@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

package/dist/server/prefetch.js

@@ -0,0 +1,635 @@
+import { log } from "./log.js";
+import { isLocalHost } from "./url.js";
+import { ConvexError } from "convex/values";
+import { ConvexHttpClient } from "convex/browser";
+import { makeFunctionReference } from "convex/server";
+import { parse, serialize } from "cookie";
+import { jwtDecode } from "jwt-decode";
+
+//#region src/server/prefetch.ts
+const signInActionRef = makeFunctionReference("auth:signIn");
+const signOutActionRef = makeFunctionReference("auth:signOut");
+const TOKEN_COOKIE_BASE_NAME = "__convexAuthJWT";
+const REFRESH_COOKIE_BASE_NAME = "__convexAuthRefreshToken";
+const VERIFIER_COOKIE_BASE_NAME = "__convexAuthOAuthVerifier";
+const DERIVED_COOKIE_NAMESPACE_FALLBACK = "convexauth";
+/**
+* Derive the cookie names used for auth tokens.
+*
+* On localhost the names are unprefixed; on production hosts they
+* use the `__Host-` prefix for tighter security.
+*
+* @param host - The `Host` header value. Omit to use unprefixed names.
+* @param cookieNamespace - Optional namespace suffix for cookie isolation.
+* @returns An object with `token`, `refreshToken`, and `verifier` cookie names.
+*/
+function authCookieNames(host, cookieNamespace) {
+	const prefix = isLocalHost(host) ? "" : "__Host-";
+	const namespace = normalizeCookieNamespace(cookieNamespace);
+	const suffix = namespace === null ? "" : `_${namespace}`;
+	return {
+		token: `${prefix}${TOKEN_COOKIE_BASE_NAME}${suffix}`,
+		refreshToken: `${prefix}${REFRESH_COOKIE_BASE_NAME}${suffix}`,
+		verifier: `${prefix}${VERIFIER_COOKIE_BASE_NAME}${suffix}`
+	};
+}
+/**
+* Parse auth cookie values from a raw `Cookie` header string.
+*
+* @param cookieHeader - The raw `Cookie` header, or `null`/`undefined`.
+* @param host - The `Host` header, used to determine cookie name prefixes.
+* @param cookieNamespace - Optional namespace suffix for cookie isolation.
+* @returns Parsed {@link AuthCookies} with `token`, `refreshToken`, and `verifier`.
+*/
+function parseAuthCookies(cookieHeader, host, cookieNamespace) {
+	const names = authCookieNames(host, cookieNamespace);
+	const parsed = parse(cookieHeader ?? "");
+	return {
+		token: parsed[names.token] ?? null,
+		refreshToken: parsed[names.refreshToken] ?? null,
+		verifier: parsed[names.verifier] ?? null
+	};
+}
+/**
+* Serialize auth cookies into `Set-Cookie` header strings.
+*
+* Nulled-out values produce deletion cookies (maxAge 0, expired date).
+*
+* @param cookies - The auth cookie values to serialize.
+* @param host - The `Host` header, used for cookie name prefixes and `Secure` flag.
+* @param config - Cookie lifetime config. Defaults to session cookies.
+* @param cookieNamespace - Optional namespace suffix for cookie isolation.
+* @returns An array of three `Set-Cookie` header strings.
+*/
+function serializeAuthCookies(cookies, host, config = { maxAge: null }, cookieNamespace) {
+	const names = authCookieNames(host, cookieNamespace);
+	const base = {
+		path: "/",
+		httpOnly: true,
+		sameSite: "lax",
+		secure: !isLocalHost(host)
+	};
+	const maxAge = config.maxAge ?? void 0;
+	return [
+		serialize(names.token, cookies.token ?? "", {
+			...base,
+			maxAge: cookies.token === null ? 0 : maxAge,
+			expires: cookies.token === null ? /* @__PURE__ */ new Date(0) : void 0
+		}),
+		serialize(names.refreshToken, cookies.refreshToken ?? "", {
+			...base,
+			maxAge: cookies.refreshToken === null ? 0 : maxAge,
+			expires: cookies.refreshToken === null ? /* @__PURE__ */ new Date(0) : void 0
+		}),
+		serialize(names.verifier, cookies.verifier ?? "", {
+			...base,
+			maxAge: cookies.verifier === null ? 0 : maxAge,
+			expires: cookies.verifier === null ? /* @__PURE__ */ new Date(0) : void 0
+		})
+	];
+}
+/**
+* Build structured cookie objects for any SSR framework.
