@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (666) hide show
  1. package/README.md +43 -36
  2. package/dist/bin.js +5765 -4880
  3. package/dist/browser/index.d.ts +30 -0
  4. package/dist/browser/index.js +93 -0
  5. package/dist/browser/locks.js +11 -0
  6. package/dist/browser/navigation.js +14 -0
  7. package/dist/{factors → browser}/passkey.js +23 -32
  8. package/dist/browser/runtime.js +92 -0
  9. package/dist/client/core/types.d.ts +452 -5
  10. package/dist/client/core/types.js +17 -0
  11. package/dist/client/errors.js +19 -0
  12. package/dist/client/factors/device.js +94 -0
  13. package/dist/{factors → client/factors}/totp.js +12 -4
  14. package/dist/client/index.d.ts +47 -1
  15. package/dist/client/index.js +269 -232
  16. package/dist/client/runtime/mutex.js +24 -0
  17. package/dist/client/runtime/proxy.js +30 -0
  18. package/dist/client/runtime/storage.js +45 -0
  19. package/dist/client/services/adapters.js +7 -0
  20. package/dist/client/services/http.js +6 -0
  21. package/dist/client/services/resolve.js +13 -0
  22. package/dist/client/services/runtime.js +6 -0
  23. package/dist/component/_generated/component.d.ts +1355 -1399
  24. package/dist/component/convex.config.d.ts +2 -2
  25. package/dist/component/index.d.ts +4 -26
  26. package/dist/component/index.js +1 -1
  27. package/dist/component/model.d.ts +26 -112
  28. package/dist/component/model.js +76 -54
  29. package/dist/component/modules.js +38 -0
  30. package/dist/component/public/factors/devices.js +1 -1
  31. package/dist/component/public/factors/passkeys.js +1 -1
  32. package/dist/component/public/factors/totp.js +1 -1
  33. package/dist/component/public/groups/core.js +2 -2
  34. package/dist/component/public/groups/invites.js +1 -1
  35. package/dist/component/public/groups/members.js +1 -1
  36. package/dist/component/public/identity/accounts.js +1 -1
  37. package/dist/component/public/identity/codes.js +1 -1
  38. package/dist/component/public/identity/sessions.js +39 -2
  39. package/dist/component/public/identity/tokens.js +82 -4
  40. package/dist/component/public/identity/users.js +1 -1
  41. package/dist/component/public/identity/verifiers.js +10 -4
  42. package/dist/component/public/security/keys.js +1 -1
  43. package/dist/component/public/security/limits.js +1 -1
  44. package/dist/component/public/{enterprise → sso}/audit.js +26 -26
  45. package/dist/component/public/sso/core.js +263 -0
  46. package/dist/component/public/sso/domains.js +280 -0
  47. package/dist/component/public/{enterprise → sso}/scim.js +87 -87
  48. package/dist/component/public/sso/secrets.js +125 -0
  49. package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
  50. package/dist/component/public.js +9 -9
  51. package/dist/component/schema.d.ts +472 -393
  52. package/dist/component/schema.js +36 -35
  53. package/dist/core/index.d.ts +380 -0
  54. package/dist/core/index.js +83 -0
  55. package/dist/otel.d.ts +69 -0
  56. package/dist/otel.js +82 -0
  57. package/dist/providers/anonymous.d.ts +15 -34
  58. package/dist/providers/anonymous.js +27 -35
  59. package/dist/providers/apple.d.ts +59 -0
  60. package/dist/providers/apple.js +58 -0
  61. package/dist/providers/credentials.d.ts +18 -34
  62. package/dist/providers/credentials.js +16 -27
  63. package/dist/providers/custom.d.ts +94 -0
  64. package/dist/providers/custom.js +119 -0
  65. package/dist/providers/device.d.ts +15 -49
  66. package/dist/providers/device.js +17 -34
  67. package/dist/providers/email.d.ts +21 -38
  68. package/dist/providers/email.js +36 -55
  69. package/dist/providers/github.d.ts +54 -0
  70. package/dist/providers/github.js +75 -0
  71. package/dist/providers/google.d.ts +54 -0
  72. package/dist/providers/google.js +61 -0
  73. package/dist/providers/index.d.ts +16 -12
  74. package/dist/providers/index.js +15 -11
  75. package/dist/providers/microsoft.d.ts +57 -0
  76. package/dist/providers/microsoft.js +101 -0
  77. package/dist/providers/passkey.d.ts +19 -35
  78. package/dist/providers/passkey.js +20 -30
  79. package/dist/providers/password.d.ts +17 -18
  80. package/dist/providers/password.js +121 -143
  81. package/dist/providers/phone.d.ts +13 -28
  82. package/dist/providers/phone.js +21 -46
  83. package/dist/providers/sso.d.ts +16 -36
  84. package/dist/providers/sso.js +21 -22
  85. package/dist/providers/totp.d.ts +13 -29
  86. package/dist/providers/totp.js +17 -27
  87. package/dist/server/auth-context.d.ts +204 -0
  88. package/dist/server/auth-context.js +76 -0
  89. package/dist/server/auth.d.ts +99 -244
  90. package/dist/server/auth.js +56 -152
  91. package/dist/server/componentContext.d.ts +12 -0
  92. package/dist/server/componentContext.js +1 -0
  93. package/dist/server/config.js +6 -67
  94. package/dist/server/constants.js +6 -0
  95. package/dist/server/contract.d.ts +105 -0
  96. package/dist/server/contract.js +43 -0
  97. package/dist/server/cookies.js +3 -2
  98. package/dist/server/core.js +31 -36
  99. package/dist/server/crypto.js +34 -44
  100. package/dist/server/db.js +6 -1
  101. package/dist/server/device.js +96 -130
  102. package/dist/server/env.js +48 -0
  103. package/dist/server/errors.js +20 -0
  104. package/dist/server/http.d.ts +15 -59
  105. package/dist/server/http.js +136 -120
  106. package/dist/server/identity.js +2 -2
  107. package/dist/server/index.d.ts +5 -4
  108. package/dist/server/index.js +3 -3
  109. package/dist/server/keys.js +10 -1
  110. package/dist/server/limits.js +26 -26
  111. package/dist/server/log.js +28 -0
  112. package/dist/server/mounts.d.ts +1107 -296
  113. package/dist/server/mounts.js +315 -196
  114. package/dist/server/mutations/account.js +11 -14
  115. package/dist/server/mutations/code.js +6 -5
  116. package/dist/server/mutations/invalidate.js +9 -11
  117. package/dist/server/mutations/oauth.js +112 -73
  118. package/dist/server/mutations/refresh.js +47 -97
  119. package/dist/server/mutations/register.js +37 -35
  120. package/dist/server/mutations/retrieve.js +16 -16
  121. package/dist/server/mutations/signature.js +15 -18
  122. package/dist/server/mutations/signin.js +10 -5
  123. package/dist/server/mutations/signout.js +11 -14
  124. package/dist/server/mutations/store.js +25 -18
  125. package/dist/server/mutations/verifier.js +11 -8
  126. package/dist/server/mutations/verify.js +53 -41
  127. package/dist/server/oauth/factory.js +44 -0
  128. package/dist/server/oauth/index.js +12 -0
  129. package/dist/server/oauth/runtime.js +248 -0
  130. package/dist/server/passkey.js +331 -365
  131. package/dist/server/payloads.d.ts +16 -0
  132. package/dist/server/payloads.js +30 -0
  133. package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
  134. package/dist/server/prefetch.js +635 -0
  135. package/dist/server/random.js +19 -0
  136. package/dist/server/redirects.js +10 -5
  137. package/dist/server/refresh.js +14 -86
  138. package/dist/server/runtime.d.ts +531 -31
  139. package/dist/server/runtime.js +106 -267
  140. package/dist/server/secret.js +44 -0
  141. package/dist/server/services/config.js +10 -0
  142. package/dist/server/services/group.js +211 -0
  143. package/dist/server/services/logger.js +8 -0
  144. package/dist/server/services/providers.js +22 -0
  145. package/dist/server/services/refresh.js +8 -0
  146. package/dist/server/services/resolve.js +27 -0
  147. package/dist/server/services/signin.js +8 -0
  148. package/dist/server/sessions.js +35 -34
  149. package/dist/server/signin.js +229 -140
  150. package/dist/server/{enterprise → sso}/config.js +10 -3
  151. package/dist/server/sso/domain.d.ts +614 -0
  152. package/dist/server/sso/domain.js +1175 -0
  153. package/dist/server/sso/http.js +1060 -0
  154. package/dist/server/sso/oidc.js +324 -0
  155. package/dist/server/sso/policies.js +59 -0
  156. package/dist/server/sso/policy.js +139 -0
  157. package/dist/server/sso/profile.js +22 -0
  158. package/dist/server/sso/provision.js +179 -0
