npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.22 → 0.0.4-preview.24 - Mend

@robelest/convex-auth 0.0.4-preview.22 → 0.0.4-preview.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (314) hide show

package/README.md +10 -11
package/dist/authorization/index.d.ts +1 -1
package/dist/authorization/index.js +1 -1
package/dist/authorization/index.js.map +1 -1
package/dist/client/index.d.ts +1 -2
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +36 -39
package/dist/client/index.js.map +1 -1
package/dist/component/client/index.d.ts +1 -2
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +9 -9
package/dist/component/model.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.js.map +1 -1
package/dist/component/public/enterprise/core.d.ts.map +1 -1
package/dist/component/public/enterprise/core.js.map +1 -1
package/dist/component/public/enterprise/domains.d.ts.map +1 -1
package/dist/component/public/enterprise/domains.js.map +1 -1
package/dist/component/public/enterprise/scim.d.ts.map +1 -1
package/dist/component/public/enterprise/scim.js.map +1 -1
package/dist/component/public/enterprise/secrets.d.ts.map +1 -1
package/dist/component/public/enterprise/secrets.js.map +1 -1
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -1
package/dist/component/public/enterprise/webhooks.js.map +1 -1
package/dist/component/public/factors/devices.d.ts.map +1 -1
package/dist/component/public/factors/devices.js.map +1 -1
package/dist/component/public/factors/passkeys.d.ts.map +1 -1
package/dist/component/public/factors/passkeys.js.map +1 -1
package/dist/component/public/factors/totp.d.ts.map +1 -1
package/dist/component/public/factors/totp.js.map +1 -1
package/dist/component/public/groups/core.js.map +1 -1
package/dist/component/public/groups/invites.d.ts.map +1 -1
package/dist/component/public/groups/invites.js.map +1 -1
package/dist/component/public/groups/members.d.ts.map +1 -1
package/dist/component/public/groups/members.js.map +1 -1
package/dist/component/public/identity/accounts.d.ts.map +1 -1
package/dist/component/public/identity/accounts.js.map +1 -1
package/dist/component/public/identity/codes.d.ts.map +1 -1
package/dist/component/public/identity/codes.js.map +1 -1
package/dist/component/public/identity/sessions.d.ts.map +1 -1
package/dist/component/public/identity/sessions.js.map +1 -1
package/dist/component/public/identity/tokens.d.ts.map +1 -1
package/dist/component/public/identity/tokens.js.map +1 -1
package/dist/component/public/identity/users.d.ts.map +1 -1
package/dist/component/public/identity/users.js.map +1 -1
package/dist/component/public/identity/verifiers.d.ts.map +1 -1
package/dist/component/public/identity/verifiers.js.map +1 -1
package/dist/component/public/security/keys.d.ts.map +1 -1
package/dist/component/public/security/keys.js.map +1 -1
package/dist/component/public/security/limits.d.ts.map +1 -1
package/dist/component/public/security/limits.js.map +1 -1
package/dist/component/schema.d.ts +41 -41
package/dist/component/server/auth.d.ts +127 -130
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -64
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/context.js +53 -0
package/dist/component/server/context.js.map +1 -0
package/dist/component/server/core.js +113 -250
package/dist/component/server/core.js.map +1 -1
package/dist/component/server/crypto.js +25 -7
package/dist/component/server/crypto.js.map +1 -1
package/dist/component/server/device.js +59 -16
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/enterprise/domain.js +148 -59
package/dist/component/server/enterprise/domain.js.map +1 -1
package/dist/component/server/enterprise/http.js +36 -15
package/dist/component/server/enterprise/http.js.map +1 -1
package/dist/component/server/enterprise/oidc.js +1 -1
package/dist/component/server/http.d.ts +85 -0
package/dist/component/server/http.d.ts.map +1 -0
package/dist/component/server/http.js +85 -22
package/dist/component/server/http.js.map +1 -1
package/dist/component/server/identity.js +5 -2
package/dist/component/server/identity.js.map +1 -1
package/dist/component/server/limits.js +21 -30
package/dist/component/server/limits.js.map +1 -1
package/dist/component/server/mutations/account.js +12 -10
package/dist/component/server/mutations/account.js.map +1 -1
package/dist/component/server/mutations/code.js +5 -2
package/dist/component/server/mutations/code.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/invalidate.js.map +1 -1
