npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.22 → 0.0.4-preview.24 - Mend

@robelest/convex-auth 0.0.4-preview.22 → 0.0.4-preview.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (314) hide show

package/README.md +10 -11
package/dist/authorization/index.d.ts +1 -1
package/dist/authorization/index.js +1 -1
package/dist/authorization/index.js.map +1 -1
package/dist/client/index.d.ts +1 -2
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +36 -39
package/dist/client/index.js.map +1 -1
package/dist/component/client/index.d.ts +1 -2
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +9 -9
package/dist/component/model.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.js.map +1 -1
package/dist/component/public/enterprise/core.d.ts.map +1 -1
package/dist/component/public/enterprise/core.js.map +1 -1
package/dist/component/public/enterprise/domains.d.ts.map +1 -1
package/dist/component/public/enterprise/domains.js.map +1 -1
package/dist/component/public/enterprise/scim.d.ts.map +1 -1
package/dist/component/public/enterprise/scim.js.map +1 -1
package/dist/component/public/enterprise/secrets.d.ts.map +1 -1
package/dist/component/public/enterprise/secrets.js.map +1 -1
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -1
package/dist/component/public/enterprise/webhooks.js.map +1 -1
package/dist/component/public/factors/devices.d.ts.map +1 -1
package/dist/component/public/factors/devices.js.map +1 -1
package/dist/component/public/factors/passkeys.d.ts.map +1 -1
package/dist/component/public/factors/passkeys.js.map +1 -1
package/dist/component/public/factors/totp.d.ts.map +1 -1
package/dist/component/public/factors/totp.js.map +1 -1
package/dist/component/public/groups/core.js.map +1 -1
package/dist/component/public/groups/invites.d.ts.map +1 -1
package/dist/component/public/groups/invites.js.map +1 -1
package/dist/component/public/groups/members.d.ts.map +1 -1
package/dist/component/public/groups/members.js.map +1 -1
package/dist/component/public/identity/accounts.d.ts.map +1 -1
package/dist/component/public/identity/accounts.js.map +1 -1
package/dist/component/public/identity/codes.d.ts.map +1 -1
package/dist/component/public/identity/codes.js.map +1 -1
package/dist/component/public/identity/sessions.d.ts.map +1 -1
package/dist/component/public/identity/sessions.js.map +1 -1
package/dist/component/public/identity/tokens.d.ts.map +1 -1
package/dist/component/public/identity/tokens.js.map +1 -1
package/dist/component/public/identity/users.d.ts.map +1 -1
package/dist/component/public/identity/users.js.map +1 -1
package/dist/component/public/identity/verifiers.d.ts.map +1 -1
package/dist/component/public/identity/verifiers.js.map +1 -1
package/dist/component/public/security/keys.d.ts.map +1 -1
package/dist/component/public/security/keys.js.map +1 -1
package/dist/component/public/security/limits.d.ts.map +1 -1
package/dist/component/public/security/limits.js.map +1 -1
package/dist/component/schema.d.ts +41 -41
package/dist/component/server/auth.d.ts +127 -130
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -64
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/context.js +53 -0
package/dist/component/server/context.js.map +1 -0
package/dist/component/server/core.js +113 -250
package/dist/component/server/core.js.map +1 -1
package/dist/component/server/crypto.js +25 -7
package/dist/component/server/crypto.js.map +1 -1
package/dist/component/server/device.js +59 -16
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/enterprise/domain.js +148 -59
package/dist/component/server/enterprise/domain.js.map +1 -1
package/dist/component/server/enterprise/http.js +36 -15
package/dist/component/server/enterprise/http.js.map +1 -1
package/dist/component/server/enterprise/oidc.js +1 -1
package/dist/component/server/http.d.ts +85 -0
package/dist/component/server/http.d.ts.map +1 -0
package/dist/component/server/http.js +85 -22
package/dist/component/server/http.js.map +1 -1
package/dist/component/server/identity.js +5 -2
package/dist/component/server/identity.js.map +1 -1
package/dist/component/server/limits.js +21 -30
package/dist/component/server/limits.js.map +1 -1
package/dist/component/server/mutations/account.js +12 -10
package/dist/component/server/mutations/account.js.map +1 -1
package/dist/component/server/mutations/code.js +5 -2
package/dist/component/server/mutations/code.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/invalidate.js.map +1 -1
package/dist/component/server/mutations/oauth.js +10 -4
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +2 -2
package/dist/component/server/mutations/refresh.js.map +1 -1
package/dist/component/server/mutations/register.js +46 -42
package/dist/component/server/mutations/register.js.map +1 -1
package/dist/component/server/mutations/retrieve.js +21 -25
