\n          return await deps.handleScimRequest(ctx, request);\n        }\n        throw Cv.error({\n          code: \"INVALID_PARAMETERS\",\n          message: \"Invalid enterprise runtime path.\",\n        });\n      }),\n    ),\n  });\n\n  for (const method of [\"PATCH\", \"DELETE\"] as const) {\n    http.route({\n      pathPrefix: routePrefix,\n      method,\n      handler: httpActionGeneric(async (ctx, request) => {\n        const route = parseEnterpriseRuntimeRoute(\n          new URL(request.url).pathname,\n          deps.routeBase,\n        );\n        if (!route || route.protocol !== \"scim\" || route.rest[0] !== \"v2\") {\n          return deps.scimError(404, \"notFound\", \"SCIM resource not found.\");\n        }\n        return await deps.handleScimRequest(ctx, request);\n      }),\n    });\n  }\n}\n"],"mappings":";;;;;;;;;AA0JA,SAAS,yBAAyB;AAChC,QAAO,GAAG,MAAM;EACd,MAAM;EACN,SAAS;EACV,CAAC;;AAGJ,eAAe,kBACb,MACA,KACA,SACiC;CACjC,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,KAAI,CAAC,YAAY,WAAW,aAAa,CACvC,QAAO;AAGT,KAAI;EACF,MAAM,WAAW,MAAM,KAAK,IAAI,OAAO,KAAK,WAAW,MAAM,EAAE,CAAC;AAEhE,SAAO;GACL,GAFkB,MAAM,sBAAsB,MAAM,KAAK,SAAS,OAAO;GAGzE,QAAQ;GACR,KAAK;IACH,QAAQ,SAAS;IACjB,OAAO,SAAS;IAChB,QAAQ,SAAS;IAClB;GACF;SACK;AACN,SAAO;;;AAIX,eAAe,uBACb,MACA,KACA,SACiC;CACjC,MAAM,gBAAgB,MAAM,iBAAiB,IAAI;AACjD,KAAI,kBAAkB,KAEpB,QAAO;EACL,GAFkB,MAAM,sBAAsB,MAAM,KAAK,cAAc;EAGvE,QAAQ;EACR,KAAK;EACN;AAGH,QAAO,MAAM,kBAAkB,MAAM,KAAK,QAAQ;;;;;;AAOpD,SAAgB,kBAAkB,MAWhC;AACA,SAAQ,OACN,KACA,SACA,WACG;EACH,MAAM,iBAAiB,uBAAuB,MAAM,KAAK,QAAQ;EACjE,MAAM,eAAe,QAAQ,cACzB,MAAM,OAAO,YAAY,KAAK,SAAS,GACvC;EACJ,MAAM,WACJ,iBAAiB,SAAY,MAAM,UAAU,GAAG;AAElD,MAAI,aAAa,MAAM;AACrB,OAAI,QAAQ,aAAa,KACvB,OAAM,wBAAwB;AAEhC,UAAO;IACL,GAAG,kCAAkC;IACrC,QAAQ;IACR,KAAK;IACN;;EAGH,MAAM,QAAQ,QAAQ,UAClB,MAAM,OAAO,QAAQ,KAAK,SAAS,MAAM,SAAS,GAClD,EAAE;AAEN,SAAO;GACL,GAAG;GACH,GAAG;GACJ;;;AAeL,SAAgB,iBAAiB,MAE9B;AACD,SACE,SAIA,YAIG;EACH,MAAM,aAAa,SAAS,QAAQ,EAAE;EACtC,MAAM,cAAsC;GAC1C,+BAA+B,WAAW,UAAU;GACpD,gCACE,WAAW,WAAW;GACxB,gCACE,WAAW,WAAW;GACzB;AAED,SAAO,kBAAkB,OAAO,YAAY,YAAY;AACtD,UAAO,GAAG,IACR,GAAG,KAAK;IACN,IAAI,YAAY;KACd,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,SAAI,CAAC,YAAY,WAAW,UAAU,CACpC,QAAO,IAAI,SACT,KAAK,UAAU;MACb,OAAO;MACP,MAAM;MACP,CAAC,EACF;MACE,QAAQ;MACR,SAAS;OACP,GAAG;OACH,gBAAgB;OACjB;MACF,CACF;KAEH,MAAM,SAAS,WAAW,MAAM,EAAE;KAElC,MAAM,YAAY,MAAM,GAAG,IACzB,GAAG,cACK,KAAK,IAAI,OAAO,YAAY,OAAO,GACxC,cAAY;MAAE,IAAI;MAAM,OAAOA;MAAQ,IACvC,WAAW;MAAE,IAAI;MAAO;MAAO,EACjC,CACF;AAED,SAAI,CAAC,UAAU,IAAI;AACjB,UACE,UAAU,iBAAiB,eAC3B,OAAO,UAAU,MAAM,SAAS,YAChC,UAAU,MAAM,SAAS,QACzB,UAAU,UAAU,MAAM,QAC1B,aAAa,UAAU,MAAM,MAC7B;OACA,MAAM,EAAE,MAAM,YAAY,UAAU,MAAM;AAI1C,cAAO,IAAI,SAAS,KAAK,UAAU;QAAE,OAAO;QAAS;QAAM,CAAC,EAAE;QAC5D,QAAQ;QACR,SAAS;SACP,GAAG;SACH,gBAAgB;SACjB;QACF,CAAC;;AAEJ,YAAM,UAAU;;AAGlB,SACE,SAAS,SACT,CAAC,UAAU,MAAM,OAAO,IACtB,QAAQ,MAAM,UACd,QAAQ,MAAM,OACf,CAED,QAAO,IAAI,SACT,KAAK,UAAU;MACb,OAAO;MACP,MAAM;MACP,CAAC,EACF;MACE,QAAQ;MACR,SAAS;OACP,GAAG;OACH,gBAAgB;OACjB;MACF,CACF;KAUH,MAAM,SAAS,MAAM,QAPD,OAAO,OAAO,YAAY,EAC5C,KAAK;MACH,QAAQ,UAAU,MAAM;MACxB,OAAO,UAAU,MAAM;MACvB,QAAQ,UAAU,MAAM;MACzB,EACF,CAAC,EACwC,QAAQ;AAElD,SAAI,kBAAkB,UAAU;MAC9B,MAAM,UAAU,IAAI,QAAQ,OAAO,QAAQ;AAC3C,WAAK,MAAM,CAAC,GAAG,QAAQ,OAAO,QAAQ,YAAY,CAChD,KAAI,CAAC,QAAQ,IAAI,EAAE,CAAE,SAAQ,IAAI,GAAG,IAAI;AAE1C,aAAO,IAAI,SAAS,OAAO,MAAM;OAC/B,QAAQ,OAAO;OACf,YAAY,OAAO;OACnB;OACD,CAAC;;AAGJ,YAAO,IAAI,SAAS,KAAK,UAAU,OAAO,EAAE;MAC1C,QAAQ;MACR,SAAS;OACP,GAAG;OACH,gBAAgB;OACjB;MACF,CAAC;;IAEJ,MAAM,UAAU;IACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAU;AACpB,aAAS,MAAM;AACf,WAAO,GAAG,QACR,IAAI,SACF,KAAK,UAAU;KACb,OAAO;KACP,MAAM;KACP,CAAC,EACF;KACE,QAAQ;KACR,SAAS;MACP,GAAG;MACH,gBAAgB;MACjB;KACF,CACF,CACF;KACD,CACH,CACF;IACD;;;AAIN,SAAgB,gBACd,YACA;AACA,SACE,MACA,gBAUG;EACH,MAAM,aAAa,YAAY,QAAQ,EAAE;EACzC,MAAM,cAAsC;GAC1C,+BAA+B,WAAW,UAAU;GACpD,gCACE,WAAW,WAAW;GACxB,gCACE,WAAW,WAAW;GACzB;AAED,OAAK,MAAM;GACT,MAAM,YAAY;GAClB,QAAQ;GACR,SAAS,kBAAkB,YAAY;AACrC,WAAO,IAAI,SAAS,MAAM;KAAE,QAAQ;KAAK,SAAS;KAAa,CAAC;KAChE;GACH,CAAC;AAEF,OAAK,MAAM;GACT,MAAM,YAAY;GAClB,QAAQ,YAAY;GACpB,SAAS,WAAW,YAAY,SAAS;IACvC,OAAO,YAAY;IACnB,MAAM,YAAY;IACnB,CAAC;GACH,CAAC;;;AAIN,SAAgB,wBACd,iBACA,QACA;AACA,QAAO,OAAO,KAA4B,YAAqB;AAC7D,SAAO,GAAG,IACR,GAAG,KAAK;GACN,UAAU,OAAO,KAAK,QAAQ;GAC9B,MAAM,UAAU;GACjB,CAAC,CAAC,KACD,GAAG,SAAS,UAAU;AACpB,OACE,iBAAiB,eACjB,OAAO,MAAM,SAAS,YACtB,MAAM,SAAS,QACf,UAAU,MAAM,QAChB,aAAa,MAAM,KAEnB,QAAO,GAAG,QACR,IAAI,SACF,KAAK,UAAU;IACb,MAAM,MAAM,KAAK;IACjB,SAAS,MAAM,KAAK;IACrB,CAAC,EACF;IACE,QAAQ;IACR,SAAS,EAAE,gBAAgB,oBAAoB;IAChD,CACF,CACF;YACQ,iBAAiB,YAC1B,QAAO,GAAG,QACR,IAAI,SAAS,MAAM;IACjB,QAAQ;IACR,YACE,OAAO,MAAM,SAAS,WAAW,MAAM,OAAO;IACjD,CAAC,CACH;QACI;AACL,aAAS,MAAM;AACf,WAAO,GAAG,QACR,IAAI,SAAS,MAAM;KACjB,QAAQ;KACR,YAAY;KACb,CAAC,CACH;;IAEH,CACH,CACF;;;AAIL,SAAgB,WACd,SACoC;AACpC,QAAOC,MAAa,QAAQ,QAAQ,IAAI,SAAS,IAAI,GAAG;;AAU1D,SAAS,4BACP,UACA,WACwB;CACxB,MAAM,gBAAgB,GAAG,UAAU;CAInC,MAAM,CAAC,qBAAqB,UAAU,GAAG,QAHpB,SAAS,WAAW,cAAc,GACnD,SAAS,MAAM,cAAc,OAAO,CAAC,MAAM,IAAI,CAAC,OAAO,QAAQ,GAC/D,EAAE;AAEN,KACE,wBAAwB,UACvB,aAAa,UAAU,aAAa,UAAU,aAAa,UAC5D,KAAK,WAAW,EAEhB,QAAO;AAET,QAAO;EACL;EACA,cAAc;EACd;EACA;EACD;;AAGH,SAAgB,gBACd,MACA,MAIA;CACA,MAAM,eACJ;AAEF,MAAK,MAAM;EACT,MAAM;EACN,QAAQ;EACR,SAAS,kBAAkB,YAAY;GACrC,MAAM,SAAS,KAAK,WAAW;AAC/B,UAAO,IAAI,SACT,KAAK,UAAU;IACb;IACA,UAAU,GAAG,OAAO;IACrB,CAAC,EACF;IACE,QAAQ;IACR,SAAS;KACP,gBAAgB;KAChB,iBAAiB;KAClB;IACF,CACF;IACD;EACH,CAAC;AAEF,MAAK,MAAM;EACT,MAAM;EACN,QAAQ;EACR,SAAS,kBAAkB,YAAY;AACrC,UAAO,IAAI,SAAS,KAAK,SAAS,EAAE;IAClC,QAAQ;IACR,SAAS;KACP,gBAAgB;KAChB,iBAAiB;KAClB;IACF,CAAC;IACF;EACH,CAAC;;AAGJ,SAAgB,cACd,MACA,MAUA;AACA,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBAAkB,KAAK,aAAa;EAC9C,CAAC;CAEF,MAAM,kBAAkB,kBAAkB,KAAK,eAAe;AAE9D,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS;EACV,CAAC;AAEF,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS;EACV,CAAC;;AAGJ,SAAgB,aACd,MACA,MAuCA;CACA,MAAM,cAAc,GAAG,KAAK,UAAU;AAEtC,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBACP,KAAK,wBAAwB,KAAK,OAAO,KAAK,YAAY;GACxD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,CAAC,MACH,OAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACV,CAAC;AAEJ,OAAI,MAAM,aAAa,UAAU,MAAM,KAAK,WAAW,GAAG;AACxD,QAAI,MAAM,KAAK,OAAO,WACpB,QAAO,MAAM,KAAK,mBAAmB,KAAK,SAAS,MAAM;AAE3D,QAAI,MAAM,KAAK,OAAO,SACpB,QAAO,MAAM,KAAK,iBAAiB,KAAK,SAAS,MAAM;AAEzD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;AAEtD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;;AAGxD,OAAI,MAAM,aAAa,UAAU,MAAM,KAAK,WAAW,GAAG;AACxD,QAAI,MAAM,KAAK,OAAO,SACpB,QAAO,MAAM,KAAK,iBAAiB,KAAK,SAAS,MAAM;AAEzD,QAAI,MAAM,KAAK,OAAO,WACpB,QAAO,MAAM,KAAK,mBAAmB,KAAK,SAAS,MAAM;;AAG7D,OAAI,MAAM,aAAa,UAAU,MAAM,KAAK,OAAO,KACjD,QAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;AAEnD,SAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACV,CAAC;IACF,CACH;EACF,CAAC;AAEF,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBACP,KAAK,wBAAwB,KAAK,OAAO,KAAK,YAAY;GACxD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,OAAO,aAAa,UAAU,MAAM,KAAK,WAAW,GAAG;AACzD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;AAEtD,QAAI,MAAM,KAAK,OAAO,MACpB,QAAO,MAAM,KAAK,cAAc,KAAK,SAAS,MAAM;;AAGxD,OAAI,OAAO,aAAa,UAAU,MAAM,KAAK,OAAO,KAClD,QAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;AAEnD,SAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACV,CAAC;IACF,CACH;EACF,CAAC;AAEF,MAAK,MAAM;EACT,YAAY;EACZ,QAAQ;EACR,SAAS,kBACP,KAAK,wBAAwB,KAAK,OAAO,KAAK,YAAY;GACxD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,OAAO,aAAa,UAAU,MAAM,KAAK,OAAO,KAClD,QAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;AAEnD,SAAM,GAAG,MAAM;IACb,MAAM;IACN,SAAS;IACV,CAAC;IACF,CACH;EACF,CAAC;AAEF,MAAK,MAAM,UAAU,CAAC,SAAS,SAAS,CACtC,MAAK,MAAM;EACT,YAAY;EACZ;EACA,SAAS,kBAAkB,OAAO,KAAK,YAAY;GACjD,MAAM,QAAQ,4BACZ,IAAI,IAAI,QAAQ,IAAI,CAAC,UACrB,KAAK,UACN;AACD,OAAI,CAAC,SAAS,MAAM,aAAa,UAAU,MAAM,KAAK,OAAO,KAC3D,QAAO,KAAK,UAAU,KAAK,YAAY,2BAA2B;AAEpE,UAAO,MAAM,KAAK,kBAAkB,KAAK,QAAQ;IACjD;EACH,CAAC"}