package/dist/component/server/mutations/oauth.js +10 -4
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +2 -2
package/dist/component/server/mutations/refresh.js.map +1 -1
package/dist/component/server/mutations/register.js +46 -42
package/dist/component/server/mutations/register.js.map +1 -1
package/dist/component/server/mutations/retrieve.js +21 -25
package/dist/component/server/mutations/retrieve.js.map +1 -1
package/dist/component/server/mutations/signature.js +10 -4
package/dist/component/server/mutations/signature.js.map +1 -1
package/dist/component/server/mutations/signout.js.map +1 -1
package/dist/component/server/mutations/store.js +9 -24
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verifier.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/mutations/verify.js.map +1 -1
package/dist/component/server/oauth.js +53 -16
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +115 -31
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/redirects.js +9 -3
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +10 -7
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/runtime.d.ts +5 -5
package/dist/component/server/runtime.js +156 -113
package/dist/component/server/runtime.js.map +1 -1
package/dist/component/server/signin.js +34 -10
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/totp.js +79 -19
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +12 -20
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +6 -3
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +10 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +14 -22
package/dist/core/types.d.ts.map +1 -1
package/dist/factors/device.js +8 -9
package/dist/factors/device.js.map +1 -1
package/dist/factors/passkey.js +18 -21
package/dist/factors/passkey.js.map +1 -1
package/dist/providers/password.js +66 -81
package/dist/providers/password.js.map +1 -1
package/dist/runtime/invite.js +2 -8
package/dist/runtime/invite.js.map +1 -1
package/dist/server/auth.d.ts +127 -130
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -64
package/dist/server/auth.js.map +1 -1
package/dist/server/context.d.ts +1 -0
package/dist/server/context.js +53 -0
package/dist/server/context.js.map +1 -0
package/dist/server/core.d.ts +74 -195
package/dist/server/core.d.ts.map +1 -1
package/dist/server/core.js +113 -250
package/dist/server/core.js.map +1 -1
package/dist/server/crypto.d.ts.map +1 -1
package/dist/server/crypto.js +25 -7
package/dist/server/crypto.js.map +1 -1
package/dist/server/device.js +59 -16
package/dist/server/device.js.map +1 -1
package/dist/server/enterprise/domain.d.ts +0 -8
package/dist/server/enterprise/domain.d.ts.map +1 -1
package/dist/server/enterprise/domain.js +148 -59
package/dist/server/enterprise/domain.js.map +1 -1
package/dist/server/enterprise/http.d.ts.map +1 -1
package/dist/server/enterprise/http.js +35 -14
package/dist/server/enterprise/http.js.map +1 -1
package/dist/server/http.d.ts +81 -3
package/dist/server/http.d.ts.map +1 -1
package/dist/server/http.js +84 -21
package/dist/server/http.js.map +1 -1
package/dist/server/identity.js +5 -2
package/dist/server/identity.js.map +1 -1
package/dist/server/index.d.ts +3 -2
package/dist/server/index.js +2 -2
package/dist/server/limits.js +21 -30
package/dist/server/limits.js.map +1 -1
package/dist/server/mounts.d.ts +25 -63
package/dist/server/mounts.d.ts.map +1 -1
package/dist/server/mounts.js +46 -107
package/dist/server/mounts.js.map +1 -1
package/dist/server/mutations/account.d.ts +8 -9
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/account.js +11 -9
package/dist/server/mutations/account.js.map +1 -1
package/dist/server/mutations/code.d.ts +12 -12
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/code.js +5 -2
package/dist/server/mutations/code.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +4 -4
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/invalidate.js.map +1 -1
package/dist/server/mutations/oauth.d.ts +14 -12
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -3
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +3 -3
package/dist/server/mutations/refresh.d.ts.map +1 -1
package/dist/server/mutations/refresh.js +1 -1
package/dist/server/mutations/refresh.js.map +1 -1
package/dist/server/mutations/register.d.ts +11 -11
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/register.js +45 -41
package/dist/server/mutations/register.js.map +1 -1
package/dist/server/mutations/retrieve.d.ts +6 -6