package/dist/component/server/mutations/retrieve.js.map +1 -1
package/dist/component/server/mutations/signature.js +10 -4
package/dist/component/server/mutations/signature.js.map +1 -1
package/dist/component/server/mutations/signout.js.map +1 -1
package/dist/component/server/mutations/store.js +9 -24
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verifier.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/mutations/verify.js.map +1 -1
package/dist/component/server/oauth.js +53 -16
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +115 -31
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/redirects.js +9 -3
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +10 -7
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/runtime.d.ts +5 -5
package/dist/component/server/runtime.js +156 -113
package/dist/component/server/runtime.js.map +1 -1
package/dist/component/server/signin.js +34 -10
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/totp.js +79 -19
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +12 -20
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +6 -3
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +10 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +14 -22
package/dist/core/types.d.ts.map +1 -1
package/dist/factors/device.js +8 -9
package/dist/factors/device.js.map +1 -1
package/dist/factors/passkey.js +18 -21
package/dist/factors/passkey.js.map +1 -1
package/dist/providers/password.js +66 -81
package/dist/providers/password.js.map +1 -1
package/dist/runtime/invite.js +2 -8
package/dist/runtime/invite.js.map +1 -1
package/dist/server/auth.d.ts +127 -130
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -64
package/dist/server/auth.js.map +1 -1
package/dist/server/context.d.ts +1 -0
package/dist/server/context.js +53 -0
package/dist/server/context.js.map +1 -0
package/dist/server/core.d.ts +74 -195
package/dist/server/core.d.ts.map +1 -1
package/dist/server/core.js +113 -250
package/dist/server/core.js.map +1 -1
package/dist/server/crypto.d.ts.map +1 -1
package/dist/server/crypto.js +25 -7
package/dist/server/crypto.js.map +1 -1
package/dist/server/device.js +59 -16
package/dist/server/device.js.map +1 -1
package/dist/server/enterprise/domain.d.ts +0 -8
package/dist/server/enterprise/domain.d.ts.map +1 -1
package/dist/server/enterprise/domain.js +148 -59
package/dist/server/enterprise/domain.js.map +1 -1
package/dist/server/enterprise/http.d.ts.map +1 -1
package/dist/server/enterprise/http.js +35 -14
package/dist/server/enterprise/http.js.map +1 -1
package/dist/server/http.d.ts +81 -3
package/dist/server/http.d.ts.map +1 -1
package/dist/server/http.js +84 -21
package/dist/server/http.js.map +1 -1
package/dist/server/identity.js +5 -2
package/dist/server/identity.js.map +1 -1
package/dist/server/index.d.ts +3 -2
package/dist/server/index.js +2 -2
package/dist/server/limits.js +21 -30
package/dist/server/limits.js.map +1 -1
package/dist/server/mounts.d.ts +25 -63
package/dist/server/mounts.d.ts.map +1 -1
package/dist/server/mounts.js +46 -107
package/dist/server/mounts.js.map +1 -1
package/dist/server/mutations/account.d.ts +8 -9
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/account.js +11 -9
package/dist/server/mutations/account.js.map +1 -1
package/dist/server/mutations/code.d.ts +12 -12
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/code.js +5 -2
package/dist/server/mutations/code.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +4 -4
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/invalidate.js.map +1 -1
package/dist/server/mutations/oauth.d.ts +14 -12
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -3
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +3 -3
package/dist/server/mutations/refresh.d.ts.map +1 -1
package/dist/server/mutations/refresh.js +1 -1
package/dist/server/mutations/refresh.js.map +1 -1
package/dist/server/mutations/register.d.ts +11 -11
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/register.js +45 -41
package/dist/server/mutations/register.js.map +1 -1
package/dist/server/mutations/retrieve.d.ts +6 -6
package/dist/server/mutations/retrieve.d.ts.map +1 -1
package/dist/server/mutations/retrieve.js +20 -24
package/dist/server/mutations/retrieve.js.map +1 -1
package/dist/server/mutations/signature.d.ts +6 -7
package/dist/server/mutations/signature.d.ts.map +1 -1
package/dist/server/mutations/signature.js +9 -3
package/dist/server/mutations/signature.js.map +1 -1
package/dist/server/mutations/signin.d.ts +5 -5
package/dist/server/mutations/signout.js.map +1 -1
package/dist/server/mutations/store.d.ts +83 -83
package/dist/server/mutations/store.js +8 -23
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.js.map +1 -1
package/dist/server/mutations/verify.d.ts +7 -7
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/mutations/verify.js.map +1 -1
