@robelest/convex-auth 0.0.4-preview.22 → 0.0.4-preview.24

package/dist/server/signin.js.map

@@ -1 +1 @@
-{"version":3,"file":"signin.js","names":[],"sources":["../../src/server/signin.ts"],"sourcesContent":["import type { Fx as FxType } from \"@robelest/fx\";\nimport { GenericId } from \"convex/values\";\n\nimport { handleDevice } from \"./device\";\nimport { Fx } from \"@robelest/fx\";\n\nimport { AuthError } from \"./authError\";\nimport {\n  callCreateVerificationCode,\n  callRefreshSession,\n  callSignIn,\n  callVerifier,\n  callVerifierSignature,\n  callVerifyCodeAndSignIn,\n} from \"./mutations/index\";\nimport { handlePasskeyFx } from \"./passkey\";\nimport { redirectAbsoluteUrl, setURLSearchParam } from \"./redirects\";\nimport { handleTotp } from \"./totp\";\nimport {\n  AuthProviderMaterializedConfig,\n  ConvexCredentialsConfig,\n  EmailConfig,\n  GenericActionCtxWithAuthConfig,\n  PhoneConfig,\n} from \"./types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  SessionInfoWithTokens,\n  Tokens,\n  queryTotpVerifiedByUserId,\n} from \"./types\";\nimport type { OAuthMaterializedConfig } from \"./types\";\nimport { generateRandomString } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\nconst DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 60 * 60 * 24; // 24 hours\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\ntype SignInResult =\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"refreshTokens\"; signedIn: { tokens: Tokens } }\n  | { kind: \"started\"; started: true }\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n  | { kind: \"totpRequired\"; verifier: string }\n  | {\n      kind: \"totpSetup\";\n      uri: string;\n      secret: string;\n      verifier: string;\n      totpId: string;\n    }\n  | {\n      kind: \"deviceCode\";\n      deviceCode: string;\n      userCode: string;\n      verificationUri: string;\n      verificationUriComplete: string;\n      expiresIn: number;\n      interval: number;\n    };\n\n/** @internal */\nexport async function signInImpl(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): Promise<SignInResult> {\n  const fx = signInFx(ctx, provider, args, options);\n  return Fx.run(\n    fx.pipe(Fx.recover((e) => Fx.fatal((e as AuthError).toConvexError()))),\n  );\n}\n\n/**\n * Core sign-in pipeline as an Fx generator.\n *\n * Handles: refresh tokens, verification codes, then dispatches by\n * provider type using a dispatch map (no if-chain).\n */\nfunction signInFx(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<SignInResult, AuthError> {\n  return Fx.gen(function* () {\n    // --- Refresh token (no provider) ---\n    if (provider === null && args.refreshToken) {\n      const tokens = yield* Fx.promise(() =>\n        callRefreshSession(ctx, { refreshToken: args.refreshToken! }),\n      );\n      if (tokens === null) {\n        return { kind: \"signedIn\" as const, signedIn: null };\n      }\n      return { kind: \"refreshTokens\" as const, signedIn: { tokens } };\n    }\n\n    // --- Verify code (no provider, code present) ---\n    if (provider === null && args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return { kind: \"signedIn\" as const, signedIn: result };\n    }\n\n    // --- Provider is required past this point ---\n    const resolvedProvider = yield* provider != null\n      ? Fx.succeed(provider)\n      : Fx.fail(new AuthError(\"SIGN_IN_MISSING_PARAMS\"));\n\n    // --- Dispatch by provider type ---\n    return yield* Fx.match(resolvedProvider).on(\"type\", {\n      email: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      phone: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      credentials: (p) => handleCredentialsFx(ctx, p, args, options),\n      oauth: (p) => handleOAuthProviderFx(ctx, p, args, options),\n      passkey: (p) => handlePasskeyFx(ctx, p, args),\n      totp: (p) => handleTotp(ctx, p, args),\n      device: (p) => handleDevice(ctx, p, args),\n      sso: (_p) => handleSsoProviderFx(ctx, args),\n    });\n  });\n}\n\n// ============================================================================\n// Email / Phone\n// ============================================================================\n\nfunction handleEmailAndPhoneProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: EmailConfig | PhoneConfig,\n  args: {\n    params?: Record<string, any>;\n    accountId?: GenericId<\"Account\">;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"started\"; started: true }\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          provider: provider.id,\n          generateTokens: options.generateTokens,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      const verified = yield* result != null\n        ? Fx.succeed(result)\n        : Fx.fail(new AuthError(\"INVALID_VERIFICATION_CODE\"));\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: verified as SessionInfoWithTokens,\n      };\n    }\n\n    // --- Send verification code path ---\n    const alphabet =\n      \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\";\n    const code = provider.generateVerificationToken\n      ? yield* Fx.from({\n          ok: async () => provider.generateVerificationToken!(),\n          err: () =>\n            new AuthError(\n              \"INTERNAL_ERROR\",\n              \"Failed to generate verification token\",\n            ),\n        })\n      : generateRandomString(32, alphabet);\n    const expirationTime =\n      Date.now() +\n      (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1000;\n\n    const identifier = yield* Fx.promise(() =>\n      callCreateVerificationCode(ctx, {\n        provider: provider.id,\n        accountId: args.accountId,\n        email: args.params?.email,\n        phone: args.params?.phone,\n        code,\n        expirationTime,\n        allowExtraProviders: options.allowExtraProviders,\n      }),\n    );\n    const destination = yield* Fx.promise(() =>\n      redirectAbsoluteUrl(\n        ctx.auth.config,\n        (args.params ?? {}) as { redirectTo: unknown },\n      ),\n    );\n    const verificationArgs = {\n      identifier,\n      url: setURLSearchParam(destination, \"code\", code),\n      token: code,\n      expires: new Date(expirationTime),\n    };\n    yield* Fx.match(provider).on(\"type\", {\n      email: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              {\n                ...verificationArgs,\n                provider: p,\n                request: new Request(\"http://localhost\"),\n              },\n              ctx,\n            ),\n          err: () =>\n            new AuthError(\"INTERNAL_ERROR\", \"Failed to send email code\"),\n        }),\n      phone: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              { ...verificationArgs, provider: p },\n              ctx,\n            ),\n          err: () =>\n            new