@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (666) hide show
  1. package/README.md +43 -36
  2. package/dist/bin.js +5765 -4880
  3. package/dist/browser/index.d.ts +30 -0
  4. package/dist/browser/index.js +93 -0
  5. package/dist/browser/locks.js +11 -0
  6. package/dist/browser/navigation.js +14 -0
  7. package/dist/{factors → browser}/passkey.js +23 -32
  8. package/dist/browser/runtime.js +92 -0
  9. package/dist/client/core/types.d.ts +452 -5
  10. package/dist/client/core/types.js +17 -0
  11. package/dist/client/errors.js +19 -0
  12. package/dist/client/factors/device.js +94 -0
  13. package/dist/{factors → client/factors}/totp.js +12 -4
  14. package/dist/client/index.d.ts +47 -1
  15. package/dist/client/index.js +269 -232
  16. package/dist/client/runtime/mutex.js +24 -0
  17. package/dist/client/runtime/proxy.js +30 -0
  18. package/dist/client/runtime/storage.js +45 -0
  19. package/dist/client/services/adapters.js +7 -0
  20. package/dist/client/services/http.js +6 -0
  21. package/dist/client/services/resolve.js +13 -0
  22. package/dist/client/services/runtime.js +6 -0
  23. package/dist/component/_generated/component.d.ts +1355 -1399
  24. package/dist/component/convex.config.d.ts +2 -2
  25. package/dist/component/index.d.ts +4 -26
  26. package/dist/component/index.js +1 -1
  27. package/dist/component/model.d.ts +26 -112
  28. package/dist/component/model.js +76 -54
  29. package/dist/component/modules.js +38 -0
  30. package/dist/component/public/factors/devices.js +1 -1
  31. package/dist/component/public/factors/passkeys.js +1 -1
  32. package/dist/component/public/factors/totp.js +1 -1
  33. package/dist/component/public/groups/core.js +2 -2
  34. package/dist/component/public/groups/invites.js +1 -1
  35. package/dist/component/public/groups/members.js +1 -1
  36. package/dist/component/public/identity/accounts.js +1 -1
  37. package/dist/component/public/identity/codes.js +1 -1
  38. package/dist/component/public/identity/sessions.js +39 -2
  39. package/dist/component/public/identity/tokens.js +82 -4
  40. package/dist/component/public/identity/users.js +1 -1
  41. package/dist/component/public/identity/verifiers.js +10 -4
  42. package/dist/component/public/security/keys.js +1 -1
  43. package/dist/component/public/security/limits.js +1 -1
  44. package/dist/component/public/{enterprise → sso}/audit.js +26 -26
  45. package/dist/component/public/sso/core.js +263 -0
  46. package/dist/component/public/sso/domains.js +280 -0
  47. package/dist/component/public/{enterprise → sso}/scim.js +87 -87
  48. package/dist/component/public/sso/secrets.js +125 -0
  49. package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
  50. package/dist/component/public.js +9 -9
  51. package/dist/component/schema.d.ts +472 -393
  52. package/dist/component/schema.js +36 -35
  53. package/dist/core/index.d.ts +380 -0
  54. package/dist/core/index.js +83 -0
  55. package/dist/otel.d.ts +69 -0
  56. package/dist/otel.js +82 -0
  57. package/dist/providers/anonymous.d.ts +15 -34
  58. package/dist/providers/anonymous.js +27 -35
  59. package/dist/providers/apple.d.ts +59 -0
  60. package/dist/providers/apple.js +58 -0
  61. package/dist/providers/credentials.d.ts +18 -34
  62. package/dist/providers/credentials.js +16 -27
  63. package/dist/providers/custom.d.ts +94 -0
  64. package/dist/providers/custom.js +119 -0
  65. package/dist/providers/device.d.ts +15 -49
  66. package/dist/providers/device.js +17 -34
  67. package/dist/providers/email.d.ts +21 -38
  68. package/dist/providers/email.js +36 -55
  69. package/dist/providers/github.d.ts +54 -0
  70. package/dist/providers/github.js +75 -0
  71. package/dist/providers/google.d.ts +54 -0
  72. package/dist/providers/google.js +61 -0
  73. package/dist/providers/index.d.ts +16 -12
  74. package/dist/providers/index.js +15 -11
  75. package/dist/providers/microsoft.d.ts +57 -0
  76. package/dist/providers/microsoft.js +101 -0
  77. package/dist/providers/passkey.d.ts +19 -35
  78. package/dist/providers/passkey.js +20 -30
  79. package/dist/providers/password.d.ts +17 -18
  80. package/dist/providers/password.js +121 -143
  81. package/dist/providers/phone.d.ts +13 -28
  82. package/dist/providers/phone.js +21 -46
  83. package/dist/providers/sso.d.ts +16 -36
  84. package/dist/providers/sso.js +21 -22
  85. package/dist/providers/totp.d.ts +13 -29
  86. package/dist/providers/totp.js +17 -27
  87. package/dist/server/auth-context.d.ts +204 -0
  88. package/dist/server/auth-context.js +76 -0
  89. package/dist/server/auth.d.ts +99 -244
  90. package/dist/server/auth.js +56 -152
  91. package/dist/server/componentContext.d.ts +12 -0
  92. package/dist/server/componentContext.js +1 -0
  93. package/dist/server/config.js +6 -67
  94. package/dist/server/constants.js +6 -0
  95. package/dist/server/contract.d.ts +105 -0
  96. package/dist/server/contract.js +43 -0
  97. package/dist/server/cookies.js +3 -2
  98. package/dist/server/core.js +31 -36
  99. package/dist/server/crypto.js +34 -44
  100. package/dist/server/db.js +6 -1
  101. package/dist/server/device.js +96 -130
  102. package/dist/server/env.js +48 -0
  103. package/dist/server/errors.js +20 -0
  104. package/dist/server/http.d.ts +15 -59
  105. package/dist/server/http.js +136 -120
  106. package/dist/server/identity.js +2 -2
  107. package/dist/server/index.d.ts +5 -4
  108. package/dist/server/index.js +3 -3
  109. package/dist/server/keys.js +10 -1
  110. package/dist/server/limits.js +26 -26
  111. package/dist/server/log.js +28 -0
  112. package/dist/server/mounts.d.ts +1107 -296
  113. package/dist/server/mounts.js +315 -196
  114. package/dist/server/mutations/account.js +11 -14
  115. package/dist/server/mutations/code.js +6 -5
  116. package/dist/server/mutations/invalidate.js +9 -11
  117. package/dist/server/mutations/oauth.js +112 -73
  118. package/dist/server/mutations/refresh.js +47 -97
  119. package/dist/server/mutations/register.js +37 -35
  120. package/dist/server/mutations/retrieve.js +16 -16
  121. package/dist/server/mutations/signature.js +15 -18
  122. package/dist/server/mutations/signin.js +10 -5
  123. package/dist/server/mutations/signout.js +11 -14
  124. package/dist/server/mutations/store.js +25 -18
  125. package/dist/server/mutations/verifier.js +11 -8
  126. package/dist/server/mutations/verify.js +53 -41
  127. package/dist/server/oauth/factory.js +44 -0
  128. package/dist/server/oauth/index.js +12 -0
  129. package/dist/server/oauth/runtime.js +248 -0
  130. package/dist/server/passkey.js +331 -365
  131. package/dist/server/payloads.d.ts +16 -0
  132. package/dist/server/payloads.js +30 -0
  133. package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
  134. package/dist/server/prefetch.js +635 -0
  135. package/dist/server/random.js +19 -0
  136. package/dist/server/redirects.js +10 -5
  137. package/dist/server/refresh.js +14 -86
  138. package/dist/server/runtime.d.ts +531 -31
  139. package/dist/server/runtime.js +106 -267
  140. package/dist/server/secret.js +44 -0
  141. package/dist/server/services/config.js +10 -0
  142. package/dist/server/services/group.js +211 -0
  143. package/dist/server/services/logger.js +8 -0
  144. package/dist/server/services/providers.js +22 -0
  145. package/dist/server/services/refresh.js +8 -0
  146. package/dist/server/services/resolve.js +27 -0
  147. package/dist/server/services/signin.js +8 -0
  148. package/dist/server/sessions.js +35 -34
  149. package/dist/server/signin.js +229 -140
  150. package/dist/server/{enterprise → sso}/config.js +10 -3
  151. package/dist/server/sso/domain.d.ts +614 -0
  152. package/dist/server/sso/domain.js +1175 -0
  153. package/dist/server/sso/http.js +1060 -0
  154. package/dist/server/sso/oidc.js +324 -0
  155. package/dist/server/sso/policies.js +59 -0
  156. package/dist/server/sso/policy.js +139 -0
  157. package/dist/server/sso/profile.js +22 -0
  158. package/dist/server/sso/provision.js +179 -0
  159. package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
  160. package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
  161. package/dist/server/sso/shared.js +74 -0
  162. package/dist/server/sso/validators.js +88 -0
  163. package/dist/server/sso/webhook.js +94 -0
  164. package/dist/server/tokens.js +16 -4
  165. package/dist/server/totp.js +155 -164
  166. package/dist/server/types.d.ts +306 -296
  167. package/dist/server/types.js +1 -30
  168. package/dist/server/url.js +32 -0
  169. package/dist/server/users.js +74 -40
  170. package/dist/server/utils/cache.js +51 -0
  171. package/dist/server/utils/dispatch.js +36 -0
  172. package/dist/server/utils/retry.js +24 -0
  173. package/dist/server/utils/span.js +32 -0
  174. package/dist/shared/errors.js +19 -0
  175. package/dist/shared/log.js +45 -0
  176. package/{src/test.ts → dist/test.d.ts} +21 -22
  177. package/dist/test.js +51 -0
  178. package/package.json +70 -42
  179. package/dist/authorization/index.d.ts.map +0 -1
  180. package/dist/authorization/index.js.map +0 -1
  181. package/dist/client/core/types.d.ts.map +0 -1
  182. package/dist/client/index.d.ts.map +0 -1
  183. package/dist/client/index.js.map +0 -1
  184. package/dist/component/_generated/api.d.ts +0 -75
  185. package/dist/component/_generated/api.d.ts.map +0 -1
  186. package/dist/component/_generated/api.js.map +0 -1
  187. package/dist/component/_generated/component.d.ts.map +0 -1
  188. package/dist/component/_generated/dataModel.d.ts +0 -42
  189. package/dist/component/_generated/dataModel.d.ts.map +0 -1
  190. package/dist/component/_generated/server.d.ts +0 -117
  191. package/dist/component/_generated/server.d.ts.map +0 -1
  192. package/dist/component/_generated/server.js.map +0 -1
  193. package/dist/component/_virtual/rolldown_runtime.js +0 -18
  194. package/dist/component/client/core/types.d.ts +0 -2
  195. package/dist/component/client/index.d.ts +0 -1
  196. package/dist/component/convex.config.d.ts.map +0 -1
  197. package/dist/component/convex.config.js.map +0 -1
  198. package/dist/component/functions.d.ts +0 -25
  199. package/dist/component/functions.d.ts.map +0 -1
  200. package/dist/component/functions.js.map +0 -1
  201. package/dist/component/index.d.ts.map +0 -1
  202. package/dist/component/model.d.ts.map +0 -1
  203. package/dist/component/model.js.map +0 -1
  204. package/dist/component/providers/anonymous.d.ts +0 -54
  205. package/dist/component/providers/anonymous.d.ts.map +0 -1
  206. package/dist/component/providers/credentials.d.ts +0 -38
  207. package/dist/component/providers/credentials.d.ts.map +0 -1
  208. package/dist/component/providers/device.d.ts +0 -67
  209. package/dist/component/providers/device.d.ts.map +0 -1