package/dist/server/oauth.js +53 -16
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +2 -2
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +114 -30
package/dist/server/passkey.js.map +1 -1
package/dist/server/redirects.js +9 -3
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.js +10 -7
package/dist/server/refresh.js.map +1 -1
package/dist/server/runtime.d.ts +11 -11
package/dist/server/runtime.js +155 -112
package/dist/server/runtime.js.map +1 -1
package/dist/server/signin.js +34 -10
package/dist/server/signin.js.map +1 -1
package/dist/server/ssr.d.ts.map +1 -1
package/dist/server/ssr.js +175 -184
package/dist/server/ssr.js.map +1 -1
package/dist/server/totp.js +78 -18
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +13 -21
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.js +6 -3
package/dist/server/users.js.map +1 -1
package/dist/server/utils.js +10 -4
package/dist/server/utils.js.map +1 -1
package/package.json +1 -5
package/src/authorization/index.ts +1 -1
package/src/client/core/types.ts +14 -14
package/src/client/factors/device.ts +10 -12
package/src/client/factors/passkey.ts +23 -26
package/src/client/index.ts +54 -64
package/src/client/runtime/invite.ts +5 -7
package/src/component/index.ts +9 -3
package/src/component/public/enterprise/audit.ts +6 -1
package/src/component/public/enterprise/core.ts +1 -0
package/src/component/public/enterprise/domains.ts +5 -1
package/src/component/public/enterprise/scim.ts +1 -0
package/src/component/public/enterprise/secrets.ts +1 -0
package/src/component/public/enterprise/webhooks.ts +1 -0
package/src/component/public/factors/devices.ts +1 -0
package/src/component/public/factors/passkeys.ts +1 -0
package/src/component/public/factors/totp.ts +1 -0
package/src/component/public/groups/core.ts +1 -1
package/src/component/public/groups/invites.ts +7 -1
package/src/component/public/groups/members.ts +1 -0
package/src/component/public/identity/accounts.ts +1 -0
package/src/component/public/identity/codes.ts +1 -0
package/src/component/public/identity/sessions.ts +1 -0
package/src/component/public/identity/tokens.ts +1 -0
package/src/component/public/identity/users.ts +1 -0
package/src/component/public/identity/verifiers.ts +1 -0
package/src/component/public/security/keys.ts +1 -0
package/src/component/public/security/limits.ts +1 -0
package/src/providers/password.ts +89 -110
package/src/server/auth.ts +240 -182
package/src/server/context.ts +90 -0
package/src/server/core.ts +195 -286
package/src/server/crypto.ts +31 -29
package/src/server/device.ts +65 -32
package/src/server/enterprise/domain.ts +158 -170
package/src/server/enterprise/http.ts +46 -39
package/src/server/http.ts +289 -30
package/src/server/identity.ts +5 -5
package/src/server/index.ts +9 -3
package/src/server/limits.ts +53 -80
package/src/server/mounts.ts +56 -80
package/src/server/mutations/account.ts +22 -36
package/src/server/mutations/code.ts +6 -6
package/src/server/mutations/invalidate.ts +1 -1
package/src/server/mutations/oauth.ts +14 -8
package/src/server/mutations/refresh.ts +5 -4
package/src/server/mutations/register.ts +87 -132
package/src/server/mutations/retrieve.ts +44 -44
package/src/server/mutations/signature.ts +13 -6
package/src/server/mutations/signout.ts +1 -1
package/src/server/mutations/store.ts +16 -31
package/src/server/mutations/verifier.ts +1 -1
package/src/server/mutations/verify.ts +3 -5
package/src/server/oauth.ts +60 -69
package/src/server/passkey.ts +567 -517
package/src/server/redirects.ts +10 -6
package/src/server/refresh.ts +14 -18
package/src/server/runtime.ts +340 -302
package/src/server/signin.ts +44 -37
package/src/server/ssr.ts +390 -407
package/src/server/totp.ts +85 -35
package/src/server/types.ts +19 -22
package/src/server/users.ts +7 -6
package/src/server/utils.ts +10 -12
package/dist/component/server/authError.js +0 -34
package/dist/component/server/authError.js.map +0 -1
package/dist/component/server/errors.d.ts +0 -1
package/dist/component/server/errors.js +0 -137
package/dist/component/server/errors.js.map +0 -1
package/dist/server/authError.d.ts +0 -46
package/dist/server/authError.d.ts.map +0 -1
package/dist/server/authError.js +0 -34
package/dist/server/authError.js.map +0 -1
package/dist/server/errors.d.ts +0 -177
package/dist/server/errors.d.ts.map +0 -1
package/dist/server/errors.js +0 -212
package/dist/server/errors.js.map +0 -1
package/src/server/authError.ts +0 -44
package/src/server/errors.ts +0 -290

package/src/server/runtime.ts CHANGED Viewed

@@ -1,5 +1,6 @@
+import { Fx } from "@robelest/fx";
+import { Cv } from "@robelest/fx/convex";
 import {
-  Auth,
   GenericActionCtx,
   GenericDataModel,
   HttpRouter,
@@ -9,10 +10,10 @@ import {
 import { v } from "convex/values";
 import { serialize as serializeCookie } from "cookie";