package/dist/server/mutations/retrieve.d.ts.map +1 -1
package/dist/server/mutations/retrieve.js +20 -24
package/dist/server/mutations/retrieve.js.map +1 -1
package/dist/server/mutations/signature.d.ts +6 -7
package/dist/server/mutations/signature.d.ts.map +1 -1
package/dist/server/mutations/signature.js +9 -3
package/dist/server/mutations/signature.js.map +1 -1
package/dist/server/mutations/signin.d.ts +5 -5
package/dist/server/mutations/signout.js.map +1 -1
package/dist/server/mutations/store.d.ts +83 -83
package/dist/server/mutations/store.js +8 -23
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.js.map +1 -1
package/dist/server/mutations/verify.d.ts +7 -7
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/mutations/verify.js.map +1 -1
package/dist/server/oauth.js +53 -16
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +2 -2
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +114 -30
package/dist/server/passkey.js.map +1 -1
package/dist/server/redirects.js +9 -3
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.js +10 -7
package/dist/server/refresh.js.map +1 -1
package/dist/server/runtime.d.ts +11 -11
package/dist/server/runtime.js +155 -112
package/dist/server/runtime.js.map +1 -1
package/dist/server/signin.js +34 -10
package/dist/server/signin.js.map +1 -1
package/dist/server/ssr.d.ts.map +1 -1
package/dist/server/ssr.js +175 -184
package/dist/server/ssr.js.map +1 -1
package/dist/server/totp.js +78 -18
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +13 -21
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.js +6 -3
package/dist/server/users.js.map +1 -1
package/dist/server/utils.js +10 -4
package/dist/server/utils.js.map +1 -1
package/package.json +1 -5
package/src/authorization/index.ts +1 -1
package/src/client/core/types.ts +14 -14
package/src/client/factors/device.ts +10 -12
package/src/client/factors/passkey.ts +23 -26
package/src/client/index.ts +54 -64
package/src/client/runtime/invite.ts +5 -7
package/src/component/index.ts +9 -3
package/src/component/public/enterprise/audit.ts +6 -1
package/src/component/public/enterprise/core.ts +1 -0
package/src/component/public/enterprise/domains.ts +5 -1
package/src/component/public/enterprise/scim.ts +1 -0
package/src/component/public/enterprise/secrets.ts +1 -0
package/src/component/public/enterprise/webhooks.ts +1 -0
package/src/component/public/factors/devices.ts +1 -0
package/src/component/public/factors/passkeys.ts +1 -0
package/src/component/public/factors/totp.ts +1 -0
package/src/component/public/groups/core.ts +1 -1
package/src/component/public/groups/invites.ts +7 -1
package/src/component/public/groups/members.ts +1 -0
package/src/component/public/identity/accounts.ts +1 -0
package/src/component/public/identity/codes.ts +1 -0
package/src/component/public/identity/sessions.ts +1 -0
package/src/component/public/identity/tokens.ts +1 -0
package/src/component/public/identity/users.ts +1 -0
package/src/component/public/identity/verifiers.ts +1 -0
package/src/component/public/security/keys.ts +1 -0
package/src/component/public/security/limits.ts +1 -0
package/src/providers/password.ts +89 -110
package/src/server/auth.ts +240 -182
package/src/server/context.ts +90 -0
package/src/server/core.ts +195 -286
package/src/server/crypto.ts +31 -29
package/src/server/device.ts +65 -32
package/src/server/enterprise/domain.ts +158 -170
package/src/server/enterprise/http.ts +46 -39
package/src/server/http.ts +289 -30
package/src/server/identity.ts +5 -5
package/src/server/index.ts +9 -3
package/src/server/limits.ts +53 -80
package/src/server/mounts.ts +56 -80
package/src/server/mutations/account.ts +22 -36
package/src/server/mutations/code.ts +6 -6
package/src/server/mutations/invalidate.ts +1 -1
package/src/server/mutations/oauth.ts +14 -8
package/src/server/mutations/refresh.ts +5 -4
package/src/server/mutations/register.ts +87 -132
package/src/server/mutations/retrieve.ts +44 -44
package/src/server/mutations/signature.ts +13 -6
package/src/server/mutations/signout.ts +1 -1
package/src/server/mutations/store.ts +16 -31
package/src/server/mutations/verifier.ts +1 -1
package/src/server/mutations/verify.ts +3 -5
package/src/server/oauth.ts +60 -69
package/src/server/passkey.ts +567 -517
package/src/server/redirects.ts +10 -6
package/src/server/refresh.ts +14 -18
package/src/server/runtime.ts +340 -302
package/src/server/signin.ts +44 -37
package/src/server/ssr.ts +390 -407
package/src/server/totp.ts +85 -35
