@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +43 -36
- package/dist/bin.js +5765 -4880
- package/dist/browser/index.d.ts +30 -0
- package/dist/browser/index.js +93 -0
- package/dist/browser/locks.js +11 -0
- package/dist/browser/navigation.js +14 -0
- package/dist/{factors → browser}/passkey.js +23 -32
- package/dist/browser/runtime.js +92 -0
- package/dist/client/core/types.d.ts +452 -5
- package/dist/client/core/types.js +17 -0
- package/dist/client/errors.js +19 -0
- package/dist/client/factors/device.js +94 -0
- package/dist/{factors → client/factors}/totp.js +12 -4
- package/dist/client/index.d.ts +47 -1
- package/dist/client/index.js +269 -232
- package/dist/client/runtime/mutex.js +24 -0
- package/dist/client/runtime/proxy.js +30 -0
- package/dist/client/runtime/storage.js +45 -0
- package/dist/client/services/adapters.js +7 -0
- package/dist/client/services/http.js +6 -0
- package/dist/client/services/resolve.js +13 -0
- package/dist/client/services/runtime.js +6 -0
- package/dist/component/_generated/component.d.ts +1355 -1399
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/index.d.ts +4 -26
- package/dist/component/index.js +1 -1
- package/dist/component/model.d.ts +26 -112
- package/dist/component/model.js +76 -54
- package/dist/component/modules.js +38 -0
- package/dist/component/public/factors/devices.js +1 -1
- package/dist/component/public/factors/passkeys.js +1 -1
- package/dist/component/public/factors/totp.js +1 -1
- package/dist/component/public/groups/core.js +2 -2
- package/dist/component/public/groups/invites.js +1 -1
- package/dist/component/public/groups/members.js +1 -1
- package/dist/component/public/identity/accounts.js +1 -1
- package/dist/component/public/identity/codes.js +1 -1
- package/dist/component/public/identity/sessions.js +39 -2
- package/dist/component/public/identity/tokens.js +82 -4
- package/dist/component/public/identity/users.js +1 -1
- package/dist/component/public/identity/verifiers.js +10 -4
- package/dist/component/public/security/keys.js +1 -1
- package/dist/component/public/security/limits.js +1 -1
- package/dist/component/public/{enterprise → sso}/audit.js +26 -26
- package/dist/component/public/sso/core.js +263 -0
- package/dist/component/public/sso/domains.js +280 -0
- package/dist/component/public/{enterprise → sso}/scim.js +87 -87
- package/dist/component/public/sso/secrets.js +125 -0
- package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
- package/dist/component/public.js +9 -9
- package/dist/component/schema.d.ts +472 -393
- package/dist/component/schema.js +36 -35
- package/dist/core/index.d.ts +380 -0
- package/dist/core/index.js +83 -0
- package/dist/otel.d.ts +69 -0
- package/dist/otel.js +82 -0
- package/dist/providers/anonymous.d.ts +15 -34
- package/dist/providers/anonymous.js +27 -35
- package/dist/providers/apple.d.ts +59 -0
- package/dist/providers/apple.js +58 -0
- package/dist/providers/credentials.d.ts +18 -34
- package/dist/providers/credentials.js +16 -27
- package/dist/providers/custom.d.ts +94 -0
- package/dist/providers/custom.js +119 -0
- package/dist/providers/device.d.ts +15 -49
- package/dist/providers/device.js +17 -34
- package/dist/providers/email.d.ts +21 -38
- package/dist/providers/email.js +36 -55
- package/dist/providers/github.d.ts +54 -0
- package/dist/providers/github.js +75 -0
- package/dist/providers/google.d.ts +54 -0
- package/dist/providers/google.js +61 -0
- package/dist/providers/index.d.ts +16 -12
- package/dist/providers/index.js +15 -11
- package/dist/providers/microsoft.d.ts +57 -0
- package/dist/providers/microsoft.js +101 -0
- package/dist/providers/passkey.d.ts +19 -35
- package/dist/providers/passkey.js +20 -30
- package/dist/providers/password.d.ts +17 -18
- package/dist/providers/password.js +121 -143
- package/dist/providers/phone.d.ts +13 -28
- package/dist/providers/phone.js +21 -46
- package/dist/providers/sso.d.ts +16 -36
- package/dist/providers/sso.js +21 -22
- package/dist/providers/totp.d.ts +13 -29
- package/dist/providers/totp.js +17 -27
- package/dist/server/auth-context.d.ts +204 -0
- package/dist/server/auth-context.js +76 -0
- package/dist/server/auth.d.ts +99 -244
- package/dist/server/auth.js +56 -152
- package/dist/server/componentContext.d.ts +12 -0
- package/dist/server/componentContext.js +1 -0
- package/dist/server/config.js +6 -67
- package/dist/server/constants.js +6 -0
- package/dist/server/contract.d.ts +105 -0
- package/dist/server/contract.js +43 -0
- package/dist/server/cookies.js +3 -2
- package/dist/server/core.js +31 -36
- package/dist/server/crypto.js +34 -44
- package/dist/server/db.js +6 -1
- package/dist/server/device.js +96 -130
- package/dist/server/env.js +48 -0
- package/dist/server/errors.js +20 -0
- package/dist/server/http.d.ts +15 -59
- package/dist/server/http.js +136 -120
- package/dist/server/identity.js +2 -2
- package/dist/server/index.d.ts +5 -4
- package/dist/server/index.js +3 -3
- package/dist/server/keys.js +10 -1
- package/dist/server/limits.js +26 -26
- package/dist/server/log.js +28 -0
- package/dist/server/mounts.d.ts +1107 -296
- package/dist/server/mounts.js +315 -196
- package/dist/server/mutations/account.js +11 -14
- package/dist/server/mutations/code.js +6 -5
- package/dist/server/mutations/invalidate.js +9 -11
- package/dist/server/mutations/oauth.js +112 -73
- package/dist/server/mutations/refresh.js +47 -97
- package/dist/server/mutations/register.js +37 -35
- package/dist/server/mutations/retrieve.js +16 -16
- package/dist/server/mutations/signature.js +15 -18
- package/dist/server/mutations/signin.js +10 -5
- package/dist/server/mutations/signout.js +11 -14
- package/dist/server/mutations/store.js +25 -18
- package/dist/server/mutations/verifier.js +11 -8
- package/dist/server/mutations/verify.js +53 -41
- package/dist/server/oauth/factory.js +44 -0
- package/dist/server/oauth/index.js +12 -0
- package/dist/server/oauth/runtime.js +248 -0
- package/dist/server/passkey.js +331 -365
- package/dist/server/payloads.d.ts +16 -0
- package/dist/server/payloads.js +30 -0
- package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
- package/dist/server/prefetch.js +635 -0
- package/dist/server/random.js +19 -0
- package/dist/server/redirects.js +10 -5
- package/dist/server/refresh.js +14 -86
- package/dist/server/runtime.d.ts +531 -31
- package/dist/server/runtime.js +106 -267
- package/dist/server/secret.js +44 -0
- package/dist/server/services/config.js +10 -0
- package/dist/server/services/group.js +211 -0
- package/dist/server/services/logger.js +8 -0
- package/dist/server/services/providers.js +22 -0
- package/dist/server/services/refresh.js +8 -0
- package/dist/server/services/resolve.js +27 -0
- package/dist/server/services/signin.js +8 -0
- package/dist/server/sessions.js +35 -34
- package/dist/server/signin.js +229 -140
- package/dist/server/{enterprise → sso}/config.js +10 -3
- package/dist/server/sso/domain.d.ts +614 -0
- package/dist/server/sso/domain.js +1175 -0
- package/dist/server/sso/http.js +1060 -0
- package/dist/server/sso/oidc.js +324 -0
- package/dist/server/sso/policies.js +59 -0
- package/dist/server/sso/policy.js +139 -0
- package/dist/server/sso/profile.js +22 -0
- package/dist/server/sso/provision.js +179 -0
- package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
- package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
- package/dist/server/sso/shared.js +74 -0
- package/dist/server/sso/validators.js +88 -0
- package/dist/server/sso/webhook.js +94 -0
- package/dist/server/tokens.js +16 -4
- package/dist/server/totp.js +155 -164
- package/dist/server/types.d.ts +306 -296
- package/dist/server/types.js +1 -30
- package/dist/server/url.js +32 -0
- package/dist/server/users.js +74 -40
- package/dist/server/utils/cache.js +51 -0
- package/dist/server/utils/dispatch.js +36 -0
- package/dist/server/utils/retry.js +24 -0
- package/dist/server/utils/span.js +32 -0
- package/dist/shared/errors.js +19 -0
- package/dist/shared/log.js +45 -0
- package/{src/test.ts → dist/test.d.ts} +21 -22
- package/dist/test.js +51 -0
- package/package.json +70 -42
- package/dist/authorization/index.d.ts.map +0 -1
- package/dist/authorization/index.js.map +0 -1
- package/dist/client/core/types.d.ts.map +0 -1
- package/dist/client/index.d.ts.map +0 -1
- package/dist/client/index.js.map +0 -1
- package/dist/component/_generated/api.d.ts +0 -75
- package/dist/component/_generated/api.d.ts.map +0 -1
- package/dist/component/_generated/api.js.map +0 -1
- package/dist/component/_generated/component.d.ts.map +0 -1
- package/dist/component/_generated/dataModel.d.ts +0 -42
- package/dist/component/_generated/dataModel.d.ts.map +0 -1
- package/dist/component/_generated/server.d.ts +0 -117
- package/dist/component/_generated/server.d.ts.map +0 -1
- package/dist/component/_generated/server.js.map +0 -1
- package/dist/component/_virtual/rolldown_runtime.js +0 -18
- package/dist/component/client/core/types.d.ts +0 -2
- package/dist/component/client/index.d.ts +0 -1
- package/dist/component/convex.config.d.ts.map +0 -1
- package/dist/component/convex.config.js.map +0 -1
- package/dist/component/functions.d.ts +0 -25
- package/dist/component/functions.d.ts.map +0 -1
- package/dist/component/functions.js.map +0 -1
- package/dist/component/index.d.ts.map +0 -1
- package/dist/component/model.d.ts.map +0 -1
- package/dist/component/model.js.map +0 -1
- package/dist/component/providers/anonymous.d.ts +0 -54