  210. package/dist/component/providers/email.d.ts +0 -62
  211. package/dist/component/providers/email.d.ts.map +0 -1
  212. package/dist/component/providers/oauth.d.ts +0 -25
  213. package/dist/component/providers/oauth.d.ts.map +0 -1
  214. package/dist/component/providers/oauth.js +0 -13
  215. package/dist/component/providers/oauth.js.map +0 -1
  216. package/dist/component/providers/passkey.d.ts +0 -57
  217. package/dist/component/providers/passkey.d.ts.map +0 -1
  218. package/dist/component/providers/password.d.ts +0 -88
  219. package/dist/component/providers/password.d.ts.map +0 -1
  220. package/dist/component/providers/phone.d.ts +0 -48
  221. package/dist/component/providers/phone.d.ts.map +0 -1
  222. package/dist/component/providers/sso.d.ts +0 -50
  223. package/dist/component/providers/sso.d.ts.map +0 -1
  224. package/dist/component/providers/totp.d.ts +0 -45
  225. package/dist/component/providers/totp.d.ts.map +0 -1
  226. package/dist/component/public/enterprise/audit.d.ts +0 -73
  227. package/dist/component/public/enterprise/audit.d.ts.map +0 -1
  228. package/dist/component/public/enterprise/audit.js.map +0 -1
  229. package/dist/component/public/enterprise/core.d.ts +0 -176
  230. package/dist/component/public/enterprise/core.d.ts.map +0 -1
  231. package/dist/component/public/enterprise/core.js +0 -292
  232. package/dist/component/public/enterprise/core.js.map +0 -1
  233. package/dist/component/public/enterprise/domains.d.ts +0 -174
  234. package/dist/component/public/enterprise/domains.d.ts.map +0 -1
  235. package/dist/component/public/enterprise/domains.js +0 -271
  236. package/dist/component/public/enterprise/domains.js.map +0 -1
  237. package/dist/component/public/enterprise/scim.d.ts +0 -245
  238. package/dist/component/public/enterprise/scim.d.ts.map +0 -1
  239. package/dist/component/public/enterprise/scim.js.map +0 -1
  240. package/dist/component/public/enterprise/secrets.d.ts +0 -78
  241. package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
  242. package/dist/component/public/enterprise/secrets.js +0 -118
  243. package/dist/component/public/enterprise/secrets.js.map +0 -1
  244. package/dist/component/public/enterprise/webhooks.d.ts +0 -211
  245. package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
  246. package/dist/component/public/enterprise/webhooks.js.map +0 -1
  247. package/dist/component/public/factors/devices.d.ts +0 -157
  248. package/dist/component/public/factors/devices.d.ts.map +0 -1
  249. package/dist/component/public/factors/devices.js.map +0 -1
  250. package/dist/component/public/factors/passkeys.d.ts +0 -175
  251. package/dist/component/public/factors/passkeys.d.ts.map +0 -1
  252. package/dist/component/public/factors/passkeys.js.map +0 -1
  253. package/dist/component/public/factors/totp.d.ts +0 -189
  254. package/dist/component/public/factors/totp.d.ts.map +0 -1
  255. package/dist/component/public/factors/totp.js.map +0 -1
  256. package/dist/component/public/groups/core.d.ts +0 -137
  257. package/dist/component/public/groups/core.d.ts.map +0 -1
  258. package/dist/component/public/groups/core.js.map +0 -1
  259. package/dist/component/public/groups/invites.d.ts +0 -217
  260. package/dist/component/public/groups/invites.d.ts.map +0 -1
  261. package/dist/component/public/groups/invites.js.map +0 -1
  262. package/dist/component/public/groups/members.d.ts +0 -204
  263. package/dist/component/public/groups/members.d.ts.map +0 -1
  264. package/dist/component/public/groups/members.js.map +0 -1
  265. package/dist/component/public/identity/accounts.d.ts +0 -147
  266. package/dist/component/public/identity/accounts.d.ts.map +0 -1
  267. package/dist/component/public/identity/accounts.js.map +0 -1
  268. package/dist/component/public/identity/codes.d.ts +0 -104
  269. package/dist/component/public/identity/codes.d.ts.map +0 -1
  270. package/dist/component/public/identity/codes.js.map +0 -1
  271. package/dist/component/public/identity/sessions.d.ts +0 -128
  272. package/dist/component/public/identity/sessions.d.ts.map +0 -1
  273. package/dist/component/public/identity/sessions.js.map +0 -1
  274. package/dist/component/public/identity/tokens.d.ts +0 -169
  275. package/dist/component/public/identity/tokens.d.ts.map +0 -1
  276. package/dist/component/public/identity/tokens.js.map +0 -1
  277. package/dist/component/public/identity/users.d.ts +0 -212
  278. package/dist/component/public/identity/users.d.ts.map +0 -1
  279. package/dist/component/public/identity/users.js.map +0 -1
  280. package/dist/component/public/identity/verifiers.d.ts +0 -116
  281. package/dist/component/public/identity/verifiers.d.ts.map +0 -1
  282. package/dist/component/public/identity/verifiers.js.map +0 -1
  283. package/dist/component/public/security/keys.d.ts +0 -209
  284. package/dist/component/public/security/keys.d.ts.map +0 -1
  285. package/dist/component/public/security/keys.js.map +0 -1
  286. package/dist/component/public/security/limits.d.ts +0 -114
  287. package/dist/component/public/security/limits.d.ts.map +0 -1
  288. package/dist/component/public/security/limits.js.map +0 -1
  289. package/dist/component/public.d.ts +0 -28
  290. package/dist/component/public.d.ts.map +0 -1
  291. package/dist/component/schema.d.ts.map +0 -1
  292. package/dist/component/schema.js.map +0 -1
  293. package/dist/component/server/auth.d.ts +0 -447
  294. package/dist/component/server/auth.d.ts.map +0 -1
  295. package/dist/component/server/auth.js +0 -254
  296. package/dist/component/server/auth.js.map +0 -1
  297. package/dist/component/server/config.js +0 -121
  298. package/dist/component/server/config.js.map +0 -1
  299. package/dist/component/server/context.js +0 -53
  300. package/dist/component/server/context.js.map +0 -1
  301. package/dist/component/server/cookies.js +0 -47
  302. package/dist/component/server/cookies.js.map +0 -1
  303. package/dist/component/server/core.js +0 -576
  304. package/dist/component/server/core.js.map +0 -1
  305. package/dist/component/server/crypto.js +0 -56
  306. package/dist/component/server/crypto.js.map +0 -1
  307. package/dist/component/server/db.js +0 -87
  308. package/dist/component/server/db.js.map +0 -1
  309. package/dist/component/server/device.js +0 -152
  310. package/dist/component/server/device.js.map +0 -1
  311. package/dist/component/server/enterprise/config.js +0 -46
  312. package/dist/component/server/enterprise/config.js.map +0 -1
  313. package/dist/component/server/enterprise/domain.js +0 -974
  314. package/dist/component/server/enterprise/domain.js.map +0 -1
  315. package/dist/component/server/enterprise/http.js +0 -787
  316. package/dist/component/server/enterprise/http.js.map +0 -1
  317. package/dist/component/server/enterprise/oidc.js +0 -248
  318. package/dist/component/server/enterprise/oidc.js.map +0 -1
  319. package/dist/component/server/enterprise/policy.js +0 -85
  320. package/dist/component/server/enterprise/policy.js.map +0 -1
  321. package/dist/component/server/enterprise/saml.js.map +0 -1
  322. package/dist/component/server/enterprise/scim.js.map +0 -1
  323. package/dist/component/server/enterprise/shared.js +0 -51
  324. package/dist/component/server/enterprise/shared.js.map +0 -1
  325. package/dist/component/server/http.d.ts +0 -85
  326. package/dist/component/server/http.d.ts.map +0 -1
  327. package/dist/component/server/http.js +0 -351
  328. package/dist/component/server/http.js.map +0 -1
  329. package/dist/component/server/identity.js +0 -16
  330. package/dist/component/server/identity.js.map +0 -1
  331. package/dist/component/server/keys.js +0 -96
  332. package/dist/component/server/keys.js.map +0 -1
  333. package/dist/component/server/limits.js +0 -52
  334. package/dist/component/server/limits.js.map +0 -1
  335. package/dist/component/server/mutations/account.js +0 -46
  336. package/dist/component/server/mutations/account.js.map +0 -1
  337. package/dist/component/server/mutations/code.js +0 -68
  338. package/dist/component/server/mutations/code.js.map +0 -1
  339. package/dist/component/server/mutations/invalidate.js +0 -32
  340. package/dist/component/server/mutations/invalidate.js.map +0 -1
  341. package/dist/component/server/mutations/oauth.js +0 -116
  342. package/dist/component/server/mutations/oauth.js.map +0 -1
  343. package/dist/component/server/mutations/refresh.js +0 -119
  344. package/dist/component/server/mutations/refresh.js.map +0 -1
  345. package/dist/component/server/mutations/register.js +0 -87
  346. package/dist/component/server/mutations/register.js.map +0 -1
  347. package/dist/component/server/mutations/retrieve.js +0 -61
  348. package/dist/component/server/mutations/retrieve.js.map +0 -1
  349. package/dist/component/server/mutations/signature.js +0 -38
  350. package/dist/component/server/mutations/signature.js.map +0 -1
  351. package/dist/component/server/mutations/signin.js +0 -27
  352. package/dist/component/server/mutations/signin.js.map +0 -1
  353. package/dist/component/server/mutations/signout.js +0 -27
  354. package/dist/component/server/mutations/signout.js.map +0 -1
  355. package/dist/component/server/mutations/store/refs.js +0 -15
  356. package/dist/component/server/mutations/store/refs.js.map +0 -1
  357. package/dist/component/server/mutations/store.js +0 -70
  358. package/dist/component/server/mutations/store.js.map +0 -1
  359. package/dist/component/server/mutations/verifier.js +0 -18
  360. package/dist/component/server/mutations/verifier.js.map +0 -1
  361. package/dist/component/server/mutations/verify.js +0 -98
  362. package/dist/component/server/mutations/verify.js.map +0 -1
  363. package/dist/component/server/oauth.js +0 -242
  364. package/dist/component/server/oauth.js.map +0 -1
  365. package/dist/component/server/passkey.js +0 -415
  366. package/dist/component/server/passkey.js.map +0 -1
  367. package/dist/component/server/redirects.js +0 -40
  368. package/dist/component/server/redirects.js.map +0 -1
  369. package/dist/component/server/refresh.js +0 -99
  370. package/dist/component/server/refresh.js.map +0 -1
  371. package/dist/component/server/runtime.d.ts +0 -136
  372. package/dist/component/server/runtime.d.ts.map +0 -1
  373. package/dist/component/server/runtime.js +0 -456
  374. package/dist/component/server/runtime.js.map +0 -1
  375. package/dist/component/server/sessions.js +0 -71
  376. package/dist/component/server/sessions.js.map +0 -1
  377. package/dist/component/server/signin.js +0 -225
  378. package/dist/component/server/signin.js.map +0 -1
  379. package/dist/component/server/tokens.js +0 -17
  380. package/dist/component/server/tokens.js.map +0 -1
  381. package/dist/component/server/totp.js +0 -208