+*
+* Use with SvelteKit's `event.cookies.set()`, TanStack Start's `setCookie()`,
+* Next.js's `cookies().set()`, or any other framework cookie API.
+*
+* @param cookies - The auth cookie values to convert.
+* @param host - The `Host` header, used for cookie name prefixes and `Secure`.
+* @param config - Cookie lifetime config. Defaults to session cookies.
+* @param cookieNamespace - Optional namespace suffix for cookie isolation.
+* @returns Structured cookie descriptors ready for framework cookie APIs.
+*/
+function structuredAuthCookies(cookies, host, config = { maxAge: null }, cookieNamespace) {
+	const names = authCookieNames(host, cookieNamespace);
+	const base = {
+		path: "/",
+		httpOnly: true,
+		secure: !isLocalHost(host),
+		sameSite: "lax"
+	};
+	const maxAge = config.maxAge ?? void 0;
+	return [
+		{
+			name: names.token,
+			value: cookies.token ?? "",
+			options: {
+				...base,
+				maxAge: cookies.token === null ? 0 : maxAge,
+				expires: cookies.token === null ? /* @__PURE__ */ new Date(0) : void 0
+			}
+		},
+		{
+			name: names.refreshToken,
+			value: cookies.refreshToken ?? "",
+			options: {
+				...base,
+				maxAge: cookies.refreshToken === null ? 0 : maxAge,
+				expires: cookies.refreshToken === null ? /* @__PURE__ */ new Date(0) : void 0
+			}
+		},
+		{
+			name: names.verifier,
+			value: cookies.verifier ?? "",
+			options: {
+				...base,
+				maxAge: cookies.verifier === null ? 0 : maxAge,
+				expires: cookies.verifier === null ? /* @__PURE__ */ new Date(0) : void 0
+			}
+		}
+	];
+}
+/**
+* Check whether a request pathname matches the auth proxy route.
+*
+* Handles trailing-slash ambiguity: both `/api/auth` and `/api/auth/`
+* match regardless of how `apiRoute` is configured.
+*
+* @param pathname - The request URL pathname.
+* @param apiRoute - The configured proxy route (e.g. `"/api/auth"`).
+* @returns `true` when the pathname matches the proxy route.
+*
+* @see {@link server}
+*/
+function shouldProxyAuthAction(pathname, apiRoute) {
+	if (apiRoute.endsWith("/")) return pathname === apiRoute || pathname === apiRoute.slice(0, -1);
+	return pathname === apiRoute || pathname === `${apiRoute}/`;
+}
+const REQUIRED_TOKEN_LIFETIME_MS = 3e4;
+const MINIMUM_REQUIRED_TOKEN_LIFETIME_MS = 5e3;
+const JSON_HEADERS = { "Content-Type": "application/json" };
+function decodeToken(token) {
+	try {
+		return jwtDecode(token);
+	} catch {
+		return null;
+	}
+}
+function jsonResponse(body, status = 200) {
+	return new Response(JSON.stringify(body), {
+		status,
+		headers: JSON_HEADERS
+	});
+}
+function appendCookieHeaders(response, values) {
+	for (const value of values) response.headers.append("Set-Cookie", value);
+	return response;
+}
+function getConvexErrorCode(error) {
+	return error instanceof ConvexError && typeof error.data === "object" && error.data !== null && typeof error.data.code === "string" ? error.data.code : null;
+}
+function getProxyErrorBody(error) {
+	return error instanceof ConvexError && typeof error.data === "object" && error.data !== null && "code" in error.data ? {
+		error: error.data.message ?? String(error),
+		authError: error.data
+	} : { error: error instanceof Error ? error.message : String(error) };
+}
+function extractSignedInTokens(result, context) {
+	if (result.kind === "signedIn") return result.tokens;
+	throw new Error(`Invalid \`auth:signIn\` result for ${context}`);
+}
+function normalizeCookieNamespace(cookieNamespace) {
+	if (cookieNamespace === void 0 || cookieNamespace === null) return null;
+	const normalized = cookieNamespace.trim().replace(/[^a-zA-Z0-9]+/g, "_").replace(/^_+|_+$/g, "").toLowerCase();
+	return normalized.length > 0 ? normalized : null;
+}
+/**
+* Safely check if a string is a valid URL without throwing.
