@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

package/dist/server/refresh.js

@@ -1,99 +1,27 @@
-import { LOG_LEVELS, REFRESH_TOKEN_DIVIDER, logWithLevel, maybeRedact } from "./utils.js";
-import { authDb } from "./db.js";
-import { Fx } from "@robelest/fx";
-import { Cv } from "@robelest/fx/convex";
+import { envOptionalNumber, readConfigSync } from "./env.js";
+import { maybeRedact } from "./log.js";
+import { ConvexError } from "convex/values";
 
 //#region src/server/refresh.ts
+const REFRESH_TOKEN_DIVIDER = "|";
 const DEFAULT_SESSION_INACTIVE_DURATION_MS = 1e3 * 60 * 60 * 24 * 30;
 /** @internal */
 const REFRESH_TOKEN_REUSE_WINDOW_MS = 10 * 1e3;
-/**
-* Create a new refresh token for the given session.
-*/
-/** @internal */
-async function createRefreshToken(ctx, config, sessionId, parentRefreshTokenId) {
-	const expirationTime = Date.now() + (config.session?.inactiveDurationMs ?? (process.env.AUTH_SESSION_INACTIVE_DURATION_MS !== void 0 ? Number(process.env.AUTH_SESSION_INACTIVE_DURATION_MS) : void 0) ?? DEFAULT_SESSION_INACTIVE_DURATION_MS);
-	return authDb(ctx, config).refreshTokens.create({
-		sessionId,
-		expirationTime,
-		parentRefreshTokenId: parentRefreshTokenId ?? void 0
-	});
-}
-/**
-* Parse a compound refresh token string into its constituent IDs.
-*/
+const refreshTokenExpirationTime = (config, now = Date.now()) => now + (config.session?.inactiveDurationMs ?? readConfigSync(envOptionalNumber("AUTH_SESSION_INACTIVE_DURATION_MS")) ?? DEFAULT_SESSION_INACTIVE_DURATION_MS);
 /** @internal */
 const parseRefreshToken = (refreshToken) => {
 	const [refreshTokenId, sessionId] = refreshToken.split(REFRESH_TOKEN_DIVIDER);
-	const msg = `Can't parse refresh token: ${maybeRedact(refreshToken)}`;
-	return (refreshTokenId != null ? Fx.succeed(refreshTokenId) : Cv.fail({
+	const message = `Can't parse refresh token: ${maybeRedact(refreshToken)}`;
+	if (refreshTokenId == null || sessionId == null) throw new ConvexError({
 		code: "INVALID_REFRESH_TOKEN",
-		message: msg
-	})).pipe(Fx.chain((rtId) => {
-		return (sessionId != null ? Fx.succeed(sessionId) : Cv.fail({
-			code: "INVALID_REFRESH_TOKEN",
-			message: msg
-		})).pipe(Fx.map((sId) => ({
-			refreshTokenId: rtId,
-			sessionId: sId
-		})));
-	}));
-};
-/**
-* Mark all refresh tokens descending from the given refresh token as invalid
-* immediately. Used when we detect token reuse — revoke the entire tree.
-*/
-/** @internal */
-async function invalidateRefreshTokensInSubtree(ctx, refreshToken, config) {
-	const db = authDb(ctx, config);
-	const tokensToInvalidate = [refreshToken];
-	const visited = new Set([refreshToken._id]);
-	let frontier = [refreshToken._id];
-	while (frontier.length > 0) {
-		const nextFrontier = [];
-		for (const currentTokenId of frontier) {
-			const children = await db.refreshTokens.getChildren(refreshToken.sessionId, currentTokenId);
-			for (const child of children) {
-				if (visited.has(child._id)) continue;
-				visited.add(child._id);
-				tokensToInvalidate.push(child);
-				nextFrontier.push(child._id);
-			}
-		}
-		frontier = nextFrontier;
-	}
-	await Fx.run(Fx.each(tokensToInvalidate, (token) => token.firstUsedTime === void 0 || token.firstUsedTime > Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS ? Fx.promise(() => db.refreshTokens.patch(token._id, { firstUsedTime: Date.now() - REFRESH_TOKEN_REUSE_WINDOW_MS })) : Fx.unit));
-	return tokensToInvalidate;
-}
-/**
-* Validate a refresh token and its associated session.
-*
-* Returns `null` on any validation failure (matching original semantics).
-* Each validation step is a small composable function chained with `Fx.chain`.
-* On failure, the error message is logged and the pipeline folds to `null`.
-*/
-/** @internal */
-const refreshTokenIfValid = (ctx, refreshTokenId, tokenSessionId, config) => {
-	const db = authDb(ctx, config);
-	const fetchDoc = (promise, failMsg) => Fx.from({
-		ok: promise,
-		err: () => failMsg
-	}).pipe(Fx.recover((msg) => {
-		logWithLevel(LOG_LEVELS.ERROR, msg);
-		return Fx.succeed(null);
-	}));
-	return fetchDoc(() => db.refreshTokens.getById(refreshTokenId), "Invalid refresh token format").pipe(Fx.chain((doc) => doc !== null ? Fx.succeed(doc) : Fx.fail("Invalid refresh token")), Fx.chain((doc) => doc.expirationTime >= Date.now() ? Fx.succeed(doc) : Fx.fail("Expired refresh token")), Fx.chain((doc) => doc.sessionId === tokenSessionId ? Fx.succeed(doc) : Fx.fail("Invalid refresh token session ID"))).pipe(Fx.chain((doc) => fetchDoc(() => db.sessions.getById(doc.sessionId), "Invalid refresh token session format").pipe(Fx.chain((session) => session !== null ? Fx.succeed(session) : Fx.fail("Invalid refresh token session")), Fx.chain((session) => session.expirationTime >= Date.now() ? Fx.succeed(session) : Fx.fail("Expired refresh token session")), Fx.map((session) => ({
-		session,
-		refreshTokenDoc: doc
-	})))), Fx.fold({
-		ok: (result) => result,
-		err: (msg) => {
-			logWithLevel(LOG_LEVELS.ERROR, msg);
-			return null;
-		}
-	}));
+		message
+	});
+	return {
+		refreshTokenId,
+		sessionId
+	};
 };
 
 //#endregion
-export { REFRESH_TOKEN_REUSE_WINDOW_MS, createRefreshToken, invalidateRefreshTokensInSubtree, parseRefreshToken, refreshTokenIfValid };
+export { REFRESH_TOKEN_DIVIDER, REFRESH_TOKEN_REUSE_WINDOW_MS, parseRefreshToken, refreshTokenExpirationTime };
 //# sourceMappingURL=refresh.js.map