  382. package/dist/component/server/totp.js.map +0 -1
  383. package/dist/component/server/types.d.ts +0 -949
  384. package/dist/component/server/types.d.ts.map +0 -1
  385. package/dist/component/server/types.js +0 -79
  386. package/dist/component/server/types.js.map +0 -1
  387. package/dist/component/server/users.js +0 -123
  388. package/dist/component/server/users.js.map +0 -1
  389. package/dist/component/server/utils.js +0 -140
  390. package/dist/component/server/utils.js.map +0 -1
  391. package/dist/core/types.d.ts +0 -361
  392. package/dist/core/types.d.ts.map +0 -1
  393. package/dist/factors/device.js +0 -104
  394. package/dist/factors/device.js.map +0 -1
  395. package/dist/factors/passkey.js.map +0 -1
  396. package/dist/factors/totp.js.map +0 -1
  397. package/dist/providers/anonymous.d.ts.map +0 -1
  398. package/dist/providers/anonymous.js.map +0 -1
  399. package/dist/providers/credentials.d.ts.map +0 -1
  400. package/dist/providers/credentials.js.map +0 -1
  401. package/dist/providers/device.d.ts.map +0 -1
  402. package/dist/providers/device.js.map +0 -1
  403. package/dist/providers/email.d.ts.map +0 -1
  404. package/dist/providers/email.js.map +0 -1
  405. package/dist/providers/oauth.d.ts +0 -69
  406. package/dist/providers/oauth.d.ts.map +0 -1
  407. package/dist/providers/oauth.js +0 -43
  408. package/dist/providers/oauth.js.map +0 -1
  409. package/dist/providers/passkey.d.ts.map +0 -1
  410. package/dist/providers/passkey.js.map +0 -1
  411. package/dist/providers/password.d.ts.map +0 -1
  412. package/dist/providers/password.js.map +0 -1
  413. package/dist/providers/phone.d.ts.map +0 -1
  414. package/dist/providers/phone.js.map +0 -1
  415. package/dist/providers/sso.d.ts.map +0 -1
  416. package/dist/providers/sso.js.map +0 -1
  417. package/dist/providers/totp.d.ts.map +0 -1
  418. package/dist/providers/totp.js.map +0 -1
  419. package/dist/runtime/browser.js +0 -68
  420. package/dist/runtime/browser.js.map +0 -1
  421. package/dist/runtime/invite.js.map +0 -1
  422. package/dist/runtime/proxy.js +0 -70
  423. package/dist/runtime/proxy.js.map +0 -1
  424. package/dist/runtime/storage.js +0 -37
  425. package/dist/runtime/storage.js.map +0 -1
  426. package/dist/server/auth.d.ts.map +0 -1
  427. package/dist/server/auth.js.map +0 -1
  428. package/dist/server/config.d.ts +0 -1
  429. package/dist/server/config.js.map +0 -1
  430. package/dist/server/context.d.ts +0 -1
  431. package/dist/server/context.js.map +0 -1
  432. package/dist/server/cookies.d.ts +0 -1
  433. package/dist/server/cookies.js.map +0 -1
  434. package/dist/server/core.d.ts +0 -1315
  435. package/dist/server/core.d.ts.map +0 -1
  436. package/dist/server/core.js.map +0 -1
  437. package/dist/server/crypto.d.ts +0 -8
  438. package/dist/server/crypto.d.ts.map +0 -1
  439. package/dist/server/crypto.js.map +0 -1
  440. package/dist/server/db.d.ts +0 -1
  441. package/dist/server/db.js.map +0 -1
  442. package/dist/server/device.d.ts +0 -1
  443. package/dist/server/device.js.map +0 -1
  444. package/dist/server/enterprise/config.d.ts +0 -1
  445. package/dist/server/enterprise/config.js.map +0 -1
  446. package/dist/server/enterprise/domain.d.ts +0 -401
  447. package/dist/server/enterprise/domain.d.ts.map +0 -1
  448. package/dist/server/enterprise/domain.js +0 -974
  449. package/dist/server/enterprise/domain.js.map +0 -1
  450. package/dist/server/enterprise/http.d.ts +0 -26
  451. package/dist/server/enterprise/http.d.ts.map +0 -1
  452. package/dist/server/enterprise/http.js +0 -787
  453. package/dist/server/enterprise/http.js.map +0 -1
  454. package/dist/server/enterprise/oidc.d.ts +0 -1
  455. package/dist/server/enterprise/oidc.js +0 -248
  456. package/dist/server/enterprise/oidc.js.map +0 -1
  457. package/dist/server/enterprise/policy.d.ts +0 -1
  458. package/dist/server/enterprise/policy.js +0 -85
  459. package/dist/server/enterprise/policy.js.map +0 -1
  460. package/dist/server/enterprise/saml.d.ts +0 -1
  461. package/dist/server/enterprise/saml.js +0 -338
  462. package/dist/server/enterprise/saml.js.map +0 -1
  463. package/dist/server/enterprise/scim.d.ts +0 -1
  464. package/dist/server/enterprise/scim.js +0 -97
  465. package/dist/server/enterprise/scim.js.map +0 -1
  466. package/dist/server/enterprise/shared.d.ts +0 -5
  467. package/dist/server/enterprise/shared.d.ts.map +0 -1
  468. package/dist/server/enterprise/shared.js +0 -51
  469. package/dist/server/enterprise/shared.js.map +0 -1
  470. package/dist/server/enterprise/validators.d.ts +0 -1
  471. package/dist/server/enterprise/validators.js +0 -60
  472. package/dist/server/enterprise/validators.js.map +0 -1
  473. package/dist/server/http.d.ts.map +0 -1
  474. package/dist/server/http.js.map +0 -1
  475. package/dist/server/identity.d.ts +0 -1
  476. package/dist/server/identity.js.map +0 -1
  477. package/dist/server/keys.d.ts +0 -1
  478. package/dist/server/keys.js.map +0 -1
  479. package/dist/server/limits.d.ts +0 -1
  480. package/dist/server/limits.js.map +0 -1
  481. package/dist/server/mounts.d.ts.map +0 -1
  482. package/dist/server/mounts.js.map +0 -1
  483. package/dist/server/mutations/account.d.ts +0 -29
  484. package/dist/server/mutations/account.d.ts.map +0 -1
  485. package/dist/server/mutations/account.js.map +0 -1
  486. package/dist/server/mutations/code.d.ts +0 -30
  487. package/dist/server/mutations/code.d.ts.map +0 -1
  488. package/dist/server/mutations/code.js.map +0 -1
  489. package/dist/server/mutations/index.d.ts +0 -14
  490. package/dist/server/mutations/invalidate.d.ts +0 -20
  491. package/dist/server/mutations/invalidate.d.ts.map +0 -1
  492. package/dist/server/mutations/invalidate.js.map +0 -1
  493. package/dist/server/mutations/oauth.d.ts +0 -30
  494. package/dist/server/mutations/oauth.d.ts.map +0 -1
  495. package/dist/server/mutations/oauth.js.map +0 -1
  496. package/dist/server/mutations/refresh.d.ts +0 -21
  497. package/dist/server/mutations/refresh.d.ts.map +0 -1
  498. package/dist/server/mutations/refresh.js.map +0 -1
  499. package/dist/server/mutations/register.d.ts +0 -38
  500. package/dist/server/mutations/register.d.ts.map +0 -1
  501. package/dist/server/mutations/register.js.map +0 -1
  502. package/dist/server/mutations/retrieve.d.ts +0 -33
  503. package/dist/server/mutations/retrieve.d.ts.map +0 -1
  504. package/dist/server/mutations/retrieve.js.map +0 -1
  505. package/dist/server/mutations/signature.d.ts +0 -21
  506. package/dist/server/mutations/signature.d.ts.map +0 -1
  507. package/dist/server/mutations/signature.js.map +0 -1
  508. package/dist/server/mutations/signin.d.ts +0 -22
  509. package/dist/server/mutations/signin.d.ts.map +0 -1
  510. package/dist/server/mutations/signin.js.map +0 -1
  511. package/dist/server/mutations/signout.d.ts +0 -16
  512. package/dist/server/mutations/signout.d.ts.map +0 -1
  513. package/dist/server/mutations/signout.js.map +0 -1
  514. package/dist/server/mutations/store/refs.d.ts +0 -12
  515. package/dist/server/mutations/store/refs.d.ts.map +0 -1
  516. package/dist/server/mutations/store/refs.js.map +0 -1
  517. package/dist/server/mutations/store.d.ts +0 -306
  518. package/dist/server/mutations/store.d.ts.map +0 -1
  519. package/dist/server/mutations/store.js.map +0 -1
  520. package/dist/server/mutations/verifier.d.ts +0 -13
  521. package/dist/server/mutations/verifier.d.ts.map +0 -1
  522. package/dist/server/mutations/verifier.js.map +0 -1
  523. package/dist/server/mutations/verify.d.ts +0 -26
  524. package/dist/server/mutations/verify.d.ts.map +0 -1
  525. package/dist/server/mutations/verify.js.map +0 -1
  526. package/dist/server/oauth.d.ts +0 -1
  527. package/dist/server/oauth.js +0 -242
  528. package/dist/server/oauth.js.map +0 -1
  529. package/dist/server/passkey.d.ts +0 -27
  530. package/dist/server/passkey.d.ts.map +0 -1
  531. package/dist/server/passkey.js.map +0 -1
  532. package/dist/server/redirects.d.ts +0 -1
  533. package/dist/server/redirects.js.map +0 -1
  534. package/dist/server/refresh.d.ts +0 -1
  535. package/dist/server/refresh.js.map +0 -1
  536. package/dist/server/runtime.d.ts.map +0 -1
  537. package/dist/server/runtime.js.map +0 -1
  538. package/dist/server/sessions.d.ts +0 -1
  539. package/dist/server/sessions.js.map +0 -1
  540. package/dist/server/signin.d.ts +0 -1
  541. package/dist/server/signin.js.map +0 -1
  542. package/dist/server/ssr.d.ts.map +0 -1
  543. package/dist/server/ssr.js +0 -777
  544. package/dist/server/ssr.js.map +0 -1
  545. package/dist/server/templates.d.ts +0 -1
  546. package/dist/server/templates.js.map +0 -1
  547. package/dist/server/tokens.d.ts +0 -1
  548. package/dist/server/tokens.js.map +0 -1
  549. package/dist/server/totp.d.ts +0 -1
  550. package/dist/server/totp.js.map +0 -1
  551. package/dist/server/types.d.ts.map +0 -1
  552. package/dist/server/types.js.map +0 -1
  553. package/dist/server/users.d.ts +0 -1
  554. package/dist/server/users.js.map +0 -1
  555. package/dist/server/utils.d.ts +0 -1
  556. package/dist/server/utils.js +0 -140
  557. package/dist/server/utils.js.map +0 -1
  558. package/src/authorization/index.ts +0 -83
  559. package/src/cli/bin.ts +0 -5
  560. package/src/cli/command.ts +0 -70
  561. package/src/cli/index.ts +0 -1112
  562. package/src/cli/keys.ts +0 -23
  563. package/src/client/core/types.ts +0 -437
  564. package/src/client/factors/device.ts +0 -158
  565. package/src/client/factors/passkey.ts +0 -279
  566. package/src/client/factors/totp.ts +0 -150
  567. package/src/client/index.ts +0 -1124
  568. package/src/client/runtime/browser.ts +0 -112
  569. package/src/client/runtime/invite.ts +0 -63
  570. package/src/client/runtime/proxy.ts +0 -111
  571. package/src/client/runtime/storage.ts +0 -79
  572. package/src/component/_generated/api.ts +0 -96
  573. package/src/component/_generated/component.ts +0 -3774
  574. package/src/component/_generated/dataModel.ts +0 -60
  575. package/src/component/_generated/server.ts +0 -156
  576. package/src/component/convex.config.ts +0 -5
  577. package/src/component/functions.ts +0 -104
  578. package/src/component/index.ts +0 -42
  579. package/src/component/model.ts +0 -449
  580. package/src/component/public/enterprise/audit.ts +0 -125
  581. package/src/component/public/enterprise/core.ts +0 -355
  582. package/src/component/public/enterprise/domains.ts +0 -327
  583. package/src/component/public/enterprise/scim.ts +0 -397
  584. package/src/component/public/enterprise/secrets.ts +0 -133
  585. package/src/component/public/enterprise/webhooks.ts +0 -307
  586. package/src/component/public/factors/devices.ts +0 -224
  587. package/src/component/public/factors/passkeys.ts +0 -243