- package/dist/component/providers/anonymous.d.ts.map +0 -1
- package/dist/component/providers/credentials.d.ts +0 -38
- package/dist/component/providers/credentials.d.ts.map +0 -1
- package/dist/component/providers/device.d.ts +0 -67
- package/dist/component/providers/device.d.ts.map +0 -1
- package/dist/component/providers/email.d.ts +0 -62
- package/dist/component/providers/email.d.ts.map +0 -1
- package/dist/component/providers/oauth.d.ts +0 -25
- package/dist/component/providers/oauth.d.ts.map +0 -1
- package/dist/component/providers/oauth.js +0 -13
- package/dist/component/providers/oauth.js.map +0 -1
- package/dist/component/providers/passkey.d.ts +0 -57
- package/dist/component/providers/passkey.d.ts.map +0 -1
- package/dist/component/providers/password.d.ts +0 -88
- package/dist/component/providers/password.d.ts.map +0 -1
- package/dist/component/providers/phone.d.ts +0 -48
- package/dist/component/providers/phone.d.ts.map +0 -1
- package/dist/component/providers/sso.d.ts +0 -50
- package/dist/component/providers/sso.d.ts.map +0 -1
- package/dist/component/providers/totp.d.ts +0 -45
- package/dist/component/providers/totp.d.ts.map +0 -1
- package/dist/component/public/enterprise/audit.d.ts +0 -73
- package/dist/component/public/enterprise/audit.d.ts.map +0 -1
- package/dist/component/public/enterprise/audit.js.map +0 -1
- package/dist/component/public/enterprise/core.d.ts +0 -176
- package/dist/component/public/enterprise/core.d.ts.map +0 -1
- package/dist/component/public/enterprise/core.js +0 -292
- package/dist/component/public/enterprise/core.js.map +0 -1
- package/dist/component/public/enterprise/domains.d.ts +0 -174
- package/dist/component/public/enterprise/domains.d.ts.map +0 -1
- package/dist/component/public/enterprise/domains.js +0 -271
- package/dist/component/public/enterprise/domains.js.map +0 -1
- package/dist/component/public/enterprise/scim.d.ts +0 -245
- package/dist/component/public/enterprise/scim.d.ts.map +0 -1
- package/dist/component/public/enterprise/scim.js.map +0 -1
- package/dist/component/public/enterprise/secrets.d.ts +0 -78
- package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
- package/dist/component/public/enterprise/secrets.js +0 -118
- package/dist/component/public/enterprise/secrets.js.map +0 -1
- package/dist/component/public/enterprise/webhooks.d.ts +0 -211
- package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
- package/dist/component/public/enterprise/webhooks.js.map +0 -1
- package/dist/component/public/factors/devices.d.ts +0 -157
- package/dist/component/public/factors/devices.d.ts.map +0 -1
- package/dist/component/public/factors/devices.js.map +0 -1
- package/dist/component/public/factors/passkeys.d.ts +0 -175
- package/dist/component/public/factors/passkeys.d.ts.map +0 -1
- package/dist/component/public/factors/passkeys.js.map +0 -1
- package/dist/component/public/factors/totp.d.ts +0 -189
- package/dist/component/public/factors/totp.d.ts.map +0 -1
- package/dist/component/public/factors/totp.js.map +0 -1
- package/dist/component/public/groups/core.d.ts +0 -137
- package/dist/component/public/groups/core.d.ts.map +0 -1
- package/dist/component/public/groups/core.js.map +0 -1
- package/dist/component/public/groups/invites.d.ts +0 -217
- package/dist/component/public/groups/invites.d.ts.map +0 -1
- package/dist/component/public/groups/invites.js.map +0 -1
- package/dist/component/public/groups/members.d.ts +0 -204
- package/dist/component/public/groups/members.d.ts.map +0 -1
- package/dist/component/public/groups/members.js.map +0 -1
- package/dist/component/public/identity/accounts.d.ts +0 -147
- package/dist/component/public/identity/accounts.d.ts.map +0 -1
- package/dist/component/public/identity/accounts.js.map +0 -1
- package/dist/component/public/identity/codes.d.ts +0 -104
- package/dist/component/public/identity/codes.d.ts.map +0 -1
- package/dist/component/public/identity/codes.js.map +0 -1
- package/dist/component/public/identity/sessions.d.ts +0 -128
- package/dist/component/public/identity/sessions.d.ts.map +0 -1
- package/dist/component/public/identity/sessions.js.map +0 -1
- package/dist/component/public/identity/tokens.d.ts +0 -169
- package/dist/component/public/identity/tokens.d.ts.map +0 -1
- package/dist/component/public/identity/tokens.js.map +0 -1
- package/dist/component/public/identity/users.d.ts +0 -212
- package/dist/component/public/identity/users.d.ts.map +0 -1
- package/dist/component/public/identity/users.js.map +0 -1
- package/dist/component/public/identity/verifiers.d.ts +0 -116
- package/dist/component/public/identity/verifiers.d.ts.map +0 -1
- package/dist/component/public/identity/verifiers.js.map +0 -1
- package/dist/component/public/security/keys.d.ts +0 -209
- package/dist/component/public/security/keys.d.ts.map +0 -1
- package/dist/component/public/security/keys.js.map +0 -1
- package/dist/component/public/security/limits.d.ts +0 -114
- package/dist/component/public/security/limits.d.ts.map +0 -1
- package/dist/component/public/security/limits.js.map +0 -1
- package/dist/component/public.d.ts +0 -28
- package/dist/component/public.d.ts.map +0 -1
- package/dist/component/schema.d.ts.map +0 -1
- package/dist/component/schema.js.map +0 -1
- package/dist/component/server/auth.d.ts +0 -447
- package/dist/component/server/auth.d.ts.map +0 -1
- package/dist/component/server/auth.js +0 -254
- package/dist/component/server/auth.js.map +0 -1
- package/dist/component/server/config.js +0 -121
- package/dist/component/server/config.js.map +0 -1
- package/dist/component/server/context.js +0 -53
- package/dist/component/server/context.js.map +0 -1
- package/dist/component/server/cookies.js +0 -47
- package/dist/component/server/cookies.js.map +0 -1
- package/dist/component/server/core.js +0 -576
- package/dist/component/server/core.js.map +0 -1
- package/dist/component/server/crypto.js +0 -56
- package/dist/component/server/crypto.js.map +0 -1
- package/dist/component/server/db.js +0 -87
- package/dist/component/server/db.js.map +0 -1
- package/dist/component/server/device.js +0 -152
- package/dist/component/server/device.js.map +0 -1
- package/dist/component/server/enterprise/config.js +0 -46
- package/dist/component/server/enterprise/config.js.map +0 -1
- package/dist/component/server/enterprise/domain.js +0 -974
- package/dist/component/server/enterprise/domain.js.map +0 -1
- package/dist/component/server/enterprise/http.js +0 -787
- package/dist/component/server/enterprise/http.js.map +0 -1
- package/dist/component/server/enterprise/oidc.js +0 -248
- package/dist/component/server/enterprise/oidc.js.map +0 -1
- package/dist/component/server/enterprise/policy.js +0 -85
- package/dist/component/server/enterprise/policy.js.map +0 -1
- package/dist/component/server/enterprise/saml.js.map +0 -1
- package/dist/component/server/enterprise/scim.js.map +0 -1
- package/dist/component/server/enterprise/shared.js +0 -51
- package/dist/component/server/enterprise/shared.js.map +0 -1
- package/dist/component/server/http.d.ts +0 -85
- package/dist/component/server/http.d.ts.map +0 -1
- package/dist/component/server/http.js +0 -351
- package/dist/component/server/http.js.map +0 -1
- package/dist/component/server/identity.js +0 -16
- package/dist/component/server/identity.js.map +0 -1
- package/dist/component/server/keys.js +0 -96
- package/dist/component/server/keys.js.map +0 -1
- package/dist/component/server/limits.js +0 -52
- package/dist/component/server/limits.js.map +0 -1
- package/dist/component/server/mutations/account.js +0 -46
- package/dist/component/server/mutations/account.js.map +0 -1
- package/dist/component/server/mutations/code.js +0 -68
- package/dist/component/server/mutations/code.js.map +0 -1
- package/dist/component/server/mutations/invalidate.js +0 -32
- package/dist/component/server/mutations/invalidate.js.map +0 -1
- package/dist/component/server/mutations/oauth.js +0 -116
- package/dist/component/server/mutations/oauth.js.map +0 -1
- package/dist/component/server/mutations/refresh.js +0 -119
- package/dist/component/server/mutations/refresh.js.map +0 -1
- package/dist/component/server/mutations/register.js +0 -87
- package/dist/component/server/mutations/register.js.map +0 -1
- package/dist/component/server/mutations/retrieve.js +0 -61
- package/dist/component/server/mutations/retrieve.js.map +0 -1
- package/dist/component/server/mutations/signature.js +0 -38
- package/dist/component/server/mutations/signature.js.map +0 -1
- package/dist/component/server/mutations/signin.js +0 -27
- package/dist/component/server/mutations/signin.js.map +0 -1
- package/dist/component/server/mutations/signout.js +0 -27
- package/dist/component/server/mutations/signout.js.map +0 -1
- package/dist/component/server/mutations/store/refs.js +0 -15
- package/dist/component/server/mutations/store/refs.js.map +0 -1
- package/dist/component/server/mutations/store.js +0 -70
- package/dist/component/server/mutations/store.js.map +0 -1
- package/dist/component/server/mutations/verifier.js +0 -18
- package/dist/component/server/mutations/verifier.js.map +0 -1
- package/dist/component/server/mutations/verify.js +0 -98
- package/dist/component/server/mutations/verify.js.map +0 -1
- package/dist/component/server/oauth.js +0 -242
- package/dist/component/server/oauth.js.map +0 -1
- package/dist/component/server/passkey.js +0 -415
- package/dist/component/server/passkey.js.map +0 -1
- package/dist/component/server/redirects.js +0 -40