AuthError(\"INTERNAL_ERROR\", \"Failed to send phone code\"),\n        }),\n    });\n    return { kind: \"started\" as const, started: true as const };\n  });\n}\n\n// ============================================================================\n// Credentials\n// ============================================================================\n\nfunction handleCredentialsFx(\n  ctx: EnrichedActionCtx,\n  provider: ConvexCredentialsConfig,\n  args: {\n    params?: Record<string, any>;\n  },\n  options: {\n    generateTokens: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"totpRequired\"; verifier: string },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    const result = yield* Fx.promise(() =>\n      provider.authorize(args.params ?? {}, ctx),\n    );\n    if (result === null) {\n      return { kind: \"signedIn\" as const, signedIn: null };\n    }\n\n    // Check if user has TOTP 2FA enrolled before issuing tokens\n    const hasTotpEnrolled = yield* Fx.promise(async () => {\n      const totpDoc = await queryTotpVerifiedByUserId(ctx, result.userId);\n      return totpDoc !== null;\n    });\n    if (hasTotpEnrolled) {\n      // Create session but withhold tokens — TOTP verification needed\n      yield* Fx.promise(() =>\n        callSignIn(ctx, {\n          userId: result.userId,\n          sessionId: result.sessionId,\n          generateTokens: false,\n        }),\n      );\n      // Store userId in verifier so the TOTP verify flow can complete sign-in\n      const verifier = yield* Fx.promise(() => callVerifier(ctx));\n      yield* Fx.promise(() =>\n        callVerifierSignature(ctx, {\n          verifier,\n          signature: JSON.stringify({ userId: result.userId }),\n        }),\n      );\n      return { kind: \"totpRequired\" as const, verifier };\n    }\n\n    const idsAndTokens = yield* Fx.promise(() =>\n      callSignIn(ctx, {\n        userId: result.userId,\n        sessionId: result.sessionId,\n        generateTokens: options.generateTokens,\n      }),\n    );\n    return { kind: \"signedIn\" as const, signedIn: idsAndTokens };\n  });\n}\n\n// ============================================================================\n// OAuth\n// ============================================================================\n\nfunction handleOAuthProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: OAuthMaterializedConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n  options: {\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens | null }\n  | { kind: \"redirect\"; redirect: string; verifier: string },\n  AuthError\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: result as SessionInfoWithTokens | null,\n      };\n    }\n\n    // --- Build redirect URL ---\n    const redirect = new URL(\n      (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\")) +\n        `/api/auth/signin/${provider.id}`,\n    );\n    const verifier = yield* Fx.promise(() => callVerifier(ctx));\n    redirect.searchParams.set(\"code\", verifier);\n\n    if (args.params?.redirectTo !== undefined) {\n      yield* Fx.guard(\n        typeof args.params.redirectTo !== \"string\",\n        Fx.fail(\n          new AuthError(\n            \"INVALID_REDIRECT\",\n            `Expected \\`redirectTo\\` to be a string, got ${args.params.redirectTo}`,\n          ),\n        ),\n      );\n      redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n    }\n\n    return {\n      kind: \"redirect\" as const,\n      redirect: redirect.toString(),\n      verifier,\n    };\n  });\n}\n\n// ============================================================================\n// SSO (Enterprise OIDC / SAML)\n// ============================================================================\n\nfunction handleSsoProviderFx(\n  ctx: EnrichedActionCtx,\n  args: {\n    params?: Record<string, any>;\n  },\n): FxType<{ kind: \"redirect\"; redirect: string; verifier: string }, AuthError> {\n  return Fx.gen(function* () {\n    const enterpriseId = args.params?.enterpriseId;\n    if (!enterpriseId || typeof enterpriseId !== \"string\") {\n      return yield* Fx.fail(\n        new AuthError(\n          \"SIGN_IN_MISSING_PARAMS\",\n          \"enterpriseId is required for SSO sign-in.\",\n        ),\n      );\n    }\n\n    const protocol: \"oidc\" | \"saml\" = args.params?.protocol ?? \"oidc\";\n    if (protocol !== \"oidc\" && protocol !== \"saml\") {\n      return yield* Fx.fail(\n        new AuthError(\n          \"SIGN_IN_MISSING_PARAMS\",\n          `Invalid SSO protocol: ${protocol as string}. Expected \"oidc\" or \"saml\".`,\n        ),\n      );\n    }\n\n    const verifier = yield* Fx.promise(() => callVerifier(ctx));\n    const siteUrl =\n      process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\");\n    const redirect = new URL(\n      `${siteUrl}/api/auth/sso/${enterpriseId}/${protocol}/signin`,\n    );\n    redirect.searchParams.set(\"code\", verifier);\n\n    if (typeof args.params?.redirectTo === \"string\") {\n      redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n    }\n\n    return {\n      kind: \"redirect\" as const,\n      redirect: redirect.toString(),\n      verifier,\n    };\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAoCA,MAAM,6CAA6C,OAAU;;AA6B7D,eAAsB,WACpB,KACA,UACA,MAOA,SAIuB;CACvB,MAAM,KAAK,SAAS,KAAK,UAAU,MAAM,QAAQ;AACjD,QAAO,GAAG,IACR,GAAG,KAAK,GAAG,SAAS,MAAM,GAAG,MAAO,EAAgB,eAAe,CAAC,CAAC,CAAC,CACvE;;;;;;;;AASH,SAAS,SACP,KACA,UACA,MAOA,SAIiC;AACjC,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,aAAa,QAAQ,KAAK,cAAc;GAC1C,MAAM,SAAS,OAAO,GAAG,cACvB,mBAAmB,KAAK,EAAE,cAAc,KAAK,cAAe,CAAC,CAC9D;AACD,OAAI,WAAW,KACb,QAAO;IAAE,MAAM;IAAqB,UAAU;IAAM;AAEtD,UAAO;IAAE,MAAM;IAA0B,UAAU,EAAE,QAAQ;IAAE;;AAIjE,MAAI,aAAa,QAAQ,KAAK,QAAQ,SAAS,OAS7C,QAAO;GAAE,MAAM;GAAqB,UARrB,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GACqD;EAIxD,MAAM,mBAAmB,OAAO,YAAY,OACxC,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK,IAAI,UAAU,yBAAyB,CAAC;AAGpD,SAAO,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,QAAQ;GAClD,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,cAAc,MAAM,oBAAoB,KAAK,GAAG,MAAM,QAAQ;GAC9D,QAAQ,MAAM,sBAAsB,KAAK,GAAG,MAAM,QAAQ;GAC1D,UAAU,MAAM,gBAAgB,KAAK,GAAG,KAAK;GAC7C,OAAO,MAAM,WAAW,KAAK,GAAG,KAAK;GACrC,SAAS,MAAM,aAAa,KAAK,GAAG,KAAK;GACzC,MAAM,OAAO,oBAAoB,KAAK,KAAK;GAC5C,CAAC;GACF;;AAOJ,SAAS,8BACP,KACA,UACA,MAIA,SAQA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,QAAW;GACnC,MAAM,SAAS,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,SAAS;IACnB,gBAAgB,QAAQ;IACxB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;AAID,UAAO;IACL,MAAM;IACN,UALe,OAAO,UAAU,OAC9B,GAAG,QAAQ,OAAO,GAClB,GAAG,KAAK,IAAI,UAAU,4BAA4B,CAAC;IAItD;;EAMH,MAAM,OAAO,SAAS,4BAClB,OAAO,GAAG,KAAK;GACb,IAAI,YAAY,SAAS,2BAA4B;GACrD,WACE,IAAI,UACF,kBACA,wCACD;GACJ,CAAC,GACF,qBAAqB,IAVvB,iEAUoC;EACtC,MAAM,iBACJ,KAAK,KAAK,IACT,SAAS,UAAU,8CAA8C;EAmBpE,MAAM,mBAAmB;GACvB,YAlBiB,OAAO,GAAG,cAC3B,2BAA2B,KAAK;IAC9B,UAAU,SAAS;IACnB,WAAW,KAAK;IAChB,OAAO,KAAK,QAAQ;IACpB,OAAO,KAAK,QAAQ;IACpB;IACA;IACA,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GASC,KAAK,kBARa,OAAO,GAAG,cAC5B,oBACE,IAAI,KAAK,QACR,KAAK,UAAU,EAAE,CACnB,CACF,EAGqC,QAAQ,KAAK;GACjD,OAAO;GACP,SAAS,IAAI,KAAK,eAAe;GAClC;AACD,SAAO,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ;GACnC,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KACE,GAAG;KACH,UAAU;KACV,SAAS,IAAI,QAAQ,mBAAmB;KACzC,EACD,IACD;IACH,WACE,IAAI,UAAU,kBAAkB,4BAA4B;IAC/D,CAAC;GACJ,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KAAE,GAAG;KAAkB,UAAU;KAAG,EACpC,IACD;IACH,WACE,IAAI,UAAU,kBAAkB,4BAA4B;IAC/D,CAAC;GACL,CAAC;AACF,SAAO;GAAE,MAAM;GAAoB,SAAS;GAAe;GAC3D;;AAOJ,SAAS,oBACP,KACA,UACA,MAGA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,SAAS,OAAO,GAAG,cACvB,SAAS,UAAU,KAAK,UAAU,EAAE,EAAE,IAAI,CAC3C;AACD,MAAI,WAAW,KACb,QAAO;GAAE,MAAM;GAAqB,UAAU;GAAM;AAQtD,MAJwB,OAAO,GAAG,QAAQ,YAAY;AAEpD,UADgB,MAAM,0BAA0B,KAAK,OAAO,OAAO,KAChD;IACnB,EACmB;AAEnB,UAAO,GAAG,cACR,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB;IACjB,CAAC,CACH;GAED,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,UAAO,GAAG,cACR,sBAAsB,KAAK;IACzB;IACA,WAAW,KAAK,UAAU,EAAE,QAAQ,OAAO,QAAQ,CAAC;IACrD,CAAC,CACH;AACD,UAAO;IAAE,MAAM;IAAyB;IAAU;;AAUpD,SAAO;GAAE,MAAM;GAAqB,UAPf,OAAO,GAAG,cAC7B,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB,QAAQ;IACzB,CAAC,CACH;GAC2D;GAC5D;;AAOJ,SAAS,sBACP,KACA,UACA,MAIA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,OASxB,QAAO;GACL,MAAM;GACN,UAVa,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GAIA;EAIH,MAAM,WAAW,IAAI,KAClB,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB,IAChE,oBAAoB,SAAS,KAChC;EACD,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,WAAS,aAAa,IAAI,QAAQ,SAAS;AAE3C,MAAI,KAAK,QAAQ,eAAe,QAAW;AACzC,UAAO,GAAG,MACR,OAAO,KAAK,OAAO,eAAe,UAClC,GAAG,KACD,IAAI,UACF,oBACA,+CAA+C,KAAK,OAAO,aAC5D,CACF,CACF;AACD,YAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;;AAGjE,SAAO;GACL,MAAM;GACN,UAAU,SAAS,UAAU;GAC7B;GACD;GACD;;AAOJ,SAAS,oBACP,KACA,MAG6E;AAC7E,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,eAAe,KAAK,QAAQ;AAClC,MAAI,CAAC,gBAAgB,OAAO,iBAAiB,SAC3C,QAAO,OAAO,GAAG,KACf,IAAI,UACF,0BACA,4CACD,CACF;EAGH,MAAM,WAA4B,KAAK,QAAQ,YAAY;AAC3D,MAAI,aAAa,UAAU,aAAa,OACtC,QAAO,OAAO,GAAG,KACf,IAAI,UACF,0BACA,yBAAyB,SAAmB,8BAC7C,CACF;EAGH,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;EAC3D,MAAM,UACJ,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB;EACnE,MAAM,WAAW,IAAI,IACnB,GAAG,QAAQ,gBAAgB,aAAa,GAAG,SAAS,SACrD;AACD,WAAS,aAAa,IAAI,QAAQ,SAAS;AAE3C,MAAI,OAAO,KAAK,QAAQ,eAAe,SACrC,UAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;AAGjE,SAAO;GACL,MAAM;GACN,UAAU,SAAS,UAAU;GAC7B;GACD;GACD"}
+{"version":3,"file":"signin.js","names":[],"sources":["../../src/server/signin.ts"],"sourcesContent":["import type { Fx as FxType } from \"@robelest/fx\";\nimport { Fx } from \"@robelest/fx\";\nimport { Cv } from \"@robelest/fx/convex\";\nimport { GenericId } from \"convex/values\";\nimport { ConvexError } from \"convex/values\";\n\nimport { handleDevice } from \"./device\";\nimport {\n  callCreateVerificationCode,\n  callRefreshSession,\n  callSignIn,\n  callVerifier,\n  callVerifierSignature,\n  callVerifyCodeAndSignIn,\n} from \"./mutations/index\";\nimport { handlePasskeyFx } from \"./passkey\";\nimport { redirectAbsoluteUrl, setURLSearchParam } from \"./redirects\";\nimport { handleTotp } from \"./totp\";\nimport {\n  AuthProviderMaterializedConfig,\n  ConvexCredentialsConfig,\n  EmailConfig,\n  GenericActionCtxWithAuthConfig,\n  PhoneConfig,\n} from \"./types\";\nimport {\n  AuthDataModel,\n  SessionInfo,\n  SessionInfoWithTokens,\n  Tokens,\n  queryTotpVerifiedByUserId,\n} from \"./types\";\nimport type { OAuthMaterializedConfig } from \"./types\";\nimport { generateRandomString } from \"./utils\";\nimport { requireEnv } from \"./utils\";\n\nconst DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 60 * 60 * 24; // 24 hours\n\ntype EnrichedActionCtx = GenericActionCtxWithAuthConfig<AuthDataModel>;\n\ntype SignInResult =\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"refreshTokens\"; signedIn: { tokens: Tokens } }\n  | { kind: \"started\"; started: true }\n  | { kind: \"redirect\"; redirect: string; verifier: string }\n  | { kind: \"passkeyOptions\"; options: Record<string, any>; verifier: string }\n  | { kind: \"totpRequired\"; verifier: string }\n  | {\n      kind: \"totpSetup\";\n      uri: string;\n      secret: string;\n      verifier: string;\n      totpId: string;\n    }\n  | {\n      kind: \"deviceCode\";\n      deviceCode: string;\n      userCode: string;\n      verificationUri: string;\n      verificationUriComplete: string;\n      expiresIn: number;\n      interval: number;\n    };\n\n/** @internal */\nexport async function signInImpl(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): Promise<SignInResult> {\n  const fx = signInFx(ctx, provider, args, options);\n  return Fx.run(fx.pipe(Fx.recover((e) => Fx.fatal(e))));\n}\n\n/**\n * Core sign-in pipeline as an Fx generator.\n *\n * Handles: refresh tokens, verification codes, then dispatches by\n * provider type using a dispatch map (no if-chain).\n */\nfunction signInFx(\n  ctx: EnrichedActionCtx,\n  provider: AuthProviderMaterializedConfig | null,\n  args: {\n    accountId?: GenericId<\"Account\">;\n    params?: Record<string, any>;\n    verifier?: string;\n    refreshToken?: string;\n    calledBy?: string;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<SignInResult, ConvexError<any>> {\n  return Fx.gen(function* () {\n    // --- Refresh token (no provider) ---\n    if (provider === null && args.refreshToken) {\n      const tokens = yield* Fx.promise(() =>\n        callRefreshSession(ctx, { refreshToken: args.refreshToken! }),\n      );\n      if (tokens === null) {\n        return { kind: \"signedIn\" as const, signedIn: null };\n      }\n      return { kind: \"refreshTokens\" as const, signedIn: { tokens } };\n    }\n\n    // --- Verify code (no provider, code present) ---\n    if (provider === null && args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return { kind: \"signedIn\" as const, signedIn: result };\n    }\n\n    // --- Provider is required past this point ---\n    const resolvedProvider = yield* provider != null\n      ? Fx.succeed(provider)\n      : Cv.fail({\n          code: \"SIGN_IN_MISSING_PARAMS\",\n          message: \"Cannot sign in: missing provider, code, or refresh token.