npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.25 → 0.0.4-preview.28 - Mend

@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (666) hide show

package/README.md +43 -36
package/dist/bin.js +5765 -4880
package/dist/browser/index.d.ts +30 -0
package/dist/browser/index.js +93 -0
package/dist/browser/locks.js +11 -0
package/dist/browser/navigation.js +14 -0
package/dist/{factors → browser}/passkey.js +23 -32
package/dist/browser/runtime.js +92 -0
package/dist/client/core/types.d.ts +452 -5
package/dist/client/core/types.js +17 -0
package/dist/client/errors.js +19 -0
package/dist/client/factors/device.js +94 -0
package/dist/{factors → client/factors}/totp.js +12 -4
package/dist/client/index.d.ts +47 -1
package/dist/client/index.js +269 -232
package/dist/client/runtime/mutex.js +24 -0
package/dist/client/runtime/proxy.js +30 -0
package/dist/client/runtime/storage.js +45 -0
package/dist/client/services/adapters.js +7 -0
package/dist/client/services/http.js +6 -0
package/dist/client/services/resolve.js +13 -0
package/dist/client/services/runtime.js +6 -0
package/dist/component/_generated/component.d.ts +1355 -1399
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/index.d.ts +4 -26
package/dist/component/index.js +1 -1
package/dist/component/model.d.ts +26 -112
package/dist/component/model.js +76 -54
package/dist/component/modules.js +38 -0
package/dist/component/public/factors/devices.js +1 -1
package/dist/component/public/factors/passkeys.js +1 -1
package/dist/component/public/factors/totp.js +1 -1
package/dist/component/public/groups/core.js +2 -2
package/dist/component/public/groups/invites.js +1 -1
package/dist/component/public/groups/members.js +1 -1
package/dist/component/public/identity/accounts.js +1 -1
package/dist/component/public/identity/codes.js +1 -1
package/dist/component/public/identity/sessions.js +39 -2
package/dist/component/public/identity/tokens.js +82 -4
package/dist/component/public/identity/users.js +1 -1
package/dist/component/public/identity/verifiers.js +10 -4
package/dist/component/public/security/keys.js +1 -1
package/dist/component/public/security/limits.js +1 -1
package/dist/component/public/{enterprise → sso}/audit.js +26 -26
package/dist/component/public/sso/core.js +263 -0
package/dist/component/public/sso/domains.js +280 -0
package/dist/component/public/{enterprise → sso}/scim.js +87 -87
package/dist/component/public/sso/secrets.js +125 -0
package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
package/dist/component/public.js +9 -9
package/dist/component/schema.d.ts +472 -393
package/dist/component/schema.js +36 -35
package/dist/core/index.d.ts +380 -0
package/dist/core/index.js +83 -0
package/dist/otel.d.ts +69 -0
package/dist/otel.js +82 -0
package/dist/providers/anonymous.d.ts +15 -34
package/dist/providers/anonymous.js +27 -35
package/dist/providers/apple.d.ts +59 -0
package/dist/providers/apple.js +58 -0
package/dist/providers/credentials.d.ts +18 -34
package/dist/providers/credentials.js +16 -27
package/dist/providers/custom.d.ts +94 -0
package/dist/providers/custom.js +119 -0
package/dist/providers/device.d.ts +15 -49
package/dist/providers/device.js +17 -34
package/dist/providers/email.d.ts +21 -38
package/dist/providers/email.js +36 -55
package/dist/providers/github.d.ts +54 -0
package/dist/providers/github.js +75 -0
package/dist/providers/google.d.ts +54 -0
package/dist/providers/google.js +61 -0
package/dist/providers/index.d.ts +16 -12
package/dist/providers/index.js +15 -11
package/dist/providers/microsoft.d.ts +57 -0
package/dist/providers/microsoft.js +101 -0
package/dist/providers/passkey.d.ts +19 -35
package/dist/providers/passkey.js +20 -30
package/dist/providers/password.d.ts +17 -18
package/dist/providers/password.js +121 -143
package/dist/providers/phone.d.ts +13 -28
package/dist/providers/phone.js +21 -46
package/dist/providers/sso.d.ts +16 -36
package/dist/providers/sso.js +21 -22
package/dist/providers/totp.d.ts +13 -29
package/dist/providers/totp.js +17 -27
package/dist/server/auth-context.d.ts +204 -0
package/dist/server/auth-context.js +76 -0
package/dist/server/auth.d.ts +99 -244
package/dist/server/auth.js +56 -152
package/dist/server/componentContext.d.ts +12 -0
package/dist/server/componentContext.js +1 -0
package/dist/server/config.js +6 -67
package/dist/server/constants.js +6 -0
package/dist/server/contract.d.ts +105 -0
package/dist/server/contract.js +43 -0
package/dist/server/cookies.js +3 -2
package/dist/server/core.js +31 -36
package/dist/server/crypto.js +34 -44
package/dist/server/db.js +6 -1
package/dist/server/device.js +96 -130
package/dist/server/env.js +48 -0
package/dist/server/errors.js +20 -0
package/dist/server/http.d.ts +15 -59
package/dist/server/http.js +136 -120
package/dist/server/identity.js +2 -2
package/dist/server/index.d.ts +5 -4
package/dist/server/index.js +3 -3
package/dist/server/keys.js +10 -1
package/dist/server/limits.js +26 -26
package/dist/server/log.js +28 -0
package/dist/server/mounts.d.ts +1107 -296
package/dist/server/mounts.js +315 -196
package/dist/server/mutations/account.js +11 -14
package/dist/server/mutations/code.js +6 -5
package/dist/server/mutations/invalidate.js +9 -11
package/dist/server/mutations/oauth.js +112 -73
package/dist/server/mutations/refresh.js +47 -97
package/dist/server/mutations/register.js +37 -35
package/dist/server/mutations/retrieve.js +16 -16
package/dist/server/mutations/signature.js +15 -18
package/dist/server/mutations/signin.js +10 -5
package/dist/server/mutations/signout.js +11 -14
package/dist/server/mutations/store.js +25 -18
package/dist/server/mutations/verifier.js +11 -8
package/dist/server/mutations/verify.js +53 -41
package/dist/server/oauth/factory.js +44 -0
package/dist/server/oauth/index.js +12 -0
package/dist/server/oauth/runtime.js +248 -0
package/dist/server/passkey.js +331 -365
package/dist/server/payloads.d.ts +16 -0
package/dist/server/payloads.js +30 -0
package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
package/dist/server/prefetch.js +635 -0
package/dist/server/random.js +19 -0
package/dist/server/redirects.js +10 -5
package/dist/server/refresh.js +14 -86
package/dist/server/runtime.d.ts +531 -31
package/dist/server/runtime.js +106 -267
package/dist/server/secret.js +44 -0
package/dist/server/services/config.js +10 -0
package/dist/server/services/group.js +211 -0
package/dist/server/services/logger.js +8 -0
package/dist/server/services/providers.js +22 -0
package/dist/server/services/refresh.js +8 -0
package/dist/server/services/resolve.js +27 -0
package/dist/server/services/signin.js +8 -0
package/dist/server/sessions.js +35 -34
package/dist/server/signin.js +229 -140
package/dist/server/{enterprise → sso}/config.js +10 -3
package/dist/server/sso/domain.d.ts +614 -0
package/dist/server/sso/domain.js +1175 -0