package/src/server/types.ts +19 -22
package/src/server/users.ts +7 -6
package/src/server/utils.ts +10 -12
package/dist/component/server/authError.js +0 -34
package/dist/component/server/authError.js.map +0 -1
package/dist/component/server/errors.d.ts +0 -1
package/dist/component/server/errors.js +0 -137
package/dist/component/server/errors.js.map +0 -1
package/dist/server/authError.d.ts +0 -46
package/dist/server/authError.d.ts.map +0 -1
package/dist/server/authError.js +0 -34
package/dist/server/authError.js.map +0 -1
package/dist/server/errors.d.ts +0 -177
package/dist/server/errors.d.ts.map +0 -1
package/dist/server/errors.js +0 -212
package/dist/server/errors.js.map +0 -1
package/src/server/authError.ts +0 -44
package/src/server/errors.ts +0 -290

package/src/server/enterprise/http.ts CHANGED Viewed

@@ -1,11 +1,10 @@
+import { Fx } from "@robelest/fx";
+import { Cv } from "@robelest/fx/convex";
 import type { GenericActionCtx, HttpRouter } from "convex/server";
+import { ConvexError } from "convex/values";
 import { serialize as serializeCookie } from "cookie";
 import { redirectToParamCookie, useRedirectToParam } from "../cookies";
-import { isAuthError } from "../errors";
-import { Fx } from "@robelest/fx";
-import { AuthError } from "../authError";
 import { addSSORoutes, convertErrorsToResponse, getCookies } from "../http";
 import type { SSORuntimeRoute } from "../http";
 import { createOAuthAuthorizationURL, handleOAuthCallback } from "../oauth";
@@ -207,12 +206,10 @@ export function addEnterpriseHttpRuntime(deps: EnterpriseHttpRuntimeDeps) {
           runtimeRoute.protocol !== "saml" ||
             runtimeRoute.rest.length !== 1 ||
             runtimeRoute.rest[0] !== "acs",
-          Fx.fail(
-            new AuthError(
-              "INVALID_PARAMETERS",
-              "Invalid enterprise runtime path.",
-            ).toConvexError(),
-          ),
+          Cv.fail({
+            code: "INVALID_PARAMETERS",
+            message: "Invalid enterprise runtime path.",
+          }),
         );
         const enterpriseId = runtimeRoute.enterpriseId;
@@ -230,10 +227,10 @@ export function addEnterpriseHttpRuntime(deps: EnterpriseHttpRuntimeDeps) {
               config: loaded.config,
             }),
           err: (e) =>
-            new AuthError(
-              "OAUTH_PROVIDER_ERROR",
-              `SAML response parse failed: ${e instanceof Error ? e.message : String(e)}`,
-            ).toConvexError(),
+            Cv.error({
+              code: "OAUTH_PROVIDER_ERROR",
+              message: `SAML response parse failed: ${e instanceof Error ? e.message : String(e)}`,
+            }),
         });
         yield* Fx.from({
@@ -247,10 +244,11 @@ export function addEnterpriseHttpRuntime(deps: EnterpriseHttpRuntimeDeps) {
             return Promise.resolve();
           },
           err: () =>
-            new AuthError(
-              "OAUTH_INVALID_STATE",
-              "SAML RelayState did not match the pending login request.",
-            ).toConvexError(),
+            Cv.error({
+              code: "OAUTH_INVALID_STATE",
+              message:
+                "SAML RelayState did not match the pending login request.",
+            }),
         });
         const { samlAttributes, samlSessionIndex, ...userProfile } =
@@ -331,10 +329,10 @@ export function addEnterpriseHttpRuntime(deps: EnterpriseHttpRuntimeDeps) {
       runtimeRoute.rest.length !== 1 ||
       runtimeRoute.rest[0] !== "slo"
     ) {
-      throw new AuthError(
-        "INVALID_PARAMETERS",
-        "Invalid enterprise runtime path.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_PARAMETERS",
+        message: "Invalid enterprise runtime path.",
+      });
     }
     const { loaded, enterprise } = await loadActiveEnterpriseSamlOrThrow(
       ctx,
@@ -371,10 +369,10 @@ export function addEnterpriseHttpRuntime(deps: EnterpriseHttpRuntimeDeps) {
     if (parsedMessage.hasSamlResponse) {
       return new Response(null, { status: 204 });
     }
-    throw new AuthError(
-      "INVALID_PARAMETERS",
-      "Missing SAML logout payload.",
-    ).toConvexError();
+    throw Cv.error({
+      code: "INVALID_PARAMETERS",
+      message: "Missing SAML logout payload.",
+    });
   };
   const handleScimRequest = async (
@@ -645,7 +643,7 @@ export function addEnterpriseHttpRuntime(deps: EnterpriseHttpRuntimeDeps) {
           userId,