package/dist/component/server/identity.js

@@ -1,10 +1,13 @@
-import { AuthError } from "./authError.js";
+import { Cv } from "@robelest/fx/convex";
 
 //#region src/server/identity.ts
 /** @internal */
 function userIdFromIdentitySubject(subject) {
 	const [userId, ...rest] = subject.split("|");
-	if (typeof userId !== "string" || userId.length === 0 || rest.length === 0 || rest.some((segment) => segment.length === 0)) throw new AuthError("INTERNAL_ERROR", "Authenticated identity subject is malformed.");
+	if (typeof userId !== "string" || userId.length === 0 || rest.length === 0 || rest.some((segment) => segment.length === 0)) throw Cv.error({
+		code: "INTERNAL_ERROR",
+		message: "Authenticated identity subject is malformed."
+	});
 	return userId;
 }
 

package/dist/component/server/identity.js.map

@@ -1 +1 @@
-{"version":3,"file":"identity.js","names":[],"sources":["../../../src/server/identity.ts"],"sourcesContent":["import { AuthError } from \"./authError\";\n\n/** @internal */\nexport function userIdFromIdentitySubject(subject: string): string {\n  const [userId, ...rest] = subject.split(\"|\");\n  if (\n    typeof userId !== \"string\" ||\n    userId.length === 0 ||\n    rest.length === 0 ||\n    rest.some((segment) => segment.length === 0)\n  ) {\n    throw new AuthError(\n      \"INTERNAL_ERROR\",\n      \"Authenticated identity subject is malformed.\",\n    );\n  }\n  return userId;\n}\n"],"mappings":";;;;AAGA,SAAgB,0BAA0B,SAAyB;CACjE,MAAM,CAAC,QAAQ,GAAG,QAAQ,QAAQ,MAAM,IAAI;AAC5C,KACE,OAAO,WAAW,YAClB,OAAO,WAAW,KAClB,KAAK,WAAW,KAChB,KAAK,MAAM,YAAY,QAAQ,WAAW,EAAE,CAE5C,OAAM,IAAI,UACR,kBACA,+CACD;AAEH,QAAO"}
+{"version":3,"file":"identity.js","names":[],"sources":["../../../src/server/identity.ts"],"sourcesContent":["import { Cv } from \"@robelest/fx/convex\";\n\n/** @internal */\nexport function userIdFromIdentitySubject(subject: string): string {\n  const [userId, ...rest] = subject.split(\"|\");\n  if (\n    typeof userId !== \"string\" ||\n    userId.length === 0 ||\n    rest.length === 0 ||\n    rest.some((segment) => segment.length === 0)\n  ) {\n    throw Cv.error({\n      code: \"INTERNAL_ERROR\",\n      message: \"Authenticated identity subject is malformed.\",\n    });\n  }\n  return userId;\n}\n"],"mappings":";;;;AAGA,SAAgB,0BAA0B,SAAyB;CACjE,MAAM,CAAC,QAAQ,GAAG,QAAQ,QAAQ,MAAM,IAAI;AAC5C,KACE,OAAO,WAAW,YAClB,OAAO,WAAW,KAClB,KAAK,WAAW,KAChB,KAAK,MAAM,YAAY,QAAQ,WAAW,EAAE,CAE5C,OAAM,GAAG,MAAM;EACb,MAAM;EACN,SAAS;EACV,CAAC;AAEJ,QAAO"}

package/dist/component/server/limits.js

@@ -1,5 +1,3 @@
-import { AuthError } from "./authError.js";
-import { errorMessage } from "./utils.js";
 import { authDb } from "./db.js";
 import { Fx } from "@robelest/fx";
 
@@ -16,45 +14,38 @@ const isSignInRateLimited = (ctx, identifier, config) => getRateLimitState(ctx,
 * If a record exists, decrement; otherwise create.
 */
 /** @internal */
-const recordFailedSignIn = (ctx, identifier, config) => getRateLimitState(ctx, identifier, config).pipe(Fx.chain((state) => state !== null ? Fx.from({
-	ok: () => authDb(ctx, config).rateLimits.patch(state.limit._id, {
+const recordFailedSignIn = (ctx, identifier, config) => Fx.gen(function* () {
+	const state = yield* getRateLimitState(ctx, identifier, config);
+	if (state !== null) yield* Fx.promise(() => authDb(ctx, config).rateLimits.patch(state.limit._id, {
 		attemptsLeft: state.attemptsLeft - 1,
 		lastAttemptTime: Date.now()
-	}),
-	err: (e) => new AuthError("INTERNAL_ERROR", `Failed to patch rate limit: ${errorMessage(e)}`)
-}) : Fx.from({
-	ok: () => authDb(ctx, config).rateLimits.create({
+	}));
+	else yield* Fx.promise(() => authDb(ctx, config).rateLimits.create({
 		identifier,
 		attemptsLeft: (config.signIn?.maxFailedAttemptsPerHour ?? DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR) - 1,
 		lastAttemptTime: Date.now()
-	}),
-	err: (e) => new AuthError("INTERNAL_ERROR", `Failed to create rate limit: ${errorMessage(e)}`)
-})), Fx.map(() => void 0));
+	}));
+});
 /**
 * Reset the rate limit for the given identifier (e.g. after successful sign-in).
 */
 /** @internal */
-const resetSignInRateLimit = (ctx, identifier, config) => getRateLimitState(ctx, identifier, config).pipe(Fx.chain((state) => state !== null ? Fx.from({
-	ok: () => authDb(ctx, config).rateLimits.delete(state.limit._id),
-	err: (e) => new AuthError("INTERNAL_ERROR", `Failed to delete rate limit: ${errorMessage(e)}`)
-}) : Fx.unit));
-const getRateLimitState = (ctx, identifier, config) => {
+const resetSignInRateLimit = (ctx, identifier, config) => Fx.gen(function* () {
+	const state = yield* getRateLimitState(ctx, identifier, config);
+	if (state !== null) yield* Fx.promise(() => authDb(ctx, config).rateLimits.delete(state.limit._id));
+});
+const getRateLimitState = (ctx, identifier, config) => Fx.gen(function* () {
 	const now = Date.now();
 	const maxAttemptsPerHour = config.signIn?.maxFailedAttemptsPerHour ?? DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR;
-	return Fx.from({
-		ok: () => authDb(ctx, config).rateLimits.get(identifier),
-		err: (e) => new AuthError("INTERNAL_ERROR", `Failed to get rate limit: ${errorMessage(e)}`)
-	}).pipe(Fx.map((raw) => {
-		const limit = raw;
-		if (limit === null) return null;
-		const elapsed = now - limit.lastAttemptTime;
-		const maxAttemptsPerMs = maxAttemptsPerHour / (3600 * 1e3);
-		return {
-			limit,
-			attemptsLeft: Math.min(maxAttemptsPerHour, limit.attemptsLeft + elapsed * maxAttemptsPerMs)
-		};
-	}));
-};
+	const limit = yield* Fx.promise(() => authDb(ctx, config).rateLimits.get(identifier));
+	if (limit === null) return null;
+	const elapsed = now - limit.lastAttemptTime;
+	const maxAttemptsPerMs = maxAttemptsPerHour / (3600 * 1e3);
+	return {
+		limit,
+		attemptsLeft: Math.min(maxAttemptsPerHour, limit.attemptsLeft + elapsed * maxAttemptsPerMs)
+	};
+});
 
