npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.22 → 0.0.4-preview.24 - Mend

@robelest/convex-auth 0.0.4-preview.22 → 0.0.4-preview.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (314) hide show

package/README.md +10 -11
package/dist/authorization/index.d.ts +1 -1
package/dist/authorization/index.js +1 -1
package/dist/authorization/index.js.map +1 -1
package/dist/client/index.d.ts +1 -2
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +36 -39
package/dist/client/index.js.map +1 -1
package/dist/component/client/index.d.ts +1 -2
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +9 -9
package/dist/component/model.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.js.map +1 -1
package/dist/component/public/enterprise/core.d.ts.map +1 -1
package/dist/component/public/enterprise/core.js.map +1 -1
package/dist/component/public/enterprise/domains.d.ts.map +1 -1
package/dist/component/public/enterprise/domains.js.map +1 -1
package/dist/component/public/enterprise/scim.d.ts.map +1 -1
package/dist/component/public/enterprise/scim.js.map +1 -1
package/dist/component/public/enterprise/secrets.d.ts.map +1 -1
package/dist/component/public/enterprise/secrets.js.map +1 -1
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -1
package/dist/component/public/enterprise/webhooks.js.map +1 -1
package/dist/component/public/factors/devices.d.ts.map +1 -1
package/dist/component/public/factors/devices.js.map +1 -1
package/dist/component/public/factors/passkeys.d.ts.map +1 -1
package/dist/component/public/factors/passkeys.js.map +1 -1
package/dist/component/public/factors/totp.d.ts.map +1 -1
package/dist/component/public/factors/totp.js.map +1 -1
package/dist/component/public/groups/core.js.map +1 -1
package/dist/component/public/groups/invites.d.ts.map +1 -1
package/dist/component/public/groups/invites.js.map +1 -1
package/dist/component/public/groups/members.d.ts.map +1 -1
package/dist/component/public/groups/members.js.map +1 -1
package/dist/component/public/identity/accounts.d.ts.map +1 -1
package/dist/component/public/identity/accounts.js.map +1 -1
package/dist/component/public/identity/codes.d.ts.map +1 -1
package/dist/component/public/identity/codes.js.map +1 -1
package/dist/component/public/identity/sessions.d.ts.map +1 -1
package/dist/component/public/identity/sessions.js.map +1 -1
package/dist/component/public/identity/tokens.d.ts.map +1 -1
package/dist/component/public/identity/tokens.js.map +1 -1
package/dist/component/public/identity/users.d.ts.map +1 -1
package/dist/component/public/identity/users.js.map +1 -1
package/dist/component/public/identity/verifiers.d.ts.map +1 -1
package/dist/component/public/identity/verifiers.js.map +1 -1
package/dist/component/public/security/keys.d.ts.map +1 -1
package/dist/component/public/security/keys.js.map +1 -1
package/dist/component/public/security/limits.d.ts.map +1 -1
package/dist/component/public/security/limits.js.map +1 -1
package/dist/component/schema.d.ts +41 -41
package/dist/component/server/auth.d.ts +127 -130
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -64
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/context.js +53 -0
package/dist/component/server/context.js.map +1 -0
package/dist/component/server/core.js +113 -250
package/dist/component/server/core.js.map +1 -1
package/dist/component/server/crypto.js +25 -7
package/dist/component/server/crypto.js.map +1 -1
package/dist/component/server/device.js +59 -16
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/enterprise/domain.js +148 -59
package/dist/component/server/enterprise/domain.js.map +1 -1
package/dist/component/server/enterprise/http.js +36 -15
package/dist/component/server/enterprise/http.js.map +1 -1
package/dist/component/server/enterprise/oidc.js +1 -1
package/dist/component/server/http.d.ts +85 -0
package/dist/component/server/http.d.ts.map +1 -0
package/dist/component/server/http.js +85 -22
package/dist/component/server/http.js.map +1 -1
package/dist/component/server/identity.js +5 -2
package/dist/component/server/identity.js.map +1 -1
package/dist/component/server/limits.js +21 -30
package/dist/component/server/limits.js.map +1 -1
package/dist/component/server/mutations/account.js +12 -10
package/dist/component/server/mutations/account.js.map +1 -1
package/dist/component/server/mutations/code.js +5 -2
package/dist/component/server/mutations/code.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/invalidate.js.map +1 -1
package/dist/component/server/mutations/oauth.js +10 -4
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +2 -2
package/dist/component/server/mutations/refresh.js.map +1 -1
package/dist/component/server/mutations/register.js +46 -42
package/dist/component/server/mutations/register.js.map +1 -1
package/dist/component/server/mutations/retrieve.js +21 -25
package/dist/component/server/mutations/retrieve.js.map +1 -1
package/dist/component/server/mutations/signature.js +10 -4
package/dist/component/server/mutations/signature.js.map +1 -1
package/dist/component/server/mutations/signout.js.map +1 -1
package/dist/component/server/mutations/store.js +9 -24
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verifier.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/mutations/verify.js.map +1 -1
package/dist/component/server/oauth.js +53 -16
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +115 -31
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/redirects.js +9 -3
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +10 -7
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/runtime.d.ts +5 -5
package/dist/component/server/runtime.js +156 -113
package/dist/component/server/runtime.js.map +1 -1
package/dist/component/server/signin.js +34 -10
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/totp.js +79 -19
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +12 -20
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +6 -3
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +10 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +14 -22
package/dist/core/types.d.ts.map +1 -1
package/dist/factors/device.js +8 -9
package/dist/factors/device.js.map +1 -1
package/dist/factors/passkey.js +18 -21
package/dist/factors/passkey.js.map +1 -1
package/dist/providers/password.js +66 -81
package/dist/providers/password.js.map +1 -1
package/dist/runtime/invite.js +2 -8
package/dist/runtime/invite.js.map +1 -1
package/dist/server/auth.d.ts +127 -130
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -64
package/dist/server/auth.js.map +1 -1
package/dist/server/context.d.ts +1 -0
package/dist/server/context.js +53 -0
package/dist/server/context.js.map +1 -0
package/dist/server/core.d.ts +74 -195
package/dist/server/core.d.ts.map +1 -1
package/dist/server/core.js +113 -250
package/dist/server/core.js.map +1 -1
package/dist/server/crypto.d.ts.map +1 -1
package/dist/server/crypto.js +25 -7
package/dist/server/crypto.js.map +1 -1
package/dist/server/device.js +59 -16
package/dist/server/device.js.map +1 -1
package/dist/server/enterprise/domain.d.ts +0 -8
package/dist/server/enterprise/domain.d.ts.map +1 -1
package/dist/server/enterprise/domain.js +148 -59
package/dist/server/enterprise/domain.js.map +1 -1
package/dist/server/enterprise/http.d.ts.map +1 -1
package/dist/server/enterprise/http.js +35 -14
package/dist/server/enterprise/http.js.map +1 -1
package/dist/server/http.d.ts +81 -3
package/dist/server/http.d.ts.map +1 -1
package/dist/server/http.js +84 -21
package/dist/server/http.js.map +1 -1
package/dist/server/identity.js +5 -2
package/dist/server/identity.js.map +1 -1
package/dist/server/index.d.ts +3 -2
package/dist/server/index.js +2 -2
package/dist/server/limits.js +21 -30
package/dist/server/limits.js.map +1 -1
package/dist/server/mounts.d.ts +25 -63
package/dist/server/mounts.d.ts.map +1 -1
package/dist/server/mounts.js +46 -107
package/dist/server/mounts.js.map +1 -1
package/dist/server/mutations/account.d.ts +8 -9
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/account.js +11 -9
package/dist/server/mutations/account.js.map +1 -1
package/dist/server/mutations/code.d.ts +12 -12
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/code.js +5 -2