+*/
+function canParseUrl(value) {
+	try {
+		new URL(value);
+		return true;
+	} catch {
+		return false;
+	}
+}
+function serializeAuthCookie(cookie) {
+	const parts = [`${cookie.name}=${cookie.value}`, `Path=${cookie.options.path}`];
+	if (cookie.options.httpOnly) parts.push("HttpOnly");
+	if (cookie.options.secure) parts.push("Secure");
+	if (cookie.options.sameSite) parts.push(`SameSite=${cookie.options.sameSite}`);
+	if (cookie.options.maxAge !== void 0) parts.push(`Max-Age=${cookie.options.maxAge}`);
+	if (cookie.options.expires) parts.push(`Expires=${cookie.options.expires.toUTCString()}`);
+	return parts.join("; ");
+}
+function buildRedirectResponse(location, cookies) {
+	const headers = new Headers({ Location: location });
+	for (const cookie of cookies) headers.append("Set-Cookie", serializeAuthCookie(cookie));
+	return new Response(null, {
+		status: 302,
+		headers
+	});
+}
+function deriveCookieNamespaceFromUrl(url) {
+	if (!canParseUrl(url)) return DERIVED_COOKIE_NAMESPACE_FALLBACK;
+	const parsed = new URL(url);
+	return normalizeCookieNamespace(`${parsed.hostname}${parsed.pathname}`) ?? DERIVED_COOKIE_NAMESPACE_FALLBACK;
+}
+function normalizeIssuer(value) {
+	if (!canParseUrl(value)) return value.replace(/\/+$/, "");
+	const parsed = new URL(value);
+	const pathname = parsed.pathname === "/" ? "" : parsed.pathname.replace(/\/+$/, "");
+	return `${parsed.protocol}//${parsed.host}${pathname}`;
+}
+function convexSiteIssuerFromCloudUrl(value) {
+	if (!canParseUrl(value)) return null;
+	const parsed = new URL(value);
+	if (!parsed.hostname.endsWith(".convex.cloud")) return null;
+	parsed.hostname = parsed.hostname.slice(0, -13) + ".convex.site";
+	return normalizeIssuer(parsed.toString());
+}
+function defaultAcceptedIssuersForUrl(value) {
+	const issuers = [normalizeIssuer(value)];
+	const siteIssuer = convexSiteIssuerFromCloudUrl(value);
+	if (siteIssuer !== null) issuers.push(siteIssuer);
+	return issuers;
+}
+/**
+* Create an SSR auth helper for server-side frameworks.
+*
+* Handles cookie-based token management, OAuth code exchange,
+* and automatic JWT refresh on page loads. Works with any
+* framework that gives you a `Request` object — SvelteKit,
+* TanStack Start, Remix, Next.js, etc.
+*
+* @param options - SSR configuration (Convex API URL, issuer rules, proxy route, cookie lifetime).
+* @returns An object with `token`, `verify`, `proxy`, and `refresh` methods.
+*
+* @example SvelteKit hooks
+* ```ts
+* // src/hooks.server.ts
+* import { server } from '@robelest/convex-auth/server';
+*
+* const auth = server({ url: CONVEX_URL });
+*
+* export const handle = async ({ event, resolve }) => {
+*   const { cookies, token } = await auth.refresh(event.request);
+*   for (const c of cookies) event.cookies.set(c.name, c.value, c.options);
+*   event.locals.token = token;
+*   return resolve(event);
+* };
+* ```
+*
+* @example Generic proxy endpoint
+* ```ts
+* if (shouldProxyAuthAction(url.pathname, '/api/auth')) {
+*   return auth.proxy(request);
+* }
+* ```
+*
+* @param options - Server-side auth configuration including Convex URL,
+*   accepted issuers, proxy route, and cookie behavior.