  588. package/src/component/public/factors/totp.ts +0 -259
  589. package/src/component/public/groups/core.ts +0 -481
  590. package/src/component/public/groups/invites.ts +0 -608
  591. package/src/component/public/groups/members.ts +0 -410
  592. package/src/component/public/identity/accounts.ts +0 -207
  593. package/src/component/public/identity/codes.ts +0 -149
  594. package/src/component/public/identity/sessions.ts +0 -210
  595. package/src/component/public/identity/tokens.ts +0 -251
  596. package/src/component/public/identity/users.ts +0 -355
  597. package/src/component/public/identity/verifiers.ts +0 -158
  598. package/src/component/public/security/keys.ts +0 -366
  599. package/src/component/public/security/limits.ts +0 -174
  600. package/src/component/public.ts +0 -27
  601. package/src/component/schema.ts +0 -505
  602. package/src/providers/anonymous.ts +0 -99
  603. package/src/providers/credentials.ts +0 -102
  604. package/src/providers/device.ts +0 -87
  605. package/src/providers/email.ts +0 -99
  606. package/src/providers/index.ts +0 -31
  607. package/src/providers/oauth.ts +0 -117
  608. package/src/providers/passkey.ts +0 -77
  609. package/src/providers/password.ts +0 -441
  610. package/src/providers/phone.ts +0 -93
  611. package/src/providers/sso.ts +0 -54
  612. package/src/providers/totp.ts +0 -62
  613. package/src/samlify.d.ts +0 -53
  614. package/src/server/auth.ts +0 -949
  615. package/src/server/config.ts +0 -200
  616. package/src/server/context.ts +0 -90
  617. package/src/server/cookies.ts +0 -49
  618. package/src/server/core.ts +0 -2004
  619. package/src/server/crypto.ts +0 -90
  620. package/src/server/db.ts +0 -203
  621. package/src/server/device.ts +0 -254
  622. package/src/server/enterprise/config.ts +0 -51
  623. package/src/server/enterprise/domain.ts +0 -1739
  624. package/src/server/enterprise/http.ts +0 -1331
  625. package/src/server/enterprise/oidc.ts +0 -500
  626. package/src/server/enterprise/policy.ts +0 -128
  627. package/src/server/enterprise/saml.ts +0 -578
  628. package/src/server/enterprise/scim.ts +0 -135
  629. package/src/server/enterprise/shared.ts +0 -134
  630. package/src/server/enterprise/validators.ts +0 -93
  631. package/src/server/http.ts +0 -790
  632. package/src/server/identity.ts +0 -18
  633. package/src/server/index.ts +0 -40
  634. package/src/server/keys.ts +0 -158
  635. package/src/server/limits.ts +0 -107
  636. package/src/server/mounts.ts +0 -924
  637. package/src/server/mutations/account.ts +0 -62
  638. package/src/server/mutations/code.ts +0 -119
  639. package/src/server/mutations/index.ts +0 -13
  640. package/src/server/mutations/invalidate.ts +0 -50
  641. package/src/server/mutations/oauth.ts +0 -243
  642. package/src/server/mutations/refresh.ts +0 -299
  643. package/src/server/mutations/register.ts +0 -155
  644. package/src/server/mutations/retrieve.ts +0 -109
  645. package/src/server/mutations/signature.ts +0 -57
  646. package/src/server/mutations/signin.ts +0 -54
  647. package/src/server/mutations/signout.ts +0 -43
  648. package/src/server/mutations/store/refs.ts +0 -10
  649. package/src/server/mutations/store.ts +0 -123
  650. package/src/server/mutations/verifier.ts +0 -34
  651. package/src/server/mutations/verify.ts +0 -200
  652. package/src/server/oauth.ts +0 -418
  653. package/src/server/passkey.ts +0 -838
  654. package/src/server/redirects.ts +0 -59
  655. package/src/server/refresh.ts +0 -218
  656. package/src/server/runtime.ts +0 -918
  657. package/src/server/sessions.ts +0 -132
  658. package/src/server/signin.ts +0 -445
  659. package/src/server/ssr.ts +0 -1747
  660. package/src/server/templates.ts +0 -82
  661. package/src/server/tokens.ts +0 -35
  662. package/src/server/totp.ts +0 -399
  663. package/src/server/types.ts +0 -1942
  664. package/src/server/users.ts +0 -291
  665. package/src/server/utils.ts +0 -220
  666. /package/dist/{runtime → client/runtime}/invite.js +0 -0
@@ -0,0 +1,1060 @@
1
+ import { deleteScimIdentity, getScimIdentity, getScimIdentityByConnectionAndUser, getScimIdentityByMappedGroup, insertAccount, insertUser, listScimIdentitiesByConnection, patchUser, upsertScimIdentity } from "../contract.js";
2
+ import { finalizeNormalizedProfile, normalizeStringArray } from "./profile.js";
3
+ import { SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID, decodeGroupOidcState, encodeGroupOidcState, groupOidcProviderId, groupSamlProviderId } from "./shared.js";
4
+ import { createGroupConnectionOidcRuntime } from "./oidc.js";
5
+ import { resolveProvisionedRoleIds } from "./policy.js";
6
+ import { redirectToParamCookie, useRedirectToParam } from "../cookies.js";
7
+ import { addSSORoutes, convertErrorsToResponse, getCookies } from "../http.js";
8
+ import { createOAuthAuthorizationURL, handleOAuthCallback } from "../oauth/runtime.js";
9
+ import { redirectAbsoluteUrl, setURLSearchParam } from "../redirects.js";
10
+ import { parseScimListRequest, scimError, scimJson, serializeScimGroup, serializeScimUser } from "./scim.js";
11
+ import { createGroupConnectionSamlMetadataXml, createGroupConnectionSamlSignInRequest, createSamlPostBindingResponse, encodeGroupSamlRelayState, enforceGroupConnectionSamlSecurity, parseGroupConnectionSamlLoginResponse, parseGroupConnectionSamlLogoutMessage, profileFromSamlExtract, validateGroupConnectionSamlLoginRelayState } from "./saml.js";
12
+ import { ConvexError } from "convex/values";
13
+ import { serialize } from "cookie";
14
+
15
+ //#region src/server/sso/http.ts
16
+ async function getOidcCallbackParams(request) {
17
+ const url = new URL(request.url);
18
+ const params = new URLSearchParams(url.searchParams);
19
+ if (request.headers.get("Content-Type")?.includes("application/x-www-form-urlencoded")) (await request.formData()).forEach((value, key) => {
20
+ if (typeof value === "string") params.append(key, value);
21
+ });
22
+ return params;
23
+ }
24
+ function addGroupHttpRuntime(deps) {
25
+ if (!deps.hasSSO) return;
26
+ const { http, auth, config, requireEnv, loadActiveConnectionSamlOrThrow, loadConnectionOidcOrThrow, getGroupConnectionScimContext, loadGroupPolicyOrThrow, recordGroupAuditEvent, emitGroupWebhookDeliveries, generateRandomString, inviteTokenAlphabet: INVITE_TOKEN_ALPHABET, callUserOAuth, callVerifierSignature, sharedOidcRedirectURI } = deps;
27
+ const GROUP_CONNECTION_ROUTE_BASE = deps.routeBase;
28
+ const convexError = (code, message) => new ConvexError({
29
+ code,
30
+ message
31
+ });
32
+ const SCIM_SCHEMAS = [{
33
+ id: SCIM_USER_SCHEMA_ID,
34
+ name: "User",
35
+ description: "User Account",
36
+ attributes: [
37
+ {
38
+ name: "userName",
39
+ type: "string",
40
+ required: true
41
+ },
42
+ {
43
+ name: "displayName",
44
+ type: "string"
45
+ },
46
+ {
47
+ name: "active",
48
+ type: "boolean"
49
+ },
50
+ {
51
+ name: "emails",
52
+ type: "complex",
53
+ multiValued: true
54
+ }
55
+ ]
56
+ }, {
57
+ id: SCIM_GROUP_SCHEMA_ID,
58
+ name: "Group",
59
+ description: "Group",
60
+ attributes: [{
61
+ name: "displayName",
62
+ type: "string",
63
+ required: true
64
+ }, {
65
+ name: "members",
66
+ type: "complex",
67
+ multiValued: true
68
+ }]
69
+ }];
70
+ const SCIM_RESOURCE_TYPES = [{
71
+ id: "User",
72
+ name: "User",
73
+ endpoint: "/Users",
74
+ schema: SCIM_USER_SCHEMA_ID
75
+ }, {
76
+ id: "Group",
77
+ name: "Group",
78
+ endpoint: "/Groups",
79
+ schema: SCIM_GROUP_SCHEMA_ID
80
+ }];
81
+ const handleStaticScimCollection = (items, resourceId, opts) => {
82
+ if (resourceId !== void 0) {
83
+ const item = items.find((entry) => entry[opts.by] === decodeURIComponent(resourceId));
84
+ return item ? scimJson(item) : scimError(404, "notFound", opts.notFound);
85
+ }
86
+ return scimJson({
87
+ schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
88
+ Resources: items,
89
+ totalResults: items.length,
90
+ startIndex: 1,
91
+ itemsPerPage: items.length
92
+ });
93
+ };
94
+ const pickPrimaryEmail = (body) => Array.isArray(body.emails) ? body.emails.find((entry) => entry.primary === true)?.value ?? body.emails[0]?.value : void 0;
95
+ const pickDisplayName = (body) => {
96
+ const name = typeof body.name === "object" && body.name !== null ? body.name : void 0;
97
+ const derivedName = [name?.givenName, name?.familyName].filter(Boolean).join(" ");
98
+ if (body.displayName !== void 0) return body.displayName;
99
+ if (name?.formatted !== void 0) return name.formatted;
100
+ return derivedName !== "" ? derivedName : void 0;
101
+ };
102
+ const pickPhone = (body) => Array.isArray(body.phoneNumbers) ? body.phoneNumbers[0]?.value : void 0;
103
+ const getScimProfileConfig = (scimConfig) => {
104
+ const extend = typeof scimConfig?.extend === "object" && scimConfig.extend !== null ? scimConfig.extend : {};
105
+ const profile = typeof extend.profile === "object" && extend.profile !== null ? extend.profile : {};
106
+ return {
107
+ mapping: typeof profile.mapping === "object" && profile.mapping !== null ? profile.mapping : {},
108
+ extraFields: typeof profile.extraFields === "object" && profile.extraFields !== null ? profile.extraFields : {}
109
+ };
110
+ };
111
+ const resolveScimField = (body, key) => {
112
+ switch (key) {
113
+ case "userName": return body.userName;
114
+ case "externalId": return body.externalId;
115
+ case "displayName": return body.displayName;
116
+ case "name.formatted": return body.name?.formatted;
117
+ case "name.givenName": return body.name?.givenName;
118
+ case "name.familyName": return body.name?.familyName;
119
+ case "emails.primary": return pickPrimaryEmail(body);
120
+ case "emails.value": return Array.isArray(body.emails) ? body.emails.map((entry) => entry.value).filter(Boolean) : void 0;
121
+ case "phoneNumbers.primary":
122
+ case "phoneNumbers.value": return pickPhone(body);
123
+ case "active": return body.active;
124
+ case "groups": return body.groups;
125
+ case "roles": return body.roles;
126
+ default: return key ? body[key] : void 0;
127
+ }
128
+ };
129
+ const extractScimProfile = (scimConfig, body) => {
130
+ const { mapping, extraFields } = getScimProfileConfig(scimConfig);
131
+ const extend = Object.fromEntries(Object.entries(extraFields).map(([fieldName, source]) => [fieldName, resolveScimField(body, source)]).filter(([, value]) => value !== void 0));
132
+ return finalizeNormalizedProfile({
133
+ externalId: resolveScimField(body, mapping.externalId) ?? (typeof body.externalId === "string" ? body.externalId : void 0),
134
+ name: resolveScimField(body, mapping.name) ?? pickDisplayName(body),
135
+ firstName: resolveScimField(body, mapping.firstName),
136
+ lastName: resolveScimField(body, mapping.lastName),
137
+ email: resolveScimField(body, mapping.email) ?? pickPrimaryEmail(body) ?? body.userName,