package/dist/server/mutations/code.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +4 -4
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/invalidate.js.map +1 -1
package/dist/server/mutations/oauth.d.ts +14 -12
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -3
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +3 -3
package/dist/server/mutations/refresh.d.ts.map +1 -1
package/dist/server/mutations/refresh.js +1 -1
package/dist/server/mutations/refresh.js.map +1 -1
package/dist/server/mutations/register.d.ts +11 -11
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/register.js +45 -41
package/dist/server/mutations/register.js.map +1 -1
package/dist/server/mutations/retrieve.d.ts +6 -6
package/dist/server/mutations/retrieve.d.ts.map +1 -1
package/dist/server/mutations/retrieve.js +20 -24
package/dist/server/mutations/retrieve.js.map +1 -1
package/dist/server/mutations/signature.d.ts +6 -7
package/dist/server/mutations/signature.d.ts.map +1 -1
package/dist/server/mutations/signature.js +9 -3
package/dist/server/mutations/signature.js.map +1 -1
package/dist/server/mutations/signin.d.ts +5 -5
package/dist/server/mutations/signout.js.map +1 -1
package/dist/server/mutations/store.d.ts +83 -83
package/dist/server/mutations/store.js +8 -23
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.js.map +1 -1
package/dist/server/mutations/verify.d.ts +7 -7
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/mutations/verify.js.map +1 -1
package/dist/server/oauth.js +53 -16
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +2 -2
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +114 -30
package/dist/server/passkey.js.map +1 -1
package/dist/server/redirects.js +9 -3
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.js +10 -7
package/dist/server/refresh.js.map +1 -1
package/dist/server/runtime.d.ts +11 -11
package/dist/server/runtime.js +155 -112
package/dist/server/runtime.js.map +1 -1
package/dist/server/signin.js +34 -10
package/dist/server/signin.js.map +1 -1
package/dist/server/ssr.d.ts.map +1 -1
package/dist/server/ssr.js +175 -184
package/dist/server/ssr.js.map +1 -1
package/dist/server/totp.js +78 -18
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +13 -21
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.js +6 -3
package/dist/server/users.js.map +1 -1
package/dist/server/utils.js +10 -4
package/dist/server/utils.js.map +1 -1
package/package.json +1 -5
package/src/authorization/index.ts +1 -1
package/src/client/core/types.ts +14 -14
package/src/client/factors/device.ts +10 -12
package/src/client/factors/passkey.ts +23 -26
package/src/client/index.ts +54 -64
package/src/client/runtime/invite.ts +5 -7
package/src/component/index.ts +9 -3
package/src/component/public/enterprise/audit.ts +6 -1
package/src/component/public/enterprise/core.ts +1 -0
package/src/component/public/enterprise/domains.ts +5 -1
package/src/component/public/enterprise/scim.ts +1 -0
package/src/component/public/enterprise/secrets.ts +1 -0
package/src/component/public/enterprise/webhooks.ts +1 -0
package/src/component/public/factors/devices.ts +1 -0
package/src/component/public/factors/passkeys.ts +1 -0
package/src/component/public/factors/totp.ts +1 -0
package/src/component/public/groups/core.ts +1 -1
package/src/component/public/groups/invites.ts +7 -1
package/src/component/public/groups/members.ts +1 -0
package/src/component/public/identity/accounts.ts +1 -0
package/src/component/public/identity/codes.ts +1 -0
package/src/component/public/identity/sessions.ts +1 -0
package/src/component/public/identity/tokens.ts +1 -0
package/src/component/public/identity/users.ts +1 -0
package/src/component/public/identity/verifiers.ts +1 -0
package/src/component/public/security/keys.ts +1 -0
package/src/component/public/security/limits.ts +1 -0
package/src/providers/password.ts +89 -110
package/src/server/auth.ts +240 -182
package/src/server/context.ts +90 -0
package/src/server/core.ts +195 -286
package/src/server/crypto.ts +31 -29
package/src/server/device.ts +65 -32
package/src/server/enterprise/domain.ts +158 -170
package/src/server/enterprise/http.ts +46 -39
package/src/server/http.ts +289 -30
package/src/server/identity.ts +5 -5
package/src/server/index.ts +9 -3
package/src/server/limits.ts +53 -80
package/src/server/mounts.ts +56 -80
package/src/server/mutations/account.ts +22 -36
package/src/server/mutations/code.ts +6 -6
package/src/server/mutations/invalidate.ts +1 -1
package/src/server/mutations/oauth.ts +14 -8
package/src/server/mutations/refresh.ts +5 -4
package/src/server/mutations/register.ts +87 -132
package/src/server/mutations/retrieve.ts +44 -44
package/src/server/mutations/signature.ts +13 -6
package/src/server/mutations/signout.ts +1 -1
package/src/server/mutations/store.ts +16 -31
package/src/server/mutations/verifier.ts +1 -1
package/src/server/mutations/verify.ts +3 -5
package/src/server/oauth.ts +60 -69
package/src/server/passkey.ts +567 -517
package/src/server/redirects.ts +10 -6
package/src/server/refresh.ts +14 -18
package/src/server/runtime.ts +340 -302
package/src/server/signin.ts +44 -37
package/src/server/ssr.ts +390 -407
package/src/server/totp.ts +85 -35
package/src/server/types.ts +19 -22
package/src/server/users.ts +7 -6
package/src/server/utils.ts +10 -12
package/dist/component/server/authError.js +0 -34
package/dist/component/server/authError.js.map +0 -1
package/dist/component/server/errors.d.ts +0 -1
package/dist/component/server/errors.js +0 -137
package/dist/component/server/errors.js.map +0 -1
package/dist/server/authError.d.ts +0 -46
package/dist/server/authError.d.ts.map +0 -1
package/dist/server/authError.js +0 -34
package/dist/server/authError.js.map +0 -1
package/dist/server/errors.d.ts +0 -177
package/dist/server/errors.d.ts.map +0 -1
package/dist/server/errors.js +0 -212
package/dist/server/errors.js.map +0 -1
package/src/server/authError.ts +0 -44
package/src/server/errors.ts +0 -290

package/dist/server/auth.d.ts CHANGED Viewed

@@ -13,7 +13,7 @@ import { GenericId } from "convex/values";
 type AuthConfig = Omit<ConvexAuthConfig, "component">;
 /** Canonical user document type exposed by Convex Auth. */
 type UserDoc = Doc<"User">;
-type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig | undefined> = Omit<ReturnType<typeof Auth$1>["auth"]["member"], "create" | "list" | "update" | "resolve"> & {
+type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig | undefined> = Omit<ReturnType<typeof Auth$1>["auth"]["member"], "create" | "list" | "update" | "inspect" | "require"> & {
   create: (ctx: Parameters<ReturnType<typeof Auth$1>["auth"]["member"]["create"]>[0], data: {
     groupId: string;
     userId: string;
@@ -21,7 +21,6 @@ type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig |
     status?: string;
     extend?: Record<string, unknown>;
   }) => Promise<{
-    ok: true;
     memberId: string;
   }>;
   list: (ctx: Parameters<ReturnType<typeof Auth$1>["auth"]["member"]["list"]>[0], opts?: {
@@ -39,17 +38,22 @@ type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig |
   update: (ctx: Parameters<ReturnType<typeof Auth$1>["auth"]["member"]["update"]>[0], memberId: string, data: Record<string, unknown> & {
     roleIds?: AuthRoleId<TAuthorization>[];
   }) => Promise<{
-    ok: true;
     memberId: string;
   }>;
-  resolve: (ctx: Parameters<ReturnType<typeof Auth$1>["auth"]["member"]["resolve"]>[0], opts: {
+  inspect: (ctx: Parameters<ReturnType<typeof Auth$1>["auth"]["member"]["inspect"]>[0], opts: {
+    userId: string;
+    groupId: string;
+    ancestry?: boolean;
+    maxDepth?: number;
+  }) => ReturnType<ReturnType<typeof Auth$1>["auth"]["member"]["inspect"]>;
+  require: (ctx: Parameters<ReturnType<typeof Auth$1>["auth"]["member"]["require"]>[0], opts: {
     userId: string;
     groupId: string;
     ancestry?: boolean;
     roleIds?: AuthRoleId<TAuthorization>[];
     grants?: AuthGrant<TAuthorization>[];
     maxDepth?: number;
-  }) => ReturnType<ReturnType<typeof Auth$1>["auth"]["member"]["resolve"]>;
+  }) => ReturnType<ReturnType<typeof Auth$1>["auth"]["member"]["require"]>;
 };
 /**
  * The base auth API surface returned by {@link createAuth}.