- package/dist/component/server/redirects.js.map +0 -1
- package/dist/component/server/refresh.js +0 -99
- package/dist/component/server/refresh.js.map +0 -1
- package/dist/component/server/runtime.d.ts +0 -136
- package/dist/component/server/runtime.d.ts.map +0 -1
- package/dist/component/server/runtime.js +0 -456
- package/dist/component/server/runtime.js.map +0 -1
- package/dist/component/server/sessions.js +0 -71
- package/dist/component/server/sessions.js.map +0 -1
- package/dist/component/server/signin.js +0 -225
- package/dist/component/server/signin.js.map +0 -1
- package/dist/component/server/tokens.js +0 -17
- package/dist/component/server/tokens.js.map +0 -1
- package/dist/component/server/totp.js +0 -208
- package/dist/component/server/totp.js.map +0 -1
- package/dist/component/server/types.d.ts +0 -949
- package/dist/component/server/types.d.ts.map +0 -1
- package/dist/component/server/types.js +0 -79
- package/dist/component/server/types.js.map +0 -1
- package/dist/component/server/users.js +0 -123
- package/dist/component/server/users.js.map +0 -1
- package/dist/component/server/utils.js +0 -140
- package/dist/component/server/utils.js.map +0 -1
- package/dist/core/types.d.ts +0 -361
- package/dist/core/types.d.ts.map +0 -1
- package/dist/factors/device.js +0 -104
- package/dist/factors/device.js.map +0 -1
- package/dist/factors/passkey.js.map +0 -1
- package/dist/factors/totp.js.map +0 -1
- package/dist/providers/anonymous.d.ts.map +0 -1
- package/dist/providers/anonymous.js.map +0 -1
- package/dist/providers/credentials.d.ts.map +0 -1
- package/dist/providers/credentials.js.map +0 -1
- package/dist/providers/device.d.ts.map +0 -1
- package/dist/providers/device.js.map +0 -1
- package/dist/providers/email.d.ts.map +0 -1
- package/dist/providers/email.js.map +0 -1
- package/dist/providers/oauth.d.ts +0 -69
- package/dist/providers/oauth.d.ts.map +0 -1
- package/dist/providers/oauth.js +0 -43
- package/dist/providers/oauth.js.map +0 -1
- package/dist/providers/passkey.d.ts.map +0 -1
- package/dist/providers/passkey.js.map +0 -1
- package/dist/providers/password.d.ts.map +0 -1
- package/dist/providers/password.js.map +0 -1
- package/dist/providers/phone.d.ts.map +0 -1
- package/dist/providers/phone.js.map +0 -1
- package/dist/providers/sso.d.ts.map +0 -1
- package/dist/providers/sso.js.map +0 -1
- package/dist/providers/totp.d.ts.map +0 -1
- package/dist/providers/totp.js.map +0 -1
- package/dist/runtime/browser.js +0 -68
- package/dist/runtime/browser.js.map +0 -1
- package/dist/runtime/invite.js.map +0 -1
- package/dist/runtime/proxy.js +0 -70
- package/dist/runtime/proxy.js.map +0 -1
- package/dist/runtime/storage.js +0 -37
- package/dist/runtime/storage.js.map +0 -1
- package/dist/server/auth.d.ts.map +0 -1
- package/dist/server/auth.js.map +0 -1
- package/dist/server/config.d.ts +0 -1
- package/dist/server/config.js.map +0 -1
- package/dist/server/context.d.ts +0 -1
- package/dist/server/context.js.map +0 -1
- package/dist/server/cookies.d.ts +0 -1
- package/dist/server/cookies.js.map +0 -1
- package/dist/server/core.d.ts +0 -1315
- package/dist/server/core.d.ts.map +0 -1
- package/dist/server/core.js.map +0 -1
- package/dist/server/crypto.d.ts +0 -8
- package/dist/server/crypto.d.ts.map +0 -1
- package/dist/server/crypto.js.map +0 -1
- package/dist/server/db.d.ts +0 -1
- package/dist/server/db.js.map +0 -1
- package/dist/server/device.d.ts +0 -1
- package/dist/server/device.js.map +0 -1
- package/dist/server/enterprise/config.d.ts +0 -1
- package/dist/server/enterprise/config.js.map +0 -1
- package/dist/server/enterprise/domain.d.ts +0 -401
- package/dist/server/enterprise/domain.d.ts.map +0 -1
- package/dist/server/enterprise/domain.js +0 -974
- package/dist/server/enterprise/domain.js.map +0 -1
- package/dist/server/enterprise/http.d.ts +0 -26
- package/dist/server/enterprise/http.d.ts.map +0 -1
- package/dist/server/enterprise/http.js +0 -787
- package/dist/server/enterprise/http.js.map +0 -1
- package/dist/server/enterprise/oidc.d.ts +0 -1
- package/dist/server/enterprise/oidc.js +0 -248
- package/dist/server/enterprise/oidc.js.map +0 -1
- package/dist/server/enterprise/policy.d.ts +0 -1
- package/dist/server/enterprise/policy.js +0 -85
- package/dist/server/enterprise/policy.js.map +0 -1
- package/dist/server/enterprise/saml.d.ts +0 -1
- package/dist/server/enterprise/saml.js +0 -338
- package/dist/server/enterprise/saml.js.map +0 -1
- package/dist/server/enterprise/scim.d.ts +0 -1
- package/dist/server/enterprise/scim.js +0 -97
- package/dist/server/enterprise/scim.js.map +0 -1
- package/dist/server/enterprise/shared.d.ts +0 -5
- package/dist/server/enterprise/shared.d.ts.map +0 -1
- package/dist/server/enterprise/shared.js +0 -51
- package/dist/server/enterprise/shared.js.map +0 -1
- package/dist/server/enterprise/validators.d.ts +0 -1
- package/dist/server/enterprise/validators.js +0 -60
- package/dist/server/enterprise/validators.js.map +0 -1
- package/dist/server/http.d.ts.map +0 -1
- package/dist/server/http.js.map +0 -1
- package/dist/server/identity.d.ts +0 -1
- package/dist/server/identity.js.map +0 -1
- package/dist/server/keys.d.ts +0 -1
- package/dist/server/keys.js.map +0 -1
- package/dist/server/limits.d.ts +0 -1
- package/dist/server/limits.js.map +0 -1
- package/dist/server/mounts.d.ts.map +0 -1
- package/dist/server/mounts.js.map +0 -1
- package/dist/server/mutations/account.d.ts +0 -29
- package/dist/server/mutations/account.d.ts.map +0 -1
- package/dist/server/mutations/account.js.map +0 -1
- package/dist/server/mutations/code.d.ts +0 -30
- package/dist/server/mutations/code.d.ts.map +0 -1
- package/dist/server/mutations/code.js.map +0 -1
- package/dist/server/mutations/index.d.ts +0 -14
- package/dist/server/mutations/invalidate.d.ts +0 -20
- package/dist/server/mutations/invalidate.d.ts.map +0 -1
- package/dist/server/mutations/invalidate.js.map +0 -1
- package/dist/server/mutations/oauth.d.ts +0 -30
- package/dist/server/mutations/oauth.d.ts.map +0 -1
- package/dist/server/mutations/oauth.js.map +0 -1
- package/dist/server/mutations/refresh.d.ts +0 -21
- package/dist/server/mutations/refresh.d.ts.map +0 -1
- package/dist/server/mutations/refresh.js.map +0 -1
- package/dist/server/mutations/register.d.ts +0 -38
- package/dist/server/mutations/register.d.ts.map +0 -1
- package/dist/server/mutations/register.js.map +0 -1
- package/dist/server/mutations/retrieve.d.ts +0 -33
- package/dist/server/mutations/retrieve.d.ts.map +0 -1
- package/dist/server/mutations/retrieve.js.map +0 -1
- package/dist/server/mutations/signature.d.ts +0 -21
- package/dist/server/mutations/signature.d.ts.map +0 -1
- package/dist/server/mutations/signature.js.map +0 -1
- package/dist/server/mutations/signin.d.ts +0 -22
- package/dist/server/mutations/signin.d.ts.map +0 -1
- package/dist/server/mutations/signin.js.map +0 -1
- package/dist/server/mutations/signout.d.ts +0 -16
- package/dist/server/mutations/signout.d.ts.map +0 -1
- package/dist/server/mutations/signout.js.map +0 -1
- package/dist/server/mutations/store/refs.d.ts +0 -12
- package/dist/server/mutations/store/refs.d.ts.map +0 -1
- package/dist/server/mutations/store/refs.js.map +0 -1
- package/dist/server/mutations/store.d.ts +0 -306
- package/dist/server/mutations/store.d.ts.map +0 -1
- package/dist/server/mutations/store.js.map +0 -1
- package/dist/server/mutations/verifier.d.ts +0 -13
- package/dist/server/mutations/verifier.d.ts.map +0 -1
- package/dist/server/mutations/verifier.js.map +0 -1
- package/dist/server/mutations/verify.d.ts +0 -26
- package/dist/server/mutations/verify.d.ts.map +0 -1
- package/dist/server/mutations/verify.js.map +0 -1
- package/dist/server/oauth.d.ts +0 -1
- package/dist/server/oauth.js +0 -242
- package/dist/server/oauth.js.map +0 -1
- package/dist/server/passkey.d.ts +0 -27
- package/dist/server/passkey.d.ts.map +0 -1
- package/dist/server/passkey.js.map +0 -1
- package/dist/server/redirects.d.ts +0 -1
- package/dist/server/redirects.js.map +0 -1
- package/dist/server/refresh.d.ts +0 -1
- package/dist/server/refresh.js.map +0 -1
- package/dist/server/runtime.d.ts.map +0 -1
- package/dist/server/runtime.js.map +0 -1
- package/dist/server/sessions.d.ts +0 -1
- package/dist/server/sessions.js.map +0 -1
- package/dist/server/signin.d.ts +0 -1
- package/dist/server/signin.js.map +0 -1
- package/dist/server/ssr.d.ts.map +0 -1
- package/dist/server/ssr.js +0 -777
- package/dist/server/ssr.js.map +0 -1
- package/dist/server/templates.d.ts +0 -1
- package/dist/server/templates.js.map +0 -1
- package/dist/server/tokens.d.ts +0 -1
- package/dist/server/tokens.js.map +0 -1
- package/dist/server/totp.d.ts +0 -1
- package/dist/server/totp.js.map +0 -1
- package/dist/server/types.d.ts.map +0 -1
- package/dist/server/types.js.map +0 -1
- package/dist/server/users.d.ts +0 -1
- package/dist/server/users.js.map +0 -1
- package/dist/server/utils.d.ts +0 -1
- package/dist/server/utils.js +0 -140
- package/dist/server/utils.js.map +0 -1
- package/src/authorization/index.ts +0 -83
- package/src/cli/bin.ts +0 -5
- package/src/cli/command.ts +0 -70
- package/src/cli/index.ts +0 -1112
- package/src/cli/keys.ts +0 -23
- package/src/client/core/types.ts +0 -437
- package/src/client/factors/device.ts +0 -158
- package/src/client/factors/passkey.ts +0 -279
- package/src/client/factors/totp.ts +0 -150
- package/src/client/index.ts +0 -1124
- package/src/client/runtime/browser.ts +0 -112