  159. package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
  160. package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
  161. package/dist/server/sso/shared.js +74 -0
  162. package/dist/server/sso/validators.js +88 -0
  163. package/dist/server/sso/webhook.js +94 -0
  164. package/dist/server/tokens.js +16 -4
  165. package/dist/server/totp.js +155 -164
  166. package/dist/server/types.d.ts +306 -296
  167. package/dist/server/types.js +1 -30
  168. package/dist/server/url.js +32 -0
  169. package/dist/server/users.js +74 -40
  170. package/dist/server/utils/cache.js +51 -0
  171. package/dist/server/utils/dispatch.js +36 -0
  172. package/dist/server/utils/retry.js +24 -0
  173. package/dist/server/utils/span.js +32 -0
  174. package/dist/shared/errors.js +19 -0
  175. package/dist/shared/log.js +45 -0
  176. package/{src/test.ts → dist/test.d.ts} +21 -22
  177. package/dist/test.js +51 -0
  178. package/package.json +70 -42
  179. package/dist/authorization/index.d.ts.map +0 -1
  180. package/dist/authorization/index.js.map +0 -1
  181. package/dist/client/core/types.d.ts.map +0 -1
  182. package/dist/client/index.d.ts.map +0 -1
  183. package/dist/client/index.js.map +0 -1
  184. package/dist/component/_generated/api.d.ts +0 -75
  185. package/dist/component/_generated/api.d.ts.map +0 -1
  186. package/dist/component/_generated/api.js.map +0 -1
  187. package/dist/component/_generated/component.d.ts.map +0 -1
  188. package/dist/component/_generated/dataModel.d.ts +0 -42
  189. package/dist/component/_generated/dataModel.d.ts.map +0 -1
  190. package/dist/component/_generated/server.d.ts +0 -117
  191. package/dist/component/_generated/server.d.ts.map +0 -1
  192. package/dist/component/_generated/server.js.map +0 -1
  193. package/dist/component/_virtual/rolldown_runtime.js +0 -18
  194. package/dist/component/client/core/types.d.ts +0 -2
  195. package/dist/component/client/index.d.ts +0 -1
  196. package/dist/component/convex.config.d.ts.map +0 -1
  197. package/dist/component/convex.config.js.map +0 -1
  198. package/dist/component/functions.d.ts +0 -25
  199. package/dist/component/functions.d.ts.map +0 -1
  200. package/dist/component/functions.js.map +0 -1
  201. package/dist/component/index.d.ts.map +0 -1
  202. package/dist/component/model.d.ts.map +0 -1
  203. package/dist/component/model.js.map +0 -1
  204. package/dist/component/providers/anonymous.d.ts +0 -54
  205. package/dist/component/providers/anonymous.d.ts.map +0 -1
  206. package/dist/component/providers/credentials.d.ts +0 -38
  207. package/dist/component/providers/credentials.d.ts.map +0 -1
  208. package/dist/component/providers/device.d.ts +0 -67
  209. package/dist/component/providers/device.d.ts.map +0 -1
  210. package/dist/component/providers/email.d.ts +0 -62
  211. package/dist/component/providers/email.d.ts.map +0 -1
  212. package/dist/component/providers/oauth.d.ts +0 -25
  213. package/dist/component/providers/oauth.d.ts.map +0 -1
  214. package/dist/component/providers/oauth.js +0 -13
  215. package/dist/component/providers/oauth.js.map +0 -1
  216. package/dist/component/providers/passkey.d.ts +0 -57
  217. package/dist/component/providers/passkey.d.ts.map +0 -1
  218. package/dist/component/providers/password.d.ts +0 -88
  219. package/dist/component/providers/password.d.ts.map +0 -1
  220. package/dist/component/providers/phone.d.ts +0 -48
  221. package/dist/component/providers/phone.d.ts.map +0 -1
  222. package/dist/component/providers/sso.d.ts +0 -50
  223. package/dist/component/providers/sso.d.ts.map +0 -1
  224. package/dist/component/providers/totp.d.ts +0 -45
  225. package/dist/component/providers/totp.d.ts.map +0 -1
  226. package/dist/component/public/enterprise/audit.d.ts +0 -73
  227. package/dist/component/public/enterprise/audit.d.ts.map +0 -1
  228. package/dist/component/public/enterprise/audit.js.map +0 -1
  229. package/dist/component/public/enterprise/core.d.ts +0 -176
  230. package/dist/component/public/enterprise/core.d.ts.map +0 -1
  231. package/dist/component/public/enterprise/core.js +0 -292
  232. package/dist/component/public/enterprise/core.js.map +0 -1
  233. package/dist/component/public/enterprise/domains.d.ts +0 -174
  234. package/dist/component/public/enterprise/domains.d.ts.map +0 -1
  235. package/dist/component/public/enterprise/domains.js +0 -271
  236. package/dist/component/public/enterprise/domains.js.map +0 -1
  237. package/dist/component/public/enterprise/scim.d.ts +0 -245
  238. package/dist/component/public/enterprise/scim.d.ts.map +0 -1
  239. package/dist/component/public/enterprise/scim.js.map +0 -1
  240. package/dist/component/public/enterprise/secrets.d.ts +0 -78
  241. package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
  242. package/dist/component/public/enterprise/secrets.js +0 -118
  243. package/dist/component/public/enterprise/secrets.js.map +0 -1
  244. package/dist/component/public/enterprise/webhooks.d.ts +0 -211
  245. package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
  246. package/dist/component/public/enterprise/webhooks.js.map +0 -1
  247. package/dist/component/public/factors/devices.d.ts +0 -157
  248. package/dist/component/public/factors/devices.d.ts.map +0 -1
  249. package/dist/component/public/factors/devices.js.map +0 -1
  250. package/dist/component/public/factors/passkeys.d.ts +0 -175
  251. package/dist/component/public/factors/passkeys.d.ts.map +0 -1
  252. package/dist/component/public/factors/passkeys.js.map +0 -1
  253. package/dist/component/public/factors/totp.d.ts +0 -189
  254. package/dist/component/public/factors/totp.d.ts.map +0 -1
  255. package/dist/component/public/factors/totp.js.map +0 -1
  256. package/dist/component/public/groups/core.d.ts +0 -137
  257. package/dist/component/public/groups/core.d.ts.map +0 -1
  258. package/dist/component/public/groups/core.js.map +0 -1
  259. package/dist/component/public/groups/invites.d.ts +0 -217
  260. package/dist/component/public/groups/invites.d.ts.map +0 -1
  261. package/dist/component/public/groups/invites.js.map +0 -1
  262. package/dist/component/public/groups/members.d.ts +0 -204
  263. package/dist/component/public/groups/members.d.ts.map +0 -1
  264. package/dist/component/public/groups/members.js.map +0 -1
  265. package/dist/component/public/identity/accounts.d.ts +0 -147
  266. package/dist/component/public/identity/accounts.d.ts.map +0 -1
  267. package/dist/component/public/identity/accounts.js.map +0 -1
  268. package/dist/component/public/identity/codes.d.ts +0 -104
  269. package/dist/component/public/identity/codes.d.ts.map +0 -1
  270. package/dist/component/public/identity/codes.js.map +0 -1
  271. package/dist/component/public/identity/sessions.d.ts +0 -128
  272. package/dist/component/public/identity/sessions.d.ts.map +0 -1
  273. package/dist/component/public/identity/sessions.js.map +0 -1
  274. package/dist/component/public/identity/tokens.d.ts +0 -169
  275. package/dist/component/public/identity/tokens.d.ts.map +0 -1
  276. package/dist/component/public/identity/tokens.js.map +0 -1
  277. package/dist/component/public/identity/users.d.ts +0 -212
  278. package/dist/component/public/identity/users.d.ts.map +0 -1
  279. package/dist/component/public/identity/users.js.map +0 -1
  280. package/dist/component/public/identity/verifiers.d.ts +0 -116
  281. package/dist/component/public/identity/verifiers.d.ts.map +0 -1
  282. package/dist/component/public/identity/verifiers.js.map +0 -1
  283. package/dist/component/public/security/keys.d.ts +0 -209
  284. package/dist/component/public/security/keys.d.ts.map +0 -1
  285. package/dist/component/public/security/keys.js.map +0 -1
  286. package/dist/component/public/security/limits.d.ts +0 -114
  287. package/dist/component/public/security/limits.d.ts.map +0 -1
  288. package/dist/component/public/security/limits.js.map +0 -1
  289. package/dist/component/public.d.ts +0 -28
