npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.25 → 0.0.4-preview.28 - Mend

@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (666) hide show

package/README.md +43 -36
package/dist/bin.js +5765 -4880
package/dist/browser/index.d.ts +30 -0
package/dist/browser/index.js +93 -0
package/dist/browser/locks.js +11 -0
package/dist/browser/navigation.js +14 -0
package/dist/{factors → browser}/passkey.js +23 -32
package/dist/browser/runtime.js +92 -0
package/dist/client/core/types.d.ts +452 -5
package/dist/client/core/types.js +17 -0
package/dist/client/errors.js +19 -0
package/dist/client/factors/device.js +94 -0
package/dist/{factors → client/factors}/totp.js +12 -4
package/dist/client/index.d.ts +47 -1
package/dist/client/index.js +269 -232
package/dist/client/runtime/mutex.js +24 -0
package/dist/client/runtime/proxy.js +30 -0
package/dist/client/runtime/storage.js +45 -0
package/dist/client/services/adapters.js +7 -0
package/dist/client/services/http.js +6 -0
package/dist/client/services/resolve.js +13 -0
package/dist/client/services/runtime.js +6 -0
package/dist/component/_generated/component.d.ts +1355 -1399
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/index.d.ts +4 -26
package/dist/component/index.js +1 -1
package/dist/component/model.d.ts +26 -112
package/dist/component/model.js +76 -54
package/dist/component/modules.js +38 -0
package/dist/component/public/factors/devices.js +1 -1
package/dist/component/public/factors/passkeys.js +1 -1
package/dist/component/public/factors/totp.js +1 -1
package/dist/component/public/groups/core.js +2 -2
package/dist/component/public/groups/invites.js +1 -1
package/dist/component/public/groups/members.js +1 -1
package/dist/component/public/identity/accounts.js +1 -1
package/dist/component/public/identity/codes.js +1 -1
package/dist/component/public/identity/sessions.js +39 -2
package/dist/component/public/identity/tokens.js +82 -4
package/dist/component/public/identity/users.js +1 -1
package/dist/component/public/identity/verifiers.js +10 -4
package/dist/component/public/security/keys.js +1 -1
package/dist/component/public/security/limits.js +1 -1
package/dist/component/public/{enterprise → sso}/audit.js +26 -26
package/dist/component/public/sso/core.js +263 -0
package/dist/component/public/sso/domains.js +280 -0
package/dist/component/public/{enterprise → sso}/scim.js +87 -87
package/dist/component/public/sso/secrets.js +125 -0
package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
package/dist/component/public.js +9 -9
package/dist/component/schema.d.ts +472 -393
package/dist/component/schema.js +36 -35
package/dist/core/index.d.ts +380 -0
package/dist/core/index.js +83 -0
package/dist/otel.d.ts +69 -0
package/dist/otel.js +82 -0
package/dist/providers/anonymous.d.ts +15 -34
package/dist/providers/anonymous.js +27 -35
package/dist/providers/apple.d.ts +59 -0
package/dist/providers/apple.js +58 -0
package/dist/providers/credentials.d.ts +18 -34
package/dist/providers/credentials.js +16 -27
package/dist/providers/custom.d.ts +94 -0
package/dist/providers/custom.js +119 -0
package/dist/providers/device.d.ts +15 -49
package/dist/providers/device.js +17 -34
package/dist/providers/email.d.ts +21 -38
package/dist/providers/email.js +36 -55
package/dist/providers/github.d.ts +54 -0
package/dist/providers/github.js +75 -0
package/dist/providers/google.d.ts +54 -0
package/dist/providers/google.js +61 -0
package/dist/providers/index.d.ts +16 -12
package/dist/providers/index.js +15 -11
package/dist/providers/microsoft.d.ts +57 -0
package/dist/providers/microsoft.js +101 -0
package/dist/providers/passkey.d.ts +19 -35
package/dist/providers/passkey.js +20 -30
package/dist/providers/password.d.ts +17 -18
package/dist/providers/password.js +121 -143
package/dist/providers/phone.d.ts +13 -28
package/dist/providers/phone.js +21 -46
package/dist/providers/sso.d.ts +16 -36
package/dist/providers/sso.js +21 -22
package/dist/providers/totp.d.ts +13 -29
package/dist/providers/totp.js +17 -27
package/dist/server/auth-context.d.ts +204 -0
package/dist/server/auth-context.js +76 -0
package/dist/server/auth.d.ts +99 -244
package/dist/server/auth.js +56 -152
package/dist/server/componentContext.d.ts +12 -0
package/dist/server/componentContext.js +1 -0
package/dist/server/config.js +6 -67
package/dist/server/constants.js +6 -0
package/dist/server/contract.d.ts +105 -0
package/dist/server/contract.js +43 -0
package/dist/server/cookies.js +3 -2
package/dist/server/core.js +31 -36
package/dist/server/crypto.js +34 -44
package/dist/server/db.js +6 -1
package/dist/server/device.js +96 -130
package/dist/server/env.js +48 -0
package/dist/server/errors.js +20 -0
package/dist/server/http.d.ts +15 -59
package/dist/server/http.js +136 -120
package/dist/server/identity.js +2 -2
package/dist/server/index.d.ts +5 -4
package/dist/server/index.js +3 -3
package/dist/server/keys.js +10 -1
package/dist/server/limits.js +26 -26
package/dist/server/log.js +28 -0
package/dist/server/mounts.d.ts +1107 -296
package/dist/server/mounts.js +315 -196
package/dist/server/mutations/account.js +11 -14
package/dist/server/mutations/code.js +6 -5
package/dist/server/mutations/invalidate.js +9 -11
package/dist/server/mutations/oauth.js +112 -73
package/dist/server/mutations/refresh.js +47 -97
package/dist/server/mutations/register.js +37 -35
package/dist/server/mutations/retrieve.js +16 -16
package/dist/server/mutations/signature.js +15 -18
package/dist/server/mutations/signin.js +10 -5
package/dist/server/mutations/signout.js +11 -14
package/dist/server/mutations/store.js +25 -18
package/dist/server/mutations/verifier.js +11 -8
package/dist/server/mutations/verify.js +53 -41
package/dist/server/oauth/factory.js +44 -0
package/dist/server/oauth/index.js +12 -0
package/dist/server/oauth/runtime.js +248 -0
package/dist/server/passkey.js +331 -365
package/dist/server/payloads.d.ts +16 -0
package/dist/server/payloads.js +30 -0
package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
package/dist/server/prefetch.js +635 -0
package/dist/server/random.js +19 -0
package/dist/server/redirects.js +10 -5
package/dist/server/refresh.js +14 -86
package/dist/server/runtime.d.ts +531 -31
package/dist/server/runtime.js +106 -267
package/dist/server/secret.js +44 -0
package/dist/server/services/config.js +10 -0
package/dist/server/services/group.js +211 -0
package/dist/server/services/logger.js +8 -0
package/dist/server/services/providers.js +22 -0
package/dist/server/services/refresh.js +8 -0
package/dist/server/services/resolve.js +27 -0
package/dist/server/services/signin.js +8 -0
package/dist/server/sessions.js +35 -34
package/dist/server/signin.js +229 -140
package/dist/server/{enterprise → sso}/config.js +10 -3
package/dist/server/sso/domain.d.ts +614 -0
package/dist/server/sso/domain.js +1175 -0
package/dist/server/sso/http.js +1060 -0
package/dist/server/sso/oidc.js +324 -0
package/dist/server/sso/policies.js +59 -0
package/dist/server/sso/policy.js +139 -0
package/dist/server/sso/profile.js +22 -0
package/dist/server/sso/provision.js +179 -0
package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
package/dist/server/sso/shared.js +74 -0
package/dist/server/sso/validators.js +88 -0
package/dist/server/sso/webhook.js +94 -0
package/dist/server/tokens.js +16 -4
package/dist/server/totp.js +155 -164
package/dist/server/types.d.ts +306 -296