- package/src/client/runtime/invite.ts +0 -63
- package/src/client/runtime/proxy.ts +0 -111
- package/src/client/runtime/storage.ts +0 -79
- package/src/component/_generated/api.ts +0 -96
- package/src/component/_generated/component.ts +0 -3774
- package/src/component/_generated/dataModel.ts +0 -60
- package/src/component/_generated/server.ts +0 -156
- package/src/component/convex.config.ts +0 -5
- package/src/component/functions.ts +0 -104
- package/src/component/index.ts +0 -42
- package/src/component/model.ts +0 -449
- package/src/component/public/enterprise/audit.ts +0 -125
- package/src/component/public/enterprise/core.ts +0 -355
- package/src/component/public/enterprise/domains.ts +0 -327
- package/src/component/public/enterprise/scim.ts +0 -397
- package/src/component/public/enterprise/secrets.ts +0 -133
- package/src/component/public/enterprise/webhooks.ts +0 -307
- package/src/component/public/factors/devices.ts +0 -224
- package/src/component/public/factors/passkeys.ts +0 -243
- package/src/component/public/factors/totp.ts +0 -259
- package/src/component/public/groups/core.ts +0 -481
- package/src/component/public/groups/invites.ts +0 -608
- package/src/component/public/groups/members.ts +0 -410
- package/src/component/public/identity/accounts.ts +0 -207
- package/src/component/public/identity/codes.ts +0 -149
- package/src/component/public/identity/sessions.ts +0 -210
- package/src/component/public/identity/tokens.ts +0 -251
- package/src/component/public/identity/users.ts +0 -355
- package/src/component/public/identity/verifiers.ts +0 -158
- package/src/component/public/security/keys.ts +0 -366
- package/src/component/public/security/limits.ts +0 -174
- package/src/component/public.ts +0 -27
- package/src/component/schema.ts +0 -505
- package/src/providers/anonymous.ts +0 -99
- package/src/providers/credentials.ts +0 -102
- package/src/providers/device.ts +0 -87
- package/src/providers/email.ts +0 -99
- package/src/providers/index.ts +0 -31
- package/src/providers/oauth.ts +0 -117
- package/src/providers/passkey.ts +0 -77
- package/src/providers/password.ts +0 -441
- package/src/providers/phone.ts +0 -93
- package/src/providers/sso.ts +0 -54
- package/src/providers/totp.ts +0 -62
- package/src/samlify.d.ts +0 -53
- package/src/server/auth.ts +0 -949
- package/src/server/config.ts +0 -200
- package/src/server/context.ts +0 -90
- package/src/server/cookies.ts +0 -49
- package/src/server/core.ts +0 -2004
- package/src/server/crypto.ts +0 -90
- package/src/server/db.ts +0 -203
- package/src/server/device.ts +0 -254
- package/src/server/enterprise/config.ts +0 -51
- package/src/server/enterprise/domain.ts +0 -1739
- package/src/server/enterprise/http.ts +0 -1331
- package/src/server/enterprise/oidc.ts +0 -500
- package/src/server/enterprise/policy.ts +0 -128
- package/src/server/enterprise/saml.ts +0 -578
- package/src/server/enterprise/scim.ts +0 -135
- package/src/server/enterprise/shared.ts +0 -134
- package/src/server/enterprise/validators.ts +0 -93
- package/src/server/http.ts +0 -790
- package/src/server/identity.ts +0 -18
- package/src/server/index.ts +0 -40
- package/src/server/keys.ts +0 -158
- package/src/server/limits.ts +0 -107
- package/src/server/mounts.ts +0 -924
- package/src/server/mutations/account.ts +0 -62
- package/src/server/mutations/code.ts +0 -119
- package/src/server/mutations/index.ts +0 -13
- package/src/server/mutations/invalidate.ts +0 -50
- package/src/server/mutations/oauth.ts +0 -243
- package/src/server/mutations/refresh.ts +0 -299
- package/src/server/mutations/register.ts +0 -155
- package/src/server/mutations/retrieve.ts +0 -109
- package/src/server/mutations/signature.ts +0 -57
- package/src/server/mutations/signin.ts +0 -54
- package/src/server/mutations/signout.ts +0 -43
- package/src/server/mutations/store/refs.ts +0 -10
- package/src/server/mutations/store.ts +0 -123
- package/src/server/mutations/verifier.ts +0 -34
- package/src/server/mutations/verify.ts +0 -200
- package/src/server/oauth.ts +0 -418
- package/src/server/passkey.ts +0 -838
- package/src/server/redirects.ts +0 -59
- package/src/server/refresh.ts +0 -218
- package/src/server/runtime.ts +0 -918
- package/src/server/sessions.ts +0 -132
- package/src/server/signin.ts +0 -445
- package/src/server/ssr.ts +0 -1747
- package/src/server/templates.ts +0 -82
- package/src/server/tokens.ts +0 -35
- package/src/server/totp.ts +0 -399
- package/src/server/types.ts +0 -1942
- package/src/server/users.ts +0 -291
- package/src/server/utils.ts +0 -220
- /package/dist/{runtime → client/runtime}/invite.js +0 -0
package/src/server/auth.ts
DELETED
|
@@ -1,949 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Auth configuration helpers for Convex Auth.
|
|
3
|
-
*
|
|
4
|
-
* @module
|
|
5
|
-
*/
|
|
6
|
-
|
|
7
|
-
import { Cv } from "@robelest/fx/convex";
|
|
8
|
-
import type { UserIdentity } from "convex/server";
|
|
9
|
-
import type { GenericId } from "convex/values";
|
|
10
|
-
|
|
11
|
-
import type { AuthApiRefs } from "../client/index";
|
|
12
|
-
import {
|
|
13
|
-
createUnauthenticatedAuthContext,
|
|
14
|
-
getAuthContext as getResolvedAuthContext,
|
|
15
|
-
} from "./context";
|
|
16
|
-
import { Auth as AuthFactory } from "./runtime";
|
|
17
|
-
import type { Doc } from "./types";
|
|
18
|
-
import type {
|
|
19
|
-
AuthAuthorizationConfig,
|
|
20
|
-
AuthGrant,
|
|
21
|
-
AuthProviderConfig,
|
|
22
|
-
AuthRoleDefinition,
|
|
23
|
-
AuthRoleId,
|
|
24
|
-
ConvexAuthConfig,
|
|
25
|
-
HasDeviceProvider,
|
|
26
|
-
HasPasskeyProvider,
|
|
27
|
-
HasSSO,
|
|
28
|
-
HasTotpProvider,
|
|
29
|
-
} from "./types";
|
|
30
|
-
|
|
31
|
-
// ============================================================================
|
|
32
|
-
// Types
|
|
33
|
-
// ============================================================================
|
|
34
|
-
|
|
35
|
-
/**
|
|
36
|
-
* Config for auth setup. Extends the standard auth config
|
|
37
|
-
* minus `component` (which is passed as the first constructor argument).
|
|
38
|
-
*/
|
|
39
|
-
export type AuthConfig = Omit<ConvexAuthConfig, "component">;
|
|
40
|
-
|
|
41
|
-
/** Canonical user document type exposed by Convex Auth. */
|
|
42
|
-
export type UserDoc = Doc<"User">;
|
|
43
|
-
|
|
44
|
-
type MemberApiWithAuthorization<
|
|
45
|
-
TAuthorization extends AuthAuthorizationConfig | undefined,
|
|
46
|
-
> = Omit<
|
|
47
|
-
ReturnType<typeof AuthFactory>["auth"]["member"],
|
|
48
|
-
"create" | "list" | "update" | "inspect" | "require"
|
|
49
|
-
> & {
|
|
50
|
-
create: (
|
|
51
|
-
ctx: Parameters<
|
|
52
|
-
ReturnType<typeof AuthFactory>["auth"]["member"]["create"]
|
|
53
|
-
>[0],
|
|
54
|
-
data: {
|
|
55
|
-
groupId: string;
|
|
56
|
-
userId: string;
|
|
57
|
-
roleIds?: AuthRoleId<TAuthorization>[];
|
|
58
|
-
status?: string;
|
|
59
|
-
extend?: Record<string, unknown>;
|
|
60
|
-
},
|
|
61
|
-
) => Promise<{ memberId: string }>;
|
|
62
|
-
list: (
|
|
63
|
-
ctx: Parameters<
|
|
64
|
-
ReturnType<typeof AuthFactory>["auth"]["member"]["list"]
|
|
65
|
-
>[0],
|
|
66
|
-
opts?: {
|
|
67
|
-
where?: {
|
|
68
|
-
groupId?: string;
|
|
69
|
-
userId?: string;
|
|
70
|
-
roleId?: AuthRoleId<TAuthorization>;
|
|
71
|
-
status?: string;
|
|
72
|
-
};
|
|
73
|
-
limit?: number;
|
|
74
|
-
cursor?: string | null;
|
|
75
|
-
orderBy?: "_creationTime" | "status";
|
|
76
|
-
order?: "asc" | "desc";
|
|
77
|
-
},
|
|
78
|
-
) => ReturnType<ReturnType<typeof AuthFactory>["auth"]["member"]["list"]>;
|
|
79
|
-
update: (
|
|
80
|
-
ctx: Parameters<
|
|
81
|
-
ReturnType<typeof AuthFactory>["auth"]["member"]["update"]
|
|
82
|
-
>[0],
|
|
83
|
-
memberId: string,
|
|
84
|
-
data: Record<string, unknown> & { roleIds?: AuthRoleId<TAuthorization>[] },
|
|
85
|
-
) => Promise<{ memberId: string }>;
|
|
86
|
-
inspect: (
|
|
87
|
-
ctx: Parameters<
|
|
88
|
-
ReturnType<typeof AuthFactory>["auth"]["member"]["inspect"]
|
|
89
|
-
>[0],
|
|
90
|
-
opts: {
|
|
91
|
-
userId: string;
|
|
92
|
-
groupId: string;
|
|
93
|
-
ancestry?: boolean;
|
|
94
|
-
maxDepth?: number;
|
|
95
|
-
},
|
|
96
|
-
) => ReturnType<ReturnType<typeof AuthFactory>["auth"]["member"]["inspect"]>;
|
|
97
|
-
require: (
|
|
98
|
-
ctx: Parameters<
|
|
99
|
-
ReturnType<typeof AuthFactory>["auth"]["member"]["require"]
|
|
100
|
-
>[0],
|
|
101
|
-
opts: {
|
|
102
|
-
userId: string;
|
|
103
|
-
groupId: string;
|
|
104
|
-
ancestry?: boolean;
|
|
105
|
-
roleIds?: AuthRoleId<TAuthorization>[];
|
|
106
|
-
grants?: AuthGrant<TAuthorization>[];
|
|
107
|
-
maxDepth?: number;
|
|
108
|
-
},
|
|
109
|
-
) => ReturnType<ReturnType<typeof AuthFactory>["auth"]["member"]["require"]>;
|
|
110
|
-
};
|
|
111
|
-
|
|
112
|
-
/**
|
|
113
|
-
* The base auth API surface returned by {@link createAuth}.
|
|
114
|
-
*
|
|
115
|
-
* Provides core namespaces — `signIn`, `signOut`, `user`, `session`,
|
|
116
|
-
* `member`, `invite`, `group`, `key`, and `http` — that are
|
|
117
|
-
* always available regardless of which providers are configured.
|
|
118
|
-
* Enterprise namespaces (`sso`, `scim`) are added conditionally by
|
|
119
|
-
* {@link AuthApi} when an SSO provider is present.
|
|
120
|
-
*
|
|
121
|
-
* Use this type when you want to describe code that only depends on the
|
|
122
|
-
* standard auth surface and should not assume enterprise features exist.
|
|
123
|
-
*
|
|
124
|
-
* @typeParam TAuthorization - The authorization config, used to narrow
|
|
125
|
-
* role IDs and grant strings on the `member` API.