-import { createCoreDomains } from "./core";
+import { configDefaults, listAvailableProviders } from "./config";
 import { redirectToParamCookie, useRedirectToParam } from "./cookies";
-import { createEnterpriseDomain } from "./enterprise/domain";
-import { addEnterpriseHttpRuntime } from "./enterprise/http";
+import { createCoreDomains } from "./core";
+import { GetProviderOrThrowFunc } from "./crypto";
 import {
   getOidcConfig,
   getPublicOidcConfig,
@@ -20,29 +21,30 @@ import {
   upsertProtocolConfig,
   withOidcSecretState,
 } from "./enterprise/config";
-import { normalizeEnterprisePolicy, patchEnterprisePolicy } from "./enterprise/policy";
+import { createEnterpriseDomain } from "./enterprise/domain";
+import { addEnterpriseHttpRuntime } from "./enterprise/http";
+import {
+  normalizeEnterprisePolicy,
+  patchEnterprisePolicy,
+} from "./enterprise/policy";
 import {
   createServiceProviderMetadata,
   getSamlServiceProviderOptions,
   parseSamlIdpMetadata,
 } from "./enterprise/saml";
-import {
-  parseScimPath,
-} from "./enterprise/scim";
+import { parseScimPath } from "./enterprise/scim";
 import {
   enterpriseOidcProviderId,
   getEnterpriseOidcUrls,
   isEnterpriseSamlSourceActive,
   normalizeDomain,
 } from "./enterprise/shared";
-import { Fx } from "@robelest/fx";
-import { AuthError } from "./authError";
 import {
   addAuthRoutes,
   addOpenIdRoutes,
   convertErrorsToResponse,
   createHttpAction,
+  createHttpContext,
   createHttpRoute,
   getCookies,
 } from "./http";
@@ -58,8 +60,6 @@ import {
   storeImpl,
 } from "./mutations/index";
 import { createOAuthAuthorizationURL, handleOAuthCallback } from "./oauth";
-import { GetProviderOrThrowFunc } from "./crypto";
-import { configDefaults, listAvailableProviders } from "./config";
 import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects";
 import { signInImpl } from "./signin";
 import type {
@@ -171,9 +171,11 @@ export function Auth(config_: ConvexAuthConfig) {
         `Provider \`${id}\` is not configured, ` +
         `available providers are ${listAvailableProviders(config, allowExtraProviders)}.`;
       logWithLevel(LOG_LEVELS.ERROR, detail);
-      throw new AuthError("PROVIDER_NOT_CONFIGURED", detail, {
+      throw Cv.error({
+        code: "PROVIDER_NOT_CONFIGURED",
+        message: detail,
         provider: id,
-      }).toConvexError();
+      });
     }
     return provider;
   };
@@ -231,10 +233,10 @@ export function Auth(config_: ConvexAuthConfig) {
       },
     );
     if (!enterprise) {
-      throw new AuthError(
-        "INVALID_PARAMETERS",
-        enterpriseNotFoundError,
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_PARAMETERS",
+        message: enterpriseNotFoundError,
+      });
     }
     return enterprise;
   };
@@ -245,10 +247,10 @@ export function Auth(config_: ConvexAuthConfig) {
   ) => {
     const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);
     if (enterprise.status !== "active") {
-      throw new AuthError(
-        "INVALID_PARAMETERS",
-        "Enterprise connection is not active.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_PARAMETERS",
+        message: "Enterprise connection is not active.",
+      });
     }
     return enterprise;
   };
@@ -268,17 +270,17 @@ export function Auth(config_: ConvexAuthConfig) {
       enterprise,
     };
     if (!isEnterpriseSamlSourceActive(loaded)) {
-      throw new AuthError(
-        "INVALID_PARAMETERS",
-        "Enterprise connection is not active.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_PARAMETERS",
+        message: "Enterprise connection is not active.",
+      });
     }
     const saml = getSamlConfig(loaded.config);
     if (!saml.idp?.metadataXml) {
-      throw new AuthError(
-        "PROVIDER_NOT_CONFIGURED",
-        "SAML is not configured for this enterprise.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "PROVIDER_NOT_CONFIGURED",
+        message: "SAML is not configured for this enterprise.",
+      });
     }
     return { loaded, enterprise, saml };
   };
@@ -290,10 +292,10 @@ export function Auth(config_: ConvexAuthConfig) {
     const enterprise = await loadActiveEnterpriseOrThrow(ctx, enterpriseId);
     const oidc = await getEnterpriseOidcConfigWithSecret(ctx, enterprise);
     if (oidc.enabled !== true) {
-      throw new AuthError(
-        "PROVIDER_NOT_CONFIGURED",
-        "OIDC is not configured for this enterprise.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "PROVIDER_NOT_CONFIGURED",
+        message: "OIDC is not configured for this enterprise.",
+      });
     }
     return { enterprise, oidc };
   };
@@ -407,7 +409,10 @@ export function Auth(config_: ConvexAuthConfig) {
   ) => {
     const authHeader = request.headers.get("Authorization");