package/dist/server/types.js +1 -30
package/dist/server/url.js +32 -0
package/dist/server/users.js +74 -40
package/dist/server/utils/cache.js +51 -0
package/dist/server/utils/dispatch.js +36 -0
package/dist/server/utils/retry.js +24 -0
package/dist/server/utils/span.js +32 -0
package/dist/shared/errors.js +19 -0
package/dist/shared/log.js +45 -0
package/{src/test.ts → dist/test.d.ts} +21 -22
package/dist/test.js +51 -0
package/package.json +70 -42
package/dist/authorization/index.d.ts.map +0 -1
package/dist/authorization/index.js.map +0 -1
package/dist/client/core/types.d.ts.map +0 -1
package/dist/client/index.d.ts.map +0 -1
package/dist/client/index.js.map +0 -1
package/dist/component/_generated/api.d.ts +0 -75
package/dist/component/_generated/api.d.ts.map +0 -1
package/dist/component/_generated/api.js.map +0 -1
package/dist/component/_generated/component.d.ts.map +0 -1
package/dist/component/_generated/dataModel.d.ts +0 -42
package/dist/component/_generated/dataModel.d.ts.map +0 -1
package/dist/component/_generated/server.d.ts +0 -117
package/dist/component/_generated/server.d.ts.map +0 -1
package/dist/component/_generated/server.js.map +0 -1
package/dist/component/_virtual/rolldown_runtime.js +0 -18
package/dist/component/client/core/types.d.ts +0 -2
package/dist/component/client/index.d.ts +0 -1
package/dist/component/convex.config.d.ts.map +0 -1
package/dist/component/convex.config.js.map +0 -1
package/dist/component/functions.d.ts +0 -25
package/dist/component/functions.d.ts.map +0 -1
package/dist/component/functions.js.map +0 -1
package/dist/component/index.d.ts.map +0 -1
package/dist/component/model.d.ts.map +0 -1
package/dist/component/model.js.map +0 -1
package/dist/component/providers/anonymous.d.ts +0 -54
package/dist/component/providers/anonymous.d.ts.map +0 -1
package/dist/component/providers/credentials.d.ts +0 -38
package/dist/component/providers/credentials.d.ts.map +0 -1
package/dist/component/providers/device.d.ts +0 -67
package/dist/component/providers/device.d.ts.map +0 -1
package/dist/component/providers/email.d.ts +0 -62
package/dist/component/providers/email.d.ts.map +0 -1
package/dist/component/providers/oauth.d.ts +0 -25
package/dist/component/providers/oauth.d.ts.map +0 -1
package/dist/component/providers/oauth.js +0 -13
package/dist/component/providers/oauth.js.map +0 -1
package/dist/component/providers/passkey.d.ts +0 -57
package/dist/component/providers/passkey.d.ts.map +0 -1
package/dist/component/providers/password.d.ts +0 -88
package/dist/component/providers/password.d.ts.map +0 -1
package/dist/component/providers/phone.d.ts +0 -48
package/dist/component/providers/phone.d.ts.map +0 -1
package/dist/component/providers/sso.d.ts +0 -50
package/dist/component/providers/sso.d.ts.map +0 -1
package/dist/component/providers/totp.d.ts +0 -45
package/dist/component/providers/totp.d.ts.map +0 -1
package/dist/component/public/enterprise/audit.d.ts +0 -73
package/dist/component/public/enterprise/audit.d.ts.map +0 -1
package/dist/component/public/enterprise/audit.js.map +0 -1
package/dist/component/public/enterprise/core.d.ts +0 -176
package/dist/component/public/enterprise/core.d.ts.map +0 -1
package/dist/component/public/enterprise/core.js +0 -292
package/dist/component/public/enterprise/core.js.map +0 -1
package/dist/component/public/enterprise/domains.d.ts +0 -174
package/dist/component/public/enterprise/domains.d.ts.map +0 -1
package/dist/component/public/enterprise/domains.js +0 -271
package/dist/component/public/enterprise/domains.js.map +0 -1
package/dist/component/public/enterprise/scim.d.ts +0 -245
package/dist/component/public/enterprise/scim.d.ts.map +0 -1
package/dist/component/public/enterprise/scim.js.map +0 -1
package/dist/component/public/enterprise/secrets.d.ts +0 -78
package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
package/dist/component/public/enterprise/secrets.js +0 -118
package/dist/component/public/enterprise/secrets.js.map +0 -1
package/dist/component/public/enterprise/webhooks.d.ts +0 -211
package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
package/dist/component/public/enterprise/webhooks.js.map +0 -1
package/dist/component/public/factors/devices.d.ts +0 -157
package/dist/component/public/factors/devices.d.ts.map +0 -1
package/dist/component/public/factors/devices.js.map +0 -1
package/dist/component/public/factors/passkeys.d.ts +0 -175
package/dist/component/public/factors/passkeys.d.ts.map +0 -1
package/dist/component/public/factors/passkeys.js.map +0 -1
package/dist/component/public/factors/totp.d.ts +0 -189
package/dist/component/public/factors/totp.d.ts.map +0 -1
package/dist/component/public/factors/totp.js.map +0 -1
package/dist/component/public/groups/core.d.ts +0 -137
package/dist/component/public/groups/core.d.ts.map +0 -1
package/dist/component/public/groups/core.js.map +0 -1
package/dist/component/public/groups/invites.d.ts +0 -217
package/dist/component/public/groups/invites.d.ts.map +0 -1
package/dist/component/public/groups/invites.js.map +0 -1
package/dist/component/public/groups/members.d.ts +0 -204
package/dist/component/public/groups/members.d.ts.map +0 -1
package/dist/component/public/groups/members.js.map +0 -1
package/dist/component/public/identity/accounts.d.ts +0 -147
package/dist/component/public/identity/accounts.d.ts.map +0 -1
package/dist/component/public/identity/accounts.js.map +0 -1
package/dist/component/public/identity/codes.d.ts +0 -104
package/dist/component/public/identity/codes.d.ts.map +0 -1
package/dist/component/public/identity/codes.js.map +0 -1
package/dist/component/public/identity/sessions.d.ts +0 -128
package/dist/component/public/identity/sessions.d.ts.map +0 -1
package/dist/component/public/identity/sessions.js.map +0 -1
package/dist/component/public/identity/tokens.d.ts +0 -169
package/dist/component/public/identity/tokens.d.ts.map +0 -1
package/dist/component/public/identity/tokens.js.map +0 -1
package/dist/component/public/identity/users.d.ts +0 -212
package/dist/component/public/identity/users.d.ts.map +0 -1
package/dist/component/public/identity/users.js.map +0 -1
package/dist/component/public/identity/verifiers.d.ts +0 -116
package/dist/component/public/identity/verifiers.d.ts.map +0 -1
package/dist/component/public/identity/verifiers.js.map +0 -1
package/dist/component/public/security/keys.d.ts +0 -209
package/dist/component/public/security/keys.d.ts.map +0 -1
package/dist/component/public/security/keys.js.map +0 -1
package/dist/component/public/security/limits.d.ts +0 -114
package/dist/component/public/security/limits.d.ts.map +0 -1
package/dist/component/public/security/limits.js.map +0 -1
package/dist/component/public.d.ts +0 -28
package/dist/component/public.d.ts.map +0 -1
package/dist/component/schema.d.ts.map +0 -1
package/dist/component/schema.js.map +0 -1
package/dist/component/server/auth.d.ts +0 -447
package/dist/component/server/auth.d.ts.map +0 -1
package/dist/component/server/auth.js +0 -254
package/dist/component/server/auth.js.map +0 -1
package/dist/component/server/config.js +0 -121
package/dist/component/server/config.js.map +0 -1
package/dist/component/server/context.js +0 -53
package/dist/component/server/context.js.map +0 -1
package/dist/component/server/cookies.js +0 -47
package/dist/component/server/cookies.js.map +0 -1
package/dist/component/server/core.js +0 -576
package/dist/component/server/core.js.map +0 -1