|
|
126
|
-
*/
|
|
127
|
-
export type AuthApiBase<
|
|
128
|
-
TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
|
|
129
|
-
> = {
|
|
130
|
-
signIn: ReturnType<typeof AuthFactory>["signIn"];
|
|
131
|
-
signOut: ReturnType<typeof AuthFactory>["signOut"];
|
|
132
|
-
store: ReturnType<typeof AuthFactory>["store"];
|
|
133
|
-
user: ReturnType<typeof AuthFactory>["auth"]["user"];
|
|
134
|
-
session: ReturnType<typeof AuthFactory>["auth"]["session"];
|
|
135
|
-
provider: ReturnType<typeof AuthFactory>["auth"]["provider"];
|
|
136
|
-
account: ReturnType<typeof AuthFactory>["auth"]["account"];
|
|
137
|
-
group: ReturnType<typeof AuthFactory>["auth"]["group"];
|
|
138
|
-
member: MemberApiWithAuthorization<TAuthorization>;
|
|
139
|
-
invite: ReturnType<typeof AuthFactory>["auth"]["invite"];
|
|
140
|
-
key: ReturnType<typeof AuthFactory>["auth"]["key"];
|
|
141
|
-
http: ReturnType<typeof AuthFactory>["auth"]["http"];
|
|
142
|
-
/**
|
|
143
|
-
* Resolve the current request's auth context. Framework-agnostic — use
|
|
144
|
-
* this in fluent-convex middleware, custom wrappers, or anywhere you
|
|
145
|
-
* need the current `{ userId, user, groupId, role, grants }` object.
|
|
146
|
-
*
|
|
147
|
-
* Throws a structured `ConvexError` when unauthenticated by default.
|
|
148
|
-
* Pass `{ optional: true }` to get a null-shaped auth object instead.
|
|
149
|
-
*
|
|
150
|
-
* @param ctx - Convex query, mutation, or action context.
|
|
151
|
-
* @param config - Optional auth resolution config. Supports `optional`,
|
|
152
|
-
* `resolve`, and `authResolve`.
|
|
153
|
-
* @returns The current auth context.
|
|
154
|
-
*
|
|
155
|
-
* @example fluent-convex middleware
|
|
156
|
-
* ```ts
|
|
157
|
-
* const withAuth = convex.createMiddleware(async (ctx, next) => {
|
|
158
|
-
* return next({ ...ctx, auth: await auth.context(ctx) });
|
|
159
|
-
* });
|
|
160
|
-
* ```
|
|
161
|
-
*
|
|
162
|
-
* @example Direct usage in a handler
|
|
163
|
-
* ```ts
|
|
164
|
-
* const authContext = await auth.context(ctx);
|
|
165
|
-
* const { userId, grants } = authContext;
|
|
166
|
-
* ```
|
|
167
|
-
*
|
|
168
|
-
* @example Optional usage
|
|
169
|
-
* ```ts
|
|
170
|
-
* const authContext = await auth.context(ctx, { optional: true });
|
|
171
|
-
* if (authContext.userId === null) {
|
|
172
|
-
* return null;
|
|
173
|
-
* }
|
|
174
|
-
* ```
|
|
175
|
-
*/
|
|
176
|
-
context: AuthContextResolver;
|
|
177
|
-
/**
|
|
178
|
-
* Context enrichment for convex-helpers `customQuery` / `customMutation` /
|
|
179
|
-
* `customAction`.
|
|
180
|
-
*
|
|
181
|
-
* Resolves the current user's identity, active group, membership role,
|
|
182
|
-
* and grants, then attaches them to `ctx.auth`. Returns a `Customization`
|
|
183
|
-
* object compatible with convex-helpers' custom function builders.
|
|
184
|
-
*
|
|
185
|
-
* `ctx.auth` is the current request auth context.
|
|
186
|
-
* By default this throws when unauthenticated so handlers can assume
|
|
187
|
-
* `ctx.auth.userId` and `ctx.auth.user` exist.
|
|
188
|
-
*
|
|
189
|
-
* @returns A convex-helpers `Customization` object.
|
|
190
|
-
*
|
|
191
|
-
* @example One-time setup in `convex/functions.ts`
|
|
192
|
-
* ```ts
|
|
193
|
-
* import { query, mutation, action } from "./_generated/server";
|
|
194
|
-
* import { customQuery, customMutation, customAction } from "convex-helpers/server/customFunctions";
|
|
195
|
-
* import { auth } from "./auth";
|
|
196
|
-
*
|
|
197
|
-
* export const authQuery = customQuery(query, auth.ctx());
|
|
198
|
-
* export const authMutation = customMutation(mutation, auth.ctx());
|
|
199
|
-
* export const authAction = customAction(action, auth.ctx());
|
|
200
|
-
* ```
|
|
201
|
-
*
|
|
202
|
-
* @example Per-function usage
|
|
203
|
-
* ```ts
|
|
204
|
-
* import { authQuery } from "./functions";
|
|
205
|
-
*
|
|
206
|
-
* export const list = authQuery({
|
|
207
|
-
* args: { workspaceId: v.string() },
|
|
208
|
-
* handler: async (ctx, args) => {
|
|
209
|
-
* const { userId, groupId, grants } = ctx.auth;
|
|
210
|
-
* // business logic
|
|
211
|
-
* },
|
|
212
|
-
* });
|
|
213
|
-
* ```
|
|
214
|
-
*/
|
|
215
|
-
ctx: AuthContextFactory;
|
|
216
|
-
};
|
|
217
|
-
|
|
218
|
-
/**
|
|
219
|
-
* Current request auth context injected into `ctx.auth` by `auth.ctx()`. This
|
|
220
|
-
* is the authenticated auth shape returned by {@link createAuth().context}.
|
|
221
|
-
* Optional context builders may still surface nullable fields when
|
|
222
|
-
* `optional: true` is used.
|
|
223
|
-
*
|
|
224
|
-
* - `groupId` is `null` when the user has no active group set.
|
|
225
|
-
* - `role` is `null` when no active group or no membership is resolved.
|
|
226
|
-
* - `grants` is `[]` when no active group or no membership is resolved.
|
|
227
|
-
*
|
|
228
|
-
* @example
|
|
229
|
-
* ```ts
|
|
230
|
-
* import type { AuthContext } from "@robelest/convex-auth/server";
|
|
231
|
-
*
|
|
232
|
-
* const mockAuth: AuthContext = {
|
|
233
|
-
* userId: "user123" as Id<"User">,
|
|
234
|
-
* user: { _id: "user123", email: "test@example.com" },
|
|
235
|
-
* groupId: "group456",
|
|
236
|
-
* role: "admin",
|
|
237
|
-
* grants: ["read", "write"],
|
|
238
|
-
* };
|
|
239
|
-
* ```
|
|
240
|
-
*/
|
|
241
|
-
export type AuthContext = {
|
|
242
|
-
/** The authenticated user's document ID. */
|
|
243
|
-
userId: GenericId<"User">;
|
|
244
|
-
/** The authenticated user's full document. */
|
|
245
|
-
user: UserDoc;
|
|
246
|
-
/** The user's active group ID, or `null` if none set. */
|
|
247
|
-
groupId: string | null;
|
|
248
|
-
/** The user's primary role in the active group, or `null`. */
|
|
249
|
-
role: string | null;
|
|
250
|
-
/** Resolved grant strings from the user's role definitions. */
|
|
251
|
-
grants: string[];
|
|
252
|
-
};
|
|
253
|
-
|
|
254
|
-
/**
|
|
255
|
-
* Nullable auth context returned by `auth.context(ctx, { optional: true })`
|
|
256
|
-
* and injected by `auth.ctx({ optional: true })`.
|
|
257
|
-
*
|
|
258
|
-
* Use this when callers may be unauthenticated but you still want a stable
|
|
259
|
-
* auth-shaped object.
|
|
260
|
-
*
|
|
261
|
-
* - `userId` and `user` are `null` when unauthenticated.
|
|
262
|
-
* - `groupId` and `role` are `null` when no active group is resolved.
|
|
263
|
-
* - `grants` is `[]` when no membership is resolved.
|
|
264
|
-
*
|
|
265
|
-
* @example
|
|
266
|
-
* ```ts
|
|
267
|
-
* const authContext = await auth.context(ctx, { optional: true });
|
|
268
|
-
* if (authContext.userId === null) {
|
|
269
|
-
* return null;
|
|
270
|
-
* }
|
|
271
|
-
* ```
|
|
272
|
-
*/
|
|
273
|
-
export type OptionalAuthContext = {
|
|
274
|
-
/** The authenticated user's document ID, or `null` when unauthenticated. */
|
|
275
|
-
userId: GenericId<"User"> | null;
|
|
276
|
-
/** The authenticated user's full document, or `null` when unauthenticated. */
|
|
277
|
-
user: UserDoc | null;
|
|
278
|
-
/** The user's active group ID, or `null` if none is set. */
|
|
279
|
-
groupId: string | null;
|
|
280
|
-
/** The user's primary role in the active group, or `null`. */
|
|
281
|
-
role: string | null;
|
|
282
|
-
/** Resolved grant strings for the active membership, or `[]`. */
|
|
283
|
-
grants: string[];
|
|
284
|
-
};
|
|
285
|
-
|
|
286
|
-
type AuthContextBase = {
|
|
287
|
-
getUserIdentity: () => Promise<UserIdentity | null>;
|
|
288
|
-
};
|
|
289
|
-
|
|
290
|
-
type RequiredAuthContextState = AuthContextBase & AuthContext;
|
|
291
|
-
|
|
292
|
-
type OptionalAuthContextState = AuthContextBase & OptionalAuthContext;
|
|
293
|
-
|
|
294
|
-
type ResolvedAuthContext<TResolve> = AuthContext & TResolve;
|
|
295
|
-
|
|
296
|
-
type ResolvedOptionalAuthContext<TResolve> = OptionalAuthContext & TResolve;
|
|
297
|
-
|
|
298
|
-
type AuthContextResolver = {
|
|
299
|
-
<TResolve extends Record<string, unknown> = Record<string, never>>(
|
|
300
|
-
ctx: any,
|
|
301
|
-
config: AuthContextConfig<TResolve> & { optional: true },
|
|
302
|
-
): Promise<ResolvedOptionalAuthContext<TResolve>>;
|
|
303
|
-
<TResolve extends Record<string, unknown> = Record<string, never>>(
|
|
304
|
-
ctx: any,
|
|
305
|
-
config?: AuthContextConfig<TResolve>,