           data: patchData,
         });
-        const resolution = await auth.member.resolve(state.ctx, {
+        const resolution = await auth.member.inspect(state.ctx, {
           groupId: state.enterprise.groupId,
           userId,
         });
@@ -711,7 +709,7 @@ export function addEnterpriseHttpRuntime(deps: EnterpriseHttpRuntimeDeps) {
         );
         if (missing) return missing;
         const userId = state.parsedPath.resourceId!;
-        const resolution = await auth.member.resolve(state.ctx, {
+        const resolution = await auth.member.inspect(state.ctx, {
           groupId: state.enterprise.groupId,
           userId,
         });
@@ -961,15 +959,12 @@ export function addEnterpriseHttpRuntime(deps: EnterpriseHttpRuntimeDeps) {
             );
             const userId = match?.[1];
             if (userId) {
-              const resolution = await auth.member.resolve(
-                state.ctx,
-                { groupId, userId },
-              );
+              const resolution = await auth.member.inspect(state.ctx, {
+                groupId,
+                userId,
+              });
               if (resolution.membership) {
-                await auth.member.delete(
-                  state.ctx,
-                  resolution.membership._id,
-                );
+                await auth.member.delete(state.ctx, resolution.membership._id);
               }
             }
           }
@@ -1105,7 +1100,13 @@ export function addEnterpriseHttpRuntime(deps: EnterpriseHttpRuntimeDeps) {
       ) {
         return scimError(400, "invalidFilter", error.message);
       }
-      if (isAuthError(error)) {
+      if (
+        error instanceof ConvexError &&
+        typeof error.data === "object" &&
+        error.data !== null &&
+        "code" in error.data &&
+        "message" in error.data
+      ) {
         const code = error.data.code as string;
         const status =
           code === "MISSING_BEARER_TOKEN" || code === "INVALID_API_KEY"
@@ -1141,7 +1142,10 @@ export function addEnterpriseHttpRuntime(deps: EnterpriseHttpRuntimeDeps) {
       const url = new URL(request.url);
       const verifier = url.searchParams.get("code");
       if (!verifier) {
-        throw new AuthError("OAUTH_MISSING_VERIFIER").toConvexError();
+        throw Cv.error({
+          code: "OAUTH_MISSING_VERIFIER",
+          message: "Missing sign-in verifier.",
+        });
       }
       const { loaded, enterprise } = await loadActiveEnterpriseSamlOrThrow(
         ctx,
@@ -1204,7 +1208,10 @@ export function addEnterpriseHttpRuntime(deps: EnterpriseHttpRuntimeDeps) {
       const url = new URL(request.url);
       const verifier = url.searchParams.get("code");
       if (!verifier) {
-        throw new AuthError("OAUTH_MISSING_VERIFIER").toConvexError();
+        throw Cv.error({
+          code: "OAUTH_MISSING_VERIFIER",
+          message: "Missing sign-in verifier.",
+        });
       }
       const { enterprise, oidc } = await loadEnterpriseOidcOrThrow(
         ctx,

package/src/server/http.ts CHANGED Viewed

@@ -1,3 +1,5 @@
+import { Fx } from "@robelest/fx";
+import { Cv } from "@robelest/fx/convex";
 import {
   GenericActionCtx,
   GenericDataModel,
@@ -7,13 +9,262 @@ import {
 import { ConvexError } from "convex/values";
 import { parse as parseCookies } from "cookie";
-import { isAuthError } from "./errors";
-import { Fx } from "@robelest/fx";
-import { AuthError } from "./authError";
+import type {
+  AuthContext,
+  OptionalAuthContext,
+  UserDoc,
+} from "./auth";
+import {
+  createUnauthenticatedAuthContext,
+  getAuthContextForUser,
+  getSessionUserId,
+} from "./context";
 import type { CorsConfig, HttpKeyContext } from "./types";
 import { logError } from "./utils";
+type HttpContextAuthLike = {
+  user: {
+    get: (ctx: any, userId: string) => Promise<UserDoc>;
+    getActiveGroup: (
+      ctx: any,
+      args: { userId: string },
+    ) => Promise<string | null>;
+  };
+  member: {
+    inspect: (
+      ctx: any,
+      args: { userId: string; groupId: string },
+    ) => Promise<{
+      membership: unknown;
+      roleIds: string[];
+      grants: string[];
+    }>;
+  };
+  key: {
+    verify: (ctx: GenericActionCtx<any>, rawKey: string) => Promise<{
+      userId: string;
+      keyId: string;
+      scopes: HttpKeyContext["key"]["scopes"];
+    }>;
+  };
+};
+/**
+ * Auth context returned by `auth.http.context(ctx, request)`.