package/dist/component/server/crypto.js +0 -56
package/dist/component/server/crypto.js.map +0 -1
package/dist/component/server/db.js +0 -87
package/dist/component/server/db.js.map +0 -1
package/dist/component/server/device.js +0 -152
package/dist/component/server/device.js.map +0 -1
package/dist/component/server/enterprise/config.js +0 -46
package/dist/component/server/enterprise/config.js.map +0 -1
package/dist/component/server/enterprise/domain.js +0 -974
package/dist/component/server/enterprise/domain.js.map +0 -1
package/dist/component/server/enterprise/http.js +0 -787
package/dist/component/server/enterprise/http.js.map +0 -1
package/dist/component/server/enterprise/oidc.js +0 -248
package/dist/component/server/enterprise/oidc.js.map +0 -1
package/dist/component/server/enterprise/policy.js +0 -85
package/dist/component/server/enterprise/policy.js.map +0 -1
package/dist/component/server/enterprise/saml.js.map +0 -1
package/dist/component/server/enterprise/scim.js.map +0 -1
package/dist/component/server/enterprise/shared.js +0 -51
package/dist/component/server/enterprise/shared.js.map +0 -1
package/dist/component/server/http.d.ts +0 -85
package/dist/component/server/http.d.ts.map +0 -1
package/dist/component/server/http.js +0 -351
package/dist/component/server/http.js.map +0 -1
package/dist/component/server/identity.js +0 -16
package/dist/component/server/identity.js.map +0 -1
package/dist/component/server/keys.js +0 -96
package/dist/component/server/keys.js.map +0 -1
package/dist/component/server/limits.js +0 -52
package/dist/component/server/limits.js.map +0 -1
package/dist/component/server/mutations/account.js +0 -46
package/dist/component/server/mutations/account.js.map +0 -1
package/dist/component/server/mutations/code.js +0 -68
package/dist/component/server/mutations/code.js.map +0 -1
package/dist/component/server/mutations/invalidate.js +0 -32
package/dist/component/server/mutations/invalidate.js.map +0 -1
package/dist/component/server/mutations/oauth.js +0 -116
package/dist/component/server/mutations/oauth.js.map +0 -1
package/dist/component/server/mutations/refresh.js +0 -119
package/dist/component/server/mutations/refresh.js.map +0 -1
package/dist/component/server/mutations/register.js +0 -87
package/dist/component/server/mutations/register.js.map +0 -1
package/dist/component/server/mutations/retrieve.js +0 -61
package/dist/component/server/mutations/retrieve.js.map +0 -1
package/dist/component/server/mutations/signature.js +0 -38
package/dist/component/server/mutations/signature.js.map +0 -1
package/dist/component/server/mutations/signin.js +0 -27
package/dist/component/server/mutations/signin.js.map +0 -1
package/dist/component/server/mutations/signout.js +0 -27
package/dist/component/server/mutations/signout.js.map +0 -1
package/dist/component/server/mutations/store/refs.js +0 -15
package/dist/component/server/mutations/store/refs.js.map +0 -1
package/dist/component/server/mutations/store.js +0 -70
package/dist/component/server/mutations/store.js.map +0 -1
package/dist/component/server/mutations/verifier.js +0 -18
package/dist/component/server/mutations/verifier.js.map +0 -1
package/dist/component/server/mutations/verify.js +0 -98
package/dist/component/server/mutations/verify.js.map +0 -1
package/dist/component/server/oauth.js +0 -242
package/dist/component/server/oauth.js.map +0 -1
package/dist/component/server/passkey.js +0 -415
package/dist/component/server/passkey.js.map +0 -1
package/dist/component/server/redirects.js +0 -40
package/dist/component/server/redirects.js.map +0 -1
package/dist/component/server/refresh.js +0 -99
package/dist/component/server/refresh.js.map +0 -1
package/dist/component/server/runtime.d.ts +0 -136
package/dist/component/server/runtime.d.ts.map +0 -1
package/dist/component/server/runtime.js +0 -456
package/dist/component/server/runtime.js.map +0 -1
package/dist/component/server/sessions.js +0 -71
package/dist/component/server/sessions.js.map +0 -1
package/dist/component/server/signin.js +0 -225
package/dist/component/server/signin.js.map +0 -1
package/dist/component/server/tokens.js +0 -17
package/dist/component/server/tokens.js.map +0 -1
package/dist/component/server/totp.js +0 -208
package/dist/component/server/totp.js.map +0 -1
package/dist/component/server/types.d.ts +0 -949
package/dist/component/server/types.d.ts.map +0 -1
package/dist/component/server/types.js +0 -79
package/dist/component/server/types.js.map +0 -1
package/dist/component/server/users.js +0 -123
package/dist/component/server/users.js.map +0 -1
package/dist/component/server/utils.js +0 -140
package/dist/component/server/utils.js.map +0 -1
package/dist/core/types.d.ts +0 -361
package/dist/core/types.d.ts.map +0 -1
package/dist/factors/device.js +0 -104
package/dist/factors/device.js.map +0 -1
package/dist/factors/passkey.js.map +0 -1
package/dist/factors/totp.js.map +0 -1
package/dist/providers/anonymous.d.ts.map +0 -1
package/dist/providers/anonymous.js.map +0 -1
package/dist/providers/credentials.d.ts.map +0 -1
package/dist/providers/credentials.js.map +0 -1
package/dist/providers/device.d.ts.map +0 -1
package/dist/providers/device.js.map +0 -1
package/dist/providers/email.d.ts.map +0 -1
package/dist/providers/email.js.map +0 -1
package/dist/providers/oauth.d.ts +0 -69
package/dist/providers/oauth.d.ts.map +0 -1
package/dist/providers/oauth.js +0 -43
package/dist/providers/oauth.js.map +0 -1
package/dist/providers/passkey.d.ts.map +0 -1
package/dist/providers/passkey.js.map +0 -1
package/dist/providers/password.d.ts.map +0 -1
package/dist/providers/password.js.map +0 -1
package/dist/providers/phone.d.ts.map +0 -1
package/dist/providers/phone.js.map +0 -1
package/dist/providers/sso.d.ts.map +0 -1
package/dist/providers/sso.js.map +0 -1
package/dist/providers/totp.d.ts.map +0 -1
package/dist/providers/totp.js.map +0 -1
package/dist/runtime/browser.js +0 -68
package/dist/runtime/browser.js.map +0 -1
package/dist/runtime/invite.js.map +0 -1
package/dist/runtime/proxy.js +0 -70
package/dist/runtime/proxy.js.map +0 -1
package/dist/runtime/storage.js +0 -37
package/dist/runtime/storage.js.map +0 -1
package/dist/server/auth.d.ts.map +0 -1
package/dist/server/auth.js.map +0 -1
package/dist/server/config.d.ts +0 -1
package/dist/server/config.js.map +0 -1
package/dist/server/context.d.ts +0 -1
package/dist/server/context.js.map +0 -1
package/dist/server/cookies.d.ts +0 -1
package/dist/server/cookies.js.map +0 -1
package/dist/server/core.d.ts +0 -1315
package/dist/server/core.d.ts.map +0 -1
package/dist/server/core.js.map +0 -1
package/dist/server/crypto.d.ts +0 -8
package/dist/server/crypto.d.ts.map +0 -1
package/dist/server/crypto.js.map +0 -1
package/dist/server/db.d.ts +0 -1
package/dist/server/db.js.map +0 -1
package/dist/server/device.d.ts +0 -1
package/dist/server/device.js.map +0 -1
package/dist/server/enterprise/config.d.ts +0 -1
package/dist/server/enterprise/config.js.map +0 -1
package/dist/server/enterprise/domain.d.ts +0 -401
package/dist/server/enterprise/domain.d.ts.map +0 -1
package/dist/server/enterprise/domain.js +0 -974
package/dist/server/enterprise/domain.js.map +0 -1
package/dist/server/enterprise/http.d.ts +0 -26
package/dist/server/enterprise/http.d.ts.map +0 -1
package/dist/server/enterprise/http.js +0 -787
package/dist/server/enterprise/http.js.map +0 -1
package/dist/server/enterprise/oidc.d.ts +0 -1
package/dist/server/enterprise/oidc.js +0 -248
