@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (666) hide show
  1. package/README.md +43 -36
  2. package/dist/bin.js +5765 -4880
  3. package/dist/browser/index.d.ts +30 -0
  4. package/dist/browser/index.js +93 -0
  5. package/dist/browser/locks.js +11 -0
  6. package/dist/browser/navigation.js +14 -0
  7. package/dist/{factors → browser}/passkey.js +23 -32
  8. package/dist/browser/runtime.js +92 -0
  9. package/dist/client/core/types.d.ts +452 -5
  10. package/dist/client/core/types.js +17 -0
  11. package/dist/client/errors.js +19 -0
  12. package/dist/client/factors/device.js +94 -0
  13. package/dist/{factors → client/factors}/totp.js +12 -4
  14. package/dist/client/index.d.ts +47 -1
  15. package/dist/client/index.js +269 -232
  16. package/dist/client/runtime/mutex.js +24 -0
  17. package/dist/client/runtime/proxy.js +30 -0
  18. package/dist/client/runtime/storage.js +45 -0
  19. package/dist/client/services/adapters.js +7 -0
  20. package/dist/client/services/http.js +6 -0
  21. package/dist/client/services/resolve.js +13 -0
  22. package/dist/client/services/runtime.js +6 -0
  23. package/dist/component/_generated/component.d.ts +1355 -1399
  24. package/dist/component/convex.config.d.ts +2 -2
  25. package/dist/component/index.d.ts +4 -26
  26. package/dist/component/index.js +1 -1
  27. package/dist/component/model.d.ts +26 -112
  28. package/dist/component/model.js +76 -54
  29. package/dist/component/modules.js +38 -0
  30. package/dist/component/public/factors/devices.js +1 -1
  31. package/dist/component/public/factors/passkeys.js +1 -1
  32. package/dist/component/public/factors/totp.js +1 -1
  33. package/dist/component/public/groups/core.js +2 -2
  34. package/dist/component/public/groups/invites.js +1 -1
  35. package/dist/component/public/groups/members.js +1 -1
  36. package/dist/component/public/identity/accounts.js +1 -1
  37. package/dist/component/public/identity/codes.js +1 -1
  38. package/dist/component/public/identity/sessions.js +39 -2
  39. package/dist/component/public/identity/tokens.js +82 -4
  40. package/dist/component/public/identity/users.js +1 -1
  41. package/dist/component/public/identity/verifiers.js +10 -4
  42. package/dist/component/public/security/keys.js +1 -1
  43. package/dist/component/public/security/limits.js +1 -1
  44. package/dist/component/public/{enterprise → sso}/audit.js +26 -26
  45. package/dist/component/public/sso/core.js +263 -0
  46. package/dist/component/public/sso/domains.js +280 -0
  47. package/dist/component/public/{enterprise → sso}/scim.js +87 -87
  48. package/dist/component/public/sso/secrets.js +125 -0
  49. package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
  50. package/dist/component/public.js +9 -9
  51. package/dist/component/schema.d.ts +472 -393
  52. package/dist/component/schema.js +36 -35
  53. package/dist/core/index.d.ts +380 -0
  54. package/dist/core/index.js +83 -0
  55. package/dist/otel.d.ts +69 -0
  56. package/dist/otel.js +82 -0
  57. package/dist/providers/anonymous.d.ts +15 -34
  58. package/dist/providers/anonymous.js +27 -35
  59. package/dist/providers/apple.d.ts +59 -0
  60. package/dist/providers/apple.js +58 -0
  61. package/dist/providers/credentials.d.ts +18 -34
  62. package/dist/providers/credentials.js +16 -27
  63. package/dist/providers/custom.d.ts +94 -0
  64. package/dist/providers/custom.js +119 -0
  65. package/dist/providers/device.d.ts +15 -49
  66. package/dist/providers/device.js +17 -34
  67. package/dist/providers/email.d.ts +21 -38
  68. package/dist/providers/email.js +36 -55
  69. package/dist/providers/github.d.ts +54 -0
  70. package/dist/providers/github.js +75 -0
  71. package/dist/providers/google.d.ts +54 -0
  72. package/dist/providers/google.js +61 -0
  73. package/dist/providers/index.d.ts +16 -12
  74. package/dist/providers/index.js +15 -11
  75. package/dist/providers/microsoft.d.ts +57 -0
  76. package/dist/providers/microsoft.js +101 -0
  77. package/dist/providers/passkey.d.ts +19 -35
  78. package/dist/providers/passkey.js +20 -30
  79. package/dist/providers/password.d.ts +17 -18
  80. package/dist/providers/password.js +121 -143
  81. package/dist/providers/phone.d.ts +13 -28
  82. package/dist/providers/phone.js +21 -46
  83. package/dist/providers/sso.d.ts +16 -36
  84. package/dist/providers/sso.js +21 -22
  85. package/dist/providers/totp.d.ts +13 -29
  86. package/dist/providers/totp.js +17 -27
  87. package/dist/server/auth-context.d.ts +204 -0
  88. package/dist/server/auth-context.js +76 -0
  89. package/dist/server/auth.d.ts +99 -244
  90. package/dist/server/auth.js +56 -152
  91. package/dist/server/componentContext.d.ts +12 -0
  92. package/dist/server/componentContext.js +1 -0
  93. package/dist/server/config.js +6 -67
  94. package/dist/server/constants.js +6 -0
  95. package/dist/server/contract.d.ts +105 -0
  96. package/dist/server/contract.js +43 -0
  97. package/dist/server/cookies.js +3 -2
  98. package/dist/server/core.js +31 -36
  99. package/dist/server/crypto.js +34 -44
  100. package/dist/server/db.js +6 -1
  101. package/dist/server/device.js +96 -130
  102. package/dist/server/env.js +48 -0
  103. package/dist/server/errors.js +20 -0
  104. package/dist/server/http.d.ts +15 -59
  105. package/dist/server/http.js +136 -120
  106. package/dist/server/identity.js +2 -2
  107. package/dist/server/index.d.ts +5 -4
  108. package/dist/server/index.js +3 -3
  109. package/dist/server/keys.js +10 -1
  110. package/dist/server/limits.js +26 -26
  111. package/dist/server/log.js +28 -0
  112. package/dist/server/mounts.d.ts +1107 -296
  113. package/dist/server/mounts.js +315 -196
  114. package/dist/server/mutations/account.js +11 -14
  115. package/dist/server/mutations/code.js +6 -5
  116. package/dist/server/mutations/invalidate.js +9 -11
  117. package/dist/server/mutations/oauth.js +112 -73
  118. package/dist/server/mutations/refresh.js +47 -97
  119. package/dist/server/mutations/register.js +37 -35
  120. package/dist/server/mutations/retrieve.js +16 -16
  121. package/dist/server/mutations/signature.js +15 -18
  122. package/dist/server/mutations/signin.js +10 -5
  123. package/dist/server/mutations/signout.js +11 -14
  124. package/dist/server/mutations/store.js +25 -18
  125. package/dist/server/mutations/verifier.js +11 -8
  126. package/dist/server/mutations/verify.js +53 -41
  127. package/dist/server/oauth/factory.js +44 -0
  128. package/dist/server/oauth/index.js +12 -0
  129. package/dist/server/oauth/runtime.js +248 -0
  130. package/dist/server/passkey.js +331 -365
  131. package/dist/server/payloads.d.ts +16 -0
  132. package/dist/server/payloads.js +30 -0
  133. package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
  134. package/dist/server/prefetch.js +635 -0
  135. package/dist/server/random.js +19 -0
  136. package/dist/server/redirects.js +10 -5
  137. package/dist/server/refresh.js +14 -86
  138. package/dist/server/runtime.d.ts +531 -31
  139. package/dist/server/runtime.js +106 -267
  140. package/dist/server/secret.js +44 -0
  141. package/dist/server/services/config.js +10 -0
  142. package/dist/server/services/group.js +211 -0
  143. package/dist/server/services/logger.js +8 -0
  144. package/dist/server/services/providers.js +22 -0
  145. package/dist/server/services/refresh.js +8 -0
  146. package/dist/server/services/resolve.js +27 -0
  147. package/dist/server/services/signin.js +8 -0
  148. package/dist/server/sessions.js +35 -34
  149. package/dist/server/signin.js +229 -140
  150. package/dist/server/{enterprise → sso}/config.js +10 -3
  151. package/dist/server/sso/domain.d.ts +614 -0
  152. package/dist/server/sso/domain.js +1175 -0
  153. package/dist/server/sso/http.js +1060 -0
  154. package/dist/server/sso/oidc.js +324 -0
  155. package/dist/server/sso/policies.js +59 -0
  156. package/dist/server/sso/policy.js +139 -0
  157. package/dist/server/sso/profile.js +22 -0
  158. package/dist/server/sso/provision.js +179 -0
  159. package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
  160. package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
  161. package/dist/server/sso/shared.js +74 -0
  162. package/dist/server/sso/validators.js +88 -0
  163. package/dist/server/sso/webhook.js +94 -0