     if (!authHeader?.startsWith("Bearer ")) {
-      throw new AuthError("MISSING_BEARER_TOKEN").toConvexError();
+      throw Cv.error({
+        code: "MISSING_BEARER_TOKEN",
+        message: "Missing or malformed Authorization: Bearer header.",
+      });
     }
     const token = authHeader.slice(7);
     const scimConfig = await ctx.runQuery(
@@ -415,17 +420,17 @@ export function Auth(config_: ConvexAuthConfig) {
       { tokenHash: await sha256(token) },
     );
     if (!scimConfig || scimConfig.status !== "active") {
-      throw new AuthError(
-        "INVALID_API_KEY",
-        "Invalid SCIM token.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_API_KEY",
+        message: "Invalid SCIM token.",
+      });
     }
     const parsedPath = parseScimPath(new URL(request.url).pathname);
     if (parsedPath.enterpriseId !== scimConfig.enterpriseId) {
-      throw new AuthError(
-        "INVALID_API_KEY",
-        "SCIM token/tenant mismatch.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_API_KEY",
+        message: "SCIM token/tenant mismatch.",
+      });
     }
     const enterprise = await ctx.runQuery(
       config.component.public.enterpriseGet,
@@ -434,10 +439,10 @@ export function Auth(config_: ConvexAuthConfig) {
       },
     );
     if (enterprise === null) {
-      throw new AuthError(
-        "INVALID_PARAMETERS",
-        "Enterprise not found.",
-      ).toConvexError();
+      throw Cv.error({
+        code: "INVALID_PARAMETERS",
+        message: "Enterprise not found.",
+      });
     }
     return { scimConfig, enterprise, parsedPath };
   };
@@ -488,272 +493,305 @@ export function Auth(config_: ConvexAuthConfig) {
       getPolicyFromEnterprise,
       patchEnterprisePolicy,
     }),
-    // HTTP wiring stays local to the factory because it still depends on a
-    // dense mix of OAuth, SAML, SCIM, cookie, and response helpers.
-    http: {
-      /**
-       * Register core HTTP routes for JWT verification and OAuth sign-in.
-       *
-       * ```ts
-       * import { httpRouter } from "convex/server";
-       * import { auth } from "./auth";
-       *
-       * const http = httpRouter();
-       *
-       * auth.http.add(http);
-       *
-       * export default http;
-       * ```
-       *
-       * The following routes are handled always:
-       *
-       * - `/.well-known/openid-configuration`
-       * - `/.well-known/jwks.json`
-       *
-       * The following routes are handled if OAuth is configured:
-       *
-       * - `/api/auth/signin/*`
-       * - `/api/auth/callback/*`
-       *
-       * @param http your HTTP router
-       */
-      add: (http: HttpRouter) => {
-        addOpenIdRoutes(http, {
-          getIssuer: () => requireEnv("CONVEX_SITE_URL"),
-          getJwks: () => requireEnv("JWKS"),
-        });
-        addEnterpriseHttpRuntime({
-          http,
-          hasSSO,
-          auth,
-          config,
-          routeBase: ENTERPRISE_CONTROL_ROUTE_BASE,
-          requireEnv,
-          loadActiveEnterpriseSamlOrThrow,
-          loadEnterpriseOidcOrThrow,
-          getEnterpriseScimContext,
-          getPolicyFromEnterprise,
-          normalizeEnterprisePolicy,
-          recordEnterpriseAuditEvent,
-          emitEnterpriseWebhookDeliveries,
-          generateRandomString,
-          inviteTokenAlphabet: INVITE_TOKEN_ALPHABET,
-          callUserOAuth,
-          callVerifierSignature,
-        });
+  };
-        if (hasOAuth) {
-          addAuthRoutes(http, {
-            handleSignIn: convertErrorsToResponse(400, async (ctx, request) => {
-              const url = new URL(request.url);
-              const pathParts = url.pathname.split("/");
-              const providerId = pathParts.at(-1)!;
-              if (providerId === null) {
-                throw new AuthError("OAUTH_MISSING_PROVIDER").toConvexError();
-              }
-              const verifier = url.searchParams.get("code");
-              if (verifier === null) {
-                throw new AuthError("OAUTH_MISSING_VERIFIER").toConvexError();
-              }
-              const provider = getProviderOrThrow(providerId);
-              const oauthConfig = provider as OAuthMaterializedConfig;
-              const { redirect, cookies, signature } =
-                await createOAuthAuthorizationURL(
-                  providerId,
-                  oauthConfig.provider,
-                  oauthConfig,
-                );
-              await callVerifierSignature(ctx, {
-                verifier,
-                signature,
+  // HTTP wiring stays local to the factory because it still depends on a
+  // dense mix of OAuth, SAML, SCIM, cookie, and response helpers.
+  auth.http = {
+    /**
+     * Register core HTTP routes for JWT verification and OAuth sign-in.