package/dist/server/sso/http.js +1060 -0
package/dist/server/sso/oidc.js +324 -0
package/dist/server/sso/policies.js +59 -0
package/dist/server/sso/policy.js +139 -0
package/dist/server/sso/profile.js +22 -0
package/dist/server/sso/provision.js +179 -0
package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
package/dist/server/sso/shared.js +74 -0
package/dist/server/sso/validators.js +88 -0
package/dist/server/sso/webhook.js +94 -0
package/dist/server/tokens.js +16 -4
package/dist/server/totp.js +155 -164
package/dist/server/types.d.ts +306 -296
package/dist/server/types.js +1 -30
package/dist/server/url.js +32 -0
package/dist/server/users.js +74 -40
package/dist/server/utils/cache.js +51 -0
package/dist/server/utils/dispatch.js +36 -0
package/dist/server/utils/retry.js +24 -0
package/dist/server/utils/span.js +32 -0
package/dist/shared/errors.js +19 -0
package/dist/shared/log.js +45 -0
package/{src/test.ts → dist/test.d.ts} +21 -22
package/dist/test.js +51 -0
package/package.json +70 -42
package/dist/authorization/index.d.ts.map +0 -1
package/dist/authorization/index.js.map +0 -1
package/dist/client/core/types.d.ts.map +0 -1
package/dist/client/index.d.ts.map +0 -1
package/dist/client/index.js.map +0 -1
package/dist/component/_generated/api.d.ts +0 -75
package/dist/component/_generated/api.d.ts.map +0 -1
package/dist/component/_generated/api.js.map +0 -1
package/dist/component/_generated/component.d.ts.map +0 -1
package/dist/component/_generated/dataModel.d.ts +0 -42
package/dist/component/_generated/dataModel.d.ts.map +0 -1
package/dist/component/_generated/server.d.ts +0 -117
package/dist/component/_generated/server.d.ts.map +0 -1
package/dist/component/_generated/server.js.map +0 -1
package/dist/component/_virtual/rolldown_runtime.js +0 -18
package/dist/component/client/core/types.d.ts +0 -2
package/dist/component/client/index.d.ts +0 -1
package/dist/component/convex.config.d.ts.map +0 -1
package/dist/component/convex.config.js.map +0 -1
package/dist/component/functions.d.ts +0 -25
package/dist/component/functions.d.ts.map +0 -1
package/dist/component/functions.js.map +0 -1
package/dist/component/index.d.ts.map +0 -1
package/dist/component/model.d.ts.map +0 -1
package/dist/component/model.js.map +0 -1
package/dist/component/providers/anonymous.d.ts +0 -54
package/dist/component/providers/anonymous.d.ts.map +0 -1
package/dist/component/providers/credentials.d.ts +0 -38
package/dist/component/providers/credentials.d.ts.map +0 -1
package/dist/component/providers/device.d.ts +0 -67
package/dist/component/providers/device.d.ts.map +0 -1
package/dist/component/providers/email.d.ts +0 -62
package/dist/component/providers/email.d.ts.map +0 -1
package/dist/component/providers/oauth.d.ts +0 -25
package/dist/component/providers/oauth.d.ts.map +0 -1
package/dist/component/providers/oauth.js +0 -13
package/dist/component/providers/oauth.js.map +0 -1
package/dist/component/providers/passkey.d.ts +0 -57
package/dist/component/providers/passkey.d.ts.map +0 -1
package/dist/component/providers/password.d.ts +0 -88
package/dist/component/providers/password.d.ts.map +0 -1
package/dist/component/providers/phone.d.ts +0 -48
package/dist/component/providers/phone.d.ts.map +0 -1
package/dist/component/providers/sso.d.ts +0 -50
package/dist/component/providers/sso.d.ts.map +0 -1
package/dist/component/providers/totp.d.ts +0 -45
package/dist/component/providers/totp.d.ts.map +0 -1
package/dist/component/public/enterprise/audit.d.ts +0 -73
package/dist/component/public/enterprise/audit.d.ts.map +0 -1
package/dist/component/public/enterprise/audit.js.map +0 -1
package/dist/component/public/enterprise/core.d.ts +0 -176
package/dist/component/public/enterprise/core.d.ts.map +0 -1
package/dist/component/public/enterprise/core.js +0 -292
package/dist/component/public/enterprise/core.js.map +0 -1
package/dist/component/public/enterprise/domains.d.ts +0 -174
package/dist/component/public/enterprise/domains.d.ts.map +0 -1
package/dist/component/public/enterprise/domains.js +0 -271
package/dist/component/public/enterprise/domains.js.map +0 -1
package/dist/component/public/enterprise/scim.d.ts +0 -245
package/dist/component/public/enterprise/scim.d.ts.map +0 -1
package/dist/component/public/enterprise/scim.js.map +0 -1
package/dist/component/public/enterprise/secrets.d.ts +0 -78
package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
package/dist/component/public/enterprise/secrets.js +0 -118
package/dist/component/public/enterprise/secrets.js.map +0 -1
package/dist/component/public/enterprise/webhooks.d.ts +0 -211
package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
package/dist/component/public/enterprise/webhooks.js.map +0 -1
package/dist/component/public/factors/devices.d.ts +0 -157
package/dist/component/public/factors/devices.d.ts.map +0 -1
package/dist/component/public/factors/devices.js.map +0 -1
package/dist/component/public/factors/passkeys.d.ts +0 -175
package/dist/component/public/factors/passkeys.d.ts.map +0 -1
package/dist/component/public/factors/passkeys.js.map +0 -1
package/dist/component/public/factors/totp.d.ts +0 -189
package/dist/component/public/factors/totp.d.ts.map +0 -1
package/dist/component/public/factors/totp.js.map +0 -1
package/dist/component/public/groups/core.d.ts +0 -137
package/dist/component/public/groups/core.d.ts.map +0 -1
package/dist/component/public/groups/core.js.map +0 -1
package/dist/component/public/groups/invites.d.ts +0 -217
package/dist/component/public/groups/invites.d.ts.map +0 -1
package/dist/component/public/groups/invites.js.map +0 -1
package/dist/component/public/groups/members.d.ts +0 -204
package/dist/component/public/groups/members.d.ts.map +0 -1
package/dist/component/public/groups/members.js.map +0 -1
package/dist/component/public/identity/accounts.d.ts +0 -147
package/dist/component/public/identity/accounts.d.ts.map +0 -1
package/dist/component/public/identity/accounts.js.map +0 -1
package/dist/component/public/identity/codes.d.ts +0 -104
package/dist/component/public/identity/codes.d.ts.map +0 -1
package/dist/component/public/identity/codes.js.map +0 -1
package/dist/component/public/identity/sessions.d.ts +0 -128
package/dist/component/public/identity/sessions.d.ts.map +0 -1
package/dist/component/public/identity/sessions.js.map +0 -1
package/dist/component/public/identity/tokens.d.ts +0 -169
package/dist/component/public/identity/tokens.d.ts.map +0 -1
package/dist/component/public/identity/tokens.js.map +0 -1
package/dist/component/public/identity/users.d.ts +0 -212
package/dist/component/public/identity/users.d.ts.map +0 -1
package/dist/component/public/identity/users.js.map +0 -1
package/dist/component/public/identity/verifiers.d.ts +0 -116
package/dist/component/public/identity/verifiers.d.ts.map +0 -1
package/dist/component/public/identity/verifiers.js.map +0 -1