  164. package/dist/server/tokens.js +16 -4
  165. package/dist/server/totp.js +155 -164
  166. package/dist/server/types.d.ts +306 -296
  167. package/dist/server/types.js +1 -30
  168. package/dist/server/url.js +32 -0
  169. package/dist/server/users.js +74 -40
  170. package/dist/server/utils/cache.js +51 -0
  171. package/dist/server/utils/dispatch.js +36 -0
  172. package/dist/server/utils/retry.js +24 -0
  173. package/dist/server/utils/span.js +32 -0
  174. package/dist/shared/errors.js +19 -0
  175. package/dist/shared/log.js +45 -0
  176. package/{src/test.ts → dist/test.d.ts} +21 -22
  177. package/dist/test.js +51 -0
  178. package/package.json +70 -42
  179. package/dist/authorization/index.d.ts.map +0 -1
  180. package/dist/authorization/index.js.map +0 -1
  181. package/dist/client/core/types.d.ts.map +0 -1
  182. package/dist/client/index.d.ts.map +0 -1
  183. package/dist/client/index.js.map +0 -1
  184. package/dist/component/_generated/api.d.ts +0 -75
  185. package/dist/component/_generated/api.d.ts.map +0 -1
  186. package/dist/component/_generated/api.js.map +0 -1
  187. package/dist/component/_generated/component.d.ts.map +0 -1
  188. package/dist/component/_generated/dataModel.d.ts +0 -42
  189. package/dist/component/_generated/dataModel.d.ts.map +0 -1
  190. package/dist/component/_generated/server.d.ts +0 -117
  191. package/dist/component/_generated/server.d.ts.map +0 -1
  192. package/dist/component/_generated/server.js.map +0 -1
  193. package/dist/component/_virtual/rolldown_runtime.js +0 -18
  194. package/dist/component/client/core/types.d.ts +0 -2
  195. package/dist/component/client/index.d.ts +0 -1
  196. package/dist/component/convex.config.d.ts.map +0 -1
  197. package/dist/component/convex.config.js.map +0 -1
  198. package/dist/component/functions.d.ts +0 -25
  199. package/dist/component/functions.d.ts.map +0 -1
  200. package/dist/component/functions.js.map +0 -1
  201. package/dist/component/index.d.ts.map +0 -1
  202. package/dist/component/model.d.ts.map +0 -1
  203. package/dist/component/model.js.map +0 -1
  204. package/dist/component/providers/anonymous.d.ts +0 -54
  205. package/dist/component/providers/anonymous.d.ts.map +0 -1
  206. package/dist/component/providers/credentials.d.ts +0 -38
  207. package/dist/component/providers/credentials.d.ts.map +0 -1
  208. package/dist/component/providers/device.d.ts +0 -67
  209. package/dist/component/providers/device.d.ts.map +0 -1
  210. package/dist/component/providers/email.d.ts +0 -62
  211. package/dist/component/providers/email.d.ts.map +0 -1
  212. package/dist/component/providers/oauth.d.ts +0 -25
  213. package/dist/component/providers/oauth.d.ts.map +0 -1
  214. package/dist/component/providers/oauth.js +0 -13
  215. package/dist/component/providers/oauth.js.map +0 -1
  216. package/dist/component/providers/passkey.d.ts +0 -57
  217. package/dist/component/providers/passkey.d.ts.map +0 -1
  218. package/dist/component/providers/password.d.ts +0 -88
  219. package/dist/component/providers/password.d.ts.map +0 -1
  220. package/dist/component/providers/phone.d.ts +0 -48
  221. package/dist/component/providers/phone.d.ts.map +0 -1
  222. package/dist/component/providers/sso.d.ts +0 -50
  223. package/dist/component/providers/sso.d.ts.map +0 -1
  224. package/dist/component/providers/totp.d.ts +0 -45
  225. package/dist/component/providers/totp.d.ts.map +0 -1
  226. package/dist/component/public/enterprise/audit.d.ts +0 -73
  227. package/dist/component/public/enterprise/audit.d.ts.map +0 -1
  228. package/dist/component/public/enterprise/audit.js.map +0 -1
  229. package/dist/component/public/enterprise/core.d.ts +0 -176
  230. package/dist/component/public/enterprise/core.d.ts.map +0 -1
  231. package/dist/component/public/enterprise/core.js +0 -292
  232. package/dist/component/public/enterprise/core.js.map +0 -1
  233. package/dist/component/public/enterprise/domains.d.ts +0 -174
  234. package/dist/component/public/enterprise/domains.d.ts.map +0 -1
  235. package/dist/component/public/enterprise/domains.js +0 -271
  236. package/dist/component/public/enterprise/domains.js.map +0 -1
  237. package/dist/component/public/enterprise/scim.d.ts +0 -245
  238. package/dist/component/public/enterprise/scim.d.ts.map +0 -1
  239. package/dist/component/public/enterprise/scim.js.map +0 -1
  240. package/dist/component/public/enterprise/secrets.d.ts +0 -78
  241. package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
  242. package/dist/component/public/enterprise/secrets.js +0 -118
  243. package/dist/component/public/enterprise/secrets.js.map +0 -1
  244. package/dist/component/public/enterprise/webhooks.d.ts +0 -211
  245. package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
  246. package/dist/component/public/enterprise/webhooks.js.map +0 -1
  247. package/dist/component/public/factors/devices.d.ts +0 -157
  248. package/dist/component/public/factors/devices.d.ts.map +0 -1
  249. package/dist/component/public/factors/devices.js.map +0 -1
  250. package/dist/component/public/factors/passkeys.d.ts +0 -175
  251. package/dist/component/public/factors/passkeys.d.ts.map +0 -1
  252. package/dist/component/public/factors/passkeys.js.map +0 -1
  253. package/dist/component/public/factors/totp.d.ts +0 -189
  254. package/dist/component/public/factors/totp.d.ts.map +0 -1
  255. package/dist/component/public/factors/totp.js.map +0 -1
  256. package/dist/component/public/groups/core.d.ts +0 -137
  257. package/dist/component/public/groups/core.d.ts.map +0 -1
  258. package/dist/component/public/groups/core.js.map +0 -1
  259. package/dist/component/public/groups/invites.d.ts +0 -217
  260. package/dist/component/public/groups/invites.d.ts.map +0 -1
  261. package/dist/component/public/groups/invites.js.map +0 -1
  262. package/dist/component/public/groups/members.d.ts +0 -204
  263. package/dist/component/public/groups/members.d.ts.map +0 -1
  264. package/dist/component/public/groups/members.js.map +0 -1
  265. package/dist/component/public/identity/accounts.d.ts +0 -147
  266. package/dist/component/public/identity/accounts.d.ts.map +0 -1
  267. package/dist/component/public/identity/accounts.js.map +0 -1
  268. package/dist/component/public/identity/codes.d.ts +0 -104
  269. package/dist/component/public/identity/codes.d.ts.map +0 -1
  270. package/dist/component/public/identity/codes.js.map +0 -1
  271. package/dist/component/public/identity/sessions.d.ts +0 -128
  272. package/dist/component/public/identity/sessions.d.ts.map +0 -1
  273. package/dist/component/public/identity/sessions.js.map +0 -1
  274. package/dist/component/public/identity/tokens.d.ts +0 -169
  275. package/dist/component/public/identity/tokens.d.ts.map +0 -1
  276. package/dist/component/public/identity/tokens.js.map +0 -1
  277. package/dist/component/public/identity/users.d.ts +0 -212
  278. package/dist/component/public/identity/users.d.ts.map +0 -1
  279. package/dist/component/public/identity/users.js.map +0 -1
  280. package/dist/component/public/identity/verifiers.d.ts +0 -116
  281. package/dist/component/public/identity/verifiers.d.ts.map +0 -1
  282. package/dist/component/public/identity/verifiers.js.map +0 -1
  283. package/dist/component/public/security/keys.d.ts +0 -209
  284. package/dist/component/public/security/keys.d.ts.map +0 -1
  285. package/dist/component/public/security/keys.js.map +0 -1
  286. package/dist/component/public/security/limits.d.ts +0 -114
  287. package/dist/component/public/security/limits.d.ts.map +0 -1
  288. package/dist/component/public/security/limits.js.map +0 -1
  289. package/dist/component/public.d.ts +0 -28
  290. package/dist/component/public.d.ts.map +0 -1
  291. package/dist/component/schema.d.ts.map +0 -1
  292. package/dist/component/schema.js.map +0 -1
  293. package/dist/component/server/auth.d.ts +0 -447
  294. package/dist/component/server/auth.d.ts.map +0 -1
  295. package/dist/component/server/auth.js +0 -254
  296. package/dist/component/server/auth.js.map +0 -1
  297. package/dist/component/server/config.js +0 -121
  298. package/dist/component/server/config.js.map +0 -1
  299. package/dist/component/server/context.js +0 -53
  300. package/dist/component/server/context.js.map +0 -1
  301. package/dist/component/server/cookies.js +0 -47