138
+ phone: resolveScimField(body, mapping.phone) ?? pickPhone(body),
139
+ active: resolveScimField(body, mapping.active) ?? body.active,
140
+ groups: pickStringArray(resolveScimField(body, mapping.groups)),
141
+ roles: pickStringArray(resolveScimField(body, mapping.roles)),
142
+ extend: Object.keys(extend).length > 0 ? extend : void 0
143
+ });
144
+ };
145
+ const pickStringArray = (value) => {
146
+ return normalizeStringArray(Array.isArray(value) ? value.map((entry) => {
147
+ if (typeof entry === "string") return entry;
148
+ if (typeof entry === "object" && entry !== null && typeof entry.value === "string") return entry.value;
149
+ }) : value);
150
+ };
151
+ const normalizeScimValues = (value) => {
152
+ if (Array.isArray(value)) return value.flatMap((entry) => normalizeScimValues(entry));
153
+ if (typeof value === "string") return [value];
154
+ if (typeof value === "boolean") return [String(value)];
155
+ return [];
156
+ };
157
+ const applyUserProvisioningPatch = (args) => {
158
+ const mode = args.policy.updateProfileFromScim ?? "always";
159
+ if (mode === "never") return {};
160
+ if (mode === "always") return args.nextUser;
161
+ return Object.fromEntries(Object.entries(args.nextUser).filter(([key, value]) => {
162
+ if (value === void 0) return false;
163
+ const current = args.currentUser[key];
164
+ return current === void 0 || current === null || current === "";
165
+ }));
166
+ };
167
+ const filterScimCollection = (items, filter, filters) => {
168
+ if (!filter) return items;
169
+ const accessor = filters[filter.attribute];
170
+ if (!accessor) throw new Error("Unsupported SCIM filter.");
171
+ return items.filter((item) => {
172
+ const values = normalizeScimValues(accessor(item));
173
+ switch (filter.operator) {
174
+ case "pr": return values.length > 0;
175
+ case "eq": return values.includes(filter.value ?? "");
176
+ case "co": return values.some((value) => value.includes(filter.value ?? ""));
177
+ case "sw": return values.some((value) => value.startsWith(filter.value ?? ""));
178
+ case "ew": return values.some((value) => value.endsWith(filter.value ?? ""));
179
+ }
180
+ });
181
+ };
182
+ const paginateScimCollection = (items, listRequest) => {
183
+ const start = listRequest.startIndex - 1;
184
+ return items.slice(start, start + listRequest.count);
185
+ };
186
+ const requireScimResourceId = (resourceId, label) => {
187
+ if (!resourceId) return scimError(400, "invalidPath", `${label} resource ID is required.`);
188
+ return null;
189
+ };
190
+ const readScimJson = async (request) => await request.json();
191
+ const handleSamlAcs = async (ctx, request, runtimeRoute) => {
192
+ if (runtimeRoute.protocol !== "saml" || runtimeRoute.rest.length !== 1 || runtimeRoute.rest[0] !== "acs") throw convexError("INVALID_PARAMETERS", "Invalid connection runtime path.");
193
+ const connectionId = runtimeRoute.connectionId;
194
+ const { loaded, connection, saml } = await loadActiveConnectionSamlOrThrow(ctx, connectionId);
195
+ let parsedResponse;
196
+ try {
197
+ parsedResponse = await parseGroupConnectionSamlLoginResponse({
198
+ request,
199
+ rootUrl: requireEnv("CONVEX_SITE_URL"),
200
+ source: {
201
+ kind: "connection",
202
+ id: connection._id
203
+ },
204
+ config: loaded.config
205
+ });
206
+ } catch (error) {
207
+ throw convexError("OAUTH_PROVIDER_ERROR", `SAML response parse failed: ${error instanceof Error ? error.message : String(error)}`);
208
+ }
209
+ try {
210
+ enforceGroupConnectionSamlSecurity({
211
+ extract: parsedResponse.parsed.extract,
212
+ config: loaded.config
213
+ });
214
+ } catch (error) {
215
+ throw convexError("OAUTH_PROVIDER_ERROR", error instanceof Error ? error.message : "SAML assertion failed security validation.");
216
+ }
217
+ try {
218
+ validateGroupConnectionSamlLoginRelayState({
219
+ relayState: parsedResponse.relayState,
220
+ source: {
221
+ kind: "connection",
222
+ id: connection._id
223
+ },
224
+ inResponseTo: parsedResponse.parsed.extract?.response?.inResponseTo
225
+ });
226
+ } catch {
227
+ throw convexError("OAUTH_INVALID_STATE", "SAML RelayState did not match the pending login request.");
228
+ }
229
+ const { samlAttributes, samlSessionIndex, ...userProfile } = profileFromSamlExtract(parsedResponse.parsed.extract, saml.profile?.mapping ?? {});
230
+ const profile = userProfile;
231
+ const extraFields = typeof saml.profile === "object" && saml.profile !== null ? saml.profile.extraFields : void 0;
232
+ if (extraFields) {
233
+ const extend = {};
234
+ for (const [fieldName, attributeName] of Object.entries(extraFields)) {
235
+ const value = samlAttributes[attributeName];
236
+ if (value !== void 0) extend[fieldName] = value;
237
+ }
238
+ if (Object.keys(extend).length > 0) profile.extend = extend;
239
+ }
240
+ const maybeRedirectTo = useRedirectToParam(groupSamlProviderId(connection._id), getCookies(request));
241
+ const verificationCode = await callUserOAuth(ctx, {
242
+ provider: groupSamlProviderId(connection._id),
243
+ providerAccountId: profile.id,
244
+ profile,
245
+ signature: parsedResponse.relayState.signature,
246
+ accountExtend: {
247
+ identity: {
248
+ protocol: "saml",
249
+ connectionId: connection._id,
250
+ subject: profile.id,
251
+ entityId: typeof saml.entityId === "string" ? saml.entityId : void 0
252
+ },
253
+ saml: {
254
+ attributes: samlAttributes,
255
+ sessionIndex: samlSessionIndex
256
+ }
257
+ }
258
+ });
259
+ const vurl = setURLSearchParam(await redirectAbsoluteUrl(config, { redirectTo: maybeRedirectTo?.redirectTo ?? (typeof parsedResponse.relayState.redirectTo === "string" ? parsedResponse.relayState.redirectTo : void 0) }), "code", verificationCode);
260
+ const vheaders = new Headers({ Location: vurl });
261
+ vheaders.set("Cache-Control", "must-revalidate");
262
+ for (const { name, value, options } of maybeRedirectTo !== null ? [maybeRedirectTo.updatedCookie] : []) vheaders.append("Set-Cookie", serialize(name, value, options));
263
+ return new Response(null, {
264
+ status: 302,
265
+ headers: vheaders
266
+ });
267
+ };
268
+ const handleSamlSlo = async (ctx, request, runtimeRoute) => {
269
+ if (runtimeRoute.protocol !== "saml" || runtimeRoute.rest.length !== 1 || runtimeRoute.rest[0] !== "slo") throw convexError("INVALID_PARAMETERS", "Invalid connection runtime path.");
270
+ const { loaded, connection } = await loadActiveConnectionSamlOrThrow(ctx, runtimeRoute.connectionId);
271
+ const parsedMessage = await parseGroupConnectionSamlLogoutMessage({
272
+ request,
273
+ rootUrl: requireEnv("CONVEX_SITE_URL"),
274
+ source: {
275
+ kind: "connection",
276
+ id: connection._id
277
+ },
278
+ config: loaded.config
279
+ });
280
+ if (parsedMessage.hasSamlRequest) {
281
+ if (!parsedMessage.parsedRequest) throw convexError("INVALID_PARAMETERS", "Missing SAML logout payload.");
282
+ const responseContext = parsedMessage.runtime.sp.createLogoutResponse(parsedMessage.runtime.idp, parsedMessage.parsedRequest.extract, parsedMessage.binding, parsedMessage.relayState ?? "");
283
+ if (parsedMessage.binding === "redirect") return new Response(null, {
284
+ status: 302,
285
+ headers: { Location: responseContext.context }
286
+ });
287
+ return createSamlPostBindingResponse({
288
+ endpoint: responseContext.entityEndpoint,
289
+ parameter: "SAMLResponse",
290
+ value: responseContext.context,
291
+ relayState: parsedMessage.relayState
292
+ });
293
+ } else if (parsedMessage.hasSamlResponse) return new Response(null, { status: 204 });
294
+ else throw convexError("INVALID_PARAMETERS", "Missing SAML logout payload.");
295
+ };
296
+ const handleScimRequest = async (ctx, request) => {
297
+ try {
298
+ const { scimConfig, connection, parsedPath } = await getGroupConnectionScimContext(ctx, request);
299
+ const state = {
300
+ ctx,
301
+ request,
302
+ url: new URL(request.url),
303
+ parsedPath,
304
+ connection,
305
+ scimConfig,
306
+ policy: await loadGroupPolicyOrThrow(ctx, connection.groupId),
307
+ recordScimEvent: async (eventType, ok, subjectType, subjectId, metadata) => {
308
+ const auditEventId = await recordGroupAuditEvent(ctx, {
309
+ connectionId: connection._id,
310
+ groupId: connection.groupId,
311
+ eventType,
312
+ actorType: "scim",
313
+ subjectType,
314
+ subjectId,
315
+ ok,
316
+ metadata
317
+ });
318
+ await emitGroupWebhookDeliveries(ctx, {
319
+ connectionId: connection._id,
320
+ eventType,
321
+ auditEventId,
322
+ payload: {
323
+ connectionId: connection._id,
324
+ subjectId,
325
+ metadata
326
+ }
327
+ });
328
+ }
329
+ };
330
+ const handleUsersGet = async (state$1) => {
331
+ const members = await auth.member.list(state$1.ctx, {
332
+ where: { groupId: state$1.connection.groupId },
333
+ limit: 100
334
+ });
335
+ const identities = await listScimIdentitiesByConnection(state$1.ctx, config.component.public, state$1.connection._id);
336
+ const identityByUserId = new Map(identities.filter((identity) => typeof identity.userId === "string").map((identity) => [identity.userId, identity]));
337
+ const users = (await Promise.all(members.items.map(async (member) => {
338
+ const user = await auth.user.get(state$1.ctx, member.userId);
339
+ const typedUser = user;
340
+ return user ? {
341
+ user: typedUser,
342
+ member,
343
+ identity: identityByUserId.get(typedUser._id)
344
+ } : null;
345
+ }))).filter(Boolean);
346
+ const listRequest = parseScimListRequest(state$1.url);
347
+ const filtered = filterScimCollection(users, listRequest.filter, {
348
+ id: (item) => item.user._id,
349
+ externalId: (item) => item.identity?.externalId,
350
+ userName: (item) => item.user.email ?? item.user.phone ?? item.user.name ?? item.user._id,
351
+ displayName: (item) => item.user.name,
352
+ name: (item) => item.user.name,
353
+ "name.formatted": (item) => item.user.name,
354
+ "name.givenName": (item) => item.user.name,
355
+ "name.familyName": (item) => item.user.name,
356
+ "emails.value": (item) => item.user.email,
357
+ "phoneNumbers.value": (item) => item.user.phone,
358
+ active: (item) => item.identity?.active ?? item.member.status === "active"
359
+ });
360
+ if (state$1.parsedPath.resourceId) {
361
+ const resource = filtered.find(({ user }) => user._id === state$1.parsedPath.resourceId);
362
+ return resource ? scimJson(serializeScimUser({
363
+ id: resource.user._id,
364
+ user: resource.user,
365
+ externalId: resource.identity?.externalId,
366
+ location: `${state$1.url.origin}${state$1.url.pathname.replace(/\/[^/]+$/, "")}/${resource.user._id}`,
367
+ active: resource.identity?.active ?? resource.member.status === "active"
368
+ }), 200, { Location: `${state$1.url.origin}${state$1.url.pathname.replace(/\/[^/]+$/, "")}/${resource.user._id}` }) : scimError(404, "notFound", "User not found.");
369
+ }