package/dist/server/enterprise/oidc.js.map +0 -1
package/dist/server/enterprise/policy.d.ts +0 -1
package/dist/server/enterprise/policy.js +0 -85
package/dist/server/enterprise/policy.js.map +0 -1
package/dist/server/enterprise/saml.d.ts +0 -1
package/dist/server/enterprise/saml.js +0 -338
package/dist/server/enterprise/saml.js.map +0 -1
package/dist/server/enterprise/scim.d.ts +0 -1
package/dist/server/enterprise/scim.js +0 -97
package/dist/server/enterprise/scim.js.map +0 -1
package/dist/server/enterprise/shared.d.ts +0 -5
package/dist/server/enterprise/shared.d.ts.map +0 -1
package/dist/server/enterprise/shared.js +0 -51
package/dist/server/enterprise/shared.js.map +0 -1
package/dist/server/enterprise/validators.d.ts +0 -1
package/dist/server/enterprise/validators.js +0 -60
package/dist/server/enterprise/validators.js.map +0 -1
package/dist/server/http.d.ts.map +0 -1
package/dist/server/http.js.map +0 -1
package/dist/server/identity.d.ts +0 -1
package/dist/server/identity.js.map +0 -1
package/dist/server/keys.d.ts +0 -1
package/dist/server/keys.js.map +0 -1
package/dist/server/limits.d.ts +0 -1
package/dist/server/limits.js.map +0 -1
package/dist/server/mounts.d.ts.map +0 -1
package/dist/server/mounts.js.map +0 -1
package/dist/server/mutations/account.d.ts +0 -29
package/dist/server/mutations/account.d.ts.map +0 -1
package/dist/server/mutations/account.js.map +0 -1
package/dist/server/mutations/code.d.ts +0 -30
package/dist/server/mutations/code.d.ts.map +0 -1
package/dist/server/mutations/code.js.map +0 -1
package/dist/server/mutations/index.d.ts +0 -14
package/dist/server/mutations/invalidate.d.ts +0 -20
package/dist/server/mutations/invalidate.d.ts.map +0 -1
package/dist/server/mutations/invalidate.js.map +0 -1
package/dist/server/mutations/oauth.d.ts +0 -30
package/dist/server/mutations/oauth.d.ts.map +0 -1
package/dist/server/mutations/oauth.js.map +0 -1
package/dist/server/mutations/refresh.d.ts +0 -21
package/dist/server/mutations/refresh.d.ts.map +0 -1
package/dist/server/mutations/refresh.js.map +0 -1
package/dist/server/mutations/register.d.ts +0 -38
package/dist/server/mutations/register.d.ts.map +0 -1
package/dist/server/mutations/register.js.map +0 -1
package/dist/server/mutations/retrieve.d.ts +0 -33
package/dist/server/mutations/retrieve.d.ts.map +0 -1
package/dist/server/mutations/retrieve.js.map +0 -1
package/dist/server/mutations/signature.d.ts +0 -21
package/dist/server/mutations/signature.d.ts.map +0 -1
package/dist/server/mutations/signature.js.map +0 -1
package/dist/server/mutations/signin.d.ts +0 -22
package/dist/server/mutations/signin.d.ts.map +0 -1
package/dist/server/mutations/signin.js.map +0 -1
package/dist/server/mutations/signout.d.ts +0 -16
package/dist/server/mutations/signout.d.ts.map +0 -1
package/dist/server/mutations/signout.js.map +0 -1
package/dist/server/mutations/store/refs.d.ts +0 -12
package/dist/server/mutations/store/refs.d.ts.map +0 -1
package/dist/server/mutations/store/refs.js.map +0 -1
package/dist/server/mutations/store.d.ts +0 -306
package/dist/server/mutations/store.d.ts.map +0 -1
package/dist/server/mutations/store.js.map +0 -1
package/dist/server/mutations/verifier.d.ts +0 -13
package/dist/server/mutations/verifier.d.ts.map +0 -1
package/dist/server/mutations/verifier.js.map +0 -1
package/dist/server/mutations/verify.d.ts +0 -26
package/dist/server/mutations/verify.d.ts.map +0 -1
package/dist/server/mutations/verify.js.map +0 -1
package/dist/server/oauth.d.ts +0 -1
package/dist/server/oauth.js +0 -242
package/dist/server/oauth.js.map +0 -1
package/dist/server/passkey.d.ts +0 -27
package/dist/server/passkey.d.ts.map +0 -1
package/dist/server/passkey.js.map +0 -1
package/dist/server/redirects.d.ts +0 -1
package/dist/server/redirects.js.map +0 -1
package/dist/server/refresh.d.ts +0 -1
package/dist/server/refresh.js.map +0 -1
package/dist/server/runtime.d.ts.map +0 -1
package/dist/server/runtime.js.map +0 -1
package/dist/server/sessions.d.ts +0 -1
package/dist/server/sessions.js.map +0 -1
package/dist/server/signin.d.ts +0 -1
package/dist/server/signin.js.map +0 -1
package/dist/server/ssr.d.ts.map +0 -1
package/dist/server/ssr.js +0 -777
package/dist/server/ssr.js.map +0 -1
package/dist/server/templates.d.ts +0 -1
package/dist/server/templates.js.map +0 -1
package/dist/server/tokens.d.ts +0 -1
package/dist/server/tokens.js.map +0 -1
package/dist/server/totp.d.ts +0 -1
package/dist/server/totp.js.map +0 -1
package/dist/server/types.d.ts.map +0 -1
package/dist/server/types.js.map +0 -1
package/dist/server/users.d.ts +0 -1
package/dist/server/users.js.map +0 -1
package/dist/server/utils.d.ts +0 -1
package/dist/server/utils.js +0 -140
package/dist/server/utils.js.map +0 -1
package/src/authorization/index.ts +0 -83
package/src/cli/bin.ts +0 -5
package/src/cli/command.ts +0 -70
package/src/cli/index.ts +0 -1112
package/src/cli/keys.ts +0 -23
package/src/client/core/types.ts +0 -437
package/src/client/factors/device.ts +0 -158
package/src/client/factors/passkey.ts +0 -279
package/src/client/factors/totp.ts +0 -150
package/src/client/index.ts +0 -1124
package/src/client/runtime/browser.ts +0 -112
package/src/client/runtime/invite.ts +0 -63
package/src/client/runtime/proxy.ts +0 -111
package/src/client/runtime/storage.ts +0 -79
package/src/component/_generated/api.ts +0 -96
package/src/component/_generated/component.ts +0 -3774
package/src/component/_generated/dataModel.ts +0 -60
package/src/component/_generated/server.ts +0 -156
package/src/component/convex.config.ts +0 -5
package/src/component/functions.ts +0 -104
package/src/component/index.ts +0 -42
package/src/component/model.ts +0 -449
package/src/component/public/enterprise/audit.ts +0 -125
package/src/component/public/enterprise/core.ts +0 -355
package/src/component/public/enterprise/domains.ts +0 -327
package/src/component/public/enterprise/scim.ts +0 -397
package/src/component/public/enterprise/secrets.ts +0 -133
package/src/component/public/enterprise/webhooks.ts +0 -307
package/src/component/public/factors/devices.ts +0 -224
package/src/component/public/factors/passkeys.ts +0 -243
package/src/component/public/factors/totp.ts +0 -259
package/src/component/public/groups/core.ts +0 -481
package/src/component/public/groups/invites.ts +0 -608
package/src/component/public/groups/members.ts +0 -410
package/src/component/public/identity/accounts.ts +0 -207
package/src/component/public/identity/codes.ts +0 -149
package/src/component/public/identity/sessions.ts +0 -210
package/src/component/public/identity/tokens.ts +0 -251
package/src/component/public/identity/users.ts +0 -355
package/src/component/public/identity/verifiers.ts +0 -158
package/src/component/public/security/keys.ts +0 -366
package/src/component/public/security/limits.ts +0 -174
package/src/component/public.ts +0 -27
package/src/component/schema.ts +0 -505
package/src/providers/anonymous.ts +0 -99
package/src/providers/credentials.ts +0 -102
package/src/providers/device.ts +0 -87
package/src/providers/email.ts +0 -99
package/src/providers/index.ts +0 -31
package/src/providers/oauth.ts +0 -117
package/src/providers/passkey.ts +0 -77
package/src/providers/password.ts +0 -441
package/src/providers/phone.ts +0 -93
package/src/providers/sso.ts +0 -54
package/src/providers/totp.ts +0 -62
package/src/samlify.d.ts +0 -53
package/src/server/auth.ts +0 -949
package/src/server/config.ts +0 -200
