@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28
- package/README.md +43 -36
- package/dist/bin.js +5765 -4880
- package/dist/browser/index.d.ts +30 -0
- package/dist/browser/index.js +93 -0
- package/dist/browser/locks.js +11 -0
- package/dist/browser/navigation.js +14 -0
- package/dist/{factors → browser}/passkey.js +23 -32
- package/dist/browser/runtime.js +92 -0
- package/dist/client/core/types.d.ts +452 -5
- package/dist/client/core/types.js +17 -0
- package/dist/client/errors.js +19 -0
- package/dist/client/factors/device.js +94 -0
- package/dist/{factors → client/factors}/totp.js +12 -4
- package/dist/client/index.d.ts +47 -1
- package/dist/client/index.js +269 -232
- package/dist/client/runtime/mutex.js +24 -0
- package/dist/client/runtime/proxy.js +30 -0
- package/dist/client/runtime/storage.js +45 -0
- package/dist/client/services/adapters.js +7 -0
- package/dist/client/services/http.js +6 -0
- package/dist/client/services/resolve.js +13 -0
- package/dist/client/services/runtime.js +6 -0
- package/dist/component/_generated/component.d.ts +1355 -1399
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/index.d.ts +4 -26
- package/dist/component/index.js +1 -1
- package/dist/component/model.d.ts +26 -112
- package/dist/component/model.js +76 -54
- package/dist/component/modules.js +38 -0
- package/dist/component/public/factors/devices.js +1 -1
- package/dist/component/public/factors/passkeys.js +1 -1
- package/dist/component/public/factors/totp.js +1 -1
- package/dist/component/public/groups/core.js +2 -2
- package/dist/component/public/groups/invites.js +1 -1
- package/dist/component/public/groups/members.js +1 -1
- package/dist/component/public/identity/accounts.js +1 -1
- package/dist/component/public/identity/codes.js +1 -1
- package/dist/component/public/identity/sessions.js +39 -2
- package/dist/component/public/identity/tokens.js +82 -4
- package/dist/component/public/identity/users.js +1 -1
- package/dist/component/public/identity/verifiers.js +10 -4
- package/dist/component/public/security/keys.js +1 -1
- package/dist/component/public/security/limits.js +1 -1
- package/dist/component/public/{enterprise → sso}/audit.js +26 -26
- package/dist/component/public/sso/core.js +263 -0
- package/dist/component/public/sso/domains.js +280 -0
- package/dist/component/public/{enterprise → sso}/scim.js +87 -87
- package/dist/component/public/sso/secrets.js +125 -0
- package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
- package/dist/component/public.js +9 -9
- package/dist/component/schema.d.ts +472 -393
- package/dist/component/schema.js +36 -35
- package/dist/core/index.d.ts +380 -0
- package/dist/core/index.js +83 -0
- package/dist/otel.d.ts +69 -0
- package/dist/otel.js +82 -0
- package/dist/providers/anonymous.d.ts +15 -34
- package/dist/providers/anonymous.js +27 -35
- package/dist/providers/apple.d.ts +59 -0
- package/dist/providers/apple.js +58 -0
- package/dist/providers/credentials.d.ts +18 -34
- package/dist/providers/credentials.js +16 -27
- package/dist/providers/custom.d.ts +94 -0
- package/dist/providers/custom.js +119 -0
- package/dist/providers/device.d.ts +15 -49
- package/dist/providers/device.js +17 -34
- package/dist/providers/email.d.ts +21 -38
- package/dist/providers/email.js +36 -55
- package/dist/providers/github.d.ts +54 -0
- package/dist/providers/github.js +75 -0
- package/dist/providers/google.d.ts +54 -0
- package/dist/providers/google.js +61 -0
- package/dist/providers/index.d.ts +16 -12
- package/dist/providers/index.js +15 -11
- package/dist/providers/microsoft.d.ts +57 -0
- package/dist/providers/microsoft.js +101 -0
- package/dist/providers/passkey.d.ts +19 -35
- package/dist/providers/passkey.js +20 -30
- package/dist/providers/password.d.ts +17 -18
- package/dist/providers/password.js +121 -143
- package/dist/providers/phone.d.ts +13 -28
- package/dist/providers/phone.js +21 -46
- package/dist/providers/sso.d.ts +16 -36
- package/dist/providers/sso.js +21 -22
- package/dist/providers/totp.d.ts +13 -29
- package/dist/providers/totp.js +17 -27
- package/dist/server/auth-context.d.ts +204 -0
- package/dist/server/auth-context.js +76 -0
- package/dist/server/auth.d.ts +99 -244
- package/dist/server/auth.js +56 -152
- package/dist/server/componentContext.d.ts +12 -0
- package/dist/server/componentContext.js +1 -0
- package/dist/server/config.js +6 -67
- package/dist/server/constants.js +6 -0
- package/dist/server/contract.d.ts +105 -0
- package/dist/server/contract.js +43 -0
- package/dist/server/cookies.js +3 -2
- package/dist/server/core.js +31 -36
- package/dist/server/crypto.js +34 -44
- package/dist/server/db.js +6 -1
- package/dist/server/device.js +96 -130
- package/dist/server/env.js +48 -0
- package/dist/server/errors.js +20 -0
- package/dist/server/http.d.ts +15 -59
- package/dist/server/http.js +136 -120
- package/dist/server/identity.js +2 -2
- package/dist/server/index.d.ts +5 -4
- package/dist/server/index.js +3 -3
- package/dist/server/keys.js +10 -1
- package/dist/server/limits.js +26 -26
- package/dist/server/log.js +28 -0
- package/dist/server/mounts.d.ts +1107 -296
- package/dist/server/mounts.js +315 -196
- package/dist/server/mutations/account.js +11 -14
- package/dist/server/mutations/code.js +6 -5
- package/dist/server/mutations/invalidate.js +9 -11
- package/dist/server/mutations/oauth.js +112 -73
- package/dist/server/mutations/refresh.js +47 -97
- package/dist/server/mutations/register.js +37 -35
- package/dist/server/mutations/retrieve.js +16 -16
- package/dist/server/mutations/signature.js +15 -18
- package/dist/server/mutations/signin.js +10 -5
- package/dist/server/mutations/signout.js +11 -14
- package/dist/server/mutations/store.js +25 -18
- package/dist/server/mutations/verifier.js +11 -8
- package/dist/server/mutations/verify.js +53 -41
- package/dist/server/oauth/factory.js +44 -0
- package/dist/server/oauth/index.js +12 -0
- package/dist/server/oauth/runtime.js +248 -0
- package/dist/server/passkey.js +331 -365
- package/dist/server/payloads.d.ts +16 -0
- package/dist/server/payloads.js +30 -0
- package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
- package/dist/server/prefetch.js +635 -0
- package/dist/server/random.js +19 -0
- package/dist/server/redirects.js +10 -5
- package/dist/server/refresh.js +14 -86
- package/dist/server/runtime.d.ts +531 -31
- package/dist/server/runtime.js +106 -267
- package/dist/server/secret.js +44 -0
- package/dist/server/services/config.js +10 -0
- package/dist/server/services/group.js +211 -0
- package/dist/server/services/logger.js +8 -0
- package/dist/server/services/providers.js +22 -0
- package/dist/server/services/refresh.js +8 -0
- package/dist/server/services/resolve.js +27 -0
- package/dist/server/services/signin.js +8 -0
- package/dist/server/sessions.js +35 -34
- package/dist/server/signin.js +229 -140
- package/dist/server/{enterprise → sso}/config.js +10 -3
- package/dist/server/sso/domain.d.ts +614 -0
- package/dist/server/sso/domain.js +1175 -0
- package/dist/server/sso/http.js +1060 -0
- package/dist/server/sso/oidc.js +324 -0
- package/dist/server/sso/policies.js +59 -0
- package/dist/server/sso/policy.js +139 -0
- package/dist/server/sso/profile.js +22 -0
- package/dist/server/sso/provision.js +179 -0
- package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
- package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
- package/dist/server/sso/shared.js +74 -0
- package/dist/server/sso/validators.js +88 -0
- package/dist/server/sso/webhook.js +94 -0
- package/dist/server/tokens.js +16 -4
- package/dist/server/totp.js +155 -164
- package/dist/server/types.d.ts +306 -296
- package/dist/server/types.js +1 -30
- package/dist/server/url.js +32 -0
- package/dist/server/users.js +74 -40
- package/dist/server/utils/cache.js +51 -0
- package/dist/server/utils/dispatch.js +36 -0
- package/dist/server/utils/retry.js +24 -0
- package/dist/server/utils/span.js +32 -0
- package/dist/shared/errors.js +19 -0
- package/dist/shared/log.js +45 -0
- package/{src/test.ts → dist/test.d.ts} +21 -22
- package/dist/test.js +51 -0
- package/package.json +70 -42
- package/dist/authorization/index.d.ts.map +0 -1
- package/dist/authorization/index.js.map +0 -1
- package/dist/client/core/types.d.ts.map +0 -1
- package/dist/client/index.d.ts.map +0 -1
- package/dist/client/index.js.map +0 -1
- package/dist/component/_generated/api.d.ts +0 -75
- package/dist/component/_generated/api.d.ts.map +0 -1
- package/dist/component/_generated/api.js.map +0 -1
- package/dist/component/_generated/component.d.ts.map +0 -1
- package/dist/component/_generated/dataModel.d.ts +0 -42
- package/dist/component/_generated/dataModel.d.ts.map +0 -1
- package/dist/component/_generated/server.d.ts +0 -117
- package/dist/component/_generated/server.d.ts.map +0 -1
- package/dist/component/_generated/server.js.map +0 -1
- package/dist/component/_virtual/rolldown_runtime.js +0 -18
- package/dist/component/client/core/types.d.ts +0 -2
- package/dist/component/client/index.d.ts +0 -1
- package/dist/component/convex.config.d.ts.map +0 -1
- package/dist/component/convex.config.js.map +0 -1
- package/dist/component/functions.d.ts +0 -25
- package/dist/component/functions.d.ts.map +0 -1
- package/dist/component/functions.js.map +0 -1
- package/dist/component/index.d.ts.map +0 -1
- package/dist/component/model.d.ts.map +0 -1
- package/dist/component/model.js.map +0 -1
- package/dist/component/providers/anonymous.d.ts +0 -54
- package/dist/component/providers/anonymous.d.ts.map +0 -1
- package/dist/component/providers/credentials.d.ts +0 -38
- package/dist/component/providers/credentials.d.ts.map +0 -1
- package/dist/component/providers/device.d.ts +0 -67
- package/dist/component/providers/device.d.ts.map +0 -1
- package/dist/component/providers/email.d.ts +0 -62
- package/dist/component/providers/email.d.ts.map +0 -1
- package/dist/component/providers/oauth.d.ts +0 -25
- package/dist/component/providers/oauth.d.ts.map +0 -1
- package/dist/component/providers/oauth.js +0 -13
- package/dist/component/providers/oauth.js.map +0 -1
- package/dist/component/providers/passkey.d.ts +0 -57
- package/dist/component/providers/passkey.d.ts.map +0 -1
- package/dist/component/providers/password.d.ts +0 -88
- package/dist/component/providers/password.d.ts.map +0 -1
- package/dist/component/providers/phone.d.ts +0 -48
- package/dist/component/providers/phone.d.ts.map +0 -1
- package/dist/component/providers/sso.d.ts +0 -50
- package/dist/component/providers/sso.d.ts.map +0 -1
- package/dist/component/providers/totp.d.ts +0 -45
- package/dist/component/providers/totp.d.ts.map +0 -1
- package/dist/component/public/enterprise/audit.d.ts +0 -73
- package/dist/component/public/enterprise/audit.d.ts.map +0 -1
- package/dist/component/public/enterprise/audit.js.map +0 -1
- package/dist/component/public/enterprise/core.d.ts +0 -176
- package/dist/component/public/enterprise/core.d.ts.map +0 -1
- package/dist/component/public/enterprise/core.js +0 -292
- package/dist/component/public/enterprise/core.js.map +0 -1
- package/dist/component/public/enterprise/domains.d.ts +0 -174
- package/dist/component/public/enterprise/domains.d.ts.map +0 -1
- package/dist/component/public/enterprise/domains.js +0 -271
- package/dist/component/public/enterprise/domains.js.map +0 -1
- package/dist/component/public/enterprise/scim.d.ts +0 -245
- package/dist/component/public/enterprise/scim.d.ts.map +0 -1
- package/dist/component/public/enterprise/scim.js.map +0 -1
- package/dist/component/public/enterprise/secrets.d.ts +0 -78
- package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
- package/dist/component/public/enterprise/secrets.js +0 -118
- package/dist/component/public/enterprise/secrets.js.map +0 -1
- package/dist/component/public/enterprise/webhooks.d.ts +0 -211
- package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
- package/dist/component/public/enterprise/webhooks.js.map +0 -1
- package/dist/component/public/factors/devices.d.ts +0 -157
- package/dist/component/public/factors/devices.d.ts.map +0 -1
- package/dist/component/public/factors/devices.js.map +0 -1
- package/dist/component/public/factors/passkeys.d.ts +0 -175
- package/dist/component/public/factors/passkeys.d.ts.map +0 -1
- package/dist/component/public/factors/passkeys.js.map +0 -1
- package/dist/component/public/factors/totp.d.ts +0 -189
- package/dist/component/public/factors/totp.d.ts.map +0 -1
- package/dist/component/public/factors/totp.js.map +0 -1
- package/dist/component/public/groups/core.d.ts +0 -137
- package/dist/component/public/groups/core.d.ts.map +0 -1
- package/dist/component/public/groups/core.js.map +0 -1
- package/dist/component/public/groups/invites.d.ts +0 -217
- package/dist/component/public/groups/invites.d.ts.map +0 -1
- package/dist/component/public/groups/invites.js.map +0 -1
- package/dist/component/public/groups/members.d.ts +0 -204
- package/dist/component/public/groups/members.d.ts.map +0 -1
- package/dist/component/public/groups/members.js.map +0 -1
- package/dist/component/public/identity/accounts.d.ts +0 -147
- package/dist/component/public/identity/accounts.d.ts.map +0 -1
- package/dist/component/public/identity/accounts.js.map +0 -1
- package/dist/component/public/identity/codes.d.ts +0 -104
- package/dist/component/public/identity/codes.d.ts.map +0 -1
- package/dist/component/public/identity/codes.js.map +0 -1
- package/dist/component/public/identity/sessions.d.ts +0 -128
- package/dist/component/public/identity/sessions.d.ts.map +0 -1
- package/dist/component/public/identity/sessions.js.map +0 -1
- package/dist/component/public/identity/tokens.d.ts +0 -169
- package/dist/component/public/identity/tokens.d.ts.map +0 -1
- package/dist/component/public/identity/tokens.js.map +0 -1
- package/dist/component/public/identity/users.d.ts +0 -212
- package/dist/component/public/identity/users.d.ts.map +0 -1
- package/dist/component/public/identity/users.js.map +0 -1
- package/dist/component/public/identity/verifiers.d.ts +0 -116
- package/dist/component/public/identity/verifiers.d.ts.map +0 -1
- package/dist/component/public/identity/verifiers.js.map +0 -1
- package/dist/component/public/security/keys.d.ts +0 -209
- package/dist/component/public/security/keys.d.ts.map +0 -1
- package/dist/component/public/security/keys.js.map +0 -1
- package/dist/component/public/security/limits.d.ts +0 -114
- package/dist/component/public/security/limits.d.ts.map +0 -1
- package/dist/component/public/security/limits.js.map +0 -1
- package/dist/component/public.d.ts +0 -28
- package/dist/component/public.d.ts.map +0 -1
- package/dist/component/schema.d.ts.map +0 -1
- package/dist/component/schema.js.map +0 -1
- package/dist/component/server/auth.d.ts +0 -447
- package/dist/component/server/auth.d.ts.map +0 -1
- package/dist/component/server/auth.js +0 -254
- package/dist/component/server/auth.js.map +0 -1
- package/dist/component/server/config.js +0 -121
- package/dist/component/server/config.js.map +0 -1
- package/dist/component/server/context.js +0 -53
- package/dist/component/server/context.js.map +0 -1
- package/dist/component/server/cookies.js +0 -47
- package/dist/component/server/cookies.js.map +0 -1
- package/dist/component/server/core.js +0 -576
- package/dist/component/server/core.js.map +0 -1
- package/dist/component/server/crypto.js +0 -56
- package/dist/component/server/crypto.js.map +0 -1
- package/dist/component/server/db.js +0 -87
- package/dist/component/server/db.js.map +0 -1
- package/dist/component/server/device.js +0 -152
- package/dist/component/server/device.js.map +0 -1
- package/dist/component/server/enterprise/config.js +0 -46
- package/dist/component/server/enterprise/config.js.map +0 -1
- package/dist/component/server/enterprise/domain.js +0 -974
- package/dist/component/server/enterprise/domain.js.map +0 -1
- package/dist/component/server/enterprise/http.js +0 -787
- package/dist/component/server/enterprise/http.js.map +0 -1
- package/dist/component/server/enterprise/oidc.js +0 -248
- package/dist/component/server/enterprise/oidc.js.map +0 -1
- package/dist/component/server/enterprise/policy.js +0 -85
- package/dist/component/server/enterprise/policy.js.map +0 -1
- package/dist/component/server/enterprise/saml.js.map +0 -1
- package/dist/component/server/enterprise/scim.js.map +0 -1
- package/dist/component/server/enterprise/shared.js +0 -51
- package/dist/component/server/enterprise/shared.js.map +0 -1
- package/dist/component/server/http.d.ts +0 -85
- package/dist/component/server/http.d.ts.map +0 -1
- package/dist/component/server/http.js +0 -351
- package/dist/component/server/http.js.map +0 -1
- package/dist/component/server/identity.js +0 -16
- package/dist/component/server/identity.js.map +0 -1
- package/dist/component/server/keys.js +0 -96
- package/dist/component/server/keys.js.map +0 -1
- package/dist/component/server/limits.js +0 -52
- package/dist/component/server/limits.js.map +0 -1
- package/dist/component/server/mutations/account.js +0 -46
- package/dist/component/server/mutations/account.js.map +0 -1
- package/dist/component/server/mutations/code.js +0 -68
- package/dist/component/server/mutations/code.js.map +0 -1
- package/dist/component/server/mutations/invalidate.js +0 -32
- package/dist/component/server/mutations/invalidate.js.map +0 -1
- package/dist/component/server/mutations/oauth.js +0 -116
- package/dist/component/server/mutations/oauth.js.map +0 -1
- package/dist/component/server/mutations/refresh.js +0 -119
- package/dist/component/server/mutations/refresh.js.map +0 -1
- package/dist/component/server/mutations/register.js +0 -87
- package/dist/component/server/mutations/register.js.map +0 -1
- package/dist/component/server/mutations/retrieve.js +0 -61
- package/dist/component/server/mutations/retrieve.js.map +0 -1
- package/dist/component/server/mutations/signature.js +0 -38
- package/dist/component/server/mutations/signature.js.map +0 -1
- package/dist/component/server/mutations/signin.js +0 -27
- package/dist/component/server/mutations/signin.js.map +0 -1
- package/dist/component/server/mutations/signout.js +0 -27
- package/dist/component/server/mutations/signout.js.map +0 -1
- package/dist/component/server/mutations/store/refs.js +0 -15
- package/dist/component/server/mutations/store/refs.js.map +0 -1
- package/dist/component/server/mutations/store.js +0 -70
- package/dist/component/server/mutations/store.js.map +0 -1
- package/dist/component/server/mutations/verifier.js +0 -18
- package/dist/component/server/mutations/verifier.js.map +0 -1
- package/dist/component/server/mutations/verify.js +0 -98
- package/dist/component/server/mutations/verify.js.map +0 -1
- package/dist/component/server/oauth.js +0 -242
- package/dist/component/server/oauth.js.map +0 -1
- package/dist/component/server/passkey.js +0 -415
- package/dist/component/server/passkey.js.map +0 -1
- package/dist/component/server/redirects.js +0 -40
- package/dist/component/server/redirects.js.map +0 -1
- package/dist/component/server/refresh.js +0 -99
- package/dist/component/server/refresh.js.map +0 -1
- package/dist/component/server/runtime.d.ts +0 -136
- package/dist/component/server/runtime.d.ts.map +0 -1
- package/dist/component/server/runtime.js +0 -456
- package/dist/component/server/runtime.js.map +0 -1
- package/dist/component/server/sessions.js +0 -71
- package/dist/component/server/sessions.js.map +0 -1
- package/dist/component/server/signin.js +0 -225
- package/dist/component/server/signin.js.map +0 -1
- package/dist/component/server/tokens.js +0 -17
- package/dist/component/server/tokens.js.map +0 -1
- package/dist/component/server/totp.js +0 -208
- package/dist/component/server/totp.js.map +0 -1
- package/dist/component/server/types.d.ts +0 -949
- package/dist/component/server/types.d.ts.map +0 -1
- package/dist/component/server/types.js +0 -79
- package/dist/component/server/types.js.map +0 -1
- package/dist/component/server/users.js +0 -123
- package/dist/component/server/users.js.map +0 -1
- package/dist/component/server/utils.js +0 -140
- package/dist/component/server/utils.js.map +0 -1
- package/dist/core/types.d.ts +0 -361
- package/dist/core/types.d.ts.map +0 -1
- package/dist/factors/device.js +0 -104
- package/dist/factors/device.js.map +0 -1
- package/dist/factors/passkey.js.map +0 -1
- package/dist/factors/totp.js.map +0 -1
- package/dist/providers/anonymous.d.ts.map +0 -1
- package/dist/providers/anonymous.js.map +0 -1
- package/dist/providers/credentials.d.ts.map +0 -1
- package/dist/providers/credentials.js.map +0 -1
- package/dist/providers/device.d.ts.map +0 -1
- package/dist/providers/device.js.map +0 -1
- package/dist/providers/email.d.ts.map +0 -1
- package/dist/providers/email.js.map +0 -1
- package/dist/providers/oauth.d.ts +0 -69
- package/dist/providers/oauth.d.ts.map +0 -1
- package/dist/providers/oauth.js +0 -43
- package/dist/providers/oauth.js.map +0 -1
- package/dist/providers/passkey.d.ts.map +0 -1
- package/dist/providers/passkey.js.map +0 -1
- package/dist/providers/password.d.ts.map +0 -1
- package/dist/providers/password.js.map +0 -1
- package/dist/providers/phone.d.ts.map +0 -1
- package/dist/providers/phone.js.map +0 -1
- package/dist/providers/sso.d.ts.map +0 -1
- package/dist/providers/sso.js.map +0 -1
- package/dist/providers/totp.d.ts.map +0 -1
- package/dist/providers/totp.js.map +0 -1
- package/dist/runtime/browser.js +0 -68
- package/dist/runtime/browser.js.map +0 -1
- package/dist/runtime/invite.js.map +0 -1
- package/dist/runtime/proxy.js +0 -70
- package/dist/runtime/proxy.js.map +0 -1
- package/dist/runtime/storage.js +0 -37
- package/dist/runtime/storage.js.map +0 -1
- package/dist/server/auth.d.ts.map +0 -1
- package/dist/server/auth.js.map +0 -1
- package/dist/server/config.d.ts +0 -1
- package/dist/server/config.js.map +0 -1
- package/dist/server/context.d.ts +0 -1
- package/dist/server/context.js.map +0 -1
- package/dist/server/cookies.d.ts +0 -1
- package/dist/server/cookies.js.map +0 -1
- package/dist/server/core.d.ts +0 -1315
- package/dist/server/core.d.ts.map +0 -1
- package/dist/server/core.js.map +0 -1
- package/dist/server/crypto.d.ts +0 -8
- package/dist/server/crypto.d.ts.map +0 -1
- package/dist/server/crypto.js.map +0 -1
- package/dist/server/db.d.ts +0 -1
- package/dist/server/db.js.map +0 -1
- package/dist/server/device.d.ts +0 -1
- package/dist/server/device.js.map +0 -1
- package/dist/server/enterprise/config.d.ts +0 -1
- package/dist/server/enterprise/config.js.map +0 -1
- package/dist/server/enterprise/domain.d.ts +0 -401
- package/dist/server/enterprise/domain.d.ts.map +0 -1
- package/dist/server/enterprise/domain.js +0 -974
- package/dist/server/enterprise/domain.js.map +0 -1
- package/dist/server/enterprise/http.d.ts +0 -26
- package/dist/server/enterprise/http.d.ts.map +0 -1
- package/dist/server/enterprise/http.js +0 -787
- package/dist/server/enterprise/http.js.map +0 -1
- package/dist/server/enterprise/oidc.d.ts +0 -1
- package/dist/server/enterprise/oidc.js +0 -248
- package/dist/server/enterprise/oidc.js.map +0 -1
- package/dist/server/enterprise/policy.d.ts +0 -1
- package/dist/server/enterprise/policy.js +0 -85
- package/dist/server/enterprise/policy.js.map +0 -1
- package/dist/server/enterprise/saml.d.ts +0 -1
- package/dist/server/enterprise/saml.js +0 -338
- package/dist/server/enterprise/saml.js.map +0 -1
- package/dist/server/enterprise/scim.d.ts +0 -1
- package/dist/server/enterprise/scim.js +0 -97
- package/dist/server/enterprise/scim.js.map +0 -1
- package/dist/server/enterprise/shared.d.ts +0 -5
- package/dist/server/enterprise/shared.d.ts.map +0 -1
- package/dist/server/enterprise/shared.js +0 -51
- package/dist/server/enterprise/shared.js.map +0 -1
- package/dist/server/enterprise/validators.d.ts +0 -1
- package/dist/server/enterprise/validators.js +0 -60
- package/dist/server/enterprise/validators.js.map +0 -1
- package/dist/server/http.d.ts.map +0 -1
- package/dist/server/http.js.map +0 -1
- package/dist/server/identity.d.ts +0 -1
- package/dist/server/identity.js.map +0 -1
- package/dist/server/keys.d.ts +0 -1
- package/dist/server/keys.js.map +0 -1
- package/dist/server/limits.d.ts +0 -1
- package/dist/server/limits.js.map +0 -1
- package/dist/server/mounts.d.ts.map +0 -1
- package/dist/server/mounts.js.map +0 -1
- package/dist/server/mutations/account.d.ts +0 -29
- package/dist/server/mutations/account.d.ts.map +0 -1
- package/dist/server/mutations/account.js.map +0 -1
- package/dist/server/mutations/code.d.ts +0 -30
- package/dist/server/mutations/code.d.ts.map +0 -1
- package/dist/server/mutations/code.js.map +0 -1
- package/dist/server/mutations/index.d.ts +0 -14
- package/dist/server/mutations/invalidate.d.ts +0 -20
- package/dist/server/mutations/invalidate.d.ts.map +0 -1
- package/dist/server/mutations/invalidate.js.map +0 -1
- package/dist/server/mutations/oauth.d.ts +0 -30
- package/dist/server/mutations/oauth.d.ts.map +0 -1
- package/dist/server/mutations/oauth.js.map +0 -1
- package/dist/server/mutations/refresh.d.ts +0 -21
- package/dist/server/mutations/refresh.d.ts.map +0 -1
- package/dist/server/mutations/refresh.js.map +0 -1
- package/dist/server/mutations/register.d.ts +0 -38
- package/dist/server/mutations/register.d.ts.map +0 -1
- package/dist/server/mutations/register.js.map +0 -1
- package/dist/server/mutations/retrieve.d.ts +0 -33
- package/dist/server/mutations/retrieve.d.ts.map +0 -1
- package/dist/server/mutations/retrieve.js.map +0 -1
- package/dist/server/mutations/signature.d.ts +0 -21
- package/dist/server/mutations/signature.d.ts.map +0 -1
- package/dist/server/mutations/signature.js.map +0 -1
- package/dist/server/mutations/signin.d.ts +0 -22
- package/dist/server/mutations/signin.d.ts.map +0 -1
- package/dist/server/mutations/signin.js.map +0 -1
- package/dist/server/mutations/signout.d.ts +0 -16
- package/dist/server/mutations/signout.d.ts.map +0 -1
- package/dist/server/mutations/signout.js.map +0 -1
- package/dist/server/mutations/store/refs.d.ts +0 -12
- package/dist/server/mutations/store/refs.d.ts.map +0 -1
- package/dist/server/mutations/store/refs.js.map +0 -1
- package/dist/server/mutations/store.d.ts +0 -306
- package/dist/server/mutations/store.d.ts.map +0 -1
- package/dist/server/mutations/store.js.map +0 -1
- package/dist/server/mutations/verifier.d.ts +0 -13
- package/dist/server/mutations/verifier.d.ts.map +0 -1
- package/dist/server/mutations/verifier.js.map +0 -1
- package/dist/server/mutations/verify.d.ts +0 -26
- package/dist/server/mutations/verify.d.ts.map +0 -1
- package/dist/server/mutations/verify.js.map +0 -1
- package/dist/server/oauth.d.ts +0 -1
- package/dist/server/oauth.js +0 -242
- package/dist/server/oauth.js.map +0 -1
- package/dist/server/passkey.d.ts +0 -27
- package/dist/server/passkey.d.ts.map +0 -1
- package/dist/server/passkey.js.map +0 -1
- package/dist/server/redirects.d.ts +0 -1
- package/dist/server/redirects.js.map +0 -1
- package/dist/server/refresh.d.ts +0 -1
- package/dist/server/refresh.js.map +0 -1
- package/dist/server/runtime.d.ts.map +0 -1
- package/dist/server/runtime.js.map +0 -1
- package/dist/server/sessions.d.ts +0 -1
- package/dist/server/sessions.js.map +0 -1
- package/dist/server/signin.d.ts +0 -1
- package/dist/server/signin.js.map +0 -1
- package/dist/server/ssr.d.ts.map +0 -1
- package/dist/server/ssr.js +0 -777
- package/dist/server/ssr.js.map +0 -1
- package/dist/server/templates.d.ts +0 -1
- package/dist/server/templates.js.map +0 -1
- package/dist/server/tokens.d.ts +0 -1
- package/dist/server/tokens.js.map +0 -1
- package/dist/server/totp.d.ts +0 -1
- package/dist/server/totp.js.map +0 -1
- package/dist/server/types.d.ts.map +0 -1
- package/dist/server/types.js.map +0 -1
- package/dist/server/users.d.ts +0 -1
- package/dist/server/users.js.map +0 -1
- package/dist/server/utils.d.ts +0 -1
- package/dist/server/utils.js +0 -140
- package/dist/server/utils.js.map +0 -1
- package/src/authorization/index.ts +0 -83
- package/src/cli/bin.ts +0 -5
- package/src/cli/command.ts +0 -70
- package/src/cli/index.ts +0 -1112
- package/src/cli/keys.ts +0 -23
- package/src/client/core/types.ts +0 -437
- package/src/client/factors/device.ts +0 -158
- package/src/client/factors/passkey.ts +0 -279
- package/src/client/factors/totp.ts +0 -150
- package/src/client/index.ts +0 -1124
- package/src/client/runtime/browser.ts +0 -112
- package/src/client/runtime/invite.ts +0 -63
- package/src/client/runtime/proxy.ts +0 -111
- package/src/client/runtime/storage.ts +0 -79
- package/src/component/_generated/api.ts +0 -96
- package/src/component/_generated/component.ts +0 -3774
- package/src/component/_generated/dataModel.ts +0 -60
- package/src/component/_generated/server.ts +0 -156
- package/src/component/convex.config.ts +0 -5
- package/src/component/functions.ts +0 -104
- package/src/component/index.ts +0 -42
- package/src/component/model.ts +0 -449
- package/src/component/public/enterprise/audit.ts +0 -125
- package/src/component/public/enterprise/core.ts +0 -355
- package/src/component/public/enterprise/domains.ts +0 -327
- package/src/component/public/enterprise/scim.ts +0 -397
- package/src/component/public/enterprise/secrets.ts +0 -133
- package/src/component/public/enterprise/webhooks.ts +0 -307
- package/src/component/public/factors/devices.ts +0 -224
- package/src/component/public/factors/passkeys.ts +0 -243
- package/src/component/public/factors/totp.ts +0 -259
- package/src/component/public/groups/core.ts +0 -481
- package/src/component/public/groups/invites.ts +0 -608
- package/src/component/public/groups/members.ts +0 -410
- package/src/component/public/identity/accounts.ts +0 -207
- package/src/component/public/identity/codes.ts +0 -149
- package/src/component/public/identity/sessions.ts +0 -210
- package/src/component/public/identity/tokens.ts +0 -251
- package/src/component/public/identity/users.ts +0 -355
- package/src/component/public/identity/verifiers.ts +0 -158
- package/src/component/public/security/keys.ts +0 -366
- package/src/component/public/security/limits.ts +0 -174
- package/src/component/public.ts +0 -27
- package/src/component/schema.ts +0 -505
- package/src/providers/anonymous.ts +0 -99
- package/src/providers/credentials.ts +0 -102
- package/src/providers/device.ts +0 -87
- package/src/providers/email.ts +0 -99
- package/src/providers/index.ts +0 -31
- package/src/providers/oauth.ts +0 -117
- package/src/providers/passkey.ts +0 -77
- package/src/providers/password.ts +0 -441
- package/src/providers/phone.ts +0 -93
- package/src/providers/sso.ts +0 -54
- package/src/providers/totp.ts +0 -62
- package/src/samlify.d.ts +0 -53
- package/src/server/auth.ts +0 -949
- package/src/server/config.ts +0 -200
- package/src/server/context.ts +0 -90
- package/src/server/cookies.ts +0 -49
- package/src/server/core.ts +0 -2004
- package/src/server/crypto.ts +0 -90
- package/src/server/db.ts +0 -203
- package/src/server/device.ts +0 -254
- package/src/server/enterprise/config.ts +0 -51
- package/src/server/enterprise/domain.ts +0 -1739
- package/src/server/enterprise/http.ts +0 -1331
- package/src/server/enterprise/oidc.ts +0 -500
- package/src/server/enterprise/policy.ts +0 -128
- package/src/server/enterprise/saml.ts +0 -578
- package/src/server/enterprise/scim.ts +0 -135
- package/src/server/enterprise/shared.ts +0 -134
- package/src/server/enterprise/validators.ts +0 -93
- package/src/server/http.ts +0 -790
- package/src/server/identity.ts +0 -18
- package/src/server/index.ts +0 -40
- package/src/server/keys.ts +0 -158
- package/src/server/limits.ts +0 -107
- package/src/server/mounts.ts +0 -924
- package/src/server/mutations/account.ts +0 -62
- package/src/server/mutations/code.ts +0 -119
- package/src/server/mutations/index.ts +0 -13
- package/src/server/mutations/invalidate.ts +0 -50
- package/src/server/mutations/oauth.ts +0 -243
- package/src/server/mutations/refresh.ts +0 -299
- package/src/server/mutations/register.ts +0 -155
- package/src/server/mutations/retrieve.ts +0 -109
- package/src/server/mutations/signature.ts +0 -57
- package/src/server/mutations/signin.ts +0 -54
- package/src/server/mutations/signout.ts +0 -43
- package/src/server/mutations/store/refs.ts +0 -10
- package/src/server/mutations/store.ts +0 -123
- package/src/server/mutations/verifier.ts +0 -34
- package/src/server/mutations/verify.ts +0 -200
- package/src/server/oauth.ts +0 -418
- package/src/server/passkey.ts +0 -838
- package/src/server/redirects.ts +0 -59
- package/src/server/refresh.ts +0 -218
- package/src/server/runtime.ts +0 -918
- package/src/server/sessions.ts +0 -132
- package/src/server/signin.ts +0 -445
- package/src/server/ssr.ts +0 -1747
- package/src/server/templates.ts +0 -82
- package/src/server/tokens.ts +0 -35
- package/src/server/totp.ts +0 -399
- package/src/server/types.ts +0 -1942
- package/src/server/users.ts +0 -291
- package/src/server/utils.ts +0 -220
- /package/dist/{runtime → client/runtime}/invite.js +0 -0
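--- a/package/dist/server/core.js
+++ b/package/dist/server/core.js
@@ -1,9 +1,8 @@
 import { getSessionUserId } from "./context.js";
-import {
-import { TOKEN_SUB_CLAIM_DIVIDER, generateRandomString, sha256 } from "./utils.js";
+import { generateRandomString, sha256 } from "./random.js";
 import { buildScopeChecker, checkKeyRateLimit, generateApiKey, hashApiKey } from "./keys.js";
-import {
-import {
+import { TOKEN_SUB_CLAIM_DIVIDER } from "./constants.js";
+import { ConvexError } from "convex/values";
 
 //#region src/server/core.ts
 /**
@@ -20,7 +19,7 @@ import { Cv } from "@robelest/fx/convex";
 * @returns The core domain namespaces consumed by the auth factory.
 */
 function createCoreDomains(deps) {
-const { config,
+const { config, callInvalidateSessions, callCreateAccountFromCredentials, callRetrieveAccountWithCredentials, callModifyAccount, inviteTokenAlphabet, inviteTokenLength } = deps;
 const roleDefinitions = config.authorization.roles;
 const getRoleDefinition = (roleId) => {
 return roleDefinitions[roleId] ?? null;
@@ -28,7 +27,7 @@ function createCoreDomains(deps) {
 const normalizeRoleIds = (roleIds) => {
 const normalized = Array.from(new Set(roleIds ?? []));
 const invalid = normalized.filter((id) => getRoleDefinition(id) === null);
-if (invalid.length > 0) throw
+if (invalid.length > 0) throw new ConvexError({
 code: "INVALID_ROLE_IDS",
 message: "One or more role IDs are invalid.",
 invalidRoleIds: invalid
@@ -74,11 +73,12 @@ function createCoreDomains(deps) {
 };
 const AUTH_CACHE = Symbol("__convexAuthCache");
 function cache(ctx) {
-
+const cachedCtx = ctx;
+if (!cachedCtx[AUTH_CACHE]) cachedCtx[AUTH_CACHE] = {
 users: /* @__PURE__ */ new Map(),
 groups: /* @__PURE__ */ new Map()
 };
-return
+return cachedCtx[AUTH_CACHE];
 }
 const user = {
 get: async (ctx, userId) => {
@@ -142,7 +142,7 @@ function createCoreDomains(deps) {
 ctx.runQuery(config.component.public.totpListByUserId, { userId })
 ]);
 const totalLinked = sessions.length + accounts.length + keys.length + members.length + passkeys.length + totps.length;
-if (!cascade && totalLinked > 0) throw
+if (!cascade && totalLinked > 0) throw new ConvexError({
 code: "INVALID_PARAMETERS",
 message: "The provided parameters are invalid."
 });
@@ -194,11 +194,11 @@ function createCoreDomains(deps) {
 },
 delete: async (ctx, accountId) => {
 const doc = await ctx.runQuery(config.component.public.accountGetById, { accountId });
-if (doc === null) throw
+if (doc === null) throw new ConvexError({
 code: "ACCOUNT_NOT_FOUND",
 message: "Account not found."
 });
-if ((await ctx.runQuery(config.component.public.accountListByUser, { userId: doc.userId })).length <= 1) throw
+if ((await ctx.runQuery(config.component.public.accountListByUser, { userId: doc.userId })).length <= 1) throw new ConvexError({
 code: "INVALID_PARAMETERS",
 message: "The provided parameters are invalid."
 });
@@ -227,16 +227,9 @@ function createCoreDomains(deps) {
 return { totpId };
 }
 };
-const provider = { signIn: async (ctx, providerConfig, args) => {
-
-
-allowExtraProviders: true
-});
-return result.kind === "signedIn" ? result.signedIn !== null ? {
-userId: result.signedIn.userId,
-sessionId: result.signedIn.sessionId
-} : null : null;
-} };
+const provider = { signIn: deps.signInForProvider ? async (ctx, providerConfig, args) => {
+return deps.signInForProvider(ctx, providerConfig, args);
+} : void 0 };
 const group = {
 create: async (ctx, data) => {
 return { groupId: await ctx.runMutation(config.component.public.groupCreate, data) };
@@ -345,7 +338,8 @@ function createCoreDomains(deps) {
 let membership = null;
 if (useAncestry) {
 const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
-
+const memberResolveRef = config.component.public["memberResolve"];
+membership = (await ctx.runQuery(memberResolveRef, {
 userId: opts.userId,
 groupId: opts.groupId,
 maxDepth,
@@ -378,18 +372,18 @@ function createCoreDomains(deps) {
 ancestry: opts.ancestry,
 maxDepth: opts.maxDepth
 });
-if (result.membership === null) throw
+if (result.membership === null) throw new ConvexError({
 code: "NOT_A_MEMBER",
 message: "User is not a member of this group.",
 groupId: opts.groupId
 });
-if (roleFilter !== null && !result.roleIds.some((roleId) => roleFilter.has(roleId))) throw
+if (roleFilter !== null && !result.roleIds.some((roleId) => roleFilter.has(roleId))) throw new ConvexError({
 code: "NOT_A_MEMBER",
 message: "User is not a member of this group.",
 groupId: opts.groupId
 });
 const missingGrants = requiredGrants.filter((grant) => !result.grants.includes(grant));
-if (missingGrants.length > 0) throw
+if (missingGrants.length > 0) throw new ConvexError({
 code: "MISSING_GRANTS",
 message: "User is missing required grants.",
 groupId: opts.groupId,
@@ -473,23 +467,23 @@ function createCoreDomains(deps) {
 verify: async (ctx, rawKey) => {
 const hashedKey = await hashApiKey(rawKey);
 const doc = await ctx.runQuery(config.component.public.keyGetByHashedKey, { hashedKey });
-if (!doc) throw
+if (!doc) throw new ConvexError({
 code: "INVALID_API_KEY",
 message: "Invalid API key."
 });
 const k = doc;
-if (k.revoked) throw
+if (k.revoked) throw new ConvexError({
 code: "API_KEY_REVOKED",
 message: "This API key has been revoked."
 });
-if (k.expiresAt && k.expiresAt < Date.now()) throw
+if (k.expiresAt && k.expiresAt < Date.now()) throw new ConvexError({
 code: "API_KEY_EXPIRED",
 message: "This API key has expired."
 });
 const patchData = { lastUsedAt: Date.now() };
 if (k.rateLimit) {
 const { limited, newState } = checkKeyRateLimit(k.rateLimit, k.rateLimitState ?? void 0);
-if (limited) throw
+if (limited) throw new ConvexError({
 code: "API_KEY_RATE_LIMITED",
 message: "API key rate limit exceeded. Please try again later."
 });
@@ -537,11 +531,12 @@ function createCoreDomains(deps) {
 },
 rotate: async (ctx, keyId, opts) => {
 const existing = await ctx.runQuery(config.component.public.keyGetById, { keyId });
-if (!existing) throw
+if (!existing) throw new ConvexError({
 code: "INVALID_PARAMETERS",
 message: "The provided parameters are invalid."
 });
-
+const typedExisting = existing;
+if (typedExisting.revoked === true) throw new ConvexError({
 code: "API_KEY_REVOKED",
 message: "This API key has been revoked."
 });
@@ -550,12 +545,12 @@ function createCoreDomains(deps) {
 data: { revoked: true }
 });
 return await key.create(ctx, {
-userId:
-name: opts?.name ??
-scopes:
-rateLimit:
+userId: typedExisting.userId,
+name: opts?.name ?? typedExisting.name ?? keyId,
+scopes: typedExisting.scopes ?? [],
+rateLimit: typedExisting.rateLimit,
 expiresAt: opts?.expiresAt,
-metadata:
+metadata: typedExisting.metadata
 });
 }
 };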
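Review bot: `rotate` rejects a revoked key but still accepts an expired one, and the replacement is created with `expiresAt: opts?.expiresAt`, so a rotation without an explicit expiry appears to turn a lapsed key into a live one that keeps the old `scopes` and `rateLimit` and has no end date (unless `key.create`, which is outside these hunks, applies a default). `verify` in the same file already treats `k.expiresAt < Date.now()` as a hard failure, so the same guard after the revoked check would keep the two paths consistent: `if (typedExisting.expiresAt && typedExisting.expiresAt < Date.now()) throw new ConvexError({ code: "API_KEY_EXPIRED", message: "This API key has expired." });`. If rotating expired keys is intended, a comment saying so and a documented default for the new key's `expiresAt` would make that explicit. Part of `rotate` lies between the last two hunks and is not shown.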
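--- a/package/dist/server/crypto.js
+++ b/package/dist/server/crypto.js
@@ -1,55 +1,45 @@
-import {
-import { Fx } from "@robelest/fx";
-import { Cv } from "@robelest/fx/convex";
+import { ConvexError } from "convex/values";
 
 //#region src/server/crypto.ts
+function errorMessage(error) {
+return error instanceof Error ? error.message : String(error);
+}
+const credentialsError = (code, message) => new ConvexError({
+code,
+message
+});
+function asCredentialsProvider(provider) {
+if (provider.type !== "credentials") throw credentialsError("INVALID_CREDENTIALS_PROVIDER", `Provider ${provider.id} is not a credentials provider`);
+return provider;
+}
 /**
 * Hash a secret using the provider's `crypto.hashSecret` function.
-*
-* Validates that the provider is a credentials provider and has the
-* required crypto function, returning typed errors through the Fx channel.
+* @internal
 */
-
-const
-
-
-
-
-
-
-
-
-});
-return yield* Fx.from({
-ok: () => hashSecretFn(secret),
-err: (e) => Cv.error({
-code: "INTERNAL_ERROR",
-message: `Hash failed: ${errorMessage(e)}`
-})
-});
-});
+async function hash(provider, secret) {
+const credProvider = asCredentialsProvider(provider);
+const hashSecret = credProvider.crypto?.hashSecret;
+if (!hashSecret) throw credentialsError("MISSING_CRYPTO_FUNCTION", `Provider ${credProvider.id} does not have a \`crypto.hashSecret\` function`);
+try {
+return await hashSecret(secret);
+} catch (error) {
+throw credentialsError("INTERNAL_ERROR", `Hash failed: ${errorMessage(error)}`);
+}
+}
 /**
 * Verify a secret against a hash using the provider's `crypto.verifySecret` function.
+* @internal
 */
-
-const
-
-
-
-
-
-
-
-
-});
-return yield* Fx.from({
-ok: () => verifySecretFn(secret, hashValue),
-err: (e) => Cv.error({
-code: "INTERNAL_ERROR",
-message: `Verify failed: ${errorMessage(e)}`
-})
-});
-});
+async function verify(provider, secret, hashValue) {
+const credProvider = asCredentialsProvider(provider);
+const verifySecret = credProvider.crypto?.verifySecret;
+if (!verifySecret) throw credentialsError("MISSING_CRYPTO_FUNCTION", `Provider ${credProvider.id} does not have a \`crypto.verifySecret\` function`);
+try {
+return await verifySecret(secret, hashValue);
+} catch (error) {
+throw credentialsError("INTERNAL_ERROR", `Verify failed: ${errorMessage(error)}`);
+}
+}
 
 //#endregion
 export { hash, verify };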
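Review bot: The catch blocks in `hash` and `verify` copy the underlying exception text into a `ConvexError` (`Hash failed: ${errorMessage(error)}`), and a ConvexError payload is passed through to the calling client instead of being redacted like an ordinary server error. Whatever a provider's crypto function throws, which could include library internals or fragments of its input, can therefore end up in a sign-in response. Logging the original error on the server and throwing a fixed message keeps the error code useful without exposing the detail, e.g. `throw credentialsError("INTERNAL_ERROR", "Hash failed");` and likewise for `verify`. The same pattern appears in `handleDevice` in device.js (`Device flow failed: ${error.message}`) and in `toConvexError` in the new module marked `src/server/errors.ts`, which forwards `error.message` under `INTERNAL_ERROR`.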
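--- a/package/dist/server/db.js
+++ b/package/dist/server/db.js
@@ -35,12 +35,16 @@ function authDb(ctx, config) {
 userId,
 expirationTime
 }),
+issue: (args) => ctx.runMutation(component.public.sessionIssue, args),
 getById: (sessionId) => ctx.runQuery(component.public.sessionGetById, { sessionId }),
 delete: (sessionId) => ctx.runMutation(component.public.sessionDelete, { sessionId }),
 listByUser: (userId) => ctx.runQuery(component.public.sessionListByUser, { userId })
 },
 verifiers: {
-create: (sessionId) => ctx.runMutation(component.public.verifierCreate, {
+create: (sessionId, signature) => ctx.runMutation(component.public.verifierCreate, {
+sessionId,
+signature
+}),
 getById: (verifierId) => ctx.runQuery(component.public.verifierGetById, { verifierId }),
 getBySignature: (signature) => ctx.runQuery(component.public.verifierGetBySignature, { signature }),
 patch: (verifierId, data) => ctx.runMutation(component.public.verifierPatch, {
@@ -57,6 +61,7 @@ function authDb(ctx, config) {
 },
 refreshTokens: {
 create: (args) => ctx.runMutation(component.public.refreshTokenCreate, args),
+exchange: (args) => ctx.runMutation(component.public.refreshTokenExchange, args),
 getById: (refreshTokenId) => ctx.runQuery(component.public.refreshTokenGetById, { refreshTokenId }),
 patch: (refreshTokenId, data) => ctx.runMutation(component.public.refreshTokenPatch, {
 refreshTokenId,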
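--- a/package/dist/server/device.js
+++ b/package/dist/server/device.js
@@ -1,22 +1,15 @@
 import { userIdFromIdentitySubject } from "./identity.js";
-import { generateRandomString,
+import { generateRandomString, sha256 } from "./random.js";
+import { requireEnv } from "./env.js";
 import { callSignIn } from "./mutations/signin.js";
+import { AuthFlowError, authFlowError } from "../shared/errors.js";
+import { toConvexError } from "./errors.js";
 import { mutateDeviceAuthorize, mutateDeviceDelete, mutateDeviceInsert, mutateDeviceUpdateLastPolled, queryDeviceByCodeHash, queryDeviceByUserCode } from "./types.js";
-import { Fx } from "@robelest/fx";
-import { Cv } from "@robelest/fx/convex";
 import { ConvexError } from "convex/values";
 
 //#region src/server/device.ts
 /**
 * Server-side device authorization flow logic (RFC 8628).
-*
-* Handles the three phases of the device flow:
-* 1. (default) — Generate a device code + user code pair
-* 2. poll — Device checks whether the user has authorized yet
-* 3. verify — Authenticated user links a user code to their session
-*
-* Uses `@oslojs/crypto/random` for code generation and
-* `@oslojs/crypto/sha2` for hashing device codes before storage.
 */
 const DEVICE_CODE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
 const DEVICE_CODE_LENGTH = 40;
@@ -25,127 +18,100 @@ const DEVICE_FLOWS = [
 "poll",
 "verify"
 ];
+const deviceError = authFlowError;
+const assertFlow = (flow) => {
+if (DEVICE_FLOWS.includes(flow)) return flow;
+throw deviceError("DEVICE_MISSING_FLOW", "Missing `flow` parameter. Expected one of: create, poll, verify");
+};
+async function handleCreate(ctx, provider) {
+const deviceCode = generateRandomString(DEVICE_CODE_LENGTH, DEVICE_CODE_ALPHABET);
+const deviceCodeHash = await sha256(deviceCode);
+const rawUserCode = generateRandomString(provider.userCodeLength, provider.charset);
+const mid = Math.floor(rawUserCode.length / 2);
+const userCode = rawUserCode.slice(0, mid) + "-" + rawUserCode.slice(mid);
+await mutateDeviceInsert(ctx, {
+deviceCodeHash,
+userCode,
+expiresAt: Date.now() + provider.expiresIn * 1e3,
+interval: provider.interval,
+status: "pending"
+});
+const verificationUri = provider.verificationUri ?? `${process.env.SITE_URL ?? requireEnv("SITE_URL")}/device`;
+return {
+kind: "deviceCode",
+deviceCode,
+userCode,
+verificationUri,
+verificationUriComplete: `${verificationUri}?code=${encodeURIComponent(userCode)}`,
+expiresIn: provider.expiresIn,
+interval: provider.interval
+};
+}
+async function handlePoll(ctx, params) {
+if (typeof params.deviceCode !== "string") throw deviceError("DEVICE_MISSING_FLOW", "Missing `deviceCode` parameter for poll flow.");
+const doc = await queryDeviceByCodeHash(ctx, await sha256(params.deviceCode));
+if (doc === null) throw deviceError("DEVICE_CODE_EXPIRED", "The device code has expired. Please start a new authorization request.");
+if (Date.now() > doc.expiresAt) {
+await mutateDeviceDelete(ctx, doc._id);
+throw deviceError("DEVICE_CODE_EXPIRED", "The device code has expired. Please start a new authorization request.");
+}
+if (doc.lastPolledAt !== void 0 && (Date.now() - doc.lastPolledAt) / 1e3 < doc.interval) throw deviceError("DEVICE_SLOW_DOWN", "Polling too frequently. Increase the interval between requests.");
+await mutateDeviceUpdateLastPolled(ctx, doc._id, Date.now());
+if (doc.status === "pending") throw deviceError("DEVICE_AUTHORIZATION_PENDING", "The user has not yet authorized this device.");
+if (doc.status === "denied") {
+await mutateDeviceDelete(ctx, doc._id);
+throw deviceError("DEVICE_CODE_DENIED", "The authorization request was denied.");
+}
+if (!doc.userId || !doc.sessionId) throw deviceError("INTERNAL_ERROR", "Authorized device code missing userId or sessionId");
+await mutateDeviceDelete(ctx, doc._id);
+return {
+kind: "signedIn",
+signedIn: await callSignIn(ctx, {
+userId: doc.userId,
+sessionId: doc.sessionId,
+generateTokens: true
+})
+};
+}
+async function handleDeviceVerify(ctx, params) {
+if (typeof params.userCode !== "string") throw deviceError("DEVICE_INVALID_USER_CODE", "Missing `userCode` parameter for verify flow.");
+const identity = await ctx.auth.getUserIdentity();
+if (identity === null) throw deviceError("NOT_SIGNED_IN", "You must be signed in to authorize a device.");
+const userId = userIdFromIdentitySubject(identity.subject);
+const doc = await queryDeviceByUserCode(ctx, params.userCode);
+if (doc === null) throw deviceError("DEVICE_INVALID_USER_CODE", "Invalid or expired user code.");
+if (Date.now() > doc.expiresAt) {
+await mutateDeviceDelete(ctx, doc._id);
+throw deviceError("DEVICE_CODE_EXPIRED", "The device code has expired. Please start a new authorization request.");
+}
+if (doc.status !== "pending") throw deviceError("DEVICE_ALREADY_AUTHORIZED", "This device code has already been authorized.");
+const signInResult = await callSignIn(ctx, {
+userId,
+generateTokens: false
+});
+await mutateDeviceAuthorize(ctx, doc._id, signInResult.userId, signInResult.sessionId);
+return {
+kind: "signedIn",
+signedIn: null
+};
+}
 /** @internal */
-const handleDevice = (ctx, provider, args) =>
-
+const handleDevice = async (ctx, provider, args) => {
+try {
 const params = args.params ?? {};
-const flow = typeof params.flow === "string" ? params.flow : "create";
-
-
-
-
-
-
-
-
-
-
-
-
-userCode,
-expiresAt: Date.now() + provider.expiresIn * 1e3,
-interval: provider.interval,
-status: "pending"
-});
-const verificationUri = provider.verificationUri ?? `${process.env.SITE_URL ?? requireEnv("SITE_URL")}/device`;
-return {
-kind: "deviceCode",
-deviceCode,
-userCode,
-verificationUri,
-verificationUriComplete: `${verificationUri}?user_code=${encodeURIComponent(userCode)}`,
-expiresIn: provider.expiresIn,
-interval: provider.interval
-};
-}
-if (flow === "poll") {
-if (typeof params.deviceCode !== "string") throw Cv.error({
-code: "DEVICE_MISSING_FLOW",
-message: "Missing `deviceCode` parameter for poll flow."
-});
-const doc$1 = await queryDeviceByCodeHash(ctx, await sha256(params.deviceCode));
-if (doc$1 === null) throw Cv.error({
-code: "DEVICE_CODE_EXPIRED",
-message: "The device code has expired. Please start a new authorization request."
-});
-if (Date.now() > doc$1.expiresAt) {
-await mutateDeviceDelete(ctx, doc$1._id);
-throw Cv.error({
-code: "DEVICE_CODE_EXPIRED",
-message: "The device code has expired. Please start a new authorization request."
-});
-}
-if (doc$1.lastPolledAt !== void 0 && (Date.now() - doc$1.lastPolledAt) / 1e3 < doc$1.interval) throw Cv.error({
-code: "DEVICE_SLOW_DOWN",
-message: "Polling too frequently. Increase the interval between requests."
-});
-await mutateDeviceUpdateLastPolled(ctx, doc$1._id, Date.now());
-if (doc$1.status === "pending") throw Cv.error({
-code: "DEVICE_AUTHORIZATION_PENDING",
-message: "The user has not yet authorized this device."
-});
-if (doc$1.status === "denied") {
-await mutateDeviceDelete(ctx, doc$1._id);
-throw Cv.error({
-code: "DEVICE_CODE_DENIED",
-message: "The authorization request was denied."
-});
-}
-if (!doc$1.userId || !doc$1.sessionId) throw Cv.error({
-code: "INTERNAL_ERROR",
-message: "Authorized device code missing userId or sessionId"
-});
-await mutateDeviceDelete(ctx, doc$1._id);
-return {
-kind: "signedIn",
-signedIn: await callSignIn(ctx, {
-userId: doc$1.userId,
-sessionId: doc$1.sessionId,
-generateTokens: true
-})
-};
-}
-if (typeof params.userCode !== "string") throw Cv.error({
-code: "DEVICE_INVALID_USER_CODE",
-message: "Missing `userCode` parameter for verify flow."
-});
-const identity = await ctx.auth.getUserIdentity();
-if (identity === null) throw Cv.error({
-code: "NOT_SIGNED_IN",
-message: "You must be signed in to authorize a device."
-});
-const userId = userIdFromIdentitySubject(identity.subject);
-const doc = await queryDeviceByUserCode(ctx, params.userCode);
-if (doc === null) throw Cv.error({
-code: "DEVICE_INVALID_USER_CODE",
-message: "Invalid or expired user code."
-});
-if (Date.now() > doc.expiresAt) {
-await mutateDeviceDelete(ctx, doc._id);
-throw Cv.error({
-code: "DEVICE_CODE_EXPIRED",
-message: "The device code has expired. Please start a new authorization request."
-});
-}
-if (doc.status !== "pending") throw Cv.error({
-code: "DEVICE_ALREADY_AUTHORIZED",
-message: "This device code has already been authorized."
-});
-const signInResult = await callSignIn(ctx, {
-userId,
-generateTokens: false
-});
-await mutateDeviceAuthorize(ctx, doc._id, signInResult.userId, signInResult.sessionId);
-return {
-kind: "signedIn",
-signedIn: null
-};
-},
-err: (e) => e instanceof ConvexError ? e : Cv.error({
-code: "INTERNAL_ERROR",
-message: `Device flow failed: ${String(e)}`
-})
-});
+const flow = assertFlow(typeof params.flow === "string" ? params.flow : "create");
+return await new Map([
+["create", () => handleCreate(ctx, provider)],
+["poll", () => handlePoll(ctx, params)],
+["verify", () => handleDeviceVerify(ctx, params)]
+]).get(flow)();
+} catch (error) {
+if (error instanceof ConvexError) throw error;
+if (error instanceof AuthFlowError) throw toConvexError(error);
+if (error instanceof Error) throw toConvexError(authFlowError("INTERNAL_ERROR", `Device flow failed: ${error.message}`));
+throw toConvexError(error);
+}
+};
 
 //#endregion
 export { handleDevice };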
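Review bot: `handleDeviceVerify` looks up `params.userCode` and answers a miss with `DEVICE_INVALID_USER_CODE`, but nothing visible here counts or throttles failed lookups, while `handlePoll` does enforce `doc.interval` on the device-code side. RFC 8628 §5.1 asks the authorization server to rate-limit user-code guesses, and the guessing space is whatever `provider.userCodeLength` and `provider.charset` give it, neither of which is bounded in this file. If the caller of `handleDevice` does not already apply a per-user or per-IP limit to the verify flow, that should be added before the `queryDeviceByUserCode` call. At minimum, record the expectation with a comment such as `// Caller must rate-limit verify attempts (RFC 8628 §5.1); user-code entropy is provider-configured.` The rate-limiting helpers available to this module are not shown, so this is a note rather than a patch.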
@@ -0,0 +1,48 @@
|
|
|
1
|
+
import { ConvexError } from "convex/values";
|
|
2
|
+
|
|
3
|
+
//#region src/server/env.ts
|
|
4
|
+
function readEnv(name) {
|
|
5
|
+
const value = typeof process === "undefined" ? void 0 : process.env?.[name];
|
|
6
|
+
return typeof value === "string" && value.length > 0 ? value : void 0;
|
|
7
|
+
}
|
|
8
|
+
/** @internal */
|
|
9
|
+
const readConfigSync = (value) => value;
|
|
10
|
+
/** @internal */
|
|
11
|
+
const envString = (name) => {
|
|
12
|
+
const value = readEnv(name);
|
|
13
|
+
if (value === void 0) throw new Error(`Missing environment variable \`${name}\``);
|
|
14
|
+
return value;
|
|
15
|
+
};
|
|
16
|
+
/** @internal */
|
|
17
|
+
const envOptionalString = (name) => readEnv(name);
|
|
18
|
+
/** @internal */
|
|
19
|
+
const envOptionalNumber = (name) => {
|
|
20
|
+
const value = readEnv(name);
|
|
21
|
+
if (value === void 0) return;
|
|
22
|
+
const parsed = Number(value);
|
|
23
|
+
if (!Number.isFinite(parsed)) throw new Error(`Invalid numeric environment variable \`${name}\``);
|
|
24
|
+
return parsed;
|
|
25
|
+
};
|
|
26
|
+
/** @internal */
|
|
27
|
+
const envBoolean = (name) => {
|
|
28
|
+
const value = readEnv(name);
|
|
29
|
+
if (value === void 0) return;
|
|
30
|
+
if (value === "true") return true;
|
|
31
|
+
if (value === "false") return false;
|
|
32
|
+
throw new Error(`Invalid boolean environment variable \`${name}\``);
|
|
33
|
+
};
|
|
34
|
+
/** @internal */
|
|
35
|
+
function requireEnv(name) {
|
|
36
|
+
try {
|
|
37
|
+
return readConfigSync(envString(name));
|
|
38
|
+
} catch {
|
|
39
|
+
throw new ConvexError({
|
|
40
|
+
code: "MISSING_ENV_VAR",
|
|
41
|
+
message: `Missing environment variable \`${name}\``
|
|
42
|
+
});
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
//#endregion
|
|
47
|
+
export { envBoolean, envOptionalNumber, envOptionalString, readConfigSync, requireEnv };
|
|
48
|
+
//# sourceMappingURL=env.js.map
|
|
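Review bot: `envOptionalNumber` accepts a whitespace-only value as `0`, because `readEnv` only rejects the empty string and `Number(" ")` evaluates to `0`, which passes `Number.isFinite`. A variable that was set to blanks by mistake is then read as an explicit zero, which matters if the setting is a duration, a limit or an attempt count. Rejecting blank input alongside non-finite results closes the gap: `if (value.trim() === "" || !Number.isFinite(parsed)) throw new Error(\`Invalid numeric environment variable \\\`${name}\\\`\`);`. `Number()` also accepts hex and exponent forms such as `0x10` and `1e3`; if only plain decimals are intended, a short comment on the accepted syntax would help.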
@@ -0,0 +1,20 @@
|
|
|
1
|
+
import { AuthFlowError } from "../shared/errors.js";
|
|
2
|
+
import { ConvexError } from "convex/values";
|
|
3
|
+
|
|
4
|
+
//#region src/server/errors.ts
|
|
5
|
+
/** @internal */
|
|
6
|
+
const toConvexError = (error) => {
|
|
7
|
+
if (error instanceof ConvexError) return error;
|
|
8
|
+
if (error instanceof AuthFlowError) return new ConvexError({
|
|
9
|
+
code: error.code,
|
|
10
|
+
message: error.message
|
|
11
|
+
});
|
|
12
|
+
return new ConvexError({
|
|
13
|
+
code: "INTERNAL_ERROR",
|
|
14
|
+
message: error instanceof Error ? error.message : String(error)
|
|
15
|
+
});
|
|
16
|
+
};
|
|
17
|
+
|
|
18
|
+
//#endregion
|
|
19
|
+
export { toConvexError };
|
|
20
|
+
//# sourceMappingURL=errors.js.map
|