 //#endregion
 export { isSignInRateLimited, recordFailedSignIn, resetSignInRateLimit };

package/dist/component/server/limits.js.map

@@ -1 +1 @@
-{"version":3,"file":"limits.js","names":[],"sources":["../../../src/server/limits.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\n\nimport { authDb } from \"./db\";\nimport { AuthError } from \"./authError\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { ConvexAuthConfig } from \"./types\";\nimport { errorMessage } from \"./utils\";\n\nconst DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;\n\n/**\n * Check whether the given identifier is currently rate-limited.\n */\n/** @internal */\nexport const isSignInRateLimited = (\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n): Fx<boolean, AuthError> =>\n  getRateLimitState(ctx, identifier, config).pipe(\n    Fx.map((state) => state !== null && state.attemptsLeft < 1),\n  );\n\n/**\n * Record a failed sign-in attempt for the given identifier.\n *\n * If a record exists, decrement; otherwise create.\n */\n/** @internal */\nexport const recordFailedSignIn = (\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n): Fx<void, AuthError> =>\n  getRateLimitState(ctx, identifier, config).pipe(\n    Fx.chain((state) =>\n      state !== null\n        ? Fx.from({\n            ok: () =>\n              authDb(ctx, config).rateLimits.patch(state.limit._id, {\n                attemptsLeft: state.attemptsLeft - 1,\n                lastAttemptTime: Date.now(),\n              }),\n            err: (e) =>\n              new AuthError(\n                \"INTERNAL_ERROR\",\n                `Failed to patch rate limit: ${errorMessage(e)}`,\n              ),\n          })\n        : Fx.from({\n            ok: () =>\n              authDb(ctx, config).rateLimits.create({\n                identifier,\n                attemptsLeft:\n                  (config.signIn?.maxFailedAttemptsPerHour ??\n                    DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR) - 1,\n                lastAttemptTime: Date.now(),\n              }),\n            err: (e) =>\n              new AuthError(\n                \"INTERNAL_ERROR\",\n                `Failed to create rate limit: ${errorMessage(e)}`,\n              ),\n          }),\n    ),\n    Fx.map(() => undefined),\n  );\n\n/**\n * Reset the rate limit for the given identifier (e.g. after successful sign-in).\n */\n/** @internal */\nexport const resetSignInRateLimit = (\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n): Fx<void, AuthError> =>\n  getRateLimitState(ctx, identifier, config).pipe(\n    Fx.chain((state) =>\n      state !== null\n        ? Fx.from({\n            ok: () => authDb(ctx, config).rateLimits.delete(state.limit._id),\n            err: (e) =>\n              new AuthError(\n                \"INTERNAL_ERROR\",\n                `Failed to delete rate limit: ${errorMessage(e)}`,\n              ),\n          })\n        : Fx.unit,\n    ),\n  );\n\n// ---------------------------------------------------------------------------\n// Internal\n// ---------------------------------------------------------------------------\n\ntype RateLimitState = {\n  limit: Doc<\"RateLimit\"> & { attemptsLeft: number; lastAttemptTime: number };\n  attemptsLeft: number;\n} | null;\n\nconst getRateLimitState = (\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n): Fx<RateLimitState, AuthError> => {\n  const now = Date.now();\n  const maxAttemptsPerHour =\n    config.signIn?.maxFailedAttemptsPerHour ??\n    DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR;\n\n  return Fx.from({\n    ok: () => authDb(ctx, config).rateLimits.get(identifier),\n    err: (e) =>\n      new AuthError(\n        \"INTERNAL_ERROR\",\n        `Failed to get rate limit: ${errorMessage(e)}`,\n      ),\n  }).pipe(\n    Fx.map((raw) => {\n      const limit = raw as\n        | (Doc<\"RateLimit\"> & { attemptsLeft: number; lastAttemptTime: number })\n        | null;\n      if (limit === null) return null;\n      const elapsed = now - limit.lastAttemptTime;\n      const maxAttemptsPerMs = maxAttemptsPerHour / (60 * 60 * 1000);\n      const attemptsLeft = Math.min(\n        maxAttemptsPerHour,\n        limit.attemptsLeft + elapsed * maxAttemptsPerMs,\n      );\n      return { limit, attemptsLeft };\n    }),\n  );\n};\n"],"mappings":";;;;;;AAQA,MAAM,wCAAwC;;;;;AAM9C,MAAa,uBACX,KACA,YACA,WAEA,kBAAkB,KAAK,YAAY,OAAO,CAAC,KACzC,GAAG,KAAK,UAAU,UAAU,QAAQ,MAAM,eAAe,EAAE,CAC5D;;;;;;;AAQH,MAAa,sBACX,KACA,YACA,WAEA,kBAAkB,KAAK,YAAY,OAAO,CAAC,KACzC,GAAG,OAAO,UACR,UAAU,OACN,GAAG,KAAK;CACN,UACE,OAAO,KAAK,OAAO,CAAC,WAAW,MAAM,MAAM,MAAM,KAAK;EACpD,cAAc,MAAM,eAAe;EACnC,iBAAiB,KAAK,KAAK;EAC5B,CAAC;CACJ,MAAM,MACJ,IAAI,UACF,kBACA,+BAA+B,aAAa,EAAE,GAC/C;CACJ,CAAC,GACF,GAAG,KAAK;CACN,UACE,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO;EACpC;EACA,eACG,OAAO,QAAQ,4BACd,yCAAyC;EAC7C,iBAAiB,KAAK,KAAK;EAC5B,CAAC;CACJ,MAAM,MACJ,IAAI,UACF,kBACA,gCAAgC,aAAa,EAAE,GAChD;CACJ,CAAC,CACP,EACD,GAAG,UAAU,OAAU,CACxB;;;;;AAMH,MAAa,wBACX,KACA,YACA,WAEA,kBAAkB,KAAK,YAAY,OAAO,CAAC,KACzC,GAAG,OAAO,UACR,UAAU,OACN,GAAG,KAAK;CACN,UAAU,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO,MAAM,MAAM,IAAI;CAChE,MAAM,MACJ,IAAI,UACF,kBACA,gCAAgC,aAAa,EAAE,GAChD;CACJ,CAAC,GACF,GAAG,KACR,CACF;AAWH,MAAM,qBACJ,KACA,YACA,WACkC;CAClC,MAAM,MAAM,KAAK,KAAK;CACtB,MAAM,qBACJ,OAAO,QAAQ,4BACf;AAEF,QAAO,GAAG,KAAK;EACb,UAAU,OAAO,KAAK,OAAO,CAAC,WAAW,IAAI,WAAW;EACxD,MAAM,MACJ,IAAI,UACF,kBACA,6BAA6B,aAAa,EAAE,GAC7C;EACJ,CAAC,CAAC,KACD,GAAG,KAAK,QAAQ;EACd,MAAM,QAAQ;AAGd,MAAI,UAAU,KAAM,QAAO;EAC3B,MAAM,UAAU,MAAM,MAAM;EAC5B,MAAM,mBAAmB,sBAAsB,OAAU;AAKzD,SAAO;GAAE;GAAO,cAJK,KAAK,IACxB,oBACA,MAAM,eAAe,UAAU,iBAChC;GAC6B;GAC9B,CACH"}
+{"version":3,"file":"limits.js","names":[],"sources":["../../../src/server/limits.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { ConvexError } from \"convex/values\";\n\nimport { authDb } from \"./db\";\nimport { Doc, MutationCtx } from \"./types\";\nimport { ConvexAuthConfig } from \"./types\";\n\nconst DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR = 10;\n\n/**\n * Check whether the given identifier is currently rate-limited.\n */\n/** @internal */\nexport const isSignInRateLimited = (\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n): Fx<boolean, ConvexError<any>> =>\n  getRateLimitState(ctx, identifier, config).pipe(\n    Fx.map((state) => state !== null && state.attemptsLeft < 1),\n  );\n\n/**\n * Record a failed sign-in attempt for the given identifier.\n *\n * If a record exists, decrement; otherwise create.\n */\n/** @internal */\nexport const recordFailedSignIn = (\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n): Fx<void, ConvexError<any>> =>\n  Fx.gen(function* () {\n    const state = yield* getRateLimitState(ctx, identifier, config);\n    if (state !== null) {\n      yield* Fx.promise(() =>\n        authDb(ctx, config).rateLimits.patch(state.limit._id, {\n          attemptsLeft: state.attemptsLeft - 1,\n          lastAttemptTime: Date.now(),\n        }),\n      );\n    } else {\n      yield* Fx.promise(() =>\n        authDb(ctx, config).rateLimits.create({\n          identifier,\n          attemptsLeft:\n            (config.signIn?.maxFailedAttemptsPerHour ??\n              DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR) - 1,\n          lastAttemptTime: Date.now(),\n        }),\n      );\n    }\n  });\n\n/**\n * Reset the rate limit for the given identifier (e.g. after successful sign-in).\n */\n/** @internal */\nexport const resetSignInRateLimit = (\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n): Fx<void, ConvexError<any>> =>\n  Fx.gen(function* () {\n    const state = yield* getRateLimitState(ctx, identifier, config);\n    if (state !== null) {\n      yield* Fx.promise(() =>\n        authDb(ctx, config).rateLimits.delete(state.limit._id),\n      );\n    }\n  });\n\n// ---------------------------------------------------------------------------\n// Internal\n// ---------------------------------------------------------------------------\n\ntype RateLimitState = {\n  limit: Doc<\"RateLimit\"> & { attemptsLeft: number; lastAttemptTime: number };\n  attemptsLeft: number;\n} | null;\n\nconst getRateLimitState = (\n  ctx: MutationCtx,\n  identifier: string,\n  config: ConvexAuthConfig,\n): Fx<RateLimitState, ConvexError<any>> =>\n  Fx.gen(function* () {\n    const now = Date.now();\n    const maxAttemptsPerHour =\n      config.signIn?.maxFailedAttemptsPerHour ??\n      DEFAULT_MAX_SIGN_IN_ATTEMPTS_PER_HOUR;\n\n    const limit = (yield* Fx.promise(() =>\n      authDb(ctx, config).rateLimits.get(identifier),\n    )) as\n      | (Doc<\"RateLimit\"> & { attemptsLeft: number; lastAttemptTime: number })\n      | null;\n    if (limit === null) return null;\n    const elapsed = now - limit.lastAttemptTime;\n    const maxAttemptsPerMs = maxAttemptsPerHour / (60 * 60 * 1000);\n    const attemptsLeft = Math.min(\n      maxAttemptsPerHour,\n      limit.attemptsLeft + elapsed * maxAttemptsPerMs,\n    );\n    return { limit, attemptsLeft };\n  });\n"],"mappings":";;;;AAOA,MAAM,wCAAwC;;;;;AAM9C,MAAa,uBACX,KACA,YACA,WAEA,kBAAkB,KAAK,YAAY,OAAO,CAAC,KACzC,GAAG,KAAK,UAAU,UAAU,QAAQ,MAAM,eAAe,EAAE,CAC5D;;;;;;;AAQH,MAAa,sBACX,KACA,YACA,WAEA,GAAG,IAAI,aAAa;CAClB,MAAM,QAAQ,OAAO,kBAAkB,KAAK,YAAY,OAAO;AAC/D,KAAI,UAAU,KACZ,QAAO,GAAG,cACR,OAAO,KAAK,OAAO,CAAC,WAAW,MAAM,MAAM,MAAM,KAAK;EACpD,cAAc,MAAM,eAAe;EACnC,iBAAiB,KAAK,KAAK;EAC5B,CAAC,CACH;KAED,QAAO,GAAG,cACR,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO;EACpC;EACA,eACG,OAAO,QAAQ,4BACd,yCAAyC;EAC7C,iBAAiB,KAAK,KAAK;EAC5B,CAAC,CACH;EAEH;;;;;AAMJ,MAAa,wBACX,KACA,YACA,WAEA,GAAG,IAAI,aAAa;CAClB,MAAM,QAAQ,OAAO,kBAAkB,KAAK,YAAY,OAAO;AAC/D,KAAI,UAAU,KACZ,QAAO,GAAG,cACR,OAAO,KAAK,OAAO,CAAC,WAAW,OAAO,MAAM,MAAM,IAAI,CACvD;EAEH;AAWJ,MAAM,qBACJ,KACA,YACA,WAEA,GAAG,IAAI,aAAa;CAClB,MAAM,MAAM,KAAK,KAAK;CACtB,MAAM,qBACJ,OAAO,QAAQ,4BACf;CAEF,MAAM,QAAS,OAAO,GAAG,cACvB,OAAO,KAAK,OAAO,CAAC,WAAW,IAAI,WAAW,CAC/C;AAGD,KAAI,UAAU,KAAM,QAAO;CAC3B,MAAM,UAAU,MAAM,MAAM;CAC5B,MAAM,mBAAmB,sBAAsB,OAAU;AAKzD,QAAO;EAAE;EAAO,cAJK,KAAK,IACxB,oBACA,MAAM,eAAe,UAAU,iBAChC;EAC6B;EAC9B"}

package/dist/component/server/mutations/account.js

@@ -1,10 +1,10 @@
-import { AuthError } from "../authError.js";
 import { LOG_LEVELS, logWithLevel, maybeRedact } from "../utils.js";
-import { authDb } from "../db.js";
 import { hash } from "../crypto.js";
+import { authDb } from "../db.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
-import { v } from "convex/values";
+import { Cv } from "@robelest/fx/convex";
 import { Fx } from "@robelest/fx";
+import { v } from "convex/values";
 