\",\n        });\n\n    // --- Dispatch by provider type ---\n    return yield* Fx.match(resolvedProvider).on(\"type\", {\n      email: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      phone: (p) => handleEmailAndPhoneProviderFx(ctx, p, args, options),\n      credentials: (p) => handleCredentialsFx(ctx, p, args, options),\n      oauth: (p) => handleOAuthProviderFx(ctx, p, args, options),\n      passkey: (p) => handlePasskeyFx(ctx, p, args),\n      totp: (p) => handleTotp(ctx, p, args),\n      device: (p) => handleDevice(ctx, p, args),\n      sso: (_p) => handleSsoProviderFx(ctx, args),\n    });\n  });\n}\n\n// ============================================================================\n// Email / Phone\n// ============================================================================\n\nfunction handleEmailAndPhoneProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: EmailConfig | PhoneConfig,\n  args: {\n    params?: Record<string, any>;\n    accountId?: GenericId<\"Account\">;\n  },\n  options: {\n    generateTokens: boolean;\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"started\"; started: true }\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens },\n  ConvexError<any>\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          provider: provider.id,\n          generateTokens: options.generateTokens,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      const verified = yield* result != null\n        ? Fx.succeed(result)\n        : Cv.fail({\n            code: \"INVALID_VERIFICATION_CODE\",\n            message: \"Invalid or expired verification code.\",\n          });\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: verified as SessionInfoWithTokens,\n      };\n    }\n\n    // --- Send verification code path ---\n    const alphabet =\n      \"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\";\n    const code = provider.generateVerificationToken\n      ? yield* Fx.from({\n          ok: async () => provider.generateVerificationToken!(),\n          err: () =>\n            Cv.error({\n              code: \"INTERNAL_ERROR\",\n              message: \"Failed to generate verification token\",\n            }),\n        })\n      : generateRandomString(32, alphabet);\n    const expirationTime =\n      Date.now() +\n      (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1000;\n\n    const identifier = yield* Fx.promise(() =>\n      callCreateVerificationCode(ctx, {\n        provider: provider.id,\n        accountId: args.accountId,\n        email: args.params?.email,\n        phone: args.params?.phone,\n        code,\n        expirationTime,\n        allowExtraProviders: options.allowExtraProviders,\n      }),\n    );\n    const destination = yield* Fx.promise(() =>\n      redirectAbsoluteUrl(\n        ctx.auth.config,\n        (args.params ?? {}) as { redirectTo: unknown },\n      ),\n    );\n    const verificationArgs = {\n      identifier,\n      url: setURLSearchParam(destination, \"code\", code),\n      token: code,\n      expires: new Date(expirationTime),\n    };\n    yield* Fx.match(provider).on(\"type\", {\n      email: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              {\n                ...verificationArgs,\n                provider: p,\n                request: new Request(\"http://localhost\"),\n              },\n              ctx,\n            ),\n          err: () =>\n            Cv.error({\n              code: \"INTERNAL_ERROR\",\n              message: \"Failed to send email code\",\n            }),\n        }),\n      phone: (p) =>\n        Fx.from({\n          ok: async () =>\n            p.sendVerificationRequest(\n              { ...verificationArgs, provider: p },\n              ctx,\n            ),\n          err: () =>\n            Cv.error({\n              code: \"INTERNAL_ERROR\",\n              message: \"Failed to send phone code\",\n            }),\n        }),\n    });\n    return { kind: \"started\" as const, started: true as const };\n  });\n}\n\n// ============================================================================\n// Credentials\n// ============================================================================\n\nfunction handleCredentialsFx(\n  ctx: EnrichedActionCtx,\n  provider: ConvexCredentialsConfig,\n  args: {\n    params?: Record<string, any>;\n  },\n  options: {\n    generateTokens: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfo | null }\n  | { kind: \"totpRequired\"; verifier: string },\n  ConvexError<any>\n> {\n  return Fx.gen(function* () {\n    const result = yield* Fx.promise(() =>\n      provider.authorize(args.params ?? {}, ctx),\n    );\n    if (result === null) {\n      return { kind: \"signedIn\" as const, signedIn: null };\n    }\n\n    // Check if user has TOTP 2FA enrolled before issuing tokens\n    const hasTotpEnrolled = yield* Fx.promise(async () => {\n      const totpDoc = await queryTotpVerifiedByUserId(ctx, result.userId);\n      return totpDoc !== null;\n    });\n    if (hasTotpEnrolled) {\n      // Create session but withhold tokens — TOTP verification needed\n      yield* Fx.promise(() =>\n        callSignIn(ctx, {\n          userId: result.userId,\n          sessionId: result.sessionId,\n          generateTokens: false,\n        }),\n      );\n      // Store userId in verifier so the TOTP verify flow can complete sign-in\n      const verifier = yield* Fx.promise(() => callVerifier(ctx));\n      yield* Fx.promise(() =>\n        callVerifierSignature(ctx, {\n          verifier,\n          signature: JSON.stringify({ userId: result.userId }),\n        }),\n      );\n      return { kind: \"totpRequired\" as const, verifier };\n    }\n\n    const idsAndTokens = yield* Fx.promise(() =>\n      callSignIn(ctx, {\n        userId: result.userId,\n        sessionId: result.sessionId,\n        generateTokens: options.generateTokens,\n      }),\n    );\n    return { kind: \"signedIn\" as const, signedIn: idsAndTokens };\n  });\n}\n\n// ============================================================================\n// OAuth\n// ============================================================================\n\nfunction handleOAuthProviderFx(\n  ctx: EnrichedActionCtx,\n  provider: OAuthMaterializedConfig,\n  args: {\n    params?: Record<string, any>;\n    verifier?: string;\n  },\n  options: {\n    allowExtraProviders: boolean;\n  },\n): FxType<\n  | { kind: \"signedIn\"; signedIn: SessionInfoWithTokens | null }\n  | { kind: \"redirect\"; redirect: string; verifier: string },\n  ConvexError<any>\n> {\n  return Fx.gen(function* () {\n    // --- Code verification path ---\n    if (args.params?.code !== undefined) {\n      const result = yield* Fx.promise(() =>\n        callVerifyCodeAndSignIn(ctx, {\n          params: args.params,\n          verifier: args.verifier,\n          generateTokens: true,\n          allowExtraProviders: options.allowExtraProviders,\n        }),\n      );\n      return {\n        kind: \"signedIn\" as const,\n        signedIn: result as SessionInfoWithTokens | null,\n      };\n    }\n\n    // --- Build redirect URL ---\n    const redirect = new URL(\n      (process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\")) +\n        `/api/auth/signin/${provider.id}`,\n    );\n    const verifier = yield* Fx.promise(() => callVerifier(ctx));\n    redirect.searchParams.set(\"code\", verifier);\n\n    if (args.params?.redirectTo !