+     *
+     * ```ts
+     * import { httpRouter } from "convex/server";
+     * import { auth } from "./auth";
+     *
+     * const http = httpRouter();
+     *
+     * auth.http.add(http);
+     *
+     * export default http;
+     * ```
+     *
+     * The following routes are handled always:
+     *
+     * - `/.well-known/openid-configuration`
+     * - `/.well-known/jwks.json`
+     *
+     * The following routes are handled if OAuth is configured:
+     *
+     * - `/api/auth/signin/*`
+     * - `/api/auth/callback/*`
+     *
+     * @param http your HTTP router
+     */
+    add: (http: HttpRouter) => {
+      addOpenIdRoutes(http, {
+        getIssuer: () => requireEnv("CONVEX_SITE_URL"),
+        getJwks: () => requireEnv("JWKS"),
+      });
+      addEnterpriseHttpRuntime({
+        http,
+        hasSSO,
+        auth,
+        config,
+        routeBase: ENTERPRISE_CONTROL_ROUTE_BASE,
+        requireEnv,
+        loadActiveEnterpriseSamlOrThrow,
+        loadEnterpriseOidcOrThrow,
+        getEnterpriseScimContext,
+        getPolicyFromEnterprise,
+        normalizeEnterprisePolicy,
+        recordEnterpriseAuditEvent,
+        emitEnterpriseWebhookDeliveries,
+        generateRandomString,
+        inviteTokenAlphabet: INVITE_TOKEN_ALPHABET,
+        callUserOAuth,
+        callVerifierSignature,
+      });
+      if (hasOAuth) {
+        addAuthRoutes(http, {
+          handleSignIn: convertErrorsToResponse(400, async (ctx, request) => {
+            const url = new URL(request.url);
+            const pathParts = url.pathname.split("/");
+            const providerId = pathParts[pathParts.length - 1]!;
+            if (providerId === null) {
+              throw Cv.error({
+                code: "OAUTH_MISSING_PROVIDER",
+                message: "Missing OAuth provider ID.",
               });
+            }
+            const verifier = url.searchParams.get("code");
+            if (verifier === null) {
+              throw Cv.error({
+                code: "OAUTH_MISSING_VERIFIER",
+                message: "Missing sign-in verifier.",
+              });
+            }
+            const provider = getProviderOrThrow(providerId);
-              const redirectTo = url.searchParams.get("redirectTo");
-              if (redirectTo !== null) {
-                cookies.push(redirectToParamCookie(providerId, redirectTo));
-              }
-              const headers = new Headers({ Location: redirect });
-              for (const { name, value, options } of cookies) {
-                headers.append(
-                  "Set-Cookie",
-                  serializeCookie(name, value, options as any),
-                );
-              }
-              return new Response(null, { status: 302, headers });
-            }),
-            handleCallback: async (ctx, request) => {
-              const url = new URL(request.url);
-              const providerId = new URL(request.url).pathname
-                .split("/")
-                .at(-1);
-              if (!providerId) {
-                throw new AuthError("OAUTH_MISSING_PROVIDER").toConvexError();
-              }
-              logWithLevel(
-                LOG_LEVELS.DEBUG,
-                "Handling OAuth callback for provider:",
+            const oauthConfig = provider as OAuthMaterializedConfig;
+            const { redirect, cookies, signature } =
+              await createOAuthAuthorizationURL(
                 providerId,
+                oauthConfig.provider,
+                oauthConfig,
               );
-              const provider = getProviderOrThrow(providerId);
-              const cookies = getCookies(request);
-              const maybeRedirectTo = useRedirectToParam(provider.id, cookies);
+            await callVerifierSignature(ctx, {
+              verifier,
+              signature,
+            });
+            const redirectTo = url.searchParams.get("redirectTo");
+            if (redirectTo !== null) {
+              cookies.push(redirectToParamCookie(providerId, redirectTo));
+            }
+            const headers = new Headers({ Location: redirect });
+            for (const { name, value, options } of cookies) {
+              headers.append(
+                "Set-Cookie",
+                serializeCookie(name, value, options as any),
+              );
+            }
-              const destinationUrl = await redirectAbsoluteUrl(config, {
-                redirectTo: maybeRedirectTo?.redirectTo,
+            return new Response(null, { status: 302, headers });
+          }),
+          handleCallback: async (ctx, request) => {
+            const url = new URL(request.url);
+            const callbackPathParts = new URL(request.url).pathname.split("/");
+            const providerId = callbackPathParts[callbackPathParts.length - 1];
+            if (!providerId) {
+              throw Cv.error({
+                code: "OAUTH_MISSING_PROVIDER",
+                message: "Missing OAuth provider ID.",
               });
-              const params = url.searchParams;
-              if (
-                request.headers.get("Content-Type") ===
-                "application/x-www-form-urlencoded"
-              ) {
-                const formData = await request.formData();
-                formData.forEach((value, key) => {
-                  if (typeof value === "string") {
-                    params.append(key, value);
-                  }
-                });
-              }
-              return Fx.run(
-                Fx.from({
-                  ok: async () => {
-                    const oauthConfig = provider as OAuthMaterializedConfig;
-                    const result = await Fx.run(
-                      handleOAuthCallback(
-                        providerId,
-                        oauthConfig.provider,
-                        oauthConfig,
-                        Object.fromEntries(params.entries()),
-                        cookies,
-                      ),
+            }
+            logWithLevel(
+              LOG_LEVELS.DEBUG,
+              "Handling OAuth callback for provider:",
+              providerId,
+            );
+            const provider = getProviderOrThrow(providerId);
+            const cookies = getCookies(request);