+ *
+ * This resolves raw HTTP authentication in two steps:
+ * 1. session auth from `ctx.auth.getUserIdentity()`
+ * 2. API key auth from `Authorization: Bearer sk_*`
+ *
+ * The `source` field tells you which authentication path succeeded.
+ * When `source === "key"`, the verified API key metadata is available on
+ * `key`.
+ *
+ * @example
+ * ```ts
+ * const authContext = await auth.http.context(ctx, request);
+ * if (authContext.source === "key") {
+ *   console.log(authContext.key.keyId);
+ * }
+ * ```
+ */
+export type HttpAuthContext =
+  | (AuthContext & {
+      /** The request authenticated through a browser or session token. */
+      source: "session";
+      /** No API key was used for this request. */
+      key: null;
+    })
+  | (AuthContext & {
+      /** The request authenticated through an API key. */
+      source: "key";
+      /** Verified API key metadata for the request. */
+      key: HttpKeyContext["key"];
+    });
+/**
+ * Nullable HTTP auth context returned by
+ * `auth.http.context(ctx, request, { optional: true })`.
+ *
+ * This preserves a stable auth-shaped object for raw `httpAction` handlers
+ * that allow anonymous callers.
+ */
+export type OptionalHttpAuthContext =
+  | (OptionalAuthContext & {
+      /** No authentication source was resolved. */
+      source: null;
+      /** No API key metadata is available. */
+      key: null;
+    })
+  | HttpAuthContext;
+/**
+ * Configuration for {@link createAuth().http.context}.
+ *
+ * This mirrors {@link AuthContextConfig} for raw HTTP handlers and adds support
+ * for enriching mixed session/API-key auth results.
+ *
+ * @typeParam TResolve - Extra fields returned from `resolve()` and merged into
+ *   the resolved HTTP auth context.
+ *
+ * @example
+ * ```ts
+ * const authContext = await auth.http.context(ctx, request, {
+ *   resolve: async (_ctx, user, authState) => ({
+ *     email: user.email,
+ *     isMachineRequest: authState.source === "key",
+ *   }),
+ * });
+ * ```
+ */
+export type HttpAuthContextConfig<
+  TResolve extends Record<string, unknown> = Record<string, never>,
+> = {
+  /**
+   * Allow unauthenticated callers and return a null-shaped auth object instead
+   * of throwing `NOT_SIGNED_IN`.
+   */
+  optional?: boolean;
+  /**
+   * Attach additional derived fields to the resolved HTTP auth context.
+   *
+   * This callback runs only when authentication succeeds.
+   */
+  resolve?: (
+    ctx: GenericActionCtx<any>,
+    user: UserDoc,
+    auth: HttpAuthContext,
+  ) => Promise<TResolve> | TResolve;
+  /**
+   * Override or wrap HTTP auth resolution.
+   *
+   * Return `undefined` to use the built-in session-or-key resolver, `null` for
+   * an explicit unauthenticated state, or a fully resolved
+   * {@link HttpAuthContext}.