@@ -80,30 +84,40 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
   key: ReturnType<typeof Auth$1>["auth"]["key"];
   http: ReturnType<typeof Auth$1>["auth"]["http"];
   /**
-   * Resolve the current user's auth context. Framework-agnostic — use
+   * Resolve the current request's auth context. Framework-agnostic — use
    * this in fluent-convex middleware, custom wrappers, or anywhere you
-   * need the resolved `{ userId, user, groupId, role, grants }` object.
+   * need the current `{ userId, user, groupId, role, grants }` object.
    *
-   * Returns `null` when unauthenticated. Does not throw.
+   * Throws a structured `ConvexError` when unauthenticated by default.
+   * Pass `{ optional: true }` to get a null-shaped auth object instead.
    *
    * @param ctx - Convex query, mutation, or action context.
-   * @returns The resolved auth context, or `null`.
+   * @param config - Optional auth resolution config. Supports `optional`,
+   *   `resolve`, and `authResolve`.
+   * @returns The current auth context.
    *
    * @example fluent-convex middleware
    * ```ts
    * const withAuth = convex.createMiddleware(async (ctx, next) => {
-   *   return next({ ...ctx, auth: await auth.resolve(ctx) });
+   *   return next({ ...ctx, auth: await auth.context(ctx) });
    * });
    * ```
    *
    * @example Direct usage in a handler
-   * ```ts
-   * const resolved = await auth.resolve(ctx);
-   * if (!resolved) return { ok: false, code: "NOT_SIGNED_IN" };
-   * const { userId, grants } = resolved;
-   * ```
-   */
-  resolve: (ctx: any) => Promise<AuthResolvedContext | null>;
+    * ```ts
+    * const authContext = await auth.context(ctx);
+    * const { userId, grants } = authContext;
+    * ```
+    *
+    * @example Optional usage
+    * ```ts
+    * const authContext = await auth.context(ctx, { optional: true });
+    * if (authContext.userId === null) {
+    *   return null;
+    * }
+    * ```
+    */
+  context: AuthContextResolver;
   /**
    * Context enrichment for convex-helpers `customQuery` / `customMutation` /
    * `customAction`.
@@ -112,9 +126,9 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
    * and grants, then attaches them to `ctx.auth`. Returns a `Customization`
    * object compatible with convex-helpers' custom function builders.
    *
-   * `ctx.auth` is `{ userId, user, groupId, role, grants }` when
-   * authenticated, `null` when unauthenticated. No throwing — your
-   * handler decides how to respond.
+   * `ctx.auth` is the current request auth context.
+   * By default this throws when unauthenticated so handlers can assume
+   * `ctx.auth.userId` and `ctx.auth.user` exist.
    *
    * @returns A convex-helpers `Customization` object.
    *
@@ -136,37 +150,29 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
    * export const list = authQuery({
    *   args: { workspaceId: v.string() },
    *   handler: async (ctx, args) => {
-   *     if (!ctx.auth) return [];
    *     const { userId, groupId, grants } = ctx.auth;
    *     // business logic
    *   },
    * });
    * ```
    */
-  ctx: () => {
-    args: Record<string, never>;
-    input: (ctx: any) => Promise<{
-      ctx: {
-        auth: AuthResolvedContext | null;
-      };
-      args: Record<string, never>;
-    }>;
-  };
+  ctx: AuthContextFactory;
 };
 /**
- * Resolved auth context injected into `ctx.auth` by `auth.ctx()` and
- * {@link AuthCtx}. Also the expected return shape for custom
- * {@link AuthCtxConfig.authResolve | authResolve} hooks.
+ * Current request auth context injected into `ctx.auth` by `auth.ctx()`. This
+ * is the authenticated auth shape returned by {@link createAuth().context}.
+ * Optional context builders may still surface nullable fields when
+ * `optional: true` is used.
  *
- * - `null` when unauthenticated.
  * - `groupId` is `null` when the user has no active group set.
- * - `role` / `grants` are `null` / `[]` when no active group or no membership.
+ * - `role` is `null` when no active group or no membership is resolved.
+ * - `grants` is `[]` when no active group or no membership is resolved.
  *
  * @example
  * ```ts
- * import type { AuthResolvedContext } from "@robelest/convex-auth/server";
+ * import type { AuthContext } from "@robelest/convex-auth/server";
  *
- * const mockAuth: AuthResolvedContext = {
+ * const mockAuth: AuthContext = {
  *   userId: "user123" as Id<"User">,
  *   user: { _id: "user123", email: "test@example.com" },
  *   groupId: "group456",
@@ -175,23 +181,66 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
  * };
  * ```
  */
-type AuthResolvedContext = {
+type AuthContext = {
   /** The authenticated user's document ID. */userId: GenericId<"User">; /** The authenticated user's full document. */
   user: UserDoc; /** The user's active group ID, or `null` if none set. */
   groupId: string | null; /** The user's primary role in the active group, or `null`. */
   role: string | null; /** Resolved grant strings from the user's role definitions. */
   grants: string[];
 };
-type AuthCtxBase = {
+/**
+ * Nullable auth context returned by `auth.context(ctx, { optional: true })`
+ * and injected by `auth.ctx({ optional: true })`.
+ *
+ * Use this when callers may be unauthenticated but you still want a stable
+ * auth-shaped object.
+ *
+ * - `userId` and `user` are `null` when unauthenticated.
+ * - `groupId` and `role` are `null` when no active group is resolved.
+ * - `grants` is `[]` when no membership is resolved.