  302. package/dist/component/server/cookies.js.map +0 -1
  303. package/dist/component/server/core.js +0 -576
  304. package/dist/component/server/core.js.map +0 -1
  305. package/dist/component/server/crypto.js +0 -56
  306. package/dist/component/server/crypto.js.map +0 -1
  307. package/dist/component/server/db.js +0 -87
  308. package/dist/component/server/db.js.map +0 -1
  309. package/dist/component/server/device.js +0 -152
  310. package/dist/component/server/device.js.map +0 -1
  311. package/dist/component/server/enterprise/config.js +0 -46
  312. package/dist/component/server/enterprise/config.js.map +0 -1
  313. package/dist/component/server/enterprise/domain.js +0 -974
  314. package/dist/component/server/enterprise/domain.js.map +0 -1
  315. package/dist/component/server/enterprise/http.js +0 -787
  316. package/dist/component/server/enterprise/http.js.map +0 -1
  317. package/dist/component/server/enterprise/oidc.js +0 -248
  318. package/dist/component/server/enterprise/oidc.js.map +0 -1
  319. package/dist/component/server/enterprise/policy.js +0 -85
  320. package/dist/component/server/enterprise/policy.js.map +0 -1
  321. package/dist/component/server/enterprise/saml.js.map +0 -1
  322. package/dist/component/server/enterprise/scim.js.map +0 -1
  323. package/dist/component/server/enterprise/shared.js +0 -51
  324. package/dist/component/server/enterprise/shared.js.map +0 -1
  325. package/dist/component/server/http.d.ts +0 -85
  326. package/dist/component/server/http.d.ts.map +0 -1
  327. package/dist/component/server/http.js +0 -351
  328. package/dist/component/server/http.js.map +0 -1
  329. package/dist/component/server/identity.js +0 -16
  330. package/dist/component/server/identity.js.map +0 -1
  331. package/dist/component/server/keys.js +0 -96
  332. package/dist/component/server/keys.js.map +0 -1
  333. package/dist/component/server/limits.js +0 -52
  334. package/dist/component/server/limits.js.map +0 -1
  335. package/dist/component/server/mutations/account.js +0 -46
  336. package/dist/component/server/mutations/account.js.map +0 -1
  337. package/dist/component/server/mutations/code.js +0 -68
  338. package/dist/component/server/mutations/code.js.map +0 -1
  339. package/dist/component/server/mutations/invalidate.js +0 -32
  340. package/dist/component/server/mutations/invalidate.js.map +0 -1
  341. package/dist/component/server/mutations/oauth.js +0 -116
  342. package/dist/component/server/mutations/oauth.js.map +0 -1
  343. package/dist/component/server/mutations/refresh.js +0 -119
  344. package/dist/component/server/mutations/refresh.js.map +0 -1
  345. package/dist/component/server/mutations/register.js +0 -87
  346. package/dist/component/server/mutations/register.js.map +0 -1
  347. package/dist/component/server/mutations/retrieve.js +0 -61
  348. package/dist/component/server/mutations/retrieve.js.map +0 -1
  349. package/dist/component/server/mutations/signature.js +0 -38
  350. package/dist/component/server/mutations/signature.js.map +0 -1
  351. package/dist/component/server/mutations/signin.js +0 -27
  352. package/dist/component/server/mutations/signin.js.map +0 -1
  353. package/dist/component/server/mutations/signout.js +0 -27
  354. package/dist/component/server/mutations/signout.js.map +0 -1
  355. package/dist/component/server/mutations/store/refs.js +0 -15
  356. package/dist/component/server/mutations/store/refs.js.map +0 -1
  357. package/dist/component/server/mutations/store.js +0 -70
  358. package/dist/component/server/mutations/store.js.map +0 -1
  359. package/dist/component/server/mutations/verifier.js +0 -18
  360. package/dist/component/server/mutations/verifier.js.map +0 -1
  361. package/dist/component/server/mutations/verify.js +0 -98
  362. package/dist/component/server/mutations/verify.js.map +0 -1
  363. package/dist/component/server/oauth.js +0 -242
  364. package/dist/component/server/oauth.js.map +0 -1
  365. package/dist/component/server/passkey.js +0 -415
  366. package/dist/component/server/passkey.js.map +0 -1
  367. package/dist/component/server/redirects.js +0 -40
  368. package/dist/component/server/redirects.js.map +0 -1
  369. package/dist/component/server/refresh.js +0 -99
  370. package/dist/component/server/refresh.js.map +0 -1
  371. package/dist/component/server/runtime.d.ts +0 -136
  372. package/dist/component/server/runtime.d.ts.map +0 -1
  373. package/dist/component/server/runtime.js +0 -456
  374. package/dist/component/server/runtime.js.map +0 -1
  375. package/dist/component/server/sessions.js +0 -71
  376. package/dist/component/server/sessions.js.map +0 -1
  377. package/dist/component/server/signin.js +0 -225
  378. package/dist/component/server/signin.js.map +0 -1
  379. package/dist/component/server/tokens.js +0 -17
  380. package/dist/component/server/tokens.js.map +0 -1
  381. package/dist/component/server/totp.js +0 -208
  382. package/dist/component/server/totp.js.map +0 -1
  383. package/dist/component/server/types.d.ts +0 -949
  384. package/dist/component/server/types.d.ts.map +0 -1
  385. package/dist/component/server/types.js +0 -79
  386. package/dist/component/server/types.js.map +0 -1
  387. package/dist/component/server/users.js +0 -123
  388. package/dist/component/server/users.js.map +0 -1
  389. package/dist/component/server/utils.js +0 -140
  390. package/dist/component/server/utils.js.map +0 -1
  391. package/dist/core/types.d.ts +0 -361
  392. package/dist/core/types.d.ts.map +0 -1
  393. package/dist/factors/device.js +0 -104
  394. package/dist/factors/device.js.map +0 -1
  395. package/dist/factors/passkey.js.map +0 -1
  396. package/dist/factors/totp.js.map +0 -1
  397. package/dist/providers/anonymous.d.ts.map +0 -1
  398. package/dist/providers/anonymous.js.map +0 -1
  399. package/dist/providers/credentials.d.ts.map +0 -1
  400. package/dist/providers/credentials.js.map +0 -1
  401. package/dist/providers/device.d.ts.map +0 -1
  402. package/dist/providers/device.js.map +0 -1
  403. package/dist/providers/email.d.ts.map +0 -1
  404. package/dist/providers/email.js.map +0 -1
  405. package/dist/providers/oauth.d.ts +0 -69
  406. package/dist/providers/oauth.d.ts.map +0 -1
  407. package/dist/providers/oauth.js +0 -43
  408. package/dist/providers/oauth.js.map +0 -1
  409. package/dist/providers/passkey.d.ts.map +0 -1
  410. package/dist/providers/passkey.js.map +0 -1
  411. package/dist/providers/password.d.ts.map +0 -1
  412. package/dist/providers/password.js.map +0 -1
  413. package/dist/providers/phone.d.ts.map +0 -1
  414. package/dist/providers/phone.js.map +0 -1
  415. package/dist/providers/sso.d.ts.map +0 -1
  416. package/dist/providers/sso.js.map +0 -1
  417. package/dist/providers/totp.d.ts.map +0 -1
  418. package/dist/providers/totp.js.map +0 -1
  419. package/dist/runtime/browser.js +0 -68
  420. package/dist/runtime/browser.js.map +0 -1
  421. package/dist/runtime/invite.js.map +0 -1
  422. package/dist/runtime/proxy.js +0 -70
  423. package/dist/runtime/proxy.js.map +0 -1
  424. package/dist/runtime/storage.js +0 -37
  425. package/dist/runtime/storage.js.map +0 -1
  426. package/dist/server/auth.d.ts.map +0 -1
  427. package/dist/server/auth.js.map +0 -1
  428. package/dist/server/config.d.ts +0 -1
  429. package/dist/server/config.js.map +0 -1
  430. package/dist/server/context.d.ts +0 -1
  431. package/dist/server/context.js.map +0 -1
  432. package/dist/server/cookies.d.ts +0 -1
  433. package/dist/server/cookies.js.map +0 -1
  434. package/dist/server/core.d.ts +0 -1315
  435. package/dist/server/core.d.ts.map +0 -1
  436. package/dist/server/core.js.map +0 -1
  437. package/dist/server/crypto.d.ts +0 -8
  438. package/dist/server/crypto.d.ts.map +0 -1
  439. package/dist/server/crypto.js.map +0 -1
  440. package/dist/server/db.d.ts +0 -1
  441. package/dist/server/db.js.map +0 -1
  442. package/dist/server/device.d.ts +0 -1
  443. package/dist/server/device.js.map +0 -1
  444. package/dist/server/enterprise/config.d.ts +0 -1
  445. package/dist/server/enterprise/config.js.map +0 -1
  446. package/dist/server/enterprise/domain.d.ts +0 -401
  447. package/dist/server/enterprise/domain.d.ts.map +0 -1
  448. package/dist/server/enterprise/domain.js +0 -974
  449. package/dist/server/enterprise/domain.js.map +0 -1