package/dist/component/public/security/keys.d.ts +0 -209
package/dist/component/public/security/keys.d.ts.map +0 -1
package/dist/component/public/security/keys.js.map +0 -1
package/dist/component/public/security/limits.d.ts +0 -114
package/dist/component/public/security/limits.d.ts.map +0 -1
package/dist/component/public/security/limits.js.map +0 -1
package/dist/component/public.d.ts +0 -28
package/dist/component/public.d.ts.map +0 -1
package/dist/component/schema.d.ts.map +0 -1
package/dist/component/schema.js.map +0 -1
package/dist/component/server/auth.d.ts +0 -447
package/dist/component/server/auth.d.ts.map +0 -1
package/dist/component/server/auth.js +0 -254
package/dist/component/server/auth.js.map +0 -1
package/dist/component/server/config.js +0 -121
package/dist/component/server/config.js.map +0 -1
package/dist/component/server/context.js +0 -53
package/dist/component/server/context.js.map +0 -1
package/dist/component/server/cookies.js +0 -47
package/dist/component/server/cookies.js.map +0 -1
package/dist/component/server/core.js +0 -576
package/dist/component/server/core.js.map +0 -1
package/dist/component/server/crypto.js +0 -56
package/dist/component/server/crypto.js.map +0 -1
package/dist/component/server/db.js +0 -87
package/dist/component/server/db.js.map +0 -1
package/dist/component/server/device.js +0 -152
package/dist/component/server/device.js.map +0 -1
package/dist/component/server/enterprise/config.js +0 -46
package/dist/component/server/enterprise/config.js.map +0 -1
package/dist/component/server/enterprise/domain.js +0 -974
package/dist/component/server/enterprise/domain.js.map +0 -1
package/dist/component/server/enterprise/http.js +0 -787
package/dist/component/server/enterprise/http.js.map +0 -1
package/dist/component/server/enterprise/oidc.js +0 -248
package/dist/component/server/enterprise/oidc.js.map +0 -1
package/dist/component/server/enterprise/policy.js +0 -85
package/dist/component/server/enterprise/policy.js.map +0 -1
package/dist/component/server/enterprise/saml.js.map +0 -1
package/dist/component/server/enterprise/scim.js.map +0 -1
package/dist/component/server/enterprise/shared.js +0 -51
package/dist/component/server/enterprise/shared.js.map +0 -1
package/dist/component/server/http.d.ts +0 -85
package/dist/component/server/http.d.ts.map +0 -1
package/dist/component/server/http.js +0 -351
package/dist/component/server/http.js.map +0 -1
package/dist/component/server/identity.js +0 -16
package/dist/component/server/identity.js.map +0 -1
package/dist/component/server/keys.js +0 -96
package/dist/component/server/keys.js.map +0 -1
package/dist/component/server/limits.js +0 -52
package/dist/component/server/limits.js.map +0 -1
package/dist/component/server/mutations/account.js +0 -46
package/dist/component/server/mutations/account.js.map +0 -1
package/dist/component/server/mutations/code.js +0 -68
package/dist/component/server/mutations/code.js.map +0 -1
package/dist/component/server/mutations/invalidate.js +0 -32
package/dist/component/server/mutations/invalidate.js.map +0 -1
package/dist/component/server/mutations/oauth.js +0 -116
package/dist/component/server/mutations/oauth.js.map +0 -1
package/dist/component/server/mutations/refresh.js +0 -119
package/dist/component/server/mutations/refresh.js.map +0 -1
package/dist/component/server/mutations/register.js +0 -87
package/dist/component/server/mutations/register.js.map +0 -1
package/dist/component/server/mutations/retrieve.js +0 -61
package/dist/component/server/mutations/retrieve.js.map +0 -1
package/dist/component/server/mutations/signature.js +0 -38
package/dist/component/server/mutations/signature.js.map +0 -1
package/dist/component/server/mutations/signin.js +0 -27
package/dist/component/server/mutations/signin.js.map +0 -1
package/dist/component/server/mutations/signout.js +0 -27
package/dist/component/server/mutations/signout.js.map +0 -1
package/dist/component/server/mutations/store/refs.js +0 -15
package/dist/component/server/mutations/store/refs.js.map +0 -1
package/dist/component/server/mutations/store.js +0 -70
package/dist/component/server/mutations/store.js.map +0 -1
package/dist/component/server/mutations/verifier.js +0 -18
package/dist/component/server/mutations/verifier.js.map +0 -1
package/dist/component/server/mutations/verify.js +0 -98
package/dist/component/server/mutations/verify.js.map +0 -1
package/dist/component/server/oauth.js +0 -242
package/dist/component/server/oauth.js.map +0 -1
package/dist/component/server/passkey.js +0 -415
package/dist/component/server/passkey.js.map +0 -1
package/dist/component/server/redirects.js +0 -40
package/dist/component/server/redirects.js.map +0 -1
package/dist/component/server/refresh.js +0 -99
package/dist/component/server/refresh.js.map +0 -1
package/dist/component/server/runtime.d.ts +0 -136
package/dist/component/server/runtime.d.ts.map +0 -1
package/dist/component/server/runtime.js +0 -456
package/dist/component/server/runtime.js.map +0 -1
package/dist/component/server/sessions.js +0 -71
package/dist/component/server/sessions.js.map +0 -1
package/dist/component/server/signin.js +0 -225
package/dist/component/server/signin.js.map +0 -1
package/dist/component/server/tokens.js +0 -17
package/dist/component/server/tokens.js.map +0 -1
package/dist/component/server/totp.js +0 -208
package/dist/component/server/totp.js.map +0 -1
package/dist/component/server/types.d.ts +0 -949
package/dist/component/server/types.d.ts.map +0 -1
package/dist/component/server/types.js +0 -79
package/dist/component/server/types.js.map +0 -1
package/dist/component/server/users.js +0 -123
package/dist/component/server/users.js.map +0 -1
package/dist/component/server/utils.js +0 -140
package/dist/component/server/utils.js.map +0 -1
package/dist/core/types.d.ts +0 -361
package/dist/core/types.d.ts.map +0 -1
package/dist/factors/device.js +0 -104
package/dist/factors/device.js.map +0 -1
package/dist/factors/passkey.js.map +0 -1
package/dist/factors/totp.js.map +0 -1
package/dist/providers/anonymous.d.ts.map +0 -1
package/dist/providers/anonymous.js.map +0 -1
package/dist/providers/credentials.d.ts.map +0 -1
package/dist/providers/credentials.js.map +0 -1
package/dist/providers/device.d.ts.map +0 -1
package/dist/providers/device.js.map +0 -1
package/dist/providers/email.d.ts.map +0 -1
package/dist/providers/email.js.map +0 -1
package/dist/providers/oauth.d.ts +0 -69
package/dist/providers/oauth.d.ts.map +0 -1
package/dist/providers/oauth.js +0 -43
package/dist/providers/oauth.js.map +0 -1
package/dist/providers/passkey.d.ts.map +0 -1
package/dist/providers/passkey.js.map +0 -1
package/dist/providers/password.d.ts.map +0 -1
package/dist/providers/password.js.map +0 -1
package/dist/providers/phone.d.ts.map +0 -1
package/dist/providers/phone.js.map +0 -1