+* @returns SSR helpers for reading tokens, refreshing cookies, and proxying
+*   auth actions through an httpOnly-cookie layer.
+*
+* @see {@link shouldProxyAuthAction}
+*/
+function server(options) {
+	const convexUrl = options.url;
+	const apiRoute = options.apiRoute ?? "/api/auth";
+	const cookieConfig = { maxAge: options.cookieMaxAge ?? null };
+	const verbose = options.verbose ?? false;
+	const cookieNamespace = normalizeCookieNamespace(options.cookieNamespace) ?? deriveCookieNamespaceFromUrl(convexUrl);
+	const acceptedIssuers = new Set((options.acceptedIssuers ?? defaultAcceptedIssuersForUrl(convexUrl)).map(normalizeIssuer).filter((issuer) => issuer.length > 0));
+	return {
+		token(request) {
+			return parseAuthCookies(request.headers.get("cookie"), request.headers.get("host") ?? new URL(request.url).host, cookieNamespace).token;
+		},
+		async verify(request) {
+			const token = parseAuthCookies(request.headers.get("cookie"), request.headers.get("host") ?? new URL(request.url).host, cookieNamespace).token;
+			if (token === null) return false;
+			const decodedToken = decodeToken(token);
+			return decodedToken?.exp !== void 0 && decodedToken.iss !== void 0 && acceptedIssuers.has(normalizeIssuer(decodedToken.iss)) && decodedToken.exp * 1e3 > Date.now();
+		},
+		async proxy(request) {
+			const createClient = (token) => {
+				const client = new ConvexHttpClient(convexUrl);
+				if (token !== null && token !== void 0) client.setAuth(token);
+				return client;
+			};
+			const runSignIn = async (client, args$1) => client.action(signInActionRef, args$1);
+			const runSignOut = async (token) => createClient(token).action(signOutActionRef);
+			const hydrateProxySignInClient = async (currentCookies$1, args$1) => {
+				const client = createClient();
+				const requestParams = typeof args$1.params === "object" && args$1.params !== null ? args$1.params : void 0;
+				if (!(args$1.refreshToken === void 0 && requestParams?.code === void 0)) return {
+					client,
+					cookies: currentCookies$1
+				};
+				const currentToken = currentCookies$1.token;
+				const decodedTokenValue = currentToken === null ? null : decodeToken(currentToken);
+				if (currentToken !== null && decodedTokenValue?.exp !== void 0 && decodedTokenValue.iss !== void 0 && acceptedIssuers.has(normalizeIssuer(decodedTokenValue.iss)) && decodedTokenValue.exp * 1e3 > Date.now()) {
+					client.setAuth(currentToken);
+					return {
+						client,
+						cookies: currentCookies$1
+					};
+				}
+				if (currentCookies$1.refreshToken === null) return {
+					client,
+					cookies: currentCookies$1
+				};
+				let refreshedTokens = null;
+				try {
+					refreshedTokens = extractSignedInTokens(await runSignIn(createClient(), { refreshToken: currentCookies$1.refreshToken }), "proxy sign-in auth hydration");
+				} catch {
+					refreshedTokens = null;
+				}
+				if (refreshedTokens === null) return {
+					client,
+					cookies: currentCookies$1
+				};
+				client.setAuth(refreshedTokens.token);
+				return {
+					client,
+					cookies: {
+						token: refreshedTokens.token,
+						refreshToken: refreshedTokens.refreshToken,
+						verifier: currentCookies$1.verifier
+					}
+				};
+			};
+			const toSignInProxyResponse = (result, args$1, currentCookies$1, host$1) => {
+				if (result.kind === "redirect") return appendCookieHeaders(jsonResponse({
+					kind: "redirect",
+					redirect: result.redirect,
+					verifier: result.verifier
+				}), serializeAuthCookies({
+					...currentCookies$1,
+					verifier: result.verifier
+				}, host$1, cookieConfig, cookieNamespace));
+				if (result.kind === "signedIn") {
+					const nextCookies = result.tokens === null ? {
+						token: currentCookies$1.token,