 //#region src/server/mutations/account.ts
 const modifyAccountArgs = v.object({
@@ -24,13 +24,15 @@ function modifyAccountImpl(ctx, args, getProviderOrThrow, config) {
 			secret: maybeRedact(account.secret ?? "")
 		}
 	});
-	return Fx.from({
-		ok: () => db.accounts.get(provider, account.id),
-		err: () => new AuthError("ACCOUNT_NOT_FOUND", `Cannot modify account with ID ${account.id} because it does not exist`)
-	}).pipe(Fx.chain((doc) => doc === null ? Fx.fail(new AuthError("ACCOUNT_NOT_FOUND", `Cannot modify account with ID ${account.id} because it does not exist`)) : Fx.succeed(doc)), Fx.chain((existingAccount) => hash(getProviderOrThrow(provider), account.secret).pipe(Fx.chain((hashedSecret) => Fx.from({
-		ok: () => db.accounts.patch(existingAccount._id, { secret: hashedSecret }),
-		err: () => new AuthError("INTERNAL_ERROR", "Failed to patch account")
-	})))), Fx.map(() => void 0));
+	return Fx.gen(function* () {
+		const existingAccount = yield* Fx.promise(() => db.accounts.get(provider, account.id));
+		if (existingAccount === null) return yield* Cv.fail({
+			code: "ACCOUNT_NOT_FOUND",
+			message: `Cannot modify account with ID ${account.id} because it does not exist`
+		});
+		const hashedSecret = yield* hash(getProviderOrThrow(provider), account.secret);
+		yield* Fx.promise(() => db.accounts.patch(existingAccount._id, { secret: hashedSecret }));
+	});
 }
 const callModifyAccount = async (ctx, args) => {
 	return ctx.runMutation(AUTH_STORE_REF, { args: {

package/dist/component/server/mutations/account.js.map

@@ -1 +1 @@
-{"version":3,"file":"account.js","names":[],"sources":["../../../../src/server/mutations/account.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../authError\";\nimport { GetProviderOrThrowFunc, hash } from \"../crypto\";\nimport * as Provider from \"../crypto\";\nimport { MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const modifyAccountArgs = v.object({\n  provider: v.string(),\n  account: v.object({ id: v.string(), secret: v.string() }),\n});\n\nexport function modifyAccountImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof modifyAccountArgs>,\n  getProviderOrThrow: GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Fx<void, AuthError> {\n  const { provider, account } = args;\n  const db = authDb(ctx, config);\n\n  logWithLevel(LOG_LEVELS.DEBUG, \"modifyAccountImpl args:\", {\n    provider,\n    account: { id: account.id, secret: maybeRedact(account.secret ?? \"\") },\n  });\n\n  return Fx.from({\n    ok: () => db.accounts.get(provider, account.id),\n    err: () =>\n      new AuthError(\n        \"ACCOUNT_NOT_FOUND\",\n        `Cannot modify account with ID ${account.id} because it does not exist`,\n      ),\n  }).pipe(\n    Fx.chain((doc) =>\n      doc === null\n        ? Fx.fail(\n            new AuthError(\n              \"ACCOUNT_NOT_FOUND\",\n              `Cannot modify account with ID ${account.id} because it does not exist`,\n            ),\n          )\n        : Fx.succeed(doc),\n    ),\n    Fx.chain((existingAccount) =>\n      hash(getProviderOrThrow(provider), account.secret).pipe(\n        Fx.chain((hashedSecret) =>\n          Fx.from({\n            ok: () =>\n              db.accounts.patch(existingAccount._id, { secret: hashedSecret }),\n            err: () =>\n              new AuthError(\"INTERNAL_ERROR\", \"Failed to patch account\"),\n          }),\n        ),\n      ),\n    ),\n    Fx.map(() => undefined),\n  );\n}\n\nexport const callModifyAccount = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof modifyAccountArgs>,\n): Promise<void> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"modifyAccount\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;;AAYA,MAAa,oBAAoB,EAAE,OAAO;CACxC,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,OAAO;EAAE,IAAI,EAAE,QAAQ;EAAE,QAAQ,EAAE,QAAQ;EAAE,CAAC;CAC1D,CAAC;AAEF,SAAgB,kBACd,KACA,MACA,oBACA,QACqB;CACrB,MAAM,EAAE,UAAU,YAAY;CAC9B,MAAM,KAAK,OAAO,KAAK,OAAO;AAE9B,cAAa,WAAW,OAAO,2BAA2B;EACxD;EACA,SAAS;GAAE,IAAI,QAAQ;GAAI,QAAQ,YAAY,QAAQ,UAAU,GAAG;GAAE;EACvE,CAAC;AAEF,QAAO,GAAG,KAAK;EACb,UAAU,GAAG,SAAS,IAAI,UAAU,QAAQ,GAAG;EAC/C,WACE,IAAI,UACF,qBACA,iCAAiC,QAAQ,GAAG,4BAC7C;EACJ,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KACD,IAAI,UACF,qBACA,iCAAiC,QAAQ,GAAG,4BAC7C,CACF,GACD,GAAG,QAAQ,IAAI,CACpB,EACD,GAAG,OAAO,oBACR,KAAK,mBAAmB,SAAS,EAAE,QAAQ,OAAO,CAAC,KACjD,GAAG,OAAO,iBACR,GAAG,KAAK;EACN,UACE,GAAG,SAAS,MAAM,gBAAgB,KAAK,EAAE,QAAQ,cAAc,CAAC;EAClE,WACE,IAAI,UAAU,kBAAkB,0BAA0B;EAC7D,CAAC,CACH,CACF,CACF,EACD,GAAG,UAAU,OAAU,CACxB;;AAGH,MAAa,oBAAoB,OAC/B,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
+{"version":3,"file":"account.js","names":[],"sources":["../../../../src/server/mutations/account.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { ConvexError, Infer, v } from \"convex/values\";\n\nimport { GetProviderOrThrowFunc, hash } from \"../crypto\";\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel, maybeRedact } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const modifyAccountArgs = v.object({\n  provider: v.string(),\n  account: v.object({ id: v.string(), secret: v.string() }),\n});\n\nexport function modifyAccountImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof modifyAccountArgs>,\n  getProviderOrThrow: GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Fx<void, ConvexError<any>> {\n  const { provider, account } = args;\n  const db = authDb(ctx, config);\n\n  logWithLevel(LOG_LEVELS.DEBUG, \"modifyAccountImpl args:\", {\n    provider,\n    account: { id: account.id, secret: maybeRedact(account.secret ?? \"\") },\n  });\n\n  return Fx.gen(function* () {\n    const existingAccount = yield* Fx.promise(() =>\n      db.accounts.get(provider, account.id),\n    );\n    if (existingAccount === null) {\n      return yield* Cv.fail({\n        code: \"ACCOUNT_NOT_FOUND\",\n        message: `Cannot modify account with ID ${account.id} because it does not exist`,\n      });\n    }\n    const hashedSecret = yield* hash(\n      getProviderOrThrow(provider),\n      account.secret,\n    );\n    yield* Fx.promise(() =>\n      db.accounts.patch(existingAccount._id, { secret: hashedSecret }),\n    );\n  });\n}\n\nexport const callModifyAccount = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof modifyAccountArgs>,\n): Promise<void> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"modifyAccount\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;;AAYA,MAAa,oBAAoB,EAAE,OAAO;CACxC,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,OAAO;EAAE,IAAI,EAAE,QAAQ;EAAE,QAAQ,EAAE,QAAQ;EAAE,CAAC;CAC1D,CAAC;AAEF,SAAgB,kBACd,KACA,MACA,oBACA,QAC4B;CAC5B,MAAM,EAAE,UAAU,YAAY;CAC9B,MAAM,KAAK,OAAO,KAAK,OAAO;AAE9B,cAAa,WAAW,OAAO,2BAA2B;EACxD;EACA,SAAS;GAAE,IAAI,QAAQ;GAAI,QAAQ,YAAY,QAAQ,UAAU,GAAG;GAAE;EACvE,CAAC;AAEF,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,QAAQ,GAAG,CACtC;AACD,MAAI,oBAAoB,KACtB,QAAO,OAAO,GAAG,KAAK;GACpB,MAAM;GACN,SAAS,iCAAiC,QAAQ,GAAG;GACtD,CAAC;EAEJ,MAAM,eAAe,OAAO,KAC1B,mBAAmB,SAAS,EAC5B,QAAQ,OACT;AACD,SAAO,GAAG,cACR,GAAG,SAAS,MAAM,gBAAgB,KAAK,EAAE,QAAQ,cAAc,CAAC,CACjE;GACD;;AAGJ,MAAa,oBAAoB,OAC/B,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/component/server/mutations/code.js

@@ -1,9 +1,9 @@
-import { AuthError } from "../authError.js";
 import { LOG_LEVELS, logWithLevel, sha256 } from "../utils.js";
 import { authDb } from "../db.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
 import { getAuthSessionId } from "../sessions.js";
 import { upsertUserAndAccount } from "../users.js";
+import { Cv } from "@robelest/fx/convex";
 import { v } from "convex/values";
 
 //#region src/server/mutations/code.ts
@@ -22,7 +22,10 @@ async function createVerificationCodeImpl(ctx, args, getProviderOrThrow, config)
 	const db = authDb(ctx, config);
 	const typedExistingAccountId = existingAccountId;
 	const existingAccount = typedExistingAccountId !== void 0 ? await db.accounts.getById(typedExistingAccountId) ?? (() => {
-		throw new AuthError("ACCOUNT_NOT_FOUND", `Expected an account to exist for ID "${typedExistingAccountId}"`).toConvexError();
+		throw Cv.error({
+			code: "ACCOUNT_NOT_FOUND",
+			message: `Expected an account to exist for ID "${typedExistingAccountId}"`
+		});
 	})() : await db.accounts.get(providerId, email ?? phone);
 	const provider = getProviderOrThrow(providerId, allowExtraProviders);
 	const { accountId } = await upsertUserAndAccount(ctx, await getAuthSessionId(ctx), existingAccount !== null ? { existingAccount } : { providerAccountId: email ?? phone }, provider.type === "email" ? {