  450. package/dist/server/enterprise/http.d.ts +0 -26
  451. package/dist/server/enterprise/http.d.ts.map +0 -1
  452. package/dist/server/enterprise/http.js +0 -787
  453. package/dist/server/enterprise/http.js.map +0 -1
  454. package/dist/server/enterprise/oidc.d.ts +0 -1
  455. package/dist/server/enterprise/oidc.js +0 -248
  456. package/dist/server/enterprise/oidc.js.map +0 -1
  457. package/dist/server/enterprise/policy.d.ts +0 -1
  458. package/dist/server/enterprise/policy.js +0 -85
  459. package/dist/server/enterprise/policy.js.map +0 -1
  460. package/dist/server/enterprise/saml.d.ts +0 -1
  461. package/dist/server/enterprise/saml.js +0 -338
  462. package/dist/server/enterprise/saml.js.map +0 -1
  463. package/dist/server/enterprise/scim.d.ts +0 -1
  464. package/dist/server/enterprise/scim.js +0 -97
  465. package/dist/server/enterprise/scim.js.map +0 -1
  466. package/dist/server/enterprise/shared.d.ts +0 -5
  467. package/dist/server/enterprise/shared.d.ts.map +0 -1
  468. package/dist/server/enterprise/shared.js +0 -51
  469. package/dist/server/enterprise/shared.js.map +0 -1
  470. package/dist/server/enterprise/validators.d.ts +0 -1
  471. package/dist/server/enterprise/validators.js +0 -60
  472. package/dist/server/enterprise/validators.js.map +0 -1
  473. package/dist/server/http.d.ts.map +0 -1
  474. package/dist/server/http.js.map +0 -1
  475. package/dist/server/identity.d.ts +0 -1
  476. package/dist/server/identity.js.map +0 -1
  477. package/dist/server/keys.d.ts +0 -1
  478. package/dist/server/keys.js.map +0 -1
  479. package/dist/server/limits.d.ts +0 -1
  480. package/dist/server/limits.js.map +0 -1
  481. package/dist/server/mounts.d.ts.map +0 -1
  482. package/dist/server/mounts.js.map +0 -1
  483. package/dist/server/mutations/account.d.ts +0 -29
  484. package/dist/server/mutations/account.d.ts.map +0 -1
  485. package/dist/server/mutations/account.js.map +0 -1
  486. package/dist/server/mutations/code.d.ts +0 -30
  487. package/dist/server/mutations/code.d.ts.map +0 -1
  488. package/dist/server/mutations/code.js.map +0 -1
  489. package/dist/server/mutations/index.d.ts +0 -14
  490. package/dist/server/mutations/invalidate.d.ts +0 -20
  491. package/dist/server/mutations/invalidate.d.ts.map +0 -1
  492. package/dist/server/mutations/invalidate.js.map +0 -1
  493. package/dist/server/mutations/oauth.d.ts +0 -30
  494. package/dist/server/mutations/oauth.d.ts.map +0 -1
  495. package/dist/server/mutations/oauth.js.map +0 -1
  496. package/dist/server/mutations/refresh.d.ts +0 -21
  497. package/dist/server/mutations/refresh.d.ts.map +0 -1
  498. package/dist/server/mutations/refresh.js.map +0 -1
  499. package/dist/server/mutations/register.d.ts +0 -38
  500. package/dist/server/mutations/register.d.ts.map +0 -1
  501. package/dist/server/mutations/register.js.map +0 -1
  502. package/dist/server/mutations/retrieve.d.ts +0 -33
  503. package/dist/server/mutations/retrieve.d.ts.map +0 -1
  504. package/dist/server/mutations/retrieve.js.map +0 -1
  505. package/dist/server/mutations/signature.d.ts +0 -21
  506. package/dist/server/mutations/signature.d.ts.map +0 -1
  507. package/dist/server/mutations/signature.js.map +0 -1
  508. package/dist/server/mutations/signin.d.ts +0 -22
  509. package/dist/server/mutations/signin.d.ts.map +0 -1
  510. package/dist/server/mutations/signin.js.map +0 -1
  511. package/dist/server/mutations/signout.d.ts +0 -16
  512. package/dist/server/mutations/signout.d.ts.map +0 -1
  513. package/dist/server/mutations/signout.js.map +0 -1
  514. package/dist/server/mutations/store/refs.d.ts +0 -12
  515. package/dist/server/mutations/store/refs.d.ts.map +0 -1
  516. package/dist/server/mutations/store/refs.js.map +0 -1
  517. package/dist/server/mutations/store.d.ts +0 -306
  518. package/dist/server/mutations/store.d.ts.map +0 -1
  519. package/dist/server/mutations/store.js.map +0 -1
  520. package/dist/server/mutations/verifier.d.ts +0 -13
  521. package/dist/server/mutations/verifier.d.ts.map +0 -1
  522. package/dist/server/mutations/verifier.js.map +0 -1
  523. package/dist/server/mutations/verify.d.ts +0 -26
  524. package/dist/server/mutations/verify.d.ts.map +0 -1
  525. package/dist/server/mutations/verify.js.map +0 -1
  526. package/dist/server/oauth.d.ts +0 -1
  527. package/dist/server/oauth.js +0 -242
  528. package/dist/server/oauth.js.map +0 -1
  529. package/dist/server/passkey.d.ts +0 -27
  530. package/dist/server/passkey.d.ts.map +0 -1
  531. package/dist/server/passkey.js.map +0 -1
  532. package/dist/server/redirects.d.ts +0 -1
  533. package/dist/server/redirects.js.map +0 -1
  534. package/dist/server/refresh.d.ts +0 -1
  535. package/dist/server/refresh.js.map +0 -1
  536. package/dist/server/runtime.d.ts.map +0 -1
  537. package/dist/server/runtime.js.map +0 -1
  538. package/dist/server/sessions.d.ts +0 -1
  539. package/dist/server/sessions.js.map +0 -1
  540. package/dist/server/signin.d.ts +0 -1
  541. package/dist/server/signin.js.map +0 -1
  542. package/dist/server/ssr.d.ts.map +0 -1
  543. package/dist/server/ssr.js +0 -777
  544. package/dist/server/ssr.js.map +0 -1
  545. package/dist/server/templates.d.ts +0 -1
  546. package/dist/server/templates.js.map +0 -1
  547. package/dist/server/tokens.d.ts +0 -1
  548. package/dist/server/tokens.js.map +0 -1
  549. package/dist/server/totp.d.ts +0 -1
  550. package/dist/server/totp.js.map +0 -1
  551. package/dist/server/types.d.ts.map +0 -1
  552. package/dist/server/types.js.map +0 -1
  553. package/dist/server/users.d.ts +0 -1
  554. package/dist/server/users.js.map +0 -1
  555. package/dist/server/utils.d.ts +0 -1
  556. package/dist/server/utils.js +0 -140
  557. package/dist/server/utils.js.map +0 -1
  558. package/src/authorization/index.ts +0 -83
  559. package/src/cli/bin.ts +0 -5
  560. package/src/cli/command.ts +0 -70
  561. package/src/cli/index.ts +0 -1112
  562. package/src/cli/keys.ts +0 -23
  563. package/src/client/core/types.ts +0 -437
  564. package/src/client/factors/device.ts +0 -158
  565. package/src/client/factors/passkey.ts +0 -279
  566. package/src/client/factors/totp.ts +0 -150
  567. package/src/client/index.ts +0 -1124
  568. package/src/client/runtime/browser.ts +0 -112
  569. package/src/client/runtime/invite.ts +0 -63
  570. package/src/client/runtime/proxy.ts +0 -111
  571. package/src/client/runtime/storage.ts +0 -79
  572. package/src/component/_generated/api.ts +0 -96
  573. package/src/component/_generated/component.ts +0 -3774
  574. package/src/component/_generated/dataModel.ts +0 -60
  575. package/src/component/_generated/server.ts +0 -156
  576. package/src/component/convex.config.ts +0 -5
  577. package/src/component/functions.ts +0 -104
  578. package/src/component/index.ts +0 -42
  579. package/src/component/model.ts +0 -449
  580. package/src/component/public/enterprise/audit.ts +0 -125
  581. package/src/component/public/enterprise/core.ts +0 -355
  582. package/src/component/public/enterprise/domains.ts +0 -327
  583. package/src/component/public/enterprise/scim.ts +0 -397
  584. package/src/component/public/enterprise/secrets.ts +0 -133
  585. package/src/component/public/enterprise/webhooks.ts +0 -307
  586. package/src/component/public/factors/devices.ts +0 -224
  587. package/src/component/public/factors/passkeys.ts +0 -243
  588. package/src/component/public/factors/totp.ts +0 -259
  589. package/src/component/public/groups/core.ts +0 -481
  590. package/src/component/public/groups/invites.ts +0 -608
  591. package/src/component/public/groups/members.ts +0 -410
  592. package/src/component/public/identity/accounts.ts +0 -207
  593. package/src/component/public/identity/codes.ts +0 -149
  594. package/src/component/public/identity/sessions.ts +0 -210
  595. package/src/component/public/identity/tokens.ts +0 -251
  596. package/src/component/public/identity/users.ts +0 -355
  597. package/src/component/public/identity/verifiers.ts +0 -158
  598. package/src/component/public/security/keys.ts +0 -366
  599. package/src/component/public/security/limits.ts +0 -174
  600. package/src/component/public.ts +0 -27
  601. package/src/component/schema.ts +0 -505
  602. package/src/providers/anonymous.ts +0 -99
  603. package/src/providers/credentials.ts +0 -102