+						refreshToken: currentCookies$1.refreshToken,
+						verifier: null
+					} : {
+						token: result.tokens.token,
+						refreshToken: result.tokens.refreshToken,
+						verifier: null
+					};
+					return appendCookieHeaders(jsonResponse({
+						kind: "signedIn",
+						tokens: result.tokens === null ? null : {
+							token: result.tokens.token,
+							refreshToken: "dummy"
+						}
+					}), serializeAuthCookies(nextCookies, host$1, cookieConfig, cookieNamespace));
+				}
+				if (result.kind === "started") return jsonResponse(result);
+				if (result.kind === "passkeyOptions") return jsonResponse(result);
+				if (result.kind === "totpRequired") return jsonResponse(result);
+				if (result.kind === "totpSetup") return jsonResponse(result);
+				if (result.kind === "deviceCode") return jsonResponse(result);
+				return jsonResponse(result);
+			};
+			const requestDispatch = !shouldProxyAuthAction(new URL(request.url).pathname, apiRoute) ? { kind: "invalidRoute" } : request.method !== "POST" ? { kind: "invalidMethod" } : (() => {
+				const originHeader = request.headers.get("origin");
+				if (originHeader === null) return false;
+				const forwardedProtoHeader = request.headers.get("x-forwarded-proto");
+				const protocol = forwardedProtoHeader !== null ? (() => {
+					const forwardedProto = forwardedProtoHeader.split(",")[0]?.trim();
+					if (forwardedProto !== void 0 && forwardedProto.length > 0) return forwardedProto.endsWith(":") ? forwardedProto : `${forwardedProto}:`;
+					return new URL(request.url).protocol;
+				})() : new URL(request.url).protocol;
+				const requestHost = request.headers.get("host") ?? new URL(request.url).host;
+				const hostCandidate = `${protocol}//${requestHost}`;
+				const host$1 = canParseUrl(hostCandidate) ? new URL(hostCandidate).host : requestHost;
+				if (!canParseUrl(originHeader)) return true;
+				const originUrl = new URL(originHeader);
+				return originUrl.host !== host$1 || originUrl.protocol !== protocol;
+			})() ? { kind: "invalidOrigin" } : { kind: "valid" };
+			let validationErrorResponse = null;
+			if (requestDispatch.kind === "invalidRoute") validationErrorResponse = new Response("Invalid route", { status: 404 });
+			else if (requestDispatch.kind === "invalidMethod") validationErrorResponse = new Response("Invalid method", { status: 405 });
+			else if (requestDispatch.kind === "invalidOrigin") validationErrorResponse = new Response("Invalid origin", { status: 403 });
+			if (validationErrorResponse !== null) return validationErrorResponse;
+			let body = null;
+			try {
+				const parsed = await request.json();
+				body = typeof parsed === "object" && parsed !== null ? parsed : null;
+			} catch {
+				body = null;
+			}
+			if (body === null) return new Response("Invalid request body", { status: 400 });
+			const action = body.action;
+			const args = typeof body.args === "object" && body.args !== null ? { ...body.args } : {};
+			if (args.refreshToken === null) args.refreshToken = void 0;
+			const actionDispatch = action === "auth:signIn" ? { action: "sessionStart" } : action === "auth:signOut" ? { action: "sessionStop" } : null;
+			if (actionDispatch === null) return new Response("Invalid action", { status: 400 });
+			const host = request.headers.get("host") ?? new URL(request.url).host;
+			const currentCookies = parseAuthCookies(request.headers.get("cookie"), host, cookieNamespace);
+			if (actionDispatch.action === "sessionStart") {
+				let refreshResponse = null;
+				if (args.refreshToken === void 0) refreshResponse = null;
+				else if (currentCookies.refreshToken === null) {
+					const currentToken = currentCookies.token;
+					const decodedToken = currentToken === null ? null : decodeToken(currentToken);