370
+ const paged = paginateScimCollection(filtered, listRequest);
371
+ await state$1.recordScimEvent("group.sso.scim.read", true, "group_connection_scim", state$1.scimConfig._id);
372
+ return scimJson({
373
+ schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
374
+ Resources: paged.map(({ user, identity, member }) => serializeScimUser({
375
+ id: user._id,
376
+ user,
377
+ externalId: identity?.externalId,
378
+ location: `${state$1.url.origin}${state$1.url.pathname}/${user._id}`,
379
+ active: identity?.active ?? member.status === "active"
380
+ })),
381
+ totalResults: filtered.length,
382
+ startIndex: listRequest.startIndex,
383
+ itemsPerPage: paged.length
384
+ });
385
+ };
386
+ const handleUsersPost = async (state$1) => {
387
+ const body = await readScimJson(state$1.request);
388
+ const extractedBase = extractScimProfile(state$1.scimConfig, body);
389
+ const extracted = await config.sso?.hooks?.profileResolved?.({
390
+ protocol: "scim",
391
+ connectionId: state$1.connection._id,
392
+ profile: extractedBase
393
+ }) ?? extractedBase;
394
+ const provisionProfile = await config.sso?.hooks?.beforeProvision?.({
395
+ protocol: "scim",
396
+ connectionId: state$1.connection._id,
397
+ profile: extracted
398
+ }) ?? extracted;
399
+ const externalId = provisionProfile.externalId;
400
+ const existingIdentity = externalId ? await getScimIdentity(state$1.ctx, config.component.public, {
401
+ connectionId: state$1.connection._id,
402
+ resourceType: "user",
403
+ externalId
404
+ }) : null;
405
+ const existingUser = existingIdentity?.userId ? await auth.user.get(state$1.ctx, existingIdentity.userId) : null;
406
+ const created = existingUser === null;
407
+ const provisionedRoleIds = resolveProvisionedRoleIds({
408
+ policy: state$1.policy,
409
+ groups: provisionProfile.groups,
410
+ roles: provisionProfile.roles
411
+ });
412
+ const userId = existingUser?._id ? existingUser._id : await insertUser(state$1.ctx, config.component.public, {
413
+ name: provisionProfile.name,
414
+ ...typeof provisionProfile.firstName === "string" ? { firstName: provisionProfile.firstName } : {},
415
+ ...typeof provisionProfile.lastName === "string" ? { lastName: provisionProfile.lastName } : {},
416
+ email: provisionProfile.email,
417
+ ...typeof provisionProfile.email === "string" ? { emailVerificationTime: Date.now() } : {},
418
+ phone: provisionProfile.phone,
419
+ ...typeof provisionProfile.phone === "string" ? { phoneVerificationTime: Date.now() } : {},
420
+ ...provisionProfile.extend ? { extend: provisionProfile.extend } : {}
421
+ });
422
+ if (created && externalId) {
423
+ const providerId = state$1.connection.protocol === "oidc" ? groupOidcProviderId(state$1.connection._id) : groupSamlProviderId(state$1.connection._id);
424
+ await insertAccount(state$1.ctx, config.component.public, {
425
+ userId,
426
+ provider: providerId,
427
+ providerAccountId: externalId
428
+ });
429
+ }
430
+ if (existingUser) {
431
+ const nextUserData = {
432
+ name: provisionProfile.name,
433
+ firstName: provisionProfile.firstName,
434
+ lastName: provisionProfile.lastName,
435
+ email: provisionProfile.email,
436
+ phone: provisionProfile.phone,
437
+ ...provisionProfile.extend ? { extend: provisionProfile.extend } : {}
438
+ };
439
+ if (typeof provisionProfile.email === "string") nextUserData.emailVerificationTime = Date.now();
440
+ if (typeof provisionProfile.phone === "string") nextUserData.phoneVerificationTime = Date.now();
441
+ const patchData = applyUserProvisioningPatch({
442
+ currentUser: existingUser,
443
+ nextUser: nextUserData,
444
+ policy: state$1.policy.provisioning.user,
445
+ source: "scim"
446
+ });
447
+ if (Object.keys(patchData).length > 0) await patchUser(state$1.ctx, config.component.public, {
448
+ userId,
449
+ data: patchData
450
+ });
451
+ }
452
+ const resolution = await auth.member.inspect(state$1.ctx, {
453
+ groupId: state$1.connection.groupId,
454
+ userId
455
+ });
456
+ if (resolution.membership) await auth.member.update(state$1.ctx, resolution.membership._id, { status: body.active === false ? "inactive" : "active" });
457
+ else await auth.member.create(state$1.ctx, {
458
+ groupId: state$1.connection.groupId,
459
+ userId,
460
+ roleIds: provisionedRoleIds,
461
+ status: provisionProfile.active === false ? "inactive" : "active"
462
+ });
463
+ if (externalId) await upsertScimIdentity(state$1.ctx, config.component.public, {
464
+ connectionId: state$1.connection._id,
465
+ groupId: state$1.connection.groupId,
466
+ resourceType: "user",
467
+ externalId,
468
+ userId,
469
+ active: provisionProfile.active !== false,
470
+ raw: body,
471
+ lastProvisionedAt: Date.now()
472
+ });
473
+ await state$1.recordScimEvent(created ? "group.sso.scim.user.created" : "group.sso.scim.user.updated", true, "user", userId);
474
+ const createdUser = await auth.user.get(state$1.ctx, userId);
475
+ await config.sso?.hooks?.afterProvision?.({
476
+ protocol: "scim",
477
+ connectionId: state$1.connection._id,
478
+ profile: provisionProfile,
479
+ userId
480
+ });
481
+ const location = `${state$1.url.origin}${state$1.url.pathname}/${userId}`;
482
+ return scimJson(serializeScimUser({
483
+ id: userId,
484
+ user: createdUser ?? {},
485
+ externalId,
486
+ location,
487
+ active: provisionProfile.active !== false
488
+ }), created ? 201 : 200, { Location: location });
489
+ };
490
+ const handleUsersUpsert = async (state$1) => {
491
+ const missing = requireScimResourceId(state$1.parsedPath.resourceId, "User");
492
+ if (missing) return missing;
493
+ const userId = state$1.parsedPath.resourceId;
494
+ const existingUser = await auth.user.get(state$1.ctx, userId);
495
+ if (!existingUser) return scimError(404, "notFound", "User not found.");
496
+ const body = await readScimJson(state$1.request);
497
+ const extractedBase = extractScimProfile(state$1.scimConfig, body);
498
+ const extracted = await config.sso?.hooks?.profileResolved?.({
499
+ protocol: "scim",
500
+ connectionId: state$1.connection._id,
501
+ profile: extractedBase
502
+ }) ?? extractedBase;
503
+ const provisionProfile = await config.sso?.hooks?.beforeProvision?.({
504
+ protocol: "scim",
505
+ connectionId: state$1.connection._id,
506
+ profile: extracted
507
+ }) ?? extracted;
508
+ const externalId = provisionProfile.externalId;
509
+ const patchData = {};
510
+ let nextActive;
511
+ if (state$1.request.method === "PUT") {
512
+ patchData.name = provisionProfile.name;
513
+ patchData.firstName = provisionProfile.firstName;
514
+ patchData.lastName = provisionProfile.lastName;
515
+ patchData.email = provisionProfile.email;
516
+ patchData.phone = provisionProfile.phone;
517
+ if (provisionProfile.extend) patchData.extend = provisionProfile.extend;
518
+ if (typeof patchData.email === "string") patchData.emailVerificationTime = Date.now();
519
+ if (typeof patchData.phone === "string") patchData.phoneVerificationTime = Date.now();
520
+ } else for (const operation of Array.isArray(body.Operations) ? body.Operations : []) {
521
+ if (operation.path === "active") nextActive = typeof operation.value === "boolean" ? operation.value : void 0;
522
+ if (operation.path === "displayName" || operation.path === "name.formatted") patchData.name = operation.value;
523
+ if (operation.path === "name.givenName") patchData.firstName = operation.value;
524
+ if (operation.path === "name.familyName") patchData.lastName = operation.value;
525
+ if (operation.path === "userName" || operation.path === "emails.value") {
526
+ patchData.email = operation.value;
527
+ if (typeof operation.value === "string") patchData.emailVerificationTime = Date.now();
528
+ }
529
+ if (operation.path === "phoneNumbers.value") {
530
+ patchData.phone = operation.value;
531
+ if (typeof operation.value === "string") patchData.phoneVerificationTime = Date.now();
532
+ }
533
+ }
534
+ const nextPatchData = applyUserProvisioningPatch({
535
+ currentUser: existingUser,
536
+ nextUser: patchData,
537
+ policy: state$1.policy.provisioning.user,
538
+ source: "scim"
539
+ });
540
+ if (Object.keys(nextPatchData).length > 0) await patchUser(state$1.ctx, config.component.public, {
541
+ userId,
542
+ data: nextPatchData
543
+ });
544
+ const resolution = await auth.member.inspect(state$1.ctx, {
545
+ groupId: state$1.connection.groupId,
546
+ userId
547
+ });
548
+ if (resolution.membership) await auth.member.update(state$1.ctx, resolution.membership._id, {
549
+ roleIds: resolveProvisionedRoleIds({
550
+ policy: state$1.policy,
551
+ groups: provisionProfile.groups,
552
+ roles: provisionProfile.roles
553
+ }),
554
+ status: provisionProfile.active === false || nextActive === false ? "inactive" : "active"
555
+ });
556
+ await upsertScimIdentity(state$1.ctx, config.component.public, {
557
+ connectionId: state$1.connection._id,
558
+ groupId: state$1.connection.groupId,
559
+ resourceType: "user",
560
+ externalId: externalId !== void 0 ? externalId : (await getScimIdentityByConnectionAndUser(state$1.ctx, config.component.public, {
561
+ connectionId: state$1.connection._id,
562
+ userId
563
+ }))?.externalId ?? userId,
564
+ userId,
565
+ active: provisionProfile.active !== false && nextActive !== false,
566
+ raw: body,
567
+ lastProvisionedAt: Date.now()
568
+ });
569
+ await state$1.recordScimEvent("group.sso.scim.user.updated", true, "user", userId);
570
+ const updatedUser = await auth.user.get(state$1.ctx, userId);
571
+ await config.sso?.hooks?.afterProvision?.({
572
+ protocol: "scim",
573
+ connectionId: state$1.connection._id,
574
+ profile: provisionProfile,
575
+ userId
576
+ });
577
+ const location = `${state$1.url.origin}${state$1.url.pathname}`;
578
+ return scimJson(serializeScimUser({
579
+ id: userId,
580
+ user: updatedUser ?? existingUser,
581
+ externalId,
582
+ location,
583
+ active: provisionProfile.active !== false && nextActive !== false
584
+ }), 200, { Location: location });
585
+ };
586
+ const handleUsersDelete = async (state$1) => {
587
+ const missing = requireScimResourceId(state$1.parsedPath.resourceId, "User");
588
+ if (missing) return missing;
589
+ const userId = state$1.parsedPath.resourceId;
590
+ const resolution = await auth.member.inspect(state$1.ctx, {
591
+ groupId: state$1.connection.groupId,
592
+ userId
593
+ });
594
+ if (resolution.membership) await auth.member.delete(state$1.ctx, resolution.membership._id);
595
+ const identity = await getScimIdentityByConnectionAndUser(state$1.ctx, config.component.public, {
596
+ connectionId: state$1.connection._id,
597
+ userId
598
+ });
599
+ if (identity) if (state$1.policy.provisioning.deprovision.mode === "hard") await deleteScimIdentity(state$1.ctx, config.component.public, identity._id);
600
+ else await upsertScimIdentity(state$1.ctx, config.component.public, {