  604. package/src/providers/device.ts +0 -87
  605. package/src/providers/email.ts +0 -99
  606. package/src/providers/index.ts +0 -31
  607. package/src/providers/oauth.ts +0 -117
  608. package/src/providers/passkey.ts +0 -77
  609. package/src/providers/password.ts +0 -441
  610. package/src/providers/phone.ts +0 -93
  611. package/src/providers/sso.ts +0 -54
  612. package/src/providers/totp.ts +0 -62
  613. package/src/samlify.d.ts +0 -53
  614. package/src/server/auth.ts +0 -949
  615. package/src/server/config.ts +0 -200
  616. package/src/server/context.ts +0 -90
  617. package/src/server/cookies.ts +0 -49
  618. package/src/server/core.ts +0 -2004
  619. package/src/server/crypto.ts +0 -90
  620. package/src/server/db.ts +0 -203
  621. package/src/server/device.ts +0 -254
  622. package/src/server/enterprise/config.ts +0 -51
  623. package/src/server/enterprise/domain.ts +0 -1739
  624. package/src/server/enterprise/http.ts +0 -1331
  625. package/src/server/enterprise/oidc.ts +0 -500
  626. package/src/server/enterprise/policy.ts +0 -128
  627. package/src/server/enterprise/saml.ts +0 -578
  628. package/src/server/enterprise/scim.ts +0 -135
  629. package/src/server/enterprise/shared.ts +0 -134
  630. package/src/server/enterprise/validators.ts +0 -93
  631. package/src/server/http.ts +0 -790
  632. package/src/server/identity.ts +0 -18
  633. package/src/server/index.ts +0 -40
  634. package/src/server/keys.ts +0 -158
  635. package/src/server/limits.ts +0 -107
  636. package/src/server/mounts.ts +0 -924
  637. package/src/server/mutations/account.ts +0 -62
  638. package/src/server/mutations/code.ts +0 -119
  639. package/src/server/mutations/index.ts +0 -13
  640. package/src/server/mutations/invalidate.ts +0 -50
  641. package/src/server/mutations/oauth.ts +0 -243
  642. package/src/server/mutations/refresh.ts +0 -299
  643. package/src/server/mutations/register.ts +0 -155
  644. package/src/server/mutations/retrieve.ts +0 -109
  645. package/src/server/mutations/signature.ts +0 -57
  646. package/src/server/mutations/signin.ts +0 -54
  647. package/src/server/mutations/signout.ts +0 -43
  648. package/src/server/mutations/store/refs.ts +0 -10
  649. package/src/server/mutations/store.ts +0 -123
  650. package/src/server/mutations/verifier.ts +0 -34
  651. package/src/server/mutations/verify.ts +0 -200
  652. package/src/server/oauth.ts +0 -418
  653. package/src/server/passkey.ts +0 -838
  654. package/src/server/redirects.ts +0 -59
  655. package/src/server/refresh.ts +0 -218
  656. package/src/server/runtime.ts +0 -918
  657. package/src/server/sessions.ts +0 -132
  658. package/src/server/signin.ts +0 -445
  659. package/src/server/ssr.ts +0 -1747
  660. package/src/server/templates.ts +0 -82
  661. package/src/server/tokens.ts +0 -35
  662. package/src/server/totp.ts +0 -399
  663. package/src/server/types.ts +0 -1942
  664. package/src/server/users.ts +0 -291
  665. package/src/server/utils.ts +0 -220
  666. /package/dist/{runtime → client/runtime}/invite.js +0 -0
@@ -0,0 +1,179 @@
1
+ import { getGroupConnection, getScimConfigByConnection, getScimConfigByTokenHash, getScimIdentity, upsertScimConfig, upsertScimIdentity } from "../contract.js";
2
+ import { ConvexError } from "convex/values";
3
+
4
+ //#region src/server/sso/provision.ts
5
+ function getScimConfigShape(scimConfig) {
6
+ return typeof scimConfig?.extend === "object" && scimConfig.extend !== null ? scimConfig.extend : {};
7
+ }
8
+ const convexError = (data) => new ConvexError(data);
9
+ function createGroupScimDomain(deps) {
10
+ const { config, requireEnv, generateRandomString, INVITE_TOKEN_ALPHABET, sha256, loadGroupPolicyOrThrow, recordGroupAuditEvent, emitGroupWebhookDeliveries } = deps;
11
+ const getScimBasePath = (connectionId) => `${requireEnv("CONVEX_SITE_URL")}/api/auth/connections/${connectionId}/scim/v2`;
12
+ const validateScim = async (ctx, connectionId) => {
13
+ const checks = [];
14
+ const connection = await getGroupConnection(ctx, config.component.public, connectionId);
15
+ if (!connection) return {
16
+ ok: false,
17
+ connectionId,
18
+ checks: [{
19
+ name: "group_connection_exists",
20
+ ok: false,
21
+ message: "Connection not found."
22
+ }]
23
+ };
24
+ const policy = await loadGroupPolicyOrThrow(ctx, connection.groupId);
25
+ const scimConfig = await getScimConfigByConnection(ctx, config.component.public, connectionId);
26
+ const hasConfig = scimConfig !== null && scimConfig !== void 0;
27
+ checks.push({
28
+ name: "scim_config_exists",
29
+ ok: hasConfig,
30
+ message: hasConfig ? void 0 : "SCIM has not been configured."
31
+ });
32
+ const isActive = scimConfig?.status === "active";
33
+ checks.push({
34
+ name: "scim_config_active",
35
+ ok: isActive,
36
+ message: isActive ? void 0 : `SCIM config status is ${hasConfig ? scimConfig?.status : "unknown"}.`
37
+ });
38
+ const hasToken = typeof scimConfig?.tokenHash === "string" && scimConfig.tokenHash.length > 0;
39
+ checks.push({
40
+ name: "token_hash_set",
41
+ ok: hasToken,
42
+ message: hasToken ? void 0 : "SCIM bearer token has not been set."
43
+ });
44
+ const hasBasePath = typeof scimConfig?.basePath === "string" && scimConfig.basePath === getScimBasePath(connection._id);
45
+ checks.push({
46
+ name: "base_path_matches_route",
47
+ ok: hasBasePath,
48
+ message: hasBasePath ? void 0 : "SCIM basePath does not match the derived route."
49
+ });
50
+ const supportsIdempotentExternalId = policy.provisioning.scimReuse.user === "externalId";
51
+ checks.push({
52
+ name: "user_external_id_reuse_enabled",
53
+ ok: supportsIdempotentExternalId,
54
+ message: supportsIdempotentExternalId ? void 0 : "SCIM user retry-safe provisioning works best with scimReuse.user = externalId."
55
+ });
56
+ checks.push({
57
+ name: "filter_subset_supported",
58
+ ok: true,
59
+ message: "Supported filters: eq, co, sw, ew, pr on common user/group fields."
60
+ });
61
+ checks.push({
62
+ name: "protocol_capabilities_declared",
63
+ ok: true
64
+ });
65
+ return {
66
+ ok: checks.every((c) => c.ok),
67
+ connectionId: connection._id,
68
+ basePath: getScimBasePath(connection._id),
69
+ deprovisionMode: policy.provisioning.deprovision.mode,
70
+ capabilities: {
71
+ users: true,
72
+ groups: true,
73
+ patch: true,
74
+ put: true,
75
+ filters: [
76
+ "eq",
77
+ "co",
78
+ "sw",
79
+ "ew",
80
+ "pr"
81
+ ],
82
+ bulk: false,
83
+ etag: false
84
+ },
85
+ checks
86
+ };
87
+ };
88
+ return {
89
+ configure: async (ctx, data) => {
90
+ const connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
91
+ if (connection === null) throw convexError({
92
+ code: "INVALID_PARAMETERS",
93
+ message: "Connection not found."
94
+ });
95
+ const rawToken = generateRandomString(48, INVITE_TOKEN_ALPHABET);
96
+ const tokenHash = await sha256(rawToken);
97
+ const basePath = getScimBasePath(connection._id);
98
+ const configId = await upsertScimConfig(ctx, config.component.public, {
99
+ connectionId: connection._id,
100
+ groupId: connection.groupId,
101
+ status: data.status ?? "active",
102
+ basePath,
103
+ tokenHash,
104
+ lastRotatedAt: Date.now(),
105
+ extend: {
106
+ security: data.security,
107
+ profile: data.profile
108
+ }
109
+ });
110
+ const auditEventId = await recordGroupAuditEvent(ctx, {
111
+ connectionId: connection._id,
112
+ groupId: connection.groupId,
113
+ eventType: "group.sso.scim.configured",
114
+ actorType: "system",
115
+ subjectType: "group_connection_scim",
116
+ subjectId: configId,
117
+ ok: true
118
+ });
119
+ await emitGroupWebhookDeliveries(ctx, {
120
+ connectionId: connection._id,
121
+ eventType: "group.sso.scim.configured",
122
+ auditEventId,
123
+ payload: {
124
+ connectionId: connection._id,
125
+ scimConfigId: configId
126
+ }
127
+ });
128
+ return {
129
+ connectionId: connection._id,
130
+ configId,
131
+ basePath,
132
+ token: rawToken
133
+ };
134
+ },
135
+ get: async (ctx, connectionId) => {
136
+ const scimConfig = await getScimConfigByConnection(ctx, config.component.public, connectionId);
137
+ if (!scimConfig) return null;
138
+ const shape = getScimConfigShape(scimConfig);
139
+ return {
140
+ ...scimConfig,
141
+ security: shape.security,
142
+ profile: shape.profile
143
+ };
144
+ },
145
+ status: async (ctx, connectionId) => {