+   */
+  authResolve?: (
+    ctx: GenericActionCtx<any>,
+    fallback: () => Promise<HttpAuthContext | null>,
+  ) =>
+    | Promise<HttpAuthContext | null | undefined>
+    | HttpAuthContext
+    | null
+    | undefined;
+};
+function createNotSignedInError() {
+  return Cv.error({
+    code: "NOT_SIGNED_IN",
+    message: "Authentication required.",
+  });
+}
+async function getHttpKeyContext(
+  auth: HttpContextAuthLike,
+  ctx: GenericActionCtx<any>,
+  request: Request,
+): Promise<HttpAuthContext | null> {
+  const authHeader = request.headers.get("Authorization");
+  if (!authHeader?.startsWith("Bearer sk_")) {
+    return null;
+  }
+  try {
+    const verified = await auth.key.verify(ctx, authHeader.slice(7));
+    const authContext = await getAuthContextForUser(auth, ctx, verified.userId);
+    return {
+      ...authContext,
+      source: "key",
+      key: {
+        userId: verified.userId,
+        keyId: verified.keyId,
+        scopes: verified.scopes,
+      },
+    };
+  } catch {
+    return null;
+  }
+}
+async function resolveHttpAuthContext(
+  auth: HttpContextAuthLike,
+  ctx: GenericActionCtx<any>,
+  request: Request,
+): Promise<HttpAuthContext | null> {
+  const sessionUserId = await getSessionUserId(ctx);
+  if (sessionUserId !== null) {
+    const authContext = await getAuthContextForUser(auth, ctx, sessionUserId);
+    return {
+      ...authContext,
+      source: "session",
+      key: null,
+    };
+  }
+  return await getHttpKeyContext(auth, ctx, request);
+}
+/**
+ * @internal
+ * Create the implementation behind `auth.http.context(...)`.
+ */
+export function createHttpContext(auth: HttpContextAuthLike): {
+  <TResolve extends Record<string, unknown> = Record<string, never>>(
+    ctx: GenericActionCtx<any>,
+    request: Request,
+    config: HttpAuthContextConfig<TResolve> & { optional: true },
+  ): Promise<OptionalHttpAuthContext & TResolve>;
+  <TResolve extends Record<string, unknown> = Record<string, never>>(
+    ctx: GenericActionCtx<any>,
+    request: Request,
+    config?: HttpAuthContextConfig<TResolve>,
+  ): Promise<HttpAuthContext & TResolve>;
+} {
+  return (async (
+    ctx: GenericActionCtx<any>,
+    request: Request,
+    config?: HttpAuthContextConfig<any>,
+  ) => {
+    const fallback = () => resolveHttpAuthContext(auth, ctx, request);
+    const authOverride = config?.authResolve
+      ? await config.authResolve(ctx, fallback)
+      : undefined;
+    const resolved =
+      authOverride === undefined ? await fallback() : authOverride;
+    if (resolved === null) {
+      if (config?.optional !== true) {
+        throw createNotSignedInError();
+      }
+      return {
+        ...createUnauthenticatedAuthContext(),
+        source: null,
+        key: null,
+      };
+    }
+    const extra = config?.resolve
+      ? await config.resolve(ctx, resolved.user, resolved)
+      : {};
+    return {
+      ...resolved,
+      ...extra,
+    };
+  }) as {
+    <TResolve extends Record<string, unknown> = Record<string, never>>(
+      ctx: GenericActionCtx<any>,
+      request: Request,
+      config: HttpAuthContextConfig<TResolve> & { optional: true },
+    ): Promise<OptionalHttpAuthContext & TResolve>;
+    <TResolve extends Record<string, unknown> = Record<string, never>>(
+      ctx: GenericActionCtx<any>,
+      request: Request,
+      config?: HttpAuthContextConfig<TResolve>,
+    ): Promise<HttpAuthContext & TResolve>;
+  };
+}
 export function createHttpAction(auth: {
   key: { verify: (ctx: GenericActionCtx<any>, rawKey: string) => Promise<any> };
 }) {
@@ -59,19 +310,21 @@ export function createHttpAction(auth: {
             const rawKey = authHeader.slice(7);
             const keyResult = await Fx.run(
-              Fx.from({
-                ok: () => auth.key.verify(genericCtx, rawKey),
-                err: (error) => error,
-              }).pipe(
-                Fx.fold({
-                  ok: (result) => ({ ok: true, value: result }) as const,
-                  err: (error) => ({ ok: false, error }) as const,
-                }),
+              Fx.attempt(
+                () => auth.key.verify(genericCtx, rawKey),
+                (result) => ({ ok: true, value: result }) as const,
+                (error) => ({ ok: false, error }) as const,
               ),