+ *
+ * @example
+ * ```ts
+ * const authContext = await auth.context(ctx, { optional: true });
+ * if (authContext.userId === null) {
+ *   return null;
+ * }
+ * ```
+ */
+type OptionalAuthContext = {
+  /** The authenticated user's document ID, or `null` when unauthenticated. */userId: GenericId<"User"> | null; /** The authenticated user's full document, or `null` when unauthenticated. */
+  user: UserDoc | null; /** The user's active group ID, or `null` if none is set. */
+  groupId: string | null; /** The user's primary role in the active group, or `null`. */
+  role: string | null; /** Resolved grant strings for the active membership, or `[]`. */
+  grants: string[];
+};
+type AuthContextBase = {
   getUserIdentity: () => Promise<UserIdentity | null>;
 };
-type RequiredAuthCtxState = AuthCtxBase & AuthResolvedContext;
-type OptionalAuthCtxState = AuthCtxBase & {
-  userId: GenericId<"User"> | null;
-  user: UserDoc | null;
-  groupId: string | null;
-  role: string | null;
-  grants: string[];
+type RequiredAuthContextState = AuthContextBase & AuthContext;
+type OptionalAuthContextState = AuthContextBase & OptionalAuthContext;
+type ResolvedAuthContext<TResolve> = AuthContext & TResolve;
+type ResolvedOptionalAuthContext<TResolve> = OptionalAuthContext & TResolve;
+type AuthContextResolver = {
+  <TResolve extends Record<string, unknown> = Record<string, never>>(ctx: any, config: AuthContextConfig<TResolve> & {
+    optional: true;
+  }): Promise<ResolvedOptionalAuthContext<TResolve>>;
+  <TResolve extends Record<string, unknown> = Record<string, never>>(ctx: any, config?: AuthContextConfig<TResolve>): Promise<ResolvedAuthContext<TResolve>>;
+};
+type AuthContextCustomization<TAuth> = {
+  args: {};
+  input: (ctx: any, _args: any, _extra?: any) => Promise<{
+    ctx: {
+      auth: TAuth;
+    };
+    args: {};
+  }>;
+};
+type AuthContextFactory = {
+  <TResolve extends Record<string, unknown> = Record<string, never>>(config: AuthContextConfig<TResolve> & {
+    optional: true;
+  }): AuthContextCustomization<OptionalAuthContextState & TResolve>;
+  <TResolve extends Record<string, unknown> = Record<string, never>>(config?: AuthContextConfig<TResolve>): AuthContextCustomization<RequiredAuthContextState & TResolve>;
 };
 type InternalSsoApi = ReturnType<typeof Auth$1>["auth"]["sso"];
 type PublicSsoAdminApi = {
@@ -203,7 +252,6 @@ type PublicSsoAdminApi = {
         domain: string;
         isPrimary?: boolean;
       }>) => Promise<{
-        ok: true;
         enterpriseId: string;
         domains: Array<{
           domainId: string;
@@ -218,7 +266,6 @@ type PublicSsoAdminApi = {
           enterpriseId: string;
           domain: string;
         }) => Promise<{
-          ok: true;
           enterpriseId: string;
           domain: string;
           requestedAt: number;
@@ -233,7 +280,6 @@ type PublicSsoAdminApi = {
           enterpriseId: string;
           domain: string;
         }) => Promise<{
-          ok: boolean;
           enterpriseId: string;
           domain: string;
           verifiedAt?: number;
@@ -328,35 +374,53 @@ declare function createAuth<P extends AuthProviderConfig[], TAuthorization exten
   authorization?: TAuthorization;
 }): ConvexAuthResult<P, TAuthorization>;
 /**
- * Configuration for {@link AuthCtx} context enrichment.
+ * Configuration for {@link createAuth().ctx} context enrichment.
+ *
+ * The same config shape is also used by {@link createAuth().context}.
  *
  * @typeParam TResolve - Extra fields returned from `resolve()` and merged into
  *   the resulting `ctx.auth` object.
+ *
+ * @example
+ * ```ts
+ * const authContext = await auth.context(ctx, {
+ *   resolve: async (_ctx, user, authState) => ({
+ *     email: user.email,
+ *     canWrite: authState.grants.includes("posts.write"),
+ *   }),
+ * });
+ * ```
  */
-type AuthCtxConfig<TResolve extends Record<string, unknown> = Record<string, never>> = {
-  /** Allow unauthenticated callers and return `userId: null` / `user: null`. */optional?: boolean;
+type AuthContextConfig<TResolve extends Record<string, unknown> = Record<string, never>> = {
+  /**
+   * Allow unauthenticated callers and return a null-shaped auth object instead
+   * of throwing `NOT_SIGNED_IN`.
+   */
+  optional?: boolean;
   /**
    * Attach additional derived fields to the auth context after the base auth
    * context is resolved.
+   *
+   * This callback runs only when a user is authenticated.
    */
-  resolve?: (ctx: any, user: UserDoc, auth: AuthResolvedContext) => Promise<TResolve> | TResolve;
+  resolve?: (ctx: any, user: UserDoc, auth: AuthContext) => Promise<TResolve> | TResolve;
   /**
-   * Override or wrap the base auth resolution used by {@link AuthCtx}.
+   * Override or wrap the base auth resolution used by {@link createAuth().ctx}.
    *
    * Return `undefined` to fall back to the built-in resolver,
    * `null` for an explicit unauthenticated state, or an
-   * {@link AuthResolvedContext} object to provide a pre-resolved auth state.
+   * {@link AuthContext} object to provide a pre-resolved auth state.
    * This is useful for tests, proxy auth, impersonation flows, or any
    * environment that needs to inject auth without depending on the standard
    * Convex auth tables.
    *
    * @param ctx - The Convex function context.
-   * @param fallback - The built-in auth resolver used by {@link AuthCtx}.
+   * @param fallback - The built-in auth resolver used by {@link createAuth().ctx}.
    * @returns Resolved auth state, `null`, or `undefined` to use the fallback.
    *
    * @example
    * ```ts
-   * const authCtx = AuthCtx(auth, {
+   * const authCtx = auth.ctx({
    *   authResolve: async (ctx, fallback) => {
    *     const injected = getInjectedAuth(ctx);
    *     return injected ?? (await fallback());
@@ -364,91 +428,24 @@ type AuthCtxConfig<TResolve extends Record<string, unknown> = Record<string, nev
    * });
    * ```
    */
-  authResolve?: (ctx: any, fallback: () => Promise<AuthResolvedContext | null>) => Promise<AuthResolvedContext | null | undefined> | AuthResolvedContext | null | undefined;
-};
-/**
- * Create a context enrichment for `customQuery` / `customMutation` — optional auth.
- *
- * When `optional: true` is set, unauthenticated requests are allowed.
- * The enriched `ctx.auth` will have `userId: null`, `user: null`,
- * `groupId: null`, `role: null`, and `grants: []` for unauthenticated callers.
- *
- * @param auth - The auth API object returned by {@link createAuth}.
- * @param config - Configuration with `optional: true` and an optional
- *   `resolve` callback for attaching extra fields to the auth context.
- * @returns An object with `args` and `input` compatible with Convex
- *   custom function builders.
- *
- * @example
- * ```ts
- * const authCtx = AuthCtx(auth, {
- *   optional: true,
- *   resolve: async (_ctx, user) => ({ plan: user?.extend?.plan ?? null }),
- * });
- * ```
- *
- * @see {@link createAuth}
- */
-declare function AuthCtx<TResolve extends Record<string, unknown> = Record<string, never>>(auth: AuthLike, config: AuthCtxConfig<TResolve> & {
-  optional: true;
-}): {
-  args: {};
-  input: (ctx: any, _args: any, _extra?: any) => Promise<{
-    ctx: {
-      auth: OptionalAuthCtxState & TResolve;
-    };
-    args: {};
-  }>;
-};
-/**
- * Create a context enrichment for `customQuery` / `customMutation` — required auth (default).
- *
- * When `optional` is omitted or `false`, the inferred type is the authenticated
- * auth shape. At runtime this helper still resolves instead of throwing, so if
- * no user is signed in the returned `ctx.auth.userId` / `ctx.auth.user` are
- * `null`, `ctx.auth.groupId` / `ctx.auth.role` are `null`, and
- * `ctx.auth.grants` is `[]`.
- *
- * @param auth - The auth API object returned by {@link createAuth}.
- * @param config - Optional configuration with a `resolve` callback
- *   for attaching extra fields to the auth context.
- * @returns An object with `args` and `input` compatible with Convex
- *   custom function builders.
- *
- * @example
- * ```ts
- * const authCtx = AuthCtx(auth, {
- *   resolve: async (_ctx, user) => ({ email: user.email }),
- * });
- * ```
- *
- * @see {@link createAuth}
- */
-declare function AuthCtx<TResolve extends Record<string, unknown> = Record<string, never>>(auth: AuthLike, config?: AuthCtxConfig<TResolve>): {
-  args: {};
-  input: (ctx: any, _args: any, _extra?: any) => Promise<{
-    ctx: {
-      auth: RequiredAuthCtxState & TResolve;
-    };
-    args: {};
-  }>;
+  authResolve?: (ctx: any, fallback: () => Promise<AuthContext | null>) => Promise<AuthContext | null | undefined> | AuthContext | null | undefined;
 };
 /**
- * Extract the resolved `auth` context type from an {@link AuthCtx} instance.
+ * Extract the resolved `auth` context type from an `auth.ctx()` customization.