+					if (currentToken !== null && decodedToken?.exp !== void 0 && decodedToken.iss !== void 0 && acceptedIssuers.has(normalizeIssuer(decodedToken.iss)) && decodedToken.exp * 1e3 > Date.now()) refreshResponse = jsonResponse({ tokens: {
+						token: currentToken,
+						refreshToken: "dummy"
+					} });
+					else refreshResponse = jsonResponse({ tokens: null });
+				} else {
+					args.refreshToken = currentCookies.refreshToken ?? void 0;
+					refreshResponse = null;
+				}
+				if (refreshResponse !== null) return refreshResponse;
+				const { client, cookies: effectiveCookies } = await hydrateProxySignInClient(currentCookies, args);
+				try {
+					return toSignInProxyResponse(await runSignIn(client, args), args, effectiveCookies, host);
+				} catch (error) {
+					return appendCookieHeaders(jsonResponse(getProxyErrorBody(error), 400), serializeAuthCookies({
+						token: effectiveCookies.token,
+						refreshToken: effectiveCookies.refreshToken,
+						verifier: null
+					}, host, cookieConfig, cookieNamespace));
+				}
+			} else {
+				try {
+					await runSignOut(currentCookies.token);
+				} catch (error) {
+					log("ERROR", "[convex-auth/server] proxy sign-out failed", error);
+					if (currentCookies.refreshToken !== null) try {
+						const refreshedTokens = extractSignedInTokens(await runSignIn(createClient(), { refreshToken: currentCookies.refreshToken }), "sign-out fallback refresh");
+						if (refreshedTokens !== null) await runSignOut(refreshedTokens.token);
+					} catch (fallbackError) {
+						log("ERROR", "[convex-auth/server] proxy sign-out fallback failed", fallbackError);
+					}
+				}
+				return appendCookieHeaders(jsonResponse(null), serializeAuthCookies({
+					token: null,
+					refreshToken: null,
+					verifier: null
+				}, host, cookieConfig, cookieNamespace));
+			}
+		},
+		async refresh(request) {
+			const createClient = () => new ConvexHttpClient(convexUrl);
+			const logVerbose = (message) => {
+				if (verbose) log("DEBUG", `${(/* @__PURE__ */ new Date()).toISOString()} [convex-auth/server] ${message}`);
+			};
+			const refreshWithToken = async (refreshToken$1) => {
+				try {
+					const tokens$1 = extractSignedInTokens(await createClient().action(signInActionRef, { refreshToken: refreshToken$1 }), "token refresh");
+					logVerbose(`Refreshed tokens, null=${tokens$1 === null}`);
+					return tokens$1;
+				} catch (error) {
+					log("ERROR", "[convex-auth/server] refresh-token exchange failed", error);
+					if (getConvexErrorCode(error) === "INVALID_REFRESH_TOKEN") {
+						logVerbose("Refresh token rejected, clearing auth cookies");
+						return null;
+					}
+					logVerbose("Token refresh failed transiently, keeping current cookies");
+					return;
+				}
+			};
+			const host = request.headers.get("host") ?? new URL(request.url).host;
+			const currentCookies = parseAuthCookies(request.headers.get("cookie"), host, cookieNamespace);
+			const currentToken = currentCookies.token;
+			const originHeader = request.headers.get("origin");
+			const forwardedProtoHeader = request.headers.get("x-forwarded-proto");
+			const protocol = forwardedProtoHeader !== null ? (() => {
+				const forwardedProto = forwardedProtoHeader.split(",")[0]?.trim();
+				if (forwardedProto !== void 0 && forwardedProto.length > 0) return forwardedProto.endsWith(":") ? forwardedProto : `${forwardedProto}:`;
+				return new URL(request.url).protocol;
+			})() : new URL(request.url).protocol;
+			const requestHost = request.headers.get("host") ?? new URL(request.url).host;
+			const hostCandidate = `${protocol}//${requestHost}`;
+			const normalizedHost = canParseUrl(hostCandidate) ? new URL(hostCandidate).host : requestHost;