601
+ connectionId: identity.connectionId,
602
+ groupId: identity.groupId,
603
+ resourceType: identity.resourceType,
604
+ externalId: identity.externalId,
605
+ userId: identity.userId,
606
+ mappedGroupId: identity.mappedGroupId,
607
+ active: false,
608
+ raw: identity.raw,
609
+ lastProvisionedAt: Date.now()
610
+ });
611
+ await state$1.recordScimEvent("group.sso.scim.user.deleted", true, "user", userId);
612
+ return new Response(null, { status: 204 });
613
+ };
614
+ const handleGroupsGet = async (state$1) => {
615
+ const groupsList = await auth.group.list(state$1.ctx, {
616
+ where: { parentGroupId: state$1.connection.groupId },
617
+ limit: 100
618
+ });
619
+ const identities = await listScimIdentitiesByConnection(state$1.ctx, config.component.public, state$1.connection._id);
620
+ const identityByGroupId = new Map(identities.filter((identity) => typeof identity.mappedGroupId === "string").map((identity) => [identity.mappedGroupId, identity]));
621
+ const groups = await Promise.all(groupsList.items.map(async (group) => {
622
+ const typedGroup = group;
623
+ const members = await auth.member.list(state$1.ctx, {
624
+ where: {
625
+ groupId: typedGroup._id,
626
+ status: "active"
627
+ },
628
+ limit: 100
629
+ });
630
+ return {
631
+ group: typedGroup,
632
+ identity: identityByGroupId.get(typedGroup._id),
633
+ memberIds: members.items.map((member) => member.userId)
634
+ };
635
+ }));
636
+ const listRequest = parseScimListRequest(state$1.url);
637
+ const filtered = filterScimCollection(groups, listRequest.filter, {
638
+ id: (item) => item.group._id,
639
+ externalId: (item) => item.identity?.externalId,
640
+ displayName: (item) => item.group.name,
641
+ "members.value": (item) => item.memberIds
642
+ });
643
+ if (state$1.parsedPath.resourceId) {
644
+ const resource = filtered.find(({ group }) => group._id === state$1.parsedPath.resourceId);
645
+ if (!resource) return scimError(404, "notFound", "Group not found.");
646
+ const members = (await auth.member.list(state$1.ctx, {
647
+ where: {
648
+ groupId: resource.group._id,
649
+ status: "active"
650
+ },
651
+ limit: 100
652
+ })).items.map((member) => ({ value: member.userId }));
653
+ const location = `${state$1.url.origin}${state$1.url.pathname.replace(/\/[^/]+$/, "")}/${resource.group._id}`;
654
+ return scimJson(serializeScimGroup({
655
+ id: resource.group._id,
656
+ group: resource.group,
657
+ externalId: resource.identity?.externalId,
658
+ location,
659
+ members
660
+ }), 200, { Location: location });
661
+ }
662
+ const paged = paginateScimCollection(filtered, listRequest);
663
+ return scimJson({
664
+ schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
665
+ Resources: paged.map(({ group, identity }) => serializeScimGroup({
666
+ id: group._id,
667
+ group,
668
+ externalId: identity?.externalId,
669
+ location: `${state$1.url.origin}${state$1.url.pathname}/${group._id}`
670
+ })),
671
+ totalResults: filtered.length,
672
+ startIndex: listRequest.startIndex,
673
+ itemsPerPage: paged.length
674
+ });
675
+ };
676
+ const handleGroupsPost = async (state$1) => {
677
+ const body = await readScimJson(state$1.request);
678
+ const externalId = typeof body.externalId === "string" ? body.externalId : void 0;
679
+ const existingIdentity = externalId ? await getScimIdentity(state$1.ctx, config.component.public, {
680
+ connectionId: state$1.connection._id,
681
+ resourceType: "group",
682
+ externalId
683
+ }) : null;
684
+ const existingGroup = existingIdentity?.mappedGroupId ? await auth.group.get(state$1.ctx, existingIdentity.mappedGroupId) : null;
685
+ const created = existingGroup === null;
686
+ const provisionedRoleIds = resolveProvisionedRoleIds({
687
+ policy: state$1.policy,
688
+ groups: typeof body.displayName === "string" ? [body.displayName] : void 0,
689
+ roles: pickStringArray(body.roles)
690
+ });
691
+ const groupId = existingGroup?._id ? existingGroup._id : (await auth.group.create(state$1.ctx, {
692
+ name: typeof body.displayName === "string" ? body.displayName : "Group",
693
+ parentGroupId: state$1.connection.groupId,
694
+ type: "organization"
695
+ })).groupId;
696
+ if (!created && existingGroup) {
697
+ const location$1 = `${state$1.url.origin}${state$1.url.pathname}/${groupId}`;
698
+ return scimJson(serializeScimGroup({
699
+ id: groupId,
700
+ group: existingGroup,
701
+ externalId,
702
+ location: location$1,
703
+ members: (await auth.member.list(state$1.ctx, {
704
+ where: {
705
+ groupId,
706
+ status: "active"
707
+ },
708
+ limit: 100
709
+ })).items.map((member) => ({ value: member.userId }))
710
+ }), 200, { Location: location$1 });
711
+ }
712
+ await upsertScimIdentity(state$1.ctx, config.component.public, {
713
+ connectionId: state$1.connection._id,
714
+ groupId: state$1.connection.groupId,
715
+ resourceType: "group",
716
+ externalId: externalId ?? groupId,
717
+ mappedGroupId: groupId,
718
+ active: true,
719
+ raw: body,
720
+ lastProvisionedAt: Date.now()
721
+ });
722
+ const currentMembers = (await auth.member.list(state$1.ctx, {
723
+ where: {
724
+ groupId,
725
+ status: "active"
726
+ },
727
+ limit: 100
728
+ })).items;
729
+ const currentByUserId = new Map(currentMembers.map((member) => [member.userId, member]));
730
+ const nextUserIds = new Set((Array.isArray(body.members) ? body.members : []).map((member) => String(member.value)));
731
+ for (const member of currentMembers) if (!nextUserIds.has(member.userId)) await auth.member.delete(state$1.ctx, member._id);
732
+ for (const userId of nextUserIds.values()) if (!currentByUserId.has(userId)) try {
733
+ await auth.member.create(state$1.ctx, {
734
+ groupId,
735
+ userId,
736
+ roleIds: provisionedRoleIds,
737
+ status: "active"
738
+ });
739
+ } catch {}
740
+ await state$1.recordScimEvent(created ? "group.sso.scim.group.created" : "group.sso.scim.group.updated", true, "group", groupId);
741
+ const group = await auth.group.get(state$1.ctx, groupId);
742
+ const location = `${state$1.url.origin}${state$1.url.pathname}/${groupId}`;
743
+ return scimJson(serializeScimGroup({
744
+ id: groupId,
745
+ group: group ?? {},
746
+ externalId,
747
+ location,
748
+ members: (await auth.member.list(state$1.ctx, {
749
+ where: {
750
+ groupId,
751
+ status: "active"
752
+ },
753
+ limit: 100
754
+ })).items.map((member) => ({ value: member.userId }))
755
+ }), created ? 201 : 200, { Location: location });
756
+ };
757
+ const handleGroupsPatch = async (state$1) => {
758
+ const missing = requireScimResourceId(state$1.parsedPath.resourceId, "Group");
759
+ if (missing) return missing;
760
+ const groupId = state$1.parsedPath.resourceId;
761
+ const body = await readScimJson(state$1.request);
762
+ for (const operation of Array.isArray(body.Operations) ? body.Operations : []) {
763
+ if (operation.path === "displayName") await auth.group.update(state$1.ctx, groupId, { name: operation.value });
764
+ if (operation.path === "members" && operation.op === "add") for (const member of Array.isArray(operation.value) ? operation.value : []) try {
765
+ await auth.member.create(state$1.ctx, {
766
+ groupId,
767
+ userId: String(member.value),
768
+ roleIds: resolveProvisionedRoleIds({
769
+ policy: state$1.policy,
770
+ groups: typeof body.displayName === "string" ? [body.displayName] : void 0,
771
+ roles: pickStringArray(body.roles)
772
+ }),
773
+ status: "active"
774
+ });
775
+ } catch {}
776
+ if (operation.path === "members" && operation.op === "replace") {
777
+ const currentMembers = (await auth.member.list(state$1.ctx, {
778
+ where: {
779
+ groupId,
780
+ status: "active"
781
+ },
782
+ limit: 100
783
+ })).items;
784
+ const currentUserIds = new Set(currentMembers.map((member) => member.userId));
785
+ const nextUserIds = new Set((Array.isArray(operation.value) ? operation.value : []).map((member) => String(member.value)));
786
+ for (const member of currentMembers) if (!nextUserIds.has(member.userId)) await auth.member.delete(state$1.ctx, member._id);
787
+ for (const userId of nextUserIds.values()) if (!currentUserIds.has(userId)) try {
788
+ await auth.member.create(state$1.ctx, {
789
+ groupId,
790
+ userId,
791
+ roleIds: resolveProvisionedRoleIds({
792
+ policy: state$1.policy,
793
+ groups: typeof body.displayName === "string" ? [body.displayName] : void 0,
794
+ roles: pickStringArray(body.roles)
795
+ }),
796
+ status: "active"
797
+ });
798
+ } catch {}
799
+ }
800
+ if (typeof operation.path === "string" && operation.op === "remove" && operation.path.startsWith("members[")) {
801
+ const userId = operation.path.match(/^members\[value eq "([^"]+)"\]$/)?.[1];
802
+ if (userId) {
803
+ const resolution = await auth.member.inspect(state$1.ctx, {
804
+ groupId,
805
+ userId
806
+ });
807
+ if (resolution.membership) await auth.member.delete(state$1.ctx, resolution.membership._id);
808
+ }
809
+ }
810
+ }
811
+ await state$1.recordScimEvent("group.sso.scim.group.updated", true, "group", groupId);
812
+ const group = await auth.group.get(state$1.ctx, groupId);
813
+ const location = `${state$1.url.origin}${state$1.url.pathname}`;
814
+ const members = (await auth.member.list(state$1.ctx, {
815
+ where: {
816
+ groupId,
817
+ status: "active"
818
+ },
819
+ limit: 100
820
+ })).items;
821
+ return scimJson(serializeScimGroup({
822
+ id: groupId,
823
+ group: group ?? {},
824
+ location,
825
+ members: members.map((member) => ({ value: member.userId }))
826
+ }), 200, { Location: location });
827
+ };
828
+ const handleGroupsDelete = async (state$1) => {
829
+ const missing = requireScimResourceId(state$1.parsedPath.resourceId, "Group");
830
+ if (missing) return missing;
831
+ const groupId = state$1.parsedPath.resourceId;
832
+ await auth.group.delete(state$1.ctx, groupId);
833
+ const identity = await getScimIdentityByMappedGroup(state$1.ctx, config.component.public, groupId);
834
+ if (identity) await deleteScimIdentity(state$1.ctx, config.component.public, identity._id);
835
+ await state$1.recordScimEvent("group.sso.scim.group.deleted", true, "group", groupId);
836
+ return new Response(null, { status: 204 });
837
+ };
838
+ const handler = {
839
+ ServiceProviderConfig: { GET: async () => scimJson({
840
+ schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
841
+ patch: { supported: true },
842
+ bulk: {
843
+ supported: false,
844
+ maxOperations: 0,
845
+ maxPayloadSize: 0
846
+ },
847
+ filter: {
848
+ supported: true,
849
+ maxResults: 100
850
+ },
851
+ changePassword: { supported: false },
852
+ sort: { supported: false },
853
+ etag: { supported: false },
854
+ authenticationSchemes: [{
855
+ type: "oauthbearertoken",
856
+ name: "Bearer Token",
857
+ description: "Use the SCIM token generated by Convex Auth connection."