146
+ const currentConfig = await getScimConfigByConnection(ctx, config.component.public, connectionId);
147
+ const result = await validateScim(ctx, connectionId);
148
+ return {
149
+ connectionId,
150
+ configured: currentConfig?.status !== void 0,
151
+ ready: result.ok,
152
+ config: currentConfig,
153
+ checks: result.checks,
154
+ capabilities: "capabilities" in result ? result.capabilities : void 0
155
+ };
156
+ },
157
+ getConfigByToken: async (ctx, token) => {
158
+ return await getScimConfigByTokenHash(ctx, config.component.public, await sha256(token));
159
+ },
160
+ validate: async (ctx, connectionId) => {
161
+ return await validateScim(ctx, connectionId);
162
+ },
163
+ identity: {
164
+ get: async (ctx, data) => {
165
+ return await getScimIdentity(ctx, config.component.public, data);
166
+ },
167
+ upsert: async (ctx, data) => {
168
+ return await upsertScimIdentity(ctx, config.component.public, {
169
+ ...data,
170
+ lastProvisionedAt: Date.now()
171
+ });
172
+ }
173
+ }
174
+ };
175
+ }
176
+
177
+ //#endregion
178
+ export { createGroupScimDomain };
179
+ //# sourceMappingURL=provision.js.map
@@ -1,9 +1,11 @@
1
- import { asRecord, getEnterpriseSamlUrls } from "./shared.js";
1
+ import { log } from "../log.js";
2
+ import { finalizeNormalizedProfile, normalizeStringArray } from "./profile.js";
3
+ import { asRecord, getGroupSamlUrls } from "./shared.js";
2
4
  import { getSamlConfig } from "./config.js";
3
5
  import { decodeBase64urlIgnorePadding, encodeBase64urlNoPadding } from "@oslojs/encoding";
4
6
  import { Constants, IdentityProvider, ServiceProvider, setSchemaValidator } from "@robelest/samlify";
5
7
 
6
- //#region src/server/enterprise/saml.ts
8
+ //#region src/server/sso/saml.ts
7
9
  const _samlifyPermissiveValidator = { validate: (_xml) => Promise.resolve("OK") };
8
10
  function ensureSamlifyValidator() {
9
11
  setSchemaValidator(_samlifyPermissiveValidator);
@@ -26,7 +28,7 @@ function decodeRelayState(value) {
26
28
  }
27
29
  }
28
30
  /** @internal */
29
- function encodeEnterpriseSamlRelayState(value) {
31
+ function encodeGroupSamlRelayState(value) {
30
32
  return encodeBase64urlNoPadding(new TextEncoder().encode(JSON.stringify({
31
33
  source: `${value.source.kind}:${value.source.id}`,
32
34
  signature: value.signature,
@@ -36,13 +38,13 @@ function encodeEnterpriseSamlRelayState(value) {
36
38
  })));
37
39
  }
38
40
  /** @internal */
39
- function decodeEnterpriseSamlRelayStateOrThrow(value) {
41
+ function decodeGroupSamlRelayStateOrThrow(value) {
40
42
  if (!value) throw new Error("Missing SAML RelayState.");
41
43
  const decoded = decodeRelayState(value);
42
44
  if (typeof decoded.source !== "string" || typeof decoded.signature !== "string" || typeof decoded.requestId !== "string" || typeof decoded.state !== "string") throw new Error("Invalid SAML RelayState.");
43
45
  const [kind, ...rest] = decoded.source.split(":");
44
46
  const id = rest.join(":");
45
- if (kind !== "enterprise" || id.length === 0) throw new Error("Invalid enterprise SAML source.");
47
+ if (kind !== "connection" || id.length === 0) throw new Error("Invalid group connection SAML source.");
46
48
  return {
47
49
  source: {
48
50
  kind,
@@ -68,7 +70,7 @@ async function readRequestBody(request) {
68
70
  return {};
69
71
  }
70
72
  /** @internal */
71
- async function readEnterpriseSamlHttpRequest(request) {
73
+ async function readGroupConnectionSamlHttpRequest(request) {
72
74
  const url = new URL(request.url);
73
75
  const body = await readRequestBody(request);
74
76
  return {
@@ -81,32 +83,76 @@ async function readEnterpriseSamlHttpRequest(request) {
81
83
  hasSamlResponse: Boolean(body.SAMLResponse ?? url.searchParams.get("SAMLResponse"))
82
84
  };
83
85
  }
86
+ function getSamlSecurityConfig(config) {
87
+ return asRecord(getSamlConfig(config).security) ?? {};
88
+ }
84
89
  /** @internal */
85
90
  function parseSamlIdpMetadata(metadata) {
86
- const entityMeta = IdentityProvider({ metadata }).entityMeta;
87
- const normalizeService = (value) => {
88
- return typeof value === "string" && value.length > 0 ? value : void 0;
91
+ const source = typeof metadata === "string" ? metadata : String(metadata);
92
+ const entityId = source.match(/<[^>]*EntityDescriptor\b[^>]*\bentityID="([^"]+)"/i)?.[1] ?? null;
93
+ if (!entityId) throw new Error("SAML metadata is missing EntityDescriptor@entityID.");
94
+ const parseAttributes = (source$1) => {
95
+ const attributes = {};
96
+ for (const match of source$1.matchAll(/([A-Za-z_:][\w:.-]*)="([^"]*)"/g)) attributes[match[1]] = match[2];
97
+ return attributes;
98
+ };
99
+ const readServiceBindings = (tagName) => {
100
+ const bindings = {};
101
+ const pattern = new RegExp(`<(?:[A-Za-z0-9_.-]+:)?${tagName}\\b([^>]*)\\/?>(?:<\\/(?:[A-Za-z0-9_.-]+:)?${tagName}>)?`, "gi");
102
+ for (const match of source.matchAll(pattern)) {
103
+ const attrs = parseAttributes(match[1] ?? "");
104
+ const binding = attrs.Binding ?? attrs.binding;
105
+ const location = attrs.Location ?? attrs.location;
106
+ if (!binding || !location) continue;
107
+ if (binding.includes("HTTP-Redirect")) bindings.redirect = location;
108
+ if (binding.includes("HTTP-POST")) bindings.post = location;
109
+ }
110
+ return bindings;
111
+ };
112
+ const readCertificates = (use) => {
113
+ const certs = [];
114
+ const blockPattern = new RegExp(`<(?:[A-Za-z0-9_.-]+:)?KeyDescriptor\\b([^>]*)>([\\s\\S]*?)<\\/(?:[A-Za-z0-9_.-]+:)?KeyDescriptor>`, "gi");
115
+ for (const match of source.matchAll(blockPattern)) {
116
+ const attrs = parseAttributes(match[1] ?? "");
117
+ if ((attrs.use ?? attrs.Use ?? "signing").toLowerCase() !== use) continue;
118
+ for (const certMatch of (match[2] ?? "").matchAll(/<(?:[A-Za-z0-9_.-]+:)?X509Certificate>([\s\S]*?)<\/(?:[A-Za-z0-9_.-]+:)?X509Certificate>/gi)) {
119
+ const certificate = certMatch[1]?.replace(/\s+/g, "").trim();
120
+ if (certificate) certs.push(certificate);
121
+ }
122
+ }
123
+ if (certs.length === 0) return null;
124
+ return certs.length === 1 ? certs[0] : certs;
89
125
  };
126
+ const nameIdFormats = [...source.matchAll(/<(?:[A-Za-z0-9_.-]+:)?NameIDFormat>([\s\S]*?)<\/(?:[A-Za-z0-9_.-]+:)?NameIDFormat>/gi)].map((match) => match[1]?.trim()).filter((value) => Boolean(value));
90
127
  return {
91
- issuer: entityMeta.getEntityID(),
92
- sso: {
93
- redirect: normalizeService(entityMeta.getSingleSignOnService("redirect")),
94
- post: normalizeService(entityMeta.getSingleSignOnService("post"))
95
- },
96
- slo: {
97
- redirect: normalizeService(entityMeta.getSingleLogoutService("redirect")),
98
- post: normalizeService(entityMeta.getSingleLogoutService("post"))
99
- },
100
- signingCert: entityMeta.getX509Certificate("signing"),
101
- encryptionCert: entityMeta.getX509Certificate("encrypt"),
102
- nameIdFormats: (() => {
103
- const nameIdFormat = entityMeta.getNameIDFormat();
104
- return Array.isArray(nameIdFormat) ? nameIdFormat : [];
105
- })(),
106
- wantsSignedAuthnRequests: entityMeta.isWantAuthnRequestsSigned()
128
+ entityId,
129
+ issuer: entityId,
130
+ sso: readServiceBindings("SingleSignOnService"),
131
+ slo: readServiceBindings("SingleLogoutService"),
132
+ signingCert: readCertificates("signing"),
133
+ encryptionCert: readCertificates("encryption"),
134
+ nameIdFormats,
135
+ wantsSignedAuthnRequests: /WantAuthnRequestsSigned="true"/i.test(source)
107
136
  };
108
137
  }
109
138
  /** @internal */
139
+ function enforceSamlMetadataSize(opts) {
140
+ const maxMetadataSize = getSamlSecurityConfig(opts.config).maxMetadataSize;
141
+ if (typeof maxMetadataSize === "number" && maxMetadataSize > 0 && opts.metadataXml.length > maxMetadataSize) throw new Error("SAML metadata exceeds the configured size limit.");
142
+ }
143
+ /** @internal */
144
+ function parseSamlIdpMetadataChecked(opts) {
145
+ enforceSamlMetadataSize(opts);
146
+ return parseSamlIdpMetadata(opts.metadataXml);
147
+ }
148
+ /** @internal */
149
+ function enforceSamlResponseSize(opts) {
150
+ const maxResponseSize = getSamlSecurityConfig(opts.config).maxResponseSize;
151
+ if (typeof maxResponseSize !== "number" || maxResponseSize <= 0) return;
152
+ const encoded = opts.request.body.SAMLResponse ?? opts.request.query.SAMLResponse;
153