+			const originUrl = originHeader !== null && canParseUrl(originHeader) ? new URL(originHeader) : null;
+			if (originHeader !== null && (originUrl === null || originUrl.host !== normalizedHost || originUrl.protocol !== protocol)) return {
+				redirect: false,
+				cookies: [],
+				token: null
+			};
+			const requestUrl = new URL(request.url);
+			const code = requestUrl.searchParams.get("code");
+			const shouldHandleCodeOption = options.shouldHandleCode;
+			let shouldHandleCode;
+			if (shouldHandleCodeOption === void 0) shouldHandleCode = true;
+			else if (typeof shouldHandleCodeOption === "function") {
+				const result = shouldHandleCodeOption(request);
+				shouldHandleCode = typeof result === "boolean" ? result : await result;
+			} else shouldHandleCode = shouldHandleCodeOption;
+			let codeExchangeResult = null;
+			if (code !== null && request.method === "GET" && request.headers.get("accept")?.includes("text/html") && shouldHandleCode) {
+				const redirectUrl = new URL(requestUrl.toString());
+				try {
+					const tokens$1 = extractSignedInTokens(await createClient().action(signInActionRef, {
+						params: { code },
+						verifier: currentCookies.verifier ?? void 0
+					}), "code exchange");
+					redirectUrl.searchParams.delete("code");
+					const cookies = structuredAuthCookies({
+						token: tokens$1?.token ?? null,
+						refreshToken: tokens$1?.refreshToken ?? null,
+						verifier: null
+					}, host, cookieConfig, cookieNamespace);
+					codeExchangeResult = {
+						redirect: true,
+						response: buildRedirectResponse(redirectUrl.toString(), cookies)
+					};
+				} catch (error) {
+					log("ERROR", "[convex-auth/server] code exchange failed", error);
+					if (![
+						"OAUTH_INVALID_STATE",
+						"OAUTH_PROVIDER_ERROR",
+						"OAUTH_MISSING_ID_TOKEN",
+						"OAUTH_INVALID_PROFILE",
+						"OAUTH_MISSING_VERIFIER",
+						"INVALID_VERIFIER",
+						"INVALID_VERIFICATION_CODE"
+					].includes(getConvexErrorCode(error) ?? "")) codeExchangeResult = {
+						redirect: false,
+						cookies: [],
+						token: currentCookies.token
+					};
+					else {
+						redirectUrl.searchParams.delete("code");
+						const cookies = structuredAuthCookies({
+							token: currentCookies.token,
+							refreshToken: currentCookies.refreshToken,
+							verifier: null
+						}, host, cookieConfig, cookieNamespace);
+						codeExchangeResult = {
+							redirect: true,
+							response: buildRedirectResponse(redirectUrl.toString(), cookies)
+						};
+					}
+				}
+			}
+			if (codeExchangeResult !== null) return codeExchangeResult;
+			const { token, refreshToken } = currentCookies;
+			if (refreshToken !== null && (refreshToken.trim().length === 0 || refreshToken === "dummy")) {
+				logVerbose("Refresh token cookie malformed, clearing auth cookies");
+				return {
+					redirect: false,
+					cookies: structuredAuthCookies({
+						token: null,
+						refreshToken: null,
+						verifier: null
+					}, host, cookieConfig, cookieNamespace),
+					token: null
+				};
+			}
+			const decodedToken = token === null ? null : decodeToken(token);
+			if (decodedToken?.iss !== void 0 && !acceptedIssuers.has(normalizeIssuer(decodedToken.iss))) {
+				logVerbose("Access token issuer mismatch, clearing auth cookies");
+				return {
+					redirect: false,
+					cookies: structuredAuthCookies({
+						token: null,
+						refreshToken: null,
+						verifier: null
+					}, host, cookieConfig, cookieNamespace),
+					token: null
+				};
+			}
+			let tokens;
+			if (token === null && refreshToken === null) {
+				logVerbose("No auth cookies found, skipping refresh");
+				tokens = void 0;
+			} else if (token === null && refreshToken !== null) {
+				logVerbose("Access token cookie missing, attempting refresh-token recovery");