858
+ }]
859
+ }) },
860
+ Schemas: { GET: async (state$1) => handleStaticScimCollection(SCIM_SCHEMAS, state$1.parsedPath.resourceId, {
861
+ by: "id",
862
+ notFound: "Schema not found."
863
+ }) },
864
+ ResourceTypes: { GET: async (state$1) => handleStaticScimCollection(SCIM_RESOURCE_TYPES, state$1.parsedPath.resourceId, {
865
+ by: "name",
866
+ notFound: "Resource type not found."
867
+ }) },
868
+ Users: {
869
+ GET: handleUsersGet,
870
+ POST: handleUsersPost,
871
+ PATCH: handleUsersUpsert,
872
+ PUT: handleUsersUpsert,
873
+ DELETE: handleUsersDelete
874
+ },
875
+ Groups: {
876
+ GET: handleGroupsGet,
877
+ POST: handleGroupsPost,
878
+ PATCH: handleGroupsPatch,
879
+ DELETE: handleGroupsDelete
880
+ }
881
+ }[state.parsedPath.resource]?.[state.request.method];
882
+ return handler ? await handler(state) : scimError(404, "notFound", "SCIM resource not found.");
883
+ } catch (error) {
884
+ if (error instanceof Error && error.message === "Unsupported SCIM filter.") return scimError(400, "invalidFilter", error.message);
885
+ if (error instanceof ConvexError && typeof error.data === "object" && error.data !== null && "code" in error.data && "message" in error.data) {
886
+ const code = error.data.code;
887
+ return scimError(code === "MISSING_BEARER_TOKEN" || code === "INVALID_API_KEY" ? 401 : 400, code, error.data.message);
888
+ }
889
+ throw error;
890
+ }
891
+ };
892
+ const handleOidcCallbackForConnection = async (ctx, request, connectionId) => {
893
+ const url = new URL(request.url);
894
+ const { connection, oidc } = await loadConnectionOidcOrThrow(ctx, connectionId);
895
+ const { providerId, provider, oauthConfig } = await createGroupConnectionOidcRuntime({
896
+ rootUrl: requireEnv("CONVEX_SITE_URL"),
897
+ connectionId: connection._id,
898
+ oidc,
899
+ sharedRedirectURI: sharedOidcRedirectURI
900
+ });
901
+ const cookies = getCookies(request);
902
+ const maybeRedirectTo = useRedirectToParam(providerId, cookies);
903
+ const destinationUrl = await redirectAbsoluteUrl(config, { redirectTo: maybeRedirectTo?.redirectTo });
904
+ const result = await handleOAuthCallback(providerId, {
905
+ ...oauthConfig,
906
+ provider
907
+ }, Object.fromEntries(url.searchParams.entries()), cookies);
908
+ const extraFields = typeof oidc.profile === "object" && oidc.profile !== null ? oidc.profile.extraFields : void 0;
909
+ let profile = result.profile;
910
+ if (extraFields && typeof profile === "object" && profile) {
911
+ const extend = {};
912
+ for (const [claimName, fieldName] of Object.entries(extraFields)) if (claimName in profile) extend[fieldName] = profile[claimName];
913
+ if (Object.keys(extend).length > 0) profile = {
914
+ ...profile,
915
+ extend
916
+ };
917
+ }
918
+ const verificationCode = await callUserOAuth(ctx, {
919
+ provider: providerId,
920
+ providerAccountId: result.providerAccountId,
921
+ profile,
922
+ signature: result.signature,
923
+ accountExtend: { identity: {
924
+ protocol: "oidc",
925
+ connectionId: connection._id,
926
+ subject: result.providerAccountId,
927
+ issuer: typeof oidc.discovery?.issuer === "string" ? oidc.discovery.issuer : void 0,
928
+ discoveryUrl: typeof oidc.discovery?.discoveryUrl === "string" ? oidc.discovery.discoveryUrl : void 0
929
+ } }
930
+ });
931
+ const headers = new Headers({ Location: setURLSearchParam(destinationUrl, "code", verificationCode) });
932
+ for (const { name, value, options } of result.cookies) headers.append("Set-Cookie", serialize(name, value, options));
933
+ if (maybeRedirectTo) headers.append("Set-Cookie", serialize(maybeRedirectTo.updatedCookie.name, maybeRedirectTo.updatedCookie.value, maybeRedirectTo.updatedCookie.options));
934
+ return new Response(null, {
935
+ status: 302,
936
+ headers
937
+ });
938
+ };
939
+ addSSORoutes(http, {
940
+ routeBase: GROUP_CONNECTION_ROUTE_BASE,
941
+ convertErrorsToResponse,
942
+ handleSamlMetadata: async (ctx, _request, runtimeRoute) => {
943
+ const { loaded } = await loadActiveConnectionSamlOrThrow(ctx, runtimeRoute.connectionId);
944
+ return new Response(createGroupConnectionSamlMetadataXml({
945
+ rootUrl: requireEnv("CONVEX_SITE_URL"),
946
+ source: loaded.source,
947
+ config: loaded.config
948
+ }), {
949
+ status: 200,
950
+ headers: { "Content-Type": "application/xml" }
951
+ });
952
+ },
953
+ handleSamlSignIn: async (ctx, request, runtimeRoute) => {
954
+ const url = new URL(request.url);
955
+ const verifier = url.searchParams.get("code");
956
+ if (!verifier) throw convexError("OAUTH_MISSING_VERIFIER", "Missing sign-in verifier.");
957
+ const { loaded, connection } = await loadActiveConnectionSamlOrThrow(ctx, runtimeRoute.connectionId);
958
+ const state = generateRandomString(24, INVITE_TOKEN_ALPHABET);
959
+ const signInRequest = createGroupConnectionSamlSignInRequest({
960
+ rootUrl: requireEnv("CONVEX_SITE_URL"),
961
+ source: {
962
+ kind: "connection",
963
+ id: connection._id
964
+ },
965
+ config: loaded.config,
966
+ state,
967
+ signature: `saml ${connection._id} pending ${state}`,
968
+ redirectTo: url.searchParams.get("redirectTo") ?? void 0
969
+ });
970
+ const signature = `saml ${connection._id} ${signInRequest.requestId} ${state}`;
971
+ await callVerifierSignature(ctx, {
972
+ verifier,
973
+ signature
974
+ });
975
+ const redirectTo = url.searchParams.get("redirectTo");
976
+ const redirectCookies = redirectTo !== null ? [redirectToParamCookie(groupSamlProviderId(connection._id), redirectTo)] : [];
977
+ const relayState = encodeGroupSamlRelayState({
978
+ source: {
979
+ kind: "connection",
980
+ id: connection._id
981
+ },
982
+ signature,
983
+ requestId: signInRequest.requestId,
984
+ state,
985
+ redirectTo: url.searchParams.get("redirectTo") ?? void 0
986
+ });
987
+ if (signInRequest.binding === "redirect" && signInRequest.redirectUrl) {
988
+ const redirectUrl = new URL(signInRequest.redirectUrl);
989
+ redirectUrl.searchParams.set("RelayState", relayState);
990
+ const headers = new Headers({ Location: redirectUrl.toString() });
991
+ for (const { name, value, options } of redirectCookies) headers.append("Set-Cookie", serialize(name, value, options));
992
+ return new Response(null, {
993
+ status: 302,
994
+ headers
995
+ });
996
+ }
997
+ const response = createSamlPostBindingResponse({
998
+ endpoint: signInRequest.post.endpoint,
999
+ parameter: "SAMLRequest",
1000
+ value: signInRequest.post.value,
1001
+ relayState
1002
+ });
1003
+ for (const { name, value, options } of redirectCookies) response.headers.append("Set-Cookie", serialize(name, value, options));
1004
+ return response;
1005
+ },
1006
+ handleOidcSignIn: async (ctx, request, runtimeRoute) => {
1007
+ const url = new URL(request.url);
1008
+ const verifier = url.searchParams.get("code");
1009
+ if (!verifier) throw convexError("OAUTH_MISSING_VERIFIER", "Missing sign-in verifier.");
1010
+ const { connection, oidc } = await loadConnectionOidcOrThrow(ctx, runtimeRoute.connectionId);
1011
+ const { providerId, provider, oauthConfig } = await createGroupConnectionOidcRuntime({
1012
+ rootUrl: requireEnv("CONVEX_SITE_URL"),
1013
+ connectionId: connection._id,
1014
+ oidc,
1015
+ sharedRedirectURI: sharedOidcRedirectURI
1016
+ });
1017
+ const { redirect, cookies, signature } = await createOAuthAuthorizationURL(providerId, {
1018
+ ...oauthConfig,
1019
+ provider
1020
+ }, {
1021
+ loginHint: url.searchParams.get("loginHint") ?? (typeof oidc.request?.loginHint === "string" ? oidc.request.loginHint : void 0),
1022
+ stateTransform: typeof sharedOidcRedirectURI === "string" ? (state) => encodeGroupOidcState({
1023
+ connectionId: connection._id,
1024
+ state
1025
+ }) : void 0
1026
+ });
1027
+ await callVerifierSignature(ctx, {
1028
+ verifier,
1029
+ signature
1030
+ });
1031
+ const redirectTo = url.searchParams.get("redirectTo");
1032
+ const headers_ = new Headers({ Location: redirect });
1033
+ for (const { name, value, options } of [...cookies, ...redirectTo !== null ? [redirectToParamCookie(providerId, redirectTo)] : []]) headers_.append("Set-Cookie", serialize(name, value, options));
1034
+ return new Response(null, {
1035
+ status: 302,
1036
+ headers: headers_
1037
+ });
1038
+ },
1039
+ handleOidcCallback: async (ctx, request, runtimeRoute) => {
1040
+ return await handleOidcCallbackForConnection(ctx, request, runtimeRoute.connectionId);
1041
+ },
1042
+ handleSamlAcs,
1043
+ handleSamlSlo,
1044
+ handleScimRequest,
1045
+ sharedOidcCallbackPath: sharedOidcRedirectURI,
1046
+ handleOidcSharedCallback: async (ctx, request) => {
1047
+ const url = new URL(request.url);
1048
+ const params = await getOidcCallbackParams(request);
1049
+ const { connectionId, state } = decodeGroupOidcState(params.get("state"));
1050
+ params.set("state", state);
1051
+ url.search = params.toString();
1052
+ return await handleOidcCallbackForConnection(ctx, new Request(url, request), connectionId);
1053
+ },
1054
+ scimError
1055
+ });
1056
+ }
1057
+
1058
+ //#endregion
1059
+ export { addGroupHttpRuntime };
1060
+ //# sourceMappingURL=http.js.map