package/dist/component/server/mutations/code.js.map

@@ -1 +1 @@
-{"version":3,"file":"code.js","names":[],"sources":["../../../../src/server/mutations/code.ts"],"sourcesContent":["import type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../authError\";\nimport * as Provider from \"../crypto\";\nimport { getAuthSessionId } from \"../sessions\";\nimport { MutationCtx } from \"../types\";\nimport { EmailConfig, PhoneConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { LOG_LEVELS, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const createVerificationCodeArgs = v.object({\n  accountId: v.optional(v.string()),\n  provider: v.string(),\n  email: v.optional(v.string()),\n  phone: v.optional(v.string()),\n  code: v.string(),\n  expirationTime: v.number(),\n  allowExtraProviders: v.boolean(),\n});\n\ntype ReturnType = string;\n\nexport async function createVerificationCodeImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof createVerificationCodeArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  logWithLevel(LOG_LEVELS.DEBUG, \"createVerificationCodeImpl args:\", args);\n  const {\n    email,\n    phone,\n    code,\n    expirationTime,\n    provider: providerId,\n    accountId: existingAccountId,\n    allowExtraProviders,\n  } = args;\n  const db = authDb(ctx, config);\n  const typedExistingAccountId = existingAccountId as\n    | GenericId<\"Account\">\n    | undefined;\n  const existingAccount =\n    typedExistingAccountId !== undefined\n      ? ((await db.accounts.getById(typedExistingAccountId)) ??\n        (() => {\n          throw new AuthError(\n            \"ACCOUNT_NOT_FOUND\",\n            `Expected an account to exist for ID \"${typedExistingAccountId}\"`,\n          ).toConvexError();\n        })())\n      : await db.accounts.get(providerId, email ?? phone!);\n\n  const provider = getProviderOrThrow(providerId, allowExtraProviders) as\n    | EmailConfig\n    | PhoneConfig;\n  const { accountId } = await upsertUserAndAccount(\n    ctx,\n    await getAuthSessionId(ctx),\n    existingAccount !== null\n      ? { existingAccount }\n      : { providerAccountId: email ?? phone! },\n    provider.type === \"email\"\n      ? { type: \"email\", provider, profile: { email: email! } }\n      : { type: \"phone\", provider, profile: { phone: phone! } },\n    config,\n  );\n  await generateUniqueVerificationCode(\n    ctx,\n    accountId,\n    providerId,\n    code,\n    expirationTime,\n    { email, phone },\n    config,\n  );\n  return email ?? phone!;\n}\n\nexport const callCreateVerificationCode = async <\n  DataModel extends GenericDataModel,\n>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof createVerificationCodeArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"createVerificationCode\",\n      ...args,\n    },\n  });\n};\n\nasync function generateUniqueVerificationCode(\n  ctx: MutationCtx,\n  accountId: GenericId<\"Account\">,\n  provider: string,\n  code: string,\n  expirationTime: number,\n  { email, phone }: { email?: string; phone?: string },\n  config: Provider.Config,\n) {\n  const db = authDb(ctx, config);\n  const existingCode = await db.verificationCodes.getByAccountId(accountId);\n  if (existingCode !== null) {\n    await db.verificationCodes.delete(existingCode._id);\n  }\n  await db.verificationCodes.create({\n    accountId,\n    provider,\n    code: await sha256(code),\n    expirationTime,\n    emailVerified: email,\n    phoneVerified: phone,\n  });\n}\n"],"mappings":";;;;;;;;;AAaA,MAAa,6BAA6B,EAAE,OAAO;CACjD,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,UAAU,EAAE,QAAQ;CACpB,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,MAAM,EAAE,QAAQ;CAChB,gBAAgB,EAAE,QAAQ;CAC1B,qBAAqB,EAAE,SAAS;CACjC,CAAC;AAIF,eAAsB,2BACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,oCAAoC,KAAK;CACxE,MAAM,EACJ,OACA,OACA,MACA,gBACA,UAAU,YACV,WAAW,mBACX,wBACE;CACJ,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,yBAAyB;CAG/B,MAAM,kBACJ,2BAA2B,SACrB,MAAM,GAAG,SAAS,QAAQ,uBAAuB,WAC5C;AACL,QAAM,IAAI,UACR,qBACA,wCAAwC,uBAAuB,GAChE,CAAC,eAAe;KACf,GACJ,MAAM,GAAG,SAAS,IAAI,YAAY,SAAS,MAAO;CAExD,MAAM,WAAW,mBAAmB,YAAY,oBAAoB;CAGpE,MAAM,EAAE,cAAc,MAAM,qBAC1B,KACA,MAAM,iBAAiB,IAAI,EAC3B,oBAAoB,OAChB,EAAE,iBAAiB,GACnB,EAAE,mBAAmB,SAAS,OAAQ,EAC1C,SAAS,SAAS,UACd;EAAE,MAAM;EAAS;EAAU,SAAS,EAAS,OAAQ;EAAE,GACvD;EAAE,MAAM;EAAS;EAAU,SAAS,EAAS,OAAQ;EAAE,EAC3D,OACD;AACD,OAAM,+BACJ,KACA,WACA,YACA,MACA,gBACA;EAAE;EAAO;EAAO,EAChB,OACD;AACD,QAAO,SAAS;;AAGlB,MAAa,6BAA6B,OAGxC,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,eAAe,+BACb,KACA,WACA,UACA,MACA,gBACA,EAAE,OAAO,SACT,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,eAAe,MAAM,GAAG,kBAAkB,eAAe,UAAU;AACzE,KAAI,iBAAiB,KACnB,OAAM,GAAG,kBAAkB,OAAO,aAAa,IAAI;AAErD,OAAM,GAAG,kBAAkB,OAAO;EAChC;EACA;EACA,MAAM,MAAM,OAAO,KAAK;EACxB;EACA,eAAe;EACf,eAAe;EAChB,CAAC"}
+{"version":3,"file":"code.js","names":[],"sources":["../../../../src/server/mutations/code.ts"],"sourcesContent":["import { Cv } from \"@robelest/fx/convex\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { getAuthSessionId } from \"../sessions\";\nimport { MutationCtx } from \"../types\";\nimport { EmailConfig, PhoneConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { LOG_LEVELS, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const createVerificationCodeArgs = v.object({\n  accountId: v.optional(v.string()),\n  provider: v.string(),\n  email: v.optional(v.string()),\n  phone: v.optional(v.string()),\n  code: v.string(),\n  expirationTime: v.number(),\n  allowExtraProviders: v.boolean(),\n});\n\ntype ReturnType = string;\n\nexport async function createVerificationCodeImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof createVerificationCodeArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Promise<ReturnType> {\n  logWithLevel(LOG_LEVELS.DEBUG, \"createVerificationCodeImpl args:\", args);\n  const {\n    email,\n    phone,\n    code,\n    expirationTime,\n    provider: providerId,\n    accountId: existingAccountId,\n    allowExtraProviders,\n  } = args;\n  const db = authDb(ctx, config);\n  const typedExistingAccountId = existingAccountId as\n    | GenericId<\"Account\">\n    | undefined;\n  const existingAccount =\n    typedExistingAccountId !== undefined\n      ? ((await db.accounts.getById(typedExistingAccountId)) ??\n        (() => {\n          throw Cv.error({\n            code: \"ACCOUNT_NOT_FOUND\",\n            message: `Expected an account to exist for ID \"${typedExistingAccountId}\"`,\n          });\n        })())\n      : await db.accounts.get(providerId, email ?? phone!);\n\n  const provider = getProviderOrThrow(providerId, allowExtraProviders) as\n    | EmailConfig\n    | PhoneConfig;\n  const { accountId } = await upsertUserAndAccount(\n    ctx,\n    await getAuthSessionId(ctx),\n    existingAccount !== null\n      ? { existingAccount }\n      : { providerAccountId: email ?? phone! },\n    provider.type === \"email\"\n      ? { type: \"email\", provider, profile: { email: email! } }\n      : { type: \"phone\", provider, profile: { phone: phone! } },\n    config,\n  );\n  await generateUniqueVerificationCode(\n    ctx,\n    accountId,\n    providerId,\n    code,\n    expirationTime,\n    { email, phone },\n    config,\n  );\n  return email ?? phone!;\n}\n\nexport const callCreateVerificationCode = async <\n  DataModel extends GenericDataModel,\n>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof createVerificationCodeArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"createVerificationCode\",\n      ...args,\n    },\n  });\n};\n\nasync function generateUniqueVerificationCode(\n  ctx: MutationCtx,\n  accountId: GenericId<\"Account\">,\n  provider: string,\n  code: string,\n  expirationTime: number,\n  { email, phone }: { email?: string; phone?: string },\n  config: Provider.Config,\n) {\n  const db = authDb(ctx, config);\n  const existingCode = await db.verificationCodes.getByAccountId(accountId);\n  if (existingCode !== null) {\n    await db.verificationCodes.delete(existingCode._id);\n  }\n  await db.verificationCodes.create({\n    accountId,\n    provider,\n    code: await sha256(code),\n    expirationTime,\n    emailVerified: email,\n    phoneVerified: phone,\n  });\n}\n"],"mappings":";;;;;;;;;AAaA,MAAa,6BAA6B,EAAE,OAAO;CACjD,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,UAAU,EAAE,QAAQ;CACpB,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,MAAM,EAAE,QAAQ;CAChB,gBAAgB,EAAE,QAAQ;CAC1B,qBAAqB,EAAE,SAAS;CACjC,CAAC;AAIF,eAAsB,2BACpB,KACA,MACA,oBACA,QACqB;AACrB,cAAa,WAAW,OAAO,oCAAoC,KAAK;CACxE,MAAM,EACJ,OACA,OACA,MACA,gBACA,UAAU,YACV,WAAW,mBACX,wBACE;CACJ,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,yBAAyB;CAG/B,MAAM,kBACJ,2BAA2B,SACrB,MAAM,GAAG,SAAS,QAAQ,uBAAuB,WAC5C;AACL,QAAM,GAAG,MAAM;GACb,MAAM;GACN,SAAS,wCAAwC,uBAAuB;GACzE,CAAC;KACA,GACJ,MAAM,GAAG,SAAS,IAAI,YAAY,SAAS,MAAO;CAExD,MAAM,WAAW,mBAAmB,YAAY,oBAAoB;CAGpE,MAAM,EAAE,cAAc,MAAM,qBAC1B,KACA,MAAM,iBAAiB,IAAI,EAC3B,oBAAoB,OAChB,EAAE,iBAAiB,GACnB,EAAE,mBAAmB,SAAS,OAAQ,EAC1C,SAAS,SAAS,UACd;EAAE,MAAM;EAAS;EAAU,SAAS,EAAS,OAAQ;EAAE,GACvD;EAAE,MAAM;EAAS;EAAU,SAAS,EAAS,OAAQ;EAAE,EAC3D,OACD;AACD,OAAM,+BACJ,KACA,WACA,YACA,MACA,gBACA;EAAE;EAAO;EAAO,EAChB,OACD;AACD,QAAO,SAAS;;AAGlB,MAAa,6BAA6B,OAGxC,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,eAAe,+BACb,KACA,WACA,UACA,MACA,gBACA,EAAE,OAAO,SACT,QACA;CACA,MAAM,KAAK,OAAO,KAAK,OAAO;CAC9B,MAAM,eAAe,MAAM,GAAG,kBAAkB,eAAe,UAAU;AACzE,KAAI,iBAAiB,KACnB,OAAM,GAAG,kBAAkB,OAAO,aAAa,IAAI;AAErD,OAAM,GAAG,kBAAkB,OAAO;EAChC;EACA;EACA,MAAM,MAAM,OAAO,KAAK;EACxB;EACA,eAAe;EACf,eAAe;EAChB,CAAC"}

package/dist/component/server/mutations/invalidate.js

@@ -2,8 +2,8 @@ import { LOG_LEVELS, logWithLevel } from "../utils.js";
 import { authDb } from "../db.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
 import { deleteSession } from "../sessions.js";
-import { v } from "convex/values";
 import { Fx } from "@robelest/fx";
+import { v } from "convex/values";
 