  290. package/dist/component/public.d.ts.map +0 -1
  291. package/dist/component/schema.d.ts.map +0 -1
  292. package/dist/component/schema.js.map +0 -1
  293. package/dist/component/server/auth.d.ts +0 -447
  294. package/dist/component/server/auth.d.ts.map +0 -1
  295. package/dist/component/server/auth.js +0 -254
  296. package/dist/component/server/auth.js.map +0 -1
  297. package/dist/component/server/config.js +0 -121
  298. package/dist/component/server/config.js.map +0 -1
  299. package/dist/component/server/context.js +0 -53
  300. package/dist/component/server/context.js.map +0 -1
  301. package/dist/component/server/cookies.js +0 -47
  302. package/dist/component/server/cookies.js.map +0 -1
  303. package/dist/component/server/core.js +0 -576
  304. package/dist/component/server/core.js.map +0 -1
  305. package/dist/component/server/crypto.js +0 -56
  306. package/dist/component/server/crypto.js.map +0 -1
  307. package/dist/component/server/db.js +0 -87
  308. package/dist/component/server/db.js.map +0 -1
  309. package/dist/component/server/device.js +0 -152
  310. package/dist/component/server/device.js.map +0 -1
  311. package/dist/component/server/enterprise/config.js +0 -46
  312. package/dist/component/server/enterprise/config.js.map +0 -1
  313. package/dist/component/server/enterprise/domain.js +0 -974
  314. package/dist/component/server/enterprise/domain.js.map +0 -1
  315. package/dist/component/server/enterprise/http.js +0 -787
  316. package/dist/component/server/enterprise/http.js.map +0 -1
  317. package/dist/component/server/enterprise/oidc.js +0 -248
  318. package/dist/component/server/enterprise/oidc.js.map +0 -1
  319. package/dist/component/server/enterprise/policy.js +0 -85
  320. package/dist/component/server/enterprise/policy.js.map +0 -1
  321. package/dist/component/server/enterprise/saml.js.map +0 -1
  322. package/dist/component/server/enterprise/scim.js.map +0 -1
  323. package/dist/component/server/enterprise/shared.js +0 -51
  324. package/dist/component/server/enterprise/shared.js.map +0 -1
  325. package/dist/component/server/http.d.ts +0 -85
  326. package/dist/component/server/http.d.ts.map +0 -1
  327. package/dist/component/server/http.js +0 -351
  328. package/dist/component/server/http.js.map +0 -1
  329. package/dist/component/server/identity.js +0 -16
  330. package/dist/component/server/identity.js.map +0 -1
  331. package/dist/component/server/keys.js +0 -96
  332. package/dist/component/server/keys.js.map +0 -1
  333. package/dist/component/server/limits.js +0 -52
  334. package/dist/component/server/limits.js.map +0 -1
  335. package/dist/component/server/mutations/account.js +0 -46
  336. package/dist/component/server/mutations/account.js.map +0 -1
  337. package/dist/component/server/mutations/code.js +0 -68
  338. package/dist/component/server/mutations/code.js.map +0 -1
  339. package/dist/component/server/mutations/invalidate.js +0 -32
  340. package/dist/component/server/mutations/invalidate.js.map +0 -1
  341. package/dist/component/server/mutations/oauth.js +0 -116
  342. package/dist/component/server/mutations/oauth.js.map +0 -1
  343. package/dist/component/server/mutations/refresh.js +0 -119
  344. package/dist/component/server/mutations/refresh.js.map +0 -1
  345. package/dist/component/server/mutations/register.js +0 -87
  346. package/dist/component/server/mutations/register.js.map +0 -1
  347. package/dist/component/server/mutations/retrieve.js +0 -61
  348. package/dist/component/server/mutations/retrieve.js.map +0 -1
  349. package/dist/component/server/mutations/signature.js +0 -38
  350. package/dist/component/server/mutations/signature.js.map +0 -1
  351. package/dist/component/server/mutations/signin.js +0 -27
  352. package/dist/component/server/mutations/signin.js.map +0 -1
  353. package/dist/component/server/mutations/signout.js +0 -27
  354. package/dist/component/server/mutations/signout.js.map +0 -1
  355. package/dist/component/server/mutations/store/refs.js +0 -15
  356. package/dist/component/server/mutations/store/refs.js.map +0 -1
  357. package/dist/component/server/mutations/store.js +0 -70
  358. package/dist/component/server/mutations/store.js.map +0 -1
  359. package/dist/component/server/mutations/verifier.js +0 -18
  360. package/dist/component/server/mutations/verifier.js.map +0 -1
  361. package/dist/component/server/mutations/verify.js +0 -98
  362. package/dist/component/server/mutations/verify.js.map +0 -1
  363. package/dist/component/server/oauth.js +0 -242
  364. package/dist/component/server/oauth.js.map +0 -1
  365. package/dist/component/server/passkey.js +0 -415
  366. package/dist/component/server/passkey.js.map +0 -1
  367. package/dist/component/server/redirects.js +0 -40
  368. package/dist/component/server/redirects.js.map +0 -1
  369. package/dist/component/server/refresh.js +0 -99
  370. package/dist/component/server/refresh.js.map +0 -1
  371. package/dist/component/server/runtime.d.ts +0 -136
  372. package/dist/component/server/runtime.d.ts.map +0 -1
  373. package/dist/component/server/runtime.js +0 -456
  374. package/dist/component/server/runtime.js.map +0 -1
  375. package/dist/component/server/sessions.js +0 -71
  376. package/dist/component/server/sessions.js.map +0 -1
  377. package/dist/component/server/signin.js +0 -225
  378. package/dist/component/server/signin.js.map +0 -1
  379. package/dist/component/server/tokens.js +0 -17
  380. package/dist/component/server/tokens.js.map +0 -1
  381. package/dist/component/server/totp.js +0 -208
  382. package/dist/component/server/totp.js.map +0 -1
  383. package/dist/component/server/types.d.ts +0 -949
  384. package/dist/component/server/types.d.ts.map +0 -1
  385. package/dist/component/server/types.js +0 -79
  386. package/dist/component/server/types.js.map +0 -1
  387. package/dist/component/server/users.js +0 -123
  388. package/dist/component/server/users.js.map +0 -1
  389. package/dist/component/server/utils.js +0 -140
  390. package/dist/component/server/utils.js.map +0 -1
  391. package/dist/core/types.d.ts +0 -361
  392. package/dist/core/types.d.ts.map +0 -1
  393. package/dist/factors/device.js +0 -104
  394. package/dist/factors/device.js.map +0 -1
  395. package/dist/factors/passkey.js.map +0 -1
  396. package/dist/factors/totp.js.map +0 -1
  397. package/dist/providers/anonymous.d.ts.map +0 -1
  398. package/dist/providers/anonymous.js.map +0 -1
  399. package/dist/providers/credentials.d.ts.map +0 -1
  400. package/dist/providers/credentials.js.map +0 -1
  401. package/dist/providers/device.d.ts.map +0 -1
  402. package/dist/providers/device.js.map +0 -1
  403. package/dist/providers/email.d.ts.map +0 -1
  404. package/dist/providers/email.js.map +0 -1
  405. package/dist/providers/oauth.d.ts +0 -69
  406. package/dist/providers/oauth.d.ts.map +0 -1
  407. package/dist/providers/oauth.js +0 -43
  408. package/dist/providers/oauth.js.map +0 -1
  409. package/dist/providers/passkey.d.ts.map +0 -1
  410. package/dist/providers/passkey.js.map +0 -1
  411. package/dist/providers/password.d.ts.map +0 -1
  412. package/dist/providers/password.js.map +0 -1
  413. package/dist/providers/phone.d.ts.map +0 -1
  414. package/dist/providers/phone.js.map +0 -1
  415. package/dist/providers/sso.d.ts.map +0 -1
  416. package/dist/providers/sso.js.map +0 -1
  417. package/dist/providers/totp.d.ts.map +0 -1
  418. package/dist/providers/totp.js.map +0 -1
  419. package/dist/runtime/browser.js +0 -68
  420. package/dist/runtime/browser.js.map +0 -1
  421. package/dist/runtime/invite.js.map +0 -1
  422. package/dist/runtime/proxy.js +0 -70
  423. package/dist/runtime/proxy.js.map +0 -1
  424. package/dist/runtime/storage.js +0 -37
  425. package/dist/runtime/storage.js.map +0 -1
  426. package/dist/server/auth.d.ts.map +0 -1
  427. package/dist/server/auth.js.map +0 -1
  428. package/dist/server/config.d.ts +0 -1
  429. package/dist/server/config.js.map +0 -1