== undefined) {\n      yield* Fx.guard(\n        typeof args.params.redirectTo !== \"string\",\n        Cv.fail({\n          code: \"INVALID_REDIRECT\",\n          message: `Expected \\`redirectTo\\` to be a string, got ${args.params.redirectTo}`,\n        }),\n      );\n      redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n    }\n\n    return {\n      kind: \"redirect\" as const,\n      redirect: redirect.toString(),\n      verifier,\n    };\n  });\n}\n\n// ============================================================================\n// SSO (Enterprise OIDC / SAML)\n// ============================================================================\n\nfunction handleSsoProviderFx(\n  ctx: EnrichedActionCtx,\n  args: {\n    params?: Record<string, any>;\n  },\n): FxType<\n  { kind: \"redirect\"; redirect: string; verifier: string },\n  ConvexError<any>\n> {\n  return Fx.gen(function* () {\n    const enterpriseId = args.params?.enterpriseId;\n    if (!enterpriseId || typeof enterpriseId !== \"string\") {\n      return yield* Cv.fail({\n        code: \"SIGN_IN_MISSING_PARAMS\",\n        message: \"enterpriseId is required for SSO sign-in.\",\n      });\n    }\n\n    const protocol: \"oidc\" | \"saml\" = args.params?.protocol ?? \"oidc\";\n    if (protocol !== \"oidc\" && protocol !== \"saml\") {\n      return yield* Cv.fail({\n        code: \"SIGN_IN_MISSING_PARAMS\",\n        message: `Invalid SSO protocol: ${protocol as string}. Expected \"oidc\" or \"saml\".`,\n      });\n    }\n\n    const verifier = yield* Fx.promise(() => callVerifier(ctx));\n    const siteUrl =\n      process.env.CUSTOM_AUTH_SITE_URL ?? requireEnv(\"CONVEX_SITE_URL\");\n    const redirect = new URL(\n      `${siteUrl}/api/auth/sso/${enterpriseId}/${protocol}/signin`,\n    );\n    redirect.searchParams.set(\"code\", verifier);\n\n    if (typeof args.params?.redirectTo === \"string\") {\n      redirect.searchParams.set(\"redirectTo\", args.params.redirectTo);\n    }\n\n    return {\n      kind: \"redirect\" as const,\n      redirect: redirect.toString(),\n      verifier,\n    };\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAoCA,MAAM,6CAA6C,OAAU;;AA6B7D,eAAsB,WACpB,KACA,UACA,MAOA,SAIuB;CACvB,MAAM,KAAK,SAAS,KAAK,UAAU,MAAM,QAAQ;AACjD,QAAO,GAAG,IAAI,GAAG,KAAK,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC;;;;;;;;AASxD,SAAS,SACP,KACA,UACA,MAOA,SAIwC;AACxC,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,aAAa,QAAQ,KAAK,cAAc;GAC1C,MAAM,SAAS,OAAO,GAAG,cACvB,mBAAmB,KAAK,EAAE,cAAc,KAAK,cAAe,CAAC,CAC9D;AACD,OAAI,WAAW,KACb,QAAO;IAAE,MAAM;IAAqB,UAAU;IAAM;AAEtD,UAAO;IAAE,MAAM;IAA0B,UAAU,EAAE,QAAQ;IAAE;;AAIjE,MAAI,aAAa,QAAQ,KAAK,QAAQ,SAAS,OAS7C,QAAO;GAAE,MAAM;GAAqB,UARrB,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GACqD;EAIxD,MAAM,mBAAmB,OAAO,YAAY,OACxC,GAAG,QAAQ,SAAS,GACpB,GAAG,KAAK;GACN,MAAM;GACN,SAAS;GACV,CAAC;AAGN,SAAO,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,QAAQ;GAClD,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,QAAQ,MAAM,8BAA8B,KAAK,GAAG,MAAM,QAAQ;GAClE,cAAc,MAAM,oBAAoB,KAAK,GAAG,MAAM,QAAQ;GAC9D,QAAQ,MAAM,sBAAsB,KAAK,GAAG,MAAM,QAAQ;GAC1D,UAAU,MAAM,gBAAgB,KAAK,GAAG,KAAK;GAC7C,OAAO,MAAM,WAAW,KAAK,GAAG,KAAK;GACrC,SAAS,MAAM,aAAa,KAAK,GAAG,KAAK;GACzC,MAAM,OAAO,oBAAoB,KAAK,KAAK;GAC5C,CAAC;GACF;;AAOJ,SAAS,8BACP,KACA,UACA,MAIA,SAQA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,QAAW;GACnC,MAAM,SAAS,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,SAAS;IACnB,gBAAgB,QAAQ;IACxB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;AAOD,UAAO;IACL,MAAM;IACN,UARe,OAAO,UAAU,OAC9B,GAAG,QAAQ,OAAO,GAClB,GAAG,KAAK;KACN,MAAM;KACN,SAAS;KACV,CAAC;IAIL;;EAMH,MAAM,OAAO,SAAS,4BAClB,OAAO,GAAG,KAAK;GACb,IAAI,YAAY,SAAS,2BAA4B;GACrD,WACE,GAAG,MAAM;IACP,MAAM;IACN,SAAS;IACV,CAAC;GACL,CAAC,GACF,qBAAqB,IAVvB,iEAUoC;EACtC,MAAM,iBACJ,KAAK,KAAK,IACT,SAAS,UAAU,8CAA8C;EAmBpE,MAAM,mBAAmB;GACvB,YAlBiB,OAAO,GAAG,cAC3B,2BAA2B,KAAK;IAC9B,UAAU,SAAS;IACnB,WAAW,KAAK;IAChB,OAAO,KAAK,QAAQ;IACpB,OAAO,KAAK,QAAQ;IACpB;IACA;IACA,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GASC,KAAK,kBARa,OAAO,GAAG,cAC5B,oBACE,IAAI,KAAK,QACR,KAAK,UAAU,EAAE,CACnB,CACF,EAGqC,QAAQ,KAAK;GACjD,OAAO;GACP,SAAS,IAAI,KAAK,eAAe;GAClC;AACD,SAAO,GAAG,MAAM,SAAS,CAAC,GAAG,QAAQ;GACnC,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KACE,GAAG;KACH,UAAU;KACV,SAAS,IAAI,QAAQ,mBAAmB;KACzC,EACD,IACD;IACH,WACE,GAAG,MAAM;KACP,MAAM;KACN,SAAS;KACV,CAAC;IACL,CAAC;GACJ,QAAQ,MACN,GAAG,KAAK;IACN,IAAI,YACF,EAAE,wBACA;KAAE,GAAG;KAAkB,UAAU;KAAG,EACpC,IACD;IACH,WACE,GAAG,MAAM;KACP,MAAM;KACN,SAAS;KACV,CAAC;IACL,CAAC;GACL,CAAC;AACF,SAAO;GAAE,MAAM;GAAoB,SAAS;GAAe;GAC3D;;AAOJ,SAAS,oBACP,KACA,UACA,MAGA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,SAAS,OAAO,GAAG,cACvB,SAAS,UAAU,KAAK,UAAU,EAAE,EAAE,IAAI,CAC3C;AACD,MAAI,WAAW,KACb,QAAO;GAAE,MAAM;GAAqB,UAAU;GAAM;AAQtD,MAJwB,OAAO,GAAG,QAAQ,YAAY;AAEpD,UADgB,MAAM,0BAA0B,KAAK,OAAO,OAAO,KAChD;IACnB,EACmB;AAEnB,UAAO,GAAG,cACR,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB;IACjB,CAAC,CACH;GAED,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,UAAO,GAAG,cACR,sBAAsB,KAAK;IACzB;IACA,WAAW,KAAK,UAAU,EAAE,QAAQ,OAAO,QAAQ,CAAC;IACrD,CAAC,CACH;AACD,UAAO;IAAE,MAAM;IAAyB;IAAU;;AAUpD,SAAO;GAAE,MAAM;GAAqB,UAPf,OAAO,GAAG,cAC7B,WAAW,KAAK;IACd,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,gBAAgB,QAAQ;IACzB,CAAC,CACH;GAC2D;GAC5D;;AAOJ,SAAS,sBACP,KACA,UACA,MAIA,SAOA;AACA,QAAO,GAAG,IAAI,aAAa;AAEzB,MAAI,KAAK,QAAQ,SAAS,OASxB,QAAO;GACL,MAAM;GACN,UAVa,OAAO,GAAG,cACvB,wBAAwB,KAAK;IAC3B,QAAQ,KAAK;IACb,UAAU,KAAK;IACf,gBAAgB;IAChB,qBAAqB,QAAQ;IAC9B,CAAC,CACH;GAIA;EAIH,MAAM,WAAW,IAAI,KAClB,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB,IAChE,oBAAoB,SAAS,KAChC;EACD,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;AAC3D,WAAS,aAAa,IAAI,QAAQ,SAAS;AAE3C,MAAI,KAAK,QAAQ,eAAe,QAAW;AACzC,UAAO,GAAG,MACR,OAAO,KAAK,OAAO,eAAe,UAClC,GAAG,KAAK;IACN,MAAM;IACN,SAAS,+CAA+C,KAAK,OAAO;IACrE,CAAC,CACH;AACD,YAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;;AAGjE,SAAO;GACL,MAAM;GACN,UAAU,SAAS,UAAU;GAC7B;GACD;GACD;;AAOJ,SAAS,oBACP,KACA,MAMA;AACA,QAAO,GAAG,IAAI,aAAa;EACzB,MAAM,eAAe,KAAK,QAAQ;AAClC,MAAI,CAAC,gBAAgB,OAAO,iBAAiB,SAC3C,QAAO,OAAO,GAAG,KAAK;GACpB,MAAM;GACN,SAAS;GACV,CAAC;EAGJ,MAAM,WAA4B,KAAK,QAAQ,YAAY;AAC3D,MAAI,aAAa,UAAU,aAAa,OACtC,QAAO,OAAO,GAAG,KAAK;GACpB,MAAM;GACN,SAAS,yBAAyB,SAAmB;GACtD,CAAC;EAGJ,MAAM,WAAW,OAAO,GAAG,cAAc,aAAa,IAAI,CAAC;EAC3D,MAAM,UACJ,QAAQ,IAAI,wBAAwB,WAAW,kBAAkB;EACnE,MAAM,WAAW,IAAI,IACnB,GAAG,QAAQ,gBAAgB,aAAa,GAAG,SAAS,SACrD;AACD,WAAS,aAAa,IAAI,QAAQ,SAAS;AAE3C,MAAI,OAAO,KAAK,QAAQ,eAAe,SACrC,UAAS,aAAa,IAAI,cAAc,KAAK,OAAO,WAAW;AAGjE,SAAO;GACL,MAAM;GACN,UAAU,SAAS,UAAU;GAC7B;GACD;GACD"}