  *
  * Use this to type function parameters or variables that receive the
- * enriched auth context produced by `AuthCtx`. The inferred type includes
+ * enriched auth context produced by `auth.ctx()`. The inferred type includes
  * `userId`, `user`, `groupId`, `role`, `grants`, `getUserIdentity`, and any
  * additional fields added by the `resolve` callback. This is the generic
  * utility for reusing the enriched auth shape without manually duplicating
  * conditional auth types.
  *
- * @typeParam T - An `AuthCtx` return value (must have an `input` method
+ * @typeParam T - An `auth.ctx()` return value (must have an `input` method
  *   that returns `{ ctx: { auth: ... } }`).
  *
  * @example
  * ```ts
- * const authCtx = AuthCtx(auth, {
+ * const authCtx = auth.ctx({
  *   resolve: async (ctx, user) => ({ orgId: user.orgId }),
  * });
  * type Auth = InferAuth<typeof authCtx>;
@@ -465,5 +462,5 @@ type InferAuth<T extends {
   }>;
 }> = Awaited<ReturnType<T["input"]>>["ctx"]["auth"];
 //#endregion
-export { AuthApi, AuthApiBase, AuthConfig, AuthCtx, AuthCtxConfig, AuthResolvedContext, ConvexAuthResult, InferAuth, InferClientApi, UserDoc, createAuth };
+export { AuthApi, AuthApiBase, AuthConfig, AuthContext, AuthContextConfig, ConvexAuthResult, InferAuth, InferClientApi, OptionalAuthContext, UserDoc, createAuth };
 //# sourceMappingURL=auth.d.ts.map

package/dist/server/auth.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth.d.ts","names":[],"sources":["../../src/server/auth.ts"],"mappings":";;;;;;;;;;~~AAqCA~~;;KAHY,UAAA,GAAa,IAAA,CAAK,gBAAA;;KAGlB,OAAA,GAAU,GAAA;AAAA,KAEjB,0BAAA,wBACoB,uBAAA,gBACrB,IAAA,CACF,UAAA,QAAkB,MAAA;EAGlB,MAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,MAAA,mCAEpB,IAAA;IACE,OAAA;IACA,MAAA;IACA,OAAA,GAAU,UAAA,CAAW,cAAA;IACrB,MAAA;IACA,MAAA,GAAS,MAAA;EAAA,MAER,OAAA;IAAU,~~EAAA;IAAU,~~QAAA;EAAA;~~EACzB~~,IAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,MAAA,iCAEpB,IAAA;IACE,KAAA;MACE,OAAA;MACA,MAAA;MACA,MAAA,GAAS,UAAA,CAAW,cAAA;MACpB,MAAA;IAAA;IAEF,KAAA;IACA,MAAA;IACA,OAAA;IACA,KAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,MAAA;EAClC,MAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,MAAA,mCAEpB,QAAA,UACA,IAAA,EAAM,MAAA;IAA4B,OAAA,GAAU,UAAA,CAAW,cAAA;EAAA,MACpD,OAAA;IAAU,EAAA;~~IAAU~~,QAAA;EAAA;~~EACzB~~,OAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,MAAA,oCAEpB,IAAA;IACE,MAAA;IACA,OAAA;IACA,QAAA;IACA,OAAA,GAAU,UAAA,CAAW,cAAA;IACrB,MAAA,GAAS,SAAA,CAAU,cAAA;IACnB,QAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,MAAA;AAAA;;;;;;;;;;;;;;;;~~KAmBxB~~,WAAA,wBACa,uBAAA;EAEvB,MAAA,EAAQ,UAAA,QAAkB,MAAA;EAC1B,OAAA,EAAS,UAAA,QAAkB,MAAA;EAC3B,KAAA,EAAO,UAAA,QAAkB,MAAA;EACzB,IAAA,EAAM,UAAA,QAAkB,MAAA;EACxB,OAAA,EAAS,UAAA,QAAkB,MAAA;EAC3B,QAAA,EAAU,UAAA,QAAkB,MAAA;EAC5B,OAAA,EAAS,UAAA,QAAkB,MAAA;EAC3B,KAAA,EAAO,UAAA,QAAkB,MAAA;EACzB,MAAA,EAAQ,0BAAA,CAA2B,cAAA;EACnC,MAAA,EAAQ,UAAA,QAAkB,MAAA;EAC1B,GAAA,EAAK,UAAA,QAAkB,MAAA;EACvB,IAAA,EAAM,UAAA,QAAkB,MAAA;~~EAnEF;;;;;;;;;;;;;;;;;;;;;;;;EA4FtB~~,OAAA,~~GAAU~~,~~GAAA,UAAa,OAAA,CAAQ,~~mBAAA;~~EAxEe;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiChD;;;;;;;;;;;;EA+EE~~,GAAA~~;IACE~~,~~IAAA~~,~~EAAM~~,~~MAAA~~;~~IACN~~,~~KAAA~~,~~GAAQ~~,~~GAAA~~,~~UAAa~~,~~OAAA~~;~~MACnB~~,~~GAAA;QAAO,~~IAAA,EAAM,~~mBAAA~~;~~MAAA~~;~~MACb~~,IAAA,~~EAAM~~,MAAA;~~IAAA;EAAA;~~AAAA~~;;;;;;;;;;;;;;;;;;;;;;;KA2BA~~,mBAAA;~~EAzGH~~,~~4CA2GP~~,MAAA,EAAQ,SAAA,~~UA1GR~~;~~EA4GA~~,IAAA,EAAM,OAAA,~~EA5GkB~~;~~EA8GxB~~,OAAA,~~iBA7GS~~;~~EA+GT~~,IAAA,~~iBA9GA~~;~~EAgHA~~,MAAA;AAAA;AAAA,KAGG,~~WAAA~~;EACH,eAAA,QAAuB,OAAA,CAAQ,YAAA;AAAA;AAAA,KAG5B,~~oBAAA~~,~~GAAuB~~,WAAA,~~GAAc~~,mBAAA;AAAA,~~KAErC~~,~~oBAAA~~,~~GAAuB~~,WAAA;~~EAC1B~~,MAAA,EAAQ,~~SAAA~~;~~EACR~~,~~IAAA~~,~~EAAM~~,OAAA;~~EACN~~,OAAA;~~EACA~~,IAAA;EACA,MAAA;AAAA;AAAA,~~KAGG~~,cAAA,GAAiB,UAAA,QAAkB,MAAA;AAAA,KAEnC,iBAAA;EACH,UAAA,EAAY,cAAA;IACV,MAAA;MACE,IAAA,EAAM,cAAA;MACN,QAAA,EAAU,cAAA;MACV,GAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,YAAA,UACA,OAAA,EAAS,KAAA;QACP,MAAA;QACA,SAAA;MAAA,OAEC,OAAA;QACH,~~EAAA;QACA,~~YAAA;QACA,OAAA,EAAS,KAAA;UACP,QAAA;UACA,MAAA;UACA,SAAA