  430. package/dist/server/context.d.ts +0 -1
  431. package/dist/server/context.js.map +0 -1
  432. package/dist/server/cookies.d.ts +0 -1
  433. package/dist/server/cookies.js.map +0 -1
  434. package/dist/server/core.d.ts +0 -1315
  435. package/dist/server/core.d.ts.map +0 -1
  436. package/dist/server/core.js.map +0 -1
  437. package/dist/server/crypto.d.ts +0 -8
  438. package/dist/server/crypto.d.ts.map +0 -1
  439. package/dist/server/crypto.js.map +0 -1
  440. package/dist/server/db.d.ts +0 -1
  441. package/dist/server/db.js.map +0 -1
  442. package/dist/server/device.d.ts +0 -1
  443. package/dist/server/device.js.map +0 -1
  444. package/dist/server/enterprise/config.d.ts +0 -1
  445. package/dist/server/enterprise/config.js.map +0 -1
  446. package/dist/server/enterprise/domain.d.ts +0 -401
  447. package/dist/server/enterprise/domain.d.ts.map +0 -1
  448. package/dist/server/enterprise/domain.js +0 -974
  449. package/dist/server/enterprise/domain.js.map +0 -1
  450. package/dist/server/enterprise/http.d.ts +0 -26
  451. package/dist/server/enterprise/http.d.ts.map +0 -1
  452. package/dist/server/enterprise/http.js +0 -787
  453. package/dist/server/enterprise/http.js.map +0 -1
  454. package/dist/server/enterprise/oidc.d.ts +0 -1
  455. package/dist/server/enterprise/oidc.js +0 -248
  456. package/dist/server/enterprise/oidc.js.map +0 -1
  457. package/dist/server/enterprise/policy.d.ts +0 -1
  458. package/dist/server/enterprise/policy.js +0 -85
  459. package/dist/server/enterprise/policy.js.map +0 -1
  460. package/dist/server/enterprise/saml.d.ts +0 -1
  461. package/dist/server/enterprise/saml.js +0 -338
  462. package/dist/server/enterprise/saml.js.map +0 -1
  463. package/dist/server/enterprise/scim.d.ts +0 -1
  464. package/dist/server/enterprise/scim.js +0 -97
  465. package/dist/server/enterprise/scim.js.map +0 -1
  466. package/dist/server/enterprise/shared.d.ts +0 -5
  467. package/dist/server/enterprise/shared.d.ts.map +0 -1
  468. package/dist/server/enterprise/shared.js +0 -51
  469. package/dist/server/enterprise/shared.js.map +0 -1
  470. package/dist/server/enterprise/validators.d.ts +0 -1
  471. package/dist/server/enterprise/validators.js +0 -60
  472. package/dist/server/enterprise/validators.js.map +0 -1
  473. package/dist/server/http.d.ts.map +0 -1
  474. package/dist/server/http.js.map +0 -1
  475. package/dist/server/identity.d.ts +0 -1
  476. package/dist/server/identity.js.map +0 -1
  477. package/dist/server/keys.d.ts +0 -1
  478. package/dist/server/keys.js.map +0 -1
  479. package/dist/server/limits.d.ts +0 -1
  480. package/dist/server/limits.js.map +0 -1
  481. package/dist/server/mounts.d.ts.map +0 -1
  482. package/dist/server/mounts.js.map +0 -1
  483. package/dist/server/mutations/account.d.ts +0 -29
  484. package/dist/server/mutations/account.d.ts.map +0 -1
  485. package/dist/server/mutations/account.js.map +0 -1
  486. package/dist/server/mutations/code.d.ts +0 -30
  487. package/dist/server/mutations/code.d.ts.map +0 -1
  488. package/dist/server/mutations/code.js.map +0 -1
  489. package/dist/server/mutations/index.d.ts +0 -14
  490. package/dist/server/mutations/invalidate.d.ts +0 -20
  491. package/dist/server/mutations/invalidate.d.ts.map +0 -1
  492. package/dist/server/mutations/invalidate.js.map +0 -1
  493. package/dist/server/mutations/oauth.d.ts +0 -30
  494. package/dist/server/mutations/oauth.d.ts.map +0 -1
  495. package/dist/server/mutations/oauth.js.map +0 -1
  496. package/dist/server/mutations/refresh.d.ts +0 -21
  497. package/dist/server/mutations/refresh.d.ts.map +0 -1
  498. package/dist/server/mutations/refresh.js.map +0 -1
  499. package/dist/server/mutations/register.d.ts +0 -38
  500. package/dist/server/mutations/register.d.ts.map +0 -1
  501. package/dist/server/mutations/register.js.map +0 -1
  502. package/dist/server/mutations/retrieve.d.ts +0 -33
  503. package/dist/server/mutations/retrieve.d.ts.map +0 -1
  504. package/dist/server/mutations/retrieve.js.map +0 -1
  505. package/dist/server/mutations/signature.d.ts +0 -21
  506. package/dist/server/mutations/signature.d.ts.map +0 -1
  507. package/dist/server/mutations/signature.js.map +0 -1
  508. package/dist/server/mutations/signin.d.ts +0 -22
  509. package/dist/server/mutations/signin.d.ts.map +0 -1
  510. package/dist/server/mutations/signin.js.map +0 -1
  511. package/dist/server/mutations/signout.d.ts +0 -16
  512. package/dist/server/mutations/signout.d.ts.map +0 -1
  513. package/dist/server/mutations/signout.js.map +0 -1
  514. package/dist/server/mutations/store/refs.d.ts +0 -12
  515. package/dist/server/mutations/store/refs.d.ts.map +0 -1
  516. package/dist/server/mutations/store/refs.js.map +0 -1
  517. package/dist/server/mutations/store.d.ts +0 -306
  518. package/dist/server/mutations/store.d.ts.map +0 -1
  519. package/dist/server/mutations/store.js.map +0 -1
  520. package/dist/server/mutations/verifier.d.ts +0 -13
  521. package/dist/server/mutations/verifier.d.ts.map +0 -1
  522. package/dist/server/mutations/verifier.js.map +0 -1
  523. package/dist/server/mutations/verify.d.ts +0 -26
  524. package/dist/server/mutations/verify.d.ts.map +0 -1
  525. package/dist/server/mutations/verify.js.map +0 -1
  526. package/dist/server/oauth.d.ts +0 -1
  527. package/dist/server/oauth.js +0 -242
  528. package/dist/server/oauth.js.map +0 -1
  529. package/dist/server/passkey.d.ts +0 -27
  530. package/dist/server/passkey.d.ts.map +0 -1
  531. package/dist/server/passkey.js.map +0 -1
  532. package/dist/server/redirects.d.ts +0 -1
  533. package/dist/server/redirects.js.map +0 -1
  534. package/dist/server/refresh.d.ts +0 -1
  535. package/dist/server/refresh.js.map +0 -1
  536. package/dist/server/runtime.d.ts.map +0 -1
  537. package/dist/server/runtime.js.map +0 -1
  538. package/dist/server/sessions.d.ts +0 -1
  539. package/dist/server/sessions.js.map +0 -1
  540. package/dist/server/signin.d.ts +0 -1
  541. package/dist/server/signin.js.map +0 -1
  542. package/dist/server/ssr.d.ts.map +0 -1
  543. package/dist/server/ssr.js +0 -777
  544. package/dist/server/ssr.js.map +0 -1
  545. package/dist/server/templates.d.ts +0 -1
  546. package/dist/server/templates.js.map +0 -1
  547. package/dist/server/tokens.d.ts +0 -1
  548. package/dist/server/tokens.js.map +0 -1
  549. package/dist/server/totp.d.ts +0 -1
  550. package/dist/server/totp.js.map +0 -1
  551. package/dist/server/types.d.ts.map +0 -1
  552. package/dist/server/types.js.map +0 -1
  553. package/dist/server/users.d.ts +0 -1
  554. package/dist/server/users.js.map +0 -1
  555. package/dist/server/utils.d.ts +0 -1
  556. package/dist/server/utils.js +0 -140
  557. package/dist/server/utils.js.map +0 -1
  558. package/src/authorization/index.ts +0 -83
  559. package/src/cli/bin.ts +0 -5
  560. package/src/cli/command.ts +0 -70
  561. package/src/cli/index.ts +0 -1112
  562. package/src/cli/keys.ts +0 -23
  563. package/src/client/core/types.ts +0 -437
  564. package/src/client/factors/device.ts +0 -158
  565. package/src/client/factors/passkey.ts +0 -279
  566. package/src/client/factors/totp.ts +0 -150
  567. package/src/client/index.ts +0 -1124
  568. package/src/client/runtime/browser.ts +0 -112
  569. package/src/client/runtime/invite.ts +0 -63
  570. package/src/client/runtime/proxy.ts +0 -111
  571. package/src/client/runtime/storage.ts +0 -79
  572. package/src/component/_generated/api.ts +0 -96
  573. package/src/component/_generated/component.ts +0 -3774
  574. package/src/component/_generated/dataModel.ts +0 -60
  575. package/src/component/_generated/server.ts +0 -156
  576. package/src/component/convex.config.ts +0 -5
  577. package/src/component/functions.ts +0 -104
  578. package/src/component/index.ts +0 -42
  579. package/src/component/model.ts +0 -449
  580. package/src/component/public/enterprise/audit.ts +0 -125
  581. package/src/component/public/enterprise/core.ts +0 -355
  582. package/src/component/public/enterprise/domains.ts +0 -327