package/dist/server/ssr.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ssr.d.ts","names":[],"sources":["../../src/server/ssr.ts"],"mappings":";;KAkBY,gBAAA;EAAgB,6DAE1B,MAAA;AAAA;;KAIU,WAAA;EAAW,mDAErB,KAAA,iBAFqB;EAIrB,YAAA;EAEA,QAAA;AAAA;;KAIU,UAAA;EACV,IAAA;EACA,KAAA;EACA,OAAA;IACE,IAAA;IACA,QAAA;IACA,MAAA;IACA,QAAA;IACA,MAAA;IACA,OAAA,GAAU,IAAA;EAAA;AAAA;;;;KAOF,aAAA;EAAA,wEAEV,GAAA;;;;;;;EAOA,eAAA;EAkBA;;;;;;EAXA,QAAA,WA+BU;EA7BV,YAAA;EAEA,OAAA;EA8BI;;;;;;EAvBJ,eAAA;EAiCS;;AAkBX;;;;;;;EAzCE,gBAAA,KACM,OAAA,EAAS,OAAA,eAAsB,OAAA;AAAA;;;AA8DvC;;;KArDY,aAAA;EAsDV,yEAnDI,QAAA,QAqDJ;EAnDI,QAAA,EAAU,QAAA;AAAA;EAoDF,sDAhDR,QAAA,SAqE8B;EAnE9B,OAAA,EAAS,UAAA,IAsE8B;EApEvC,KAAA;AAAA;;;;;;;AAgHN;;;;iBA9FgB,eAAA,CACd,IAAA,WACA,eAAA;;;;;;;;;;;;;iBAoBc,gBAAA,CACd,YAAA,6BACA,IAAA,WACA,eAAA,mBACC,WAAA;;;;;AA0QH;;;;;;;iBArPgB,oBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,EACR,eAAA;;;;;;;;;;;;;iBA2Cc,qBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,EACR,eAAA,mBACC,UAAA;;;;;;;;;;;;;iBAuDa,qBAAA,CAAsB,QAAA,UAAkB,QAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA0IxC,MAAA,CAAO,OAAA,EAAS,aAAA;;;;;;;iBAqBb,OAAA;;;;;;;;;;kBAiBO,OAAA,GAAU,OAAA;;;;;;;;;;;;iBAoCX,OAAA,GAAU,OAAA,CAAQ,QAAA;;;;;;;;;;;;;;mBA+iBhB,OAAA,GAAU,OAAA,CAAQ,aAAA;AAAA"}
+{"version":3,"file":"ssr.d.ts","names":[],"sources":["../../src/server/ssr.ts"],"mappings":";;KAkBY,gBAAA;EAAgB,6DAE1B,MAAA;AAAA;;KAIU,WAAA;EAAW,mDAErB,KAAA,iBAFqB;EAIrB,YAAA;EAEA,QAAA;AAAA;;KAIU,UAAA;EACV,IAAA;EACA,KAAA;EACA,OAAA;IACE,IAAA;IACA,QAAA;IACA,MAAA;IACA,QAAA;IACA,MAAA;IACA,OAAA,GAAU,IAAA;EAAA;AAAA;;;;KAOF,aAAA;EAAA,wEAEV,GAAA;;;;;;;EAOA,eAAA;EAkBA;;;;;;EAXA,QAAA,WA+BU;EA7BV,YAAA;EAEA,OAAA;EA8BI;;;;;;EAvBJ,eAAA;EAiCS;;AAkBX;;;;;;;EAzCE,gBAAA,KACM,OAAA,EAAS,OAAA,eAAsB,OAAA;AAAA;;;AA8DvC;;;KArDY,aAAA;EAsDV,yEAnDI,QAAA,QAqDJ;EAnDI,QAAA,EAAU,QAAA;AAAA;EAoDF,sDAhDR,QAAA,SAqE8B;EAnE9B,OAAA,EAAS,UAAA,IAsE8B;EApEvC,KAAA;AAAA;;;;;;;AAgHN;;;;iBA9FgB,eAAA,CACd,IAAA,WACA,eAAA;;;;;;;;;;;;;iBAoBc,gBAAA,CACd,YAAA,6BACA,IAAA,WACA,eAAA,mBACC,WAAA;;;;;AA0QH;;;;;;;iBArPgB,oBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,EACR,eAAA;;;;;;;;;;;;;iBA2Cc,qBAAA,CACd,OAAA,EAAS,WAAA,EACT,IAAA,WACA,MAAA,GAAQ,gBAAA,EACR,eAAA,mBACC,UAAA;;;;;;;;;;;;;iBAuDa,qBAAA,CAAsB,QAAA,UAAkB,QAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA0IxC,MAAA,CAAO,OAAA,EAAS,aAAA;;;;;;;iBAqBb,OAAA;;;;;;;;;;kBAiBO,OAAA,GAAU,OAAA;;;;;;;;;;;;iBAoCX,OAAA,GAAU,OAAA,CAAQ,QAAA;;;;;;;;;;;;;;mBA8hBhB,OAAA,GAAU,OAAA,CAAQ,aAAA;AAAA"}

package/dist/server/ssr.js

@@ -310,204 +310,195 @@ function server(options) {
 			const host = request.headers.get("host") ?? new URL(request.url).host;
 			const currentCookies = parseAuthCookies(request.headers.get("cookie"), host, cookieNamespace);
 			return Fx.run(Fx.match(actionDispatch, actionDispatch.action, {
-				sessionStart: (_) => Fx.from({
-					ok: async () => {
-						const refreshDispatch = args.refreshToken === void 0 ? { kind: "passthrough" } : currentCookies.refreshToken === null ? { kind: "refreshRequestedWithoutCookie" } : {
-							kind: "hydrateRefreshFromCookie",
-							refreshToken: currentCookies.refreshToken
-						};
-						const refreshResponse = await Fx.run(Fx.match(refreshDispatch, refreshDispatch.kind, {
-							passthrough: async () => null,
-							hydrateRefreshFromCookie: async ({ refreshToken }) => {
-								args.refreshToken = refreshToken;
-								return null;
-							},
-							refreshRequestedWithoutCookie: async () => {
-								const currentToken = currentCookies.token;
-								const decodedToken = currentToken === null ? null : await Fx.run(Fx.attempt(async () => jwtDecode(currentToken), (decoded) => decoded, () => null));
-								const tokenDispatch = currentToken !== null && decodedToken?.exp !== void 0 && decodedToken.iss !== void 0 && acceptedIssuers.has(normalizeIssuer(decodedToken.iss)) && decodedToken.exp * 1e3 > Date.now() ? {
-									kind: "validToken",
-									token: currentToken
-								} : { kind: "missingToken" };
-								return await Fx.run(Fx.match(tokenDispatch, tokenDispatch.kind, {
-									validToken: ({ token }) => new Response(JSON.stringify({ tokens: {
-										token,
-										refreshToken: "dummy"
-									} }), {
-										status: 200,
-										headers: { "Content-Type": "application/json" }
-									}),
-									missingToken: () => new Response(JSON.stringify({ tokens: null }), {
-										status: 200,
-										headers: { "Content-Type": "application/json" }
-									})
-								}));
-							}
-						}));
-						const refreshDecision = refreshResponse !== null ? {
-							kind: "shortCircuit",
-							response: refreshResponse
-						} : { kind: "continue" };
-						const maybeShortCircuitResponse = await Fx.run(Fx.match(refreshDecision, refreshDecision.kind, {
-							shortCircuit: ({ response }) => response,
-							continue: () => null
-						}));
-						if (maybeShortCircuitResponse !== null) return maybeShortCircuitResponse;
-						const client = new ConvexHttpClient(convexUrl);
-						const authDispatch = args.refreshToken === void 0 && args.params?.code === void 0 && currentCookies.token !== null ? {
-							kind: "attachAuth",
-							token: currentCookies.token
-						} : { kind: "skipAuth" };
-						await Fx.run(Fx.match(authDispatch, authDispatch.kind, {
-							attachAuth: ({ token }) => {
-								client.setAuth(token);
-							},
-							skipAuth: () => void 0
-						}));
-						return Fx.run(Fx.from({
-							ok: () => client.action(signInActionRef, args),
-							err: (error) => error
-						}).pipe(Fx.fold({
-							ok: (result) => Fx.run(Fx.match(result, result.kind, {
-								redirect: (redirectResult) => {
-									const response = new Response(JSON.stringify({
-										kind: "redirect",
-										redirect: redirectResult.redirect,
-										verifier: redirectResult.verifier
-									}), {
-										status: 200,
-										headers: { "Content-Type": "application/json" }
-									});
-									for (const value of serializeAuthCookies({
-										...currentCookies,
-										verifier: redirectResult.verifier
-									}, host, cookieConfig, cookieNamespace)) response.headers.append("Set-Cookie", value);
-									return Fx.succeed(response);
-								},
-								signedIn: (signedInResult) => {
-									const response = new Response(JSON.stringify({
-										kind: "signedIn",
-										tokens: signedInResult.tokens === null ? null : {
-											token: signedInResult.tokens.token,
-											refreshToken: "dummy"
-										}
-									}), {
-										status: 200,
-										headers: { "Content-Type": "application/json" }
-									});
-									for (const value of serializeAuthCookies({
-										token: signedInResult.tokens?.token ?? null,
-										refreshToken: signedInResult.tokens?.refreshToken ?? null,
-										verifier: null