 //#region src/server/mutations/invalidate.ts
 const invalidateSessionsArgs = v.object({

package/dist/component/server/mutations/invalidate.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalidate.js","names":[],"sources":["../../../../src/server/mutations/invalidate.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport * as Provider from \"../crypto\";\nimport { deleteSession } from \"../sessions\";\nimport { Doc, MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const invalidateSessionsArgs = v.object({\n  userId: v.string(),\n  except: v.optional(v.array(v.string())),\n});\n\nexport const callInvalidateSessions = async <\n  DataModel extends GenericDataModel,\n>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof invalidateSessionsArgs>,\n): Promise<void> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"invalidateSessions\",\n      ...args,\n    },\n  });\n};\n\nexport function invalidateSessionsImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof invalidateSessionsArgs>,\n  config: Provider.Config,\n): Fx<void, never> {\n  return Fx.gen(function* () {\n    logWithLevel(LOG_LEVELS.DEBUG, \"invalidateSessionsImpl args:\", args);\n    const { userId, except } = args;\n    const exceptSet = new Set(except ?? []);\n    const typedUserId = userId as GenericId<\"User\">;\n    const sessions = (yield* Fx.promise(() =>\n      authDb(ctx, config).sessions.listByUser(typedUserId),\n    )) as Doc<\"Session\">[];\n    yield* Fx.each(sessions, (session: Doc<\"Session\">) =>\n      exceptSet.has(session._id)\n        ? Fx.unit\n        : Fx.promise(() => deleteSession(ctx, session, config)),\n    );\n  });\n}\n"],"mappings":";;;;;;;;AAWA,MAAa,yBAAyB,EAAE,OAAO;CAC7C,QAAQ,EAAE,QAAQ;CAClB,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CACxC,CAAC;AAEF,MAAa,yBAAyB,OAGpC,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,SAAgB,uBACd,KACA,MACA,QACiB;AACjB,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,WAAW,OAAO,gCAAgC,KAAK;EACpE,MAAM,EAAE,QAAQ,WAAW;EAC3B,MAAM,YAAY,IAAI,IAAI,UAAU,EAAE,CAAC;EACvC,MAAM,cAAc;EACpB,MAAM,WAAY,OAAO,GAAG,cAC1B,OAAO,KAAK,OAAO,CAAC,SAAS,WAAW,YAAY,CACrD;AACD,SAAO,GAAG,KAAK,WAAW,YACxB,UAAU,IAAI,QAAQ,IAAI,GACtB,GAAG,OACH,GAAG,cAAc,cAAc,KAAK,SAAS,OAAO,CAAC,CAC1D;GACD"}
+{"version":3,"file":"invalidate.js","names":[],"sources":["../../../../src/server/mutations/invalidate.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId, Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { deleteSession } from \"../sessions\";\nimport { Doc, MutationCtx } from \"../types\";\nimport { LOG_LEVELS, logWithLevel } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nexport const invalidateSessionsArgs = v.object({\n  userId: v.string(),\n  except: v.optional(v.array(v.string())),\n});\n\nexport const callInvalidateSessions = async <\n  DataModel extends GenericDataModel,\n>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof invalidateSessionsArgs>,\n): Promise<void> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"invalidateSessions\",\n      ...args,\n    },\n  });\n};\n\nexport function invalidateSessionsImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof invalidateSessionsArgs>,\n  config: Provider.Config,\n): Fx<void, never> {\n  return Fx.gen(function* () {\n    logWithLevel(LOG_LEVELS.DEBUG, \"invalidateSessionsImpl args:\", args);\n    const { userId, except } = args;\n    const exceptSet = new Set(except ?? []);\n    const typedUserId = userId as GenericId<\"User\">;\n    const sessions = (yield* Fx.promise(() =>\n      authDb(ctx, config).sessions.listByUser(typedUserId),\n    )) as Doc<\"Session\">[];\n    yield* Fx.each(sessions, (session: Doc<\"Session\">) =>\n      exceptSet.has(session._id)\n        ? Fx.unit\n        : Fx.promise(() => deleteSession(ctx, session, config)),\n    );\n  });\n}\n"],"mappings":";;;;;;;;AAWA,MAAa,yBAAyB,EAAE,OAAO;CAC7C,QAAQ,EAAE,QAAQ;CAClB,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CACxC,CAAC;AAEF,MAAa,yBAAyB,OAGpC,KACA,SACkB;AAClB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC;;AAGJ,SAAgB,uBACd,KACA,MACA,QACiB;AACjB,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,WAAW,OAAO,gCAAgC,KAAK;EACpE,MAAM,EAAE,QAAQ,WAAW;EAC3B,MAAM,YAAY,IAAI,IAAI,UAAU,EAAE,CAAC;EACvC,MAAM,cAAc;EACpB,MAAM,WAAY,OAAO,GAAG,cAC1B,OAAO,KAAK,OAAO,CAAC,SAAS,WAAW,YAAY,CACrD;AACD,SAAO,GAAG,KAAK,WAAW,YACxB,UAAU,IAAI,QAAQ,IAAI,GACtB,GAAG,OACH,GAAG,cAAc,cAAc,KAAK,SAAS,OAAO,CAAC,CAC1D;GACD"}

package/dist/component/server/mutations/oauth.js

@@ -1,4 +1,3 @@
-import { AuthError } from "../authError.js";
 import { generateRandomString, logWithLevel, sha256 } from "../utils.js";
 import { authDb } from "../db.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
@@ -6,8 +5,9 @@ import { upsertUserAndAccount } from "../users.js";
 import { ENTERPRISE_OIDC_PROVIDER_PREFIX, ENTERPRISE_SAML_PROVIDER_PREFIX, isEnterpriseProviderId } from "../enterprise/shared.js";
 import { createSyntheticOAuthMaterializedConfig } from "../enterprise/oidc.js";
 import { normalizeEnterprisePolicy } from "../enterprise/policy.js";
-import { v } from "convex/values";
+import { Cv } from "@robelest/fx/convex";
 import { Fx } from "@robelest/fx";
+import { v } from "convex/values";
 
 //#region src/server/mutations/oauth.ts
 const OAUTH_SIGN_IN_EXPIRATION_MS = 1e3 * 60 * 2;
@@ -59,8 +59,14 @@ function userOAuthImpl(ctx, args, getProviderOrThrow, config) {
 		})) : null;
 		const verifier = yield* Fx.from({
 			ok: () => db.verifiers.getBySignature(signature),
-			err: () => new AuthError("OAUTH_INVALID_STATE")
-		}).pipe(Fx.chain((doc) => doc === null ? Fx.fail(new AuthError("OAUTH_INVALID_STATE")) : Fx.succeed(doc)));
+			err: () => Cv.error({
+				code: "OAUTH_INVALID_STATE",
+				message: "Invalid OAuth state. Please try signing in again."
+			})
+		}).pipe(Fx.chain((doc) => doc === null ? Cv.fail({
+			code: "OAUTH_INVALID_STATE",
+			message: "Invalid OAuth state. Please try signing in again."
+		}) : Fx.succeed(doc)));
 		const { accountId } = yield* Fx.promise(() => upsertUserAndAccount(ctx, verifier.sessionId ?? null, existingAccount !== null ? { existingAccount } : { providerAccountId }, {
 			type: "oauth",
 			provider: isEnterpriseProviderId(provider) ? createSyntheticOAuthMaterializedConfig(provider, { accountLinking: enterpriseProtocol === "oidc" ? enterprisePolicy?.identity.accountLinking.oidc : enterpriseProtocol === "saml" ? enterprisePolicy?.identity.accountLinking.saml : void 0 }) : getProviderOrThrow(provider),