             );
             if (!keyResult.ok) {
-              if (isAuthError(keyResult.error)) {
+              if (
+                keyResult.error instanceof ConvexError &&
+                typeof keyResult.error.data === "object" &&
+                keyResult.error.data !== null &&
+                "code" in keyResult.error.data &&
+                "message" in keyResult.error.data
+              ) {
                 const { code, message } = keyResult.error.data as {
                   code: string;
                   message: string;
@@ -219,7 +472,13 @@ export function convertErrorsToResponse(
         err: (error) => error,
       }).pipe(
         Fx.recover((error) => {
-          if (isAuthError(error)) {
+          if (
+            error instanceof ConvexError &&
+            typeof error.data === "object" &&
+            error.data !== null &&
+            "code" in error.data &&
+            "message" in error.data
+          ) {
             return Fx.succeed(
               new Response(
                 JSON.stringify({
@@ -426,10 +685,10 @@ export function addSSORoutes(
           deps.routeBase,
         );
         if (!route) {
-          throw new AuthError(
-            "INVALID_PARAMETERS",
-            "Invalid enterprise runtime path.",
-          ).toConvexError();
+          throw Cv.error({
+            code: "INVALID_PARAMETERS",
+            message: "Invalid enterprise runtime path.",
+          });
         }
         if (route.protocol === "saml" && route.rest.length === 1) {
           if (route.rest[0] === "metadata") {
@@ -456,10 +715,10 @@ export function addSSORoutes(
         if (route.protocol === "scim" && route.rest[0] === "v2") {
           return await deps.handleScimRequest(ctx, request);
         }
-        throw new AuthError(
-          "INVALID_PARAMETERS",
-          "Invalid enterprise runtime path.",
-        ).toConvexError();
+        throw Cv.error({
+          code: "INVALID_PARAMETERS",
+          message: "Invalid enterprise runtime path.",
+        });
       }),
     ),
   });
@@ -484,10 +743,10 @@ export function addSSORoutes(
         if (route?.protocol === "scim" && route.rest[0] === "v2") {
           return await deps.handleScimRequest(ctx, request);
         }
-        throw new AuthError(
-          "INVALID_PARAMETERS",
-          "Invalid enterprise runtime path.",
-        ).toConvexError();
+        throw Cv.error({
+          code: "INVALID_PARAMETERS",
+          message: "Invalid enterprise runtime path.",
+        });
       }),
     ),
   });
@@ -504,10 +763,10 @@ export function addSSORoutes(
         if (route?.protocol === "scim" && route.rest[0] === "v2") {
           return await deps.handleScimRequest(ctx, request);
         }
-        throw new AuthError(
-          "INVALID_PARAMETERS",
-          "Invalid enterprise runtime path.",
-        ).toConvexError();
+        throw Cv.error({
+          code: "INVALID_PARAMETERS",
+          message: "Invalid enterprise runtime path.",
+        });
       }),
     ),
   });

package/src/server/identity.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { AuthError } from "./authError";
+import { Cv } from "@robelest/fx/convex";
 /** @internal */
 export function userIdFromIdentitySubject(subject: string): string {
@@ -9,10 +9,10 @@ export function userIdFromIdentitySubject(subject: string): string {
     rest.length === 0 ||
     rest.some((segment) => segment.length === 0)
   ) {
-    throw new AuthError(
-      "INTERNAL_ERROR",
-      "Authenticated identity subject is malformed.",
-    );
+    throw Cv.error({
+      code: "INTERNAL_ERROR",
+      message: "Authenticated identity subject is malformed.",
+    });
   }
   return userId;
 }

package/src/server/index.ts CHANGED Viewed

@@ -1,15 +1,21 @@
-export { AuthCtx, createAuth } from "./auth";
+export { createAuth } from "./auth";
 export type {
   AuthApi,
   AuthApiBase,
+  AuthContext,
+  AuthContextConfig,
   AuthConfig,
-  AuthCtxConfig,
-  AuthResolvedContext,
   ConvexAuthResult,
   InferAuth,
   InferClientApi,
+  OptionalAuthContext,
   UserDoc,
 } from "./auth";
+export type {
+  HttpAuthContext,
+  HttpAuthContextConfig,
+  OptionalHttpAuthContext,
+} from "./http";
 export type {
   EnterpriseAdminAuthorizationInput,
   EnterpriseAdminPermission,