;UACA,QAAA;UACA,UAAA;QAAA;MAAA;MAGJ,YAAA;QACE,OAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,IAAA;UAAQ,YAAA;UAAsB,MAAA;QAAA,MAC3B,OAAA;UACH,~~EAAA;UACA,~~YAAA;UACA,MAAA;UACA,WAAA;UACA,SAAA;UACA,SAAA;YACE,UAAA;YACA,UAAA;YACA,WAAA;UAAA;QAAA;QAGJ,OAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,IAAA;UAAQ,YAAA;UAAsB,MAAA;QAAA,MAC3B,OAAA;UACH,~~EAAA;UACA,~~YAAA;UACA,MAAA;UACA,UAAA;UACA,MAAA,EAAQ,KAAA;YAAQ,IAAA;YAAc,EAAA;YAAa,OAAA;UAAA;QAAA;MAAA;IAAA;EAAA;EAKnD,IAAA,EAAM,IAAA,CAAK,cAAA;EACX,IAAA,EAAM,IAAA,CAAK,cAAA;EACX,MAAA,EAAQ,cAAA;EACR,KAAA;IACE,IAAA,EAAM,cAAA;EAAA;EAER,OAAA;IACE,QAAA,EAAU,cAAA;IACV,QAAA;MACE,IAAA,EAAM,cAAA;IAAA;EAAA;AAAA;AAAA,KAKP,kBAAA;EACH,MAAA,EAAQ,cAAA;EACR,QAAA,EAAU,cAAA;AAAA;AAAA,KAGP,YAAA;EACH,KAAA,EAAO,iBAAA;EACP,MAAA,EAAQ,kBAAA;AAAA;AAAA,KAGL,aAAA;EACH,KAAA,EAAO,IAAA,CAAK,cAAA;AAAA~~;;;;;;;;;;;;;;;;KAkBF~~,OAAA,wBACa,uBAAA,4BACrB,WAAA,CAAY,cAAA;EACd,GAAA,EAAK,YAAA;EACL,IAAA,EAAM,aAAA;AAAA~~;;;;;;;;;;;;;;;;KAkBI~~,gBAAA,WACA,kBAAA,2BACa,uBAAA,4BAEvB,MAAA,CAAO,CAAA,iBACH,OAAA,CAAQ,cAAA,IACR,WAAA,CAAY,cAAA;;;;;;;;;;;;;;;;;;KAmBN,cAAA,MACV,CAAA,SAAU,gBAAA,YACN,WAAA,CACE,kBAAA,CAAmB,CAAA,GACnB,eAAA,CAAgB,CAAA,GAChB,iBAAA,CAAkB,CAAA,KAEpB,WAAA;AAAA,~~iBAmEU~~,UAAA,WACJ,kBAAA,2BACa,uBAAA,yBAAA,CAEvB,SAAA,EAAW,gBAAA,eACX,MAAA,EAAQ,IAAA,CAAK,UAAA;EACX,SAAA,EAAW,CAAA;EACX,aAAA,GAAgB,cAAA;AAAA,IAEjB,gBAAA,CAAiB,CAAA,EAAG,cAAA~~;;;;;;;KAgNX~~,~~aAAA~~,kBACO,MAAA,oBAA0B,MAAA;~~EAlZnC~~,~~8EAqZR,~~QAAA;~~EAnZU;;;;EAwZV~~,OAAA,IACE,GAAA,OACA,IAAA,EAAM,OAAA,EACN,IAAA,EAAM,~~mBAAA~~,KACH,OAAA,CAAQ,QAAA,IAAY,QAAA;~~EAtZD~~;;;;;;;;;;;;;;;;;;;;;;;;~~EA+axB~~,WAAA,IACE,GAAA,OACA,QAAA,QAAgB,OAAA,CAAQ,~~mBAAA~~,~~aAEtB~~,OAAA,CAAQ,~~mBAAA~~,~~uBACR~~,~~mBAAA~~;AAAA~~;;;;;;;;;AA/ZoB;;;;;;;;;;AAOA;;;;;iBAobV~~,OAAA,kBACG,MAAA,oBAA0B,MAAA,gBAAA,CAE3C,IAAA,EAAM,QAAA,EACN,MAAA,EAAQ,aAAA,CAAc,QAAA;EAAc,QAAA;AAAA;EAEpC,IAAA;EACA,KAAA,GACE,GAAA,OACA,KAAA,OACA,MAAA,WACG,OAAA;IACH,GAAA;MACE,IAAA,EAAM,oBAAA,GAAuB,QAAA;IAAA;IAE/B,IAAA;EAAA;AAAA;;;;AAxaJ;;;;;;;;;;;;;;;;;;;;AAsBA;iBA6agB,OAAA,kBACG,MAAA,oBAA0B,MAAA,gBAAA,CAE3C,IAAA,EAAM,QAAA,EACN,MAAA,GAAS,aAAA,CAAc,QAAA;EAEvB,IAAA;EACA,KAAA,GACE,GAAA,OACA,KAAA,OACA,MAAA,WACG,OAAA;IACH,GAAA;MACE,IAAA,EAAM,oBAAA,GAAuB,QAAA;IAAA;IAE/B,IAAA;EAAA;AAAA;;;;;;;;;;;;;;;;AAnaJ;;;;;;;;;KA+eY,SAAA;EACE,KAAA,MAAW,IAAA,YAAgB,OAAA;IAAU,GAAA;MAAO,IAAA;IAAA;EAAA;AAAA,KACtD,OAAA,CAAQ,UAAA,CAAW,CAAA"}
1	+ {"version":3,"file":"auth.d.ts","names":[],"sources":["../../src/server/auth.ts"],"mappings":";;;;;;;;;;AAyCA;;KAHY,UAAA,GAAa,IAAA,CAAK,gBAAA;;KAGlB,OAAA,GAAU,GAAA;AAAA,KAEjB,0BAAA,wBACoB,uBAAA,gBACrB,IAAA,CACF,UAAA,QAAkB,MAAA;EAGlB,MAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,MAAA,mCAEpB,IAAA;IACE,OAAA;IACA,MAAA;IACA,OAAA,GAAU,UAAA,CAAW,cAAA;IACrB,MAAA;IACA,MAAA,GAAS,MAAA;EAAA,MAER,OAAA;IAAU,QAAA;EAAA;EACf,IAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,MAAA,iCAEpB,IAAA;IACE,KAAA;MACE,OAAA;MACA,MAAA;MACA,MAAA,GAAS,UAAA,CAAW,cAAA;MACpB,MAAA;IAAA;IAEF,KAAA;IACA,MAAA;IACA,OAAA;IACA,KAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,MAAA;EAClC,MAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,MAAA,mCAEpB,QAAA,UACA,IAAA,EAAM,MAAA;IAA4B,OAAA,GAAU,UAAA,CAAW,cAAA;EAAA,MACpD,OAAA;IAAU,QAAA;EAAA;EACf,OAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,MAAA,oCAEpB,IAAA;IACE,MAAA;IACA,OAAA;IACA,QAAA;IACA,QAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,MAAA;EAClC,OAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,MAAA,oCAEpB,IAAA;IACE,MAAA;IACA,OAAA;IACA,QAAA;IACA,OAAA,GAAU,UAAA,CAAW,cAAA;IACrB,MAAA,GAAS,SAAA,CAAU,cAAA;IACnB,QAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,MAAA;AAAA;;;;;;;;;;;;;;;;KAkBxB,WAAA,wBACa,uBAAA;EAEvB,MAAA,EAAQ,UAAA,QAAkB,MAAA;EAC1B,OAAA,EAAS,UAAA,QAAkB,MAAA;EAC3B,KAAA,EAAO,UAAA,QAAkB,MAAA;EACzB,IAAA,EAAM,UAAA,QAAkB,MAAA;EACxB,OAAA,EAAS,UAAA,QAAkB,MAAA;EAC3B,QAAA,EAAU,UAAA,QAAkB,MAAA;EAC5B,OAAA,EAAS,UAAA,QAAkB,MAAA;EAC3B,KAAA,EAAO,UAAA,QAAkB,MAAA;EACzB,MAAA,EAAQ,0BAAA,CAA2B,cAAA;EACnC,MAAA,EAAQ,UAAA,QAAkB,MAAA;EAC1B,GAAA,EAAK,UAAA,QAAkB,MAAA;EACvB,IAAA,EAAM,UAAA,QAAkB,MAAA;EA7EpB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgHJ,OAAA,EAAS,mBAAA;EAzFP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwCJ;;;;;;;;EAwFE,GAAA,EAAK,kBAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;KA0BK,WAAA;EA/GV,4CAiHA,MAAA,EAAQ,SAAA,UAjHkB;EAmH1B,IAAA,EAAM,OAAA,EAlHG;EAoHT,OAAA,iBAnHA;EAqHA,IAAA,iBArHyB;EAuHzB,MAAA;AAAA;;;;;;;;;;;;;;;;;;;;KAsBU,mBAAA;EArIL,4EAuIL,MAAA,EAAQ,SAAA,iBAtIR;EAwIA,IAAA,EAAM,OAAA,SAxIkB;EA0IxB,OAAA,iBAvGS;EAyGT,IAAA,iBAlEK;EAoEL,MAAA;AAAA;AAAA,KAGG,eAAA;EACH,eAAA,QAAuB,OAAA,CAAQ,YAAA;AAAA;AAAA,KAG5B,wBAAA,GAA2B,eAAA,GAAkB,WAAA;AAAA,KAE7C,wBAAA,GAA2B,eAAA,GAAkB,mBAAA;AAAA,KAE7C,mBAAA,aAAgC,WAAA,GAAc,QAAA;AAAA,KAE9C,2BAAA,aAAwC,mBAAA,GAAsB,QAAA;AAAA,KAE9D,mBAAA;EAAA,kBACe,MAAA,oBAA0B,MAAA,iBAC1C,GAAA,OACA,MAAA,EAAQ,iBAAA,CAAkB,QAAA;IAAc,QAAA;EAAA,IACvC,OAAA,CAAQ,2BAAA,CAA4B,QAAA;EAAA,kBACrB,MAAA,oBAA0B,MAAA,iBAC1C,GAAA,OACA,MAAA,GAAS,iBAAA,CAAkB,QAAA,IAC1B,OAAA,CAAQ,mBAAA,CAAoB,QAAA;AAAA;AAAA,KAG5B,wBAAA;EACH,IAAA;EACA,KAAA,GACE,GAAA,OACA,KAAA,OACA,MAAA,WACG,OAAA;IACH,GAAA;MACE,IAAA,EAAM,KAAA;IAAA;IAER,IAAA;EAAA;AAAA;AAAA,KAIC,kBAAA;EAAA,kBACe,MAAA,oBAA0B,MAAA,iBAC1C,MAAA,EAAQ,iBAAA,CAAkB,QAAA;IAAc,QAAA;EAAA,IACvC,wBAAA,CAAyB,wBAAA,GAA2B,QAAA;EAAA,kBACrC,MAAA,oBAA0B,MAAA,iBAC1C,MAAA,GAAS,iBAAA,CAAkB,QAAA,IAC1B,wBAAA,CAAyB,wBAAA,GAA2B,QAAA;AAAA;AAAA,KAGpD,cAAA,GAAiB,UAAA,QAAkB,MAAA;AAAA,KAEnC,iBAAA;EACH,UAAA,EAAY,cAAA;IACV,MAAA;MACE,IAAA,EAAM,cAAA;MACN,QAAA,EAAU,cAAA;MACV,GAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,YAAA,UACA,OAAA,EAAS,KAAA;QACP,MAAA;QACA,SAAA;MAAA,OAEC,OAAA;QACH,YAAA;QACA,OAAA,EAAS,KAAA;UACP,QAAA;UACA,MAAA;UACA,SAAA;UACA,QAAA;UACA,UAAA;QAAA;MAAA;MAGJ,YAAA;QACE,OAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,IAAA;UAAQ,YAAA;UAAsB,MAAA;QAAA,MAC3B,OAAA;UACH,YAAA;UACA,MAAA;UACA,WAAA;UACA,SAAA;UACA,SAAA;YACE,UAAA;YACA,UAAA;YACA,WAAA;UAAA;QAAA;QAGJ,OAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,IAAA;UAAQ,YAAA;UAAsB,MAAA;QAAA,MAC3B,OAAA;UACH,YAAA;UACA,MAAA;UACA,UAAA;UACA,MAAA,EAAQ,KAAA;YAAQ,IAAA;YAAc,EAAA;YAAa,OAAA;UAAA;QAAA;MAAA;IAAA;EAAA;EAKnD,IAAA,EAAM,IAAA,CAAK,cAAA;EACX,IAAA,EAAM,IAAA,CAAK,cAAA;EACX,MAAA,EAAQ,cAAA;EACR,KAAA;IACE,IAAA,EAAM,cAAA;EAAA;EAER,OAAA;IACE,QAAA,EAAU,cAAA;IACV,QAAA;MACE,IAAA,EAAM,cAAA;IAAA;EAAA;AAAA;AAAA,KAKP,kBAAA;EACH,MAAA,EAAQ,cAAA;EACR,QAAA,EAAU,cAAA;AAAA;AAAA,KAGP,YAAA;EACH,KAAA,EAAO,iBAAA;EACP,MAAA,EAAQ,kBAAA;AAAA;AAAA,KAGL,aAAA;EACH,KAAA,EAAO,IAAA,CAAK,cAAA;AAAA;;;;AAtG2B;;;;;;;;;;;;KAwH7B,OAAA,wBACa,uBAAA,4BACrB,WAAA,CAAY,cAAA;EACd,GAAA,EAAK,YAAA;EACL,IAAA,EAAM,aAAA;AAAA;;AA/GA;;;;;;;;;;;;;;KAiII,gBAAA,WACA,kBAAA,2BACa,uBAAA,4BAEvB,MAAA,CAAO,CAAA,iBACH,OAAA,CAAQ,cAAA,IACR,WAAA,CAAY,cAAA;;;;;;;;;;;;;;;;;;KAmBN,cAAA,MACV,CAAA,SAAU,gBAAA,YACN,WAAA,CACE,kBAAA,CAAmB,CAAA,GACnB,eAAA,CAAgB,CAAA,GAChB,iBAAA,CAAkB,CAAA,KAEpB,WAAA;AAAA,iBAmFU,UAAA,WACJ,kBAAA,2BACa,uBAAA,yBAAA,CAEvB,SAAA,EAAW,gBAAA,eACX,MAAA,EAAQ,IAAA,CAAK,UAAA;EACX,SAAA,EAAW,CAAA;EACX,aAAA,GAAgB,cAAA;AAAA,IAEjB,gBAAA,CAAiB,CAAA,EAAG,cAAA;;;;AAnP0C;;;;;AAGd;;;;;;;;;;KAucvC,iBAAA,kBACO,MAAA,oBAA0B,MAAA;EA9anB;;;;EAobxB,QAAA;EAhagB;;;;;;EAuahB,OAAA,IACE,GAAA,OACA,IAAA,EAAM,OAAA,EACN,IAAA,EAAM,WAAA,KACH,OAAA,CAAQ,QAAA,IAAY,QAAA;EAlajB;;;;;;;;;;;;;;;;;;;;;;;;EA2bR,WAAA,IACE,GAAA,OACA,QAAA,QAAgB,OAAA,CAAQ,WAAA,aACrB,OAAA,CAAQ,WAAA,uBAAkC,WAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;KAkHrC,SAAA;EACE,KAAA,MAAW,IAAA,YAAgB,OAAA;IAAU,GAAA;MAAO,IAAA;IAAA;EAAA;AAAA,KACtD,OAAA,CAAQ,UAAA,CAAW,CAAA"}

package/dist/server/auth.js CHANGED Viewed

@@ -1,8 +1,14 @@
-import { AuthError } from "./authError.js";
+import { createUnauthenticatedAuthContext, getAuthContext } from "./context.js";
 import { Auth } from "./runtime.js";
+import { Cv } from "@robelest/fx/convex";
 //#region src/server/auth.ts
 /**
+* Auth configuration helpers for Convex Auth.
+*
+* @module
+*/
+/**
 * Create an auth API object.
 *
 * When `new SSO()` is included in providers, `auth.sso` and `auth.scim`
@@ -26,41 +32,29 @@ import { Auth } from "./runtime.js";
 * });
 * ```
 *
-* @see {@link AuthCtx}
-*/
-/**
-* Resolve auth context for the current user. Returns the enriched
-* `ctx.auth` object or `null` when unauthenticated.