  583. package/src/component/public/enterprise/scim.ts +0 -397
  584. package/src/component/public/enterprise/secrets.ts +0 -133
  585. package/src/component/public/enterprise/webhooks.ts +0 -307
  586. package/src/component/public/factors/devices.ts +0 -224
  587. package/src/component/public/factors/passkeys.ts +0 -243
  588. package/src/component/public/factors/totp.ts +0 -259
  589. package/src/component/public/groups/core.ts +0 -481
  590. package/src/component/public/groups/invites.ts +0 -608
  591. package/src/component/public/groups/members.ts +0 -410
  592. package/src/component/public/identity/accounts.ts +0 -207
  593. package/src/component/public/identity/codes.ts +0 -149
  594. package/src/component/public/identity/sessions.ts +0 -210
  595. package/src/component/public/identity/tokens.ts +0 -251
  596. package/src/component/public/identity/users.ts +0 -355
  597. package/src/component/public/identity/verifiers.ts +0 -158
  598. package/src/component/public/security/keys.ts +0 -366
  599. package/src/component/public/security/limits.ts +0 -174
  600. package/src/component/public.ts +0 -27
  601. package/src/component/schema.ts +0 -505
  602. package/src/providers/anonymous.ts +0 -99
  603. package/src/providers/credentials.ts +0 -102
  604. package/src/providers/device.ts +0 -87
  605. package/src/providers/email.ts +0 -99
  606. package/src/providers/index.ts +0 -31
  607. package/src/providers/oauth.ts +0 -117
  608. package/src/providers/passkey.ts +0 -77
  609. package/src/providers/password.ts +0 -441
  610. package/src/providers/phone.ts +0 -93
  611. package/src/providers/sso.ts +0 -54
  612. package/src/providers/totp.ts +0 -62
  613. package/src/samlify.d.ts +0 -53
  614. package/src/server/auth.ts +0 -949
  615. package/src/server/config.ts +0 -200
  616. package/src/server/context.ts +0 -90
  617. package/src/server/cookies.ts +0 -49
  618. package/src/server/core.ts +0 -2004
  619. package/src/server/crypto.ts +0 -90
  620. package/src/server/db.ts +0 -203
  621. package/src/server/device.ts +0 -254
  622. package/src/server/enterprise/config.ts +0 -51
  623. package/src/server/enterprise/domain.ts +0 -1739
  624. package/src/server/enterprise/http.ts +0 -1331
  625. package/src/server/enterprise/oidc.ts +0 -500
  626. package/src/server/enterprise/policy.ts +0 -128
  627. package/src/server/enterprise/saml.ts +0 -578
  628. package/src/server/enterprise/scim.ts +0 -135
  629. package/src/server/enterprise/shared.ts +0 -134
  630. package/src/server/enterprise/validators.ts +0 -93
  631. package/src/server/http.ts +0 -790
  632. package/src/server/identity.ts +0 -18
  633. package/src/server/index.ts +0 -40
  634. package/src/server/keys.ts +0 -158
  635. package/src/server/limits.ts +0 -107
  636. package/src/server/mounts.ts +0 -924
  637. package/src/server/mutations/account.ts +0 -62
  638. package/src/server/mutations/code.ts +0 -119
  639. package/src/server/mutations/index.ts +0 -13
  640. package/src/server/mutations/invalidate.ts +0 -50
  641. package/src/server/mutations/oauth.ts +0 -243
  642. package/src/server/mutations/refresh.ts +0 -299
  643. package/src/server/mutations/register.ts +0 -155
  644. package/src/server/mutations/retrieve.ts +0 -109
  645. package/src/server/mutations/signature.ts +0 -57
  646. package/src/server/mutations/signin.ts +0 -54
  647. package/src/server/mutations/signout.ts +0 -43
  648. package/src/server/mutations/store/refs.ts +0 -10
  649. package/src/server/mutations/store.ts +0 -123
  650. package/src/server/mutations/verifier.ts +0 -34
  651. package/src/server/mutations/verify.ts +0 -200
  652. package/src/server/oauth.ts +0 -418
  653. package/src/server/passkey.ts +0 -838
  654. package/src/server/redirects.ts +0 -59
  655. package/src/server/refresh.ts +0 -218
  656. package/src/server/runtime.ts +0 -918
  657. package/src/server/sessions.ts +0 -132
  658. package/src/server/signin.ts +0 -445
  659. package/src/server/ssr.ts +0 -1747
  660. package/src/server/templates.ts +0 -82
  661. package/src/server/tokens.ts +0 -35
  662. package/src/server/totp.ts +0 -399
  663. package/src/server/types.ts +0 -1942
  664. package/src/server/users.ts +0 -291
  665. package/src/server/utils.ts +0 -220
  666. /package/dist/{runtime → client/runtime}/invite.js +0 -0
@@ -0,0 +1,88 @@
1
+ import { v } from "convex/values";
2
+
3
+ //#region src/server/sso/validators.ts
4
+ /** @internal Shared validator for mounted group connection status fields. */
5
+ const groupConnectionStatusValidator = v.union(v.literal("draft"), v.literal("active"), v.literal("disabled"));
6
+ /** @internal Structured validator for mounted group policy patch payloads. */
7
+ const groupPolicyPatchValidator = v.object({
8
+ identity: v.optional(v.object({ accountLinking: v.optional(v.object({
9
+ oidc: v.optional(v.union(v.literal("verifiedEmail"), v.literal("none"))),
10
+ saml: v.optional(v.union(v.literal("verifiedEmail"), v.literal("none")))
11
+ })) })),
12
+ provisioning: v.optional(v.object({
13
+ user: v.optional(v.object({
14
+ createOnSignIn: v.optional(v.boolean()),
15
+ updateProfileOnLogin: v.optional(v.union(v.literal("never"), v.literal("missing"), v.literal("always"))),
16
+ updateProfileFromScim: v.optional(v.union(v.literal("never"), v.literal("missing"), v.literal("always"))),
17
+ authority: v.optional(v.union(v.literal("app"), v.literal("sso"), v.literal("scim")))
18
+ })),
19
+ scimReuse: v.optional(v.object({ user: v.optional(v.union(v.literal("externalId"), v.literal("none"))) })),
20
+ jit: v.optional(v.object({
21
+ mode: v.optional(v.union(v.literal("off"), v.literal("createUser"), v.literal("createUserAndMembership"))),
22
+ defaultRoleIds: v.optional(v.array(v.string()))
23
+ })),
24
+ deprovision: v.optional(v.object({ mode: v.optional(v.union(v.literal("soft"), v.literal("hard"))) })),
25
+ groups: v.optional(v.object({
26
+ mode: v.optional(v.union(v.literal("ignore"), v.literal("sync"))),
27
+ source: v.optional(v.literal("protocol")),
28
+ mapping: v.optional(v.record(v.string(), v.array(v.string())))
29
+ })),
30
+ roles: v.optional(v.object({
31
+ mode: v.optional(v.union(v.literal("ignore"), v.literal("map"))),
32
+ source: v.optional(v.literal("protocol")),
33
+ mapping: v.optional(v.record(v.string(), v.array(v.string())))
34
+ }))
35
+ }))
36
+ });
37
+ /** @internal Filter validator for mounted group connection list queries. */
38
+ const groupConnectionWhereValidator = v.object({
39
+ groupId: v.optional(v.string()),
40
+ slug: v.optional(v.string()),
41
+ status: v.optional(groupConnectionStatusValidator)
42
+ });
43
+ /** @internal Domain replacement input validator for mounted connection APIs. */
44
+ const groupConnectionDomainInputValidator = v.object({
45
+ domain: v.string(),
46
+ isPrimary: v.optional(v.boolean())
47
+ });
48
+ /** @internal Input validator for connection domain verification actions. */
49
+ const groupConnectionDomainVerificationInputValidator = v.object({
50
+ connectionId: v.string(),
51
+ domain: v.string()
52
+ });
53
+ /** @internal SAML attribute mapping validator for mounted SSO admin APIs. */
54
+ const ssoSamlAttributeMappingValidator = v.object({
55
+ subject: v.optional(v.string()),
56
+ email: v.optional(v.string()),
57
+ name: v.optional(v.string()),
58
+ firstName: v.optional(v.string()),
59
+ lastName: v.optional(v.string()),
60
+ image: v.optional(v.string()),
61
+ groups: v.optional(v.string()),
62
+ roles: v.optional(v.string())
63
+ });
64
+ /** @internal SAML service-provider override validator for mounted admin APIs. */
65
+ const ssoSamlSpValidator = v.object({
66
+ entityId: v.optional(v.string()),
67
+ acsUrl: v.optional(v.string()),
68
+ sloUrl: v.optional(v.string()),
69
+ signingCert: v.optional(v.union(v.string(), v.array(v.string()))),
70
+ encryptCert: v.optional(v.union(v.string(), v.array(v.string()))),
71
+ privateKey: v.optional(v.string()),
72
+ privateKeyPass: v.optional(v.string()),