-									}, host, cookieConfig, cookieNamespace)) response.headers.append("Set-Cookie", value);
-									return Fx.succeed(response);
-								},
-								started: (startedResult) => Fx.succeed(new Response(JSON.stringify(startedResult), {
-									status: 200,
-									headers: { "Content-Type": "application/json" }
-								})),
-								passkeyOptions: (passkeyOptionsResult) => Fx.succeed(new Response(JSON.stringify(passkeyOptionsResult), {
+				sessionStart: (_) => Fx.promise(async () => {
+					const refreshDispatch = args.refreshToken === void 0 ? { kind: "passthrough" } : currentCookies.refreshToken === null ? { kind: "refreshRequestedWithoutCookie" } : {
+						kind: "hydrateRefreshFromCookie",
+						refreshToken: currentCookies.refreshToken
+					};
+					const refreshResponse = await Fx.run(Fx.match(refreshDispatch, refreshDispatch.kind, {
+						passthrough: async () => null,
+						hydrateRefreshFromCookie: async ({ refreshToken }) => {
+							args.refreshToken = refreshToken;
+							return null;
+						},
+						refreshRequestedWithoutCookie: async () => {
+							const currentToken = currentCookies.token;
+							const decodedToken = currentToken === null ? null : await Fx.run(Fx.attempt(async () => jwtDecode(currentToken), (decoded) => decoded, () => null));
+							const tokenDispatch = currentToken !== null && decodedToken?.exp !== void 0 && decodedToken.iss !== void 0 && acceptedIssuers.has(normalizeIssuer(decodedToken.iss)) && decodedToken.exp * 1e3 > Date.now() ? {
+								kind: "validToken",
+								token: currentToken
+							} : { kind: "missingToken" };
+							return await Fx.run(Fx.match(tokenDispatch, tokenDispatch.kind, {
+								validToken: ({ token }) => new Response(JSON.stringify({ tokens: {
+									token,
+									refreshToken: "dummy"
+								} }), {
 									status: 200,
 									headers: { "Content-Type": "application/json" }
-								})),
-								totpRequired: (totpRequiredResult) => Fx.succeed(new Response(JSON.stringify(totpRequiredResult), {
+								}),
+								missingToken: () => new Response(JSON.stringify({ tokens: null }), {
 									status: 200,
 									headers: { "Content-Type": "application/json" }
-								})),
-								totpSetup: (totpSetupResult) => Fx.succeed(new Response(JSON.stringify(totpSetupResult), {
+								})
+							}));
+						}
+					}));
+					const refreshDecision = refreshResponse !== null ? {
+						kind: "shortCircuit",
+						response: refreshResponse
+					} : { kind: "continue" };
+					const maybeShortCircuitResponse = await Fx.run(Fx.match(refreshDecision, refreshDecision.kind, {
+						shortCircuit: ({ response }) => response,
+						continue: () => null
+					}));
+					if (maybeShortCircuitResponse !== null) return maybeShortCircuitResponse;
+					const client = new ConvexHttpClient(convexUrl);
+					const authDispatch = args.refreshToken === void 0 && args.params?.code === void 0 && currentCookies.token !== null ? {
+						kind: "attachAuth",
+						token: currentCookies.token
+					} : { kind: "skipAuth" };
+					await Fx.run(Fx.match(authDispatch, authDispatch.kind, {
+						attachAuth: ({ token }) => {
+							client.setAuth(token);
+						},
+						skipAuth: () => void 0
+					}));
+					return Fx.run(Fx.from({
+						ok: () => client.action(signInActionRef, args),
+						err: (error) => error
+					}).pipe(Fx.fold({
+						ok: (result) => Fx.run(Fx.match(result, result.kind, {
+							redirect: (redirectResult) => {
+								const response = new Response(JSON.stringify({
+									kind: "redirect",
+									redirect: redirectResult.redirect,
+									verifier: redirectResult.verifier
+								}), {
 									status: 200,
 									headers: { "Content-Type": "application/json" }
-								})),
-								deviceCode: (deviceCodeResult) => Fx.succeed(new Response(JSON.stringify(deviceCodeResult), {
+								});
+								for (const value of serializeAuthCookies({
+									...currentCookies,
+									verifier: redirectResult.verifier
+								}, host, cookieConfig, cookieNamespace)) response.headers.append("Set-Cookie", value);
+								return Fx.succeed(response);
+							},
+							signedIn: (signedInResult) => {
+								const response = new Response(JSON.stringify({
+									kind: "signedIn",
+									tokens: signedInResult.tokens === null ? null : {
+										token: signedInResult.tokens.token,
+										refreshToken: "dummy"
+									}
+								}), {
 									status: 200,
 									headers: { "Content-Type": "application/json" }
-								}))
-							})),
-							err: (error) => {
-								const errorBody = error instanceof ConvexError && typeof error.data === "object" && error.data !== null && "code" in error.data ? {
-									error: error.data.message ?? String(error),
-									authError: error.data
-								} : { error: error instanceof Error ? error.message : String(error) };
-								const response = new Response(JSON.stringify(errorBody), {
-									status: 400,
-									headers: { "Content-Type": "application/json" }
 								});
-								const clearSession = args.refreshToken !== void 0 && error instanceof ConvexError && typeof error.data === "object" && error.data !== null && error.data.code === "INVALID_REFRESH_TOKEN";
 								for (const value of serializeAuthCookies({
-									token: clearSession ? null : currentCookies.token,
-									refreshToken: clearSession ? null : currentCookies.refreshToken,
+									token: signedInResult.tokens?.token ?? null,
+									refreshToken: signedInResult.tokens?.refreshToken ?? null,
 									verifier: null
 								}, host, cookieConfig, cookieNamespace)) response.headers.append("Set-Cookie", value);
-								return response;
-							}
-						})));
-					},
-					err: (e) => e
-				}),
-				sessionStop: (_) => Fx.from({
-					ok: async () => {
-						await Fx.run(Fx.from({
-							ok: () => (() => {
-								const client = new ConvexHttpClient(convexUrl);
-								if (currentCookies.token !== null) client.setAuth(currentCookies.token);
-								return client.action(signOutActionRef);
-							})(),
-							err: (error) => error
-						}).pipe(Fx.recover((error) => {
-							console.error("[convex-auth/server] proxy sign-out failed", error);
-							const fallbackDispatch = currentCookies.refreshToken !== null ? {
-								kind: "attemptFallback",
-								refreshToken: currentCookies.refreshToken
-							} : { kind: "skipFallback" };
-							return Fx.match(fallbackDispatch, fallbackDispatch.kind, {
-								attemptFallback: ({ refreshToken }) => Fx.from({
-									ok: async () => {
-										const refreshed = await new ConvexHttpClient(convexUrl).action(signInActionRef, { refreshToken });
-										const refreshedTokens = await Fx.run(Fx.match(refreshed, refreshed.kind, {
-											signedIn: (signedInResult) => Fx.succeed(signedInResult.tokens),