+ if (typeof encoded === "string" && encoded.length > maxResponseSize) throw new Error("SAML response exceeds the configured size limit.");
154
+ }
155
+ /** @internal */
110
156
  function createServiceProviderMetadata(opts) {
111
157
  const binding = Constants.namespace.binding;
112
158
  return ServiceProvider({
@@ -132,7 +178,7 @@ function createServiceProviderMetadata(opts) {
132
178
  }).getMetadata();
133
179
  }
134
180
  /** @internal */
135
- function createEnterpriseSamlMetadataXml(opts) {
181
+ function createGroupConnectionSamlMetadataXml(opts) {
136
182
  return createServiceProviderMetadata(getSamlServiceProviderOptions({
137
183
  rootUrl: opts.rootUrl,
138
184
  source: opts.source,
@@ -142,8 +188,8 @@ function createEnterpriseSamlMetadataXml(opts) {
142
188
  /** @internal */
143
189
  function getSamlServiceProviderOptions(opts) {
144
190
  const saml = getSamlConfig(opts.config);
145
- const sp = asRecord(saml.sp) ?? {};
146
- const urls = getEnterpriseSamlUrls({
191
+ const sp = asRecord(saml.serviceProvider) ?? {};
192
+ const urls = getGroupSamlUrls({
147
193
  rootUrl: opts.rootUrl,
148
194
  source: opts.source
149
195
  });
@@ -152,7 +198,7 @@ function getSamlServiceProviderOptions(opts) {
152
198
  acsUrl: opts.overrides?.acsUrl ?? sp.acsUrl ?? urls.acsUrl,
153
199
  sloUrl: opts.overrides?.sloUrl ?? sp.sloUrl ?? urls.sloUrl,
154
200
  relayState: opts.relayState,
155
- authnRequestsSigned: saml.signAuthnRequests,
201
+ authnRequestsSigned: saml.request?.signAuthnRequests,
156
202
  signingCert: sp.signingCert,
157
203
  encryptCert: sp.encryptCert,
158
204
  privateKey: sp.privateKey,
@@ -188,7 +234,7 @@ function createSamlServiceProvider(opts) {
188
234
  });
189
235
  }
190
236
  /** @internal */
191
- function createEnterpriseSamlRuntime(opts) {
237
+ function createGroupConnectionSamlRuntime(opts) {
192
238
  const saml = getSamlConfig(opts.config);
193
239
  const spOptions = getSamlServiceProviderOptions({
194
240
  rootUrl: opts.rootUrl,
@@ -202,22 +248,51 @@ function createEnterpriseSamlRuntime(opts) {
202
248
  saml,
203
249
  sp: createSamlServiceProvider(spOptions),
204
250
  idp: IdentityProvider({ metadata: saml.idp.metadataXml }),
205
- urls: getEnterpriseSamlUrls({
251
+ urls: getGroupSamlUrls({
206
252
  rootUrl: opts.rootUrl,
207
253
  source: opts.source
208
254
  })
209
255
  };
210
256
  }
257
+ function verifySamlTimeWindow(notBefore, notOnOrAfter, clockSkewSeconds) {
258
+ const now = Date.now();
259
+ const drift = clockSkewSeconds * 1e3;
260
+ if (notBefore) {
261
+ const notBeforeTime = new Date(notBefore).getTime();
262
+ if (Number.isFinite(notBeforeTime) && now < notBeforeTime - drift) throw new Error("SAML assertion is not yet valid.");
263
+ }
264
+ if (notOnOrAfter) {
265
+ const notOnOrAfterTime = new Date(notOnOrAfter).getTime();
266
+ if (Number.isFinite(notOnOrAfterTime) && now >= notOnOrAfterTime + drift) throw new Error("SAML assertion has expired.");
267
+ }
268
+ }
269
+ /** @internal */
270
+ function enforceGroupConnectionSamlSecurity(opts) {
271
+ enforceSamlAlgorithmPolicy(opts);
272
+ const security = asRecord(getSamlConfig(opts.config).security) ?? {};
273
+ const conditions = opts.extract?.conditions;
274
+ if (security.requireSignedAssertions === true && typeof opts.extract?.signature?.signatureAlgorithm !== "string") throw new Error("SAML assertion must be signed.");
275
+ if (security.requireTimestamps === true) {
276
+ if (!conditions?.notBefore && !conditions?.notOnOrAfter) throw new Error("SAML assertion missing required timestamp conditions.");
277
+ }
278
+ if (conditions?.notBefore || conditions?.notOnOrAfter) verifySamlTimeWindow(conditions.notBefore, conditions.notOnOrAfter, security.clockSkewSeconds ?? 300);
279
+ }
280
+ function toSamlHttpRequest(request) {
281
+ return {
282
+ query: request.query,
283
+ body: request.body
284
+ };
285
+ }
211
286
  /** @internal */
212
- function createEnterpriseSamlSignInRequest(opts) {
213
- const runtime = createEnterpriseSamlRuntime({
287
+ function createGroupConnectionSamlSignInRequest(opts) {
288
+ const runtime = createGroupConnectionSamlRuntime({
214
289
  rootUrl: opts.rootUrl,
215
290
  source: opts.source,
216
291
  config: opts.config
217
292
  });
218
- const binding = runtime.saml.idp.sso?.redirect ? "redirect" : "post";
293
+ const binding = runtime.saml.idp?.sso?.redirect ? "redirect" : "post";
219
294
  const loginRequest = runtime.sp.createLoginRequest(runtime.idp, binding);
220
- const relayState = encodeEnterpriseSamlRelayState({
295
+ const relayState = encodeGroupSamlRelayState({
221
296
  source: opts.source,
222
297
  signature: opts.signature,
223
298
  requestId: loginRequest.id,
@@ -240,24 +315,25 @@ function createEnterpriseSamlSignInRequest(opts) {
240
315
  };
241
316
  }
242
317
  /** @internal */
243
- async function parseEnterpriseSamlLoginResponse(opts) {
318
+ async function parseGroupConnectionSamlLoginResponse(opts) {
244
319
  ensureSamlifyValidator();
245
- const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);
246
- const runtime = createEnterpriseSamlRuntime({
320
+ const httpRequest = await readGroupConnectionSamlHttpRequest(opts.request);
321
+ enforceSamlResponseSize({
322
+ request: httpRequest,
323
+ config: opts.config
324
+ });
325
+ const runtime = createGroupConnectionSamlRuntime({
247
326
  rootUrl: opts.rootUrl,
248
327
  source: opts.source,
249
328
  config: opts.config
250
329
  });
251
- const parsed = await runtime.sp.parseLoginResponse(runtime.idp, httpRequest.binding, {
252
- query: httpRequest.query,
253
- body: httpRequest.body
254
- });
330
+ const parsed = await runtime.sp.parseLoginResponse(runtime.idp, httpRequest.binding, toSamlHttpRequest(httpRequest));
255
331
  warnWeakSamlAlgorithms(parsed);
256
332
  return {
257
333
  ...httpRequest,
258
334
  runtime,
259
335
  parsed,
260
- relayState: decodeEnterpriseSamlRelayStateOrThrow(httpRequest.relayState ?? null)
336
+ relayState: decodeGroupSamlRelayStateOrThrow(httpRequest.relayState ?? null)
261
337
  };
262
338
  }
263
339
  const WEAK_SAML_ALGORITHMS = new Set([
@@ -275,28 +351,32 @@ function warnWeakSamlAlgorithms(parsed) {
275
351
  try {
276
352
  const sigAlg = parsed?.extract?.signature?.signatureAlgorithm ?? parsed?.extract?.response?.signatureAlgorithm;
277
353
  const digestAlg = parsed?.extract?.signature?.digestAlgorithm;
278
- if (sigAlg && WEAK_SAML_ALGORITHMS.has(sigAlg)) console.warn(`[convex-auth] SAML response uses weak signature algorithm: ${sigAlg}. Consider upgrading your IdP to use RSA-SHA256 or stronger.`);
279
- if (digestAlg && WEAK_SAML_ALGORITHMS.has(digestAlg)) console.warn(`[convex-auth] SAML response uses weak digest algorithm: ${digestAlg}. Consider upgrading your IdP to use SHA-256 or stronger.`);
354
+ if (sigAlg && WEAK_SAML_ALGORITHMS.has(sigAlg)) log("WARN", `[convex-auth] SAML response uses weak signature algorithm: ${sigAlg}. Consider upgrading your IdP to use RSA-SHA256 or stronger.`);
355
+ if (digestAlg && WEAK_SAML_ALGORITHMS.has(digestAlg)) log("WARN", `[convex-auth] SAML response uses weak digest algorithm: ${digestAlg}. Consider upgrading your IdP to use SHA-256 or stronger.`);
280
356
  } catch {}
281
357
  }
282
358
  /** @internal */
283
- function validateEnterpriseSamlLoginRelayState(opts) {
359
+ function enforceSamlAlgorithmPolicy(opts) {
360
+ if (getSamlSecurityConfig(opts.config).weakAlgorithmHandling !== "reject") return;
361
+ const sigAlg = opts.extract?.signature?.signatureAlgorithm ?? opts.extract?.response?.signatureAlgorithm;
362
+ const digestAlg = opts.extract?.signature?.digestAlgorithm;
363
+ if (sigAlg && WEAK_SAML_ALGORITHMS.has(sigAlg) || digestAlg && WEAK_SAML_ALGORITHMS.has(digestAlg)) throw new Error("SAML response uses a rejected weak cryptographic algorithm.");
364
+ }
365
+ /** @internal */
366
+ function validateGroupConnectionSamlLoginRelayState(opts) {
284
367
  if (opts.relayState.source.kind !== opts.source.kind || opts.relayState.source.id !== opts.source.id || opts.relayState.requestId !== opts.inResponseTo) throw new Error("SAML RelayState did not match the pending login request.");
285
368
  }
286
369
  /** @internal */
287
- async function parseEnterpriseSamlLogoutMessage(opts) {
370
+ async function parseGroupConnectionSamlLogoutMessage(opts) {