73
+ encPrivateKey: v.optional(v.string()),
74
+ encPrivateKeyPass: v.optional(v.string())
75
+ });
76
+ /** @internal SAML security validator for mounted admin APIs. */
77
+ const ssoSamlSecurityValidator = v.object({
78
+ requireSignedAssertions: v.optional(v.boolean()),
79
+ requireTimestamps: v.optional(v.boolean()),
80
+ clockSkewSeconds: v.optional(v.number()),
81
+ weakAlgorithmHandling: v.optional(v.union(v.literal("warn"), v.literal("reject"))),
82
+ maxMetadataSize: v.optional(v.number()),
83
+ maxResponseSize: v.optional(v.number())
84
+ });
85
+
86
+ //#endregion
87
+ export { groupConnectionDomainInputValidator, groupConnectionDomainVerificationInputValidator, groupConnectionStatusValidator, groupConnectionWhereValidator, groupPolicyPatchValidator, ssoSamlAttributeMappingValidator, ssoSamlSecurityValidator, ssoSamlSpValidator };
88
+ //# sourceMappingURL=validators.js.map
@@ -0,0 +1,94 @@
1
+ import { createWebhookEndpoint, getWebhookEndpoint, listReadyWebhookDeliveries, listWebhookDeliveries, listWebhookEndpoints, patchWebhookDelivery, updateWebhookEndpoint } from "../contract.js";
2
+ import { ConvexError } from "convex/values";
3
+
4
+ //#region src/server/sso/webhook.ts
5
+ const convexError = (data) => new ConvexError(data);
6
+ function createGroupWebhookDomain(deps) {
7
+ const { config, sha256, loadConnectionOrThrow, recordGroupAuditEvent, emitGroupWebhookDeliveries } = deps;
8
+ return {
9
+ endpoint: {
10
+ get: async (ctx, endpointId) => {
11
+ return await getWebhookEndpoint(ctx, config.component.public, endpointId);
12
+ },
13
+ create: async (ctx, data) => {
14
+ const connection = await loadConnectionOrThrow(ctx, data.connectionId);
15
+ if (connection === null) throw convexError({
16
+ code: "INVALID_PARAMETERS",
17
+ message: "Connection not found."
18
+ });
19
+ const secretHash = await sha256(data.secret);
20
+ const endpointId = await createWebhookEndpoint(ctx, config.component.public, {
21
+ connectionId: connection._id,
22
+ groupId: connection.groupId,
23
+ url: data.url,
24
+ secretHash,
25
+ subscriptions: data.subscriptions,
26
+ createdByUserId: data.createdByUserId
27
+ });
28
+ await recordGroupAuditEvent(ctx, {
29
+ connectionId: connection._id,
30
+ groupId: connection.groupId,
31
+ eventType: "group.sso.webhook.endpoint.created",
32
+ actorType: data.createdByUserId ? "user" : "system",
33
+ actorId: data.createdByUserId,
34
+ subjectType: "group_webhook_endpoint",
35
+ subjectId: endpointId,
36
+ ok: true
37
+ });
38
+ return { endpointId };
39
+ },
40
+ list: async (ctx, connectionId) => {
41
+ return await listWebhookEndpoints(ctx, config.component.public, connectionId);
42
+ },
43
+ disable: async (ctx, endpointId) => {
44
+ await updateWebhookEndpoint(ctx, config.component.public, {
45
+ endpointId,
46
+ data: { status: "disabled" }
47
+ });
48
+ return { endpointId };
49
+ }
50
+ },
51
+ emit: async (ctx, data) => {
52
+ await emitGroupWebhookDeliveries(ctx, data);
53
+ },
54
+ delivery: {
55
+ list: async (ctx, data) => {
56
+ return await listWebhookDeliveries(ctx, config.component.public, data);
57
+ },
58
+ listReady: async (ctx, limit) => {
59
+ return await listReadyWebhookDeliveries(ctx, config.component.public, {
60
+ now: Date.now(),
61
+ limit
62
+ });
63
+ },
64
+ markDelivered: async (ctx, deliveryId, responseStatus) => {
65
+ await patchWebhookDelivery(ctx, config.component.public, {
66
+ deliveryId,
67
+ data: {
68
+ status: "delivered",
69
+ attemptCount: 1,
70
+ lastAttemptAt: Date.now(),
71
+ lastResponseStatus: responseStatus
72
+ }
73
+ });
74
+ },
75
+ markFailed: async (ctx, deliveryId, data) => {
76
+ await patchWebhookDelivery(ctx, config.component.public, {
77
+ deliveryId,
78
+ data: {
79
+ status: data.retryAt ? "pending" : "failed",
80
+ attemptCount: data.attemptCount,
81
+ lastAttemptAt: Date.now(),
82
+ lastResponseStatus: data.responseStatus,
83
+ lastError: data.error,
84
+ nextAttemptAt: data.retryAt ?? Date.now()
85
+ }
86
+ });
87
+ }
88
+ }
89
+ };
90
+ }
91
+
92
+ //#endregion
93
+ export { createGroupWebhookDomain };
94
+ //# sourceMappingURL=webhook.js.map
@@ -1,17 +1,29 @@
1
- import { TOKEN_SUB_CLAIM_DIVIDER, generateRandomString, requireEnv } from "./utils.js";
1
+ import { generateRandomString } from "./random.js";
2
+ import { requireEnv } from "./env.js";
2
3
  import { SignJWT, importPKCS8 } from "jose";
3
4
 
4
5
  //#region src/server/tokens.ts
6
+ const TOKEN_SUB_CLAIM_DIVIDER = "|";
5
7
  const DEFAULT_JWT_DURATION_MS = 1e3 * 60 * 60;
6
8
  const TOKEN_JTI_LENGTH = 24;
7
9
  const TOKEN_JTI_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
10
+ let cachedPrivateKeyPromise = null;
11
+ let cachedIssuer = null;
12
+ const getPrivateKey = () => {
13
+ if (cachedPrivateKeyPromise === null) cachedPrivateKeyPromise = importPKCS8(requireEnv("JWT_PRIVATE_KEY"), "RS256");
14
+ return cachedPrivateKeyPromise;
15
+ };
16
+ const getIssuer = () => {
17
+ if (cachedIssuer === null) cachedIssuer = requireEnv("CONVEX_SITE_URL");
18
+ return cachedIssuer;
19
+ };
8
20
  /** @internal */
9
21
  async function generateToken(args, config) {
10
- const privateKey = await importPKCS8(requireEnv("JWT_PRIVATE_KEY"), "RS256");
22
+ const privateKey = await getPrivateKey();
11
23
  const expirationTime = new Date(Date.now() + (config.jwt?.durationMs ?? DEFAULT_JWT_DURATION_MS));
12
- return await new SignJWT({ sub: args.userId + TOKEN_SUB_CLAIM_DIVIDER + args.sessionId }).setProtectedHeader({ alg: "RS256" }).setIssuedAt().setJti(generateRandomString(TOKEN_JTI_LENGTH, TOKEN_JTI_ALPHABET)).setIssuer(requireEnv("CONVEX_SITE_URL")).setAudience("convex").setExpirationTime(expirationTime).sign(privateKey);
24
+ return await new SignJWT({ sub: args.userId + TOKEN_SUB_CLAIM_DIVIDER + args.sessionId }).setProtectedHeader({ alg: "RS256" }).setIssuedAt().setJti(generateRandomString(TOKEN_JTI_LENGTH, TOKEN_JTI_ALPHABET)).setIssuer(getIssuer()).setAudience("convex").setExpirationTime(expirationTime).sign(privateKey);
13
25
  }
14
26
 
15
27
  //#endregion
16
- export { generateToken };
28
+ export { TOKEN_SUB_CLAIM_DIVIDER, generateToken };
17
29
  //# sourceMappingURL=tokens.js.map
@@ -1,10 +1,10 @@
1
1
  import { userIdFromIdentitySubject } from "./identity.js";
2
- import { callVerifierSignature } from "./mutations/signature.js";
3
2
  import { callSignIn } from "./mutations/signin.js";
4
3
  import { callVerifier } from "./mutations/verifier.js";
4
+ import { authFlowError } from "../shared/errors.js";
5
+ import { toConvexError } from "./errors.js";
5
6
  import { mutateTotpInsert, mutateTotpMarkVerified, mutateTotpUpdateLastUsed, mutateVerifierDelete, queryTotpById, queryTotpVerifiedByUserId, queryUserById, queryVerifierById } from "./types.js";
6
- import { Fx } from "@robelest/fx";
7
- import { Cv } from "@robelest/fx/convex";
7
+ import { ConvexError } from "convex/values";
8
8
  import { encodeBase32LowerCaseNoPadding } from "@oslojs/encoding";
9
9
  import { createTOTPKeyURI, verifyTOTPWithGracePeriod } from "@oslojs/otp";
10
10
 
@@ -22,185 +22,176 @@ const TOTP_FLOWS = [
22
22
  "confirm",
23
23
  "verify"
24
24
  ];
25
- const resolveTotpFlowFx = (params) => {
25
+ const convexError = (code, message) => toConvexError(authFlowError(code, message));
26
+ const asConvexError = (error, code, message) => error instanceof ConvexError ? error : error instanceof Error ? toConvexError(authFlowError(code, error.message || message)) : convexError(code, message);
27
+ function resolveTotpFlow(params) {
26
28
  const flow = params.flow;
27
- return typeof flow === "string" && TOTP_FLOWS.includes(flow) ? Fx.succeed(flow) : Cv.fail({
28
- code: "TOTP_MISSING_FLOW",
29
- message: "Missing `flow` parameter. Expected one of: setup, confirm, verify"
30
- });
31
- };
32
- const requireTotpVerifierFx = (verifier) => verifier != null ? Fx.succeed(verifier) : Cv.fail({
33
- code: "TOTP_MISSING_VERIFIER",
34
- message: "Missing verifier for TOTP operation."
