@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

Files changed (666)
  1. package/README.md +43 -36
  2. package/dist/bin.js +5765 -4880
  3. package/dist/browser/index.d.ts +30 -0
  4. package/dist/browser/index.js +93 -0
  5. package/dist/browser/locks.js +11 -0
  6. package/dist/browser/navigation.js +14 -0
  7. package/dist/{factors → browser}/passkey.js +23 -32
  8. package/dist/browser/runtime.js +92 -0
  9. package/dist/client/core/types.d.ts +452 -5
  10. package/dist/client/core/types.js +17 -0
  11. package/dist/client/errors.js +19 -0
  12. package/dist/client/factors/device.js +94 -0
  13. package/dist/{factors → client/factors}/totp.js +12 -4
  14. package/dist/client/index.d.ts +47 -1
  15. package/dist/client/index.js +269 -232
  16. package/dist/client/runtime/mutex.js +24 -0
  17. package/dist/client/runtime/proxy.js +30 -0
  18. package/dist/client/runtime/storage.js +45 -0
  19. package/dist/client/services/adapters.js +7 -0
  20. package/dist/client/services/http.js +6 -0
  21. package/dist/client/services/resolve.js +13 -0
  22. package/dist/client/services/runtime.js +6 -0
  23. package/dist/component/_generated/component.d.ts +1355 -1399
  24. package/dist/component/convex.config.d.ts +2 -2
  25. package/dist/component/index.d.ts +4 -26
  26. package/dist/component/index.js +1 -1
  27. package/dist/component/model.d.ts +26 -112
  28. package/dist/component/model.js +76 -54
  29. package/dist/component/modules.js +38 -0
  30. package/dist/component/public/factors/devices.js +1 -1
  31. package/dist/component/public/factors/passkeys.js +1 -1
  32. package/dist/component/public/factors/totp.js +1 -1
  33. package/dist/component/public/groups/core.js +2 -2
  34. package/dist/component/public/groups/invites.js +1 -1
  35. package/dist/component/public/groups/members.js +1 -1
  36. package/dist/component/public/identity/accounts.js +1 -1
  37. package/dist/component/public/identity/codes.js +1 -1
  38. package/dist/component/public/identity/sessions.js +39 -2
  39. package/dist/component/public/identity/tokens.js +82 -4
  40. package/dist/component/public/identity/users.js +1 -1
  41. package/dist/component/public/identity/verifiers.js +10 -4
  42. package/dist/component/public/security/keys.js +1 -1
  43. package/dist/component/public/security/limits.js +1 -1
  44. package/dist/component/public/{enterprise → sso}/audit.js +26 -26
  45. package/dist/component/public/sso/core.js +263 -0
  46. package/dist/component/public/sso/domains.js +280 -0
  47. package/dist/component/public/{enterprise → sso}/scim.js +87 -87
  48. package/dist/component/public/sso/secrets.js +125 -0
  49. package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
  50. package/dist/component/public.js +9 -9
  51. package/dist/component/schema.d.ts +472 -393
  52. package/dist/component/schema.js +36 -35
  53. package/dist/core/index.d.ts +380 -0
  54. package/dist/core/index.js +83 -0
  55. package/dist/otel.d.ts +69 -0
  56. package/dist/otel.js +82 -0
  57. package/dist/providers/anonymous.d.ts +15 -34
  58. package/dist/providers/anonymous.js +27 -35
  59. package/dist/providers/apple.d.ts +59 -0
  60. package/dist/providers/apple.js +58 -0
  61. package/dist/providers/credentials.d.ts +18 -34
  62. package/dist/providers/credentials.js +16 -27
  63. package/dist/providers/custom.d.ts +94 -0
  64. package/dist/providers/custom.js +119 -0
  65. package/dist/providers/device.d.ts +15 -49
  66. package/dist/providers/device.js +17 -34
  67. package/dist/providers/email.d.ts +21 -38
  68. package/dist/providers/email.js +36 -55
  69. package/dist/providers/github.d.ts +54 -0
  70. package/dist/providers/github.js +75 -0
  71. package/dist/providers/google.d.ts +54 -0
  72. package/dist/providers/google.js +61 -0
  73. package/dist/providers/index.d.ts +16 -12
  74. package/dist/providers/index.js +15 -11
  75. package/dist/providers/microsoft.d.ts +57 -0
  76. package/dist/providers/microsoft.js +101 -0
  77. package/dist/providers/passkey.d.ts +19 -35
  78. package/dist/providers/passkey.js +20 -30
  79. package/dist/providers/password.d.ts +17 -18
  80. package/dist/providers/password.js +121 -143
  81. package/dist/providers/phone.d.ts +13 -28
  82. package/dist/providers/phone.js +21 -46
  83. package/dist/providers/sso.d.ts +16 -36
  84. package/dist/providers/sso.js +21 -22
  85. package/dist/providers/totp.d.ts +13 -29
  86. package/dist/providers/totp.js +17 -27
  87. package/dist/server/auth-context.d.ts +204 -0
  88. package/dist/server/auth-context.js +76 -0
  89. package/dist/server/auth.d.ts +99 -244
  90. package/dist/server/auth.js +56 -152
  91. package/dist/server/componentContext.d.ts +12 -0
  92. package/dist/server/componentContext.js +1 -0
  93. package/dist/server/config.js +6 -67
  94. package/dist/server/constants.js +6 -0
  95. package/dist/server/contract.d.ts +105 -0
  96. package/dist/server/contract.js +43 -0
  97. package/dist/server/cookies.js +3 -2
  98. package/dist/server/core.js +31 -36
  99. package/dist/server/crypto.js +34 -44
  100. package/dist/server/db.js +6 -1
  101. package/dist/server/device.js +96 -130
  102. package/dist/server/env.js +48 -0
  103. package/dist/server/errors.js +20 -0
  104. package/dist/server/http.d.ts +15 -59
  105. package/dist/server/http.js +136 -120
  106. package/dist/server/identity.js +2 -2
  107. package/dist/server/index.d.ts +5 -4
  108. package/dist/server/index.js +3 -3
  109. package/dist/server/keys.js +10 -1
  110. package/dist/server/limits.js +26 -26
  111. package/dist/server/log.js +28 -0
  112. package/dist/server/mounts.d.ts +1107 -296
  113. package/dist/server/mounts.js +315 -196
  114. package/dist/server/mutations/account.js +11 -14
  115. package/dist/server/mutations/code.js +6 -5
  116. package/dist/server/mutations/invalidate.js +9 -11
  117. package/dist/server/mutations/oauth.js +112 -73
  118. package/dist/server/mutations/refresh.js +47 -97
  119. package/dist/server/mutations/register.js +37 -35
  120. package/dist/server/mutations/retrieve.js +16 -16
  121. package/dist/server/mutations/signature.js +15 -18
  122. package/dist/server/mutations/signin.js +10 -5
  123. package/dist/server/mutations/signout.js +11 -14
  124. package/dist/server/mutations/store.js +25 -18
  125. package/dist/server/mutations/verifier.js +11 -8
  126. package/dist/server/mutations/verify.js +53 -41
  127. package/dist/server/oauth/factory.js +44 -0
  128. package/dist/server/oauth/index.js +12 -0
  129. package/dist/server/oauth/runtime.js +248 -0
  130. package/dist/server/passkey.js +331 -365
  131. package/dist/server/payloads.d.ts +16 -0
  132. package/dist/server/payloads.js +30 -0
  133. package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
  134. package/dist/server/prefetch.js +635 -0
  135. package/dist/server/random.js +19 -0
  136. package/dist/server/redirects.js +10 -5
  137. package/dist/server/refresh.js +14 -86
  138. package/dist/server/runtime.d.ts +531 -31
  139. package/dist/server/runtime.js +106 -267
  140. package/dist/server/secret.js +44 -0
  141. package/dist/server/services/config.js +10 -0
  142. package/dist/server/services/group.js +211 -0
  143. package/dist/server/services/logger.js +8 -0
  144. package/dist/server/services/providers.js +22 -0
  145. package/dist/server/services/refresh.js +8 -0
  146. package/dist/server/services/resolve.js +27 -0
  147. package/dist/server/services/signin.js +8 -0
  148. package/dist/server/sessions.js +35 -34
  149. package/dist/server/signin.js +229 -140
  150. package/dist/server/{enterprise → sso}/config.js +10 -3
  151. package/dist/server/sso/domain.d.ts +614 -0
  152. package/dist/server/sso/domain.js +1175 -0
  153. package/dist/server/sso/http.js +1060 -0
  154. package/dist/server/sso/oidc.js +324 -0
  155. package/dist/server/sso/policies.js +59 -0
  156. package/dist/server/sso/policy.js +139 -0
  157. package/dist/server/sso/profile.js +22 -0
  158. package/dist/server/sso/provision.js +179 -0
  159. package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
  160. package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
  161. package/dist/server/sso/shared.js +74 -0
  162. package/dist/server/sso/validators.js +88 -0
  163. package/dist/server/sso/webhook.js +94 -0
  164. package/dist/server/tokens.js +16 -4
  165. package/dist/server/totp.js +155 -164
  166. package/dist/server/types.d.ts +306 -296
  167. package/dist/server/types.js +1 -30
  168. package/dist/server/url.js +32 -0
  169. package/dist/server/users.js +74 -40
  170. package/dist/server/utils/cache.js +51 -0
  171. package/dist/server/utils/dispatch.js +36 -0
  172. package/dist/server/utils/retry.js +24 -0
  173. package/dist/server/utils/span.js +32 -0
  174. package/dist/shared/errors.js +19 -0
  175. package/dist/shared/log.js +45 -0
  176. package/{src/test.ts → dist/test.d.ts} +21 -22
  177. package/dist/test.js +51 -0
  178. package/package.json +70 -42
  179. package/dist/authorization/index.d.ts.map +0 -1
  180. package/dist/authorization/index.js.map +0 -1
  181. package/dist/client/core/types.d.ts.map +0 -1
  182. package/dist/client/index.d.ts.map +0 -1
  183. package/dist/client/index.js.map +0 -1
  184. package/dist/component/_generated/api.d.ts +0 -75
  185. package/dist/component/_generated/api.d.ts.map +0 -1
  186. package/dist/component/_generated/api.js.map +0 -1
  187. package/dist/component/_generated/component.d.ts.map +0 -1
  188. package/dist/component/_generated/dataModel.d.ts +0 -42
  189. package/dist/component/_generated/dataModel.d.ts.map +0 -1
  190. package/dist/component/_generated/server.d.ts +0 -117
  191. package/dist/component/_generated/server.d.ts.map +0 -1
  192. package/dist/component/_generated/server.js.map +0 -1
  193. package/dist/component/_virtual/rolldown_runtime.js +0 -18
  194. package/dist/component/client/core/types.d.ts +0 -2
  195. package/dist/component/client/index.d.ts +0 -1
  196. package/dist/component/convex.config.d.ts.map +0 -1
  197. package/dist/component/convex.config.js.map +0 -1
  198. package/dist/component/functions.d.ts +0 -25
  199. package/dist/component/functions.d.ts.map +0 -1
  200. package/dist/component/functions.js.map +0 -1
  201. package/dist/component/index.d.ts.map +0 -1
  202. package/dist/component/model.d.ts.map +0 -1
  203. package/dist/component/model.js.map +0 -1
  204. package/dist/component/providers/anonymous.d.ts +0 -54
  205. package/dist/component/providers/anonymous.d.ts.map +0 -1
  206. package/dist/component/providers/credentials.d.ts +0 -38
  207. package/dist/component/providers/credentials.d.ts.map +0 -1
  208. package/dist/component/providers/device.d.ts +0 -67
  209. package/dist/component/providers/device.d.ts.map +0 -1
  210. package/dist/component/providers/email.d.ts +0 -62
  211. package/dist/component/providers/email.d.ts.map +0 -1
  212. package/dist/component/providers/oauth.d.ts +0 -25
  213. package/dist/component/providers/oauth.d.ts.map +0 -1
  214. package/dist/component/providers/oauth.js +0 -13
  215. package/dist/component/providers/oauth.js.map +0 -1
  216. package/dist/component/providers/passkey.d.ts +0 -57
  217. package/dist/component/providers/passkey.d.ts.map +0 -1
  218. package/dist/component/providers/password.d.ts +0 -88
  219. package/dist/component/providers/password.d.ts.map +0 -1
  220. package/dist/component/providers/phone.d.ts +0 -48
  221. package/dist/component/providers/phone.d.ts.map +0 -1
  222. package/dist/component/providers/sso.d.ts +0 -50
  223. package/dist/component/providers/sso.d.ts.map +0 -1
  224. package/dist/component/providers/totp.d.ts +0 -45
  225. package/dist/component/providers/totp.d.ts.map +0 -1
  226. package/dist/component/public/enterprise/audit.d.ts +0 -73
  227. package/dist/component/public/enterprise/audit.d.ts.map +0 -1
  228. package/dist/component/public/enterprise/audit.js.map +0 -1
  229. package/dist/component/public/enterprise/core.d.ts +0 -176
  230. package/dist/component/public/enterprise/core.d.ts.map +0 -1
  231. package/dist/component/public/enterprise/core.js +0 -292
  232. package/dist/component/public/enterprise/core.js.map +0 -1
  233. package/dist/component/public/enterprise/domains.d.ts +0 -174
  234. package/dist/component/public/enterprise/domains.d.ts.map +0 -1
  235. package/dist/component/public/enterprise/domains.js +0 -271
  236. package/dist/component/public/enterprise/domains.js.map +0 -1
  237. package/dist/component/public/enterprise/scim.d.ts +0 -245
  238. package/dist/component/public/enterprise/scim.d.ts.map +0 -1
  239. package/dist/component/public/enterprise/scim.js.map +0 -1
  240. package/dist/component/public/enterprise/secrets.d.ts +0 -78
  241. package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
  242. package/dist/component/public/enterprise/secrets.js +0 -118
  243. package/dist/component/public/enterprise/secrets.js.map +0 -1
  244. package/dist/component/public/enterprise/webhooks.d.ts +0 -211
  245. package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
  246. package/dist/component/public/enterprise/webhooks.js.map +0 -1
  247. package/dist/component/public/factors/devices.d.ts +0 -157
  248. package/dist/component/public/factors/devices.d.ts.map +0 -1
  249. package/dist/component/public/factors/devices.js.map +0 -1
  250. package/dist/component/public/factors/passkeys.d.ts +0 -175
  251. package/dist/component/public/factors/passkeys.d.ts.map +0 -1
  252. package/dist/component/public/factors/passkeys.js.map +0 -1
  253. package/dist/component/public/factors/totp.d.ts +0 -189
  254. package/dist/component/public/factors/totp.d.ts.map +0 -1
  255. package/dist/component/public/factors/totp.js.map +0 -1
  256. package/dist/component/public/groups/core.d.ts +0 -137
  257. package/dist/component/public/groups/core.d.ts.map +0 -1
  258. package/dist/component/public/groups/core.js.map +0 -1
  259. package/dist/component/public/groups/invites.d.ts +0 -217
  260. package/dist/component/public/groups/invites.d.ts.map +0 -1
  261. package/dist/component/public/groups/invites.js.map +0 -1
  262. package/dist/component/public/groups/members.d.ts +0 -204
  263. package/dist/component/public/groups/members.d.ts.map +0 -1
  264. package/dist/component/public/groups/members.js.map +0 -1
  265. package/dist/component/public/identity/accounts.d.ts +0 -147
  266. package/dist/component/public/identity/accounts.d.ts.map +0 -1
  267. package/dist/component/public/identity/accounts.js.map +0 -1
  268. package/dist/component/public/identity/codes.d.ts +0 -104
  269. package/dist/component/public/identity/codes.d.ts.map +0 -1
  270. package/dist/component/public/identity/codes.js.map +0 -1
  271. package/dist/component/public/identity/sessions.d.ts +0 -128
  272. package/dist/component/public/identity/sessions.d.ts.map +0 -1
  273. package/dist/component/public/identity/sessions.js.map +0 -1
  274. package/dist/component/public/identity/tokens.d.ts +0 -169
  275. package/dist/component/public/identity/tokens.d.ts.map +0 -1
  276. package/dist/component/public/identity/tokens.js.map +0 -1
  277. package/dist/component/public/identity/users.d.ts +0 -212
  278. package/dist/component/public/identity/users.d.ts.map +0 -1
  279. package/dist/component/public/identity/users.js.map +0 -1
  280. package/dist/component/public/identity/verifiers.d.ts +0 -116
  281. package/dist/component/public/identity/verifiers.d.ts.map +0 -1
  282. package/dist/component/public/identity/verifiers.js.map +0 -1
  283. package/dist/component/public/security/keys.d.ts +0 -209
  284. package/dist/component/public/security/keys.d.ts.map +0 -1
  285. package/dist/component/public/security/keys.js.map +0 -1
  286. package/dist/component/public/security/limits.d.ts +0 -114
  287. package/dist/component/public/security/limits.d.ts.map +0 -1
  288. package/dist/component/public/security/limits.js.map +0 -1
  289. package/dist/component/public.d.ts +0 -28
  290. package/dist/component/public.d.ts.map +0 -1
  291. package/dist/component/schema.d.ts.map +0 -1
  292. package/dist/component/schema.js.map +0 -1
  293. package/dist/component/server/auth.d.ts +0 -447
  294. package/dist/component/server/auth.d.ts.map +0 -1
  295. package/dist/component/server/auth.js +0 -254
  296. package/dist/component/server/auth.js.map +0 -1
  297. package/dist/component/server/config.js +0 -121
  298. package/dist/component/server/config.js.map +0 -1
  299. package/dist/component/server/context.js +0 -53
  300. package/dist/component/server/context.js.map +0 -1
  301. package/dist/component/server/cookies.js +0 -47
  302. package/dist/component/server/cookies.js.map +0 -1
  303. package/dist/component/server/core.js +0 -576
  304. package/dist/component/server/core.js.map +0 -1
  305. package/dist/component/server/crypto.js +0 -56
  306. package/dist/component/server/crypto.js.map +0 -1
  307. package/dist/component/server/db.js +0 -87
  308. package/dist/component/server/db.js.map +0 -1
  309. package/dist/component/server/device.js +0 -152
  310. package/dist/component/server/device.js.map +0 -1
  311. package/dist/component/server/enterprise/config.js +0 -46
  312. package/dist/component/server/enterprise/config.js.map +0 -1
  313. package/dist/component/server/enterprise/domain.js +0 -974
  314. package/dist/component/server/enterprise/domain.js.map +0 -1
  315. package/dist/component/server/enterprise/http.js +0 -787
  316. package/dist/component/server/enterprise/http.js.map +0 -1
  317. package/dist/component/server/enterprise/oidc.js +0 -248
  318. package/dist/component/server/enterprise/oidc.js.map +0 -1
  319. package/dist/component/server/enterprise/policy.js +0 -85
  320. package/dist/component/server/enterprise/policy.js.map +0 -1
  321. package/dist/component/server/enterprise/saml.js.map +0 -1
  322. package/dist/component/server/enterprise/scim.js.map +0 -1
  323. package/dist/component/server/enterprise/shared.js +0 -51
  324. package/dist/component/server/enterprise/shared.js.map +0 -1
  325. package/dist/component/server/http.d.ts +0 -85
  326. package/dist/component/server/http.d.ts.map +0 -1
  327. package/dist/component/server/http.js +0 -351
  328. package/dist/component/server/http.js.map +0 -1
  329. package/dist/component/server/identity.js +0 -16
  330. package/dist/component/server/identity.js.map +0 -1
  331. package/dist/component/server/keys.js +0 -96
  332. package/dist/component/server/keys.js.map +0 -1
  333. package/dist/component/server/limits.js +0 -52
  334. package/dist/component/server/limits.js.map +0 -1
  335. package/dist/component/server/mutations/account.js +0 -46
  336. package/dist/component/server/mutations/account.js.map +0 -1
  337. package/dist/component/server/mutations/code.js +0 -68
  338. package/dist/component/server/mutations/code.js.map +0 -1
  339. package/dist/component/server/mutations/invalidate.js +0 -32
  340. package/dist/component/server/mutations/invalidate.js.map +0 -1
  341. package/dist/component/server/mutations/oauth.js +0 -116
  342. package/dist/component/server/mutations/oauth.js.map +0 -1
  343. package/dist/component/server/mutations/refresh.js +0 -119
  344. package/dist/component/server/mutations/refresh.js.map +0 -1
  345. package/dist/component/server/mutations/register.js +0 -87
  346. package/dist/component/server/mutations/register.js.map +0 -1
  347. package/dist/component/server/mutations/retrieve.js +0 -61
  348. package/dist/component/server/mutations/retrieve.js.map +0 -1
  349. package/dist/component/server/mutations/signature.js +0 -38
  350. package/dist/component/server/mutations/signature.js.map +0 -1
  351. package/dist/component/server/mutations/signin.js +0 -27
  352. package/dist/component/server/mutations/signin.js.map +0 -1
  353. package/dist/component/server/mutations/signout.js +0 -27
  354. package/dist/component/server/mutations/signout.js.map +0 -1
  355. package/dist/component/server/mutations/store/refs.js +0 -15
  356. package/dist/component/server/mutations/store/refs.js.map +0 -1
  357. package/dist/component/server/mutations/store.js +0 -70
  358. package/dist/component/server/mutations/store.js.map +0 -1
  359. package/dist/component/server/mutations/verifier.js +0 -18
  360. package/dist/component/server/mutations/verifier.js.map +0 -1
  361. package/dist/component/server/mutations/verify.js +0 -98
  362. package/dist/component/server/mutations/verify.js.map +0 -1
  363. package/dist/component/server/oauth.js +0 -242
  364. package/dist/component/server/oauth.js.map +0 -1
  365. package/dist/component/server/passkey.js +0 -415
  366. package/dist/component/server/passkey.js.map +0 -1
  367. package/dist/component/server/redirects.js +0 -40
  368. package/dist/component/server/redirects.js.map +0 -1
  369. package/dist/component/server/refresh.js +0 -99
  370. package/dist/component/server/refresh.js.map +0 -1
  371. package/dist/component/server/runtime.d.ts +0 -136
  372. package/dist/component/server/runtime.d.ts.map +0 -1
  373. package/dist/component/server/runtime.js +0 -456
  374. package/dist/component/server/runtime.js.map +0 -1
  375. package/dist/component/server/sessions.js +0 -71
  376. package/dist/component/server/sessions.js.map +0 -1
  377. package/dist/component/server/signin.js +0 -225
  378. package/dist/component/server/signin.js.map +0 -1
  379. package/dist/component/server/tokens.js +0 -17
  380. package/dist/component/server/tokens.js.map +0 -1
  381. package/dist/component/server/totp.js +0 -208
  382. package/dist/component/server/totp.js.map +0 -1
  383. package/dist/component/server/types.d.ts +0 -949
  384. package/dist/component/server/types.d.ts.map +0 -1
  385. package/dist/component/server/types.js +0 -79
  386. package/dist/component/server/types.js.map +0 -1
  387. package/dist/component/server/users.js +0 -123
  388. package/dist/component/server/users.js.map +0 -1
  389. package/dist/component/server/utils.js +0 -140
  390. package/dist/component/server/utils.js.map +0 -1
  391. package/dist/core/types.d.ts +0 -361
  392. package/dist/core/types.d.ts.map +0 -1
  393. package/dist/factors/device.js +0 -104
  394. package/dist/factors/device.js.map +0 -1
  395. package/dist/factors/passkey.js.map +0 -1
  396. package/dist/factors/totp.js.map +0 -1
  397. package/dist/providers/anonymous.d.ts.map +0 -1
  398. package/dist/providers/anonymous.js.map +0 -1
  399. package/dist/providers/credentials.d.ts.map +0 -1
  400. package/dist/providers/credentials.js.map +0 -1
  401. package/dist/providers/device.d.ts.map +0 -1
  402. package/dist/providers/device.js.map +0 -1
  403. package/dist/providers/email.d.ts.map +0 -1
  404. package/dist/providers/email.js.map +0 -1
  405. package/dist/providers/oauth.d.ts +0 -69
  406. package/dist/providers/oauth.d.ts.map +0 -1
  407. package/dist/providers/oauth.js +0 -43
  408. package/dist/providers/oauth.js.map +0 -1
  409. package/dist/providers/passkey.d.ts.map +0 -1
  410. package/dist/providers/passkey.js.map +0 -1
  411. package/dist/providers/password.d.ts.map +0 -1
  412. package/dist/providers/password.js.map +0 -1
  413. package/dist/providers/phone.d.ts.map +0 -1
  414. package/dist/providers/phone.js.map +0 -1
  415. package/dist/providers/sso.d.ts.map +0 -1
  416. package/dist/providers/sso.js.map +0 -1
  417. package/dist/providers/totp.d.ts.map +0 -1
  418. package/dist/providers/totp.js.map +0 -1
  419. package/dist/runtime/browser.js +0 -68
  420. package/dist/runtime/browser.js.map +0 -1
  421. package/dist/runtime/invite.js.map +0 -1
  422. package/dist/runtime/proxy.js +0 -70
  423. package/dist/runtime/proxy.js.map +0 -1
  424. package/dist/runtime/storage.js +0 -37
  425. package/dist/runtime/storage.js.map +0 -1
  426. package/dist/server/auth.d.ts.map +0 -1
  427. package/dist/server/auth.js.map +0 -1
  428. package/dist/server/config.d.ts +0 -1
  429. package/dist/server/config.js.map +0 -1
  430. package/dist/server/context.d.ts +0 -1
  431. package/dist/server/context.js.map +0 -1
  432. package/dist/server/cookies.d.ts +0 -1
  433. package/dist/server/cookies.js.map +0 -1
  434. package/dist/server/core.d.ts +0 -1315
  435. package/dist/server/core.d.ts.map +0 -1
  436. package/dist/server/core.js.map +0 -1
  437. package/dist/server/crypto.d.ts +0 -8
  438. package/dist/server/crypto.d.ts.map +0 -1
  439. package/dist/server/crypto.js.map +0 -1
  440. package/dist/server/db.d.ts +0 -1
  441. package/dist/server/db.js.map +0 -1
  442. package/dist/server/device.d.ts +0 -1
  443. package/dist/server/device.js.map +0 -1
  444. package/dist/server/enterprise/config.d.ts +0 -1
  445. package/dist/server/enterprise/config.js.map +0 -1
  446. package/dist/server/enterprise/domain.d.ts +0 -401
  447. package/dist/server/enterprise/domain.d.ts.map +0 -1
  448. package/dist/server/enterprise/domain.js +0 -974
  449. package/dist/server/enterprise/domain.js.map +0 -1
  450. package/dist/server/enterprise/http.d.ts +0 -26
  451. package/dist/server/enterprise/http.d.ts.map +0 -1
  452. package/dist/server/enterprise/http.js +0 -787
  453. package/dist/server/enterprise/http.js.map +0 -1
  454. package/dist/server/enterprise/oidc.d.ts +0 -1
  455. package/dist/server/enterprise/oidc.js +0 -248
  456. package/dist/server/enterprise/oidc.js.map +0 -1
  457. package/dist/server/enterprise/policy.d.ts +0 -1
  458. package/dist/server/enterprise/policy.js +0 -85
  459. package/dist/server/enterprise/policy.js.map +0 -1
  460. package/dist/server/enterprise/saml.d.ts +0 -1
  461. package/dist/server/enterprise/saml.js +0 -338
  462. package/dist/server/enterprise/saml.js.map +0 -1
  463. package/dist/server/enterprise/scim.d.ts +0 -1
  464. package/dist/server/enterprise/scim.js +0 -97
  465. package/dist/server/enterprise/scim.js.map +0 -1
  466. package/dist/server/enterprise/shared.d.ts +0 -5
  467. package/dist/server/enterprise/shared.d.ts.map +0 -1
  468. package/dist/server/enterprise/shared.js +0 -51
  469. package/dist/server/enterprise/shared.js.map +0 -1
  470. package/dist/server/enterprise/validators.d.ts +0 -1
  471. package/dist/server/enterprise/validators.js +0 -60
  472. package/dist/server/enterprise/validators.js.map +0 -1
  473. package/dist/server/http.d.ts.map +0 -1
  474. package/dist/server/http.js.map +0 -1
  475. package/dist/server/identity.d.ts +0 -1
  476. package/dist/server/identity.js.map +0 -1
  477. package/dist/server/keys.d.ts +0 -1
  478. package/dist/server/keys.js.map +0 -1
  479. package/dist/server/limits.d.ts +0 -1
  480. package/dist/server/limits.js.map +0 -1
  481. package/dist/server/mounts.d.ts.map +0 -1
  482. package/dist/server/mounts.js.map +0 -1
  483. package/dist/server/mutations/account.d.ts +0 -29
  484. package/dist/server/mutations/account.d.ts.map +0 -1
  485. package/dist/server/mutations/account.js.map +0 -1
  486. package/dist/server/mutations/code.d.ts +0 -30
  487. package/dist/server/mutations/code.d.ts.map +0 -1
  488. package/dist/server/mutations/code.js.map +0 -1
  489. package/dist/server/mutations/index.d.ts +0 -14
  490. package/dist/server/mutations/invalidate.d.ts +0 -20
  491. package/dist/server/mutations/invalidate.d.ts.map +0 -1
  492. package/dist/server/mutations/invalidate.js.map +0 -1
  493. package/dist/server/mutations/oauth.d.ts +0 -30
  494. package/dist/server/mutations/oauth.d.ts.map +0 -1
  495. package/dist/server/mutations/oauth.js.map +0 -1
  496. package/dist/server/mutations/refresh.d.ts +0 -21
  497. package/dist/server/mutations/refresh.d.ts.map +0 -1
  498. package/dist/server/mutations/refresh.js.map +0 -1
  499. package/dist/server/mutations/register.d.ts +0 -38
  500. package/dist/server/mutations/register.d.ts.map +0 -1
  501. package/dist/server/mutations/register.js.map +0 -1
  502. package/dist/server/mutations/retrieve.d.ts +0 -33
  503. package/dist/server/mutations/retrieve.d.ts.map +0 -1
  504. package/dist/server/mutations/retrieve.js.map +0 -1
  505. package/dist/server/mutations/signature.d.ts +0 -21
  506. package/dist/server/mutations/signature.d.ts.map +0 -1
  507. package/dist/server/mutations/signature.js.map +0 -1
  508. package/dist/server/mutations/signin.d.ts +0 -22
  509. package/dist/server/mutations/signin.d.ts.map +0 -1
  510. package/dist/server/mutations/signin.js.map +0 -1
  511. package/dist/server/mutations/signout.d.ts +0 -16
  512. package/dist/server/mutations/signout.d.ts.map +0 -1
  513. package/dist/server/mutations/signout.js.map +0 -1
  514. package/dist/server/mutations/store/refs.d.ts +0 -12
  515. package/dist/server/mutations/store/refs.d.ts.map +0 -1
  516. package/dist/server/mutations/store/refs.js.map +0 -1
  517. package/dist/server/mutations/store.d.ts +0 -306
  518. package/dist/server/mutations/store.d.ts.map +0 -1
  519. package/dist/server/mutations/store.js.map +0 -1
  520. package/dist/server/mutations/verifier.d.ts +0 -13
  521. package/dist/server/mutations/verifier.d.ts.map +0 -1
  522. package/dist/server/mutations/verifier.js.map +0 -1
  523. package/dist/server/mutations/verify.d.ts +0 -26
  524. package/dist/server/mutations/verify.d.ts.map +0 -1
  525. package/dist/server/mutations/verify.js.map +0 -1
  526. package/dist/server/oauth.d.ts +0 -1
  527. package/dist/server/oauth.js +0 -242
  528. package/dist/server/oauth.js.map +0 -1
  529. package/dist/server/passkey.d.ts +0 -27
  530. package/dist/server/passkey.d.ts.map +0 -1
  531. package/dist/server/passkey.js.map +0 -1
  532. package/dist/server/redirects.d.ts +0 -1
  533. package/dist/server/redirects.js.map +0 -1
  534. package/dist/server/refresh.d.ts +0 -1
  535. package/dist/server/refresh.js.map +0 -1
  536. package/dist/server/runtime.d.ts.map +0 -1
  537. package/dist/server/runtime.js.map +0 -1
  538. package/dist/server/sessions.d.ts +0 -1
  539. package/dist/server/sessions.js.map +0 -1
  540. package/dist/server/signin.d.ts +0 -1
  541. package/dist/server/signin.js.map +0 -1
  542. package/dist/server/ssr.d.ts.map +0 -1
  543. package/dist/server/ssr.js +0 -777
  544. package/dist/server/ssr.js.map +0 -1
  545. package/dist/server/templates.d.ts +0 -1
  546. package/dist/server/templates.js.map +0 -1
  547. package/dist/server/tokens.d.ts +0 -1
  548. package/dist/server/tokens.js.map +0 -1
  549. package/dist/server/totp.d.ts +0 -1
  550. package/dist/server/totp.js.map +0 -1
  551. package/dist/server/types.d.ts.map +0 -1
  552. package/dist/server/types.js.map +0 -1
  553. package/dist/server/users.d.ts +0 -1
  554. package/dist/server/users.js.map +0 -1
  555. package/dist/server/utils.d.ts +0 -1
  556. package/dist/server/utils.js +0 -140
  557. package/dist/server/utils.js.map +0 -1
  558. package/src/authorization/index.ts +0 -83
  559. package/src/cli/bin.ts +0 -5
  560. package/src/cli/command.ts +0 -70
  561. package/src/cli/index.ts +0 -1112
  562. package/src/cli/keys.ts +0 -23
  563. package/src/client/core/types.ts +0 -437
  564. package/src/client/factors/device.ts +0 -158
  565. package/src/client/factors/passkey.ts +0 -279
  566. package/src/client/factors/totp.ts +0 -150
  567. package/src/client/index.ts +0 -1124
  568. package/src/client/runtime/browser.ts +0 -112
  569. package/src/client/runtime/invite.ts +0 -63
  570. package/src/client/runtime/proxy.ts +0 -111
  571. package/src/client/runtime/storage.ts +0 -79
  572. package/src/component/_generated/api.ts +0 -96
  573. package/src/component/_generated/component.ts +0 -3774
  574. package/src/component/_generated/dataModel.ts +0 -60
  575. package/src/component/_generated/server.ts +0 -156
  576. package/src/component/convex.config.ts +0 -5
  577. package/src/component/functions.ts +0 -104
  578. package/src/component/index.ts +0 -42
  579. package/src/component/model.ts +0 -449
  580. package/src/component/public/enterprise/audit.ts +0 -125
  581. package/src/component/public/enterprise/core.ts +0 -355
  582. package/src/component/public/enterprise/domains.ts +0 -327
  583. package/src/component/public/enterprise/scim.ts +0 -397
  584. package/src/component/public/enterprise/secrets.ts +0 -133
  585. package/src/component/public/enterprise/webhooks.ts +0 -307
  586. package/src/component/public/factors/devices.ts +0 -224
  587. package/src/component/public/factors/passkeys.ts +0 -243
  588. package/src/component/public/factors/totp.ts +0 -259
  589. package/src/component/public/groups/core.ts +0 -481
  590. package/src/component/public/groups/invites.ts +0 -608
  591. package/src/component/public/groups/members.ts +0 -410
  592. package/src/component/public/identity/accounts.ts +0 -207
  593. package/src/component/public/identity/codes.ts +0 -149
  594. package/src/component/public/identity/sessions.ts +0 -210
  595. package/src/component/public/identity/tokens.ts +0 -251
  596. package/src/component/public/identity/users.ts +0 -355
  597. package/src/component/public/identity/verifiers.ts +0 -158
  598. package/src/component/public/security/keys.ts +0 -366
  599. package/src/component/public/security/limits.ts +0 -174
  600. package/src/component/public.ts +0 -27
  601. package/src/component/schema.ts +0 -505
  602. package/src/providers/anonymous.ts +0 -99
  603. package/src/providers/credentials.ts +0 -102
  604. package/src/providers/device.ts +0 -87
  605. package/src/providers/email.ts +0 -99
  606. package/src/providers/index.ts +0 -31
  607. package/src/providers/oauth.ts +0 -117
  608. package/src/providers/passkey.ts +0 -77
  609. package/src/providers/password.ts +0 -441
  610. package/src/providers/phone.ts +0 -93
  611. package/src/providers/sso.ts +0 -54
  612. package/src/providers/totp.ts +0 -62
  613. package/src/samlify.d.ts +0 -53
  614. package/src/server/auth.ts +0 -949
  615. package/src/server/config.ts +0 -200
  616. package/src/server/context.ts +0 -90
  617. package/src/server/cookies.ts +0 -49
  618. package/src/server/core.ts +0 -2004
  619. package/src/server/crypto.ts +0 -90
  620. package/src/server/db.ts +0 -203
  621. package/src/server/device.ts +0 -254
  622. package/src/server/enterprise/config.ts +0 -51
  623. package/src/server/enterprise/domain.ts +0 -1739
  624. package/src/server/enterprise/http.ts +0 -1331
  625. package/src/server/enterprise/oidc.ts +0 -500
  626. package/src/server/enterprise/policy.ts +0 -128
  627. package/src/server/enterprise/saml.ts +0 -578
  628. package/src/server/enterprise/scim.ts +0 -135
  629. package/src/server/enterprise/shared.ts +0 -134
  630. package/src/server/enterprise/validators.ts +0 -93
  631. package/src/server/http.ts +0 -790
  632. package/src/server/identity.ts +0 -18
  633. package/src/server/index.ts +0 -40
  634. package/src/server/keys.ts +0 -158
  635. package/src/server/limits.ts +0 -107
  636. package/src/server/mounts.ts +0 -924
  637. package/src/server/mutations/account.ts +0 -62
  638. package/src/server/mutations/code.ts +0 -119
  639. package/src/server/mutations/index.ts +0 -13
  640. package/src/server/mutations/invalidate.ts +0 -50
  641. package/src/server/mutations/oauth.ts +0 -243
  642. package/src/server/mutations/refresh.ts +0 -299
  643. package/src/server/mutations/register.ts +0 -155
  644. package/src/server/mutations/retrieve.ts +0 -109
  645. package/src/server/mutations/signature.ts +0 -57
  646. package/src/server/mutations/signin.ts +0 -54
  647. package/src/server/mutations/signout.ts +0 -43
  648. package/src/server/mutations/store/refs.ts +0 -10
  649. package/src/server/mutations/store.ts +0 -123
  650. package/src/server/mutations/verifier.ts +0 -34
  651. package/src/server/mutations/verify.ts +0 -200
  652. package/src/server/oauth.ts +0 -418
  653. package/src/server/passkey.ts +0 -838
  654. package/src/server/redirects.ts +0 -59
  655. package/src/server/refresh.ts +0 -218
  656. package/src/server/runtime.ts +0 -918
  657. package/src/server/sessions.ts +0 -132
  658. package/src/server/signin.ts +0 -445
  659. package/src/server/ssr.ts +0 -1747
  660. package/src/server/templates.ts +0 -82
  661. package/src/server/tokens.ts +0 -35
  662. package/src/server/totp.ts +0 -399
  663. package/src/server/types.ts +0 -1942
  664. package/src/server/users.ts +0 -291
  665. package/src/server/utils.ts +0 -220
  666. /package/dist/{runtime → client/runtime}/invite.js +0 -0
@@ -1,18 +1,8 @@
1
- import { OAuthProviderInstance } from "../providers/oauth.js";
2
- import { CredentialsConfig } from "../providers/credentials.js";
3
- import { Password } from "../providers/password.js";
4
- import { Passkey } from "../providers/passkey.js";
5
- import { Totp } from "../providers/totp.js";
6
- import { Device } from "../providers/device.js";
7
- import { SSO } from "../providers/sso.js";
8
- import { Email } from "../providers/email.js";
9
- import { Phone } from "../providers/phone.js";
10
- import { vApiKeyDoc, vAuthVerifierDoc, vDeviceCodeDoc, vPasskeyDoc, vTotpFactorDoc } from "../component/model.js";
1
+ import { vApiKeyDoc } from "../component/model.js";
11
2
  import { _default } from "../component/schema.js";
12
- import { Anonymous } from "../providers/anonymous.js";
13
- import { AnyDataModel, DataModelFromSchemaDefinition, DocumentByName, GenericActionCtx, GenericDataModel, GenericMutationCtx, GenericQueryCtx, TableNamesInDataModel } from "convex/server";
3
+ import { CredentialsConfig } from "../providers/credentials.js";
14
4
  import { GenericId, Infer, Value } from "convex/values";
15
- import * as arctic0 from "arctic";
5
+ import { AnyDataModel, DataModelFromSchemaDefinition, DocumentByName, FunctionReference, GenericActionCtx, GenericDataModel, GenericMutationCtx, GenericQueryCtx, TableNamesInDataModel } from "convex/server";
16
6
 
17
7
  //#region src/server/types.d.ts
18
8
  /**
@@ -56,7 +46,7 @@ type AuthAuthorizationConfig = {
56
46
  * @see {@link AuthGrant}
57
47
  */
58
48
  type AuthRoleId<TAuthorization extends AuthAuthorizationConfig | undefined> = TAuthorization extends {
59
- roles: infer TRoles extends Record<string, any>;
49
+ roles: infer TRoles extends Record<string, unknown>;
60
50
  } ? keyof TRoles & string : string;
61
51
  /**
62
52
  * Extracts the union of grant strings from all roles in an authorization config.
@@ -70,7 +60,7 @@ type AuthRoleId<TAuthorization extends AuthAuthorizationConfig | undefined> = TA
70
60
  */
71
61
  type AuthGrant<TAuthorization extends AuthAuthorizationConfig | undefined> = TAuthorization extends {
72
62
  roles: infer TRoles extends Record<string, {
73
- grants: readonly any[];
63
+ grants: readonly unknown[];
74
64
  }>;
75
65
  } ? TRoles[keyof TRoles]["grants"][number] & string : string;
76
66
  /**
@@ -84,6 +74,32 @@ type ConvexAuthConfig = {
84
74
  * `@robelest/convex-auth/providers/<provider-name>`
85
75
  */
86
76
  providers: AuthProviderConfig[];
77
+ sso?: {
78
+ hooks?: {
79
+ profileResolved?: (args: {
80
+ protocol: "oidc" | "saml" | "scim";
81
+ connectionId?: string;
82
+ profile: Record<string, unknown>;
83
+ }) => Awaitable<Record<string, unknown> | void>;
84
+ beforeProvision?: (args: {
85
+ protocol: "oidc" | "saml" | "scim";
86
+ connectionId?: string;
87
+ profile: Record<string, unknown>;
88
+ }) => Awaitable<Record<string, unknown> | void>;
89
+ afterProvision?: (args: {
90
+ protocol: "oidc" | "saml" | "scim";
91
+ connectionId?: string;
92
+ profile: Record<string, unknown>;
93
+ userId: string;
94
+ }) => Awaitable<void>;
95
+ allowLink?: (args: {
96
+ protocol: "oidc" | "saml" | "scim";
97
+ connectionId?: string;
98
+ profile: Record<string, unknown>;
99
+ userId: string;
100
+ }) => Awaitable<boolean | void>;
101
+ };
102
+ };
87
103
  /**
88
104
  * Auth component reference from `components.auth`.
89
105
  *
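Review bot: The four `sso.hooks` callbacks added to `ConvexAuthConfig` carry no doc comments, and `allowLink` returns `Awaitable<boolean | void>` without saying what a `void` result means. Because this hook gates linking an IdP-asserted profile to an existing `userId`, the contract should state whether returning nothing allows or denies the link, for example `/** Return false to refuse linking; returning nothing defers to the connection's accountLinking policy. */`, once confirmed against the implementation. The comments should also say that `profile` is IdP-supplied data the hook must treat as untrusted, and whether the object returned by `profileResolved` or `beforeProvision` replaces the profile or is merged into it. `ConvexAuthConfig` starts and ends outside this hunk.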
@@ -303,102 +319,140 @@ type ConvexAuthConfig = {
303
319
  /**
304
320
  * Union of all supported auth provider config types.
305
321
  *
306
- * Includes Arctic-based OAuth providers (via the `OAuth()` factory),
307
- * plus library-native providers: credentials, email, phone, passkey
308
- * (WebAuthn), and TOTP (2FA). Each can be passed as a config object
309
- * or a factory function.
322
+ * Includes materialized provider configs plus optional config factories.
310
323
  */
311
- type AuthProviderConfig = OAuthProviderInstance | Password | Passkey | Totp | Anonymous | Device | SSO | Email | Phone | OAuthMaterializedConfig | ConvexCredentialsConfig | ((...args: any) => ConvexCredentialsConfig) | EmailConfig | ((...args: any) => EmailConfig) | PhoneConfig | ((...args: any) => PhoneConfig) | PasskeyProviderConfig | ((...args: any) => PasskeyProviderConfig) | TotpProviderConfig | ((...args: any) => TotpProviderConfig) | DeviceProviderConfig | ((...args: any) => DeviceProviderConfig) | SSOProviderConfig;
324
+ type AuthProviderConfig = OAuthMaterializedConfig | ConvexCredentialsConfig | (() => ConvexCredentialsConfig) | EmailConfig | (() => EmailConfig) | PhoneConfig | (() => PhoneConfig) | PasskeyProviderConfig | (() => PasskeyProviderConfig) | TotpProviderConfig | (() => TotpProviderConfig) | DeviceProviderConfig | (() => DeviceProviderConfig) | SSOProviderConfig;
312
325
  /**
313
326
  * Minimal config stored for the SSO provider at runtime.
314
- * No options — enterprise configuration is entirely per-tenant runtime state.
327
+ * No options — connection configuration is entirely per-tenant runtime state.
315
328
  */
316
329
  interface SSOProviderConfig {
317
330
  id: string;
318
331
  type: "sso";
332
+ /**
333
+ * Optional shared callback URI for all OIDC group connections.
334
+ * When omitted, each connection gets its own callback path.
335
+ */
336
+ redirectURI?: string;
319
337
  }
320
338
  /**
321
- * Account linking strategy for enterprise SSO sign-in.
339
+ * Account linking strategy for group SSO sign-in.
322
340
  *
323
341
  * - `"verifiedEmail"` — link accounts when the IdP-provided email matches a verified email on an existing user.
324
342
  * - `"none"` — never auto-link; always create a new account.
325
343
  */
326
- type EnterpriseAccountLinkingPolicy = "verifiedEmail" | "none";
344
+ type GroupConnectionAccountLinkingPolicy = "verifiedEmail" | "none";
327
345
  /**
328
346
  * Policy for reusing existing users during SCIM provisioning.
329
347
  *
330
348
  * - `"externalId"` — match by the SCIM `externalId` to reuse a previously provisioned user.
331
349
  * - `"none"` — always create a new user for each SCIM provision request.
332
350
  */
333
- type EnterpriseScimReuseUserPolicy = "externalId" | "none";
351
+ type GroupConnectionScimReuseUserPolicy = "externalId" | "none";
334
352
  /**
335
- * Just-in-time provisioning mode for enterprise SSO.
353
+ * Just-in-time provisioning mode for group SSO.
336
354
  *
337
355
  * - `"off"` — no JIT provisioning; users must be pre-provisioned.
338
356
  * - `"createUser"` — create a user record on first SSO sign-in.
339
- * - `"createUserAndMembership"` — create a user and add them to the enterprise group on first SSO sign-in.
357
+ * - `"createUserAndMembership"` — create a user and add them to the group on first SSO sign-in.
340
358
  */
341
- type EnterpriseJitProvisioningMode = "off" | "createUser" | "createUserAndMembership";
359
+ type GroupConnectionJitProvisioningMode = "off" | "createUser" | "createUserAndMembership";
342
360
  /**
343
361
  * Deprovisioning strategy when a SCIM user is deleted.
344
362
  *
345
363
  * - `"soft"` — mark the user as inactive but preserve the record.
346
364
  * - `"hard"` — permanently delete the user and associated data.
347
365
  */
348
- type EnterpriseDeprovisionMode = "soft" | "hard";
366
+ type GroupConnectionDeprovisionMode = "soft" | "hard";
367
+ type GroupConnectionProfileUpdateMode = "never" | "missing" | "always";
368
+ type GroupConnectionProvisioningAuthority = "app" | "sso" | "scim";
369
+ type GroupConnectionGroupSyncMode = "ignore" | "sync";
370
+ type GroupConnectionRoleSyncMode = "ignore" | "map";
349
371
  /**
350
- * Effective enterprise policy document stored for an SSO/SCIM tenant.
372
+ * Effective group policy document stored for an SSO/SCIM tenant.
351
373
  *
352
374
  * Controls account linking, JIT provisioning, SCIM reuse behavior,
353
375
  * deprovisioning, and any app-defined extension metadata.
354
376
  *
355
- * @see {@link EnterprisePolicyPatch}
377
+ * @see {@link GroupConnectionPolicyPatch}
356
378
  */
357
- interface EnterprisePolicy {
379
+ interface GroupConnectionPolicy {
358
380
  version: 1;
359
381
  identity: {
360
382
  accountLinking: {
361
- oidc: EnterpriseAccountLinkingPolicy;
362
- saml: EnterpriseAccountLinkingPolicy;
383
+ oidc: GroupConnectionAccountLinkingPolicy;
384
+ saml: GroupConnectionAccountLinkingPolicy;
363
385
  };
364
386
  };
365
387
  provisioning: {
388
+ user: {
389
+ createOnSignIn: boolean;
390
+ updateProfileOnLogin: GroupConnectionProfileUpdateMode;
391
+ updateProfileFromScim: GroupConnectionProfileUpdateMode;
392
+ authority: GroupConnectionProvisioningAuthority;
393
+ };
366
394
  scimReuse: {
367
- user: EnterpriseScimReuseUserPolicy;
395
+ user: GroupConnectionScimReuseUserPolicy;
368
396
  };
369
397
  jit: {
370
- mode: EnterpriseJitProvisioningMode;
398
+ mode: GroupConnectionJitProvisioningMode;
371
399
  defaultRoleIds: string[];
372
400
  };
373
401
  deprovision: {
374
- mode: EnterpriseDeprovisionMode;
402
+ mode: GroupConnectionDeprovisionMode;
403
+ };
404
+ groups: {
405
+ mode: GroupConnectionGroupSyncMode;
406
+ source: "protocol";
407
+ mapping?: Record<string, string[]>;
408
+ };
409
+ roles: {
410
+ mode: GroupConnectionRoleSyncMode;
411
+ source: "protocol";
412
+ mapping?: Record<string, string[]>;
375
413
  };
376
414
  };
377
415
  extend?: Record<string, unknown>;
378
416
  }
379
417
  /**
380
- * Partial update payload for {@link EnterprisePolicy}.
418
+ * Partial update payload for {@link GroupConnectionPolicy}.
381
419
  *
382
- * Use this when patching only selected enterprise policy sections without
420
+ * Use this when patching only selected group policy sections without
383
421
  * replacing the entire stored policy document.
384
422
  */
385
- interface EnterprisePolicyPatch {
423
+ interface GroupConnectionPolicyPatch {
386
424
  identity?: {
387
425
  accountLinking?: {
388
- oidc?: EnterpriseAccountLinkingPolicy;
389
- saml?: EnterpriseAccountLinkingPolicy;
426
+ oidc?: GroupConnectionAccountLinkingPolicy;
427
+ saml?: GroupConnectionAccountLinkingPolicy;
390
428
  };
391
429
  };
392
430
  provisioning?: {
431
+ user?: {
432
+ createOnSignIn?: boolean;
433
+ updateProfileOnLogin?: GroupConnectionProfileUpdateMode;
434
+ updateProfileFromScim?: GroupConnectionProfileUpdateMode;
435
+ authority?: GroupConnectionProvisioningAuthority;
436
+ };
393
437
  scimReuse?: {
394
- user?: EnterpriseScimReuseUserPolicy;
438
+ user?: GroupConnectionScimReuseUserPolicy;
395
439
  };
396
440
  jit?: {
397
- mode?: EnterpriseJitProvisioningMode;
441
+ mode?: GroupConnectionJitProvisioningMode;
398
442
  defaultRoleIds?: string[];
399
443
  };
400
444
  deprovision?: {
401
- mode?: EnterpriseDeprovisionMode;
445
+ mode?: GroupConnectionDeprovisionMode;
446
+ };
447
+ groups?: {
448
+ mode?: GroupConnectionGroupSyncMode;
449
+ source?: "protocol";
450
+ mapping?: Record<string, string[]>;
451
+ };
452
+ roles?: {
453
+ mode?: GroupConnectionRoleSyncMode;
454
+ source?: "protocol";
455
+ mapping?: Record<string, string[]>;
402
456
  };
403
457
  };
404
458
  extend?: Record<string, unknown>;
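Review bot: The new `provisioning.groups` and `provisioning.roles` sections, and the types `GroupConnectionProfileUpdateMode`, `GroupConnectionProvisioningAuthority`, `GroupConnectionGroupSyncMode` and `GroupConnectionRoleSyncMode`, are added without doc comments, although the neighbouring policy types document each of their values. `roles.mapping?: Record<string, string[]>` needs one most: it presumably turns values asserted by the IdP into application role ids, so the comment should say which side is the key and what happens to an asserted value that has no entry. Something like `/** Keys are role values from the IdP; values are the app role ids granted. Unmapped values grant no role. */` would do, once confirmed against the implementation. Separately, `AuthProviderConfig` now accepts only zero-argument factories and no longer lists the provider classes, which is a breaking type change worth stating in the release notes. `GroupConnectionPolicyPatch` continues past the end of this hunk.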
@@ -504,7 +558,8 @@ interface PhoneConfig<DataModel extends GenericDataModel = GenericDataModel> {
504
558
  * Any tokens shorter than 24 characters are assumed to not
505
559
  * be secure enough on their own, and require providing
506
560
  * the original `phone` used in the initial `signIn` call.
507
- * @returns
561
+ *
562
+ * @returns The verification token to send to the user.
508
563
  */
509
564
  generateVerificationToken?: () => Promise<string>;
510
565
  /**
@@ -537,8 +592,13 @@ interface PhoneConfig<DataModel extends GenericDataModel = GenericDataModel> {
537
592
  type PhoneUserConfig<DataModel extends GenericDataModel = GenericDataModel> = Omit<Partial<PhoneConfig<DataModel>>, "options" | "type">;
538
593
  /**
539
594
  * Credentials provider config used by Convex Auth.
595
+ *
596
+ * Extends the user-facing {@link CredentialsConfig} with the stable provider
597
+ * `id` and `type` fields injected by the library.
598
+ *
599
+ * @typeParam DataModel - The Convex data model used by the auth context.
540
600
  */
541
- type ConvexCredentialsConfig = CredentialsConfig<any> & {
601
+ type ConvexCredentialsConfig<DataModel extends GenericDataModel = GenericDataModel> = CredentialsConfig<DataModel> & {
542
602
  type: "credentials";
543
603
  id: string;
544
604
  };
@@ -620,6 +680,35 @@ interface OAuthProfile {
620
680
  /** Additional claims from the ID token or userinfo endpoint. */
621
681
  [key: string]: unknown;
622
682
  }
683
+ /**
684
+ * Stable OAuth token shape exposed to provider callbacks.
685
+ *
686
+ * This contract is owned by convex-auth so users are insulated from changes
687
+ * to the underlying OAuth implementation.
688
+ */
689
+ interface OAuthTokens {
690
+ accessToken?: string;
691
+ refreshToken?: string;
692
+ idToken?: string;
693
+ accessTokenExpiresAt?: Date;
694
+ refreshTokenExpiresAt?: Date;
695
+ scopes?: string[];
696
+ raw?: unknown;
697
+ }
698
+ interface OAuthRuntimeClient {
699
+ readonly pkce: "required" | "optional" | "never";
700
+ createAuthorizationURL(args: {
701
+ state: string;
702
+ codeVerifier?: string;
703
+ scopes: string[];
704
+ nonce?: string;
705
+ loginHint?: string;
706
+ }): URL;
707
+ validateAuthorizationCode(args: {
708
+ code: string;
709
+ codeVerifier?: string;
710
+ }): Promise<OAuthTokens>;
711
+ }
623
712
  /** Credentials identifying a provider account (e.g. email + hashed password). */
624
713
  type AuthAccountCredentials = {
625
714
  /** Provider-specific account identifier (e.g. email address). */id: string; /** Optional secret (e.g. hashed password). */
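Review bot: `OAuthRuntimeClient` is added with no doc comment, and nothing in the type ties `pkce: "required"` to the `codeVerifier?` arguments, so a client that declares PKCE required still type-checks when `createAuthorizationURL` or `validateAuthorizationCode` is called without a verifier. Either document that callers must pass `codeVerifier` when `pkce` is `"required"` and that implementations should throw when it is missing, or split the interface into a union keyed on `pkce` so the required case has `codeVerifier: string`. `OAuthTokens` would also benefit from a sentence noting that `accessToken`, `refreshToken`, `idToken` and `raw` hold secrets and should not be logged or copied into the profile returned by a `profile` callback.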
@@ -704,15 +793,15 @@ type AuthMemberRequireArgs = AuthMemberInspectArgs & {
704
793
  */
705
794
  type AuthServerHelpers = {
706
795
  /** Account management: create, retrieve, and update provider-linked accounts. */account: {
707
- create: (ctx: GenericActionCtx<any>, args: AuthCreateAccountArgs) => Promise<{
796
+ create: (ctx: GenericActionCtx<GenericDataModel>, args: AuthCreateAccountArgs) => Promise<{
708
797
  account: GenericDoc<GenericDataModel, "Account">;
709
798
  user: GenericDoc<GenericDataModel, "User">;
710
799
  }>;
711
- get: (ctx: GenericActionCtx<any>, args: AuthRetrieveAccountArgs) => Promise<{
800
+ get: (ctx: GenericActionCtx<GenericDataModel>, args: AuthRetrieveAccountArgs) => Promise<{
712
801
  account: GenericDoc<GenericDataModel, "Account">;
713
802
  user: GenericDoc<GenericDataModel, "User">;
714
803
  }>;
715
- update: (ctx: GenericActionCtx<any>, args: AuthUpdateAccountArgs) => Promise<{
804
+ update: (ctx: GenericActionCtx<GenericDataModel>, args: AuthUpdateAccountArgs) => Promise<{
716
805
  accountId: GenericId<"Account">;
717
806
  }>;
718
807
  };
@@ -720,17 +809,17 @@ type AuthServerHelpers = {
720
809
  current: (ctx: {
721
810
  auth: GenericActionCtx<GenericDataModel>["auth"];
722
811
  }) => Promise<GenericId<"Session"> | null>;
723
- invalidate: (ctx: GenericActionCtx<any>, args: AuthInvalidateSessionsArgs) => Promise<{
812
+ invalidate: (ctx: GenericActionCtx<GenericDataModel>, args: AuthInvalidateSessionsArgs) => Promise<{
724
813
  userId: GenericId<"User">;
725
814
  except: GenericId<"Session">[];
726
815
  }>;
727
816
  };
728
817
  member: {
729
- inspect: (ctx: GenericActionCtx<any>, args: AuthMemberInspectArgs) => Promise<AuthMemberInspectResult>;
730
- require: (ctx: GenericActionCtx<any>, args: AuthMemberRequireArgs) => Promise<AuthMemberInspectResult>;
818
+ inspect: (ctx: GenericActionCtx<GenericDataModel>, args: AuthMemberInspectArgs) => Promise<AuthMemberInspectResult>;
819
+ require: (ctx: GenericActionCtx<GenericDataModel>, args: AuthMemberRequireArgs) => Promise<AuthMemberInspectResult>;
731
820
  };
732
821
  provider: {
733
- signIn: (ctx: GenericActionCtx<any>, provider: AuthProviderConfig, args: AuthProviderSignInArgs) => Promise<AuthProviderSignInResult>;
822
+ signIn: (ctx: GenericActionCtx<GenericDataModel>, provider: AuthProviderConfig, args: AuthProviderSignInArgs) => Promise<AuthProviderSignInResult>;
734
823
  };
735
824
  };
736
825
  /**
@@ -752,30 +841,24 @@ type GenericActionCtxWithAuthConfig<DataModel extends GenericDataModel> = Generi
752
841
  */
753
842
  type ConvexAuthMaterializedConfig = {
754
843
  providers: AuthProviderMaterializedConfig[];
755
- } & Pick<ConvexAuthConfig, "component" | "session" | "jwt" | "signIn" | "callbacks" | "authorization">;
756
- /**
757
- * Maps SAML assertion attribute names to user profile fields.
758
- *
759
- * Use this to tell the SSO flow which SAML attributes correspond to
760
- * the user's subject identifier, email, and display name fields.
761
- */
762
- interface SAMLAttributeMapping {
763
- /** SAML attribute for the unique subject identifier (NameID). */
844
+ } & Pick<ConvexAuthConfig, "component" | "session" | "jwt" | "signIn" | "callbacks" | "authorization" | "sso">;
845
+ interface SSOProfileMapping {
764
846
  subject?: string;
765
- /** SAML attribute for the user's email address. */
766
847
  email?: string;
767
- /** SAML attribute for the user's full display name. */
848
+ emailVerified?: string;
768
849
  name?: string;
769
- /** SAML attribute for the user's first / given name. */
770
850
  firstName?: string;
771
- /** SAML attribute for the user's last / family name. */
772
851
  lastName?: string;
852
+ image?: string;
853
+ phone?: string;
854
+ active?: string;
855
+ externalId?: string;
856
+ groups?: string;
857
+ roles?: string;
773
858
  }
859
+ interface OIDCClaimMapping extends Pick<SSOProfileMapping, "subject" | "email" | "emailVerified" | "name" | "image" | "groups" | "roles"> {}
774
860
  /**
775
- * Materialized OAuth provider config (Arctic-based).
776
- *
777
- * Carries the Arctic provider instance along with scopes and profile config.
778
- * Produced by materializing an `OAuthProviderInstance` during `configDefaults`.
861
+ * Materialized OAuth provider config.
779
862
  */
780
863
  interface OAuthMaterializedConfig {
781
864
  /**
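Review bot: `SSOProfileMapping` replaces `SAMLAttributeMapping` but drops every per-field doc comment, and the new fields (`emailVerified`, `image`, `phone`, `active`, `externalId`, `groups`, `roles`) arrive undocumented. `emailVerified` is the one with security weight, since the `"verifiedEmail"` linking policy in this file links accounts on an IdP-provided email; the comment should say which attribute values count as verified and that a missing attribute is treated as unverified, if that is the implemented behaviour. I would restore the comments in the style of `/** Attribute or claim name holding the user's email address. */` and add `/** Attribute or claim name stating whether the IdP verified the email; absent means unverified. */`. `OIDCClaimMapping` is an empty interface over a `Pick` and could be a plain `type` alias with a one-line comment explaining why it is the narrower set.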
@@ -789,10 +872,10 @@ interface OAuthMaterializedConfig {
789
872
  */
790
873
  readonly type: "oauth";
791
874
  /**
792
- * The Arctic provider instance.
875
+ * The runtime client used for the authorization code flow.
793
876
  * @readonly
794
877
  */
795
- readonly provider: any;
878
+ readonly provider: OAuthRuntimeClient | null;
796
879
  /**
797
880
  * OAuth scopes to request.
798
881
  * @readonly
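Review bot: The doc comment on `provider` does not say when the value is `null`, although the type is now `OAuthRuntimeClient | null`. Consumers need to know which state `null` represents and that the authorization-code flow has to fail with an explicit error in that case rather than continue. A second sentence in the comment stating the condition and the expected handling would cover it. `OAuthMaterializedConfig` begins and ends outside this hunk.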
@@ -802,7 +885,13 @@ interface OAuthMaterializedConfig {
802
885
  * User-provided profile extraction callback.
803
886
  * @readonly
804
887
  */
805
- readonly profile?: (tokens: arctic0.OAuth2Tokens) => Promise<OAuthProfile>;
888
+ readonly profile?: (tokens: OAuthTokens) => Promise<OAuthProfile>;
889
+ /** Whether to issue and verify a nonce cookie during the callback flow. */
890
+ readonly nonce?: boolean;
891
+ /** Optional token validation hook after code exchange. */
892
+ readonly validateTokens?: (tokens: OAuthTokens, ctx: {
893
+ nonce?: string;
894
+ }) => Promise<void>;
806
895
  /**
807
896
  * Account-linking policy for OAuth identities. Defaults to verified email linking.
808
897
  * @readonly
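Review bot: The comments on `nonce` and `validateTokens` do not say what the library checks on its own. `nonce?: boolean` has no stated default, and it is unclear whether the library compares the cookie value with the ID token's `nonce` claim or only hands it to `validateTokens` through `ctx.nonce`. If it is the latter, a provider that sets `nonce: true` without a `validateTokens` hook would get no replay check. I would extend the comments to something like `/** Defaults to false. When true, the callback rejects an ID token whose nonce claim differs from the cookie value. */` and `/** Runs after code exchange; throw to reject the sign-in. */`, adjusted to the actual behaviour. `OAuthMaterializedConfig` begins and ends outside this hunk.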
@@ -839,15 +928,23 @@ interface DeviceProviderConfig {
839
928
  */
840
929
  type AuthProviderMaterializedConfig = OAuthMaterializedConfig | EmailConfig | PhoneConfig | ConvexCredentialsConfig | PasskeyProviderConfig | TotpProviderConfig | DeviceProviderConfig | SSOProviderConfig;
841
930
  /**
842
- * Resolves to `true` when the providers list includes `SSO`, otherwise `false`.
931
+ * Resolves to `true` when the providers list includes `sso()`, otherwise `false`.
843
932
  *
844
- * Used to make `auth.sso` conditionally present on the `createAuth`
845
- * return type — it only appears when `new SSO()` is in the providers array.
933
+ * Used to make `auth.group.sso` conditionally present on the `createAuth`
934
+ * return type — it only appears when `sso()` is in the providers array.
846
935
  */
847
- type HasSSO<P extends AuthProviderConfig[]> = SSO extends P[number] ? true : false;
848
- type HasPasskeyProvider<P extends AuthProviderConfig[]> = Passkey extends P[number] ? true : false;
849
- type HasTotpProvider<P extends AuthProviderConfig[]> = Totp extends P[number] ? true : false;
850
- type HasDeviceProvider<P extends AuthProviderConfig[]> = Device extends P[number] ? true : false;
936
+ type HasSSO<P extends AuthProviderConfig[]> = Extract<P[number], {
937
+ type: "sso";
938
+ }> extends never ? false : true;
939
+ type HasPasskeyProvider<P extends AuthProviderConfig[]> = Extract<P[number], {
940
+ type: "passkey";
941
+ }> extends never ? false : true;
942
+ type HasTotpProvider<P extends AuthProviderConfig[]> = Extract<P[number], {
943
+ type: "totp";
944
+ }> extends never ? false : true;
945
+ type HasDeviceProvider<P extends AuthProviderConfig[]> = Extract<P[number], {
946
+ type: "device";
947
+ }> extends never ? false : true;
851
948
  /**
852
949
  * A single scope entry stored per API key.
853
950
  * Uses a resource:action pattern for structured permissions.
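Review bot: `HasPasskeyProvider`, `HasTotpProvider` and `HasDeviceProvider` now test `Extract<P[number], { type: "..." }>`, which never matches a factory member, yet `AuthProviderConfig` still admits `() => PasskeyProviderConfig`, `() => TotpProviderConfig` and `() => DeviceProviderConfig`. A provider passed in factory form therefore resolves these helpers to `false`, and whatever part of the `createAuth` return type they gate would be hidden. Unwrapping first fixes it: `type ResolvedProvider<T> = T extends () => infer R ? R : T;` and then `Extract<ResolvedProvider<P[number]>, { type: "passkey" }> extends never ? false : true`. The three helpers after `HasSSO` also lack the doc comment that `HasSSO` has.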
@@ -877,129 +974,6 @@ interface ScopeChecker {
877
974
  /** The raw scope entries from the key. */
878
975
  scopes: KeyScope[];
879
976
  }
880
- /**
881
- * An API key record as returned by `auth.key.list()` and `auth.key.get()`.
882
- * Never includes the raw key material — only the display prefix.
883
- */
884
- interface KeyRecord {
885
- /** Document ID. */
886
- _id: string;
887
- /** Owner user ID. */
888
- userId: string;
889
- /** Display prefix (e.g. `"sk_abc1"`). Safe to show in UIs. */
890
- prefix: string;
891
- /** Human-readable name (e.g. "CI Pipeline"). */
892
- name: string;
893
- /** Resource:action permissions granted to this key. */
894
- scopes: KeyScope[];
895
- /** Per-key rate limit, if configured. */
896
- rateLimit?: {
897
- maxRequests: number;
898
- windowMs: number;
899
- };
900
- /** Expiration timestamp (ms since epoch), or `undefined` for no expiry. */
901
- expiresAt?: number;
902
- /** Timestamp of last successful verification, or `undefined` if never used. */
903
- lastUsedAt?: number;
904
- /** Creation timestamp (ms since epoch). */
905
- createdAt: number;
906
- /** `true` when the key has been revoked (soft-deleted). */
907
- revoked: boolean;
908
- /** Arbitrary app-specific metadata attached to the key. */
909
- metadata?: Record<string, unknown>;
910
- }
911
- /**
912
- * Options for paginated list queries. Every entity list method uses this
913
- * same shape with entity-specific `TWhere` and `TOrderBy` type parameters.
914
- *
915
- * @typeParam TWhere - The type of the optional filter object.
916
- * @typeParam TOrderBy - The union of sortable field names.
917
- *
918
- * ```ts
919
- * const result = await auth.group.list(ctx, {
920
- * where: { type: "team" },
921
- * limit: 20,
922
- * orderBy: "name",
923
- * order: "asc",
924
- * });
925
- * ```
926
- */
927
- type ListOptions<TWhere extends Record<string, unknown>, TOrderBy extends string> = {
928
- /** Serializable filter — only known fields for the entity. */where?: TWhere; /** Maximum number of items to return. Defaults to 50, max 100. */
929
- limit?: number; /** Opaque cursor from a previous `ListResult.nextCursor`. */
930
- cursor?: string | null; /** Field to sort by. Defaults to `"_creationTime"`. */
931
- orderBy?: TOrderBy; /** Sort direction. Defaults to `"desc"`. */
932
- order?: "asc" | "desc";
933
- };
934
- /**
935
- * Paginated list result returned by every entity list method.
936
- *
937
- * @typeParam T - The type of items in the result array.
938
- */
939
- type ListResult<T> = {
940
- /** The page of items. */items: T[]; /** Opaque cursor for the next page, or `null` when exhausted. */
941
- nextCursor: string | null;
942
- };
943
- /**
944
- * A single key/value tag for group classification.
945
- *
946
- * Tags are normalized at write time: both `key` and `value` are
947
- * trimmed and lowercased. Filtering is strict exact-match only.
948
- */
949
- type GroupTag = {
950
- key: string;
951
- value: string;
952
- };
953
- /** Filter fields for `auth.group.list()`. All optional. */
954
- type GroupWhere = {
955
- slug?: string;
956
- type?: string;
957
- parentGroupId?: string;
958
- name?: string; /** When `true`, return only root groups (no parent). When `false`, only non-root. */
959
- isRoot?: boolean;
960
- /**
961
- * Return only groups that have **all** of the specified tags.
962
- * Each tag is matched exactly on normalized `(key, value)`.
963
- */
964
- tagsAll?: GroupTag[];
965
- /**
966
- * Return only groups that have **at least one** of the specified tags.
967
- * Each tag is matched exactly on normalized `(key, value)`.
968
- */
969
- tagsAny?: GroupTag[];
970
- };
971
- /** Sortable fields for `auth.group.list()`. */
972
- type GroupOrderBy = "_creationTime" | "name" | "slug" | "type";
973
- /** Filter fields for `auth.member.list()`. All optional. */
974
- type MemberWhere = {
975
- groupId?: string;
976
- userId?: string;
977
- roleId?: string;
978
- status?: string;
979
- };
980
- /** Sortable fields for `auth.member.list()`. */
981
- type MemberOrderBy = "_creationTime" | "status";
982
- /** Filter fields for `auth.invite.list()`. All optional. */
983
- type InviteWhere = {
984
- tokenHash?: string;
985
- groupId?: string;
986
- status?: "pending" | "accepted" | "revoked" | "expired";
987
- email?: string;
988
- invitedByUserId?: string;
989
- roleId?: string;
990
- acceptedByUserId?: string;
991
- };
992
- /** Sortable fields for `auth.invite.list()`. */
993
- type InviteOrderBy = "_creationTime" | "status" | "email" | "expiresTime" | "acceptedTime";
994
- /** Filter fields for `auth.key.list()`. All optional. */
995
- type KeyWhere = {
996
- userId?: string;
997
- revoked?: boolean;
998
- name?: string;
999
- prefix?: string;
1000
- };
1001
- /** Sortable fields for `auth.key.list()`. */
1002
- type KeyOrderBy = "_creationTime" | "name" | "lastUsedAt" | "expiresAt" | "revoked";
1003
977
  /** Filter fields for `auth.user.list()`. All optional. */
1004
978
  type UserWhere = {
1005
979
  email?: string;
@@ -1037,13 +1011,139 @@ interface HttpKeyContext {
1037
1011
  * CORS configuration for Bearer-authenticated HTTP endpoints.
1038
1012
  */
1039
1013
  interface CorsConfig {
1040
- /** Allowed origin(s). Defaults to `"*"`. */
1041
- origin?: string;
1014
+ /**
1015
+ * Allowed origins. Defaults to the site URLs from environment
1016
+ * (`SITE_URL` and `SECONDARY_URL`). Pass `["*"]` to allow any origin.
1017
+ */
1018
+ origins?: string[];
1042
1019
  /** Allowed HTTP methods. Defaults to `"GET,POST,PUT,PATCH,DELETE,OPTIONS"`. */
1043
1020
  methods?: string;
1044
1021
  /** Allowed request headers. Defaults to `"Content-Type,Authorization"`. */
1045
1022
  headers?: string;
1046
1023
  }
1024
+ /**
1025
+ * Component function references required by core auth runtime.
1026
+ */
1027
+ type AuthComponentApi = {
1028
+ public: {
1029
+ userGetById: FunctionReference<"query", "internal">;
1030
+ userList: FunctionReference<"query", "internal">;
1031
+ userFindByVerifiedEmail: FunctionReference<"query", "internal">;
1032
+ userFindByVerifiedPhone: FunctionReference<"query", "internal">;
1033
+ userInsert: FunctionReference<"mutation", "internal">;
1034
+ userUpsert: FunctionReference<"mutation", "internal">;
1035
+ userPatch: FunctionReference<"mutation", "internal">;
1036
+ userDelete: FunctionReference<"mutation", "internal">;
1037
+ accountGet: FunctionReference<"query", "internal">;
1038
+ accountGetById: FunctionReference<"query", "internal">;
1039
+ accountInsert: FunctionReference<"mutation", "internal">;
1040
+ accountListByUser: FunctionReference<"query", "internal">;
1041
+ accountPatch: FunctionReference<"mutation", "internal">;
1042
+ accountDelete: FunctionReference<"mutation", "internal">;
1043
+ sessionCreate: FunctionReference<"mutation", "internal">;
1044
+ sessionGetById: FunctionReference<"query", "internal">;
1045
+ sessionDelete: FunctionReference<"mutation", "internal">;
1046
+ sessionListByUser: FunctionReference<"query", "internal">;
1047
+ verifierCreate: FunctionReference<"mutation", "internal">;
1048
+ verifierGetById: FunctionReference<"query", "internal">;
1049
+ verifierGetBySignature: FunctionReference<"query", "internal">;
1050
+ verifierPatch: FunctionReference<"mutation", "internal">;
1051
+ verifierDelete: FunctionReference<"mutation", "internal">;
1052
+ verificationCodeGetByAccountId: FunctionReference<"query", "internal">;
1053
+ verificationCodeGetByCode: FunctionReference<"query", "internal">;
1054
+ verificationCodeCreate: FunctionReference<"mutation", "internal">;
1055
+ verificationCodeDelete: FunctionReference<"mutation", "internal">;
1056
+ refreshTokenCreate: FunctionReference<"mutation", "internal">;
1057
+ refreshTokenGetById: FunctionReference<"query", "internal">;
1058
+ refreshTokenPatch: FunctionReference<"mutation", "internal">;
1059
+ refreshTokenGetChildren: FunctionReference<"query", "internal">;
1060
+ refreshTokenListBySession: FunctionReference<"query", "internal">;
1061
+ refreshTokenDeleteAll: FunctionReference<"mutation", "internal">;
1062
+ refreshTokenGetActive: FunctionReference<"query", "internal">;
1063
+ rateLimitGet: FunctionReference<"query", "internal">;
1064
+ rateLimitCreate: FunctionReference<"mutation", "internal">;
1065
+ rateLimitPatch: FunctionReference<"mutation", "internal">;
1066
+ rateLimitDelete: FunctionReference<"mutation", "internal">;
1067
+ groupCreate: FunctionReference<"mutation", "internal">;
1068
+ groupGet: FunctionReference<"query", "internal">;
1069
+ groupList: FunctionReference<"query", "internal">;
1070
+ groupUpdate: FunctionReference<"mutation", "internal">;
1071
+ groupDelete: FunctionReference<"mutation", "internal">;
1072
+ memberAdd: FunctionReference<"mutation", "internal">;
1073
+ memberGet: FunctionReference<"query", "internal">;
1074
+ memberList: FunctionReference<"query", "internal">;
1075
+ memberGetByGroupAndUser: FunctionReference<"query", "internal">;
1076
+ memberRemove: FunctionReference<"mutation", "internal">;
1077
+ memberUpdate: FunctionReference<"mutation", "internal">;
1078
+ inviteCreate: FunctionReference<"mutation", "internal">;
1079
+ inviteGet: FunctionReference<"query", "internal">;
1080
+ inviteGetByTokenHash: FunctionReference<"query", "internal">;
1081
+ inviteList: FunctionReference<"query", "internal">;
1082
+ inviteAccept: FunctionReference<"mutation", "internal">;
1083
+ inviteAcceptByToken: FunctionReference<"mutation", "internal">;
1084
+ inviteRevoke: FunctionReference<"mutation", "internal">;
1085
+ keyInsert: FunctionReference<"mutation", "internal">;
1086
+ keyGetByHashedKey: FunctionReference<"query", "internal">;
1087
+ keyGetById: FunctionReference<"query", "internal">;
1088
+ keyList: FunctionReference<"query", "internal">;
1089
+ keyPatch: FunctionReference<"mutation", "internal">;
1090
+ keyDelete: FunctionReference<"mutation", "internal">;
1091
+ passkeyInsert: FunctionReference<"mutation", "internal">;
1092
+ passkeyGetByCredentialId: FunctionReference<"query", "internal">;
1093
+ passkeyListByUserId: FunctionReference<"query", "internal">;
1094
+ passkeyUpdateCounter: FunctionReference<"mutation", "internal">;
1095
+ passkeyUpdateMeta: FunctionReference<"mutation", "internal">;
1096
+ passkeyDelete: FunctionReference<"mutation", "internal">;
1097
+ totpInsert: FunctionReference<"mutation", "internal", any, any>;
1098
+ totpGetVerifiedByUserId: FunctionReference<"query", "internal", any, any>;
1099
+ totpListByUserId: FunctionReference<"query", "internal", any, any>;
1100
+ totpGetById: FunctionReference<"query", "internal", any, any>;
1101
+ totpMarkVerified: FunctionReference<"mutation", "internal", any, any>;
1102
+ totpUpdateLastUsed: FunctionReference<"mutation", "internal", any, any>;
1103
+ totpDelete: FunctionReference<"mutation", "internal", any, any>;
1104
+ deviceInsert: FunctionReference<"mutation", "internal", any, any>;
1105
+ deviceGetByCodeHash: FunctionReference<"query", "internal", any, any>;
1106
+ deviceGetByUserCode: FunctionReference<"query", "internal", any, any>;
1107
+ deviceAuthorize: FunctionReference<"mutation", "internal", any, any>;
1108
+ deviceUpdateLastPolled: FunctionReference<"mutation", "internal", any, any>;
1109
+ deviceDelete: FunctionReference<"mutation", "internal", any, any>;
1110
+ groupConnectionCreate: FunctionReference<"mutation", "internal", any, any>;
1111
+ groupConnectionGet: FunctionReference<"query", "internal", any, any>;
1112
+ groupConnectionGetByDomain: FunctionReference<"query", "internal", any, any>;
1113
+ groupConnectionList: FunctionReference<"query", "internal", any, any>;
1114
+ groupConnectionUpdate: FunctionReference<"mutation", "internal", any, any>;
1115
+ groupConnectionDelete: FunctionReference<"mutation", "internal", any, any>;
1116
+ groupConnectionDomainAdd: FunctionReference<"mutation", "internal", any, any>;
1117
+ groupConnectionDomainList: FunctionReference<"query", "internal", any, any>;
1118
+ groupConnectionDomainDelete: FunctionReference<"mutation", "internal", any, any>;
1119
+ groupConnectionDomainVerificationGet: FunctionReference<"query", "internal", any, any>;
1120
+ groupConnectionDomainVerificationUpsert: FunctionReference<"mutation", "internal", any, any>;
1121
+ groupConnectionDomainVerificationDelete: FunctionReference<"mutation", "internal", any, any>;
1122
+ groupConnectionDomainVerify: FunctionReference<"mutation", "internal", any, any>;
1123
+ groupConnectionSecretUpsert: FunctionReference<"mutation", "internal", any, any>;
1124
+ groupConnectionSecretGet: FunctionReference<"query", "internal", any, any>;
1125
+ groupConnectionSecretDelete: FunctionReference<"mutation", "internal", any, any>;
1126
+ groupConnectionScimConfigUpsert: FunctionReference<"mutation", "internal", any, any>;
1127
+ groupConnectionScimConfigGetByGroupConnection: FunctionReference<"query", "internal", any, any>;
1128
+ groupConnectionScimConfigGetByTokenHash: FunctionReference<"query", "internal", any, any>;
1129
+ groupConnectionScimIdentityGet: FunctionReference<"query", "internal", any, any>;
1130
+ groupConnectionScimIdentityGetByUser: FunctionReference<"query", "internal", any, any>;
1131
+ groupConnectionScimIdentityGetByGroupConnectionAndUser: FunctionReference<"query", "internal", any, any>;
1132
+ groupConnectionScimIdentityGetByMappedGroup: FunctionReference<"query", "internal", any, any>;
1133
+ groupConnectionScimIdentityListByGroupConnection: FunctionReference<"query", "internal", any, any>;
1134
+ groupConnectionScimIdentityUpsert: FunctionReference<"mutation", "internal", any, any>;
1135
+ groupConnectionScimIdentityDelete: FunctionReference<"mutation", "internal", any, any>;
1136
+ groupAuditEventCreate: FunctionReference<"mutation", "internal", any, any>;
1137
+ groupAuditEventList: FunctionReference<"query", "internal", any, any>;
1138
+ groupWebhookEndpointCreate: FunctionReference<"mutation", "internal", any, any>;
1139
+ groupWebhookEndpointList: FunctionReference<"query", "internal", any, any>;
1140
+ groupWebhookEndpointGet: FunctionReference<"query", "internal", any, any>;
1141
+ groupWebhookEndpointUpdate: FunctionReference<"mutation", "internal", any, any>;
1142
+ groupWebhookDeliveryEnqueue: FunctionReference<"mutation", "internal", any, any>;
1143
+ groupWebhookDeliveryListReady: FunctionReference<"query", "internal", any, any>;
1144
+ groupWebhookDeliveryPatch: FunctionReference<"mutation", "internal", any, any>;
1145
+ };
1146
+ };
1047
1147
  /**
1048
1148
  * Convex document from a given table.
1049
1149
  */
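Review bot: The doc comment added on `CorsConfig.origins` leaves unstated what is allowed when neither `SITE_URL` nor `SECONDARY_URL` is set, and whether an entry must equal the request's `Origin` header exactly (scheme, host and port). The comment should state both, and should note that `["*"]` lets a page on any origin call these Bearer-authenticated endpoints with whatever token it holds. The old `origin?: string` field is removed without an alias, so a plain-JavaScript caller that still passes `origin` gets no type error; whether the runtime then ignores the value is not visible in this declaration file, and keeping `/** @deprecated use origins */ origin?: string;` for one release would surface the rename. As a style point in the same hunk, the `totp*`, `device*`, `groupConnection*`, `groupAuditEvent*` and `groupWebhook*` entries of `AuthComponentApi` spell out `FunctionReference<…, "internal", any, any>` while the entries above them omit the last two arguments; using one form throughout would make it clear that no difference is intended.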
@@ -1053,99 +1153,9 @@ type GenericDoc<DataModel extends GenericDataModel, TableName extends TableNames
1053
1153
  };
1054
1154
  /** Data model derived from the component schema. */
1055
1155
  type AuthDataModel = DataModelFromSchemaDefinition<typeof _default>;
1056
- /** Action context typed to the auth component's data model. */
1057
- type ActionCtx = GenericActionCtx<AuthDataModel>;
1058
- /** Mutation context typed to the auth component's data model. */
1059
- type MutationCtx = GenericMutationCtx<AuthDataModel>;
1060
- /** Query context typed to the auth component's data model. */
1061
- type QueryCtx = GenericQueryCtx<AuthDataModel>;
1062
1156
  /** A document from any table in the auth component schema. */
1063
1157
  type Doc<T extends TableNamesInDataModel<AuthDataModel>> = GenericDoc<AuthDataModel, T>;
1064
- /** A pair of JWT access token and refresh token. */
1065
- type Tokens = {
1066
- token: string;
1067
- refreshToken: string;
1068
- };
1069
- /** Session information returned after authentication. */
1070
- type SessionInfo = {
1071
- userId: GenericId<"User">;
1072
- sessionId: GenericId<"Session">;
1073
- tokens: Tokens | null;
1074
- };
1075
- /** Session information with guaranteed non-null tokens. */
1076
- type SessionInfoWithTokens = {
1077
- userId: GenericId<"User">;
1078
- sessionId: GenericId<"Session">;
1079
- tokens: Tokens;
1080
- };
1081
- type TotpDoc = Infer<typeof vTotpFactorDoc>;
1082
- type PasskeyDoc = Infer<typeof vPasskeyDoc>;
1083
- type VerifierDoc = Infer<typeof vAuthVerifierDoc>;
1084
1158
  type KeyDoc = Infer<typeof vApiKeyDoc>;
1085
- declare function queryUserById(ctx: ComponentCallCtx, userId: string): Promise<CrossComponentUserDoc | null>;
1086
- declare function queryUserByVerifiedEmail(ctx: ComponentCallCtx, email: string): Promise<CrossComponentUserDoc | null>;
1087
- declare function queryVerifierById(ctx: ComponentCallCtx, verifierId: string): Promise<VerifierDoc | null>;
1088
- declare function mutateVerifierDelete(ctx: ComponentCallCtx, verifierId: string): Promise<void>;
1089
- declare function queryTotpById(ctx: ComponentCallCtx, totpId: string): Promise<TotpDoc | null>;
1090
- declare function queryTotpVerifiedByUserId(ctx: ComponentCallCtx, userId: string): Promise<TotpDoc | null>;
1091
- declare function mutateTotpInsert(ctx: ComponentCallCtx, args: {
1092
- userId: string;
1093
- secret: ArrayBuffer;
1094
- digits: number;
1095
- period: number;
1096
- verified: boolean;
1097
- name?: string;
1098
- createdAt: number;
1099
- }): Promise<string>;
1100
- declare function mutateTotpMarkVerified(ctx: ComponentCallCtx, totpId: string, lastUsedAt: number): Promise<void>;
1101
- declare function mutateTotpUpdateLastUsed(ctx: ComponentCallCtx, totpId: string, lastUsedAt: number): Promise<void>;
1102
- declare function queryPasskeysByUserId(ctx: ComponentCallCtx, userId: string): Promise<PasskeyDoc[]>;
1103
- declare function queryPasskeyByCredentialId(ctx: ComponentCallCtx, credentialId: string): Promise<PasskeyDoc | null>;
1104
- declare function mutatePasskeyInsert(ctx: ComponentCallCtx, args: {
1105
- userId: string;
1106
- credentialId: string;
1107
- publicKey: ArrayBuffer | ArrayBufferLike;
1108
- algorithm: number;
1109
- counter: number;
1110
- transports?: string[];
1111
- deviceType: string;
1112
- backedUp: boolean;
1113
- name?: string;
1114
- createdAt: number;
1115
- }): Promise<string>;
1116
- declare function mutatePasskeyUpdateCounter(ctx: ComponentCallCtx, passkeyId: string, counter: number, lastUsedAt: number): Promise<void>;
1117
- declare function mutateKeyInsert(ctx: ComponentCallCtx, args: {
1118
- userId: string;
1119
- prefix: string;
1120
- hashedKey: string;
1121
- name: string;
1122
- scopes: Array<{
1123
- resource: string;
1124
- actions: string[];
1125
- }>;
1126
- rateLimit?: {
1127
- maxRequests: number;
1128
- windowMs: number;
1129
- };
1130
- expiresAt?: number;
1131
- }): Promise<string>;
1132
- declare function queryKeysByUserId(ctx: ComponentCallCtx, userId: string): Promise<KeyDoc[]>;
1133
- declare function queryKeyById(ctx: ComponentCallCtx, keyId: string): Promise<KeyDoc | null>;
1134
- declare function mutateKeyPatch(ctx: ComponentCallCtx, keyId: string, data: Record<string, unknown>): Promise<void>;
1135
- declare function mutateKeyDelete(ctx: ComponentCallCtx, keyId: string): Promise<void>;
1136
- type DeviceDoc = Infer<typeof vDeviceCodeDoc>;
1137
- declare function mutateDeviceInsert(ctx: ComponentCallCtx, args: {
1138
- deviceCodeHash: string;
1139
- userCode: string;
1140
- expiresAt: number;
1141
- interval: number;
1142
- status: "pending" | "authorized" | "denied";
1143
- }): Promise<string>;
1144
- declare function queryDeviceByCodeHash(ctx: ComponentCallCtx, deviceCodeHash: string): Promise<DeviceDoc | null>;
1145
- declare function queryDeviceByUserCode(ctx: ComponentCallCtx, userCode: string): Promise<DeviceDoc | null>;
1146
- declare function mutateDeviceAuthorize(ctx: ComponentCallCtx, deviceId: string, userId: string, sessionId: string): Promise<void>;
1147
- declare function mutateDeviceUpdateLastPolled(ctx: ComponentCallCtx, deviceId: string, lastPolledAt: number): Promise<void>;
1148
- declare function mutateDeviceDelete(ctx: ComponentCallCtx, deviceId: string): Promise<void>;
1149
1159
  //#endregion
1150
- export { ActionCtx, AuthAccountCredentials, AuthAuthorizationConfig, AuthCreateAccountArgs, AuthDataModel, AuthGrant, AuthInvalidateSessionsArgs, AuthMemberInspectArgs, AuthMemberInspectResult, AuthMemberRequireArgs, AuthProviderConfig, AuthProviderMaterializedConfig, AuthProviderSignInArgs, AuthProviderSignInResult, AuthRetrieveAccountArgs, AuthRoleDefinition, AuthRoleId, AuthServerHelpers, AuthUpdateAccountArgs, Awaitable, ConvexAuthConfig, ConvexAuthMaterializedConfig, ConvexCredentialsConfig, CorsConfig, DeviceDoc, DeviceProviderConfig, Doc, EmailConfig, EmailUserConfig, EnterpriseAccountLinkingPolicy, EnterpriseDeprovisionMode, EnterpriseJitProvisioningMode, EnterprisePolicy, EnterprisePolicyPatch, EnterpriseScimReuseUserPolicy, GenericActionCtxWithAuthConfig, GenericDoc, GroupOrderBy, GroupTag, GroupWhere, HasDeviceProvider, HasPasskeyProvider, HasSSO, HasTotpProvider, HttpKeyContext, InviteOrderBy, InviteWhere, KeyDoc, KeyOrderBy, KeyRecord, KeyScope, KeyWhere, ListOptions, ListResult, MemberOrderBy, MemberWhere, MutationCtx, OAuthMaterializedConfig, OAuthProfile, PasskeyDoc, PasskeyProviderConfig, PhoneConfig, PhoneUserConfig, QueryCtx, SAMLAttributeMapping, SSOProviderConfig, ScopeChecker, SessionInfo, SessionInfoWithTokens, Tokens, TotpDoc, TotpProviderConfig, UserOrderBy, UserWhere, VerifierDoc, mutateDeviceAuthorize, mutateDeviceDelete, mutateDeviceInsert, mutateDeviceUpdateLastPolled, mutateKeyDelete, mutateKeyInsert, mutateKeyPatch, mutatePasskeyInsert, mutatePasskeyUpdateCounter, mutateTotpInsert, mutateTotpMarkVerified, mutateTotpUpdateLastUsed, mutateVerifierDelete, queryDeviceByCodeHash, queryDeviceByUserCode, queryKeyById, queryKeysByUserId, queryPasskeyByCredentialId, queryPasskeysByUserId, queryTotpById, queryTotpVerifiedByUserId, queryUserById, queryUserByVerifiedEmail, queryVerifierById };
1160
+ export { AuthAuthorizationConfig, AuthGrant, AuthProviderConfig, AuthRoleId, ConvexAuthConfig, ConvexAuthMaterializedConfig, ConvexCredentialsConfig, CorsConfig, DeviceProviderConfig, Doc, EmailConfig, EmailUserConfig, GenericActionCtxWithAuthConfig, GenericDoc, GroupConnectionDeprovisionMode, GroupConnectionPolicy, GroupConnectionPolicyPatch, HasDeviceProvider, HasPasskeyProvider, HasSSO, HasTotpProvider, HttpKeyContext, KeyDoc, KeyScope, OAuthMaterializedConfig, OAuthProfile, OAuthTokens, OIDCClaimMapping, PasskeyProviderConfig, PhoneConfig, PhoneUserConfig, SSOProviderConfig, ScopeChecker, TotpProviderConfig, UserOrderBy, UserWhere };
1151
1161
  //# sourceMappingURL=types.d.ts.map