package/src/server/context.ts +0 -90
package/src/server/cookies.ts +0 -49
package/src/server/core.ts +0 -2004
package/src/server/crypto.ts +0 -90
package/src/server/db.ts +0 -203
package/src/server/device.ts +0 -254
package/src/server/enterprise/config.ts +0 -51
package/src/server/enterprise/domain.ts +0 -1739
package/src/server/enterprise/http.ts +0 -1331
package/src/server/enterprise/oidc.ts +0 -500
package/src/server/enterprise/policy.ts +0 -128
package/src/server/enterprise/saml.ts +0 -578
package/src/server/enterprise/scim.ts +0 -135
package/src/server/enterprise/shared.ts +0 -134
package/src/server/enterprise/validators.ts +0 -93
package/src/server/http.ts +0 -790
package/src/server/identity.ts +0 -18
package/src/server/index.ts +0 -40
package/src/server/keys.ts +0 -158
package/src/server/limits.ts +0 -107
package/src/server/mounts.ts +0 -924
package/src/server/mutations/account.ts +0 -62
package/src/server/mutations/code.ts +0 -119
package/src/server/mutations/index.ts +0 -13
package/src/server/mutations/invalidate.ts +0 -50
package/src/server/mutations/oauth.ts +0 -243
package/src/server/mutations/refresh.ts +0 -299
package/src/server/mutations/register.ts +0 -155
package/src/server/mutations/retrieve.ts +0 -109
package/src/server/mutations/signature.ts +0 -57
package/src/server/mutations/signin.ts +0 -54
package/src/server/mutations/signout.ts +0 -43
package/src/server/mutations/store/refs.ts +0 -10
package/src/server/mutations/store.ts +0 -123
package/src/server/mutations/verifier.ts +0 -34
package/src/server/mutations/verify.ts +0 -200
package/src/server/oauth.ts +0 -418
package/src/server/passkey.ts +0 -838
package/src/server/redirects.ts +0 -59
package/src/server/refresh.ts +0 -218
package/src/server/runtime.ts +0 -918
package/src/server/sessions.ts +0 -132
package/src/server/signin.ts +0 -445
package/src/server/ssr.ts +0 -1747
package/src/server/templates.ts +0 -82
package/src/server/tokens.ts +0 -35
package/src/server/totp.ts +0 -399
package/src/server/types.ts +0 -1942
package/src/server/users.ts +0 -291
package/src/server/utils.ts +0 -220
/package/dist/{runtime → client/runtime}/invite.js +0 -0

package/dist/server/sso/oidc.js ADDED Viewed

@@ -0,0 +1,324 @@
+import { log } from "../log.js";
+import { createCache } from "../utils/cache.js";
+import { retryWithBackoff } from "../utils/retry.js";
+import { withSpan } from "../utils/span.js";
+import { finalizeNormalizedProfile, normalizeStringArray } from "./profile.js";
+import { getGroupOidcUrls, groupOidcProviderId } from "./shared.js";
+import { sha256 } from "@oslojs/crypto/sha2";
+import { encodeBase64urlNoPadding } from "@oslojs/encoding";
+import { createRemoteJWKSet, customFetch, decodeProtectedHeader, jwtVerify } from "jose";
+import { decodeIdToken } from "arctic";
+//#region src/server/sso/oidc.ts
+const OIDC_JWKS_CACHE = createCache({
+	capacity: 128,
+	timeToLiveMs: 3600 * 1e3,
+	lookup: (cacheKey) => {
+		const key = JSON.parse(cacheKey);
+		const fetchImpl = key.runtimeOrigin !== void 0 || key.externalHost !== void 0 ? createGroupConnectionOidcFetchFromParts(key.runtimeOrigin, key.externalHost) : void 0;
+		return fetchImpl ? createRemoteJWKSet(new URL(key.url), { [customFetch]: fetchImpl }) : createRemoteJWKSet(new URL(key.url));
+	}
+});
+function validateOidcDiscovery(data) {
+	if (typeof data !== "object" || data === null) throw new Error("OIDC discovery response is not an object.");
+	const obj = data;
+	if (typeof obj.issuer !== "string") throw new Error("OIDC discovery is missing 'issuer'.");
+	if (typeof obj.authorization_endpoint !== "string") throw new Error("OIDC discovery is missing 'authorization_endpoint'.");
+	if (typeof obj.token_endpoint !== "string") throw new Error("OIDC discovery is missing 'token_endpoint'.");
+	if (typeof obj.jwks_uri !== "string") throw new Error("OIDC discovery is missing 'jwks_uri'.");
+	return {
+		issuer: obj.issuer,
+		authorization_endpoint: obj.authorization_endpoint,
+		token_endpoint: obj.token_endpoint,
+		jwks_uri: obj.jwks_uri,
+		userinfo_endpoint: typeof obj.userinfo_endpoint === "string" ? obj.userinfo_endpoint : void 0,
+		token_endpoint_auth_methods_supported: Array.isArray(obj.token_endpoint_auth_methods_supported) ? obj.token_endpoint_auth_methods_supported.filter((v) => typeof v === "string") : void 0,
+		id_token_signing_alg_values_supported: Array.isArray(obj.id_token_signing_alg_values_supported) ? obj.id_token_signing_alg_values_supported.filter((v) => typeof v === "string") : void 0
+	};
+}
+function validateOidcUserInfo(data) {
+	if (typeof data !== "object" || data === null) return {};
+	const obj = data;
+	return {
+		sub: typeof obj.sub === "string" ? obj.sub : void 0,
+		email: typeof obj.email === "string" ? obj.email : void 0,
+		email_verified: typeof obj.email_verified === "boolean" ? obj.email_verified : void 0,
+		name: typeof obj.name === "string" ? obj.name : void 0,
+		picture: typeof obj.picture === "string" ? obj.picture : void 0
+	};
+}
+const asError = (error) => error instanceof Error ? error : new Error(String(error));
+function getOidcSections(config) {
+	return {
+		discovery: typeof config.discovery === "object" && config.discovery !== null ? config.discovery : {},
+		client: typeof config.client === "object" && config.client !== null ? config.client : {},
+		request: typeof config.request === "object" && config.request !== null ? config.request : {},
+		security: typeof config.security === "object" && config.security !== null ? config.security : {},
+		profile: typeof config.profile === "object" && config.profile !== null ? config.profile : {}
+	};
+}
+async function discoverOidcConfiguration(config) {
+	const { discovery } = getOidcSections(config);
+	const discoveryUrl = typeof discovery.discoveryUrl === "string" ? discovery.discoveryUrl : typeof discovery.issuer === "string" ? `${discovery.issuer.replace(/\/$/, "")}/.well-known/openid-configuration` : null;
+	if (!discoveryUrl) throw new Error("Group connection OIDC requires an issuer or discoveryUrl.");
+	const oidcFetch = createGroupConnectionOidcFetch(config, typeof discovery.issuer === "string" ? discovery.issuer : void 0);
+	return withSpan("convex-auth.sso.oidc.discovery", {}, async () => {
+		return retryWithBackoff(async () => {
+			const response = await oidcFetch(discoveryUrl, { signal: AbortSignal.timeout(1e4) });
+			if (!response.ok) throw new Error(`Failed to discover OIDC configuration: ${response.status}`);
+			return validateOidcDiscovery(await response.json());
+		}, {
+			maxRetries: 2,
+			baseMs: 200
+		});
+	});
+}
+function createGroupConnectionOidcFetch(config, discoveredIssuer) {
+	const { discovery } = getOidcSections(config);
+	return createGroupConnectionOidcFetchFromParts(typeof discovery.discoveryUrl === "string" ? new URL(discovery.discoveryUrl).origin : void 0, typeof discovery.issuer === "string" ? new URL(discovery.issuer).host : typeof discoveredIssuer === "string" ? new URL(discoveredIssuer).host : void 0);
+}
+function createGroupConnectionOidcFetchFromParts(runtimeOrigin, externalHost) {
+	return async (input, init) => {
+		const url = new URL(typeof input === "string" ? input : input.toString());
+		const rewrittenUrl = runtimeOrigin !== void 0 && url.origin !== runtimeOrigin ? new URL(`${runtimeOrigin}${url.pathname}${url.search}`) : url;
+		const headers = new Headers(init?.headers);