-*
-* Resolution flow:
-* 1. `user.id(ctx)` → userId or null (exit early)
-* 2. `user.get(ctx, userId)` → user doc (cached per-execution)
-* 3. `user.getActiveGroup(ctx, { userId })` → groupId or null
-* 4. If groupId → `member.resolve(ctx, { userId, groupId })` → role + grants
+* @see {@link AuthContextConfig}
 */
-async function resolveAuthContext(auth, ctx) {
-	const userId = await auth.user.id(ctx);
-	if (!userId) return null;
-	const user = await auth.user.get(ctx, userId);
-	const groupId = await auth.user.getActiveGroup(ctx, { userId });
-	let role = null;
-	let grants = [];
-	if (groupId) {
-		const resolved = await auth.member.resolve(ctx, {
-			userId,
-			groupId
-		});
-		if (resolved.membership) {
-			role = resolved.roleIds[0] ?? null;
-			grants = resolved.grants;
-		}
+async function resolveConfiguredAuthContext(auth, ctx, config) {
+	const fallback = () => getAuthContext(auth, ctx);
+	const authOverride = config?.authResolve ? await config.authResolve(ctx, fallback) : void 0;
+	return authOverride === void 0 ? await fallback() : authOverride;
+}
+function createNotSignedInError() {
+	return Cv.error({
+		code: "NOT_SIGNED_IN",
+		message: "Authentication required."
+	});
+}
+async function createPublicAuthContext(auth, ctx, config) {
+	const resolved = await resolveConfiguredAuthContext(auth, ctx, config);
+	if (resolved === null) {
+		if (config?.optional !== true) throw createNotSignedInError();
+		return createUnauthenticatedAuthContext();
 	}
+	const extra = config?.resolve ? await config.resolve(ctx, resolved.user, resolved) : {};
 	return {
-		userId,
-		user,
-		groupId,
-		role,
-		grants
+		...resolved,
+		...extra
 	};
 }
 function createAuth(component, config) {
@@ -72,20 +66,32 @@ function createAuth(component, config) {
 	const { domain: domainApi, scim: scimApi, connection: connectionApi, audit: auditApi, webhook: webhookApi, oidc: oidcApi, saml: samlApi, ...restSso } = authResult.auth.sso;
 	const setEnterpriseDomains = async (ctx, enterpriseId, domains) => {
 		const enterprise = await connectionApi.get(ctx, enterpriseId);
-		if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
+		if (enterprise === null) throw Cv.error({
+			code: "INVALID_PARAMETERS",
+			message: "Enterprise not found."
+		});
 		const normalized = domains.map((entry) => ({
 			...entry,
 			domain: entry.domain.trim().toLowerCase()
 		}));
 		const deduped = /* @__PURE__ */ new Map();
 		for (const entry of normalized) {
-			if (entry.domain.length === 0) throw new AuthError("INVALID_PARAMETERS", "Domain must not be empty.").toConvexError();
-			if (deduped.has(entry.domain)) throw new AuthError("INVALID_PARAMETERS", `Duplicate domain: ${entry.domain}`).toConvexError();
+			if (entry.domain.length === 0) throw Cv.error({
+				code: "INVALID_PARAMETERS",
+				message: "Domain must not be empty."
+			});
+			if (deduped.has(entry.domain)) throw Cv.error({
+				code: "INVALID_PARAMETERS",
+				message: `Duplicate domain: ${entry.domain}`
+			});
 			deduped.set(entry.domain, entry);
 		}
 		const nextDomains = [...deduped.values()];
 		const primaryCount = nextDomains.filter((entry) => entry.isPrimary).length;
-		if (primaryCount > 1) throw new AuthError("INVALID_PARAMETERS", "Only one primary domain may be set.").toConvexError();
+		if (primaryCount > 1) throw Cv.error({
+			code: "INVALID_PARAMETERS",
+			message: "Only one primary domain may be set."
+		});
 		if (nextDomains.length > 0 && primaryCount === 0) nextDomains[0] = {
 			...nextDomains[0],
 			isPrimary: true
@@ -109,7 +115,6 @@ function createAuth(component, config) {
 			});
 		}
 		return {
-			ok: true,
 			enterpriseId,
 			domains: (await domainApi.list(ctx, enterpriseId)).map((domain) => ({
 				domainId: domain._id,
@@ -168,38 +173,69 @@ function createAuth(component, config) {
 			validate: scimApi.validate
 		} },
 		http: authResult.auth.http,
-		resolve: (ctx) => resolveAuthContext(authResult.auth, ctx),
-		ctx: () => ({
-			args: {},
-			input: async (ctx) => {
-				return {
-					ctx: { auth: await resolveAuthContext(authResult.auth, ctx) },
-					args: {}
-				};
-			}
-		})
+		context: ((ctx, config$1) => createPublicAuthContext(authResult.auth, ctx, config$1)),
+		ctx: ((config$1) => createAuthContextCustomization(authResult.auth, config$1))
 	};
 }
-function AuthCtx(auth, config) {
+/**
+* Create a context enrichment for `customQuery` / `customMutation` — optional auth.
+*
+* When `optional: true` is set, unauthenticated requests are allowed.
+* The enriched `ctx.auth` will have `userId: null`, `user: null`,
+* `groupId: null`, `role: null`, and `grants: []` for unauthenticated callers.
+*
+* @param config - Configuration with `optional: true` and an optional
+*   `resolve` callback for attaching extra fields to the auth context.
+* @returns An object with `args` and `input` compatible with Convex
+*   custom function builders.
+*
+* @example
+* ```ts
+* const authCtx = auth.ctx({
+*   optional: true,
+*   resolve: async (_ctx, user) => ({ plan: user.extend?.plan ?? null }),
+* });
+* ```
+*
+* @see {@link createAuth}
+*/
+/**
+* Create a context enrichment for `customQuery` / `customMutation` — required auth (default).
+*
+* When `optional` is omitted or `false`, unauthenticated requests throw a
+* structured `ConvexError` before your handler runs.
+*
+* @param config - Optional configuration with a `resolve` callback
+*   for attaching extra fields to the auth context.
+* @returns An object with `args` and `input` compatible with Convex
+*   custom function builders.
+*
+* @example
+* ```ts
+* const authCtx = auth.ctx({
+*   resolve: async (_ctx, user) => ({ email: user.email }),
+* });
+* ```
+*
+* @see {@link createAuth}
+*/
+function createAuthContextCustomization(auth, config) {
 	return {
 		args: {},
 		input: async (ctx, _args, _extra) => {
 			const nativeAuth = ctx.auth;
 			const getUserIdentity = nativeAuth.getUserIdentity.bind(nativeAuth);
-			const fallback = () => resolveAuthContext(auth, ctx);
-			const authOverride = config?.authResolve ? await config.authResolve(ctx, fallback) : void 0;
-			const resolved = authOverride === void 0 ? await fallback() : authOverride;
-			if (resolved === null) return {
-				ctx: { auth: {
-					getUserIdentity,
-					userId: null,
-					user: null,
-					groupId: null,
-					role: null,
-					grants: []
-				} },
-				args: {}
-			};
+			const resolved = await resolveConfiguredAuthContext(auth, ctx, config);
+			if (resolved === null) {
+				if (config?.optional !== true) throw createNotSignedInError();
+				return {
+					ctx: { auth: {
+						getUserIdentity,
+						...createUnauthenticatedAuthContext()
+					} },
+					args: {}
+				};
+			}
 			const extra = config?.resolve ? await config.resolve(ctx, resolved.user, resolved) : {};
 			return {
 				ctx: { auth: {
@@ -214,5 +250,5 @@ function AuthCtx(auth, config) {
 }
 //#endregion
-export { AuthCtx, createAuth };
+export { createAuth };
 //# sourceMappingURL=auth.js.map