package/dist/component/server/mutations/oauth.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.js","names":[],"sources":["../../../../src/server/mutations/oauth.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { Infer, v } from \"convex/values\";\n\nimport { authDb } from \"../db\";\nimport { AuthError } from \"../authError\";\nimport * as Provider from \"../crypto\";\nimport {\n  createSyntheticOAuthMaterializedConfig,\n} from \"../enterprise/oidc\";\nimport { normalizeEnterprisePolicy } from \"../enterprise/policy\";\nimport {\n  ENTERPRISE_OIDC_PROVIDER_PREFIX,\n  ENTERPRISE_SAML_PROVIDER_PREFIX,\n  isEnterpriseProviderId,\n} from \"../enterprise/shared\";\nimport { MutationCtx } from \"../types\";\nimport type { AuthProviderMaterializedConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { generateRandomString, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nconst OAUTH_SIGN_IN_EXPIRATION_MS = 1000 * 60 * 2; // 2 minutes\n\nexport const userOAuthArgs = v.object({\n  provider: v.string(),\n  providerAccountId: v.string(),\n  profile: v.any(),\n  signature: v.string(),\n  accountExtend: v.optional(v.any()),\n});\n\nfunction normalizeAccountExtend(\n  provider: string,\n  providerAccountId: string,\n  accountExtend: unknown,\n) {\n  const baseIdentity: Record<string, unknown> = {\n    type: \"oauth\",\n    provider,\n    providerAccountId,\n  };\n  if (provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)) {\n    baseIdentity.type = \"enterprise-oidc\";\n    baseIdentity.enterpriseId = provider.slice(\n      ENTERPRISE_OIDC_PROVIDER_PREFIX.length,\n    );\n  }\n  if (provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)) {\n    baseIdentity.type = \"enterprise-saml\";\n    baseIdentity.enterpriseId = provider.slice(\n      ENTERPRISE_SAML_PROVIDER_PREFIX.length,\n    );\n  }\n  const provided =\n    typeof accountExtend === \"object\" &&\n    accountExtend !== null &&\n    !Array.isArray(accountExtend)\n      ? (accountExtend as Record<string, unknown>)\n      : undefined;\n  const providedIdentity =\n    provided &&\n    typeof provided.identity === \"object\" &&\n    provided.identity !== null &&\n    !Array.isArray(provided.identity)\n      ? (provided.identity as Record<string, unknown>)\n      : undefined;\n  return {\n    ...provided,\n    identity: {\n      ...baseIdentity,\n      ...providedIdentity,\n    },\n  };\n}\n\ntype ReturnType = string;\n\nexport function userOAuthImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof userOAuthArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Fx<ReturnType, AuthError> {\n  return Fx.gen(function* () {\n    logWithLevel(\"DEBUG\", \"userOAuthImpl args:\", args);\n    const { profile, provider, providerAccountId, signature, accountExtend } =\n      args;\n    const db = authDb(ctx, config);\n    const existingAccount = yield* Fx.promise(() =>\n      db.accounts.get(provider, providerAccountId),\n    );\n    const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)\n      ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length)\n      : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n        ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length)\n        : null;\n    const enterprise =\n      enterpriseId !== null\n        ? yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.enterpriseGet, {\n              enterpriseId,\n            }),\n          )\n        : null;\n    const enterprisePolicy = enterprise\n      ? normalizeEnterprisePolicy(enterprise.policy)\n      : null;\n    const enterpriseProtocol = provider.startsWith(\n      ENTERPRISE_OIDC_PROVIDER_PREFIX,\n    )\n      ? \"oidc\"\n      : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n        ? \"saml\"\n        : null;\n\n    const existingScimIdentity =\n      enterpriseId !== null &&\n      existingAccount === null &&\n      enterprisePolicy?.provisioning.scimReuse.user === \"externalId\"\n        ? yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {\n              enterpriseId,\n              resourceType: \"user\",\n              externalId: providerAccountId,\n            }),\n          )\n        : null;\n\n    const verifier = yield* Fx.from({\n      ok: () => db.verifiers.getBySignature(signature),\n      err: () => new AuthError(\"OAUTH_INVALID_STATE\"),\n    }).pipe(\n      Fx.chain((doc) =>\n        doc === null\n          ? Fx.fail(new AuthError(\"OAUTH_INVALID_STATE\"))\n          : Fx.succeed(doc),\n      ),\n    );\n\n    const { accountId } = yield* Fx.promise(() =>\n      upsertUserAndAccount(\n        ctx,\n        verifier.sessionId ?? null,\n        existingAccount !== null ? { existingAccount } : { providerAccountId },\n        {\n          type: \"oauth\",\n          provider: (isEnterpriseProviderId(provider)\n            ? createSyntheticOAuthMaterializedConfig(provider, {\n                accountLinking:\n                  enterpriseProtocol === \"oidc\"\n                    ? enterprisePolicy?.identity.accountLinking.oidc\n                    : enterpriseProtocol === \"saml\"\n                      ? enterprisePolicy?.identity.accountLinking.saml\n                      : undefined,\n              })\n            : getProviderOrThrow(provider)) as AuthProviderMaterializedConfig,\n          profile,\n          accountExtend: normalizeAccountExtend(\n            provider,\n            providerAccountId,\n            accountExtend,\n          ),\n        },\n        config,\n        existingScimIdentity?.userId\n          ? { existingUserId: existingScimIdentity.userId }\n          : undefined,\n      ),\n    );\n\n    // JIT group provisioning: if this is an enterprise SSO sign-in and the\n    // enterprise connection has a groupId, auto-add the user as a member of\n    // that group if they aren't already a member.\n    if (\n      enterpriseId !== null &&\n      enterprisePolicy?.provisioning.jit.mode === \"createUserAndMembership\"\n    ) {\n      const account = yield* Fx.promise(() => db.accounts.getById(accountId));\n      const userId = account?.userId;\n      if (userId) {\n        const groupId = (enterprise as any)?.groupId as string | undefined;\n        if (groupId) {\n          const existingMembership = yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.memberGetByGroupAndUser, {\n              userId,\n              groupId,\n            }),\n          );\n          if (existingMembership === null) {\n            yield* Fx.promise(() =>\n              ctx.runMutation(config.component.public.memberAdd, {\n                groupId,\n                userId,\n                roleIds: enterprisePolicy.provisioning.jit.defaultRoleIds,\n                status: \"active\",\n              }),\n            );\n          }\n        }\n      }\n    }\n\n    const code = generateRandomString(8, \"0123456789\");\n    yield* Fx.promise(() => db.verifiers.delete(verifier._id));\n    const existingVerificationCode = yield* Fx.promise(() =>\n      db.verificationCodes.getByAccountId(accountId),\n    );\n    if (existingVerificationCode !== null) {\n      yield* Fx.promise(() =>\n        db.verificationCodes.delete(existingVerificationCode._id),\n      );\n    }\n    yield* Fx.promise(async () =>\n      db.verificationCodes.create({\n        code: await sha256(code),\n        accountId,\n        provider,\n        expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,\n        verifier: verifier._id,\n      }),\n    );\n    return code;\n  });\n}\n\nexport const callUserOAuth = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof userOAuthArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"userOAuth\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;;;;;AAsBA,MAAM,8BAA8B,MAAO,KAAK;AAEhD,MAAa,gBAAgB,EAAE,OAAO;CACpC,UAAU,EAAE,QAAQ;CACpB,mBAAmB,EAAE,QAAQ;CAC7B,SAAS,EAAE,KAAK;CAChB,WAAW,EAAE,QAAQ;CACrB,eAAe,EAAE,SAAS,EAAE,KAAK,CAAC;CACnC,CAAC;AAEF,SAAS,uBACP,UACA,mBACA,eACA;CACA,MAAM,eAAwC;EAC5C,MAAM;EACN;EACA;EACD;AACD,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;AAEH,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;CAEH,MAAM,WACJ,OAAO,kBAAkB,YACzB,kBAAkB,QAClB,CAAC,MAAM,QAAQ,cAAc,GACxB,gBACD;CACN,MAAM,mBACJ,YACA,OAAO,SAAS,aAAa,YAC7B,SAAS,aAAa,QACtB,CAAC,MAAM,QAAQ,SAAS,SAAS,GAC5B,SAAS,WACV;AACN,QAAO;EACL,GAAG;EACH,UAAU;GACR,GAAG;GACH,GAAG;GACJ;EACF;;AAKH,SAAgB,cACd,KACA,MACA,oBACA,QAC2B;AAC3B,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,SAAS,uBAAuB,KAAK;EAClD,MAAM,EAAE,SAAS,UAAU,mBAAmB,WAAW,kBACvD;EACF,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,kBAAkB,CAC7C;EACD,MAAM,eAAe,SAAS,WAAW,gCAAgC,GACrE,SAAS,MAAM,gCAAgC,OAAO,GACtD,SAAS,WAAW,gCAAgC,GAClD,SAAS,MAAM,gCAAgC,OAAO,GACtD;EACN,MAAM,aACJ,iBAAiB,OACb,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,eAAe,EAClD,cACD,CAAC,CACH,GACD;EACN,MAAM,mBAAmB,aACrB,0BAA0B,WAAW,OAAO,GAC5C;EACJ,MAAM,qBAAqB,SAAS,WAClC,gCACD,GACG,SACA,SAAS,WAAW,gCAAgC,GAClD,SACA;EAEN,MAAM,uBACJ,iBAAiB,QACjB,oBAAoB,QACpB,kBAAkB,aAAa,UAAU,SAAS,eAC9C,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,2BAA2B;GAC9D;GACA,cAAc;GACd,YAAY;GACb,CAAC,CACH,GACD;EAEN,MAAM,WAAW,OAAO,GAAG,KAAK;GAC9B,UAAU,GAAG,UAAU,eAAe,UAAU;GAChD,WAAW,IAAI,UAAU,sBAAsB;GAChD,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK,IAAI,UAAU,sBAAsB,CAAC,GAC7C,GAAG,QAAQ,IAAI,CACpB,CACF;EAED,MAAM,EAAE,cAAc,OAAO,GAAG,cAC9B,qBACE,KACA,SAAS,aAAa,MACtB,oBAAoB,OAAO,EAAE,iBAAiB,GAAG,EAAE,mBAAmB,EACtE;GACE,MAAM;GACN,UAAW,uBAAuB,SAAS,GACvC,uCAAuC,UAAU,EAC/C,gBACE,uBAAuB,SACnB,kBAAkB,SAAS,eAAe,OAC1C,uBAAuB,SACrB,kBAAkB,SAAS,eAAe,OAC1C,QACT,CAAC,GACF,mBAAmB,SAAS;GAChC;GACA,eAAe,uBACb,UACA,mBACA,cACD;GACF,EACD,QACA,sBAAsB,SAClB,EAAE,gBAAgB,qBAAqB,QAAQ,GAC/C,OACL,CACF;AAKD,MACE,iBAAiB,QACjB,kBAAkB,aAAa,IAAI,SAAS,2BAC5C;GAEA,MAAM,UADU,OAAO,GAAG,cAAc,GAAG,SAAS,QAAQ,UAAU,CAAC,GAC/C;AACxB,OAAI,QAAQ;IACV,MAAM,UAAW,YAAoB;AACrC,QAAI,SAOF;UAN2B,OAAO,GAAG,cACnC,IAAI,SAAS,OAAO,UAAU,OAAO,yBAAyB;MAC5D;MACA;MACD,CAAC,CACH,MAC0B,KACzB,QAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;MACjD;MACA;MACA,SAAS,iBAAiB,aAAa,IAAI;MAC3C,QAAQ;MACT,CAAC,CACH;;;;EAMT,MAAM,OAAO,qBAAqB,GAAG,aAAa;AAClD,SAAO,GAAG,cAAc,GAAG,UAAU,OAAO,SAAS,IAAI,CAAC;EAC1D,MAAM,2BAA2B,OAAO,GAAG,cACzC,GAAG,kBAAkB,eAAe,UAAU,CAC/C;AACD,MAAI,6BAA6B,KAC/B,QAAO,GAAG,cACR,GAAG,kBAAkB,OAAO,yBAAyB,IAAI,CAC1D;AAEH,SAAO,GAAG,QAAQ,YAChB,GAAG,kBAAkB,OAAO;GAC1B,MAAM,MAAM,OAAO,KAAK;GACxB;GACA;GACA,gBAAgB,KAAK,KAAK,GAAG;GAC7B,UAAU,SAAS;GACpB,CAAC,CACH;AACD,SAAO;GACP;;AAGJ,MAAa,gBAAgB,OAC3B,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}
+{"version":3,"file":"oauth.js","names":[],"sources":["../../../../src/server/mutations/oauth.ts"],"sourcesContent":["import { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport type { GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport type { ConvexError } from \"convex/values\";\nimport { Infer, v } from \"convex/values\";\n\nimport * as Provider from \"../crypto\";\nimport { authDb } from \"../db\";\nimport { createSyntheticOAuthMaterializedConfig } from \"../enterprise/oidc\";\nimport { normalizeEnterprisePolicy } from \"../enterprise/policy\";\nimport {\n  ENTERPRISE_OIDC_PROVIDER_PREFIX,\n  ENTERPRISE_SAML_PROVIDER_PREFIX,\n  isEnterpriseProviderId,\n} from \"../enterprise/shared\";\nimport { MutationCtx } from \"../types\";\nimport type { AuthProviderMaterializedConfig } from \"../types\";\nimport { upsertUserAndAccount } from \"../users\";\nimport { generateRandomString, logWithLevel, sha256 } from \"../utils\";\nimport { AUTH_STORE_REF } from \"./store/refs\";\n\nconst OAUTH_SIGN_IN_EXPIRATION_MS = 1000 * 60 * 2; // 2 minutes\n\nexport const userOAuthArgs = v.object({\n  provider: v.string(),\n  providerAccountId: v.string(),\n  profile: v.any(),\n  signature: v.string(),\n  accountExtend: v.optional(v.any()),\n});\n\nfunction normalizeAccountExtend(\n  provider: string,\n  providerAccountId: string,\n  accountExtend: unknown,\n) {\n  const baseIdentity: Record<string, unknown> = {\n    type: \"oauth\",\n    provider,\n    providerAccountId,\n  };\n  if (provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)) {\n    baseIdentity.type = \"enterprise-oidc\";\n    baseIdentity.enterpriseId = provider.slice(\n      ENTERPRISE_OIDC_PROVIDER_PREFIX.length,\n    );\n  }\n  if (provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)) {\n    baseIdentity.type = \"enterprise-saml\";\n    baseIdentity.enterpriseId = provider.slice(\n      ENTERPRISE_SAML_PROVIDER_PREFIX.length,\n    );\n  }\n  const provided =\n    typeof accountExtend === \"object\" &&\n    accountExtend !== null &&\n    !Array.isArray(accountExtend)\n      ? (accountExtend as Record<string, unknown>)\n      : undefined;\n  const providedIdentity =\n    provided &&\n    typeof provided.identity === \"object\" &&\n    provided.identity !== null &&\n    !Array.isArray(provided.identity)\n      ? (provided.identity as Record<string, unknown>)\n      : undefined;\n  return {\n    ...provided,\n    identity: {\n      ...baseIdentity,\n      ...providedIdentity,\n    },\n  };\n}\n\ntype ReturnType = string;\n\nexport function userOAuthImpl(\n  ctx: MutationCtx,\n  args: Infer<typeof userOAuthArgs>,\n  getProviderOrThrow: Provider.GetProviderOrThrowFunc,\n  config: Provider.Config,\n): Fx<ReturnType, ConvexError<{ code: string; message: string }>> {\n  return Fx.gen(function* () {\n    logWithLevel(\"DEBUG\", \"userOAuthImpl args:\", args);\n    const { profile, provider, providerAccountId, signature, accountExtend } =\n      args;\n    const db = authDb(ctx, config);\n    const existingAccount = yield* Fx.promise(() =>\n      db.accounts.get(provider, providerAccountId),\n    );\n    const enterpriseId = provider.startsWith(ENTERPRISE_OIDC_PROVIDER_PREFIX)\n      ? provider.slice(ENTERPRISE_OIDC_PROVIDER_PREFIX.length)\n      : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n        ? provider.slice(ENTERPRISE_SAML_PROVIDER_PREFIX.length)\n        : null;\n    const enterprise =\n      enterpriseId !== null\n        ? yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.enterpriseGet, {\n              enterpriseId,\n            }),\n          )\n        : null;\n    const enterprisePolicy = enterprise\n      ? normalizeEnterprisePolicy(enterprise.policy)\n      : null;\n    const enterpriseProtocol = provider.startsWith(\n      ENTERPRISE_OIDC_PROVIDER_PREFIX,\n    )\n      ? \"oidc\"\n      : provider.startsWith(ENTERPRISE_SAML_PROVIDER_PREFIX)\n        ? \"saml\"\n        : null;\n\n    const existingScimIdentity =\n      enterpriseId !== null &&\n      existingAccount === null &&\n      enterprisePolicy?.provisioning.scimReuse.user === \"externalId\"\n        ? yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.enterpriseScimIdentityGet, {\n              enterpriseId,\n              resourceType: \"user\",\n              externalId: providerAccountId,\n            }),\n          )\n        : null;\n\n    const verifier = yield* Fx.from({\n      ok: () => db.verifiers.getBySignature(signature),\n      err: () =>\n        Cv.error({\n          code: \"OAUTH_INVALID_STATE\",\n          message: \"Invalid OAuth state. Please try signing in again.\",\n        }),\n    }).pipe(\n      Fx.chain((doc) =>\n        doc === null\n          ? Cv.fail({\n              code: \"OAUTH_INVALID_STATE\",\n              message: \"Invalid OAuth state. Please try signing in again.\",\n            })\n          : Fx.succeed(doc),\n      ),\n    );\n\n    const { accountId } = yield* Fx.promise(() =>\n      upsertUserAndAccount(\n        ctx,\n        verifier.sessionId ?? null,\n        existingAccount !== null ? { existingAccount } : { providerAccountId },\n        {\n          type: \"oauth\",\n          provider: (isEnterpriseProviderId(provider)\n            ? createSyntheticOAuthMaterializedConfig(provider, {\n                accountLinking:\n                  enterpriseProtocol === \"oidc\"\n                    ? enterprisePolicy?.identity.accountLinking.oidc\n                    : enterpriseProtocol === \"saml\"\n                      ? enterprisePolicy?.identity.accountLinking.saml\n                      : undefined,\n              })\n            : getProviderOrThrow(provider)) as AuthProviderMaterializedConfig,\n          profile,\n          accountExtend: normalizeAccountExtend(\n            provider,\n            providerAccountId,\n            accountExtend,\n          ),\n        },\n        config,\n        existingScimIdentity?.userId\n          ? { existingUserId: existingScimIdentity.userId }\n          : undefined,\n      ),\n    );\n\n    // JIT group provisioning: if this is an enterprise SSO sign-in and the\n    // enterprise connection has a groupId, auto-add the user as a member of\n    // that group if they aren't already a member.\n    if (\n      enterpriseId !== null &&\n      enterprisePolicy?.provisioning.jit.mode === \"createUserAndMembership\"\n    ) {\n      const account = yield* Fx.promise(() => db.accounts.getById(accountId));\n      const userId = account?.userId;\n      if (userId) {\n        const groupId = (enterprise as any)?.groupId as string | undefined;\n        if (groupId) {\n          const existingMembership = yield* Fx.promise(() =>\n            ctx.runQuery(config.component.public.memberGetByGroupAndUser, {\n              userId,\n              groupId,\n            }),\n          );\n          if (existingMembership === null) {\n            yield* Fx.promise(() =>\n              ctx.runMutation(config.component.public.memberAdd, {\n                groupId,\n                userId,\n                roleIds: enterprisePolicy.provisioning.jit.defaultRoleIds,\n                status: \"active\",\n              }),\n            );\n          }\n        }\n      }\n    }\n\n    const code = generateRandomString(8, \"0123456789\");\n    yield* Fx.promise(() => db.verifiers.delete(verifier._id));\n    const existingVerificationCode = yield* Fx.promise(() =>\n      db.verificationCodes.getByAccountId(accountId),\n    );\n    if (existingVerificationCode !== null) {\n      yield* Fx.promise(() =>\n        db.verificationCodes.delete(existingVerificationCode._id),\n      );\n    }\n    yield* Fx.promise(async () =>\n      db.verificationCodes.create({\n        code: await sha256(code),\n        accountId,\n        provider,\n        expirationTime: Date.now() + OAUTH_SIGN_IN_EXPIRATION_MS,\n        verifier: verifier._id,\n      }),\n    );\n    return code;\n  });\n}\n\nexport const callUserOAuth = async <DataModel extends GenericDataModel>(\n  ctx: GenericActionCtx<DataModel>,\n  args: Infer<typeof userOAuthArgs>,\n): Promise<ReturnType> => {\n  return ctx.runMutation(AUTH_STORE_REF, {\n    args: {\n      type: \"userOAuth\",\n      ...args,\n    },\n  });\n};\n"],"mappings":";;;;;;;;;;;;AAqBA,MAAM,8BAA8B,MAAO,KAAK;AAEhD,MAAa,gBAAgB,EAAE,OAAO;CACpC,UAAU,EAAE,QAAQ;CACpB,mBAAmB,EAAE,QAAQ;CAC7B,SAAS,EAAE,KAAK;CAChB,WAAW,EAAE,QAAQ;CACrB,eAAe,EAAE,SAAS,EAAE,KAAK,CAAC;CACnC,CAAC;AAEF,SAAS,uBACP,UACA,mBACA,eACA;CACA,MAAM,eAAwC;EAC5C,MAAM;EACN;EACA;EACD;AACD,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;AAEH,KAAI,SAAS,WAAW,gCAAgC,EAAE;AACxD,eAAa,OAAO;AACpB,eAAa,eAAe,SAAS,MACnC,gCAAgC,OACjC;;CAEH,MAAM,WACJ,OAAO,kBAAkB,YACzB,kBAAkB,QAClB,CAAC,MAAM,QAAQ,cAAc,GACxB,gBACD;CACN,MAAM,mBACJ,YACA,OAAO,SAAS,aAAa,YAC7B,SAAS,aAAa,QACtB,CAAC,MAAM,QAAQ,SAAS,SAAS,GAC5B,SAAS,WACV;AACN,QAAO;EACL,GAAG;EACH,UAAU;GACR,GAAG;GACH,GAAG;GACJ;EACF;;AAKH,SAAgB,cACd,KACA,MACA,oBACA,QACgE;AAChE,QAAO,GAAG,IAAI,aAAa;AACzB,eAAa,SAAS,uBAAuB,KAAK;EAClD,MAAM,EAAE,SAAS,UAAU,mBAAmB,WAAW,kBACvD;EACF,MAAM,KAAK,OAAO,KAAK,OAAO;EAC9B,MAAM,kBAAkB,OAAO,GAAG,cAChC,GAAG,SAAS,IAAI,UAAU,kBAAkB,CAC7C;EACD,MAAM,eAAe,SAAS,WAAW,gCAAgC,GACrE,SAAS,MAAM,gCAAgC,OAAO,GACtD,SAAS,WAAW,gCAAgC,GAClD,SAAS,MAAM,gCAAgC,OAAO,GACtD;EACN,MAAM,aACJ,iBAAiB,OACb,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,eAAe,EAClD,cACD,CAAC,CACH,GACD;EACN,MAAM,mBAAmB,aACrB,0BAA0B,WAAW,OAAO,GAC5C;EACJ,MAAM,qBAAqB,SAAS,WAClC,gCACD,GACG,SACA,SAAS,WAAW,gCAAgC,GAClD,SACA;EAEN,MAAM,uBACJ,iBAAiB,QACjB,oBAAoB,QACpB,kBAAkB,aAAa,UAAU,SAAS,eAC9C,OAAO,GAAG,cACR,IAAI,SAAS,OAAO,UAAU,OAAO,2BAA2B;GAC9D;GACA,cAAc;GACd,YAAY;GACb,CAAC,CACH,GACD;EAEN,MAAM,WAAW,OAAO,GAAG,KAAK;GAC9B,UAAU,GAAG,UAAU,eAAe,UAAU;GAChD,WACE,GAAG,MAAM;IACP,MAAM;IACN,SAAS;IACV,CAAC;GACL,CAAC,CAAC,KACD,GAAG,OAAO,QACR,QAAQ,OACJ,GAAG,KAAK;GACN,MAAM;GACN,SAAS;GACV,CAAC,GACF,GAAG,QAAQ,IAAI,CACpB,CACF;EAED,MAAM,EAAE,cAAc,OAAO,GAAG,cAC9B,qBACE,KACA,SAAS,aAAa,MACtB,oBAAoB,OAAO,EAAE,iBAAiB,GAAG,EAAE,mBAAmB,EACtE;GACE,MAAM;GACN,UAAW,uBAAuB,SAAS,GACvC,uCAAuC,UAAU,EAC/C,gBACE,uBAAuB,SACnB,kBAAkB,SAAS,eAAe,OAC1C,uBAAuB,SACrB,kBAAkB,SAAS,eAAe,OAC1C,QACT,CAAC,GACF,mBAAmB,SAAS;GAChC;GACA,eAAe,uBACb,UACA,mBACA,cACD;GACF,EACD,QACA,sBAAsB,SAClB,EAAE,gBAAgB,qBAAqB,QAAQ,GAC/C,OACL,CACF;AAKD,MACE,iBAAiB,QACjB,kBAAkB,aAAa,IAAI,SAAS,2BAC5C;GAEA,MAAM,UADU,OAAO,GAAG,cAAc,GAAG,SAAS,QAAQ,UAAU,CAAC,GAC/C;AACxB,OAAI,QAAQ;IACV,MAAM,UAAW,YAAoB;AACrC,QAAI,SAOF;UAN2B,OAAO,GAAG,cACnC,IAAI,SAAS,OAAO,UAAU,OAAO,yBAAyB;MAC5D;MACA;MACD,CAAC,CACH,MAC0B,KACzB,QAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;MACjD;MACA;MACA,SAAS,iBAAiB,aAAa,IAAI;MAC3C,QAAQ;MACT,CAAC,CACH;;;;EAMT,MAAM,OAAO,qBAAqB,GAAG,aAAa;AAClD,SAAO,GAAG,cAAc,GAAG,UAAU,OAAO,SAAS,IAAI,CAAC;EAC1D,MAAM,2BAA2B,OAAO,GAAG,cACzC,GAAG,kBAAkB,eAAe,UAAU,CAC/C;AACD,MAAI,6BAA6B,KAC/B,QAAO,GAAG,cACR,GAAG,kBAAkB,OAAO,yBAAyB,IAAI,CAC1D;AAEH,SAAO,GAAG,QAAQ,YAChB,GAAG,kBAAkB,OAAO;GAC1B,MAAM,MAAM,OAAO,KAAK;GACxB;GACA;GACA,gBAAgB,KAAK,KAAK,GAAG;GAC7B,UAAU,SAAS;GACpB,CAAC,CACH;AACD,SAAO;GACP;;AAGJ,MAAa,gBAAgB,OAC3B,KACA,SACwB;AACxB,QAAO,IAAI,YAAY,gBAAgB,EACrC,MAAM;EACJ,MAAM;EACN,GAAG;EACJ,EACF,CAAC"}