+		if (runtimeOrigin !== void 0 && externalHost !== void 0) headers.set("host", externalHost);
+		return await fetch(rewrittenUrl, {
+			...init,
+			headers
+		});
+	};
+}
+function normalizeOidcProfile(claims, mapping) {
+	const getMapped = (key) => typeof key === "string" ? claims[key] : void 0;
+	return finalizeNormalizedProfile({
+		id: (typeof getMapped(mapping?.subject) === "string" ? getMapped(mapping?.subject) : void 0) ?? (typeof claims.sub === "string" ? claims.sub : crypto.randomUUID()),
+		email: (typeof getMapped(mapping?.email) === "string" ? getMapped(mapping?.email) : void 0) ?? (typeof claims.email === "string" ? claims.email : void 0),
+		emailVerified: (typeof getMapped(mapping?.emailVerified) === "boolean" ? getMapped(mapping?.emailVerified) : void 0) ?? (typeof claims.email_verified === "boolean" ? claims.email_verified : void 0),
+		name: (typeof getMapped(mapping?.name) === "string" ? getMapped(mapping?.name) : void 0) ?? (typeof claims.name === "string" ? claims.name : void 0),
+		image: (typeof getMapped(mapping?.image) === "string" ? getMapped(mapping?.image) : void 0) ?? (typeof claims.picture === "string" ? claims.picture : void 0),
+		groups: normalizeStringArray(getMapped(mapping?.groups)),
+		roles: normalizeStringArray(getMapped(mapping?.roles))
+	});
+}
+function getOidcJwks(url, runtimeOrigin, externalHost, fetchImpl) {
+	const cacheKey = JSON.stringify({
+		url,
+		runtimeOrigin: fetchImpl ? runtimeOrigin : void 0,
+		externalHost: fetchImpl ? externalHost : void 0
+	});
+	return OIDC_JWKS_CACHE.get(cacheKey);
+}
+async function userInfoProfileFx(opts) {
+	return withSpan("convex-auth.sso.oidc.userinfo", {}, async () => {
+		let userInfo;
+		try {
+			const response = await (opts.fetchImpl ?? fetch)(opts.endpoint, { headers: { Authorization: `Bearer ${opts.accessToken}` } });
+			if (!response.ok) throw new Error(`OIDC userinfo request failed: ${response.status}`);
+			userInfo = validateOidcUserInfo(await response.json());
+		} catch {
+			return null;
+		}
+		const userInfoSubject = typeof userInfo.sub === "string" ? userInfo.sub : void 0;
+		const tokenSubject = typeof opts.verifiedClaims.sub === "string" ? opts.verifiedClaims.sub : void 0;
+		if (userInfoSubject !== void 0 && tokenSubject !== void 0 && userInfoSubject !== tokenSubject) throw new Error("OIDC userinfo subject does not match ID token subject.");
+		return {
+			id: userInfoSubject ?? (typeof opts.verifiedClaims.sub === "string" ? opts.verifiedClaims.sub : void 0) ?? crypto.randomUUID(),
+			email: typeof userInfo.email === "string" ? userInfo.email : opts.verifiedProfile.email,
+			emailVerified: typeof userInfo.email_verified === "boolean" ? userInfo.email_verified : opts.verifiedProfile.emailVerified,
+			name: typeof userInfo.name === "string" ? userInfo.name : opts.verifiedProfile.name,
+			image: typeof userInfo.picture === "string" ? userInfo.picture : opts.verifiedProfile.image
+		};
+	});
+}
+/** @internal */
+async function createGroupConnectionOidcProvider(config, redirectUri) {
+	const { discovery: discoveryConfig, client, request, security, profile } = getOidcSections(config);
+	const discovery = await discoverOidcConfiguration(config);
+	const discoveredIssuer = typeof discovery.issuer === "string" ? discovery.issuer.replace(/\/$/, "") : "";
+	const expectedIssuer = typeof discoveryConfig.issuer === "string" ? discoveryConfig.issuer.replace(/\/$/, "") : discoveredIssuer;
+	const strictIssuer = security.strictIssuer === true;
+	if (typeof discoveryConfig.issuer === "string" && expectedIssuer !== discoveredIssuer) {
+		if (strictIssuer) throw new Error(`Configured OIDC issuer mismatch. configured=${expectedIssuer} discovery=${discoveredIssuer}`);
+		log("WARN", "Configured OIDC issuer differs from discovery issuer; accepting both for token verification.", {
+			configuredIssuer: expectedIssuer,
+			discoveryIssuer: discoveredIssuer
+		});
+	}
+	const authorizationEndpoint = discovery.authorization_endpoint;
+	const tokenEndpoint = discovery.token_endpoint;
+	const jwksUri = typeof discoveryConfig.jwksUri === "string" ? discoveryConfig.jwksUri : typeof discovery.jwks_uri === "string" ? discovery.jwks_uri : "";
+	const supportedIdTokenSigningAlgs = Array.isArray(discovery.id_token_signing_alg_values_supported) ? discovery.id_token_signing_alg_values_supported.filter((value) => typeof value === "string") : [];
+	const discoveredTokenEndpointAuthMethods = Array.isArray(discovery.token_endpoint_auth_methods_supported) ? discovery.token_endpoint_auth_methods_supported.filter((value) => typeof value === "string") : [];
+	const tokenEndpointAuthMethod = client.authMethod === "client_secret_basic" || client.authMethod === "client_secret_post" ? client.authMethod : discoveredTokenEndpointAuthMethods.includes("client_secret_basic") ? "client_secret_basic" : "client_secret_post";
+	const userinfoEndpoint = discovery.userinfo_endpoint ?? void 0;
+	const claimMapping = typeof profile.mapping === "object" && profile.mapping !== null ? profile.mapping : void 0;
+	const oidcFetch = createGroupConnectionOidcFetch(config, discovery.issuer);
+	const runtimeOrigin = typeof discoveryConfig.discoveryUrl === "string" ? new URL(discoveryConfig.discoveryUrl).origin : void 0;
+	const externalHost = typeof discoveryConfig.issuer === "string" ? new URL(discoveryConfig.issuer).host : typeof discovery.issuer === "string" ? new URL(discovery.issuer).host : void 0;
+	const scopes = Array.isArray(request.scopes) ? request.scopes.filter((value) => typeof value === "string") : [
+		"openid",
+		"profile",
+		"email"
+	];
+	const expectedAudience = Array.isArray(discoveryConfig.audience) ? discoveryConfig.audience.filter((value) => typeof value === "string") : typeof discoveryConfig.audience === "string" ? discoveryConfig.audience : String(client.id);
+	const clockToleranceSeconds = typeof security.clockToleranceSeconds === "number" ? security.clockToleranceSeconds : 10;
+	const getIssuerCandidates = (issuer) => {
+		const candidates = [issuer];
+		if (issuer.startsWith("https://")) candidates.push(`http://${issuer.slice(8)}`);
+		else if (issuer.startsWith("http://")) candidates.push(`https://${issuer.slice(7)}`);
+		return candidates;
+	};
+	const expectedIssuers = strictIssuer ? [expectedIssuer] : Array.from(new Set([...getIssuerCandidates(expectedIssuer), ...getIssuerCandidates(discoveredIssuer)]));
+	const jwks = getOidcJwks(jwksUri, runtimeOrigin, externalHost, oidcFetch);
+	let verifiedClaims = null;
+	let verifiedProfile = null;
+	const normalizeProfile = (claims) => normalizeOidcProfile(claims, claimMapping);
+	return {
+		provider: {
+			pkce: "required",
+			createAuthorizationURL({ state, codeVerifier, scopes: requestedScopes, nonce, loginHint }) {
+				if (!codeVerifier) throw new Error("OIDC PKCE requires a code verifier.");
+				const url = new URL(authorizationEndpoint);
+				url.searchParams.set("response_type", "code");
+				url.searchParams.set("client_id", String(client.id));
+				url.searchParams.set("redirect_uri", redirectUri);
+				url.searchParams.set("scope", (requestedScopes.length > 0 ? requestedScopes : scopes).join(" "));
+				url.searchParams.set("state", state);
+				url.searchParams.set("code_challenge_method", "S256");
+				url.searchParams.set("code_challenge", encodeBase64urlNoPadding(sha256(new TextEncoder().encode(codeVerifier))));