+				tokens = await refreshWithToken(refreshToken);
+			} else if (token !== null && refreshToken === null) if (decodedToken?.exp !== void 0 && decodedToken.iss !== void 0 && acceptedIssuers.has(normalizeIssuer(decodedToken.iss)) && decodedToken.exp * 1e3 > Date.now()) {
+				logVerbose("Refresh token cookie missing but access token still valid");
+				tokens = void 0;
+			} else {
+				logVerbose("Refresh token cookie missing and access token invalid, clearing");
+				tokens = null;
+			}
+			else if (decodedToken?.exp === void 0 || decodedToken.iat === void 0) {
+				logVerbose("Failed to decode access token, attempting refresh-token recovery");
+				tokens = await refreshWithToken(refreshToken);
+			} else {
+				const totalTokenLifetimeMs = decodedToken.exp * 1e3 - decodedToken.iat * 1e3;
+				const minimumExpiration = Date.now() + Math.min(REQUIRED_TOKEN_LIFETIME_MS, Math.max(MINIMUM_REQUIRED_TOKEN_LIFETIME_MS, totalTokenLifetimeMs / 10));
+				if (decodedToken.exp * 1e3 > minimumExpiration) {
+					logVerbose("Token valid long enough, skipping refresh");
+					tokens = void 0;
+				} else tokens = await refreshWithToken(refreshToken);
+			}
+			if (tokens === void 0) return {
+				redirect: false,
+				cookies: [],
+				token: currentToken
+			};
+			return {
+				redirect: false,
+				cookies: structuredAuthCookies({
+					token: tokens?.token ?? null,
+					refreshToken: tokens?.refreshToken ?? null,
+					verifier: null
+				}, host, cookieConfig, cookieNamespace),
+				token: tokens?.token ?? null
+			};
+		}
+	};
+}
+
+//#endregion
+export { authCookieNames, parseAuthCookies, serializeAuthCookies, server, shouldProxyAuthAction, structuredAuthCookies };
+//# sourceMappingURL=prefetch.js.map

package/dist/server/random.js

@@ -0,0 +1,19 @@
+import { generateRandomString } from "@oslojs/crypto/random";
+import { sha256 } from "@oslojs/crypto/sha2";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+
+//#region src/server/random.ts
+/** @internal */
+async function sha256$1(input) {
+	return encodeHexLowerCase(sha256(new TextEncoder().encode(input)));
+}
+/** @internal */
+function generateRandomString$1(length, alphabet) {
+	return generateRandomString({ read(bytes) {
+		crypto.getRandomValues(bytes);
+	} }, alphabet, length);
+}
+
+//#endregion
+export { generateRandomString$1 as generateRandomString, sha256$1 as sha256 };
+//# sourceMappingURL=random.js.map

package/dist/server/redirects.js

@@ -1,19 +1,24 @@
-import { requireEnv } from "./utils.js";
-import { Cv } from "@robelest/fx/convex";
+import { requireEnv } from "./env.js";
+import { ConvexError } from "convex/values";
 
 //#region src/server/redirects.ts
+const describeUnknown = (value) => {
+	if (typeof value === "string") return JSON.stringify(value);
+	if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint" || value === null) return String(value);
+	return JSON.stringify(value) ?? Object.prototype.toString.call(value);
+};
 /** @internal */
 async function redirectAbsoluteUrl(config, params) {
 	if (params.redirectTo === void 0) return requireEnv("SITE_URL").replace(/\/$/, "");
-	if (typeof params.redirectTo !== "string") throw Cv.error({
+	if (typeof params.redirectTo !== "string") throw new ConvexError({
 		code: "INVALID_REDIRECT",
-		message: `Expected \`redirectTo\` to be a string, got ${params.redirectTo}`
+		message: `Expected \`redirectTo\` to be a string, got ${describeUnknown(params.redirectTo)}`
 	});
 	const redirectCallback = config.callbacks?.redirect ?? defaultRedirectCallback;
 	try {
 		return await redirectCallback({ redirectTo: params.redirectTo });
 	} catch {
-		throw Cv.error({
+		throw new ConvexError({
 			code: "INTERNAL_ERROR",
 			message: "An unexpected error occurred."
 		});