-											redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
-											started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
-											passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
-											totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
-											totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
-											deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh"))
-										}));
-										const fallbackSignOutDispatch = refreshedTokens !== null ? {
-											kind: "signOutWithRefreshed",
-											token: refreshedTokens.token
-										} : { kind: "skipRefreshedSignOut" };
-										await Fx.run(Fx.match(fallbackSignOutDispatch, fallbackSignOutDispatch.kind, {
-											signOutWithRefreshed: ({ token }) => Fx.from({
-												ok: async () => {
-													const client = new ConvexHttpClient(convexUrl);
-													client.setAuth(token);
-													await client.action(signOutActionRef);
-												},
-												err: (error$1) => error$1
-											}),
-											skipRefreshedSignOut: () => Fx.succeed(void 0)
-										}));
-									},
-									err: (fallbackError) => fallbackError
-								}).pipe(Fx.recover((fallbackError) => {
-									console.error("[convex-auth/server] proxy sign-out fallback failed", fallbackError);
-									return Fx.succeed(void 0);
-								})),
-								skipFallback: () => Fx.succeed(void 0)
+								return Fx.succeed(response);
+							},
+							started: (startedResult) => Fx.succeed(new Response(JSON.stringify(startedResult), {
+								status: 200,
+								headers: { "Content-Type": "application/json" }
+							})),
+							passkeyOptions: (passkeyOptionsResult) => Fx.succeed(new Response(JSON.stringify(passkeyOptionsResult), {
+								status: 200,
+								headers: { "Content-Type": "application/json" }
+							})),
+							totpRequired: (totpRequiredResult) => Fx.succeed(new Response(JSON.stringify(totpRequiredResult), {
+								status: 200,
+								headers: { "Content-Type": "application/json" }
+							})),
+							totpSetup: (totpSetupResult) => Fx.succeed(new Response(JSON.stringify(totpSetupResult), {
+								status: 200,
+								headers: { "Content-Type": "application/json" }
+							})),
+							deviceCode: (deviceCodeResult) => Fx.succeed(new Response(JSON.stringify(deviceCodeResult), {
+								status: 200,
+								headers: { "Content-Type": "application/json" }
+							}))
+						})),
+						err: (error) => {
+							const errorBody = error instanceof ConvexError && typeof error.data === "object" && error.data !== null && "code" in error.data ? {
+								error: error.data.message ?? String(error),
+								authError: error.data
+							} : { error: error instanceof Error ? error.message : String(error) };
+							const response = new Response(JSON.stringify(errorBody), {
+								status: 400,
+								headers: { "Content-Type": "application/json" }
 							});
-						}), Fx.map(() => void 0)));
-						const response = new Response(JSON.stringify(null), {
-							status: 200,
-							headers: { "Content-Type": "application/json" }
+							const clearSession = args.refreshToken !== void 0 && error instanceof ConvexError && typeof error.data === "object" && error.data !== null && error.data.code === "INVALID_REFRESH_TOKEN";
+							for (const value of serializeAuthCookies({
+								token: clearSession ? null : currentCookies.token,
+								refreshToken: clearSession ? null : currentCookies.refreshToken,
+								verifier: null
+							}, host, cookieConfig, cookieNamespace)) response.headers.append("Set-Cookie", value);
+							return response;
+						}
+					})));
+				}),
+				sessionStop: (_) => Fx.promise(async () => {
+					await Fx.run(Fx.from({
+						ok: () => (() => {
+							const client = new ConvexHttpClient(convexUrl);
+							if (currentCookies.token !== null) client.setAuth(currentCookies.token);
+							return client.action(signOutActionRef);
+						})(),
+						err: (error) => error
+					}).pipe(Fx.recover((error) => {
+						console.error("[convex-auth/server] proxy sign-out failed", error);
+						const fallbackDispatch = currentCookies.refreshToken !== null ? {
+							kind: "attemptFallback",
+							refreshToken: currentCookies.refreshToken
+						} : { kind: "skipFallback" };
+						return Fx.match(fallbackDispatch, fallbackDispatch.kind, {
+							attemptFallback: ({ refreshToken }) => Fx.from({
+								ok: async () => {
+									const refreshed = await new ConvexHttpClient(convexUrl).action(signInActionRef, { refreshToken });
+									const refreshedTokens = await Fx.run(Fx.match(refreshed, refreshed.kind, {
+										signedIn: (signedInResult) => Fx.succeed(signedInResult.tokens),
+										redirect: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
+										started: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
+										passkeyOptions: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
+										totpRequired: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
+										totpSetup: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh")),
+										deviceCode: () => Fx.fatal(/* @__PURE__ */ new Error("Invalid `auth:signIn` result for sign-out fallback refresh"))
+									}));
+									const fallbackSignOutDispatch = refreshedTokens !== null ? {
+										kind: "signOutWithRefreshed",
+										token: refreshedTokens.token
+									} : { kind: "skipRefreshedSignOut" };
+									await Fx.run(Fx.match(fallbackSignOutDispatch, fallbackSignOutDispatch.kind, {
+										signOutWithRefreshed: ({ token }) => Fx.promise(async () => {
+											const client = new ConvexHttpClient(convexUrl);
+											client.setAuth(token);
+											await client.action(signOutActionRef);
+										}),
+										skipRefreshedSignOut: () => Fx.succeed(void 0)
+									}));
+								},
+								err: (error$1) => error$1
+							}).pipe(Fx.recover((fallbackError) => {
+								console.error("[convex-auth/server] proxy sign-out fallback failed", fallbackError);
+								return Fx.succeed(void 0);
+							})),
+							skipFallback: () => Fx.succeed(void 0)
 						});
-						for (const value of serializeAuthCookies({
-							token: null,
-							refreshToken: null,
-							verifier: null
-						}, host, cookieConfig, cookieNamespace)) response.headers.append("Set-Cookie", value);
-						return response;
-					},
-					err: (e) => e
+					}), Fx.map(() => void 0)));
+					const response = new Response(JSON.stringify(null), {
+						status: 200,
+						headers: { "Content-Type": "application/json" }
+					});
+					for (const value of serializeAuthCookies({
+						token: null,
+						refreshToken: null,
+						verifier: null
+					}, host, cookieConfig, cookieNamespace)) response.headers.append("Set-Cookie", value);
+					return response;
 				})
 			}));
 		},