package/dist/providers/sso.d.ts.map +0 -1
package/dist/providers/sso.js.map +0 -1
package/dist/providers/totp.d.ts.map +0 -1
package/dist/providers/totp.js.map +0 -1
package/dist/runtime/browser.js +0 -68
package/dist/runtime/browser.js.map +0 -1
package/dist/runtime/invite.js.map +0 -1
package/dist/runtime/proxy.js +0 -70
package/dist/runtime/proxy.js.map +0 -1
package/dist/runtime/storage.js +0 -37
package/dist/runtime/storage.js.map +0 -1
package/dist/server/auth.d.ts.map +0 -1
package/dist/server/auth.js.map +0 -1
package/dist/server/config.d.ts +0 -1
package/dist/server/config.js.map +0 -1
package/dist/server/context.d.ts +0 -1
package/dist/server/context.js.map +0 -1
package/dist/server/cookies.d.ts +0 -1
package/dist/server/cookies.js.map +0 -1
package/dist/server/core.d.ts +0 -1315
package/dist/server/core.d.ts.map +0 -1
package/dist/server/core.js.map +0 -1
package/dist/server/crypto.d.ts +0 -8
package/dist/server/crypto.d.ts.map +0 -1
package/dist/server/crypto.js.map +0 -1
package/dist/server/db.d.ts +0 -1
package/dist/server/db.js.map +0 -1
package/dist/server/device.d.ts +0 -1
package/dist/server/device.js.map +0 -1
package/dist/server/enterprise/config.d.ts +0 -1
package/dist/server/enterprise/config.js.map +0 -1
package/dist/server/enterprise/domain.d.ts +0 -401
package/dist/server/enterprise/domain.d.ts.map +0 -1
package/dist/server/enterprise/domain.js +0 -974
package/dist/server/enterprise/domain.js.map +0 -1
package/dist/server/enterprise/http.d.ts +0 -26
package/dist/server/enterprise/http.d.ts.map +0 -1
package/dist/server/enterprise/http.js +0 -787
package/dist/server/enterprise/http.js.map +0 -1
package/dist/server/enterprise/oidc.d.ts +0 -1
package/dist/server/enterprise/oidc.js +0 -248
package/dist/server/enterprise/oidc.js.map +0 -1
package/dist/server/enterprise/policy.d.ts +0 -1
package/dist/server/enterprise/policy.js +0 -85
package/dist/server/enterprise/policy.js.map +0 -1
package/dist/server/enterprise/saml.d.ts +0 -1
package/dist/server/enterprise/saml.js +0 -338
package/dist/server/enterprise/saml.js.map +0 -1
package/dist/server/enterprise/scim.d.ts +0 -1
package/dist/server/enterprise/scim.js +0 -97
package/dist/server/enterprise/scim.js.map +0 -1
package/dist/server/enterprise/shared.d.ts +0 -5
package/dist/server/enterprise/shared.d.ts.map +0 -1
package/dist/server/enterprise/shared.js +0 -51
package/dist/server/enterprise/shared.js.map +0 -1
package/dist/server/enterprise/validators.d.ts +0 -1
package/dist/server/enterprise/validators.js +0 -60
package/dist/server/enterprise/validators.js.map +0 -1
package/dist/server/http.d.ts.map +0 -1
package/dist/server/http.js.map +0 -1
package/dist/server/identity.d.ts +0 -1
package/dist/server/identity.js.map +0 -1
package/dist/server/keys.d.ts +0 -1
package/dist/server/keys.js.map +0 -1
package/dist/server/limits.d.ts +0 -1
package/dist/server/limits.js.map +0 -1
package/dist/server/mounts.d.ts.map +0 -1
package/dist/server/mounts.js.map +0 -1
package/dist/server/mutations/account.d.ts +0 -29
package/dist/server/mutations/account.d.ts.map +0 -1
package/dist/server/mutations/account.js.map +0 -1
package/dist/server/mutations/code.d.ts +0 -30
package/dist/server/mutations/code.d.ts.map +0 -1
package/dist/server/mutations/code.js.map +0 -1
package/dist/server/mutations/index.d.ts +0 -14
package/dist/server/mutations/invalidate.d.ts +0 -20
package/dist/server/mutations/invalidate.d.ts.map +0 -1
package/dist/server/mutations/invalidate.js.map +0 -1
package/dist/server/mutations/oauth.d.ts +0 -30
package/dist/server/mutations/oauth.d.ts.map +0 -1
package/dist/server/mutations/oauth.js.map +0 -1
package/dist/server/mutations/refresh.d.ts +0 -21
package/dist/server/mutations/refresh.d.ts.map +0 -1
package/dist/server/mutations/refresh.js.map +0 -1
package/dist/server/mutations/register.d.ts +0 -38
package/dist/server/mutations/register.d.ts.map +0 -1
package/dist/server/mutations/register.js.map +0 -1
package/dist/server/mutations/retrieve.d.ts +0 -33
package/dist/server/mutations/retrieve.d.ts.map +0 -1
package/dist/server/mutations/retrieve.js.map +0 -1
package/dist/server/mutations/signature.d.ts +0 -21
package/dist/server/mutations/signature.d.ts.map +0 -1
package/dist/server/mutations/signature.js.map +0 -1
package/dist/server/mutations/signin.d.ts +0 -22
package/dist/server/mutations/signin.d.ts.map +0 -1
package/dist/server/mutations/signin.js.map +0 -1
package/dist/server/mutations/signout.d.ts +0 -16
package/dist/server/mutations/signout.d.ts.map +0 -1
package/dist/server/mutations/signout.js.map +0 -1
package/dist/server/mutations/store/refs.d.ts +0 -12
package/dist/server/mutations/store/refs.d.ts.map +0 -1
package/dist/server/mutations/store/refs.js.map +0 -1
package/dist/server/mutations/store.d.ts +0 -306
package/dist/server/mutations/store.d.ts.map +0 -1
package/dist/server/mutations/store.js.map +0 -1
package/dist/server/mutations/verifier.d.ts +0 -13
package/dist/server/mutations/verifier.d.ts.map +0 -1
package/dist/server/mutations/verifier.js.map +0 -1
package/dist/server/mutations/verify.d.ts +0 -26
package/dist/server/mutations/verify.d.ts.map +0 -1
package/dist/server/mutations/verify.js.map +0 -1
package/dist/server/oauth.d.ts +0 -1
package/dist/server/oauth.js +0 -242
package/dist/server/oauth.js.map +0 -1
package/dist/server/passkey.d.ts +0 -27
package/dist/server/passkey.d.ts.map +0 -1
package/dist/server/passkey.js.map +0 -1
package/dist/server/redirects.d.ts +0 -1
package/dist/server/redirects.js.map +0 -1
package/dist/server/refresh.d.ts +0 -1
package/dist/server/refresh.js.map +0 -1
package/dist/server/runtime.d.ts.map +0 -1
package/dist/server/runtime.js.map +0 -1
package/dist/server/sessions.d.ts +0 -1
package/dist/server/sessions.js.map +0 -1
package/dist/server/signin.d.ts +0 -1
package/dist/server/signin.js.map +0 -1
package/dist/server/ssr.d.ts.map +0 -1
package/dist/server/ssr.js +0 -777
package/dist/server/ssr.js.map +0 -1
package/dist/server/templates.d.ts +0 -1
package/dist/server/templates.js.map +0 -1
package/dist/server/tokens.d.ts +0 -1
package/dist/server/tokens.js.map +0 -1
package/dist/server/totp.d.ts +0 -1
package/dist/server/totp.js.map +0 -1
package/dist/server/types.d.ts.map +0 -1
package/dist/server/types.js.map +0 -1
package/dist/server/users.d.ts +0 -1
package/dist/server/users.js.map +0 -1
package/dist/server/utils.d.ts +0 -1
package/dist/server/utils.js +0 -140
package/dist/server/utils.js.map +0 -1
package/src/authorization/index.ts +0 -83
package/src/cli/bin.ts +0 -5
package/src/cli/command.ts +0 -70
package/src/cli/index.ts +0 -1112
package/src/cli/keys.ts +0 -23
package/src/client/core/types.ts +0 -437
package/src/client/factors/device.ts +0 -158
package/src/client/factors/passkey.ts +0 -279
package/src/client/factors/totp.ts +0 -150
package/src/client/index.ts +0 -1124