|
|
306
|
-
): Promise<ResolvedAuthContext<TResolve>>;
|
|
307
|
-
};
|
|
308
|
-
|
|
309
|
-
type AuthContextCustomization<TAuth> = {
|
|
310
|
-
args: {};
|
|
311
|
-
input: (
|
|
312
|
-
ctx: any,
|
|
313
|
-
_args: any,
|
|
314
|
-
_extra?: any,
|
|
315
|
-
) => Promise<{
|
|
316
|
-
ctx: {
|
|
317
|
-
auth: TAuth;
|
|
318
|
-
};
|
|
319
|
-
args: {};
|
|
320
|
-
}>;
|
|
321
|
-
};
|
|
322
|
-
|
|
323
|
-
type AuthContextFactory = {
|
|
324
|
-
<TResolve extends Record<string, unknown> = Record<string, never>>(
|
|
325
|
-
config: AuthContextConfig<TResolve> & { optional: true },
|
|
326
|
-
): AuthContextCustomization<OptionalAuthContextState & TResolve>;
|
|
327
|
-
<TResolve extends Record<string, unknown> = Record<string, never>>(
|
|
328
|
-
config?: AuthContextConfig<TResolve>,
|
|
329
|
-
): AuthContextCustomization<RequiredAuthContextState & TResolve>;
|
|
330
|
-
};
|
|
331
|
-
|
|
332
|
-
type InternalSsoApi = ReturnType<typeof AuthFactory>["auth"]["sso"];
|
|
333
|
-
|
|
334
|
-
type PublicSsoAdminApi = {
|
|
335
|
-
connection: InternalSsoApi["connection"] & {
|
|
336
|
-
domain: {
|
|
337
|
-
list: InternalSsoApi["domain"]["list"];
|
|
338
|
-
validate: InternalSsoApi["domain"]["validate"];
|
|
339
|
-
set: (
|
|
340
|
-
ctx: Parameters<InternalSsoApi["connection"]["create"]>[0],
|
|
341
|
-
enterpriseId: string,
|
|
342
|
-
domains: Array<{
|
|
343
|
-
domain: string;
|
|
344
|
-
isPrimary?: boolean;
|
|
345
|
-
}>,
|
|
346
|
-
) => Promise<{
|
|
347
|
-
enterpriseId: string;
|
|
348
|
-
domains: Array<{
|
|
349
|
-
domainId: string;
|
|
350
|
-
domain: string;
|
|
351
|
-
isPrimary: boolean;
|
|
352
|
-
verified: boolean;
|
|
353
|
-
verifiedAt: number | null;
|
|
354
|
-
}>;
|
|
355
|
-
}>;
|
|
356
|
-
verification: {
|
|
357
|
-
request: (
|
|
358
|
-
ctx: Parameters<InternalSsoApi["connection"]["create"]>[0],
|
|
359
|
-
args: { enterpriseId: string; domain: string },
|
|
360
|
-
) => Promise<{
|
|
361
|
-
enterpriseId: string;
|
|
362
|
-
domain: string;
|
|
363
|
-
requestedAt: number;
|
|
364
|
-
expiresAt: number;
|
|
365
|
-
challenge: {
|
|
366
|
-
recordType: "TXT";
|
|
367
|
-
recordName: string;
|
|
368
|
-
recordValue: string;
|
|
369
|
-
};
|
|
370
|
-
}>;
|
|
371
|
-
confirm: (
|
|
372
|
-
ctx: Parameters<InternalSsoApi["connection"]["create"]>[0],
|
|
373
|
-
args: { enterpriseId: string; domain: string },
|
|
374
|
-
) => Promise<{
|
|
375
|
-
enterpriseId: string;
|
|
376
|
-
domain: string;
|
|
377
|
-
verifiedAt?: number;
|
|
378
|
-
checks: Array<{ name: string; ok: boolean; message?: string }>;
|
|
379
|
-
}>;
|
|
380
|
-
};
|
|
381
|
-
};
|
|
382
|
-
};
|
|
383
|
-
oidc: Omit<InternalSsoApi["oidc"], "signIn">;
|
|
384
|
-
saml: Omit<InternalSsoApi["saml"], "metadata">;
|
|
385
|
-
policy: InternalSsoApi["policy"];
|
|
386
|
-
audit: {
|
|
387
|
-
list: InternalSsoApi["audit"]["list"];
|
|
388
|
-
};
|
|
389
|
-
webhook: {
|
|
390
|
-
endpoint: InternalSsoApi["webhook"]["endpoint"];
|
|
391
|
-
delivery: {
|
|
392
|
-
list: InternalSsoApi["webhook"]["delivery"]["list"];
|
|
393
|
-
};
|
|
394
|
-
};
|
|
395
|
-
};
|
|
396
|
-
|
|
397
|
-
type PublicSsoClientApi = {
|
|
398
|
-
signIn: InternalSsoApi["oidc"]["signIn"];
|
|
399
|
-
metadata: InternalSsoApi["saml"]["metadata"];
|
|
400
|
-
};
|
|
401
|
-
|
|
402
|
-
type PublicSsoApi = {
|
|
403
|
-
admin: PublicSsoAdminApi;
|
|
404
|
-
client: PublicSsoClientApi;
|
|
405
|
-
};
|
|
406
|
-
|
|
407
|
-
type PublicScimApi = {
|
|
408
|
-
admin: Omit<InternalSsoApi["scim"], "getConfigByToken" | "identity">;
|
|
409
|
-
};
|
|
410
|
-
|
|
411
|
-
/**
|
|
412
|
-
* Extended auth API that includes enterprise SSO and SCIM namespaces.
|
|
413
|
-
*
|
|
414
|
-
* This type is the union of {@link AuthApiBase} plus `sso` (SSO connection
|
|
415
|
-
* management, OIDC/SAML, domain verification, policies, audit, webhooks)
|
|
416
|
-
* and `scim` (SCIM provisioning configuration). It is returned by
|
|
417
|
-
* {@link createAuth} only when `new SSO()` is included in the providers
|
|
418
|
-
* array; otherwise the narrower {@link AuthApiBase} is returned instead.
|
|
419
|
-
* Attempting to access `auth.sso` or `auth.scim` without an SSO provider
|
|
420
|
-
* produces a compile-time error because the return type narrows back to
|
|
421
|
-
* {@link AuthApiBase}.
|
|
422
|
-
*
|
|
423
|
-
* @typeParam TAuthorization - The authorization config, forwarded to
|
|
424
|
-
* {@link AuthApiBase} for typed role IDs and grant strings.
|
|
425
|
-
*/
|
|
426
|
-
export type AuthApi<
|
|
427
|
-
TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
|
|
428
|
-
> = AuthApiBase<TAuthorization> & {
|
|
429
|
-
sso: PublicSsoApi;
|
|
430
|
-
scim: PublicScimApi;
|
|
431
|
-
};
|
|
432
|
-
|
|
433
|
-
/**
|
|
434
|
-
* The return type of {@link createAuth}.
|
|
435
|
-
*
|
|
436
|
-
* Resolves to {@link AuthApi} (with `sso` and `scim` namespaces) when
|
|
437
|
-
* `new SSO()` is present in the providers array, or to the narrower
|
|
438
|
-
* {@link AuthApiBase} otherwise. This conditional type ensures that
|
|
439
|
-
* enterprise-only APIs are only accessible when the SSO provider is
|
|
440
|
-
* configured, producing a compile-time error if you try to access
|
|
441
|
-
* `auth.sso` without it.
|
|
442
|
-
* This lets application code keep a single `createAuth()` call while still
|
|
443
|
-
* getting provider-aware typing on the resulting API object.
|
|
444
|
-
*
|
|
445
|
-
* @typeParam P - The tuple of provider configs passed to `createAuth`.
|
|
446
|
-
* @typeParam TAuthorization - Optional authorization config for typed roles/grants.
|
|
447
|
-
*/
|
|
448
|
-
export type ConvexAuthResult<
|
|
449
|
-
P extends AuthProviderConfig[],
|
|
450
|
-
TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
|
|
451
|
-
> =
|
|
452
|
-
HasSSO<P> extends true
|
|
453
|
-
? AuthApi<TAuthorization>
|
|
454
|
-
: AuthApiBase<TAuthorization>;
|
|
455
|
-
|
|
456
|
-
/**
|
|
457
|
-
* Infer the typed `AuthApiRefs` for the client SDK from a `createAuth` call.
|
|
458
|
-
*
|
|
459
|
-
* Use this as the generic parameter for `client()` on the frontend:
|
|
460
|
-
*
|
|
461
|
-
* ```ts
|
|
462
|
-
* // convex/auth.ts
|
|
463
|
-
* export const auth = createAuth(components.auth, { providers: [...] });
|
|
464
|
-
*
|
|
465
|
-
* // Frontend
|
|
466
|
-
* import type { auth } from "../convex/auth";
|
|
467
|
-
* import type { InferClientApi } from "@robelest/convex-auth/server";
|
|
468
|
-
* const c = client<InferClientApi<typeof auth>>({ convex, api: api.auth });
|
|
469
|
-
* ```
|
|
470
|
-
*
|
|
471
|
-
* @typeParam T - A ConvexAuthResult to extract the client API from.
|
|
472
|
-
*/
|
|
473
|
-
export type InferClientApi<T> =
|
|
474
|
-
T extends ConvexAuthResult<infer P>
|
|
475
|
-
? AuthApiRefs<
|
|
476
|
-
HasPasskeyProvider<P>,
|
|
477
|
-
HasTotpProvider<P>,
|
|
478
|
-
HasDeviceProvider<P>
|
|
479
|
-
>
|
|
480
|
-
: AuthApiRefs;
|
|
481
|
-
|
|
482
|
-
/** @internal */
|
|
483
|
-
export type AuthLike = Pick<AuthApiBase, "user" | "member">;
|
|
484
|
-
|
|
485
|
-
// ============================================================================
|
|
486
|
-
// Auth setup APIs
|
|
487
|
-
// ============================================================================
|
|
488
|
-
|
|
489
|
-
/**
|
|
490
|
-
* Create an auth API object.
|
|
491
|
-
*
|
|
492
|
-
* When `new SSO()` is included in providers, `auth.sso` and `auth.scim`
|
|
493
|
-
* are available on the returned object. Without it, those namespaces are
|
|
494
|
-
* absent and accessing them is a TypeScript compile error.
|
|
495
|
-
*
|
|
496
|
-
* @param component - The installed auth component reference from
|
|
497
|
-
* `components.auth` in your Convex app definition.
|
|
498
|
-
* @param config - Auth configuration including `providers` and optional
|
|
499
|
-
* `authorization`. All fields from {@link AuthConfig} are accepted
|
|
500
|
-
* except `component` (passed as the first argument).
|
|
501
|
-
* @returns A {@link ConvexAuthResult} object — either {@link AuthApi}
|
|
502
|
-
* (with `sso`/`scim`) or {@link AuthApiBase}, depending on whether
|
|
503
|
-
* an SSO provider is present.