+            const maybeRedirectTo = useRedirectToParam(provider.id, cookies);
+            const destinationUrl = await redirectAbsoluteUrl(config, {
+              redirectTo: maybeRedirectTo?.redirectTo,
+            });
+            const params = url.searchParams;
+            if (
+              request.headers.get("Content-Type") ===
+              "application/x-www-form-urlencoded"
+            ) {
+              const formData = await request.formData();
+              formData.forEach((value, key) => {
+                if (typeof value === "string") {
+                  params.append(key, value);
+                }
+              });
+            }
+            return Fx.run(
+              Fx.from({
+                ok: async () => {
+                  const oauthConfig = provider as OAuthMaterializedConfig;
+                  const result = await Fx.run(
+                    handleOAuthCallback(
+                      providerId,
+                      oauthConfig.provider,
+                      oauthConfig,
+                      Object.fromEntries(params.entries()),
+                      cookies,
+                    ),
+                  );
+                  const oauthCookies = result.cookies;
+                  const { id: profileId, ...profileData } = result.profile;
+                  const { signature } = result;
+                  const verificationCode = await callUserOAuth(ctx, {
+                    provider: providerId,
+                    providerAccountId: profileId,
+                    profile: profileData,
+                    signature,
+                  });
+                  const redirUrl = setURLSearchParam(
+                    destinationUrl,
+                    "code",
+                    verificationCode,
+                  );
+                  const redirHeaders = new Headers({ Location: redirUrl });
+                  redirHeaders.set("Cache-Control", "must-revalidate");
+                  for (const { name, value, options } of [
+                    ...oauthCookies,
+                    ...(maybeRedirectTo !== null
+                      ? [maybeRedirectTo.updatedCookie]
+                      : []),
+                  ] as any) {
+                    redirHeaders.append(
+                      "Set-Cookie",
+                      serializeCookie(name, value, options),
                     );
-                    const oauthCookies = result.cookies;
-                    const { id: profileId, ...profileData } = result.profile;
-                    const { signature } = result;
-                    const verificationCode = await callUserOAuth(ctx, {
-                      provider: providerId,
-                      providerAccountId: profileId,
-                      profile: profileData,
-                      signature,
-                    });
-                    const redirUrl = setURLSearchParam(
-                      destinationUrl,
-                      "code",
-                      verificationCode,
+                  }
+                  return new Response(null, {
+                    status: 302,
+                    headers: redirHeaders,
+                  });
+                },
+                err: (error) => error,
+              }).pipe(
+                Fx.recover((error) => {
+                  logError(error);
+                  const respHeaders = new Headers({
+                    Location: destinationUrl,
+                  });
+                  for (const { name, value, options } of maybeRedirectTo !== null
+                    ? [maybeRedirectTo.updatedCookie]
+                    : []) {
+                    respHeaders.append(
+                      "Set-Cookie",
+                      serializeCookie(name, value, options),
                     );
-                    const redirHeaders = new Headers({ Location: redirUrl });
-                    redirHeaders.set("Cache-Control", "must-revalidate");
-                    for (const { name, value, options } of [
-                      ...oauthCookies,
-                      ...(maybeRedirectTo !== null
-                        ? [maybeRedirectTo.updatedCookie]
-                        : []),
-                    ] as any) {
-                      redirHeaders.append(
-                        "Set-Cookie",
-                        serializeCookie(name, value, options),
-                      );
-                    }
-                    return new Response(null, {
+                  }
+                  return Fx.succeed(
+                    new Response(null, {
                       status: 302,
-                      headers: redirHeaders,
-                    });
-                  },
-                  err: (error) => error,
-                }).pipe(
-                  Fx.recover((error) => {
-                    logError(error);
-                    const respHeaders = new Headers({
-                      Location: destinationUrl,
-                    });
-                    for (const { name, value, options } of maybeRedirectTo !==
-                    null
-                      ? [maybeRedirectTo.updatedCookie]
-                      : []) {
-                      respHeaders.append(
-                        "Set-Cookie",
-                        serializeCookie(name, value, options),
-                      );
-                    }
-                    return Fx.succeed(
-                      new Response(null, {
-                        status: 302,
-                        headers: respHeaders,
-                      }),
-                    );
-                  }),
-                ),
-              );
-            },
-          });
-        }
-      },
-      /**
-       * Wrap an HTTP action handler with Bearer token authentication.
-       *
-       * Extracts the `Authorization: Bearer <key>` header, verifies the
-       * API key via `auth.key.verify()`, and injects `ctx.key` with the
-       * verified key info. Returns structured JSON error responses for
-       * missing/invalid/revoked/expired/rate-limited keys.
-       *
-       * If the handler returns a plain object, it is auto-wrapped in a
-       * `200 JSON` response. If it returns a `Response`, CORS headers
-       * are merged and the response is passed through.