package/src/client/runtime/browser.ts +0 -112
package/src/client/runtime/invite.ts +0 -63
package/src/client/runtime/proxy.ts +0 -111
package/src/client/runtime/storage.ts +0 -79
package/src/component/_generated/api.ts +0 -96
package/src/component/_generated/component.ts +0 -3774
package/src/component/_generated/dataModel.ts +0 -60
package/src/component/_generated/server.ts +0 -156
package/src/component/convex.config.ts +0 -5
package/src/component/functions.ts +0 -104
package/src/component/index.ts +0 -42
package/src/component/model.ts +0 -449
package/src/component/public/enterprise/audit.ts +0 -125
package/src/component/public/enterprise/core.ts +0 -355
package/src/component/public/enterprise/domains.ts +0 -327
package/src/component/public/enterprise/scim.ts +0 -397
package/src/component/public/enterprise/secrets.ts +0 -133
package/src/component/public/enterprise/webhooks.ts +0 -307
package/src/component/public/factors/devices.ts +0 -224
package/src/component/public/factors/passkeys.ts +0 -243
package/src/component/public/factors/totp.ts +0 -259
package/src/component/public/groups/core.ts +0 -481
package/src/component/public/groups/invites.ts +0 -608
package/src/component/public/groups/members.ts +0 -410
package/src/component/public/identity/accounts.ts +0 -207
package/src/component/public/identity/codes.ts +0 -149
package/src/component/public/identity/sessions.ts +0 -210
package/src/component/public/identity/tokens.ts +0 -251
package/src/component/public/identity/users.ts +0 -355
package/src/component/public/identity/verifiers.ts +0 -158
package/src/component/public/security/keys.ts +0 -366
package/src/component/public/security/limits.ts +0 -174
package/src/component/public.ts +0 -27
package/src/component/schema.ts +0 -505
package/src/providers/anonymous.ts +0 -99
package/src/providers/credentials.ts +0 -102
package/src/providers/device.ts +0 -87
package/src/providers/email.ts +0 -99
package/src/providers/index.ts +0 -31
package/src/providers/oauth.ts +0 -117
package/src/providers/passkey.ts +0 -77
package/src/providers/password.ts +0 -441
package/src/providers/phone.ts +0 -93
package/src/providers/sso.ts +0 -54
package/src/providers/totp.ts +0 -62
package/src/samlify.d.ts +0 -53
package/src/server/auth.ts +0 -949
package/src/server/config.ts +0 -200
package/src/server/context.ts +0 -90
package/src/server/cookies.ts +0 -49
package/src/server/core.ts +0 -2004
package/src/server/crypto.ts +0 -90
package/src/server/db.ts +0 -203
package/src/server/device.ts +0 -254
package/src/server/enterprise/config.ts +0 -51
package/src/server/enterprise/domain.ts +0 -1739
package/src/server/enterprise/http.ts +0 -1331
package/src/server/enterprise/oidc.ts +0 -500
package/src/server/enterprise/policy.ts +0 -128
package/src/server/enterprise/saml.ts +0 -578
package/src/server/enterprise/scim.ts +0 -135
package/src/server/enterprise/shared.ts +0 -134
package/src/server/enterprise/validators.ts +0 -93
package/src/server/http.ts +0 -790
package/src/server/identity.ts +0 -18
package/src/server/index.ts +0 -40
package/src/server/keys.ts +0 -158
package/src/server/limits.ts +0 -107
package/src/server/mounts.ts +0 -924
package/src/server/mutations/account.ts +0 -62
package/src/server/mutations/code.ts +0 -119
package/src/server/mutations/index.ts +0 -13
package/src/server/mutations/invalidate.ts +0 -50
package/src/server/mutations/oauth.ts +0 -243
package/src/server/mutations/refresh.ts +0 -299
package/src/server/mutations/register.ts +0 -155
package/src/server/mutations/retrieve.ts +0 -109
package/src/server/mutations/signature.ts +0 -57
package/src/server/mutations/signin.ts +0 -54
package/src/server/mutations/signout.ts +0 -43
package/src/server/mutations/store/refs.ts +0 -10
package/src/server/mutations/store.ts +0 -123
package/src/server/mutations/verifier.ts +0 -34
package/src/server/mutations/verify.ts +0 -200
package/src/server/oauth.ts +0 -418
package/src/server/passkey.ts +0 -838
package/src/server/redirects.ts +0 -59
package/src/server/refresh.ts +0 -218
package/src/server/runtime.ts +0 -918
package/src/server/sessions.ts +0 -132
package/src/server/signin.ts +0 -445
package/src/server/ssr.ts +0 -1747
package/src/server/templates.ts +0 -82
package/src/server/tokens.ts +0 -35
package/src/server/totp.ts +0 -399
package/src/server/types.ts +0 -1942
package/src/server/users.ts +0 -291
package/src/server/utils.ts +0 -220
/package/dist/{runtime → client/runtime}/invite.js +0 -0

package/dist/client/core/types.d.ts CHANGED Viewed

@@ -1,7 +1,157 @@
-import { FunctionReference } from "convex/server";
 import { ConvexError, Value } from "convex/values";
+import { FunctionReference } from "convex/server";
 //#region src/client/core/types.d.ts
+/**
+ * Structural interface for any Convex client.
+ * Satisfied by `ConvexClient` (`convex/browser`),
+ * `ConvexReactClient` (`convex/react`), and similar transports.
+ *
+ * `clearAuth` is present on `ConvexReactClient` and `BaseConvexClient`
+ * but not on the simplified `ConvexClient`. When available we call it
+ * during sign-out for a clean deauthentication.
+ */
+interface ConvexTransport {
+  action(action: unknown, args: unknown): Promise<unknown>;
+  setAuth(fetchToken: (args: {
+    forceRefreshToken: boolean;
+  }) => Promise<string | null | undefined>, onChange?: (isAuthenticated: boolean) => void): void;
+  clearAuth?(): void;
+}
+/** Minimal action-only transport used for unauthenticated auth flows. */
+interface ActionTransport {
+  action(action: unknown, args: unknown): Promise<unknown>;
+}
+type SignInApiRef = {
+  signIn: AuthApiRefs["signIn"];
+};
+/** Pluggable key-value storage supplied by the host runtime. */
+interface Storage {
+  getItem(key: string): string | null | undefined | Promise<string | null | undefined>;
+  setItem(key: string, value: string): void | Promise<void>;
+  removeItem(key: string): void | Promise<void>;
+}
+/** Platform-neutral location/navigation hooks. */
+interface LocationRuntime {
+  get(): URL | null;
+  replace(relativeUrl: string): void | Promise<void>;
+  redirect(url: URL): void | Promise<void>;
+}
+/** Cross-context synchronization hooks, such as browser storage events. */
+interface SyncRuntime {
+  subscribe(key: string, callback: (value: string | null) => void | Promise<void>): (() => void) | null;
+}
+/** Cross-context mutex/locking primitive. */
+interface MutexRuntime {
+  withKey<T>(key: string, callback: () => Promise<T>): Promise<T>;
+}
+/** Proxy request execution supplied by the host runtime. */
+interface ProxyRuntime {
+  fetch(body: Record<string, unknown>, proxyPath: string): Promise<Response>;
+}
+/**
+ * Platform-neutral client runtime dependencies.
+ *
+ * The core `client` package should depend only on these interfaces, while the
+ * browser package can provide concrete implementations backed by DOM APIs.