|
|
504
|
-
*
|
|
505
|
-
* @example
|
|
506
|
-
* ```ts
|
|
507
|
-
* export const auth = createAuth(components.auth, {
|
|
508
|
-
* providers: [password(), google()],
|
|
509
|
-
* authorization: { roles },
|
|
510
|
-
* });
|
|
511
|
-
* ```
|
|
512
|
-
*
|
|
513
|
-
* @see {@link AuthContextConfig}
|
|
514
|
-
*/
|
|
515
|
-
|
|
516
|
-
// ---------------------------------------------------------------------------
|
|
517
|
-
// Function builders — shared auth resolution logic
|
|
518
|
-
// ---------------------------------------------------------------------------
|
|
519
|
-
|
|
520
|
-
async function resolveConfiguredAuthContext(
|
|
521
|
-
auth: AuthLike,
|
|
522
|
-
ctx: any,
|
|
523
|
-
config?: AuthContextConfig<any>,
|
|
524
|
-
): Promise<AuthContext | null> {
|
|
525
|
-
const fallback = () => getResolvedAuthContext(auth, ctx);
|
|
526
|
-
const authOverride = config?.authResolve
|
|
527
|
-
? await config.authResolve(ctx, fallback)
|
|
528
|
-
: undefined;
|
|
529
|
-
return authOverride === undefined ? await fallback() : authOverride;
|
|
530
|
-
}
|
|
531
|
-
|
|
532
|
-
function createNotSignedInError() {
|
|
533
|
-
return Cv.error({
|
|
534
|
-
code: "NOT_SIGNED_IN",
|
|
535
|
-
message: "Authentication required.",
|
|
536
|
-
});
|
|
537
|
-
}
|
|
538
|
-
|
|
539
|
-
async function createPublicAuthContext(
|
|
540
|
-
auth: AuthLike,
|
|
541
|
-
ctx: any,
|
|
542
|
-
config?: AuthContextConfig<any>,
|
|
543
|
-
) {
|
|
544
|
-
const resolved = await resolveConfiguredAuthContext(auth, ctx, config);
|
|
545
|
-
|
|
546
|
-
if (resolved === null) {
|
|
547
|
-
if (config?.optional !== true) {
|
|
548
|
-
throw createNotSignedInError();
|
|
549
|
-
}
|
|
550
|
-
return createUnauthenticatedAuthContext();
|
|
551
|
-
}
|
|
552
|
-
|
|
553
|
-
const extra = config?.resolve
|
|
554
|
-
? await config.resolve(ctx, resolved.user, resolved)
|
|
555
|
-
: {};
|
|
556
|
-
|
|
557
|
-
return {
|
|
558
|
-
...resolved,
|
|
559
|
-
...extra,
|
|
560
|
-
};
|
|
561
|
-
}
|
|
562
|
-
|
|
563
|
-
export function createAuth<
|
|
564
|
-
P extends AuthProviderConfig[],
|
|
565
|
-
TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
|
|
566
|
-
>(
|
|
567
|
-
component: ConvexAuthConfig["component"],
|
|
568
|
-
config: Omit<AuthConfig, "providers" | "authorization"> & {
|
|
569
|
-
providers: P;
|
|
570
|
-
authorization?: TAuthorization;
|
|
571
|
-
},
|
|
572
|
-
): ConvexAuthResult<P, TAuthorization> {
|
|
573
|
-
const authResult = AuthFactory({
|
|
574
|
-
...config,
|
|
575
|
-
component,
|
|
576
|
-
providers: [...config.providers],
|
|
577
|
-
});
|
|
578
|
-
const {
|
|
579
|
-
domain: domainApi,
|
|
580
|
-
scim: scimApi,
|
|
581
|
-
connection: connectionApi,
|
|
582
|
-
audit: auditApi,
|
|
583
|
-
webhook: webhookApi,
|
|
584
|
-
oidc: oidcApi,
|
|
585
|
-
saml: samlApi,
|
|
586
|
-
...restSso
|
|
587
|
-
} = authResult.auth.sso as InternalSsoApi;
|
|
588
|
-
|
|
589
|
-
type SetEnterpriseDomains = PublicSsoAdminApi["connection"]["domain"]["set"];
|
|
590
|
-
type EnterpriseDomainInput = Array<{
|
|
591
|
-
domain: string;
|
|
592
|
-
isPrimary?: boolean;
|
|
593
|
-
}>;
|
|
594
|
-
const setEnterpriseDomains: PublicSsoAdminApi["connection"]["domain"]["set"] =
|
|
595
|
-
async (
|
|
596
|
-
ctx: Parameters<SetEnterpriseDomains>[0],
|
|
597
|
-
enterpriseId: Parameters<SetEnterpriseDomains>[1],
|
|
598
|
-
domains: EnterpriseDomainInput,
|
|
599
|
-
) => {
|
|
600
|
-
const enterprise = await connectionApi.get(ctx, enterpriseId);
|
|
601
|
-
if (enterprise === null) {
|
|
602
|
-
throw Cv.error({
|
|
603
|
-
code: "INVALID_PARAMETERS",
|
|
604
|
-
message: "Enterprise not found.",
|
|
605
|
-
});
|
|
606
|
-
}
|
|
607
|
-
|
|
608
|
-
const normalized = domains.map((entry: (typeof domains)[number]) => ({
|
|
609
|
-
...entry,
|
|
610
|
-
domain: entry.domain.trim().toLowerCase(),
|
|
611
|
-
}));
|
|
612
|
-
const deduped = new Map<string, (typeof normalized)[number]>();
|
|
613
|
-
for (const entry of normalized) {
|
|
614
|
-
if (entry.domain.length === 0) {
|
|
615
|
-
throw Cv.error({
|
|
616
|
-
code: "INVALID_PARAMETERS",
|
|
617
|
-
message: "Domain must not be empty.",
|
|
618
|
-
});
|
|
619
|
-
}
|
|
620
|
-
if (deduped.has(entry.domain)) {
|
|
621
|
-
throw Cv.error({
|
|
622
|
-
code: "INVALID_PARAMETERS",
|
|
623
|
-
message: `Duplicate domain: ${entry.domain}`,
|
|
624
|
-
});
|
|
625
|
-
}
|
|
626
|
-
deduped.set(entry.domain, entry);
|
|
627
|
-
}
|
|
628
|
-
|
|
629
|
-
const nextDomains = [...deduped.values()];
|
|
630
|
-
const primaryCount = nextDomains.filter(
|
|
631
|
-
(entry) => entry.isPrimary,
|
|
632
|
-
).length;
|
|
633
|
-
if (primaryCount > 1) {
|
|
634
|
-
throw Cv.error({
|
|
635
|
-
code: "INVALID_PARAMETERS",
|
|
636
|
-
message: "Only one primary domain may be set.",
|
|
637
|
-
});
|
|
638
|
-
}
|
|
639
|
-
if (nextDomains.length > 0 && primaryCount === 0) {
|
|
640
|
-
nextDomains[0] = { ...nextDomains[0], isPrimary: true };
|
|
641
|
-
}
|
|
642
|
-
|
|
643
|
-
const currentDomains = await domainApi.list(ctx, enterpriseId);
|
|
644
|
-
const currentByDomain = new Map<string, (typeof currentDomains)[number]>(
|
|
645
|
-
currentDomains.map((entry: (typeof currentDomains)[number]) => [
|
|
646
|
-
entry.domain.toLowerCase(),
|
|
647
|
-
entry,
|
|
648
|
-
]),
|
|
649
|
-
);
|
|
650
|
-
|
|
651
|
-
for (const existing of currentDomains) {
|
|
652
|
-
if (!deduped.has(existing.domain.toLowerCase())) {
|
|
653
|
-
await domainApi.remove(ctx, existing._id);
|
|
654
|
-
}
|
|
655
|
-
}
|
|
656
|
-
|
|
657
|
-
for (const nextDomain of nextDomains) {
|
|
658
|
-
const current = currentByDomain.get(nextDomain.domain);
|
|
659
|
-
if (current && current.isPrimary === Boolean(nextDomain.isPrimary)) {
|
|
660
|
-
continue;
|
|
661
|
-
}
|
|
662
|
-
if (current) {
|
|
663
|
-
await domainApi.remove(ctx, current._id);
|
|
664
|
-
}
|
|
665
|
-
const domainId = await domainApi.add(ctx, {
|
|
666
|
-
enterpriseId: enterprise._id,
|
|
667
|
-
groupId: enterprise.groupId,
|
|
668
|
-
domain: nextDomain.domain,
|
|
669
|
-
isPrimary: nextDomain.isPrimary,
|
|
670
|
-
});
|
|
671
|
-
if (current?.verifiedAt !== undefined) {
|
|
672
|
-
await (ctx as any).runMutation(
|
|
673
|
-
component.public.enterpriseDomainVerify,
|
|
674
|
-
{
|
|
675
|
-
domainId,
|
|
676
|
-
verifiedAt: current.verifiedAt,
|
|
677
|
-
},
|
|
678
|
-
);
|
|
679
|
-
}
|
|
680
|
-
}
|
|
681
|
-
|
|
682
|
-
const updatedDomains = await domainApi.list(ctx, enterpriseId);
|
|
683
|
-
return {
|
|
684
|
-
enterpriseId,
|
|
685
|
-
domains: updatedDomains.map(
|
|
686
|
-
(domain: (typeof updatedDomains)[number]) => ({
|
|
687
|
-
domainId: domain._id,
|
|
688
|
-
domain: domain.domain,
|
|
689
|
-
isPrimary: domain.isPrimary,
|
|
690
|
-
verified: domain.verifiedAt !== undefined,
|
|
691
|
-
verifiedAt: domain.verifiedAt ?? null,
|
|
692
|
-
}),
|
|
693
|
-
),
|
|
694
|
-
};
|
|
695
|
-
};
|
|
696
|
-
|
|
697
|
-
const publicSso: PublicSsoApi = {
|
|
698
|
-
admin: {
|
|
699
|
-
...restSso,
|
|
700
|
-
oidc: {
|
|
701
|
-
...oidcApi,
|
|
702
|
-
},
|
|
703
|
-
saml: {
|
|
704
|
-
...samlApi,
|
|
705
|
-
},
|
|
706
|
-
connection: {
|
|
707
|
-
...connectionApi,
|
|
708
|
-
domain: {
|
|
709
|
-
list: domainApi.list,
|
|
710
|
-
validate: domainApi.validate,
|
|
711
|
-
set: setEnterpriseDomains,
|
|
712
|
-
verification: {
|
|
713
|
-
request: domainApi.verification.request,
|
|
714
|
-
confirm: domainApi.verification.confirm,
|
|
715
|
-
},
|
|
716
|
-
},
|
|
717
|
-
},
|
|
718
|
-
policy: restSso.policy,
|
|
719
|
-
audit: {
|
|
720
|
-
list: auditApi.list,
|
|
721
|
-
},
|
|
722
|
-
webhook: {
|
|
723
|
-
endpoint: webhookApi.endpoint,
|
|
724
|
-
delivery: {
|
|
725
|
-
list: webhookApi.delivery.list,
|
|
726
|
-
},
|
|
727
|
-
},
|
|
728
|
-
},
|
|
729
|
-
client: {
|
|
730
|
-
signIn: oidcApi.signIn,
|
|
731
|
-
metadata: samlApi.metadata,
|
|
732
|
-
},
|
|
733
|
-
};
|
|
734
|
-
|
|
735
|
-
return {
|
|
736
|
-
signIn: authResult.signIn,
|
|
737
|
-
signOut: authResult.signOut,
|
|
738
|
-
store: authResult.store,
|
|
739
|
-
user: authResult.auth.user,
|
|
740
|
-
session: authResult.auth.session,
|
|
741
|
-
provider: authResult.auth.provider,
|
|
742
|
-
account: authResult.auth.account,
|
|
743
|
-
group: authResult.auth.group,
|
|
744
|
-
member: authResult.auth.member,
|
|
745
|
-
invite: authResult.auth.invite,
|
|
746
|
-
key: authResult.auth.key,
|
|
747
|
-
sso: publicSso,
|
|
748
|
-
scim: {
|
|
749
|
-
admin: {
|
|
750
|
-
configure: scimApi.configure,
|
|
751
|
-
get: scimApi.get,
|
|
752
|
-
validate: scimApi.validate,
|
|
753
|
-
},
|
|
754
|
-
},
|
|
755
|
-
http: authResult.auth.http,
|
|
756
|
-
|
|
757
|
-
context: ((ctx: any, config?: AuthContextConfig<any>) =>
|
|
758
|
-
createPublicAuthContext(authResult.auth, ctx, config)) as AuthContextResolver,
|
|
759
|
-
|
|
760
|
-
ctx: ((config?: AuthContextConfig<any>) =>
|
|
761
|
-
createAuthContextCustomization(authResult.auth, config)) as AuthContextFactory,
|
|
762
|
-
} as unknown as ConvexAuthResult<P, TAuthorization>;
|
|
763
|
-
}
|
|
764
|
-
|
|
765
|
-
// ============================================================================
|
|
766
|
-
// auth.ctx() — ctx enrichment for customQuery / customMutation
|
|
767
|
-
// ============================================================================
|
|
768
|
-
|
|
769
|
-
/**
|
|
770
|
-
* Configuration for {@link createAuth().ctx} context enrichment.