+				if (nonce !== void 0) url.searchParams.set("nonce", nonce);
+				if (typeof loginHint === "string") url.searchParams.set("login_hint", loginHint);
+				const authorizationParams = typeof request.authorizationParams === "object" && request.authorizationParams !== null ? request.authorizationParams : {};
+				for (const [key, value] of Object.entries(authorizationParams)) if (typeof value === "string") url.searchParams.set(key, value);
+				return url;
+			},
+			async validateAuthorizationCode({ code, codeVerifier }) {
+				const body = new URLSearchParams({
+					grant_type: "authorization_code",
+					code,
+					redirect_uri: redirectUri
+				});
+				const headers = new Headers({ "Content-Type": "application/x-www-form-urlencoded" });
+				if (typeof client.secret === "string" && tokenEndpointAuthMethod === "client_secret_basic") {
+					const basicAuth = typeof btoa === "function" ? btoa(`${String(client.id)}:${client.secret}`) : Buffer.from(`${String(client.id)}:${client.secret}`).toString("base64");
+					headers.set("Authorization", `Basic ${basicAuth}`);
+				} else {
+					body.set("client_id", String(client.id));
+					if (typeof client.secret === "string") body.set("client_secret", client.secret);
+				}
+				if (codeVerifier) body.set("code_verifier", codeVerifier);
+				const response = await oidcFetch(tokenEndpoint, {
+					method: "POST",
+					headers,
+					body
+				});
+				if (!response.ok) {
+					const detail = await response.text();
+					throw new Error(`OIDC token exchange failed: ${response.status}${detail ? ` ${detail}` : ""}`);
+				}
+				const data = await response.json();
+				return {
+					accessToken: typeof data.access_token === "string" ? data.access_token : void 0,
+					refreshToken: typeof data.refresh_token === "string" ? data.refresh_token : void 0,
+					idToken: typeof data.id_token === "string" ? data.id_token : void 0,
+					accessTokenExpiresAt: typeof data.expires_in === "number" ? new Date(Date.now() + data.expires_in * 1e3) : void 0,
+					scopes: typeof data.scope === "string" ? data.scope.split(/[\s,]+/).map((scope) => scope.trim()).filter((scope) => scope.length > 0) : void 0,
+					raw: data
+				};
+			}
+		},
+		oauthConfig: {
+			scopes,
+			nonce: true,
+			validateTokens: async (tokens, ctx) => {
+				if (ctx.nonce === void 0) throw new Error("OIDC nonce is required.");
+				const idToken = tokens.idToken;
+				if (idToken === void 0) throw new Error("OIDC response is missing id_token.");
+				const verifiedIdToken = idToken;
+				const tokenAlg = decodeProtectedHeader(verifiedIdToken).alg;
+				const useSymmetricValidation = typeof tokenAlg === "string" && (tokenAlg === "HS256" || tokenAlg === "HS384" || tokenAlg === "HS512") && supportedIdTokenSigningAlgs.includes(tokenAlg);
+				const verificationOptions = {
+					audience: expectedAudience,
+					requiredClaims: [
+						"iss",
+						"sub",
+						"aud",
+						"exp",
+						"iat"
+					],
+					clockTolerance: clockToleranceSeconds
+				};
+				let verification;
+				try {
+					verification = await (useSymmetricValidation ? jwtVerify(verifiedIdToken, (() => {
+						if (typeof client.secret !== "string") throw new Error("OIDC provider uses symmetric ID token signatures but clientSecret is missing.");
+						return new TextEncoder().encode(client.secret);
+					})(), verificationOptions) : jwtVerify(verifiedIdToken, jwks, verificationOptions));
+				} catch (error) {
+					throw asError(error);
+				}
+				const payload = verification.payload;
+				const tokenIssuerRaw = typeof payload.iss === "string" ? payload.iss : void 0;
+				const tokenIssuer = typeof tokenIssuerRaw === "string" ? tokenIssuerRaw.replace(/\/$/, "") : void 0;
+				if (!tokenIssuer || !expectedIssuers.includes(tokenIssuer)) throw new Error(`OIDC token issuer mismatch. Received: ${tokenIssuer ?? "<missing>"}. Expected one of: ${expectedIssuers.join(", ")}`);
+				if (payload.nonce !== ctx.nonce) throw new Error("OIDC nonce mismatch.");
+				if (Array.isArray(payload.aud) && payload.aud.length > 1 && payload.azp !== String(client.id)) throw new Error("OIDC authorized party does not match client ID.");
+				verifiedClaims = payload;
+				verifiedProfile = normalizeProfile(payload);
+			},
+			accountLinking: config.accountLinking,
+			profile: async (tokens) => {
+				if (verifiedProfile === null || verifiedClaims === null) {
+					if (tokens.idToken === void 0) throw new Error("OIDC response is missing id_token.");
+					const claims = decodeIdToken(tokens.idToken);
+					verifiedClaims = claims;
+					verifiedProfile = normalizeProfile(claims);
+				}
+				if (userinfoEndpoint && typeof tokens.accessToken === "string") {
+					const userInfoProfile = await userInfoProfileFx({
+						endpoint: userinfoEndpoint,
+						accessToken: tokens.accessToken,
+						verifiedClaims,
+						verifiedProfile,
+						fetchImpl: oidcFetch
+					});
+					if (userInfoProfile !== null) return userInfoProfile;
+				}
+				return verifiedProfile;
+			}
+		}
+	};
+}
+/** @internal */
+function createSyntheticOAuthMaterializedConfig(providerId, options) {
+	return {
+		id: providerId,
+		type: "oauth",
+		provider: null,
+		scopes: [],
+		accountLinking: options?.accountLinking ?? "verifiedEmail"
+	};
+}
+/** @internal */
+async function createGroupConnectionOidcRuntime(opts) {
+	const providerId = groupOidcProviderId(opts.connectionId);
+	const urls = getGroupOidcUrls({
+		rootUrl: opts.rootUrl,
+		connectionId: opts.connectionId,
+		sharedRedirectURI: opts.sharedRedirectURI
+	});
+	const { provider, oauthConfig } = await createGroupConnectionOidcProvider(opts.oidc, urls.callbackUrl);
+	return {
+		oidc: opts.oidc,
+		providerId,
+		provider,
+		oauthConfig,
+		...urls
+	};
+}
+/** @internal */
+//#endregion
+export { createGroupConnectionOidcRuntime, createSyntheticOAuthMaterializedConfig };
+//# sourceMappingURL=oidc.js.map

package/dist/server/sso/policies.js ADDED Viewed

@@ -0,0 +1,59 @@
+import { getGroup } from "../contract.js";
+import { patchGroupConnectionPolicy } from "./policy.js";
+import { ConvexError } from "convex/values";
+//#region src/server/sso/policies.ts
+const convexError = (data) => new ConvexError(data);
+function createGroupPolicyDomain(deps) {
+	const { config, loadGroupPolicyOrThrow, validateGroupConnectionPolicy, recordGroupAuditEvent } = deps;
+	return {
+		get: async (ctx, groupId) => {
+			return await loadGroupPolicyOrThrow(ctx, groupId);
+		},
+		update: async (ctx, groupId, patch) => {
+			const group = await getGroup(ctx, config.component.public, groupId);
+			if (!group) throw convexError({
+				code: "INVALID_PARAMETERS",
+				message: "Group not found."
+			});
+			const policy = patchGroupConnectionPolicy(group.policy, patch);
+			await ctx.runMutation(config.component.public.groupUpdate, {
+				groupId,
+				data: { policy }
+			});
+			await recordGroupAuditEvent(ctx, {
+				groupId,
+				eventType: "group.sso.policy.updated",
+				actorType: "system",
+				subjectType: "group_policy",
+				subjectId: groupId,
+				ok: true,
+				metadata: { version: policy.version }
+			});
+			return policy;
+		},
+		validate: async (ctx, groupId) => {
+			if (!await getGroup(ctx, config.component.public, groupId)) return {
+				ok: false,
+				groupId,
+				checks: [{
+					name: "group_exists",
+					ok: false,
+					message: "Group not found."