+ */
+interface ClientRuntime {
+  environment?: "client" | "server";
+  storage?: Storage | null;
+  location?: LocationRuntime;
+  sync?: SyncRuntime;
+  mutex?: MutexRuntime;
+  proxy?: ProxyRuntime;
+}
+/** Platform-specific factor adapters injected by entrypoints like `browser`. */
+interface ClientAdapters {
+  passkey?: PasskeyClient;
+  totp?: TotpClient;
+  device?: DeviceClient;
+}
+interface ClientAdapterDeps {
+  proxy: string | undefined;
+  convex: ConvexTransport;
+  requireApiRefs: () => SignInApiRef;
+  proxyFetch: (body: Record<string, unknown>) => Promise<unknown>;
+  setTokenAndMaybeWait: (args: {
+    shouldStore: true;
+    tokens: AuthSession | null;
+    waitForHandshake: boolean;
+    context: {
+      provider?: string;
+      flow: string;
+    };
+  } | {
+    shouldStore: false;
+    tokens: {
+      token: string;
+    } | null;
+    waitForHandshake: boolean;
+    context: {
+      provider?: string;
+      flow: string;
+    };
+  }) => Promise<boolean>;
+}
+interface ClientAdapterFactories {
+  passkey?: (deps: ClientAdapterDeps) => PasskeyClient;
+}
+type AuthSession = {
+  token: string;
+  refreshToken: string;
+};
+/**
+ * Device code response returned when signing in with the `"device"` provider.
+ *
+ * The device displays the `userCode` (or `verificationUriComplete`) and
+ * polls via `auth.device.poll()` until the user authorizes.
+ */
+type DeviceCodeResult = {
+  /** High-entropy device code used for polling (keep secret). */deviceCode: string; /** Short human-readable code the user enters (e.g. "WDJB-MJHT"). */
+  userCode: string; /** Base verification URL (e.g. "https://myapp.com/device"). */
+  verificationUri: string; /** Verification URL with user code pre-filled as `?code=XXXX-XXXX`. */
+  verificationUriComplete: string; /** Lifetime of the codes in seconds. */
+  expiresIn: number; /** Minimum polling interval in seconds. */
+  interval: number;
+};
+/**
+ * Result of a `signIn` call.
+ *
+ * - `kind: "signedIn"` — credentials were accepted and the user is authenticated.
+ * - `kind: "redirect"` — OAuth flow initiated; redirect the user to `redirect.toString()`.
+ * - `kind: "totpRequired"` — credentials valid but 2FA is needed; call `auth.totp.verify()`.
+ * - `kind: "deviceCode"` — device flow initiated; display the code and poll via `auth.device.poll()`.
+ * - `kind: "started"` — a non-immediate flow started (for example email/phone verification).
+ *
+ * @see {@link AuthState}
+ */
+type SignInResult = {
+  kind: "signedIn";
+} | {
+  kind: "redirect";
+  redirect: URL;
+  verifier: string;
+} | {
+  kind: "totpRequired";
+  verifier: string;
+} | {
+  kind: "deviceCode";
+  deviceCode: DeviceCodeResult;
+} | {
+  kind: "started";
+};
+/**
+ * Reactive auth state snapshot returned by `auth.state` and `auth.onChange`.
+ *
+ * @see {@link SignInResult}
+ */
+type AuthState = {
+  /** High-level auth phase for deterministic UI state handling. */phase: "loading" | "handshake" | "authenticated" | "unauthenticated"; /** `true` during initial hydration before the first token is resolved. */
+  isLoading: boolean; /** `true` only after Convex confirms authentication with the backend. */
+  isAuthenticated: boolean; /** The raw JWT string, or `null` when not authenticated. */
+  token: string | null;
+};
 /**
  * Typed Convex API references for the auth functions.
  * Pass these from your generated `api` object.
@@ -11,10 +161,307 @@ import { ConvexError, Value } from "convex/values";
  * @typeParam HasDevice - Whether the device provider is configured.
  */
 type AuthApiRefs<HasPasskey extends boolean = boolean, HasTotp extends boolean = boolean, HasDevice extends boolean = boolean> = {
-  signIn: FunctionReference<"action", "public", any, any>;
-  signOut: FunctionReference<"action", "public", any, any>;
-  store: FunctionReference<"mutation", "public", any, any>;
+  signIn: FunctionReference<"action", "public", Record<string, Value>, unknown>;
+  signOut: FunctionReference<"action", "public", Record<string, Value>, unknown>;
+  store: FunctionReference<"mutation", "public", Record<string, Value>, unknown>;
+};
+/**
+ * Passkey (WebAuthn) client-side helpers.
+ *
+ * @see {@link TotpClient}
+ * @see {@link DeviceClient}
+ */
+interface PasskeyClient {
+  /**
+   * Check whether the current runtime exposes WebAuthn passkey APIs.
+   *
+   * @returns `true` when `navigator.credentials` is available.
+   *
+   * @example
+   * ```ts
+   * if (auth.passkey.isSupported()) {
+   *   // Show passkey registration button
+   * }
+   * ```
+   */
+  isSupported(): boolean;
+  /**
+   * Check whether conditional mediation (autofill-style passkeys) is available.
+   *
+   * @returns `true` when the browser supports `PublicKeyCredential.isConditionalMediationAvailable`.
+   *
+   * @example
+   * ```ts
+   * if (await auth.passkey.isAutofillSupported()) {
+   *   await auth.passkey.authenticate({ autofill: true });
+   * }
+   * ```
+   */
+  isAutofillSupported(): Promise<boolean>;
+  /**
+   * Start a passkey registration flow and complete the WebAuthn ceremony.
+   *
+   * Creates a new credential bound to the current user's account.
+   *
+   * @param opts - Optional registration hints.
+   * @param opts.name - Human-readable name for the passkey (e.g. `"MacBook Pro"`).
+   * @param opts.email - Email hint for discoverable credentials.
+   * @param opts.userName - WebAuthn `user.name` override.
+   * @param opts.userDisplayName - WebAuthn `user.displayName` override.
+   * @returns A {@link SignInResult} — typically `{ kind: "signedIn" }` on success.
+   *
+   * @example
+   * ```ts
+   * const result = await auth.passkey.register({ name: "My laptop" });
+   * ```
+   */
+  register(opts?: Record<string, unknown>): Promise<SignInResult>;
+  /**
+   * Authenticate with an existing passkey and complete the WebAuthn ceremony.
+   *
+   * @param opts - Optional authentication hints.
+   * @param opts.email - Email hint to filter discoverable credentials.
+   * @param opts.autofill - Set to `true` for conditional UI (autofill) mode.
+   * @returns A {@link SignInResult} — typically `{ kind: "signedIn" }` on success.
+   *
+   * @example
+   * ```ts
+   * const result = await auth.passkey.authenticate();
+   * ```
+   */
+  authenticate(opts?: Record<string, unknown>): Promise<SignInResult>;
+}
+/**
+ * TOTP two-factor authentication client-side helpers.
+ *
+ * @see {@link PasskeyClient}
+ * @see {@link DeviceClient}
+ */
+interface TotpClient {
+  /**
+   * Start TOTP enrollment and return the setup URI, secret, verifier, and factor ID.
+   *
+   * The returned `uri` is an `otpauth://` URL that can be rendered as a QR code
+   * for the user to scan with their authenticator app.
+   *
+   * @param opts - Optional setup hints.
+   * @param opts.name - Issuer name shown in the authenticator app.
+   * @param opts.accountName - Account label in the authenticator app.
+   * @returns An object with `{ uri, secret, verifier, totpId }`.
+   *
+   * @example
+   * ```ts
+   * const { uri, secret, verifier, totpId } = await auth.totp.setup();
+   * // Render `uri` as a QR code, then confirm:
+   * await auth.totp.confirm({ code: userCode, verifier, totpId });
+   * ```
+   */
+  setup(opts?: Record<string, unknown>): Promise<Record<string, unknown>>;
+  /**
+   * Confirm a newly created TOTP factor with the first authenticator code.