35
- });
36
- const requireTotpCodeFx = (params) => typeof params.code === "string" ? Fx.succeed(params.code) : Cv.fail({
37
- code: "TOTP_MISSING_CODE",
38
- message: "Missing TOTP code."
39
- });
40
- const requireTotpIdFx = (params) => typeof params.totpId === "string" ? Fx.succeed(params.totpId) : Cv.fail({
41
- code: "TOTP_MISSING_ID",
42
- message: "Missing TOTP enrollment ID."
43
- });
44
- const resolveTotpDispatchFx = (params, verifier) => resolveTotpFlowFx(params).pipe(Fx.chain((flow) => Fx.match({ flow }).on("flow", {
45
- setup: () => Fx.succeed({
29
+ if (typeof flow === "string" && TOTP_FLOWS.includes(flow)) return flow;
30
+ throw convexError("TOTP_MISSING_FLOW", "Missing `flow` parameter. Expected one of: setup, confirm, verify");
31
+ }
32
+ function requireTotpVerifier(verifier) {
33
+ if (verifier != null) return verifier;
34
+ throw convexError("TOTP_MISSING_VERIFIER", "Missing verifier for TOTP operation.");
35
+ }
36
+ function requireTotpCode(params) {
37
+ if (typeof params.code === "string") return params.code;
38
+ throw convexError("TOTP_MISSING_CODE", "Missing TOTP code.");
39
+ }
40
+ function requireTotpId(params) {
41
+ if (typeof params.totpId === "string") return params.totpId;
42
+ throw convexError("TOTP_MISSING_ID", "Missing TOTP enrollment ID.");
43
+ }
44
+ function resolveTotpDispatch(params, verifier) {
45
+ const flow = resolveTotpFlow(params);
46
+ if (flow === "setup") return {
46
47
  flow: "setup",
47
48
  params
48
- }),
49
- confirm: () => Fx.gen(function* () {
50
- const resolvedVerifier = yield* requireTotpVerifierFx(verifier);
49
+ };
50
+ if (flow === "confirm") {
51
+ const resolvedVerifier$1 = requireTotpVerifier(verifier);
51
52
  return {
52
53
  flow: "confirm",
53
- code: yield* requireTotpCodeFx(params),
54
- totpId: yield* requireTotpIdFx(params),
55
- verifier: resolvedVerifier
56
- };
57
- }),
58
- verify: () => Fx.gen(function* () {
59
- const resolvedVerifier = yield* requireTotpVerifierFx(verifier);
60
- return {
61
- flow: "verify",
62
- code: yield* requireTotpCodeFx(params),
63
- verifier: resolvedVerifier
54
+ code: requireTotpCode(params),
55
+ totpId: requireTotpId(params),
56
+ verifier: resolvedVerifier$1
64
57
  };
65
- })
66
- })));
58
+ }
59
+ const resolvedVerifier = requireTotpVerifier(verifier);
60
+ return {
61
+ flow: "verify",
62
+ code: requireTotpCode(params),
63
+ verifier: resolvedVerifier
64
+ };
65
+ }
66
+ async function requireAuthenticatedUserId(ctx) {
67
+ let identity;
68
+ try {
69
+ identity = await ctx.auth.getUserIdentity();
70
+ } catch (error) {
71
+ throw asConvexError(error, "INTERNAL_ERROR", String(error));
72
+ }
73
+ if (identity === null) throw convexError("TOTP_AUTH_REQUIRED", "Sign in first, then set up two-factor authentication.");
74
+ return userIdFromIdentitySubject(identity.subject);
75
+ }
67
76
  /** @internal */
68
- const handleTotp = (ctx, provider, args) => {
69
- return resolveTotpDispatchFx(args.params ?? {}, args.verifier).pipe(Fx.chain((dispatch) => Fx.match(dispatch).on("flow", {
70
- setup: ({ params }) => Fx.from({
71
- ok: () => ctx.auth.getUserIdentity(),
72
- err: (e) => Cv.error({
73
- code: "INTERNAL_ERROR",
74
- message: String(e)
75
- })
76
- }).pipe(Fx.chain((identity) => identity === null ? Cv.fail({
77
- code: "TOTP_AUTH_REQUIRED",
78
- message: "Sign in first, then set up two-factor authentication."
79
- }) : Fx.succeed(userIdFromIdentitySubject(identity.subject))), Fx.chain((userId) => Fx.from({
80
- ok: async () => {
81
- const secret = new Uint8Array(20);
82
- crypto.getRandomValues(secret);
83
- let accountName = params.accountName;
84
- if (!accountName) accountName = (await queryUserById(ctx, userId))?.email ?? "user";
85
- const uri = createTOTPKeyURI(provider.options.issuer, accountName, secret, provider.options.period, provider.options.digits);
86
- const base32Secret = encodeBase32LowerCaseNoPadding(secret);
87
- const verifier = await callVerifier(ctx);
88
- await callVerifierSignature(ctx, {
89
- verifier,
90
- signature: JSON.stringify({
91
- secret: Array.from(secret),
92
- userId,
93
- digits: provider.options.digits,
94
- period: provider.options.period
95
- })
77
+ const handleTotp = async (ctx, provider, args) => {
78
+ const dispatch = resolveTotpDispatch(args.params ?? {}, args.verifier);
79
+ const handler = {
80
+ setup: async () => {
81
+ const { params: setupParams } = dispatch;
82
+ const userId = await requireAuthenticatedUserId(ctx);
83
+ const secret = new Uint8Array(20);
84
+ crypto.getRandomValues(secret);
85
+ let accountName = setupParams.accountName;
86
+ if (!accountName) {
87
+ let user;
88
+ try {
89
+ user = await queryUserById(ctx, userId);
90
+ } catch (error) {
91
+ throw asConvexError(error, "INTERNAL_ERROR", `TOTP setup failed: ${String(error)}`);
92
+ }
93
+ accountName = user?.email ?? "user";
94
+ }
95
+ const uri = createTOTPKeyURI(provider.options.issuer, accountName, secret, provider.options.period, provider.options.digits);
96
+ const base32Secret = encodeBase32LowerCaseNoPadding(secret);
97
+ let verifier;
98
+ try {
99
+ verifier = await callVerifier(ctx, JSON.stringify({
100
+ secret: Array.from(secret),
101
+ userId,
102
+ digits: provider.options.digits,
103
+ period: provider.options.period
104
+ }));
105
+ } catch (error) {
106
+ throw asConvexError(error, "INTERNAL_ERROR", `TOTP setup failed: ${String(error)}`);
107
+ }
108
+ let totpId;
109
+ try {
110
+ totpId = await mutateTotpInsert(ctx, {
111
+ userId,
112
+ secret: secret.buffer.slice(secret.byteOffset, secret.byteOffset + secret.byteLength),
113
+ digits: provider.options.digits,
114
+ period: provider.options.period,
115
+ verified: false,
116
+ name: typeof setupParams.name === "string" ? setupParams.name : void 0,
117
+ createdAt: Date.now()
96
118
  });
97
- return {
98
- kind: "totpSetup",
99
- uri,
100
- secret: base32Secret,
101
- verifier,
102
- totpId: await mutateTotpInsert(ctx, {
103
- userId,
104
- secret: secret.buffer.slice(secret.byteOffset, secret.byteOffset + secret.byteLength),
105
- digits: provider.options.digits,
106
- period: provider.options.period,
107
- verified: false,
108
- name: typeof params.name === "string" ? params.name : void 0,
109
- createdAt: Date.now()
110
- })
111
- };
112
- },
113
- err: (e) => Cv.error({
114
- code: "INTERNAL_ERROR",
115
- message: `TOTP setup failed: ${String(e)}`
116
- })
117
- }))),
118
- confirm: ({ code, totpId, verifier }) => Fx.from({
119
- ok: () => ctx.auth.getUserIdentity(),
120
- err: (e) => Cv.error({
121
- code: "INTERNAL_ERROR",
122
- message: String(e)
123
- })
124
- }).pipe(Fx.chain((identity) => identity === null ? Cv.fail({
125
- code: "TOTP_AUTH_REQUIRED",
126
- message: "Sign in first, then set up two-factor authentication."