|
|
771
|
-
*
|
|
772
|
-
* The same config shape is also used by {@link createAuth().context}.
|
|
773
|
-
*
|
|
774
|
-
* @typeParam TResolve - Extra fields returned from `resolve()` and merged into
|
|
775
|
-
* the resulting `ctx.auth` object.
|
|
776
|
-
*
|
|
777
|
-
* @example
|
|
778
|
-
* ```ts
|
|
779
|
-
* const authContext = await auth.context(ctx, {
|
|
780
|
-
* resolve: async (_ctx, user, authState) => ({
|
|
781
|
-
* email: user.email,
|
|
782
|
-
* canWrite: authState.grants.includes("posts.write"),
|
|
783
|
-
* }),
|
|
784
|
-
* });
|
|
785
|
-
* ```
|
|
786
|
-
*/
|
|
787
|
-
export type AuthContextConfig<
|
|
788
|
-
TResolve extends Record<string, unknown> = Record<string, never>,
|
|
789
|
-
> = {
|
|
790
|
-
/**
|
|
791
|
-
* Allow unauthenticated callers and return a null-shaped auth object instead
|
|
792
|
-
* of throwing `NOT_SIGNED_IN`.
|
|
793
|
-
*/
|
|
794
|
-
optional?: boolean;
|
|
795
|
-
/**
|
|
796
|
-
* Attach additional derived fields to the auth context after the base auth
|
|
797
|
-
* context is resolved.
|
|
798
|
-
*
|
|
799
|
-
* This callback runs only when a user is authenticated.
|
|
800
|
-
*/
|
|
801
|
-
resolve?: (
|
|
802
|
-
ctx: any,
|
|
803
|
-
user: UserDoc,
|
|
804
|
-
auth: AuthContext,
|
|
805
|
-
) => Promise<TResolve> | TResolve;
|
|
806
|
-
/**
|
|
807
|
-
* Override or wrap the base auth resolution used by {@link createAuth().ctx}.
|
|
808
|
-
*
|
|
809
|
-
* Return `undefined` to fall back to the built-in resolver,
|
|
810
|
-
* `null` for an explicit unauthenticated state, or an
|
|
811
|
-
* {@link AuthContext} object to provide a pre-resolved auth state.
|
|
812
|
-
* This is useful for tests, proxy auth, impersonation flows, or any
|
|
813
|
-
* environment that needs to inject auth without depending on the standard
|
|
814
|
-
* Convex auth tables.
|
|
815
|
-
*
|
|
816
|
-
* @param ctx - The Convex function context.
|
|
817
|
-
* @param fallback - The built-in auth resolver used by {@link createAuth().ctx}.
|
|
818
|
-
* @returns Resolved auth state, `null`, or `undefined` to use the fallback.
|
|
819
|
-
*
|
|
820
|
-
* @example
|
|
821
|
-
* ```ts
|
|
822
|
-
* const authCtx = auth.ctx({
|
|
823
|
-
* authResolve: async (ctx, fallback) => {
|
|
824
|
-
* const injected = getInjectedAuth(ctx);
|
|
825
|
-
* return injected ?? (await fallback());
|
|
826
|
-
* },
|
|
827
|
-
* });
|
|
828
|
-
* ```
|
|
829
|
-
*/
|
|
830
|
-
authResolve?: (
|
|
831
|
-
ctx: any,
|
|
832
|
-
fallback: () => Promise<AuthContext | null>,
|
|
833
|
-
) => Promise<AuthContext | null | undefined> | AuthContext | null | undefined;
|
|
834
|
-
};
|
|
835
|
-
|
|
836
|
-
/**
|
|
837
|
-
* Create a context enrichment for `customQuery` / `customMutation` — optional auth.
|
|
838
|
-
*
|
|
839
|
-
* When `optional: true` is set, unauthenticated requests are allowed.
|
|
840
|
-
* The enriched `ctx.auth` will have `userId: null`, `user: null`,
|
|
841
|
-
* `groupId: null`, `role: null`, and `grants: []` for unauthenticated callers.
|
|
842
|
-
*
|
|
843
|
-
* @param config - Configuration with `optional: true` and an optional
|
|
844
|
-
* `resolve` callback for attaching extra fields to the auth context.
|
|
845
|
-
* @returns An object with `args` and `input` compatible with Convex
|
|
846
|
-
* custom function builders.
|
|
847
|
-
*
|
|
848
|
-
* @example
|
|
849
|
-
* ```ts
|
|
850
|
-
* const authCtx = auth.ctx({
|
|
851
|
-
* optional: true,
|
|
852
|
-
* resolve: async (_ctx, user) => ({ plan: user.extend?.plan ?? null }),
|
|
853
|
-
* });
|
|
854
|
-
* ```
|
|
855
|
-
*
|
|
856
|
-
* @see {@link createAuth}
|
|
857
|
-
*/
|
|
858
|
-
|
|
859
|
-
/**
|
|
860
|
-
* Create a context enrichment for `customQuery` / `customMutation` — required auth (default).
|
|
861
|
-
*
|
|
862
|
-
* When `optional` is omitted or `false`, unauthenticated requests throw a
|
|
863
|
-
* structured `ConvexError` before your handler runs.
|
|
864
|
-
*
|
|
865
|
-
* @param config - Optional configuration with a `resolve` callback
|
|
866
|
-
* for attaching extra fields to the auth context.
|
|
867
|
-
* @returns An object with `args` and `input` compatible with Convex
|
|
868
|
-
* custom function builders.
|
|
869
|
-
*
|
|
870
|
-
* @example
|
|
871
|
-
* ```ts
|
|
872
|
-
* const authCtx = auth.ctx({
|
|
873
|
-
* resolve: async (_ctx, user) => ({ email: user.email }),
|
|
874
|
-
* });
|
|
875
|
-
* ```
|
|
876
|
-
*
|
|
877
|
-
* @see {@link createAuth}
|
|
878
|
-
*/
|
|
879
|
-
function createAuthContextCustomization(
|
|
880
|
-
auth: AuthLike,
|
|
881
|
-
config?: AuthContextConfig<any>,
|
|
882
|
-
) {
|
|
883
|
-
return {
|
|
884
|
-
args: {},
|
|
885
|
-
input: async (ctx: any, _args: any, _extra?: any) => {
|
|
886
|
-
const nativeAuth = ctx.auth;
|
|
887
|
-
const getUserIdentity = nativeAuth.getUserIdentity.bind(nativeAuth);
|
|
888
|
-
const resolved = await resolveConfiguredAuthContext(auth, ctx, config);
|
|
889
|
-
|
|
890
|
-
if (resolved === null) {
|
|
891
|
-
if (config?.optional !== true) {
|
|
892
|
-
throw createNotSignedInError();
|
|
893
|
-
}
|
|
894
|
-
return {
|
|
895
|
-
ctx: {
|
|
896
|
-
auth: {
|
|
897
|
-
getUserIdentity,
|
|
898
|
-
...createUnauthenticatedAuthContext(),
|
|
899
|
-
},
|
|
900
|
-
},
|
|
901
|
-
args: {},
|
|
902
|
-
};
|
|
903
|
-
}
|
|
904
|
-
|
|
905
|
-
const extra = config?.resolve
|
|
906
|
-
? await config.resolve(ctx, resolved.user, resolved)
|
|
907
|
-
: {};
|
|
908
|
-
|
|
909
|
-
return {
|
|
910
|
-
ctx: {
|
|
911
|
-
auth: {
|
|
912
|
-
getUserIdentity,
|
|
913
|
-
...resolved,
|
|
914
|
-
...extra,
|
|
915
|
-
},
|
|
916
|
-
},
|
|
917
|
-
args: {},
|
|
918
|
-
};
|
|
919
|
-
},
|
|
920
|
-
};
|
|
921
|
-
}
|
|
922
|
-
|
|
923
|
-
/**
|
|
924
|
-
* Extract the resolved `auth` context type from an `auth.ctx()` customization.
|
|
925
|
-
*
|
|
926
|
-
* Use this to type function parameters or variables that receive the
|
|
927
|
-
* enriched auth context produced by `auth.ctx()`. The inferred type includes
|
|
928
|
-
* `userId`, `user`, `groupId`, `role`, `grants`, `getUserIdentity`, and any
|
|
929
|
-
* additional fields added by the `resolve` callback. This is the generic
|
|
930
|
-
* utility for reusing the enriched auth shape without manually duplicating
|
|
931
|
-
* conditional auth types.
|
|
932
|
-
*
|
|
933
|
-
* @typeParam T - An `auth.ctx()` return value (must have an `input` method
|
|
934
|
-
* that returns `{ ctx: { auth: ... } }`).
|
|
935
|
-
*
|
|
936
|
-
* @example
|
|
937
|
-
* ```ts
|
|
938
|
-
* const authCtx = auth.ctx({
|
|
939
|
-
* resolve: async (ctx, user) => ({ orgId: user.orgId }),
|
|
940
|
-
* });
|
|
941
|
-
* type Auth = InferAuth<typeof authCtx>;
|
|
942
|
-
* // Auth = { userId: Id<"User">; user: UserDoc; getUserIdentity: ...; orgId: string }
|
|
943
|
-
* ```
|
|
944
|
-
*
|
|
945
|
-
* @see {@link createAuth}
|
|
946
|
-
*/
|
|
947
|
-
export type InferAuth<
|
|
948
|
-
T extends { input: (...args: any[]) => Promise<{ ctx: { auth: any } }> },
|
|
949
|
-
> = Awaited<ReturnType<T["input"]>>["ctx"]["auth"];
|