+   *
+   * Call this after the user scans the QR code and enters the first OTP.
+   *
+   * @param opts - Confirmation parameters.
+   * @param opts.code - The 6-digit TOTP code from the authenticator app.
+   * @param opts.verifier - The verifier string returned by {@link TotpClient.setup}.
+   * @param opts.totpId - The factor ID returned by {@link TotpClient.setup}.
+   *
+   * @example
+   * ```ts
+   * await auth.totp.confirm({ code: "123456", verifier, totpId });
+   * ```
+   */
+  confirm(opts: Record<string, unknown>): Promise<void>;
+  /**
+   * Complete a sign-in that is waiting on TOTP verification.
+   *
+   * Called when `signIn()` returns `{ kind: "totpRequired" }`.
+   *
+   * @param opts - Verification parameters.
+   * @param opts.code - The 6-digit TOTP code from the authenticator app.
+   * @param opts.verifier - The verifier string from the `totpRequired` result.
+   *
+   * @example
+   * ```ts
+   * const result = await auth.signIn("password", { email, password });
+   * if (result.kind === "totpRequired") {
+   *   await auth.totp.verify({ code: totpCode, verifier: result.verifier });
+   * }
+   * ```
+   */
+  verify(opts: Record<string, unknown>): Promise<void>;
+}
+/**
+ * Device authorization (RFC 8628) client-side helpers.
+ *
+ * @see {@link PasskeyClient}
+ * @see {@link TotpClient}
+ */
+interface DeviceClient {
+  /**
+   * Poll until a device flow is approved or expires.
+   *
+   * Polls the server at the interval specified in the {@link DeviceCodeResult}
+   * until the user authorizes the device or the code expires.
+   *
+   * @param opts - Poll options.
+   * @param opts.code - The {@link DeviceCodeResult} returned from `signIn("device")`.
+   * @throws `ConvexError({ code: "DEVICE_CODE_EXPIRED" })` when the code expires before authorization.
+   *
+   * @example
+   * ```ts
+   * const result = await auth.signIn("device");
+   * if (result.kind === "deviceCode") {
+   *   // Display result.deviceCode.userCode to the user
+   *   await auth.device.poll({ code: result.deviceCode });
+   *   console.log("Device authorized!");
+   * }
+   * ```
+   */
+  poll(opts: {
+    code: DeviceCodeResult;
+  }): Promise<void>;
+  /**
+   * Approve a device flow from the verification page using the displayed user code.
+   *
+   * Call this on the authorization page where the user enters the short code
+   * shown on the device screen.
+   *
+   * @param opts - Verification options.
+   * @param opts.code - The user code string (e.g. `"WDJB-MJHT"`).
+   * @throws `ConvexError({ code: "DEVICE_AUTHORIZATION_FAILED" })` when verification fails.
+   *
+   * @example
+   * ```ts
+   * await auth.device.verify({ code: "WDJB-MJHT" });
+   * ```
+   */
+  verify(opts: {
+    code: string;
+  }): Promise<void>;
+}
+/**
+ * Extract capability flags from an AuthApiRefs type.
+ *
+ * @typeParam Api - An AuthApiRefs type to extract capability flags from.
+ */
+type InferCaps<Api extends AuthApiRefs<boolean, boolean, boolean>> = Api extends AuthApiRefs<infer P, infer T, infer D> ? {
+  passkey: P;
+  totp: T;
+  device: D;
+} : {
+  passkey: boolean;
+  totp: boolean;
+  device: boolean;
+};
+/** Pending invite detected from URL or recovered from storage after redirect. */
+interface PendingInvite {
+  /**
+   * Raw one-time invite token. Pass to your invite acceptance mutation.
+   * @readonly
+   */
+  readonly token: string;
+  /**
+   * Invite email from the URL or stored redirect state, if available.
+   * @readonly
+   */
+  readonly email: string | null;
+  /**
+   * Consume the invite: clears storage/URL params and returns the token.
+   *
+   * @returns The invite token.
+   * @throws When there is no pending invite to accept.
+   */
+  accept(): Promise<{
+    token: string;
+  }>;
+}
+/** Base auth client — always present. */
+interface AuthClientBase {
+  /**
+   * Reactive auth state snapshot.
+   * @readonly
+   */
+  readonly state: AuthState;
+  /** SSR-safe query-param reader. */
+  param: (name: string) => string | null;
+  /**
+   * Pending invite recovered from the URL or storage, if present.
+   * @readonly
+   */
+  readonly invite: PendingInvite | null;
+  /** Start a sign-in flow for a provider. */
+  signIn: (provider: string, params?: Record<string, unknown>) => Promise<SignInResult>;
+  /** Sign out and clear local auth state. */
+  signOut: () => Promise<void>;
+  /** Subscribe to auth state changes. Returns an unsubscribe function. */
+  onChange: (callback: (state: AuthState) => void) => () => void;
+  /** Tear down listeners and reject in-flight handshakes. */
+  destroy: () => void;
+}
+/**
+ * Framework-agnostic auth client return type.
+ *
+ * Conditionally includes `totp` and `device` helpers based on the
+ * capabilities in the `AuthApiRefs` type. Browser-only `passkey` helpers are
+ * added by {@link BrowserAuthClient}.
+ *
+ * @typeParam Api - An AuthApiRefs type that determines which factor helpers are included.
+ */
+type AuthClient<Api extends AuthApiRefs<boolean, boolean, boolean> = AuthApiRefs> = AuthClientBase & (InferCaps<Api>["totp"] extends true ? {
+  totp: TotpClient;
+} : {}) & (InferCaps<Api>["device"] extends true ? {
+  device: DeviceClient;
+} : {});
+/**
+ * Browser auth client return type.
+ *
+ * Extends {@link AuthClient} with conditional passkey helpers when the
+ * generated auth API exposes passkey capabilities.
+ *
+ * @typeParam Api - An AuthApiRefs type that determines which factor helpers are included.
+ */
+type BrowserAuthClient<Api extends AuthApiRefs<boolean, boolean, boolean> = AuthApiRefs> = AuthClient<Api> & (InferCaps<Api>["passkey"] extends true ? {
+  passkey: PasskeyClient;
+} : {});
+/**
+ * Options for {@link client}.
+ *
+ * @typeParam Api - An AuthApiRefs type.
+ */
+type ClientOptions<Api extends AuthApiRefs<boolean, boolean, boolean> = AuthApiRefs> = {
+  /** Any Convex client implementation used to run auth actions. */convex: ConvexTransport; /** Platform runtime implementation used by the client core. */
+  runtime?: ClientRuntime; /** Platform-specific factor adapters supplied by higher-level entrypoints. */
+  adapters?: ClientAdapters; /** Platform-specific adapter factories supplied by higher-level entrypoints. */
+  adapterFactories?: ClientAdapterFactories;
+  /**
+   * Typed auth function refs from your generated `api` object.
+   * Required outside proxy mode.
+   */
+  api?: Api; /** Explicit Convex deployment URL when it cannot be inferred from the client. */
+  url?: string;
+  /**
+   * Optional action-only transport for direct code exchange outside proxy mode.
+   * Required in non-browser runtimes when `proxyPath` is not set.
+   */
+  httpClient?: ActionTransport | null;
+  /**
+   * Storage backend for persisted tokens.
+   *
+   * Defaults to `runtime.storage` when provided, otherwise `null`.
+   */
+  storage?: Storage | null; /** Override how OAuth code cleanup updates the current URL. */
+  replaceUrl?: (relativeUrl: string) => void | Promise<void>;
+  /**
+   * Proxy endpoint used instead of direct Convex auth calls.