127
- }) : Fx.succeed(userIdFromIdentitySubject(identity.subject))), Fx.chain((userId) => Fx.from({
128
- ok: () => queryTotpById(ctx, totpId),
129
- err: () => Cv.error({
130
- code: "TOTP_NOT_FOUND",
131
- message: "TOTP enrollment not found."
132
- })
133
- }).pipe(Fx.chain((doc) => doc === null ? Cv.fail({
134
- code: "TOTP_NOT_FOUND",
135
- message: "TOTP enrollment not found."
136
- }) : Fx.succeed(doc)), Fx.chain((totpDoc) => totpDoc.verified ? Cv.fail({
137
- code: "TOTP_ALREADY_VERIFIED",
138
- message: "TOTP enrollment is already verified."
139
- }) : Fx.succeed(totpDoc))).pipe(Fx.chain((totpDoc) => verifyTOTPWithGracePeriod(new Uint8Array(totpDoc.secret), provider.options.period, provider.options.digits, code, 30) ? Fx.succeed(totpDoc) : Cv.fail({
140
- code: "TOTP_INVALID_CODE",
141
- message: "Invalid TOTP code."
142
- }))).pipe(Fx.chain((_totpDoc) => Fx.from({
143
- ok: async () => {
119
+ } catch (error) {
120
+ throw asConvexError(error, "INTERNAL_ERROR", `TOTP setup failed: ${String(error)}`);
121
+ }
122
+ return {
123
+ kind: "totpSetup",
124
+ uri,
125
+ secret: base32Secret,
126
+ verifier,
127
+ totpId
128
+ };
129
+ },
130
+ confirm: async () => {
131
+ const { code, totpId, verifier } = dispatch;
132
+ const userId = await requireAuthenticatedUserId(ctx);
133
+ let doc;
134
+ try {
135
+ doc = await queryTotpById(ctx, totpId);
136
+ } catch {
137
+ throw convexError("TOTP_NOT_FOUND", "TOTP enrollment not found.");
138
+ }
139
+ if (doc === null) throw convexError("TOTP_NOT_FOUND", "TOTP enrollment not found.");
140
+ if (doc.verified) throw convexError("TOTP_ALREADY_VERIFIED", "TOTP enrollment is already verified.");
141
+ if (!verifyTOTPWithGracePeriod(new Uint8Array(doc.secret), provider.options.period, provider.options.digits, code, 30)) throw convexError("TOTP_INVALID_CODE", "Invalid TOTP code.");
142
+ let signInResult;
143
+ try {
144
144
  await mutateTotpMarkVerified(ctx, totpId, Date.now());
145
145
  await mutateVerifierDelete(ctx, verifier);
146
- return callSignIn(ctx, {
146
+ signInResult = await callSignIn(ctx, {
147
147
  userId,
148
148
  generateTokens: true
149
149
  });
150
- },
151
- err: (e) => Cv.error({
152
- code: "INTERNAL_ERROR",
153
- message: String(e)
154
- })
155
- }))).pipe(Fx.map((signInResult) => ({
156
- kind: "signedIn",
157
- signedIn: signInResult
158
- }))))),
159
- verify: ({ code, verifier }) => Fx.from({
160
- ok: () => queryVerifierById(ctx, verifier),
161
- err: () => Cv.error({
162
- code: "TOTP_INVALID_VERIFIER",
163
- message: "Invalid or expired TOTP verifier."
164
- })
165
- }).pipe(Fx.chain((doc) => doc === null ? Cv.fail({
166
- code: "TOTP_INVALID_VERIFIER",
167
- message: "Invalid or expired TOTP verifier."
168
- }) : Fx.succeed(doc)), Fx.map((doc) => {
150
+ } catch (error) {
151
+ throw asConvexError(error, "INTERNAL_ERROR", String(error));
152
+ }
169
153
  return {
170
- userId: JSON.parse(doc.signature).userId,
171
- code,
172
- verifier
154
+ kind: "signedIn",
155
+ signedIn: signInResult
173
156
  };
174
- }), Fx.chain(({ userId, code: code$1, verifier: verifier$1 }) => Fx.from({
175
- ok: () => queryTotpVerifiedByUserId(ctx, userId),
176
- err: () => Cv.error({
177
- code: "TOTP_NO_ENROLLMENT",
178
- message: "No verified TOTP enrollment found."
179
- })
180
- }).pipe(Fx.chain((totpDoc) => totpDoc === null ? Cv.fail({
181
- code: "TOTP_NO_ENROLLMENT",
182
- message: "No verified TOTP enrollment found."
183
- }) : Fx.succeed(totpDoc)), Fx.chain((totpDoc) => verifyTOTPWithGracePeriod(new Uint8Array(totpDoc.secret), totpDoc.period, totpDoc.digits, code$1, 30) ? Fx.succeed(totpDoc) : Cv.fail({
184
- code: "TOTP_INVALID_CODE",
185
- message: "Invalid TOTP code."
186
- })), Fx.chain((totpDoc) => Fx.from({
187
- ok: async () => {
188
- await mutateTotpUpdateLastUsed(ctx, totpDoc._id, Date.now());
189
- await mutateVerifierDelete(ctx, verifier$1);
190
- return callSignIn(ctx, {
157
+ },
158
+ verify: async () => {
159
+ const { code, verifier } = dispatch;
160
+ let doc;
161
+ try {
162
+ doc = await queryVerifierById(ctx, verifier);
163
+ } catch {
164
+ throw convexError("TOTP_INVALID_VERIFIER", "Invalid or expired TOTP verifier.");
165
+ }
166
+ if (doc === null) throw convexError("TOTP_INVALID_VERIFIER", "Invalid or expired TOTP verifier.");
167
+ const userId = JSON.parse(doc.signature).userId;
168
+ let totp;
169
+ try {
170
+ totp = await queryTotpVerifiedByUserId(ctx, userId);
171
+ } catch {
172
+ throw convexError("TOTP_NO_ENROLLMENT", "No verified TOTP enrollment found.");
173
+ }
174
+ if (totp === null) throw convexError("TOTP_NO_ENROLLMENT", "No verified TOTP enrollment found.");
175
+ if (!verifyTOTPWithGracePeriod(new Uint8Array(totp.secret), totp.period, totp.digits, code, 30)) throw convexError("TOTP_INVALID_CODE", "Invalid TOTP code.");
176
+ let signInResult;
177
+ try {
178
+ await mutateTotpUpdateLastUsed(ctx, totp._id, Date.now());
179
+ await mutateVerifierDelete(ctx, verifier);
180
+ signInResult = await callSignIn(ctx, {
191
181
  userId,
192
182
  generateTokens: true
193
183
  });
194
- },
195
- err: (e) => Cv.error({
196
- code: "INTERNAL_ERROR",
197
- message: String(e)
198
- })
199
- })), Fx.map((signInResult) => ({
200
- kind: "signedIn",
201
- signedIn: signInResult
202
- })))))
203
- })));
184
+ } catch (error) {
185
+ throw asConvexError(error, "INTERNAL_ERROR", String(error));
186
+ }
187
+ return {
188
+ kind: "signedIn",
189
+ signedIn: signInResult
190
+ };
191
+ }
192
+ }[dispatch.flow];
193
+ if (!handler) throw convexError("TOTP_MISSING_FLOW", `Unknown TOTP flow: ${dispatch.flow}`);
194
+ return handler();
204
195
  };
205
196
 
206
197
  //#endregion