+				}]
+			};
+			const policy = await loadGroupPolicyOrThrow(ctx, groupId);
+			const checks = validateGroupConnectionPolicy(policy);
+			return {
+				ok: checks.every((check) => check.ok),
+				groupId,
+				policy,
+				checks
+			};
+		}
+	};
+}
+//#endregion
+export { createGroupPolicyDomain };
+//# sourceMappingURL=policies.js.map

package/dist/server/sso/policy.js ADDED Viewed

@@ -0,0 +1,139 @@
+import { asRecord } from "./shared.js";
+//#region src/server/sso/policy.ts
+const DEFAULT_GROUP_CONNECTION_POLICY = {
+	version: 1,
+	identity: { accountLinking: {
+		oidc: "verifiedEmail",
+		saml: "verifiedEmail"
+	} },
+	provisioning: {
+		user: {
+			createOnSignIn: true,
+			updateProfileOnLogin: "missing",
+			updateProfileFromScim: "always",
+			authority: "app"
+		},
+		scimReuse: { user: "externalId" },
+		jit: {
+			mode: "createUserAndMembership",
+			defaultRoleIds: []
+		},
+		deprovision: { mode: "soft" },
+		groups: {
+			mode: "ignore",
+			source: "protocol"
+		},
+		roles: {
+			mode: "ignore",
+			source: "protocol"
+		}
+	}
+};
+function normalizeGroupConnectionPolicy(policy) {
+	const input = asRecord(policy) ?? {};
+	const accountLinking = asRecord((asRecord(input.identity) ?? {}).accountLinking) ?? {};
+	const provisioning = asRecord(input.provisioning) ?? {};
+	const scimReuse = asRecord(provisioning.scimReuse) ?? {};
+	const user = asRecord(provisioning.user) ?? {};
+	const jit = asRecord(provisioning.jit) ?? {};
+	const deprovision = asRecord(provisioning.deprovision) ?? {};
+	const groups = asRecord(provisioning.groups) ?? {};
+	const roles = asRecord(provisioning.roles) ?? {};
+	const extend = asRecord(input.extend) ?? void 0;
+	return {
+		version: 1,
+		identity: { accountLinking: {
+			oidc: accountLinking.oidc === "none" ? "none" : DEFAULT_GROUP_CONNECTION_POLICY.identity.accountLinking.oidc,
+			saml: accountLinking.saml === "none" ? "none" : DEFAULT_GROUP_CONNECTION_POLICY.identity.accountLinking.saml
+		} },
+		provisioning: {
+			user: {
+				createOnSignIn: typeof user.createOnSignIn === "boolean" ? user.createOnSignIn : DEFAULT_GROUP_CONNECTION_POLICY.provisioning.user.createOnSignIn,
+				updateProfileOnLogin: user.updateProfileOnLogin === "never" || user.updateProfileOnLogin === "always" ? user.updateProfileOnLogin : DEFAULT_GROUP_CONNECTION_POLICY.provisioning.user.updateProfileOnLogin,
+				updateProfileFromScim: user.updateProfileFromScim === "never" || user.updateProfileFromScim === "missing" ? user.updateProfileFromScim : DEFAULT_GROUP_CONNECTION_POLICY.provisioning.user.updateProfileFromScim,
+				authority: user.authority === "sso" || user.authority === "scim" ? user.authority : DEFAULT_GROUP_CONNECTION_POLICY.provisioning.user.authority
+			},
+			scimReuse: { user: scimReuse.user === "none" ? "none" : DEFAULT_GROUP_CONNECTION_POLICY.provisioning.scimReuse.user },
+			jit: {
+				mode: jit.mode === "off" || jit.mode === "createUser" || jit.mode === "createUserAndMembership" ? jit.mode : DEFAULT_GROUP_CONNECTION_POLICY.provisioning.jit.mode,
+				defaultRoleIds: Array.isArray(jit.defaultRoleIds) ? Array.from(new Set(jit.defaultRoleIds.filter((value) => typeof value === "string" && value.length > 0))) : typeof jit.defaultRole === "string" && jit.defaultRole.length > 0 ? [jit.defaultRole] : DEFAULT_GROUP_CONNECTION_POLICY.provisioning.jit.defaultRoleIds
+			},
+			deprovision: { mode: deprovision.mode === "hard" ? "hard" : DEFAULT_GROUP_CONNECTION_POLICY.provisioning.deprovision.mode },
+			groups: {
+				mode: groups.mode === "sync" ? "sync" : DEFAULT_GROUP_CONNECTION_POLICY.provisioning.groups.mode,
+				source: "protocol",
+				...typeof groups.mapping === "object" && groups.mapping !== null ? { mapping: Object.fromEntries(Object.entries(groups.mapping).filter(([key, value]) => typeof key === "string" && Array.isArray(value)).map(([key, value]) => [key, Array.from(new Set(value.filter((item) => typeof item === "string" && item.length > 0)))])) } : {}
+			},
+			roles: {
+				mode: roles.mode === "map" ? "map" : DEFAULT_GROUP_CONNECTION_POLICY.provisioning.roles.mode,
+				source: "protocol",
+				...typeof roles.mapping === "object" && roles.mapping !== null ? { mapping: Object.fromEntries(Object.entries(roles.mapping).filter(([key, value]) => typeof key === "string" && Array.isArray(value)).map(([key, value]) => [key, Array.from(new Set(value.filter((item) => typeof item === "string" && item.length > 0)))])) } : {}
+			}
+		},
+		...extend ? { extend } : {}
+	};
+}
+function patchGroupConnectionPolicy(current, patch) {
+	const base = normalizeGroupConnectionPolicy(current);
+	return normalizeGroupConnectionPolicy({
+		...base,
+		...patch,
+		identity: {
+			...base.identity,
+			...patch.identity,
+			accountLinking: {
+				...base.identity.accountLinking,
+				...patch.identity?.accountLinking
+			}
+		},
+		provisioning: {
+			...base.provisioning,
+			...patch.provisioning,
+			scimReuse: {
+				...base.provisioning.scimReuse,
+				...patch.provisioning?.scimReuse
+			},
+			user: {
+				...base.provisioning.user,
+				...patch.provisioning?.user
+			},
+			jit: {
+				...base.provisioning.jit,
+				...patch.provisioning?.jit
+			},
+			deprovision: {
+				...base.provisioning.deprovision,
+				...patch.provisioning?.deprovision
+			},
+			groups: {
+				...base.provisioning.groups,
+				...patch.provisioning?.groups
+			},
+			roles: {
+				...base.provisioning.roles,
+				...patch.provisioning?.roles
+			}
+		},
+		extend: patch.extend === void 0 ? base.extend : {
+			...base.extend,
+			...patch.extend
+		}
+	});
+}
+function resolveProvisionedRoleIds(opts) {
+	const roleIds = new Set(opts.policy.provisioning.jit.defaultRoleIds);
+	if (opts.policy.provisioning.groups.mode === "sync") {
+		const mapping = opts.policy.provisioning.groups.mapping ?? {};
+		for (const group of opts.groups ?? []) for (const roleId of mapping[group] ?? []) roleIds.add(roleId);
+	}
+	if (opts.policy.provisioning.roles.mode === "map") {
+		const mapping = opts.policy.provisioning.roles.mapping ?? {};
+		for (const role of opts.roles ?? []) for (const roleId of mapping[role] ?? []) roleIds.add(roleId);
+	}
+	return Array.from(roleIds);
+}
+//#endregion
+export { normalizeGroupConnectionPolicy, patchGroupConnectionPolicy, resolveProvisionedRoleIds };
+//# sourceMappingURL=policy.js.map

package/dist/server/sso/profile.js ADDED Viewed

@@ -0,0 +1,22 @@
+//#region src/server/sso/profile.ts
+/** @internal */
+function normalizeStringArray(value) {
+	if (Array.isArray(value)) {
+		const values = value.filter((item) => typeof item === "string" && item.length > 0);
+		return values.length > 0 ? values : void 0;
+	}
+	if (typeof value === "string" && value.length > 0) return [value];
+}
+/** @internal */
+function finalizeNormalizedProfile(input) {
+	return {
+		...input,
+		groups: normalizeStringArray(input.groups),
+		roles: normalizeStringArray(input.roles),
+		...input.extend && Object.keys(input.extend).length > 0 ? { extend: input.extend } : {}
+	};
+}
+//#endregion
+export { finalizeNormalizedProfile, normalizeStringArray };
+//# sourceMappingURL=profile.js.map