-       *
-       * ```ts
-       * const handler = auth.http.action(async (ctx, request) => {
-       *   const data = await ctx.runQuery(api.data.get, { userId: ctx.key.userId });
-       *   return { data };
-       * });
-       * http.route({ path: "/api/data", method: "GET", handler });
-       * ```
-       *
-       * @param handler - Receives enriched `ctx` (with `ctx.key`) and the raw `Request`.
-       * @param options.scope - Optional scope check; returns 403 if the key lacks permission.
-       * @param options.cors - CORS config; defaults to permissive (`*`).
-       */
-      action: createHttpAction(auth),
-      /**
-       * Register a Bearer-authenticated route **and** its OPTIONS preflight
-       * in a single call.
-       *
-       * ```ts
-       * auth.http.route(http, {
-       *   path: "/api/messages",
-       *   method: "POST",
-       *   handler: async (ctx, request) => {
-       *     const { body } = await request.json();
-       *     await ctx.runMutation(internal.messages.sendAsUser, {
-       *       userId: ctx.key.userId,
-       *       body,
-       *     });
-       *     return { success: true };
-       *   },
-       * });
-       * ```
-       *
-       * @param http - The Convex HTTP router.
-       * @param routeConfig.path - The URL path to match.
-       * @param routeConfig.method - HTTP method (GET, POST, PUT, PATCH, DELETE).
-       * @param routeConfig.handler - Receives enriched `ctx` (with `ctx.key`) and the raw `Request`.
-       * @param routeConfig.scope - Optional scope check; returns 403 if the key lacks permission.
-       * @param routeConfig.cors - CORS config; defaults to permissive (`*`).
-       */
-      route: createHttpRoute(createHttpAction(auth)),
+                      headers: respHeaders,
+                    }),
+                  );
+                }),
+              ),
+            );
+          },
+        });
+      }
     },
+    /**
+     * Resolve mixed HTTP auth for a raw `httpAction`.
+     *
+     * Checks session auth first, then falls back to `Authorization: Bearer sk_*`
+     * API keys. This is the low-level helper for endpoints that intentionally
+     * accept either browser sessions or API keys.
+     * Pass `{ optional: true }` to get a null-shaped auth object instead of a
+     * `NOT_SIGNED_IN` error.
+     *
+     * ```ts
+     * http.route({
+     *   path: "/api/data",
+     *   method: "GET",
+     *   handler: httpAction(async (ctx, request) => {
+     *     const authContext = await auth.http.context(ctx, request);
+     *     return Response.json({
+     *       userId: authContext.userId,
+     *       source: authContext.source,
+     *     });
+     *   }),
+     * });
+     * ```
+     */
+    context: createHttpContext(auth),
+    /**
+     * Wrap an HTTP action handler with Bearer token authentication.
+     *
+     * Extracts the `Authorization: Bearer <key>` header, verifies the
+     * API key via `auth.key.verify()`, and injects `ctx.key` with the
+     * verified key info. Returns structured JSON error responses for
+     * missing/invalid/revoked/expired/rate-limited keys.
+     *
+     * If the handler returns a plain object, it is auto-wrapped in a
+     * `200 JSON` response. If it returns a `Response`, CORS headers
+     * are merged and the response is passed through.
+     *
+     * ```ts
+     * const handler = auth.http.action(async (ctx, request) => {
+     *   const data = await ctx.runQuery(api.data.get, { userId: ctx.key.userId });
+     *   return { data };
+     * });
+     * http.route({ path: "/api/data", method: "GET", handler });
+     * ```
+     *
+     * @param handler - Receives enriched `ctx` (with `ctx.key`) and the raw `Request`.
+     * @param options.scope - Optional scope check; returns 403 if the key lacks permission.
+     * @param options.cors - CORS config; defaults to permissive (`*`).
+     */
+    action: createHttpAction(auth),
+    /**
+     * Register a Bearer-authenticated route **and** its OPTIONS preflight
+     * in a single call.
+     *
+     * ```ts
+     * auth.http.route(http, {
+     *   path: "/api/messages",
+     *   method: "POST",
+     *   handler: async (ctx, request) => {
+     *     const { body } = await request.json();
+     *     await ctx.runMutation(internal.messages.sendAsUser, {
+     *       userId: ctx.key.userId,
+     *       body,
+     *     });
+     *     return { success: true };
+     *   },
+     * });
+     * ```
+     *
+     * @param http - The Convex HTTP router.
+     * @param routeConfig.path - The URL path to match.
+     * @param routeConfig.method - HTTP method (GET, POST, PUT, PATCH, DELETE).
+     * @param routeConfig.handler - Receives enriched `ctx` (with `ctx.key`) and the raw `Request`.
+     * @param routeConfig.scope - Optional scope check; returns 403 if the key lacks permission.
+     * @param routeConfig.cors - CORS config; defaults to permissive (`*`).
+     */
+    route: createHttpRoute(createHttpAction(auth)),
   };
   const enrichCtx = <DataModel extends GenericDataModel>(