package/dist/component/server/mutations/refresh.js

@@ -3,8 +3,8 @@ import { authDb } from "../db.js";
 import { AUTH_STORE_REF } from "./store/refs.js";
 import { REFRESH_TOKEN_REUSE_WINDOW_MS, invalidateRefreshTokensInSubtree, parseRefreshToken, refreshTokenIfValid } from "../refresh.js";
 import { generateTokensForSession } from "../sessions.js";
-import { v } from "convex/values";
 import { Fx } from "@robelest/fx";
+import { v } from "convex/values";
 
 //#region src/server/mutations/refresh.ts
 const refreshSessionArgs = v.object({ refreshToken: v.string() });
@@ -18,7 +18,7 @@ var RefreshFailure = class {
 async function refreshSessionImpl(ctx, args, _getProviderOrThrow, config) {
 	const db = authDb(ctx, config);
 	const { refreshToken } = args;
-	return Fx.run(parseRefreshToken(refreshToken).pipe(Fx.recover((err) => Fx.fail(new RefreshFailure(err.message))), Fx.tap(({ refreshTokenId, sessionId: tokenSessionId }) => Fx.sync(() => logWithLevel("DEBUG", `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(tokenSessionId)}`))), Fx.chain(({ refreshTokenId, sessionId: tokenSessionId }) => refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config).pipe(Fx.chain((validationResult) => validationResult === null ? Fx.gen(function* () {
+	return Fx.run(parseRefreshToken(refreshToken).pipe(Fx.recover((err) => Fx.fail(new RefreshFailure(err.data.message))), Fx.tap(({ refreshTokenId, sessionId: tokenSessionId }) => Fx.sync(() => logWithLevel("DEBUG", `refreshSessionImpl args: Token ID: ${maybeRedact(refreshTokenId)} Session ID: ${maybeRedact(tokenSessionId)}`))), Fx.chain(({ refreshTokenId, sessionId: tokenSessionId }) => refreshTokenIfValid(ctx, refreshTokenId, tokenSessionId, config).pipe(Fx.chain((validationResult) => validationResult === null ? Fx.gen(function* () {
 		yield* Fx.from({
 			ok: async () => {
 				const session = await db.sessions.getById(tokenSessionId);