+   * When set, provide `runtime.proxy` and omit direct `api`/`httpClient`
+   * transport requirements.
+   */
+  proxyPath?: string; /** Server-provided JWT seed used for flash-free SSR hydration. */
+  tokenSeed?: string | null; /** SSR-safe URL source for reading query parameters. */
+  location?: URL | (() => URL | null);
 };
 //#endregion
-export { AuthApiRefs };
+export { AuthApiRefs, AuthClient, AuthState, BrowserAuthClient, ClientOptions, ClientRuntime, DeviceClient, DeviceCodeResult, PasskeyClient, PendingInvite, SignInResult, Storage, TotpClient };
 //# sourceMappingURL=types.d.ts.map

package/dist/client/core/types.js ADDED Viewed

@@ -0,0 +1,17 @@
+//#region src/client/core/types.ts
+function createDeferred() {
+	let resolve;
+	let reject;
+	return {
+		promise: new Promise((res, rej) => {
+			resolve = res;
+			reject = rej;
+		}),
+		resolve,
+		reject
+	};
+}
+//#endregion
+export { createDeferred };
+//# sourceMappingURL=types.js.map

package/dist/client/errors.js ADDED Viewed

@@ -0,0 +1,19 @@
+import { ConvexError } from "convex/values";
+//#region src/client/errors.ts
+const HANDSHAKE_ERROR_MESSAGES = {
+	AUTH_HANDSHAKE_TIMEOUT: "Sign-in succeeded but authentication confirmation timed out.",
+	AUTH_HANDSHAKE_REJECTED: "Authentication was rejected while confirming the session."
+};
+/** @internal */
+const createHandshakeError = (code, context) => {
+	return new ConvexError({
+		code,
+		message: HANDSHAKE_ERROR_MESSAGES[code],
+		...context
+	});
+};
+//#endregion
+export { createHandshakeError };
+//# sourceMappingURL=errors.js.map

package/dist/client/factors/device.js ADDED Viewed

@@ -0,0 +1,94 @@
+import { ConvexError } from "convex/values";
+//#region src/client/factors/device.ts
+function isSignedInResult(result) {
+	return result.kind === "signedIn";
+}
+/** @internal */
+function createDeviceClient(deps) {
+	const { proxy, convex, requireApiRefs, proxyFetch, setTokenAndMaybeWait } = deps;
+	const requestDeviceSignIn = async (params) => {
+		return proxy ? await proxyFetch({
+			action: "auth:signIn",
+			args: {
+				provider: "device",
+				params
+			}
+		}) : await convex.action(requireApiRefs().signIn, {
+			provider: "device",
+			params
+		});
+	};
+	return {
+		poll: async (opts) => {
+			const { code } = opts;
+			const intervalMs = code.interval * 1e3;
+			const expiresAt = Date.now() + code.expiresIn * 1e3;
+			while (Date.now() < expiresAt) {
+				await new Promise((resolve) => setTimeout(resolve, intervalMs));
+				const params = {
+					flow: "poll",
+					deviceCode: code.deviceCode
+				};
+				let pollResult;
+				try {
+					pollResult = await requestDeviceSignIn(params);
+				} catch (error) {
+					if (error instanceof ConvexError) {
+						const errorCode = error.data?.code;
+						if (errorCode === "DEVICE_AUTHORIZATION_PENDING") continue;
+						if (errorCode === "DEVICE_SLOW_DOWN") {
+							await new Promise((resolve) => setTimeout(resolve, intervalMs));
+							continue;
+						}
+					}
+					throw error;
+				}
+				if (pollResult === null) continue;
+				if (isSignedInResult(pollResult) && pollResult.tokens) {
+					if (proxy) await setTokenAndMaybeWait({
+						shouldStore: false,
+						tokens: pollResult.tokens === null ? null : { token: pollResult.tokens.token },
+						waitForHandshake: true,
+						context: {
+							provider: "device",
+							flow: "poll"
+						}
+					});
+					else await setTokenAndMaybeWait({
+						shouldStore: true,
+						tokens: pollResult.tokens ?? null,
+						waitForHandshake: true,
+						context: {
+							provider: "device",
+							flow: "poll"
+						}
+					});
+					return;
+				}
+			}
+			throw new ConvexError({
+				code: "DEVICE_CODE_EXPIRED",
+				message: "Device code expired before authorization was completed."
+			});
+		},
+		verify: async (opts) => {
+			const params = {
+				flow: "verify",
+				userCode: opts.code
+			};
+			try {
+				await requestDeviceSignIn(params);
+			} catch (error) {
+				throw new ConvexError({
+					code: "DEVICE_AUTHORIZATION_FAILED",
+					message: error instanceof Error ? error.message : "Invalid or expired code."
+				});
+			}
+		}
+	};
+}
+//#endregion
+export { createDeviceClient };
+//# sourceMappingURL=device.js.map

package/dist/{factors → client/factors}/totp.js RENAMED Viewed

@@ -1,4 +1,10 @@
 //#region src/client/factors/totp.ts
+function isSignedInResult(result) {
+	return result.kind === "signedIn";
+}
+function isTotpSetupResult(result) {
+	return result.kind === "totpSetup";
+}
 /** @internal */
 function createTotpClient(deps) {
 	const { proxy, convex, requireApiRefs, proxyFetch, setTokenAndMaybeWait } = deps;
@@ -15,6 +21,7 @@ function createTotpClient(deps) {
 						params
 					}
 				});
+				if (!isTotpSetupResult(result$1)) throw new Error("Server did not return TOTP setup data.");
 				return {
 					uri: result$1.totpSetup.uri,
 					secret: result$1.totpSetup.secret,
@@ -26,6 +33,7 @@ function createTotpClient(deps) {
 				provider: "totp",
 				params
 			});
+			if (!isTotpSetupResult(result)) throw new Error("Server did not return TOTP setup data.");
 			return {
 				uri: result.totpSetup.uri,
 				secret: result.totpSetup.secret,
@@ -48,7 +56,7 @@ function createTotpClient(deps) {
 						verifier: opts.verifier
 					}
 				});
-				if (result$1.tokens) await setTokenAndMaybeWait({
+				if (isSignedInResult(result$1) && result$1.tokens) await setTokenAndMaybeWait({
 					shouldStore: false,
 					tokens: result$1.tokens === null ? null : { token: result$1.tokens.token },
 					waitForHandshake: true,
@@ -64,7 +72,7 @@ function createTotpClient(deps) {
 				params,
 				verifier: opts.verifier
 			});
-			if (result.tokens) await setTokenAndMaybeWait({
+			if (isSignedInResult(result) && result.tokens) await setTokenAndMaybeWait({
 				shouldStore: true,
 				tokens: result.tokens ?? null,
 				waitForHandshake: true,
@@ -88,7 +96,7 @@ function createTotpClient(deps) {
 						verifier: opts.verifier
 					}
 				});
-				if (result$1.tokens) await setTokenAndMaybeWait({
+				if (isSignedInResult(result$1) && result$1.tokens) await setTokenAndMaybeWait({
 					shouldStore: false,
 					tokens: result$1.tokens === null ? null : { token: result$1.tokens.token },
 					waitForHandshake: true,
@@ -104,7 +112,7 @@ function createTotpClient(deps) {
 				params,
 				verifier: opts.verifier
 			});
-			if (result.tokens) await setTokenAndMaybeWait({
+			if (isSignedInResult(result) && result.tokens) await setTokenAndMaybeWait({
 				shouldStore: true,
 				tokens: result.tokens ?? null,
 				waitForHandshake: true,