288
371
  ensureSamlifyValidator();
289
- const httpRequest = await readEnterpriseSamlHttpRequest(opts.request);
290
- const runtime = createEnterpriseSamlRuntime({
372
+ const httpRequest = await readGroupConnectionSamlHttpRequest(opts.request);
373
+ const runtime = createGroupConnectionSamlRuntime({
291
374
  rootUrl: opts.rootUrl,
292
375
  source: opts.source,
293
376
  config: opts.config,
294
377
  relayState: httpRequest.relayState
295
378
  });
296
- const parsedRequest = httpRequest.hasSamlRequest ? await runtime.sp.parseLogoutRequest(runtime.idp, httpRequest.binding, {
297
- query: httpRequest.query,
298
- body: httpRequest.body
299
- }) : void 0;
379
+ const parsedRequest = httpRequest.hasSamlRequest ? await runtime.sp.parseLogoutRequest(runtime.idp, httpRequest.binding, toSamlHttpRequest(httpRequest)) : void 0;
300
380
  return {
301
381
  ...httpRequest,
302
382
  runtime,
@@ -316,23 +396,29 @@ function profileFromSamlExtract(extract, mapping) {
316
396
  };
317
397
  const fieldResolvers = {
318
398
  email: () => resolveFirst(mapping?.email),
399
+ groups: () => normalizeStringArray(resolveFirst(mapping?.groups)),
319
400
  name: () => resolveFirst(mapping?.name) ?? ([resolveFirst(mapping?.firstName), resolveFirst(mapping?.lastName)].filter(Boolean).join(" ") || void 0),
401
+ roles: () => normalizeStringArray(resolveFirst(mapping?.roles)),
320
402
  subject: () => resolveFirst(mapping?.subject) ?? extract?.nameID
321
403
  };
322
404
  const subject = fieldResolvers.subject();
323
405
  if (subject === void 0) throw new Error("SAML profile is missing a subject. Configure `attributeMapping.subject` or ensure the assertion includes a NameID.");
324
406
  const email = fieldResolvers.email();
407
+ const groups = fieldResolvers.groups();
325
408
  const name = fieldResolvers.name();
326
- return {
409
+ const roles = fieldResolvers.roles();
410
+ return finalizeNormalizedProfile({
327
411
  id: subject,
328
412
  email,
329
413
  emailVerified: typeof email === "string" ? true : void 0,
414
+ groups,
330
415
  name,
416
+ roles,
331
417
  samlAttributes: attributes,
332
418
  samlSessionIndex: extract?.sessionIndex?.SessionIndex
333
- };
419
+ });
334
420
  }
335
421
 
336
422
  //#endregion
337
- export { createEnterpriseSamlMetadataXml, createEnterpriseSamlSignInRequest, createSamlPostBindingResponse, createServiceProviderMetadata, encodeEnterpriseSamlRelayState, getSamlServiceProviderOptions, parseEnterpriseSamlLoginResponse, parseEnterpriseSamlLogoutMessage, parseSamlIdpMetadata, profileFromSamlExtract, validateEnterpriseSamlLoginRelayState };
423
+ export { createGroupConnectionSamlMetadataXml, createGroupConnectionSamlSignInRequest, createSamlPostBindingResponse, createServiceProviderMetadata, encodeGroupSamlRelayState, enforceGroupConnectionSamlSecurity, getSamlServiceProviderOptions, parseGroupConnectionSamlLoginResponse, parseGroupConnectionSamlLogoutMessage, parseSamlIdpMetadataChecked, profileFromSamlExtract, validateGroupConnectionSamlLoginRelayState };
338
424
  //# sourceMappingURL=saml.js.map
@@ -1,16 +1,16 @@
1
1
  import { SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID } from "./shared.js";
2
2
 
3
- //#region src/server/enterprise/scim.ts
3
+ //#region src/server/sso/scim.ts
4
4
  /** @internal */
5
5
  function parseScimPath(pathname) {
6
- const [api, auth, sso, enterpriseId, protocol, version, ...rest] = pathname.split("/").filter(Boolean);
7
- if (api !== "api" || auth !== "auth" || sso !== "sso" || !enterpriseId || enterpriseId === "setup" || protocol !== "scim" || version !== "v2") return {
8
- enterpriseId: "",
6
+ const [api, auth, connections, connectionId, protocol, version, ...rest] = pathname.split("/").filter(Boolean);
7
+ if (api !== "api" || auth !== "auth" || connections !== "connections" || !connectionId || connectionId === "setup" || protocol !== "scim" || version !== "v2") return {
8
+ connectionId: "",
9
9
  resource: "",
10
10
  resourceId: void 0
11
11
  };
12
12
  return {
13
- enterpriseId,
13
+ connectionId,
14
14
  resource: rest[0] ?? "",
15
15
  resourceId: rest[1]
16
16
  };
@@ -24,11 +24,17 @@ function parseScimListRequest(url) {
24
24
  startIndex,
25
25
  count,
26
26
  filter: filterParam ? (() => {
27
- const match = filterParam.match(/^([A-Za-z0-9_.]+)\s+eq\s+"([^"]+)"$/);
27
+ const presentMatch = filterParam.match(/^([A-Za-z0-9_.]+)\s+pr$/);
28
+ if (presentMatch) return {
29
+ attribute: presentMatch[1],
30
+ operator: "pr"
31
+ };
32
+ const match = filterParam.match(/^([A-Za-z0-9_.]+(?:\[value eq "[^"]+"\])?)\s+(eq|co|sw|ew)\s+"([^"]+)"$/);
28
33
  if (!match) throw new Error("Unsupported SCIM filter.");
29
34
  return {
30
35
  attribute: match[1],
31
- value: match[2]
36
+ operator: match[2],
37
+ value: match[3]
32
38
  };
33
39
  })() : void 0
34
40
  };
@@ -0,0 +1,74 @@
1
+ //#region src/server/sso/shared.ts
2
+ /** @internal */
3
+ const SCIM_USER_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:User";
4
+ /** @internal */
5
+ const SCIM_GROUP_SCHEMA_ID = "urn:ietf:params:scim:schemas:core:2.0:Group";
6
+ /** @internal */
7
+ const GROUP_OIDC_PROVIDER_PREFIX = "group:oidc:";
8
+ /** @internal */
9
+ const GROUP_SAML_PROVIDER_PREFIX = "group:saml:";
10
+ /** @internal */
11
+ function normalizeDomain(domain) {
12
+ return domain.trim().toLowerCase().replace(/^@+/, "");
13
+ }
14
+ /** @internal */
15
+ function groupOidcProviderId(connectionId) {
16
+ return `${GROUP_OIDC_PROVIDER_PREFIX}${connectionId}`;
17
+ }
18
+ /** @internal */
19
+ function groupSamlProviderId(connectionId) {
20
+ return `${GROUP_SAML_PROVIDER_PREFIX}${connectionId}`;
21
+ }
22
+ /** @internal */
23
+ function getGroupSamlUrls(opts) {
24
+ const root = opts.rootUrl.replace(/\/$/, "");
25
+ return {
26
+ metadataUrl: `${root}/api/auth/connections/${opts.source.id}/saml/metadata`,
27
+ acsUrl: `${root}/api/auth/connections/${opts.source.id}/saml/acs`,
28
+ sloUrl: `${root}/api/auth/connections/${opts.source.id}/saml/slo`
29
+ };
30
+ }
31
+ /** @internal */
32
+ function getGroupOidcUrls(opts) {
33
+ const root = opts.rootUrl.replace(/\/$/, "");
34
+ const callbackUrl = (() => {
35
+ if (typeof opts.sharedRedirectURI !== "string") return `${root}/api/auth/connections/${opts.connectionId}/oidc/callback`;
36
+ if (/^https?:\/\//.test(opts.sharedRedirectURI)) return opts.sharedRedirectURI;
37
+ return `${root}${opts.sharedRedirectURI.startsWith("/") ? "" : "/"}${opts.sharedRedirectURI}`;
38
+ })();
39
+ return {
40
+ signInUrl: `${root}/api/auth/connections/${opts.connectionId}/oidc/signin`,
41
+ callbackUrl
42
+ };
43
+ }
44
+ /** @internal */
45
+ function encodeGroupOidcState(opts) {
46
+ const json = JSON.stringify(opts);
47
+ return (typeof btoa === "function" ? btoa(json) : Buffer.from(json, "utf8").toString("base64")).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
48
+ }
49
+ /** @internal */
50
+ function decodeGroupOidcState(value) {
51
+ if (!value) throw new Error("Missing OIDC state.");
52
+ const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
53
+ const padded = normalized + "=".repeat((4 - normalized.length % 4) % 4);
54
+ const decoded = typeof atob === "function" ? atob(padded) : Buffer.from(padded, "base64").toString("utf8");
55
+ const parsed = JSON.parse(decoded);
56
+ if (typeof parsed.connectionId !== "string" || typeof parsed.state !== "string") throw new Error("Invalid OIDC state.");
57
+ return {
58
+ connectionId: parsed.connectionId,
59
+ state: parsed.state
60
+ };
61
+ }
62
+ /** @internal */
63
+ function isGroupSamlSourceActive(source) {
64
+ return source.status === "active";
65
+ }
66
+ /** @internal */
67
+ function isGroupProviderId(providerId) {
68
+ return providerId.startsWith(GROUP_OIDC_PROVIDER_PREFIX) || providerId.startsWith(GROUP_SAML_PROVIDER_PREFIX);
69
+ }
70
+ const asRecord = (value) => typeof value === "object" && value !== null ? value : null;
71
+
72
+ //#endregion
73
+ export { GROUP_OIDC_PROVIDER_PREFIX, GROUP_SAML_PROVIDER_PREFIX, SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID, asRecord, decodeGroupOidcState, encodeGroupOidcState, getGroupOidcUrls, getGroupSamlUrls, groupOidcProviderId, groupSamlProviderId, isGroupProviderId, isGroupSamlSourceActive, normalizeDomain };
74
+ //# sourceMappingURL=shared.js.map